Module: 2

“Block Cipher and Stream Ciphers”

--
Dr.S.P.Anandaraj
‘Associate Professor’

Department-CSE’
Presidency University,
Bangalore

1
Plaintext to Ciphertext
Objectives:
• one ‘character’ in ciphertext
= function of a large number of ‘characters’
in the plaintext.
• Thus if e is the most commonly used
character in English plaintext, it may not
be so in the ciphertext.
In ciphertext all the characters
should have ideally an equal
frequency of occurrence.
2
Frequency of Patterns
For every language: frequency of
characters, digrams ( two letter
sequences) and trigrams are known.
statistical analysis to decipher encrypted
information.
 English: e: the character with highest

frequency
 C: #define and #include in the beginning

 Protocols and tcpdump: repetitive, fixed

sized fields
3
Block Ciphers
used for
 Fast encryption of large amount of

data
 Creating a cryptographic

checksum for guaranteeing the

integrity of data
 Secrecy and authentication service

4
Modern Block Ciphers
 will now look at modern block
ciphers
 one of the most widely used types
of cryptographic algorithms
 provide secrecy and/or
authentication services
 in particular will introduce DES
(Data Encryption Standard)
Types of Cipher Algorithms
 Streaming Cipher: encrypts data unit by
unit, where a unit is of certain number
of bits (Example: If the unit be a bit, a stream
cipher encrypts data unit by unit. Or if the unit
be a byte, it encrypts byte by byte)
 Block cipher: encrypts a fixed- sized
block of data at a time:
 For a 64 bit block of plaintext, for encryption
to a 64-bit ciphertext, may need a table of
264 = 150 million terabytes = 15x1019 bytes
 For a block size of 128 bits, the table would
require a memory of 5x1039 bytes.
6
Block vs Stream Ciphers
 block ciphers process messages in into
blocks, each of which is then
en/decrypted
 like a substitution on very big characters
 64-bits or more
 stream ciphers process messages a bit
or byte at a time when en/decrypting
 many current ciphers are block ciphers
 hence are focus of course
Block Cipher Principles
 most symmetric block ciphers are based on a
Feistel Cipher Structure
 needed since must be able to decrypt
ciphertext to recover messages efficiently
 block ciphers look like an extremely large
substitution
 would need table of 264 entries for a 64-bit
block
 instead create from smaller building blocks
 using idea of a product cipher
 Feistel Cipher Structure
 Horst Feistel devised the feistel cipher
 based on concept of invertible product cipher
 partitions input block into two halves
 process through multiple rounds which
 perform a substitution on left data half
 based on round function of right half & subkey
 then have permutation swapping halves
 implements Shannon’s substitution-
permutation network concept
Feistel Cipher Structure
 Feistel Cipher Design
Principles
 block size

increasing size improves security, but slows cipher
 key size

increasing size improves security, makes exhaustive key
searching harder, but may slow cipher
 number of rounds

increasing number improves security, but slows cipher
 subkey generation

greater complexity can make analysis harder, but slows cipher
 round function

greater complexity can make analysis harder, but slows cipher
 fast software en/decryption & ease of analysis

are more recent concerns for practical use and testing
Feistel Cipher Decryption
 Diffusion & Confusion :
1945: “Introduce diffusion and confusion through
cryptographic algorithms”, said CLAUDE SHANNON.

DIFFUSION:
• Use permutation followed by some functional

transformation.
• seeks to make statistical relationship between

the plaintext and ciphertext as complex as

possible.
• Diffuses the structure of the plaintext over a

large part of the ciphertext. 13

CONFUSION
CONFUSION:
• makes the relationship between the

statistics of the ciphertext and the

encryption key as complex as possible.
• Achieved by using a complex substitution

algorithm.

IMPORTANT: Substitution or Permutation: easy to

break by using statistical analysis; strength due
to non-linear functional transformation.

14
 Diffusion and Confusion

 cipher needs to completely obscure

statistical properties of original message
 a one-time pad does this
 more practically Shannon suggested
combining elements to obtain:
 diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
 confusion – makes relationship between
ciphertext and key as complex as possible
Kerckhoff’s Rule
The strength of an encryption algorithm depends
upon:
1. Design of the algorithm
2. Key length
3. Secrecy of the key ( requires proper
management of key distribution)
1883: Jean Guillaumen Hubert Victor Fransois Alexandre
Auguste Kerckhoff von Nieuwenhof: “ Cryptosystems should
rely on the secrecy of the key, but not of algorithm.”

Advantages of Openness: 1994: A hacker published

the source code of RC4, a secret encryption
algorithm, designed by RSA Data security Inc. 
attacks, that exposed several weaknesses of RC4

16
 Modern Encryption Techniques:
• DES: A rather complex encryption scheme.
• Simplified DES:
• A teaching tool

• Designed by Prof. Edward Schaeter,

Santa Clara University, 1996

• http://www.cs.binghamton.edu/~steflik/cs455/Simplified_D
ES.ppt
, as of 29th Sept 2009

Given: plaintext 8-bit, Key 10-bit

Output: ciphertext 8-bit 17
 Simplified DES:
ciphertext = IP-1 (fk2 (SW (fk1 ( IP
(plaintext)))))
• SDES ‘s five steps:
1. Initial Permutation IP.
2. A complex function fk which requires key K1.
3. A switch function SW which switches the left
half and the right half of a data string.
4. The function fk again with a different key K2.
5. A permutation function that is the inverse of IP
–called IP-1 .
( IP-1 ( IP (X) )) = X.
SDES may be said to have two ROUNDS of the
function fk.
18
 ciphertext = IP-1 (fk2 (SW (fk1 ( IP
(plaintext)))))
Plaintext = IP-1 (fk1 (SW (fk2 ( IP
(ciphertext)))))
10-bit Key
DECRYPTION
ENCRYPTION
8-bit P10 8-bit plaintext
plaintext
Shift
IP IP-1
K1 P8 K1
fk fk

SW Shift
SW
K2 P8 K2
fk fk

IP-1 IP

8-bit ciphertext 8-bit ciphertext

19
 SDES (continued)
K1 = P8 ( Shift (P10 (Key)))

Plaintext = IP-1 (fk1 (SW (fk2 ( IP (ciphertext))))).

• To obtain K and K :
1 2
• Given: K = (k k k k k k k k k k )
1 2 3 4 5 6 7 8 9 10
• Step1: Permutation P10
3 5 2 7 4 10 1 9 8 6
P10 :
• Step2: Left shift (circular) by one bit
• for the left half and
• for the right half separately.

20
 To obtain K1 and K2
• Step3: Permutation for producing an 8 bit key K1
from a 10 bit input.
P8: 6 3 7 4 8 5 10 9
• Step4: Take the result of step2. On it use Left
Shift (circular) by 2 bits
• for the left half and
• for the right half separately.
• Step5: Another instance of P8 is used to produce
the second 8 bit key K2 .
K1 = P8 ( Shift (P10 (Key)))
K2 = P8 ( Shift ( Shift (P10 (Key)))).
21
 K1 = P8 ( Shift (P10
(Key)))
K2 = P8 ( Shift ( Shift (P10
(Key))))
10 bit key
1 10
P10 3 5 2 7 4 10 1 9 8 6 P10
5 5

LS-1 LS-1 Circular left shift by 1, separately on

the left and the right halves
5 5
5 P8 5 6 3 7 4 8 5 10 9 P8
K1 8

LS-2 LS-2 Circular left shift by 2 , separately on

5 5 the left and the right halves
P8 6 3 7 4 8 5 10 9 P8
K2
8 22
Example: Key Generation
3 5 2 7 4 10 1 9 8 6 P10

6 3 7 4 8 5 10 9 P8

10-bit key = 1 0 1 0 0 0 0 0 1 0

10000 01100 P1O

00001 11000 LS-1 LS-1

1 0 1 0 0 1 0 0 = K1 P8

00100 00011 LS-2 LS-2

0 1 0 0 0 0 1 1 = K2 P8 23
Simplified DES Encryption:
ciphertext = IP-1 (fk2 (SW (fk1 ( IP
(plaintext)))))
8-bit plaintext
8
IP 2 6 3 1 4 8 5 7 IP
L1
4 4 R1 IP-1
4 1 3 5 7 2 8 6
E/P
8 EPR K1 4 1 2 3 2 3 4 1 E/P

L2
4 + 4 R2
S0 S1
L22 2 2 R22
P4
4 R3
+ 4
4 L3
SW
L5 4 4 24
R
 S0 and S1 boxes:
0 1 2 3

S0 = 10 0 3 2
31 2 1 0
02 2 1 3
33 1 3 2

0 1 2 3
00 1 2 3
2
1 0 1 3
S1 3
2 0 1 0
= 23 1 0 3

2 4 3 1 P4

25
 The function fk :
Permutation IP is applied to the 8-bit plaintext to
generate L1 and R1, the left and the right halves.
INPUT to fk:
• 4-bit left half (L1) and
• 4-bit Right half (R1) of a data string.
• Step1: E/P: Expansion/Permutation on R1 to
produce an 8 bit data string called EPR.
• Step2: XOR of EPR with key K1 for fk1 to produce
the left half (L2) and right half (R2).
• Step3 (a): L2 4 2
L22
S0 box

26
 The function fk (continued):
• Step3(b): R2 4 2
S1 box R22
Given the 4 bits of L2 (or R2) part. Pick up the ijth
element of S0 (or of S1), where
i = 1st and 4th bits; j = 2nd and 3rd bits.
Then convert this element to a 2-bit binary
number.

 AUTOKEYING (also called autoclaving): In

step 3, the selection of the element in the
S-box depends on both data & key. This
feature is called autokeying.
27
The function fk (continued)
Step4: (L22 : R22) goes through a
permutation P4 to produce a 4-bit R3.

2 4 3 1
P4

• Step5: L3 = L1  R3
• Step6: L3 : R1 is then the input to SW .
• The second instance of fk is similar to
the first, except that the key K2 is used.
28
Example: SDES Encryption
 Example:
Plaintext = 1 0 1 1 1 1 0 1
0111 1110
L1 = 0 1 1 1
R1 = 1 1 1 0
EPR = 0 1 1 1 1 1 0 1
EPR  K1 = 1 1 0 1 1 0 0 1
Row : first and fourth bit
Column : 2nd and 3rd bit

29
 Example: SDES Encryption
(continued)
For S0:
L2 = 1 1 0 1
Therefore Row = 3 Column = 2
L22 = 3  11
For S1:
R2 = 1 0 0 1
Row = 3 Column = 0
R22 = 2  1 0
L22 : R22 1 1 1 0
R3 = 1 0 1 1

30
Example: SDES Encryption
(continued)

L3 = R3  L1
= 1100
L5 = 1110
R5 = 1100

31
 4 R5 4
L5
E/P
8 EPR2
+ K2

L6 4 4 R6
S0 S1
2
L62 2 R62
P4
4 R7
+ 4
L7
4
IP-1
8
c8 32
 Example: SDES Encryption: fk2
 EPR2 = 0 1 1 0 1 0 0 1
EPR2  K2 = 0 0 1 0 1 0 1 0
L6 = 0 0 1 0
R6 = 1 0 1 0

For S0:
Row = 0 Column = 1
L62 = 0  0 0
33
Example: SDES Encryption: fk2
(continued)
For S1:
Row = 2 Column = 1
R62 = 0  0 0
R7 = 0 0 0 0
L7 = R7  L5
=1110
L7 : L5 = 1 1 1 0 1 1 0 0
C8 = 0 1 1 1 0 1 0 1
34
SDES Decryption:
c8 8
IP
c 8
9 4 R9
L9 4
E/P
EPR3 8
K2

LA 4 4 RA

S0 S1
LA2 2 2 RA2

P4
4 RB
+
LB 4

LC 4 4 RC 35
Decryption: Example
C9 = 1 1 1 0 1 1 0 0
EPR3 = 0 1 1 0 1 0 0 1
LA : RA = EPR3  K2
=0010 1010
S0: Row = 0 Column = 1
LA2 = 0 => 0 0
S1: Row = 2 Column = 1
RA2 = 0 => 0 0
R7 = 0000 LB = 1110
LC = 1100 RC = 1110
36
 4 RC
LC 4
E/P
8 EPR4

LD
+ RD
K1

4 4

S0 S1
LE2 2 2 RE2

P4
4 RF
+
LF 4

IP-1
8
P8 37
Decryption: Example (continued)
 EPR4 = 0 1 1 1 1 1 0 1
LD : RD = EPR4  K1
=1101 1001
S0: Row = 3 Column = 2
LE2 = 3 => 1 1
S1: Row = 3 Column = 0
RE2 = 2 => 1 0
LE2 : RE2 = 1 1 1 0
RF = 1 0 1 1
38
Decryption: Example (continued)
LF = LC  RF
=0111

LF : RC = 0 1 1 1 1 1 1 0
P8 = 1 0 1 1 1 1 0 1

39
“As far as the laws of mathematics
refer to reality, they are not
certain, and as far as they are
certain, they do not refer to
reality.”

40
 DES Encryption:
DES: a public standard. But its design criterion has not
been published.
64 bit plaintext goes through
• an Initial Permutation (IP).
• 16 Rounds of a complex function f as follows:
k
• Round 1 of a complex function f with sub key K .
k 1
• Round 2 of a complex function f with sub key K
k 2.

• Round 16 of a complex function f k with sub key K16

• At the end of 16 rounds, the Left-half and Right-half are
swapped..
• an Inverse Initial Permutation (IP -1 )

to produce 64 bit ciphertext.

41
 Fig : single Round of DES
Algorithm:
32bits 32bits 28 bits 28 bits

L R i-1 C i-1 D i-1

i-1
32
32 Expansion/ Left shift (s)
permutation (E table)
Left shift (s)

48
F XOR Ki
48
Permutation/contraction
(permuted choice 2)
48
Substitution/
choice (S-box)
32
Permutation
(P)
32
XOR

Li Ri C D i
i
42
DES Round
 x: block of plaintext
 let x = IP (x) = L :R
0 0 0
 16 rounds with f: cipher function

Ki: sub-key for the ith round

While i ≤ 16,
xi = Li:Ri
Li = Ri-1
Ri = Li  F(Ri-1 , Ki)
43
DES Encryption
Recapitulation:
 IP

 16 rounds with 16 sub-keys

 Swapping

 Inverse Initial Permutation

44
 Initial Permutation (IP):
• IP and IP-1 are defined by 8X8 tables T1 and T2.

Table T1: IP

58 50 42 34 26 18 10
2
60 52 44 36 28 20 12
4
62 54 46 38 30 22 14
6
64 56 48 40 32 24 16
8
57 49 41 33 25 17 9
1
45
59 51 43 35 27 19 11
 Inverse Initial Permutation(IP-1)

Table T2: IP-1

40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25

46
IP and IP-1
Input Permutation permutes the position of bits as
follows:
Input 1 2 3 4 …… 61 62 63 64
Position
Output40 8 48 16 …… 49 17 57 25
Position
IP(plaintext) = L(0): R(0),
where L(0) and R(0) are the left –half and the right-
half
of the output after the permutation done through IP.
Inverse Input Permutation reverses it back.
Thus IP-1( IP( X)) = X
47
IP
Regular in structure, so that hardware is simple
 Even bits allocated to L(0)

 Odd bits allocated to R(0)

IP does not add to security. It makes the function a

little complex.
 Example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
IP-1(068dddcd 1d4ccebf) = 974affbf, 86022d1f
Reference:Lawrie Brown, “Cryptography: lecture 8”. available at
http://www.cs.adfa.edu.au/archive/teaching/studinfo/ccs3/lecture
s/less08.html

48
Function

E/P: to get 48 bits from 32 bits of Ri : each input
block of 4 bits contributes 2 bits to each output
block  Avalanche Effect: A small difference in
plaintext causes quite different ciphertext

E(Ri-1)  Ki
 Eight 4x16 S-boxes for converting 48 bits to 32
bits output: Non-linear; provide major part of the
strength of the cipher: Divide 48 bits to 8 units of
6 bits each; the first and the last bit determine the
row #; the middle 4 bits determine the column #;
The element value is between 0 and 15  4 bits
 Straight permutation
 XOR with left half
 Switch the left half and the right half

49
 Each round of encryption:
After IP, 64 bits are divided into left-half (L(0)) and
Right-half (R(0)).
• L(0): R(0) is the input to Round 1 of encryption.
During Round1, L(0):R(0) will be operated by Fk1 to
produce L(1):R(1), where FK1 is the function Fk with
subkey K1.
• .
• .
• Similarly for Round i, L i-1:R i-1 would be the input and
L i: R i will be the output.
Figure 2 shows the function FKi .
50
 Fig : single Round of DES
Algorithm:
32bits 32bits 28 bits 28 bits

L R i-1 C i-1 D i-1

i-1
32
32 Expansion/ Left shift (s)
permutation (E table)
Left shift (s)

48
F XOR Ki
48
Permutation/contraction
(permuted choice 2)
48
Substitution/
choice (S-box)
32
Permutation
(P)
32
XOR

Li Ri C D i
i
51
i-th Round
The part in yellow, in the previous slide, shows the sub
key generation. After PC1, the circular rotations are
independent for the left half and the right-half.
ENCRYPTION: In the i-th round,
Li = Ri-1
Ri = Li-1  F(Ri-1, Ki)
= Li-1  P(S( E(Ri-1)  Ki ))
Where E: expansion from 32 bits to 48
S: Using 8 S-boxes to convert 48 bits to 32 bits – each S
box converts 6 bits to 4 bits
P: permutation

52
 Expansion-Permutation (E/P):
• In figure 2, the E-table generates 48-bit
output from 32 bit input by expansion-
permutation by using table T6.
Table T6: E/P
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
53
 Expansion-Permutation (continued)
• Table T6 in fact divides the input of 32 bits into 8
units of 4 bit each.
• Each unit is converted to 6 bits by borrowing the
two adjoining bits of each unit of 4 bits.
• Thus …… efgh ijkl mnop ……..

is converted by Expansion/permutation through

table T6 to …… defghi hijklm lmnopq ……
AUTOKEYING/ AUTOCLAVING: The duplicated
outside bits in each group of 6 act as a key to the
following S-box, allowing the data (as well as the
key) to influence the S-box operation.
• This results in a 48 bit output from E/P module.
54
 Output of E/P and S-Boxes
• The output from the E/P module is divided
into 8 groups of 6 bits each.
• Using 8 4X16 S-boxes, each group of 6 bits
is reduced to 4 bits as follows:
• For each S box: Row Number = Outermost 2
bits; Column Number = Inner 4 bits.
• Using the row and column number, the S-box
yields a decimal number (lying between 0
and 15). Its 4 bit binary equivalent is the
output of the S-box.
Reference: A F Webster & S E Tavares "On the Design of S-
boxes", in Advances in Cryptology - Crypto 85, Lecture Notes in
Computer Science, No 218, Springer-Verlag, 1985, pp 523-534
55
DES Round Structure

56
 Definition of DES S-boxes:
• 8 S-boxes are shown in table T-7.
Table T7: S-Boxes
0 1 2 15
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0
S1 0 7 1
0 15 7 4 14 2 13 1 10 6 12 11 9 5 2
3 8 3
4 1 14 8 13 6 2 11 15 12 9 7 3 10
5 0
1 158 12
14 8 6 11
2 3
4 4 1
9 9 77 2 13
5 12 14
11 3 0 10
5 10
0
S13
2 6 4 13 7 15 2 8 14 12 0 1 10 6 9 11 5
14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
3 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

57
Definition of DES S-boxes: S3 and
S4

58
Definition of DES S-boxes: S5 and
S6

59
Definition of DES S-boxes: S7 and
S8

60
 Permutation Function (P):
• 8 S-boxes give 32 bit output, which is passed
through Permutation (P).
• P is shown in table T-8.
Table T8: P

16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25

61
Key Schedule Algorithm

Each sub-key Ki : 48 bits: obtained from a
56 bit key K

Fixed Permutation: PC1(K) = C0:D0
 A left circular shift (of 1 or 2 bits) on the
Left-half (C0 ) and Right-half (D0) separately
(Output: C1 of 28 bits and D1 of 28 bits)
 2 bits: for rounds 3-8 and 10-15
 Compression permutation PC2 to get 48
bit key Ki from Ci:Di
 Round-dependent left shifts  different
parts of initial key create each sub-key

63
Sub Key Generation
The input key: 56 bits
Hardware Design: the 8, 16, 24, 32, 40, 48, 56
and 64th bit is always the odd parity bit. 
64 bit key
Software design: the key is stated in ASCII
code. Each character of 8 bits, with the first
bit being zero plus 7 bits of code. (!)
Since DES was designed with the viewpoint of
hardware implementation, the conversion to 56
bits is done by neglecting every 8th bit.
PC1 converts to 56 bits and permutes.

64
Key Schedule
 K: 64 bit key
 C0: D0 =PC1(K) , 56 bit key
 16 steps for i = 1-15: A left circular
shift (of 1 or 2 bits) on the Left-half (Ci-1)
and Right-half (Di-1) separately (Output:
Ci of 28 bits and Di of 28 bits)
 16 Subkeys for i = 1-15: Ki = PC2(Ci : Di )
of 48 bits each
65
Input Key
odd parity bit: 8, 16, 24, 32, 40, 48,
56, 64
1 2 3 4 5 6 7 8
9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24
25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56
57 58 59 60 61 62 63 64
66
 Permuted Choice One (PC –1):
• Tables 8x7 T3 show PC-1.
• Table 6x8 T4 (slide 39) shows PC-2. Table T5
(slide 40) gives the number of shifts
Table T3: PC-1
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4

67
PC1: Obtaining C0 and D0
PC1 generates C0 and D0, the left and the right
halves respectively.
C0 Read the first column of the input 64-bit key from
bottom up. Write it row-wise from left to right.
Repeat for the second, the third and the lower-half
of the fourth column respectively.
D0 Read the seventh column of the input 64-bit key
from bottom up. Write it row-wise from left to right.
Repeat for the sixth, the fifth and the upper-half of
the fourth column respectively.
Probably the conversion to the two halves was done
due to the limitation of the hardware of seventies.

68
 Sub Key Generation: continued
Thus DES has a 56 bit key K consisting of C0 and D0.
All the sub keys K1 to K16 are of 48 bits.
To generate these keys, K goes through
• A Permuted Choice (PC-1) (output C of 28 bits
0
and D0 of 28 bits).
• A left circular shift (of 1 or 2 bits) on the Left-half (C0 )
and Right-half (D0) separately (Output: C1 of 28 bits and
D1 of 28 bits)
followed by a Permuted Choice (PC-2) which permutes
as well as ‘contracts’ to produce a sub-key K1 of 48 bits.

69
 Sub Key Generation (continued)
• A left circular shift (of 1 or 2 bits) on the Left-half (C1 ) and
Right-half (D1) separately (Output: C2 of 28 bits and D2 of
28 bits)
followed by a Permuted Choice (PC-2) which permutes as
well as ‘contracts’ to produce a sub-key K2 of 48 bits.
• .
• .
• .
• A left circular shift (of 1 or 2 bits) on the Left-half (C15 )
and Right-half (D15) separately (Output: C16 of 28 bits and
D16 of 28 bits)
followed by a Permuted Choice (PC-2) which permutes as
well as ‘contracts’ to produce a sub-key K16 of 48 bits.
70
Key Schedule
 KA = PC1(K)
 KB1 = LS-j(KA);
LS-j is left circular shift by j bits, on the two halves of
the 56 bits separately. j is given by Table 5.
KB2 = LS-j(KB1)
KB3 = LS-j(KB2)
.
KBi = LS-j(Kbi-1)
.
KB16 = LS-j(KB15)
 Ki = PC2(KBi)

71
Permuted Choice Two (PC-2):
Table T-4: PC-2: The upper 3 rows (24bits)
refer to the left half Ci. (It affects S-boxes 1 to 4.)
Similarly the remaining 24 bits refer to Di (and
affect S-boxes 5 to 8).
14 17 11 24 1 5 3 28
15 6 21 10 23 19 12 4
26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32

72
 Schedule of left shifts:
• The number of circular left shift in each
round is given in Table T5.
• 2 bits: for rounds 3-8 and 10-15:
• 1 bit: for rounds 1, 2, 9, 16 only. Total = 28

Table T-5 The number of circular Left Shifts

ound number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1
ts rotated 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

73
Schedule of left shifts:
 CoC1 with 1 shift
 C1C2 with 1 shift

 C2C3 with 2 shifts

 .

 .

 C8C9 with 2 shifts

 .

 .

 C15C16 with 1 shift

Di follows the same shifts as Ci.

74
Left Shifts in Key schedule
• The effect of left-shifts:
• First, any bit would affect a different S-box
in successive rounds.
• Secondly if a bit is not used in one sub-key,
it would be in the next.
• Thirdly after 16 rounds it comes back to the
original value so that computing the sub-
keys for decryption becomes easy.

75
 DES Decryption:
Decryption uses the same algorithm as
encryption
except that the application of the sub-keys is
reversed.:
• In the first round of decryption, sub-key K16 is used.
• .
• .
• .
• In the 16th round of decryption, sub-key K1 is used .

80
Decryption Relations
ENCRYPTION: (from slide 49)
Li = Ri-1
Ri = Li-1  F(Ri-1, Ki)
= Li-1  P(S( E(Ri-1)  Ki ))
Rewriting: DECRYPTION relations are:
Ri-1= Li
Li-1 = Ri  F(Ri-1, Ki)
On substituting the value of Ri-1 from the first
decryption relation,
Li-1 = Ri  F(Li, Ki)

81
Decryption Process
 First: IP on ciphertext: undoes the final
IP-1 step of encryption
 16 Rounds: First round with subkey 16
undoes 16th round of encryption
.
.
Sixteenth round with subkey 1 undoes
1st encryption round
 Last: IP-1 undoes the initial encryption IP

82