Block Ciphers

Dhananjoy Dey

Indian Institute of Information Technology, Lucknow


[email protected]

February 2, 2021

Dhananjoy Dey (Indian Institute of Information Technology, [email protected]), Block Ciphers, February 2, 2021, slide 1 / 88
Disclaimers

1
All the pictures used in this presentation are taken from freely available
websites.

2
If there is a reference on a slide all of the information on that slide is
attributable to that source whether quotation marks are used or not.

3
Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement nor does it imply that the products mentioned are
necessarily the best available for the purpose.

Outline

1 Introduction

2 Feistel Network
DES

3 SPN
AES

4 Modes of Operation

Introduction

What is a Block Cipher?

Block Cipher
A block cipher is a family of functions

    $f_K : P_A^{n} \to C_A^{m}$,

such that for each key $K \in \mathcal{K}$ the mapping $f_K$ is invertible (an 'invertible mapping' exists for $f_K$).

Definition
A mapping $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, written $f_K(\cdot)$ for a key $K \in \{0,1\}^k$, is called a block cipher with block size $n$ bits and key size $k$ bits if $f_K(\cdot)$ is a bijection for each $K \in \{0,1\}^k$, i.e., if $f_K^{-1}(\cdot)$ exists with $f_K^{-1}(f_K(x)) = x$ for each $K \in \{0,1\}^k$ and $x \in \{0,1\}^n$.

Simple Substitution

Example (figure only; the substitution table is not reproduced in the text)
Permutation on Block of Characters

Example
AAAA AAAB AAAC ··· ZZZZ
QAQZ WIJT ENTO ··· MIHB

'code book'
If the blocks are large enough, frequency analysis becomes infeasible: already for 4-letter blocks the code book has 26^4 = 456,976 entries, and no single block recurs often enough in a message to give usable statistics.

Block Cipher

Avoid transport and storage of a huge table: introduce a computation rule that generates the table entries on demand,

    $T[X] = f_{key}(X)$.

Design a "good" rule $f$:
  Secure
  Efficient

Block Cipher

A block cipher with an $n$-bit block and a $k$-bit key selects a subset of (at most) $2^k$ permutations from all $2^n!$ permutations on $n$-bit strings.

Attack Models

An attack model is a set of assumptions about how attackers might interact with a cipher and what they can and cannot do. The goals of an attack model are:
  To set requirements for cryptographers who design ciphers, so that they know which attackers and which kinds of attacks to protect against.
  To give guidelines to users about whether a cipher will be safe to use in their environment.
  To provide clues for cryptanalysts who attempt to break ciphers, so that they know whether a given attack is valid. An attack is only valid if it is doable in the model considered.

"All models are wrong; the practical question is how wrong do they have to be to not be useful." (George E. P. Box)

Security Goals

Cryptographers define two main security goals:

Indistinguishability (IND): ciphertexts should be indistinguishable from random strings.

Non-malleability (NM): given a ciphertext C_1 = E(K, P_1), it should be impossible to create another ciphertext C_2 whose corresponding plaintext P_2 is related to P_1 in a meaningful way.

Even-Mansour

Even and Mansour, Asiacrypt '91: a block cipher built from a single fixed public permutation $\pi_1$ and two $n$-bit whitening keys,

    $E_{K_1,K_2}(x) = \pi_1(x \oplus K_1) \oplus K_2$.

  Fixed public permutation $\pi_1$; only $K_1$ and $K_2$ are secret
  Indistinguishable from a random permutation for up to about $2^{n/2}$ queries when the adversary $A$ has access to $\pi_1$
  Key-recovery attack with about $2^{n/2}$ chosen plaintexts and $2^{n/2}$ evaluations of $\pi_1$ by Daemen, Asiacrypt '91
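Added example (not from the slides): a toy Even-Mansour cipher on 16-bit blocks and Daemen's differential key-recovery attack run against it. The public permutation is a seeded table shuffle standing in for a real permutation; the key values, the query counter and the four extra check plaintexts are this example's own choices.

```python
import random

N_BITS = 16                    # toy block size; a real instance would use n = 128
HALF = N_BITS // 2             # the attack costs about 2^(n/2) on each side
MASK = (1 << N_BITS) - 1


def make_public_permutation(seed=2021):
    """Return (pi, pi_inverse) for a fixed public n-bit permutation pi_1.

    A seeded shuffle stands in for a real cryptographic permutation.  Both
    tables are public; the only secrets in Even-Mansour are K1 and K2.
    """
    pi = list(range(1 << N_BITS))
    random.Random(seed).shuffle(pi)
    pi_inv = [0] * len(pi)
    for x, y in enumerate(pi):
        pi_inv[y] = x
    return pi, pi_inv


def em_encrypt(pi, k1, k2, x):
    """Even-Mansour encryption: E(x) = pi_1(x xor K1) xor K2."""
    return pi[(x ^ k1) & MASK] ^ k2


def em_decrypt(pi_inv, k1, k2, y):
    """Even-Mansour decryption: D(y) = pi_1^{-1}(y xor K2) xor K1."""
    return pi_inv[(y ^ k2) & MASK] ^ k1


class CountingOracle:
    """Chosen-plaintext encryption oracle that counts its queries."""

    def __init__(self, pi, k1, k2):
        self._pi, self._k1, self._k2 = pi, k1, k2
        self.queries = 0

    def __call__(self, x):
        self.queries += 1
        return em_encrypt(self._pi, self._k1, self._k2, x)


def daemen_key_recovery(pi, oracle, delta=1):
    """Daemen's differential key recovery against Even-Mansour.

    For any input difference delta the cipher satisfies
        E(x) ^ E(x ^ delta) = pi(x ^ K1) ^ pi((x ^ K1) ^ delta),
    which K2 cancels out of.  Tabulate the left side for the 2^(n/2)
    plaintexts x whose high half is zero, evaluate the public pi on the
    2^(n/2) values y whose low half is zero, and look for equal differences:
    exactly one (x, y) pair has y = x ^ K1, giving K1 = x ^ y and then
    K2 = E(x) ^ pi(x ^ K1).  (The pair with y = x ^ K1 ^ delta matches too,
    hence the second candidate.)  Chance matches are weeded out with a few
    extra known plaintext/ciphertext pairs.
    """
    # Phase 1: 2^(n/2) chosen-plaintext pairs (x, x ^ delta), x < 2^(n/2).
    table = {}
    for x in range(1 << HALF):
        table.setdefault(oracle(x) ^ oracle(x ^ delta), []).append(x)

    # A few extra queries used only to confirm a candidate key.
    check = [(v, oracle(v)) for v in (0x1234, 0xBEEF, 0x0F0F, 0x5555)]

    # Phase 2: 2^(n/2) offline evaluations of pi on (y, y ^ delta), y a multiple of 2^(n/2).
    for y in range(0, 1 << N_BITS, 1 << HALF):
        d = pi[y] ^ pi[y ^ delta]
        for x in table.get(d, ()):
            for k1 in (x ^ y, x ^ y ^ delta):
                k2 = oracle(x) ^ pi[x ^ k1]
                if all(em_encrypt(pi, k1, k2, v) == c for v, c in check):
                    return k1, k2
    return None


if __name__ == "__main__":
    pi, pi_inv = make_public_permutation()
    k1, k2 = 0xC3A5, 0x5A3C
    oracle = CountingOracle(pi, k1, k2)
    print("recovered", daemen_key_recovery(pi, oracle), "after", oracle.queries, "queries")
```

With n = 16 the attack needs about 2 · 2^8 chosen plaintexts and 2 · 2^8 permutation look-ups instead of the 2^32 of a search over (K1, K2); the structured choice of x (high half zero) and y (low half zero) guarantees that one pair satisfies y = x ⊕ K1, so the 2^{n/2} bound is hit deterministically rather than on average.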

Iterative Block Ciphers


An iterative block cipher consists of $r$ consecutive applications of simpler key-dependent transforms (rounds):

    $f = f_r \circ f_{r-1} \circ \cdots \circ f_2 \circ f_1$

Block Cipher Primitives

Claude Elwood Shannon

C. E. SHANNON,
Communication Theory of Secrecy Systems, 1949.

Block Cipher Primitives: Confusion and Diffusion

Confusion is intended to make the relationship between the key and the ciphertext as complex as possible. Today, a common element for achieving confusion is the substitution box (S-box), found in both AES and DES.

Diffusion refers to rearranging or spreading out the bits of the message so that any redundancy in the plaintext is spread over the ciphertext. A simple diffusion element is the bit permutation, which is used throughout DES.

Neither operation by itself provides security. The idea is to concatenate confusion and diffusion elements to build so-called product ciphers.

Confusion

Example
Let x, y and k ∈ {0, 1}^8 and y = conf(x, k), where

y1 = x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ k1 ⊕ k2 ⊕ k3 ⊕ k4
y2 = x2 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ k2 ⊕ k3 ⊕ k4 ⊕ k5
y3 = x3 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ k3 ⊕ k4 ⊕ k5 ⊕ k6
y4 = x4 ⊕ x5 ⊕ x6 ⊕ x7 ⊕ k4 ⊕ k5 ⊕ k6 ⊕ k7
y5 = x5 ⊕ x6 ⊕ x7 ⊕ x8 ⊕ k5 ⊕ k6 ⊕ k7 ⊕ k8
y6 = x6 ⊕ x7 ⊕ x8 ⊕ x1 ⊕ k6 ⊕ k7 ⊕ k8 ⊕ k1
y7 = x7 ⊕ x8 ⊕ x1 ⊕ x2 ⊕ k7 ⊕ k8 ⊕ k1 ⊕ k2
y8 = x8 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ k8 ⊕ k1 ⊕ k2 ⊕ k3

It has bad confusion: every output bit is a linear (XOR) combination of input and key bits, so the key enters only through the linear term conf(0, k), and the output difference conf(x, k) ⊕ conf(x', k) = conf(x ⊕ x', 0) does not depend on the key at all.

Diffusion

Example
y1 = f1 (x1 , x2 , k1 , k2 )
y2 = f2 (x2 , x3 , k2 , k3 )
y3 = f3 (x3 , x4 , k3 , k4 )
y4 = f4 (x4 , x5 , k4 , k5 )
y5 = f5 (x5 , x6 , k5 , k6 )
y6 = f6 (x6 , x7 , k6 , k7 )
y7 = f7 (x7 , x8 , k7 , k8 )
y8 = f8 (x8 , x1 , k8 , k1 )

It has bad diffusion: each output bit y_i depends on only two input bits x_i and x_{i+1}, so changing a single input bit can change at most two output bits.

Diffusion

Example
y1 = x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ k1 ⊕ k2 ⊕ k3 ⊕ k4
y2 = x2 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ k2 ⊕ k3 ⊕ k4 ⊕ k5
y3 = x3 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ k3 ⊕ k4 ⊕ k5 ⊕ k6
y4 = x4 ⊕ x5 ⊕ x6 ⊕ x7 ⊕ k4 ⊕ k5 ⊕ k6 ⊕ k7
y5 = x5 ⊕ x6 ⊕ x7 ⊕ x8 ⊕ k5 ⊕ k6 ⊕ k7 ⊕ k8
y6 = x6 ⊕ x7 ⊕ x8 ⊕ x1 ⊕ k6 ⊕ k7 ⊕ k8 ⊕ k1
y7 = x7 ⊕ x8 ⊕ x1 ⊕ x2 ⊕ k7 ⊕ k8 ⊕ k1 ⊕ k2
y8 = x8 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ k8 ⊕ k1 ⊕ k2 ⊕ k3
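Added example (not from the slides) that runs the confusion and diffusion examples above: the linear conf(x, k) lets an attacker solve for the key by Gaussian elimination over GF(2) instead of searching it, and its output differences do not depend on the key at all; the two-input diffusion function can never change more than two output bits for a one-bit input change, whereas the four-input linear function changes exactly four. The function toy_f standing in for the slides' unspecified f_i, the key 0xA7 and the plaintexts are constructed for the example.

```python
N = 8  # bit width of x, y and k in the slides' examples


def conf(x, k):
    """The slides' confusion example: y_i = x_i ^ x_{i+1} ^ x_{i+2} ^ x_{i+3}
    ^ k_i ^ k_{i+1} ^ k_{i+2} ^ k_{i+3}, indices taken cyclically modulo 8
    (bit i of an int stands for the slides' 1-based variable with index i+1)."""
    y = 0
    for i in range(N):
        bit = 0
        for j in range(4):
            idx = (i + j) % N
            bit ^= (x >> idx) & 1
            bit ^= (k >> idx) & 1
        y |= bit << i
    return y


def key_matrix():
    """Rows (as bit masks) of the 8x8 GF(2) matrix L with conf(x, k) = L x ^ L k."""
    return [sum(1 << ((i + j) % N) for j in range(4)) for i in range(N)]


def solve_gf2(rows, rhs):
    """Return every k with M k = rhs over GF(2); rows[i] is the bit mask of row i
    and bit i of rhs is its right-hand side.  Gauss-Jordan elimination keeps the
    pivot rows in reduced form, so the solution set is a particular solution
    plus the span of one kernel vector per free column."""
    pivots = {}                                  # pivot column -> (row mask, rhs bit)
    for i, r in enumerate(rows):
        b = (rhs >> i) & 1
        for col, (pr, pb) in pivots.items():     # reduce against existing pivots
            if (r >> col) & 1:
                r ^= pr
                b ^= pb
        if r == 0:
            if b:
                return []                        # inconsistent system
            continue
        col = r.bit_length() - 1
        for c in list(pivots):                   # clear the new column elsewhere
            pr, pb = pivots[c]
            if (pr >> col) & 1:
                pivots[c] = (pr ^ r, pb ^ b)
        pivots[col] = (r, b)
    free = [c for c in range(N) if c not in pivots]
    particular = sum(pb << c for c, (pr, pb) in pivots.items())
    basis = []
    for f in free:
        v = 1 << f
        for c, (pr, pb) in pivots.items():
            if (pr >> f) & 1:
                v |= 1 << c
        basis.append(v)
    solutions = []
    for combo in range(1 << len(basis)):
        k = particular
        for idx, v in enumerate(basis):
            if (combo >> idx) & 1:
                k ^= v
        solutions.append(k)
    return solutions


def keys_consistent_with(x, y):
    """Linear key recovery from one known pair: y ^ conf(x, 0) = L k."""
    return solve_gf2(key_matrix(), y ^ conf(x, 0))


def toy_f(a, b, c, d):
    """A constructed non-linear stand-in for the slides' unspecified f_i."""
    return (a & b) ^ c ^ (b & d) ^ d


def local(x, k, f=toy_f):
    """The slides' diffusion example: y_i = f_i(x_i, x_{i+1}, k_i, k_{i+1})."""
    y = 0
    for i in range(N):
        j = (i + 1) % N
        y |= f((x >> i) & 1, (x >> j) & 1, (k >> i) & 1, (k >> j) & 1) << i
    return y


def max_bits_affected(fn, k):
    """Worst-case number of output bits changed by flipping a single input bit."""
    worst = 0
    for x in range(1 << N):
        for i in range(N):
            worst = max(worst, bin(fn(x, k) ^ fn(x ^ (1 << i), k)).count("1"))
    return worst


def difference_is_key_independent(x1, x2):
    """conf(x1, k) ^ conf(x2, k) == conf(x1 ^ x2, 0) for every key k."""
    return all(conf(x1, k) ^ conf(x2, k) == conf(x1 ^ x2, 0) for k in range(1 << N))
```

For this particular L the matrix has rank 5 over GF(2), so one known plaintext/ciphertext pair leaves exactly 8 candidate keys rather than 256, and a second pair with a different x adds no information because the key-dependent part is the same L k. The point generalises: any cipher in which the key enters linearly is broken by linear algebra, whatever the block and key size.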

Design Criteria

Both confusion and diffusion are required to design a block cipher. The following methods are applied to obtain them:
  i. S-box + permutation
  ii. S-box + MDS matrix
  iii. ARX (modular addition, rotation and XOR)

Comparison Among Feistel Networks, SPN and ARX

            Confusion                Diffusion
  Feistel   Non-linear function F    Branch swapping
  SPN       S-box                    Linear transformation
  ARX       Modular addition         XOR, bit rotation

Padding

Padding for block ciphers is specified in PKCS#7 and in RFC 5652 (CMS).
The rules for padding 16-byte blocks:
  If one byte is left over, pad the message with 15 bytes of value 0f.
  If two bytes are left over, pad the message with 14 bytes of value 0e.
  If 15 bytes are left over, pad the message with 1 byte of value 01.
  If the length is a multiple of 16 bytes, add a full block of 16 bytes of value 10.
In general, if r bytes are left over (0 ≤ r ≤ 15), append 16 − r bytes each of value 16 − r; padding is always added, so the receiver can always strip it.
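Added example (not from the slides): PKCS#7 padding and strict unpadding for an arbitrary block size, with a table that reproduces the four rules above and a validity check of the kind a padding oracle exposes. The function names and the sample inputs are the example's own.

```python
BLOCK = 16   # AES block size in bytes


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append r = block - (len(data) mod block) bytes, each of value r.

    r is never 0: a message that already fills its last block gets a whole
    extra block of 0x10 bytes, so the receiver can always strip the padding.
    """
    if not 1 <= block <= 255:
        raise ValueError("block size must be between 1 and 255")
    r = block - (len(data) % block)
    return data + bytes([r]) * r


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip PKCS#7 padding, rejecting every malformed variant.

    The last byte alone is not enough: all r trailing bytes must equal r,
    otherwise a forged tail such as ...\\x03\\x02 would be accepted.
    """
    if not data or len(data) % block:
        raise ValueError("length is not a positive multiple of the block size")
    r = data[-1]
    if not 1 <= r <= block or data[-r:] != bytes([r]) * r:
        raise ValueError("invalid padding")
    return data[:-r]


def padding_rules(block: int = BLOCK) -> dict:
    """Map 'bytes left over in the last block' -> (number of pad bytes, pad value)."""
    return {left: (block - left, block - left) for left in range(block)}


def is_valid_padding(data: bytes, block: int = BLOCK) -> bool:
    """True iff pkcs7_unpad would accept data (the single bit a padding oracle leaks)."""
    try:
        pkcs7_unpad(data, block)
        return True
    except ValueError:
        return False
```

Whether a decrypted block has valid padding must never be observable to the party who supplied the ciphertext (through an error message, a status code or timing): with CBC that single bit is enough to decrypt without the key. In practice the padding check is done only after an authentication tag has verified, or the whole construction is replaced by an authenticated mode.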

Feistel Network

Horst Feistel (photo)
Balanced and Generalized Feistels (figures only)

Classification of 4-line GFNs (figure only)
DES
Introduction

May 1973 : NBS issued a call for proposals for a block cipher suitable for federal use
Aug 1974 : a second call was made; DEA (a modified Lucifer) was submitted by IBM
Mar 1975 : the algorithm was published for public comment
Aug 1976 : accepted as a standard
Jan 1977 : published as FIPS 46

It was designed by IBM, vetted by the NSA and published by the NBS.

2004 : NIST proposed the withdrawal of DES (FIPS 46-3 was withdrawn in 2005)
2009 : NIST withdrew 2-key TDES
until 2030 : 3-key TDES (NIST SP 800-131A Rev. 2, 2019, later moved the cutoff for 3-key TDES to the end of 2023)

Introduction

DES development was controversial:
  the NSA was secretly involved
  the design process was secret
  the key length was reduced from 128 bits (Lucifer) to 56 bits
  Lucifer's two 4 × 4 S-boxes were replaced by eight 6 × 4 S-boxes
  subtle changes were made to the Lucifer algorithm

DES Numerology

DES is a Feistel cipher with
  64-bit block length
  56-bit key length
  16 rounds
  48 bits of key used in each round

Encryption Algorithm

Initial Permutation IP and Inverse Permutation IP^(-1) (entry j of a table gives the position of the input bit that becomes output bit j)

IP
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

IP^(-1)
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

DES Round Function (figure only)

Encryption Algorithm

Expansion E (32 bits to 48 bits; the outer bits of each 6-bit group are shared with the neighbouring groups)
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Permutation P (32 bits)
16  7 20 21
29 12 28 17
 1 15 23 26
 5 18 31 10
 2  8 24 14
32 27  3  9
19 13 30  6
22 11  4 25

DES S-boxes (figure only)

DES Key Schedule (figure only)

DES Diffusion (figure only)

Design Criteria of The S-boxes

  No S-box is a linear or affine function of its input.
  Changing 1 bit of the input to an S-box changes at least 2 output bits.
  The S-boxes were chosen to minimize the difference between the number of 1's and 0's in the output when any single input bit is held constant.
  For any S-box S, S[x] and S[x ⊕ 001100] differ in at least 2 bits.
  For any S-box S, S[x] ≠ S[x ⊕ 11rs00] for any binary values r and s.
  If 2 different 48-bit inputs to the 8 S-boxes result in equal outputs, then the inputs must differ in at least 3 neighbouring S-boxes.
  For any S-box, for any nonzero 6-bit value α and any 4-bit value β, the number of solutions x of S[x] ⊕ S[x ⊕ α] = β is at most 16.

Properties of The P Permutation

  The 4 output bits of an S-box are distributed so that they affect 6 different S-boxes in the following round (4 boxes directly and 2 via the expansion mapping E).
  If an output bit from S-box i affects one of the 2 middle input bits of S-box j in the next round, then no output bit from S-box j affects a middle input bit of S-box i.
  The middle 6 input bits of 2 neighbouring S-boxes (those not shared with any other S-box) come from the outputs of 6 different S-boxes in the previous round.
  The middle 10 input bits of 3 neighbouring S-boxes (4 bits from the 2 outer S-boxes and 6 from the middle one, i.e., those not shared with any other S-box) come from the outputs of all 8 S-boxes in the previous round.

Structural Properties

Complementation Property
Complementing both the key and the plaintext complements the ciphertext:

    $\overline{\mathrm{DES}_k(m)} = \mathrm{DES}_{\bar k}(\bar m)$.

Structural Properties

Weak Keys
Definition
A DES key k is said to be weak if the following relation holds:

    DES_k(DES_k(m)) = m, for all m

(encryption under k is its own inverse). The 4 weak keys of DES (hex, with parity bits):

  0101010101010101
  fefefefefefefefe
  1f1f1f1f1f1f1f1f
  e0e0e0e0e0e0e0e0

Structural Properties

Semi-Weak Keys
Definition
A pair of keys k1 and k2 is said to be a semi-weak key pair if the following relation holds:

    DES_k1(DES_k2(m)) = m, for all m.

The 6 pairs of semi-weak keys of DES (hex, with parity bits):

  01fe01fe01fe01fe   fe01fe01fe01fe01
  1fe01fe01fe01fe0   e01fe01fe01fe01f
  01e001e001e001e0   e001e001e001e001
  1ffe1ffe1ffe1ffe   fe1ffe1ffe1ffe1f
  011f011f011f011f   1f011f011f011f01
  e0fee0fee0fee0fe   fee0fee0fee0fee0

Weak Permutation

Definition
A keyed permutation F is called a weak permutation if, given

    $y_1 = F_k(x_1)$ and $y_2 = F_k(x_2)$,

it is 'easy' to extract the key $k$.

Question
Do 3 rounds of DES form a weak permutation?

Common Proposals for Triple Encryption Using a Generic Block Cipher (figure only)

SPN

Joan Daemen (photo)

Vincent Rijmen (photo)

AES

Introduction I

Jan 1997 : NIST announced the initiation of the AES development effort.
Sep 1997 : NIST published the final request for candidate nominations.

The functional requirements:
  support a block length of 128 bits;
  support key lengths of 128, 192 and 256 bits;
  as secure as Triple-DES but much more efficient;
  the encryption scheme available on a worldwide royalty-free basis.

Aug 1998 : 15 candidates accepted at the 1st AES candidate conference.
Aug 1999 : after the 1st evaluation round (2nd AES candidate conference, March 1999) NIST selected 5 finalists.
Introduction II

The five finalists, with their positive votes in the informal straw poll at the 3rd AES candidate conference (April 2000):
  Rijndael (86)
  Serpent (59)
  Twofish (31)
  RC6 (23)
  MARS (13)

Oct 2000 : NIST announced that Rijndael was "the best overall algorithm for the AES".
Nov 2001 : the Department of Commerce officially declared Rijndael the AES (FIPS 197).
May 2002 : AES became effective.

AES Numerology

AES is an SPN cipher with
  128-bit block length
  128-, 192- or 256-bit key length
  10, 12 or 14 rounds (for 128-, 192- and 256-bit keys, respectively)

Mathematical Background

Addition (in the field GF(2^8))

The sum of two elements is the polynomial whose coefficients are the sums modulo 2 of the coefficients of the two terms, i.e. a bytewise XOR. Every element is its own additive inverse, so subtraction is the same operation.

Example

57 + 83 = ?

(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2
01010111 ⊕ 10000011 = 11010100 = D4



Mathematical Background

Multiplication

Multiplication in GF(2^8) corresponds to multiplication of polynomials modulo an irreducible polynomial over GF(2) of degree 8:

m(x) = x^8 + x^4 + x^3 + x + 1, i.e. 11B in hexadecimal.

Example

57 × 83 = ?

(x^6 + x^4 + x^2 + x + 1) × (x^7 + x + 1)
= x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1
(x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1) mod m(x)
= x^7 + x^6 + 1 = C1


Mathematical Background

Choice of Irreducible Polynomial

AES uses arithmetic in GF(2^8) with the irreducible polynomial x^8 + x^4 + x^3 + x + 1.
There are 30 irreducible polynomials of degree 8 over GF(2), 16 of which are primitive.
Whether the irreducible polynomial is primitive or not is irrelevant, because all fields of order 2^8 are isomorphic.
The isomorphism that takes the description of the cipher under one irreducible polynomial to its description under a different irreducible polynomial is linear.
There is no advantage in selecting a primitive polynomial over the polynomial of Rijndael. (The Rijndael polynomial itself is not primitive: x = 02 has multiplicative order 51, while 03 = x + 1 generates the whole multiplicative group.)


Mathematical Background

The extended algorithm of Euclid

The multiplication defined above is associative and has an identity element ('01'). For any non-zero polynomial b(x) of degree at most 7 over GF(2), the extended Euclidean algorithm can be used to compute polynomials a(x), c(x) such that

b(x)a(x) + m(x)c(x) = 1,

so that a(x) = b(x)^{-1} mod m(x). It follows that the set of 256 possible byte values, with XOR as addition and the multiplication defined above, has the structure of the finite field GF(2^8).


Mathematical Background

Multiplication by x

If we multiply b(x) by the polynomial x, we obtain

b7 x^8 + b6 x^7 + b5 x^6 + b4 x^5 + b3 x^4 + b2 x^3 + b1 x^2 + b0 x

x * b(x) is obtained by reducing this result mod m(x):

i. if b7 = 0, the reduction is the identity operation (the byte is simply shifted left by one bit);
ii. if b7 = 1, m(x) must be subtracted, i.e. the shifted byte is XORed with 1B.

FIPS 197 calls this operation xtime; multiplication by any constant is built from repeated xtime and XOR.

Example
57 × 13 = 57 × (01 ⊕ 02 ⊕ 10)
= 57 ⊕ AE ⊕ 07 = FE.


[Figure: AES Encryption]

[Figure: Input Block]

[Figure: Substitute Bytes Transformation]

[Figure: S-box]

Shift Rows

In the shift rows transformation every byte of the i-th row (i = 1, ..., 4) is cyclically rotated to the left by (i − 1) positions; the first row is left unchanged. Together with mix columns this spreads every input byte over the whole state.

Mix Columns

In the mix columns transformation each column is considered as a polynomial over GF(2^8) of degree at most 3 and multiplied by the fixed polynomial

c(x) = 03·x^3 + 01·x^2 + 01·x + 02 (mod x^4 + 1).

Equivalently, the mix columns transformation is a multiplication of each column by the matrix

        | 02 03 01 01 |
    M = | 01 02 03 01 |
        | 01 01 02 03 |
        | 03 01 01 02 |

with entries in GF(2^8), so the products use multiplication by x as defined above and the sums are XORs.


[Figure: Mix Columns]

[Figure: Add Round Key]

[Figure: AES One Round]

[Figure: Overview of AES Encryption]

[Figure: Encryption and Decryption]

[Figure: Inverse S-box]

Key Schedule (AES-128)

i. It takes a 4-word (128-bit) key and produces a linear array of 44 words (1408 bits), i.e. eleven 128-bit round keys.
ii. The key is copied into the first 4 words of the expanded key.
iii. In the expanded key each added word W[i] depends on W[i − 1] and W[i − 4].
iv. If i is a multiple of 4 then

W[i] = SubWord(RotWord(W[i − 1])) ⊕ Rcon[i/4] ⊕ W[i − 4],

where RotWord rotates the word one byte to the left, SubWord applies the S-box to each byte, and Rcon[j] is the word (rc_j, 00, 00, 00) with rc_1 = 01 and rc_j = 02 · rc_{j−1} in GF(2^8).

v. Else
W[i] = W[i − 1] ⊕ W[i − 4].

For 192- and 256-bit keys the same schedule runs with 6 or 8 words in place of 4 (the 256-bit variant applies an extra SubWord in the middle of each 8-word group).


[Figure: Key Schedule]

[Figure: AES Diffusion]

Design Criteria of S-Box

The Rijndael S-Box is the composition of the following 3 functions:
1. φ1 : GF(2^8) → GF(2^8)
   f ↦ f^{-1} if f ≠ 0
   0 ↦ 0
2. L : GF(2^8) → GF(2^8)
   f ↦ (x^4 + x^3 + x^2 + x + 1) · f mod (x^8 + 1)
3. φ2 : GF(2^8) → GF(2^8)
   f ↦ (x^6 + x^5 + x + 1) + f, i.e. f ⊕ 63

SBox = φ2 ∘ L ∘ φ1.

L is GF(2)-linear (multiplying by x modulo x^8 + 1 is a cyclic bit rotation), so the only non-linear step is the inversion φ1; L and φ2 together form an affine map that removes the fixed points and the simple algebraic description of the inverse.


Design Criteria of S-Box

Equivalently, the S-Box is defined over GF(2^8) as

y = SBox(x) = A · x^{-1} + c,

with the bits of a byte written from b7 (top row) down to b0 (bottom row):

        | 1 1 1 1 1 0 0 0 |        | 0 |
        | 0 1 1 1 1 1 0 0 |        | 1 |
        | 0 0 1 1 1 1 1 0 |        | 1 |
    A = | 0 0 0 1 1 1 1 1 |    c = | 0 |
        | 1 0 0 0 1 1 1 1 |        | 0 |
        | 1 1 0 0 0 1 1 1 |        | 0 |
        | 1 1 1 0 0 0 1 1 |        | 1 |
        | 1 1 1 1 0 0 0 1 |        | 1 |

so c = 01100011 = 63, and each row of A says b'_i = b_i ⊕ b_{i+4} ⊕ b_{i+5} ⊕ b_{i+6} ⊕ b_{i+7} (indices mod 8).
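The following is an added example, not code from the slides: it implements the pieces described above (GF(2^8) addition, multiplication, xtime and inversion by the extended Euclidean algorithm, the S-box as φ2 ∘ L ∘ φ1, ShiftRows, MixColumns, AddRoundKey and the AES-128 key schedule) and assembles them into a complete AES-128 encryption. The representation is a choice made here: a byte is a Python int whose bit i is the coefficient of x^i, and the state is stored column-major so that the byte in row r, column c sits at index r + 4c (this matches the FIPS 197 conventions). The known-answer vector at the end is from FIPS 197 Appendix C.1.

```python
"""AES-128 from the pieces above: GF(2^8) arithmetic, the S-box as phi2 . L . phi1,
ShiftRows, MixColumns, AddRoundKey and the key schedule.  A byte is an int whose
bit i is the coefficient of x^i.  Teaching code: lookups are not constant time."""

M_X = 0x11B          # m(x) = x^8 + x^4 + x^3 + x + 1
SBOX_CONST = 0x63    # x^6 + x^5 + x + 1, the constant added by phi2

def gf_add(a, b):
    """Addition: coefficient-wise mod 2, i.e. XOR (57 + 83 -> D4)."""
    return a ^ b

def poly_mul(a, b):
    """Polynomial product over GF(2) without reduction (57 * 83 -> 2B79)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
    return r

def poly_divmod(a, b):
    """Quotient and remainder of a / b in GF(2)[x]."""
    q, db = 0, b.bit_length()
    while a.bit_length() >= db:
        shift = a.bit_length() - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_mul(a, b):
    """Field multiplication: the product reduced mod m(x) (57 x 83 -> C1)."""
    return poly_divmod(poly_mul(a, b), M_X)[1]

def xtime(b):
    """Multiply by x: shift left, and XOR m(x) if b7 was set (57 -> AE)."""
    b <<= 1
    return b ^ M_X if b & 0x100 else b

def gf_inv(b):
    """Extended Euclid in GF(2)[x]: a with b*a + m*c = 1; AES maps 0 to 0."""
    if b == 0:
        return 0
    r0, r1, a0, a1 = M_X, b, 0, 1       # invariant: r_i = b*a_i + m*c_i
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        a0, a1 = a1, a0 ^ poly_mul(q, a1)
    return a1

def sbox(x):
    """phi2(L(phi1(x))): invert, multiply by 1F mod x^8 + 1, add 63."""
    inv = gf_inv(x)                                      # phi1
    lin = poly_divmod(poly_mul(0x1F, inv), 0x101)[1]     # L: cyclic, GF(2)-linear
    return lin ^ SBOX_CONST                              # phi2

SBOX = [sbox(i) for i in range(256)]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """State byte (row r, column c) lives at s[r + 4c]; row r rotates left by r."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Each column times 03x^3 + 01x^2 + 01x + 02 mod x^4 + 1 (the matrix M)."""
    cols = [s[4 * c:4 * c + 4] for c in range(4)]
    return [gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
            for a in cols for r in range(4)]

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def key_expansion(key):
    """AES-128 schedule: 4 words in, 44 words (11 round keys of 16 bytes) out."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 0x01                               # Rcon[1]; Rcon[j] = 02 * Rcon[j-1]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]               # RotWord
            t = [SBOX[b] for b in t]        # SubWord
            t[0] ^= rc                      # Rcon[i/4] = (rc, 00, 00, 00)
            rc = xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt(key, block):
    """Initial AddRoundKey, 9 full rounds, final round without MixColumns."""
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[0])
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])
    return bytes(s)

# FIPS 197 Appendix C.1 known-answer vector: aes128_encrypt(FIPS_KEY, FIPS_PT) == FIPS_CT
FIPS_KEY = bytes(range(16))
FIPS_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
```

Running `aes128_encrypt(FIPS_KEY, FIPS_PT)` reproduces the FIPS 197 ciphertext, which checks every component at once; `gf_mul(0x57, 0x83)`, `gf_mul(0x57, 0x13)` and `sbox(0x53)` reproduce the worked values C1, FE and ED from the slides. The S-box is generated from the field definition rather than copied as a table, so the two descriptions above (composition of φ1, L, φ2 and the affine matrix form) can be seen to agree; a production implementation would use bitsliced or hardware AES instead, because the table lookups and branches here leak through timing and cache side channels.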


Recommended Block Ciphers

Recommendation
Primitive                    Legacy   Future
AES                          ✓        ✓
Camellia                     ✓        ✓
Three-Key-3DES               ✓        ×
Two-Key-3DES                 ✓        ×
KASUMI                       ✓        ×
Blowfish (≥ 80-bit keys)     ✓        ×
DES                          ×        ×

Recommended Block Ciphers

Legacy × : Attack exists or security considered not sufficient. Mechanism should be replaced in fielded products as a matter of urgency.
Legacy ✓ : No known weaknesses at present. Better alternatives exist. Lack of security proof or limited key size.
Future ✓ : Mechanism is well studied (often with security proof). Expected to remain secure in a 10-50 year lifetime.
Modes of Operation

Outline

1 Introduction
2 Feistel Network
    DES
3 SPN
    AES
4 Modes of Operation
Electronic Code Book (ECB) Mode

Encryption : c_i = E_K(p_i), Decryption : p_i = D_K(c_i); every block is processed independently of all others.


Properties of ECB

Advantages
i. No block synchronization between sender and receiver is required.
ii. Bit errors caused by noisy channels only affect the corresponding block but not succeeding blocks.
iii. Block cipher operation can be parallelized for high-speed implementations.
Disadvantages
i. Identical plaintext blocks result in identical ciphertext blocks under the same key.
ii. An attacker recognizes if the same message has been sent twice.
iii. Plaintext blocks are encrypted independently of previous blocks, so the ciphertext preserves the block-level pattern of the plaintext.
iv. An attacker may reorder, delete or duplicate ciphertext blocks, and the result still decrypts to valid plaintext blocks.


Cipher Block Chaining (CBC) Mode

Encryption : c_i = E_K(p_i ⊕ c_{i−1}), Decryption : p_i = D_K(c_i) ⊕ c_{i−1}, with c_0 = IV.


Properties of CBC

The encryptions of all blocks are chained together.
The encryption is randomized by using an initialization vector IV; the IV need not be secret, but it must be unpredictable to an adversary who can choose plaintexts.
A single bit error in ciphertext block c_i affects the decipherment of blocks c_i and c_{i+1} only.
Block p'_i recovered from c_i is typically totally random, while the recovered plaintext p'_{i+1} has bit errors precisely where c_i did. The same property lets an active attacker flip chosen bits of p_{i+1} at the cost of garbling p_i, which is why CBC on its own gives no integrity.


Output FeedBack (OFB) Mode

Encryption : c_i = p_i ⊕ k_i, Decryption : p_i = c_i ⊕ k_i, where k_i = E_K(k_{i−1}) and k_0 = IV.


Properties of OFB

It is used to build a synchronous stream cipher from a block cipher.
The key stream is not generated bitwise but in a blockwise fashion; it depends only on K and the IV, so it can be precomputed before the plaintext is known.
One or more bit errors in any ciphertext block c_i affect the decipherment of only that block, at exactly the same bit positions.
The IV, which need not be secret, must be changed if an OFB key K is re-used: the same (K, IV) pair repeats the key stream, and XORing two such ciphertexts yields the XOR of the two plaintexts.


Cipher FeedBack (CFB) Mode

Encryption : c_i = p_i ⊕ E_K(c_{i−1}), Decryption : p_i = c_i ⊕ E_K(c_{i−1}), with c_0 = IV.


Properties of CFB

Since the encryption function E_K is used for both CFB encryption and decryption, the CFB mode must not be used if the block cipher E is a public-key algorithm (anyone holding the public encryption function could decrypt).
The CFB mode may be modified to allow processing of plaintext blocks whose size is less than the size of the feedback variable (s-bit CFB, at the cost of one block cipher call per s bits).
It can therefore be used in situations where short plaintext blocks are to be encrypted.


CounTeR (CTR) Mode

Encryption : c_i = p_i ⊕ E_K(Nonce || CTR_i)

Decryption : p_i = c_i ⊕ E_K(Nonce || CTR_i)

where the counter CTR_i is incremented for every block, and a (Nonce, CTR_i) input block must never be repeated under the same key.
Properties of CTR

It uses a block cipher as a stream cipher.
The key stream is computed in a blockwise fashion from the (nonce, counter) blocks alone.
Unlike CFB and OFB modes, CTR encryption and decryption can both be parallelized and any block can be accessed at random; this is desirable for high-speed implementations, e.g., in network routers.
Like OFB, it provides no integrity: flipping a ciphertext bit flips the same plaintext bit, so CTR is normally paired with a MAC, as in GCM.


[Figure: Galois Counter Mode (GCM)]

Galois Counter Mode (GCM)

AES-GCM Authenticated Encryption (proposed by D. McGrew & J. Viega)

Designed for high performance (mainly with a hardware viewpoint)
A NIST standard: SP 800-38D (November 2007)
Included in NSA Suite B Cryptography, IPsec (RFC 4106), IEEE P1619, TLS 1.2
How it works:
Encryption is done with AES in CTR mode
Authentication tag computation: "Galois Hash" (GHASH)
A Carter-Wegman-Shoup universal hash construction: polynomial evaluation over a binary field
Uses GF(2^128) defined by the "lowest" irreducible polynomial

g(x) = x^128 + x^7 + x^2 + x + 1

The hash key H = E_K(0^128) is derived from the block cipher key; the associated data and ciphertext blocks (followed by a block holding their bit lengths) are the coefficients of a polynomial evaluated at H, and the tag is that value XORed with E_K applied to the initial counter block.
All computations are based on GF(2^128) arithmetic; as in CTR mode, a repeated nonce under one key is fatal, since it also exposes H.
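To make the GHASH description concrete, here is an added example (not code from the slides or from the GCM specification) of the GF(2^128) multiplication with g(x) and of GHASH as polynomial evaluation at H, followed by the tag computation. GCM stores field elements with the bit order reversed relative to the AES byte convention, so the reduction constant is 0xE1 rather than 0x87; the loop below is the bit-serial multiplication from the specification. No AES is included here, so the two block cipher outputs the tag needs, H = E_K(0^128) and E_K(J0), are quoted from test case 2 of the McGrew-Viega GCM specification (zero key, zero 96-bit IV, one zero plaintext block), as is the ciphertext block C.

```python
"""GCM's authentication side: GF(2^128) multiplication with
g(x) = x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected convention, GHASH as
polynomial evaluation at H, and the tag T = GHASH_H(A, C) xor E_K(J0)."""

# Reflected g(x): bit 127 (the leftmost bit of the byte string) is x^0, and
# R = 0xE1 << 120 holds the reflected low-order terms x^7 + x^2 + x + 1.
R = 0xE1 << 120

def gf128_mul(x, y):
    """Bit-serial multiply of two field elements (ints read big-endian)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:            # x_i in GCM's left-to-right order
            z ^= v
        v = (v >> 1) ^ (R if v & 1 else 0)  # v = v * x mod g(x)
    return z

def _blocks128(data):
    """Split into 128-bit ints, zero-padding the last block on the right."""
    return [int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")
            for i in range(0, len(data), 16)]

def ghash(h, aad, ct):
    """Horner evaluation: X = (((A_1 H + A_2) H + ... + C_n) H + len) H."""
    h = int.from_bytes(h, "big")
    x = 0
    for block in _blocks128(aad) + _blocks128(ct):
        x = gf128_mul(x ^ block, h)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)   # bit lengths, 64 bits each
    return gf128_mul(x ^ lengths, h).to_bytes(16, "big")

def gcm_tag(h, ek_j0, aad, ct):
    """Full 128-bit tag: GHASH masked with the encryption of the initial counter."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ct), ek_j0))

def tag_valid(h, ek_j0, aad, ct, tag):
    """Verifier side.  Any change to A or C changes GHASH (H != 0 in a field),
    so the recomputed tag differs; compare in constant time in real code."""
    return gcm_tag(h, ek_j0, aad, ct) == tag

# Known values quoted from GCM spec test case 2 (K = 0^128, IV = 0^96, P = 0^128).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")      # E_K(0^128)
EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E_K(IV || 0^31 1)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")      # CTR output for P = 0
T = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")      # expected tag
```

With these inputs `gcm_tag(H, EK_J0, b"", C)` reproduces the specification's tag, and flipping any bit of `C` makes `tag_valid` return False. Because GHASH is a polynomial in H with the message as coefficients, a second message under the same nonce hands the attacker two evaluations of the same kind, from which H can be recovered; that is the concrete reason behind the nonce-uniqueness rule stated above.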

Applications

Crypto Applications

Algorithm   Applications
TDES        ATM, BlackBerry, SSH, PGP, S/MIME
IDEA        PGP, SSH
CAST-128    PGP (session key generation; encryption runs in cipher feedback mode)
AES         BlackBerry, HTTPS
AES-256     iOS (Apple)
Blowfish    SSH, PGP
