Lect 4: Information Security

Cryptography
 Modern Block Ciphers
 In general, a block cipher replaces a block of N plaintext bits with
a block of N ciphertext bits. (E.g., N = 64 or 128.)
 Each block may be viewed as a gigantic character.
 The “alphabet” consists of 2N gigantic characters.
 Each particular cipher is a one-to-one mapping from the plaintext
“alphabet” to the ciphertext “alphabet”.
 There are 2N! such mappings.
 The key space would be extremely large.
 This would require a key of log2(2N!) bits.
 A secret key indicates which mapping to use.
 Using idea of a product cipher

2
 Modern Block Ciphers
 Modern block ciphers use a key of K bits to specify a random
subset of 2K mappings.
 If K ≈ N,
 2K is much smaller than 2N!
 But is still very large.
 If the selection of the 2K mappings is random, the resulting cipher
will be a good approximation of the ideal block cipher.
 Horst Feistel, in1970s, proposed a method to achieve this.
 Shannon proposed product ciphers with two components
 S-Boxes -- substitution
 providing confusion of input bits
 P-Boxes -- permutation
 providing diffusion across S-box inputs
 n rounds of S-P boxes

3
Functions
 Exclusive-or (XOR) operation 
 Input=output
 (a+b) mod 2 (binary system)
 [A  B]  C = A  [B  C]
 A  A=0
 A  0=A
 Invertible

 M = PLAINTEXT 01101100 11011000 11011010

 K = KEY 10101111 00101100 01011011
 E= MK 11000011 11110100 10000001
encryption
 M= E + K 01101100 11011000 11011010
decryption

4
Functions (Left circular shift)
 The left shift operator, <<, shifts all of the bits in a value to the left a
specified number of times.
 It has this general form:
 value << num
 num specifies the number of positions to left-shift the value in value
 For each shift left, the high-order bit is shifted out (and lost), and a zero is
brought in on the right.
 Here (Encryption), we use num=1, referring as Sh(value)
 Sh(111101)=111010
 Left circular shift
 The high-order bit is shifted out and it is inserted on the right.
 It is referred by LS
 LS(111101)=111011
 LS(1000000)=0000001

5
Substitution-box (S-Box)
 Function takes an input as a block and replaces it by
another form
 Modern: Mapping n-bit to m-bit
 n can be equal to m
 Mapping must be reversed
 The S-box can be
 linear function or non-linear function
 with key or without key
 The S-boxes do the real mixing (confusion).

6
 Substitution-box (S-Box)

3 bit 3 bit
input output
0 0
0 1 1 1
2 2
1 3 3 1
4 4
5 5
0
6 6 0

7 7

Word size of 3 bits => mapping of 23 = 8 values

Note: mapping can be reversed

Substitution-box (S-Box)

permutation
S-Box
 In modern ciphers, S-boxes are the only non-linear
elements


S-Box

10
Permutation Box
 Permutation Box or function
 A sequence of elements is replaced by a permutation of that
sequence.
 The elements appear in the sequence is changed.
 There are three types
 Straight: input n and output n
Straight
2 6 3 1 4 8 5 7

 Expansion: output> input
 Compression: output<input

11
 Straight P-box (permutation)

4 bit
input
1 1 1 1

1 0 1 0

1 1 1 1

0 0 1
1

Example 1 Example 2 - swap two

Note: reversible halves of input
Expansion P-box
 Including: expansion and permutation
 Input n-bits and output m-bits where n<m
 Expansion function takes a block of n bits as input and
produces a block of m bits as output
 For example, n=4,m=8
 Input E
1 2 3 4 1 2 3 4 1 2 3 4

 permutation function changes the sequence of bits :

E/P

4 1 2 3 2 3 4 1

13
Compression P-box
 Including: Compression and permutation
 Input n-bits and output m-bits where n>m
 Compression function takes a block of n bits as input
and ignores some of them
 For example,
 input Compression
1 2 3 4 5 6 7 8 2 3 4 5 6 7

 Permutation function changes the sequence of bits :

C/P

4 7 2 5 6 3

14
 P-box (permutation)

4 bit
input
1 1 1 1

1 0 1 0

1 1 1 1

0 0 1
1

Example 1 Example 2 - swap two

Note: reversible halves of input
Feistel Cipher
 Virtually all conventional block encryption algorithms have a
structure described by Horst Feistel of IBM in 1973
 Based on concept of invertible product cipher
 The block size: n = 2w
 number of rounds: d
 A Feistel algorithms:
 partitions input block into two halves
 process through multiple rounds
 each round performs a substitution on left data half based on round
function of right half & sub key
 Right does not change
 then have permutation swapping halves
 Implements Shannon’s S-P net concept

16
Feistel Cipher Design Elements
 block size: larger size improves security, but slows cipher
 key size: increasing size makes exhaustive key searching
harder, but may slow cipher.
 number of rounds: increasing number improves security,
but slows cipher
 sub key generation algorithm: greater complexity can make
cryptanalysis harder, but slows cipher
 round function: greater complexity can make analysis
harder, but slows cipher
 fast software en/decryption: concern for practical use
 ease of analysis: easier validation & testing of strength

17
The Feistel
Cipher
Structure
i


Round i

Li-1 Ri-1

f ki

Li Ri
Mathematical Description of Round i
 Let Li 1 and Ri 1 be the input of round i, and
Li and Ri the output.
 We have
Li : Ri 1
Ri : Li 1  F ( Ri 1 , K i )
 Or, (Li , Ri ) :  i ( Li 1 , Ri 1 ), where
i : ( x, y )  ( x  F ( y , ki ), y ).
 : ( x, y )  ( y , x ).
 Note that i 1  i and  1   .

20
Feistel Cipher
 Goes through a number of rounds, say 16 rounds.
 A Feistel cipher encrypts a plaintext block m as:
c : E k ( m) :   16  2  1 ( m)
 The decryption will be:
Dk (c )  11  1 21  1 161  1  1 (c )
   1  2  16 (c )
 The descryption algorithm is the same as the
encryption algorithm, but uses round keys in the
reverse order.

21
Notes on Feistel Cipher Structure
 Decryption: The same process is reversible
 Ri-1=Li
 Li-1=RiF(Ri-1,Ki-1)
 Same algorithm can be used but with keys reversed

 Security Considerations
 Larger block size results in fewer blocks and increased security
 Larger key size also increases security (recall Shannon)
 More rounds considered to offer better security (?)
 Greater complexity of subkey generation may help security
 Greater complexity of round function may increase security
Design Goals for Block Ciphers
 Highly secure – more of everything…
 Fast – fewer rounds that use simpler operations
 Low communication overheads
 Low battery consumption in hand-helds

 Easy to implement in hardware

 Simple, ubiquitous operations

 Efficient in memory usage

 Can run on a smart card

 Require less secret material (keys, boxes)

 Sometimes put on expensive tamper-proof memory
Data Encryption Standard (DES)
 Without a standard, software and hardware cannot
interoperate, or at least it is very expensive

 In 1973, National Institute for Standards and Technology

(NIST) issued RFP for Data Encryption Algorithm (DEA)
 provide high level of security
 completely specified and easy to understand
 the security must reside in the key
 available to all users
 adaptable to diverse applications
 economically implementable in hardware
 efficient to use
 validated
 exportable
Data Encryption Standard (DES)
 The most widely used block cipher
– adopted in 1977 by NBS/NIST as FIPS PUB 46
 The plaintext is processed in 64-bit blocks
 The key is 56-bits in length
 Controversy over its security
– Choice of 56-bit key (vs Lucifer 128-bit)
– DES is public but design criteria were classified (S-box)
– subsequent events and public analysis show in fact design was
appropriate
– use of DES has flourished in financial applications
– still standard for legacy application use

25
DES
DES Overview- Encryption

64-bit input Generate 16

Initial 56-bit Key
per-round
Permutation
keys

Round 1

right halves
Swap left and

Permutation
Final
Round 16

27
DES Overview- Decryption

Generate 16
Initial 56-bit Key
per-round
Permutation
keys

Round 1

right halves
Swap left and

Permutation
Final
Round 16
64-bit input

28
Data Encryption Standard (DES)
 cipher structure
 64-bit blocks
 56-bit keys
 16 rounds
 Adds initial and final
permutation of the text
(irrelevant to security)
 Key shifted circularly for
next round, and 48 bits are
selected for Ki
 Initial Permutation IP
 IP reorders the input data bits
– Arrange into 8 × 8 table
– Permute, even columns into rows followed by odd columns
(write bits from bottom up)
– Example
IP(675a6967 5e5a6b5a) =
(ffb2194d 004df6fb)

0 1 1 0 0 1 1 1 1 1 1 1 1 1 1 1
0 1 0 1 1 0 1 0 1 0 1 1 0 0 1 0
0 1 1 0 1 0 0 1 0 0 0 1 1 0 0 1
0 1 1 0 0 1 1 1 0 1 0 0 1 1 0 1
0 1 0 1 1 1 1 0 0 0 0 0 0 0 0 0
0 1 0 1 1 0 1 0 0 1 0 0 1 1 0 1
0 1 1 0 1 0 1 1 1 1 1 1 0 1 1 0
0 1 0 1 1 0 1 0 1 1 1 1 1 0 1 1

30
Initial Permutation IP

31
One Round of DES
 One Round of DES
 Key Transformation
 Each key-half is shifted 1 or 2 bits in each round
(per given table)
 The 56 key bits are permuted and 48 bits are
chosen (per table)
 Text transformations
 Expansion of Ri from 32 to 48 bits (size of key)
 Avalanche effect – some bits are duplicated
 48 bits are XORed with Ki
 Substitution, using 8 S-Boxes with 6-bit input and 4-
bit output
 S-boxes are well chosen to introduce non-linearity

 32 bits are permuted according to specified P-Box

 32 bits are XORed with Li to create Ri+1
A DES Round

64-bit input 64-bit input

32-bit Ln 32-bit Rn 32-bit Ln 32-bit Rn

Kn
function function Kn

32-bit Ln+1 32-bit Rn+1 32-bit Ln+1 32-bit Rn+1

64-bit output 64-bit output

34
DES Round Details
 uses two 32-bit L & R halves
 as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
 F takes 32-bit R half and 48-bit subkey:
– expands R to 48-bits using Expansion perm E
– adds to subkey using XORE(R) XOR K – we get 48 bits which
we split into 8 blocks 6 bits each
– Substitute blocks using 8 S-boxes to get 32-bit result.
– Each S-box has 4 rows and 16 columns
– First and last bits determine the row, remaining 4 determine column
– finally permutes using 32-bit perm P Confusion

35
Calculation of F(R, K)

36
Substitution Boxes S
 have eight S-boxes which map 6 to 4 bits
 each S-box is actually 4 little 4 bit boxes
– outer bits 1 & 6 (row bits) select one row of 4
– inner bits 2-5 (col bits) are substituted
– result is 8 lots of 4 bits, or 32 bits
 row selection depends on both data & key
– feature known as autoclaving (autokeying)
 Example
S(18 09 12 3d 11 17 38 39) =
5fd25e03

37
 Substitution
Box

38
 Box S1

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 6 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

• For example, S1(101010) = 6 = 0110.

39
 DES Sub keys Generation
Main key: Get a 64-bit key from the user
Every 8th bit (the least significant bit of each byte) is considered a parity bit.
For a key to have correct parity, each byte should contain an odd number of "1"
bits.)
The parity bits are discarded, reducing the key to 56 bits (8th , 16th ,…, 64th ).

 To forms sub keys used in each round

– initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
– 16 stages consisting of:
1. rotating each half separately either 1 or 2 places depending on the key rotation
schedule K
2. selecting 24-bits from each half & permuting them by PC2 for use in round
function F
 note practical use issues in h/w vs s/w

40
 Generating the Per-Round Keys

C0 Initial Permutation D0
57 49 41 33 25 17 9 C0 D0 63 55 47 39 31 23 15
1 58 50 42 34 26 18 7 62 54 46 38 30 22
10 2 59 51 43 35 19 14 6 61 53 45 37 29
Rotate left Rotate left
19 11 3 60 52 44 36 21 13 5 28 20 12 4

Permutation to obtain the Permutation to obtain the

C1 D1 right-half of Ki
left-half of Ki

14 17 11 24 1 5 41 52 31 37 47 55

3 28 15 6 21 10 30 40 51 45 33 48

23 19 12 4 26 8 44 49 39 56 34 53

16 7 27 20 13 2 46 42 50 36 29 32

41
 Key Schedule
Calculate the key schedule.
Permuted Choice 1 (PC-1)
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Split the permuted key (56 bits) into two halves. The first 28
bits are called C0 and the last 28 bits are called D0.

42
 PC-1

M=0000000000000000000000000000000100000000000000000000000000000001
K=1000000000000000000000000000000010000000000000000000000000000000
The first round key is the computed as follows:
PC-1(K)= 00010001000000000000000000000000000000000000000000000000
C0= 0001000100000000000000000000
D0= 0000000000000000000000000000

43
 Calculate Sub keys
Calculate the 16 sub keys.
Perform one or two circular left shifts on both Ci-1 and Di-1 to
get Ci and Di, respectively.
The number of shifts per iteration are given in the table below.

Round # 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Left Shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

44
 PC-2
Calculate the key schedule.
Permuted Choice 2 (PC-2) contraction to 28 bit round key

14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Loop back to slide 24 until K16 has been calculated

45
 PC-2

M=0000000000000000000000000000000100000000000000000000000000000001
K=1000000000000000000000000000000010000000000000000000000000000000
The first round key is the computed as follows:
PC-1(K)= 00010001000000000000000000000000000000000000000000000000
C1= 1<<C0= 1<<0001000100000000000000000000 = 0010001000000000000000000000
D1= 1<<D0= 1<<0000000000000000000000000000 = 0000000000000000000000000000

PC-2(C1||D1)=PC-2(00100010000000000000000000000000000000000000000000000000)
SK1= 000000100000000000010000000000000000000000000000

46
 Round i
 Split the block into two halves. The first 32 bits are called L0, and
the last 32 bits are called R0.
 Apply the 16 sub keys to the data block. Start with SK1
 Expand the 32-bit Ri-1(R0) into 48 bits according
 Expansion Permutation E
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

 Exclusive-or E(Ri-1) with SKi

47
Round i/S-Boxes

 Eight S-boex that accept 6 bit inputs and produce 4 bit

outputs
 Break E(Ri-1) xor SKi into eight 6-bit input blocks.
 Bits 1-6 are B1, bits 7-12 are B2, and so on with bits 43-48 being B8.
 Take the 1st and 6th bits of Bj together as a 2-bit value
indicating the row in Sj
 Take the 2nd through 5th bits of Bj together as a 4-bit value
indicating the column in Sj to find the substitution.

48
 S-Boxes
S1 S5
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S2 S6
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

S3 S7
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

S4 S8
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

49
 Permutation (P)
 Permute the concatenation of B1 through B8 (32 bits)
 Permutation P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
 Exclusive-or the resulting value with Li-1.
 Thus, all together, your Ri= Li-1 xor P(S1(B1)...S8(B8)), where Bj is a
6-bit block of E(Ri-1) xor SKi.
 The function for Ri is more concisely written as,
 Ri-1 = Li-1 xor f(Ri-1, Ki).)

50
Inverse Initial Permutation IP-1

 Loop back to slide 29 - Permutation E until SK16 has been applied

 Perform the following permutation on the block R16L116.
 Final Permutation (IP-1)

40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25

51
 DES Example
DES round 1
Round key = 000000100000000000010000000000000000000000000000
L1= 00000000000000000000000000000001 R1= 00000000000000000000000000000001
Apply E: 100000000000000000000000000000000000000000000010
Xor K1: 000000100000000000010000000000000000000000000000⊕
100000000000000000000000000000000000000000000010 =
100000||100000||000000||010000||000000||000000||000000||000010
S-Box S1: 0100 S-Box S2: 0000 S-Box S3: 1010 S-Box S4: 0001
S-Box S5: 0010 S-Box S6: 1100 S-Box S7: 0100 S-Box S8: 0010
P-Box: 10010000000100101000000110001100
Xor L1: 10010000000100101000000110001100⊕00000000000000000000000000000001
=10010000000100101000000110001101
R1kL1 = 00000000000000000000000000000001k10010000000100101000000110001101

52
 DES Decryption
 decrypt must unwind steps of data computation
 with Feistel design, do encryption steps again using subkeys
in reverse order (SK16 … SK1)
‒ IP undoes final FP step of encryption
‒ 1st round with SK16 undoes 16th encrypt round
‒ ….
‒ 16th round with SK1 undoes 1st encrypt round
‒ then final FP undoes initial encryption IP
‒ thus recovering original data value

53
Avalanche Effect

 key desirable property of encryption algorithm

 where a change of one input or key bit results in changing
approx half output bits
 making attempts to “home-in” by guessing keys impossible
 DES exhibits strong avalanche
 Permutation E

54
Strength of DES – Key Size
 56-bit keys have 256 = 7.2 x 1016 values
 brute force search looks hard
 recent advances have shown is possible
‒ in 1997 on Internet in a few months
‒ in 1998 on dedicated h/w (EFF) in a few days
‒ in 1999 above combined in 22hrs!
 still must be able to recognize plaintext
 must now consider alternatives to DES

55
Average time required for exhaustive key search

Key Size Number of Time required at 106

(bits) Alternative Keys Decryption/µs
32 232 = 4.3 x 109 2.15 milliseconds
56 256 = 7.2 x 1016 10 hours
128 2128 = 3.4 x 1038 5.4 x 1018 years
168 2168 = 3.7 x 1050 5.9 x 1030 years

56
Strength of DES – Analytic Attacks

 now have several analytic attacks on DES

 these utilise some deep structure of the cipher
‒ by gathering information about encryptions
‒ can eventually recover some/all of the sub-key bits
‒ if necessary then exhaustively search for the rest
 generally these are statistical attacks
‒ differential cryptanalysis
‒ linear cryptanalysis
‒ related key attacks

57
Differential Cryptanalysis
 Murphy, Biham & Shamir published in 90’s
 powerful method to analyze block ciphers
 used to analyze most current block ciphers with varying
degrees of success
 DES reasonably resistant to it
‒ a statistical attack against Feistel ciphers
‒ uses cipher structure not previously used
‒ design of S-P networks has output of function f influenced by
both input & key
‒ hence cannot trace values back through cipher without knowing
value of the key
‒ differential cryptanalysis compares two related pairs of encryptions

58
Differential Cryptanalysis
 have some input difference giving some output difference
with probability p
 if find instances of some higher probability input /
output difference pairs occurring
 can infer subkey that was used in round
 then must iterate process over many rounds (with
decreasing probabilities)

59
Compares Pairs of Encryptions

 with a known difference in the input

 searching for a known difference in output
 when same subkeys are used

60
Differential Cryptanalysis

61
Differential Cryptanalysis
 perform attack by repeatedly encrypting plaintext pairs
with known input XOR until obtain desired output XOR
 when found
 if intermediate rounds match required XOR have a right pair
 if not then have a wrong pair, relative ratio is S/N for attack
 can then deduce keys values for the rounds
 right pairs suggest same key bits
 wrong pairs give random values
 for large numbers of rounds, probability is so low that
more pairs are required than exist with 64-bit inputs
 Biham and Shamir have shown how a 13-round iterated
characteristic can break the full 16-round DES
62
Linear Cryptanalysis
 another recent development
 also a statistical method
 must be iterated over rounds, with decreasing probabilities
 developed by Matsui et al in early 90's
 based on finding linear approximations
 can attack DES with 243 known plaintexts, easier but still in
practise infeasible

63
Linear Cryptanalysis
 find linear approximations with prob p != ½
P[i1,i2,...,ia]  C[j1,j2,...,jb] =
K[k1,k2,...,kc]
where ia,jb,kc are bit locations in P,C,K
 gives linear equation for key bits
 get one key bit using max likelihood alg
 using a large number of trial encryptions
 effectiveness given by: |p–1/2|

64
 Triple DES
 Use three keys and three executions of the DES algorithm
(encrypt-decrypt-encrypt)
C = Ek3[ Dk2[ Ek1[P] ] ]
C = ciphertext
P = Plaintext
Ek[X] = encryption of X using key K
Dk[Y] = decryption of Y using key K
 Effective key length
of 168 bits

65
 Other Symmetric Block Ciphers
 International Data Encryption Algorithm (IDEA)
‒ 128-bit key
‒ Used in PGP
 Blowfish
‒ Easy to implement
‒ High execution speed
‒ Run in less than 5K of memory

66
 Other Symmetric Block Ciphers
 RC5
‒ Suitable for hardware and software
‒ Fast, simple
‒ Adaptable to processors of different word lengths
‒ Variable number of rounds
‒ Variable-length key
‒ Low memory requirement
‒ High security
‒ Data-dependent rotations
 Cast-128
‒ Key size from 40 to 128 bits
‒ The round function differs from round to round Blowfish

67
Modes of Operation
 block ciphers encrypt fixed size blocks
 eg. DES encrypts 64-bit blocks, with 56-bit key
 need way to use in practise, given usually have arbitrary
amount of information to encrypt
 Four standard modes were defined for DES
 Extended to five later, and they can be used with other
block ciphers: 3DES and AES.

68
1997 break

 RSA issued reward of $10,000 for finding a DES key, given

ciphertext for known and unknown plaintext
 solution found in 96 days – involved 70,000 computers on
the Internet
 an embarrassingly parallel problem – just divide the key space
being searched (brute force) each time a new computer joins
in
 found the key after searching 1/4 key space