Session 3: Secret key cryptography – block ciphers – part 1

Session 3: Secret key cryptography – block

ciphers – part 1

Block ciphers - definition

Block cipher encryption provides confidentiality by transforming a plaintext message into a ciphertext message, by means of a special function.

The precise function implemented by the block cipher is determined by a secret key.


The principal difference between a stream cipher and a block cipher:• A stream cipher contains memory, embodied

in its current state.

• A block cipher is memoryless outside its current block and therefore has no current state.


Block ciphers operation:• A plaintext message is partitioned into a

series of blocks.

• These blocks are then encrypted one block at a time.

A block cipher can also be used as a component in a stream cipher, message authentication codes (MACs), hash functions, and signature schemes.


Block cipher encryption is a form of symmetric-key encryption.

Both transmitter and receiver of the ciphertext have knowledge of the secret key.

Example: the substitution cipher, and the transposition cipher are essentially block ciphers.


A block cipher is a vectorial Boolean function E : {0, 1}K × {0, 1}N → {0, 1}N that takes two inputs:• a K-bit key k ;

• an N-bit plaintext P.

It returns an N-bit ciphertext C = E(k, P).


For any block cipher, and any key k, the function Ek is a permutation on {0, 1}N.

This means that it is a bijection - a one-to-one mapping of {0, 1}N to {0, 1}N.

Since it is a bijection, it has an inverse, Since E is invertible, decryption is

possible.

1kE


Both the cipher and its inverse E−1 should be easily computable:• Given k, P, we can compute E(k, P).

• Given k, C, we can compute E−1(k,C).

The key k should be chosen uniformly at random.

Block ciphers - design

The aim of the block cipher design is to make it practically impossible to retrieve the plaintext from the ciphertext without knowledge of the K-bit secret key.

Since decryption is only possible if the encryption function is invertible (i.e. if it is a bijection) the choice of possible N-bit block ciphers is restricted to one of (2N)! block ciphers.


Of all these (2N)! block ciphers, only 2K are used, because of the parameterization by the key.

In practice, these 2K block ciphers that are actually used constitute an infinitesimally small fraction of (2N)! possible block ciphers.

Example: N=3, K=2 A 3-bit block cipher with 2 bits of key. There are (2N)! = 8! = 40320 possible

permutations, of which only 2K = 22 = 4 permutations are used.

Let these permutations be:

• k=00, p0=(4,6,1,8,5,7,3,2)

• k=01, p1=(5,2,7,1,8,6,4,3)

• k=10, p2=(8,6,2,1,3,4,5,7)

• k=11, p3=(3,8,6,2,4,7,5,1)

Example (cont.)

Let us choose k=00, which means:• k=00, p0=(4,6,1,8,5,7,3,2)

• or:

The corresponding block cipher, Ek:

Addr. Value

0 010

1 111

2 110

3 000

4 100

5 001

6 101

7 011

23758164

876543210p

Example (cont.)

The inverse permutation:• P0’=(3,8,7,1,5,2,6,4)

• or:

The corresponding inverse block cipher, Ek

-1:

Addr. Value

0 011

1 101

2 000

3 111

4 100

5 110

6 010

7 001

46251783

87654321'0p

Example (cont.)

Let us encipher X=101. The corresponding address is 5. Y=Ek(X)=Ek(5)=001. Deciphering: Y=001. The corresponding address is 1. Ek

-1(Y)=Ek-1(1)= 101=X.


The problem of block cipher design:• determine which set of 2K block ciphers to

choose such that, for an unknown fixed key, it is virtually impossible to say anything about the ciphertext resulting from a known or chosen plaintext;

• given prior knowledge of a few plaintext/ciphertext pairs it should be impossible to say anything about the fixed key.


Any effective block cipher scheme must be realized efficiently in time and space, with as little implementation cost as possible.

The practical trade-off is to design a block cipher which is both sufficiently secure, and satisfactorily efficient in terms of hardware/software space and time resources.


A block cipher with a secret key is considered perfect if, for all plaintexts P and ciphertexts C, it holds that Pr(P|C)=Pr(P).

If, for a fixed K-bit key, an N-bit block cipher is used to encrypt K/N plaintexts, then the cipher can always be chosen to be the one-time pad.

In this special case, the encryption is provably secure and the block cipher is perfect.


In most situations the one-time pad is impractical as far too many secret keys must be used.

Therefore it is highly desirable to securely encrypt T plaintexts using the same, fixed K-bit secret key, where T >> K/N .


Most modern block ciphers seek to maximize T, whilst still achieving an acceptable security.

This is achieved via a combination of:• confusion, which makes the relationship between key

and ciphertext as complicated as possible, and

• diffusion, which seeks to eliminate any redundancy in the plaintext. Diffusion also makes it difficult for any attacker to partially approximate the cipher.


Confusion:• The relation between the key and the

ciphertext must be as complex as possible.

• Thus, the statistics of the ciphertext is not significantly influenced by the plaintext statistics.

• Confusion is achieved by means of substitution (through non linear functions, so called S boxes).


Diffusion:• Diffusion annihilates the influence of the

redundancy of the plaintext on the ciphertext.

• It is achieved by making every letter of the ciphertext dependent on as much plaintext letters as possible (by means of linear transformations such as permutations).


Theoretically, the ideal block cipher, from a security viewpoint, would involve one very large, well-chosen N-bit Substitution Box (S-Box), keyed by K key bits and,

ideally, it would be impossible to decompose this S-box into smaller sub-units.

Such a block cipher would have a huge implementation complexity.


Any practical block cipher combines relatively small sub-units to confuse (S-boxes) and diffuse (linear transformation layers) the plaintext.

These sub-units are applied iteratively as keyed rounds, parameterized by sub-keys, which are derived from the master K-bit key.

This decomposition into practical sub-units constitutes a trade-off between security and acceptable complexity.


A key-schedule is needed to derive round keys from a master key.

It is an accepted design principle that encryption using a block cipher, selected via a randomly-chosen key, should look like encryption by a randomly-chosen invertible function over N bits.


Basic design types of block ciphers:• Feistel ciphers

• Substitution-permutation networks.

Both design philosophies have their advantages and disadvantages.

It is possible to combine these design types in a single block cipher (rarely used, e.g. SC2000).

There is no agreement about the best design philosophy for block ciphers.

Feistel ciphers

A basic Feistel cipher takes 2t plaintext bits, and is a permutation, F, which uses m round permutations, Fi:

Where ◦ is a composition of functions, i.e.

110 mFFFF

xGFxGxF

Feistel ciphers

Round i acts on t bits, R (right), by means of the keyed nonlinear function, fi, and XORs the result with other t bits, L (left).

The L and R halves are then swapped. After the i-th round, we have:

[L’ R’] becomes the new input [L,R] to the round i + 1.

RfLRRLFRL ii , , ','

Feistel ciphers F and the Fi must be permutations, but

the fi need not be. It takes two rounds before all plaintext

bits have been acted on in a nonlinear way.

In the decryption process, the same functions are used, but with the round keys used in reverse order.

Feistel ciphers Example of a round:

Feistel ciphers

Examples of Feistel design:• LUCIFER (author: Horst Feistel)

• DES (Data Encryption Standard)

• MISTY1

• KASUMI (used in UMTS)

• CAMELLIA

• FEAL

• etc.

Substitution-permutation networks A substitution-permutation network (SPN)

separates the role of confusion and diffusion in the cipher.

The cipher is also decomposed into iterative rounds.

Each round comprises a layer of non linear functions (often S-boxes), followed by a linear layer (often a permutation).

The non linear layer provides the confusion. The linear layer provides the diffusion.

Substitution-permutation networks

The separating of the tasks of confusion and diffusion allows the designer to maximise nonlinearity for the non linear layer, and maximise information spread for the diffusion layer.

Examples of SPN design:• AES (Rijndael) (Advanced Encryption Standard)

• IDEA

• etc.

Non linear transformations

Non linearity in block ciphers is usually introduced by means of tables, so called S-boxes.

There are also designs without explicit S-boxes. Instead, integer addition and multiplication, discrete logarithm and exponentiation, etc. are used (examples of such ciphers are IDEA, RC6, etc.)


S-boxes can be very simple. For example, S-boxes of Rijndael and Camellia are essentially X-1 over GF(28).

Regarding the relation with the key, S-boxes can be• Key dependent

• Key independent.


Almost perfect non linear functions (APN) – resistant to certain attacks against block ciphers (differential and linear cryptanalysis):• Let f(x) be a mapping: GF(pn)→GF(pn).

• Let N(a,b) denote the number of solutions xGF(pn) of the equation f(x+a)–f(x)=b, a,b GF(pn).

• Let f = max{N(a,b) | a,bGF(pn), a≠0}.


For linear functions, f(x+a)=f(x)+f(a). So, f(x+a)-f(x)=f(x)+f(a)-f(x)=f(a). Thus for linear functions b=f(a), which

means that every x satisfies the equation.

A completely contrary case: only 1 solution of the equation – the “most nonlinear” function f(x).


If f =k , the mapping is called differentially k uniform.

For applications in cryptography, f should be as small as possible.

If p is odd, there exist functions for which f = 1 → perfect nonlinear functions (PN).

Functions of the form f(x)=xd over GF(pn), p prime, are of special interest.


Theorem 1:• f(x)=xd is a mapping over GF(pn), p>2.

• Then f(x) is 1-uniform (PN) in the following cases:• d=2;

• d=pk+1, n/(n,k) is odd;

• d=(3k+1)/2, p=3, k odd, (n,k)=1.

Since for the most interesting case, p=2, PN functions do not exist, we use APN.


APN functions → f = 2. For p = 2, if x is a solution of f(x+a)-

f(x)=b, so is x+a. Thus f = 2 is the smallest possible value

when p=2. This means that the restricted meaning of

“almost” is not justified in this case.


Theorem 2:• f(x)=xd is a mapping over GF(2n).

• Then f(x) is APN in the following cases:

• n=2m+1:• d=2n-2;

• d=2k+1, (n,k)=1, 1km; (Gold’s function)

• d=22k-2k+1, (n,k)=1, 2km; (Kasami’s function)

• d=2m+3; (Welch’s function)

• d=2m + 2m/2 − 1 (even m), 2m + 2(3m+1)/2 − 1 (odd m); (Niho’s function)


Theorem 2 (cont.):• n=2m:

• d=2k+1, (n,k)=1, 1km; (Gold’s function)

• d=22k-2k+1, (n,k)=1, 2km; (Kasami’s function).

An exponent d’ is equivalent to d if there is t such that d’=2td.

An S-box can be obtained by means of a linear transform of a power function xd of this type.

The Hamming weight of d is equal to the non linear order of the S-box obtained from xd.


Example: Use the Kasami exponent to design a 7-bit S-box.• n=7, m=3, 2k3.

• Let us choose k=2. (2,7)=1.

• Then d=22k-2k+1 = 24-22+1=13.

• The Hamming weight of d=1310=11012 is 3, so the non linear order of the S-box will be 3.

• We now pick an irreducible polynomial of degree n=7, f(x)=x7+x+1.


Example (cont.):• We also pick polynomials a(x) and b(x) at

random, deg a(x)<n, deg b(x)<n. For example, let a(x)=x5+x4+x+1, b(x)=x4+x.

• The general linear function F(x)=ax+b is used to transform xd linearly, i.e. S(x)=F(x)◦xd=F(xd)=axd+b, a,b,xGF(27).

• Thus, the S-box is S(x)=a(x)xd+b(x) mod f(x), x=0,…,2n-1.


Example (cont.):• For any primitive element , the field elements

of GF(27) determined by f(x)=x7+x+1 are:0=1→0000001 7= +1 →000011

1= →0000010 8= 2+ →0000110

2= 2 →0000100 9= 3+2 →0001100

3= 3 →0001000 10= 4+3 →0011000

4= 4 →0010000 11= 5+4 →0110000

5= 5 →0100000 12= 6+5 →1100000

6= 6 →1000000 13= 6++1 →1000011 …


Example (cont.):• Then (i)13= (i13) mod 127:

• (0)13=1→0000001

• (1)13=13= 6++1→1000011

• (2)13=26= 6+5+2+1→1100101

• (3)13=39= 5+4+3+ →0111010

• …

• (10)13=130 mod 127=3→0001000

• …


Example (cont.):• Every (i)d= (id) mod 127 should now be multiplied

by a(x) mod f(x) and b(x) is added to the result. So we finally get:0=0000001→a(x)+b(x)→ 5+1→01000011=0000010→ ((x5+x4+x+1)(x6+x+1)+(x4+x)) mod

(x7+x+1) →5+3+2→0101100

• The addresses should be given in the increasing order, from 0000000 to 1111111, and the corresponding values of S are given for every address → S-box.

Commonly used designs

Feistel ciphers:• DES (triple DES, etc.)

• KASUMI

• …

Substitution-permutation networks:• Rijndael (AES)

• IDEA

• …

DES

The block cipher most implemented in practice is (still, as triple DES) DES (Data Encryption Standard), introduced in USA by NBS (National Bureau of Standards) in 1974.

The length of the block in this cipher is 64 bits and the length of the key is 56 bits.

DES works alternatively over two halves of the block to be enciphered.

DES First, an initial fixed permutation of the input

block is performed. Then the block is divided into two halves. After that, a modular operation is realized 16

times (“rounds"). This operation consists of summing modulo 2 the

left part with a function of the right part F(Ki), managed by the subkey Ki, i=1,…,16, where i is the ordinal number of the round.

After that, the left and the right parts are interchanged.

DES The initial permutation is represented in the following

way in the standard FIPS 46-3: 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 This means that the 58th bit of input becomes the 1st

bit of output, 50th bit of input becomes the 2nd bit of output, etc.

DES

DES

In the round 16 the interchange is omitted. There is a final permutation, inverse to the

initial one. DES realizes an involution and because of that

it is not necessary to invert the function F in the deciphering algorithm.

The function F contains non linear operations.

DES The final permutation: 40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25 The 40th bit of input becomes the 1st bit of output, etc.

DES

DES

The expansion algorithm from 32 to 48 bits:

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1 The first bit of the resulting 48 bit vector

is the 32nd bit of the input vector, etc.

DES The function F is a set of following operations:

• The first manipulation consists of producing a vector of 48 bits from the initial 32 bits by means of a linear expansion.

• Next, the local key of 48 bits is combined with the obtained vector by means of the sum modulo 2, bit by bit.

• Thus another vector of 48 bits is obtained, which is divided in 8 groups of 6 bits each.

• Each group serves as input to 8 functions called S-boxes.• These boxes are responsible for the non linearity of DES.• The output of each S-box are 4 bits. • When a single input bit is changed, at least 2 output bits

are changed.

DES

S1 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

DES

S2 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

DES

S3 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

DES

S4 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

DES

S5 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

DES

S6 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

DES

S7 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

DES

S8 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

DES

Addressing of the DES S-boxes:• Let the addressing 6-tuple for any S-box be

b1b2b3b4b5b6.

• The bits b1b6 determine the row of the S-box.

• The bits b2b3b4b5 determine the column of the S-box.

• Example:

• Let the addressing 6-tuple of the 3rd S-box be 001001.

• The row is 01, which means the 2nd row, since 00 is the first row.

• The column is 0100, which means the 5th column, since the numbering starts from 0000.

DES

Finally, the information passes through a "P-box", which is a fixed permutation, chosen in such a way that a maximum diffusion of bits is achieved through the whole 32 bit vector.

The P-box: 16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25 16th bit of input becomes the 1st bit of output,

etc.

DES

Although DES handles 64 bit keys, the first operation that is realized in the process of key expansion is their reduction to 56 bits, by eliminating one bit of every 8 bits.

Then the remaining bits are reordered. Next, 16 subkeys necessary in the 16

rounds of the algorithm are obtained.

DES The reordering key permutation: 57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4 57th bit of input becomes the 1st bit of output, etc.

Every 8th bit of the initial 64 bit key is dropped.

DES During the deciphering process, the subkeys are used in

the reverse order. The subkeys are generated in the following way:

• First, the key of 56 bits is divided in two halves of 28 bits each.

• Then, the halves are rotated left 1 or 2 bits, depending on the round. Rotating left a number of positions depending on the round is recursive, which means that the initial vector for the i-th round is the output vector of the (i-1)st round.

• After the rotation, the halves are reunited, obtaining again 16 groups of 56 bits.

• Next, 48 bits of each group are selected to form the final 16 subkeys, in the process denominated "permutation with compression".

DES Iteration Number Number of Left Shifts

1 1 2 1 3 2 4 2 5 2 6 2 7 2 8 2 9 1 10 2 11 2 12 2 13 2 14 2 15 2 16 1

DES The choice of 48 bits of the i-th subkey from

the corresponding 56 bits: 14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32

DES

For deciphering, DES should run backwards, which means that K16 subkey is used in the first round, K15 in the second, …, K1 in the 16th round.

Triple DES – mode 1

The data is encrypted with the first key, then encrypted with the second key, and finally encrypted with the third key.

Triple DES – mode 2

The data is encrypted with the first key, then decrypted with the second key, and finally encrypted again with the first key.

Goal: compatibility with a single DES.

Triple DES - security

Equivalent key length:• Of Double DES – only 57 bits (so called Meet-

in-the-middle attack is possible that reduces the size of the key from 112 to 57 bits).

• Of Triple DES – 112 bits, instead of 168 bits, but this is an acceptable length.

Session 3: Secret key cryptography – block ciphers – part 1

Documents

possible block ciphers

corresponding block

block ciphers definitionboth

block ciphers definitionfor

block ciphers designof

current block

stream cipher

substitution cipher