Smartzworld.com Smartworld.

asia

UNIT-2
Conventional encryption principles, conventional encryption algorithms, cipher block
modes of operation, location of encryption devices, key distribution approaches of message
authentication, secure hash functions and hmac

Conventional Encryption principles

A Symmetric encryption scheme has five ingredients

1. Plain Text: This is the original message or data which is fed into the algorithm as input.
2. Encryption Algorithm: This encryption algorithm performs various substitutions and transformations on
the plain text.
3. Secret Key: The key is another input to the algorithm. The substitutions and transformations performed
by algorithm depend on the key.

4. Cipher Text: This is the scrambled (unreadable) message which is output of the encryption algorithm.
This cipher text is dependent on plaintext and secret key. For a given plaintext, two different keys produce
two different cipher texts.
5. Decryption Algorithm: This is the reverse of encryption algorithm. It takes the cipher text and secret key
as inputs and outputs the plain text.

Two main requirements are needed for secure use of conventional encryption:

(i). A strong encryption algorithm is needed. It is desirable that the algorithm should be in such a way that,
even the attacker who knows the algorithm and has access to one or more cipher texts would be unable to
decipher the cipher text or figure out the key.
(ii).The secret key must be distributed among the sender and receiver in a very secured way. If in any way
the key is discovered and with the knowledge of algorithm, all communication using this key is readable.

19

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Cryptography
A cipher is a secret method of writing, as by code. Cryptography, in a very broad sense, is the
study of techniques related to aspects of information security. Hence cryptography is concerned with the
writing (ciphering or encoding) and deciphering (decoding) of messages in secret code. Cryptographic
systems are classified along three independent dimensions:

The type of operations used for performing plaintext to ciphertext

All the encryption algorithms make use of two general principles; substitution and transposition through
which plaintext elements are rearranged. Important thing is that no information should be lost.
The number of keys used
If single key is used by both sender and receiver, it is called symmetric, single-key, secret-key or
conventional encryption. If sender and receiver each use a different key, then it is called asymmetric, two-
key or public-key encryption.
The way in which plaintext is processed
A block cipher process the input as blocks of elements and generated an output block for each input block.
Stream cipher processes the input elements continuously, producing output one element at a time as it goes
along.

Cryptanalysis
The process of attempting to discover the plaintext or key is known as cryptanalysis. It is very difficult
when only the cipher text is available to the attacker as in some cases even the encryption algorithm is not
known. The most common attack under these circumstances is brute-force approach of trying all the possible
keys. This attack is made impractical when the key size is considerably large. The table below gives an idea on
types of attacks on encrypted messages.

20

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Cryptology covers both cryptography and cryptanalysis. Cryptology is a constantly evolving science; ciphers are
invented and, given time, are almost certainly breakable. Cryptanalysis is the best way to understand the subject
of cryptology. Cryptographers are constantly searching for the perfect security system, a system that is both fast
and hard and a system that encrypts quickly but is hard or impossible to break. Cryptanalysts are always
looking for ways to break the security provided by a cryptographic system, mostly though
mathematical understanding of the cipher structure.

Cryptography can be defined as the conversion of data into a scrambled code that can be deciphered and sent
across a public or a private network.
A Ciphertext-only attack is an attack with an attempt to decrypt ciphertext when only the ciphertext itself
is available.
A Known-plaintext attack is an attack in which an individual has the plaintext samples and its encrypted
version(ciphertext) thereby allowing him to use both to reveal further secret information like the key
A Chosen- plaintext attack involves the cryptanalyst be able to define his own plaintext, feed it into the
cipher and analyze the resulting ciphertext.
A Chosen-ciphertext attack is one, where attacker has several pairs of plaintext-ciphertext and ciphertext
chosen by the attacker.

An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain
enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext and time
is available to the opponent. Example for this type is One-time Pad.

An encryption scheme is computationally secure if the ciphertext generated by the scheme meets the following
criteria:
Cost of breaking cipher exceeds the value of the encrypted information.
Time required to break the cipher exceeds the useful lifetime of the information. The average
time required for exhaustive key search is given below:

Key Size Number of Time required at 1 Time required at

(bits) Alternative Keys decryption/µs 106 decryptions/µs

32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds

56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours

128 2128 = 3.4 1038 2127 µs = 5.4 1024 years 5.4 1018 years

21

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

168 2168 = 3.7 1050 2167 µs = 5.9 1036 years 5.9 1030 years

Feistel Cipher Structure

Most symmetric block ciphers are based on a Feistel Cipher Structure. It was first described by Horst Feistel of
IBM in 1973 and is still forms the basis for almost all conventional encryption schemes. It makes use of two
properties namely diffusion and confusion; identified by Claude Shannon for frustrating statistical cryptanalysis.
Confusion is basically defined as the concealment of the relation between the secret key and the cipher text. On
the other hand, diffusion is regarded as the complexity of the relationship between the plain text and the cipher
text.

22

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

The function of Feistel Cipher is shown in the above figure and can be explained by following steps:
The input to the encryption algorithm is a plaintext block of length 2w bits and a key K.
The plaintext block is divided into two halves: Li and Ri.
The two halves pass through n rounds of processing and then combine to produce the cipher text block
Each Round i has inputs Li-1 and Ri-1, derived from the previous round, as well as a unique subkey K i
generated by a sub-key generation algorithm.
All rounds have the same structure which involves substitution (mapping) on left half of data, which is
done by applying a round function F to right half of data and then taking
XOR of the output of that function and left half of data. The round function F is common to every round
but parameterized by round subkey Ki.
Then a permutation is performed that consists of interchange of the two halves of data.

For each round , compute

. Then the ciphertext is (Rn + 1,Ln + 1).

Decryption of a ciphertext (Rn + 1,Ln + 1) is accomplished by computing for

. Then (L0,R0) is the plaintext again.

The structure is a particular form of substitution-permutation network (SPN) proposed by Shannon. The
realization or development of a Feistel encryption scheme depends on the choice of the following parameters
and design features:
• Block size: larger block sizes mean greater security but slower processing. Block size of 64 bits has been
nearly universal in block cipher design.
• Key Size: larger key size means greater security but slower processing. Most common key length in
modern algorithms is 128 bits.
• Number of rounds: multiple rounds offer increasing security but slows cipher. Typical size is 16 rounds.
• Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis.
• Round Function: greater complexity will make cryptanalysis harder.
• Fast software en/decryption & ease of analysis: are more recent concerns for practical use and testing.

23

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Feistel Cipher Decryption

The process of decryption with a Fiestel cipher is same as the encyption process. Use the ciphertext as input to the
algorithm, but use the subkeys Ki in the reverse order. Use Kn in the first round and Kn-1 in the second round and so
on until k1 is used in the last round. Main advantage is we need not implement two different algorithms for
encryption and decryption.

The Fiestel cipher has the advantage that encryption and decryption operations are very similar, even
identical in some cases requiring only a reversal in the key schedule. Therefore, the size of the code or circuitry
required to implement such a cipher is nearly halved.

24

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Conventional Encryption Algorithms

Simplified DES
S-DES is a reduced version of the DES algorithm. It has similar properties to DES but deals with a much
smaller block and key size (operates on 8-bit message blocks with a 10-bit key). The S-DES decryption
algorithm takes an 8-bit block of ciphertext and the same 10-bit key used to produce that ciphertext as input and
produces the original 8-bit block of plaintext. S-DES scheme is shown below:

The encryption algorithm involves five functions: and initial permuatation(IP), a complex function labeled f k,
which involves both permutations and substitution operations and depends on a key input, a single permutation
function (SW) that switches the two halves of the data, the function f k again and finally a permutation function
that is inverse of the IP i.e. IP-1.

25

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

As shown in figure, the function fk takes the data from encryption function along with 8-bit key. The key is
choosen to be 10-bit length from which two 8-bit subkeys are generated. The initial 10-bit key is subjected to a
permutation (P10) followed by a shift operation. The output of this shift operation then passes through a
permutation function that produces an 8-bit output (P8) for the first key (k1) and also feeds into another shift
and another instance of P8 to produce the second subkey (k2). The encryption algorithm can be written as:

Ciphertext = IP-1 ( f k2(SW(f k1(IP(plaintext)))))

Where K1 = P8(shift(p10(key)))
K2 = P8(shift(shift(p10(key))))
Decryption is also shown in the above figure and can be given as:
Plaintext = IP-1 ( f k1(SW(f k2(IP(ciphertext)))))

Key Generation:
The key generation process is shown below:

As shown above, a 10-bit key shared between sender and receiver is used and fist passed through a permutation
P10.
The Switch Function:
This function interchanges the left and right 4 bits so that the second instance of fK operates on a different 4
bits. For second instance all other parameters remain same, but the key is K 2. The S-boxes operates as follows:-
The first and fourth input bits are treated as 2-bit numbers that specify a row of the S-box, and the second and
third input bits specify a column of S-box. The entry in that row and column in base2 is the 2-bit output.

26

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Data Encryption Standard

In 1974, IBM proposed "Lucifer", an encryption algorithm using 64-bit keys. Two years later (1977),
NBS (now NIST) in consultation with NSA made a modified version of that algorithm into a standard. DES
uses the two basic techniques of cryptography - confusion and diffusion. At the simplest level, diffusion is
achieved through numerous permutations and confusion is achieved through the XOR operation and the S-
Boxes. This is also called an S-P network The DES encryption scheme can be explained by the following
figure

27

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

The plain text is 64 bits in length and the key in 56 bits in length. Longer plain text amounts are processed
in 64-bit blocks. The main phases in the left hand side of the above figure i.e. processing of the plain text
are,
Initial Permutation (IP): The plaintext block undergoes an initial permutation. 64 bits of the block
are permuted.
A Complex Transformation: 64 bit permuted block undergoes 16 rounds of complex transformation.
Subkeys are used in each of the 16 iterations.
32-bit swap: The output of 16th round consists of 64bits that are a function of input plain text and key.32
bit left and right halves of this output is swapped.
Inverse Initial Permutation (IP-1): The 64 bit output undergoes a permutation that is inverse of the initial
permutation.
A Complex Transformation: 64 bit permuted block undergoes 16 rounds of complex transformation.
Subkeys are used in each of the 16 iterations.
32-bit swap: The output of 16th round consists of 64bits that are a function of input plain text and key.32
bit left and right halves of this output is swapped.
Inverse Initial Permutation (IP-1): The 64 bit output undergoes a permutation that is inverse of the initial
permutation.

The following figure shows a closer view of algorithms for a single iteration. The 64bit permuted input
passes through 16 iterations, producing an intermediate 64-bit value at the conclusion of each iteration.

The left and right halves of each 64 bit intermediate value are treated as separated 32-bit quantities labeled L
(left) and R (Right). The overall processing at each iteration is given by following steps, which form one round
in an S-P network.

28

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Li = Ri-1.
Ri = L i-1 F(R i-1, Ki )
Where Function F can be described as P(S( E(R(i-1)) K(i) ))

The left hand output of an iteration (Li) is equal to the right hand input to that iteration Ri-1. The right hand
output Ri is exclusive OR of Li-1 and a complex function F of Ri-1 and Ki. The fucntion F can be depicted by
the following figure. S1, S2-----S8 represent the ”S-boxes” , which maps each combination of 48 input bits into
a particular 32 bit pattern. For the generation of subkey of length 48 bits, a 56bit key is used which is first
passed through a permutation funciton and then halved to get two 28 bit quantities labeled C0 and D0. At each
iteration, these two C and D are subjected to a circular left shift or rotation of 1 or 2 bits. These shifted values
serve as input to the next iteration and also to another permutation function which produces a 48-bit output.
This output is fed as input to function
F(R i-1, Ki).

The first and last bits of the input to the box Si form a 2-bit binary number to select one of four substitutions
defined by the four rows in the table for Si. The middle 4-bits select a particular column. The decimal value in
the cell selected by the row and column is converted to its 4-bit representation to produce the output.

29

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as
output. The process of decryption with DES is essentially the same as the encryption process: no different
algorithm is used. The ciphertext is used as input to the DES algorithm and the keys are used in the reverse
order i.e. K16 in the first iteration, K15 on the second iteration and so on until k1 is used on the sixteenth and
last iteration.

Strength of DES:
Avalanche Effect: An effect in DES and other secret key ciphers where each small change in plaintext implies
that somewhere around half the ciphertext changes. The avalanche effect makes it harder to successfully
cryptanalyze the ciphertext. DES exhibits a strong Avalanche effect.
Concern about the strength of DES falls into two categories i.e. strength of algorithm itself and use of 56-
bit key. Though many attempts were made over the years to find and exploit weaknesses in the algorithm, none
of them were successful in discovering any fatal weakness in DES. A serious concern is with the key size as the
time passed the security in DES became getting compromised by the advent of supercomputers which
succeeded in breaking the DES quickly using a brute-force attack. If the only form of attack that could be made
on an encryption algorithm is brute force, the way of countering it is obviously using long keys. If a key of size
128 bits is used, it takes approximately 1018 years to break the code making the algorithm unbreakable by brute-
force approach.
The two analytical attacks on DES are Differential cryptanalysis and Linear cryptanalysis. Both make use
of Known plaintext-ciphertext pairs and try to attack the round structure and the S-Boxes. Recent advancements
showed that using Differential cryptanalysis, DES can be broken using 2 47 plaintext-ciphertext pairs and for
linear cryptanalysis, the number is even reduced to 2 41.

Triple DES
The first answer to problems of DES is an algorithm called Double DES which includes double encryption with
two keys. It increases the key size to 112 bits, which seems to be secure. But, there are some problems
associated with this approach.
issue of reduction to single stage:
In other words, could there be a key K3 such that EK2 (EK21(P))= EK3(P)?
“meet-in-the-middle” attack:
Works when given a known (P,C) pair
since X = EK1(P) = DK2(C)
attack by encrypting P with all 256 keys K1and store
then decrypt C with all possible 256 keys K2 and match X value

30

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Triple DES was the answer to many of the shortcomings of DES. Since it is based on the DES algorithm, it is
very easy to modify existing software to use Triple DES. 3DES was developed in 1999 by IBM – by a team led
by Walter Tuchman. 3DES prevents a meet-in-the-middle attack. 3DES has a 168-bit key and enciphers blocks
of 64 bits. It also has the advantage of proven reliability and a longer key length that eliminates many of the
shortcut attacks that can be used to reduce the amount of time it takes to break DES. 3DES uses three keys and
three executions of the DES algorithm. The function follows an encrypt-decrypt-encrypt (EDE) sequence.

Where C= ciphertext, P= plaintext and

EK[X] = encryption of X using key K
DK[Y] = decryption of Y using key K
Decryption is simply the same operation with the keys reversed

Triple DES runs three times slower than standard DES, but is much more secure if used properly. With three
distinct keys, TDEA has an effective key length of 168 bits making it a formidable algorithm. As the underlying
algorithm is DEA, it offers the same resistance to cryptanalysis as is DEA.
Triple DES can be done using 2 keys or 3 keys.

31

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Advanced Encryption Standard

AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range
of applications. The drawbacks of 3DES being it is very slow and also it uses 64-bit block size same as DES. For
reasons of both efficiency and security, a larger key size is desirable. So, NIST (National Institute of Standards and
Technology) has called for proposals for a new AES, which should have security strength equal to or better than
3DES and significantly, improved efficiency. NIST specified that AES must be a symmetric block cipher with a
block length of 128 bits and support for key lengths of 128, 192, and 256 bits.

Out of all the algorithms that were submitted, five were shortlisted and upon final evaluation, NIST selected
Rijndael as the proposed AES algorithm. The two researchers who developed and submitted Rijndael for the AES
are both cryptographers from Belgium: Dr. Joan
Daemen and Dr. Vincent Rijmen.

AES Evaluation:
There are three main categories of criteria used by NIST to evaluate potential candidates.
Security: Resistance to cryptanalysis, soundness of math, randomness of output, etc
Cost: Computational efficiency (speed), Memory requirements
Algorithm/Implementation Characteristics: Flexibility, hardware and software suitability, algorithm
simplicity

Simplified AES
The encryption algorithm takes a 16-bit block of plaintext as input and a 16-bit key and produces a 16-bit block
of ciphertext as output. The S-AES decryption algorithm takes a 16-bit block of ciphertext and the same 16-bit key
used to produce that ciphertext as input and produces the original 16-bit block of plaintext as output. The encryption
algorithm involves the use of four different functions, or transformations: add key (A K) nibble substitution (NS), shift
row (SR), and mix column (MC).
The encryption algorithm can be expressed as:

, so that AK0 is applied first.

The encryption algorithm is organized into three rounds. Round 0 is simply an add key round; round 1 is a
full round of four functions; and round 2 contains only 3 functions. Each round includes the add key function, which
makes use of 16 bits of key. The initial 16-bit key is expanded to 48 bits, so that each round uses a distinct 16-bit
round key. S- AES encryption and decryption scheme is shown below.

32

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Each function operates on a 16-bit state, treated as a 2 x 2 matrix of nibbles, where one nibble equals 4 bits.
The initial value of the state matrix is the 16-bit plaintext; the state matrix is modified by each subsequent function in
the encryption process, producing after the last function the 16-bit ciphertext. The following figure shows the
ordering of nibbles within the matrix is by column. So, for example, the first eight bits of a 16-bit plaintext input to
the encryption cipher occupy the first column of the matrix, and the second eight bits occupy the second column. The
16-bit key is similarly organized, but it is somewhat more convenient to view the key as two bytes rather than four
nibbles The expanded key of 48 bits is treated as three round keys, whose bits are labelled as follows: K 0 = k0...k15; K1
= k16...k31; K2 = k32...k47.

33

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

The following figure shows the essential elements of a full round of S-AES. The decryption as shown above can
be given as:

in which three of the functions have a corresponding inverse function: inverse nibble substitution (INS), inverse shift
row (ISR), and inverse mix column (IMC).

S-AES Encryption and Decryption

The individual functions that are part of the encryption algorithm are given below.
Add Key

The add key function consists of the bitwise XOR of the 16-bit state matrix and the 16-bit round key. As shown in the
above example, it can also be viewed as a nibble-wise or bitwise operation. The inverse of the add key function is
identical to the add key function, because the XOR operation is its own inverse.
Nibble Substitution
The nibble substitution function is a simple table lookup. AES defines a 4 x 4 matrix of nibble values, called an S-box
that contains a permutation of all possible 4-bit values. Each individual nibble of the state matrix is mapped into a
new nibble in the following way: The leftmost 2 bits of the nibble are used as a row value and the rightmost 2 bits are
used as a column value. These row and column values serve as indexes into the S-box to select a unique 4-bit output
value. For example, the hexadecimal value A references row 2, column 2 of the S-box, which contains the value 0.
Accordingly, the value A is mapped into the value 0.

34

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

For the example, after nibble substitution, the output is

35

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

Shift Row
The shift row function performs a one-nibble circular shift of the second row of the state matrix; the first row is not
altered. Our example is shown below:

The inverse shift row function is identical to the shift row function, because it shifts the second row back to its original
position.

Mix Column
The mix column function operates on each column individually. Each nibble of a column is mapped into a new value
that is a function of both nibbles in that column. The transformation can be defined by the following matrix
multiplication on the state matrix.

Where arithmetic is performed in GF(24), and the symbol · refers to multiplication in GF(2 4). The example is shown
below:

The inverse mix column function is defined as follows:

Key Expansion
For key expansion, the 16 bits of the initial key are grouped into a row of two 8-bit words. The following figure shows
the expansion into 6 words, by the calculation of 4 new words from the initial 2 words. The algorithm is as follows:

36

jntuworldupdates.org Specworld.in
Smartzworld.com Smartworld.asia

RCON is a round constant, defined as follows: RC[i] = xi + 2, so that RC[1]=x3=1000 and RC[2]=x4 mod (x4 + x + 1)
= x + 1 = 0011. RC[i] forms the leftmost nibble of a byte, with the rightmost nibble being all zeros. Thus, RCON(1) =
10000000 and RCON(2) = 00110000.

For example, suppose the key is 2D55 = 0010 1101 0101 0101 = w0w1. Then,

The S-Box

The S-box is constructed as follows:

Initialize the S-box with the nibble values in ascending sequence row by row. The first row contains the hexadecimal
values 0, 1, 2, 3; the second row contains 4, 5, 6, 7; and so on. Thus, the value of the nibble at row i, column j is 4i + j.
Treat each nibble as an element of the finite field GF(24) modulo x4 +x + 1. Each nibble a0a1a2a3 represents a
polynomial of degree 3.
Map each byte in the S-box to its multiplicative inverse in the finite field GF(2 4) modulo x4 + x + 1; the value 0 is
mapped to itself.
Consider that each byte in the S-box consists of 4 bits labeled (b0, b1, b2, b3). Apply the following transformation to
each bit of each byte in the S-box: The AES standard depicts this transformation in matrix form as follows:

The prime (') indicates that the variable is to be updated by the value on the right. Remember that addition and
multiplication are being calculated modulo 2.

37

jntuworldupdates.org Specworld.in