Beruflich Dokumente
Kultur Dokumente
Stream cipher, A stream cipher is one that encrypts a digital data stream one bit or one
byte at a time. such as Vigen`ere cipher, encrypts one letter at a time(Fig 1a).
Block cipher, A block cipher is one in which a block of plaintext is treated as a whole and
used to produce a cipher text block of equal length. Such as Hill cipher, treats a n-letter
block of plaintext as a whole and produce a cipher text block of equal length(Fig 1b).
A. Block Cipher Principles: As block cipher have different modes of operation and applies
to a broader range of applications than stream cipher.
A block cipher transforms a plaintext block of n letters into an encrypted block. For the
alphabet with 26 letters, there are 26n possible different plaintext blocks. The most general way of
encrypting a n-letter block is to take each of the plaintext blocks and map it to a cipher block
(arbitrary n-letter substitution cipher). For decryption to be possible, such mapping needs to be
one-to-one (i.e., each plaintext block must be mapped to a unique cipher text block). The number
of different one-to-one mappings among n-letter blocks is (26n)!.
The length of block n cannot be too short in order to secure the cryptographic scheme. For
example, n= 1 gives a mono-alphabetic cipher. Such schemes are vulnerable to frequency analysis
and brute-force attacks. However, an arbitrary reversible substitution cipher for a large block size
n is not practical. Let’s consider the problem of specifying a mapping of all possible n-letter blocks.
In a cipher, each key specifies such a mapping. Let’s assume the key consists of a block of k letters.
Then the number of all possible keys is 26k. Then for a n-letter arbitrary substitution block cipher,
the key size needs to satisfy 26k _ (26n)!, i.e., k _ n × 26n!.
So the major challenge to design a symmetric key cryptographic scheme is to provide
enough security (e.g., using a reasonable large block size) with a reasonable small size key1.
Claude Shannon theoretically deduced the following principles that should be followed to design
secure cryptographic systems. These principles aim at thwarting cryptanalysis based on known
statistical properties of the plaintext.
Confusion: In Shannon’s original definitions, confusion makes the relation between the key and
the ciphertext as complex as possible. Ideally, every letter in the key influences every letter of the
ciphertext block. Replacing every letter with the one next to it on the typewriter keyboard is a
simple example of confusion by substitution. However, good confusion can only be achieved when
each character of the ciphertext depends on several parts of the key, and this dependence appears
to be random to the observer. Ciphers that do not offer much confusion (such as Vigen`ere cipher)
are vulnerable to frequency analysis. Confusion:Make the statistical relationship between a
plaintext and the corresponding ciphertextas complex as possible in order to thread attempts to
deduce the key.(See figure 0)
• Diffusion: Diffusion refers to the property that the statistics structure of the plaintext is
dissipated into long range statistics of the ciphertext. In contrast to confusion, diffusion
spreads the influence of a single plaintext letter over many ciphertext letters. In terms of
the frequency statistics of letters, digrams, etc in the plaintext, diffusion randomly spreads
them across several characters in the ciphertext.
Diffussion means each plaintext digit affects many cipher text digits, or each
ciphertextdigit is affected by many plaintext digits. This means that much more ciphertexts
are needed to do a meaningful statistical attack on the cipher. (See figure 0).
B. The Feistel Network: Product ciphers use the two classical encryption forms: substitution
and transposition, alternatively in multiple rounds to achieve both confusion and diffusion
respectively. The product cryptosystems are also called substitution-permutation network).
A cryptographic system based on Feistel structure uses the same basic algorithm for both
encryption and decryption. One possible way to build a secret key algorithm using substitution-
permutation-network is to break the input into manageable-sized chunks, do a substitution on each
small chunk, and then take the outputs of all the substitutions and run them through a permuter
that is as big as the input, which shuffles the letters around. Then the process is repeated, so that
each letter winds up as an input to each of the substitutions. Since modern cryptosystems are all
computer-based, from now on we will assume that both plain and cipher text are strings of bits ({0,
1}), instead of strings of letters ({A, B, C, ..., Z}).
The Feistel network shown in Fig. 1 is a particular form of the substitution-permutation
network. The input to a Feistel network is a plaintext block of N bits, and a key K. The plaintext
block is divided into two halves, L0 and R0. The two halves of the data pass through R rounds of
processing and then combine to produce the ciphertext block. Each round I has as input LI−1 and
RI−1, derived from the previous round, as well as a subkey KI, derived from the overall key K. In
general, the subkey KI are different from K and from each other. In this structure, a substitution is
performed via the round function F, and permutation is performed that interchanges the two halves
of the data.
The exact realization of a Feistel network depends on the choices of the following
parameters and design features.
• Block size: Larger block size means greater security, but reduces encryption/decryption
speed.
• Key size: Larger key size means greater security but may decrease encryption/decryption
speed.
• Number of rounds: Multiple rounds offer increasing security.
• Subkey generation algorithm: Greater complexity in subkey generation leads to greater
security.
• Round function: Greater complexity in round function means greater difficulty of
cryptanalysis.
There are two other considerations in the design of a Feistel cipher:
• Fast software encryption/decryption: In many cases, encryption is embedded in
applications or utility functions in such a way as to preclude a hardware implementation.
Accordingly, the speed of execution of the algorithm becomes a concern.
• Ease of analysis: Although we would like to make our algorithm as difficult as possible to
cryptanalyze, there is great benefit in making the algorithm easy to analyze. That is, if the
algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for
cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its
strength. DES, for example, does not have an easily analyzed functionality.
Figure 2: The encryption and decryption of Feistel network
The process of decryption with a Feistel network is essentially the same as the encryption
process by using the cipher text as input to the network, but using the sub key Ki in reverse order,
as shown in Fig 2. The reason is explained as follows.
DES Encryption:
Figure 3: Flow Diagram of DES algorithm for encrypting data.
The processing of the plaintext proceeds in three phases as can be seen from the left hand side
of figure 3.
1. Initial permutation (IP- defined in table 2.1) rearranging the bits to form the “permuted
input”.
2. Followed by 16 iterations of the same function (substitution and permutation). The output
of the last iteration consists of 64 bits which is a function of the plaintext and key. The
left and right halves are swapped to produce the pre output.
3. Finally, the pre output is passed through a permutation (IP−1- defined in table 2.1) which
is simply the inverse of the initial permutation (IP). The output of IP−1 is the 64-bit cipher
text.
Table 1: Permutation tables used in DES.
As figure 3 shows, the inputs to each round consist of the Li, Ripair and a 48 bit Subkey
which is a shifted and contracted version of the original 56 bit key. The use of the key can be seen
in the right hand portion of figure 3:
• Initially the key is passed through a permutation function (PC1- defined in table 1)
• For each of the 16 iterations, a subkey ( Ki) is produced by a combination of a left circular
shift and a permutation ( PC2- defined in table 1) which is the same for each iteration.
However, the resulting subkey is different for each iteration because of repeated shifts.
Table 2: DES key schedule.
Where Lcsi is the left cyclic shift for round i,Ci and Di are the outputs after the shifts, P
C2 (.) is a function which permutes and compresses a 56 bit number into a 48 bit number and K I
is the actual key used in round i. The number of shifts is either one or two and is determined by
the round number i. For i = { 1 ,2,9,16} the number of shifts is one and for every other round it is
two (table 2).
Figure 4: Details of a single DES round.
The common formulas used to describe the relationships between the input to one round
and its output (or the input to the next round) are:
Li=Ri−1 …. (2.3)
Ri=Li−1⊕F(Ri−1, Ki)
…. (2.4)
where L and R have their usual meaning and F(.) is the cipher function. This function F is the
main part of every round and consists of four separate stages (see figure 2.4):
1. The E-box expansion permutation - here the 32-bit input data from Ri−1is expanded and
permuted to give the 48 bits necessary for combination with the 48 bit key (defined in table
2.1). The E-box expansion permutation delivers a larger output by splitting its input into 8,
4-bit blocks and copying every first and fourth bit in each block into the output in a defined
manner. The security offered by this operation comes from one bit affecting two
substitutions in the S-boxes. This causes the dependency of the output bits on the input bits
to spread faster,and is known as the avalanche affect.
2. The bit by bit addition modulo 2 (or exclusive OR) of the E-box output and 48 bit subkey
Ki.
3. The S-box substitution - this is a highly important substitution which accepts a 48-bit input
and outputs a 32-bit number (defined in table 2.3). The S-boxes are the only non-linear
operation in DES and are therefore the most important part of its security. They were very
carefully designed although the conditions they were designed under has been under
intense scrutiny since DES was released. The reason was because IBM had already
designed a set of S-boxes which were completely changed by the NSA with no explanation
why .
The input to the S-boxes is 48 bits long arranged into 8, 6 bit blocks (b1, b2, . . . ,
b6).There are 8 S-boxes (S1, S2, . . . , S8) each of which accepts one of the 6 bit blocks.
The output of each S-box is a four bit number. Each of the S-boxes can be thought of as a
4×16matrix. Each cell of the matrix is identified by a coordinate pair (i, j), where 0≤i≤3
and 0≤j≤15. The value of i is taken as the decimal representation of the first and last bits
of the input to each S-box, i.e.Dec(b1b6) =I and the value of j is take from the decimal
representation of the inner four bits that remain, i.e.Dec ( b2b3b4b5) =j. Each cell within
the S-box matrices contains a 4-bit number which is output once that particular cell is
selected by the input.
4. The P-box permutation - This simply permutes the output of the S-box without changing
the size of the data (defined in table 2.1). It is simply a permutation and nothing else. It has
a one to one mapping of its input to its output giving a 32 bit output from a 32 bit input.
Double DES
P E(K1,P) E(K2,E(K1,P)) = C
Double DES has a 112-bit key and enciphers blocks of 64 bits. DES is not a group; i.e.,
E(K2,E(K1,P)) (refer below figure: Double DES) is not equivalent to DES encryption using a
single key. Recall that, for example, the Caesar cipher is a group. If a message were encrypted
with the Caesar cipher with a key of 3 and then re-encrypted with the Caesar cipher with a key of
5, the result is equivalent to encrypting the message with the Caesar cipher with a key of 8. For
the Caesar cipher, double encryption does not increase security. DES is not a group; double
encryption is not equivalent to single encryption. Security does increase by double encryption, but
it does not increase much.
This attack requires knowing some plaintext/ciphertext pairs. Let’s assume that we have a
plaintext/ciphertext pair; i.e., we know the plaintext pand the corresponding (double DES
enciphered) ciphertext C. Attacks on DES have typically been brute force attacks (see “Breaking
DES”); so, we will use brute force here.
The double encryption is:
P E(K1,P) E(K2,E(K1,P)) = C
56
Encrypt P using all 2 possible keys, and store the results.(Storage could be a problem).
The stored results will include all possible encryptions PE(K1,P).
Then decrypt C using all 256 possible keys.
D ( K2, C ) = D (K2, E ( K2, E ( K1, P ) ) ) E ( K1 , P )
After decrypting with each key, check for a match with the stored outputs of the 256possible
encryptions. When we have a match, we have located a possibly correct pair of keys. Now, perhaps
more than one pair of keys will result in a match, but the number of pairs of keys that return
matches should be small. We could try each possible pair of keys. If more than one plaintext/cipher
text correspondence is known (for the key pair), then other correspondences could be used to check
which of the keys is correct.
So, it only takes twice as long to break double DES using brute force. Because DES has
56-bit security, double DES has 2*256=257 security.
3DES was developed in 1999 by IBM – by a team led by Walter Tuchman. 3DES (refer
below figure: triple DES) prevents a meet-in-the-middle attack. 3DES has a 168-bit key and
enciphers blocks of 64 bits. 3DES effectively has 112-bit security. 3DES can be done with 2 or 3
keys.
3-key encryption
E (K3, D (K2, E ( K1, P ) ) )
2-key encryption
The use of 56-bit keys: 56-bit key is used in encryption, there are 256 possible keys. A
brute force attack on such number of keys is impractical.
The nature of algorithm: Cryptanalyst can perform cryptanalysis by exploiting the
characteristic of DES algorithm but no one has succeeded in finding out the weakness.
Traditional cryptanalysis of block ciphers such as the Data Encryption Standard rely on
known plaintext methods as doing exhaustive search over the whole key space. While this type of
brute force cryptanalytic attack may seem practical on conventional single DES encryption, it
becomes impractical to perform on double DES and triple DES enciphering implementations.
More sophisticated cryptanalysis methods have been proposed in the recent years to reduce the
computational complexity of a brute force attack. Two such methods are
Differential Cryptanalysis:
Differential cryptanalysis involves the analysis of the distribution of the difference (modulo-2bit
per bit) between two plaintexts X1 and X2 and the two cipher texts Y1 and Y2 resulting from their
encryption. Here the plaintexts X1 and X2 are in fact the 32-bit contents of the right register prior
the extension permutation E (X) in a DES round. The two cipher texts Y1 and Y2 are the 32-bit
output from the standard permutation P(C) after the substitution boxes.
Figure 4 shows a single round of DES encryption. Let ∆X represent the difference of the two
known (and chosen) plaintexts X1 and X2:
∆X = X1 X2
Where X1 X2 represents the addition modulo-2 bit by bit of the 2 plaintext vectors. In a
chosen plaintext attack, the two plaintexts X1 and X2 are chosen such as to give a desired plaintext
difference ∆X.
Since ∆X = X1 X2 and A= E( X) is simply an expansion permutation of the plaintext bits
A, then the difference ∆A is also known:
∆A = A1 A2
∆A=E(X1) E(X2)
∆A=E(∆X)
At each DES round, the unknown 48-bit subkey Ki is added to the 48-bit vector A at the
output of the expansion permutation box:
B1=A1 Ki and B2=A2 © Ki
Since the 48-bit subkey Ki is secret, the two 48-bit vectors B1 and B2 are also unknown.However,
their difference ∆B is known!
∆B = B1 B2
∆B = (A1 Ki ) ( A2 Ki ) ∆B =
A1 A2
∆B = ∆A ∆B
= E (∆X)
Differential cryptanalysis compares the distribution of the difference ∆X for a plaintext
pair X1 and X2 with the distribution of the cipher text difference ∆Y for the corresponding cipher
text pair Y1 and Y2. In a chosen plaintext-cipher text attack, the plaintext is chosen such as to
provide the desired difference ∆X. It exploits the fact that the plaintext differences ∆X and the
cipher text differences ∆Y are not equally likely. Some differences in plaintext pairs have a higher
probability of causing difference in cipher text pairs than others.
Linear cryptanalysis:
A method to break a block cipher such as DES is linear cryptanalysis. It basically consists
in trying to represent (or approximate) a round of DES encryption with a linear transformation. In
the known plaintext attack both the plaintext M and the corresponding cipher text C are known.
Since the output IP(M) after the initial permutation function IP is known, one knows also the
contents of the left and right registers.
Refer : http://www.site.uottawa.ca/~chouinar/Handout_CSI4138_DES_2002.pdf
i. No output bit of any S-box should be too close a linear function of the input bits.
Specifically, if we select any output bit and any subset of the six input bits, the fraction of
inputs for which this output bit equals the XOR of these input bits should not be close to 0
or 1, but rather should be near 1/2.
ii. Each row of an S-box (determined by a fixed value of the leftmost and rightmost input bits)
should include all 16 possible output bit combinations.
iii. If two inputs to an S-box differ in exactly one bit, the outputs must differ in at least two bits.
iv. If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at
least two bits
v. If two inputs to an S-box differ in their first two bits and are identical in their last two bits,
the two outputs must not be the same.
vi. For any nonzero 6-bit difference between inputs, no more than eight of the 32 pairs of inputs
exhibiting that difference may result in the same output difference.
vii. This is a criterion similar to the previous one, but for the case of three S-boxes.
The simplest of the encryption modes is the electronic codebook (ECB) mode(See Fig:5).
The message is divided into blocks and each block is encrypted separately. A clear vulnerability
is that identical plaintext blocks are encrypted into identical cipher text blocks, i.e. ECB does not
hide data patterns well. Many forms of attack can be drawn from this feature: replay, reorder, and
insert or delete selected blocks. Enemy can even manipulated with blocks from different old
encrypted messages to create a new legally encrypted one. Clearly, ECB should not be used in any
communication protocol.
However, because of its nature of encrypting blocks separately, ECB can be used for
storage systems, e.g. encrypting data segments in disks or records in relational databases. This
allows straightforward updates to any disk segment or database record without interfering with
surrounding units (which cannot be avoided in CBC or others).
In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with
the previous cipher text block before being encrypted. Obviously, each cipher text block is
dependent on all plaintext blocks processed up to that point. Also, initialization vector is
used in the first block to make each message unique.(See Fig:6)
CBC critics:
There is a clear improvement on ECB:
Since we use a randomized encryption, repeated text is mapped to different encrypted
data.
CBC provides provable security: we can prove it assuming that the block cipher has
desirable properties and that random IV’s are used.
A cipher text block depends on all preceding plaintext blocks: thus, reorder affects
decryption.
On the other hand, there are minus points:
Errors in one block propagate to two blocks.
One bit error in Cj affects all bits in Mj and one bit in Mj+1.
CBC is a sequential process wherein we cannot use parallel hardware.
Observation: if Ci = Cj then Ek (Mi Ci-1) = Ek ( Mj Cj-1); thus Mi Ci-1 = Mj Cj-1; thus
Mi Mj = Ci-1 Cj-1.
The Output Feedback (OFB) mode makes a block cipher into a synchronous stream
cipher. It generates key stream blocks, which are then XORed with the plaintext blocks to
get the cipher text. Just as with other stream ciphers, flipping a bit in the cipher text
produces a flipped bit in the plaintext at the same location. This property allows many error
correcting codes to function normally even when applied before encryption.
Because of the symmetry of the XOR operation, encryption and decryption are
exactly the same:
Counter Mode:
CTR made another move, in fact a crucial one, towards simplification and efficiency. Simply,
IV is incremented and used to generate one-time pad. Note that this incrementing pad should never
be repeated or the scheme will be insecure: if the same IV and key is used again, XOR of two
encrypted messages equals XOR of plain texts(See fig 9). Thus, if the communication session lasts
too long, the key must be changed before the pad numbers making a full circle and repeating
themselves.
CTR recorded significant advantages over the previous encryption modes and become widely
used now:
Software and hardware efficiency: different blocks can be encrypted in parallel.
Preprocessing: the encryption part can be done offline and when the message is known,
just do the XOR.
Random access: decryption of a block can be done in random order, very useful for hard-
disk/database encryption (like with ECB).
Messages of arbitrary length: ciphertext is the same length with the plaintext (i.e., no IV).
AES Structure:
The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be 16,
24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-
256, depending on the key length(See figure 10).
Figure 10 : AES Parameters
The input to the encryption and decryption algorithms is a single 128-bit block and it is
copied into the State array, which is modified at each stage of encryption or decryption. After the
final stage, State is copied to an output matrix. Similarly, the key is depicted as a square matrix of
bytes. This key is then expanded into an array of key schedule words. Each word is four bytes, and
the total key schedule is 44 words for the 128-bit key. Note that the ordering of bytes within a
matrix is by column. So, for example, the first four bytes of a 128-bit plaintext input to the
encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second
column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy
the first column of the w matrix.
The cipher consists of N rounds, where the number of rounds depends on the key length:
10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key. The
first (N-1) rounds consist of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, which are described subsequently. The final round contains
only three transformations, and there is a initial single transformation (AddRoundKey) before the
first round, which can be considered Round 0. Each transformation takes one or more matrices as
input and produces 4×4 a matrix as output. Figure 11 shows that the output of each round is a 4×4
matrix, with the output of the final round being the cipher text. Also, the key expansion function
generates N+1 round keys, each of which is a distinct 4×4 matrix. Each round key serve as one of
the inputs to the AddRoundKey transformation in each round.
Figure 11: AES Encryption Process
Figure 12: AES Data Structure
6) The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. The other three stages together provide confusion, diffusion, and nonlinearity,
but by themselves would provide no security because they do not use the key.We can view
the cipher as alternating operations of XOR encryption (AddRoundKey) of a block,
followed by scrambling of the block (theother three stages), followed by XOR encryption,
and so on.This scheme is both efficient and highly secure.
7) Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns
stages, an inverse function is used in the decryption algorithm. For the AddRoundKey
stage, the inverse is achieved by XORing the same round key to the block, using the result
that A B B = A.
8) As with most block ciphers, the decryption algorithm makes use of the expanded key in
reverse order. However, the decryption algorithm is not identical to the encryption
algorithm. This is a consequence of the particular structure of AES.
9) Once it is established that all four stages are reversible, it is easy to verify that decryption
does recover the plaintext. Figure 13 lays out encryption and decryption going in opposite
vertical directions. At each horizontal point (e.g., the dashed line in the figure), State is the
same for both encryption and decryption.
10) The final round of both encryption and decryption consists of only three stages. Again, this
is a consequence of the particular structure of AES and is required to make the cipher
reversible.
The inverse substitute byte transformation, called InvSubBytes, makes use of the
inverse S-box shown in Table 5.2b. Note, for example, that the input { 2A } produces the output
{ 95 } , and the input { 95 } to the S-box produces { 2A }.
Figure 15: AES byte Level operation
Table 1: AES S - boxes
ShiftRows Transformation
Forward and Inverse Transformation The forward shift row transformation,called
ShiftRows, is depicted in Figure 16a.The first row of State is not altered. For the second row, a 1-
byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For
the fourth row, a 3-byte circular left shift is performed. The following is an example of ShiftRows.
The inverse shift row transformation, called InvShiftRows, performs the circular shifts
in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the
second row, and so on.
AddRoundKey Transformation
Forward and Inverse Transformation In the forward add round key transformation,
called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key.
As shown in Figure 15b, the operation is viewed as a column wise operation between the 4 bytes
of a State column and one word of the round key; it can also be viewed as a byte-level operation.
The following is an example of AddRoundKey:
The first matrix is State, and the second matrix is the round key.
The inverse add round key transformation is identical to the forward add round key
transformation, because the XOR operation is its own inverse.
1. RotWord performs a one-byte circular left shift on a word.This means that an input word [B0,
B1, B2, B3] is transformed into [B1, B2, B3, B0] .
2. Sub Word performs a byte substitution on each byte of its input word, using the S-box (Table
1 a).
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
The round constant is a word in which the three rightmost bytes are always 0.Thus, the
effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word.
The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0),with ,
RC[1] = 1 RC[j] = 2. RC [j-1] and with multiplication defined over the field GF(28).The values of
RC[j] in hexadecimal are
RC4(Stream Cipher Structure):
A typical stream cipher encrypts plaintext one byte at a time, although a stream cipher may
be designed to operate on one bit at a time or on units larger than a byte at a time. Figure 18 is a
representative diagram of stream cipher structure. In this structure a key is input to a pseudorandom
bit generator that produces a stream of 8-bit numbers that are apparently random. A pseudorandom
stream is one that is generated by an algorithm but is unpredictable without knowledge of the input
key. The output of the generator, called a key stream , is combined one byte at a time with the
plaintext stream using the bitwise exclusive-OR (XOR) operation. For example, if the next byte
generated by the generator is 01101100 and the next plaintext byte is 11001100, then the resulting
cipher text byte is:
11001100 plain text
01101100 key stream
----------
10100000 cipher text
Decryption requires the use of the same pseudorandom sequence:
10100000 cipher text
01101100 key stream
-------------
11001100 plain text
With a properly designed pseudorandom number generator, a stream cipher can be as secure
as block cipher of comparable key length. The primary advantage of a stream cipher is that stream
ciphers are almost always faster and use far less code than do block ciphers. RC4 can be
implemented in just a few lines of code.
The advantage of a block cipher is that key reusability. For example, if two plaintexts are
encrypted with the same key using a stream cipher, then cryptanalysis is often quite simple. If the
two ciphertext streams are XORed together, the result is the XOR of the original plaintexts.
For applications that require encryption/decryption of a stream of data, such as over a data
communications channel or a browser/Web link, a stream cipher might be the better alternative.
For applications that deal with blocks of data, such as file transfer, e-mail, and database, block
ciphers may be more appropriate.
RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable
key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a
random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be
greater than 10100. Eight to sixteen machine operations are required per output byte, and the cipher
can be expected to run very quickly in software. RC4 was kept as a trade secret by RSA Security.
In September 1994, the RC4 algorithm was anonymously posted on the Internet on the Cypher -
punks anonymous remailers list.
The RC4 algorithm is remarkably simply and quite easy to explain. A variable-length key
of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with elements
S[0], S[1], ..., S[255]. At all times, S contains a permutation of all 8-bit numbers from 0 through
255. For encryption and decryption, a byte k (see Figure 18) is generated from S by selecting one
of the 255 entries in a systematic fashion. As each value of k is generated, the entries in S are once
again permuted.
Initialization of S:
To begin, the entries of S are set equal to the values from 0 through 255 in ascending order;
that is; S[0] = 0, S[1] = 1, ..., S[255] = 255. A temporary vector, T, is also created. If the length of
the key K is 256 bytes, then K is transferred to T. Otherwise, for a key of length keylen bytes, the
first keylen elements of T are copied from K and then K is repeated as many times as necessary to
fill out T. These preliminary operations can be summarized as follows:
/* Initialization */
for i = 0 to 255 do
S[i] = i;
T[i] = K[i mod keylen];
Next we use T to produce the initial permutation of S. This involves starting with S[0]
and going through to S[255], and, for each S[i], swapping S[i] with another byte in S according
to a scheme dictated by T[i]:
/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
j = (j + S[i] + T[i]) mod
256; Swap (S[i], S[j]);
Because the only operation on S is a swap, the only effect is a permutation. S still contains
all the numbers from 0 through 255.
Stream Generation
Once the S vector is initialized, the input key is no longer used. Stream generation involves starting
with S[0] and going through to S[255], and, for each S[i], swapping S[i] with another byte in S
according to a scheme dictated by the current configuration of S. After S[255] is reached, the
process continues, starting over again at S[0]:
/* Stream Generation */
i, j = 0;
while (true)
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap(S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];
To encrypt, XOR the value k with the next byte of plain text. To decrypt, XOR the value k with
the next byte of cipher text. Figure 19 summarizes the RC4 logic.
Figure 19: RC4 Stream Cipher