Introduction to Modern Symmetric-key Ciphers

1 Introduction to Modern Symmetric-key Ciphers
Chapter 5: Introduction to Modern Symmetric-key Ciphers. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

2 Objectives
To distinguish between traditional and modern symmetric-key ciphers
To introduce modern block ciphers and discuss their characteristics
To explain why modern block ciphers need to be designed as substitution ciphers
To introduce components of block ciphers such as P-boxes and S-boxes
To discuss product ciphers and distinguish between two classes of product ciphers: Feistel and non-Feistel ciphers

3 Objectives (continued)
To discuss two kinds of attacks designed particularly for modern block ciphers: differential and linear cryptanalysis
To introduce stream ciphers and to distinguish between synchronous and nonsynchronous stream ciphers
To discuss linear and nonlinear feedback shift registers for implementing stream ciphers

4 Modern Block Ciphers
Block ciphers: the plaintext is encrypted and decrypted in fixed-size blocks of n bits at a time, and the key also has a fixed size.

5 Substitution or Transposition
A modern block cipher can be designed either as a substitution cipher (any n-bit block may be replaced by any other n-bit block) or as a transposition cipher (the bits of the block are only rearranged). To be resistant to an exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher.

6 Substitution or Transposition
Example: Suppose that we have a block cipher where n = 64. If there are 10 1's in the ciphertext, how many trial-and-error tests does Eve need to do to recover the plaintext from the intercepted ciphertext in each of the following cases?
a. The cipher is designed as a substitution cipher.
b. The cipher is designed as a transposition cipher.
Substitution cipher: Eve has no idea how many 1's are in the plaintext. She needs to try all 2^64 possible 64-bit blocks to find one that makes sense.
Transposition cipher: Eve knows that there are exactly 10 1's in the plaintext, because a transposition only moves bits around. She can launch an exhaustive-search attack using only those 64-bit blocks that have exactly 10 1's: 64! / (10! 54!) = 151,473,214,816 blocks, far fewer than 2^64.
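Added example (Python, not part of the slides): a toy bit-transposition cipher that makes the point above concrete. It checks that the number of 1's survives encryption, which is the leak Eve exploits, and computes both search-space sizes with math.comb. The permutation key and the plaintext are generated inside the example and are stand-ins, not values from the textbook.

```python
import math
import random


def transpose_bits(block: int, perm: list[int], n: int) -> int:
    """Bit-transposition cipher on an n-bit block: output bit i (0 = most
    significant) is taken from input bit perm[i]. The permutation is the key."""
    out = 0
    for i, src in enumerate(perm):
        bit = (block >> (n - 1 - src)) & 1
        out |= bit << (n - 1 - i)
    return out


def popcount(x: int) -> int:
    """Number of 1's in the block (its Hamming weight)."""
    return bin(x).count("1")


def search_space(n: int, ones: int, substitution: bool) -> int:
    """Plaintext candidates Eve must try for an n-bit ciphertext with `ones` 1's.
    A substitution cipher leaks nothing about the weight: all 2^n blocks.
    A transposition cipher preserves the weight: only C(n, ones) blocks."""
    if substitution:
        return 2 ** n
    return math.comb(n, ones)


def demo(n: int = 64, seed: int = 1) -> dict:
    """Constructed demo: a random transposition key and plaintext, then the size
    of Eve's search under both designs for the observed ciphertext weight."""
    rng = random.Random(seed)
    perm = list(range(n))
    rng.shuffle(perm)                    # constructed transposition key
    plaintext = rng.getrandbits(n)       # constructed plaintext block
    ciphertext = transpose_bits(plaintext, perm, n)
    weight = popcount(ciphertext)
    return {
        "weight_preserved": popcount(plaintext) == weight,
        "substitution_trials": search_space(n, weight, substitution=True),
        "transposition_trials": search_space(n, weight, substitution=False),
    }
```

Whatever key is chosen, the ciphertext weight equals the plaintext weight, so the transposition search space is C(64, w), which peaks at C(64, 32) and is always below 2^64.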

7 Substitution or Transposition
Full-size key cipher: a cipher whose key is long enough to select every possible mapping from the input to the output. Practical ciphers use partial-size keys, but the full-size key model is the easiest way to understand and compare the two designs.
Full-size key transposition block cipher: with a block size of n bits there are n! possible mappings, so the key needs ⌈log2 n!⌉ bits.

8 Substitution or Transposition
Full-size key transposition block cipher. Example 5.2: Show the model and the set of permutation tables for a 3-bit block transposition cipher. There are 3! = 6 permutation tables, so the key needs ⌈log2 6⌉ = 3 bits; among the 2^3 = 8 possible key values, only 6 are used as mappings.

9 Substitution or Transposition
Full-size key substitution block cipher: a full-size key substitution cipher does not transpose bits; it substitutes one n-bit block for another.
We can model the substitution cipher as a permutation if we decode the input and encode the output, where decoding transforms an n-bit integer into a 2^n-bit string with a single 1 and (2^n − 1) 0's, and encoding is the reverse of decoding.
The substitution cipher can then be modeled as a permutation of 2^n objects, of which there are (2^n)!.

10 Substitution or Transposition
Full-size key substitution block cipher. Example 5.4: the model for a 3-bit block substitution cipher. There are (2^3)! = 8! = 40,320 possible mappings, so the key needs ⌈log2 40,320⌉ = 16 bits, much longer than the 3-bit key of the transposition cipher in Example 5.2.

11 Substitution or Transposition
A full-size key n-bit transposition cipher or substitution block cipher can each be modeled as a permutation, but their key sizes are different:
Transposition: the key is ⌈log2 n!⌉ bits long.
Substitution: the key is ⌈log2 (2^n)!⌉ bits long.
A partial-size key cipher is a group under the composition operation if it is a subgroup of the corresponding full-size key cipher.

12 Algebraic Structures
Cryptography requires sets of integers and specific operations defined on those sets. The combination of a set and the operations applied to its elements is called an algebraic structure.

13 Groups
A group (G) is a set of elements with a binary operation (•) that satisfies four properties (or axioms): closure, associativity, existence of identity, and existence of inverse. A commutative (or abelian) group satisfies an extra property, commutativity.

14 Groups
Closure: if a and b are elements of G, then c = a • b is also an element of G.
Associativity: if a, b and c are elements of G, then (a • b) • c = a • (b • c).
Commutativity: for all a and b in G, a • b = b • a.
Existence of identity: for all a in G, there exists an element e, called the identity element, such that e • a = a • e = a.
Existence of inverse: for each a in G, there exists an element a', called the inverse of a, such that a • a' = a' • a = e.

15 Groups

16 Groups
Example 4.2: The set of residue integers Zn = {0, 1, 2, …, n−1} with the addition operator, G = <Zn, +>, is a commutative group. Identity: 0. Inverse of a: −a mod n, that is, n − a for a ≠ 0.

17 Groups
Example 4.2 (continued): The set Zn* with the multiplication operator, G = <Zn*, ×>, is also an abelian group. Zn* is the subset of Zn containing the elements that have a multiplicative inverse, i.e. those coprime to n. Identity: 1. Inverse of a: found with the extended Euclidean algorithm.
Z13 = {0, 1, 2, …, 12}
Z13* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}

18 Groups
Example 4.3: Let us define a set G = <{a, b, c, d}, •> with the operation shown in Table 4.1. Identity: a. Inverses can be read from the table: (a, a), (b, d), (c, c), and therefore also (d, b).

19 Permutation Group
The set is the set of all permutations of a fixed collection of objects, and the operation is composition (∘): applying one permutation after another.

20 Permutation Group
Operation table for the permutation group on three objects. Identity: the permutation (1, 2, 3) that leaves every object in place. Inverses can be read from the table. The commutativity property is not satisfied, so this group is not abelian.

21 Permutation Group
A set of permutations with the composition operation is a group. By the closure property, applying two permutations one after another is the same as applying some single permutation, so chaining permutations cannot strengthen the security of a cipher.

22 Groups
Finite group: the set has a finite number of elements.
Order of a group, |G|: the number of elements in the group.
Subgroups: a subset H of a group G is a subgroup of G if H itself is a group with respect to the same operation as G. If G = <S, •> and H = <T, •> are both groups and T is a nonempty subset of S, then H is a subgroup of G.

23 Groups
Example: Is the group H = <Z10, +> a subgroup of the group G = <Z12, +>? No. Although the set of H is a subset of the set of G, the operations defined for the two groups are different: the operation in H is addition modulo 10 and the operation in G is addition modulo 12.

24 Groups
Cyclic subgroups: if a subgroup of a group can be generated using the powers of an element, the subgroup is called a cyclic subgroup. The power of an element means repeatedly applying the group operation to the element, with a^0 = e. The set made from this process is denoted by <a>.

25 Groups
Four cyclic subgroups can be made from the group G = <Z6, +>: H1 = <0> = {0}, H2 = <2> = {0, 2, 4}, H3 = <3> = {0, 3}, and H4 = <1> = <5> = G.

26 Groups
Cyclic subgroups made from the group G = <Z10*, ×>, where Z10* = {1, 3, 7, 9}: H1 = <1> = {1}, H2 = <9> = {1, 9}, and H3 = <3> = <7> = {1, 3, 7, 9} = G.

27 Groups
A cyclic group is a group that is its own cyclic subgroup. The element that generates the group itself is called a generator. If g is a generator, then the elements of a finite cyclic group of order n can be written as {e, g, g^2, …, g^(n−1)}.

28 Groups
The group G = <Z6, +> is a cyclic group with two generators, g = 1 and g = 5.
The group G = <Z10*, ×> is a cyclic group with two generators, g = 3 and g = 7.

29 Groups
Lagrange's Theorem: assume that G is a group and H is a subgroup of G. If the orders of G and H are |G| and |H|, respectively, then |H| divides |G|.
Order of an element, ord(a): the smallest positive integer n such that a^n = e. The order of an element is the order of the cyclic subgroup it generates, so by Lagrange's theorem it divides |G|.

30 Groups
Order of an element, ord(a), in the two groups above:
In G = <Z6, +>: ord(0) = 1, ord(1) = 6, ord(2) = 3, ord(3) = 2, ord(4) = 3, ord(5) = 6.
In G = <Z10*, ×>: ord(1) = 1, ord(3) = 4, ord(7) = 4, ord(9) = 2.
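Added example (Python, not part of the slides): the group facts from slides 16 to 30 computed rather than read off a table. It builds <Zn, +> and <Zn*, ×>, finds multiplicative inverses with the extended Euclidean algorithm, and computes element orders, cyclic subgroups and generators, then checks Lagrange's theorem. The class and function names are this example's own.

```python
from math import gcd


def ext_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def mul_inverse(a: int, n: int) -> int:
    """Multiplicative inverse of a in Zn*; a must be coprime to n."""
    g, s, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return s % n


def zn_star(n: int) -> list[int]:
    """Zn*: the elements of Zn that have a multiplicative inverse (coprime to n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


class FiniteGroup:
    """A finite group given by its elements, binary operation and identity."""

    def __init__(self, elements, op, identity):
        self.elements = list(elements)
        self.op = op
        self.e = identity

    def power(self, a, k: int):
        """a^k: apply the group operation to a, k times (a^0 = e)."""
        result = self.e
        for _ in range(k):
            result = self.op(result, a)
        return result

    def order(self, a) -> int:
        """ord(a): smallest k >= 1 with a^k = e."""
        k, x = 1, a
        while x != self.e:
            x, k = self.op(x, a), k + 1
        return k

    def cyclic_subgroup(self, a) -> list:
        """<a> = {a^0, a^1, ..., a^(ord(a)-1)}."""
        return sorted(self.power(a, k) for k in range(self.order(a)))

    def generators(self) -> list:
        """Elements whose cyclic subgroup is the whole group."""
        return [a for a in self.elements if self.order(a) == len(self.elements)]

    def inverse(self, a):
        """The a' with a • a' = e, found by search."""
        return next(b for b in self.elements if self.op(a, b) == self.e)

    def is_abelian(self) -> bool:
        return all(self.op(a, b) == self.op(b, a)
                   for a in self.elements for b in self.elements)

    def lagrange_holds(self) -> bool:
        """|<a>| divides |G| for every a (Lagrange's theorem on cyclic subgroups)."""
        return all(len(self.elements) % self.order(a) == 0 for a in self.elements)


def z_add(n: int) -> FiniteGroup:
    """<Zn, +>: addition modulo n, identity 0."""
    return FiniteGroup(range(n), lambda a, b: (a + b) % n, 0)


def z_star_mul(n: int) -> FiniteGroup:
    """<Zn*, x>: multiplication modulo n on the invertible residues, identity 1."""
    return FiniteGroup(zn_star(n), lambda a, b: (a * b) % n, 1)
```

z_add(6).generators() returns [1, 5] and z_star_mul(10).generators() returns [3, 7], matching slide 28; z_add(6).cyclic_subgroup(2) returns [0, 2, 4], the subgroup H2 of slide 25.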

31 Components of a Modern Block Cipher
Modern block ciphers are normally keyed substitution ciphers in which the key selects only a small subset of the possible mappings from inputs to outputs, rather than every one of the (2^n)! mappings a full-size key would allow.

32 Components of a Modern Block Cipher
P-Boxes: a P-box (permutation box) transposes bits in a block. It parallels the traditional transposition cipher for characters. There are three types of P-boxes: straight, compression and expansion.

33 Components of a Modern Block Cipher
P-Boxes: the 3! = 6 possible mappings of a 3 × 3 P-box, and an example of a permutation table for a straight P-box (entry i of the table gives the input position that is moved to output position i).

34 Components of a Modern Block Cipher
Compression P-Boxes: a P-box with n inputs and m outputs where m < n; some input bits are dropped. Example of a 32 × 24 permutation table.

35 Components of a Modern Block Cipher
Expansion P-Boxes: a P-box with n inputs and m outputs where m > n; some input bits are repeated. Example of a 12 × 16 permutation table.

36 Components of a Modern Block Cipher
Invertibility of P-Boxes: a straight P-box is invertible, but compression and expansion P-boxes are not.

37 Components of a Modern Block Cipher
Inverting a permutation table: for a straight P-box, the inverse table is built by swapping the roles of position and entry. If output position i is taken from input position j, then in the inverse table output position j is taken from input position i.

38 Components of a Modern Block Cipher
Compression and expansion P-boxes are non-invertible: a compression P-box discards bits that cannot be recovered, and an expansion P-box repeats bits, so no single permutation table maps the output back to the input.
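Added example (Python, not part of the slides): the three kinds of P-box driven by 1-indexed permutation tables like the ones in the figures, the table-inversion rule of slide 37, and a brute-force check of why only the straight box has an inverse P-box. The three tables are constructed for this example and are not taken from any real cipher.

```python
def apply_pbox(bits: str, table: list[int]) -> str:
    """Output position i takes input bit number table[i] (positions are 1-indexed,
    as in the slides' permutation tables). Works for straight, compression and
    expansion boxes alike: the table may drop or repeat input positions."""
    return "".join(bits[src - 1] for src in table)


def is_straight(table: list[int], n_inputs: int) -> bool:
    """A straight P-box uses every input position exactly once."""
    return sorted(table) == list(range(1, n_inputs + 1))


def invert_table(table: list[int]) -> list[int]:
    """Inverse table of a straight P-box: if output i came from input j, then in
    the inverse output j comes from input i."""
    if not is_straight(table, len(table)):
        raise ValueError("only a straight P-box (a permutation) has an inverse table")
    inverse = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse


def find_collision(table: list[int], n_inputs: int):
    """Two distinct inputs with the same output, or None if the box is one-to-one.
    A compression box always collides: flip a bit the table never reads."""
    seen = {}
    for x in range(2 ** n_inputs):
        inp = format(x, f"0{n_inputs}b")
        out = apply_pbox(inp, table)
        if out in seen:
            return seen[out], inp
        seen[out] = inp
    return None


def has_inverse_pbox(table: list[int], n_inputs: int) -> bool:
    """A P-box can be undone by another P-box only if it is a bijection on blocks
    of one size: as many outputs as inputs, and no two inputs colliding. Expansion
    boxes fail the first test (repeated bits), compression boxes fail the second."""
    return len(table) == n_inputs and find_collision(table, n_inputs) is None


# Constructed tables for this example (not from any real cipher)
STRAIGHT_3 = [3, 1, 2]        # 3 x 3: output 1 <- input 3, output 2 <- input 1, output 3 <- input 2
COMPRESSION_3_2 = [2, 3]      # 3 inputs, 2 outputs: input 1 is dropped
EXPANSION_3_4 = [1, 2, 2, 3]  # 3 inputs, 4 outputs: input 2 is repeated
```

invert_table(STRAIGHT_3) returns [2, 3, 1], and applying the two tables in sequence returns every 3-bit block unchanged; find_collision(COMPRESSION_3_2, 3) returns the pair "000" and "100", which differ only in the bit the compression box throws away.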

39 S-Box
An S-box (substitution box) can be thought of as a miniature substitution cipher. An S-box is an n × m substitution unit with n input bits and m output bits, where n and m are not necessarily the same.

40 S-Box
In an S-box with n inputs (x1, x2, …, xn) and m outputs (y1, y2, …, ym), the relationship between the inputs and outputs is represented as
y1 = f1(x1, x2, …, xn)
y2 = f2(x1, x2, …, xn)
…
ym = fm(x1, x2, …, xn)

41 S-Box
Linear S-boxes: the relationship between the inputs and outputs is represented as
y1 = a1,1 x1 ⊕ a1,2 x2 ⊕ … ⊕ a1,n xn
y2 = a2,1 x1 ⊕ a2,2 x2 ⊕ … ⊕ a2,n xn
…
ym = am,1 x1 ⊕ am,2 x2 ⊕ … ⊕ am,n xn
where each coefficient ai,j is 0 or 1 and ⊕ is addition in GF(2), so the S-box is an m × n matrix of coefficients applied to the input vector.

42 S-Box Examples
Example: a linear S-box with three inputs and two outputs whose two output equations (shown in the figure) can be represented by a 2 × 3 coefficient matrix over GF(2).

43 S-Box Examples
Example: an S-box with three inputs and two outputs whose output equations (shown in the figure) contain products of input bits, where multiplication and addition are in GF(2). The S-box is nonlinear because there is no linear relationship between the inputs and the outputs.

44 S-Box Examples
Example: an S-box of size 3 × 2, where the substitutions are defined by the table in the figure. Mapping: 010 → 01, 101 → 00.

45 S-Box Invertibility
An S-box may or may not be invertible. In an invertible S-box, the number of input bits must be the same as the number of output bits, and the mapping must be one-to-one.

46 S-Box Examples
Example: an invertible 3 × 3 S-box. The two tables in the figure, one for encryption and one for decryption, are inverses of each other.
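Added example (Python, not part of the slides): S-boxes as lookup tables, covering slides 41 to 46. It builds a linear S-box from a GF(2) coefficient matrix, tests an arbitrary table for exact linearity (S(0) = 0 and S(a ⊕ b) = S(a) ⊕ S(b)), checks invertibility, and produces the decryption table of an invertible S-box. The three tables are constructed for this example, not the textbook's.

```python
def sbox_from_matrix(matrix: list[list[int]]) -> list[int]:
    """Linear S-box from an m x n GF(2) matrix: y_i = XOR_j a_ij * x_j.
    Inputs and outputs are integers with x1 / y1 of the slides as the MSB."""
    n = len(matrix[0])
    table = []
    for x in range(2 ** n):
        x_bits = [(x >> (n - 1 - j)) & 1 for j in range(n)]
        y = 0
        for row in matrix:
            y_i = 0
            for a, b in zip(row, x_bits):
                y_i ^= a & b
            y = (y << 1) | y_i
        table.append(y)
    return table


def is_linear(table: list[int]) -> bool:
    """Exact GF(2) linearity: S(0) = 0 and S(a xor b) = S(a) xor S(b) for all a, b.
    Any table from sbox_from_matrix passes; a nonlinear table fails on some pair."""
    size = len(table)
    if table[0] != 0:
        return False
    return all(table[a ^ b] == table[a] ^ table[b]
               for a in range(size) for b in range(size))


def is_invertible(table: list[int], out_bits: int) -> bool:
    """Invertible iff input width == output width and the mapping is one-to-one."""
    in_bits = len(table).bit_length() - 1
    return (2 ** in_bits == len(table) and out_bits == in_bits
            and len(set(table)) == len(table) and max(table) < 2 ** out_bits)


def invert_sbox(table: list[int], out_bits: int) -> list[int]:
    """Decryption table of an invertible S-box: inverse[S(x)] = x."""
    if not is_invertible(table, out_bits):
        raise ValueError("S-box is not invertible")
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return inverse


# Constructed tables for this example (index = input value, entry = output value)
LINEAR_3x2 = sbox_from_matrix([[1, 1, 1],     # y1 = x1 xor x2 xor x3
                               [1, 0, 0]])    # y2 = x1
NONLINEAR_3x2 = [0, 3, 1, 2, 3, 1, 2, 0]      # 3 inputs, 2 outputs, not linear
INVERTIBLE_3x3 = [7, 5, 1, 0, 4, 6, 2, 3]     # a permutation of 0..7
```

Both 3 × 2 tables fail is_invertible because two inputs must share each 2-bit output; the 3 × 3 table passes, and invert_sbox returns [3, 2, 6, 7, 4, 1, 5, 0], the decryption table that undoes it.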

47 Exclusive-Or
An important component in most block ciphers is the exclusive-or operation. Exclusive-or is closed, associative and commutative; its identity is the all-zero word 00…0, and the inverse of x is x itself.

48 Exclusive-Or
Exclusive-or is invertible: y = x ⊕ k is undone by x = y ⊕ k, because k ⊕ k = 00…0.

49 Circular Shift
Another component found in some modern block ciphers is the circular shift operation: every bit moves k positions to the left (or right), and the bits pushed out at one end re-enter at the other. Example in the figure.

50 Circular Shift
Swap: the swap operation is a special case of the circular shift operation where k = n/2, so the left and right halves of the block exchange places. Example in the figure.

51 Split and Combine Two other operations found in some block ciphers are split and combine

52 Product Ciphers Shannon introduced the concept of a product cipher
A product cipher is a complex cipher combining substitution, permutation, and other components discussed in previous sections

53 Product Ciphers
Diffusion is to hide the relationship between the ciphertext and the plaintext.
Confusion is to hide the relationship between the ciphertext and the key.

54 Product Ciphers Rounds
Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components

55 Product Ciphers A product cipher with two rounds

56 Product Ciphers
Diffusion (tracing plaintext bit p8 through the two-round cipher of the figure): p8 affects bits 2 and 4 after round 1, and bits 1, 3, 6 and 7 after round 2.
Confusion (tracing key bit k3 of K1): k3 affects bits 3 and 7 after round 1, and bits 2, 3, 4 and 7 after round 2.

57 Product Ciphers
Modern block ciphers are all product ciphers, but they are divided into two classes:
Feistel ciphers: ciphers that have both invertible and non-invertible components.
Non-Feistel ciphers: ciphers that have only invertible components.

58 Feistel Ciphers
Feistel structure (basic): the mixer combines a non-invertible function f with an exclusive-or. Because exclusive-or is self-inverse, XORing f(K) a second time cancels it during decryption, so f itself never has to be inverted.

59 Feistel Ciphers
Example 5.12: The plaintext and ciphertext are each 4 bits long and the key is 3 bits long. Assume that the function f takes the first and third bits of the key, interprets these two bits as a 2-bit number, squares the number, and interprets the result as a 4-bit binary pattern. With K = 101 the two bits are 11 = 3, so f(K) = 9 = 1001. For P = 0111, C = P ⊕ f(K) = 0111 ⊕ 1001 = 1110, and decryption recovers P = C ⊕ f(K) = 1110 ⊕ 1001 = 0111.

60 Feistel Ciphers
Feistel structure (enhanced): we can make the mixer more complex by splitting the block so that f takes part of the plaintext (the right half) as well as the key, and by adding keyless components such as swaps. The input to f must be exactly the same in encryption and decryption, which the half that passes through unchanged guarantees.

61 Feistel Ciphers Feistel structure with two rounds
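Added example (Python, not part of the slides): the keyed mixer of Example 5.12 exactly as described, and then the two-round split-and-swap Feistel structure of slides 60 and 61 built on the same idea. The 8-bit block size, the round function (R² + K) mod 16 and the round keys are this example's own constructions; the point is that f is not invertible, yet decryption is just encryption with the round keys reversed.

```python
def f_example_5_12(key: int) -> int:
    """Example 5.12's f: take the first and third bits of the 3-bit key, read
    them as a 2-bit number, square it, and keep the result as a 4-bit pattern."""
    first, third = (key >> 2) & 1, key & 1
    value = (first << 1) | third
    return (value * value) & 0xF


def mixer_encrypt(p: int, key: int) -> int:
    """Basic Feistel mixer: C = P xor f(K)."""
    return p ^ f_example_5_12(key)


def mixer_decrypt(c: int, key: int) -> int:
    """Same operation: exclusive-or is self-inverse, so f is never inverted."""
    return c ^ f_example_5_12(key)


def round_function(right: int, round_key: int) -> int:
    """Constructed non-invertible f on a 4-bit half: (R^2 + K) mod 16 sends
    several R values to the same output, so it has no inverse."""
    return (right * right + round_key) & 0xF


def feistel_encrypt(block: int, round_keys: list[int]) -> int:
    """8-bit two-half Feistel cipher: L_i = R_(i-1), R_i = L_(i-1) xor f(R_(i-1), K_i).
    The final swap is undone so that decryption is encryption with reversed keys."""
    left, right = (block >> 4) & 0xF, block & 0xF
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)   # mix, then swap
    return (right << 4) | left


def feistel_decrypt(block: int, round_keys: list[int]) -> int:
    """Run the same network with the round keys in reverse order."""
    return feistel_encrypt(block, list(reversed(round_keys)))


ROUND_KEYS = [0x3, 0xB]   # constructed round keys K1, K2 for the two-round demo
```

With ROUND_KEYS, feistel_encrypt(0x5A) gives 0x52 and feistel_decrypt(0x52) returns 0x5A; the round trip holds for all 256 blocks even though round_function(1, 0) and round_function(15, 0) are both 1.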

62 Non-Feistel Ciphers
Non-Feistel structure: a non-Feistel cipher uses only invertible components. Each component in the encryption cipher has a corresponding inverse component in the decryption cipher.

63 Attacks on Block Ciphers
Differential Cryptanalysis: proposed by Eli Biham and Adi Shamir. It is a chosen-plaintext attack. It analyzes the structure of the encryption algorithm, specifically how differences between pairs of plaintexts propagate to differences between the corresponding ciphertexts, and uses this to recover the encryption key.

64 Attacks on Block Ciphers
Differential Cryptanalysis, Example 5.13: assume that the cipher is made of only one exclusive-or operation, C = P ⊕ K. Without knowing the value of the key, Eve can easily find the relationship between plaintext differences (P1 ⊕ P2) and ciphertext differences (C1 ⊕ C2): C1 ⊕ C2 = (P1 ⊕ K) ⊕ (P2 ⊕ K) = P1 ⊕ P2, so the key cancels completely.

65 Attacks on Block Ciphers
Differential Cryptanalysis, Example 5.13: an S-box is added between the exclusive-or and the output to make it hard to find the relationship between plaintext differences and ciphertext differences. Even so, the attacker can establish a probabilistic relationship.

66 Attacks on Block Ciphers
Differential Cryptanalysis, Example 5.13: the probabilistic relationship between plaintext differences and ciphertext differences is expressed through the S-box input difference ΔX = X1 ⊕ X2, where X = P ⊕ K; since the key cancels, ΔX = P1 ⊕ P2.

67 Attacks on Block Ciphers
Differential Cryptanalysis, Example 5.13: the attacker tabulates the probabilistic relationship as a differential distribution table (XOR profile). For each input difference ΔX = X1 ⊕ X2, the table counts how many of the possible inputs produce each output difference.

68 Attacks on Block Ciphers
Differential Cryptanalysis, Example 5.13, launching a chosen-plaintext attack: Eve chooses plaintext pairs whose difference has the highest probability in the differential distribution table. For example, Eve knows that if P1 ⊕ P2 = 001, then C1 ⊕ C2 = 11 with probability 0.50 (50 percent).
Guessing the key value: she tries C1 = 00 and gets P1 = 010 (a chosen-ciphertext query), and also tries C2 = 11 and gets P2 = 011 (another chosen-ciphertext query).

69 Attacks on Block Ciphers
Differential Cryptanalysis, Example 5.13, guessing the key value: now she works backward from the first pair, P1 and C1, through the S-box to the possible inputs X1 and hence the possible keys K = P1 ⊕ X1. The two tests narrow the key to K = 011 or K = 101. When X1 = 101, (P1 ⊕ P2) = (X1 ⊕ X2) = 001 cannot hold for either possible value of X2 (000 or 110), so that case is dropped.

70 Attacks on Block Ciphers
Differential Cryptanalysis: differential cryptanalysis is based on a nonuniform differential distribution table of the S-boxes in a block cipher; an S-box whose table is close to uniform gives the attacker no high-probability differential to exploit. A more detailed differential cryptanalysis is given in Appendix N.
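Added example (Python, not part of the slides): the attack sketched in Example 5.13 run end to end on a toy cipher of the same shape, C = S(P ⊕ K), using a 3-input/2-output S-box constructed for this example (not the textbook's S-box, so its table and the key values differ from the slides). It builds the differential distribution table, picks the most probable differential, filters key candidates using only the ciphertext differences of chosen-plaintext pairs, and finally confirms the key against the actual ciphertexts.

```python
from collections import Counter

SBOX = [1, 0, 3, 2, 0, 3, 1, 2]   # constructed 3-in/2-out S-box: index = 3-bit input
N_IN = 3


def encrypt(p: int, k: int) -> int:
    """Toy cipher with the shape of Example 5.13: C = S(P xor K)."""
    return SBOX[p ^ k]


def ddt() -> dict[int, Counter]:
    """Differential distribution table (XOR profile):
    ddt()[dx][dy] = number of inputs x with S(x) xor S(x xor dx) == dy."""
    table = {dx: Counter() for dx in range(2 ** N_IN)}
    for dx in range(2 ** N_IN):
        for x in range(2 ** N_IN):
            table[dx][SBOX[x] ^ SBOX[x ^ dx]] += 1
    return table


def best_differential() -> tuple[int, int, float]:
    """Highest-probability (dx, dy) with dx != 0; probability = count / 2^n."""
    dx, dy, count = max(((dx, dy, c) for dx, row in ddt().items() if dx
                         for dy, c in row.items()), key=lambda t: t[2])
    return dx, dy, count / 2 ** N_IN


def chosen_pairs(secret_key: int, dx: int) -> list[tuple[int, int, int, int]]:
    """Chosen-plaintext queries: Eve picks P1 and P2 = P1 xor dx and obtains both
    ciphertexts. Each unordered pair is queried once."""
    return [(p1, p1 ^ dx, encrypt(p1, secret_key), encrypt(p1 ^ dx, secret_key))
            for p1 in range(2 ** N_IN) if p1 < p1 ^ dx]


def difference_candidates(pairs) -> set[int]:
    """Keys consistent with every observed ciphertext difference. K and K xor dx
    always survive together: they feed the S-box the same pair of inputs."""
    keys = set(range(2 ** N_IN))
    for p1, p2, c1, c2 in pairs:
        keys = {k for k in keys if SBOX[p1 ^ k] ^ SBOX[p2 ^ k] == c1 ^ c2}
    return keys


def confirm(candidates: set[int], pairs) -> set[int]:
    """Final step: keep only keys that reproduce the actual ciphertext values."""
    return {k for k in candidates
            if all(SBOX[p1 ^ k] == c1 and SBOX[p2 ^ k] == c2
                   for p1, p2, c1, c2 in pairs)}


def attack(secret_key: int, dx: int) -> tuple[set[int], set[int]]:
    """Returns (keys surviving the difference filter, keys confirmed by values)."""
    pairs = chosen_pairs(secret_key, dx)
    survivors = difference_candidates(pairs)
    return survivors, confirm(survivors, pairs)
```

For this S-box the best differential holds with probability 0.5, as in the slides' example. With secret key 101 and input difference 001, the difference filter alone leaves {100, 101, 110, 111}; the ciphertext values then single out 101.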

71 Attacks on Block Ciphers
Linear Cryptanalysis was presented by Mitsuru Matsui in 1993. The analysis uses known-plaintext attacks. If an S-box is a linear transformation, each output bit is a linear function of the input bits, so each ciphertext bit is a linear function of plaintext and key bits, and a few known plaintext/ciphertext pairs give linear equations that can be solved for the key bits. Example 5.14:

72 Attacks on Block Ciphers
Linear Cryptanalysis, Example 5.20: solving the key bits. Real block ciphers are more complex and their S-boxes are usually not linear; the attack then relies on linear approximations that hold with a probability noticeably different from 1/2.
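Added example (Python, not part of the slides): linear cryptanalysis on the toy cipher C = S(P ⊕ K) with two 3 × 3 S-boxes constructed for this example, one linear and one not. It computes the linear approximation table (the bias of a·x = b·S(x) for every pair of bit masks), shows that the linear S-box has exact relations (bias 1/2) while the nonlinear one only has biased approximations (bias 1/4 at best), and recovers each key bit from known plaintext/ciphertext pairs. This is the "solving key bits" step done for this toy cipher rather than for the textbook's Example 5.20; the masks and function names are this example's own.

```python
N = 3

# Constructed S-boxes for this example (index = 3-bit input, entry = 3-bit output)
LINEAR_SBOX = [0, 3, 6, 5, 4, 7, 2, 1]       # y2 = x2 xor x1, y1 = x1 xor x0, y0 = x0
NONLINEAR_SBOX = [0, 1, 3, 6, 7, 4, 5, 2]    # no output mask is an exact linear function of the input


def parity(v: int) -> int:
    """Parity of the bits selected by a mask (the dot product a.x over GF(2))."""
    return bin(v).count("1") & 1


def bias(sbox, a: int, b: int) -> float:
    """Bias of the approximation a.x == b.S(x): (fraction of x where it holds) - 1/2.
    +-1/2 means an exact linear relation; 0 means no linear correlation."""
    agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(2 ** N))
    return agree / 2 ** N - 0.5


def lat(sbox) -> dict[tuple[int, int], float]:
    """Linear approximation table over all nonzero input and output masks."""
    return {(a, b): bias(sbox, a, b) for a in range(1, 2 ** N) for b in range(1, 2 ** N)}


def max_abs_bias(sbox) -> float:
    return max(abs(v) for v in lat(sbox).values())


def best_output_mask(sbox, a: int) -> int:
    """Output mask b whose approximation with input mask a is most biased."""
    return max(range(1, 2 ** N), key=lambda b: abs(bias(sbox, a, b)))


def known_pairs(sbox, key: int) -> list[tuple[int, int]]:
    """Known-plaintext data for C = S(P xor K); here the whole codebook."""
    return [(p, sbox[p ^ key]) for p in range(2 ** N)]


def recover_key(sbox, pairs) -> int:
    """Because a.P = a.X xor a.K, the relation a.P == b.C holds with the S-box's
    own bias when a.K = 0 and with the opposite sign when a.K = 1. Using a unit
    mask for a, the sign of the observed bias reveals one key bit."""
    key = 0
    for bit in range(N):
        a = 1 << bit
        b = best_output_mask(sbox, a)
        expected = bias(sbox, a, b)
        agree = sum(parity(a & p) == parity(b & c) for p, c in pairs)
        observed = agree / len(pairs) - 0.5
        if observed != 0 and (observed < 0) != (expected < 0):
            key |= a          # sign flipped, so a.K = 1
    return key
```

With the full codebook the observed bias is exactly ±expected and every key is recovered; with fewer known pairs the sign is a statistical estimate, and the number of pairs needed grows as the bias shrinks, which is why S-boxes with small maximum bias are preferred.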

73 Modern Stream Ciphers
Stream ciphers encrypt and decrypt bit by bit or character by character. In a modern stream cipher, encryption and decryption are done r bits at a time: a plaintext bit stream P = pn … p2 p1, a ciphertext bit stream C = cn … c2 c1, and a key bit stream K = kn … k2 k1, in which pi, ci and ki are r-bit words. There are two kinds: synchronous stream ciphers and nonsynchronous stream ciphers.

74 Modern Stream Ciphers
Stream ciphers: synchronous stream ciphers and nonsynchronous stream ciphers (figure).

75 Modern Stream Ciphers
Synchronous stream ciphers: the key stream is independent of the plaintext and the ciphertext. The one-time pad is the simplest example: a random key stream, used once, is combined with the plaintext by exclusive-or.

76 Modern Stream Ciphers
Synchronous stream ciphers, Example 5.17: what is the pattern in the ciphertext of a one-time pad cipher in each of the following cases?
(a) The plaintext is made of n 0's.
(b) The plaintext is made of n 1's.
(c) The plaintext is made of alternating 0's and 1's.
(d) The plaintext is a random string of bits.

77 Modern Stream Ciphers
Solution (a): Because 0 ⊕ ki = ki, the ciphertext stream is the same as the key stream. If the key stream is random, the ciphertext is also random. The patterns in the plaintext are not preserved in the ciphertext.

78 Modern Stream Ciphers
Solution (b): Because 1 ⊕ ki is the complement of ki, the ciphertext stream is the complement of the key stream. If the key stream is random, the ciphertext is also random. Again the patterns in the plaintext are not preserved in the ciphertext.

79 Modern Stream Ciphers
Solution (c): In this case, each bit in the ciphertext stream is either the same as the corresponding bit in the key stream or its complement. Therefore the result is also a random string if the key stream is random.
Solution (d): In this case the ciphertext is also random, because the exclusive-or of a random bit with any bit results in a random bit.

80 Modern Stream Ciphers
Feedback shift register (FSR): consists of m cells holding one bit each. The cells are initialized to an m-bit value (the seed). Whenever an output bit is needed, every bit is shifted one cell to the right: the rightmost bit b0 is output, and the leftmost cell is filled with a new bit bm computed from the current cell values by the feedback function.

81 Modern Stream Ciphers
Linear FSR (LFSR): bm is a linear function of bm−1, …, b1, b0:
bm = cm−1 bm−1 + … + c2 b2 + c1 b1 + c0 b0 (mod 2), with c0 ≠ 0
or equivalently
bm = cm−1 bm−1 ⊕ … ⊕ c2 b2 ⊕ c1 b1 ⊕ c0 b0, with c0 ≠ 0
where each coefficient ci is 0 or 1, so the new bit is the exclusive-or of the tapped cells.

82 Modern Stream Ciphers
Linear FSR, Example 5.18: Create a linear feedback shift register with 5 cells in which b5 = b4 ⊕ b2 ⊕ b0.

83 Modern Stream Ciphers
Linear FSR, Example 5.19: Create a linear feedback shift register with 4 cells in which b4 = b1 ⊕ b0. Show the value of the output for 20 transitions (shifts) if the seed is (0001).

84 Modern Stream Ciphers
Linear FSR: cell values and key sequence for Example 5.19. Note that the key stream is …. This looks like a random sequence at first glance, but if we go through more transitions we see that the sequence is periodic: it is a repetition of 15 bits, as shown in the figure.

85 Modern Stream Ciphers
Linear FSR: the key stream generated by an LFSR is a pseudorandom sequence that repeats after N bits. The maximum period of an m-cell LFSR is 2^m − 1 (the all-zero state never occurs, since it would reproduce itself forever).

86 Modern Stream Ciphers
Non-linear FSR (NLFSR): has the same structure as an LFSR except that bm is a non-linear function of bm−1, …, b1, b0. For example: b4 = (b3 AND b2) OR (b1 AND b0). Finding an NLFSR that has the maximum period is difficult.
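Added example (Python, not part of the slides): a feedback shift register that accepts any feedback function, run first as the LFSR of Example 5.19 (b4 = b1 ⊕ b0, seed 0001) and then as the NLFSR of slide 86. It measures the period the slides describe, and then uses the LFSR output as the key stream of a synchronous stream cipher (slides 73 to 79) to show what a short period costs: once the key stream wraps, ciphertext bits one period apart XOR to the corresponding plaintext bits. The 30-bit plaintext is constructed for this demo.

```python
from typing import Callable, Sequence

Feedback = Callable[[Sequence[int]], int]


def lfsr_example_5_19(cells: Sequence[int]) -> int:
    """Example 5.19: b4 = b1 xor b0. Cells are stored as [b3, b2, b1, b0]."""
    return cells[2] ^ cells[3]


def nlfsr_slide_86(cells: Sequence[int]) -> int:
    """Slide 86: b4 = (b3 AND b2) OR (b1 AND b0)."""
    return (cells[0] & cells[1]) | (cells[2] & cells[3])


def fsr_stream(seed: Sequence[int], feedback: Feedback, count: int) -> list[int]:
    """Run a feedback shift register: each transition outputs b0, shifts every
    cell one place to the right and fills the leftmost cell with feedback(cells)."""
    cells = list(seed)
    out = []
    for _ in range(count):
        out.append(cells[-1])
        cells = [feedback(cells)] + cells[:-1]
    return out


def state_period(seed: Sequence[int], feedback: Feedback) -> int:
    """Length of the state cycle the register eventually enters from seed
    (at most 2^m - 1 for an m-cell LFSR; 1 means it is stuck at a fixed point)."""
    cells = tuple(seed)
    first_seen = {}
    step = 0
    while cells not in first_seen:
        first_seen[cells] = step
        cells = (feedback(cells),) + cells[:-1]
        step += 1
    return step - first_seen[cells]


def xor_stream(bits: Sequence[int], key_bits: Sequence[int]) -> list[int]:
    """Synchronous stream cipher: c_i = p_i xor k_i (decryption is the same call)."""
    return [p ^ k for p, k in zip(bits, key_bits)]


def reuse_leak(ciphertext: Sequence[int], period: int) -> list[int]:
    """Once the key stream wraps, C[i] xor C[i+period] == P[i] xor P[i+period]:
    the key bits cancel and plaintext relationships leak to Eve."""
    return [ciphertext[i] ^ ciphertext[i + period] for i in range(len(ciphertext) - period)]


SEED = [0, 0, 0, 1]   # Example 5.19's seed 0001 as [b3, b2, b1, b0]
# Constructed 30-bit plaintext, twice the LFSR's period so the key stream repeats inside it
PLAINTEXT = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1,
             0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0]


def demo() -> dict:
    """Encrypt the constructed plaintext with the Example 5.19 key stream and
    report the period, that decryption works, and that the wrap-around leaks."""
    key_stream = fsr_stream(SEED, lfsr_example_5_19, len(PLAINTEXT))
    ciphertext = xor_stream(PLAINTEXT, key_stream)
    period = state_period(SEED, lfsr_example_5_19)
    expected_leak = [PLAINTEXT[i] ^ PLAINTEXT[i + period]
                     for i in range(len(PLAINTEXT) - period)]
    return {
        "period": period,
        "decrypts": xor_stream(ciphertext, key_stream) == PLAINTEXT,
        "leak_matches_plaintext": reuse_leak(ciphertext, period) == expected_leak,
    }
```

The LFSR reaches the maximum period 15 = 2^4 − 1 from seed 0001, so bits 16 to 30 of the key stream repeat bits 1 to 15. The NLFSR of slide 86, by contrast, falls into the all-zero (or all-one) fixed point after a few transitions from the same seed, which is the difficulty the slide refers to.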

