Chapter 4

Chapter 4 discusses modern symmetric ciphers, focusing on block and stream ciphers, with key examples like DES and AES. It explains the principles of block ciphers, including the Feistel structure, confusion, and diffusion concepts introduced by Claude Shannon. The chapter also covers the security concerns of DES and the evolution to Triple-DES and other block cipher modes of operation.

Uploaded by

vivekmainali3

1 Chapter 4: Modern Symmetric Cipher
Kalpana Karki
2 Contents
• Binary Block Substitution
• Shannon's theory of diffusion and confusion
• Feistel Cipher
• Data Encryption Standard (DES)
• Modes of Block/Stream Cipher
• International data encryption algorithm (IDEA)
• Advanced Encryption Standard (AES)
3 Block Cipher & Stream Cipher
• A block cipher is an encryption method that applies a deterministic algorithm along with a symmetric key to encrypt a block of text, rather than encrypting one bit at a time as in stream ciphers.
• For example, common block ciphers:
  - AES encrypts 128-bit blocks with a key of predetermined length: 128, 192, or 256 bits.
  - DES encrypts 64-bit blocks with a key of predetermined length: 56 bits.
4 Block vs Stream Ciphers
• Block ciphers process messages in blocks, each of which is then en/decrypted
  - Like a substitution on very big characters
  - 64-bits or more
• Stream ciphers process messages a bit or byte at a time when en/decrypting
• Many current ciphers are block ciphers
  - Better analyzed
  - Broader range of applications
5 Block vs Stream Ciphers
6 Block vs Stream Ciphers
7 Block Cipher Principles
• most symmetric block ciphers are based on a Feistel Cipher Structure
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need table of 2^64 entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher
8 Block cipher principles
• Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher.
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need table of 2^64 entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.
9 Ideal Block Cipher
10 Claude Shannon and Substitution-Permutation Ciphers
• Claude Shannon introduced idea of substitution-permutation (S-P) networks in his 1945 classified report “A mathematical theory of cryptography”
• form basis of modern block ciphers
• S-P nets are based on the two primitive cryptographic operations seen before:
  - substitution (S-box)
  - permutation (P-box)
• provide confusion & diffusion of message & key
11 Claude Shannon and Substitution-Permutation Ciphers
Encryption method steps:
  P = message
  Diffuse
  Confuse
  Encrypted (P)
Decryption method steps:
  Encrypted (P)
  Confuse
  Diffuse
  Decrypted (P)
12 Confusion and Diffusion
• Diffusion (Permutation/Transposition):
  - Dissipates statistical structure of plaintext over bulk of cipher text.
  - A small change in the plain text makes a large change in the cipher text.
  - Refers to the property that the redundancy in the statistics of the plaintext is “dissipated” in the statistics of the cipher text.
• Confusion (Substitution):
  - Makes relationship between cipher text and key as complex as possible.
  - An intruder does not know the relation between plain text and cipher text.
  - Refers to making the correlation between the key and the cipher text as complex and intricate as possible.
15 Feistel Cipher Structure
• It is a practical implementation of Shannon's abstract idea
• Horst Feistel devised the Feistel cipher
  - based on concept of invertible product cipher
• partitions input block into two halves
  - process through multiple rounds which
  - perform a substitution on left data half
  - based on round function of right half & subkey
  - then have permutation swapping halves
• implements Shannon's S-P net concept
16
• F = Feistel function, which operates on half a block (32 bits) at a time and consists of four stages: Expansion, Key mixing, Substitution & Permutation.
17 Feistel Cipher Structure
Figure: Encryption and Decryption
18 Feistel Cipher Structure
Stallings Figure 3.3 illustrates the classical Feistel cipher structure, with data split in 2 halves, processed through a number of rounds which perform a substitution on left half using output of round function on right half & key, and a permutation which swaps halves, as listed previously. The LHS of this figure shows the flow during encryption, the RHS in decryption.
The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has as inputs Li–1 and Ri–1, derived from the previous round, as well as a subkey Ki, derived from the overall K. In general, the subkeys Ki are different from K and from each other.
The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: Use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order. That is, use Kn in the first round, Kn–1 in the second round, and so on until K1 is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption. See discussion in text for why using the same algorithm with a reversed key order produces the correct result, noting that at every round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped.
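The structure described in these notes, as an added example that is not part of the original slides: a 16-round Feistel network over 64-bit blocks whose round function is deliberately non-invertible, decrypted by running the same code with the subkeys reversed. The round function (truncated HMAC-SHA256), the subkey derivation and all names are assumptions chosen for illustration; this is not DES.

```python
import hashlib
import hmac

HALF = 4  # bytes per half: w = 32 bits, so the block is 2w = 64 bits (assumed)

def round_function(right: bytes, subkey: bytes) -> bytes:
    """Toy F: truncated HMAC-SHA256. It is NOT invertible, and need not be."""
    return hmac.new(subkey, right, hashlib.sha256).digest()[:HALF]

def derive_subkeys(key: bytes, rounds: int) -> list:
    """Hypothetical subkey generation: K_i = SHA-256(K || i) for i = 1..n."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, rounds + 1)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, subkeys: list, trace: list = None) -> bytes:
    """Run the rounds; only the subkey order decides encrypt vs decrypt."""
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, xor(left, round_function(right, k))
        if trace is not None:
            trace.append((left, right))
    return right + left  # final swap of the two halves

def encrypt(block, key, rounds=16, trace=None):
    return feistel(block, derive_subkeys(key, rounds), trace)

def decrypt(block, key, rounds=16, trace=None):
    return feistel(block, derive_subkeys(key, rounds)[::-1], trace)

def halves_mirror(block: bytes, key: bytes, rounds: int = 16) -> bool:
    """True if decryption round j equals encryption round n-j with halves swapped."""
    enc, dec = [], []
    ciphertext = encrypt(block, key, rounds, enc)
    decrypt(ciphertext, key, rounds, dec)
    enc = [(block[:HALF], block[HALF:])] + enc  # prepend (L_0, R_0)
    return all(dec[j - 1] == enc[rounds - j][::-1] for j in range(1, rounds + 1))

if __name__ == "__main__":
    key, plaintext = b"constructed demo key", b"8bytes!!"  # constructed sample values
    ciphertext = encrypt(plaintext, key)
    print(ciphertext.hex(), decrypt(ciphertext, key), halves_mirror(plaintext, key))
```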
19 Feistel Cipher Structure
20 Feistel cipher design elements
The exact realization of a Feistel network depends on the choice of the following parameters and design features:
• block size - increasing size improves security, but slows cipher
• key size - increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• number of rounds - increasing number improves security, but slows cipher
• subkey generation algorithm - greater complexity can make analysis harder, but slows cipher
• round function - greater complexity can make analysis harder, but slows cipher
• fast software en/decryption - more recent concern for practical use
• ease of analysis - for easier validation & testing of strength
21 Data Encryption Standard (DES)
• The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).
• In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem. A proposal from IBM, a modification of a project called Lucifer, was accepted as DES. DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).
• Block cipher
• Data is encrypted in 64-bit blocks using 56-bit keys.
• There has been considerable controversy over the design, particularly in the choice of a 56-bit key.
22 DES Overview
Figure: Encryption and decryption with DES
23 DES Structure
• The encryption process is made of two permutations (P-boxes), which we call initial and final permutations, and sixteen rounds of complex key dependent calculation.
25 DES - Basics
• Fundamentally DES performs only two operations on its input, bit shifting (permutation), and bit substitution.
• The key controls exactly how this process works.
• By doing these operations repeatedly and in a non-linear manner you end up with a result which cannot be used to retrieve the original without the key.
• By applying relatively simple operations repeatedly a system can achieve a state of near total randomness.
26 Each Iteration Use of a Different Sub-key
• DES works on 64 bits of data at a time.
• Each 64 bits of data is iterated on from 1 to 16 times (16 is the DES standard).
• For each iteration a 48 bit subset of the 56 bit key is fed into the encryption block
• Decryption is the inverse of the encryption process.
• 8 bits are used as parity bits, which are used for error detection in key generation.
27 DES Key Processing
• The key is usually stored as a 64-bit number, where every eighth bit is a parity bit.
• The parity bits are discarded during the algorithm, and the 56-bit key is used to create 16 different 48-bit subkeys - one for each round.
• Subkeys Generation
  - First, the key is loaded according to PC-1 (permuted choice 1) and then halved.
  - Then each half is rotated by 2 bits in every round except the first, second, 9th and last rounds.
  - The reason for this is that it makes it secure against related-key cryptanalysis.
  - Then 48 of the 56 bits are chosen according to a compression permutation.
28 The Key Schedule
• The subkeys used by the 16 rounds are formed by the key schedule which consists of:
  · An initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
  · 16 stages consisting of
    - selecting 24-bits from each half and permuting them by PC2 for use in function f,
    - rotating each half either 1 or 2 places depending on the key rotation schedule
29 Security of DES
• Strength of DES-Key size:
  - A 56-bit key length gives 2^56 key values
  - Brute force attack looks hard
• DES, as the first important block cipher, has gone through much scrutiny. Among the attempted attacks, three are of interest:
  1. Brute-Force Attack
  2. Differential Cryptanalysis
  3. Linear Cryptanalysis
30 Attack Methods
• Brute-Force Attack
  - the most basic method of attack is brute force: trying every possible key in turn.
  - Combining the weakness of short cipher key with the key complement weakness, it is clear that DES can be broken using 2^55 encryptions.
• Differential Cryptanalysis
  - In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output.
  - To break the full 16 rounds, differential cryptanalysis requires 2^47 chosen plaintexts.
  - It has been revealed that the designers of DES already knew about this type of attack and designed S-boxes and chose 16 as the number of rounds to make DES specifically resistant to this type of attack.
31 Attack Methods-II
• Linear cryptanalysis
  - Linear cryptanalysis is newer than differential cryptanalysis.
  - Linear cryptanalysis tries to take advantage of high probability occurrences of linear expressions involving plaintext bits, "ciphertext" bits, and subkey bits.
  - Linear cryptanalysis is a known plaintext attack and uses a linear approximation to describe the behavior of the block cipher. Given sufficient pairs of plaintext and corresponding ciphertext, bits of information about the key can be obtained and increased amounts of data will usually give a higher probability of success.
  - DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis. S-boxes are not very resistant to linear cryptanalysis.
  - It has been shown that DES can be broken using 2^43 pairs of known plaintexts. However, from the practical point of view, finding so many pairs is very unlikely.
32 DES - Current State
• Currently DES is no longer certified for US federal use.
• The availability of faster hardware, and access to large distributed systems meant that 56-bit DES keys could be recovered by brute force searches in an unreasonably short time (days or even hours).
• DES should almost certainly not be used in any new product, and should not be used in existing products to protect information with a lifetime of more than a few minutes.
33 3DES or Triple-DES
• Triple-DES is a block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.
• DES used a single 56-bit key.
• 3DES uses three 56-bit keys (often just referred to as a 3DES key), and performs three rounds of DES operations on the data.
• The result is that DES technology could be used until long term solution (the Advanced Encryption Standard) is found.
34 Triple DES - More Secure
35 3DES
• A typical application of 3DES is known as EDE (Encrypt-Decrypt-Encrypt).
• In this case, the first and third keys are equal, so the effective key length is 112-bits.
• In the first operation, the plaintext is encrypted with the first DES key, K1.
36 3DES
• In the second step, the result of the first step, C1, is decrypted using the second key, K2
• Since K2 ≠ K1, this does not result in the original plaintext message.
37 3DES
• In the final step, the result of the second step, C2, is encrypted using the third key, K3
• The output ciphertext C3 is the final encrypted message.
• Recall that K3 = K1 in this case, so even though there are three 56-bit keys, the effective key length is only 112-bits.
38 3DES or Triple-DES
• Decryption in this case follows the reverse of the encryption process, as shown below.
39 3DES or Triple-DES
• Although the length of the key has doubled, there are 2^56 (= 72,057,594,037,927,936) times as many keys.
• Therefore a brute force search for a 3DES-EDE key would take 2^56 times longer on the same hardware than a brute force search for a DES key.
• There are some approaches that can recover 3DES keys more quickly than brute force searches, but for many kinds of data 3DES is still an acceptable encryption method.
40 Block Cipher Modes of Operation
• Electronic Codebook Mode
• Cipher Block Chaining Mode
• Cipher Feedback Mode
• Output Feedback Mode
• Counter Mode
41 Block Cipher Modes of Operation
Mode | Description | Typical Application
Electronic Codebook (ECB) | Each block of 64 plaintext bits is encoded independently using the same key. | Secure transmission of single values (e.g., an encryption key)
Cipher Block Chaining (CBC) | The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. | General-purpose block-oriented transmission; Authentication
Cipher Feedback (CFB) | Input is processed j bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext. | General-purpose stream-oriented transmission; Authentication
Output Feedback (OFB) | Similar to CFB, except that the input to the encryption algorithm is the preceding DES output. | Stream-oriented transmission over noisy channel (e.g., satellite communication)
Counter (CTR) | Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block. | General-purpose block-oriented transmission; Useful for high-speed requirements
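Three rows of the table, as an added example that is not part of the original slides: ECB, CBC and OFB over 64-bit blocks, showing that ECB repeats ciphertext for repeated plaintext and that one flipped ciphertext bit damages a whole block under CBC but a single bit under OFB (the noisy-channel case). The block cipher here is an insecure stand-in bijection, not DES, and the key, IV and message are constructed sample values.

```python
MASK = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15            # odd, so multiplying mod 2^64 is invertible
MULT_INV = pow(MULT, -1, 1 << 64)

def rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK

def toy_encrypt(key, x):
    """Stand-in 64-bit block cipher (NOT DES, not secure): a keyed bijection."""
    for _ in range(8):
        x = rotl(((x ^ key) * MULT) & MASK, 23)
    return x

def toy_decrypt(key, y):
    for _ in range(8):
        y = ((rotl(y, 41) * MULT_INV) & MASK) ^ key   # rotl 41 undoes rotl 23
    return y

def blocks(data):
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]

def join(words):
    return b"".join(w.to_bytes(8, "big") for w in words)

def ecb_encrypt(key, pt):
    return join(toy_encrypt(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = toy_encrypt(key, p ^ prev)     # plaintext XOR preceding ciphertext
        out.append(prev)
    return join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(toy_decrypt(key, c) ^ prev)
        prev = c
    return join(out)

def ofb_crypt(key, iv, data):
    """OFB is its own inverse: the keystream depends on key and IV only."""
    out, feedback = [], iv
    for d in blocks(data):
        feedback = toy_encrypt(key, feedback)  # preceding cipher output fed back
        out.append(d ^ feedback)
    return join(out)

KEY, IV = 0x0123456789ABCDEF, 0x1122334455667788   # constructed sample values
MESSAGE = b"SAMEDATA" * 4                          # four identical 64-bit blocks

def distinct_ciphertext_blocks(ct):
    return len(set(blocks(ct)))

def bit_damage(decrypt, ct):
    """Flip one bit in ciphertext block 1, decrypt, count wrong bits per block."""
    damaged = bytearray(ct)
    damaged[8] ^= 0x01
    got = decrypt(KEY, IV, bytes(damaged))
    return [bin(a ^ b).count("1") for a, b in zip(blocks(got), blocks(MESSAGE))]

if __name__ == "__main__":
    cbc, ofb = cbc_encrypt(KEY, IV, MESSAGE), ofb_crypt(KEY, IV, MESSAGE)
    print("distinct blocks  ECB:", distinct_ciphertext_blocks(ecb_encrypt(KEY, MESSAGE)),
          " CBC:", distinct_ciphertext_blocks(cbc))
    print("bit damage  CBC:", bit_damage(cbc_decrypt, cbc), " OFB:", bit_damage(ofb_crypt, ofb))
```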
42 Electronic Codebook (ECB)
43 Cipher Block Chaining (CBC)
44 Cipher Feedback (CFB)
45 Output Feedback (OFB)
46 Counter (CTR)
47 International Data Encryption Algorithm (IDEA)
• The International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991.
• The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher, Proposed Encryption Standard (PES).
48 IDEA
• IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a round) and an output transformation (the half-round). The processes for encryption and decryption are similar.
• IDEA derives much of its security by interleaving operations from different groups — modular addition and multiplication, and bitwise eXclusive OR (XOR) — which are algebraically "incompatible" in some sense. In more detail, these operators, which all deal with 16-bit quantities, are:
  - Bitwise eXclusive OR (denoted with a blue circled plus ⊕).
  - Addition modulo 2^16 (denoted with a green boxed plus ⊞).
  - Multiplication modulo 2^16+1, where the all-zero word (0x0000) in inputs is interpreted as 2^16 and 2^16 in output is interpreted as the all-zero word (0x0000) (denoted by a red circled dot ⊙).
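The three 16-bit operators listed above, as an added example that is not part of the original slides: it implements the zero-word convention for multiplication modulo 2^16+1, checks that every 16-bit word then has a multiplicative inverse, and shows one case where multiplication does not distribute over addition modulo 2^16. The function names and the `mix`/`unmix` composition are assumptions for illustration; `mix` is not an IDEA round.

```python
WORD = 1 << 16        # 2^16
PRIME = WORD + 1      # 2^16 + 1 = 65537, which is prime

def xor16(a: int, b: int) -> int:
    return a ^ b

def add16(a: int, b: int) -> int:
    return (a + b) % WORD

def mul16(a: int, b: int) -> int:
    """Multiplication modulo 2^16 + 1 with 0x0000 standing for 2^16."""
    a, b = a or WORD, b or WORD        # an all-zero input word means 2^16
    return (a * b) % PRIME % WORD      # a result of 2^16 is written as 0x0000

def add16_inverse(a: int) -> int:
    return -a % WORD

def mul16_inverse(a: int) -> int:
    """Inverse under mul16; exists for every word because 65537 is prime."""
    return pow(a or WORD, -1, PRIME) % WORD

def every_word_invertible() -> bool:
    return all(mul16(a, mul16_inverse(a)) == 1 for a in range(WORD))

def distributes(a: int, b: int, c: int) -> bool:
    """Does a (.) (b [+] c) equal (a (.) b) [+] (a (.) c) for these words?"""
    return mul16(a, add16(b, c)) == add16(mul16(a, b), mul16(a, c))

def mix(x: int, k: tuple) -> int:
    """Illustrative composition of the three operators (not an IDEA round)."""
    return mul16(add16(xor16(x, k[0]), k[1]), k[2])

def unmix(y: int, k: tuple) -> int:
    """Undo mix() by applying each operator's inverse in reverse order."""
    return xor16(add16(mul16(y, mul16_inverse(k[2])), add16_inverse(k[1])), k[0])

if __name__ == "__main__":
    k = (0x1234, 0xFFFF, 0x0000)       # constructed subkey words, one of them zero
    print(hex(mul16(0, 2)), every_word_invertible(), distributes(2, 0x8000, 0x8001))
    print(all(unmix(mix(x, k), k) == x for x in range(WORD)))
```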
49 IDEA
50 IDEA
51 Advanced Encryption Standard (AES)
• DES is near end of useful life
• NIST has begun process to look for successor to DES
• The Advanced Encryption Standard (AES) was the result of an open international search organized by NIST for a replacement for DES.
• AES Process:
  - Proposals submitted 3/98
  - AES Workshop - 8/98
  - 15 proposals selected
  - Key sizes of 128, 192, and 256 bits
52 AES
• Rules:
  - Unclassified
  - Royalty-free
  - Worldwide
  - Public domain
  - Significantly More Efficient than 3DES
  - Symmetric Block Cipher
• AES Timeline:
  - Public comment through April 1999
  - Candidate Conference, March 22-23, 1999, Rome
  - Finalists selected summer 1999
  - AES3 conference, April 13-14, 2000, New York
53 AES
• Algorithms were submitted, and five finalists were selected.
• Finalists for the AES standard are:
  - MARS (IBM - USA)
  - RC6 (RSA Labs - USA)
  - Rijndael (Daemen and Rijmen - Belgium)
  - SERPENT (Anderson, Biham, and Knudsen - UK, Israel, Norway)
  - TWOFISH (Schneier, Kelsey, et al. - USA)
54 AES
• The finalists were subjected to open review by the cryptographic community.
• The entire process took over 3 years to complete.
• The Rijndael algorithm was declared by NIST to be the eventual winner, and is now generally referred to as AES.
• http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
• Rijndael was developed and submitted by two European cryptographers, Joan Daemen and Vincent Rijmen.
55 Evaluation Criteria for AES Proposals
• Security
• Computational Efficiency
• Memory Requirements
• Hardware and Software Suitability
• Flexibility
56 Symmetric Key Encryption - Strength
• The strengths of modern symmetric key encryption algorithms include:
  - Fairly fast encryption/decryption process (in comparison to public key techniques, for example)
  - Several well known, well tested algorithms are available, including 3DES and AES.
  - Library implementations of symmetric key algorithms are commonly available for many programming languages.
57 AES Algorithm – High Level
• KeyExpansion—round keys are derived from the cipher key using Rijndael's key schedule
• Initial Round
  - AddRoundKey—each byte of the state is combined with the round key using bitwise xor
• Rounds
  - SubBytes—a non-linear substitution step where each byte is replaced with another according to a lookup table.
  - ShiftRows—a transposition step where each row of the state is shifted cyclically a certain number of steps.
  - MixColumns—a mixing operation which operates on the columns of the state, combining the four bytes in each column.
  - AddRoundKey
• Final Round (no MixColumns)
  - SubBytes
  - ShiftRows
  - AddRoundKey
59 The State and Key Schedule
• Input is a 128 bit block (16 bytes) that is placed in the state array
• The key is entered in a block and divided into key schedule words of 4 bytes/word.
• The key schedule is an expansion of the key, e.g., a 128 bit key is expanded into 44 key schedule words.
• A square matrix of bytes is used by the standard to describe the state.
60 Rounds and Transformation Stages
• The encryption process executes a round function, Nr times, with the number of rounds (Nr) being dependent on key size.
• The round function consists of four transformation stages.
  - SubBytes()
  - ShiftRows()
  - MixColumns()
  - AddRoundKey()
61 Rounds and Transformation Stages
• The cipher begins with an AddRoundKey().
• All rounds then execute each of the transformations except the last round.
• The MixColumns( ) transformation is not executed in the final round.
• For a 128 bit key, there are 10 rounds.
• 12 and 14 rounds are used with keys of 192 and 256.
62 SubBytes( ) Transformation
• The substitute transformation is an S-Box process, that is independent of the key.
• Each of the bytes of the State is replaced by a different byte, according to a table.
• The table is fixed and derived from two transformations defined in the standard.
• The table is an 8 x 8 array, indexed with the State byte.
63 ShiftRows( ) Transformation
• The ShiftRows() transformation is a permutation that is performed row by row on the State array, independently of the key.
• The first row is not shifted.
• The 2nd row is circularly shifted left 1 byte.
• The 3rd row is circularly shifted left 2 bytes.
• The 4th row is circularly shifted left 3 bytes.
64 MixColumns( ) Transformation
• The MixColumns( ) transformation manipulates each column of the state array.
• The process can be described as a matrix multiplication of a polynomial and the state array.
• This process does not depend on the key.
65 AddRoundKey( ) Transformation
• The AddRoundKey( ) transformation uses the key schedule word.
• The process is a bitwise XOR of the columns of the state array, with the key schedule word.
66 AES Decryption
• AES decryption is accomplished using inverses of the transformations, in the appropriate order.
• The AddRoundKey( ) transformation is its own inverse (since A ⊕ B ⊕ B = A).
67 End of Chapter 4.
