
Product Cipher

The document discusses product ciphers and how they use multiple rounds of substitution and permutation to provide diffusion and confusion. It describes Feistel and non-Feistel ciphers, noting that modern block ciphers fall into one of these two classes. Stream ciphers are also covered, including synchronous stream ciphers like the one-time pad that use a keystream independent of the plaintext, and nonsynchronous ciphers where the keystream depends on previous plaintext or ciphertext.

Product Ciphers:

Shannon introduced the concept of a product cipher.

A product cipher is a complex cipher combining substitution, permutation, and other components.

Diffusion and Confusion:


The idea behind the product cipher was to give block ciphers two important properties: diffusion and confusion.

Diffusion is to hide the relationship between the ciphertext and the plaintext.

Confusion is to hide the relationship between the ciphertext and the key.

Rounds:
Diffusion and confusion can be achieved using iterated product ciphers.

Each iteration is a combination of S-boxes, P-boxes, and other components.

Each iteration is referred to as a round.

The block cipher uses a key schedule or key generator that creates different keys for each round
from the cipher key.

In an N-round cipher, the plaintext is encrypted N times to create the ciphertext;

the ciphertext is decrypted N times to create the plaintext.

Figure 5.13 shows a simple product cipher with two rounds

- The 8-bit text is mixed with the key to whiten the text (hide the bits using the key). This is normally done by exclusive-oring the 8-bit word with the 8-bit key.
- The outputs of the whitener are organized into four 2-bit groups and are fed into four S-boxes. The values of bits are changed based on the structure of the S-boxes in this transformation.
- The outputs of S-boxes are passed through a P-box to permute the bits so that in the next round each box receives different inputs.

We refer to the text created at the intermediate levels (between two rounds) as the middle text.

Diffusion:

Figure 5.14 shows how changing a single bit in the plaintext affects many bits in the ciphertext.

In the first round, bit 8, after being exclusive-ored with the corresponding bit of K1, affects two
bits (bits 7 and 8) through S-box 4. Bit 7 is permuted and becomes bit 2; bit 8 is permuted and
becomes bit 4. After the first round, bit 8 has affected bits 2 and 4.

In the second round, bit 2, after being exclusive-ored with the corresponding bit of K2, affects
two bits (bits 1 and 2) through S-box 1. Bit 1 is permuted and becomes bit 6; bit 2 is permuted
and becomes bit 1. Bit 4, after being exclusive-ored with the corresponding bit in K2, affects bits 3
and 4. Bit 3 remains the same; bit 4 is permuted and becomes bit 7.

After the second round, bit 8 has affected bits 1, 3, 6, and 7.

Confusion:
The four bits of ciphertext, bits 1, 3, 6, and 7, are affected by three bits in the key (bit 8 in K1 and
bits 2 and 4 in K2).

Two Classes of Product Ciphers:

Modern block ciphers are all product ciphers.

They are divided into two classes.

The ciphers in the first class use both invertible and noninvertible components; they are referred to as Feistel ciphers.

The ciphers in the second class use only invertible components. We refer to these ciphers as non-Feistel ciphers.

Feistel Ciphers:

A Feistel cipher can have three types of components: self-invertible, invertible, and
noninvertible.

A Feistel cipher combines all noninvertible elements in a unit and uses the same unit in the
encryption and decryption algorithms.

First Thought:

The effects of a noninvertible component in the encryption algorithm can be canceled in the
decryption algorithm if we use an exclusive-or operation.
In the encryption, a noninvertible function, ƒ(K), accepts the key as the input. The output of this
component is exclusive-ored with the plaintext. The result becomes the ciphertext. We call the
combination of the function and the exclusive-or operation the mixer. The mixer in the Feistel
design is self-invertible.

The key is the same in encryption and decryption.

If C2 = C1 (no change in the ciphertext during transmission), then P2 = P1.

Improvement:

Divide the plaintext and the ciphertext into two equal-length blocks, left and right.

We call the left block L and the right block R.

Let the right block be the input to the function, and let the left block be exclusive-ored with the
function output.

One important point: the inputs to the function must be exactly the same in encryption and decryption.

The encryption and decryption algorithms are still inverses of each other. Assume that L3 = L2
and R3 = R2 (no change in the ciphertext during transmission).

Final Design:

The design needs more improvement. First, increase the number of rounds. Second, add a new
element to each round: a swapper. The effect of the swapper in the encryption round is canceled by
the effect of the swapper in the decryption round.
Note that there are two round keys, K1 and K2. The keys are used in reverse order in the encryption
and decryption.

Because the two mixers are inverses of each other, and the swappers are inverses of each other, it
should be clear that the encryption and decryption ciphers are inverses of each other.

Relationship between the left and right sections in each cipher:

if L6 = L1 and R6 = R1, assuming that L4 = L3 and R4 = R3.

We first prove the equality for the middle text.

Then it is easy to prove that the equality holds for two plaintext blocks.
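
The final Feistel design described above, as an added example that is not part of the original document: a mixer built around a noninvertible function, a swapper between rounds, and decryption that reuses the same routine with the round keys reversed. The round function, the 32-bit block size, the round keys, and the choice to omit the swapper after the last round are assumptions made for the illustration.

```python
MASK = 0xFFFF  # each half (L and R) is 16 bits; the block is 32 bits


def f(right: int, key: int) -> int:
    """Noninvertible round function: squaring mod 2^16 maps x and -x to one value."""
    x = right ^ key
    return (x * x) & MASK


def encrypt(block: int, round_keys) -> int:
    left, right = block >> 16, block & MASK
    last = len(round_keys) - 1
    for i, key in enumerate(round_keys):
        left ^= f(right, key)          # mixer: R is the function input, L is XORed
        if i != last:
            left, right = right, left  # swapper (assumed absent after the last round)
    return (left << 16) | right


def decrypt(block: int, round_keys) -> int:
    # Same structure as encryption; only the order of the round keys changes.
    return encrypt(block, list(reversed(round_keys)))


def roundtrip_ok(round_keys, samples) -> bool:
    return all(decrypt(encrypt(p, round_keys), round_keys) == p for p in samples)


ROUND_KEYS = [0x1F3A, 0xC2D4]  # constructed K1, K2
SAMPLES = [0x00000000, 0x00000001, 0x12345678, 0xDEADBEEF, 0xFFFFFFFF]

if __name__ == "__main__":
    # Two different inputs to f give the same output, so f cannot be inverted...
    print(f(1 ^ ROUND_KEYS[0], ROUND_KEYS[0]), f(0xFFFF ^ ROUND_KEYS[0], ROUND_KEYS[0]))
    # ...yet the cipher built from it still decrypts correctly.
    print(roundtrip_ok(ROUND_KEYS, SAMPLES))
```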

Non-Feistel Ciphers:

A non-Feistel cipher uses only invertible components.


For example, S-boxes need to have an equal number of inputs and outputs to be compatible. No
compression or expansion P-boxes are allowed, because they are not invertible.

A component in the encryption cipher has the corresponding component in the decryption cipher.

In a non-Feistel cipher, there is no need to divide the plaintext into two halves as we saw in the
Feistel ciphers.

Figure 5.13 can be thought of as a non-Feistel cipher because the only components in each round
are the exclusive-or operation (self-invertible), 2 × 2 S-boxes that can be designed to be invertible,
and a straight P-box that is invertible using the appropriate permutation table. Because each
component is invertible, it can be shown that each round is invertible. We only need to use the
round keys in the reverse order. The encryption uses round keys K1 and K2. The decryption
algorithm needs to use round keys K2 and K1.
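
An added example (not from the original document) of the two-round cipher described for Figure 5.13: whitening, four 2-bit S-boxes and a straight P-box, decrypted by undoing each component with the round keys in reverse order, plus a check of the diffusion trace for plaintext bit 8. The S-box table, the P-box entries for inputs 5 and 6, and the round keys are assumptions made here; the other six P-box entries follow the diffusion trace in the text.

```python
# Bits are numbered 1 (leftmost) to 8 (rightmost), as in the diffusion trace.
SBOX = [0, 3, 1, 2]                            # assumed invertible 2-bit S-box
INV_SBOX = [SBOX.index(v) for v in range(4)]
# input position -> output position; entries 5 and 6 are assumed
PBOX = {1: 6, 2: 1, 3: 3, 4: 7, 5: 8, 6: 5, 7: 2, 8: 4}
INV_PBOX = {dst: src for src, dst in PBOX.items()}
ROUND_KEYS = [0xA7, 0x3C]                      # constructed K1, K2


def substitute(x: int, box) -> int:
    out = 0
    for shift in (6, 4, 2, 0):                 # S-box 1 .. S-box 4
        out |= box[(x >> shift) & 3] << shift
    return out


def permute(x: int, table) -> int:
    out = 0
    for src, dst in table.items():
        if x & (1 << (8 - src)):
            out |= 1 << (8 - dst)
    return out


def encrypt(p: int, round_keys) -> int:
    for k in round_keys:                       # whiten, substitute, permute
        p = permute(substitute(p ^ k, SBOX), PBOX)
    return p


def decrypt(c: int, round_keys) -> int:
    for k in reversed(round_keys):             # undo P-box, S-boxes, whitening
        c = substitute(permute(c, INV_PBOX), INV_SBOX) ^ k
    return c


def changed_bits(p: int, flipped_bit: int, round_keys) -> set:
    """Ciphertext bit positions that change when one plaintext bit is flipped."""
    diff = encrypt(p, round_keys) ^ encrypt(p ^ (1 << (8 - flipped_bit)), round_keys)
    return {i for i in range(1, 9) if diff & (1 << (8 - i))}

# Every 2-bit bijection is an affine map, so this toy is linear end to end;
# it shows the round structure and nothing about real-world strength.
```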

Attacks on Block Ciphers


These attacks use differential and linear cryptanalysis techniques.

Cryptanalysis is the process of transforming or decoding communications from non-readable to readable format without having access to the real key.

Differential Cryptanalysis:

Eli Biham and Adi Shamir introduced the idea of differential cryptanalysis.

This is a chosen-plaintext attack;

Eve can somehow access Alice’s computer, submitting chosen plaintext and obtaining the
corresponding ciphertext. The goal is to find Alice’s cipher key.

Linear Cryptanalysis:
The analysis uses known-plaintext attacks.
n in Figure 5.20, where c0, c1, and c2 represent the three bits in the output and x0, x1, and x2
represent the three bits in the input of the S-box.

The S-box is a linear transformation in which each output is a linear function of input. With this linear component, we can create three linear equations between plaintext and ciphertext bits,

MODERN STREAM CIPHERS:


In a modern stream cipher, encryption and decryption are done r bits at a time.

We have a plaintext bit stream P = p_n … p_2 p_1, a ciphertext bit stream C = c_n … c_2 c_1, and a key bit
stream K = k_n … k_2 k_1, in which p_i, c_i, and k_i are r-bit words. Encryption is c_i = E(k_i, p_i), and
decryption is p_i = D(k_i, c_i).

Stream ciphers are faster than block ciphers.

Modern stream ciphers are divided into two broad categories:

- Synchronous
- Non-synchronous

Synchronous Stream Ciphers:

In a synchronous stream cipher, the key stream is independent of the plaintext or ciphertext stream.
The key stream is generated and used with no relationship between key bits and the plaintext or
ciphertext bits.

One-Time Pad:

The simplest and the most secure type of synchronous stream cipher is called the one-time pad,
invented and patented by Gilbert Vernam.

A one-time pad cipher uses a key stream that is randomly chosen for each encipherment.

The one-time pad is an ideal cipher.

There is no relationship between the plaintext and ciphertext,

Feedback Shift Register:

An FSR can be implemented in either software or hardware.

A feedback shift register is made of a shift register and a feedback function.

The shift register is a sequence of m cells, b_0 to b_{m−1}, where each cell holds a single bit. The cells
are initialized to an m-bit word, called the initial value or the seed.

Every bit is shifted one cell to the right.

The rightmost cell, b_0, gives its value as output (k_i); the leftmost cell, b_{m−1}, receives its value from
the feedback function. We call the output of the feedback function b_m.

Linear Feedback Shift Register:

In a linear feedback shift register (LFSR), b_m is a linear function of b_0, b_1, …, b_{m−1}.

b_m = c_{m−1} b_{m−1} + … + c_2 b_2 + c_1 b_1 + c_0 b_0 (c_0 ≠ 0)

The addition operation is also the exclusive-or operation.

b_m = c_{m−1} b_{m−1} ⊕ … ⊕ c_2 b_2 ⊕ c_1 b_1 ⊕ c_0 b_0 (c_0 ≠ 0)
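
The LFSR defined above, written out as an added example that is not part of the original document: it generates the key stream, measures how many ticks pass before the register returns to its seed, and uses the key stream as a synchronous stream cipher. The 4-cell register, the coefficient choices, the seeds, and the use of exclusive-or for E and D are assumptions made for the illustration.

```python
def check(seed, taps):
    if len(seed) != len(taps) or taps[0] != 1:
        raise ValueError("need one coefficient per cell and c_0 = 1")


def step(state, taps):
    """One tick: output b_0, shift right, load b_m = XOR of (c_i AND b_i) into b_{m-1}."""
    feedback = 0
    for c, b in zip(taps, state):
        feedback ^= c & b
    return state[0], state[1:] + [feedback]


def keystream(seed, taps, n):
    """seed[i] is cell b_i and taps[i] is coefficient c_i; returns k_1 .. k_n."""
    check(seed, taps)
    state, out = list(seed), []
    for _ in range(n):
        bit, state = step(state, taps)
        out.append(bit)
    return out


def period(seed, taps):
    """Ticks until the register returns to its seed (c_0 = 1 guarantees it does)."""
    check(seed, taps)
    state, ticks = list(seed), 0
    while True:
        _, state = step(state, taps)
        ticks += 1
        if state == list(seed):
            return ticks


def xor_stream(bits, seed, taps):
    """Encrypts or decrypts: the same operation in both directions."""
    return [b ^ k for b, k in zip(bits, keystream(seed, taps, len(bits)))]


SEED = [1, 0, 0, 0]        # constructed: b_0 = 1, b_1 = b_2 = b_3 = 0
GOOD_TAPS = [1, 1, 0, 0]   # b_4 = b_1 XOR b_0, period 15 (maximum for m = 4)
WEAK_TAPS = [1, 1, 1, 1]   # b_4 = b_3 XOR b_2 XOR b_1 XOR b_0, period only 5
```

An all-zero seed never leaves the all-zero state, so the key stream is constant and the ciphertext equals the plaintext; the coefficient choice decides whether a nonzero seed reaches the maximum period of 2^m − 1.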

Nonlinear Feedback Shift Register:

The linear feedback shift register is vulnerable to attacks mainly because of its linearity.

An NLFSR has the same structure as an LFSR except that b_m is a nonlinear function of b_0, b_1,
…, b_{m−1}.

Combination:

A stream cipher can use a combination of linear and nonlinear structures.

Nonsynchronous Stream Ciphers:

In a nonsynchronous stream cipher, each key in the key stream depends on previous plaintext or
ciphertext.
