MODULE - II

Symmetric Key Cryptography

1. BLOCK CIPHER PRINCIPLES

Block Cipher: An encryption algorithm that takes a fixed-length block of plaintext (e.g., 64
or 128 bits) and a secret key to produce a ciphertext block of the same length.
Core Idea: Provide confusion and diffusion.
Confusion: Makes the relationship between the key and ciphertext as complex as possible.
Achieved by substitution.
Diffusion: Dissipates the statistical structure of the plaintext over the bulk of the ciphertext.
Achieved by permutation/transposition.

2. DATA ENCRYPTION STANDARD (DES)

2.1 Principles & Structure

Block Size: 64 bits.
Key Size: 56 bits (+8 parity bits for error detection, making the input key 64 bits).
Rounds: 16 identical rounds of processing (a Feistel Network).
Feistel Network Advantage: Encryption and decryption use the same algorithm, just with
a reversed key schedule.

Diagram: DES Encryption Overview

```
64-bit Plaintext
|
Initial Permutation (IP)
|
Split into L₀ (32-bit) and R₀ (32-bit)
|
+-----> 16 Rounds of Feistel Function (F) ---+
| |
| L₁ = R₀ |
 | R₁ = L₀ ⊕ F(R₀, K₁) |
| |
| ... (16 rounds) |
| |
+<----- (Final swap: L₁₆ ↔ R₁₆) <------------+
|
|
Combine L₁₆ & R₁₆
|
Final Permutation (IP⁻¹)
|
64-bit Ciphertext
```

Diagram: The F-Function (Heart of DES)

```
32-bit Input (Rᵢ₋₁)
|
Expansion Permutation (E) -> 48-bit output
|
XOR with 48-bit Round Key (Kᵢ)
|
Substitution via 8 S-boxes (6-bit input -> 4-bit output)
|
Permutation (P)
|
32-bit Output
```
S-Boxes: Non-linear lookup tables that are the core source of confusion in DES. They are the
most critical and secret part of the design.
2.2 Strength of DES
Key Size (56 bits): The primary weakness. A key space of 2⁵⁶ is vulnerable to brute-force
attacks with modern computing power (e.g., special-purpose machines like COPACOBANA
can break it in days).
S-Box Design: The design criteria for the S-boxes were kept secret, raising concerns about
potential "trapdoors." However, they were later found to be highly resistant to cryptanalysis.
Block Size (64 bits): Vulnerable to birthday attacks in certain modes of operation (like
CBC), making it susceptible to collisions when encrypting large amounts of data (~2³²
blocks).

2.3 Cryptanalysis of DES

Differential Cryptanalysis: A chosen-plaintext attack. It analyzes the difference (XOR)
between two plaintexts and how that difference affects the difference in the resulting
ciphertexts. This can be used to probabilistically deduce the key. DES's S-boxes were
specifically designed to be resistant to this attack.
Linear Cryptanalysis: A known-plaintext attack. It finds linear approximations between
plaintext, ciphertext, and key bits. By analyzing many pairs, it can guess key bits with high
probability. DES is more vulnerable to linear cryptanalysis than differential, but still requires
~2⁴³ known plaintexts, which is impractical.

3. BLOCK CIPHER DESIGN PRINCIPLES

General principles learned from analyzing DES and other ciphers:
1. Number of Rounds: More rounds increase security, but also increase computational cost.
The number should be chosen so that known attacks (like differential) are less efficient than
brute force.
2. Design of F Function: Should provide high "avalanche effect" (a small change in input
produces a large change in output).
3. S-Box Design Criteria:
Non-linearity: Must be highly non-linear to resist linear cryptanalysis.
Strict Avalanche Criterion: Changing one input bit should change each output bit with
a 50% probability.
Bit Independence Criterion: Output bits should change independently when any single
input bit is changed.
4. Key Schedule Algorithm: The process for generating round keys from the main key
should have high non-linearity and diffusion to prevent related-key attacks.
4. BLOCK CIPHER MODES OF OPERATION
Modes define how a block cipher is applied to encrypt data larger than a single block.

| Mode | Acronym | Description | Use Case | Diagram (Conceptual) |

| :--- | :--- | :--- | :--- | :--- |
| Electronic Codebook | ECB | Encrypts each block independently with the same key. |
Insecure for most uses. Encrypting a small, single block of data (e.g., a key). | `P1 -> Enc ->
C1`<br>`P2 -> Enc -> C2` |
| Cipher Block Chaining | CBC | Input to next block is XORed with previous ciphertext.
Needs an Initialization Vector (IV). | General-purpose encryption. Files, databases. | `IV --
>⊕`<br>`P1 -> Enc -> C1 -->⊕`<br>`P2 -> Enc -> C2` |
| Cipher Feedback | CFB | Turns a block cipher into a self-synchronizing stream cipher. |
Encrypting real-time data (e.g., keystrokes). | `IV -> Enc -> ... ->⊕-> P1 -> C1` |
| Output Feedback | OFB | Turns a block cipher into a synchronous stream cipher. | Error-
prone channels (e.g., satellite comms). | `IV -> Enc -> ... ->⊕-> P1 -> C1` |
| Counter | CTR | Encrypts a counter value for each block. Highly parallelizable. | High-speed
networks. Disk encryption. | `CTR -> Enc ->⊕-> P1 -> C1`<br>`CTR+1-> Enc ->⊕-> P2 ->
C2` |

Example: CBC Mode Encryption

`C_i = E_K(P_i ⊕ C_{i-1})`, where `C_0 = IV`.
Decryption:** `P_i = D_K(C_i) ⊕ C_{i-1}`.
Why an IV? Using the same key and `IV` for two messages leaks information. The IV must
be random and unpredictable. It does not need to be secret and is typically sent along with the
ciphertext.

5. ADVANCED ENCRYPTION STANDARD (AES) - RIJNDAEL

5.1 Evaluation Criteria & Selection Motivation: DES was becoming insecure due to its
small key size.
NIST Requirements: 128-bit block size, support for 128, 192, and 256-bit keys. Must be
resistant to known attacks.
Winner: Rijndael cipher, selected in 2001 after a public, transparent competition.

5.2 AES Structure (for 128-bit key)

Block Size: 128 bits (processed as a 4x4 matrix of bytes, called the State).
 Key Sizes: 128, 192, or 256 bits.
Rounds: 10 (for 128-bit key), 12 (192-bit), or 14 (256-bit).
Not a Feistel Cipher. Each round transforms the entire state.

Diagram: AES Encryption Round (High-Level)

```
Input State
|
SubBytes() <- Non-linear byte substitution (S-Box). Provides CONFUSION.
|
ShiftRows() <- Cyclic shifting of rows. Provides DIFFUSION.
|
MixColumns() <- Linear transformation on columns. Provides DIFFUSION.
|
AddRoundKey() <- XOR State with Round Key.
|
Output State (to next round)
```
The final round omits the `MixColumns` step.

5.3 Key Features of AES

Efficiency: Fast in both software and hardware.
Security: Resistant to differential and linear cryptanalysis. No practical cryptanalytic
attacks better than brute-force are known.
Simplicity: Design is simple and elegant, making it easy to analyze and implement.

6. STREAM CIPHERS & RC4

Stream Cipher: Encrypts plaintext one byte or bit at a time by combining it with a keystream
(pseudo-random stream of bits) using XOR.
Core Idea: `C_i = P_i ⊕ KS_i`. Decryption is identical: `P_i = C_i ⊕ KS_i`.
 Synchronous vs. Self-Synchronizing: Most are synchronous, meaning the keystream
depends only on the key. If a bit is lost, synchronization is lost.

6.1 RC4 (Rivest Cipher 4)

A widely used (but now considered insecure) software-based stream cipher.
Key: Variable length (typically 40-256 bits).
Algorithm: Based on using a key to initialize a permutation of all 256 possible bytes (S[0]
to S[255]). The keystream is generated by swapping bytes in this array and selecting an
output.

RC4 Key Scheduling Algorithm (KSA)

```python
# Input: Key K of length L bytes
for i from 0 to 255:
S[i] = i
j=0
for i from 0 to 255:
j = (j + S[i] + K[i mod L]) mod 256
swap(S[i], S[j])
```

RC4 Pseudo-Random Generation Algorithm (PRGA)

```python
# Generates one keystream byte at a time
i=0
j=0
while True:
i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap(S[i], S[j])
K = S[(S[i] + S[j]) mod 256]
 output K
```
Weaknesses: The initial output of the keystream is biased and reveals information about the
key. Vulnerable to several attacks. Discard the first 1024 bytes (or more) of the keystream
was a common mitigation, but it is now deprecated (e.g., prohibited in TLS 1.3).