Introduction to Modern Symmetric Key Ciphers

The traditional symmetric -key ciphers that we have studied so far character- oriented
ciphers.With the advent of the computer, we need bit oriented ciphers. This is because the
information to be encrypted is not just text; it can also consists of numbers, graphics, audio,
video data.It is convenient to convert these types of data into stream o bits, to encrypt the stream
and then to send the encrypted stream. In addition , when the text is treated is treated at the bit
level, each character is replaced by 8 or 16 bits, which means number of symbols becomes 8 or
16 times larger. Mixing the larger number of symbols increases security.

Modern Block Ciphers:

A symmetric - key modern block cipher encrypts an n-bit block o plaintext or decrypts an n -bit block of
ciphertext. The encryption or decryption algorithm uses a k-bit key.

The decryption algorithm must be the inverse of the encryption algorithm, and both operation must use
the same secret key that Bob can retrieve the message sent by Alice. If the message has fewer than n bits ,
padding must be added to make it an n-bit block; if the message has more than n bits, it should be divided
into n -bit blocks and the appropriate padding must be added to the last block if it necessary. The common
values for n are 64,128,256,or 512 bits.

Example:

How many padding bits must be added to a message of 100 characters if 8-bit ASCII is used for
encoding and the block cipher accepts blocks of 64 bits?
Solution:
Encoding 100 characters using 8-bit ASCII results in an 800-bit message. The plaintext must be divisible
by 64. If | M | and |Pad| are the length of the message and the length of the padding,

Substitution or Transposition

A modern block cipher can be designed to act as a substitution cipher. This is the same idea as
used in traditional ciphers, except symbols to be substituted or transposed are bits instead of
characters.If the cipher is designed as a substitution cipher, a 1-bit or 0-bit in the plaintext can be
replaced either a 0’s or a 1’s.

In either case, the number of n-bit possible plaintext or ciphertexts is , because each of the n

bits in the block can have one of the two values, 0 or 1.

Example:

Suppose that we have a block cipher where n = 64. If there are 10 1’s in the ciphertext, how
many trial-and-error tests does Eve need to do to recover the plaintext from the intercepted
ciphertext in each of the following cases?
a. The cipher is designed as a substitution cipher.
b. The cipher is designed as a transposition cipher.

Solution:

a. In the first case, Eve has no idea how many 1’s are in the plaintext. Eve needs to try all
possible 264 64-bit blocks to find one that makes sense.
b. In the second case, Eve knows that there are exactly 10 1’s in the plaintext. Eve can
launch an exhaustive-search attack using only those 64-bit blocks that have exactly 10
1’s.
Fig: A transposition block cipher modeled as a permutation
Full-Size Key Substitution Block Ciphers
A full-size key substitution cipher does not transpose bits; it substitutes bits. We can model the
substitution cipher as a permutation if we can decode the input and encode the output.

Example:

Show the model and the set of permutation tables for a 3-bit block substitution cipher.
solution
Figure 5.3 shows the model and the set of permutation tables. The key is also much longer,

élog240,320 = 16 bits.

Figure A substitution block cipher model as a permutation

Note:

A full-size key n-bit transposition cipher or a substitution block cipher can be modeled as a
permutation, but their key sizes are different:

 Transposition: the key is bits long.

 Substitution: the key is bits long.

Note:

A partial-key cipher is a group under the composition operation if it is a subgroup of the

corresponding full-size key cipher.

D-BOX:
Modern block ciphers normally are keyed substitution ciphers in which the key allows only
partial mappings from the possible inputs to the possible outputs. A D-box (Diffusion box)
parallels the traditional transposition cipher for characters. It transposes bits.
We find there are three types of D- boxes in modern block ciphers: straight D- Boxes, expansion
D- boxes and compression D-boxes.

Straight D-boxes: A straight D- box, with n- input and n-outputs is a permutation. There are
n! mappings. D-boxes are normally keyless which means that the mapping is predetermined.
Figure 5.5 The possible mappings of a 3 × 3 D-box

Straight D-Boxes: D-boxes are normally keyless which means that the mapping is
predetermined. If the d-box is implemented in hardware, it is prewired; if it is implemented in
software, a permutation table shows the rule of mapping. In second case, the entries in the table
are the inputs and the position of the entries of the entries are the outputs. The given table shows
an example of a straight permutation table when n is 64.

Table 5.1 Example of a permutation table for a straight D-box .

It has 64 entries, corresponding to the 64 inputs . The position(index) of the entry corresponds to
the output. Because the first entry contains the number 58, we know that the first output comes
from the 58th input. Because the last entry is 7, we know that the 64 th output comes from the 7th
input, and so on.

Example: Design an 8 × 8 permutation table for a straight P-box that moves the two middle
bits (bits 4 and 5) in the input word to the two ends (bits 1 and 8) in the output words. Relative
positions of other bits should not be changed.
Solution: We need a straight P-box with the table [4 1 2 3 6 7 8 5]. The relative positions
of input bits 1, 2, 3, 6, 7, and 8 have not been changed, but the first output takes the fourth input
and the eighth output takes the fifth input.

Compression D-Boxes:
A compression D-box is a D-box with n inputs and m outputs where m < n. Some of the inputs
are blocked and do not reach the output(see the table). The compression D-boxes used in modern
block ciphers normally are keyless with a table showing the rule for transposing bits. We need to
know that a table for a compression D- box has m entries, but the content of each entry is from 1
to n with some missing values(those inputs that are blocked).The given example the compression
box note that the input 7,8,9,15,16,23,24,and 25 are blocked.
It means that compression D- box are used when we need to permute bits and the same time
decrease the number of bits for the next stage.

Table 5.2 Example of a 32 × 24 permutation table

Expansion D-Boxes:

An expansion P-box is a P-box with n inputs and m outputs where m > n. Here some of the
inputs are connected to more than one input(see table).The expansion D-boxes used in modern
block ciphers normally are keyless, where a table shows the rules for transposing bits. We need
to know that a table for expansion D-box has m entries, but m-n of the entries are are
repeated(those inputs are mapped more than one output).Note that the each of the inputs
1,3,9,and 12 is mapped to two outputs.
Table Example of a 12 × 16 permutation expansion D-box table
Invertibility: A straight D- box is invertible. This means that we can use a straight D-box in the
encryption cipher and its inverse in the decryption cipher. The mapping defined by a straight D-
box is a permutation, and thus may be referred to as P-box. The permutation tables, however
need to be the inverses of each other.

Figure 5.6 shows how to invert a permutation table represented as a one-dimensional table.

Note: A straight D-box is invertible, but compression and expansion D-boxes are not.

Compression and expansion D-boxes have no inverses:

In a compression D- box, an input can be during encryption; the decryption algorithm does not
have a clue how to replace the dropped bit(a choice between a 0-bit or 1-bit).In an expansion D-
box, an input may be mapped to more than oneoutput during encryption; the encryption
algorithm does not have a clue which of the several inputs are mapped to an output.
S-Boxes:

An S-box(substitution box) can be the thought of as a miniature substitution cipher. However, an

S-box can have different number inputs and outputs.In other words, the input to an S-box could
be an m-bit word, where m and n are not necessarily the same. Although as s-box can be keyed
or keyless, modern block ciphers normally use keyless S-boxes, where the mapping from the
inputs to the outputs is predetermined.

Example1:

In an S-box with three inputs and two outputs, we have

The S-box is linear because a1,1 = a1,2 = a1,3 = a2,1 = 1 and a2,2 = a2,3 = 0. The relationship can be
represented by matrices, as shown below:
Example2:

In an S-box with three inputs and two outputs, we have

where multiplication and addition is in GF(2). The S-box is nonlinear because there is no linear
relationship between the inputs and the outputs.

S-box Example 1:
The following table defines the input/output relationship for an S-box of size 3 × 2. The leftmost
bit of the input defines the row; the two rightmost bits of the input define the column. The two
output bits are values on the cross section of the selected row and column.
Based on the table, an input of 010 yields the output 01. An input of 101 yields the output of 00.

Example2:

Figure shows an example of an invertible S-box. For example, if the input to the left box is 001,
the output is 101. The input 101 in the right table creates the output 001, which shows that the
two tables are inverses of each other.

(s-box Example)

Exclusive-Or:
An important component in most block ciphers is the exclusive-or operation. In last session

addition and sustraction operations in the GF( ) field are performed by a single operation called

single operation called exclusive -or.

Figure Invertibility of the exclusive-or operation

The five properties of the exclusive-or operation in the GF(2n) field makes this operation a very
interesting component for use in a block cipher: closure, associativity, commutativity,
existence of identity, and existence of inverse.

The inverse of a component in a cipher makes sense if the component represents a unary
operation (one input and one output). For example, a keyless P-box or a keyless S-box can be
made invertible because they have one input and one output. An exclusive operation is a binary
operation. The inverse of an exclusive-or operation can make sense only if one of the inputs is
fixed (is the same in encryption and decryption). For example, if one of the inputs is the key,
which normally is the same in encryption and decryption, then an exclusive-or operation is self-
invertible, as shown in Figure.
Circular Shift:
Another component found in some modern block ciphers is the circular shift operation.
Shifting can be to the left or to the right. The circular left-shift operation shifts operation shifts
each bit in an circular left-shift operation shifts each bit in an n-bits word k – position to shifts
each bit in an n- bits are leftost bits.
In given figure both left and right operations in case where n=8,and k=3.

Swap:
The swap operation is a special case of the circular shift operation where k = n/2.
Split and Combine:

Two other operations found in some block ciphers are split and combine. The split operation
normally splits an n-bit word in the middle, creating two equal length words. The combine
operation normally concatenates two equal- length words to create an n-bit word.

The Data Encryption Standard

The Data Encryption Standard (DES) was developed in 1977 by National Institute of
Standards and Technology (NIST), For DES, data are encrypted in 64-bit blocks using a
56-bit key. The algorithm transforms 64-bit input in a series of steps into a 64-bit output.
The same steps, with the same key, are used to reverse the encryption.
In the late 1960s, IBM set up a research project in computer cryptography led by Horst
Feistel. The project concluded in 1971 with the development of an algorithm with the
designation LUCIFER. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits,
using a key size of 128 bits. Because of the promising results produced by the LUCIFER
project, IBM embarked on an effort to develop a marketable commercial encryption product
that ideally could be implemented on a single chip. The outcome of this effort was a refined
version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size
of 56 bits, in order to fit on a single chip. It was known as DES in 1977.
In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a
national cipher standard. IBM submitted the results of its Tuchman–Meyer project. This
was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption
Standard.

DES Key Schedule

The 64 bits key is input to permuted choice 1 (PC1) function. The eighth bit in every byte is
dropped, and the remaining 48 bits are the output.
The 48-bit output is then passed left shift operation. The 48 bits are divided into 2 halves and

they are termed as and . To generate key for round 1, both and are

circularly shifted left 1 bit position. Then the output is passed to permuted choice 2 (PC2)

function to generate . At the same time it is also passed to the next round. In round 2, as

shown in table it is also 1 bit circularly shifted left. For other rounds you can see the table.
The PC2 function takes 56 bits of input, suppose the bits are 1, 2, 3, …, 56. From these bits 8 bits
are dropped and remaining 48 bits are only considered as the key for the particular round.

DES Decryption
The decryption operation is same as encryption, the only difference is that in encryption we give

the keys to round 1, to round 2, to round 3, …, and to round 16. In decryption we

give the keys in reverse order, i.e. to round 1, to round 2, to round 3, …, and to

round 16.
DES Example
For this example, the plaintext is a hexadecimal palindrome. The plaintext, key, and
resulting ciphertext are as follows:

Table 3.5 below shows the progression of the algorithm. The first row shows the 32-bit
values of the left and right halves of data after the initial permutation. The next 16 rows
show the results after each round. Also shown is the value of the 48-bit subkey generated
for each round. Note that Li = Ri -1. The final row shows the left- and right-hand values
after the inverse initial permutation. These two values combined form the ciphertext.

Table 3.5
The Avalanche Effect
A desirable property of any encryption algorithm is that a small change in either the
plaintext or the key should produce a significant change in the ciphertext. In particular, a
change in one bit of the plaintext or one bit of the key should produce a change in many
bits of the ciphertext. This is referred to as the avalanche effect. If the change were
small, this might provide a way to reduce the size of the plaintext or key space to be
searched.
Using the example from Table 3.5, Table 3.6 shows the result when the fourth bit of the
plaintext is changed, so that the plaintext is 12468aceeca86420. The second column of
the table shows the intermediate 64-bit values at the end of each round for the two
plaintexts. The third column shows the number of bits that differ between the two
intermediate values. The table shows that, after just three rounds, 18 bits differ between
the two blocks. On completion, the two ciphertexts differ in 32 bit positions.

Table 3.6
Table 3.7 shows a similar test using the original plaintext of with two keys that differ in
only the fourth bit position: the original key, 0f1571c947d9e859, and the altered key,
1f1571c947d9e859. Again, the results show that about half of the bits in the ciphertext
differ and that the avalanche effect is pronounced after just a few rounds.

Table 3.7
DES Strengths
Since its adoption as a federal standard, there have been lingering concerns about the
level of security provided by DES. These concerns, by and large, fall into two areas: (i)
key size and (ii) the nature of the algorithm.
The Use of 56-Bit Keys: With a key length of 56 bits, there are 256 possible keys, which is

approximately 72* 1016 keys. Thus, on the face of it, a brute-force attack appears impractical.
Assuming that, on average, half the key space has to be searched, a single machine performing one
DES encryption per microsecond would take more than a thousand years to break the cipher.
However, the assumption of one encryption per microsecond is overly conservative. As
far back as 1977, Diffie and Hellman postulated that the technology existed to build a
parallel machine with 1 million encryption devices, each of which could perform one
encryption per microsecond. This would bring the average search time down to about 10
hours. The authors estimated that the cost would be about $20 million in 1977 dollars.
DES finally and definitively proved insecure in July 1998, when the Electronic Frontier
Foundation (EFF) announced that it had broken a DES encryption using a special-
purpose “DES cracker” machine that was built for less than $250,000. The attack took
less than three days. The EFF has published a detailed description of the machine, enabling
others to build their own cracker. And, of course, hard-ware prices will continue to drop as
speeds increase, making DES virtually worthless. It is important to note that there is more
to a key-search attack than simply running through all possible keys. Unless known
plaintext is provided, the analyst must be able to recognize plaintext as plaintext. If the
message is just plain text in English, then the result pops out easily, although the task of
recognizing English would have to be automated. If the text message has been
compressed before encryption, then recognition is more difficult. And if the message is
some more general type of data, such as a numerical file, and this has been compressed,
the prob- lem becomes even more difficult to automate. Thus, to supplement the brute-
force approach, some degree of knowledge about the expected plaintext is needed, and
some means of automatically distinguishing plaintext from garble is also needed.
The EFF approach addresses this issue as well and introduces some automated
techniques that would be effective in many contexts. Fortunately, there are a number of
alternatives to DES, the most important of which are AES and triple DES.
The Nature of the DES Algorithm: Another concern is the possibility that cryptanalysis is possible by
exploiting the characteristics of the DES algorithm. The focus of concern has been on the eight
substitution tables, or S-boxes, that are used in each iteration. Because the design criteria for these
boxes, and indeed for the entire algorithm, were not made public, there is a suspicion that the boxes
were constructed in such a way that cryptanalysis is possible for an opponent who knows the
weaknesses in the S-boxes. This assertion is tantalizing, and over the years a number of regularities
and unexpected behaviors of the S-boxes have been discovered. Despite this, no one has so far
succeeded in discovering the supposed fatal weaknesses in the S-boxes.

Overall structure of DES Encryption Algorithm

The overall structure of DES encryption is shown in figure. As with any encryption
scheme, there are two inputs to the encryption function: the plaintext to be encrypted
and the key. In this case, the plaintext must be 64 bits in length and the key is 56 bits in
length. Looking at the left-hand side of the figure, we can see that the processing of the
plaintext proceeds in three phases. First, the 64-bit plaintext passes through an initial
permutation (IP) that rearranges the bits to produce the permuted input. This is followed
by a phase consisting of sixteen rounds of the same function, which involves both
permutation and substitution functions. The output of the last (sixteenth) round consists
of 64 bits that are a function of the input plaintext and the key. The left and right halves
of the output are swapped to produce the preoutput. Finally, the preoutput is passed

through a permutation [IP-1] that is the inverse of the initial permutation function, to
produce the 64-bit ciphertext. With the exception of the initial and final permutations,
DES has the exact structure of a Feistel cipher.
The right-hand portion of the Figure shows the way in which the 56-bit key is used.
Initially, the key is passed through a permutation function. Then, for each of the sixteen
rounds, a subkey (Ki ) is produced by the combination of a left circular shift and a
permutation. The permutation function is the same for each round, but a different subkey
is produced because of the repeated shifts of the key bits.
INITIAL PERMUTATION
The 64 bits input to the initial permutation are to . The output is X=IP(M), it is to

as shown below. Similarly suppose the inputs to inverse permutation are to , then

the outputs are to .

DETAILS OF SINGLE ROUND
Figure below shows the internal structure of a single round. Again, begin by focusing on
the left-hand side of the diagram. The left and right halves of each 64-bit
intermediate value are treated as separate 32-bit quantities, labeled L (left) and R
(right). As in any classic Feistel cipher, the overall processing at each round can be
summarized in the following formulas:
Li = Ri - 1

Ri = Li -1 {F(Ri -1, Ki)}

The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48
bits by using a table that defines a permutation plus an expansion that involves
duplication of 16 of the R bits. The resulting 48 bits are XORed with Ki. This 48-bit
result passes through a substitution function that produces a 32-bit output, which is
permuted as defined by S-boxes. The role of the S-boxes in the function F is illustrated
below. The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as
input and produces 4 bits as output. These transformations are defined in Tables, which
is interpreted as follows: The first and last bits of the input to box Si form a 2-bit binary
number to select one of four substitutions defined by the four rows in the table for Si. The
middle four bits select one of the sixteen columns. The decimal value in the cell selected
by the row and column is then converted to its 4-bit representation to produce the output.
For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100
(column 12). The value in row 1, column 12 is 9, so the output is 1001.

Expansion permutation input bits are: 1, 2, 3,…, 32. The output bits are 32, 1, 2, 3, 4, 5, …,1
as shown below

Input output
The permutation (P) function takes 32 bits: 1, 2, 3, …, 32 and produces 32 bit outputs 16, 7, 20,
…, 25 as shown below.
Input output

S-Box: There are 8 s-boxes, each runs under a Table named to . Each S-box takes 6 bit

input and gives 4 bit output. So in total for all the 8 boxes the 48 bit input is converted to 32 bit
output.

Suppose the input value of S1 are: 011001. The first and last bit together is 01, stands for row 1
and 4 middle bits 1100 stands for column 12. the value in row 1 and column 12 of S1 is 9, so the
output 4 bits are 1001.
Advanced Encrypted Standard (AES)
AES is a block cipher. It was published by National Institute of Standards and Technology in
2001. The block size is 128 bits. There are three variants of AES, with key size 128/192/256 bits,
so it is called AES-128, AES-192 or AES-256 respectively. It is an iterative cipher rather than a
fiestel cipher unlike DES. If key size is 16 bytes (128 bits), then it operates in 10 rounds. If key
size is 24 bytes (192 bits), then it operates in 12 rounds. If key size is 32 bytes (256bits), then it
operates in 14 rounds. The general architecture of AES is as given below.
For AES-128 we have one zeroth round, and 10 more round i.e. round 0 to round 10. The input
plain text 128 bits can be treated as a 4×4 matrix, each element of the matrix is a byte. This
matrix passes through all the rounds, it is called as state array. The key is 128 bits it can be also
arranged in 4×4 matrix, each element of the matrix is a byte. The four bytes in a column of this
matrix is called as a word. So, there are 4 words in the key matrix. From these four words we
expand another 40 words, so total 44 words are available. From these 44 words we create 11
keys, each key 4 words.
AES structure
In AES-128 we have 11 rounds. The zeroth round is AddRoundKey operation. The Round 1 to 9
has 4 different stages, those are (i) Substitute Bytes, (ii) ShiftRows, (iii) Mix Columns, and (iv)
AddRound Key. The Round 10 has only three stages, (i) Substitution bytes, (ii) Shift Rows, and
(iii) Add Round Key. The 4 word key (each word is 4 bytes) is extended to 44 words, so that 11
different keys are generated and used in these 11 rounds.
Add Round Key
It is just Vernam cipher. The 128 bits of the state are bitwise XORed with the 128 bits of the
round key. The inverse add round key is identical to the add round key because the XOR
operation is its own inverse.

AddRoundKey together with other 3 stages, provides confusion, diffusion, and non-linearity
 Confusion – Makes relationship between ciphertext and key as complex as possible.
 Diffusion – Each plaintext digit affect the value of many ciphertext digits.
 NonLinearity – No linear relationship between plain text and key with cipher text
Substitute Byte Transformation
It is just a table look up activity. AES defines a 16×16 matrix of byte values, called a S-box, that
contains all possible permutation of 256 bytes. Each individual byte of a state is mapped into a
new byte. The table below and example represents the bytes in 2 hexadecimal digits.

For example suppose we have a byte EA. E stands for the first 4 bits, A stands for the next 4 bits.
The first hexadecimal digit represents the row value and the 2 nd hexadecimal digit represent the
column value. So, in row E and column A, the value is 87, hence EA is replaced by 87. The
inverse s-box can be used for decryption to perform inverse substitute byte operation. It is similar
to S-box operation.

Shift Rows
The shift row transformation is performed as follows. Row i does i-1 byte circular shift left, for
i=1, 2, 3,4. Similarly, the inverse shift row transformation is performed as follows. Row i does i-
1 byte circular shift right, for i=1, 2, 3,4. An example of shift row operation is as given below.
Blowfish Encryption Algorithm

Blowfish is an encryption technique designed by Bruce Schneier in 1993 as an alternative to

DES Encryption Technique. It is significantly faster than DES and provides a good encryption
rate with no effective cryptanalysis technique found to date. It is one of the first, secure block
cyphers not subject to any patents and hence freely available for anyone to use.

1. blockSize: 64-bits
2. keySize: 32-bits to 448-bits variable size

3. number of subkeys: 18 [P-array]

4. number of rounds: 16

5. number of substitution boxes: 4 [each having 512 entries of 32-bits each]

Blowfish Encryption Algorithm

The entire encryption process can be elaborated as:

Lets see each step one by one:

Step1: Generation of subkeys:

 18 subkeys{P[0]…P[17]} are needed in both encryption as well as decryption process

and the same subkeys are used for both the processes.
 These 18 subkeys are stored in a P-array with each array element being a 32-bit entry.

 It is initialized with the digits of pi(?).

 The hexadecimal representation of each of the subkeys is given by:

P[0] = "243f6a88"
P[1] = "85a308d3"
.
.
.
P[17] = "8979fb1b"

 Now each of the subkey is changed with respect to the input key as:

P[0] = P[0] xor 1st 32-bits of input key

P[1] = P[1] xor 2nd 32-bits of input key
.
.
.
P[i] = P[i] xor (i+1)th 32-bits of input key
(roll over to 1st 32-bits depending on the key length)
.
.
.
P[17] = P[17] xor 18th 32-bits of input key
(roll over to 1st 32-bits depending on key length)

The resultant P-array holds 18 subkeys that is used during the entire encryption process

Step2: initialise Substitution Boxes:

 4 Substitution boxes(S-boxes) are needed{S[0]…S[4]} in both encryption aswell as

decryption process with each S-box having 256 entries{S[i][0]…S[i][255], 0&lei&le4}
where each entry is 32-bit.
 It is initialized with the digits of pi(?) after initializing the P-array. You may find the s-
boxes in here!

Step3: Encryption:

 The encryption function consists of two parts:

a. Rounds: The encryption consists of 16 rounds with each round(Ri) taking inputs the
plainText(P.T.) from previous round and corresponding subkey(Pi). The description of
each round is as follows:
The description of the function ” F ” is as follows:
Here the function “add” is addition modulo 2^32.

b. Post-processing: The output after the 16 rounds is processed as follows:

IDEA:

Simplified International Data Encryption Algorithm

(IDEA)

In cryptography, block ciphers are very important in the designing of many cryptographic
algorithms and are widely used to encrypt the bulk of data in chunks. By chunks, it means that
the cipher takes a fixed size of the plaintext in the encryption process and generates a fixed size
ciphertext using a fixed-length key. An algorithm’s strength is determined by its key length.
The Simplified International Data Encryption Algorithm (IDEA) is a symmetric key block
cipher that:

 uses a fixed-length plaintext of 16 bits and

 encrypts them in 4 chunks of 4 bits each

 to produce 16 bits ciphertext.

 The length of the key used is 32 bits.

 The key is also divided into 8 blocks of 4 bits each.

This algorithm involves a series of 4 identical complete rounds and 1 half-round. Each complete
round involves a series of 14 steps that includes operations like:

 Bitwise XOR
 Addition modulo

 Multiplication modulo +1

After 4 complete rounds, the final “half-round” consists of only the first 4 out of the 14 steps
previously used in the full rounds. To perform these rounds, each binary notation must be
converted to its equivalent decimal notation, perform the operation and the result obtained should
be converted back to the binary representation for the final result of that particular step.

Key Schedule: 6 subkeys of 4 bits out of the 8 subkeys are used in each complete round, while 4
are used in the half-round. So, 4.5 rounds require 28 subkeys. The given key, ‘K’, directly gives
the first 8 subkeys. By rotating the main key left by 6 bits between each group of 8, further
groups of 8 subkeys are created, implying less than one rotation per round for the key (3
rotations).
 K1 K2 K3 K4 K5 K6

Round 1 1101 1100 0110 1111 0011 1111

Round 2 0101 1001* 0001 1011 1100 1111

Round 3 1101 0110 0111 0111* 1111 0011

Round 4 1111 0101 1001 1101 1100 0110*

Round 4.5 1111 1101 0110 0111

* denotes a shift of bits

Notations used in the 14 steps:

Symbol Operation

Multiplication modulo +1
*

Addition modulo
+

^ Bitwise XOR

The 16-bit plaintext can be represented as X1 || X2 || X3 || X4, each of size 4 bits. The 32-bit key
is broken into 8 subkeys denoted as K1 || K2 || K3 || K4 || K5 || K6 || K7 || K8, again of size 4 bits
each. Each round of 14 steps uses the three algebraic operation-Addition modulo (2^4),
Multiplication modulo (2^4)+1 and Bitwise XOR. The steps involved are as follows:

DES advantages:

 DES has been around a long time (since 1977), even now no real weaknesses
have been found: the most efficient attack is still brute force.
 DES is an official United States Government standard; the Government is
required to re-certify, DES every five years and ask it be replaced if necessary.
DES has been re-certified in 1983, 1987, 1992.
 DES is also an ANSI and ISO standard - anybody can learn the details and
implement it.
 Since DES was designed to run on 1977 hardware, it is fast in hardware and
relatively fast in software.

DES Disadvantages

 The 56-bit key size is the biggest defect of DES. Chips to perform one million of DES
encrypt or decrypt operations a second are available (in 1993). A $1 million DES
cracking machine can search the entire key space in about 7 hours.
  Hardware implementations of DES are very fast; DES was not designed for software and
hence runs relatively slowly.
 As the technology is improving lot more day by day so there is a possibility to break the
encrypted code, so AES is preferred than DES.
 As we know in DES only one private key is used for encryption as well as for decryption
because it is symmetric encryption technique so if we lost that key to decrypt the data
then we cannot get the readable data at the receiving end

Benefits or advantages of AES

Following are the benefits or advantages of AES:

 As it is implemented in both hardware and software, it is most robust security protocol.

 It uses higher length key sizes such as 128, 192 and 256 bits for encryption. Hence it
makes AES algorithm more robust against hacking.
 It is most common security protocol used for wide several of applications such as
wireless communication, financial transactions, e-business, encrypted data storage etc.
 It is one of the most spread commercial and open source solutions used all over the
world.
 No one can hack your personal information.
 For 128 bit, about 2128 attempts are needed to break. This makes it very difficult to hack
it as a result it is very safe protocol.

Drawbacks or disadvantages of AES

Following are the disadvantages of AES:

 It uses too simple algebraic structure.

 Every block is always encrypted in the same way.
 Hard to implement with software.
 AES in counter mode is complex to implement in software taking both performance and
security into considerations.
Block Cipher Modes of Operations.

Encryption algorithms are divided into two categories based on the input type, as a block cipher
and stream cipher. Block cipher is an encryption algorithm that takes a fixed size of input say b
bits and produces a ciphertext of b bits again. If the input is larger than b bits it can be divided
further. For different applications and uses, there are several modes of operations for a block
cipher.

Electronic Code Book (ECB) –

Electronic code book is the easiest block cipher mode of functioning. It is easier because of
direct encryption of each block of input plaintext and output is in form of blocks of encrypted
ciphertext. Generally, if a message is larger than b bits in size, it can be broken down into a
bunch of blocks and the procedure is repeated.

Procedure of ECB is illustrated below:

Advantages of using ECB –

 Parallel encryption of blocks of bits is possible, thus it is a faster way of encryption.

 Simple way of the block cipher.
Disadvantages of using ECB –

 Prone to cryptanalysis since there is a direct relationship between plaintext and

ciphertext.

Cipher Block Chaining –

Cipher block chaining or CBC is an advancement made on ECB since ECB compromises some
security requirements. In CBC, the previous cipher block is given as input to the next encryption
algorithm after XOR with the original plaintext block. In a nutshell here, a cipher block is
produced by encrypting an XOR output of the previous cipher block and present plaintext block.

The process is illustrated here:

Advantages of CBC –
  CBC works well for input greater than b bits.
 CBC is a good authentication mechanism.

 Better resistive nature towards cryptanalysis than ECB.

Disadvantages of CBC –

 Parallel encryption is not possible since every encryption requires a previous cipher.

Cipher Feedback Mode (CFB) –

In this mode the cipher is given as feedback to the next block of encryption with some new
specifications: first, an initial vector IV is used for first encryption and output bits are divided as
a set of s and b-s bits.The left-hand side s bits are selected along with plaintext bits to which an
XOR operation is applied. The result is given as input to a shift register having b-s bits to lhs,s
bits to rhs and the process continues. The encryption and decryption process for the same is
shown below, both of them use encryption algorithms.
Advantages of CFB –

 Since, there is some data loss due to the use of shift register, thus it is difficult for
applying cryptanalysis.

Output Feedback Mode –

The output feedback mode follows nearly the same process as the Cipher Feedback mode except
that it sends the encrypted output as feedback instead of the actual cipher which is XOR output.
In this output feedback mode, all bits of the block are sent instead of sending selected s bits. The
Output Feedback mode of block cipher holds great resistance towards bit transmission errors. It
also decreases the dependency or relationship of the cipher on the plaintext.

Advantages of OFB –
  In the case of CFB, a single bit error in a block is propagated to all subsequent blocks.
This problem is solved by OFB as it is free from bit errors in the plaintext block.

Counter Mode –
The Counter Mode or CTR is a simple counter-based block cipher implementation. Every time a
counter-initiated value is encrypted and given as input to XOR with plaintext which results in
ciphertext block. The CTR mode is independent of feedback use and thus can be implemented in
parallel.

Its simple implementation is shown below:

Advantages of Counter –

 Since there is a different counter value for each block, the direct plaintext and ciphertext
relationship is avoided. This means that the same plain text can map to different
ciphertext.
 Parallel execution of encryption is possible as outputs from previous stages are not
chained as in the case of CBC.

Fermat’s little theorem: It states that if p is a prime number, then for any integer a, the number
a p – a is an integer multiple of p.

Here p is a prime number

ap ≡ a (mod p).

Special Case: If a is not divisible by p, Fermat’s little theorem is equivalent to the statement that
a p-1-1 is an integer multiple of p.

ap-1 ≡ 1 (mod p)
OR
ap-1 % p = 1
Here a is not divisible by p.

Take an Example How Fermat’s little theorem works

Example 1:

P = an integer Prime number

a = an integer which is not multiple of P
Let a = 2 and P = 17
According to Fermat's little theorem
2 17 - 1 ≡ 1 mod(17)
we got 65536 % 17 ≡ 1
that mean (65536-1) is an multiple of 17

Eulers theorm: It is an be represented in the form (2n - 1)*(2n / 2) )) where n is a prime number and 2n - 1
is a Mersenne prime number. It is a product of a power of 2 with a Mersenne prime number

Some Examples (Perfect Numbers) which satisfy Euclid Euler Theorem are:

6, 28, 496, 8128, 33550336, 8589869056, 137438691328

Explanations:
1) 6 is an even perfect number.
So, is can be written in the form
(22 - 1) * (2(2 - 1)) = 6
where n = 2 is a prime number and 2^n - 1 = 3 is a Mersenne prime number

Chinese Remainder Theorem

The Chinese Remainder Theorem (CRT) is a technique to reduce modular calculations with large moduli
to similar calculations for each of the (mutually co-prime) factors of the modulus.
DISCRETE LOGARITHMS

Discrete logarithms are fundamental to a number of public-key algorithms, includ- ing Diffie-
Hellman key exchange and the digital signature algorithm (DSA). This section provides a brief
overview of discrete logarithms. For the interested reader, more detailed developments of this
topic can be found in [ORE67] and [LEVE90].

The Powers of an Integer, Modulo n

Recall from Euler’s theorem [Equation (8.4)] that, for every a and n that are rela- tively prime,
where ϕ(n), Euler’s totient function, is the number of positive integers less than n and relatively prime
to n. Now consider the more general expression:

If a and n are relatively prime, then there is at least one integer m that satisfies Equation (8.10),
namely, M = ϕ(n). The least positive exponent m for which Equation (8.10) holds is referred to in
several ways:

• The order of a (mod n)

• The exponent to which a belongs (mod n)

• The length of the period generated by a

Table 8.3 shows all the powers of a, modulo 19 for all positive a 6 19. The length of the sequence
for each base value is indicated by shading. Note the following:

1. All sequences end in 1. This is consistent with the

reasoning of the preceding few paragraphs.

2. The length of a sequence divides ϕ(19) = 18.

That is, an integral number of sequences occur in each row of the table.

3. Some of the sequences are of length 18. In this

case, it is said that the base inte- ger a generates (via powers) the set of nonzero integers modulo
19. Each such integer is called a primitive root of the modulus 19.
More generally, we can say that the highest possible exponent to which a number can belong
(mod n) is ϕ(n). If a number is of this order, it is referred to as a primitive root of n. The
importance of this notion is that if a is a primitive root of n, then its powers

are distinct (mod n) and are all relatively prime to n. In particular, for a prime number p, if a is a
primitive root of p, then

are distinct (mod p). For the prime number 19, its primitive roots are 2, 3, 10, 13, 14, and 15.

Not all integers have primitive roots. In fact, the only integers with primitive roots are those of
the form 2, 4, pa, and 2pa, where p is any odd prime and a is a positive integer. The proof is not
simple but can be found in many number theory books, including [ORE76].

Logarithms for Modular Arithmetic

With ordinary positive real numbers, the logarithm function is the inverse of expo- nentiation.
An analogous function exists for modular arithmetic.

Let us briefly review the properties of ordinary logarithms. The logarithm of a number is
defined to be the power to which some positive base (except 1) must be raised in order to equal
the number. That is, for base x and for a value y,
Consider a primitive root a for some prime number p (the argument can be developed for nonprimes
as well). Then we know that the powers of a from 1 through (p - 1) produce each integer from 1
through (p - 1) exactly once. We also know that any integer b satisfies

by the definition of modular arithmetic. It follows that for any integer b and a prim- itive root a
of prime number p, we can find a unique exponent i such that

This exponent i is referred to as the discrete logarithm of the number b for the base a (mod p). We
denote this value as dloga,p(b).10

Note the following:

dloga,p(1) = 0 because a0 mod p = 1 mod p = 1 (8.13)

dloga,p(a) = 1 because a1 mod p = a (8.14)
This demonstrates the analogy between true logarithms and discrete logarithms.

Keep in mind that unique discrete logarithms mod m to some base a exist only if a is a primitive root
of m.

Table 8.4, which is directly derived from Table 8.3, shows the sets of discrete logarithms that
can be defined for modulus 19.
Table 8.4 Tables of Discrete Logarithms, Modulo 19
FEISTEL ALGORITHM:
The encryption process uses the Feistel structure consisting multiple rounds of processing of the plaintext,
each round consisting of a “substitution” step followed by a permutation step. The input block to each
round is divided into two halves that can be denoted as L and R for the left half and the right half.

Feistel Cipher is not a specific scheme of block cipher. It is a design model from which many
different block ciphers are derived. DES is just one example of a Feistel Cipher. A cryptographic
system based on Feistel cipher structure uses the same algorithm for both encryption and
decryption.

Encryption Process

The encryption process uses the Feistel structure consisting multiple rounds of processing of the
plaintext, each round consisting of a “substitution” step followed by a permutation step.

Feistel Structure is shown in the following illustration −

 The input block to each round is divided into two halves that can be denoted as L and R
for the left half and the right half.
 In each round, the right half of the block, R, goes through unchanged. But the left half, L,
goes through an operation that depends on R and the encryption key. First, we apply an
encrypting function ‘f’ that takes two input − the key K and R. The function produces the
output f(R,K). Then, we XOR the output of the mathematical function with L.

 In real implementation of the Feistel Cipher, such as DES, instead of using the whole
encryption key during each round, a round-dependent key (a subkey) is derived from the
 encryption key. This means that each round uses a different key, although all these
subkeys are related to the original key.

 The permutation step at the end of each round swaps the modified L and unmodified R.
Therefore, the L for the next round would be R of the current round. And R for the next
round be the output L of the current round.

 Above substitution and permutation steps form a ‘round’. The number of rounds are
specified by the algorithm design.

 Once the last round is completed then the two sub blocks, ‘R’ and ‘L’ are concatenated in
this order to form the ciphertext block.

The difficult part of designing a Feistel Cipher is selection of round function ‘f’. In order to be
unbreakable scheme, this function needs to have several important properties that are beyond the
scope of our discussion.

Decryption Process

 The process of decryption in Feistel cipher is almost similar. Instead of starting with a
block of plaintext, the ciphertext block is fed into the start of the Feistel structure and
then the process thereafter is exactly the same as described in the given illustration.
 The process is said to be almost similar and not exactly same. In the case of decryption,
the only difference is that the subkeys used in encryption are used in the reverse order.

 The final swapping of ‘L’ and ‘R’ in last step of the Feistel Cipher is essential. If these
are not swapped then the resulting ciphertext could not be decrypted using the same
algorithm.

Number of Rounds

The number of rounds used in a Feistel Cipher depends on desired security from the system.
More number of rounds provide more secure system. But at the same time, more rounds mean
the inefficient slow encryption and decryption processes. Number of rounds in the systems thus
depend upon efficiency–security tradeoff.