CNS - Module 2 Updated

The document discusses symmetric key cryptography, focusing on block ciphers and the Data Encryption Standard (DES) algorithm, including its encryption and decryption processes. It covers key generation, differential and linear cryptanalysis, and the design principles of block ciphers, emphasizing the importance of rounds, function design, and key scheduling. Additionally, it outlines various block cipher modes of operation, particularly the Electronic Codebook (ECB) mode.

Uploaded by

kmgangaraj

CRYPTOGRAPHY AND NETWORK SECURITY

MODULE 2

SYMMETRIC KEY CRYPTOGRAPHY

Block Ciphers and the Data Encryption Standard (DES) algorithm. Differential and linear
cryptanalysis, triple DES. Block cipher design principles, Block cipher modes of operation,
Advanced Encryption Standard (AES), Stream Ciphers: RC4.

1.1 Block Cipher Basics

❖ A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Ex: Vernam Cipher
❖ In the ideal case, a one-time pad version of the Vernam cipher would be used, in which the keystream is as long as the plaintext bit stream.
❖ If the keystream is truly random and never reused, then this cipher is unbreakable.
❖ The keystream must be provided to both users in advance via some independent
and secure channel.
❖ The bit-stream generator must be implemented as an algorithmic procedure, so that
the cryptographic bit stream can be produced by both users as shown in figure 1
❖ In this approach, the bit-stream generator is a key-controlled algorithm and must
produce a bit stream that is cryptographically strong.
❖ Now, the two users need to share only the generating key, and each can produce
the keystream.

Figure 1: Stream cipher using algorithmic bit-stream generator

❖ A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
❖ Typically, a block size of 64 or 128 bits is used.
❖ Similar to stream cipher, the two users of block ciphers share a symmetric
encryption key as shown in figure 2
❖ The majority of network-based symmetric cryptographic applications make use of
block ciphers.

GST, DEPT. OF CSE, BENGALURU 1

Figure 2: Block Cipher

1.2 Data Encryption Standard (DES) Algorithm

❖ DES was for decades the most widely used symmetric encryption technique. It is no longer considered secure because of its 56-bit key (NIST withdrew FIPS 46-3 in 2005 in favour of AES), but its structure remains the reference model for block cipher design.
❖ For DES, data are encrypted in 64-bit blocks using a 56-bit key.
❖ The algorithm transforms 64-bit input in a series of steps into a 64-bit output.
❖ The same steps, with the same key, are used to reverse the encryption

DES Encryption

❖ The DES encryption is shown in figure 3

Figure 3: DES Encryption Algorithm

❖ There are two inputs to the encryption function: the plaintext to be encrypted and
the key.

❖ In DES scheme, the plaintext must be 64 bits in length and the key is 56 bits
in length
❖ The left-hand side of the figure 3 shows the processing of the plaintext which
proceeds in 3 phases
❖ First, the 64-bit plaintext passes through an initial permutation (IP) that
rearranges the bits to produce the permuted input.
❖ This is followed by a phase consisting of sixteen rounds of the same function, which
involves both permutation and substitution functions.
❖ The output of the last (sixteenth) round consists of 64 bits that are a function of
the input plaintext and the key.
❖ The left and right halves of the output are swapped to produce the pre-output.
❖ Finally, the pre-output is passed through a permutation [IP-1] that is the inverse of
the initial permutation function, to produce the 64-bit ciphertext
❖ The right-hand side of the figure 3 shows the way in which the 56-bit key is used
❖ Initially, the key is passed through a permutation function
❖ Then, for each of the sixteen rounds, a subkey (Ki ) is produced by the combination
of a left circular shift and a permutation
❖ The permutation function is the same for each round, but a different subkey is
produced because of the repeated shifts of the key bits.

DES Single Round

Figure 4 shows the internal structure of a single round.

Figure 4: Single Round of DES Algorithm

❖ The left and right halves of each 64-bit intermediate value are treated as separate 32-
bit quantities, labeled L (left) and R (right).

❖ The overall processing at each round can be summarized in the following formulas:

❖ The round key Ki is 48 bits. The R input is 32 bits.
❖ This R input is first expanded to 48 bits by using a permutation plus an expansion (the E table) that involves duplication of 16 of the R bits.
❖ The resulting 48 bits are XORed with Ki.
❖ This 48-bit result passes through a substitution function that produces a 32-bit
output, which is again permuted
❖ The role of the S-boxes in the function F is shown in figure 5
❖ The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as
input and produces 4 bits as output.

Figure 5: Calculation of F(R,K)

❖ The transformations are defined in table 1 and is interpreted as follows:

Table 1: DES S-Box

❖ The first and last bits of the input to box Si form a 2-bit binary number to select one of
four substitutions defined by the four rows in the table for Si .
❖ The middle four bits select one of the sixteen columns.
❖ The decimal value in the cell selected by the row and column is then converted to its
4-bit representation to produce the output.
❖ For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100
(column 12).The value in row 1, column 12 is 9, so the output is 1001.

❖ The 32-bit output from the eight S-boxes is then permuted, so that on the next round,
the output from each S-box immediately affects as many others as possible.

Key Generation

❖ As per figures 3 and 4, a 64-bit key is used as input to the algorithm.
❖ The bits of the key are numbered from 1 through 64; every eighth bit is ignored (these are parity bits), leaving 56 key bits. The key is first subjected to a permutation (Permuted Choice One, PC-1).
❖ The resulting 56-bit key is then treated as two 28-bit quantities, labeled C0 and D0.
❖ At each round, Ci-1 and Di-1 are separately subjected to a circular left shift (rotation) of 1 or 2 bits: 1 bit in rounds 1, 2, 9 and 16, and 2 bits in every other round.
❖ These shifted values serve as input to the next round. They also serve as input to a second permutation (Permuted Choice Two, PC-2) that produces the 48-bit subkey Ki, which in turn serves as input to the function F(Ri-1, Ki).

DES Decryption
❖ Decryption uses the same algorithm as encryption, except that the subkeys are applied in reverse order (K16 in the first round, K1 in the last).
❖ This works because each round only XORs F(Ri-1, Ki) into the other half, so a round is undone by performing it again with the same subkey; F itself never has to be inverted.
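The round structure, the key-schedule rotations and the reversed-subkey decryption described in the preceding subsections, as an added example that is not part of the lecture notes. The S1 table and the per-round rotation amounts are DES's own; the expansion step, the use of S1 for all eight 6-bit groups, the way the 48-bit subkey is formed from the 28-bit halves, and the omission of IP, IP^-1, PC-1, PC-2 and P are assumptions made so that the whole structure fits on one page. It is not DES and must not be used to protect anything.

```python
"""The DES round structure, key-schedule rotations and the
'decrypt = encrypt with reversed subkeys' property, in runnable form.

Added example, not from the lecture notes. The S1 table and the per-round
rotation amounts are DES's own; the expansion step, the use of S1 for all
eight 6-bit groups, the way the 48-bit subkey is formed and the omission
of IP, IP^-1, PC-1, PC-2 and P are simplifications so the structure fits
on one page. This is NOT DES and encrypts nothing securely.
"""

# DES S-box S1 (FIPS 46-3): 4 rows x 16 columns, flattened row by row.
S1 = [
    14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
    0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
    4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
    15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,
]
# Left-rotation amounts of C and D in key-schedule rounds 1..16 (DES's own).
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

MASK28, MASK32, MASK48 = (1 << 28) - 1, (1 << 32) - 1, (1 << 48) - 1


def sbox_lookup(sbox, six_bits):
    """Outer two bits pick the row, middle four the column; returns 4 bits."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row * 16 + col]


def toy_f(r32, k48):
    """Round function shaped like DES's F: expand R to 48 bits, XOR the
    48-bit subkey, substitute eight 6-bit groups down to eight 4-bit ones.
    Expansion by duplicating the low 16 bits and using S1 throughout are
    stand-ins for the real E table, S1..S8 and P (illustrative assumption)."""
    expanded = ((r32 << 16) | (r32 & 0xFFFF)) & MASK48
    x = expanded ^ k48
    out = 0
    for i in range(8):
        out = (out << 4) | sbox_lookup(S1, (x >> (42 - 6 * i)) & 0x3F)
    return out


def rotl28(x, n):
    return ((x << n) | (x >> (28 - n))) & MASK28


def key_schedule(c0, d0):
    """Sixteen 48-bit subkeys from the 28-bit halves C0, D0 using DES's
    rotation schedule. DES would take each (C_i, D_i) through PC-2; here
    the low 24 bits of each half are simply concatenated (an assumption)."""
    subkeys, c, d = [], c0 & MASK28, d0 & MASK28
    for s in SHIFTS:
        c, d = rotl28(c, s), rotl28(d, s)
        subkeys.append(((c & 0xFFFFFF) << 24) | (d & 0xFFFFFF))
    return subkeys


def schedule_cycles(c0):
    """The sixteen rotations add up to 28, so C16 == C0: the schedule can be
    run backwards with right rotations, which is how a decryptor produces
    K16 first without storing all subkeys."""
    c = c0 & MASK28
    for s in SHIFTS:
        c = rotl28(c, s)
    return c == (c0 & MASK28)


def feistel_encrypt(block64, subkeys, f=toy_f):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i);  swap after round 16."""
    left, right = (block64 >> 32) & MASK32, block64 & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left


def feistel_decrypt(block64, subkeys, f=toy_f):
    """Identical algorithm with K16..K1. It inverts encryption for ANY f,
    invertible or not, because each round undoes itself by XORing the same
    f(R, K) again; that is why F can be built from non-invertible S-boxes."""
    return feistel_encrypt(block64, list(reversed(subkeys)), f)


if __name__ == "__main__":
    print(f"S1(011001) = {sbox_lookup(S1, 0b011001)}")           # 9, as in the notes
    ks = key_schedule(0x0F1E2D3, 0xC4B5A69)
    ct = feistel_encrypt(0x0123456789ABCDEF, ks)
    print(f"ct = {ct:016x}, roundtrip ok: {feistel_decrypt(ct, ks) == 0x0123456789ABCDEF}")
```

The worked S1 lookup from the notes (input 011001 gives 9) is reproduced by `sbox_lookup`, and `feistel_decrypt` shows that the reversed-subkey property depends only on the Feistel shape, not on what F computes.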

The Strength of DES

1 The Use of 56-bit Keys: With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. For decades this made a brute-force attack appear impractical: a single machine performing one DES encryption per microsecond would take, on average, more than a thousand years to find the key. Special-purpose hardware changed that; in 1998 the EFF's purpose-built machine recovered a DES key in under three days, and 56-bit keys are now considered inadequate.
2 The Nature of the DES algorithm: Cryptanalysis may be possible by exploiting characteristics of the DES algorithm, in particular the eight substitution tables (S-boxes) used in each iteration. The design criteria for these boxes were not made public when DES was standardised, which raised suspicion of hidden weaknesses; none has been found, and the criteria were later published.
3 Timing Attacks: Information about the key or plaintext is obtained by observing how long it takes a given implementation to perform decryption. A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs; constant-time implementations are the defence.

1.3 Differential and Linear Cryptanalysis

❖ The primary concern with DES is its vulnerability to brute-force attack because of its short 56-bit key length.
❖ There has nevertheless been considerable interest in cryptanalytic attacks that exploit the structure of DES rather than its key size; differential and linear cryptanalysis are the two most important.

1.3.1 Differential Cryptanalysis

❖ Differential cryptanalysis was the first published attack capable of breaking DES in less than 2^55 encryptions (the average cost of a brute-force search).

❖ It can successfully cryptanalyze DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts.
❖ Although differential cryptanalysis is a powerful tool, it does not do very well against DES: obtaining 2^47 chosen plaintexts encrypted under the target key is rarely possible in practice.
❖ The need to strengthen DES against attacks using differential cryptanalysis played a large part in the design of the S-boxes and the permutation P, as the designers confirmed when the design criteria were published in 1994.

Differential Cryptanalysis Attack

❖ The differential cryptanalysis attack is complex; only the idea is sketched here.
❖ The idea behind the attack is to follow how the XOR difference between a pair of text blocks evolves through each round of the cipher, rather than following the blocks themselves.
❖ Consider the original plaintext block m to consist of two halves m0, m1.
❖ Each round of DES maps the right-hand input into the left-hand output and sets the right-hand output to be a function of the left-hand input, the right-hand input and the subkey for this round.
❖ So, at each round, only one new 32-bit block is created.
❖ If we label each new block mi (2 ≤ i ≤ 17), then the intermediate message halves are related as follows:

❖ In differential cryptanalysis, we start with two messages, m and m', with a known XOR difference ∆m = m ⊕ m', and consider the difference between the intermediate message halves, ∆mi = mi ⊕ mi'. Because the subkey is XORed into both members of the pair, it cancels out of the difference, and we have

❖ The overall strategy of differential cryptanalysis is based on these considerations for a single round.
❖ The procedure is to begin with two plaintext messages m and m' with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the ciphertext.
❖ There are two probable patterns of differences for the two 32-bit halves: (∆m17 || ∆m16).
❖ Next, we submit m and m' for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. If there is a match, then we suspect that all the probable patterns at all the intermediate rounds are correct.
✔ With that assumption, some key bits can be deduced.
✔ This procedure must be repeated many times, with many pairs, to determine all the key bits.


1.3.2 Linear Cryptanalysis

❖ The linear cryptanalysis attack is based on finding linear approximations to describe the transformations performed in DES.
❖ This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Known plaintexts are far easier to obtain than chosen ones; Matsui demonstrated the attack experimentally on full 16-round DES in 1994.

Principle of Linear Cryptanalysis:

❖ For a cipher with n-bit plaintext and ciphertext blocks and an m-bit key, let the
plaintext block be labeled P[1]....P[n], the cipher text block C[1]....C[n], and the key
K[1]....K[m], Then define

❖ The objective of linear cryptanalysis is to find an effective linear equation of the form:

where x = 0 or 1; 1 ≤ a, b ≤ n; 1 ≤ c ≤ m; and where the α, β and γ terms represent fixed, unique bit locations, that holds with probability p ≠ 0.5. The further p is from 0.5, the more useful the equation.
❖ Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the preceding equation for a large number of plaintext–ciphertext pairs.
❖ If the result is 0 more than half the time, assume K[γ1, γ2, ..., γc] = 0.
❖ If it is 1 most of the time, assume K[γ1, γ2, ..., γc] = 1.
❖ This gives us a linear equation on the key bits. Collecting enough such equations and solving them recovers the key bits.
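Both attacks in 1.3.1 and 1.3.2 start from tables built for a single S-box: the difference distribution table that gives the probability of each input-difference to output-difference pattern, and the linear approximation table that gives the bias of each parity relation between input and output bits. The following is an added example, not part of the lecture notes, that computes both tables for DES S-box S1 and then performs the 6-bit subkey-filtering step that differential key recovery rests on. Only the S1 table is DES's own; the chosen pairs and the "secret" subkey are constructed for the demonstration.

```python
"""Differential and linear profiles of DES S-box S1, plus the 6-bit
subkey-filtering step on which differential key recovery rests.

Added example, not from the lecture notes. The S1 table is DES's own; the
chosen pairs and the 'secret' subkey in the demonstration are constructed
here. Differential: a pair with input XOR din leaves the S-box with output
XOR dout with probability ddt[din][dout]/64, independent of the subkey
(because (x xor k) xor (x' xor k) = x xor x'). Linear: a relation
parity(a & x) = parity(b & S(x)) that holds for lat[a][b] of the 64 inputs
has bias |lat[a][b] - 32| / 64; both tables are what the attacks chain
through the rounds.
"""
from itertools import product

# DES S-box S1 (FIPS 46-3): 4 rows x 16 columns, flattened row by row.
S1 = [
    14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
    0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
    4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
    15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,
]


def sbox_lookup(sbox, six_bits):
    """Outer two bits select the row, middle four the column."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row * 16 + col]


def difference_distribution_table(sbox):
    ddt = [[0] * 16 for _ in range(64)]
    for x, din in product(range(64), repeat=2):
        ddt[din][sbox_lookup(sbox, x) ^ sbox_lookup(sbox, x ^ din)] += 1
    return ddt


def best_differential(ddt):
    """(count, din, dout) of the most probable differential with din != 0."""
    return max((ddt[d][o], d, o) for d in range(1, 64) for o in range(16))


def parity(v):
    return bin(v).count("1") & 1


def linear_approximation_table(sbox):
    lat = [[0] * 16 for _ in range(64)]
    for a, b in product(range(64), range(16)):
        lat[a][b] = sum(parity(a & x) == parity(b & sbox_lookup(sbox, x))
                        for x in range(64))
    return lat


def best_linear(lat):
    """(|count - 32|, a, b) of the most biased relation with a, b != 0."""
    return max((abs(lat[a][b] - 32), a, b) for a in range(1, 64) for b in range(1, 16))


def candidate_subkeys(sbox, e1, e2, dout):
    """All 6-bit subkeys k for which S(e1 ^ k) ^ S(e2 ^ k) == dout. e1, e2 are the
    S-box inputs before the key XOR; they follow from the plaintext through the
    public expansion E, and dout is read off the ciphertext in a last-round attack."""
    return {k for k in range(64)
            if sbox_lookup(sbox, e1 ^ k) ^ sbox_lookup(sbox, e2 ^ k) == dout}


def recover_subkey(sbox, secret_k, pairs):
    """Intersect the candidate sets over several chosen pairs. The true subkey
    always survives; wrong ones are discarded as soon as one pair contradicts them."""
    survivors = set(range(64))
    for e1, e2 in pairs:
        observed = sbox_lookup(sbox, e1 ^ secret_k) ^ sbox_lookup(sbox, e2 ^ secret_k)
        survivors &= candidate_subkeys(sbox, e1, e2, observed)
    return survivors


if __name__ == "__main__":
    count, din, dout = best_differential(difference_distribution_table(S1))
    print(f"best S1 differential: {din:06b} -> {dout:04b} with probability {count}/64")
    bias, a, b = best_linear(linear_approximation_table(S1))
    print(f"best S1 linear relation: masks {a:06b}/{b:04b}, bias {bias}/64")
    pairs = [(e, e ^ d) for e, d in zip([0x00, 0x05, 0x12, 0x3A, 0x21, 0x0E, 0x17, 0x33],
                                        [0x34, 0x2E, 0x0D, 0x39, 0x1B, 0x27, 0x36, 0x09])]
    print("subkeys consistent with 8 pairs:", recover_subkey(S1, 0x2A, pairs))
```

Pairs with different input differences are needed in `recover_subkey`: a single difference din can never separate k from k ⊕ din, because both keys produce the same pair of S-box inputs in the other order. The design criterion that bounds every S1 entry at 16/64 is what keeps the best one-round differential at probability 1/4 and forces the attacker to chain many rounds.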

1.4 Block Cipher Design Principles

✔ Three critical aspects of block cipher design: the number of rounds, design of the
function F, and the key scheduling.

1 Number of Rounds
✔ The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F.
✔ In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack.
✔ This criterion was certainly used in the design of DES.
✔ For DES with 16 rounds, a differential cryptanalysis attack is slightly less efficient than a brute-force attack: the differential attack requires 2^55.1 operations, whereas brute force requires 2^55 on average.

✔ If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than
a brute-force key search.
✔ This criterion is important, because it makes it easy to judge the strength of an
algorithm and to compare different algorithms.

2 Design of Function F
✔ Design of Function F includes the criteria for F and S-Box Design
✔ The function F should be nonlinear.
✔ The more nonlinear F, the more difficulty for cryptanalysis
✔ General Criteria is a change in one bit of the input should produce a change in many
bits of the output
✔ Several criteria are used for designing function F:
● Strict Avalanche Criterion (SAC): Which states that any output bit j of an S-box
should change with probability 1/2 when any single input bit i is inverted for all i,j.
Although SAC is expressed in terms of S-boxes, a similar criterion could be applied
to F as a whole. This is important when considering designs that do not include S-
boxes.
● Bit Independence Criterion (BIC): Which states that output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.

3 Key Schedule Algorithm

✔ The key is used to generate one subkey for each round.
✔ In general, subkeys are selected to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.

1.5 Block Cipher Modes of Operation

✔ A block cipher takes a fixed-length block of text of length b bits and a key as input and
produces a b-bit block of ciphertext.
✔ If the amount of plaintext to be encrypted is greater than b bits, then the block cipher
can be used by breaking the plaintext up into b-bit blocks.
✔ When multiple blocks of plaintext are encrypted using the same key, a number of
security issues arise.
✔ To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST (SP 800-38A).
✔ A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream.
✔ These modes are intended for use with any symmetric block cipher, including triple DES and AES, and are summarized in table 2.

1 Electronic Codebook (ECB) Mode
✔ It is the simplest mode in which plaintext is handled one block at a time and each
block of plaintext is encrypted using the same key.
✔ For a message longer than b bits, the procedure is simply to break the message into
b-bit blocks, padding the last block if necessary.
✔ Decryption is performed one block at a time, using the same key as shown in figure
7.

Table 2: Block Cipher Modes of Operation


Figure 7: ECB mode

✔ In Figure 7, the plaintext (padded as necessary) consists of a sequence of b-bit blocks, P1, P2, ..., PN; the corresponding sequence of ciphertext blocks is C1, C2, ..., CN.
✔ ECB mode can be defined as follows:

✔ The ECB method is suited to a short amount of data that fits in a single block, such as an encryption key; historically this is how a DES or AES key was transmitted under another key. Modern practice prefers a dedicated key-wrap mode or authenticated encryption, which also detect tampering.
✔ The most significant characteristic of ECB is that if the same b-bit block of plaintext appears more than once in the message, it always produces the same ciphertext.
✔ For lengthy messages, the ECB mode is therefore not secure: an observer can see which blocks repeat, and blocks can be reordered, duplicated or deleted without detection.

2 Cipher Block Chaining (CBC) Mode

✔ This mode is used to overcome the difficulties of ECB mode.
✔ In the CBC technique, a repeated plaintext block produces different ciphertext blocks.
✔ In the CBC scheme, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block, as shown in figure 8.
✔ Therefore, repeating patterns of b bits are not exposed.


Figure 8: CBC Mode

✔ The input to the encryption function for each plaintext block has no fixed relationship
to the plaintext block
✔ The CBC mode requires that the last block be padded to a full b bits if it is a partial
block.
✔ For decryption, each cipher block is passed through the decryption algorithm.
✔ The result is XORed with the preceding ciphertext block to produce the plaintext block.
✔ It can be shown as:

✔ The IV (Initialisation Vector) is a data block that is the same size as the cipher block.
✔ To produce the first block of ciphertext, the IV is XORed with the first block of plaintext.
✔ On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext.
✔ CBC mode can be defined as

✔ The IV must be known to both the sender and receiver but must be unpredictable by a third party; a predictable IV lets an attacker test guesses about the first plaintext block.
✔ For maximum security, the IV should also be protected against unauthorized changes: flipping a bit of the IV flips the corresponding bit of the recovered P1 without disturbing any other block. This could be done by sending the IV using ECB encryption, but encryption alone does not detect modification; an integrity check (a MAC covering the IV and the ciphertext) does.

✔ Because of the chaining mechanism of CBC, it is an appropriate mode for encrypting messages of length greater than b bits.
✔ In addition to its use to achieve confidentiality, the CBC mode can be used for authentication (CBC-MAC, in which only the final ciphertext block is kept as the tag).

3 Cipher Feedback (CFB) Mode

✔ A block cipher can be converted into a stream cipher using one of three modes: Cipher Feedback (CFB) mode, Output Feedback (OFB) mode and Counter (CTR) mode.
✔ A stream cipher eliminates the need to pad a message to an integral number of blocks. It can also operate in real time.
✔ Property of a stream cipher: the ciphertext is the same length as the plaintext. Thus, if 8-bit characters are being transmitted, each character should be encrypted to produce a ciphertext output of 8 bits.
✔ Figure 9 shows the CFB mode.
✔ In the figure 9, it is assumed that the unit of transmission is s bits; a common value
is s=8 .
✔ As with CBC, the units of plaintext are chained together, so that the ciphertext of any
plaintext unit is a function of all the preceding plaintext.
✔ In this case, rather than blocks of b bits, the plaintext is divided into segments of s
bits.


Figure 9: CFB Mode

✔ For encryption, the input to the encryption function is a b-bit shift register that is initially set to some initialization vector (IV).
✔ The leftmost (most significant) s bits of the output of the encryption function are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext C1, which is then transmitted.
✔ In addition, the contents of the shift register are shifted left by s bits, and C1 is placed in the rightmost (least significant) s bits of the shift register. This process continues until all plaintext units have been encrypted.
✔ For decryption, the same scheme is used, except that the received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit. Only the encryption function of the block cipher is needed in either direction.
✔ Let MSBs(X) be defined as the most significant s bits of X .Then

✔ Therefore, by rearranging terms:

✔ In the case of CFB, the stream of bits that is XORed with the plaintext also depends
on the plaintext.

4 Output Feedback (OFB) Mode

✔ The output feedback (OFB) mode is similar in structure to that of CFB.

Figure 10: Output Feedback (OFB) mode

✔ As shown in figure 10, it is the output of the encryption function that is fed back to
the shift register in OFB, whereas in CFB, the ciphertext unit is fed back to the shift
register.
✔ The other difference is that the OFB mode operates on full blocks of plaintext and
ciphertext, not on an s-bit subset
✔ Encryption can be expressed as

✔ By rearranging terms, decryption is expressed as:

✔ The OFB mode requires an initialization vector.
✔ In the case of OFB, the IV must be a nonce; that is, the IV must be unique to each
execution of the encryption operation.
✔ The reason for this is that the sequence of encryption output blocks Oi , depends only
on the key and the IV and does not depend on the plaintext.
✔ Therefore, for a given key and IV, the stream of output bits used to XOR with the
stream of plaintext bits is fixed.
✔ If two different messages had an identical block of plaintext in the identical position,
then an attacker would be able to determine that portion of the Oi, stream.
Advantage
● The bit errors in transmission do not propagate. For example, if a bit error occurs
in C1, only the recovered value of P1 is affected; subsequent plaintext units are not
corrupted.
Disadvantage
● It is more vulnerable to a message stream modification attack than is CFB. Consider
that complementing a bit in the ciphertext complements the corresponding bit in
the recovered plaintext.

5 Counter (CTR) Mode

✔ Figure 11 shows the CTR mode.

Figure 11: Counter Mode

✔ In CTR mode, a counter equal to the plaintext block size is used.
✔ The counter value must be different for each plaintext block that is encrypted.
✔ The counter is initialized to some value and then incremented by 1 for each subsequent block (modulo 2^b, where b is the block size).
✔ For encryption, the counter is encrypted and then XORed with the plaintext block to
produce the ciphertext block; there is no chaining.
✔ For decryption, the same sequence of counter values is used, with each encrypted
counter XORed with a ciphertext block to recover the corresponding plaintext block.
✔ Thus, the initial counter value must be available for decryption.
✔ For the last plaintext block, which may be a partial block of u bits, the most significant
u bits of the last output block are used for the XOR operation; the remaining b-u bits
are discarded.
✔ The initial counter value must be a nonce; that is, T1 must be different for all of the messages encrypted using the same key.
✔ Further, all counter values across all messages must be unique.
✔ If, contrary to this requirement, a counter value is used multiple times, then the confidentiality of all of the plaintext blocks corresponding to that counter value may be compromised.
✔ In particular, if any plaintext block that is encrypted using a given counter value is known, then the output of the encryption function can be determined easily from the associated ciphertext block and used to decrypt every other block encrypted under the same counter value.
✔ One way to ensure the uniqueness of counter values is to continue to increment the counter value by 1 across messages; another is to place a per-message nonce in the high-order bits of the counter block and the block index in the low-order bits.

Advantages
● Hardware Efficiency: Encryption (or decryption) in CTR mode can be done in
parallel on multiple blocks of plaintext or ciphertext. For the chaining modes, the
algorithm must complete the computation on one block before beginning on the next
block. This limits the maximum throughput of the algorithm to the reciprocal of the
time for one execution of block encryption or decryption. In CTR mode, the
throughput is only limited by the amount of parallelism that is achieved.
● Software Efficiency: Because of the opportunities for parallel execution in CTR
mode, processors that support parallel features, such as aggressive pipelining,
multiple instruction dispatch per clock cycle, a large number of registers, and SIMD
instructions, can be effectively utilized.
● Preprocessing: The execution of the underlying encryption algorithm does not
depend on input of the plaintext or ciphertext. Therefore, if sufficient memory is
available and security is maintained, pre-processing can be used to prepare the
output of the encryption boxes that feed into the XOR functions
● Random Access: The ith block of plaintext or ciphertext can be processed in random-
access fashion. There may be applications in which a ciphertext is stored and it is
desired to decrypt just one block; for such applications, the random-access feature
is attractive.
● Simplicity: CTR mode requires only the implementation of the encryption algorithm
and not the decryption algorithm. In addition, the decryption key scheduling need
not be implemented.
● Security: CTR mode is at least as secure as the other modes, provided that no counter value is ever reused under the same key. Like the other modes listed here, it provides confidentiality only; ciphertext bits can be flipped undetected unless an integrity check is added.
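The ECB, CBC and CTR descriptions above each come with a failure m ode: ECB exposes repeated blocks, a reused CTR counter leaks the XOR of two plaintexts, and an unauthenticated CBC IV lets an attacker flip bits of the first plaintext block. The following added example, not part of the lecture notes, implements the three modes over a generic block cipher and makes each failure observable. The stand-in block cipher is a 4-round Feistel network whose round function is HMAC-SHA256 (a Luby-Rackoff construction), chosen so the code runs with the standard library alone; the mode logic does not depend on which cipher sits underneath, and DES or AES would slot in unchanged. CFB and OFB differ only in what is fed back and are omitted. Keys, IVs and messages are constructed for the demonstration.

```python
"""ECB, CBC and CTR implemented over an arbitrary block cipher, with the
three failure modes discussed above made concrete: ECB exposing repeated
blocks, CTR counter reuse leaking the XOR of two plaintexts, and CBC's
unauthenticated IV letting an attacker flip bits of the first block.

Added example, not from the lecture notes. The stand-in block cipher is a
4-round Feistel network with HMAC-SHA256 as round function (Luby-Rackoff),
used so the code runs with the standard library alone. Sample keys, IVs
and messages are constructed for the demonstration.
"""
import hashlib
import hmac

BLOCK = 16  # bytes, like AES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    """Toy 128-bit permutation: L,R = R, L xor f(R) for four rounds, then swap."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left


def pad(data):                                   # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in split_blocks(pad(pt)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, b) for b in split_blocks(ct)))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in split_blocks(pad(pt)):
        prev = block_encrypt(key, xor(p, prev))       # C_i = E(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in split_blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return unpad(b"".join(out))


def ctr_crypt(key, nonce, data):
    """Counter block = 8-byte nonce || 8-byte big-endian counter. No padding;
    the same call encrypts and decrypts. Reusing (key, nonce) is fatal."""
    n_blocks = -(-len(data) // BLOCK)
    ks = b"".join(block_encrypt(key, nonce + i.to_bytes(8, "big")) for i in range(n_blocks))
    return xor(data, ks[:len(data)])


def repeated_blocks(ct):
    """How many ciphertext blocks duplicate an earlier one (ECB's tell-tale)."""
    bs = split_blocks(ct)
    return len(bs) - len(set(bs))


def ctr_reuse_recovers(key, nonce, known_pt, other_pt):
    """With one nonce reused, C1 xor C2 = P1 xor P2, so knowing P1 yields P2."""
    c1 = ctr_crypt(key, nonce, known_pt)
    c2 = ctr_crypt(key, nonce, other_pt)
    return xor(xor(c1, c2), known_pt)


def cbc_iv_flip(key, iv, ct, byte_index, mask):
    """Flipping bits of an unauthenticated IV flips the same bits of P_1 only."""
    tampered = bytearray(iv)
    tampered[byte_index] ^= mask
    return cbc_decrypt(key, bytes(tampered), ct)
```

`repeated_blocks` is the check to run on any ciphertext suspected of being ECB: a count above zero on data with repeated plaintext blocks is the leak the notes describe, and CBC or CTR output gives zero. `ctr_reuse_recovers` needs only one known plaintext; `cbc_iv_flip` succeeds precisely because nothing verifies the IV, which is why a MAC over IV and ciphertext (or an authenticated mode) belongs with every one of these modes.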

1.7 Advanced Encryption Standard (AES)

➢ The cipher takes a plaintext block size of 128 bits or 16 bytes
➢ The key length can be 16, 24 or 32 bytes (128, 192 or 256 bits)
➢ The algorithm is referred to as AES-128, AES-192 or AES-256, depending on the key length
➢ The input to the encryption and decryption algorithms is a single 128-bit block.
➢ This block is depicted as a 4 × 4 square matrix of bytes
➢ This block is copied into the State array, which is modified at each stage of
encryption or decryption.
➢ After the final stage, State is copied to an output matrix. These operations are
shown in figure 13(a)
➢ Similarly, the key is depicted as a square matrix of bytes. This key is then expanded
into an array of key schedule words.
➢ Figure 13(b) shows the expansion for the 128bit key. Each word is four bytes, and
the total key schedule is 44 words for the 128-bit key.
➢ The cipher consists of N rounds, where the number of rounds depends on the key
length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds
for a 32-byte key
➢ The first N-1 rounds consist of four distinct transformation functions: SubBytes,
ShiftRows, MixColumns, and AddRoundKey, which are described subsequently.
The final round contains only three transformations
➢ Each transformation takes one or more 4 × 4 matrices as input and produces a 4 × 4 matrix as output.
➢ Each round key serves as one of the inputs to the AddRoundKey transformation in
each round.
➢ The detailed Structure of AES is shown in figure 12.
➢ AES processes the entire data block as a single matrix during each round using
substitution and permutation
➢ The key that is provided as input is expanded into an array of forty-four 32-bit
words, w[i]. Four distinct words (128 bits) serve as a round key for each round;
these are indicated in Figure 13.
➢ Four different stages are used, one of permutation and three of substitution:

● Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of
the block
● ShiftRows: A simple permutation
● MixColumns: A substitution that makes use of arithmetic over GF(2^8)
● AddRoundKey: A simple bitwise XOR of the current block with a portion of
the expanded key
➢ The structure is quite simple. For both encryption and decryption, the cipher
begins with an AddRoundKey stage, followed by nine rounds that each includes all
four stages, followed by a tenth round of three stages
➢ Only the AddRoundKey stage makes use of the key. For this reason, the cipher
begins and ends with an AddRoundKey stage.
➢ For the Substitute Byte, ShiftRows, and MixColumns stages, an inverse function
is used in the decryption algorithm.
➢ As with most block ciphers, the decryption algorithm makes use of the expanded
key in reverse order. However, the decryption algorithm is not identical to the
encryption algorithm. This is a consequence of the particular structure of AES.
➢ The final round of both encryption and decryption consists of only three stages

Figure 12: AES Encryption and Decryption


Figure 13: AES Data Structure

Substitute Bytes Transformation

➢ The forward substitute byte transformation, called SubBytes, is a simple table lookup.
➢ AES defines a matrix of byte values, called an S-box (Table 5.2a), that contains a permutation of all possible 256 8-bit values.
➢ Each individual byte of State is mapped into a new byte in the following way: The
leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used
as a column value. These row and column values serve as indexes into the S-box
to select a unique 8-bit output value as shown in figure 14.

Figure 14: Substitute byte transformation

ShiftRows Transformation

➢ The forward shift row transformation, called ShiftRows, is depicted in Figure 15


Figure 15: Shift row transformation

➢ The first row of State is not altered. For the second row, a 1-byte circular left shift
is performed. For the third row, a 2-byte circular left shift is performed. For the
fourth row, a 3-byte circular left shift is performed
➢ The inverse shift row transformation, called InvShiftRows, performs the circular
shifts in the opposite direction for each of the last three rows, with a 1-byte circular
right shift for the second row, and so on.
➢ The shift row transformation is more substantial than it may first appear.
➢ This is because the State, as well as the cipher input and output, is treated as an
array of four 4-byte columns.
➢ Thus, on encryption, the first 4 bytes of the plaintext are copied to the first column
of State, and so on.
➢ Furthermore, the round key is applied to State column by column. Thus, a row
shift moves an individual byte from one column to another, which is a linear
distance of a multiple of 4 bytes. Also note that the transformation ensures that
the 4 bytes of one column are spread out to four different columns as shown in
figure 16.

Figure 16: AES Encryption Round

MixColumns Transformation

➢ The forward mix column transformation, called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in that column. The transformation can be defined by the following matrix multiplication on State as shown in figure 17.

Figure 17: Mix Column Transformation

➢ Each element in the product matrix is the sum of products of elements of one row and one column. Here addition is XOR and multiplication is multiplication of bytes viewed as polynomials over GF(2), reduced modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1; the fixed coefficients 1, 2 and 3 therefore mean: leave the byte unchanged, multiply it by x (a left shift with a conditional XOR of 1B), and multiply it by x and XOR the byte itself.

AddRoundKey Transformation

➢ In the forward add round key transformation, called AddRoundKey, the 128 bits
of State are bitwise XORed with the 128 bits of the round key.
➢ As shown in Figure 18, the operation is viewed as a column wise operation between
the 4 bytes of a State column and one word of the round key; it can also be viewed
as a byte-level operation.

Figure 18: Add round key transformation

➢ The inverse add round key transformation is identical to the forward add round
key transformation, because the XOR operation is its own inverse.
➢ The add round key transformation is as simple as possible and affects every bit of
State. The complexity of the round key expansion, plus the complexity of the other
stages of AES, ensure security.

AES Key Expansion

➢ The AES key expansion algorithm takes as input a four-word (16-byte) key and
produces a linear array of 44 words (176 bytes).This is sufficient to provide a four-
word round key for the initial AddRoundKey stage and each of the 10 rounds of the
cipher.
➢ The key is copied into the first four words of the expanded key.

➢ The remainder of the expanded key is filled in four words at a time.
➢ Each added word w[i] depends on the immediately preceding word, w[i-1], and the
word four positions back, w[i-4].
➢ In three out of four cases, a simple XOR is used.
➢ For a word whose position in the w array is a multiple of 4, a more complex function g is used.
➢ Figure 19 illustrates the generation of the expanded key, using the symbol g to represent that complex function. g consists of a one-byte circular left shift of the word (RotWord), a byte-by-byte substitution through the S-box (SubWord), and an XOR of the leftmost byte with a round constant Rcon[j] that differs for each round, so that no two round keys are related by a simple shift.

Figure 19: AES Key Expansion
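The four transformations and the key expansion described above, assembled into AES-128 encryption on the column-major State the notes use (the byte in row r, column c is flat index r + 4c, so the 16 input bytes fill the matrix column by column). This is an added example, not part of the lecture notes: the S-box is computed from its definition (multiplicative inverse in GF(2^8) followed by the affine map) rather than pasted in, and MixColumns uses explicit GF(2^8) multiplication so the arithmetic the matrix notation hides is visible. Encryption only, no padding or mode; the test values are the FIPS-197 Appendix A and C vectors.

```python
"""AES-128 encryption built from SubBytes, ShiftRows, MixColumns and
AddRoundKey on the column-major State (State[r][c] = flat[r + 4c]).

Added example, not from the lecture notes. The S-box is generated from its
definition, MixColumns uses explicit GF(2^8) multiplication, and the key
expansion is the 44-word schedule with g = RotWord, SubWord, XOR Rcon.
Checked against the FIPS-197 Appendix C.1 vector. Encryption only.
"""

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gmul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo POLY."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return p & 0xFF


def _make_sbox():
    """S-box[x] = affine(inverse(x)); inverse(0) is defined as 0."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        y = inv
        for s in range(1, 5):                      # y ^= rotl(inv, 1..4)
            y ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox[x] = y ^ 0x63
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def sub_bytes(state):
    return [SBOX[b] for b in state]


def shift_rows(state):
    """Row r is rotated left by r bytes; row r of column c lives at flat[r + 4c]."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state):
    """Each column is multiplied by the fixed circulant matrix (2 3 1 1) in GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [
            gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
            a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
            gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2),
        ]
    return out


def add_round_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]


def key_expansion(key):
    """44 words for AES-128: w[i] = w[i-4] XOR temp, where temp is w[i-1]
    passed through g (RotWord, SubWord, XOR Rcon) when i is a multiple of 4."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # RotWord, then SubWord
            temp[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w


def round_key(w, rnd):
    """Round key rnd = words w[4rnd .. 4rnd+3]; each word is one State column."""
    return [b for word in w[4 * rnd:4 * rnd + 4] for b in word]


def aes128_encrypt_block(key, block):
    assert len(key) == 16 and len(block) == 16
    w = key_expansion(key)
    state = add_round_key(list(block), round_key(w, 0))
    for rnd in range(1, 10):                       # nine full rounds
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key(w, rnd))
    state = add_round_key(shift_rows(sub_bytes(state)), round_key(w, 10))  # no MixColumns
    return bytes(state)


if __name__ == "__main__":
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())   # 69c4e0d86a7b0430d8cdb78070b4c55a
```

The table-free S-box and byte-wise `gmul` make the definitions visible, but a production implementation would not be written this way: data-dependent table lookups and branches are what timing and cache side channels exploit, so real AES code uses constant-time techniques or the processor's AES instructions.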

STREAM CIPHER - RC4

RC4 is a stream cipher with a variable-length key. It encrypts one byte at a time (larger units are possible). It is now deprecated: RFC 7465 prohibits its use in TLS because of statistical biases in its keystream, but it remains a compact illustration of how a stream cipher works.

A variable-length key is the input to a pseudorandom byte generator that produces a stream of 8-bit values which is unpredictable without knowledge of the key. The output of the generator, called the keystream, is combined one byte at a time with the plaintext using the XOR operation; decryption XORs the same keystream with the ciphertext.

Example:

RC4 Encryption

10011000 ⊕ 01010000 = 11001000

RC4 Decryption

11001000 ⊕ 01010000 = 10011000

Key-Generation Algorithm:

A variable-length key of from 1 to 256 bytes is used to initialize a 256-byte state vector S, with elements S[0] to S[255]. For encryption and decryption, a byte k is generated from S by selecting one of the 256 entries in a systematic fashion, after which the entries in S are permuted again.

● Key-Scheduling Algorithm:
Initialization: The entries of S are set equal to the values from 0 to 255 in ascending order, and a temporary vector T is created.
If the length of the key K is 256 bytes, then K is copied to T. Otherwise, for a key of keylen bytes, the first keylen elements of T are copied from K and then K is repeated as many times as necessary to fill T. The idea is illustrated as follows:

    for i = 0 to 255 do
        S[i] = i;
        T[i] = K[i mod keylen];

Next we use T to produce the initial permutation of S. Starting with S[0] and going up to S[255], each S[i] is swapped with another byte in S according to a scheme dictated by T[i]; because only swaps are performed, S still contains every value from 0 to 255:

    j = 0;
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256;
        Swap(S[i], S[j]);

● Pseudo-random generation algorithm (stream generation):

Once the vector S is initialized, the input key is no longer used. In this step, each S[i] is swapped with another byte in S according to a scheme dictated by the current configuration of S. After reaching S[255] the process continues, starting from S[0] again. Each iteration produces one keystream byte k, which is XORed with the next byte of plaintext (or ciphertext):

    i, j = 0;
    while (true)
        i = (i + 1) mod 256;
        j = (j + S[i]) mod 256;
        Swap(S[i], S[j]);
        t = (S[i] + S[j]) mod 256;
        k = S[t];
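The two loops above in runnable form, as an added example that is not part of the lecture notes. It is a direct transcription of the key-scheduling and stream-generation pseudocode, checked against the widely published RC4 test vectors (key "Key" with plaintext "Plaintext" gives BBF316E8D940AF0AD3). It is for study only; the keystream biases that led to RC4's deprecation are not addressed here.

```python
"""RC4 key scheduling (KSA) and keystream generation (PRGA), runnable.

Added example, not from the lecture notes: a direct transcription of the
two loops described above. Test vectors: key "Key" / plaintext "Plaintext"
-> BBF316E8D940AF0AD3, "Wiki" / "pedia" -> 1021BF0420. For study only.
"""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: identity permutation, then 256 swaps driven
    by T[i] = key[i mod keylen] (T is never materialised, just indexed)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list):
    """Pseudo-random generation algorithm: an endless generator of keystream
    bytes. Works on its own copy of S so the caller's table is untouched."""
    s = list(s)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes for a key (useful for comparing with vectors)."""
    gen = rc4_prga(rc4_ksa(key))
    return bytes(next(gen) for _ in range(n))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: the same XOR with the keystream does both."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex().upper())                          # BBF316E8D940AF0AD3
    print(rc4_crypt(b"Key", ct))                     # b'Plaintext'
```

Because the keystream depends only on the key, encrypting two messages under the same key is the two-time-pad mistake: XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts, exactly as for a reused CTR counter. Any real use of a stream cipher therefore needs a per-message nonce mixed into the key, which RC4 itself has no provision for.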
