Unit -2 Cryptography and Network Security

Stream Cipher
 A stream cipher is an encryption technique that works byte by byte to
transform plain text into code that's unreadable to anyone without the proper
key.
 Stream ciphers are linear, so the same key both encrypts and decrypts messages.
And while cracking them can be difficult.

Block Cipher
 A block cipher takes a block of plaintext bits and generates a block of ciphertext
bits, generally of same size.
 The size of block is fixed in the given scheme. A block cipher processes the data
blocks of fixed size. Typically, a message's size exceeds a block's size.
 As a result, the lengthy message is broken up into a number of sequential message
blocks, and the cipher operates on these blocks one at a time.

1
 Unit -2 Cryptography and Network Security

Design Principles of Block Cipher

1. Number of Rounds

The number of rounds judges the strength of the block cipher algorithm. It is considered
that more is the number of rounds, difficult is for cryptanalysis to break the algorithm.

It is considered that even if the function F is relatively weak, the number of rounds would
make the algorithm tough to break.

2. Design of Function F

The function F of the block cipher must be designed such that it must be impossible for
any cryptanalysis to unscramble the substitution. The criterion that strengthens the
function F is it non-linearity.

Key Schedule Algorithm

It is suggested that the key schedule should confirm the strict avalanche effect and bit
independence criterion.

Stream Cipher Vs Block Cipher

Stream Cipher Block Cipher

Converts the plain text into cipher text by Converts the plain text into cipher text by
taking 1 byte of plain text at a time. taking plain text’s block at a time.
Uses 8 bits. Uses either 64 bits or more than 64 bits.
The complexity is more complex The complexity simple
Reverse encrypted text is easy. Reverse encrypted text is hard.
Works on substitution techniques like Works on transposition techniques like rail-
Caesar cipher, polygram substitution fence technique, columnar transposition
cipher, etc. technique, etc.
Fast in comparison to block cipher. Slow as compared to a stream cipher.
Vernam Cipher is the main implementation Feistel Cipher is the most popular block
of Stream Cipher cipher implementation.
Relies on confusion only. Uses both confusion and diffusion.
The algorithm modes which are used in algorithm modes which are used in block
stream cipher are CFB (Cipher Feedback) cipher are ECB (Electronic Code Book)
and OFB (Output Feedback). and CBC (Cipher Block Chaining)

2
 Unit -2 Cryptography and Network Security

Confusion and Diffusion

Confusion
In confusion, the relationship between the data of the ciphertext and the value of the
encryption key is made difficult. The approach provides that the cipher text gives no clue
about the plaintext.

The main objective of confusion is to make it very complex to discover the key even if
one has most of the plaintext-ciphertext pairs created with the similar key and in this
regard, each bit of the Ciphertext should be based on the entire key and in several
methods on different bits of the key, changing one bit of the key should change the
Ciphertext completely.

Diffusion
The concept of diffusion is to hide the relationship among the ciphertext and the plain
text. This will create it complex for an attacker who tries to discover out the plain text
and it enhance the redundancy of plain text by spreading it across the rows and columns.

Diffusion means that if it can change an individual bit of the plaintext, therefore
(statistically) half of the bits in the ciphertext must change, and likewise, if it can alter
one bit of the ciphertext, thus relatively one half of the plaintext bits should alter.

Confusion Vs Diffusion

Confusion Diffusion
Obscure the relationship between the Spread the plaintext statistics through the
plaintext and ciphertext. cipher.
Confusion technique is possible through Diffusion technique is possible through
substitution algorithm. transportation algorithm
Confusion technique is used in both block Diffusion technique is only used in block
and stream cipher. cipher.
If a single bit in the key is changed, all the In case a symbol in the plaintext is
bits in the ciphertext will also have to be changed, several or all symbols in the
changed. cipher text will also have to be changed.
Confusion technique hides the relation Diffusion hides the relation between the
between the ciphertext and key. ciphertext and the plaintext.
Confusion technique results in increased Diffusion technique results in increased
vagueness. redundancy.
3
 Unit -2 Cryptography and Network Security

Structure of Block Cipher (Feistel Cipher)

Feistel Cipher is not a specific scheme of block cipher. It is a design model from which
many different block ciphers are derived. DES is just one example of a Feistel Cipher. A
cryptographic system based on Feistel cipher structure uses the same algorithm for both
encryption and decryption.

Encryption Process

The encryption process uses the Feistel structure consisting multiple rounds of processing
of the plaintext, each round consisting of a “substitution” step followed by a permutation
step.
Feistel Structure is shown in the following illustration –
Block Size= common 64 bit new algorithm uses 128 or 256 bits
Key size= common 64 bit new algorithm uses 128 or 256 bits

4
 Unit -2 Cryptography and Network Security

 The input block to each round is divided into two halves that can be denoted as L
and R for the left half and the right half.

 In each round, the right half of the block, R, goes through unchanged. But the left
half, L, goes through an operation that depends on R and the encryption key. First,
we apply an encrypting function ‘f’ that takes two input − the key K and R. The
function produces the output f(R,K). Then, we XOR the output of the
mathematical function with L.

 The permutation step at the end of each round swaps the modified L and
unmodified R. Therefore, the L for the next round would be R of the current
round. And R for the next round be the output L of the current round.
 The numbers of rounds are specified by the algorithm design. Once the last round
is completed then the two sub blocks, ‘R’ and ‘L’ are concatenated in this order to
form the ciphertext block.

 The difficult part of designing a Feistel Cipher is selection of round function ‘f’. In
order to be unbreakable scheme, this function needs to have several important
properties that are beyond the scope of our discussion.

Decryption Process

 The process of decryption in Feistel cipher is almost similar. Instead of starting

with a block of plaintext, the ciphertext block is fed into the start of the Feistel
structure and then the process thereafter is exactly the same as described in the
given illustration.

 The process is said to be almost similar and not exactly same. In the case of
decryption, the only difference is that the subkeys used in encryption are used in
the reverse order.

 The final swapping of ‘L’ and ‘R’ in last step of the Feistel Cipher is essential. If
these are not swapped then the resulting ciphertext could not be decrypted using
the same algorithm.
5
 Unit -2 Cryptography and Network Security

The Data Encryption Standard (DES)

 The Data Encryption Standard (DES) is a symmetric-key block cipher published
by the National Institute of Standards and Technology (NIST).

 DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure.

The block size is 64-bit.

 Though, key length is 64-bit, DES has an effective key length of 56 bits, since 8 of
the 64 bits of the key are not used by the encryption algorithm (function as check
bits only). General Structure of DES is depicted in the following illustration.

6
 Unit -2 Cryptography and Network Security

Initial and Final Permutation

The initial and final permutations are straight Permutation boxes (P-boxes) that are
inverses of each other. They have no cryptography significance in DES. The initial and
final permutations are shown as follows −

 In the first step, the 64-bit plain text block is handed over to an initial
Permutation (IP) function.

 The initial permutation is performed on plain text.

 Next, the initial permutation (IP) produces two halves of the permuted block;
saying Left Plain Text (LPT) and Right Plain Text (RPT).

 Now each LPT and RPT go through 16 rounds of the encryption process.

 In the end, LPT and RPT are rejoined and a Final Permutation (FP) is performed
on the combined block

 The result of this process produces 64-bit ciphertext.

7
 Unit -2 Cryptography and Network Security

Single Round Function in DES

After the initial permutation, we had two 32-bit plain text areas called Left Plain
Text(LPT) and Right Plain Text(RPT).

During the expansion permutation, the RPT is expanded from 32 bits to 48 bits. Bits are
permuted as well hence called expansion permutation. This happens as the 32-bit RPT is
divided into 8 blocks, with each block consisting of 4 bits. Then, each 4-bit block of the
previous step is then expanded to a corresponding 6-bit block, i.e., per 4-bit block, 2 more
bits are added.

8
 Unit -2 Cryptography and Network Security

This process results in expansion as well as a permutation of the input bit while
creating output. Then the expansion permutation process expands the 32-bit
RPT to 48-bits. Now the 48-bit key is XOR with 48-bit RPT and the resulting output
is given to the next step, which is the S-Box substitution.

The role of the S-boxes

The role of the S-boxes in the function F is that the substitution includes a group of eight
S-boxes. Each of which take 6 bits as input and creates 4 bits as output

9
 Unit -2 Cryptography and Network Security

The first and last bits of the input to box Si form a 2-bit binary number to choose one of
four substitutions represented by the four rows in the table for Si.
The middle four bits choose one of the sixteen columns. The decimal value in the cell
chosen by the row and column is then transformed to its 4-bit description to make the
output. For instance, in S1, for input 011001, the row is 01 and the column is 1100.The
value in row 1, column 12 is 9, therefore the output is 1001.

Key transformation in DES

The process of generating keys is as follows

 The round key generator produces sixteen 48-bit keys out of a 56-bit cipher key.
The cipher key is provided as 64 bit key in which 8 extra bits are parity bits, which
are discarded before the actual key generation process begins.
 The parity bit process drops the parity bits (bit 8, 16, 24, 32…64) from the 64-bit
key and permutes the remaining bit according to the pre-defined rules as display in
the parity bit drop table below.

 These remaining 56 bits are generally used for key generation.

 After the permutation, the keys are divided into two 28 bits parts. Each part is
changed left one or two bits is depend on the rounds.
 In round 1, 2, 9, and 16 shifting is one bit and in the other rounds it is two bits.
The two parts are integrated to build a 56 bit part.
 After an appropriate shift, 48 of the 56 bits are selected
 Thus the compression D-box transform it into 48 bit. These 48 bits are being
utilized as a key for a round. Since the key transformation process involves

10
 Unit -2 Cryptography and Network Security

permutation as well as a selection of a 48-bit subset of the original 56-bit key it

is called Compression Permutation.

 Because of this compression permutation technique, a different subset of key

bits is used in each round. That makes DES not easy to crack.

11
 Unit -2 Cryptography and Network Security

Advanced Encryption Standard (AES)

The more popular and widely adopted symmetric encryption algorithm likely to be
encountered nowadays is the Advanced Encryption Standard (AES). The Rijndael
proposal for AES defined a cipher in which the block length and the key length can be
independently specified to be 128,192 or 256 bits.

Characteristics

 Resistance against all known attacks

 Speed and code compactness on a wide range platform
 Design Simplicity

It is based on ‘substitution–permutation network’. It comprises of a series of linked

operations, some of which involve replacing inputs by specific outputs (substitutions) and
others involve shuffling bits around (permutations).
AES performs all its computations on bytes rather than bits. Hence, AES treats the 128
bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and
four rows for processing as a matrix.

12
 Unit -2 Cryptography and Network Security

General Structure of AES

13
 Unit -2 Cryptography and Network Security

Encryption Process

Each round comprise of four sub-processes. The single round process is shown in the
following figure.

14
 Unit -2 Cryptography and Network Security

AddRoundKey Transformation

The 128 bits of State are bitwise XORed with the 128 bits of the round key. The
operation is viewed as a column wise operation between the 4 bytes of a State column
and one word of the round key; it can also be viewed as a byte-level
operation. The following is an example of AddRoundKey:

The key that is provided as input is expanded into an array of forty-four bit words, for distinct
words(128 bits) serve as round key for each round.

15
 Unit -2 Cryptography and Network Security

Substitute Bytes Transformation

 Sub Bytes, is a simple table lookup, AES defines a 16 * 16 matrix of byte

values, called an S-box that contains a permutation of all possible 256 8-bit
values.
 Each individual byte of State is mapped into a new byte in the following
way: The leftmost 4 bits of the byte are used as a row value and the rightmost 4
bits are used as column value.
 These row and column values serve as indexes into the S- box to select a unique 8 bit
output value.
 For example, the hexadecimal value3 {95} references row 9, column 5

16
 Unit -2 Cryptography and Network Security

Substitute byte transformation example

Shift Rows Transformation

Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-
inserted on the right side of row. Shift is carried out as follows −
 First row is not shifted.
 Second row is shifted one (byte) position to the left.
 Third row is shifted two positions to the left.
 Fourth row is shifted three positions to the left.
 The result is a new matrix consisting of the same 16 bytes but shifted with respect
to each other.

Mix Columns Transformation

 Each column of four bytes is now transformed using a special mathematical

function. This function takes as input the four bytes of one column and outputs
four completely new bytes, which replace the original column. The result is
another new matrix consisting of 16 new bytes.

17
 Unit -2 Cryptography and Network Security

The MixColumns transformation on a single column of State can be expressed as

Decryption Process
The process of decryption of an AES ciphertext is similar to the encryption process in the
reverse order. Each round consists of the four processes conducted in the reverse order −

 Add round key

 Mix columns
 Shift rows
 Byte substitution

18
 Unit -2 Cryptography and Network Security

Since sub-processes in each round are in reverse manner, unlike for a Feistel Cipher, the
encryption and decryption algorithms need to be separately implemented, although they
are very closely related.

Avalanche Effect
A slight change in either the key or the plain-text should result in a significant change
in the cipher-text. This property is termed as avalanche effect. It quantifies the effect
on the cipher-text with respect to the small change made in plain text or the key.
Avalanche effect is considered as one of the desirable property of any encryption
algorithm.

Changing 1.5% of the palintext creates changes of approximately 45% in the cipher
text.

AES Vs DES

AES DES
AES stands for Advanced Encryption DES stands for Data Encryption Standard
Standard
Byte-Oriented. Bit-Oriented.
Key length can be 128-bits, 192-bits, and The key length is 56 bits in DES.
256-bits
Number of rounds depends on key length: DES involves 16 rounds of identical
10(128-bits), 12(192-bits), or 14(256-bits) operations
The structure is based on a substitution- The structure is based on a Feistel network.
permutation network.
AES is more secure than the DES cipher DES can be broken easily as it has known
vulnerabilities.
The rounds in AES are: Byte Substitution, The rounds in DES are: Expansion, XOR
Shift Row, Mix Column and Key Addition operation with round key, Substitution and
Permutation
AES can encrypt 128 bits of plaintext. DES can encrypt 64 bits of plaintext.
It can generate Ciphertext of 128, 192, 256 It generates Ciphertext of 64 bits.
bits.

19