Name of the subject: Cryptography and Network Security Sub Code: EC E14

Name of the Faculty: A.Vijayalakshmi Yr/Sem/Sec:IV/VII/

Date: Day: Hour:1

UNIT-II

Symmetric Ciphers: Model of conventional cryptosystem - Substitution techniques-

Transposition techniques-Block Cipher Principles-Data Encryption Standard –Strength of DES-
Advanced Encryption Standard -Block cipher design principles-Block cipher modes of
operation.-Triple DES-RC4 Stream cipher.

MODEL OF CONVENTIONAL CRYPTOSYSTEM:

Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.

Encryption algorithm: The encryption algorithm performs various substitutions and

transformations on the plaintext.

Secret key: The secret key is also input to the encryption algorithm. The key is a value
independent of the plaintext and of the algorithm. The algorithm will produce a different output
depending on the specific key being used at the time. The exact substitutions and
transformations performed by the algorithm depend on the key.

Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and
the secret key. For a given message, two different keys will produce two different ciphertexts.
The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.

Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the
cipher text and the secret key and produces the original plaintext.

Fig.1 Simplified Model of Conventional Cryptography

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 1
There are two requirements for secure use of conventional encryption:

1. We need a strong encryption algorithm. At a minimum, we would like the algorithm to be

such that an opponent who knows the algorithm and has access to one or more ciphertexts
would be unable to decipher the ciphertext or figure out the key. This requirement is usually
stated in a stronger form: The opponent should be unable to decrypt ciphertext or discover
the key even if he or she is in possession of a number of ciphertexts together with the
plaintext that produced each ciphertext.

2. Sender and receiver must have obtained copies of the secret key in a secure fashion and
must keep the key secure. If someone can discover the key and knows the algorithm, all
communication using this key is readable.

Fig.2 Model for Conventional CryptoSystem

A source produces a message in plaintext, X = [X 1, X2, … , XM] where M are the number of
letters in the message. A key of the form K = [K 1, K2, …, KJ] is generated. If the key is generated
at the source, then it must be provided to the destination by means of some secure channel.
With the message X and the encryption key K as input, the encryption algorithm forms the
cipher text Y = [Y1, Y2, …, YN].

This can be expressed as Y = E K(X) The intended receiver, in possession of the key, is able to
invert the transformation: X = DK(Y) An opponent, observing Y but not having access to K or X,
may attempt to recover X or K or both. It is assumed that the opponent knows the encryption
and decryption algorithms. If the opponent is interested in only this particular message, then the
focus of effort is to recover X by generating a plaintext estimate. Often if the opponent is
interested in being able to read future messages as well, in which case an attempt is made to
recover K by generating an estimate.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 2
 Name of the subject: Cryptography and Network Security Sub Code: EC E14
Name of the Faculty: A.Vijayalakshmi Yr/Sem/Sec:IV/VII/
Date: Day: Hour:2
SUBSTITUTION TECHNIQUES:

A substitution technique is one in which the letters of plaintext are replaced by other letters or by
numbers or symbols.1 If the plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with ciphertext bit patterns.

Caesar Cipher

The earliest known, and the simplest, use of a substitution cipher was by Julius Caesar.The
Caesar cipher involves replacing each letter of the alphabet with the letter standing three places
further down the alphabet. For example,

Plain : meet me after the toga party

Cipher :PHHW PH DIWHU WKH WRJD SDUWB

Note that the alphabet is wrapped around, so that the letter following Z is A. The transformation
can be defined by listing all possibilities,

Plain: abcdefghIjklmnopqrstuvwxyz

Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC

Then the algorithm can be expressed as follows. For each plaintext letter , substitute the
ciphertext letter

A shift may be of any amount, so that the general Caesar algorithm is

where takes on a value in the range 1 to 25.The decryption algorithm is simply

If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily
performed by simply trying all the 25 possible keys. Fig.3 below shows the results of applying
this strategy to the example ciphertext. In this case, the plaintext leaps out as occupying the
third line.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 3
 Fig.3 Brute force crypt analysis of Cease

MONOAPLHABETIC CIPHERS:

With only 25 possible keys, the Caesar cipher is far from secure. A dramatic increase in the key
space can be achieved by allowing an arbitrary substitution. The term permutation is defined as
a finite set of elements in an ordered sequence of all the elements of, with each element
appearing exactly once.
For example if there are six permutations abc, acb, bac, bca, cab, cba.

There are n! permutations of a set of elements, because the first element can be chosen in one
of n ways, the second in ways, the third in ways.
Recall the assignment for the Caesar cipher:

Plain: abcdefghIjklmnopqrstuvwxyz
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC

 If instead the cipher line can be any permutation of the 26 alphabetic characters, then there
are 26! or greater than possible keys. This is 10 orders of magnitude greater than the
key space for DES(Data Encryption Standard) and would seem to eliminate brute-force
techniques for cryptanalysis. Such an approach is referred to as a monoalphabetic
substitution cipher, because a single cipher alphabet (mapping from plain alphabet to cipher

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 4
 alphabet) is used per message. Monoalphabetic ciphers are easy to break because they
reflect the frequency data of the original alphabet.

 A countermeasure is to provide multiple substitutes, known as homophones, for a single

letter. For example, the letter e could be assigned a number of different cipher symbols, such
as 16, 74, 35, and 21, with each homophone assigned to a letter in rotation or randomly. If
the number of symbols assigned to each letter is proportional to the relative frequency of that
letter, then single-letter frequency information is completely obliterated.

Playfair cipher: The best known multiple letter encryption cipher is the playfair, which treats
digrams in the plaintext as single units and translates these units into cipher text digrams. The
playfair algorithm is based on the use of 5x5 matrix of letters constructed using a keyword. Let
the keyword be “monarchy”. The matrix is constructed by filling in the letters of the keyword
(minus duplicates) from left to right and from top to bottom, and then filling in the remainder of
the matrix with the remaining letters in alphabetical order. The letter ‘i’ and ‘j’ count as one letter.
Plaintext is encrypted two letters at a time according to the following rules:

 Repeating plaintext letters that would fall in the same pair are separated with a filler
letter such as ‘x’.
 Plaintext letters that fall in the same row of the matrix are each replaced by the letter to
the right, with the first element of the row following the last.
 Plaintext letters that fall in the same column are replaced by the letter beneath, with the
top element of the column following the last.
 Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the
column occupied by the other plaintext letter..

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Plaintext = meet me at the school house

Splitting two letters as a unit => me et me at th es ch ox ol ho us ex

Corresponding cipher text => CL KL CL RS PD IL HY AV MP HF XL IU

Strength of playfair cipher

 Playfair cipher is a great advance over simple mono alphabetic ciphers.

 Since there are 26 letters, 26x26 = 676 diagrams are possible, so identification of
individual digram is more difficult.
 Frequency analysis is much more difficult.

Hill cipher: The encryption algorithm takes m successive plaintext letters and substitutes for
them m ciphertext letters. The substitution is determined by m linear equations in which each
character is assigned a numerical value (a = 0, b = 1 ... z = 25). For m = 3, the system can be
described as follows:

C1 = (k11P1 + k12P2 + k13P3) mod 26

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 5
 C2 = (k21P1 + k22P2 + k23P3) mod 26

C3 = (k31P1 + k32P2 + k33P3) mod 26

This can be expressed in term of column vectors and matrices:

= mod 26

C = KP mod 26

where C and P are column vectors of length 3, representing the plaintext and ciphertext, and K
is a 3 x3 matrix, representing the encryption key. Operations are performed mod 26.

For example, consider the plaintext "paymoremoney" and use the encryption key

K=

The first three letters of the plaintext are represented by the vector

Then C= mod 26=

Decryption requires using the inverse of the matrix K. The inverse K1 of a matrix K is defined by
the equation KK-1 = K-1K = I, where I is the matrix that is all zeros except for ones along the
main diagonal from upper left to lower right. The inverse of a matrix does not always exist, but
when it does, it satisfies the preceding equation.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 6
 Name of the subject: Cryptography and Network Security Sub Code: EC E14
Name of the Faculty: A.Vijayalakshmi Yr/Sem/Sec:IV/VII/
Date: Day: Hour:3
SUBSTITUTION TECHNIQUES:

Polyalphabetic ciphers: Another way to improve on the simple monoalphabetic technique is

to use different monoalphabetic substitutions as one proceeds through the plaintext message.
The general name for this approach is polyalphabetic cipher. All the techniques have the
following features in common.

 A set of related monoalphabetic substitution rules are used

 A key determines which particular rule is chosen for a given transformation.

Vigenere Cipher: The best known and one of the simplest, polyalphabetic ciphers is the
Vigenère cipher. In this scheme, the set of related monoalphabetic substitution rules consists of
the 26 Caesar ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter, which
is the ciphertext letter that substitutes for the plaintext letter a. Thus, a Caesar cipher with a shift
of 3 is denoted by the key value .

Vigenere Cipher can be expressed in the following manner,

A sequence of plain text letters, P = p 1, p2, p3,….. pn-1 and key consisting of a sequence of
letters, K= k1, k2, k3, …….km-1 where m < n.The sequence of cipher texts letters, C = c 1, c2, c3,
…..cn-1.

Thus, the first letter of the key is added to the first letter of the plaintext, mod 26, the second
letters are added, and so on through the first m letters of the plaintext. For the next m letters of
the plaintext, the key letters are repeated. This process continues until all of the plaintext
sequence is encrypted. A general equation of the encryption process is,

A general equation of the encryption process is,

To encrypt a message, a key is needed that is as long as the message. Usually,the key is a
repeating keyword.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 7
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Vernam Cipher:

Fig.4 Vernam Cipher

The ciphertext is generated by performing the bitwise XOR of the plaintext and the key.
Because of the properties of the XOR, decryption simply involves the same bitwise operation:

The essence of this technique is the means of construction of the key. Vernam proposed the
use of a running loop of tape that eventually repeated the key, so that in fact the system worked
with a very long but repeating keyword. Although such a scheme, with a long key, presents
formidable cryptanalytic difficulties, it can be broken with sufficient ciphertext, the use of known
or probableplaintext sequences, or both.

One time pad: Here a random key as long as the message is selected so that the key need not
be repeated. The key is used to encrypt and decrypt a message and is then discarded. Each
new message requires a new key of the same length as the new message. Such a scheme,
known as a one-time pad, is unbreakable. It produces random output that bears no statistical
relationship to the plaintext. Because the ciphertext contains no information whatsoever about
the plaintext, there is simply no way to break the code.

Consider a ciphertext,
ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS

Two different decryptions using two different keys:

ciphertext: ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
key: pxlmvmsydofuyrvzwc tnlebnecvgdupahfzzlmnyih
plaintext: mr mustard with the candlestick in the hall

ciphertext: ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
key: mfugpmiydgaxgoufhklllmhsqdqogtewbqfgyovuhwt

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 8
plaintext: miss scarlet with the knife in the library

The one-time pad offers complete security but, in practice, has two fundamental difficulties:

1. There is the practical problem of making large quantities of random keys. Any heavily used
system might require millions of random characters on a regular basis. Supplying truly random
characters in this volume is a significant task.
2. Even more daunting is the problem of key distribution and protection. For every message to
be sent, a key of equal length is needed by both sender and receiver.Thus, a mammoth key
distribution problem exists.

Transposition Techniques

All the techniques examined so far involve the substitution of a cipher text symbol for a plaintext
symbol. A very different kind of mapping is achieved by performing some sort of permutation on
the plaintext letters. This technique is referred to as a transposition cipher.

Rail fence is simplest of such cipher, in which the plaintext is written down as a sequence of
diagonals and then read off as a sequence of rows.

Plaintext = meet at the school house

To encipher this message with a rail fence of depth 2,

we write the message as follows: m e a t e c o l o s e t t h s h o h u e

The encrypted message is MEATECOLOSETTHSHOHUE

Row Transposition Ciphers-A more complex scheme is to write the message in a rectangle,
row by row, and read the message off, column by column, but permute the order of the columns.
The order of columns then becomes the key of the algorithm. e.g., plaintext = meet at the school
house.

Key = 4 3 1 2 5 6 7

PT = m e e t a t t h e s c h o o l h o u s e

CT = ESOTCUEEHMHLAHSTOETO

A pure transposition cipher is easily recognized because it has the same letter frequencies as
the original plaintext. The transposition cipher can be made significantly more secure by
performing more than one stage of transposition. The result is more complex permutation that is
not easily reconstructed.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 9
 Name of the subject: Cryptography and Network Security Sub Code: EC E14
Name of the Faculty: A.Vijayalakshmi Yr/Sem/Sec:IV/VII/
Date: Day: Hour:4

BLOCK CIPHER PRINCIPLES:

 Many symmetric block encryption algorithms in current use are based on a structure referred
to as a Feistel block cipher. A stream cipher is one that encrypts a digital data stream one bit
or one byte at a time.
 Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam
cipher. In the ideal case, a one-time pad version of the Vernam cipher would be used in
which the keystream ki is long as the plain text stream pi.
 If the cryptographic keystream is random, then this cipher is unbreakable by any means other
than acquiring the keystream.
 The keystream must be provided to both users in advance via some independent and secure
channel. This introduces insurmountable logistical problems if the intended data traffic is very
large.
 In this approach as shown in the figure below the bit-stream generator is a key-controlled
algorithm and must produce a bit stream that is cryptographically strong. Now, the two users
need only share the generating key, and each can produce the keystream.

Fig.5 Stream Cipher

A block cipher is one in which a block of plaintext is treated as a whole and used to produce a
ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used. As with a
stream cipher, the two users share a symmetric encryption key as shown in the figure below.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 10
 Fig.6 Block Cipher

Fig.7 n-bit block substitution

 A 4‐bit input produces 16 possible i/p states which is mapped by the substitution cipher into
unique one of the possible o/p states
 Practical problems - Easy to build for small block size, n=4 but vulnerable to attacks. If n is
large mapping of plaintext to ciphertext is allowed, statistical characteristics of the mapping
is masked but infeasible.

FIESTAL STRUCTURE

 Feistel proposed an approximate the simple substitution cipher by utilizing the concept of a
product cipher, which is the performing of two or more basic ciphers in sequence in such a
way that the final result or product is cryptographically stronger than any of the component
ciphers.
 In particular, Feistel proposed the use of a cipher that alternates substitutions and
permutations.

Diffusion These are measures to thwart cryptanalysis based on statistical analysis.

In diffusion, the statistical structure of the plaintext is dissipated into long range
statistics of the ciphertext. This is achieved by having each plaintext letter affect the

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 11
 value of many ciphertext digits, which is equivalent to saying that each ciphertext
digit is affected by many plaintext digits. An example of diffusion is to encrypt a
message M=m1,m2,m3,.. of characters with an averaging operation:

adding k successive letters to get a ciphertext letter y n. The letter frequencies in the
ciphertext will be more nearly equal than in the plaintext (structure dissipated).

Confusion seeks to make the relationship between the statistics of the ciphertext and and
the value of the encryption key as complex as possible. This is achieved by the use of a
complex substitution algorithm. These operations became the cornerstone of modern block
cipher design.

Fig.8 Feistal Structure

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 12
 The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
The plaintext block is divided into 2 halves, L0 and R0. The 2 halves of the data pass
through n rounds of processing and the combine to produce the ciphertext block. Each
round i has as inputs L i-1 and Ri-1, derived from the previous round, as well as a subkey K i,
derived from the overall K. In general, the subkeys K i are different from K and from each
other.

Fig.9 Feistel encryption and decryption

Encryption: All rounds have the same structure. A substitution is performed on the left half
of the data. This is done by applying a round function F to the right half of the data and then
taking exclusive –OR of the output of that function and the left half of the data. The round
function has the same general structure for each round but is parameterized by the round
subkey K i. Following this substitution, a permutation is performed that consists of the
interchange of the two halves of the data. This structure is a particular form of the
substitution-permutation network (SPN) proposed by Shannon.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 13
 The exact realization of a Feistel network depends on the choice of the following parameters
and design features:

Lock size: large size means greater security but greater overhead (64, 128 bits)

Key size: large size means greater security but greater overhead (64, 128 bits)

Number of rounds: multiple rounds increase security (16 rounds)

Subkey generation algorithm: greater complexity – more secure

Round function: greater complexity – more secure

Fast software encryption/decryption: speed of execution becomes a concern

Ease of analysis: it should be difficult to cryptanalyze, but easy to analyze for cryptanalytic
vulnerabilities.

Decryption: Let, REi – data travelling through encryption, L Di, RDi – data travelling through
decryption. Output of i th encryption round is LEi||REi (concatenation). To simplify the diagram,
it is untwisted, not showing the swap that occurs at the end of each interaction. But
intermediate result at the end of ith stage of the encryption process is the 2w-bit L Ei||REi, and
the intermediate result at the end of the ith stage of decryption is L Di||RDi. Then the
corresponding input to (16-i)th decryption round is LEi||REi, or, equivalently, RD16-i ||LD16-i. Let’s
prove that.

After the last iteration, the two halves are swapped, so that the ciphertext is R E16||LE16. Now
take the ciphertext and use it as input to the same algorithm. The input to the 1 st round is
RE16||LE16, which is equal to the 32-bit swap of the output of the 16 th round of the encryption
process. Now we show that the output of the 1 st round of the decryption process is equal to
a 32-bit swap of the output of the 15th round of the encryption process. First, consider
encryption process,

LE16=RE15

RE16=LE15+F(RE15,K16)

On the decryption side,

LD1=RD0=LE16=RE15

RD1=LD0+F(RD0,K16)=RE16+F(RE15,K16)=

[LE15+F(RE15,K16)]+F(RE15,K16)=LE15

Thus, we have

LD1=RE15

RD1=LE15,

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 14
 So, we got that output of the 1 st stage of decryption process is equal to 32-bit swap of the
15th round of the encryption process: LD1||RD1=RE15||LE15, and continuing these
considerations, we come to

LDi||RDi=RE(16-i)||LE(16-i).

Also, we can write

LEi=RE(i-1)

REi=LE(i-1)+F(RE(i-1),Ki)

or

RE(i-1)=LEi

LE(i-1)=REi+F(RE(i-1),Ki)= REi+F(LEi,Ki)

and these equations confirm the assignments shown in the right-hand side of Figure 3.6.

Output of the last round of the decryption process is

LD16||RD16=RE0||LE0

A 32-bit swap recovers the original plaintext. Note that the derivation does not require that F
be a reversible function (for example, it may be a constant value 1).

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 15
DES ENCRYPTION AND DECRYPTION:

The S-DES encryption algorithm takes an 8-bit block of plaintext (example: 10111101) and a
10-bit key as input and produces an 8-bit block of ciphertext as output. The S-DES decryption
algorithm takes an 8-bit block of ciphertext and the same 10-bit key used to produce that
ciphertext as input and produces the original 8-bit block of plaintext.

The encryption algorithm involves five functions:

 an initial permutation (IP)

 a complex function labeled fk, which involves both permutation and substitution
operations and depends on a key input
 a simple permutation function that switches (SW) the two halves of the data
 the function fk again
 a permutation function that is the inverse of the initial permutation

The function fk takes as input not only the data passing through the encryption algorithm, but
also an 8-bit key. Here a 10-bit key is used from which two 8-bit subkeys are generated. The
key is first subjected to a permutation (P10). Then a shift operation is performed. The output of
the shift operation then passes through a permutation function that produces an 8-bit output
(P8) for the first subkey (K1). The output of the shift operation also feeds into another shift and
another instance of P8 to produce the second subkey (K2).

The encryption algorithm can be expressed as a composition of functions:

 IP-1 fK SW fk1 IP Which can also be written as

 Ciphertext = IP-1 (fK2 (SW (fk1 (IP (plaintext)))))

 Where K1 = P8 (Shift (P10 (Key)))

 K2 = P8 (Shift (shift (P10 (Key))))

 Decryption can be shown as Plaintext = IP-1 (fK1 (SW (fk2 (IP (ciphertext)))))

Name of the subject: Cryptography and Network Security Sub Code: EC E14
Name of the Faculty: A.Vijayalakshmi Yr/Sem/Sec:IV/VII/

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 16
 Date: Day: Hour:5

Fig.10 DES Encryption and Decryption

Figure below illustrates key generation of S-DES. S-DES depends on the use of a 10-bit key
shared between sender and receiver. From this key, two 8-bit subkeys are produced for use in
particular stages of the encryption and decryption algorithm. First, permute the key in the
following fashion. Let the 10-bit key be designated as (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10).
Then the permutation P10 is defined as: P10 (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5,
K2, k7, k4, k10 10, k1, k9, k8, k6) P10 can be concisely defined by the display:

P10
3 5 2 7 4 10 1 9 8 6
A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 17
 Fig.11DES key generation

This table is read from left to right; each position in the table gives the identity of the input bit
that produces the output bit in that position. So the first output bit is bit 3 of the input; the second
output bit is bit 5 of the input, and so on.

For example, the key (1010000010) is permuted to (10000 01100). Next, perform a circular left
shift (LS-1), or rotation, separately on the first five bits and the second five bits. In our example,
the result is (00001 11000). Next apply P8, which picks out and permutes 8 of the 10 bits
according to the following rule:

P8
6 3 7 4 8 5 10 9

The result is subkey 1 (K1). In our example, this yields (10100100). Then go back to the pair of
5-bit strings produced by the two LS-1 function and performs a circular left shift of 2 bit positions
on each string. In our example, the value (00001 11000) becomes (00100 00011). Finally, P8 is
applied again to produce K2. In our example, the result is (01000011).

S-DES encryption involves the sequential application of five functions. Initial and Final
Permutations The input to the algorithm is an 8-bit block of plaintext, which we first permute using the
IP function:

IP
2 6 3 1 4 8 5 7

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 18
This retains all 8 bits of the plaintext but mixes them up. Consider the plaintext to be 11110011.

Permuted output = 10111101

At the end of the algorithm, the inverse permutation is used:

IP-1
4 1 3 5 7 2 8 6
The Function fk :

The most complex component of S-DES is the function fk, which consists of a combination of
permutation and substitution functions. The functions can be expressed as follows. Let L and R
be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to f K, and let F be a mapping (not
necessarily one to one) from 4-bit strings to 4-bit strings. Then let

fk(L, R) = ( L ⊕F( R, SK), R)

Where SK is a subkey and ⊕ is the bit-by-bit exclusive-OR function. e.g., permuted output =
1011 1101 and suppose F (1101, SK) = (1110) for some key SK. Then f K(10111101) =
10111110, 1101 = 01011101. We now describe the mapping F. The input is a 4-bit number (n1
n2 n3 n4).

The first operation is an expansion/permutation operation:

EP
4 1 2 3 2 3 4 1

e.g., R= 1101 E/P output = 11101011

The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit number that specify
a row of the S-box, and the second and third input bits specify a column of the S-box. The entry in that
row and column, in base 2, is the 2-bit output. For example, if (p0,0 p0,3) = ) (00) and ( p0,1 p0,2) = (10),
then the output is from row 0, column 2 of S0, which is 3, or (11) in ) binary. Similarly, (p1,0 p1,3) and
( p1,1 p1,2) are used to index into a row and column of S1 to produce an additional 2 bits. Next, the 4
bits produced by S0 and S1 undergo a further permutation as follows:

P4
2 4 3 1

The output of P4 is the output of the function F.

The Switch Function The function f K only alters the leftmost 4 bits of the input. The switch
function (SW) interchanges the left and right 4 bits so that the second instance of f K operates
on a different 4 bits. In this second instance, the E/P, S0, S1, and P4 functions are the same.
The key input is K2. Finally apply inverse permutation to get the ciphertext.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 19
STRENGTH OF DES

With a key length of 56 bits, there are possible keys, which is approximately
keys. Thus, on the face of it, a brute-force attack appears impractical.It is important to note that
there is more to a key-search attack than simply running through all possible keys. Unless
known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. If the
message is just plain text in English, then the result pops out easily, although the task of
recognizing English would have to be automated. If the text message has been compressed
before encryption, then recognition is more difficult. And if the message is some more general
type of data, such as a numerical file, and this has been compressed, the problem becomes
even more difficult to automate. Thus, to supplement the brute-force approach, some degree of
knowledge about the expected plaintext is needed, and some means of automatically
distinguishing plaintext from garble is also needed.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 20
AES ORIGIN:

The principal drawback of 3DES (which was recommended in 1999, Federal Information
Processing Standard FIPS PUB 46-3 as new standard with 168-bit key) is that the algorithm is
relatively sluggish in software. A secondary drawback is the use of 64-bit block size. For
reasons of both efficiency and security, a larger block size is desirable.

In 1997, National Institute of Standards and Technology NIST issued a call for proposals for a
new Advanced Encryption Standard (AES), which should have security strength equal to or
better than 3DES, and significantly improved efficiency. In addition, NIST also specified that
AES must be a symmetric block cipher with a block length of 128 bits and support for key
lengths of 128, 192, and 256 bits.

In a first round of evaluation, 15 proposed algorithms were accepted. A 2 nd round narrowed to 5

algorithms. NIST completed its evaluation process and published a final standard (FIPS PUB
197) in November, 2001. NIST selected Rijndael as the proposed AES algorithm. The 2
researches of AES are Dr. Joan Daemon and Dr. Vincent Rijmen from Belgium.

AES EVALUATION:

Algorithm and implementation characteristics – this includes variety of considerations, including

flexibility, suitability for hardware and software implementations, simplicity.

Name of the subject: Cryptography and Network Security Sub Code: EC E14
Name of the Faculty: A.Vijayalakshmi Yr/Sem/Sec:IV/VII/
Date: Day: Hour:6
Additional criteria include: general security, software implementations, restricted-space
environments, hardware implementations, attacks on implementation (timing attacks),
encryption versus decryption, key agility, flexibility, potential for instruction-level parallelism.

AES CIPHER

Add Round Key Transformation:

The forward add round key transformation, called Add Round Key, the 128 bits of State are
bitwise XORed with the 128 bits of the round key. As shown in Figure the operation is viewed
as a column wise operation between the 4 bytes of a State column and one word of the round
key; it can also be viewed as a byte-level operation.

The following is an example of AddRoundKey:

The first matrix is State, and the second matrix is the round key.

The inverse add round key transformation is identical to the forward add round key
transformation, because the XOR operation is its own inverse.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 21
The add round key transformation is as simple as possible and affects every bit of State. The
complexity of the round key expansion, plus the complexity of the other stages of AES, ensure
security.

Fig.12 AES Byte Level Operation

Key Expansion Algorithm

The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear
array of 44 words (176 bytes). This is sufficient to provide a 4-word round key for the initial Add
Round Key stage and each of the 10 rounds of the cipher.

The following pseudocode describes the expansion:

The key is copied into the first four words of the expanded key. The remainder of the expanded
key is filled in four words at a time. Each added word w[i] depends on the immediately
preceding word, w[i1], and the word four positions back, w[i 4]. In three out of four cases, a
simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex
function is used. The function g consists of the following sub functions:

 Rot Word performs a one-byte circular left shift on a word. This means that an input
word [b0, b1, b2, b3] is transformed into [b1, b2, b3, b0].
 Sub Word performs a byte substitution on each byte of its input word, using the S-box.
 The result of steps 1 and 2 is XORed with a round constant, Rcon[j].

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 22
 Fig.13 AES Key Generation

The round constant is a word in which the three rightmost bytes are always 0. Thus the effect of
an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word. The
round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1]
= 1, RC[j] = 2 · RC[j -1] and with multiplication defined over the field GF(28). The values of RC[j]
in hexadecimal are

J 1 2 3 4 5 6 7 8 9 10
Rc[j] 01 02 04 08 10 20 40 80 1B 36

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 23
AES ENCRYPTION AND DECRYPTION

Fig.13 AES Encryption and Decryption

1.AES instead processes the entire data block as a single matrix during each round using
substitutions and permutation.

2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i].
Four distinct words (128 bits) serve as a round key for each round;

3. Four different stages are used, one of permutation and three of substitution: Substitute bytes:
Uses an S-box to perform a byte-by-byte substitution of the block

• ShiftRows: A simple permutation

• MixColumns: A substitution that makes use of arithmetic over

• AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 24
4. The structure is quite simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each includes all four stages, followed by a
tenth round of three stages.

5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and
ends with an AddRoundKey stage.Any other stage, applied at the beginning or end, is reversible
without knowledge of the key and so would add no security.

6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. The other three stages together provide confusion, diffusion, and nonlinearity, but by
themselves would provide no security because they do not use the key.We can view the cipher
as alternating operations of XOR GF(28 ) encryption (AddRoundKey) of a block, followed by
scrambling of the block (the other three stages), followed by XOR encryption, and so on.This
scheme is both efficient and highly secure.

7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages,
an inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse
is achieved by XORing the same round key to the block, using the result that .

8. As with most block ciphers, the decryption algorithm makes use of the expanded key in
reverse order. However, the decryption algorithm is not A B B = A identical to the encryption
algorithm. This is a consequence of the particular structure of AES.

9. Once it is established that all four stages are reversible, it is easy to verify that decryption
does recover the plaintext. Figure 5.3 lays out encryption and decryption going in opposite
vertical directions. At each horizontal point (e.g., the dashed line in the figure), State is the same
for both encryption and decryption.

10. The final round of both encryption and decryption consists of only three stages. Again, this is
a consequence of the particular structure of AES and is required to make the cipher reversible.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 25
 Name of the subject: Cryptography and Network Security Sub Code: EC E14
Name of the Faculty: A.Vijayalakshmi Yr/Sem/Sec:IV/VII/
Date: Day: Hour:7

BLOCK CIPHER

A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a

whole and used to produce a ciphertext block of equal length.

Many block ciphers have a Feistel structure. Such a structure consists of a number of identical
rounds of processing. In each round, a substitution is performed on one half of the data being
processed, followed by a permutation that interchanges the two halves. The original key is
expanded so that a different key is used for each round.

The Data Encryption Standard (DES) has been the most widely used encryption algorithm until
recently. It exhibits the classic Feistel structure.DES uses a 64-bit block and a 56-bit key.

Two important methods of cryptanalysis are differential cryptanalysis and linear

cryptanalysis.DES has been shown to be highly resistant to these two types of attack.

BLOCK CIPHER DESIGN PRINCIPLES

DES DESIGN CRITERIA:

The criteria used in the design of DES, focused on the design of the S-boxes and on the P
function that takes the output of the S-boxes
The criteria for the S-boxes are as follows,

1. No output bit of any S-box should be too close a linear function of the input bits.
Specifically, if we select any output bit and any subset of the six input bits, the fraction of
inputs for which this output bit equals the XOR of these input bits should not be close to 0
or 1, but rather should be near 1/2.
2. Each row of an S-box (determined by a fixed value of the leftmost and rightmost input bits)
should include all 16 possible output bit combinations.
3. If two inputs to an S-box differ in exactly one bit, the outputs must differ in at least two bits.
4. If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at
least two bits.
5. If two inputs to an S-box differ in their first two bits and are identical in their last two bits,
the two outputs must not be the same.
6. For any nonzero 6-bit difference between inputs, no more than eight of the 32 pairs of
inputs exhibiting that difference may result in the same output difference.
7. This is a criterion similar to the previous one, but for the case of three S-boxes.

The criteria for the permutation P are as follows.

1. The four output bits from each S-box at round are distributed so that two of them affect
(provide input for) “middle bits” of round (i+1) and the other two affect end bits. The two middle

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 26
bits of input to an S-box are not shared with adjacent S-boxes. The end bits are the two left-
hand bits and the two right-hand bits, which are shared with adjacent S-boxes.

2. The four output bits from each S-box affect six different S-boxes on the next round, and no
two affect the same S-box.

3. For two S-boxes j,k, if an output bit from affects a middle bit of on the next round, then
output bit from cannot affect a middle bit of . This implies that, for j=k , an output bit from
must not affect a middle bit of .

TRIPLE DES:

In cryptography, Triple DES (3DES), officially the Triple Data Encryption Algorithm (TDEA or
Triple DEA), is a symmetric-key block cipher, which applies the Data Encryption Standard
(DES) cipher algorithm three times to each data block.

The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was
designed, but the availability of increasing computational power made brute-force attacks
feasible. Triple DES provides a relatively simple method of increasing the key size of DES to
protect against such attacks, without the need to design a completely new block cipher
algorithm.

3-KEY Triple DES

Before using 3TDES, user first generate and distribute a 3TDES key K, which consists of three
different DES keys K1, K2 and K3. This means that the actual 3TDES key has length 3×56 = 168
bits. The encryption scheme is illustrated as follows,

Fig.14 Encryption and Decryption

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 27
The encryption-decryption process is as follows −

 Encrypt the plaintext blocks using single DES with key K1.
 Now decrypt the output of step 1 using single DES with key K2.

 Finally, encrypt the output of step 2 using single DES with key K3.

 The output of step 3 is the ciphertext.

 Decryption of a ciphertext is a reverse process. User first decrypt using K 3, then encrypt
with K2, and finally decrypt with K1.

Due to this design of Triple DES as an encrypt–decrypt–encrypt process, it is possible to use a

3TDES (hardware) implementation for single DES by setting K 1, K2, and K3 to be the same value.
This provides backwards compatibility with DES.

Second variant of Triple DES (2TDES) is identical to 3TDES except that K 3is replaced by K1. In
other words, user encrypt plaintext blocks with key K 1, then decrypt with key K2, and finally
encrypt with K1 again. Therefore, 2TDES has a key length of 112 bits.

Triple DES systems are significantly more secure than single DES, but these are clearly a much
slower process than encryption using single DES.

The Triple Data Encryption Algorithm:

 Triple DES uses a "key bundle" that comprises three DES keys, K1, K2 and K3, each of
56 bits (excluding parity bits). The encryption algorithm is:
 ciphertext = EK3(DK2(EK1(plaintext)))
 I.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3.
 Decryption is the reverse:
 plaintext = DK1(EK2(DK3(ciphertext)))
 I.e., decrypt with K3, encrypt with K2, then decrypt with K1.
 Each triple encryption encrypts one block of 64 bits of data.
 In each case the middle operation is the reverse of the first and last. This improves the
strength of the algorithm when using keying option 2, and provides backward
compatibility with DES with keying option 3.

KEYING OPTIONS:

Keying option 1
All three keys are independent.
Keying option 2
K1 and K2 are independent, and K3 = K1.
Keying option 3
All three keys are identical, i.e. K1 = K2 = K3.

Keying option 1 is the strongest, with 3 × 56 = 168 independent key bits.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 28
Keying option 2 provides less security, with 2 × 56 = 112 key bits. This option is stronger than
simply DES encrypting twice, e.g. with K 1 and K2, because it protects against meet-in-the-middle
attacks.

Keying option 3 is equivalent to DES, with only 56 key bits. It provides backward compatibility
with DES, because the first and second DES operations cancel out. It is no longer
recommended by the National Institute of Standards and Technology (NIST),[6] and is not
supported by ISO/IEC 18033-3.

Each DES key is nominally stored or transmitted as 8 bytes, each of odd parity, so a key bundle
requires 24 bytes for option 1, 16 for option 2, or 8 for option 3.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 29
 Name of the subject: Cryptography and Network Security Sub Code: EC E14
Name of the Faculty: A.Vijayalakshmi Yr/Sem/Sec:IV/VII/
Date: Day: Hour:8

RC4 STREAM CIPHER

The RC4 Encryption Algorithm, developed by Ronald Rivest of RSA, is a shared key stream
cipher algorithm requiring a secure exchange of a shared key. The symmetric key algorithm is
used identically for encryption and decryption such that the data stream is simply XORed with
the generated key sequence. The algorithm is serial as it requires successive exchanges of
state entries based on the key sequence. Hence implementations can be very computationally
intensive. The RC4 encryption algorithm is used by standards such as IEEE 802.11 within
WEP (Wireless Encryption Protocol) using 40 and 128-bit keys.

In the RC4 encryption algorithm, the key stream is completely independent of the plaintext used.
An 8 * 8 S-Box (S0 S255), where each of the entries is a permutation of the numbers 0 to 255,
and the permutation is a function of the variable length key. There are two counters i, and j, both
initialized to 0 used in the algorithm.

The algorithm uses a variable length key from 1 to 256 bytes to initialize a 256-byte state table.
The state table is used for subsequent generation of pseudo-random bytes and then to generate
a pseudo-random stream which is XORed with the plaintext to give the ciphertext. Each element
in the state table is swapped at least once.

The key is often limited to 40 bits, because of export restrictions but it is sometimes used as a
128 bit key. It has the capability of using keys between 1 and 2048 bits. RC4 is used in many
commercial software packages such as Lotus Notes and Oracle Secure SQL.

The algorithm works in two phases, key setup and ciphering. Key setup is the first and most
difficult phase of this encryption algorithm. During a N-bit key setup (N being your key length),
the encryption key is used to generate an encrypting variable using two arrays, state and key,
and N-number of mixing operations. These mixing operations consist of swapping bytes,
modulo operations, and other formulas. A modulo operation is the process of yielding a
remainder from division. For example, 11/4 is 2 remainder 3, therefore eleven mod four would
be equal to three.

RC4 generates a pseudo-random stream of bits (a key-stream). As with any stream cipher,
these can be used for encryption by combining it with the plaintext using bit-wise exclusive-or.
Decryption is performed the same way (since exclusive-or is a symmetric operation).

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 30
 Fig.15 Look up stage of RC4

The lookup stage of RC4. The output byte is selected by looking up the values of S(i) and S(j),
adding them together modulo 256, and then looking up the sum in S; S(S(i) + S(j)) is used as a
byte of the key-stream, K.

Strengths of RC4

 The difficulty of knowing where any value is in the table.

 The difficulty of knowing which location in the table is used to select each value in the
sequence.

 A particular RC4 Algorithm key can be used only once.

 Encryption is about 10 times faster than DES.

Limitations of RC4

 One in every 256 keys can be a weak key. These keys are identified by cryptanalysis
that is able to find circumstances under which one of more generated bytes are strongly
correlated with a few bytes of the key.

A.Vijayalakshmi, Associate Professor, Department of ECE, Sri Manakula Vinayagar Engineering College 31