3.

1 Conventional Symmetric Block Ciphers

This section gives a brief overview of the construction of two selected popular
conventional encryption algorithms: Data Encryption Standard (DES) and Rivest
Cipher 6 (RC6) . Each of the following encryption algorithms is a symmetric block
cipher algorithm. Symmetric means that the key used for encryption and
decryption is the same; block means that the data (information) to be encrypted is
divided into blocks of equal length.

3.2 Data Encryption Standard

The Data Encryption Standard (DES) is the most well-known symmetric-key block
cipher. It was selected by the National Bureau of Standards as an official Federal
Information Processing Standard (FIPS) for the United States in 1976, and it
subsequently enjoyed widespread use internationally [46].

The DES is a block cipher, which encrypts data in 64-bit blocks. A 64-bit block of
plaintext goes at one end of the algorithm, and a 64-bit block of ciphertext comes
out at the other end. The same algorithm and key of size 56 bits are used for both
encryption and decryption except for minor differences in the key schedule. The
key is usually expressed as a 64-bit number, but every eighth bit, one bit is used for
parity checking and is ignored. These parity bits are the least-significant bits of the
key bytes. The key can be any 56-bit number and can be changed at any time,
although some selections can be considered weak keys.
 Figure 3.1: Expansion process.

The DES is based on four basic operations: expansion, permutation, XOR, and
substitution. The data to be encrypted are first divided into 64-bit blocks and fed
into an Initial Permutation (IP) stage, in which each block is divided into two
subblocks, each with a 32-bit length. The right subblock is fed into a Feistel
function (f-function), which is depicted in Figure 3.1. It operates on half a block
(32 bits) at a time and consists of four stages as shown in Figure 3.2.

1. Expansion. The 32-bit half block is expanded to 48 bits using the expansion
permutation, denoted as E in the diagram, by duplicating half of the bits. The
output consists of eight 6-bit (8 × 6 = 48 bits) pieces, each containing a copy of 4
corresponding input bits plus a copy of the immediately adjacent bit from each of
the input pieces to either side.

2. Key mixing. The result is combined with a subkey using an XOR operation.
Sixteen 48-bit subkeys, one for each round, are derived from the main key using a
key-schedule mechanism.

3. Substitution. After mixing with the subkey, the block is divided into eight 6-bit
pieces before processing by the Substitution boxes (S-boxes). Each of the eight S-
boxes replaces its six input bits with four output bits according to a nonlinear
transformation, provided in the form of a lookup table. The S-boxes provide the
core of security of the DES. Without them, the cipher would be linear and trivially
breakable.

Figure 3.2: The DES algorithm and f-function.

4. Permutation. Finally, the 32 outputs from the S-boxes are rearranged according
to a fixed permutation, the P-box, which is designed so that, after expansion, each
group of S-box output bits is spread across six different S-boxes in the next round.

At its simplest level, the DES algorithm is nothing more than a combination of the
two basic techniques of encryption: confusion and diffusion. The fundamental
building block of the DES is a single combination of these techniques: a
substitution followed by a permutation on the data based on the key. After an
initial permutation, each block is broken into a right half and a left half, each with
32 bits. Then, there are 16 rounds of identical operations, called f functions, in
which the data are combined with the key. After these rounds, the right and left
halves are joined, and a final permutation, the inverse of the initial permutation,
finishes the algorithm.

3.2.1 Initial and Final Permutation in DES

As shown in Figures 3.3 and 3.4, the initial permutation IP and the final
permutation IP −1 are bitwise permutations. A bitwise permutation can be viewed
as simple cross-wiring, Interestingly, permutations can be very easily implemented
in hardware but are not particularly fast in software. Note that both permutations
do not increase the security of DES at all. The exact rationale for the existence of
these two permutations is not known, but it seems likely that their original purpose
was to arrange the plaintext, ciphertext and bits in a bytewise manner to make data
fetches easier for 8-bit data busses, which were the state-of-the-art register size in
the early 1970s.
 Figure 3.3: Examples for the bit swaps of the initial permutation

Figure 3.4: Examples for the bit swaps of the final permutation

The details of the transformation IP are given in Fig. 3.5(a). This table, like all
other tables in this chapter, should be read from left to right, top to bottom. The
table indicates that input bit 58 is mapped to output position 1, input bit 50 is
mapped to the second output position, and so forth. The final permutation IP −1
performs the inverse operation of IP as shown in Fig. 3.5(b).

(a) (b)
Figure 3.5: (a) Initial permutation IP (b) Final permutation IP−1
3.2.2 Key Schedule

The key schedule derives 16 round keys ki , each consisting of 48 bits, from the
original 56-bit key. Another term for round key is subkey. First, note that the DES
input key is often stated as 64-bit, where every eighth bit is used as an odd parity
bit over the preceding seven bits. It is not quite clear why DES was specified that
way. In any case, the eight parity bits are not actual key bits and do not increase the
security. DES is a 56-bit cipher, not a 64-bit one.

As shown in Figure 3.6, the 64-bit key is first reduced to 56 bits by ignoring every
eighth bit, i.e., the parity bits are stripped in the initial PC−1 permutation. Again,
the parity bits certainly do not increase the key space! The name PC−1 stands for
“permuted choice one”. The exact bit connections that are realized by PC−1 are
given in Figure 3.7.

Figure 3.6: Location of the eight parity bits for a 64-bit input key
 Figure 3.7: Initial key permutation PC−1

The resulting 56-bit key is split into two halves C 0 and D0 , and the actual key
schedule starts as shown in Fig. 3.8. The two 28-bit halves are cyclically shifted,
i.e., rotated, left by one or two bit positions depending on the round i according to
the following rules:

 In rounds i = 1,2,9,16, the two halves are rotated left by one bit.
 In the other rounds where i ?= 1,2,9,16, the two halves are rotated left by
two bits.

Note that the rotations only take place within either the left or the right half. The
total number of rotation positions is 4·1+12·2 = 28. This leads to the interesting
property that C0 = C16 and D0 = D16 . This is very useful for the decryption key
schedule where the subkeys have to be generated in reversed order
 Figure 3.8: Key schedule for DES encryption

To derive the 48-bit round keys ki , the two halves are permuted bitwise again with
PC−2, which stands for “permuted choice 2”. PC−2 permutes the 56 input bits
coming from Ci and Di and ignores 8 of them. The exact bit-connections of PC−2
are given in Figure 3.9.
 Figure 3.9: Round key permutation PC−2

Note that every round key is a selection of 48 permuted bits of the input key k. The
key schedule is merely a method of realizing the 16 permutations systematically.
Especially in hardware, the key schedule is very easy to implement. The key
schedule is also designed so that each of the 56 key bits is used in different round
keys; each bit is used in approximately 14 of the 16 round keys.

3.2.3 DES Decryption

One advantage of DES is that decryption is essentially the same function as

encryption. This is because DES is based on a Feistel network. Figure 3.10 shows a
block diagram for DES decryption. Compared to encryption, only the key schedule
is reversed, i.e., in decryption round 1, subkey 16 is needed; in round 2, subkey 15;
etc. Thus, when in decryption mode, the key schedule algorithm has to generate the
round keys as the sequence k16 ,k15 ,...,k1 .
Figure 3.9: DES decryption
3.2.4 Reversed Key Schedule

The first question that we have to clarify is how, given the initial DES key k, can
we easily generate k 16 ? Note that we saw above thatC 0 =C16 and D0 = D16 . Hence
k16 can be directly derived after PC−1.

To compute k15 we need the intermediate variables C 15 and D15 , which can be
derived from C16 ,D16 through cyclic right shifts (RS):

The subsequent round keys k14 ,k13 ,...,k1 are derived via right shifts in a similar
fashion. The number of bits shifted right for each round key in decryption mode

 In decryption round 1, the key is not rotated.

 In decryption rounds 2, 9, and 16 the two halves are rotated right by one bit.
 In the other rounds 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14 and 15 the two halves
are rotated right by two bits.

Figure 3.10 shows the reversed key schedule for decryption.

Figure 3.10: Reversed key schedule for decryption of DES
3.3 RC6 Algorithm

RC6 is a new block cipher submitted to NIST for consideration as the new
Advanced Encryption Standard (AES). The design of RC6 began with a
consideration of RC5 [18] as a potential candidate for an AES submission.
Modifications were then made to meet the AES requirements, to increase security,
and to improve performance. The inner loop, however, is based around the same
\half-round" found in RC5. RC5 was intentionally designed to be extremely
simple, to invite analysis shedding light on the security provided by extensive use
of data-dependent rotations. Since RC5 was proposed in 1995, various studies
have provided a greater understanding of how RC5's structure and operations
contribute to its security. While no practical attack on RC5 has been found, the
studies provide some interesting theoretical attacks, generally based on the fact that
the \rotation amounts" in RC5 do not depend on all of the bits in a register. RC6
was designed to thwart such attacks, and indeed to thwart all known attacks,
providing a cipher that can offer the security required for the lifespan of the AES.
To meet the requirements of the AES, a block cipher must handle 128-bit
input/output blocks. While RC5 is an exceptionally fast block cipher, extending it
to act on 128-bit blocks in the most natural manner would result in using two 64-
bit working registers. The specified target architecture and languages for AES do
not yet support 64-bit operations in an efficient and clean manner. Thus we have
modified the design to use four 32-bit registers rather than two 64-bit registers.
This has the advantage that we are doing two rotations per round rather than the
one found in a half-round of RC5, and we are using more bits of data to determine
rotation amounts in each round. The philosophy of RC5 is to exploit operations
(such as rotations) that are efficiently implemented on modern processors. RC6
continues this trend, and takes advantage of the fact that 32-bit integer
multiplication is now efficiently implemented on most processors. Integer
multiplication is a very effective \diffusion" primitive, and is used in RC6 to
compute rotation amounts, so that the rotation amounts are dependent on al l of the
bits of another register, rather than just the low-order bits (as in RC5). As a result
the new RC6 has much faster diffusion than RC5. This also allows RC6 to run with
fewer rounds at increased security and with increased throughput. We believe that
RC6 is well-suited to meet all of the requirements of the Advanced Encryption
Standard.

The RC6 block cipher is a modified version of RC5 that uses four working
registers instead of two and integer multiplication as an additional primitive
operation. The integer multiplication process greatly enhances the diffusion
achieved per round, which leads to greater security, fewer rounds, and increased
throughput. The key schedule of RC6-w/r/b is similar to the key schedule of RC5-
w/r/b. The only difference is that for RC6-w/r/b, more words are derived from the
user-supplied key for use during encryption and decryption. The user supplies a
key of b bytes, where 0 ≤ b ≤ 255. From this key, 2r + 4 words (w bits each) are
derived and stored in the array S[0, … , 2r + 3].

This array is used in both encryption and decryption [12]. Generally, RC6 consists
of two Feistel networks whose data are mixed via data-dependent rotations. The
operations in a single round of RC6 contain two applications of the squaring
function f(x) = x(2x + 1) mod 2 32 , two fixed 32-bit rotations, two data-dependent
32-bit rotations, two XORs, and two additions modulo 2 32 .
3.3.1 The Concept of RC6

Like RC5, RC6 is a fully parameterized family of encryption algorithms. A version

of RC6 is more accurately specified as RC6-w/r/b where the word size is w bits,
encryption consists of a nonnegative number of rounds r, and b denotes the length
of the encryption key in bytes. Since the AES submission is targeted at w = 32 and
r = 20, we shall use RC6 as shorthand to refer to such versions. When any other
value of w or r is intended in the text, the parameter values will be specified as
RC6-w/r. Of particular relevance to the AES effort will be the versions of RC6
with 16-, 24-, and 32-byte keys.

For all variants, RC6-w/r/b operates on units of four w-bit words using the
following six basic operations. The base-two logarithm of w will be denoted by
(lg w).

Note that in the description of RC6 the term \round" is somewhat analogous to the
usual DES-like idea of a round: half of the data is updated by the other half; and
the two are then swapped. In RC5, the term \half-round" was used to describe this
style of action, and an RC5 round was deemed to consist of two half-rounds. This
seems to have become a potential cause of confusion, and so RC6 reverts to using
the term \round" in the more established way.
3 3.2 RC6 Key schedule

The key schedule of RC6-w/r/b is practically identical to the key schedule of RC5-
w/r/b. Indeed, the only difference is that for RC6-w/r/b, more words are derived
from the user-supplied key for use during encryption and decryption. The user
supplies a key of b bytes, where 0 ≤ b ≤ 255. From this key, 2r + 4 words (w bits
each) are derived and stored in the array S[0,…, 2r + 3]. This array is used in both
encryption and decryption. 2.2 Encryption and decryption RC6 works with four w-
bit registers A; B ; C; D which contain the initial input plaintext as well as the
output ciphertext at the end of encryption. The first byte of plaintext or ciphertext
is placed in the least-significant byte of A; the last byte of plaintext or ciphertext is
placed into the most-significant byte of D. We use (A; B ; C; D) = (B; C; D; A) to
mean the parallel assignment of values on the right to registers on the left.

3.3.3 RC6 Encryption Algorithm

Encryption is the process of converting a plaintext message into cipher text which
can be decoded back into the original message. An encryption algorithm along
with a key is used in the encryption and decryption of data. There are several types
of data encryptions which form the basis of network security. Encryption schemes
are based on block or stream ciphers. The type and length of the keys utilized
depend upon the encryption algorithm and the amount of security needed. In
conventional symmetric encryption a single key is used. With this key, the sender
can encrypt a message and a recipient can decrypt the message but the security of
the key becomes problematic. In asymmetric encryption, the encryption key and
the decryption key are different. One is a public key by which the sender can
encrypt the message and the other is a private key by which a recipient can decrypt
the message.
RC6 works with four w-bit registers A; B ; C; D which contain the initial input
plaintext as well as the output ciphertext at the end of encryption. The first byte of
plaintext or ciphertext is placed in the least-significant byte of A; the last byte of
plaintext or ciphertext is placed into the most-significant byte of D. We use (A,B,
C,D) = (B,C,D,A) to mean the parallel assignment of values on the right to
registers on the left.
 Figure 3.11: Encryption with RC6-w/r/b algorithm.

3.3.4 RC6 Decryption Algorithm

RC6 decryption works with four w-bit registers A, B, C, D which contain the
initial input cipher text as well as the output plain text at the end of decryption. The
first byte of cipher text is placed in the least significant byte of A, the last byte of
cipher text is placed into the most-significant byte of D. We use (A, B, C, D) = (B,
C, D, A) to mean the parallel assignment of values on the right to registers on the
left.
Figure 3.12: Decryption with RC6-w/r/b algorithm.