[CS304] Introduction to Cryptography and Network Security

Course Instructor: Dr. Dibyendu Roy Winter 2023-2024

Scribed by: Shah Vedant Rupeshkumar (202151143) Lecture (Week 3)

1 Structure of Data Encryption Standard

We have done a discussion about DES and its working in previous week. Now, we will see various
components present in DES. So, DES comprises of:

• IP

• IP −1

• Algorithm of Function f

• Key Scheduling Algorithm

2 IP
IP stands for Initial Permutation. So, as per the DES algorithm we will first permute the plain
text and then perform the rounds of DES. So, initial permutation is a 8x8 matrix used to permute
the 64 bits of the plain text.

IP : {0, 1}64 → {0, 1}64

The IP matrix for DES can be seen below.

Figure 1: IP

Here, in the above figure we can clearly see that the 1st bit will be placed at 58th bit position,
2nd bit at 50th bit position, 3rd bit at 42nd bit position and in the similar way last bit i.e. 64th
bit will be placed at 7th bit position. So,

IP (m1 , m2 , m3 , ..., m64 ) = m58 , m50 , m42 , ..., m7

1
3 IP −1
IP −1 stands for Inverse Initial Permutation. So, as per the DES algorithm after all the rounds are
performed, we will apply IP −1 to balance the effect of IP applied at the starting before applying
the rounds. So, inverse initial permutation is a 8x8 matrix used to permute the 64 bits of the plain
text.

IP −1 : {0, 1}64 → {0, 1}64

The IP −1 matrix for DES can be seen below.

Figure 2: IP −1

Here, in the above figure we can clearly see that the 58th bit will be mapped to 1st bit position,
50th bit at 2nd bit position, 42nd bit at 3rd bit position and in the similar way 7th bit will be
placed at 64th bit position. So,

IP −1 (m58 , m50 , m42 , ..., m7 ) = m1 , m2 , m3 , ..., m64

4 Algorithm of function f
f : {0, 1}32 × {0, 1}48 → {0, 1}32
f : IN P U T × KEY → OU T P U T
f (Ri , ki ) = Xi+1
where Ri is the input of 32 bits, ki is the key of 48 bits and Xi+1 is the output of 32 bits.
M
P (S(E(Ri Ki ))
Here, P represents the Permutation box which permutes the 32 bit text, S represents the sub-
stitution box which converts the 48 bit text into a 32 bit text and E represents the Expansion
function which expands the 32 bit text into a 48 bit text.

So, firstly the plaintext of 32 bits is expanded to 48 bits using expansion function, then it is
XORed with the secret key of 48 bits to generate a output of 48 bits which is then converted to 32
bits with the help of Substitution box which is then permuted using Permutation box to generate
an output of 32 bits.

2
4.1 Expansion Function
Expansion function E expands the 32 bit text to 48 bits.

E : {0, 1}32 → {0, 1}48

The expansion function uses a 8x6 matrix with elements in it from 1 to 32 which is used in
order to expand the text from 32 bit to 48 bits.The matrix for Expansion function used in DES is
represented as:

Figure 3: Expansion Function E

E(x1 , x2 , x3 , ...x32 ) = y1 , y2 , ..., y48

4.2 Substitution box of f

Substitution box S compresses the 48 bit text to 32 bit text.

E : {0, 1}48 → {0, 1}32

S(x) = y
where x is of 48 bits and y is of 32 bits.

Firstly, we will divide the x into 8 blocks of 6 bits each.

x = B1 B2 B3 ...B8

Assuming a small substitution function Si which converts 6 bit text into 4 bits.So,

S = S1 S2 S3 ...S8
E : {0, 1}6 → {0, 1}4
Si (Bi ) = Ci
C = C1 C2 C3 ...C8

3
 Where C is the final output obtained of 32 bits.

So, firstly we divide the 48 bits text into 8 blocks of 6 bits each and then apply substitution
function on each block to convert it to 4 bits each and then finally concatenate them to obtain a
32 bit output.

Conversion of 6 bits block into 4 bits block:

Bi can be represented as a combination of 6 bits.

Bi = b1 b2 b3 ...b6
So, now we will use a 4x16 matrix containing elements from 0 to 15 which can be represented
as a combination of 4 bits.Now, with the help of below equations and above bit representation, we
will find the position of row,r and column,c in the matrix and use that element present there as its
substitution of 4 bits.

r = 2.b1 + b6
c = integer representation of b2 b3 b4 b5
The 4x16 matrix for substitution box Si can be represented as belows:

Figure 4: Substitution boxes Si

4
4.3 Permutation Function
Permutation box P permutes the 32 bit text data to create a new representation of the same data.

{0, 1}32 → {0, 1}32

So, we will use a 8x4 matrix to permute the data so that its ordering gets changed. The matrix
P which is used for data permutation in DES is represented as:

Figure 5: Permutation Box P

5 Key Scheduling Algorithm for DES

The key scheduling algorithm is an algorithm used to generate round keys in DES algorithm. In
DES algorithm, we are provided with a key K of 64 bit as input and we are required to generate
16 keys k1 to k16 each of which has 48 bits and the key scheduling algorithm helps for the same.

IN P U T : K = x1 ...x64
OU T P U T : 16 round keys of 48 bits each Ki where 1 <= i <= 16
Following steps are followed for the generation of the round keys:

• Define Constants Vi for 1 <= i <= 16 such that vi = 1 for i=1,2,9 and 16 and for all other i
Vi = 2.

• Now, discard 8 parity check bits from K

• Define T as follows:
T = P C1 (k)
Where P C1 represents a matrix used to select bits from K.

P C1 : {0, 1}56 → {0, 1}56

5
 Now, T can be divided into 2 halves each of 28 bits so that the total bits in T will remain 56.

T = (C0 , D0 )

• Now, for all i’s from 1 to 16 calculate ki as follows:

Ci ← Ci−1 ←- Vi

Di ← Di−1 ←- Vi
where ←- represents left circular shift

Ki = P C2 (Ci , Di )
Where P C2 represents a matrix used to select 48 bits from the combination of Ci and Di .

P C2 : {0, 1}56 → {0, 1}48

Here, the tables(matrices) P C1 and P C2 are fixed and can be represented as belows:

Figure 6: PC1 and PC2

6 Complementation Property
In P C1 we are just altering position and not changing any values. So, if we firstly complement the
values of all the keys and then apply P C1 , then the output value will also be complemented.

Now, after that if we again apply complement then we will get P C1 as result.

P C1 (K1 k2 ...k64 ) = k57 k49 ...k4

P C1 (K̄1 k¯2 ...k¯64 ) = k¯57 k¯49 ...k¯4 = P C1¯(K)
In P C2 , the position of inputs will be the same as position of outputs expect the few elements
which are missing in the output.

So, it only does the work of reducing the no. of bits from 56 to 48 and does not alter the message.

So, the output of overall key scheduling algorithm when K̄ is passed will provide with same Ki s
but in complemented order.

6
 KS(K) = K1 , K2 , ..., K16
KS(K̄) = K̄1 , K̄2 , ..., K¯16
Now, we can see that the permutation box IP just permutes the message but does not change
any values so if we apply IP on inverse of M we will get inverse values as the output.

So, IP (M̄ ) and IP −1 (M̄ ) are complementary to complementary functions and So, the output
will be just the inverse of the outputs from IP (M ) and IP −1 (M ).

Now, looking into the process of DES having L0 ,L1 ,R0 and R1 . Now, looking at the L¯0 and R̄0
we will try to assume new L1 and R1 .

Earlier, L1 = R0 So, new L1 will be equal to R̄0 and So, will be L¯1 .

f (R0 , K1 ) .So, now we will find L¯0 f (R̄0 , K̄1 .

L L
Earlier, R1 = L0

So, now we will check for function f. As seen above, first expansion function is used in f.
Expansion function just increases the values of number of bits and does not alter values and so if
we pass a complement of message it will give complement of the original output.

¯ 0)
E(R̄0 = E(R
Now, we tend to XOR it with k¯1 , then it will give the same value as E(R0 ) k1 as it is the
L
property of XOR that its value remains same if complements of 2 numbers are XORed or the 2
numbers are XORed. So, the value is forwarded further to substitution box and permutation box
respectively and so, the value of function f remains same as earlier.

So, now we will calculate L¯0 f (R0 , K1 ) and by the property of XOR, we can say that if we
L
calculate XOR of one number and the complement of another number, then we will get the output
as complement of XOR obtained by calculating XOR of those two numbers.So, then new R1 that
we will get will be R̄1 .

So, in this DES process we will work with L¯0 ,R̄0 ,L¯1 and R̄1 .

So, by analysing all the above functions using complements we can conclude that:

If DES(M, K) = C
then DES(M̄ , K̄) = C̄
Now, we might wonder that how will this conclusion be used. So, we can say that if key size
is 56 bits then using exhaustive search the total time complexity will be 256 but if we use above
conclusion, we can reduce the time complexity.

So, we can say that if we have the following information:

DES(M, K) = C1
DES(M̄ , K) = C¯2

7
 and if we do not know the key, then from the set of all keys, if we take a random key ki , then
we can calculate

DES(M, Ki ) = C
DES(M̄ , K̄i ) = C̄
Now, we can check if C=C1 and if it is not equal we can discard ki from the set of all available
K’s and now we will check for C̄ = C2 and if it is not equal then we can discard K̄i from the set of K’s.

So, we can discard 2 values at the same time, so the complexity is reduced by half.So, the new
complexity becomes 255 .

The process of cracking the secret key of the above DES method is done by attackers and so,
we will now see various attackers models.

7 Attack Models
• Ciphertext Only Attack
Attacker is getting only ciphertext and the goal is to get back the plaintext on recursively
iterating through the secret key.

• Known Plaintext Attack

Attackers knows some plaintext and corresponding ciphertext.The goal is to find a plaintext
corresponding to a different ciphertext or to find the secret key of the system.

• Choosen Plaintext Attack

Attackers choose a plaintext of his/her choice and he/she is allowed to get the corresponding
ciphertext. The goal is to generate a plaintext from some other ciphertext and to find the
secret key. It basically focusses on finding the Encryption key system and then we can find
the decryption key using the encryption key we found. It is way more stronger then the above
attacks.

• Choosen ciphertext attack

Attackers choose some ciphertext and he/she is provided with the corresponding plaintext.
The goal is to generate a new plaintext for a different ciphertext given and to find the
corresponding secret key. Here, the key we will be able to find is the decryption key so it
becomes easier for us to directly finding plaintext from the ciphertext. It is the strongest
algorithm known for public key cryptography attacks. It is more stronger than the above
algorithm as encryption key is public but decryption key is not.

For example, lets say there is an algorithm A which claims that it has 80 bit security under
choosen plaintext attack and there is another Algorithm B which claims that it has 80 bit security
under known plaintext attack.Then we can say that Algorithm A is more stronger than Algorithm
B as that attack model is more stronger.

8 DES and Attack models

We have already seen that there are in total 256 possibilities of secret keys for DES algorithm. We
have also seen earlier that

8
 DES(M, Ki ) = C
DES(M̄ , K̄i ) = C̄
Attackers try to search and find the secret key in smaller amount of time. So, we will try to act
as an attacker and apply choosen plaintext attack. We choose 2 plaintexts M and M̄ for which we
want cipher texts.

DES(M, K) = C1
DES(M̄ , K) = C2
Now, the attacker will take the set of secret keys and try to apply DES as

DES(M, Ki ) = C̃i
If (C̃i ! = C1 ) ⇒ Ki ! = K
If (C̃i ! = C¯2 ) ⇒ K̄i ! = K.
As we are deleting 2 secret keys at a time from the set of all available secret keys, we can reduce
the secret key search complexity by half.So, the complexity now becomes 255 . This is similar as we
have seen in complementation property. The best complexity to find the secret key is 243 in normal
computers using advanced techniques.

Now, instead of using one key for the encryption in DES, we will perform multiple keys encryp-
tion in DES.

9 Double DES
Here, we will use 2 keys k0 and k1 for the encryption process of DES. In general DES using one
key, we get a 56 bit security, so here we will get 2.56 bits of security.

So, we can say that DES can provide 112 bit of security.

So, the secret key k which is a concatenation of k0 and k1 is of 128 bits of which 16 bits are
parity check bits.So, in total 112 bits remain after we remove the parity check bits.

K = (k0 , k1 )

K0 K1

ENC DES DEC DES

Plaintext(64 bits) Ciphertext

Above represents the structure of Double DES. Here, plaintext of 64 bits is provided as input
and we get ciphertext/ unreadable text as output. There are 4 possible operations possible for

9
the use of keys K0 and k1 , The four possible operation are Encryption-Encryption,Encryption-
Decryption,Decryption-Encryption and Decryption-Decryption with key K0 and k1 respectively.
The order of the keys K0 and k1 remains the same.

The choice in diagram above i.e. Encryption-Decryption is just for illustration purpose. In
reality the choice we make is based upon the time complexity. The combination which takes the
least time to execute will choosen for the purpose.As in DES, encryption and Decryption process
are somewhat same so we tend to avoid larger time complexities.

Using exhaustive search, the time complexity to find the secret key is 2112 but the attackers
claim to find the security key in the order 256 .

Attacker will have a valid plaintext-ciphertext pair i.e. P,C pair for double DES. Now, he/she
will select a secret key ki from the set of all available k’s. First, the attacker will perform encryption
of plaintext using ki .

EN CDES (P, ki ) = xi
We will store the result xi and the corresponding ki in a table called table1. So, the total time
complexity to create table1 is 256 .

Now, the attacker performs the encryption of the ciphertext using the a different secret key kj .

EN CDES (C, kj ) = yj
We will store the result yj and the corresponding kj in a table called table2. So, the total time
complexity to create table2 is 256 .

Now, we will check whether xi = yj then if it turns equal, then (Ki ,kj ) will be the required key
and else we will eliminate both the keys from the set of all available keys.

As the tables are calculated independently, we can say that the complexity of both of them are
added and so the total complexity for finding the secret key would be 257 which will be in order of
256 .

10 Triple DES
Here, we will use 2 keys k0 and k1 for the encryption process of DES but the no. of times Encryp-
tion/Decryption would be done will be 3. We have seen that Double DES using two key and two
Encryption/Decryption processes, we get an order of 56 bit security, so here we will see how much
bits of security can we achieve. So, the secret key k which is a concatenation of k0 and k1 .

K = (k0 , k1 )

10
 K0 K1 K0

ENC DEC DES ENC DES

Plaintext(64 bits) DES Ciphertext

Above represents the structure of Triple DES. Here, plaintext of 64 bits is provided as input
and we get ciphertext/ unreadable text as output. There are 8 possible operations possible for the
use of keys K0 and k1 whether Encryption or Decryption process will be taken into consideration
or not.The order of the keys K0 , k1 and k0 remains the same.

So, the first and last layer of the key remains same and the middle layer is different. It is also
known as meet-in-the-middle attack.

This algorithm provides a 2.n bit security instead of a n-bit security as provided in normal DES
algorithm.

The time complexity to find the secret key is 2112 as we can achieve 2n bit of security and as
2.56 is 112, we can achieve 2112 complexity. As we have seen earlier, the best possible complexity
we can achieve to find secret key is 243 in DES, then also using triple DES we can achieve 286
complexity which is way better than the normal DES.

So, Triple DES is a good algorithm as compared to normal DES and then we can use it to make
it difficult for attackers to crack the secret key.

11 Mathematical Tools used in AES

As we have seen earlier, to kind a secret key of n-bit using exhaustive search in normal computers, we
get a time complexity of 2n but if we use quantum computers we can find it in 2n/2 time complexity.

So, in order to achieve n bit security here, we need to have a 2.n bit security key.

11.1 Relation
Relation R can be defined as

R:X→y
R ⊆ XxY
Arbitrary operation * on a set S is a mapping from S x S to S i.e. * is a role which assigns to
each ordered pair of elements from S to an element in S.

∗ : SxS → S
If ∗ (a, b) = c
and ∗ (b, a) = d
where a,b,c,d ∈ S, then it is not necessary that d=c as they are not necessarily commutative.

11
11.2 Group
A group (G,*) consists of a set G with a binary operation * on G satisfying these conditions:

• The group operation is associative. a*(b*c) = (a*b)*c where a,b,c ∈ G

• There is an element 1 ∈ G called identity element such that a*1 = 1*a = a for all a ∈ G

• For each a ∈ G, there exists a element a−1 ∈ G called the inverse of a such that

a ∗ a−1 = 1 = a−1 ∗ a for all a, a−1 ∈ G

A group G is called abelian(Commutative) if a*b=b*a for all a,b ∈ G.

If we take G as a set of all invertible nxn matrices, then we can see that

(i) A*(B*c) = (A*B)*C

(ii) A*In = A = In*A

(iii) A*A−1 = In = A−1 *A

where In represents the identity matrix. So we can say that (G,*) where * represents matrix
multiplication will form a group.

If we take Z as a set of all integers, then we can see that

(i) a+(b+c) = (a+b)+c

(ii) a+0 = a = 0+a

(iii) a+(-a) = 0 = (-a)+a

where 0 is the identity element for (G,+) and for every a,-a ∈ Z -a is the additive inverse. So
we can say that (G,+) where + represents addition will form a group. On top of that, they are
commutative also. So,

a+b=b+a
If we take Z as a set of all integers, then we can see that

(i) a × (b × c) = (a × b) × c

(ii) a × 1 = a = 1 × a

(iii) For all a ∈ Z, it is not necessary that a−1 ∈ Z

12
 where 1 is the identity element for (Z,×). So we can say that (Z,×) where × represents multi-
plication will not form a group as inverse does not always belong to the set Z.

If we take Z as a set of all integers, then we can see that

a-(b-c) != (a-b)-c
We can say that as (Z,-) where - represents subtraction is not associative, it will not form a group.

If we take Q as a set of all rational numbers, then we can say that

(i) a*(b*c) = (a*b)*c

(ii) a*I = I*a

(iii) a*a−1 = I = a−1 *a

We can say that as (Q,*) where * represents addition will form a group as it satisfies all the
above properties but it does not form a group under multiplication as 0 does not satisfy the inverse
property i.e. property (iii) and 0 ∈ Q and if we does not include 0 in Q, then it will form a group.

If |a| is finite,then we can say that (G,*) is a finite group.

The set Zn with the operation of addition modulo n, forms a group. The set Zn with the
operation of multiplication modulo n is not a group, since all elements do not have multiplicative
inverses. So,

Zn = x mod n for all x ∈ Zn

Here, Z represents the set of integers. So, Z3 = {0,1,2}. {Zn ,+n } will form a group but {Zn ,∗n }
will not form a group as for every a we do not have a b such that a ∗n b = 1 mod n where +n
represents addition mod n and ∗n represents multiplication mod n.

Now, we will consider Un as a set of all x such that x ∈ Zn \{0} such that gcd(x,n) = 1. Then
it will form a group if n is a prime number as all numbers less then a prime number are coprime
with that prime number. So, Zp \{0} = Zp ∗ where p represents prime numbers.

13