Prof. Dr. Michael Eichberg
Cryptography and Network Security  Principles and Practice, 8th Edition, William Stallings
Encrypts a digital data stream one bit or one byte at a time.
Examples: Autokeyed Vigenère cipher and Vernam cipher
In the ideal case, a onetime pad version of the Vernam cipher would be used, in which the keystream is as long as the plaintext bit stream.
If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream
Keystream must be provided to both users in advance via some independent and secure channel
This introduces insurmountable logistical problems if the intended data traffic is very large
For practical reasons the bitstream generator must be implemented as an algorithmic procedure so that the cryptographic bit stream can be produced by both users.
It must be computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream.
The two users need only share the generating key and each can produce the keystream.
A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
Typically a block size of 64 or 128 bits is used.
As with a stream cipher, the two users share a symmetric encryption key.
The majority of networkbased symmetric cryptographic applications make use of block ciphers.
Encryption Table
Plaintext 
0000 
0001 
0010 
0011 
0100 
0101 
0110 
0111 
1000 
1001 
1010 
1011 
1100 
1101 
1110 
1111 
Ciphertext 
1110 
0100 
1101 
0001 
0010 
1111 
1011 
1000 
0011 
1010 
0110 
1100 
0101 
1001 
0000 
0111 
Decryption Table
Ciphertext 
0000 
0001 
0010 
0011 
0100 
0101 
0110 
0111 
1000 
1001 
1010 
1011 
1100 
1101 
1110 
1111 
Plaintext 
1110 
0011 
0100 
1000 
0001 
1100 
1010 
1111 
0111 
1101 
1001 
0110 
1011 
0010 
0000 
0101 
Feistel proposed the use of a cipher that alternates substitutions and permutations.
This is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions.
It is the structure used by many significant symmetric block ciphers currently in use.
Diffusion and Confusion
Terms introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system.
Shannon’s concern was to thwart cryptanalysis based on statistical analysis.
Greater complexity generally means greater resistance to cryptanalysis
In many cases, encrypting is embedded in applications or utility functions in such a way as to preclude a hardware implementation; accordingly, the speed of execution of the algorithm becomes a concern
If the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength
Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm
Larger key size means greater security but may decrease encryption/decryption speeds
The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security
Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis
Issued in 1977 by the National Bureau of Standards (now NIST) as Federal Information Processing Standard 46
Was the most widely used encryption scheme until the introduction of the Advanced Encryption Standard (AES) in 2001
Algorithm itself is referred to as the Data Encryption Algorithm (DEA):
Data is encrypted in 64bit blocks using a 56bit key
The algorithm transforms 64bit input in a series of steps into a 64bit output
The same steps, with the same key, are used to reverse the encryption
Round 
Ki 
Li 
Ri 
IP 
5a005a00 
3cf03c0f 

1 
1e030f03080d2930 
3cf03c0f 
bad22845 
2 
0a31293432242318 
bad22845 
99e9b723 
3 
23072318201d0c1d 
99e9b723 
Obae3b9e 
4 
05261d3824311a20 
Obae3b9e 
42415649 
5 
3325340136002025 
42415649 
18b3fa41 
6 
123a2d0d04262a1c 
18b3fa41 
9616fe23 
7 
021f120b1c130611 
9616fe23 
67117cf2 
8 
1c10372a2832002b 
67117c12 
c11bfc09 
9 
04292a380c341103 
c11bfc09 
887fbe6c 
10 
2703212607280403 
887fbc6c 
60017e8b 
11 
2826390c31261504 
60017e8b 
f596506e 
12 
12071c241a0a0108 
f596506e 
738538b8 
13 
300935393c0d100b 
73853868 
с6а62с4е 
14 
311e09231321182a 
с6а62с4е 
56b0bd75 
15 
283d3e0227072528 
56b0bd75 
75e8fd8f 
16 
2921080b13143025 
75e8fd8f 
25896490 
IP1 
da02ce3a 
89ecac3b 
DES subkeys are shown as eight 6bit values in hex format (max value for \(k_i\) is \(2^61=63=0x3F\))
Small change in plaintext:
Round 
δ 
Round 
δ 

02468aceeca86420 12468aceeca86420 
1 
9 
c11bfc09887fbc6c 996911532eed7d94 
32 

1 
3cf03c0fbad22845 3cf03c0fbad32845 
1 
10 
887fbc6c60017e8b 2eed7d94d0f23094 
34 
2 
bad2284599e9b723 bad3284539a9b7a3 
5 
11 
600f7e8bf596506e d0f23094455da9c4 
37 
3 
99e9b7230bae3b9e 39a9b7a3171cb8b3 
18 
12 
1596506e738538b8 455da9c47f6e3cf3 
31 
4 
Obae3b9e42415649 171cb8b3ccaca55e 
34 
13 
738538b8c6a62c4e 7f6e3cf34bc1a8d9 
29 
5 
4241564918b3fa41 ccaca55ed16c3653 
37 
14 
c6a62c4e56b0bd75 4bc1a8d91e07d409 
33 
6 
18b3fa419616fe23 d16c3653cf402c68 
33 
15 
56b0bd7575e8fd81 1e07d4091ce2e6dc 
31 
7 
9616fe2367117cf2 cf402c682b2cefbc 
32 
16 
75e8fd8625896490 1ce2e6dc365e5f59 
32 
8 
67117cf2c11bfc09 2b2cefbc99191153 
33 
IP1 
da02ce3a89ecac3b 057cde97d7683f2a 
32 
Small change in key (0f1571c947d9e859 \(\rightarrow\) 1f1571c947d9e859):
Round 
δ 
Round 
δ 

02468aceeca86420 02468aceeca86420 
0 
9 
c11bfe09887fbe6c 548f1de471f64dfd 
34 

1 
3cf03c0fbad22845 3cf03c0f9ad628c5 
3 
10 
8876be6c60067e8b 71664dfd4279876c 
36 
2 
bad2284599e9b723 9ad628c59939136b 
11 
11 
60017e8bf596506e 4279876c399fdc0d 
32 
3 
99e9b7230bae3b9e 9939136676806767 
25 
12 
f596506e738538b8 399fde0d6d208dbb 
28 
4 
Obae3b9e42415649 768067b75a8807c5 
29 
13 
738538b8c6a62c4e 6d208dbbb9bdeeaa 
33 
5 
4241564918b3fa41 5a8807c5488bde94 
26 
14 
c6a62c4e56b0bd75 b9bdeeaad2c3a56f 
30 
6 
18b3fa419616fe23 488dbe94aba7fe53 
26 
15 
56b0bd7575e8fd8f d2c3a5612765c1fb 
33 
7 
9616fe2367117cf2 aba7fe53177d21e4 
27 
16 
75e8fd8f25896490 2765c1fb01263dc4 
30 
8 
67117cf2c11bfc09 177d21e4548f1de4 
32 
IP1 
da02ce3a89ecac3b ee92b50606b6260b 
30 
Key size (bits) 
Cipher 
Number of Alternative Keys 
Time Required at \(10^9\) decryptions/s 
Time Required at \(10^{13}\) decryptions/s 
56 
DES 
\(2^{56}\) ≈ 7.2 x \(10^{16}\) 
1.125 years 
1 hour 
128 
AES 
\(2^{128}\) ≈ 3.4 x \(10^{38}\) 
5.3 x \(10^{21}\) years 
5.3 x \(10^{17}\) years 
168 
Triple DES 
\(2^{168}\) ≈ 3.7 x \(10^{50}\) 
5.8 x \(10^{33}\) years 
5.8 × \(10^{29}\) years 
192 
AES 
\(2^{192}\) ≈ 6.3 x \(10^{57}\) 
\(2^{191}\) ns = 9.8 x \(10^{40}\) years 
9.8 × \(10^{36}\) years 
256 
AES 
\(2^{256}\) ≈ 1.2 x \(10^{77}\) 
\(2^{255}\) ns = 1.8 x \(10^{60}\) years 
1.8 x \(10^{56}\) years 
26 characters (permutation) 
Monoalphabetic 
26! = 4 x \(10^{26}\) 
6.3 x \(10^9\) years 
6.3 × \(10^6\) years 
One in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts.
Exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs.
So far it appears unlikely that this technique will ever be successful against DES or more powerful symmetric ciphers such as triple DES and AES.
The greater the number of rounds, the more difficult it is to perform cryptanalysis.
In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple bruteforce key search attack.
If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a bruteforce key search.
The heart of a Feistel block cipher is the function F.
The more nonlinear F, the more difficult any type of cryptanalysis will be.
The algorithm should have good avalanche properties.
The SAC and BIC criteria appear to strengthen the effectiveness of the confusion function
With any Feistel block cipher, the key is used to generate one subkey for each round
In general, we would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.
It is suggested that, at a minimum, the key schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion