
Unit 2

The document discusses block ciphers and the Feistel cipher structure. It describes how a Feistel cipher works by alternating substitutions and permutations over multiple rounds, using a different subkey each round derived from the main key. It also covers considerations for the block size, number of rounds, subkey generation, and round function when designing a Feistel cipher.

Uploaded by

Nithyasri A

12/29/23

Course : 18AIC307T & Cryptography and Network Security
UNIT 2 : Block Ciphers & Symmetric Key Cryptography

Faculty : Ms. NITHYASRI A, Assistant Professor
Department of Artificial Intelligence
MKCE

Introduction

▶ A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.

▶ Many block ciphers have a Feistel structure. Such a structure consists of a number of identical rounds of processing. In each round, a substitution is performed on one half of the data being processed, followed by a permutation that interchanges the two halves. The original key is expanded so that a different key is used for each round.

▶ The Data Encryption Standard (DES) has been the most widely used encryption algorithm until recently. It exhibits the classic Feistel structure. DES uses a 64-bit block and a 56-bit key.

Stream Ciphers and Block Ciphers

▶ A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher.

▶ A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.

▶ Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users share a symmetric encryption key.

Feistel Cipher Structure

▶ Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.

▶ The essence of the approach is to develop a block cipher with a key length of $k$ bits and a block length of $n$ bits, allowing a total of $2^k$ possible transformations, rather than the $2^n!$ transformations available with the ideal block cipher.

▶ In particular, Feistel proposed the use of a cipher that alternates substitutions and permutations, where these terms are defined as follows:

▶ Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements.

▶ Permutation: A sequence of plaintext elements is replaced by a permutation of that sequence. That is, no elements are added or deleted or replaced in the sequence, rather the order in which the elements appear in the sequence is changed.

Diffusion and Confusion

▶ Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of the key.

▶ Diffusion means that if we change a single bit of the plaintext, then (statistically) half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then approximately one half of the plaintext bits should change.

FEISTEL CIPHER STRUCTURE

▶ The inputs to the encryption algorithm are a plaintext block of length $2w$ bits and a key $K$.

▶ The plaintext block is divided into two halves, $L_0$ and $R_0$. The two halves of the data pass through $n$ rounds of processing and then combine to produce the ciphertext block.

▶ Each round $i$ has as inputs $L_{i-1}$ and $R_{i-1}$, derived from the previous round, as well as a subkey $K_i$, derived from the overall $K$.

▶ In general, the subkeys $K_i$ are different from $K$ and from each other.

▶ All rounds have the same structure. A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey $K_i$.

▶ Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data.

The exact realization of a Feistel network depends on the choice of the following parameters and design features:

▶ Block size: Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm. The greater security is achieved by greater diffusion. Traditionally, a block size of 64 bits has been considered a reasonable tradeoff and was nearly universal in block cipher design. However, the new AES uses a 128-bit block size.

▶ Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security. A typical size is 16 rounds.

▶ Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.

▶ Round function: Again, greater complexity generally means greater resistance to cryptanalysis.

There are two other considerations in the design of a Feistel cipher:

▶ Fast software encryption/decryption: The speed of execution of the algorithm becomes a concern.

▶ Ease of analysis: Although we would like to make our algorithm as difficult as possible to cryptanalyze, there is great benefit in making the algorithm easy to analyze. That is, if the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength. DES, for example, does not have an easily analyzed functionality.

Feistel Decryption Algorithm

The process of decryption with a Feistel cipher is essentially the same as the encryption process.

The rule is as follows:

▶ Use the ciphertext as input to the algorithm, but use the subkeys $K_i$ in reverse order.

▶ That is, use $K_n$ in the first round, $K_{n-1}$ in the second round, and so on until $K_1$ is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption.

▶ To see that the same algorithm with a reversed key order produces the correct result, consider the figure, which shows the encryption process going down the left-hand side and the decryption process going up the right-hand side for a 16-round algorithm.

▶ For clarity, we use the notation $LE_i$ and $RE_i$ for data traveling through the encryption algorithm and $LD_i$ and $RD_i$ for data traveling through the decryption algorithm.

▶ The diagram indicates that, at every round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped.

▶ After the last iteration of the encryption process, the two halves of the output are swapped, so that the ciphertext is $RE_{16} \| LE_{16}$. The output of that round is the ciphertext. Now take that ciphertext and use it as input to the same algorithm. The input to the first round is $RE_{16} \| LE_{16}$, which is equal to the 32-bit swap of the output of the sixteenth round of the encryption process.

Figure. Feistel Encryption and Decryption
▶ Observe that the output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process. First, consider the encryption process.

$$LE_{16} = RE_{15}$$
$$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$$

On the decryption side,

$$LD_1 = RD_0 = LE_{16} = RE_{15}$$
$$RD_1 = LD_0 \oplus F(RD_0, K_{16})$$
$$= RE_{16} \oplus F(RE_{15}, K_{16})$$
$$= [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16})$$

Data Encryption Standard

▶ The most widely used encryption scheme is based on the Data Encryption Standard (DES) adopted in 1977 by the National Institute of Standards and Technology (NIST).

▶ The algorithm itself is referred to as the Data Encryption Algorithm (DEA).

▶ For DES, data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms 64-bit input in a series of steps into a 64-bit output. The same steps, with the same key, are used to reverse the encryption.

DES Encryption

▶ As with any encryption scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the key. In this case, the plaintext must be 64 bits in length and the key is 56 bits in length.

▶ Actually, the function expects a 64-bit key as input. However, only 56 of these bits are ever used; the other 8 bits can be used as parity bits or simply set arbitrarily.

▶ We can see that the processing of the plaintext proceeds in three phases.

▶ First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.

▶ This is followed by a phase consisting of 16 rounds of the same function, which involves both permutation and substitution functions.

▶ The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key. The left and right halves of the output are swapped to produce the preoutput.

▶ Finally, the preoutput is passed through a permutation ($IP^{-1}$) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext. With the exception of the initial and final permutations, DES has the exact structure of a Feistel cipher.

▶ The right-hand portion of the figure shows the way in which the 56-bit key is used.

▶ Initially, the key is passed through a permutation function. Then, for each of the 16 rounds, a subkey ($K_i$) is produced by the combination of a left circular shift and a permutation. The permutation function is the same for each round, but a different subkey is produced because of the repeated shifts of the key bits.

DES Decryption

▶ As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed. Additionally, the initial and final permutations are reversed.

The Avalanche Effect

▶ A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext.

▶ In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.

▶ This is referred to as the avalanche effect.

Initial Permutation

▶ The input to a table consists of 64 bits numbered from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits. From this the initial permutation and its inverse are defined.

To see that these two permutation functions are indeed the inverse of each other, consider the following 64-bit input $M$:

where $M_i$ is a binary digit.

Then the permutation $X = IP(M)$ is as follows

If we then take the inverse permutation $Y = IP^{-1}(X) = IP^{-1}(IP(M))$, it can be seen that the original ordering of the bits is restored.
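The inverse relationship between IP and its inverse, carried through in code as an added example that is not part of the original slides. The table is generated from the regular row structure of the standard DES initial permutation, and the function names are illustrative.

```python
def build_ip() -> list:
    """DES initial permutation (IP).

    Entry j (1-based) holds the number of the input bit that is placed
    in output position j.
    """
    table = []
    # First entry of each of the 8 rows; every row then steps down by 8.
    for first in (58, 60, 62, 64, 57, 59, 61, 63):
        table.extend(range(first, 0, -8))
    return table


def is_permutation(table: list) -> bool:
    """A valid table contains each of 1..64 exactly once."""
    return sorted(table) == list(range(1, len(table) + 1))


def invert(table: list) -> list:
    """Derive the inverse table: if input bit i goes to position j, bit j goes back to i."""
    inverse = [0] * len(table)
    for out_pos, in_bit in enumerate(table, start=1):
        inverse[in_bit - 1] = out_pos
    return inverse


def permute(bits: list, table: list) -> list:
    """Apply a permutation table to a sequence of 64 items."""
    if len(bits) != len(table):
        raise ValueError("input length must match the table length")
    return [bits[i - 1] for i in table]


if __name__ == "__main__":
    IP = build_ip()
    IP_INV = invert(IP)
    M = list(range(1, 65))            # label each bit M_1..M_64 by its index
    X = permute(M, IP)                # X = IP(M)
    Y = permute(X, IP_INV)            # Y = IP^-1(IP(M))
    print("first row of IP    :", IP[:8])
    print("first row of IP^-1 :", IP_INV[:8])
    print("original order restored:", Y == M)
```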

Expansion Permutation (E)

Inverse Initial Permutation ($IP^{-1}$)

Permutation Function (P)

Details of Single Round

▶ Figure shows the internal structure of a single round.

▶ Again, begin by focusing on the left-hand side of the diagram. The left and right halves of each 64-bit intermediate value are treated as separate 32-bit quantities, labeled L (left) and R (right).

▶ As in any classic Feistel cipher, the overall processing at each round can be summarized in the following formulas:

$$L_i = R_{i-1}$$
$$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$$
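The round formulas above, together with the Feistel decryption rule (same algorithm, subkeys in reverse order), as an added example that is not part of the original slides. The SHA-256-based round function `F` and key schedule `subkeys` are hypothetical stand-ins chosen so that F is plainly not invertible; this is a toy 16-round network, not DES.

```python
import hashlib

HALF = 4      # w = 32 bits per half, so the block is 2w = 64 bits
ROUNDS = 16   # the typical round count mentioned in the slides


def subkeys(key: bytes, n: int = ROUNDS) -> list:
    """Hypothetical key schedule: K_i = first 8 bytes of SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(1, n + 1)]


def F(right: bytes, k: bytes) -> bytes:
    """Hypothetical round function. It is one-way: decryption never inverts it."""
    return hashlib.sha256(k + right).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_states(block: bytes, ks: list) -> list:
    """Return [(L_0, R_0), (L_1, R_1), ..., (L_n, R_n)] for the given subkey order."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly 64 bits")
    L, R = block[:HALF], block[HALF:]
    states = [(L, R)]
    for k in ks:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        L, R = R, xor(L, F(R, k))
        states.append((L, R))
    return states


def feistel(block: bytes, ks: list) -> bytes:
    L, R = round_states(block, ks)[-1]
    return R + L                      # final swap of the two halves


def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))


def decrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])   # same code, reversed subkeys


def mirror_holds(plaintext: bytes, key: bytes) -> bool:
    """Check LD_i || RD_i == RE_{n-i} || LE_{n-i} at every round i."""
    ks = subkeys(key)
    enc = round_states(plaintext, ks)
    ciphertext = enc[-1][1] + enc[-1][0]
    dec = round_states(ciphertext, ks[::-1])
    n = len(ks)
    return all(dec[i] == (enc[n - i][1], enc[n - i][0]) for i in range(n + 1))


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits, used to observe the avalanche effect."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key = b"constructed demo key"     # constructed sample values
    pt = b"8 bytes!"
    ct = encrypt(pt, key)
    flipped = bytes([pt[0] ^ 1]) + pt[1:]
    print("round trip ok      :", decrypt(ct, key) == pt)
    print("swapped-mirror ok  :", mirror_holds(pt, key))
    print("forward keys fail  :", feistel(ct, subkeys(key)) != pt)
    print("bits changed by one-bit plaintext flip:",
          bit_difference(ct, encrypt(flipped, key)), "of 64")
```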

▶ The round key $K_i$ is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits. The resulting 48 bits are XORed with $K_i$. This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted by the permutation function.

▶ The role of the S-boxes in the function F is illustrated in Figure. The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output.

THE STRENGTH OF DES

The Use of 56-Bit Keys

▶ With a key length of 56 bits, there are $2^{56}$ possible keys, which is approximately $7.2 \times 10^{16}$.

▶ A brute-force attack appears impractical.

▶ Assuming that, on average, half the key space has to be searched, a single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher.

▶ Diffie and Hellman postulated that the technology existed to build a parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond. This would bring the average search time down to about 10 hours.

The Nature of the DES Algorithm

▶ Cryptanalysis is possible by finding and exploiting the characteristics of the DES algorithm.

▶ Learning the S-box logic is complex.

▶ Weaknesses of the S-boxes have not been discovered.

Timing Attacks

▶ A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts.

▶ A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs.

▶ DES appears to be fairly resistant to a successful timing attack.

Block Cipher Design Principles

▶ There are three critical aspects of block cipher design: the number of rounds, design of the function F, and key scheduling.

Number of Rounds

▶ The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F.

▶ In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion was certainly used in the design of DES.

Design of Function F

▶ The heart of a Feistel block cipher is the function F, which provides the element of confusion in a Feistel cipher. Thus, it must be difficult to “unscramble” the substitution performed by F.

▶ F must be nonlinear. The more nonlinear F, the more difficult any type of cryptanalysis will be.

Key Schedule Algorithm

▶ With any Feistel block cipher, the key is used to generate one subkey for each round.

▶ In general, we would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.

Advanced Encryption Standard

▶ The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128 bits.

AES Parameters (in bits)

Key size                128   192   256
Plaintext block size    128   128   128
Number of rounds         10    12    14
Round key size          128   128   128
Expanded key size       176   208   240

Rijndael was designed to have the following characteristics:

▶ Resistance against all known attacks

▶ Speed and code compactness on a wide range of platforms

▶ Design simplicity

▶ The input to the encryption and decryption algorithms is a single 128-bit block; this block is depicted as a square matrix of bytes.

▶ This block is copied into the State array, which is modified at each stage of encryption or decryption.

▶ After the final stage, State is copied to an output matrix.

▶ Similarly, the 128-bit key is depicted as a square matrix of bytes. This key is then expanded into an array.

Figure(a). AES Data Structures

Figure(b). AES Encryption and Decryption

Detailed structure

▶ It is not a Feistel structure. Instead, the entire data block is processed in parallel during each round using substitutions and permutation.

▶ The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four distinct words (128 bits) serve as a round key for each round; these are indicated in Figure(b).

▶ Four different stages are used, one of permutation and three of substitution:

▶ Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block

▶ ShiftRows: A simple permutation

▶ MixColumns: A substitution that makes use of arithmetic

▶ AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key

▶ The structure is quite simple. For both encryption and decryption, the cipher begins with an AddRoundKey stage, followed by nine rounds that each includes all four stages, followed by a tenth round of three stages.

▶ Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends with an AddRoundKey stage.

▶ The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be formidable. The other three stages together provide confusion, diffusion, and nonlinearity. This scheme is both efficient and highly secure.

▶ Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is achieved by XORing the same round key to the block, using the result that $A \oplus B \oplus B = A$.

▶ Once it is established that all four stages are reversible, it is easy to verify that decryption does recover the plaintext. At each horizontal point (e.g., the dashed line in the figure), State is the same for both encryption and decryption.

▶ The final round of both encryption and decryption consists of only three stages. Again, this is a consequence of the particular structure of AES and is required to make the cipher reversible.

Substitute Bytes Transformation

▶ There are two types of substitute bytes operations: the forward substitute byte operation in encryption and the inverse substitute byte operation in decryption.

▶ Uses an S-box to perform byte-by-byte substitution of the block.

▶ AES has a 16×16 matrix of byte values called an S-box. It contains all possible 256 8-bit values.

▶ Each individual byte of State is mapped into a new byte in the following way:

▶ The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value.

▶ Go to the S-box, take the value at that row and column, and replace the value in the input matrix with it.

Ex: in4 = EA (E means 14, A means 10)

So consider the S-box value in the 14th column and 10th row. Let it be s4.

Shift Rows Transformation

Shift row transformations are of two types.

▶ Forward Shift row transformation, which is used in encryption.

▶ Inverse Shift row transformation, which is used in decryption.

FORWARD SHIFT ROW TRANSFORMATION

▶ The first row of the State matrix is not altered.

▶ For the second row, a 1-byte circular left shift is performed.

▶ For the third row, a 2-byte circular left shift is performed.

▶ For the fourth row, a 3-byte circular left shift is performed.

The following is an example of ShiftRows:

INVERSE SHIFT ROWS

▶ Performs the circular shifts in the opposite direction for each of the last three rows, with a one-byte circular right shift for the second row and so on.

MIX COLUMNS TRANSFORMATION

Mix columns transformations are of two types.

▶ Forward Mix columns transformation, which is used in encryption.

▶ Inverse Mix columns transformation, which is used in decryption.

Forward Mix columns transformation

▶ The forward mix columns transformation, called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all 4 bytes in that column. The transformation can be defined by the following matrix multiplication on State.

Inverse Mix columns transformation

▶ The inverse mix column transformation, called InvMixColumns, is defined by the following matrix multiplication:

AddRoundKey Transformation

▶ In the forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key.

▶ The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.

AES Key Expansion

▶ The 128-bit key value can be expanded into 44 words, i.e. 44 × 32 = 1408 bits.

▶ In each round 4 words will be used, i.e. 4 × 32 = 128 bits.

▶ In the initial AddRoundKey, the first 4 words w0, w1, w2, w3 are used.

▶ In the first round, w4, w5, w6, w7 are used, and so on.

The 128-bit key is expanded as follows

▶ First, the 128-bit key is arranged as a 4×4 matrix in which each value is 8 bits in size.

▶ The first 32 bits (k0, k1, k2, k3) are considered as w0.

▶ The next 32 bits (k4, k5, k6, k7) are considered as w1.

▶ The next 32 bits (k8, k9, k10, k11) are considered as w2.

▶ The next 32 bits (k12, k13, k14, k15) are considered as w3.

▶ The next 4 words w4, w5, w6, w7 follow as

$$w_4 = w_0 \oplus w_3$$
$$w_5 = w_1 \oplus w_4$$
$$w_6 = w_2 \oplus w_5$$
$$w_7 = w_3 \oplus w_6$$

Figure. AES Key Expansion

Block Cipher Modes of Operation

▶ A block cipher algorithm is a basic building block for providing data security. To apply a block cipher in a variety of applications, different "modes of operation" have been defined by NIST.

▶ In essence, a mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream.

▶ The modes are intended to cover virtually all the possible applications of encryption for which a block cipher could be used.

Electronic Codebook Mode

▶ The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key (Figure a & b).

▶ The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext.

▶ For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary. Decryption is performed one block at a time, always using the same key. In the figure, the plaintext (padded as necessary) consists of a sequence of b-bit blocks, $P_1, P_2, \ldots, P_N$; the corresponding sequence of ciphertext blocks is $C_1, C_2, \ldots, C_N$.

▶ The ECB method is ideal for a short amount of data, such as an encryption key. Thus, if you want to transmit a DES key securely, ECB is the appropriate mode to use.

▶ The most significant characteristic of ECB is that the same b-bit block of plaintext, if it appears more than once in the message, always produces the same ciphertext.

▶ For lengthy messages, the ECB mode may not be secure.

▶ If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities. For example, if it is known that the message always starts out with certain predefined fields, then the cryptanalyst may have a number of known plaintext-ciphertext pairs to work with. If the message has repetitive elements, with a period of repetition a multiple of b bits, then these elements can be identified by the analyst. This may help in the analysis or may provide an opportunity for substituting or rearranging blocks.

Figure. Electronic Codebook (ECB) Mode

Cipher Block Chaining Mode

▶ To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks.

▶ A simple way to satisfy this requirement is the cipher block chaining (CBC) mode.

▶ In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block.

▶ In effect, we have chained together the processing of the sequence of plaintext blocks.

▶ The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block. Therefore, repeating patterns of b bits are not exposed.

Figure. Cipher Block Chaining (CBC) Mode

▶ For decryption, each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block.

▶ To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext.

▶ On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext. The IV is a data block that is the same size as the cipher block.

▶ The IV must be known to both the sender and receiver but be unpredictable by a third party.

▶ For maximum security, the IV should be protected against unauthorized changes. This could be done by sending the IV using ECB encryption.

▶ Because of the chaining mechanism of CBC, it is an appropriate mode for encrypting messages of length greater than b bits.

▶ CBC mode can be used for authentication.

Cipher Feedback Mode

▶ The DES scheme is essentially a block cipher technique that uses b-bit blocks.

▶ However, it is possible to convert DES into a stream cipher, using either the cipher feedback (CFB) or the output feedback mode.

▶ Figure depicts the CFB scheme. In the figure, it is assumed that the unit of transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext. In this case, rather than units of b bits, the plaintext is divided into segments of s bits.

First, consider encryption.

▶ The input to the encryption function is a b-bit shift register that is initially set to some initialization vector (IV).

▶ The leftmost (most significant) s bits of the output of the encryption function are XORed with the first segment of plaintext $P_1$ to produce the first unit of ciphertext $C_1$, which is then transmitted.

▶ In addition, the contents of the shift register are shifted left by s bits and $C_1$ is placed in the rightmost (least significant) s bits of the shift register.

▶ This process continues until all plaintext units have been encrypted.

For decryption, the same scheme is used,

▶ except that the received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit.

Let $S_s(X)$ be defined as the most significant s bits of $X$. Then

$$C_1 = P_1 \oplus S_s[E(K, IV)]$$

Therefore,

$$P_1 = C_1 \oplus S_s[E(K, IV)]$$

Figure. s-bit Cipher Feedback (CFB) Mode

Output Feedback Mode

▶ The output feedback (OFB) mode is similar in structure to that of CFB, as illustrated in Figure. As can be seen, it is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB the ciphertext unit is fed back to the shift register.

▶ One advantage of the OFB method is that bit errors in transmission do not propagate. For example, if a bit error occurs in $C_1$, only the recovered value of $P_1$ is affected; subsequent plaintext units are not corrupted. With CFB, $C_1$ also serves as input to the shift register and therefore causes additional corruption downstream.

▶ The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB.
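The ECB/CBC repetition behaviour and the CFB/OFB error-propagation behaviour described in the slides above, run on constructed data as an added example that is not part of the original slides. Every mode here uses only the encryption direction, so a keyed HMAC-SHA-256 truncated to b = 64 bits stands in for the block encryption function E(K, X); that stand-in, the fixed IV and all names are assumptions.

```python
import hashlib
import hmac

B = 8   # block size b in bytes (64 bits); CFB/OFB below use s = 8 bits


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E(K, X): a keyed one-way function, NOT a real block cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:B]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    if len(data) % B:
        raise ValueError("pad the message to a multiple of the block size first")
    return [data[i:i + B] for i in range(0, len(data), B)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(E(key, p) for p in blocks(pt))      # each block on its own


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(p, prev))                      # chain in previous ciphertext
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block (the ECB tell-tale)."""
    bl = blocks(ct)
    return len(bl) - len(set(bl))


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    reg, out = iv, bytearray()
    for p in pt:
        c = p ^ E(key, reg)[0]            # leftmost s bits of E(K, register)
        out.append(c)
        reg = reg[1:] + bytes([c])        # shift left by s bits, feed back ciphertext
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    reg, out = iv, bytearray()
    for c in ct:
        out.append(c ^ E(key, reg)[0])
        reg = reg[1:] + bytes([c])        # receiver feeds back the received ciphertext
    return bytes(out)


def ofb_xcrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB encryption and decryption are the same operation."""
    reg, out = iv, bytearray()
    for d in data:
        o = E(key, reg)[0]
        out.append(d ^ o)
        reg = reg[1:] + bytes([o])        # feed back the cipher output, not the ciphertext
    return bytes(out)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single-bit transmission error in one ciphertext unit."""
    damaged = bytearray(data)
    damaged[index] ^= 0x01
    return bytes(damaged)


def damaged_positions(original: bytes, recovered: bytes) -> list:
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]


if __name__ == "__main__":
    key, iv = b"constructed demo key", bytes(range(8))   # fixed IV only for repeatability
    msg = b"HEADER00" + b"AAAAAAAA" * 3 + b"TRAILER0"    # constructed, repetitive
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
    text = b"constructed sample text, 32 byte"
    c_cfb, c_ofb = cfb_encrypt(key, iv, text), ofb_xcrypt(key, iv, text)
    print("CFB units damaged by an error in C1:",
          damaged_positions(text, cfb_decrypt(key, iv, flip_bit(c_cfb, 0))))
    print("OFB units damaged by an error in C1:",
          damaged_positions(text, ofb_xcrypt(key, iv, flip_bit(c_ofb, 0))))
```

With b = 64 and s = 8, the damaged CFB unit stays in the shift register for the next eight units, so the corruption is bounded to units 1 through 9; in OFB only the unit that carried the error is affected.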


Figure. s-bit Output Feedback (OFB) Mode

Counter Mode

▶ In CTR mode, a counter equal to the plaintext block size is used. The only requirement is that the counter value must be different for each plaintext block that is encrypted. Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block. For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is no chaining. For decryption, the same sequence of counter values is used, with each encrypted counter XORed with a ciphertext block to recover the corresponding plaintext block.

Advantages:

1. Hardware efficiency

2. Software efficiency

3. Preprocessing

4. Random access

5. Provable security

6. Simplicity

Figure. Counter (CTR) Mode

Blowfish Encryption Algorithm

▶ Blowfish was designed in 1993 by Bruce Schneier as a fast alternative to existing encryption algorithms such as AES, DES and 3DES.

▶ Blowfish was designed to have the following characteristics:

▶ Fast: Blowfish encrypts data on 32-bit microprocessors at a rate of 18 clock cycles per byte.

▶ Compact: Blowfish can run in less than 5K of memory.

▶ Simple: Blowfish’s simple structure is easy to implement and eases the task of determining the strength of the algorithm.

▶ Variably secure: The key length is variable and can be as long as 448 bits. The default key length is 128 bits.

▶ It is suitable for applications where the key does not change often, like a communication link or an automatic file encryptor.

Subkey and S-box generation

▶ Blowfish makes use of a key that ranges from 32 bits to 448 bits (1 to 14 32-bit words).

▶ That key is used to generate 18 32-bit subkeys and four 8x32 S-boxes containing a total of 1024 32-bit entries. The total is 1042 32-bit values, or 4168 bytes.

The keys are stored in a K-array:

$K_1, K_2, \ldots, K_j, \quad 1 \le j \le 14$

The subkeys are stored in the P-array:

$P_1, P_2, \ldots, P_{18}$

There are four S-boxes each with 256 32-bit entries:

$S_{1,0}, S_{1,1}, \ldots, S_{1,255}$
$S_{2,0}, S_{2,1}, \ldots, S_{2,255}$
$S_{3,0}, S_{3,1}, \ldots, S_{3,255}$
$S_{4,0}, S_{4,1}, \ldots, S_{4,255}$

The steps in generating P-array and S-boxes are as follows:

1. Initialize first the P-array and then the four S-boxes in order using the bits of the fractional part of the constant π. Then the leftmost 32 bits of the fractional part of π become P1, and so on.

P1 = 0x243f6a88, P2 = 0x85a308d3, P3 = 0x13198a2e, P4 = 0x03707344, etc.

2. Perform a bitwise XOR of the P-array and the K-array, reusing words from the K-array as needed. For example, for the maximum length key (14 32-bit words), P1 = P1 ⊕ K1, P2 = P2 ⊕ K2, … P14 = P14 ⊕ K14, P15 = P15 ⊕ K1, … P18 = P18 ⊕ K4.

3. Encrypt the 64-bit block of all zeros using the current P- and S-arrays; replace P1 and P2 with the output of the encryption.

4. Encrypt the output of step 3 using the current P- and S-arrays and replace P3 and P4 with the resulting ciphertext.

5. Continue this procedure to update all elements of P and then, in order, all elements of S, using at each step the output of the continuously changing Blowfish algorithm.

Encryption and Decryption

▶ Blowfish uses two prim itive operations:

Addition: Addition of words, denoted by +.


Bitwise exclusive-OR: The operation is denoted by ⊕ .

▶ The plaintext is divided into two 32-bit halves LE 0


and RE 0 .


INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)

▶ IDEA (International Data Encryption Algorithm) was originally called IPES (Improved Proposed Encryption Standard).

▶ It was developed by Xuejia Lai and James L. Massey of ETH Zurich.

▶ IDEA was designed to be efficient to compute in software. It encrypts a 64-bit block of plaintext into a 64-bit block of ciphertext using a 128-bit key.

▶ It was published in 1991, so cryptanalysts have had time to find weaknesses.

▶ IDEA is similar to DES in some ways.

▶ Both of them operate in rounds, and both have a complicated mangler function that does not have to be reversible in order for decryption to work.

▶ Instead, the mangler function is run in the same direction for encryption as decryption, in both IDEA and DES.

▶ In fact, both DES and IDEA have the property that encryption and decryption are identical except for key expansion.

▶ With DES, the same keys are used in the reverse order.

▶ With IDEA, the encryption and decryption keys are related in a more complex manner.

Primitive Operations

▶ Each primitive operation in IDEA maps two 16-bit quantities into a 16-bit quantity.

▶ IDEA uses three operations, all easy to compute in software, to create a mapping:

▶ ⊕ - XOR,
▶ + - Addition,
▶ Multiplication operation.


▶ It has a total of 17 rounds.

▶ In IDEA, odd rounds accept 4 subkeys.

▶ Even rounds accept 2 subkeys.


Key expansion

▶ The 128-bit key is expanded into 52 16-bit keys, K1, K2, ..., K52.

▶ The key expansion is done differently for encryption than for decryption.

▶ Once the 52 keys are generated, the encryption and decryption operations are the same.

▶ The 52 encryption keys are generated by writing out the 128-bit key and, starting from the left, chopping off 16 bits at a time.

▶ This generates eight 16-bit keys

One Round

▶ It has 17 rounds, where the odd-numbered rounds are different from the even-numbered rounds.

▶ Each round takes as input a 64-bit quantity and treats it as four 16-bit quantities Xa, Xb, Xc, Xd. Mathematical operations are performed on it.

▶ In IDEA, odd rounds accept 4 subkeys.

▶ Even rounds accept 2 subkeys.


Odd round Even Round


CAST-128
▶ It is an encryption algorithm.

▶ It takes a 64-bit plaintext and a 128-bit key as input and produces a 64-bit ciphertext as output. It has 16 rounds.


Description of Algorithm

▶ CAST-128 belongs to the class of encryption algorithms known as Feistel ciphers; overall operation is thus similar to the Data Encryption Standard (DES). The full encryption algorithm is given in the following four steps.

INPUT: plaintext m1...m64; key K = k1...k128.
OUTPUT: ciphertext c1...c64.

1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from K.
2. Split the plaintext into left and right 32-bit halves L0 = m1...m32 and R0 = m33...m64.
3. (16 rounds) For i from 1 to 16, compute Li and Ri as follows: Li = Ri-1; Ri = Li-1 ⊕ f(Ri-1, Kmi, Kri), where f is the round function (f is of Type 1, Type 2, or Type 3, depending on i).
4. c1...c64 <-- (R16,L16). (Exchange final blocks L16, R16 and concatenate to form the ciphertext.)

Decryption is identical to the encryption algorithm given above, except that the rounds (and therefore the subkey pairs) are used in reverse order to compute (L0,R0) from (R16,L16).

Pairs of Round Keys

▶ CAST-128 uses a pair of subkeys per round: a 32-bit quantity "Km" is used as a "masking" key and a 5-bit quantity "Kr" is used as a "rotation" key.


Non-Identical Rounds

Three different round functions are used in CAST-128. The rounds are as follows:

Type 1: I = ((Kmi + D) <<< Kri)
f = ((S1[Ia] ⊕ S2[Ib]) - S3[Ic]) + S4[Id]

Type 2: I = ((Kmi ⊕ D) <<< Kri)
f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ⊕ S4[Id]

Type 3: I = ((Kmi - D) <<< Kri)
f = ((S1[Ia] + S2[Ib]) ⊕ S3[Ic]) - S4[Id]

▶ Here "D" is the data input to the f function and "Ia" - "Id" are the most significant byte through least significant byte of I, respectively.
▶ In all functions, "+" and "-" are addition and subtraction, "⊕" is XOR, and "<<<" is the circular left-shift operation.

Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.
Rounds 2, 5, 8, 11, and 14 use f function Type 2.
Rounds 3, 6, 9, 12, and 15 use f function Type 3.


Substitution Boxes
▶ CAST-128 uses eight substitution boxes: s-boxes S1, S2, S3, and S4 are round function s-boxes; S5, S6, S7, and S8 are key schedule s-boxes.

Figure. Three rounds of the CAST-128 block cipher

Masking Subkeys And Rotate Subkeys

Let Km1, ..., Km16 be 32-bit masking subkeys (one per round).
Let Kr1, ..., Kr16 be 32-bit rotate subkeys (one per round); only the least significant 5 bits are used in each round.

for (i=1; i<=16; i++)
{ Kmi = Ki; Kri = K16+i; }
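The CAST-128 round structure described above, as an added Python example that is not part of the original slides: it implements the three f-function types, the 16 Feistel rounds, and decryption by running the rounds in reverse order. The S-box tables and subkey pairs are constructed stand-ins (the real S1 to S4 and the key schedule are not given on this page), and "+" and "-" are taken modulo 2**32 as in the CAST-128 specification (RFC 2144).

```python
import random

MASK = 0xFFFFFFFF
_rng = random.Random(128)
# Constructed stand-in tables: NOT the real CAST-128 S-boxes S1..S4.
S1, S2, S3, S4 = ([_rng.getrandbits(32) for _ in range(256)] for _ in range(4))
# Constructed subkey pairs (Km_i, Kr_i); the real key schedule is not shown here.
SUBKEYS = [(_rng.getrandbits(32), _rng.getrandbits(5)) for _ in range(16)]

def rotl32(x, r):
    """Circular left shift '<<<' on a 32-bit word; only 5 bits of Kr count."""
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK

def f(i, d, km, kr):
    """Round function for round i: Types 1, 2, 3 repeat (1, 4, 7, ... are Type 1)."""
    kind = (i - 1) % 3 + 1
    if kind == 1:
        I = rotl32((km + d) & MASK, kr)
    elif kind == 2:
        I = rotl32(km ^ d, kr)
    else:
        I = rotl32((km - d) & MASK, kr)
    # Ia..Id: most significant byte through least significant byte of I
    a, b, c, e = S1[I >> 24], S2[(I >> 16) & 0xFF], S3[(I >> 8) & 0xFF], S4[I & 0xFF]
    if kind == 1:
        return (((a ^ b) - c) + e) & MASK
    if kind == 2:
        return (((a - b) + c) & MASK) ^ e
    return ((((a + b) & MASK) ^ c) - e) & MASK

def crypt(block, subkeys=SUBKEYS, decrypt=False):
    """16 Feistel rounds on a 64-bit block; decryption reverses the round order."""
    L, R = block >> 32, block & MASK
    for i in (range(16, 0, -1) if decrypt else range(1, 17)):
        km, kr = subkeys[i - 1]
        L, R = R, L ^ f(i, R, km, kr)            # Li = Ri-1; Ri = Li-1 XOR f(...)
    return (R << 32) | L                         # step 4: output is (R16, L16)

if __name__ == "__main__":
    pt = 0x0123456789ABCDEF                      # constructed plaintext block
    ct = crypt(pt)
    print(f"ct = {ct:016x}, round trip ok: {crypt(ct, decrypt=True) == pt}")
```

The round trip succeeds even though f is never inverted: each round only XORs f's output into one half, so replaying the same f values in reverse order cancels them.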
