Building Own Block Cipher: Part 2 — Block Cipher Theory & Rebuilding DES
How real encryption engines work — and how you can build one from scratch.
🔸 1. Introduction
In the previous article, we built the “Lego bricks” of cryptography — pseudo-random generators, one-way functions, and permutations. Those components are not just academic toys; they form the internal mechanics of real encryption systems.
Now it’s time to assemble those bricks into something that actually encrypts data.
Welcome to block ciphers.
A block cipher is a deterministic algorithm that:
takes a fixed-size block of input (e.g. 64 or 128 bits),
mixes it with a secret key,
and outputs another block of the same size that looks completely random.
With the same key, the process is perfectly reversible.
Without the key, the transformation should be indistinguishable from pure randomness.
Block ciphers are used everywhere:
HTTPS, VPNs, banking systems, disk encryption, password managers, secure messaging…
They are the engines behind modern symmetric cryptography.
But why do we need block ciphers in the first place?
Let’s quickly build the foundation.
🔸 2. What Are Block Ciphers, and Why Do We Need Them?
We encrypt data for two reasons:
Confidentiality — making information unreadable to anyone without the key
Integrity & authenticity — ensuring the data was not changed or forged
To do this efficiently, encryption algorithms operate on fixed-size blocks.
Why blocks?
They let us design compact and analysable algorithms
They allow predictable performance on hardware and software
They reduce the complexity of invertible transformations
They provide consistency across inputs and outputs
But real data is not always aligned to 64 or 128 bits.
Emails, files, passwords, videos — all come in arbitrary lengths.
You might think: why not just use a pure stream cipher and skip blocks entirely?
Stream ciphers (like Salsa20 or ChaCha20) are excellent — fast and lightweight — but block ciphers give us two critical things that streams alone cannot guarantee:
✔ Structure for authentication modes
Block ciphers enable modern authenticated encryption schemes (AES-GCM, AES-CCM, OCB).
These protect confidentiality and detect tampering.
✔ Predictable, algebraically analysable transformations
Block ciphers provide controlled diffusion, confusion, and round structure —
making them suitable for:
hardware acceleration
cryptanalysis and security proofs
secure key wrapping
deterministic encryption building blocks
Block ciphers are the workhorses.
Stream ciphers are the special tools.
We need both.
🔸 3. The First Big Cipher: DES
Data Encryption Standard (DES) was introduced in the 1970s as the first widely deployed modern block cipher.
It works like this:
Block size: 64 bits
Key: 64 bits (but only 56 effective — 8 parity bits)
Structure: 16-round Feistel network
Core components: permutations, S-boxes, expansion, key schedule
Output: 64-bit ciphertext block
For almost 20 years, DES secured ATMs, bank traffic, government systems, corporate networks — basically everything.
But DES has two major problems today:
❌ 1. The key is too short
A 56-bit key can be brute-forced by modern hardware.
❌ 2. The block size is too small
64-bit blocks make certain high-volume protocols vulnerable to collisions and pattern leaks.
Because of this, DES is no longer considered secure.
However, DES has one amazing property:
It is the clearest modern example of how a block cipher is constructed from basic components.
That’s exactly why I rebuilt DES from scratch using only the original technical specification.
If you want to see that process — bit by bit — here are the resources:
🔗 Jupyter Notebook (step-by-step reconstruction):
🔗 GitHub repository (code + tests + CI/CD):
https://github.com/DmytroHuzz/build_own_block_cipher/tree/main/des
This notebook is essentially the “story mode” of DES:
you will see how every permutation, S-box, and round key is derived.
🔸 4. The Successor: AES — Modern, Fast, and Secure
After DES was broken by brute force, the cryptographic community spent years designing a successor.
The result was the Advanced Encryption Standard (AES).
AES has:
128-bit block size
Key sizes: 128, 192, or 256 bits
Structure: substitution–permutation network (not Feistel)
Rounds: 10 / 12 / 14 depending on key size
Massive software and hardware optimisation
Why is AES used everywhere?
✔ Large block size
Prevents block collisions in realistic workloads.
✔ Strong security margin
No practical attacks exist; the design has held up under 20+ years of analysis.
✔ Hardware acceleration
AES instructions are available on nearly all CPUs (Intel, AMD, ARM).
✔ Authenticated modes
AES-GCM and AES-CCM power TLS, SSH, VPNs, and modern APIs.
If you are using HTTPS today, you are almost certainly using AES-GCM.
AES is the industry standard for symmetric encryption — strong, fast, secure.
📝 Want to see AES built from scratch too?
If you’d like a deep, step-by-step AES reconstruction (similar to the DES notebook),
let me know in the comments or send me an email.
If enough people are interested, I will rebuild it ;)
🔸 5. Modes of Operation — Making Block Ciphers Handle Real Data
There’s one important limitation of block ciphers:
They only encrypt exactly one block
But real data is messy:
files are large
messages are unpredictable in length
patterns may repeat
attackers may modify or reorder blocks
If we simply encrypt each 64- or 128-bit block independently, we leak structural information.
(This mistake has a name: ECB mode, the “don’t do this” mode.)
So cryptographers designed modes of operation — strategies to apply a block cipher safely to multi-block data.
A mode defines how each block is processed and how blocks relate to each other.
Here are the most common ones:
ECB → simple but insecure
encrypt blocks independently
✔ only safe on truly random data
❌ leaks structure
CBC → chain blocks via XOR
✔ great for large files
❌ needs padding + sequential
CTR → encrypt counter → XOR
✔ streaming, parallel, fast
❌ careful nonce handling required
GCM → CTR + integrity tag
✔ modern web & APIs (TLS)
❌ more complex to implement safely
Why modes matter
Modes give us:
Confidentiality — data looks random
Randomness — even repeated plaintext → different ciphertext
Flexibility — any-length data, streaming, random access
Modern guarantees — integrity and authenticity with AEAD modes like GCM
Without modes, even the strongest block cipher fails to secure real-world messages.
🧪 DES With CTR Mode — Rebuilt From Scratch
In my implementation, I rebuilt DES step-by-step and wrapped it in CTR mode:
DES produces a pseudorandom block
Counter increments per block
XOR with plaintext gives ciphertext
Same process decrypts (symmetry of stream XOR)
CTR turns any block cipher into a stream cipher with nice properties:
No padding needed
Parallelizable
Random-access decryption (decrypt block N without decrypting all before it)
You can try running DES-CTR live:
🔗 Colab Notebook — editable, runnable: https://colab.research.google.com/github/DmytroHuzz/build_own_block_cipher/blob/main/des/des_story.ipynb
🔗 GitHub Repo — code + CI/CD + tests
CTR isn’t the only mode worth exploring — it’s just the cleanest and easiest to start with.
📝 Want other modes reconstructed too?
If you’d like me to:
implement CBC, CFB, OFB, GCM
explain how they prevent pattern leaks and tampering
demonstrate attacks when modes are misused
Please let me know in the comments, or email me directly.
I’m happy to continue the series in the direction that helps you most.
🔸 6. Summary — Where We Go From Here
Today we connected the ideas from the previous article (“the cryptography Lego bricks”) to real-world encryption:
✔ What block ciphers are, and why we need them
✔ Why stream ciphers alone are not enough
✔ How DES introduced the first practical, structured encryption engine
✔ Why DES is insecure today — but still worth rebuilding to understand the foundations
✔ Why AES became the modern global standard
✔ How modes of operation (especially CTR, CBC, GCM) make block ciphers safe for real data
✔ How I rebuilt DES from the original spec — including a working CTR mode implementation
All the resources are here:
🔗 GitHub repository (code + tests + CI/CD):
https://github.com/DmytroHuzz/build_own_block_cipher/tree/main
🔗 Step-by-step DES reconstruction notebook (Colab):
🔗 Previous Article
What’s next?
There are two natural directions from here — and you get to decide where we go:
🅰️ Continue the Block Cipher Journey
More modes (CBC / CFB / OFB / GCM)
Example attacks when modes are misused
AES reconstruction “from the standard”
Performance, key schedules, design philosophy
🅱️ Move to Next Cryptography Foundations
Message integrity
MACs & authenticated encryption
Why confidentiality without integrity can be dangerous
How encryption interacts with signatures and hashing
If you’re interested in AES step-by-step like we did with DES — or want me to dive deeper into modes — just leave a comment below or email me directly.
Your preference will shape the next episode in this series.
Block ciphers are the engines of secure communication.
Now you know how they are designed, how they evolved, and how we actually use them today.