Chapter 2 discusses symmetric encryption, focusing on block and stream ciphers. Block ciphers process data in fixed-size blocks and are characterized by their key dependency and reversible processes, with examples including AES and DES. Stream ciphers operate bit-by-bit and utilize keystreams for encryption, while various modes of operation enhance the security and efficiency of block ciphers.

Chapter 2

Symmetric Encryption

2/25/2025 DR. NILESH PATIL, DJSCE, MUMBAI 1


What is a Block Cipher?

A block cipher is a type of encryption algorithm that processes
data in fixed-size chunks called blocks. It transforms a plaintext
block of a specific size into a ciphertext block of the same size
using a secret key. Block ciphers are widely used in cryptography
for securing data in various applications, such as data
transmission, file encryption, and securing communication
protocols.

What is a Stream Cipher?
This method of encryption works bit-by-bit, utilizing keystreams to generate ciphertext for arbitrary lengths of plaintext
messages. The cipher combines a key (128/256 bits) and a nonce (64-128 bits) in order to generate the keystream,
a pseudorandom number XORed with the plaintext to generate the ciphertext.

The keystream must be different for each encryption iteration even though the key and nonce can be reused to
maintain security. In order to build the keystream, stream encryption ciphers generate a unique nonce (a number used
only once) utilizing feedback shift registers.

Since a mistake in the translation of one bit often does not affect the entire plaintext block, stream cipher encryption
algorithms are less likely to cause system-wide errors to spread. Additionally, stream encryption is linear and
continuous, making it easier and quicker to deploy.

Key Features of Block Ciphers:
• Fixed Block Size:
Operates on fixed-size blocks, e.g., 64-bit, 128-bit, or 256-bit. If the input data is larger or
smaller than the block size, it may need padding or splitting.
• Key Dependency:
The encryption and decryption processes depend on a secret key, making the ciphertext
secure as long as the key remains secret.
• Reversible Process:
Decryption reverses the encryption process to retrieve the original plaintext using the
same key.

Examples of Block Ciphers
•AES (Advanced Encryption Standard): Widely used, with block sizes of 128 bits.
•DES (Data Encryption Standard): An older standard with 64-bit block size, now
considered insecure.
•3DES (Triple DES): A more secure version of DES.
•Blowfish, Twofish, and RC5: Other examples of block ciphers.

Modes of Operation:
To encrypt larger messages, block ciphers use modes of operation, such as:
•ECB (Electronic Codebook): Encrypts each block independently (vulnerable to pattern
detection).
•CBC (Cipher Block Chaining): Each plaintext block is XORed with the previous
ciphertext block, making it more secure.
•CFB (Cipher Feedback) and OFB (Output Feedback): Turn block ciphers into stream
ciphers.
•CTR (Counter Mode): Uses a counter for encryption, providing parallelizability and
improved performance.

1. ECB (Electronic Codebook)
ECB (Electronic Codebook) is the simplest mode of operation for block ciphers. It
divides plaintext into fixed-size blocks and encrypts each block independently using the
same key. While easy to implement, ECB is rarely used in practice due to its significant
security weaknesses.

[Figure: How ECB Works?]


2. Cipher Block Chaining (CBC)
Cipher Block Chaining (CBC) is a mode of operation for block ciphers that improves
security by introducing dependency between blocks. Unlike the simpler ECB mode, CBC
ensures that the encryption of one block depends on the encryption of the previous
block, making it resistant to pattern detection.

[Figures: How CBC Works; Advantages; Disadvantages]


3. Cipher Feedback (CFB)
Cipher Feedback (CFB) is a mode of operation for block ciphers that turns them into
stream ciphers. It processes plaintext in smaller chunks than the block size (often bits or
bytes) and incorporates feedback from the ciphertext into the encryption process. This
feedback introduces dependency between blocks, improving security.

[Figures: How CFB Works?; Advantages; Disadvantages]


4. Output Feedback (OFB)
Output Feedback (OFB) is a mode of operation for block ciphers that transforms a
block cipher into a stream cipher, similar to CFB. However, unlike CFB, the feedback in
OFB comes from the cipher's output rather than the ciphertext. This eliminates error
propagation and makes it suitable for applications requiring high error tolerance.

[Figures: How it Works?; Advantages; Disadvantages]


5. Counter Mode
Counter Mode (CTR) is a mode of operation for block ciphers that
transforms them into a stream cipher. It is widely used because of its
efficiency, parallelizability, and ability to handle plaintext of any length. In
CTR mode, encryption and decryption are based on a counter value that
is incremented for each block of plaintext or ciphertext.

[Figure: Counter Mode]


How Counter Mode Works?
CTR mode works by generating a keystream from the block cipher and a counter, then
XORing the keystream with the plaintext to produce ciphertext (or with ciphertext to
recover plaintext).
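
The keystream construction described above, as an added example that is not part of the original slides. It shows that encryption and decryption are the same operation, that any block can be processed on its own, and that reusing a nonce under one key exposes the XOR of the two plaintexts. Assumptions: HMAC-SHA-256 truncated to 16 bytes stands in for the block cipher (CTR only needs the forward direction), and the 8-byte nonce plus 8-byte counter layout, key and messages are constructed for the example.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block, the AES block size


def block_encrypt(key, block):
    """Stand-in for the block cipher E_K (assumption of this example, not AES).

    CTR only calls the cipher in the forward direction, so a keyed PRF
    (HMAC-SHA-256 truncated to one block) is enough to show the structure.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_xcrypt(key, nonce, data, first_block=0):
    """Encrypt or decrypt: data XOR E_K(nonce || counter), block by block."""
    if len(nonce) != 8:
        raise ValueError("this example uses an 8-byte nonce and 8-byte counter")
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        counter = first_block + off // BLOCK
        keystream = block_encrypt(key, nonce + counter.to_bytes(8, "big"))
        # A short final block just uses fewer keystream bytes: no padding.
        out += xor_bytes(data[off:off + BLOCK], keystream)
    return bytes(out)


def demo():
    key = b"constructed demo key"              # constructed sample values
    nonce = b"\x00" * 7 + b"\x01"
    msg = b"SAME 16B BLOCK.." * 3 + b"tail"   # three identical blocks + tail
    ct = ctr_xcrypt(key, nonce, msg)

    # Identical plaintext blocks get different keystream blocks.
    ct_blocks = {ct[i:i + BLOCK] for i in range(0, 3 * BLOCK, BLOCK)}

    # Random access: decrypt only the third block by starting the counter at 2.
    third = ctr_xcrypt(key, nonce, ct[2 * BLOCK:3 * BLOCK], first_block=2)

    # Caveat: same key and same nonce means same keystream, so the keystream
    # cancels and the XOR of the ciphertexts equals the XOR of the plaintexts.
    other = bytes(range(len(msg)))
    ct_other = ctr_xcrypt(key, nonce, other)

    return {
        "roundtrip": ctr_xcrypt(key, nonce, ct) == msg,
        "same_length": len(ct) == len(msg),
        "distinct_ct_blocks": len(ct_blocks),
        "random_access_ok": third == msg[2 * BLOCK:3 * BLOCK],
        "nonce_reuse_leaks_xor": xor_bytes(ct, ct_other) == xor_bytes(msg, other),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
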

Feistel Cipher Structure

[Figure: Feistel Cipher]


The Feistel Cipher
The modern block cipher was invented by Horst Feistel, around 1973. At the time, he
was working for IBM.
◦ Based on the concept of a product cipher, which uses two or more basic ciphers in sequence in
such a way that the combined result is cryptographically stronger than any of the component
ciphers.
◦ In particular, Feistel proposed a cipher that alternates substitutions and permutations. This
is a practical implementation of Shannon's confusion and diffusion principles.
◦ So successful are diffusion and confusion, that they have become the cornerstone of modern
block cipher design.

The Feistel Network
The inputs to a Feistel Network are:
◦ A plaintext block of length n bits (n is even)
◦ A key K of m bits

The plaintext is divided into 2 parts, L and R.

The two halves pass through n rounds of processing, and finally combine to produce the
ciphertext.

The key, K, is used to generate n subkeys, Ki, each of which is used in a round.

The subkeys are distinct from each other and from the original key, K.

The Feistel Network
A Feistel Network is an iterated block cipher, where the output of the ith round is
determined from the output of the (i-1)th round:

$$L_i = R_{i-1}$$
$$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$$

where $K_i$ is the subkey used in the ith round, and $f$ is an arbitrary round function.

Because XOR is used to combine the left half with the output of the round function, the
operation is reversible:

$$L_{i-1} \oplus f(R_{i-1}, K_i) \oplus f(R_{i-1}, K_i) = L_{i-1}$$
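
The round equations above, as an added example that is not part of the original slides. It shows that the network decrypts correctly even though the round function f is a one-way hash that is never inverted. Assumptions: the SHA-256 based round function and key schedule are constructed for illustration and are not those of DES or any real cipher.

```python
import hashlib


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def f(right, subkey):
    """Round function f(R, K_i). A hash is one-way: f is never inverted."""
    return hashlib.sha256(subkey + right).digest()[:len(right)]


def subkeys(key, rounds):
    """Toy key schedule (assumption): one distinct subkey K_i per round."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def split(block):
    """Divide the block into the two halves L and R."""
    if len(block) % 2 or not 2 <= len(block) <= 64:
        raise ValueError("block must have an even length of 2..64 bytes")
    half = len(block) // 2
    return block[:half], block[half:]


def round_forward(left, right, k):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    return right, xor(left, f(right, k))


def round_inverse(left, right, k):
    """Recover (L_{i-1}, R_{i-1}) from (L_i, R_i).

    R_{i-1} is simply L_i, so f(R_{i-1}, K_i) can be recomputed and XORed
    out of R_i. Only the forward direction of f is used.
    """
    return xor(right, f(left, k)), left


def feistel_encrypt(block, key, rounds=16):
    left, right = split(block)
    for k in subkeys(key, rounds):
        left, right = round_forward(left, right, k)
    return left + right


def feistel_decrypt(block, key, rounds=16):
    left, right = split(block)
    for k in reversed(subkeys(key, rounds)):   # subkeys in reverse order
        left, right = round_inverse(left, right, k)
    return left + right


if __name__ == "__main__":
    pt = b"16-byte block!!!"                   # constructed sample block
    ct = feistel_encrypt(pt, b"demo key")
    print(ct.hex())
    print(feistel_decrypt(ct, b"demo key"))
```
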

The Feistel Network
Implementations of a Feistel Network depend on a number of parameters:
◦ Block size
  ◦ Larger block sizes provide greater security, but reduced performance.
  ◦ Block sizes of 64 bits or, more recently, 128 bits are reasonable
◦ Key size
  ◦ Larger key sizes provide greater security, but may reduce performance
  ◦ Key sizes of 64 bits are now considered to be inadequate;
    128 bits is now more common; 256 bits is better.
◦ Number of rounds
  ◦ The more rounds, the more security
  ◦ 16 rounds is typical
◦ Subkey generation
  ◦ More complexity in how subkeys are generated from the input key provides
    greater security
◦ Round function
  ◦ Greater complexity yields greater resistance to cryptanalysis

Data Encryption Standard (DES) Algorithm
DES (also called the Data Encryption Algorithm, DEA) is the most widely used
encryption scheme
◦ In 1973, the National Bureau of Standards (NBS), now called the National Institute of
Standards and Technology (NIST), issued a request for proposals for a national cipher
standard.
◦ IBM submitted a proposal based on Horst Feistel's work, known as Lucifer. It was adopted,
with some modifications influenced by the National Security Agency (NSA).
◦ DES is a Feistel block cipher which operates on 64-bit blocks.
◦ Lucifer originally used a key size of 128 bits, but DES reduced this to 56 bits*
(causing lots of controversy and suspicion of NSA's involvement)

DES Overview
DES is a block cipher.

The Data Encryption Standard (DES)

There are 3 phases:
1. An initial permutation (IP)
2. 16 rounds of the same function, involving permutation and substitution functions
3. A final permutation ($IP^{-1}$), which is the inverse of the initial permutation function

[Figure: DES General Structure]


Initial and Final Permutations
• Each of these permutations takes a 64-bit input
and permutes them according to a predefined
rule.
• We have shown only a few input ports and the
corresponding output ports.
• These permutations are keyless straight
permutations that are the inverse of each other.
• For example, in the initial permutation, the 58th
bit in the input becomes the first bit in the output.
• Similarly, in the final permutation, the first bit in
the input becomes the 58th bit in the output.
• In other words, if the rounds between these two
permutations do not exist, the 58th bit entering
the initial permutation is the same as the 58th bit
leaving the final permutation.

Initial and final permutation tables
The permutation rules for these P-boxes are shown in Table. Each side of the table can be
thought of as a 64-element array. Note that, as with any permutation table, the value of each
element defines the input port number, and the order (index) of the element defines the
output port number.

Find the output of the initial permutation box when the input is given in hexadecimal as:
0x0002 0000 0000 0001

Solution
Binary: 0000000000000010 0000000000000000 0000000000000000 0000000000000001
The input has only two 1s (bit 15 and bit 64); the output must also have only two 1s (the nature of
straight permutation).
Using Table, we can find the output related to these two bits.
Bit 15 in the input becomes bit 63 in the output. Bit 64 in the input becomes bit 25 in the output.
So the output has only two 1s, bit 25 and bit 63.
0000000000000000 0000000010000000 0000000000000000 0000000000000010
The result in hexadecimal is 0x0000 0080 0000 0002

DES Internal Rounds (16)
DES Uses 16 Rounds. Each round of DES is a Feistel Cipher.

[Figure: A round in DES (encryption site)]

DES Function
The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost
32 bits to produce a 32-bit output.

[Figure: DES function]

DES – Expansion P Box
Since $R_{I-1}$ is a 32-bit input and $K_I$ is a 48-bit key, we first need to expand $R_{I-1}$ to 48 bits.

[Figure: DES expansion permutation]

DES – Expansion P Box
Although the relationship between the input and output can be defined mathematically,
DES uses Table 6.2 to define this P-box.

[Table: DES expansion P-box]

DES – Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right
section and the round key. Note that both the right section and the key are 48 bits in
length. Also note that the round key is used only in this operation.

DES – S Box Substitution
S-Boxes

The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input
and a 4-bit output. See Figure 6.7.

Table shows the permutation for S-box 1. For the rest of the boxes see the textbook.

The input to S-box 1 is 100011. What is the output?

Solution
If we write the first and the sixth bits together, we get 11 in binary, which is
3 in decimal. The remaining bits are 0001 in binary, which is 1 in decimal.
We look for the value in row 3, column 1, in (S-box 1). The result is 12 in
decimal, which in binary is 1100. So the input 100011 yields the output 1100.

DES – Straight P Box Permutation

[Table: Straight permutation table]

DES – Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key.

DES – Key Generation – Parity Drop
[Tables: Parity-bit drop table; Number of bits shifts]

DES – Key Generation – Compression P Box
[Table: Compression Pbox-1]

DES – Analysis
Critics have used a strong magnifier to analyze DES. Tests have been done to measure the strength of
some desired properties in a block cipher.

Topics discussed in this section:
1. Properties
2. Design Criteria
3. DES Weaknesses

DES – Properties
Two desired properties of a block cipher are the avalanche effect and the
completeness.

Example
To check the avalanche effect in DES, let us encrypt two plaintext blocks (with the same key)
that differ only in one bit and observe the differences in the number of bits in each round.

DES – Design Criteria
S-Boxes
The design provides confusion and diffusion of bits from each round to the next.
P-Boxes
They provide diffusion of bits.

Number of Rounds
DES uses sixteen rounds of Feistel ciphers. The ciphertext is thoroughly a random
function of plaintext and ciphertext.

DES – Weaknesses
During the last few years researchers found significant weaknesses in DES.

Weaknesses in the Cipher Design

1. Weaknesses in S-boxes
2. Weaknesses in P-boxes
3. Weaknesses in Key

DES – Weaknesses
Let us try the first weak key in Table to encrypt a block two times. After two encryptions with
the same key the original plaintext block is created. Note that we have used the encryption
algorithm two times, not one encryption followed by another decryption.

Multiple DES
The major criticism of DES regards its key length. We can explore the usage
of double or triple DES to increase the key size.

Topics discussed in this section:
Double DES
Triple DES

[Figure: Double and Triple DES]

Double DES(2DES) Introduction
A cryptographic algorithm that applies the Data Encryption Standard (DES)
encryption process twice.
Double DES is an encryption approach which uses two instances of DES on the same
plaintext. Each instance uses a different key to encrypt the plaintext.

Double DES Encryption Process

Encryption: C = E(K2, (E(K1, P))), P: Plaintext, C: Ciphertext, K1: First key, K2: Second key

Double DES Decryption Process

Decryption: P = D(K1, (D(K2, C))), P: Plaintext, C: Ciphertext, K2: First key, K1: Second key

Key Space in Double DES
Total key space: $2^{2n}$, where n is the key size in bits.
Example: With 56-bit keys, the total key space is $2^{112}$.

Meet-in-the-Middle Attack Overview
•The Meet-in-the-Middle attack is a chosen plaintext attack, which means the attacker
deliberately chooses certain plaintext-ciphertext pairs to analyse and exploit weaknesses in the
encryption scheme.
•It's important to understand that in a real-world scenario, an attacker might not have access to the
exact plaintext and ciphertext pair but could infer patterns or characteristics of the plaintext based
on the context or known data.
•Meet-in-the-Middle attacks are particularly useful when dealing with multiple rounds of
encryption, as in the case of Double DES.
•The attack takes advantage of the fact that the attacker knows the outcome of the intermediate
encryption and decryption steps, allowing them to identify potential key pairs more efficiently
than a brute-force search.

Meet-in-the-Middle Attack on Double DES
The attacker, knowing a plaintext and its corresponding ciphertext (P and C),
performs a precomputation step.

The attacker encrypts the plaintext P with all possible values of K1, storing the
intermediate results in a table (T1):
T1 = {E(K1, P) for all K1}

Similarly, the attacker decrypts the known ciphertext C with all possible values of
K2, storing the results in another table (T2):
T2 = {D(K2, C) for all K2}

Meet-in-the-Middle Attack on Double DES

Encryption Side:                    Decryption Side:

Plaintext  Key  Ciphertext          Ciphertext  Key  Plaintext
Hello      00   Pqrst               Poiuy       00   988bc
Hello      01   Asdfg               Poiuy       01   bngtd
Hello      10   Lkjhg               Poiuy       10   Asdfg
Hello      11   Qwert               Poiuy       11   ;lhmg

Matching Intermediate Results
• The attacker then looks for a match between the entries in T1 and T2.
• If there is a match between E(K1, P) and D(K2, C), it means that the attacker has found
potential pairs of keys (K1, K2) that could have produced the observed ciphertext.

In the example tables, the value Asdfg appears on both sides: on the encryption side
with key 01 and on the decryption side with key 10. The matching entries give:

Key 1 (K1): 01
Key 2 (K2): 10

Decrypting with Potential Keys
The attacker can then try decrypting the ciphertext with each potential key pair (K1, K2)
until the original plaintext is obtained.
The correct key pair will yield the original plaintext, allowing the attacker to recover the
encryption keys used in the Double DES process.
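
The table-matching procedure from the preceding slides, as an added example that is not part of the original slides. It counts cipher operations to show why a second key adds about one bit of work rather than doubling the key length: with n-bit keys the tables cost 2 x 2^n operations, not 2^(2n). Assumptions: the 24-bit toy cipher with 10-bit keys is constructed for this example and is not DES; the keys and plaintexts are constructed sample values.

```python
KEY_BITS = 10                      # toy key size n (DES uses n = 56)
MASK = (1 << 24) - 1               # toy 24-bit block
MULT = 0x9E3779                    # odd constant, invertible modulo 2**24
MULT_INV = pow(MULT, -1, 1 << 24)


def toy_encrypt(key, block):
    """Constructed toy block cipher E(K, P). Not DES and not secure."""
    x = block
    for r in range(3):
        x = (x + key * 0x3F1 + r) & MASK
        x = (x * MULT) & MASK
        x ^= x >> 11
    return x


def toy_decrypt(key, block):
    """D(K, C): undo the three rounds of toy_encrypt in reverse order."""
    x = block
    for r in reversed(range(3)):
        x ^= (x >> 11) ^ (x >> 22)
        x = (x * MULT_INV) & MASK
        x = (x - key * 0x3F1 - r) & MASK
    return x


def double_encrypt(k1, k2, p):
    """C = E(K2, E(K1, P)), as on the Double DES encryption slide."""
    return toy_encrypt(k2, toy_encrypt(k1, p))


def meet_in_the_middle(pairs):
    """Return (candidate key pairs, number of single-cipher operations)."""
    p0, c0 = pairs[0]
    ops = 0
    t1 = {}                                    # T1: E(K1, P) -> [K1, ...]
    for k1 in range(1 << KEY_BITS):
        t1.setdefault(toy_encrypt(k1, p0), []).append(k1)
        ops += 1
    candidates = []
    for k2 in range(1 << KEY_BITS):            # T2 is streamed, not stored
        mid = toy_decrypt(k2, c0)
        ops += 1
        for k1 in t1.get(mid, ()):
            # A match on one pair can be a coincidence; confirm on the others.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, ops


def demo():
    k1, k2 = 0x2A7, 0x19C                      # constructed secret keys
    plaintexts = [0x48656C, 0x6C6F21, 0x123456]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    candidates, ops = meet_in_the_middle(pairs)
    return (k1, k2), candidates, ops


if __name__ == "__main__":
    secret, candidates, ops = demo()
    print("candidates:", [(hex(a), hex(b)) for a, b in candidates])
    print("table operations:", ops, "vs exhaustive pairs:", 1 << (2 * KEY_BITS))
```
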

Effective Key Space Reduction
The effective key size of Double DES is reduced from $2^{2n}$ to $2^n + 2^n$, where n is the key
size in bits. For example, if each key is 56 bits, the effective key size becomes $2^{56}$ and
$2^{56}$ bits instead of the expected $2^{112}$.

[Figure: Multiple DES – Double DES – Meet in the Middle Attack (Summary)]

Triple DES (3DES) Introduction
The speed of exhaustive key searches against DES after 1990 began to cause
discomfort amongst users of DES. However, users did not want to replace DES as it
takes an enormous amount of time and money to change encryption algorithms that are
widely adopted and embedded in large security architectures.
The pragmatic approach was not to abandon the DES completely, but to change the
manner in which DES is used.
This led to the modified schemes of Triple DES (sometimes known as 3DES).
Incidentally, there are two variants of Triple DES known as:
3-key Triple DES (3TDES) and 2-key Triple DES (2TDES).

Multiple DES – Triple DES with 3 Keys
Triple DES with Three Keys
The possibility of known-plaintext attacks on triple DES with two keys has
enticed some applications to use triple DES with three keys. Triple DES with
three keys is used by many applications such as PGP (we will see in Module 5).

[Figure: Multiple DES – Triple DES with 2 keys]

Security of DES
DES, as the first important block cipher, has gone through much scrutiny.
Among the attempted attacks, three are of interest:
• brute-force,
• differential cryptanalysis, and
• linear cryptanalysis.

Security of DES – Brute Force Attacks
We have discussed the weakness of short cipher key in DES. Combining this
weakness with the key complement weakness, it is clear that DES can be
broken using $2^{55}$ encryptions.

Normally, to brute-force a 56-bit DES key, one would have to try $2^{56}$ possible
keys. However, because of the key complement property, for every key K, there
is a corresponding complement key $\bar{K}$ that produces a predictable relationship
between ciphertexts. As a result, we only need to test $2^{55}$ keys instead of $2^{56}$.

Security of DES – Differential Cryptanalysis
Differential Cryptanalysis is a cryptographic attack technique that targets block ciphers like DES
(Data Encryption Standard). It is a chosen-plaintext attack, meaning the attacker needs access to
the encryption of specific plaintext pairs. The goal is to exploit patterns in how differences in
plaintext propagate through the cipher and ultimately reveal the secret key.

Core Idea:
• Differential cryptanalysis studies how differences in plaintext pairs influence differences in the
corresponding ciphertext pairs after being processed through multiple rounds of the cipher.
• The goal is to analyze these differences to deduce information about the secret key.

Security of DES – Linear Cryptanalysis
Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to
linear cryptanalysis than to differential cryptanalysis. S-boxes are not very resistant to linear
cryptanalysis. It has been shown that DES can be broken using $2^{43}$ pairs of known plaintexts.
However, from the practical point of view, finding so many pairs is very unlikely.

Core Idea:
• Linear cryptanalysis attempts to approximate the behavior of a cipher using linear
equations. It analyzes the probability that certain linear combinations of plaintext bits,
ciphertext bits, and key bits hold true.
• By gathering statistical data over many plaintext-ciphertext pairs, the attacker can
deduce bits of the secret key.

Advanced Encryption Standard

Overall Block Diagram

1. The cipher takes a plaintext block size of 128 bits, or 16 bytes.
2. The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits).
3. The algorithm is referred to as AES-128, AES-192, or AES-256,
depending on the key length.
4. The input to the encryption and decryption algorithms is a
single 128-bit block.

5. This block is depicted as a 4 × 4 square matrix of bytes.
6. This block is copied into the State array, which is modified at
each stage of encryption or decryption.
7. After the final stage, State is copied to an output matrix.
8. Similarly, the key is depicted as a square matrix of bytes.

9. This key is then expanded into an array of key schedule words.
10. Each word is four bytes, and the total key schedule is 44 words
for the 128-bit key.
11. The cipher consists of N rounds, where the number of rounds
depends on the key length: 10 rounds for a 16-byte key, 12
rounds for a 24-byte key, and 14 rounds for a 32-byte key.
12. The first N - 1 rounds consist of four distinct transformation
functions: SubBytes, ShiftRows, MixColumns, and
AddRoundKey, which are described subsequently.
13. The final round contains only three transformations, and there is
an initial single transformation (AddRoundKey) before the first
round, which can be considered Round 0.

[Figure: Overall Block Diagram]

[Figure: Internal Block Diagram]

[Figure: How the Key for each round is obtained?]

[Figure: Operations in a Single AES Round]

Detailed AES Round
Four different stages are used, one of permutation and three of substitution:
1. Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
2. ShiftRows: A simple permutation
3. MixColumns: A substitution that makes use of arithmetic over GF (2^8)
4. AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key

Detailed AES Round
•The structure is quite simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each includes all four stages, followed by
a tenth round of three stages.
•Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns
stages, an inverse function is used in the decryption algorithm.
•For the AddRoundKey stage, the inverse is achieved by XORing the same round key to the
block.
•As with most block ciphers, the decryption algorithm makes use of the expanded key in
reverse order

1. Substitute Bytes
• The forward substitute byte transformation, called SubBytes, is a simple table lookup.
AES defines a 16 × 16 matrix of byte values, called an S-box, that contains a
permutation of all possible 256 8-bit values.
• Each individual byte of State is mapped into a new byte in the following way: The
leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used
as a column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit
output value.
• For example, the hexadecimal value {95} references row 9, column 5 of the S-box,
which contains the value {2A}. Accordingly, the value {95} is mapped into the value {2A}.

2. Shift Rows
•The first row of State is not altered. For the second row, a 1-byte circular left shift is performed.
•For the third row, a 2-byte circular left shift is performed.
•For the fourth row, a 3-byte circular left shift is performed. The following is an example of ShiftRows.
•The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite
direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on.

3. Mix Column Transformation
The forward mix column transformation, called MixColumns, operates on each column
individually. Each byte of a column is mapped into a new value that is a function of all four bytes
in that column. The transformation can be defined by the following matrix multiplication on State

Each element in the product matrix is the sum of products of elements of one row and one
column. In this case, the individual additions and multiplications are performed in GF (2^8). The
MixColumns transformation on a single column of State can be expressed as

The multiplication mentioned above is performed over a Galois
Field. Let us see how the multiplication is performed with the
help of lookup tables, the E-Table and the L-Table.
For example, if the two hex values being multiplied are AF * 8,
we first look up L(AF), which returns B7, then look up L(08),
which returns 4B. We then simply add these 2 numbers, B7 and
4B, to obtain 102 (hex).
Hex 102 = 258 in decimal, which is greater than FF, i.e. 255, so we
subtract 255 from it and get the result as 03 in hex.
Now look up 03 in the E-Table, i.e. E(03), which gives 0F. Therefore the
result of multiplying AF * 8 over the Galois Field GF(2^8) is 0F.
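
The table-based multiplication above, reproduced in code and cross-checked against direct shift-and-reduce multiplication; this is an added example, not part of the original slides. It generates the L and E tables from the generator {03} and the AES reduction polynomial 0x11B, then applies the multiplication to one MixColumns column. Assumptions: the function names are chosen here, the MixColumns matrix is the standard AES one (it is not reproduced in the text above), and the sample column is a constructed test input.

```python
def xtime(a):
    """Multiply by {02} in GF(2^8): shift left, reduce by x^8+x^4+x^3+x+1."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a


def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8), used to check the tables."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def build_tables():
    """E[i] = {03}^i (antilog table) and L[x] = i such that {03}^i = x."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i] = x
        log[x] = i
        x = gf_mul(x, 3)
    exp[255] = exp[0]          # exponents wrap around modulo 255
    return exp, log


E, L = build_tables()


def gf_mul_tables(a, b):
    """Multiply as on the slide: add the logs, subtract 255 if above FF."""
    if a == 0 or b == 0:
        return 0               # zero has no logarithm
    s = L[a] + L[b]
    if s > 0xFF:
        s -= 255
    return E[s]


# Standard AES MixColumns matrix (each row is a rotation of 02 03 01 01).
MIX = [
    [2, 3, 1, 1],
    [1, 2, 3, 1],
    [1, 1, 2, 3],
    [3, 1, 1, 2],
]


def mix_column(col):
    """Each output byte is a GF(2^8) sum of products over all four bytes."""
    out = []
    for row in MIX:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul_tables(coeff, byte)   # addition in GF(2^8) is XOR
        out.append(acc)
    return out


if __name__ == "__main__":
    print(f"L(AF)={L[0xAF]:02X} L(08)={L[0x08]:02X} E(03)={E[0x03]:02X}")
    print(f"AF * 08 = {gf_mul_tables(0xAF, 0x08):02X}")
    print([f"{b:02X}" for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
```
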

4. Add Round Key
• In the forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key.
• The first matrix is State, and the second matrix is the round key. The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.
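
ShiftRows, InvShiftRows and AddRoundKey on a flat 16-byte State, as an added Python example (not part of the original slides). It assumes the standard AES column-major layout, where byte index r + 4c holds row r, column c; the State and round-key values are constructed.

```python
# Added example (not from the slides). State is 16 bytes in column-major
# order: index r + 4*c is row r, column c.

def shift_rows(state):
    """Rotate row r left by r bytes; row 0 is unchanged."""
    return bytes(state[r + 4 * ((c + r) % 4)]
                 for c in range(4) for r in range(4))

def inv_shift_rows(state):
    """Rotate row r right by r bytes, undoing shift_rows."""
    return bytes(state[r + 4 * ((c - r) % 4)]
                 for c in range(4) for r in range(4))

def add_round_key(state, round_key):
    """Bitwise XOR of the 128-bit State with the 128-bit round key."""
    if len(state) != 16 or len(round_key) != 16:
        raise ValueError("State and round key must both be 16 bytes")
    return bytes(s ^ k for s, k in zip(state, round_key))

def rows(state):
    """Return the State as four rows of hex strings, for display."""
    return [" ".join(f"{b:02x}" for b in state[r::4]) for r in range(4)]

if __name__ == "__main__":
    state = bytes(range(16))                 # constructed State 00..0f
    key = bytes(range(0xF0, 0x100))          # constructed round key f0..ff
    shifted = shift_rows(state)
    for before, after in zip(rows(state), rows(shifted)):
        print(before, "->", after)
    # Both inverses restore the original State.
    assert inv_shift_rows(shifted) == state
    assert add_round_key(add_round_key(state, key), key) == state
```
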

Conclusion
• The Mix Column transformation stage happens till the (N-1)th Round. It is not performed in the Nth Round.

• The output of the Nth Round is the final Ciphertext.

Solved Example on AES

B7 XOR 01 = 1011 0111 XOR 0000 0001 = 1011 0110 = B6

w[0]
g(w[3])
B6 5A 9D 85
