Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system.
— Lexar Corporation, “An Evaluation of the DES”, 1976.
Block Ciphers

Block ciphers
❖ Stream ciphers
  • Encrypt small (bit or byte) units one at a time
  • Everything we have seen so far
  • Require less buffering
❖ Block ciphers
  • Encrypt large chunks (64+ bits) at once
  • Must buffer enough to get a block before encrypting
❖ There are ways to convert block ciphers to stream ciphers and vice versa

Block cipher
❖ Consider a block cipher with 64-bit blocks
❖ $2^{64}$ possible plaintext blocks ➠ must have at least $2^{64}$ corresponding ciphertext blocks
  • There are $2^{64}!$ possible mappings
❖ Why not just create a random mapping?
  • Need a $2^{64}$ entry 64-bit table ≈ $10^{21}$ bits
  • At $30/TB (for disk), this costs $37.5 billion!
  • And would require about 200 million disks…
  • Need to distribute new table if compromised
❖ Instead, approximate ideal random mapping using components controlled by a key

Goals: diffusion and confusion
❖ Diffusion
  • Small change in plaintext changes lots of ciphertext
  • Statistical properties of plaintext hidden in ciphertext
❖ Confusion
  • Statistical relationship between key and ciphertext as complex as possible
  • Described by Claude Shannon in 1945
➡ Need to design functions that produce output that is diffuse and confused

Feistel cipher structure
❖ Encrypt in rounds
  • Input to each round is split
      $L_0$ = left half of input
      $R_0$ = right half of input
  • For each round:
      $L_i = R_{i-1}$
      $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
❖ Substitution: S-box
❖ Permutation: P-box
❖ Proceed for $n$ rounds
❖ After final round, undo last permutation
      $C = R_n \| L_n$
[Figure: one Feistel encryption round. Labels: Plaintext, Round, $K_i$, Substitution, Permutation, $L_{i-1}$, $R_{i-1}$, F, ⊕, $L_i$, $R_i$]

Decryption
❖ Inputs to decryption engine
  • $LD_0$ = left half of ciphertext
  • $RD_0$ = right half of ciphertext
❖ For each round
  • $LD_i = RD_{i-1}$
  • $RD_i = LD_{i-1} \oplus F(RD_{i-1}, K_{n-i+1})$
❖ Repeat for $n$ rounds
❖ Last round
  • $P = RD_n \| LD_n$
[Figure: one Feistel decryption round. Labels: Plaintext, Round, $K_n$, Substitution, Permutation, $LD_{i-1}$, $RD_{i-1}$, F, ⊕, $LD_i$, $RD_i$]
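The round equations from the Feistel cipher structure and Decryption slides, as an added Python example that is not part of the original slides. The SHA-256-based round function `F`, the key schedule, and the helper names (`round_keys`, `feistel`, `avalanche`) are assumptions chosen for illustration; this is a toy 64-bit cipher, not DES.

```python
import hashlib

HALF_BITS = 32                      # 64-bit block split into two 32-bit halves
MASK = (1 << HALF_BITS) - 1

def round_keys(key, n=16):
    """Assumed key schedule for this demo: K_i = SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, n + 1)]

def F(r, k):
    """Toy round function (assumption): truncated hash, not invertible."""
    data = k + r.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def feistel(block, keys):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i) per key,
    then emit R_n || L_n."""
    left, right = block >> HALF_BITS, block & MASK
    for k in keys:
        left, right = right, left ^ F(right, k)
    return (right << HALF_BITS) | left

def encrypt(block, key, n=16):
    return feistel(block, round_keys(key, n))

def decrypt(block, key, n=16):
    # Same engine; only the round-key order changes: K_n, ..., K_1.
    return feistel(block, round_keys(key, n)[::-1])

def avalanche(block, key, bit, n=16):
    """Count ciphertext bits that differ when one plaintext bit is flipped."""
    diff = encrypt(block, key, n) ^ encrypt(block ^ (1 << bit), key, n)
    return bin(diff).count("1")

if __name__ == "__main__":
    KEY = b"constructed-demo-key"   # constructed sample key
    PT = 0x0123456789ABCDEF         # constructed sample plaintext block
    ct = encrypt(PT, KEY)
    print(f"ciphertext {ct:016x}, decrypts back: {decrypt(ct, KEY) == PT}")
    for n in (1, 2, 4, 16):         # diffusion grows with the round count
        print(n, "rounds:", avalanche(PT, KEY, 63, n), "of 64 bits changed")
```

Decryption works even though `F` cannot be inverted, because each round only XORs its output into the other half. With a single round, flipping a bit in the left half changes exactly one ciphertext bit, which is why multiple rounds are needed for diffusion.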

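Multiple Rounds
❖ The entire round is a function:
      $f_K(L \| R) = R \| (L \oplus F(R, K))$
      $\mathrm{swap}(L \| R) = R \| L$
❖ $E = \mathrm{swap} \circ \mathrm{swap} \circ f_{K_r} \circ \mathrm{swap} \circ f_{K_{r-1}} \circ \dots \circ f_{K_2} \circ \mathrm{swap} \circ f_{K_1}$
❖ $D = f_{K_1} \circ \mathrm{swap} \circ f_{K_2} \circ \dots \circ f_{K_{r-1}} \circ \mathrm{swap} \circ f_{K_r} \circ \mathrm{swap} \circ \mathrm{swap}$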
