BLOCK CIPHER PRINCIPLES
KEY POINTS
* A block cipher is an encryption/decryption scheme in
which a block of plaintext is treated as a whole and used
to produce a ciphertext block of equal length.
* Many block ciphers have a Feistel structure. Such a
structure consists of a number of identical rounds of
processing. In each round, a substitution is performed on
one half of the data being processed, followed by a
permutation that interchanges the two halves. The
original key is expanded so that a different key is used for
each round.
* The Data Encryption Standard (DES) has been the
most widely used encryption algorithm until recently.
It exhibits the classic Feistel structure. DES uses a 64bit block and a 56-bit key.
* Two important methods of cryptanalysis are
differential cryptanalysis and linear cryptanalysis. DES
has been shown to be highly resistant to these two
types of attack.
Stream Ciphers and Block Ciphers
A stream cipher is one that encrypts a digital data stream one
bit or one byte at a time. Examples of classical stream ciphers are
the auto keyed Vigenere cipher and the Vernam cipher.
A block cipher is one in which a block of plaintext is treated as
a whole and used to produce a ciphertext block of equal length.
Typically, a block size of 64 or 128 bits is used. Using some of the
modes of operation, a block cipher can be used to achieve the
same effect as a stream cipher.
Majority of the network based symmetric cryptographic
applications make use of block ciphers.
Block Cipher Principles
Most symmetric block encryption algorithms in current use are
based on a structure referred to as a Feistel block cipher.
Motivation for the Feistel Cipher Structure
A block cipher operates on a plaintext block of n bits to produce
a ciphertext block of n bits. There are 2n possible different plaintext
blocks and, for the encryption to be reversible (i.e., for decryption to
be possible), each must produce a unique ciphertext block. Such a
transformation is called reversible, or nonsingular.
The following example illustrate nonsingular and
singular transformation for n = 2.
In the latter case, a ciphertext of 01 could have been produced
by one of two plaintext blocks. So if we limit ourselves to
reversible mappings, the number of different transformations is
2n!
A 4-bit input produces one of 16 possible input states, which is
mapped by the substitution cipher into a unique one of 16
possible output states, each of which is represented by 4
ciphertext bits. The encryption and decryption mappings can be
defined by a tabulation, as shown in Table below.
This is the most general form of block cipher and can be used to
define any reversible mapping between plaintext and cipertext.
Feistel refers to this as the ideal block cipher, because it allows
for the maximum number of possible encryption mappings (2n)
from the plaintext block
If a small block size, such as n = 4, is used, then the system is
equivalent to a classical substitution cipher. Such systems, are
vulnerable to a statistical analysis of the plaintext. This
weakness is not inherent in the use of a substitution cipher but
rather results from the use of a small block size. If n is
sufficiently large and arbitrary reversible substitution between
plaintext and ciphertext is allowed, then the statistical
characteristics of the source plaintext are masked to such an
extent that this type of cryptanalysis is infeasible.
An arbitrary reversible substitution cipher (the ideal block
cipher) for a large block size is not practical from an
implementation and performance point of view. For such a
transformation, the mapping itself constitutes the key
Consider again Table above, which defines one particular
reversible mapping from plaintext to ciphertext for n = 4. The
mapping can be defined by the entries in the second column,
which show the value of the ciphertext for each plaintext block.
This, in essence, is the key that determines the specific mapping
from among all possible mappings. In this case, using this
straightforward method of defining the key, the required key
length is (4 bits) x (16 rows) = 64 bits. In general, for an n-bit ideal
block cipher, the length of the key defined in this fashion is n X 2n
bits. For a 64-bit block, which is a desirable length to thwart
statistical attacks, the required key length is 64 X 264 = 270 = 1021
bits.
The Feistel Cipher
Horst Feistel proposed that we can approximate the ideal
block cipher by utilizing the concept of a product cipher, which is
the execution of two or more simple ciphers in sequence in such
a way that the final result or product is cryptographically
stronger than any of the component ciphers.
The essence of the approach is to develop a block cipher with
a key length of k bits and a block length of n bits, allowing a total
of 2k possible transformations.
Feistel proposed the use of a cipher that alternates
substitutions and permutations. In fact, this is a practical
application of a proposal by Claude Shannon to develop a product
cipher that alternates confusion and diffusion functions.
Diffusion and Confusion The terms diffusion and confusion
were introduced by Claude Shannon to capture the two basic
building blocks for any cryptographic system.
Shannon's concern was to thwart cryptanalysis based on
statistical analysis. The reasoning is as follows. Assume the attacker
has some knowledge of the statistical characteristics of the
plaintext.
For example, in a human-readable message in some language,
the frequency distribution of the various letters may be known. THE
MOST FREQUENTLY USED CHARACTERS ARE E, T, O, AND A. Or
there may be words or phrases likely to appear in the message (TH,
HE, IN, ER, AN, RE, ED, ON, ES, ST, THE, ING, AND, HER, ERE, ENT,
THE or probable words). If these statistics are in any way reflected
in the ciphertext, the cryptanalyst may be able to deduce the
encryption key, or part of the key, or at least a set of keys likely to
contain the exact key.
Shannon suggests two methods for frustrating statistical
cryptanalysis: diffusion and confusion. In diffusion, the statistical
structure of the plaintext is dissipated into long-range statistics of
the ciphertext. This is achieved by having each plaintext digit affect
the value of many ciphertext digits, generally this is equivalent to
having each ciphertext digit be affected by many plaintext digits.
The mechanism of DIFFUSION seeks to make the statistical
relationship between the plaintext and ciphertext as complex as
possible in order to thwart attempts to deduce the key.
DIFFUSION is achieved by using the transposition techniques also
known as permutation techniques.
The mechanism of CONFUSION seeks to make the relationship
between the statistics of the ciphertext and the value of the
encryption key as complex as possible, to thwart attempts to
discover the key.
Thus, even if the attacker can get some handle on the statistics of
the ciphertext, the way in which the key was used to produce that
ciphertext is so complex as to make it difficult to deduce the key.
This is achieved by the use of a complex substitution algorithm. In
contrast, a simple linear substitution function would add little
confusion. (CONFUSION is achieved through the use of
substitution techniques/mechanism).
Feistel Cipher Structure
Figure in the next slide depicts the structure proposed by Feistel:
The inputs to the encryption algorithm are a plaintext block of
length 2w bits and a key K.
The plaintext block is divided into two halves, L0 and R0. The two
halves of the data pass through n rounds of processing and then
combine to produce the ciphertext block.
Each round i has as inputs Li-1 and Ri-1 derived from the previous
round, as well as a subkey Ki derived from the overall key K.
In general, the subkeys Ki are different from K and from each-other.
Feistel Cipher Structure
All rounds have the same structure. A substitution is performed
on the left half of the data. This is done by applying a round
function F to the right half of the data and then taking the
exclusive-OR of the output of that function and the left half of the
data.
The round function has the same general structure for each
round but is parameterized by the round subkey Ki. Following this
substitution, a permutation is performed that consists of the
interchange of the two halves of the data.
This structure is a particular form of the SubstitutionPermutation Network (SPN) proposed by Shannon.
The exact realization of a Feistel network depends on the
choice of the following parameters and design features:
Block size: Larger block sizes mean greater security (all other
things being equal) but reduced encryption/decryption speed for
a given algorithm. The greater security is achieved by greater
diffusion. Traditionally, a block size of 64 bits has been considered
a reasonable tradeoff and was nearly universal in block cipher
design. However, the new AES uses a 128-bit block size.
* Key size: Larger key size means greater security but may
decrease encryption/decryption speed. The greater security is
achieved by greater resistance to brute-force attacks and greater
confusion. Key sizes of 64 bits or less are now widely considered
to be inadequate, and 128 bits has become a common size.
* Number of rounds: The essence of the Feistel cipher is that a
single round offers inadequate security but that multiple rounds
offer increasing security. A typical size is 16 rounds.
* Subkey generation algorithm: Greater complexity in this
algorithm should lead to greater difficulty of cryptanalysis.
* Round function: Again, greater complexity generally means
greater resistance to cryptanalysis.
There are two other considerations in the design of a Feistel
cipher:
*
Fast software encryption/decryption: In many cases,
encryption is embedded in applications or utility functions in such
a way as to preclude a hardware implementation. Accordingly, the
speed of execution of the algorithm becomes a concern.
*
Ease of analysis: Although we would like to make our
algorithm as difficult as possible to cryptanalyze, there is great
benefit in making the algorithm easy to analyze. That is, if the
algorithm can be concisely and clearly explained, it is easier to
analyze that algorithm for cryptanalytic vulnerabilities and
therefore develop a higher level of assurance as to its strength.
DES for example does not have an easily analysed functionality.
Feistel Decryption Algorithm
The process of decryption with a Felstel cipher is essentially the
same as the encryption process.
The rule is as follows:
Use the ciphertext as input to the algorithm, but use the subkeys Ki
in reverse order. That is, use Kn in the first round, Kn-1 in the
second round, and so on until K1 is used in the last round.
This is a nice feature because it means we need not implement two
different algorithms, one for encryption and one for decryption.