
160702 – Information Security (IS) UNIT-2 Conventional Encryption Techniques

Darshan Institute of Engineering & Technology Page 1

Q 1. Draw and explain Feistel’s structure for encryption and decryption. The exact realization of Feistel

network depends on the choice of which parameters?

Feistel cipher is based on the idea that instead of using Ideal block cipher which degrades

performance, a “substitution-permutation network” can be used.

Feistel Cipher Encryption

The inputs to the encryption algorithm are a plaintext block of length b bits and a key K.

The plaintext block is divided into two halves.

The two halves of the data pass through rounds of processing and then combine to produce

the ciphertext block.

Each round has as inputs and derived from the previous round, as well as a subkey derived

from the overall K.

Any number of rounds could be implemented and all rounds have the same structure.

A substitution is performed on the left half of the data. This is done by applying a round

function F.

The Round Function F: F takes right-half block of previous round and a subkey as input.

The output of the function is XORed with the left half of the data.

Left and right halves are then swapped.

Feistel Cipher Decryption

The process of decryption with a Feistel cipher is same as the encryption process.

The ciphertext is input to the algorithm and the subkeys are used in reverse order. That is,

subkey of the last round in encryption is used in the first round in decryption, second last in

the second round, and so on.
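The structure described above, written out as an added example (not part of the original notes). The subkey derivation and the round function F are illustrative stand-ins built from SHA-256; only the network itself follows the text. It also shows why one round is inadequate: half of the plaintext appears unchanged in the output.

```python
"""Generic Feistel network: decryption reuses encryption with reversed subkeys."""
import hashlib

BLOCK_BITS = 64                    # block size b, split into two 32-bit halves
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 16                        # typical number of rounds


def subkeys(key, rounds=ROUNDS):
    """Illustrative subkey generation: one hash-derived subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def round_function(right, subkey):
    """Illustrative F(R, K). F itself is not invertible (truncated hash);
    the Feistel structure is what makes the whole cipher invertible."""
    data = subkey + right.to_bytes(HALF_BITS // 8, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:HALF_BITS // 8], "big")


def feistel(block, round_keys):
    """Run the network over one block with the given subkey order."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in round_keys:
        # Substitution on the left half (XOR with F of the right half),
        # then swap: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    # Undo the last swap so the same routine can be used to decrypt
    return (right << HALF_BITS) | left


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    # Same algorithm, subkeys in reverse order
    return feistel(block, subkeys(key)[::-1])


def one_round_leak(block, key):
    """With a single round, the right half of the plaintext appears
    unchanged as the low half of the output."""
    out = feistel(block, subkeys(key, rounds=1))
    return (out & HALF_MASK) == (block & HALF_MASK)


if __name__ == "__main__":
    key = b"constructed test key"          # constructed sample key
    pt = 0x0123456789ABCDEF                # constructed sample block
    ct = encrypt(pt, key)
    print(f"ciphertext          : {ct:016x}")
    print(f"decrypt(reversed)   : {decrypt(ct, key):016x}")
    print(f"wrong subkey order  : {feistel(ct, subkeys(key)):016x}")
    print(f"1-round leaks a half: {one_round_leak(pt, key)}")
```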

The exact realization of a Feistel network depends on the choice of the following parameters:

Block size: Larger block sizes mean greater security but reduced encryption/decryption speed

for a given algorithm. Traditionally, a block size of 64 bits is used which gives enough security

without greatly affecting the speed.

Key size: Larger key size means greater security but may decrease encryption/ decryption

speed. The greater security is achieved by greater resistance to brute-force attacks and greater

confusion. Key sizes of 64 bits or less are now widely considered to be inadequate, and 128

bits has become a common size.

Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate

security but that multiple rounds offer increasing security. A typical size is 16 rounds.

Sub key generation algorithm: Greater complexity in this algorithm leads to greater difficulty

of cryptanalysis.

Round function F: Again, greater complexity generally means greater resistance to

cryptanalysis.

There are two other considerations in the design of a Feistel cipher:

Fast software encryption/decryption: In many cases, encryption is embedded in applications

implementation (as software). Accordingly, the speed of execution of the algorithm becomes a

concern.

Ease of analysis: Although we would like to make our algorithm as difficult as possible to

cryptanalyze, there is great benefit in making the algorithm easy to analyze. Thus, it will be

easier to analyze that algorithm for cryptanalytic.

Q 2. Write a note on block cipher design principles.

The following criteria need to be taken into account when designing a block cipher:

Number of Rounds: The greater the number of rounds, the more difficult it is to perform

cryptanalysis, even for a weak function. The number of rounds is chosen so that the effort

required to cryptanalyze the cipher becomes greater than that of a simple brute-force attack.

Design of Function F: F should be nonlinear and should satisfy strict avalanche criterion (SAC)

and bit independence criterion (BIC).

S-Box Design: S-Box obviously should be non-linear and should satisfy SAC, BIC and

Guaranteed Avalanche criteria. One more obvious characteristic of the S-box is its size. Larger

S-Boxes provide good diffusion but also result in greater look-up tables. Hence, general size is

8 to 10.

Key Generation Algorithm: With any Feistel block cipher, the key is used to generate one sub

key for each round. In general, sub keys should be selected such that it is difficult to deduce sub

keys from one another or the main key from a sub key.

Q 3. Explain the following algorithms in detail:

a) Data Encryption Standard(DES)

b) Double and Triple DES

c) International Data Encryption Algorithm(IDEA)

d) Blowfish

e) RC-5

f) RC-2

g) CAST-128

Data Encryption Standard (DES)

DES encrypts 64-bit blocks using a 56-bit key and produces a 64-bit ciphertext.

The same steps, with the same key, are used to reverse the encryption with the order of the

keys reversed.

The DES is widely used.

DES Encryption

The DES encryption is shown in the figure below:

Encryption function has two inputs: the plaintext to be encrypted and the key.

The processing of the plaintext proceeds in three phases.

o The 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to

produce the permuted input.

o The permuted output is then passed through sixteen rounds of the same function, which

involves both permutation and substitution functions. The left and right halves from the

last round are swapped to produce preoutput.

o The preoutput is passed through a permutation that is the inverse of the initial

permutation function, to produce the 64-bit cipher text.

The right-hand portion of the figure shows the way in which the 56-bit key is used.

o Initially, the key is passed through a permutation function.

o Then, a sub key (ki) is produced for each of the sixteen rounds by the combination of a left

circular shift and a permutation.

o The permutation function is the same for each round, but a different sub key is produced

because of the repeated shifts of the key bits.

Initial Permutation

The initial permutation and its inverse are defined by tables.

The tables are to be interpreted as follows.

o The input to a table consists of 64 bits numbered from 1 to 64.

o The 64 entries in the permutation table contain a permutation of the numbers from 1 to

64.

o Each entry in the permutation table indicates the position of an input bit in the output.

Inverse permutation table nullifies the effect of initial permutation.

Details Of Single Round

The figure shows the internal structure of a single round.

The left and right halves are treated as separate 32-bit quantities, labeled L (left) and R (right).

The overall processing at each round can be summarized as:

Li = Ri-1

Ri = Li-1 ⊕ F(Ri-1, Ki)

Expansion: The 32-bit input is first expanded to 48 bits.

o 32 bits of input are split into groups of 4 bits.

o Each group is written as groups of 6 bits by taking the outer bits from the two adjacent

groups. For example

... efgh ijkl mnop ... is expanded to

... defghi hijklm lmnopq ...

The resulting 48 bits are XORed with Ki.

Substitution: This 48-bit result is input to S-Boxes that perform a substitution on input and

produces a 32-bit output.

o DES consists of a set of eight S-boxes.

o Each S-Box takes 6 bits as input and produces 4 bits as output.

o The first and last bits of the input to box form a 2-bit binary number which gives the

binary value of row number.

o The middle four bits select one of the sixteen columns.

o The decimal value in the cell selected by the row and column is then converted to its

4-bit binary number to produce the output.

o For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100

(column 12).The value in row 1, column 12 is 9, so the output is 1001.

The result is again permuted using a permutation table.
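The expansion rule and the S1 look-up described above, as an added example (not part of the original notes). The S1 table is the standard DES table; the helper names are chosen here. The last function checks the property the notes rely on when they call the S-boxes the only non-linear part of DES.

```python
"""DES expansion step and S-box look-up, following the description above."""

# DES S-box S1: 4 rows x 16 columns
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def expand(r_bits):
    """Expand a 32-character bit string to 48 characters.

    The input is split into eight 4-bit groups; each group becomes 6 bits
    by borrowing the nearest bit of each neighbouring group (wrapping
    around at both ends of the block).
    """
    if len(r_bits) != 32:
        raise ValueError("expected 32 bits")
    groups = [r_bits[i:i + 4] for i in range(0, 32, 4)]
    out = []
    for i, group in enumerate(groups):
        prev_bit = groups[i - 1][-1]          # index -1 wraps to the last group
        next_bit = groups[(i + 1) % 8][0]
        out.append(prev_bit + group + next_bit)
    return "".join(out)


def sbox_lookup(sbox, six_bits):
    """6-bit string in, 4-bit string out: outer bits pick the row,
    the middle four bits pick the column."""
    if len(six_bits) != 6:
        raise ValueError("expected 6 bits")
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return format(sbox[row][col], "04b")


def is_affine(sbox):
    """True if S(a ^ b) == S(a) ^ S(b) ^ S(0) for every pair of inputs,
    i.e. if the box could be replaced by XORs and a constant."""
    def s(x):
        return int(sbox_lookup(sbox, format(x, "06b")), 2)
    zero = s(0)
    return all(s(a ^ b) == s(a) ^ s(b) ^ zero
               for a in range(64) for b in range(64))


if __name__ == "__main__":
    # Letters instead of bits make the borrowed positions visible
    symbolic = "abcdefghijklmnopqrstuvwxyzABCDEF"
    e = expand(symbolic)
    print(" ".join(e[i:i + 6] for i in range(0, 48, 6)))
    print("S1(011001) =", sbox_lookup(S1, "011001"))
    print("S1 affine? ", is_affine(S1))
```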

Key Generation: A 64-bit key is used as input to the algorithm while only 56 bits are actually

used. Every eighth bit is ignored. Sub-keys at each round are generated as given below:

o The key is first permuted using a table named Permuted Choice One.

o The resulting 56-bit key is divided into two 28-bit quantities, C0 and D0. At each round,

Ci-1 and Di-1 are separately subjected to a circular left shift of 1 or 2 bits, as governed by

a table.

o These shifted values are forwarded to the next round. They are also input to a

permutation table-Permuted Choice Two.

o The table produces a 48-bit output that serves as the round key ki.

DES Decryption

Decryption in DES is same as encryption, except that the subkeys are used in reverse order.

Strength of DES

The Use of 56-Bit Keys

DES has been developed from LUCIFER which used 128-bit keys.

As a result, DES with only 56-bit key-length is considered insecure and devices have been

proposed time and again showing that DES is no longer secure.

The Nature of the DES

The only non-linear part of DES is the S-Boxes, design of which was not made public.

If someone is able to find weakness in S-Box, then attack on DES is possible.

Characteristics of the algorithm can be exploited as the algorithm is based on linear functions.

Algorithm Timing Attacks

In this type of attack, the attacker exploits the fact that any algorithm takes different amount

of time for different data.

Double DES

DES is vulnerable to a brute-force attack, so various alternatives have been considered, one of

which is multiple encryptions.

The simplest form of multiple encryptions has two encryption stages and two keys and is

known as Double DES.

Given a plaintext P and two encryption keys K1 and K2, cipher text C is generated as:

C = E(K2, E(K1, P))

Decryption applies keys in reverse order:

P = D(K1, D(K2, C))

This scheme involves a key length of 56 * 2 = 112 bits, making Brute-Force attack impractical.

However, other types of attacks are possible:

o Reduction to a Single Stage: If it is possible to find a key such that

E(K2, E(K1, P)) = E(K3, P)

then double encryption, or any number of stages of multiple encryption with DES, would

be useless because the result would be equivalent to a single encryption with a single 56-

bit key. However, by the principle of reverse mapping, such a key is not possible.

o Meet-In-The-Middle Attack: This attack is based on the observation that if:

C = E(K2, E(K1, P)), then

X = E(K1, P) = D(K2, C)

Given a known (P, C) pair, the attack proceeds as follows:

First, encrypt P for all 2^56 possible values of K1.

Store these results in a table and then sort the table by the values of X.

Decrypt C using all 2^56 possible values of K2.

Check the result against the table for a match after every decryption.

If a match occurs, then test the two resulting keys against a new known plaintext–

ciphertext pair. If the two keys produce the correct ciphertext, accept them as the

correct keys.

For any given plaintext, 2^48 false alarms are possible since there are only 2^64 ciphertext

values whereas 2^112 key values. Thus, the order of attack can be reduced to 2^48 instead

of 2^112.
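The table-and-match procedure above, as an added example (not part of the original notes), run against a constructed toy cipher with a 16-bit block and 12-bit keys so that it finishes instantly. The names E, D, K1 and K2 follow the notes; the cipher and all sample values are constructed. The point for a designer is that double encryption costs the attacker two passes over one key space, not a search over all key pairs.

```python
"""Meet-in-the-middle against double encryption with a toy cipher."""

KEY_BITS = 12                 # toy key size (DES: 56)
MASK = 0xFFFF                 # toy block size: 16 bits (DES: 64)
K1, K2 = 0x3A7, 0xC51         # constructed secret keys


def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK


def E(k, p):
    """Toy invertible cipher: 4 rounds of add, rotate, XOR (not secure)."""
    for r in range(4):
        p = rotl((p + k * (2 * r + 1)) & MASK, 5) ^ ((k << 4) | r)
    return p


def D(k, c):
    """Inverse of E."""
    for r in reversed(range(4)):
        c = (rotr(c ^ ((k << 4) | r), 5) - k * (2 * r + 1)) & MASK
    return c


def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))            # C = E(K2, E(K1, P))


def known_pairs():
    """Constructed known plaintext/ciphertext pairs."""
    return [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]


# Cipher operations in the two main passes, versus trying every key pair
MITM_CIPHER_OPS = 2 * (1 << KEY_BITS)
BRUTE_FORCE_OPS = 1 << (2 * KEY_BITS)


def meet_in_the_middle(pairs):
    (p0, c0), rest = pairs[0], pairs[1:]

    # Pass 1: X = E(K1, P) for every K1, indexed by X
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(E(k1, p0), []).append(k1)

    # Pass 2: X = D(K2, C) for every K2; a table hit is a candidate pair
    candidates = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(D(k2, c0), []):
            # False alarms are removed with the remaining known pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    found = meet_in_the_middle(known_pairs())
    print("surviving key pairs:", [(hex(a), hex(b)) for a, b in found])
    print("cipher operations  :", MITM_CIPHER_OPS, "vs", BRUTE_FORCE_OPS)
```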

Triple DES

Triple DES with Two Keys

A counter to the meet-in-the-middle attack is to use three stages of encryption with three

or two different keys.

The function follows an encrypt-decrypt-encrypt (EDE) sequence.

C = E(K1, D(K2, E(K1, P)))

P = D(K1, E(K2, D(K1, C)))

3DES with two keys is a relatively popular alternative to DES.

Currently, there are no practical cryptanalytic attacks on 3DES.

Brute-force key search on 3DES is on the order of 2^112 and the cost of differential cryptanalysis

also has an exponential growth, compared to single DES.

Several proposed attacks (though impractical) on 3DES are:

o Chosen-plaintext attack: Find plaintext values that give A = 0. Then, use the meet-in-the-middle

attack to determine the two keys. However, this attack requires 2^56 chosen

plaintext-cipher text pairs which is impractical.

o Known-plaintext attack: This method does not require chosen plaintext-cipher text pairs

but requires more effort. The attack is based on the observation that if an attacker knows

A and C, then the problem reduces to that of an attack on double DES. The attack is as

follows:

The attacker obtains n (P, C) pairs and places them in Table 1 sorted on the values of P.

For an arbitrary value a for A, calculate the plaintext value that produces:

Pi = D(i, a)

For each Pi that matches an entry in Table 1, create an entry in Table 2 that contains value

of K1 and b that is obtained by decrypting the corresponding cipher text from Table 2.

B = D(i, C)

Table 2 contains a number of candidate values of Ki. Now, for each of the 2^56 possible

values of K2, calculate the second intermediate value for our chosen value of a:

Bj = D(j, a)

At each step, look up Bj in Table 2. If there is a match, then the corresponding key i from

Table 2 plus this value of j are candidate values for the unknown keys (K1, K2).

Test each candidate pair of keys on a few other plaintext–cipher text pairs. If a pair of

keys produces the desired cipher text, the task is complete.

If no pair succeeds, repeat from step 1 with a new value of a.

Triple DES with Three Keys

Although the attacks just described appear impractical, anyone using two-key 3DES may feel

some concern.

In that case, three-key 3DES is the preferred alternative.

Three-key 3DES has an effective key length of 168 bits and is defined as:

C = E(K3, D(K2, E(K1, P)))

Backward compatibility with DES is provided by putting K3 = K1 or K1 = K3.

A number of Internet-based applications have adopted three-key 3DES, including PGP and

S/MIME.

International Data Encryption Algorithm (IDEA)

Features

IDEA is publicly known and easily understandable.

Due to the simplicity of the operations used in this algorithm, it can be economically

implemented in electronic components. As a result, its hardware implementation is extremely

fast and cheap and consumes low power.

A distinct feature of this algorithm is that it completely avoids look-up tables and S-Boxes.

To avoid fraud and piracy, this algorithm is patent protected.

This algorithm uses operations from three different algebraic groups viz. bitwise X-OR, modulo

addition and multiplication.

IDEA supports all the modes of operation.

Encryption

IDEA is a block cipher with input of 64-bits.

Key size is 128-bits.

Encryption consists of eight identical rounds also known as encryption rounds followed by one

output transformation round.

Input is divided into four 16-bit blocks. Two blocks are combined with two 16-bit key blocks

using addition modulo 2^16 and other two plaintext blocks are combined with key blocks using

multiplication modulo 2^16 + 1.

Two more 16-bit key blocks are used in modulo multiplication and addition as shown in the

figure.

At the end of the first round, four 16-bit values are produced which are input to the next

round.

The same process is repeated 7 more times using a different key-block every time.

During the subsequent output transformation, the four 16-bit values produced at the end of

the 8th encryption round are combined with the last four of the 52 key sub-blocks using

addition modulo 2^16 and multiplication modulo 2^16 + 1 to form the resulting four 16-bit cipher

text blocks.

Figure : IDEA Encryption

Decryption

Decryption is same as encryption except that different key-blocks are used.

Key Generation

A total of 52 (6 keys in each of the first eight rounds and 4 keys in last round) different 16-bit

sub-blocks have to be generated from the 128-bit key.

Encryption Keys: The fifty two 16-bit key sub-blocks are generated from the 128-bit key as

given below:

o The 128-bit key is partitioned into eight 16-bit sub-blocks. These are directly used as the

first eight key sub-blocks.

o The 128-bit key is cyclically shifted to the left by 25 positions. The resulting 128-bit block is

again partitioned into eight 16-bit sub-blocks to be used as the next eight key sub-blocks.

o The cyclic shift procedure described above is repeated until all of the required fifty two 16-

bit key sub-blocks have been generated.

Round  Encryption Keys                        Decryption Keys
1      Z1(1) Z2(1) Z3(1) Z4(1) Z5(1) Z6(1)    Z1(9)^-1 -Z2(9) -Z3(9) Z4(9)^-1 Z5(8) Z6(8)
2      Z1(2) Z2(2) Z3(2) Z4(2) Z5(2) Z6(2)    Z1(8)^-1 -Z3(8) -Z2(8) Z4(8)^-1 Z5(7) Z6(7)
3      Z1(3) Z2(3) Z3(3) Z4(3) Z5(3) Z6(3)    Z1(7)^-1 -Z3(7) -Z2(7) Z4(7)^-1 Z5(6) Z6(6)
4      Z1(4) Z2(4) Z3(4) Z4(4) Z5(4) Z6(4)    Z1(6)^-1 -Z3(6) -Z2(6) Z4(6)^-1 Z5(5) Z6(5)
5      Z1(5) Z2(5) Z3(5) Z4(5) Z5(5) Z6(5)    Z1(5)^-1 -Z3(5) -Z2(5) Z4(5)^-1 Z5(4) Z6(4)
6      Z1(6) Z2(6) Z3(6) Z4(6) Z5(6) Z6(6)    Z1(4)^-1 -Z3(4) -Z2(4) Z4(4)^-1 Z5(3) Z6(3)
7      Z1(7) Z2(7) Z3(7) Z4(7) Z5(7) Z6(7)    Z1(3)^-1 -Z3(3) -Z2(3) Z4(3)^-1 Z5(2) Z6(2)
8      Z1(8) Z2(8) Z3(8) Z4(8) Z5(8) Z6(8)    Z1(2)^-1 -Z3(2) -Z2(2) Z4(2)^-1 Z5(1) Z6(1)
9      Z1(9) Z2(9) Z3(9) Z4(9)                Z1(1)^-1 -Z2(1) -Z3(1) Z4(1)^-1

Decryption keys: Each of the 52 16-bit key sub-blocks used for decryption is either inverse or

negative of the key sub-block used during encryption.

Also, the key sub-blocks must be used in the reverse order during decryption.

Blowfish

Blowfish is a symmetric block cipher algorithm which is public domain, secure and lightweight.

Notable features of Blowfish include key-dependent S-Boxes and a highly complex key

schedule.

This algorithm is fast. And Blowfish has a very low memory requirement and uses simple

operations that are efficient on microprocessors.

This algorithm is suitable for applications where the key does not change often as the key

schedule is highly complex and time consuming.

This algorithm has no linear structure and hence is more secure against cryptanalysis.

There is no effective cryptanalysis on the full-round version of Blowfish.

It includes bitwise X-OR, addition modulo 2^32 and S-Box look-up.

Encryption

The encryption process is shown in the figure below:

The algorithm takes a 64-bit input and uses a key varying from 32 to 448 bits.

Keys are precomputed.

Input is divided into two halves. Left half is X-ORed with first element of P-array P1 and the

right half is X-ORed with the output of the round function.

Left and right halves are then swapped to give left and right halves that are fed to the next

round.

Same process is repeated 16 times.

The left output of the 16th round is X-ORed with P18 and the other output is X-ORed with P17.

The result is then combined to produce 64-bit cipher text.

Round Function

The function divides a 32-bit input into four groups of 8 bits.

Each group is input to an S-Box which takes in 8-bit input and gives out 32-bit output.

The output of S-Boxes are then added and X-ORed as shown in the figure below to produce

the output.

Generating the Sub keys

The P-array and S-array values used by Blowfish are precomputed based on the user's key.

After computing P and S arrays, the user's key may be discarded.

The P-array and S-array need to be recomputed only when the key changes and they must be

kept secret.

The sub keys are calculated using the Blowfish algorithm:

1) Initialize first the P-array and then the four S-boxes with hexadecimal digits of pi except

the initial 3.

2) XOR P1 with the first 32 bits of the key, XOR P2 with the second 32-bits of the key, and so

on for all bits of the key.

3) Repeatedly cycle the key bits until the entire P-array has been XORed with key bits.

4) Encrypt a message with all zeroes with the Blowfish algorithm, using the sub keys

described in steps (1) and (2).

5) Replace P1 and P2 with the output of step (4).

6) Encrypt the output of step (4) using the Blowfish algorithm with the modified sub keys.

7) Replace P3 and P4 with the output of step (6).

8) Continue the process, replacing all entries of the P array, and then all four S-boxes.

RC-2

RC-2 has a very simple design and is 3 times faster than DES.

This algorithm does not use S-Boxes.

This algorithm is used in S/MIME.

This algorithm has a total of 18 rounds – 16 mixing rounds and 2 mashing rounds.

RC-2 is a 64-bit block cipher with a variable key size of 8-128 bits in 8-bit increment. Default

size is 64 bits.

RC-2 Encryption

The 64-bit input is split into 4 16-bit words, R[0], R[1], R[2], R[3].

Key is expanded to get 64 16-bit words, K[0], K[1],…, K[63].

Initialize a variable j to 0.

Perform 5 mixing rounds followed by 1 mashing round. It is followed by 6 more mixing rounds,

then 1 mashing round and again 5 mixing rounds.

Each mixing round uses 4 keywords and mashing rounds uses keywords that vary from

encryption to encryption.

Mixing round

One-fourth part of a mixing round is shown in the figure below. When this process is repeated

four times, a single mixing round is completed.

The mix operation adds a combination of other data words and one keyword to each data

word.

Operations of mixing round can be given by the expression:

R[i] = R[i] + K[j] + ((R[i-1] & R[i-2]) + (~R[i-1] & R[i-3]))

R[i] = R[i] <<< S[i]; circular left shift (rotation) by S[i] bits

j = j + 1

Mashing round

The mashing operation chooses 4 random sub keys based on the value of current data words

and adds them to the data word.

A mash operation can be expressed as:

R[i] = R[i] + K[R[i-1] % 64]

Decryption

Decryption is just the reverse of encryption.

Decryption uses the reverse encryption operations and has R-mixing and R-mashing rounds.

R-mixing round

j is initialized to 63.

This round can be expressed as:

R[i] = R[i] >>> S[i]; circular right shift (rotation) by S[i] bits

R[i] = R[i] – ((R[i-1] & R[i-2]) + (~R[i-1] & R[i-3])) – K[j]

j = j - 1

R-mashing round

The expression for this round is:

R[i] = R[i] – K[R[i-1] % 64]

A related key attack has been proposed for RC-2. However, it needs 2^34 chosen plaintexts and

hence is impractical and RC-2 is secure at least in near future.

RC-5

RC-5 has a variable block size (32, 64, 128), key size (0 - 2040 bits) and number of rounds (0 –

255).

Most common values for block size, key size and number of rounds are 64 bits, 128 bits and 12

respectively.

This algorithm is very fast and has a low memory requirement.

This algorithm has a data dependent rotation which strengthens the algorithm against

cryptanalysis.

Operations used in the algorithm are rotation, X-OR, addition and subtraction modulo 2^w.

Encryption

Data words are divided into 2 parts.

Left and right half are added with S[0] and S[1] respectively.

Each half is then subjected to the following round operations:

o X-OR with other half.

o Rotate data (left/ right half) based on the other half.

o Add subsequent S-array element.

A single encryption round and the initial addition is shown below.

Entire encryption algorithm can be depicted by the following expressions:

A = A + S[0]

B = B + S[1]

for i = 1 to r (r = no of rounds)

A = ((A ⊕ B) <<< B) + S[2*i]; <<< B is a circular left shift (rotation) by B bits

B = ((B ⊕ A) <<< A) + S[2*i + 1]

Decryption

Decryption is just the reverse of encryption and can be expressed as:

for i = r down to 1 (r = no of rounds)

B = ((B – S[2*i + 1]) >>> A) ⊕ A; >>> A is a circular right shift (rotation) by A bits

A = ((A – S[2*i]) >>> B) ⊕ B

B = B - S[1]

A = A - S[0]

Key expansion

User’s secret key is expanded to fill S-array of size t = 2(r + 1).

Define magic constants Pw and Qw.

Pw = Odd((e – 2) * 2^w); e = 2.71

Qw = Odd((φ – 1) * 2^w); φ = 1.61

Convert the secret key K[0] to K[b-1] from bytes to words and copy it into L-array, L[0] to L[c-

1]. b is the size of key in bytes and c is the size of L-array obtained by dividing the key size by

number of bytes in a word.

Initialize S-array in the following way:

S[0] = Pw

for i = 1 to (t-1)

S[i] = S[i-1] + Qw

Mix the secret key with S-array and L-array.

i = j = 0

A = B = 0

repeat 3 * max(t, c) times:

A = S[i] = (S[i] + A + B) <<< 3; <<< 3 denotes circular left shift (rotation) by 3 bits.

B = L[j] = (L[j] + A + B) <<< (A + B);

i = (i + 1) mod t

j = (j + 1) mod c

12 round RC-5 is prone to differential attack but it needs 2^44 chosen cipher texts, hence

impractical.

Generally, for greater security RC-5 with 18 to 20 rounds is used.

CAST-128

CAST-128 is a 64-bit block cipher and it supports variable key-size (40-128 in 8-bit increments

like 40, 48, 56 and so on).

Components include large 8×32-bit S-boxes, key-dependent rotations, modular addition and

subtraction, and XOR operations.

There are three alternating types of round function which are similar in structure but differ

only in the choice of the exact operation (addition, subtraction or XOR) at various points.

CAST-128 is a 12 or 16-round Feistel network. If key size is less than 80 bits, 12 rounds are

used else full 16 rounds are used.

CAST-128 is a cryptographically-strong, freely-available encryption algorithm.

Encryption

The CAST-128 encryption is shown in the figure:

Compute 16 pairs of sub keys {Kmi, Kri} from K.

Split the plaintext into left and right 32-bit halves.

There are 3 different rounds which are repeated alternately and the data halves are processed

in the following way.

Li = Ri-1

Ri = Li-1 ^ f(Ri-1,Kmi,Kri) , where f is round function.

Swap the left and right halves obtained from the final round. These are combined to form

cipher text.

Decryption is same as encryption except that rounds are used in reverse order.

Key Generation

CAST-128 key generation includes splitting the input keys and passing it through a large series

of S-box look-ups.

CAST-128 uses a pair of sub keys per round: a 32-bit quantity Km is used as a "masking" key

and a 5-bit quantity Kr is used as a "rotation" key.

Variable Key size: The CAST-128 encryption algorithm has been designed to allow a key size

that can vary from 40 bits to 128 bits. The specifications for the use of variable key size are as

follows:

o For key sizes up to and including 80 bits (i.e., 40, 48… 72, 80 bits), the algorithm uses 12

rounds instead of 16.

o For key sizes greater than 80 bits, the algorithm uses the full 16 rounds.

o For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost

positions) out to 128 bits

Non-identical rounds and Round function

Input is split into 4 8-bit blocks, Ia, Ib, Ic and Id.

Three different round functions are used in CAST-128. The rounds are as follows:

o Type 1: Input = ((Kmi + R_{i-1}) <<< Kri)

f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]

o Type 2: Input = ((Kmi ^ R_{i-1}) <<< Kri)

f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]

o Type 3: Input = ((Kmi - R_{i-1}) <<< Kri)

f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]

where "+" and "-" are addition and subtraction modulo 2^32,

"^" is bitwise XOR, and

"<<<" is the circular left-shift operation.

Rounds 1, 4, 7, 10, 13, and 16 use function of Type 1. Rounds 2, 5, 8, 11, and 14 use function of

Type 2. Rounds 3, 6, 9, 12, and 15 use function of Type 3.

Substitution Boxes: CAST-128 uses eight substitution boxes: S-boxes S1, S2, S3, and S4 are

used in encryption-decryption while S5, S6, S7, and S8 are used in key schedule algorithm.

This algorithm is resistant to linear and differential attacks.

Q 4. Explain S-box. What is the purpose of S-boxes in DES?

Figure: Calculation of F(R, K)

The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and

produces 4 bits as output.

S-boxes: These are the only non-linear part of DES, and they secure the algorithm against differential cryptanalysis.

They are typically used to obscure the relationship between the key and the cipher text to

provide confusion.

The permutation P spreads the bits as widely as possible, so each S-box output affects as many

S-box inputs in the next round as possible, giving "diffusion".

There are 8 S-boxes or substitution boxes. An S-box is a table that consists of four rows and 16

columns.

They take in 6-bits and produce 4-bits. The 48-bit input is divided into groups of 6-bits each to

form a total of 8 groups.

Each group is fed to an S-box. The 6 bits are represented in binary form. The two outer bits (the first and the last bit) represent the row (one of the four rows) and the inner four bits represent the column (one of the 16 columns). The cell where the row and the column meet represents the value of the output.

For example, if the input to an S-box is 010100, the first and last digits, 00, give the row (Row 0). The inner four digits, 1010, give the column (Column 10).

All the 8 S-boxes will output 4-bits each in similar way.

Figure: S-Box

Q 5. List and explain various block cipher modes of operation with the help of diagram.

There are 5 modes of operation which are listed below.

Electronic Codebook mode (ECB)

This is the simplest mode in which plaintext is handled one block at a time and each block of

plaintext is encrypted using the same key.

The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext. Therefore, we can imagine a huge codebook in which there is an entry for every possible b-bit plaintext showing its corresponding ciphertext.

For a message longer than b bits, the procedure is simply to break the message into b-bit

blocks, padding the last block if necessary.

Decryption is performed one block at a time, always using the same key.

For lengthy messages, ECB mode may not be secure. If the message has repetitive elements, then these elements can be identified by the analyst.

Thus, the ECB method is ideal for a short amount of data, such as an encryption key.

Cipher Block Chaining Mode (CBC)

To overcome the security deficiencies of ECB, a technique is needed in which the same

plaintext block, if repeated, produces different cipher text blocks.

A simple way to satisfy this requirement is the cipher block chaining (CBC) which is shown in

the figure.

In this mode, the input to the encryption algorithm is the X-OR of the current plaintext block

and the preceding ciphertext block; the same key is used for each block.

The input to the encryption function for each plaintext block has no fixed relationship to the

plaintext block.

Therefore, repeating patterns will not produce same ciphertext.

The last block is padded to a full b bits if it is a partial block.

For decryption, each cipher block is passed through the decryption algorithm. The result is X-ORed with the preceding ciphertext block to produce the plaintext block.

The expressions for CBC are:

Encryption: C_j = E(K, [C_{j-1} ⊕ P_j])

Decryption: D(K, C_j) = D(K, E(K, [C_{j-1} ⊕ P_j])) = C_{j-1} ⊕ P_j

X-OR of the preceding ciphertext block with the decryption output: C_{j-1} ⊕ D(K, C_j) = C_{j-1} ⊕ C_{j-1} ⊕ P_j = P_j

To produce the first block of cipher text, an initialization vector (IV) is X-ORed with the first

block of plaintext.

On decryption, the IV is X-ORed with the output of the decryption algorithm to recover the

first block of plaintext.

The IV must be known to both the sender and receiver but be unpredictable by a third party.

For maximum security, the IV should be protected against unauthorized changes. This could be

done by sending the IV using ECB encryption.

Cipher Feedback Mode (CFB)

DES is a block cipher, but it may be used as a stream cipher if the Cipher Feedback Mode (CFB)

or the Output Feedback Mode (OFB) is used. CFB scheme is depicted below.

A stream cipher eliminates the need to pad a message to be an integral number of blocks.

It also can operate in real time.

The segment size s is selected by the user; usually it is 8 bits.

In this case, rather than units of 64 bits, the plaintext is divided into segments of s bits.

Encryption: The input to the encryption function is a 64-bit shift register that is initially set to

some initialization vector (IV).

The leftmost (most significant) s bits of the output of the encryption function are X-ORed with

the first segment of plaintext P1 to produce the first unit of ciphertext C1, which is then

transmitted.

In addition, the contents of the shift register are shifted left by s bits and C1 is placed in the

rightmost s bits of the shift register.

This process continues until all plaintext units have been encrypted.

Decryption: The same scheme is used except that the received ciphertext unit is X-ORed with

the output of the encryption function to produce the plaintext unit.

The disadvantage of this scheme is that a bit error in one ciphertext unit also propagates to the next stage.

Output Feedback Mode (OFB)

The Output Feedback Mode (OFB) is similar in structure to that of CFB:

The only difference between CFB and OFB is that in OFB the output of the encryption function is fed back to the shift register, whereas in CFB the ciphertext is fed to the shift register.

One advantage of the OFB method is that bit errors in transmission do not propagate.

The disadvantage of OFB is that it is more vulnerable to a message stream modification attack

than CFB.

Counter Mode (CTR)

In this mode, a counter equal in size to the plaintext block is used.

The only requirement is that the counter value must be different for each plaintext block that is encrypted.

Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo 2^b, where b is the block size).

Counter Mode works as follows:

Encryption: The counter is encrypted and then X-ORed with the plaintext block to produce the

cipher text block; there is no chaining.

Decryption: The same sequence of counter values is used. Each encrypted counter is X-ORed

with a cipher text block to recover the corresponding plaintext block.

CTR has the following advantages:

o Hardware efficiency: In this mode, encryption (or decryption) can be done in parallel on

multiple blocks of plaintext or cipher text. For the chaining modes, the algorithm must

complete the computation on one block before beginning on the next block.

o Software efficiency: Similarly, because of the opportunities for parallel execution in CTR mode, processors that support parallel features, such as aggressive pipelining, multiple instruction dispatch per clock cycle and a large number of registers, can be effectively utilized.

o Preprocessing: The execution of the encryption algorithm does not depend on input of the

plaintext or cipher text. Therefore preprocessing can be used to prepare the output of the

encryption boxes which can be fed into the X-OR functions when the plaintext or cipher

text input is presented.

o Random access: The ith block of plaintext or cipher text can be processed in random-access fashion. With the chaining modes, the ith block cannot be computed until the i - 1 prior blocks are computed.

o Provable security: It can be shown that CTR is as secure as the other modes.

o Simplicity: CTR mode requires only the implementation of the encryption algorithm and

not the decryption algorithm and has a very simple implementation.

This mode is used in ATM (asynchronous transfer mode) and IPsec (IP security) nowadays.
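The behaviour of the five modes described above, shown on a toy cipher; this is an added example, not part of the original notes. The 4-round SHA-256-based Feistel cipher `E`/`D`, the key, IV and message are constructed stand-ins for DES, and CFB/OFB use s = 8.

```python
import hashlib

BLOCK = 8  # bytes: 64-bit blocks, as in DES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Toy round function F (SHA-256 based). A stand-in, not the DES F function.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel block encryption (constructed for this example)."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _round(r, key, i))
    return r + l

def D(key: bytes, block: bytes) -> bytes:
    """Same structure as E with the round subkeys in reverse order."""
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = r, xor(l, _round(r, key, i))
    return r + l

def split(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # Input must already be padded to a multiple of BLOCK.
    return b"".join(E(key, p) for p in split(pt))

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for p in split(pt):
        prev = E(key, xor(prev, p))       # C_j = E(K, C_{j-1} xor P_j)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in split(ct):
        out.append(xor(prev, D(key, c)))  # P_j = C_{j-1} xor D(K, C_j)
        prev = c
    return b"".join(out)

def cfb8(key, iv, data, decrypt=False):
    """CFB with s = 8: the ciphertext byte is shifted into the register."""
    reg, out = iv, bytearray()
    for byte in data:
        res = E(key, reg)[0] ^ byte       # leftmost s bits of E(K, register)
        out.append(res)
        reg = reg[1:] + bytes([byte if decrypt else res])
    return bytes(out)

def ofb8(key, iv, data):
    """OFB with s = 8: the cipher output byte is shifted into the register."""
    reg, out = iv, bytearray()
    for byte in data:
        ks = E(key, reg)[0]
        out.append(ks ^ byte)
        reg = reg[1:] + bytes([ks])
    return bytes(out)

def ctr(key, start, data):
    """CTR: encrypt the counter (mod 2^b) and X-OR it with the block; no padding."""
    out = bytearray()
    for i, blk in enumerate(split(data)):
        c = ((start + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out += xor(blk, E(key, c))
    return bytes(out)

def damaged_bytes(decrypt, ct, pt, pos=5):
    """Flip one ciphertext bit at byte `pos`; return indices of wrong plaintext bytes."""
    bad = bytearray(ct)
    bad[pos] ^= 0x01
    got = decrypt(bytes(bad))
    return [i for i, (a, b) in enumerate(zip(got, pt)) if a != b]

# Constructed sample inputs.
KEY, IV = b"example-key", bytes(range(8))
MSG = b"SAMEBLK!" * 4  # four identical 8-byte plaintext blocks

if __name__ == "__main__":
    print("ECB blocks:", [b.hex() for b in split(ecb_encrypt(KEY, MSG))])
    print("CBC blocks:", [b.hex() for b in split(cbc_encrypt(KEY, IV, MSG))])
    cfb_ct, ofb_ct = cfb8(KEY, IV, MSG), ofb8(KEY, IV, MSG)
    print("CFB damage:", damaged_bytes(lambda c: cfb8(KEY, IV, c, True), cfb_ct, MSG))
    print("OFB damage:", damaged_bytes(lambda c: ofb8(KEY, IV, c), ofb_ct, MSG))
```

The ECB output repeats the same ciphertext block four times while the CBC blocks all differ, and a single flipped ciphertext bit damages a run of plaintext bytes under CFB but only one byte under OFB.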

Q 6. Write the key distribution scenario in which each user shares a unique master key with key

distribution center.

A scenario where each user shares a unique master key with the key distribution center (KDC)

is presented below.

Assume that user A wishes to establish a logical connection with B and requires a one-time

session key to protect the data transmitted over the connection.

A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb

with the KDC.

The following steps occur:

o Step 1: A issues a request to the KDC for a session key to communicate with B. The

message includes the identity of A and B and a unique identifier, nonce N1, for this

transaction. Nonce should be difficult for an opponent to guess.

o Step 2: The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the message, and knows that it originated at the KDC. The message includes two items intended for A: the one-time session key, Ks, and the original request message, so that A can verify that its original request was not altered before reception by the KDC; the nonce proves that this is not a replay of some previous request.

o In addition, the message includes two items intended for B: the one-time session key, Ks, to be used for the session and an identifier of A, IDA. The last two items are encrypted with Kb.

o Step 3: A stores the session key for use in the upcoming session and forwards to B the last

two items ( E(Kb, [Ks || IDA]) ) of the message from KDC.

o Since, this information is encrypted with Kb, it is protected from eavesdropping.

o B knows the session key and the other party, A, and knows that the information originated at the KDC (because it is encrypted using Kb).

o Key exchange is complete here. However two steps are added for authentication purpose.

o Step 4: Using the new session key for encryption, B sends a nonce N2, to A.

o Step 5: A encrypts f(N2) using Ks, where f is a function that performs some transformation

on N2.
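Steps 1 to 5 above as a runnable exchange, added here as an illustration and not part of the original notes. The `seal`/`unseal` helpers (a SHA-256 keystream with an HMAC tag) are a constructed stand-in for E(K, ...), f(N) = N + 1 is an assumed transformation, and all class and field names are hypothetical.

```python
import hashlib, hmac, json, secrets

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, obj) -> str:
    """Stand-in for E(K, ...): toy keystream encryption plus an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def unseal(key: bytes, blob: str):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message was not produced under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def f(n: int) -> int:
    return n + 1  # assumed; the text only says "some transformation"

class KDC:
    def __init__(self, master_keys):
        self.master = master_keys                 # {"A": Ka, "B": Kb}

    def respond(self, request):                   # step 2
        ks = secrets.token_hex(16)                # one-time session key Ks
        ticket = seal(self.master[request["idb"]],
                      {"ks": ks, "ida": request["ida"]})   # E(Kb, [Ks || IDA])
        return seal(self.master[request["ida"]],
                    {"ks": ks, "request": request, "ticket": ticket})

class Initiator:                                  # user A
    def __init__(self, name, ka):
        self.name, self.ka = name, ka

    def request(self, peer):                      # step 1
        self.pending = {"ida": self.name, "idb": peer, "n1": secrets.randbits(64)}
        return self.pending

    def accept(self, reply):                      # checks step 2, performs step 3
        msg = unseal(self.ka, reply)
        if msg["request"] != self.pending:
            raise ValueError("echoed request or nonce mismatch: altered or replayed")
        self.ks = bytes.fromhex(msg["ks"])
        return msg["ticket"]                      # forwarded to B unchanged

    def answer(self, challenge):                  # step 5
        n2 = unseal(self.ks, challenge)["n2"]
        return seal(self.ks, {"fn2": f(n2)})

class Responder:                                  # user B
    def __init__(self, name, kb):
        self.name, self.kb = name, kb

    def receive_ticket(self, ticket):             # end of step 3, then step 4
        t = unseal(self.kb, ticket)               # fails unless sealed under Kb
        self.ks, self.peer = bytes.fromhex(t["ks"]), t["ida"]
        self.n2 = secrets.randbits(64)
        return seal(self.ks, {"n2": self.n2})

    def verify(self, answer):                     # B checks A's step 5 reply
        return unseal(self.ks, answer)["fn2"] == f(self.n2)

def run_exchange():
    ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)
    kdc, a, b = KDC({"A": ka, "B": kb}), Initiator("A", ka), Responder("B", kb)
    reply = kdc.respond(a.request("B"))
    challenge = b.receive_ticket(a.accept(reply))
    ok = b.verify(a.answer(challenge))
    return a, b, reply, ok

if __name__ == "__main__":
    a, b, _, ok = run_exchange()
    print("handshake ok:", ok, "| same Ks:", a.ks == b.ks, "| B sees peer:", b.peer)
```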

In some cases, users are concerned about security from traffic analysis. Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom.

This can have obvious implications in a military conflict. Even in commercial applications, traffic analysis may yield information that the traffic generators would like to conceal.

The following types of information can be derived from a traffic analysis attack:

o Identities of partners

o How frequently the partners are communicating

o Message pattern, message length, or quantity of messages that suggest important information is being exchanged

o The events that correlate with special conversations between particular partners

Another concern related to traffic is the use of traffic patterns to create a covert channel. A covert channel is a means of communication in a fashion unintended by the designers of the communications facility. Typically, the channel is used to transfer information in a way that violates a security policy.

For example, an employee may wish to communicate information to an outsider in a way that is not detected by management and that requires simple eavesdropping on the part of the outsider. The two participants could set up a code in which an apparently legitimate message of less than a certain length represents binary zero, whereas a longer message represents a binary one.

Q 7. Explain different key distribution techniques.

Various key distribution techniques are:

Hierarchical Key control

For very large networks, key distribution function using a single KDC may not be practical.

As an alternative, a hierarchy of KDCs can be established.

For example, there can be local KDCs, each responsible for a small domain of the overall

internetwork, such as a single LAN or a single building.

For communication among entities within the same local domain, the local KDC is responsible

for key distribution.

If two entities in different domains desire a shared key, then the corresponding local KDCs can

communicate through a global KDC. In this case, any one of the three KDCs involved can

actually select the key.

The hierarchical concept can be extended to three or even more layers, depending on the size

of the user population and the geographic scope of the internetwork.

A hierarchical scheme minimizes the effort involved in master key distribution, because most

master keys are those shared by a local KDC with its local entities.

Such a scheme limits the damage of a faulty or subverted KDC to its local area only.

A Transparent Key Control Scheme

This scheme is useful for providing end-to-end encryption at a network or transport level in a

way that is transparent to the end users.

The approach assumes that communication makes use of a connection-oriented end-to-end

protocol, such as TCP.

An element of this approach is a session security module (SSM) that performs end-to-end

encryption and obtains session keys on behalf of its host or terminal.

Step 1: When one host wishes to set up a connection to another host, it transmits a

connection-request packet.

Step 2: The SSM saves that packet and applies to the KDC for permission to establish the

connection. The communication between the SSM and the KDC is encrypted using a master

key shared only by this SSM and the KDC.

Step 3: If the KDC approves the connection request, it generates the session key and delivers it

to the two appropriate SSMs, using a unique master key for each SSM.

Step 4: The requesting SSM can now release the connection request packet, and a connection

is set up between the two end systems. All user data exchanged between the two end systems

are encrypted by their respective SSMs using the one-time session key.

The automated key distribution approach provides the flexibility and dynamic characteristics

so that a number of terminal users can access a number of hosts.

Decentralized Key Control

The use of a key distribution center requires that the KDC should be trusted and protected

from subversion.

This requirement can be avoided if key distribution is fully decentralized.

Full decentralization is not practical for larger networks using symmetric encryption only. It

may be useful within a local context.

In a decentralized approach, each end system should be able to communicate in a secure

manner with all partner end systems. Thus, [n(n - 1)]/2 master keys must be maintained in a

network of n end systems.

A session key may be established with the following sequence of steps:

o A issues a request to B for a session key and includes a nonce N1.

o B responds with a message that is encrypted using the shared master key. The response

includes the session key selected by B, an identifier of B, the value f(N1), and another

nonce, N2.

o Using the new session key, A returns f(N2) to B.

Since the messages transferred using the master key are short, cryptanalysis is difficult.

Session keys are used for only a limited time to protect them.

Q 8. Which two criteria are used to validate that a sequence of numbers is random? Explain various

pseudorandom number generators.

Following are the criteria for validating whether a sequence of numbers is random:

o Randomness: The sequence of numbers should appear random in some well-defined

statistical sense. The following two criteria are used to validate that a sequence of

numbers is random:

Uniform distribution: The distribution of numbers in the sequence should be uniform;

that is, the frequency of occurrence of all the numbers should be approximately equal.

Independence: No one sub-sequence in the sequence can be inferred (guessed) from

the others.

o Unpredictability: The successive members of the sequence should be unpredictable. In

other words, each number should be statistically independent of other numbers in the

sequence and therefore unpredictable.

Various pseudorandom number generators are:

Linear Congruential Generators

The most widely used technique for pseudorandom number generation is known as the linear

congruential method.

The sequence of random numbers {Xn} is obtained via the following equation:

X_{n+1} = (a·X_n + c) mod m, where

m is the modulus, m > 0

a is the multiplier, 0 < a < m

c is the increment, 0 ≤ c < m

X_0 is the starting value, or seed, 0 ≤ X_0 < m

The selection of values for a, c, and m is critical in developing a good random number

generator.

However, this has implications for cryptanalysis. If an opponent knows that the linear

congruential algorithm is being used, then knowledge of a small part of the sequence is

sufficient to determine the parameters of the algorithm.

Suppose that the opponent is able to determine values for X_0, X_1, X_2 and X_3. Then

X_1 = (a·X_0 + c) mod m

X_2 = (a·X_1 + c) mod m

X_3 = (a·X_2 + c) mod m
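The equations above can be solved directly once the modulus is known, which is why linear congruential output must never be used for nonces or session keys; the following added example (not from the original notes) carries this out. It assumes the opponent already knows m, and the parameter values and seed are constructed.

```python
from math import gcd

def lcg(a, c, m, seed):
    """Generator for X_{n+1} = (a*X_n + c) mod m."""
    x = seed
    while True:
        yield x
        x = (a * x + c) % m

def recover_parameters(x0, x1, x2, m):
    """Solve X1 = a*X0 + c and X2 = a*X1 + c (mod m) for a and c.

    Subtracting the two equations gives X2 - X1 = a*(X1 - X0) (mod m),
    so a is unique only when (X1 - X0) is invertible modulo m.
    """
    d = (x1 - x0) % m
    if gcd(d, m) != 1:
        raise ValueError("X1 - X0 is not invertible mod m; other outputs are needed")
    a = ((x2 - x1) * pow(d, -1, m)) % m
    c = (x1 - a * x0) % m
    return a, c

def predict_next(outputs, m):
    """Recover (a, c) from the first three outputs, confirm them against any
    further observed outputs (such as X3), and return the next value."""
    a, c = recover_parameters(outputs[0], outputs[1], outputs[2], m)
    for prev, cur in zip(outputs[2:], outputs[3:]):
        if (a * prev + c) % m != cur:
            raise ValueError("sequence is not an LCG with this modulus")
    return (a * outputs[-1] + c) % m

# Constructed parameters and seed for the demonstration.
M, A, C, SEED = 2**31 - 1, 16807, 12345, 20240101

if __name__ == "__main__":
    gen = lcg(A, C, M, SEED)
    observed = [next(gen) for _ in range(4)]      # X0..X3 seen by the opponent
    print("recovered (a, c):", recover_parameters(*observed[:3], M))
    print("predicted X4:", predict_next(observed, M), "actual X4:", next(gen))
```

A generator used for keys has to meet the unpredictability criterion instead, for example an operating-system CSPRNG such as Python's `secrets` module.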

Cryptographically Generated Random Numbers

In this type of generator, available encryption logic is used to produce random numbers. Three representative examples are:

1. Cyclic Encryption

Session keys are generated from master keys in this procedure.

A counter with period N provides input to the encryption logic.

After each key is produced, the counter is incremented by one. Thus, the pseudorandom

numbers produced by this scheme cycle through a full period.

Since each of the outputs X0, X1, ..., XN is obtained by encrypting a different counter value, X0 ≠ X1 ≠ ... ≠ XN.

Also, because the master key is protected, it is not feasible to deduce any of the session keys (random numbers) through knowledge of one or more earlier session keys.

To strengthen the algorithm further, the input could be the output of a full-period PRNG

rather than a simple counter.

2. DES Output Feedback Mode

The output feedback (OFB) mode of DES can be used for key generation as well as for stream

encryption.

The output of each stage of OFB operation is a 64-bit value, of which the s leftmost bits are fed back for encryption.

Successive 64-bit outputs constitute a sequence of pseudorandom numbers with good

statistical properties.

3. ANSI X9.17 PRNG

One of the strongest PRNGs is specified in ANSI X9.17.

A number of applications employ this technique, like financial security applications and PGP.

The algorithm makes use of triple DES for encryption.

The ingredients are as follows:

o Input: Two pseudorandom inputs are given to the generator. One is a 64-bit

representation of the current date and time DTi and the other is a 64-bit seed value Vi.

o Keys: The generator makes use of three triple DES encryption modules which use the same

pair of 56-bit keys {K1, K2}.

o Output: The output consists of a 64-bit pseudorandom number Ri and a 64-bit seed value

Vi+1.

The expressions for a random number and the seed value are:

R_i = EDE([K1, K2], [V_i ⊕ EDE([K1, K2], DT_i)])

V_{i+1} = EDE([K1, K2], [R_i ⊕ EDE([K1, K2], DT_i)])

where EDE([K1, K2], X) refers to the sequence encrypt-decrypt-encrypt using two-key triple DES to encrypt X.

This technique is cryptographically strong due to the following reasons:

o The technique involves a 112-bit key and three EDE encryptions (nine DES

encryptions).

o The scheme has two pseudorandom inputs, the date and time value, and a seed

produced by the generator that is distinct from the pseudorandom number produced

by the generator. Thus, the amount of material that must be compromised by an

opponent is overwhelming.

Blum Blum Shub Generator

The procedure of this generator is as follows.

o Choose two large prime numbers, p and q, such that p ≡ q ≡ 3 (mod 4). For example, the prime numbers 7 and 11. Let n = p × q.

o Choose a random number s, such that s is relatively prime to n.

o Then the BBS generator produces a sequence of bits B_i according to the following algorithm:

X_0 = s^2 mod n

for i = 1 to infinity

X_i = (X_{i-1})^2 mod n

B_i = X_i mod 2

The BBS is referred to as a cryptographically secure pseudorandom bit generator (CSPRBG).

That is, this generator passes the next-bit test.

The security of BBS is based on the difficulty of factoring n.

Q 9. Where are random numbers used? Explain true random numbers.

A number of network security algorithms and protocols based on cryptography make use of

random binary numbers, some of which are:

o Key distribution (nonces)

o Authentication schemes

o Session key generation

o Generation of keys for the RSA public-key encryption algorithm

True Random Number Generators

A true random number generator (TRNG) uses a nondeterministic source to produce

randomness.

Most operate by measuring unpredictable natural processes, such as pulse detectors of

ionizing radiation events, leaky capacitors etc.

Intel has developed a commercially available chip that uses thermal noise by amplifying the

voltage measured across undriven resistors.

Another algorithm uses the variations in the response time of raw read requests for one disk

sector of a hard disk.

There are problems with the randomness and the precision of such numbers and also there

arises a requirement of attaching one of these devices to every system in an internetwork.

Another alternative is to use a published collection of good-quality random numbers.

However, these collections provide a very limited source of numbers compared to the

requirements of a network security application.

Furthermore, although the numbers in these books do indeed exhibit statistical randomness,

they are predictable, because an opponent who knows that the book is in use can obtain a

copy.

A true random number generator may produce an output that is biased in some way, such as

having more ones than zeros or vice versa, known as skew.

Various methods of modifying a bit stream to reduce or eliminate the bias have been

developed. These are referred to as de-skewing algorithms.

Q 10. Explain the following terms:

a) Diffusion

b) Confusion

c) The avalanche effect

d) Stream and Block ciphers

e) Transposition and Substitution

f) Differential and Linear Cryptanalysis

g) Reversible Mapping

h) Pseudorandom numbers

a) Diffusion: Diffusion attempts to make the statistical relationship between the plaintext and cipher text as complex as possible in order to thwart attempts to deduce the key. This is achieved by having each plaintext digit affect the value of many cipher text digits. Diffusion can be achieved by repeatedly performing some permutation on the data followed by applying a function to that permutation.

b) Confusion: Confusion seeks to make the relationship between the statistics of the cipher text and

the value of the encryption key as complex as possible, again to thwart attempts to discover the

key. This is achieved by the use of a complex substitution algorithm.

c) The avalanche effect: A small change in either the plaintext or the key should produce a

significant change in the cipher text. In particular, a change in one bit of the plaintext or one bit of

the key should produce a change in many bits of the cipher text. This is referred to as the

avalanche effect.

d) Stream and Block ciphers: A block cipher processes the input, one block of elements at a time,

producing an output block for each input block. A stream cipher processes the input elements

continuously, producing output one element at a time.

e) Transposition and Substitution: Transposition or permutation means changing the position of elements. That is, no elements are added, deleted or replaced in the sequence, but the order in which the elements appear in the sequence is changed. Substitution means replacing each plaintext element or group of elements uniquely by a corresponding ciphertext element or group of elements.

f) Differential Cryptanalysis: In differential cryptanalysis, the behavior of pairs of text blocks from each round of the cipher is observed instead of the final output. This attack starts with two messages, m and m', with a known XOR difference Δm = m ⊕ m', and considers the difference between the intermediate message halves: Δm_i = m_i ⊕ m'_i. Then,

If many pairs of inputs to f with the same difference yield the same output difference when the same sub key is used, and if a number of such differences are determined, it is feasible to determine the sub key used in the function f.

g) Linear Cryptanalysis: This attack is based on finding linear approximations to describe the

transformations performed in an algorithm. This method can find a key given known plaintexts

whereas differential cryptanalysis requires chosen plaintexts. For a cipher with n-bit plaintext and

cipher text blocks and an m-bit key, let the plaintext block be P[1], ..., P[n], the cipher text block

C[1], ..., C[n], and the key K[1], ... K[m]. Then, find an effective linear equation of the form:

P[a_1, a_2, ..., a_a] ⊕ C[b_1, b_2, ..., b_b] = K[g_1, g_2, ..., g_c]

where x = 0 or 1; 1 ≤ a, b ≤ n; 1 ≤ c ≤ m; and the a, b and g terms represent fixed, unique bit locations.

Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the equation for a large number of plaintext-ciphertext pairs. If the result is 0 more than half the time, assume K[g_1, g_2, ..., g_c] = 0 and vice versa. This gives us a linear equation on the key bits.

h) Reversible Mapping: If, for each given plaintext block, the encryption produces a unique ciphertext block, then such a transformation is called a reversible, or nonsingular, mapping.

i) Pseudorandom numbers: Sequences of numbers that exhibit properties of random numbers, like randomness and unpredictability, but are not actually random numbers. They are generated using some deterministic algorithm. Such numbers are called pseudorandom numbers.

Q-11 Explain characteristics of Advanced Symmetrical Block Cipher.

Key size (words/bytes/bits)               4/16/128    6/24/192    8/32/256
Plaintext block size (words/bytes/bits)   4/16/128    4/16/128    4/16/128
Number of rounds                          10          12          14
Round key size (words/bytes/bits)         4/16/128    4/16/128    4/16/128
Expanded key size (words/bytes)           44/176      52/208      60/240

Figure shows the overall structure of AES. The input to the encryption and decryption

algorithms is a single 128-bit block.

In FIPS PUB 197, this block is depicted as a square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption.

After the final stage, State is copied to an output matrix. The 128-bit key is depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words; each word is four bytes and the total key schedule is 44 words for the 128-bit key.

Note that the ordering of bytes within a matrix is by column.

So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second column, and so on.

Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the W matrix.