
Cryptography and Network Security

UNIT-2

Syllabus: Block Ciphers & Symmetric Key Cryptography


Traditional Block Cipher Structure, DES, Block Cipher Design Principles, AES-Structure, Transformation
functions, Key Expansion, Blowfish, CAST-128, IDEA, Block Cipher Modes of Operations

TRADITIONAL BLOCK CIPHER STRUCTURE

Block cipher:
• A block cipher is one in which a block of plaintext is treated as a whole and used to produce a
ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.
• A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. There
are 2^n possible different plaintext blocks and, for the encryption to be reversible (i.e., for decryption
to be possible), each must produce a unique ciphertext block.

Stream cipher:
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher.

The Feistel Cipher:

• Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a
product cipher, which is the execution of two or more simple ciphers in sequence in such a way
that the final result or product is cryptographically stronger than any of the component
ciphers.
• The essence of the approach is to develop a block cipher with a key length of k bits and a block
length of n bits, allowing a total of 2^k possible transformations, rather than the (2^n)!
transformations available with the ideal block cipher.
• In particular, Feistel proposed the use of a cipher that alternates substitutions and
permutations, where these terms are defined as follows:
• Substitution: Each plaintext element or group of elements is uniquely replaced by a
corresponding ciphertext element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a permutation of that sequence.
That is, no elements are added, deleted or replaced in the sequence; rather, the order in which the
elements appear in the sequence is changed.

FEISTEL CIPHER STRUCTURE

The figure depicts the structure proposed by Feistel.

• The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
• The plaintext block is divided into two halves, L0 and R0.
• The two halves of the data pass through rounds of processing and then combine to produce the
ciphertext block. Each round i has as inputs L_{i-1} and R_{i-1} derived from the previous round, as well
as a subkey Ki derived from the overall K.
• In a typical Feistel cipher, 16 rounds are used, although any number of rounds could be implemented. All
rounds have the same structure.
• A substitution is performed on the left half of the data. This is done by applying a round function
F to the right half of the data and then taking the exclusive-OR of the output of that function and
the left half of the data.
• The round function has the same general structure for each round but is parameterized by the
round subkey Ki. Another way to express this is to say that F is a function of the right-half block of
w bits and a subkey of y bits, which produces an output value of length w bits: F(RE_i, K_{i+1}).
Following this substitution, a permutation is performed that consists of the interchange of the two
halves of the data.
The exact realization of a Feistel network depends on the choice of the following parameters and design
features:
• Block size: Larger block sizes mean greater security (all other things being equal) but reduced
encryption/decryption speed for a given algorithm. The greater security is achieved by greater
diffusion. Traditionally, a block size of 64 bits has been considered a reasonable tradeoff and was
nearly universal in block cipher design. However, the new AES uses a 128-bit block size.

• Key size: Larger key size means greater security but may decrease encryption/decryption
speed. The greater security is achieved by greater resistance to brute-force attacks and greater
confusion. Key sizes of 64 bits or less are now widely considered to be inadequate, and 128 bits has
become a common size.

• Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate
security but that multiple rounds offer increasing security. A typical size is 16 rounds.

• Subkey generation algorithm: Greater complexity in this algorithm should lead to greater
difficulty of cryptanalysis.

• Round function F: Again, greater complexity generally means greater resistance to cryptanalysis.

There are two other considerations in the design of a Feistel cipher:

Fast software encryption/decryption:

• In many cases, encryption is embedded in applications or utility functions in such a way as to
preclude a hardware implementation. Accordingly, the speed of execution of the algorithm becomes
a concern.

Ease of analysis:
• Although we would like to make our algorithm as difficult as possible to cryptanalyze, there is
great benefit in making the algorithm easy to analyze.
• That is, if the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm
for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength.
• DES, for example, does not have an easily analyzed functionality.

FEISTEL DECRYPTION ALGORITHM

• The process of decryption with a Feistel cipher is essentially the same as the encryption process.
The rule is as follows:
• Use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order. That is, use
Kn in the first round, K_{n-1} in the second round, and so on, until K1 is used in the last round. This
is a nice feature, because it means we need not implement two different algorithms, one for
encryption and one for decryption.
• To see that the same algorithm with a reversed key order produces the correct result, consider the
figure, which shows the encryption process going down the left-hand side and the decryption process
going up the right-hand side for a 16-round algorithm.
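As an added example (not part of the notes), the following toy Feistel network makes the decryption rule concrete: the same routine encrypts and decrypts, differing only in the order of the subkeys. The round function F and the subkey schedule are constructed for illustration and belong to no real cipher; the point is that F is never inverted.

```python
# Added example, not from the notes: a toy Feistel network showing that decryption
# is the same routine as encryption with the subkeys applied in reverse order.
# The round function F and the subkey derivation are CONSTRUCTED for illustration
# and are not those of any real cipher; F is never inverted, which is the point.

MASK32 = 0xFFFFFFFF

def rotl32(x, n):
    """32-bit circular left shift."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32 if n else x

def derive_subkeys(key, rounds):
    """Constructed schedule: one 32-bit subkey K_i per round from the master key K."""
    key &= MASK32
    return [(rotl32(key, 5 * i) ^ (0x9E3779B9 * (i + 1))) & MASK32 for i in range(rounds)]

def F(right, subkey):
    """Constructed round function of the right half and the subkey (w = 32 bits)."""
    x = (right + subkey) & MASK32
    return rotl32(x, 7) ^ rotl32(x, 18) ^ (x >> 3)

def feistel(block, subkeys):
    """Run the rounds on a 64-bit block with the subkeys in the given order."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        # Substitution on the left half (XOR with F of the right half), then the
        # permutation that interchanges the two halves.
        left, right = right, left ^ F(right, k)
    # The swap after the last round is undone, so the same routine inverts itself.
    return (right << 32) | left

def encrypt(block, key, rounds=16):
    return feistel(block, derive_subkeys(key, rounds))

def decrypt(block, key, rounds=16):
    """Same algorithm, subkeys K_n ... K_1 instead of K_1 ... K_n."""
    return feistel(block, derive_subkeys(key, rounds)[::-1])
```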
THE DATA ENCRYPTION STANDARD (DES):

• The most widely used encryption scheme is based on the Data Encryption Standard (DES),
adopted in 1977 by the National Bureau of Standards. Data are encrypted in 64-bit blocks using
a 56-bit key.
• The algorithm transforms a 64-bit input in a series of steps into a 64-bit output. The process can run
in several modes and involves 16 rounds of operations.

DES Encryption
The overall scheme for DES encryption is illustrated in the figure. There are two inputs to the
encryption function: the plaintext to be encrypted and the key. In this case, the plaintext must be 64 bits in
length and the key is 56 bits in length.

• Looking at the left-hand side of the figure, we can see that the processing of the plaintext proceeds
in three phases.
• First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to
produce the permuted input. This is followed by a phase consisting of sixteen rounds of the same
function, which involves both permutation and substitution functions.
• The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext
and the key. The left and right halves of the output are swapped to produce the preoutput.
• Finally, the preoutput is passed through a permutation IP^-1 that is the inverse of the initial
permutation function, to produce the 64-bit ciphertext.

Initially, the key is passed through a permutation function. Then, for each of the sixteen rounds, a
subkey (Ki) is produced by the combination of a left circular shift and a permutation. The permutation
function is the same for each round, but a different subkey is produced because of the repeated shifts of
the key bits.

INITIAL PERMUTATION: The initial permutation and its inverse are defined by tables, as shown in the
tables.

• Let X = IP(M) denote the permuted input. If we then take the inverse permutation
Y = IP^-1(X) = IP^-1(IP(M)), it can be seen that the original ordering of the bits is restored.

DETAILS OF A SINGLE ROUND

The figure shows the internal structure of a single round. The left and right halves of each 64-bit
intermediate value are treated as separate 32-bit quantities, labeled L (left) and R (right).

The overall processing at each round can be summarized in the following formulas:

The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a
table that defines a permutation plus an expansion that involves duplication of 16 of the R bits (table).
The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function that
produces a 32-bit output, which is permuted as defined by the table:

The role of the S-boxes in the function F is illustrated in the figure:

• The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and
produces 4 bits as output.
• It works as follows: The first and last bits of the input to a box form a 2-bit binary number to
select one of four substitutions defined by the four rows in the table for that box. The middle four bits
select one of the sixteen columns. The decimal value in the cell selected by the row and column
is then converted to its 4-bit representation to produce the output.

• For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column
12). The value in row 1, column 12 is 9, so the output is 1001.
An example of an S-box:

The other S-boxes (S2 through S8) are defined similarly.

Key Generation:
• Returning to the figures above, we see that a 64-bit key is used as input to the algorithm. The bits
of the key are numbered from 1 through 64; every eighth bit is ignored, as indicated by the lack of
shading in Table 3.4a.
• The key is first subjected to a permutation governed by a table labeled Permuted Choice One
(Table 3.4b).
• The resulting 56-bit key is then treated as two 28-bit quantities, labeled C0 and D0. At each
round, C_{i-1} and D_{i-1} are separately subjected to a circular left shift (rotation) of 1 or 2 bits, as
governed by Table 3.4d.
• These shifted values serve as input to the next round. They also serve as input to the part labeled
Permuted Choice Two (Table 3.4c), which produces a 48-bit output that serves as input to the
function F(R_{i-1}, Ki).

DES Decryption
• Decryption uses the same algorithm as encryption, except that the application of the subkeys is
reversed.

The Avalanche Effect:

• A desirable property of any encryption algorithm is that a small change in either the plaintext or the
key should produce a significant change in the ciphertext.
• In particular, a change in one bit of the plaintext or one bit of the key should produce a change in
many bits of the ciphertext. This is referred to as the avalanche effect.
• In DES, a 1-bit change in the input affects nearly 32 bits of the output after all rounds.

Strength: The strength of DES rests on two facts:

• The use of 56-bit keys: With a 56-bit key used in encryption, there are 2^56 possible keys. A brute-force
attack on such a number of keys is impractical.
• The nature of the algorithm: A cryptanalyst can attempt cryptanalysis by exploiting the characteristics of
the DES algorithm, but no one has succeeded in finding a weakness.
Weaknesses: Weaknesses have been found in the design of the cipher:
• Two chosen inputs to an S-box can create the same output.
• The purpose of the initial and final permutations is not clear.
The Nature of the DES Algorithm:
• Cryptanalysis is attempted by finding characteristics of the DES algorithm.
• The logic of the S-boxes is complex to analyze.
• No weakness of the S-boxes has been discovered.

Timing Attacks:

• A timing attack is one in which information about the key or the plaintext is obtained by observing
how long it takes a given implementation to perform decryptions on various ciphertexts.
• A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly
different amounts of time on different inputs.
• DES appears to be fairly resistant to a successful timing attack.

BLOCK CIPHER DESIGN PRINCIPLES:

Three critical aspects of block cipher design are the number of rounds, the design of the function F, and key
scheduling.

1. Number of Rounds

• The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a
relatively weak F. In general, the criterion should be that the number of rounds is chosen so that
known cryptanalytic efforts require greater effort than a simple brute-force key search attack.

2. Design of Function F

• The heart of a block cipher is the function F. The function F provides the element of confusion in a
cipher. Thus, it must be difficult to “unscramble” the substitution performed by F. One obvious
criterion is that F be nonlinear. The more nonlinear F, the more difficult any type of cryptanalysis
will be.
• It should satisfy the strict avalanche criterion (SAC) and the bit independence criterion (BIC).
• The strict avalanche criterion (SAC) states that any output bit of an S-box should change with
probability 1/2 when any single input bit is inverted, for every choice of input bit and output bit.
Although SAC is expressed in terms of S-boxes, a similar criterion could be applied to F as a whole.
This is important when considering designs that do not include S-boxes.
• Another proposed criterion is the bit independence criterion (BIC), which states that any two
output bits should change independently of each other when any single input bit is inverted. The
SAC and BIC criteria appear to strengthen the effectiveness of the confusion function.
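As an added example (not part of the notes), the following code takes the DES S1 table from the standard, performs the row/column lookup described in the DES section (input 011001 gives 1001), and then measures over that one S-box how often each output bit flips when a single input bit is inverted, which is what the SAC asks for; it also checks the DES design property that a one-bit input change alters at least two output bits.

```python
# Added example, not from the notes: the DES S1 S-box (values from the standard),
# the 6-bit -> 4-bit lookup, and a SAC-style measurement over this single box.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(box, x):
    """6-bit input -> 4-bit output: the outer two bits select the row, the middle four the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]

def rows_are_permutations(box):
    """Each row of a DES S-box is a permutation of 0..15 (one of the published design criteria)."""
    return all(sorted(row) == list(range(16)) for row in box)

def single_bit_flip_stats(box):
    """For every 6-bit input and every single input-bit inversion, record how the output
    changes. Returns (flip probability per output bit, minimum number of output bits changed).
    SAC asks for probabilities of 1/2; DES was designed so that the minimum is at least 2."""
    flips = [0, 0, 0, 0]
    trials = 0
    min_distance = 4
    for x in range(64):
        y = sbox_lookup(box, x)
        for i in range(6):
            diff = y ^ sbox_lookup(box, x ^ (1 << i))
            trials += 1
            for j in range(4):
                flips[j] += (diff >> j) & 1
            min_distance = min(min_distance, bin(diff).count("1"))
    return [f / trials for f in flips], min_distance

def sac_report(box):
    """Convenience wrapper returning the per-bit flip probabilities and their average."""
    probs, _ = single_bit_flip_stats(box)
    return probs, sum(probs) / len(probs)
```

The averaged flip probability cannot be below 1/2 for a box that changes at least two of its four output bits on every single-bit input change, which is the DES criterion checked here; individual output bits of a real DES box deviate somewhat from the ideal 1/2.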

S-box design
• One obvious characteristic of an S-box is its size. An n × m S-box has n input bits and m output
bits. DES has 6 × 4 S-boxes.
• Larger S-boxes, by and large, are more resistant to differential and linear cryptanalysis.

For S-box design, the following approaches have been suggested:

• Random: Use some pseudorandom number generation or some table of random digits to
generate the entries in the S-boxes. This may lead to boxes with undesirable characteristics for
small sizes (e.g. 6 × 4) but should be acceptable for large S-boxes (e.g. 8 × 32).
• Random with testing: Choose S-box entries randomly, then test the results against various
criteria, and throw away those that do not pass.
• Human-made: This is a more or less manual approach with only simple mathematics to
support it. It is apparently the technique used in the DES design. This approach is difficult to
carry through for large S-boxes.
• Math-made: Generate S-boxes according to mathematical principles. By using mathematical
construction, S-boxes can be constructed that offer proven security against linear and differential
cryptanalysis, together with good diffusion.
A variation on the first technique is to use S-boxes that are both random and key dependent.

3. Key Schedule Algorithm

• With any block cipher, the key is used to generate one subkey for each round. In general, we
would like to select subkeys to maximize the difficulty of deducing individual subkeys and the
difficulty of working back to the main key.

ADVANCED ENCRYPTION STANDARD (AES):

• The Advanced Encryption Standard (AES) was published by the National Institute of Standards and
Technology (NIST) in 2001.
• AES is a block cipher intended to replace DES for commercial applications.
• The cipher takes a plaintext block size of 128 bits, or 16 bytes.
• The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as
AES-128, AES-192, or AES-256, depending on the key length.
• The input to the encryption and decryption algorithms is a single 128-bit block. This block is
depicted as a 4 × 4 square matrix of bytes. This block is copied into the State array, which is
modified at each stage of encryption or decryption. After the final stage, State is copied to an
output matrix. These operations are depicted in Figure a.
• Similarly, the key is depicted as a square matrix of bytes. This key is then expanded into an array
of key schedule words. Figure b shows the expansion for the 128-bit key.
• Each word is four bytes, and the total key schedule is 44 words for the 128-bit key. Note that the
ordering of bytes within a matrix is by column.
• So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the
first column of the in matrix, the second four bytes occupy the second column, and so on.
Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of
the w matrix.
• The cipher consists of N rounds, where the number of rounds N depends on the key length: 10
rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key.
• The first N-1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey.
• The final round contains only three transformations, and there is an initial single transformation
(AddRoundKey) before the first round, which can be considered Round 0. Each transformation
takes one or more 4 × 4 matrices as input and produces a matrix as output.
• Figure 5.1 shows that the output of each round is a 4 × 4 matrix, with the output of the final round
being the ciphertext. Also, the key expansion function generates N+1 round keys, each of which is
a distinct 4 × 4 matrix. Each round key serves as one of the inputs to the AddRoundKey
transformation in each round.
• The tenth round simply leaves out the MixColumns stage. The first nine rounds of the decryption
algorithm consist of the following:
1. Inverse ShiftRows
2. Inverse SubBytes
3. AddRoundKey (the XOR is its own inverse)
4. Inverse MixColumns
Again, the tenth round simply leaves out the Inverse MixColumns stage. Each of these stages will
now be considered in more detail.
The figure below shows the AES cipher in more detail, indicating the sequence of transformations in
each round and showing the corresponding decryption function.

AES TRANSFORMATION FUNCTIONS

1. SUBSTITUTE BYTES TRANSFORMATION

The substitute byte transformation, called SubBytes, is a simple table lookup (figure).

• AES defines a 16 × 16 matrix of byte values, called an S-box, that contains a permutation of all
possible 256 8-bit values. Each individual byte of State is mapped into a new byte in the
following way: The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are
used as a column value. These row and column values serve as indexes into the S-box to select a
unique 8-bit output value.

• For example, the hexadecimal value {68} references row 6, column 8 of the S-box, which
contains the value {45}. Accordingly, the value {68} is mapped into the value {45}.

Here is an example of the SubBytes transformation:

The S-box is constructed in the following fashion:

1. Initialize the S-box with the byte values in ascending sequence row by row. The first row
contains {00}, {01}, {02}, ..., {0F}; the second row contains {10}, {11}, etc.; and so on.
Thus, the value of the byte at row y, column x is {yx}.
2. Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value {00}
is mapped to itself.
3. Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0).
Apply the following transformation to each bit of each byte in the S-box:

where c_i is the ith bit of the byte c with the value {63}; that is, (c7c6c5c4c3c2c1c0) = (01100011).
The prime (') indicates that the variable is to be updated by the value on the right. The AES
standard depicts this transformation in matrix form as follows.

The inverse substitute byte transformation, called InvSubBytes, makes use of the inverse S-box. Note,
for example, that since the S-box maps the input {68} to the output {45}, the input {45} to the inverse
S-box produces {68}. The inverse S-box is constructed by applying the inverse of the transformation
followed by taking the multiplicative inverse in GF(2^8).

The inverse transformation is

where byte d = {05}, or 00000101. We can depict this transformation as follows:

2. SHIFT ROWS TRANSFORMATION

The shift rows transformation has two forms:
• The forward shift rows transformation, which is used in encryption.
• The inverse shift rows transformation, which is used in decryption.

The forward shift rows transformation, called ShiftRows, is depicted in the figure.

• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2-byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.

The following is an example of ShiftRows.

INVERSE SHIFT ROWS:

• Performs the circular shifts in the opposite direction for each of the last three rows, with a one-byte
circular right shift for the second row, and so on.

3. MIXCOLUMNS TRANSFORMATION

The mix columns transformation has two forms:

• The forward mix columns transformation, which is used in encryption.
• The inverse mix columns transformation, which is used in decryption.
The forward mix columns transformation, called MixColumns, operates on each column individually. Each
byte of a column is mapped into a new value that is a function of all four bytes in that column.

The transformation can be defined by the following matrix multiplication on State (figure):

4. ADDROUNDKEY TRANSFORMATION

• In the add round key transformation, called AddRoundKey, the 128 bits of State are bitwise
XORed with the 128 bits of the round key. As shown in Figure 5.5b, the operation is viewed as a
columnwise operation between the 4 bytes of a State column and one word of the round key; it
can also be viewed as a byte-level operation.
• The following is an example of AddRoundKey:

The first matrix is State, and the second matrix is the round key.

The figure is another view of a single round of AES, emphasizing the mechanisms and inputs of each
transformation.

AES KEY EXPANSION

• The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear
array of 44 words (176 bytes).
• This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each
of the 10 rounds of the cipher.
The expansion proceeds as follows:
• The key is copied into the first four words of the expanded key.
• The remainder of the expanded key is filled in four words at a time.
• Each added word w[i] depends on the immediately preceding word, w[i-1], and the word four
positions back, w[i-4].
• In three out of four cases, a simple XOR is used. For a word whose position in the w array is a
multiple of 4, a more complex function is used.
The figure illustrates the generation of the expanded key, using the symbol g to represent that
complex function.

The function g consists of the following subfunctions:

1. RotWord performs a one-byte circular left shift on a word. This means that an input
word [B0, B1, B2, B3] is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box (Table
5.2a).
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].

• The round constant is a word in which the three rightmost bytes are always 0. Thus, the effect of
an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word.

• The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0),
with RC[1] = 1 and RC[j] = 2 · RC[j-1], with multiplication defined over the field GF(2^8).

The values of RC[j] in hexadecimal are:
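As an added example (not part of the notes), the following code assembles AES-128 from the transformations described in this section: it builds the S-box from the GF(2^8) inverse and the {63} affine map (so {68} comes out as {45}), implements SubBytes, ShiftRows, MixColumns, AddRoundKey and the key expansion with RotWord, SubWord and Rcon (computing the RC[j] values in the process), and checks the result against the FIPS-197 test vectors. The decryption routine applies the inverse stages in the order given earlier in this section.

```python
# Added example, not from the notes: AES-128 assembled from the transformations
# described above and checked against the FIPS-197 test vectors. The State is a
# list of 16 bytes in column-major order: state[r + 4*c] is row r, column c.

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF   # multiply a by x, reduce
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse found by search; {00} is mapped to itself."""
    return next(b for b in range(256) if gf_mul(a, b) == 1) if a else 0

def build_sbox():
    """Inverse, then the affine map b'_i = b_i ^ b_i+4 ^ b_i+5 ^ b_i+6 ^ b_i+7 ^ c_i, c = {63}."""
    box = []
    for x in range(256):
        b, y = gf_inv(x), 0x63
        for i in range(8):
            bit = 0
            for k in (0, 4, 5, 6, 7):
                bit ^= (b >> ((i + k) % 8)) & 1
            y ^= bit << i
        box.append(y)
    return box

SBOX = build_sbox()
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x                  # inverting the table gives InvSubBytes
RC = [0x01]                            # RC[1] = 1, RC[j] = 2 * RC[j-1] in GF(2^8)
for _ in range(9):
    RC.append(gf_mul(RC[-1], 2))

def sub_bytes(state, box=SBOX):
    return [box[b] for b in state]

def shift_rows(state, inverse=False):
    """Row r is circularly shifted left by r bytes (right for the inverse)."""
    sign = -1 if inverse else 1
    return [state[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4)]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_columns(state, matrix=MIX):
    """Each column is multiplied by the fixed matrix over GF(2^8)."""
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for row in matrix:
            acc = 0
            for m, v in zip(row, col):
                acc ^= gf_mul(m, v)
            out.append(acc)
    return out

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def key_expansion(key):
    """Expand a 16-byte key into 44 four-byte words, i.e. 11 round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]             # RotWord
            temp = [SBOX[b] for b in temp]         # SubWord
            temp[0] ^= RC[i // 4 - 1]              # XOR with Rcon[i/4] = (RC, 0, 0, 0)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

def round_key(w, r):
    return sum(w[4 * r:4 * r + 4], [])

def encrypt_block(plaintext, key):
    w = key_expansion(key)
    state = add_round_key(list(plaintext), round_key(w, 0))       # round 0
    for r in range(1, 10):
        state = mix_columns(shift_rows(sub_bytes(state)))
        state = add_round_key(state, round_key(w, r))
    state = add_round_key(shift_rows(sub_bytes(state)), round_key(w, 10))  # no MixColumns
    return bytes(state)

def decrypt_block(ciphertext, key):
    """Inverse round: InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns."""
    w = key_expansion(key)
    state = add_round_key(list(ciphertext), round_key(w, 10))
    for r in range(9, 0, -1):
        state = sub_bytes(shift_rows(state, inverse=True), INV_SBOX)
        state = mix_columns(add_round_key(state, round_key(w, r)), INV_MIX)
    state = sub_bytes(shift_rows(state, inverse=True), INV_SBOX)
    return bytes(add_round_key(state, round_key(w, 0)))
```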


BLOWFISH

• Blowfish is a symmetric block cipher developed by Bruce Schneier in 1993.
• Blowfish is a symmetric-key block cipher proposed as a new encryption standard.
• It is a 16-round system, which uses large key-dependent S-boxes and iterates a simple encryption
function 16 times.
• The block size is 64 bits and the key length may vary from 32 bits up to 448 bits.

The Blowfish encryption algorithm was designed to have the following characteristics:

Fast: It encrypts data on large 32-bit microprocessors at a rate of 26 clock cycles per byte.
Compact: It can run in less than 5K of memory.
Simple: It uses addition, XOR and table lookup on 32-bit operands.
Secure: The key length is variable; it can be in the range of 32 to 448 bits, with a default of 128 bits.

The algorithm is divided into 3 main parts:

1. Key expansion
2. Data encryption
3. Data decryption

Key Expansion
Prior to any data encryption and decryption, the subkeys are computed beforehand.

The P-array consists of 18 32-bit subkeys:

P1, P2, ..., P18

Four 32-bit S-boxes consist of 256 entries each:

S1,0, S1,1, ..., S1,255
S2,0, S2,1, ..., S2,255
S3,0, S3,1, ..., S3,255
S4,0, S4,1, ..., S4,255

Data Encryption
• The encryption function iterates a simple network 16 times.
• Each round consists of a key-dependent permutation and a key- and data-dependent substitution.
• All operations are XORs and additions on 32-bit words. The only additional operations are four
indexed array data lookups (table lookups) for each round.
• The plaintext is divided into two 32-bit halves, LE0 and RE0.
• We use the variables LE_i and RE_i to refer to the left and right half of the data after round i has
completed.
• The algorithm can be defined by the following pseudocode:
The function F is shown in the figure below. The 32-bit input to F is divided into 4 bytes. If we label
those bytes a, b, c, and d, then the function can be defined as follows:

Blowfish Decryption:
Blowfish decryption occurs in the same algorithmic direction as encryption, rather than the
reverse. The algorithm can be defined as follows:

Advantages or features of Blowfish:

• A brute-force attack is even more difficult than may be apparent from the key length because of the
time-consuming subkey-generation process. A total of 522 executions of the encryption algorithm
are required to test a single key.
• The function F gives Blowfish the best possible avalanche effect for a Feistel network.
• Every bit of the input to F is used as input to only one S-box. In contrast, in DES many bits are
used as inputs to two S-boxes, which strengthens the algorithm considerably against differential
attacks.
• Unlike in CAST, the function F in Blowfish is not round dependent. Schneier felt that such
dependency did not add any cryptographic merit, given that the P-array substitution is already round
dependent.

CAST-128:

• In cryptography, CAST-128 is a symmetric-key block cipher. CAST-128 is a 16-round cipher with a
64-bit block size and a key size of between 40 and 128 bits.
• The full 16 rounds are used when the key size is longer than 80 bits.
• Components include large 8×32-bit S-boxes based on bent functions, key-dependent rotations,
modular addition and subtraction, and XOR operations.
• There are three alternating types of round function, but they are similar in structure and differ only
in the choice of the exact operation (addition, subtraction or XOR) at various points.

Algorithm:

INPUT: plaintext m1...m64; key K = k1...k128.

OUTPUT: ciphertext c1...c64.
1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from K.
2. (L0, R0) <- (m1...m64). (Split the plaintext into left and right 32-bit halves L0 = m1...m32 and R0 =
m33...m64.)
3. (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
Li = Ri-1;
Ri = Li-1 ^ f(Ri-1, Kmi, Kri), where f is of Type 1, Type 2, or Type 3, depending on i.
4. c1...c64 <- (R16, L16). (Exchange final blocks L16, R16 and concatenate to form the ciphertext.)

Pairs of Round Keys

CAST-128 uses a pair of subkeys per round: a 32-bit quantity Km is used as a "masking" key
and a 5-bit quantity Kr is used as a "rotation" key.

Non-Identical Rounds

Three different round functions are used in CAST-128. The rounds are as follows (where "D" is
the data input to the f function and "Ia" - "Id" are the most significant byte through least significant byte
of I, respectively). Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise XOR,
and "<<<" is the circular left-shift operation.

Type 1: I = ((Kmi + D) <<< Kri)
        f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]

Type 2: I = ((Kmi ^ D) <<< Kri)
        f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]

Type 3: I = ((Kmi - D) <<< Kri)
        f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]

Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.
Rounds 2, 5, 8, 11, and 14 use f function Type 2.
Rounds 3, 6, 9, 12, and 15 use f function Type 3.

Substitution Boxes

CAST-128 uses eight substitution boxes: S-boxes S1, S2, S3, and S4 are round function S-boxes;
S5, S6, S7, and S8 are key schedule S-boxes. Although 8 S-boxes require a total of 8 KBytes of storage,
note that only 4 KBytes are required during actual encryption or decryption, since subkey generation is
typically done prior to any data input.

Key Schedule

The CAST-128 encryption algorithm has been designed to allow a key size that can vary from
40 bits to 128 bits, in 8-bit increments (that is, the allowable key sizes are 40, 48, 56, 64, ..., 112, 120, and
128 bits). For variable key size operation, the specification is as follows:

1. For key sizes up to and including 80 bits (i.e., 40, 48, 56, 64, 72, and 80 bits), the algorithm is exactly
as specified but uses 12 rounds instead of 16;
2. For key sizes greater than 80 bits, the algorithm uses the full 16 rounds;
3. For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost, or least
significant, positions) out to 128 bits (since the CAST-128 key schedule assumes an input key of 128
bits).

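As an added example (not part of the notes), the following code implements the CAST-128 round structure given above: the three f-function types with the 32-bit masking key and 5-bit rotation key, the Type 1/2/3 assignment by round number, the 12-or-16-round rule and the zero padding of short keys, and the Feistel rounds run in both directions. The S-box entries and the (Km, Kr) subkeys are constructed placeholders from a small deterministic generator, not the RFC 2144 tables or key schedule, so the mechanics are shown but the output is not genuine CAST-128 ciphertext.

```python
# Added example, not from the notes: the CAST-128 round structure from the
# algorithm above, with the three f-function types, the 5-bit rotation key
# and the key-size rules. The S-box entries and (Km, Kr) subkeys used here are
# CONSTRUCTED placeholders from a small deterministic generator, not the
# RFC 2144 tables or key schedule, so the mechanics are real but the
# ciphertext is not genuine CAST-128 output.

MASK32 = 0xFFFFFFFF

def placeholder_words(seed, n):
    """Deterministic filler (an LCG), standing in for real 8x32 S-box or subkey values."""
    out, x = [], seed & MASK32
    for _ in range(n):
        x = (1103515245 * x + 12345) & MASK32
        out.append(x)
    return out

S1, S2, S3, S4 = (placeholder_words(seed, 256) for seed in (1, 2, 3, 4))

def rotl32(x, n):
    """Circular left shift '<<<' of a 32-bit word by n (0..31) bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32 if n else x

def round_type(i):
    """Rounds 1,4,7,... use Type 1; 2,5,8,... Type 2; 3,6,9,... Type 3 (i is 1-based)."""
    return (i - 1) % 3 + 1

def f(d, km, kr, kind):
    """The three CAST-128 round functions; Ia..Id are the bytes of I, most significant first."""
    if kind == 1:
        i = rotl32((km + d) & MASK32, kr)
    elif kind == 2:
        i = rotl32(km ^ d, kr)
    else:
        i = rotl32((km - d) & MASK32, kr)
    ia, ib, ic, id_ = i >> 24, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF
    if kind == 1:
        return (((S1[ia] ^ S2[ib]) - S3[ic]) + S4[id_]) & MASK32
    if kind == 2:
        return (((S1[ia] - S2[ib]) + S3[ic]) ^ S4[id_]) & MASK32
    return (((S1[ia] + S2[ib]) ^ S3[ic]) - S4[id_]) & MASK32

def pad_key(key):
    """Keys shorter than 128 bits are padded with zero bytes on the right."""
    if not 5 <= len(key) <= 16:
        raise ValueError("CAST-128 keys are 40..128 bits long, in 8-bit steps")
    return key + b"\x00" * (16 - len(key))

def rounds_for_key(key):
    """Up to and including 80 bits: 12 rounds; longer keys: the full 16."""
    return 12 if len(key) * 8 <= 80 else 16

def placeholder_subkeys(key):
    """Constructed (Km_i, Kr_i) pairs; the real schedule derives them via S5..S8 (not shown)."""
    rounds = rounds_for_key(key)
    words = placeholder_words(int.from_bytes(pad_key(key), "big"), rounds)
    return [(w, (w >> 27) & 0x1F) for w in words]     # Km is 32 bits, Kr only 5

def cast_rounds(block, subkeys, decrypt=False):
    """L_i = R_(i-1); R_i = L_(i-1) ^ f(R_(i-1), Km_i, Kr_i); decryption reverses the subkey order."""
    rounds = len(subkeys)
    order = range(rounds, 0, -1) if decrypt else range(1, rounds + 1)
    left, right = block >> 32, block & MASK32
    for i in order:
        km, kr = subkeys[i - 1]
        left, right = right, left ^ f(right, km, kr, round_type(i))
    return (right << 32) | left                        # final exchange of halves
```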
IDEA

• The International Data Encryption Algorithm (IDEA) is one of the encryption algorithms that is widely
used for security purposes.
• The IDEA block cipher operates on 64-bit plaintext blocks and 64-bit ciphertext blocks, and a 128-bit
key controls it.
• The fundamental design of the algorithm uses three different algebraic operations: bitwise
exclusive-OR, modular multiplication, and modular addition.
• The algorithm (refer to the figure) consists of eight identical rounds plus a half round for the output
transformation.
• The fundamental design in IDEA is the mixing of three incompatible algebraic groups:
bit-by-bit XOR, addition modulo 2^16, and multiplication modulo 2^16 + 1.
• The plaintext is a fixed-size (64-bit) block that is divided into four 16-bit blocks (X1 || X2 || X3 ||
X4).

The following steps are the encryption process in each round:

1. First multiplication between X1 and the first subkey Z1.
2. Addition operation of X2 with the second subkey Z2.
3. Addition operation between X3 and the third subkey Z3.
4. Second multiplication between X4 and the fourth subkey Z4.
5. Calculating the bitwise XOR of the results of steps 1 and 3.
6. Calculating the bitwise XOR of the results of steps 2 and 4.

The decryption process is an essential process that is applied on the ciphertext to transform it into the
original message (plaintext). The computational process for the decryption is the same as that used for the
encryption of the plaintext. The difference compared to the encryption is that the 16-bit subkeys are
generated in reverse order.
• The key is a 128-bit block. It is divided into eight 16-bit subkeys. The division into 16 bits is
because all of the algebraic operations used in the encryption and decryption process operate on 16-
bit numbers.
• The final output transformation uses four 16-bit subkeys. Each round uses six 16-bit subkeys; the
remaining two subkeys are used in the next round, and further subkeys are obtained by left-shifting the
key by 25 positions.
• The total number of subkeys is 52 (52 = 8 rounds × 6 subkeys + 4 subkeys for the "output transformation").
The encryption and decryption subkeys are shown in the table.
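As an added example (not part of the notes), the following code implements IDEA from the three group operations and the 25-bit-rotation key schedule described above. The round carries the six listed steps through to the full 14-step round (the MA structure and the final XORs and swap), and the decryption subkeys are derived as the published inverted and reordered schedule, which is what "generated in reverse order" amounts to in practice; the result is checked against the published IDEA test vector.

```python
# Added example, not from the notes: IDEA encryption and decryption built from
# the three group operations (XOR, addition mod 2^16, multiplication mod 2^16+1)
# and the 25-bit-rotation key schedule described above, checked against the
# published test vector. Blocks and keys are bytes; subkeys are 16-bit ints.

def add(a, b):
    return (a + b) & 0xFFFF

def mul(a, b):
    """Multiplication modulo 2^16 + 1, where the 16-bit value 0 stands for 2^16."""
    r = ((a or 0x10000) * (b or 0x10000)) % 0x10001
    return r & 0xFFFF                      # a result of 2^16 is stored as 0 again

def add_inv(a):
    return (-a) & 0xFFFF

def mul_inv(a):
    return pow(a or 0x10000, -1, 0x10001) & 0xFFFF

def encryption_subkeys(key):
    """52 subkeys: eight 16-bit pieces of the key, then rotate the key left by 25 bits and repeat."""
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]

def decryption_subkeys(z):
    """Encryption subkeys inverted (multiplicative/additive) and reordered so that
    the same round routine decrypts."""
    d = [mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51]), z[46], z[47]]
    for r in range(7, 0, -1):              # encryption rounds 8..2 (0-based 7..1)
        e = 6 * r
        d += [mul_inv(z[e]), add_inv(z[e + 2]), add_inv(z[e + 1]), mul_inv(z[e + 3]),
              z[e - 2], z[e - 1]]
    d += [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]
    return d

def idea_block(block, z):
    """Eight rounds (steps 1-6 above continued to the full round) plus the output transformation."""
    x1, x2, x3, x4 = (int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        z1, z2, z3, z4, z5, z6 = z[6 * r:6 * r + 6]
        y1, y2, y3, y4 = mul(x1, z1), add(x2, z2), add(x3, z3), mul(x4, z4)   # steps 1-4
        t2 = mul(y1 ^ y3, z5)              # step 5 XOR, then multiply by Z5
        t4 = mul(add(y2 ^ y4, t2), z6)     # step 6 XOR, add, multiply by Z6
        t5 = add(t2, t4)
        x1, x2, x3, x4 = y1 ^ t4, y3 ^ t4, y2 ^ t5, y4 ^ t5   # XOR back and swap the inner blocks
    y1, y4 = mul(x1, z[48]), mul(x4, z[51])                  # output transformation
    y2, y3 = add(x3, z[49]), add(x2, z[50])                  # (the last swap is undone)
    return b"".join(v.to_bytes(2, "big") for v in (y1, y2, y3, y4))

def encrypt(block, key):
    return idea_block(block, encryption_subkeys(key))

def decrypt(block, key):
    return idea_block(block, decryption_subkeys(encryption_subkeys(key)))
```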

The IDEA encryption algorithm has some features that favor its use:
• High-level security that depends not on keeping the algorithm secret, but rather on the secrecy of the key.
• Easily understood.
• Available online.
• A wide range of applications, used efficiently in areas such as distance learning.
Applications
• Today, there are hundreds of IDEA-based security solutions available in many market areas,
ranging from financial services and broadcasting to government.
• IDEA is the name of a proven, secure, and universally applicable block encryption algorithm, which
permits effective protection of transmitted and stored data against unauthorized access by third
parties.
• The fundamental criteria for the development of IDEA were the highest security requirements along
with easy hardware and software implementation for fast execution.
• The IDEA algorithm can easily be embedded in any encryption software. Data encryption can be used to
protect data transmission and storage.

Typical fields are:

• Audio and video data for cable TV, pay TV, video conferencing, distance learning, business
TV, VoIP
• Sensitive financial and commercial data
• Email via public networks
• Transmission links via modem, router or ATM link, GSM technology
• Smart cards

BLOCK CIPHER MODES OF OPERATIONS

 A block cipher takes a fixed-length block of text of length b bits and a key as input and produces a b-bit
block of ciphertext.
 If the amount of plaintext to be encrypted is greater than b bits, then the block cipher can still be used
by breaking the plaintext up into b-bit blocks. When multiple blocks of plaintext are encrypted using
the same key, a number of security issues arise.
 To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST:
1. Electronic codebook (ECB) mode
2. Cipher block chaining mode
3. Cipher feedback mode
4. Output feedback mode
5. Counter mode

The five modes are intended to cover a wide variety of applications of encryption for which a block
cipher could be used.

1. Electronic codebook (ECB) mode

 The plaintext is handled one block at a time and each block of plaintext is encrypted using the
same key (Figure).
 The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit
block of plaintext.
 Therefore, we can imagine a gigantic codebook in which there is an entry for every possible b-bit
plaintext pattern showing its corresponding ciphertext.
 For a message longer than b bits, the procedure is simply to break the message into b-bit blocks,
padding the last block if necessary.
 Decryption is performed one block at a time, always using the same key.
 Each block is encoded independently of the other blocks: Ci = EK(Pi)
 Uses: secure transmission of single values (for example an encryption key).
The plaintext (padded as necessary) consists of a sequence of b-bit blocks, P1, P2, ..., PN; the
corresponding sequence of ciphertext blocks is C1, C2, ..., CN. We can define ECB mode as follows:

Cj = E (K, Pj)   j = 1, ..., N

Pj = D (K, Cj)   j = 1, ..., N

Advantages and Limitations of ECB

 Message repetitions show in the ciphertext: identical plaintext blocks, if aligned with the block
boundaries, always produce identical ciphertext blocks
 particularly with data such as graphics
 or with messages that change very little, which become a codebook-analysis problem
 the weakness is due to the encrypted message blocks being independent of one another
 vulnerable to cut-and-paste attacks: blocks can be deleted, replayed or reordered without detection
 main use is sending a few blocks of data

2. Cipher block chaining mode

 To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext
block, if repeated, produces different ciphertext blocks.
 A simple way to satisfy this requirement is the cipher block chaining (CBC) mode (Figure 6.4).
 In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block and
the preceding ciphertext block; the same key is used for each block.
 In effect, we have chained together the processing of the sequence of plaintext blocks.
 The input to the encryption function for each plaintext block bears no fixed relationship to the
plaintext block. Therefore, repeating patterns of bits are not exposed.
 As with the ECB mode, the CBC mode requires that the last block be padded to a full b bits if it is a
partial block.
For decryption, each cipher block is passed through the decryption algorithm. The result is
XORed with the preceding cipher text block to produce the plaintext block.

We can define CBC mode as:

C1 = E (K, [P1 ⊕ IV])
Cj = E (K, [Pj ⊕ Cj-1])   j = 2, ..., N

P1 = D (K, C1) ⊕ IV
Pj = D (K, Cj) ⊕ Cj-1     j = 2, ..., N

Advantages and Limitations of CBC

 a ciphertext block depends on all plaintext blocks before it, so a repeated plaintext block no longer
gives a repeated ciphertext block
 any change to a plaintext block changes all following ciphertext blocks
 a change to ciphertext block Cj garbles plaintext block Pj and flips the corresponding bits of Pj+1 only;
later blocks decrypt correctly, so CBC resynchronises after one block but does not itself detect tampering
 needs an Initialization Vector (IV)
 which must be known to sender and receiver
 if sent in the clear, an attacker can change bits of the recovered first plaintext block by changing the
corresponding bits of the IV
 hence the IV must either be protected (for example sent encrypted in ECB mode before the rest of the message)
 or, better, the message integrity must be checked with a MAC
 the IV should also be unpredictable to the attacker: reusing a fixed IV under one key reveals whenever
two messages begin with the same block(s)
 CBC has long been the most widely used block mode. The chaining means that an altered or rearranged
ciphertext does not decrypt to a cleanly altered plaintext, but since the damage is limited and predictable
(one garbled block plus a controlled bit flip in the next), CBC must always be paired with an integrity check
rather than relied on to stop modification of the 1st block or any other.

Stream cipher Modes of Operation


Cipher feedback mode

 As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit
is a function of all the preceding plaintext. In this case, rather than blocks of b bits, the plaintext is
divided into segments of s bits (typically s = 8, one byte).
 First, consider encryption. The input to the encryption function is a b-bit shift register that is initially
set to some initialization vector (IV).
 The leftmost (most significant) s bits of the output of the encryption function are XORed with the
first segment of plaintext P1 to produce the first unit of ciphertext C1, which is then transmitted.
 In addition, the contents of the shift register are shifted left by s bits, and C1 is placed in the
rightmost (least significant) s bits of the shift register. This process continues until all plaintext units
have been encrypted.
For decryption, the same scheme is used, except that the received ciphertext unit is XORed with the
output of the encryption function to produce the plaintext unit. Note that it is the encryption function that
is used, not the decryption function. This is easily explained. Let MSBs(X) be defined as the most
significant s bits of X. Then

C1 = P1 ⊕ MSBs(E (K, IV))

and therefore, by rearranging terms,

P1 = C1 ⊕ MSBs(E (K, IV))

The same reasoning holds for the subsequent units, so both sides only ever compute E.

Advantages and Limitations of CFB

 most common stream mode built from a block cipher
 appropriate when data arrives in bits or bytes
 limitation is the need to stall for a full block encryption after every s bits of data
 note that the block cipher is used in encryption mode at both ends (its output is only XORed with the data)
 a corrupted ciphertext unit garbles the corresponding plaintext unit and the following units while it
remains in the shift register, after which decryption resynchronises

Output feedback mode

 The output feedback (OFB) mode is similar in structure to that of CFB. As can be seen in Figure,
it is the output of the encryption function that is fed back to the shift register in OFB, whereas in
CFB, the ciphertext unit is fed back to the shift register.
 The other difference is that the OFB mode operates on full blocks of plaintext and ciphertext, not on
an s-bit subset.
 Encryption and decryption can be expressed as

O1 = E (K, IV)
Oj = E (K, Oj-1)   j = 2, ..., N
Cj = Pj ⊕ Oj       j = 1, ..., N
Pj = Cj ⊕ Oj       j = 1, ..., N

(for a partial last block only the most significant bits of ON are used)
Advantages and Limitations of OFB
 needs an IV (nonce) which is unique for each use under a given key
 if an IV is ever reused with the same key, the keystream repeats and the XOR of the two ciphertexts equals
the XOR of the two plaintexts, exactly as with a reused one-time pad (OTP)
 the keystream can be pre-computed before the plaintext is available
 bit errors do not propagate: a flipped ciphertext bit flips only the same plaintext bit
 for the same reason it is more vulnerable to message stream modification:
 an attacker can change arbitrary plaintext bits by changing the corresponding ciphertext bits, so an
integrity check is required
 sender and receiver must remain in sync (a lost block desynchronises the keystream)
 only use with full block feedback
 subsequent research has shown that only full block feedback (i.e. OFB-64 or OFB-128)
should ever be used, since feeding back fewer bits shortens the expected period of the keystream

Counter mode

 Interest in the counter (CTR) mode has increased recently with applications to ATM (asynchronous transfer
mode) network security and IPsec (IP security). Figure depicts the CTR mode.
 A counter equal to the plaintext block size is used.
 Typically, the counter is initialized to some value and then incremented by 1 for each
subsequent block (modulo 2^b, where b is the block size).
 For encryption, the counter is encrypted and then XORed with the plaintext block to produce
the ciphertext block; there is no chaining.
 For decryption, the same sequence of counter values is used, with each encrypted counter XORed
with a ciphertext block to recover the corresponding plaintext block.
 Thus, the initial counter value must be made available for decryption. Given a sequence of
counters T1, T2, ..., TN, we can define CTR mode as follows.

Cj = Pj ⊕ E (K, Tj)   j = 1, ..., N
Pj = Cj ⊕ E (K, Tj)   j = 1, ..., N

For the last plaintext block, which may be a partial block of u bits, the most significant u bits of the last
output block are used for the XOR operation; the remaining b - u bits are discarded.

Advantages and Limitations of CTR

 efficiency
o can do parallel encryptions in hardware or software, since no block depends on another
o can preprocess the keystream in advance of need
o good for bursty high-speed links
 random access to encrypted data blocks (block j needs only Tj)
 provable security (at least as good as the other modes)
 the counter sequence never has a cycle shorter than 2^b blocks
 but must ensure a key/counter value is never reused, otherwise the keystream repeats and the XOR of the
two ciphertexts leaks the XOR of the plaintexts (cf. OFB); like OFB it gives no integrity, so it is
normally paired with a MAC
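The five modes above, and the failure modes the notes list for ECB (visible repeats), CBC (IV bit-flipping) and the keystream modes (key/counter reuse), in one added Python example that is not part of these notes. So that it runs offline, E(K, .) is a constructed toy 64-bit Feistel cipher built on SHA-256, a stand-in for DES or IDEA and not a vetted cipher; the key, IV and messages are constructed, padding is omitted, CFB is shown with s = 8 so the shift register is visible, and every function name is this example's own.

```python
"""ECB, CBC, CFB, OFB and CTR over a toy 64-bit block cipher (teaching example).
E(K, .) is a 4-round Feistel network with SHA-256 as round function: invertible and
fine for showing how the modes behave, but a stand-in, not a vetted cipher.
Padding is omitted, so ECB and CBC callers must pass whole 8-byte blocks.
"""
import hashlib

B = 8  # block size in bytes, i.e. b = 64 bits


def xor(a, b):
    """XOR of two byte strings, truncated to the shorter (covers partial last blocks)."""
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):  # keyed round function for round i
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def e_block(key, block):
    """E(K, block): four Feistel rounds, final swap undone."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return r + l


def d_block(key, block):
    """D(K, block): the rounds run backwards."""
    r, l = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def blocks(data):
    return [data[i:i + B] for i in range(0, len(data), B)]


def ecb_encrypt(key, pt):  # Cj = E(K, Pj): equal blocks give equal ciphertext blocks
    return b"".join(e_block(key, p) for p in blocks(pt))


def ecb_decrypt(key, ct):  # Pj = D(K, Cj)
    return b"".join(d_block(key, c) for c in blocks(ct))


def cbc_encrypt(key, iv, pt):  # Cj = E(K, Pj xor Cj-1), with C0 = IV
    out, prev = [], iv
    for p in blocks(pt):
        prev = e_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):  # Pj = D(K, Cj) xor Cj-1
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(d_block(key, c), prev))
        prev = c
    return b"".join(out)


def cfb8(key, iv, data, decrypt=False):  # CFB with s = 8: one byte per E(K, .) call
    out, reg = bytearray(), iv
    for x in data:
        y = x ^ e_block(key, reg)[0]                    # MSB_8 of E(K, shift register)
        out.append(y)
        reg = reg[1:] + bytes([x if decrypt else y])     # shift left 8, feed the ciphertext byte in
    return bytes(out)


def ofb(key, iv, data):  # Oj = E(K, Oj-1), Cj = Pj xor Oj; the same call decrypts
    out, o = [], iv
    for d in blocks(data):
        o = e_block(key, o)
        out.append(xor(d, o))
    return b"".join(out)


def ctr(key, nonce, data):  # Cj = Pj xor E(K, Tj), Tj = T1 + j - 1 mod 2**64; same call decrypts
    t = int.from_bytes(nonce, "big")
    return b"".join(xor(d, e_block(key, ((t + j) % 2**64).to_bytes(B, "big")))
                    for j, d in enumerate(blocks(data)))


# The properties discussed in the notes, returned as values rather than printed.

def ecb_shows_repeats(key, pt):
    """True when two equal leading plaintext blocks gave equal ciphertext blocks."""
    c = blocks(ecb_encrypt(key, pt))
    return c[0] == c[1]


def cbc_iv_flip(key, iv, ct, mask):
    """Decrypt under a tampered IV: the masked bits flip in P1, later blocks stay intact."""
    return cbc_decrypt(key, xor(iv, mask), ct)


def keystream_reuse_leak(key, nonce, pt1, pt2):
    """Two messages under one key/counter: C1 xor C2 equals P1 xor P2 (two-time pad)."""
    return xor(ctr(key, nonce, pt1), ctr(key, nonce, pt2)) == xor(pt1, pt2)


if __name__ == "__main__":
    key, iv = b"constructed demo key", bytes(range(8))  # constructed, not secret
    pt = b"ATTACK!!" * 2 + b"RETREAT!"                  # two identical leading blocks
    ct = cbc_encrypt(key, iv, pt)
    print("ECB shows repeated blocks:", ecb_shows_repeats(key, pt))
    print("CBC shows repeated blocks:", blocks(ct)[0] == blocks(ct)[1])
    print("CBC, IV bit 0x20 flipped  :", cbc_iv_flip(key, iv, ct, b"\x20" + bytes(7)))
    print("CTR nonce reuse leaks P xor P:", keystream_reuse_leak(key, iv, pt, b"RETREAT!RETREAT!"))
```

Flipping the 0x20 bit of the first IV byte turns the leading "A" of the recovered plaintext into "a" while the remaining blocks decrypt untouched, which is the IV-manipulation point made above; the same XOR-mask trick against OFB or CTR ciphertext bytes changes the plaintext one-for-one, which is why all three of these modes need a MAC.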
Block Cipher Modes of Operation summary:
