
Applied Cryptography

§ Diffusion
§ The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst
§ Rule of thumb → Permutations create diffusion
§ Confusion
§ Each digit of the plaintext and each digit of the secret key should influence many digits of the ciphertext
§ Rule of thumb → Substitutions create confusion

Side notes: Diffusion means that if we change a single bit of the plaintext, then about half of the bits in the ciphertext should change. Confusion means that each bit of the ciphertext should depend on several parts of the key.

§ Modern block ciphers are typically obtained by mixing substitutions and permutations to obtain both confusion and diffusion

§ How can we be sure an attacker will require a large amount of work to break a non-perfect system with every method?
§ This is a difficult question to which no unique or good single answer exists, as far as we know today…
§ … in practice, we try to make ciphers secure against all known attacks
§ This is typically the approach used to show the security of symmetric ciphers, both stream and block ciphers
§ An alternative is to show that breaking the cipher can be reduced to a computationally difficult problem
§ This is typically the approach used to show the security of public key ciphers


§ A block cipher is a keyed family of pseudorandom permutations
§ For each key, we have a single permutation that is independent of all the others
§ Design ways to choose 2^K permutations uniformly at random from the set of all (2^N)! permutations
§ As one can see from the table, it is obvious that block ciphers can only select a tiny fraction of all possible n-bit permutations

§ Goal
§ for a block cipher to be good, Eve should not be able to recover the key even using multiple
plaintext-ciphertext pairs

Key design principles

§ Diffusion
If a plaintext bit changes, several ciphertext bits should change
§ This is a basic demand on a block cipher, and ensures that the statistics
used are block statistics

§ Confusion
Every bit of the ciphertext should depend on several bits in the key
§ This can be achieved by ensuring that the system is nonlinear

§ Diffusion means that the output bits should depend on the input bits in a very
complex way
§ Ideally, if one bit of the plaintext is changed, then the ciphertext should change
completely, in an unpredictable or pseudorandom manner

§ Avalanche criterion
§ Flipping a fixed set of bits should change each output bit with probability one half

§ Strict avalanche criterion
§ For a randomly chosen input, if one flips the i-th bit, then the probability that the j-th output bit will change should be one half, for any i and j

§ Confusion refers to making the relationship between the key and
the ciphertext as complex and involved as possible

§ Goal: make it very hard to find the key even if one has a large number of plaintext-
ciphertext pairs produced with the same key
§ Each bit of the ciphertext should depend on the entire key, and in different ways on
different bits of the key
§ Changing one bit of the key should change the ciphertext completely

§ The simplest way to achieve both diffusion and confusion
§ The plaintext and the key often have a very similar role in producing the output, hence it is the same mechanism that ensures both diffusion and confusion
§ It takes a block of the plaintext and the key as inputs, and to produce the ciphertext block applies several alternating "rounds" or "layers" of
§ substitution boxes (S-boxes) and
§ permutation boxes (P-boxes)

§ S-boxes and P-boxes transform (sub-)blocks of input bits into output bits
§ It is common for these transformations to be operations that are efficient to perform in
hardware, such as xor and bitwise rotation
§ The key is introduced in each round, usually in the form of "round keys" derived from it
§ Decryption is done by simply reversing the process (using the inverses of the S-boxes
and P-boxes and applying the round keys in reverse order)

§ It substitutes a small block of bits by another block of bits
§ This substitution should be one-to-one, to ensure invertibility (hence decryption)
§ There are exceptions, as we will see for DES

§ In many cases, the length of the output is the same as the length of the input
§ In general this need not be so, as the case of DES (Data Encryption Standard) shows

§ An S-box is usually not just a permutation of the bits
§ Rather, a good S-box will have the property that changing one input bit will change about half of the output bits (with an avalanche effect)
§ It will also have the property that each output bit will depend on every input bit


§ It is a permutation of all the bits
§ It takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round
§ A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible

Side note: at each round, the round key (obtained from the key with some simple operations, for instance, using S-boxes and P-boxes) is combined using some group operation, typically XOR
S. Ranise - Security & Trust (FBK)
§ A single typical S-box or a single P-box alone does not have much cryptographic strength
§ A good SP network with several alternating rounds of S- and P-boxes already
satisfies Shannon’s Diffusion and Confusion
§ Diffusion: If one changes one bit of the plaintext, then it is fed into an S-box, whose output will
change at several bits, then all these changes are distributed by the P-box among several S-boxes,
hence the outputs of all of these S-boxes are again changed at several bits, and so on
§ Doing several rounds, each bit changes several times back and forth, therefore, by the end, the ciphertext has
changed completely, in a pseudorandom manner.
§ Confusion: changing one bit of the key changes several of the round keys, and every change in
every round key diffuses over all the bits, changing the ciphertext in a very complex manner


An S-box is inspired by a substitution cipher for characters, as it substitutes bits (the numbers of input and output bits may differ). An S-box may or may not be invertible. When it is, the number of input and output bits should be the same.

How to read an S-box table (figure: first S-box in DES, box S1; 6 input bits, 4 output bits)
• First and last bit are interpreted as row index
• Other four bits are interpreted as column index
• Given the 6 input bits, find the cell identified by row and column indexes (extracted as explained above) and read the binary equivalent of the integer in the cell
• Example: output 11, which written in base 2 is 1011
§ The definition of S-boxes may be obscure
§ This is so because the criteria for their design are not fully disclosed
§ Around 1976, NSA disclosed some of the properties of the S-boxes in DES:
§ Each row should be a permutation of the integers from 0 to 15
§ No S-box should be an affine or linear mapping of its input
§ Changing one input bit should change at least two output bits
§ …

§ It is unknown if more properties were used to design the S-boxes…


(Figure: three kinds of P-box with n inputs and m outputs)
A straight P-box (n = m) is invertible, whereas neither a compression P-box (n > m) nor an expansion P-box (m > n) is.

§ Although a P-box can use a key to identify one of the n! permutations, P-boxes are normally key-less as the mapping is pre-configured
§ Below are the n! = 3! possible definitions of a P-box of size 3


(Figure: compression P-box and expansion P-box)
(Figure: SP network; Si is an S-box and P is a P-box; 3 rounds or layers, and Kj is a key derived from the same key (KEY))
§ https://en.wikipedia.org/wiki/Block_cipher

§ Formalization

where k is the key size/length and n is the block size

• EK is a permutation (i.e. a bijective mapping) over the set of input blocks
• Each key selects one permutation from the set of (2^n)! possible permutations

Data Encryption Standard

DES standard original document (withdrawn):
https://csrc.nist.gov/csrc/media/publications/fips/46/3/archive/1999-10-25/documents/fips46-3.pdf
§ Based on the Feistel Structure
§ Named after the IBM cryptographer Horst Feistel and first implemented
in the Lucifer cipher by Horst Feistel and Don Coppersmith
§ It uses the same basic algorithm for both encryption and
decryption
§ It consists of multiple rounds of processing of the plaintext, with
each round consisting of a substitution step followed by a
permutation step
§ In each round
§ the right half of the block, R, goes through unchanged
§ the left half, L, goes through an operation that depends on R and the
encryption key
§ the operation carried out on the left half L is referred to as the Feistel
Function F
§ The permutation step consists of swapping the modified L and R


• There are 16 rounds, numbered from 1 to 15
• 0 identifies the plaintext
• 16 identifies the ciphertext

§ Let LEi and REi denote the output half-blocks at the end of the i-th round of
processing (E stands for encryption)
§ Relationship between the output of the i-th round and the output of the previous
(i-1)-th round:
Feistel function

where
§ the symbol ⊕ denotes xor
§ the symbol F denotes the operation that “scrambles” REi-1 of the previous round with the
round key Ki

§ The round key Ki is derived from the main encryption key (we will see how below)

§ Decryption is exactly the same as the encryption with
the only difference that the round keys are used in
the reverse order
§ Fact. The output of each round during decryption is the
input to the corresponding round during encryption,
except for the left-right switch between the two halves
§ This holds true regardless of the choice of the Feistel
function F

§ Proof
§ Let LDi and RDi denote the left half and the right half of the
output of the i-th round
§


Side note: the result is independent of the definition of the Feistel function F

§ Proof (continued)
§ Let LDi and RDi denote the left half and the right half of the output of the i-th round during decryption
§
§ Then
Side note: the output of the first round of decryption is the same as the input to the last stage of the encryption round
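The fact proved above can be checked mechanically. The Python below is an added example, not from the slides: a 16-bit Feistel cipher with a hypothetical, deliberately non-invertible round function feistel_f and a hypothetical round-key schedule round_keys; decryption is the same routine with the round keys reversed, and check_round_correspondence verifies (LDi, RDi) = (RE16-i, LE16-i) for every i.

```python
MASK8 = 0xFF
ROUNDS = 16


def feistel_f(right: int, round_key: int) -> int:
    """Hypothetical round function F (illustration only). It is deliberately
    NOT a bijection: x and 256-x square to the same byte. Decryption still
    works, which is the point of the slide's proof."""
    x = (right ^ round_key) & MASK8
    return ((x * x) ^ 0xA5) & MASK8


def round_keys(key: int, rounds: int = ROUNDS) -> list:
    """Hypothetical key schedule: round key i is the low byte of the 16-bit
    key rotated left by i positions."""
    keys = []
    for i in range(rounds):
        rotated = ((key << i) | (key >> (16 - i))) & 0xFFFF
        keys.append(rotated & MASK8)
    return keys


def feistel_rounds(block: int, keys: list) -> list:
    """Apply LE_i = RE_(i-1), RE_i = LE_(i-1) xor F(RE_(i-1), K_i) for each
    round key; return every intermediate (L, R) state, index 0 = input."""
    left, right = block >> 8, block & MASK8
    states = [(left, right)]
    for k in keys:
        left, right = right, left ^ feistel_f(right, k)
        states.append((left, right))
    return states


def feistel(block: int, keys: list) -> int:
    """All rounds followed by the final swap of the two halves, as in DES."""
    left, right = feistel_rounds(block, keys)[-1]
    return (right << 8) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, round_keys(key))


def decrypt(block: int, key: int) -> int:
    # Same routine, round keys in reverse order: no inverse of F is needed.
    return feistel(block, round_keys(key)[::-1])


def check_round_correspondence(block: int, key: int) -> bool:
    """The slide's fact: the output of decryption round i is the input of
    encryption round 17-i with halves swapped, (LD_i, RD_i) == (RE_16-i, LE_16-i)."""
    keys = round_keys(key)
    enc = feistel_rounds(block, keys)
    dec = feistel_rounds(encrypt(block, key), keys[::-1])
    return all(dec[i] == (enc[ROUNDS - i][1], enc[ROUNDS - i][0])
               for i in range(ROUNDS + 1))


def f_is_bijective(round_key: int = 0) -> bool:
    """Returns False here: the Feistel structure never needs F to be invertible."""
    return len({feistel_f(x, round_key) for x in range(256)}) == 256
```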

§ Adopted by NIST in 1977
§ Based on the Lucifer cipher developed earlier by IBM for Lloyd’s of London for
cash transfer
§ DES uses the Feistel cipher structure with 16 rounds of processing
§ DES uses a 56-bit encryption key
§ The key size was apparently dictated by the memory and processing constraints imposed
by a single-chip implementation of the algorithm for DES
§ The key itself is specified with 8 bytes, but one bit of each byte is used as a parity check

Parity checking (by example)
• if the original data is 1010001, there are three 1s
• when even parity checking is used, a parity bit with value 1 is added to the data's left side to make the number of 1s even; transmitted data becomes 11010001
• when odd parity checking is used, then the parity bit value is zero; transmitted data is 01010001
• in case data is transmitted incorrectly, the parity bit value becomes incorrect, thus indicating that an error has occurred during transmission

(Figure: Feistel function F)
§ The 32-bit right half of the 64-bit input data block is expanded into a 48-bit block
§ Expansion permutation step
1. divide the 32-bit block into eight 4-bit words
2. attach an additional bit on the left to each 4-
bit word that is the last bit of the previous 4-
bit word
3. attach an additional bit to the right of each 4-
bit word that is the beginning bit of the next
4-bit word
§ The 56-bit key is divided into two halves,
each half shifted separately, and the
combined 56-bit key permuted/contracted
to yield a 48-bit round key
§ Details will be given later


(Figure: Feistel function F)
§ The 48 bits of the expanded output produced by the Expansion permutation step are xor-ed with the round key
§ This is called key mixing

§ The output produced is broken into eight 6-bit words
§ Each six-bit word goes through a substitution step; its replacement is a 4-bit word
§ The substitution is carried out with an S-box

§ So after all the substitutions, we again end up with a 32-bit word

(Figure: Feistel function F)
§ The 32 bits of the previous step then go through a P-box based permutation
§ What comes out of the P-box is then XORed
with the left half of the 64-bit block that we
started out with
§ The output of this XOR operation gives us
the right half block for the next round

• The goal of the substitution step implemented by the S-box is to introduce diffusion in the generation of the output from the input
• The strategy used for creating the different round keys from the main key is meant to introduce confusion into the encryption process (we will see how below)

§ The 48-bit input word is divided into eight 6-bit words
§ Each 6-bit word is fed into a separate S-box
§ Each S-box produces a 4-bit output
§ The 8 S-boxes together generate a 32-bit output

§ Recall that the input 48 bits are obtained by xor-ing the output from the expansion permutation step with the round key

§ Each of the eight S-boxes consists of a 4 × 16 table lookup for an output 4-bit word
§ The first and the last bit of the 6-bit input word are decoded into one of 4 rows and
the middle 4 bits decoded into one of 16 columns for the table lookup

§ The goal of the substitution carried out by an S-box is to enhance diffusion
§ The expansion-permutation step expands a 32-bit block into a 48-bit block by attaching a bit at the beginning and a bit at the end of each 4-bit sub-block
§ the 2 bits for these attachments belong to the adjacent blocks
§ Note that the row lookup for each of the eight S-boxes becomes a function of the input bits for the previous S-box and the next S-box
(Figure: first S-box in DES, box S1, read as on the earlier slide: 6 input bits, first and last bit select the row, output 11 = 1011)


Side note: recall that in a chosen plaintext attack the attacker must be able to obtain ciphertexts for some set of plaintexts of their choosing

§ The S-boxes were tuned to enhance the resistance of DES to differential attacks
§ It is an instance of a chosen plaintext attack

§ Differential cryptanalysis of block ciphers consists of presenting to the encryption algorithm pairs of plaintext bit patterns with known differences between them and examining the differences between the corresponding ciphertexts
§ Typically the notion of difference between two plaintexts or ciphertexts is the XOR of the bits performed position-wise
§ Let X1 and X2 be two plaintexts related by a constant difference ∆X = X1 + X2, where + is the bitwise xor operator
§ The attacker computes the difference ∆Y = Y1 + Y2 of the ciphertexts Y1 and Y2 corresponding to the plaintexts X1 and X2, respectively

§ In an ideally randomizing block cipher, the probability of ∆Y being a particular
value for a given ∆X is 1/(2^n) for an n-bit block cipher
§ The probability of ∆Y taking on different values for a given ∆X can be shown to be
§ independent of the encryption key (because of the properties of the XOR operator)
§ but strongly dependent on the S-box tables

§ By feeding into a cipher several pairs of plaintext blocks with known ∆X and
observing the corresponding ∆Y, it is possible to discover parts of the round keys
§ Block ciphers should be shown resistant to this class of attacks
§ DES is surprisingly robust to differential attacks
§ It is believed that such an attack was known when designing DES…

§ If you want to have a deeper look at this kind of attack, you may consider reading the following tutorial introduction to (linear and) differential attacks:
http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf
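The S-box reading rule of the earlier slide, the disclosed design criteria and the key-independent distribution of ∆Y for a given ∆X can all be computed on DES's first S-box. The Python below is an added example, not from the slides: S1 is the published table from FIPS 46-3, and the function names are ours.

```python
from collections import Counter

# DES S-box S1 (FIPS 46-3): 4 rows x 16 columns, 6-bit input, 4-bit output.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(six_bits: int, box: list = S1) -> int:
    """Row index = first and last input bit (b5, b0); column = middle four bits."""
    assert 0 <= six_bits < 64
    row = ((six_bits >> 5) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]


def rows_are_permutations(box: list = S1) -> bool:
    """Disclosed criterion: each row is a permutation of 0..15."""
    return all(sorted(row) == list(range(16)) for row in box)


def min_output_bits_changed(box: list = S1) -> int:
    """Disclosed criterion: flipping one input bit changes at least two output
    bits. Returns the minimum number of output bits that change over all
    inputs and all single-bit flips."""
    best = 4
    for x in range(64):
        for bit in range(6):
            diff = sbox_lookup(x, box) ^ sbox_lookup(x ^ (1 << bit), box)
            best = min(best, bin(diff).count("1"))
    return best


def difference_distribution_table(box: list = S1) -> Counter:
    """ddt[(dx, dy)] = number of inputs x such that S(x) xor S(x xor dx) == dy.
    A round key k xor-ed into both inputs leaves dx unchanged and only
    relabels x, so the counts do not depend on the key; they depend only on
    the table, which is what the slide states about ∆Y."""
    ddt = Counter()
    for dx in range(64):
        for x in range(64):
            dy = sbox_lookup(x, box) ^ sbox_lookup(x ^ dx, box)
            ddt[(dx, dy)] += 1
    return ddt


def most_likely_differential(box: list = S1) -> tuple:
    """Best non-trivial (dx != 0) differential and its count out of 64 inputs.
    An ideal 6-to-4-bit S-box would spread each row over 16 values, i.e.
    about 4 per (dx, dy); entries well above 4 are what the attacker exploits."""
    ddt = difference_distribution_table(box)
    (dx, dy), count = max(((k, v) for k, v in ddt.items() if k[0] != 0),
                          key=lambda kv: kv[1])
    return dx, dy, count
```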

(Figure: the 32-bit P-box permutation table of the Feistel function, one row per output byte)
§ This table should be read as follows
§ the 0th output bit will be the 15th bit of the input
§ the 1st output bit the 6th bit of the input
§ and so on for all of the 32 bits of the output that are obtained from the 32 bits of the input
§ Each row of the table specifies how to select the input bits for the output byte corresponding to the row
§ Consider the second output byte
§ The first entry in the second row means that the 0th bit of the second output byte (or, equivalently, the 8th bit of the output) will be the 0th bit of the 32-bit input
§ …

(Figure: Key Permutation 1 table)
§ The 56-bit encryption key is represented by 8 bytes, with the least significant bit of each byte used as a parity bit
§ The relevant 56 bits are subject to a permutation before any round keys are generated
§ This is called Key Permutation 1 (see right)

§ The bit indexing is based on using the range 0-63 for addressing the bit positions in an 8-byte bit pattern in which the last bit of each byte is used as a parity bit
§ Each row has only 7 positions: the positions corresponding to the parity bit are not included above, i.e. position indexes 7, 15, 23, 31, 39, 47, 55, 63 are not shown
§ The table specifies that
§ the 0th bit of the output will be the 56th bit of the input (in a 64 bit representation of the 56-bit encryption key)
§ the 1st bit of the output the 48th bit of the input,
§ … and so on, until we have for the 55th bit of the output the 3rd bit of the input

Round number   Number of left shifts
 1             1
 2             1
 3             2
 4             2
 5             2
 6             2
 7             2
 8             2
 9             1
10             2
11             2
12             2
13             2
14             2
15             2
16             1

§ At the beginning of each round
§ we divide the 56 relevant key bits into two 28 bit halves and
§ circularly shift to the left each half by one or two bits, depending on the round, according to the table above
The key permutation with the one-bit or
two-bit rotation of the two key halves prior
to each round (previous slide) aims to
ensure that each bit of the original
encryption key is used in roughly 14 of
the 16 rounds

§ For generating the round key, we glue together the two halves
and apply a 56 bit to 48 bit contracting permutation (this is
referred to as Permutation Choice 2) to the joined bit
pattern
§ The resulting 48 bits constitute the round key

§ Key permutation 2
§ The bit addressing now spans the 0 through 55 index values for
the 56 bit key. Out of this index range, the permutation shown
above retains only 48 bits for the round key. Since there are only
six rows and there are 8 positions in each row, the output will
consist of 48 bits.
§ As for the permutation tables above, what is shown on the right is
not a table, in the sense that the rows and the columns do not carry
any special and separate meanings
§ The permutation order for the bits is given by reading the entries shown
from the upper left corner to the lower right corner

(Figure: Feistel function F)
§ The substitution step is very effective in supporting diffusion
§ If one changes just one bit of the 64-bit input data block, on the average it propagates out to affect 34 bits of the ciphertext block

§ The manner in which the round keys are generated from the encryption key is also very effective in supporting confusion
§ If one changes just one bit of the encryption key, on the average that affects 35 bits of the ciphertext

Avalanche effect


(Figure: Feistel function F)
§ The 56-bit encryption key means a key space of size 2^(56) ≈ 7.2 × 10^(16)
§ In a brute-force attack, a machine able to process 1,000 keys per microsecond (i.e. 10^(-6) second) would need roughly 13 months to break the code
§ Estimate based on average case reasoning: to discover the key, one would need to try half the keys
§ A parallel-processing machine trying 1 million keys simultaneously would need only about 10 hours
§ The EFF took three days on a machine with a special architecture to break the code
§ https://web.archive.org/web/20170507231657/https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html

§ DES was broken in 1999

§ NIST issued a new directive that year that required organizations to use Triple
DES, i.e. 3 consecutive applications of DES

§ The attack on DES prompted NIST to initiate the development of new standards for data encryption
§ The result is AES, which we will see later

§ Triple DES continues to enjoy wide usage in commercial applications even today
§ In the electronic payment industry, standards continue to use Triple DES
§ Example: EMV (Europay, Mastercard, and Visa)
§ Standard for smart payment cards and for payment terminals and automated teller
machines which can accept them

§ Triple DES will be disallowed after December 31, 2023.

§ To understand Triple DES, one needs to understand why it is not sufficient to consider only Two DES or Double DES…


§ A naive approach to increase the strength of a block cipher with short keys is to use two keys k1 and k2 instead of one and encrypt the block twice with them
§ The hope is that the scheme will provide the same security as a single key of length k1+k2, where (by abuse of notation) k1 and k2 also denote the lengths of the two keys
§ This is not the case because of the meet-in-the-middle attack
§ Instead of performing 2^(k1+k2) guesses…
§ Let

§ Decrypt the ciphertext C with k2 to derive the following equalities:

[apply decryption with k2 to both sides]
[simplify right hand side]

§ Now, considering the two sides of the equality, the attacker can compute
§ DECk2(C) for all possible values of k2 and
§ ENCk1(P) for all values of k1,
for a total of 2^k1 + 2^k2 operations (or 2^(k1+1) if k1 and k2 are the same size)
§ If the result from any of the ENCk1(P) operations matches a result from the DECk2(C) operations, the pair of k1 and k2 is possibly the correct key, called a candidate key
§ The attacker can determine which candidate key is correct by testing it with a second test-set of plaintext and ciphertext

§ Contrast the complexity 2^k1 + 2^k2 of this attack with that of the brute force method requiring 2^(k1+k2) = 2^k1 * 2^k2
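The operation count above can be made concrete on a cipher small enough to exhaust. The Python below is an added example, not from the slides: toy_enc/toy_dec are a hypothetical 16-bit-block, 12-bit-key cipher built only so that the 2^(k1+k2) = 2^24 key pairs of brute force can be compared with the 2^k1 + 2^k2 = 2^13 cipher calls the meet-in-the-middle table actually needs; it says nothing about DES itself.

```python
KEY_BITS = 12
MASK16 = 0xFFFF
MUL = 0x9E35                       # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)    # Python 3.8+


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK16


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK16


def _expand(k: int) -> int:
    # Hypothetical: spread the 12-bit key over 16 bits (odd multiplier keeps it injective)
    return (k * 0x2491 + 0x5A5A) & MASK16


def toy_enc(p: int, k: int) -> int:
    """Hypothetical toy block cipher (constructed for this example only)."""
    return _rotl(((p ^ _expand(k)) * MUL) & MASK16, 5)


def toy_dec(c: int, k: int) -> int:
    return ((_rotr(c, 5) * MUL_INV) & MASK16) ^ _expand(k)


def double_enc(p: int, k1: int, k2: int) -> int:
    """Double encryption: C = ENC_k2(ENC_k1(P))."""
    return toy_enc(toy_enc(p, k1), k2)


def meet_in_the_middle(pairs: list) -> tuple:
    """pairs: (P, C) pairs produced under the same unknown (k1, k2).
    Tabulate ENC_k1(P) for every k1, then look up DEC_k2(C) for every k2:
    a match gives a candidate key; further pairs weed out false candidates.
    Returns (surviving candidates, number of single-cipher operations)."""
    p0, c0 = pairs[0]
    ops = 0
    middle = {}
    for k1 in range(1 << KEY_BITS):           # 2^k1 encryptions
        middle.setdefault(toy_enc(p0, k1), []).append(k1)
        ops += 1
    candidates = []
    for k2 in range(1 << KEY_BITS):           # 2^k2 decryptions
        ops += 1
        for k1 in middle.get(toy_dec(c0, k2), ()):
            candidates.append((k1, k2))
    for p, c in pairs[1:]:                    # second test-set confirms the key
        candidates = [(k1, k2) for (k1, k2) in candidates
                      if double_enc(p, k1, k2) == c]
    return candidates, ops


def brute_force_pairs() -> int:
    """Number of (k1, k2) pairs exhaustive search would have to try."""
    return 1 << (2 * KEY_BITS)


def demo() -> tuple:
    k1, k2 = 0xABC, 0x123                    # the secret the attacker wants
    pairs = [(p, double_enc(p, k1, k2)) for p in (0x0001, 0xBEEF, 0x7A7A)]
    return meet_in_the_middle(pairs), (k1, k2)
```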


§ To avoid meet-in-the-middle attacks…

§ Triple DES uses a key bundle comprising 3 DES keys (K1, K2, K3), each one of 56 bits length
§ Encryption works as follows

§ i.e. perform encryption with K1, followed by a decryption with K2 and then encryption with K3

§ Decryption is the inverse, namely

§ i.e. perform decryption with K3, followed by an encryption with K2, and then decryption with K1
§ In each case the middle operation is the reverse of the first and last
§ Each triple encryption works on one block of 64 bits of data
§ Care should be put in selecting the keys in the key bundle
§ There are 3 possible options
1. All three keys are independent
§ Strongest option, still vulnerable to meet-in-the-middle but requires 2^(2*56) operations
2. K1 and K2 are independent but K3=K1
§ Similar to double DES and vulnerable to the same attack with equal complexity, deprecated
3. All three keys are equal
§ For backward compatibility with DES, forbidden

§ Additionally, some specific values for keys are forbidden

§ With these restrictions, Triple DES has been reapproved with keying options 1 and 2 only, although current best practice is to use only option 1, with keys generated by random generators

§ Block length: 128 bits
§ 3 different key lengths: 128, 192, or 256 bits
§ In the following, for simplicity, we assume the key length to be 128 bits
§ For other key lengths, the main difference is the key scheduling algorithm
§ Encryption consists of
§ 10 rounds for 128-bit keys
§ 12 rounds for 192-bit keys
§ 14 rounds for 256-bit keys

Side note
• Notified by NIST as a standard in 2001
• AES is a slight variation of the Rijndael cipher invented by two Belgian cryptographers, Daemen and Rijmen
• In 1999, Rijndael was shortlisted with 4 other ciphers to become the successor of DES:
• MARS from IBM
• RC6 from RSA Security
• Serpent by Anderson, Biham, and Knudsen
• Twofish by a team led by Schneier

§ Except for the last round, all other rounds are identical


State array of AES: organization of an AES block of 128 bits, or equivalently 16 keys (bytes), stored by column; each column is a word of 4 keys
key0 key4 key8  key12
key1 key5 key9  key13
key2 key6 key10 key14
key3 key7 key11 key15

Each round includes
1. one single-key based substitution step
2. a row-wise permutation step
3. a column-wise mixing step
4. the addition of the round key
§ The order of these steps is different for encryption and decryption

§ Each round takes an input state array and returns an output state array
§ The output state array produced by the last round is rearranged into a 128-bit output block
Side note: unlike DES, decryption differs substantially from encryption although similar transformations are used
Side note (figure: Feistel function F): the Feistel function, after key mixing, first applies a substitution and then a permutation

§ DES is based on the Feistel (substitution-permutation) network
§ DES involves substitutions and permutations
§ Permutations are based on the Feistel notion of dividing the input block into two halves, processing each half separately, and then swapping the two halves
§ AES uses a substitution-permutation network in a more general sense
§ Each round in AES involves key-level substitutions followed by word-level permutations
§ Like DES, AES is an iterated block cipher in which plaintext is subject to multiple rounds with each round applying the same overall transformation function to the incoming block

Side note: in an AES round, substitution is applied first, followed by two permutations (row and column wise), and then key mixing is done

§ Unlike DES, AES is an example of key-alternating block ciphers
§ Each round first applies a diffusion-achieving transformation operation to the entire incoming block, which is then followed by the application of the round key to the entire block
§ DES is based on the Feistel structure in which, for each round, one-half of the block passes
through unchanged and the other half goes through a transformation that depends on the
S-boxes and the round key
§ Key alternating ciphers lend themselves well to theoretical analysis of the security of the
ciphers
§ The substitution step in DES requires bit-level access to the block coming into a
round whereas all operations in AES are purely byte-level (which is good for fast
software implementations)
§ DES is a bit-oriented cipher
§ AES is a byte-oriented cipher

§ Since its introduction in 2001, all of the threats against the cipher remain
theoretical, i.e. their time complexity is way beyond what any computer system
will be able to handle for a long time to come
§ For the 128-bit key AES, the worst-case time complexity for a brute-force attack
would be 2^(128) which is beyond any practical implementation
§ A meet-in-the-middle attack is marginally better with 2^(126) which is also beyond
any practical implementation
§ Bogdanov, Khovratovich, Rechberger. Biclique Cryptanalysis of the Full AES. 2011

§ Many other attacks have been attempted based on algebraic techniques…

§ For full details on the AES design, the standard is available at https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf

(Figure: the 128-bit key as a 4 × 4 array of keys (bytes), stored by column; word0 … word3 are its columns, and the expanded schedule runs word0 … word43)
key0 key4 key8  key12
key1 key5 key9  key13
key2 key6 key10 key14
key3 key7 key11 key15

§ The 128-bit key is arranged in the form of an array of 4 * 4 keys (bytes):
§ Similarly to the input block, the first word from the key fills the first column of the array, and so on
§ The four column words of the key array are expanded into a schedule of 44 words
§ Details will be given later

§ Each round consumes four words from the key schedule
§ Recall that AES has 10 rounds with a key length of 128 bits
§ The first 4 words are used for adding to the input state array before any round can begin
§ The remaining 40 words are used for the 10 rounds

(Figure: encryption and decryption data flow; the input block is seen as a state array, the input key is expanded into word0, …, word3; word4, …, word7; …; word40, …, word43; the result is the output block)

§ Recall that key expansion generates 44 keys
§ The first 4 are mixed with the input blocks (AddRoundKey)
§ Encryption: the input state array is xor-ed with the first four words of the key schedule
§ Decryption: same as above except that the ciphertext state array is xor-ed with the last four words of the key schedule
§ The remaining 40 are used in each one of the 10 rounds
§ 4 at a time
§ Structure of each round

Side note: similar transformations are adopted in each round for encryption and decryption but they are not identical (one needs to consider inverses, and in a different order), unlike the case of DES

§ Encryption steps:
1. Substitute bytes
2. Shift rows
3. Mix columns
4. Add round key
§ Decryption steps:
1. Inverse shift rows
2. Inverse substitute bytes
3. Add round key
4. Inverse mix columns
§ Add round key: it consists of xor-ing the output of the previous 3 steps with 4 words from the key expansion/schedule
§ Note the differences between the order in which substitution and shifting operations are carried out in a decryption round vis-a-vis the order in which similar operations are carried out in an encryption round
§ The final round for encryption does not involve the "Mix columns" step
§ The final round for decryption does not involve the "Inverse mix columns" step

(Figure: SubBytes during encryption and InvSubBytes during decryption)
§ SubBytes for byte-by-byte substitution during encryption
§ InvSubBytes for the corresponding substitution during decryption

§ It consists of using a 16 × 16 lookup table to find a replacement byte for a given byte in the input state array
§ The entries in the lookup table are created by using the notions of multiplicative inverses in GF(2^8) and bit scrambling to eliminate the bit-level correlations inside each byte

§ To find the substitute byte for a given input byte, divide the input byte
into two 4-bit patterns, each yielding an integer value between 0 and
15
§ It is possible to represent these integers by their hex values 0 through F

§ One of the hex values is used as a row index and the other as a column
index for selecting one cell in a 16 × 16 lookup table

§ Fill each cell of the 16 × 16 table with the byte obtained by joining together its row
index and the column index
§ Both the row and column indexes of this table range from hexadecimal 0 to hexadecimal F

§ Here is a part of the table

0 1 2 3 4 5 6 7 8 9
0 00 01 02 03 04 05 06 07 08 09
1 10 11 12 13 14 15 16 17 18 19


§ Then, replace the value in each cell by its multiplicative inverse in GF(2^8)
based on the irreducible polynomial x^8 + x^4 + x^3 + x + 1
§ The hex value 00 is replaced by itself since it has no multiplicative inverse

§ Represent a byte stored in a cell of the table by b7b6b5b4b3b2b1b0 where b7 is the MSB and b0 the LSB

§ Example: the byte stored in the cell (9, 5) of the lookup table is the multiplicative inverse
of 95, i.e. 8A
§ The polynomial representation of 95 (bit pattern: 10010101) is x^7 + x^4 + x^2 + 1
§ The polynomial representation of 8A (bit pattern: 10001010) is x^7 + x^3 + x
§ Exercise: show that the product of the two polynomials modulo the irreducible polynomial
x^8 + x^4 + x^3 + x + 1 is indeed 1

§ Bit scrambling: apply the following transformation to each bit bi of the byte stored
in a cell of the lookup table

where ci is the i-th bit of a specially designated byte c whose hex value is 63, i.e.
the bit pattern is c7c6c5c4c3c2c1c0 ≡ 01100011
§ The transformation can also be described by a matrix multiplication over GF(2)
(additions are xor) followed by the addition of the constant c, i.e. it is an affine map

64

Requirements
1. The mapping defined by the lookup table must be invertible
§ the byte-to-byte mapping induced by the 16 × 16 table must be one-one, i.e., for each input
byte, there must be a unique output byte
§ To each output byte there must correspond only one input byte

2. No input byte should map to itself, since a byte mapping to itself would weaken the
cipher
§ Taking multiplicative inverses in the construction of the table does give us unique entries in the
table for each input byte except for 00 (for which no multiplicative inverse exists)
Role of the constant byte c
§ If it were not for the byte c, the bit scrambling step would leave the input byte 00
unchanged
§ With the mapping considered above, the 00 input byte is mapped to c i.e. 63 and, at the
same time, all other bytes are mapped one-to-one

65
§ The 16 × 16 table created as described above is the S-Box
§ The S-Box is the same for all the bytes in the state array
§ The steps that go into constructing the 16 × 16 lookup table are reversed for the
decryption table:
§ first apply the reverse of the bit-scrambling operation to each byte
§ then take the multiplicative inverse in GF(2^8)

§ Bit scrambling for decryption: carry out the following bit-level transformation in
each cell of the table

where di is the i-th bit of a specially designated byte d whose hex value is 05 or,
equivalently, the bit vector d7d6d5d4d3d2d1d0 = 00000101
66

§ Let Xin be a byte of the state array for which we want to define a substitute byte
Xout, i.e. Xout = f(Xin)
§ For encryption, the function f() involves two operations, the first nonlinear and
the second affine:
1. Find the multiplicative inverse X′ = Xin^(−1) in GF(2^8) (with 00 mapped to 00)
2. Scramble the bits of X′ by xor-ing X′ with
§ four different circularly rotated versions of itself and
§ a special constant byte c = (hex) 63
§ This can be expressed as follows: Xout = A · X′ + c, where A is a fixed 8 × 8 bit matrix
and the addition is xor

§ For decryption, the situation is similar except for the fact that one needs to first
apply the inverse bit scrambling operation to the byte and then find its multiplicative
inverse in GF(2^8)

67
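The S-box construction of the preceding slides, carried out in code as an added worked example (written for this page, not taken from the slides): it builds the encryption table from the GF(2^8) inverse followed by bit scrambling, builds the decryption table by applying the two inverse steps in the reverse order, and checks the two requirements (one-to-one, no byte mapped to itself). The slides describe the scrambling only in words; the rotation amounts used below (1, 2, 3 and 4 bits) and the decryption constant d = 05 are the values given in FIPS 197.

```python
# Added example (not from the slides): build the AES S-box and inverse S-box
# from the construction described above, then check the two requirements.
# Rotation amounts of the bit-scrambling (affine) step and the inverse
# constant 0x05 are taken from FIPS 197, the AES standard.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (the bit above bit 7 is x^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced modulo AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (xor) the modulus
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inverse(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 00 is mapped to 00 by convention."""
    if a == 0:
        return 0
    # a^254 = a^-1 because the multiplicative group has order 255.
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def scramble(x: int) -> int:
    """Bit scrambling for encryption: xor x with four rotated copies of itself
    and with c = 0x63 (the affine map of FIPS 197, section 5.1.1)."""
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4) ^ 0x63


def unscramble(y: int) -> int:
    """Inverse bit scrambling: the inverse affine map, with d = 0x05."""
    return rotl8(y, 1) ^ rotl8(y, 3) ^ rotl8(y, 6) ^ 0x05


# Forward S-box: inverse first, then scramble. Inverse S-box: unscramble
# first, then inverse (the order of the two steps is reversed).
SBOX = [scramble(gf_inverse(x)) for x in range(256)]
INV_SBOX = [gf_inverse(unscramble(y)) for y in range(256)]


def sub_byte(x: int) -> int:
    """Look up by splitting the byte into a row nibble and a column nibble,
    exactly as the 16 x 16 table is indexed."""
    row, col = x >> 4, x & 0x0F
    return SBOX[row * 16 + col]


def check_requirements() -> dict:
    """Requirement 1: the mapping is one-to-one. Requirement 2: no fixed points.
    Also confirms that unscramble really inverts scramble and that the two
    tables invert each other."""
    return {
        "bijective": sorted(SBOX) == list(range(256)),
        "no_fixed_points": all(SBOX[x] != x for x in range(256)),
        "affine_inverts": all(unscramble(scramble(x)) == x for x in range(256)),
        "tables_invert": all(INV_SBOX[SBOX[x]] == x for x in range(256)),
    }


if __name__ == "__main__":
    # The slide's example: the inverse of 95 is 8A, and 95 * 8A = 1 in GF(2^8)
    print(f"inverse of 95 = {gf_inverse(0x95):02X}, 95*8A = {gf_mul(0x95, 0x8A):02X}")
    print(f"S-box cell (9,5) = {sub_byte(0x95):02X}, S-box cell (0,0) = {sub_byte(0x00):02X}")
    print(check_requirements())
```

The "no fixed points" check is what the constant c buys: dropping the `^ 0x63` in `scramble` leaves 00 mapped to 00, and the check fails.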
68

§ ShiftRows for shifting the rows of the state array during encryption
§ InvShiftRows for the corresponding transformation during decryption

§ The goal is to scramble the byte order inside each 128-bit block

69
§ ShiftRows transformation consists of
1. not shifting the first row of the state array at all
2. circularly shifting the second row by one byte to the left
3. circularly shifting the third row by two bytes to the left
4. circularly shifting the last row by three bytes to the left

§ Recall that the input block is written column-wise
§ The first four bytes of the input block fill the first column of the
state array, the next four bytes the second column, etc
§ Shifting the rows as indicated scrambles up the byte order of the
input block
§ For decryption, the corresponding step (InvShiftRows) shifts the
rows by the same amounts in exactly the opposite direction

70

Notice that MixColumns is the 3rd step of an encryption round, while InvMixColumns
is the 4th step of a decryption round

§ MixColumns for mixing up of the bytes in each column separately during
encryption
§ InvMixColumns for the corresponding transformation during decryption

§ The goal is to further scramble up the 128-bit input block

§ The combination of the ShiftRows and MixColumns steps causes each bit of
the ciphertext to depend on every bit of the plaintext: MixColumns spreads a
change in one byte to all four bytes of its column, and ShiftRows then moves
those four bytes into four different columns, so full diffusion is reached
after two rounds, well within the 10 rounds of AES-128
§ Recall the avalanche effect
§ In DES, one bit of plaintext affected roughly 31 of the 64 bits of ciphertext
§ In AES, the goal is that each bit of the plaintext will affect every bit position of the
ciphertext block of 128 bits

71
§ This step replaces each byte of a column by a function of all the bytes in the same
column: each byte in a column is replaced by two times that byte, plus three
times the next byte, plus the byte that comes next, plus the byte that follows
§ The multiplications and the additions are meant to be carried out in GF(2^8)
§ For instance, ‘two times’ means multiplication by bit pattern 00000010 (hex 02) and
‘three times’ by bit pattern 00000011 (hex 03); addition is xor
§ The words ‘next’ and ‘follow’ refer to bytes in the same column, and their meaning is
circular, in the sense that the byte that is next to the one in the last row is the one in the
first row
§ The transformation can be compactly represented as the following matrix product,
with s0..s3 the bytes of a column, coefficients in hex and arithmetic in GF(2^8):

  [s′0]   [02 03 01 01] [s0]
  [s′1] = [01 02 03 01] [s1]
  [s′2]   [01 01 02 03] [s2]
  [s′3]   [03 01 01 02] [s3]

72
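ShiftRows and MixColumns (with their inverses) on a 4 × 4 state, as an added example written for this page and not taken from the slides. Multiplication by the fixed constants is done with "multiply by 02" only, which is how the "two times" and "three times" of the slide are usually implemented; the InvMixColumns coefficients 0E 0B 0D 09 and the test column D4 BF 5D 30 → 04 66 81 E5 are taken from FIPS 197, not from the slides. The last function measures the diffusion claim of slide 71: it counts how many state bytes a single-byte change reaches after one and after two applications of the two linear steps (4, then all 16).

```python
# Added example (not from the slides): ShiftRows, MixColumns and their inverses
# on a 4 x 4 state of bytes, followed by a check of the diffusion claim made
# above. Multiplication by the fixed constants is done with xtime (multiply by
# 02) only. The InvMixColumns coefficients 0E 0B 0D 09 and the test vector
# column come from FIPS 197, not from the slides.


def xtime(a: int) -> int:
    """Multiply by 02 in GF(2^8): shift left, reduce by x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def mul(a: int, k: int) -> int:
    """Multiply a by a small constant k (1..15) by combining powers of 02."""
    result = 0
    for bit in range(4):
        if k & (1 << bit):
            result ^= a
        a = xtime(a)
    return result


def mix_column(col: list) -> list:
    """s'_r = 02*s_r + 03*s_{r+1} + s_{r+2} + s_{r+3}, indices mod 4."""
    return [mul(col[r], 2) ^ mul(col[(r + 1) % 4], 3)
            ^ col[(r + 2) % 4] ^ col[(r + 3) % 4] for r in range(4)]


def inv_mix_column(col: list) -> list:
    """Inverse matrix: first row 0E 0B 0D 09, circulated like the forward one."""
    return [mul(col[r], 14) ^ mul(col[(r + 1) % 4], 11)
            ^ mul(col[(r + 2) % 4], 13) ^ mul(col[(r + 3) % 4], 9)
            for r in range(4)]


# The state is a list of 16 bytes in column-major order: byte 4*c + r sits in
# row r, column c, as the slides describe ("the first four bytes fill the
# first column").
def mix_columns(state: list) -> list:
    out = []
    for c in range(4):
        out += mix_column(state[4 * c:4 * c + 4])
    return out


def inv_mix_columns(state: list) -> list:
    out = []
    for c in range(4):
        out += inv_mix_column(state[4 * c:4 * c + 4])
    return out


def shift_rows(state: list, inverse: bool = False) -> list:
    """Row r is rotated left by r bytes (right by r bytes for the inverse)."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[4 * c + r] = state[4 * src + r]
    return out


def bytes_affected(rounds: int) -> int:
    """How many of the 16 state bytes differ after `rounds` applications of
    ShiftRows+MixColumns when the two inputs differ in a single byte. Both
    steps are linear, so the count does not depend on the actual bytes."""
    a = [0] * 16
    b = [0] * 16
    b[0] = 0x01                       # one-byte difference in row 0, column 0
    for _ in range(rounds):
        a = mix_columns(shift_rows(a))
        b = mix_columns(shift_rows(b))
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    col = [0xD4, 0xBF, 0x5D, 0x30]            # FIPS 197 appendix B, round 1
    mixed = mix_column(col)
    print("MixColumns:", [f"{v:02X}" for v in mixed])
    print("round trip:", inv_mix_column(mixed) == col)
    print("bytes affected after 1 and 2 rounds:", bytes_affected(1), bytes_affected(2))
```

Because both steps are linear over GF(2), the difference between two states propagates independently of SubBytes; this is why the count of affected bytes is exact and why two rounds already give full diffusion.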

Notice that AddRoundKey is the 4th step of an encryption round, while in a
decryption round it is the 3rd step

§ AddRoundKey for adding the round key to the output of the
previous step during encryption
§ AddRoundKey (sometimes called InvAddRoundKey) for the inverse add round key
transformation during decryption: since the round key is xor-ed into the state,
the step is its own inverse

73
§ Each round has its own round key that is derived from the original 128-bit
encryption key as described in the following
§ One of the four steps of each round, for both encryption and decryption, involves
the xor-ing of the round key with the state array
§ The AES Key Expansion algorithm is used to derive the 128-bit round key for each
round from the original 128-bit encryption key

§ The logic of the key expansion algorithm is designed to ensure that if one changes
one bit of the encryption key, it should affect the round keys for several rounds

74

§ In the same manner as the 128-bit input block is arranged in the
form of a state array, the algorithm first arranges the 16 bytes of
the encryption key in the form of a 4 × 4 array of bytes

§ The first four bytes of the encryption key constitute the word w0
§ The next four bytes the word w1
§ The next four bytes the word w2
§ The last four bytes the word w3

75
§ The algorithm subsequently expands the words [w0, w1,
w2, w3] into a 44-word key schedule:
w0, w1, w2, w3, ................., w43
§ The first four words w0, w1, w2, w3 are bitwise xor-ed
with the input block before the round-based processing
begins
§ The remaining 40 words w4, …, w43 of the key schedule
are used 4 words at a time in each of the 10 rounds

76

§ The description in the previous slide
is for encryption
§ However, the same holds for
decryption except for the fact that
the order of the words in the key
schedule is reversed
§ The last four words of the key schedule
(w40, …, w43) are bitwise xor-ed with the 128-bit
ciphertext block before any round-
based processing begins
§ Subsequently, the remaining 40 words of the key
schedule are used four at a time, in reverse
order, in each of the ten rounds of processing

77
§ How does the Key Expansion Algorithm expand four words w0, w1, w2, w3 into the
44 words w0, w1, w2, w3, w4, w5, ........, w43 ?

§ High-level answer
§ The key expansion takes place on a 4-word to 4-word basis, in the sense that each
grouping of 4 words decides what the next grouping of 4 words will be

§ Detailed answer…

78

§ The core of the key expansion algorithm is a procedure for generating the four
words of the round key for a given round from the corresponding four words of the
round key for the previous round
§ Assume we have the four words of a round key, starting at index i
w(i) w(i+1) w(i+2) w(i+3)
§ Notice that i must be a multiple of 4, since the four words starting at w(i) constitute the
key for round i/4
§ Examples
§ w4, w5, w6, w7 form the key for round 1
§ w8, w9, w10, w11 form the key for round 2
§ …

§ We are going to describe how to determine the words w(i+4) w(i+5) w(i+6) w(i+7)
from w(i) w(i+1) w(i+2) w(i+3)

79
§ The transformation can be graphically depicted as follows for rounds 0, 1, 2,…

Notice how the values of the words at the previous round
are used to compute the words for the next round by
using xor and the function g

80

§ The function g(.) is defined on top of the lookup
table of the SubBytes transformation

§ Mathematically, the transformation from the grouping w(i) … w(i+3) to the
next grouping w(i+4) … w(i+7) is expressed as follows:
w(i+4) = w(i) xor g(w(i+3))
w(i+5) = w(i+1) xor w(i+4)
w(i+6) = w(i+2) xor w(i+5)
w(i+7) = w(i+3) xor w(i+6)

§ Except for the first word in a new 4-word grouping, each word is obtained by xor-
ing the previous word and the corresponding word in the previous 4-word
grouping
§ The first word of the new 4-word grouping is obtained by xor-ing the first word of
the last grouping with what is returned by applying a function g() to the last word of
the previous 4-word grouping
81
§ The function g() consists of the following three steps:
1. Perform a one-byte left circular rotation on the argument 4-byte word
2. Perform a byte substitution for each byte of the word returned by the previous step by
using the same 16 × 16 lookup table as used in the SubBytes step of the encryption
rounds
3. xor the bytes obtained from the previous step with a round constant
§ The round constant is a word whose three rightmost bytes are always zero
§ xor-ing with the round constant amounts to xor-ing with just its leftmost byte

The addition of the round constants is for the purpose of destroying any symmetries
that may have been introduced by the other steps in the key expansion algorithm

§ The round constant for the i-th round is Rcon[i] and is defined as follows
§ Rcon[i] = (RC[i], 00, 00, 00)
where RC is such that RC[1] = 01 and RC[j] = 02 × RC[j − 1], the multiplication being in GF(2^8)
§ Observe that the multiplication by 02 can be interpreted as a multiplication by x of the
polynomial corresponding to RC[j − 1], so that RC[1..10] = 01, 02, 04, 08, 10, 20, 40, 80, 1B, 36
(the reduction by x^8 + x^4 + x^3 + x + 1 kicks in at RC[9])
82
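The key expansion of slides 78 to 82 in code, as an added example written for this page (not code from the slides): the function g() with its rotation, substitution and round constant, and the word-by-word schedule that produces 44 words from a 128-bit key. It goes slightly beyond the slides in two ways, both taken from FIPS 197 rather than from the page: the loop is written for Nk = 4, 6 or 8 key words (AES-128/192/256, giving 44, 52 or 60 words), and the extra SubWord applied when i mod 8 = 4 for 256-bit keys is included. The S-box is rebuilt here in a compact log/antilog form so that the block runs on its own; the check values are the FIPS 197 Appendix A.1 key and its expansion.

```python
# Added example (not from the slides): the AES key expansion described above,
# written for the general key sizes Nk = 4, 6, 8 words (AES-128/192/256) of
# FIPS 197. The S-box is rebuilt here in a compact form (log/antilog tables
# over the generator 03) so the block runs on its own; the extra SubWord rule
# for 256-bit keys (i mod 8 == 4) comes from FIPS 197, not from the slides.


def _xtime(a: int) -> int:
    """Multiply by 02 in GF(2^8) with the AES polynomial."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _build_sbox() -> list:
    """S-box = affine map of the GF(2^8) inverse. 03 generates the
    multiplicative group, so exp[i] = 03^i and inverse(a) = 03^(255 - log a)."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):
        exp[i] = x
        log[x] = i
        x ^= _xtime(x)                       # x = x * 03
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox = []
    for a in range(256):
        inv = 0 if a == 0 else exp[(255 - log[a]) % 255]
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox


SBOX = _build_sbox()


def rot_word(w: int) -> int:
    """One-byte left circular rotation of a 32-bit word."""
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF


def sub_word(w: int) -> int:
    """SubBytes applied to each of the four bytes of the word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def rcon(j: int) -> int:
    """Rcon[j] = (RC[j], 00, 00, 00) with RC[1] = 01 and RC[j] = 02 * RC[j-1]."""
    rc = 1
    for _ in range(j - 1):
        rc = _xtime(rc)
    return rc << 24


def g(w: int, j: int) -> int:
    """The function g(): rotate, substitute, xor the round constant."""
    return sub_word(rot_word(w)) ^ rcon(j)


def key_expansion(key: bytes) -> list:
    """Expand a 16/24/32-byte key into 4*(Nr+1) words (44 for AES-128)."""
    nk = len(key) // 4
    nr = {4: 10, 6: 12, 8: 14}[nk]
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = g(temp, i // nk)          # first word of a new grouping
        elif nk > 6 and i % nk == 4:
            temp = sub_word(temp)            # AES-256 only: extra SubWord
        w.append(w[i - nk] ^ temp)
    return w


def round_keys(key: bytes) -> list:
    """Group the schedule four words at a time: round_keys[r] is round r's key."""
    w = key_expansion(key)
    return [w[4 * r:4 * r + 4] for r in range(len(w) // 4)]


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS 197 A.1
    for r, rk in enumerate(round_keys(key)):
        print(r, " ".join(f"{x:08x}" for x in rk))
```

For Nk = 4 the grouping of four words coincides with one round key, which is the one-to-one correspondence between key expansion and rounds mentioned on the next slide; for Nk = 6 the step `i % nk == 0` fires every six words, so g() is no longer applied once per round.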

§ The nice property of the 128-bit key is that one can think of the key expansion
being in one-to-one correspondence with the rounds
§ This is no longer the case with 192-bit keys (six words of key expand into 52 words)
and one has to think of key expansion as something that is not in sync with the
round-based processing of the input block
§ The key expansion algorithm is designed so that AES has no known weak keys
§ A weak key reduces the security of a cipher in a predictable manner
§ Example
§ DES is known to have weak keys (e.g., keys whose two 28-bit halves after PC-1 are all zeros
or all ones) that produce identical round keys for each of the 16 rounds
§ With all the round keys identical, encryption becomes self-inverting, i.e. plaintext
encrypted and then encrypted again leads back to the same plaintext

83
§ Cryptographers are constantly probing AES for weaknesses
§ This is essential, because if it were not being thoroughly tested by academics, then
criminals or nation states could eventually find a way to crack it without the rest of
the world knowing
§ So far, researchers have only uncovered theoretical breaks (on reduced-round
versions or under strong attacker assumptions) and side channel attacks on
implementations

84

§ In 2009, a series of related-key attacks were discovered
§ These involve observing how a cipher operates under different keys that are related
in a way chosen by the attacker
§ They apply to AES-192 and AES-256 (not AES-128) and are only possible in protocols
that let an attacker obtain encryptions under such related keys, which properly
designed protocols do not
§ More information at http://www.cs.haifa.ac.il/~orrd/RK-Attacks.pdf

§ In 2009, there was a known-key distinguishing attack against an eight round
version of AES-128
§ This attack uses a key that is already known in order to exhibit non-random structure
in the cipher
§ As this attack was only against an eight round version, there is not much to worry about
for everyday users of AES-128
§ More information at
https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=31551

85
§ There have been several other theoretical attacks, but under current technology
they would still take billions of years to carry out
§ This means that no practical break of full-round AES is known at the moment
§ Despite this, AES can still be vulnerable if it is not implemented properly,
especially with respect to side-channel attacks (e.g., timing leaks from
table lookups that depend on secret data)

§ Brute force attacks on keys are out of reach for the moment, especially if we
consider AES-256
§ The size of the key space is 2^256, i.e. around 1.16 × 10^77

86

§ Initially, the 64-bit plaintext undergoes an initial permutation which
rearranges the bits to get the 64-bit permuted input
§ The 64-bit permuted input is divided into two halves, i.e. a 32-bit left
portion and a 32-bit right portion
§ The two halves then go through 16 rounds, where each round applies the
same Feistel transformation with a different 48-bit round key
§ After completion of the sixteen rounds, the final permutation (the inverse
of the initial one) is applied and the 64-bit ciphertext is obtained

87
§ AES takes a 128-bit plaintext block, which is depicted as a 4 × 4 square
matrix of bytes (the state), and a 128-bit secret key (192- and 256-bit
keys are also allowed, with 12 and 14 rounds respectively)
§ The 4 × 4 matrix undergoes an initial AddRoundKey transformation that
is followed by 10 rounds
§ The first 9 rounds are structured as follows:
§ SubBytes uses the S-box to perform a byte-by-byte substitution of the
entire block (matrix)
§ ShiftRows: rows of the matrix are circularly shifted to the left
§ MixColumns: the four bytes of each column are mixed by a linear
transformation over GF(2^8)
§ AddRoundKey: the xor of the current block and the round key taken from
the expanded key is performed
§ The last (10th) round involves SubBytes, ShiftRows and AddRoundKey
stages only and provides the 16-byte (128-bit) ciphertext

88

§ The basic difference between DES and AES is that the block in DES is divided into
two halves before further processing whereas in AES entire block is processed to
obtain ciphertext
§ The DES algorithm works on the Feistel Cipher principle and the AES algorithm
works on substitution and permutation principle
§ The key size of DES is 56 bits, which is comparatively smaller than AES, which has a
128-, 192-, or 256-bit secret key
§ The rounds in DES include Expansion Permutation, Xor, S-box, P-box, Xor and Swap
whereas rounds in AES include Subbytes, Shiftrows, Mix columns, Addroundkeys
§ DES is less secure than AES because of the small key size and the relatively small
block size
§ AES is comparatively faster than DES

89
