Chapter 5

Introduction to
Modern Symmetric-key
Ciphers

5.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
 Chapter 5
Objectives

❑ To distinguish between traditional and modern

symmetric-key ciphers.
❑ To introduce modern block ciphers and discuss
their characteristics.
❑ To explain why modern block ciphers need to
be designed as substitution ciphers.
❑ To introduce components of block ciphers such as
P-boxes and S-boxes.

5.2
 Chapter 5
Objectives (Continued)
❑ To discuss product ciphers and distinguish
between two classes of product ciphers:
Feistel and non-Feistel ciphers.
❑ To discuss two kinds of attacks particularly
designed for modern block ciphers: differential
and linear cryptanalysis.
❑ To introduce stream ciphers and to distinguish
between synchronous and nonsynchronous stream
ciphers.
❑ To discuss linear and nonlinear feedback
shift registers for implementing stream
5.3 ciphers.
 5-1 MODERN BLOCK CIPHERS

A symmetric-key modern block cipher encrypts an

n-bit block of plaintext or decrypts an n-bit block of
ciphertext. The encryption or decryption algorithm
uses a k-bit key.

Topics discussed in this section:

1. Substitution or Transposition
2. Block Ciphers as Permutation Groups
3. Components of a Modern Block Cipher
4. Product Ciphers
5. Two Classes of Product Ciphers
6. Attacks on Block Ciphers
5.4
5.1 Continued

Figure 5.1 A modern block

cipher

5.5
5.6
5.1 Continued
Example 5.1
How many padding bits must be added to a message of 100
characters if 8-bit ASCII is used for encoding and the block
cipher accepts blocks of 64 bits?

Solution
Encoding 100 characters using 8-bit ASCII results in an 800-
bit message. The plaintext must be divisible by 64. If | M | and
|Pad| are the length of the message and the length of
the padding,

5.7
 5.1.1 Substitution or Transposition

A modern block cipher can be designed to act as a

substitution cipher or a transposition cipher.

Note

To be resistant to exhaustive-search attack,

a modern block cipher needs to be
designed as a substitution cipher.

5.8
 5.1.1 Continued
Example 5.2
Suppose that we have a block cipher where n = 64. If there
are 10 1’s in the ciphertext, how many trial-and-error tests
does Eve need to do to recover the plaintext from the
intercepted ciphertext in each of the following cases?
a. The cipher is designed as a substitution cipher.
b. The cipher is designed as a transposition cipher.

Solution
c. In the first case, Eve has no idea how many 1’s are in the
plaintext. Eve needs to try all possible 264 64-bit blocks to
find one that makes sense.
d. In the second case, Eve knows that there are exactly 10 1’s
in the plaintext. Eve can launch an exhaustive-
search attack using only those 64-bit blocks that have
5.9
exactly 10 1’s.
 5.1.2 Block Ciphers as Permutation
Groups
Is a modern block cipher a group?
Full-Size Key Transposition Block Ciphers
In a full-size key transposition cipher We need to have n!
possible keys, so the key should have log2 n! bits.
Example 5.3

Show the model and the set of permutation tables for a 3-bit
block transposition cipher where the block size is 3 bits.

Solution
The set of permutation tables has 3! = 6 elements, as shown in
Figure 5.2.
5.10
 5.1.2 Continued

Figure 5.2 A transposition block cipher modeled as a

permutation

5.11
 5.1.2 Continued

Full-Size Key Substitution Block Ciphers

A full-size key substitution cipher does not transpose bits;
it substitutes bits. We can model the substitution cipher as
a permutation if we can decode the input and encode the
output.

Example 5.4

Show the model and the set of permutation tables for a 3-bit
block substitution cipher.
Solution
Figure 5.3 shows the model and the set of permutation tables.
The key is also much longer, log240,320 = 16 bits.
5.12
 5.1.2 Continued

Figure 5.3 A substitution block cipher model as a

permutation

5.13
 5.1.2 Continued

Note

A full-size key n-bit transposition cipher or

a substitution block cipher can be modeled
as a permutation, but their key sizes are
different:
 Transposition: the key is log2n! bits
long.
Note
 Substitution: the key is log2(2n)! bits
long.
A partial-key cipher is a group under
the composition operation if it is a
subgroup of the corresponding full-size
5.14
key cipher.
 5.1.3 Components of a Modern Block
Cipher
Modern block ciphers normally are keyed substitution
ciphers in which the key allows only partial mappings
from the possible inputs to the possible outputs.

P-Boxes
A P-box (permutation box) parallels the traditional
transposition cipher for characters. It transposes bits.

5.15
 5.1.3 Continued

Figure 5.4 Three types of P-boxes

5.16
5.17
5.18
5.19
 5.1.3 Continued

Example 5.5
Figure 5.5 shows all 6 possible mappings of a 3 × 3 P-box.

Figure 5.5 The possible mappings of a 3 × 3 P-box

5.20
 5.1.3
Continued
Straight P-Boxes

Table 5.1 Example of a permutation table for a straight P-

box

5.21
 5.1.2 Continued

Example 5.6
Design an 8 × 8 permutation table for a straight P-box that
moves the two middle bits (bits 4 and 5) in the input word to
the two ends (bits 1 and 8) in the output words. Relative
positions of other bits should not be changed.

Solution
We need a straight P-box with the table [4 1 2 3 6 7 8
5].
The relative positions of input bits 1, 2, 3, 6, 7, and 8 have not
been changed, but the first output takes the fourth input and
the eighth output takes the fifth input.

5.22
 5.1.3 Continued
Compression P-Boxes

A compression P-box is a P-box with n inputs and m

outputs where m < n.

Table 5.2 Example of a 32 × 24 permutation

table

Compression P-boxes are used when we need to permute bits and

the same time decrease the number of bits for the next stage.
5.23
 5.1.3
Continued
Compression P-Box

Table 5.2 Example of a 32 × 24 permutation

table

5.24
 5.1.3 Continued
Expansion P-Boxes

An expansion P-box is a P-box with n inputs and m

outputs where m > n.

Table 5.3 Example of a 12 × 16 permutation

table

Expansion P-boxes are used when we need to permute

bits and the same time increase the number of bits for
the next stage

5.25
 5.1.3
Continued
P-Boxes: Invertibility

Note
A straight P-box is invertible, but compression and
expansion P-boxes are not.

5.26
 5.1.3 Continued

Example 5.7
Figure 5.6 shows how to invert a permutation table
represented as a one-dimensional table.
Figure 5.6 Inverting a
permutation table

5.27
 5.1.3 Continued

Figure 5.7 Compression and expansion P-boxes are non-

invertible

5.28
 5.1.3 Continued

S-Box
An S-box (substitution box) can be thought of as a
miniature substitution cipher.

Note
An S-box is an m × n substitution unit, where m and
n are not necessarily the same.

5.29
 5.1.3 Continued
Example 5.8
In an S-box with three inputs and two outputs, we have

The S-box is linear because a1,1 = 1

= a1,2 = a1,3 = a2,1
and = 0. The relationship can be represented by
a2,2 = a2,3
matrices, as shown below:

5.30
 5.1.3 Continued
Example 5.9
In an S-box with three inputs and two outputs, we have

where multiplication and addition is in GF(2). The S-box is

nonlinear because there is no linear relationship between the
inputs and the outputs.

5.31
 5.1.3 Continued
Example 5.10
The following table defines the input/output relationship for
an S-box of size 3 × 2. The leftmost bit of the input defines the
row; the two rightmost bits of the input define the column.
The two output bits are values on the cross section of the
selected row and column.

Based on the table, an input of 010 yields the output 01. An

input of 101 yields the output of 00.
5.32
5.33
 5.1.3 Continued
S-Boxes: Invertibility
S-boxes are substitution ciphers in which the relationship
between input and output is defined by a table or
mathematical relation. An S-box may or may not be
invertible.

In an invertible S-box, the number of input bits should be

the same as the number of output bits.

5.34
 5.1.3 Continued

Example 5.11
Figure 5.8 shows an example of an invertible S-box. For
example, if the input to the left box is 001, the output is 101.
The input 101 in the right table creates the output 001, which
shows that the two tables are inverses of each other.

Figure 5.8 S-box tables for Example 5.11

5.35
5.36
 5.1.3 Continued

Exclusive-Or
An important component in most block ciphers is the
exclusive-or operation.

Figure 5.9 Invertibility of the exclusive-or operation

5.37
 5.1.3 Continued
Exclusive-Or (Continued)

An important component in most block ciphers is the

exclusive-or operation. As we discussed in Chapter 4,
addition and subtraction operations in the GF(2n) field
are performed by a single operation called the exclusive-
or (XOR).

The five properties of the exclusive-or operation in the

GF(2n) field makes this operation a very interesting
component for use in a block cipher: closure,
associativity, commutativity, existence of identity, and
existence of inverse.

5.38
 If x is the complement of x, x xor x(bar) is 1
5.39
 5.1.3 Continued
Exclusive-Or (Continued)

The inverse of a component in a cipher makes sense if the

component represents a unary operation (one input and
one output). For example, a keyless P-box or a keyless S-
box can be made invertible because they have one input
and one output. An exclusive operation is a binary
operation. The inverse of an exclusive-or operation can
make sense only if one of the inputs is fixed (is the same
in encryption and decryption). For example, if one of the
inputs is the key, which normally is the same in
encryption and decryption, then an exclusive-or operation
is self-invertible, as shown in Figure 5.9.

5.40
 5.1.1 Continued
Figure 5.9 Invertibility of the exclusive-or
operation

5.41
 5.1.3 Continued

Circular Shift
Another component found in some modern block ciphers
is the circular shift operation.

Figure 5.10 Circular shifting an 8-bit word to the left or right

5.42
 5.1.3 Continued

Swap
The swap operation is a special case of the circular shift
operation where k = n/2.

Figure 5.11 Swap operation on an 8-bit word

5.43
 5.1.3 Continued
Split and Combine

Two other operations found in some block ciphers are

split and combine.

Figure 5.12 Split and combine operations on an 8-bit

word

5.44
 5.1.3 Continued
Figure 5.12 Split and combine operations on an 8-bit
word

5.45
 5.1.4 Product Ciphers

Shannon introduced the concept of a product cipher. A

product cipher is a complex cipher combining
substitution, permutation, and other components
discussed in previous sections.

5.46
 5.1.4 Continued

Diffusion
The idea of diffusion is to hide the relationship between
the ciphertext and the plaintext.

Note
Diffusion hides the relationship between the
ciphertext and the plaintext.

5.47
 5.1.4 Continued

Confusion
The idea of confusion is to hide the relationship between
the ciphertext and the key.

Note
Confusion hides the relationship between the
ciphertext and the key.

5.48
 5.1.4 Continued

Rounds
Diffusion and confusion can be achieved using iterated
product ciphers where each iteration is a combination of
S-boxes, P-boxes, and other components.

5.49
 5.1.4 Continued
Figure 5.13 A product cipher made of two rounds
The 8-bit text is mixed with the key to
whiten the text (hide the bits using
the key). This is normally done by
exclusive-oring the 8-bit word with
the 8-bit key.

The outputs of the whitener are

organized into four 2-bit groups and
are fed into four S-boxes. The values
of bits are changed based on the
structure of the S-boxes in this
transformation.

The outputs of S-boxes are passed

through a P-box to permute the bits
so that in the next round each box
receives different inputs.
5.50
Fi
gu r e 5 . 14
5 . 1 .4 CDoiffnustIn
i othen first round, bit 8, after being
in
exclusive-ored with the
corresponding bit of K1, affects two
an d confusion in a block cipher
u ed bits (bits 7 and 8) through S-box 4.
Bit 7 is permuted and becomes bit 2;
bit 8 is permuted and becomes bit 4.
After the first round, bit 8 has
affected bits 2 and 4. In the second
round, bit 2, after being exclusive-
ored with the corresponding bit of
K2, affects two bits (bits 1 and 2)
through S-box 1. Bit 1 is permuted
and becomes bit 6; bit 2 is permuted
and becomes bit 1. Bit 4, after being
exclusiveored with the corresponding
bit in K2, affects bits 3 and 4. Bit 3
remains the same; bit 4 is permuted
and becomes bit 7. After the second
round, bit 8 has affected bits 1, 3, 6,
and 7.
 The four bits of ciphertext, bits 1, 3, 6, and 7, are
affected by three bits in the key (bit 8 in K1 and
bits 2 and 4 in K2)

each bit in each round key affects several bits in

the ciphertext. The relationship between
ciphertext bits and key bits is obscured.

5.52
 5.1.5 Two Classes of Product
Ciphers
Modern block ciphers are all product ciphers, but they
are divided into two classes.

1. Feistel ciphers

2. Non-Feistel ciphers

5.53
 5.1.5 Continued

Figure 5.15 The first thought in Feistel cipher

design

Note
Diffusion hides the relationship between the
ciphertext and the plaintext.
5.54
 5.1.5 Continued

Feistel Ciphers
Feistel designed a very intelligent and interesting cipher
that has been used for decades. A Feistel cipher can have
three types of components: self-invertible, invertible, and
noninvertible.

5.55
 5.1.3 Continued
Example 5.12
This is a trivial example. The plaintext and ciphertext are
each 4 bits long and the key is 3 bits long. Assume that the
function takes the first and third bits of the key, interprets
these two bits as a decimal number, squares the number, and
interprets the result as a 4-bit binary pattern. Show the
results of encryption and decryption if the original plaintext
is 0111 and the key is 101.
Solution
The function extracts the first and second bits to get 11 in
binary or 3 in decimal. The result of squaring is 9, which is
1001 in binary.

5.56
 5.1.5 Continued
Figure 5.16 Improvement of the previous Feistel
design

5.57
5.58
 Figure 5.17 Final design of a Feistel cipher with two
rounds

increase the number of

rounds. Second, add a
new element to each
round: a swapper. The
effect of the swapper in
the encryption round is
canceled by the effect of
the swapper in the
decryption round.

5.59
5.60
5.61
 5.1.5 Blowfish with one round

5.62
 5.1.5 Continued

Non-Feistel Ciphers
A non-Feistel cipher uses only invertible components. A
component in the encryption cipher has the
corresponding component in the decryption cipher.

5.63
 5.1.6 Attacks on Block Ciphers

Attacks on traditional ciphers can also be used on modern

block ciphers, but today’s block ciphers resist most of the
attacks discussed in Chapter 3.

5.64
 5.1.5 Continued

Differential Cryptanalysis
Eli Biham and Adi Shamir introduced the idea of
differential cryptanalysis. This is a chosen-plaintext
attack.

5.65
 5.1.6 Continued
Example 5.13
Assume that the cipher is made only of one exclusive-or
operation, as shown in Figure 5.18. Without knowing the
value of the key, Eve can easily find the relationship between
plaintext differences and ciphertext differences if by plaintext
difference we mean P1  P2 and by ciphertext difference, we
mean C1 C2. The following proves that C1  C2 = P1  P2:

Figure 5.18 Diagram for Example

5.13

5.66
 5.1.6 Continued
Example 5.14
We add one S-box to Example 5.13, as shown in Figure 5.19.

Figure 5.19 Diagram for Example 5.14

5.67
 5.1.6 Continued
Example 5.14 Continued
Eve now can create a probabilistic relationship as shone in
Table 5.4.
Table 5.4 Differential input/output

5.68
 5.1.6 Continued
Example 5.15

The heuristic result of Example 5.14 can create probabilistic

information for Eve as shown in Table 5.5.

Table 5.5 Differential distribution table

5.69
 5.1.6 Continued
Example 5.16
Looking at Table 5.5, Eve knows that if P1  P2 = 001, then C1
 C2 = 11 with the probability of 0.50 (50 percent). She tries
C1 = 00 and gets P1 = 010 (chosen-ciphertext attack). She also
tries C2 = 11 and gets P2 = 011 (another chosen-
ciphertext attack). Now she tries to work backward, based
on the first pair, P1 and C1,

The two tests confirm that K = 011 or K =101.

5.70
 5.1.6 Continued

Note
Differential cryptanalysis is based on a nonuniform
differential distribution table of the S-boxes in a
block cipher.

Note
A more detailed differential cryptanalysis is
given in Appendix N.

5.71
 5.1.6 Continued

Linear Cryptanalysis
Linear cryptanalysis was presented by Mitsuru Matsui in
1993. The analysis uses known plaintext attacks.

5.72
 5.1.6 Continued
Figure 5.20 A simple cipher with a linear S-
box

5.73
 5.1.6 Continued

Solving for three unknowns, we get.

This means that three known-plaintext attacks can

find the values of k0, k1, and k2 .
5.74
 5.1.6 Continued

In some modern block ciphers, it may happen that some

S-boxes are not totally nonlinear; they can be
approximated, probabilistically, by some linear functions.

where 1 ≤ x ≤ m, 1 ≤ y ≤ n, and 1 ≤ z ≤ n.

Note
A more detailed linear cryptanalysis is given
in Appendix N.

5.75
 5-2 MODERN STREAM CIPHERS

In a modern stream cipher, encryption and decryption

are done r bits at a time. We have a plaintext bit stream
P = pn…p2 p1, a ciphertext bit
stream C = cn…c2 c1, and a key bit
streamK = kn…k2 k1, in which pi , ci , and ki
are r-bit words.

Topics discussed in this section:

1. Synchronous Stream Ciphers
2. Nonsynchronous Stream Ciphers

5.76
5.2 Continued
Figure 5.20 Stream cipher

Note
In a modern stream cipher, each r-bit word in the
plaintext stream is enciphered using an r-bit word
in the key stream to create the corresponding r-bit
word in the ciphertext stream.
5.77
 5.2.1 Synchronous Stream Ciphers

Note
In a synchronous stream cipher the key is
independent of the plaintext or ciphertext.

Figure 5.22 One-time pad

5.78
 5.2.1 Continued
Example 5.17
What is the pattern in the ciphertext of a one-time pad cipher
in each of the following cases?
a. The plaintext is made of n 0’s.
b. The plaintext is made of n 1’s.
c. The plaintext is made of alternating 0’s and 1’s.
d. The plaintext is a random string of bits.

Solution
a. Because 0  ki = ki , the ciphertext stream is the same as
the key stream. If the key stream is random, the
ciphertext is also random. The patterns in the plaintext
are not preserved in the ciphertext.
5.79
 5.2.1 Continued
Example 5.7 (Continued)

b. Because 1  ki = ki where ki is the complement of ki , the

ciphertext stream is the complement of the key
stream. If the key stream is random, the ciphertext is
also random. Again the patterns in the plaintext are
not preserved in the ciphertext.
c. In this case, each bit in the ciphertext stream is either the
same as the corresponding bit in the key stream or the
complement of it. Therefore, the result is also a random
string if the key stream is random.
d. In this case, the ciphertext is definitely random because
the exclusive-or of two random bits results in a
random bit.

5.80
 5.2.1 Continued

Figure 5.23 Feedback shift register

(FSR)

5.81
 5.2.1 Continued
Example 5.18

Create a linear feedback shift register with 5 cells in which

b5 = b4  b2  b0 .

Solution
If ci = 0, bi has no role in calculation of bm. This means that bi
is not connected to the feedback function. If ci = 1, bi is
involved in calculation of bm. In this example, c1 and c3 are
0’s, which means that we have only three connections. Figure
5.24 shows the design.

5.82
 5.2.1 Confidentiality
Figure 5.24 LSFR for Example 5.18

5.83
 5.2.1 Continued
Example 5.19
Create a linear feedback shift register with 4 cells in which
b4 = b1  b0. Show the value of output for 20
transitions (shifts) if the seed is (0001)2.

Solution
Figure 5.25 LFSR for Example 5.19

5.84
 5.2.1 Continued
Example 5.19 (Continued)

Table 4.6 Cell values and key sequence for Example

5.19

5.85
 5.2.1 Continued
Example 5.19 (Continued)

Table 4.6 Continued

5.86
 5.2.1 Continued
Example 5.19 (Continued)
Note that the key stream is 100010011010111 10001…. This
looks like a random sequence at first glance, but if we go
through more transitions, we see that the sequence is
periodic. It is a repetition of 15 bits as shown below:

The key stream generated from a LFSR is a pseudorandom

sequence in which the the sequence is repeated after N bits.

Note
The maximum period of an LFSR is to 2m − 1.

5.87
 5.2.1 Continued
Example 5.20

The characteristic polynomial for the LFSR in Example 5.19

is (x4 + x + 1), which is a primitive polynomial. Table 4.4
(Chapter 4) shows that it is an irreducible polynomial. This
polynomial also divides (x7 + 1) = (x4 + x + 1) (x3 + 1), which
means e = 23 − 1 = 7.

5.88
 5.2.2 Nonsynchronous Stream
Ciphers
In a nonsynchronous stream cipher, each key in the key
stream depends on previous plaintext or ciphertext.

Note
In a nonsynchronous stream cipher, the key
depends on either the plaintext or ciphertext.

5.89