21CSE358T - Network Security and Cryptography

PROFESSIONAL ELECTIVE
(L-2 T-1 C-3)
Unit -2

Prepared by
Dr. B. Umamageswari, AP/CTECH
Unit - 2
Algebraic structures, Divisibility and division algorithm, Euclidean algorithm,
Modular arithmetic, Prime numbers- Fermats and Eulers theorem,
Congruence and matrices, Block Ciphers and operations-Simplified Data
Encryption Standard - Data Encryption Standard - Advanced Encryption
Standard
 Divisors
say a non-zero number b divides a if for
some m have a=mb (a,b,m all integers)
that is b divides into a with no remainder
denote this as b|a (“b divides a”)
and say that b is a divisor of a
eg. all of 1,2,3,4,6,8,12,24 divide 24
eg. 13 | 182; –5 | 30; 17 | 289; –3 | 33; 17 | 0
 Properties of Divisibility
If a|1, then a = ±1.
If a|b and b|a, then a = ±b.
Any b /= 0 divides 0.
If a | b and b | c, then a | c
● e.g. 11 | 66 and 66 | 198 so 11 | 198
If b|g and b|h, then b|(mg + nh)
linear combinations for arbitrary integers m and n
e.g. b = 7; g = 14; h = 63; m = 3; n = 2
7|14 and 7|63 hence 7 | 168 (= 42 + 126)
 Division Algorithm
if we divide a by n we get integer quotient
q and integer remainder r such that:
● a = qn + r where 0 <= r < n; q = floor(a/n)
remainder r often referred to as a residue
Greatest Common Divisor (GCD)
a common problem in number theory
GCD (a,b) of a and b is the largest integer
that divides evenly into both a and b
● e.g. GCD(60,24) = 12
define gcd(0, 0) = 0
often want no common factors (except 1)
define such numbers as relatively prime
● e.g. GCD(8,15) = 1
● hence 8 & 15 are relatively prime
Euclid’s algorithm to compute GCD
• Suppose we wish to determine the greatest common divisor d of the integers a and b;
that is determine d = gcd(a, b). Because gcd(|a|, |b|) = gcd(a, b), there is no harm in
assuming a >= b > 0.
• Dividing a by b and applying the division algorithm, we can state:
a = q1b + r1 where r1>=0 and r1<b
• First consider the case in which r1 = 0. Therefore, b divides a and clearly no larger
number divides both b and a, because that number would be larger than b. So, we have
d = gcd(a, b) = b.
The other possibility from Equation (2.2) is r1 ≠ 0. For this case, we can state that d|r1.
This is due to the basic properties of divisibility: the relations d|a and d|b together imply
that d (a - q1b), which is the same as d r1.
Euclid’s algorithm
 Example GCD(1970,1066)
1970 = 1 x 1066 + 904 gcd(1066, 904)
1066 = 1 x 904 + 162 gcd(904, 162)
904 = 5 x 162 + 94 gcd(162, 94)
162 = 1 x 94 + 68 gcd(94, 68)
94 = 1 x 68 + 26 gcd(68, 26)
68 = 2 x 26 + 16 gcd(26, 16)
26 = 1 x 16 + 10 gcd(16, 10)
16 = 1 x 10 + 6 gcd(10, 6)
10 = 1 x 6 + 4 gcd(6, 4)
6 = 1 x 4 + 2 gcd(4, 2)
4 = 2 x 2 + 0 gcd(2, 0)
 GCD(1160718174, 316258250)
Dividend Divisor Quotient Remainder
a = 1160718174 b = 316258250 q1 = 3 r1 = 211943424
b = 316258250 r1 = 211943424 q2 = 1 r2 = 104314826
r1 = 211943424 r2 = 104314826 q3 = 2 r3 = 3313772
r2 = 104314826 r3 = 3313772 q4 = 31 r4 = 1587894
r3 = 3313772 r4 = 1587894 q5 = 2 r5 = 137984
r4 = 1587894 r5 = 137984 q6 = 11 r6 = 70070
r5 = 137984 r6 = 70070 q7 = 1 r7 = 67914
r6 = 70070 r7 = 67914 q8 = 1 r8 = 2156
r7 = 67914 r8 = 2156 q9 = 31 r9 = 1078
r8 = 2156 r9 = 1078 q10 = 2 r10 = 0
 Modular Arithmetic
define modulo operator “a mod n” to be
remainder when a is divided by n
● where integer n is called the modulus
b is called a residue of a mod n
● since with integers can always write: a = qn + b
● usually chose smallest positive remainder as residue
•ie. 0 <= b <= n-1
● process is known as modulo reduction
•eg. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
a & b are congruent if: a mod n = b mod n
● when divided by n, a & b have same remainder
● eg. 100 mod 11 = 34 mod 11
so 100 is congruent to 34 mod 11
Modular Arithmetic Operations
can perform arithmetic with residues
uses a finite number of values, and loops
back from either end
Zn = {0, 1, . . . , (n – 1)}
modular arithmetic is when do addition &
multiplication and modulo reduce answer
can do reduction at any point, i.e.
a+b mod n = [a mod n + b mod n] mod n
Modular Arithmetic Operations
1. [(a mod n) + (b mod n)] mod n
= (a + b) mod n
2. [(a mod n) – (b mod n)] mod n
= (a – b) mod n
3. [(a mod n) x (b mod n)] mod n
= (a x b) mod n
e.g.
[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2 (11 + 15) mod 8 = 26 mod 8 = 2
[(11 mod 8) – (15 mod 8)] mod 8 = –4 mod 8 = 4 (11 – 15) mod 8 = –4 mod 8 = 4
[(11 mod 8) x (15 mod 8)] mod 8 = 21 mod 8 = 5 (11 x 15) mod 8 = 165 mod 8 = 5
Modulo 8 Addition Example
+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 2 3 4 5 6 7 0
2 2 3 4 5 6 7 0 1
3 3 4 5 6 7 0 1 2
4 4 5 6 7 0 1 2 3
5 5 6 7 0 1 2 3 4
6 6 7 0 1 2 3 4 5
7 7 0 1 2 3 4 5 6
Modulo 8 Multiplication
+ 0 1 2 3 4 5 6 7
0 0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6 7
2 0 2 4 6 0 2 4 6
3 0 3 6 1 4 7 2 5
4 0 4 0 4 0 4 0 4
5 0 5 2 7 4 1 6 3
6 0 6 4 2 0 6 4 2
7 0 7 6 5 4 3 2 1
Modular Arithmetic Properties
Refer word docx for proof

w+ (-w) congruent to 0 mod n

 Euclidean Algorithm
an efficient way to find the GCD(a,b)
uses theorem that:
● GCD(a,b) = GCD(b, a mod b)
Euclidean Algorithm to compute GCD(a,b) is:
Euclid(a,b)
if (b=0) then return a;
else return Euclid(b, a mod b);
Extended Euclidean Algorithm
calculates not only GCD but x & y:
ax + by = d = gcd(a, b)
useful for later crypto computations
follow sequence of divisions for GCD but
assume at each step i, can find x &y:
r = ax + by
at end find GCD value and also x & y
if GCD(a,b)=1 these values are inverses
 Finding Inverses
EXTENDED EUCLID(m, b)
1. (A1, A2, A3)=(1, 0, m);
(B1, B2, B3)=(0, 1, b)
2. if B3 = 0
return A3 = gcd(m, b); no inverse
3. if B3 = 1
return B3 = gcd(m, b); B2 = b–1 mod m
4. Q = A3 div B3
5. (T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)
6. (A1, A2, A3)=(B1, B2, B3)
7. (B1, B2, B3)=(T1, T2, T3)
8. goto 2
Inverse of 550 in GF(1759)
Q A1 A2 A3 B1 B2 B3
— 1 0 1759 0 1 550
3 0 1 550 1 –3 109
5 1 –3 109 –5 16 5
21 –5 16 5 106 –339 4
1 106 –339 4 –111 355 1

-111(1759) + 355(550) = 1
 Prime Numbers
prime numbers only have divisors of 1 and self
● they cannot be written as a product of other numbers
● note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theory
list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97
101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179
181 191 193 197 199
 Prime Factorization
to factor a number n is to write it as a
product of other numbers: n=a x b x c
note that factoring a number is relatively
hard compared to multiplying the factors
together to generate the number
Fundamental theorem of arithmetic
the prime factorization of a number n is
when its written as a product of primes
● eg. 91=7x13 ; 3600=24x32x52
Relatively Prime Numbers & GCD
two numbers a, b are relatively prime if have
no common divisors apart from 1 also called as co prime
● eg. 8 & 15 are relatively prime since factors of 8 are
1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only
common factor
conversely can determine the greatest common
divisor by comparing their prime factorizations
and using least powers
● eg. 300=21x31x52 18=21x32 hence
GCD(18,300)=21x31x50=6
 Fermat's Theorem
ap-1 = 1 (mod p)
● where p is prime and gcd(a,p)=1
also known as Fermat’s Little Theorem
also have: ap = a (mod p)
useful in public key and primality testing
Euler Totient Function ø(n)
when doing arithmetic modulo n
complete set of residues is: 0..n-1
reduced set of residues is those numbers
(residues) which are relatively prime to n
● eg for n=10,
● complete set of residues is {0,1,2,3,4,5,6,7,8,9}
● reduced set of residues is {1,3,7,9}
number of elements in reduced set of residues is
called the Euler Totient Function ø(n)
Euler Totient Function ø(n)
to compute ø(n) need to count number of
residues to be excluded
in general need prime factorization, but
● for p (p prime) ø(p)=p-1
● for p.q (p,q prime) ø(p.q)=(p-1)x(q-1)
eg.
ø(37) = 36
ø(21) = (3–1)x(7–1) = 2x6 = 12
 Euler's Theorem
First chk if a, n are relatively prime to each other

a generalisation of Fermat's Theorem

aø(n) = 1 (mod n)
● for any a,n where gcd(a,n)=1
eg.
a=3;n=10; ø(10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;
hence 210 = 1024 = 1 mod 11
also have: aø(n)+1 = a (mod n)

IMPORTANT: For proof refer William

Stallings text book.
Refer word docx
 Modern Block Ciphers
now look at modern block ciphers
one of the most widely used types of
cryptographic algorithms
provide secrecy /authentication services
focus on DES (Data Encryption Standard)
to illustrate block cipher design principles
Confusion and Diffusion
Confusion Stream Cipher
Making the relationship between the encryption key and the ciphertext as Each plaintext digit is encrypted one at a time with the corresponding digit of
complex as possible. the keystream, to give a digit of the ciphertext stream.
Relationship between CT and PT is obscured.
Given CT, no info about PT, Key, Encryption algorithm etc.,
Example: Substitution. Block Cipher
Diffusion A block cipher is a deterministic algorithm operating on fixed-length groups of
Making each plaintext bit affect as many ciphertext bits as possible. bits, called blocks.
bit change in PT, significant effect on CT.
Example: Transposition or Permutation.
 Block vs Stream Ciphers
block ciphers process messages in blocks,
each of which is then en/decrypted
like a substitution on very big characters
● 64-bits or more
stream ciphers process messages a bit or
byte at a time when en/decrypting
many current ciphers are block ciphers
● better analysed
● broader range of applications
 Block vs Stream Ciphers
Stream Cipher
Bit or Byte
Complex
Confusion
Faster
CFB (Cipher Feedback) and
OFB (Output Feedback) Length
XOR Design
Vernam Cipher Principle
Speed
Encryption
Decryption
Example

Block Cipher
Block Size - 64 bits, 128 bits
Simple
Confusion and Diffusion
Slower
Electronic Code Book (ECB) and
Cipher Block Chaining (CBC)
Reverse of encryption
DES, AES
 Block Cipher Principles
most symmetric block ciphers are based on a
Feistel Cipher Structure
needed since must be able to decrypt ciphertext
to recover messages efficiently
block ciphers look like an extremely large
substitution
would need table of 264 entries for a 64-bit block
instead create from smaller building blocks
using idea of a product cipher
Ideal Block Cipher

permutation
 Claude Shannon and
Substitution-Permutation Ciphers
Claude Shannon introduced idea of
substitution-permutation (S-P) networks in 1949
paper
form basis of modern block ciphers
S-P nets are based on the two primitive
cryptographic operations seen before:
● substitution (S-box)
● permutation (P-box)
provide confusion & diffusion of message & key
 Confusion and Diffusion
cipher needs to completely obscure
statistical properties of original message
a one-time pad does this
more practically Shannon suggested
combining S & P elements to obtain:
diffusion – dissipates statistical structure
of plaintext over bulk of ciphertext
confusion – makes relationship between
ciphertext and key as complex as possible
 Feistel Cipher Structure
Horst Feistel devised the Feistel cipher
● based on concept of invertible product cipher
partitions input block into two halves
● process through multiple rounds which
● perform a substitution on left data half
● based on round function of right half & subkey
● then have permutation swapping halves
implements Shannon’s S-P net concept
Feistel Cipher Structure
Feistel Cipher Structure
Feistel Cipher Design Elements
Key size and the number of rounds are critical factors in encryption
security. Larger keys enhance security but may slow down the
encryption and decryption process.
Collapse
block size 09:39
A larger key size increases security but can reduce the speed of
encryption and decryption, which is crucial for efficient data transfer.
key size 10:26
Having only one round in the encryption process is inadequate for
security, necessitating multiple rounds for effective encryption and

number of rounds decryption.

10:54
The symmetric encryption model uses the same key for both encryption

subkey generation algorithm and decryption, emphasizing the importance of the order of key usage.
11:40
The design of secure encryption algorithms requires complexity in key
generation and round functions to resist cryptanalysis. Additionally,
round function speed and ease of analysis are crucial for practical applications.
Collapse
11:42

fast software en/decryption A complex key size is vital for enhancing security, making it difficult for
attackers to break the encryption easily. This complexity helps in
safeguarding sensitive data.

ease of analysis 12:14

Fast encryption and decryption processes are essential, as delays can
lead to user dissatisfaction. Efficient algorithms ensure smooth data
transfer and enhance user experience.
12:59
The algorithm should be designed for ease of analysis, making it
challenging for cryptanalysts to interpret its workings. This complexity
helps build confidence in the algorithm's security.
Data Encryption Standard (DES)

most widely used block cipher in world

adopted in 1977 by NBS (now NIST)
● as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over
its security
 DES History
IBM developed Lucifer cipher
● by team led by Feistel in late 60’s
● used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher
with input from NSA and others
in 1973 NBS issued request for proposals
for a national cipher standard
IBM submitted their revised Lucifer which
was eventually accepted as the DES
 DES Design Controversy
although DES standard is public
was considerable controversy over design
● in choice of 56-bit key (vs Lucifer 128-bit)
● and because design criteria were classified
subsequent events and public analysis
show in fact design was appropriate
use of DES has flourished
● especially in financial applications
● still standardised for legacy application use
 DES Encryption Overview
The Data Encryption Standard (DES) is a
symmetric block cipher that uses the same key The input and output sizes of the DES algorithm are both 64
for encryption and decryption. It processes data bits, demonstrating its function as a block cipher for data
in blocks rather than individual bits, making it an encryption.
efficient encryption method.
The video explains the process of converting 64-bit plaintext
Understanding the Feistel structure is crucial for into ciphertext through a series of 16 rounds, focusing on the
grasping how DES functions. This structure initial permutation and round operations. Each round takes 64
allows for complex encryption while maintaining bits as input and produces 64 bits as output, eventually
the ability to decrypt efficiently. leading to a transformed state of the data.

The DES was adopted by the National Institute of The initial permutation function takes 64 bits of plaintext,
Standards and Technology in 1977, but it is now processes it, and outputs another 64 bits before proceeding to
considered outdated due to security multiple rounds of encryption. This function is crucial for the
vulnerabilities. AES replaced DES in 2001. encryption process.

AES, or Advanced Encryption Standard, is now The importance of the Feistel structure is highlighted, as it
widely used due to its robust security features organizes the rounds of encryption and ensures that the data
and efficiency. It has become the standard for is systematically transformed. This structure is foundational for
modern encryption practices. maintaining security throughout the process.

The DES encryption algorithm processes 64-bit After 16 rounds of processing, the final output consists of 64
plaintext into 64-bit ciphertext while utilizing a 56- bits that undergo a 32-bit swap function, rearranging the data
bit key and generating 48-bit round keys for its for further transformation. This swap ensures that the
16 rounds of operation. encryption remains secure.

The main key provided to the DES algorithm is The process involves an initial permutation function that
64 bits, though it is effectively reduced to a 56-bit prepares the data for encryption. This function is crucial for the
key before encryption begins. security of the algorithm.

For the encryption process, 16 round keys of 48 Each of the 16 rounds utilizes a distinct round key derived
bits each are generated from the 56-bit key, from the original key. This method enhances the complexity
essential for the algorithm's multiple rounds. and security of the encryption.
The input and output sizes of the DES algorithm
are both 64 bits, demonstrating its function as a The key length used in the DES algorithm is 56 bits, despite
block cipher for data encryption. starting with a 64-bit key. This reduction is significant for
generating round keys effectively.
 Initial Permutation IP
first step of the data computation
IP reorders the input data bits
even bits to LH half, odd bits to RH half
quite regular in structure (easy in h/w)
no cryptographic value
example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
Feistel Cipher Round
 DES Round Structure
uses two 32-bit L & R halves
as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 ⊕ F(Ri–1, Ki)
F takes 32-bit R half and 48-bit subkey:
● expands R to 48-bits using perm E
● adds to subkey using XOR
● passes through 8 S-boxes to get 32-bit result
● finally permutes using 32-bit perm P
The video explains the single round of the
DES algorithm, focusing on the processes
including initial and inverse permutations.
Understanding these functions is crucial
for grasping how DES encryption works.
DES Round Structure
The initial permutation alters the positions
of the bits in a 64-bit plaintext, preparing it
for the round function. This foundational
step is essential for subsequent
encryption.

The round function processes the altered

bits with a 48-bit round key, which
changes for each of the 16 rounds in the
DES algorithm. This ensures varying
encryption for each cycle.
The final stage involves the inverse initial
permutation, which rearranges the bits
back after processing through the round
functions. This completes the
transformation into 64-bit ciphertext.
The video explains the process of the
initial permutation in a cryptographic
algorithm, which involves rearranging the
bits of a 64-bit plaintext. This
transformation is essential for generating
the correct output for the encryption
process.

The left circular shift algorithm is crucial

for deriving 48-bit round keys from the
original 56-bit key, enhancing the
encryption strength. This step is
fundamental in the overall encryption
mechanism.
The initial permutation takes the ordered
64-bit input and changes the positions of
the bits to produce a new arrangement for
encryption. This rearrangement plays a
key role in securing the data.
 Understanding the bit positioning is
essential as it dictates how input bits
translate into output bits during the initial
permutation, ensuring the integrity of the
encryption process. Proper positioning is
vital for security. DES Round Structure
Understanding the initial and inverse The expansion function plays a vital role by converting the 32-bit right side into a
initial permutations is crucial in 48-bit format, which allows it to be combined with the round key. This
encryption processes. These transformation is essential for maintaining security.
permutations change the arrangement The original 64-bit key is also essential, as it guides the expansion and xor
of bits, crucial for the security of the operations performed during the encryption process. Understanding this
algorithm. connection is key to grasping encryption fundamentals.
The initial permutation alters the The process involves reducing 48 bits to 32 bits using a substitution box, followed
positions of the 64 bits, setting the stage by the application of a permutation box to further process the data. This
for the encryption process. This process transformation is essential for the encryption method, ensuring data security
is essential for ensuring data security. through multiple rounds of processing.
Inverse initial permutation also involves The substitution box, or S-box, plays a crucial role in reducing input bits while
64 bits, converting ciphertext back to maintaining the integrity of the data during the encryption process. It ensures
plaintext. It emphasizes the importance security through bit transformation.
of correctly arranging bits for accurate Following the S-box, the permutation box, or P-box, modifies the positions of the
decryption. bits without changing their count, enhancing the complexity of the encrypted
output. This step is vital for effective encryption.
The encryption process involves multiple rounds, specifically 16, where each
round utilizes a unique round key derived from the original key, ensuring thorough
data protection. This repetition increases security.
The algorithm consists of 16 rounds, where each round processes input values
The 32-bit swap function is a simple yet vital and generates output through a series of transformations. Understanding these
operation in the encryption algorithm. It effectively transformations is crucial for grasping the overall function of the algorithm.
rearranges the halves of the input bits during Each round of the algorithm utilizes specific equations to transform input values,
processing. leading to a structured output. This process is repeated for all 16 rounds
consistently.
The video explains how a 64-bit input and a 48- The left and right outputs of each round are derived from specific previous values,
bit key interact during encryption rounds, highlighting the algorithm's dependency on prior computations. This relationship is
illustrating the critical transformation of data critical for maintaining the algorithm's integrity.
within the rounds. Each round processes the The function involved in the round is a Mangler function, which combines inputs in
input by expanding the right-hand side bits for a defined manner, ensuring that the output is secure and reliable. Understanding
compatibility with the key, enabling secure this function is essential for analyzing the algorithm.
encryption.

During each round, the 64-bit input is divided into

two 32-bit halves, which enhances the encryption
process by managing data efficiently. This
division is crucial for the encryption mechanism.
DES Expansion Permutation

R half expanded to same length as 48-bit

subkey
consider R as 8 nybbles (4 bits each)
expansion permutation
● copies each nybble into the middle of a 6-bit
block
● copies the end bits of the two adjacent
nybbles into the two end bits of the 6-bit block
 Substitution Boxes S
have eight S-boxes which map 6 to 4 bits
each S-box is actually 4 little 4 bit boxes
● outer bits 1 & 6 (row bits) select one row of 4
● inner bits 2-5 (col bits) are substituted
● result is 8 lots of 4 bits, or 32 bits
row selection depends on both data & key
● feature known as autoclaving (autokeying)
example:
● S(18 09 12 3d 11 17 38 39) = 5fd25e03
Substitution Boxes S
each of the eight
s-boxes is different
each s-box reduces
6 bits to 4 bits
so the 8 s-boxes
implement the 48-bit
to 32-bit contraction
substitution
 Permutation Box P

P-box at end of each round

Increases diffusion/avalanche effect
DES Round in Full
 Round Key Generation: The key is split into two halves,
and for each of the 16 rounds of DES, a left circular
shift is performed (either one or two shifts depending on

DES Key Schedule the round). After shifting, a Permuted Choice 2 (PC-2)
operation is applied to produce the 48-bit round keys
(K1 to K16).

Key Usage: Each of these round keys is used in the

corresponding round of the DES encryption and
decryption processes. During decryption, the order of

forms subkeys used in each round these keys is reversed, using K16 for the first round,
K15 for the second, and so on, effectively reversing the
encryption process.

Key scheduling in the Data Encryption

● initial permutation of the key (PC1) which
Standard (DES) is a crucial process that
selects 56-bits in two 28-bit halves
transforms a 64-bit key into a series of 48-bit
round keys used during the encryption and
decryption processes. Here’s a breakdown of
its role:
● 16 stages consisting of:
Key Reduction: The original 64-bit key is first
reduced to a 56-bit effective key by removing
•rotating each half separately either 1 or 2 places
specific bits (the 8 parity bits). This 56-bit key is
then used for further processing.
depending on the key rotation schedule K
Permuted Choice: The reduced key undergoes
a Permuted Choice 1 (PC-1) operation, which
selects and rearranges bits to create the 56-bit•selecting 24-bits from each half & permuting them by
key. This is followed by a left circular shift
operation, which prepares the key for
generating round keys.
PC2 for use in round function F
note practical use issues in h/w vs s/w
DES Key Schedule
 DES Decryption
decrypt must unwind steps of data computation
with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
● IP undoes final FP step of encryption
● 1st round with SK16 undoes 16th encrypt round
● ….
● 16th round with SK1 undoes 1st encrypt round
● then final FP undoes initial encryption IP
● thus recovering original data value
DES Round Decryption
The decryption process in the Data Encryption
Standard (DES) is essentially the reverse of the
encryption process. Here’s how it works: DES Example
1. **Input**: The decryption process begins with the
ciphertext, which is a 64-bit block of data that was
previously encrypted.

2. **Initial Permutation**: The ciphertext is first

subjected to an initial permutation (IP), which
rearranges the bits in a specific order. This step is
necessary to prepare the data for the subsequent
rounds.

3. **Round Keys**: In encryption, the round keys

(K1 to K16) are applied in a specific order. For
decryption, the order of these keys is reversed.
This means that K16 is used for the first round,
K15 for the second, and so on, down to K1 for
the last round.

4. **Rounds of Processing**: The decryption

process consists of 16 rounds, similar to
encryption. Each round involves:
- Splitting the data into two halves (left and
right).
- Applying the round function, which uses the
current round key and involves expansion,
substitution, and permutation operations.
- The output from the round function is then
combined with the left half of the data using an
XOR operation, and the halves are swapped.

5. **Final Permutation**: After completing all 16

rounds, the final output is subjected to an inverse
initial permutation (IP-1), which rearranges the
bits back to their original order.

6. **Output**: The result of this process is the

original plaintext, effectively reversing the
encryption.
 Avalanche Effect
key desirable property of encryption algo
where a change of one input or key bit
results in changing approx half output bits
making attempts to “home-in” by guessing
keys impossible
DES exhibits strong avalanche
The Avalanche Effect in DES
The Avalanche effect is a desirable property of encryption algorithms where a small change (such as flipping a single bit) in the plaintext or key results in a significant change in the ciphertext. DES
exhibits a strong Avalanche effect—changing one bit in the plaintext or key leads to approximately 34-35 bit changes in the ciphertext on average. This makes it difficult for attackers to identify
patterns in encrypted data.
 2. **The Strength of DES**
The strength of DES is evaluated based on three main factors:
- **Key Size**: DES uses a **56-bit key**, making the key space large
but still vulnerable to brute-force attacks.

Avalanche in DES- **Algorithm Structure**: DES includes multiple complex components

like **initial permutation, 16 rounds of Feistel structure, expansion
tables, substitution (S-boxes), permutations, and final permutation**,
adding layers of security.
- **Resistance to Timing Attacks**: DES is **fairly resistant to timing
attacks**, meaning attackers cannot easily extract useful information
based on the time taken to perform encryption or decryption.

3. **The Use of the 56-bit Key in DES and Brute-Force Attack on DES**
DES uses a **56-bit key**, which means there are **2 possible keys
(around 7.2 × 10¹ keys)**. In a brute-force attack, an attacker attempts
every possible key until the correct one is found. While this was
computationally expensive in the past, advancements in computing
power have made brute-force attacks feasible. DES was cracked in
**less than three days** using a specialized hardware-based DES
cracker that cost under **$250,000**. As a result, DES is considered
**insecure** for modern applications.
 Strength of DES – Key Size
Refer word docx
56-bit keys have 256 = 7.2 x 1016 values
brute force search looks hard
recent advances have shown is possible
● in 1997 on Internet in a few months
● in 1998 on dedicated h/w (EFF) in a few days
● in 1999 above combined in 22hrs!
still must be able to recognize plaintext
must now consider alternatives to DES
 Strength of DES – Analytic
Attacks
now have several analytic attacks on DES
these utilise some deep structure of the cipher
● by gathering information about encryptions
● can eventually recover some/all of the sub-key bits
● if necessary then exhaustively search for the rest
generally these are statistical attacks
● differential cryptanalysis
● linear cryptanalysis
● related key attacks
 The Use of the 56-bit Key in DES and
Brute-Force Attack on DES

Strength of DES – Timing DES uses a 56-bit key, which means there are
2 possible keys (around 7.2 × 10¹ keys). In a
brute-force attack, an attacker attempts every
possible key until the correct one is found.

Attacks While this was computationally expensive in

the past, advancements in computing power
have made brute-force attacks feasible. DES
was cracked in less than three days using a
specialized hardware-based DES cracker that
cost under $250,000. As a result, DES is
considered insecure for modern applications.
attacks actual implementation of cipher The Nature of the DES Algorithm
DES is a block cipher that encrypts 64-bit
plaintext blocks using a 16-round Feistel
use knowledge of consequences of structure.
The Use of the 56-bit Theand
Key in DES encryption
Brute-Forceprocess
Attack onincludes:
attack, an attacker
Initial Permutation
DES
DES uses a 56-bit key, which means there are 2 possible keys (around 7.2
× 10¹ keys). In a brute-force (IP) attempts every possible key
until the correct one is found. While this was computationally expensive in
16 Rounds of Feistel
powerFunction
have made(including
implementation to derive information about
the past, advancements
feasible. DES wasexpansion,
hardware-based DES
considered insecure
in computing

XOR that
for modern
Final
S-box
cracked in less
andcracker withcost
substitution,
than three
round
under
applications.
Permutation
keys)
brute-force attacks
days usingpermutation,
a specialized
$250,000. As a result, DES is
(Inverse IP)

some/all subkey bits DESAlgorithm

The Nature of the DES
were
about
Feistel structure. The
relies on S-boxes for substitution, which
DES is a block cipher thatinitially
encryptskept
potential
encryption
secret,
64-bit raising
plaintext
weaknesses.
process
blocks suspicions
using a 16-round
includes: Over time,
vulnerabilities in the S-boxes were discovered,
Initial Permutation making
(IP) DES susceptible to cryptanalysis.
specifically use fact that calculations can
16 Rounds of Feistel Function (including expansion, S-box substitution,
permutation, and XOR with Attack
Final Permutation A
Timing
(Inverse
perform
DES relies on S-boxes
and Resistance of DES
round keys)
timingIP)attack analyzes the time taken to
encryption
for substitution, or decryption
which were initially operations
kept secret, to

take varying times depending on the value

raising suspicions infer
about information
potential weaknesses.
about the Over time,
key or vulnerabilities
plaintext. in
the S-boxes were discovered,
While some making DES susceptible
encryption algorithms to cryptanalysis.
are
Timing Attack and Resistance of DES
vulnerable
A timing attack analyzes totaken
the time this type of attack,
to perform DES
encryption or is fairly
decryption
operations to infer resistant
informationdueabouttothe
itskey
structure. However,
or plaintext. While somemodern

of the inputs to it alternatives

encryption algorithms liketoAES
are vulnerable
resistant due to itsStandard)
structure. However,
and Triple
(Advanced
this type
modern DES
of attack, Encryption
alternatives
DES is fairly
(3DES) like
(Advanced Encryption Standard) and Triple DES (3DES) provide stronger
stronger
security against such attacks. security against such attacks.
AES
provide

particularly problematic on smartcards

 Differential Cryptanalysis
one of the most significant recent (public)
advances in cryptanalysis
known by NSA in 70's cf DES design
Murphy, Biham & Shamir published in 90’s
powerful method to analyse block ciphers
used to analyse most current block ciphers
with varying degrees of success
DES reasonably resistant to it, cf Lucifer
 Differential Cryptanalysis
a statistical attack against Feistel ciphers
uses cipher structure not previously used
design of S-P networks has output of
function f influenced by both input & key
hence cannot trace values back through
cipher without knowing value of the key
differential cryptanalysis “eliminates” key
by using differenced input
 Differential Cryptanalysis
Compares Pairs of Encryptions
differential cryptanalysis compares two
related pairs of encryptions
with a known difference in the input
searching for a known difference in output
when same subkeys are used
 Differential Cryptanalysis
Compares Pairs of Encryptions
Let mi-1 be the left half of the input to round
i, and mi be the right half

f(mi,Ki) = P(S(Ki XOR E(mi))), where P is

the PBox transposition, S is the Sbox
substitution, and E is the expansion perm.
Differential Cryptanalysis Takes
Advantage of Linearity
f(mi,Ki) = P(S(Ki XOR E(mi))), where P is the
PBox transposition, S is the Sbox
substitution, and E is the expansion perm.
So E(mi) XOR E(m’i) = E(mi XOR m’i), i.e.,
the expansion permutation preserves
differences (E is linear)
XOR with Ki also preserves differences
E changes the input in a known way, so
difference changes in known way
Differential Cryptanalysis Takes
Advantage of Non-Uniformity
For all pairs of inputs with the same
difference, compute differences in output
Build a table with Δx as row index and Δy as
column index, with frequency in cells (i.e.,
T(Δx,Δy) = # times inputs x and x’ have
outputs y and y’
with Δx = x XOR x’ and Δy = y XOR y’
Rows have non-uniformity, so some output
differences are more likely than others for a
given input difference
 Differential Cryptanalysis
have some input difference giving some
output difference with probability p
if find instances of some higher probability
input / output difference pairs occurring
can infer subkey that was used in round
then must iterate process over many
rounds (with decreasing probabilities)
Refer word docx
Differential Cryptanalysis
 Differential Cryptanalysis
perform attack by repeatedly encrypting plaintext pairs
with known input XOR until obtain desired output XOR
when found
● if intermediate rounds match required XOR have a right pair
● if not then have a wrong pair, relative ratio is S/N for attack
can then deduce keys values for the rounds
● right pairs suggest same key bits
● wrong pairs give random values
for large numbers of rounds, probability is so low that
more pairs are required than exist with 64-bit inputs
Biham and Shamir have shown how a 13-round iterated
characteristic can break the full 16-round DES
 Linear Cryptanalysis
another recent development
also a statistical method
must be iterated over rounds, with
decreasing probabilities
developed by Matsui et al in early 90's
based on finding linear approximations
can attack DES with 243 known plaintexts,
easier but still in practise infeasible
 Linear Cryptanalysis
Refer word docx
find linear approximations with prob p != ½
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] =
K[k1,k2,...,kc]
where ia,jb,kc are bit locations in P,C,K
gives linear equation for key bits
get one key bit using max likelihood alg
using a large number of trial encryptions
effectiveness given by: |p–1/2|
 DES Design Criteria
as reported by Coppersmith in [COPP94]
7 criteria for S-boxes provide for
● non-linearity
● resistance to differential cryptanalysis
● good confusion
3 criteria for permutation P provide for
● increased diffusion
 Block Cipher Design
basic principles still like Feistel’s in 1970’s
number of rounds
● more is better – make exhaustive search best
attack
function f:
● provides “confusion”, is nonlinear, avalanche
● have issues of how S-boxes are selected
key schedule
● complex subkey creation, key avalanche
AES Origins
• clear a replacement for DES was needed
• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001
The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
• processes data as block of 4 columns of 4 bytes
• operates on entire data block in every round
• designed to have:
• resistance against known attacks
• speed and code compactness on many CPUs
• design simplicity
 AES
Encryption
Process

Refer word docx

AES Structure
data block of 4 columns of 4 bytes is state
key is expanded to array of words
has 9/11/13 rounds in which state undergoes:
● byte substitution (1 S-box used on every byte)
● shift rows (permute bytes between groups/columns)
● mix columns (subs using matrix multiply of groups)
● add round key (XOR state with key material)
● view as alternating XOR key & scramble data bytes
initial XOR key material & incomplete last round
with fast XOR & table lookup implementation
AES Structure Refer word docx
Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
1. four words form round key in each round
3. 4 different stages are used as shown
4. has a simple structure
5. only AddRoundKey uses key
6. AddRoundKey a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages
Substitute Bytes
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256
8-bit values
• each byte of state is replaced by byte indexed by row (left 4-bits) &
column (right 4-bits)
• eg. byte {95} is replaced by byte in row 9 column 5
• which has value {2A}
• S-box constructed using defined transformation of values in GF(28)
• designed to be resistant to all known attacks
Substitute Bytes Refer word docx
Substitute Bytes Example
Shift Rows
• a circular byte shift in each each
• 1st row is unchanged
• 2nd row does 1 byte circular shift to left
• 3rd row does 2 byte circular shift to left
• 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step permutes bytes
between the columns
Shift Rows Refer word docx
Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the
column
• effectively a matrix multiplication in GF(28) using prime poly m(x)
=x8+x4+x3+x+1
Mix Columns Refer word docx
Mix Columns Example
AES Arithmetic
• uses arithmetic in the finite field GF(28)
• with irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
which is (100011011) or {11b}
• e.g.
{02} • {87} mod {11b} = (1 0000 1110) mod {11b}
= (1 0000 1110) xor (1 0001 1011) = (0001 0101)
Mix Columns
• can express each col as 4 equations
• to derive each new byte in col
• decryption requires use of inverse matrix
• with larger coefficients, hence a little harder
• have an alternate characterisation
• each column a 4-term polynomial
• with coefficients in GF(28)
• and polynomials multiplied modulo (x4+1)
• coefficients based on linear code with maximal
distance between codewords
Add Round Key
XOR state with 128-bits of the round key
again processed by column (though effectively a series of byte
operations)
inverse for decryption identical
● since XOR own inverse, with reversed keys
designed to be as simple as possible
● a form of Vernam cipher on expanded key
● requires other stages for complexity / security
Add Round Key Refer word docx
AES Round
AES Key Expansion
takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit
words
start by copying key into first 4 words
then loop creating words that depend on values in previous & 4
places back
● in 3 of 4 cases just XOR these together
● 1st word in 4 has rotate + S-box + XOR round constant on previous, before
XOR 4th back
AES Key Expansion
Refer
word docx
Key Expansion Rationale
• designed to resist known attacks
• design criteria included
• knowing part key insufficient to find many more
• invertible transformation
• fast on wide range of CPU’s
• use round constants to break symmetry
• diffuse key bits into round keys
• enough non-linearity to hinder analysis
• simplicity of description
AES Example
Key
Expansion
AES Example
Encryption
AES Example
Avalanche
AES Decryption
• AES decryption is not identical to encryption since steps done in
reverse
• but can define an equivalent inverse cipher with steps as for
encryption
• but using inverses of each step
• with a different key schedule
• works since result is unchanged when
• swap byte substitution & shift rows
• swap mix columns & add (tweaked) round key
AES Decryption Refer word docx
Implementation Aspects
• can efficiently implement on 8-bit CPU
• byte substitution works on bytes using a table of 256 entries
• shift rows is simple byte shift
• add round key works on byte XOR’s
• mix columns requires matrix multiply in GF(28) which works on byte values,
can be simplified to use table lookups & byte XOR’s
Implementation Aspects
can efficiently implement on 32-bit CPU
● redefine steps to use 32-bit words
● can precompute 4 tables of 256-words
● then each column in each round can be computed using 4 table lookups + 4
XORs
● at a cost of 4Kb to store tables
designers believe this very efficient implementation was a key factor
in its selection as the AES cipher
Thank you