UNIT – II

Block Cipher Principle

All the classical ciphers may operate in the following two ways:

 Stream cipher, A stream cipher is one that encrypts a digital data stream one bit or one
 byte at a time. such as Vigen`ere cipher, encrypts one letter at a time(Fig 1a). 
 Block cipher, A block cipher is one in which a block of plaintext is treated as a whole and
used to produce a cipher text block of equal length. Such as Hill cipher, treats a n-letter
block of plaintext as a whole and produce a cipher text block of equal length(Fig 1b). 

A. Block Cipher Principles: As block cipher have different modes of operation and applies
to a broader range of applications than stream cipher.
A block cipher transforms a plaintext block of n letters into an encrypted block. For the
alphabet with 26 letters, there are 26n possible different plaintext blocks. The most general way of
encrypting a n-letter block is to take each of the plaintext blocks and map it to a cipher block
(arbitrary n-letter substitution cipher). For decryption to be possible, such mapping needs to be
one-to-one (i.e., each plaintext block must be mapped to a unique cipher text block). The number
of different one-to-one mappings among n-letter blocks is (26n)!.
The length of block n cannot be too short in order to secure the cryptographic scheme. For
example, n= 1 gives a mono-alphabetic cipher. Such schemes are vulnerable to frequency analysis
and brute-force attacks. However, an arbitrary reversible substitution cipher for a large block size
n is not practical. Let’s consider the problem of specifying a mapping of all possible n-letter blocks.
In a cipher, each key specifies such a mapping. Let’s assume the key consists of a block of k letters.
Then the number of all possible keys is 26k. Then for a n-letter arbitrary substitution block cipher,
the key size needs to satisfy 26k _ (26n)!, i.e., k _ n × 26n!.
So the major challenge to design a symmetric key cryptographic scheme is to provide
enough security (e.g., using a reasonable large block size) with a reasonable small size key1.
Claude Shannon theoretically deduced the following principles that should be followed to design
secure cryptographic systems. These principles aim at thwarting cryptanalysis based on known
statistical properties of the plaintext.
Confusion: In Shannon’s original definitions, confusion makes the relation between the key and
the ciphertext as complex as possible. Ideally, every letter in the key influences every letter of the
ciphertext block. Replacing every letter with the one next to it on the typewriter keyboard is a
simple example of confusion by substitution. However, good confusion can only be achieved when
each character of the ciphertext depends on several parts of the key, and this dependence appears
to be random to the observer. Ciphers that do not offer much confusion (such as Vigen`ere cipher)
are vulnerable to frequency analysis. Confusion:Make the statistical relationship between a
plaintext and the corresponding ciphertextas complex as possible in order to thread attempts to
deduce the key.(See figure 0)
• Diffusion: Diffusion refers to the property that the statistics structure of the plaintext is
dissipated into long range statistics of the ciphertext. In contrast to confusion, diffusion
spreads the influence of a single plaintext letter over many ciphertext letters. In terms of
the frequency statistics of letters, digrams, etc in the plaintext, diffusion randomly spreads
them across several characters in the ciphertext.
Diffussion means each plaintext digit affects many cipher text digits, or each
ciphertextdigit is affected by many plaintext digits. This means that much more ciphertexts
are needed to do a meaningful statistical attack on the cipher. (See figure 0).

Figure 0: Diffusion and Confusion

Figure 1: Stream Cipher and Block Cipher

B. The Feistel Network: Product ciphers use the two classical encryption forms: substitution
and transposition, alternatively in multiple rounds to achieve both confusion and diffusion
respectively. The product cryptosystems are also called substitution-permutation network).
 A cryptographic system based on Feistel structure uses the same basic algorithm for both
encryption and decryption. One possible way to build a secret key algorithm using substitution-
permutation-network is to break the input into manageable-sized chunks, do a substitution on each
small chunk, and then take the outputs of all the substitutions and run them through a permuter
that is as big as the input, which shuffles the letters around. Then the process is repeated, so that
each letter winds up as an input to each of the substitutions. Since modern cryptosystems are all
computer-based, from now on we will assume that both plain and cipher text are strings of bits ({0,
1}), instead of strings of letters ({A, B, C, ..., Z}).
The Feistel network shown in Fig. 1 is a particular form of the substitution-permutation
network. The input to a Feistel network is a plaintext block of N bits, and a key K. The plaintext
block is divided into two halves, L0 and R0. The two halves of the data pass through R rounds of
processing and then combine to produce the ciphertext block. Each round I has as input LI−1 and
RI−1, derived from the previous round, as well as a subkey KI, derived from the overall key K. In
general, the subkey KI are different from K and from each other. In this structure, a substitution is
performed via the round function F, and permutation is performed that interchanges the two halves
of the data.
The exact realization of a Feistel network depends on the choices of the following
parameters and design features.
• Block size: Larger block size means greater security, but reduces encryption/decryption
speed.
• Key size: Larger key size means greater security but may decrease encryption/decryption
speed.
• Number of rounds: Multiple rounds offer increasing security.
• Subkey generation algorithm: Greater complexity in subkey generation leads to greater
security.
• Round function: Greater complexity in round function means greater difficulty of
cryptanalysis.
There are two other considerations in the design of a Feistel cipher:
• Fast software encryption/decryption: In many cases, encryption is embedded in
applications or utility functions in such a way as to preclude a hardware implementation.
Accordingly, the speed of execution of the algorithm becomes a concern.
• Ease of analysis: Although we would like to make our algorithm as difficult as possible to
cryptanalyze, there is great benefit in making the algorithm easy to analyze. That is, if the
algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for
cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its
strength. DES, for example, does not have an easily analyzed functionality.
 Figure 2: The encryption and decryption of Feistel network

The process of decryption with a Feistel network is essentially the same as the encryption
process by using the cipher text as input to the network, but using the sub key Ki in reverse order,
as shown in Fig 2. The reason is explained as follows.

Let’s consider the last step in encryption, which gives,

LE16 = RE15 …. (1)

RE16 = LE15 _ F(RE15,K16) …. (2)

On the decryption side,

LD1 = RD0 = LE16 = RE15 …. (3)

RD1 = LD0 _ F(RD0,K16) …. (4)
= RE16 _ F(RE15,K16) …. (5)
= [LE15 _ F(RE15,K16)] _ F(RE15,K16) …. (6)
= LE15 …. (7)
 The process can be done iteratively. Finally, we will see that the output of the decryption
is the same as the input to the encryption (i.e., original plaintext).

THE DATA ENCRYPTION STANDARD

The most widely used encryption scheme is based on the Data Encryption Standard (DES)
adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and
Technology (NIST).
As with most encryption schemes, DES expects two inputs - the plaintext to be encrypted
and the secret key. The manner in which the plaintext is accepted, and the key arrangement used
for encryption and decryption, both determine the type of cipher it is. DES is therefore a
symmetric, 64 bit block cipher as it uses the same key for both encryption and decryption and only
operates on 64 bit blocks of data at a time (be they plaintext or cipher text). The key size used is
56 bits, however a 64 bit (or eight-byte) key is actually input. The least significant bit of each byte
is either used for parity (odd for DES) or set arbitrarily and does not increase the security in any
way. All blocks are numbered from left to right which makes the eight bit of each byte the parity
bit.
Once a plain-text message is received to be encrypted, it is arranged into 64 bit blocks
required for input. If the number of bits in the message is not evenly divisible by 64, then the last
block will be padded. Multiple permutations and substitutions are incorporated throughout in order
to increase the difficulty of performing a cryptanalysis on the cipher. However, it is generally
accepted that the initial and final permutations offer little or no contribution to the security of DES
and in fact some software implementations omit them (although strictly speaking these are not
DES as they do not adhere to the standard).

DES Encryption:
 Figure 3: Flow Diagram of DES algorithm for encrypting data.

The processing of the plaintext proceeds in three phases as can be seen from the left hand side
of figure 3.

1. Initial permutation (IP- defined in table 2.1) rearranging the bits to form the “permuted
input”.
2. Followed by 16 iterations of the same function (substitution and permutation). The output
of the last iteration consists of 64 bits which is a function of the plaintext and key. The
left and right halves are swapped to produce the pre output.
3. Finally, the pre output is passed through a permutation (IP−1- defined in table 2.1) which
is simply the inverse of the initial permutation (IP). The output of IP−1 is the 64-bit cipher
text.
 Table 1: Permutation tables used in DES.

As figure 3 shows, the inputs to each round consist of the Li, Ripair and a 48 bit Subkey
which is a shifted and contracted version of the original 56 bit key. The use of the key can be seen
in the right hand portion of figure 3:

• Initially the key is passed through a permutation function (PC1- defined in table 1)
• For each of the 16 iterations, a subkey ( Ki) is produced by a combination of a left circular
shift and a permutation ( PC2- defined in table 1) which is the same for each iteration.
However, the resulting subkey is different for each iteration because of repeated shifts.
 Table 2: DES key schedule.

Individual rounds Structure:

Details of an individual round can be seen in figure 4. The main operations on the data are
encompassed into what is referred to as the cipher function and is labeled F . This function accepts
two different length inputs of 32 bits and 48 bits and outputs a single 32 bit number. Both the data
and key are operated on in parallel, however the operations are quite different. The 56 bit key is
split into two 28 bit halves CI and Di(C and D being chosen so as not to be confused with L and
R). The value of the key used in any round is simply a left cyclic shift and a permuted contraction
of that used in the previous round. Mathematically, this can be written as

Ci=Lcsi(Ci−1), Di=Lcsi(Di−1) …. (2.1)

Ki=P C2(Ci, Di) …. (2.2)

Where Lcsi is the left cyclic shift for round i,Ci and Di are the outputs after the shifts, P
C2 (.) is a function which permutes and compresses a 56 bit number into a 48 bit number and K I
is the actual key used in round i. The number of shifts is either one or two and is determined by
the round number i. For i = { 1 ,2,9,16} the number of shifts is one and for every other round it is
two (table 2).
 Figure 4: Details of a single DES round.
The common formulas used to describe the relationships between the input to one round
and its output (or the input to the next round) are:

Li=Ri−1 …. (2.3)

Ri=Li−1⊕F(Ri−1, Ki)
…. (2.4)

where L and R have their usual meaning and F(.) is the cipher function. This function F is the
main part of every round and consists of four separate stages (see figure 2.4):
1. The E-box expansion permutation - here the 32-bit input data from Ri−1is expanded and
permuted to give the 48 bits necessary for combination with the 48 bit key (defined in table
2.1). The E-box expansion permutation delivers a larger output by splitting its input into 8,
4-bit blocks and copying every first and fourth bit in each block into the output in a defined
manner. The security offered by this operation comes from one bit affecting two
substitutions in the S-boxes. This causes the dependency of the output bits on the input bits
to spread faster,and is known as the avalanche affect.
 2. The bit by bit addition modulo 2 (or exclusive OR) of the E-box output and 48 bit subkey
Ki.
3. The S-box substitution - this is a highly important substitution which accepts a 48-bit input
and outputs a 32-bit number (defined in table 2.3). The S-boxes are the only non-linear
operation in DES and are therefore the most important part of its security. They were very
carefully designed although the conditions they were designed under has been under
intense scrutiny since DES was released. The reason was because IBM had already
designed a set of S-boxes which were completely changed by the NSA with no explanation
why .
The input to the S-boxes is 48 bits long arranged into 8, 6 bit blocks (b1, b2, . . . ,
b6).There are 8 S-boxes (S1, S2, . . . , S8) each of which accepts one of the 6 bit blocks.
The output of each S-box is a four bit number. Each of the S-boxes can be thought of as a
4×16matrix. Each cell of the matrix is identified by a coordinate pair (i, j), where 0≤i≤3
and 0≤j≤15. The value of i is taken as the decimal representation of the first and last bits
of the input to each S-box, i.e.Dec(b1b6) =I and the value of j is take from the decimal
representation of the inner four bits that remain, i.e.Dec ( b2b3b4b5) =j. Each cell within
the S-box matrices contains a 4-bit number which is output once that particular cell is
selected by the input.
4. The P-box permutation - This simply permutes the output of the S-box without changing
the size of the data (defined in table 2.1). It is simply a permutation and nothing else. It has
a one to one mapping of its input to its output giving a 32 bit output from a 32 bit input.

Data Encryption Standard (DES)

First published in 1977 as a US Federal standard.
Known as Data Encryption AlgorithmDEA(ANSI) or DEA-1 (ISO)
 A de-facto international standard for banking security. 
 An example of a Feistel Cipher . 
 Most analyzed cryptographic algorithm 
Short history of DES:
 Work started in early 1970s by IBM. 
  Based on IBMs Lucifer, but amended by NSA 
 Design criteria were kept secret for more than 20 years. 
 Supposed to be reviewed every 5 years 

Data Encryption Standard (DES)

Block length is 64 bits , key length 56 bits.
Feistel Cipher:
 Initial permutation of bits. 
  Split into left and right half. 
 16 rounds of identical operations, depending on round key. 
 Inverse initial permutation 
Round
 transformation : 
 Linear expansion: 32 bits48 bits. 
  XOR with subkey of 48 bits (key schedule selects 48 bits of key k ). 
 8 parallel non-linear S-boxes (6 input bits, 4 output bits). 
  Permutation of the 32 bits. 

Data Encryption Standard (DES)

Each DES round consists of the following six stages:
1. Expansion Permutation:
 Right half (32 bits) is expanded (and permuted) to 48 bits. 
  Diffuses relationship of input bits to output bits. 
  Means one bit of input affects two substitutions in output. 
 Spreads dependencies. 
2. Use of Round Key:
 48 bits are XOR-ed with the round key (48 bits).
 3. Splitting : 
 Result is split into eight lots of six bit values. 

Data Encryption Standard (DES)

4. S-Box:
 Each six bit value is passed into an S-box to produce a four bit result in a non-linear way.
(S = Substitution)
5. P-Box:
 32 bits of output are combined and permuted. (P = Permutation) 

Double DES
P  E(K1,P)  E(K2,E(K1,P)) = C

Double DES has a 112-bit key and enciphers blocks of 64 bits. DES is not a group; i.e.,
E(K2,E(K1,P)) (refer below figure: Double DES) is not equivalent to DES encryption using a
single key. Recall that, for example, the Caesar cipher is a group. If a message were encrypted
with the Caesar cipher with a key of 3 and then re-encrypted with the Caesar cipher with a key of
5, the result is equivalent to encrypting the message with the Caesar cipher with a key of 8. For
the Caesar cipher, double encryption does not increase security. DES is not a group; double
encryption is not equivalent to single encryption. Security does increase by double encryption, but
it does not increase much.

Figure : Double Encryption DES

 The security of DES depends on its having a large key space; so large that (at least when it
first began being used in the 1970’s a brute force attack was not practical [that has now changed]).
Recall that DES has a 56-bit key (the key is actually 64 bits, but every 8thbit is a parity check; so,
only 56 or the 64 bits are meaningful); therefore, the size of the key space is 2 56=72, 057, 594,
037, 927, 936 . Recall that the algorithm that was originally proposed had a 128-bit key, but the
size of the key space was reduced by the NSA (for some reason). Intuitively, double encryption
should double the size of the key space. But, that is not the case with DES.

Meet-in-the–middle attack on double encryption:

This attack requires knowing some plaintext/ciphertext pairs. Let’s assume that we have a
plaintext/ciphertext pair; i.e., we know the plaintext pand the corresponding (double DES
enciphered) ciphertext C. Attacks on DES have typically been brute force attacks (see “Breaking
DES”); so, we will use brute force here.
The double encryption is:
P  E(K1,P)  E(K2,E(K1,P)) = C
56
Encrypt P using all 2 possible keys, and store the results.(Storage could be a problem).
The stored results will include all possible encryptions PE(K1,P).
Then decrypt C using all 256 possible keys.
D ( K2, C ) = D (K2, E ( K2, E ( K1, P ) ) )  E ( K1 , P )
After decrypting with each key, check for a match with the stored outputs of the 256possible
encryptions. When we have a match, we have located a possibly correct pair of keys. Now, perhaps
more than one pair of keys will result in a match, but the number of pairs of keys that return
matches should be small. We could try each possible pair of keys. If more than one plaintext/cipher
text correspondence is known (for the key pair), then other correspondences could be used to check
which of the keys is correct.
So, it only takes twice as long to break double DES using brute force. Because DES has
56-bit security, double DES has 2*256=257 security.

Triple DES – 3DES:

3DES was developed in 1999 by IBM – by a team led by Walter Tuchman. 3DES (refer
below figure: triple DES) prevents a meet-in-the-middle attack. 3DES has a 168-bit key and
enciphers blocks of 64 bits. 3DES effectively has 112-bit security. 3DES can be done with 2 or 3
keys.
3-key encryption
E (K3, D (K2, E ( K1, P ) ) )

2-key encryption

E ( K1, D ( K2, E ( K1, P ) ) )

Why would we want to do decryption as the second step? One reason might be that by taking k2
=k1; 2-key, 3DES becomes single DES with key K1,. 3DES can communicate with single DES.
 Figure : Triple Encryption using DES

Data Encryption Standard (DES) weakness and strength:

The Data Encryption Standard (DES) is a symmetric key block cipher which takes 64-bit
plaintext and 56-bit key as an input and produces 64-bit cipher text as output. The DES function
is made up of P and S-boxes. P-boxes transpose bits and S-boxes substitute bits to generate a
cipher.

Strength- The strength of DES lies on two facts:

 The use of 56-bit keys: 56-bit key is used in encryption, there are 256 possible keys. A
 brute force attack on such number of keys is impractical. 
 The nature of algorithm: Cryptanalyst can perform cryptanalysis by exploiting the
characteristic of DES algorithm but no one has succeeded in finding out the weakness. 

Weakness- Weakness has been found in the design of the cipher:

 Two chosen input to an S-box can create the same output. 

 The purpose of initial and final permutation is not clear. 

Differential and linear cryptanalysis:

Traditional cryptanalysis of block ciphers such as the Data Encryption Standard rely on
known plaintext methods as doing exhaustive search over the whole key space. While this type of
brute force cryptanalytic attack may seem practical on conventional single DES encryption, it
becomes impractical to perform on double DES and triple DES enciphering implementations.
More sophisticated cryptanalysis methods have been proposed in the recent years to reduce the
computational complexity of a brute force attack. Two such methods are

Differential crypt-analysis and 


Linear cryptanalysis crypt-analysis. 

Differential Cryptanalysis:
Differential cryptanalysis involves the analysis of the distribution of the difference (modulo-2bit
per bit) between two plaintexts X1 and X2 and the two cipher texts Y1 and Y2 resulting from their
encryption. Here the plaintexts X1 and X2 are in fact the 32-bit contents of the right register prior
the extension permutation E (X) in a DES round. The two cipher texts Y1 and Y2 are the 32-bit
output from the standard permutation P(C) after the substitution boxes.

Figure 4 shows a single round of DES encryption. Let ∆X represent the difference of the two
known (and chosen) plaintexts X1 and X2:
∆X = X1 X2
Where X1 X2 represents the addition modulo-2 bit by bit of the 2 plaintext vectors. In a
chosen plaintext attack, the two plaintexts X1 and X2 are chosen such as to give a desired plaintext
difference ∆X.
Since ∆X = X1 X2 and A= E( X) is simply an expansion permutation of the plaintext bits
A, then the difference ∆A is also known:
∆A = A1 A2
∆A=E(X1) E(X2)
∆A=E(∆X)
At each DES round, the unknown 48-bit subkey Ki is added to the 48-bit vector A at the
output of the expansion permutation box:
B1=A1 Ki and B2=A2 © Ki
Since the 48-bit subkey Ki is secret, the two 48-bit vectors B1 and B2 are also unknown.However,
their difference ∆B is known!
∆B = B1 B2
∆B = (A1 Ki ) ( A2 Ki ) ∆B =
A1 A2
∆B = ∆A ∆B
= E (∆X)
Differential cryptanalysis compares the distribution of the difference ∆X for a plaintext
pair X1 and X2 with the distribution of the cipher text difference ∆Y for the corresponding cipher
text pair Y1 and Y2. In a chosen plaintext-cipher text attack, the plaintext is chosen such as to
provide the desired difference ∆X. It exploits the fact that the plaintext differences ∆X and the
cipher text differences ∆Y are not equally likely. Some differences in plaintext pairs have a higher
probability of causing difference in cipher text pairs than others.

Linear cryptanalysis:
A method to break a block cipher such as DES is linear cryptanalysis. It basically consists
in trying to represent (or approximate) a round of DES encryption with a linear transformation. In
the known plaintext attack both the plaintext M and the corresponding cipher text C are known.
Since the output IP(M) after the initial permutation function IP is known, one knows also the
contents of the left and right registers.
 Refer : http://www.site.uottawa.ca/~chouinar/Handout_CSI4138_DES_2002.pdf

BLOCK CIPHER DESIGN PRINCIPLES

DES Design Criteria:

i. No output bit of any S-box should be too close a linear function of the input bits.
Specifically, if we select any output bit and any subset of the six input bits, the fraction of
inputs for which this output bit equals the XOR of these input bits should not be close to 0
or 1, but rather should be near 1/2.

ii. Each row of an S-box (determined by a fixed value of the leftmost and rightmost input bits)
should include all 16 possible output bit combinations.
iii. If two inputs to an S-box differ in exactly one bit, the outputs must differ in at least two bits.
iv. If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at
least two bits
v. If two inputs to an S-box differ in their first two bits and are identical in their last two bits,
the two outputs must not be the same.
vi. For any nonzero 6-bit difference between inputs, no more than eight of the 32 pairs of inputs
exhibiting that difference may result in the same output difference.
vii. This is a criterion similar to the previous one, but for the case of three S-boxes.

The criteria for the permutation P are as follows.

i. TThe four output bits from each S-box at round are distributed so that two of them affect
(provide input for) “middle bits” of round and the other two affect end bits. The two middle
bits of input to an S-box are not shared with adjacent S-boxes. The end bits are
 the two left-hand bits and the two right-hand bits, which are shared with adjacent S-
boxes.
ii. The four output bits from each S-box affect six different S-boxes on the next round, and
no two affect the same S-box.
iii. For two S-boxes , , if an output bit from affects a middle bit of on the next round, then an
output bit from cannot affect a middle bit of . This implies that, for , an output bit from
must not affect a middle bit of .
These criteria are intended to increase the diffusion of the algorithm.
Number of Rounds:
The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for
a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that
known cryptanalytic efforts require greater effort than a simple brute-force key search attack.
Design of Function F:
Design criteria of Function F: The function F provides the element of confusion in a
Feistel cipher. Thus, it must be difficult to “unscramble” the substitution performed by F. One
obvious criterion is that F be nonlinear. The more nonlinear F, the more difficult any type of
cryptanalysis will be.
Several other criteria should be considered in designing F. The algorithm should have good
avalanche properties. This means that a change in one bit of the input should produce a change in
many bits of the output. A more stringent version of this is the strict avalanche criterion (SAC).
Which states that any output bit of an S-box should change with probability 1/2 when any single
input bit is inverted for all , . Although SAC is expressed in terms of S-boxes, a similar criterion
could be applied to F as a whole. This is important when considering designs that do not
include S-boxes.
Another criterion is the bit independence criterion (BIC), which states that output bits
and should change independently when any single input bit is inverted for all ,I ,j, and k . The SAC
and BIC criteria appear to strengthen the effectiveness of the confusion function.
S-Box Design One of the most intense areas of research in the field of symmetric block
ciphers is that of S-box design. An S-box has input bits and output bits. DES has 6 _ 4 S-boxes.
The encryption algorithm Blowfish has 8×32 S-boxes.
Key Schedule Algorithm :
A final area of block cipher design, and one that has received less attention than S-box
design, is the key schedule algorithm.With any Feistel block cipher, the key is used to generate
one subkey for each round. In general, we would like to select subkeys to maximize the difficulty
of deducing individual subkeys and the difficulty of working back to the main key.The key
schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence
Criterion

Block Cipher modes of operation:

The DES algorithm is a basic building block for providing data security. A mode of
operation is essentially a way of encrypting arbitrary-length messages using a block cipher (i.e.,
pseudorandom permutation). To apply DES in a variety of application, five modes of operation
have been defined.
  Electronic Code Book (ECB) mode 
  Cipher Block Chain (CBC) mode 
 Cipher Feedback (CFB) mode 
 Output Feedback (OFB) mode 
 Counter (CTR) mode. 




 Electronic Code Book (ECB) mode: 

The simplest of the encryption modes is the electronic codebook (ECB) mode(See Fig:5).
The message is divided into blocks and each block is encrypted separately. A clear vulnerability
is that identical plaintext blocks are encrypted into identical cipher text blocks, i.e. ECB does not
hide data patterns well. Many forms of attack can be drawn from this feature: replay, reorder, and
insert or delete selected blocks. Enemy can even manipulated with blocks from different old
encrypted messages to create a new legally encrypted one. Clearly, ECB should not be used in any
communication protocol.
However, because of its nature of encrypting blocks separately, ECB can be used for
storage systems, e.g. encrypting data segments in disks or records in relational databases. This
allows straightforward updates to any disk segment or database record without interfering with
surrounding units (which cannot be avoided in CBC or others).

Figure 5: Electronic Codebook Mode (ECB mode).

 Cipher Block Chain (CBC) mode: 

In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with
the previous cipher text block before being encrypted. Obviously, each cipher text block is
dependent on all plaintext blocks processed up to that point. Also, initialization vector is
used in the first block to make each message unique.(See Fig:6)
CBC critics:
There is a clear improvement on ECB:
 Since we use a randomized encryption, repeated text is mapped to different encrypted
 data. 
CBC provides provable security: we can prove it assuming that the block cipher has
desirable properties and that random IV’s are used. 
A cipher text block depends on all preceding plaintext blocks: thus, reorder affects 
decryption.
On the other hand, there are minus points:
Errors in one block propagate to two blocks. 
One bit error in Cj affects all bits in Mj and one bit in Mj+1. 
CBC is a sequential process wherein we cannot use parallel hardware. 

Observation: if Ci = Cj then Ek (Mi Ci-1) = Ek ( Mj Cj-1); thus Mi Ci-1 = Mj Cj-1; thus
Mi Mj = Ci-1 Cj-1. 

Figure 6: Cipher Feedback Mode (CFB mode).

Encryption and decryption algorithms are as follows:

 Cipher Feedback (CFB): 

The Cipher Feedback (CFB) mode, a close relative of CBC, makes a block cipher
into a self-synchronizing stream cipher.
CFB has a similar look to CBC with this difference: the XOR is being made after
the block cipher function rather than before as in CBC. However it makes a conceptual
move here because CFB now looks quite close to the one-time pad and this makes it easier
to formally show the security of CFB by comparing it with later.
CFB has strengths and weaknesses similar to CBC’s, but it can be made into a self-
synchronizing stream cipher: we can vary the input block size to any number of bits up to
the block size used by the block cipher function.
 Figure 7: Cipher Feedback Mode (CFB mode).

 Output Feedback (OFB): 

The Output Feedback (OFB) mode makes a block cipher into a synchronous stream
cipher. It generates key stream blocks, which are then XORed with the plaintext blocks to
get the cipher text. Just as with other stream ciphers, flipping a bit in the cipher text
produces a flipped bit in the plaintext at the same location. This property allows many error
correcting codes to function normally even when applied before encryption.

Because of the symmetry of the XOR operation, encryption and decryption are
exactly the same:

Encryption can be expressed as

Cj = Pj_ E(K, [Cj-i_ Pj-1])

By rearranging terms, we can demonstrate that decryption works.

Pj = Cj_ E(K, [Cj-1 _ Pj-1])

 Cj = Pj_ E(K, [Cj-i_ Pj-1])

Figure 8: Output Feedback Mode

 Counter Mode: 

CTR made another move, in fact a crucial one, towards simplification and efficiency. Simply,
IV is incremented and used to generate one-time pad. Note that this incrementing pad should never
be repeated or the scheme will be insecure: if the same IV and key is used again, XOR of two
encrypted messages equals XOR of plain texts(See fig 9). Thus, if the communication session lasts
too long, the key must be changed before the pad numbers making a full circle and repeating
themselves.

CTR recorded significant advantages over the previous encryption modes and become widely
used now:
Software and hardware efficiency: different blocks can be encrypted in parallel.
 Preprocessing: the encryption part can be done offline and when the message is known,
 just do the XOR. 
Random access: decryption of a block can be done in random order, very useful for hard-
disk/database encryption (like with ECB). 
Messages of arbitrary length: ciphertext is the same length with the plaintext (i.e., no IV). 

Figure 9: Counter (CTR) Mode

Advanced Encryption Standard (AES):

AES Evaluation Criteria:
1. Initial Criteria:
 security – effort to practically crypt analyze 

 cost – computational efficiency, so as to be used in high - speed applications, such as
 broadband links 
 algorithm and implementation characteristics: should be suitable for a variety of soft/hard
implementations, simple enough to make analysis straightforward. 

2. Final criteria
 general security: this was conducted by the public (academic) cryptographic community:
 people published various attacks and weaknesses of the candidates 
 software and hardware implementation ease: execution speed, performance on various
platforms, variation of speed with key size 
 Attacks on implementation: timing attacks and power analysis 
Multiplication consumes more power and takes more time than addition 
Writing 1s consumes more power and takes more time than writing 0s 
 Flexibility (in encryption/decryption, key change, other factors) 

AES Structure:
The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be 16,
24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-
256, depending on the key length(See figure 10).
 Figure 10 : AES Parameters

The input to the encryption and decryption algorithms is a single 128-bit block and it is
copied into the State array, which is modified at each stage of encryption or decryption. After the
final stage, State is copied to an output matrix. Similarly, the key is depicted as a square matrix of
bytes. This key is then expanded into an array of key schedule words. Each word is four bytes, and
the total key schedule is 44 words for the 128-bit key. Note that the ordering of bytes within a
matrix is by column. So, for example, the first four bytes of a 128-bit plaintext input to the
encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second
column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy
the first column of the w matrix.
The cipher consists of N rounds, where the number of rounds depends on the key length:
10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key. The
first (N-1) rounds consist of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, which are described subsequently. The final round contains
only three transformations, and there is a initial single transformation (AddRoundKey) before the
first round, which can be considered Round 0. Each transformation takes one or more matrices as
input and produces 4×4 a matrix as output. Figure 11 shows that the output of each round is a 4×4
matrix, with the output of the final round being the cipher text. Also, the key expansion function
generates N+1 round keys, each of which is a distinct 4×4 matrix. Each round key serve as one of
the inputs to the AddRoundKey transformation in each round.
Figure 11: AES Encryption Process
 Figure 12: AES Data Structure

Detailed Structure of AES:

Figure 13 shows the AES cipher in more detail, indicating the sequence of
transformations in each round and showing the corresponding decryption function.

Figure 13: AES Encryption and Decryption Process

The overall AES structure of AES is:

1) One noteworthy feature of this structure is that it is not a Feistel structure.Recall that, in
the classic Feistel structure, half of the data block is used to modify the other half of the
data block and then the halves are swapped.AES instead processes the entire data block as
a single matrix during each round using substitutions and permutation.
2) The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i].
Four distinct words (128 bits) serve as a round key for each round; these are indicated in
Figure 13.
3) Four different stages are used, one of permutation and three of substitution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
• ShiftRows: A simple permutation
• MixColumns: A substitution that makes use of arithmetic over GF(28)
• AddRoundKey: A simple bitwise XOR of the current block with a portionof the
expanded key.
4) The structure is quite simple. For both encryption and decryption, the cipher begins with
an AddRoundKey stage, followed by nine rounds that each includes all four stages,
followed by a tenth round of three stages. Figure 14 depicts the structure of a full encryption
round.
5) Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and
ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is
reversible without knowledge of the key and so would add no security.

Figure 14: AES Round Structure.

6) The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. The other three stages together provide confusion, diffusion, and nonlinearity,
but by themselves would provide no security because they do not use the key.We can view
the cipher as alternating operations of XOR encryption (AddRoundKey) of a block,
followed by scrambling of the block (theother three stages), followed by XOR encryption,
and so on.This scheme is both efficient and highly secure.
7) Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns
stages, an inverse function is used in the decryption algorithm. For the AddRoundKey
stage, the inverse is achieved by XORing the same round key to the block, using the result
that A B B = A.
8) As with most block ciphers, the decryption algorithm makes use of the expanded key in
reverse order. However, the decryption algorithm is not identical to the encryption
algorithm. This is a consequence of the particular structure of AES.
9) Once it is established that all four stages are reversible, it is easy to verify that decryption
does recover the plaintext. Figure 13 lays out encryption and decryption going in opposite
vertical directions. At each horizontal point (e.g., the dashed line in the figure), State is the
same for both encryption and decryption.
 10) The final round of both encryption and decryption consists of only three stages. Again, this
is a consequence of the particular structure of AES and is required to make the cipher
reversible.

AES TRANSFORMATION FUNCTIONS:

Substitute Bytes Transformation
Forward and Inverse Transformation The forward substitute byte transformation, called
SubBytes, is a simple table lookup (Figure 15a). AES defines a matrix of byte values, called an
S-box (Table 1a), that contains a permutation of all possible 256 8-bit values. Each individual
byte of State is mapped into a new byte in the following way: The leftmost 4 bits of the byte are
used as a row value and the rightmost 4 bits are used as a column value. These row and column
values serve as indexes into the S-box to select a unique 8-bit output value. For example, the
hexadecimal value3 {95} references row 9, column 5 ,16 * 16 of the S-box, which contains the
value . Accordingly, the value is mapped into the value . Here is an example of the SubBytes
transformation:

The inverse substitute byte transformation, called InvSubBytes, makes use of the
inverse S-box shown in Table 5.2b. Note, for example, that the input { 2A } produces the output
{ 95 } , and the input { 95 } to the S-box produces { 2A }.
Figure 15: AES byte Level operation
Table 1: AES S - boxes
ShiftRows Transformation
Forward and Inverse Transformation The forward shift row transformation,called
ShiftRows, is depicted in Figure 16a.The first row of State is not altered. For the second row, a 1-
byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For
the fourth row, a 3-byte circular left shift is performed. The following is an example of ShiftRows.

The inverse shift row transformation, called InvShiftRows, performs the circular shifts
in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the
second row, and so on.

Figure 16: AES Row and Column Operation

MixColumns Transformation:
Forward and Inverse Transformation The forward mix column transformation,called
MixColumns, operates on each column individually. Each byte of a column is mapped into a new
value that is a function of all four bytes in that column. The transformation can be defined by the
following matrix multiplication on State (Figure 16 b):
Let us verify the first column of this example.

The other equations can be similarly verified.

The inverse mix column transformation, called InvMixColumns, is defined by the following
matrix multiplication:

AddRoundKey Transformation
Forward and Inverse Transformation In the forward add round key transformation,
called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key.
As shown in Figure 15b, the operation is viewed as a column wise operation between the 4 bytes
of a State column and one word of the round key; it can also be viewed as a byte-level operation.
The following is an example of AddRoundKey:
The first matrix is State, and the second matrix is the round key.
The inverse add round key transformation is identical to the forward add round key
transformation, because the XOR operation is its own inverse.

AES KEY EXPANSION:

The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear
array of 44 words (176 bytes).This is sufficient to provide a four-word round key for the initial
AddRoundKey stage and each of the 10 rounds of the cipher. The pseudo code on the next page
describes the expansion.
The key is copied into the first four words of the expanded key. The remainder of the
expanded key is filled in four words at a time. Each added word w[i] depends on the immediately
preceding word, w[i - 1] , and the word four positions back, w[i - 4] . In three out of four cases, a
simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex
function is used. Figure 17 illustrates the generation of the expanded key, using the symbol g to
represent that complex function. The function g consists of the following sub functions.
 Figure 17: AES Key Expansion

1. RotWord performs a one-byte circular left shift on a word.This means that an input word [B0,
B1, B2, B3] is transformed into [B1, B2, B3, B0] .
2. Sub Word performs a byte substitution on each byte of its input word, using the S-box (Table
1 a).
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
The round constant is a word in which the three rightmost bytes are always 0.Thus, the
effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word.
The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0),with ,
RC[1] = 1 RC[j] = 2. RC [j-1] and with multiplication defined over the field GF(28).The values of
RC[j] in hexadecimal are
RC4(Stream Cipher Structure):
A typical stream cipher encrypts plaintext one byte at a time, although a stream cipher may
be designed to operate on one bit at a time or on units larger than a byte at a time. Figure 18 is a
representative diagram of stream cipher structure. In this structure a key is input to a pseudorandom
bit generator that produces a stream of 8-bit numbers that are apparently random. A pseudorandom
stream is one that is generated by an algorithm but is unpredictable without knowledge of the input
key. The output of the generator, called a key stream , is combined one byte at a time with the
plaintext stream using the bitwise exclusive-OR (XOR) operation. For example, if the next byte
generated by the generator is 01101100 and the next plaintext byte is 11001100, then the resulting
cipher text byte is:
11001100 plain text
01101100 key stream
----------
10100000 cipher text
Decryption requires the use of the same pseudorandom sequence:
10100000 cipher text
01101100 key stream
-------------
11001100 plain text

Figure 18: Stream Cipher

Design considerations for a stream cipher:

1. The encryption sequence should have a large period. A pseudorandom number generator
uses a function that produces a deterministic stream of bits that eventually repeats. The
longer the period of repeat the more difficult it will be to do cryptanalysis.
2. The keystream should approximate the properties of a true random number stream as close
as possible. For example, there should be an approximately equal number of 1s and 0s. If
the keystream is treated as a stream of bytes, then all of the 256 possible byte values should
appear approximately equally often. The more random-appearing the keystream is, the
more randomized the ciphertext is, making cryptanalysis more difficult.
3. Note from Figure 1 that the output of the pseudorandom number generator is conditioned
on the value of the input key. To guard against brute-force attacks, the key needs to be
 sufficiently long. The same considerations as apply for block ciphers are valid here. Thus,
with current technology, a key length of at least 128 bits is desirable.

With a properly designed pseudorandom number generator, a stream cipher can be as secure
as block cipher of comparable key length. The primary advantage of a stream cipher is that stream
ciphers are almost always faster and use far less code than do block ciphers. RC4 can be
implemented in just a few lines of code.

The advantage of a block cipher is that key reusability. For example, if two plaintexts are
encrypted with the same key using a stream cipher, then cryptanalysis is often quite simple. If the
two ciphertext streams are XORed together, the result is the XOR of the original plaintexts.

For applications that require encryption/decryption of a stream of data, such as over a data
communications channel or a browser/Web link, a stream cipher might be the better alternative.
For applications that deal with blocks of data, such as file transfer, e-mail, and database, block
ciphers may be more appropriate.

The RC4 Algorithm:

RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable
key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a
random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be
greater than 10100. Eight to sixteen machine operations are required per output byte, and the cipher
can be expected to run very quickly in software. RC4 was kept as a trade secret by RSA Security.
In September 1994, the RC4 algorithm was anonymously posted on the Internet on the Cypher -
punks anonymous remailers list.

The RC4 algorithm is remarkably simply and quite easy to explain. A variable-length key
of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with elements
S[0], S[1], ..., S[255]. At all times, S contains a permutation of all 8-bit numbers from 0 through
255. For encryption and decryption, a byte k (see Figure 18) is generated from S by selecting one
of the 255 entries in a systematic fashion. As each value of k is generated, the entries in S are once
again permuted.
Initialization of S:
To begin, the entries of S are set equal to the values from 0 through 255 in ascending order;
that is; S[0] = 0, S[1] = 1, ..., S[255] = 255. A temporary vector, T, is also created. If the length of
the key K is 256 bytes, then K is transferred to T. Otherwise, for a key of length keylen bytes, the
first keylen elements of T are copied from K and then K is repeated as many times as necessary to
fill out T. These preliminary operations can be summarized as follows:
/* Initialization */
for i = 0 to 255 do
S[i] = i;
T[i] = K[i mod keylen];
Next we use T to produce the initial permutation of S. This involves starting with S[0]
and going through to S[255], and, for each S[i], swapping S[i] with another byte in S according
to a scheme dictated by T[i]:
 /* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
j = (j + S[i] + T[i]) mod
256; Swap (S[i], S[j]);
Because the only operation on S is a swap, the only effect is a permutation. S still contains
all the numbers from 0 through 255.
Stream Generation
Once the S vector is initialized, the input key is no longer used. Stream generation involves starting
with S[0] and going through to S[255], and, for each S[i], swapping S[i] with another byte in S
according to a scheme dictated by the current configuration of S. After S[255] is reached, the
process continues, starting over again at S[0]:
/* Stream Generation */
i, j = 0;
while (true)
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap(S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];

To encrypt, XOR the value k with the next byte of plain text. To decrypt, XOR the value k with
the next byte of cipher text. Figure 19 summarizes the RC4 logic.
Figure 19: RC4 Stream Cipher