Modern Block Ciphers

CSE 651: Introduction to Network

Security
Summary
Block Ciphers (Chapter 3)

Feistel Cipher Structure (Chapter 3)

DES: Data Encryption Standard (Ch. 3)

3DES (Ch 6.1)

AES: Advanced Encryption Standard (Ch.
5.2)
2
Monoalphabetic Substitution Cipher

Shuffle the letters and map each plaintext letter to a
different random ciphertext letter:

Plain letters: abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

What does a key look like?


3
Playfair Key Matrix
Use a 5 x 5 matrix.
Fill in letters of the key (w/o duplicates).
Fill the rest of matrix with other letters.
E.g., key = MONARCHY.
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
4
Vigenre Cipher
Simplest polyalphabetic substitution cipher
Consider the set of all Caesar ciphers:
{ C
a
, C
b
, C
c
, ..., C
z
}
Key: e.g. security
Encrypt each letter using C
s
, C
e
, C
c
, C
u
,

C
r
,
C
i
, C
t
, C
y
in turn.
Repeat from start after C
y
.
Decryption simply works in reverse.
5
Basic idea of modern block ciphers
From classical ciphers, we learn two techniques
that may improve security:
Encrypt multiple letters at a time
Use multiple ciphertext alphabets (Polyalphabetic
ciphers)
Combining these two techniques
encrypt eight (or more) letters at a time
called a block cipher
and use an extremely large number of ciphertext
alphabets
will be called modes of operation

1
Block Ciphers

In general, a block cipher replaces a block of N plaintext bits
with a block of N ciphertext bits. (E.g., N = 64 or 128.)
A block cipher is a monoalphabetic cipher.
Each block may be viewed as a gigantic character.
The alphabet consists of 2
N
gigantic characters.
Each particular cipher is a one-to-one mapping from the
plaintext alphabet to the ciphertext alphabet.
There are 2
N
! such mappings.
A secret key indicates which mapping to use.
7
Ideal Block Cipher

An ideal block cipher would allow us to use
any of these 2
N
! mappings.
The key space would be extremely large.
But this would require a key of log
2
(2
N
!) bits.

If N = 64,
log
2
(2
N
!) N x 2
N
10
21
bits 10
11
GB.

Infeasible!







8
Practical Block Ciphers
Modern block ciphers use a key of K bits to specify a
random subset of 2
K
mappings.

If K N,
2
K
is much smaller than 2
N
!
But is still very large.

If the selection of the 2
K
mappings is random, the
resulting cipher will be a good approximation of the
ideal block cipher.
Horst Feistel, in1970s, proposed a method to achieve
this.







9
The Feistel Cipher Structure
Input: a data block and a key
Partition the data block into two halves L and
R.
Go through a number of rounds.
In each round,
R does not change.
L goes through an operation that depends on R
and a round key derived from the key.
10
The Feistel
Cipher
Structure
i
|

Round i
+
f
L
i-1
R
i-1
k
i
L
i
R
i

Mathematical Description of
Round i
13

1 1
1
1 1
1
Let and be the input of round , and
and the output.
We have
:

( , )
:
:
( , )
Or, (
i i
i i
i i
i i
i
i
i i
i
i
L R
L R i
L R
L
L
R
R L F R K
|

-
-
=

- =
=
1
1 1
, where
: ( , ) ( , ).
: ( , ) ( , ).
Not
,
e
)
that and .

( , )
i
i
i
i
i
x y y
x y y x
x F y k
R
|

| |

- = =

Feistel Cipher
14
16 2 1
1 1 1 1
1 2 1
Goes through a number of rounds, say 16 rounds.
A Feistel cipher encrypts a plaintext block as:
: E ( ) : ( )
The decryption will be:
D ( )
k
k
m
c m m
c
| | |
| |

|

-
-
= =
-
=
1 1 1
6
1 2 16
( )
( )
The descryption algorithm is the same as the
encryption algorithm, but uses round keys in the
reverse order.
c
c

| | |

=
-
DES: The Data Encryption Standard
Most widely used block cipher in the world.
Adopted by NIST in 1977.
Based on the Feistel cipher structure with 16
rounds of processing.
Block = 64 bits
Key = 56 bits
What is specific to DES is the design of the F
function and how round keys are derived from
the main key.



15
Design Principles of DES
To achieve high degree of diffusion and
confusion.

Diffusion: making each plaintext bit affect
as many ciphertext bits as possible.

Confusion: making the relationship
between the encryption key and the
ciphertext as complex as possible.

1
DES Encryption
Overview
Round Keys Generation
Main key: 64 bits.
56-bits are selected and permuted using Permuted
Choice One (PC1); and then divided into two 28-bit
halves.
In each round:
Left-rotate each half separately by either 1 or 2
bits according to a rotation schedule.

Select 24-bits from each half, and permute the
combined 48 bits.
This forms a round key.
Permuted Choice One (PC1)
19
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Initial Permutation IP
IP: the first step of the encryption.
It reorders the input data bits.
The last step of encryption is the inverse of IP.
IP and IP
-1
are specified by tables (see
Stallings book, Table 3.2) or
http://en.wikipedia.org/wiki/DES_supplementar
y_material

Round i
+
F
L
i-1
R
i-1
k
i
L
i
R
i

32
48
32
32
22
( ) ( )
The and each have 32 bits, and the round key 48 bits.
The function, on input and , produces 32 bits:
( , )
where :
(
expands 32 bits o 4
)
t
The function of DES
L R K
F R K
F R K P S E K
E
R
F
=
-
-
8 bits;
: shrinks it back to 32 bits;
: permutes the 32 bits.
S
P
The F function of DES
The Expansion Permutation E

The S-Boxes
Eight S-boxes each map 6 to 4 bits
Each S-box is specified as a 4 x 16 table
each row is a permutation of 0-15
outer bits 1 & 6 of input are used to select one
of the four rows
inner 4 bits of input are used to select a
column
All the eight boxes are different.

26


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 6 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Box S
1
For example, S
1
(101010) = 6 = 0110.

0

1

2

3
Permutation Function P
1
P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Avalanche Effect
Avalanche effect:
A small change in the plaintext or in the key results in a
significant change in the ciphertext.
an evidence of high degree of diffusion and confusion
a desirable property of any encryption algorithm

DES exhibits a strong avalanche effect
Changing 1 bit in the plaintext affects 34 bits in the
ciphertext on average.
1-bit change in the key affects 35 bits in the ciphertext on
average.

29
Attacks on DES
Brute-force key search
Needs only two plaintext-ciphertext samples
Trying 1 key per microsecond would take 1000+ years on
average, due to the large key space size, 2
56
7.210
16
.

Differential cryptanalysis
Possible to find a key with 2
47
plaintext-ciphertext samples
Known-plaintext attack

Liner cryptanalysis:
Possible to find a key with 2
43
plaintext-ciphertext samples
Known-plaintext attack

30
DES Cracker
DES Cracker:
A DES key search machine
contains 1536 chips
Cost: $250,000.
could search 88 billion keys per second
won RSA Laboratorys DES Challenge II-2 by
successfully finding a DES key in 56 hours.
DES is feeling its age. A more secure
cipher is needed.
Multiple Encryption with DES

In 2001, NIST published the Advanced Encryption
Standard (AES) to replace DES.

But users in commerce and finance are not ready to give
up on DES.

As a temporary solution to DESs security problem, one
may encrypt a message (with DES) multiple times using
multiple keys:
2DES is not much securer than the regular DES
So, 3DES with either 2 or 3 keys is used
31
2DES
Consider 2DES with two keys:
C = E
K2
(E
K1
(P))

Decryption: P = D
K1
(D
K2
(C))

Key length: 56 x 2 = 112 bits


This should have thwarted brute-force attacks?

Wrong!
32
Meet-in-the-Middle Attack on 2DES
2-DES: C = E
K2
(E
K1
(P))





Given a known pair (P, C), attack as follows:

Encrypt P with all 2
56
possible keys for K1.

Decrypt C with all 2
56
possible keys for K2.

If E
K1
(P) = D
K2
(C), try the keys on another (P, C).

If works, (K1, K2) = (K1, K2) with high probability.

Takes O(2
56
) steps; not much more than attacking 1-DES.
33
E
K1

P C
E
K2

34
( )
( )
( )
( )
1 2 1
1 2 1
1 2
A straightforward implementation would be :
: ( )
In practice : : ( )
Also referred to as EDE encryption
Reason : if , then

3DE
3DES with 2 keys
k k k
k k k
c E E E m
c E D E m
k k
-
-
-
=
=
= S 1DES.
Thus, a 3DES software can be used as a single-DES.
Standardized in ANSI X9.17 & ISO 8732.
No practical attacks are known.

-
=
-
35
( )
( )
3 2 1
1 3
1 2 3
Encryption: : ( ) .
If , it becomes 3DES with 2 keys.
If , it becomes the regular DES.
So, it is backward compatible with both 3DES with 2 keys
and
3DES with 3 keys
k k k
c E D E m
k k
k k k
-
-
-
-
=
=
= =
the regular DES.
Some internet applications adopt 3DES with three keys;
e.g. PGP and S / MIME.
-
AES: Advanced Encryption
Standard
37
AES: Advanced Encryption Standard
In1997, NIST began the process of choosing a
replacement for DES and called it the
Advanced Encryption Standard.
Requirements: block length of 128 bits, key
lengths of 128, 192, and 256 bits.
In 2000, Rijndael cipher (by Rijmen and
Daemen) was selected.
An iterated cipher, with 10, 12, or 14 rounds.
Rijndael allows various block lengths.
But AES allows only one block size: 128 bits.
There are only two numbers : 0 and 1.
Addition, substraction and multiplication are as below:
0 1 0 1 0 1
0 0 1 0 0 1 0 0 0
1 1 0 1 1 0 1 0 1
Note: addition =
Modulo-2 Arithmetic
-
-
+
- substraction = XOR.
39
7 3
7
Each byte is viewed as a polynomial of degree 7.
Example: 10001001 1 ( ).
10000010 ( ).
Addition and substraction are simply b
Byte-oriented operations
a x x A x
b x x B x
s
= = + + =
= = + =
XOR:
10001001 10000010 00001011 ( ) ( ).
10001001 10000010 00001011
itwise
( ) ( ).
a b A x B x
a b A x B x
+ = = = +
= = = +
40
8 4 3
Multiplication ( ): "regular" polynomial multiplication ( )
modulo a fixed modulus ( ), where
( ) .
( ) ( ) mod ( )

1 100011011
Byte-oriented operations
P x x x x
P x
a b A x B x P x
x = + + + +

=
=

14 10 8 7 4
6 5 4 3 2
mod ( )
1
10001001 10000010 mod 100011011
= 100010110010010 mod 100011011
01111111
x x x x x x P x
x x x x x x
a b
= + + + + +
= + + + + + +
=
=
41
For any byte (viewed as a polynomial), there is
a unique byte (also viewed as a polynomial) such that
1.
This element is called the inverse of , and is

Byte-oriented operations
a
b
a b
b a
=
1
8
denoted by .
Mathematically, the set of all polynomials of degrees 7
forms a field, GF(2 ), under the operation of addition and
multiplication mod ( ), where ( ) is a fixed modulus.
a
P x P x

s
42
: block size (number of words). For AES, 4.
: key length (number of words).
: number of rounds, depending on , .
Assume: 4, 4, 10.
:
Structure of Rijndael
b b
k
r b k
b k r
N N
N
N N
sta
N
N N
e
N
t
=
= = =
0 1 10
a variable of 4 words, holding the data block,
viewed as a each column is a word.
Key schedule: 11 round keys , , ,
computed from the main key
4 4 matrix of byt
.
es;
key key key
k

43
( )
0
input: plaintext , key
1
2 AddKey( , )
3 for 1 to 1 do
4 SubBytes( )
5 ShiftRows( )
6 Mixcolumns( )
7
Rijndael algorithm
r
m k
state m
state key
i N
state
state
state

AddKey( , )
8 SubBytes( )
9 ShiftRows( )
10 AddKey( , )
11 return( )
r
i
N
state key
state
state
state key
state
44
Figure 5.1 AES Encryption and Decryption
45


AddKey( , )
i
i
state state key
state key

46
1
RD
1
RD
Each byte in the matrix is substituted with
another byte S ( ) .
The substitution S ( ) , called Rijndael's
S-box, is based on some mathematics in
SubBytes( )
z
z Az
stat
b
z Az
e
b
state

= +
= +
finite fields,
and can be specified as a table (Table 5.4 of Stallings).

47
8
1 8
1
1
That is, treat as an element in GF(2 ).
Find its multiplicative inverse in GF(2 ).
Now treat as a vector of 0/1.
Multiply with , and add the result to .
10001111
11

z
z
z
A z b
A

=
1
000111 1
11100011 0
11110001 0
and
11111000 0
01111100 1
00111110 1
00011111 0
b
| | | |
| |
| |
| |
= | |
| |
| |
| |
| |
\ . \ .
48
Left-shift row circularly by bytes, 0 3.

ShiftRows( )
i i i
a b c d a b c d
e f g h f g h e
i j k l k l i j
m n o p p m n o
state
s s
| | | |
| |
| |

| |
| |
\ . \ .
49
0 1 2 3
0 1 2 3
0
1
2
3
Operate on each column of the matrix.
Each column ( , , , ) is substituted with
( , , , ), where
02 03 01 01
01 02 03 01

01 0
MixColumns( )
a a a a a
b b b b
b
b
b
b
state
state
=
| |
|
|
=
|
|
\ .
0
1
2
3

1 02 03
03 01 01 02
Using finite-field multiplication and addition.
a
a
a
a
| | | |
| |
| |
| |
| |
\ . \ .
50
0 1 2 3
3 2
3 2 1 0
Operate on each column of the matrix.
Each column ( , , , ) is viewed as a
polynomial :
( ) +
A fixed polynomial: (
Math behind MixColumns( )
a a a a a
a x a
stat
x a x a x a
c
e
state
=
= + +
3 2
3 2
3 2 1 0
0 1 2 3 0 1 2 3
4
) 03 01 +01 02.
Compute ( ) +
=
( , , , ) is substituted with ( , , , )
( ) ( ) mod ( 1)
x x x x
b x b x b x b x b
a a a a b
a x c x x
b b b
= +
+
+
= + +
51
Each step of Rijndael encryption is invertible.
Rijndael Decryption
A Rijndael Animation by Enrique
Zabala
52