Conventional Encryption: Algorithms

1
Conventional Encryption Algorithms

• Some of the most important symmetric block
  ciphers in current use
• Triple DES
• IDEA
• Blowfish
• RC5
• CAST-128
• RC2

2
Multiple Encryption with DES
Triple DES

• Double DES
• C EK2EK1P D DK1DK2C
• 112 bit key is safe from brute force attack
• Need to examine if ? K3 s.t. EK2EK1P EK3P
• The answer is No!! (Proved in 1992)
• of mappings between 64-bit blocks 264!
  10347380000000000000000
• DES defines one mapping for each different key,
  for a total of mappings 256 lt1017
• If DES is used twice with different keys, it will
  produce one of the many mappings that is not
  defined by a single application of DES

3
Meet In The Middle Attack
Triple DES

• Let X EK1(P). Clearly X DK2(C)
• Given a known ltP, Cgt, construct a table of size
  256 with all values of K1 and EK1(P)
• Sort on EK1(P)
• Now decrypt C with all values of K2. Check all
  results against table
• Any match is a candidate ltK1, K2gt pair
• If this pair is checked with another
  plaintext-ciphertext pair, it can be determined
  with the probability 1-2-16 (If this pair is
  correct with another plaintext-ciphertext pair,
  it is a correct key with the probability 1-2-16 )
• Total effort is O(256), not 2112 (Not much better
  than the 255 required for single DES)

4
Triple DES
Triple DES

• C EK3(DK2(EK1(P)))
• No cryptographic significance to middle decrypt
  operation
• backwards compatible with existing single DES (K1
  K2 K3)
• Two-key Triple DES (K1 K3) or three-key triple
  DES
• Security of Triple DES
• no known practical attacks
• brute force search impossible
• meet-in-the-middle attacks need 256
  plaintext-ciphertext pairs per key
• A popular current
• alternative
• Major disadvantage is
• speed (3x slower)

5
International Data Encryption Algorithm (IDEA)
IDEA

• Xuejia Lai and James Massey, ETH (Swiss Federal
  Institute of Technology), 1991
• Patented
• patent is held by Ascom-Tech
• Non-commercial use of IDEA is free. Commercial
  licenses can be obtained by contacting Ascom-Tech
• Used in PGP
• 128-bit key, 64-bit block
• Variant Feistel network (not Feistel)
• Eight rounds final transformation

6
IDEA Basic Operations
IDEA

• Uses three operations. Each operation is
  performed on two 16-bit inputs to produce a
  single 16-bit output
• Bit-by-bit XOR ( ? )
• (Unsigned 16-bit integers) addition modulo 216
  ( )
• (Unsigned 16-bit integers) multiplication modulo
  216 1 (except that a block of all zeros is
  treated as representing 216 ( ? )
• Three operations are incompatible in the sense
  that
• No pair of the three operations satisfies a
  distributive law. e.g.,
• a (b ? c) ? (a b) ? (a c)
• No pair of the three operations satisfies an
  associative law. e.g.,
• a (b ? c) ? (a b) ? c
• In IDEA, confusion is achieved by using these
  three separate operations in combination
• Provides a complex transformation of the input,
  making cryptanalysis much more difficult (than
  with a DES which uses just a single XOR)

7
IDEA Basic Operations - Examples
IDEA

• Examples for 2-bit operands

8
IDEA Basic Building Block, MA
IDEA

• Basic building block is the Multiplication/Additio
  n (MA) structure
• F1,F2 Two 16-bit values derived from
• the plaintext
• Z5,Z6 Two 16-bit subkeys derived from
• the key
• G1,G2 Two 16-bit outputs
• In IDEA, diffusion is provided by MA
• Each output bit depends on every bit of
• inputs (plaintext-derived inputs and
• subkey inputs)
• This MA structure is repeated eight times,
• providing very effective diffusion

9
Overall IDEA Encryption Structure
IDEA
10
Single Round of IDEA (1st Round)
IDEA
Transformation
Sub-encryption
11
IDEA
Output Transformation Stage of IDEA
12
IDEA
Subkey Generation

• 52 16-bit subkeys are generated from the 128-bit
  key
• The first eight subkeys, Z1, Z2, , Z8, are taken
  directly from the key
• Then a circular left shift of 25 bit positions is
  applied to the key, and the next eight keys are
  extracted.
• This procedure is repeated until all 52 subkeys
  are generated

13
IDEA
IDEA Decryption

• Use the same structure (algorithm) as the
  encryption, but with different subkeys
• Decryption subkeys U1, , U52 are derived from
  encryption subkeys

14
IDEA
Encryption and Decryption Subkeys

• Zj-1 multiplicative inverse Zj ? Zj-1 1
• -Zj additive inverse -Zj Zj 0

15
Blowfish
Blowfish

• Designed by Bruce Schneier, 1993
• Freely available (Unpatented Royalty-free No
  license required Free source code available)
• Used in SSH, OpenBSD, IPSec
• Block cipher 64-bit block
• Variable key length 32 bits to 448 bits
• Fast encryption (much faster than DES and IDEA)
• Compact
• Simple

16
Subkey and S-Box Generation
Blowfish

• The key ranging from 32 bits to 448 bits (1 to 14
  32-bit words) is stored in a K-array
• K1, K2, , Kj 1 ? j ? 14
• The 18 32-bit subkeys are stored in the P-array
  P1, P2, , P18
• There are 4 S-boxes, each with 8x32(256) 32-bit
  entries
• P-array and then 4 S-boxes are initialized with
  fractional part of ?

S1,0, S1,1, , S1,255 S2,0, S2,1, , S2,255 S3,0,
S3,1, , S3,255 S4,0, S4,1, , S4,255
P1 243F6A8816 P2 85A308D316 ? ? ? S4,254
578FDFE316 S4,255 3AC372E616
17
Subkey and S-Box Initialization
Blowfish

• P-array is XORed with K-array (reusing K-array if
  necessary) P1 P1 ? K1, P2 P2 ? K2, , Pj
  Pj ? Kj, Pj1 Pj1 ? K1, Pj2 Pj2 ? K2,
• Then update P-array and S-boxes as follows
• Where EP,SY is the ciphertext produced by
  encrypting Y using Blowfish with the P and S
  arrays
• 521 executions in total are required to produce
  the final P and S arrays

P1, P2 EP,S0 P3, P4 EP,SP1 P2 ? ?
? P17, P18 EP,SP15 P16 S1,0, S1,1
EP,SP17 P18 ? ? ? S4,254, S4,255
EP,SP4,252 P4,253
18
Blowfish Encryption/Decryption
Blowfish

• Slight variant of classic Feistel network
• L and R are both processed in each round
• 16 rounds
• Two extra XORs at the end

19
Single Blowfish Round
Blowfish

• Uses addition modulo 232 and XOR
• Round function processes four bytes
• F(a, b, c, d) ((S1,a S2,b) ? S3,c) S4,d
• Followed by Feistel swap

20
Characteristics of Blowfish
Blowfish

• Key-dependent S-Boxes
• Operations are performed on both halves of data
• Time-consuming subkey generation process
• Makes it bad for rapid key switching, but makes
  brute force expensive
• Perfect avalanche effect
• Fast

21
RC5
RC5

• Designed by Ronald Rivest (MIT Prof.) for RSA
  Data Security
• Secret-key block cipher
• Parameterized algorithm
• Features
• Data-dependent rotations
• Variable block size
• Variable key size
• Variable number of rounds

22
Motivations
RC5

• Suitable for hardware and software
• Fast
• Adaptable to processors of different word lengths
• Variable number of rounds
• Variable-length key
• Simple
• Low memory usage
• High security
• Emphasis of data-dependent rotations

23
Parameterization
RC5

• RC5 is word-oriented
• Two-word input and two-word output
• Representation
• Word size w (16,32,64)
• Number of rounds r (0,1, , 255)
• Number of bytes in key K b (0,1, , 255)
• RC5 algorithm notation RC5-w/r/b
• RC5 algorithm example RC5-32/16/7
• Similar to DES
• Two 32-bit word inputs and outputs
• 16 rounds
• 7-byte (56-bit) key
• RC5-32/12/16
• nominal version

24
Key Expansion
RC5

• RC5 performs complex operations on the secret key
  to generate a total of t subkeys, which are
  stored in S array, S0,S1, , St-1
• Each subkey is one word (w bits) in length
• Two subkeys are used in each round, and two more
  subkeys are used outside the r-round ? t 2r2
• In key expansion, magic constants are used
• Pw Odd((e - 2)2w) e2.718281828. (base of
  natural logarithms)
• Qw Odd((? - 1)2w) ?1.618033988. (golden
  ratio (1sqr(5))/2)
• Odd(x) odd integer nearest to x
• Example

w 16 32 64 Pw B7E1 B7E15163
B7E151628AED2A6B Qw 9E37 9E3779B9
9E3779B97F4A7C15
25
Key Expansion Algorithm
RC5

• Step-1 Convert secret key bytes to words
• b byte key K, (K0, K1, , Kb-1) is
  converted to word array L0, L1, ,
  Lc-1
• Step-2 Initialize subkey array S (S0, S1,
  , St-1)
• S0 Pw
• for i1 to t-1 do
• si si-1 Qw
• Step-3 Mix the secret key into subkey array S

ijXY0 Do 3max(t, c) times
XSi(SiXY)ltltlt3 YLj(LjXY)ltltlt(
XY) i(i1) mod t j(j1) mod c
Note ltltlt ? cyclic rotate left
26
RC5 Key Expansion
RC5
27
RC5 Encryption
RC5

• RC5 uses 3 primitive operations
• Addition, Subtraction (of words) modulo 2w
• Bitwise XOR
• Left, right circular rotation
• Encryption

LE0 A S0 RE0 B S1 for i 1 to r
do LEi ((LEi-1 ? REi-1) ltltlt REi-1)
S2i REi ((REi-1 ? LEi) ltltlt LEi)
S2i1
28
RC5 Decryption
RC5
for i r downto 1 do RDi-1 ((RDi
S2i1 gtgtgt LDi) ? LDi) LDi-1 ((LDi
S2i gtgtgt Rdi-1) ? RDi-1) B RD0 - S1 A
LD0 - S0
29
CAST-128
CAST-128

• Developed by Carlisle Adams and Stafford Tavares
• Used in IPSec
• 64-bit block, 40- to 128-bit keys (in 8-bit
  increments)
• Classical Feistel network structure
• Sixteen rounds
• Two subkeys per round, one 32-bit (Kmi), one
  5-bit (Kri)
• Three different round functions
• Four operations addition() and subtraction(-)
  modulo 232, XOR, and (variable) circular left
  rotate (ltltlt)
• 5-bit subkey (Kri) determines rotate amount
• Encryption
• Decryption same as encryption with the keys
  applied in reverse order

L0R0 Plaintext for i 1 to 16 do Li
Ri-1 Ri Li-1 ? FiRi-1, Kmi,
Kri Ciphertext L16R16
30
CAST-128 Round Function F
CAST-128
Definition of F
Rounds 1,4 I(Kmi Ri-1)ltltltKri) 7,10,13,16
F((S1Ia?S2Ib)-S3Ic)S4Id Rounds 2,5
I(Kmi?Ri-1)ltltltKri) 8,11,14
F((S1Ia-S2Ib)S3Ic)?S4Id Rounds 3,6
I(Kmi-Ri-1)ltltltKri) 9,12,15
F((S1IaS2Ib)?S3Ic)-S4Id
31
CAST-128 S-Boxes
CAST-128

• CAST-128 uses 8 S-boxes
• Four of these, S-box 1 thru S-box 4 are used in
  the encryption/decryption process
• S-box 5 thru S-box 8 are used in the subkey
  generation
• S-boxes contain fixed (predefined) values
• Each S-box contains 256 32-bit values

32
CAST-128 Subkey Generation
CAST-128

• Label the 128-bit (16-byte) key as
• x0x1x3x4x5x6x7x8xAxBxCxDxExF
• Symbol Definitions
• Km1, , Km16 Sixteen 32-bit masking subkeys (one
  per round)
• Kr1, , Kr16 Sixteen 32-bit rotate subkeys (one
  per round), of which
• only the least significant 5 bits of each are
  used
• z0, , zF Intermediate (temporary) bytes
• K1, , K32 Intermediate (temporary) words
• K1 thru K32 are calculated from the key using
  S-boxes 5 thru 8 (See next pages)
• Then subkeys are defined as
• for i 1 to 16 do
• Kmi Ki
• Kri K16i

33
CAST-128
CAST-128 Subkey Generation
z0z1z2z3 x0x1x2x3 ? S5xD ? S6xF ? S7xC ?
S8xE ? S7x8 z4z5z6z7 x8x9xAxB ? S5z0 ?
S6z2 ? S7z1 ? S8z3 ? S8xA z8z9zAzB
xCxDxExF ? S5z7 ? S6z6 ? S7z5 ? S8z4 ?
S5x9 zCzDzEzF x4x5x6x7 ? S5zA ? S6z9 ?
S7zB ? S8z8 ? S6xB K1 S5z8 ? S6z9 ?
S7z7 ? S8z6 ? S5z2 K2 S5zA ? S6zB ?
S7z5 ? S8z4 ? S6z6 K3 S5zC ? S6zD ?
S7z3 ? S8z2 ? S7z9 K4 S5zE ? S6zF ?
S7z1 ? S8z0 ? S8zC x0x1x2x3 z8z9zAzB ?
S5z5 ? S6z7 ? S7z4 ? S8z6 ? S7z0
x4x5x6x7 z0z1z2z3 ? S5x0 ? S6x2 ? S7x1 ?
S8x3 ? S8z2 x8x9xAxB z4z5z6z7 ? S5x7 ?
S6x6 ? S7x5 ? S8x4 ? S5z1 xCxDxExF
zCzDzEzF ? S5xA ? S6x9 ? S7xB ? S8x8 ?
S6z3 K5 S5x3 ? S6x2 ? S7xC ? S8xD ?
S5x8 K6 S5x1 ? S6x0 ? S7xE ? S8xF ?
S6xD K7 S5x7 ? S6x6 ? S7x8 ? S8x9 ?
S7x3 K8 S5x5 ? S6x4 ? S7xA ? S8xB ?
S8x7 z0z1z2z3 x0x1x2x3 ? S5xD ? S6xF ?
S7xC ? S8xE ? S7x8 z4z5z6z7 x8x9xAxB ?
S5z0 ? S6z2 ? S7z1 ? S8z3 ? S8xA
z8z9zAzB xCxDxExF ? S5z7 ? S6z6 ? S7z5 ?
S8z4 ? S5x9 zCzDzEzF x4x5x6x7 ? S5zA ?
S6z9 ? S7zB ? S8z8 ? S6xB K9 S5z3 ?
S6z2 ? S7zC ? S8zD ? S5z9 K10 S5z1 ?
S6z0 ? S7zE ? S8zF ? S6zC K11 S5z7 ?
S6z6 ? S7z8 ? S8z9 ? S7z2 K12 S5z5 ?
S6z4 ? S7zA ? S8zB ? S8z6 x0x1x2x3
z8z9zAzB ? S5z5 ? S6z7 ? S7z4 ? S8z6 ?
S7z0 x4x5x6x7 z0z1z2z3 ? S5x0 ? S6x2 ?
S7x1 ? S8x3 ? S8z2 x8x9xAxB z4z5z6z7 ?
S5x7 ? S6x6 ? S7x5 ? S8x4 ? S5z1
xCxDxExF zCzDzEzF ? S5xA ? S6x9 ? S7xB ?
S8x8 ? S6z3 K13 S5x8 ? S6x9 ? S7x7 ?
S8x6 ? S5x3 K14 S5xA ? S6xB ? S7x5 ?
S8x4 ? S6x7 K15 S5xC ? S6xD ? S7x3 ?
S8x2 ? S7x8 K16 S5xE ? S6xF ? S7x1 ?
S8x0 ? S8xD
34
CAST-128
CAST-128 Subkey Generation
z0z1z2z3 x0x1x2x3 ? S5xD ? S6xF ? S7xC ?
S8xE ? S7x8 z4z5z6z7 x8x9xAxB ? S5z0 ?
S6z2 ? S7z1 ? S8z3 ? S8xA z8z9zAzB
xCxDxExF ? S5z7 ? S6z6 ? S7z5 ? S8z4 ?
S5x9 zCzDzEzF x4x5x6x7 ? S5zA ? S6z9 ?
S7zB ? S8z8 ? S6xB K17 S5z8 ? S6z9 ?
S7z7 ? S8z6 ? S5z2 K18 S5zA ? S6zB ?
S7z5 ? S8z4 ? S6z6 K19 S5zC ? S6zD ?
S7z3 ? S8z2 ? S7z9 K20 S5zE ? S6zF ?
S7z1 ? S8z0 ? S8zC x0x1x2x3 z8z9zAzB ?
S5z5 ? S6z7 ? S7z4 ? S8z6 ? S7z0
x4x5x6x7 z0z1z2z3 ? S5x0 ? S6x2 ? S7x1 ?
S8x3 ? S8z2 x8x9xAxB z4z5z6z7 ? S5x7 ?
S6x6 ? S7x5 ? S8x4 ? S5z1 xCxDxExF
zCzDzEzF ? S5xA ? S6x9 ? S7xB ? S8x8 ?
S6z3 K21 S5x3 ? S6x2 ? S7xC ? S8xD ?
S5x8 K22 S5x1 ? S6x0 ? S7xE ? S8xF ?
S6xD K23 S5x7 ? S6x6 ? S7x8 ? S8x9 ?
S7x3 K24 S5x5 ? S6x4 ? S7xA ? S8xB ?
S8x7 z0z1z2z3 x0x1x2x3 ? S5xD ? S6xF ?
S7xC ? S8xE ? S7x8 z4z5z6z7 x8x9xAxB ?
S5z0 ? S6z2 ? S7z1 ? S8z3 ? S8xA
z8z9zAzB xCxDxExF ? S5z7 ? S6z6 ? S7z5 ?
S8z4 ? S5x9 zCzDzEzF x4x5x6x7 ? S5zA ?
S6z9 ? S7zB ? S8z8 ? S6xB K25 S5z3 ?
S6z2 ? S7zC ? S8zD ? S5z9 K26 S5z1 ?
S6z0 ? S7zE ? S8zF ? S6zC K27 S5z7 ?
S6z6 ? S7z8 ? S8z9 ? S7z2 K28 S5z5 ?
S6z4 ? S7zA ? S8zB ? S8z6 x0x1x2x3
z8z9zAzB ? S5z5 ? S6z7 ? S7z4 ? S8z6 ?
S7z0 x4x5x6x7 z0z1z2z3 ? S5x0 ? S6x2 ?
S7x1 ? S8x3 ? S8z2 x8x9xAxB z4z5z6z7 ?
S5x7 ? S6x6 ? S7x5 ? S8x4 ? S5z1
xCxDxExF zCzDzEzF ? S5xA ? S6x9 ? S7xB ?
S8x8 ? S6z3 K29 S5x8 ? S6x9 ? S7x7 ?
S8x6 ? S5x3 K30 S5xA ? S6xB ? S7x5 ?
S8x4 ? S6x7 K31 S5xC ? S6xD ? S7x3 ?
S8x2 ? S7x8 K32 S5xE ? S6xF ? S7x1 ?
S8x0 ? S8xD
35
CAST-128
CAST-128 S-Box S1
S-Box S1 30fb40d4 9fa0ff0b 6beccd2f 3f258c7a
1e213f2f 9c004dd3 6003e540 cf9fc949 bfd4af27
88bbbdb5 e2034090 98d09675 6e63a0e0 15c361d2
c2e7661d 22d4ff8e 28683b6f c07fd059 ff2379c8
775f50e2 43c340d3 df2f8656 887ca41a a2d2bd2d
a1c9e0d6 346c4819 61b76d87 22540f2f 2abe32e1
aa54166b 22568e3a a2d341d0 66db40c8 a784392f
004dff2f 2db9d2de 97943fac 4a97c1d8 527644b7
b5f437a7 b82cbaef d751d159 6ff7f0ed 5a097a1f
827b68d0 90ecf52e 22b0c054 bc8e5935 4b6d2f7f
50bb64a2 d2664910 bee5812d b7332290 e93b159f
b48ee411 4bff345d fd45c240 ad31973f c4f6d02e
55fc8165 d5b1caad a1ac2dae a2d4b76d c19b0c50
882240f2 0c6e4f38 a4e4bfd7 4f5ba272 564c1d2f
c59c5319 b949e354 b04669fe b1b6ab8a c71358dd
6385c545 110f935d 57538ad5 6a390493 e63d37e0
2a54f6b3 3a787d5f 6276a0b5 19a6fcdf 7a42206a
29f9d4d5 f61b1891 bb72275e aa508167 38901091
c6b505eb 84c7cb8c 2ad75a0f 874a1427 a2d1936b
2ad286af aa56d291 d7894360 425c750d 93b39e26
187184c9 6c00b32d 73e2bb14 a0bebc3c 54623779
64459eab 3f328b82 7718cf82 59a2cea6 04ee002e
89fe78e6 3fab0950 325ff6c2 81383f05 6963c5c8
76cb5ad6 d49974c9 ca180dcf 380782d5 c7fa5cf6
8ac31511 35e79e13 47da91d0 f40f9086 a7e2419e
31366241 051ef495 aa573b04 4a805d8d 548300d0
00322a3c bf64cddf ba57a68e 75c6372b 50afd341
a7c13275 915a0bf5 6b54bfab 2b0b1426 ab4cc9d7
449ccd82 f7fbf265 ab85c5f3 1b55db94 aad4e324
cfa4bd3f 2deaa3e2 9e204d02 c8bd25ac eadf55b3
d5bd9e98 e31231b2 2ad5ad6c 954329de adbe4528
d8710f69 aa51c90f aa786bf6 22513f1e aa51a79b
2ad344cc 7b5a41f0 d37cfbad 1b069505 41ece491
b4c332e6 032268d4 c9600acc ce387e6d bf6bb16c
6a70fb78 0d03d9c9 d4df39de e01063da 4736f464
5ad328d8 b347cc96 75bb0fc3 98511bfb 4ffbcc35
b58bcf6a e11f0abc bfc5fe4a a70aec10 ac39570a
3f04442f 6188b153 e0397a2e 5727cb79 9ceb418f
1cacd68d 2ad37c96 0175cb9d c69dff09 c75b65f0
d9db40d8 ec0e7779 4744ead4 b11c3274 dd24cb9e
7e1c54bd f01144f9 d2240eb1 9675b3fd a3ac3755
d47c27af 51c85f4d 56907596 a5bb15e6 580304f0
ca042cf1 011a37ea 8dbfaadb 35ba3e4a 3526ffa0
c37b4d09 bc306ed9 98a52666 5648f725 ff5e569d
0ced63d0 7c63b2cf 700b45e1 d5ea50f1 85a92872
af1fbda7 d4234870 a7870bf3 2d3b4d79 42e04198
0cd0ede7 26470db8 f881814c 474d6ad7 7c0c5e5c
d1231959 381b7298 f5d2f4db ab838653 6e2f1e23
83719c9e bd91e046 9a56456e dc39200c 20c8c571
962bda1c e1e696ff b141ab08 7cca89b9 1a69e783
02cc4843 a2f7c579 429ef47d 427b169c 5ac9f049
dd8f0f00 5c8165bf
36
RC2
RC2

• Developed by Ron Rivest (RSA Data Security)
• 64-bit block cipher
• Variable key size (from one byte up to 128 bytes)
• Designed to be easy to implement on 16-bit
  microprocessor
• Use 16-bit word, 16-bit arithmetic (addition,
  XOR, AND, , rotate)
• Non-Feistel
• 18 rounds (mixing/mashing)
• Used in S/MIME

37
RC2 Key Expansion
RC2

• RC2 assumes 128 (64 word) byte key buffer
• For byte operation, key array is L0, ,
  L127 each Li is a byte
• For word operation, key array is K0, , K63
  each Ki is a 16-bit word
• These are alternative views of the same key
  buffer
• Key expansion
• Assume that exactly T bytes of key are supplied,
  1 ? T ? 128
• The purpose of key expansion algorithm is to
  modify the key buffer so that each bit of the
  expanded key depends in a complicated way on
  every bit of the supplied input key
• Key expansion begins by placing the supplied
  T-byte key into bytes L0, , LT-1 of the key
  buffer
• L array is then computed making use of an
  auxiliary array P
• P array is a random permutation of values of
  0,,255, which is constructed based on p3.14159
  (See next page)
• The computation is

for i T to 127 do Li PLi-1
Li-T L128-T PL128-T For i 127 T
down to 0 do LiPLi1 ? LiT
38
PiTable (P-array)
RC2
Here is the P array in hexadecimal notation
0 1 2 3 4 5 6 7 8 9 a b c d e f
00 d9 78 f9 c4 19 dd b5 ed 28 e9 fd 79 4a a0 d8
9d 10 c6 7e 37 83 2b 76 53 8e 62 4c 64 88 44 8b
fb a2 20 17 9a 59 f5 87 b3 4f 13 61 45 6d 8d 09
81 7d 32 30 bd 8f 40 eb 86 b7 7b 0b f0 95 21 22
5c 6b 4e 82 40 54 d6 65 93 ce 60 b2 1c 73 56 c0
14 a7 8c f1 dc 50 12 75 ca 1f 3b be e4 d1 42 3d
d4 30 a3 3c b6 26 60 6f bf 0e da 46 69 07 57 27
f2 1d 9b bc 94 43 03 70 f8 11 c7 f6 90 ef 3e e7
06 c3 d5 2f c8 66 1e d7 80 08 e8 ea de 80 52 ee
f7 84 aa 72 ac 35 4d 6a 2a 90 96 1a d2 71 5a 15
49 74 4b 9f d0 5e 04 18 a4 ec a0 c2 e0 41 6e 0f
51 cb cc 24 91 af 50 a1 f4 70 39 b0 99 7c 3a 85
23 b8 b4 7a fc 02 36 5b 25 55 97 31 c0 2d 5d fa
98 e3 8a 92 ae 05 df 29 10 67 6c ba c9 d0 d3 00
e6 cf e1 9e a8 2c 63 16 01 3f 58 e2 89 a9 e0 0d
38 34 1b ab 33 ff b0 bb 48 0c 5f b9 b1 cd 2e f0
c5 f3 db 47 e5 a5 9c 77 0a a6 20 68 fe 7f c1 ad
39
RC2 Encryption
RC2

• Encryption algorithm takes a 64-bit input stored
  in R0, R1, R2, R3, and places the result
  back in R0 thru R3.
• Algorithm consists of 18 rounds of two types
  mixing and mashing
• Mixing round

R0 R0 Kj (R3 R2) ((R3
R1) R0 R0 ltltlt 1 j j 1 R1 R1
Kj (R0 R3) ((R0 R2) R1
R1 ltltlt 2 j j 1 R2 R2 Kj (R1
R0) ((R1 R3) R2 R2 ltltlt 3 j
j 1 R3 R3 Kj (R2 R1)
((R2 R0) R3 R3 ltltlt 5 j j
1 Here j is the global variable Kj is the
first subkey word that has not yet been used
40
RC2 Encryption
RC2

• Mashing round
• RC2
• Initialize j to zero
• Perform five mixing rounds (j 20)
• Perform one mashing round
• Perform six mixing rounds (j 44)
• Perform one mashing round
• Perform five mixing rounds (j64)
• Decryption Inverse operation of encryption with
  the keys used in reverse order

R0 R0 KR3 63 R1 R1 KR0
63 R2 R2 KR1 63 R3 R3
KR2 63
41
Characteristics of Advanced Block Ciphers
Key features found in advanced symmetric block
ciphers (not in DES)

• Variable key length
• Blowfish, RC5, CAST-128, RC2
• Mixed operators
• More than one arithmetic and/or Boolean operator,
  especially ones that are not associative or
  distributive
• These operators provide nonlinearity as an
  alternative to S-boxes
• Data-dependent rotation
• Provide excellent confusion and diffusion
• RC5
• Key-dependent rotation
• CAST-128

42
Characteristics of Advanced Block Ciphers

• Key-dependent S-boxes
• Blowfish
• Expensive key schedule computation
• Blowfish
• Variable round function (F)
• CAST-128
• Variable plaintext/ciphertext block length
• RC5
• Variable number of rounds
• RC5
• Operation on both data halves each round
• IDEA, Blowfish, RC5

43
Chapter 4 HW

• Prob. 4.5
• Prob. 4.8
• Prob. 4.9
• Prob. 4.13