Modern Block Ciphers

CSE 651: Introduction to Network Security

Summary

• Block Ciphers (Chapter 3)

• Feistel Cipher Structure (Chapter 3)

• DES: Data Encryption Standard (Ch. 3)

• 3DES (Ch 6.1)

• AES: Advanced Encryption Standard (Ch. 5.2)

2

Monoalphabetic Substitution Cipher

• Shuffle the letters and map each plaintext letter to a different random ciphertext letter:

Plain letters: abcdefghijklmnopqrstuvwxyzCipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplaceletters

Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

• What does a key look like?

3

Playfair Key Matrix

• Use a 5 x 5 matrix.

• Fill in letters of the key (w/o duplicates).

• Fill the rest of matrix with other letters.

• E.g., key = MONARCHY.

MM OO NN AA RR

CC HH YY BB DD

EE FF GG I/JI/J KK

LL PP QQ SS TT

UU VV WW XX ZZ

4

Vigenère Cipher

• Simplest polyalphabetic substitution cipher• Consider the set of all Caesar ciphers:

{ Ca, Cb, Cc, ..., Cz }• Key: e.g. security• Encrypt each letter using Cs, Ce, Cc, Cu, Cr,

Ci, Ct, Cy in turn. • Repeat from start after Cy. • Decryption simply works in reverse.

5

Basic idea of modern block ciphers

• From classical ciphers, we learn two techniques that may improve security:– Encrypt multiple letters at a time– Use multiple ciphertext alphabets (Polyalphabetic

ciphers)

• Combining these two techniques– encrypt eight (or more) letters at a time

• called a block cipher

– and use an extremely large number of ciphertext alphabets

• will be called modes of operation

1

Block Ciphers

• In general, a block cipher replaces a block of N plaintext bits with a block of N ciphertext bits. (E.g., N = 64 or 128.)

• A block cipher is a monoalphabetic cipher.• Each block may be viewed as a gigantic character.• The “alphabet” consists of 2N gigantic characters.• Each particular cipher is a one-to-one mapping from the

plaintext “alphabet” to the ciphertext “alphabet”.• There are 2N! such mappings.• A secret key indicates which mapping to use.

7

Ideal Block Cipher

• An ideal block cipher would allow us to use any of these 2N! mappings.

– The key space would be extremely large.

• But this would require a key of log2(2N!) bits.

• If N = 64,

log2(2N!) ≈ N x 2N ≈ 1021 bits ≈ 1011 GB.

• Infeasible!8

Practical Block Ciphers

• Modern block ciphers use a key of K bits to specify a random subset of 2K mappings.

• If K ≈ N, – 2K is much smaller than 2N!

– But is still very large.

• If the selection of the 2K mappings is random, the resulting cipher will be a good approximation of the ideal block cipher.

• Horst Feistel, in1970s, proposed a method to achieve this.

9

The Feistel Cipher Structure

• Input: a data block and a key• Partition the data block into two halves L and

R.• Go through a number of rounds.• In each round,

– R does not change.

– L goes through an operation that depends on R

and a round key derived from the key.

10

The Feistel Cipher Structure

i

Round i

+

f

Li-1 Ri-1

ki

Li Ri

Mathematical Description of Round i

13

1 1

1

1 1

1

Let and be the input of round , and

and the output.

We have

:

( , )

:

:

( , )

Or, (

i i

i i

i i

i i

i

i

i i

i

iL R

L R i

L R

L

L

R

R L F R K

1

1 1

, where

: ( , ) ( , ).

: ( , ) ( , ).

Not

,

e

)

that and .

( , )i

i

i

i

i

x y y

x y y x

x F y k

R

Feistel Cipher

14

16 2 1

1 1 1 11 2 1

Goes through a number of rounds, say 16 rounds.

A Feistel cipher encrypts a plaintext block as:

: E ( ) : ( )

The decryption will be:

D ( )

k

k

m

c m m

c

11 16

1 2 16

( )

( )

The descryption algorithm is the same as the

encryption algorithm, but uses round keys in the

reverse order.

c

c

DES: The Data Encryption Standard

• Most widely used block cipher in the world. • Adopted by NIST in 1977.• Based on the Feistel cipher structure with 16

rounds of processing.• Block = 64 bits• Key = 56 bits • What is specific to DES is the design of the F

function and how round keys are derived from the main key.

15

Design Principles of DES

• To achieve high degree of diffusion and confusion.

• Diffusion: making each plaintext bit affect as many ciphertext bits as possible.

• Confusion: making the relationship between the encryption key and the ciphertext as complex as possible.

1

DES Encryption Overview

Round Keys Generation

• Main key: 64 bits.• 56-bits are selected and permuted using Permuted

Choice One (PC1); and then divided into two 28-bit halves.

• In each round:

– Left-rotate each half separately by either 1 or 2 bits according to a rotation schedule.

– Select 24-bits from each half, and permute the combined 48 bits.

– This forms a round key.

Permuted Choice One (PC1)

19

57 49 41 33 25 17 91 58 50 42 34 26 18

10 2 59 51 43 35 2719 11 3 60 52 44 3663 55 47 39 31 23 15

7 62 54 46 38 30 2214 6 61 53 45 37 2921 13 5 28 20 12 4

Initial Permutation IP

• IP: the first step of the encryption.

• It reorders the input data bits.

• The last step of encryption is the inverse of IP.

• IP and IP-1 are specified by tables (see Stallings book, Table 3.2) or http://en.wikipedia.org/wiki/DES_supplementary_material

Round i

+

F

Li-1 Ri-1

ki

Li Ri

32

483232

22

The and each have 32 bits, and the round key 48 bits.

The function, on input and , produces 32 bits:

( , )

where :

(

expands 32 bits o 4

)

t

The function of DES

L R K

F R K

F R K P S E K

E

R

F

8 bits;

: shrinks it back to 32 bits;

: permutes the 32 bits.

S

P

The F function of DES

The Expansion Permutation E

The S-Boxes

• Eight S-boxes each map 6 to 4 bits • Each S-box is specified as a 4 x 16 table

– each row is a permutation of 0-15– outer bits 1 & 6 of input are used to select one

of the four rows – inner 4 bits of input are used to select a

column

• All the eight boxes are different.

26

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

0 15 7 4 14 2 13 1 10 6 12 11 6 5 3 8

4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

Box S1

• For example, S1(101010) = 6 = 0110.

0

1

2

3

Permutation Function P

1

P

16 7 20 21

29 12 28 17

1 15 23 26

5 18 31 10

2 8 24 14

32 27 3 9

19 13 30 6

22 11 4 25

Avalanche Effect

• Avalanche effect:– A small change in the plaintext or in the key results in a

significant change in the ciphertext.

– an evidence of high degree of diffusion and confusion

– a desirable property of any encryption algorithm

• DES exhibits a strong avalanche effect– Changing 1 bit in the plaintext affects 34 bits in the

ciphertext on average.

– 1-bit change in the key affects 35 bits in the ciphertext on average.

29

Attacks on DES

• Brute-force key search– Needs only two plaintext-ciphertext samples

– Trying 1 key per microsecond would take 1000+ years on average, due to the large key space size, 256 ≈ 7.2×1016.

• Differential cryptanalysis– Possible to find a key with 247 plaintext-ciphertext samples

– Known-plaintext attack

• Liner cryptanalysis: – Possible to find a key with 243 plaintext-ciphertext samples

– Known-plaintext attack

30

DES Cracker• DES Cracker:

– A DES key search machine

– contains 1536 chips

– Cost: $250,000.

– could search 88 billion keys per second

– won RSA Laboratory’s “DES Challenge II-2” by successfully finding a DES key in 56 hours.

• DES is feeling its age. A more secure cipher is needed.

Multiple Encryption with DES

• In 2001, NIST published the Advanced Encryption

Standard (AES) to replace DES.

• But users in commerce and finance are not ready to give

up on DES.

• As a temporary solution to DES’s security problem, one

may encrypt a message (with DES) multiple times using

multiple keys:

– 2DES is not much securer than the regular DES

– So, 3DES with either 2 or 3 keys is used31

2DES

• Consider 2DES with two keys:

C = EK2(EK1(P))

• Decryption: P = DK1(DK2(C))

• Key length: 56 x 2 = 112 bits

• This should have thwarted brute-force attacks?

• Wrong!

32

Meet-in-the-Middle Attack on 2DES

• 2-DES: C = EK2(EK1(P))

• Given a known pair (P, C), attack as follows:

– Encrypt P with all 256 possible keys for K1.

– Decrypt C with all 256 possible keys for K2.

– If EK1’(P) = DK2’(C), try the keys on another (P’, C’).

– If works, (K1’, K2’) = (K1, K2) with high probability.

– Takes O(256) steps; not much more than attacking 1-DES.

33

EK1P CEK2

34

1 2 1

1 2 1

1 2

A straightforward implementation would be :  

         : ( )

In practice :  : ( )

Also referred to as EDE encryption

Reason : if , then

3DE

3DES with 2 keys

k k k

k k k

c E E E m

c E D E m

k k

S 1DES. 

Thus, a 3DES software can be used as a single-DES.

Standardized in ANSI X9.17 & ISO 8732.

No practical attacks are known.

35

3 2 1

1 3

1 2 3

Encryption:  : ( ) .

If , it becomes 3DES with 2 keys.

If , it becomes the regular DES.

So, it is backward compatible with both 3DES with 2 keys

and

3DES with 3 keys

k k kc E D E m

k k

k k k

the regular DES.

Some internet applications adopt 3DES with three keys;

e.g. PGP and S / MIME.

AES: Advanced Encryption Standard

37

AES: Advanced Encryption Standard

• In1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.

• Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits.

• In 2000, Rijndael cipher (by Rijmen and Daemen) was selected.

• An iterated cipher, with 10, 12, or 14 rounds. • Rijndael allows various block lengths. • But AES allows only one block size: 128 bits.

There are only two numbers : 0 and 1.

Addition, substraction and multiplication are as below:

0 1 0 1 0 1

0 0 1 0 0 1 0 0 0

1 1 0 1 1 0 1 0 1

Note: addition =

Modulo-2 Arithmetic

substraction = XOR.

39

7 3

7

Each byte is viewed as a polynomial of degree 7.

Example: 10001001 1 ( ).

10000010 ( ).

Addition and substraction are simply b

Byte-oriented operations

a x x A x

b x x B x

XOR:

10001001 10000010 00001011 ( ) ( ).

10001001 10000010 00001011

itwise

( ) ( ).

a b A x B x

a b A x B x

40

8 4 3

Multiplication ( ): "regular" polynomial multiplication ( )

modulo a fixed modulus ( ), where

( ) .

( ) ( ) mod ( )

1 100011011

Byte-oriented operations

P x x x x

P x

a b A x B x P x

x

14 10 8 7 4

6 5 4 3 2

mod ( )

1

10001001 10000010 mod 100011011

= 100010110010010 mod 100011011

01111111

x x x x x x P x

x x x x x x

a b

41

For any byte (viewed as a polynomial), there is

a unique byte (also viewed as a polynomial) such that

1.

This element is called the inverse of , and is

Byte-oriented operations

a

b

a b

b a

1

8

denoted by .

Mathematically, the set of all polynomials of degrees 7

forms a field, GF(2 ), under the operation of addition and

multiplication mod ( ), where ( ) is a fixed modulus.

a

P x P x

42

: block size (number of words). For AES, 4.

: key length (number of words).

: number of rounds, depending on , .

Assume: 4, 4, 10.

:

Structure of Rijndael

b b

k

r b k

b k r

N N

N

N N

sta

N

N N

e

N

t

0 1 10

a variable of 4 words, holding the data block,

viewed as a each column is a word.

Key schedule: 11 round keys , , ,

computed from the main key

4 4 matrix of byt

.

es;

key key key

k

43

0

input: plaintext , key

1 2 AddKey( , ) 3 for 1 to 1 do 4 SubBytes( ) 5 ShiftRows( ) 6 Mixcolumns( ) 7

Rijndael algorithm

r

m k

state mstate key

i Nstatestatestate

AddKey( , ) 8 SubBytes( ) 9 ShiftRows( ) 10 AddKey( , )

11 return( )r

i

N

state keystatestate

state key

state

44

Figure 5.1 AES Encryption and Decryption

45

AddKey( , )

i

i

state state key

state key

46

1RD

1RD

Each byte in the matrix is substituted with

another byte S ( ) .

The substitution S ( ) , called Rijndael's

S-box, is based on some mathematics in

SubBytes( )

z

z Az

stat

b

z Az

e

b

state

finite fields,

and can be specified as a table (Table 5.4 of Stallings).

47

8

1 8

1

1

That is, treat as an element in GF(2 ).

Find its multiplicative inverse in GF(2 ).

Now treat as a vector of 0/1.

Multiply with , and add the result to .

1000111111

z

z

z

A z b

A

1000111 1

11100011 011110001 0 and 11111000 001111100 100111110 100011111 0

b

48

Left-shift row circularly by bytes, 0 3.

ShiftRows( )

i i i

a b c d a b c d

e f g h f g h e

i j k l k l i j

m n o p p m n o

state

49

0 1 2 3

0 1 2 3

0

1

2

3

Operate on each column of the matrix.

Each column ( , , , ) is substituted with

( , , , ), where

02 03 01 01

01 02 03 01

01 0

MixColumns( )

a a a a a

b b b b

b

b

b

b

state

state

0

1

2

3

1 02 03

03 01 01 02

Using finite-field multiplication and addition.

a

a

a

a

50

0 1 2 3

3 23 2 1 0

Operate on each column of the matrix.

Each column ( , , , ) is viewed as a

polynomial :

( ) +

A fixed polynomial: (

Math behind MixColumns( )

a a a a a

a x a

stat

x a x a x a

c

e

state

3 2

3 23 2 1 0

0 1 2 3 0 1 2 3

4

) 03 01 +01 02.

Compute ( ) +

=

( , , , ) is substituted with ( , , , )

( ) ( ) mod ( 1)

x x x x

b x b x b x b x b

a a a a b

a x c x x

b b b

51

Each step of Rijndael encryption is invertible.

Rijndael Decryption

A Rijndael Animation by Enrique Zabala

52