
BITS F463

CRYPTOGRAPHY

Introduction to Modern Symmetric-key Ciphers

Ashutosh Bhatia
BITS Pilani
ashutosh.bhatia@pilani.bits-pilani.ac.in
Objectives
• To introduce modern block ciphers and discuss their characteristics
• To introduce the components of block ciphers such as P-Box and S-Box
MODERN BLOCK CIPHERS
A symmetric-key modern block cipher encrypts an n-bit block of plaintext or decrypts an n-bit block of ciphertext. The encryption or decryption algorithm uses a k-bit key.
Substitution or Transposition
A modern block cipher can be designed to act as a substitution cipher or a transposition cipher. To be resistant to an exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher.
Example
Suppose that we have a block cipher where n = 64. If there are 10 1’s in the ciphertext, how many trial-and-error tests does Eve need to do to recover the plaintext from the intercepted ciphertext in each of the following cases?
a. The cipher is designed as a substitution cipher.
b. The cipher is designed as a transposition cipher.
Solution
a. In the first case, Eve has no idea how many 1’s are in the plaintext. Eve needs to try all 2^64 possible 64-bit blocks to find one that makes sense.
b. In the second case, Eve knows that there are exactly 10 1’s in the plaintext, because transposition does not change the number of 1’s (or 0’s) in the ciphertext. Eve can launch an exhaustive-search attack using only those 64-bit blocks that have exactly 10 1’s.
Note: to be resistant to an exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher.
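To make the counting in this example concrete, here is an added Python illustration (not part of the original slides): a random full-size transposition key is applied to a constructed 64-bit block with ten 1’s, showing that the Hamming weight survives transposition and that Eve's candidate set shrinks from 2^64 to C(64,10). Function names are my own.

```python
import math
import secrets

N = 64  # block size n in bits, as in the example above

def make_transposition_key(n=N):
    """A full-size transposition key is one of the n! permutations of the bit positions."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):              # Fisher-Yates shuffle with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def transpose(block, perm, n=N):
    """Move input bit i to output position perm[i]; bits are only relocated, never changed."""
    out = 0
    for i in range(n):
        if (block >> i) & 1:
            out |= 1 << perm[i]
    return out

def hamming_weight(block):
    return bin(block).count("1")

def candidate_plaintexts(n, ones=None):
    """How many n-bit blocks Eve must consider: all 2^n when the number of 1's is unknown
    (substitution cipher), only C(n, ones) when transposition has leaked it."""
    return 2 ** n if ones is None else math.comb(n, ones)

def demo():
    plaintext = 0x3FF << 20                   # constructed sample block with exactly ten 1's
    ciphertext = transpose(plaintext, make_transposition_key())
    leaked = hamming_weight(ciphertext)       # equals the plaintext weight: 10
    return leaked, candidate_plaintexts(N), candidate_plaintexts(N, leaked)

if __name__ == "__main__":
    leaked, full, reduced = demo()
    print(f"weight leaked by transposition: {leaked}")
    print(f"substitution search space: {full:,}   transposition search space: {reduced:,}")
```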
Full-Size Key Transposition Block Ciphers
In a full-size key transposition cipher we need to have n! possible keys, so the key should have log2 n! bits.

Example
Show the model and the set of permutation tables for a 3-bit block transposition cipher.

Solution
The set of permutation tables has 3! = 6 elements.

(Figure: A transposition block cipher)
Full-Size Key Substitution Block Ciphers
A full-size key substitution cipher does not transpose bits; it substitutes bits. We can model the substitution cipher as a permutation if we can decode the input and encode the output. In a full-size key substitution cipher we need to have (2^n)! possible keys, so the key should have log2 (2^n)! bits.
Example
Show the model and the set of permutation tables for a 3-bit block substitution cipher.

Solution
The set of permutation tables has 8! = 40,320 elements, so the key is also much longer: ⌈log2 40,320⌉ = 16 bits.

(Figure: A substitution block cipher modelled as a permutation)
Permutation Group
A full-size key transposition or substitution cipher is a permutation group, i.e. its set of permutations is closed under the composition operation.
Partial Key Ciphers
• Actual ciphers cannot be full-size key ciphers: the number of bits required in the key for a 64-bit full-size key cipher is 2^70
• All practical ciphers use a much smaller key size and hence cover only a fraction of the total mapping
• Is a partial-key cipher a permutation group? Yes, if it is a subgroup of the corresponding full-size key cipher
• Only partial-key ciphers that are not permutation groups can be combined to make a more secure cipher
• Most of the classical ciphers, such as substitution and shift ciphers, are permutation groups
Keyless Cipher
• Not useful alone, but used within keyed ciphers
• Keyless Transposition Cipher (P-boxes or D-boxes): fixed-key transposition
  o Used to achieve diffusion (discussed later)
• Keyless Substitution Cipher (S-boxes): fixed-key substitution
  o Used to achieve confusion (discussed later)
Components of a Modern Block Cipher

Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mappings from the possible inputs to the possible outputs.
P-Boxes or D-boxes
A P-box (permutation box) parallels the traditional transposition cipher for characters. It transposes bits. A straight P-box is invertible, but compression and expansion P-boxes are not.
S-Boxes
An S-box (substitution box) can be thought of as a miniature substitution cipher. An S-box is an m × n substitution unit, where m and n are not necessarily the same. An S-box could be linear or non-linear.
Circular Shift
Another component found in some modern block ciphers is the circular shift operation.

(Figure: Circular shifting an 8-bit word to the left or right)

Swap
The swap operation is a special case of the circular shift operation where k = n/2.
Diffusion and Confusion
Terms introduced by Claude Shannon
Confusion: seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, so that even if the attacker can get some handle on the statistics of the ciphertext it would be difficult to deduce the key.

Diffusion: the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits.

Product Cipher
• The concept was introduced by Shannon
• A product cipher combines substitution, permutation and other components
• Rounds: diffusion and confusion can be introduced using an iterated product cipher
• Each round uses a different key generated by a key scheduler

(Figure: A product cipher made of two rounds, showing the round keys K1, K2 and K3)
Feistel Cipher
• Feistel proposed the use of a cipher that alternates substitutions and permutations
• Substitutions: each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements
• Permutations: no elements are added, deleted or replaced in the sequence; rather, the order in which the elements appear in the sequence is changed
• Is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions
• Is the structure used by many significant symmetric block ciphers currently in use
Feistel Network: Core Idea
• Partition the input block into two halves
• Process them through multiple rounds, where each round:
  o performs a substitution on the left data half
  o based on a round function of the right half and the subkey
  o then has a permutation swapping the halves

(Figure: d-round Feistel network on a 2n-bit block, from input (L0, R0) through f_k1, f_k2, …, f_kd to output (Ld, Rd))
Feistel network is invertible

Claim: for all f_k1, …, f_kd: {0,1}^n ⟶ {0,1}^n, the Feistel network F: {0,1}^{2n} ⟶ {0,1}^{2n} is invertible.

Proof: construct the inverse. One round maps (L_{i-1}, R_{i-1}) to (L_i, R_i) by

R_i = f_{k_i}(R_{i-1}) ⊕ L_{i-1}
L_i = R_{i-1}

Given (L_i, R_i), the round is undone without ever inverting f_i:

R_{i-1} = L_i
L_{i-1} = f_i(L_i) ⊕ R_i

(Figure: decryption circuit, taking (Ld, Rd) back to (L0, R0) through f_d, f_{d-1}, …, f_1)
• Inversion is basically the same circuit, with f1, …, fd applied in reverse order
• General method for building invertible functions (block ciphers) from arbitrary functions
• Used in many block ciphers such as Blowfish, but not in AES

“Thm” (Luby-Rackoff ’85): if f: K × {0,1}^n ⟶ {0,1}^n is a secure PRF, then the 3-round Feistel network F: K^3 × {0,1}^{2n} ⟶ {0,1}^{2n} is a secure PRP.

(Figure: 3-round Feistel network from input (L0, R0) to output (L3, R3), with f applied in each round under its own key)
Abstractly: PRPs and PRFs
• Pseudo Random Function (PRF) defined over (K,X,Y):
F: K × X ⟶ Y
such that there exists an “efficient” algorithm to evaluate F(k,x)

• Pseudo Random Permutation (PRP) defined over (K,X):
E: K × X ⟶ X
such that:
1. There exists an “efficient” deterministic algorithm to evaluate E(k,x)
2. The function E(k, ·) is one-to-one
3. There exists an “efficient” inversion algorithm D(k,y)
Secure PRFs
• Let F: K × X ⟶ Y be a PRF
Funs[X,Y]: the set of all functions from X to Y

S_F = { F(k,·) s.t. k ∈ K } ⊆ Funs[X,Y]

• Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in S_F

(Figure: S_F drawn as a small subset of Funs[X,Y]; Funs[X,Y] has size |Y|^|X|, S_F has size at most |K|)
(Figure: the distinguishing game: the challenger either picks f ← Funs[X,Y] or picks k ← K and answers with F(k,·); the adversary submits queries x ∈ X, receives f(x) or F(k,x), and must tell which case it is in)
Secure PRPs (secure block cipher)
• Let E: K × X ⟶ X be a PRP
Perms[X]: the set of all one-to-one functions from X to X

S_F = { E(k,·) s.t. k ∈ K } ⊆ Perms[X]

• Intuition: a PRP is secure if a random function in Perms[X] is indistinguishable from a random function in S_F

(Figure: the same game with π ← Perms[X] versus E(k,·) for k ← K; the adversary queries x ∈ X, receives π(x) or E(k,x), and must tell which)
Exercise
• Let F: {0,1}^n × {0,1}^n ⟶ {0,1}^n be a secure PRF. Which of the following are secure?

• F′(k, x) = F(k, x) when x ≠ 0^n, and 0^n otherwise

• F′(k, x) = F(k, x) ⊕ F(k, x ⊕ 1^n)

• F′(k, x) = F(k, x)[0, 1, 2, …, n−2] (drop the last bit of F(k, x))

• F′(k, x) = F(x, k) when x ≠ 0^n, and k otherwise

• F′((k1, k2), x) = F(x, k1) when x ≠ 0^n, and k2 otherwise
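As an added illustration for this exercise (not from the original slides), the following Python code uses HMAC-SHA256 truncated to n bits as a stand-in for the secure PRF F, writes the five candidates as given above, and checks which of them satisfy a fixed structural relation an adversary can test with one or two queries. A truly random function satisfies such a relation only with probability about 2^-n, so a relation that always holds is a distinguisher. The names F1 to F5 and always_holds are my own.

```python
import hmac, hashlib, secrets

N = 16                         # bit length n of keys, inputs and outputs (small so the demo is fast)
ZERO, ONES = 0, (1 << N) - 1   # the strings 0^n and 1^n

def F(k, x):
    """Stand-in for the secure PRF F: {0,1}^n x {0,1}^n -> {0,1}^n (HMAC-SHA256 truncated to n bits)."""
    mac = hmac.new(k.to_bytes(N // 8, "big"), x.to_bytes(N // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:N // 8], "big")

# The five candidate constructions, written exactly as on the slide.
def F1(k, x): return F(k, x) if x != ZERO else ZERO
def F2(k, x): return F(k, x) ^ F(k, x ^ ONES)
def F3(k, x): return F(k, x) >> 1                 # drop the last (least significant) bit
def F4(k, x): return F(x, k) if x != ZERO else k
def F5(k1, k2, x): return F(x, k1) if x != ZERO else k2

def always_holds(relation, trials=200):
    """True if the relation held for every random key and input tried. A relation that
    never fails is a distinguisher: a random function would break it almost every time."""
    return all(relation(secrets.randbits(N), secrets.randbits(N)) for _ in range(trials))

# Relations an adversary can test from the outputs alone, without knowing k.
def zero_maps_to_zero(k, x):          # F1: the point 0^n is always sent to 0^n
    return F1(k, ZERO) == ZERO

def complement_collision(k, x):       # F2: x and x xor 1^n always collide
    return F2(k, x) == F2(k, x ^ ONES)

def key_leaks_then_predicts(k, x):    # F4: one query at 0^n returns k; every other output is then computable
    if x == ZERO:
        return True                   # that output is k by construction
    k_leaked = F4(k, ZERO)
    return F4(k, x) == F(x, k_leaked)

def truncation_collision(k, x):       # F3: no fixed relation is known; this one holds only by chance
    return F3(k, x) == F3(k, x ^ ONES)

if __name__ == "__main__":
    for name, rel in [("F1", zero_maps_to_zero), ("F2", complement_collision),
                      ("F3", truncation_collision), ("F4", key_leaks_then_predicts)]:
        print(name, "relation always holds:", always_holds(rel))
```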
Exercise
• Let us see what goes wrong if we only use two rounds of the Feistel network.

(Figure: 2-round Feistel network from input (L0, R0) through f_k1, f_k2 to output (L2, R2))
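Added Python example (not the slides' own code) serving both the invertibility proof above and this two-round exercise: feistel_encrypt and feistel_decrypt implement the round equations with a non-invertible HMAC-based round function, and left_half_relation_holds shows the two-round leak L2 ⊕ L0 = f_k1(R0), which no longer holds at three rounds, in line with the Luby-Rackoff theorem. Function names are my own choices.

```python
import hmac, hashlib, secrets

N = 32  # half-block size n in bits; the Feistel block is 2n = 64 bits

def prf(k, x):
    """Round function f_k: {0,1}^n -> {0,1}^n. A truncated HMAC-SHA256 stands in for the
    secure PRF; it is NOT invertible, yet the network built from it will be."""
    mac = hmac.new(k, x.to_bytes(N // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:N // 8], "big")

def feistel_encrypt(keys, L0, R0):
    """d rounds of L_i = R_{i-1}, R_i = f_{k_i}(R_{i-1}) xor L_{i-1}, one key per round."""
    L, R = L0, R0
    for k in keys:
        L, R = R, prf(k, R) ^ L
    return L, R

def feistel_decrypt(keys, Ld, Rd):
    """The inverse is the same circuit with the round keys in reverse order:
    R_{i-1} = L_i and L_{i-1} = f_{k_i}(L_i) xor R_i, so f is never inverted."""
    L, R = Ld, Rd
    for k in reversed(keys):
        L, R = prf(k, L) ^ R, L
    return L, R

def left_half_relation_holds(keys, R0):
    """Encrypt two plaintexts that share R0 but differ in L0 and compare L_d xor L_0.
    With two rounds L_2 = R_1 = f_{k1}(R0) xor L0, so L_2 xor L_0 depends only on R0 and
    the two values always agree; a random permutation would agree with probability 2^-n."""
    L0a, L0b = secrets.randbits(N), secrets.randbits(N)
    La, _ = feistel_encrypt(keys, L0a, R0)
    Lb, _ = feistel_encrypt(keys, L0b, R0)
    return (La ^ L0a) == (Lb ^ L0b)

if __name__ == "__main__":
    keys = [secrets.token_bytes(16) for _ in range(3)]
    pt = (0x01234567, 0x89ABCDEF)                     # constructed sample block
    assert feistel_decrypt(keys, *feistel_encrypt(keys, *pt)) == pt
    print("2 rounds: L2 xor L0 independent of L0 ->", left_half_relation_holds(keys[:2], pt[1]))
    print("3 rounds: same relation                 ->", left_half_relation_holds(keys, pt[1]))
```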
