Unit-2 - Part-I

This document provides an overview of symmetric key ciphers and modern block ciphers. It discusses the basic components and principles of conventional encryption including plaintext, encryption algorithm, secret key, ciphertext, and decryption algorithm. It describes the Feistel cipher structure used in many ciphers including DES. It then focuses on the Data Encryption Standard (DES) cipher, detailing its history, key size controversies, and replacement by the Advanced Encryption Standard (AES).

UNIT – II – Part-I

Syllabus: Symmetric key Ciphers: Introduction, Algorithm modes and types, An overview
of symmetric key cryptography, Modern Block Ciphers and Components of Modern Block
Ciphers, Algorithms- DES, AES, IDEA, Blowfish, RC4, Differential and Linear
Cryptanalysis.

Conventional Encryption Principles


A Conventional/Symmetric encryption scheme has five ingredients:
 Plain Text: This is the original message or data which is fed into the algorithm as input.
 Encryption Algorithm: The encryption algorithm performs various substitutions and transformations on the plain text.
 Secret Key: The key is another input to the algorithm. The substitutions and transformations performed by the algorithm depend on the key.
 Cipher Text: This is the scrambled (unreadable) message which is the output of the encryption algorithm. The cipher text depends on both the plaintext and the secret key: for a given plaintext, two different keys produce two different cipher texts.
 Decryption Algorithm: This is the reverse of the encryption algorithm. It takes the cipher text and the secret key as inputs and outputs the plain text.

The important point is that the security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm, i.e. it is not necessary to keep the algorithm secret; only the key must be kept secret. This feature, that the algorithm need not be kept secret, made widespread use feasible and enabled manufacturers to develop low-cost chip implementations of data encryption algorithms. With the use of a conventional algorithm, the principal security problem is maintaining the secrecy of the key.
Feistel Cipher Structure
The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through “n” rounds of processing and then combine to produce the cipher text block. Each round “i” has inputs Li-1 and Ri-1, derived from the previous round, as well as the subkey Ki, derived from the overall key K. In general, the subkeys Ki are different from K and from each other.
All rounds have the same structure. A substitution is performed on the left half of the data (as in S-DES). This is done by applying a round function F to the right half of the data and then taking the XOR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey Ki. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. This structure is a particular form of the substitution-permutation network.

Dr. Ram Prasad Reddy Sadi Page 1

The exact realization of a Feistel network depends on the choice of the following parameters and design features:
 Block size - Increasing the size improves security, but slows the cipher
 Key size - Increasing the size improves security and makes exhaustive key searching harder, but may slow the cipher
 Number of rounds - Increasing the number improves security, but slows the cipher
 Subkey generation - Greater complexity can make analysis harder, but slows the cipher
 Round function - Greater complexity can make analysis harder, but slows the cipher
 Fast software en/decryption & ease of analysis - more recent concerns for practical use and testing


The process of decryption is essentially the same as the encryption process. The rule is as follows: use the cipher text as input to the algorithm, but use the subkeys Ki in reverse order, i.e., Kn in the first round, Kn-1 in the second round and so on. For clarity, we use the notation LEi and REi for data travelling through the encryption algorithm and LDi and RDi for data travelling through the decryption algorithm. The diagram below indicates that, at each round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped: the output of the ith encryption round, LEi || REi, reappears as REi || LEi at the output of the (16-i)th decryption round, or equivalently LEi || REi = RD16-i || LD16-i.
After the last iteration of the encryption process, the two halves of the output are swapped, so that the cipher text is RE16 || LE16. The output of that round is the cipher text. Now take the cipher text and use it as input to the same algorithm. The input to the first round is RE16 || LE16, which is equal to the 32-bit swap of the output of the sixteenth round of the encryption process. Now we will see how the output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process.
First consider the encryption process:
LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)
On the decryption side:
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
    = LE15


Therefore, LD1 = RE15 and RD1 = LE15. In general, for the ith iteration of the encryption algorithm,
LEi = REi-1
REi = LEi-1 ⊕ F(REi-1, Ki)
Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit swap recovers the original plaintext.
Data Encryption Standard (DES)
The main standard for encrypting data was a symmetric algorithm known as the Data Encryption Standard (DES). However, this has now been replaced by a new standard known as the Advanced Encryption Standard (AES), which we will look at later. DES is a 64-bit block cipher, which means that it encrypts data 64 bits at a time. This is contrasted with a stream cipher, in which only one bit at a time (or sometimes small groups of bits such as a byte) is encrypted. DES was the result of a research project set up by the International Business Machines (IBM) corporation in the late 1960’s which resulted in a cipher known as LUCIFER. In the early 1970’s it was decided to commercialize LUCIFER and a number of significant changes were introduced. IBM was not the only one involved in these changes, as they sought technical advice from the National Security Agency (NSA) (other outside consultants were involved but it is likely that the NSA were the major contributors from a technical point of view). The altered version of LUCIFER was put forward as a proposal for the new national encryption standard requested by the National Bureau of Standards (NBS). It was finally adopted in 1977 as the Data Encryption Standard - DES (FIPS PUB 46). Some of the changes made to LUCIFER have been the subject of much controversy even to the present day. The most notable of these was the key size. LUCIFER used a key size of 128 bits; however, this was reduced to 56 bits for DES. Even though DES actually accepts a 64-bit key as input, the remaining eight bits are used for parity checking and have no effect on DES’s security. Outsiders were convinced that the 56-bit key was an easy target for a brute force attack due to its extremely small size. The need for the parity checking scheme was also questioned without satisfying answers. Another controversial issue was that the S-boxes used were designed under classified conditions and no reasons for their particular design were ever given. This led people to assume that the NSA had introduced a “trapdoor” through which they could decrypt any data encrypted by DES even without knowledge of the key.
One startling discovery was that the S-boxes appeared to be secure against an attack known as Differential Cryptanalysis, which was only publicly discovered by Biham and Shamir in 1990. This suggests that the NSA were aware of this attack in 1977; 13 years earlier! In fact the DES designers claimed that the reason they never made the design specifications for the S-boxes available was that they knew about a number of attacks that weren’t public knowledge at the time and they didn’t want them leaking - this is quite a plausible claim, as differential cryptanalysis has shown. However, despite all this controversy, in 1994 NIST reaffirmed DES for government use for a further five years for use in areas other than “classified”. DES of course isn’t the only symmetric cipher. There are many others, each with varying levels of complexity. Such ciphers include: IDEA, RC4, RC5, RC6 and the new Advanced Encryption Standard (AES). AES is an important algorithm and was originally meant to replace DES (and its more secure variant triple DES) as the standard algorithm for non-classified material. However, as of 2003, AES with key sizes of 192 and 256 bits has been found to be secure enough to protect information up to top secret. Since its creation, AES has undergone intense scrutiny, as one would expect for an algorithm that is to be used as the standard. To date it has withstood all attacks, but the search is still on and it remains to be seen whether or not this will last. We will look at AES later in the course.
DES
DES (and most of the other major symmetric ciphers) is based on a cipher known as the Feistel block cipher. It consists of a number of rounds where each round contains bit-shuffling, non-linear substitutions (S-boxes) and exclusive OR operations. As with most encryption schemes, DES expects two inputs - the plaintext to be encrypted and the secret key. The manner in which the plaintext is accepted, and the key arrangement used for encryption and decryption, both determine the type of cipher it is. DES is therefore a symmetric, 64-bit block cipher, as it uses the same key for both encryption and decryption and only operates on 64-bit blocks of data at a time (be they plaintext or ciphertext). The key size used is 56 bits; however, a 64-bit (or eight-byte) key is actually input. The least significant bit of each byte is either used for parity (odd for DES) or set arbitrarily and does not increase the security in any way. All bits are numbered from left to right, which makes the eighth bit of each byte the parity bit.
Once a plain-text message is received to be encrypted, it is arranged into the 64-bit blocks required for input. If the number of bits in the message is not evenly divisible by 64, then the last block will be padded. Multiple permutations and substitutions are incorporated throughout in order to increase the difficulty of performing a cryptanalysis on the cipher.
Overall Structure
The figure below shows the sequence of events that occur during an encryption operation. DES performs an initial permutation on the entire 64-bit block of data. It is then split into two 32-bit sub-blocks, Li and Ri, which are then passed into what is known as a round (see figure 2.3), of which there are 16 (the subscript i in Li and Ri indicates the current round). Each of the rounds is identical, and the effect of increasing their number is twofold - the algorithm’s security is increased and its temporal efficiency decreased. Clearly these are two conflicting outcomes and a compromise must be made. For DES the number chosen was 16, probably to guarantee the elimination of any correlation between the cipher text and either the plaintext or key. At the end of the 16th round, the 32-bit Li and Ri output quantities are swapped to create what is known as the pre-output. This [R16, L16] concatenation is permuted using a function which is the exact inverse of the initial permutation. The output of this final permutation is the 64-bit cipher text.


So in total the processing of the plaintext proceeds in three phases, as can be seen from the left hand side of the figure:
 Initial permutation (IP - defined in table 2.1) rearranging the bits to form the “permuted input”.
 Followed by 16 iterations of the same function (substitution and permutation). The output of the last iteration consists of 64 bits which is a function of the plaintext and key. The left and right halves are swapped to produce the pre-output.
 Finally, the pre-output is passed through a permutation (IP−1 - defined in table 2.1) which is simply the inverse of the initial permutation (IP). The output of IP−1 is the 64-bit cipher text.


As the figure shows, the inputs to each round consist of the Li, Ri pair and a 48-bit subkey which is a shifted and contracted version of the original 56-bit key. The use of the key can be seen in the right hand portion of figure 2.2:
• Initially the key is passed through a permutation function (PC1 - defined in table 2.2).
• For each of the 16 iterations, a subkey (Ki) is produced by a combination of a left circular shift and a permutation (PC2 - defined in table 2.2) which is the same for each iteration. However, the resulting subkey is different for each iteration because of the repeated shifts.

Details Of Individual Rounds


The main operations on the data are encompassed in what is referred to as the cipher function, labelled F. This function accepts two inputs of different lengths, 32 bits and 48 bits, and outputs a single 32-bit value. Both the data and the key are operated on in parallel; however, the operations are quite different. The 56-bit key is split into two 28-bit halves Ci and Di (C and D being chosen so as not to be confused with L and R). The value of the key used in any round is simply a left cyclic shift and a permuted contraction of that used in the previous round. Mathematically, this can be written as
Ci = Lcsi(Ci−1), Di = Lcsi(Di−1), Ki = PC2(Ci, Di)
where Lcsi is the left cyclic shift for round i, Ci and Di are the outputs after the shifts, PC2(·) is a function which permutes and compresses a 56-bit number into a 48-bit number, and Ki is the actual key used in round i. The number of shifts is either one or two and is determined by the round number i. For i ∈ {1, 2, 9, 16} the number of shifts is one and for every other round it is two.

S-Box (figure not reproduced)

F-Function (figure not reproduced)

Advanced Encryption Standard (AES)

 AES is a block cipher with a block length of 128 bits.
 AES allows for three different key lengths: 128, 192, or 256 bits. Most of our discussion will assume that the key length is 128 bits.
 Encryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
 Except for the last round in each case, all other rounds are identical.
 Each round of processing includes one single-byte based substitution step, a row-wise permutation step, a column-wise mixing step, and the addition of the round key. The order in which these four steps are executed is different for encryption and decryption.
To appreciate the processing steps used in a single round, it is best to think of a 128-bit block as consisting of a 4 × 4 matrix of bytes, rearranged as follows:

Therefore, the first four bytes of a 128-bit input block occupy the first column in the 4 × 4 matrix of bytes. The next four bytes occupy the second column, and so on. The 4 × 4 matrix of bytes shown above is referred to as the state array in AES.


The algorithm begins with an Add Round Key stage followed by 9 rounds of four stages and a tenth round of three stages.
This applies for both encryption and decryption, with the exception that each stage of a round in the decryption algorithm is the inverse of its counterpart in the encryption algorithm.
The four stages are as follows:
1. Substitute Bytes
2. Shift Rows
3. Mix Columns
4. Add Round Key
Substitute Bytes
 This stage (known as SubBytes) is simply a table lookup using a 16 × 16 matrix of byte values called an S-box.
 This matrix consists of all the possible values of an 8-bit sequence (2^8 = 16 × 16 = 256).
 However, the S-box is not just a random permutation of these values; there is a well-defined method for creating the S-box tables.
 The designers of Rijndael showed how this was done, unlike the S-boxes in DES, for which no rationale was given. Our concern will be how the state is affected in each round.
 In this stage each byte is mapped into a new byte in the following way: the leftmost nibble of the byte is used to specify a particular row of the S-box and the rightmost nibble specifies a column.


 For example, the byte {95} (curly brackets represent hex values in FIPS PUB197) selects
row 9 column 5 which turns out to contain the value {2A}.
 This is then used to update the state matrix.
Shift Row Transformation
 This stage (known as ShiftRows) is shown in the figure below.
 It is a simple permutation and nothing more.
 It works as follows:
 – The first row of the state is not altered.
 – The second row is shifted 1 byte to the left in a circular manner.
 – The third row is shifted 2 bytes to the left in a circular manner.
 – The fourth row is shifted 3 bytes to the left in a circular manner.

Mix Column Transformation


 This stage (known as MixColumns) is basically a substitution.
 Each column is operated on individually. Each byte of a column is mapped into a new value that is a function of all four bytes in the column.
 The transformation can be determined by the following matrix multiplication on the state.
 Each element of the product matrix is the sum of products of elements of one row and one column.
 In this case the individual additions and multiplications are performed in GF(2^8).
 The MixColumns transformation of a single column j (0 ≤ j ≤ 3) of the state can be expressed as:
s′0,j = (2 • s0,j) ⊕ (3 • s1,j) ⊕ s2,j ⊕ s3,j
s′1,j = s0,j ⊕ (2 • s1,j) ⊕ (3 • s2,j) ⊕ s3,j
s′2,j = s0,j ⊕ s1,j ⊕ (2 • s2,j) ⊕ (3 • s3,j)
s′3,j = (3 • s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2 • s3,j)
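The SubBytes, ShiftRows and MixColumns stages described above, as an added Python example that is not part of the lecture notes. It builds the S-box from its defining rule (multiplicative inverse in GF(2^8) followed by the fixed affine map) rather than typing it in, so the {95} → {2A} lookup quoted earlier is reproduced; applies the four MixColumns equations and their inverse (coefficients {0E}, {0B}, {0D}, {09}) to one column; and lays the 16 input bytes out column by column as the state. The check values are FIPS-197’s worked examples.

```python
# Added example, not from the lecture notes: the AES stages described above.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reducing by 0x11B (x^8 + x^4 + x^3 + x + 1)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inv(0) is defined as 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def aes_sbox():
    """The 256-entry S-box: inverse, then affine map b ^ rot1(b) ^ ... ^ rot4(b) ^ 0x63."""
    table = []
    for x in range(256):
        v = gf_inv(x)
        s = v
        for k in range(1, 5):
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        table.append(s ^ 0x63)
    return table


def sub_byte(sbox, b):
    """Row = leftmost nibble, column = rightmost nibble, as described in the text."""
    return sbox[16 * (b >> 4) + (b & 0x0F)]


def _mix(col, first_row):
    """Circulant matrix product over GF(2^8); row i is first_row rotated right by i."""
    out = []
    for i in range(4):
        row = first_row[-i:] + first_row[:-i]
        acc = 0
        for c, s in zip(row, col):
            acc ^= gf_mul(c, s)
        out.append(acc)
    return out


def mix_column(col):
    """The four equations above: s'0 = 2*s0 ^ 3*s1 ^ s2 ^ s3, and so on."""
    return _mix(col, [0x02, 0x03, 0x01, 0x01])


def inv_mix_column(col):
    """Inverse used in decryption: coefficients {0E},{0B},{0D},{09}."""
    return _mix(col, [0x0E, 0x0B, 0x0D, 0x09])


def bytes_to_state(block):
    """16 input bytes -> 4x4 state filled column by column; state[row][col]."""
    return [[block[row + 4 * col] for col in range(4)] for row in range(4)]


def shift_rows(state):
    """Row r is rotated left by r bytes (row 0 untouched)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]
```

FIPS-197 gives MixColumns of the column d4 bf 5d 30 as 04 66 81 e5 and S-box entries S({00}) = {63}, S({53}) = {ED}, S({95}) = {2A}.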

Add Round Key Transformation


 In this stage (known as AddRoundKey) the 128 bits of the state are bitwise XORed with the 128 bits of the round key.
 The operation is viewed as a column-wise operation between the 4 bytes of a state column and one word of the round key.
 This transformation is as simple as possible, which helps efficiency, but it also affects every bit of the state.
 The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words. Each round uses 4 of these words, as shown in the figure.
 Each word contains 32 bits, which means each subkey is 128 bits long. Figure 7 shows pseudocode for generating the expanded key from the actual key.
Blowfish Algorithm
A symmetric block cipher designed by Bruce Schneier in 1993/94.
Characteristics:
• fast implementation on 32-bit CPUs
• compact in use of memory
• simple structure for analysis/implementation
• variable security by varying key size
• has been implemented in various products
Blowfish Key Schedule
• uses a 32 to 448 bit key, stored as 32-bit words in the K-array Kj, j from 1 to 14
• used to generate
• 18 32-bit subkeys stored in the P-array, P1 … P18
• four 8x32 S-boxes stored in Si,j, each with 256 32-bit entries
Subkeys And S-Boxes Generation:
1. Initialize the P-array and then the 4 S-boxes, in order, using the fractional part of pi: P1 gets the leftmost 32 bits, and so on, up to S4,255.
2. XOR the P-array with the key array (32-bit blocks), reusing the key words as needed: assuming we have up to K10, then P10 XOR K10, P11 XOR K1 … P18 XOR K8.
3. Encrypt a 64-bit block of zeros, and use the result to update P1 and P2.
4. Encrypt the output from the previous step using the current P and S and replace P3 and P4. Then enc
rypt the current output and use it to update successive pairs of P.
5. After updating all P’s (last: P17, P18), start updating the S values using the encrypted output from the previous step.
 requires 521 encryptions, hence slow in re-keying
 Not suitable for limited-memory applications.
Blowfish Encryption
 uses two main operations: addition modulo 2^32, and XOR
 data is divided into two 32-bit halves L0 & R0
for i = 1 to 16 do
    Ri = Li-1 XOR Pi;
    Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR P17;
where, with the 32-bit input to F split into four bytes a, b, c, d,

F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d


Advantages of Blowfish
One of the fastest and most compact block ciphers in public use, Blowfish uses a symmetric
encryption key to turn data into ciphertext. Almost three decades after it was first developed,
Blowfish is still widely used because it offers the following advantages:
 much faster and more efficient than DES and IDEA algorithms;
 unpatented and can be freely used by anyone even without a license;
 despite the complex initialization phase before encryption, the data encryption process is
efficient on large microprocessors;
 provides extensive security for software and applications developed in Java;
 provides secure access for backup tools; and
 supports secure user authentication for remote access.
Disadvantages of Blowfish
There are some downsides to using Blowfish for encryption, including the following:
 Speed is affected when changing keys.
 The key schedule takes a long time.
 The small 64-bit block size makes the algorithm vulnerable to birthday attacks, a class of brute-force attacks.
 Each new key requires preprocessing equivalent to 4 KB of text, which affects its speed, making it unusable for some applications.
IDEA
The IDEA encryption algorithm
 provides high level security not based on keeping the algorithm a secret, but rather
upon ignorance of the secret key
 is fully specified and easily understood
 is available to everybody
 is suitable for use in a wide range of applications
 can be economically implemented in electronic components (VLSI Chip)
 can be used efficiently
 may be exported world wide
 is patent protected to prevent fraud and piracy


Description of IDEA
The block cipher IDEA operates with 64-bit plaintext and cipher text blocks and is controlled
by a 128-bit key. The fundamental innovation in the design of this algorithm is the use of
operations from three different algebraic groups. The substitution boxes and the associated
table lookups used in the block ciphers available to-date have been completely avoided. The
algorithm structure has been chosen such that, with the exception that different key sub-
blocks are used, the encryption process is identical to the decryption process.
Key Generation
The 64-bit plaintext block is partitioned into four 16-bit sub-blocks, since all the algebraic
operations used in the encryption process operate on 16-bit numbers. Another process
produces for each of the encryption rounds, six 16-bit key sub-blocks from the 128-bit key.
Since a further four 16-bit key-sub-blocks are required for the subsequent output
transformation, a total of 52 (= 8 x 6 + 4) different 16-bit sub-blocks have to be generated
from the 128-bit key.
The key sub-blocks used for the encryption and the decryption in the individual rounds are
shown in Table 1.

The 52 16-bit key sub-blocks which are generated from the 128-bit key are produced as
follows:

 First, the 128-bit key is partitioned into eight 16-bit sub-blocks which are then
directly used as the first eight key sub-blocks.
 The 128-bit key is then cyclically shifted to the left by 25 positions, after which the
resulting 128-bit block is again partitioned into eight 16-bit sub-blocks to be directly
used as the next eight key sub-blocks.
 The cyclic shift procedure described above is repeated until all of the required 52 16-
bit key sub-blocks have been generated.
Encryption
The functional representation of the encryption process is shown in Figure 1. The process
consists of eight identical encryption steps (known as encryption rounds) followed by an
output transformation. The structure of the first round is shown in detail.


In the first encryption round, the first four 16-bit key sub-blocks are combined with two of the 16-bit plaintext blocks using addition modulo 2^16, and with the other two plaintext blocks using multiplication modulo 2^16 + 1. The results are then processed further as shown in Figure 1, whereby two more 16-bit key sub-blocks enter the calculation and the third algebraic group operator, the bit-by-bit exclusive OR, is used. At the end of the first encryption round four 16-bit values are produced which are used as input to the second encryption round in a partially changed order. The process described above for round one is repeated in each of the subsequent 7 encryption rounds using different 16-bit key sub-blocks for each combination. During the subsequent output transformation, the four 16-bit values produced at the end of the 8th encryption round are combined with the last four of the 52 key sub-blocks using addition modulo 2^16 and multiplication modulo 2^16 + 1 to form the resulting four 16-bit ciphertext blocks.
Decryption


The computational process used for decryption of the ciphertext is essentially the same as
that used for encryption of the plaintext. The only difference compared with encryption is
that during decryption, different 16-bit key sub-blocks are generated.
More precisely, each of the 52 16-bit key sub-blocks used for decryption is the inverse of the
key sub-block used during encryption in respect of the applied algebraic group operation.
Additionally, the key sub-blocks must be used in the reverse order during decryption in order
to reverse the encryption process as shown in Table 2.
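IDEA’s key generation, encryption and decryption as described in the three sections above, as an added Python example that is not part of the lecture notes. It implements the three group operations (XOR, addition modulo 2^16, multiplication modulo 2^16 + 1 with the all-zero word standing for 2^16), derives the 52 encryption sub-blocks by the 25-position cyclic shift, builds the decryption sub-blocks as the group inverses taken in reverse order (with the two additive inverses of rounds 2 to 8 swapped, which is what Table 2 of the original text lists), and checks the published test vector for the key 0001 0002 … 0008.

```python
# Added example, not from the lecture notes: IDEA with its three group operations,
# the 25-bit-rotation key schedule, and the derived decryption subkeys.

MASK16 = 0xFFFF


def add(a, b):
    """Addition modulo 2^16."""
    return (a + b) & MASK16


def add_inv(a):
    """Additive inverse modulo 2^16."""
    return (-a) & MASK16


def mul(a, b):
    """Multiplication modulo 2^16 + 1; the all-zero word represents 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    r = (a * b) % 0x10001
    return 0 if r == 0x10000 else r


def mul_inv(a):
    """Inverse under mul: 2^16 + 1 is prime, so a^(p-2) mod p; inv(0) = 0 (2^16 is -1)."""
    if a == 0:
        return 0
    return pow(a, 0x10001 - 2, 0x10001)


def idea_encrypt_subkeys(key128):
    """52 16-bit sub-blocks: 8 words of the key, then 8 of each 25-bit left rotation."""
    z = []
    k = key128
    while len(z) < 52:
        z.extend((k >> (112 - 16 * i)) & MASK16 for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return z[:52]


def idea_decrypt_subkeys(z):
    """Decryption sub-blocks: inverses of the encryption ones, used in reverse order."""
    d = [mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51]), z[46], z[47]]
    for r in range(1, 8):            # decryption rounds 2..8 use encryption rounds 8..2
        b = 6 * (8 - r)
        d += [mul_inv(z[b]), add_inv(z[b + 2]), add_inv(z[b + 1]), mul_inv(z[b + 3]),
              z[b - 2], z[b - 1]]    # the two additive inverses are swapped
    d += [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]
    return d


def idea_block(block64, z):
    """8 rounds plus output transformation, using whichever 52 sub-blocks are supplied."""
    x1, x2, x3, x4 = ((block64 >> 48) & MASK16, (block64 >> 32) & MASK16,
                      (block64 >> 16) & MASK16, block64 & MASK16)
    for r in range(8):
        k = z[6 * r:6 * r + 6]
        x1, x2, x3, x4 = mul(x1, k[0]), add(x2, k[1]), add(x3, k[2]), mul(x4, k[3])
        t0 = mul(x1 ^ x3, k[4])                 # two more sub-blocks enter here, with XOR
        t1 = mul(add(x2 ^ x4, t0), k[5])
        t0 = add(t0, t1)
        x1, x2, x3, x4 = x1 ^ t1, x3 ^ t1, x2 ^ t0, x4 ^ t0   # partially changed order
    k = z[48:52]
    y = (mul(x1, k[0]), add(x3, k[1]), add(x2, k[2]), mul(x4, k[3]))
    return (y[0] << 48) | (y[1] << 32) | (y[2] << 16) | y[3]


def idea_encrypt(block64, key128):
    return idea_block(block64, idea_encrypt_subkeys(key128))


def idea_decrypt(block64, key128):
    return idea_block(block64, idea_decrypt_subkeys(idea_encrypt_subkeys(key128)))
```

For the key 0001 0002 0003 0004 0005 0006 0007 0008 the second group of sub-blocks is 0400 0600 0800 0A00 0C00 0E00 1000 0200, and the plaintext 0000 0001 0002 0003 encrypts to 11FB ED2B 0198 6DE5.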
Modes of operation
IDEA supports all modes of operation as described by NIST in its publication FIPS 81. A
block cipher encrypts and decrypts plaintext in fixed-size-bit blocks (mostly 64 and 128 bit).
For plaintext exceeding this fixed size, the simplest approach is to partition the plaintext into
blocks of equal length and encrypt each separately. This method is named Electronic Code
Book (ECB) mode. However, Electronic Code Book is not a good system to use with small
block sizes (for example, smaller than 40 bits) and identical encryption modes. As ECB has
disadvantages in most applications, other methods named modes have been created. They are
Cipher Block Chaining (CBC), Cipher Feedback (CFB) and Output Feedback (OFB) modes.
Applications
Today, there are hundreds of IDEA-based security solutions available in many market areas,
ranging from Financial Services, and Broadcasting to Government. IDEA is the name of a
proven, secure, and universally applicable block encryption algorithm, which permits
effective protection of transmitted and stored data against unauthorized access by third
parties. The fundamental criteria for the development of IDEA were highest security
requirements along with easy hardware and software implementation for fast execution.
The IDEA algorithm can easily be embedded in any encryption software. Data encryption
can be used to protect data transmission and storage. Typical fields are:
– Audio and video data for cable TV, pay TV, video conferencing, distance learning,
business TV, VoIP
– Sensitive financial and commercial data
– Email via public networks
– Transmission links via modem, router or ATM link, GSM technology
– Smart cards
Conclusion
As electronic communications grow in importance, there is also an increasing need for data
protection. Encryption ensures that:
– Only authorized persons can access information.
– Data cannot be amended or manipulated by unauthorized persons.
– An unbreakable cryptosystem warrants a military-strength security level.
When PGP (Pretty Good Privacy) was designed, the developers were looking for maximum security. IDEA was their first choice for data encryption based on its proven design and its great reputation. Today, there are hundreds of IDEA-based security solutions available.
RC4
RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable-key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100 [ROBS95]. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. RC4 was kept as a trade secret by RSA Security. In September 1994, the RC4 algorithm was anonymously posted on the Internet on the Cypherpunks anonymous remailers list. The RC4 algorithm is remarkably simple and quite easy to explain. A variable-length key of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with elements S[0], S[1], …, S[255]. At all times, S contains a permutation of all 8-bit numbers from 0 through 255. For encryption and decryption, a byte k (see Figure 1) is generated from S by selecting one of the 255 entries in a systematic fashion. As each value of k is generated, the entries in S are once again permuted.
Initialization of S
To begin, the entries of S are set equal to the values from 0 through 255 in ascending order; that
is; S[0] = 0, S[1] = 1, …, S[255] = 255. A temporary vector, T, is also created. If the length of the
key K is 256 bytes, then K is transferred to T. Otherwise, for a key of length keylen bytes, the
first keylen elements of T are copied from K and then K is repeated as many times as necessary
to fill out T. These preliminary operations can be summarized as follows:
/* Initialization */
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];
Next we use T to produce the initial permutation of S. This involves starting with S[0] and going
through to S[255], and, for each S[i], swapping S[i] with another byte in S according to a scheme
dictated by T[i]:
/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    Swap (S[i], S[j]);
Because the only operation on S is a swap, the only effect is a permutation. S still contains all the
numbers from 0 through 255.
Stream Generation
Once the S vector is initialized, the input key is no longer used. Stream generation involves
starting with S[0] and going through to S[255], and, for each S[i], swapping S[i] with another
byte in S according to a scheme dictated by the current configuration of S. After S[255] is
reached, the process continues, starting over again at S[0]:
/* Stream Generation */
i = 0; j = 0;
while (true)
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    Swap(S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];                  /* next keystream byte */
To encrypt, XOR the value k with the next byte of plaintext. To decrypt, XOR the value k with the
next byte of ciphertext; because XOR is its own inverse, the same keystream recovers the plaintext.
The following figure summarizes the RC4 logic.

Strength of RC4
A number of papers have been published analyzing methods of attacking RC4 (e.g., [KNUD98],
[MIST98], [FLUH00], [MANT01]). At the time these notes were written, none of these approaches
was considered practical against RC4 with a reasonable key length, such as 128 bits. A more
serious problem is reported in [FLUH01]. The authors demonstrate that the WEP protocol, intended
to provide confidentiality on 802.11 wireless LAN networks, is vulnerable to a particular attack
approach. In essence, the problem is not with RC4 itself but the way in which keys are generated
for use as input to RC4. This particular problem does not appear to be applicable to other
applications using RC4 and can be remedied in WEP by changing the way in which keys are
generated. This problem points out the difficulty in designing a secure system that involves both
cryptographic functions and protocols that make use of them.
A practitioner's caveat: this assessment is now dated. Later work on statistical biases in the RC4
keystream made plaintext-recovery attacks practical against protocols such as TLS, and RFC 7465
(2015) prohibits RC4 cipher suites in TLS. RC4 should be treated as a historical cipher and not
used in new designs.
Differential and Linear Cryptanalysis
Linear Cryptanalysis
Linear cryptanalysis was first defined by Matsui and Yamagishi in 1992. Matsui later extended it
and in 1993 published a linear attack on DES.
Linear cryptanalysis is a known-plaintext attack: the cryptanalyst has access to a large number of
plaintext messages and the corresponding ciphertexts, all encrypted under the same unknown key.
In linear cryptanalysis, the role of the cryptanalyst is to identify a linear relation (an XOR
equation) between some bits of the plaintext, some bits of the ciphertext, and some bits of the
unknown key that holds with a probability noticeably different from 1/2.
Such a relation leaks information about the key bits it involves and about how the cipher
transforms the message bits during encryption and decryption.
There are two basic approaches. The first is to use a linear approximation, as described above,
that relates some bits of the plaintext and some bits of the ciphertext to some bits of the key.
The second focuses on statistical analysis against one round of decrypted ciphertext. The
cryptanalyst decrypts each ciphertext using every possible subkey for one round of encryption
and studies the resulting intermediate ciphertext: for the correct subkey the linear relation shows
the expected bias, whereas for wrong guesses the result looks random.

The subkey obtained from this process is called the candidate key; confirming it requires the
encryption of a large amount of data.
Differential Cryptanalysis
Differential cryptanalysis is a method for breaking certain classes of cryptosystems. It was
invented in 1990 by Israeli researchers Eli Biham and Adi Shamir.
Differential cryptanalysis is used to obtain clues about some bits of the key, thereby
shortening an exhaustive search. By analyzing pairs of chosen plaintexts with a known
difference, and the difference in the outputs resulting from encrypting each one, it is possible
to recover some properties of the key.
Differential cryptanalysis is therefore a chosen-plaintext attack: it identifies a relationship
between the difference of a pair of plaintexts and the difference of the corresponding pair of
ciphertexts.
The analysis focuses on the statistics of two inputs and two outputs of a cryptographic
algorithm. For example, assume that the ciphertext is obtained by a single exclusive-or of the
plaintext with the key.
Without knowing the value of the key, the cryptanalyst can easily relate the difference between
the plaintexts to the difference between the ciphertexts. The plaintext difference is represented
by P1⊕P2, and the ciphertext difference by C1⊕C2. The following shows that C1⊕C2 = P1⊕P2:
First ciphertext C1 = P1 ⊕ K
Second ciphertext C2 = P2 ⊕ K
so C1⊕C2 = P1⊕K⊕P2⊕K = P1⊕P2
That is, the key cancels out of the difference. In a real cipher the non-linear components (the
S-boxes) do not preserve differences exactly, but certain input differences produce certain output
differences with higher probability than others, and these probabilities are what the attack
exploits.
Differential and linear cryptanalysis are related attacks, both used against symmetric key
ciphers. A block cipher applies multiple rounds of encryption to the plaintext, each round using
its own subkey; the cryptanalyst studies the changes to the intermediate ciphertext obtained
between rounds. The two attacks can be combined, which is called differential-linear
cryptanalysis.
Comparison of Linear and Differential Cryptanalysis
Origin
    Linear: first defined by Matsui and Yamagishi in 1992.
    Differential: a method for breaking certain classes of cryptosystems, invented in 1990 by
    Israeli researchers Eli Biham and Adi Shamir.
Goal
    Linear: the cryptanalyst identifies a linear relation between some bits of the plaintext,
    some bits of the ciphertext, and some bits of the unknown key.
    Differential: obtain clues about some bits of the key, thereby shortening an exhaustive
    search.
Procedure
    Linear: the cryptanalyst decrypts each ciphertext using all possible subkeys for one round
    of encryption and studies the resulting intermediate ciphertext to tell the correct subkey
    from a random result.
    Differential: the cryptanalyst studies changes to the intermediate ciphertext obtained
    between multiple rounds of encryption. The attacks can be combined, which is called
    differential-linear cryptanalysis.
Attack model
    Linear: a known-plaintext attack; the cryptanalyst needs many plaintext/ciphertext pairs
    encrypted under the unknown key.
    Differential: a chosen-plaintext attack; by analyzing the changes in some chosen plaintexts,
    and the difference in the outputs resulting from encrypting each one, it is possible to
    recover some of the key bits.
Focus
    Linear: statistical analysis against one round of decrypted ciphertext.
    Differential: statistical analysis of two inputs and two outputs of a cryptographic
    algorithm.
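Both attacks start from the same kind of table built for each non-linear component of the cipher. The added Python example below (not code from the original notes) computes, for one 4-bit S-box, the difference distribution table used by differential cryptanalysis (how often an input difference dx produces an output difference dy) and the linear approximation table used by linear cryptanalysis (the bias of the relation a·x ⊕ b·S(x) = 0 for every pair of bit masks a, b). The S-box used is the published 4-bit S-box of the PRESENT block cipher, chosen only because it is small and well known; the XOR-cancellation argument above is why a round key added before the S-box does not change these tables.

```python
"""Difference distribution table (DDT) and linear approximation table (LAT) of a 4-bit S-box:
the 'two inputs, two outputs' and 'linear relation' statistics described in the notes above."""

# Published 4-bit S-box of the PRESENT block cipher, used here only as a small, well-known target.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy.
    A key XORed in before the S-box cancels out of the difference ((x^k)^(x'^k) = x^x'),
    so these counts hold whatever the unknown round key is."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def lat(sbox):
    """lat[a][b] = (#x with parity(a&x) == parity(b&S(x))) - n/2: the bias of the linear relation
    a.x XOR b.S(x) = 0. Bias 0 means the relation is no better than a coin flip; a large |bias|
    is what a linear attack exploits."""
    n = len(sbox)

    def parity(v):
        return bin(v).count("1") & 1

    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - n // 2
    return table


def best_differential(sbox):
    """(dx, dy, count) with the highest count over non-zero input differences.
    count/n is the probability that difference dx becomes dy through the S-box."""
    t, n = ddt(sbox), len(sbox)
    return max(((dx, dy, t[dx][dy]) for dx in range(1, n) for dy in range(n)),
               key=lambda e: e[2])


def best_linear_approximation(sbox):
    """(a, b, bias) with the largest |bias| over non-trivial mask pairs.
    The relation a.x XOR b.S(x) = 0 then holds for (n/2 + bias) of the n inputs."""
    t, n = lat(sbox), len(sbox)
    return max(((a, b, t[a][b]) for a in range(1, n) for b in range(1, n)),
               key=lambda e: abs(e[2]))


if __name__ == "__main__":
    print("DDT rows (input difference dx -> counts per output difference dy):")
    for dx, row in enumerate(ddt(PRESENT_SBOX)):
        print(f"  dx={dx:x}: {row}")
    print("best differential (dx, dy, count):", best_differential(PRESENT_SBOX))
    print("best linear approximation (a, b, bias):", best_linear_approximation(PRESENT_SBOX))
```

For this S-box no non-trivial differential holds for more than 4 of the 16 inputs (probability 1/4) and no non-trivial linear relation has a bias larger than 4/16; a real attack multiplies such per-S-box figures across the rounds of the cipher, which is why designers choose S-boxes that keep both numbers small.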

Block Cipher Modes Of Operations

• Direct use of a block cipher is inadvisable.
• An enemy can build up a "code book" of plaintext/ciphertext equivalents.
• Beyond that, direct use only works on messages whose length is a multiple of the cipher
block size.
Solution: five standard Modes of Operation: Electronic Code Book (ECB), Cipher
Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter
(CTR).
Electronic Code Book
• Direct use of the block cipher: each block is encrypted independently under the same key.
• Used primarily to transmit encrypted keys (a single block of random-looking data).
• Very weak if used for general-purpose encryption; never use it for a file or a message.
• Attacker can build a codebook: identical plaintext blocks always give identical ciphertext
blocks, so there is no semantic security.
• We write {P}k → C to denote "encryption of plaintext P with key k to produce ciphertext C".

Cipher Block Chaining

• We would like the same plaintext block to produce different ciphertext blocks.
• Cipher Block Chaining (see figure) achieves this by XORing each plaintext block with the
ciphertext from the previous round before encrypting it (the first round uses an Initialisation
Vector (IV) in place of a previous ciphertext block).
• As before, the same key is used for each block.
• Decryption works as shown in the figure because of the properties of the XOR
operation: decrypting C1 yields IV ⊕ P1, and IV ⊕ IV ⊕ P1 = P1, where IV is the Initialisation
Vector and P1 is the first plaintext block; later blocks use the previous ciphertext block in
place of the IV.
• Obviously the IV needs to be known by both sender and receiver. It does not need to be
secret (it is normally sent in the clear with the ciphertext), but it must be unpredictable to the
attacker and never reused with the same key; a predictable or repeated IV lets an attacker
detect repeated message prefixes and test guesses about plaintext blocks.

Cipher Feedback (CFB) Mode

• The Cipher Feedback and Output Feedback modes allow a block cipher to be converted into
a stream cipher.
• This eliminates the need to pad a message to an integral number of blocks. It also
can operate in real time.
• Figure shows the CFB scheme.
• In this figure it is assumed that the unit of transmission is s bits; a common value is
s = 8.
• As with CBC, the units of plaintext are chained together, so that the ciphertext of any
plaintext unit is a function of all the preceding plaintext (which is split into s-bit segments).
• The input to the encryption function is a shift register equal in length to the block
size of the algorithm (although the diagram shows 64 bits, which is the block size used
by DES, this can be extended to other block sizes such as the 128 bits of AES).
• This is initially set to some Initialization Vector (IV). At each step the register contents
are encrypted, the leftmost s bits of the output are XORed with the next s bits of plaintext,
and the resulting s ciphertext bits are shifted into the register.

Output Feedback (OFB) Mode

• The Output Feedback Mode is similar in structure to that of CFB, as seen in Figure 13.
• As can be seen, it is the output of the encryption function that is fed back to the shift
register in OFB, whereas in CFB the ciphertext unit is fed back to the shift register.
• One advantage of the OFB method is that bit errors in transmission do not propagate.
• For example, if a bit error occurs in C1, only the recovered value of P1 is affected;
subsequent plaintext units are not corrupted.
• With CFB, C1 also serves as input to the shift register and therefore causes additional
corruption downstream.
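To make the behaviour of the four modes concrete, here is an added Python example (not code from the original notes). Since it assumes no cipher library is installed, it uses a hypothetical 4-round Feistel permutation built from HMAC-SHA256 as a stand-in for DES or AES; the key, IV and plaintext are constructed demo values. It shows the ECB codebook leak (repeated plaintext blocks give repeated ciphertext blocks, which CBC avoids) and the error-propagation difference between CBC, CFB (s = 8) and OFB when a single ciphertext bit is flipped in transit.

```python
"""ECB, CBC, CFB (s = 8) and OFB on a stand-in block cipher, to make the codebook leak and
the error-propagation behaviour of each mode visible."""
import hashlib
import hmac

BLOCK = 16          # 128-bit block, as in AES
HALF = BLOCK // 2

# Constructed demo inputs. A fixed IV is used ONLY so the run is reproducible; in practice the IV
# must be fresh for every message (unpredictable for CBC, never reused for CFB/OFB).
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
PT = b"ATTACK AT DAWN!!" * 4      # four identical 16-byte blocks


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the stand-in cipher: HMAC-SHA256, domain-separated by round number.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key, block):
    """4-round Feistel permutation: a hypothetical stand-in for a real block cipher, NOT a standard."""
    L, R = block[:HALF], block[HALF:]
    for rnd in range(4):
        L, R = R, xor(L, _f(key, rnd, R))
    return L + R


def decrypt_block(key, block):
    L, R = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _f(key, rnd, L)), L
    return L + R


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB and CBC need the message padded to a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = encrypt_block(key, xor(b, prev))       # C_i = E_k(P_i XOR C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))  # P_i = D_k(C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)


def cfb8_crypt(key, iv, data, decrypt=False):
    """CFB with s = 8: one byte per step; the CIPHERTEXT byte is shifted into the register."""
    reg, out = iv, bytearray()
    for byte in data:
        y = byte ^ encrypt_block(key, reg)[0]
        out.append(y)
        reg = reg[1:] + bytes([byte if decrypt else y])
    return bytes(out)


def ofb_crypt(key, iv, data):
    """OFB: the cipher OUTPUT is fed back, so the keystream never depends on the data."""
    reg, out = iv, bytearray()
    for i, byte in enumerate(data):
        if i % BLOCK == 0:
            reg = encrypt_block(key, reg)
        out.append(byte ^ reg[i % BLOCK])
    return bytes(out)


def has_repeated_blocks(ct):
    """The codebook leak: do two ciphertext blocks coincide (because two plaintext blocks did)?"""
    blocks = _blocks(ct)
    return len(set(blocks)) < len(blocks)


def flip_first_bit(ct):
    """Simulate a single transmission error in the first ciphertext byte."""
    return bytes([ct[0] ^ 0x01]) + ct[1:]


def damaged_positions(original, recovered):
    """Byte positions where the recovered plaintext differs from the original."""
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]


if __name__ == "__main__":
    print("ECB repeats blocks:", has_repeated_blocks(ecb_encrypt(KEY, PT)))
    print("CBC repeats blocks:", has_repeated_blocks(cbc_encrypt(KEY, IV, PT)))
    modes = [("CBC", lambda p: cbc_encrypt(KEY, IV, p), lambda c: cbc_decrypt(KEY, IV, c)),
             ("CFB", lambda p: cfb8_crypt(KEY, IV, p), lambda c: cfb8_crypt(KEY, IV, c, True)),
             ("OFB", lambda p: ofb_crypt(KEY, IV, p), lambda c: ofb_crypt(KEY, IV, c))]
    for name, enc, dec in modes:
        print(name, "bytes damaged by one flipped bit:", damaged_positions(PT, dec(flip_first_bit(enc(PT)))))
```

With one bit of C1 flipped, CBC garbles all of P1 and flips exactly the same bit in P2 (nothing after that), CFB-8 garbles the first byte and the next 16 bytes while the corrupted byte sits in the shift register, and OFB flips exactly one plaintext bit. The same property that makes OFB error-tolerant means an attacker can flip chosen plaintext bits by flipping ciphertext bits, which is why these modes must be combined with an integrity check.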
