MODULE 2

SYMMETRIC AND ASYMMETRIC

KEY CRYPTOGRAPHY AND KEY
MANAGEMENT
Locking and unlocking with the same key
Private key cryptography/ Symmetric

Simplified Model of Symmetric Encryption

PUBLIC KEY CRYPTOGRAPHY
Public key cryptography (also known as public-key encryption and
asymmetric encryption). Asymmetric key cryptography uses two
separate keys: one private and one public.

Fig. Locking and unlocking in asymmetric-key cryptosystem

PUBLIC KEY CRYPTOGRAPHY

Fig. General idea of asymmetric-key cryptosystem

PUBLIC KEY CRYPTOGRAPHY
Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and ciphertext are
treated as integers in asymmetric-key cryptography.
Encryption/Decryption
C = e(Kpublic , P) P = d(Kprivate , C)
PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEM
Public-Key Cryptosystems (many types)
A public-key encryption scheme has six ingredients

Fig.1.a Public-Key Cryptography

plaintext, encryption algorithm, public & private keys, ciphertext &

decryption algorithm.
PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEM
Public-Key Cryptosystems

Fig.1.b Public-Key Cryptography

Symmetric VS Asymmetric (imp slide)
Symmetric Key Encryption Asymmetric Key Encryption
It requires two keys, a public key and a
It only requires a single key for both private key, one to encrypt and the other one
encryption and decryption. to decrypt.
The size of cipher text is the same or The size of cipher text is the same or larger
smaller than the original plain text. than the original plain text.
The encryption process is very fast. The encryption process is slow.
It is used when a large amount of data is
required to transfer. It is used to transfer small amounts of data.
It provides confidentiality, authenticity,
It only provides confidentiality. and non-repudiation.
The length of key used is 128 or 256 bits The length of key used is 2048 or higher
In symmetric key encryption, resource
utilization is low as compared to In asymmetric key encryption, resource
asymmetric key encryption. utilization is high.
Symmetric VS Asymmetric

It is efficient as it is used for handling It is comparatively less efficient as it can

large amount of data. handle a small amount of data.
It is more secure as two keys are used here-
Security is less as only one key is used for one for encryption and the other for
both encryption and decryption purpose. decryption.
The Mathematical Representation is as The Mathematical Representation is as
follows- follows-
P = D (K, E(P)) P = D(Kd, E (Ke,P))
where K –> encryption and decryption where Ke –> encryption key
key Kd –> decryption key
P –> plain text D –> Decryption
D –> Decryption E(Ke, P) –> Encryption of plain text using
E(P) –> Encryption of plain text encryption key Ke . P –> plain text
Symmetric Vs Asymmetric

It requires n personal secret keys are

needed.
It requires n(n-1)/2 shared secret keys,if 2
people are there, it is 2(2-1)/2 = 1 key It is based on personal secrecy
It is based on sharing secrecy.
Plaintext and ciphertext are Plaintext and ciphertext are
symbols(bits/characters). numbers

Encryption and decryption is based on Encryption and decryption are mathematical

permutation and substitution of functions.
symbols.
 Use of public key cryptosystems can be classified into
three categories:-
 encryption/decryption (provide secrecy)
 digital signatures (provide authentication)
 key exchange (of session keys)
some algorithms are suitable for all uses, others are
specific to one
DSS: Digital signature standard

12
STREAM CIPHER
A stream cipher is one that encrypts a digital data stream one bit or
one byte at a time. Examples of classical stream ciphers are the
autokeyed Vigenère cipher and the Vernam cipher.
BLOCK CIPHER
A symmetric-key modern block cipher encrypts an n-bit block of plaintext
or decrypts an n-bit block of ciphertext.
The encryption or decryption algorithm uses a k-bit key.
The decryption algorithm must be the inverse of the encryption algorithm,
and both operations must use the same secret key so that Bob can retrieve
the message sent by Alice.
Figure shows the general idea of encryption and decryption in a modern
block cipher.
BLOCK CIPHER
If the message has fewer than n-bits, padding must be added to
make it an n-bit block; if the message has more than n-bits, it should
be divided into n-bit blocks and the appropriate padding must be
added to the last block if necessary. The common values
for n are 64, 128, 256, or 512 bits.
Block vs Stream Ciphers (imp slide)
Modern Block Ciphers
• The ciphers that perform encryption or decryption
at the bit level rather than character level are
referred to as bit-oriented ciphers.
• The modern block cipher is a bit-oriented cipher
that encrypts a m-bit block of plaintext at a time to
produce m-bit block of ciphertext.
• Reverse is followed during decryption.
• Each block of bits is encrypted or decrypted using
k-bit key.
• Use of extra bits (padding)
BLOCK CIPHER
Substitution or Transposition
A modern block cipher can be designed to act as a substitution
cipher or a transposition cipher. This is the same idea as is used in
traditional ciphers, except that the symbols to be substituted or
transposed are bits instead of characters.
ü If the cipher is designed as a substitution cipher, a 1-bit or a 0-
bit in the plaintext can be replaced by either a 0 or a 1. This
means that the plaintext and the ciphertext can have a different
number of 1’s.
ü A 64-bit plaintext block of 12 0’s and 52 1’s can be encrypted to a
ciphertext of 34 0’s and 30 1’s.
ü If the cipher is designed as a transposition cipher, the bits are
only reordered (transposed); there is the same number of 1’s in
the plaintext and in the ciphertext.
BLOCK CIPHER
ü In either case, the number of n-bit possible plaintexts or
ciphertexts is 2n, because each of the n bits in the block can have
one of the two values, 0 or 1.

ü Modern block ciphers are designed as substitution ciphers

because the inherent characteristics of transposition (preserving
the number of 1’s or 0’s) makes the cipher vulnerable to
exhaustive-search attacks, as the next example shows.
COMPONENTS OF BLOCK CIPHER

• S- box
• P-box
• Straight P-box
• Compression P-box
• Expansion P-box
• Circular shift
S-box: It is equivalent to substitution cipher.
• This is a substitution box having the same characteristics as
that of the substitution cipher, except that the substitution of
several bits is performed in parallel.
• It takes n bits of plaintext at a time as input and produces m
bits of ciphertext as output, where the value of n and m may
be the same or different.
• An S-box can be keyed or keyless.
• In a keyed S-box, the mapping of n inputs to m outputs is
decided with the help of a key, whereas in a keyless S-box ,
the mapping from inputs to outputs is predetermined.
• Usually, keyless S-boxes are used in modern block ciphers.
P-box

• This is a permutation box having the same characteristics as

that of the traditional transposition cipher, except that it
performs transposition at the bit-level, and that transposition
of several bits is performed at the same time.
• The input bits are permuted to produce the output bits.
• For example, the first input bit can be the second output bit,
the second input bit can be the third output bit and so on.
• A P-box is sometimes also referred to as a D-box ( diffusion
box ).
• It is normally a keyless cipher and can be classified into three
types based on the length of input and output:
COMPONENTS OF BLOCK CIPHER

We can find three types of P-boxes in modern block ciphers:

ü Straight P-boxes
ü Expansion P-boxes and
ü Compression P-boxes
COMPONENTS OF BLOCK CIPHER

Figure shows a 5 × 5 straight P-box, a 5 × 3 compression P-box,

and a 3 × 5 expansion P-box.
COMPONENTS OF BLOCK CIPHER
Straight P-Boxes
A straight P-Box with n inputs and n outputs is a permutation.
There are n! possible mappings. (3!)

The possible mappings of a 3 × 3 P-box

Although a P-box can use a key to define one of the n! mappings, P-
boxes are normally keyless, which means that the mapping is
predetermined.
If the P-box is implemented in hardware, it is prewired; if it is
implemented in software, a permutation table shows the rule of
mapping.
COMPONENTS OF BLOCK CIPHER
Straight P-Boxes
In the second case, the entries in the table are the inputs and the
positions of the entries are the outputs. Table shows an example of a
straight permutation table when n is 64.

Table has 64 entries, corresponding to the 64 inputs. The position

(index) of the entry corresponds to the output. Because the first
entry contains the number 58, we know that the first output comes
from the 58th input. Because the last entry is 7, we know that the
64th output comes from the 7th input, and so on.
COMPONENTS OF BLOCK CIPHER
Compression P-Boxes

A compression P-box is a P-box with n inputs and m outputs

where m < n. Some of the inputs are blocked and do not reach the
output.

The compression P-boxes used in modern block ciphers normally

are keyless with a permutation table showing the rule for
transposing bits.

We need to know that a permutation table for a compression P-box

has m entries, but the content of each entry is from 1 to n with some
missing values (those inputs that are blocked).
COMPONENTS OF BLOCK CIPHER
Compression P-Boxes
Table shows an example of a permutation table for a 32 × 24
compression P-box.

Note that inputs 7, 8, 9, 15, 16, 23, 24, and 25 are blocked.
Compression P-boxes are used when we need to permute bits and
the same time decrease the number of bits for the next stage.
COMPONENTS OF BLOCK CIPHER
Expansion P-Boxes
An expansion P-box is a P-box with n inputs and m outputs
where m > n. Some of the inputs are connected to more than one
input.
The expansion P-boxes used in modern block ciphers normally are
keyless, where a permutation table shows the rule for transposing
bits.
We need to know that a permutation table for an expansion P-box
has m entries, but m − n of the entries are repeated
(those inputs mapped to more than one output).
COMPONENTS OF BLOCK CIPHER
Expansion P-Boxes
Table shows an example of a permutation table for a 12 × 16
expansion P-box.

Note that each of the inputs 1, 3, 9, and 12 is mapped to two outputs.

Expansion P-boxes are used when we need to permute bits and the
same time increase the number of bits for the next stage.
COMPONENTS OF BLOCK CIPHER
Circular Shift
Another component found in some modern block ciphers is the
circular shift operation. Shifting can be to the left or to the right.
ü The circular left-shift operation shifts each bit in an n-bit word k
positions to the left; the leftmost k bits are removed from the left
and become the rightmost bits.
ü The circular right-shift operation shifts each bit in an n-bit word
k positions to the right; the rightmost k bits are removed from the
right and become the leftmost bits.
COMPONENTS OF BLOCK CIPHER
Circular Shift
Figure 5.10 shows both left and right operations in the case where
n = 8 and k = 3.
BLOCK CIPHER SCHEMES
There is a vast number of block ciphers schemes that are in use.
Many of them are publicly known. Most popular and prominent
block ciphers are listed below.
Digital Encryption Standard (DES) − The popular block cipher of
the 1990s. It is now considered as a ‘broken’ block cipher, due
primarily to its small key size.
Triple DES − It is a variant scheme based on repeated DES
applications. It is still a respected block ciphers but inefficient
compared to the new faster block ciphers available.
Advanced Encryption Standard (AES) − It is a relatively new block
cipher based on the encryption algorithm (also known as
Rijndael algorithm.
BLOCK CIPHER SCHEMES
IDEA − It is a sufficiently strong block cipher with a block size of
64 and a key size of 128 bits. A number of applications use IDEA
encryption, including early versions of Pretty Good Privacy (PGP)
protocol. The use of IDEA scheme has a restricted adoption due to
patent issues.
Twofish − This scheme of block cipher uses block size of 128 bits
and a key of variable length. It was one of the AES finalists. It is
based on the earlier block cipher Blowfish with a block size of 64
bits.
Serpent − A block cipher with a block size of 128 bits and key
lengths of 128, 192, or 256 bits, which was also an AES competition
finalist. It is a slower but has more secure design than other block
cipher.
PRODUCT CIPHERS
Shannon introduced the concept of a product cipher. A product
cipher is a complex cipher combining substitution, permutation,
diffusion, confusion and rounds.
Substitution: Each plaintext element or group of elements is
uniquely replaced by a corresponding ciphertext element or group
of elements.
Permutation: A sequence of plaintext elements is replaced by a
permutation of that sequence. That is, no elements are added or
deleted or replaced in the sequence, rather the order in which the
elements appear in the sequence is changed.
Diffusion: The idea of diffusion is to hide the relationship between
the ciphertext and the plaintext.
PRODUCT CIPHERS
Confusion: The idea of confusion is to hide the relationship between
the ciphertext and the key.

Rounds: Diffusion and confusion can be achieved using iterated

product ciphers where each iteration is a combination of S-boxes,
P-boxes, and other components.
PRODUCT CIPHERS
Diffusion and Confusion (important slide)
Shannon’s idea in introducing the product cipher was to enable the
block ciphers to have two important properties: diffusion and
confusion.
ü The idea of diffusion is to hide the relationship between the
ciphertext and the plaintext. This will frustrate the adversary who
uses ciphertext statistics to find the plaintext.
ü Diffusion implies that each symbol (character or bit) in the
ciphertext is dependent on some or all symbols in the plaintext.
ü In other words, if a single symbol in the plaintext is changed,
several or all symbols in the ciphertext will also be changed.
PRODUCT CIPHERS
Diffusion and Confusion
The idea of confusion is to hide the relationship between the
ciphertext and the key.
ü This will frustrate the adversary who tries to use the ciphertext to
find the key.
ü In other words, if a single bit in the key is changed, most or all
bits in the ciphertext will also be changed.
TWO CLASSES OF PRODUCT CIPHERS (IMP SLIDE)
Modern block ciphers are all product ciphers, but they are divided
into two classes.

ü The ciphers in the first class use both invertible and

noninvertible components. The ciphers in this class are normally
referred to as Feistel ciphers. The block cipher DES is a good
example of a Feistel cipher.

ü The ciphers in the second class use only invertible components.

We refer to ciphers in this class as non-Feistel ciphers. The block
cipher AES is a good example of a non-Feistel cipher.
BLOCK CIPHER MODES OF OPERATION
Explain the different modes of Block Ciphers (IMP)
ELECTRONIC CODEBOOK (ECB)
The simplest mode of operation is called the electronic codebook
(ECB) mode.
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence
name
• each block is encoded independently of the other blocks
• uses: secure transmission of single values
ELECTRONIC CODEBOOK (ECB)

Fig. Electronic codebook (ECB) mode

ADVANTAGES AND LIMITATIONS OF
ECB
• message repetitions may show in ciphertext
• if aligned with message block
• particularly with data such graphics
• or with messages that change very little, which become a code-
book analysis problem
• weakness is due to the encrypted message blocks being
independent
• main use is sending a few blocks of data
ADVANTAGES AND LIMITATIONS OF
ECB
• Does not hide data patterns, unsuitable for long messages
– Wiki example: pixel map using ECB

Plain text ECB mode Other modes

• Susceptible to replay attacks
– Example: a wired transfer transaction can be replayed by
resending the original message)
CIPHER BLOCK CHAINING (CBC)
In CBC mode, each plaintext block is exclusive-ored with the
previous ciphertext block before being encrypted.
• message is broken into blocks
• linked together in encryption operation
• each previous cipher blocks is chained with current plaintext
block, hence name
• use Initial Vector (IV) to start process
• uses: bulk data encryption, authentication
CIPHER BLOCK CHAINING (CBC)

Fig. Cipher block chaining (CBC) mode

ADVANTAGES AND LIMITATIONS OF
CBC
• a ciphertext block depends on all blocks before it
• any change to a block affects all following ciphertext blocks
• need Initialization Vector (IV)
• which must be known to sender & receiver
• if sent in clear, attacker can change bits of first block, and
change IV to compensate
• hence IV must either be a fixed value
• or must be sent encrypted in ECB mode before rest of message
CIPHER FEEDBACK MODE (CFB)
In some situations, we need to use DES or AES as secure ciphers,
but the plaintext or ciphertext block sizes are to be smaller.
• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8, 64 or 128 etc) to be feed
back
• denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
• uses: stream data encryption, authentication
CIPHER FEEDBACK MODE (CFB)
Note
In CFB mode, encipherment and decipherment use
the encryption function of the underlying block
cipher.

The relation between plaintext and ciphertext blocks is shown below:

ADVANTAGES AND LIMITATIONS OF
(CFB)
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block encryption after every
n-bits
• note that the block cipher is used in encryption mode at both
ends
• errors propagate for several blocks after the error
OUTPUT FEEDBACK MODE (OFB)
In this mode each bit in the ciphertext is independent of the previous
bit or bits. This avoids error propagation.
• message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence name)
• feedback is independent of message
• can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
• uses: stream encryption on noisy channels
OUTPUT FEEDBACK MODE (OFB)
ADVANTAGES AND LIMITATIONS OF
OFB
• bit errors do not propagate
• more vulnerable to message stream modification
• a variation of a Vernam cipher
• hence must never reuse the same sequence (key+IV)
• sender & receiver must remain in sync
• originally specified with m-bit feedback
• subsequent research has shown that only full block feedback
(ie CFB-64 or CFB-128) should ever be used
COUNTER (CTR)
In the counter (CTR) mode, there is no feedback. The pseudo-
randomness in the key stream is achieved using a counter.
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than any
feedback value
• must have a different key & counter value for every plaintext
block (never reused)
• Oi = DESK1(i)
• Ci = Pi XOR Oi
• uses: high-speed network encryptions
COUNTER (CTR)
ADVANTAGES AND LIMITATIONS OF
CTR
• efficiency
• can do parallel encryptions in hardware or software
• can preprocess in advance of need
• good for burst high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter values, otherwise
could break (OFB)
DATA ENCRYPTION STANDARD (DES)
The Data Encryption Standard (DES) is a symmetric-key block
cipher published by the National Institute of Standards and
Technology (NIST).

Fig. Encryption and Decryption with DES

ü At the encryption site, DES takes a 64-bit plaintext and creates a
64-bit ciphertext;
ü At the decryption site, DES takes a 64-bit ciphertext and creates
a 64-bit block of plaintext.
ü The same 56-bit cipher key is used for both encryption and
decryption ie. why it is called symmetric-key cipher
ü DES uses 16 rounds
DES STRUCTURE

Fig. DES (Fiestal Structure)

DES ENCRYPTION ALGORITHM

Fig. DES Structure (Feistal structure)

DES ENCRYPTION
The encryption process is made of two permutations (P-boxes),
which we call initial and final permutations, and sixteen Feistel
rounds. Each round uses a different 48-bit round key generated from
the cipher key according to a predefined algorithm.
DES ENCRYPTION
Initial and Final permutations (bit positions changed) :

Each entry in the permutation table indicates the

position of a input bit in the output
DES ENCRYPTION
Rounds :
DES uses 16 rounds. Each round of DES is a Feistel cipher, as
shown in Figure
Input to DES function
1. 48 bit Key
2. Rightmost 32 bits
Output
32-bit output
DES ENCRYPTION
Rounds :
DES uses 16 rounds. Each round of DES is a Feistel cipher, as
shown in Figure
ü The round takes LI-1 and RI-1 from previous round (or the initial
permutation box) and creates LI and RI , which go to the next
round (or final permutation box).
ü We can assume that each round has two cipher elements (mixer
and swapper). Each of these elements is invertible.
ü The swapper is obviously invertible. It swaps the left half of the
text with the right half.
ü The mixer is invertible because of the XOR operation.
ü All noninvertible elements are collected inside the function f (RI-1,
KI).
DES FUNCTION
DES Function :
The heart of DES is the DES function.
ü The DES function applies a 48-bit key to the rightmost 32 bits
(RI-1) to produce a 32-bit output.
ü This function is made up of four sections:
Ø an expansion P-box,
Ø a whitener (that adds key),
Ø a group of S-boxes, and
Ø a straight P-box as shown in Figure.
DES FUNCTION
DES Function :

DES function is made up of 4

sections:
1. Expansion Box
2. XOR
3. Group of S-boxes
4. A straight P-box
DES FUNCTION
1. Expansion P-Box :
• Since RI−1 is a 32-bit input and KI is a 48-bit key, we first need
to expand RI−1 to 48 bits
• RI−1 is divided into 8, 4-bit blocks/sections
• Each 4-bit section is expanded to 6 bits in the following
manner:
• Input bits 1,2,3,4 are copied to output bits 2,3,4,5
respectively.
• Output bit 1 comes from bit 4 of the previous section; output
bit 6 comes from bit 1 of the next section.
• If sections 1 and 8 can be considered adjacent sections, the
same rule applies to bits 1 and 32. Figure shows the input
and output in the expansion permutation.
DES FUNCTION
1. Expansion P-Box :

Although the relationship between the input and output can be

defined mathematically, DES uses Table to define this P-box.
Note that the number of output ports is 48, but the value range is
only 1 to 32. Some of the inputs go to more than one output.
For example, the value of input bit 5 becomes the value of output
bits 6 and 8.
DES FUNCTION
1. Expansion P-Box :

Expansion P-Box table

DES FUNCTION
2. Whitener (XOR) :
After the expansion permutation, DES uses the XOR operation
on the expanded right section and the round key.
Note : Both the right section and the key are 48-bits in length.
The 48-bit output goes as input to the S-box.
DES FUNCTION
3. S-Boxes :
DES uses ‘8’ S-boxes, each with a 6-bit input and produces a 4-bit
output.
Substitution follows a predetermined rule :
Outer 2 bits of the 6-bits input indicates or selects the row.
Inner 4 bits select the column.
DES FUNCTION
3. S-Boxes :
DES FUNCTION
3. S-Boxes :
Note : Each S-box has its own table, we need to have eight tables

Table S-box 1
There are a total of eight S-box tables. The output of all eight s-
boxes is then combined in to 32-bit section.
DES FUNCTION
4. Straight P-Box Permutation :
The 32-bit output of S-boxes is then subjected to the straight
permutation with rule shown in the following illustration:

Table: Straight permutation table

DES KEY GENERATION
The round-key generator creates sixteen 48-bit keys out of a 56-bit
cipher key.
However, the cipher key is normally given as a 64-bit key in which 8
extra bits are the parity bits, which are dropped before the actual
key-generation process, as shown in Figure.
 DES KEY GENERATION

From Left 28 – bits :

bit position 8, 9, 22, 25
are discarded
From Right 28 – bits :
bit position 35, 38, 43,
54 are discarded
DES KEY GENERATION
Parity Drop
The preprocess before key expansion is a compression permutation
that we call parity bit drop.
ü It drops the parity bits (bits 8, 16, 24, 32, …, 64) from the 64-bit
key and permutes the rest of the bits according to Table.
ü The remaining 56-bit value is the actual cipher key which is used
to generate round keys. The parity drop permutation (a
compression P-box) is shown in Table.

Fig. Parity-bit drop table

DES KEY GENERATION
Shift Left
After the straight permutation, the key is divided into two 28-bit
parts.
ü Each part is shifted left (circular shift) one or two bits.
ü In rounds 1, 2, 9, and 16, shifting is one bit;
ü in the other rounds, it is two bits.
ü The two parts are then combined to form a 56-bit part.
ü Table 6.13 shows the number of shifts for each round.

Fig. Number of bit shifts

DES KEY GENERATION
Compression Permutation
The compression permutation (P-box) changes the 58 bits to 48 bits,
which are used as a key for a round. The compression permutation is
shown in Table.

Fig. Key compression table

DES FUNCTION
DOUBLE DES (2DES) (IMP SLIDE)
• In this approach, we use two instances of DES ciphers for
encryption and two instances of reverse ciphers for decryption.
• Each instances use a different key, so we have 2 keys.
• The size of the key is doubled.
• However, double DES is vulnerable to meet-in-the-middle attack.
DOUBLE DES (2DES)
Given a plaintext P and two encryption keys � 1 and � 2, a cipher
text can be generated as,
C = E(� 2, E(� 1, P))
Decryption requires that the keys be applied in reverse order,
P = D(� 1, D(� 2, C))

The drawback of 2DES is Meet-in-the-Middle Attack.

DOUBLE DES (2DES)

Double DES Structure

TRIPLE DES (3DES)
• There are two variants of Triple DES known as 2-key Triple DES
(2TDES) and 3-key Triple DES (3TDES).

• Use three stages of DES for encryption and decryption, so it has

three keys but uses 2 keys as � 1 and � 2, whereas is � 1 repeated.
• The 1st, 3rd stage use � 1 key and 2nd stage use � 2 key.
• To make triple DES compatible with single DES, the middle
stage uses decryption in the encryption side and encryption in
the decryption side.
• It’s much stronger than double DES.
TRIPLE DES WITH TWO KEYS (2TDES)

The function follows an encrypt-decrypt-encrypt (EDE) sequence.

C = E(� 1, D(� 2, E(� 1, P)))
P = D(� 1, E(� 2, D(� 1, C)))
TRIPLE DES WITH TWO KEYS (2TDES)

Triple DES using 2-keys Structure

TRIPLE DES WITH THREE KEYS (3TDES)
• Use three stages of DES for encryption and decryption, so it has
three keys as � 1, � 2 and � 3.
3-key 3DES has an effective key length of 168 bits and is defined as,
C = E(� 3, D(� 2, E(� 1, P)))
P = D(� 1, E(� 2, D(� 3, C)))

Triple DES using 2-keys Structure

TRIPLE DES WITH THREE KEYS (3TDES)

Triple DES using 3-keys Structure

ADVANCED ENCRYPTION STANDARD
(AES)
The more popular and widely adopted symmetric encryption
algorithm is the Advanced Encryption Standard (AES). It is found
that it is at least six time faster than triple DES.
AES is widely used today as it is a much stronger than DES and
triple DES despite being harder to implement.
Points to remember
• AES is a Symmetric key symmetric block cipher.
• The key size can be 128/192/256 bits.
• Encrypts data in blocks of 128 bits each.
That means it takes 128 bits as input and outputs 128 bits of
encrypted cipher text as output.
AES
AES is an iterative rather than Feistel cipher.
AES relies on substitution-permutation network principle which
means it is performed using a series of linked operations which
involves replacing and shuffling of the input data.
Working of the cipher :
AES performs operations on bytes of data rather than in bits. Since
the block size is 128 bits, the cipher processes 128 bits (or 16 bytes)
of the input data at a time.
The number of rounds depends on the key length as follows :
ü 128 bit key – 10 rounds
ü 192 bit key – 12 rounds
ü 256 bit key – 14 rounds
AES
Data Units
AES uses five units of measurement to refer to data: bits, bytes,
words, blocks, and state.
The bit is the smallest and atomic unit; other units can be expressed
in terms of smaller ones.

Bit
In AES, a bit is a binary digit with a value of 0 or 1. We use a
lowercase letter to refer to a bit.
AES
Data Units
Byte
A byte is a group of eight bits that can be treated as a single entity,
a row matrix (1 × 8) of eight bits, or a column matrix (8 × 1) of eight
bits.
When treated as a row matrix, the bits are inserted to the matrix
from left to right; when treated as a column matrix, the bits are
inserted into the matrix from top to bottom. We use a lowercase bold
letter to refer to a byte.
AES
Data Units
Word
A word is a group of 32 bits that can be treated as a single entity, a
row matrix of four bytes, or a column matrix of four bytes.
When it is treated as a row matrix, the bytes are inserted into the
matrix from left to right; when it is considered as a column matrix,
the bytes are inserted into the matrix from top to bottom.
We use the lowercase bold letter w to show a word.

Block
AES encrypts and decrypts data blocks. A block in AES is a group of
128 bits. However, a block can be represented as a row matrix of 16
bytes.
AES
AES STRUCTURE
AES STRUCTURE
AES STRUCTURE
AES STRUCTURE
Initial Array represent the given plaintext in
this 4 * 4 input array
Each cell represents 1 bytes (8 bits), so we
have 16 Bytes
4 Bytes represents 1 word, so we have 4
words

The results from each round is stored in

state array.
First digit represent Byte and second digit
represents word.
AES KEY
AES KEY EXPANSION
AES KEY EXPANSION
The process is as follows:
1. The first four words (w0, w1, w22, w3) are made from the cipher
key. The cipher key is thought of as an array of 16 bytes (k0 to k15).
The first four bytes (k0 to k3) become w0; the next four bytes (k4 to
k7 ) become w1; and so on. In other words, the concatenation of
the words in this group replicates the cipher key.
2. The rest of the words (wi for i = 4 to 43) are made as follows:
a. If (i mod 4) ≠ 0, wi = wi-1⊕ wi-4 Referring to Figure, this
means each word is made from the one at the left and the one
at the top.
b. If (i mod 4) = 0, wi = t ⊕ wi-4. Here t, a temporary word, is
the result of applying two routines, SubWord and RotWord, on
wi-1 and XORing the result with a round constants, RCon. In
other words, we have,
t = SubWord (RotWord (wi−1)) ⊕ Rconi/4
AES ROUNDS
AES ROUNDS
SubBytes
AES defines a 16 * 16 matrix of byte values, called an S-box that
contains a permutation of all possible 256 8-bit values. Each
individual byte of State is mapped into a new byte in the following
way: The leftmost 4 bits of the byte are used as a row value and the
rightmost 4 bits are used as a column value. These row and column
values serve as indexes into the S-box to select a unique 8-bit output
value.
AES ROUNDS
SubBytes
AES ROUNDS
SubBytes
AES ROUNDS
SubBytes
AES ROUNDS
SubBytes

For every cell we have to perform the same

AES ROUNDS
SubBytes

The SubBytes and InvSubBytes transformations

are inverses of each other.
AES ROUNDS
Shift Rows
The first row of State is not altered. For the second row, a 1 byte
circular left shift is performed. For the third row, a 2-byte circular
left shift is performed. For the fourth row, a 3-byte circular left shift
is performed. The following is an example of ShiftRows.
Example :
AES ROUNDS
Mix Columns
The forward mix column transformation, called MixColumns,
operates on each column individually. Each byte of a column is
mapped into a new value that is a function of all four bytes in that
column. The transformation can be defined by the following matrix
multiplication on State
AES ROUNDS
Mix Columns

Example :
AES ROUNDS
Mix Columns
The inverse mix column transformation, called InvMixColumns, is
defined by the following matrix multiplication:

Add Round Key

In the forward add round key transformation, called AddRoundKey,
the 128 bits of State are bitwise XORed with the 128 bits of the round
key. the operation is viewed as a columnwise operation between the 4
bytes of a State column and one word of the round key; it can also be
viewed as a byte-level operation. The following is an example of
AddRoundKey:
AES ROUNDS
Add Round Key

The first matrix is State, and the second matrix is the round key.
The inverse add round key transformation is identical to the forward
add round key transformation, because the XOR operation is its own
inverse.
STREAM CIPHER
• A typical stream cipher encrypts plaintext one byte at a time,
although a stream cipher may be designed to operate on one bit
at a time or on units larger than a byte at a time.
STREAM CIPHER
• In this structure, a key is input to a pseudorandom bit generator
that produces a stream of 8-bit numbers that are apparently
random. The output of the generator, called a keystream, is
combined one byte at a time with the plaintext stream using the
bitwise exclusive-OR (XOR) operation.
• For example, if the next byte generated by the generator is
01101100 and the next plaintext byte is 11001100, then the
resulting ciphertext byte is
STREAM CIPHER
• process message bit by bit (as a stream)
• have a pseudo random keystream
• combined (XOR) with plaintext bit by bit
• randomness of stream key completely destroys statistically
properties in message
• Ci = Mi XOR StreamKeyi
• but must never reuse stream key
• otherwise can recover messages
STREAM CIPHER RC4
RC4 is a byte-oriented stream cipher in which a byte (8 bits) of a
plaintext is exclusive-ored with a byte of key to produce a byte of a
ciphertext.
• a proprietary cipher owned by RSA
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info processed a byte at
a time
STREAM CIPHER RC4
• A variable length key of from 1 to 256 bytes (8 to 2048 bits) is
used to initialize a 256-byte state vector S, with elements
S[0],S[1], …….,S[255].
• At all times, S contains a permutation of all 8-bit numbers from 0
through 255.
• For encryption and decryption, a byte k is generated from S by
selecting one of the 255 entries in a systematic fashion. As each
value of k is generated, the entries in S are once again permuted
STREAM CIPHER RC4
State
RC4 is based on the concept of a state.

Uses an array S of length 256 where S[0] = 0, to S[255] = 255

Has a key, example key = “Hello”
Key is encoded using ASCII
Has a key array, K of length 256 i.e. K[0] to K[255]
Elements of the key are repeated
STREAM CIPHER RC4
Initialization of S
• To begin, the entries of S are set equal to the values from 0
through 255 in ascending order; that is, S[0] = 0, S[1] = 1, c,
S[255] = 255.
• A temporary vector, T, is also created. If the length of the key K is
256 bytes, then K is transferred to T. Otherwise, for a key of
length keylen bytes, the first keylen elements of T are copied from
K, and then K is repeated as many times as necessary to fill out T.
These preliminary operations can be summarized as
STREAM CIPHER RC4
Algorithms
1. Initial permutation of S
2. Pseudo random generation algorithm(Key Stream Generation
3. Encryption and Decryption Algorithm
STREAM CIPHER RC4
1. Initial permutation of S
We use T to produce the initial permutation of S. This involves
starting with S[0] and going through to S[255], and for each S[i],
swapping S[i] with another byte in S according to a scheme dictated
by T[i]:

Stop: value of i ranges from : 0 to S[len-1], mod value = S[len]

STREAM CIPHER RC4
2. Key Stream Generation:
Once the S vector is initialized, the input key is no longer used.
Stream generation involves cycling through all the elements of S[i],
and for each S[i], swapping S[i] with another byte in S according to
a scheme dictated by the current configuration of S. After S[255] is
reached, the process continues, starting over again at S[0]:

Stop: value of i ranges from : 1 to PT[len], mod value = S[len]

STREAM CIPHER RC4
3. Encryption and Decryption
To encrypt, XOR the value k with the next byte of plaintext.
To decrypt, XOR the value k with the next byte of ciphertext.
STREAM CIPHER RC4
STREAM CIPHER RC4
Example:
Q. Encrypt the plaint-text, pt - [2,7,1], if , Length of the S-Array is
4 , given key – [5,1,0,7]

Solution:
Initialization of S:
S[4] = [S0, S1, S2, S3] = [0,1,2,3]
K = [5,1,0,7]
T = [5,1,0,7]
STREAM CIPHER RC4
Initial Permutation of S:

T 5 1 0 7
i j S0 S1 S2 S3
0 0 1 2 3
0 j = j + S[i] + T[i] 1 0 2 3
j=0+0+5
j = 5 mod 4 = 1
Swap(S[i], S[j])
Swap(S[0],S[1])
1 j = j + S[i] + T[i] 1 2 0 3
j=1+0+1
j = 2 mod 4 = 2
Swap(S[1],S[2])
STREAM CIPHER RC4
Initial Permutation of S:

T 5 1 0 7
i j S0 S1 S2 S3
1 2 0 3
2 j = j + S[i] + T[i] 1 2 0 3
j=2+0+0
j = 2 mod 4 = 2
Swap(S[2],S[2])
3 j = j + S[i] + T[i] 3 2 0 1
j=2+3+7
j = 12 mod 4 = 0
Swap(S[3],S[0])
STREAM CIPHER RC4
Example:
S = [0,1,2,3,4,5,6,7]
K = [1,2,3,6]
K/ T = [1,2,3,6,1,2,3,6]
Plaintext PT = [1,2,2,2]

When i = 0,
j = [0 + 0 + 1] mod 8 = 1 mod 8 = 1,
Swap S[0],S[1]
S = [1,0,2,3,4,5,6,7]
When i = 1,
j = [1 + 0 + 2] mod 8 = 3 mod 8 = 3,
Swap S[1],S[3]
S = [1,3,2,0,4,5,6,7]
STREAM CIPHER RC4
Example:

When i = 2,
j = [3 + 2 + 2] mod 8 = 8 mod 8 = 0,
Swap S[2],S[0]
S = [2,3,1,0,4,5,6,7]
When i = 3,
j = [0 + 0 + 6] mod 8 = 6 mod 8 = 6,
Swap S[3],S[6]
S = [2,3,1,6,4,5,0,7]
When i = 4,
j = [6 + 4 + 1] mod 8 = 11 mod 8 = 3,
Swap S[4],S[3]
S = [2,3,1,4,6,5,0,7]
STREAM CIPHER RC4
Example:

When i = 5,
j = [3 + 5 + 2] mod 8 = 10 mod 8 = 2,
Swap S[5],S[2]
S = [2,3,5,4,6,1,0,7]
When i = 6,
j = [2 + 0 + 3] mod 8 = 5 mod 8 = 5,
Swap S[6],S[5]
S = [2,3,5,4,6,0,1,7]
When i = 7,
j = [5 + 7 + 6] mod 8 = 18 mod 8 = 2,
Swap S[7],S[2]
S = [2,3,7,4,6,0,1,5]
STREAM CIPHER RC4
Example: Key Stream Generation
When i = 1
j = 0 + 3 mod 8 = 3 mod 8 = 3
Swap S[1],S[3]
S = [2,4,7,3,6,0,1,5],
t = 4 + 3 mod 8 = 7 mod 8 = 7
k=5
When i = 2
j = 3 + 7 mod 8 = 10 mod 8 = 2
Swap S[2],S[2]
S = [2,4,7,3,6,0,1,5],
t = 7 + 7 mod 8 = 14 mod 8 = 6
k=1
STREAM CIPHER RC4
Example: Key Stream Generation
When i = 3
j = 2 + 3 mod 8 = 5 mod 8 = 5
Swap S[3],S[5]
S = [2,4,7,0,6,3,1,5],
t = 0 + 3 mod 8 = 3 mod 8 = 3
k=0
When i = 4
j = 5 + 6 mod 8 = 11 mod 8 = 3
Swap S[4],S[3]
S = [2,4,7,6,0,3,1,5],
t = 0 + 6 mod 8 = 6 mod 8 = 6
k=1
STREAM CIPHER RC4
Example: Encryption
KS = [5, 1, 0, 1]

PT = [1,2,2,2]

CT = PT XOR KS

PT = [0001, 0010, 0010, 0010]

KS = [0101, 0001, 0000, 0001]

CT = [0100, 0011, 0010, 0011]

CT = [4, 3, 2, 3]
STREAM CIPHER RC4
Example: Decryption
PT = CT XOR KS

CT = [0100, 0011, 0010, 0011]

KS = [0101, 0001, 0000, 0001]

PT = [0001, 0010, 0010, 0010]

PT = [1, 2, 2, 2]
STREAM CIPHER RC4
Example:
Suppose an S-Array is of length 8
[S0, S1, S2, S3, S4, S5, S6, S7] = [0,1,2,3,4,5,6,7]
K = [3,1,4,1,5]
K/ T-Array is [K0, K1, K2, K3, K4, K5, K6, K7] = [3,1,4,1,5,3,1,4]
Plaintext PT = [6,1,5,4]
STREAM CIPHER RC4
Example: Key Scheduling

T -- 3 1 4 1 5 3 1 4
i j S0 S1 S2 S3 S4 S5 S6 S7
- 0 0 1 2 3 4 5 6 7
When i = 0
j = 0 + 0 + 3 = 3 Swap S[0],S[3] = 0, 3
0 3 3 1 2 0 4 5 6 7
When i = 1
j = 3 + 1 + 1 = 5 Swap S[1],S[5] = 1, 5

1 5 3 5 2 0 4 1 6 7
STREAM CIPHER RC4
Example: Key Scheduing

T -- 3 1 4 1 5 3 1 4
i j S0 S1 S2 S3 S4 S5 S6 S7
- 0 0 1 2 3 4 5 6 7
0 3 3 1 2 0 4 5 6 7
1 5 3 5 2 0 4 1 6 7
2 3 3 5 0 2 4 1 6 7
3 6 3 5 0 6 4 1 2 7
4 7 3 5 0 6 7 1 2 4
5 3 3 5 0 1 7 6 2 4
6 6 3 5 0 1 7 6 2 4
7 6 3 5 0 1 7 6 4 2
STREAM CIPHER RC4
Example: Key Stream Generation
The new S-Array is [3,5,0,1,7,6,4,2], PT = [6,1,5,4]
Take the length of PT
STREAM CIPHER RC4
Example: Key Stream Generation

i j t KStr S0 S1 S2 S3 S4 S5 S6 S7
- 0 - - 3 5 0 1 7 6 4 2
When i = 1
j = 0 + 5 mod 8 = 5, Swap S[1],S[5] = 5, 6
1 5 - - 3 6 0 1 7 5 4 2
When i = 1
t = 6 + 5 mod 8 = 3, Swap S[1],S[5] = 5, 6
KStr = S[3] = 1
1 5 3 1 3 6 0 1 7 5 4 2
STREAM CIPHER RC4
Example: Key Stream Generation
i j t KStr S0 S1 S2 S3 S4 S5 S6 S7
- 0 - - 3 5 0 1 7 6 4 2
1 5 3 1 3 6 0 1 7 5 4 2
2 5 5 0 3 6 5 1 7 0 4 2
3 6 5 0 3 6 5 4 7 0 1 2
4 5 7 2 3 6 5 4 0 7 1 2
STREAM CIPHER RC4
Example: Encryption
KS = [1, 0, 0, 2]

PT = [6,1,5,4]

CT = PT XOR KS

PT = [0110, 0001, 0101, 0100]

KS = [0001, 0000, 0000, 0010]

CT = [0111, 0001, 0101, 0110]

CT = [7, 1, 5, 6]
STREAM CIPHER RC4
Example: Decryption
PT = CT XOR KS

CT = [0111, 0001, 0101, 0110]

KS = [0001, 0000, 0000, 0010]

PT = [0110, 0001, 0101, 0100]

PT = [6, 1, 5, 4]
STREAM CIPHER RC4
Example:
S = [0,1,2,3,4,5,6,7]
K = [6,5,2,3,1,4]
Plaintext PT = [5,2,2,4,1,3]
STREAM CIPHER RC4

Fig. The idea of RC4 stream cipher