Cryptography & Network Security
4 CSE- 1 SEM
Unit-II
Topics to be covered:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Introduction to Secret Key Cryptography and Principles
Block Ciphers Vs Stream Ciphers
Feistel Cipher Structure
Data Encryption Standard and Strengths DES
Block Cipher Design Principles and Modes of Operations
Triple DES
IDEA (International Data Encryption Algorithm)
Blowfish and CAST-128
AES( Advanced Encryption Standard)
1. Introduction to Secret Key Cryptography and Principles
Secret Key encryption, also referred to as conventional encryption, Symmetric key,
Single-key encryption, was the only type of encryption in use prior to the development
of public-key encryption in the late 1970s.1 It remains by far the most widely used of
the two types of encryption. The plain text is encrypted and decrypted with same key
which shared by the sender and receiver. The secrecy of the message depends on the
secrecy of the key, but not on the algorithm.
A symmetric encryption scheme has Five ingredients as follows: Principles
1. plain text - original message or data that is fed into algorithm as input
2. cipher text - coded message
3. Secret key – information used in cipher known only to sender/receiver also given as
input to algorithm
4. Encryption Algorithm –The Encryption algorithm uses various substitutions and
transformations for converting plaintext to cipher text with
5. Decryption Algorithm- This is essentially the encryption algorithm run in the reverse
order. It takes the same secret key and cipher text to produce the plain text.
Fig 2.1 Simplified Model of Conventional Encryption
There are two requirements for secure use of symmetric encryption:
1. We need strong encryption algorithm.
UNIT-2
Page 1
Cryptography & Network Security
4 CSE- 1 SEM
2. Sender and Receiver must have obtained the copies the secret key in the secured
fashion and must keep the key secure.
2. Stream Ciphers and Block Ciphers
Any plain text can be transformed into cipher text with following Ciphers
 Stream Cipher is the one that encrypts the digital data one bit or one byte at a time to
produce the cipher text. Ex:-Autokyed Vigenere Cipher and Verman Cipher
 Block Cipher is the one in which a block of plain text is treated as whole and used to
produce a cipher text of equal length. Ex:- DES
Motivations for Feistel Cipher Structure:
 A block cipher operates on a plain text of n-bits to produce the cipher text of n-bits.
There are 2n different possible plain text blocks for encryptions to be reversible (Eg:
for decryption to be possible), and each must produce unique cipher text block. Such
transformation is called “reversible” or “nonsingular.
 If same cipher block has different plain text block such scheme is called “irreversible
Transformation”
Table 1: Reversible and Irreversible Transformations
Reversible Mapping
Irreversible Mapping
Plain Text
Cipher
Text
Plain Text
Cipher
Text
00
11
00
11
10
01
10
01
01
00
01
01
In the above example the same cipher block "01" is producing different plain text
blocks, this is called "irreversible transformation".
Block Cipher Principles:
Most symmetric block encryption algorithms in current use are based on a structure referred
to as a Feistel block cipher. A block cipher operates on a plaintext block of n bits to produce a
ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block size is
not practical, however, from an implementation and performance point of view. In general, for
an n-bit general substitution block cipher, the size of the key is n x 2n. For a 64-bit block,
UNIT-2
Page 2
Cryptography & Network Security
4 CSE- 1 SEM
which is a desirable length to thwart statistical attacks, the key size is 64 x 264 = 270 = 1021
bits. In considering these difficulties, Feistel points out that what is needed is an
approximation to the ideal block cipher system for large n, built up out of components that are
easily realizable.
Ideal Block Cipher:
The most general form of the block cipher is Ideal Block Cipher in which a reversible
mapping between plain text and cipher text is possible. This allows the maximum number of
possible encryption mappings from plain text to cipher text.
Fig 2.2 General n-bit by n-bit Ideal Block Cipher
3. The Feistel Cipher
Horst Feistel, working at IBM Thomas J Watson Research Labs devised a suitable invertible
cipher structure in early 70's. He proposed that we can actually approximate the concept of a
product cipher, which is the execution of two or more simple ciphers in sequence in such a
way that to produce the final result or product that is cryptographically stronger than any of
the component ciphers. The structure uses the alternate use of substitutions and permutations,
which is proposed by the Claude Shannon to develop the product cipher that alternates
confusion and diffusion.
Confusion and Diffusion:
The terms diffusion and confusion were introduced by Claude Shannon to capture the
two basic building blocks for any cryptographic system. Every block cipher involves a
transformation of a block of plaintext into a block of ciphertext, where the transformation
depends on the key. The mechanism of diffusion seeks to make the statistical relationship
between the plaintext and ciphertext as complex as possible in order to thwart attempts to
UNIT-2
Page 3
Cryptography & Network Security
4 CSE- 1 SEM
deduce the key. Confusion seeks to make the relationship between the statistics of the
ciphertext and the value of the encryption key as complex as possible, again to thwart
attempts to discover the key. So successful are diffusion and confusion in capturing the
essence of the desired attributes of a block cipher that they have become the cornerstone of
modern block cipher design.
Feistel Cipher Structure
 Horst Feistel devised the feistel cipher
based on concept of invertible product cipher
 partitions input block into two halves
process through multiple rounds which
perform a substitution on left data half
based on round function of right half & subkey
then have permutation swapping halves
 implements Shannon’s S-P net concept
The Design Elements of the Feistel Cipher are as follows:
•
Block size - increasing size improves security, but slows cipher
•
Key size - increasing size improves security, makes exhaustive key searching harder,
but may slow cipher
•
Number of rounds –single round offers inadequate security, but multiple rounds
increase security, increasing number improves security, but slows cipher
•
Subkey generation algorithm - greater complexity can make analysis harder, but
slows cipher
•
Round function - greater complexity can make analysis harder, but slows cipher
•
Fast software encryption/decryption – in many cases encryption is embeded in
hardware to increase speed of cipher, more recent concern for practical use
•
Ease of analysis - for easier validation & there is a great advantage in designing
easier algorithm to find all the vulnerabilities, testing of strength
UNIT-2
Page 4
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.3 Encryption Process
UNIT-2
Page 5
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.4 Encryption and Decryption Processes
Working procedure of Feistel Cipher:
The plaintext block is divided into two halves, Lo and Ro. The two halves of the data
pass through n rounds of processing and then combine to produce the ciphertext block. Each
round i has as inputs Li-l and R;-l' derived from the previous round, as welI as a subkey Ki,
derived from the overall K. In general, the subkeys Ki are different from K and from each
other and are generated from the key by a subkey generation algorithm.
All rounds have the same structure. A substitution is performed on the left half of the data.
This is done by applying a round function F to the right half of the data and then taking the
exclusive-OR (X OR) of the output of that function and the left half of the data. The round
function has the same generaI structure for each round but is parameterized by the round
subkey Ki. Following this substitution, a permutation is performed that consists of the
interchange of the two halves of the data.
UNIT-2
Page 6
Cryptography & Network Security
4 CSE- 1 SEM
The general process of the encryption will be as follows:
LEi= REi-1
REi=LEI X F(REi-1,Ki)
The Decryption is as follows:
LE16=RE15
RE16=LE15 X F(RE15,K16)
4.Data Encryption Standard and Strengths DES
Introduction: The most widely used private key block cipher, is the Data Encryption
Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal
Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using
a 56-bit key. The DES enjoys widespread use. It has also been the subject of much
controversy its security. IBM developed Lucifer cipher
 by team led by Feistel in late 60’s
 used 64-bit data blocks with 128-bit key
 then redeveloped as a commercial cipher with input from NSA and others
 in 1973 NBS issued request for proposals for a national cipher standard
 IBM submitted their revised Lucifer which was eventually accepted as the DES
Over View of DES:
The overall scheme for DES encryption is illustrated in Stallings Figure 2.5, which takes as
input 64-bits of data and of key. The left side shows the basic process for enciphering a 64-bit
data block which consists of:



an initial permutation (IP) which shuffles the 64-bit input block
16 rounds of a complex key dependent round function involving substitutions &
permutations
a final permutation, being the inverse of IP
The right side shows the handling of the 56-bit key and consists of:


an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in
two 28-bit halves
16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of
the two 28-bit halves
UNIT-2
Page 7
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.6 Over view of DES
The main phases in the left hand side of the above figure i.e. processing of the plain text are:
Initial Permutation (IP): The plaintext block undergoes an initial permutation. 64 bits of the
block are permuted. For example the actual input message order can be as follows according
to their bit positions:
Table 2: Actual 64 bit order
An example initial Permutation obtained by just writing the even numbered columns first in
the row wise and odd numbered columns later in the row wise.
UNIT-2
Page 8
Cryptography & Network Security
4 CSE- 1 SEM
Table 3: Initial Permutation
A Single Round Transformation:
On the right hand side part of the figure, the usage of the 56 bit key is shown. Initially
the key ispassed through a permutation function. Now for each of the 16 iterations, a new
subkey (Ki) is produced by combination of a left circular shift and a permutation function
which is same for each iteration. A different subkey is produced because of repeated shifting
of the key bits.
The left and right halves of each 64 bit intermediate value are treated as separated 32bit quantities labeled L (left) and R (Right). The overall processing at each iteration is given
by following steps, which form one round in an S-P network.
Li = Ri-1.
Ri = L i-1 F(R i-1, Ki ) Where Function F can be described as P(S( E(R(i-1)) K(i) ))
The following figure shows a closer view of algorithms for a single iteration. The
64bit permuted input passes through 16 iterations, producing an intermediate 64-bit value at
the conclusion of each iteration.
UNIT-2
Page 9
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.7: Single Round Function
A Complex Transformation (F): This again contains two sub transformations i) Expansion
transformation (E) ii) Substitution transformation (S)
Fig 2.8: Expansion and Substitution Transformations
i. Expansion transformation
64 bit permuted block undergoes 16 rounds of complex transformation. Subkeys are used in
each of the 16 iterations. The round Key Ki is 48 bits. The R input is 32 bits. The R input is
first expanded to 48 bit by using a table that defines a permutation plus an expansion that
involves duplication of 16 of R bits. The Expansion is as follows: The middle elements belong
UNIT-2
Page 10
Cryptography & Network Security
4 CSE- 1 SEM
to the 32 bit R input and Left and right 8 elements are the duplications of the R input, to make
as 48 bit.
Table 4: Expansion Permutation
i) Substitution transformation
The Role of the S-Box in the transformation (F) is as follows, the substitution consists of a set
of 8 S-Boxes, each accepts 6 input and produce 4 out bits. These transformations are defined
as follows: The first and last bits of 6bits used to specify the row, and the rest of the 4 bits are
used to specify the column of the specific box. The data in the specified position is used to
replace. The S-box will be as follows,
Table 5: Substitution Table
Row0
Row1
Row2
Row3
Col 0
14
0
4
15
Col 1
4
15
1
12
Col 2
13
7
14
8
Col 3
1
4
8
2
Col 4
2
14
13
4
Col 5
15
2
6
9
Col 6
11
13
2
1
Col 7
8
1
11
7
Col 8
3
10
15
5
Col 9
10
6
12
11
Col
10
6
12
9
3
Col
11
12
11
7
14
Col
12
5
9
3
10
Col
13
9
5
10
0
Col
14
0
3
5
6
For example, if the input to the s-box is 011001, the first and last are "01" means decimal
value 1, therefore it is Row 1, and middle bits are "1100", decimal value equal to that is 12,
means Column 12, the value in the Row1 and Col 12 is "9", which is used for replacement.
again the 4 bit is generated from the s-box as output.
32-bit swap: The output of 16th round consists of 64bits that are a function of input plain text
and key.32 bit left and right halves of this output is swapped.
Inverse Initial Permutation (IP-1): The 64 bit output undergoes a permutation that is inverse
of the initial permutation.
Sub Key Generation Algorithm:
Here 64-bit is used as input to the algorithm. The Bits of the key are numbered from 1
to 64; and every 8th bit is ignored. The resulting 56-bit key is then treated as two 28 bit
quantities, labled C0 and D0 . At each round Ci-1 and Di-1 are subjected to a circular shift or
rotation of one or two bits. After shifting it is given to a permutation /contraction function,
which then produces 48 bit output as key for that round.
DES Decryption:
The DES decryption uses the same algorithm as encryption, except the application of subkey
in the reverse order.
The Avalanche Affect of DES:
UNIT-2
Page 11
Col
15
7
8
0
13
Cryptography & Network Security
4 CSE- 1 SEM
The Desirable property of any encryption algorithm is that a small change in the planin text or
key has to produce a significant change in the ciphertext. In particular, a change in one bit of
plaintext or key should produce bits of the ciphertext. If the change were small, this might
provide a way to reduce the size of the plaintext or key space to be searched.
Strength of DES – Key Size
1. The Key
Since its adoption as a federal standard, there have been lingering concerns about the
level of security provided by DES in two areas: key size and the nature of the
algorithm. With a key length of 56 bits, there are 2^56 possible keys, which is
approximately 7.2*10^16 keys. Thus a brute-force attack appeared impractical.
However DES was finally and definitively proved insecure in July 1998, when the
Electronic Frontier Foundation (EFF) announced that it had broken a DES
encryption using a special-purpose "DES cracker" machine that was built for less than
$250,000. The attack took less than three days. The EFF has published a detailed
description of the machine, enabling others to build their own cracker [EFF98].There
have been other demonstrated breaks of the DES using both large networks of
computers & dedicated h/w, including:
- 1997 on a large network of computers in a few months
- 1998 on dedicated h/w (EFF) in a few days
- 1999 above combined in 22hrs!
It is important to note that there is more to a key-search attack than simply running
through all possible keys. Unless known plaintext is provided, the analyst must be able
to recognize plaintext as plaintext. Clearly must now consider alternatives to DES, the
most important of which are AES and triple DES.
2. The Nature of the Encryption algorithm
Another concern is the possibility that cryptanalysis is possible by exploiting the
characteristics of the DES algorithm. The focus of concern has been on the eight
substitution tables, or S-boxes, that are used in each iteration. These techniques utilise
some deep structure of the cipher by gathering information about encryptions so that
eventually you can recover some/all of the sub-key bits, and then exhaustively search
for the rest if necessary. Generally these are statistical attacks which depend on the
amount of information gathered for their likelihood of success. Attacks of this form
include differential cryptanalysis. linear cryptanalysis, and related key attacks.
3. The Timing Attack
A timing attack exploits the fact that an encryption or decryption algorithm often takes
slightly different amounts of time on different inputs. The AES analysis process has
highlighted this attack approach, and showed that it is a concern particularly with
smartcard implementations, though DES appears to be fairly resistant to a successful
timing attack.
5. Block Cipher Design Principles and Modes of Operations
UNIT-2
Page 12
Cryptography & Network Security
4 CSE- 1 SEM
There are three critical aspects of the design of the block cipher: The number of rounds, the
function F, and Key Scheduling.
The DES design criteria:
The design of DES has focused on design of S-Box and P function that takes the output of the
S-Box. The criteria for S-box are as follows:
i.
ii.
iii.
No output bit of any s-box should be too close a linear function of the input bits.
Each row of the S-box should include all 16 possible output bit combinations.
If two inputs to an s-box differ in exactly one bit, the output must differ in at least two
bits.
If two inputs to the s-box differ in middle two bits, then output must differ in at least
two bits.
If two inputs to the s-box differ in their first two bits and are identical in their last two
bits, the outputs must not be the same.
For any nonzero 6-bit difference between inputs, no more than 8 of 32 pairs of inputs
exhibiting that difference may result in the same output difference.
This is a criterion similar to the previous one, but for the case of three s-boxes.
iv.
v.
vi.
vii.
The Criteria for the Permutation P as follows:
i.
The four output bits from each s-box at each round I are distributed so that two of
them affect "middle bits" of round (i+1) and the other two affect end bits. The two
middle bits of the input to s-box are not shared with adjacent s-boxes. The end bits
are the two left-hand bits and the two right-hand bits, which are shared with adjacent
s-boxes.
The four output bits from each s-box affect six different s-boxes on the next round,
and no two affect the same s-box.
For two s-boxes l, k if output bit from Sj affect a middle bit of Sk on the nest round,
then an output bit from Sk canot affect a middle bit of Sj.
ii.
iii.
These criteria are intended to increase the diffusion of the algorithm.
I. The Number of Rounds
The greater the number of rounds, the more difficult it is to perform cryptanalysis,
even for a relatively weak F. IF DES had less than 15 or fewer rounds, differential
cryptanalysis would require less effort than brute-force attack.
II. Design of the Function F
The heart of the Feistel Cipher is the Function F. This function relies on the use of the
S-boxes. This is also the case for most other symmetric block ciphers. The function F
provides the elements of confusion in the feistel cipher. Thus it must be difficult to
"unscramble" the substitution performed by the F.
UNIT-2
Page 13
Cryptography & Network Security
4 CSE- 1 SEM
Criterion 1: The more nonlinear is the more difficulty in cryptanalysis.
Criterion 2: The algorithm even can be designed with good avalanche properties.
Criterion 3: Bit independence Criterion, which states that the output bits j and k
should change independently when any single bit I is inverted, for i, j and k.
The S-Box Design:
This is the one of the intense research area in the field of symmetric block ciphers. The Papers
are almost too numerous to count. There are some general principles. One Characteristic of Sboxes is its size. An NxM S-box has N inputs and M outputs. The DES has 6X4 s-boxes. The
larger is the size of the S-box, the stronger is against the cryptanalysis.
The approaches for the S-boxes:
 Random: Use some random number generation to generate the entries in the Sboxes.
 Random with testing: Choose S-Box entries randomly, then test the results against
various criteria, and throw away those that do not pass.
 Human-made: This is manual approach with only simple mathematics to support it.
 Math-made: Generate S-box according to mathematical principles, that offer proven
security against cryptanalysis.
III. The Key Schedule Algorithm:
With any Feistel Cipher only one sub key is generated for each round. In general we would
like to select the subkey to maximize the difficulty of deducing the individual subkeys and
difficulty of working back to the main key. There are no general principles for this yet.
Cipher Block Modes of Operations:
A symmetric block cipher processes one block of data at a time. In the case of DES and
3DES, the block length is 64 bits. For longer amounts of plaintext, it is necessary to break the
plaintext into 64-bit blocks (padding the last block if necessary). There are three modes of
operations:
 Electronic Codebook Mode
 Cipher Block Chaining Mode
 Cipher Feed back Mode.
 Output Feedback Mode
 Counter Mode
Electronic Codebook Mode:
The simplest way to proceed is what is known as electronic codebook (ECB) mode, in which
plaintext is handled 64 bits at a time and each block of plaintext is encrypted using the same
key. The term codebook is used because, for a given key, there is a unique ciphertext for every
64-bit block of plaintext. Therefore, one can imagine a gigantic codebook in which there is an
entry for every possible 64-bit plaintext pattern showing its corresponding ciphertext.
UNIT-2
Page 14
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.9: ECB
Problem of ECB:
With ECB, if the same 64-bit block of plaintext appears more than once in the message, it
always produces the same ciphertext. Because of this, for lengthy messages, the ECB mode
may not be secure, for repeated 64 bit patterns.
Cipher Block Chaining Mode (CBC):
In the cipher block chaining (CBC) mode, the input to the encryption algorithm is the
XOR of the current plaintext block (P) and the preceding ciphertext block(C ) ; the same
key is used for each block. In effect, we have chained together the processing of the sequence
of plaintext blocks, to avoid the similarities. The input to the encryption function for each
plaintext block bears no fixed relationship to the plaintext block. Therefore, repeating patterns
of 64 bits are not exposed.
For decryption, each cipher block is passed through the decryption algorithm. The result is
XORed with the preceding ciphertext block to produce the plaintext block. To see that this
works, we can write:
Ci=Ek[Ci-1 XOR Pi], where Ek[x] is the encryption of plain text x, using the key K, and XOR
is the Exclusive OR operation.
The Decryption process is as follows: Pi=Dk[Ci] XOR Ci-1
UNIT-2
Page 15
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.10 Cipher Block Chaining Mode
Cipher Feedback Mode (CFB):
It is possible to convert any block cipher into a stream cipher by using the cipher feedback
(CFB) mode. A stream cipher eliminates the need to pad a message to be an integraI number
of blocks. It also can operate in real time. Thus, if a character stream is being transmitted,
each character can be encrypted and transmitted immediately using a character-oriented
stream cipher. One desirable property of a stream cipher is that the ciphertext be of the same
length as the plaintext. Thus, if 8-bit characters are being transmitted, each character should
be encrypted using 8 bits. If more than 8 bits are used, transmission capacity is wasted.
In the figure, it is assumed that the unit of transmission is s bits; a common value is s = 8.
As with CBC, the units of plaintext are chained together, so that the ciphertext of any
plaintext unit is a function of all the preceding plaintext.
First, consider encryption. The input to the encryption function is a 64-bit shift register
that is initially set to some initialization vector (IV). The leftmost (most significant) s bits of
the output of the encryption function are XORed with the first unit of plaintext Pl to produce
the first unit of ciphertext Cl, which is then transmitted. In addition, the contents of the shift
register are shifted left by s bits and Cl is placed in the rightmost (least significant) s bits of
the shift register. This process continues until all plaintext units have been encrypted.
UNIT-2
Page 16
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.11 Cipher Feedback Mode
Output Feedback Mode (OFB):
The output feedback (OFB) mode is similar in structure to that of CFB. As can be seen in Fig
2.12, it is the output of the encryption function that is fed back to the shift register in OFB,
whereas in CFB, the ciphertext unit is fed back to the shift register. The other difference is
that the OFB mode operates on full blocks of plaintext and ciphertext, not on an -bit subset.
Encryption can be expressed as By rearranging terms,
Cj = Pj_ E(K, [Cj-i_ Pj-1])
we can demonstrate that decryption works.
Pj = Cj_ E(K, [Cj-1 _ Pj-1])
UNIT-2
Page 17
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.12 Output Feedback Mode
Advantage of OFB Mode: The bit errors in transmission do not propagate
Disadvantage of OFB Mode: The disadvantage of OFB is that it is more vulnerable to a
message stream modification attack than is CFB.
Counter Mode (CTR):
Although interest in the counter (CTR) mode has increased recently with applications to
ATM (asynchronous transfer mode) network security and IP sec (IP security), this mode was
proposed early on 1979. In Fig 2.13 depicts the CTR mode. A counter equal to the plaintext
block size is used. The only requirement stated in SP 800-38A is that the counter value must
be different for each plaintext block that is encrypted. Typically, the counter is initialized to
some value and then incremented by 1 for each subsequent block.
UNIT-2
Page 18
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.14 Counter Mode
Advantages of CRT:
 Hardware Efficiency
 Software Efficiency
 Preprocessing
 Random Access
 Provable Security
 Simplicity
6. Triple DES
Double DES:
The simplest form of multiple encryption has two encryption stages and two keys, Fig 2.16
Given a plaintext P and two encryption keys K1 andK2, ciphertext is generated as
Decryption requires that the keys be applied in reverse order:
UNIT-2
Page 19
Cryptography & Network Security
4 CSE- 1 SEM
For DES, this scheme apparently involves a key length of 56X2=112 bits, resulting in a
dramatic increase in cryptographic strength. But we need to examine the algorithm more
closely.
Fig 2.16 Double DES
The first answer to problems of DES is an algorithm called Double DES which includes
double encryption with two keys. It increases the key size to 112 bits, which seems to be
secure. But, there are some problems associated with this approach.
 Issue of reduction to single stage:
Suppose it were true for DES, for all 56-bit key values, that given any two keys K1 and K2, it
would be possible to find a key K3 such that
If this were the case, then double encryption, and indeed any number of stages of multiple
encryption with DES, would be useless because the result would be equivalent to a single
encryption with a single 56-bit key.

meet-in-the-middle” attack:
Given a known pair(P,C), the attack proceeds as follows. First, encrypt P for all 256
possible values of K1. Store these results in a table and then sort the table by the values of X .
Next, decrypt C, using all 256 possible values of K2. As each decryption is produced, check
the result against the table for a match. If a match occurs, then test the two resulting keys
against a new known plaintext–ciphertext pair. If the two keys produce the correct ciphertext,
accept them as the correct keys. Test the two keys for the second pair of plaintext-ciphertext
and if they match, correct keys are found
Triple DES was the answer to many of the shortcomings of DES. Since it is based on
the DES algorithm, it is very easy to modify existing software to use Triple DES. 3DES was
developed in 1999 by IBM – by a team led by Walter Tuchman. 3DES prevents a meet-in-themiddle attack. 3DES has a 168-bit key and enciphers blocks of 64 bits. It also has the
advantage of proven reliability and a longer key length that eliminates many of the shortcut
attacks that can be used to reduce the amount of time it takes to break DES. 3DES uses three
keys and three executions of the DES algorithm. The function follows an encrypt-decryptencrypt (EDE) sequence.
UNIT-2
Page 20
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.12 Triple DES Encryption and Decryption
C=Ek3[Dk2[Ek1[p]]]
Where C= ciphertext, P= plaintext and
EK[X] = encryption of X using key K
DK[Y] = decryption of Y using key K
Decryption is simply the same operation with the keys reversed
P=Dk1[Ek2[Dk3[c]]]
Triple DES runs three times slower than standard DES, but is much more secure if
used properly. With three distinct keys, TDEA has an effective key length of 168 bits making
it a formidable algorithm. As the underlying algorithm is DEA, it offers the same resistance to
cryptanalysis as is DEA. Triple DES can be done using 2 keys or 3 keys.
There is no cryptographic significance to the use of decryption for the second stage of 3DES
encryption. Its only advantage is that it allows users of 3DES to decrypt data encrypted by
users of the older single DES:
c = Ek1 [D2l [EK3 [P]]] = EK1 [P]
Strength of Triple DES:
If we assume that the cracker would perform 1 million decryptions per 1micro second, then
DES would take 10 hours to break. With 128 bit Key It would take 1018 years to break. With
168 bit key Brute force attack is impossible.
Fig 2.13 Time to break Code
UNIT-2
Page 21
Cryptography & Network Security
4 CSE- 1 SEM
7. IDEA (International Data Encryption Algorithm)
The International Data Encryption Standard Algorithm (IDEA) is a symmetric block
cipher that was proposed and developed by Lai and James to replace DES. It differs with
DES both in terms of Rounds and Keys. IDEA uses 128 bit Key. It is a minor revision of
an earlier cipher, PES (Proposed Encryption Standard). IDEA was originally called IPES
(Improved PES) and was also included in PGP (Pretty Good Privacy Protocol). IDEA is a
block cipher which uses a 128-bit length key to encrypt successive 64-bit blocks of
plaintext.
The main design goals of IDEA are,

Block Length: Block size of 64 bits is considered strong enough to deter statistical
analysis. Also usage of Cipher Feedback Mode of operation provides better strength.

Key Length: Its key size of 128 bits is very secure to deter exhaustive search
IDEA’s overall scheme is based on three different operations: Bit by Bit XOR denoted as
, addition mod 216 denoted
as and multiplication mod (216 +1) as ʘ. All
operations are on 16-bit sub-blocks, with no permutations used. Completely avoid substitution
boxes and table lookups used in the block ciphers. The algorithm structure has been chosen
such that when different key sub-blocks are used, the encryption process is identical to the
decryption process.
In IDEA, Confusion is achieved by using these three separate operations in
combination providing a complex transformation of the input, making cryptanalysis much
more difficult (than with a DES which uses just a single XOR). The main basic building block
is the Multiplication/Addition (MA) structure shown below:
Fig 2.14 Multiplication and Addition Structure
UNIT-2
Page 22
Cryptography & Network Security
4 CSE- 1 SEM
Diffusion is provided by this MA structure where, each output bit depends on every bit of
inputs (plaintext-derived inputs and subkey inputs).This MA structure is repeated eight times,
providing very effective diffusion
The overall scheme for IDEA is shown below:
Fig 2.15 Overall IDEA Structure
Working of IDEA:
The encryption function takes two inputs; one being the plaintext to be encrypted and
the key. The plaintext is 64 bits in length and key is 128 bits in length. The IDEA algorithm
UNIT-2
Page 23
Cryptography & Network Security
4 CSE- 1 SEM
consists of eight rounds followed by a final transformation function. The algorithm divides the
input into four 16-bit sub-blocks. Each of the rounds takes four 16-bit sub-blocks as input and
produces four 16-bit output blocks. The final transformation also produces four 16-bit blocks,
which are concatenated to form the 64-bit ciphertext. Each of the rounds also makes use of six
16-bit subkeys, whereas the final transformation uses four subkeys, for a total of 52 subkeys.
First, the 128-bit key is partitioned into eight 16-bit sub-blocks which are then directly
used as the first eight key sub-blocks {i.e. Z1, Z2… Z8 are taken directly from the 128-bit key
where Z1.equals the first 16 bits, Z2 corresponding to next 16 bits and so on}. The 128-bit key
is then cyclically shifted to the left by 25 positions, after which the resulting 128-bit block is
again partitioned into eight 16-bit sub-blocks to be directly used as the next eight key subblocks. The cyclic shift procedure described above is repeated until all of the required 52 16bit key sub-blocks have been generated. The following figure shows the single round in the
encryption algorithm.
Fig 2.16 IDEA Single Round Encryption
UNIT-2
Page 24
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.17 First Stage of MA Structure




IDEA deviates from the Feistel Structure that the round starts with a transformation
that combines four input subblocks with four subkeys, using the addition and
multiplication operations.
These four output blocks are then combined using the XOR operation to form two 16bit blocks that are input to the MA structure, which also takes two subkeys(k5,k6) as
input and combines these inputs to produce 16-bit outputs.
Finally, the four output blocks from the upper transformation are combined with the
two output blocks of the MA (Multiplication/Addition) structure using XOR to
produce the four output blocks for this round.
Also, the two outputs that are partially generated by the second and third inputs(X2
and X3) are interchanged to produce the second and third outputs (W12 and W13).
This increases the mixing of bits being processed and makes the algorithm more
resistant to differential cryptanalysis.
The ninth stage of the algorithm, labelled the output transformation stage has the same
structure as the upper rounds, but the only difference is that the second and third inputs are
interchanged before being applied to the operational units. The effect of this is undoing the
interchange at the end of eighth round. The reason for this extra interchange is so that
decryption has the same structure as encryption. The ninth stage requires only four subkey
inputs, compared to six subkey inputs for each of the first eight stages.
UNIT-2
Page 25
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.19 The 9th Stage of the Algorithm
Decryption Steps:
1. The first four subkeys of decryption round i are derived from the first four subkeys of
encryption round (10-i), where the transformation stage is counted as round 9. The first and
fourth decryption subkeys are equal to the multiplicative inverse modulo (216 +1) of the
corresponding first and fourth encryption subkeys. For rounds 2 through 8, the second and
third decryption subkeys are equal to the additive inverse modulo (216) of the corresponding
third and second encryption subkeys. For rounds 1 and 9, the second and third decryption
subkeys are equal to the additive inverse modulo (216) of the corresponding second and third
encryption subkeys.
2. For the first eight rounds, the last two subkeys of decryption round i are equal to the last
two subkeys of encryption round (9-i)
8. Blowfish










Blowfish was developed in 1993 by Bruce Schneier [SCHN93, SCHN94], an
independent consultant and cryptographer, and quickly became one of the most
popular alternatives to DES.
Blowfish was designed to be easy to implement and to have a high execution speed.
It is also a very compact algorithm that can run in less than 5K of memory.
An interesting feature of Blowfish is that the key length is variable and it can vary
from 32 bits up to 448 bits.
In practice, 128-bit keys are used.
Blowfish uses 16 rounds.
Blowfish uses 8X32 S-boxes and the XOR function, as does DES, but also uses
binary addition.
Unlike DES, which uses fixed S-boxes, Blowfish uses dynamic S-boxes that are
generated as a function of the key.
A total of 521 executions of the Blowfish encryption algorithm is required to produce
the subkeys and S-boxes.
Accordingly, Blowfish is not suitable for applications in which the secret key changes
frequently.
UNIT-2
Page 26
Cryptography & Network Security
4 CSE- 1 SEM
Fig 2.20 Blowfish Structure
Working of the Round Function:
The function splits the 32-bit input into four eight-bit quarters, and uses the quarters as input
to the S-boxes. The outputs are added modulo 232 and XORed to produce the final 32-bit
output.
Fig 2.21 The Round Function
Decryption is exactly the same as encryption, except that P1, P2,..., P18 are used in the
reverse order. This is not so obvious because xor is commutative and associative. A common
misconception is to use inverse order of encryption as decryption algorithm (i.e. first XORing
P17 and P18 to the ciphertext block, then using the P-entries in reverse order).
UNIT-2
Page 27
Cryptography & Network Security
4 CSE- 1 SEM
CAST -128 Algorithms:
In cryptography, CAST-128 (alternatively CAST5) is a block cipher used in a number
of products, notably as the default cipher in some versions of GPG and PGP. It has also been
approved for Canadian government use by the Communications Security Establishment. The
algorithm was created in 1996 by Carlisle Adams and Stafford Tavares using the CAST
design procedure.
Another member of the CAST family of ciphers, CAST-256 (a former AES candidate)
was derived from CAST-128. According to some sources, the CAST name is based on the
initials of its inventors, though Bruce Schneier reports the authors' claim that "the name
should conjure up images of randomness".
CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size
of between 40 to 128 bits (but only in 8-bit increments). The full 16 rounds are used when the
key size is longer than 80 bits.
Components include large 8×32-bit S-boxes based on bent functions, key-dependent
rotations, modular addition and subtraction, and XOR operations. There are three alternating
types of round function, but they are similar in structure and differ only in the choice of the
exact operation (addition, subtraction or XOR) at various points.
Fig 2.22 Structure of CAST -128
9. Advanced Encryption Standard (AES)
UNIT-2
Page 28
Cryptography & Network Security
4 CSE- 1 SEM
Introduction to AES Structure:
The AES encryption process takes the plain text of length 128 bit or 16 bytes. The Key length
can vary in the range of 128, 192, or 256 bits, 16,24 or 32 bytes respectively. The Algorithms
can be referred to as AES-128, AES-192, and AES-256.
The Encryption and decryption algorithms take a block of length 128 bits, for producing the
cipher block of length 128 bit. The plain text block is copied into an array called “State
Array” which is modified at each stage of encryption and decryption. After the final stage the
“State array” moved to the Output Matrix. The key is also represented in the form of a square
matrix. The Key is expanded to 44 words, each word of 4 bytes length (32 bits). The 1st four
bytes of the plain text input to encryption cipher occupy the 1st column of “in” matrix, second
four bytes occupy the second column and so on. Similarly, the first four bytes of the expanded
key, which form a word, occupy the first column of the w matrix.
The cipher consists of rounds, where the number of rounds depends on the key length:
 10 rounds for a 16-byte key,
 12 rounds for a 24-byte key,
 14 rounds for a 32-byte key.
UNIT-2
Page 29
Cryptography & Network Security
4 CSE- 1 SEM
The first N-1 rounds consists 4 distinct operations: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, and final round contains only three transformations and
there is an initial single transformation before the first round, that can be considered as round
0. Each transformation takes one or more 4X4 matrices as input and produce the 4X4 as
output. The out put the final round is the cipher text. A separate round key is used for each
round, which is obtained from the expanded key.
AES Data structure:
The 1st four bytes of the plain text input to encryption cipher occupy the 1 st column of
“in” matrix; second four bytes occupy the second column and so on. Similarly, the first four
bytes of the expanded key, which form a word, occupy the first column of the “w” matrix.
Comments about the Overall Structure:
•
•
•
One noteworthy feature of this structure is that it is not a Feistel structure.
The key that is provided as input is expanded into an array of forty-four 32-bit
words, w[i]. Four distinct words (128 bits) serve as a round key for each round
Four different stages are used, one of permutation and three of substitution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of
the block
• ShiftRows: A simple permutation
• MixColumns: A substitution that makes use of arithmetics
• AddRoundKey: A simple bitwise XOR of the current block with a portion
of the expanded key
• The structure is quite simple.
• Only the AddRoundKey stage makes use of the key
UNIT-2
Page 30
Cryptography & Network Security
4 CSE- 1 SEM
• The other three stages together provide confusion, diffusion, and nonlinearity, but by
•
•
•
•
themselves would provide no security because they do not use the key.
Each stage is easily reversible.
As with most block ciphers, the decryption algorithm makes use of the expanded key
in reverse order. Decryption is not identical to the encryption. This is just because of
the structure of the AES.
Once it is established that all four stages are reversible, it is easy to verify that
decryption does recover the plaintext.
The final round of both encryption and decryption consists of only three stages.
AES Transformation Functions:
i.
The Substitute Transformation:
The AES defines a 16 X 16 matrix of byte values, which is called “S-Box”. This
contains the permutations of all possible 256 b-bit values. Each and every byte of the “State
matrix” mapped into a new byte in the following way: The left most 4 bytes used to define the
row, and right most 4 bits used to define the column. These row and column values used to
serve the indexes for the s- box to identify 8-bit output value.
State Array
ii.
S- BOX
OUTPUT
ShiftRows Transformation:
The first row of State is not altered. For the second row, a 1-byte circular left shift is
performed. For the third row, a 2-byte circular left shift is performed. For the fourth row, a 3byte circular left shift is performed. The following is an example of ShiftRows.
UNIT-2
Page 31
Cryptography & Network Security
iii.
4 CSE- 1 SEM
MixColumns Transformation:
Each byte of a column is mapped into a new value that is a function of all four bytes in that
column. The transformation can be defined by the following matrix multiplication on State.
Each element in the product matrix is the sum of products of elements of one row and one
column. The MixColumns transformation on a single column of State can be expressed as:
For example:
iv.
UNIT-2
AddRoundKey Transformation
Page 32
Cryptography & Network Security
4 CSE- 1 SEM
The 128 bits of State are bitwise XORed with the 128 bits of the round key. the operation is
viewed as a columnwise operation between the 4 bytes of a State column and one word of
the round key; it can also be viewed as a byte-level operation.
For example:
Inputs to the Single Round AES:
AES Key Expansion:
The 128 bit key is copied into the first four words of the expanded key. The remainder
of the expanded key is filled in four words at a time. Each added new word depends on the
w[i] and w[i-4]. In three out of four cases, a simple XOR is used. For a word whose position
in the w array is a multiple of 4, a more complex function is used. The complex function g
consists of the following subfunctions.
UNIT-2
Page 33
Cryptography & Network Security
4 CSE- 1 SEM
Where R is the called Rotate Constant.



RotWord performs a one-byte circular left shift on a word.
SubWord performs a byte substitution on each byte of its input word, using the S-box
The result of steps 1 and 2 is XORed with a round constant, R
*******END of the 2nd UNIT*******
UNIT-2
Page 34