
Cryptography Reference Note

Unit-II
Symmetric Ciphers

Feistel Cipher Structure

The Feistel structure is shown in the following figure:

Collegenote Prepared By: Jayanta Poudel



- A Feistel cipher is a block cipher design pattern, not a specific cipher.


- In a Feistel cipher, the plaintext block 𝑃 is divided into left and right halves: 𝑃 = (𝐿0, 𝑅0).
The two halves then pass through 𝑛 rounds of processing and are combined to produce the
cipher block.
For each round 𝑖 = 1, 2, …, 𝑛 the new left and right halves are computed according to the
rules:
𝐿𝑖 = 𝑅𝑖−1
𝑅𝑖 = 𝐿𝑖−1 ⊕ 𝐹(𝑅𝑖−1, 𝐾𝑖)
where 𝐹 is the round function and 𝐾𝑖 is the subkey for round 𝑖.
Each subkey 𝐾𝑖 is derived from the original key 𝐾 according to a specified key schedule
algorithm. Finally, the ciphertext 𝐶 is the output of the final round:
𝐶 = (𝐿𝑛, 𝑅𝑛)
- All rounds have the same structure.
- A substitution is performed on the left half of the data: the round function 𝐹 is applied to
the right half, and the output of 𝐹 is XORed with the left half.
- The permutation step at each round swaps the modified left half and the unmodified right
half.
- The combination of substitution and permutation is called a round.

Decryption
- Decryption is the same process as encryption with the subkeys applied in reverse order.
Start with the ciphertext 𝐶 = (𝐿𝑛, 𝑅𝑛).
For each round 𝑖 = 𝑛, 𝑛 − 1, …, 1 compute:
𝑅𝑖−1 = 𝐿𝑖
𝐿𝑖−1 = 𝑅𝑖 ⊕ 𝐹(𝑅𝑖−1, 𝐾𝑖)
where 𝐹 is the round function and 𝐾𝑖 is the subkey of round 𝑖.
Plaintext: 𝑃 = (𝐿0, 𝑅0)

Design Features/Principles of a Feistel Network:

- Block size: increasing the block size improves security but reduces encryption/decryption speed.
- Key size: increasing the key size improves security and makes exhaustive key search harder,
but may slow the cipher.
- Number of rounds: increasing the number of rounds increases security, but slows the cipher.
- Subkey generation algorithm: greater complexity in this algorithm can make analysis harder,
but slows the cipher.
- Round function: greater complexity can make analysis harder, but slows the cipher.
- Fast software encryption/decryption and ease of analysis: more recent concerns for practical
use and testing.
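
The Feistel rules above, as an added Python example (not code from the note): a toy 16-round cipher on 64-bit blocks whose round function F and key schedule are invented for illustration. It checks the decryption rules, shows that with a DES-style final swap decryption is just encryption with the subkeys reversed, and shows that identical subkeys make the cipher its own inverse, which is the property behind the DES weak keys discussed later in the note.

```python
# Toy 64-bit Feistel cipher with 16 rounds on 32-bit halves (added example).
# F and the key schedule are invented for illustration; only the structure matters.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def rotl(x, n, width):
    """Rotate the width-bit integer x left by n bits."""
    n %= width
    mask = (1 << width) - 1
    return ((x << n) | (x >> (width - n))) & mask


def round_function(r, k):
    """F(R, K): a non-linear 32-bit mix. It is deliberately NOT invertible;
    the Feistel structure never needs F^-1."""
    x = ((r ^ k) * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    x ^= rotl(x, 13, 32)
    return (x + (r >> 3)) & MASK32


def key_schedule(key, rounds=16):
    """Toy schedule: one 32-bit subkey K_i per round from a 64-bit key."""
    return [(rotl(key, 7 * i + 3, 64) ^ (0xA5A5A5A5 * (i + 1))) & MASK32
            for i in range(rounds)]


def feistel_encrypt(block, subkeys):
    """Rounds 1..n:  L_i = R_{i-1},  R_i = L_{i-1} xor F(R_{i-1}, K_i).
    Returns C = (L_n, R_n) exactly as written above (no final swap)."""
    left, right = block >> 32, block & MASK32            # P = (L_0, R_0)
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (left << 32) | right


def feistel_decrypt(block, subkeys):
    """Rounds n..1:  R_{i-1} = L_i,  L_{i-1} = R_i xor F(R_{i-1}, K_i)."""
    left, right = block >> 32, block & MASK32            # C = (L_n, R_n)
    for k in reversed(subkeys):
        right, left = left, right ^ round_function(left, k)
    return (left << 32) | right                          # P = (L_0, R_0)


def swap_halves(block):
    return ((block & MASK32) << 32) | (block >> 32)


def des_style_encrypt(block, subkeys):
    """DES convention: swap the halves once more after the last round. Then
    decryption is literally the same function run with the subkeys reversed."""
    return swap_halves(feistel_encrypt(block, subkeys))


def des_style_decrypt(block, subkeys):
    return des_style_encrypt(block, list(reversed(subkeys)))


def demo():
    key = 0x0123456789ABCDEF           # constructed sample key
    plaintext = 0x4E6F772069732074     # constructed sample block
    ks = key_schedule(key)
    c = feistel_encrypt(plaintext, ks)
    roundtrip_ok = feistel_decrypt(c, ks) == plaintext
    reversed_keys_ok = des_style_decrypt(des_style_encrypt(plaintext, ks), ks) == plaintext
    # If every subkey is the same, "reverse the subkeys" changes nothing, so
    # E == D and E(E(P)) == P: this is why the DES weak keys behave that way.
    weak = [ks[0]] * len(ks)
    weak_key_ok = des_style_encrypt(des_style_encrypt(plaintext, weak), weak) == plaintext
    return roundtrip_ok, reversed_keys_ok, weak_key_ok


if __name__ == "__main__":
    print(demo())
```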

Substitution Permutation Network (SPN)


A substitution permutation network is a series of linked mathematical operations used in block
cipher algorithms. These networks describe a series of substitution and permutation operations
to be applied to the block of input bits to produce output bits. It takes the plaintext block
and the key as inputs and applies several alternating "rounds" or "layers" of substitution boxes
(S-boxes) and permutation boxes (P-boxes) to produce the ciphertext block.
- An S-box substitutes a small block of bits (the input of the S-box) by another block of bits
(the output of the S-box). In particular, the length of the output should be the same as the
length of the input. A good S-box has the property that changing one input bit changes about
half of the output bits. It also has the property that each output bit depends on every input
bit.
- A P-box is a permutation of all the bits: it takes the outputs of all the S-boxes of one round,
permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the
property that the output bits of any S-box are distributed to as many S-box inputs as
possible.
In addition, at each round the key is combined using some group operation, typically XOR.

Fig: SPN with 3 rounds


- Provides confusion and diffusion of message and key.
Decryption
- Decryption is done by simply reversing the process (using the inverse of the S-boxes and
P-boxes and applying the round keys in reverse order).

Q. Explain the concepts of diffusion and confusion.


Solution:
Block ciphers use "confusion" and "diffusion" in their encryption method. The terms
diffusion and confusion were introduced by the information theorist Claude Shannon.
According to Shannon, there are two primitive operations with which strong encryption
algorithms can be built:
- Confusion refers to making the relationship between the key and the ciphertext as complex
and involved as possible.
  - Each bit of the ciphertext should depend on several parts of the key, obscuring the
connections between the two.
  - E.g. an S-box or a substitution cipher.
- Diffusion means that if any character of the plaintext is changed, several characters of the
ciphertext should change at the same time. Similarly, if a character of the ciphertext is
changed, several characters of the plaintext should change.
  - Diffusion hides the relation between the ciphertext and the plaintext.
  - E.g. a P-box or a transposition cipher.
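
An added Python example (not from the note) of a toy 16-bit SPN with four 4-bit S-boxes and a bit permutation, covering both the SPN section and the diffusion explanation above: decryption uses the inverse S-box and P-box with the round keys reversed, and the avalanche() function measures diffusion by counting how many ciphertext bits change when one plaintext bit flips. The S-box is the first row of DES S1 (as used in Heys' tutorial SPN), the P-box is the usual transpose permutation, and the key schedule and key are constructed for the example.

```python
# Toy 16-bit substitution-permutation network: four 4-bit S-boxes, a bit
# permutation and five 16-bit round keys. Added example, not code from the
# note. The S-box is the first row of DES S1 (as in Heys' tutorial SPN), the
# P-box is the usual "transpose" permutation, and the key schedule merely
# slices a constructed 80-bit key.

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]

# Bit positions 0..15 count from the most significant bit. Output bit i of
# S-box j (position 4j+i) goes to input bit j of S-box i (position 4i+j), so
# each S-box output is spread over all four S-boxes of the next round.
PBOX = [4 * (pos % 4) + pos // 4 for pos in range(16)]
INV_PBOX = [PBOX.index(pos) for pos in range(16)]

def substitute(state, box):
    """Apply one 4-bit S-box to each nibble of the 16-bit state."""
    out = 0
    for j in range(4):
        shift = 12 - 4 * j
        out |= box[(state >> shift) & 0xF] << shift
    return out

def permute(state, pbox):
    """Move the bit at position src to position pbox[src]."""
    out = 0
    for src in range(16):
        out |= ((state >> (15 - src)) & 1) << (15 - pbox[src])
    return out

def round_keys(key80):
    """Five round keys: the 80-bit key cut into 16-bit slices (toy schedule)."""
    return [(key80 >> (64 - 16 * r)) & 0xFFFF for r in range(5)]

def spn_encrypt(pt, keys):
    state = pt
    for r in range(3):                               # full rounds: key, S, P
        state = permute(substitute(state ^ keys[r], SBOX), PBOX)
    state = substitute(state ^ keys[3], SBOX)        # last round has no P-box
    return state ^ keys[4]                           # final key mixing

def spn_decrypt(ct, keys):
    """The same steps backwards: inverse S-box, inverse P-box, keys reversed."""
    state = substitute(ct ^ keys[4], INV_SBOX) ^ keys[3]
    for r in (2, 1, 0):
        state = substitute(permute(state, INV_PBOX), INV_SBOX) ^ keys[r]
    return state

def avalanche(keys, samples=range(0, 1 << 16, 257)):
    """Average number of ciphertext bits that change when one plaintext bit
    flips: 16 would be everything, about 8 is what a good cipher gives."""
    total = count = 0
    for pt in samples:
        base = spn_encrypt(pt, keys)
        for bit in range(16):
            total += bin(base ^ spn_encrypt(pt ^ (1 << bit), keys)).count("1")
            count += 1
    return total / count

if __name__ == "__main__":
    keys = round_keys(0x3A94D63F88A1B2C4D5E6)       # constructed sample key
    ct = spn_encrypt(0x1234, keys)
    print(hex(ct), hex(spn_decrypt(ct, keys)), round(avalanche(keys), 2))
```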

Data Encryption Standard (DES)

- DES is a block cipher that operates on a plaintext block of 64 bits and returns a ciphertext
block of the same size.
- The key length is 56 bits. The key originally consists of 64 bits; however, only 56 of these
are actually used by the algorithm. Eight bits are used for checking parity and are thereafter
discarded.
- It consists of 16 rounds; each round performs the steps of substitution (confusion) and
transposition (diffusion).
DES Algorithm
- The algorithm accepts the plaintext 𝑃 and performs an initial permutation, 𝐼𝑃, on 𝑃 producing 𝑃0.
The block is then broken into left and right halves, the left (𝐿0) being the first 32 bits
of 𝑃0 and the right (𝑅0) being the last 32 bits of 𝑃0.
- Starting from 𝐿0 and 𝑅0, 16 rounds are performed until 𝐿16 and 𝑅16 are generated according to
the rule:
𝐿𝑖 = 𝑅𝑖−1
𝑅𝑖 = 𝐿𝑖−1 ⊕ 𝐹(𝑅𝑖−1, 𝐾𝑖)
- The inverse permutation, 𝐼𝑃−1, is applied to 𝐿16𝑅16 to produce the ciphertext 𝐶.

Key Generation
In DES encryption, the round-key generator creates sixteen 48-bit keys out of the 56-bit cipher
key.
Initially, 56 bits of the key are selected from the initial 64 bits by Permuted Choice 1 (PC-1);
the remaining eight bits are either discarded or used as parity check bits. The 56 bits are then
divided into two 28-bit halves (𝐶0 and 𝐷0); each half is thereafter treated separately. In
successive rounds, both halves (𝐶𝑖−1 and 𝐷𝑖−1) are rotated left by one or two bits as specified
for each round, and then 48 subkey bits are selected by Permuted Choice 2, PC-2 (24 bits from
the left half and 24 from the right); the result 𝐾𝑖 serves as input to the function 𝐹(𝑅𝑖−1, 𝐾𝑖).

Shift schedule:
Round(s)        Shift
1, 2, 9, 16     one bit
all others      two bits

Single Round of DES Algorithm


The following figure shows a closer view of the algorithm for a single iteration. The 64-bit
permuted input passes through 16 iterations, producing an intermediate 64-bit value at the
conclusion of each iteration.

The left-hand output of an iteration (𝐿𝑖) is equal to the right-hand input to that iteration, 𝑅𝑖−1.
The right-hand output 𝑅𝑖 is the exclusive OR of 𝐿𝑖−1 and a complex function 𝐹 of 𝐾𝑖 and 𝑅𝑖−1.
The function 𝐹 can be depicted by the following figure. 𝑆1, 𝑆2, …, 𝑆8 represent the "S-boxes",
which together map each combination of 48 input bits into a particular 32-bit pattern.

Decryption of DES
The process is the same as encryption; the only difference is that the keys are used in reverse
order. Thus, in decryption mode, the key schedule algorithm has to generate the round keys in
the sequence 𝐾16, 𝐾15, …, 𝐾1.

Double DES
- It does twice what DES normally does only once.
- It uses two keys 𝐾1 and 𝐾2 and encrypts the text with both keys in turn:
𝐶 = 𝐸𝐾2(𝐸𝐾1(𝑃))
- To decrypt, simply use DES decryption twice:
𝑃 = 𝐷𝐾1(𝐷𝐾2(𝐶))

Triple DES
- With Two Keys: It uses three stages of DES for encryption and decryption. The 1st and 3rd
stages use key 𝐾1 and the 2nd stage uses key 𝐾2. To make triple DES compatible with single DES
(with 𝐾1 = 𝐾2 it reduces to single DES), the middle stage uses decryption on the encryption
side and encryption on the decryption side.
Encryption: 𝐶 = 𝐸𝐾1(𝐷𝐾2(𝐸𝐾1(𝑃)))
Decryption: 𝑃 = 𝐷𝐾1(𝐸𝐾2(𝐷𝐾1(𝐶)))

- With Three Keys: It uses three stages of DES for encryption and decryption with three
different keys.
Encryption: 𝐶 = 𝐸𝐾3(𝐷𝐾2(𝐸𝐾1(𝑃)))
Decryption: 𝑃 = 𝐷𝐾1(𝐸𝐾2(𝐷𝐾3(𝐶)))

Q. Which types of keys are considered as weak keys in DES?


Solution:
Weak keys are keys that cause the encryption mode of DES to act identically to the
decryption mode of DES.
DES uses sixteen 48-bit subkeys generated from a 56-bit master key; one subkey is used in each
of the sixteen DES rounds. The weak keys of DES are those which produce sixteen identical
subkeys. This occurs when the key bits are:
- all zeros
- all ones
- the first half of the entire key all ones and the second half all zeros
- vice versa
Since all the subkeys are identical, encrypting twice produces the original plaintext.

Semi-weak Keys
A semi-weak key creates only two different round keys, each of them repeated eight times.
There are six semi-weak key pairs. Specific pairs of keys have identical decryption. That is,
there are two different keys, 𝑘1 and 𝑘2, for which 𝑐 = DES(𝑝, 𝑘1) and 𝑐 = DES(𝑝, 𝑘2). This
similarity implies that 𝑘1 can decrypt a message encrypted under 𝑘2.

Finite Fields

Groups
- denoted by {𝐺, ∙}, where ∙ is a generic symbol for the binary operation.
- a set of elements with a binary operation, such that the following axioms are obeyed:
  - 𝐴1: Closure: if 𝑎, 𝑏 ∈ 𝐺, then 𝑎 ∙ 𝑏 ∈ 𝐺
  - 𝐴2: Associative: 𝑎 ∙ (𝑏 ∙ 𝑐) = (𝑎 ∙ 𝑏) ∙ 𝑐 for all 𝑎, 𝑏, 𝑐 ∈ 𝐺
  - 𝐴3: Identity: there is an element 𝑒 ∈ 𝐺 such that 𝑎 ∙ 𝑒 = 𝑒 ∙ 𝑎 = 𝑎 for all 𝑎 ∈ 𝐺
  - 𝐴4: Inverse: for each 𝑎 ∈ 𝐺 there is an 𝑎′ ∈ 𝐺 with 𝑎 ∙ 𝑎′ = 𝑎′ ∙ 𝑎 = 𝑒
  - 𝐴5: Commutative: 𝑎 ∙ 𝑏 = 𝑏 ∙ 𝑎 for all 𝑎, 𝑏 ∈ 𝐺
→ If 𝐴1, 𝐴2, 𝐴3, 𝐴4 are satisfied: Group
→ If 𝐴1, 𝐴2, 𝐴3, 𝐴4, 𝐴5 are satisfied: Abelian Group

Rings
- denoted by {𝑅, +, ∗}
- a set of elements with two binary operations, addition and multiplication, such that the
following axioms are obeyed:
  - Abelian group under addition [𝐴1 − 𝐴5]
  - 𝑀1: Closure under multiplication: if 𝑎, 𝑏 ∈ 𝑅, then 𝑎𝑏 ∈ 𝑅
  - 𝑀2: Associativity of multiplication: 𝑎(𝑏𝑐) = (𝑎𝑏)𝑐 for all 𝑎, 𝑏, 𝑐 ∈ 𝑅
  - 𝑀3: Distributive: 𝑎(𝑏 + 𝑐) = 𝑎𝑏 + 𝑎𝑐 for all 𝑎, 𝑏, 𝑐 ∈ 𝑅
  - 𝑀4: Commutative: 𝑎𝑏 = 𝑏𝑎 for all 𝑎, 𝑏 ∈ 𝑅
  - 𝑀5: Multiplicative identity: 𝑎𝑒 = 𝑒𝑎 = 𝑎 for all 𝑎 ∈ 𝑅
  - 𝑀6: No zero divisors: if 𝑎𝑏 = 0 then either 𝑎 = 0 or 𝑏 = 0, for 𝑎, 𝑏 ∈ 𝑅
→ If 𝐴1 − 𝑀4 are satisfied: Commutative ring
→ If 𝐴1 − 𝑀6 are satisfied: Integral domain

Fields
- denoted by {𝐹, +, ∗}
- a set of elements with two binary operations, addition and multiplication, such that the
following axioms are obeyed:
  - [𝐴1 − 𝑀6]
  - 𝑀7: Multiplicative inverse: for each 𝑎 ∈ 𝐹 except 0 there is an 𝑎−1 with 𝑎𝑎−1 = 𝑎−1𝑎 = 1

Modular Arithmetic
- According to the division rule, dividing an integer 𝑛 by a positive integer 𝑝 gives
𝑛 = 𝑞𝑝 + 𝑟, with 0 ≤ 𝑟 < 𝑝
where 𝑝 is the divisor, 𝑞 is the quotient and 𝑟 is the remainder.
- Mod is the operator that gives the remainder 𝑟.

E.g.
5 mod 2 = 1, 7 mod 9 = 7, −7 mod 9 = 2,
15 mod 3 = 0, −6 mod 7 = 1, 81 mod 7 = 4,
−13 mod 10 = 7

Congruent Modulo
Two integers 𝑎 and 𝑏 are said to be congruent modulo 𝑛, written 𝒂 ≡ 𝒃 (𝒎𝒐𝒅 𝒏), if they leave
the same remainder when divided by 𝑛; in the simplest case, 𝑏 is the remainder when 𝑎 is
divided by 𝑛.
E.g. 7 ≡ 2 (mod 5)
𝑎 ≡ 𝑏 (mod 𝑛) ⇔ (𝑎 − 𝑏) mod 𝑛 = 0 ⇔ (𝑎 mod 𝑛) = (𝑏 mod 𝑛)

Greatest Common Divisor (GCD)


The GCD of two positive integers 𝑎 and 𝑏 is the greatest number that divides both 𝑎 and 𝑏.
E.g. 𝐺𝐶𝐷(25, 10) = 5
Euclidean algorithm to find GCD:
r1 = a;
r2 = b;
while (r2 > 0)
{
    q = r1 / r2;        // integer division
    r = r1 - q * r2;    // remainder
    r1 = r2;
    r2 = r;
}
GCD(a, b) = r1

Q. 𝑮𝑪𝑫(𝟏𝟔𝟏, 𝟐𝟖) = ?
Soln:
Here,
𝑎 = 161, 𝑏 = 28
Now,
r1     r2     q     r
161    28     5     21
28     21     1     7
21     7      3     0
7      0
∴ 𝐺𝐶𝐷(161, 28) = 7

Q. 𝑮𝑪𝑫(𝟔𝟎, 𝟐𝟓) = ?
Soln:
Here,
𝑎 = 60, 𝑏 = 25
Now,
r1     r2     q     r
60     25     2     10
25     10     2     5
10     5      2     0
5      0
∴ 𝐺𝐶𝐷(60, 25) = 5

Set of Residues
- denoted as 𝑍𝑛 .
- is the set of remainders when divided by 𝑛, i.e. 𝑍𝑛 = {0, 1, 2, 3, …, 𝑛 − 1}.
E.g. 𝑍5 = {0, 1, 2, 3, 4}
𝑍2 = {0, 1}

Operations of 𝒁𝒏
- Addition, subtraction, multiplication
1. Add 7 to 14 in 𝒁𝟏𝟓 .
(7 + 14) 𝑚𝑜𝑑 15 = 21 𝑚𝑜𝑑 15 = 6
2. Subtract 11 from 7 in 𝒁𝟏𝟑 .
(7 − 11) 𝑚𝑜𝑑 13 = −4 𝑚𝑜𝑑 13 = 9
3. Multiply 11 by 7 in 𝒁𝟐𝟎 .
(11 ∗ 7) 𝑚𝑜𝑑 20 = 77 𝑚𝑜𝑑 20 = 17

Properties of Modular arithmetic for integers in 𝒁𝒏

Residue Class
- denoted as [𝑎] or [𝑎]𝑛.
- is the set of integers that leave remainder 𝑎 when divided by 𝑛.
- i.e. 𝑥 ∈ [𝑎]𝑛 ⇔ 𝑥 ≡ 𝑎 (mod 𝑛)
E.g.
Let 𝑛 = 4
[0] = {…, −12, −8, −4, 0, 4, 8, 12, …}
[1] = {…, −11, −7, −3, 1, 5, 9, 13, …}
[2] = {…, −10, −6, −2, 2, 6, 10, 14, …}
[3] = {…, −9, −5, −1, 3, 7, 11, 15, …}

Quadratic Residue
- Suppose 𝑝 is an odd prime and 𝑎 is an integer.
- 𝑎 is defined to be a quadratic residue modulo 𝑝 if 𝒚² ≡ 𝒂 (𝒎𝒐𝒅 𝒑) for some 𝑦 ∈ 𝑍𝑝.
E.g.
𝑝 = 7
Nonzero elements of 𝑍7: {1, 2, 3, 4, 5, 6}

1² ≡ 1 (mod 7)
2² ≡ 4 (mod 7)
3² ≡ 2 (mod 7)
4² ≡ 2 (mod 7)
5² ≡ 4 (mod 7)
6² ≡ 1 (mod 7)

∴ 1, 2, 4 are the quadratic residues modulo 7.

Additive inverse of 𝒁𝒏

Let 𝑎, 𝑏 ∈ 𝑍𝑛 , then 𝑎 is additive inverse of 𝑏 if (𝒂 + 𝒃) 𝒎𝒐𝒅 𝒏 = 𝟎.


E.g.
1. Find all the additive inverse pairs in 𝒁𝟓 .
Soln:
𝑍5 = {0, 1, 2, 3, 4}
The additive inverse pairs in 𝑍5 are:
(0, 0), since (0+0) mod 5 = 0.
(1, 4), since (1+4) mod 5 =0.
(2, 3), since (2+3) mod 5 =0.
(3, 2), since (3+2) mod 5 =0.
(4, 1), since (4+1) mod 5 =0.

2. Find the additive inverse of all the elements of 𝒁𝟏𝟎 .


Soln:
𝑍10 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
Now,
w 0 1 2 3 4 5 6 7 8 9
-w 0 9 8 7 6 5 4 3 2 1
Where, -w is the additive inverse of w.

Multiplicative inverse in 𝒁𝒏

Let 𝑎, 𝑏 ∈ 𝑍𝑛 , then 𝑎 is multiplicative inverse of 𝑏 if (𝒂 ∗ 𝒃) 𝒎𝒐𝒅 𝒏 = 𝟏.


E.g.
1. Find all the multiplicative inverse pairs in 𝒁𝟏𝟎 .
Soln:
𝑍10 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
The multiplicative inverse pairs in 𝑍10 are:
(1, 1), since (1*1) mod 10 = 1.
(3, 7), since (3*7) mod 10 = 1.
(7, 3), since (7*3) mod 10 = 1.
(9, 9), since (9*9) mod 10 = 1.

2. Find multiplicative inverse of each nonzero element in 𝒁𝟕 .


Soln:
𝑍7 = {0, 1, 2, 3, 4, 5, 6}
Now,
𝒘 1 2 3 4 5 6
𝒘−𝟏 1 4 5 2 3 6
Where, 𝑤 −1 is the multiplicative inverse of 𝑤.

Co-prime

- Also called relatively prime.


- Two positive numbers 𝑎 and 𝑏 are co-prime of each other if and only if 𝑮𝑪𝑫(𝒂, 𝒃) = 𝟏.
E.g. (10, 3), (22, 13)
Note: Let 𝑏 ∈ 𝑍𝑛; then the multiplicative inverse of 𝑏 exists if and only if 𝐺𝐶𝐷(𝑏, 𝑛) = 1, i.e.
𝑏 and 𝑛 are co-prime.

Q. Find the multiplicative inverse of 𝟐 in 𝒁𝟔 .


Soln:
Since 2 and 6 are not co-prime (𝐺𝐶𝐷(2, 6) = 2), the multiplicative inverse of 2 in 𝑍6 does not exist.

Extended Euclidean Algorithm (EEA) to find multiplicative inverse

To find the multiplicative inverse of b in 𝒁𝒏 , EEA works as follows:


r1 = n;
r2 = b;
t1 = 0;
t2 = 1;
while (r2 > 0)
{
    q = r1 / r2;        // integer division
    r = r1 - q * r2;
    r1 = r2;
    r2 = r;
    t = t1 - q * t2;
    t1 = t2;
    t2 = t;
}
if (r1 == 1) then 𝑏−1 = t1 mod n.
E.g.
Q. Find the multiplicative inverse of 11 in 𝒁𝟐𝟔.
Soln:
Here, 𝑏 = 11, 𝑍𝑛 = 𝑍26, i.e. 𝑛 = 26
Now,
q     r1     r2     r     t1     t2     t
2     26     11     4     0      1      -2
2     11     4      3     1      -2     5
1     4      3      1     -2     5      -7
3     3      1      0     5      -7     26
      1      0            -7     26
∴ 11−1 = −7 mod 26 = 19

Q. Find the multiplicative inverse of 23 in 𝒁𝟏𝟎𝟎.
Soln:
Here, 𝑏 = 23, 𝑍𝑛 = 𝑍100, i.e. 𝑛 = 100
Now,
q     r1     r2     r     t1     t2     t
4     100    23     8     0      1      -4
2     23     8      7     1      -4     9
1     8      7      1     -4     9      -13
7     7      1      0     9      -13    100
      1      0            -13    100
∴ 23−1 = −13 mod 100 = 87
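
The Euclidean and extended Euclidean algorithms above, as an added Python example (not code from the note): it records the same (r1, r2, q, r) and (q, r1, r2, r, t1, t2, t) rows as the worked tables, returns None when b and n are not co-prime, and lists the inverse pairs of Z_n as in the earlier multiplicative-inverse examples.

```python
# Euclid and the extended Euclidean algorithm, written so that the trace
# matches the (r1, r2, q, r) and (q, r1, r2, r, t1, t2, t) tables above
# (added example, not code from the note).


def gcd_trace(a, b):
    """Euclidean algorithm; returns (gcd, rows), one row (r1, r2, q, r) per loop."""
    r1, r2, rows = a, b, []
    while r2 > 0:
        q = r1 // r2
        r = r1 - q * r2
        rows.append((r1, r2, q, r))
        r1, r2 = r2, r            # the old r2 becomes r1, the remainder becomes r2
    return r1, rows


def inverse_trace(b, n):
    """Extended Euclid for b^-1 in Z_n; returns (inverse or None, rows).
    Each row is (q, r1, r2, r, t1, t2, t) exactly as in the worked tables."""
    r1, r2, t1, t2, rows = n, b, 0, 1, []
    while r2 > 0:
        q = r1 // r2
        r = r1 - q * r2
        t = t1 - q * t2
        rows.append((q, r1, r2, r, t1, t2, t))
        r1, r2 = r2, r
        t1, t2 = t2, t
    if r1 != 1:                  # gcd(b, n) != 1: b and n not co-prime, no inverse
        return None, rows
    return t1 % n, rows          # b^-1 = t1 mod n


def mod_inverse(b, n):
    return inverse_trace(b, n)[0]


def inverse_pairs(n):
    """All (a, a^-1) pairs in Z_n, e.g. (1,1), (3,7), (7,3), (9,9) for Z_10."""
    return [(a, mod_inverse(a, n)) for a in range(1, n) if mod_inverse(a, n) is not None]


def print_table(header, rows):
    print("  ".join(f"{h:>4}" for h in header))
    for row in rows:
        print("  ".join(f"{v:>4}" for v in row))


if __name__ == "__main__":
    g, rows = gcd_trace(161, 28)
    print_table(("r1", "r2", "q", "r"), rows)
    print("GCD(161, 28) =", g)
    inv, rows = inverse_trace(11, 26)
    print_table(("q", "r1", "r2", "r", "t1", "t2", "t"), rows)
    print("11^-1 mod 26 =", inv)
    print("inverse pairs in Z_10:", inverse_pairs(10))
```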

Galois Field (GF)

- A Galois field can be defined as a set of numbers that we can add, subtract, multiply and
divide together and only ever end up with a result that exists in our set of numbers.
- The number of elements of a Galois field is of the form 𝑝ⁿ, where 𝑝 is a prime and 𝑛 is a
positive integer. Generally, it is denoted by 𝐺𝐹(𝑝ⁿ).

𝐺𝐹(𝑝ⁿ) splits into two cases:
- 𝑛 = 1: 𝐺𝐹(𝑝), the prime fields
- 𝑛 > 1: 𝐺𝐹(𝑝ⁿ), the extension fields

For a given prime 𝑝, 𝐺𝐹(𝑝) is defined as the set 𝑍𝑝 = {0, 1, 2, …, 𝑝 − 1} of integers
together with arithmetic operations modulo 𝑝.
E.g. Arithmetic in 𝐺𝐹(7)

Polynomial Arithmetic
In general, a polynomial is an expression of the form
𝑎ₙ𝑥ⁿ + 𝑎ₙ₋₁𝑥ⁿ⁻¹ + … + 𝑎₁𝑥 + 𝑎₀
for some non-negative integer 𝑛, where the coefficients 𝑎₀, 𝑎₁, …, 𝑎ₙ are drawn from
some designated set 𝑆. 𝑆 is called the coefficient set.

When 𝑎𝑛 ≠ 0, we have a polynomial of degree 𝑛.


Polynomial arithmetic deals with the addition, subtraction, multiplication and division of
polynomials.

Addition:
𝑓(𝑥) = 𝑎₂𝑥² + 𝑎₁𝑥 + 𝑎₀
𝑔(𝑥) = 𝑏₁𝑥 + 𝑏₀
𝑓(𝑥) + 𝑔(𝑥) = 𝑎₂𝑥² + (𝑎₁ + 𝑏₁)𝑥 + (𝑎₀ + 𝑏₀)
Subtraction:
𝑓(𝑥) = 𝑎₂𝑥² + 𝑎₁𝑥 + 𝑎₀
𝑔(𝑥) = 𝑏₃𝑥³ + 𝑏₀
𝑓(𝑥) − 𝑔(𝑥) = −𝑏₃𝑥³ + 𝑎₂𝑥² + 𝑎₁𝑥 + (𝑎₀ − 𝑏₀)
Multiplication:
𝑓(𝑥) = 𝑎₂𝑥² + 𝑎₁𝑥 + 𝑎₀
𝑔(𝑥) = 𝑏₁𝑥 + 𝑏₀
𝑓(𝑥) ∗ 𝑔(𝑥) = 𝑎₂𝑏₁𝑥³ + (𝑎₂𝑏₀ + 𝑎₁𝑏₁)𝑥² + (𝑎₁𝑏₀ + 𝑎₀𝑏₁)𝑥 + 𝑎₀𝑏₀
Division:
𝑓(𝑥) = 𝑎₂𝑥² + 𝑎₁𝑥 + 𝑎₀
𝑔(𝑥) = 𝑏₁𝑥 + 𝑏₀
𝑓(𝑥) / 𝑔(𝑥) = ? (obtained by long division)

Long division for polynomials consists of the following steps:


a) Arrange both the dividend and the divisor in the descending powers of the variable.
b) Divide the first term of the dividend by the first term of the divisor and write the result
as the first term of the quotient.
c) Multiply the divisor with the quotient term just obtained and arrange the result under
the dividend so that the same powers of 𝑥 match up. Subtract the expression just laid
out from the dividend.
d) Consider the result of the above subtraction as the new dividend and go back to the first
step.

Polynomial Arithmetic over 𝑮𝑭(𝒑)


Polynomial arithmetic in which the arithmetic on the coefficients is performed modulo 𝑝; that
is, the coefficients are in 𝐺𝐹(𝑝).
E.g.
Q. Calculate the result of the following if the polynomials are over 𝑮𝑭(𝟐).
- (𝑥⁷ + 𝑥⁵ + 𝑥⁴ + 𝑥³ + 𝑥 + 1) + (𝑥³ + 𝑥 + 1)
- (𝑥⁷ + 𝑥⁵ + 𝑥⁴ + 𝑥³ + 𝑥 + 1) − (𝑥³ + 𝑥 + 1)
- (𝑥⁷ + 𝑥⁵ + 𝑥⁴ + 𝑥³ + 𝑥 + 1) × (𝑥³ + 𝑥 + 1)
- (𝑥⁷ + 𝑥⁵ + 𝑥⁴ + 𝑥³ + 𝑥 + 1) / (𝑥³ + 𝑥 + 1)
Soln:

Q. Divide 5𝑥² + 4𝑥 + 6 by 2𝑥 + 1 over 𝑮𝑭(𝟕).

Soln:

1) We must start by dividing 5𝑥² by 2𝑥. This requires that we divide 5 by 2 in 𝐺𝐹(7).
Dividing 5 by 2 is the same as multiplying 5 by the multiplicative inverse of 2.
The multiplicative inverse of 2 is 4, since 2 ∗ 4 mod 7 = 1.
So we have 5/2 = 5 ∗ 2−1 = 5 ∗ 4 = 20 mod 7 = 6.
Therefore, the first term of the quotient is 6𝑥.
2) Since the product of 6𝑥 and 2𝑥 + 1 is (12𝑥² + 6𝑥) mod 7 = 5𝑥² + 6𝑥, we need to subtract
5𝑥² + 6𝑥 from the dividend 5𝑥² + 4𝑥 + 6. The result is (−2𝑥 + 6) mod 7 = 5𝑥 + 6.
3) Our new dividend for the next round of long division is therefore 5𝑥 + 6. To find the next
quotient term, we need to divide 5𝑥 by the first term of the divisor, that is by 2𝑥.
Reasoning as before, we see that the next quotient term is again 6.
4) Applying the same process as above, the remainder is zero, so the quotient is 6𝑥 + 6.
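
Polynomial arithmetic over 𝐺𝐹(𝑝) as an added Python example (not code from the note), serving both the 𝐺𝐹(2) exercise and the 𝐺𝐹(7) division just worked: coefficients are lists with the lowest degree first, division follows the long-division steps (a) to (d) above using the coefficient inverse in 𝐺𝐹(𝑝), and the main block reproduces both worked problems.

```python
# Polynomial arithmetic over GF(p) with coefficient lists, lowest degree
# first: 5x^2 + 4x + 6 is [6, 4, 5]. Added example, not code from the note.


def trim(f):
    """Drop leading zero coefficients so the last entry is the leading term."""
    while f and f[-1] == 0:
        f = f[:-1]
    return f


def poly_add(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a + b) % p for a, b in zip(f, g)])


def poly_sub(f, g, p):
    return poly_add(f, [(-b) % p for b in g], p)


def poly_mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)


def coeff_inverse(a, p):
    """a^-1 in GF(p) for prime p via Fermat: a^(p-2) mod p (e.g. 2^-1 = 4 in GF(7))."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no inverse")
    return pow(a, p - 2, p)


def poly_divmod(f, g, p):
    """Long division, steps (a)-(d) above; returns (quotient, remainder)."""
    f, g = trim([c % p for c in f]), trim([c % p for c in g])
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    rem, quot = f[:], [0] * max(len(f) - len(g) + 1, 0)
    lead_inv = coeff_inverse(g[-1], p)          # dividing by the leading coefficient
    while len(rem) >= len(g):                    # (d) repeat while the degree allows
        shift = len(rem) - len(g)
        coef = (rem[-1] * lead_inv) % p          # (b) leading term of dividend / divisor
        quot[shift] = coef
        for i, b in enumerate(g):                # (c) subtract coef * x^shift * g(x)
            rem[i + shift] = (rem[i + shift] - coef * b) % p
        rem = trim(rem)                          # leading term cancelled; degree drops
    return trim(quot), rem


def poly_str(f):
    """Human-readable form, highest degree first."""
    terms = []
    for d in range(len(f) - 1, -1, -1):
        c = f[d]
        if c == 0:
            continue
        var = "" if d == 0 else ("x" if d == 1 else f"x^{d}")
        coef = "" if c == 1 and d > 0 else str(c)
        terms.append(coef + var)
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    f, g = [1, 1, 0, 1, 1, 1, 0, 1], [1, 1, 0, 1]   # x^7+x^5+x^4+x^3+x+1 and x^3+x+1
    q, r = poly_divmod(f, g, 2)
    print("GF(2) sum:", poly_str(poly_add(f, g, 2)), "| product:", poly_str(poly_mul(f, g, 2)))
    print("GF(2) quotient:", poly_str(q), "| remainder:", poly_str(r))
    q, r = poly_divmod([6, 4, 5], [1, 2], 7)         # (5x^2+4x+6) / (2x+1) over GF(7)
    print("GF(7) quotient:", poly_str(q), "| remainder:", poly_str(r))
```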

International Data Encryption Algorithm (IDEA)

The block cipher IDEA operates with 64-bit plaintext and ciphertext blocks and is controlled
by a 128-bit key, from which 52 subkeys are derived for use in the algorithm. It consists of
a series of eight identical transformations (rounds), each of which uses 6 different subkeys;
the last four subkeys are used for the output transformation (the half-round).
IDEA derives much of its security from interleaving operations from different groups, modular
addition and multiplication and bitwise exclusive OR (XOR), which are algebraically
"incompatible" in some sense. In more detail, these operators, which all deal with 16-bit
quantities, are:
⊕ bitwise XOR of 16-bit sub-blocks
⊞ addition modulo 2¹⁶ of 16-bit integers
⊙ multiplication modulo 2¹⁶ + 1 of 16-bit integers, with the zero sub-block corresponding to 2¹⁶

After the eight rounds comes a final “half round”, for the output.

Fig: Structure of IDEA

Key Generation
The 64-bit plaintext block is partitioned into four 16-bit sub-blocks, since all the algebraic
operations used in the encryption process operate on 16-bit numbers. For each of the encryption
rounds, six 16-bit key sub-blocks are generated from the 128-bit key. Since a further four 16-bit
key sub-blocks are required for the subsequent output transformation, a total of 52 (= 8 × 6 +
4) different 16-bit sub-blocks have to be generated from the 128-bit key.
The 52 16-bit key sub-blocks are produced as follows:
- First, the 128-bit key is partitioned into eight 16-bit sub-blocks which are then directly used
as the first eight key sub-blocks.
- The 128-bit key is then cyclically shifted to the left by 25 positions, after which the resulting
128-bit block is again partitioned into eight 16-bit sub-blocks to be directly used as the next
eight key sub-blocks.
- The cyclic shift procedure described above is repeated until all of the required 52 16-bit
key sub-blocks have been generated.

Encryption
The process consists of eight identical encryption steps (known as encryption rounds) followed
by an output transformation.
- The first four 16-bit key sub-blocks are combined with two of the 16-bit plaintext sub-blocks
using addition modulo 2¹⁶, and with the other two plaintext sub-blocks using multiplication
modulo 2¹⁶ + 1.
- At the end of the first encryption round four 16-bit values are produced which are used as
input to the second encryption round.
- The process is repeated in each of the subsequent 7 encryption rounds.
- The four 16-bit values produced at the end of the 8th encryption round are combined with
the last four of the 52 key sub-blocks using addition modulo 2¹⁶ and multiplication modulo
2¹⁶ + 1 to form the resulting four 16-bit ciphertext sub-blocks.

Decryption
- The computational process used for decryption of the ciphertext is essentially the same as
that used for encryption of the plaintext.
- The only difference is that each of the 52 16-bit key sub-blocks used for decryption is the
inverse of the key sub-block used during encryption with respect to the applied algebraic
group operation.
- Additionally, the key sub-blocks must be used in the reverse order during decryption in
order to reverse the encryption process.

Q. Explain odd and even round (round operations) in IDEA.


Soln:
IDEA uses 8 full rounds and 1 half round. We now split each full round into two, giving 16 rounds
plus the half round, so that there are 17 rounds in total, where the 9 odd rounds (1, 3, …, 17)
are identical and the 8 even rounds (2, 4, …, 16) are identical. Each odd round takes 4 subkeys
and each even round takes 2 subkeys.
Odd Round
- Treat the 64-bit input block as four 16-bit sub-blocks (𝑋𝑎, 𝑋𝑏, 𝑋𝑐, 𝑋𝑑).
- Uses four 16-bit keys (𝐾𝑎, 𝐾𝑏, 𝐾𝑐, 𝐾𝑑).
It works as follows (𝑋𝑎 is multiplied by 𝐾𝑎, 𝑋𝑑 by 𝐾𝑑, and the two middle sub-blocks are
added to 𝐾𝑏 and 𝐾𝑐 and swapped):
𝑋𝑎 = 𝑋𝑎 ⊙ 𝐾𝑎
𝑋𝑏 = 𝑋𝑐 ⊞ 𝐾𝑐
𝑋𝑐 = 𝑋𝑏 ⊞ 𝐾𝑏
𝑋𝑑 = 𝑋𝑑 ⊙ 𝐾𝑑

Fig: IDEA Odd Round

Even Round
- There are four input 16-bit sub-blocks (𝑋𝑎, 𝑋𝑏, 𝑋𝑐, 𝑋𝑑) from the previous round.
- Uses two 16-bit keys (𝐾𝑒, 𝐾𝑓).
It works as follows:

𝑌𝑖𝑛 = 𝑋𝑎 ⊕ 𝑋𝑏
𝑍𝑖𝑛 = 𝑋𝑐 ⊕ 𝑋𝑑
𝑌𝑜𝑢𝑡 = ((𝐾𝑒 ⊙ 𝑌𝑖𝑛 ) ⊞ 𝑍𝑖𝑛 ) ⊙ 𝐾𝑓
𝑍𝑜𝑢𝑡 = ((𝐾𝑒 ⊙ 𝑌𝑖𝑛 ) ⊞ 𝑌𝑜𝑢𝑡 )
𝑋𝑎 = 𝑋𝑎 ⊕ 𝑌𝑜𝑢𝑡
𝑋𝑏 = 𝑋𝑏 ⊕ 𝑌𝑜𝑢𝑡
𝑋𝑐 = 𝑋𝑐 ⊕ 𝑍𝑜𝑢𝑡
𝑋𝑑 = 𝑋𝑑 ⊕ 𝑍𝑜𝑢𝑡

Fig: IDEA Even Round
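
The odd and even rounds above, as an added Python example (not code from the note or from a reference IDEA implementation): it builds the 52 subkeys with the 25-bit rotation, runs the 17 rounds, and derives the decryption subkeys from the group inverses, reusing the even round unchanged because it is its own inverse. Key and plaintext are constructed sample values.

```python
# IDEA rounds exactly as described above: odd rounds use four subkeys with
# (.) = multiply mod 2^16+1 and (+) = add mod 2^16, even rounds use two
# subkeys in the XOR-based mixing step. Added example, not code from the note
# or from a reference IDEA implementation; key and plaintext are constructed.

MOD_ADD = 1 << 16            # (+): addition modulo 2^16
MOD_MUL = (1 << 16) + 1      # (.): multiplication modulo 2^16 + 1, a prime

def mul(a, b):
    """a (.) b, with the all-zero sub-block standing for 2^16."""
    a, b = a or MOD_ADD, b or MOD_ADD
    r = (a * b) % MOD_MUL
    return 0 if r == MOD_ADD else r

def add(a, b):
    return (a + b) % MOD_ADD

def mul_inv(a):
    """Inverse under (.): Fermat, a^(p-2) mod p, with the same 0 <-> 2^16 rule."""
    r = pow(a or MOD_ADD, MOD_MUL - 2, MOD_MUL)
    return 0 if r == MOD_ADD else r

def add_inv(a):
    return (-a) % MOD_ADD

def key_schedule(key128):
    """52 subkeys: eight 16-bit words, then rotate the key left by 25 and repeat."""
    mask = (1 << 128) - 1
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(key128 >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        key128 = ((key128 << 25) | (key128 >> (128 - 25))) & mask
    return subkeys[:52]

def odd_round(x, k):
    """Xa = Xa(.)Ka, Xb = Xc(+)Kc, Xc = Xb(+)Kb, Xd = Xd(.)Kd (middle pair swapped)."""
    xa, xb, xc, xd = x
    ka, kb, kc, kd = k
    return (mul(xa, ka), add(xc, kc), add(xb, kb), mul(xd, kd))

def even_round(x, k):
    """Y_in = Xa^Xb, Z_in = Xc^Xd, mix with Ke, Kf, then XOR the results back in."""
    xa, xb, xc, xd = x
    ke, kf = k
    y_in, z_in = xa ^ xb, xc ^ xd
    t = mul(ke, y_in)
    y_out = mul(add(t, z_in), kf)
    z_out = add(t, y_out)
    return (xa ^ y_out, xb ^ y_out, xc ^ z_out, xd ^ z_out)

def split_subkeys(subkeys):
    """Hand the 52 subkeys to the 17 rounds: 4, 2, 4, 2, ..., 4."""
    rounds, pos = [], 0
    for r in range(17):
        n = 4 if r % 2 == 0 else 2
        rounds.append(tuple(subkeys[pos:pos + n]))
        pos += n
    return rounds

def run_rounds(block, round_keys):
    x = tuple((block >> (48 - 16 * i)) & 0xFFFF for i in range(4))
    for r, k in enumerate(round_keys):
        x = odd_round(x, k) if r % 2 == 0 else even_round(x, k)
    return (x[0] << 48) | (x[1] << 32) | (x[2] << 16) | x[3]

def decryption_round_keys(subkeys):
    """Reverse the round order. An odd round is undone by an odd round whose keys
    are the group inverses, with Kb and Kc swapped because the odd round swaps the
    two middle sub-blocks. An even round is its own inverse (Y_in and Z_in are not
    changed by the final XORs), so its two keys are reused unchanged."""
    dec = []
    for k in reversed(split_subkeys(subkeys)):
        if len(k) == 4:
            ka, kb, kc, kd = k
            dec.append((mul_inv(ka), add_inv(kc), add_inv(kb), mul_inv(kd)))
        else:
            dec.append(k)
    return dec

def idea_encrypt(block, key128):
    return run_rounds(block, split_subkeys(key_schedule(key128)))

def idea_decrypt(block, key128):
    return run_rounds(block, decryption_round_keys(key_schedule(key128)))

if __name__ == "__main__":
    key = 0x0123456789ABCDEF0011223344556677         # constructed sample key
    pt = 0x4E6F772069732074                          # constructed sample block
    ct = idea_encrypt(pt, key)
    print(hex(ct), hex(idea_decrypt(ct, key)))
```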

Advanced Encryption Standard (AES)

- AES is a block cipher which operates on a block size of 128 bits for both encryption and
decryption.
- Three key lengths are available: 128, 192 or 256 bits (16, 24 or 32 bytes).
- The number of rounds performed by the algorithm depends on the size of the key:
Key Size (in bits)    Rounds
128                   10
192                   12
256                   14
- Each of these rounds uses a different 128-bit round key, which is calculated from the
original AES key.
- Each round consists of four functions:
1. Sub Bytes
2. Shift Rows
3. Mix Columns (not applied in the last round)
4. Add Round Key

Fig: Encryption/Decryption Rounds in AES

AES treats the 128-bit block (16 bytes) as a 4 × 4 byte array, called the state matrix:
𝑎00 𝑎01 𝑎02 𝑎03
𝑎10 𝑎11 𝑎12 𝑎13
𝑎20 𝑎21 𝑎22 𝑎23
𝑎30 𝑎31 𝑎32 𝑎33
All four AES operations are applied to this matrix. These operations can be described as
follows:

1. Sub Bytes
In the SubBytes step, each byte in the state is replaced with the corresponding S-box value,
𝑆: 𝑏𝑖𝑗 = 𝑆(𝑎𝑖𝑗).

The S-box is a special lookup table which is constructed using Galois fields. The field used
is 𝐺𝐹(2⁸), i.e. 256 values are possible. The elements of the S-box are written in hexadecimal.
The AES S-box lookup table appears as shown below:

For e.g. 𝑆(3𝐶) = 𝐸𝐵, since 𝐸𝐵 appears in row 3 and column 𝐶 of the above table.

For decryption, the inverse of SubBytes (InvSubBytes) is the same operation using the inverse
S-box, which is also pre-calculated.

2. Shift Rows
In the ShiftRows step, the bytes in each row of the state are shifted cyclically to the left. The
number of places each byte is shifted differs for each row:
1st row: no shift.
2nd row: a 1-byte circular left shift.
3rd row: a 2-byte circular left shift.
4th row: a 3-byte circular left shift.

The inverse of ShiftRows is the same cyclic shift, but to the right.

3. Mix Columns
Each column of four bytes is now transformed using a special mathematical function. This
function takes as input the four bytes of one column and outputs four completely new bytes,
which replace the original column. The result is another new matrix consisting of 16 new
bytes. It should be noted that this step is not performed in the last round.
Each column of the state is multiplied with a fixed matrix. The multiplication is field
multiplication in the Galois field 𝐺𝐹(2⁸).

MixColumn matrix used for 128-bit key:
[ 2 3 1 1 ]
[ 1 2 3 1 ]
[ 1 1 2 3 ]
[ 3 1 1 2 ]

4. Add Round Key


In the AddRoundKey step, each byte of the state is combined with a corresponding byte of
the round subkey using the XOR operation (⊕).

AES Key Expansion

To create round keys for each round, AES uses a key expansion process. If the number of
rounds is 𝑁𝑟, the key expansion routine creates 𝑁𝑟 + 1 128-bit round keys from one single
128-bit cipher key.
It takes the 128-bit (16-byte) key and expands it into an array of 44 32-bit words. For the
purpose of adding the key to the state, each word is considered as a column matrix.

Fig: Key expansion in AES

Round       Words
Pre-round   𝑤0  𝑤1  𝑤2  𝑤3
1           𝑤4  𝑤5  𝑤6  𝑤7
2           𝑤8  𝑤9  𝑤10 𝑤11
…           …
𝑁𝑟          𝑤4𝑁𝑟  𝑤4𝑁𝑟+1  𝑤4𝑁𝑟+2  𝑤4𝑁𝑟+3
Calculation of the 𝒈 function includes the following 3 processes:
1. RotWord performs a one-byte circular left shift on a word. For e.g.
𝑅𝑜𝑡𝑊𝑜𝑟𝑑[𝑏0, 𝑏1, 𝑏2, 𝑏3] → [𝑏1, 𝑏2, 𝑏3, 𝑏0]
2. SubWord performs a byte substitution on each byte of the input word using the S-box.
3. The result of steps 1 and 2 is XORed with 𝑅𝐶𝑜𝑛[𝑗], the round constant.
Round Constant (RCon):
- The round constant is a word in which the three rightmost bytes are always 0.
- It is different for each round and defined as:
𝑅𝐶𝑜𝑛[𝑗] = (𝑅𝐶[𝑗], 0, 0, 0)
where 𝑅𝐶[1] = 1 and 𝑅𝐶[𝑗] = 2 ∗ 𝑅𝐶[𝑗 − 1] (multiplication in 𝐺𝐹(2⁸)).

Pseudocode for key expansion:
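
AES-128 key expansion as an added Python example (not the note's pseudocode): the S-box is computed from 𝐺𝐹(2⁸) (inverse modulo 𝑥⁸ + 𝑥⁴ + 𝑥³ + 𝑥 + 1 followed by the affine map) rather than typed in, RotWord, SubWord and RCon are as described above, and the demo checks the result against the FIPS-197 Appendix A key; passing nk and nr also covers the 192- and 256-bit key sizes.

```python
# AES-128 key expansion with the S-box computed from GF(2^8) instead of typed
# in: byte inverse modulo x^8+x^4+x^3+x+1, then the affine map. Added example,
# not the note's pseudocode. The key in the demo is the FIPS-197 Appendix A key.

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2) modulo x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """a^-1 in GF(2^8) as a^254 (a^255 = 1 for a != 0); 0 maps to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def affine(b):
    """The S-box affine step: b xor its four left rotations xor 0x63."""
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]     # S(0x3C) == 0xEB, as quoted above
INV_SBOX = [SBOX.index(v) for v in range(256)]     # the table InvSubBytes uses

def rot_word(w):
    """RotWord: one-byte circular left shift, [b0,b1,b2,b3] -> [b1,b2,b3,b0]."""
    return w[1:] + w[:1]

def sub_word(w):
    """SubWord: S-box applied to each byte of the word."""
    return [SBOX[b] for b in w]

def rcon(j):
    """RCon[j] = (RC[j], 0, 0, 0); RC[1] = 1, RC[j] = 2 * RC[j-1] in GF(2^8)."""
    rc = 1
    for _ in range(j - 1):
        rc = gf_mul(rc, 2)
    return [rc, 0, 0, 0]

def expand_key(key, nk=4, nr=10):
    """Returns the 4*(Nr+1) words w[0..]; w[4r..4r+3] is round key r.
    nk=4, nr=10 is AES-128; (6, 12) and (8, 14) give AES-192 and AES-256."""
    assert len(key) == 4 * nk
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:                       # every Nk-th word goes through g()
            temp = [a ^ b for a, b in zip(sub_word(rot_word(temp)), rcon(i // nk))]
        elif nk > 6 and i % nk == 4:          # extra SubWord only for Nk = 8
            temp = sub_word(temp)
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w

def round_key(w, r):
    """Round key r as 16 bytes; each word is one column of the key matrix."""
    return bytes(b for word in w[4 * r:4 * r + 4] for b in word)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
    w = expand_key(key)
    for r in range(11):
        print(r, round_key(w, r).hex())
```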

Difference Between AES and DES

AES                                                    | DES
AES stands for Advanced Encryption Standard.           | DES stands for Data Encryption Standard.
Block size is 128 bits.                                | Block size is 64 bits.
Key length can be 128, 192 or 256 bits.                | Key length is 56 bits.
AES divides the plaintext into 128-bit blocks and      | DES divides the plaintext into 64-bit blocks and
treats each block as a 4 × 4 array; each block is then | encrypts each using a 56-bit key.
encrypted using one of the three key lengths,          |
128, 192 or 256 bits.                                  |
Number of rounds depends on key length:                | DES involves 16 rounds of identical operations.
10 (128 bits), 12 (192 bits) or 14 (256 bits).         |
AES structure is based on a substitution-permutation   | DES structure is based on a Feistel network.
network.                                               |
AES is faster.                                         | DES is comparatively slower.
AES is more secure than DES.                           | DES is less secure.
The rounds in AES are: Byte Substitution, Shift Row,   | The rounds in DES are: Expansion, XOR with the
Mix Column and Key Addition.                           | round key, Substitution and Permutation.
AES was designed by Vincent Rijmen and Joan Daemen.    | DES was designed by IBM.

Modes of Block Cipher Encryptions

1. Electronic Code Book (ECB) Mode


In ECB mode, the message is divided into blocks of a given size and each block of
plaintext/ciphertext is encrypted/decrypted separately using the same key.
Encryption: 𝐶𝑖 = 𝐸(𝑃𝑖, 𝑘𝑒𝑦)
Decryption: 𝑃𝑖 = 𝐷(𝐶𝑖, 𝑘𝑒𝑦)
If the same block of plaintext appears more than once in the message, it always produces
the same ciphertext block.

2. Cipher Block Chaining (CBC) mode


In CBC mode, each block of plaintext is XORed with the previous ciphertext block before
being encrypted with the key. This way, each ciphertext block depends on all plaintext
blocks processed up to that point. To make each message unique, an initialization vector
(IV) must be used in the first block.
Decryption involves decrypting the current ciphertext block and then XORing the result with
the previous ciphertext block.
Encryption: 𝐶𝑖 = 𝐸(𝑃𝑖 ⊕ 𝐶𝑖−1, 𝑘𝑒𝑦), 𝐶0 = 𝐼𝑉
Decryption: 𝑃𝑖 = 𝐷(𝐶𝑖, 𝑘𝑒𝑦) ⊕ 𝐶𝑖−1, 𝐶0 = 𝐼𝑉

3. Cipher Feedback (CFB) Mode


- A way of using a block cipher as a stream cipher.
- A shift register of the block size maintains the current state of the cipher operation,
initially set to some initialization vector (IV).
- The value of the shift register is encrypted using key K, and the leftmost 𝑗 bits of the
output are XORed with the 𝑗-bit plaintext unit 𝑃𝑖 to produce the 𝑗-bit ciphertext unit 𝐶𝑖.
- The value of the shift register is shifted left by 𝑗 bits and 𝐶𝑖 is fed back into the
rightmost 𝑗 bits of the shift register.
- Typically 𝑗 = 8, 16, 32, …
- For decryption, the same scheme is used, except that the received ciphertext unit is
XORed with the output of the encryption function to produce the plaintext unit. Note
that it is the encryption function that is used, not the decryption function.
Encryption (with 𝑗 equal to the block size): 𝐶𝑖 = 𝐸(𝐶𝑖−1, 𝑘𝑒𝑦) ⊕ 𝑃𝑖, 𝐶0 = 𝐼𝑉
Decryption: 𝑃𝑖 = 𝐸(𝐶𝑖−1, 𝑘𝑒𝑦) ⊕ 𝐶𝑖, 𝐶0 = 𝐼𝑉

4. Output Feedback (OFB) Mode


It is similar to CFB mode except that the encryption output itself is fed back, instead of the
ciphertext (the XOR output). In this output feedback mode, all bits of the block are fed back
instead of only selected 𝑗 bits.
Encryption: 𝐶𝑗 = 𝑃𝑗 ⊕ 𝑂𝑗
Decryption: 𝑃𝑗 = 𝐶𝑗 ⊕ 𝑂𝑗
𝑂𝑗 = 𝐸(𝐼𝑗, 𝑘𝑒𝑦)
𝐼𝑗 = 𝑂𝑗−1
𝐼0 = 𝐼𝑉

5. Counter (CTR) Mode


In this mode a counter equal in size to the plaintext block is used. The counter value must be
different for each plaintext block that is encrypted. Typically, the counter is initialized to
some value (nonce + counter) and then incremented by 1 for each subsequent block. The
nonce is a random number used for all blocks of an encryption operation, and the counter is
exactly what it sounds like: a value that starts at zero for block zero and increments to one
for block one, and so on.
For encryption, the counter is encrypted and then XORed with the plaintext block to
produce the ciphertext block; there is no chaining. For decryption, the same sequence of
counter values is used, with each encrypted counter XORed with a ciphertext block to
recover the corresponding plaintext block.

Q. Consider the message blocks 𝒎𝟏, 𝒎𝟐, 𝒎𝟑. If the cipher block chaining mode DES
encryption can be expressed as 𝑪𝒊 = 𝑫𝑬𝑺(𝒎𝒊 ⊕ 𝒎𝒊−𝟏 ⊕ 𝑪𝒊−𝟏); 𝒎𝟎 ⊕ 𝑪𝟐 = 𝑰𝑽, write the
expression for the DES decryption to extract each of the message blocks 𝒎𝟏, 𝒎𝟐, 𝒎𝟑.
Soln:
Encryption
Given,
𝐶𝑖 = 𝐷𝐸𝑆(𝑚𝑖 ⊕ 𝑚𝑖−1 ⊕ 𝐶𝑖−1)
𝐶1 = 𝐷𝐸𝑆(𝑚1 ⊕ 𝑚0 ⊕ 𝐶0)
𝐶2 = 𝐷𝐸𝑆(𝑚2 ⊕ 𝑚1 ⊕ 𝐶1)
𝐶3 = 𝐷𝐸𝑆(𝑚3 ⊕ 𝑚2 ⊕ 𝐶2)

Decryption
Expression for the decryption (𝐷𝐸𝑆𝑑 denotes DES decryption):
𝑚𝑖 = 𝐷𝐸𝑆𝑑(𝐶𝑖) ⊕ 𝑚𝑖−1 ⊕ 𝐶𝑖−1
𝑚1 = 𝐷𝐸𝑆𝑑(𝐶1) ⊕ 𝑚0 ⊕ 𝐶0
𝑚2 = 𝐷𝐸𝑆𝑑(𝐶2) ⊕ 𝑚1 ⊕ 𝐶1
𝑚3 = 𝐷𝐸𝑆𝑑(𝐶3) ⊕ 𝑚2 ⊕ 𝐶2
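
The five modes above and the chained variant from this question, as an added Python example (not code from the note): the 64-bit block function is a keyed invertible permutation invented for illustration, not a real cipher, and the key, IV, nonce and message are constructed values. The message repeats a block so that ECB's leak and CBC's hiding of it can be checked, the chained variant assumes 𝑚0 = 0 and 𝐶0 = 𝐼𝑉, and CFB, OFB and CTR decryption call only the encryption direction.

```python
# ECB, CBC, CFB (full-block feedback), OFB, CTR and the chained variant
# C_i = E(m_i xor m_{i-1} xor C_{i-1}) on a toy 64-bit block function.
# Added example: the block function is a keyed invertible permutation invented
# for illustration, NOT a real cipher; key, IV, nonce and message are constructed.

MASK64 = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15            # odd, so multiplying by it mod 2^64 is invertible
ODD_INV = pow(ODD, -1, 1 << 64)     # its inverse modulo 2^64 (Python 3.8+)

def enc_block(key, x):
    """Toy E(x, key): xor key, multiply by ODD, rotate left 23, xor key."""
    y = ((x ^ key) * ODD) & MASK64
    y = ((y << 23) | (y >> 41)) & MASK64
    return y ^ key

def dec_block(key, y):
    """Toy D(y, key): the three steps of enc_block undone in reverse order."""
    x = y ^ key
    x = ((x >> 23) | (x << 41)) & MASK64
    return ((x * ODD_INV) & MASK64) ^ key

def ecb_encrypt(key, blocks):
    return [enc_block(key, p) for p in blocks]            # C_i = E(P_i)

def ecb_decrypt(key, blocks):
    return [dec_block(key, c) for c in blocks]            # P_i = D(C_i)

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv                                    # C_0 = IV
    for p in blocks:
        prev = enc_block(key, p ^ prev)                   # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(dec_block(key, c) ^ prev)              # P_i = D(C_i) xor C_{i-1}
        prev = c
    return out

def cfb_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = enc_block(key, prev) ^ p                   # C_i = E(C_{i-1}) xor P_i
        out.append(prev)
    return out

def cfb_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(enc_block(key, prev) ^ c)              # P_i = E(C_{i-1}) xor C_i: E, never D
        prev = c
    return out

def ofb_xcrypt(key, iv, blocks):
    """OFB: O_j = E(O_{j-1}), O_0 = IV; encryption and decryption are the same."""
    out, o = [], iv
    for b in blocks:
        o = enc_block(key, o)
        out.append(b ^ o)
    return out

def ctr_xcrypt(key, nonce, blocks):
    """CTR: counter block = nonce (upper 32 bits) || block number from 0; no chaining."""
    return [b ^ enc_block(key, (nonce << 32) | i) for i, b in enumerate(blocks)]

def chained_encrypt(key, iv, blocks):
    """C_i = E(m_i xor m_{i-1} xor C_{i-1}); here m_0 = 0 and C_0 = IV (assumption)."""
    out, m_prev, c_prev = [], 0, iv
    for m in blocks:
        c = enc_block(key, m ^ m_prev ^ c_prev)
        out.append(c)
        m_prev, c_prev = m, c
    return out

def chained_decrypt(key, iv, blocks):
    """m_i = D(C_i) xor m_{i-1} xor C_{i-1}, the expression derived above."""
    out, m_prev, c_prev = [], 0, iv
    for c in blocks:
        m = dec_block(key, c) ^ m_prev ^ c_prev
        out.append(m)
        m_prev, c_prev = m, c
    return out

# Constructed sample values; blocks 0 and 2 of MSG are identical on purpose.
KEY, IV, NONCE = 0x0F1E2D3C4B5A6978, 0x1122334455667788, 0xCAFEBABE
MSG = [0x4E6F772069732074, 0x68652074696D6520, 0x4E6F772069732074]

def repeated_block_visible(ciphertext):
    """True when the identical plaintext blocks 0 and 2 gave identical ciphertext blocks."""
    return ciphertext[0] == ciphertext[2]

if __name__ == "__main__":
    print("ECB leaks the repeated block:", repeated_block_visible(ecb_encrypt(KEY, MSG)))
    print("CBC leaks the repeated block:", repeated_block_visible(cbc_encrypt(KEY, IV, MSG)))
```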

Please let me know if I missed anything or anything is incorrect.
[email protected]
