Unit II

The document discusses the mathematics behind symmetric key cryptography. Symmetric key cryptography uses the same key to encrypt and decrypt data. Some common algebraic structures used in cryptography include groups, rings, and fields. Finite fields, also called Galois fields, are important in cryptography, and a finite field with p^n elements is denoted as GF(p^n).

Uploaded by

HANISHA SAALIH
2

SYMMETRIC KEY CRYPTOGRAPHY


MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY: Algebraic structures -
Modular arithmetic-Euclid's algorithm- Congruence and matrices - Groups, Rings,
Fields- Finite fields- SYMMETRIC KEY CIPHERS: SDES – Block cipher Principles of
DES – Strength of DES – Differential and linear cryptanalysis - Block cipher design
principles – Block cipher mode of operation – Evaluation criteria for AES – Advanced
Encryption Standard - RC4 – Key distribution.
2.1 Mathematics of Symmetric Key Cryptography
 Cryptology is the mathematics, such as number theory, and the application of
formulas and algorithms, that underpin cryptography and cryptanalysis.

 Since the cryptanalysis concepts are highly specialized and complex, we concentrate
here only on some of the key mathematical concepts behind cryptography.

 In order for data to be secured for storage or transmission, it must be transformed in
such a manner that it would be difficult for an unauthorized individual to be able to
discover its true meaning.

 To do this, certain mathematical equations are used, which are very difficult to solve
unless certain strict criteria are met. The level of difficulty of solving a given
equation is known as its intractability. These types of equations form the basis of
cryptography.

 Symmetric ciphers use symmetric algorithms to encrypt and decrypt data.
These ciphers are used in symmetric key cryptography.

 A symmetric algorithm uses the same key to encrypt data as it does to decrypt data.
The study of symmetric cryptosystems is referred to as symmetric cryptography.

 Symmetric cryptosystems are also sometimes referred to as secret key
cryptosystems.

 A few well-known examples of symmetric key encryption methods are the Data
Encryption Standard (DES), Triple-DES (3DES), IDEA, and BLOWFISH.

2.2 Algebraic structures
 Cryptography requires sets of integers and specific operations that are defined for
those sets. The combination of the set and the operations that are applied to the
elements of the set is called an algebraic structure. Figure 2.1 shows the common
algebraic structures.
Figure 2.1 Common Algebraic Structures

2.2.1 Groups
 A group is an algebraic structure consisting of a set of elements together with an
operation that combines any two elements to form a third element.
 A group G, sometimes denoted by {G, ·}, is a set of elements with a binary
operation, denoted by ·, that associates to each ordered pair (a, b) of elements in G
an element (a · b) in G, such that the following axioms are obeyed:
 Closure: If a and b belong to G, then a · b is also in G.
 Associative: a · (b · c) = (a · b) · c for all a, b, c in G.
 Identity element: There is an element e in G such that a · e = e · a = a for
all a in G.
 Inverse element: For each a in G there is an element a' in G such that
a · a' = a' · a = e.
 If a group has a finite number of elements, it is referred to as a finite group, and the
order of the group is equal to the number of elements in the group. Otherwise, the
group is an infinite group.
 A group is said to be abelian if it satisfies the following additional condition:
 Commutative: a · b = b · a for all a, b in G.
Cyclic Subgroups
 If a subgroup of a group can be generated using the power of an element, the
subgroup is called the cyclic subgroup.

Example 1:
Four cyclic subgroups can be made from the group G = <Z6, +>. They are H1 = <{0}, +>,
H2 = <{0, 2, 4}, +>, H3 = <{0, 3}, +> and H4 = G.

Example 2:
Three cyclic subgroups can be made from the group G = <Z10*, x>. G has only four
elements: 1, 3, 7 and 9. The cyclic subgroups are H1 = <{1}, x>, H2 = <{1, 9}, x>, H3 = G.

2.2.2 Rings
 A ring R, sometimes denoted by {R, +, x}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in R the
following axioms are obeyed:
 Closure under multiplication: If a and b belong to R, then ab is also in R.
 Associativity of multiplication: a(bc) = (ab)c for all a, b, c in R.
 Distributive laws:
 a (b + c) = ab + ac for all a, b, c in R.
 (a + b) c = ac + bc for all a, b, c in R.
 A ring is said to be commutative if it satisfies the following additional condition:

 Commutativity of multiplication: ab = ba for all a, b in R.

 An integral domain is a commutative ring that obeys the following axioms:

 Multiplicative identity: There is an element 1 in R such that a1 = 1a = a for
all a in R.

 No zero divisors: If a, b in R and ab = 0, then either a = 0 or b = 0.

2.2.3 Fields
 A field F, sometimes denoted by {F, +, x}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in F the
following axioms are obeyed:
 F is an integral domain; that is, F satisfies axioms of Groups and Rings.
 Multiplicative inverse: For each a in F, except 0, there is an element a^-1 in F
such that a(a^-1) = (a^-1)a = 1.
 A field is a set in which we can do addition, subtraction, multiplication, and division
without leaving the set. Division is defined with the following rule:
 a/b = a(b^-1)
2.3 Finite Fields
 Finite Fields, also known as Galois Fields, are cornerstones for understanding
any cryptography.
 A field can be defined as a set of numbers that we can add, subtract, multiply and
divide together and only ever end up with a result that exists in our set of numbers.
 Galois showed that for a field to be finite, the number of elements should be p^n, where
p is a prime and n is a positive integer.
 A Galois field, GF(p^n), is a finite field with p^n elements.
2.3.1 Finite Fields of Order p
 For a given prime, p, the finite field of order p, GF(p) is defined as the set Zp of
integers {0, 1,..., p- 1}, together with the arithmetic operations modulo p.
 A very common field in this category is GF(2) with the set {0, 1} and two operations,
addition and multiplication, as shown in Figure 2.2
Figure 2.2 GF(2) field

 We can define GF(5) on the set Z5 (5 is a prime) with addition and multiplication
operators as shown in Figure 2.3.

Figure 2.3 GF(5) field
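
The cyclic-subgroup examples of Section 2.2.1 and the GF(2) and GF(5) tables of Section 2.3.1 can be recomputed with the sketch below. It is an added example, not part of the original notes; all function names are chosen here for illustration.

```python
from math import gcd

def cyclic_subgroup(g, n, op):
    """Subgroup generated by g in <Zn, +> (op "+") or <Zn*, x> (op "x")."""
    identity = 0 if op == "+" else 1
    members, x = [identity], g % n
    while x != identity:              # keep combining g with itself
        members.append(x)
        x = (x + g) % n if op == "+" else (x * g) % n
    return tuple(sorted(members))

def cyclic_subgroups(n, op):
    """All distinct cyclic subgroups, smallest first."""
    if op == "+":
        elements = range(n)
    else:
        # Zn* holds only the elements that are coprime to n
        elements = [a for a in range(1, n) if gcd(a, n) == 1]
    found = {cyclic_subgroup(g, n, op) for g in elements}
    return sorted(found, key=lambda s: (len(s), s))

def op_table(n, op):
    """Addition or multiplication table of Zn, row a, column b."""
    return [[(a + b) % n if op == "+" else (a * b) % n for b in range(n)]
            for a in range(n)]

def inverses(n):
    """Map every element of Zn that has a multiplicative inverse to it."""
    return {a: b for a in range(1, n) for b in range(1, n) if (a * b) % n == 1}

def is_field(n):
    """Zn with arithmetic mod n is a field only if every non-zero
    element has a multiplicative inverse (true exactly when n is prime)."""
    return n > 1 and len(inverses(n)) == n - 1

def field_div(a, b, p):
    """Division in GF(p) by the rule a/b = a(b^-1)."""
    return (a * inverses(p)[b % p]) % p

if __name__ == "__main__":
    print("Z6, +  :", cyclic_subgroups(6, "+"))
    print("Z10*, x:", cyclic_subgroups(10, "x"))
    for row in op_table(5, "x"):
        print(row)
    # Z4 is not a field although 4 = 2^2: GF(2^2) needs different
    # arithmetic than the integers mod 4.
    print({n: is_field(n) for n in (2, 4, 5, 6, 7)})
```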


2.4 Modular Arithmetic
 Modular arithmetic is a system of arithmetic for integers, where values reset to zero
and begin to increase again, after reaching a certain predefined value, called the
modulus (modulo). Modular arithmetic is widely used in computer science
and cryptography.
2.4.1 The Modulus
 If a is an integer and n is a positive integer, we define a mod n to be the remainder
when a is divided by n. The integer n is called the modulus.
Example
 11 mod 7 = 4
 -5 mod 3 = 1
Using the counter-clockwise method:
Let n = 3 and p = -5, so the possible values are 0, 1, 2. Place these values clockwise
around a circle. Because p is negative, start from 0 and move 5 positions in the
counter-clockwise direction: 2, 1, 0, 2, 1. The count stops at 1. So, the answer is 1.
2.4.2 Congruence
 Congruences are an important and useful tool for the study of divisibility.
 If a and b are integers and n > 0, we write
a ≡ b mod n
to mean n | (b − a). We read this as “a is congruent to b modulo (or mod) n.”
Properties of congruences
 a ≡ a (mod n)
 if a ≡ b (mod n) then b ≡ a (mod n)

 if a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n)


Example 1: 29 ≡ 8 mod 7, and 60 ≡ 0 mod 15.
 The notation is used because the properties of congruence “≡” are very similar to the
properties of equality “=”.

Example 2: 38 ≡ 14 (mod 12)

 Because 38 − 14 = 24, which is a multiple of 12, or, equivalently, because both 38 and
14 have the same remainder 2 when divided by 12.
 The same rule holds for negative values:
 -8 ≡ 7 (mod 5)
 2 ≡ -3 (mod 5)
 -3 ≡ -8 (mod 5)

Example 3: Find 17^341 mod 5.

We have 17 ≡ 2 mod 5
Squaring, we have
17^2 ≡ 4 ≡ −1 mod 5
Squaring again, we find
17^4 ≡ 1 mod 5
Now, 1 to any power is 1, so we raise this last congruence to the 85th power. Why
85? Just wait a moment to find out. We then find
17^340 ≡ 1 mod 5
Finally, multiply by the first congruence to obtain
17^341 ≡ 2 mod 5
So, the required remainder is 2.
The strategy is to find some power of 17 that is 1 mod 5. Here, the power 4 worked.
Then we divided 4 into 341 to get a quotient 85, and this is the power we used on the
congruence 17^4 ≡ 1 mod 5. Note also the little trick of replacing 4 by −1 mod 5. This
gives an easier number to square.
2.5 Modular Arithmetic Operations
Properties of Modular Arithmetic
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) - (b mod n)] mod n = (a - b) mod n
3. [(a mod n) x (b mod n)] mod n = (a x b) mod n
2.5.1 Modular Addition
 Add two numbers
 Divide the sum by the modulus and take the remainder
Example
Given a = 35, b = 10 and n = 12
(a + b) mod n
= (35 + 10) mod 12
= 45 mod 12
=9
2.5.2 Modular Subtraction
 Subtract two numbers
 Find the mod value
Example 1:
a = 25, b = 8, and n = 12
(a - b) mod n
= (25 - 8) mod 12
= 17 mod 12
=5
Example 2:
a = 11, b = 50, and n = 15
(a - b) mod n
= (11 - 50) mod 15
= -39 mod 15
=6
2.5.3 Modular Multiplication
 Multiply two numbers
 Find the mod value
Example
a = 5, b = 8, and n = 12
(a x b) mod n
= (5 x 8) mod 12
= 40 mod 12
= 4
2.5.4 Modular Division
Example
Compute 5/7 mod 12
x = 5/7 mod 12
7x = 5 mod 12
Here, x takes the values from 0 to 11
If we put x = 11, we get
(7 x 11) mod 12 = 5 mod 12
= 77 mod 12
=5
2.6 Euclid's algorithm
 The Euclid's algorithm (or Euclidean Algorithm) is a method for
efficiently finding the greatest common divisor (GCD) of two numbers.
The GCD of two integers X and Y is the largest number that divides both of X and
Y (without leaving a remainder).
 For every non-negative integer, a and any positive integer b
gcd (a, b) = gcd (b, a mod b)
Example 1:
gcd (55, 22) = gcd (22, 55 mod 22)
= gcd (22, 11)
= gcd (11, 22 mod 11)
= gcd (11, 0)
gcd (55, 22) is 11
Example 2:
gcd (30, 50) = gcd (50, 30 mod 50)
= gcd (50, 30)
= gcd (30, 50 mod 30)
= gcd (30, 20)
= gcd (20, 30 mod 20)
= gcd (20, 10)
= gcd (10, 20 mod 10)
= gcd (10, 0)
gcd (30, 50) is 10
Another Method

Examples:
Find the GCD
 GCD (12, 8)
 GCD (200, 1000)
 GCD (7, 122)
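
The worked examples of Sections 2.4 to 2.6 (17^341 mod 5, 5/7 mod 12 and the gcd computations) can be checked with the sketch below. It is an added example, not part of the original notes; it goes beyond the text by using the extended Euclidean algorithm to find the modular inverse instead of trying every x from 0 to 11, and the function names are chosen here.

```python
def gcd_steps(a, b):
    """Euclid's algorithm, gcd(a, b) = gcd(b, a mod b).
    Returns (gcd, list of (a, b) pairs visited)."""
    steps = [(a, b)]
    while b != 0:
        a, b = b, a % b
        steps.append((a, b))
    return a, steps

def ext_gcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y

def mod_inverse(b, n):
    """b^-1 mod n; exists only when gcd(b, n) == 1."""
    g, x, _ = ext_gcd(b % n, n)
    if g != 1:
        raise ValueError(f"{b} has no inverse modulo {n} (gcd is {g})")
    return x % n

def mod_div(a, b, n):
    """a/b mod n, i.e. the x that solves b*x = a (mod n)."""
    return (a * mod_inverse(b, n)) % n

def mod_pow(base, exp, n):
    """Square-and-multiply: base^exp mod n without computing base^exp."""
    result, base = 1, base % n
    while exp > 0:
        if exp & 1:                   # this bit of the exponent is set
            result = (result * base) % n
        base = (base * base) % n      # square for the next bit
        exp >>= 1
    return result

if __name__ == "__main__":
    print(gcd_steps(55, 22))
    print(gcd_steps(30, 50))
    print([gcd_steps(a, b)[0] for a, b in [(12, 8), (200, 1000), (7, 122)]])
    print(mod_div(5, 7, 12))
    print(mod_pow(17, 341, 5))
    # Python's % already returns the non-negative remainder used in the
    # text (-5 mod 3 = 1); C and Java would return -2 for -5 % 3.
    print(-5 % 3, -39 % 15)
```

The division fails with a ValueError when the divisor shares a factor with the modulus (for example 1/2 mod 12), which is why division is always available only in a field such as GF(p).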

2.7 Symmetric Key Ciphers


 Symmetric ciphers use the same cryptographic keys for both encryption of
plaintext and decryption of ciphertext. They are faster than
asymmetric ciphers and allow encrypting large sets of data. However, they require
sophisticated mechanisms to securely distribute the secret keys to both parties.
Types of keys are used in symmetric key cryptography
 Symmetric encryption (figure 2.4) uses a single key that needs to be shared
among the people who need to receive the message while
asymmetrical encryption uses a pair of public key and a private key to encrypt and
decrypt messages when communicating.

Figure 2.4 Simplified Model of Symmetric Encryption


2.8 Simplified Data Encryption Standard (S-DES)
 The overall structure of the simplified DES is shown in Figure 2.5. The S-DES
encryption algorithm takes an 8-bit block of plaintext (example: 10111101) and a 10-
bit key as input and produces an 8-bit block of ciphertext as output.

 The S-DES decryption algorithm takes an 8-bit block of ciphertext and the same 10-
bit key used to produce that ciphertext as input and produces the original 8-bit block
of plaintext.

Figure 2.5 Overview of S-DES Algorithm

The encryption algorithm involves five functions:

 An initial permutation (IP)

 A complex function labeled fK, which involves both permutation and
substitution operations and depends on a key input.
 A simple permutation function that switches (SW) the two halves of the
data.

 The function fk again.

 A permutation function that is the inverse of the initial permutation

 The function fk takes as input not only the data passing through the encryption
algorithm, but also an 8-bit key. Here a 10-bit key is used from which two 8-bit
subkeys are generated.

 The key is first subjected to a permutation (P10). Then a shift operation is performed.
The output of the shift operation then passes through a permutation function that
produces an 8-bit output (P8) for the first subkey (K1).

 The output of the shift operation also feeds into another shift and another instance of
P8 to produce the second subkey (K2).

 The encryption algorithm can be expressed as a composition of functions:

IP-1 ∘ fK2 ∘ SW ∘ fK1 ∘ IP, which can also be written as

Ciphertext = IP-1 (fK2 (SW (fK1 (IP (plaintext)))))

Where

o K1 = P8 (Shift (P10 (Key)))

o K2 = P8 (Shift (Shift (P10 (Key))))

 Decryption can be shown as Plaintext = IP-1 (fK1 (SW (fK2 (IP (ciphertext)))))

2.8.1 S-DES Key Generation

 S-DES depends on the use of a 10-bit key shared between sender and receiver. From
this key, two 8-bit subkeys are produced for use in particular stages of the encryption
and decryption algorithm.(Figure 2.6)
Figure 2.6 S-DES Key Generation

 First, permute the key in the following fashion. Let the 10-bit key be designated as
(k1, k2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as:

P10 (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, k2, k7, k4, k10, k1, k9, k8, k6).

 P10 can be concisely defined by the display:

 This table is read from left to right; each position in the table gives the identity of the
input bit that produces the output bit in that position. So, the first output bit is bit 3 of
the input; the second output bit is bit 5 of the input, and so on.

Example

 The 10 bit key is (1010000010), now find the permutation from P10 for this key so it
becomes (10000 01100).
 Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits
and the second five bits. In our example, the result is (00001 11000).

 Next, apply P8, which picks out and permutes 8 of the 10 bits according to the
following rule:

 So, The result is subkey 1 (K1). In our example, this yield (10100100).

 Then go back to the pair of 5-bit strings produced by the two LS-1 functions and
performs a circular left shift of 2 bit positions on each string. In our example, the
value (00001 11000) becomes (00100 00011).

 Finally, P8 is applied again to produce K2. In our example, the result is (01000011).

2.8.2 S-DES Encryption

 Encryption involves the sequential application of five functions(Figure 2.7).

1. Initial Permutations
 The input to the algorithm is an 8-bit block of plaintext, which we first permute using
the IP function

The plaintext is 10111101

Permutated output is 01111110


Figure 2.7 S-DES Encryption

2. The Function fk
 The most complex component of S-DES is the function fK, which consists of a
combination of permutation and substitution functions. The functions can be
expressed as follows. Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit
input to fK, and let F be a mapping (not necessarily one to one) from 4-bit strings
to 4-bit strings. Then we let

fK (L, R) = (L ⊕ F (R, SK), R)

where SK is a subkey and ⊕ is the bit-by-bit exclusive OR function.

 Now, describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first
operation is an expansion/permutation operation:

 Now, find the E/P from IP


IP = 01111110, it becomes

E/P = 01111101

 Now, XOR with K1

=> 01111101 ⊕ 10100100 = 11011001

 The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to
produce a 2- bit output, and the remaining 4 bits (second row) are fed into S1 to
produce another 2-bit output.

 These two boxes are defined as follows:

 The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit
number that specify a row of the S-box, and the second and third input bits specify a
column of the S-box. Each s box gets 4-bit input and produce 2 bits as output. It
follows 00- 0, 01-1, 10-2, 11-3 scheme.

Here, take the first 4 bits for S0 and the second 4 bits for S1:

S0 => 1101: row 11 -> 3, column 10 -> 2 => 3 => 11

S1 => 1001: row 11 -> 3, column 00 -> 0 => 2 => 10

So, we get 1110

 Now, find P4

After P4, the value is 1011

Now, XOR operation 1011⊕ 0111 => 1100


3. The Switch function

 The switch function (sw) interchanges the left and right 4 bits.

1100 1110 -> 1110 1100

4. Second function fk

 First, do E/P function and XOR with K2, the value is 01101001⊕01000011, the
answer is 00101010

 Now, find S0 and S1

S0 => row 00 -> 0, column 01 -> 1 => 0 => 00

S1 => row 10 -> 2, column 01 -> 1 => 0 => 00

Value is 0000

 Now, find P4 and XOR operation

After P4 => 0000 ⊕ 1110 = 1110, then concatenate last 4 bits after
interchange in sw.

 Now value is 11101100

5. Find IP-1

So, value is 01110101

The Ciphertext is 01110101

2.8.3 S-DES Decryption

 Decryption involves the sequential application of five functions.

1. Find IP
 After IP, value is 11101100

2. Function fk

 After step 2, the answer is 11101100

3. Switch

 The answer is 11001110

4. Second fk

 The answer is 01111110

5. Find IP-1

 101111101 -> Plaintext

2.9 Block Cipher Principles

 All symmetric block encryption algorithms in current use are based on a structure
referred to as a Feistel block cipher.

Stream Ciphers and Block Ciphers

 A stream cipher is one that encrypts a digital data stream one bit or one byte at a
time, e.g., the Vigenère cipher. Figure (2.8a)

 A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a cipher text block of equal length. Typically, a block size of 64 or 128 bits
is used. Figure (2.8b)
Figure 2.8 Stream Cipher and Block Cipher

 Many block ciphers have a Feistel structure. Such a structure consists of a number of
identical rounds of processing.
 In each round, a substitution is performed on one half of the data being processed,
followed by a permutation that interchanges the two halves.
 The original key is expanded so that a different key is used for each round.
 The Data Encryption Standard (DES) has been the most widely used encryption
algorithm. It exhibits the classic Feistel structure.
 The DES uses a 64-bit block and a 56-bit key. Two important methods of
cryptanalysis are differential cryptanalysis and linear cryptanalysis. DES has been
shown to be highly resistant to these two types of attack.
 A block cipher operates on a plaintext block of n bits to produce a ciphertext block of
n bits. There are possible different plaintext blocks and, for the encryption to be
reversible (i.e., for decryption to be possible), each must produce a unique ciphertext
block. Such a transformation is called reversible, or nonsingular.
 In particular, Feistel proposed the use of a cipher that alternates substitutions and
permutations, where these terms are defined as follows:
 Substitution: Each plaintext element or group of elements is uniquely replaced
by a corresponding ciphertext element or group of elements.
 Permutation: A sequence of plaintext elements is replaced by a permutation
of that sequence. That is, no elements are added or deleted or replaced in the
sequence, rather the order in which the elements appear in the sequence is
changed.
 Two methods for frustrating statistical cryptanalysis are:
 Diffusion – Each plaintext digit affects many ciphertext digits, or each
ciphertext digit is affected by many plaintext digits.
 Confusion – Make the statistical relationship between a plaintext and the
corresponding ciphertext as complex as possible in order to thwart attempts to
deduce the key.

2.9.1 Feistel cipher structure

 The left-hand side of figure 2.9 depicts the structure proposed by Feistel.

 The input to the encryption algorithm is a plaintext block of length 2w bits and a key
K. The plaintext block is divided into two halves L0 and R0.

 The two halves of the data pass through n rounds of processing and then combine to
produce the ciphertext block. Each round i has inputs Li-1 and Ri-1, derived from the
previous round, as well as the subkey Ki, derived from the overall key K.

 In general, the subkeys Ki are different from K and from each other. All rounds have
the same structure.

 A substitution is performed on the left half of the data (similar to S-DES). This is
done by applying a round function F to the right half of the data and then taking the
XOR of the output of that function and the left half of the data.

 The round function has the same general structure for each round but is parameterized
by the round subkey Ki. Following this substitution, a permutation is performed that
consists of the interchange of the two halves of the data.

 This structure is a particular form of the substitution-permutation network.


Figure 2.9 Feistel Encryption and Decryption (16 rounds)

The features of Feistel network are:

 Block size - Increasing size improves security, but slows cipher

 Key size - Increasing size improves security, makes exhaustive key searching
harder, but may slow cipher

 Number of rounds - Increasing number improves security, but slows cipher

 Subkey generation - Greater complexity can make analysis harder, but slows
cipher
 Round function - Greater complexity can make analysis harder, but slows
cipher

 The process of decryption is essentially the same as the encryption process.

 The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys
Ki in reverse order, i.e., Kn in the first round, Kn-1 in the second round and so on.

 For clarity, we use the notation LEi and REi for data traveling through the encryption
algorithm and LDi and RDi for data traveling through the decryption algorithm.

 The above diagram indicates that, at each round, the intermediate value of the
decryption process is same (equal) to the corresponding value of the encryption
process with two halves of the value swapped.

i.e., REi || LEi (or) equivalently LD16-i || RD16-i

 After the last iteration of the encryption process, the two halves of the output are
swapped, so that the cipher text is RE16 || LE16.

 The output of that round is the cipher text. Now take the cipher text and use it as input
to the same algorithm.

 The input to the first round is RE16 || LE16, which is equal to the 32-bit swap of the
output of the sixteenth round of the encryption process.

 Now we will see how the output of the first round of the decryption process is equal
to a 32-bit swap of the input to the sixteenth round of the encryption process.

 First consider the encryption process,


 Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit
swap recovers the original plaintext.
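
The argument above, that running the same network with the subkeys in reverse order undoes encryption and that every intermediate decryption value is the swapped encryption value (LD16-i = REi and RD16-i = LEi), can be checked with the sketch below. It is an added example, not part of the original notes and not DES: the round function F and the key schedule are hypothetical stand-ins built from SHA-256, chosen to show that F itself never has to be invertible.

```python
import hashlib

ROUNDS = 16
HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1

def round_function(right, subkey):
    """Hypothetical F(R, K): 32 bits of SHA-256 over R || K.
    It is not invertible; a Feistel network only ever calls F forwards."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def key_schedule(key):
    """Hypothetical subkeys K1..K16: 32 bits of SHA-256 over key || i."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, ROUNDS + 1)]

def feistel(block64, subkeys):
    """Runs the rounds L_i = R_(i-1), R_i = L_(i-1) xor F(R_(i-1), K_i).
    Returns (output block, [(L_0, R_0), ..., (L_16, R_16)])."""
    left, right = block64 >> HALF_BITS, block64 & MASK
    states = [(left, right)]
    for subkey in subkeys:
        left, right = right, left ^ round_function(right, subkey)
        states.append((left, right))
    # Final 32-bit swap: the output is R_16 || L_16.
    return (right << HALF_BITS) | left, states

def encrypt(block64, key):
    return feistel(block64, key_schedule(key))

def decrypt(block64, key):
    # Same algorithm, subkeys used in reverse order (K16 first).
    return feistel(block64, key_schedule(key)[::-1])

def check_mirror(plaintext, key):
    """Returns (round trip ok, every decryption state mirrors encryption)."""
    ciphertext, enc = encrypt(plaintext, key)
    recovered, dec = decrypt(ciphertext, key)
    mirrored = all(dec[ROUNDS - i] == (enc[i][1], enc[i][0])
                   for i in range(ROUNDS + 1))
    return recovered == plaintext, mirrored

if __name__ == "__main__":
    # Constructed sample block and key.
    print(check_mirror(0x0123456789ABCDEF, b"constructed-key"))
```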

2.10 Data Encryption Standard (DES)


 The Data Encryption Standard (DES) is a symmetric-key block cipher published by
the National Institute of Standards and Technology (NIST).

 DES is an implementation of a Feistel cipher. It uses a 16-round Feistel structure. The
block size is 64 bits. Though the key length is 64 bits, DES has an effective key length of
56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm.
These 8 bits can be used as parity bits or simply set arbitrarily.

 The general structure of DES is depicted in Figure 2.10.
Figure 2.10 General Structure of DES Encryption Algorithm

2.10.1 DES Encryption


 The processing of the plaintext proceeds in three phases. First, the 64-bit plaintext
passes through an initial permutation (IP) that rearranges the bits to produce the
permuted input.
 The second phase consists of sixteen rounds of the same function, which involves both
permutation and substitution functions. The output of the last (sixteenth) round
consists of 64 bits that are a function of the input plaintext and the key. The left and
right halves of the output are swapped to produce the preoutput.
 Finally, the preoutput is passed through a permutation [IP-1] that is the inverse of the
initial permutation function, to produce the 64-bit ciphertext.
 Figure 2.10 shows the way in which the 56-bit key is used. Initially, the key is passed
through a permutation function. Then, for each of the sixteen rounds, a subkey (Ki) is
produced by the combination of a left circular shift and a permutation. The
permutation function is the same for each round, but a different subkey is produced
because of the repeated shifts of the key bits.
Initial Permutation
 The initial permutation and its inverse are defined by tables, as shown in Tables 2.1a
and 2.1b, respectively.
 The input to a table consists of 64 bits numbered from 1 to 64. The 64 entries in the
permutation table contain a permutation of the numbers from 1 to 64. Each entry in
the permutation table indicates the position of a numbered input bit in the output,
which also consists of 64 bits.
 Consider the following 64-bit input M:

Where Mi is a binary digit. Then the permutation X = IP(M) is as follows:

If we then take the inverse permutation, Y = IP-1(X) = IP-1(IP(M)) it can be seen that the
original ordering of the bits is restored.
Table 2.1 Permutation Tables for DES

2.10.2 Details of Single Round


 Figure 2.11 shows the internal structure of a single round. The left and right halves of
each 64-bit intermediate value are treated as separate 32-bit quantities, labeled L (left)
and R (right).
 The overall processing at each round can be summarized in the following formulas:
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
 The round key Ki is 48 bits. The input R is 32 bits. This input R is first expanded to
48 bits by using a table that defines a permutation plus an expansion that involves
duplication of 16 of the R bits (Table 2.1c). The resulting 48 bits are XORed with Ki.
This 48-bit result passes through a substitution function that produces a 32-bit output,
which is permuted as defined by Table 2.1d.
Figure 2.11 Single Round of DES Algorithm
2.10.3 Key Generation

 A 64-bit key is used as input to the algorithm. The bits of the key are numbered from
1 through 64; every eighth bit is ignored, as indicated by the lack of shading in Table
2.2a.
 The key is first subjected to a permutation governed by a table labeled Permuted
Choice One (Table 2.2b).
 The resulting 56-bit key is then treated as two 28-bit quantities, labelled C0 and D0.
 At each round, and are separately subjected to a circular left shift or (rotation) of 1 or
2 bits, as governed by Table 2.2d.
 These shifted values serve as input to the next round.
 They also serve as input to the part labeled Permuted Choice Two (Table 2.2c), which
produces a 48-bit output that serves as input to the function F(Ri-1, Ki)
Table 2.2 DES Key Calculation

2.10.4 S Boxes
 The substitution consists of a set of eight S-boxes (Figure 2.12), each of which
accepts 6 bits as input and produces 4 bits as output.
 The 32-bit output from the eight S-boxes is then permuted, so that on the next round,
the output from each S-box immediately affects as many others as possible.
Figure 2.12 Calculation of F(R, K)
2.10.5 Avalanche Effect
 A desirable property of any encryption algorithm is that a small change in either the
plaintext or the key should produce a significant change in the ciphertext.
 In particular, a change in one bit of the plaintext or one bit of the key should produce
a change in many bits of the ciphertext. Figure 2.13 shows the avalanche effect.

Figure 2.13 Avalanche Effect in DES


2.11 The Strength of DES
 The Use of 56-Bit Keys: With a key length of 56 bits, there are 2^56 possible keys,
which is approximately 7.2 x 10^16 keys.
 Thus, on the face of it, a brute-force attack appears impractical. Assuming that, on
average, half the key space has to be searched, a single machine performing one DES
encryption per microsecond would take more than a thousand years to break the
cipher.
 DES was finally and definitively proved insecure in July 1998, when the Electronic
Frontier Foundation (EFF) announced that it had broken a DES encryption using a
special-purpose “DES cracker” machine that was built for less than $250,000. The
attack took less than three days.
 The EFF has published a detailed description of the machine, enabling others to build
their own cracker, and hardware prices will continue to drop as speeds increase,
making DES virtually worthless.
 There are a number of alternatives to DES, the most important of which are AES and
triple DES.

2.12 Differential and Linear Cryptanalysis


 The DES algorithm is vulnerable to brute-force attack because of its relatively
short (56 bits) key length.
 With the increasing popularity of block ciphers with longer key lengths, including triple
DES, brute-force attacks have become increasingly impractical. Thus, there has been
increased emphasis on cryptanalytic attacks on DES and other symmetric block
ciphers.
2.12.1 Differential Cryptanalysis
 Differential cryptanalysis is a general form of cryptanalysis applicable primarily to
block ciphers, but also to stream ciphers and cryptographic hash functions. In the
broadest sense, it is the study of how differences in information input can affect the
resultant difference at the output.
 Differential cryptanalysis is the first published attack that is capable of breaking DES
in less than 2^55 encryptions. The scheme can successfully cryptanalyze DES with an
effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. Although 2^47 is
certainly significantly less than 2^55, the need for the adversary to find 2^47 chosen
plaintexts makes this attack of only theoretical interest.
2.12.2 Linear Cryptanalysis
 This attack is based on finding linear approximations to describe the transformations
performed in DES.
 This method can find a DES key given 2^43 known plaintexts, as compared to 2^47
chosen plaintexts for differential cryptanalysis. Although this is a minor improvement,
because it may be easier to acquire known plaintext rather than chosen plaintext, it
still leaves linear cryptanalysis infeasible as an attack on DES.

2.13 Block Cipher Design Principles

 There are three critical aspects of block cipher design:


 The number of rounds
 Design of the function F
 Key scheduling
DES Design Criteria

 The criteria used in the design of DES focused on the design of the S-boxes and on
the P function that takes the output of the S-boxes. The criteria for the S-boxes are as
follows.
 No output bit of any S-box should be too close to a linear function of the input
bits. Specifically, if we select any output bit and any subset of the six input
bits, the fraction of inputs for which this output bit equals the XOR of these
input bits should not be close to 0 or 1, but rather should be near 1/2.
 Each row of an S-box (determined by a fixed value of the leftmost and
rightmost input bits) should include all 16 possible output bit combinations.
 If two inputs to an S-box differ in exactly one bit, the outputs must differ in at
least two bits.
 If two inputs to an S-box differ in the two middle bits exactly, the outputs
must differ in at least two bits.
 If two inputs to an S-box differ in their first two bits and are identical in their
last two bits, the two outputs must not be the same.
 For any nonzero 6-bit difference between inputs, no more than eight of the 32
pairs of inputs exhibiting that difference may result in the same output
difference.
 This is a criterion similar to the previous one, but for the case of three S-
boxes.

 The S-boxes are the only nonlinear part of DES. If the S-boxes were linear (i.e., each
output bit is a linear combination of the input bits), the entire algorithm would be
linear and easily broken.
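The S-box criteria listed above can be checked mechanically. The following is an added example, not part of the original notes: it tests the first DES S-box, S1, against the single-S-box criteria; the function names are chosen here for illustration.

```python
# DES S-box S1: the outer two input bits select the row, the middle four the column.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """Look up a 6-bit input: bits 5 and 0 pick the row, bits 4..1 the column."""
    row = ((x >> 5) << 1) | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def weight(v):
    """Number of 1 bits in v."""
    return bin(v).count("1")

def rows_are_permutations():
    """Each row must contain all 16 possible output values."""
    return all(sorted(row) == list(range(16)) for row in S1)

def min_change_for_difference(delta):
    """Fewest output bits that change over all input pairs with XOR difference delta."""
    return min(weight(s1(x) ^ s1(x ^ delta)) for x in range(64))

def one_bit_changes_ok():
    """Inputs differing in exactly one bit give outputs differing in at least two bits."""
    return all(min_change_for_difference(1 << i) >= 2 for i in range(6))

def middle_bits_ok():
    """Inputs differing in exactly the two middle bits differ in at least two output bits."""
    return min_change_for_difference(0b001100) >= 2

def first_two_bits_ok():
    """Inputs differing in the first two bits and equal in the last two never collide."""
    return all(min_change_for_difference(0b110000 | (m << 2)) >= 1 for m in range(4))

def max_difference_count():
    """Largest number of ordered input pairs sharing one (input diff, output diff).
    Eight of the 32 unordered pairs corresponds to 16 ordered pairs."""
    best = 0
    for delta in range(1, 64):
        counts = [0] * 16
        for x in range(64):
            counts[s1(x) ^ s1(x ^ delta)] += 1
        best = max(best, max(counts))
    return best

def linear_fraction_range():
    """Min and max fraction of inputs for which one output bit equals the XOR
    of a non-empty subset of the input bits (should stay well away from 0 and 1)."""
    fractions = []
    for out_bit in range(4):
        for mask in range(1, 64):
            hits = sum(((s1(x) >> out_bit) & 1) == weight(x & mask) % 2
                       for x in range(64))
            fractions.append(hits / 64)
    return min(fractions), max(fractions)

if __name__ == "__main__":
    print(rows_are_permutations(), one_bit_changes_ok(), middle_bits_ok(),
          first_two_bits_ok(), max_difference_count(), linear_fraction_range())
```

The criterion that spans three S-boxes is not covered, since it needs the neighbouring S-boxes and the expansion step.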

2.13.1 Number of Rounds


 The greater the number of rounds, the more difficult it is to perform cryptanalysis,
even for a relatively weak F.
 In general, the criterion should be that the number of rounds is chosen so that known
cryptanalytic efforts require greater effort than a simple brute-force key search attack.
 This criterion was certainly used in the design of DES. For 16-round DES, a
differential cryptanalysis attack is slightly less efficient than brute force.
 The differential cryptanalysis attack requires 2^55.1 operations, whereas brute force
requires 2^55. If DES had 15 or fewer rounds, differential cryptanalysis would require
less effort than a brute-force key search.
2.13.2 Design of Function F
 The heart of a Feistel block cipher is the function F. In DES, this function relies on
the use of S-boxes.
Design Criteria for F
 The function F provides the element of confusion in a Feistel cipher. Thus, it must be
difficult to “unscramble” the substitution performed by F. One obvious criterion is
that F be nonlinear. If so, any type of cryptanalysis will be very difficult. Several
other criteria should be considered in designing F.
 The algorithm should have good avalanche properties. That is, a change in one bit of
the input should produce a change in many bits of the output. A more stringent
version of this is the Strict Avalanche Criterion (SAC), which states that any output
bit j of an S-box should change with probability 1/2 when any single input bit i is
inverted, for all i, j.
 Another criterion is the Bit Independence Criterion (BIC), which states that output
bits j and k should change independently when any single input bit i is inverted for all
i, j and k.
S-Box Design
 One of the most intense areas of research in the field of symmetric block ciphers is
that of S-box design.
 One obvious characteristic of the S-box is its size. An n x m S-box has n input bits
and m output bits. DES has 6 x 4 S-boxes.
 The encryption algorithm Blowfish has 8 x 32 S-boxes. Larger S-boxes, by and large,
are more resistant to differential and linear cryptanalysis. The following approaches
to S-box design have been suggested:
 Random: Use some pseudorandom number generation or some table of
random digits to generate the entries in the S-boxes. This may lead to boxes
with undesirable characteristics for small sizes (e.g., 6 x 4) but should be
acceptable for large S-boxes (e.g., 8 x 32).
 Random with testing: Choose S-box entries randomly, then test the results
against various criteria.
 Human-made: This is a more or less manual approach with only simple
mathematics to support it. It is apparently the technique used in the DES
design. This approach is difficult to carry through for large S-boxes.
 Math-made: Generate S-boxes according to mathematical principles. By
using mathematical construction, S-boxes can be constructed that offer proven
security against linear and differential cryptanalysis, together with good
diffusion.
2.13.3 Key Scheduling
 A final area of block cipher design is the key schedule algorithm. With any Feistel
block cipher, the key is used to generate one subkey for each round. In general, select
subkeys to maximize the difficulty of deducing individual subkeys and the difficulty
of working back to the main key.

2.14 Block Cipher Mode of Operation


 Encryption algorithms are divided into two categories based on input type: block
ciphers and stream ciphers.
 A block cipher is an encryption algorithm that takes a fixed-size input of, say, b bits
and produces a ciphertext of b bits.
 If the input is larger than b bits, it can be divided further. For different applications and
uses, there are several modes of operation for a block cipher.
 The five standard Modes of Operation:

 Electronic Code Book (ECB)


 Cipher Block Chaining (CBC)
 Cipher Feedback (CFB)
 Output Feedback (OFB)
 Counter (CTR)
Electronic Code Book (ECB)
 Electronic Code Book is the simplest block cipher mode of operation. Each block of
input plaintext is encrypted directly, and the output is the corresponding block of
ciphertext (Figure 2.14).
 Generally, if a message is larger than b bits in size, it can be broken down into a number
of blocks and the procedure is repeated. In this approach, the plaintext is handled one
block at a time and each block of plaintext is encrypted using the same key.
 The term codebook is used because, for a given key, there is a unique ciphertext for
every b-bit block of plaintext.
Advantages
 Parallel encryption of blocks of bits is possible, thus it is a faster way of
encryption.
 Simple way of using a block cipher.
Disadvantages
 Prone to cryptanalysis since there is a direct relationship between plaintext and
ciphertext.
Cj = E(K, Pj), j = 1, …, N
Pj = D(K, Cj), j = 1, …, N
Figure 2.14 Electronic Code Book

Cipher Block Chaining (CBC)


 This approach overcomes the security deficiencies of ECB. In this scheme (Figure
2.15), the input to the encryption algorithm is the XOR of the current plaintext block
and the preceding ciphertext block; the same key is used for each block.
 In effect, we have chained together the processing of the sequence of plaintext blocks.
 The CBC mode requires that the last block be padded to a full b bits if it is a partial
block.
 To produce the first block of ciphertext, an Initialization Vector (IV) is XORed with
the first block of plaintext.
 On decryption, the IV is XORed with the output of the decryption algorithm to
recover the first block of plaintext.
 The IV is a data block that is the same size as the cipher block. The IV must be
known to both the sender and receiver but be unpredictable by a third party. In
particular, for any given plaintext, it must not be possible to predict the IV that will be
associated with the plaintext in advance of the generation of the IV. For maximum
security, the IV should be protected against unauthorized changes.

Figure 2.15 Cipher Block Chaining


Advantages
 CBC works well for input greater than b bits.
 CBC is a good authentication mechanism.
 Better resistance to cryptanalysis than ECB.
Disadvantages
 Parallel encryption is not possible, since encrypting each block requires the previous
ciphertext block.
Cipher Feedback (CFB)
 In this approach (figure 2.16), the input to the encryption function is a b-bit shift
register that is initially set to some initialization vector (IV).
 The leftmost (most significant) s bits of the output of the encryption function are
XORed with the first segment of plaintext P1 to produce the first unit of
ciphertext C1, which is then transmitted.
 In addition, the contents of the shift register are shifted left by s bits, and C1 is
placed in the rightmost (least significant) s bits of the shift register. This process
continues until all plaintext units have been encrypted.
 For decryption, the same scheme is used, except that the received ciphertext unit
is XORed with the output of the encryption function to produce the plaintext
unit. Let MSBs(X) be defined as the most significant s bits of X. Then,
C1 = P1 ⊕ MSBs[E(K, IV)]
P1 = C1 ⊕ MSBs[E(K, IV)]

Figure 2.16 Cipher Feedback


Advantages
 Since there is some data loss due to the use of the shift register, it is difficult to
apply cryptanalysis.
Output Feedback (OFB)
 The output feedback (OFB) mode is similar in structure to CFB (Figure 2.17). In OFB,
it is the output of the encryption function that is fed back to the shift register,
whereas in CFB, the ciphertext unit is fed back to the shift register.
 The other difference is that the OFB mode operates on full blocks of plaintext and
ciphertext, not on an s-bit subset. Encryption and decryption can be expressed as

Cj = Pj ⊕ E(K, [Cj-1 ⊕ Pj-1])
Pj = Cj ⊕ E(K, [Cj-1 ⊕ Pj-1])
Figure 2.17 Output Feedback
Advantages
 Bit errors in transmission do not propagate
Disadvantages
 It is more vulnerable to a message stream modification attack than is CFB.
Counter (CTR)
 A counter equal to the plaintext block size is used. The only requirement stated is that
the counter value must be different for each plaintext block that is encrypted (Figure
2.18).
 Typically, the counter is initialized to some value and then incremented by 1 for each
subsequent block (modulo, where is the block size).
 For encryption, the counter is encrypted and then XORed with the plaintext block to
produce the ciphertext block; there is no chaining.
 For decryption, the same sequence of counter values is used, with each encrypted
counter XORed with a ciphertext block to recover the corresponding plaintext block.
Thus, the initial counter value must be made available for decryption.
 Given a sequence of counters T1, T2, …, TN, we can define CTR mode as follows.

 For the last plaintext block, which may be a partial block of bits, the most significant
bits of the last output block are used for the XOR operation; the remaining bits are
discarded.
Figure 2.18 Counter
Advantages
 Hardware efficiency
 Software efficiency
 Preprocessing
 Random access
 Provable security
 Simplicity
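
The difference between ECB, CBC and CTR described above can be observed directly. The following is an added example, not part of the original notes: the 8-byte Feistel function E/D is a toy stand-in for a real block cipher, and the key, IV and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 8  # toy block size in bytes (b = 64 bits); an assumption of this example

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # result is as long as the shorter input

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key, block):
    """Toy 4-round Feistel cipher standing in for E(K, .); it is not DES or AES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def D(key, block):
    """Inverse of E: the same rounds applied in reverse order."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def split(data, full=False):
    if full and len(data) % BLOCK:
        raise ValueError("ECB and CBC need the last block padded to a full block")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in split(pt, full=True))   # Cj = E(K, Pj)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in split(pt, full=True):
        prev = E(key, _xor(p, prev))     # plaintext block XOR previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in split(ct, full=True):
        out.append(_xor(D(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key, first_counter, data):
    """CTR encryption and decryption are the same operation; no padding is needed."""
    out = []
    for j, chunk in enumerate(split(data)):
        t = ((first_counter + j) % 2 ** (8 * BLOCK)).to_bytes(BLOCK, "big")
        out.append(_xor(chunk, E(key, t)))   # a partial last block uses the leading bytes
    return b"".join(out)

def duplicate_blocks(ct):
    """Number of ciphertext blocks that repeat an earlier block."""
    parts = split(ct)
    return len(parts) - len(set(parts))

KEY = b"constructed demo key"
IV = bytes.fromhex("0f1e2d3c4b5a6978")        # constructed; must be unpredictable in real use
PLAINTEXT = b"PAY 100$" * 3 + b"TO ALICE"      # constructed: three identical 8-byte blocks

if __name__ == "__main__":
    print("ECB repeated blocks:", duplicate_blocks(ecb_encrypt(KEY, PLAINTEXT)))
    print("CBC repeated blocks:", duplicate_blocks(cbc_encrypt(KEY, IV, PLAINTEXT)))
```

Counting repeated ciphertext blocks, as duplicate_blocks does, is also a quick way to spot ECB use in stored or captured data.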

2.15 Evaluation criteria for AES


 AES has been subjected to more scrutiny than any other encryption algorithm over a
longer period of time, and no effective cryptanalytic attack based on the algorithm
rather than brute force has been found.
 The principal drawback of 3DES is that the algorithm is relatively sluggish in software. The
original DES was designed in 1970 for hardware implementation, and it does not produce
efficient software code. 3DES, which has three times as many rounds as DES, is
correspondingly slower. The secondary drawback is that both DES and 3DES use a
64-bit block size.
 Because of these drawbacks, 3DES is not a reasonable candidate for long-term use. As a
replacement, a new symmetric encryption algorithm was proposed, called the
Advanced Encryption Standard, which should have security strength equal to or better
than 3DES and significantly improved efficiency. The three categories of criteria
were:
 Security: This refers to the effort required to cryptanalyze an algorithm. The
emphasis in the evaluation was on the practicality of the attack. Because the
minimum key size for AES is 128 bits, brute-force attacks with current and
projected technology were considered impractical. Therefore, the emphasis,
with respect to this point, is cryptanalysis other than a brute-force attack.
 Cost: NIST intends AES to be practical in a wide range of applications.
Accordingly, AES must have high computational efficiency, so as to be usable
in high-speed applications, such as broadband links.
 Algorithm and implementation characteristics: This category includes a variety
of considerations, including flexibility; suitability for a variety of hardware
and software implementations; and simplicity, which will make an analysis of
security more straightforward.
2.16 Advanced Encryption Standard (AES)
 The more popular and widely adopted symmetric encryption algorithm likely to be
encountered nowadays is the Advanced Encryption Standard (AES). It is found to be at
least six times faster than triple DES.
 The AES algorithm was developed by two Belgian cryptographers, Vincent
Rijmen and Joan Daemen.
 The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be
16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128,
AES-192, or AES-256, depending on the key length.
Overall Structure of AES

 AES is an iterative rather than a Feistel cipher. It is based on a ‘substitution–permutation
network’. It comprises a series of linked operations, some of which
involve replacing inputs by specific outputs (substitutions) and others involve
shuffling bits around (permutations).

 Interestingly, AES performs all its computations on bytes rather than bits. Hence,
AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged
in four columns and four rows for processing as a matrix.

 Unlike DES, the number of rounds in AES is variable and depends on the length of
the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14
rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key,
which is calculated from the original AES key.

 The overall structure of AES (Figure 2.19) focuses particularly on the four steps used in
each round of AES:

 Byte Substitution

 Shift Rows

 Mix Columns

 Add Round Key


Figure 2.19 Overall Structure of AES

2.16.1 Encryption Process

Byte Substitution (SubBytes)

 Uses an S-box to perform a byte-by-byte substitution of the block. The forward
substitute byte transformation, called SubBytes, is a simple table lookup in the S-box
that replaces the value (Figure 2.20). AES defines a 16 x 16 matrix of byte values,
called an S-box, that contains a permutation of all possible 256 8-bit values.
 Each individual byte of State is mapped into a new byte in the following way: The
leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as
a column value. These row and column values serve as indexes into the S-box to
select a unique 8-bit output value.

Figure 2.20 Substitute Byte Transformation


 For example (Table 2.3), the hexadecimal value {86} references row 8, column 6 of
the S-box, which contains the value {44}. Accordingly, the value {44} is mapped back
into the value {86} by the inverse S-box at the decryption stage.
Table 2.3

Example of SubBytes transformation

Shift Rows Transformation


 In Shift Rows transformation (figure 2.21), the first row of State is not altered. For the
second row, a 1-byte circular left shift is performed. For the third row, a 2-byte
circular left shift is performed. For the fourth row, a 3-byte circular left shift is
performed.

Figure 2.21 Shift Row Transformation

Example of Shift Rows Transformation

MixColumns Transformation
 It operates on each column individually. Each byte of a column is mapped into a new
value that is a function of all four bytes in that column. The transformation can be
defined by the following matrix multiplication on State (Figure 2.22)
Figure 2.22 MixColumns Transformation

Example of MixColumns Transformation

AddRoundKey Transformation
 It is a simple bitwise XOR of the current block with a portion of the expanded key.
The 128 bits of State are bitwise XORed with the 128 bits of the round key. As
shown in Figure 2.23, the operation is viewed as a columnwise operation between the
4 bytes of a State column and one word of the round key; it can also be viewed as a
byte-level operation.

Figure 2.23 AddRoundKey Transformation

Example of AddRoundKey
2.16.2 AES Key Expansion Algorithm
 This algorithm takes as input a four-word (16-byte) key and produces a linear array of
44 words (176 bytes).
 This is sufficient to provide a four-word round key for the initial AddRoundKey stage
and each of the 10 rounds of the cipher.
 The key is copied into the first four words of the expanded key. The remainder of the
expanded key is filled in four words at a time. Each added word w[i] depends on the
immediately preceding word w[i-1], and the word four positions back, w[i-4].
 In three out of four cases, a simple XOR is used. For a word whose position in the w
array is a multiple of 4, a more complex function is used. Figure 2.24 illustrates the
generation of the expanded key, using the symbol g to represent that complex
function.
Figure 2.24 AES Key Expansion
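
The four round transformations of section 2.16.1 and the key expansion of section 2.16.2 fit together as follows. This is an added example, not part of the original notes: a compact AES-128 single-block encryption in which the S-box is computed rather than tabulated and the details of the function g (rotate, substitute, XOR a round constant) are taken from the AES standard, FIPS-197.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result

def build_sbox():
    """S-box entry = affine transform of the multiplicative inverse (0 maps to 0)."""
    box = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):              # x^254 equals x^-1 in GF(2^8)
                inv = gf_mul(inv, x)
        y = inv
        for n in range(1, 5):
            y ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        box.append(y ^ 0x63)
    return box

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    """16-byte key -> 44 four-byte words; w[i] depends on w[i-1] and w[i-4]."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:                          # the function g
            temp = temp[1:] + temp[:1]          # rotate the word left by one byte
            temp = [SBOX[b] for b in temp]      # substitute each byte
            temp[0] ^= RCON[i // 4 - 1]         # XOR the round constant
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

# The state is a flat list of 16 bytes; the byte at row r, column c has index r + 4*c.
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out

def add_round_key(s, w, rnd):
    round_key = [b for word in w[4 * rnd:4 * rnd + 4] for b in word]
    return [a ^ b for a, b in zip(s, round_key)]

def aes128_encrypt_block(key, block):
    """Initial AddRoundKey, nine full rounds, and a final round without MixColumns."""
    w = expand_key(key)
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    return bytes(add_round_key(shift_rows(sub_bytes(s)), w, 10))

if __name__ == "__main__":
    key = bytes(range(16))                                   # FIPS-197 example key
    block = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, block).hex())
```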
2.17 RC4
 RC4 is an encryption algorithm created in 1987 by Ronald Rivest of RSA Security. It
is a stream cipher (Figure 2.25), which means that each digit or character is encrypted
one at a time. A cipher is a message that has been encoded.
 A key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers
that is unpredictable without knowledge of the input key.
 The output of the generator, called the keystream, is combined one byte at a time with
the plaintext stream using the XOR operation.
Figure 2.25 Stream Cipher Diagram
Example

2.17.1 Key Generation Algorithm


 A variable-length key of 1 to 256 bytes is used to initialize a 256-byte state vector S,
with elements S[0] to S[255]. For encryption and decryption, a byte k is generated
from S by selecting one of the 255 entries in a systematic fashion, then the entries in S
are permuted again (Figure 2.26).
Initialization of S
 The entries of S are set equal to the values from 0 to 255 in ascending order, and a
temporary vector T is created. If the length of the key K is 256 bytes, then K is
assigned to T. Otherwise, for a key of length keylen bytes, the first keylen elements
of T are copied from K, and then K is repeated as many times as necessary to fill T.
// Initialization
for i = 0 to 255 do
{
S[i] = i;
T[i] = K[i mod keylen];
}
 Next, T is used to produce the initial permutation of S. Going from S[0] to S[255],
the algorithm swaps each S[i] with another byte in S according to a scheme dictated
by T[i]. S still contains all the values from 0 to 255:
// Initial Permutation of S
j = 0;
for i = 0 to 255 do
{
j = (j + S[i] + T[i]) mod 256;
Swap(S[i], S[j]);
}
Pseudo random generation algorithm (Stream Generation)
 Once the vector S is initialized, the input key is no longer used. In this step, the
algorithm swaps each S[i] with another byte in S according to a scheme dictated by the
current configuration of S. After reaching S[255], the process continues, starting from
S[0] again.
// Stream Generation
i = 0; j = 0;
while (true)
{
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap(S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];
}
Figure 2.26 RC4 Algorithm

Encrypt using XOR


 To encrypt, XOR the value k with the next byte of plaintext.
Decrypt using XOR
 To decrypt, XOR the value k with the next byte of ciphertext.
Advantage
 It is faster and more suitable for streaming application

2.18 Key Distribution


Symmetric Key Distribution Using Symmetric Encryption
 In symmetric key encryption, the two parties to an exchange must share the
same key, and that key must be protected from access by others. Key distribution
therefore refers to the means of delivering a key to two parties who wish to
exchange data, without allowing others to see the key.
 For two parties A and B, key distribution can be achieved in a number of ways,
as follows:
1. A can select a key and physically deliver it to B.

2. A third party can select the key and physically deliver it to A and B.

3. If A and B have previously and recently used a key, one party can transmit
the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third-party C, C can deliver
a key on the encrypted links to A and B.

 Physical delivery (1 and 2) is simplest, but it is only applicable when there is personal
contact between recipient and key issuer. This is fine for link encryption, where
devices and keys occur in pairs, but it does not scale as the number of parties who wish to
communicate grows. Option 3 mostly depends on 1 or 2 having occurred first.
 A third party, whom all parties trust, can be used as a trusted intermediary to mediate
the establishment of secure communications between them (4). The parties must trust the
intermediary not to abuse its knowledge of all session keys. As the number of parties
grows, some variant of 4 is the only practical solution to the huge growth in the number of
keys potentially needed.
Key Distribution Centre

 The use of a key distribution center is based on the use of a hierarchy of keys. At a
minimum, two levels of keys are used.
 Communication between end systems is encrypted using a temporary key, often
referred to as a Session key.
 Typically, the session key is used for the duration of a logical connection and then
discarded.
 A master key is shared by the key distribution center and an end system or user and
is used to encrypt the session key.
Key Distribution Scenario
 Let us assume that user A wishes to establish a logical connection with B and
requires a one-time session key to protect the data transmitted over the connection.
A has a master key, Ka, known only to itself and the KDC; similarly, B shares the
master key Kb with the KDC (Figure 2.27). The following steps occur:
Figure 2.27 Key Distribution Scenario
1. A issues a request to the KDC for a session key to protect a logical connection to B.
The message includes the identity of A and B and a unique identifier, N1, for this
transaction, which we refer to as a nonce. The nonce may be a timestamp, a
counter, or a random number; the minimum requirement is that it differs with each
request. Also, to prevent masquerade, it should be difficult for an opponent to guess
the nonce. Thus, a random number is a good choice for a nonce.

2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who
can successfully read the message, and A knows that it originated at the KDC. The
message includes two items intended for A:

 The one-time session key, Ks, to be used for the session

 The original request message, including the nonce, to enable A to match this
response with the appropriate request
Thus, A can verify that its original request was not altered before reception by the
KDC and, because of the nonce, that this is not a replay of some previous request.
In addition, the message includes two items intended for B:
 The one-time session key, Ks to be used for the session

 An identifier of A (e.g., its network address), IDA


These last two items are encrypted with Kb (the master key that the KDC shares
with B). They are to be sent to B to establish the connection and prove A's identity.
3. A stores the session key for use in the upcoming session and forwards to B the
information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this
information is encrypted with Kb, it is protected from eavesdropping. B now knows the
session key (Ks), knows that the other party is A (from IDA), and knows that the
information originated at the KDC (because it is encrypted using Kb).
At this point, a session key has been securely delivered to A and B, and they may
begin their protected exchange. However, two additional steps are desirable:
4. Using the newly minted session key for encryption, B sends a nonce, N2, to A.
5. Also using Ks, A responds with f(N2), where f is a function that performs some
transformation on N2 (e.g., adding one).
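
The five steps above, written out with the messages of all three parties. This is an added example, not part of the original notes: E and D are a stand-in for encryption under a shared key (a hash-based keystream with an HMAC tag, built from the standard library), and the JSON field names and function names are assumptions of this example.

```python
import hashlib, hmac, json, os

def _keys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def E(key, fields):
    """Stand-in for E(K, [...]): keystream encryption plus an integrity tag."""
    k_enc, k_mac = _keys(key)
    body = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _stream(k_enc, nonce, len(body))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    k_enc, k_mac = _keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message was not produced under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(k_enc, nonce, len(ct)))))

MASTER = {"A": os.urandom(32), "B": os.urandom(32)}     # Ka and Kb, as held by the KDC

def kdc_reply(id_a, id_b, n1):
    """Step 2: E(Ka, [Ks || request || N1 || E(Kb, [Ks || IDA])])."""
    ks = os.urandom(16).hex()
    for_b = E(MASTER[id_b], {"Ks": ks, "IDA": id_a}).hex()
    return E(MASTER[id_a], {"Ks": ks, "request": [id_a, id_b, n1], "for_B": for_b})

def a_accept(ka, reply, id_a, id_b, n1):
    """A checks that the reply echoes its own request and nonce."""
    msg = D(ka, reply)
    if msg["request"] != [id_a, id_b, n1]:
        raise ValueError("reply does not match this request (altered or replayed)")
    return bytes.fromhex(msg["Ks"]), bytes.fromhex(msg["for_B"])

def b_accept(kb, forwarded):
    """Step 3 at B: recover Ks and the identity of the peer from E(Kb, [Ks || IDA])."""
    msg = D(kb, forwarded)
    return bytes.fromhex(msg["Ks"]), msg["IDA"]

def run_exchange():
    ka, kb = MASTER["A"], MASTER["B"]
    n1 = os.urandom(8).hex()                              # step 1: IDA, IDB, N1
    reply = kdc_reply("A", "B", n1)                       # step 2
    ks_a, forwarded = a_accept(ka, reply, "A", "B", n1)
    ks_b, peer = b_accept(kb, forwarded)                  # step 3
    n2 = int.from_bytes(os.urandom(4), "big")
    challenge = E(ks_b, {"N2": n2})                       # step 4: B -> A
    response = E(ks_a, {"fN2": D(ks_a, challenge)["N2"] + 1})   # step 5: f adds one
    confirmed = D(ks_b, response)["fN2"] == n2 + 1
    return {"same_key": ks_a == ks_b, "peer": peer, "confirmed": confirmed, "reply": reply}

def replay_is_rejected(old_reply):
    """An earlier KDC reply cannot answer a new request: its nonce does not match."""
    try:
        a_accept(MASTER["A"], old_reply, "A", "B", os.urandom(8).hex())
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    result = run_exchange()
    print(result["same_key"], result["peer"], result["confirmed"],
          replay_is_rejected(result["reply"]))
```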
Session Key Lifetime

 The distribution of session keys delays the start of any exchange and places a
burden on network capacity. A security manager must try to balance these
competing considerations in determining the lifetime of a particular session key.

 For connection-oriented protocols, one obvious choice is to use the same session
key for the length of time that the connection is open, using a new session key
for each new session.
 If a logical connection has a very long lifetime, then it would be prudent to
change the session key periodically, perhaps every time the PDU (protocol data
unit) sequence number cycles.
 For a connectionless protocol, such as a transaction-oriented protocol, there is no
explicit connection initiation or termination.
 Thus, it is not obvious how often one needs to change the session key. The most
secure approach is to use a new session key for each exchange.
 A better strategy is to use a given session key for a certain fixed period only or for a
certain number of transactions.
