Chapter 5

Introduction to
Modern Symmetric-key
Ciphers

5.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
 Chapter 2

Symmetric and Asymmetric key

Cryptography and Key management

5.2
 Chapter 5
Objectives

❏ To distinguish between traditional and modern

symmetric-key ciphers.
❏ To introduce modern block ciphers and discuss
their characteristics.
❏ To explain why modern block ciphers need to be
designed as substitution ciphers.
❏ To introduce components of block ciphers such as
P-boxes and S-boxes.

5.3
 Chapter 5
Objectives (Continued)

❏ To discuss product ciphers and distinguish

between two classes of product ciphers: Feistel
and non-Feistel ciphers.
❏ To discuss two kinds of attacks particularly
designed for modern block ciphers: differential
and linear cryptanalysis.
❏ To introduce stream ciphers and to distinguish
between synchronous and nonsynchronous stream
ciphers.
❏ To discuss linear and nonlinear feedback shift
registers for implementing stream ciphers.
5.4
 5-1 MODERN BLOCK CIPHERS

A symmetric-key modern block cipher encrypts an

n-bit block of plaintext or decrypts an n-bit block of
ciphertext. The encryption or decryption algorithm
uses a k-bit key.

Topics discussed in this section:

5.1.1 Substitution or Transposition
5.1.2 Block Ciphers as Permutation Groups
5.1.3 Components of a Modern Block Cipher
5.1.4 Product Ciphers
5.1.5 Two Classes of Product Ciphers
5.1.6 Attacks on Block Ciphers
5.5
5.1 Continued

Figure 5.1 A modern block cipher

If message has fewer than n bits, padding must be added to make it an n-bit block; if >n bits, it should
be divided into n-bit blocks and add appropriate padding. Common values of n can be 64,128,256 or
512 bits.

5.6
5.1 Continued
Example 5.1
How many padding bits must be added to a message of 100
characters if 8-bit ASCII is used for encoding and the block
cipher accepts blocks of 64 bits?

Solution
Encoding 100 characters using 8-bit ASCII results in an 800-
bit message. The plaintext must be divisible by 64. If | M | and
|Pad| are the length of the message and the length of the
padding,

5.7
 5.1.3 Components of a Modern Block Cipher

Modern block ciphers normally are keyed substitution

ciphers in which the key allows only partial mappings
from the possible inputs to the possible outputs.

P-Boxes Or D-box: Diffusion box

A P-box (permutation box) parallels the traditional
transposition cipher for characters. It transposes bits.

5.15
 5.1.3 Continued

Figure 5.4 Three types of P-boxes

5.16
 5.1.3 Continued

Example 5.5
Figure 5.5 shows all 6 possible mappings of a 3 × 3 P-box.

Figure 5.5 The possible mappings of a 3 × 3 P-box

5.17
 5.1.3 Continued
Straight P-Boxes
Table 5.1 Example of a permutation table for a straight P-box

• D box can be implemented in H/W or S/W

• H/W implementation ---prewired

• S/W implementation—uses permutation table

• Entries are i/p’s and position of entries are o/p’s E.g. 1st o/p comes from 58th i/p and 64th o/p from

comes 7th i/p

5.18
 5.1.2 Continued

Example 5.6
Design an 8 × 8 permutation table for a straight P-box that
moves the two middle bits (bits 4 and 5) in the input word to
the two ends (bits 1 and 8) in the output words. Relative
positions of other bits should not be changed.

Solution
We need a straight P-box with the table [4 1 2 3 6 7 8 5].
The relative positions of input bits 1, 2, 3, 6, 7, and 8 have not
been changed, but the first output takes the fourth input and
the eighth output takes the fifth input.

5.19
 5.1.3 Continued
Compression P-Boxes

A compression P-box is a P-box with n inputs and m

outputs where m < n.

Table 5.2 Example of a 32 × 24 permutation table

5.20
 5.1.3 Continued
Expansion P-Boxes

An expansion P-box is a P-box with n inputs and m

outputs where m > n.

Table 5.3 Example of a 12 × 16 permutation table

5.21
 5.1.3 Continued
P-Boxes: Invertibility
• Encryption uses straight D-Box

• Decryption uses inverse of D-Box

Note
A straight P-box is invertible, but compression and
expansion P-boxes are not.

5.22
 5.1.3 Continued

Example 5.7
Figure 5.6 shows how to invert a permutation table
represented as a one-dimensional table.
Figure 5.6 Inverting a permutation table

5.23
 5.1.3 Continued

Figure 5.7 Compression and expansion P-boxes are non-invertible

5.24
 5.1.3 Continued

S-Box
An S-box (substitution box) can be thought of as a
miniature substitution cipher.

Note
An S-box is an m × n substitution unit, where m and
n are not necessarily the same.

• S-Box can be keyed or keyless

• Modern block ciphers uses keyless S-boxes

5.25
 5.1.3 Continued
Example 5.10
The following table defines the input/output relationship for
an S-box of size 3 × 2. The leftmost bit of the input defines the
row; the two rightmost bits of the input define the column.
The two output bits are values on the cross section of the
selected row and column.

Based on the table, an input of 010 yields the output 01. An

input of 101 yields the output of 00.
5.28
 5.1.3 Continued

Example 5.11
Figure 5.8 shows an example of an invertible S-box. For
example, if the input to the left box is 001, the output is 101.
The input 101 in the right table creates the output 001, which
shows that the two tables are inverses of each other.

Figure 5.8 S-box tables for Example 5.11

5.30
 5.1.3 Exclusive-Or

An important component in most block ciphers is the

exclusive-or operation. Addition and subtraction
operations in the GF(2n) field are performed by a single
operation called the exclusive-or (XOR).
• Finite fields are called Galois Field. Denoted as GF(P^n), P: Prime and n: positive integer

• Addition and subtraction operations in GF are same as Ex-or and multiplication and division are

same as AND
The five properties of the exclusive-or operation in the
GF(2n) field makes this operation a very interesting
component for use in a block cipher: closure,
associativity, commutativity, existence of identity, and
existence of inverse.

5.31
 5.1.1 Continued
Figure 5.9 Invertibility of the exclusive-or operation

5.33
 5.1.3 Continued

Circular Shift
Another component found in some modern block ciphers
is the circular shift operation.

Figure 5.10 Circular shifting an 8-bit word to the left or right

5.34
 5.1.3 Continued

Swap
The swap operation is a special case of the circular shift
operation where k = n/2. (n should be even)

Figure 5.11 Swap operation on an 8-bit word

5.35
 5.1.3 Continued
Split and Combine

Two other operations found in some block ciphers are

split and combine.

Figure 5.12 Split and combine operations on an 8-bit word

5.36
 5.1.4 Product Ciphers

Shannon introduced the concept of a product cipher. A

product cipher is a complex cipher combining
substitution, permutation, and other components
discussed in previous sections.

5.37
 5.1.4 Continued

Diffusion
The idea of diffusion is to hide the relationship between
the ciphertext and the plaintext.

Note
Diffusion hides the relationship between the
ciphertext and the plaintext.

5.38
 5.1.4 Continued

Confusion
The idea of confusion is to hide the relationship between
the ciphertext and the key.

Note
Confusion hides the relationship between the
ciphertext and the key.

5.39
 5.1.4 Continued

Rounds
Diffusion and confusion can be achieved using iterated
product ciphers where each iteration is a combination of
S-boxes, P-boxes, and other components.

Iteration is referred to as round. The block cipher

uses a key schedule or key generator that creates
different keys for each round from the cipher key.

5.40
 5.1.4 Continued
Figure 5.13 A product cipher made of two rounds

5.41
 5.1.4 Continued
Figure 5.14 Diffusion and confusion in a block cipher

5.42
 5.1.5 Two Classes of Product Ciphers

Modern block ciphers are all product ciphers, but they

are divided into two classes.

1. Feistel ciphers
Can have 3 types of components : self invertible. invertible and Non invertible

components

2. Non-Feistel
e.g. DES ciphers
Uses only invertible components

e.g. AES

5.43
 5.1.5 Continued

Feistel Ciphers
Feistel designed a very intelligent and interesting cipher
that has been used for decades. A Feistel cipher can have
three types of components: self-invertible, invertible, and
noninvertible.
Feistel combines all non invertible elements in a unit and
uses same element in both encryption and decryption.
First Thought: How we can use same non invertible component
in encryption and decryption algorithm?
The effect of non-invertible component in encryption can be
cancelled out in decryption if we use an exclusive-or operation.

Function is non invertible but mixer is self invertible.

5.44
 5.1.5 Continued

Figure 5.15 The first thought in Feistel cipher design

Note
Diffusion hides the relationship between the
ciphertext and the plaintext.
5.45
 5.1.3 Continued
Example 5.12
This is a trivial example. The plaintext and ciphertext are
each 4 bits long and the key is 3 bits long. Assume that the
function takes the first and third bits of the key, interprets
these two bits as a decimal number, squares the number, and
interprets the result as a 4-bit binary pattern. Show the
results of encryption and decryption if the original plaintext
is 0111 and the key is 101.
Solution
The function extracts the first and third bits to get 11 in
binary or 3 in decimal. The result of squaring is 9, which is
1001 in binary.

5.46
 5.1.5 Continued
Figure 5.16 Improvement of the previous Feistel design

Drawback:

•Right half of the plaintext never changes

5.47
 5.1.5 Continued
Figure 5.17 Final design of a Feistel cipher with two rounds

5.48
 5.1.5 Continued

Non-Feistel Ciphers
A non-Feistel cipher uses only invertible components. A
component in the encryption cipher has the
corresponding component in the decryption cipher.

 No compression and expansion components are allowed as they are non invertible.
 In this cipher there is no need to divide plain text into two halves.

 Product cipher diagram can be thought of as a non-feistel cipher

 As only component in each round are ex-or operation (self invertible).
 Encryption uses round key k1 and k2, whereas decryption uses round keys k2,k1.
5.50
 5-2 MODERN STREAM CIPHERS

In a modern stream cipher, encryption and decryption

are done r bits at a time. We have a plaintext bit
stream P = pn…p2 p1, a ciphertext bit stream
C = cn…c2 c1, and a key bit stream K = kn…k2 k1, in
which pi , ci , and ki are r-bit words.

Topics discussed in this section:

5.2.1 Synchronous Stream Ciphers
5.2.2 Nonsynchronous Stream Ciphers

5.63
5.2 Continued
Figure 5.20 Stream cipher

Note
In a modern stream cipher, each r-bit word in the
plaintext stream is enciphered using an r-bit word
in the key stream to create the corresponding r-bit
word in the ciphertext stream.
5.64
 5.2.1 Synchronous Stream Ciphers

Note
In a synchronous stream cipher the key is
independent of the plaintext or ciphertext.

Figure 5.22 One-time pad

5.65
 5.2.1 Continued
Example 5.17
What is the pattern in the ciphertext of a one-time pad cipher
in each of the following cases?
a. The plaintext is made of n 0’s.
b. The plaintext is made of n 1’s.
c. The plaintext is made of alternating 0’s and 1’s.
d. The plaintext is a random string of bits.

Solution
a. Because 0  ki = ki , the ciphertext stream is the same as
the key stream. If the key stream is random, the
ciphertext is also random. The patterns in the plaintext
are not preserved in the ciphertext.
5.66
 5.2.1 Continued
Example 5.7 (Continued)

b. Because 1  ki = ki where ki is the complement of ki , the

ciphertext stream is the complement of the key stream. If
the key stream is random, the ciphertext is also random.
Again the patterns in the plaintext are not preserved in
the ciphertext.
c. In this case, each bit in the ciphertext stream is either the
same as the corresponding bit in the key stream or the
complement of it. Therefore, the result is also a random
string if the key stream is random.
d. In this case, the ciphertext is definitely random because
the exclusive-or of two random bits results in a random
bit.

5.67
 5.2.1 Continued

Figure 5.23 Feedback shift register (FSR)

5.68
 5.2.1 Continued
Example 5.18

Create a linear feedback shift register with 5 cells in which

b5 = b4  b2  b0 .

Solution
If ci = 0, bi has no role in calculation of bm. This means that bi
is not connected to the feedback function. If ci = 1, bi is
involved in calculation of bm. In this example, c1 and c3 are
0’s, which means that we have only three connections. Figure
5.24 shows the design.

5.69
 5.2.1 Confidentiality
Figure 5.24 LSFR for Example 5.18

5.70
 5.2.1 Continued
Example 5.19
Create a linear feedback shift register with 4 cells in which
b4 = b1  b0. Show the value of output for 20 transitions
(shifts) if the seed is (0001)2.

Solution
Figure 5.25 LFSR for Example 5.19

5.71
 5.2.1 Continued
Example 5.19 (Continued)
Table 4.6 Cell values and key sequence for Example 5.19

5.72
 5.2.1 Continued
Example 5.19 (Continued)

Table 4.6 Continued

5.73
 5.2.1 Continued
Example 5.19 (Continued)
Note that the key stream is 100010011010111 10001…. This
looks like a random sequence at first glance, but if we go
through more transitions, we see that the sequence is
periodic. It is a repetition of 15 bits as shown below:

The key stream generated from a LFSR is a pseudorandom

sequence in which the the sequence is repeated after N bits.

Note

The maximum period of an LFSR is to 2m − 1.

5.74
 5.2.1 Continued
Example 5.20

The characteristic polynomial for the LFSR in Example 5.19

is (x4 + x + 1), which is a primitive polynomial. Table 4.4
(Chapter 4) shows that it is an irreducible polynomial. This
polynomial also divides (x7 + 1) = (x4 + x + 1) (x3 + 1), which
means e = 23 − 1 = 7.

5.75
 5.2.2 Nonsynchronous Stream Ciphers

In a nonsynchronous stream cipher, each key in the key

stream depends on previous plaintext or ciphertext.

Note
In a nonsynchronous stream cipher, the key
depends on either the plaintext or ciphertext.

5.76
 Chapter 6

Objectives

❏ To review a short history of DES

❏ To define the basic structure of DES

❏ To describe the details of building elements of DES

❏ To describe the round keys generation process

❏ To analyze DES

6.77
 6-1 INTRODUCTION

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the

National Institute of Standards and Technology (NIST).

Topics discussed in this section:

6.1.1 History

6.1.2 Overview

6.78
 6.1.1 History

In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem. A

proposal from IBM, a modification of a project called Lucifer, was accepted as DES. DES was

published in the Federal Register in March 1975 as a draft of the Federal Information Processing

Standard (FIPS).

6.79
 6.1.2 Overview

DES is a block cipher, as shown in Figure 6.1.

Figure 6.1 Encryption and decryption with DES

6.80
 6-2 DES STRUCTURE

The encryption process is made of two permutations (P-boxes), which we call initial and final

permutations, and sixteen Feistel rounds.

Topics discussed in this section:

6.2.1 Initial and Final Permutations

6.2.2 Rounds

6.2.3 Cipher and Reverse Cipher

6.2.4 Examples

6.81
 6-2 Continue

Figure 6.2 General structure of DES

6.82
 6.2.1 Initial and Final Permutations

Figure 6.3 Initial and final permutation steps in DES

6.83
 6.2.1 Continue

Table 6.1 Initial and final permutation tables

6.84
 6.2.1 Continued

Example 6.1

Find the output of the final permutation box when the input is given in hexadecimal as:

Solution

Only bit 25 and bit 63 are 1s; the other bits are 0s. In the final permutation, bit 25 becomes bit 64 and bit

63 becomes bit 15. The result is

6.85
 6.2.1 Continued

Example 6.2

Prove that the initial and final permutations are the inverse of each other by finding the output of the

initial permutation if the input is

Solution

The input has only two 1s; the output must also have only two 1s. Using Table 6.1, we can find the output

related to these two bits. Bit 15 in the input becomes bit 63 in the output. Bit 64 in the input becomes bit 25

in the output. So the output has only two 1s, bit 25 and bit 63. The result in hexadecimal is

6.86
 6.2.1 Continued

Note

The initial and final permutations are straight P-boxes that are inverses

of each other.

They have no cryptography significance in DES.

6.87
 6.2.2 Rounds

DES uses 16 rounds. Each round of DES is a Feistel cipher.

Figure 6.4
A round in DES

(encryption site)

6.88
 6.2.2 Continued

DES Function

The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32

bits to produce a 32-bit output.

Figure 6.5
DES function

6.89
 6.2.2 Continue

Expansion P-box

Since R is a 32-bit input and K is a 48-bit key, we first need to expand R to 48 bits.
I−1 I I−1

Figure 6.6 Expansion permutation

6.90
 6.2.2 Continue

Although the relationship between the input and output can be defined mathematically, DES uses

Table 6.2 to define this P-box.

Table 6.6 Expansion P-box table

6.91
 6.2.2 Continue

Whitener (XOR)

After the expansion permutation, DES uses the XOR operation on the expanded right section and

the round key. Note that both the right section and the key are 48-bits in length. Also note that the

round key is used only in this operation.

6.92
 6.2.2 Continue

S-Boxes

The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit

output. See Figure 6.7.

Figure 6.7 S-boxes

6.93
 6.2.2 Continue

Figure 6.8 S-box rule

6.94
 6.2.2 Continue

Table 6.3 shows the permutation for S-box 1. For the rest of the boxes see the textbook.

Table 6.3 S-box 1

6.95
 6.2.2 Continued

Example 6.3

The input to S-box 1 is 100011. What is the output?

Solution

If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The remaining

bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1, in Table 6.3 (S-box

1). The result is 12 in decimal, which in binary is 1100. So the input 100011 yields the output 1100.

6.96
 6.2.2 Continued

Example 6.4

The input to S-box 8 is 000000. What is the output?

Solution

If we write the first and the sixth bits together, we get 00 in binary, which is 0 in decimal. The remaining

bits are 0000 in binary, which is 0 in decimal. We look for the value in row 0, column 0, in Table 6.10 (S-

box 8). The result is 13 in decimal, which is 1101 in binary. So the input 000000 yields the output 1101.

6.97
 6.2.2 Continue

Straight Permutation

Table 6.11 Straight permutation table

6.98
 6.2.3 Cipher and Reverse Cipher

Using mixers and swappers, we can create the cipher and reverse cipher, each having 16 rounds.

First Approach

To achieve this goal, one approach is to make the last round (round 16) different from the others; it

has only a mixer and no swapper.

Note

In the first approach, there is no swapper in the last round.

6.99
 6.2.3 Continued

Figure 6.9 DES cipher and reverse cipher for the first approach

6.100
 6.2.3 Continued

Algorithm 6.1 Pseudocode for DES cipher

6.101
 6.2.3 Continued

Algorithm 6.1 Pseudocode for DES cipher (Continued)

6.102
 6.2.3 Continued

Algorithm 6.1 Pseudocode for DES cipher (Continued)

6.103
 6.2.3 Continued

Algorithm 6.1 Pseudocode for DES cipher (Continued)

6.104
 6.2.3 Continued

Alternative Approach

We can make all 16 rounds the same by including one swapper to the 16th round and add an extra

swapper after that (two swappers cancel the effect of each other).

Key Generation

The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key.

6.105
 6.2.3 Continued

Figure 6.10
Key generation

6.106
 6.2.3 Continued

Table 6.12 Parity-bit drop table

Table 6.13 Number of bits shifts

6.107
 6.2.3 Continued

Table 6.14 Key-compression table

6.108
 6.2.4 Examples

Example 6.5

We choose a random plaintext block and a random key, and determine what the ciphertext block would be

(all in hexadecimal):

Table 6.15 Trace of data for Example 6.5

6.109
 6.2.4 Continued

Example 6.5 Continued

Table 6.15 Trace of data for Example 6.5 (Conintued

6.110
 6-3 DES ANALYSIS

Critics have used a strong magnifier to analyze DES. Tests have been done to measure the

strength of some desired properties in a block cipher.

Topics discussed in this section:

6.3.1 Properties

6.3.2 Design Criteria

6.3.3 DES Weaknesses

6.111
 6.3.1 Properties

Two desired properties of a block cipher are the avalanche effect and the completeness.

Example 6.7

To check the avalanche effect in DES, let us encrypt two plaintext blocks (with the same key) that differ

only in one bit and observe the differences in the number of bits in each round.

6.112
 6.3.1 Continued

Example 6.7 Continued

Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits.

This means that changing approximately 1.5 percent of the plaintext creates a

change of approximately 45 percent in the ciphertext.

Table 6.17 Number of bit differences for Example 6.7

6.113
 6.3.1 Continued

Completeness effect

Completeness effect means that each bit of the ciphertext needs to depend on many bits on the

plaintext.

6.114
 6.3.2 Design Criteria

S-Boxe

The design provides confusion and diffusion of bits from each round to the next.

P-Boxes

They provide diffusion of bits.

Number of Rounds

DES uses sixteen rounds of Feistel ciphers. the ciphertext is thoroughly a random function of

plaintext and ciphertext.

6.115
 6.3.3 DES Weaknesses

During the last few years critics have found some weaknesses in DES.

Weaknesses in Cipher Design

1. Weaknesses in S-boxes

2. Weaknesses in P-boxes

3. Weaknesses in Key

6.116
 6.3.3 Continued

Figure 6.11 Double encryption and decryption with a weak key

6.117
 6.3.3 Continued

Example 6.8

Let us try the first weak key in Table 6.18 to encrypt a block two times. After two encryptions

with the same key the original plaintext block is created. Note that we have used the encryption algorithm

two times, not one encryption followed by another decryption.

6.118
 6.3.3 Continued

6.119
 6.3.3 Continued

6.120
 6.3.3 Continued

Figure 6.12 A pair of semi-weak keys in encryption and decryption

6.121
 6-4 Multiple DES

The major criticism of DES regards its key length. Fortunately DES is not a group. This

means that we can use double or triple DES to increase the key size.

Topics discussed in this section:

6.4.1 Double DES

6.4.4 Triple DES

6.122
 6-4 Continued

A substitution that maps every possible input to every possible output is a group.

Figure 6.13 Composition of mapping

6.123
 6.4.1 Double DES

The first approach is to use double DES (2DES).

Meet-in-the-Middle Attack

However, using a known-plaintext attack called meet-in-the-middle attack proves that double DES

improves this vulnerability slightly (to 257 tests), but not tremendously (to 2112).

6.124
 6.4.1 Continued

Figure 6.14 Meet-in-the-middle attack for double DES

6.125
 6.4.2 Triple DES

Figure 6.16 Triple DES with two keys

6.126
 6.4.2 Continuous

Triple DES with Three Keys

The possibility of known-plaintext attacks on triple DES with two keys has enticed some

applications to use triple DES with three keys. Triple DES with three keys is used by many

applications such as PGP (See Chapter 16).

6.127
 6-5 Security of DES

DES, as the first important block cipher, has gone through much scrutiny. Among the

attempted attacks, three are of interest: brute-force, differential cryptanalysis, and linear

cryptanalysis.

Topics discussed in this section:

6.5.1 Brute-Force Attack

6.5.2 Differential Cryptanalysis

6.5.3 Linear Cryptanalysis

6.128