You are on page 1of 91


8th SEM E&C


Assistant Professor – Dept of E&CE


B.G Nagara, Nagamangala Tq, Mandya District- 571448




UNIT - 2
SYMMETRIC CIPHERS: Symmetric Cipher Model, Substitution Techniques,
Transposition Techniques, Simplified DES, Data encryption standard (DES), The strength of
DES, Differential and Linear Cryptanalysis, Block Cipher Design Principles and Modes of
Operation, Evaluation Criteria for Advanced Encryption Standard, The AES Cipher.

1. Cryptography and Network Security, William Stalling, Pearson Education, 2003.

1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.
2. Cryptography and Network Security, Atul Kahate, TMH, 2003.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 1


UNIT - 2
SYMMETRIC CIPHERS: Symmetric Cipher Model, Substitution Techniques,
Transposition Techniques, Simplified DES, Data encryption standard (DES), The strength of
DES, Differential and Linear Cryptanalysis, Block Cipher Design Principles and Modes of
Operation, Evaluation Criteria for Advanced Encryption Standard, The AES Cipher.


 An original message is known as the plaintext.

 The coded message is called the cipher text.
 The process of converting from plaintext to cipher text is known as enciphering or
 Restoring the plaintext from the cipher text is deciphering or decryption.
 The many schemes used for encryption constitute the area of study known as
cryptography. Such a scheme is known as a cryptographic system or a cipher.
 Techniques used for deciphering a message without any knowledge of the enciphering
details fall into the area of cryptanalysis.
 The areas of cryptography and cryptanalysis together are called cryptology.


Figure 1: Simplified Model of Symmetric Encryption

A symmetric encryption scheme has five ingredients (Figure .1):

 Plaintext: This is the original intelligible message or data that is fed into the
algorithm as input.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 2


 Encryption algorithm: The encryption algorithm performs various substitutions and

transformations on the plaintext.
 Secret key: The secret key is also input to the encryption algorithm. The key is a
value independent of the plaintext and of the algorithm. The algorithm will produce a
different output depending on the specific key being used at the time. The exact
substitutions and transformations performed by the algorithm depend on the key.
 Cipher text: This is the scrambled message produced as output. It depends on the
plaintext and the secret key. For a given message, two different keys will produce two
different cipher texts. The cipher text is an apparently random stream of data and, as it
stands, is unintelligible.
 Decryption algorithm: This is essentially the encryption algorithm run in reverse. It
takes the cipher text and the secret key and produces the original plaintext.
 Encryption Requirements: There are two requirements for secure use of
conventional encryption
1. The encryption algorithm must be strong.
 At a minimum, an opponent who knows the algorithm and has access to one or
more cipher texts would be unable to decipher the cipher text or figure out the
 In a stronger form, the opponent should be unable to decrypt cipher text or
discover the key even if he or she has a number of cipher texts together with
the plaintext for each cipher text.
2. Sender and receiver must have obtained copies of the secret key in a secure
fashion and must keep the key secure. If someone can discover the key and knows
the algorithm, all communication using this key is readable.

We assume that it is impractical to decrypt a message on the basis of the Cipher text plus
knowledge of the encryption/decryption algorithm. In other words, we do not need to keep
the algorithm secret; we need to keep only the key secret.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 3



The essential elements of a symmetric encryption scheme is described in the following


Figure 2: model of symmetric cryptosystem

 A source produces a message in plaintext,

X= [𝑋1, 𝑋2, 𝑋3, .............𝑋𝑀, ].
 A key of the form is K= [𝐾1, 𝐾2, 𝐾3,.............𝐾𝐽 , ] generated.
 If the key is generated at the message source, then it must also be provided to
the destination by means of some secure channel.
 Alternatively, a third party could generate the key and securely deliver it to
both source and destination.
 The cipher text is produced by the encryption algorithm with the message X and the
encryption key K as input.

The encryption process is:

Y=E (K, X)

This notation indicates that Y is produced by using encryption algorithm E as a function of

the plaintext X, with the specific function determined by the value of the key K.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 4


The intended receiver with the key is able to invert the transformation:

X=D (K, Y)

An opponent, observing Y but not having access to K or X, may attempt to recover X or K or

both. It is assumed that the opponent knows the encryption (E) and decryption (D)

The opponent may do one of the following:

 Recover X by generating a plaintext estimate 𝑋0, if the opponent is interested in only

this particular message.

 Recover K by generating an estimate 𝐾0, if the opponent is interested in being able to

read future messages.

4. CRYPTOGRAPHY. [DEC-2013 / JAN-2014 (4M)]

Cryptographic systems are characterized along three independent dimensions:

1. The Type of operations used for transforming plaintext to cipher text. All
encryption algorithms are based on two general principles:

 Substitution: each element in the plaintext (bit, letter, group of bits or letters)
is mapped into another element,
 Transposition: elements in the plaintext are rearranged.

The fundamental requirement is that no information be lost (all operations are

reversible). Product systems involve multiple stages of substitutions and

2. The Number of keys used.

 If both sender and receiver use the same key, the system is referred to as
symmetric, single-key, secret-key, or conventional encryption.
 If the sender and receiver use different keys, the system is referred to as
asymmetric, two-key, or public-key encryption.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 5


3. The way in which the plaintext is processed.

 A block cipher processes the input one block of elements at a time, producing an
output block for each input block.
 A stream cipher processes the input elements continuously, producing output one
element at a time, as it goes along.
CRYPTOGRAPHY [DEC-2013 / JAN-2014 (4M)]
 The word cryptography was derives from combining 2 Greek words. “Krypto” it
means “hidden” and “graphene” meaning “writing”. Cryptography is the art of secret
information writing or secret data writing.
 The main goal of cryptography is a data secure from unauthorized persons or
attackers or hackers.
 Cryptography is a method of storing and transmitting data in a particular form so that
only those for whom it is intended can read and process it.

Figure 3: Cryptographic Flow

 Encryption is a technique for transforming plain-text into an unreadable cipher-text or
unintelligible format.
 Decryption is a technique for transforming cipher text (unreadable data) into plain text
or original data (secret or confidential data).
 The key is also a group of bits which as a major role in the process of encryption and
Types of Cryptography
1. Symmetric Key Cryptography (Secret Key Cryptography)
2. Asymmetric Key Cryptography (Public Key Cryptography)

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 6


1. Symmetric Key Cryptography: Symmetric key cryptography is called secret key

cryptography or shared key or private key cryptography and it uses a same key or
single-key for both of encryption & decryption method. The Symmetric key system is
the DEC (data encryption standard).Symmetric key cryptography systems are simpler
and faster.

2. Asymmetric Key Cryptography (Public Key Cryptography): where a different

keys used for encryption and decryption. The different keys are a private key & a
public key.

3. Hash functions: uses a mathematical transformation to irreversibility “encrypt”

information. It is a one-way encryption. Uses no key for encryption and decryption.

 Enter (key) length will be generally short.
 Symmetric key cipher can be joined together to prepare stronger ciphers.
 It hides those secret or confidential messages and your protection or privacy may be
sheltered or protected or safe.

 On line banking.
 On line transaction.
 Media data base system.
 Medical application. Etc


The objective of attacking an encryption system is to recover the key in use rather
than simply to recover the plaintext of a single cipher text. There are two general approaches
to attacking a conventional encryption scheme:

 Cryptanalysis (cryptanalytic attacks): This attack relies on the nature of the

algorithm plus some knowledge of the general characteristics of the plaintext or
some sample plaintext–cipher text pairs. It exploits the characteristics of the
algorithm to attempt to deduce a specific plaintext or to deduce the key being

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 7


 Brute-force attack: The attacker tries every possible key on a piece of cipher text
until an intelligible translation into plaintext is obtained. On average, half of all
possible keys must be tried to achieve success.

If either type of attack succeeds in deducing the key, then future and past messages
encrypted with that key are compromised.

The following table summarizes the various types of cryptanalytic attacks based on the
amount of information known to the cryptanalyst.

Type of Known to Cryptanalyst


Cipher text  Encryption algorithm

Only  Cipher text

Known  Encryption algorithm

Plaintext  Cipher text
 One or more plaintext–cipher text pairs formed with the secret key

Chosen  Encryption algorithm

Plaintext  Cipher text
 Plaintext message chosen by cryptanalyst, together with its
corresponding cipher text generated with the secret key

Chosen Cipher  Encryption algorithm

text  Cipher text
 Cipher text chosen by cryptanalyst, together with its corresponding
decrypted plaintext generated with the secret key

Chosen Text Combination of "Chosen Plaintext" and "Chosen Cipher text"

Table1: Types of Attacks on Encrypted Messages

The two basic building blocks of all encryption techniques are substitution and
transposition. A substitution technique is one in which the letters of plaintext are replaced by
other letters or by numbers or symbols.1 If the plaintext is viewed as a sequence of bits, then
substitution involves replacing plaintext bit patterns with cipher text bit patterns.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 8


6.1 CAESAR CIPHER [JUNE-2012 -6M], [JUNE/JULY − 2017 (6M)]

 The encryption rule is simple; replace each letter of the alphabet with the letter
standing 3 places further down the alphabet.
 The alphabet is wrapped around so that Z follows A.
 Example:

Plaintext: meet me after the party


 Note that the alphabet is wrapped around, so that the letter following Z is A.
 We can define the transformation by listing all possibilities, as follows:
Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: d e f g h i j k l m n o p q r s T u v w x y z a b c
 Let us assign a numerical equivalent to each letter:
a b c d e f g H i j k l m
0 1 2 3 4 5 6 7 8 9 10 11 12

n o p q r s t u v w x y z
13 14 15 16 17 18 19 20 21 22 23 24 25

 Then the algorithm can be expressed as follows. For each plaintext letter p, substitute
the cipher text letter.
C = E (3, p) = (p + 3) mod 26
 A shift may be of any amount, so that the general Caesar algorithm is
C = E (k, p) = (p + k) mod 26
Where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p = D (k, C) = (C - k) mod 26
 If it is known that a given cipher text is a Caesar cipher, then a brute-force
cryptanalysis is easily performed: simply try all the 25 possible keys.
Three important characteristics of this problem enabled us to use a brute force cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 9



 Instead of shifting alphabets by the fixed amount as in Caesar cipher, any random
permutation is assigned to the alphabets. This type of encryption called
Monoalphabetic substitution cipher.
 For example, a replaced by Q, B by D, C by T etc. then it will be comparatively
stronger than Caesar.

6.3 PLAYFAIR CIPHER [JUNE/JULY-2013(10M)], [DEC-2015/JAN-2016 (10M)]

 In this technique, multiple (2) letters encrypted at a time.

 This technique uses a 5 X 5 matrix which also called the key matrix.

 The plaintext encrypted two letters at a time, according to the following rules:
 Repeating plaintext letters that are in the same pair are separated with a filler
letter, such as x, so that balloon would be treated as ba lx lo on.
 Two plaintext letters that fall in the same row of the matrix are each replaced by
the letter to the right, with the first element of the row circularly following the
 For example, ar is encrypted as RM.
 Two plaintext letters that fall in the same column are each replaced by the letter
beneath, with the top element of the column circularly following the last.
 For example, mu is encrypted as CM.
 Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its
own row and the column occupied by the other plaintext letter. Thus, hs become
BP and ea becomes IM (or JM, as the enciphered wishes).
 Security much improved over Monoalphabetic as here two letters are encrypted at a
time and hence there are 26 X 26 =676 diagrams and hence it needs a 676 entry
frequency table.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 10


 However, it can break even if a few hundred letters known as much of plaintext
structure retained in the cipher text.

6.4 HILL CIPHER [DEC-2012(10M)] , [DEC-2013 / JAN-2014 (10M)]

 This cipher is based on linear algebra.

 Each letter is represented by numbers from 0 to 25 and calculations are done modulo
 This encryption algorithm takes m successive plaintext letters and substitutes them
with m cipher text
 The substitution determined by m linear equations. For m = 3, the system can describe
c1 = (k11p1 + k21p2 + k31p3) mod 26
c2 = (k12p1 + k22p2 + k32p3) mod 26
c3 = (k13p1 + k23p2 + k33p3) mod 26
 This can also expressed in terms of row vectors and matrices.

C = PK mod 26
 Where C and P are row vectors of length 3 representing the plaintext and cipher text,
and K is a 3 X 3 matrix representing the encryption key
 Key is an invertible matrix K modulo 26, of size m. For example:

 Encryption and decryption can give by the following formulae: Hill Cipher
Encryption: C =E (K, P) = PK mod 26

Decryption: P = D (K, C) = CK-1 mod 26 = PKK-1 = P

 The strength of the Hill cipher is that it completely hides single-letter frequencies.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 11


 Although the Hill ciphers strong against a cipher text-only attack, it easily broke with
a known plaintext attack.
 Collect m pair of plaintext-cipher text, where m is the size of the key.
 Write the m plaintexts as the rows of a square matrix P of size m.
 Write the m cipher texts as the rows of a square matrix C of size m.
 We have that C=PK mod 26.
 If P is invertible, then K=13-1C mod 26,
 If P is not invertible, then collect more plaintext-cipher text pairs until an invertible P


Another way to improve on the simple Monoalphabetic technique is to use different
Monoalphabetic substitutions as one proceeds through the plaintext message.
The general name for this approach is polyalphabetic substitution cipher. All these techniques
have the following features in common:
1. A set of related Monoalphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.

6.5.1 Vigenere cipher:-

 This is a type of polyalphabetic substitution cipher (includes multiple substitutions

depending on the key). In this type of cipher, the key determines which particular
substitution to use.

 To encrypt a message, a key needed that is as long as the message. Usually, the key a

 We can express the Vigenere cipher in the following manner. Assume a sequence of
plaintext letters P =𝑃0 , 𝑃1 , 𝑃2 ...... 𝑃𝑛−1 and a key consisting of the sequence of letters
K =𝐾0 , 𝐾1 , 𝐾2 … 𝐾𝑚 −1 , where typically m 6 n. The sequence of cipher text letters C =
𝐶0 , 𝐶1 , 𝐶2 … … 𝐶𝑛−1 is calculated as follows:
C = 𝐶0 , 𝐶1 , 𝐶2 … … 𝐶𝑛−1 = E (K, P) = E [(𝐾0 , 𝐾1 , 𝐾2 … 𝐾𝑚 −1 ,), (P =𝑃0 , 𝑃1 ,
𝑃2 ...... 𝑃𝑛 −1 )] = (𝑃0 +𝐾0 , ) mod 26, ( 𝑃1 + 𝐾1 ) mod 26 .......... (𝑃𝑚 −1 +𝐾𝑚 −1 ) mod 26,
(𝑃𝑚 +𝐾0 , ) mod 26, (𝑃𝑚 +1 + 𝐾1 ) mod 26, c, (𝑃2𝑚 −1 + 𝐾𝑚 −1 ) mod 26,........
 Thus, the first letter of the key is added to the first letter of the plaintext, mod 26, the
second letters are added, and so on through the first m letters of the plaintext.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 12


 For the next m letters of the plaintext, the key letters are repeated. This process
continues until all of the plaintext sequence is encrypted.
 A general equation of the encryption process is

 A general equation of the decryption process is

 To encrypt a message, a key is needed that is as long as the message. Usually, the key
is a repeating keyword. For example, if the keyword is deceptive, the message “we
are discovered save yourself” is encrypted as
Key: d e c e p t i v e d e c e p t i v e d e c e p t i v e
Plaintext: w e a r e d i s c o v e r e d s a v e y o u r s e l f
Cipher text: Z I C V T W Q N G R Z G V T W A V Z H C Q Y G L M G J
Expressed numerically, we have the following result.

 The strength of this cipher is that there are multiple cipher text letters for each plaintext
letter, one for each unique letter of the keyword.
 Thus, the letter frequency information obscured, however, not all knowledge of the
plaintext structure lost.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 13


6.5.2 Vernam Cipher

 The ultimate defense against such a cryptanalysis is to choose a keyword that is as

long as the plaintext and has no statistical relationship to it. Such a system was
introduced by an AT&T engineer named Gilbert Vernam in 1918.

Figure 4: Vernam Cipher

 His system works on binary data (bits) rather than letters. The system can be
expressed succinctly as follows (Above figure 3)

 The cipher text is generated by performing the bitwise XOR of the plaintext and the
key. Because of the properties of the XOR, decryption simply involves the same
bitwise operation.


 A very different kind of mapping is achieved by performing some sort of permutation

on the plaintext letters. This technique is referred to as a transposition cipher.
 The simplest such cipher is the rail fence technique, in which the plaintext is written
down as a sequence of diagonals and then read off as a sequence of rows. For
example, to encipher the message “meet me after the toga party” with a rail fence of
depth 2, we write the following:

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 14


e tefeteoaat
 The encrypted message is
This sort of thing would be trivial to crypt analyze.
 A more complex scheme is to write the message in a rectangle, row by row, and read
the message off, column by column, but permute the order of the columns. The order
of the columns then becomes the key to the algorithm. For example,

Thus, in this example, the key is 4312567. To encrypt, start with the column that is
labelled 1, in this case column 3. Write down all the letters in that column. Proceed to
column 4, which is labelled 2, then column 2, then column 1, then columns 5, 6, and 7.
 A pure transposition cipher is easily recognized because it has the same letter
frequencies as the original plaintext. For the type of columnar transposition just
shown, cryptanalysis is fairly straightforward and involves laying out the cipher text
in a matrix and playing around with column positions. Diagram and trigram frequency
tables can be useful.
 The transposition cipher can be made significantly more secure by performing more
than one stage of transposition. The result is a more complex permutation that is not
easily reconstructed. Thus, if the foregoing message is re-encrypted using the same

To visualize the result of this double transposition, designate the letters in the original
plaintext message by the numbers designating their position. Thus, with 28 letters in the
message, the original sequence of letters is

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 15


After the first transposition, we have

Which has a somewhat regular structure. But after the second transposition, we have


 DES encrypts 64-bit blocks using a 56-bit key and produces a 64-bit cipher text.
 Same steps, with the same key, used to reverse the encryption with the order of the
keys reversed. The DES widely used.

8.1 DES Encryption [JUNE-2012 -10M]

The DES encryption is shown in the figure below

 Encryption function has two inputs: the plaintext to be encrypted and the key.

 The processing of the plaintext proceeds in three phases.

 The permuted output then passed through sixteen rounds of the same function, which
involves both permutation and substitution functions. The left and right halves from the
last round swapped to produce pre output.
 The pre-output passed through a permutation that is the inverse of the initial permutation
function, to produce the 64-bit cipher text.
 Moreover, The 64-bit plaintext passes through an initial permutation (IP) that rearranges
the bits to produce the permuted input.
 The right-hand portion of the figure shows the way in which the 56-bit key used.
 Initially, the key passed through a permutation function.
 Then, a sub key (ki) produced for each of the sixteen rounds by the combination of a left
circular shift and a permutation.
 The permutation functions the same for each round, but a different sub key produced
because of the repeated shifts of the key bits.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 16


Figure 5: General Depiction of DES Encryption Algorithm

8.2 DES Decryption
As with any Feistel cipher, decryption uses the same algorithm as encryption, except
that the application of the sub keys is reversed. Additionally, the initial and final permutations
are reversed.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 17



The followed criteria need to be taken into account when designing a block cipher:

Number of Rounds: The greater the number of rounds. The more difficult it is to perform
cryptanalysis, even for a weak function. The number of rounds chosen so that efforts required
to crypt analyze it becomes greater than a simple brute-force attack.

Design of Function F: F should be nonlinear and should satisfy strict avalanche criterion
(SAC) and bit independence criterion (BIC).

S-Box Design: S-Box obviously should non-linear and should satisfy SAC, BIC, and
Guaranteed Avalanche criteria. One more obvious characteristic of the S-box is its size.
Larger S-Boxes provide good diffusion but also result in greater look-up tables. Hence,
general size is 8 to 10.

Key schedule Algorithm: With any Feistel block cipher, the key used to generate one sub
key for each round. In general, sub keys should be selected such that it should be deduced sub
keys from one another or main key from the sub key.


A block cipher algorithm is a basic building block for providing data security. to
apply a block cipher in variety of applications.” Modes of operation have been defined by
A mode of operation is a technique for enhancing the effect of a cryptographic
algorithm or adapting the algorithm for an application. Such as applying a block cipher to a
sequence of data blocks or a data stream.
Block cipher modes of operation are

1. Electronic Codebook mode (ECB)

1. This is the simplest mode in which plaintext is handled one block at a time and each
block of plaintext is encrypted using the same key.
2. The term codebook is used because, for a given key, there is a unique cipher text for
every -bit block of plaintext.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 18


3. Therefore, we can imagine a huge codebook in which there is an entry for every possible
b-bit plaintext showing its corresponding cipher text.
4. For a message longer than b bits, the procedure is simply to break the message into b-bit
blocks, padding the last block if necessary.

Figure 6: Electronic Codebook mode (ECB)

 Decryption is performed one block at a time, always using the same key.
 For lengthy messages, ECB mode may be not secure. If the message has repetitive
elements, then these elements can be identified by the analyst.
 Thus, the ECB method is ideal for a short amount of data, such as an encryption key.

Lists the following criteria and properties for evaluating and constructing block cipher modes
of operation that are superior to ECB:
Overhead: The additional operations for the encryption and decryption operation when
compared to encrypting and decrypting in the ECB mode.
Error recovery: The property that an error in the ith cipher text block is inherited by
only a few plaintext blocks after which the mode resynchronizes.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 19


Error propagation: The property that an error in the ith cipher text block is inherited by
the ith and all subsequent plaintext blocks. What is meant here is a bit error that occurs in
the transmission of a cipher text block, not a computational error in the encryption of a
plaintext block.
Diffusion: How the plaintext statistics are reflected in the cipher text. Low entropy
plaintext blocks should not be reflected in the cipher text blocks. Roughly, low entropy
equates to predictability or lack of randomness
Security: Whether or not the cipher text blocks leak information about the plaintext

2. Cipher Block Chaining Mode (CBC)

Figure 7: Cipher Block Chaining (CBC) Mode

 To overcome the security deficiencies of ECB, a technique is needed in which the same
plaintext block, if repeated, produces different cipher text blocks.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 20


 A simple way to satisfy this requirement is the cipher block chaining (CBC) which is
shown in the figure.
 In this mode, the input to the encryption algorithm is the X-OR of the current plaintext
block and the preceding cipher text block; the same key is used for each block.
 The input to the encryption function for each plaintext block has no fixed relationship to
the plaintext block.
 Therefore, repeating patterns will not produce the same cipher text.
 The last block is padded to a full b bits if it is a partial block.
 For decryption, each cipher block is passed through the decryption algorithm. The result
is X-OR ed with the preceding cipher text block to produce the plaintext block.
 The expressions for CBC are: Modes: Operations
 Encryption:
Cj = E (K, [Cj-1 Pj])
 Decryption:
D (K, Cj) = D (K, E (K, [Cj-1  Pj]))
D (K, Cj) = Cj-1  Pj
Cj-1 D (K, Cj) = Cj-1  Cj-1 Pj = Pj

3. Cipher Feedback Mode (CFB)

DES is a block cipher, but it may be used as a stream cipher if the Cipher Feedback Mode
(CFM) or the Output Feedback Mode (OFB) is used. CFB scheme is depicted below.

 A stream cipher eliminates the need to pad a message to be an integral number of

 It also can operate in real time.
 ‘s’ bits the size usually selected by the user, most of the time it 8 bits.
 In this case, rather than the block of 64 bits, the plaintext is divided into segments of s
 Encryption: The input to the encryption function a 64-bit shift register that is initially
set to some initialization vector (IV).
 The leftmost (most significant) s bits of the output of the encryption function X-ORed
with the first segment of plaintext P1 to produce the first unit of cipher text C1, which
is then transmitted.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 21


 In addition, the contents of the shift register are shifted left by s bits and C1 is placed
in the rightmost s bits of the shift register.
 This process continues until all plaintext units have been encrypted.

Figure 8: s-bit Cipher Feedback (CFB) Mode

 Decryption: The same scheme used except that the received cipher text unit is X-
ORed with the output of the encryption function to produce the plaintext unit.
The main disadvantage of this scheme is that bit error in one cipher text propagates to

next stage also.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 22


4. Output Feedback Mode (OFM)

 The output feedback mode is similar in structure to that of CFB.
 The difference between CFB and OFB is that in OFB the output of the encryption
function is fed back to the shift register in OFB, whereas in CFB the cipher text is fed
to the shift register.
 The other difference is that the OFB mode operates on full blocks of plaintext and
cipher text, not on „s‟ bit subset.
One advantage of the OFB method is that bit errors in transmission do not propagate.
The main disadvantage of OFB is that it is more vulnerable to a message stream
modification attack than CFB

Figure 9: Output Feedback (OFB) Mode

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 23


5. Counter Mode (CTR) [DEC-2010(10M)]

 In this mode, a counter equal to the plaintext block size used.

 The only requirement that the counter value must different for each plaintext block that
 Typically, the counter initialized to some value and then incremented by 1 for
each subsequent block (modulo 2b, where b the block size)
 Counter Mode works as follows:
 Encryption: The counter encrypted and then XORed with the plaintext block to produce
the cipher text block; there is no chaining.
 Decryption: The same sequence of counter values used. Each encrypted counter X-ORed
with a cipher text block to recover the corresponding plaintext block.

Figure 10: Counter (CTR) Mode

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 24


 CTR has following advantages: Modes: Operations

 Hardware efficiency: In this mode, encryption (or decryption) can do in parallel on

multiple blocks of plaintext or cipher text. For the chaining modes, the algorithm must
complete the computation on one block before beginning on the next block.
 Software efficiency: Similarly, because of the opportunities for parallel execution in
CTR mode, processors that support parallel features, such as aggressive pipelining,
multiple instruction dispatches per clock cycle, the large number of registers can
effectively utilize.
 Preprocessing: The execution of the encryption algorithm does not depend on the
input of the plaintext or cipher text. Therefore preprocessing can used to prepare the
output of the encryption boxes which can feed into the X-OR functions when the
plaintext or cipher text input presented.
 Random access: The ith block of plaintext or cipher text can process in the random-
access fashion. With the chaining modes, a block cannot compute until i– 1 prior
block computed.
 Provable security: It can show that CTR is as secure as the other modes.
 Simplicity: CTR mode requires only the implementation of the encryption algorithm
and not the decryption algorithm and has a very simple implementation.

This mode used in ATM (asynchronous transfer mode) and IP Sec (IP security) nowadays.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 25



AES is a non –Feistel cipher, which means that each transformation or group of
transformation must be invertible. In addition, the cipher and the inverse cipher must use
these operations in such a way that cancel each other. The round keys must also be used in
the reverse order. Two different designs are given to be used for different implementation.

11.1 Original design or Detailed Structure

In the original design, the order of transformations in each round is not the same in the cipher
and reverse cipher. Shown in below figure 5.
 1st, the order of sub bytes and shift rows is changed in the reverse cipher.
 2nd, the order of mix columns and Add round key is changed in the reverse cipher.
This difference in ordering is needed to make each transformation in the cipher
aligned with its inverse in the reverse cipher.
 Consequently, the decryption algorithm as a whole is the inverse of the encryption
 We have shown only three rounds, but the rest is the same.
 Note that the round keys are used in the reverse order.
 Note that the encryption and decryption algorithms in the original are not similar.


Dept. of ECE, BGSIT, BG Nagara, Mandya Page 26


Figure 11: cipher and inverse cipher of the original design or AES Encryption and
11.2 Alternative design
1. Sub Bytes / shift rows pairs
 Sub bytes change the contents of each bytes without changing the order of the
bytes in the state; shift rows change the order of the bytes in the state without
changing the content of the bytes. This implies that we can change the order of
these two transformations in the inverse cipher without affecting the invertibility
of the whole algorithm. Below fig 6 shows the idea.
 Note that the combination of two transformations in the cipher and inverse cipher
are the inverse of each other.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 27


Figure 12: invertibility of sub bytes and shift rows combinations

2. Mix columns/Add round key pair
 Here the two involved transformations are of different nature.
 However, the pairs can become inverse of each if we multiply the key matrix
by the inverse of the constant matrix – used in mix columns transformation.
We call the new transformation InvAddRoundKey. Below fig 7 shows the new

Figure 13: invertibility of mix columns and Addroundkey combinations

 It can be proved that the two combinations are now inverses of each other.
 In the cipher we call the input state to the combination S and the output state T.
 In the inverse cipher the input state to the combination is T.
 The following show that the output state is also S.
 Not the matrix columns transformation is actually multiplication of the C matrix.

 Now we can show the cipher and inverse cipher for the alternate design.
 Note that we still need to use two add round key transformations in the
 In other words, we have nine InvAddRoundKey and two Addroundkey
transformation as shown in below fig8

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 28


Figure 14: cipher and reverse cipher in alternate design or AES Encryption and
Decryption in alternate design


[MAY/JUNE -2010 (06M)], [DEC-2014 / JAN-2015 (8M)]
Figure 9 shows the overall structure of the AES encryption process. The cipher takes a
plaintext block size of 128 bits, or 16 bytes. The key length can be 16, 24, or 32 bytes (128,
192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-256, depending
on the key length.
 The input to the encryption and decryption algorithms is a single 128-bit block.
 In FIPS PUB 197, this block is depicted as a 4 * 4 square matrix of bytes. This block
is copied into the State array, which is modified at each stage of encryption or
 After the final stage, State is copied to an output matrix. These operations are
depicted in 10 (a). Similarly, the key is depicted as a square matrix of bytes. This key
is then expanded into an array of key schedule words.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 29


 Figure 10 (b). Shows the expansion for the 128-bit key. Each word is four bytes, and
the total key schedule is 44 words for the 128-bit key. Note that the ordering of bytes
Within a matrix is by column.
 So, for example, the first four bytes of a 128-bit plaintext input to the encryption
cipher occupy the first column of the in matrix, the second four bytes occupy the
second column, and so on. Similarly, the first four bytes of the expanded key, which
form a word, occupy the first column of the w matrix.

Figure 15: AES Encryption Process

 The cipher consists of N rounds, where the number of rounds depends on the key
length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key and 14 rounds for a
32-byte key (Table 5.1). The first N - 1 round consist of four distinct transformation

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 30


functions: Sub Bytes, Shift Rows, Mix Columns, and Addroundkey, which are
described subsequently.
 The final round contains only three transformations, and there is a initial single
transformation (Addroundkey) before the first round, which can be considered Round
0. Each transformation takes one or more 4 X 4 matrices as input and produces a 4 X
4 matrix as output.
 Figure 9 shows that the output of each round is a 4 X 4 matrix, with the output of the
final round being the cipher text. Also, the key expansion function generates N + 1
round key, each of which is a distinct 4 X 4 matrix. Each round key serves as one of
the inputs to the Addroundkey transformation in each round.

(a) Input, state array, and output

(b) Key and expanded key

Figure 2: AES Data Structures

Table1 3: AES Parameters

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 31


13 DETAILS OF SINGLE ROUND DES [MAY/JUNE -2010 (08M)], [DEC-2010(10M)],

[DEC-2014 / JAN-2015 (8M)], [JUNE/JULY − 2017 (6M)],[DEC-2013 / JAN-2014 (10M)]

Figure 11 shows the internal structure of a single round.

Figure 16: single round of DES algorithm

 The left and right halves are treted as separate 32-bit quantities, labelled L (left) and R
 The overall processing at each round can be summarized as:

𝐿𝑖 = 𝑅𝑖 -1
𝑅𝑖 = 𝐿𝑖 -1 ⊕ {F (𝑅𝑖 -1,𝑘𝑖 )}

Expansion (E)

 The 32-bit input first expanded to 48 bits. o Bits of input split into groups of 4 bits.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 32


 Each group wrote as groups of 6 bits by taking the outer bits from the two adjacent
 For example: … efgh ijkl mnop … is expanded to … defghi hijklm lmnopq …

Table1 4: Expansion permutation (E)

Substitution (S-Box)

This 48-bit result input to S-Boxes that perform a substitution on input and produces a 32-bit
It is easy to understand S-Box by the following figure:

Figure 17: calculation of F( R,K)

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 33


 DES consists of a set of eight S-Boxes.

 Each S-Box takes 6 bits as input and produces 4 bits as output.
 The first and last bits of the input to box form a 2-bit binary number which gives the
binary value of row number.
 The middle four bits select one of the sixteen columns.
 The decimal value in the cell selected by the row and column then converted to its 4-bit
binary number to produce the output.
 For example, in S1, for input 101110, the row is 10 (row 2) and the column is 0111
(column 7).The value in row 2, column 7 is 11, so the output is 1011.

Permutation (P)
The result permuted using a permutation table.

Table1 5: Permutation function (p)

Key Generation

 A 64-bit key used as input to the algorithm while only 56 bits actually used. Every eighth
bit ignored. Sub-keys at each round generated as given below:
 The key first permuted using a table named Permuted Choice One table (6).
 The resulting 56-bit key divided into two 28-bit quantities, C0 and D0. At each round, Ci-
1 and Di-1 separately subjected to a circular left shift of 1 or 2 bits, as governed by a table.
 Moreover, these shifted values forwarded to the next round. They are also inputting to a
permutation table Permuted Choice Two table (7).
 The table produces a 48-bit output that serves as the round key ki.

Table1 6: Input key Table 7: Permuted choice one (PC-1)

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 34


Table 8: Permuted choice two (PC- 2)

Table 9: Schedule of left shifts


A. Stream ciphers
 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
 Examples: one time pad
 In which the key stream (ki) is as long as the plaintext bit stream (pi).
 If the cryptographic key stream is random, then this cipher is unbreakable by any
means other than acquiring the key stream.
 However, the key stream must be provided to both users in advance via some
independent and secure channel.
(Figure 13)

Figure 18: Stream cipher using algorithmic bit-stream generator

Accordingly, for practical reasons, the bit-stream generator must be implemented as an
algorithmic procedure, so that the cryptographic bit stream can be produced by both
users. In this approach (Figure 13), the bit-stream generator is a key-controlled algorithm
and must produce a bit stream that is cryptographically strong. That is, it must be
computationally impractical to predict future portions of the bit stream based on previous

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 35


portions of the bit stream. The two users need only share the generating key, and each can
produce the key stream.
B. Block ciphers
 A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a cipher text block of equal length.
 Typically, a block size of 64 or 128 bits is used.
 As with a stream cipher, the two users share a symmetric encryption key (Figure 14).

Figure 19: Block Cipher

 Plaintext:227 bytes
Block size: 16bytes
=227/16=14 blocks & 3 bytes
 Total block 15 in which last block contain 3 bytes and padding bytes



Dept. of ECE, BGSIT, BG Nagara, Mandya Page 36




Feistel cipher is based on the idea that instead of using Ideal block cipher which degrades
performance, a “substitution-permutation network” can be used.

Feistel Cipher Encryption (shown in below fig 15)

 The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
 The plaintext block is divided into two halves 𝐿𝑂 and 𝑅𝑂
 The two halves of the data pass through rounds of processing and then combine to
produce the cipher text block.
 Each round has as inputs 𝐿𝑖−1 and 𝑅𝑖−1 derived from the previous round, as well as a sub
key 𝐾𝑖 derived from the overall K.
 Any number of rounds could implement and all rounds have the same structure.
 A substitution is performed on the left half of the data. This done by applying around
function F.
 The Round Function F: F takes the right-half block of the previous round and a sub key as
 The output of the function XORed with the left half of the data.
Dept. of ECE, BGSIT, BG Nagara, Mandya Page 37

 Left and right halves then swapped.

Figure 20: Feistel Encryption and Decryption (16 rounds)

Feistel Cipher Decryption

 The process of decryption with a Feistel cipher is same as the encryption process.
 The cipher text input to the algorithm and the sub keys used in reverse order. That is, sub
key of the last round in encryption used in the first round in decryption, second last in the
second round, and so.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 38


The exact realization of a Feistel network depends on the choice of the following

 Block size: Larger block sizes mean greater security but reduced encryption/decryption
speed for a given Traditionally, a block size of 64 bits used which gives enough security
without greatly affecting the speed.
 Key size: Larger key size means greater security but may decrease encryption/ decryption
speed. The greater security achieved by greater resistance to brute-force attacks and
greater confusion. Key sizes of 64 bits or less now widely considered to inadequate, and
128 bits has become a common size.
 The number of rounds: The essence of the Feistel cipher that a single round offers
inadequate security but that multiple rounds offer increased security. A typical size 16

 Sub key generation algorithm: Greater complexity in this algorithm leads to greater
difficulty of cryptanalysis

 Round function F: Again, greater complexity generally means greater resistance to


There are two other considerations in the design of a Feistel cipher:

 Fast software encryption/decryption: In many cases, encryption embedded in

applications implementation (as software). Accordingly, the speed of execution of the
algorithm becomes a concern.
 Ease of analysis: Although we would like to make our algorithm as difficult as possible
to crypt analyze, there is a great benefit in making the algorithm easy to analyze. That is
if The algorithm can concisely and clearly explain, it is easier to analyze that algorithm
for cryptanalytic vulnerabilities and therefore develop a high level of assurance as to its

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 39



A. The Use of 56-Bit Keys

 With a key length of 56 bits, there are 256 possible keys, which is approximately 7.2
X 1016 keys. Thus, on the face of it, a brute-force attack appears impractical.
 Assuming that, on average, half the key space has to be searched, a single machine
performing one DES encryption per microsecond would take more than a thousand
years to break the cipher.
 The assumption of one encryption per microsecond is overly conservative. As far
back as 1977, Diffie and Hellman postulated that the technology existed to build a
parallel machine with 1 million encryption devices, each of which could perform one
encryption per microsecond [DIFF77]. This would bring the average search time
down to about 10 hours. The authors estimated that the cost would be about $20
million in 1977 dollars.
 Table 9 shows how much time is required for a brute-force attack for various key
sizes. As can be seen, a single PC can break DES in about a year; if multiple PCs
work in parallel, the time is drastically shortened.

Table 10 : Average Time Required for Exhaustive Key Search

 Today‟s supercomputers should be able to find a key in about an hour. Key sizes of
128 bits or greater are effectively unbreakable using simply a brute force approach.
Even if we managed to speed up the attacking system by a factor of 1 trillion (1012),
it would still take over 100,000 years to break a code using a 128-bit key.

B. The Nature of the DES Algorithm

 Another concern is the possibility that cryptanalysis is possible by exploiting the
characteristics of the DES algorithm.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 40


 The focus of concern has been on the eight substitution tables, or S-boxes, that are
used in each iteration. Because the design criteria for these boxes, and indeed for the
entire algorithm, were not made public, there is a suspicion that the boxes were
constructed in such a way that cryptanalysis is possible for an opponent who knows
the weaknesses in the S-boxes. This assertion is tantalizing, and over the years a
number of regularities and unexpected behaviors of the S-boxes have been
discovered. Despite this, no one has so far succeeded in discovering the supposed
fatal weaknesses in the S-boxes.


For most of its life, the prime concern with DES has been its vulnerability to brute-
force attack because of its relatively short (56 bits) key length. However, there has also been
interest in finding cryptanalytic attacks on DES. With the increasing popularity of block
ciphers with longer key lengths, including triple DES, brute-force attacks have become
increasingly impractical. Thus, there has been increased emphasis on cryptanalytic attacks on
DES and other symmetric block ciphers. In this section, we provide a brief overview of the
two most powerful and promising approaches: differential cryptanalysis and linear

Differential Cryptanalysis

One of the most significant advances in cryptanalysis in recent years is differential

cryptanalysis. In this section, we discuss the technique and its applicability to DES.

Differential Cryptanalysis Attack

 The differential cryptanalysis attack is complex; [BIHA93] provides a complete
 The rationale behind differential cryptanalysis is to observe the behavior of pairs of
text blocks evolving along each round of the cipher, instead of observing the
evolution of a single text block. Here, we provide a brief overview so that you can get
the flavor of the attack.
 We begin with a change in notation for DES. Consider the original plaintext
block m to consist of two halves m0, m1.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 41


 Each round of DES maps the right-hand input into the left-hand output and sets the
right-hand output to be a function of the left-hand input and the sub key for this
round. So, at each round, only one new 32-bit block is created.
 If we label each new block m1(2  I  17), then the intermediate message halves are
related as follows:

 In differential cryptanalysis, we start with two messages, m and m', with a known XOR
difference  m = m  m' and consider the difference b/w the intermediate message
halves:  𝑚𝑖 = 𝑚𝑖  𝑚𝑖+1

. then we have

 Now, suppose that many pairs of inputs to f with the same difference yield the same
output difference if the same sub key is used. To put this more precisely, let us say
that X may cause Y with probability p, if for a fraction p of the pairs in which the
input XOR is X, the output XOR equals Y.
 We want to suppose that there are a number of values of X that have high probability
of causing a particular output difference. Therefore, if we know Dmi-1 and Dmi with
high probability, then we know Dmi+1 with high probability.
 Furthermore, if a number of such differences are determined, it is feasible to
determine the sub key used in the function f.
 The overall strategy of differential cryptanalysis is based on these considerations for a
single round.
 The procedure is to begin with two plaintext messages m and m' with a given
difference and trace through a probable pattern of differences after each round to yield
a probable difference for the cipher text.
 there are two probable patterns of differences for the two 32-bit halves: (m17||m16).
Next, we submit m and m' for encryption to determine the actual difference under the
unknown key and compare the result to the probable difference. If there is a match,

E (K, m)  E (m') = (m17|| m16)

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 42


 Then we suspect that all the probable patterns at all the intermediate rounds are
correct. With that assumption, we can make some deductions about the key bits. This
procedure must be repeated many times to determine all the key bits.

Figure 21: Differential Propagation through Three Round of DES (numbers in


Dept. of ECE, BGSIT, BG Nagara, Mandya Page 43


Figure (16) based on a figure in [BIHA93], illustrates the propagation of differences

through three rounds of DES. The probabilities shown on the right refer to the probability that
a given set of intermediate differences will appear as a function of the input differences.
Overall, after three rounds the probability that the output difference is as shown is equal to
0.25 x 1 x 0.25 = 0.0625.

Linear Cryptanalysis

A more recent development is linear cryptanalysis, described in [MATS93]. This attack is

based on finding linear approximations to describe the transformations performed in DES.
This method can find a DES key given 243 known plaintexts, as compared to 247 chosen
plaintexts for differential cryptanalysis. Although this is a minor improvement, because it
may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear
cryptanalysis infeasible as an attack on DES. So far, little work has been done by other
groups to validate the linear cryptanalytic approach.

We now give a brief summary of the principle on which linear cryptanalysis is based. For a
cipher with n-bit plaintext and cipher text blocks and an m-bit key, let the plaintext block be
labelled P[1], ... P[n], the cipher text block C[1], ... C[n], and the key K[1], ... K[m]. Then

The objective of linear cryptanalysis is to find an effective linear equation of the form:

That holds with probability p  0. If it is 1 most of the time, assume = 1.

This gives us a linear equation on the key bits. Try to get more such relations so that we can
solve for the key bits. Because we are dealing with linear equations, the problem can be
approached one round of the cipher at a time, with the results combined.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 44


19 ONE-TIME PAD [JUNE-2012 -4M]

 In this scheme, a random key that is as long as the message used.

 The key used to encrypt and decrypt a single message and then discarded. Each new
message requires a new key of the same length as the new message.
 This scheme is unbreakable.
 It produces random output that bears no statistical relationship to the plaintext.
 Because the cipher text contains no information whatsoever about the plaintext, there is
simply no way to break the code.
 For any plaintext of equal length to the cipher text, there is a key that produces that
 Therefore, if you did an exhaustive search of all possible keys, you would end up with
many legible plaintexts, with no way of knowing which the intended plaintext was.
 Therefore, the code is unbreakable.
 The security of the one-time pad is entirely due to the randomness of the key.
 The one-time pad offers complete security but, in practice, has two fundamental

1. There is the practical problem of making large quantities of random keys. Any heavily
used system might require millions of random characters on a regular basis.
Supplying truly random characters in this volume is a significant task.

2. Another problem is that of key distribution and protection. For every message to sent,
a key of equal length needed by both sender and receiver.

Because of these difficulties, the one-time pad used where very high security required.

The one-time pad is the only cryptosystem that exhibits perfect secrecy.

20 STEGANOGRAPHY [JUNE/JULY-2013(4M)]. [DEC-2013 / JAN-2014 (4M)]

The steganography comes from Greek words, steganos in Greek meaning “hidden” or
“covered” and graphic in Greek meaning “writing”. Steganography is the invisible

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 45


The main idea of steganography is to hide secret messages in the other cover digital
Medias such as a text, video, and audio, image etc. show that someone or hacker or other
person cannot know the presence of the secret information.
There are three basic types of steganography
a. Pure or Stegano-graphy.
b. secret key Stegano-graphy.
c. Public key Stegano-graphy.

a. Pure-steganography: is embedding the secret information or message into the thing (item)
without using any private keys. Pure Stegano-graphy is entirely depends upon secrecy. In this
steganography uses a cover image in which information is to be embedded.

Figure 22: pure steganography

Pure Stego cannot give the better security because of it will be not difficult for Extracting the
information, if the hacker know the embedding technique.
Advantage - It decreases the difficulty in key sharing.

Secret key steganography: in this technique uses the individual key for combine the
Information into The thing (item), so this will be similar to symmetric key. For a Decryption
it will be uses the same-key, which will be utilized to encryption.

Figure 23: secret key Steganography

Advantage - Mystery-key Stego gives high security compare to pure-Stego.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 46


Public-key Stego: this type of Stego uses 2 types of keys like,

1) Encryption
2) Decryption

Figure 24: Public key Steganography

Encryption used for private - key and Decryption used for public- key & it is saved in a
public database.


 Confidential communication and secret data storing.

 Protect of data alteration.
 Access control system for digital content distribution.
 Usage in modern printers
 Alleged use by terrorists.
 Alleged use by intelligence services etc.
 It is used in the way of hiding not the information but the password to reach that
 Difficult to detect. Only receiver can detect.
 Can be applied differently in digital image, sound, audio and video file.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 47



The overall structure of the simplified DES. The S-DES encryption algorithm takes an
8-bit block of plaintext (example: 10111101) and a 10-bit key as input and produces an 8-bit
block of cipher text as output. The S-DES decryption algorithm takes an 8-bit block of cipher
text and the same 10-bit key used to produce that cipher text as input and produces the
original 8-bit block of plaintext.

Figure 25: Simplified DES scheme

The encryption algorithm involves five functions: an initial permutation (IP); a
complex function labelled fk, which involves both permutation and substitution operations
and depends on a key input ;a simple permutation function that switches (SW) the two halves

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 48


of the data; the function fk again; and finally a permutation function that is the inverse of the
initial permutation( I𝑃 −1 ) .

The function fk takes as input not only the data passing through the encryption
algorithm, but also an 8-bit key. Here a 10-bit key is used from which two 8-bit sub keys are
generated. The key is first subjected to a permutation (P10). Then a shift operation is
performed. The output of the shift operation then passes through a permutation function that
produces an 8-bit output (P8) for the first sub key (K1). The output of the shift operation also
feeds into another shift and another instance of P8 to produce the second sub key (K2).

The encryption algorithm can be expressed as a composition composition1 of functions:

IP-1 ο fK2 ο SW ο fk1 ο IP

Which can also be written as

Cipher text = IP-1 (fK2 (SW (fk1 (IP (plaintext)))))


K1 = P8 (Shift (P10 (Key)))

K2 = P8 (Shift (shift (P10 (Key))))

Decryption is also shown in above fig25 and is essentially the reverse of encryption:

Plaintext = IP-1 (fK1 (SW (fk2 (IP (cipher text))))).


S-DES depends on the use of a 10-bit key shared between sender and receiver. From
this key, two 8-bit sub keys are produced for use in particular stages of the encryption and
decryption algorithm.
First, permute the key in the following fashion. Let the 10-bit key be designated as
(k1, K2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as:

P10 (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, K2, k7, k4, k10 10, k1, k9, k8, k6)
P10 can be concisely defined by the display:

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 49


Figure 26: Key generation for simplified DES

This table is read from left to right; each position in the table gives the identity of the
input bit that produces the output bit in that position. So the first output bit is bit 3 of the
input; the second output bit is bit 5 of the input, and so on. For example, the key
(1010000010) is permuted to (10000 01100). Next, perform a circular left shift (LS-1), or
rotation, separately on the first five bits and the second five bits. In our example, the result is
(00001 11000). Next we apply P8, which picks out and permutes 8 of the 10 bits according to
the following rule:

The result is sub key 1 (K1). In our example, this yields (10100100). We then go back to the
pair of 5-bit strings produced by the two LS-1 functions and performs a circular left shift of 2
bit positions on each string. In our example, the value (00001 11000) becomes (00100
00011). Finally, P8 is applied again to produce K2. In our example, the result is (01000011).

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 50


Encryption involves the sequential application of five functions.

Figure 27: simplified DES scheme Encryption Detail

Initial and Final Permutations

The input to the algorithm is an 8-bit block of plaintext, which we first permute using
the IP function:

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 51


This retains all 8 bits of the plaintext but mixes them up.

Consider the plaintext to be 11110011.

Permuted output = 10111101

At the end of the algorithm, the inverse permutation is used:

The Function fk

The most complex component of S-DES is the function fk, which consists of a
combination of permutation and substitution functions. The functions can be expressed as
follows. Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fk, and let
F be a mapping (not necessarily one to one) from 4-bit strings to 4-bit strings. Then we let

We now describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first
operation is an expansion/permutation operation:

e.g., R= 1101

E/P output = 11101011

It is clearer to depict the result in this fashion

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 52


The 8-bit sub key K1 = (k11, k12 12, k13 13, k14 14, k15 15, k16 16, k17 17, k18) is added
to this value using exclusive-OR:

The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce a 2- bit
output, and the remaining 4 bits (second row) are fed into S1 to produce another 2-bit output.
These two boxes are defined as follows:

The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit number
that specify a row of the S-box, and the second and third input bits specify a column of the S-
box. The entry in that row and column, in base 2, is the 2-bit output. For example, if
(p0,0 p0,3) = ) (00) and ( p0,1 p0,2) = (10), then the output is from row 0, column 2 of S0,
which is 3, or (11) in ) binary. Similarly, (p1,0 p1,3) and ( p1,1p1,2) are used to index into a
row and column of S1 to produce an additional 2 bits. Next, the 4 bits produced by S0 and S1
undergo a further permutation as follows:

The output of P4 is the output of the function F.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 53



1. In S-DES, 10-bit key is “1010000010”.find the sub keys K1 and K2. If
𝑃10 = 3 5 2 7 4 10 1 9 8 6
𝑃8 = 6 3 7 4 8 5 10 9. [MAY/JUNE -2010 (06M)]
2. With a neat diagram, explain the single round of DEC encryption. [MAY/JUNE -2010
3. Discuss the evaluation criteria of AES. [MAY/JUNE -2010 (06M)]
7 8
4. Encrypt the plain text “SECURITY” using Hill cipher with the key . [MAY/JUNE -
19 3
2010 (08M)]
DEC – 2010
1. Encrypt the message “we will meet tomorrow” using Playfair cipher with a key “STORY”.
Give the rules for encryption. [DEC-2010(10M)]
2. With a schematic diagram, explain the S-DES encryption and decryption process,
highlighting the key generation phase. [DEC-2010(10M)]
3. Explain the counter mode of block cipher. What are its advantages? [DEC-2010(10M)]
𝐉𝐔𝐍𝐄/𝐉𝐔𝐋𝐘 − 𝟐𝟎𝟏𝟏
9 4
1. Encrypt the plain text “MONDAY” using Hill cipher with the key . Show your
5 7
calculation and cipher text. [Hint: a=0, b=1 …… z = 25] [JUNE/JULY − 2011(8M)]
2. Draw the single round of DES algorithm and explain the process. [JUNE/JULY −
3. Describe the block cipher modes of operation in details. [JUNE/JULY − 2011(10M)]
1. Explain block cipher design principles. [DEC-2011(8M)]
2. In S-DES, the plain text is 11110010 and key is 1011100110. Find cipher text. [DEC-
3. Explain the strength of DES. [DEC-2011(4M)]
1. Explain the operation of Caesar cipher with an algorithm. Derive the cipher with an
algorithm. Derive the cipher text using caser cipher for the following plain text message

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 54


2. with a block diagram. Explain Feistel encryption and decryption algorithm. [JUNE-2012 -
3. Write a note on one-time pad. [JUNE-2012 -4M]
4. With a block diagram, explain DES encryption and key generation technique. [[JUNE-
2012 -10M]
1. With a neat diagram, explain the single round DES encryption. [DEC-2012(10M)]
2. Encrypt the plaintext “CRYPTOGRAPHY” using Hill cipher technique. Key K= .
1. Explain the working of the Playfair cipher with an example. [JUNE/JULY-2013(10M)]
2. Distinguish block cipher and stream cipher with examples. [JUNE/JULY-2013(8M)]
3. Explain block cipher design principles. [JUNE/JULY-2013(8M)]
4. Briefly describe about steganography. [JUNE/JULY-2013(4M)]
DEC-2013 / JAN-2014
1. Define the terms cryptography and steganography.[ DEC-2013 / JAN-2014 (4M)]
6 24 1
2. Encrypt the message “ACT” using the Hill Cipher key K= 13 16 10 . And also the
20 17 15
calculations for the corresponding decryption of the cipher text to recover original plain text
8 5 10
𝐾 −1 = 21 8 21 . [DEC-2013 / JAN-2014 (10M)]
21 12 8
3. With the help of a block diagram, explain the overall structure of the S-DES. Explain the
role of sub key generation with suitable analysis. [DEC-2013 / JAN-2014 (10M)]

7 8
1. Encrypt the plain text “Hard work” using hill cipher with the key . [DEC -
19 3
2014/JAN-2015 (8M)]
2. With a neat diagram, explain the single round of DEC encryption. [DEC-2014 / JAN-2015
3. In S-DES 10 bit key is 1000100010. Find the sub key K1 and K2 if
𝑃10 = 3 5 2 7 4 10 1 9 8 6
𝑃8 = 6 3 7 4 8 5 10 9. [DEC-2014/JAN-2015 (8M)]

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 55


4. Explain in brief the evaluation criteria of AES. [DEC-2014 / JAN-2015 (8M)]

1. Encrypt the message “ELECTRONICS” using Playfair cipher with a key “INDIA”, also
give the rules for encryption. [DEC-2015/JAN-2016 (10M)]
5 8
2. Encrypt the plain text “HAND” using hill cipher with the key = . Also decrypt it and
17 3
verify the encryption and decryption text. [DEC-2015/JAN-2016 (10M)]
3. In S-DES, 10-bit key is “1010000010”.find the sub keys K1 and K2. If
𝑃10 = 3 5 2 7 4 10 1 9 8 6
𝑃8 = 6 3 7 4 8 5 10 9. [DEC-2015/JAN-2016 (10M)]
𝐉𝐔𝐍𝐄/𝐉𝐔𝐋𝐘 − 𝟐𝟎𝟏𝟕
1. Encrypt the plain text “HELLO” Using the play fair cipher with the key “EXAM”. [JUNE/
JULY − 2017 (8M)]
2. Explain the operation of caser cipher with an algorithm. Derive the cipher text using caser
cipher for the following plain text message with key length K=3, “logic”. [JUNE/JULY −
2017 (6M)]
3. Explain the single round of DES – encryption model. [JUNE/JULY − 2017 (6M)]

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 56