Post on 28-Sep-2020
160702 – Information Security (IS) UNIT-2 Conventional Encryption Techniques
Darshan Institute of Engineering & Technology Page 1
Q 1. Draw and explain Feistel’s structure for encryption and decryption. The exact realization of Feistel
network depends on the choice of which parameters?
A Feistel cipher is based on the idea that, instead of using an ideal block cipher, which is impractical in terms of performance, a “substitution-permutation network” can be used.
Feistel Cipher Encryption
The inputs to the encryption algorithm are a plaintext block of length b bits and a key K.
The plaintext block is divided into two halves.
The two halves of the data pass through rounds of processing and then combine to produce
the ciphertext block.
Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki derived from the overall key K.
Any number of rounds could be implemented and all rounds have the same structure.
A substitution is performed on the left half of the data. This is done by applying a round
function F.
The Round Function F: F takes right-half block of previous round and a subkey as input.
The output of the function is XORed with the left half of the data.
Left and right halves are then swapped.
Feistel Cipher Decryption
The process of decryption with a Feistel cipher is the same as the encryption process.
The ciphertext is input to the algorithm and the subkeys are used in reverse order. That is,
subkey of the last round in encryption is used in the first round in decryption, second last in
the second round, and so on.
The exact realization of a Feistel network depends on the choice of the following parameters:
Block size: Larger block sizes mean greater security but reduced encryption/decryption speed
for a given algorithm. Traditionally, a block size of 64 bits is used which gives enough security
without greatly affecting the speed.
Key size: Larger key size means greater security but may decrease encryption/ decryption
speed. The greater security is achieved by greater resistance to brute-force attacks and greater
confusion. Key sizes of 64 bits or less are now widely considered to be inadequate, and 128
bits has become a common size.
Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate
security but that multiple rounds offer increasing security. A typical size is 16 rounds.
Sub key generation algorithm: Greater complexity in this algorithm leads to greater difficulty
of cryptanalysis.
Round function F: Again, greater complexity generally means greater resistance to
cryptanalysis.
There are two other considerations in the design of a Feistel cipher:
Fast software encryption/decryption: In many cases, encryption is embedded in applications as software. Accordingly, the speed of execution of the algorithm becomes a concern.
Ease of analysis: Although we would like to make our algorithm as difficult as possible to cryptanalyze, there is great benefit in making the algorithm easy to analyze, since it is then easier to assess its cryptanalytic strength.
Q 2. Write a note on block cipher design principles.
The following criteria need to be taken into account when designing a block cipher:
Number of Rounds: The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a weak round function. The number of rounds is chosen so that the effort required to cryptanalyze the cipher is greater than that of a simple brute-force attack.
Design of Function F: F should be nonlinear and should satisfy strict avalanche criterion (SAC)
and bit independence criterion (BIC).
S-Box Design: The S-box obviously should be non-linear and should satisfy SAC, BIC and the guaranteed avalanche criterion. One more obvious characteristic of an S-box is its size. Larger S-boxes provide good diffusion but also result in larger look-up tables; hence the usual size is 8 to 10.
Key Generation Algorithm: With any Feistel block cipher, the key is used to generate one sub key for each round. In general, sub keys should be selected such that it is difficult to deduce sub keys from one another or the main key from a sub key.
Q 3. Explain the following algorithms in detail:
a) Data Encryption Standard(DES)
b) Double and Triple DES
c) International Data Encryption Algorithm(IDEA)
d) Blowfish
e) RC-5
f) RC-2
g) CAST-128
Data Encryption Standard (DES)
DES encrypts 64-bit blocks using a 56-bit key and produces a 64-bit ciphertext.
The same steps, with the same key, are used to reverse the encryption with the order of the
keys reversed.
The DES is widely used.
DES Encryption
The DES encryption is shown in the figure below:
Encryption function has two inputs: the plaintext to be encrypted and the key.
The processing of the plaintext proceeds in three phases.
o The 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to
produce the permuted input.
o The permuted output is then passed through sixteen rounds of the same function, which
involves both permutation and substitution functions. The left and right halves from the
last round are swapped to produce preoutput.
o The preoutput is passed through a permutation that is the inverse of the initial
permutation function, to produce the 64-bit cipher text.
The right-hand portion of the figure shows the way in which the 56-bit key is used.
o Initially, the key is passed through a permutation function.
o Then, a sub key (ki) is produced for each of the sixteen rounds by the combination of a left circular shift and a permutation.
o The permutation function is the same for each round, but a different sub key is produced
because of the repeated shifts of the key bits.
Initial Permutation
The initial permutation and its inverse are defined by tables.
The tables are to be interpreted as follows.
o The input to a table consists of 64 bits numbered from 1 to 64.
o The 64 entries in the permutation table contain a permutation of the numbers from 1 to
64.
o Each entry in the permutation table indicates the position of an input bit in the output.
Inverse permutation table nullifies the effect of initial permutation.
Details Of Single Round
The figure shows the internal structure of a single round.
The left and right halves are treated as separate 32-bit quantities, labeled L (left) and R (right).
The overall processing at each round can be summarized as:
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
The round function F(Ri-1, Ki) is computed in three steps: expansion, substitution and permutation.
Expansion: The 32-bit input is first expanded to 48 bits.
o The 32 input bits are split into groups of 4 bits.
o Each group is extended to 6 bits by borrowing the outer bit of each of the two adjacent groups. For example,
... efgh ijkl mnop ... is expanded to
... defghi hijklm lmnopq ...
The resulting 48 bits are XORed with Ki.
Substitution: This 48-bit result is input to the S-boxes, which perform a substitution and produce a 32-bit output.
o DES consists of a set of eight S-boxes.
o Each S-Box takes 6 bits as input and produces 4 bits as output.
o The first and last bits of the input to box form a 2-bit binary number which gives the
binary value of row number.
o The middle four bits select one of the sixteen columns.
o The decimal value in the cell selected by the row and column is then converted to its
4-bit binary number to produce the output.
o For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100
(column 12).The value in row 1, column 12 is 9, so the output is 1001.
Permutation: The 32-bit result is then permuted using a permutation table (P).
Key Generation: A 64-bit key is used as input to the algorithm while only 56 bits are actually
used. Every eighth bit is ignored. Sub-keys at each round are generated as given below:
o The key is first permuted using a table named Permuted Choice One.
o The resulting 56-bit key is divided into two 28-bit quantities, C0 and D0. At each round, Ci-1 and Di-1 are separately subjected to a circular left shift of 1 or 2 bits, as governed by a table.
o These shifted values are forwarded to the next round. They are also input to a permutation table, Permuted Choice Two.
o The table produces a 48-bit output that serves as the round key ki.
DES Decryption
Decryption in DES is the same as encryption, except that the subkeys are used in reverse order.
Strength of DES
The Use of 56-Bit Keys
DES was developed from LUCIFER, which used 128-bit keys.
As a result, DES, with its 56-bit key length, is considered insecure; key-search devices have been proposed time and again, showing that DES is no longer secure.
The Nature of the DES
The only non-linear part of DES is the S-boxes, the design rationale of which was not made public.
If someone is able to find a weakness in the S-boxes, then an attack on DES is possible.
Characteristics of the algorithm can be exploited, as the rest of the algorithm is based on linear functions.
Algorithm Timing Attacks
In this type of attack, the attacker exploits the fact that an implementation of an algorithm takes different amounts of time for different data.
Double DES
DES is vulnerable to a brute-force attack, so various alternatives have been considered, one of which is multiple encryption.
The simplest form of multiple encryption has two encryption stages and two keys and is known as Double DES.
Given a plaintext P and two encryption keys K1 and K2, cipher text C is generated as:
C = E(K2, E(K1, P))
Decryption applies keys in reverse order:
P = D(K1, D(K2, C))
This scheme involves a key length of 56 * 2 = 112 bits, making a brute-force attack impractical.
However, other types of attacks are possible:
o Reduction to a Single Stage: If it were possible to find a key K3 such that
E(K2, E(K1, P)) = E(K3, P)
then double encryption, or any number of stages of multiple encryption with DES, would be useless because the result would be equivalent to a single encryption with a single 56-bit key. However, it has been shown that no such key exists.
o Meet-In-The-Middle Attack: This attack is based on the observation that if
C = E(K2, E(K1, P)), then
X = E(K1, P) = D(K2, C)
Given a known (P, C) pair, the attack proceeds as follows:
First, encrypt P for all 2^56 possible values of K1.
Store these results in a table and then sort the table by the values of X.
Decrypt C using all 2^56 possible values of K2.
Check the result against the table for a match after every decryption.
If a match occurs, then test the two resulting keys against a new known plaintext–ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys.
For any given plaintext, 2^48 false alarms are possible, since there are only 2^64 ciphertext values whereas there are 2^112 key values. Thus, the order of the attack can be reduced to 2^48 instead of 2^112.
Triple DES
Triple DES with Two Keys
An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three or two different keys.
The function follows an encrypt-decrypt-encrypt (EDE) sequence.
C = E(K1, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K1, C)))
3DES with two keys is a relatively popular alternative to DES.
Currently, there are no practical cryptanalytic attacks on 3DES.
Brute-force key search on 3DES is on the order of 2^112, and the cost of differential cryptanalysis also grows exponentially compared to single DES.
Several proposed attacks (though impractical) on 3DES are:
o Chosen-plaintext attack: Find plaintext values that give A = 0 (A being the intermediate value after the first encryption stage). Then, use the meet-in-the-middle attack to determine the two keys. However, this attack requires 2^56 chosen plaintext–ciphertext pairs, which is impractical.
o Known-plaintext attack: This method does not require chosen plaintext–ciphertext pairs but requires more effort. The attack is based on the observation that if an attacker knows A and C, then the problem reduces to that of an attack on double DES. The attack is as follows:
The attacker obtains n (P, C) pairs and places them in Table 1, sorted on the values of P.
For an arbitrary value a for A, calculate, for each possible key i, the plaintext value that produces it:
Pi = D(i, a)
For each Pi that matches an entry in Table 1, create an entry in Table 2 that contains the value i of K1 and the value B obtained by decrypting the corresponding ciphertext from Table 1:
B = D(i, C)
Table 2 contains a number of candidate values of K1. Now, for each of the 2^56 possible values of K2, calculate the second intermediate value for our chosen value of a:
Bj = D(j, a)
At each step, look up Bj in Table 2. If there is a match, then the corresponding key i from
Table 2 plus this value of j are candidate values for the unknown keys (K1, K2).
Test each candidate pair of keys on a few other plaintext–cipher text pairs. If a pair of
keys produces the desired cipher text, the task is complete.
If no pair succeeds, repeat from step 1 with a new value of a.
Triple DES with Three Keys
Although the attacks just described appear impractical, anyone using two-key 3DES may feel
some concern.
In that case, three-key 3DES is the preferred alternative.
Three-key 3DES has an effective key length of 168 bits and is defined as:
C = E(K3, D(K2, E(K1, P)))
Backward compatibility with DES is provided by setting K3 = K2 or K1 = K2.
A number of Internet-based applications have adopted three-key 3DES, including PGP and
S/MIME.
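The Feistel structure of Q 1 (same rounds for encryption and decryption, subkeys reversed) and the EDE construction of this section, as an added example that is not part of the notes. The cipher is a 16-bit toy with a constructed round function and key schedule, written only to make the structure visible; it offers no security.

```python
# Added example (not from the notes): a 16-bit toy Feistel cipher with 8-bit halves.
# The round function and key schedule are constructed for illustration only.
ROUNDS = 4

# DES S1, row 0, reused here as a 4-bit S-box inside the toy round function.
SBOX4 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]


def round_keys(key: int, rounds: int = ROUNDS) -> list:
    """Subkey schedule (constructed): rotate the 16-bit key left by 3 and take the low byte."""
    subkeys = []
    for _ in range(rounds):
        key = ((key << 3) | (key >> 13)) & 0xFFFF
        subkeys.append(key & 0xFF)
    return subkeys


def F(right: int, subkey: int) -> int:
    """Round function: XOR the subkey, substitute both nibbles, rotate. It need not be invertible."""
    x = (right ^ subkey) & 0xFF
    x = (SBOX4[x >> 4] << 4) | SBOX4[x & 0xF]
    return ((x << 3) | (x >> 5)) & 0xFF


def feistel(block: int, subkeys) -> int:
    """Rounds L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i); the final swap is undone as in DES."""
    left, right = block >> 8, block & 0xFF
    for k in subkeys:
        left, right = right, left ^ F(right, k)
    return (right << 8) | left


def encrypt(key: int, block: int) -> int:
    return feistel(block, round_keys(key))


def decrypt(key: int, block: int) -> int:
    # Identical rounds and structure; only the subkey order is reversed.
    return feistel(block, round_keys(key)[::-1])


# Triple encryption in encrypt-decrypt-encrypt form, as in the 3DES section.
def ede_encrypt(k1: int, k2: int, k3: int, block: int) -> int:
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))


def ede_decrypt(k1: int, k2: int, k3: int, block: int) -> int:
    return decrypt(k1, encrypt(k2, decrypt(k3, block)))


if __name__ == "__main__":
    p, k = 0xBEEF, 0x1234          # constructed sample plaintext and key
    c = encrypt(k, p)
    print(f"E({k:#06x}, {p:#06x}) = {c:#06x}; D recovers {decrypt(k, c):#06x}")
    # With K3 = K2 the middle D cancels the last E, so EDE collapses to a single encryption under K1.
    print("EDE with K3 = K2 equals single encryption:", ede_encrypt(k, 0xABCD, 0xABCD, p) == c)
```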
International Data Encryption Algorithm (IDEA)
Features
IDEA is publicly known and easily understandable.
Due to the simplicity of the operations used in this algorithm, it can be economically implemented in electronic components. As a result, its hardware implementation is extremely fast and cheap and consumes little power.
A distinct feature of this algorithm is that it completely avoids look-up tables and S-Boxes.
To avoid fraud and piracy, this algorithm is patent protected.
This algorithm uses operations from three different algebraic groups: bitwise X-OR, addition modulo 2^16 and multiplication modulo 2^16 + 1.
IDEA supports all the modes of operation.
Encryption
IDEA is a block cipher with input of 64-bits.
Key size is 128-bits.
Encryption consists of eight identical rounds also known as encryption rounds followed by one
output transformation round.
Input is divided into four 16-bit blocks. Two blocks are combined with two 16-bit key blocks using addition modulo 2^16 and the other two plaintext blocks are combined with key blocks using multiplication modulo 2^16 + 1.
Two more 16-bit key blocks are used in modulo multiplication and addition as shown in the
figure.
At the end of the first round, four 16-bit values are produced which are input to the next
round.
The same process is repeated 7 more times using a different key-block every time.
During the subsequent output transformation, the four 16-bit values produced at the end of the 8th encryption round are combined with the last four of the 52 key sub-blocks using addition modulo 2^16 and multiplication modulo 2^16 + 1 to form the resulting four 16-bit ciphertext blocks.
Figure: IDEA Encryption
Decryption
Decryption is the same as encryption except that different key-blocks are used.
Key Generation
A total of 52 (6 keys in each of the first eight rounds and 4 keys in the last round) different 16-bit sub-blocks have to be generated from the 128-bit key.
Encryption Keys: The fifty-two 16-bit key sub-blocks are generated from the 128-bit key as given below:
o The 128-bit key is partitioned into eight 16-bit sub-blocks. These are directly used as the first eight key sub-blocks.
o The 128-bit key is cyclically shifted to the left by 25 positions. The resulting 128-bit block is again partitioned into eight 16-bit sub-blocks to be used as the next eight key sub-blocks.
o The cyclic shift procedure described above is repeated until all of the required fifty-two 16-bit key sub-blocks have been generated.
Round  Encryption keys                        Decryption keys
1      Z1(1) Z2(1) Z3(1) Z4(1) Z5(1) Z6(1)    Z1(9)^-1  -Z2(9)  -Z3(9)  Z4(9)^-1  Z5(8)  Z6(8)
2      Z1(2) Z2(2) Z3(2) Z4(2) Z5(2) Z6(2)    Z1(8)^-1  -Z3(8)  -Z2(8)  Z4(8)^-1  Z5(7)  Z6(7)
3      Z1(3) Z2(3) Z3(3) Z4(3) Z5(3) Z6(3)    Z1(7)^-1  -Z3(7)  -Z2(7)  Z4(7)^-1  Z5(6)  Z6(6)
4      Z1(4) Z2(4) Z3(4) Z4(4) Z5(4) Z6(4)    Z1(6)^-1  -Z3(6)  -Z2(6)  Z4(6)^-1  Z5(5)  Z6(5)
5      Z1(5) Z2(5) Z3(5) Z4(5) Z5(5) Z6(5)    Z1(5)^-1  -Z3(5)  -Z2(5)  Z4(5)^-1  Z5(4)  Z6(4)
6      Z1(6) Z2(6) Z3(6) Z4(6) Z5(6) Z6(6)    Z1(4)^-1  -Z3(4)  -Z2(4)  Z4(4)^-1  Z5(3)  Z6(3)
7      Z1(7) Z2(7) Z3(7) Z4(7) Z5(7) Z6(7)    Z1(3)^-1  -Z3(3)  -Z2(3)  Z4(3)^-1  Z5(2)  Z6(2)
8      Z1(8) Z2(8) Z3(8) Z4(8) Z5(8) Z6(8)    Z1(2)^-1  -Z3(2)  -Z2(2)  Z4(2)^-1  Z5(1)  Z6(1)
9      Z1(9) Z2(9) Z3(9) Z4(9)                Z1(1)^-1  -Z2(1)  -Z3(1)  Z4(1)^-1
Here Zi(r) is the i-th 16-bit key sub-block of round r, Z^-1 is the multiplicative inverse modulo 2^16 + 1 and -Z is the additive inverse modulo 2^16.
Decryption keys: Each of the 52 16-bit key sub-blocks used for decryption is either the multiplicative inverse (modulo 2^16 + 1) or the additive inverse (modulo 2^16) of a key sub-block used during encryption, or (for Z5 and Z6) the encryption sub-block itself.
Also, the key sub-blocks must be used in the reverse order during decryption.
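The key schedule above (eight sub-blocks per 25-bit rotation, 52 in total) and the decryption-key table, applied in code. This is an added example, not code from the notes or from the IDEA specification; the 128-bit key value is constructed for the demonstration.

```python
# Added example (not from the notes): IDEA sub-key generation and derivation of the
# decryption sub-keys from the encryption sub-keys, following the table above.
KEY_BITS = 128
MOD_ADD = 1 << 16            # addition is modulo 2^16
MOD_MUL = (1 << 16) + 1      # multiplication is modulo 2^16 + 1; the 16-bit value 0 stands for 2^16


def idea_mul(a: int, b: int) -> int:
    """IDEA multiplication: 0 represents 2^16, so every 16-bit value has an inverse (the modulus is prime)."""
    a = a or MOD_ADD
    b = b or MOD_ADD
    return (a * b) % MOD_MUL % MOD_ADD       # a result of 2^16 maps back to the encoding 0


def mul_inv(x: int) -> int:
    """Multiplicative inverse modulo 2^16 + 1, in the same 0 == 2^16 convention (Fermat: x^(p-2))."""
    x = x or MOD_ADD
    return pow(x, MOD_MUL - 2, MOD_MUL) % MOD_ADD


def add_inv(x: int) -> int:
    """Additive inverse modulo 2^16."""
    return (-x) % MOD_ADD


def encryption_subkeys(key: int) -> list:
    """Take eight 16-bit sub-blocks, rotate the key left by 25 bits, repeat until 52 are produced."""
    mask = (1 << KEY_BITS) - 1
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(key >> (KEY_BITS - 16 * (i + 1))) & 0xFFFF for i in range(8)]
        key = ((key << 25) | (key >> (KEY_BITS - 25))) & mask
    return subkeys[:52]


def decryption_subkeys(enc: list) -> list:
    """Apply the table: Z1/Z4 take multiplicative inverses, Z2/Z3 additive inverses (swapped in
    rounds 2 to 8), and Z5/Z6 are reused unchanged from the preceding encryption round."""
    def Z(r: int, i: int) -> int:           # Z_i^(r): i-th sub-key of encryption round r (1-based)
        return enc[6 * (r - 1) + (i - 1)]

    dec = [mul_inv(Z(9, 1)), add_inv(Z(9, 2)), add_inv(Z(9, 3)), mul_inv(Z(9, 4)), Z(8, 5), Z(8, 6)]
    for r in range(2, 9):
        s = 10 - r                          # encryption round whose keys feed decryption round r
        dec += [mul_inv(Z(s, 1)), add_inv(Z(s, 3)), add_inv(Z(s, 2)), mul_inv(Z(s, 4)),
                Z(s - 1, 5), Z(s - 1, 6)]
    dec += [mul_inv(Z(1, 1)), add_inv(Z(1, 2)), add_inv(Z(1, 3)), mul_inv(Z(1, 4))]
    return dec


if __name__ == "__main__":
    KEY = 0x00010002000300040005000600070008   # constructed sample key
    enc = encryption_subkeys(KEY)
    dec = decryption_subkeys(enc)
    print("first eight encryption sub-keys:", [hex(z) for z in enc[:8]])
    print("after one 25-bit rotation:      ", [hex(z) for z in enc[8:16]])
    print("round-1 decryption sub-keys:    ", [hex(z) for z in dec[:6]])
```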
Blowfish
Blowfish is a symmetric block cipher algorithm which is public domain, secure and lightweight.
Notable features of Blowfish include key-dependent S-boxes and a highly complex key schedule.
The algorithm is fast, has a very low memory requirement and uses simple operations that are efficient on microprocessors.
This algorithm is suitable for applications where the key does not change often, as the key schedule is highly complex and time consuming.
This algorithm has no linear structure and hence is more secure against cryptanalysis.
There is no effective cryptanalysis of the full-round version of Blowfish.
It uses bitwise X-OR, addition modulo 2^32 and S-box look-ups.
Encryption
The encryption process is shown in the figure below:
The algorithm takes a 64-bit input and uses a key varying from 32 to 448 bits.
The sub keys are precomputed.
Input is divided into two halves. The left half is X-ORed with the first element of the P-array, P1, and the right half is X-ORed with the output of the round function applied to that left half.
Left and right halves are then swapped to give left and right halves that are fed to the next
round.
Same process is repeated 16 times.
The left output of the 16th round is X-ORed with P18 and the other output is X-ORed with P17.
The result is then combined to produce 64-bit cipher text.
Round Function
The function divides a 32-bit input into four groups of 8 bits.
Each group is input to an S-Box which takes in 8-bit input and gives out 32-bit output.
The outputs of the S-boxes are then combined by addition modulo 2^32 and X-OR, as shown in the figure below, to produce the output.
Generating the Sub keys
The P-array and S-array values used by Blowfish are precomputed based on the user's key.
After computing the P and S arrays, the user's key may be discarded.
The P-array and S-array need to be recomputed only when the key changes and they must be
kept secret.
The sub keys are calculated using the Blowfish algorithm:
1) Initialize first the P-array and then the four S-boxes with the hexadecimal digits of pi (excluding the initial 3).
2) XOR P1 with the first 32 bits of the key, XOR P2 with the second 32-bits of the key, and so
on for all bits of the key.
3) Repeatedly cycle the key bits until the entire P-array has been XORed with key bits.
4) Encrypt an all-zero 64-bit block with the Blowfish algorithm, using the sub keys described in steps (1) and (2).
5) Replace P1 and P2 with the output of step (4).
6) Encrypt the output of step (4) using the Blowfish algorithm with the modified sub keys.
7) Replace P3 and P4 with the output of step (6).
8) Continue the process, replacing all entries of the P array, and then all four S-boxes.
RC-2
RC-2 has a very simple design and is 3 times faster than DES.
This algorithm does not use S-boxes.
This algorithm is used in S/MIME.
This algorithm has a total of 18 rounds – 16 mixing rounds and 2 mashing rounds.
RC-2 is a 64-bit block cipher with a variable key size of 8–128 bits in 8-bit increments. The default size is 64 bits.
RC-2 Encryption
The 64-bit input is split into four 16-bit words, R[0], R[1], R[2], R[3].
Key is expanded to get 64 16-bit words, K[0], K[1],…, K[63].
Initialize a variable j to 0.
Perform 5 mixing rounds followed by 1 mashing round. This is followed by 6 more mixing rounds, then 1 mashing round and again 5 mixing rounds.
Each mixing round uses 4 key words, while the key words used by a mashing round are selected by the data and so vary from encryption to encryption.
Mixing round
One-fourth part of a mixing round is shown in the figure below. When this process is repeated
four times, a single mixing round is completed.
The mix operation adds a combination of other data words and one keyword to each data
word.
The operations of a mixing round can be given by the expressions below (indices of R are taken modulo 4):
R[i] = R[i] + K[j] + (R[i-1] & R[i-2]) + (~R[i-1] & R[i-3])
R[i] = R[i] <<< S[i]; circular left shift by S[i] bits
j = j + 1
Mashing round
The mashing operation selects four key words, indexed by the current values of the data words (hence not fixed in advance), and adds them to the data words.
A mash operation can be expressed as:
R[i] = R[i] + K[R[i-1] % 64]
Decryption
Decryption is just the reverse of encryption.
Decryption uses the reverse encryption operations and has R-mixing and R-mashing rounds.
R-mixing round
j is initialized to 63.
This round can be expressed as:
R[i] = R[i] >>> S[i]; circular right shift by S[i] bits
R[i] = R[i] – K[j] – (R[i-1] & R[i-2]) – (~R[i-1] & R[i-3])
j = j - 1
R-mashing round
The expression for this round is:
R[i] = R[i] – K[R[i-1] % 64]
A related-key attack has been proposed for RC-2. However, it needs 2^34 chosen plaintexts and hence is impractical, so RC-2 is secure at least in the near future.
RC-5
RC-5 has a variable block size (32, 64 or 128 bits), key size (0–2040 bits) and number of rounds (0–255).
The most common values for block size, key size and number of rounds are 64 bits, 128 bits and 12 respectively.
This algorithm is very fast and has a low memory requirement.
This algorithm has a data dependent rotation which strengthens the algorithm against
cryptanalysis.
Operations used in the algorithm are rotation, X-OR, and addition and subtraction modulo 2^w (w being the word size in bits).
Encryption
The data block is divided into two w-bit words, A (left) and B (right).
The left and right halves are added with S[0] and S[1] respectively.
Each half is then subjected to the following round operations:
o X-OR with other half.
o Rotate data (left/ right half) based on the other half.
o Add subsequent S-array element.
A single encryption round and the initial addition is shown below.
The entire encryption algorithm can be depicted by the following expressions:
A = A + S[0]
B = B + S[1]
for i = 1 to r (r = number of rounds)
A = ((A ⊕ B) <<< B) + S[2*i]; <<< B is a circular left shift by B
B = ((B ⊕ A) <<< A) + S[2*i + 1]
Decryption
Decryption is just the reverse of encryption and can be expressed as:
for i = r to 1 (r = no of rounds)
B = ((B – S[2*i + 1]) >>> A) ⊕ A; >>> A is a circular right shift by A
A = ((A – S[2*i]) >>> B) ⊕ B
B = B - S[1]
A = A - S[0]
Key expansion
The user's secret key is expanded to fill an S-array of size t = 2(r + 1).
Define the magic constants Pw and Qw, where Odd(x) is the odd integer nearest to x:
Pw = Odd((e – 2) 2^w); e = 2.71 (base of natural logarithms)
Qw = Odd((φ – 1) 2^w); φ = 1.61 (golden ratio)
Convert the secret key K[0] to K[b-1] from bytes to words and copy it into L-array, L[0] to L[c-
1]. b is the size of key in bytes and c is the size of L-array obtained by dividing the key size by
number of bytes in a word.
Initialize the S-array in the following way:
S[0] = Pw
for i = 1 to (t-1)
S[i] = S[i-1] + Qw
Mix the secret key into the S-array and L-array:
i = j = 0
A = B = 0
repeat 3 * max(t, c) times
A = S[i] = (S[i] + A + B) <<< 3; <<< 3 denotes a circular left shift by 3 bits
B = L[j] = (L[j] + A + B) <<< (A + B)
i = (i + 1) mod t
j = (j + 1) mod c
12-round RC-5 is prone to a differential attack, but it needs 2^44 chosen cipher texts and is hence impractical.
Generally, for greater security RC-5 with 18 to 20 rounds is used.
CAST-128
CAST-128 is a 64-bit block cipher and it supports a variable key size (40–128 bits in 8-bit increments, i.e. 40, 48, 56 and so on).
Components include large 8×32-bit S-boxes, key-dependent rotations, modular addition and
subtraction, and XOR operations.
There are three alternating types of round function which are similar in structure but differ
only in the choice of the exact operation (addition, subtraction or XOR) at various points.
CAST-128 is a 12 or 16-round Feistel network. If key size is less than 80 bits, 12 rounds are
used else full 16 rounds are used.
CAST-128 is a cryptographically-strong, freely-available encryption algorithm.
Encryption
The CAST-128 encryption is shown in the figure:
Compute 16 pairs of sub keys {Kmi, Kri} from K.
Split the plaintext into left and right 32-bit halves.
There are 3 different rounds which are repeated alternately and the data halves are processed
in the following way.
Li = Ri-1
Ri = Li-1 ^ f(Ri-1,Kmi,Kri) , where f is round function.
Swap the left and right halves obtained from the final round. These are combined to form
cipher text.
Decryption is the same as encryption except that the rounds are used in reverse order.
Key Generation
CAST-128 key generation includes splitting the input key and passing it through a large series of S-box look-ups.
CAST-128 uses a pair of sub keys per round: a 32-bit quantity Km is used as a "masking" key
and a 5-bit quantity Kr is used as a "rotation" key.
Variable Key size: The CAST-128 encryption algorithm has been designed to allow a key size
that can vary from 40 bits to 128 bits. The specifications for the use of variable key size are as
follows:
o For key sizes up to and including 80 bits (i.e., 40, 48, … 72, 80 bits), the algorithm uses 12 rounds instead of 16.
o For key sizes greater than 80 bits, the algorithm uses the full 16 rounds.
o For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost positions) out to 128 bits.
Non-identical rounds and Round function
The 32-bit value Input computed below is split into four 8-bit blocks, Ia, Ib, Ic and Id.
Three different round functions are used in CAST-128. The rounds are as follows:
o Type 1: Input = ((Kmi + Ri-1) <<< Kri)
f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]
o Type 2: Input = ((Kmi ^ Ri-1) <<< Kri)
f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]
o Type 3: Input = ((Kmi - Ri-1) <<< Kri)
f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]
where "+" and "-" are addition and subtraction modulo 2^32,
"^" is bitwise XOR, and
"<<<" is the circular left-shift operation.
Rounds 1, 4, 7, 10, 13, and 16 use function of Type 1. Rounds 2, 5, 8, 11, and 14 use function of
Type 2. Rounds 3, 6, 9, 12, and 15 use function of Type 3.
Substitution Boxes: CAST-128 uses eight substitution boxes: S-boxes S1, S2, S3, and S4 are
used in encryption-decryption while S5, S6, S7, and S8 are used in key schedule algorithm.
This algorithm is resistant to linear and differential attacks.
Q 4. Explain S-box. What is the purpose of S-boxes in DES?
Figure: Calculation of F(R, K)
The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and
produces 4 bits as output.
S-boxes: These are the only non-linear part of DES, and they secure the algorithm against differential cryptanalysis.
They are typically used to obscure the relationship between the key and the cipher text to
provide confusion.
The permutation P spreads the bits as widely as possible, so each S-box output affects as many
S-box inputs in the next round as possible, giving "diffusion".
There are 8 S-boxes or substitution boxes. An S-box is a table that consists of four rows and 16
columns.
They take in 6-bits and produce 4-bits. The 48-bit input is divided into groups of 6-bits each to
form a total of 8 groups.
Each group is fed to S-box. The 6-bits are represented in binary form. The two outer bits (the
first and the last bit) represents the row (one of the four rows) and the inner four bits
represent the columns (one of the 16 columns). The cell where the row and the column meet
represents the value of the output.
For example, if the input to an S-box is 010100, the first and last digits, 00, give the row (row 0) and the inner four digits, 1010, give the column (column 10).
All the 8 S-boxes will output 4-bits each in similar way.
Figure: S-Box
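The expansion and S-box steps of the DES round function, run on the inputs used in the text (011001 into S1 in Q 3, 010100 in Q 4). This is an added example, not code from the notes. S1 is the real DES table; the other seven boxes are not reproduced here, so the substitution routine takes its list of tables as a parameter.

```python
# Added example (not from the notes): the E expansion and the S-box lookup of DES's F function.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def expand(r32: int) -> int:
    """E: 32 -> 48 bits. Each 4-bit group keeps its own bits and borrows the outer bit of each
    neighbouring group (wrapping at the ends), so ... efgh ijkl ... becomes ... defghi hijklm ..."""
    bits = [(r32 >> (31 - i)) & 1 for i in range(32)]       # bits[0] is DES bit 1 (the MSB)
    out = 0
    for g in range(8):
        positions = [(4 * g - 1) % 32, *range(4 * g, 4 * g + 4), (4 * g + 4) % 32]
        for p in positions:
            out = (out << 1) | bits[p]
    return out


def sbox_lookup(box: list, six_bits: int) -> int:
    """Outer two bits select the row, middle four bits the column; the cell is the 4-bit output."""
    row = ((six_bits >> 5) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]


def substitute(x48: int, boxes: list) -> int:
    """Split 48 bits into eight 6-bit groups, pass each through its S-box, concatenate the 4-bit outputs."""
    out = 0
    for g in range(8):
        group = (x48 >> (42 - 6 * g)) & 0x3F
        out = (out << 4) | sbox_lookup(boxes[g], group)
    return out


if __name__ == "__main__":
    print(f"S1(011001) = {sbox_lookup(S1, 0b011001):04b}")   # row 1, column 12 -> 9
    print(f"S1(010100) = {sbox_lookup(S1, 0b010100):04b}")   # row 0, column 10 -> 6
    print(f"E(0x{1 << 31:08x}) = 0x{expand(1 << 31):012x}")  # DES bit 1 lands in two output positions
```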
Q 5. List and explain various block cipher modes of operation with the help of diagram.
There are 5 modes of operation which are listed below.
Electronic Codebook mode (ECB)
This is the simplest mode in which plaintext is handled one block at a time and each block of
plaintext is encrypted using the same key.
The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext. Therefore, we can imagine a huge codebook in which there is an entry for every possible b-bit plaintext showing its corresponding ciphertext.
For a message longer than b bits, the procedure is simply to break the message into b-bit
blocks, padding the last block if necessary.
Decryption is performed one block at a time, always using the same key.
For lengthy messages, ECB mode may not be secure. If the message has repetitive elements, these elements can be identified by the analyst.
Thus, the ECB method is ideal for a short amount of data, such as an encryption key.
Cipher Block Chaining Mode (CBC)
To overcome the security deficiencies of ECB, a technique is needed in which the same
plaintext block, if repeated, produces different cipher text blocks.
A simple way to satisfy this requirement is the cipher block chaining (CBC) which is shown in
the figure.
In this mode, the input to the encryption algorithm is the X-OR of the current plaintext block
and the preceding ciphertext block; the same key is used for each block.
The input to the encryption function for each plaintext block has no fixed relationship to the
plaintext block.
Therefore, repeating patterns will not produce same ciphertext.
The last block is padded to a full b bits if it is a partial block.
For decryption, each cipher block is passed through the decryption algorithm. The result is X-
ORed with the preceding ciphertext block to produce the plaintext block.
The expressions for CBC are:
Cj = E(K, [Cj-1 ⊕ Pj]); encryption
D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj])) = Cj-1 ⊕ Pj; decryption
Cj-1 ⊕ D(K, Cj) = Cj-1 ⊕ Cj-1 ⊕ Pj = Pj; X-OR the preceding ciphertext block with the decryption output
To produce the first block of cipher text, an initialization vector (IV) is X-ORed with the first
block of plaintext.
On decryption, the IV is X-ORed with the output of the decryption algorithm to recover the
first block of plaintext.
The IV must be known to both the sender and receiver, but it must be unpredictable by a third party.
For maximum security, the IV should also be protected against unauthorized changes: since
P1 = IV ⊕ D(K, C1), an opponent who can make the receiver use a modified IV can invert selected
bits of the first plaintext block without touching the ciphertext at all. One way to protect the
IV is to send it using ECB encryption.
Cipher Feedback Mode (CFB)
DES is a block cipher, but it may be used as a stream cipher if the Cipher Feedback Mode (CFB)
or the Output Feedback Mode (OFB) is used. The CFB scheme is depicted below.
A stream cipher eliminates the need to pad a message to an integral number of blocks, and it
can operate in real time: each unit is encrypted as soon as it is produced.
The unit of transmission is s bits, selected by the user; a common choice is s = 8 bits.
In this case, rather than units of 64 bits, the plaintext is divided into segments of s bits.
Encryption: The input to the encryption function is a 64-bit shift register that is initially set to
some initialization vector (IV).
The leftmost (most significant) s bits of the output of the encryption function are X-ORed with
the first segment of plaintext P1 to produce the first unit of ciphertext C1, which is then
transmitted.
In addition, the contents of the shift register are shifted left by s bits and C1 is placed in the
rightmost s bits of the shift register.
This process continues until all plaintext units have been encrypted.
Decryption: The same scheme is used, except that the received ciphertext unit is XORed with
the output of the encryption function to produce the plaintext unit. Note that the encryption
function, not the decryption function, is used in both directions.
The disadvantage of this scheme is that a bit error in one ciphertext unit propagates: it
corrupts the corresponding plaintext unit and also the next b/s units (eight units for a 64-bit
block and s = 8), until the damaged unit has been shifted out of the register.
Output Feedback Mode (OFB)
The Output Feedback Mode (OFB) is similar in structure to CFB.
The only difference is what is fed back into the shift register: in OFB it is the output of the
encryption function, whereas in CFB it is the ciphertext unit.
One advantage of the OFB method is that bit errors in transmission do not propagate: a bit
error in Cj affects only the corresponding bit of Pj.
The disadvantage of OFB is that it is more vulnerable to a message stream modification attack
than CFB. Because the keystream is independent of the data, flipping a bit of the ciphertext
flips exactly that bit of the recovered plaintext, and the mode itself gives no indication that
this happened. For the same reason an IV must never be reused with the same key, or two
messages are encrypted under the same keystream.
Counter Mode (CTR)
In this mode, a counter equal in size to the plaintext block is used.
The only requirement is that the counter value must be different for each plaintext block that
is ever encrypted under a given key; a repeated counter value reuses keystream.
Typically, the counter is initialized to some value and then incremented by 1 for each
subsequent block (modulo 2^b, where b is the block size).
Counter Mode works as follows:
Encryption: The counter is encrypted and then X-ORed with the plaintext block to produce the
cipher text block; there is no chaining.
Decryption: The same sequence of counter values is used. Each encrypted counter is X-ORed
with a cipher text block to recover the corresponding plaintext block.
CTR has following advantages:
o Hardware efficiency: In this mode, encryption (or decryption) can be done in parallel on
multiple blocks of plaintext or cipher text. For the chaining modes, the algorithm must
complete the computation on one block before beginning on the next block.
o Software efficiency: Similarly, because of the opportunities for parallel execution in CTR
mode, processors that support parallel features, such as aggressive pipelining, multiple
instruction dispatch per clock cycle, a large number of registers can be effectively utilized.
o Preprocessing: The execution of the encryption algorithm does not depend on input of the
plaintext or cipher text. Therefore preprocessing can be used to prepare the output of the
encryption boxes which can be fed into the X-OR functions when the plaintext or cipher
text input is presented.
o Random access: The ith block of plaintext or cipher text can be processed in random-access
fashion, because its keystream block depends only on the key and the counter value. With the
chaining modes, block i cannot be computed until the i - 1 prior blocks have been computed.
o Provable security: It can be shown that CTR is at least as secure as the other modes.
o Simplicity: CTR mode requires only the implementation of the encryption algorithm and
not the decryption algorithm, and has a very simple implementation.
This mode is used in ATM (asynchronous transfer mode) network security and in IPsec (IP security).
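The five modes above, worked through in code as an added example (this is not code from the notes). A toy 128-bit Feistel cipher stands in for DES/AES so that the file runs on the standard library alone; it is not a secure cipher, and KEY, IV and MSG are constructed demo values. The functions show the ECB leak (repeated blocks), CBC with IV tampering (only P1 changes), CFB with s = 8 and its error propagation, OFB with no propagation, and CTR random access via first_block.

```python
import hashlib

BLOCK = 16      # block size b in bytes (128 bits)
HALF = BLOCK // 2
ROUNDS = 8

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter (so a final partial block works)."""
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key: bytes) -> list:
    """Toy key schedule: one subkey per round, derived from the master key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit Feistel cipher (NOT secure): (L, R) -> (R, L xor F(R, K_i)) per round."""
    left, right = block[:HALF], block[HALF:]
    for sk in _subkeys(key):
        left, right = right, xor(left, hashlib.sha256(sk + right).digest()[:HALF])
    return right + left     # undo the last swap, as DES does

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Same network with the subkeys in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for sk in reversed(_subkeys(key)):
        left, right = right, xor(left, hashlib.sha256(sk + right).digest()[:HALF])
    return right + left

def pad(data: bytes) -> bytes:
    """PKCS#7: add 1..BLOCK bytes so the last block is full and the padding is removable."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Each block on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, p) for p in blocks(pad(pt)))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """C_j = E(K, C_{j-1} xor P_j), with C_0 = IV."""
    prev, out = iv, []
    for p in blocks(pad(pt)):
        prev = block_encrypt(key, xor(prev, p))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """P_j = C_{j-1} xor D(K, C_j); a flipped IV bit flips that bit of P_1 and nothing else."""
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(prev, block_decrypt(key, c)))
        prev = c
    return unpad(b"".join(out))

def cfb8_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB, s = 8: keystream byte = leftmost byte of E(K, shift register); the CIPHERTEXT
    byte is shifted in at the right, so a damaged byte also corrupts the next BLO﻿CK units."""
    reg, out = iv, bytearray()
    for x in data:
        y = x ^ block_encrypt(key, reg)[0]
        out.append(y)
        reg = reg[1:] + bytes([x if decrypt else y])
    return bytes(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: the encryptor OUTPUT is fed back, so the keystream ignores the data and a
    transmission error touches only the bits it hit (the same call encrypts and decrypts)."""
    reg, out = iv, []
    for d in blocks(data):
        reg = block_encrypt(key, reg)
        out.append(xor(d, reg))
    return b"".join(out)

def ctr_crypt(key: bytes, counter0: bytes, data: bytes, first_block: int = 0) -> bytes:
    """CTR: O_j = E(K, counter0 + j mod 2^b), no chaining; first_block lets a slice of the
    message be processed on its own (random access / parallel work)."""
    base, out = int.from_bytes(counter0, "big"), []
    for j, d in enumerate(blocks(data), start=first_block):
        ctr = ((base + j) % (1 << 8 * BLOCK)).to_bytes(BLOCK, "big")
        out.append(xor(d, block_encrypt(key, ctr)))
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """Ciphertext blocks identical to an earlier one: the pattern an analyst sees in ECB."""
    seen, dup = set(), 0
    for b in blocks(ct):
        dup += b in seen
        seen.add(b)
    return dup

def corrupted_positions(expected: bytes, got: bytes) -> list:
    return [i for i, (a, b) in enumerate(zip(expected, got)) if a != b]

KEY = b"constructed-demo-key"        # constructed demo values, not from the notes
IV = bytes(range(BLOCK))
MSG = b"ATTACK AT DAWN! " * 3 + b"and again"
```

With MSG repeating a 16-byte block three times, `repeated_blocks(ecb_encrypt(KEY, MSG))` is 2 while CBC gives 0; flipping one byte of the IV before `cbc_decrypt` changes only the first plaintext byte; a flipped ciphertext byte in CFB corrupts that byte plus the next BLOCK bytes and then resynchronises, while in OFB it corrupts that byte only.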
Q 6. Write the key distribution scenario in which each user shares a unique master key with key
distribution center.
A scenario where each user shares a unique master key with the key distribution center (KDC)
is presented below.
Assume that user A wishes to establish a logical connection with B and requires a one-time
session key to protect the data transmitted over the connection.
A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb
with the KDC.
The following steps occur:
o Step 1: A issues a request to the KDC for a session key to communicate with B. The
message includes the identities of A and B and a unique identifier, the nonce N1, for this
transaction. The nonce must differ for every request and should be difficult for an opponent
to guess.
o Step 2: The KDC responds with a message encrypted using Ka. Thus, A is the only one who
can successfully read the message, and A knows that it originated at the KDC. The message
includes two items intended for A: the one-time session key Ks, and the original request
message (including N1), so that A can verify that its request was not altered before reception
by the KDC; the nonce proves that this is not a replay of some previous request.
o In addition, the message includes two items intended for B: the one-time session key Ks
to be used for the session and an identifier of A, IDA. These two items are encrypted with
Kb.
o Step 3: A stores the session key for use in the upcoming session and forwards to B the last
two items of the message from the KDC, E(Kb, [Ks || IDA]).
o Since this information is encrypted with Kb, it is protected from eavesdropping.
o B now knows the session key and the identity of the other party, A, and knows that the
information originated at the KDC (because it is encrypted using Kb).
o The key exchange is complete at this point. However, two more steps are added for
authentication purposes.
o Step 4: Using the new session key for encryption, B sends a nonce N2 to A.
o Step 5: Also using Ks, A responds with f(N2), where f is a function that performs some
transformation on N2 (for example, adding one). These steps assure B that the message it
received in step 3 was not a replay.
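The five steps simulated end to end, with both sides' messages, as an added example (not code from the notes). E(K, X) is a stand-in built from a SHA-256 keystream plus an HMAC tag, so that a party can tell whether a message really was produced under a given master key; that construction, the choice f(N2) = N2 + 1, and the identities, keys and nonces are all this example's own assumptions. The replay function shows why the echoed nonce matters in step 2.

```python
import hashlib
import hmac
import json
import os

def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream for the stand-in cipher: SHA-256(key || nonce || counter) blocks."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E(K, X) stand-in (an assumption, not a standard cipher): nonce || X xor keystream || tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Rejects anything not produced under `key`: with the KDC the only other holder of
    the key, a good tag is what lets a party conclude the message came from the KDC."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("message was not encrypted under this key")
    return bytes(c ^ k for c, k in zip(body, _stream(key, nonce, len(body))))

def pack(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def unpack(data: bytes):
    return json.loads(data.decode())

def f(n: bytes) -> bytes:
    """The step-5 transformation, assumed here to be N2 + 1."""
    return (int.from_bytes(n, "big") + 1).to_bytes(len(n) + 1, "big")

class KDC:
    def __init__(self):
        self.master = {}          # ID -> master key shared only with that user

    def register(self, ident: str, key: bytes):
        self.master[ident] = key

    def reply(self, request: dict) -> bytes:
        """Step 2: under Ka send Ks, the echoed request (with N1) and a ticket for B under Kb."""
        a, b = request["from"], request["to"]
        ks = os.urandom(16)                                                   # one-time session key
        ticket = encrypt(self.master[b], pack({"ks": ks.hex(), "id": a}))     # E(Kb, [Ks || IDA])
        return encrypt(self.master[a], pack({"ks": ks.hex(), "request": request,
                                             "ticket": ticket.hex()}))

class Party:
    def __init__(self, ident: str, master_key: bytes):
        self.id, self.master = ident, master_key
        self.ks = self.peer = self.request = self.n2 = None

    def ask_kdc(self, peer: str) -> dict:
        """Step 1: IDA || IDB || N1, sent in the clear."""
        self.request = {"from": self.id, "to": peer, "nonce": os.urandom(8).hex()}
        return self.request

    def take_reply(self, reply: bytes) -> bytes:
        """Steps 2/3 (A): verify the echoed request and nonce, keep Ks, forward the ticket."""
        msg = unpack(decrypt(self.master, reply))
        if msg["request"] != self.request:
            raise ValueError("request altered, or a replay of an earlier KDC reply")
        self.ks, self.peer = bytes.fromhex(msg["ks"]), msg["request"]["to"]
        return bytes.fromhex(msg["ticket"])

    def take_ticket(self, ticket: bytes) -> bytes:
        """Steps 3/4 (B): learn Ks and IDA from the KDC, then challenge A with N2 under Ks."""
        msg = unpack(decrypt(self.master, ticket))
        self.ks, self.peer = bytes.fromhex(msg["ks"]), msg["id"]
        self.n2 = os.urandom(8)
        return encrypt(self.ks, self.n2)

    def answer(self, challenge: bytes) -> bytes:
        """Step 5 (A): return f(N2) under Ks, proving A holds the session key."""
        return encrypt(self.ks, f(decrypt(self.ks, challenge)))

    def check_answer(self, answer: bytes) -> bool:
        return decrypt(self.ks, answer) == f(self.n2)

def make_parties():
    """Constructed demo setup: A and B each register a random master key with the KDC."""
    kdc, a, b = KDC(), Party("A", os.urandom(16)), Party("B", os.urandom(16))
    kdc.register(a.id, a.master)
    kdc.register(b.id, b.master)
    return kdc, a, b

def run_exchange(kdc: KDC, a: Party, b: Party) -> bool:
    """Steps 1-5 end to end; True when both hold the same Ks and B has authenticated A."""
    ticket = a.take_reply(kdc.reply(a.ask_kdc(b.id)))
    ok = b.check_answer(a.answer(b.take_ticket(ticket)))
    return ok and a.ks == b.ks and b.peer == a.id

def replay_is_rejected(kdc: KDC, a: Party, b: Party) -> bool:
    """An old KDC reply fed into a new transaction fails the nonce check of step 2."""
    old_reply = kdc.reply(a.ask_kdc(b.id))       # captured by an opponent earlier
    a.ask_kdc(b.id)                              # A starts a fresh transaction: new N1
    try:
        a.take_reply(old_reply)
    except ValueError:
        return True
    return False
```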
In some cases, users are concerned about security from traffic analysis. Knowledge about the
number and length of messages between nodes may enable an opponent to determine who is
talking to whom.
This can have obvious implications in a military conflict. Even in commercial applications,
traffic analysis may yield information that the traffic generators would like to conceal.
The following types of information can be derived from a traffic analysis attack:
o Identities of partners
o How frequently the partners are communicating
o Message pattern, message length, or quantity of messages that suggest important information
is being exchanged
o The events that correlate with special conversations between particular partners
Another concern related to traffic is the use of traffic patterns to create a covert channel. A
covert channel is a means of communication in a fashion unintended by the designers of the
communications facility. Typically, the channel is used to transfer information in a way that
violates a security policy.
For example, an employee may wish to communicate information to an outsider in a way that
is not detected by management and that requires only simple eavesdropping on the part of the
outsider. The two participants could set up a code in which an apparently legitimate message
of less than a certain length represents a binary zero, whereas a longer message represents a
binary one.
Q 7. Explain different key distribution techniques.
Various key distribution techniques are:
Hierarchical Key control
For very large networks, a key distribution function using a single KDC may not be practical.
As an alternative, a hierarchy of KDCs can be established.
For example, there can be local KDCs, each responsible for a small domain of the overall
internetwork, such as a single LAN or a single building.
For communication among entities within the same local domain, the local KDC is responsible
for key distribution.
If two entities in different domains desire a shared key, then the corresponding local KDCs can
communicate through a global KDC. In this case, any one of the three KDCs involved can
actually select the key.
The hierarchical concept can be extended to three or even more layers, depending on the size
of the user population and the geographic scope of the internetwork.
A hierarchical scheme minimizes the effort involved in master key distribution, because most
master keys are those shared by a local KDC with its local entities.
Such a scheme limits the damage of a faulty or subverted KDC to its local area only.
A Transparent Key Control Scheme
This scheme is useful for providing end-to-end encryption at a network or transport level in a
way that is transparent to the end users.
The approach assumes that communication makes use of a connection-oriented end-to-end
protocol, such as TCP.
An element of this approach is a session security module (SSM) that performs end-to-end
encryption and obtains session keys on behalf of its host or terminal.
Step 1: When one host wishes to set up a connection to another host, it transmits a
connection-request packet.
Step 2: The SSM saves that packet and applies to the KDC for permission to establish the
connection. The communication between the SSM and the KDC is encrypted using a master
key shared only by this SSM and the KDC.
Step 3: If the KDC approves the connection request, it generates the session key and delivers it
to the two appropriate SSMs, using a unique master key for each SSM.
Step 4: The requesting SSM can now release the connection request packet, and a connection
is set up between the two end systems. All user data exchanged between the two end systems
are encrypted by their respective SSMs using the one-time session key.
The automated key distribution approach provides the flexibility and dynamic characteristics
needed to allow a number of terminal users to access a number of hosts.
Decentralized Key Control
The use of a key distribution center requires that the KDC should be trusted and protected
from subversion.
This requirement can be avoided if key distribution is fully decentralized.
Full decentralization is not practical for larger networks using symmetric encryption only. It
may be useful within a local context.
In a decentralized approach, each end system should be able to communicate in a secure
manner with all partner end systems. Thus, [n(n - 1)]/2 master keys must be maintained in a
network of n end systems.
A session key may be established with the following sequence of steps:
o A issues a request to B for a session key and includes a nonce N1.
o B responds with a message that is encrypted using the shared master key. The response
includes the session key selected by B, an identifier of B, the value f(N1), and another
nonce, N2.
o Using the new session key, A returns f(N2) to B.
Since the messages transferred using the master key are short, cryptanalysis is difficult.
Session keys are used for only a limited time to protect them.
Q 8. Which two criteria are used to validate that a sequence of numbers is random? Explain various
pseudorandom number generators.
Following are the criteria for validating whether a sequence of numbers is random:
o Randomness: The sequence of numbers should appear random in some well-defined
statistical sense. The following two criteria are used to validate that a sequence of
numbers is random:
Uniform distribution: The distribution of numbers in the sequence should be uniform;
that is, the frequency of occurrence of all the numbers should be approximately equal.
Independence: No one sub-sequence in the sequence can be inferred (guessed) from
the others.
o Unpredictability: The successive members of the sequence should be unpredictable. In
other words, each number should be statistically independent of other numbers in the
sequence and therefore unpredictable.
Various pseudorandom number generators are:
Linear Congruential Generators
The most widely used technique for pseudorandom number generation is known as the linear
congruential method.
The sequence of random numbers {Xn} is obtained via the following equation:
X_{n+1} = (a·X_n + c) mod m, where
m is the modulus, m > 0
a is the multiplier, 0 < a < m
c is the increment, 0 ≤ c < m
X_0 is the starting value, or seed, 0 ≤ X_0 < m
The selection of values for a, c, and m is critical in developing a good random number
generator.
However, this has implications for cryptanalysis. If an opponent knows that the linear
congruential algorithm is being used, then knowledge of a small part of the sequence is
sufficient to determine the parameters of the algorithm.
Suppose that the opponent is able to determine values for X_0, X_1, X_2 and X_3. Then
X_1 = (a·X_0 + c) mod m
X_2 = (a·X_1 + c) mod m
X_3 = (a·X_2 + c) mod m
These equations can be solved for a, c and m, after which every later output of the generator
can be predicted.
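Solving those equations in code, as an added example (not from the notes). With m known, the differences t_i = X_{i+1} - X_i satisfy t_1 = a·t_0 (mod m), so three consecutive outputs give a and then c. With m unknown, t_{i+2}·t_i - t_{i+1}^2 is a multiple of m for every i (both products are a^2·t_i^2 mod m), so the gcd of a few such values recovers m first; this needs a few more outputs. The parameters a = 17, c = 43, m = 101 and seed 5 are constructed demo values, small enough to check by hand.

```python
from functools import reduce
from math import gcd

def lcg(a: int, c: int, m: int, x0: int, count: int) -> list:
    """First `count` values X_0, X_1, ... of X_{n+1} = (a X_n + c) mod m."""
    out, x = [x0], x0
    while len(out) < count:
        x = (a * x + c) % m
        out.append(x)
    return out

def recover_known_m(xs: list, m: int) -> tuple:
    """Known modulus: a = (X_2 - X_1) (X_1 - X_0)^-1 mod m, then c = X_1 - a X_0 mod m.
    Needs gcd(X_1 - X_0, m) = 1 for the inverse to exist."""
    t0, t1 = (xs[1] - xs[0]) % m, (xs[2] - xs[1]) % m
    a = t1 * pow(t0, -1, m) % m
    c = (xs[1] - a * xs[0]) % m
    return a, c

def recover_unknown_m(xs: list) -> tuple:
    """Unknown modulus: m divides every t_{i+2} t_i - t_{i+1}^2, so take the gcd of
    several of them (more outputs make a stray common factor less likely), then
    fall back to the known-m solve."""
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    m = reduce(gcd, [abs(t[i + 2] * t[i] - t[i + 1] ** 2) for i in range(len(t) - 2)])
    a, c = recover_known_m(xs, m)
    return a, c, m
```

For this generator the first three outputs (5, 27, 98) already give a and c once m = 101 is known; with m unknown, the gcd of the first four determinant values is 303, and the fifth one (which needs X_0 to X_7) brings it down to 101.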
Cryptographically Generated Random Numbers
These generators reuse encryption logic that is already available in the application to produce
random numbers. Three representative examples are:
1. Cyclic Encryption
Session keys are generated from master keys in this procedure.
A counter with period N provides input to the encryption logic.
After each key is produced, the counter is incremented by one. Thus, the pseudorandom
numbers produced by this scheme cycle through a full period.
Since each of the outputs X_0, X_1, ..., X_{N-1} is obtained by encrypting a different counter
value, the outputs are all distinct: X_0 ≠ X_1 ≠ ... ≠ X_{N-1}.
Also because the master key is protected, it is not feasible to deduce any of the session keys
(random numbers) through knowledge of one or earlier session keys.
To strengthen the algorithm further, the input could be the output of a full-period PRNG
rather than a simple counter.
2. DES Output Feedback Mode
The output feedback (OFB) mode of DES can be used for key generation as well as for stream
encryption.
The output of each stage of OFB operation is a 64-bit value, of which the s leftmost bits are fed
back for the next encryption.
Successive 64-bit outputs constitute a sequence of pseudorandom numbers with good
statistical properties.
3. ANSI X9.17 PRNG
One of the strongest PRNGs is specified in ANSI X9.17.
A number of applications employ this technique, like financial security applications and PGP.
The algorithm makes use of triple DES for encryption.
The ingredients are as follows:
o Input: Two pseudorandom inputs are given to the generator. One is a 64-bit
representation of the current date and time, DTi, which is updated on each number
generation; the other is a 64-bit seed value, Vi, which is initialized to some arbitrary value
and updated during the generation process.
o Keys: The generator makes use of three triple DES encryption modules, all of which use the
same pair of 56-bit keys {K1, K2}; these keys must be kept secret and are used only for
pseudorandom number generation.
o Output: The output consists of a 64-bit pseudorandom number Ri and a 64-bit seed value
Vi+1.
The expressions for the random number and the seed value are:
Ri = EDE([K1, K2], [Vi ⊕ EDE([K1, K2], DTi)])
Vi+1 = EDE([K1, K2], [Ri ⊕ EDE([K1, K2], DTi)])
where EDE([K1, K2], X) refers to the sequence encrypt-decrypt-encrypt using two-key triple
DES to encrypt X.
This technique is cryptographically strong due to the following reasons:
o The technique involves a 112-bit key and three EDE encryptions (nine DES
encryptions).
o The scheme has two pseudorandom inputs, the date and time value, and a seed
produced by the generator that is distinct from the pseudorandom number produced
by the generator. Thus, the amount of material that must be compromised by an
opponent is overwhelming.
Blum Blum Shub Generator
The procedure of this generator is as follows.
o Choose two large prime numbers, p and q, such that p ≡ q ≡ 3 (mod 4). For example,
the prime numbers 7 and 11. Let n = p x q.
o Choose a random number s, such that s is relatively prime to n.
o Then the BBS generator produces a sequence of bits Bi according to the following
algorithm:
X_0 = s^2 mod n
for i = 1 to ∞
    X_i = (X_{i-1})^2 mod n
    B_i = X_i mod 2
BBS is referred to as a cryptographically secure pseudorandom bit generator (CSPRBG); that is,
it passes the next-bit test: given the first k bits of the output, there is no practical
(polynomial-time) algorithm that predicts the (k+1)th bit with probability significantly
greater than 1/2.
The security of BBS is based on the difficulty of factoring n.
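The generator with the notes' p = 7, q = 11 (n = 77) and a constructed seed s = 3, as an added example (not code from the notes). The second function shows what the factorization buys an attacker: with p and q known, X_i = X_0^(2^i mod λ(n)) mod n can be computed directly for any i (λ(n) = lcm(p-1, q-1)), instead of squaring i times; that shortcut, and the whole jump-ahead function, is this example's own addition.

```python
from math import gcd

def bbs_bits(p: int, q: int, s: int, count: int) -> list:
    """B_1 .. B_count with X_0 = s^2 mod n, X_i = X_{i-1}^2 mod n, B_i = X_i mod 2."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed must be relatively prime to n")
    x, bits = s * s % n, []
    for _ in range(count):
        x = x * x % n
        bits.append(x & 1)
    return bits

def bbs_state(p: int, q: int, s: int, i: int) -> int:
    """X_i computed in one step from the factorization of n: X_i = X_0^(2^i) mod n, and
    the exponent can be reduced mod lambda(n) = lcm(p-1, q-1) because gcd(X_0, n) = 1.
    Without p and q there is no such shortcut, which is the point of basing BBS on factoring."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(s * s % n, pow(2, i, lam), n)
```

With n this small the state cycles through 4, 16, 25, 9 and the bit stream has period 4; real parameters use primes of hundreds of digits.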
Q 9. Where are random numbers used? Explain true random numbers.
A number of network security algorithms and protocols based on cryptography make use of
random binary numbers, some of which are:
o Key distribution (nonces)
o Authentication schemes
o Session key generation
o Generation of keys for the RSA public-key encryption algorithm
True Random Number Generators
A true random number generator (TRNG) uses a nondeterministic source to produce
randomness.
Most operate by measuring unpredictable natural processes, such as pulse detectors of
ionizing radiation events, leaky capacitors etc.
Intel has developed a commercially available chip that uses thermal noise by amplifying the
voltage measured across undriven resistors.
Another algorithm uses the variations in the response time of raw read requests for one disk
sector of a hard disk.
There are problems with the randomness and the precision of such numbers, and such a device
would have to be attached to every system in an internetwork.
Another alternative is to use a published collection of good-quality random numbers.
However, these collections provide a very limited source of numbers compared to the
requirements of a network security application.
Furthermore, although the numbers in these books do indeed exhibit statistical randomness,
they are predictable, because an opponent who knows that the book is in use can obtain a
copy.
A true random number generator may produce an output that is biased in some way, such as
having more ones than zeros or vice versa, known as skew.
Various methods of modifying a bit stream to reduce or eliminate the bias have been
developed. These are referred to as de-skewing algorithms.
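The notes say de-skewing algorithms exist but name none; the classic one is von Neumann's, shown here as an added example (not from the notes): read the stream in pairs, emit 0 for 01, 1 for 10, and discard 00 and 11. For independent bits with P(1) = p both kept patterns have probability p(1-p), so the output is unbiased regardless of p, at the cost of throwing most bits away. The 20-bit SAMPLE and the seeded simulated source are constructed inputs.

```python
import random

def von_neumann(bits: list) -> list:
    """Von Neumann extractor: keep the first bit of each unequal pair, drop equal pairs."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)          # 10 -> 1, 01 -> 0
    return out

def bias(bits: list) -> float:
    """Fraction of ones minus 1/2; 0 for an unbiased stream, positive for too many ones."""
    return sum(bits) / len(bits) - 0.5

def biased_source(p_one: float, count: int, seed: int = 1) -> list:
    """Simulated skewed TRNG: independent bits with P(1) = p_one (seeded, so reproducible)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(count)]

SAMPLE = [int(b) for b in "11011011111001110110"]    # constructed: 14 ones in 20 bits
```

On SAMPLE the pairs are 11, 01, 10, 11, 11, 10, 01, 11, 01, 10, so the output is 0 1 1 0 0 1: six bits, exactly half of them ones, from a 70 % input. On 100,000 simulated bits with P(1) = 0.7 roughly 42 % of the pairs are kept, and the output bias is within a few hundredths of zero.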
Q 10. Explain the following terms:
a) Diffusion
b) Confusion
c) The avalanche effect
d) Stream and Block ciphers
e) Transposition and Substitution
f) Differential and Linear Cryptanalysis
g) Reversible Mapping
h) Pseudorandom numbers
a) Diffusion: Diffusion attempts to make the statistical relationship between the plaintext and
cipher text as complex as possible, in order to thwart attempts to deduce the key. This is
achieved by having each plaintext digit affect the value of many cipher text digits. Diffusion can
be achieved by repeatedly performing some permutation on the data followed by applying a
function to that permutation.
b) Confusion: Confusion seeks to make the relationship between the statistics of the cipher text and
the value of the encryption key as complex as possible, again to thwart attempts to discover the
key. This is achieved by the use of a complex substitution algorithm.
c) The avalanche effect: A small change in either the plaintext or the key should produce a
significant change in the cipher text. In particular, a change in one bit of the plaintext or one bit of
the key should produce a change in many bits of the cipher text. This is referred to as the
avalanche effect.
d) Stream and Block ciphers: A block cipher processes the input, one block of elements at a time,
producing an output block for each input block. A stream cipher processes the input elements
continuously, producing output one element at a time.
e) Transposition and Substitution: Transposition, or permutation, involves changing the position
of elements: no elements are added, deleted or replaced in the sequence, but the order in which
they appear is changed. Substitution involves replacing each plaintext element, or group of
elements, uniquely by a corresponding ciphertext element or group of elements.
f) Differential Cryptanalysis: In differential cryptanalysis, the behavior of pairs of text blocks as
they evolve through each round of the cipher is observed, instead of only the final output. The
attack starts with two messages, m and m', with a known XOR difference Δm = m ⊕ m', and
follows the difference between the intermediate message halves, Δm_i = m_i ⊕ m'_i, from
round to round.
When many pairs of inputs to f with the same difference yield the same output difference under
the same subkey, and a number of such differences are determined, it is feasible to determine
the subkey used in the function f.
Linear Cryptanalysis: This attack is based on finding linear approximations to describe the
transformations performed in an algorithm. This method can find a key given known plaintexts,
whereas differential cryptanalysis requires chosen plaintexts. For a cipher with n-bit plaintext and
cipher text blocks and an m-bit key, let the plaintext block be P[1], ..., P[n], the cipher text block
C[1], ..., C[n], and the key K[1], ..., K[m]. Then, find an effective linear equation of the form:
P[α1, α2, ..., αa] ⊕ C[β1, β2, ..., βb] = K[γ1, γ2, ..., γc]
where 1 ≤ a, b ≤ n, 1 ≤ c ≤ m, each P[i], C[i], K[i] is a bit (0 or 1), the α, β and γ terms
represent fixed, unique bit locations, and the notation A[i, j, ..., k] stands for
A[i] ⊕ A[j] ⊕ ... ⊕ A[k].
Once a proposed relation is determined, the procedure is to compute the results of the left-
hand side of the equation for a large number of plaintext-ciphertext pairs. If the result is 0
more than half the time, assume K[g1, g2, ..., gc] = 0 and vice versa. This gives us a linear
equation on the key bits.
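Both attacks applied to a single 4-bit S-box, as an added example (not code from the notes). SBOX is the first row of DES S-box S1, used only as a convenient 4-bit bijection; the one-round toy cipher C = S(P ⊕ K) and the key-parity recovery are this example's own construction. `linear_table` counts, for each input mask a and output mask b, how many inputs satisfy a·x ⊕ b·S(x) = 0 (the "effective linear equation" search); `recover_key_parity` then runs the majority-vote procedure from the paragraph above against the toy cipher, where the relation becomes a·P ⊕ b·C = a·K. `difference_table` is the differential counterpart: how often an input XOR difference produces each output difference.

```python
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def parity(x: int) -> int:
    """XOR of the bits of x; parity(mask & v) is the V[i, j, ..., k] notation of the notes."""
    return bin(x).count("1") & 1

def linear_table(sbox: list) -> list:
    """N0[a][b] = number of inputs x with a.x xor b.S(x) = 0 (16 = always, 8 = no bias)."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) for b in range(n)]
            for a in range(n)]

def best_linear_approx(sbox: list) -> tuple:
    """Masks (a, b) whose relation holds for the most inputs, i.e. with the largest
    probability above 1/2; returns (a, b, N0)."""
    n0, n = linear_table(sbox), len(sbox)
    a, b = max(((a, b) for a in range(1, n) for b in range(1, n)),
               key=lambda ab: n0[ab[0]][ab[1]])
    if n0[a][b] <= n // 2:
        raise ValueError("no approximation with positive bias")
    return a, b, n0[a][b]

def toy_encrypt(key: int, p: int) -> int:
    """One-round toy cipher: key addition followed by the S-box."""
    return SBOX[p ^ key]

def recover_key_parity(key: int, a: int, b: int) -> int:
    """Linear attack on C = S(P xor K). With x = P xor K, a.P xor b.C = (a.x xor b.S(x)) xor a.K,
    so the left-hand side equals a.K with probability N0/16. Evaluate it over known
    plaintext/ciphertext pairs: 0 more than half the time means a.K = 0, otherwise a.K = 1."""
    pairs = [(p, toy_encrypt(key, p)) for p in range(len(SBOX))]   # attacker's known plaintexts
    zeros = sum(parity(a & p) ^ parity(b & c) == 0 for p, c in pairs)
    return 0 if zeros > len(pairs) // 2 else 1

def difference_table(sbox: list) -> list:
    """DDT[din][dout] = number of inputs x with S(x) xor S(x xor din) = dout."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            ddt[din][sbox[x] ^ sbox[x ^ din]] += 1
    return ddt

def best_differential(sbox: list) -> tuple:
    """Most likely (din, dout) with din != 0: the characteristic a differential attack builds on."""
    ddt, n = difference_table(sbox), len(sbox)
    din, dout = max(((i, j) for i in range(1, n) for j in range(n)),
                    key=lambda ij: ddt[ij[0]][ij[1]])
    return din, dout, ddt[din][dout]
```

Because all 16 plaintexts are used, the vote is exact: the left-hand side is 0 for N0 pairs when a·K = 0 and for 16 - N0 pairs when a·K = 1, so the recovered parity is right for every key; with a real block size only a sample of pairs is available and the bias decides how many are needed. The differential table has even entries (pairs come in both orders) and no din ≠ 0 maps to dout = 0 for a bijective S-box.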
g) Reversible Mapping: If each plaintext block is encrypted to a unique ciphertext block, so that
the mapping from plaintext to ciphertext is one-to-one and can be undone, the transformation is
called a reversible, or nonsingular, mapping.
h) Pseudorandom numbers: A sequence of numbers that exhibits properties of random numbers,
such as randomness and unpredictability, but that is produced by a deterministic algorithm.
Such numbers are called pseudorandom numbers.
Q-11 Explain the characteristics of the Advanced Encryption Standard (AES) symmetric block cipher.
The three AES variants differ only in key length, number of rounds and expanded-key size:

                                          AES-128     AES-192     AES-256
Key size (words/bytes/bits)               4/16/128    6/24/192    8/32/256
Plaintext block size (words/bytes/bits)   4/16/128    4/16/128    4/16/128
Number of rounds                          10          12          14
Round key size (words/bytes/bits)         4/16/128    4/16/128    4/16/128
Expanded key size (words/bytes)           44/176      52/208      60/240
Figure shows the overall structure of AES. The input to the encryption and decryption
algorithms is a single 128-bit block.
In FIPS PUB 197, this block is depicted as a square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption.
After the final stage, State is copied to an output matrix. The 128-bit key is depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words; each word is four bytes and the total key schedule is 44 words for the 128-bit key.
Note that the ordering of bytes within a matrix is by column.
So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy
the first column of the input matrix (in), the second four bytes occupy the second column, and so on.
Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of
the w matrix.
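The column-major State layout and the AES-128 key expansion to 44 words, as an added example (not code from the notes). The S-box is computed from its FIPS-197 definition (multiplicative inverse in GF(2^8) followed by the affine map) rather than transcribed, and FIPS_KEY is the example key of FIPS-197 Appendix A.1, included so the resulting words can be compared with that appendix; the helper names are this example's own.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b), as AES defines it."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(x: int) -> int:
    """Multiplicative inverse as x^254 (0 maps to 0, as the S-box requires)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def _sbox_entry(x: int) -> int:
    """S(x) = affine(inv(x)): b xor rotl(b,1) xor rotl(b,2) xor rotl(b,3) xor rotl(b,4) xor 0x63."""
    b = gf_inv(x)
    def rotl(v: int, k: int) -> int:
        return ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def to_state(block: bytes) -> list:
    """The 'in' matrix of FIPS-197: byte i lands in row i % 4, column i // 4 (column-major)."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def from_state(state: list) -> bytes:
    """Inverse of to_state: read the matrix column by column."""
    return bytes(state[r][c] for c in range(4) for r in range(4))

def expand_key(key: bytes) -> list:
    """AES-128 key schedule: 16 key bytes -> 44 four-byte words w[0..43].
    w[i] = w[i-4] xor temp, where temp = w[i-1], or RotWord/SubWord(w[i-1]) xor Rcon
    when i is a multiple of 4 (Nk = 4)."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = bytes(SBOX[b] for b in temp[1:] + temp[:1])     # RotWord then SubWord
            temp = bytes([temp[0] ^ rcon]) + temp[1:]               # xor Rcon into the first byte
            rcon = gf_mul(rcon, 2)                                  # 01, 02, 04, ..., 80, 1b, 36
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], temp)))
    return w

def round_key(w: list, rnd: int) -> bytes:
    """Round key rnd (0..10) is words 4*rnd .. 4*rnd+3, laid out column by column like the state."""
    return b"".join(w[4 * rnd:4 * rnd + 4])

FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
```

Running `expand_key(FIPS_KEY)` reproduces the appendix: w[4] = a0fafe17 (RotWord(09cf4f3c) = cf4f3c09, SubWord gives 8a84eb01, xor Rcon 01 and w[0]) and the last word w[43] = b6630ca6.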