lec4

The document discusses practical constructions of symmetric key primitives, focusing on block ciphers and stream ciphers. It outlines the encryption process, the roles of keys, and the characteristics of both cipher types, emphasizing their efficiency and security in real-world applications. Additionally, it mentions various well-known block cipher algorithms and their implementations in software like OpenSSL.

Cryptography

Lecture 4: Practical Constructions of Symmetric Key Primitives


(Block Ciphers and Stream Ciphers)

Srimanta Bhattacharya
Encryption Scheme: Types

Encryption schemes
• Symmetric / Private-key
  • Block ciphers
  • Stream ciphers
  • Implemented using machine instructions (⊕, ≪, etc.)
  • Faster speed of operation
  • Used for bulk data encryption
  • Resource requirement is less
  • Used in portable hand-held devices
• Public-key

The Setting

  Sender (Alice)                                                     Receiver (Bob)
  Key (K)  <-------------------- secure channel -------------------->  Key (K)
  Plaintext (M) --> E(K, .) --> Ciphertext (C) ==insecure channel==> Ciphertext (C) --> D(K, .) --> Plaintext (M)
                                                       ^
                                                    Adversary

• Alice (Sender) and Bob (Receiver) share the same key K.
• E (the encryption algorithm Enc) and D (the decryption algorithm Dec) are known to everyone (Kerckhoffs' principle); only K is secret.
• How are E and D constructed in real life?

Encryption Scheme (contd.)

Encryption scheme
• Gen (key generation)
• Cipher
  • Enc, Dec

Block cipher and Stream cipher

Block Cipher:
• Takes an n-bit message M = m_1 . . . m_n and an r-bit key K = k_1 . . . k_r to produce an n-bit ciphertext C = c_1 . . . c_n.
• E : {0,1}^n × {0,1}^r → {0,1}^n
• For fixed K, E(K, .) is a permutation from {0,1}^n to {0,1}^n.

Stream Cipher:
• Takes an r-bit key K = k_1 . . . k_r and an s-bit initial vector IV = iv_1 . . . iv_s to produce an ℓ-bit keystream Z = z_1 . . . z_ℓ.
• E : {0,1}^r × {0,1}^s → {0,1}^ℓ
• z_i = E(K, IV)_i (the i-th keystream bit), and c_i = m_i ⊕ z_i.
• IV is arbitrary but known (sent in the clear); the same (K, IV) pair must never be used for two messages, since then c_i ⊕ c'_i = m_i ⊕ m'_i.
• ℓ ≫ r

Few Remarks

• Real-life constructions are based on certain well-studied design "principles" and not on weaker assumptions (as discussed in the context of "modern cryptography"). Heuristic security arguments are given rather than concrete security proofs.
• They have withstood attacks for a sustained period.
• They are much more efficient than their public-key counterparts.

Block Cipher: Real-world Examples

There are many of them:
DES, Triple-DES, AES, CAST, Camellia, Blowfish, Twofish, IDEA, LED, PRESENT, KATAN, SIMON, SPECK, GIFT, . . .

Where to find them?
• Design descriptions are openly published.
• Software
  • Open source packages like OpenSSL, GPG, etc.
• Hardware and hardware accelerators
  • Smart cards, routers, Trusted Platform Module ICs, . . .

An example: OpenSSL
• A free, open source, robust, commercial-grade crypto library implementing various cryptographic algorithms, including block ciphers.
• Available for Windows and Linux (among other platforms).

Block Ciphers in OpenSSL

• # openssl enc -ciphers
  Prints a list of the available ciphers along with their modes.
• # openssl des-ecb -e -K e0e0e0e0f1f1f1f1 -in plaintext -out ciphertext
  Encrypts the contents of the file plaintext with DES in ECB mode under the key e0e0e0e0f1f1f1f1 and writes the ciphertext to the file ciphertext.
• # openssl des-ecb -d -K e0e0e0e0f1f1f1f1 -in ciphertext -out plaintext2
  Decrypts the file ciphertext with the same key and writes the plaintext to the file plaintext2.

Two caveats for anyone repeating this:
• e0e0e0e0f1f1f1f1 is one of the four DES weak keys: its key schedule produces identical round keys, so encryption and decryption coincide and encrypting twice returns the plaintext. Fine for a classroom demo, never for real data.
• In OpenSSL 3.x single DES lives in the legacy provider, so the command may need -provider legacy -provider default; newer releases also prefer the form openssl enc -des-ecb ... over the cipher-name shorthand.

Block cipher

Theoretical view
• For each key K, the function E(K, .) is a permutation of {0,1}^n.
  For a fixed key k ∈ {0,1}^r, E_k(.) (= E(k, .)) takes as input m ∈ {0,1}^n and outputs c ∈ {0,1}^n.
• Modeled as a Pseudorandom Permutation (PRP):
  when K ←$ {0,1}^r, E_K(.) should be indistinguishable from a random permutation on {0,1}^n.
  How to distinguish? Through queries (to be discussed later).
• P_n: the set of permutations on {0,1}^n. |P_n| = (2^n)!.
• Need log2((2^n)!) ≈ n·2^n bits of key to index P_n
  (by Stirling's approximation, log2((2^n)!) ≈ 2^n·(n − log2 e), and the n·2^n term dominates).
• For n = 64, need ≈ 64·2^64 = 2^70 bits of key ⇒ impractical.

Practical view
• Carefully choose a subset S ⊂ P_n having enough "randomness" properties for "practical" purposes.
• 128-bit key ⇒ |S| = 2^128 (at most one permutation per key; a negligible fraction of P_n).
• Practical security claims are made w.r.t. the key size (e.g., no attack better than ≈ 2^128 operations).

Data Encryption Standard (DES)

Feistel Network
i-th round:
• L_i, R_i ∈ {0,1}^{n/2}
• f_i : {0,1}^{n/2} → {0,1}^{n/2} are arbitrary (they need not be invertible)
• L_{i+1} = R_i
• R_{i+1} = L_i ⊕ f_i(R_i)
• We have a mapping (L_i, R_i) → (L_{i+1}, R_{i+1}). Is the mapping invertible?

3-Round Feistel Network (image source: KL Book)

Inverting one round
• L_{i+1} = R_i
• R_{i+1} = L_i ⊕ f_i(R_i)
gives
• R_i = L_{i+1}
• L_i = R_{i+1} ⊕ f_i(R_i) = R_{i+1} ⊕ f_i(L_{i+1})

After any number of rounds the mapping remains invertible. Why? Each round is undone by the two formulas above, which only evaluate f_i in the forward direction; so the rounds are peeled off one at a time in reverse order, and no f_i ever needs to be inverted.

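The invertibility argument above, as an added example that is not part of the original slides: a generic Feistel network in Python whose round function is deliberately not invertible (a truncated SHA-256, a choice made for this example), showing that decryption still works for any number of rounds and that the resulting cipher is a permutation of the block space. The subkey derivation is a throwaway stand-in, not DES's key schedule.

```python
import hashlib


def derive_subkeys(master_key: bytes, rounds: int) -> list:
    """Toy key schedule (an assumption for this example, not DES's): subkey i = i || master_key."""
    return [bytes([i]) + master_key for i in range(rounds)]


def round_function(half: bytes, subkey: bytes) -> bytes:
    """f_i(R_i): the first len(half) bytes of SHA-256(subkey || R_i).
    Truncating a hash is many-to-one, so f_i itself is NOT invertible."""
    return hashlib.sha256(subkey + half).digest()[: len(half)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_encrypt(block: bytes, subkeys: list) -> bytes:
    """Apply L_{i+1} = R_i, R_{i+1} = L_i xor f_i(R_i) once per subkey, in order."""
    half = len(block) // 2
    L, R = block[:half], block[half:]
    for k in subkeys:
        L, R = R, xor(L, round_function(R, k))
    return L + R


def feistel_decrypt(block: bytes, subkeys: list) -> bytes:
    """Undo the rounds in reverse order: R_i = L_{i+1}, L_i = R_{i+1} xor f_i(L_{i+1}).
    Only f_i is evaluated, never inverted, which is why f_i need not be a bijection."""
    half = len(block) // 2
    L, R = block[:half], block[half:]
    for k in reversed(subkeys):
        L, R = xor(R, round_function(L, k)), L
    return L + R


def round_function_is_bijective(subkey: bytes) -> bool:
    """Check f_i on all 256 one-byte halves; with a truncated hash this comes out False."""
    images = {round_function(bytes([x]), subkey) for x in range(256)}
    return len(images) == 256


def encryption_is_permutation(subkeys: list) -> bool:
    """Exhaustively check that E_K is injective on all 2^16 two-byte blocks
    (exhaustive checking is only possible because the toy block is 16 bits)."""
    images = {feistel_encrypt(bytes([a, b]), subkeys) for a in range(256) for b in range(256)}
    return len(images) == 65536


if __name__ == "__main__":
    subkeys = derive_subkeys(b"example-key", 3)      # constructed demo key, 3 rounds
    pt = b"\x12\x34\x56\x78"
    ct = feistel_encrypt(pt, subkeys)
    assert feistel_decrypt(ct, subkeys) == pt
    print("round function bijective:", round_function_is_bijective(subkeys[0]))
    print("cipher is a permutation :", encryption_is_permutation(subkeys))
```

The two checks at the end are the whole point: the round function collides on single-byte inputs, yet the cipher built from it never does. Note also that a 1-round Feistel is invertible but useless as a cipher (half of the plaintext appears verbatim in the ciphertext); the rounds are what provide confusion and diffusion, not invertibility.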
Data Encryption Standard (DES)

Design of DES:
• 16-round Feistel network.
• Input size (block length) = 64 bits. Key size = 56 bits.
• Round functions f_i, 1 ≤ i ≤ 16, are key dependent: f_i depends on a 48-bit subkey k_i derived from the 56-bit master key (through a key schedule).

How does the round function f_i look?

Data Encryption Standard (DES)

The round function F takes the 32-bit R_i and the 48-bit round key K_i and is built from:
• Expansion (E): {0,1}^32 → {0,1}^48
• Key mixing: E(R_i) ⊕ K_i
• Substitution: eight S-boxes, together {0,1}^48 → {0,1}^32 (next slide)
• Permutation (P): {0,1}^32 → {0,1}^32
• Key schedule: derives the 48-bit round keys K_i from the 56-bit master key.

Data Encryption Standard (DES)

Substitution Boxes (S-boxes):
• There are 8 S-boxes. Each is a mapping {0,1}^6 → {0,1}^4.
• Each S-box is a 4-to-1 mapping (every 4-bit output value has exactly 4 preimages).
• Changing one input bit (out of six) changes at least two output bits (out of four).
• Together they form a mapping {0,1}^48 → {0,1}^32.
• Crucial for security; a slight change may affect the security drastically.

All these details are public (except for the key)!

Round Function of DES (image courtesy: Wikimedia)

Data Encryption Standard (DES)

Design Considerations:
• The 4 output bits of an S-box affect the inputs of 6 S-boxes in the next round, due to the permutation function P and the expansion function E.
• "Avalanche" effect: changing a single input bit affects a lot of output bits after a few rounds.

Facts:
• Designed in the 1970s by IBM (with NSA involvement). Adopted as a FIPS standard in 1977. Intensely scrutinised for years.
• The key length (56 bits) is too small: brute force is practical and has actually been carried out.
• A DES-cracking box built from FPGAs can find a key in about 23 hours.
• Other forms of attack, such as time-memory trade-offs (TMTO, TBD), are possible because of the short key.
• The short block length (64 bits) is also problematic, e.g., for counter-mode (TBD) security: block collisions become likely after about 2^32 blocks under one key.
• Weaknesses have been observed on reduced-round versions; the general consensus is that the full 16 rounds are secure in practice (apart from the short key).
• Enhancements like Triple-DES are still in use. DES was also the basis of the traditional Unix crypt(3) password hash.

Advanced Encryption Standard (AES)

Confusion-Diffusion Paradigm
• Goal: a change in a single bit of the input "affects" a lot of (typically all) bits of the output.
• "Affect" does not mean that each output bit flips, but that each output bit changes with probability 1/2.
• A random permutation surely achieves this, but requires a huge key.
• Is there a way around? Divide into small blocks.

Example:
• Consider a block size of 16 bits. A random permutation would require a key of length ≈ 16·2^16 = 2^20 bits.
• Divide into 4 blocks of 4 bits and permute each block independently: the key length drops to ≈ 4 × 2 × 2^4 = 2^7 bits (a rough estimate; exactly 4·log2(16!) ≈ 177 bits), against 2^20.
• What happens if we change the 1st input bit? How many output bits get affected? Only the 4 bits of the block that contains it; the other 12 output bits are untouched.
• Way out? Scramble (permute) the output bits, so that the next round spreads the change into every block.
• Role of the key: fix the mapping (substitution + permutation).

Substitution Permutation Network
• Based on the confusion-diffusion paradigm.
• Instead of a key-dependent mapping, the mapping is fixed (public); the (sub-)key is XORed with the input before the mapping is applied.
• For a single round: input x, sub-key k, intermediate values y and z.
  x = x_1 ∥ x_2 ∥ x_3 ∥ x_4, where x_1 = bits 1–4, x_2 = bits 5–8, x_3 = bits 9–12, x_4 = bits 13–16 (likewise for y and z).
  1. Key mixing: y = x ⊕ k
  2. Substitution: z = S_1(y_1) ∥ S_2(y_2) ∥ S_3(y_3) ∥ S_4(y_4)
  3. Permutation: permute the bits of z
• An SPN is invertible: undo the bit permutation, apply the inverse S-boxes, and XOR the sub-key again.

Advanced Encryption Standard (AES)

Figures: Substitution Permutation Network (SPN); a single round of AES.

A single round of AES
• AddRoundKey: XOR the 128-bit round key into the state.
• SubBytes: each byte is replaced by another byte according to a fixed lookup table (the S-box). The mapping is x ↦ x^{-1} in F_{2^8} (with 0 ↦ 0), followed by a fixed affine transformation over F_2.
• ShiftRows: the rows of the 4×4 byte state are rotated according to a fixed rule (row i is rotated left by i bytes).
• MixColumns: applies a fixed linear transformation (over F_{2^8}) to each column of the state.

Practical key and block sizes:
• DES
  • DES: block size 64 bits, key size 56 bits.
  • Triple-DES: block size 64 bits, key sizes 56 (64 with parity bits; keying option 3, equivalent to single DES), 112 and 168 bits (the 168-bit variant gives only ≈ 112-bit security against meet-in-the-middle).
• AES
  • AES: block size 128 bits, key sizes 128, 192, 256 bits.

Speed of operation:
• Can be measured, e.g., by
  openssl speed -evp aes-128-{ecb,ctr,cbc,ofb,cfb}
• In ECB mode AES can process about 3.84 GB per second (figure quoted in the lecture; it depends on various factors such as the CPU and AES-NI support).

Modes of Operation

• In a real-world scenario one needs to encrypt a long plaintext (e.g., a file of size 8 MB) rather than a single "block" (of typical size, e.g., 128 bits).
• A block cipher has to be applied repeatedly to encrypt plaintexts longer than a block.
• A mode of operation of a block cipher is an algorithm for encrypting a long plaintext using a block cipher in a "secure" and "efficient" manner, sometimes using an additional input known as an initialization vector (IV).
• There are many modes of operation; some are standardized, some are used without standardization.

NIST standardized modes

• Confidentiality modes (SP 800-38A)
  • ECB, CBC, OFB, CFB, CTR
• Authentication mode (SP 800-38B)
  • CMAC (derived from XCBC/OMAC)
• Authenticated encryption modes
  • CCM (SP 800-38C) and GCM (SP 800-38D; parallelizable, high throughput)
• Mode for confidentiality on storage devices (disk encryption) (SP 800-38E)
  • XTS
• Key-wrap modes (SP 800-38F)
  • KW, KWP, TKW
• Modes for format-preserving encryption (SP 800-38G)
  • FF1, FF3 (FF3 was later replaced by FF3-1 after attacks)

There are other proposed modes such as EAX, OCB, etc.

Block cipher: Modes of operation

Figures (image source: Wikipedia):
• Electronic codebook (ECB) mode
• Cipher block chaining (CBC) mode
• Cipher feedback (CFB) mode
• Output feedback (OFB) mode
• Counter (CTR) mode

Block cipher: Modes of operation

Which of the modes can be parallelized (in encryption / decryption)?
• ECB and CTR: both encryption and decryption (the blocks are processed independently).
• CBC and CFB: decryption only (each plaintext block needs just two ciphertext blocks); encryption is a chain.
• OFB: neither (the keystream itself is a chain), although the keystream can be precomputed.

Facts:
• ECB mode is insecure: equal plaintext blocks give equal ciphertext blocks, so patterns in the plaintext leak.
• ECB and CTR modes are efficient (parallelizable and pipelinable, hence considerably faster than the chained modes).
• CTR mode seems optimal for confidentiality purposes, provided a (nonce, counter) value is never reused under the same key.

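To make the ECB/CBC/CTR comparison above concrete, here is an added example (mine, not the lecturer's) built on a constructed 8-bit "block cipher": a key-seeded random permutation of the 256 possible block values, which is not a real cipher but makes the mode behaviour visible. It shows the ECB leak (equal plaintext runs give equal ciphertext runs), that CBC decryption depends only on the neighbouring ciphertext block (so a wrong IV corrupts only the first block, and decryption parallelizes while encryption does not), and what reusing a CTR nonce (the IV-reuse case from the stream-cipher slide) hands the attacker: m1 ⊕ m2 without any key.

```python
import random


def make_block_cipher(key: bytes):
    """Toy 8-bit block cipher (constructed for this example): the key seeds a shuffle of
    all 256 block values, giving a keyed permutation E_K and its inverse D_K."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return (lambda b: table[b]), (lambda b: inverse[b])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(enc, pt: bytes) -> bytes:
    # each block encrypted independently: parallel, but equal blocks map to equal blocks
    return bytes(enc(b) for b in pt)


def ecb_decrypt(dec, ct: bytes) -> bytes:
    return bytes(dec(b) for b in ct)


def cbc_encrypt(enc, iv: int, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in pt:
        prev = enc(b ^ prev)        # needs the previous ciphertext block: inherently serial
        out.append(prev)
    return bytes(out)


def cbc_decrypt(dec, iv: int, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in ct:
        out.append(dec(c) ^ prev)   # needs only c_i and c_{i-1}: every block can be done in parallel
        prev = c
    return bytes(out)


def ctr_keystream(enc, nonce: int, n: int) -> bytes:
    # counter block i = (nonce + i) mod 256; blocks are independent, so both directions parallelize.
    # An 8-bit counter wraps after 256 blocks: the toy analogue of the short-block-length problem.
    return bytes(enc((nonce + i) & 0xFF) for i in range(n))


def ctr_crypt(enc, nonce: int, data: bytes) -> bytes:
    """CTR turns the block cipher into a stream cipher: encryption and decryption are the same XOR."""
    return xor(data, ctr_keystream(enc, nonce, len(data)))


def ecb_leaks_pattern(enc, pt: bytes) -> bool:
    """True if two equal 8-block runs of plaintext produce equal ciphertext runs."""
    ct = ecb_encrypt(enc, pt)
    return ct[0:8] == ct[16:24]


def ctr_hides_pattern(enc, nonce: int, pt: bytes) -> bool:
    """Same check for CTR: different counter values, so equal runs encrypt differently."""
    ct = ctr_crypt(enc, nonce, pt)
    return ct[0:8] != ct[16:24]


def wrong_iv_damage(dec, enc, iv: int, pt: bytes) -> int:
    """Number of plaintext bytes corrupted when CBC is decrypted with the wrong IV (only the first block)."""
    ct = cbc_encrypt(enc, iv, pt)
    wrong = cbc_decrypt(dec, iv ^ 0xFF, ct)
    return sum(1 for a, b in zip(wrong, pt) if a != b)


def nonce_reuse_leak(enc, nonce: int, m1: bytes, m2: bytes) -> bytes:
    """With the same nonce, c1 xor c2 = m1 xor m2: the keystream cancels, no key needed."""
    return xor(ctr_crypt(enc, nonce, m1), ctr_crypt(enc, nonce, m2))


if __name__ == "__main__":
    enc, dec = make_block_cipher(b"demo-key")                 # constructed key
    pt = b"AAAAAAAA" + b"BBBBBBBB" + b"AAAAAAAA"              # constructed plaintext with a repeated run
    print("ECB leaks the repeated run :", ecb_leaks_pattern(enc, pt))
    print("CTR hides the repeated run :", ctr_hides_pattern(enc, 7, pt))
    print("CBC bytes hit by a wrong IV:", wrong_iv_damage(dec, enc, 0x2A, pt))
    print("CTR nonce reuse gives m1^m2:", nonce_reuse_leak(enc, 7, b"attack at", b"retreat!!") == xor(b"attack at", b"retreat!!"))
```

With real 128-bit blocks the ECB leak is the same phenomenon (the well-known encrypted-bitmap picture), and the CTR nonce-reuse leak is exactly the two-time-pad failure of a stream cipher whose IV was repeated.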
Attacks

What is an "attack"?
• An attack is a (proof or) demonstration of a "weakness" of the cipher.
• A refutation of the designer's security claim; e.g., an algorithm that recovers "partial information" about the key of a cipher with a 128-bit key with "non-trivial" probability in 2^100 steps is an attack.
• Showing a weakness in a "reduced" (e.g., fewer-round) version of the cipher is also an attack.
• These are theoretical in nature; they may or may not have any practical impact.
  • May not: an attack in 2^100 steps is still infeasible in practice.
  • May: KeeLoq, WEP, . . .

KeeLoq

• Lightweight block cipher with a 64-bit key and a 32-bit block.
• Used in remote keyless entry systems by car manufacturers.
• Attack requires 2^16 known plaintexts and 2^44.5 encryptions.
• The required data can be obtained in 100 minutes, and the key can be found in 7.8 days using 64 CPUs.

Attack Models

• Known plaintext attack (the adversary holds some plaintext/ciphertext pairs)
• Chosen plaintext attack (the adversary chooses plaintexts and obtains their ciphertexts)
• Chosen ciphertext attack (the adversary chooses ciphertexts and obtains their plaintexts)
• Ciphertext-only attack (the adversary sees only ciphertexts)
• Known / chosen IV attack (for stream ciphers: the adversary knows or picks the IV used with the fixed key)

Adversarial goals

• Key recovery (find K)
• State recovery (find the internal state, e.g., of a stream cipher, which suffices to produce the rest of the keystream)
• Distinguishing attack (tell E_K, or the keystream, apart from a random permutation, or random bits)

Attack on DES

Attack on single-round DES
• Given (L_i, R_i) and (L_{i+1}, R_{i+1}), the goal is to find K_i.
• There are 2^48 possibilities.
• R_i is known, and F(R_i) = L_i ⊕ R_{i+1} is known (since R_{i+1} = L_i ⊕ F(R_i)).
• How to use this information? Look inside F.

Look inside F
• F(R_i) and the permutation P are known ⇒ the (32-bit) output of the S-box layer, P^{-1}(F(R_i)), is known.
• R_i and the expansion E are known ⇒ the (48-bit) output of E is known.
• So for each S-box the 4-bit output is known, and its 6-bit input is a known 6-bit slice of E(R_i) XORed with 6 unknown bits of K_i.

• The 4-bit output of each of S_1 to S_8 is known.
• Each S_i is a {0,1}^6 → {0,1}^4 mapping, and 4-to-1, so a known output leaves exactly 4 candidates for the 6 key bits entering S_i.
• Hence there are 4^8 = 2^16 possibilities for K_i. How? The 8 S-boxes consume disjoint 6-bit chunks of K_i, so the candidate counts multiply.
• Substantial saving from 2^48!
• More than one round?

Attacks on SPN

Attack on single round (without key mixing in the end)

Input (plaintext): x = x_1 ... x_16, grouped into 4-bit blocks x^(1) = x_1 ... x_4, x^(2) = x_5 ... x_8, x^(3) = x_9 ... x_12, x^(4) = x_13 ... x_16
Output (ciphertext): z = z_1 ... z_16, grouped into 4-bit blocks z^(1) = z_1 ... z_4, z^(2) = z_5 ... z_8, z^(3) = z_9 ... z_12, z^(4) = z_13 ... z_16
Key?

Trivial!

37
Attacks on SPN

Attack on single round (with key mixing in the end)

Input (plaintext): x = x_1 ... x_16, grouped into 4-bit blocks x^(1) = x_1 ... x_4, x^(2) = x_5 ... x_8, x^(3) = x_9 ... x_12, x^(4) = x_13 ... x_16
Output (ciphertext): z = z_1 ... z_16, grouped into 4-bit blocks z^(1) = z_1 ... z_4, z^(2) = z_5 ... z_8, z^(3) = z_9 ... z_12, z^(4) = z_13 ... z_16
Key? Can always find in 2^16 × 2^16 = 2^32 operations.
Can we do it faster?

38
First Attempt
1. Get y = z ⊕ K_2 for each K_2 ∈ {0,1}^16
2. For each y get the unique K_1 using x as before.

No. of possible pairs (K_1, K_2) = 2^16.

Takes time ≈ 2^18 and space ≈ 2^20

With additional (x, z) pairs the possible (K_1, K_2) pairs can be narrowed down.

39
Second Attempt

Focus on individual S-Boxes

For S_1 iterate over the 1st, 5th, 9th, and 11th bits of K_2.
Each choice fixes bits 1-4 of K_1 (as in the first attempt).

Time (for all the S-Boxes S_1 - S_4) ≈ 4 × 2^4 = 2^6 and space ≈ 2^8

Substantial Saving!

40
Few generic attacks

• Brute-force search
• Meet-in-the-middle attack
• Algebraic attack
• Time-memory trade-off
• Differential attack
• Linear attack
• Side channel attack

For attacks such as brute-force search, meet-in-the-middle attack, time-memory trade-off, etc., the cipher can be taken as a black box (internal structure need not be known).

41
Meet-in-the-middle attack

• Consider the DES encryption scheme E(k_2, E(k_1, x)), where k_1, k_2 are 56-bit keys and x is a 64-bit plaintext.
• Natural security claim is that it will require 2^56 × 2^56 time.

The attack
• Obtain a plaintext-ciphertext pair (x, y) corresponding to the key pair (k_1, k_2).
• For each 56-bit key k_1^* evaluate z_1 = E(k_1^*, x), and for each 56-bit key k_2^* evaluate z_2 = D(k_2^*, y). Store the pairs (z_1, k_1^*) in a table T_1 indexed by z_1, and store the pairs (z_2, k_2^*) in a table T_2 indexed by z_2.
• (k_1^*, k_2^*) is a possible key if there is a pair (z_1, k_1^*) in T_1 and a pair (z_2, k_2^*) in T_2 such that z_1 = z_2. If (k_1^*, k_2^*) is a possible key pair then store it in a table S.
• The attack requires 2 × 2^56 time to build S and its size is approximately 2^48.
42
• Repeat the procedure with another plaintext-ciphertext pair (x^*, y^*) taking the keys from S and then build another table S^*.
• After a few iterations the correct key can be predicted with high probability. The complete attack will take time much less than 2^112.

43
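The attack on the slides above, run end to end as an added example (not the lecture's code). Because 2^56 DES trials are not a classroom exercise, a constructed toy cipher stands in for DES: a 6-round Feistel network with a 32-bit block and a 16-bit key, so the key pair has 32 bits and the attack costs about 2 × 2^16 cipher calls instead of 2^32. The cipher, its key schedule and the key and plaintext values are assumptions of this example; T_2 is not stored, each z_2 is looked up in T_1 directly, which is the same match test z_1 = z_2 with half the memory.

```python
"""Meet-in-the-middle against double encryption, on a constructed toy cipher.

The toy cipher (an assumption of this example, standing in for DES) is a
6-round Feistel network with a 32-bit block and a 16-bit key.  Double
encryption E(k2, E(k1, x)) has a 32-bit key pair, but the attack below needs
about 2 * 2^16 cipher calls, not 2^32.
"""
from typing import Dict, List, Tuple

MASK16 = 0xFFFF
ROUNDS = 6
KEY_BITS = 16


def rotl16(v: int, r: int) -> int:
    """Rotate a 16-bit value left by r positions."""
    r %= 16
    return ((v << r) | (v >> (16 - r))) & MASK16


def round_key(k: int, i: int) -> int:
    """Constructed key schedule: rotated key XOR a round constant."""
    return rotl16(k, 5 * i) ^ ((0x1234 * (i + 1)) & MASK16)


def f(r: int, rk: int) -> int:
    """Constructed Feistel round function (need not be invertible)."""
    v = (r + rk) & MASK16
    return rotl16(v, 3) ^ ((v * 0x9E37) & MASK16) ^ (v >> 5)


def _feistel(k: int, block: int, order) -> int:
    """Run the Feistel rounds in the given order; omit the final swap."""
    left, right = block >> 16, block & MASK16
    for i in order:
        left, right = right, left ^ f(right, round_key(k, i))
    return (right << 16) | left


def toy_encrypt(k: int, x: int) -> int:
    return _feistel(k, x, range(ROUNDS))


def toy_decrypt(k: int, y: int) -> int:
    # The same network with the round keys in reverse order inverts it.
    return _feistel(k, y, range(ROUNDS - 1, -1, -1))


def double_encrypt(k1: int, k2: int, x: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, x))


def meet_in_the_middle(x: int, y: int) -> List[Tuple[int, int]]:
    """Return every (k1*, k2*) with E(k1*, x) == D(k2*, y), i.e. the table S.

    T1 maps z1 -> [k1*] for all 2^16 keys (one forward pass).  Each
    z2 = D(k2*, y) is then looked up in T1, which is the slides' z1 == z2
    test without materialising T2.
    """
    t1: Dict[int, List[int]] = {}
    for k1 in range(1 << KEY_BITS):
        t1.setdefault(toy_encrypt(k1, x), []).append(k1)
    s: List[Tuple[int, int]] = []
    for k2 in range(1 << KEY_BITS):
        z2 = toy_decrypt(k2, y)
        for k1 in t1.get(z2, ()):
            s.append((k1, k2))
    return s


def filter_candidates(s: List[Tuple[int, int]], x2: int, y2: int) -> List[Tuple[int, int]]:
    """Keep only the pairs in S that also map a second plaintext correctly."""
    return [(k1, k2) for k1, k2 in s if double_encrypt(k1, k2, x2) == y2]


if __name__ == "__main__":
    K1, K2 = 0x1A2B, 0x3C4D            # constructed secret keys
    X1, X2 = 0x12345678, 0xCAFEBABE    # constructed known plaintexts
    Y1, Y2 = double_encrypt(K1, K2, X1), double_encrypt(K1, K2, X2)
    s = meet_in_the_middle(X1, Y1)
    print("candidate pairs after one (x, y):", len(s))
    print("after a second pair:", filter_candidates(s, X2, Y2))
```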
Stream Cipher

[Figure: key K = (k_1, ..., k_r) and IV = (iv_1, ..., iv_s) enter the generator E, which outputs the keystream z_1, z_2, ...; z_i = E(K, IV)_i and c_i = m_i ⊕ z_i]

• Goal is to produce a pseudorandom ("random looking") key stream.
• Operation is broadly divided into two parts - Init and GenBits
• Init takes key K and initialization vector IV to produce state st.
• GenBits produces keystream from st.

Why stream ciphers?
Extremely efficient (especially in hardware). Security?
Less understood than block ciphers.

44
First (Historical) Attempt
Linear Feedback Shift Register (LFSR):

• An array of shift registers


• At each clock pulse
• Contents of the array shifted to the right
• XOR (linear function) of the contents of specified registers is fed back
to the left-most register

45
Example:

[Figure: a 4-register LFSR shown at time t = 1, time t = 2 and time t = 3]

Contents of the array at time t: (s_3^t, s_2^t, s_1^t, s_0^t) - state at time t

State at time t + 1: (s_3^{t+1}, s_2^{t+1}, s_1^{t+1}, s_0^{t+1})

s_0^{t+1} = s_1^t
s_1^{t+1} = s_2^t
s_2^{t+1} = s_3^t
s_3^{t+1} = s_0^t ⊕ s_2^t

Output at time t + 1 = s_0^t

46
If the LFSR has n registers -

s_0^{t+1} = s_1^t
s_1^{t+1} = s_2^t
...
s_{n-2}^{t+1} = s_{n-1}^t
s_{n-1}^{t+1} = c_0 s_0^t ⊕ c_1 s_1^t ⊕ ··· ⊕ c_{n-1} s_{n-1}^t,
where c_i = 1 if the i-th register is tapped, = 0 otherwise.
Output at time t + 1 = s_0^t
For a fixed LFSR the output and the state at t + 1 are uniquely determined by the state at t.
How many different states are possible?
2^n, so the states and the output sequence will repeat.
What is the maximum period?
2^n − 1
Is it possible to achieve a period of 2^n − 1?
47
Yes, with appropriate tap positions (coefficients c_i)
Sequences with period 2^n − 1 (maximum length sequences, pseudo-noise sequences) have good random-like properties:

• # of 0s ≈ # of 1s
• # of 00 ≈ # of 01 ≈ # of 10 ≈ # of 11
• ...

Can be used to encrypt? Like OTP? Where is the key?

Reconstruction Attack
2n consecutive bits reveal the state and tap positions of the LFSR. How?

• First n bits reveal the state
• Last n bits reveal the tap positions

How?

48
If the 2n bits are y_1, ..., y_{2n} and c_0, ..., c_{n-1} are unknown then

y_{n+1} = c_{n-1} y_n ⊕ ··· ⊕ c_0 y_1
...
y_{2n} = c_{n-1} y_{2n-1} ⊕ ··· ⊕ c_0 y_n

Unknowns c_0, ..., c_{n-1} can be found out!

Way out?
Add nonlinearity
How?

49
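The LFSR of the preceding slides and the 2n-bit reconstruction attack, as an added example (not the lecture's code): the register convention and the feedback equation are the lecture's, while the starting state, the Gaussian-elimination solver and the second tap choice (1,1,0,0) are this example's own. It also goes a step beyond the slides by showing that the 4-register example feedback s_0 ⊕ s_2 (taps (1,0,1,0)) repeats after only 6 clocks, whereas s_0 ⊕ s_1 reaches the maximal period 2^4 − 1 = 15.

```python
"""A small LFSR in the lecture's convention, and the 2n-bit reconstruction.

State is written (s_0, ..., s_{n-1}); each clock outputs s_0, shifts every
register down one index and refills s_{n-1} with
c_0 s_0 ⊕ c_1 s_1 ⊕ ... ⊕ c_{n-1} s_{n-1}.
"""
from typing import List, Optional, Sequence, Tuple

Bits = Tuple[int, ...]


def lfsr_step(state: Bits, taps: Bits) -> Tuple[int, Bits]:
    """One clock: returns (output bit, next state)."""
    feedback = 0
    for c, s in zip(taps, state):
        feedback ^= c & s
    return state[0], state[1:] + (feedback,)


def keystream(state: Bits, taps: Bits, length: int) -> List[int]:
    """The first `length` output bits from the given state and taps."""
    out = []
    for _ in range(length):
        bit, state = lfsr_step(state, taps)
        out.append(bit)
    return out


def period(state: Bits, taps: Bits) -> int:
    """Clocks until the (nonzero) state first recurs; at most 2^n - 1."""
    start, count = state, 0
    while True:
        _, state = lfsr_step(state, taps)
        count += 1
        if state == start:
            return count


def solve_gf2(rows: List[List[int]], rhs: List[int]) -> Optional[List[int]]:
    """Gauss-Jordan elimination over GF(2); None if the system is singular."""
    n = len(rows)
    aug = [rows[i] + [rhs[i]] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def reconstruct(y: Sequence[int], n: int) -> Optional[Tuple[Bits, Bits]]:
    """Recover (initial state, taps) of an n-register LFSR from 2n bits.

    y_1..y_n are s_0..s_{n-1} of the initial state directly.  Every later
    bit satisfies y_{n+i} = c_0 y_i ⊕ c_1 y_{i+1} ⊕ ... ⊕ c_{n-1} y_{i+n-1},
    which for i = 1..n is an n x n linear system in the unknown taps.
    Returns None when the equations are dependent (linear complexity < n).
    """
    if len(y) < 2 * n:
        raise ValueError("need at least 2n output bits")
    rows = [[y[i + j] for j in range(n)] for i in range(n)]
    rhs = [y[i + n] for i in range(n)]
    taps = solve_gf2(rows, rhs)
    if taps is None:
        return None
    return tuple(y[:n]), tuple(taps)


if __name__ == "__main__":
    n = 4
    state = (1, 0, 0, 0)                      # constructed starting state
    # Lecture's feedback s_0 ⊕ s_2: period 6, well below 2^4 - 1.
    print("taps (1,0,1,0) period:", period(state, (1, 0, 1, 0)))
    # Feedback s_0 ⊕ s_1 (characteristic polynomial x^4 + x + 1): period 15.
    print("taps (1,1,0,0) period:", period(state, (1, 1, 0, 0)))
    observed = keystream(state, (1, 1, 0, 0), 40)
    recovered = reconstruct(observed[: 2 * n], n)
    print("recovered (state, taps):", recovered)
    # The recovered generator reproduces every later keystream bit.
    print("prediction matches:", keystream(*recovered, 40) == observed)
```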
Add nonlinearity in the feedback:
Example: Instead of s_0 ⊕ s_2 (linear) make it s_0 s_2 ⊕ s_1 s_3

(Nonlinear) combination generator:

Basic versions have been cryptanalyzed!

Enhancements/modifications are in use
Trivium:

Details? FIY (Section 6.1.3)

50
Rivest’s Cipher: RC4
Trivia:
• Proposed by Ronald Rivest - ‘R’ of
RSA
• (Used to be?) used in WEP - Wifi
encryption
• Efficient in software
• Many weaknesses / vulnerabilities
found
Highlights of operation:
• 256 byte array S always contains a
permutation of {0, . . . , 255} - state
of the cipher.
• Init: 16-byte key is initially repeated (in the 256-byte array) and then used to swap entries of S.
• GenBits: produces the output byte by
pseudorandomly swapping the entries
of S - each entry is swapped at least
once in 256 times.

51
An attack on WEP

• WEP uses a 3-byte IV and a 16-byte key K - the array is initialized by IV ∥ K instead of K.
• IV is refreshed often and is exchanged between the sender and the receiver in the open (visible to the adversary)

• The attacker waits until IV[0] = 3, IV[1] = 255, IV[2] = X (there are other patterns as well)
• After the first four iterations of the second loop of Init: S[0] = 3, S[1] = 0, S[3] = X + 6 + K[0].
• i is not touched in the next 252 iterations of Init. So, if j does not take a value in {0, 1, 3} in the next 252 iterations then S[0], S[1], S[3] do not change.
• This happens with probability (253/256)^252 ≈ .05 assuming (heuristically) j to be uniform.
• Assuming this to be the case, the first byte output by GenBits is S[3].
• Since X is known, the secret K[0] is revealed

52
“Weaknesses” of RC4:

Biases
Second output byte of GenBits is biased towards 0. RIY (Section 6.1.4)

53
Standardization

What are the standardization bodies?

• National Institute of Standards and Technology (NIST), USA.
  • Responsible for Federal Information Processing Standards (FIPS).
• International Organization for Standardization.
  • Responsible for ISO/IEC standards.

So, are AES and DES standardized?

• DES - FIPS PUB 46 (1/2/3).
• AES - FIPS PUB 197, ISO/IEC 18033-3:2010 (along with other ciphers such as MISTY, CAST-128, Camellia)

The modes are also standardized.

• ISO/IEC 10116:2006 specifies the modes ECB, CBC, CFB, OFB, CTR.
• FIPS PUB 81 specifies ECB, CBC, CFB, OFB.

54
55
Standardization Process
• Starts the (open) competition with a call for proposals.
• Prominent competitions: AES (Block ciphers), eSTREAM (Stream ciphers), SHA-3 (Hash functions), PHC (Password hashing), CAESAR (Authenticated encryption).
• Broader competitions: CRYPTREC, NESSIE.
• Proposals are submitted within a given deadline.
• Being open, the competitions receive entries from across the globe.
• A proposal comprises a technical description along with software and hardware implementations.
• Analysis begins and continues for several rounds and several years.
• Security of the schemes is analyzed by the relevant community (researchers) with open discussion through publication of important cryptanalytic results and performance evaluations.
• Hardware and software performance is also extremely crucial. A more secure scheme is less considered if it is not adequately efficient.
• At each round, a few candidates are shortlisted (those with no security vulnerability and with satisfactory performance); the remaining are discarded.
56
• At the end of the evaluation phase, a portfolio of selected candidates
is announced (some are suitable for software, some are suitable for
hardware).
• Selected candidates are formally standardized.
57
Example: AES standardization

This example is from https://competitions.cr.yp.to/aes.html.

Requirement specification
• Security ("the most important factor in the evaluation"):
  • "Actual security of the algorithm compared to other submitted
  algorithms";
  • "The extent to which the algorithm output is indistinguishable from a
  random permutation on the input block";
  • "Soundness of the mathematical basis for the algorithm's security";
  • "Other security factors raised by the public during the evaluation
  process, including any attacks which demonstrate that the actual
  security of the algorithm is less than the strength claimed by the
  submitter".
• Cost:
  • "Licensing requirements" ("AES shall be available on a worldwide,
  non-exclusive, royalty-free basis");
  • "Computational efficiency";
  • "Memory requirements".
58
Example: AES standardization

Requirement specification
• "Algorithm and implementation characteristics":
  • "Flexibility" (e.g., additional key sizes, additional block sizes, wide
  variety of platforms, stream cipher, MAC generator, PRNG, hash);
  • "Hardware and software suitability";
  • "Simplicity".
59
Example: AES standardization

• 1997.01.02: NIST announces AES competition.
• 1997.04.15: AES Evaluation Criteria/Submission Requirements
Workshop, Gaithersburg.
• 1997.09.12: NIST issues call for algorithms.
• 1998.06.15: Deadline for submissions.
• 1998.08.20: First AES Candidate Conference. NIST announces 15
AES candidates.
• 1999.03.22-23: Second AES Candidate Conference.
• 1999.08.09: NIST announces its selection of 5 AES finalists.
• 2000.04.13-14: Third AES Candidate Conference.
• 2000.05.15: End of comment period.
• 2000.10.02: NIST announces its selection of AES.
60
Image Sources

1. Introduction to Modern Cryptography by Jonathan Katz and Yehuda
Lindell
2. www.cybrary.it/0p3n/des-data-encryption-standard
3. https://www.commonlounge.com/discussion/e32fdd267aaa4240a4464723bc74d0a5
4. https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
61
Reading Assignments

1. Attacks on two-round and three-round DES (Section 6.2.3)
2. Triple encryption (Section 6.2.4)
62