
L3 SymmetricCipher

This document discusses symmetric ciphers and stream ciphers. It describes how stream ciphers encrypt digital data streams one bit or byte at a time, while block ciphers treat blocks of plaintext as a whole. Popular block ciphers mentioned include DES, AES, and Feistel ciphers. Feistel ciphers alternate substitutions and permutations in multiple rounds using subkeys derived from the main key. DES is provided as a detailed example of a Feistel cipher, outlining its initial permutation, function F, S-boxes, and subkey generation process.

SYMMETRIC CIPHER

DR. NOR FADZILAH ABDULLAH


JKEES, FKAB
COURSE STRUCTURE

No. Topic
1 Security principles and practices
2 Classic Ciphers
3 Symmetric Ciphers
4 Asymmetric Ciphers & Public key cryptosystems
5 Communication security across different layers

CRYPTOGRAPHIC SYSTEMS
• Characterized along 3 independent dimensions:
  • Type of operations used for transforming plaintext to ciphertext
    • Substitution (replace)
    • Transposition (rearrange)
  • Number of keys used
    • Symmetric (single-key/ secret-key/ conventional encryption)
    • Asymmetric (2 keys/ public-key encryption)
  • The way in which the plaintext is processed
    • Block cipher (split into blocks & processed separately)
    • Stream cipher (processed continuously)
STREAM CIPHER
• Encrypts a digital data stream 1 bit or 1 byte at a time
• Examples:
  • Autokeyed Vigenère cipher
  • Vernam cipher
  • One-time pad
  • RC4
• Ideal case: one-time pad version of Vernam cipher, with keystream same length as the plaintext bit stream
  • Random cryptographic keystream means an unbreakable cipher unless keystream is acquired
  • Keystream provided to both users in advance via an independent and secure channel
  • Limitation: insurmountable logistical problems if the intended data traffic is very large
• Practical case: bit-stream generator implemented as an algorithmic procedure so cryptographic bit stream can be produced by both users
  • Computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream
  • 2 users need only share the generating key (symmetric) and each can produce the keystream
• Suitable for: browser/Web link


BLOCK CIPHER

• A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length
• Typically a block size of 64 or 128 bits is used
• As with a stream cipher, the two users share a symmetric encryption key
• More popular than stream cipher. Example: Feistel Cipher, DES, IDEA, AES
• Suitable for: file transfer, e-mail, database


STREAM CIPHER AND BLOCK CIPHER
General n x n bit Ideal Block Substitution
IDEAL BLOCK SUBSTITUTION: REVERSIBLE (NON-SINGULAR TRANSFORMATION)

• Unique input & output mapping requires key length of n × 2^n bits (e.g. 4 bits × 16 rows = 64 bits key)
• To thwart statistical attacks, desirable block length is 64-bit, requires key length of 64 × 2^64 = 2^70 ≈ 10^21 bits (impractical!)
PRODUCT CIPHERS

• Substitution (S-box) & Transposition/Permutation (P-box)
• (a) P-box only: with internal wiring, no computation is involved, just signal propagation
• (b) P-box + S-box: 8-bit S-box has 2^8 = 256-entry lookup table
• (c) Product cipher: 7 stages implementation → smaller S-boxes more practical (2^3 = 8 vs. 2^12 = 4096 crosswires).
• In practice: k-bit input & output (k = 64 to 256), ≥ 8 S-box iterations (rounds), ≥ 10 stages
Components of a modern block cipher

PRODUCT CIPHERS BASIS: DIFFUSION AND CONFUSION
• Terms introduced by Claude Shannon in 1949 to capture the two basic principles for any cryptographic system
• Objective: thwart cryptanalysis based on statistical analysis

Diffusion
• The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext
• This is achieved by having each plaintext digit affect the value of many ciphertext digits e.g. averaging operation

Confusion
• Seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible
• Even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key
FEISTEL CIPHER
• Proposed the use of a cipher that alternates substitutions and permutations
• Substitutions: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements
• Permutation: No elements are added or deleted or replaced in the sequence, rather the order in which the elements appear in the sequence is changed
• Is the structure used by many significant symmetric block ciphers currently in use
FEISTEL CIPHER ENCRYPTION
• Plaintext block is divided into 2 halves, L_0 and R_0. The 2 halves of the data pass through n rounds (e.g. 16 rounds) of processing and then combine to produce the ciphertext block. Each round i takes as inputs L_{i-1} and R_{i-1} from the previous round, and a unique subkey K_i derived from the overall key K.
• Permutation: performed by interchange of the 2 halves of the data.
• Substitution: applying a round function F to the right half of the data, F(RE_i, K_{i+1}), and then XOR with the left half of the data.
FEISTEL CIPHER: 7 DESIGN FEATURES

• Block size
• Key size
• Number of rounds
• Design of round function F
• Subkey generation algorithm
• Fast software
• Ease of analysis to cryptanalytic vulnerabilities
FEISTEL CIPHER DECRYPTION
• Use ciphertext as input & the subkeys K_i in reverse order, such that the output of the i-th encryption round corresponds to output of the (16–i)-th decryption round, i.e. RE_i ║ LE_i = LD_{16-i} ║ RD_{16-i}.
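
The encryption and decryption structure above, as an added example (not part of the original slides). The round function, the SHA-256-based key schedule and the sample key and block are assumptions chosen for illustration; this is a teaching toy, not DES.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def subkeys(key: bytes) -> list:
    """Hypothetical key schedule: K_i = first 32 bits of SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, ROUNDS + 1)]

def round_f(right: int, k: int) -> int:
    """Hypothetical round function F(R, K). It is a hash, so it has no inverse;
    the Feistel structure never needs one."""
    data = right.to_bytes(4, "big") + k.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def feistel(block: int, keys: list):
    """Run a 64-bit block through the rounds; return (output, per-round states)."""
    left, right = block >> 32, block & MASK32
    states = [(left, right)]                 # state 0 = the two input halves
    for k in keys:
        # Substitution: XOR F(R, K_i) into the left half. Permutation: swap halves.
        left, right = right, left ^ round_f(right, k)
        states.append((left, right))
    return (right << 32) | left, states      # final interchange of the halves

def encrypt(block: int, key: bytes) -> int:
    return feistel(block, subkeys(key))[0]

def decrypt(block: int, key: bytes) -> int:
    # Same algorithm, subkeys applied as K_16 ... K_1.
    return feistel(block, subkeys(key)[::-1])[0]

def rounds_mirror(block: int, key: bytes) -> bool:
    """Check RE_i || LE_i == LD_(16-i) || RD_(16-i) for every round i."""
    ks = subkeys(key)
    cipher, enc = feistel(block, ks)
    _, dec = feistel(cipher, ks[::-1])
    return all(enc[i] == dec[ROUNDS - i][::-1] for i in range(ROUNDS + 1))

if __name__ == "__main__":
    KEY = b"constructed demo key"            # constructed sample values
    PLAIN = 0x0123456789ABCDEF
    c = encrypt(PLAIN, KEY)
    print(f"{c:016x}", decrypt(c, KEY) == PLAIN, rounds_mirror(PLAIN, KEY))
```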


EXAMPLE 1: FEISTEL CIPHER
SYMMETRIC-KEY ALGORITHMS
• DES – The Data Encryption Standard
• AES – The Advanced Encryption Standard
• Block Cipher Modes
• Etc.
DATA ENCRYPTION STANDARD (DES)
• Issued in 1977 by the National Bureau of Standards (now NIST) as Federal Information Processing Standard 46 (FIPS PUB 46).
• Was the most widely used encryption scheme until the introduction of the Advanced Encryption Standard (AES) in 2001
• Algorithm itself is referred to as the Data Encryption Algorithm (DEA)
• Based on 16 rounds of modified Feistel network
• Data are encrypted in 64-bit blocks using a 56-bit key
• Transforms 64-bit input in a series of steps into a 64-bit output
• The same steps, with the same key, are used to reverse the encryption
• In 1999, NIST issued a new version (FIPS PUB 46-3): DES should be used only for legacy systems and triple DES otherwise.
DES OPERATION

• Perform an initial permutation (IP).
• Split the blocks into left and right half.
• Perform 16 rounds of identical operations (Function F).
  • Expansion Permutation
  • Round Key Addition
  • Splitting
  • S-Box
  • P-Box
• Join the half blocks back together.
• Perform a final permutation.

DES ENCRYPTION ALGORITHM
• Left part (plaintext): With the exception of the initial and final permutations, DES has the exact structure of a Feistel cipher.
• Right part (key expansion): The permutation function is the same for each round, but a different subkey is produced because of the repeated shifts & selecting 48-bits from 56-bits key.
DES: function f(R,K)

• Splitting
• Expansion Permutation (E)
• Round Key Addition (XOR)
• Substitution (S-box)
• Permutation (P)
DES: 8 S-boxes
• Input: 6 bits (6 x 8 = 48)
• Output: 4 bits (4 x 8 = 32)
• Row Index: 1st and last bit (00 – 11)
• Column Index: remaining 4 bits (0000 – 1111)

EXAMPLE 2: DES
• Note: DES subkeys (Ri) are shown as eight 6-bit values in hex format
AVALANCHE EFFECT IN DES: CHANGE IN PLAINTEXT
AVALANCHE EFFECT IN DES: CHANGE IN KEY
AVERAGE TIME REQUIRED FOR EXHAUSTIVE KEY SEARCH

BLOCK CIPHER DESIGN PRINCIPLES: NUMBER OF ROUNDS
• The greater the number of rounds, the more difficult it is to perform cryptanalysis
• In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack
• If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a brute-force key search
BLOCK CIPHER DESIGN PRINCIPLES: DESIGN OF FUNCTION F
• The heart of a Feistel block cipher is the function F
• The more nonlinear F, the more difficult any type of cryptanalysis will be
• The SAC and BIC criteria appear to strengthen the effectiveness of the confusion function
• The algorithm should have good avalanche properties
  • Strict avalanche criterion (SAC): States that any output bit j of an S-box should change with probability 1/2 when any single input bit i is inverted for all i, j
  • Bit independence criterion (BIC): States that output bits j and k should change independently when any single input bit i is inverted for all i, j, and k
BLOCK CIPHER DESIGN PRINCIPLES: KEY SCHEDULE ALGORITHM
• With any Feistel block cipher, the key is used to generate one subkey for each round
• In general, we would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key
• It is suggested that, at a minimum, the key schedule should guarantee key/ciphertext Strict Avalanche Criterion (SAC) and Bit Independence Criterion (BIC)
DOUBLE DES
MEET-IN-THE-MIDDLE ATTACK

• Attack against double DES based on 2 blocks of known (plaintext, ciphertext) pair
• Does not depend on any particular property of DES but will work against any block encryption cipher
TRIPLE DES (3DES) WITH 2-KEYS
TRIPLE DES WITH THREE KEYS

• Many researchers now feel that three-key 3DES is the preferred alternative
• Three-key 3DES has an effective key length of 168 bits and is defined as:
  • C = E( K3, D( K2, E( K1, P)))
• Backward compatibility with DES is provided by putting:
  • K3 = K2 or K1 = K2
• A number of Internet-based applications have adopted three-key 3DES including PGP and S/MIME
ADVANCED ENCRYPTION STANDARD

• Symmetric, block (128-bit) cipher.
• Full design publicly accessible (in ISO/IEC 18033-3 standard)
• Key lengths of 128, 192, and 256 bits supported
• Software and hardware implementations possible.
• Algorithm licensed on non-discriminatory terms by NIST (originally from Rijndael 1997)
• Has excellent diffusion & confusion properties
• Not Feistel (processes the entire data block as a single matrix during each round using substitutions & permutation)
AES PARAMETERS

• Each block and key size combination has different number of rounds
• Most common AES-128 (4x4 = 16 bytes key): 10 rounds
AES ENCRYPTION PROCESS
• Round 0: Initial single transformation (AddRoundKey)
• First N - 1 rounds: 4 transformation functions (SubBytes, ShiftRows, MixColumns, AddRoundKey)
• Final round N: 3 transformations (SubBytes, ShiftRows, AddRoundKey)
AES DATA STRUCTURES

State array: internal 4 x 4 matrix of bytes, modified at each stage of encryption/decryption (1 word = 4 bytes column)

The key that is provided as input is expanded into an array of (R+1) 32-bit words, w[i], to cater for the initial AddRoundKey stage
AES: KEY EXPANSION
• e.g. 10 rounds AES: Takes as input a 4-word (16 byte) key and produces a linear array of 44 words (176 bytes)
AES ENCRYPTION & DECRYPTION
• Alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other 3 stages), followed by XOR encryption, and so on
• Only the AddRoundKey stage makes use of the 4-byte expanded key.
• Each stage is easily reversible
AES ENCRYPTION & DECRYPTION
• Two separate software/firmware modules are needed for applications that require both encryption and decryption (costly).
• Solution: interchange InverseShiftRows & InverseSubBytes + interchange AddRoundKey & InverseMixColumns → a change in key schedule is needed.

4 encryption/decryption stages:
• Substitute bytes – uses an S-box to perform a byte-by-byte substitution of the block
• ShiftRows – a simple permutation
• MixColumns – a substitution that makes use of arithmetic over GF(2^8)
• AddRoundKey – a simple bitwise XOR of the current block with a portion of the expanded key
AES: S-Box (encryption)
(a) S-box
AES: IS-Box (decryption)
(b) Inverse S-box
AES BYTE LEVEL OPERATIONS
AES: SHIFT ROW TRANSFORMATION
AES: MIX COLUMN TRANSFORMATION
AES: MIXCOLUMN TRANSFORMATION RULE

• AES uses GF(2^8), with irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1
• Based on modular polynomial arithmetic, x^8 mod m(x) = m(x) - x^8 = x^4 + x^3 + x + 1 = 0001 1011
• E.g. x · f(x) = 0000 0010 · f(x) = {02} · f(x)
• E.g. {03} · f(x) = 0000 0011 · f(x) = {02} · f(x) + f(x)
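
The multiplication rule above carried through to a full MixColumns column, as an added example (not part of the original slides). The function names are chosen here for illustration, and the block goes one step further than the slide by also applying the standard InverseMixColumns coefficients to show that the stage is reversible.

```python
def xtime(b: int) -> int:
    """{02} · f(x): shift left; if x^8 appears, replace it by x^4 + x^3 + x + 1."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B          # clears bit 8 and XORs in 0001 1011
    return b

def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) using only xtime and XOR."""
    product = 0
    while b:
        if b & 1:           # this power of x is present in b
            product ^= a
        a = xtime(a)        # a · x, a · x^2, ...
        b >>= 1
    return product

MIX = [0x02, 0x03, 0x01, 0x01]        # first row of the MixColumns matrix
INV_MIX = [0x0E, 0x0B, 0x0D, 0x09]    # first row of the InverseMixColumns matrix

def transform_column(first_row: list, column: list) -> list:
    """Multiply one 4-byte state column by the circulant matrix built from first_row."""
    out = []
    for r in range(4):
        row = first_row[4 - r:] + first_row[:4 - r]   # rotate right by r positions
        acc = 0
        for coef, byte in zip(row, column):
            acc ^= gmul(coef, byte)                   # addition in GF(2^8) is XOR
        out.append(acc)
    return out

def mix_column(column: list) -> list:
    return transform_column(MIX, column)

def inv_mix_column(column: list) -> list:
    return transform_column(INV_MIX, column)

if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]                    # sample state column
    mixed = mix_column(col)
    print([f"{b:02x}" for b in mixed], inv_mix_column(mixed) == col)
```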

AES EXAMPLE: KEY EXPANSION

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

AES EXAMPLE: ENCRYPTION

AVALANCHE EFFECT IN AES: CHANGE IN PLAINTEXT
• Stronger than DES!

AVALANCHE EFFECT IN AES: CHANGE IN KEY
• Stronger than DES!


OTHER SYMMETRIC CIPHERS

• Some common symmetric-key cryptographic algorithms.


PROBLEM WITH BLOCK CIPHER

• The plaintext of a file encrypted as 16 bytes DES blocks.


• Problem: the message can be falsified even if not decrypted (e.g. swapping the “Bonus” field) → integrity vulnerability

BLOCK CIPHER MODES OF OPERATION

• A technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application
• Intended for use with any symmetric block cipher, including triple DES and AES
• 5 block cipher modes of operation have been defined by NIST
  • ECB (Electronic Codebook Mode)
  • CBC (Cipher Block Chaining Mode)
  • CFB (Cipher Feedback Mode)
  • OFB (Output Feedback Mode)
  • CTR (Counter Mode)
BLOCK CIPHER MODES OF OPERATION
{P1,P2, …, PN}= plaintext blocks of L-bits
ELECTRONIC CODEBOOK MODE (ECB)
• Simplest: plaintext handled 1 block at a time & encrypted using the same key (K)
• Codebook: for a given key, there is a unique ciphertext for every b-bit block of plaintext
• Limitation: the same b-bit block of plaintext always produces the same ciphertext
• Application: for a short amount of data, e.g. encryption key
CIPHER BLOCK CHAINING (CBC)
• Uses same key (K), but input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block: overcomes security deficiencies of ECB.
• 1st block of ciphertext is produced by an initialization vector (IV): known to both the sender and receiver but unpredictable by a 3rd party
• Application: Authentication (block)

S-BIT CIPHER FEEDBACK (CFB) MODE
• Plaintext is divided into segments of s bits (not blocks of b bits)
• Does not conform to the typical construction of a stream cipher i.e. the stream of bits that is XORed with the plaintext also depends on the plaintext.
• Encryption: multiple forward cipher operations cannot be performed in parallel
• Decryption: uses same encryption algorithm. Multiple forward cipher operations can be performed in parallel if the input blocks are 1st constructed (in series) from IV & ciphertext.
• Application: Authentication (stream)

OUTPUT FEEDBACK (OFB) MODE
• Operates on full blocks of plaintext and ciphertext
• Nonce: unique IV for each encryption operation
• Advantage: bit errors in transmission do not propagate
• Limitation: more vulnerable to a message stream modification attack than CFB
• ** OFB and CTR output is independent of both the plaintext and the ciphertext → more suitable for stream ciphers (encrypt plaintext by XOR one full block at a time).
COUNTER (CTR) MODE
Advantages:
• Hardware efficiency
• Software efficiency
• Pre-processing
• Random access
• Provable security
• Simplicity

** used in ATM (Async. Transfer Mode) network security & IPSec
CIPHER FEEDBACK MODES
• Block cipher: encryption is performed on a block of b bits
  • DES: b = 64
  • AES: b = 128
• 3 modes that made it possible to convert a block cipher into a stream cipher:
  • Cipher feedback (CFB) mode
  • Output feedback (OFB) mode
  • Counter (CTR) mode
• Advantage of stream cipher:
  • eliminates message padding requirement
  • can operate in real time (each character stream can be encrypted and transmitted immediately).

ECB and CBC: both encryption and decryption are used.

CFB, OFB and CTR: only encryption is used because the plaintext does not pass through the encryption function, but is XORed with the output of the encryption function. Thus, the encryption function is also used for decryption.
CBC, CFB, OFB, and CTR: involve feedback
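
CTR and OFB built from a forward-only function, as an added example (not part of the original slides). The stand-in for E(K, ·) is HMAC-SHA-256 truncated to 16 bytes, an assumption made so the block runs with the standard library alone; the key, nonce, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, as for AES (b = 128)

def forward_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for E(K, block) (assumption): HMAC-SHA-256 truncated to 16 bytes.
    It cannot be inverted, which is fine here: no D(K, .) is ever called."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # zip truncates, so no padding

def ctr_crypt(key: bytes, nonce: bytes, data: bytes, first_block: int = 0) -> bytes:
    """CTR: keystream block i = E(K, nonce || i). The same call encrypts and decrypts.
    The 8-byte nonce must never repeat under the same key."""
    out = b""
    for off in range(0, len(data), BLOCK):
        counter = nonce + (first_block + off // BLOCK).to_bytes(8, "big")
        out += xor(data[off:off + BLOCK], forward_cipher(key, counter))
    return out

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream block i = E(K, keystream block i-1), starting from the IV."""
    out, feedback = b"", iv
    for off in range(0, len(data), BLOCK):
        feedback = forward_cipher(key, feedback)
        out += xor(data[off:off + BLOCK], feedback)
    return out

def differing_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

if __name__ == "__main__":
    KEY, NONCE = b"constructed key", b"nonce-01"       # constructed sample values
    MSG = b"constructed sample record: " * 3           # 81 bytes, not a multiple of 16
    ct = ctr_crypt(KEY, NONCE, MSG)
    print(len(ct) == len(MSG))                          # no padding added
    print(ctr_crypt(KEY, NONCE, ct) == MSG)             # decryption is the same call
    # Random access: block 2 is recovered without touching blocks 0 and 1.
    print(ctr_crypt(KEY, NONCE, ct[32:48], first_block=2) == MSG[32:48])
    damaged = ct[:40] + bytes([ct[40] ^ 0x01]) + ct[41:]    # one bit error in transit
    print(differing_bits(ctr_crypt(KEY, NONCE, damaged), MSG))
```

A changed ciphertext bit changes exactly the same plaintext bit and nothing else, so these modes provide no integrity on their own and need a separate authentication check.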
