ALGORITHM Types and Modes

•An algorithm type  defines what size of plain

text should be encrypted in each step of the
algorithm.
•The  algorithm mode defines the details of
the cryptographic algorithm, once the type is
decided.  
 Algorithm Types
• the generation of cipher text  from plain text
itself can be done in two basic ways, stream
ciphers and block ciphers.
 Stream ciphers
• In Stream Cipher-s. the plain text is encrypted one bit at a time.
Suppose the original  message (plain text) is Pay 100 in ASCII (i.e. text
format).
• When we convert these ASCII  characters to their binary values. let us
assume that it translate to 0101 1 100 (hypothetically,  just for
simplicity. in reality. the binary text would be much larger as each text
character  takes seven bits).
• Suppose the key to be applied is l00l0l0l in binary. Let us also assume
 that we apply the XOR logic as the encryption algorithm. XOR is quite
simple to understand  as shown in Fig. 3.2.
• ln simple terms, XOR produces an output of I only if one input is 0  and
the other is l. The output is 0 if both the inputs are 0 or if both the
inputs are l
• Another interesting property of XOR is that when used twice. it produces the original
  data. For example, suppose we have two binary numbers A = 101 and B = 110.
• We now  want to perform an XOR operation on A and B to produce a third number C.
i.e.:  
• C = A XOR B  
• Thus. we will have:  
• C = 101 XOR 110  
• = 011  
• Now. if we perform C XOR A, we will get B. That is:  
• B = 011 XOR 101  
• = 110  
• Similarly. if we perform C XOR B. we will get A. That is:  
• A = 011 XOR 110  
• = 101  
• This reversibility of XOR operations has many implications in cryptographic
algorithms,  
• W XORistwersible—whetttued twice. it
produce: the original values. This is  
• tnefulhcryptography  
•  
 Block Ciphers
• In Block Ciphers, rather than encrypting one bit at a time. a block of bits is
encrypted at  one go.
• Suppose we have a plain text FOUR_AND_FOUR that needs to be encrypted.
• Using   block cipher, FOUR could be encrypted first, followed by _AND_ and
finally FOUR.
• Thus,   one block of characters gets encrypted at a time. During decryption,
each block would be translated back to the original form. In actual  practice,
the communication takes place only in bits.
• Therefore. FOUR actually means  binary equivalent of the ASCII characters
FOUR. After any algorithm encrypts these. the  resultant bits are converted
back into their ASCII equivalents.
• Therefore. we get funny  symbols such as Vfa%, etc. In actual practice, their
binary equivalents are received, which are  decrypted back into binary
equivalent of ASCII FOUR
• An obvious problem with block ciphers is repeating text. For
repeating text patterns. the  same cipher is generated. Therefore.
it could give a clue to the cryptanalyst regarding the  original
plain text.
• The cryptanalyst can look for repeating strings and try to break
them.  
• If she succeeds in doing so, there is a danger that a relatively
large portion of the original  message is broken into, and
therefore, the entire message can then be revealed with more
 effort.
• To deal with  this problem. block ciphers are used in chaining
mode
 Group structures
•  
• When discussing an algorithm, many times a
question arises, as to whether it is a group.
• The  elements of the group are the cipher text
blocks with each possible key.
• Grouping, thus, means  how many times the
plain text is scrambled in various ways to
generate the cipher text.  
 Concepts confusion and diffusion
• Claude Shannon introduced the concepts of confusion
and diffusion. which are significant  from the perspective
of the computer-based cryptographic techniques.  
• Confusion is a technique of ensuring that a cipher text
gives no clue about the original  plain text. This is to try
and thwart the attempts of a cryptanalyst to look for
patterns in  the cipher text, so as to deduce the
corresponding plain text.
• We already know-how to  achieve confusion: it is
achieved by means of the substitution techniques
• Diffusion increases the redundancy of the plain
text by spreading it across rows and  columns.
• We have already seen that this can be achieved
by using the transposition techniques (also
called as permutation techniques).  
• Stream cipher relies only on confusion. Block
cipher uses both confusion and diffusion.  
 Algorithm Modes
• An algorithm mode is a combination of a
series of the basic algorithm steps on block
cipher,  and some kind of feedback from the
previous step
• There are four important algorithm  modes,
namely,
• Electronic Code Book (ECB),
• Cipher Block Chaining(CBC),
• Cipher Feed-  back (CFB) and
• Output Feedback (OFB).
• The first two modes  operate on block cipher,
whereas the latter two modes are block cipher
modes, which can  be used as if they are
working on stream cipher.  
 Electronic Code Book (ECB) mode
• Electronic Code Book (ECB) is the simplest
mode of operation. Here, the incoming plain
 text message is divided into blocks of 64 bits
each.
• Each such block is then encrypted
 independently of the other blocks. For all
blocks in an message. the same key is used for
 encryption
• At the receiver's end. the incoming data is
divided into 64-bit blocks. and by using the
 same key as was used for encryption. each
block is decrypted to produce the
corresponding  plain text block.
• In ECB. since a single key is used for encrypting
all the blocks of a message. If a plain text block
repeats in the original message, the
corresponding cipher text block will also
 repeat in the encrypted message.
• Therefore. ECB is suitable only for encrypting
small  messages. where the scope for
repeating the same plain text blocks is quite
less.  
. Cipher Block Chaining (CBC) mode
• We saw that in the case of ECB, within a given message (i.e. for a
given key). a plain text   block always produces the same cipher
text block.
• Thus. If a block of plain text occurs more  than once in the input.
the corresponding cipher text block will also occur more than
once  in the output. thus providing some clues to a cryptanalyst.
• To overcome this problem. the  Cipher Block Chaining (CBC)
mode ensures that even if a block of plain text repeats in  the
input. these two (or more) identical plain text blocks yield totally
different cipher text  blocks in the output. For this. a feedback
mechanism is used.
• Chaining adds a feedback mechanism to a block
cipher.
• ln Cipher Block Chaining (CBC).  the results of the
encryption of the previous block are fed back into
the encryption of the  current block.
• That is. each block is used to modify the encryption
of the next block. Thus.  each block of cipher text is
dependent on the corresponding current input plain
text block.  as well as all the previous plain text
blocks.  
 Cipher Feedback (CFB) mode
• Not all applications can work with blocks of data. Security
also required it applications  that are character-oriented. For
instance, an operator can be typing keystrokes at a terminal,
which need to be immediately transmitted across the
communications link in a secure  manner. i.e. by using
encryption.
• In such situations. stream cipher must be used. The Cipher
 Feedback (CFB) mode is useful in such cases. ln this mode.
data is encrypted in units that   are smaller (e.g. they could be
of size 8 bits, i.e. the size of a character typed by an operator)
 than a defined block size (which is usually 64 bits).  
• Step 1 : Like CBC, a 64-bit Initialization Vector (IV) is used in
the case of CFB mode. The IV is kept in a shift register. It is
encrypted in the first step to produce a corresponding 64-bit
IV cipher text
• Now, the leftmost (i.e. the most significant).) bits of the
encrypted IV are X0Red with the first] bits of the plain text
This produces the first portion of cipher text (say Cr) as shown
in Fig_ 3.11. C is then transmitted to the receiver,
•  
• Step 3 Now, the bits of IV (i.e, the contents of the shift register
containing 1V) are shifted Left by j positions. Thus, the rightmost .
positions of the shift register now contain unpredictable data. These
rightmost] positions are now filled with C.
• Step 4 Now, steps 1 through 3 continue until all the plain-
text units are encrypted. That is, the following steps are
repeated:
• IV is encrypted.
• The leftmost j bits resulting from this encryption process
are XORed With the next j bits of the plain text,
• The resulting cipher-text portion (i.e_ the next j bits of
cipher text) is sent to the receiver.
• The shift register containing the 1V is left-shifted by jbits.
• The, bits of the cipher text are inserted from right into the
shift register containing the IV.
 Output Feedback (OFB) Mode
• The Output Feedback (OFB) mode is extremely similar to the CFB, The
only difference is that in the case of CFB, the cipher text is fed into the
next stage of encryption process.
• But in the case of OFB, the output of the IV encryption process is fed into
the next stage of encryption process, Therefore, we shall not describe
the details of OFB, and instead, shall simply draw the block diagram of
the OFB process,
•  
• Let us summarize the key advantage of the OFB mode. In simple terms,
we can state that in this mode, if there are errors in individual bits, they
remain errors in individual bits and do not corrupt the whole message.
• That is, bit errors do not get propagated, If a cipher-text bit Ci is in error,
only the decrypted value corresponding to this bit, i.e. Pi wrong. other
bits are not affected.
• Remember that in contrast to this, in the CFB mode, the cipher text bit C,
is fed back as input to the shift register, and would corrupt the other hits
in the message!
• The possible drawback with OFB is that an attacker can make
necessary changes to the cipher text and the checksum of
the message in a controlled fashion.
• This causes changes in the cipher text without it getting
detected. In other words, the attacker changes both the
cipher text and the checksum at the same time, hence there
is no way to detect this change.
• The Counter (CTR) triode is quite similar to the OFB mode, with one
variation. It uses sequence number. called counter as the inputs to the
algorithm.
• After each block is encrypted. to fill the register, the next counter value
is used. Usually, a constant is used as the initial counter value, and is
incremented (usually by 1) for every iteration, The size of the counter
block is the same as that of the plain-text block.
• For encryption, the counter is encrypted and then X0Red with the plain
text block to get the cipher text No chaining process is used ,On the
other hand, for decryption, the same sequence of counters is used. Here,
each encrypted counter is XORed with the corresponding cipher-text
block to obtain the original plain-text block.
AN OVERVIEW OF SYMMETRIC-KEY
CRYPTOGRAPHY
 DATA ENCRYPTION STANDARD (DES)
• The Data Encryption Standard (DES), also called the Data Encryption
Algorithm (DEA) by ANSI and DEA-1 by ISO, has been a cryptographic
algorithm used for over two decades. Of late, DES has been found
vulnerable against very powerful attacks, and therefore, the popularity
of DES has been slightly on the decline.
• . DES is generally used in the ECB, CBC or the CFB mode.
• The origins of DES go back to 1972, when in the US, the National
Bureau of Standards (NBS), now known as the National Institute of
Standards and Technology (NIST), embarked upon a project for
protecting the data in computers and computer communications.
• They wanted to develop a single cryptographic algorithm. After
two years, NBS realized that IBM's Lucifer could be considered a
serious candidate, rather than developing a fresh algorithm from
scratch. After a few discussions, in 1975, the NBS published the
details of the algorithm. Towards the end of 1976, the US Federal
Government decided to adopt this algorithm, and soon. it was
renamed Data Encryption Siandrear (DES). Soon, other bodies also
recognized and adopted DES as a cryptographic algorithm
 How DES Works

•  1. Basic Principles

• DES is a block cipher. It encrypts data in blocks of 64 bits each, That is, 64
bits of plain text goes as the input to DES, which produces 64 bits of cipher
text. The same algorithm and key are used for encryption and decryption,
with minor differences. The key length is 56 bits.
• We have mentioned that DES uses a 56-bit key. Actually, the initial key
consists of 64 bits. However, before the DES process even starts, every
eighth bit of the key is discarded to produce a 56-bit key. That is, bit
positions 8, 16, 24, 32, 40, 48, 56 and 64 are discarded.
• Thus, the discarding of every 8th bit of the key
produces a 56-bit key from the original 64-bit
key,
• Simplistically, DES is based on the two fundamental attributes of cryp-
tography: substitution (also called confusion) and transposition (also
called diffusion).
• DES consists of I6 steps, each of which is called a round. Each round
performs the steps of substitution and transposition. Let us now discuss
the broad-level steps in DES
• 1. In the first step, the 64-bit plain-text block is handed over to an
• Initial Permutation (IP) function.
• 2. The initial permutation is performed on plain text
• 3 Next, the Initial Permutation (IP) produces two halves of the permuted
block; say Left Plain Text (LPT) and Right Plain Text (RPT), .
• 4. Now, each of LPT and RPT go through 16 rounds of encryption process,
each with its own key.
• 5. In the end, LPT and RPT are rejoined, and a Final Permutation (FP) is
performed on the combined block,
• 6. The result of this process produces 64-bit cipher text
 Initial Permutation (IP)
• , the initial Permutation UP) happens only once, and it happens before
the first round. It suggests how the transposition in IP should proceed, as
shown in Fig. 3.22. For example, it says that the IP replaces the first bit of
the original plain-text block with the 58th bit of the original plain-text
bock, the second bit with the 50th bit of the original plain text block, and
so on This is nothing but jugglery of bit positions of the original plain-text
block.
• after IP is done, the resulting 64-bit permuted
text block is divided into two half blocks.
• Each half block consists of 32 bits. We have
called the left block as LPT and the right block
as RPT, Now 16 rounds are performed on
these two blocks
 3. Rounds

Each of the 16 rounds, in turn, consists of the broad-level steps

• Step 1: Key Transformation We have noted that the initial 64-bit
key is transformed into a 56-bit key by discarding every 8th bit of the
initial key.
• Thus, for each round, a 56-bit key is available. From this
56-bit key, a different 48-bit subkey is generated during each round using a
process called key transformation.
• For this, the 56-bit key is divided into two halves, each of 28 bits. These
halves arc circularly shifted left by one or two positions, depending on the
round.
• For ex-ample, Write round number is I, 2, 9 or 16, the shift is done by only
one position. For other rounds, the circular shift is dorm by two positions
• After an appropriate shift, 48 of the 56 bits are selected. For
selecting 48 of the 56 bits, the table shown in Fig. 3,26 is used. For
instance, after the shift, bit number 14 moves into the first position,
bit number 17 moves into the second position, and so on if we
observe the table carefully, we will realize that it contains only 48
bit positions.
• Bit number 18 is discarded (we will not find it in the table), like 7
others, to reduce the 56-bit key to a 48-bit key. Since the key-
transformation process involves permutation as well as selection of
a 48-bit subset of the original 56-bit key, it is called compression
permutation.
• Step 2: Expansion Permutation Recall that after initial
permutation, we had two 32-bit plain text areas, called Left
Plain Text (LPT) and Right Plain Text (RPT).
• During expansion permutation, the RPT is expanded from 32
bits to 48 bits. Resides increasing the bit size from 32 to 48,
the bits are permuted as well, hence the name expansion
Permutation
• 1. The 32-bit RPT is divided into 8 blocks, with
each block consisting of 4 bits,
• Next, each 4-bit block of the above step is then expanded to a
corresponding 6-bit block, That is, per 4-bit block, 2 more bits are added.
What are these two bits? They are actually the repeated first and the
fourth bits of the 4-bit block, The second and the third bits are written
down as they were in the input
• As we can see, the first input bit goes into the second and the 48th output
positions. The second input bit goes into the third output position, and so
on. Consequently, we will observe that the expansion permutation has
actually used the table shown in Fig. 3.29.
 Step 3: S-box Substitution
• S-box substitution is a process that accepts the 48-bit
input from the XOR operation involving the compressed
key and expanded RPT,. and produces a 32-bit output
using the substitution technique.
• The substitution is performed by eight substitution boxes
(also called as S-boxes). Each of the eight S-boxes has a 6-
bit input and a 4-bit output.
• The 48-bit input block is divided into 8 sub-blocks (each
containing 6 bits), and each such sub-block is given to an
S-box, The S-box transforms the 6-bit input into a 4-bit
output,
• The 6-bit input indicates which row and column, and therefore,
which intersection is to be selected, and thus, determines the 4-
bit output, How is it done? Let us assumc that the six bits of an S-
box are indicated by b1, b2, b3, b4, b5, and b6.
• Now, bits b1 and b6 are combined to form a two-bit number. Two
bits can store any decimal number between 0 (binary 00) and 3
(binary 11), This specifies the row number. The remaining four
bits h2, b3, b4, b5 make up a four-bit number, which specifies the
column number between decimal 0 (binary 0000) and 15 (binary
1111). Thus, the 6-bit input automatically selects the row number
and column number for the selection of the output.
 P-box Permutation
• The output of S-box consists of 32 bits. These 32 bits are
permuted using a P-box, This straightforward permutation
mechanism involves simple permutation (i.e, replacement of each
bit with another bit, as specified in the P-box table, without any
expansion or compression).
• This is called P-box permutation. The P-box is shown in Fig_ 3_35_
• For example, a 16 in the first block indicates that the bit at
position 16 of the original input moves to the bit at position 1 in
the output, and a 10 in the block number 16 indicates that the bit
at the position 10 a the original input moves to bit at the position
16 in the output.
•
•  
• XOR and Swap Note that we have been performing all
these operations only on the 32-bit right half portion of
the 64-bit original plain text (i.e_ on the RPT). The left
half portion (i.e. LPT) was untouched so far.
• At this juncture, the left half portion of the initial 64-bit
plain text block (i.e, LPT) isX0Red with the output
produced by P-box permutation. The result of this XOR
operation becomes the new right half (i.e. RPT). The old
right half (i.e. RPT) becomes the new left half, in a
process of swapping.
 Final Permutation

• At the end of the 16 rounds, the final permutation is

performed (only once). This is a simple transposition based
on Fig. 3,37, For instance, the 4th input bit takes the position
of the 1st output bit, and so on.
• The output of the final permutation is the 64-bit encrypted
block.
 Variations of DES
• In spite of its strengths, it is generally felt that
with the tremendous advances in computer
hardware (higher processing speeds of
gigahertz, higher memory availability at cheap
prices, parallel processing capabilities, etc.),
• DES is susceptible to possible attacks. However,
because DES is already proven to be a very
competent algorithm, it would be wise to reuse
DES by making it stronger by some means
 Double DES
• Double DES is quite simple to understand. Essentially, it does
twice what DES normally does only once. Double DES uses
two keys, say K1 and K2. It first performs DES on the original
plain text using K1 to get the encrypted text, It again
performs DES on the encrypted text, but this time with the
other key, i.e. K2. The final output is the encryption of
encrypted text
• The doubly encrypted cipher-text block is first decrypted using
the key K2 to produce [he singly encrypted cipher text. This
cipher-text block is then decrypted using the key K1 to obtain
the original plain-text block.
• If we use a key of just 1 bit, there are two possible keys (0 and 1), If we
use a 2-bit key, there are four possible key values (00, 01,10 and 11),
• In general, if we use an n-bit key, the cryptanalyst has to perform 2P
operations to try out all the possible keys, If we use two different keys,
each consisting o f n bits, the cryptanalyst would need 2 2n attempts to
crack the key. Therefore, on the face of it, we may think that since the
cryptanalysis for the basic version of DES requires a search of 2 56 keys.
• Double DES would require a key search of (2 2*56), i.e. 2112 keys.
However, it is not quite true. Merkle and Hellman introduced the
concept of the meet-in-the-middle attack. This attack involves
encryption from one end, decryption from the other, and matching the
results in the middle, hence the name meet-in-the-middle attack.
• Now. the aim of the cryptanalyst, who is armed with the
knowledge of P and C, is to obtain the values
K I and K2, What would the cryptanalyst do?
• Step 1 For all possible values (256) of key K1, the cryptanalyst
would use a large table in the memory of the computer, and
perform the following two steps:
• 1. The cryptanalyst would encrypt the plain-text block P by
performing the First encryption operation, i.e EK1(P), That is, it
will calculate T.
• 2. The cryptanalyst would store the output of the operation
EK1(P), i.e. the temporary cipher text (T),
in the next available row of the table in the memory
• Step 2 Thus, at the end of the above process, the
cryptanalyst will have the table of cipher texts as
shown in the figure. Next, the cryptanalyst will
perform the reverse operation.
• That is, he/she will now decrypt the known cipher
text C with all the possible values of K2 [i.e, perform
Dk2(C) for all possible values of K2]. In each case, the
cryptanalyst will compare the resulting value with all
the values in the table of cipher texts, which were
computed earlier. This process as before, for 2-bit key)
• In the first step, the cryptanalyst was
calculating the value of T from the left-hand
side (i.e. encrypt P with K1 to find D. Thus,
here T = EK1(P),
• • In the second step, the cryptanalyst was
finding the value or T from the right-band side
(i.e. decrypt C with K2 to find D. Thus, here T=
DK2(C).
• From the above two steps, we can actually conclude that the
temporary result (T) can be obtained in two ways, either by
encrypting P with Kl, or by decrypting C with K2. This is
because, we can write the following equations;
• T= EK1(P) = DK2(C)
• Now, if the cryptanalyst creates a table of EK1(P) (i.e. table of T)
for all the possible values of K1, and then performs DK2(C) for all
possible values of K2 (i.e. computes T), there is a chance that she
gets the same T in both the operations. if the cryptanalyst is able
to find the same T for both encrypt with K1 and decrypt with K2
operations, it means that the cryptanalyst knows not only P and
C. but he/she has now also been able to find out the possible
values of K1 and K2!
• The cryptanalyst can now try this K1 and K2 pair on another
known pair of P and C. and if he she is able to get the same T by
performing the EK1(P) and DK2(C)operations. he/she can then try
to use Kl and K2 for the remaining blocks of the message
 Triple DES
• Although the meet-in-the-middle attack on double DES is not
quite practical yet, in cryptography, it is always better to take
the minimum possible chances, Consequently, double DES
seemed inadequate, paving way for triple DES.
As we can imagine, Triple DES is DES three times, It comes in
two kinds: one that uses three keys, and the other that uses
two keys.
Triple DES with Three Keys
• Triple DES with three keys is used quite extensively in many products,
including PGP and S/ MIME.
• To decrypt the cipher text C and obtain the plain text P, we need to
perform the operation P = DK3(DK2(DK1(C)))
 Triple DES with Two Keys
• Triple DES with three keys is highly secure. It can be denoted in
the form of an equation as C = EK3(EK2(EK1(P)))However, triple DES
with three keys also has the drawback of requiring 56 x 3 = 168
bits for the key, which can be slightly difficult to have in
practical situations. A workaround suggested by Tuchman uses
just two keys for triple DES. Here, the algorithm works a
follows:
• 1. Encrypt the plain text with key K1. Thus, we have EK1(P).
• 2. Decrypt the output of stop 1 above with key K2. Thus, we
have DK2(EK1 (P)).
• 3. Finally, encrypt the output of step 2 again with key K1. Thus,
we have EK1(DK2(EK1(P))), This
To decrypt the cipher text C and obtain the original plain text
P, we need io perform the operation P= DK1(EK2(DK1(C)))
 INTERNATIONAL DATA ENCRYPTION
ALGORITHM (IDEA)
• The International Data Encryption Algorithm (IDEA) is
perceived as one of the strongest cryptographic algorithms.
It was launched in 1990, and underwent certain changes in
names and capabilities
• Although it is quite strong, IDEA is not as popular as DES for
two primary reasons. Firstly, it is patented unlike DES, and
therefore, must be licensed before it can be used in
commercial applications.
• Secondly, DES has a long history and track record as compared
to IDEA. However one popular email privacy technology
known as Pretty Good Privacy (PCP) is based on IDEA
 How IDEA Works
• IDEA is a block cipher. Like DES, it also works on (4-bit plain-
text blocks. The key is longer, however, and consists of 128
bits. IDEA is reversible like DES, that is, the same algorithm is
used for encryption and decryption. Also, IDEA uses both
difussion and confusion for encryption
• The working of IDEA can be visualized at a broad level as shown
in Fig, 3.45. The 64-bit input plaintext block is divided into four
portions of plain text (each of size 16 bits), say P1 to P4. Thus, P1
to P4 are the inputs to the first round of the algorithm. There are
eight such round. As we mentioned, the key consists of 128 bits,
• In each round, six subkeys are generated from the original key,
Each of the subkeys consists of 16 bits. These six subkeys are
applied to the four input blocks PI to P4.
• Thus, for the first round, we will have the six keys K1 to K6. For
the second round, we will have keys K7 to K12, Finally, for the
eighth round, we will have keys K43 to K48.
• The final step consists of an output transformation, which uses
just four subkeys (K49 to K52). The final output produced is the
output produced by the output transformation step, which is four
blocks of cipher text named CI to C4 (each consisting of 16 bits).
These are combined to form the final 64-bit cipher-text block.
• We have mentioned that there are 8 rounds in IDEA. Each
round involves a series of operations on the four data blocks
using six keys. At a broad level, these steps can be described
as shown in Fig. 3A6. As we can see, these steps perform a lot
of mathematical actions. There are multiplications, additions
and XOR operations.
• Note that we have put an asterisk in front of
the words add and multiply, causing them to
be shown as Add* and Multiply*, respectively.
• The reason behind this is that these are not
mere additions and multiplications. Instead,
these are addition modulo 216 (i.e addition
modulo 65536) and multiplication modulo 216
+ 1 (i.e. multiplication modulo 65537).
• Why is this required in IDEA, and what does this mean'? Let us
examine the case of the normal binary addition with an
example. Suppose that we are in round 2 of IDEA.
• Further, let us assume that P2 = 1111111100000000 and K2 =
1111111111000001, First, simply add them (and no' add'
them!) and see what happens.
• As we see, the normal addition will produce a number that
consists of17 bits (i.e.1111 1111011000001).
• However, remember that we have only 16 bit positions
available for the output of round 2.
• Therefore, we must reduce this number (which is 130753 in
decimal) to a 16-bit number. For this, we take modulo 65536
of this.
• 130753 modulo 65536 yields 65217, which is
1111111011000001 in binary, and is a 16-bit number, which
fits well in our scheme
Rounds
 . Subkey Generation for a Round
• each of the eight rounds makes use of six subkeys (so, 8 x 6 —
48 subkeys are required for the rounds), and the final output
transformation uses four subkeys (making a total of 48 + 4 =
52 subkeys overall). From an input key of 128 bits, how are
these 52 subkeys generated?
 First Round
• We know that the initial key consists of 128 bits, from which 6 subkeys K1
to K6 are generated for the first round. Since K1 to K6 consist of 16 bits
each, out of the original 128 bits, the first 96 bits (6 subkeys x 16 bits per
subkey) are used for the first round. Thus, at the end of the first round,
bits 97--128 of the original key are unused
 Second Round
• As we can see, bits 1-96 are adequate to produce subkeys K1 to
K6 for round
• I. For the second round, we can utilize the 32 unused key bits at
positions 97 to 128 (which would give us two subkeys, each of 16
bits),
• HOW do we now get the remaining 64 bits for the second
round? For this, IDEA employs the technique of key shifting. At
this stage, the original key is shifted left circularly by 25 bits.
• That is, the 26th bit of the original key moves to the first
position, and becomes the first bit after the shift, and the 25th
bit of the original key moves to the last position, and becomes
the 128th bit after the shift
• We can now imagine that the unused bits of the second round (i.e.
bit positions 65-128) will firstly be used in round 3, and then a
circular-left shift of 25 bits will be performed once again.
• From the resulting shifted key, we would extract the first 32 bits,
which covers the shortfall in the key bits for this round,
• This process would go on for the remaining rounds on similar line.
These procedures for all the S rounds can be tabulated as shown in
Table 3.4.
 The output transformation
• The output transformation is a one-time operation. It takes
place at the end of the 8th round. The input to the output
transformation is, of course, the output of the 8th round.
• This is, as usual, a 64-bit value divided into four sub-blocks
(say R1 to R4, each consisting of 16 bits). Also, four subkeys
are applied here, and not six.
• We will describe the key-generation process for the output
transformation later. For now, we shall assume that four 16-
bit subkeys K1 to K4 are available to the output
transformation. The process of the output transformation is
described in Fig. 3.51.
• The output of this process is the final 64-bit cipher text, which
is a combination of the four cipher-text sub-blocks Cl to C4,
 Subkey Generation for The Output
Transformation
• The process for the subkey generation for the output
transformation is exactly similar to the subkey generation
process for the eight rounds.
• Recall that at the end of the eighth and the final round, the
key is exhausted and shifted. Therefore, in this round, the first
64 bits make up subkeys K1 to K4, which are used as the four
subkeys for this round
 . IDEA Decryption

• The decryption process is exactly the same as the encryption

process. There are some alterations in the generation and
pattern of subkeys. The decryption subkeys are act-1.a), an
inverse of the encryption subkeys. We shall not discuss this
any further, as the basic concepts remain the same.
•  
 . The Strength of IDEA
• IDEA uses a 128-bit key, which is double than the key
size of DES. Thus, to break into IDEA. 2128 (i.e. 1038)
encryption operations would be required.
• As before, even if we assume that to obtain the
correct key, only half of the possible keys (i.e. half of
the key space) needs to be examined and tried out,
A single computer performing one IDEA encryption
per microsecond would require more than
540000000000000000000000000 years to break
IDEA!
 RC4
• RC4 was designed by Ron Rivest of RSA Security in 1987. The
official name for this algorithm is "Rivest Cipher 4". However,
because of its ease of reference. the acronym RC4 has stuck.
• RC4 is a stream cipher. This means that the encryption
happens byte-by-byte. However, this can be changed to bit-
by-bit encryption (or to a site other than a byte/bit)„
• 2 Description
• RC4 generates a pseudorandom stream of bits called keystream. This is
combined with the plain text using XOR for encryption.
• Even decryption is performed in a similar manner.
• Let us understand this in more detail now.
• There is a variable length key consisting of 1 to 256 bytes (or 8 to 2048 bits).
• This key is used to initialize a 256-byte state vector with elements identified
as S [0] S[1] ……. S[255].
• To perform an encryption or decryption operation, one of these 256 bytes of
S is selected, and processed. We will call the resulting output as ok. After
this, the entries in S are permuted once again.
• Overall, there are two processes involved: (a) initialization of S, and (b)
stream generation
 1. Initialization of S

• This process consists of the following steps,

• 1. Choose a key (K) of length between 1 and 256 bytes.
• 2. Set the values in the state vector S equal to the values
from 0 to 255 in an ascending order, In other words, we
should have S[0]=1,S[1]=1,..., S [255] = 255.
• 3. Create another temporary array T. if the length of the
key K (termed ass keylen)is 256 bytes. copy K into T' as is.
• Otherwise, after copying .K to T, whatever are the
remaining positions in T are filled with the values olK
again. At the end, T should be completely filled,
• After this, the T array is used to produce initial permutation
of S. For this purpose. a loop executes, iterating i from 0 to
255.
• In each case, the byte at the position S [i] is swapped with
another byte in the S array, as per an arrangement decided
by T [1]. For this purpose, the following logic is used:
• j= 0:
• for 1= 0 to 255
• j=(j+S[i] + T [i]) mod 256;
• swap (S[i], S [j]);
• Note that this is just a permutation, The values of .S are
simply being rearranged, not changed
 Stream Generation
• Now that the S array is ready with the above initializations and
permutations, the initial key array K is discarded.
• Now, we need to again loop for i = 0 to 255, In each step. we swap S [i]
with another byte in S, as per the mechanism decided by the
implementation of S. Once we exhaust i he 255 positions, we need to
restart at S[0]
• After this, for encryption, k is X0Red with the
next byte of the plain text. For decryption, k
is XORed with the next byte of the cipher text
 RC5

• RC5 is a symmetric key block encryption

algorithm developed by Ron Rivest. The main
features of RC5 ATC that it is quite Fast .
• it uses only the primitive computer
operations (such as addition, XOR, shift, etc,),
• It allows for a variable number of rounds.
and a variable bit-size key to add to the
flexibility
• Another important aspect is that RC5
requires less memory For execution, and is
therefore, suitable not only For desktop
computers, but also for smart cards and
other devices that have a small memory
capacity.
 How RC5 Work
• In RC5, the word size (i.e. input plain text
block size), number of rounds and number of
ii-bit bytes (octets) or the key. all can be of
variable length
• These ate variable in the sense that before
the execution of a particular instance of RC5,
these values can be chosen From those
allowed.
• This is unlike DES, for instance, where the
block size must be of 64 bits and the key site
must always be of 56 bits; or unlike IDEA,
which uses 64-bit blocks and 128-bit keys.
• The plain text block size can be of 32, 64 or
128 bits (since 2-word blocks are used).
• The key length can be 0 to 2041) bits (since
we have specified the allowed -values For
8-bit keys).
• The output resulting from RCS is the cipher text, which
has the sane size as the input plain text. Since RC5 allows
for variable values in the three parameters, as specified,
a particular instance of the RC5 algorithm is denoted as
RC5-w/r/b, where
• W=word size in bits , r = number of rounds, b = number
of 8-bit bytes in the key.
• Thus, if we have RC5-32/ 16/16, it means that we are
using RC5 with a block size of 64 bits (remember that RC5
uses 2-word blocks), 16 rounds of encryption, and 16
bytes (i.e. 128 bits) in the key
• Then, the round begin. In each round, there are
following operations:
• • Bitwise XOR
• • Left circular-shift
• • Addition with the next sub-ley, for both C and
D. This is the addition operation first,
and then the result of the addition mod 2w
(since w = 32 here, we have 232) is performed
One-time initial operation
• Details of one round
• Now, we observe the results for the first round. The process for the first
round will apply for further round
• XOR C and D
Circular-left @bilk E
 BLOWFISH
• Blowfish was developed by Brace Saucier, and has the reputation
of being a very strong symmetric key cryptographic algorithm,
According to Schneier, Blowfish was designed with the following
objectives in mind,
• (a) Fast Blowfish encryption rate on 32-bit microprocessors is 26
clock cycles per byte.
• (b) Compact Blowfish can execute in less than 5 KB memory.
• (c) Simple Blowfish uses only primitive operations, such as
addition, XOR and table look-up, making its design and
implementation simple.
• (d) Secure Blowfish has a variable key length up to a maximum
of 448 bits long, making it both flexible and secure.
 Operation

• Blowfish encrypts 64-bit blocks with a variable-

length key. It Contains two parts, as follows.
• (a) Subkey GeneratIon This process converts the
key up to 448 bits long to subkeys totaling 4168 bits.
• (b) Data Encryption This process involves the
iteration of a simple function 16 times- Each round
contains a key-dependent permutation and key- and
data-dependent substitution.
 Subkey Generation
• Let us understand the important aspects of the subkey
generation process step by step.
• (a) Blowfish makes use of a very large number of subkeys.
These keys have to be ready before encryption and
decryption happen. The key size ranges from 32 bits to 448
bits.
• In other words, the key size ranges from 1 to 14 words, each
comprising a word of 32 bits. These keys are stored in an
array, as follows:
• K1, K2,…., Kn where 1 <=n<= 14
•
• (c) Now take a 64-bit block, with all the 64 bits initialized to
value of 0. Use the above P-arrays and S-boxes above (the P-
arrays and S-boxes are called subkeys) to run the Blowfish
encryption process (described in the next section) on the 64-bit
all-zero block,
• In other words, to generate the subkeys themselves, the
Blowfish algorithm is used. It is needless to say that once the
final subkeys arc ready, the Blowfish algorithm would be used to
encrypt the actual plain text.
• This step would produce a 64-bit cipher text. Divide this into two
32-bit blocks and replace the original values of PI and P2 with
these 32-bit block values, respectively.
• (d) Encrypt the output of step (c) above using Blowfish
with the modified subkeys. The resulting output would
again consist of 64 bits, As before, divide this into two
blocks of 32 bits each, Now, replace P3 and P4 with the
contents of these two ciphertext blocks.
• (e) In the same manner, replace all the remaining P-arrays
(i.e. P5 through P18) and then all the elements of the four
S-boxes, in order. In each step, the output of the previous
step is fed to the Blowfish algorithm to generate the next
two 32-bit blocks of the subkey (i.e. P5 and Pd, followed by
P7 and P8, etc).
Data Encryption and Decryption
ADVANCED ENCRYPTION STANDARD (AES)

• ln the l990s. the US Government wanted to

standardize to cryptographic algorithm. which
was to be used universally by them.
• lt was to be called the Advanced Encryption
Standard (AES). Many proposals were
submitted. and after a lot of debate, an
algorithm called Rijndael was accepted.
• Rijndael   was developed by Joan Daemen and
Vincent Rijmen (both from Belgium)
• The need for coming up with a new algorithm
was actually because of the perceived
weakness in  DES.
• The 56-bit keys of DES were no longer
considered safe against attacks based on
exhaustive key  searches. and the 64-bit blocks
were also considered weak. AES was to be
based on I28-bit blocks.  with 128-bit keys.  
• In June I998. the Rijndael proposal was submitted to NIST as one of
the candidates for AES.
• Out of the initial 15 candidates. only 5 were shortlisted in August
I999. which were as follows:  
• l. Rijndael (From Joan Daemen and Vincent Rijmen: 86 votes)  
• 2. Serpent (From Ross Anderson, Eli Bihant. and Lars Knudsen; 59
votes)  
• 3. Twofish (From Bnrcc Schneicr and others. 3| votes)  
• 4. RC6 (From RSA Laboratories. 23 votes)  
• 5. MARS (From IBM, I3 votes)  
• ln October 2000. Rijndael was announced as the linal selection for
ABS
• According to its designers. the main features of AES
are as follows.  
• (ct) Symmetric and Parallel Structure This gives the
implementers of the algorithm a lot of  flexibility. lt
also stands up well against cryptroanalysis attacks.  
• (b) Adopted to Modern Processor :The algorithm
works well with modern processors (Pentium. RISC.
parallel).  
• (C) Suited to Smart Cards :The algorithm can work well
with smart cards.
• Rijndael supports key lengths and plain-text block sizes
from I28 bits to 256 bits.
• In the steps of 32 bits.  The key length and the length
of the plain-text blocks need to be selected
independently.
• AES mandates   that the plain-text block size must be
I82 bits, and key size should be I28, I92, or 256 bits.
• In general, two versions of AES are used: a I28-bit
plain-text block combined with a I28-bit key block. and
a I28-  bit plain text block with a 256-bit key block.
 Operation
• Similar to the way DES functions. Rijndztel also
uses the basic techniques of substitution and
transposition (i.e. permutation).
• The key size and the plain-text block size decide
how many rounds need to be  executed.
• The minimum number of rounds is 1O (when key
size and the plain-text block size are each  I28 bits)
and the maximum number of rounds is 14
 One-time initialization Process
• I. Expand the 16-byte key to get the actual key
block to be used  
• The inputs to the algorithm are the key and
the plain text as usual. The key size is 16 bytes
in this  case.
• This step expands this I6-byte key into 11
arrays, and each array contains 4 rows and 4
columns.
• In other words. the original 16-byte key is expanded
into a key containing 11 x 4 x 4 = I76 bytes.  
• One of these. 11 arrays are used in the initialization
process and the other I0 arrays are used in the 10
rounds. one array per round.  
• The terminology of word. in the context  of AES. A
word means 4 bytes. Therefore. in the current context.
our 16-byte initial key (i.e. I6/4 =  4-word key) will he
expanded into I76-byte key (i.e. l76/4 words, i.e. 44
words).  
• (a) Firstly. the original l6-byte key is copied
into the first 4 words of the expanded key (i.e.
the first  4 x 4 array of our diagram),
• (b) Alter filling the first array (for words numbered W1to W3)
of the expanded key block as explained above, the remaining
10 arrays (for words numbered W4 to W43) are filled one by
one.  
• Every time. one such 4 x 4 array (i.e. four words) gets filled
• . Every added key array block depends on the
immediately preceding block and the block 4
positions earlier to it.
• That is. every added word w [i] depends on w
[i - 1] and w [i - 4].
• discussed the portion of copying all the I6
input key blocks (i.e. I6 bytes) into the first
four words of the output key block.
• Therefore. we will not discuss this again. This
is described by  the first for loop.  
• In the second for loop. we cheek if the current word being
populated in the output key block is a multiple of 4.
• If it is. we perform three functions. titled substitute, Rotate. and
constant.
• However. if the current word in the output key block is not a
multiple of four.
• we simply  perform an XOR operation of the previous word and
the word four places earlier, and store it as the  output word. That
is. for word W [5]. we would XOR W [4] and W [1] and store their
output us W [5].  
• Note that a temporary variable called tmp is created. which  stores
W [i — I], which is then XORed with W [i - 4].  
• Function Rotate performs a circular let shift on
the contents of the word by one byte. Thus. If
an input word contains four bytes numbered
[B1 B2. B3. B4] then the output word would
contain  [B2. B3. B4. B1 ].  
• (ii) Function Substitute: performs a byte
substitution on each byte of the input word.
For this purpose. it uses an S-box
• In the function Constant. the output of the above steps is
XORed with a constant. This constant  is n word. consisting of
4 bytes.
• The value of the constant depends on the round number. The
last those bytes of a constant word always contain 0.
• Thus. XORing any input word with such at   constant is as good
as XORing only with the first byte of the input word.
• Thus. the first 4 words of the output key (i.e. from W [0] to W[3]) would
contain values as shown
• 0 Firstly. the first four bytes. i.e. one word. of the input key. namely 00 01
02 03 is copied into the first word of the output key W [0].  
• 0 Now. the next four bytes of the input key. i.e. 04 05 06 07 would he
copied into the second word of the output key. i.e. W [1].  
• Needless to say, W [2] and W [3] would get populated with the remaining
contents of the input  key bytes. as shown in the figure.  
• 0 we know that Rotate (temp) will produce Rotate (0C 0D 0E 0F).
which equals 0D 0E 0F 0C.  
• 0 Now. we need to do Substitute (Rotate (temp)).
• For this purpose. we need to take one byte at a  time. and look up
in the S-box for substitution.
• For example. our first byte is OD. Looking it up in the S-box with x
= 0 and y = D produces D7.
• Similarly. 0E produce AB. 0F produces 76. and 0C  
• produces FE.
• Thus. at the end of the Substitute (Rotate (temp)) step. our input
of 0D 0E 0F 0C is transformed into the output of D7 AB 76 FE.  
• we now need to XOR this value with Constant [i/4]. Since i = 4,
we need to obtain the value of  
• Constant [4/4]. i.e. constant [1]. which is 01. as per our earlier
table of constants.
• As we know.  we need to pad this with three more bytes,all
set to 00. Therefore. our constant value is O1 00 00 00.
Therefore. we have:  
 Do one-time initialization of the 16-byte
plain-text block (called State)
• This step is relatively simple. Here. the 16-byte
plain-text block is copied into a two-
dimensional 4 x 4  array called state. The order
of copying is in the column order.
• That is. the first four bytes of the plain-text
block get copied into the first column of the
State array. the next four bytes of the plain-
text block  get copied into the second column
of the state array and so on.
 . XOR the state with the key block
•  Now, the first 16 bytes (i.e. four words W[0],
W[ 1], W [2], and W [3]) of the expanded key
an: XORed   into the l6-byte state array (B1 to
B16 shown above).
Thus. every byte in the stale army is replaced by
 the XOR of itself and the corresponding byte in
the expanded key.  
• At this stage. the initialization is complete, and
we are ready for rounds.
 Processes in Each Round
• 1. Apply S-box to each of the plain-text bytes  
• This step is very straightforward. The contents
of the State array are looked up into the S-box.
Byte   by-byte substitution is done to replace
the contents of the state array with the
respective entries in the  S-box.
• Note that only one S-box is used. unlike DES.
which has multiple S-boxes.  
 Rotate row k at the plain-text block (i.e.
state) by k bytes
• Here. each of the four rows of the state array are rotated to
the left.
• Row 0 is rotated 0 bytes (i.e. not rotated at all). row l is
rotated by I byte. row 2 is rotated 2 bytes. and row 2 is
rotated 3 bytes.
• This helps in diffusion of data
 3. Perform a mix-columns operation
• Now. each column is mixed independent of the
other. Matrix multiplication is used. The output of
this  step is the matrix multiplication of the old
values and a constant matrix.
• There are two aspects of this step.
• The first explains which parts of the state are
multiplied against  which parts of the matrix.
• The second explains how this multiplication is
implemented over what's called a Galois field.  
 Matrix Multiplication
• The multiplication is performed one column at a time (i.e. on
4 bytes at a time). Each value in the  column is eventually
multiplied against every value of the matrix (i.e. I6 total
multiplications are performed).
• The results of these multiplications are XORed together to
produce only 4 resulting bytes for  the next state.
• We together have 4 bytes of input. I6 multiplications, I2
XORs, and 4 bytes output.
• The multiplication is performed one matrix row at a time
against each value of a state column.  
•  
• All numbers being multiplied using the Mix Column
function converted to HEX will form a maximum   of a 2-
digit hex number. We use the first digit in the number on
the vertical index and the second number on the
horizontal index.
• If the value being multiplied is composed of only one digit.
we use 0 on the vertical index.
• For example if the two hex values being multiplied are AF
*8 we first look up L (AF) index which returns B7 and then
lockup L(08) which returns 4B. Once the L-table look-up is
complete,  
• we can then simply add the numbers together.
The only trick being that if the addition result
is greater than FF. we subtract FF from the
addition result. For example B7 + 4B - 102.
Because I02 > FF. we perform 102 –FF which
gives us 03.  
• The last step is to look up the addition result
on the E-table. Again. we take the first digit to
look up the vertical index and the second digit
to look up the horizontal index.  
• For example, E(03) = 0F. Therefore. the result
of multiplying AF*8 over a Galois field is 0F.  
 4. XOR the state with the key block  

• This step XORs the key for this round into the
state array.  
• For decryption. the process can be executed in
the reverse order.
• There is another option. though. The  same
encryption process. run with some different
table values. can also perform decryption.