
Cns Unit2


Traditional Symmetric-key cipher
UNIT-2
Introduction

 Symmetric-key encipherment uses a single key on both sides.


 Several reasons for studying:
1. They are simpler than modern ciphers and easier to understand.
2. They show the basic foundation of cryptography and encipherment.
3. They provide the rationale for using modern ciphers.
Symmetric Key Ciphers
 The original message from Alice to Bob is called plaintext;
 The message that is sent through the channel is called the ciphertext.
 To create the ciphertext from the plaintext, Alice uses an encryption
algorithm and a shared secret key.
 To create the plaintext from ciphertext, Bob uses a decryption
algorithm and the same secret key.
 We refer to encryption and decryption algorithms as Ciphers.
 A key is a set of values (numbers) that the cipher operates on.
 Encryption and decryption algorithms are inverses of each other.
 If P is the plaintext, C is the ciphertext, and K is the key, the encryption algorithm Ek(x) creates ciphertext from plaintext.
Encryption: C = Ek(P)

 The decryption algorithm Dk(x) creates the plaintext from the ciphertext.
Decryption: P = Dk(C)

 In which Dk(Ek(x)) = Ek(Dk(x)) = x


 According to Kerckhoff’s Principle:
It is better to make the encryption and decryption algorithms public but keep the shared key secret.

 Secured channels:
Face-to-face exchange of the key.
They can also trust a third party to give them the same key.
They can create a temporary secret key using another kind of cipher.
 If there are m people in a group who need to communicate with each other, then (m × (m – 1))/2 keys are used.
 Each person needs m – 1 keys to communicate with the rest of the group.
 Encryption can be thought of as locking the message in a box.
 Decryption can be thought of as unlocking the box.
Cryptanalysis:
 Cryptography is the science and art of creating secret codes.
 Cryptanalysis is the science and art of breaking those codes.
 The study of cryptanalysis helps us create better secret codes.
 There are four common types of cryptanalysis attacks.

Figure : Cryptanalysis attacks


 Ciphertext-only attack:

Figure : Cipher text-only attack


 Eve has access to only some ciphertext and tries to find the corresponding key and plaintext.
 The assumption is that Eve knows the encryption algorithm.

 Various methods can be used in ciphertext-only attack:


1. Brute-Force attack: exhaustive key search attack
2. Statistical attack: benefit from inherent characteristics of the plaintext language. E.g. E
is the most frequently used letter.
3. Pattern attack: discover pattern in ciphertext.
 Known-plaintext attack:
 Eve has access to some plaintext/ciphertext pairs in addition to the intercepted ciphertext that she wants to break.
 The plaintext/ciphertext pairs have been collected earlier.
 Chosen-plaintext attack:
 The chosen-plaintext attack is similar to the known-plaintext attack, but the plaintext/ciphertext pairs have been chosen by the attacker herself.
 Chosen-ciphertext attack:
 Eve has access to Bob's computer.
 The cryptanalyst chooses some ciphertext and decrypts it to form plaintext/ciphertext pairs.
Substitution ciphers

 We can divide traditional symmetric key ciphers into two broad categories:
 Substitution Ciphers:
In a substitution cipher, we replace one symbol in the plaintext with another symbol.

 Transposition Ciphers:
In a transposition cipher, we reorder the position of symbols in the plaintext.
Substitution ciphers:
 A substitution cipher replaces one symbol with another.
 If the symbols in the plaintext are alphabetic characters, we replace one character with another.
 Example: A → D, T → Z.
 If the symbols are digits (0 to 9), we can replace 3 with 7, and 2 with 6.

 Substitution ciphers can be categorized as:


 monoalphabetic ciphers or
 polyalphabetic ciphers.
 Monoalphabetic ciphers:
 A character in the plaintext is always changed to the same character in the ciphertext, regardless of its position in the plaintext.
 The relationship between a symbol in the plaintext and a symbol in the ciphertext is always one-to-one.
POLYGRAM SUBSTITUTION CIPHER:

 Polygram cipher systems are ciphers in which groups of letters are encrypted together, which includes enciphering large blocks of letters. This permits arbitrary substitution for groups of characters. For example, the plaintext group "ABC" could be encrypted to "RTQ", "ABB" could be encrypted to "SLL", and so on. In other words, encryption substitutes a block of multiple plaintext letters with the corresponding group of ciphertext letters. Examples of such ciphers are the Playfair and Hill ciphers.
 Monoalphabetic ciphers

a. Additive cipher (shift cipher/Caesar cipher)
b. Multiplicative cipher
c. Affine cipher
 Additive cipher:
 The simplest mono-alphabetic cipher is the additive cipher.
 This cipher is sometimes called a shift cipher or Caesar cipher, but the term additive cipher better reveals its mathematical nature.
 Assume that the plaintext consists of lowercase letters (a to z), and that the ciphertext consists of uppercase letters (A to Z).
 To be able to apply mathematical operations on the plaintext and ciphertext, we assign numerical values to each letter (lowercase or uppercase).
 Each character is assigned an integer in Z26.

Figure : Representation of plaintext and ciphertext characters


 In Figure each character (lowercase or uppercase) is assigned an integer in Z26.
 The secret key between Alice and Bob is also an integer in Z26.
 The encryption algorithm adds the key to the plaintext character;
 the decryption algorithm subtracts the key from the ciphertext character.
 All operations are done in Z26

Figure : Additive cipher


 Example 3.4 Use the additive cipher with key = 15 to decrypt the message “WTAAD”.
Shift cipher
 Historically, additive ciphers are called shift ciphers.
 The reason is that the encryption algorithm can be interpreted as “shift key characters down” and the decryption algorithm can be interpreted as “shift key characters up”.
 For example, if the key = 15, the encryption algorithm shifts 15 characters down (toward the end of the alphabet).
 The decryption algorithm shifts 15 characters up (toward the beginning of the alphabet).
 Of course, when we reach the end or the beginning of the alphabet, we wrap around (a manifestation of modulo 26).
 Shift Cipher
 A shift cipher involves replacing each letter in the message by a letter that is some fixed number of
positions further along in the alphabet.
 Here is an example of how to use the Caesar cipher to encrypt the message “HELLO” with a shift of
3:
 Write down the plaintext message: HELLO
 Choose a shift value. In this case, we will use a shift of 3.
 Replace each letter in the plaintext message with the letter that is three positions to the right in the
alphabet.
 H becomes K (shift 3 from H)
 E becomes H (shift 3 from E)
 L becomes O (shift 3 from L)
 L becomes O (shift 3 from L)
Caesar Cipher

 Julius Caesar used an additive cipher to communicate with his officers.


 For this reason, additive ciphers are sometimes referred to as the Caesar cipher. Caesar
used a key of 3 for his communications.
Example:
1. Encrypt the message “the house is being sold tonight” using the additive cipher with key 20. Ignore the spaces between words. Decrypt the message to get the plaintext.
2. Encrypt the following message and shift with the key 23.
“ABCDEFGHIJKLMNOPQRSTUVWXYZ”.
3. Encrypt the following message and shift with the key 4. “ATTACKATONCE”.
 Cryptanalysis
 Additive ciphers are vulnerable to ciphertext-only attacks using exhaustive key searches
(brute-force attacks).
 The key domain of the additive cipher is very small; there are only 26 keys. However, one
of the keys, zero, is useless (the ciphertext is the same as the plaintext).
 This leaves only 25 possible keys. Eve can easily launch a brute-force attack on the ciphertext.
 Example:
 Eve has intercepted the ciphertext “UVACLYFZLJBYL”. Show how she can use a brute-force attack to break the cipher.
 Solution: Eve tries keys from 1 to 7. With a key of 7, the plaintext is “not very secure”, which makes sense.
 Multiplicative ciphers
 In a multiplicative cipher, the encryption algorithm specifies multiplication of the plaintext by the
key and the decryption algorithm specifies division of the ciphertext by the key as shown in
Figure.
 However, since operations are in Z26, decryption here means multiplying by the multiplicative
inverse of the key. Note that the key needs to belong to the set Z26* to guarantee that the
encryption and decryption are inverses of each other.
 In cryptography we use:
 Zn when additive inverses are needed
 Zn* when multiplicative inverses are needed
 Example:
 Use multiplicative cipher to encrypt the message “hello” with a key of 7.
Example 3.7 What is the key domain for any multiplicative cipher?

Solution The key needs to be in Z26*.


This set has only 12 members: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.
 Affine cipher
 The affine cipher combines the multiplicative and additive ciphers, using a pair of keys.
 The first key is used with the multiplicative cipher.
 The second key is used with the additive cipher.
 Use the affine cipher to decrypt the message “ZEBBW” with the key pair (7, 2) in modulus 26.

 The additive cipher is a special case of an affine cipher in which k1 = 1.
 The multiplicative cipher is a special case of an affine cipher in which k2 = 0.
 Cryptanalysis of affine cipher:
 Brute-force and statistical methods of ciphertext-only attack can be used.

 Chosen-plaintext attack:
 Assume that Eve intercepts the following ciphertext.
 PWUFFOGWCHFDWIWEJOUUNJORSMDWRHVCMWJUPVCCG

 She encrypts the short plaintext “et” using two different algorithms, because she is not sure which one is the affine cipher.
 Algorithm 1: Plaintext: et → ciphertext: WC
 Algorithm 2: Plaintext: et → ciphertext: WF
 To find the key, Eve uses the following strategy:
 Eve knows that if the first algorithm is affine, she can construct the following two equations based on the first data set.
 e → W: 04 → 22, (04 × k1 + k2) ≡ 22 (mod 26)
 t → C: 19 → 02, (19 × k1 + k2) ≡ 02 (mod 26)
 k1 = 16 (16 does not have a multiplicative inverse in Z26*)

 Eve now tries the result of the second set of data.
 e → W: 04 → 22, (04 × k1 + k2) ≡ 22 (mod 26)
 t → F: 19 → 05, (19 × k1 + k2) ≡ 05 (mod 26)
 k1 = 11 and k2 = 4
 She tries the pair of keys (19, 22), which are the inverses of the pair (11, 4), to decipher the message.

Best time of the year is spring when flowers bloom
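The key recovery above, worked in code as an added example (not part of the original slides): the two plaintext/ciphertext pairs are solved for (k1, k2) in Z26, the result with a non-invertible k1 is flagged, and the recovered key deciphers the intercepted text. It goes beyond the slide by also running the additive brute-force search, since the additive cipher is the affine cipher with k1 = 1; all function names are chosen here.

```python
from math import gcd

M = 26  # alphabet size: every operation below is in Z26


def to_nums(text):
    """Letters -> integers 0..25; case, spaces and punctuation are ignored."""
    return [ord(ch) - ord("a") for ch in text.lower() if "a" <= ch <= "z"]


def affine_encrypt(plaintext, k1, k2):
    """C = (P * k1 + k2) mod 26, ciphertext in uppercase."""
    if gcd(k1, M) != 1:
        raise ValueError(f"k1 = {k1} is not in Z26*, the ciphertext could not be decrypted")
    return "".join(chr((p * k1 + k2) % M + ord("A")) for p in to_nums(plaintext))


def affine_decrypt(ciphertext, k1, k2):
    """P = ((C - k2) * k1^-1) mod 26, plaintext in lowercase."""
    k1_inv = pow(k1, -1, M)  # ValueError if k1 has no multiplicative inverse
    return "".join(chr((c - k2) * k1_inv % M + ord("a")) for c in to_nums(ciphertext))


def solve_key(pair_a, pair_b):
    """Solve P*k1 + k2 = C (mod 26) for two (plaintext letter, ciphertext letter) pairs.

    Returns (k1, k2, usable); usable is False when k1 is not in Z26*.
    """
    (p1, c1), (p2, c2) = [(to_nums(p)[0], to_nums(c)[0]) for p, c in (pair_a, pair_b)]
    dp = (p1 - p2) % M
    if gcd(dp, M) != 1:
        raise ValueError("these two plaintext letters do not determine k1 uniquely")
    k1 = (c1 - c2) * pow(dp, -1, M) % M  # subtracting the congruences removes k2
    k2 = (c1 - p1 * k1) % M
    return k1, k2, gcd(k1, M) == 1


def additive_brute_force(ciphertext):
    """The additive cipher is affine with k1 = 1, so only 25 keys need trying."""
    return {k2: affine_decrypt(ciphertext, 1, k2) for k2 in range(1, M)}


INTERCEPTED = "PWUFFOGWCHFDWIWEJOUUNJORSMDWRHVCMWJUPVCCG"  # ciphertext from the slide

if __name__ == "__main__":
    print(solve_key(("e", "W"), ("t", "C")))            # data set 1 (algorithm 1)
    k1, k2, usable = solve_key(("e", "W"), ("t", "F"))  # data set 2 (algorithm 2)
    # Decrypting with (k1, k2) is the same as applying the inverse pair
    # (k1^-1, -k2) = (19, 22) mentioned on the slide.
    print(k1, k2, usable, affine_decrypt(INTERCEPTED, k1, k2))
    for key, guess in additive_brute_force("UVACLYFZLJBYL").items():
        print(key, guess)
```
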


 Monoalphabetic substitution cipher:
 Additive, multiplicative and affine ciphers have small key domains; hence, they are vulnerable to brute-force attack.
 The monoalphabetic ciphers do not change the frequency of characters in the ciphertext, which makes the ciphers vulnerable to statistical attack.
Polyalphabetic Ciphers:
 In polyalphabetic substitution, each occurrence of a character may have a different substitute.
 It hides the letter frequency of the underlying language.
 The relationship between a character in the plaintext and a character in the ciphertext is one-to-many.
 Example:
PT = WELCOME
CT = XGPHUTR
 We need to have a key stream k = (k1, k2, k3, …) in which ki is used to encipher the ith character in the plaintext to create the ith character in the ciphertext.
 Polyalphabetic ciphers
a. Autokey cipher
b. Playfair cipher
c. Vigenere cipher
d. Hill cipher
e. One time pad
f. Rotor cipher
 Autokey cipher:
 In this cipher, the key is a stream of subkeys, in which each subkey is used to encrypt the corresponding character in the plaintext.
 The first subkey is a predetermined secret value agreed between sender and receiver.
 Example:
 Assume that Alice and Bob agreed to use an autokey cipher with initial key value k1 = 12.
 Now Alice wants to send Bob the message “Attack is today”. Enciphering is done
character by character.
 Playfair cipher
 The best-known digraph substitution cipher. It was invented in 1854 by Charles Wheatstone but was named after Lord Playfair, who promoted the use of the cipher.
 Used by the British army during World War I.
 The secret key is made up of 25 characters arranged in a 5 × 5 matrix (I and J are considered the same).
 The Playfair Cipher Encryption Algorithm:
 1. Generate the key square (5 × 5):
 The key square is a 5 × 5 grid of letters that acts as the key for encrypting the plaintext.
 The initial letters in the key square are the unique letters of the keyword in the order in which they appear, followed by the remaining letters of the alphabet in order.
 Example: Keyword - ATHENS
 Before encryption:
 Divide the plaintext into digraphs.
 PT = attack
 Digrams → at ta ck
 If two letters in a pair are the same, a bogus letter is inserted to separate them.
 PT = balloon
 Digrams → ba ll oo n → ba lx lo on
 After inserting the bogus letter, if the number of characters is odd, one extra bogus character is added at the end to make the number of characters even.
 PT = msit academy
 Digrams → ms it ac ad em yx
 2. Encrypt the plaintext → three cipher rules:
1. If the two letters in a pair are located in the same row of the secret key, the corresponding encrypted character for each letter is the next letter to the right in the same row (wrapping to the beginning of the row).
2. If the two letters in a pair are located in the same column of the secret key, the corresponding encrypted character for each letter is the letter beneath it in the same column (wrapping to the beginning of the column).
3. If the two letters in a pair are not in the same row or column of the secret key, the corresponding encrypted character for each letter is the letter that is in its own row but in the same column as the other letter (forming a rectangle).
Example:
 Let us encrypt the plaintext “Hello”.
 Using the key,

 Step 1: group the characters into two-character pairs:
 He ll o → He lx lo
 We have,
He → EC, lx → QZ, lo → BX
Plaintext → Hello, Ciphertext → ECQZBX
 Example 2: Use the Playfair cipher to encipher the message “The key is hidden
under the door pad” using the secret key “GUIDANCE”.
The key is hidden under the door pad
secret Key:

G U I/J D A
N C E B F
H K L M O
P Q R S T
V W X Y Z

PT: Th ek ey is hi dx de nu nd er th ed ox or pa dx
CT: PO CL BX DR LG IY/JY IB/JB CG BG LX PO BI/BJ LZ LT TG IY/JY
Ciphertext: POCLBXDRLGIYIBCGBGLXPOBILZLTTGIY
 Example 3: Use the Playfair cipher to encipher the message “COMSEC means communications security” using the secret key “GALOIS” (the name of the mathematician).
COMSEC means communications security

G A L O I/J
S B C D E
F H K M N
P Q R T U
V W X Y Z

Plaintext: co ms ec me an sc om mu ni ca ti on sx se cu ri ty
Ciphertext: DLFDSDNDIHBDDTNTUEBLUOIMCVBSERULYO
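The key-square construction, digraph preparation and three cipher rules above, as an added example that is not part of the original slides. Function names are chosen here, the bogus letter is "x" as in the slides, and the rejection of a pair that would need "x" to pad "x" is an assumption, since the slides do not cover that case.

```python
ALPHABET = "abcdefghiklmnopqrstuvwxyz"  # 25 letters: j shares a cell with i


def clean(text):
    """Lowercase letters only, with j folded into i."""
    return [ch for ch in text.lower().replace("j", "i") if ch in ALPHABET]


def key_square(keyword):
    """Unique keyword letters in order of appearance, then the remaining letters."""
    cells = []
    for ch in clean(keyword) + list(ALPHABET):
        if ch not in cells:
            cells.append(ch)
    return [cells[r * 5:r * 5 + 5] for r in range(5)]


def digraphs(text, bogus="x"):
    """Split into pairs, separating doubled letters and padding an odd tail."""
    letters, pairs, i = clean(text), [], 0
    while i < len(letters):
        a = letters[i]
        if i + 1 < len(letters) and letters[i + 1] != a:
            pairs.append(a + letters[i + 1])
            i += 2
        else:  # doubled letter, or a single letter left over at the end
            if a == bogus:
                raise ValueError("the bogus letter cannot pad itself; choose another")
            pairs.append(a + bogus)
            i += 1
    return pairs


def playfair(text, keyword, decrypt=False):
    """Apply the three rules to every digraph; decryption steps left/up instead."""
    square = key_square(keyword)
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    step = -1 if decrypt else 1
    out = []
    for a, b in digraphs(text):
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:      # rule 1: same row, move along the row with wrap-around
            out += [square[ra][(ca + step) % 5], square[rb][(cb + step) % 5]]
        elif ca == cb:    # rule 2: same column, move along the column with wrap-around
            out += [square[(ra + step) % 5][ca], square[(rb + step) % 5][cb]]
        else:             # rule 3: rectangle, keep own row and take the other's column
            out += [square[ra][cb], square[rb][ca]]
    result = "".join(out)
    return result if decrypt else result.upper()


if __name__ == "__main__":
    for row in key_square("GUIDANCE"):
        print(" ".join(row).upper())
    print(playfair("The key is hidden under the door pad", "GUIDANCE"))
    print(playfair("COMSEC means communications security", "GALOIS"))
```

Decryption returns the padded digraph text, so the bogus letters still have to be removed by the reader of the message.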
Cryptanalysis of a Playfair Cipher:
 Brute-force attack on a Playfair cipher is very difficult.
 A cryptanalyst can use a ciphertext-only attack based on the digram frequency test to find the
key.
Vigenere Cipher:
 The Vigenere cipher uses a different strategy to create the key stream.
 The key stream is a repetition of an initial secret key stream of length m, where 1 ≤ m ≤ 26.
 Suppose Alice and Bob agree on k = (k1, k2, k3, …, km).
 Where,
P = P1, P2, P3, …
C = C1, C2, C3, …
K = [(k1, k2, k3, …, km), (k1, k2, k3, …, km), …]
Encryption: Ci = Pi + ki
Decryption: Pi = Ci - ki
 The Vigenere cipher can be seen as a combination of m additive ciphers.
 We can say that the additive cipher is a special case of the Vigenere cipher in which m = 1.
Cryptanalysis of Vigenere Ciphers :
 Eve can use some techniques to decipher the intercepted ciphertext. The cryptanalysis consists of:
 Finding the length of the key
 Finding the key itself
 There are several methods to find the length of the key; one of them is the Kasiski test.
 Kasiski test:
 The cryptanalyst searches for repeated text segments, of at least three characters, in the ciphertext.
 Suppose that two of these segments are found and the distance between them is d.
 The cryptanalyst assumes that m divides d (m | d), where m is the key length.
 If more repeated segments can be found with distances d1, d2, d3, …, dn, then m divides gcd(d1, d2, d3, …, dn).
 Example: Let us assume that the intercepted text is as follows:

Searching for the repeated text segments:


The Kasiski test for repetition of three-character segments yields the results
shown in Table

GCD = 4
 Key value = CODE.
 JULIUSCAESARUSEDACRYPTOSYSTEMINHISWARWHICHISNOWREFERREDTOASCAES
ARCIPHERITISANADDITIVECIPHERWITHTHEKEYSETTOTHREEEACHCHARACTERINT
HEPLAINTEXTISSHIFTEDTHREECHARACTERSTOCREATETHECIPHERTEXT.

 Julius Caesar used a cryptosystem in his wars, which is now referred to as Caesar cipher. It is an additive cipher with the key set to three. Each character in the plaintext is shifted three characters to create the ciphertext.
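The Kasiski test described above, as an added example that is not part of the original slides. The short sample sentence is constructed here and enciphered with the slide's key CODE so that the repeats can be checked by hand; the function names are chosen here.

```python
from collections import defaultdict
from functools import reduce
from itertools import combinations
from math import gcd


def vigenere(text, key, decrypt=False):
    """Ci = Pi + ki (mod 26) with the key repeated; decryption subtracts instead."""
    sign = -1 if decrypt else 1
    shifts = [ord(k) - ord("A") for k in key.upper()]
    letters = [ord(ch) - ord("A") for ch in text.upper() if "A" <= ch <= "Z"]
    return "".join(chr((p + sign * shifts[i % len(shifts)]) % 26 + ord("A"))
                   for i, p in enumerate(letters))


def repeated_segments(ciphertext, seg_len=3):
    """Return {segment: [positions]} for every segment that occurs at least twice."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - seg_len + 1):
        positions[ciphertext[i:i + seg_len]].append(i)
    return {seg: pos for seg, pos in positions.items() if len(pos) > 1}


def kasiski_gcd(ciphertext, seg_len=3):
    """gcd of all distances between repeated segments; the key length m divides it.

    A repeat that happens by coincidence can pull the gcd down to 1, so on
    long texts it helps to raise seg_len or to discard the odd distance out.
    """
    distances = [b - a
                 for pos in repeated_segments(ciphertext, seg_len).values()
                 for a, b in combinations(pos, 2)]
    return reduce(gcd, distances) if distances else None


# Constructed sample: "the" starts at positions 0, 12 and 20, all multiples of
# the key length 4, so it is enciphered to the same three letters each time.
SAMPLE_PLAINTEXT = "the big cat and the dog at the zoo"
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, "CODE")

# Plaintext recovered on the slide, used here to regenerate a longer ciphertext.
SLIDE_PLAINTEXT = ("JULIUSCAESARUSEDACRYPTOSYSTEMINHISWARWHICHISNOWREFERREDTOASCAES"
                   "ARCIPHERITISANADDITIVECIPHERWITHTHEKEYSETTOTHREEEACHCHARACTERINT"
                   "HEPLAINTEXTISSHIFTEDTHREECHARACTERSTOCREATETHECIPHERTEXT")

if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT)
    print(repeated_segments(SAMPLE_CIPHERTEXT), kasiski_gcd(SAMPLE_CIPHERTEXT))
    long_ct = vigenere(SLIDE_PLAINTEXT, "CODE")
    print(repeated_segments(long_ct), kasiski_gcd(long_ct))
```
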
 Hill Cipher:
 The Hill Cipher was invented by Lester S. Hill in 1929
 It acts on groups of letters.
 It is a polygraphic substitution cipher, as it can work on digraphs, trigraphs (3 letter blocks) or
theoretically any sized blocks.
 The key is a square matrix of size m × m, in which m is the size of the block (a 2 × 2 matrix for digraphs, a 3 × 3 matrix for trigraphs).
Encryption
 Turn the plaintext into digraphs (or trigraphs) and each of these into a column vector.
 To encrypt a message, each block of m letters is multiplied by the m × m key matrix, modulo 26.
 C = K*P mod 26

Decryption
 To decrypt the message, each block is multiplied by the inverse of the matrix
 Example:
 Let us see an example:
 We have been given the phrase “code is ready” and a 4 X 4 key matrix. We can append some
bogus characters (“z”) to the plain text making the plain text “codeisreadyz” and making it into a
3 X 4 plain text matrix.
 Plain Text Matrix =

 Key Matrix =
 Now, performing the encryption:
 C = PK

 Thus,

 The cipher text obtained from the ciphertext matrix is: “OHKNIHGKLISS”
 Example: (Assignment)
 Encrypt the plaintext message "short example" using the keyword hill with a 2 x 2 matrix.
 The first step is to turn the keyword hill into a matrix.
 hill → 7 8 11 11
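The assignment above worked through as an added example (not part of the original slides), using the column-vector form C = K*P mod 26 and the inverse key matrix for decryption. Filling the 2 × 2 matrix row by row from the keyword is an assumption, as are the function names; the padding letter "z" follows the earlier example.

```python
from math import gcd


def key_from_word(word):
    """Assumption: the four keyword letters fill the 2 x 2 matrix row by row."""
    a, b, c, d = (ord(ch) - ord("a") for ch in word.lower())
    return [[a, b], [c, d]]


def inverse_2x2(key):
    """Inverse of a 2 x 2 matrix modulo 26, or ValueError if it has none."""
    (a, b), (c, d) = key
    det = (a * d - b * c) % 26
    if gcd(det, 26) != 1:
        raise ValueError(f"determinant {det} has no inverse mod 26: key is unusable")
    det_inv = pow(det, -1, 26)
    # adjugate matrix scaled by det^-1, every entry reduced mod 26
    return [[d * det_inv % 26, -b * det_inv % 26],
            [-c * det_inv % 26, a * det_inv % 26]]


def apply_matrix(matrix, text, pad="z"):
    """Multiply each digraph, taken as a column vector, by the matrix mod 26."""
    nums = [ord(ch) - ord("a") for ch in text.lower() if "a" <= ch <= "z"]
    if len(nums) % 2:
        nums.append(ord(pad) - ord("a"))  # bogus letter completes the last block
    out = []
    for x, y in zip(nums[0::2], nums[1::2]):
        out.append((matrix[0][0] * x + matrix[0][1] * y) % 26)
        out.append((matrix[1][0] * x + matrix[1][1] * y) % 26)
    return "".join(chr(n + ord("a")) for n in out)


def hill_encrypt(plaintext, key):
    return apply_matrix(key, plaintext).upper()


def hill_decrypt(ciphertext, key):
    return apply_matrix(inverse_2x2(key), ciphertext)


if __name__ == "__main__":
    key = key_from_word("hill")
    ciphertext = hill_encrypt("short example", key)
    print(key, inverse_2x2(key))
    print(ciphertext, hill_decrypt(ciphertext, key))
```
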
One-Time pad:
 One of the goals of cryptography is perfect secrecy.
 A study by Shannon has shown that perfect secrecy can be achieved if each plaintext symbol is
encrypted with a key randomly chosen from a key domain.
 This idea is used in a cipher called one-time pad, invented by Vernam.
 Each key character is chosen randomly from the key domain (00, 01, 02, …, 25); for example, the first character is encrypted using the key 4, the second using 02, the third using 21, and so on.
 Here, the ciphertext-only attack is impossible. Other types of attack are also impossible if the sender changes the key each time.
 The key has the same length as the plaintext.
Rotor cipher:
 It uses the idea behind monoalphabetic substitution but changes the mapping between the
plaintext and the ciphertext character for each plaintext character.

Figure: A rotor cipher


 The rotor in figure uses only 6 letters, but actual rotors use 26 letters.
 The initial setting (position) of the rotor is the secret key between sender and receiver.
 The first character is encrypted using the initial position, the second character after the first rotation, the third character after the second rotation, and so on.
 Example: bee → BCA
Enigma Machine:
 The machine was based on the principle of rotor ciphers.
 Main components of Enigma machine
1. Keyboard = 26 keys
2. Lampboard = 26 lamps
3. Plugboard = 26 plugs
4. Three rotors
5. Reflector
 To use the Enigma machine, a code book is published that gives several settings for each day:
a. The three rotors to be chosen, out of five available
b. The order in which the rotors are to be installed
c. The setting for the plugboard
d. A three-letter code for the day
 Procedure for encrypting a message
1. Set the starting position of the rotors to the code of the day. For example, the code was “HUA”.
2. Choose a random three-letter code such as ACF. Encrypt ACFACF (the repeated code) using the setting from step 1. The encrypted code is OPNABT.
3. Set the starting position to OPN (half of the encrypted code).
4. Append the encrypted six letters to the beginning of the message → OPNABT
5. Encrypt the message including the six-letter code OPNABTGFHBVC F. Send the encrypted message.
 Procedure for decrypting a message
1. Receive the message and separate the first six letters.
2. Set the starting position of the rotors to the code of the day.
3. Decrypt the first six letters using the initial setting from step 2.
4. Set the position of the rotors to the first half of the decrypted code.
5. Decrypt the message (without the first six letters).
Transposition ciphers

 Transposition cipher does not substitute one symbol for another, instead it changes the location
of the symbols.
 A transposition cipher reorders (transposes) the symbols.
 Different transposition ciphers:
1. Keyless Transposition Ciphers
2. Keyed Transposition Ciphers
3. Combining Two Approaches
Keyless transposition ciphers
 Simple transposition ciphers, which were used in the past, are keyless.
 There are two methods for permuting characters:
1. Text is written into a table column by column and transmitted row by row.
2. Text is written into a table row by row and transmitted column by column.
 Example: Rail fence cipher
 The plaintext is arranged in two lines as a zigzag pattern (column by column) and the ciphertext is created by reading the pattern row by row.
 Plaintext → “Meet me at the park”

 Ciphertext → MEMATEAKETETHPR
 Example:
Alice and Bob can agree on the number of columns. Alice writes the plaintext, row by row, in a table
of four columns.
Plaintext → “Meet me at the park”

Ciphertext → “MMTAEEHREAEKTTP”.
 Bob receives the ciphertext and follows the reverse process. He writes column by column and reads row by row.
 The following shows the permutation of each character in the plaintext into the ciphertext based on the positions.

 The second character in the plaintext has moved to the fifth position in the ciphertext; the third character has moved to the ninth position; and so on.
 Although the characters are permuted, there is a pattern in the permutation: (01, 05, 09, 13), (02, 06, 10, 14), (03, 07, 11, 15), and (04, 08, 12).
 In each section, the difference between the two adjacent numbers is 4.
 Keyed transposition ciphers:
 Divide the plaintext into groups of predetermined size, called blocks, and then use a key to
permute the characters in each block separately.
 Example: Alice needs to send the message “Enemy attacks tonight” to Bob. Alice and Bob agree on a block size of 5.

 The key used for encryption and decryption is a permutation key, which shows how the characters are permuted.
 Combining Two approaches:
 Cryptanalysis of transposition ciphers:
 Transposition ciphers are vulnerable to several kinds of ciphertext only attacks.
 Statistical Attack: A transposition cipher does not change the frequency of
letters in the ciphertext, it only reorders the letters.
 Brute-force attack: Eve can try all possible keys to decrypt the message.
 Pattern attack: The ciphertext created from a keyed transposition cipher has
some repeated patterns.

 Double Transposition Ciphers:


 This makes the job of the cryptanalyst difficult.
 An example of such a cipher would be one that repeats twice the algorithm used for encryption and decryption.
Stream and Block Ciphers
 The literature divides the symmetric ciphers into two broad categories:
 Stream ciphers
 Block ciphers

 Stream ciphers:
 In a stream cipher, encryption and decryption are done typically on one symbol at a time.
 Stream ciphers - Call the plaintext stream P, the ciphertext stream C, and the key stream K.
Figure: Stream cipher
 Block cipher:
 In a block cipher, a group of plaintext symbols of size m (m > 1) are encrypted together creating
a group of ciphertext of the same size.
 A single key is used to encrypt the whole block even if the key is made of multiple values.

Figure: Block cipher


STREAM CIPHER | BLOCK CIPHER
Key and algorithm are applied to each binary digit. | Key and algorithm are applied to a block of data.
Less time consuming compared to a block cipher. | More time consuming compared to a stream cipher.
Only one bit is encrypted at a time, hence it is faster. | A block of data is encrypted at a time, hence it is slower.
Example: One-time pad, additive cipher, Vigenere cipher. | Example: Playfair cipher, Hill cipher.
Data Encryption Standard
Unit 2 - Chapter 2
Introduction

 The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).
 In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem.
 A proposal from IBM, a modification of a project called Lucifer, was accepted as DES.
 DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).
 After the publication, the draft was criticized severely for two reasons:
1. Critics questioned the small key length (only 56 bits), which would make the cipher vulnerable to brute-force attack.
2. Critics were concerned about some hidden design behind the internal structure of DES. They were suspicious that some part of the structure (the S-boxes) may have some hidden trapdoor that would allow the National Security Agency (NSA) to decrypt the messages without the need for the key.
Overview:
 DES is a block cipher.
 At the encryption site, DES takes a 64-bit plaintext and creates a 64-bit ciphertext.
 At the decryption site, DES takes a 64-bit ciphertext and creates a 64-bit block of plaintext.

Figure: Encryption and Decryption with DES


DES Structure

 The encryption process is made of two permutations (P-boxes), the initial permutation and the final permutation, and sixteen Feistel rounds.
 Each round uses a different 48-bit round key generated from the cipher key according to a predefined algorithm.

Figure: General structure of DES


Initial and Final permutations
 Each of these permutations takes a 64-bit input and permutes them
according to a predefined rule.
 We have shown only a few input ports and the corresponding output
ports.
 In the initial permutation, the 58th bit in the input becomes the first bit in the output.

Figure: Initial and Final permutation steps in DES


 These permutations are keyless straight permutations that are the inverses of each other.
 Each side of the table can be thought of as a 64-element array.
 The initial permutation (IP) happens only once and it happens before the first round.
 Both permutations are keyless, predetermined transpositions.
 Initial permutation replaces the first bit of the original plain text block with the 58th bit of the
original plain text, the second bit with the 50th bit of the original plain text block, and so on.
Rounds:
 DES uses 16 rounds.
 Each round of DES is a Feistel cipher built around the DES function f.

Figure: A round in DES(encryption site)


 The round takes LI-1 and RI-1 from the previous round (or the initial permutation box) and
creates LI and RI which go to the next round(or final permutation box).
 Each round has two cipher elements (mixer and swapper). Each of these elements is invertible.
 The swapper is obviously invertible; it swaps the left half of the text with the right half.
 The mixer is invertible because of the XOR operation.
 All non-invertible elements are collected inside the function f(RI-1, KI).
DES Function:
 The heart of DES is the DES function.
 The DES function applies a 48-bit key to the rightmost 32 bits (RI-1) to produce a 32-bit output.
 This function is made up of four sections:
 An expansion P-box
 A whitener (that adds key),
 A group of S-boxes, and
 A straight P-box
Expansion P-box:
 Since RI-1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI-1 to 48 bits.
 RI-1 is divided into eight 4-bit sections.
 Each 4 bit section is then expanded to 6 bits. This expansion permutation follows a
predetermined rule.

Figure: Expansion permutation


 The relationship between the input and output can be defined mathematically, but DES uses a table to define this D-box.

Figure: Expansion P-box table


Whitener(XOR):
 After the expansion permutation, DES uses the XOR operation on the expanded right section and
the round key.
 Note that both the right section and the key are 48-bits in length.
S-boxes:
 The S-boxes do the real mixing (confusion).
 DES uses 8 S-boxes, each with a 6-bit input and 4-bit output.

Figure: S-boxes
 The substitution in each box follows a predetermined rule based on a 4-row by 16-column table.
 The combination of bits 1 and 6 of the input defines one of four rows.
 The combination of bits 2 through 5 defines one of the sixteen columns.

Figure: S-box rule


 Each S-box has its own table, we need 8 tables to define the output of these boxes.
 The values of the inputs (row number and column number) and the value of the outputs are given
as decimal numbers to save space. These need to be changed to binary.
Example: The input to S-box 1 is 100011. What is the output?
Solution:
If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal.
The remaining bits are 0001 in binary, which is 1 in decimal.
We look for the value in row 3, column 1 → result = 12 in decimal, which is 1100 in binary.
 Example: The input to S-box 8 is 000000. What is the output?
 Solution: 13 → 1101
Straight permutation:
 The last operation in the DES function is the straight permutation with a 32-bit input and a 32-bit output.
 The input/output relationship for this permutation is shown in the table:

 For example: the seventh bit of the input becomes the second bit of the output.
Cipher and Reverse Cipher:
 Using mixers and swappers, we can create the cipher and reverse cipher,
each having 16 rounds.
 The cipher is used at the encryption site; the reverse cipher is used at the
decryption site.
 The whole idea is to make the cipher and the reverse cipher algorithms
similar.
 First approach:
 To achieve this, one approach is to make the last round (round 16) different from the others.
 It has only a mixer and no swapper.
 Although the rounds are not aligned, the elements (mixer or swapper) are aligned.
 The mixer is a self-inverse; so is the swapper. The final and initial permutations are also inverses of each other.
 The left section of the plaintext at the encryption site, L0, is enciphered as L16 at the
encryption site; L16 at the decryption is deciphered as L0 at the decryption site.
 The situation is the same with R0 and R16. A very important point we need to remember about
the ciphers is that the round keys (K1 to K16) should be applied in the reverse order.
 At the encryption site, round 1 uses K1 and round 16 uses K16; at the decryption site, round 1
uses K16 and round 16 uses K1.
 Pseudocode for DES cipher:
 Alternate approach:
 In the first approach, round 16 is different from other rounds; there is no
swapper in this round. This is needed to make the last mixer in the cipher
and the first mixer in the reverse cipher aligned.
 We can make all 16 rounds the same by including one swapper to the
16th round and add an extra swapper after that (two swappers cancel the
effect of each other). We leave the design for this approach as an
exercise.
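Both approaches in code, as an added example that is not part of the original slides and not the DES algorithm itself: the round function is a constructed stand-in for f, the round keys are constructed values, and the initial and final permutations are left out because they are keyless inverses of each other. It shows that the same routine decrypts when the round keys are applied in reverse order, even though f is not invertible.

```python
MASK32 = 0xFFFFFFFF


def toy_f(right, round_key):
    """Stand-in for the DES function f (constructed, NOT the real f).

    It ignores half of the input bits, so it is not invertible; the round
    structure stays invertible anyway.
    """
    return ((right & 0x0F0F0F0F) * 0x9E3779B1 + round_key) & MASK32


def mixer(left, right, round_key):
    """L <- L xor f(R, K); R passes through. The XOR makes this self-inverse."""
    return left ^ toy_f(right, round_key), right


def swapper(left, right):
    return right, left


def feistel(block64, round_keys):
    """First approach: every round mixes and swaps, except the last, which only mixes."""
    left, right = block64 >> 32, block64 & MASK32
    for number, key in enumerate(round_keys, start=1):
        left, right = mixer(left, right, key)
        if number != len(round_keys):
            left, right = swapper(left, right)
    return (left << 32) | right


def feistel_alternate(block64, round_keys):
    """Alternate approach: all rounds identical, plus one extra swapper at the end."""
    left, right = block64 >> 32, block64 & MASK32
    for key in round_keys:
        left, right = swapper(*mixer(left, right, key))
    left, right = swapper(left, right)  # cancels the swapper of the last round
    return (left << 32) | right


def encrypt(block64, round_keys):
    return feistel(block64, round_keys)        # K1 ... K16


def decrypt(block64, round_keys):
    return feistel(block64, round_keys[::-1])  # K16 ... K1


# Constructed round keys for illustration; real DES derives sixteen 48-bit
# round keys from the cipher key with its key generator.
ROUND_KEYS = [(0x1F2E3D4C5B6A * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]

if __name__ == "__main__":
    plaintext = 0x0123456789ABCDEF
    ciphertext = encrypt(plaintext, ROUND_KEYS)
    print(f"{ciphertext:016X}")
    print(f"{decrypt(ciphertext, ROUND_KEYS):016X}")   # reversed keys: plaintext again
    print(f"{feistel(ciphertext, ROUND_KEYS):016X}")   # same key order: not the plaintext
```
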
 Key generation:
 The round-key generator creates sixteen 48-bit keys out of a 56-bit
cipher key.
 However, the cipher key is normally given as a 64-bit key in which 8
extra bits are the parity bits, which are dropped before actual key
generation process.
Figure: Key generation
 Parity drop:
 The preprocessor before key expansion is a compression transposition step, that is called Parity-bit
drop.
 It drops the parity bits (8, 16, 24, 32, …, 64) from the 64-bit key and permutes the rest of the bits.
 The remaining 56-bit value is the actual cipher key which is used to generate round keys.

Parity-bit drop table


 In the context of the Data Encryption Standard (DES), "parity drop" refers to a step in
the key schedule algorithm used to generate the subkeys for each round of encryption and
decryption. DES is a symmetric-key block cipher that operates on 64-bit blocks of data
and uses a 56-bit key.

 During the key schedule algorithm in DES, the initial 56-bit key undergoes a series of
transformations to generate 16 48-bit subkeys, one for each round of encryption and
decryption. The parity drop is the step that precedes this: the least significant bit (LSB) of
each byte of the 64-bit key is dropped, resulting in a 56-bit key after the parity bits are
removed.
 Shift left:
 After the straight permutation, the key is divided into two 28-bit parts.
 Each part is shifted left (circular shift) by one or two bits.
 In rounds 1, 2, 9, and 16, the shift is one bit; in the other rounds, it is two bits.
 The two parts are then combined to form a 56-bit part.

Number of bit shifts.


 Compression P-Box:
 The compression D-Box changes 56 bits to 48 bits, which are used as a key for a round.
 Algorithm: a simple algorithm to create round keys from the key with parity bits.
DES Analysis
 Critics have used a strong magnifier to analyze DES.
 Tests have been done to measure the strength of some desired properties in a block cipher.
1. Properties :
Avalanche Effect : A small change in the plaintext (or key) should create a significant
change in the ciphertext.
Completeness: The completeness effect means that each bit of the ciphertext needs to depend
on many bits of the plaintext.
 Example : To check avalanche effect in DES.
 Design Criteria:
 Many tests on DES have proved that it satisfied some of the required criteria as
claimed.
 S – Boxes:
 The entries of each row are permutations of values between 0 and 15.
 S-boxes are nonlinear.
 If we change a single bit in the input, two or more bits will be changed in the
output.
 If two inputs to an S-box differ only in two middle bits (bits 3 and 4), the
output must differ in at least two bits.
 If two inputs to an S-box differ in the first two bits (bits 1 and 2) and are the
same in the last two bits (bits 5 and 6), the two outputs must be different.
 A criterion similar to #6 is applied to three S-boxes.
 In any S-box, if a single input bit is held constant (0 or 1) and other
bits are changed randomly, the differences between the numbers of 0s
and 1s are minimized.

 P-boxes:
The following design criteria were implemented in the design of P-boxes
to achieve this goal.
 Each S-box input comes from the output of a different S-box
 No input to a given S-box comes from the output from the same box.
 The four outputs from each S-box go to six different S-boxes.
 No two output bits from an S-box go to the same S-box
 If we number the eight S-boxes S1, S2, …… S8,
 An output of Sj-2 goes to one of the first two bits of Sj.
 An output bit from Sj-1 goes to one of the last two bits of Sj.
 An output of Sj+1 goes to one of the two middle bits of Sj.
 For each S-box, the two output bits go to the first or last two bits of an S-box. The
other two output bits go to the middle bits of an S-box.
 If an output bit from Sj goes to one of the middle bits in Sk (in the next round), then an
output bit from Sk cannot go to the middle bit of Sj. If we let j = k, this implies that
none of the middle bits of an S-box can go to one of the middle bits of the same S-box
in the next round.
 Number of rounds:
 DES uses sixteen rounds of Feistel ciphers.
 It has been proved that after eight rounds, each ciphertext is a
function of every plaintext bit and every key bit; the ciphertext is
thoroughly a random function of plaintext and ciphertext.
 Therefore, it looks like 8 rounds should be enough.
 However, experiments have found that DES versions with fewer than 16
rounds are even more vulnerable to known-plaintext attacks than to brute-force
attack, which justifies the use of 16 rounds by the designers of DES.
 DES Weaknesses
 S-Boxes
• In S-box 4, the last three output bits can be derived in the same
way as the first output bit by complementing some of the input
bits.
• Two specifically chosen inputs to an S-box array can create the
same output.
• It is possible to obtain the same output in a single round by
changing bits in only three neighboring S-boxes.
 D-boxes
• It is not clear why designers of DES used the initial and final
permutations; these have no security benefits.
• In the expansion permutation (inside the function), the first and
fourth bits of every 4-bit series are repeated.
 Weakness in the Cipher key:
 Brute-force attack: the adversary has to check 2^56 keys.
• One computer with a processor → more than a thousand years
• Computer with parallel processing → 20 hours
• Computer network with parallel processing → 120 days (key
challenged by RSA Laboratories)

Solution:
 Use triple DES (3DES) with two keys (112 bits).
 Triple DES with three keys (168 bits).
 Weakness in cipher key-Weak keys
 Four out of 2^56 keys are called weak keys.
 Round keys created from weak keys will have the same pattern as cipher key.
 What is the disadvantage of using a weak key?
 Let us try the first weak key in Table 6.18 to encrypt a block two times.
 After two encryptions with the same key the original plaintext block is created. Note that we have
used the encryption algorithm two times, not one encryption followed by another decryption.
 Semi-weak Keys:
 There are six key pairs called semi-weak keys.
 A semi-weak key creates only two different round keys, and each of them is repeated eight times.
 The round keys created from the two keys of a pair are the same, in a different order.
 Weakness in cipher key – Possible weak keys
 48 keys are possible weak keys.
 A possible weak key is a key that creates only four distinct round keys.
 16 round keys = 4 groups → each group has 4 equal round keys

 Weakness in cipher key – Key clustering


 Two or more different keys can create the same ciphertext from the same plaintext.
Security of DES

 DES, as the first important block cipher, has gone through much scrutiny.
 Among the attempted attacks, three are of interest
 Brute Force attack
 Differential cryptanalysis
 Linear cryptanalysis
 Brute Force attack
 We have discussed the weakness of short cipher key in DES.
 Combining this weakness with the key complement weakness, it is clear that DES can be broken using 2^55
encryptions.
 However, today most applications use either 3DES with two keys (key size of 112) or 3DES with three
keys (key size of 168).
 These two multiple-DES versions make DES resistant to brute-force attack.

 Differential cryptanalysis
 It has been revealed that the designers of DES already knew about this type of attack and designed S-boxes and
chose 16 as the number of rounds to make DES specifically resistant to this type of attack.
 Linear cryptanalysis
 Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to linear cryptanalysis
than to differential cryptanalysis, probably because this type of attack was not known to the designers of
DES. S-boxes are not very resistant to linear cryptanalysis. It has been shown that DES can be broken
using 2^43 pairs of known plaintexts. However, from the practical point of view, finding so many pairs is
very unlikely.