CSF352: Number Theory and Cryptology

Session: 2024-25

B. Tech (CSE) 5th Semester

Course Instructor Course Coordinator

Dr. Parul Saini Dr. Parul Saini

Assistant Professor, School Assistant Professor, School
of Computing of Computing
 Unit –II
Modern ciphers: Block ciphers and their applications, Structure of a
block cipher, The Fiestel structure, Key and block size length, The Data
Encryption Standard (DES), Double DES, Triple DES, AES.
Modern Block Ciphers
• A block of plaintext is treated as a whole and used to produce a
ciphertext block of equal length. Typically, a block size of 64 or 128
bits is used.
• Applications of Block Ciphers:
• Data Encryption: Encrypting sensitive data like financial transactions and
personal data (e.g., AES encryption for secure communications).
• Digital Signatures: Verifying the integrity of data and ensuring authenticity
(combined with other cryptographic algorithms).
• Secure Network Protocols: Used in protocols like IPsec, SSL/TLS for secure
communication.
• Cryptographic Primitives: Block ciphers are used as building blocks for hash
functions and pseudo-random number generators.
Structure of Block Cipher: Feistel Structure

• Substitution (S-Box): Each plaintext element or group of elements is

uniquely replaced by a corresponding ciphertext element or group of
elements.
• Permutation (P-Box): A sequence of plaintext elements is replaced by
a permutation of that sequence. That is, no elements are added or
deleted or replaced in the sequence, rather the order in which the
elements appear in the sequence is changed.
• Claude Shannon develop confusion and diffusion concept
• Confusion :
• Property of making the relationship between the key and the
ciphertext as complex as possible.
• Making it difficult for an attacker to reverse-engineer the key from
the ciphertext.
• Confusion is achieved through substitution techniques (S-boxes),
where plaintext bits are replaced with other values based on the
key, creating non-linear transformations.
• In many block ciphers, confusion is introduced by applying
multiple layers of substitution in combination with key mixing.
• Diffusion:
• Property of spreading the influence of each plaintext bit over
many ciphertext bits
• Diffusion ensures that the output is highly scrambled.
• Block ciphers achieve diffusion through techniques like
permutations (P-boxes) and the use of multiple rounds of
processing.
• In each round, bits of the block are rearranged and mixed.
Feistel Cipher Structure

• Feistel proposed a scheme to produce a

block cipher using permutation and
substitution alternatively. The inputs to
the encryption algorithm are a plaintext
block of length 2w bits and a key Ki. The
plaintext block is divided into two halves,
LE0 and RE0. The two halves of the data
pass through rounds of processing and
then combine to produce the ciphertext
block.
Working of Feistel Cipher Structure
• A substitution is performed on the left half of the data. This is done
by applying a round function F to the right half of the data and then
taking the exclusive-OR of the output of that function and the left half
of the data. The round function has the same general structure for
each round but is parameterized by the round subkey Ki. Permutation
is performed that consists of the interchange of the two halves of the
data.
• The input block to each round is divided into two halves that can be denoted as L
and R for the left half and the right half.
• In each round, the right half of the block, R, goes through unchanged. But the left
half, L, goes through an operation that depends on R and the encryption key.
First, we apply an encrypting function ‘f’ that takes two input − the key K and R.
The function produces the output f(R,K). Then, we XOR the output of the
mathematical function with L.
• In real implementation of the Feistel Cipher, such as DES, instead of using the
whole encryption key during each round, a round-dependent key (a subkey) is
derived from the encryption key. This means that each round uses a different key,
although all these subkeys are related to the original key.
• The permutation step at the end of each round swaps the modified L and
unmodified R. Therefore, the L for the next round would be R of the current
round. And R for the next round be the output L of the current round.
• Above substitution and permutation steps form a ‘round’. The number of rounds
are specified by the algorithm design.
• Once the last round is completed then the two sub blocks, ‘R’ and ‘L’ are
concatenated in this order to form the ciphertext block.
Decryption Process
• The process of decryption in Feistel cipher is almost similar. Instead of
starting with a block of plaintext, the ciphertext block is fed into the start of
the Feistel structure and then the process thereafter is exactly the same as
for encryption.
• The process is said to be almost similar and not exactly same. In the case of
decryption, the only difference is that the subkeys used in encryption are
used in the reverse order.
• The final swapping of ‘L’ and ‘R’ in last step of the Feistel Cipher is essential.
If these are not swapped then the resulting ciphertext could not be
decrypted using the same algorithm.
• Number of Rounds
• The number of rounds used in a Feistel Cipher depends on desired security from the
system. More number of rounds provide more secure system. But at the same time,
more rounds mean the inefficient slow encryption and decryption processes.
Number of rounds in the systems thus depend upon efficiency–security tradeoff.
Data Encryption Standard (DES)

• Symmetric block cipher

• Based on Fiestal Structure
• 56-bit key, 64-bit input block, 64-bit output block
• Developed in 1977 by National Institute of Standards and Technology
(NIST); designed by IBM (Lucifer) with input from National Security
Agency (NSA)
General Structure

It consists of :
1. Initial Permutation
2. 16 Rounds
3. Round Key generator
4. Final Permutation
1. Initial Permutation
• It takes a 64-bit input and
permutes them according
to a predefined rule as
shown in Table.
2. Round Structure
• DES uses 16 rounds. Each round of DES
is a Feistel cipher, as shown in Figure.
• The round i takes Li−1 and Ri−1 from
previous round (or the initial
permutation box) and creates Li and Ri,
which go to the next round (or final
permutation box).
• The DES function F applies a 48-bit key
Ki to the rightmost 32 bits (Ri−1) to
produce a 32-bit output. This function
is made up of four sections:
1. An expansion P-box
2. A XOR Operation
3. A group of S-boxes, and
4. A straight P-box
 a. Expansion permutation

This expansion permutation follows a

predetermined rule. For each section,
input bits 1, 2, 3, and 4 are copied to
output bits 2, 3, 4, and 5,
respectively. Output bit 1 comes from
bit 4 of the previous section; output
bit 6 comes from bit 1 of the next
section. If sections 1 and 8 can be
considered adjacent sections, the
same rule applies to bits 1 and 32.
 b. XOR Operation
• After the expansion permutation, DES uses the XOR operation on the
expanded right section and the round key. Note that both the right
section and the key are 48-bits in length. Also note that the round key
is used only in this operation.
 c. S-boxes

The S-boxes do the real mixing (confusion). DES

uses 8 S-boxes, each with a 6-bit input and a 4-
bit output. The 48-bit data from the second
operation is divided into eight 6-bit chunks, and
each chunk is fed into a box. The result of each
box is a 4-bit chunk; when these are combined
the result is a 32-bit output. The substitution in
each box follows a pre-determined rule based
on a 4-row by 16-column table. The
combination of bits 1 and 6 of the input defines
one of four rows; the combination of bits 2
through 5 defines one of the sixteen columns
 S-boxes Contd.
• Because each S-box has its own table, we need eight tables, shown in upcoming
slides, to define the output of these boxes. The values are given as decimal numbers
to save space. These need to be changed to binary.
• Example : Consider S1 box below

• The input to S-box 1 is 100011. What is the output?

• Row = 11 (3) , Column = 0001 (1)
• Output from table = 12
• Binary of 12 = 1100
• So the output of 10011 is 1100
S1 Box

• The input to S-box 1 is 100011. What is the output?

• Row = 11
• Column = 0001
• Output from table = 12
• Binary of 12 = 1100
S-boxes are:
d. Straight permutation table

• The last operation in the DES function is a straight permutation with a

32-bit input and a 32-bit output.
• The input/output relationship for this operation is shown in table
above.
3. Round Key generation

a) Parity Drop
b) Shift Left
a) Parity Drop
a) It drops the parity bits
(bits 8, 16, 24, 32, …, 64)
b) The remaining 56-bit value is the actual cipher key which is used to generate
round keys.
Parity-bit drop table
b) Shift Left
• After the parity drop, the key is divided into two 28-bit parts. Each
part is shifted left (circular shift) one or two bits. In rounds 1, 2, 9, and
16, shifting is one bit; in the other rounds, it is two bits. The two parts
are then combined to form a 56-bit part.
Compression Permutation (P-Box)
• The compression permutation (P-box) changes the 58 bits to 48 bits,
which are used as a key for a round.
Importance of Feistal structure in DES
1. Simplicity of Design
• One of the main advantages of the Feistel structure is that encryption and decryption
use the same algorithm. In DES, the only difference between encryption and
decryption is the order in which the round keys are applied. This makes the design
efficient and elegant because no separate algorithm is needed for decryption. During
decryption, the keys are simply applied in reverse order, and the swapping of left and
right halves is maintained.
2. Confusion and Diffusion
• Confusion: This ensures that the relationship between the plaintext,
ciphertext, and encryption key is as complex as possible. In DES, confusion is
achieved through the substitution step in the round function. The round
function in DES includes S-boxes (substitution boxes), which perform a non-
linear transformation of the input.
• Diffusion: Diffusion ensures that the influence of each bit of the plaintext and
the key is spread across many bits of the ciphertext. The Feistel structure
enhances diffusion because every bit of the input can influence every bit of
the output after a few rounds. The permutation step in DES enhances this
diffusion, scrambling the bits to ensure widespread influence.
3. Key Symmetry and Reversibility
• The Feistel structure is symmetric, meaning that it allows for easy reversibility
of the process. In DES, once the encryption is complete, decryption can be
achieved by running the Feistel structure in reverse:
• In encryption, the round keys K1,K2,…,K16K_1, K_2, \dots, K_{16}K1​,K2​,…,K16
are applied in a forward direction.
• During decryption, the round keys are applied in reverse order
K16,K15,…,K1K_{16}, K_{15}, \dots, K_1K16​,K15​,…,K1.
• Because the Feistel structure only relies on the XOR operation (which is its
own inverse), the decryption process is simple and efficient. This is one of the
most important reasons why Feistel ciphers, like DES, are widely used.
4. Resistance to Cryptanalysis:
• The Feistel structure allows DES to withstand various types of attacks,
including differential and linear cryptanalysis. The repeated rounds and key
mixing ensure that even if a part of the input is known, recovering the key
remains difficult.
• Efficient Block Cipher Construction
The Feistel structure allows for the construction of a block cipher that is:
• Efficient: Feistel networks require simple operations like XOR and bit shifts,
making them suitable for implementation in hardware and software.
• Modular: The structure allows for a flexible number of rounds, which can be
increased to improve security without changing the basic framework.
• Block Cipher Foundation
• DES, based on the Feistel network, laid the groundwork for other block
ciphers, such as Triple DES (3DES) and later modern algorithms like AES
(though AES does not use a Feistel structure).
DES ANALYSIS
• Avalanche Effect
• a small change in the plaintext (or key) should create a significant change in
the ciphertext. DES has been proved to be strong with regard to this property.
• Completeness
• Each bit of ciphertext depends on many bits of plaintext.
• Design Criteria
• The design of DES was revealed by IBM in 1994.
• S-Boxes, P-Boxes and 16 rounds.
DES Weaknesses
• Weakness has been found in the design of the cipher:
• Two chosen input to an S-box can create the same output.
• The purpose of initial and final permutation is not clear.
• Key Size: brute-force attack on a given ciphertext block, the adversary
needs to check 256 keys.
• Using parallel processing, we can test the whole key domain in approximately
20 hours
• In history:
• A special computer was built in 1998 that found the key in 112 hours.
• In 1977 a team of researchers used 3500 computers attached to the Internet to find a
key challenged by RSA Laboratories in 120 days.
Weak Keys
• A weak key is the one that, after parity drop operation, consists either of all
0s, all 1s, or half 0s and half 1s.

• The round keys created from any of these weak keys are the same and have
the same pattern as the cipher key.
• If we encrypt a block with a weak key and subsequently encrypt the result
with the same weak key, we get the original block.
Cryptanalysis
Various types of cryptanalytic attacks based on the amount of information
known to the cryptanalyst.
• Cipher text only – A copy of cipher text alone is known to the
cryptanalyst.
• Known plaintext – The cryptanalyst has a copy of the cipher text and the
corresponding plaintext.
• Chosen plaintext – The cryptanalysts gains temporary access to the
encryption machine. They cannot open it to find the key, however; they
can encrypt a large number of suitably chosen plaintexts and try to use
the resulting cipher texts to deduce the key.
• Chosen cipher text – The cryptanalyst obtains temporary access to the
decryption machine, uses it to decrypt several string of symbols, and tries
to use the results to deduce the key.
Double DES
• In this approach, we use two instances of DES ciphers for encryption
and two instances of reverse ciphers for decryption.
• Each instances use a different key.
• The size of the key is doubled.
• There are issues of reduction to single stage.
• However, double DES is vulnerable to meet-in-the-middle attack.
• Given a plaintext P and two encryption keys 𝐾1 and 𝐾2, a cipher text
can be generated as,
C = E(𝐾2, E(𝐾1, P))
• Decryption requires that the keys be applied in reverse order,
P = D(𝐾1, D(𝐾2, C))
• Reduction to single stage:
• DES is not a group; i.e., Double DES is not equivalent to DES encryption using
a single key.
• For example, the Caesar cipher is a group. If a message were encrypted with
the Caesar cipher with a key of 3 and then re-encrypted with the Caesar
cipher with a key of 5, the result is equivalent to encrypting the message with
the Caesar cipher with a key of 8. For the Caesar cipher, double encryption
does not increase security. DES is not a group; double encryption is not
equivalent to single encryption. Security does increase by double encryption,
but it does not increase much.
 Meet-in-the–middle attack on Double DES
• At first glance, it looks like double
DES increases the number of tests
for key search from 256 (in single
DES) to 2112 (in double DES).
• Meet-in-the-middle attack proves
that double DES improves this
vulnerability slightly (to 257 tests).
Given a known pair, (P,C) , the attack proceeds as
follows.
• First, encrypt P for all 256 possible values of k1. M = Ek1 (P) M = Dk2 (C)
• Store these results in a table and then sort the
table by the values of M .
• Next, decrypt C using all 256 possible values of k2.
• As each decryption is produced, check the result
against the table for a match.
• If only one match occurs, then test the two
resulting keys against a new known plaintext–
ciphertext pair. If the two keys produce the correct
ciphertext, accept them as the correct keys.
• If more than two match, then take another
intercepted plaintext-ciphertext pair until finally
finds a unique pair.
• It has been proved that after applying the above
step to a few intercepted plaintext ciphertext pairs,
the keys are found. This means that instead of
using 2112 key-search tests, Attacker can use 256
key-search tests two times.
• In other words, moving from single DES to double
DES, we have increased the strength from 256 to
257.
Triple DES – 3DES
• 3DES was developed in 1999
• Uses three stages of DES for encryption and decryption.
• Two versions of triple DES
• Triple DES with Two Keys
• Triple DES with Three Keys
 Triple DES with Two Keys
• The first and the third stages use
k1; the second stage uses k2.
• The middle stage uses decryption
(reverse cipher) in the encryption
site and encryption (cipher) in the
decryption site.
• Although triple DES with two keys
is also vulnerable to a known-
plaintext attack, it is much
stronger than double DES.
Triple DES with Three Keys
• Use three stages of DES
for encryption and
decryption with three
different keys.
• 3-key 3DES has an
effective key length of 168
bits
SECURITY OF DES
1. Brute-Force Attack: it is clear that DES can be broken using 256
encryptions. However, today most applications use either 3DES with
two keys (key size of 112) or 3DES with three keys (key size of 168).
These two multiple-DES versions make DES resistant to brute-force
attacks.
2. Differential Cryptanalysis
3. Linear Cryptanalysis
Linear Cryptanalysis
• Linear cryptanalysis examines the linear connection between the plaintext,
ciphertext, and encryption key. Linear cryptanalysis is constructing linear
equations using known plaintext and ciphertext combinations to obtain the
encryption key.
• Linear cryptanalysis is a known plaintext attack that involves discovering
affine approximations to the target cipher’s action. The attacker studies the
probabilistic linear relations, referred to as linear approximations, between
plaintext parity bits, the ciphertext, and the target’s secret key. This attack
is one of the most common attacks employed against block ciphers.
• In addition, to use linear cryptanalysis properly, we must build a strong
correlation between the plaintext and the ciphertext.
• Advantages:
• It requires minimal computational resources and can be performed with
relatively small amounts of data.
• Limitations:
• It’s less effective against ciphers that use a non-linear substitution box (S-box).
• it also requires a considerable amount of known plaintext-ciphertext pairs
• Example:
Differential Cryptanalysis
• Differential cryptanalysis was not reported in the open literature until
1990. Differential cryptanalysis is the first published attack that is capable
of breaking DES in less than 255 encryptions.
• Differential cryptanalysis is a choosen plaintext attack used to break
encryption systems by analysing the differences between pairs of plaintexts
and ciphertext.
• Differential cryptanalysis examines the differences between pairs of
plaintext and ciphertext blocks to figure out how they differ. Finding pairs
of plaintexts that only differ by one bit is the first step in the process. The
second step involves examining the difference in the corresponding
ciphertext blocks.
• It must be remembered establishing a high correlation between the
differences in plaintext and the differences in the ciphertext is essential for
the technique to be successful. This method is particularly effective for
attacking substitution-permutation networks-based ciphers like AES and
DES.
• Advantages
• The ability to attack ciphers that use non-linear S-boxes is one of the key
advantages of the differential method. It’s also relatively efficient and
requires fewer plaintext-ciphertext pairs than other cryptanalytic techniques.
• Additionally, differential cryptanalysis has shown to be successful in breaching
a variety of block ciphers and successfully attacking a wide range of
cryptographic systems.
• Limitations
• Despite its many advantages, the differential technique has several
limitations. For instance, this method is less effective against ciphers with a
small block size or a limited number of rounds.
• Furthermore, this method requires many plaintext-ciphertext pairs with
specific characteristics. This can be a limitation when trying to attack systems
with limited data. Finally, it’s susceptible to noise and randomisation,
significantly affecting the attack’s success rate.
Example