Block Ciphers

From the document Image and Video Encryption (pages 42-46)

CRYPTOGRAPHY PRIMER

3. Block Ciphers

Secret-key ciphers fall into two groups: block ciphers and stream ciphers. For a block cipher the unit of operation is a block of data whose size depends on the actual cipher; common values are 64 and 128 bits, sometimes larger. Older ciphers use smaller blocks, whereas modern ciphers prefer larger block sizes. A block cipher takes one block of input data, transforms it (under some key) into an output block of the same size, and then proceeds to the next block. Stream ciphers operate on a continuous stream of undetermined size; some process the data bit by bit, others byte by byte.

One advantage of block ciphers is speed: modern processors possess large register banks with long registers and can process a whole block, or a large part of it, with single instructions. The block size also matters for security. As every bit of the input influences the output, the number of possible output blocks doubles with every bit, so a 64- or 128-bit block cannot be attacked by tabulating or "guessing" blocks the way an 8-bit block could. Note that this is separate from exhaustive key search, whose cost is governed by the key length, not the block length.

The drawback is that the underlying data must be organised in chunks which have the size of the encryption block. If this is not the case, the data must be padded with some additional data. An example is an encrypted remote login session where the user types keys on the local keyboard and each keystroke is transmitted over a network to the remote host: one byte typed by the user plus 7 bytes of padding (for a 64-bit block) is of course not efficient. Sometimes padding is not possible at all. Imagine an application using a record set with fixed-length fields: a piece of data smaller than the block size must be padded, but the padded result does not fit into the record any more.

3.1 Sidestep: XOR

In the following we will often refer to the XOR operation. It is very popular in cryptology because it is its own inverse function:

  input 1   input 2   output
     0         0        0
     0         1        1
     1         0        1
     1         1        0

Given a plaintext bitstream T and some secret bitstream S, the application of the bitwise XOR operation gives the ciphertext

  C = T XOR S

The inverse operation to recompute the original is

  T = C XOR S

which works because S XOR S = 0 for any S, therefore

  C XOR S = (T XOR S) XOR S = T XOR (S XOR S) = T

These bitstreams T, S and C can be fixed-length blocks of bits or a continuous stream of bits. The basic principle is the same: at a certain point during encryption a common secret stream is XORed with the input data, and during decryption the same secret stream is XORed again to produce the original plaintext. XOR is sometimes also referred to as "addition modulo 2".

3.2 Operation Modes for Block Ciphers

Block ciphers can be deployed in different so-called "operation modes". Depending on the external requirements and the threats to be avoided, a suitable mode must be chosen. None of the modes below provides integrity on its own: modified ciphertext decrypts to something without any error being raised, so a separate integrity check is needed wherever tampering is a concern. The most common modes are:

ECB = electronic codebook mode: the most obvious mode. Here each block of data is encrypted/decrypted completely independently of all data before or after it. The advantage is that multiple blocks can be encrypted in parallel, and transmission errors are confined to the affected block.

The disadvantage is that this mode is susceptible to replay attacks and traffic analysis: under a given key, a block containing constant data is encrypted to the same cipher block every time. Repeated plaintext blocks therefore remain visible as repeated ciphertext blocks, and individual blocks can be cut, pasted or replayed without knowledge of the key.

CBC = cipher block chaining mode: this mode addresses the replay and repetition problem of ECB. Here the output (the ciphertext) of the previous block and the plaintext of the current block are XORed, and the result is encrypted and transmitted/stored. The output of the current block is in turn used for the XOR operation with the next plaintext block. Decryption works in reverse order: the current ciphertext block is decrypted, the result is XORed with the previous ciphertext block, and this gives the original plaintext block. A careful reader will have noticed that there is a problem at the beginning; to solve it a dummy block is transmitted first to start the chain. This block is called the "initialisation vector" (IV). For CBC the IV must not only be unique per message but also unpredictable to an attacker; with a predictable IV an attacker who can choose plaintexts can again test guesses for a block, much as with ECB. Transmission errors have a slightly larger impact than in ECB: a flipped ciphertext bit leads to a completely different plaintext for the current block (as in ECB), and additionally flips exactly one bit, at the same position, in the plaintext of the next block. Later blocks are unaffected.

CFB = cipher feedback mode: this mode and the following modes have been invented to transform a block cipher into a stream cipher. They can be used when data must be encrypted in units smaller than the block length.

Again an initialisation vector is used at the beginning; it is put into a shift register (in the following we assume that it shifts from right to left). The contents of this register are encrypted, and the left-most bits of the result are XORed with a plaintext segment of the chosen size (less than the block length). The resulting cipher segment (of the same size) is sent or stored and additionally shifted into the register on the right side. Decryption is almost identical to encryption: the register is initialised with the same IV, the received cipher segment is shifted into the register, its contents are encrypted, and the left-most bits of the output are XORed with the just-received cipher segment. Note that decryption, too, only ever uses the encryption function of the block cipher. Care must be taken that the IV is unique for every message, but there is no absolute requirement to keep it secret.

OFB = output feedback mode: similar to CFB. Whereas in CFB the result of the XOR function is fed back into the shift register, in OFB the loop does not involve any user data: the feedback loop comprises just the shift register and the encryption function, and the result of the encryption function is fed back into the shift register. This has the advantage that the key stream can be computed independently of the data to be encrypted, and a transmission error affects only the corresponding bits of the plaintext.

CTR = counter mode: similar to OFB, but here no shift register is used. Instead a counter value is used as the input to the encryption function; after each encryption the counter is changed, usually incremented by one. An advantage of this mode is that random access to the data is possible without the drawbacks of ECB, since the key stream block for position i can be computed directly from the counter value i. As with OFB, the (nonce, counter) input must never repeat under the same key: XORing two ciphertexts produced with the same key stream cancels the key stream and exposes the XOR of the two plaintexts. An example application is described in RFC 3686 ([63]).
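The five modes above, the padding problem from the start of this section and the XOR identity of 3.1, worked through in code. This is an added example, not code from the book. It assumes a stand-in 128-bit block cipher built as a 4-round Feistel network with HMAC-SHA256 as round function (a keyed invertible permutation, which is all the modes need; it is neither AES nor DES and is for illustration only), PKCS#7 padding for the block-oriented modes, and an 8-byte nonce plus 8-byte counter as the CTR block input. All keys, IVs and plaintexts are constructed values.

```python
import hashlib
import hmac

BLOCK = 16   # 128-bit blocks, as in AES
ROUNDS = 4

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher (assumption: NOT AES or DES). A 4-round Feistel
# network whose round function is HMAC-SHA256 keyed with the cipher key.
# It is a keyed, invertible permutation of 16-byte blocks, which is all the
# mode logic below needs. Illustrative only, never use it for real data.
def _f(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):      # undo the rounds in reverse order
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(data: bytes) -> bytes:
    """PKCS#7: always append 1..BLOCK bytes, each holding the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

# ECB: blocks are independent, so equal plaintext blocks give equal ciphertext.
def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(ct)))

# CBC: C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV;  P_i = D_k(C_i) XOR C_{i-1}.
def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for b in blocks(pad(pt)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))

# 8-bit CFB: encrypt the shift register, XOR its left-most byte with one data
# byte, then shift the *ciphertext* byte in on the right. One byte in, one
# byte out, no padding; decryption also only calls block_encrypt.
def cfb8_crypt(key, iv, data, decrypt=False):
    reg, out = iv, bytearray()
    for b in data:
        c = b ^ block_encrypt(key, reg)[0]
        out.append(c)
        reg = reg[1:] + bytes([b if decrypt else c])
    return bytes(out)

# OFB: the feedback loop is register -> E_k -> register; data never enters it,
# so the key stream could be computed ahead of time.
def ofb_crypt(key, iv, data):
    reg, out = iv, []
    for b in blocks(data):
        reg = block_encrypt(key, reg)
        out.append(xor(b, reg))
    return b"".join(out)

# CTR: key stream block j = E_k(nonce || j). start_block gives random access
# to any block without touching the ones before it.
def ctr_crypt(key, nonce, data, start_block=0):
    out = [xor(b, block_encrypt(key, nonce + j.to_bytes(8, "big")))
           for j, b in enumerate(blocks(data), start=start_block)]
    return b"".join(out)

def cbc_bitflip_effect(key, iv, pt, bit):
    """Flip ciphertext bit `bit` (0..127, i.e. inside block 0) and return how
    many plaintext bits change in each block. pt must be a block multiple so
    that the padding block stays intact."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[bit // 8] ^= 1 << (bit % 8)
    back = cbc_decrypt(key, iv, bytes(ct))
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, q))
            for p, q in zip(blocks(pt), blocks(back))]
```

Encrypting three identical 16-byte blocks with ecb_encrypt yields three identical ciphertext blocks, the leak the text describes; cbc_encrypt with the same input does not. cbc_bitflip_effect returns a list such as [garbled, 1, 0]: the hit block is scrambled, the next block has exactly one flipped bit, later blocks are untouched. cfb8_crypt returns exactly as many bytes as it is given, so a one-byte keystroke costs one byte on the wire, and ctr_crypt(key, nonce, ct[32:], start_block=2) decrypts from the third block onward without processing the first two.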

3.3 DES and triple-DES

DES and its variant triple-DES are the classic examples of block ciphers, and for decades were probably the most widely used ones. DES was developed first at IBM, subsequently modified and finally published by the US NIST, at that time still called NBS (see [101]). DES uses 64-bit blocks and 56-bit keys, and performs 16 rounds of substitution (with given S-boxes) and permutation (with given P-boxes).

64-bit blocks and 56-bit keys provided enough practical security at the time of its publication (proposed in 1975, standardised as FIPS 46 in 1977) and for the following years. Its validity was prolonged several times by NIST until it became obvious that brute-force cracking was feasible. A public brute-force attack was performed by the EFF in 1998 with a purpose-built key-search machine: they showed that DES can be broken by brute force with an investment of about 200,000 US$ (see [49]). Moore's law applies here: every 18 months the expected duration can be halved at fixed cost, or the cost halved at fixed time. This constituted a problem since many organisations relied on DES.

Countermeasures had been taken even before this public demonstration: DES can be extended to triple-DES, where each plaintext block is processed three times by the DES algorithm instead of once. Depending on the actual implementation this gives keys with a length of 2*56 or 3*56 bits; note that the effective strength of the three-key variant against known attacks is about 112 bits because of meet-in-the-middle attacks, and the two-key variant is weaker still. This is still sufficiently secure for most applications, but triple-DES has a drawback: it is very slow compared to other ciphers of similar strength. DES was designed in the early 1970s with dedicated hardware in mind, and its bit-level permutations perform poorly in software on current 32-bit CPUs; triple-DES then triples that time. So another countermeasure was applied: establish a different cipher as a new standard. This leads to AES, the Advanced Encryption Standard.

3.4 AES

AES is the successor of DES, the winner of a contest organised by NIST and subsequently published as a standard (see [102]). NIST set up a list of rules; besides the security guidelines it required, for example, that the cipher perform well on very different kinds of hardware, ranging from 8-bit CPUs on smartcards to modern 64-bit server CPUs. The new algorithm uses 128-bit blocks and allows keys of 128, 192 or 256 bits. The winning algorithm, "Rijndael", was designed by two Belgian cryptologists, Joan Daemen and Vincent Rijmen, and is based on arithmetic in the Galois field GF(2^8).

At the NIST website you can find an outdated info page which NIST deliberately keeps so that users can still see the historic information, it provides a FAQ page, and the actual standard can be obtained from http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

Additional information can be found on the Rijndael Fan Page at http://www.rijndael.com/.

The algorithm performs 10, 12 or 14 rounds for 128-, 192- and 256-bit keys respectively. In each round four functions are applied to the state, named SubBytes(), ShiftRows(), MixColumns() and AddRoundKey() (the final round omits MixColumns()). The creators of the AES cipher explain their algorithm in several publications: [27-29].

Since a replacement for DES has been established, NIST has proposed to withdraw DES as a standard, keeping only the triple-DES variant [103].

3.5 Other Block Ciphers

Of course there are more block ciphers than the two standardised by NIST; many people and organisations try to design secure ciphers. The general problem with any cipher is that it must be analysed and attacked for years to get an impression of its security. The best way would be to prove that a cipher is secure, but such proofs are difficult, and they do not help against attacks yet to be discovered.

Some other ciphers which are considered secure are the competitors in round 2 of the AES contest: MARS, RC6, Serpent and Twofish. Another cipher is IDEA, invented at Ascom; a company called MediaCrypt is now in charge of this cipher. Some years ago the NSA created a classified cipher called Skipjack; it was later declassified and the information is now online at http://csrc.nist.gov/CryptoToolkit/skipjack/skipjack-kea.htm.

UMTS cell phones use another block cipher, KASUMI [1]; it is used for both the confidentiality function f8 and the integrity function f9 [2]. And there are many more ciphers, more or less secure...
