SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

UNIT -II
Symmetric Encryption
Mathematics of Symmetric Key Cryptography, Introduction to Modern Symmetric Key Ciphers,
Data Encryption Standard, Advanced Encryption Standard.

Mathematics of Symmetric Key Cryptography:

Cryptography ?
Cryptography is a technique of securing information and communications through use of codes. Thus
preventing unauthorized access to information. The prefix “crypt” means “hidden” and suffix graphy means
“writing”.
Cryptography Types
1) Symmetric Key Cryptography:
The sender and receiver of message use a single common key to encrypt and decrypt messages.
2) Asymmetric Key Cryptography:
A pair of keys is used to encrypt and decrypt information. A public key is used for encryption and a private
key is used for decryption. Even if the public key is known by everyone the intended receiver can only
decode it because he alone knows the private key.
3) Hash Functions:
There is no usage of any key in this algorithm. A hash value with fixed length is calculated as per the
plain text which makes it impossible for contents of plain text to be recovered..

Mathematics of Symmetric Key Cryptography

Algebraic Structures:
Cryptography requires set of integers and specific operations that are defined for those sets. The
combination of the set and the operations that are applied to the elements of the set is called an algebraic
structure.

1. Groups
A Group (G) is a set elements with a binary operation “” usually Addition or multiplication that satisfies
four properties(Axioms).
• A Commutative Group, also called an abelian group, is a group in which the operator satisfies the four
properties for groups plus an extra property, commutativity.
• Closure Property: if a and b are elements of G, then c = a  b is also an element of G.
• Associatively Property: if a, b, and c are elements of “G, then ( a  b )  c = a  ( b  c ).
• Existence of Identity Property: For all a in G, there exists an element e, called the identity element,
such that ea=ae=a

30
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

• Existence of Inverse Property: For each a in G, there exists an element a 1 , called the inverse of a,
such that a  a1 = a1  a = e
• Commutativity Property: For all a and b in G, we have a  b = b  a.

EXAMPLE 1
The set of residue integers with the addition operator, G=< Zn , + >, is a commutative group
1. Closure is satisfied. The result of adding two integers in Z n is another integer in Zn
2.Associativity is satisfied. The result of 4+(3+2) is same as (4+3) + 2
3. Commutative is satisfied. we have 3+4=4+3
4.The identity element is 0. we have 3+0=0+3=3
5. Every element has an additive inverse. The inverse of 3 is 7 (3+7 mod 10 =0 mod 10 in Z10 ) and
inverse of 7 is 3( 7+3 mod 10 =0 mod 10 in Z10 ), so inverse property satisfied
EXAMPLE 2
The set Zn * with multiplication operator, G=<Zn *, x >, is also an abelian group. We can perform
multiplication and divisions on the elements. We an identity element as 1.
Finite Group: A group is called a finite group if the set has a finite number of elements; otherwise, it is an
infinite group.

Order of a Group: The order of group, |G|, is the number of elements in the group. If the group is not
finite, its order is infinite; if the group is finite, the order is finite.

Subgroups: A subset H of a group G is a subgroup of G if H itself is a group with respect to the operation
on G. In other words, if G = <S,  > is a group, H = <T,  > is a group under the same operation, and T is a
non-empty subset of S, then H is a subgroup of G. The above definition implies that:
1. If a and b are members of both groups, then c=a  b is also a member of both groups
2.The group share the same identity element
3.If a is a member of both groups, the inverse of a is also a member of both groups
4.The group made with the identity element of G,H=<{e},  >, is a sub group of G
5. Each group is a subgroup of itself

Cyclic Subgroup: If a subgroup of a group can be generated using the power of an element, the subgroup is
called the cyclic subgroup.
The term power means repeatedly applying the group operation to the element:
an -> a.a.a.a ..... a (n times)
Example: The group G=< Z3, + > contains cyclic subgroups for 0,1 and 2:
If generated using 0:
00 mod 3 = 0, 01 mod 3 = 0, 02 mod 3 = 0. so, H1=<{0}, +>

31
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

If generated using 1:
10 mod 3 = 0, 1 1 mod 3 = 1, 1 2 mod 3 = (1+1) mod 3=2. so, H2=G
If generated using 2:
20 mod 3 = 0, 21 mod 3 = 2, 22 mod 3 = (2+2) mod 3=1. so, H3=G
Cyclic Group: A Cyclic group is a group that is its own cyclic subgroup. The element that generates cyclic
subgroup can also generates group itself.This element is referred as generator ‘g’.
Example: In the previous example, The group G=<Z3, +> is a cyclic grop with two generators g=1 and g=2
Lagrange’s Theorem:
It related the order of a group to the order of its sub group. Assme that G is group and H is its subgroup.
If order of G and H are |G| and |H|, respectively, based on this theorem |H| divides |G|.
EXAMPLE: As per the previous cyclic subgroup example, |H1|=1, |H2|=3, |H3|=3,
Obviously, all of these orders divide the order of |G|.

Example:
In the group G=<Z3, +>, ord(0)=1, ord(1)=3, ord(2)=3
2. RING
A Ring, denoted as R = < {. ...},  , □ >, is an algebraic structure with two operations(addition and
multiplication).
The first operation must satisfy all five properties required for an abelian group.
The second operation must satisfy only the first two.
In addition, the second operation must be distributed over the first operation.
Distributivity means that for all a, b and c elements of R, we have
a □ ( b  c ) = ( a □ b )  ( a □ c ) and ( a  b ) □ c = ( a □ c )  ( b □ c )

Commutative Ring: If a ring satisfies commutative property, then we say the ring is a commutative ring.
• Rings do not need to have a multiplicative inverse.

Example: Z an Integer set is a Ring structure.

Explain why Z (set of Integer numbers) is a ring?
Suppose that 2,3,4∈Z.
• Both addition and multiplication are associative since

32
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

2+(3+4)=(2+3)+4, and 2(3x4)=(2x3)4.

• It follows that
The identity element for addition is 0 since, 2+0=2.
The identity element for multiplication is 1 since 1x2=2.
• Addition is commutative too since 2+3=3+2
Multiplication is also commutative since 2x3=3x2,
so, Z can be called a commutative ring).
Addition has the inverse of -2 since 2+(−2)=0
(Note that multiplication does not need to have a multiplicative inverse. Because multiplicative inverse of 2
is ½. It is not an integer.
Lastly, multiplication also distributes over addition, that is 2(3+4)=2x3+2x4.
Rings do not need to have a multiplicative inverse.

3. FIELDS
A field, denoted by F = < { ... },  , □ >, is a commutative ring in which first and second operations satisfies
all five properties.
In other words:
A field is a set with the two binary operations of addition and multiplication, both of which operations are
commutative, associative, contain identity elements, and contain inverse elements.
The identity element for addition is 0, and the identity element for multiplication is 1.
Application: A field is a structure that supports two pairs of operations: addition/subtraction and
multiplication/division

FIELDS-Example

Explain why R is a field.(R is set of real numbers) :Suppose that a,b,c,d∈R. We know that R has addition
and multiplication as binary operations since (a+b)=c for some c, and ab=d for some d. Furthermore, we
know that addition and multiplication defined on real numbers is both commutative and associative.
Additionally, the identity element for addition is 0, x+0=x, and the identity element for multiplication is 1,
since 1x=x.
Lastly, the inverse element for addition is -x, since x+(−x)=0 (0 being the identity for addition), and the
inverse element for multiplication 1/x since x⋅1/x=1 when x ≠ 0.

33
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Comparison of Group, Ring and Field:

Check whether Zp is field structure or not?

Finite Fields:
A finite field, a field with a finite number of elements. The finite fields are usually called Galois fields and
denoted as GF(pn).
Note: A Galois field, GF(pn), is a finite field with pn elements where p is prime.
GF(p) Fields: When n=1, we have GF(p) field. Tis field can be the set Z, (0,1,2,p-1), with two operations
addition and multiplication. Each element has an additive inverse and that nonzero elements have a
multiplicative inverse for prime p.
Example for GF(p) Field: A very common field in this category is GF(2) with the set {0,1} and two
operations addition and multiplication a shown below:

NOTE: Addition is same as to XOR and multiplication is AND operation

GF(2n) Fields:-
GF(2n) is a Finite Field with 2 n elements. The elements in this set are n-bit words. For example, if n = 3, the
set is: { 000, 001, 010, 011, 100, 101, 110, 111 }
Example: if n = 2, then GF(22 ) field in which the set has four 2-bit words:
{ 00, 01, 10, 11 }.
Why GF(2n)?
Generally computer stores positive integers as n-bit words, can be 8-bit, 16-bit, 32-bit, 64-bit.
This means that range of words(integers) is 0 to 2n -1. So, the modulus is 2n
We have two choices if we use a field structure 1) using GF(p) or GF(2 n)
1) If we use GF(p) with the set Zp, where p is the largest prime number less than 2 n. This is
ineffiecient, if we use integers from p to2n-1.
If n=3, the largest prime less than 23 is 7. This means that we can not use integer 7,8.

34
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

2) If we GF(2n) with the set 2n elements. The elements in this set are n-bit words. Example: If n=3, , the set
is {000,001,010,011,100,101,110,111}

Polynomials
The data is shown as n-bit words in the computers that satisfy the properties in GF(2 n) . These n-bit words
are easily represented by Polynomial of degree n-1.
A polynomial of degree n-1 is an expression of the form: Where x i is called the ith term and ai is called
coefficient of the ith term.

Note: Polynomials representing n-bit words use two fields: GF(2) for Coefficients and GF(2 n) for
terms.

Modulus:
Addition of two polynomials never creates a polynomial out of the set. However, multiplication of two
polynomials may create a polynomial with degrees more than n-1. This means that we need to divide the
result by a modulus and keep only the remainder.
A Prime Polynomial cannot be factored into a polynomial with degree of less than n. Such polynomials are
referred to as Irreducible polynomials.

35
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Operations on Polynomials: Addition:

Addition and Subtraction operations on polynomials are the same operation.
The addition operation for polynomials with coefficient in GF(2) is add the coefficients of the corresponding
term in GF(2).
Adding two polynomials of degree n-1 always create a polynomial with degree n-1, which means that we do
not need to reduce the result using the modulus.

Additive Identity: The additive identity in a polynomial is a zero polynomial ( a polynomial with all
coefficients set to zero).

Additive inverse: The additive inverse of a polynomial with coefficients in GF(2) is the polynomial itself.
This means that the subtraction operation is the same as the addition operation.
Polynomials-Addition

Polynomials- Multiplication
• Multiplication in polynomials is the sum of the multiplication of each term of the first polynomial
with each term of the second polynomial.
• The multiplication may create terms with degree more than n-1, which means the result needs to be
reduced using a modulus polynomial

36
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Division by modulus to reduce Polynomial

Multiplicative identity & Multiplicative inverse

Multiplicative identity:- The multiplicative identity is always 1. For example, in GF(28 ), the multiplicative
inverse is the bit pattern 00000001
Multiplicative inverse:- Use extended Euclidean Algorithm to find the multiplicative inverse of a
polynomial. This process is exactly same as for integers.
Example: In GF(24), find the inverse of (x2+1) modulo (x4+x+1)
Solution:- Use the extended Euclidean algorithm as in Table:

Polynomials- Multiplication using a computer

If we multiply two polynomials, we also need to perform division operation that reduces an efficiency.
Computer uses an algorithm for multiply the polynomials that should not use division operation, instead
repeatedly multiplying a reduced polynomial by x.

37
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Example: Instead of finding the result of x2  P2 , it can done like

x  (x  P2)

Example:
Power Operation New Result Reduction
x0  P2 x +x +x3+x2+x
7 4
No
x1  P 2 x (x7+x4+x3+x2+x) x5+x2+x+1 Yes
x2  P 2 x ( x5+x2+x+1) x6+x3+x2+x No
x3  P 2 x ( X6+x3+x2+x) x7+x4+x3+x2 No
x4  P 2 x ( x7+x4+x3+x2) x5+x+1 Yes
x5 P 2 x ( x5 +x+1) x6+x2+x No

Result is P1xP2= (x6+x2+x) + (x6+x3+x2+x)+ (x5+x2+x+1)=x5+x3+x2+x+1

Simple algorithm
1. If the most significant bit of the previous result is 0, just shift the previous result one bit to the left.
2. If the most significant bit of the previous result is 1.
a)Shift it one bit to the left, and
b) Exclusive-OR it with the modulus without the most significant bit.
Example:Multiply P1= ( x5+x2+x) by P2=(x7+x4+x3+x2+x) in GF(28) with irreducible (x8+x4+x3+x+1)
Binary representation of P2=10011110,
Irreducible polynomial = 100011011(9bits)

Power Shift-left Operation Exclusive-OR

x  P2
0
10011110
X1  P2 111100 (00111100)+(00011011)=00100111
X  P2
2
1001110 1001110
X3  P2 10011100 10011100
X4  P2 111000 (00111000)+( 00011011)= 00100011
X5  P2 01000110 01000110
P1 P2 = (00100111) + 01001110+01000110= 00101111

Multiplication of polynomials in GF(2n) can be achieved using shift-left and exclusive-or operations

Example:Find Addition Table for GF(23) -

38
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Example :find Multiplication Table for GF(23 ) -with irreducible polynomial is x3 +x2 +1

Symmetric Key Cipher

The sender and receiver of message use a single common key to encrypt and decrypt messages.

39
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

If P is the plaintext, C is the ciphertext, and K is the key,

We assume that Bob creates P1; we prove that P1 = P:

Figure Locking and unlocking with the same key

Kerckhoff’s Principle
Based on Kerckhoff’s principle, one should always assume that the adversary, Eve, knows the
encryption/decryption algorithm. The resistance of the cipher to attack must be based only on the secrecy of
the key.

Cryptanalysis
As cryptography is the science and art of creating secret codes, cryptanalysis is the science and art of breaking those
codes.

40
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Ciphertext-Only Attack
Figure Ciphertext-only attack

In Ciphertext-Only Attack , the attacker knows only some cipher text. He try to find
corresponding key and plain text using various methods.
Brute-Force attack: Attacker tries all possible keys. We assume that he knows key domain
Statistical attack: The cryptanalyst can benefit from some inherent charactersistics of the plain text language
to perform statistical attack. Example: Letter E is most frequently used character in English.
Known-Plaintext Attack
Figure Known-plaintext attack

In this attack, he know some cipher text and plain text pairs that were sent previously by Alice to Bob. Attacker has
kept both cipher text and plain text to use them to break the next secrete message.

Chosen-Plaintext Attack
Figure Chosen-plaintext attack

This is similar to known-plaintext attack, but plaintext/cipher text pairs have been choosen by the attacker .
This can happen when attacker has access to Alice computer. She can choose some plaintext and interpret
ciphertext.

41
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Chosen-Ciphertext Attack
Figure Chosen-Ciphertext attack

This is similar to Chosen Plaintext attack except eve chooses some ciphertext and decrypt it to from a
cipher/plain text pairs. This can happen when Eve has access to Bob computer.

Categories of Traditional Ciphers

1. SUBSTITUTION CIPHERS
A substitution cipher replaces one character with another
2. TRANSPOSITION CIPHERS
A Transposition cipher reorders symbols
1. SUBSTITUTION CIPHERS
A substitution cipher replaces one symbol with another. Substitution ciphers can be categorized as either
monoalphabetic ciphers or polyalphabetic ciphers.
Note:
A substitution cipher replaces one symbol with another.

Monoalphabetic Ciphers:
In monoalphabetic substitution, the relationship between a symbol in the plaintext to a symbol in the
ciphertext is always one-to-one.

Example 1
The following shows a plaintext and its corresponding ciphertext. The cipher is probably
monoalphabetic because both l’s (els) are encrypted as O’s.

Example 2
The following shows a plaintext and its corresponding ciphertext. The cipher is not monoalphabetic
because each l (el) is encrypted by a different character. The first l (el) is encrypted with N;the second as Z

42
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Additive Cipher
The simplest monoalphabetic cipher is the additive cipher. This cipher is sometimes called a shift cipher and
sometimes a Caesar cipher, but the term additive cipher better reveals its mathematical nature.
Figure Plaintext and ciphertext in Z26

Figure Additive cipher

Note:
When the cipher is additive, the plaintext, ciphertext, and key are integers in Z26.
Example:
Use the additive cipher with key = 15 to encrypt the message “hello”.
Solution
We apply the encryption algorithm to the plaintext, character by character:

Example:
Use the additive cipher with key = 15 to decrypt the message “WTAAD”.
Solution
We apply the decryption algorithm to the plaintext character by character:

43
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Shift Cipher and Caesar Cipher

Historically, additive ciphers are called shift ciphers. Julius Caesar used an additive cipher to
communicate with his officers. For this reason, additive ciphers are sometimes referred to as the Caesar
cipher. Caesar used a key of 3 for his communications.
Note:
Additive ciphers are sometimes referred to as shift ciphers or Caesar cipher

Multiplicative Ciphers
Figure Multiplicative cipher

Note:

In a multiplicative cipher, the plaintext and ciphertext are integers in Z26 ; the key is an integer in Z26 *.

Example1:

What is the key domain for any multiplicative cipher?

Solution: The key needs to be in Z26 *. This set has only 12 members: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.

Example2:

We use a multiplicative cipher to encrypt the message “hello” with a key of 7. The ciphertext is “XCZZU”.

Affine Ciphers:

44
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Combine additve and multiplicative Ciphers

Example1:
The affine cipher uses a pair of keys in which the first key is from Z26 * and the second is from Z26 .
The size of the key domain is
26 × 12 = 312.
Example2:
Use an affine cipher to encrypt the message “hello” with the key pair (7, 2).

Monoalphabetic Substitution Cipher

Because additive, multiplicative, and affine ciphers have small key domains, they are very vulnerable to
brute-force attack.
A better solution is to create a mapping between each plaintext character and the corresponding ciphertext
character. Alice and Bob can agree on a table showing the mapping for each character.
Figure An example key for monoalphabetic substitution cipher

Example:

We can use the key in Figure to encrypt the message

The ciphertext is

Reference

Polyalphabetic Ciphers
In polyalphabetic substitution, each occurrence of a character may have a different substitute. The
relationship between a character in the plaintext to a character in the ciphertext is one-to-many.
Example ‘a’ can be enciphered as ‘D’ in the beginning of the text, but as ‘N’ at the middle.

45
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Polyalphabetic has advantage of hiding the letter frequency.

Example: Autokey Cipher

Example:
Assume that Alice and Bob agreed to use an autokey cipher with initial key value k1 = 12. Now
Alice wants to send Bob the message “Attack is today”. Enciphering is done character by character.

TRANSPOSITION CIPHERS
A transposition cipher does not substitute one symbol for another, instead it changes the location of the
symbols. A symbol in the first position may appaer in the tenth position of the cipher. A symbol in the
eighth position may appear in the first osition of the cipher.
Note: A transposition cipher reorders symbols
Keyless Transposition Ciphers
Simple transposition ciphers, which were used in the past, are keyless.
Example 1:
A good example of a keyless cipher using the first method is the rail fence cipher. The ciphertext is
created reading the pattern row by row. For example, to send the message “ Meet me at the park” to Bob,
Alice writes

She then creates the ciphertext “MEMATEAKETETHPR ”.

Example 2:
Alice and Bob can agree on the number of columns and use the second method. Alice writes the
same plaintext, row by row, in a table of four columns.

She then creates the ciphertext “MMTAEEHREAEKTTP” by transmitting the characters column by
column. Bob receives the cipher text and follows the reverse process to get plain text .
Example:

46
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

The cipher in previous example is actually a transposition cipher. The following shows the permutation of
each character in the plaintext into the ciphertext based on the positions.

The second character in the plaintext has moved to the fifth position in the ciphertext; the third character has
moved to the ninth position; and so on.Although the characters are permuted, there is a pattern in the
permutation: (01, 05, 09, 13), (02, 06, 10, 13), (03, 07, 11, 15), and (4, 8, 12). In each section, the difference
between the two adjacent numbers is 4.
Keyed Transposition Ciphers
The keyless ciphers permute the characters by using writing plaintext in one way and reading it in another
way The permutation is done on the whole plaintext to create the whole ciphertext.
Another method is to divide the plaintext into groups of predetermined size, called blocks, and then use a
key to permute the characters in each block separately.
Example
Alice needs to send the message “Enemy attacks tonight” to Bob..

The key used for encryption and decryption is a permutation key, which shows how the character
are permuted.

The permutation yields

Combining Two Approaches for better result

Encryption or decryption is done in 3 steps:
1) Text is written into row by row
2) Permutation is done by reordering columns
3) New table is read column by column
Example

47
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Keys
In the previous Example, a single key was used in two directions for the column exchange: downward for
encryption, upward for decryption. It is customary to create two keys.

Figure Encryption/decryption keys in transpositional ciphers

Key inversion in a transposition cipher

Using Matrices
We can use matrices to show the encryption/decryption process for a transposition cipher. The plain text and
cipher text are lxm matrices with numberical values of characters and keys are mxm matri x.
In a permutation matrix, every row or column has exactly one 1 and others are 0’s. Encryption multiplies
plaintext matrix with key matrix and decryption multiplies ciphertext matrix with inverse of key matrix(This
simply the transpostion of key matrix)

48
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Example

Figure Representation of the key as a matrix in the transposition cipher

Stream Ciphers and Block Ciphers

Stream Ciphers
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of
classical stream ciphers are the autokeyed Vigenère cipher and the Vernamcipher.

Block Ciphers
A block cipher is one in which a block of plaintext is treated as a whole and used to produce a cipher text
block of equal length. Typically, a block size of 64 or 128 bits is used.

Modern Block Ciphers

A symmetric-key modern block cipher encrypts an n-bit block of plaintext or decrypts an n-bit block of
cipher text. The encryption or decryption algorithm uses a k-bit key. The Decryption algorithm must be the
inverse of the encryption algorithm and must use the same secrete key.
Figure A modern block cipher

49
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Example: How many padding bits must be added to a message of 100 characters if 8-bit ASCII is used for
encoding and the block cipher accepts blocks of 64 bits?
Solution
Encoding 100 characters using 8-bit ASCII results in an 800-bit (100x8) message. The plaintext must be
divisible by 64. If | M | and |Pad| are the length of the message and the length of the padding,

A modern block cipher can be designed to act as a substitution cipher or a transposition cipher.
To be resistant to exhaustive-search attack, a modern block cipher needs to be designed as a substitution
cipher.
Example
Suppose that we have a block cipher where n = 64. If there are 10 1’s in the ciphertext, how many trial-and-
error tests does Eve need to do to recover the plaintext from the intercepted ciphertext in each of the
following cases?
a. The cipher is designed as a substitution cipher.
b. The cipher is designed as a transposition cipher.

Solution
a) In the first case, Eve has no idea how many 1’s are in the plaintext. Eve needs to try all possible 264
64-bit blocks to find one that makes sense.
b) In the second case, Eve knows that there are exactly 10 1’s in the plaintext. Eve can launch an
exhaustive-search attack using only those 64-bit blocks that have exactly 101’s.

Components of a Modern Block Cipher

Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mappings
from the possible inputs to the possible outputs. It usses P-Boxes,S-Boxes.

50
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

P-Boxes
P-Boxes(also called ad D-Box means Diffusion box)
A P-box (permutation box) parallels the traditional transposition cipher for characters. It transposes bits.
Three types of P-boxes

Example
Figure shows all 6 possible mappings of a 3 × 3 P-box.

The possible mappings of a 3 × 3 P-box

Straight P-Boxes
Table Example of a permutation table for a straight P-box(64x64)
At output of P-Box:
Input 58 goes to 1 st position, input 50 goes to 2nd position, input 42 to 3rd position,….

Example

Design an 8 × 8 permutation table for a straight P-box that moves the two middle bits (bits 4 and 5) in the
input word to the two ends (bits 1 and 8) in the output words. Relative positions of other bits should not be
changed.
Solution

We need a straight P-box with the table [4 1 2 3 6 7 8 5]. The relative positions of input bits 1, 2, 3, 6, 7,
and 8 have not been changed, but the first output takes the fourth input and the eighth output takes the fifth
input.

51
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Compression P-Boxes
Example of a 32 × 24 permutation table

Some of the input bits are blocked at output: example: 7,8,9,15,16,23,24,25

Expansion P-Boxes
Example of a 12 × 16 permutation table

1,3,9,12 are mapped to two outputs

P-Boxes: Invertibility
A straight P-Box is invertible, that means we use straight P-Box in encryption cipher and its inverse in
decryption cipher.

Note

A straight P-box is invertible, but compression and expansion P-boxes are not.

Example

Figure shows how to invert a permutation table represented as a one-dimensional table.

Figure Compression and expansion P-boxes are non-invertible

52
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

S-Box
An S-box (substitution box) can be thought of as a small substitution cipher
Note
An S-box is an m × n substitution unit, where m and n are not necessarily the same.
Linear S-Box: if the inputs are x1,x2,x3… and outputs are y1,y2,y3… and relationship between them is
Y1=f1(x1,x2,x3..) ,
Y2=f2 (x1,x2,x3..)
…..
Then above relation can be expressedas
Y1=a11 x1 +a12 x2 +…
Y2=a21x1+a22x2+…

Example: In a nonlinear s-box, such boxes can have ‘and’ terms like x1 x2 , x3 x5 …
In an S-box with three inputs and two outputs, we have

The S-box is linear because a1,1 = a1,2 = a1,3 = a2,1 = 1 and a2,2 = a2,3 = 0. The relationship can be
represented by matrices, as shown below:

Example
In an S-box with three inputs and two outputs, we have

53
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

where multiplication and addition is in GF(2). The S-box is nonlinear because there is no linear relationship
between the inputs and the outputs.
Example
The following table defines the input/output relationship for an S-box of size 3 × 2. The leftmost bit of the
input defines the row; the two rightmost bits of the input define the column. The two output bits are values
on the cross section of the selected row and column.

Based on the table, an input of 010 yields the output 01. An input of 101 yields the output of 00.
S-Boxes: Invertibility
An S-box may or may not be invertible. In an invertible
S-box, the number of input bits should be the same as the number of output bits.
Example
Figure shows an example of an invertible S-box. For example, if the input to the left box is 001, the output
is 101. The input 101 in the right table creates the output 001, which shows that the two tables are inverses
of each other.

Exclusive-OR
An important component in most block ciphers is the exclusive-or operation.
Invertibility of the exclusive-or operation

Product Ciphers
Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining
substitution, permutation, and other components .
Combination of S-box and P-box transformation—a product cipher.
Two classes of product ciphers:
a) Feistel ciphers, Example DES(data encryption standard)
b) Non-feistel Ciphers, Example AES(Advanced Encryptin system)

54
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Diffusion
The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.

Confusion
The idea of confusion is to hide the relationship between the ciphertext and the key.

Rounds
Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a
combination of S-boxes, P-boxes, and other components.

Figure A product cipher made of tworounds

Feistel Cipher Structure:

• Feistel Cipher is not a specific scheme of block cipher. It is a design model from which many
different block ciphers are derived.
• DES is just one example of a Feistel Cipher.
• A cryptographic system based on Feistel cipher structure uses the same algorithm for both
encryption and decryption.
• The input block to each round is divided into two halves that can be denoted as L and R for the left
half and the right half.
• In each round, the right half of the block, R, goes through unchanged. But the left half, L, goes
through an operation that depends on R and the encryption key. First, we apply an encrypting
function ‘f’ that takes two input − the key K and R. The function produces the output f(R,K). Then,
we XOR the output of the mathematical function with L.

55
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

56
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Block Cipher Design Principles

Block size: Larger block sizes mean greater security (all other things being equal) but reduced
encryption/decryption speed for a given algorithm. The greater security is achieved by greater diffusion.
Key size: Larger key size means greater security but may decrease encryption/ decryption speed. The
greater security is achieved by greater resistance to brute-force attacks and greater confusion
Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security but
that multiple rounds offer increasing security. A typical size is 16 rounds.
Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of
cryptanalysis.
Round function F: Again, greater complexity generally means greater resistance to cryptanalysis.
Diffusion And Confusion:- The terms diffusion and confusion were introduced by Claude Shannon to
capture the two basic building blocks (Plain Text & Cipher Text) for any cryptographic system.

Data Encryption Standard (DES)

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of
Standards and Technology (NIST).
DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure. The block size is 64 -bit.
Though, key length is 64-bit, DES has an effective key length of 56 bits, since 8 of the 64 bits of the key are
not used by the encryption algorithm (function as check bits only).

57
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

DES Symmetric key Block Cipher

algorithm. DES follows Feistel cipher
structure.
Plain Text Block Size :
64 Bits Cipher Text Size :
64 Bits
Master Key Size : 64 / 56
Bits No. Of Rounds 16
Round Key / Subkey Size: 48 Bits.

Initial Permutation & Inverse Initial Permutation

The initial permutation and its inverse are defined by tables, as shown in Tables.
The tables are to be interpreted as follows.
The input to a table consists of 64 bits numbered from 1 to 64.
The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64.
Each entry in the permutation table indicates the position of a numbered input bit in the output, which also
consists of 64 bits.
The initial and final permutations are straight Permutation boxes (P-boxes) that are inverses of each other.
Note:
Initial Permutation & Inverse Initial Permutations have no cryptography significance in DES.

Input Table

In output
At 1st place 58
At 2nd place 50

58
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

At 3rd place 42 ..

In output
At 1st place 40
At 2nd place 8
At 3rd place 48 ..

Rounds
The left and right halves of each 64- bit intermediate value are treated as separate 32-bit quantities, labeled
L (left) and R (right).
As in any classic Feistel cipher, the overall processing at each round can be summarized in the following
formulas:

The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table
that defines a permutation plus an expansion that involves duplication of 16 of the R bits.

59
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function that
produces a 32-bit output, which is permuted as defined by Table.
The role of the S-boxes in the function F is illustrated in Figure 3.7.The substitution consists of a set of eight
S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. These transformations are
defined in Table 3.3, which is interpreted as follows: The first and last bits of the input to box Si form a 2-bit
binary number to select one of four substitutions defined by the four rows in the table for Si. The middle
four bits select one of the sixteen columns. The decimal value in the cell selected by the row and column is
then converted to its 4-bit representation to produce the output. For example, in S1, for input 011001, the
row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is
1001.

60
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Round Function
The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32
bits to produce a 32-bit output.

Expansion Permutation Box − Since right input is 32-bit and round key is a 48-bit, we first need to expand
right input to 48 bits. Permutation logic is graphically depicted in the following illustration −

The graphically depicted permutation logic is generally described as table in DES specification illustrated as
shown −

61
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

XOR (Whitener). − After the expansion permutation, DES does XOR operation on the expanded right
section and the round key. The round key is used only in this operation.
Substitution Boxes. − The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes, each with a
6-bit input and a 4-bit output. Refer the following illustration −

The S-box rule is illustrated below −

62
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

There are a total of eight S-box tables.

The output of all eight s-boxes is then combined in to 32 bit section.

63
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

The 32-bit output from the eight S-boxes is then permuted, so that on the next round, the output from
each S-box immediately affects as many others as possible.

Straight Permutation
− The 32 bit output of S-boxes is then subjected to the straight permutation with rule shown in the
following illustration:

DES Key Generation

The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of key
generation is depicted in the following illustration −

64
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

DES Decryption

As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of
the subkeys is reversed.

DES Analysis
Two desired properties of a block cipher are the Avalanche effect and the completeness.
Avalanche effect :

65
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

A small change in plaintext results in the very great change in the ciphertext.

Completeness effect:
Completeness effect means that each bit of ciphertext needs to depends on many bits on the plaintext. The
diffusion and confusion produced by P-Boxes and S-Boxes in DES, show a very strong completeness effect.

DES Weaknesses Analysis

Weakness in Cipher Design:
It is not clear why the designers of DES used the initial and final permutations; these have no security
benefits.
In the expansion permutation, the first and fourth bits of every 4-bit series are repeated.
Weakness in Cipher Key:
o DES Key size is 56 bits. To do Brute force attack on a given ciphertext block, the adversary needs to
check 256 keys.
With available technology it is possible to check 1 million keys per second

Double – DES

66
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Triple – DES

Triple DES was developed in 1999 by IBM – by a team led by Walter Tuchman. DES prevents a meet-in-
the-middle attack. 3- DES has a 168-bit key and enciphers blocks of 64 bits.

3-DES with 2 Keys:

67
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

3- DES with 3 Keys:

68
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

The encryption-decryption process is as follows −

Encrypt the plaintext blocks using single DES with key K 1 .
Now decrypt the output of step 1 using single DES with key K2 .
Finally, encrypt the output of step 2 using single DES with key K3 .
The output of step 3 is the ciphertext.
Decryption of a ciphertext is a reverse process. User first decrypt using K 3, then encrypt with K 2, and finally
decrypt with K1 .

Advanced Encryption Standard

(AES Algorithm)
• The Advanced Encryption Standard (AES) was published by the National Institute of Standards and
Technology (NIST) in 2001.
• AES is a symmetric block cipher that is intended to replace DES.
The features of AES are as follows −
• Symmetric key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger and faster than Triple-DES
• Provide full specification and design details
• Software implementable in C and Java

AES is an iterative rather than Feistel cipher. It is based on ‘substitution–permutation network’. It

comprises of a series of linked operations, some of which involve replacing inputs by specific outputs
(substitutions) and others involve shuffling bits around (permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats the 128 bits
of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for
processing as a matrix.

69
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

Unlike DES, the number of rounds in AES is variable and depends on the length of the key.
AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each
of these rounds uses a different 128-bit round key, which is calculated from the original AES key.

The schematic of AES structure is given in the following illustration

ROUNDS
• Unlike DES, the number of rounds in AES is variable and depends on the length of the key.
• AES uses 10 rounds for 128-bit keys,
• 12 rounds for 192-bit keys and
• 14 rounds for 256-bit keys.
• Each of these rounds uses a different 128-bit round key, which is calculated from the original AES
key.

Each round comprise of four sub-processes. The first round process is depicted below −
AES Transformations:

There are four transformation functions used in AES Cipher at each round.
1. Substitute Bytes Transformation

70
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

2. ShiftRows Transformation
3. MixColumns Transformation
4. AddRoundKey Transformation

1. Byte Substitution (SubBytes)

The 16 input bytes are substituted by values as specified in a table
(S-box) given in design.
Each input byte of State is mapped into a new byte in the following way:
• The leftmost 4 bits of the byte are used as a row value(in hexadecimal form) and the rightmost 4
bits are used as a column value(in hexadecimal form) in S-boxtable.
For example, the hexadecimal value {95} references row 9, column 5 of the S -box, which contains the
value {2A}. Accordingly, the value {95} is mapped into the value {2A}.

2. ShiftRows Transformation:

 In this transformation bytes are permuted(shifted).

 In the Encryption, the tranformation is called Shiftrows and the shifting is to the left.
 The number of shifts depends on the row number(0,1,2,or 3) of the state matrix as shown below:

71
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

The following is an example of ShiftRows.

The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the
opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so
on.

3. MixColumns Transformation:
Mixing is the transformaton that changes bits inside byte.
This operation takes 4 bytes(a column) and by multiplying it with a constant matrix then mixes them that
produces new bytes.
MixColumn: operates on each column individually. Each byte of a column is mapped into a new value.

72
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

It takes a column from state and multiply it with a constant square matrix.
The byte values are represented as polynomials with coefficients in GF(2) and mulitplications are done in
GF(28)

Constant matrices for multiplications:

4. AddRoundKey Transformation:
 To make the ciphertext more secrete, we add cipher key to the data in a state.
 AddRoundKey is same as to MixColumns but performs addition operation instead of multiplication.

73
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

The following is an example of AddRoundKey:

The first matrix is State, and the second matrix is the round key.

AES Key Expansion:

 The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear
array of 44 words (176 bytes). This is sufficient to provide a four-word round key for the initial
AddRoundKey stage and each of the 10 rounds of the cipher.
 The key is copied into the first four words of the expanded key. The remain- der of the expanded key
is filled in four words at a time. Each added word w[i] depends on the immediately preceding word,
w[i - 1], and the word four positions back, w[i - 4]. In three out of four cases, a simple XOR is used.
 For a word whose position in the w array is a multiple of 4, a more complex function is used. Figure
illustrates the generation of the expanded key, using the symbol g to represent that complex function.
The function g consists of the following subfunctions.

74
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

For example, suppose that the round key for round 8 is

EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
Then the first 4 bytes (first column) of the round key for round 9 are calculated as follows:

75
 SATYA INSTITUTE OF TECHNOLOGY AND MANAGEMENT

Cryptography and Network Security B.Tech(ECE) IV Year I Sem

ANALYSIS OF AES
Security
• AES was designed after DES. Most of the known attacks on DES were already tested on AES.
• Brute-Force Attack
• AES is definitely more secure than DES due to the larger-size key.
• Statistical Attacks
• Numerous tests have failed to do statistical analysis of the ciphertext.
• Differential and Linear Attacks
• There are no differential and linear attacks on AES as yet.
Implementation
• AES can be implemented in software, hardware, and firmware. The implementation can use table
lookup process or routines that use a well-defined algebraic structure.
Simplicity and Cost
• The algorithms used in AES are so simple that they can be easily implemented using cheap
processors and a minimum amount of memory.

76