CCS Unit-2

The document is a comprehensive outline of Unit 2 of a course on Cryptography and Cybersecurity, focusing on symmetric key cryptography. It covers mathematical foundations, symmetric key ciphers, and various encryption standards including DES and AES, detailing their principles, strengths, and vulnerabilities. Additionally, it discusses key distribution methods and cryptanalysis techniques relevant to symmetric encryption.

lOMoARcPSD|28867284

CCS UNIT 2 - Cryptography and Cybersecurity unit 2

Cryptography and cybersecurity (Anna University)



Downloaded by Varsha R ([email protected])

RAJALAKSHMI INSTITUTE OF TECHNOLOGY
(AN AUTONOMOUS INSTITUTION)
DEPARTMENT OF ELECTRONICS AND COMMUNICATION ENGINEERING
CB3491 – CRYPTOGRAPHY AND CYBER SECURITY (REGULATION-2021)
SEM-05, COMPUTER AND COMMUNICATION ENGINEERING
UNIT – II

Prepared by          Verified by          Approved by

1|P a ge

Department of Electronics and Communication Engineering
CB3491 - CRYPTOGRAPHY AND CYBER SECURITY (Regulation-2021)
UNIT-2: SYMMETRIC KEY CRYPTOGRAPHY
(For V Semester CCE Students)


TOPIC NO.   CONTENTS                                                  PAGE NO.
UNIT-2: SYMMETRIC CIPHERS
2.1      MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY                    7
2.1.1    Algebraic structures                                          7
2.1.2    Modular arithmetic                                            7
2.1.3    Euclid's algorithm                                            8
2.1.4    Congruence and matrices                                      10
2.1.4.1  Congruence                                                   10
2.1.4.2  Matrices                                                     11
2.1.4.3  Determinant                                                  11
2.1.4.4  Groups                                                       12
2.1.4.5  Rings                                                        12
2.1.4.6  Fields                                                       12
2.1.4.7  Finite Fields                                                12
2.2      SYMMETRIC KEY CIPHERS                                        13
2.3      SIMPLIFIED DATA ENCRYPTION STANDARD (S-DES)                  13
2.4      DATA ENCRYPTION STANDARD (DES)                               16
2.5      BLOCK CIPHER PRINCIPLES OF DES                               18
2.5.1    Strength of DES                                              18
2.6      DIFFERENTIAL AND LINEAR CRYPTANALYSIS                        20
2.7      BLOCK CIPHER DESIGN PRINCIPLES                               22
2.8      BLOCK CIPHER MODES OF OPERATION                              22
2.9      ADVANCED ENCRYPTION STANDARD                                 29
2.10     EVALUATION CRITERIA FOR AES                                  34
2.11     RC4 - STREAM CIPHER                                          34
2.12     KEY DISTRIBUTION                                             37


MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY:
Algebraic structures:
Cryptography requires sets of integers and specific operations that are defined for those sets. The
combination of a set and the operations that are applied to the elements of the set is called an algebraic
structure. A related notion used throughout is the Greatest Common Divisor (GCD): the largest integer
that divides both of two integers a and b.
Modular Arithmetic:
Modular arithmetic is a system of arithmetic for integers in which only the remainder of a division
matters. Numbers "wrap around" upon reaching a fixed quantity, the modulus, leaving a remainder in the
range 0 to modulus - 1. When the modulus is a prime number every non-zero residue has a multiplicative
inverse, which is why prime moduli appear so often in cryptography.
Euclid's algorithm:
Euclid's algorithm is an efficient method for computing the greatest common divisor (GCD) of two
integers, the largest number that divides them both without a remainder. It is based on the principle that
the greatest common divisor of two numbers does not change if the larger number is replaced by its
remainder on division by the smaller number. The algorithm never requires more steps than five times
the number of decimal digits of the smaller integer (Lamé's theorem). The Euclidean algorithm has many
theoretical and practical applications: it is used for reducing fractions to their simplest form and, in its
extended form, for computing multiplicative inverses in modular arithmetic. Computations using this
algorithm form part of the cryptographic protocols that secure internet communications, and also of
methods for breaking those cryptosystems by factoring large composite numbers.
Congruence and matrices:
Two integers are congruent modulo n when they leave the same remainder on division by n; the notation
a ≡ b (mod n) records this. The idea extends element by element to matrices: two matrices of the same
size are congruent modulo n when every pair of corresponding elements is congruent modulo n. Matrices
over Zn appear in matrix-based ciphers and in the linear mixing steps of block ciphers.
Groups:
A group is a set of elements together with one binary operation such that the set is closed under the
operation and the operation is associative, has an identity element, and every element has an inverse. If
the operation is also commutative, the group is called abelian. A group with a finite number of elements
is a finite group.
Rings:
A ring is a set of elements with two operations, addition and multiplication: it is an abelian group under
addition, and multiplication is closed, associative and distributive over addition. If multiplication is
also commutative, the ring is a commutative ring; a commutative ring that has a multiplicative identity
and no zero divisors (ab = 0 implies a = 0 or b = 0) is an integral domain.
Fields:
A field is a set of elements with two operations in which the elements form an abelian group under
addition and the non-zero elements form an abelian group under multiplication (so every non-zero
element has a multiplicative inverse), with multiplication distributive over addition.
Finite Fields:
Finite fields, also known as Galois fields, play a key role in cryptography. The number of elements of a
finite field must be a prime power p^n; the field with p^n elements is written GF(p^n). The two
families used in this unit are GF(p), the integers modulo a prime p, and GF(2^n), which AES uses.
Symmetric Key Ciphers: S-DES:
Simplified DES (S-DES) is an educational cipher that keeps the structure of DES while being small
enough to work through by hand; the encryption of a plaintext into a ciphertext is divided into a few
steps so that the process is easy to follow. S-DES is a symmetric block cipher with an 8-bit block size of
plaintext or ciphertext. It uses a 10-bit key, from which two 8-bit subkeys are derived, and it has two
rounds. Its main advantage is that it is extremely simple; for the same reason its 10-bit key can be
searched exhaustively in 1024 trials, so it has no practical security and is used only for study.
Block cipher Principles of DES:
DES is built on the Feistel cipher structure. A block cipher has a specific number of rounds and a set of
round keys (subkeys) for generating ciphertext. For defining the strength of an algorithm, a few design
principles are to be considered.
Number of Rounds – The number of rounds is a regular design criterion: more rounds make the
cipher harder to analyse, at the cost of speed. DES uses 16 rounds; AES uses 10, 12 or 14 rounds
depending on whether the key is 128, 192 or 256 bits long.
Design of function F – The core part of the Feistel block cipher structure is the round function. The
difficulty of cryptanalysis is largely determined by the round function: a more complex (more
non-linear) round function greatly increases the effort needed to attack the cipher.


A good round function also provides the avalanche effect: changing a single bit of the plaintext or the
key should change roughly half of the ciphertext bits, so that small input differences are not visible in
the output.
Key schedule algorithm – In the Feistel block cipher structure, each round uses a different subkey
derived from the main key. A good key schedule makes it hard to deduce the other subkeys (or the main
key) from any individual subkey, and the subkeys should themselves show an avalanche effect with
respect to the key bits. Decryption uses the same round structure with the subkeys applied in reverse
order.
Strength of DES:
The Data Encryption Standard (DES) is a symmetric-key block cipher algorithm based on a Feistel
network. The algorithm uses a 56-bit key to encrypt data in 64-bit blocks.
There are mainly two categories of concerns about the strength of DES:
 Concerns about the particular algorithm used.
 Concerns about the use of a key of size 56 bits.
The first concern, about the algorithm itself, addresses the possibility of cryptanalysis by exploiting
the characteristics of the DES algorithm. The more severe concern is the length of the secret key: a
56-bit key space (about 7.2 x 10^16 keys) can be searched exhaustively with special-purpose hardware,
as the EFF "Deep Crack" machine demonstrated in 1998, so single DES is no longer considered secure.
Differential and linear cryptanalysis:
For most of its life, the prime concern with DES has been its vulnerability to brute-force attack
because of its relatively short (56-bit) key length. However, there has also been interest in finding
cryptanalytic attacks on DES. With the increasing popularity of block ciphers with longer key lengths,
including triple DES, brute-force attacks have become increasingly impractical. Thus, there has been
increased emphasis on cryptanalytic attacks on DES and other symmetric block ciphers. In this section,
we provide a brief overview of the two most powerful and promising approaches: differential
cryptanalysis and linear cryptanalysis.
Differential Cryptanalysis Attack – The differential cryptanalysis attack is complex; [BIHA93] provides
a complete description. The rationale behind differential cryptanalysis is to observe the behavior of
pairs of text blocks evolving along each round of the cipher, instead of observing the evolution of a
single text block. Here, we provide a brief overview so that you can get the flavor of the attack. We
begin with a change in notation for DES. Consider the original plaintext block m to consist of two
halves m0, m1. Each round of DES maps the right-hand input into the left-hand output and sets the
right-hand output to be a function of the left-hand input and the subkey for this round. So, at each
round, only one new 32-bit block is created. If we label each new block mi (2 ≤ i ≤ 17), then the
intermediate message halves are related as follows:
m(i+1) = m(i-1) ⊕ f(mi, Ki),   i = 1, 2, ..., 16
where Ki is the subkey of round i and ⊕ denotes bitwise XOR.
The overall strategy of differential cryptanalysis is based on these considerations for a single round. The
procedure is to begin with two plaintext messages m and m' with a given difference Δm = m ⊕ m' and
trace through a probable pattern of differences after each round to yield a probable difference for the
ciphertext. Actually, there are two probable patterns of differences, one for each 32-bit half:
(Δm17 || Δm16). Next, we submit m and m' for encryption to determine the actual difference under the
unknown key and compare the result to the probable difference. If there is a match,
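As an added example (not part of the original notes), the following Python code tabulates how an input difference propagates through one S-box, which is the single-round building block from which the "probable pattern of differences" is assembled. The S-box used is the S-DES S0 table given later in this unit; the function names and the choice of S0 are the example's own.

```python
# Added example (not from the original notes): the first step of differential
# cryptanalysis is to tabulate, for one S-box, how an input difference
# propagates to an output difference.  Here we do it for the S-DES S-box S0
# (4-bit input, 2-bit output); the same routine works for any S-box table.

# S-DES S-box S0: row = outer bits (b1, b4), column = inner bits (b2, b3).
S0 = [[1, 0, 3, 2],
      [3, 2, 1, 0],
      [0, 2, 1, 3],
      [3, 1, 3, 2]]

def sbox(table, x):
    """Apply an S-DES style 4-in/2-out S-box to the 4-bit integer x."""
    b1, b2, b3, b4 = (x >> 3) & 1, (x >> 2) & 1, (x >> 1) & 1, x & 1
    return table[(b1 << 1) | b4][(b2 << 1) | b3]

def difference_distribution_table(table, in_bits=4, out_bits=2):
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    ddt = [[0] * n_out for _ in range(n_in)]
    for dx in range(n_in):
        for x in range(n_in):
            dy = sbox(table, x) ^ sbox(table, x ^ dx)
            ddt[dx][dy] += 1
    return ddt

def best_differentials(ddt, top=3):
    """Return the (dx, dy, probability) triples with the highest probability,
    ignoring the trivial dx = 0 row.  These high-probability differentials are
    the 'probable patterns of differences' an attacker chains across rounds."""
    n_in = len(ddt)
    cands = [(dx, dy, ddt[dx][dy] / n_in)
             for dx in range(1, n_in) for dy in range(len(ddt[dx]))]
    cands.sort(key=lambda c: c[2], reverse=True)
    return cands[:top]

if __name__ == "__main__":
    ddt = difference_distribution_table(S0)
    print("dx\\dy " + " ".join(f"{dy:>3}" for dy in range(4)))
    for dx, row in enumerate(ddt):
        print(f"{dx:>5} " + " ".join(f"{c:>3}" for c in row))
    for dx, dy, p in best_differentials(ddt):
        print(f"input diff {dx:04b} -> output diff {dy:02b} with probability {p:.3f}")
```

Every row of the table sums to 16 (the number of inputs) and every entry is even, because x and x ⊕ dx always land in the same cell. An ideal S-box would spread each row as flat as possible; any cell well above 16/4 = 4 is a differential the attacker can exploit with probability higher than chance.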

Advanced Encryption Standard & Evaluation criteria for AES:

AES is a subset of the Rijndael block cipher developed by two Belgian cryptographers, Vincent Rijmen
and Joan Daemen, who submitted a proposal to NIST during the AES selection process. Rijndael is a
family of ciphers with different key and block sizes. For AES, NIST selected three members of the
Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256
bits.
AES has been adopted by the U.S. government. It supersedes the Data Encryption Standard (DES),
which was published in 1977. AES is a symmetric-key algorithm, meaning the same key is used for both
encrypting and decrypting the data.
The most popular and widely adopted symmetric encryption algorithm likely to be encountered
nowadays is AES. In software it is found to be at least six times faster than triple DES.


A replacement for DES was needed as its key size was too small. With increasing computing power, it
was considered vulnerable against exhaustive key search attack. Triple DES was designed to overcome
this drawback but it was found slow. The features of AES are as follows:
 Symmetric-key block cipher
 128-bit data block, 128/192/256-bit keys
 Stronger and faster than Triple-DES
 Full specification and design details are public
 Efficiently implementable in software (e.g. C and Java) and in hardware
Operation of AES: AES is an iterative cipher rather than a Feistel cipher. It is based on a
substitution–permutation network: it comprises a series of linked operations, some of which replace
inputs by specific outputs (substitutions) and others of which shuffle bits around (permutations).
AES performs all its computations on bytes rather than bits. Hence, AES treats the 128
bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for
processing as a matrix (the state). Unlike DES, the number of rounds in AES is variable and depends on
the length of the key: AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for
256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated from the
original AES key by the key expansion.
RC4 – Stream cipher and key distribution.
RC4 is a stream cipher with a variable-length key. The algorithm encrypts one byte at a time. The key
is the input to a pseudorandom byte generator that produces a stream of 8-bit values that is
unpredictable without knowledge of the key. The output of the generator, called the key-stream, is
combined one byte at a time with the plaintext using the XOR operation; decryption is the same XOR
with the same key-stream.
Key-Generation Algorithm – A variable-length key of 1 to 256 bytes is used to initialize a 256-byte state
vector S, with elements S[0] to S[255]. For encryption and decryption, a byte k is generated from S by
selecting one of the 256 entries in a systematic fashion, after which the entries of S are permuted again.
RC4 is now considered broken: biases in its key-stream have led to practical attacks, and its use in TLS
is prohibited by RFC 7465. It remains in this unit as the standard example of a stream cipher design.


2.1. MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY:


Cryptography is based on some specific areas of mathematics, including number theory, linear algebra,
and algebraic structures.
2.1.1 Algebraic structures:
The three common algebraic structures are:
1. Groups
2. Rings
3. Fields
2.1.2 Modular arithmetic:
The division relationship (a = q n + r) discussed in the previous section has two inputs (a and n) and
two outputs (q and r). In modular arithmetic, we are interested in only one of the outputs, the
remainder r. We don’t care about the quotient q. In other words, we want to know what is the value of
r when we divide a by n. This implies that we can change the above relation into a binary operator
with two inputs a and n and one output r.
Modulo Operator
The above-mentioned binary operator is called the modulo operator and is shown as mod.
The second input (n) is called the modulus. The output r is called the residue.

Fig 2.1: Division relation and modulo operator


Example: Find 27 mod 5
Solution: We are looking for the residue r. We can divide the a by n and find q and r. We can then
disregard q and keep r. Dividing 27 by 5 results in r = 2. This means that 27 mod 5 = 2.
Modular arithmetic exhibits the following properties:
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) - (b mod n)] mod n = (a - b) mod n
3. [(a mod n) x (b mod n)] mod n = (a x b) mod n
Example – 2.1:
11 mod 8 = 3; 15 mod 8 = 7
[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2      (11 + 15) mod 8 = 26 mod 8 = 2
[(11 mod 8) - (15 mod 8)] mod 8 = -4 mod 8 = 4       (11 - 15) mod 8 = -4 mod 8 = 4
[(11 mod 8) x (15 mod 8)] mod 8 = 21 mod 8 = 5       (11 x 15) mod 8 = 165 mod 8 = 5
Set of Residues: Zn:
The result of the modulo operation with modulus n is always an integer between 0 and n - 1.
In other words, the result of a mod n is always a nonnegative integer less than n. We can say that the
modulo operation creates a set, which in modular arithmetic is referred to as the set of least residues
modulo n, or Zn = {0, 1, 2, ..., n - 1}. However, we need to remember that although we have only one set
of integers (Z), we have infinitely many instances of the set of residues (Zn), one for each value of n.

Fig 2.2: Some Zn sets


2.1.3 Euclid's algorithm:

One integer often needed in cryptography is the greatest common divisor of two positive integers. Two
positive integers may have many common divisors, but only one greatest common divisor. For example,
the common divisors of 24 and 36 are 1, 2, 3, 4, 6 and 12; the greatest common divisor is 12.

Fig 2.3: Greatest Common Divisor (GCD)


Finding the greatest common divisor (gcd) of two positive integers by listing all common divisors is
not practical when the two integers are large. Fortunately, more than 2000 years ago a mathematician
named Euclid developed an algorithm that can find the greatest common divisor of two positive
integers. The Euclidean algorithm is based on the following two facts:
Fact 1: gcd (a, 0) = a
Fact 2: gcd (a, b) = gcd (b, r), where r is the remainder of dividing a by b
Algorithm: (Euclidean algorithm) Computing the greatest common divisor of two integers.
 INPUT: Two non-negative integers a and b with a ≥ b.
 OUTPUT: gcd(a, b).
 While b > 0, do
   Set r = a mod b,
   a = b,
   b = r
 Return a.
The first fact tells us that if the second integer is 0, the greatest common divisor is the first one. The
second fact allows us to change the value of a, b until b becomes 0. For example, to calculate the gcd
(36, 10), we can use the second fact several times and the first fact once, as shown below
gcd (36, 10) = gcd (10, 6) = gcd (6, 4) = gcd (4, 2) = gcd (2, 0) = 2
In other words, gcd (36, 10) = 2, gcd (10, 6) = 2, and so on. This means that instead of calculating gcd
(36, 10), we can find gcd (2, 0).
We use two variables, r1 and r2, to hold the changing values during the process of reduction.
They are initialized to a and b. In each step, we calculate the remainder of r1 divided by r2 and store
the result in the variable r. We then replace r1 by r2 and r2 by r. The steps are continued until r2 becomes
0. At this moment, we stop. The gcd (a, b) is r1. When gcd (a, b) = 1, we say that a and b are relatively
prime.


Fig 2.4: Process of Euclidean algorithm


Example 2.2:
Find the greatest common divisor of 1785 and 546.
Solution:

Fig 2.5: Example for GCD


2.1.3.1 The Extended Euclidean Algorithm:
Given two integers a and b, we often need to find two other integers, s and t, such that:
s x a + t x b = gcd(a, b)
The extended Euclidean algorithm can calculate gcd (a, b) and at the same time calculate the values
of s and t. The extended Euclidean algorithm uses the same number of steps as the Euclidean algorithm.
However, in each step, we use three sets of calculations and exchanges instead of one. The algorithm uses
three sets of variables: r's, s's, and t's. (In the listing below the coefficients are called x and y instead
of s and t; x2, x1 and y2, y1 play the roles of s1, s2 and t1, t2.)
Algorithm: Extended Euclidean algorithm.
INPUT: Two non-negative integers a and b with a ≥ b.
OUTPUT: d = gcd(a, b) and integers x and y satisfying ax + by = d.
 If b = 0 then set d = a, x = 1, y = 0, and return (d, x, y).
 Set x2 = 1, x1 = 0, y2 = 0, y1 = 1
 While b > 0, do
   – q = floor(a/b), r = a - qb, x = x2 - q x1, y = y2 - q y1.
   – a = b, b = r, x2 = x1, x1 = x, y2 = y1, y1 = y.
 Set d = a, x = x2, y = y2, and return (d, x, y).

In each step, r1, r2, and r have the same values as in the Euclidean algorithm. The variables r1 and r2
are initialized to the values of a and b, respectively. The variables s1 and s2 are initialized to 1 and 0,
respectively. The variables t1 and t2 are initialized to 0 and 1, respectively. The calculations of r, s, and t
are similar, with one warning. Although r is the remainder of dividing r1 by r2, there is no such
relationship between the other two sets. There is only one quotient, q = floor(r1 / r2), and it is used for
all three updates: r = r1 - q x r2, s = s1 - q x s2, t = t1 - q x t2.


Fig 2.6: Process of Extended Euclidean Algorithm


Example:
Given a = 161 and b = 28, find gcd (a, b) and the values of s and t.
q     r1     r2     r      s1     s2     s      t1     t2     t
5     161    28     21     1      0      1      0      1      -5
1     28     21     7      0      1      -1     1      -5     6
3     21     7      0      1      -1     4      -5     6      -23
      7      0             -1     4             6      -23
Result: gcd (161, 28) = 7, s = -1, t = 6; check: (-1) x 161 + 6 x 28 = -161 + 168 = 7.

2.1.4 Congruence and matrices:

2.1.4.1 Congruence:
In cryptography, we often use the concept of congruence instead of equality. Mapping
from Z to Zn is not one-to-one. Infinitely many members of Z can map to one member of Zn. For
example, 2 mod 10 = 2, 12 mod 10 = 2, 22 mod 10 = 2, and so on. In modular arithmetic, integers
like 2, 12, and 22 are called congruent mod 10. To show that two integers are congruent, we use the
congruence operator (≡). We add the phrase (mod n) to the right side of the congruence to define
the value of the modulus that makes the relationship valid.

Fig 2.7: Congruence Relationship

2 ≡ 12 (mod 10)    13 ≡ 23 (mod 10)    34 ≡ 24 (mod 10)    -8 ≡ 12 (mod 10)
3 ≡ 8 (mod 5)      8 ≡ 13 (mod 5)      23 ≡ 33 (mod 5)     -8 ≡ 2 (mod 5)
 The congruence operator looks like the equality operator, but there are differences. First, an
equality operator maps a member of Z to itself; the congruence operator maps a member from Z to
a member of Zn. Second, the equality operator is one-to-one; the congruence operator is many-to-
one.
 The phrase (mod n) that we insert at the right-hand side of the congruence operator is just an
indication of the destination set (Zn). We need to add this phrase to show what modulus is used in
the mapping. The symbol mod used here does not have the same meaning as the binary operator. In
other words, the symbol mod in 12 mod 10 is an operator; the phrase (mod 10) in 2 ≡ 12 (mod 10)
means that the destination set is Z10.


2.1.4.2 Matrices:
Definitions: A matrix is a rectangular array of l x m elements, in which l is the number of rows and m
is the number of columns. A matrix is normally denoted with a boldface uppercase letter such as A.
The element aij is located in the ith row and jth column.
If a matrix has only one row (1 x m), it is called a row matrix; if it has only one column
(l x 1), it is called a column matrix. In a square matrix, in which there is the same number of
rows and columns (l = m), the elements a11, a22, ..., amm make the main diagonal. An additive
identity matrix, denoted as 0, is a matrix with all elements set to 0. An identity matrix,
denoted as I, is a square matrix with 1s on the main diagonal and 0s elsewhere.
Operations and Relations
In linear algebra, one relation (equality) and four operations (addition, subtraction, multiplication, and
scalar multiplication) are defined for matrices.
 Equality
Two matrices are equal if they have the same number of rows and columns and the
corresponding elements are equal. In other words, A = B if we have aij = bij for all i’s and j’s.
 Addition and Subtraction
Two matrices can be added if they have the same number of columns and rows. This
addition is shown as C = A + B. In this case, the resulting matrix C has also the same
number of rows and columns as A or B. Each element of C is the sum of the two
corresponding elements of A and B: cij = aij + bij. Subtraction is the same except that each
element of B is subtracted from the corresponding element of A: dij = aij - bij.
 Multiplication
We can multiply two matrices of different sizes if the number of columns of the first matrix
is the same as the number of rows of the second matrix. If A is an l x m matrix and B is an m
x p matrix, the product of the two is a matrix C of size l x p. If each element of matrix A is
called aij and each element of matrix B is called bjk, then each element of matrix C, cik, can be
calculated as:
cik = Σ (j = 1 to m) aij x bjk = ai1 x b1k + ai2 x b2k + ... + aim x bmk
 Scalar Multiplication
We can also multiply a matrix by a number (called a scalar). If A is an l x m matrix and x is a
scalar, C = xA is a matrix of size l x m, in which cij = x . aij.

2.1.4.3 Determinant
The determinant of a square matrix A of size m x m, denoted det (A), is a scalar calculated
recursively as shown below (expansion along any row i):
If m = 1, det (A) = a11
If m > 1, det (A) = Σ (j = 1 to m) (-1)^(i+j) x aij x det (Aij)
where Aij is the (m - 1) x (m - 1) matrix obtained by deleting row i and column j of A.
 Inverses
Matrices have both additive and multiplicative inverses.
 Additive Inverse
The additive inverse of matrix A is another matrix B such that A + B = 0. In other words, we
have bij = -aij for all values of i and j. Normally the additive inverse of A is denoted by -A.
 Multiplicative Inverse
The multiplicative inverse is defined only for square matrices. The multiplicative inverse
of a square matrix A is a square matrix B such that A x B = B x A = I. Normally the
multiplicative inverse of A is denoted by A^-1. The multiplicative inverse exists only
if det (A) has a multiplicative inverse in the set from which the elements are taken. Since only 1 and
-1 have multiplicative inverses in Z, a matrix over Z has an inverse over Z only if det (A) = ±1. Matrices
with real elements have inverses if det (A) ≠ 0, and matrices over Zn (the case used in cryptography)
have inverses exactly when gcd (det (A), n) = 1.
 Congruence

Two matrices are congruent modulo n, written as A ≡ B (mod n), if they have the same
number of rows and columns and all corresponding elements are congruent modulo n. In
other words, A ≡ B (mod n) if aij ≡ bij (mod n) for all i's and j's.
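Added example (not from the original notes) that covers both the Euclidean and extended Euclidean algorithms of sections 2.1.3 and 2.1.3.1 and the matrix material of sections 2.1.4.2 and 2.1.4.3: it reproduces gcd(1785, 546) and the (161, 28) table in the notes' r/s/t notation, then uses the determinant and a modular inverse to invert a matrix modulo n, the operation a matrix cipher such as the Hill cipher needs for decryption. Function names and the 2 x 2 key matrix are the example's own choices.

```python
# Added example (not from the original notes): Euclid, extended Euclid in the
# r1/r2, s1/s2, t1/t2 form of the notes, and their use for inverting a matrix
# modulo n.  A matrix over Z_n is invertible exactly when gcd(det(A), n) = 1,
# so the determinant (cofactor expansion, section 2.1.4.3) and the modular
# inverse (extended Euclid, section 2.1.3.1) are the two ingredients.

def gcd(a: int, b: int) -> int:
    """Euclid: gcd(a, b) = gcd(b, a mod b) until the second argument is 0."""
    while b > 0:
        a, b = b, a % b
    return a

def extended_gcd(a: int, b: int):
    """Return (d, s, t) with s*a + t*b = d = gcd(a, b)."""
    r1, r2, s1, s2, t1, t2 = a, b, 1, 0, 0, 1
    while r2 > 0:
        q = r1 // r2                  # one quotient drives all three updates
        r1, r2 = r2, r1 - q * r2
        s1, s2 = s2, s1 - q * s2
        t1, t2 = t2, t1 - q * t2
    return r1, s1, t1

def mod_inverse(a: int, n: int) -> int:
    """Multiplicative inverse of a in Z_n; raises if gcd(a, n) != 1."""
    d, s, _ = extended_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {d})")
    return s % n

def determinant(A):
    """det(A) by cofactor expansion along the first row."""
    m = len(A)
    if m == 1:
        return A[0][0]
    total = 0
    for j in range(m):
        minor = [row[:j] + row[j + 1:] for row in A[1:]]
        total += (-1) ** j * A[0][j] * determinant(minor)
    return total

def matrix_inverse_mod(A, n: int):
    """A^-1 mod n = det(A)^-1 * adj(A) mod n.  Raises ValueError when det(A)
    has no inverse in Z_n, i.e. when A is not invertible modulo n."""
    m = len(A)
    det_inv = mod_inverse(determinant(A), n)
    adj = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]
            cofactor = (-1) ** (i + j) * determinant(minor) if m > 1 else 1
            adj[j][i] = cofactor      # adjugate = transposed cofactor matrix
    return [[(det_inv * adj[i][j]) % n for j in range(m)] for i in range(m)]

def matmul_mod(A, B, n: int):
    """(A x B) mod n using c_ik = sum over j of a_ij * b_jk."""
    return [[sum(A[i][j] * B[j][k] for j in range(len(B))) % n
             for k in range(len(B[0]))] for i in range(len(A))]

if __name__ == "__main__":
    print(gcd(1785, 546))              # 21 (Example 2.2)
    print(extended_gcd(161, 28))       # (7, -1, 6): 161*(-1) + 28*6 = 7
    K = [[3, 3], [2, 5]]               # example key matrix: det = 9, gcd(9, 26) = 1
    K_inv = matrix_inverse_mod(K, 26)
    print(K_inv, matmul_mod(K, K_inv, 26))   # [[15, 17], [20, 9]], identity
```

The ValueError path is the practical check: a key matrix whose determinant shares a factor with the modulus (for example det = -2 with n = 26) cannot be inverted, so ciphertext produced with it cannot be decrypted even by the legitimate receiver.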

2.1.4.4 Groups:
⚫ Fundamental elements of modern algebra.
GROUPS: {G, .}
• A group is a set of elements or "numbers" together with a binary operation, denoted by . (dot).
• The elements of a group obey the following properties:
• A1: Closure: if a and b belong to G, then a . b is also in G.
• A2: Associative law: (a . b) . c = a . (b . c).
• A3: Identity element: there is an e in G with e . a = a . e = a for all a.
• A4: Inverse element: for each a in G there is an a^-1 in G with a . a^-1 = a^-1 . a = e.
• A5: Commutative: a . b = b . a. A group that also satisfies A5 is an abelian group.
• Finite group: a group that contains a finite number of elements; otherwise the group is infinite.
• Order of a group: the number of elements in a finite group.
• CYCLIC GROUP: a group is cyclic if every element of G is a power a^k of a single element a
(the generator), where k is an integer. Exponentiation means repeated application of the operation,
e.g. a^3 = a . a . a.

2.1.4.5 Rings:
• A set of "numbers" with two binary operations, addition and multiplication: {R, +, x}
• R is an abelian group under addition (+), satisfying A1-A5 with identity 0 and inverse -a.
• Multiplication properties:
– M1: Closure: if a, b ∈ R, then a . b is also in R.
– M2: Associative: a(bc) = (ab)c.
– M3: Distributive over addition: a(b + c) = ab + ac and (a + b)c = ac + bc.
– M4: If multiplication is commutative (ab = ba), R is a commutative ring.
– M5: Multiplicative identity: a . 1 = 1 . a = a.
– M6: No zero divisors: if ab = 0, then a = 0 or b = 0.
• A commutative ring that also satisfies M5 and M6 is an integral domain.

2.1.4.6 Field {F, +, x}:
• A set of elements with two binary operations, addition and multiplication.
• The following axioms are obeyed:
• A1: Closure under addition: if a and b belong to F, then a + b is also in F.
• A2: Associative law: (a + b) + c = a + (b + c).
• A3: Additive identity 0: 0 + a = a + 0 = a.
• A4: Additive inverse -a: a + (-a) = 0.
• A5: Commutative: a + b = b + a.
• M1: Closure under multiplication: if a, b ∈ F, then a . b is also in F.
• M2: Associative: a(bc) = (ab)c.
• M3: Distributive over addition: a(b + c) = ab + ac.
• M4: Commutative multiplication: ab = ba.
• M5: Multiplicative identity: a . 1 = 1 . a = a.
• M6: No zero divisors: if ab = 0, then a = 0 or b = 0.
• M7: Multiplicative inverse: for every a ≠ 0 there is an a^-1 with a a^-1 = a^-1 a = 1.
• In other words, a field is an integral domain in which every non-zero element has a multiplicative
inverse, so division by any non-zero element is always possible. The rational, real and complex
numbers are fields; the integers Z are not, because only 1 and -1 have inverses.
2.1.4.7 Finite fields:
• A field is a set of elements with two custom-defined arithmetic operations, most
commonly called addition and multiplication.
• A field is called finite if it has a finite number of elements. Finite fields are also known as
Galois fields. The order (number of elements) of a finite field must be a power of a prime, p^n,
and the field of order p^n is denoted GF(p^n).
• The finite fields most commonly used in cryptography are:
• GF(p), with p a prime number
• GF(2^n)
• GF(p) is the set of integers {0, 1, ..., p - 1} with arithmetic operations modulo the prime p,
and these form a finite field.
• Since every non-zero element has a multiplicative inverse, the arithmetic is "well-behaved": we can
do addition, subtraction, multiplication, and division without leaving the field GF(p).
• Zn for composite n is not a field: an element a has an inverse only when gcd (a, n) = 1.

Fig 2.8 Multiplication of modulo 7
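Added example (not from the original notes): arithmetic in GF(p) and in GF(2^8) in Python. The GF(2^8) part uses the AES field polynomial x^8 + x^4 + x^3 + x + 1, and the check values {57} x {83} = {c1} and {53}^-1 = {ca} are the worked examples from the AES specification (FIPS-197). Function names are the example's own.

```python
# Added example (not from the original notes): arithmetic in the two finite
# fields named above.  GF(p) is the integers mod a prime p, where every
# non-zero element has an inverse; GF(2^8) is bytes treated as polynomials
# over GF(2) reduced modulo the irreducible polynomial x^8+x^4+x^3+x+1
# (0x11B), the representation AES uses for its byte operations.

def gf_p_inverse(a: int, p: int) -> int:
    """Inverse in GF(p) via Fermat: a^(p-2) mod p (p prime, a != 0)."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no inverse in GF(p)")
    return pow(a, p - 2, p)

def gf_p_div(a: int, b: int, p: int) -> int:
    """a / b in GF(p) = a * b^-1 mod p: division never leaves the field."""
    return (a * gf_p_inverse(b, p)) % p

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1

def gf2n_mul(a: int, b: int, poly: int = AES_POLY, n: int = 8) -> int:
    """Multiply in GF(2^n): shift-and-add ('Russian peasant') multiplication,
    reducing by the field polynomial whenever the degree reaches n."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^n) is XOR
        b >>= 1
        a <<= 1                  # multiply a by x
        if a >> n:
            a ^= poly            # reduce modulo the field polynomial
    return result

def gf2n_inverse(a: int, poly: int = AES_POLY, n: int = 8) -> int:
    """Inverse in GF(2^n) as a^(2^n - 2); this is the inversion step inside
    the AES S-box."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^n)")
    result, base, exp = 1, a, (1 << n) - 2
    while exp:
        if exp & 1:
            result = gf2n_mul(result, base, poly, n)
        base = gf2n_mul(base, base, poly, n)
        exp >>= 1
    return result

def multiplication_table(p: int):
    """The mod-p multiplication table; Fig 2.8 in the notes is the p = 7 case."""
    return [[(i * j) % p for j in range(p)] for i in range(p)]

if __name__ == "__main__":
    print(gf_p_div(3, 5, 7))             # 3 * 5^-1 = 3 * 3 = 9 mod 7 = 2
    print(hex(gf2n_mul(0x57, 0x83)))     # 0xc1, the FIPS-197 worked example
    print(hex(gf2n_inverse(0x53)))       # 0xca, since 0x53 * 0xca = 1
    for row in multiplication_table(7):
        print(" ".join(str(v) for v in row))
```

Note that every row of the mod-7 table other than row 0 contains a 1, which is the field property (every non-zero element has an inverse); the same table built for a composite modulus such as 8 would have rows (2, 4, 6) with no 1 in them.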


2.2 SYMMETRIC KEY CIPHERS:
Symmetric ciphers use the same cryptographic keys for both encryption of plaintext and decryption of
ciphertext. They are faster than asymmetric ciphers and allow encrypting large sets of data. However,
they require sophisticated mechanisms to securely distribute the secret keys to both parties.
Definition: A symmetric cipher defined over (K, M, C), where:
 K - the set of all possible keys,
 M - the set of all possible messages,
 C - the set of all possible ciphertexts,
has a pair of efficient algorithms (E, D), where:
 E: K × M -> C
 D: K × C -> M
such that for every m belonging to M and every k belonging to K the following equality holds:
 D (k, E (k, m)) = m (the consistency rule).
There are two kinds of symmetric ciphers:
 stream ciphers and
 block ciphers
Stream ciphers:
Stream ciphers use one secret key bit (or byte) at a time, and use it to encrypt a corresponding bit (or
byte) of input data.
Block ciphers:
Block ciphers work on larger fragments of data (called blocks) at a time, by encrypting data blocks
one by one.

2.3 SIMPLIFIED DATA ENCRYPTION STANDARD (S-DES):

The S-DES encryption algorithm takes an 8-bit block of plaintext (example: 10111101) and a 10-bit key
as input and produces an 8-bit block of ciphertext as output. The S-DES decryption algorithm takes an
8-bit block of ciphertext and the same 10-bit key used to produce that ciphertext as input and produces
the original 8-bit block of plaintext.
The encryption algorithm involves five functions:
1. An initial permutation (IP);
2. A complex function labeled fk, which involves both permutation and substitution operations
and depends on a key input;
3. A simple permutation function that switches (SW) the two halves of the data;
4. The function fk again; and
5. A permutation function that is the inverse of the initial permutation (IP^-1).


Fig: 2.9 Simple DES Structure

Fig2.10: SDES Encryption


• S-DES depends on the use of a 10-bit key shared between sender and receiver.
• Two 8-bit subkeys are produced for use in particular stages of the encryption and
decryption algorithm.
Simplified DES - Key Generation
• P10 Permutation:
• P10(in-order) = k1, k2, k3, k4, k5, k6, k7, k8, k9, k10 (1010000010)
• P10(out-order) = k3, k5, k2, k7, k4, k10, k1, k9, k8, k6 (1000001100)
• Split the permuted key into two five-bit halves and circular left shift each half by 1 (LS-1).
• Input = 10000 01100 Output = 00001 11000
• P8 Permutation - selects and permutes 8 of the 10 bits: P8(out-order) = k6, k3, k7, k4, k8, k5, k10, k9


• Result is Sub-key K1 = 10100100

• To get sub-key K2:
• Take the output of the LS-1 step above and circular left shift each half by a further 2 (LS-2)
• Input = 00001 11000 Output = 00100 00011
• Apply P8 to this value to produce K2
• K2 = 01000011
• This completes the generation of K1 and K2
• Two permutation functions (initial IP, and final IP^-1), where
• IP^-1 is the inverse of IP; that is IP^-1(IP(X)) = X.
• Two permutation/substitution functions fk, each using one sub-key,
• operating on the left (L) and right (R) data elements. That is:
fk(L, R) = (L ⊕ F(R, SK), R)
• where SK is a sub-key and ⊕ is the bit-by-bit Exclusive OR.
• One switch function SW that interchanges the left and right 4 bits,
• so the second instance of fk operates on a different set of bits.

Fig 2.11: SDES Key generation


Function fk:
 Assume output of the IP stage is = 10111101
 Then L, R = 1011, 1101
 And fk(L,R) = (L  F(R, SK), R)
 So fk(1011, 1101) = (1011  F(R, SK), 1101)
 Now assume F(R, SK) = F(1101, SK) for some sub-key = 1110 (this value will
change depending on the sub-key).
 Then: fk(1011, 1101) = (1011  1110, 1101) = 0101, 1101
 Next we need to describe the complex function F(R,SK).
Parts of function F(R,SK):
 The 4-bit R is first expanded and permuted to 8 bits (E/P) and XORed with the 8-bit sub-key SK. Rename the resulting 8 bits as two rows:
 Row 1: p0,0 | p0,1 p0,2 | p0,3
 Row 2: p1,0 | p1,1 p1,2 | p1,3
 The first 4 bits (row 1) are the input to S-box S0, and the second row is the input to S-box S1. In each row the outer two bits select the S-box row and the inner two bits select the column, giving a 2-bit output from each S-box, as follows:

S0:            S1:
     0  1  2  3       0  1  2  3
  0  1  0  3  2    0  0  1  2  3
  1  3  2  1  0    1  2  0  1  3
  2  0  2  1  3    2  3  0  1  0
  3  3  1  3  2    3  2  1  0  3
 P4 Permutation: takes the 2-bit output of S0 and the 2-bit output of S1 (4 bits in total).
 The P4 output is F(R,SK); XORing it with L gives the left half of the fk output, as defined above.
 Switch function: interchanges the left and right halves so that the second instance of fk, using the second key, operates on different data.
 The second instance of fk operates in the same way as the first, using the K2 sub-key and the switched input.
 Decryption uses all the same functions run backwards, i.e. with the sub-keys applied in reverse order.
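The S-DES key schedule, fk and F described above, as an added Python example (not code from the original notes). It reproduces the hand-worked values in the text (P10 output 1000001100, K1 = 10100100, K2 = 01000011) and then runs the complete two-round cipher. The IP, IP^-1, E/P and P4 tables are the standard S-DES tables, which the notes refer to but do not list here; the test plaintext 10010111 is a constructed input.

```python
# Simplified DES (S-DES), added as a worked example for the notes above.
# Bits are kept as '0'/'1' strings so every intermediate value can be compared
# with the hand-worked values in the text.

# Standard S-DES tables (1-indexed bit positions).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)      # expansion/permutation: 4 bits -> 8 bits
P4 = (2, 4, 3, 1)

# S-boxes as tabulated in the notes: outer bits select the row, inner bits the column.
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits, table):
    """Apply a 1-indexed permutation/selection table to a bit string."""
    return "".join(bits[i - 1] for i in table)


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def rotate_left(half, n):
    return half[n:] + half[:n]


def key_schedule(key10):
    """Derive the two 8-bit sub-keys K1 and K2 from the 10-bit key."""
    if len(key10) != 10:
        raise ValueError("S-DES key must be 10 bits")
    permuted = permute(key10, P10)                  # P10
    left, right = permuted[:5], permuted[5:]        # split into two 5-bit halves
    left, right = rotate_left(left, 1), rotate_left(right, 1)   # LS-1
    k1 = permute(left + right, P8)                  # P8 -> K1
    left, right = rotate_left(left, 2), rotate_left(right, 2)   # LS-2 (on the shifted halves)
    k2 = permute(left + right, P8)                  # P8 -> K2
    return k1, k2


def sbox_lookup(box, four_bits):
    row = int(four_bits[0] + four_bits[3], 2)       # outer two bits
    col = int(four_bits[1] + four_bits[2], 2)       # inner two bits
    return format(box[row][col], "02b")


def F(right, subkey):
    """The complex function F(R, SK): E/P, XOR with sub-key, S0/S1, P4."""
    expanded = xor(permute(right, EP), subkey)
    out = sbox_lookup(S0, expanded[:4]) + sbox_lookup(S1, expanded[4:])
    return permute(out, P4)


def fk(left, right, subkey):
    """fk(L, R) = (L XOR F(R, SK), R)."""
    return xor(left, F(right, subkey)), right


def sdes(block8, k_first, k_second):
    bits = permute(block8, IP)
    left, right = fk(bits[:4], bits[4:], k_first)
    left, right = right, left                       # SW
    left, right = fk(left, right, k_second)
    return permute(left + right, IP_INV)


def encrypt(plain8, key10):
    k1, k2 = key_schedule(key10)
    return sdes(plain8,  k1, k2)


def decrypt(cipher8, key10):
    # Same functions run backwards: K2 is used in the first round, K1 in the second.
    k1, k2 = key_schedule(key10)
    return sdes(cipher8, k2, k1)


if __name__ == "__main__":
    key = "1010000010"                              # the key used in the notes
    print("K1, K2 =", key_schedule(key))
    c = encrypt("10010111", key)                    # constructed sample plaintext
    print("ciphertext", c, "-> plaintext", decrypt(c, key))
```

With the key from the notes the two sub-keys come out exactly as the text derives them, and decrypting with the sub-keys swapped recovers the plaintext for every one of the 256 possible blocks, which is the "same functions run backwards" property.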
2.4 DATA ENCRYPTION STANDARD (DES):
The Data Encryption Standard (DES) is a symmetric-key block cipher published by
the National Institute of Standards and Technology (NIST).
The left side of Fig 2.12 shows the basic process for enciphering a 64-bit data block, which consists of:
 an initial permutation (IP) which shuffles the 64-bit input block
 16 rounds of a complex key-dependent round function involving substitutions and permutations
 a final permutation, being the inverse of IP
The right side shows the handling of the 56-bit key and consists of:
 an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves.
Fig 2.12: General Depiction of DES Encryption Algorithm
2.4.1 Initial Permutation:
The plaintext block undergoes an initial permutation. 64 bits of the block are permuted.
Fig 2.13: Initial Permutation
2.4.2 A Complex Transformation:
The 64-bit permuted block undergoes 16 rounds of complex transformation (using sub-keys).
32-bit swap:
The 32-bit left and right halves of the output of the 16th round are swapped.
Inverse Initial Permutation (IP^-1):
The 64-bit output undergoes a permutation that is the inverse of the initial permutation. The 64-bit output is the ciphertext.
Fig 2.14: Initial Permutation and Final Permutation
2.4.3 Details of function F:
The 32-bit input is expanded into 48 bits by permuting and duplicating some of the 32 bits. An Exclusive OR operation is then performed between these 48 bits and the 48-bit sub-key.
Fig 2.15: Single Round of DES algorithm
Details of S-box:
The 48-bit output of the Exclusive OR operation is grouped into 8 groups of 6 bits each. Each 6-
bit group is fed into a 6-to-4 substitution box that transforms 6 bits to 4 bits.
Fig 2.16: Calculation of s-box(48→32 bits)
2.5 Block cipher principles of DES:
 Nonlinear S-Boxes: Resistant to linear cryptanalysis.
 Linear approximations between input and output bits of the S- boxes should have minimal bias
P ≈ ½.
 S-Boxes resistant to differential cryptanalysis.
 All (Input bit difference, output bit difference) pairs should be equally likely.
 Any output bit should change with probability ½ when any input bit is changed (strict
avalanche criterion)
 Output bits j and k should change independently when any input bit i is inverted for all i, j, k
(bit independence criterion).
 Permutation: Adjacent bits should affect different S-Boxes in the next round ⇒ increased diffusion.
 More rounds are better (but also more computation).
2.5.1 Strength of DES:
1. Use of a 56-bit key:
a. 70 quadrillion possible key values.
b. Brute-force attack is impractical.
c. As the key length increases, security increases.
2. The nature of the DES algorithm:
a. No one has yet discovered any weakness in the S-boxes.
b. The S-box design criteria and the design of the entire algorithm were not made public.
3. Timing attacks:
a. Information about the key or plaintext may be obtained by observing how long decryption takes.
b. These have failed against DES, since different inputs take different times.
2.5.2 Avalanche Effect:
 A key desirable property of an encryption algorithm.
 A change of one input or key bit results in changing approximately half of the output bits (diffusion).
 This makes attempts to “home in” by guessing keys impossible.
 DES exhibits a strong avalanche effect.
2.5.3 DES weaknesses:
 Symmetric key: the key may be intercepted.
 Linear and differential cryptanalysis attacks are possible.
 Some initial keys produce only 2 or 4 distinct sub-keys; these are called weak keys.
2.5.4 Double and Triple DES:
Double DES:
The simplest form of multiple encryptions has two encryption stages and two keys - Double-DES.
 Two DES encryptions are applied to each block:
 C = E(K2, E(K1, P)) → 112-bit key
 P = D(K1, D(K2, C))
There was concern that a single key might be equivalent to using two keys as above; this is not likely, but it was only finally proved impossible in 1992. More serious is the “meet-in-the-middle” attack, first described by Diffie in 1977. It is a known-plaintext attack (i.e., the attacker has a known pair (P, C)) and attempts to find by trial and error a value X in the “middle” of the double-DES encryption of this pair; the chances of this are much better, at O(2^56), than exhaustive search at O(2^112).
Fig 2.17: Double DES Encryption and Decryption
2.5.5 Triple DES:
Triple-DES with two keys is a popular alternative to single DES, but suffers from being 3 times slower to run. Using a decryption stage in the middle is cryptographically equivalent to using an encryption stage, but the chosen structure allows for compatibility with single-DES implementations. 3DES with two keys has been adopted for use in the key management standards ANS X9.17 and ISO 8732. Currently, there are no practical cryptanalytic attacks on 3DES. Coppersmith notes that the cost of a brute-force key search on 3DES is on the order of 2^112 (≈ 5×10^33) and estimates that the cost of differential cryptanalysis suffers an exponential growth, compared to single DES, exceeding 10^52. There are several proposed attacks on 3DES that, although not currently practical, give a flavor for the types of attacks that have been considered and that could form the basis for more successful future attacks.
Fig 2.18: Triple DES Encryption and Decryption with 3 keys
Although the attacks currently known appear impractical, anyone using two-key 3DES may feel
some concern. Thus, many researchers now feel that three-key 3DES is the preferred alternative.
 Two-key: key length = 56*2 = 112 bits
 Three-key: key length = 56*3 = 168 bits (slow)
We can use Triple-DES with three keys to avoid even the impractical attacks:
 C = EK3(DK2(EK1(P)))
A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME.
2.6 Differential and Linear Cryptanalysis:
Differential cryptanalysis can be successfully used to cryptanalyze DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. Although 2^47 is certainly significantly less than 2^55, the need for the adversary to find 2^47 chosen plaintexts makes this attack of only theoretical interest. Its discoverers (Biham and Shamir) also demonstrated this form of attack on a variety of encryption algorithms and hash functions.
Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as the "T attack"), and influenced the design of the S-boxes and the permutation P to improve DES's resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts.
 Takes inputs with known difference (XOR)
 Predicts XOR of corresponding outputs, based on structure of cipher
 When input pair – output pair are found that have the predicted differences, assume internal
states follow predictions also
 Work backwards to find subkeys that would produce observed pairs, each gets a vote
 Most popular subkeys collected
 Bits that agree amongst subkeys are “known”
 A function f is linear if f(x+y) = f(x) + f(y)
 A cipher is linear if given any two inputs p1 and p2, and their corresponding outputs c1 and
c2, we have c1 XOR c2 = p1 XOR p2.
 Onetime pad is linear: E(p1+p2) = E(p1)+E(p2)
 DES is not linear (and neither are S-boxes)
 Non-linearity and effect of (sub-) key on output suggests that information about the (sub-)
key can be discovered by examining the relationship between input deltas and output deltas.
The overall strategy of differential cryptanalysis is based on these considerations for a single round. The procedure is to begin with two plaintext messages m and m' with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the ciphertext. You submit m and m' for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. If there is a match, then suspect that all the probable patterns at all the intermediate rounds are correct. With that assumption, one can make some deductions about the key bits. This procedure must be repeated many times to determine all the key bits.
The diagram below illustrates the propagation of differences through three rounds of DES.
The probabilities shown on the right refer to the probability that a given set of intermediate
differences will appear as a function of the input differences. Overall, after three rounds the
probability that the output difference is as shown is equal to 0.25*1*0.25=0.0625. Since the output
difference is the same as the input, these 3 round patterns can be iterated over a larger number of
rounds, with probabilities multiplying to be successively smaller.
Differential cryptanalysis performs the attack by repeatedly encrypting plaintext pairs with a known input XOR until the desired output XOR is obtained. An attack on full DES requires an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts to be encrypted, together with a considerable amount of analysis; in practice exhaustive search is still easier, even though up to 2^55 encryptions are required for it.
Fig 2.19: Differential Cryptanalysis
2.6.1 Linear Cryptanalysis:
A more recent development is linear cryptanalysis. This attack is based on finding linear
approximations to describe the transformations performed in DES. This method can find a DES key
given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis.
Although this is a minor improvement, because it may be easier to acquire known plaintext rather
than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES. Again, this
attack uses structure not seen before. So far, little work has been done by other groups to validate the
linear cryptanalytic approach.
• The aim is to find linear approximations, holding with probability p ≠ ½, of the form
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where the ia, jb, kc are bit locations in P, C and K.
The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5, as shown. Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of information about them. This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined.
 Bits in the plaintext, ciphertext and key may have a linear relationship. For example:
 P1 ⊕ P2 ⊕ C3 = K2 ⊕ K5
 In a good cipher, the relationship should hold with probability ½. If any relationship has probability 1, the cipher is easy to break. If any relationship has probability 0, the cipher is easy to break.
 Bias = |Probability of linear relationship − 0.5|
 Find the linear approximation with the highest bias; it helps to reduce the brute-force search effort.
 This method can be used to find the DES key given 2^43 known plaintexts.
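The S-box design criteria from 2.5 (linear approximations with minimal bias, evenly distributed input/output difference pairs) and the bias definition above, computed for a concrete S-box, as an added Python example that is not part of the original notes. It takes the S-DES S-box S0 tabulated in the S-DES section and, by exhaustive evaluation over all 16 inputs, builds the linear approximation biases and the difference distribution table. This shows how far a toy 4-to-2 S-box is from the criteria: the best linear approximation has bias 6/16, and input difference 0110 gives output difference 11 in 12 of the 16 cases. The functions accept any S-box given as a function on integers, so the same check can be run on other boxes.

```python
# Linear-approximation bias and difference distribution of an S-box.
# Added example (not from the notes); the S0 table is the S-DES S0 from the
# notes, with the outer two input bits selecting the row and the inner two the column.
from itertools import product

S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))


def sbox_s0(x):
    """Evaluate S0 on a 4-bit integer x = b3 b2 b1 b0 (b3 is the first input bit)."""
    row = (((x >> 3) & 1) << 1) | (x & 1)
    col = (x >> 1) & 3
    return S0[row][col]


def parity(v):
    """XOR of the bits of v (the 'sum' of the bits selected by a mask)."""
    return bin(v).count("1") & 1


def linear_bias(in_mask, out_mask, f=sbox_s0, n_in=4):
    """Bias = |P[<in_mask, x> = <out_mask, f(x)>] - 1/2| over all 2^n_in inputs.
    This is the quantity the notes call the bias of a linear relationship."""
    hits = sum(parity(x & in_mask) == parity(f(x) & out_mask) for x in range(1 << n_in))
    return abs(hits / (1 << n_in) - 0.5)


def best_linear_approximation(f=sbox_s0, n_in=4, n_out=2):
    """(bias, in_mask, out_mask) with the largest bias over all non-zero output masks:
    the relation a linear attack would build on. A good S-box keeps this small."""
    return max((linear_bias(a, b, f, n_in), a, b)
               for a in range(1 << n_in) for b in range(1, 1 << n_out))


def differential_table(f=sbox_s0, n_in=4, n_out=2):
    """table[dx][dy] = number of inputs x with f(x) XOR f(x XOR dx) = dy.
    If all (dx, dy) pairs were equally likely, every cell of every non-zero row
    would hold 2^n_in / 2^n_out; large cells are what differential cryptanalysis uses."""
    table = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for x, dx in product(range(1 << n_in), repeat=2):
        table[dx][f(x) ^ f(x ^ dx)] += 1
    return table


def max_differential(f=sbox_s0, n_in=4, n_out=2):
    """Largest cell outside the trivial dx = 0 row, as (count, dx, dy)."""
    table = differential_table(f, n_in, n_out)
    return max((table[dx][dy], dx, dy)
               for dx in range(1, 1 << n_in) for dy in range(1 << n_out))


if __name__ == "__main__":
    print("best linear approximation (bias, in_mask, out_mask):", best_linear_approximation())
    for dx, row in enumerate(differential_table()):
        print(f"dx={dx:04b}: {row}")
    print("largest differential (count, dx, dy):", max_differential())
```

The ideal values the notes describe would be a bias close to 0 for every mask pair and a count of 4 in every cell of the non-zero rows; the toy S-box reaches neither, which is why DES uses larger 6-to-4 boxes chosen against exactly these two tables.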
2.6.2 Difference between Differential and Linear Cryptanalysis:
Basis of comparison: Description
 Linear cryptanalysis: a known-plaintext attack, in which the attacker studies probabilistic linear relations, known as linear approximations, between parity bits of the plaintext, the ciphertext and the secret key.
 Differential cryptanalysis: a general form of cryptanalysis that is primarily applicable to block ciphers and cryptographic hash functions. It entails a careful analysis of how differences in the input can affect the resulting difference at the output.
Basis of comparison: Discovery
 Linear cryptanalysis: first discovered by Matsui and Yamagishi in 1992.
 Differential cryptanalysis: discovered by the Israeli researchers Eli Biham and Adi Shamir.
Basis of comparison: Focus
 Linear cryptanalysis: statistical analysis against one round of decrypted ciphertext.
 Differential cryptanalysis: statistical analysis of two inputs and two outputs of a cryptographic algorithm.
Basis of comparison: Role of the attacker
 Linear cryptanalysis: the attacker identifies a linear relation between some bits of the plaintext, some bits of the ciphertext and some bits of the unknown key.
 Differential cryptanalysis: the attacker analyzes the changes in some chosen plaintexts and the difference in the outputs resulting from encrypting each one; from this it is possible to recover some of the key.
Basis of comparison: Decryption
 Linear cryptanalysis: the cryptanalyst decrypts each ciphertext using all possible sub-keys for one round of encryption and studies the resulting intermediate ciphertext to analyze the random results.
 Differential cryptanalysis: the changes to the intermediate ciphertext are obtained between multiple rounds of encryption. The two attacks can be combined, which is referred to as differential-linear cryptanalysis.
2.7 Block cipher design principles
Virtually all symmetric block encryption algorithms in current use are based on a structure referred to as the Feistel block cipher. For that reason, it is important to examine the design principles of the Feistel cipher. We begin with a comparison of stream ciphers with block ciphers.
 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time, e.g. the Vigenère cipher. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.
2.7.1 Block cipher principles:
 Most symmetric block ciphers are based on a Feistel cipher structure.
 Such a structure is needed because the cipher must be able to decrypt ciphertext to recover messages efficiently.
 A block cipher looks like an extremely large substitution, and would need a table of 2^64 entries for a 64-bit block.
 Instead, it is created from smaller building blocks, using the idea of a product cipher: in 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks, the modern form of the substitution-transposition product cipher, and it forms the basis of modern block ciphers.
 S-P networks are based on the two primitive cryptographic operations:
 substitution (S-box)
 permutation (P-box)
 These provide confusion and diffusion of messages.
 Diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext.
 Confusion: makes the relationship between the ciphertext and the key as complex as possible.
2.7.2 Feistel cipher structure:
The input to the encryption algorithm is a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves L0 and R0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has inputs Li-1 and Ri-1, derived from the previous round, as well as the subkey Ki, derived from the overall key K. In general, the subkeys Ki are different from K and from each other.
All rounds have the same structure. A substitution is performed on the left half of the data (as in S-DES). This is done by applying a round function F to the right half of the data and then taking the XOR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey Ki. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. This structure is a particular form of the substitution-permutation network.
The exact realization of a Feistel network depends on the choice of the following parameters and design features:
• Block size: increasing the size improves security, but slows the cipher.
• Key size: increasing the size improves security and makes exhaustive key searching harder, but may slow the cipher.
• Number of rounds: increasing the number improves security, but slows the cipher.
• Subkey generation: greater complexity can make analysis harder, but slows the cipher.
• Round function: greater complexity can make analysis harder, but slows the cipher.
• Fast software encryption/decryption and ease of analysis: more recent concerns for practical use and testing.
The process of decryption is essentially the same as the encryption process. The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order, i.e., Kn in the first round, Kn-1 in the second round and so on. For clarity, we use the notation LEi and REi for data traveling through the encryption algorithm and LDi and RDi for data traveling through the decryption algorithm. The diagram below shows that, at each round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped.
Fig 2.20: Feistel Cipher Structure
i.e., REi || LEi, or equivalently RD(16-i) || LD(16-i)
After the last iteration of the encryption process, the two halves of the output are swapped, so that the
cipher text is RE16 || LE16. The output of that round is the cipher text. Now take the cipher text and
use it as input to the same algorithm. The input to the first round is RE16 || LE16, which is equal to the
32-bit swap of the output of the sixteenth round of the encryption process.
Now we will see how the output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process. First consider the encryption process:
LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)
On the decryption side:
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
    = LE15
Therefore, LD1 = RE15 and RD1 = LE15.
In general, for the ith iteration of the encryption algorithm:
LEi = REi-1
REi = LEi-1 ⊕ F(REi-1, Ki)
Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit swap recovers the original plaintext.
Fig 2.21: Feistel Cipher Encryption and Decryption
2.8 Block cipher modes of operation:
These are procedural rules for a generic block cipher. The different modes result in different
properties being achieved which add to the security of the underlying block cipher.
A block cipher processes the data blocks of fixed size. Usually, the size of a message is larger than the
block size. Hence, the long message is divided into a series of sequential message blocks, and the
cipher operates on these blocks one at a time.
2.8.1 Electronic Code Book (ECB) Mode:
This mode is a most straightforward way of processing a series of sequentially listed message blocks.
Operation:
 The user takes the first block of plaintext and encrypts it with the key to produce the first block
of ciphertext.
 He then takes the second block of plaintext and follows the same process with same key and so
on so forth.
The ECB mode is deterministic; that is, if plaintext blocks P1, P2, …, Pm are encrypted twice under the same key, the output ciphertext blocks will be the same.
In fact, for a given key we could technically create a codebook of ciphertexts for all possible plaintext blocks. Encryption would then entail only looking up the required plaintext and selecting the corresponding ciphertext. Thus, the operation is analogous to the assignment of code words in a codebook, and hence gets its official name: Electronic Codebook mode of operation (ECB). It is illustrated as follows:
Fig 2.22: ECB mode
2.8.1.1 Analysis of ECB Mode:
In reality, application data usually has partial information which can be guessed. For example, the range of a salary can be guessed. A ciphertext from ECB can allow an attacker to guess the plaintext by trial and error if the plaintext message lies within a predictable range.
For example, if a ciphertext from the ECB mode is known to encrypt a salary figure, then a small number of trials will allow an attacker to recover the figure. In general, we do not wish to use a deterministic cipher, and hence the ECB mode should not be used in most applications.
Advantages of using ECB:
 Parallel encryption of blocks of bits is possible, thus it is a faster way of encryption.
 The simplest way of using a block cipher.
Disadvantages of using ECB:
 Prone to cryptanalysis, since there is a direct relationship between plaintext and ciphertext.
2.8.2 Cipher Block Chaining (CBC) Mode:
CBC mode of operation provides message dependence for generating ciphertext and makes the system
non-deterministic.
Operation
The operation of CBC mode is depicted in the following illustration. The steps are as follows −
 Load the n-bit Initialization Vector (IV) in the top register.
 XOR the n-bit plaintext block with data value in top register.
 Encrypt the result of XOR operation with underlying block cipher with key K.
 Feed ciphertext block into top register and continue the operation till all plaintext blocks are
processed.
 For decryption, the IV is XORed with the decrypted first ciphertext block. The first ciphertext block is also fed into the register, replacing the IV, for decrypting the next ciphertext block.
Fig 2.23: CBC mode
2.8.2.1 Analysis of CBC Mode:
In CBC mode, the current plaintext block is added to the previous ciphertext block, and then the result
is encrypted with the key. Decryption is thus the reverse process, which involves decrypting the current
ciphertext and then adding the previous ciphertext block to the result.
Advantages of CBC:
 CBC works well for input greater than b bits.
 CBC is a good authentication mechanism.
 Better resistive nature towards cryptanalysis than ECB.
Disadvantages of CBC:
 Parallel encryption is not possible since every encryption requires previous cipher.
2.8.3 Cipher Feedback (CFB) Mode:
In this mode, each ciphertext block gets ‘fed back’ into the encryption process in order to encrypt the
next plaintext block.
Operation: The operation of CFB mode is depicted in the following illustration. For example, in the
present system, a message block has a size ‘s’ bit where 1 < s < n. The CFB mode requires an
initialization vector (IV) as the initial random n-bit input block. The IV need not be secret. Steps of
operation are:
 Load the IV in the top register.
 Encrypt the data value in top register with underlying block cipher with key K.
 Take only ‘s’ number of most significant bits (left bits) of output of encryption process
and XOR them with ‘s’ bit plaintext message block to generate ciphertext block.
 Feed ciphertext block into top register by shifting already present data to the left and
continue the operation till all plaintext blocks are processed.
 Essentially, the previous ciphertext block is encrypted with the key, and then the result is
XORed to the current plaintext block.
 Similar steps are followed for decryption. Pre-decided IV is initially loaded at the start of
decryption.
Fig 2.24: CFB mode
2.8.3.1 Analysis of CFB Mode:
 CFB mode differs significantly from ECB mode: the ciphertext corresponding to a given plaintext block depends not just on that plaintext block and the key, but also on the previous ciphertext block. In other words, the ciphertext block is dependent on the message.
 CFB has a very strange feature. In this mode, the user decrypts the ciphertext using only the encryption process of the block cipher. The decryption algorithm of the underlying block cipher is never used.
 Apparently, CFB mode is converting a block cipher into a type of stream cipher. The encryption algorithm is used as a key-stream generator to produce a key-stream that is placed in the bottom register. This key-stream is then XORed with the plaintext, as in the case of a stream cipher.
 By converting a block cipher into a stream cipher, CFB mode provides some of the advantageous properties of a stream cipher while retaining the advantageous properties of a block cipher. On the flip side, a transmission error gets propagated, since it changes the following blocks.
Advantages of CFB:
 Since there is some data loss due to the use of the shift register, it is difficult to apply cryptanalysis.
2.8.4 Output Feedback (OFB) Mode:
 The output feedback mode follows nearly same process as the Cipher Feedback mode except
that it sends the encrypted output as feedback instead of the actual cipher which is XOR
output. In this output feedback mode, all bits of the block are sent instead of sending
selected s bits. The Output Feedback mode of block cipher holds great resistance towards bit
transmission errors. It also decreases dependency or relationship of cipher on plaintext.
Fig 2.25: OFB mode
2.8.5 Counter (CTR) Mode:
It can be considered as a counter-based version of CFB mode without the feedback. In this mode, both
the sender and receiver need to access to a reliable counter, which computes a new shared value each
time a ciphertext block is exchanged. This shared counter is not necessarily a secret value, but
challenge is that both sides must keep the counter synchronized.
Operation:
Both encryption and decryption in CTR mode are depicted in the following illustration. Steps in operation are:
 Load the initial counter value into the top register; it is the same for both the sender and the receiver. It plays the same role as the IV in CFB (and CBC) mode.
 Encrypt the contents of the counter with the key and place the result in the bottom register.
 Take the first plaintext block P1 and XOR it with the contents of the bottom register. The result of this is C1. Send C1 to the receiver and update the counter. The counter update replaces the ciphertext feedback in CFB mode.
 Continue in this manner until the last plaintext block has been encrypted.
Decryption is the reverse process. The ciphertext block is XORed with the output of the encrypted counter value. After decryption of each ciphertext block the counter is updated as in the case of encryption.
2.8.5.1 Analysis of Counter Mode:
 It does not have message dependency and hence a ciphertext block does not depend on the
previous plaintext blocks.
 Like CFB mode, CTR mode does not involve the decryption process of the block cipher. This
is because the CTR mode is really using the block cipher to generate a key-stream, which is
encrypted using the XOR function. In other words, CTR mode also converts a block cipher to
a stream cipher.
 The serious disadvantage of CTR mode is that it requires a synchronous counter at sender and
receiver. Loss of synchronization leads to incorrect recovery of plaintext.
 However, CTR mode has almost all advantages of CFB mode. In addition, it does not propagate
error of transmission at all.
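ECB, CBC and CTR from 2.8.1, 2.8.2 and 2.8.5 implemented over one block cipher, as an added Python example that is not part of the original notes. The block cipher is a constructed stand-in: a keyed random permutation of all 2^16 two-byte blocks, which is literally the codebook the ECB discussion mentions (a real cipher such as DES or AES computes this permutation rather than storing it, and uses 8- or 16-byte blocks). The example shows the determinism of ECB on repeated blocks, that CBC and CTR hide the repetition, that CTR decrypts with the same function using only the encrypt direction, and how a single-bit transmission error propagates in CBC (one garbled block plus one flipped bit in the next block) but not at all in CTR.

```python
# Block cipher modes over a toy codebook cipher: added example, not from the notes.
import random

BLOCK = 2  # bytes per block in this toy; DES uses 8, AES 16


class CodebookCipher:
    """A 16-bit block cipher realised literally as a codebook: for a given key,
    a random permutation of all 2^16 blocks (constructed here for illustration)."""

    def __init__(self, key):
        size = 1 << (8 * BLOCK)
        self._enc = list(range(size))
        random.Random(key).shuffle(self._enc)   # deterministic for a given key
        self._dec = [0] * size
        for p, c in enumerate(self._enc):
            self._dec[c] = p

    def encrypt_block(self, b):
        return self._enc[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")

    def decrypt_block(self, b):
        return self._dec[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")


def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(cipher, data):
    # Each block is encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(cipher.encrypt_block(p) for p in split_blocks(data))


def ecb_decrypt(cipher, data):
    return b"".join(cipher.decrypt_block(c) for c in split_blocks(data))


def cbc_encrypt(cipher, iv, data):
    out, prev = [], iv
    for p in split_blocks(data):
        prev = cipher.encrypt_block(xor_bytes(p, prev))   # C_i = E(P_i XOR C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, iv, data):
    out, prev = [], iv
    for c in split_blocks(data):
        out.append(xor_bytes(cipher.decrypt_block(c), prev))  # P_i = D(C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)


def ctr_crypt(cipher, counter0, data):
    """CTR mode: encrypt counter0, counter0+1, ... and XOR with the data.
    The same call decrypts, and only the forward direction of the cipher is used."""
    out = []
    for i, p in enumerate(split_blocks(data)):
        ctr = ((counter0 + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(xor_bytes(p, cipher.encrypt_block(ctr)))
    return b"".join(out)


def distinct_blocks(data):
    """Number of different blocks in data: 1 for ECB over a repeated plaintext block."""
    return len(set(split_blocks(data)))


def flip_bit(data, bit_index):
    """Return data with one bit flipped (simulates a transmission error)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    cipher = CodebookCipher(b"constructed demo key")
    msg = b"AB" * 8                                  # eight identical plaintext blocks
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(cipher, msg)))
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(cipher, b"\x12\x34", msg)))
    print("CTR distinct blocks:", distinct_blocks(ctr_crypt(cipher, 1000, msg)))
```

The error-propagation behaviour in the test follows directly from the equations in the comments: in CBC a damaged C_i enters D() for block i (garbling it completely) and is XORed once into block i+1 (flipping only the damaged bit), while in CTR the ciphertext is only ever XORed with key-stream, so the error stays in place.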
Fig 2.26: CTR mode
2.9 Advanced Encryption Standard:
Origin:
The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and
Technology) in 2001. AES is a symmetric block cipher that is intended to replace DES as the approved
standard for a wide range of applications. The AES cipher (& other candidates) form the latest
generation of block ciphers, and now we see a significant increase in the block size - from the old
standard of 64-bits up to 128-bits; and keys from 128 to 256-bits. In part this has been driven by the
public demonstrations of exhaustive key searches of DES. Whilst triple-DES is regarded as secure and well understood, it is slow, especially in software. In a first round of evaluation, 15 proposed algorithms were
accepted. A second round narrowed the field to 5 algorithms. NIST completed its evaluation process
and published a final standard (FIPS PUB 197) in November of 2001. NIST selected Rijndael as the
proposed AES algorithm. The two researchers who developed and submitted Rijndael for the AES are
both cryptographers from Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen.
2.9.1 AES GENERAL STRUCTURE:
 AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits.
 It uses 10, 12, or 14 rounds.
 The key size, which can be 128, 192, or 256 bits, depends on the number of rounds. But the
round keys are always 128 bits.
2.9.1.1 The AES Cipher structure:
 Designed by Rijmen-Daemen in Belgium.
 In AES, data block can be viewed as 4 x 4 matrix of bytes.
 Such table is called the current state.
 The key is expanded to an array of words (w), and in each of the 10 rounds the state undergoes the following transformations (called `layers’):
 Substitute bytes (1 S-box used on every byte)
 Shift rows (permute bytes between groups/columns)
 Mix columns (uses matrix multiplication in GF(256))
 Add round key (XOR state with round key)
 In AES the first and last round are a little different.
Fig 2.27: General design of AES encryption cipher
The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for
a 16-byte key; 12 rounds for 24-byte key; and 14 rounds for a 32-byte key. The first N – 1 rounds
consist of four distinct transformation functions: Sub Bytes, Shift Rows, Mix Columns, and Add
Round Key, which are described subsequently.
Fig 2.28: AES Encryption and decryption
The final round contains only 3 transformations, and there is an initial single transformation (Add Round Key) before the first round, which can be considered Round 0. Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output. Figure 5.1 shows that the output of each round is a 4 x 4 matrix, with the output of the final round being the ciphertext. Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 x 4 matrix. Each round key serves as one of the inputs to the Add Round Key transformation in each round.
2.9.1.2 Substitute Bytes:
The Substitute Bytes stage uses an S-box to perform a byte-by-byte substitution of the block. There is a single 8-bit wide S-box used on every byte. This S-box is a permutation of all 256 8-bit values, constructed using a transformation which treats the values as polynomials in GF(2^8); however, it is fixed, so one really only needs to know the table when implementing it. Decryption requires the inverse of the table.
The table was designed to be resistant to known cryptanalytic attacks. Specifically, the Rijndael
developers sought a design that has a low correlation between input bits and output bits, with the
property that the output cannot be described as a simple mathematical function of the input, with no
fixed points and no “opposite fixed points”.

Fig2.29: Substitute Bytes


2.9.1.3 Shift Rows:
The Shift Rows stage provides a simple "permutation" of the data, whereas the other steps
involve substitutions. Further, since the state is treated as a block of columns, it is this step which
provides for diffusion of values between columns. It performs a circular rotate on each row, by 0, 1, 2
and 3 places for rows 0, 1, 2 and 3 respectively. When decrypting it performs the circular shifts in the
opposite direction for each row. This row shift moves an individual byte from one column to another,
which is a linear distance of a multiple of 4 bytes, and ensures that the 4 bytes of one column are
spread out to four different columns.

Fig 2.30: Shift Rows (permuted)



2.9.1.4 Mix Columns:


The forward mix column transformation, called Mix Columns, operates on each column
individually. Each byte of a column is mapped into a new value that is a function of all four bytes in
that column. It is a substitution that makes use of arithmetic over GF(2^8), designed as a matrix
multiplication where each byte is treated as a polynomial in GF(2^8). The inverse used for decryption
involves a different set of constants.
The constants used are based on a linear code with maximal distance between code words –
this gives good mixing of the bytes within each column. Combined with the Shift Rows step, this
provides good avalanche, so that within a few rounds all output bits depend on all input bits.

Fig 2.31: Mix Columns


2.9.1.5 AddRoundKey:
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round
key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128 bits are interpreted as
16 bytes and we begin another similar round.

Fig2.32: Add round Key


2.9.1.6 AES Key Expansion:
The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of
words, providing a 4-word round key for the initial Add Round Key stage and for each of the 10/12/14 rounds
of the cipher. It involves copying the key into the first group of 4 words, and then constructing subsequent
groups of 4 based on the values of the previous word and the word four positions back. The first word in
each group of 4 gets "special treatment": rotate + S-box + XOR constant on the previous word before XORing
with the word four back. In the 256-bit key / 14 round version, there is also an extra step on the middle word.


Fig 2.33: AES Key Expansion


The first block of the AES Key Expansion is shown here in Stallings Figure 5.9a. It shows each
group of 4 bytes in the key being assigned to the first 4 words, then the calculation of the next 4
words based on the values of the previous 4 words, which is repeated enough times to create all the
necessary subkey information.

Fig2.34: AES Key Expansion


2.9.1.7 AES Decryption:
The AES decryption cipher is not identical to the encryption cipher. The sequence of
transformations for decryption differs from that for encryption, although the form of the key
schedules for encryption and decryption is the same. This has the disadvantage that two separate
software or firmware modules are needed for applications that require both encryption and
decryption. There is, however, an equivalent version of the decryption algorithm that has the same
structure as the encryption algorithm, with the same sequence of transformations as the encryption
algorithm (with transformations replaced by their inverses). To achieve this equivalence, a change in
key schedule is needed.
By constructing an equivalent inverse cipher with steps in the same order as for encryption, we can
derive a more efficient implementation. Clearly, swapping the byte substitution and shift rows steps has no
effect, since both work on individual bytes. Swapping the mix columns and add round key steps requires the
inverse mix columns step to be applied to the round keys first – this makes the decryption key schedule
a little more complex with this construction, but allows the same hardware or software to be used for the
encryption and decryption computation.
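As an added example (not code from the notes or from Stallings), the four layers described above and the straightforward inverse round of this section in Python; the S-box is derived from the GF(2^8) inverse and affine map rather than typed in as a table, and the state layout (16 bytes, column-major, as in FIPS-197) and the function names are my choices:

```python
# Added example, not the notes' code: the AES round layers on one 4x4 state.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2) modulo x^8+x^4+x^3+x+1 (0x11b)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)  # times x, then reduce
        b >>= 1
    return p

def sbox_entry(x):
    """S-box: multiplicative inverse in GF(2^8), computed as x^254, then the affine map."""
    v = 1
    for _ in range(254):
        v = gf_mul(v, x)  # x = 0 stays 0, as the S-box requires
    s = 0x63
    for k in range(5):  # XOR of v rotated left by 0..4 bits, plus the constant 0x63
        s ^= ((v << k) | (v >> (8 - k))) & 0xFF
    return s

SBOX = [sbox_entry(x) for x in range(256)]  # derived rather than typed in as a table
INV_SBOX = [SBOX.index(v) for v in range(256)]

def sub_bytes(state, table=SBOX):
    return [table[b] for b in state]

def shift_rows(state, inverse=False):
    """Rotate row r of the column-major state (state[r + 4*c]) left by r places."""
    d = -1 if inverse else 1  # inverse: rotate right instead
    return [state[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state, matrix=MIX):
    """Multiply every column by the fixed MDS matrix over GF(2^8)."""
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for row in matrix:
            v = 0
            for m, b in zip(row, col):
                v ^= gf_mul(m, b)
            out.append(v)
    return out

def add_round_key(state, round_key):
    return [a ^ k for a, k in zip(state, round_key)]

def aes_round(state, round_key):  # one inner round; the final round skips MixColumns
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)

def inv_aes_round(state, round_key):  # the inverse layers, applied in reverse order
    s = mix_columns(add_round_key(state, round_key), INV_MIX)
    return sub_bytes(shift_rows(s, inverse=True), INV_SBOX)
```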

2.10 Evaluation criteria for AES:


The goal of the Advanced Encryption Standard (AES) competition was to specify "an unclassified,
publicly disclosed encryption algorithm capable of protecting sensitive government information well
into the next century". The AES competition was organized by the United States National Institute of
Standards and Technology (NIST).
2.10.1 Requirements:
Each AES submission was required to be a block cipher supporting a block length of 128 bits and key
lengths of 128, 192, and 256 bits. The call for proposals specified the following evaluation criteria:
 Security ("the most important factor in the evaluation"):
 "Actual security of the algorithm compared to other submitted algorithms";
 "The extent to which the algorithm output is indistinguishable from a random
permutation on the input block";
 "Soundness of the mathematical basis for the algorithm's security";
 "Other security factors raised by the public during the evaluation process, including
any attacks which demonstrate that the actual security of the algorithm is less than the
strength claimed by the submitter".
 Cost:
 "Licensing requirements" ("AES shall be available on a worldwide, non-exclusive,
royalty-free basis");
 "Computational efficiency";
 "Memory requirements".
 "Algorithm and implementation characteristics":
 "Flexibility" (e.g., additional key sizes, additional block sizes, wide variety of
platforms, stream cipher, MAC generator, PRNG, hash);
 "Hardware and software suitability";
 "Simplicity".

2.11 RC4 -STREAM CIPHER:

RC4 is a stream cipher with a variable-length key. The algorithm encrypts one byte at a time.
The key is the input to a pseudorandom byte generator that produces a stream of 8-bit values which is
unpredictable without knowledge of the key. The output of the generator, called the key stream, is combined
one byte at a time with the plaintext using the XOR operation.

Fig 2.35: Block diagram of RC4-Stream Cipher


RC4 is a byte-oriented stream cipher in which a byte (8 bits) of a plaintext is exclusive-ored with a
byte of key to produce a byte of a ciphertext.


2.11.1 State
RC4 is based on the concept of a state.
S[0], S[1], S[2], ..., S[255]
2.11.2 The RC4 Stream Cipher:
• RC4 was designed by Ron Rivest in 1987 for RSA Security.
• It was kept as a trade secret until it was leaked in 1994.
• It is one of the most popular stream ciphers.
• RC4 is simple and fast.
• It is used in the SSL/TLS standards (for secure Web communication), the IEEE 802.11 wireless
LAN standard, Microsoft Point-to-Point Encryption, and many others.
2.11.3 Key Scheduling Algorithm:
Initialization: Initialization is done in two steps:
 In the first step, the state is initialized to the values 0, 1, ..., 255. A key array K[0], K[1], ..., K[255]
is also created. If the secret key has exactly 256 bytes, the bytes are copied to the K array;
otherwise the bytes are repeated until the K array is filled.
    for (i = 0 to 255)
    {
        S[i] = i
        K[i] = key[i mod keylength]
    }
 In the second step, the initialized state goes through a permutation based on the value of the
bytes in K[i]. The key byte is used only in this step to define which elements are to be
swapped. The state bytes are shuffled after this step.
    j = 0
    for (i = 0 to 255)
    {
        j = (j + S[i] + K[i]) mod 256
        swap(S[i], S[j])
    }
    i = j = 0
 Key Stream Generation: The bytes of the key stream are generated one by one. First
the state is permuted based on the values of the state elements and of the two index
variables i and j; second, the values of the two state elements in positions i and j are used to
define the index of the state element that serves as the key-stream byte. The following code is used:
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap(S[i], S[j])
    k = (S[i] + S[j]) mod 256
    keystreamByte = S[k]
 The output, i.e. keystreamByte, is a single byte that can be XORed with plaintext to encrypt or
XORed with ciphertext to decrypt.
2.11.4 Security of RC4:
• The keystream generated by RC4 is biased.
• The first few bytes are strongly non-random and cannot leak information about the
input key.

• Recommended values for n = 256, 768, or 3072 bytes.


• Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
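The two-step key scheduling and the key-stream generation of 2.11.3, together with the RC4-drop[n] mitigation (discarding the first n key-stream bytes) for the biased early output discussed in 2.11.4, as an added Python example that is not from the notes; the function names and the deterministic test keys are assumptions:

```python
import hashlib

def ksa(key):
    """Key-scheduling algorithm: identity permutation shuffled by the repeated key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def prga(s):
    """Key-stream generator: yields one byte per step from the evolving state s."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def rc4(key, data, drop=0):
    """Encrypt or decrypt (the same operation). drop = number of leading key-stream
    bytes discarded first, the RC4-drop[n] mitigation for the biased early output."""
    gen = prga(ksa(key))
    for _ in range(drop):
        next(gen)
    return bytes(b ^ next(gen) for b in data)

def second_byte_zero_rate(num_keys):
    """Fraction of keys whose second key-stream byte is 0: about 2/256 for RC4
    (the Mantin-Shamir bias) against 1/256 for an unbiased generator. Keys are
    constructed deterministically from a counter so the measurement is repeatable."""
    hits = 0
    for n in range(num_keys):
        key = hashlib.sha256(n.to_bytes(4, "big")).digest()[:16]  # constructed test key
        gen = prga(ksa(key))
        next(gen)
        if next(gen) == 0:
            hits += 1
    return hits / num_keys
```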
2.11.5 RC4 and WEP:
• WEP is a protocol using RC4 to encrypt packets for transmission over an IEEE 802.11 wireless
LAN.
• WEP requires each packet to be encrypted with a separate RC4 key.
• The RC4 key for each packet is a concatenation of a 24-bit IV (initialization vector) and a 40-
or 104-bit long-term key.
• RC4 key = IV (24 bits) || long-term key (40 or 104 bits).

2.12 Key distribution:


• Symmetric schemes require both parties to share a common secret key.
• The issue is how to securely distribute this key.
• Often a secure system fails because of a break in the key distribution scheme.
• Given parties A and B, there are various key distribution alternatives:
    1. A can select a key and physically deliver it to B.
    2. A third party can select the key and deliver it to A and B.
    3. If A and B have communicated previously, they can use the previous key to encrypt a new key.
    4. If A and B each have secure communications with a third party C, C can relay the key between A
    and B.
2.12.1 Symmetric Key Distribution Task:
The scale of the problem depends on the number of communicating pairs that must be
supported. If end-to-end encryption is done at a network or IP level, then a key is needed for each pair
of hosts on the network that wish to communicate.
Thus, if there are N hosts, the number of required keys is [N(N – 1)]/2. If encryption is done at
the application level, then a key is needed for every pair of users or processes that require
communication. Thus, a network may have hundreds of hosts but thousands of users and processes.

Fig2.36: Symmetric Key Distribution Task


The above diagram illustrates the magnitude of the key distribution task for end-to-end encryption. A
network using node-level encryption with 1000 nodes would conceivably need to distribute as many
as half a million keys. If that same network supported 10,000 applications, then as many as 50 million
keys may be required for application-level encryption.
 Physical delivery (alternatives 1 and 2) is simplest, but only applicable when there is personal contact
between recipient and key issuer. It is fine for link encryption, where devices and keys occur in
pairs, but does not scale as the number of parties who wish to communicate grows.
 A third party is a trusted intermediary, whom all parties trust, to mediate the establishment of
secure communications between them. All parties must trust the intermediary not to abuse its knowledge
of all session keys. As the number of parties grows, some variant of alternative 4 is the only practical
solution.


2.12.2 Key Hierarchy:


The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum, two
levels of keys are used: a session key, used for the duration of a logical connection; and a master key
shared by the key distribution center and an end system or user and used to encrypt the session key.

Fig 2.37: Key Hierarchy


The use of a key distribution center is based on the use of a hierarchy of keys. Communication
between end systems is encrypted using a temporary key, often referred to as a session key. Typically,
the session key is used for the duration of a logical connection, such as a frame relay connection or
transport connection, and then discarded. Each session key is obtained from the key distribution
center over the same networking facilities used for end-user communication. Accordingly, session
keys are transmitted in encrypted form, using a master key that is shared by the key distribution center
and an end system or user. For each end system or user, there is a unique master key that it shares
with the key distribution center. Of course, these master keys must be distributed in some fashion.
However, the scale of the problem is vastly reduced, as only N master keys are required, one for each
entity. Thus, master keys can be distributed in some non-cryptographic way, such as physical delivery.

Fig2.38: Symmetric Key Distribution Scenario


The key distribution concept can be deployed in a number of ways. A typical scenario is illustrated in
the above diagram, which has a "Key Distribution Center" (KDC) that shares a unique key with each
party (user). The text in section 14.1 details the steps needed, which are briefly:
1. A requests from the KDC a session key to protect a logical connection to B. The message includes
the identities of A and B and a unique nonce N1.
2. The KDC responds with a message encrypted using Ka that includes a one-time session key Ks to
be used for the session, the original request message to enable A to match the response with the
appropriate request, and information for B.
3. A stores the session key for use in the upcoming session and forwards to B the information from the
KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is
protected from eavesdropping.


At this point, a session key has been securely delivered to A and B, and they may begin their
protected exchange. Two additional steps are desirable:
4. Using the new session key for encryption, B sends a nonce N2 to A.
5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on
N2 (e.g., adding one). These steps assure B that the original message it received (step 3) was not a
replay. Note that the actual key distribution involves only steps 1 through 3, but that steps 4 and 5, as
well as 3, perform an authentication function.
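The five-step exchange above, with both sides' messages, as an added Python example that is not from the notes: the cipher E(K, .) is stood in for by an XOR with an HMAC-SHA256 keystream (no integrity protection, chosen only because the standard library has no block cipher), the field widths, identifiers and message labels are assumptions, and f(N2) is taken as "add one" as suggested in step 5:

```python
import hashlib
import hmac
import secrets

ID_LEN, NONCE_LEN, KEY_LEN = 4, 8, 16        # fixed field widths (assumed) so messages parse
REQ_LEN = 2 * ID_LEN + NONCE_LEN             # IDA || IDB || N1

def enc(key, label, data):
    """Stand-in for E(K, .): XOR with an HMAC-SHA256 keystream, one keystream per label."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        ks = hmac.new(key, label + n.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[32 * n:32 * n + 32], ks))
    return bytes(out)

class KDC:
    def __init__(self, master_keys):
        self.master_keys = master_keys       # one master key shared with each end system

    def handle_request(self, id_a, id_b, n1):
        """Step 2: E(Ka, [Ks || IDA || IDB || N1 || E(Kb, [Ks || IDA])])."""
        ks = secrets.token_bytes(KEY_LEN)
        for_b = enc(self.master_keys[id_b], b"kdc->B", ks + id_a)
        return enc(self.master_keys[id_a], b"kdc->A", ks + id_a + id_b + n1 + for_b)

def a_obtain_key(kdc, ka, id_a, id_b):
    """Steps 1 and 3 on A's side: send the request, check the echo, keep Ks."""
    n1 = secrets.token_bytes(NONCE_LEN)                      # fresh nonce per request
    reply = enc(ka, b"kdc->A", kdc.handle_request(id_a, id_b, n1))
    ks, echoed, for_b = reply[:KEY_LEN], reply[KEY_LEN:KEY_LEN + REQ_LEN], reply[KEY_LEN + REQ_LEN:]
    if echoed != id_a + id_b + n1:                           # reply must answer this request
        raise ValueError("KDC reply does not match the outstanding request")
    return ks, for_b                                         # A stores Ks, forwards for_b to B

def b_receive(kb, for_b):
    """Step 3 on B's side: recover Ks and the identity of the requester."""
    plain = enc(kb, b"kdc->B", for_b)
    return plain[:KEY_LEN], plain[KEY_LEN:]

def f(n2):
    """The notes' f(N2): add one to the nonce read as an 8-byte big-endian integer."""
    return ((int.from_bytes(n2, "big") + 1) % 2 ** 64).to_bytes(NONCE_LEN, "big")

def run_scenario():
    """Steps 1-5 end to end; True when A and B share Ks and A answers B's challenge."""
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc = KDC({b"IDA_": ka, b"IDB_": kb})
    ks_a, for_b = a_obtain_key(kdc, ka, b"IDA_", b"IDB_")
    ks_b, peer = b_receive(kb, for_b)
    n2 = secrets.token_bytes(NONCE_LEN)
    challenge = enc(ks_b, b"B->A", n2)                       # step 4: B sends E(Ks, N2)
    answer = enc(ks_a, b"A->B", f(enc(ks_a, b"B->A", challenge)))  # step 5: E(Ks, f(N2))
    return ks_a == ks_b and peer == b"IDA_" and enc(ks_b, b"A->B", answer) == f(n2)
```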

2.12.3 Symmetric Key Distribution Issues:


• Hierarchies of KDCs are required for large networks, but the KDCs must trust each other.
• Session key lifetimes should be limited for greater security.
• Automatic key distribution can be done on behalf of users, but the system must then be trusted.
• Decentralized key distribution can be used.
• Key usage should be controlled.

2.12.4 Symmetric Key Distribution Using Public Keys:


Because of the inefficiency of public key cryptosystems, they are almost never used for the direct
encryption of sizable blocks of data, but are limited to relatively small blocks. One of the most
important uses of a public key cryptosystem is to encrypt secret keys for distribution.
Simple Secret Key Distribution:
An extremely simple scheme was put forward by Merkle. If A wishes to communicate with B, the
following procedure is employed:
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa
and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the
message, only A and B will know the identity of Ks.
4. A discards PUa and PRa and B discards PUa.

Fig 2.39: Simple Secret Key Distribution


A and B can now securely communicate using conventional encryption and the session key Ks. At the
completion of the exchange, both A and B discard Ks. Despite its simplicity, this is an attractive
protocol. No keys exist before the start of the communication and none exist after the completion of
communication. Thus, the risk of compromise of the keys is minimal. At the same time, the
communication is secure from eavesdropping.
Advantages:
• Simplicity.
• No keys stored before and after the communication.
• Security against eavesdropping.
Disadvantages:
• Lack of authentication mechanism between participants.
• Vulnerability to an active attack as described in the next slide.
• Leak of the secret key upon such active attacks.
********
