ECE596C: Handout #7 - University of Arizona

ECE596C: Handout #7 

Analysis of DES and the AES Standard 

Electrical and Computer Engineering, University of Arizona, 

Loukas Lazos 

Abstract. In this lecture we analyze the security properties of DES and present the AES 

cryptosystem. 

1 On the Security of DES 

1.1 The Avalanche Effect 

For any encryption/decryption algorithm, a desirable property is that a small change in either the 

plaintext or the key should result in a significant change in the produced ciphertext (WHY?). DES 

indeed exhibits a strong avalanche effect. The avalanche effect can be illustrated by considering the 

following two experiments: 

Experiment 1 

– Pick two plaintexts that differ at only one bit. 

– Encrypt both plaintexts with the same key. 

– XOR the two ciphertexts and count the number of ones. 

Example: 

and 

x 1 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000, 

x 2 = 10000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000, 

K = 00000001 1001011 0100100 11000100 0011100 0011000 0011100 0110010, 

yields two ciphertexts that differ at 35 bits after the third round in DES, and a final difference of 

34 bits after all 16 rounds have been executed. 

Experiment 2 

– Pick two keys that differ at only one bit. 

– Encrypt the same plaintext using the two different keys. 

– XOR the two ciphertexts and count the number of ones. 

Example: 

and 

x = 01101000 10000101 00101111 01111010 000010011 01110110 11101011 10100100, 

K 1 = 1110010 1111011 1101111 0011000 0011101 0000100 0110001 1101100, 

K 2 = 0110010 1111011 1101111 0011000 0011101 0000100 0110001 1101100, 

yields two ciphertexts that differ to 26 bits after the third round in DES, and a final difference of 

35 bits after all 16 rounds have been executed.

2 ECE 596C: Cryptography for Secure Communications with Applications to Network Security 

1.2 The strength of 56-Bit keys 

With a key length of 56 bits, there are 2 56 possible keys, i.e. approximately 7.2×10 16 keys. With 

today’s technology breaking a DES encryption via brute-force attack has been proved feasible. In 

1998 the Electronic Frontier Foundation (EFF) developed a DES cracker worth a quarter million 

dollars, that broke DES in 56 hours. The DES cracker searched 88 billion keys per second. 

In 1999, DES was cracked within 22 hours and 15 minutes by using the idle cycles of 100,000 

networked computers worldwide. The network was capable of searching 245 billion keys per second. 

In 2007, researchers from Germany developed an FPGA based machine called COPACOBANA, 

with off-the-self components that can break a DES encryption in 6.4 days (on average). 

Given the short key length, the DES scheme cannot be considered secure. However, note that the 

adversary must have an estimate of the plaintext to perform a brute-force attack. Without plaintext 

knowledge or a plaintext estimate, it is not possible to determine when the right DES key is found. 

2 The AES Standard 

The Advanced Encryption Standard (AES) standard was adopted by NIST in December of 2001. 

It was designed by two Belgian scientists, Rinjmen and Daemen (it is also known as the Rijmen cipher). 

It has been adopted by the US government as the default encryption cipher, wherever encryption 

is required (details can be found at http://csrc.nist.gov/publications/fips/fips197/fips- 

197.pdf) 

2.1 Description of the cipher 

The AES is a block cipher with a block length of 128 bits (as opposed to 64 bits in DES). It can 

operate with three different key lengths; 128 bits, 192 bits and 256 bits. Like DES, it is also an 

iterative cipher with a number of rounds that depends on the key length. 10 rounds for a key length 

of 128 bits, 12 rounds for a key length of 192 bits and 14 rounds for a key length of 256 bits. 

In AES, all operations are performed on a byte basis. Blocks of 128 bits are split to 16 bytes 

which are organized into 4x4 arrays, which are also referred to as states. The following operations 

take place 

– Key Expansion using Rijndael’s key schedule 

– Initial Round 

1. AddRoundKey 

– Nr −1 Rounds 

1. SubBytes:anon-linearsubstitutionstepwhereeachbyteisreplacedwithanotheraccording 

to a lookup table. 

2. ShiftRows: a transposition step where each row of the state is left-shifted cyclically a 

number of steps equal to the row number. 

3. MixColumns: a mixing operation which operates on the columns of the state, combining 

the four bytes in each column. 

4. AddRoundKey: each byte of the state is XORed with the round key. 

– Final round 

1. SubBytes 

2. ShiftRows 

3. AddRoundKey

Handout # 7 3 

2.2 The SubBytes transformation 

This is a typical S-box lookup table operation. For example, if s 1,1 = {53}, then the substitution 

value would be determined by the intersection of the row with index 5 and the column with index 

3 in Fig. 7. This would result in s ′ 1,1 = {ed}. 

Fig.1. The SubBytes transformation. 

Fig.2. The SubBytes lookup table. 

2.3 The ShiftRows Transformation 

In the ShiftRows transformation, the bytes in each row of the state are cyclically shifted over a 

number of bytes equal to the row number.


Fig.3. The ShiftRows tranformation. 

2.4 The MixColumns Transformation 

The MixColumns transformation operates on the state column-by-column, treating each column 

as a four-term polynomial GF(2 8 ) and multiplied modulo x 4 +1 with a fixed polynomial a(x). 

Fig.4. The MixColumns transformation. 

2.5 Key Expansion 

The AES algorithm takes the cipher key K and expands it to generate a key schedule. The total 

number of keys generated is equal to (Nr +1), each of which is 16 bytes long. The key scheduling 

is word oriented with each word consisting of 4 bytes. For a 10 round AES, we need a total of 11*4 

= 44 words to be generated from an initial key of 4 words. 

Key Expansion transformations,


Algorithm 1 Key Expansion Algorithm 

1: INPUT K 

2: RCon[1] ← 01000000 

3: RCon[2] ← 02000000 

4: RCon[3] ← 04000000 

5: RCon[4] ← 08000000 

6: RCon[5] ← 10000000 

7: RCon[6] ← 20000000 

8: RCon[7] ← 40000000 

9: RCon[8] ← 80000000 

10: RCon[9] ← 1B000000 

11: RCon[10] ← 36000000 

12: for i ← 0 to 3 do 

w[i] ← (key[4i],key[4i+1],key[4i+2],key[4i+3]) 

13: end for 

14: for i → 4 to 43 do 

15: temp ← w[i−1] 

16: if i ≡ 0 (mod 4) then 

17: temp ← SubWord(RotWord(temp)) ⊕RCon[ i 4 ] 

18: end if 

19: w[i] ← w[i−4]⊕temp 

20: end for 

21: return (w[0],...,w[43]) 

– SubWord: transformation that takes a four-byte input word and applies the S-box to each of 

the four bytes to produce an output word. 

– RotWord: transformation that takes a word [a 0 ,a 1 ,a 2 ,a 3 ] as input, performs a cyclic permutation, 

and returns the word [a 1 ,a 2 ,a 3 ,a 0 ]. 

– Rcon[i] :, A constant array of ten words 

2.6 Example 

Key, K = 66 50 3c 41 67 22 63 46 25 77 5d 27 26 55 3c 7a 

w[0] = 66 50 3c 41, w[1] = 67 22 63 46, w[2] = 25 77 5d 27, w[3] = 26 55 3c 7a 

for i = 4, temp = w[3] = 26 55 3c 7a. 

Because i ≡ 0 (mod 4) 

temp ← SubWord(RotWord(temp))) ⊕RCon[1] 

temp ← 55 3c 7a 26⊕01 00 00 00 = 54 3c 7a 26 

w[4] ← w[0]⊕temp = 66 50 3c 41⊕54 3c 7a 26 = 32 6c 46 67 

for i = 5, temp = w[4] = 32 6c 46 67. 

w[5] ← w[1]⊕w[4] = 67 22 63 46⊕32 6c 46 67 = 55 4e 25 21

IV = y§ 

+ 

d¤ 


x 

x¢ 

y¥ y¦ 

IV = y£ 

+ 

+ 

+ 

y 

(a) 

d¤ 

(b) 

e¡ 

Fig.5. The diagram for the CBC mode of operation. (a) Encryption, (b) Decryption 

e¡ 

3 Modes of operation 

y¢ 

x¦ 

DES has four modes of operation that were standardized in 1980. These modes can be used with 

minor modifications with any block cipher. A brief description of the four modes of operation is 

x¥ 

outlined as follows. 

3.1 Electronic Codebook Mode (ECB) 

Each plaintext block is encrypted with the same key K, producing a stream of ciphers. Identical 

plaintext blocks yield identical ciphers. What is the vulnerability of an ECB mode of operation? Do 

you see any advantage in using the ECB mode of operation? 

3.2 Cipher Block Chaining Mode (CBC) 

In CBC operation mode, each plaintext x i is XORed with the last ciphertext before being encrypted 

with the same key K. The first plaintext is encrypted with an initialization vector IV, of the same 

length as the plaintext. The encrypting rule under the CBC operation mode becomes 

y i = e K (y i−1 ⊕x i ), y 0 = IV. (1) 

In CBC operation mode, if any block of the plaintext is changed, the entire ciphertext sequence 

will be changed. Think of how we can use this property to provide Message Authentication. In figure 

5 we show the encryption/decryption schematics of the CBC operation mode. 

CBC is the most common mode of operation. What are the advantages and disadvantages of 

CBC mode of operation? 

3.3 Output Feedback Mode (OFB) 

In OFB mode, a keystream is generated which is XORed to the plaintext in order to produce the 

ciphertext. This is a synchronous stream cipher mode of operation. The keystream is generated using 

the DES encryption algorithm,


The ciphertext is then computed as: 

z i = e K (z i−1 ), z 0 = IV. (2) 

y i = x i ⊕z i . (3) 

The OFB mode can be used as a pseudo-random number generator. Given that much faster 

stream ciphers exist in the literature, the OFB mode is not used in practical applications. 

3.4 Cipher Feedback Mode (CFB) 

The CFB mode of opertion is very similar to the OFB mode, with the difference being in the 

generation of the keystream. In CFB, the ciphertext is encrypted to produce the keystream elements 

z i . 

The ciphertext is then computed as: 

z i = e K (y i−1 ), y 0 = IV. (4) 

y i = x i ⊕z i . (5) 

Given that much faster stream ciphers exist in the literature, the OFB mode is not used in 

practical applications.

ECE596C: Handout #7 - University of Arizona

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?