
Chap. 6: Contemporary Symmetric Ciphers
Jen-Chang Liu, 2004
Adapted from lecture slides by Lawrie Brown

"I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and sixty separate ciphers," said Holmes.
The Adventure of the Dancing Men, Sir Arthur Conan Doyle

Outline

Characteristics of advanced symmetric block cipher
Triple DES
Blowfish
RC5
RC4 stream cipher

Feistel cipher

Key
Key length
subkey generation
block
block length
two halves of block
no. of rounds
encryption algorithm
S-box
XOR

Key features not found in DES

Variable length key: Blowfish, RC5
Complex subkey generation process: Blowfish
Variable plain/ciphertext block length: RC5
Operate on both halves each round: Blowfish, RC5
Variable no. of rounds: RC5
Key-dependent S-box: Blowfish
Data/key-dependent rotation: RC5
Mixed operation: more than one arithmetic and Boolean operations


Triple DES

clear a replacement for DES was needed
    theoretical attacks that can break it
    demonstrated exhaustive key search attacks
AES is a new cipher alternative
prior to this alternative was to use multiple encryption with DES implementations

Double-DES ?

why not DoubleDES?
56x2=112 bits key
$E_{K_2}[E_{K_1}[P]] = E_{K_3}[P]$
Q1: Is that possible for some K3 ?

Space of mapping

1. The whole space of mapping: 64-bit plaintext -> mapping -> 64-bit ciphertext
   $(2^{64})! > 10^{347380000000000000000}$
2. Space of mapping defined by DES: 56-key => $2^{56}$ mapping
   $2^{56} < 10^{17}$

[Figure: regions labelled $(2^{64})!$ and $2^{56}$]

Double-DES is likely to produce a new mapping !

Q2: meet-in-the-middle attack

DES: O($2^{56}$) to attack
2DES: O($2^{112}$) to attack?
1. Given a (P,C)
2. Encrypt P with $2^{56}$ keys K1
3. Decrypt C with $2^{56}$ keys K2

[Figure: a table of K1 values with the resulting X and a table of K2 values with the resulting X; an X value that appears in both tables is marked "Match!"]
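An added worked example (not from the original slides) of the three meet-in-the-middle steps above, scaled down to a toy Feistel cipher with 16-bit keys so both tables fit in memory. The cipher, key values and function names are constructed for the illustration; the point is that doubling the encryption costs about 2 x 2^k cipher calls to search, not 2^(2k).

```python
# Toy 32-bit Feistel cipher with a 16-bit key (constructed for this example;
# it stands in for DES so the search finishes in seconds).
MASK16 = 0xFFFF

def _f(half, rk):
    x = ((half ^ rk) * 0x9E37) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16

def _round_keys(key):
    return [(key + i * 0x3C6F) & MASK16 for i in range(4)]

def encrypt(block, key):
    l, r = block >> 16, block & MASK16
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (l << 16) | r

def decrypt(block, key):
    l, r = block >> 16, block & MASK16
    for rk in reversed(_round_keys(key)):
        l, r = r ^ _f(l, rk), l
    return (l << 16) | r

def double_encrypt(p, k1, k2):
    return encrypt(encrypt(p, k1), k2)

def meet_in_the_middle(pairs, key_bits=16):
    """Return (k1, k2) candidates consistent with every known (P, C) pair."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << key_bits):              # step 2: X = E_K1[P]
        table.setdefault(encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << key_bits):              # step 3: X = D_K2[C]
        for k1 in table.get(decrypt(c0, k2), ()):        # "Match!"
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))           # extra pairs weed out false matches
    return found

if __name__ == "__main__":
    k1, k2 = 0x1A2B, 0xC3D4                      # constructed secret keys
    pairs = [(p, double_encrypt(p, k1, k2))
             for p in (0x01234567, 0x89ABCDEF, 0x0BADF00D)]
    print("work: 2 * 2^16 cipher calls instead of 2^32 key pairs")
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```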

Triple-DES

3 DES encryption with 3 keys (56x3=168 bits)
Avoid meet-in-the-middle attack with O($2^{56}$) complexity
E-D-E application of DES: PGP, S/MIME
Backward compatible with DES: K3=K2 or K1=K2

Standardized 3DES

3DES standardized in ANSI X9.17 & ISO 8732
    2 56-bit keys
    Compatible with DES

Attack on 3DES

Idea: if A and C are known, then it becomes an attack on double DES
1. Given n known (P,C) pairs
2. Select an arbitrary a for A
3. Search $2^{56}$ keys for K1
4. Search $2^{56}$ keys for K2

[Figure: worked tables for the attack, with labels a, K1 and K2]

Complexity of attack on 3DES

Brute-force key search: $2^{112}$
Known plaintext-ciphertext attack on previous slide: $2^{120}$ / n
No practical attack is known for now


Blowfish

a symmetric block cipher designed by Bruce Schneier in 1993/94
Characteristics
    64-bit block cipher
    Variable length key (32 bits to 448 bits)
    Complex subkey generation
    Key-dependent S-boxes
    Simple operations, fast implementation
        Modulo $2^{32}$ addition
        Bitwise XOR

Blowfish

[Figure: Blowfish encryption structure, 18 subkeys Pi]

Blowfish single round

[Figure: single round; 256-entry S-box, 32-bit output/entry; modulo $2^{32}$ addition]

Subkey and S-box generation

uses a 32 to 448 bit key
    1 word = 32 bits, 1 to 14 words
    K1, K2, K3, K4, ..., Kj    1 <= j <= 14
to generate
    18 32-bit subkeys stored in P-array
        P1, P2, P3, P4, ..., P18
    four 256 entry S-boxes, 1 word in each entry (totally 1024 words)
        S1,0, S1,1, S1,2, S1,3, ..., S1,255
        S2,0, S2,1, S2,2, S2,3, ..., S2,255
        S3,0, S3,1, S3,2, S3,3, ..., S3,255
        S4,0, S4,1, S4,2, S4,3, ..., S4,255

Subkey and S-box generation

1. initialize P-array and then 4 S-boxes using
   P1 = 243F6A88, P2 = 85A308D3, ..., S4,255 = 3AC372E6
2. XOR P-array with K-array (reuse as needed)
   P1, P2, P3, P4, ..., P14, P15, P16, P17, P18
   ⊕
   K1, K2, K3, K4, ..., K14, K1, K2, K3, K4
   (Suppose input key is 14 words)

Subkey and S-box generation

3. loop repeatedly encrypting data using current P & S and replace successive pairs of P then S values
   ($E_{P,S}$: Blowfish encryption using the current P and S)
   P1, P2 = $E_{P,S}$[0]
   P3, P4 = $E_{P,S}$[P1 || P2]
   ...
   S1,0, S1,1 = $E_{P,S}$[P17 || P18]
   ...
   S4,254, S4,255 = $E_{P,S}$[S4,252 || S4,253]

Totally 521 executions of Blowfish encryption
=> not suitable for frequent key changes

Blowfish Encryption

+ and ⊕ do not commute

Discussion

key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult
changing both halves in each round increases security (c.f. Feistel cipher)
brute-force key search is not practical (maximally 448 bits)

Discussion (cont.)

fast


RC5

designed by Ronald Rivest (of RSA fame)
used in RSA Data Security, Inc.'s products
can vary key size / data size / no rounds
very clean and simple design
easy implementation on various CPUs
yet still regarded as secure

RC5 Ciphers

RC5 is a family of ciphers RC5-w/r/b
    w = word size in bits (16/32/64), block data=2w
    r = number of rounds (0..255)
    b = number of bytes in key (0..255)
nominal version is RC5-32/12/16
    i.e. 32-bit words so encrypts 64-bit data blocks
    using 12 rounds
    with 16 bytes (128-bit) secret key

[Figure label: subkey]

Simple operations:
1. Addition: modulo $2^w$
2. Bitwise XOR
3. Circular shift (rotation): x <<< y, x is left rotate y bits
   (nonlinear and data dependent !!!)

A Substitution-permutation round
1. Substitution depends on both words
2. Permutation depends on both words
3. Substitution depends on key

RC5 Key Expansion

RC5 uses t=2r+2 subkey words (w-bits)

RC5 subkey initialization

e = 2.718281828459..., Pw = Odd[(e-2)$2^w$] = B7E1 (16 bits), B7E15163 (32 bits)
φ = 1.618033988749..., Qw = Odd[(φ-1)$2^w$] = 9E37 (16 bits), 9E3779B9 (32 bits)

/* initialize subkey array */
S[0] = Pw
for i=1 to t-1 do
    S[i] = S[i-1] + Qw

RC5 Decryption

[Figure: RC5 decryption]

RC5 Modes

RFC 2040 defines 4 modes used by RC5
    RC5 Block Cipher, is ECB mode
    RC5-CBC, is CBC (cipher block chaining) mode
    RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytes
    RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original
(Plaintext message may not be a multiple of the block size)

RC5 ciphertext stealing mode

[Figure: ciphertext stealing; labels "Ciphertext chaining" and "Not transmitted"]

Summary: Block Cipher Characteristics

features seen in modern block ciphers are:
    variable key length / block size / no rounds
    mixed operators, data/key dependent rotation
    key dependent S-boxes
    more complex key scheduling
    operation of full data in each round
    varying non-linear functions


Stream cipher diagram

Recall: One-time pad in Chap. 2

Stream Cipher Properties

some design considerations are:
A pseudorandom number generator produces a deterministic stream that eventually repeats
    The period should be long
Keystream should approximate a true random stream
    Ex. Approximately equal number of 1s and 0s
The key needs to be sufficiently long
    Ex. 128 bits or longer key to avoid brute-force attack

Advantage of stream cipher

Faster than block ciphers

Disadvantage of stream cipher

never reuse stream key
Ciphertext 1 = plaintext 1 ⊕ keystream
Ciphertext 2 = plaintext 2 ⊕ keystream
Ciphertext 1 ⊕ Ciphertext 2
= (plaintext 1 ⊕ keystream) ⊕ (plaintext 2 ⊕ keystream)
= plaintext 1 ⊕ plaintext 2
If plaintexts are text strings, credit card no., or other streams with known properties, then cryptanalysis may be successful

RC4

Designed by Ron Rivest in 1987, owned by RSA DSI
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, wireless WEP)
    SSL: secure sockets layer
    TLS: transport layer security
    WEP: wired equivalent privacy
Main steps:
    key forms random permutation of all 8-bit values (state vector S[0],S[1],...,S[255])
    uses that permutation to scramble input info processed a byte at a time

RC4 Key Schedule

starts with an array S of numbers: 0..255
S forms internal state of the cipher
given a key K of length keylen bytes (1 to 256 bytes)

RC4 key scheduling and stream generation

[Figure: key scheduling (j=0, for i=0 to 255), then stream generation (i=0, j=0; While(1){ i=i+1 mod 256, ... }) producing k; Plaintext ⊕ k = ciphertext]

RC4 Encryption

encryption continues shuffling array values
sum of shuffled pair selects "stream key" value
XOR with next byte of message to en/decrypt

i = j = 0
for each message byte Mi
    i = (i + 1) (mod 256)
    j = (j + S[i]) (mod 256)
    swap(S[i], S[j])
    t = (S[i] + S[j]) (mod 256)
    Ci = Mi XOR S[t]
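An added example (not from the original slides) that implements the RC4 key schedule and the stream generation loop above, then reproduces the "never reuse stream key" identity from the stream cipher disadvantage slide on two constructed messages. The key-schedule loop is the standard published RC4 one; the messages, keys and function names are assumptions made for the illustration.

```python
def rc4_keystream(key, n):
    """Key schedule, then n bytes of the stream generation loop on the slide."""
    S = list(range(256))                       # S starts as 0..255
    j = 0
    for i in range(256):                       # key K permutes S (1..256 key bytes)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])     # keystream byte S[t]
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key, data):
    """Encrypts or decrypts: C = M xor keystream."""
    return xor(data, rc4_keystream(key, len(data)))

def reuse_leak(c1, c2):
    """Under one key the keystream cancels: c1 xor c2 == p1 xor p2."""
    return xor(c1, c2)

def recover(c1, c2, known_p1):
    """Known p1 plus two ciphertexts under a reused key gives p2, no key needed."""
    return xor(reuse_leak(c1, c2), known_p1)

def keystream_reused(c1, c2, p1, p2):
    """Audit check on test data: True when both messages shared a keystream."""
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    p1, p2 = b"PAY 100 TO ALICE", b"PAY 999 TO CAROL"      # constructed messages
    c1, c2 = rc4(b"shared-key", p1), rc4(b"shared-key", p2)
    print(recover(c1, c2, p1))                 # second plaintext falls out
    # distinct per-message keys: the keystreams no longer cancel
    print(keystream_reused(rc4(b"key-A", p1), rc4(b"key-B", p2), p1, p2))
```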

RC4 Security

The period of RC4 > $10^{100}$
claimed secure against known attacks
    have some analyses, none practical
result is very non-linear
since RC4 is a stream cipher, must never reuse a key
have a concern with WEP, but due to key handling rather than RC4 itself
