Euclidean algorithm

One of the basic techniques of number theory is the Euclidean

algorithm, which is a simple procedure for determining the greatest common
divisor of two positive integers. Let a and b be integers, not both zero.
Recall that GCD (a, b) is the greatest common divisor of a and b. The best
general algorithm for computing GCD (a, b) (and the only practical
algorithm, unless the prime factorizations of a and b are known) is due to
Euclid. This algorithm (known as Euclid’s Algorithm or the Euclidean
Algorithm) involves repeated application of the Division Algorithm. In
another word, given any positive integer n and any positive integer a, if we
divide a by b, we get an integer q quotient and an integer r remainder that
obey the following relationship:

If have two numbers c,q that c=q*d+r, then GCD(c,q)=GCD(q,r)

Ex1: find the Greatest Common Divisor (GCD) between 132 and 55 by
using Euclid’s Algorithm.

132 = 55 * 2 + 22
55 = 22 * 2 + 11
22 = 11 * 2 + 0

Stopping when getting zero 0 then GCD is 11:

GCD(132,55) = GCD(55,22) = GCD(22,11) = GCD(11,0) = 11

Ex2: find the GCD (252 , 198 ) by using Euclid’s Algorithm.

252 = 198 * 1 + 54
198 = 54 * 3 + 36
54 = 36 * 1 + 18
36 = 18 * 2 + 0

GCD(252,198) = (198,54) = (54,36) = (36,18) = (18,0) = 18.

Example: Compute the greatest common divisor (GCD) between the

numbers (831, 366(.

Solution:
831 = 2 × 366 + 99
366 = 3 × 99 + 69
99 = 1 × 69 + 30
69 = 2 × 30 +9
30 = 3×9 +3
9 = 3×3 +0
The answer is revealed as the last nonzero remainder: gcd (831, 366)
=3

Note: Because we require that the greatest common divisor be positive

GCD (a, b) = GCD (a, -b) = GCD (-a, b) = GCD(-a,-b). In general, GCD(a,
b)
= GCD( / a / , / b /).

Example: Find the the greatest common divisor

(GCD) of a=321805575, b=198645

Solution:
321805575 = 1620 * 198645 + 675
198645 = 294 * 675 + 195
675 = 3 * 195 + 90
195 = 2 * 90 + 15
 90 = 6 * 15 +0

The answer is revealed as the last nonzero remainder: GCD (321805575,

198645) = 15

H.W.

Multiplicative Inverses Modulo n

Any positive integer that is less than n and relatively prime to n has a
multiplicative inverse modulo n. This is a consequence of the Euclidean
algorithm. We will see in the example below why this must be so. Any
positive integer that is less than n and not relatively prime to n does not have
a multiplicative inverse modulo n.

Example: find the multiplicative Invers of 15 mod 26

Solution: First, do the "forward part" of the Euclidean algorithm – finding

the GCD.

26  115  11
15  111  4
11  2  4  3
4  1 3  1
So, GCD (15, 26) = 1.
Now, do the "backward part" of the algorithm (this is often called the
“extended Euclidean algorithm)– expressing 1 as a combination of 15 and
26.

1  4 1 3
1  4 1 (11  2  4)
1  3 4 111
1  3 (15 111) 111
1  315  4 11
1  315  4  (26 115)
1  7 15  4  26

So, 1  7 15  4  26 .

Finally, "go mod 26." Because 26  0 mod 26 , when we "go mod 26," the
equation 1  7 15  4  26 becomes the congruence1  7 15mod 26 .
So, the inverse of 15 modulo 26 is 7 (and the inverse of 7 modulo 26 is 15).

Example: find the multiplicative Invers of 19 mod 26

26 = 19 * 1 + 7
19 = 7 * 2 + 5
7=5*1+2
5=2*2+1
2=2*1+0
Now, do the "backward part" of the algorithm
1 = 5 - 2*2
1 = 5 - 2(7 - 5*1)
1 = 5*3 - 2*7
1 = (19 - 7*2)*3 - 2*7
 1 = 3*19 - 8*7
1 = 3*19 - 8(26 - 19*1)
1 = 11*19 - 8*26

1 = 11*19 mod 26
So, we conclude that 11 is the multiplicative inverse of 19 modulo 26.
Hill cipher

The Hill cipher uses matrix multiplication, mod 26. In particular, the
encryption key is an nxn matrix with an inverse mod 26, where n is the
block size. System can be described as follows:

C = KP mod 26

For example, we will illustrate the cipher with n=2. Consider the
following key:

( )
3 1
6 5

To encrypt a plaintext, group the plaintext in pairs: "math", for

example. Convert each letter to its numerical equivalent, mod 26, and write
it in a nx1 matrix as follows:

( )
12
0
stands for "ma"

Now, multiply the encryption key by the plaintext and reduce mod 26 to get
the ciphertext:

(36 51 )(120 ) mod 26=(3672 ) mod 26=(1020 )

, which corresponds to the ciphertext
KU.

Here is the encryption of "th":

(36 51 )(197 ) mod 26=( 64149) mod 26=(1219 )
, which corresponds to the ciphertext
MT.

Ciphertext: KUMT

Example: consider the plaintext "paymoremoney" and use the encryption

key:

The first three letters of the plaintext are represented by the vector

The ciphertext for the entire plaintext is: LNS HDL EWM TRW.

Decryption:

Decryption requires using the inverse of the matrix K. The inverse K -1

of a matrix K is defined by the equation KK -1 = K-1K = I, where I is the
matrix that is all zeros except for ones along the main diagonal from upper
left to lower right. The inverse of a matrix does not always exist, but when it
does, it satisfies the preceding equation.

P = K-1 C mod 26

To find K-1 it needs to use a bit of math. It turns out that K -1 above can
be calculated from our key. The important things to know are inverses (mod
m), determinants of matrices and matrix adjugates.

Let K be the key matrix. Let d be the determinant of K. We wish to

find K-1 (the inverse of K), such that K × K -1 = I (mod 26), where I is the
identity matrix. The following formula tells us how to find K-1 given K:

where d × d-1 = 1(mod 26), and adj(K) is the adjugate matrix of K.

The determinant (d) is calculated normally for K as follows:

The determinant of a 2 × 2 matrix is defined by:

The determinant of a 3 × 3 matrix is defined by:

1 1 2
Determinant 1 3 5 7 9 11 17 21 25
5 9 3
 1 1 1
Reciprocal Modulo 26 1 9 21 3 19 7 23 5 25
5 1 7

The adjugate is the transpose of its cofactor matrix, it is calculated as

follows:

The adjugate of the 2×2 matrix

The adjugate of the 3×3 matrix

Once K-1 is found, decryption can be performed.

Example: decrypt the following ciphertext " KUMT" if you know it is

encrypted using Hill cipher by key

(36 51 )
Solution:

d= 3*5 –(1*6) = 9

d-1 = 3

( 5 −1
−6 3 )
adj(k) =

15 23
k-1 =d-1 * adj(k) = 8 9
( )
Now, we can corroborate that this is the case by decrypting the example
above.

(158 239 )(1020 ) mod 26=(610

260 ) mod26=( )
12
0
(158 239 )(1219 ) mod 26=(617
267 ) mod26=( 19 )
7

Plaintext: math

We can also verify this by multiplying both matrices in question together:

(K*K-1) mod 26 = 0 1 [ 1 0]
(36 51 )(158 239 ) mod26=( 53130 78183 ) mod 26=(10 01 )

Example of decryption 3x3 key: decrypt the following ciphertext "LNS

HDL EWM TRW " if you know it is encrypted using Hill cipher key

Solution:

p=k-1*C mod 26

d= 17*(18*19-21*2) - 17*(21*19-21*2) + 5*(21*2-18*2)= -939 mod 26

=23

(23)-1=17

The adjugate of the 3×3 matrix and then transpose is

([ ] ) [ ]
300 −313 267 4 9 15
−357 313 −252 ∗17 mod 26 = 15 17 6 this is K-1
6 0 −51 24 0 17

[ ][ ][]
p1 4 9 15 11
p 2 = 15 17 6 * 13 mod 26
p3 24 0 17 18
p1= (4*11+9*13+15*18) mod 26 =15  p

p2= (15*11+17*13+6*18) mod 26 =0  a

p1= (24*11+0*13+17*18) mod 26 =24  y

And repeat the same function to the next three letters until end the ciphertext

Then plaintext is pay mor emo ney.

Example: Suppose that the plaintext "friday" is encrypted using a 2 x 2 Hill

cipher to yield the ciphertext PQCFKU. Find the key?

Solution:

Using the first two plaintext-ciphertext pairs, we have

The inverse of matrix can be computed:

So:

This result is verified by testing the remaining plaintext-ciphertext pair.

Feistel cipher

It is a symmetric structure used in the construction of block ciphers. It

is also commonly known as a Feistel network. A large proportion of block
ciphers use the scheme, including the Data Encryption Standard (DES). The
Feistel structure has the advantage that encryption and decryption operations
are very similar, even identical in some cases, requiring only a reversal of
the key schedule. Therefore, the size of the code or circuitry required to
implement such a cipher is nearly halved.

Feistel proposed the use of a cipher that alternates substitutions and

permutations, as Diffusion and Confusion.

Diffusion: the statistical structure of the plaintext is dissipated into long-

range statistics of the ciphertext. This is achieved by having each plaintext
digit affect the value of many ciphertext digits; generally, this is equivalent
to having each ciphertext digit be affected by Many plaintext digits, in other
words diffusion hides the relationship between the ciphertext and the
plaintext in way that each symbol (character or bit) in the ciphrtext is
dependent on some or all symbols in the plaintext, so if one symbol in the
plaintext changed several or all symbols in the ciphertext will also be
changed. Diffusion can be achieved by repeatedly performing some
permutation on the data followed by applying a function to that permutation.
Confusion: seeks to make the relationship between the statistics of the
ciphertext and the value of the encryption key as complex as possible, again
to thwart attempts to discover the key. In other words confusion hides the
relationship between the ciphertext and the encryption key this done if a
single bit in the key is changed then most or all bits in the ciphertext will
also be changed Thus, even if the attacker can get some handle on the
statistics of the ciphertext, the way in which the key was used to produce
that ciphertext is so complex as to make it difficult to deduce the key. This is
achieved by the use of a complex substitution algorithm. In contrast, a
simple linear substitution function would add little confusion.

Data Encryption Standard (DES) is a symmetric-key block cipher

published by the National Institute of Standards and Technology (NIST(.

DES is an implementation of a Feistel Cipher. It uses 16 round Feistel

structure. The block size is 64-bit. Though, key length is 64-bit, DES has an
effective key length of 56 bits.
 Looking at the left-hand side of the figure, we can see that the
processing of the plaintext proceeds in three phases. First, the 64-bit
plaintext passes through an initial permutation (IP) that rearranges the bits to
produce the permuted input. This is followed by a phase consisting of 16
rounds of the same function, which involves both permutation and
substitution functions. The output of the last (sixteenth) round consists of 64
bits that are a function of the input plaintext and the key. The left and right
halves of the output are swapped to produce the preoutput. Finally, the
preoutput is passed through a permutation (IP-1) that is the inverse of the
initial permutation function, to produce the 64-bit ciphertext. With the
exception of the initial and final permutations, DES has the exact structure
of a Feistel cipher.
The right-hand portion of the previous figure shows the way in which
the 56-bit key is used. Initially, the key is passed through a permutation
function. Then, for each of the 16 rounds, a subkey (Ki) is produced by the
combination of a left circular shift and a permutation. The permutation
function is the same for each round, but a different subkey is produced
because of the repeated shifts of the key bits.

Initial Permutation
The initial permutation and its inverse are defined by tables, as shown in
Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as
follows. The input to a table consists of 64 bits numbered from 1 to 64. The
64 entries in the permutation table contain a permutation of the numbers
from 1 to 64. Each entry in the permutation table indicates the position of a
numbered input bit in the output, which also consists of 64 bits.
Details of Single Round
Figure 3.5 shows the internal structure of a single round. Again, begin by
focusing on the left-hand side of the diagram. The left and right halves of
each 64-bit intermediate value are treated as separate 32-bit quantities,
labeled L (left) and R (right). As in any classic Feistel cipher, the overall
processing at each round can be summarized in the following formulas:
 Li = Ri-1
Ri = Li-1 x F(Ri-1, Ki)

Figure 3.5. Single Round of DES Algorithm.

The round key Ki is 48 bits. The R input is 32 bits. This R input is first
expanded to 48 bits by using a table that defines a permutation plus an
expansion that involves duplication of 16 of the R bits (Table 3.2c). The
resulting 48 bits are XORed with Ki. This 48-bit result passes through a
substitution function that produces a 32-bit output, which is permuted as
defined by Table 3.2d.
The role of the S-boxes in the function F is illustrated in Figure 3.6.
The substitution consists of a set of eight S-boxes, each of which accepts 6
bits as input and produces 4 bits as output. These transformations are
defined in Table 3.3, which is interpreted as follows: The first and last bits
of the input to box Si form a 2-bit binary number to select one of four
substitutions defined by the four rows in the table for Si. The middle four
bits select one of the sixteen columns. The decimal value in the cell selected
by the row and column is then converted to its 4-bit representation to
produce the output. For example, in S1 for input 011001, the row is 01 (row
1) and the column is 1100 (column 12). The value in row 1, column 12 is 9,
so the output is 1001.

Figure 3.6. Calculation of F(R, K)

Table 3.3. Definition of DES S-Boxes.

 Each row of an S-box defines a general reversible substitution. Figure
3.1 may be useful in understanding the mapping. The figure shows the
substitution for row 0 of box S1.
 The operation of the S-boxes is worth further comment. Ignore for the
moment the contribution of the key (Ki). If you examine the expansion table,
you see that the 32 bits of input are split into groups of 4 bits, and then
become groups of 6 bits by taking the outer bits from the two adjacent
groups. For example, if part of the input word is

... efgh ijkl mnop ...

this becomes
... defghi hijklm lmnopq ...
The outer two bits of each group select one of four possible
substitutions (one row of an S-box). Then a 4-bit output value is substituted
for the particular 4-bit input (the middle four input bits). The 32-bit output
from the eight S-boxes is then permuted, so that on the next round the output
from each S-box immediately affects as many others as possible.
Key Generation
Returning to Figures 3.4 and 3.5, we see that a 64-bit key is used as input to
the algorithm. The bits of the key are numbered from 1 through 64; every
eighth bit is ignored, as indicated by the lack of shading in Table 3.4a. The
key is first subjected to a permutation governed by a table labeled Permuted
Choice One (Table 3.4b). The resulting 56-bit key is then treated as two 28-
bit quantities, labeled C 0 and D0. At each round, Ci-1 and Di-1 are
separately subjected to a circular left shift, or rotation, of 1 or 2 bits, as
governed by Table 3.4d.
These shifted values serve as input to the next round. They also serve as
input to Permuted Choice Two (Table 3.4c), which produces a 48-bit output
that serves as input to the function F(Ri-1, Ki).
 HOW DES WORKS IN DETAIL

Example: Let M be the plain text message M =

0123456789ABCDEF, where M is in hexadecimal (base 16)
format. Rewriting M in binary format, we get the 64-bit block of
text:

M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010
1011 1100 1101 1110 1111
L = 0000 0001 0010 0011 0100 0101 0110 0111
R = 1000 1001 1010 1011 1100 1101 1110 1111

The first bit of M is "0". The last bit is "1". We read from left to
right.

DES operates on the 64-bit blocks using key sizes of 56- bits. The
keys are actually stored as being 64 bits long, but every 8th bit in
the key is not used (i.e. bits numbered 8, 16, 24, 32, 40, 48, 56, and
64). However, we will nevertheless number the bits from 1 to 64,
going left to right, in the following calculations. But, as you will
see, the eight bits just mentioned get eliminated when we create
subkeys.

Example: Let K be the hexadecimal key K =

133457799BBCDFF1. This gives us as the binary key (setting 1 =
0001, 3 = 0011, etc., and grouping together every eight bits, of
which the last one in each group will be unused):

K = 00010011 00110100 01010111 01111001 10011011

10111100 11011111 11110001

The DES algorithm uses the following steps:

STEP 1: CREATE 16 SUBKEYS, EACH OF WHICH IS 48-BITS
LONG.
The 64-bit key is permuted according to the following table, PC-1.
Since the first entry in the table is "57", this means that the 57th bit
of the original key K becomes the first bit of the permuted key K+.
The 49th bit of the original key becomes the second bit of the
permuted key. The 4th bit of the original key is the last bit of the
permuted key. Note only 56 bits of the original key appear in the
permuted key.

PC-1
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4

Example: From the original 64-bit key

K = 00010011 00110100 01010111 01111001 10011011 10111100

11011111 11110001

we get the 56-bit permutation

K+ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111

0001111

Next, split this key into left and right halves, C0 and D0, where each half has
28 bits.

Example: From the permuted key K+, we get

C0 = 1111000 0110011 0010101 0101111

D0 = 0101010 1011001 1001111 0001111
With C0 and D0 defined, we now create sixteen blocks Cn and Dn,
1<=n<=16. Each pair of blocks Cn and Dn is formed from the previous pair
Cn-1 and Dn-1, respectively, for n = 1, 2, ..., 16, using the following schedule
of "left shifts" of the previous block. To do a left shift, move each bit one
place to the left, except for the first bit, which is cycled to the end of the
block.
Iteration Number of
Number Left Shifts

1 1
2 1
3 2
4 2
5 2
6 2
7 2
8 2
9 1
10 2
11 2
12 2
13 2
14 2
15 2
16 1

This means, for example, C3 and D3 are obtained from C2 and D2,
respectively, by two left shifts, and C16 and D16 are obtained from C15 and
D15, respectively, by one left shift. In all cases, by a single left shift is meant
a rotation of the bits one place to the left, so that after one left shift the bits
in the 28 positions are the bits that were previously in positions 2, 3,..., 28, 1.

Example: From original pair pair C0 and D0 we obtain:

C0 = 1111000011001100101010101111
D0 = 0101010101100110011110001111

C1 = 1110000110011001010101011111
D1 = 1010101011001100111100011110

C2 = 1100001100110010101010111111
D2 = 0101010110011001111000111101
C3 = 0000110011001010101011111111
D3 = 0101011001100111100011110101

C4 = 0011001100101010101111111100
D4 = 0101100110011110001111010101

C5 = 1100110010101010111111110000
D5 = 0110011001111000111101010101

C6 = 0011001010101011111111000011
D6 = 1001100111100011110101010101

C7 = 1100101010101111111100001100
D7 = 0110011110001111010101010110

C8 = 0010101010111111110000110011
D8 = 1001111000111101010101011001

C9 = 0101010101111111100001100110
D9 = 0011110001111010101010110011

C10 = 0101010111111110000110011001
D10 = 1111000111101010101011001100

C11 = 0101011111111000011001100101
D11 = 1100011110101010101100110011

C12 = 0101111111100001100110010101
D12 = 0001111010101010110011001111

C13 = 0111111110000110011001010101
D13 = 0111101010101011001100111100

C14 = 1111111000011001100101010101
D14 = 1110101010101100110011110001

C15 = 1111100001100110010101010111
D15 = 1010101010110011001111000111

C16 = 1111000011001100101010101111
D16 = 0101010101100110011110001111
We now form the keys Kn, for 1<=n<=16, by applying the following
permutation table to each of the concatenated pairs CnDn. Each pair has 56
bits, but PC-2 only uses 48 of these. PC-2

14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32

Therefore, the first bit of Kn is the 14th bit of CnDn, the second bit the 17th,
and so on, ending with the 48th bit of Kn being the 32th bit of CnDn.

Example: For the first key we have C1D1 = 1110000 1100110 0101010
1011111 1010101 0110011 0011110 0011110

which, after we apply the permutation PC-2, becomes

K1 = 000110 110000 001011 101111 111111 000111 000001 110010

For the other keys we have

K2 = 011110 011010 111011 011001 110110 111100 100111 100101

K3 = 010101 011111 110010 001010 010000 101100 111110 011001
K4 = 011100 101010 110111 010110 110110 110011 010100 011101
K5 = 011111 001110 110000 000111 111010 110101 001110 101000
K6 = 011000 111010 010100 111110 010100 000111 101100 101111
K7 = 111011 001000 010010 110111 111101 100001 100010 111100
K8 = 111101 111000 101000 111010 110000 010011 101111 111011
K9 = 111000 001101 101111 101011 111011 011110 011110 000001
K10 = 101100 011111 001101 000111 101110 100100 011001 001111
K11 = 001000 010101 111111 010011 110111 101101 001110 000110
K12 = 011101 010111 000111 110101 100101 000110 011111 101001
K13 = 100101 111100 010111 010001 111110 101011 101001 000001
K14 = 010111 110100 001110 110111 111100 101110 011100 111010
K15 = 101111 111001 000110 001101 001111 010011 111100 001010
K16 = 110010 110011 110110 001011 000011 100001 011111 110101
So much for the subkeys. Now we look at the message itself.

STEP 2: ENCODE EACH 64-BIT BLOCK OF DATA.

There is an initial permutation IP of the 64 bits of the message data M. This

rearranges the bits according to the following table, where the entries in the
table show the new arrangement of the bits from their initial order. The 58th
bit of M becomes the first bit of IP. The 50th bit of M becomes the second
bit of IP. The 7th bit of M is the last bit of IP.
IP

58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7

Example: Applying the initial permutation to the block of text M, given

previously, we get

M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011
1100 1101 1110 1111
IP = 1100 1100 0000 0000 1100 1100 1111 1111 1111 0000 1010 1010
1111 0000 1010 1010

Here the 58th bit of M is "1", which becomes the first bit of IP. The 50th bit
of M is "1", which becomes the second bit of IP. The 7th bit of M is "0",
which becomes the last bit of IP.

Next divide the permuted block IP into a left half L0 of 32 bits, and a right
half R0 of 32 bits.

Example: From IP, we get L0 and R0

L0 = 1100 1100 0000 0000 1100 1100 1111 1111

R0 = 1111 0000 1010 1010 1111 0000 1010 1010
We now proceed through 16 iterations, for 1<=n<=16, using a function f
which operates on two blocks--a data block of 32 bits and a key Kn of 48
bits--to produce a block of 32 bits. Let + denote XOR addition, (bit-by-bit
addition modulo 2). Then for n going from 1 to 16 we calculate

Ln= Rn-1
Rn = Ln-1 + f(Rn-1,Kn)

This results in a final block, for n = 16, of L16R16. That is, in each iteration,
we take the right 32 bits of the previous result and make them the left 32 bits
of the current step. For the right 32 bits in the current step, we XOR the left
32 bits of the previous step with the calculation f .

Example: For n = 1, we have

K1 = 000110 110000 001011 101111 111111 000111 000001 110010

L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 + f(R0,K1)

It remains to explain how the function f works. To calculate f, we first

expand each block Rn-1 from 32 bits to 48 bits. This is done by using a
selection table that repeats some of the bits in Rn-1 . We'll call the use of this
selection table the function E. Thus E(Rn-1) has a 32 bit input block, and a 48
bit output block.

Let E be such that the 48 bits of its output, written as 8 blocks of 6 bits each,
are obtained by selecting the bits in its inputs in order according to the
following table:
E BIT-SELECTION TABLE

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

Thus the first three bits of E(Rn-1) are the bits in positions 32, 1 and 2 of Rn-1
while the last 2 bits of E(Rn-1) are the bits in positions 32 and 1.
Example: We calculate E(R0) from R0 as follows:

R0 = 1111 0000 1010 1010 1111 0000 1010 1010

E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101

(Note that each block of 4 original bits has been expanded to a block of 6
output bits.)

Next in the f calculation, we XOR the output E(Rn-1) with the key Kn:

Kn + E(Rn-1).

Example: For K1 , E(R0), we have

K1 = 000110 110000 001011 101111 111111 000111 000001 110010

E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101
K1+E(R0) = 011000 010001 011110 111010 100001 100110 010100
100111.

We have not yet finished calculating the function f . To this point we have
expanded Rn-1 from 32 bits to 48 bits, using the selection table, and XORed
the result with the key Kn . We now have 48 bits, or eight groups of six bits.
We now do something strange with each group of six bits: we use them as
addresses in tables called "S boxes". Each group of six bits will give us an
address in a different S box. Located at that address will be a 4 bit number.
This 4 bit number will replace the original 6 bits. The net result is that the
eight groups of 6 bits are transformed into eight groups of 4 bits (the 4-bit
outputs from the S boxes) for 32 bits total.

Write the previous result, which is 48 bits, in the form:

Kn + E(Rn-1) =B1B2B3B4B5B6B7B8,

where each Bi is a group of six bits. We now calculate

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8)

where Si(Bi) referres to the output of the i-th S box.

To repeat, each of the functions S1, S2,..., S8, takes a 6-bit block as input
and yields a 4-bit block as output. The table to determine S1 is shown and
explained below:
S1

Column Number
Row
No. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

If S1 is the function defined in this table and B is a block of 6 bits, then S1(B)
is determined as follows: The first and last bits of B represent in base 2 a
number in the decimal range 0 to 3 (or binary 00 to 11). Let that number be
i. The middle 4 bits of B represent in base 2 a number in the decimal range 0
to 15 (binary 0000 to 1111). Let that number be j. Look up in the table the
number in the i-th row and j-th column. It is a number in the range 0 to 15
and is uniquely represented by a 4 bit block. That block is the output S1(B)
of S1 for the input B. For example, for input block B = 011011 the first bit is
"0" and the last bit "1" giving 01 as the row. This is row 1. The middle four
bits are "1101". This is the binary equivalent of decimal 13, so the column is
column number 13. In row 1, column 13 appears 5. This determines the
output; 5 is binary 0101, so that the output is 0101. Hence S1(011011) =
0101.

The tables defining the functions S1,...,S8 are the following:

S1

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

S2

15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
 S3

10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

S4

7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

S5

2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S6

12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

S7

4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

S8

13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Example: For the first round, we obtain as the output of the eight S boxes:

K1 + E(R0) = 011000 010001 011110 111010 100001 100110 010100

100111.
S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010
1011 0101 1001 0111

The final stage in the calculation of f is to do a permutation P of the S-box

output to obtain the final value of f:

f = P(S1(B1)S2(B2)...S8(B8))

The permutation P is defined in the following table. P yields a 32-bit output

from a 32-bit input by permuting the bits of the input block.
P

16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25

Example: From the output of the eight S boxes:

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) =
0101 1100 1000 0010 1011 0101 1001 0111

we get f = 0010 0011 0100 1010 1010 1001 1011 1011

R1 = L0 + f(R0 , K1 )

= 1100 1100 0000 0000 1100 1100 1111 1111

+ 0010 0011 0100 1010 1010 1001 1011 1011
= 1110 1111 0100 1010 0110 0101 0100 0100

In the next round, we will have L2 = R1, which is the block we just
calculated, and then we must calculate R2 =L1 + f(R1, K2), and so on for 16
rounds. At the end of the sixteenth round we have the blocks L16 and R16. We
then reverse the order of the two blocks into the 64-bit block
R16L16
and apply a final permutation IP-1 as defined by the following table:
IP-1

40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25

That is, the output of the algorithm has bit 40 of the preoutput
block as its first bit, bit 8 as its second bit, and so on, until bit 25 of
the preoutput block is the last bit of the output.
Example: If we process all 16 blocks using the method defined previously,
we get, on the 16th round,

L16 = 0100 0011 0100 0010 0011 0010 0011 0100

R16 = 0000 1010 0100 1100 1101 1001 1001 0101

We reverse the order of these two blocks and apply the final permutation to

R16L16 = 00001010 01001100 11011001 10010101 01000011 01000010

00110010 00110100

IP-1 = 10000101 11101000 00010011 01010100 00001111 00001010

10110100 00000101

which in hexadecimal format is 85E813540F0AB405.

This is the encrypted form of M = 0123456789ABCDEF: namely, C =

85E813540F0AB405.

Decryption is simply the inverse of encryption, follwing the same steps as

above, but reversing the order in which the subkeys are applied.