“It seems that our competence to secure the net
cannot keep up with our desire to use it.”
by ARJEN K. LENSTRA
in ‘Securing the Net – The Fruits of Incompetence’, published in First Monday, 1996,
http://www.firstmonday.org/issues/issue4/lenstra/ as of Nov 1, 2009
1
Stream Cipher

Streaming Cipher: encrypts data unit by unit, where
a unit is of certain number of bits (Example: If the
unit be a bit, a stream cipher encrypts data unit by
unit. Or if the unit be a byte, it encrypts byte by
byte)
simpler and faster than block cipher; but less secure

Two Modes of Stream Cipher:



Synchronous Stream Cipher: Sender uses a key to
encrypt. Receiver uses the same key to decrypt.
Self-Synchronizing Stream Cipher: The key stream
generator (KSG) generates a key, which depends
upon the original key and the cipher output.
2
Key Stream Generator (KSG)
Key
Pseudorandom
Byte Generator
Stream of bytes
The stream of bytes cannot be determined, if the
Key is not known.
The stream is deterministic.
The stream repeats after a long chain of bits.
3
Self-Synchronizing Stream Cipher
Stream of bytes
Plaintext

Ciphertext
In a stream Cipher, a key must not be repeated.
4
RC 4:

RC4: A byte by byte encryption
algorithm, used in




Example of a Stream Cipher
SSL (Secure socket Layer)
WEP (Wired Equivalent Privacy)
Developed in 1987 by Ron Rivest for
RSA
Sept 1994: RC4 algorithm: Developed in
1987 by Ron Rivest for RSA
5
RC4: Key and the Temporary Vector






Key: 1 to 256 octets
First byte of Key: K[0]; Second byte of
key: K[1] ……
No of bytes of key = kbytes
A 256 byte Temporary vector: T[0] to T[255]
If kbytes = 256, for i = 0 to 255, T[i] = K[i]
If kbytes < 256, for i=0 to 255,
T[i] = K[i mod kbytes]
6
RC4: The State Vector



A 256 byte State vector: S[0] to S[255]
INITIALIZATION: For i = 0 to 255, S[i] = i
Initial PERMUTATION of S: j = 0;
For i = 0 to 255,
j = (j + S[i] + T[i]) mod 256
Swap (S[i] and S[j]).
After initial permutation, the key is not used.
7
Stream Encryption



mth byte of Plaintext P[m]
i = j = 0; m = 0
while (true){
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
swap (S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];
C[m] = P[m]  k;
m=m+1
}
8
Strength of RC4



For decryption, xor k with the next byte
of ciphertext.
For a key length of 128 bits or more,
RC4 is secure.
The weakness in WEP: due to the
weakness of the protocol for key
generation ( not due to weakness in
RC4).
Reference: Fluhrer, S.; Mantin, I.; and Shamir, A.
“Weakness in the Key Scheduling Algorithm of RC4,”
Proceedings, Workshop in Selected Areas of
Cryptography, 2001
9
Symmetric Key Ciphers



Symmetric key ciphers: efficient, secure
Problem: How to share a key securely
between the sender and the receiver?
If 100 persons want to send message
securely to one another  4950
different keys are required (Reference: Niels
Ferguson and Bruce Schneier ,” Practical
Cryptography”, Wiley 2003)
9
Other Symmetric Ciphers

DES: ‘arguably the most widely used and successful
encryption algorithm in the world’
(Reference: Bruce
Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels
Ferguson,” Two fish: A 128-Bit Block Cipher”, 15 June 1998,
http://www.schneier.com/twofish.html)



AES: October 2, 2000: RIJNDAEL selected as AES;
issued as FIPS PUB 197 standard in Nov-2001
RC4: A Stream Cipher; Developed in 1987 by Ron
Rivest for RSA; used in SSL and WEP
Other Symmetric Ciphers:


Blowfish: designed in 1993 by Bruce Schiener as a licencefree replacement for DES
Five Finalists for the AES competition: MARS, RC6,
11
RIJNDAEL, SERPENT, TWOFISH
AES Selection Process



June 1998: 21 proposals
Aug 20, 1998: shortlisted to 15 proposals
shortlist in Aug-99:





MARS (IBM) - complex, fast, high security margin
RC6 (USA) - v. simple, v. fast, low security margin
Rijndael (Belgium) - clean, fast, good security margin -academic
Serpent (Euro) – slow (1/3rd the speed of AES), clean,
highest security margin out of the 5 finalists --academic
Twofish (USA) – complex, Feistel, DES-like structure; v. fast
(as fast as AES), high security margin– key dependent Sboxes; Uses whitening: at both the start and the end of the
cipger process, add key-material to data
12
BLOWFISH
Blowfish (also known as puffer, globefish, or swellfish) is
called fugu in Japanese. It blows itself up when
threatened. The costliest and the ideal of gourmet dining,
fugu is known to have a deadly poison (tetrodoxin) in its
ovary and the liver. Only specially licensed cooks who know
exactly how to cut up fugu are allowed to cook fugu.
Tetrodoxin is 1250 times deadlier than cynide and has no
known anti-dote.
Reference: http://www1.american.edu/TED/blowfish.htm as of Nov 1,
2009
13
BLOWFISH


1993: designed by Bruce Schiener as a licence-free
replacement for DES
a Feistel Network, iterating a simple encryption
function 16 times.

a symmetric block cipher. It has a 64-bit block size

a variable key length from 32 bits to 448 bits

Uses simple operations that are efficient on
microprocessors. e.g. exclusive-or, addition, table
lookup (four indexed array data lookups per
round), modular- multiplication.
14
BLOWFISH


does not use variable-length shifts or bit-wise
permutations, or conditional jumps.
Employs precomputable subkeys:



….2
On large-memory systems, these subkeys can be
precomputed for faster operation.
Not precomputing the subkeys will result in slower
operation, but it should still be possible to encrypt
data without any precomputations.
It is significantly faster than most encryption
algorithms when implemented on 32-bit
microprocessors with large data caches.
15
BLOWFISH

DES operates on Right Half whereas Blowfish:
operates on Left Half of data
(DES is designed for Big-Endians machines,
whereas Blowfish is designed for Little endian;
Intel processors are Little Endian.



Little Endian: increasing numeric significance with
increasing memory addresses or increasing time; The LSB
is at the lowest address. The other bytes follow in
increasing order of significance.
Big Endian: MSB stored at the lowest address and the
next byte value in significance is stored at the next
memory location. )
Blowfish algorithm consists of two parts: key
expansion and data encryption.
16
Blowfish Key Schedule Algorithm
(Sub-Keys Generation Algorithm)


Data encryption consists of a simple function
iterated 16 times. Each round
consists of
 a key-dependent permutation, and
 a key- and data-dependent
substitution.
Blowfish uses a large number of subkeys.
These keys must be precomputed before any
data encryption or decryption.
17
Subkeys:


The P-array consists of 18 32-bit subkeys:
P(1), P(2),..., P(18).
There are four 32-bit S-boxes with 256
entries each:




S1,0,
S2,0,
S3,0,
S4,0,
S1,1,...,
S2,1,..,,
S3,1,...,
S4,1,..,,
S1,255;
S2,255;
S3,255;
S4,255.
18
Key Expansion
Given a key of a maximum of 448 bits
 Key Schedule: generates 18x4 + 256x4x4 = 4168 bytes
of subkeys
 Uses the fractional part of π.
π = 3.1415926535 8979323846 2643383279 5028841971..

(Reference: http://www.eveandersson.com/pi/digits/pi-digits as of Nov 1, 2009)


To initialize 18 sub-keys and 4 S-boxes, we need 18*32
+ 4*256*32 = 576 + 32768 = 33344 binary digits of, or
33,344/4 = 8,366 hex digits of π.
fractional part of π in HEX digits:
19
Key Expansion Algorithm:
Given the key K (keysize= an integer multiple of 32 bits)
1. Repeat the key K to generate K’ of length 18x32 bits:
K’ = (K K K K….)
2.
Initialize first the P-array and then the four S-boxes, in order, with
the hexadecimal digits of the fractional part of π (i.e. π - 3):
P(1) = 0x243F6A88,
P(2) = 0x85A308D3,
P(3) = 0x13198A2E,
P(4) = 0x03707344,
.
S1 = (0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0x D01ADFB7, 0xB8E1AFED, ……)
.
XOR P(1) with the first 32 bits of the key K’, XOR P(2) with the
second 32-bits of the key, and so on for all the 18 P’s.
3.
20
Key Expansion Algorithm:
4.
5.
6.
7.
8.
…2
Consider a 64-bit all zero data. Encrypt the all-zero string with the
Blowfish algorithm, using the subkeys P’s obtained in step (3) and
S’s obtained in step (2). The output will be a 64-bit string.
Replace P(1) and P(2) with the output of step (4).
Encrypt the output of step (4) using the Blowfish algorithm with the
subkeys, obtained after modification of step (5). Again we shall get a
64-bit string as the output.
Replace P(3) and P(4) with the output of step (5).
Continue the process, replacing all entries of the P array, and then
all four S-boxes in order, with the output of the continuously
changing Blowfish algorithm.
In total, 521 iterations are required to generate all required subkeys.
Applications can store the subkeys rather than execute this derivation
process multiple times.
21
Blowfish
Key Expansion Algorithm Process
Reference: P.K. Yuen,” Practical Cryptology and Web security”,
Pearson/Addison Wesley 2006, pp 394
…3
22
Blowfish
Data Encryption Algorithm




Blowfish has 16 rounds.
The input is a 64-bit data element, x.
Divide x into two 32-bit halves: xL, xR.
Then, for i = 1 to 16:




xL = xL XOR P(i)
xR = F(xL) XOR xR
Swap xL and xR
After the sixteenth round, swap xL and
xR again to undo the last swap.
23
Data Encryption Algorithm Process
first, second and the last rounds
Reference: P.K. Yuen,” Practical Cryptology and Web security”,
Pearson/Addison Wesley 2006, pp 392
24
Blowfish
Data Encryption Algorithm



Then,
..3
xR = xR XOR P(17) and
xL = xL XOR P(18).
Finally, recombine xL and xR to get the
ciphertext.
Decryption is exactly the same as
encryption, except that P(1), P(2),...,
P(18) are used in the reverse order.
25
Blowfish
Round Function
ROUND FUNCTION F
 INPUTS: 32 bit data L
S1[], S2[], S3[], S4[]:four 32-bit S-boxes
with 256 entries each
1. Divide L into four 8-bit parts:
L = (a, b, c, d)
2. Output

B =( (S1[a] + S2[b] mod 232 )  S3[c] ) + S4[d] mod 232
26
Blowfish
The Round Function Process
…….2
Reference: P.K. Yuen,” Practical Cryptology and Web security”,
Pearson/Addison Wesley 2006, pp 393
27
8366 HEX DIGITS of π - 3
Reference: http://www.herongyang.com/crypto/cipher_blowfish_4.html

243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C894528
21E638D01377BE5466CF34E90C6CC0AC29B7C97C50DD3F84D5B5B54709179216D5
D98979FB1BD1310BA698DFB5AC2FFD72DBD01ADFB7B8E1AFED6A267E96BA7C9045
F12C7F9924A19947B3916CF70801F2E2858EFC16636920D871574E69A458FEA3F493
3D7E0D95748F728EB658718BCD5882154AEE7B54A41DC25A59B59C30D5392AF2601
3C5D1B023286085F0CA417918B8DB38EF8E79DCB0603A180E6C9E0E8BB01E8A3ED7
1577C1BD314B2778AF2FDA55605C60E65525F3AA55AB945748986263E8144055CA3
96A2AAB10B6B4CC5C341141E8CEA15486AF7C72E993B3EE1411636FBC2A2BA9C55D
741831F6CE5C3E169B87931EAFD6BA336C24CF5C7A325381289586773B8F48986B4
BB9AFC4BFE81B6628219361D809CCFB21A991487CAC605DEC8032EF845D5DE98575
B1DC262302EB651B8823893E81D396ACC50F6D6FF383F442392E0B4482A48420046
9C8F04A9E1F9B5E21C66842F6E96C9A670C9C61ABD388F06A51A0D2D8542F68960F
A728AB5133A36EEF0B6C137A3BE4BA3BF0507EFB2A98A1F1651D39AF017666CA593
E82430E888CEE8619456F9FB47D84A5C33B8B5EBEE06F75D885C12073401A449F56
C16AA64ED3AA62363F77061BFEDF72429B023D37D0D724D00A1248DB0FEAD349F1
C09B075372C980991B7B25D479D8F6E8DEF7E3FE501AB6794C3B976CE0BD04C006B
AC1A94FB6409F60C45E5C9EC2196A246368FB6FAF3E6C53B51339B2EB3B52EC6F6D
FC511F9B30952CCC814544AF5EBD09BEE3D004DE334AFD660F2807192E4BB3C0CBA
85745C8740FD20B5F39B9D3FBDB5579C0BD1A60320AD6A100C6402C7279679F25FE
FB1FA3CC8EA5E9F8DB3222F83C7516DFFD616B152F501EC8AD0552AB323DB5FAFD
23876053317B483E00DF829E5C57BBCA6F8CA01A87562EDF1769DBD542A8F6287EF
FC3
28
8366 HEX DIGITS of π – 3

…..2
AC6732C68C4F5573695B27B0BBCA58C8E1FFA35DB8F011A010FA3D98FD2183B84AF
CB56C2DD1D35B9A53E479B6F84565D28E49BC4BFB9790E1DDF2DAA4CB7E3362FB1
341CEE4C6E8EF20CADA36774C01D07E9EFE2BF11FB495DBDA4DAE909198EAAD8E7
16B93D5A0D08ED1D0AFC725E08E3C5B2F8E7594B78FF6E2FBF2122B648888B81290
0DF01C4FAD5EA0688FC31CD1CFF191B3A8C1AD2F2F2218BE0E1777EA752DFE8B021
FA1E5A0CC0FB56F74E818ACF3D6CE89E299B4A84FE0FD13E0B77CC43B81D2ADA8D
9165FA2668095770593CC7314211A1477E6AD206577B5FA86C75442F5FB9D35CFEB
CDAF0C7B3E89A0D6411BD3AE1E7E4900250E2D2071B35E226800BB57B8E0AF24643
69BF009B91E5563911D59DFA6AA78C14389D95A537F207D5BA202E5B9C583260376
6295CFA911C819684E734A41B3472DCA7B14A94A1B5100529A532915D60F573FBC9
BC6E42B60A47681E6740008BA6FB5571BE91FF296EC6B2A0DD915B6636521E7B9F9
B6FF34052EC585566453B02D5DA99F8FA108BA47996E85076A4B7A70E9B5B32944D
B75092EC4192623AD6EA6B049A7DF7D9CEE60B88FEDB266ECAA8C71699A17FF5664
526CC2B19EE1193602A575094C29A0591340E4183A3E3F54989A5B429D656B8FE4D
699F73FD6A1D29C07EFE830F54D2D38E6F0255DC14CDD20868470EB266382E9C602
1ECC5E09686B3F3EBAEFC93C9718146B6A70A1687F358452A0E286B79C5305AA500
7373E07841C7FDEAE5C8E7D44EC5716F2B8B03ADA37F0500C0DF01C1F040200B3FF
AE0CF51A3CB574B225837A58DC0921BDD19113F97CA92FF69432477322F547013AE
5E58137C2DADCC8B576349AF3DDA7A94461460FD0030EECC8C73EA4751E41E238C
D993BEA0E2F3280BBA1183EB3314E548B384F6DB9086F420D03F60A04BF2CB81290
24977C79
29
8366 HEX DIGITS of π – 3

…..3
5679B072BCAF89AFDE9A771FD9930810B38BAE12DCCF3F2E5512721F2E6B7124501
ADDE69F84CD877A5847187408DA17BC9F9ABCE94B7D8CEC7AEC3ADB851DFA63094
366C464C3D2EF1C18473215D908DD433B3724C2BA1612A14D432A65C45150940002
133AE4DD71DFF89E10314E5581AC77D65F11199B043556F1D7A3C76B3C11183B592
4A509F28FE6ED97F1FBFA9EBABF2C1E153C6E86E34570EAE96FB1860E5E0A5A3E2A
B3771FE71C4E3D06FA2965DCB999E71D0F803E89D65266C8252E4CC9789C10B36AC
6150EBA94E2EA78A5FC3C531E0A2DF4F2F74EA7361D2B3D1939260F19C279605223
A708F71312B6EBADFE6EEAC31F66E3BC4595A67BC883B17F37D1018CFF28C332DDE
FBE6C5AA56558218568AB9802EECEA50FDB2F953B2AEF7DAD5B6E2F841521B62829
076170ECDD4775619F151013CCA830EB61BD960334FE1EAA0363CFB5735C904C70A
239D59E9E0BCBAADE14EECC86BC60622CA79CAB5CABB2F3846E648B1EAF19BDF0C
AA02369B9655ABB5040685A323C2AB4B3319EE9D5C021B8F79B540B19875FA09995
F7997E623D7DA8F837889A97E32D7711ED935F166812810E358829C7E61FD696DED
FA17858BA9957F584A51B2272639B83C3FF1AC24696CDB30AEB532E30548FD948E4
6DBC312858EBF2EF34C6FFEAFE28ED61EE7C3C735D4A14D9E864B7E342105D14203
E13E045EEE2B6A3AAABEADB6C4F15FACB4FD0C742F442EF6ABBB5654F3B1D41CD2
105D81E799E86854DC7E44B476A3D816250CF62A1F25B8D2646FC8883A0C1C7B6A3
7F1524C369CB749247848A0B5692B285095BBF00AD19489D1462B17423820E00584
28D2A0C55F5EA1DADF43E233F70613372F0928D937E41D65FECF16C223BDB7CDE3
759CBEE74604085F2A7CE77326EA607808419F8509EE8EFD85561D99735A969A7AA
C50C06C25A04ABFC800BCADC9E447A2EC3453484FDD567050E1E9EC9DB73DBD310
5588CD
30
8366 HEX DIGITS of π – 3

…..4
675FDA79E3674340C5C43465713E38D83D28F89EF16DFF20153E21E78FB03D4AE6E39F2BDB83A
DF7E93D5A68948140F7F64C261C94692934411520F77602D4F7BCF46B2ED4A20068D4082471332
0F46A43B7D4B7500061AF1E39F62E9724454614214F74BF8B88404D95FC1D96B591AF70F4DDD36
6A02F45BFBC09EC03BD97857FAC6DD031CB850496EB27B355FD3941DA2547E6ABCA0A9A285078
25530429F40A2C86DAE9B66DFB68DC1462D7486900680EC0A427A18DEE4F3FFEA2E887AD8CB58
CE0067AF4D6B6AACE1E7CD3375FECCE78A399406B2A4220FE9E35D9F385B9EE39D7AB3B124E8B
1DC9FAF74B6D185626A36631EAE397B23A6EFA74DD5B43326841E7F7CA7820FBFB0AF54ED8FEB
397454056ACBA48952755533A3A20838D87FE6BA9B7D096954B55A867BCA1159A58CCA9296399E
1DB33A62A4A563F3125F95EF47E1C9029317CFDF8E80204272F7080BB155C05282CE395C11548E
4C66D2248C1133FC70F86DC07F9C9EE41041F0F404779A45D886E17325F51EBD59BC0D1F2BCC18
F41113564257B7834602A9C60DFF8E8A31F636C1B0E12B4C202E1329EAF664FD1CAD181156B239
5E0333E92E13B240B62EEBEB92285B2A20EE6BA0D99DE720C8C2DA2F728D012784595B794FD64
7D0862E7CCF5F05449A36F877D48FAC39DFD27F33E8D1E0A476341992EFF743A6F6EABF4F8FD37
A812DC60A1EBDDF8991BE14CDB6E6B0DC67B55106D672C372765D43BDCD0E804F1290DC7CC00
FFA3B5390F92690FED0B667B9FFBCEDB7D9CA091CF0BD9155EA3BB132F88515BAD247B9479BF7
63BD6EB37392EB3CC1159798026E297F42E312D6842ADA7C66A2B3B12754CCC782EF11C6A12423
7B79251E706A1BBE64BFB63501A6B101811CAEDFA3D25BDD8E2E1C3C9444216590A121386D90C
EC6ED5ABEA2A64AF674EDA86A85FBEBFE98864E4C3FE9DBC8057F0F7C08660787BF86003604DD
1FD8346F6381FB07745AE04D736FCCC83426B33F01EAB71B08041873C005E5F77A057BEBDE8AE2
4
31
8366 HEX DIGITS of π – 3

…..5
55464299BF582E614E58F48FF2DDFDA2F474EF388789BDC25366F9C3C8B38E74B475F25546FCD9
B97AEB26618B1DDF84846A0E79915F95E2466E598E20B457708CD55591C902DE4CB90BACE1BB8
205D011A862487574A99EB77F19B6E0A9DC09662D09A1C4324633E85A1F0209F0BE8C4A99A0251
D6EFE101AB93D1D0BA5A4DFA186F20F2868F169DCB7DA83573906FEA1E2CE9B4FCD7F5250115E
01A70683FAA002B5C40DE6D0279AF88C27773F8641C3604C0661A806B5F0177A28C0F586E00060
58AA30DC7D6211E69ED72338EA6353C2DD94C2C21634BBCBEE5690BCB6DEEBFC7DA1CE591D76
6F05E4094B7C018839720A3D7C927C2486E3725F724D9DB91AC15BB4D39EB8FCED54557808FCA
5B5D83D7CD34DAD0FC41E50EF5EB161E6F8A28514D96C51133C6FD5C7E756E14EC4362ABFCED
DC6C837D79A323492638212670EFA8E406000E03A39CE37D3FAF5CFABC277375AC52D1B5CB067
9E4FA33742D382274099BC9BBED5118E9DBF0F7315D62D1C7EC700C47BB78C1B6B21A19045B26
EB1BE6A366EB45748AB2FBC946E79C6A376D26549C2C8530FF8EE468DDE7DD5730A1D4CD04DC
62939BBDBA9BA4650AC9526E8BE5EE304A1FAD5F06A2D519A63EF8CE29A86EE22C089C2B84324
2EF6A51E03AA9CF2D0A483C061BA9BE96A4D8FE51550BA645BD62826A2F9A73A3AE14BA99586E
F5562E9C72FEFD3F752F7DA3F046F6977FA0A5980E4A91587B086019B09E6AD3B3EE593E990FD5
A9E34D7972CF0B7D9022B8B5196D5AC3A017DA67DD1CF3ED67C7D2D281F9F25CFADF2B89B5AD
6B4725A88F54CE029AC71E019A5E647B0ACFDED93FA9BE8D3C48D283B57CCF8D5662979132E28
785F0191ED756055F7960E44E3D35E8C15056DD488F46DBA03A161250564F0BDC3EB9E153C9057
A297271AECA93A072A1B3F6D9B1E6321F5F59C66FB26DCF3197533D928B155FDF5035634828ABA
3CBB28517711C20AD9F8ABCC5167CCAD925F4DE817513830DC8E379D58629320F991EA7A90C2F
B3E7BCE
32
8366 HEX DIGITS of π – 3
…..6
Extracted from the source code provided in BLOWFISH by MARKUS HAHN

5121CE64774FBE32A8B6E37EC3293D4648DE53696413E680A2AE0810DD6DB224698
52DFD09072166B39A460A6445C0DD586CDECF1C20C8AE5BBEF7DD1B588D40CCD2
017F6BB4E3BBDDA26A7E3A59FF453E350A44BCB4CDD572EACEA8FA6484BB8D6612
AEBF3C6F47D29BE463542F5D9EAEC2771BF64E6370740E0D8DE75B1357F8721671A
F537D5D4040CB084EB4E2CC34D2466A0115AF84E1B0042895983A1D06B89FB4CE6E
A0486F3F3B823520AB82011A1D4B277227F8611560B1E7933FDCBB3A792B344525B
DA08839E151CE794B2F32C9B7A01FBAC9E01CC87EBCC7D1F6CF0111C3A1E8AAC71
A908749D44FBD9AD0DADECBD50ADA380339C32AC69136678DF9317CE0B12B4FF79
E59B743F5BB3AF2D519FF27D9459CBF97222C15E6FC2A0F91FC719B941525FAE5936
1CEB69CEBC2A8645912BAA8D1B6C1075EE3056A0C10D25065CB03A442E0EC6E0E16
98DB3B4C98A0BE3278E9649F1F9532E0D392DFD3A0342B8971F21E1B0A74414BA33
48CC5BE7120C37632D8DF359F8D9B992F2EE60B6F470FE3F11DE54CDA541EDAD89
1CE6279CFCD3E7E6F1618B166FD2C1D05848FD2C5F6FB2299F523F357A632762393
A8353156CCCD02ACF081625A75EBB56E16369788D273CCDE96629281B949D04C509
01B71C65614E6C6C7BD327A140A45E1D006C3F27B9AC9AA53FD62A80F00BB25BFE2
35BDD2F671126905B2040222B6CBCF7CCD769C2B53113EC01640E3D338ABBD6025
47ADF0BA38209CF746CE7677AFA1C52075606085CBFE4E8AE88DD87AAAF9B04CF9A
A7E1948C25C02FB8A8C01C36AE4D6EBE1F990D4F869A65CDEA03F09252DC208E69F
B74E6132CE77E25B578FDFE33AC372E6
33
REFERENCES


http://www.herongyang.com/crypto/cipher_blowfish.
html
http://pocketbrief.net/related/BlowfishEncryption.pdf
34
TWOFISH
“Key dependent S-boxes are something new in a cipher design.”
-Pawel Chodowiec, Kris Gaj,
in ” Implementation of the Twofish Cipher Using FPGA Devices”, page 3,
http://bass.gmu.edu/crypto/Twofish_hardware.PDF, as of Nov 1, 2009
“There is no such thing as a key-dependent S-box, only a complicated
multi-stage nonlinear function that is implemented as a key-dependent
S-box for efficiency.”
--Bruce Schneier, John Kelsey, Doug Whiting, David
Wagner, Chris Hall, Niels Ferguson,
in ” Two fish: A 128-Bit Block Cipher”, page 57,
http://www.schneier.com/twofish.html , as of Nov 1, 2009
35
TwoFish






is a block cipher by Counterpane Labs, designed by Bruce
Schneier, John Kelsey, Doug Whiting, David Wagner, Chris
Hall, and Niels Ferguson, published in 1998.
one of the five Advanced Encryption Standard (AES)
finalists, and was not selected as AES.
unpatented, and the source code is uncopyrighted and
license-free;
uses Feistel structure
has a 128-bit block size,
a key size of 128, 192 or 256 bit
36
TwoFish

optimized for 32-bit CPUs. On most software platforms Twofish is slightly slower than
Rijndael for 128-bit keys, but somewhat faster for 256-bit keys.

Has a key schedule that can be precomputed for maximum speed, or computed onthe-fly for maximum agility and minimum memory requirements.

suitable for dedicated hardware applications: e.g. it has no large tables.

a block cipher, which can also be used as a

stream cipher,

one-way hash function,

MAC and

pseudo-random number generator.
(Reference: B. Schneier and D. Whiting,” A Performance Comparison of the Five AES
Finalists”, http://www.schneier.com/paper-aes-comparison.html)
37
Components used by TwoFish
four different 8-by-8-bit S-boxes:
1.
pre-computed and key-dependent
built using two fixed 8-by-8-bit permutations and key
material.


2.
Key-dependent MDS (maximum distance separable)
matrix:
Notes:
1. During encryption, the four bytes output from the four S-boxes is multiplied by a 4by-4 MDS matrix over GF(28). This matrix multiply is the principal diffusion
mechanism in Twofish.
2. For software implementation on a modern microprocessor, the MDS matrix multiply is
normally implemented using four lookup tables, each consisting of 256 32-bit words,
so the particular coefficients used in the matrix do not affect performance.
38
Components used by TwoFish
…2
3. 32-bit Pseudo-Hadamard transform (PHT)
to mix the outputs from its two parallel 32-bit g functions. This PHT can
be executed in two opcodes on most modern microprocessors,
including the Pentium family.
4. Whitening: the technique of xoring key material before the first
round and after the last round
Twofish xors a subkey before the first Feistel round, and another subkey after the last Feistel round. These subkeys are calculated in the
same manner as the round subkeys, but are not used anywhere else in
the cipher.
5. Key: Twofish can accept keys of any byte length up to 256 bits.
For key sizes, other than the three defined sizes of 128, 192
and 256 bits, the key is padded at the end with zero bytes to
the next larger length that is defined.
For example, an 80-bit key m0; : : : ;m9 would be extended by
setting mi = 0 for i = 10; : : : ; 15 and treating it as a 128-bit
key.
39
Writing plaintext of 128 bits as four 32-bit words


The plaintext is split into four 32-bit words.
The 16 bytes of plaintext p0; : : : ; p15 are first split into
4 words P0; : : : ; P3 of 32 bits each using the little-
endian convention.
P0
P1
P2
P3

= p3.224 + p2.216 + p1.28 + p0.20
= p7.224 + p6.216 + p5.28 + p4.20
= p11.224 + p10.216 + p9.28 + p8.20
= p15.224 + p14.216 + p13.28 + p12.20
Similarly the given key is used to generate 32-bit subkeys. The sub-keys are generated in pairs: K2i and K2i + 1
for i = 0 to i = n, where the value of n is defined in a later
slide to be 19.
40
Data Encryption Algorithm
1. Input Whitening step: The four data words Po …. P3 are xored
with four key words.
R0,i = Pi  Ki
i =0…3
The 16 Rounds use the function F.
2. Round # 0:
Function F has inputs of r = 0, R0,0 and R0,1
where r = Round #
Function F has two outputs called F0,0 and F0,1
Round # r: for 0 ≤ r ≤ 15
For the r-th round, the inputs would be r, Rr,0 and Rr,1
Function F has 3 steps for Rr,0 and 4 steps for Rr,1.
Function F has two outputs called Fr,0 and Fr,1
Fr,0, Fr,1 = F(Rr,0, Rr,1, r)
41
Outputs of round r:
Rr+1,0 = ROR(Fr,0 Rr,2 , 1)
where ROR(*,1) means a rotation to the right by one
bit.
 Rr+1,1 = ROL(Rr,3 , 1)  Fr,1
 Rr+1,2 = Rr,0
 Rr+1,3 = Rr,1
These will be the inputs for the next ( i.e. the (r+1)st)
round.

Note: The next slide shows the Data Encryption Algorithm process.
Reference: Figure 1, page 6 from Bruce Schneier, John Kelsey, Doug Whiting,
David Wagner, Chris Hall, Niels Ferguson,” Two fish: A 128-Bit Block Cipher”, 15
June 1998, http://www.schneier.com/twofish.html
42
43
Data Encryption Algorithm
….2
3. Undo the last swap of the 15th round.
4. Output Whitening:
Ci = = R16.(i+2)mod4  Ki+4 i =0…3
5. The four words of ciphertext are then
written as 16 bytes c0; : : : ; c15
using the same little-endian
conversion used for the plaintext.
ci =
44
Twofish Decryption
Decryption process:
1. Apply subkeys in the reverse order.
2. Since we are moving from C
(ciphertext) towards P (Plaintext), some
of the processes have to be re-adjusted
a little, as shown in the Figure on the
next slide.
45
Differences between the
Twofish Encryption and Decryption processes
(a) Encryption
(b) Decryption
46
FUNCTION F
The function F is a key-dependent permutation on 64-bit values.
INPUTS: two 32-bit input words R0 and R1, and the round number r.
Note: r is used to select the appropriate subkeys.



R0 is passed through the g function, which yields T0.
R1 is rotated left by 8 bits and then passed through the g function
to yield T1.
 T0 = g(R0)
 T1 = g(ROL(R1; 8))
The results T0 and T1 are then combined in a PHT and two words
of the expanded key are added.
32
 F0 = (T0 + T1 + K2r+8) mod 2
32
 F1 = (T0 + 2T1 + K2r+9) mod 2
where (F0; F1) is the result of F.
47
FUNCTION g
1.
The INPUT word X is split into four bytes x0, x1, x2 and x3.
2.
Each byte is run through its own key-dependent S-box to
produce 8 bits of output.
yi = Si[xi]
3.
for i = 0…..3
The four results are interpreted as a vector of length 4 over
GF(28), and multiplied by the 4x4 MDS matrix (using the field
GF(28) for the computations).
y] = (y0, y1, y2, y3)
z] = (z0, z1, z2, z3)
z] = [MDS] y]
The resulting vector z] is interpreted as a 32-bit word which is the
OUTPUT of g.
Z = z0.28.0 + z1.28.1 + z2.28.2 + z3.28.3
48
Notes about FUNCTION g
….2
NOTES:
 We represent GF(28) as GF(2)[x]/v(x)
where v(x) = x8+x6+x5+x3+1 is a primitive polynomial of
degree 8 over GF(2).
8
 Addition in GF(2 ) corresponds to a xor of the bytes.
 The MDS matrix is given by:
where the elements have been written as hexadecimal byte
values using the above defined correspondence.
49
Two Fish

KEY SCHEDULE:
Using the given key to define three vectors
The key schedule has to generate







40 words of expanded key K0; : : : ;K39
(4 words each for initial and the last whitening plus 2 words each
for each of the 16 rounds. )
the 4 key-dependent S-boxes used in the g function.
Designed for keys of length N = 128, N = 192, and N = 256.
Keys of any length shorter than 256 bits can be used by
padding them with zeroes until the next larger designed key
length.
Let k = N/64.
Thus k may have a value of 2, 3 or 4.
Each vector will have k elements. Each element is of 32-bits.
50
Two Fish
KEY SCHEDULE
Using the given key to define three vectors




…….2
The given key M consists of 8k bytes ( ie 16, 24 or 32)
m0; : : : ;m8k-1.
The bytes are first converted into 2k (ie 4, 6 or 8) words of 32
bits each, called M0, M1, M2, M3 …
and then into two word vectors of length k.
Me = (M0, M2, ……;M2k-2)
Mo = (M1, M3 ….M2k-1)
A third word-vector S of length k is also derived from the key.
For i = (k-1) …0, each 32-bit word Si is computed as follows:
 Take the key bytes in groups of 8, interpreting them as a
8x1 vector mi] over GF(28).
 Generate a 4x1 vector si] as follows:
si] = [RS]. mi]
where RS is a 4x8 matrix derived from the Reed–Solomon
code.
Consider the 4 byte-elements of si] into a 32-bit word Si
51
Two Fish
KEY SCHEDULE
Using the given key to define three vectors …..3

si] = [RS]. mi]
where
 si] is a 4x1 vector. si] = (si,0, si,1, si,2, si,3)
Note: si,3 is the MSB.




[RS] is a 4x8 matrix
mi] is a 8x1 vector with key bytes. mi]= (m8i, m8i+1,
……..m8i+7 ) with i varying from 0 to (k-1).
si] will yield 4 bytes, which can be combined into a
32-bit word Si
Example: A key of 128 bits has 16 bytes and two words S0 and
S1 will be created by this process.
52
Two Fish
KEY SCHEDULE
Using the given key to define three vectors
…..4

The 32-bit words Si can be put together in a word-vector S as
follows:
S = (Sk-1; Sk-2; : : : ; S0)

Note that S lists the words in “reverse" order.
For the RS matrix multiply, GF(28) is represented by GF(2)[x]/w(x),
where
w(x) = x8+x6+x3+x2+1
is another primitive polynomial of degree 8 over GF(2).
The three vectors Me, Mo and S are used for generating sub-keys.
53
Key Expansion
K2i and K2i+1

Me and Mo:
 word-vectors, as defined in slide 50.
 derived directly from the given key

For a 128-bit key, for example, M3, M2, M1 and M0 are 32-bit
parts, where M3 is the MS 32 bits and M0 is the LS 32 bits
Using h Function:

ρ = 224 + 216 + 28 + 20

Ai = h(2i ρ; Me)

Bi = ROL(h((2i + 1).ρ;Mo); 8)
The constant ρ: used here to duplicate bytes; it has the property
that for i = 0; : : : ; 255, the word i ρ consists of four equal
bytes, each with the value i.
54
Key Expansion
K2i and K2i+1 …….2
The values Ai and Bi are combined in a PHT. (The
second value is rotated by 9 bits.)
 K2i = (Ai + Bi) mod 232
 K2i+1 = ROL((Ai + 2Bi) mod 232; 9)
K2i and K2i+1 form two words of the expanded key. By
choosing i =0 to i = 19, all the 40 values of 32-bit
sub-keys can be generated.
Note: The function h uses two byte-substitution boxes, called q0
and q1, as shown on the next slide for an example of a 128-bit
key.
55
Key
Expansion Process for a 128-bit key
Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish Cipher Using
FPGA Devices”, page 6, http://bass.gmu.edu/crypto/Twofish_hardware.PDF, as of
Nov 1, 2009
…………3
56
FUNCTION h:
for a key of length 64.k
INPUT: A 32-bit word X and a word-vector L] = (…….L1,
L0) of length k
 OUTPUT: A 32-bit word Z
PROCESS of h:


k stages of the Function h:


After the k-stages: Finally,



Each stage: The four bytes of X are each passed through a fixed
Byte-Substitution-box, and xored with a byte derived from L].
the bytes are once again passed through a fixed Byte-Substitutionbox
and the four bytes are multiplied by the MDS matrix just as in g.
The output of this product is a 4-element byte-vector z].
OUTPUT:
57
FUNCTION h:




for a key of length 64.k
X is divided into 4 bytes yk,0, yk,1, yk,2, yk,3.
Similarly Li is divided into 4 bytes li,0, li,1, li,2, li,3.
If k = 4 we have
y3;0 = q1[y4;0]  l3;0
y3;1 = q0[y4;1]  l3;1
y3;2 = q0[y4;2]  l3;2
y3;3 = q1[y4;3]  l3;3
If k ≥ 3 we have
y2;0 = q1[y3;0]  l2;0
y2;1 = q1[y3;1]  l2;1
y2;2 = q0[y3;2]  l2;2
y2;3 = q0[y3;3]  l2;3
…2
58
FUNCTION h: for a key of length 64.k
….3
In all cases we have

y0 = q1[q0[q0[y2;0]  l1;0]  l0;0]

y1 = q0[q0[q1[y2;1]  l1;1]  l0;1]

y2 = q1[q1[q0[y2;2] l1;2]  l0;2]

y3 = q0[q1[q1[y2;3]  l1;3]  l0;3]
Here q0 and q1 are fixed permutations on 8-bit values that we
will define shortly.
The resulting 4x1 vector of yi's is multiplied by the MDS matrix,
just as in the g function to yield a new 4x1 vector z].
y] = (y0, y1, y2, y3)

z] = (z0, z1, z2, z3)
y3 is the MSB in the above vector.
z] = [MDS] y]

OUTPUT: 32-bit word Z –formed from z], as shown in slide 56.

59
FUNCTION h process: for a key of length 64.k
….4
Reference:Figure 2, page 9 from Bruce Schneier, John Kelsey, Doug Whiting, David
Wagner, Chris Hall, Niels Ferguson,” Two fish: A 128-Bit Block Cipher”, 15 June
1998, http://www.schneier.com/twofish.html
Xa
60
FUNCTION h process:
for a key of length 64.k
….5
Xa
61
FUNCTION h: for a key of length 64.k
….6
Notes: The multiplication is performed (byte by
byte) in the Galois field GF (28). The primitive
polynomial is x8 + x6 + x5 + x3 + 1.
where the MDS matrix is given by:

OUTPUT: A 32-bit word Z formed by
concatening 4 bytes of the vector z].
62
The Permutations q0 and q1









The permutations q0 and q1 are fixed permutations on 8-bit values.
They are constructed from four different 4-bit permutations each.
INPUT value x, we define the corresponding OUTPUT value y as
follows:
Split the INPUT byte x into two nibbles:
a1 = a0  b0
b1 = a0  ROR4(b0; 1)  8 a0 mod 16
Each nibble is passed through its own 4-bit fixed S-box:
a2; b2 = t0[a1]; t1[b1]
a 3 = a 2  b2
b3 = a2  ROR4(b2; 1)  8 a2mod 16
Again using the 4-bit fixed S-boxes:
a4; b4 = t2[a3]; t3[b3]
OUTPUT: Combine the two nibbles a4 and b4 into a byte:
y = 16 b4 + a4
63
Permutation q: Use appropriate t0, t1, t2 and t3 for q0 and q1.
Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish Cipher
Using FPGA Devices”, page 4, http://bass.gmu.edu/crypto/Twofish_hardware.PDF,
as of Nov 1, 2009
64
The Permutations q0 and q1
……..2
ROR4 rotates 4-bit values.
For the permutation q0 the 4-bit S-boxes are given by
t0 = [ 8 1 7 D 6 F 3 2 0 B 5 9 E C A 4 ]
t1 = [ E C B 8 1 2 3 5 F 4 A 6 7 0 9 D ]
t2 = [ B A 5 E 6 D 9 0 C 8 F 3 2 4 7 1 ]
t3 = [ D 7 F 4 1 2 6 E 9 B 3 0 8 5 C A ]
where each 4-bit S-box is represented by a list of the entries
using hexadecimal notation. (The entries for the inputs 0;
1; : : : ; 15 are listed in order.)
Similarly, for q1 the 4-bit S-boxes are given by
t0 = [ 2 8 B D F 7 6 E 3 1 9 4 0 A C 5 ]
t1 = [ 1 E 2 B 4 C 3 7 6 D A 5 F 9 0 8 ]
t2 = [ 4 C 7 5 1 6 9 A 0 E D 8 2 B 3 F ]
t3 = [ B 9 5 1 C 3 D E 6 4 7 F 2 0 8 A ]
65
Key dependent S-boxes
Y = S[X]
where both X and Y are 32 bit words.
Function h is used for generating Y from X.
Function h:

INPUT: A 32-bit word X and a word-vector L] = (…….L1, L0) of
length k

OUTPUT: A 32-bit word Z
L] = S]
Note: S] is obtained in slide 52.
Y = S[X] = h(X, S])
That is, for i = 0; : : : ; 3, the key-dependent S-box
Si is formed by the mapping from xi to yi in the h
function.
66
Key dependent S-boxes
for a 128-bit key ( i.e. k = 2)

Split X into four bytes a, b, c, d.
X1 =( q0[a], q1[b], q0[c], q1[d])

X2= X1 s0

s0 and s1 are from slide 51

Split X2 into four bytes a2, b2, c2, d2.
X3 =( q0[a2], q0[b2], q1[c2], q1[d2])

X4= X3 s1

67
Key dependent S-boxes
for a 128-bit key ( i.e. k = 2)
………2
 Split X4 into four bytes a4, b4, c4, d4.
 (a5, b5, c5, d5) =( q1[a4], q0[b4], q1[c4], q0[d4])
The four S-boxes are given as follows:
 a5 = q1[a4] = S0[a]
 b5 = q0[b4]= S1[b]
 c5 = q1[c4] = S2[c]
 d5 = q0[d4]= S3[d]
From slide 51
s0 = (s00, s01, s02, s03)
s1 = (s10, s11, s12, s13)
68
Key dependent S-boxes for a 128-bit key
………3
69
Key dependent S-boxes for a 128-bit key
Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish
Cipher Using FPGA Devices”, page 4,
http://bass.gmu.edu/crypto/Twofish_hardware.PDF, as of Nov 1, 2009 …4
70
Serpent
“ Finally, we considered making available cognate algorithms
with the same structure as Serpent but with block sizes of
(say) 64, 256 and 512 bits. In the end we decided not include
these in our submission for a number of reasons, of which by
far the most important was that we …..did not have the
resources to test variants with other block lengths with the
thoroughness that would have been appropriate.”
---Bruce Schneier, John Kelsey, Doug Whiting, David
Wagner, Chris Hall, Niels Ferguson,
” Two fish: A 128-Bit Block Cipher”, 15 June 1998,
http://www.schneier.com/twofish.html , as of Nov 1, 2009
71
Serpent Encryption Algorithm
Introduction






one of the five finalists of the AES contest
a 128-bit symmetric key block cipher
supports key sizes of 128-bits, 192-bits and 256-bits
32 round substitution-permutation network
For internal computation, all values are represented in
little-endian, where the first word (word 0) is the LSword, and the last word is the MS-word, and where bit
0 is the LS-bit of word 0.
16-round Serpent is as secure as triple-DES, and twice
as fast as DES; 32-round Serpent is even more secure
than triple-DES, and is as fast as DES. (Reference:
http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf page 4 as of 1st Nov 2009)
72
Serpent
The Algorithm


an initial permutation
32 rounds: In each round,




works on four 32-bit words
Key-mixing operation
applies one of its eight 4-bit to 4-bit S-boxes, 32 times, in
parallel
A linear transformation (except for the last round, where the
transformation is substituted with an additional mixing
operation)
a final permutation FP (which is the inverse of IP).
Note: Each of the eight substitution boxes is used in 4
rounds.

73
Serpent
The Key



The given key length: 128, 192 or 256 bits;
short keys with less than 256 bits are
mapped to full-length keys of 256 bits by
appending one “1" bit to the MSB end,
followed by as many “0" bits as required to
make up 256 bits.
Generates 33 128-bit subkeys K0; : : : ; K32.
74
Serpent
The Notation


The initial permutation IP: Bo = IP(P), where P is
the plaintext
The rounds 0 to 31:






First (0th) Round:
B1 = R0(B0),
i-th round:
Bi+1 = Ri(Bi) for i = 0 to 30
last (31st) round (in which the linear transformation is
replaced by an additional key mixing):
B32 =
R31(B31)
The Final permutation FP: C = FP(B32), where C is
the ciphertext.
Ri (X) = L(Si mod8(X  Ki) for i = 0 to 30, where L is
a linear transformation
R31 (X) = Si mod8(X  Ki)  K32 for i = 31
75
S-Boxes
Reference: http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf
page 21 as of 1st Nov 2009
Starting with the 32-rows of DES S-boxes, the S-boxes for Serpent
were created so that the resulting array has the desired differential and linear- properties:








S0:
S1:
S2:
S3:
S4:
S5:
S6:
S7:
3 8 15 1 10 6 5 11 14 13 4 2 7 0 9 12
15 12 2 7 9 0 5 10 1 11 14 8 6 13 3 4
8 6 7 9 3 12 10 15 13 1 14 4 0 11 5 2
0 15 11 8 12 9 6 3 13 1 2 4 10 7 5 14
1 15 8 3 12 0 11 6 2 5 4 10 9 14 7 13
15 5 2 11 4 10 9 12 0 3 14 8 13 6 7 1
7 2 12 5 8 4 6 11 14 9 1 15 13 3 10 0
1 13 15 0 14 8 2 11 7 4 12 10 9 3 5 6
76
Inverse S-Boxes
Reference: http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf
page 21 as of 1st Nov 2009








InvS0:
InvS1:
InvS2:
InvS3:
InvS4:
InvS5:
InvS6:
InvS7:
13 3 11 0 10 6 5 12 1 14 4 7 15 9 8 2
5 8 2 14 15 6 12 3 11 4 7 9 1 13 10 0
12 9 15 4 11 14 1 2 0 3 6 13 5 8 10 7
0 9 10 7 11 14 6 13 3 5 12 2 4 8 15 1
5 0 8 3 10 9 7 14 2 12 11 6 4 15 13 1
8 15 2 9 4 1 13 14 11 6 5 3 7 12 10 0
15 10 1 13 5 3 6 0 4 9 14 7 2 12 8 11
3 0 6 13 9 14 15 8 5 12 11 7 10 1 4 2
77
Linear Transformation (LT)
For i = 0 to 30: The four 32-bit output words from the
substitution box in a round are linearly mixed using LT:
 INPUT for LT: X0;X1;X2;X3 := Si(Bi  Ki)
 LT:





X0 := ROL(X0; 13);
X1 := X1  X0  X2;
X1 := ROL(X1 ;1);
X0 := X0  X1  X3;
X0 := ROL(X0; 5);
X2 := ROL(X2; 3)
X3 := X3  X2  ShL(X0; 3)
X3 := ROL(X3; 7)
X2 := X2  X3  ShL (X1; 7)
X2 := ROL(X2 ; 22)
OUTPUT from LT: Bi+1 := X0; X1; X2; X3
For i = 31: B32 := S7(B31  K31)  K32
78
Key Schedule




Requirement: 132 2-bit words of subkeys.
Padding: If the given key is less than 256 bits, append one “1" bit
to the MSB end, followed by as many “0" bits as required to make
up 256 bits
Write this 256-bit key as eight 32-bit words as
w−8, . . . , w−1
Expand the eight 32-bit words into 132 intermediate keys (called
pre-keys) by the following affine recurrence for i = 0 to 131:
wi := ROL((wi−8  wi−5  wi−3  wi−1  ɸ  i);11)
where ɸ = golden ratio =
or 0x9e3779b9.
The underlying polynomial x8 + x7 + x5 + x3 + 1 is primitive.
79
Key Schedule
…..2

Use S-boxes to get 33 round keys as follows:

Renumber to get 128-bit subkeys Ki for i from 0 to 32:
80
Decryption
For Decryption:
 The inverse of the S-boxes must be
used in the reverse order.
 The inverse linear transformation must
be used.
 The subkeys must be used in the
reverse order.
81