3.1 Introduction
In the last unit, we discussed the basic principles of encryption and two
simple encryption methods: substitution and transposition. In cryptography,
a block cipher is a deterministic algorithm that operates on fixed-length
groups of bits, called blocks, with an unvarying transformation that is
specified by a symmetric key. Many cryptographic protocol designs use
block ciphers for encryption of bulk data. Block cipher design is based
on an iterated product cipher: fixed-size blocks of plaintext are
transformed into blocks of ciphertext of identical size through the
repeated application of an invertible transformation known as the round
function, with each iteration referred to as a round.
Claude Shannon analyzed product ciphers as a means to effectively
improve security by combining operations like substitutions and
permutations. These iterated product ciphers carry out encryption in multiple
rounds, each using a different subkey derived from the original key. The
Feistel network, named after Horst Feistel, is one such cipher and is
implemented in the DES cipher. Many other realizations of block ciphers, for
example AES, are classified as substitution-permutation networks.
In this unit, we will discuss block cipher principles, the Data Encryption
Standard (DES) and its strength. We will also study differential and linear
cryptanalysis and block cipher design principles.
Objectives:
After studying this unit, you should be able to:
• explain block cipher principles
• define and explain data encryption standard (DES)
• discuss DES Strength
• discuss differential and linear cryptanalysis
• explain block cipher design principles
bits at a time using the same key. The majority of block ciphers either have
a block length of 128 bits (16 bytes), like the Advanced Encryption Standard
(AES), or a block length of 64 bits (8 bytes), such as the Data Encryption
Standard (DES) or triple DES (3DES) algorithm. Figure 3.2 shows the
block cipher encryption method.
A block cipher encryption algorithm accepts two inputs, a plaintext input
block of size n bits and a key of size k bits, and produces an n-bit output
block called the ciphertext, as shown in figure 3.2.
Feistel Cipher
A Feistel cipher is a symmetric structure employed in the construction
of block ciphers. It is named after the cryptographer Horst Feistel and is
also known as a Feistel network.
We can approximate the ideal block cipher using a product cipher, that is,
the execution of two or more simple ciphers in sequence so that the final
result, or product, is cryptographically stronger than any of the component
ciphers. The idea of this technique is to develop a block cipher with a key
length of k bits and a block length of n bits, allowing a total of 2^k
possible transformations. Feistel's design uses a cipher that alternates
substitutions and permutations:
• Substitution: Each plaintext element or group of elements is uniquely
replaced by a corresponding ciphertext element or group of elements.
subkey Ki, derived from the overall key K. Note that the subkeys Ki and the
key K are not the same. The structure remains the same for all rounds. A
substitution is performed on the left half of the data by applying a round
function F to the right half of the data and then taking the XOR of the output
of that function and the left half of the data. The round function has the
same general structure in every round, but it is parameterized by the round
subkey Ki. After the substitution, a permutation is performed that consists
of the interchange of the two halves of the data. This structure is therefore
a particular form of the substitution-permutation (S-P) network.
The realization of a Feistel network depends on the choice of the following
parameters and design features:
• Block size – A larger block size improves security but slows the
cipher.
• Key size – A larger key size improves security and makes exhaustive key
search harder, but may slow the cipher.
• Number of rounds – More rounds improve security but slow the
cipher.
• Subkey generation – Greater complexity makes analysis harder but
slows the cipher.
• Round function – Greater complexity makes analysis harder but
slows the cipher.
• Fast software en/decryption & ease of analysis – These are more recent
concerns for practical use and testing.
Figure 3.3(a) shows the Feistel network and figure 3.3(b) shows
encryption and decryption in a Feistel network.
The decryption process is similar to the encryption process. The rule is: use
the ciphertext as input to the algorithm, but use the subkeys Ki in reverse
order, i.e., Kn in the first round, Kn-1 in the second round, and so on. For
convenience, we use the notation LEi and REi for data traveling through the
encryption algorithm and LDi and RDi for data traveling through the
decryption algorithm. The intermediate value of the decryption process at
each round is equal to the corresponding value of the encryption process
with the two halves of the value swapped,
i.e., REi || LEi (or) LD16-i || RD16-i
After the final iteration of the encryption process, the two output halves
are swapped so that the ciphertext is RE16 || LE16. The output of that
round is the ciphertext. Now take the ciphertext and use it as input to the
same algorithm. The input to the first round is RE16 || LE16, which is equal
to the 32-bit swap of the output of the sixteenth round of the encryption
process. Now let us see how the output of the first round of the decryption
process is equal to a 32-bit swap of the input to the sixteenth round of the
encryption process.
On the encryption side,
LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)
On the decryption side,
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
    = LE15
Therefore, LD1 = RE15
RD1 = LE15
The encryption function takes two inputs: the plaintext and the key. The
plaintext must be 64 bits long and the key is 56 bits long. Looking at
figure 3.4, we can observe that the plaintext is processed in three phases.
First, the 64-bit plaintext passes through an initial permutation (IP) that
rearranges the bits to produce the permuted input. The next phase consists
of sixteen rounds of the same function, which involves both permutation and
substitution functions. The output of the last (sixteenth) round consists of
64 bits that are a function of the input plaintext and the key. The left and
right halves of this output are swapped to produce the preoutput. Finally,
the preoutput is passed through a permutation (IP^-1) that is the inverse of
the initial permutation function to produce the 64-bit ciphertext.
The Avalanche Effect
One desirable property of any encryption algorithm is that a small change in
either the plaintext or the key produces a significant change in the
ciphertext. DES exhibits a strong avalanche effect: a change in one bit of
the plaintext or one bit of the key produces a change in many bits of the
ciphertext. This is known as the avalanche effect and is shown in table 3.1.
Table 3.1: Avalanche effect
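The decryption rule and swap identity derived above, and the per-round bit-difference measurement that Table 3.1 reports for DES, applied here to a toy 16-round Feistel network as an added example (not code from the original text). The round function F and the key schedule are stand-ins built from SHA-256 and KEY and PLAIN are constructed sample values, so this is not DES.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def F(right: int, subkey: bytes) -> int:
    # Stand-in round function (assumption, not DES's F): truncated SHA-256.
    # It is not invertible, which the Feistel structure never requires.
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def subkeys(key: bytes) -> list:
    # Stand-in key schedule (assumption): one 48-bit subkey K_i per round.
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(1, ROUNDS + 1)]

def run(block: int, keys: list):
    """Run all rounds; return (output, states) with states[i] = (L_i, R_i)."""
    L, R = block >> 32, block & MASK32
    states = [(L, R)]
    for k in keys:
        L, R = R, L ^ F(R, k)          # substitution on L, then swap the halves
        states.append((L, R))
    return (R << 32) | L, states       # final swap: output is R_16 || L_16

def encrypt(block: int, key: bytes) -> int:
    return run(block, subkeys(key))[0]

def decrypt(block: int, key: bytes) -> int:
    return run(block, subkeys(key)[::-1])[0]   # same algorithm, K_16 first

def swap_identity_holds(block: int, key: bytes) -> bool:
    """Check LD_i || RD_i == RE_(16-i) || LE_(16-i) for every i in 0..16."""
    ks = subkeys(key)
    cipher, enc = run(block, ks)
    _, dec = run(cipher, ks[::-1])
    return all(dec[i] == enc[ROUNDS - i][::-1] for i in range(ROUNDS + 1))

def avalanche(block: int, bit: int, key: bytes) -> list:
    """Bits that differ after each round when one plaintext bit is flipped."""
    ks = subkeys(key)
    a, b = run(block, ks)[1], run(block ^ (1 << bit), ks)[1]
    return [bin((x[0] ^ y[0]) << 32 | (x[1] ^ y[1])).count("1") for x, y in zip(a[1:], b[1:])]

# Constructed sample values.
KEY, PLAIN = b"sample-key", 0x0123456789ABCDEF

if __name__ == "__main__":
    c = encrypt(PLAIN, KEY)
    print(f"{c:016x}", decrypt(c, KEY) == PLAIN, swap_identity_holds(PLAIN, KEY))
    print(avalanche(PLAIN, 63, KEY))   # bit 63 is the leftmost bit of the left half
```

Flipping a bit in the left half changes exactly one bit after round 1, because that round only copies R and XORs F(R) into L; the difference spreads once the changed half is fed into F in the following rounds.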
bits equal to one) of the secret key. But this is a long way from knowing the
actual key.
Self-Assessment Questions
4. In _____________ effect, change in one bit of the plaintext or one bit of
the key produces a change in many bits of the ciphertext.
5. DES stands for _____________________________.
6. If we use a key length of 256 bits, then possible keys are approximately
7.28 × 10^16 keys. (State True or False)
7. AES and triple DES are the important alternatives to DES. (State True
or False)
8. In __________________ attack we get the information about the key
or the plaintext by observing the time taken for a given implementation
to perform decryptions on various ciphertexts.
single text block. If m is the original plaintext block and m0 and m1 are its
two halves, then each round of DES maps the right-hand input into the
left-hand output and sets the right-hand output to be a function of the
left-hand input and the subkey for this round. So only one new 32-bit block
is created at each round. If the new block is mi (2 ≤ i ≤ 17), then the
halves of the intermediate message are related as:
If m and m′ are two messages with XOR difference ∆m = m ⊕ m′, and the
difference between the intermediate message halves is ∆mi = mi ⊕ mi′, then
we have,
If we know ∆mi-1 and ∆mi with high probability, then we know ∆mi+1 with high
probability. The overall strategy of differential cryptanalysis is based on
these considerations for a single round. The procedure is: begin with two
plaintext messages m and m′ with a given difference, and trace through a
probable pattern of differences after each round to obtain a probable
difference for the ciphertext. There are two probable patterns of differences
for the two 32-bit halves: (∆m17 || ∆m16). Then submit m and m′ for
encryption to determine the actual difference under the unknown key, and
compare the result to the probable difference. If there is a match,
E(K, m) ⊕ E(K, m′) = (∆m17 || ∆m16)
then we suspect that all the probable patterns at all the intermediate
rounds are correct. With this we can make some deductions about the
key bits. We repeat this procedure many times to determine all the key bits.
Figure 3.5 shows the propagation of differences through three rounds of
DES.
be labelled P[1], …, P[n], the ciphertext block C[1], …, C[n], and the key
K[1] to K[m]. Then define
E represents the function that takes a 32-bit block as input and produces a
48-bit block.
The criteria for the S-boxes are:
1. No S-box output bit should be too close to a linear function of the input
bits. If any output bit and any subset of the six input bits are selected,
then the fraction of inputs for which this output bit equals the XOR of
these input bits should be near ½, not close to 0 or 1.
2. Each row of an S-box should include all 16 possible output bit
combinations.
3. If two inputs to an S-box differ in exactly one bit, the outputs must differ
in at least two bits.
4. If two inputs to an S-box differ in the two middle bits, the outputs must
differ in at least two bits.
5. If two inputs to an S-box differ in their first two bits and are identical in
their last two bits, the two outputs must be different, i.e., they must not
be the same.
6. For any nonzero 6-bit difference between inputs, no more than eight of
the 32 pairs of inputs exhibiting that difference may result in the same
output difference.
7. This is a criterion similar to the previous one, but for the case of three
S-boxes.
The only nonlinear parts of DES are the S-boxes. If the S-boxes were linear,
the entire algorithm would be linear and easily broken.
The criteria for the permutation P are:
1. The four output bits from each S-box at round i are distributed so that
two of them affect middle bits of round (i+1) and the other two affect end
bits. The two middle bits of input to an S-box are not shared with
adjacent S-boxes. The end bits are the two left-hand bits and the two
right-hand bits, which are shared with adjacent S-boxes.
2. The four output bits of each S-box affect six different S-boxes on the
next round, and no two affect the same S-box.
3. For two S-boxes j and k, if an output bit from Sj affects a middle bit of Sk
on the next round, then an output bit from Sk cannot affect a middle bit
of Sj. This means that, for j=k, an output bit from Sj must not affect a
middle bit of Sj.
These criteria increase the diffusion of the algorithm.
Number of Rounds
The cryptographic strength of a Feistel cipher derives from three aspects of
the design. They are:
(i) Number of rounds
(ii) Function F
(iii) Key schedule algorithm
Let us first look at the choice of the number of rounds.
The greater the number of rounds, the more difficult it is to perform
cryptanalysis, even for a weak F. So the number of rounds is chosen such
that known cryptanalytic attacks require greater effort than a simple
brute-force key search attack. This criterion was used in the design of DES.
A differential cryptanalysis attack on 16-round DES is somewhat less
efficient than brute force: the differential cryptanalysis attack requires
2^55.1 operations, but brute force requires 2^55. If DES had 15 or fewer
rounds, then differential cryptanalysis would require less effort than a
brute-force key search. This criterion can be used to judge the strength of
an algorithm and to compare different algorithms.
Design of Function F
The function F is the heart of a Feistel block cipher; in DES, it relies on
the use of S-boxes.
Design criteria for F
The function F provides the element of confusion in a Feistel cipher. It must
be difficult to “unscramble” the substitution performed by F. One criterion
is that F be nonlinear: the more nonlinear F is, the more difficult any type
of cryptanalysis will be. Several other criteria can also be considered when
designing F. The algorithm should have good avalanche properties, so that a
change in one bit of the input produces a change in many bits of the output.
A more stringent version of this is the strict avalanche criterion (SAC).
According to this, any output bit j of an S-box should change with
probability 1/2 when any single input bit i is inverted, for all i, j.
According to another criterion, called the bit independence criterion (BIC),
output bits j and k should change independently when any single input bit i
is inverted, for all i, j, and k.
S-Box design
One important characteristic of the S-box is its size. An n×m S-box has
n input bits and m output bits. DES uses 6×4 S-boxes. The encryption
algorithm Blowfish has 8×32 S-boxes. Larger S-boxes are more resistant to
differential and linear cryptanalysis. However, the larger the dimension n,
the larger the lookup table, so a limit on n of about 8 to 10 is usually
imposed for practical reasons. Another consideration is that the larger the
S-box, the more difficult it is to design it properly.
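S-box criteria 1 to 6 listed earlier and the strict avalanche criterion, checked by exhaustive enumeration over DES S-box S1, as an added example that is not part of the original text. The S1 table is the one published in the DES standard (FIPS 46); the function names are chosen here, and input bit i and output bit j are counted from the right-hand end.

```python
# DES S-box S1 as published in FIPS 46 (4 rows x 16 columns).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """6 bits in, 4 bits out: the two end bits pick the row, the middle four the column."""
    return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def weight(v):
    return bin(v).count("1")

def rows_are_permutations():                         # criterion 2
    return all(sorted(row) == list(range(16)) for row in S1)

def min_changed_bits(diffs):                         # criteria 3, 4 and 5
    """Fewest output bits that change over all inputs x and input differences d."""
    return min(weight(sbox(x) ^ sbox(x ^ d)) for d in diffs for x in range(64))

ONE_BIT = [1 << i for i in range(6)]                 # inputs differ in exactly one bit
MIDDLE = [0b001100]                                  # inputs differ in the two middle bits
FIRST_TWO = [0b110000 | (m << 2) for m in range(4)]  # first two differ, last two equal

def max_pairs_per_difference():                      # criterion 6
    """Largest number of the 32 input pairs with one input difference
    that share the same output difference."""
    worst = 0
    for d in range(1, 64):
        counts = [0] * 16
        for x in range(64):
            counts[sbox(x) ^ sbox(x ^ d)] += 1
        worst = max(worst, max(counts))
    return worst // 2                                # each pair was counted from both ends

def linear_fraction_range():                         # criterion 1
    """Min and max, over output bits j and input-bit subsets a, of the fraction of
    inputs for which output bit j equals the XOR of the selected input bits."""
    fractions = [sum(weight(x & a) % 2 == (sbox(x) >> j) & 1 for x in range(64)) / 64
                 for a in range(1, 64) for j in range(4)]
    return min(fractions), max(fractions)

def sac_matrix():
    """sac[i][j] = probability that output bit j flips when input bit i is inverted."""
    return [[sum((sbox(x) ^ sbox(x ^ (1 << i))) >> j & 1 for x in range(64)) / 64
             for j in range(4)] for i in range(6)]

if __name__ == "__main__":
    print(rows_are_permutations(), min_changed_bits(ONE_BIT), min_changed_bits(MIDDLE),
          min_changed_bits(FIRST_TWO), max_pairs_per_difference(), linear_fraction_range())
    for row in sac_matrix():
        print(row)
```

The entries of the SAC matrix for S1 are not all 1/2, so S1 meets the listed DES criteria without meeting the strict avalanche criterion exactly.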
Self-Assessment Questions
11. The only _______________ parts of DES are S-boxes.
12. __________________ pose more resistance to differential and linear
cryptanalysis.
13. GA stands for ___________________________________.
14. ____________________ is the final area of block cipher design.
3.7 Summary
Let us recapitulate the important concepts discussed in this unit:
• Many cryptographic protocol designs use block ciphers for encryption of
bulk data.
• Claude Shannon analyzed product ciphers as a means to effectively
improve security by combining operations like substitutions and
permutations.
• A stream cipher is one that performs encryption of a digital data stream
one bit or one byte at a time. Here a bit from a key stream is added to a
plaintext bit. E.g., Vigenere cipher, Vernam cipher.
• A block cipher is one in which a block of plaintext is treated as a whole
and used to produce a ciphertext block of equal length.
• Substitution: Each plaintext element or group of elements is uniquely
replaced by a corresponding ciphertext element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a
permutation of that sequence.
• Most symmetric block ciphers are based on a Feistel cipher structure,
which allows ciphertext to be decrypted efficiently to recover messages.
• A change in one bit of the plaintext or one bit of the key produces a
change in many bits of the ciphertext. This is referred to as the
avalanche effect.
• By exploiting the characteristics of the DES algorithm, it is possible to
perform cryptanalysis.
• Differential cryptanalysis is a complex attack.
• The DES design criteria focused on the design of the S-boxes and the
P function that takes the output of the S-boxes.
3.9 Answers
Self-Assessment Questions
1. Feistel block cipher
2. Block cipher
3. True
4. Avalanche effect
5. Data Encryption Standard
6. True
7. True
8. Timing
9. False
10. Linear cryptanalysis
11. Nonlinear
12. Larger S-boxes
13. Guaranteed avalanche
14. Key Schedule Algorithm
Terminal Questions
1. All symmetric block encryption algorithms used currently are based on a
structure called the Feistel block cipher. So, it is important for us to
study the design principles of the Feistel cipher. (Refer to section 3.2)
2. In any encryption algorithm, a change in one bit of the plaintext or one
bit of the key produces a change in many bits of the ciphertext. This is
known as the avalanche effect. (Refer to section 3.2)
3. A stream cipher is one that encrypts a digital data stream one bit or one
byte at a time. Here a bit from a key stream is added to a plaintext bit. A
block cipher is one in which a block of plaintext is treated as a whole
and used to produce a ciphertext block of equal length. Note that in this
case, an entire block of plaintext bits is encrypted at a time
with the same key. (Refer to section 3.2 for more details.)
4. The Data Encryption Standard (DES) is a block cipher that uses shared
secret encryption. (Refer to section 3.3 for more details.)
5. The differential cryptanalysis attack is complex. The reason is that it
observes the behavior of pairs of text blocks evolving along each round
of the cipher, rather than the evolution of a single text block.
The linear cryptanalysis attack is based on finding linear approximations to
describe the transformations performed in DES. (Refer to section 3.5 for
more details.)
6. One important characteristic of the S-box is its size. An n×m S-box has
n input bits and m output bits. DES has 6×4 S-boxes. The encryption
algorithm Blowfish has 8×32 S-boxes. (Refer to section 3.6 for more
details.)