Unit-II-CNS PPT

The document discusses symmetric and asymmetric key ciphers, focusing on block and stream ciphers, particularly the Feistel cipher structure and the Data Encryption Standard (DES). It explains the principles of block ciphers, the importance of diffusion and confusion in encryption, and details the S-DES and AES algorithms, including their encryption and decryption processes. The document also highlights design principles for block ciphers and the significance of the avalanche effect in ensuring security.

Uploaded by

Latharao Salanke
UNIT-II
Symmetric and Asymmetric Key Ciphers
Dr. Nalini N
Professor in CSE
Block vs Stream Ciphers

Block Cipher
• A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
• Typical block size: 64 – 128 bits
• Examples: Data Encryption Standard (DES) (64-bit block), Advanced Encryption Standard (AES) (128-bit block)
Stream Cipher
• Processes messages a bit or byte at a time
• Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher.
Block Cipher Principles
Motivation for the Feistel Cipher Structure

• A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits.
• There are 2^n possible different plaintext blocks.
• For the encryption to be reversible, each must produce a unique ciphertext block. Such a transformation is called reversible, or nonsingular.
• The following examples illustrate nonsingular and singular transformations for n = 2.
Ideal Block Cipher
General n-bit-n-bit Block Substitution (shown with n = 4)
• A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits.
Ideal Block Cipher Contd..
• Encryption and Decryption Tables for Substitution Cipher
Ideal Block Cipher - difficulties
• If a small block size, such as n = 4, is used, then the system is equivalent to a classical substitution cipher.
• An arbitrary reversible substitution cipher for a large block size is not practical.
• In general, for an n-bit ideal block cipher, the length of the key defined in this fashion is n × 2^n bits.
• Feistel suggests an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable, using the concept of a product cipher.
The Feistel Cipher
• Feistel proposed the use of a cipher that alternates substitutions and permutations.
Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements.
Permutation: A sequence of plaintext elements is replaced by a permutation of that sequence.
• This is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions.
Diffusion and Confusion
• In diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext.
• An example of diffusion is to encrypt a message M = m1, m2, m3, . . . of characters with an averaging operation:
• Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, to prevent attempts to discover the key.
• This is achieved by the use of a complex substitution algorithm.
Feistel Cipher Structure
• The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
• The two halves of the plaintext pass through n rounds of processing and then combine to produce the ciphertext block.
• Each round i has as inputs:
■ L_{i-1} and R_{i-1}, derived from the previous round
■ A subkey K_i, derived from the overall key K
• A substitution is performed on the left half of the data.
• This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data.
F(RE_i, K_{i+1}).
• Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data.
The exact realization of a Feistel network depends on the choice of the following parameters and design features:
• Block size
• Key size
• Number of rounds
• Subkey generation algorithm
• Round function F
There are two other considerations in the design of a Feistel cipher:
• Fast software encryption/decryption: The speed of execution of the algorithm becomes a concern.
• Ease of analysis: If the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength.
FEISTEL DECRYPTION ALGORITHM
• Use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order.
• At every round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped.
• Let the output of the ith encryption round be LE_i||RE_i; then the corresponding output of the (16 – i)th decryption round is RE_i||LE_i or, equivalently, LD_{16-i}||RD_{16-i}.
• After the last iteration of the encryption process, the two halves of the output are swapped, giving the ciphertext.
• Now take that ciphertext and use it as input to the same algorithm.
• The input to the first round is RE_16||LE_16, which is equal to the 32-bit swap of the output of the sixteenth round of the encryption process.
• The output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process.
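Added example (not part of the original slides): a 16-round Feistel network with w = 32 that checks the decryption property stated above, namely that the output of decryption round 16 - i equals RE_i||LE_i. The round function and key schedule are toy constructions based on SHA-256, chosen as assumptions for illustration; they are not DES, and F is deliberately not invertible.

```python
import hashlib

W = 32                      # half-block width w, so the block is 2w = 64 bits
MASK = (1 << W) - 1
ROUNDS = 16                 # matches the 16-round discussion above


def round_function(right: int, subkey: bytes) -> int:
    """Toy F (assumption): truncated SHA-256 of K_i || R. Not invertible."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def make_subkeys(key: bytes) -> list:
    """Toy key schedule (assumption): K_i = SHA-256(key || i), i = 1..16."""
    return [hashlib.sha256(key + bytes([i])).digest()
            for i in range(1, ROUNDS + 1)]


def feistel(block: int, subkeys: list) -> tuple:
    """Run all rounds; return (output block, [(L_i, R_i) after each round])."""
    left, right = block >> W, block & MASK
    trace = []
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
        trace.append((left, right))
    # Final 32-bit swap of the two halves: the output is R_16 || L_16.
    return (right << W) | left, trace


def encrypt(block: int, key: bytes) -> tuple:
    return feistel(block, make_subkeys(key))


def decrypt(block: int, key: bytes) -> tuple:
    # Same algorithm, subkeys in reverse order (K_16 first).
    return feistel(block, make_subkeys(key)[::-1])


def swapped_trace_matches(enc_trace: list, dec_trace: list) -> bool:
    """True if LD_{16-i} || RD_{16-i} == RE_i || LE_i for i = 1..15."""
    for i in range(1, ROUNDS):
        le_i, re_i = enc_trace[i - 1]
        if dec_trace[ROUNDS - i - 1] != (re_i, le_i):
            return False
    return True


if __name__ == "__main__":
    key = b"constructed demo key"           # constructed sample key
    plaintext = 0x0123456789ABCDEF          # constructed sample block
    ciphertext, enc_trace = encrypt(plaintext, key)
    recovered, dec_trace = decrypt(ciphertext, key)
    print(f"ciphertext = {ciphertext:016x}")
    print("round trip ok:", recovered == plaintext)
    print("swapped intermediates:", swapped_trace_matches(enc_trace, dec_trace))
```

Decryption succeeds even though F cannot be inverted, because each round only XORs F's output into the other half.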
Simplified Data Encryption Standard
• Developed in 1996 as a teaching tool by Prof. Edward Schaefer, Santa Clara University
• Takes an 8-bit block of plaintext and a 10-bit key and produces an 8-bit block of ciphertext.
• Decryption takes the 8-bit block of ciphertext and the same 10-bit key and produces the original 8-bit block of plaintext.
S-DES Scheme
Five Functions used to Encrypt/Decrypt
• IP – an initial permutation
• fK – a complex function which involves both permutation and substitution operations and depends on a key input
• SW – swaps the two halves of the data
• fK – the complex function again
• IP⁻¹ – the inverse of the initial permutation
• The function fK takes as input the data and an 8-bit key.
• The key is first subjected to a permutation (P10).
• Then a shift operation is performed.
• The output of the shift operation then passes through a permutation function that produces an 8-bit output (P8) for the first subkey (K1).
• The output of the shift operation also feeds into another shift and another instance of P8 to produce the second subkey (K2).
Encryption algorithm can be expressed as a composition of functions:
S-DES Key generation
• S-DES depends on the use of a 10-bit key shared between sender and receiver.
• From this key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm.
• Then the permutation P10 is defined as:
• For example, the key (1010000010) is permuted to (1000001100).
• Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits and the second five bits.
• The result is (00001 11000).
S-DES Encryption
Initial and Final Permutations
• The input to the algorithm is an 8-bit block of plaintext, which we first permute using the IP function:
• This retains all 8 bits of the plaintext but mixes them up. At the end of the algorithm, the inverse permutation is used:
• The second permutation is indeed the reverse of the first; that is, IP⁻¹(IP(X)) = X.
The Function fK
• The function fK consists of a combination of permutation and substitution functions.
• Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fK, and let F be a mapping from 4-bit strings to 4-bit strings.

where SK is a subkey
• Suppose the output of the IP stage is (10111101) and F(1101, SK) = (1110) for some key SK. Then fK(10111101) = (01011101) because

• Mapping F: The input is a 4-bit number (n1n2n3n4). The first operation is an expansion/permutation operation:
• The result is depicted in this fashion:
• The first 4 bits are fed into the S-box S0 to produce a 2-bit output, and the remaining 4 bits are fed into S1 to produce another 2-bit output.
The two boxes are defined as follows:

The 4 bits produced by S0 and S1 undergo a further permutation as:

The output of P4 is the output of function F:
The Switch Function
• The function fK only alters the leftmost 4 bits of the input.
• The switch function (SW) interchanges the left and right 4 bits.
• The second instance of fK operates on a different 4 bits.
• In this second instance, the E/P, S0, S1, and P4 functions are the same. The key input is K2.
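Added example (not part of the original slides): the complete S-DES scheme described above, covering key generation, IP, fK, SW and IP⁻¹, using the permutation tables given on this page. The S0/S1 tables are not reproduced on the page (the figure is missing), so the standard S-DES S-boxes are filled in as an assumption; the plaintext in the demo is a constructed sample.

```python
# Permutation tables as given on the page (1-based bit positions).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
# Assumption: the S-box figure is missing from the page; these are the
# standard S-DES S0/S1 tables.
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits: str, table) -> str:
    return "".join(bits[i - 1] for i in table)


def rotl(bits: str, n: int) -> str:
    return bits[n:] + bits[:n]


def xor(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def subkeys(key10: str) -> tuple:
    """P10, then LS-1 and P8 for K1, then LS-2 and P8 for K2."""
    k = permute(key10, P10)
    left, right = rotl(k[:5], 1), rotl(k[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotl(left, 2), rotl(right, 2)
    return k1, permute(left + right, P8)


def sbox(bits4: str, box) -> str:
    row = int(bits4[0] + bits4[3], 2)       # bits 1 and 4 pick the row
    col = int(bits4[1] + bits4[2], 2)       # bits 2 and 3 pick the column
    return format(box[row][col], "02b")


def f_map(right4: str, sk: str) -> str:
    """Mapping F: E/P, XOR with the subkey, S0/S1, then P4."""
    t = xor(permute(right4, EP), sk)
    return permute(sbox(t[:4], S0) + sbox(t[4:], S1), P4)


def fk(bits8: str, sk: str, f=f_map) -> str:
    """fK(L, R) = (L XOR F(R, SK), R): only the left 4 bits change."""
    left, right = bits8[:4], bits8[4:]
    return xor(left, f(right, sk)) + right


def sw(bits8: str) -> str:
    return bits8[4:] + bits8[:4]


def crypt(block8: str, first: str, second: str) -> str:
    """IP, fK(first), SW, fK(second), IP^-1."""
    x = fk(permute(block8, IP), first)
    return permute(fk(sw(x), second), IP_INV)


def encrypt(plain8: str, key10: str) -> str:
    k1, k2 = subkeys(key10)
    return crypt(plain8, k1, k2)


def decrypt(cipher8: str, key10: str) -> str:
    k1, k2 = subkeys(key10)
    return crypt(cipher8, k2, k1)           # same steps, subkeys reversed


if __name__ == "__main__":
    key = "1010000010"                      # key used in the slides' P10 example
    print("K1, K2 =", subkeys(key))
    c = encrypt("01110010", key)            # constructed sample plaintext
    print("ciphertext =", c, "decrypts to", decrypt(c, key))
```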
Problems to Solve:
1. Discover the process of subkey generation in the S-DES algorithm with the input key 0010010111.
Given: P10: 3 5 2 7 4 10 1 9 8 6 and P8: 6 3 7 4 8 5 10 9
2. Using S-DES, encrypt the string (10100101) using the key (0010010111). Compute and show intermediate results after each function (IP, Ek, SW, Ek, IP⁻¹).
Given:
IP: 2 6 3 1 4 8 5 7
IP⁻¹: 4 1 3 5 7 2 8 6
E/P: 4 1 2 3 2 3 4 1
P10: 3 5 2 7 4 10 1 9 8 6
P4: 2 4 3 1
P8: 6 3 7 4 8 5 10 9
The Data Encryption Standard
• The 64-bit plaintext passes through an initial permutation (IP).
• This is followed by a phase consisting of 16 rounds of the same function.
• The output of the last (sixteenth) round consists of 64 bits.
• The left and right halves of the output are swapped to produce the preoutput.
• The preoutput is passed through a permutation (IP⁻¹) that is the inverse of the initial permutation function.
Single Round of DES Algorithm
Figure 3.6. Calculation of F(R, K)
Table 3.3. Definition of DES S-Boxes
The figure shows the substitution for row 0 of box S1.
The Avalanche Effect
• A change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.
• Two plaintexts that differ by one bit were used:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
10000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
with the key
0000001 1001011 0100100 1100010 0011100 0011000 0011100 0110010
• Table (a) shows that after just three rounds, 21 bits differ between the two blocks.
• On completion, the two ciphertexts differ in 34 bit positions.
• Table (b) shows a similar test in which a single plaintext is input:
01101000 10000101 00101111 01111010 00010011 01110110 11101011 10100100
with two keys that differ in only one bit position:
1110010 1111011 1101111 0011000 0011101 0000100 0110001 11011100
0110010 1111011 1101111 0011000 0011101 0000100 0110001 11011100
• The results show that about half of the bits in the ciphertext differ and that the avalanche effect is pronounced after just a few rounds.
The Strength of DES
The Use of 56-Bit Keys
A single machine performing one DES encryption per
microsecond would take more than a thousand years to break
the cipher.
The Nature of the DES Algorithm
Over the years a number of regularities and unexpected
behaviors of the S-boxes have been discovered.
Timing Attacks
An encryption or decryption algorithm often takes slightly
different amounts of time on different inputs.
Block Cipher Design Principles
Number of Rounds
• The number of rounds is chosen so that known cryptanalytic efforts
require greater effort than a simple brute-force key search attack.
Design of Function F
• One criterion is that F be nonlinear.
• The algorithm should have good avalanche properties.
Key Schedule Algorithm
• Select subkeys to maximize the difficulty of deducing individual
subkeys and the difficulty of working back to the main key.
The Advanced Encryption Standard (AES)
• Published by NIST in 2001.
Cipher
• Has 128/192/256-bit keys, 128-bit data
• Each round consists of four separate functions:
■ Byte substitution
■ Permutation
■ Arithmetic operations over a finite field
■ XOR with a key
• The final round contains only three transformations.
AES Encryption Process
AES Data Structures
AES General Structure
• The cipher takes a plaintext block size of 128 bits, or 16 bytes.
• The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits).
• The plaintext block is depicted as a square 4×4 matrix of bytes.
• This block is copied into the State array.
• After the final stage, State is copied to an output matrix.
AES Detailed Structure
AES-Encryption and Decryption
1. AES processes the entire data block as a single matrix.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i].
3. Four different stages are used, one of permutation and three of substitution:
■ Substitute bytes
■ ShiftRows
■ MixColumns
■ AddRoundKey
4. For both encryption and decryption, the cipher begins with an AddRoundKey stage, followed by nine.
5. The cipher begins and ends with an AddRoundKey stage.
6. The other three stages by themselves would provide no security because they do not use the key.
7. For the Substitute Byte, ShiftRows, and MixColumns stages, an inverse function is used in the decryption algorithm.
8. The decryption algorithm is not identical to the encryption algorithm.
9. At each horizontal point, State is the same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages.
AES TRANSFORMATION FUNCTIONS
Substitute Bytes Transformation
Forward And Inverse Transformations
• The forward substitute byte transformation, called SubBytes, is a simple table lookup.
• AES defines a 16×16 matrix of byte values, called an S-box.
• The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit output value.
• For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {2A}.
• Accordingly, the value {95} is mapped into the value {2A}.
• An example of the SubBytes transformation
ShiftRows Transformation
Forward And Inverse Transformations
• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is
performed.
• For the third row, a 2-byte circular left shift is
performed.
• For the fourth row, a 3-byte circular left shift is
performed.
An example of ShiftRows
• The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction.
• RATIONALE: A row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes.
MixColumns Transformation
Forward And Inverse Transformations
• Each byte of a column is mapped into a new value that is a function of all four bytes in that column.
• In this case, the individual additions and multiplications are performed in GF(2^8).
• The MixColumns transformation on a single column of State can be expressed as
An example of MixColumns
• In GF(2^8), addition is the bitwise XOR operation, and multiplication can be performed according to the rule established in Equation (1).
• In particular, multiplication of a value by {02} can be implemented as a 1-bit left shift followed by a conditional bitwise XOR with (0001 1011) if the leftmost bit of the original value (prior to the shift) is 1.
• Thus, to verify the MixColumns transformation on the first column, we need to show that
The inverse mix column transformation
• The inverse mix column transformation is defined by the following matrix multiplication:
The inverse transformation matrix times the forward transformation matrix equals the identity matrix.
AddRoundKey Transformation
• Example:
• The first matrix is State, and the second matrix is the round key.
• The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.
Inputs for Single AES Round
AES key Expansion algorithm
• The key is copied into the first four words of the expanded key.
• The remainder of the expanded key is filled in one word at a time.
• Each added word w[i] depends on the immediately preceding word, w[i - 1], and the word four positions back, w[i - 4]. In three out of four cases, a simple XOR is used.
Key Expansion in AES
• The AES key expansion algorithm takes a 128-bit (16-byte) key, that is, a four-word key, as input and produces a linear array of 44 words.
• (In AES, 4 Bytes = 1 Word)
• This provides a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher.
• The key is copied into the first four words of the expanded key.
AES Key Expansion…
The function g defines the complex function:
1. This function performs a one-byte circular left shift.
2. Using the S-box, a byte substitution is performed on each byte of the word.
3. Finally, the result of RotWord and step 2 is XORed with the round constant, Rcon[j].
AES KEY EXPANSION…
1. RotWord performs a one-byte circular left shift on a word. This means that an input word [B0,B1,B2,B3] is transformed into [B1,B2,B3,B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
• The round constant is a word in which the three rightmost bytes are always 0.
• The round constant is different for each round and is defined as:
Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2 * RC[j−1]
with multiplication defined over the field GF(2^8).
• The values of RC[j] in hexadecimal are:
• Suppose that the round key for round 8 is:
EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
• Then the first 4 bytes (first column) of the round key for round 9 are calculated as follows:
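Added example (not part of the original slides): the GF(2^8) arithmetic shared by the MixColumns section and the key expansion section above, built from the {02} shift-and-XOR rule, then used for MixColumns/InvMixColumns on one column, RC[j], the function g, and 128-bit key expansion. The S-box is computed from its definition (field inverse plus affine map) rather than copied from a table; function names are this example's own.

```python
def xtime(a: int) -> int:
    """Multiply by {02}: shift left one bit, XOR 0x1B if the old top bit was 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) by repeated xtime and XOR (addition)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result


MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))


def mix_column(column, matrix=MIX):
    """Matrix-times-column over GF(2^8); pass INV_MIX for InvMixColumns."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out


def build_sbox():
    """S-box = multiplicative inverse in GF(2^8), then the AES affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = 0x63
        for r in range(5):                  # inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s)
    return sbox


SBOX = build_sbox()


def rc(j: int) -> int:
    """RC[1] = 1, RC[j] = 2 * RC[j-1] in GF(2^8)."""
    value = 1
    for _ in range(j - 1):
        value = xtime(value)
    return value


def g(word, j):
    rotated = word[1:] + word[:1]             # RotWord: [B0,B1,B2,B3] -> [B1,B2,B3,B0]
    substituted = [SBOX[b] for b in rotated]  # SubWord
    substituted[0] ^= rc(j)                   # XOR with Rcon[j] = (RC[j], 0, 0, 0)
    return substituted


def next_round_key(prev: bytes, j: int) -> bytes:
    """Round key j (16 bytes) from round key j-1, for a 128-bit AES key."""
    words = [list(prev[4 * i:4 * i + 4]) for i in range(4)]
    temp = g(words[3], j)
    out = []
    for w in words:                           # w[i] = w[i-4] XOR temp
        temp = [a ^ b for a, b in zip(w, temp)]
        out.extend(temp)
    return bytes(out)


def expand_key(key: bytes):
    """All 11 round keys (44 words) for a 16-byte key."""
    keys = [bytes(key)]
    for j in range(1, 11):
        keys.append(next_round_key(keys[-1], j))
    return keys


if __name__ == "__main__":
    rk8 = bytes.fromhex("EAD27321B58DBAD2312BF5607F8D292F")   # round 8 key from the slide
    print("round 9, first column:", next_round_key(rk8, 9)[:4].hex().upper())
```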
Rationale
• The key expansion algorithm is resistant to known cryptanalytic attacks.
• The inclusion of a round-dependent round constant eliminates the symmetry between the ways in which round keys are generated in different rounds.
• Knowledge of a part of the cipher key or round key does not enable calculation of many other round-key bits.
Rationale contd…
• An invertible transformation.
• Fast on a wide range of processors.
• Diffusion of key bits to affect many round key bits.
• Enough nonlinearity to prohibit analysis.
• Simplicity of description.
AES EXAMPLE
Solve the following example:
• The plaintext is a hexadecimal palindrome.
• The plaintext, key, and resulting ciphertext are
AES EXAMPLE Solution
Table below shows the expansion of the 16-byte key into 10 round keys.
Solve these problems
5.4 Given the plaintext {000102030405060708090A0B0C0D0E0F} and the key
{01010101010101010101010101010101}:
a. Show the original contents of State, displayed as a 4 × 4 matrix.
b. Show the value of State after initial AddRoundKey.
c. Show the value of State after SubBytes.
d. Show the value of State after ShiftRows.
e. Show the value of State after MixColumns.
Solve the Following:
• Compute the output of the MixColumns
transformation for the following sequence of input
bytes “67 89 AB CD”. Apply the InvMixColumns
transformation to the obtained result to verify your
calculations.
• Change the first byte of the input from ‘67’ to ‘77’,
perform the MixColumns transformation again for the
new input, and determine how many bits have
changed in the output.
Solution:
PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEM
• Public-key cryptosystems evolved from an attempt to solve two of the most difficult problems associated with symmetric encryption:
■ Key distribution
■ Digital signature
Public Key Cryptosystems
• Asymmetric algorithms rely on one key for encryption and a different but related key for decryption.
• These algorithms have the following important characteristics:
✔ It is computationally infeasible to determine the decryption key given only knowledge of the cryptographic algorithm and the encryption key.
✔ Either of the two related keys can be used for encryption, with the other used for decryption.
Public-Key Cryptosystems…
A public-key encryption scheme has six ingredients:
• Plaintext
• Encryption algorithm
• Public and private keys
• Ciphertext
• Decryption algorithm
Public-Key Cryptosystems…
The essential steps are the following.
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her private key.
Conventional and Public-Key Encryption
Public-Key Cryptosystem: Confidentiality
Encryption using Public key-Secrecy…
• Source A produces a message in plaintext, X = [X1, X2, . . . , XM].
• B generates a related pair of keys: a public key, PUb, and a private key, PRb.
• With the message X and the encryption key PUb as input, A forms the ciphertext Y = [Y1, Y2, . . . , YN]:
Y = E(PUb, X)
• The intended receiver, in possession of the matching private key, is able to invert the transformation: X = D(PRb, Y)
Public-Key Cryptosystem: Authentication
Encryption using Private key-Authentication
Y = E(PRa, X)
X = D(PUa, Y)
• A prepares a message to B and encrypts it using A’s private key before transmitting it.
• B can decrypt the message using A’s public key.
• Because the message was encrypted using A’s private key, only A could have prepared the message; it therefore serves as a digital signature.
Authentication and confidentiality
Applications for Public-Key Cryptosystems
• We can classify the use of public-key cryptosystems into three
categories:
Encryption /decryption
Digital signature
Key exchange
Requirements for Public-Key Cryptography
1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb).
2. It is computationally easy for a sender A, knowing the public key and the message M to be encrypted, to generate the corresponding ciphertext:
C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message:
M = D(PRb, C) = D[PRb, E(PUb, M)]
4. It is computationally infeasible for an adversary, knowing the public key, PUb, to determine the private key, PRb.
5. It is computationally infeasible for an adversary, knowing the public key, PUb, and a ciphertext, C, to recover the original message, M.
6. The two keys can be applied in either order:
M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]
A trap-door one-way function.
• A one-way function:
Y = f(X) easy
X = f^-1(Y) infeasible
• A trapdoor one-way function is a family of invertible functions fk, such that
RSA
• Developed by Rivest, Shamir & Adleman of MIT (Massachusetts Institute of Technology) in 1977
• Best known & widely used public-key scheme
• Based on exponentiation in a finite (Galois) field over integers modulo a prime
• Uses large integers (e.g. 1024 bits)
RSA Algorithm
The resulting keys are public key PU = {7,187} and private key PR = {23,187}.
For encryption, we need to calculate C = 88^7 mod 187
The Security of RSA
Five possible approaches to attacking the RSA algorithm are:
■ Brute force
■ Mathematical attacks
■ Timing attacks
■ Hardware fault-based attack
■ Chosen ciphertext attacks
Diffie-Hellman Key Exchange
• Proposed by Diffie & Hellman in 1976.
• The purpose of the algorithm is to enable two users to securely exchange a key.
• Derivation of the shared secret key is based on exponentiation in a finite (Galois) field.
We can define the discrete logarithm in the following way.
• A primitive root of a prime number p is one whose powers modulo p generate all the integers from 1 to p-1.
• That is, if α is a primitive root of the prime number p, then the numbers
α mod p, α^2 mod p, ..., α^(p-1) mod p
are distinct and consist of the integers from 1 through p-1 in some permutation.
The Algorithm
Calculation of Secret Key-proof
Two calculations produce identical results:
Diffie-Hellman Example
Users Alice & Bob, who wish to exchange keys, agree on prime q = 353 and α = 3.
The random private keys are xA = 97, xB = 233.
Find the public keys of Alice and Bob and the session (secret) key K generated by them.
Solution:
• Given random prime number q = 353, α = 3
• Given private (secret) keys of Alice and Bob: xA = 97, xB = 233
• Compute respective public keys:
yA = α^xA mod q (Alice)
yA = 3^97 mod 353 = 40
yB = α^xB mod q (Bob)
yB = 3^233 mod 353 = 248
• Compute common key as:
A computes K = (yB)^xA mod q = 248^97 mod 353 = 160 (Alice)
B computes K = (yA)^xB mod q = 40^233 mod 353 = 160 (Bob)
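Added example (not part of the original slides): the exchange above with q = 353 and α = 3, together with a check of the primitive-root definition and of what goes wrong when the base has small order. The range check on the peer's public value and the choice of 352 as a poor base are additions made here for illustration; the brute-force order computation is only suitable for small primes like this one.

```python
def element_order(alpha: int, p: int) -> int:
    """Smallest k >= 1 with alpha^k mod p == 1 (brute force, small p only)."""
    if alpha % p == 0:
        raise ValueError("alpha must be nonzero modulo p")
    value, k = alpha % p, 1
    while value != 1:
        value = (value * alpha) % p
        k += 1
    return k


def is_primitive_root(alpha: int, p: int) -> bool:
    """alpha is a primitive root of prime p iff its powers hit all of 1..p-1."""
    return element_order(alpha, p) == p - 1


def public_key(alpha: int, private: int, q: int) -> int:
    return pow(alpha, private, q)            # y = alpha^x mod q


def shared_key(peer_public: int, private: int, q: int) -> int:
    # Added check: 1 and q-1 generate only 1 or 2 values, so reject them.
    if not 1 < peer_public < q - 1:
        raise ValueError("peer public value outside 2..q-2")
    return pow(peer_public, private, q)      # K = y_peer^x mod q


def reachable_keys(alpha: int, q: int) -> set:
    """Every value alpha^e mod q, i.e. every K this base can ever produce."""
    return {pow(alpha, e, q) for e in range(1, q)}


def exchange(q: int, alpha: int, x_a: int, x_b: int) -> tuple:
    """Both sides of the exchange; returns (yA, yB, K at Alice, K at Bob)."""
    y_a, y_b = public_key(alpha, x_a, q), public_key(alpha, x_b, q)
    k_a = shared_key(y_b, x_a, q)            # Alice: (yB)^xA mod q
    k_b = shared_key(y_a, x_b, q)            # Bob:   (yA)^xB mod q
    return y_a, y_b, k_a, k_b


if __name__ == "__main__":
    q, alpha = 353, 3                        # values from the slide
    print("3 is a primitive root of 353:", is_primitive_root(alpha, q))
    print("yA, yB, K(A), K(B) =", exchange(q, alpha, 97, 233))
    # A base of small order collapses the key space an eavesdropper must search.
    print("keys reachable with base 3:  ", len(reachable_keys(3, q)))
    print("keys reachable with base 352:", len(reachable_keys(352, q)))
```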
The Diffie–Hellman Key Exchange
Man-in-the-Middle Attack
