Contemporary Block Ciphers

This paper considers modern secret-key block ciphers. The theory behind the design and analysis of modern block ciphers is explained, and the most important known attacks are outlined. Finally the Advanced Encryption Standard is discussed. 1 Block Ciphers Introduction In the last few thousands of years encryption algorithms, also called ciphers, have been developed and used [18,28]. Many of the old ciphers are much too weak to be used in applications today because of the tremendous progress in computer technology. There are essentially two types of cryptosystems, one-key and twokey ciphers. In one-key ciphers the encryption of a plaintext and the decryption of the corresponding ciphertext is performed using the same key. Until 1976 when Diffie and Hellman introduced public-key or two-key cryptography [20] all ciphers were one-key systems, today called conventional or classical cryptosystems. Conventional cryptosystems are widely used throughout the world today, and new systems are published frequently. There are two kinds of one-key ciphers, stream ciphers and block ciphers. In stream ciphers, typically a long sequence of bits is generated from a short string of key bits, and is then added bitwise modulo 2 to the plaintext to produce the ciphertext. In block ciphers the plaintext is divided into blocks of a fixed length, which are then encrypted into blocks of ciphertexts using the same key. The interested reader will find a comprehensive treatment of early cryptology in [28]. A block cipher is called an iterated cipher if the ciphertext is computed by iteratively applying a round function several times to the plaintext. In each round a round key is combined with the text input. In other words, let G be a function taking two arguments, such that, it is invertible when the first argument is fixed. Then define Ci = G(Ki, Ci−1), where C0 is the plaintext, Ki is the ith round key, and Cr is the ciphertext. A special kind of iterated ciphers are the Feistel ciphers. A Feistel cipher with block size 2n and r rounds is defined as follows. Let C 0 and C R 0 be the left and right halves of the plaintext, respectively, each of n bits. The round function G operates as follows C i = C R i−1 C i = F (Ki, C R i−1) + C L i−1, I. Damg̊ard (Ed.): Lectures on Data Security, LNCS 1561, pp. 105–126, 1999. c © Springer-Verlag Berlin Heidelberg 1999