Dr. Ammar Haider
Assistant Professor
School of Computing
CS3002 Information Security
Modern Symmetric Ciphers
Source: Stallings CNS chap 4, 6
Modern Ciphers
“A modern block cipher can be designed to
act as a substitution cipher or a transposition
cipher. This is the same idea as is used in
traditional ciphers, except that the symbols to
be substituted or transposed are bits instead
of characters.”
Forouzan, Cryptography & Network Security
Strength of a cipher
• A cipher needs to completely obscure the
statistical properties of the original message
• In 1945, Shannon suggested that a cipher
needs to have these two properties:
Confusion
• Confusion means that each character (e.g. bit)
of the ciphertext should depend on several
parts of the key, obscuring the connection
between the two.
• This property makes it difficult to find the key from
the ciphertext. If a single bit of the key is changed,
most or all bits of the ciphertext will be affected.
– In classical ciphers, substitution provides confusion
Diffusion
• Diffusion means the influence of one plaintext
symbol is spread over many ciphertext
symbols, so that statistical properties of
plaintext remain hidden.
– In classical ciphers, permutation provides diffusion
• Ciphers that only perform confusion or only
diffusion are not secure enough.
– Except for one-time pad, which is confusion only;
but as discussed, it is impractical.
• A product cipher is one that includes
both of these operations.
Block & Stream ciphers
• Block ciphers break messages into blocks of
predetermined sizes – e.g. 64 bits or 128 bits.
– Cipher encrypts one block of plaintext, creating a
ciphertext block of same size.
– Each character (e.g. bit) contributes to encryption of
other characters in the block
https://ieeexplore.ieee.org/document/9093670/
Block & Stream ciphers
• In stream ciphers, encryption is done on a
much smaller unit (bit, byte etc.)
– Units of plaintext are fed into the encryption algorithm
as a stream (one at a time), and ciphertext is similarly
output as a stream.
– They are more suitable when data is a continuous
stream
Stream ciphers do not provide diffusion,
since there is a one-to-one mapping
between units in plaintext and ciphertext.
https://ieeexplore.ieee.org/document/9093670/
Block & Stream ciphers
Stream ciphers high level structure
Bitwise XOR
XOR operation: extremely useful
in crypto
A B | A XOR B | A AND B | A OR B
0 0 |    0    |    0    |   0
0 1 |    1    |    0    |   1
1 0 |    1    |    0    |   1
1 1 |    0    |    1    |   1
Information Leak!
• Primary reason: It does not reveal any information about plaintext
(both 0 and 1 are equally likely).
• Secondary advantage: Both encryption and decryption can be
done the same way, by adding the key. XOR is a self-inverse
function!
Encryption: 010010 (plaintext) ⊕ 101100 (key) = 111110 (ciphertext)
Decryption: 111110 (ciphertext) ⊕ 101100 (key) = 010010 (plaintext)
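The two properties above, checked exhaustively for a single bit. This is an added example, not part of the original slides; the function names are illustrative. It computes what an observer learns about a plaintext bit from the ciphertext bit when the key bit is uniformly random, and replays the slide's XOR example.

```python
from fractions import Fraction
from itertools import product

# The three gates from the truth table, applied to a plaintext bit p and a key bit k.
GATES = {
    "XOR": lambda p, k: p ^ k,
    "AND": lambda p, k: p & k,
    "OR":  lambda p, k: p | k,
}

def posterior(gate):
    """P(plaintext bit = 1 | ciphertext bit = c), for uniformly random p and k."""
    op, result = GATES[gate], {}
    for c in (0, 1):
        # Plaintext bits of every (p, k) pair that produces ciphertext bit c
        hits = [p for p, k in product((0, 1), repeat=2) if op(p, k) == c]
        result[c] = Fraction(sum(hits), len(hits))
    return result

def leaks(gate):
    """True if seeing the ciphertext bit moves the observer away from the 1/2 prior."""
    return any(prob != Fraction(1, 2) for prob in posterior(gate).values())

def xor_bits(a, b):
    """XOR two equal-length bit strings; the same call encrypts and decrypts."""
    return "".join(str(int(x) ^ int(y)) for x, y in zip(a, b))

if __name__ == "__main__":
    for name in GATES:
        print(name, posterior(name), "leaks" if leaks(name) else "no leak")
    ciphertext = xor_bits("010010", "101100")        # values from the slide
    print(ciphertext, xor_bits(ciphertext, "101100"))
```

With AND, a ciphertext bit of 1 forces the plaintext bit to 1; with OR, a ciphertext bit of 0 forces it to 0. Only XOR leaves both values equally likely.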
Modern Encryption Algorithms
Examples
• Block Ciphers
– DES
– 3DES
– AES
– Twofish
• Stream Ciphers
– RC4
– ChaCha20
Data Encryption Standard
• DES was once the most widely used encryption
scheme
– developed in early 1970s at IBM, slightly tweaked by NSA
– the first modern, public, freely available encryption algorithm
– Standardized by National Bureau of Standards in 1977
• Uses 64 bit plaintext block and 56 bit key to produce
a 64 bit cipher text block
DES Algorithm
Initial and final permutation
(inverse of each other)
DES Round
One round in DES (Feistel structure)
f(…) is the DES function
DES Function
DES Function: Expansion
Expansion Mechanism
DES Function: S-Boxes
All 8 S-Boxes have same working principle, but different substitution tables
DES Function: S-Box-1
Example: If input is 101100₂
We check row 2 (10₂, the first and last bits) and
column 6 (0110₂, the middle four bits) to get
output 2, which is 0010₂
Find the output if S-Box-1 input is 100011
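The lookup rule from the S-Box-1 slide as code. This is an added example, not part of the original slides. It goes slightly beyond the slide by also checking two structural properties of the table: the 6-to-4-bit mapping is many-to-one, and flipping one input bit always changes several output bits. The table is the standard DES S-Box 1; the function names are illustrative.

```python
# DES S-Box 1, the standard table from the DES specification (4 rows x 16 columns).
SBOX1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(bits, table=SBOX1):
    """Map a 6-bit input string to (row, column, 4-bit output string)."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("S-box input must be exactly 6 bits")
    row = int(bits[0] + bits[5], 2)   # outer bits (1st and 6th) select the row
    col = int(bits[1:5], 2)           # middle four bits select the column
    return row, col, format(table[row][col], "04b")

def preimages(output, table=SBOX1):
    """All 6-bit inputs that map to the given 4-bit output value."""
    target = format(output, "04b")
    return [format(i, "06b") for i in range(64)
            if sbox_lookup(format(i, "06b"), table)[2] == target]

def min_output_change(table=SBOX1):
    """Fewest output bits that change when exactly one input bit is flipped."""
    fewest = 4
    for i in range(64):
        for bit in range(6):
            a = int(sbox_lookup(format(i, "06b"), table)[2], 2)
            b = int(sbox_lookup(format(i ^ (1 << bit), "06b"), table)[2], 2)
            fewest = min(fewest, bin(a ^ b).count("1"))
    return fewest

if __name__ == "__main__":
    print(sbox_lookup("101100"))      # the slide's worked example
    print(preimages(2))               # every input that yields output 2
    print(min_output_change())
```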
DES Function: S-Boxes
S-Box-2
S-Box-3
DES Function: Straight P-Box
32-bit input to 32-bit output
16th bit of input becomes 1st bit of output, and so on.
DES Decryption
• During encryption, skip
the swapper in the last
round.
• For decryption, go
through the same
procedure as encryption
(i.e. initial permutation, 16
rounds, final
permutation), just use the
round keys in reverse
order
– this methodology is common
in all Feistel ciphers
DES Strength Analysis
• DES is probably the most-scrutinized
encryption algorithm, and to date no
substantial mathematical weakness has been
discovered.
• BUT… it is not resistant to brute force attacks.
DES Strength Analysis
Short key length
• With 56 bits, there are 2^56 possible keys, which is approximately
7.2 × 10^16 keys, which can be broken in relatively short time by
brute forcing.
• More powerful and parallelized hardware yields quicker results
• Within 26 hours when using specialized hardware:
https://crack.sh
Triple DES (3DES)
• Repeats basic DES algorithm three times
• Using either two or three unique keys
– key size of 112 or 168 bits.
• much more secure but also much slower
plaintext → [DES encrypt, K1] → [DES decrypt, K2] → [DES encrypt, K1] → ciphertext
With two keys, effective key length = 112 bits
plaintext → [DES encrypt, K1] → [DES decrypt, K2] → [DES encrypt, K3] → ciphertext
With three keys, effective key length = 168 bits
Advanced Encryption Standard
• NIST called for proposals in 1997
– goals: efficiency, security, HW/SW suitability
– key length 128, 192, 256 bits
– Selected Rijndael in Nov 2001 and declared as ‘AES’
• Symmetric block cipher
• Uses 128 bit data block & 128/192/256 bit
keys
• Now widely available commercially
The AES Cipher - Rijndael
• An iterative rather than Feistel cipher
– processes data as block of 4 columns of 4 bytes
(128 bits)
– operates on entire data block in every round
Plaintext (128 bits)
AES Key (128/192/256 bits)
Ciphertext (128 bits)
Multiple rounds
Overall Structure
Structure of 128-bit block
• Data block viewed as table of bytes
• Represented as 4 by 4 matrix of bytes.
• Key is expanded to an array of 32-bit words
Data block represented as ‘State’ (4 × 4 table, each cell 1 byte)
Example - changing plaintext to State
Details of each round
SubBytes Operation
The SubBytes operation involves 16 independent byte-
to-byte substitutions.
Get S’_{1,1} from table
* Let S_{1,1} = xy
* Interpret a byte as two hexadecimal digits xy
SubBytes Table
Implemented by table lookup
InvSubBytes Table
SubByte Example
• The SubBytes and InvSubBytes transformations
are inverses of each other.
ShiftRows
• Shifting permutes the bytes.
• Do a circular byte shift in each row
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 byte circular shift to left
– 4th row does 3 byte circular shift to left
• In the encryption, the transformation is
called ShiftRows
• In the decryption, the transformation is
called InvShiftRows and the shifting is
to the right
ShiftRows Scheme
Example
MixColumns
• ShiftRows and MixColumns provide diffusion
to the cipher
• In MixColumns, each column is processed
separately
• Each byte is replaced by a value dependent on
all 4 bytes in the column
• Effectively a matrix multiplication in finite field
GF(2^8) using prime polynomial x^8 + x^4 + x^3 + x + 1
MixColumns Scheme
The MixColumns transformation operates at the column level;
it transforms each column of the state to a new column.
MixColumn and InvMixColumn
During decryption, inverse mixing matrix is used
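MixColumns and its inverse worked through in GF(2^8) with the polynomial named above. This is an added example, not part of the original slides. The two matrices are the standard AES ones from FIPS 197; the sample column and the function names are chosen here for illustration.

```python
def xtime(b):
    """Multiply a field element by x (i.e. by 2) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    product = 0
    while b:
        if b & 1:
            product ^= a              # addition in GF(2^8) is XOR
        a, b = xtime(a), b >> 1
    return product

# Standard AES mixing matrix and its inverse (FIPS 197), one list per row.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_column(col, matrix=MIX):
    """Multiply one 4-byte state column by the matrix over GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out

def mix_columns(state, matrix=MIX):
    """Apply the transformation to a state given as a list of four columns."""
    return [mix_column(col, matrix) for col in state]

if __name__ == "__main__":
    column = [0xDB, 0x13, 0x53, 0x45]             # constructed sample column
    mixed = mix_column(column)
    print([hex(b) for b in mixed])
    print([hex(b) for b in mix_column(mixed, INV_MIX)])
    # Diffusion: changing one input byte changes all four output bytes
    print([hex(b) for b in mix_column([0xDA, 0x13, 0x53, 0x45])])
```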
AddRoundKey
XOR state with 128-bits of the round key
• AddRoundKey proceeds one column at a time.
– adds a round key word with each state column
matrix
– the operation is matrix addition
• Inverse for decryption is identical
– since XOR is its own inverse, with same keys
AddRoundKey Scheme
AES Round
AES Key Scheduling (generating
round keys)
• takes a 128-bit (16-byte) key and expands it into
an array of 44 words (32 bits each)
AES Security
• AES was designed after DES.
– Most of the known attacks on DES were already tested on
AES.
• Brute-Force Attack
– AES is definitely more secure than DES due to the larger-size
key.
• Statistical Attacks
– Numerous tests have failed to do statistical analysis of the
ciphertext
• Differential and Linear Attacks
– There are no differential and linear attacks on AES as yet.
Implementation Aspects
• The algorithms used in AES are so simple that they
can be easily implemented using cheap processors
and a minimum amount of memory.
– Very efficient
– Implementation was a key factor in its selection as the AES
cipher
• Several modern CPU architectures include AES
instructions
https://en.wikipedia.org/wiki/AES_instruction_set
AES illustrated
A stick figure guide
http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
Block Cipher Modes of
Operation
ECB mode
• Block ciphers operate only on small fixed size chunks
like 64 bits (DES), 128 bits (AES) etc.
• To encrypt large data, one (lazy) option is to simply
divide the whole data in blocks and encrypt them
separately with same key. This is ECB mode.
ECB mode: problem
CBC mode
• More secure modes are available, such as Cipher Block
Chaining (CBC)
• Each ciphertext block depends on all plaintext blocks
processed up to that point
Any fixed (non-secret)
value to start with
CTR mode
• Another one is Counter mode
• Start with any pre-defined counter value and then
keep incrementing.
• Can encrypt blocks in parallel (unlike CBC mode)
Counter, Counter + 1, …, Counter + (N – 1)
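The ECB, CBC and CTR slides above, and the earlier DES Decryption slide, demonstrated with one toy cipher. This is an added example, not part of the original slides. The block cipher is a hypothetical 16-round Feistel network with a hash-based round function and key schedule (it is not DES); the key, IV and sample message are constructed.

```python
import hashlib

BLOCK = 8  # toy cipher: 64-bit blocks and 16 rounds (DES-shaped, but not DES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key):
    # Hypothetical key schedule: one hash-derived subkey per round
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(16)]

def feistel(block, subkeys):
    left, right = block[:4], block[4:]
    for k in subkeys:
        f = hashlib.sha256(k + right).digest()[:4]   # stand-in for the round function f
        left, right = right, xor(left, f)
    return right + left                              # undo the swap of the last round

def encrypt_block(block, key):
    return feistel(block, round_keys(key))

def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])     # same procedure, keys reversed

def split(data):
    # Assumes len(data) is a multiple of BLOCK; padding is out of scope here
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    return [encrypt_block(b, key) for b in split(pt)]

def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for b in split(pt):
        prev = encrypt_block(xor(b, prev), key)      # chain in the previous ciphertext
        out.append(prev)
    return out

def cbc_decrypt(blocks, key, iv):
    prevs = [iv] + blocks[:-1]
    return b"".join(xor(decrypt_block(c, key), p) for c, p in zip(blocks, prevs))

def ctr_crypt(data, key, counter):
    # Encrypt Counter, Counter + 1, ... and XOR with the data; the same call decrypts
    return [xor(b, encrypt_block((counter + i).to_bytes(BLOCK, "big"), key))
            for i, b in enumerate(split(data))]

# Constructed sample: three identical plaintext blocks followed by a different one
SAMPLE = b"PAY 1000" * 3 + b"PAY 9999"
```

In ECB the three identical plaintext blocks give three identical ciphertext blocks, while CBC and CTR give distinct ones. Each CTR block depends only on its own counter value, which is why it can be computed in parallel.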