
Block Ciphers & Symmetric Key Cryptography: Simplified DES

The document discusses simplified data encryption standard (S-DES) and data encryption standard (DES) block cipher algorithms. S-DES uses an 8-bit block, 10-bit key, and five functions including initial and final permutations and two complex functions using subkey generation from the main key. DES uses a 64-bit block, 56-bit key, and 16 rounds of permutations, substitutions, and XOR with subkeys to convert plaintext to ciphertext. Both algorithms involve initial and final permutations and complex functions using subkey generation and XOR to strengthen encryption.

Cryptography and Network Security UNIT-1

BLOCK CIPHERS & SYMMETRIC KEY CRYPTOGRAPHY


Syllabus: Traditional Block Cipher Structure, DES, Block Cipher Design Principles, AES-
Structure, Transformation functions, Key Expansion, Blowfish, CAST-128, IDEA, Block Cipher
Modes of Operations

Simplified DES: Simplified DES, developed by Professor Edward Schaefer of Santa Clara University,
is an educational rather than a secure encryption algorithm. It has similar properties and structure to
DES with much smaller parameters.
The S-DES encryption algorithm takes an 8-bit block of plain text and a 10-bit key as input and produces
an 8-bit block of cipher text as output. The S-DES decryption algorithm takes an 8-bit block of cipher
text and the same 10-bit key used to produce that cipher text as input and produces the original 8-bit
block of plaintext as shown in the following figure. The encryption algorithm involves five functions:
i) An initial permutation (IP);
ii) A complex function labelled fK, which involves both permutation and substitution
operations and depends on a key input;
iii) A simple permutation function that switches (SW) the two halves of the data;
iv) The function fK again;
v) And finally a permutation function that is the inverse of the initial permutation (IP^-1).

Dr. Kalavathi A, Professor & HoD IT 1


The use of multiple stages of permutation and substitution results in a more complex algorithm, which
increases the difficulty of cryptanalysis.
S-DES Key Generation: The complex function fK takes both 6 bit plain text and key as input. It uses a
10-bit key from which two 8-bit sub keys are generated as shown in the following figure.

In this case, the key is first subjected to a permutation (P10). Then a circular left shift or left
shift (LS) operation is performed. The output of the shift operation then passes through a permutation
function that produces an 8-bit output (P8) for the first sub key (K1). The output of the shift operation
also feeds into another shift and another instance of P8 to produce the second sub key (K2).
We can concisely express the encryption algorithm as a composition of functions:
IP^-1(fK2(SW(fK1(IP(plaintext)))))
which can also be written as: Cipher text = IP^-1(fK2(SW(fK1(IP(plaintext)))))
where K1 = P8(Shift(P10(key))) and
K2 = P8(Shift(Shift(P10(key))))
Decryption is also shown in the above figure and is essentially the reverse of encryption:
S-DES depends on the use of a 10-bit key shared between sender and receiver. From this key, two 8-
bit sub keys are produced for use in particular stages of the encryption and decryption algorithm.
Figure G.2 depicts the stages followed to produce the sub keys. First, permute the key in the
following fashion. Let the 10-bit key be designated as (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10). Then the
permutation P10 is defined as: P10(k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, k2, k7, k4, k10, k1,
k9, k8, k6). P10 can be concisely defined by the display:

This table is read from left to right; each position in the table gives the identity of the input bit that
produces the output bit in that position. So the first output bit is bit 3 of the input; the second output
bit is bit 5 of the input, and so on.
For example, the key (1010000010) is permuted to (1000001100). Next, perform a circular left shift
(LS-1), or rotation, separately on the first five bits and the second five bits. In the given example, the
result is (00001 11000).
Next we apply P8, which picks out and permutes 8 of the 10 bits according to the following rule:

The result is sub key 1 (K1). In our example, this yields (10100100). We then go back to the pair of 5-
bit strings produced by the two LS-1 functions and perform a circular left shift of 2 bit positions on
each string. In our example, the value (00001 11000) becomes (00100 00011). Finally, P8 is applied
again to produce K2. In our example, the result is (01000011).
S-DES Encryption: Encryption involves 5 different functions.

1. The input to the algorithm is the 8-bit plain text which is first permuted using the
following IP function

2. The most complex function of S-DES is fK, which is a combination of both substitution
and permutation functions and is summarized in the following equation. Let L and R be
the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fK, and let F be a mapping (not
necessarily one to one) from 4-bit strings to 4-bit strings. Then we let

where SK is a subkey and (+) is the bit-by-bit exclusive-OR function. For example, suppose the
output of the IP stage is (10111101) and F(1101, SK) = (1110) for some key SK. Then
fK(10111101) = (01011101) because (1011) (+) (1110) = (0101). We now describe the mapping
F. The input is a 4-bit number (n1,n2,n3,n4). The first operation is an expansion/permutation
operation:

Therefore it is clear that

The 8-bit sub key k1=(k11,k12,k13,k14,k15,k16,k17,k18) is added to this function, then

Let us rename these 8 bits as

The first 4 bits (first row) are fed into the S-box S0 to produce a 2-bit output, and the
remaining 4 bits (second row) are fed into S1 to produce another 2-bit output. These
two boxes are defined as follows:

The first and fourth input bits (end bits) are treated as a 2-bit number that specify a row index
of the S-box, and the second and third input bits (middle bits) specify a column of the S-box.
The entry in that row and column, in base 2, is the 2-bit output.
Next, the 4 bits produced by S0 and S1 undergo a further permutation as follows:

3. Switch Function (swap): The function fK only alters the leftmost 4 bits of the input. The
switch function (SW) interchanges the left and right 4 bits so that the second instance of fK
operates on a different 4 bits.
4. The same complex function is applied again, this time with the sub key K2.
5. Apply the inverse initial permutation (IP^-1) to the output of the complex function fK2, which
gives an 8-bit cipher text.

Data Encryption Standard:


DES is the most widely used encryption scheme. It was adopted in 1977 by the National Bureau of
Standards, now NIST, as FIPS 46 (Federal Information Processing Standard).
The components of DES algorithm are:
Plain Text Block Size :64 bits
Key size :56 bits
No of Rounds :16
No of Sub keys :2, where each sub key is of length 48 bits

In DES, there are two inputs to the encryption function: the plain text and the key. Initially
the 64-bit plain text is taken as input to the Initial Permutation function (IP), which
rearranges the bits to produce 64 bit permuted sequence. This is followed by 16 rounds
to produce cipher text.

These 16 rounds include both substitution and permutation functions. The output of the
last round consists of 64 bits. The left and right halves of output are swapped to produce
the output. Finally this is passed through inverse initial permutation (IP-1) to produce
cipher text. The right hand part of the above diagram shows the way in which the 56-bit
key is used. Initially the given key is passed through a permutation function (PC-I). Then for
each of the 16 rounds, a sub key ki is generated with a Left shift and permuted choice II
(PC-II) function.
Details of single Round:
1. Arrange the given 64-bit plain text in the following format

2. The 64-bit plain text is taken as input to the IP function, which rearranges the positions of the bits
and again outputs 64 bits.

3. The left and right halves of 64-bit value are treated as separate 32-bit quantities. The
right hand side 32 bit will be taken as input to Expansion/Permutation function and it
outputs a 48 bit data.

4. These 48 bits will be taken as an input to XOR function with the corresponding round
sub key and outputs a 48 bit data.
5. These 48 bits are then fed into 8 S-boxes. Each S-box takes a 6-bit input and outputs 4 bits.
Each row of an S-box contains all 16 possibilities, i.e. from 0 to 15. To represent these
values we need 4 bits of information. Therefore the 8 S-boxes output 32 bits of data.

6. Now, apply P-32 function on the output of four s-boxes.

7. Apply an XOR operation with left hand side 32 bits and on the output of P-32

8. Then apply 32 bit swap between left hand side data and right hand data.
9. Finally apply Inverse Initial Permutation on the output of 32-bit swap to get cipher
text. The overall procedure can be summarized as:

Sub-key Generation: the given 56 bit key is extended to 64 bit by adding a parity bit
for each 7-bits. Let us assume that these 64-bits are arranged in the following way

• Apply PC-I on the extended 64 bits

• Divide the output of PC-I into two equal halves Ci-1 and Di-1
• Apply LCS-1 or LCS-2 on these two halves based on the round count

• Then apply the PC-II operation to get a 48-bit sub key for the corresponding round

Role of S-Boxes: Each S-box accepts 6 bits as input and produces 4 bits as output. The first and
last bits signify the row index and the middle 4 bits signify the column index. Each row of an S-box
contains all the 16 possible combinations. The decimal value selected by the row and column is
converted to binary and is taken as the output of the S-box. In this way the 8 S-boxes produce one
32-bit output.

Avalanche Effect: A small change in either the Plain text or key should produce a significant
change in cipher text. That is a change in 1 bit of plain text or key should produce a change in
many bits of the cipher text. The two plain texts that differ in 1-bit are used

With the following key

Strength of DES : The strength of DES depends on key size and the nature of algorithm.
1. The Use of 56-Bit Keys: With a key length of 56 bits, there are 2^56 possible keys, which
is approximately 7.2 * 10^16 keys. Therefore a brute-force attack appears impractical.
Assuming that, on average, half the key space has to be searched, a single machine
performing one DES encryption per microsecond would take more than a thousand
years to break the cipher.

However, the assumption of one encryption per microsecond is overly conservative. As far
back as 1977, Diffie and Hellman postulated that the technology existed to build a parallel
machine with 1 million encryption devices, each of which could perform one encryption per
microsecond [DIFF77]. This would bring the average search time down to about 10 hours. The
authors estimated that the cost would be about $20 million in 1977 dollars.
Wiener reports on the design of a chip that uses pipelined techniques to achieve a key search
rate of 50 million keys per second. Using 1993 costs, he designed a module that costs one lakh
dollars and contains 5760 key search chips. With this design the following results are
obtained.

2. The Nature of the DES Algorithm


Another concern is the possibility that cryptanalysis is possible by exploiting the
characteristics of the DES algorithm. The focus of concern has been on the eight substitution
tables, or S-boxes, that are used in each iteration. Because the design criteria for these boxes,
and indeed for the entire algorithm, were not made public, there is a suspicion that the boxes
were constructed in such a way that cryptanalysis is possible for an opponent who knows the
weaknesses in the S-boxes. This assertion is tantalizing, and over the years a number of
regularities and unexpected behaviours of the S-boxes have been discovered. Despite this, no
one has so far succeeded in discovering the supposed fatal weaknesses in the S-boxes.

3. Timing Attacks: We discuss timing attacks in more detail in Part Two, as they relate to
public-key algorithms. However, the issue may also be relevant for symmetric ciphers.
In essence, a timing attack is one in which information about the key or the plaintext
is obtained by observing how long it takes a given implementation to perform
decryptions on various cipher texts. A timing attack exploits the fact that an encryption
or decryption algorithm often takes slightly different amounts of time on different
inputs.

Block Cipher Design Principles: There are three critical aspects in designing block
ciphers: the number of rounds, the design of function F, and key scheduling.
DES Design Criteria: The S-box and P function design criteria are as follows:
1. No output bit of any S-box should be too close to a linear function of the input bits.
2. Each row of an S-box should contain all 16 possibilities.
3. If two inputs to an S-box differ in exactly one bit, the outputs differ in at least two bits.
4. If two inputs to an S-box differ in exactly the two middle bits, then their outputs must differ
in at least two bits.
5. If two inputs to an s-box differ in their first two bits and are identical in their last two
bits, the two outputs must not be the same.
6. For any non-zero 6-bit difference between inputs, no more than 8 of the 32 pairs of
inputs exhibit the same difference in their outputs.
Criteria for function P:
1. The four output bits from each S-box at round i are distributed so that two of them
affect middle bits of round (i+1) and the other two affect end bits.
2. The four output bits from each S-box affect six different S-boxes on the next round,
and no two affect the same S-box.

3. For two S-boxes j, k, if an output bit from Sj affects a middle bit of Sk on the next round,
then an output bit from Sk cannot affect a middle bit of Sj.
Number of Rounds: The greater the number of rounds, the more difficult it is to perform
cryptanalysis, even for a weak function F.
Design of Complex Function F: This function relies on the use of S-boxes. The function F
provides the element of confusion. Therefore it is very difficult to unscramble the substitution
performed by F. Several other criteria should be considered in designing F:
1. Strict Avalanche Criterion: Any output bit j of an S-box should change with probability ½
when any single input bit i is inverted, for all i, j.
2. Bit Independence Criterion: The output bits j and k should change independently when
considering designs that do not include S-boxes.
S-box Design: The guaranteed avalanche (GA) criterion for S-boxes is as follows: An S-box satisfies
GA of order n if, for a 1-bit input change, at least n output bits change. S-boxes are generated
in the following ways:
1. Random: use some pseudorandom number generation to generate each row of an
S-box.
2. Random with Testing: choose S-box entries randomly, then test the results against
various criteria and throw away those that do not pass.
3. Man-made: the S-box elements are generated manually with simple
mathematics.
4. Math-made: generate S-boxes according to mathematical principles.
Key-Schedule Algorithm: The final area of block cipher design, and one that has
received less attention than S-box design, is key generation. It is used to generate the sub
keys corresponding to each round.

Modes of Block Ciphers: We have seen previously that five modes of operation are used when
applying block ciphers in a variety of applications. This section will give a more detailed view of how
these modes operate.
Electronic Codebook Mode (ECB) : This first mode is the simplest of all five modes. Figure 7.10 shows
the scheme where it can be seen that a block of plaintext (which is the same size in each case) is
encrypted with the same key K. The term codebook is used because, for a given key, there is a unique
cipher text for every block of plaintext. Therefore we can imagine a gigantic codebook in which there
is an entry for every possible plaintext pattern showing its corresponding cipher text. If the message
is longer than the block length then the procedure is to break the message into blocks of the required
length padding the last block if necessary.

As with encryption, decryption is performed one block at a time, always using the same key. The ECB
method is ideal for small amounts of data such as an encryption key; however, for larger messages, if
the same plaintext block appears more than once then the same cipher text is produced. This may
assist an attacker.

Cipher Block Chaining (CBC) Mode: Cipher Block Chaining addresses this by XORing each plaintext block with
the cipher text from the previous round (the first round using an Initialisation Vector (IV)). As before,
the same key is used for each block. Decryption works as shown in the figure because of the properties
of the XOR operation, i.e. IV ⊕ IV ⊕ P = P where IV is the Initialisation Vector and P is the plaintext.
Obviously the IV needs to be known by both sender and receiver and it should be kept secret along
with the key for maximum security.

Cipher Feedback Mode (CFB): The Cipher Feedback and Output Feedback modes allow a block cipher to be
converted into a stream cipher. This eliminates the need to pad a message to be an integral number
of blocks. It also can operate in real time. Here it is assumed that the unit of transmission is s bits; a
common value is s = 8. As with CBC, the units of plaintext are chained together, so that the cipher text
of any plaintext unit is a function of all the preceding plaintext (which is split into s-bit segments). The
input to the encryption function is a shift register equal in length to the block size of the algorithm
(although the diagram shows 64 bits, which is the block size used by DES, this can be extended to other
block sizes such as the 128 bits of AES).

This is initially set to some Initialisation Vector (IV). The leftmost s bits of the output of the encryption
function are XORed with the first segment of plaintext P1 (also s bits) to produce the first unit of cipher
text C1 which is then transmitted. In addition, the contents of the shift register are shifted left by s
bits and C1 is placed in the rightmost (least significant) s bits of the shift register. This process
continues until all plaintext units have been encrypted. Decryption is similar.

Output Feedback Mode (OFB): The Output Feedback Mode is similar in structure to that of CFB. As
can be seen, it is the output of the encryption function that is fed back to the shift register in OFB,
whereas in CFB the cipher text unit is fed back to the shift register. One advantage of the OFB method
is that bit errors in transmission do not propagate. For example, if a bit error occurs in C1 only the
recovered value of P1 is affected; subsequent plaintext units are not corrupted. With CFB, C1 also
serves as input to the shift register and therefore causes additional corruption downstream.

Counter Mode: This is a newer mode that was not listed initially with the above four. Interest in this
mode has increased a good deal lately. A counter, equal to the plaintext block size is used. The only
requirement stated in the standard is that the counter value must be different for each plaintext block
that is encrypted. Typically, this counter is initialised to some value and then incremented by 1 for
each subsequent block (modulo 2^b where b is the block size). For encryption, the counter is encrypted
and then XORed with the plaintext to produce the cipher text block; there is no chaining. For
decryption, the same sequence of counter values is used, with each encrypted counter XORed with a
cipher text block to recover the corresponding plaintext block. This mode contains a number of
advantages including hardware efficiency, software efficiency, provable security and simplicity.
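
The five modes described above, as an added Python example (not code from the original notes). The block cipher E/D is a stand-in chosen for brevity, a 4-round Feistel network on 64-bit blocks with SHA-256 as the round function, not DES; the key, IV, counter start and message are constructed sample values. It shows ECB repeating cipher text blocks where CBC does not, and the difference in error propagation between CFB and OFB with s = 8.

```python
import hashlib

BLOCK = 8  # bytes: the 64-bit block size used by DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def _round(half, key, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def E(key, block):
    """Stand-in block cipher (assumption): 4-round Feistel, not DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(right, key, rnd))
    return left + right

def D(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(left, key, rnd)), left
    return left + right

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, b) for b in _blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = E(key, _xor(b, prev))      # chain in the previous cipher text block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(D(key, c), prev))
        prev = c
    return b"".join(out)

def cfb8(key, iv, data, decrypting=False):
    reg, out = iv, bytearray()
    for byte in data:
        result = E(key, reg)[0] ^ byte             # leftmost s = 8 bits of E(reg)
        out.append(result)
        fed_back = byte if decrypting else result  # always the cipher text unit
        reg = reg[1:] + bytes([fed_back])          # shift register left by s bits
    return bytes(out)

def ofb8(key, iv, data):
    """Encryption and decryption are the same operation in OFB."""
    reg, out = iv, bytearray()
    for byte in data:
        keystream = E(key, reg)[0]
        out.append(keystream ^ byte)
        reg = reg[1:] + bytes([keystream])         # feed back E's output instead
    return bytes(out)

def ctr(key, start, data):
    """Counter mode; also its own inverse. A short last block needs no padding."""
    out = bytearray()
    for i, b in enumerate(_blocks(data)):
        counter = ((start + i) % 2 ** (8 * BLOCK)).to_bytes(BLOCK, "big")
        out += _xor(b, E(key, counter))            # no chaining between blocks
    return bytes(out)

def repeated_blocks(ct):
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))

def corrupted_bytes(decrypt, ct, pt):
    """Positions that decrypt wrongly after one bit of the first unit C1 flips."""
    damaged = bytes([ct[0] ^ 0x01]) + ct[1:]
    return [i for i, (a, b) in enumerate(zip(decrypt(damaged), pt)) if a != b]

# Constructed sample values.
KEY = b"sample-key"
IV = bytes(range(8))
MSG = b"SAMEDATA" * 3 + b"LASTBLCK"   # the first three 8-byte blocks are identical

if __name__ == "__main__":
    print("repeated blocks, ECB:", repeated_blocks(ecb_encrypt(KEY, MSG)))
    print("repeated blocks, CBC:", repeated_blocks(cbc_encrypt(KEY, IV, MSG)))
    ofb, cfb = ofb8(KEY, IV, MSG), cfb8(KEY, IV, MSG)
    print("OFB damage:", corrupted_bytes(lambda c: ofb8(KEY, IV, c), ofb, MSG))
    print("CFB damage:", corrupted_bytes(
        lambda c: cfb8(KEY, IV, c, decrypting=True), cfb, MSG))
```

With an 8-byte shift register and s = 8, the damaged cipher text unit stays in the CFB register for the next eight units, so the damage is bounded to the first nine positions.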

Double DES: Given a plain text P and two encryption keys K1 and K2, the cipher text C is
C = EK2[EK1[P]]
Decryption requires that the keys be applied in reverse order:
P = DK1[DK2[C]]

For any two possible keys K1 and K2 it is possible to find a K3 such that
EK2[EK1[P]] = EK3[P]

Meet in the Middle Attack (MITM): This is a type of attack that can exponentially reduce
the number of brute force permutations required to decrypt text that is encrypted with more than
one key. It makes it much easier for an intruder to gain access to data.
C=Ek2[Ek1[P]]
X=EK1[P]=DK2[C]

Triple DES(with two keys): To counter meet in the middle attack, this algorithm uses three
stages of encryption with two different keys.
C=EK1[DK2[EK1[P]]]
P=DK1[EK2[DK1[C]]]
This encrypt-decrypt-encrypt (EDE) scheme was proposed by Tuchman. It is a relatively popular alternative to
DES.

Triple DES with three keys: It has an effective key length of 168 bits.

C=EK3[DK2[EK1[P]]]
P=DK1[EK2[DK3[C]]]

International Data Encryption Algorithm (IDEA): A symmetric block cipher developed by Xuejia
Lai and James Massey of the Swiss Federal Institute of Technology.
Plain text block size – 64 bits
Key size – 128 bits
No of rounds – 8 + one output transformation round
Sub keys – Each round needs six sub keys of length 16 bits. The output transformation round needs
another 4 sub keys. So the total number of sub keys is 8x6 + 4 = 52. They are denoted
Z1, Z2, …, Z52.
Algorithm consists of the following functions.
Confusion: Cipher text should depend on plain text and key in a complicated and involved way. This is
achieved by mixing three different operations. Each operation is performed on two 16-bit inputs.
1. Bit by bit XOR
2. Addition of integers modulo 2^16
3. Multiplication of integers modulo 2^16
Diffusion: Each plain text bit should influence every cipher text bit, and each key bit should influence every cipher text bit.
This is achieved by multiplication/addition (M/A) structure.

IDEA Encryption: It consists of eight (8) rounds followed by an output transformation round. It
divides the input into four 16-bit blocks. Each round takes 4 16-bit blocks as an input and produces 4
16-bit blocks, which are concatenated to form cipher text. Each round uses six 16-bit sub keys,
whereas the last output round uses only 4 sub keys, for a total of 52 sub keys.

Sub key generation: Fifty-two 16-bit sub keys are generated from the given 128-bit key. The procedure is
as follows:
• The first 8 sub keys, Z1 to Z8, are taken directly from the given 128-bit key:
Z1: first 16 bits (most significant bits)
Z2: next 16 bits
...
Z8: last 16 bits (least significant bits)
• Apply a circular left shift of 25 bits to the given key and select another set of 8 sub keys,
Z9 to Z16
• Continue step 2 until you have 52 sub keys
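
The sub key procedure above, as an added Python example (not part of the original notes). Each pass shifts the value left by the previous pass, and the sample key is constructed.

```python
def idea_subkeys(key: bytes) -> list:
    """Return the 52 16-bit IDEA sub keys Z1..Z52 as a list (Z1 at index 0)."""
    if len(key) != 16:
        raise ValueError("IDEA uses a 128-bit (16-byte) key")
    state = int.from_bytes(key, "big")
    mask = (1 << 128) - 1
    subkeys = []
    while len(subkeys) < 52:
        # Cut the current 128-bit value into eight 16-bit words, most
        # significant word first.
        words = [(state >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        # 52 = 6 * 8 + 4, so the seventh pass contributes only four words.
        subkeys.extend(words[:52 - len(subkeys)])
        # Circular left shift of the whole 128-bit value by 25 bits.
        state = ((state << 25) | (state >> 103)) & mask
    return subkeys


def per_round(subkeys):
    """Group the sub keys: six for each of the 8 rounds, then the last four."""
    return [subkeys[6 * r:6 * r + 6] for r in range(8)] + [subkeys[48:]]


# Constructed sample key: the 16-bit words 0001, 0002, ..., 0008.
SAMPLE_KEY = bytes.fromhex("00010002000300040005000600070008")

if __name__ == "__main__":
    for number, keys in enumerate(per_round(idea_subkeys(SAMPLE_KEY)), start=1):
        print(number, " ".join(f"{z:04x}" for z in keys))
```

Because 25 is not a multiple of 16, every shifted word mixes bits from two neighbouring words of the previous pass, yet each sub key is still just a fixed selection of key bits.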

Single Round Details:


• The round begins with a transformation that combines 4 16-bit input sub blocks with 4 16-bit
sub keys using and operations.
• The four output blocks of this transformation are then combined using to form 2 16-bit
blocks that are taken as input to MA structure.
• MA structure also takes two sub keys as input and combines these inputs to produce two 16-bit
outputs.
• Finally the four output blocks from upper transformation are combined with two output
blocks of MA structure using XOR to produce 4 output blocks in every round

The output transformation round also uses the same functionality as the transformation round. The only
difference is that the second and third inputs are interchanged before this round, which undoes the
interchange after the 8th round. The reason for this extra interchange is so that decryption has the
same structure as encryption.

Blowfish: A symmetric block cipher developed by Bruce Schneier. It encrypts data on 32-bit
microprocessors at a rate of 19 clock cycles per byte.
Block size – 64 bits
Key size – 32 bits to 448 bits (1 to 14 words)
No of rounds – 16
Sub Key and S-Box Generation: It uses a key of 32 to 448 bits. This is used to generate eighteen 32-bit sub keys
and four 8x32 S-boxes, which contain 1024 entries in total. The size of each S-box element is 32 bits. The key
words are stored in a K-array K1, K2, K3, …, Kj (1<=j<=14).
The sub keys are stored in the P-array P1, P2, P3, …, P18. There are four S-boxes, each with 256 32-bit
entries:
S1,0, S1,1, …, S1,255
S2,0, S2,1, …, S2,255
S3,0, S3,1, …, S3,255
S4,0, S4,1, …, S4,255
To generate the P-array and S-boxes the following procedure is adopted:
1. Initialize the P-array and then the four S-boxes using the fractional part of pi. So, the leftmost
32 bits of the fractional part of pi become P1, and so on.
Ex: in hexadecimal
P1 = 243F6A88
P2 = …
S4,254 = 578FDFE3
S4,255 = 3AC372E6
2. Perform a bitwise XOR of the P-array and K-array, i.e.,
P1 = P1 ⊕ K1
P2 = P2 ⊕ K2
…
P14 = P14 ⊕ K14
P15 = P15 ⊕ K1
P16 = P16 ⊕ K2
P17 = P17 ⊕ K3
P18 = P18 ⊕ K4 (since the K-array has only 14 keys)
3. Encrypt a 64-bit block of all 0's using the current P-array and S-boxes, and replace P1 and P2 with the
output of the encryption.

4. Encrypt the output of step-3 using current p-array and s-arrays to replace P3 and P4 with
resulting cipher text.
5. Continue the above step to update all p and s-box elements.
P1, P2 = E_P,S[0]
P3, P4 = E_P,S[P1 || P2]
…
P17, P18 = E_P,S[P15 || P16]
S1,0, S1,1 = E_P,S[P17 || P18]
…
S4,254, S4,255 = E_P,S[S4,252 || S4,253]
Encryption-Decryption: Uses two primitive operations
1. Addition of integers modulo 2^32
2. Bitwise XOR
The plain text is divided into two 32-bit halves LE0 and RE0. We use LEi and REi to refer to each
round's output. For i=1 to 16 do

The function F is divided into 4 parts, where each part uses an 8-bit input, and these bytes are
represented as a, b, c, d.
F[a,b,c,d]=((S1a S1b) S1c) S1d)
For decryption, for i=1 to 16 do

CAST-128: This algorithm was developed by Carlisle Adams and Stafford Tavares. The components
are:
Block size – 64 bits
Key size – 40 bits to 128 bits (in 8-bit increments)
No of rounds – 16
Each round uses two sub keys (one masking sub key and one rotating sub key). Therefore there are 32 sub keys
in total, of which 16 are masking and 16 are rotating sub keys: a 32-bit masking sub key Kmi
and a 5-bit rotating sub key Kri for each round. The function F depends on the round.
Encryption: It uses four primitive operations.
1. Addition of integers modulo 2^32 (+)
2. Subtraction of integers modulo 2^32 (-)
3. XOR
4. Left Circular rotation x<<<Y (rotation of word x by y number of bits)
Details of Single Round: The plain text is divided into two 32-bit halves L0 and R0. The cipher text is
formed by swapping the output of 16th round that is,

Function F uses four 8x32 s-boxes, the <<< function, and 4 functions that depend on round number.
These functions are labelled as f1,f2,f3 and f4. We use function I to refer to the Intermediate 32-bit
value after left circular rotation, and labels them as Ia,Ib,Ic,Id and they refer as I

S-boxes and Sub Key Generation: CAST-128 uses eight 8x32 S-boxes. Four of these, S-box 1 through
S-box 4, are used in encryption/decryption. The remaining four, S5 to S8, are used in sub key generation.
Each S-box contains 256 elements. Each S-box takes an 8-bit input, which is the index of the element.
All these S-boxes contain fixed values. These values are generated with bent functions.
1. Label the bytes of the 128-bit key as
x0x1x2x3x4x5x6x7x8x9xAxBxCxDxExF
x0 is the most significant byte
..
xF is the least significant byte
Km1 … Km16: sixteen 32-bit masking sub keys, one per round
Kr1 … Kr16: sixteen 2-bit rotating sub keys, one per round
z0 … zF: intermediate bytes
K1 … K32: intermediate 32-bit words
For i=1 to 16 do
Kmi = Ki
Kri = K16+i
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K1 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
K2 = S5[zA] ^ S6[zB] ^ S7[z5] ^ S8[z4] ^ S6[z6]
K3 = S5[zC] ^ S6[zD] ^ S7[z3] ^ S8[z2] ^ S7[z9]

K4 = S5[zE] ^ S6[zF] ^ S7[z1] ^ S8[z0] ^ S8[zC]


x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K5 = S5[x3] ^ S6[x2] ^ S7[xC] ^ S8[xD] ^ S5[x8]
K6 = S5[x1] ^ S6[x0] ^ S7[xE] ^ S8[xF] ^ S6[xD]
K7 = S5[x7] ^ S6[x6] ^ S7[x8] ^ S8[x9] ^ S7[x3]
K8 = S5[x5] ^ S6[x4] ^ S7[xA] ^ S8[xB] ^ S8[x7]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K9 = S5[z3] ^ S6[z2] ^ S7[zC] ^ S8[zD] ^ S5[z9]
K10 = S5[z1] ^ S6[z0] ^ S7[zE] ^ S8[zF] ^ S6[zC]
K11 = S5[z7] ^ S6[z6] ^ S7[z8] ^ S8[z9] ^ S7[z2]
K12 = S5[z5] ^ S6[z4] ^ S7[zA] ^ S8[zB] ^ S8[z6]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K13 = S5[x8] ^ S6[x9] ^ S7[x7] ^ S8[x6] ^ S5[x3]
K14 = S5[xA] ^ S6[xB] ^ S7[x5] ^ S8[x4] ^ S6[x7]
K15 = S5[xC] ^ S6[xD] ^ S7[x3] ^ S8[x2] ^ S7[x8]
K16 = S5[xE] ^ S6[xF] ^ S7[x1] ^ S8[x0] ^ S8[xD]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K17 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
K18 = S5[zA] ^ S6[zB] ^ S7[z5] ^ S8[z4] ^ S6[z6]
K19 = S5[zC] ^ S6[zD] ^ S7[z3] ^ S8[z2] ^ S7[z9]
K20 = S5[zE] ^ S6[zF] ^ S7[z1] ^ S8[z0] ^ S8[zC]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K21 = S5[x3] ^ S6[x2] ^ S7[xC] ^ S8[xD] ^ S5[x8]
K22 = S5[x1] ^ S6[x0] ^ S7[xE] ^ S8[xF] ^ S6[xD]
K23 = S5[x7] ^ S6[x6] ^ S7[x8] ^ S8[x9] ^ S7[x3]
K24 = S5[x5] ^ S6[x4] ^ S7[xA] ^ S8[xB] ^ S8[x7]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K25 = S5[z3] ^ S6[z2] ^ S7[zC] ^ S8[zD] ^ S5[z9]
K26 = S5[z1] ^ S6[z0] ^ S7[zE] ^ S8[zF] ^ S6[zC]
K27 = S5[z7] ^ S6[z6] ^ S7[z8] ^ S8[z9] ^ S7[z2]
K28 = S5[z5] ^ S6[z4] ^ S7[zA] ^ S8[zB] ^ S8[z6]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K29 = S5[x8] ^ S6[x9] ^ S7[x7] ^ S8[x6] ^ S5[x3]


K30 = S5[xA] ^ S6[xB] ^ S7[x5] ^ S8[x4] ^ S6[x7]


K31 = S5[xC] ^ S6[xD] ^ S7[x3] ^ S8[x2] ^ S7[x8]
K32 = S5[xE] ^ S6[xF] ^ S7[x1] ^ S8[x0] ^ S8[xD]

Advanced Encryption Standard: The more popular and widely adopted symmetric encryption algorithm
likely to be encountered nowadays is the Advanced Encryption Standard (AES).
It is found to be at least six times faster than Triple DES.
A replacement for DES was needed as its key size was too small. With increasing computing
power, it was considered vulnerable to exhaustive key search attacks. Triple DES was designed to
overcome this drawback, but it was found to be slow.
The features of AES are as follows:
1. Symmetric key symmetric block cipher
2. 128-bit data, 128/192/256-bit keys
3. Stronger and faster than Triple-DES
4. Provide full specification and design details
5. Software implementable in C and Java.
AES is an iterative rather than a Feistel cipher. It is based on a ‘substitution–permutation network’. It
comprises a series of linked operations, some of which involve replacing inputs by specific outputs
(substitutions) and others involve shuffling bits around (permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats
the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four
rows for processing as a matrix. Unlike DES, the number of rounds in AES is variable and depends on
the length of the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds
for 256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated from the
original AES key. The schematic of AES structure is given in the following illustration −


Encryption Process: Here, we restrict ourselves to the description of a typical round of AES encryption.
Each round comprises four sub-processes. The first round process is depicted below:
Byte Substitution (Sub Bytes):
The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The result is in a
matrix of four rows and four columns.


Shift rows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on
the right side of row. Shift is carried out as follows −
First row is not shifted.
Second row is shifted one (byte) position to the left.
Third row is shifted two positions to the left.
Fourth row is shifted three positions to the left.


The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other.
MixColumns
Each column of four bytes is now transformed using a special mathematical function. This function
takes as input the four bytes of one column and outputs four completely new bytes, which replace the
original column. The result is another new matrix consisting of 16 new bytes. It should be noted that
this step is not performed in the last round.

Add round key


In this stage (known as Add Round Key) the 128 bits of state are bitwise XORed with the 128 bits of
the round key. The operation is viewed as a column-wise operation between the 4 bytes of a state
column and one word of the round key. This transformation is as simple as possible, which helps
efficiency, but it also affects every bit of the state. If this is the last round, then the output is the cipher text.
Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another similar round.

AES Key Expansion: The AES key expansion algorithm takes as input a 4-word key and produces a
linear array of 44 words. Each round uses 4 of these words, as shown in figure 7.2. Each word contains
32 bytes which means each sub key is 128 bits long. Figure 7.7 shows pseudocode for generating the
expanded key from the actual key.


The key is copied into the first four words of the expanded key. The remainder of the expanded key is
filled in four words at a time. Each added word w[i] depends on the immediately preceding word, w[i
− 1], and the word four positions back w[i − 4]. The function g consists of the following subfunctions:
1. Rot Word performs a one-byte circular left shift on a word. This means that an input word [b0, b1,
b2, b3] is transformed into [b1, b2, b3, b0].
2. Sub Word performs a byte substitution on each byte of its input word, using the s-box described
earlier.
3. The result of steps 1 and 2 is XORed with round constant, Rcon[j]

The round constant is a word in which the three rightmost bytes are always 0. Thus the effect of an
XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word. The round
constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1,
RC[j] = 2 • RC[j − 1], and with multiplication defined over the field GF(2^8). The key expansion was
designed to be resistant to known cryptanalytic attacks. The inclusion of a round-dependent round
constant eliminates the symmetry, or similarity, between the way in which round keys are generated in
different rounds.
Decryption Process
The process of decryption of an AES cipher text is similar to the encryption process in the reverse
order. Each round consists of the four processes conducted in the reverse order −
Add round key
Mix columns
Shift rows
Byte substitution
Since the sub-processes in each round are performed in reverse order, unlike in a Feistel cipher, the
encryption and decryption algorithms need to be implemented separately, although they are very closely
related.
AES Analysis: In present day cryptography, AES is widely adopted and supported in both hardware
and software. To date, no practical cryptanalytic attacks against AES have been discovered.
Additionally, AES has built-in flexibility of key length, which allows a degree of ‘future-proofing’ against
progress in the ability to perform exhaustive key searches.
However, just as for DES, the AES security is assured only if it is correctly implemented and good key
management is employed.
