Modern Block Ciphers

CSCI 5857: Encoding and Encryption

Outline

• Binary blocks and keys• The XOR function• Structure of modern round cipher• Permutation and Substitution boxes

Block Ciphers

• Long plaintext messages broken up into blocks

• Encryption substitutes n bit block of ciphertext for n bit block of plaintext– Example: 11010010 10001011 01000111

01101011 10010110 10110001

• Key question: Good block size– 8 bits too small: just maps one ASCII character to

another (monoalphabetic cipher)– Usually 64, 128, 256, or 512 bits

Binary Keys

• Key: Binary number 32 to 256 bits long

• Minimum size now 128 bits to defeat exhaustive search attacks

• Amount of information stored by key is limited

(128 bit key equivalent to 16 ASCII characters)

Substitution and Block Ciphers

• Standard binary key insufficient to represent even simple monoalphabetic substitution cipher– Example: Block size 64 bits– 264 possible blocks, each of which needs a

corresponding ciphertext block listed– Key: 264 x 64 bits long >> 256 bits for normal binary key– Number of mappings with 256-bit key

<< all possible mappings of 64 bit blocks

Transposition and Binary Text

Transposition ciphers of binary text easy to break• Small alphabet reduces distinguishable permutations

– 11001011 encrypted with 70351264 11001011

• Example: 64-bit ciphertext block with 8 1’s and 56 0’s

– Only (64 x 63 x 62 x 61 x 60 x 59 x 58 x 57)/ (8 x 7 x 6 x 5 x 4 x 3 x 2 x 1) = 4,426,165,368 combinations of 8 1’s and 56 0’s

– Easily broken with exhaustive search (each successive block reduces number of possible combinations)

Binary Functions

• Since both text and key binary, can use binary function to encrypt/decrypt

• Example: AND function– Plaintext: 1001101110101100– Key: 1101100011001010– Ciphertext: 1001100010001000

Invertible Binary Functions

• Problem: Binary function must be invertible• Otherwise, cannot uniquely decrypt message• AND not invertible

– Plaintext: ? could be either 1 or 0 – Key: 0– Ciphertext: 0

???

Exclusive Or Function (XOR)

• Definition:

• 1 if operands not equal0 if operands equal

P K C = P K

1 1 0

1 0 1

0 1 1

0 0 0

Plaintext

Key

Ciphertext

XOR is Invertible

• XOR is its own inverse: C = P K P = C K

C = P K K P must be:

1 1 0

1 0 1

0 1 1

0 0 0

Plaintext

Ciphertext

Plaintext

Ciphertext

Key

encryption

decryption

XOR and Block Ciphers• Most modern block ciphers use XOR to

produce ciphertext from plaintext and key Simple Example (8 bit key and blocks):• Encryption:

Plaintext: 10010101 00100110 01110101Key: 10100110 10100110 10100110Ciphertext: 00110011 10000000 01010011

• Decryption:Ciphertext: 00110011 10000000 01010011Key: 10100110 10100110 10100110Plaintext: 10010101 00100110 01110101

XOR Alone is Breakable

• K = P C • Key can be computed from single known plaintext

“This is too easy!”

Plaintext

Key

Ciphertext

Confusion and Diffusion

• Diffusion:– Hiding relationship between plaintext and ciphertext– Changing one plaintext bit should change many bits

in ciphertext

• Confusion:– Hiding relationship between ciphertext and key– Changing one key bit should change many characters

in ciphertext

Product Cipher

• Substitution and permutation can be used to add diffusion and confusion

Plaintext

Key

CiphertextSubstitution permutation

Substitution permutation

adds diffusion

adds confusion

Substitution permutation

Invertibility

• Transformations on plaintext must be invertible• Transformations on key do not

– Don’t care if can’t recover key from ciphertext

Plaintext

Key

CiphertextSubstitution permutation

Substitution permutation

Must be invertible

Does not have to be invertible

Substitution permutation

Rounds in Product Cipher

• Most ciphers have many rounds of substitution, permutation, and XOR

• Maximizes diffusion

P

key 1

Csubst/perm

round 1

key 2

subst/perm

round 2

key n

subst/perm

round n

…

Key Generation• Most ciphers generate separate round keys from

main key using substitution/permutation

P

round key 1

Csubst/perm

round 1

round key 2

subst/perm

round 2

round key n

subst/perm

round n

…

main key K

subst/perm subst/perm subst/perm…

Keyless Ciphers• Substitution/permutation not based on key

– “Hardwired” into cipher– Assume known by adversary

• Simply used to add diffusion/confusion

subst/perm

round i

subst/perm

… …P C

K

“I know this, but still can’t figure out what P and K are”

P-Boxes for Permutation

• Number in box gives position of corresponding input bit in output

• Example: 16-bit P-Box

12 7 1 8 15 11 2 5 16 4 13 10 9 3 14 6

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Input1 1 0 1 0 1 0 1 0 0 0 1 0 1 1 0

1 0 1 1 1 0 1 0 0 1 0 0 0 0 1 1 Output

Invertible P-Boxes• P-Box invertible if each input maps to one and only

one output– Example: Same 16-bit P-Box

– Swap numbers and indices

– Resort by indices

12 7 1 8 15 11 2 5 16 4 13 10 9 3 14 6

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

12 7 1 8 15 11 2 5 16 4 13 10 9 3 14 6

3 7 14 10 8 16 2 4 13 12 6 1 11 15 14 9

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Shift and Swap P-Boxes

• Shift Box moves inputs over by some n bits– May be circular, shifting bits at end to beginning– Example: 8-bit right circular shift box

• Swap box swaps two or more blocks of bits– Example: swapping two adjacent 4-bit blocks

8 1 2 3 4 5 6 7

5 6 7 8 1 2 3 4

Compression/Expansion P-Boxes

• Compression P-Box:Not all inputs map to an output

• Example: 8 x 6 P-Box– 8 inputs, only 6 outputs– Note that inputs 3 and 5 do not map to an output

7 4 1 8 6 2

Compression/Expansion P-Boxes

• Expansion P-Box:Some inputs map to multiple outputs

• Example: 8 x 12 P-Box– 8 inputs, 12 outputs– Note that inputs 1, 4, 5, and 7 map to two different

outputs

6 5 1 8 7 2 7 4 5 3 1 4

Compression/Expansion P-Boxes• Compression and Expansion P-Boxes not invertible

– Compression boxes lose information– Can invert expansion box only if output has identical

values corresponding to inputs that are duplicated• 1010 11234 11010• ? 11234 10010

• Used primarily in key generation– Example: Creating 16 32-bit round keys from single

128-bit key

S-Boxes for Substitution• Map blocks of plaintext to ciphertext

– Example: 3 x 3 S-Box

– Often simplify by making “2 dimensional”Example: First bit of input determines row of output

Input 000 001 010 011 100 101 110 111Output 011 101 111 100 000 010 001 110

00 01 10 11

0 011 101 111 100

1 000 010 001 110

Invertible S-Boxes• Must have same number of inputs and outputs

– Example: 3 x 2 compression S-Box

• Each output must be unique

00 01 10 11

0 00 10 01 11

1 10 00 11 01

Input 000 001 010 011 100 101 110 111Output 011 101 111 100 011 010 001 110