Cryptography II

Block ciphers and modes of operations

Block ciphers: getting the concept

n The input (binary bit string) is divided into

blocks of fixed length
n The encryption and decryption are applied on
each block
Plain text

key Encryption

Cipher text

2
Block ciphers: getting the concept
key 000 001 010 011 100 101 110 111
0 001 111 110 000 100 010 101 011
1 001 110 111 100 011 010 000 101
2 001 000 100 101 110 111 010 011
3 100 101 110 111 000 001 010 011
4 101 110 100 010 011 001 011 111

n Plaintext= 010100110111= (010)(100)(110)(111)

q è Ciphertext = 111 011 000 101 key=1
q è Ciphertext = 100 011 011 111 key=4
n There are 5 keys, 22 < 5 < 23 è need keys in 3 bits to
presentè key size= block size= 3.
n Small sizes are dangerous, however: If Eve catches C=001 è
can infer P= 000 or 101.

3
General condition in creating secure block
ciphers
n The block size has to be large enough to prevent
against statistical analysis
q However, larger block size means slower processing
n The key space (then key length) must be large
enough to prevent against exhaustive key search
q However, key length shouldn’t be too big that makes key
distribution and management more difficult

4
General principles in designing secure
block ciphers
n Confusion: As a function, the dependence of the
ciphertext on the plaintext should be complex enough
so that enemy can’t find the rules
q The function should be non-linear.
n Diffusion: The goal is to spread the information from
the plaintext over the entire ciphertext so that
changes in plaintext affect many parts in ciphertext
q This makes it difficult for an enemy to break the cipher by
using statistical analysis
n Confusion is made by usings substitutions while
diffusion by transpositions and/or permutations.

5
General principles in designing
secure block ciphers
n Confusion T =tt
' ' '
1 2
q Plaintext : T = t1t 2
M ' = m1' m2'
q Cipher text : M = m m
1 2

ìm1 = k11t1 + k12t 2 ìïm1' = k11t1' + k12t 2'

í í '
îm2 = k 21t1 + k 22t 2 ïîm2 = k 21t1' + k 22t 2'

ìm1 = k11t1 + k12t 2 ìm2 = k 21t1 + k 22t 2

í ' í '
m = k t '
+ k t ' m
î 2 = k t '
+ k t '
î 1 11 1 12 2 21 1 22 2

6
General principles in designing secure
block ciphers
n Confusion
q Solution: complex substitution

7
General principles in designing secure
block ciphers
n Diffusion
q Permutation + operation

c o m p u
t e r s e
c u r i t
uetpsimrroeuctcy
y computersecurity

xtgfncrjkthpucwx

8
Block cipher: main idea

n Block ciphers are usually designed with many

rounds where basic round accomplishes the core
function 𝑔 for basic confusion and diffusion.
q The input of a round is the output of the previous round and
a subkey which is generated by a key-schedule algorithm
n The decryption is a reverse process where the sub-
keys are handled in the reverse order

9
Substitution and Permutation network
(SPN)
n Key schedule algorithm
q Input: main key 𝐾
q Output: 𝑁! sub keys: {𝐾" , 𝐾 # , … , 𝐾$! }
n Round function 𝑤! ← 𝑥
q 𝑔(𝑤 !%" , 𝐾 ! ) 𝑤"← 𝑔 𝑤 !, 𝐾"
𝑤 #← 𝑔 𝑤", 𝐾 #
…..

𝑤 $!"# ← 𝑔 𝑤 $!"$ , 𝐾$!"#

𝑤 $! ← 𝑔 𝑤 $!"# , 𝐾$!
𝑦 ← 𝑤 $!

10
Substitution and Permutation network
(SPN)
n Block length: 𝑙×𝑚
n Round function
q Substitution: 𝜋&
n S-box: replacing 𝑙 bits with different set of other 𝑙 bits
q Permutation: 𝜋'
n P-box: permuting 𝑙𝑚 bits

𝑢! ← 𝑤 !"#⨁ 𝐾 !
𝑣 ! ← 𝜋$ (𝑢! ) An example of round 𝑟
𝑤 ! ← 𝜋% (𝑣 ! )

11
Substitution and Permutation network
(SPN)
n An example: 𝑆𝑃𝑁(𝑥, 𝜋! , 𝜋" , (𝐾 # , … , 𝐾$( %# ))
𝑤! ← 𝑥
For 𝑟 ← 1 to 𝑁% − 1
𝑢% ← 𝑤 %&" ⨁𝐾 %
For 𝑖 ← 1 to 𝑚 // divide into 𝑚 blocks, each of length 𝑙
𝑣'% ← 𝜋( (𝑣'% ) // substitution
end
𝑤 % ← 𝜋) 𝑣 % // permutation
End
For 𝑖 ← 1 to 𝑚
$ $
𝑣' ! ← 𝜋( (𝑣' ! )
$
𝑦 ← 𝑣' ! ⨁𝐾$! *"

12
 Substitution and Permutation network
(SPN)
n Exercise: 𝑙 = 𝑚 = 𝑁# = 4
z 0 1 2 3 4 5 6 7 8 9 A B C D E F
𝜋! (z) E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

z 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
𝜋" (z) 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 16
𝑤! ← 𝑥
For 𝑟 ← 1 to 𝑁" − 1
𝐾%= 0011 1010 1001 0100 𝑢" ← 𝑤 "#$ ⨁𝐾 "
For 𝑖 ← 1 to 𝑚
𝐾 &= 1010 1001 0100 1101 {𝑢$" , … , 𝑢%
" } ← 𝑢 " // divide into 𝑚 blocks, each of length 𝑙
𝐾 '= 1001 0100 1101 0110 𝑣& ← 𝜋' (𝑢&" ) // substitution
"

𝐾 (= 0100 1101 0110 0011 end

𝑣 " ← {𝑣$" , … , 𝑣%
" } // concatenation
𝐾 )= 1101 0110 0011 1111 𝑤 " ← 𝜋( 𝑣 " // permutation
End
Plain text 𝑢)! ← 𝑤 )! #$ ⨁𝐾)!
𝑥 = 0010 0110 1011 0111 For 𝑖 ← 1 to 𝑚 No permutation
)! )!
𝑣& ← 𝜋' (𝑢& )
𝑦 ← 𝑣 )! ⨁𝐾)! *$ No substitution and permutation 13
Substitution and Permutation network
(SPN)
n Exercise: 𝑙 = 𝑚 = 𝑁# = 4
𝒘𝟎 0010 0110 1011 0111 𝑲𝟑 1001 0100 1101 0110
𝑲𝟏 0011 1010 1001 0100 𝒖𝟑 1101 0101 0110 1110
𝒖𝟏 0001 1100 0010 0011 𝒗𝟑 1001 1111 1011 0000
𝒗𝟏 0100 0101 1101 0001 𝒘𝟑 1110 0100 0110 1110
𝒘𝟏 0010 1110 0000 0111 𝑲𝟒 0100 1101 0110 0011
𝑲𝟐 1010 1001 0100 1101 𝒖𝟒 1010 1001 0000 1101
𝒖𝟐 1000 0111 0100 1010 𝒗𝟒 0110 1010 1110 1001
𝒗𝟐 0011 1000 0010 0110 𝑲𝟓 1101 0110 0011 1111
𝒘𝟐 0100 0001 1011 1000 𝒚 1011 1100 1101 0110

14
Feistel structure
Plaintext

round 1 K1
L0 R0
Å f

L1 R1

…
round i Ki
𝐿0 = 𝑅0"# Å f
𝑅0 = 𝐿0"#⨁𝑓(𝑅0"#, 𝐾0 )
Li Ri

…
round n Kn
Å f

Ln Rn
Ln +1 Rn +1
Cipher text 15
Block Ciphers Features

n Block size: in general larger block sizes mean

greater security.
n Key size: larger key size means greater security
(larger key space).
n Number of rounds: multiple rounds offer increasing
security.
n Encryption modes: define how messages larger
than the block size are encrypted, very important for
the security of the encrypted message.

16
History of Data Encryption Standard
(DES)
n 1967: Feistel at IBM
q Lucifer: block size 128; key size 128 bit
n 1972: NBS asks for an encryption standard
n 1975: IBM developed DES (modification of Lucifer
q block size 64 bits; key size 56 bits
n 1975: NSA suggests modification
n 1977: NBS adopts DES as encryption standard in
(FIPS 46-1, 46-2).
n 2001: NIST adopts Rijndael as replacement to DES

17
DES Features

n Block size = 64 bits

n Key size = 56 bits
n Number of rounds = 16
q 16 sub keys, each 48 bits

18
DES Rounds

19
 DES encryption: A closer look
INPUT
64 Bits

IP

L0 32 Bits 32 Bits R0
K1
f

R1 = L0 Å f ( R0 , K 1 )
Decryption uses the same
L1 = R0 32 Bits 32 Bits

K2
algorithm as encryption,
f
except that the subkeys
L2 = R1
32 Bits 32 Bits
R2 = L1 Å f ( R1 , K 2 ) 𝐾1, 𝐾2, … 𝐾16 are applied in
f Ki reversed order

L15 = R14 32 Bits 32 Bits

R15 = L14 Å f ( R14 , K 15 )
f K 16
32 Bits 32 Bits
L16 = L15 + f ( R15 , K 16 ) R16 = R15

IP-1

64 Bits

OUTPUT
20
 DES: 𝑓 function

n 𝑅𝐸'&" is “expanded” to a bit-string of

length 48: 𝐸(𝐴)
n Compute 𝐸(𝐴) ⊕ 𝐾' and write the
result as the concatenation of eight 6-
bit strings 𝐵 = 𝐵1𝐵2𝐵3𝐵4𝐵5𝐵6𝐵7𝐵8
n Uses eight S-boxes 𝑆1, . . . , 𝑆8 and
compute 𝐶𝑗 = 𝑆𝑗 𝐵𝑗 , 1 ≤ 𝑗 ≤ 8
n The bitstring 𝐶 = 𝐶1𝐶2𝐶3𝐶4𝐶5𝐶6𝐶7𝐶8 of
length 32 is permuted according to a
fixed permutation 𝑃

21
DES: S-boxes

n Input: 𝐵 = 𝑏1𝑏2𝑏3𝑏4𝑏5𝑏6
n Output: 𝐶 = 𝑐#𝑐1𝑐2𝑐3𝑐4𝑐5
n Two bits 𝑏1𝑏6 determine the binary representation of a
row 𝑟 of 𝑆𝑗
n the four bits 𝑏2𝑏3𝑏4𝑏5 determine the binary
representation of a column 𝑐 of 𝑆𝑗

22
Modes of Operation (Encryption modes)
(optional)
n Mode of operation (or encryption mode):
q A block cipher algorithm takes on a fixed-length input, i.e. a block,
and produce an output, usually a block of the same fixed-length.
q In practice, we want to encrypt files of various length è need to
divide a file into block of that given fixed length è then call the
encryption algorithms several times
q Operation mode: the manner and structure in which we feed the
encryption algorithm (several times) with blocks of the plaintext
file and concatenate the resulted blocks to produce the ciphertext
file.
n The popular modes:
q ECB, CBC, OFB, CFB

n We now overview the properties of certain modes (privacy,

integrity) and potential attacks against them.

23
Electronic Code Book (ECB)
n Each block is independently encoded

n Problem:
q Identical Inputè Identical Output
n Deterministic: the same data block gets encrypted the same way,
reveals patterns of data when a data block repeats.

24
ECB critics

n Weakness: Replay/Manipulation attack

q Can insert encoded blocks
q Reordering ciphertext results in reordered
plaintext.
n Strength:
q Errors in one ciphertext block do not propagate.
n Usage:
q not recommended to encrypt more than one block
of data
q Encryption in database

25
Cipher Block Chaining (CBC)

n Improving on ECB: think of adding a random

number before encoding

26
CBC (cont.)

n The main idea:

q Use Ci as random number block operation for i+1
q So, need a so called Initial Value (IV)
n If no IV, then one can guess changed blocks

27
CBC critics
n Good
q Randomized encryption: repeated text gets mapped to
different encrypted data.
n Can be proven to be “secure” assuming that the block cipher
has desirable properties and that random IV’s are used
q A ciphertext block depends on all preceding plaintext
blocks
n reorder affects decryption
n Bad
q Errors in one block propagate to two blocks
n one bit error in Cj affects all bits in Mj and one bit in Mj+1
q Sequential encryption, cannot use parallel hardware
q Observation: if Ci=Cj then Ek (MiÅCi-1) = Ek (MjÅCj-1); thus
MiÅCi-1 = MjÅCj-1; thus MiÅ Mj = Ci-1 ÅCj-1

28
Cipher Feedback (CFB)

n The message is XORed with the feedback of

encrypting the previous block

29
CFB critics

n Good
q Randomized encryption
q A ciphertext block depends on all preceding plaintext
blocks; reorder affects decryption
n Bad
q Errors propagate for several blocks after the error, but the
mode is self-synchronizing (like CBC).
q Sequential encryption

30
Output Feedback (OFB)

n IV is used to generate a stream of blocks

n Stream is used a one-time pad and XOR'ed to plain text

31
OFB critics

n Randomized encryption
n Sequential encryption, but preprocessing
possible
n Error propagation limited

32