The document discusses the Feistel cipher structure and its use in symmetric block ciphers like the Data Encryption Standard (DES). It explains that Feistel ciphers partition the plaintext block into halves, apply a round function to one half using the other half and a subkey, and swap the halves. This diffusion achieves Shannon's substitution-permutation concept. DES is a classical Feistel network using 16 rounds of processing on 64-bit blocks with 56-bit keys. The design and operation of DES ciphers are also summarized.

Unit II

Symmetric Ciphers
Prepared by: Suresh Thapa
Vedas College, Jawalakhel, Lalitpur
Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher
  – based on the concept of an invertible product cipher
  – partitions the input block into two halves
  – processes them through multiple rounds, each of which:
    • performs a substitution on the left data half
    • based on a round function of the right half and a subkey
    • then has a permutation swapping the halves
  – implements Shannon's substitution-permutation network concept
• Virtually all conventional block encryption algorithms, including the Data Encryption Standard (DES), are based on the Feistel cipher structure.
• The plaintext is divided into two halves L0 and R0.
• The two halves then pass through n rounds of processing and are combined to produce the cipher block.
• Each round i has as input Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki derived from the overall key K.
Classical Feistel Network
Feistel Cipher Structure (1973)

• All rounds have the same structure.
• A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data, followed by the XOR of the output of that function and the left half of the data.
• The round function has the same general structure for each round but is parameterized by the round subkey Ki. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. This structure is a particular form of the substitution-permutation network (SPN) proposed by Shannon.
• More practically, Shannon suggested combining elements to obtain:
  – Diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext
  – Confusion: makes the relationship between ciphertext and key as complex as possible
• The exact realization of a Feistel network depends on the choice of the following parameters and design features:
Design Features of Feistel Network

 Block Size: a larger block means greater security; typically 64 bits.
 Key Size: 56-128 bits.
 Number of Rounds: a single round offers inadequate security; a typical size is 16 rounds.
 Sub-key Generation Algorithm: greater complexity should lead to greater difficulty of cryptanalysis.
 Round Function: again, greater complexity generally means greater resistance to cryptanalysis.
 Fast Software Encryption/Decryption: the speed of execution of the algorithm is important.
 Ease of Analysis: to be able to develop a higher level of assurance as to its strength.
 Decryption: uses the same algorithm with the subkeys in reverse order.
Feistel Encryption and Decryption
Data Encryption Standard (DES)

• In May 1973, and again in Aug 1974, the NBS (now NIST) called for possible encryption algorithms for use in unclassified government applications. The response was mostly disappointing; however, IBM submitted their Lucifer design, which, following a period of redesign and comment, became the Data Encryption Standard (DES).
• It was adopted as a (US) federal standard in Nov 76, published by NBS as a hardware-only scheme in Jan 77, and by ANSI for both hardware and software standards in ANSI X3.92-1981 (also X3.106-1983, modes of use). Subsequently it has been widely adopted and is now published in many standards around the world, cf. Australian Standard AS2805.5-1985.
• One of the largest users of the DES is the banking industry, particularly with EFT and EFTPOS.
• It is for this use that the DES has primarily been standardized, with ANSI having twice reconfirmed its recommended use for 5-year periods; a further extension is not expected. Although the standard is public, the design criteria used are classified and have yet to be released, and there has been considerable controversy over the design, particularly in the choice of a 56-bit key.
Data Encryption Standard (DES)

• Recent analysis has shown, despite this, that the choice was appropriate and that DES is well designed.
• Rapid advances in computing speed, though, have rendered the 56-bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman.
• The DES has also been theoretically broken using a method called differential cryptanalysis; however, in practice this is unlikely to be a problem (yet).
Data Encryption Standard (DES)

• Initial Permutation IP
  – first step of the data computation
  – IP reorders the input data bits
  – even bits to the LH half, odd bits to the RH half
  – quite regular in structure
  – example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
• DES Round Structure
  – uses two 32-bit L & R halves
  – as for any Feistel cipher, can be described as:
    • Li = Ri-1
    • Ri = Li-1 XOR F(Ri-1, Ki)
  – F takes the 32-bit R half and a 48-bit subkey and:
    • expands R to 48 bits using permutation E
    • adds (XORs) it to the subkey
    • passes the result through 8 S-boxes to get a 32-bit result
    • finally permutes this using the 32-bit permutation P
Data Encryption Standard (DES)

• Substitution Boxes S
  – there are eight S-boxes, each mapping 6 bits to 4 bits
  – each S-box is actually 4 little 4-bit boxes
    • outer bits 1 & 6 (row bits) select one row
    • inner bits 2-5 (column bits) are substituted
    • result is 8 lots of 4 bits, or 32 bits
  – row selection depends on both data & key
    • feature known as autoclaving (autokeying)
  – example: S(18 09 12 3d 11 17 38 39) = 5fd25e03
• DES Key Schedule
  – forms the subkeys used in each round; consists of:
    • an initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
    • 16 stages consisting of:
      – selecting 24 bits from each half
      – permuting them by PC2 for use in the round function F
      – rotating each half separately either 1 or 2 places depending on the key rotation schedule
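The S-box row/column selection and the per-round rotation of the 28-bit key halves, as an added example that is not part of the slides. Only the first real DES S-box (S1, from FIPS 46) is included, so the lookup can be checked against the first output nibble (5) of the slide's example S(18 09 12 3d 11 17 38 39) = 5fd25e03; the other seven S-boxes and the PC1/PC2 selection tables are left out. Function names are the example's own.

```python
# Added example (not from the slides): DES S-box lookup and key-half rotation.
# S1 is the first DES S-box as published in FIPS 46; the other seven are omitted.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# Left-rotation amount applied to each 28-bit key half before subkey i
# (i = 1..16); this is the DES key rotation schedule.
KEY_ROTATIONS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def sbox_lookup(sbox, six_bits):
    """Map a 6-bit value to 4 bits the DES way.

    The outer bits (bit 1 = MSB and bit 6 = LSB of the chunk) select one
    of the four rows; the inner four bits (2-5) select the column.
    """
    assert 0 <= six_bits < 64
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]


def split_into_six_bit_chunks(value48):
    """Split the 48-bit value E(R) XOR K into the eight S-box inputs."""
    return [(value48 >> (42 - 6 * i)) & 0x3F for i in range(8)]


def rotate_left_28(half, places):
    """Rotate a 28-bit key half left by 1 or 2 places."""
    mask28 = (1 << 28) - 1
    return ((half << places) | (half >> (28 - places))) & mask28


def key_half_schedule(c0):
    """Return the 16 successive values C1..C16 of one 28-bit key half.

    The rotations total 28, so C16 equals C0 again: the schedule is a
    full cycle, which is what lets decryption run it backwards.
    """
    halves = []
    c = c0
    for places in KEY_ROTATIONS:
        c = rotate_left_28(c, places)
        halves.append(c)
    return halves


if __name__ == "__main__":
    print(hex(sbox_lookup(S1, 0x18)))      # first 6-bit input of the slide's example
    print(sbox_lookup(S1, 0b011011))       # the FIPS 46 worked example for S1
```

sbox_lookup(S1, 0x18) gives 5, matching the leading nibble of 5fd25e03; the FIPS 46 example input 011011 (row 01, column 1101) also maps to 5.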
Data Encryption Standard (DES)

• DES Decryption
– decrypt must unwind steps of data computation
– with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
– note that IP undoes final FP step of encryption
– 1st round with SK16 undoes 16th encrypt round
….
– 16th round with SK1 undoes 1st encrypt round
– then final FP undoes initial encryption IP
– thus recovering original data value
Data Encryption Standard (DES)

• Avalanche Effect
  – desirable property of an encryption algorithm where a change of one input or key bit results in changing approximately half of the output bits
  – making attempts to "home in" by guessing keys impossible
  – DES exhibits strong avalanche
Data Encryption Standard (DES)

• Strength of DES – Key Size
  – 56-bit keys have 2^56 = 7.2 x 10^16 values
  – brute-force search looks hard
  – recent advances have shown it is possible
    • in 1997 on the Internet in a few months
    • in 1998 on dedicated h/w (EFF) in a few days
    • in 1999 the above combined in 22 hrs!
  – still must be able to recognize plaintext
  – now considering alternatives to DES
Data Encryption Standard (DES)

• Strength of DES – Timing Attacks
  – attack the actual implementation of the cipher
  – use knowledge of the consequences of the implementation to derive knowledge of some/all subkey bits
  – specifically use the fact that calculations can take varying times depending on the value of their inputs
  – particularly problematic on smartcards
Data Encryption Standard (DES)

• Strength of DES – Analytic Attacks
  – there are now several analytic attacks on DES
  – these utilize some deep structure of the cipher
    • by gathering information about encryptions
    • they can eventually recover some/all of the subkey bits
    • if necessary, the rest is then found by exhaustive search
  – generally these are statistical attacks, including
    • differential cryptanalysis
    • linear cryptanalysis
    • related-key attacks
Data Encryption Standard (DES)

• Double DES
  – The simplest form of multiple encryption has two encryption stages and two keys.
  – Given a plaintext P and two encryption keys K1 and K2, the ciphertext C is generated as
    • C = E(K2, E(K1, P))
  – Decryption requires that the keys be applied in reverse order:
    • P = D(K1, D(K2, C))
  – For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, and should result in a dramatic increase in cryptographic strength.
Data Encryption Standard (DES)

• Triple DES with two keys
  – Two-key triple encryption was first proposed by Tuchman [TUCH79].
  – The function follows an encrypt-decrypt-encrypt (EDE) sequence:
    • C = E(K1, D(K2, E(K1, P)))
    • P = D(K1, E(K2, D(K1, C)))
  – There is no cryptographic significance to the use of decryption for the second stage.
  – 3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANSI X9.17 and ISO 8732.
  – Currently, there are no practical cryptanalytic attacks on 3DES.
Data Encryption Standard (DES)

• Triple DES with three keys
  – Three-key 3DES is defined as
    • C = E(K3, D(K2, E(K1, P)))
  – Backward compatibility with DES is provided by putting K3 = K2 or K1 = K2. One might expect that 3TDEA would provide 56 x 3 = 168 bits of strength.
  – However, there is an attack on 3TDEA that reduces the strength to the work that would be involved in exhausting a 112-bit key.
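The Feistel structure from the opening slides (decryption is the same network run with the subkeys reversed) and the EDE composition of the two-key and three-key Triple DES slides, as one added example that is not part of the slides. The block is a toy 32-bit Feistel cipher whose round function and key schedule are invented for illustration and have nothing to do with DES's E, S-boxes, P or PC1/PC2; what it demonstrates is the structure: the halves swap each round, the same code inverts itself when the subkeys are reversed, and with K1 = K2 the EDE construction collapses to a single encryption under K3, exactly the backward-compatibility trick described above.

```python
# Added example (not from the slides): a toy 32-bit Feistel cipher and the
# EDE (encrypt-decrypt-encrypt) composition used by Triple DES.
# round_function and derive_subkeys are made up for illustration only.
MASK16 = 0xFFFF
ROUNDS = 16


def round_function(right, subkey):
    """Toy F: XOR in the subkey, then a non-linear mix of the 16-bit half."""
    x = (right ^ subkey) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16            # multiply-add mod 2^16
    x ^= ((x << 5) | (x >> 11)) & MASK16          # rotate by 5 and XOR back in
    return x & MASK16


def derive_subkeys(key32, rounds=ROUNDS):
    """Toy key schedule: 16 subkeys of 16 bits from a 32-bit key."""
    subkeys = []
    for i in range(rounds):
        rot = (7 * i) % 32
        rotated = ((key32 << rot) | (key32 >> (32 - rot))) & 0xFFFFFFFF
        subkeys.append((rotated ^ (0x1357 * (i + 1))) & MASK16)
    return subkeys


def feistel(block32, subkeys):
    """Generic Feistel network: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i).

    The halves are swapped back after the last round, so running this same
    function with the subkey list reversed undoes it.
    """
    left, right = (block32 >> 16) & MASK16, block32 & MASK16
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 16) | left


def encrypt(block32, key32):
    return feistel(block32, derive_subkeys(key32))


def decrypt(block32, key32):
    # Same network, subkeys K16 ... K1: the i-th decryption round undoes
    # the (17-i)-th encryption round.
    return feistel(block32, list(reversed(derive_subkeys(key32))))


def ede_encrypt(block32, k1, k2, k3):
    """Triple encryption: C = E(K3, D(K2, E(K1, P))). Two-key variant: k3 == k1."""
    return encrypt(decrypt(encrypt(block32, k1), k2), k3)


def ede_decrypt(block32, k1, k2, k3):
    """P = D(K1, E(K2, D(K3, C)))."""
    return decrypt(encrypt(decrypt(block32, k3), k2), k1)


if __name__ == "__main__":
    p, k1, k2, k3 = 0xDEADBEEF, 0x01234567, 0x89ABCDEF, 0x0F1E2D3C
    c = ede_encrypt(p, k1, k2, k3)
    print(hex(c), hex(ede_decrypt(c, k1, k2, k3)))
    # With K1 = K2 the inner D(K2, E(K1, .)) cancels: single encryption under K3.
    print(ede_encrypt(p, k1, k1, k3) == encrypt(p, k3))
```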
Finite Fields

• Groups
  – A group G, sometimes denoted by {G, ·}, is a set of elements with a binary operation, denoted by ·, that associates to each ordered pair (a, b) of elements in G an element (a · b) in G, such that the following axioms are obeyed. The operator · is generic and can refer to addition, multiplication, or some other mathematical operation.
    • (A1) Closure: if a and b belong to G, then a · b is also in G.
    • (A2) Associative: a · (b · c) = (a · b) · c for all a, b, c in G.
    • (A3) Identity element: there is an element e in G such that a · e = e · a = a for all a in G.
    • (A4) Inverse element: for each a in G there is an element a' in G such that a · a' = a' · a = e.
  – If a group has a finite number of elements, it is referred to as a finite group, and the order of the group is equal to the number of elements in the group. Otherwise, the group is an infinite group.
  – A group is said to be abelian if it satisfies the following additional condition:
    • (A5) Commutative: a · b = b · a for all a, b in G.
  – The set of integers (positive, negative, and 0) under addition is an abelian group.
Finite Fields

• Cyclic Group
  – We define exponentiation within a group as repeated application of the group operator, so that a^3 = a · a · a.
  – Further, we define a^0 = e, the identity element, and a^-n = (a')^n.
  – A group G is cyclic if every element of G is a power a^k (k is an integer) of a fixed element a ∈ G. The element a is said to generate the group G, or to be a generator of G.
  – A cyclic group is always abelian, and may be finite or infinite.
Finite Fields

• Ring
  – A ring R, sometimes denoted by {R, +, x}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed:
    • (A1-A5) R is an abelian group with respect to addition; that is, R satisfies axioms A1 through A5. For the case of an additive group, we denote the identity element as 0 and the inverse of a as -a.
    • (M1) Closure under multiplication: if a and b belong to R, then ab is also in R.
    • (M2) Associativity of multiplication: a(bc) = (ab)c for all a, b, c in R.
    • (M3) Distributive laws: a(b + c) = ab + ac for all a, b, c in R; (a + b)c = ac + bc for all a, b, c in R.
Finite Fields

• Commutative Ring
  – A ring is said to be commutative if it satisfies the following additional condition:
    • (M4) Commutativity of multiplication: ab = ba for all a, b in R.
  – Let S be the set of even integers (positive, negative, and 0) under the usual operations of addition and multiplication. S is a commutative ring. The set of all n-square matrices defined in the preceding example is not a commutative ring.
Finite Fields

• Integral Domain
  – We define an integral domain, which is a commutative ring that obeys the following axioms:
    • (M5) Multiplicative identity: there is an element 1 in R such that a1 = 1a = a for all a in R.
    • (M6) No zero divisors: if a, b in R and ab = 0, then either a = 0 or b = 0.
  – Let S be the set of integers, positive, negative, and 0, under the usual operations of addition and multiplication. S is an integral domain.
Finite Fields

• Fields
  – A field F, sometimes denoted by {F, +, x}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed:
    • (A1-M6) F is an integral domain; that is, F satisfies axioms A1 through A5 and M1 through M6.
    • (M7) Multiplicative inverse: for each a in F, except 0, there is an element a^-1 in F such that a·a^-1 = (a^-1)·a = 1.
  – In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set. Division is defined with the following rule: a/b = a(b^-1).
  – Familiar examples of fields are the rational numbers, the real numbers, and the complex numbers. Note that the set of all integers is not a field, because not every element of the set has a multiplicative inverse; in fact, only the elements 1 and -1 have multiplicative inverses in the integers.
Finite Fields

• Modular Arithmetic
  – Given any positive integer n and any nonnegative integer a, if we divide a by n, we get an integer quotient q and an integer remainder r that obey the following relationship:
    • a = qn + r, 0 ≤ r < n    (1)
  – If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n. The integer n is called the modulus.
    • For example: 11 mod 7 = 4 and -11 mod 7 = 3
  – Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n).
    • i.e. a ≡ b (mod n)
Finite Fields

• Divisors
  – We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers. That is, b divides a if there is no remainder on division. The notation b|a is commonly used to mean b divides a. Also, if b|a, we say that b is a divisor of a.
  – The following relations hold:
    • If a|1, then a = ±1.
    • If a|b and b|a, then a = ±b.
    • Any b ≠ 0 divides 0.
    • If b|g and b|h, then b|(mg + nh) for arbitrary integers m and n.
Finite Fields

• Properties of Congruences
  – Congruences have the following properties:
    • a ≡ b (mod n) if n|(a - b).
    • a ≡ b (mod n) implies b ≡ a (mod n).
    • a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n).
  – To demonstrate the first point: if n|(a - b), then (a - b) = kn for some k, so we can write a = b + kn. Therefore, (a mod n) = (remainder when b + kn is divided by n) = (remainder when b is divided by n) = (b mod n).

• Modular Arithmetic Operations
  – Modular arithmetic exhibits the following properties:
    • [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • [(a mod n) - (b mod n)] mod n = (a - b) mod n
    • [(a mod n) x (b mod n)] mod n = (a x b) mod n
Finite Fields

• Arithmetic Modulo 8

a. Addition modulo 8
+ | 0 1 2 3 4 5 6 7
--+----------------
0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0
2 | 2 3 4 5 6 7 0 1
3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4
6 | 6 7 0 1 2 3 4 5
7 | 7 0 1 2 3 4 5 6

b. Multiplication modulo 8
* | 0 1 2 3 4 5 6 7
--+----------------
0 | 0 0 0 0 0 0 0 0
1 | 0 1 2 3 4 5 6 7
2 | 0 2 4 6 0 2 4 6
3 | 0 3 6 1 4 7 2 5
4 | 0 4 0 4 0 4 0 4
5 | 0 5 2 7 4 1 6 3
6 | 0 6 4 2 0 6 4 2
7 | 0 7 6 5 4 3 2 1

c. Additive and multiplicative inverses modulo 8
w | -w | w^-1
--+----+-----
0 |  0 |  -
1 |  7 |  1
2 |  6 |  -
3 |  5 |  3
4 |  4 |  -
5 |  3 |  5
6 |  2 |  -
7 |  1 |  7
Finite Fields

• Properties of Modular Arithmetic
  – Define the set Zn as the set of nonnegative integers less than n:
    Zn = {0, 1, ..., (n-1)}
  – This is referred to as the set of residues, or residue classes modulo n.
  – To be more precise, each integer in Zn represents a residue class. We can label the residue classes modulo n as [0], [1], [2], ..., [n-1], where
    [r] = {a : a is an integer, a ≡ r (mod n)}
  – The residue classes modulo 4 are
    • [0] = { ..., -16, -12, -8, -4, 0, 4, 8, 12, 16, ... }
    • [1] = { ..., -15, -11, -7, -3, 1, 5, 9, 13, 17, ... }
    • [2] = { ..., -14, -10, -6, -2, 2, 6, 10, 14, 18, ... }
    • [3] = { ..., -13, -9, -5, -1, 3, 7, 11, 15, 19, ... }
Finite Fields

• Properties of Modular Arithmetic for Integers in Zn
  – Commutative laws
    • (a + b) mod n = (b + a) mod n
    • (a x b) mod n = (b x a) mod n
  – Associative laws
    • [(a + b) + c] mod n = [a + (b + c)] mod n
    • [(a x b) x c] mod n = [a x (b x c)] mod n
  – Distributive law
    • [a x (b + c)] mod n = [(a x b) + (a x c)] mod n
  – Identities
    • (0 + a) mod n = a mod n
    • (1 x a) mod n = a mod n
  – Additive inverse
    • For each a ∈ Zn, there exists z such that a + z ≡ 0 (mod n)
  – If (a + b) ≡ (a + c) (mod n), then b ≡ c (mod n)
    • (5 + 23) ≡ (5 + 7) (mod 8); 23 ≡ 7 (mod 8)
  – If (a x b) ≡ (a x c) (mod n), then b ≡ c (mod n) if a is relatively prime to n
    • (5 x 23) ≡ (5 x 7) (mod 8); 23 ≡ 7 (mod 8)
Finite Fields

• The Euclidean Algorithm
  – One of the basic techniques of number theory is the Euclidean algorithm, which is a simple procedure for determining the greatest common divisor of two positive integers.
  – Recall that nonzero b is defined to be a divisor of a if a = mb for some m, where a, b, and m are integers. We will use the notation gcd(a, b) to mean the greatest common divisor of a and b. The positive integer c is said to be the greatest common divisor of a and b if
    • c is a divisor of a and of b;
    • any divisor of a and b is a divisor of c.
  – An equivalent definition is the following:
    • gcd(a, b) = max[k, such that k|a and k|b]
Finite Fields

• The Euclidean Algorithm
  – The Euclidean algorithm is based on the following theorem:
    • For any nonnegative integer a and any positive integer b,
      gcd(a, b) = gcd(b, a mod b)
  – EUCLID(a, b)
    1. A ← a; B ← b
    2. if B = 0 return A = gcd(a, b)
    3. R = A mod B
    4. A ← B
    5. B ← R
    6. goto 2
Finite Fields

• Finite Fields of the Form GF(p)
  – It can be shown that the order of a finite field (number of elements in the field) must be a power of a prime, p^n, where n is a positive integer.
  – The finite field of order p^n is generally written GF(p^n); GF stands for Galois field, in honor of the mathematician who first studied finite fields.
  – Two special cases are of interest for our purposes.
    • For n = 1, we have the finite field GF(p); this finite field has a different structure than that for finite fields with n > 1.
    • For finite fields of the form GF(p^n)
Finite Fields

• Finite Fields of the Form GF(p)
  – For a given prime p, we define the finite field of order p, GF(p), as the set Zp of integers {0, 1, ..., p - 1} together with the arithmetic operations modulo p.
  – If n is prime, then all of the nonzero integers in Zn are relatively prime to n, and therefore there exists a multiplicative inverse for all of the nonzero integers in Zn.
  – Multiplicative inverse (w^-1)
    • For each w ∈ Zp, w ≠ 0, there exists a z ∈ Zp such that w x z ≡ 1 (mod p).
    • Because w is relatively prime to p, if we multiply all the elements of Zp by w, the resulting residues are all of the elements of Zp permuted. Thus, exactly one of the residues has the value 1. Therefore, there is some integer in Zp that, when multiplied by w, yields the residue 1. That integer is the multiplicative inverse of w, designated w^-1.
  – Therefore, Zp is in fact a finite field.
Finite Fields

• Arithmetic in GF(7)

a. Addition modulo 7
+ | 0 1 2 3 4 5 6
--+--------------
0 | 0 1 2 3 4 5 6
1 | 1 2 3 4 5 6 0
2 | 2 3 4 5 6 0 1
3 | 3 4 5 6 0 1 2
4 | 4 5 6 0 1 2 3
5 | 5 6 0 1 2 3 4
6 | 6 0 1 2 3 4 5

b. Multiplication modulo 7
* | 0 1 2 3 4 5 6
--+--------------
0 | 0 0 0 0 0 0 0
1 | 0 1 2 3 4 5 6
2 | 0 2 4 6 1 3 5
3 | 0 3 6 2 5 1 4
4 | 0 4 1 5 2 6 3
5 | 0 5 3 1 6 4 2
6 | 0 6 5 4 3 2 1

c. Additive and multiplicative inverses modulo 7
w | -w | w^-1
--+----+-----
0 |  0 |  -
1 |  6 |  1
2 |  5 |  4
3 |  4 |  5
4 |  3 |  2
5 |  2 |  3
6 |  1 |  6
Finite Fields

• Finding the Multiplicative Inverse in GF(p)
  – The Euclidean algorithm can be extended so that, in addition to finding gcd(m, b), if the gcd is 1, the algorithm returns the multiplicative inverse of b.
  – EXTENDED EUCLID(m, b)
    1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)
    2. if B3 = 0 return A3 = gcd(m, b); no inverse
    3. if B3 = 1 return B3 = gcd(m, b); B2 = b^-1 mod m
    4. Q = ⌊A3 / B3⌋
    5. (T1, T2, T3) ← (A1 - Q·B1, A2 - Q·B2, A3 - Q·B3)
    6. (A1, A2, A3) ← (B1, B2, B3)
    7. (B1, B2, B3) ← (T1, T2, T3)
    8. goto 2
Finite Fields

• Finding the Multiplicative Inverse in GF(p)
  – The table shows that gcd(1759, 550) = 1 and that the multiplicative inverse of 550 is 355; that is, 550 x 355 ≡ 1 (mod 1759).

 Q |   A1 |   A2 |   A3 |   B1 |   B2 |   B3
---+------+------+------+------+------+-----
 - |    1 |    0 | 1759 |    0 |    1 |  550
 3 |    0 |    1 |  550 |    1 |   -3 |  109
 5 |    1 |   -3 |  109 |   -5 |   16 |    5
21 |   -5 |   16 |    5 |  106 | -339 |    4
 1 |  106 | -339 |    4 | -111 |  355 |    1
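EUCLID and EXTENDED EUCLID from the preceding slides in runnable form, as an added example that is not part of the slides. The extended version keeps the slides' (A1, A2, A3), (B1, B2, B3) bookkeeping and records every row, so the trace it returns for (1759, 550) can be compared directly with the table above; the loop invariant that makes it work is A3 = A1·m + A2·b and B3 = B1·m + B2·b, so when B3 reaches 1, B2 is the inverse of b modulo m. Function names are the example's own.

```python
# Added example (not from the slides): the Euclidean algorithm and its
# extended form, with the slide's (A1, A2, A3), (B1, B2, B3) bookkeeping.
def euclid(a, b):
    """gcd(a, b), using gcd(a, b) = gcd(b, a mod b)."""
    A, B = a, b
    while B != 0:
        A, B = B, A % B
    return A


def extended_euclid(m, b):
    """Return (gcd(m, b), b^-1 mod m or None, trace).

    Invariant: A3 = A1*m + A2*b and B3 = B1*m + B2*b on every iteration,
    so when B3 == 1 the coefficient B2 satisfies B2*b = 1 (mod m).
    trace is a list of rows (Q, A1, A2, A3, B1, B2, B3); Q is None for
    the initial row.
    """
    A1, A2, A3 = 1, 0, m
    B1, B2, B3 = 0, 1, b
    trace = [(None, A1, A2, A3, B1, B2, B3)]
    while True:
        if B3 == 0:
            return A3, None, trace          # gcd > 1 (or b == 0): no inverse
        if B3 == 1:
            return 1, B2 % m, trace         # B2 may be negative; reduce mod m
        Q = A3 // B3                        # integer quotient of A3 by B3
        T1, T2, T3 = A1 - Q * B1, A2 - Q * B2, A3 - Q * B3
        A1, A2, A3 = B1, B2, B3
        B1, B2, B3 = T1, T2, T3
        trace.append((Q, A1, A2, A3, B1, B2, B3))


def mod_inverse(b, m):
    """Multiplicative inverse of b modulo m, or None when gcd(b, m) != 1."""
    _, inv, _ = extended_euclid(m, b)
    return inv


def format_trace(trace):
    """Render the trace as a table like the one on the slide."""
    lines = ["    Q    A1    A2    A3    B1    B2    B3"]
    for row in trace:
        lines.append(" ".join(("-" if v is None else str(v)).rjust(5) for v in row))
    return "\n".join(lines)


if __name__ == "__main__":
    g, inv, trace = extended_euclid(1759, 550)
    print(format_trace(trace))
    print(f"gcd = {g}, inverse of 550 mod 1759 = {inv}")
```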
Finite Fields

• Polynomial Arithmetic
– Ordinary polynomial arithmetic, using the basic rules
of algebra.
– Polynomial arithmetic in which the arithmetic on the
coefficients is performed modulo p; that is, the
coefficients are in GF(p).
– Polynomial arithmetic in which the coefficients are in
GF(p), and the polynomials are defined modulo a
polynomial m(x) whose highest power is some
integer n.
Finite Fields

• Polynomial Arithmetic
  – A polynomial of degree n (integer n ≥ 0) is an expression of the form
    f(x) = a_n x^n + a_{n-1} x^{n-1} + ... + a_1 x + a_0
    where the a_i are elements of some designated set of numbers S, called the coefficient set, and a_n ≠ 0.
  – We say that such polynomials are defined over the coefficient set S.
  – As an example, let f(x) = x^3 + x^2 + 2 and g(x) = x^2 - x + 1, where S is the set of integers. Then
    • f(x) + g(x) = x^3 + 2x^2 - x + 3
    • f(x) - g(x) = x^3 + x + 1
    • f(x) * g(x) = x^5 + 3x^2 - 2x + 2
Finite Fields

• Polynomial Arithmetic
  – Given polynomials f(x) of degree n and g(x) of degree m (n ≥ m), if we divide f(x) by g(x), we get a quotient q(x) and a remainder r(x) that obey the relationship
    f(x) = q(x)g(x) + r(x)
    with polynomial degrees:
    Degree f(x) = n
    Degree g(x) = m
    Degree q(x) = n - m
    Degree r(x) ≤ m - 1
– A polynomial f(x) over a field F is called irreducible if and only if f(x)
cannot be expressed as a product of two polynomials, both over F,
and both of degree lower than that of f(x). By analogy to integers, an
irreducible polynomial is also called a prime polynomial.
Finite Fields

• Finding the Greatest Common Divisor
  – We can extend the analogy between polynomial arithmetic over a field and integer arithmetic by defining the greatest common divisor as follows.
  – The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x) if the following are true:
    • c(x) divides both a(x) and b(x).
    • Any divisor of a(x) and b(x) is a divisor of c(x).
  – An equivalent definition is the following: gcd[a(x), b(x)] is the polynomial of maximum degree that divides both a(x) and b(x).
  – We can adapt the Euclidean algorithm to compute the greatest common divisor of two polynomials. It rests on the polynomial form of the same equality used for integers:
    gcd[a(x), b(x)] = gcd[b(x), a(x) mod b(x)]
Finite Fields

• Finding the Multiplicative Inverse
  – Just as the Euclidean algorithm can be adapted to find the greatest common divisor of two polynomials, the extended Euclidean algorithm can be adapted to find the multiplicative inverse of a polynomial.
  – Specifically, the algorithm will find the multiplicative inverse of b(x) modulo m(x) if the degree of b(x) is less than the degree of m(x) and gcd[m(x), b(x)] = 1. If m(x) is an irreducible polynomial, then it has no factor other than itself or 1, so that gcd[m(x), b(x)] = 1.
  – The algorithm is as follows:
  – EXTENDED EUCLID[m(x), b(x)]
    1. [A1(x), A2(x), A3(x)] ← [1, 0, m(x)]; [B1(x), B2(x), B3(x)] ← [0, 1, b(x)]
    2. if B3(x) = 0 return A3(x) = gcd[m(x), b(x)]; no inverse
    3. if B3(x) = 1 return B3(x) = gcd[m(x), b(x)]; B2(x) = b(x)^-1 mod m(x)
    4. Q(x) = quotient of A3(x) / B3(x)
    5. [T1(x), T2(x), T3(x)] ← [A1(x) - Q(x)B1(x), A2(x) - Q(x)B2(x), A3(x) - Q(x)B3(x)]
    6. [A1(x), A2(x), A3(x)] ← [B1(x), B2(x), B3(x)]
    7. [B1(x), B2(x), B3(x)] ← [T1(x), T2(x), T3(x)]
    8. goto 2
Finite Fields

• Extended Euclid [(x^8 + x^4 + x^3 + x + 1), (x^7 + x + 1)]
  – Initialization
    • a(x) = x^8 + x^4 + x^3 + x + 1; v_{-1}(x) = 1; w_{-1}(x) = 0
    • b(x) = x^7 + x + 1; v_0(x) = 0; w_0(x) = 1
  – Iteration 1
    • q_1(x) = x; r_1(x) = x^4 + x^3 + x^2 + 1
    • v_1(x) = 1; w_1(x) = x
  – Iteration 2
    • q_2(x) = x^3 + x^2 + 1; r_2(x) = x
    • v_2(x) = x^3 + x^2 + 1; w_2(x) = x^4 + x^3 + x + 1
  – Iteration 3
    • q_3(x) = x^3 + x^2 + x; r_3(x) = 1
    • v_3(x) = x^6 + x^2 + x + 1; w_3(x) = x^7
  – Iteration 4
    • q_4(x) = x; r_4(x) = 0
    • v_4(x) = x^7 + x + 1; w_4(x) = x^8 + x^4 + x^3 + x + 1
  – Result
    • d(x) = r_3(x) = gcd(a(x), b(x)) = 1
    • w(x) = w_3(x) = (x^7 + x + 1)^-1 mod (x^8 + x^4 + x^3 + x + 1) = x^7
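Polynomial arithmetic with coefficients in GF(2) and the polynomial extended Euclid, as an added example that is not part of the slides. A polynomial is stored as a Python int whose bit i is the coefficient of x^i, so x^8 + x^4 + x^3 + x + 1 is 0x11B and x^7 + x + 1 is 0x83; addition is XOR, multiplication is carry-less, and division is long division by shifting. The test reproduces the worked computation above: the first quotient and remainder (x and x^4 + x^3 + x^2 + 1), gcd = 1, and the inverse x^7. The GF(2) representation is the p = 2 case of the "coefficients in GF(p)" arithmetic the slides describe; function names are the example's own.

```python
# Added example (not from the slides): polynomials over GF(2) as ints,
# bit i = coefficient of x^i.
def poly_degree(a):
    return a.bit_length() - 1            # the zero polynomial gets degree -1


def poly_add(a, b):
    return a ^ b                          # coefficients mod 2: + and - are both XOR


def poly_mul(a, b):
    """Schoolbook multiplication with coefficient arithmetic mod 2 (carry-less)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a, b):
    """Long division: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, a
    while r and poly_degree(r) >= poly_degree(b):
        shift = poly_degree(r) - poly_degree(b)
        q ^= 1 << shift                   # add x^shift to the quotient
        r ^= b << shift                   # subtract x^shift * b(x)
    return q, r


def poly_mulmod(a, b, m):
    return poly_divmod(poly_mul(a, b), m)[1]


def poly_gcd(a, b):
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a


def poly_ext_euclid(m, b):
    """Extended Euclid as on the slide; returns (gcd, inverse of b mod m or None)."""
    a1, a2, a3 = 1, 0, m
    b1, b2, b3 = 0, 1, b
    while True:
        if b3 == 0:
            return a3, None               # gcd of degree > 0: no inverse
        if b3 == 1:
            return 1, b2                  # b2(x) * b(x) = 1 (mod m(x))
        q, _ = poly_divmod(a3, b3)
        t1, t2, t3 = a1 ^ poly_mul(q, b1), a2 ^ poly_mul(q, b2), a3 ^ poly_mul(q, b3)
        a1, a2, a3 = b1, b2, b3
        b1, b2, b3 = t1, t2, t3


def poly_str(a):
    """Human-readable form, e.g. 0x83 -> 'x^7 + x + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_degree(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


if __name__ == "__main__":
    m, b = 0x11B, 0x83
    q, r = poly_divmod(m, b)
    print(f"q1 = {poly_str(q)}, r1 = {poly_str(r)}")
    g, inv = poly_ext_euclid(m, b)
    print(f"gcd = {poly_str(g)}, inverse = {poly_str(inv)}")
```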
IDEA

• International Data Encryption Algorithm (IDEA)
  – In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher, the Proposed Encryption Standard (PES).
  – IDEA was used in Pretty Good Privacy (PGP) v2.0 and was incorporated after the original cipher used in v1.0, BassOmatic, was found to be insecure. IDEA is an optional algorithm in the OpenPGP standard.
  – IDEA operates on 64-bit blocks, using a 128-bit key. It contains a series of eight identical transformations (rounds) and one output transformation (the half-round), for a total of 8.5 rounds. The processes for encryption and decryption are similar.
  – IDEA derives much of its security by interleaving operations from different groups (modular addition and multiplication, and bitwise exclusive OR (XOR)) which are chosen to be "algebraically incompatible".
  – Each of the eight rounds uses six sub-keys, while the half-round uses four, for a total of 52 sub-keys. Each sub-key is 16 bits long. The first eight sub-keys are extracted directly from the 128-bit key, with K1 being the lowest sixteen bits and K8 the highest sixteen bits; further groups of eight keys are created by rotating the main key left 25 bits after the creation of the previous group; six rotations generate all sub-keys.
IDEA

• Key generation process
  – First of all we will see how these 52 keys are generated.
  – The 128-bit key is divided into 8 sub-parts of 16 bits each.
  – Then the 128-bit key is cyclically shifted to the left by 25 positions; by doing this we have one new 128-bit key.
  – Similarly, this is divided into 8 sub-blocks, which will be used in the next round.
  – The same process is performed 9 times and 56 keys are generated, of which the first 52 keys are used.
  – In this way the keys K1 to K52 are generated.
IDEA

• Sequence of operations in one round
  – 1) Multiply P1 and K1
  – 2) Add P2 and K2
  – 3) Add P3 and K3
  – 4) Multiply P4 and K4
  – 5) Step 1 ⊕ step 3
  – 6) Step 2 ⊕ step 4
  – 7) Multiply step 5 with K5
  – 8) Add result of step 6 and step 7
  – 9) Multiply result of step 8 with K6
  – 10) Add result of step 7 and step 9
  – 11) XOR result of step 1 and step 9
  – 12) XOR result of step 3 and step
  – 13) XOR result of step 2 and step 10
  – 14) XOR result of step 4 and step 10
• The same operations are performed in each of the 8 rounds.
IDEA

• Sequence of operations in the last round
  – 1) Multiply P1 with K49
  – 2) Add P2 and K50
  – 3) Add P3 and K51
  – 4) Multiply P4 and K52
IDEA

• Encryption
  – First of all, the 64-bit plaintext is divided into four 16-bit parts, which are taken as the input to the first round.
  – At the end of the first encryption round, four 16-bit values are produced which are used as input to the second encryption round.
  – The process is repeated in each of the subsequent 8 encryption rounds.
  – Note that in the 9th round only 4 keys (K49, K50, K51, K52) are used, and the different operations described on the previous slide are performed.
• Decryption
  – The computational process used for decryption of the ciphertext is essentially the same as that used for encryption.
  – The only difference is that each of the 52 16-bit key sub-blocks used for decryption is the inverse of the key sub-block used during encryption.
  – Do remember that the sub-blocks must be used in the reverse order of the encryption rounds.
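The IDEA key schedule, the 14-step round, the four-operation output half-round, and the inverted/reordered decryption subkeys, as one added example that is not part of the slides. Two conventions are the example's own choices and are stated here: K1 is taken to be the first (leftmost) 16-bit word of the 128-bit key as written, and the output half-round reads the two middle words in swapped order, which undoes the swap performed by the last full round (the slides' "multiply P1 with K49, add P2 and K50, ..." describes the same transformation applied to the un-swapped words). Under those conventions the block reproduces the published IDEA test vector (key 0001 0002 ... 0008, plaintext 0000 0001 0002 0003, ciphertext 11FB ED2B 0198 6DE5). Multiplication is modulo 2^16 + 1 with 0 standing for 2^16, and the multiplicative inverse uses Python's pow(k, -1, 65537) (Python 3.8+).

```python
# Added example (not from the slides): IDEA encryption and decryption.
MOD_ADD = 1 << 16            # addition is modulo 2^16
MOD_MUL = (1 << 16) + 1      # multiplication is modulo 2^16 + 1; 0 stands for 2^16


def mul(a, b):
    a = a or MOD_ADD
    b = b or MOD_ADD
    return (a * b % MOD_MUL) & 0xFFFF


def add(a, b):
    return (a + b) & 0xFFFF


def mul_inverse(k):
    """Inverse under IDEA's multiplication; 0 (= 2^16 = -1 mod 2^16+1) is self-inverse."""
    return 0 if k == 0 else pow(k, -1, MOD_MUL)


def add_inverse(k):
    return (-k) & 0xFFFF


def encryption_subkeys(key128):
    """52 subkeys: take 8 words, rotate the key left 25 bits, repeat (K1 = leftmost word)."""
    subkeys = []
    for i in range(52):
        subkeys.append((key128 >> (112 - 16 * (i % 8))) & 0xFFFF)
        if i % 8 == 7:
            key128 = ((key128 << 25) | (key128 >> 103)) & ((1 << 128) - 1)
    return subkeys


def decryption_subkeys(enc):
    """Invert and reorder the encryption subkeys Z[0..51] for decryption."""
    dec = []
    for r in range(9):
        base = 6 * (8 - r)                    # 48, 42, ..., 0: walk the rounds backwards
        k1, k4 = mul_inverse(enc[base]), mul_inverse(enc[base + 3])
        if r in (0, 8):                       # first decryption round and output transform
            k2, k3 = add_inverse(enc[base + 1]), add_inverse(enc[base + 2])
        else:                                 # inner rounds: the additive keys change places
            k2, k3 = add_inverse(enc[base + 2]), add_inverse(enc[base + 1])
        dec += [k1, k2, k3, k4]
        if r < 8:                             # MA keys K5, K6 of the preceding encryption round
            dec += [enc[base - 2], enc[base - 1]]
    return dec


def idea_round(x, k):
    """One full round, following the 14-step sequence on the slides."""
    s1 = mul(x[0], k[0])                      # 1) multiply P1 and K1
    s2 = add(x[1], k[1])                      # 2) add P2 and K2
    s3 = add(x[2], k[2])                      # 3) add P3 and K3
    s4 = mul(x[3], k[3])                      # 4) multiply P4 and K4
    s5 = s1 ^ s3                              # 5)
    s6 = s2 ^ s4                              # 6)
    s7 = mul(s5, k[4])                        # 7) multiply step 5 with K5
    s8 = add(s6, s7)                          # 8)
    s9 = mul(s8, k[5])                        # 9) multiply step 8 with K6
    s10 = add(s7, s9)                         # 10)
    return [s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10]   # 11) .. 14), middle words swapped


def idea_block(block64, subkeys):
    x = [(block64 >> s) & 0xFFFF for s in (48, 32, 16, 0)]
    for r in range(8):
        x = idea_round(x, subkeys[6 * r:6 * r + 6])
    k = subkeys[48:52]
    # Output transformation: middle words in swapped order undo the last round's swap.
    y = [mul(x[0], k[0]), add(x[2], k[1]), add(x[1], k[2]), mul(x[3], k[3])]
    return (y[0] << 48) | (y[1] << 32) | (y[2] << 16) | y[3]


def idea_encrypt(block64, key128):
    return idea_block(block64, encryption_subkeys(key128))


def idea_decrypt(block64, key128):
    return idea_block(block64, decryption_subkeys(encryption_subkeys(key128)))


if __name__ == "__main__":
    key = 0x00010002000300040005000600070008
    pt = 0x0000000100020003
    ct = idea_encrypt(pt, key)
    print(f"{ct:016X}", f"{idea_decrypt(ct, key):016X}")
```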
IDEA

• Applications of IDEA
– Today, there are hundreds of IDEA-based security solutions
available in many market areas, ranging from Financial
Services, and Broadcasting to Government
– The IDEA algorithm can easily be combined in any encryption
software. Data encryption can be used to protect data
transmission and storage.
– Typical fields are:
• Audio and video data for cable TV, video conferencing, distance
learning
• Sensitive financial and commercial data
• Email via public networks
• Smart cards
Block Cipher Mode of Operation

• Electronic Codebook (ECB) Mode
  – The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key.
  – For lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities.
    • Cj = DES(K, [Pj])
  – Let us assume that we have n = 3 and we want to encrypt the plaintext p = 1011011. p is of length 7, so the blocks look like 101 101 1; we add zeroes to the last block until it has size 3: p = (p1, p2, p3) with p1 = 101, p2 = 101, p3 = 100.
  – We use the permutation cipher from Example 3.3, i.e. K = K′ = S3. Let us assume the key k = (1 2 3).
  – We encrypt in ECB mode each block on its own:
    • c1 = 011 = Ek(p1), c2 = 011 = Ek(p2), c3 = 001 = Ek(p3).
  – So we receive the ciphertext c = (c1, c2, c3) = 011 011 001.
Block Cipher Mode of Operation
• Cipher Block Chaining (CBC) Mode
– In this scheme, the input to the encryption algorithm is the XOR of the
current plaintext block and the preceding ciphertext block; the same key is
used for each block.
– In effect, we have chained together the processing of the sequence of
plaintext blocks.
– The input to the encryption function for each plaintext block therefore bears no
fixed relationship to the plaintext block itself.
• Cj = DES(K, [Cj-1 ⊕ Pj]), C-1 = IV
– Let us recall: n = 3, p = 101 101 100 and k = (1 2 3).
– We choose IV = 101.
• c1 = Ek(p1 ⊕ IV) = Ek(000) = 000
• c2 = Ek(p2 ⊕ c1) = Ek(101) = 011
• c3 = Ek(p3 ⊕ c2) = Ek(111) = 111.
– So we obtain the ciphertext c = (c1, c2, c3) = 000 011 111.
– We see that in CBC mode c1 ≠ c2 even though p1 = p2.
Block Cipher Mode of Operation
• Cipher Feedback (CFB) Mode
– The message is treated as a stream of bits and XORed with the output of DES;
the resulting ciphertext block is fed back as the input to the next stage.
• Ci = Pi ⊕ DES(K1, Ci-1)
• C-1 = IV
– Let us recall: n = 3, p = 101 101 100, k = (1 2 3) and IV = 101.
• c1 = Ek(IV) ⊕ p1 = 011 ⊕ 101 = 110
• c2 = Ek(c1) ⊕ p2 = 101 ⊕ 101 = 000
• c3 = Ek(c2) ⊕ p3 = 000 ⊕ 100 = 100.
– So we obtain the ciphertext c = (c1, c2, c3) = 110 000 100.
Block Cipher Mode of Operation
• Output Feedback (OFB) Mode
– The message is treated as a stream of bits and XORed with the output of DES,
but the value fed back is the DES output itself, so the feedback is independent
of the message
• Ci = Pi ⊕ Oi
• Oi = DES(K1, Oi-1)
• O-1 = IV
– Let us recall: n = 3, p = 101 101 100, k = (1 2 3) and IV = 101.
• O1 = Ek(IV) = 011
• O2 = Ek(O1) = 110
• O3 = Ek(O2) = 101
• c1 = O1 ⊕ p1 = 110
• c2 = O2 ⊕ p2 = 011
• c3 = O3 ⊕ p3 = 001.
– So we obtain the ciphertext c = (c1, c2, c3) = 110 011 001
Block Cipher Mode of Operation
• Counter (CTR) Mode
– A counter the size of the plaintext block is used.
– For encryption, the counter value is encrypted and then XORed with the plaintext
block to produce the ciphertext block; there is no chaining
• Ci = Pi ⊕ DES(K1, NCi)
– Let us recall: n = 3, p = 101 101 100, k = (1 2 3). This time we take as nonce the
random number 5, in binary representation 101.
– As counter we use the usual increment, and we combine the nonce with the
counter by addition, giving NC1 = 101, NC2 = 110, NC3 = 111.
• Ek(NC1) = Ek(101) = 011
• Ek(NC2) = Ek(110) = 101
• Ek(NC3) = Ek(111) = 111
• c1 = Ek(NC1) ⊕ p1 = 110
• c2 = Ek(NC2) ⊕ p2 = 000
• c3 = Ek(NC3) ⊕ p3 = 011.
– So we obtain the ciphertext c = (c1, c2, c3) = 110 000 011
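The five modes worked through above, run on the slides' own toy cipher (the permutation k = (1 2 3) on 3-bit blocks, so that Ek stands in for DES(K, ·)) so the ciphertexts on the slides can be reproduced and compared side by side. This is an added example, not code from the slides; block values are '0'/'1' strings and the function names are mine.

```python
# Added example, not from the slides: ECB, CBC, CFB, OFB and CTR on the
# slides' toy cipher. k = (1 2 3) means c_i = p_k(i), i.e. output bit i is
# input bit i+1 (wrapping), which is a 1-bit circular left shift: 101 -> 011.

N = 3  # block size in bits, as in the slides


def ek(block: str) -> str:
    """E_k for the permutation k = (1 2 3): 1-position circular left shift."""
    return block[1:] + block[0]


def xor(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def pad_blocks(p: str) -> list:
    """Split into N-bit blocks, zero-padding the last one as the slides do."""
    p = p + "0" * (-len(p) % N)
    return [p[i:i + N] for i in range(0, len(p), N)]


def ecb(blocks):
    return [ek(b) for b in blocks]            # C_j = E_k(P_j)


def cbc(blocks, iv):
    out, prev = [], iv
    for b in blocks:
        prev = ek(xor(prev, b))               # C_j = E_k(C_{j-1} xor P_j)
        out.append(prev)
    return out


def cfb(blocks, iv):
    out, prev = [], iv
    for b in blocks:
        prev = xor(ek(prev), b)               # C_i = P_i xor E_k(C_{i-1})
        out.append(prev)
    return out


def ofb(blocks, iv):
    out, o = [], iv
    for b in blocks:
        o = ek(o)                             # O_i = E_k(O_{i-1}): no plaintext in the feedback
        out.append(xor(o, b))                 # C_i = P_i xor O_i
    return out


def ctr(blocks, nonce: int):
    # NC_i = nonce + counter (counter starts at 0); C_i = P_i xor E_k(NC_i), no chaining
    return [xor(ek(format(nonce + i, f"0{N}b")), b) for i, b in enumerate(blocks)]
```

Comparing `ecb(...)` with the chained modes on the slides' plaintext shows the ECB weakness directly: the two equal plaintext blocks give two equal ciphertext blocks only in ECB.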
Advanced Encryption Standard (AES)
– Like DES, AES is a symmetric block cipher. This means that it uses the same key for
both encryption and decryption.
– However, AES is quite different from DES in a number of ways.
– The algorithm Rijndael allows for a variety of block and key sizes, not just the
64-bit block and 56-bit key of DES.
– The block and key size can in fact be chosen independently from 128, 160, 192, 224 and
256 bits and need not be the same.
– However, the AES standard states that the algorithm can only accept a block size of
128 bits and a choice of three key sizes: 128, 192 or 256 bits.
– Depending on which version is used, the name of the standard is modified to AES-128,
AES-192 or AES-256 respectively.
– As well as these differences, AES differs from DES in that it is not a Feistel structure.
– A number of AES parameters depend on the key length. For example, if the key size
used is 128 bits then the number of rounds is 10, whereas it is 12 and 14 for 192- and
256-bit keys respectively.
Advanced Encryption Standard (AES)
– Rijndael was designed to have the following
characteristics:
• Resistance against all known attacks.
• Speed and code compactness on a wide range of platforms.
• Design Simplicity.
Advanced Encryption Standard (AES)
• Inner Workings of a Round
– The algorithm begins with an Add Round Key stage, followed (for AES-128) by 9 rounds of
four stages and a tenth round of three stages.
– This applies to both encryption and decryption, with the exception that each stage of a
round in the decryption algorithm is the inverse of its counterpart in the encryption
algorithm.
– The four stages are as follows:
• Substitute Bytes
• Shift Rows
• Mix Columns
• Add Round Key
– The tenth round simply leaves out the Mix Columns stage. The first nine rounds of the
decryption algorithm consist of the following:
• Inverse Shift Rows
• Inverse Substitute Bytes
• Inverse Add Round Key
• Inverse Mix Columns
– Again, the tenth round simply leaves out the Inverse Mix Columns stage.
Advanced Encryption Standard (AES)
• Substitute Bytes
– This stage (known as SubBytes) is simply a table
lookup using a 16×16 matrix of byte values called an
S-box.
– This matrix consists of all the possible values
of an 8-bit sequence (2⁸ = 16×16 = 256).
– However, the S-box is not just a random permutation
of these values; there is a well-defined method for
creating the S-box tables.
Advanced Encryption Standard (AES)
• Construction of S-Box
– Initialize the S-box with the byte values in ascending sequence row by row. The first
row contains {00}, {01}, {02}, …, {0F}; the second row contains {10}, {11}, etc.; and so
on. Thus, the value of the byte at row y, column x is {yx}.
– Map each byte in the S-box to its multiplicative inverse in the finite field GF(2⁸); the
value {00} is mapped to itself.
– Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3,
b2, b1, b0). Apply the following transformation to each bit of each byte in the S-box:
• b′_i = b_i ⊕ b_(i+4 mod 8) ⊕ b_(i+5 mod 8) ⊕ b_(i+6 mod 8) ⊕ b_(i+7 mod 8) ⊕ c_i
where c_i is the ith bit of byte c with the value {63}; that is, (c7c6c5c4c3c2c1c0) = (01100011). The
prime (′) indicates that the variable is to be updated by the value on the right. The AES standard
depicts this transformation in matrix form as follows.
– The inverse substitute byte transformation, called InvSubBytes, makes use of the
inverse S-box. The inverse S-box is constructed by applying the inverse of the
transformation followed by taking the multiplicative inverse in GF(2⁸). The inverse
transformation is
• b′_i = b_(i+2 mod 8) ⊕ b_(i+5 mod 8) ⊕ b_(i+7 mod 8) ⊕ d_i, where byte d = {05}, or 00000101.
Advanced Encryption Standard (AES)
• Shift Row Transformation
– The forward shift row transformation, called ShiftRows, works as follows:
• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2-byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.
– The inverse shift row transformation, called
InvShiftRows, performs the circular shifts in the
opposite direction for each of the last three rows, with
a 1-byte circular right shift for the second row, and so
on.
Advanced Encryption Standard (AES)
• Mix Columns Transformation
– The forward mix column transformation, called
MixColumns, operates on each column individually.
– Each byte of a column is mapped into a new value
that is a function of all four bytes in that column.
– The transformation can be defined by the following
matrix multiplication on State
Advanced Encryption Standard (AES)
• Mix Columns Transformation
– The inverse mix column transformation, called
InvMixColumns, is defined by the following matrix
multiplication:
Advanced Encryption Standard (AES)
• Add Round Key Transformation
– In the forward add round key transformation, called
AddRoundKey, the 128 bits of State are bitwise
XORed with the 128 bits of the round key.
– The operation is viewed as a columnwise operation
between the 4 bytes of a State column and one word
of the round key; it can also be viewed as a byte-level
operation.
– The inverse add round key transformation is identical
to the forward add round key transformation,
because the XOR operation is its own inverse
Advanced Encryption Standard (AES)
• AES Key Expansion
– The AES key expansion algorithm takes as input a four-word (16-
byte) key and produces a linear array of 44 words (176 bytes).
– This is sufficient to provide a four-word round key for the initial
AddRoundKey stage and for each of the 10 rounds of the cipher
– The key is copied into the first four words of the expanded key.
The remainder of the expanded key is filled in four words at a
time.
– Each added word w[i] depends on the immediately preceding
word, w[i−1], and the word four positions back w[i−4].
– In three out of four cases, a simple XOR is used. For a word
whose position in the w array is a multiple of 4, a more complex
function is used.
Advanced Encryption Standard (AES)
• AES Key Expansion
KeyExpansion (byte key[16], word w[44])
{
    word temp;
    for (i = 0; i < 4; i++)
        w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
    for (i = 4; i < 44; i++)
    {
        temp = w[i − 1];
        if (i mod 4 = 0)
            temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4];
        w[i] = w[i − 4] ⊕ temp;
    }
}
Advanced Encryption Standard (AES)
• AES Key Expansion
– The function g consists of the following subfunctions:
• RotWord performs a one-byte circular left shift on a word.
This means that an input word [B0, B1, B2, B3] is
transformed into [B1, B2, B3, B0].
• SubWord performs a byte substitution on each byte of its
input word, using the S-box.
• The result of steps 1 and 2 is XORed with a round constant,
Rcon[j].
j      1   2   3   4   5   6   7   8   9   10
RC[j]  01  02  04  08  10  20  40  80  1B  36
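The S-box construction described under "Construction of S-Box" and the KeyExpansion pseudocode above, carried through in working code: the S-box is computed from the GF(2⁸) inverse and the affine map rather than typed in, and RotWord, SubWord and Rcon become real functions so the pseudocode runs. This is an added example, not code from the slides; the function names (gf_mul, sbox, rot_word, sub_word, key_expansion) are mine.

```python
# Added example, not from the slides: the S-box built as described under
# "Construction of S-Box" (multiplicative inverse in GF(2^8), then the affine
# map with c = {63}), and the KeyExpansion pseudocode made runnable on it.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def sbox(x: int) -> int:
    """SubBytes value: inverse of x ({00} -> {00}), then bit i becomes
    b_i ^ b_(i+4 mod 8) ^ b_(i+5 mod 8) ^ b_(i+6 mod 8) ^ b_(i+7 mod 8) ^ c_i."""
    inv = 0 if x == 0 else next(b for b in range(1, 256) if gf_mul(x, b) == 1)
    out = 0
    for i in range(8):
        bit = 0
        for t in (0, 4, 5, 6, 7):
            bit ^= (inv >> ((i + t) % 8)) & 1
        out |= bit << i
    return out ^ 0x63  # c = {63} = 01100011

def rot_word(w: int) -> int:
    """RotWord: [B0, B1, B2, B3] -> [B1, B2, B3, B0], B0 being the top byte."""
    return ((w << 8) & 0xFFFFFFFF) | (w >> 24)

def sub_word(w: int) -> int:
    """SubWord: S-box applied to each of the four bytes of the word."""
    return int.from_bytes(bytes(sbox(b) for b in w.to_bytes(4, "big")), "big")

def key_expansion(key: bytes) -> list:
    """The slide's KeyExpansion: a 16-byte key -> 44 words w[0..43]."""
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    rc = 0x01  # RC[1]; RC[j] = {02} * RC[j-1] in GF(2^8) gives 01 02 04 ... 1B 36
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:  # every fourth word passes through g = SubWord(RotWord) ^ Rcon
            temp = sub_word(rot_word(temp)) ^ (rc << 24)  # Rcon[j] = [RC[j], 0, 0, 0]
            rc = gf_mul(rc, 0x02)
        w.append(w[i - 4] ^ temp)
    return w
```

Running `key_expansion` on the FIPS-197 Appendix A.1 key 2b7e1516 28aed2a6 abf71588 09cf4f3c reproduces the published schedule (w[4] = a0fafe17, w[43] = b6630ca6), which is the quickest way to confirm that both the S-box and the Rcon sequence were built correctly.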
Advanced Encryption Standard (AES)
• AES
– Refer to the document provided for more detail
Thank You
End of Unit II
(Symmetric Ciphers)