Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

UNIT-2
Secret Key Cryptography

UNIT-II: Secret Key Cryptography: Data Encryption Standard(DES), Strength of DES,

Block Cipher Design Principles and Modes of Operations, Triple DES, International Data
Encryption algorithm, Blowfish, CAST-128, AES

Previous Paper Questions:

IV B.Tech I Semester Regular Examinations, December - 2013

Explain Feistel encryption structure with diagram
1
Explain the triple DES in detail
Explain the DES encryption algorithm
2
Explain the strength of the DES.
Explain block cipher design principles in detail
3
Explain single round of DES
Explain block cipher modes of operations
4
Explain CAST-128 cipher.

IV B.Tech I Semester Supplementary Examinations, May/June - 2014

Briefly explain the following
1 i) Security services ii) Feistel cipher structure
What is the difference between differential and linear cryptanalysis?
2 Explain IDEA encryption and decryption process in detail?
What is encryption? Briefly describe the ingredients of a conventional encryption scheme.
3
What is a codebook? With a neat diagram, briefly describe CFB mode.
Draw the general structure of DES and explain the encryption and decryption process in
4
detail?

bphanikrishna.wordpress.com CSE Page 1

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Symmetric encryption is a form of cryptosystem in which encryption and decryption are

performed using the same key. It is also known as conventional encryption. Symmetric
encryption, also referred to as conventional encryption or single-key encryption.

◆ Symmetric encryption transforms plaintext into ciphertext using a secret key and an
encryption algorithm. Using the same key and a decryption algorithm, the plaintext is
recovered from the ciphertext.

◆ The two types of attack on an encryption algorithm are cryptanalysis, based on properties
of the encryption algorithm, and brute-force, which involves trying all possible keys.

◆ Traditional (precomputer) symmetric ciphers use substitution and/or transposition

techniques. Substitution techniques map plaintext elements (characters, bits) into ciphertext
elements. Transposition techniques systematically transpose the positions of plaintext
elements.

bphanikrishna.wordpress.com CSE Page 2

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

The Feistel Cipher:

Feistel proposed [FEIS73] that we can approximate the ideal block cipher by utilizing
the concept of a product cipher, which is the execution of two or more simple ciphers in
sequence in such a way that the final result or product is cryptographically stronger than any
of the component ciphers.The essence of the approach is to develop a block cipher with a key
length of k bits and a block length of n bits, allowing a total of 2 k possible transformations,
rather than the 2n! transformations available with the ideal block cipher.
In particular, Feistel proposed the use of a cipher that alternates substitutions and
permutations, where these terms are defined as follows:
 Substitution: Each plaintext element or group of elements is uniquely replaced by a
corresponding ciphertext element or group of elements.
 Permutation: A sequence of plaintext elements is replaced by a permutation of that
sequence. That is, no elements are added or deleted or replaced in the sequence, rather
the order in which the elements appear in the sequence is changed.

Feistel’s is a practical application of a proposal by Claude Shannon to develop a product

cipher that alternates confusion and diffusion functions

FEISTEL CIPHER STRUCTURE The left-hand side of Figure 3.3 depicts the structure
proposed by Feistel.The inputs to the encryption algorithm are a plaintext block of length 2w
bits and a key . The plaintext block is divided into two halves, L 0 and R0. The two halves of
the data pass through n rounds of processing and then combine to produce the ciphertext
block. Each round i has as inputs Li-1 and Ri-1 derived from the previous round, as well as a
subkey Ki derived from the overall K. In general, the subkeys Ki are different from K and
from each othe.

All rounds have the same structure. A substitution is performed on the left half of the data.
This is done by applying a round function F to the right half of the data and then taking the
exclusive-OR of the output of that function and the left half of the data. The round function
has the same general structure for each round but is parameterized by the round subkey Ki.

bphanikrishna.wordpress.com CSE Page 3

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Feistel Cipher structures

Permutation is performed that consists of the interchange of the two halves of the data. This
structure is a particular form of the substitution-permutation network (SPN) proposed by
Shannon.
Te exact realization of a Feistel network depends on the choice of the following parameters
and design features:
 Block size: Larger block sizes mean greater security (all other things being equal) but
reduced encryption/decryption speed for a given algorithm. The greater security is
achieved by greater diffusion. Traditionally, a block size of 64 bits has been
considered a reasonable tradeoff and was nearly universal in block cipher design.
However, the new AES uses a 128-bit block size.
 Key size: Larger key size means greater security but may decrease encryption/
decryption speed. The greater security is achieved by greater resistance to brute-force
attacks and greater confusion. Key sizes of 64 bits or less are now widely considered
to be inadequate, and 128 bits has become a common size.
 Number of rounds: The essence of the Feistel cipher is that a single round offers
inadequate security but that multiple rounds offer increasing security. A typical size is
16 rounds.
 Subkey generation algorithm: Greater complexity in this algorithm should lead to
greater difficulty of cryptanalysis.

bphanikrishna.wordpress.com CSE Page 4

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

 Round function F: Again, greater complexity generally means greater resistance to

cryptanalysis.

There are two other considerations in the design of a Feistel cipher:

 Fast software encryption/decryption: In many cases, encryption is embedded in
applications or utility functions in such a way as to preclude a hardware
implementation. Accordingly, the speed of execution of the algorithm becomes a
concern.
 Ease of analysis: Although we would like to make our algorithm as difficult as
possible to cryptanalyze, there is great benefit in making the algorithm easy to
analyze. That is, if the algorithm can be concisely and clearly explained, it is easier to
analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher
level of assurance as to its strength. DES, for example, does not have an easily
analyzed functionality.

bphanikrishna.wordpress.com CSE Page 5

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Data Encryption Standard (DES):

 DES is a Symmetric-key algorithm for the encryption of electronic data.

 DES originated at IBM in 1977 & was adopted by the U.S Department of Defence.
Now it is under the NIST (National Institute of Standard & Technology)
 Data Encryption Standard (DES) is a widely-used method of data encryption using a
private (secret) key
 DES applies a 56-bit key to each 64-bit block of data. The process can run in several
modes and involves 16 rounds or operations.

Inner workings of DES:

DES (and most of the other major symmetric ciphers) is based on a cipher known as the
Feistel block cipher. This was a block cipher developed by the IBM cryptography researcher
Horst Feistel in the early 70’s. It consists of a number of rounds where each round contains
bit-shuffling, non-linear substitutions (S-boxes) and exclusive OR operations. Most
symmetric encryption schemes today are based on this structure (known as a feistel network).

Overall structure

DES (and most of the other major symmetric ciphers) is based on a cipher known as the
Feistel block cipher.
Looking at the left-hand side of the figure, we can see that the processing of the plaintext
proceeds in three phases.
 First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the
bits to produce the permuted input.
 This is followed by a phase consisting of sixteen rounds of the same function, which
involves both permutation and substitution functions. The output of the last
(sixteenth) round consists of 64 bits that are a function of the input plaintext and the
key. The left and right halves of the output are swapped to produce the preoutput.
 Finally, the preoutput is passed through a permutation that is the inverse of the initial
permutation function, to produce the 64-bit cipher text. With the exception of the
initial and final permutations, DES has the exact structure of a Feistel cipher,

bphanikrishna.wordpress.com CSE Page 6

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

The right-hand portion of below shows the way in which the 56-bit key is used. Initially, the
key is passed through a permutation function. Then, for each of the sixteen rounds, a subkey
(Ki ) is produced by the combination of a left circular shift and a permutation. The
permutation function is the same for each round, but a different subkey is produced because
of the repeated shifts of the key bits.

Initial Permutation: The initial permutation and its inverse are defined by tables, as shown
in Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to
a table consists of 64 bits numbered from 1 to 64. The 64 entries in the permutation table
contain a permutation of the numbers from 1 to 64. Each entry in the permutation table
indicates the position of a numbered input bit in the output, which also consists of 64 bits.

bphanikrishna.wordpress.com CSE Page 7

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

To see that these two permutation functions are indeed the inverse of each other, consider the
following 64-bit input M:

Where Mi is a binary digit. Then the permutation X = (IP(M)) is as follows:

bphanikrishna.wordpress.com CSE Page 8

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

DETAILS OF SINGLE ROUND

Below figure shows the internal structure of a single round. Again, begin by focusing on the
left-hand side of the diagram. The left and right halves of each 64-bit intermediate value are
treated as separate 32-bit quantities, labeled L (left) and R (right). As in any classic Feistel
cipher, the overall processing at each round can be summarized in the following formulas:

bphanikrishna.wordpress.com CSE Page 9

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by
using a table that defines a permutation plus an expansion that involves duplication of 16 of
the R bits (Table 3.2c).The resulting 48 bits are XORed with K i . This 48-bit result passes
through a substitution function that produces a 32-bit output, which is permuted as defined by
Table 3.2d. The role of the S-boxes in the function F is illustrated in Figure 3.7.The
substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and
produces 4 bits as output. These transformations are defined in Table 3.3, which is interpreted
as follows : The first and last bits of the input to box Si form a 2-bit binary number to select
one of four substitutions defined by the four rows in the table for . The middle four bits select
one of the sixteen columns. The decimal value in the cell selected by the row and column is
then converted to its 4-bit representation to produce the output.

For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column
12).The value in row 1, column 12 is 9, so the output is 1001. Each row of an S-box defines a
general reversible substitution. Figure 3.2 may be useful in understanding the mapping. The
figure shows the substitution for row 0 of box S 1. The operation of the S-boxes is worth
further comment. Ignore for the moment the contribution of the key (Ki). If you examine the
expansion table, you see that the 32 bits of input are split into groups of 4 bits and then
become groups of 6 bits by taking the outer bits from the two adjacent groups. For example,
if part of the input word is
... efgh ijkl mnop ...
This becomes ... defghi hijklm lmnopq ...

The outer two bits of each group select one of four possible substitutions (one row of an S-
box). Then a 4-bit output value is substituted for the particular 4-bit input (the middle four
input bits). The 32-bit output from the eight S-boxes is then permuted, so that on the next
round, the output from each S-box immediately affects as many others as possible.

bphanikrishna.wordpress.com CSE Page 10

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Substitution Boxes S: Have eight S-boxes which map 6 to 4 bits. Each S-box is actually 4
little 4 bit boxes. Outer bits 1 & 6 (row bits) select one rows. inner bits 2-5 (col bits) are
substituted. Result is 8 lots of 4 bits, or 32 bits. Row selection depends on both data & key

KEY GENERATION Returning to above all figures, we see that a 64-bit key is used as
input to the algorithm.The bits of the key are numbered from 1 through 64; every eighth bit is
ignored, as indicated by the lack of shading in Table 3.4a.The key is first subjected to a
permutation governed by a table labeled Permuted Choice One (Table 3.4b)
The resulting 56-bit key is then treated as two 28-bit quantities, labelled C0 and D0. At each
round, Ci-1 and Di-1 are separately subjected to a circular left shift or (rotation) of 1 or 2 bits,
as governed by Table 3.4d.These shifted values serve as input to the next round. They also
serve as input to the part labeled Permuted Choice Two (Table 3.4c), which produces a 48-bit
output that serves as input to the Function F(Ri-1, Ki).

DES DECRYPTION:
Whatever process we following in the encryption that process is used for decryption also but
the order of key is changed on input message (cipher text).
Reverse order of keys are K16, K15 ,……, K1.

Strengths of DES:

The DES is a symmetric key block cipher which takes 64bits cipher text and 56 bit
key as an input and produce 64 bits cipher text as output.
The DES function is made up of P & S boxes
P-boxes transpose bits
S-boxes Substitution bits to generating the cipher text.

The use of 56bits keys: 56 bit key is used in encryption, there are 256 possible keys.
256=7.2×1016 keys, by this a brute force attack on such number of keys is impractical. A
machine performing one DES encryption per microsecond would take more than a thousand
years to break the cipher.

The nature of algorithm: Cryptanalyst can perform cryptanalysis by exploiting the

characteristic of DES algorithm but no one has succeeded in finding out the weakness. This is
possible because, in DES, they using 8-substitution tables or S-boxes in each iteration & one
P-box transition for the every individual iteration.

Avalanche Effect:
• key desirable property of an encryption algorithm
• where a change of one input or key bit results in changing approx half output bits
• making attempts to “home-in” by guessing keys impossible
• DES exhibits strong avalanche
Timing Attacks
• attacks actual implementation of cipher
• use knowledge of consequences of implementation to derive knowledge of some/all
subkey bits
• specifically use fact that calculations can take varying times depending on the value
of the inputs to it
• particularly problematic on smartcards
Analytic Attacks
• now have several analytic attacks on DES

bphanikrishna.wordpress.com CSE Page 11

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

• these utilize some deep structure of the cipher

– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis
– linear cryptanalysis
– related key attacks

Triple DES:

Multiple encryption is a technique in which an encryption algorithm is used multiple times.

In the first instance, plaintext is converted to ciphertext using the encryption algorithm. This
ciphertext is then used as input and the algorithm is applied again. This process may be
repeated through any number of stages.

Double DES:
The simplest form of multiple encryption has two encryption stages and two keys (Figure
4.la). Given a plaintext P and two encryption keys K, and K,, ciphertext C is generated as

Decryption requires that the keys be applied in reverse order:

For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, resulting in a
dramatic increase in cryptographic strength. But we need to examine the algorithm more
closely.
Reduction to A Single Stage: Suppose it were true for DES, for all 56-bit key values, that
given any two keys K1 and K2, it would be possible to find a key K3 such that

If this were the case, then double encryption, and indeed any number of stages of
multiple encryption with DES, would be useless because the result would be equivalent
to a single encryption with a single 56-bit key.

MEET-IN-THE-MIDDLE ATTACK Thus, the use of double DES results in a mapping that
is not equivalent to a single DES encryption. But there is a way to attack this scheme, one
that does not depend on any particular property of DES but that will work against any block
encryption cipher.
meet-in-the-middle attack is based on the observation that, if we have

bphanikrishna.wordpress.com CSE Page 12

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Given a known pair, (P, C) the attack proceeds as follows. First, encrypt for all 2 56 possible
values of K1. Store these results in a table and then sort the table by the values of .
Next, decrypt C using all 256 possible values of K2. As each decryption is produced, check the
result against the table for a match. If a match occurs, then test the two resulting keys against
a new known plaintext–ciphertext pair. If the two keys produce the correct ciphertext, accept
them as the correct keys.
For any given plaintext P, there are 2 64 possible ciphertext values that could be produced by
double DES. Double DES uses, in effect, a 112-bit key, so that there are 2 112 possible keys.
Therefore, on average, for a given plaintext , the number of different 112-bit keys that will
produce a given ciphertext C is 2112/ 264=248 Thus, the foregoing procedure will produce about
248 false alarms on the first (P, C)

Triple DES with Two Keys:

An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with
three different keys. This raises the cost of the meet-in-the-middle attack to 2112 bits, which
may be somewhat unwieldy.
As an alternative, Tuchman proposed a triple encryption method that uses only two keys
[TUCH79]. The function follows an encrypt-decrypt-encrypt (EDE) sequence

Triple DES with Three Keys :

Although the attacks just described appear impractical, anyone using two-key 3DES may feel
some concern. Thus, many researchers now feel that three-key 3DES is the preferred
alternative (e.g., [KALI96a]).Three-key 3DES has an effective key length of 168 bits and is
defined as

Backward compatibility with DES is provided by putting K3 = K2 or K1 = K2

A number of Internet-based applications have adopted three-key 3DES, including PGP and
S/MIME.

bphanikrishna.wordpress.com CSE Page 13

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Block Cipher Modes of Operation

Mode Description Typical Application

Electronic Codebook Each block of 64 plaintext bits is Secure transmission of

encoded independently using the same single values (e.g., an
(ECB) key. encryption key)

The input to the encryption algorithm General-purpose

Cipher Block Chaining is the XOR of the next 64 bits of blockoriented
(CBC) plaintext and the preceding 64 bits of Transmission
ciphertext Authentication

Input is processed bits at a time.

Preceding ciphertext is used as input General-purpose
Cipher Feedback to the encryption algorithm to produce streamoriented
(CFB) pseudorandom output, which is Transmission,
XORed with plaintext to produce next Authentication
unit of ciphertext

Input is processed bits at a time.

Preceding ciphertext is used as input Stream-oriented
Output Feedback to the encryption algorithm to produce transmission over noisy
(OFB) pseudorandom output, which is channel (e.g., satellite
XORed with plaintext to produce next communication)
unit of ciphertext

General-purpose
Each block of plaintext is XORed with blockoriented
an encrypted counter. The counter is
Counter (CTR) Transmission.
incremented for each subsequent
block. Useful for high-speed
requirements

bphanikrishna.wordpress.com CSE Page 14

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Electronic Codebook (ECB)

Message is broken into independent blocks which are encrypted

● Each block is encoded independently of the other blocks

Ci = DESK (Pi)

● Applications
– secure transmission of single values
– Databases (retrieval of single fields)

● Weakness - encrypted message blocks are independent

● Strength – in some applications the independence of message blocks is very useful
– Databases
– Parallelizing encryption / decryption

Cipher Block Chaining Mode

● Message is broken into blocks
● “Linked” together during encryption
● each previous cipher block is chained with current plaintext block
● Initial Vector (IV) used to start process
● Applications: bulk data encryption, authentication

● Each ciphertext block depends on all

message blocks
● A change in a message block affects
all ciphertext blocks after the change
(as well as the original block)
● Need Initial Value (IV) known to
sender & receiver

bphanikrishna.wordpress.com CSE Page 15

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

– however if IV is sent in the clear, an attacker can change bits of the first block, and change
IV to compensate
– hence either IV must be a fixed value - or it must be sent encrypted in ECB mode before
rest of message

Cipher Feedback Mode

● Message is treated as a
stream of bits
● Added to the output of the
block cipher
● Result is feed back for
next stage (hence name)
● Standard allows any
number of bit (1,8 or 64 or
whatever) to be feed back
– denoted CFB-1, CFB-8,
CFB-64 etc
● CFB-64 is used most often
(most efficient)
● Applications: stream data
encryption, authentication

● Appropriate when data arrives in bits/bytes

● Most common stream mode
● Block cipher is used in encryption mode at both ends!
● Errors propagate for several blocks after the error (depending on s)

bphanikrishna.wordpress.com CSE Page 16

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Output feedback mode:

● Message treated as a stream of bits

● Output of cipher is added to message
● Output is then fed back
● feedback is independent of message
● Applications: stream encryption over noisy channels

● Used when error feedback is a serious problem

● Superficially similar to CFB
– but feedback is from the output of cipher and is independent of message
● a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
● Sender and receiver must remain in sync, and some recovery method is needed to ensure
this occurs
● Originally specified with s-bit feedback in the standards
● Subsequent research has shown that only OFB-64 should be used

bphanikrishna.wordpress.com CSE Page 17

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

COUNTER MODE
● A “new” mode, though proposed in '79
● Similar to OFB but encrypts counter value rather than any feedback value
● Must have a different key & counter value for every plaintext block (never reused)
● Applications: high-speed network encryptions

● Efficiency
– can do parallel encryptions
– in advance of need
– good for bursty high speed links
● Random access to encrypted data blocks
● Provable security (good as other modes)
– must ensure key/counter values are not reused

bphanikrishna.wordpress.com CSE Page 18

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

IDEA (International Data Encryption Algorithm):

 The International Data Encryption Algorithm (IDEA) is a symmetric block cipher

developed by Xuejia Lai and James Massey of the Swiss Federal Institute of
Technology.
 IDEA originally called “IPES” (Improved proposed Encryption Standard).
 IDEA is one of a number of conventional encryption algorithms that have been
proposed in recent years to replace DES
 IDEA is one of the most successful of these proposals. For example, IDEA is included
in PGP.

Details of IDEA algorithm:

 IDEA operates with 64 bit plain text and cipher text blocks and is controlled b a 128
bit key.
 It avoids substitution boxes & lookup tables used in the block cipher.
 The algorithm structure has been chosen such that different key sub-blocks are used;
the encryption process is identical to the decryption process.

Encryption process in IDEA:

 The design principle behind IDEA is mixing of arithmetical operations form different
algebraic groups.
 The arithmetical operations are easily implemented both in hardware and software.
 The underling operations are
a. Exclusive-OR.
b. Addition of integers modulo 216
c. Multiplication modulo 210+1
 The algorithm structure has been chosen such that when different key sub-blocks are
used, the encryption process is identical to the decryption process
 The IDEA algorithm consists of eight rounds followed by a final transformation
function. The algorithm divides the input into four 16-bit subblocks. Each of the
rounds takes four 16-bit subblocks as input and produces four 16-bit output blocks.
The final transformation also produces four %-bit blocks, which are concatenated to
form the 64-bit ciphertext.
 Each of the rounds also makes use of six 16-bit subkeys, whereas the final
transformation uses four subkeys, for a total of 52 subkeys

bphanikrishna.wordpress.com CSE Page 19

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Key Expansion (Encryption):

The 128-bit key is expanded into 52 16-bit keys: K1, K2, ....K52. (in diagram we represented
these keys with Z1 to z52)
Step 1: Keys K1….K8 are generated by taking 8 chunks of 16-bits each
Step 2: Keys K9…K16 are generated by starting from the 25 th bit, wrapping around the first
25 bits at the end, and taking 16-bit chunks.
Step 3: Wrap around 25 more bits to the end, and generate keys K17…K24. This process is
repeated until all keys K1…K52 are generated

Details of a Single Round:

64 bit data is divided into 4 16bit data blocks. These 4 blocks are processed through 8 rounds
and transformed by the above arithmetical operations among each other and with 6 16 bit
subkeys.

bphanikrishna.wordpress.com CSE Page 20

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Blow fish:
 Blow fish is a symmetric block cipher developed by bruce schner in year 1993.
 Blow fish is designed to have following characteristics
 Speed: Blowfish encrypts data on 32 bit microprocessor at a rate of 18 clock
cycles per byte.
 Compact: it can run in less than 5k memory.
 Simple: very easy to implements.
 Variably secure: the key length is variable and can be as long as 448 bits. This
allows a trade off between higher speed and higher security.
 Blowfish is a feistal type model.

BLOWFISH ALGORITHM:

bphanikrishna.wordpress.com CSE Page 21

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

 Blowfish is feistel type model, iterating a simple encryption function 16 times.

 Blowfish block size is 64 & key can be upto 448 bits.
 Blow fish encryption 64bits blocks of plaintext into 64 bit block of cipher.
 Blow fish make use of a key that ranges from 32bits to 448 bits (one to
fourteen 32 bit keys).
 The keys are stored in a k-array (one to 14 32 bits)
K1,K2----Kj where 1≤ j ≤14.

 That key is used to generate 18 “32 bit” subkeys & four “8*32”bits S-boxes.
 The subkeys are stored in the p-array
P1,P2,-------P18
There are four s-boxes(each s-box size is 8*32 bits) each with 256 32bit entries.
S1,0, S1,1,-------------------S1,255
S2,0, S2,1,-------------------S2,255
S3,0, S3,1,-------------------S3,255
S4,0, S4,1,-------------------S4,255
The steps in generating the P-array & S-boxes as follows.

Step1 initialize first the P-array and then 4 s-boxes in order using the bits of fractional part
of the constant п.
Step 2 Perform a bitwise xor of the P-array & k-array, reusing words from the k-array as
needed.
Example P1=P1 K1, P1=P2 K2, -------- P14=P14 K14,
P15=P15 K1, P16=P1 K2, P17=P1 K3, P18=P1 K4,
Step 3 Encrypt the 64 bit block of all zeros using the current P & S-arrays, Replace P1&P2
with the output of the encryption.

Step 4 Encrypt the output of step 3 using the current P- and S-arrays and replace P3, and
P4, with the resulting ciphertext.

Step 5Continue this process to update all elements of P and then, in order, all elements of
S, using at each step the output of the continuously changing Blowfish algorithm.

The update process can be summarized as follows

Where Ep,s[Y] is the ciphertext produced by encrypting Y using Blowfish with the arrays S
and P.

bphanikrishna.wordpress.com CSE Page 22

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

 A total of 521 executions of the Blowfish encryption algorithm are required to

produce the final S- and P-arrays.
 Accordingly, Blowfish is not suitable for applications in which the secret key changes
frequently. Further, for rapid execution, the P- and S-arrays can be stored rather than
rederived from the key each time the algorithm is used.
 This requires over 4 kilobytes of memory. Thus, Blowfish is not appropriate for
applications with limited memory, such as smart cards.

Encryption and Decryption

Blowfish uses two primitive operations:
 Addition: Addition of words, denoted by +, is performed modulo 232.
 Bitwise exclusive-OR: This operation is denoted by

In the above figure the encryption operation. The plaintext is divided into two 32-bit halves
LE, and RE,. We use the variables LE, and RE, to refer to the left and right half of the data
after round i has completed. The algorithm can be defined by the following pseudocode:

The function F is shown in below Figure. The 32-bit input to F is divided into 4 bytes. If we
label those bytes a, b, c, and d, then the function can be defined as follows:

bphanikrishna.wordpress.com CSE Page 23

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Blowfish Decryption:
Blowfish decryption occurs in the same algorithmic direction as encryption. Rather
than the reverse. The algorithm can be defined as follows:

Advantages or features of blowfish:

 A brute-force attack is even more difficult than may be apparent from the key length
because of the time-consuming subkey-generation process. A total of 522 executions
of the encryption algorithm are required to test a single key.
 The function F gives Blowfish the best possible avalanche affect for a Feistel
network: In round i, every bit of Li-1, affects every bit of Ri-1. In addition . every
subkey bit is affected by every key bit. and therefore F has a perfect avalanche effect
between the key (P,) and the right half of the data (R,) after every round.
 Every bit of the input to F is only used as input to one S-box. In contrast. In DES,
many bits are used as inputs to two S-boxes. which strengthens the algorithm
considerably against differential attacks. Schneier felt that this added complexity was
not necessary with key-dependent S-boxes.
 Unlike in CAST, the function F in Blowfish is not round dependent. Schneier felt that
such dependency did not add any cryptographic merit, given that the P-array
substitution is already round dependent.

CAST-128

 In cryptography, CAST-128 (alternatively CAST5) is a symmetric-key block cipher.

 CAST-128, also known as CAST5
 This block cipher used in a number of products, notably as the default cipher in some
versions of GPG (GNU Privacy Guard ) and PGP (Pretty Good Privacy) systems.
 It has also been approved for Canadian government use by the Communications
Security Establishment.
 CAST-128 algorithm was created in 1996 by Carlisle Adams and Stafford Tavares.
The CAST name is based on the initials of its inventors

bphanikrishna.wordpress.com CSE Page 24

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

 CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key
size of between 40 to 128 bits (but only in 8-bit increments). The full 16 rounds are
used when the key size is longer than 80 bits.

CAST-128 Encryption
CAST-128 uses four primitive operations:
 Addition and subtraction: Addition of words, denoted by +, is performed modulo
232. The inverse operation, denoted by -, is subtraction modulo 232.
 Bitwise exclusive-OR: This operation is denoted by
 Left circular rotation: The cyclic rotation of word x left by y bits is denoted by x
<<< y.
The CAST-128 encryption algorithm can be defined by the following pseudocode. The
plaintext is divided into two 32-bit halves L0, and R0. We use the variables Li and Ri, to refer
to the left and right half of the data after round i has completed. The ciphertext is formed by
swapping the output of the sixteenth round; that is, the ciphertext is the concatenation of R16
and L16.

Decryption is the same as encryption, with the keys employed in reverse order. Figure 4.14
depicts the details of a single round. The F function includes the use of four 8 x 32 S-boxes,
the left circular rotation function, and four functions that vary depending on the round
number; we label these functions f1, f2,, f3,, and f4,. We use I to refer to the intermediate 32-
bit value after the left circular rotation function, and the labels Ia, Ib, Ic, and Id to refer to the
4 bytes of I, where Ia is the most significant and Id is the least significant. With these
conventions, F is defined as follows:

bphanikrishna.wordpress.com CSE Page 25

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

FEATURES OF CAST-128:
There are several notable features of CAST worthy of comment.,
CAST makes use of fixed S-boxes. The designers felt that fixed S-boxes with good
nonlinearity characteristics are preferable to random S-boxes as might be obtained if the S-
boxes were key dependent. The subkey-generation process used in CAST-128 is different
from that employed in other symmetric encryption algorithms described in the literature.
The
CAST designers were concerned to make subkeys as resistant to known cryptanalytic attacks
as possible and felt that the use of highly nonlinear S-boxes provided this strength. We have
seen other approaches with the same goal.
For example. Blowfish uses the encryption algorithm itself to generate the subkeys.

The function F is designed to have good confusion, diffusion. and avalanche properties. It
uses S-box substitutions, mod 2 addition and subtraction, exclusive- OR operations, and key-
dependent rotation.
The strength of the F function is based primarily on the strength of the S-boxes, but the
further use of these arithmetic. Boolean, and rotate operators adds to its strength. Finally, F is
not uniform from round to round, as was described. This dependence of F on round number
may provide.

ADVANCED ENCRYPTION STANDARD

 The Advanced Encryption Standard (AES) was published by the National Institute of
Standards and Technology (NIST) in 2001.
 AES is a block cipher intended to replace DES for commercial applications.
 It uses a 128-bit block size and a key size of 128, 192, or 256 bits.

bphanikrishna.wordpress.com CSE Page 26

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

 AES does not use a Feistel structure. Instead, each full round consists of four separate
functions: byte substitution, permutation, arithmetic operations over a finite field, and
XOR with a key.
AES parameters:
Key size(words/bytes/bits) 4/16/128 6/24/192 8/32/256

Plaintext block Size (words/bytes/bits) 4/16/128 4/16/128 4/16/128

Number of rounds 10 12 14

Round Key size (words/bytes/bits) 4/16/128 4/16/128 4/16/128

Expanded key size (words/bytes) 44/176 52/208 60/240

Inner Workings of a Round

The algorithm begins with an Add round key stage followed by 9 rounds of four stages and a
tenth round of three stages. This applies for both encryption and decryption with the
exception that each stage of a round the decryption algorithm is the inverse of it’s counterpart
in the encryption algorithm. The four stages are as follows:
1. Substitute bytes
2. Shift rows
3. Mix Columns
4. Add Round Key
The tenth round simply leaves out the Mix Columns stage. The first nine rounds of the
decryption algorithm consist of the following:
1. Inverse Shift rows
2. Inverse Substitute bytes
3. Inverse Add Round Key
4. Inverse Mix Columns

Again, the tenth round simply leaves out the Inverse Mix Columns stage. Each of these
stages will now be considered in more detail.

bphanikrishna.wordpress.com CSE Page 27

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Substitute Bytes
This stage (known as SubBytes) is simply a table lookup using a 16×16 matrix of byte values
called an s-box. This matrix consists of all the possible combinations of an 8 bit sequence (2 8
= 16 × 16 = 256). However, the s-box is not just a random permutation of these values and
there is a well defined method for creating the s-box tables. The designers of Rijndael showed
how this was done unlike the s-boxes in DES for which no rationale was given. We will not
be too concerned here how the s-boxes are made up and can simply take them as table
lookups.

bphanikrishna.wordpress.com CSE Page 28

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

Figure 7.2: Data structures in the AES algorithm.

Again the matrix that gets operated upon throughout the encryption is known as state. We
will be concerned with how this matrix is effected in each round. For this particular round
each byte is mapped into a new byte in the following way: the leftmost nibble of the byte is
used to specify a particular row of the s-box and the rightmost nibble specifies a column. For
example, the byte {95} (curly brackets represent hex values in FIPS PUB 197) selects row
9 column 5 which turns out to contain the value {2A}.
This is then used to update the state matrix. Figure 7.3 depicts this idea.

The Inverse substitute byte transformation (known as InvSubBytes) makes use of an inverse
s-box. In this case what is desired is to select the value {2A} and get the value {95}. Table
7.4 shows the two s-boxes and it can be verified that this is in fact the case.

The s-box is designed to be resistant to known cryptanalytic attacks. Specifically, the

Rijndael developers sought a design that has a low correlation between input bits and output
bits, and the property that the output cannot be described as a simple mathematical function
of the input. In addition, the s-box has no fixed points (s-box(a) = a) and no opposite fixed
points (s-box(a) = ) where is the bitwise compliment of a. The s-box must be

bphanikrishna.wordpress.com CSE Page 29

 Cryptography & Network Security @ Unit-2 [Secret Key Cryptography]

invertible if decryption is to be possible (Is-box[s-box(a)]= a) however it should not be its

self inverse i.e. s-box(a) ≠ Is-box(a)

bphanikrishna.wordpress.com CSE Page 30