Tr 31 Key Block Format Essay

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called a block, with an unvarying transformation that is specified by a symmetric key. Block ciphers operate as important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

The modern design of block ciphers is based on the concept of an iterated product cipher. In his seminal 1949 publication, Communication Theory of Secrecy Systems, Claude Shannon analyzed product ciphers and suggested them as a means of effectively improving security by combining simple operations such as substitutions and permutations.[1] Iterated product ciphers carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. One widespread implementation of such ciphers, named a Feistel network after Horst Feistel, is notably implemented in the DES cipher.[2] Many other realizations of block ciphers, such as the AES, are classified as substitution–permutation networks.

The publication of the DES cipher by the United States National Bureau of Standards (subsequently the U.S. National Institute of Standards and Technology, NIST) in 1977 was fundamental in the public understanding of modern block cipher design. It also influenced the academic development of cryptanalytic attacks. Both differential and linear cryptanalysis arose out of studies on the DES design. As of 2016[update] there is a palette of attack techniques against which a block cipher must be secure, in addition to being robust against brute-force attacks.

Even a secure block cipher is suitable only for the encryption of a single block under a fixed key. A multitude of modes of operation have been designed to allow their repeated use in a secure way, commonly to achieve the security goals of confidentiality and authenticity. However, block ciphers may also feature as building blocks in other cryptographic protocols, such as universal hash functions and pseudo-random number generators.


A block cipher consists of two paired algorithms, one for encryption, E, and the other for decryption, D.[4] Both algorithms accept two inputs: an input block of size n bits and a key of size k bits; and both yield an n-bit output block. The decryption algorithm D is defined to be the inverse function of encryption, i.e., D = E−1. More formally,[5][6] a block cipher is specified by an encryption function

which takes as input a key K of bit length k, called the key size, and a bit string P of length n, called the block size, and returns a string C of n bits. P is called the plaintext, and C is termed the ciphertext. For each K, the function EK(P) is required to be an invertible mapping on {0,1}n. The inverse for E is defined as a function

taking a key K and a ciphertext C to return a plaintext value P, such that

For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input – the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plain text.[7]

For each key K, EK is a permutation (a bijective mapping) over the set of input blocks. Each key selects one permutation from the set of possible permutations.


Iterated block ciphers[edit]

Most block cipher algorithms are classified as iterated block ciphers which means that they transform fixed-size blocks of plaintext into identical size blocks of ciphertext, via the repeated application of an invertible transformation known as the round function, with each iteration referred to as a round.[9]

Usually, the round function R takes different round keysKi as second input, which are derived from the original key:[citation needed]

where is the plaintext and the ciphertext, with r being the number of rounds.

Frequently, key whitening is used in addition to this. At the beginning and the end, the data is modified with key material (often with XOR, but simple arithmetic operations like adding and subtracting are also used):[citation needed]

Given one of the standard iterated block cipher design schemes, it is fairly easy to construct a block cipher that is cryptographically secure, simply by using a large number of rounds. However, this will make the cipher inefficient. Thus, efficiency is the most important additional design criterion for professional ciphers. Further, a good block cipher is designed to avoid side-channel attacks, such as input-dependent memory accesses that might leak secret data via the cache state or the execution time. In addition, the cipher should be concise, for small hardware and software implementations. Finally, the cipher should be easily cryptanalyzable, such that it can be shown how many rounds the cipher needs to be reduced to, so that the existing cryptographic attacks would work – and, conversely, that it can be shown that the number of actual rounds is large enough to protect against them.[citation needed]

Substitution–permutation networks[edit]

Main article: Substitution–permutation network

One important type of iterated block cipher known as a substitution–permutation network (SPN) takes a block of the plaintext and the key as inputs, and applies several alternating rounds consisting of a substitution stage followed by a permutation stage—to produce each block of ciphertext output.[10] The non-linear substitution stage mixes the key bits with those of the plaintext, creating Shannon's confusion. The linear permutation stage then dissipates redundancies, creating diffusion.[11][12]

A substitution box (S-box) substitutes a small block of input bits with another block of output bits. This substitution must be one-to-one, to ensure invertibility (hence decryption). A secure S-box will have the property that changing one input bit will change about half of the output bits on average, exhibiting what is known as the avalanche effect—i.e. it has the property that each output bit will depend on every input bit.[13]

A permutation box (P-box) is a permutation of all the bits: it takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible.[citation needed]

At each round, the round key (obtained from the key with some simple operations, for instance, using S-boxes and P-boxes) is combined using some group operation, typically XOR.[citation needed]

Decryption is done by simply reversing the process (using the inverses of the S-boxes and P-boxes and applying the round keys in reversed order).[citation needed]

Feistel ciphers[edit]

Main article: Feistel cipher

In a Feistel cipher, the block of plain text to be encrypted is split into two equal-sized halves. The round function is applied to one half, using a subkey, and then the output is XORed with the other half. The two halves are then swapped.

Let be the round function and let be the sub-keys for the rounds respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, (, )

For each round , compute


Then the ciphertext is .

Decryption of a ciphertext is accomplished by computing for


Then is the plaintext again.

One advantage of the Feistel model compared to a substitution–permutation network is that the round function does not have to be invertible.

Lai–Massey ciphers[edit]

Main article: Lai–Massey scheme

The Lai–Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage that the round function does not have to be invertible. Another similarity is that is also splits the input block into two equal pieces. However, the round function is applied to the difference between the two, and the result is then added to both half blocks.

Let be the round function and a half-round function and let be the sub-keys for the rounds respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, (, )

For each round , compute

where and

Then the ciphertext is .

Decryption of a ciphertext is accomplished by computing for

where and

Then is the plaintext again.


ARX (add–rotate–xor)[edit]

Many modern block ciphers and hashes are ARX algorithms—their round function involves only three operations: modular addition, rotation with fixed rotation amounts, and XOR (ARX). Examples include Salsa20, Speck, XXTEA, and BLAKE. Many authors draw an ARX network, a kind of data flow diagram, to illustrate such a round function.[16]

These ARX operations are popular because they are relatively fast and cheap in hardware and software, and also because they run in constant time, and are therefore immune to timing attacks. The rotational cryptanalysis technique attempts to attack such round functions.

Other operations[edit]

Other operations often used in block ciphers include data-dependent rotations as in RC5 and RC6, a substitution box implemented as a lookup table as in Data Encryption Standard and Advanced Encryption Standard, a permutation box, and multiplication as in IDEA.

Modes of operation[edit]

Main article: Block cipher modes of operation

A block cipher by itself allows encryption only of a single data block of the cipher's block length. For a variable-length message, the data must first be partitioned into separate cipher blocks. In the simplest case, known as the Electronic Codebook (ECB) mode, a message is first split into separate blocks of the cipher's block size (possibly extending the last block with padding bits), and then each block is encrypted and decrypted independently. However, such a naive method is generally insecure because equal plaintext blocks will always generate equal ciphertext blocks (for the same key), so patterns in the plaintext message become evident in the ciphertext output.

To overcome this limitation, several so-called block cipher modes of operation have been designed[18] and specified in national recommendations such as NIST 800-38A[20] and BSI TR-02102[21] and international standards such as ISO/IEC 10116.[22] The general concept is to use randomization of the plaintext data based on an additional input value, frequently called an initialization vector, to create what is termed probabilistic encryption. In the popular cipher block chaining (CBC) mode, for encryption to be secure the initialization vector passed along with the plaintext message must be a random or pseudo-random value, which is added in an exclusive-or manner to the first plaintext block before it is being encrypted. The resultant ciphertext block is then used as the new initialization vector for the next plaintext block. In the cipher feedback (CFB) mode, which emulates a self-synchronizing stream cipher, the initialization vector is first encrypted and then added to the plaintext block. The output feedback (OFB) mode repeatedly encrypts the initialization vector to create a key stream for the emulation of a synchronous stream cipher. The newer counter (CTR) mode similarly creates a key stream, but has the advantage of only needing unique and not (pseudo-)random values as initialization vectors; the needed randomness is derived internally by using the initialization vector as a block counter and encrypting this counter for each block.[20]

From a security-theoretic point of view, modes of operation must provide what is known as semantic security. Informally, it means that given some ciphertext under an unknown key one cannot practically derive any information from the ciphertext (other than the length of the message) over what one would have known without seeing the ciphertext. It has been shown that all of the modes discussed above, with the exception of the ECB mode, provide this property under so-called chosen plaintext attacks.


Main article: Padding (cryptography)

Some modes such as the CBC mode only operate on complete plaintext blocks. Simply extending the last block of a message with zero-bits is insufficient since it does not allow a receiver to easily distinguish messages that differ only in the amount of padding bits. More importantly, such a simple solution gives rise to very efficient padding oracle attacks.[25] A suitable padding scheme is therefore needed to extend the last plaintext block to the cipher's block size. While many popular schemes described in standards and in the literature have been shown to be vulnerable to padding oracle attacks,[25][26] a solution which adds a one-bit and then extends the last block with zero-bits, standardized as "padding method 2" in ISO/IEC 9797-1,[27] has been proven secure against these attacks.[26]


This section needs expansion with: Introduction of attack models may be needed for the cryptanalysis techniques: ciphertext only, known plaintext, chosen plaintext, chosen ciphertext, etc.. You can help by adding to it.(April 2012)

Brute-force attacks[edit]

This section needs expansion with: Impact of key size and block size, discuss time–memory–data trade-offs.. You can help by adding to it.(April 2012)

Due to a block cipher's characteristic as an invertible function, its output becomes distinguishable from a truly random output string over time due to the birthday attack. This property results in the cipher's security degrading quadratically, and needs to be taken into account when selecting a block size. There is a trade-off though as large block sizes can result in the algorithm becoming inefficient to operate.[28] Earlier block ciphers such as the DES have typically selected a 64-bit block size, while newer designs such as the AES support block sizes of 128 bits or more, with some ciphers supporting a range of different block sizes.[29]

Differential cryptanalysis[edit]

Main article: Differential cryptanalysis

This section needs expansion. You can help by adding to it.(April 2012)

Linear cryptanalysis[edit]

Main article: Linear cryptanalysis

Linear cryptanalysis is a form of cryptanalysis based on finding affine approximations to the action of a cipher. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.

A sketch of a substitution–permutation network with 3 rounds, encrypting a plaintext block of 16 bits into a ciphertext block of 16 bits. The S-boxes are the Si, the P-boxes are the same P, and the round keys are the Ki.
Many block ciphers, such as DES and Blowfish utilize structures known as Feistel ciphers
The Lai–Massey scheme. The archetypical cipher utilizing it is IDEA.

Голос все звал его, а он безучастно смотрел на светящуюся картинку. Он видел ее на крошечном экране. Эту женщину, которая смотрела на него из другого мира.

Она наблюдает за тем, как я умираю.

0 thoughts on “Tr 31 Key Block Format Essay

Leave a Reply

Your email address will not be published. Required fields are marked *