Cryptography & Network

Security
Symmetry Key Cryptography
UNIT-II

Dr P Naga Jyothi
Assistant Professor,
Dept of CSE
Learning Outcomes
• Distinguish between block and stream ciphers
• Explain and implement block cipher DES and AES algorithm
• Explain and implement stream cipher RC4
Key Topics

• Block ciphers

• DES Algorithm

• AES Algorithm

• Stream Ciphers
Modern Block Ciphers
• Now look at modern block ciphers
• One of the most widely used types of cryptographic algorithms
• Provide secrecy /authentication services
• Focus on DES (Data Encryption Standard)
• To illustrate block cipher design principles
Block vs Stream Ciphers
• Block ciphers process messages in blocks, each of which is then
en/decrypted.
• Like a substitution on very big characters
• 64-bits or 128-bit
• Stream ciphers is one that encrypts a digital data stream one bit or
one byte at a time. Ex: Vigenere cipher and Vernam cipher
• Many current ciphers are block ciphers.
• Broader range of applications.
Block cipher vs Stream cipher
Block Cipher Stream Cipher

Block Cipher Converts the plain text into cipher text by Stream Cipher Converts the plain text into cipher text by
taking plain text’s block at a time. taking 1 byte of plain text at a time.

Block cipher uses either 64 bits or more than 64 bits. While stream cipher uses 8 bits.

The complexity of block cipher is simple. While stream cipher is more complex.

Block cipher Uses confusion as well as diffusion. While stream cipher uses only confusion.

In block cipher, reverse encrypted text is hard. While in stream cipher, reverse encrypted text is easy.

The algorithm modes which are used in block cipher are:

The algorithm modes which are used in stream cipher are:
ECB (Electronic Code Book) and CBC (Cipher Block
CFB (Cipher Feedback) and OFB (Output Feedback).
Chaining).

Block cipher works on transposition techniques like rail- While stream cipher works on substitution techniques
fence technique, columnar transposition technique, etc. like Caesar cipher, substitution cipher, etc.

Block cipher is slow as compared to stream cipher. While stream cipher is fast in comparison to block cipher.
Motivation of Feistel cipher structure
• A block cipher operates on a plaintext block of n bits to produce a ciphertext
block of n bits.
• 2n possible different plaintext blocks for en/decryption

• Each must produce a unique ciphertext block- Reversible or non singular

• Most of block cipher can be used reversible mapping between plaintext and
ciphertext,
• Feistel is ideal block cipher as it allows maximum number of en mappings from
plaintext block.
• For ex. n=4 then system is equivalent to classical substitution cipher but these are
vulnerable to statistical analysis.
• An arbitrary reversible substitution cipher for large block size is not practical for
implementation and performance.
Block Cipher Principles
• Most symmetric block ciphers are based on a Feistel Cipher Structure
• Needed since must be able to decrypt ciphertext to recover messages
efficiently
• Block ciphers look like an extremely large substitution
• Would need table of 264 entries for a 64-bit block
• Instead create from smaller building blocks
• Using idea of a product cipher
Ideal Block Cipher
Claude Shannon and Substitution-Permutation Ciphers

• Claude Shannon introduced idea of substitution-permutation (S-P)

networks in 1949 paper
• form basis of modern block ciphers
• S-P nets are based on the two primitive cryptographic operations seen
before:
• substitution (S-box)-Each plaintext element or group of elements is uniquely
replaced by corresponding ciphertext element or group of elements
• permutation (P-box)- A sequence of plaintext elements is replaced by a permutation
of that sequence. No elements are added, deleted or replaced in the
sequence,rather than order in which the elements appear in the sequence is
changed.
• Fiestel application has a product cipher that alternates confusion &
diffusion functions.
Confusion and Diffusion
• Cipher needs to completely obscure statistical properties of original
message
• A one-time pad does this more practically Shannon suggested combining S
& P elements to obtain
• Diffusion – Involves spreading the influence of individual P.T bits or parts
throughout the entirely at the C.T. This is usually achieved by permutation
or transposition that disperse the influence of a single input bit across
multiple output bits. dissipates statistical structure of plaintext over bulk of
ciphertext.
• Confusion – makes relationship between the statistics of the ciphertext
and the value of encryption key as complex as possible.I includes
substitution r mixing that obscure the statistical relationship between P.T
and C.T
Feistel Cipher Structure
• Horst Feistel devised the feistel cipher
• based on concept of invertible product cipher
• Partitions input block into two halves
• process through multiple rounds which
• perform a substitution on left data half
• based on round function of right half & subkey
• then have permutation swapping halves
• Implements Shannon’s S-P net concept
 Feistel Cipher Design Elements

• Block size
• Key size
• Number of rounds
• Subkey generation algorithm
• Round function
• Fast software en/decryption
• Ease of analysis
 Plaintext(2w bits)

Round 1 L0 w bits w bits R0 Feistel Cipher Structure

K1

⊕ F
L1 R1
. .
. .
w bits w bits .
Round i .

Ki

⊕ F
Li Ri
. .
. .
. w bits w bits .
Round n
Ki

⊕ F
Ln Rn

Ln+1 Rn+1

Cipherntext(2w bits)
Feistel Cipher Decryption
1st round of the decryption is equal to
32 bit swap of input to the sixteenth
round of encryption process

LE16=RE15
RE16=LE15 X F(RE15,K16)---Encryption

Decryption
LD1=RD0=LE16=RE15
RD1=LD0 X F(RD0,K16)
=RE16 X F(RE15,K16)
=[LE15 X F(RE15,K16 ) F(RE15,K16)

REi-1 =LEi
LEi-1=Rei F( REi-1,Ki)=REi F(LEi,Ki)
Data Encryption Standard (DES) Algorithm
Data Encryption Standard (DES)
• Most widely used block cipher in world -IBM developed Lucifer cipher
• Adopted in 1977 by NBS (now NIST)
• as FIPS PUB 46
• Has widespread use and had considerable controversy over its security
• Although DES standard is public
• Subsequent events and public analysis show in fact design was appropriate
• Use of DES has flourished
• especially in financial applications
• still standardised for legacy application use
DES Algorithm
Steps
• Initial Permutation-64 bit plaintext passes through IP that rearranges the
bits to produce the Permuted Input.
• Followed by 16 Fiestel rounds of same function(Substitution and
Permutation)
• The output of last (16) round consists of 64bits that are function of input
plaintext and the key.
• Swapping- Left and right halves are− swapped to produce the preoutput .It is
passed to through permutation(IP 1) to produce 64bit ciphertext.
• Final Permutation/Inverse initial permutation
• 56 bit key is used initially while it is passing through permutation function
for each 16 rounds, a sub key is produced by the combination of left
circular shift and a permutation.
DES Algorithm
64-bit plaintext 64-bit key
……….. ………..

Initial permutation Permuted choice 1

64 56

K1 48 56
Round 1 Permuted choice 2 Left circular shift
64 56

K2 48 56
Round 2 Permuted choice 2 Left circular shift

48 56
Round 16 Permuted choice 2 Left circular shift

32-bit swap

Inverse Initial
permutation
………..
64-bit ciphertext
 Initial Permutation IP
First step of the data computation
IP reorders the input data bits
Even bits to LH half, odd bits to RH half
Quite regular in structure (easy in h/w)
example:

IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

 Initial Permutation

M1 M2 M3 M4 M5 M6 M7 M8 M58 M50 M42 M34 M26 M18 M10 M2

M9 M10 M11 M12 M13 M14 M15 M16 M52 M44 M36 M28 M20 M12 M4
M60
M17 M18 M19 M20 M21 M22 M23 M24 M30 M22 M14 M6
M62 M54 M46 M38
M25 M26 M27 M28 M29 M30 M31 M32 M56 M48 M40 M32 M24 M16 M8
M64
M33 M34 M35 M36 M37 M38 M39 M40 M57 M49 M41 M33 M25 M17 M9 M1
M41 M42 M43 M44 M45 M46 M47 M48 M59 M51 M43 M35 M27 M19 M11 M3
M49 M50 M51 M52 M53 M54 M55 M56 M61 M53 M45 M37 M29 M21 M13 M5
M57 M58 M59 M60 M61 M62 M63 M64 M63 M55 M47 M39 M31 M23 M15 M7

This table specifies the input permutation on a 64-bit block. The meaning is as follows: the first bit of the
output is taken from the 58th bit of the input; the second bit from the 50th bit, and so on, with the last bit
of the output taken from the 7th bit of the input.
Inverse Initial Permutation

M40 M8 M48 M16 M56 M24 M64 M32

M39 M7 M47 M15 M55 M23 M63 M31

M38 M6 M46 M14 M54 M22 M62 M30

M37 M5 M45 M13 M53 M21 M61 M29

M36 M4 M44 M12 M52 M20 M60 M28

M35 M3 M43 M11 M51 M19 M59 M27

M34 M2 M42 M10 M50 M18 M58 M26

M33 M1 M41 M9 M49 M17 M57 M25

DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1  F(Ri–1, Ki)
• F takes 32-bit R half and 48-bit subkey:
• expands R to 48-bits using perm E
• adds to subkey using XOR
• passes through 8 S-boxes to get 32-bit result
• finally permutes using 32-bit perm P
Single
round
of DES
E-Table
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25 Expansion Permutation
24 25 26 27 28 29
28 29 30 31 32 1
 Permutation Choice 1 (PC1)

57 49 41 33 25 17 9
1 58 50 42 34 26 18
The "Left" and "Right" halves of the table show which bits
10 2 59 51 43 35 27
from the input key form the left and right sections of the key
19 11 3 60 52 44 36 schedule state. Note that only 56 bits of the 64 bits of the
63 55 47 39 31 23 15 input are selected; the remaining eight (8, 16, 24, 32, 40, 48,
56, 64) were specified for use as parity bits
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4

Permutation Choice 2 (PC2)

14 17 11 24 1 5 3 28
This permutation selects the 48-bit subkey for each round
15 6 21 10 23 19 12 4
from the 56-bit key-schedule state. This permutation will
ignore 8 bits below: 26 8 16 7 27 20 13 2
Permuted Choice 2 "PC-2" ignored bits 9, 18, 22, 25, 35, 41 52 31 37 47 55 30 40
38, 43,
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32
 Permutation Table (P)

Schedule of Left Shifts

S-Boxes
Substitution Boxes S
Have eight S-boxes which map 6 to 4 bits
Each S-box is actually 4 little 4 bit boxes
outer bits 1 & 6 (row bits) select one row of 4
inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits
Row selection depends on both data & key
feature known as autoclaving (autokeying)
example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
S-Box lookup
DES Key Schedule
Forms subkeys used in each round
• Initial permutation of the key (PC1) which selects 56-bits in two
28-bit halves
• 16 stages consisting of:
• rotating each half separately either 1 or 2 places depending on
the key rotation schedule K
• selecting 24-bits from each half & permuting them by PC2 for
use in round function F
Key
Expansion
Avalanche Effect
• Key desirable property of encryption alg
• Where a change of one input or key bit results in changing approx
half output bits
• Making attempts to “home-in” by guessing keys impossible
• DES exhibits strong avalanche
Avalanche Effect
• A desirable property of any encryption algorithm is that a small
change in either the plaintext or the key should produce a significant
change in the ciphertext.
• A change in one bit of the plaintext or one bit of the key should
produce a change in many bits of the ciphertext.
• If the change were small, this might provide a way to reduce the size
of the plaintext or key space to be searched.
• DES exhibits a strong avalanche effect.
Avalanche in DES
DES Decryption
• Decrypt must unwind steps of data computation
• With Feistel design, do encryption steps again using subkeys in
reverse order (SK16 … SK1)
• IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value
DES Example
Strength of DES – Analytic Attacks
Now have several analytic attacks on DES
These utilise some deep structure of the cipher
by gathering information about encryptions
can eventually recover some/all of the sub-key bits
if necessary then exhaustively search for the rest
Generally these are statistical attacks
differential cryptanalysis
linear cryptanalysis
related key attacks
Strength of DES – Timing Attacks
Attacks actual implementation of cipher
Use knowledge of consequences of implementation to derive
information about some/all subkey bits
Specifically use fact that calculations can take varying times
depending on the value of the inputs to it
Particularly problematic on smartcards
Differential Cryptanalysis
• One of the most significant recent (public) advances in cryptanalysis
• Known by NSA in 70’s of DES design
• Murphy, Biham & Shamir published in 90’s powerful method to
analyse block ciphers
• Used to analyse most current block ciphers with varying degrees of
success
• DES reasonably resistant to Differential Cryptanalysis
Differential Cryptanalysis
A statistical attack against Feistel ciphers
Uses cipher structure not previously used
Design of S-P networks has output of function f influenced by both
input & key
Hence cannot trace values back through cipher without knowing
value of the key
Differential cryptanalysis compares two related pairs of encryptions
Differential Cryptanalysis Compares Pairs of
Encryptions
With a known difference in the input
Searching for a known difference in output
When same subkeys are used
Differential Cryptanalysis
Have some input difference giving some output difference with
probability p
It finds instances of some higher probability input / output difference
pairs occurring
It can infer to subkey that was used in round
Then it iterates process over many rounds (with decreasing
probabilities)
Differential Cryptanalysis
Differential Cryptanalysis
Performs attack by repeatedly encrypting plaintext pairs with known input X until
desired output is obtained
when found
 if intermediate rounds match required X have a right pair
 if not then have a wrong pair, relative ratio is S/N for attack
Can then deduce keys values for the rounds
 right pairs suggest same key bits
 wrong pairs give random values
For large numbers of rounds, probability is so low that more pairs are required
than exist with 64-bit inputs
Biham and Shamir have shown how a 13-round iterated characteristic can break
the full 16-round DES
Linear Cryptanalysis
Another development which is also a statistical method
Must be iterated over rounds, with decreasing probabilities
Developed by Matsui et al in early 90's
Based on finding linear approximations
Can attack DES with 243 known plaintexts, easier but still in practise
infeasible
Linear Cryptanalysis
• Find linear approximations with prob p != ½
P[i1,i2,...,ia]  C[j1,j2,...,jb] = K[k1,k2,...,kc]
where ia,jb,kc are bit locations in P,C,K
• Gives linear equation for key bits
• Get one key bit using max likelihood alg
• Using a large number of trial encryptions
• Effectiveness given by: |p–1/2|
Block Cipher Design
• Basic principles still like Feistel’s in 1970’s
• Number of rounds
• more is better, exhaustive search best attack
• Function f:
• provides “confusion”, is nonlinear, avalanche
• have issues of how S-boxes are selected
• Key schedule
• complex subkey creation, key avalanche
Triple DES
• Vulnerability of DES is a brute-force attack.
• Use multiple encryption with DES and multiple keys.
Double DES
• The simplest form of multiple encryption has two encryption stages and two keys.
• Plaintext P and Keys K1 and K2
• Cipher text C=E(K2,E(K1,P))
• Decryption P=D(K2,D(K1,C))
• Double DES use 112bit key
• Meet-in-the-Middle attack
Double DES

K1 K2

P X C C=E(K2,E(K1,P))
E E

Encryption

K2 K1

C X P P=D(K1,D(K2,C))
D D

Decryption
Triple DES
• Counter to Meet-in-the-middle attack is to use three stage of encryption with
three different keys.
• Key length 168bit, it overcomes the Vulnerability to brute-force attack of DES.
• Triple DES with two keys
C=E(K1,D(K2,E(K1,P)))
• It has three times as many rounds as DES, is correspondingly slower.
Triple DES

K1 K2 K3

P E A
D B
E C
C=E(K3,D(K2,E(K1,P)))
Encryption

K1 K2 K3

C B A P
D E D
P=D(K3,E(K2,D(K1,C)))
Decryption
 Meet-in-the-Middle attack
• The meet-in-the-middle attack is a type of cryptanalytic attack commonly used
against encryption algorithms that use symmetric keys. Furthermore, the attack
takes advantage of the fact that the encryption and decryption processes are
inverse operations of each other. Therefore, an attacker follows a brute-force
approach to find the secret key we use in the encryption process.
• The attack works by dividing the key space into two parts. First, it encrypts the
plaintext using all possible keys from one-half of the key space. Additionally, an
attacker decrypts the resulting ciphertext using all possible keys from the other
half of the key space. Finally, the attacker checks for a match between
intermediate values obtained from the encryption and decryption steps.
• If a match is found, the key used in the encryption and decryption is in the middle
of the key space. By repeating the process with smaller key spaces on either side
of the matched key, the attacker can eventually find the secret key used in the
encryption. The meet-in-the-middle attack is particularly effective against
encryption algorithms with a relatively small key space and vulnerable
to exhaustive key search.
Ref: https://www.baeldung.com/cs/security-meet-in-the-middle-attack
Modes of Operation
• Block ciphers encrypt fixed size blocks
• Eg. DES encrypts 64-bit blocks, with 56-bit key
• Need way to use in practise, given usually have arbitrary amount of
information to encrypt
• Four were defined for DES in ANSI standard ANSI X3.106-1983 Modes
of Use
• DES is the basic building block
• Have block and stream modes
 Modes of operation

8.61
Electronic Codebook Book (ECB)
• Message is broken into independent blocks which are
encrypted
• Each block is a value which is substituted, like a
codebook, hence name
• Each block is encoded independently of the other
blocks
• Uses: secure transmission of single values

8.62
 Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic codebook
(ECB) mode.

Electronic codebook (ECB) mode

8.63
 Advantages and Limitations of ECB
• Message repetitions may show in ciphertext
• if aligned with message block
• particularly with data such graphics
• or with messages that change very little, which become a code-
book analysis problem
• Weakness is due to the encrypted message blocks being
independent
• Main use is sending a few blocks of data

8.64
Cipher Block Chaining (CBC)
• Message is broken into blocks
• Linked together in encryption operation
• Each previous cipher blocks is chained with current
plaintext block, hence name
• Use Initial Vector (IV) to start process
• Uses: bulk data encryption, authentication

8.65
 Cipher Block Chaining (CBC) Mode
In CBC mode, each plaintext block is exclusive-ored with the
previous cipher text block before being encrypted.

Cipher block chaining (CBC) mode

8.66
Cipher block chaining (CBC) mode

8.67
Message Padding
• At end of message must handle a possible last short
block
• which is not as large as block size of cipher
• pad either with known non-data value (e.g. nulls)
• or pad last block along with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5]
• means have 3 data bytes, then 5 bytes pad+count
• this may require an extra entire block over those in message
• There are other, more esoteric modes, which avoid the
need for an extra block

8.68
Advantages and Limitations of CBC
• A cipher text block depends on all blocks before it
• Any change to a block affects all following cipher text
blocks
• Need Initialization Vector (IV)
• which must be known to sender & receiver
• if sent in clear, attacker can change bits of first block, and change
IV to compensate
• hence IV must either be a fixed value (as in EFTPOS)
• or must be sent encrypted in ECB mode before rest of message

8.69
Cipher Feedback (CFB)
• Message is treated as a stream of bits
• Added to the output of the block cipher
• Result is feed back for next stage (hence name)
• Standard allows any number of bit (1,8 or 64 or whatever) to be feed
back
• denoted CFB-1, CFB-8, CFB-64 etc
• Is most efficient to use all 64 bits (CFB-64)
C1 = P1 ⊕ MSBSE[(K,IV)]
P1 = C1 ⊕ MSBSE[(K,IV)]
• Uses: stream data encryption, authentication
Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure ciphers, but the plaintext or cipher text block sizes are to be smaller.
Encryption in cipher feedback (CFB) mode

8.71
Advantages and Limitations of CFB
• Appropriate when data arrives in bits/bytes
• Most common stream mode
• Note that the block cipher is used in encryption mode at both ends
• Errors propagate for several blocks after the error
• Must use over a reliable network channel
Output Feedback (OFB)
• Message is treated as a stream of bits
• Output of cipher is added to message
• Output is then feed back (hence name)
• Feedback is independent of message
• Can be computed in advance
Cj = Pj ⊕ E(K,Oj-1)
Oj-1 = E(k,Oj-1)
Cj = Pj ⊕ E(K,[Cj-1 ⊕ Pj-1])
Pj = Cj ⊕ E(K,[Cj-1 ⊕ Pj-1])
Uses: stream encryption on noisy channels

8.73
 Output Feedback (OFB) Mode
In this mode each bit in the cipher text is independent of the previous
bit or bits. This avoids error propagation.

8.74
 Advantages and Limitations of OFB
• Bit errors do not propagate
• More vulnerable to message stream modification
• A variation of a Vernam cipher
• hence must never reuse the same sequence (key+IV)
• Sender & receiver must remain in sync
• Originally specified with m-bit feedback
• Subsequent research has shown that only full block
feedback (ie CFB-64 or CFB-128) should ever be used

8.75
 Counter (CTR)
• A “new” mode, though proposed early on
• Similar to OFB but encrypts counter value rather than
any feedback value
• Must have a different key & counter value for every
plaintext block (never reused)
Cj = Pj ⊕ E(K,Tj)
Pj = Cj ⊕ E(K,Tj)
• Uses: high-speed network encryptions

8.76
 Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback. The pseudo
randomness in the key stream is achieved using a counter.
Encryption in counter (CTR) mode

8.77
 Advantages and Limitations of CTR
• Efficiency
• can do parallel encryptions in hardware or software
• can preprocess in advance of need
• good for burst high speed links
• Random access to encrypted data blocks
• Provable security (good as other modes)
• But must ensure never reuse key/counter values,
otherwise could break (cf OFB)

8.78
 Comparison of Different Modes

n-bit

8.79
Advanced Encryption Standard (AES)
 AES Origins

• Clear a replacement for DES was needed

• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
• It can use Triple-DES – but slow, has small
blocks
• US NIST issued call for ciphers in 1997
• Proposed by Rijndael so it called as Rijndael
AES
• Symmetric algorithm and it works on block
cipher technique
 AES Structure
• The cipher takes a plaintext block size of 128bits or 64
bytes
• The key length can be 16,24,32 bytes(128,192,256 bits)-
the algorithm referred to as AES-128,AES-192,AES-256
• The input to encryption is a single 128 bit block it is
depicted by 4X4 matrix of bytes.
• This block is copied into state array which is modified at
each stage of encryption or decryption.
• Final stage , state is copied to an output matrix.
AES Structure
• Key is also depicted a square matrix of bytes and then
expanded into an array of key schedule words
• Key is of 128 bits –each word is of 4 bytes and total key
schedule is of 44 words.
• The ordering of bytes within matrix is by column-1st four
bytes of 128 bit plaintext occupy in the first column and 2nd
four bytes occupy 2nd column..and so on.
• The first four bytes of key expansion form a word as w
matrix
• The cipher rounds of N depends on the key length(10 for
16byte,12 for 24byte and 14 for 32byte)
AES Structure
• The first N-1 rounds consists of four distinct transformations
functions
• SubBytes-Uses S-Box to perform byte by byte substitution
of the block.
• ShiftRows-A simple permutation
• MixColumns-A substitution that makes use of arithmetic
over GF(2 power 8)
• AddRoundKey-A simple bitwise XOR of the current block
with a portion of the expanded key.
• Final round contains only 3 transformations(excludes mix
columns)
AES Structure
• Each transformation takes 4X4 matrices as input and
produces 4X4 matrices as output.
• The output of each round is 4X4 matrix , with a final round
is being cipher text
• Key expansion function generates N+1 round keys, each of
which is a distinct 4X4 matrix.
• Each round key serves as one of the input to the
AddRoundKey transformation in each round
 Plain text-16 bytes(128 bits) Key- M bytes

Number of Key length

Input state Round 0 key
Key Rounds (bytes)
(16 bytes) (M bytes)
(16 bytes)
10 16
Initial Transformation Key
expansion 12 24
State after
Initial transformation Round 1 key
14 32
(16 bytes) (16 bytes)

Round1 (4 transformations)

Round 1
Output state
(16 bytes) Round N-1 key
.
. (16 bytes)
.

Round1 (4 transformations)
Round N-1
Output state Round N key
(16 bytes) (16 bytes)

Round N(3 transformations)

Final state
(16 bytes) AES Encryption process
Cipher text-16 bytes(128 bits)
AES Structure
 Substitute Bytes
• A simple substitution of each byte uses one table of 16x16
bytes containing a permutation of all 256 8-bit values.
• Each byte of state is replaced by byte indexed by row (left 4-
bits) & column (right 4-bits)
• eg. byte {95} is replaced by byte in row 9 column 5
• which has value {2A}
• S-box constructed using defined transformation of values in
GF(28)
• Designed to be resistant to all known attacks.
Substitute Bytes
Substitute Bytes
Example
 Shift Rows
 A circular byte shift in each
• 1st row is unchanged
 2nd row does 1 byte circular shift to left
 3rd row does 2 byte circular shift to left
 4th row does 3 byte circular shift to left
 Decrypt inverts using shifts to right
 Since state is processed by columns, this step
permutes bytes between the columns
Shift Rows
 Mix Columns
 Each column is processed separately
 Each byte is replaced by a value dependent on all 4
bytes in the column
 Effectively a matrix multiplication in GF(28) using
prime poly m(x) =x8+x4+x3+x+1
 Mix Columns
 Can express each col as 4 equations
 to derive each new byte in col
 Decryption requires use of inverse matrix
 with larger coefficients, hence a little harder
 Have an alternate characterization
 each column a 4-term polynomial
 with coefficients in GF(28)
 and polynomials multiplied modulo (x4+1)
 coefficients based on linear code with maximal distance between
codewords
 AES Arithmetic
 Uses arithmetic in the finite field GF(28)
 With irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
which is (100011011) or {11b}
 e.g.
{02} • {87} mod {11b} = (1 0000 1110) mod {11b}
= (1 0000 1110) xor (1 0001 1011) = (0001 0101)
Mix Columns
Mix Columns Example

{02.87} –1000 0111 perform 1

bit left shift
Results –0000 1110
{03}.{6E} – {6E} XOR {02}.{6E}
{01}.46- results same-
unchanged
{01}.{A6}-unchanged
Mix Columns Example
 Add Round Key
 XOR state with 128-bits of the round key
 again processed by column (though effectively a series
of byte operations)
 Inverse for decryption identical
 since XOR own inverse, with reversed keys
 Designed to be as simple as possible
 a form of Vernam cipher on expanded key
 requires other stages for complexity / security
 Add Round Key
Forward add round key transformation called AddRound Key, the 128 bits of State are bitwise
XORed with the 128 bits of the round key. The operation is viewed as a columnwise operation between
the 4 bytes of a State column and one word of the round key, it can also be viewed as a byte-level
operation.
Single AES
Round
 AES Key Expansion
 Takes 128-bit (16-byte) key and expands into array of
44/52/60 32-bit words
 The key is copied into first word of the expanded key.
The remainder of expanded key is filled in four words
at a time.
 Each added word depends on the immediately
preceeding word, w[i-1] and the word four positions
back w[i-4].
 Three out of four cases a simple XOR operation is
performed.
AES Key Expansion
 AES Key Expansion
 Rot word performs a one byte circular shift on a word.
 Input word [B0,B1,B2,B3] is transformed into [B1,B2.B3,B0]
 SubWord performs a byte substitution on each byte of its
input word using S-Box
 The result of steps 1&2 is XORed with Round constant
Rcon[j]
 RC is word in which 3RMByte always 0’s so Rcons is only
perform XOR operation on LMByte of word.
 RC is defined in different rounds as Rcon[j]=(RC[j],0,0,0)
with RC[1]=1….RC[j-1] with multiplication defined by
8
 Key Expansion Rationale
 Designed to resist known attacks
 Design criteria includes
 knowing part key insufficient to find many more
 invertible transformation
 fast on wide range of CPU’s
 use round constants to break symmetry
 diffuse key bits into round keys
 enough non-linearity to hinder analysis
 simplicity of description
 AES Decryption
 AES decryption is not identical to encryption since
steps done in reverse
 But can define an equivalent inverse cipher with steps
as for encryption
 but using inverses of each step
 with a different key schedule
 works since result is unchanged when
 swap byte substitution & shift rows
 swap mix columns & add (tweaked) round key
AES Decryption
Stream Cipher Structure
Stream Cipher Properties
• Some design considerations are:
• long period with no repetitions
• statistically random
• depends on large enough key
• large linear complexity
• Properly designed, can be as secure as a block cipher with same size
key
• But usually simpler & faster
RC4
• A proprietary cipher owned by RSA DSI
• Another Ron Rivest design, simple but effective
• Variable key size, byte-oriented stream cipher
• Widely used (web SSL/TLS, wireless WEP)
• Key forms random permutation of all 8-bit values
• Uses that permutation to scramble input info processed a byte at a
time
RC4 Key Schedule
• Starts with an array S of numbers: 0..255
• Use key to well and truly shuffle
• S forms internal state of the cipher

for i = 0 to 255 do
S[i] = i
T[i] = K[i mod keylen])
j = 0
for i = 0 to 255 do
j = (j + S[i] + T[i]) (mod 256)
swap (S[i], S[j])
RC4 Encryption
• Encryption continues shuffling array values
• Sum of shuffled pair selects "stream key" value from permutation
• XOR S[t] with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
RC4 Overview
RC4 Security
• Claimed secure against known attacks
• have some analyses, none practical
• Result is very non-linear
• Since RC4 is a stream cipher, must never reuse a key
• Have a concern with WEP, but due to key handling rather than RC4
itself