Crypto Unit-2

The document provides an overview of traditional symmetric-key ciphers, explaining their basic principles, including the roles of encryption and decryption algorithms, and the importance of a shared secret key. It discusses various types of attacks on ciphers, such as ciphertext-only and known-plaintext attacks, and categorizes ciphers into substitution and transposition types. Additionally, it covers specific cipher methods like additive, multiplicative, and affine ciphers, as well as polyalphabetic ciphers, highlighting their vulnerabilities and cryptanalysis techniques.

Uploaded by

1ms22ci056
Traditional Symmetric-key cipher
UNIT-2
Introduction

 Symmetric-key encipherment uses a single key on both sides.
 Several reasons for studying:
1. They are simpler than modern ciphers and easier to
understand.
2. They show the basic foundation of cryptography and
encipherment.
3. They provide the rationale for using modern ciphers.
Symmetric Key Ciphers
 The original message from Alice to Bob is called plaintext;
 The message that is sent through the channel is called the
ciphertext.
 To create the ciphertext from the plaintext, Alice uses an
encryption algorithm and a shared secret key.
 To create the plaintext from ciphertext, Bob uses a
decryption algorithm and the same secret key.
 We refer to encryption and decryption algorithms as
Ciphers.
 A key is a set of values (numbers) that the cipher operates on.
 Encryption and decryption algorithms are inverses of each other.
 If P is the plaintext, C is the ciphertext, and K is the key, the encryption
algorithm Ek(x) creates ciphertext from plaintext.
Encryption: C = Ek(P)

 The decryption algorithm Dk(x) creates the plaintext from the ciphertext.
Decryption: P = Dk(C)

 In which Dk(Ek(x)) = Ek(Dk(x)) = x


 According to Kerckhoffs's principle:
It is better to make the encryption and decryption algorithms public but keep the
shared key secret.

 Secure channels for sharing the key:
Face-to-face exchange of the key.
They can also trust a third party to give them the same key.
They can create a temporary secret key using another kind of cipher.
 If there are m people in a group who need to communicate with each
other, then (m × (m − 1))/2 keys are used.
 Each person needs m − 1 keys to communicate with the rest of the group.
 Encryption can be thought of as locking the message in a box.
 Decryption can be thought of as unlocking the box.
Cryptanalysis:
 Cryptography is the science and art of creating secret codes.
 Cryptanalysis is the science and art of breaking those codes.
 The study of cryptanalysis helps us create better secret codes.
 There are four common types of cryptanalysis attacks.

Figure : Cryptanalysis attacks


 Ciphertext-only attack:

Figure : Ciphertext-only attack

 Eve has access to only some ciphertext and tries to find the key and the plaintext.
 Assume Eve knows the encryption algorithm.
 Various methods can be used in a ciphertext-only attack:
1. Brute-force attack: exhaustive key search.
2. Statistical attack: benefits from inherent characteristics of the plaintext
language, e.g. E is the most frequently used letter.
3. Pattern attack: discovers patterns in the ciphertext.
 Known-plaintext attack:
 Eve has access to some plaintext/ciphertext pairs in addition to the intercepted
ciphertext that he/she wants to break.
 The plaintext/ciphertext pairs have been collected earlier.
 Chosen-plaintext attack:
 The chosen-plaintext attack is similar to the known-plaintext attack, but the
plaintext/ciphertext pairs have been chosen by the attacker herself.
 Chosen-ciphertext attack:
 Eve has access to Bob's computer.
 The cryptanalyst chooses some ciphertext and decrypts it to form
plaintext/ciphertext pairs.
Substitution ciphers

 We can divide traditional symmetric key ciphers into two broad categories:
 Substitution Ciphers:
In a substitution cipher, we replace one symbol in the ciphertext with
another symbol.

 Transposition Ciphers:
In a transposition cipher, we reorder the position of symbols in the
plaintext.
Substitution ciphers:
 A substitution cipher replaces one symbol with another.
 If the symbols in the plaintext are alphabetic characters, we can replace one
character with another.
 Example: A → D, T → Z.
 If the symbols are digits (0 to 9), we can replace 3 with 7, and 2 with 6.
 Substitution ciphers can be categorized as:
 monoalphabetic ciphers or
 polyalphabetic ciphers.
 Monoalphabetic ciphers:
 A character in the plaintext is always changed to the same character in the ciphertext,
regardless of its position in the plaintext.
 The relationship between a symbol in the plaintext and a symbol in the ciphertext is
always one-to-one.
POLYGRAM SUBSTITUTION CIPHER:

 Polygram cipher systems are ciphers in which groups of letters are encrypted
together, which includes enciphering large blocks of letters. They therefore permit
arbitrary substitution for groups of characters. For example, the plaintext group
"ABC" could be encrypted to "RTQ", "ABB" could be encrypted to "SLL", and so on.
In other words, encryption substitutes a block of multiple plaintext letters with
the corresponding group of ciphertext letters. Examples of such ciphers are the
Playfair and Hill ciphers.
 Monoalphabetic ciphers
a. Additive cipher (shift cipher/Caesar cipher)
b. Multiplicative cipher
c. Affine cipher
 Additive cipher:
 The simplest mono-alphabetic cipher is the additive cipher.
 This cipher is sometimes called a shift cipher/Caesar cipher, but the term additive
cipher better reveals its mathematical nature.
 Assume that the plaintext consists of lowercase letters (a to z), and that the
ciphertext consists of uppercase letters (A to Z).
 To be able to apply mathematical operations on the plaintext and ciphertext, we
assign numerical values to each letter (lower- or uppercase).
 Each character is assigned an integer in Z26.

Figure : Representation of plaintext and ciphertext characters


 In Figure each character (lowercase or uppercase) is assigned an integer in Z26.
 The secret key between Alice and Bob is also an integer in Z26.
 The encryption algorithm adds the key to the plaintext character;
 the decryption algorithm subtracts the key from the ciphertext character.
 All operations are done in Z26

Figure : Additive cipher


 Example 3.4 Use the additive cipher with key = 15 to decrypt the
message “WTAAD”.
Shift cipher
 Historically, additive ciphers are called shift ciphers.
 The reason is that the encryption algorithm can be interpreted
as “shift key characters down” and the decryption algorithm
can be interpreted as “shift key characters up”.
 For example, if the key = 15, the encryption algorithm shifts 15
characters down (toward the end of the alphabet).
 The decryption algorithm shifts 15 characters up (toward the
beginning of the alphabet).
 Of course, when we reach the end or the beginning of the
alphabet, we wrap around (manifestation of modulo 26)
 Shift Cipher
 A shift cipher involves replacing each letter in the message by a letter that is some
fixed number of positions further along in the alphabet.
 Here is an example of how to use the Caesar cipher to encrypt the message
“HELLO” with a shift of 3:
 Write down the plaintext message: HELLO
 Choose a shift value. In this case, we will use a shift of 3.
 Replace each letter in the plaintext message with the letter that is three positions to
the right in the alphabet.
 H becomes K (shift 3 from H)
 E becomes H (shift 3 from E)
 L becomes O (shift 3 from L)
 L becomes O (shift 3 from L)
Caesar Cipher

 Julius Caesar used an additive cipher to communicate with his officers.


 For this reason, additive ciphers are sometimes referred to as the Caesar
cipher. Caesar used a key of 3 for his communications.
Example:
1. Encrypt the message “the house is being sold tonight” using the additive cipher with
key 20. Ignore the spaces between words. Decrypt the message to get the plaintext.
2. Encrypt the following message and shift with the key 23.
“ABCDEFGHIJKLMNOPQRSTUVWXYZ”.
3. Encrypt the following message and shift with the key 4. “ATTACKATONCE”.
 Cryptanalysis
 Additive ciphers are vulnerable to ciphertext-only attacks using exhaustive
key searches (brute-force attacks).
 The key domain of the additive cipher is very small; there are only 26 keys.
However, one of the keys, zero, is useless (the ciphertext is the same as the
plaintext).
 This leaves only 25 possible keys. Eve can easily launch a brute-force attack
on the ciphertext.
 Example:
 Eve has intercepted the ciphertext “UVACLYFZLJBYL”. Show how she can
use a brute-force attack to break the cipher.
 Solution: Eve tries keys from 1 to 7. With a key of 7, the plaintext is
“not very secure”, which makes sense.
 Multiplicative ciphers
 In a multiplicative cipher, the encryption algorithm specifies multiplication of the
plaintext by the key and the decryption algorithm specifies division of the
ciphertext by the key as shown in Figure.
 However, since operations are in Z26, decryption here means multiplying by the
multiplicative inverse of the key. Note that the key needs to belong to the set
Z26* to guarantee that the encryption and decryption are inverses of each other.
 In cryptography, use
 Zn when additive inverses are needed
 Zn* when multiplicative inverses are needed
 Example:
 Use the multiplicative cipher to encrypt the message “hello” with a key of 7.
Example 3.7 What is the key domain for any multiplicative cipher?

Solution: The key needs to be in Z26*.
This set has only 12 members: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.
 Affine cipher
 A combination of both ciphers with a pair of keys
 The first key is used with the multiplicative cipher
 The second key is used with the additive cipher
 Use the affine cipher to decrypt the message “ZEBBW” with the key pair (7, 2) in
modulus 26.
 The additive cipher is a special case of an affine cipher in which k1 = 1.
 The multiplicative cipher is a special case of an affine cipher in which k2 = 0.
 Cryptanalysis of affine cipher:
 Brute-force and statistical methods of ciphertext-only attack can be used.

 Chosen-plaintext attack:
 Assume that Eve intercepts the following ciphertext.
 PWUFFOGWCHFDWIWEJOUUNJORSMDWRHVCMWJUPVCCG

 She tries to encrypt the short plaintext “et” using two different algorithms, because she
is not sure which one is the affine cipher.
 Algorithm 1: Plaintext: et → ciphertext: WC
 Algorithm 2: Plaintext: et → ciphertext: WF
 To find the key, Eve uses the following strategy:
 Eve knows that if the first algorithm is affine, she can construct the following two
equations based on the first data set.
 e → W: 04 → 22, (04 × k1 + k2) ≡ 22 (mod 26)
 t → C: 19 → 02, (19 × k1 + k2) ≡ 02 (mod 26)
 k1 = 16 (16 does not have a multiplicative inverse in Z26*)

 Eve now tries the result of the second set of data.
 e → W: 04 → 22, (04 × k1 + k2) ≡ 22 (mod 26)
 t → F: 19 → 05, (19 × k1 + k2) ≡ 05 (mod 26)
 k1 = 11 and k2 = 4
 She tries the pair of keys (19, 22), which are the inverses of the pair (11, 4), to decipher
the message.

Best time of the year is spring when flowers bloom
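The chosen-plaintext key recovery above, together with the brute-force search on the additive cipher, as an added Python example (not part of the original slides). The function names are this example's own; the ciphertexts and the pairs et → WC and et → WF are the ones given on the page.

```python
from math import gcd

def to_nums(text):
    """Map letters of either case to integers in Z26; other characters are dropped."""
    return [ord(c) - ord("a") for c in text.lower() if "a" <= c <= "z"]

def affine_encrypt(plaintext, k1, k2):
    """C = (P x k1 + k2) mod 26. k1 = 1 is the additive cipher, k2 = 0 the multiplicative."""
    if gcd(k1, 26) != 1:
        raise ValueError("k1 must be in Z26* so that decryption exists")
    return "".join(chr((p * k1 + k2) % 26 + ord("A")) for p in to_nums(plaintext))

def affine_decrypt(ciphertext, k1, k2):
    """P = ((C - k2) x k1^-1) mod 26."""
    k1_inv = pow(k1, -1, 26)  # raises ValueError if k1 is not in Z26*
    return "".join(chr((c - k2) * k1_inv % 26 + ord("a")) for c in to_nums(ciphertext))

def additive_brute_force(ciphertext):
    """Decrypt under each of the 25 useful additive keys; Eve picks the readable one."""
    return {key: affine_decrypt(ciphertext, 1, key) for key in range(1, 26)}

def recover_affine_key(pair_a, pair_b):
    """Solve Pa*k1 + k2 = Ca and Pb*k1 + k2 = Cb (mod 26) from two
    plaintext/ciphertext letter pairs. Returns (k1, k2, usable); usable is
    False when k1 has no multiplicative inverse, which means the algorithm
    that produced the pairs cannot be an affine cipher."""
    (pa, ca), (pb, cb) = [(to_nums(p)[0], to_nums(c)[0]) for p, c in (pair_a, pair_b)]
    # Subtracting the equations removes k2: (Pb - Pa) * k1 = (Cb - Ca) (mod 26).
    # This needs Pb - Pa to be invertible mod 26; for e and t it is 19 - 4 = 15.
    dp_inv = pow((pb - pa) % 26, -1, 26)
    k1 = (cb - ca) * dp_inv % 26
    k2 = (ca - pa * k1) % 26
    return k1, k2, gcd(k1, 26) == 1

if __name__ == "__main__":
    for key, guess in additive_brute_force("UVACLYFZLJBYL").items():
        print(f"{key:2d} {guess}")
    intercepted = "PWUFFOGWCHFDWIWEJOUUNJORSMDWRHVCMWJUPVCCG"
    for name, (c_e, c_t) in {"Algorithm 1": "WC", "Algorithm 2": "WF"}.items():
        k1, k2, usable = recover_affine_key(("e", c_e), ("t", c_t))
        result = affine_decrypt(intercepted, k1, k2) if usable else "not an affine cipher"
        print(name, (k1, k2), result)
```

The defensive reading is the same as the slide's: a key domain of 25 or 312 values, or a key that two known letter pairs determine, gives no protection.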


 Monoalphabetic substitution cipher:
 Additive, multiplicative and affine ciphers have small key domains; hence, they
are vulnerable to brute-force attack.
 The monoalphabetic ciphers do not change the frequency of characters in the
ciphertext, which makes the ciphers vulnerable to statistical attack.
Polyalphabetic Ciphers:
 In polyalphabetic substitution, each occurrence of a character may have a
different substitute.
 It hides the letter frequency of the underlying language,
 The relationship between a character in the plaintext to a character in the
ciphertext is one-to-many.
 Example:
PT = WELCOME
CT = XGPHUTR
 We need to have a key stream k =(k1, k2, k3, …) in which ki is used to encipher
the ith character in the plaintext to create the ith character in the ciphertext.
 Polyalphabetic ciphers
a. Autokey cipher
b. Playfair cipher
c. Vigenere cipher
d. Hill cipher
e. One time pad
f. Rotor cipher
 Autokey cipher:
 In this cipher, the key is a stream of subkeys, in which each subkey is used to encrypt
the corresponding character in the plaintext.
 The first subkey is a predetermined secret value agreed between sender and
receiver.
 Example:
 Assume that Alice and Bob agreed to use an autokey cipher with initial key
value k1 = 12.
 Now Alice wants to send Bob the message “Attack is today”. Enciphering is
done character by character.
 Playfair cipher
 The best-known digraph substitution cipher; it was invented in 1854 by Charles
Wheatstone but was named after Lord Playfair, who promoted the use of the
cipher.
 Used by the British army during World War I.
 The secret key is made up of 25 characters arranged in a 5×5 matrix (I and J are
considered the same).
 The Playfair Cipher Encryption Algorithm:
 1. Generate the key square (5×5):
 The key square is a 5×5 grid of letters that acts as the key for encrypting
the plaintext.
 The initial letters in the key square are the unique letters of the key
in the order in which they appear, followed by the remaining letters of the
alphabet in order.
 Example: Keyword - ATHENS
 Before encryption:
 Divide the plaintext into digraphs
 PT = attack
 Digrams → at ta ck
 If two letters in a pair are the same, a bogus letter is inserted to separate
them.
 PT = balloon
 Digrams → ba ll oo n → ba lx lo on
 After inserting bogus letters, if the number of characters is odd, one extra bogus
character is added at the end to make the number of characters even.
 PT = msit academy
 Digrams → ms it ac ad em yx
 2. Encrypt the plaintext → Three cipher rules:
1. If the two letters in a pair are located in the same row of the secret key, the
corresponding encrypted character for each character is the next letter to
the right in the same row (wrap to the beginning of the row).
2. If the two letters in a pair are located in the same column of the secret key,
the corresponding encrypted character for each character is the letter
beneath in the same column (wrap to the beginning of the column).
3. If the two letters in a pair are not in the same row or column of the secret key,
the corresponding encrypted character for each letter is a letter that is in its
own row but in the same column as the other letter. (Form a rectangle.)
Example:
 Let us encrypt the plaintext “Hello”.
 Using the key,

 Step 1: group the characters in two-character pairs:
 He ll o → He lx lo
 We have,
He → EC, lx → QZ, lo → BX
Plaintext → Hello, Ciphertext → ECQZBX
 Example 2: Use the Playfair cipher to encipher the message “The key is hidden
under the door pad” using the secret key “GUIDANCE”.
The key is hidden under the door pad
secret Key:

G U I/J D A
N C E B F
H K L M O
P Q R S T
V W X Y Z
PT: Th ek ey is hi dx de nu nd er th ed ox or pa dx
CT: PO CL BX DR LG IY/JY IB/JB CG BG LX PO BI/BJ LZ LT TG IY/JY
Ciphertext: POCLBXDRLGIYIBCGBGLXPOBILZLTTGIY
 Example 3: Use the Playfair cipher to encipher the message “COMSEC means
communications security” using the secret key “GALOIS” (the name of the
mathematician).
COMSEC means communications security

G A L O I/J
S B C D E
F H K M N
P Q R T U
V W X Y Z
Plaintext: co ms ec me an sc om mu ni ca ti on sx se cu ri ty
Ciphertext: DLFDSDNDIHBDDTNTUEBLUOIMCVBSERULYO
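The key-square construction, digraph preparation and three cipher rules above, as an added Python example (not part of the original slides; the function names are this example's own). Decryption is not described on the page; here it is the same three rules with the row and column steps reversed. The keywords and messages in the demo are the page's.

```python
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters: J is folded into I

def normalise(text):
    """Uppercase, keep letters only, and treat J as I."""
    return [("I" if c == "J" else c) for c in text.upper() if "A" <= c <= "Z"]

def key_square(keyword):
    """Unique keyword letters in order of appearance, then the rest of the alphabet."""
    cells = []
    for ch in normalise(keyword) + list(ALPHABET):
        if ch not in cells:
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]

def digraphs(plaintext, bogus="X"):
    """Split into pairs, separating doubled letters and padding an odd tail."""
    letters, pairs, i = normalise(plaintext), [], 0
    while i < len(letters):
        first = letters[i]
        second = letters[i + 1] if i + 1 < len(letters) else None
        if second is None or second == first:
            # Edge case: a pair may never hold the same letter twice, so when
            # the letter to pad is the bogus letter itself, pad with Q instead.
            pairs.append(first + (bogus if first != bogus else "Q"))
            i += 1
        else:
            pairs.append(first + second)
            i += 2
    return pairs

def transform(pairs, square, step):
    """Apply the three rules; step=+1 encrypts, step=-1 decrypts."""
    pos = {square[r][c]: (r, c) for r in range(5) for c in range(5)}
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:      # rule 1: same row, move along the row with wrap-around
            out.append(square[ra][(ca + step) % 5] + square[rb][(cb + step) % 5])
        elif ca == cb:    # rule 2: same column, move along the column with wrap-around
            out.append(square[(ra + step) % 5][ca] + square[(rb + step) % 5][cb])
        else:             # rule 3: rectangle, keep own row and take the other's column
            out.append(square[ra][cb] + square[rb][ca])
    return "".join(out)

def playfair_encrypt(plaintext, keyword):
    return transform(digraphs(plaintext), key_square(keyword), +1)

def playfair_decrypt(ciphertext, keyword):
    letters = normalise(ciphertext)  # ciphertext length is always even
    pairs = [letters[i] + letters[i + 1] for i in range(0, len(letters), 2)]
    return transform(pairs, key_square(keyword), -1)

if __name__ == "__main__":
    for row in key_square("GUIDANCE"):
        print(" ".join(row))
    print(playfair_encrypt("The key is hidden under the door pad", "GUIDANCE"))
    print(playfair_encrypt("COMSEC means communications security", "GALOIS"))
```

Decryption returns the prepared digraph text, so the bogus letters stay in the output and the receiver removes them by reading.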
Cryptanalysis of a Playfair Cipher:
 Brute-force attack on a Playfair cipher is very difficult.
 A cryptanalyst can use a ciphertext-only attack based on the digram
frequency test to find the key.
Vigenere Cipher:
 The Vigenere cipher uses a different strategy to create the key stream.
 The key stream is a repetition of an initial secret key stream of length m, where
1 ≤ m ≤ 26.
 Suppose Alice and Bob agree on k = (k1, k2, k3, …, km).
 Where,
P = P1, P2, P3, …
C = C1, C2, C3, …
K = [(k1, k2, k3, …, km), (k1, k2, k3, …, km), …]
Encryption: Ci = Pi + ki
Decryption: Pi = Ci − ki
 The Vigenere cipher can be seen as a combination of m additive ciphers.
 We can say that the additive cipher is a special case of the Vigenere cipher in which m = 1.
Cryptanalysis of Vigenere Ciphers:
 Eve can use some techniques to decipher the intercepted ciphertext. The
cryptanalysis consists of:
 Finding the length of the key
 Finding the key itself.
 There are several methods to find the length of the key; one of them is the Kasiski test.
 Kasiski Test:
 The cryptanalyst searches for repeated text segments, of at least three
characters, in the ciphertext.
 Suppose that two of these segments are found and the distance between
them is d.
 The cryptanalyst assumes that m divides d, where m is the key length.
 If more repeated segments can be found with distances d1, d2, d3, …, dn,
then m divides gcd(d1, d2, d3, …, dn).
 Example: Let us assume that the intercepted text is as follows:

Searching for the repeated text segments:

The Kasiski test for repetition of three-character segments yields the results
shown in Table

GCD = 4
 Key value = CODE.
 JULIUSCAESARUSEDACRYPTOSYSTEMINHISWARWHICHISNOWREFERREDTOASCAESAR
CIPHERITISANADDITIVECIPHERWITHTHEKEYSETTOTHREEEACHCHARACTERINTHEPLAINTE
XTISSHIFTEDTHREECHARACTERSTOCREATETHECIPHERTEXT.

 Julius Caesar used a cryptosystem in his wars, which is now referred to as Caesar
cipher. It is an additive cipher with the key set to three. Each character in the
plaintext is shifted three character to create the ciphertext.
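The two steps of the Kasiski test (find repeated segments, take the gcd of their distances) as an added Python example, not part of the original slides. Because the intercepted text and the table did not survive on this page, it runs on a short constructed plaintext enciphered with the page's key CODE; the function names are this example's own.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

def vigenere(text, key, decrypt=False):
    """Ci = Pi + ki (mod 26) with the key repeated; decrypt=True subtracts instead."""
    shifts = [ord(k) - ord("A") for k in key.upper()]
    sign = -1 if decrypt else 1
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    return "".join(
        chr((ord(c) - ord("A") + sign * shifts[i % len(shifts)]) % 26 + ord("A"))
        for i, c in enumerate(letters)
    )

def repeated_segments(ciphertext, length=3):
    """Map each segment that occurs more than once to the positions where it starts."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return {seg: pos for seg, pos in positions.items() if len(pos) > 1}

def kasiski(ciphertext, length=3):
    """Return (distances, gcd of the distances); the key length m divides the gcd.
    Accidental repeats can pull the gcd down, so on longer texts the analyst
    sets aside outlying distances before taking the gcd."""
    distances = []
    for pos in repeated_segments(ciphertext, length).values():
        distances += [b - a for a, b in zip(pos, pos[1:])]
    return distances, reduce(gcd, distances, 0)

def split_into_additive(ciphertext, m):
    """Once m is known, column j of the ciphertext is an additive cipher under k_j,
    which is what makes the second step (finding the key itself) possible."""
    return [ciphertext[j::m] for j in range(m)]

# Constructed sample: "the" sits at plaintext positions 0, 8 and 20, all of which
# are multiples of the key length 4, so it enciphers to the same three letters.
PLAINTEXT = "thequicktheblackcatsthedog"
KEY = "CODE"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    print(CIPHERTEXT)
    print(repeated_segments(CIPHERTEXT))
    distances, g = kasiski(CIPHERTEXT)
    print("distances", distances, "gcd", g)
    print(split_into_additive(CIPHERTEXT, g))
```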
 Hill Cipher:
 The Hill Cipher was invented by Lester S. Hill in 1929
 It acts on groups of letters.
 It is a polygraphic substitution cipher, as it can work on digraphs, trigraphs (3
letter blocks) or theoretically any sized blocks.
 The key is a square matrix of size m × m, in which m is the size of the block (a 2 × 2
matrix for digraphs, a 3 × 3 matrix for trigraphs).
Encryption
 Turn the plaintext into digraphs (or trigraphs) and each of these into a column
vector.
 To encrypt a message, each block of m letters is multiplied by the m × m matrix,
modulo 26.
 C = K*P mod 26

Decryption
 To decrypt the message, each block is multiplied by the inverse of the matrix
 Example:
 Let us see an example:
 We have been given the phrase “code is ready” and a 4 X 4 key matrix. We can
append some bogus characters (“z”) to the plain text making the plain
text “codeisreadyz” and making it into a 3 X 4 plain text matrix.
 Plain Text Matrix =

 Key Matrix =
 Now, performing the encryption:
 C = PK

 Thus,

 The cipher text obtained from the ciphertext matrix is: “OHKNIHGKLISS”
 Example: (Assignment)
 Encrypt the plaintext message "short example" using the keyword hill with a 2 x 2
matrix.
 The first step is to turn the keyword hill into a matrix.
 hill → 7 8 11 11
One-Time pad:
 One of the goals of cryptography is perfect secrecy.
 A study by Shannon has shown that perfect secrecy can be achieved if each
plaintext symbol is encrypted with a key randomly chosen from a key domain.
 This idea is used in a cipher called one-time pad, invented by Vernam.
 Each key character is chosen randomly from the key domain (00, 01, 02, …, 25);
i.e., the first character is encrypted using the key 4, the second using 02, the third
using 21, and so on.
 Here, a ciphertext-only attack is impossible. Other types of attack are also
impossible if the sender changes the key each time.
 Key has same length as the plaintext.
Rotor cipher:
 It uses the idea behind monoalphabetic substitution but changes the mapping
between the plaintext and the ciphertext character for each plaintext
character.

Figure: A rotor cipher


 The rotor in figure uses only 6 letters, but actual rotors use 26 letters.
 The initial setting (position) of the rotor is the secret key between sender and
receiver.
 First character is encrypted using initial position. Second character after first
rotation. Third character after second rotation and so on.
 Example: bee → BCA
Enigma Machine:
 The machine was based on the principle of rotor ciphers.
 Main components of Enigma machine
1. Keyboard = 26 keys
2. Lampboard = 26 lamps
3. Plugboard = 26 plugs
4. Three rotors
5. Reflector
 To use the Enigma machine, a code book is published that gives several settings
for each day:
a. The 3 rotors to be chosen, out of 5 available
b. The order in which the rotors are to be installed
c. The setting for the plugboard
d. A three-letter code for the day
 Procedure for encrypting a message
1. Set the starting position of the rotors to the code of the day. For example, the code was
“HUA”.
2. Choose a random three-letter code, such as ACF.
Encrypt ACFACF (the repeated code) using the setting from step 1.
The encrypted code is OPNABT.
3. Set the starting position to OPN (half of the encrypted code).
4. Append the encrypted six letters to the beginning of the message → OPNABT
5. Encrypt the message including the six-letter code: OPNABTGFHBVC F.
Send the encrypted message.
 Procedure for Decrypting message
1. Receive the message and separate the first six letters
2. Set the starting position of the rotor to the code of the day
3. Decrypt the first six letter using initial setting in step2
4. Set the position of the rotor to the first half of the decrypted code
5. Decrypt the message (without the first six letter)
Transposition ciphers

 Transposition cipher does not substitute one symbol for another, instead it
changes the location of the symbols.
 A transposition cipher reorders (transposes) the symbols.
 Different transposition ciphers:
1. Keyless Transposition Ciphers
2. Keyed Transposition Ciphers
3. Combining Two Approaches
Keyless transposition ciphers
 Simple transposition ciphers, which were used in the past, are keyless.
 There are two methods for permuting characters:
1. Text is written into a table column by column and transmitted row by row.
2. Text is written into a table row by row and transmitted column by column.
 Example: Rail fence cipher
 The plaintext is arranged in two lines as a zigzag pattern (column by column) and the
ciphertext is created by reading the pattern row by row.
 Plaintext → “Meet me at the park”

 Ciphertext → MEMATEAKETETHPR
 Example:
Alice and Bob can agree on the number of columns. Alice writes the plaintext, row
by row, in a table of four columns.
Plaintext → “Meet me at the park”

Ciphertext → “MMTAEEHREAEKTTP”.
 Bob receives the ciphertext and follows the reverse process. He writes column by
column and reads row by row.
 The following shows the permutation of each character in the plaintext into the ciphertext
based on the positions.

 The second character in the plaintext has moved to the fifth position in the
ciphertext; the third character has moved to the ninth position; and so on.
 Although the characters are permuted, there is a pattern in the permutation:
(01, 05, 09, 13), (02, 06, 10, 13), (03, 07, 11, 15), and (08, 12).
 In each section, the difference between the two adjacent numbers is 4.
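The two keyless methods above as an added Python example (not from the original slides; the function names are this example's own). It includes Bob's reverse process when the last row of the table is incomplete, as it is for the 15-letter message used on the page, and a helper that lists where each plaintext position lands in the ciphertext.

```python
def letters_of(text):
    """Uppercase letters only; spaces and punctuation are dropped."""
    return [c for c in text.upper() if "A" <= c <= "Z"]

def rail_fence_encrypt(plaintext):
    """Two-line zigzag: odd-numbered letters form row 1, even-numbered letters row 2."""
    letters = letters_of(plaintext)
    return "".join(letters[0::2] + letters[1::2])

def rail_fence_decrypt(ciphertext):
    top = (len(ciphertext) + 1) // 2          # row 1 holds the extra letter if odd
    upper, lower = ciphertext[:top], ciphertext[top:]
    out = []
    for i in range(top):
        out.append(upper[i])
        if i < len(lower):
            out.append(lower[i])
    return "".join(out)

def column_heights(length, columns):
    """With an incomplete last row, only the first (length mod columns) columns
    have the extra letter. The receiver must account for this before refilling."""
    full_rows, extra = divmod(length, columns)
    return [full_rows + (1 if c < extra else 0) for c in range(columns)]

def columnar_encrypt(plaintext, columns):
    """Write row by row into `columns` columns, transmit column by column."""
    letters = letters_of(plaintext)
    return "".join("".join(letters[c::columns]) for c in range(columns))

def columnar_decrypt(ciphertext, columns):
    """Bob's reverse process: write column by column, read row by row."""
    heights = column_heights(len(ciphertext), columns)
    cols, start = [], 0
    for h in heights:
        cols.append(ciphertext[start:start + h])
        start += h
    return "".join(col[r] for r in range(max(heights)) for col in cols if r < len(col))

def position_map(length, columns):
    """1-based ciphertext position of each plaintext position, in plaintext order."""
    heights = column_heights(length, columns)
    starts = [sum(heights[:c]) for c in range(columns)]
    return [starts[i % columns] + i // columns + 1 for i in range(length)]

if __name__ == "__main__":
    message = "Meet me at the park"
    print(rail_fence_encrypt(message))
    print(columnar_encrypt(message, 4))
    print(columnar_decrypt(columnar_encrypt(message, 4), 4))
    print(position_map(15, 4))
```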
 Keyed transposition ciphers:
 Divide the plaintext into groups of predetermined size, called blocks, and then
use a key to permute the characters in each block separately.
 Example: Alice needs to send the message “Enemy attacks tonight” to Bob. Alice
and Bob agree on a block size of 5.

 The key used for encryption and decryption is a permutation key, which shows
how the characters are permuted.
 Combining Two approaches:
 Cryptanalysis of transposition ciphers:
 Transposition ciphers are vulnerable to several kinds of ciphertext only
attacks.
 Statistical Attack: A transposition cipher does not change the
frequency of letters in the ciphertext, it only reorders the letters.
 Brute-force attack: Eve can try all possible keys to decrypt the
message.
 Pattern attack: The ciphertext created from a keyed transposition
cipher has some repeated patterns.

 Double Transposition Ciphers:
 This makes the job of cryptanalysts difficult.
 Such a cipher repeats twice the algorithm used for
encryption and decryption.
Stream and Block Ciphers
 The literature divides the symmetric ciphers into two broad categories:
 Stream ciphers
 Block ciphers

 Stream ciphers:
 In a stream cipher, encryption and decryption are done typically on one symbol
at a time.
 Stream ciphers - Call the plaintext stream P, the ciphertext stream C,and the key stream K.
Figure: Stream cipher
 Block cipher:
 In a block cipher, a group of plaintext symbols of size m (m >1) are encrypted together creating a
group of ciphertext of the same size.
 A single key is used to encrypt the whole block even if the key is made of multiple values.

Figure: Block cipher


STREAM CIPHER | BLOCK CIPHER
Key and algorithm applied on each binary digit. | Key and algorithm applied on block of data.
Less time consuming compared to block cipher. | More time consuming compared to stream cipher.
Only one bit is encrypted at a time, hence it is faster. | Block of data is encrypted at a time, hence it is slower.
Example: One Time Pad, Additive cipher, Vigenere cipher. | Example: Playfair cipher, Hill cipher
Data Encryption Standard
Unit 2 - Chapter 2
Introduction

 The Data Encryption Standard (DES) is a symmetric-key block
cipher published by the National Institute of Standards and
Technology (NIST).
 In 1973, NIST published a request for proposals for a national
symmetric-key cryptosystem.
 A proposal from IBM, a modification of a project called
Lucifer, was accepted as DES.
 DES was published in the Federal Register in March 1975 as a
draft of the Federal Information Processing Standard (FIPS).
 After the publication, the draft was criticized severely for
two reasons:
1. Critics questioned the small key length (only 56 bits), which
would make the cipher vulnerable to brute-force attack.
2. Critics were concerned about some hidden design behind
the internal structure of DES. They were suspicious that some
part of the structure (the S-boxes) may have some hidden
trapdoor that would allow the National Security Agency (NSA)
to decrypt the messages without the need for the key.
Overview:
 DES is a block cipher.
 At the encryption site, DES takes a 64-bit plaintext and creates a 64-bit
ciphertext.
 At the decryption site, DES takes a 64-bit ciphertext and creates a 64-bit
block of plaintext.

Figure: Encryption and Decryption with DES


DES Structure

 The encryption process is made of two permutations (P-boxes), the initial
permutation and the final permutation, and sixteen Feistel rounds.
 Each round uses a different 48-bit round key generated from the cipher key
according to a predefined algorithm.

Figure: General structure of DES
Initial and Final permutations

 Each of these permutations takes a 64-bit input and permutes it according to a
predefined rule.
 We have shown only a few input ports and the
corresponding output ports.
 In the initial permutation, the 58th bit in the input becomes
the first bit in the output.

Figure: Initial and Final permutation steps in DES

 These permutations are keyless straight permutations that are the inverses of
each other.
 Each side of the table can be thought of as a 64-element array.
 The initial permutation (IP) happens only once and it happens before the first
round.
 IP is a transposition; both permutations are keyless and predetermined.
 The initial permutation replaces the first bit of the original plaintext block with the
58th bit of the original plaintext, the second bit with the 50th bit of the original
plaintext block, and so on.
Rounds:
 DES uses 16 rounds.
 Each round is a Feistel cipher that uses the DES function f.

Figure: A round in DES(encryption site)


 The round takes LI-1 and RI-1 from the previous round (or the initial permutation
box) and creates LI and RI, which go to the next round (or the final permutation
box).
 Each round has two cipher elements (mixer and swapper). Each of these
elements is invertible.
 The swapper is obviously invertible, it swaps the left half of the text with the right
half.
 The mixer is invertible because of the XOR operation.
 All non-invertible elements are collected inside the function f(RI-1, KI ).
DES Function:
 The heart of DES is the DES function.
 The DES function applies a 48-bit key to the rightmost 32 bits (RI-1) to produce a
32-bit output.
 This function is made up of four sections:
 An expansion P-box,
 A whitener (that adds the key),
 A group of S-boxes, and
 A straight P-box
Expansion P-box:
 Since RI-1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI-1 to 48
bits.
 RI-1 is divided into eight 4-bit sections.
 Each 4-bit section is then expanded to 6 bits. This expansion permutation follows
a predetermined rule.

Figure: Expansion permutation

 Although the relationship between the input and output can be defined
mathematically, DES uses a table to define this D-box.

Figure: Expansion P-box table


Whitener(XOR):
 After the expansion permutation, DES uses the XOR operation on the expanded
right section and the round key.
 Note that both the right section and the key are 48-bits in length.
S-boxes:
 The S-boxes do the real mixing (confusion).
 DES uses 8 S-boxes, each with a 6-bit input and 4-bit output.

Figure: S-boxes
 The substitution in each box follows a predetermined rule based on a 4-row by
16-column table.
 The combination of bits 1 and 6 of the input defines one of four rows.
 The combination of bits 2 through 5 defines one of the sixteen columns.

Figure: S-box rule

 Each S-box has its own table; we need 8 tables to define the output of these
boxes.
 The values of the inputs (row number and column number) and the values of the
outputs are given as decimal numbers to save space. These need to be
changed to binary.
Example: The input to S-box 1 is 100011. What is the output?
Solution:
If we write the first and the sixth bits together, we get 11 in binary, which is 3
in decimal.
The remaining bits are 0001 in binary, which is 1 in decimal.
We look for the value in row 3, column 1 → result = 12 in decimal, which is
1100 in binary.
 Example: The input to S-box 8 is 000000. What is the output?
 Solution: 13 → 1101
Final permutation:
 The last operation in the DES is the final permutation with a 32-bit input and a
32-bit output.
 The input/output relationship for this is shown in the table:

 For example: the seventh bit of the input becomes the second bit of the output.
Cipher and Reverse Cipher:
 Using mixers and swappers, we can create the cipher and
reverse cipher, each having 16 rounds.
 The cipher is used at the encryption site; the reverse cipher is
used at the decryption site.
 The whole idea is to make the cipher and the reverse cipher
algorithms similar.
 First approach:
 To achieve this, one approach is to make the last round (round 16) different
from the others.
 It has only a mixer and no swapper.
 Although the rounds are not aligned, the elements (mixer or swapper) are
aligned.
 The mixer is a self-inverse; so is a swapper. The final and initial permutations
are also inverses of each other.
 The left section of the plaintext at the encryption site, L0, is enciphered as L16
at the encryption site; L16 at the decryption site is deciphered as L0 at the
decryption site.
 The situation is the same with R0 and R16. A very important point we need to
remember about the ciphers is that the round keys (K1 to K16) should be
applied in the reverse order.
 At the encryption site, round 1 uses K1 and round 16 uses K16; at the
decryption site, round 1 uses K16 and round 16 uses K1.
 Pseudocode for DES cipher:
 Alternate approach:
 In the first approach, round 16 is different from other rounds;
there is no swapper in this round. This is needed to make the
last mixer in the cipher and the first mixer in the reverse
cipher aligned.
 We can make all 16 rounds the same by including a
swapper in the 16th round and adding an extra swapper after
that (two swappers cancel the effect of each other). We
leave the design for this approach as an exercise.
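The two layouts described above, written out as an added example (not code from the original slides): the first approach with a mixer-only round 16, and the alternate approach with sixteen identical rounds followed by an extra swapper. The round function `f`, the round keys and the plaintext block are assumptions constructed for the demonstration, and the initial and final permutations are left out because they do not change the round structure.

```python
import hashlib

def f(right, key):
    """Toy stand-in for the DES function (an assumption, not the real f).
    Any 32-bit function of (R, K) works: the mixer never has to invert it."""
    data = right.to_bytes(4, "big") + key.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def mixer(left, right, key):
    # L <- L xor f(R, K), R unchanged; applying it twice restores L.
    return left ^ f(right, key), right

def swapper(left, right):
    return right, left

def cipher_first(block, round_keys):
    """First approach: every round is mixer + swapper except the last (mixer only)."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for number, key in enumerate(round_keys, start=1):
        left, right = mixer(left, right, key)
        if number != len(round_keys):
            left, right = swapper(left, right)
    return (left << 32) | right

def cipher_alternate(block, round_keys):
    """Alternate approach: all rounds identical, then one extra swapper."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for key in round_keys:
        left, right = swapper(*mixer(left, right, key))
    left, right = swapper(left, right)
    return (left << 32) | right

def reverse_cipher(block, round_keys, cipher=cipher_first):
    # Same algorithm as the cipher; only the key order changes (K16 first, K1 last).
    return cipher(block, list(reversed(round_keys)))

# Constructed sample data: sixteen arbitrary 48-bit round keys and one 64-bit block.
ROUND_KEYS = [(0x0123456789AB * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    c = cipher_first(PLAINTEXT, ROUND_KEYS)
    print(f"ciphertext               {c:016X}")
    print(f"reverse cipher           {reverse_cipher(c, ROUND_KEYS):016X}")
    print(f"keys not reversed        {cipher_first(c, ROUND_KEYS):016X}")
    print("both approaches agree:  ", c == cipher_alternate(PLAINTEXT, ROUND_KEYS))
```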
 Key generation:
 The round-key generator creates sixteen 48-bit keys out of a 56-bit
cipher key.
 However, the cipher key is normally given as a 64-bit key in which 8
extra bits are the parity bits, which are dropped before the actual
key-generation process.
Figure: Key generation
 Parity drop:
 The preprocess before key expansion is a compression transposition step that is
called parity-bit drop.
 It drops the parity bits (bits 8, 16, 24, 32, ..., 64) from the 64-bit key and permutes
the rest of the bits.
 The remaining 56-bit value is the actual cipher key which is used to generate
round keys.

Parity-bit drop table


 In the context of the Data Encryption Standard (DES), "parity drop" refers to a
step in the key schedule algorithm used to generate the subkeys for each round
of encryption and decryption. DES is a symmetric-key block cipher that
operates on 64-bit blocks of data and uses a 56-bit key.

 During the key schedule algorithm in DES, the initial 56-bit key undergoes a
series of transformations to generate 16 48-bit subkeys, one for each round of
encryption and decryption. The parity drop is a step in this process where the
least significant bit (LSB) of each byte in the 56-bit key is dropped, resulting in a
64-bit key after the parity bits are removed.
 Shift left:
 After the straight permutation, the key is divided into two 28-bit parts.
 Each part is shifted left (circular shift) one or two bits.
 In rounds 1, 2, 9 and 16, shifting is one bit; in the other rounds, it is two bits.
 The two parts are then combined to form a 56-bit part.

Number of bit shifts.


 Compression P-Box:
 The compression D-Box changes 56 bits to 48 bits, which are used as a key for a
round.
 Algorithm: a simple algorithm to create round keys from the key with parity bits.
DES Analysis
 Critics have used a strong magnifier to analyze DES.
 Tests have been done to measure the strength of some desired properties in a
block cipher.
1. Properties :
Avalanche Effect : A small change in the plaintext (or key) should create a
significant change in the ciphertext.
Completeness: Completeness effect means that each bit of the ciphertext
needs to depend on many bits of the plaintext.
 Example : To check avalanche effect in DES.
 Design Criteria:
 Many tests on DES have proved that it satisfied some of the required criteria as
claimed.
 S – Boxes:
 The entries of each row are permutations of values between 0 and 15.
 S-boxes are nonlinear.
 If we change a single bit in the input, two or more bits will be changed in the
output.
 If two inputs to an S-box differ only in the two middle bits (bits 3 and 4), the output
must differ in at least two bits.
 If two inputs to an S-box differ in the first two bits (bits 1 and 2) and are the
same in the last two bits (bits 5 and 6), the two outputs must be different.
 A criterion similar to #6 is applied to three S-boxes.
 In any S-box, if a single input bit is held constant (0 or 1) and the other
bits are changed randomly, the differences between the numbers of 0s
and 1s are minimized.
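An added example (not from the original slides) that implements the S-box rule from the worked examples earlier (bits 1 and 6 select the row, bits 2 through 5 the column) and checks five of the design criteria listed above by exhaustive search over all 64 inputs. The S1 and S8 tables are the standard DES tables; the function names are assumptions.

```python
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
S8 = [[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
      [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
      [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
      [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]]

def sbox(table, x):
    """Map a 6-bit input (bit 1 is the leftmost bit) to the 4-bit output."""
    row = ((x >> 5) << 1) | (x & 1)   # bits 1 and 6 pick one of four rows
    col = (x >> 1) & 0xF              # bits 2 through 5 pick one of 16 columns
    return table[row][col]

def changed_bits(table, x, delta):
    """Number of output bits that change when input x is XORed with delta."""
    return bin(sbox(table, x) ^ sbox(table, x ^ delta)).count("1")

def check_criteria(table):
    inputs = range(64)
    zero = sbox(table, 0)
    return {
        "each row is a permutation of 0..15":
            all(sorted(row) == list(range(16)) for row in table),
        "nonlinear: S(a^b) != S(a)^S(b)^S(0) for some a, b":
            any(sbox(table, a ^ b) != sbox(table, a) ^ sbox(table, b) ^ zero
                for a in inputs for b in inputs),
        "one input bit changed: two or more output bits change":
            all(changed_bits(table, x, 1 << i) >= 2 for x in inputs for i in range(6)),
        "only bits 3 and 4 changed: at least two output bits change":
            all(changed_bits(table, x, 0b001100) >= 2 for x in inputs),
        "bits 1 and 2 differ, bits 5 and 6 equal: outputs differ":
            all(changed_bits(table, x, 0b110000 | (mid << 2)) >= 1
                for x in inputs for mid in range(4)),
    }

if __name__ == "__main__":
    print(format(sbox(S1, 0b100011), "04b"))   # worked example for S-box 1
    print(format(sbox(S8, 0b000000), "04b"))   # worked example for S-box 8
    for name, table in (("S1", S1), ("S8", S8)):
        for criterion, holds in check_criteria(table).items():
            print(name, "|", criterion, "|", holds)
```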

 P-boxes:
The following design criteria were implemented in the design of P-
boxes to achieve this goal.
Each S-box input comes from the output of a different S-box
No input to a given S-box comes from the output from the same box.
The four outputs from each S-box go to six different S-boxes.
No two output bits from an S-box go to the same S-box
 If we number the eight S-boxes S_1, S_2, ..., S_8:
 An output of S_{j-2} goes to one of the first two bits of S_j.
 An output bit from S_{j-1} goes to one of the last two bits of S_j.
 An output of S_{j+1} goes to one of the two middle bits of S_j.
 For each S-box, two of the output bits go to the first or last two bits of an S-box. The
other two output bits go to the middle bits of an S-box.
 If an output bit from S_j goes to one of the middle bits in S_k (in the next round), then an
output bit from S_k cannot go to the middle bit of S_j. If we let j = k, this implies that
none of the middle bits of an S-box can go to one of the middle bits of the same S-box
in the next round.
 Number of rounds:
 DES uses sixteen rounds of Feistel ciphers.
 It has been proved that after eight rounds, each ciphertext is a
function of every plaintext bit and every key bit; the ciphertext is
thoroughly a random function of plaintext and ciphertext.
 Therefore, it looks like 8 rounds should be enough.
 However, experiments have found that DES versions with fewer than 16
rounds are even more vulnerable to known-plaintext attacks than to brute-force
attack, which justifies the use of 16 rounds by the designers of DES.
 DES Weaknesses
 S-Boxes
• In S-box 4, the last three output bits can be derived in the same
way as the first output bit by complementing some of the input
bits.
• Two specifically chosen inputs to an S-box array can create the
same output.
• It is possible to obtain the same output in a single round by
changing bits in only three neighboring S-boxes.
 D-boxes
• It is not clear why designers of DES used the initial and final
permutations; these have no security benefits.
• In the expansion permutation (inside the function), the first and fourth
bits of every 4-bit series are repeated.
 Weakness in the Cipher key:
 Brute-force attack: the adversary will check 2^56 keys
• One computer with one processor → more than a thousand years
• Computer with parallel processing → 20 hours
• Computer network with parallel processing → 120 days (key
challenged by RSA Laboratories)

Solution:
 Use triple DES (3DES) with two keys (112 bits).
 Triple DES with three keys (168 bits).
 Weakness in cipher key-Weak keys
 Four out of 2^56 keys are called weak keys.
 Round keys created from weak keys will have the same pattern as the cipher key.
 What is the disadvantage of using a weak key?
 Let us try the first weak key in Table 6.18 to encrypt a block two times.
 After two encryptions with the same key the original plaintext block is created.
Note that we have used the encryption algorithm two times, not one encryption
followed by another decryption.
 Semi-weak Keys:
 There are six key pairs called semi-weak keys.
 A semi-weak key creates two different round keys, and each of them is
repeated eight times.
 The round keys created from each pair are the same, in a different order.
 Weakness in cipher key – Possible weak keys
 48 keys are possible weak keys.
 A possible weak key is a key that creates four distinct round keys.
 16 round keys = 4 groups → each group has 4 equal round keys

 Weakness in cipher key – Key clustering


 Two or more different keys can create the same ciphertext from the same plaintext.
Security of DES

 DES, as the first important block cipher, has gone through much scrutiny.
 Among the attempted attacks, three are of interest
 Brute Force attack
 Differential cryptanalysis
 Linear cryptanalysis
 Brute Force attack
 We have discussed the weakness of the short cipher key in DES.
 Combining this weakness with the key complement weakness, it is clear that DES can be
broken using 2^55 encryptions.
 However, today most applications use either 3DES with two keys (key size of 112) or 3DES with
three keys (key size of 168).
 These two multiple-DES versions make DES resistant to brute-force attack.

 Differential cryptanalysis
 It has been revealed that the designers of DES already knew about this type of attack and
designed S-boxes and chose 16 as the number of rounds to make DES specifically resistant to this
type of attack.
 Linear cryptanalysis
 Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to linear
cryptanalysis than to differential cryptanalysis, probably because this type of attack was not
known to the designers of DES. S-boxes are not very resistant to linear cryptanalysis. It has been
shown that DES can be broken using 2^43 pairs of known plaintexts. However, from the practical
point of view, finding so many pairs is very unlikely.