Block Cipher Operations

Uploaded by

Tris

AES over DES
• AES was introduced as a replacement for DES.
• AES is more secure compared to DES.
• AES is more flexible compared to DES.
• The algorithmic structures of AES are simpler than that of DES.
• AES is more efficient compared to DES.
• AES suits even resource-constrained devices.
MULTIPLE ENCRYPTIONS
Double DES
• C = E(K2,E(K1, P))
• P = D(K1,D(K2, C))
• Key Space = 2^112
Reduction of Double DES to a Single Stage
• Assume that E(K2,E(K1, P)) = E(K3, P)

• However, each PT block is uniquely mapped to a CT block, and vice-versa.
• Moreover, the complex operations of DES will make the reduction to single stage almost impossible.
Meet in The Middle (MIM) Attack
• The attacker somehow gets to know (PTi, CTi)
• E(K1, P) = X = D(K2, C)
• Sort the encryption table by values of X.

K1        Output (X) = E(K1, PTi)      K2        Output (X) = D(K2, CTi)
KE1       ACT1                         KD1       ADT1
KE2       ACT2                         KD2       ADT2
...       ...                          ...       ...
...       X                            ...       ...
...       ...                          ...       X
KE2^56    ACT2^56                      KD2^56    ADT2^56
MIM on Double DES (Contd..)
• Practically, a Hash set search approach will be used to check if an element of second table exists in the first or not.
• Average Time complexity of Hash set search = O(1).
• Therefore, the strength of Double DES reduces to 2^57 from the desired value 2^112.
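The table lookup described above, worked on a toy cipher as an added example (not part of the original slides). `E`/`D` are a made-up 32-bit block cipher with 12-bit keys standing in for DES, and the keys and plaintexts are constructed; the point is that the work is 2 × 2^12 cipher calls rather than 2^24, which is why double encryption adds about one bit of strength.

```python
MASK = 0xFFFFFFFF
KEY_BITS = 12                                  # toy key size (assumption); DES uses 56
MUL = 0x9E3779B1                               # odd, so invertible mod 2^32
MUL_INV = pow(MUL, -1, 1 << 32)

def _rot(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def E(k, p):
    """Toy 32-bit block cipher (NOT DES): three add-multiply-rotate rounds."""
    for r in range(3):
        p = _rot(((p + k * 0x01000193 + r) * MUL) & MASK, 7)
    return p

def D(k, c):
    """Inverse of E: undo the rotation, the multiplication, then the key addition."""
    for r in reversed(range(3)):
        c = (_rot(c, 25) * MUL_INV - k * 0x01000193 - r) & MASK
    return c

def meet_in_the_middle(pairs):
    """Recover (K1, K2) of C = E(K2, E(K1, P)) from known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                                 # X = E(K1, P) -> [K1, ...]
    for k1 in range(1 << KEY_BITS):
        table.setdefault(E(k1, p0), []).append(k1)
    found, trials = [], 1 << KEY_BITS
    for k2 in range(1 << KEY_BITS):            # X = D(K2, C), O(1) hash lookup
        trials += 1
        for k1 in table.get(D(k2, c0), ()):
            if all(E(k2, E(k1, p)) == c for p, c in rest):
                found.append((k1, k2))         # confirmed on the extra pairs
    return found, trials

# Constructed sample: secret keys and two known plaintext blocks.
K1, K2 = 0xA5C, 0x3F1
PAIRS = [(p, E(K2, E(K1, p))) for p in (0x01234567, 0x89ABCDEF)]

if __name__ == "__main__":
    keys, trials = meet_in_the_middle(PAIRS)
    print(keys, trials, "cipher calls vs", 1 << (2 * KEY_BITS), "for brute force")
```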
Triple DES with 2 Keys
• Overcomes the disadvantage of Double DES.
• Double DES used the encryption functions in sequence.
• Triple DES follows E-D-E sequence.
• C = E(K1, D(K2, E(K1, P)))
• P = D(K1, E(K2, D(K1, C)))
Triple DES with 2 Keys
Known PT attack on Triple DES with 2 Keys
• Pick any arbitrary value ‘a’ for A.
• For each K1 = i, calculate Pi = D(i, a).
Known PT attack on Triple DES with 2 Keys (Contd..)
• B = D(i, C)
• Sort the Table based on values of B.
• For each K2 = j, calculate Bj = D(j, a)
Known PT attack on Triple DES with 2 Keys (Contd..)
• Compute the pair (i, j) which produces the pair (P, C).
• Test each (i, j) to see if the desired CT is obtained or not for different (P, C) pairs. (Repeat the process with another ‘a’ if necessary).
Feasibility of Known PT attack on Triple DES with 2 Keys
• For one (P, C) pair, the probability of success = (1/2^64).
• Hence, for ‘n’ (P, C) pairs, the probability of success = n/2^64.
• Expected number of values to be tried for ‘a’ for large ‘n’, with 1 key = 2^64/n.
• Expected complexity for running the attack = 2^120/n.
Triple DES with 3 Keys
• C = E(K3, D(K2, E(K1, P)))
• P = D(K1, E(K2, D(K3, C)))
• If K1 = K3 (same as Triple DES with 2 keys)
• If K1 = K2 = K3 (same as DES)
• If K1, K2, and K3 are different then highest level of security is offered.
Triple DES with 3 Keys (Contd..)
COMMON OPERATING MODES OF BLOCK CIPHERS
Common Operating Modes of Block Ciphers
• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter (CTR)
ECB
• Ci = E(K, Pi); where i = 1, 2, …, N.
• Pi = D(K, Ci); where i = 1, 2, …, N.
• Each block is encrypted/decrypted using the same key producing corresponding CT/DT.
ECB (Contd..)
• A certain PT block will encrypt to the same CT block.
Pros and Cons of ECB
• Simple to understand and easy to implement.
• Parallel block encryptions/decryptions can be done, which eventually provides more efficiency.
• Error propagation doesn’t happen from one block to the subsequent blocks.

• Highly vulnerable to pattern attack (especially for large data).
• Provides poor diffusion.
• Padding might be required.
Properties and Criteria for designing modes superior to ECB
• Overhead
• Error Recovery
• Error Propagation
• Diffusion
• Security
CBC
• C1 = E(K, P1 ⊕ IV)
• Ci = E(K, Pi ⊕ C_{i-1}); where i = 2, 3, 4, …, N

• P1 = D(K, C1) ⊕ IV
• Pi = D(K, Ci) ⊕ C_{i-1}; where i = 2, 3, 4, …, N
CBC (Contd..)
• The size of IV is same as that of the blocks.
• The IV must be known to both the sender and the receiver, kept confidential, and protected against unauthorized changes.
• IV must be unique for each session.
• IV can be kept confidential through ECB encryption.
• Integrity of IV can be provided using Message Authentication Codes (MACs).
Threat to Integrity of IV in CBC
• P1 = IV ⊕ D(K, C1)
• So, P1[i] = IV[i] ⊕ D(K, C1)[i]
• Hence, P1[i]’ = IV[i]’ ⊕ D(K, C1)[i]
• The attacker takes advantage of ‘⊕’ to manipulate the PT by altering IV.
• Recommended methods for unpredictable IV generation: Nonce, Random Number Generator
Pros and Cons of CBC
• Simple to understand and easy to implement.
• More resistant to Pattern attack when compared to that of ECB.
• Provides better diffusion property when compared to that of ECB.

• Requirement of secure IV generation for each session.
• CBC blocks are processed sequentially.
• Higher probability of error propagation when compared to that of ECB.
• Error Recovery rate is lower than that of ECB.
3 Operating Modes which can convert Block Cipher to Stream Cipher
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter (CTR)

• Higher Efficiency
• Lower Latency
• Flexibility
• Error Propagation Control
CFB (Encryption)
CFB (Decryption)
CFB (Contd..)
• PT is divided into segments of ‘s’ bits each.
• Popular choice of ‘s’ = 1 Byte.

• I1 = IV
• Ij = LSB_{b-s}(I_{j-1}) || C_{j-1}; j = 2, 3, 4, …, N
• Oj = E(K, Ij); j = 1, 2, 3, …, N
• Cj = Pj ⊕ MSB_s(Oj); j = 1, 2, 3, …, N

• Pj = Cj ⊕ MSB_s(Oj); j = 1, 2, 3, …, N
Pros and Cons of CFB
• Padding is not required.
• Encryption Function can be used for executing the corresponding Decryption function as well.
• Error Propagation is lesser compared to that of CBC.
• More Flexible.

• IV Management
• Limited Parallelism
• Not a typical stream cipher.
• Not suitable for encrypting or decrypting large data.
OFB (Encryption)
OFB (Decryption)
OFB (Contd..)
• Operates on full blocks (‘b’ bits each) of PT and CT.
• Size of Nonce is same as that of the blocks.

• I1 = Nonce
• Ij = O_{j-1}; j = 2, 3, …, N
• Oj = E(K, Ij); j = 1, 2, 3, …, N
• Cj = Pj ⊕ Oj; j = 1, 2, 3, …, N – 1
• CN = PN ⊕ MSB_u(ON); where u <= b

• Pj = Cj ⊕ Oj; j = 1, 2, 3, …, N – 1
• PN = CN ⊕ MSB_u(ON); where u <= b
Pros and Cons of OFB
• Encryption Function can be used for executing the corresponding Decryption function as well.
• Error Propagation doesn’t happen.
• Provides partial parallel processing of the blocks.
• Padding is not required.

• IV Management
• More vulnerable to Message Stream Modification attack
• Provides a severe threat to Integrity.
CTR
CTR (Contd..)
• Size of the counter = Block size
• Tj = (T_{j-1} + 1) (mod 2^b)

• Cj = Pj ⊕ E(K, Tj); j = 1, 2, …, N-1
• CN = PN ⊕ MSB_u[E(K, TN)]; where u <= b

• Pj = Cj ⊕ E(K, Tj); j = 1, 2, …, N-1
• PN = CN ⊕ MSB_u[E(K, TN)]; where u <= b
CTR (Pros and Cons)
• Hardware Efficiency
• Software Efficiency
• Preprocessing
• Random Access
• Provable Security
• Simplicity

• Nonce Management
• Nonce reuse will leak information about the entire PT.
• Vulnerable to Message Stream Modification attack
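Why nonce reuse and message stream modification matter for CTR (and likewise for OFB, whose keystream is also XORed onto the PT), shown as an added example that is not from the original slides. `E` is a SHA-256-based stand-in for the block cipher, the keys and messages are constructed, and the encrypt-then-MAC wrapper (`seal`/`open_sealed`, built on HMAC) is an assumed mitigation in the spirit of the MAC the CBC slide recommends for the IV.

```python
import hashlib, hmac

B = 16                                           # block size b, in bytes

def E(key, block):
    """Stand-in for E(K, T), not AES: CTR only needs the forward direction."""
    return hashlib.sha256(key + block).digest()[:B]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))    # truncates to the shorter input

def ctr(key, t1, data):
    """Cj = Pj xor E(K, Tj), Tj = (Tj-1 + 1) mod 2^b; the same call decrypts."""
    out = b""
    for j in range(0, len(data), B):
        t = (t1 + j // B) % (1 << (8 * B))
        out += xor(data[j:j + B], E(key, t.to_bytes(B, "big")))  # MSBu on last block
    return out

def seal(enc_key, mac_key, t1, pt):
    """Encrypt-then-MAC: the tag covers the counter start and the ciphertext."""
    ct = ctr(enc_key, t1, pt)
    return ct, hmac.new(mac_key, t1.to_bytes(B, "big") + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, t1, ct, tag):
    want = hmac.new(mac_key, t1.to_bytes(B, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("ciphertext or counter was modified")
    return ctr(enc_key, t1, ct)

# Constructed sample keys, counter start and messages (same length, two blocks).
ENC_KEY, MAC_KEY, T1 = b"k" * 16, b"m" * 32, 7
P1 = b"PAY 0100 EUR TO ALICE"
P2 = b"backup completed fine"

def nonce_reuse_leak():
    """Same (key, counter) twice: keystream cancels, C1 xor C2 == P1 xor P2."""
    return xor(ctr(ENC_KEY, T1, P1), ctr(ENC_KEY, T1, P2)) == xor(P1, P2)

def flipped_plaintext():
    """Flipping ciphertext bits flips the same plaintext bits; the edit uses no key."""
    ct = bytearray(ctr(ENC_KEY, T1, P1))
    ct[4] ^= ord("0") ^ ord("9")                 # position 4 holds the first digit
    return ctr(ENC_KEY, T1, bytes(ct))
```

Without the tag the altered message decrypts cleanly; with `seal`/`open_sealed` the same alteration raises before any plaintext is released.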
Overview of Block Cipher Modes of Operation
Feedback Characteristics of Block Cipher Modes of Operation
• Except ECB, the rest of the NIST approved modes involve feedback (FB).
• Regarded as the encryption function taking input from an input register (size equal to that of a block).
• The output of encryption is stored in an output register.
• The input register is updated one block at a time by FB mechanism.
• OFB and CTR produce encryption outputs independent of PT and CT (Hence natural candidates for stream cipher).
XTS-AES MODE FOR BLOCK-ORIENTED STORAGE DEVICES
Overview of XTS-AES
• XTS (XEX Tweakable Block Cipher with Ciphertext Stealing)
• Approved by NIST in 2010 as an additional mode.
• Defined by an IEEE standard (1619-2007) developed by P1619.
• Used for data encryptions on sector-based storage devices.
• Some of the applications are full-disk encryption, database encryption, secure cloud storage, etc.
Key Points of XTS-AES
• Tweakable Block Ciphers
• Storage Encryption Requirements
• Operation on a Single Block
• Operation on a Sector
Tweakable Block Ciphers
• Foundation for XTS-AES.
• Has 3 inputs: Plaintext (P), Symmetric Key (K), and a Tweak (T)
• ‘K’ is used to provide security, and ‘T’ is used to provide variability.
Tweakable Block Ciphers
Tweakable Block Ciphers
• h = H(T)
• C = h ⊕ E(K, h ⊕ P)
• P = h ⊕ D(K, h ⊕ C)

• Use of different T with same K and same P would produce different Ciphertexts.
• Use of tweaks makes it easier to construct any operating mode.
Tweakable Block Ciphers (Pros and Cons)

• Enhances the security of any operating mode.


• Versatile
• Provides Integrity of data
• Key Management gets easier

• Management of Tweaks
• The Cipher is more vulnerable if the Tweak space is small
Storage Encryption Requirements (Defined by P1619)
• The ciphertext is freely available for an attacker.
• The data layout is not changed on the storage medium and in transit.
• Data are accessed in fixed sized blocks, independently from each other.
• Encryption is performed in 16-byte blocks, independently from other blocks.
• There are no other metadata used, except the location of the data blocks within
the whole data set.
• The same plaintext is encrypted to different ciphertexts at different locations,
but always to the same ciphertext when written to the same location again.
• A standard conformant device can be constructed for decryption of data
encrypted by another standard conformant device.
Vulnerabilities identified by P1619 group for stored data encryptions by traditional modes
• IV Prediction attack in CBC
• CT copying in CBC
• Bit Flipping attack in CBC.
• Bit Flipping attack in CTR
• Counter Synchronization Issues in CTR
• Predictable Counter values attack in CTR
XTS-AES Operation on a Single Block
XTS-AES Operation on Single Block (Contd..)
• GF(2^128) → (x^128 + x^7 + x^2 + x + 1)
• α → x

Encryption:-
• T = E(K2, i) ⊗ α^j
• PP = P ⊕ T
• CC = E(K1, PP)
• C = CC ⊕ T

Decryption:-
• CC = C ⊕ T
• PP = D(K1, CC)
• P = PP ⊕ T
XTS-AES Operation on a Sector
XTS-AES Operation on a Sector (Contd..)
• PT → (P0, P1, P2, …, P_{m-1}, Pm; 128 bits each till (m-1)th block)
• Pm (‘s’ bits); where 1 ≤ s ≤ 127 bits.
• C_{m-1} is the last CT block having 128 bits.

XTS-AES mode with null final block:-
• Cj = XTS-AES-blockEnc(K, Pj, i, j); j = 0, 1, …, m-1
• Pj = XTS-AES-blockDec(K, Cj, i, j); j = 0, 1, …, m-1
XTS-AES Operation on a Sector, when final block is incomplete (Encryption)
• Cj = XTS-AES-blockEnc(K, Pj, i, j); j = 0, 1, …, m-2
• XX = XTS-AES-blockEnc(K, P_{m-1}, i, m-1)
• CP = LSB_{128-s}(XX)
• YY = Pm || CP
• C_{m-1} = XTS-AES-blockEnc(K, YY, i, m)
• Cm = MSB_s(XX)
XTS-AES Operation on a Sector, when final block is incomplete (Decryption)
• Pj = XTS-AES-blockDec(K, Cj, i, j); j = 0, 1, …, m-2
• YY = XTS-AES-blockDec(K, C_{m-1}, i, m-1)
• CP = LSB_{128-s}(YY)
• XX = Cm || CP
• P_{m-1} = XTS-AES-blockDec(K, XX, i, m)
• Pm = MSB_s(YY)
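The single-block and sector operations above, including ciphertext stealing, as an added example that is not part of the original slides. Assumptions: `E`/`D` are a 4-round Feistel stand-in for AES, the tail length `s` is handled in whole bytes, and the keys and sector data are constructed. Because C_{m-1} is produced with index m on the encryption side, the example's decryption applies index m to C_{m-1} and m-1 to XX.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(k, r, half):
    return hashlib.sha256(k + bytes([r]) + half).digest()[:8]

def E(k, blk):                                   # stand-in 128-bit cipher, NOT AES
    l, r = blk[:8], blk[8:]
    for n in range(4):
        l, r = r, xor(l, _f(k, n, r))
    return l + r

def D(k, blk):                                   # inverse of E
    l, r = blk[:8], blk[8:]
    for n in reversed(range(4)):
        l, r = xor(r, _f(k, n, l)), l
    return l + r

def mul_alpha(t):                                # times alpha = x in GF(2^128)
    n = int.from_bytes(t, "little") << 1
    if n >> 128:                                 # reduce by x^128 + x^7 + x^2 + x + 1
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")

def xts_block(fn, k1, k2, blk, i, j):
    """fn=E: C = E(K1, P xor T) xor T; fn=D: P = D(K1, C xor T) xor T."""
    t = E(k2, i.to_bytes(16, "little"))          # T = E(K2, i) (x) alpha^j
    for _ in range(j):
        t = mul_alpha(t)
    return xor(fn(k1, xor(blk, t)), t)

def xts_sector(fn, k1, k2, data, i):             # fn=E encrypts, fn=D decrypts
    if len(data) < 16:
        raise ValueError("sector needs at least one full block")
    blocks = [data[o:o + 16] for o in range(0, len(data), 16)]
    s = len(blocks[-1]) % 16                     # bytes in the partial final block
    whole = len(blocks) - (2 if s else 0)
    out = [xts_block(fn, k1, k2, b, i, j) for j, b in enumerate(blocks[:whole])]
    if s:
        m = len(blocks) - 1
        ja, jb = (m - 1, m) if fn is E else (m, m - 1)
        head = xts_block(fn, k1, k2, blocks[m - 1], i, ja)   # XX (enc) / YY (dec)
        merged = blocks[m] + head[s:]                         # short block || CP
        out += [xts_block(fn, k1, k2, merged, i, jb), head[:s]]
    return b"".join(out)

# Constructed sample: keys, sector number i, and a 40-byte sector (2 blocks + 8 bytes).
K1, K2, SECTOR = b"\x01" * 16, b"\x02" * 16, 5
DATA = b"A" * 32 + b"tail-xyz"
```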
Pros and Cons of XTS-AES
• Parallel Processing (Except the last incomplete block)
• Flexibility
• More secure compared to the traditional modes of operations of Block Ciphers.
• Suits well for confidentiality in sector-based storage devices.
• Provides a minor level of Data Integrity.

• Complex Implementation
• Generally limited to data at rest.
• Generally, doesn’t suit a network of devices.
• Key Management Issues
