II: BLOCK CIPHERS
Ms. Stevina Correia
Block Ciphers
A block cipher is one in which a block of plaintext is
treated as a whole and used to produce a ciphertext
block of equal length.
Typically, a block size of 64 or 128 bits is used.
As with a stream cipher, the two users share a
symmetric encryption key
Using some of the modes of operation a block cipher
can be used to achieve the same effect as a stream
cipher.
Prof. Stevina Correia-DJSCOE
Block Cipher Principles
Stream Ciphers and Block Ciphers
The Feistel Cipher
The use of a cipher that alternates substitutions and
permutations.
Can have 3 components: self-invertible (XOR operation),
invertible (straight D-box) and non-invertible
(compression and expansion D-boxes).
Non-Feistel Ciphers
Use only invertible components.
Diffusion
Hide relationship between cipher text and plain text
Frustrate adversary who uses cipher text statistics to find plaintext
Confusion
Hide relationship between cipher text and key
Frustrate adversary who uses ciphertext to find key
Avalanche effect
A desirable property of any encryption algorithm is that a
small change in either the plaintext or the key should produce
a significant change in the ciphertext.
In particular, a change in one bit of the plaintext or one bit of
the key should produce a change in many bits of the
ciphertext. This is referred to as the avalanche effect.
Substitution or transposition
Modern block ciphers are designed as keyed
substitution ciphers, because transposition (which preserves
the number of 0s and 1s) makes a cipher vulnerable to
exhaustive search attacks.
To provide confusion and diffusion, a modern block
cipher is made up of a combination of transposition
units for diffusion (D-boxes: straight, compression,
expansion) and substitution units (S-boxes).
Modes of operation
To apply a block cipher in a variety of applications,
five modes of operation have been defined by NIST
(National Institute of Standards and Technology)
A mode of operation is a technique for enhancing the
effect of a cryptographic algorithm or adapting the
algorithm for an application, such as applying a block
cipher to a sequence of data blocks or a data stream.
Electronic Code Book (ECB)
A single key is used.
If Pi repeats, the corresponding Ci also repeats.
Suitable for encrypting small messages.
Cipher Block Chaining (CBC)
In ECB, if Pi repeats, the corresponding Ci also repeats.
CBC ensures that identical plaintext blocks yield
totally different Ci blocks.
CBC uses a feedback mechanism.
The IV (initialization vector) has no special meaning. It
is used to make each message unique.
The IV is randomly generated.
It is not necessary to keep the IV secret. But for
maximum security, both key and IV are kept secret.
Cipher Feedback Mode (CFB)
CFB is used in cases where data to be encrypted is
smaller than the predetermined block size n. (n=64
for DES, 128 for AES)
To encrypt an 8-bit (s-bit) ASCII character, instead of
using traditional ciphers, which are insecure, we use
AES/DES in CFB mode.
In CFB, the initialization vector (IV) is stored in a shift
register.
The IV is encrypted to produce the corresponding
ciphertext.
The leftmost s bits of the encrypted IV are XORed with the s
bits of the first plaintext block.
For each block (2 onwards), the shift register (IV) is
made by shifting the previous IV by s bits to the left and
filling the rightmost s bits with the previous ciphertext block.
Output Feedback Mode (OFB)
Similar to CFB.
In CFB, the shift register (IV) is made by shifting the
previous IV by s bits to the left and filling the
rightmost s bits with the previous ciphertext block.
In the case of OFB, the output of the IV encryption
process (not the ciphertext) is fed to the next stage.
Counter (CTR) mode
Counter1 = constant value
For each block an updated counter value is used.
The counter is generally incremented by 1.
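As an added example (not from the slides), the following Python code implements ECB, CBC and 8-bit CFB on top of a toy 4-round Feistel cipher that stands in for DES; the toy cipher and its hash-based round function are assumptions for illustration only and are not secure. It shows why equal plaintext blocks leak in ECB, how CBC feeds the previous ciphertext back, and how the CFB shift register is filled.

```python
import hashlib

BLOCK = 8  # 64-bit block, the DES block size used on the slides

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(subkey: bytes, half: bytes) -> bytes:
    # Feistel round function; it need not be invertible, so a keyed hash will do
    return hashlib.sha256(subkey + half).digest()[:4]

def feistel(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy 4-round Feistel cipher standing in for DES (assumption; NOT secure)."""
    subkeys = [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(4)]
    if decrypt:
        subkeys.reverse()  # decryption: same structure, round keys in reverse order
    L, R = block[:4], block[4:]
    for k in subkeys:
        L, R = R, xor(L, _f(k, R))
    return R + L  # undo the last swap, as DES does

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: blocks are encrypted independently, so equal Pi give equal Ci
    return b"".join(feistel(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block (IV first)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(feistel(key, c, decrypt=True), prev))
        prev = c
    return b"".join(out)

def cfb8_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # CFB with s = 8: the leftmost byte of E_K(shift register) is XORed with one byte,
    # then the register shifts left by 8 bits and the ciphertext byte fills the right end
    reg, out = iv, bytearray()
    for b in data:
        c = feistel(key, reg)[0] ^ b
        out.append(c)
        reg = reg[1:] + bytes([b if decrypt else c])  # feedback is always the ciphertext
    return bytes(out)
```

Because CFB only ever uses the forward function E_K, the same routine encrypts and decrypts; only the feedback byte differs.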
Data Encryption Standard
A real-life cryptographic algorithm
Used in ECB, CBC and CFB modes
Found vulnerable to very powerful attacks
How DES works?
DES is a block cipher
Encrypts data in blocks of 64 bits each
Key length is 56 bits
The same algorithm and key are used for encryption and decryption,
with minor differences
Initial Permutation
Happens only once, before the
1st round.
Replaces the 1st bit of the original
plaintext block with the 58th bit of the
original plaintext block
After IP, the resultant block is
divided into 2 half blocks (LPT
& RPT, 32 bits each)
16 rounds are performed on
these 2 blocks
There are 16 steps, each is called a round.
Each round performs the steps of substitution and
transposition.
Rounds
Each of the 16 rounds consists of the following steps:
Parity drop (compression
transposition step)
Actually the key is 64 bits.
Before the DES process starts, every 8th bit of the key
(8, 16, 24, 32, 40, 48, 56, 64) is discarded to produce
a 56-bit key.
A compression D-box is used for the parity drop.
Key Transformation:
Initial key: 64 bits -> discard every 8th bit -> 56-bit key -> a
different 48-bit round key is generated using key
transformation
Here, the 56-bit key is divided into 2 halves, 28 bits each
These halves are circularly shifted left depending upon
the round as follows:
The compression box (D-box / P-box) changes the 56 bits
to 48 bits.
The key transformation process involves permutation as well as
compression (8 bits are dropped: bit 18 and 7 more), hence it is called
compression permutation.
Table 6.14 Key-compression table
Expansion Permutation:
Recall that after IP, the resultant block is divided into 2
half blocks (LPT & RPT, 32 bits each)
During expansion permutation, RPT is expanded from 32
bits to 48 bits
This process involves permutation as well as expansion,
hence it is called expansion permutation
Process:
The 32-bit RPT is divided into 8 blocks (4 bits each)
Each 4-bit block is expanded to a 6-bit block
Table 6.6 Expansion D-box/ P-box table
Now, the 48-bit round key is XORed with the 48-bit expanded RPT
S-box Substitution:
Receives a 48-bit input and produces a 32-bit output using a
substitution technique (using 8 substitution boxes / S-boxes).
Each S-box takes a 6-bit input and produces a 4-bit output.
The 48 bits are divided into 8 sub-blocks (6 bits each). Each
sub-block is given to one of the 8 S-boxes.
An S-box is conceptually a table that has 4 rows (0-3) and 16
columns (0-15)
Eg:
1. The input to S-box 1 is 100011. What is the o/p?
2. The input to S-box 2 is 101101. What is the o/p?
S-boxes (substitution boxes)
P-Box Permutation/ straight permutation/
straight D-box
Just permuting the input 32 bits to obtain 32 bit output
XOR & Swap:
Steps 1-4 are done only on RPT. LPT is untouched yet.
LPT is XORed with the step 4 o/p (o/p of the P-box
permutation)
The result becomes the new RPT and the old RPT becomes LPT
Final permutation
At the end of 16 rounds final permutation is
performed (only once)
o/p of final permutation is the 64-bit encrypted
block
DES Decryption
The only difference between encryption and
decryption is the reversal of key portions.
If the original key K was divided into K1, K2, ..., K16
for the 16 encryption rounds, then for decryption the
keys should be used as K16, K15, ..., K1
Double DES
Double DES/ 2-DES suffers from meet in the
middle attack.
To overcome this triple DES/ 3-DES was
developed.
Meet in the Middle Attack
At first glance, it looks like double DES increases the number of tests for
key search from 2^56 (in single DES) to 2^112 (in double DES).
However, using a known-plaintext attack called meet-in-the-middle attack
proves that double DES improves this vulnerability slightly (to 2^57 tests),
but not tremendously (to 2^112).
The point is that the middle text, the text created by the first encryption or
first decryption, M, should be the same for encryption and decryption to
work. In other words, we have two relationships:
M = E_K1(P) and M = D_K2(C)
Triple DES
Triple DES with 2 keys
Triple DES
Triple DES with 3 keys
Cryptanalysis of DES
Brute Force
Best case: 1 attempt
Worst case: 2^n (n is the size of the key)
Average case: 2^(n-1)
Differential Cryptanalysis: uses a chosen plaintext
attack
The number of rounds and the S-boxes are designed to make DES resistant
against this type of attack.
It is shown that DES can be broken with 2^47 chosen
plaintexts or 2^55 known plaintexts (impractical).
Linear Cryptanalysis: uses known plaintext attacks
DES is more vulnerable to this type of attack
The S-boxes are not resistant to linear cryptanalysis
Can be broken using 2^43 pairs of known plaintext
(unlikely)
AES (Advanced Encryption Standard)
3 criteria for selecting AES:
Security, cost and implementation.
Features of AES:
Symmetric and parallel structure.
Stands up well against cryptanalysis attacks.
Adapted to modern processors.
Suited to smart cards.
AES is a non-Feistel cipher that encrypts and
decrypts a data block of 128 bits, or 16 bytes.
Data Units
Bit: 0,1
1 Byte: 8 bits
Word: 32 bits = 4 bytes
Block: 128 bits (AES)=16 bytes
State: the 16 bytes of a block treated as a 4*4 matrix of
bytes
Figure 7.4 Changing plaintext to state
Figure 7.1 General design of AES encryption cipher
Broad Steps (AES-128)
Generate round keys using key expansion
schedule
Actual rounds depending upon no. of rounds
Generate round keys using key expansion
schedule
No. of round keys = no. of rounds + 1
AES-128: #rounds = 10 => #round keys = 11
The original key of 16 bytes (128 bits) is expanded into a
key containing 11*16 bytes (176 bytes = 1408 bits),
i.e. 11 states (matrices) of 4*4 bytes
Key expansion schedule
The AES key expansion algorithm takes as input a
four-word (16-byte) key (original) and produces a
linear array of 44 words (176 bytes).
This is sufficient to provide a four word round key
for the initial AddRoundKey stage and each of the
10 rounds of the cipher.
The original key is copied into the first four words of
the expanded key.
The remainder of the expanded key is filled in four
words at a time.
Each added word w[i] depends on the immediately
preceding word, w[i - 1], and the word four positions
back, w[i - 4].
In three out of four cases, a simple XOR is used.
For a word whose position in the w array is a
multiple of 4, a more complex function is used.
Rotate: [B1, B2, B3, B4] -> [B2, B3, B4, B1]
Substitute: byte substitution using the S-box
Example
Suppose the 4-word key is as follows:
Byte position: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Value: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
W0 = 00 01 02 03, W1 = 04 05 06 07, W2 = 08 09 0A 0B, W3 = 0C 0D 0E 0F
W[4] = ?
Temp = W[3] = 0C 0D 0E 0F
Rotate(W[3]) = 0D 0E 0F 0C
SubWord(0D 0E 0F 0C) = D7 AB 76 FE
Add constant Rcon(i/4) = Rcon(1) = 01 00 00 00:
D7 AB 76 FE xor 01 00 00 00 = D6 AB 76 FE
W[4] = W[0] xor D6 AB 76 FE = D6 AA 74 FD
Actual rounds depending upon
#rounds
Each round consists of four distinct transformation
functions:
SubBytes, ShiftRows, MixColumns, and AddRoundKey
Pre round section uses only single transformation
(AddRoundKey) before the first round, which
can be considered Round 0.
The final round contains only three
transformations (SubBytes, ShiftRows, and
AddRoundKey)
Figure 7.5 Structure of each round at the encryption site
SubBytes (substitute bytes): provides the confusion effect
To substitute a byte, we interpret the byte as two
hexadecimal digits.
Predefined S-box is used
SubByte transformation table
InvSubByte transformation table
Example of subbyte
ShiftRows
In the encryption, the transformation is called
ShiftRows.
InvShiftRows
In the decryption, the transformation is called
InvShiftRows and the shifting is to the right.
MixColumns:
We need an interbyte transformation that changes the bits
inside a byte, based on the bits inside the neighboring
bytes. We need to mix bytes to provide diffusion at the bit
level.
Figure: Constant matrices used by MixColumns and InvMixColumns
Multiplication is performed over a Galois field.
Very complex, but it can be done easily with the use of 2 lookup
tables (L-table and E-table).
Numbers to be multiplied in MixColumns are written as 2-digit hex numbers (if a
single digit, prepend 0).
The 1st digit is read horizontally, the 2nd digit vertically.
Eg: AB*CD:
L(AB) + L(CD) = x
if x > FF, x = x - FF
result = E(x)
L table
E table
What is AF*08 over the Galois field?
L(AF) = B7
L(08) = 4B
B7 + 4B = 102 > FF
E(102 - FF = 03) = 0F
First row of MixColumns applied to the column [87, 6E, 46, A6]:
[2 3 1 1] * [87 6E 46 A6]^T
= 2*87 xor 3*6E xor 1*46 xor 1*A6
where each product is computed as E(L(02) + L(87)), etc.
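As an added example covering both the W[4] key-expansion worked example above and this MixColumns computation (not code from the slides), the following Python code multiplies in GF(2^8) by shift-and-reduce rather than with the L/E tables, derives the AES S-box from its definition (inverse plus affine map) so no table has to be typed in, and uses both for the AES-128 key schedule and one MixColumns column. All function names are my own.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) by shift-and-reduce (instead of L/E tables)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def sbox(x: int) -> int:
    """AES S-box entry: multiplicative inverse in GF(2^8), then the affine map."""
    inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    s = inv
    for _ in range(4):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
        inv = ((inv << 1) | (inv >> 7)) & 0xFF
        s ^= inv
    return s ^ 0x63

def expand_key_128(key: bytes) -> list:
    """AES-128 key schedule: 4 key words -> 44 round-key words (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01  # Rcon[1]; each later Rcon is the previous one times x in GF(2^8)
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:  # every 4th word: Rotate, SubWord, then XOR the round constant
            temp = [sbox(b) for b in temp[1:] + temp[:1]]
            temp[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

def mix_column(col: list) -> list:
    """One MixColumns column: multiply by the constant matrix [2 3 1 1; 1 2 3 1; ...]."""
    m = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
    out = []
    for row in m:
        acc = 0
        for c, b in zip(row, col):
            acc ^= gf_mul(c, b)  # e.g. 2*87 xor 3*6E xor 1*46 xor 1*A6 for the first row
        out.append(acc)
    return out
```

With the key 00 01 ... 0F from the slides, expand_key_128 returns W[4] = D6 AA 74 FD, matching the hand computation, and mix_column([0x87, 0x6E, 0x46, 0xA6]) starts with 47.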
AddRoundKey (XOR)
AddRoundKey proceeds one column at a time.
AddRoundKey adds a round key word with each state
column matrix; the operation in AddRoundKey is
matrix addition.
The AddRoundKey transformation is the
inverse of itself.
Avalanche Effect
DES and AES exhibit the avalanche effect.
AES exhibits a very strong avalanche effect.
The AES avalanche effect is stronger than that of DES.
Key Expansion in AES-192 and AES-256
Analysis of AES
Security
AES was designed after DES. Most known attacks on DES
were tested on AES; none has broken the security of AES.
Brute Force: 2^128 tests (minimum) to find the key
(impossible)
Statistical attack: strong confusion and diffusion are provided
by the SubBytes, ShiftRows and MixColumns transformations.
Differential and linear cryptanalysis: no such attacks on
AES yet.
Implementation
Can be implemented in software, hardware and firmware
Transformations can be byte oriented or word oriented.
Byte oriented: the algorithm can use an 8-bit processor.
Word oriented: a 32-bit processor.
Simplicity and Cost
Algorithms used in AES are simple and can be easily
implemented using cheap processors and minimum
amount of memory.