Unit 2
![Page 1: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/1.jpg)
Information Security, Unit - 2
Prof. Chintan Patel
CE Department, MEFGI, RAJKOT
![Page 2: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/2.jpg)
![Page 3: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/3.jpg)
• A stream cipher : one that encrypts the digital data stream one bit or one byte at a time.
Example : Vigenere cipher or Vernam cipher.
GATE : It is also called a block cipher where size = 1.
• A block cipher : A symmetric key modern cipher that encrypts an n-bit block of plain text and decrypts an n-bit block of cipher text.
• PADDING : If the message has fewer than n bits, padding must be added to make it n bits.
If the message size is not a multiple of n bits, it should be divided into n-bit blocks and the last block should be padded.
![Page 4: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/4.jpg)
![Page 5: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/5.jpg)
• Can we model substitution as a permutation?
• Yes, n bits of input and output can be represented as 2^n bit sequences of 1’s and 0’s.
0 1 2 3 4 5 6 8
7 4 3 2 1 0 6 5
![Page 6: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/6.jpg)
• Reversible mapping : which produces unique cipher text blocks.

a. Reversible mapping

| Plain text | Cipher text |
|---|---|
| 00 | 11 |
| 01 | 10 |
| 10 | 00 |
| 11 | 01 |

b. Irreversible mapping

| Plain text | Cipher text |
|---|---|
| 00 | 11 |
| 01 | 10 |
| 10 | 01 |
| 11 | 01 |
![Page 7: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/7.jpg)
• Can be used to define any reversible mapping between plain text and cipher text. Feistel refers to it as an ideal block cipher.
![Page 8: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/8.jpg)
PLAIN TEXT CIPHER TEXT
0000 1110
0001 0100
0010 1101
0011 0001
0100 0010
0101 1111
0110 1011
0111 1000
1000 0011
1001 1010
1010 0110
1011 1100
1100 0101
1101 1001
1110 0000
1111 0111
CIPHER TEXT PLAIN TEXT
0000 1110
0001 0011
0010 0100
0011 1000
0100 0001
0101 1100
0110 1010
0111 1111
1000 0111
1001 1101
1010 1001
1011 0110
1100 1011
1101 0010
1110 0000
1111 0101
![Page 9: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/9.jpg)
• An ideal block cipher with a large block size is not practical, however, from an implementation and performance point of view. The mapping itself constitutes the key.
• “The basic aim of the key was to produce unique cipher text, but here every plain text itself gives a unique cipher text.”
• So the total key size for n = 4 (refer to the table on the previous slide, where n = 4) is 4 (number of bits) * 16 (no. of rows) = 64 bits.
• In general, if there are n bits, then the key size is n * 2^n bits.
![Page 10: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/10.jpg)
• Substitution : Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements.
• Permutation : A sequence of plain text elements is replaced by a permutation of that sequence. No elements are added, deleted or replaced; only the order of the elements is changed.
![Page 11: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/11.jpg)
• “Based on knowledge of the statistical characteristics of the plain text, an attacker can guess the probable words of the message.” So Claude Shannon refers to a concept in which
• The relationship between plain text and cipher text is hidden : called diffusion
• And the relationship between cipher text and key is hidden : called confusion
• The mechanism of diffusion seeks to make the statistical relationship between the P.T and C.T as complex as possible in order to thwart attempts to deduce the key.
• In confusion, even if the attacker can get a handle on some statistics of the C.T, the way in which the key was used to produce that cipher text is so complex as to make it difficult to deduce the key.
![Page 12: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/12.jpg)
• Diffusion can be achieved by repeatedly performing some permutation : The effect is that bits from different positions in the original P.T contribute to a single bit of a character in the cipher text.
• Confusion can be achieved by the use of a complex substitution algorithm like the Hill cipher or the Playfair cipher.
![Page 13: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/13.jpg)
![Page 14: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/14.jpg)
![Page 15: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/15.jpg)
![Page 16: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/16.jpg)
![Page 17: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/17.jpg)
![Page 18: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/18.jpg)
![Page 19: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/19.jpg)
![Page 20: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/20.jpg)
![Page 21: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/21.jpg)
Data Encryption Standard (DES)
The Data Encryption Standard (DES) is a symmetric-
key block cipher published by the National Institute of
Standards and Technology (NIST).
![Page 22: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/22.jpg)
• In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem.
• A proposal from IBM, a modification of a project called Lucifer, was accepted as DES.
• DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).
![Page 23: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/23.jpg)
Encryption and decryption with DES
![Page 24: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/24.jpg)
General structure of DES
![Page 25: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/25.jpg)
Initial and final permutation steps in DES
![Page 26: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/26.jpg)
![Page 27: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/27.jpg)
Note : The initial and final permutations are straight P-boxes that are inverses of each other. They have no cryptographic significance in DES.
![Page 28: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/28.jpg)
DES uses 16 rounds. Each round of DES is a Feistel cipher.
A round in DES (encryption site)
![Page 29: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/29.jpg)
The heart of DES is the DES function. The DES function
applies a 48-bit key to the rightmost 32 bits to produce a 32-
bit output.
DES function
![Page 30: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/30.jpg)
Expansion P-box
Since R_{I−1} is a 32-bit input and K_I is a 48-bit key, we first need to expand R_{I−1} to 48 bits.
Expansion permutation
![Page 31: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/31.jpg)
Although the relationship between the input and output can be defined mathematically, DES uses the table below to define this P-box.
Expansion P-box table
![Page 32: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/32.jpg)
Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.
![Page 33: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/33.jpg)
S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-
boxes, each with a 6-bit input and a 4-bit output.
S-boxes
![Page 34: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/34.jpg)
![Page 35: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/35.jpg)
S-box rule
![Page 36: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/36.jpg)
S-box 1
Example : The input to S-box 1 is 100011. What is the
output?
If we write the first and the sixth bits together, we get 11 in binary,
which is 3 in decimal. The remaining bits are 0001 in binary, which
is 1 in decimal. We look for the value in row 3, column 1, in Table (S-
box 1). The result is 12 in decimal, which in binary is 1100. So the
input 100011 yields the output 1100.
![Page 37: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/37.jpg)
![Page 38: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/38.jpg)
Straight Permutation
![Page 39: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/39.jpg)
Figure Key generation
![Page 40: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/40.jpg)
Parity-bit drop table
![Page 41: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/41.jpg)
![Page 42: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/42.jpg)
![Page 43: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/43.jpg)
![Page 44: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/44.jpg)
![Page 45: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/45.jpg)
![Page 46: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/46.jpg)
![Page 47: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/47.jpg)
![Page 48: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/48.jpg)
![Page 49: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/49.jpg)
• DES Design Criteria
Design criteria for S-Box(substitution)
Design criteria for P-Box(permutation)
• Number of Rounds
• Design of The function F.
• Key scheduling
![Page 50: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/50.jpg)
• No o/p bit of any S-Box should be too close to a linear function of the i/p bits.
• Each row of an S-Box should include all 16 possible o/p bit combinations.
• If 2 i/p to an S-Box differ by 1 bit, then the o/p must differ by at least 2 bits.
• If 2 i/p to an S-Box differ in exactly the two middle bits, then the o/p must differ by at least 2 bits.
• If 2 i/p to an S-Box differ in their first 2 bits and are identical in their last 2 bits, then the o/p must not be the same.
These criteria are intended to increase the confusion of the algorithm.
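The S-box rule from the worked example (100011 gives 1100) and the design criteria listed above can be checked by enumeration. The block below is an added example, not part of the original slides: the S-box 1 values are taken from the published DES standard (the slide's table is an image), `WEAK_BOX` is a constructed counter-example, and the linearity criterion is not tested.

```python
# Added example: DES S-box 1 lookup plus an exhaustive check of the
# enumerable S-box design criteria. Function names are illustrative.

# S-box 1 from the DES standard: 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# Constructed weak box: every row is the identity, so the row bits are ignored.
WEAK_BOX = [list(range(16)) for _ in range(4)]


def sbox_lookup(box, six_bits):
    """S-box rule: bits 1 and 6 select the row, bits 2 to 5 the column."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be a 6-bit value")
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]


def bits_changed(a, b):
    """Number of output bits in which a and b differ."""
    return bin(a ^ b).count("1")


def check_design_criteria(box):
    """Return a dict of criterion name -> True/False for one S-box."""
    inputs = range(64)
    return {
        # Each row includes all 16 possible output combinations.
        "rows_are_permutations": all(sorted(r) == list(range(16)) for r in box),
        # Inputs differing in 1 bit give outputs differing in >= 2 bits.
        "one_bit_change": all(
            bits_changed(sbox_lookup(box, x), sbox_lookup(box, x ^ (1 << b))) >= 2
            for x in inputs for b in range(6)),
        # Inputs differing in exactly the two middle bits: >= 2 output bits differ.
        "middle_bits_change": all(
            bits_changed(sbox_lookup(box, x), sbox_lookup(box, x ^ 0b001100)) >= 2
            for x in inputs),
        # First two bits differ, last two identical (middle bits free): outputs differ.
        "first_two_bits_change": all(
            sbox_lookup(box, x) != sbox_lookup(box, x ^ 0b110000 ^ (mid << 2))
            for x in inputs for mid in range(4)),
    }


if __name__ == "__main__":
    print("S1(100011) =", format(sbox_lookup(S1, 0b100011), "04b"))
    for name, box in (("S1", S1), ("WEAK_BOX", WEAK_BOX)):
        print(name, check_design_criteria(box))
```

The weak box still passes the row test, which shows why the row criterion alone is not enough: its output ignores the two row-selecting input bits.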
![Page 51: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/51.jpg)
• The 4 o/p bits from each round i are distributed so that 2 of them affect the “middle bits” of round (i+1) and the other 2 affect end bits.
• The 4 o/p bits from each S-box affect 6 different S-boxes in the next round, and no two affect the same S-box.
• These criteria are intended to increase the diffusion of the algorithm.
![Page 52: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/52.jpg)
• Schneier observes that for 16-round DES, a differential cryptanalysis attack is less efficient than brute force.
• Differential cryptanalysis requires 2^55.1 operations while brute force requires 2^55.
• If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a brute force attack.
![Page 53: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/53.jpg)
• SAC (STRONG AVALANCHE CRITERIA)
• It must provide the avalanche effect :
Small changes in the plain text and key must produce a different ciphertext.
• BIC (BIT INDEPENDENT CRITERIA) : O/P bits j and k should change independently when any single input bit i is inverted.
BIC and SAC criteria appear to strengthen the effectiveness of confusion.
• Select the key to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.
![Page 54: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/54.jpg)
• Multiple encryption and Triple DES
• Block Cipher Modes of Operation
• Book : William Stallings (Chapter 6)
![Page 55: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/55.jpg)
• Topics to be covered….
Introduction
Double DES
Triple DES With 2 keys
Triple DES with 3 keys..
![Page 56: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/56.jpg)
![Page 57: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/57.jpg)
![Page 58: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/58.jpg)
• Multiple Encryption : Encryption algorithm is used multiple times.
• Triple DES : 3 stages of DES algorithms with 2 or 3 keys…
![Page 59: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/59.jpg)
![Page 60: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/60.jpg)
![Page 61: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/61.jpg)
• Is there some K3 which can be prepared from K1 and K2……..?
• Is the following true?
• E(K2 , E(K1 , P)) = E(K3 , P)
• No, it's not possible. DES is not a group cipher like the Caesar cipher.
• So double DES results in a mapping which is not equal to a single DES encryption.
![Page 62: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/62.jpg)
• Thus double DES results in mapping which is not equal to a Single DES encryption.
• C = E(K2 , E(K1 , P))…..
• X = E(K1 , P) = D(K2 , C)..
• Based on a given (P, C) pair….
• Encrypt P using each possible K1. Store these results in a table and then sort the table by the value of X.
• Decrypt C using each possible K2. Store these results in a table and match them with X. If two keys give the same value, try them on the cipher text; if they produce the correct plain text, accept them as the correct keys.
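The table-and-match procedure above explains why double encryption adds roughly one bit of strength rather than doubling the key length, which is the reason Triple DES uses three stages. The block below is an added example, not part of the original slides: it runs the procedure against a constructed 16-bit toy Feistel cipher with 10-bit keys (the S-box, key schedule, keys and plaintexts are all made up for the demonstration), and a dictionary lookup replaces the sorted table.

```python
# Added example: meet-in-the-middle on double encryption with a TOY cipher.
from collections import defaultdict

KEY_BITS = 10                  # toy key size so the search is instant (DES: 56)
KEYSPACE = 1 << KEY_BITS
ROUNDS = 4
# Constructed 8-bit S-box for the toy cipher: powers of 3 modulo 257.
SBOX = [pow(3, x, 257) & 0xFF for x in range(256)]


def round_keys(key):
    """Derive four 8-bit round keys from a 10-bit key (constructed schedule)."""
    return [((key >> i) ^ (key << (i + 1)) ^ (0x3B * i)) & 0xFF
            for i in range(ROUNDS)]


def encrypt(key, block):
    """Toy 16-bit Feistel cipher standing in for E(K, P)."""
    left, right = block >> 8, block & 0xFF
    for rk in round_keys(key):
        left, right = right, left ^ SBOX[right ^ rk]
    return (left << 8) | right


def decrypt(key, block):
    """Inverse of encrypt(), standing in for D(K, C)."""
    left, right = block >> 8, block & 0xFF
    for rk in reversed(round_keys(key)):
        left, right = right ^ SBOX[left ^ rk], left
    return (left << 8) | right


def double_encrypt(k1, k2, plaintext):
    """C = E(K2, E(K1, P))"""
    return encrypt(k2, encrypt(k1, plaintext))


def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher operations used in the two sweeps)."""
    p0, c0 = pairs[0]
    operations = 0
    table = defaultdict(list)          # X = E(K1, P) -> every K1 that gives it
    for k1 in range(KEYSPACE):
        table[encrypt(k1, p0)].append(k1)
        operations += 1
    candidates = []
    for k2 in range(KEYSPACE):
        x = decrypt(k2, c0)            # X = D(K2, C)
        operations += 1
        for k1 in table.get(x, ()):
            # Confirm each match on the remaining known pairs to drop
            # key pairs that agree on the first pair only by chance.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, operations


def demo():
    """Build constructed known pairs and run the search."""
    k1, k2 = 0x2A7, 0x13C              # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    candidates, operations = meet_in_the_middle(pairs)
    return (k1, k2), candidates, operations


if __name__ == "__main__":
    true_keys, candidates, operations = demo()
    print("true keys      :", true_keys)
    print("candidates     :", candidates)
    print("sweep cost     :", operations, "cipher operations")
    print("exhaustive cost:", KEYSPACE ** 2, "key pairs")
```

Scaled to DES, the two sweeps cost about 2 * 2^56 operations plus a table of 2^56 entries, against 2^112 key pairs for an exhaustive search.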
![Page 63: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/63.jpg)
• hence must use 3 encryptions
would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
C = E_K1(D_K2(E_K1(P)))
and encrypt & decrypt equivalent in security
if K1=K2 then can work with single DES
![Page 64: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/64.jpg)
• although there are no practical attacks on two-key Triple-DES, there are some indications
• can use Triple-DES with Three-Keys to avoid even these
C = E_K3(D_K2(E_K1(P)))
• has been adopted by some Internet applications, eg PGP, S/MIME
![Page 65: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/65.jpg)
![Page 66: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/66.jpg)
![Page 67: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/67.jpg)
![Page 68: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/68.jpg)
![Page 69: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/69.jpg)
![Page 70: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/70.jpg)
![Page 71: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/71.jpg)
![Page 72: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/72.jpg)
![Page 73: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/73.jpg)
![Page 74: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/74.jpg)
![Page 75: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/75.jpg)
![Page 76: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/76.jpg)
![Page 77: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/77.jpg)
![Page 78: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/78.jpg)
![Page 79: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/79.jpg)
![Page 80: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/80.jpg)
![Page 81: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/81.jpg)
![Page 82: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/82.jpg)
![Page 83: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/83.jpg)
![Page 84: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/84.jpg)
![Page 85: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/85.jpg)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
• uses: high-speed network encryptions
![Page 86: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/86.jpg)
![Page 87: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/87.jpg)
• Hardware Efficiency : In CTR mode, encryption can be done in parallel on multiple plaintext blocks.
• Software Efficiency : Because of the parallel work, features like aggressive pipelining, multiple instruction dispatch, and a large no. of registers can be used effectively.
• Preprocessing : Encryption does not depend on the plaintext or ciphertext, so preprocessing can be used to prepare the output of the encryption boxes that feed into the XOR.
• Simplicity :
• Provable security :
![Page 88: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/88.jpg)
![Page 89: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/89.jpg)
• IDEA (International Data Encryption Algorithms)
• Blowfish
• RC2 , RC 5
• Cast 128
![Page 90: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/90.jpg)
![Page 91: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/91.jpg)
![Page 92: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/92.jpg)
• It is a minor revision of an earlier cipher, PES (Proposed Encryption Standard);
• IDEA was originally called IPES (Improved PES).
• IDEA was used as the symmetric cipher in early versions of the Pretty Good Privacy cryptosystem.
![Page 93: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/93.jpg)
• The IDEA encryption algorithm
provides high level security not based on keeping the algorithm a secret, but rather upon ignorance of the secret key
is fully specified and easily understood
is available to everybody
is suitable for use in a wide range of applications
can be economically implemented in electronic components (VLSI Chip)
can be used efficiently
may be exported world wide
is patent protected to prevent fraud and piracy
![Page 94: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/94.jpg)
![Page 95: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/95.jpg)
![Page 96: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/96.jpg)
![Page 97: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/97.jpg)
![Page 98: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/98.jpg)
![Page 99: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/99.jpg)
• The algebraic idea behind IDEA is the mixing of three incompatible algebraic
operations on 16-bit blocks:
bitwise XOR,
addition modulo 2^16, and
multiplication modulo 2^16 + 1.
![Page 100: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/100.jpg)
• The 64-bit plain text is divided into 4 16-bit blocks, which are called X1, X2, X3, X4.
• The 128-bit key is divided into 8 16-bit blocks.
![Page 101: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/101.jpg)
• 1. Multiply X1 and the first subkey Z1.
• 2. Add X2 and the second subkey Z2.
• 3. Add X3 and the third subkey Z3.
• 4. Multiply X4 and the fourth subkey Z4.
• 5. Bitwise XOR the results of steps 1 and 3.
• 6. Bitwise XOR the results of steps 2 and 4.
• 7. Multiply the result of step 5 and the fifth subkey Z5.
• 8. Add the results of steps 6 and 7.
• 9. Multiply the result of step 8 and the sixth subkey Z6.
• 10. Add the results of steps 7 and 9.
• 11. Bitwise XOR the results of steps 1 and 9.
• 12. Bitwise XOR the results of steps 3 and 9.
• 13. Bitwise XOR the results of steps 2 and 10.
• 14. Bitwise XOR the results of steps 4 and 10.
![Page 102: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/102.jpg)
• final transformation occurs:
• 1. Multiply X1 and the first subkey Z1.
• 2. Add X2 and the second subkey Z2.
• 3. Add X3 and the third subkey Z3.
• 4. Multiply X4 and the fourth subkey Z4.
![Page 103: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/103.jpg)
• Each of the eight complete rounds requires six subkeys, and the final transformation “half round” requires four subkeys; so, the entire process requires 52 subkeys.
• The 128-bit key is split into eight 16-bit subkeys.
• The bits are shifted to the left 25 bits.
• The resulting 128-bit string is split into eight 16-bit blocks that become the next eight subkeys.
• The shifting and splitting process is repeated until 52 subkeys are generated.
• The shifts of 25 bits ensure that repetition does not occur in the subkeys.
• Six subkeys are used in each of the 8 rounds. The final 4 subkeys are used in the ninth “half round” final transformation.
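The 14 round steps, the final transformation and the 25-bit key schedule described above fit together as follows. This is an added example, not part of the original slides; the function names are illustrative. It assumes big-endian 16-bit words and a circular 25-bit shift, and in the final transformation it un-swaps the two middle words as the published IDEA specification does, a detail the slides do not spell out.

```python
# Added example: IDEA encryption of one 64-bit block, following the steps above.
MASK = 0xFFFF


def mul(a, b):
    """Multiplication modulo 2^16 + 1; the 16-bit word 0 stands for 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % 0x10001) & MASK


def add(a, b):
    """Addition modulo 2^16."""
    return (a + b) & MASK


def expand_key(key):
    """Split, rotate left 25 bits, split again ... until 52 subkeys exist."""
    if len(key) != 16:
        raise ValueError("IDEA needs a 128-bit (16-byte) key")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & MASK for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)   # circular shift
    return subkeys[:52]


def idea_round(x, z):
    """One complete round: steps 1 to 14 with six subkeys z[0..5]."""
    x1, x2, x3, x4 = x
    s1 = mul(x1, z[0])        # step 1
    s2 = add(x2, z[1])        # step 2
    s3 = add(x3, z[2])        # step 3
    s4 = mul(x4, z[3])        # step 4
    s5 = s1 ^ s3              # step 5
    s6 = s2 ^ s4              # step 6
    s7 = mul(s5, z[4])        # step 7
    s8 = add(s6, s7)          # step 8
    s9 = mul(s8, z[5])        # step 9
    s10 = add(s7, s9)         # step 10
    # Steps 11 to 14, in this order, are the input to the next round.
    return (s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10)


def encrypt_block(block, key):
    """Encrypt one 8-byte block under a 16-byte key."""
    if len(block) != 8:
        raise ValueError("IDEA works on 64-bit (8-byte) blocks")
    z = expand_key(key)
    x = tuple(int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        x = idea_round(x, z[6 * r:6 * r + 6])
    x1, x2, x3, x4 = x
    # Final "half round": four subkeys, middle words taken un-swapped.
    y = (mul(x1, z[48]), add(x3, z[49]), add(x2, z[50]), mul(x4, z[51]))
    return b"".join(w.to_bytes(2, "big") for w in y)


if __name__ == "__main__":
    key = bytes.fromhex("00010002000300040005000600070008")
    plaintext = bytes.fromhex("0000000100020003")
    print("subkeys 9..16:", [format(w, "04x") for w in expand_key(key)[8:16]])
    print("ciphertext   :", encrypt_block(plaintext, key).hex())
```

The key and plaintext in the `__main__` block are the commonly published IDEA test vector, so the printed ciphertext can be compared against other implementations.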
![Page 104: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/104.jpg)
![Page 105: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/105.jpg)
![Page 106: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/106.jpg)
• Simplified IDEA encrypts a 16-bit block of plaintext to a 16-bit block of cipher text. It uses a 32-bit key. The simplified algorithm consists of four identical rounds and a “half round” final transformation.
![Page 107: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/107.jpg)
• IDEA Supports all,
ECB(Electronic code book)
CBC(cipher block chaining)
CFB(Cipher feedback mode)
OFB(Output Feedback mode)
![Page 108: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/108.jpg)
• IDEA-based security solutions are available in many market areas, ranging from Financial Services and Broadcasting to Government.
• The IDEA algorithm can easily be embedded in any encryption software. Data encryption can be used to protect data transmission and storage. Typical fields are:
• – Audio and video data for cable TV, pay TV, video conferencing, distance learning, business TV, VoIP
• – Sensitive financial and commercial data
• – Email via public networks
• – Transmission links via modem, router or ATM link, GSM technology
• – Smart cards
![Page 109: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/109.jpg)
Source : Internet and Book : Atul Kahate.
![Page 110: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/110.jpg)
• Developed by Bruce Schneier in 1993/94.
• Design objectives :
Fast : Blowfish encryption rate on a 32-bit microprocessor is 26 clock cycles per byte.
Compact : It can be executed in less than 5 kb memory.
Simple : Uses only primitive operations like XOR and table lookup, making its design and implementation simple.
Secure : Blowfish has a variable key length, up to a maximum of 448 bits and a minimum of 32 bits, to make it flexible and secure.
Used in applications where the key remains constant for a long time (e.g. a communication link) but not where the key changes frequently (e.g. packet switching).
![Page 111: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/111.jpg)
• Encrypts 64-bit blocks with a variable-length key, and contains 2 parts.
Subkey generation : Converts a key of up to 448 bits into subkeys totaling 4168 bits.
Data encryption : Iteration of the Feistel function 16 times. Each round contains a key-dependent permutation and a key- and data-dependent substitution.
![Page 112: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/112.jpg)
![Page 113: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/113.jpg)
![Page 114: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/114.jpg)
![Page 115: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/115.jpg)
• 1. Uses a large no. of subkeys, and the keys must be ready before encryption and decryption. Key size ranges from 32 bits to 448 bits.
This means 1 to 14 words with 32 bits/word.
K1, K2, K3, …….. Kn, where each block contains 32 bits.
• 2. P-Array , consisting of 18, 32 bit subkeys.
P1,P2…..P18..
Schneier recommends the usage of the bits of fractional parts of constant pi=22/7.
P1 = 24F6C98
P2 = 85F6A88……..
P18 = 84F6D84.
![Page 116: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/116.jpg)
• 3. 4 S-boxes , each containing 256, 32 bit entries.
S1,0 ………………………..S1, 255
S2,0……………………… ..S2,255
S3,0…………………………S3,255
S4,0…………………………S4,255
Initialized same as P-Array with some hexadecimal value of fractional part of constant pi = 22/7.
• 4. So a bitwise XOR operation is performed on P1 with K1, P2 with K2, ……. P14 with K14. After that the key array K will be exhausted, and hence for P15 to P18, K1 to K4 are used.
P1 = P1 XOR K1
P2 = P2 XOR K2…….
….
P18 = P18 XOR K4
![Page 117: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/117.jpg)
![Page 118: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/118.jpg)
![Page 119: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/119.jpg)
• Symmetric block cipher developed by Ron Rivest.
• Quite fast because it uses only addition, XOR and shift operations.
• Allows a variable no. of rounds and a variable size key to add flexibility.
• Requires less memory for execution and is therefore suitable not only for desktop applications but also for smart cards and other devices.
![Page 120: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/120.jpg)
| Parameter | Allowed values |
|---|---|
| Word size in bits | 16, 32, 64 |
| Number of rounds | 0 to 255 |
| Number of 8-bit bytes in the key | 0 to 255 |

Word size, number of rounds and key size can all be of variable length. Variable means that before execution of a particular instance of RC5, these values can be chosen from those allowed, unlike DES and IDEA.
RC5 uses 2-word blocks.
RC5-w/r/b, where w = word size, r = number of rounds, b = number of 8-bit bytes in the key.
Ex. RC5-32/16/16 means 64 (32*2) bit blocks, 16 rounds, 16-byte key.
![Page 121: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/121.jpg)
![Page 122: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/122.jpg)
• Input plain text is divided into equal size blocks A and B.
• To produce C and D , S[0] is added to A , S[1] is added to B
![Page 123: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/123.jpg)
• Step 1 : XOR C and D to produce E.
• Step 2 : Circular left shift of E by D bits.
• Step 3 : Add E with next sub key to produce F.
![Page 124: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/124.jpg)
• Step 4 : XOR D and F
• Step 5 : Circular left shift G.
• Step 6 : Add G and next sub-key
![Page 125: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/125.jpg)
• Check whether all rounds are finished or not.
![Page 126: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/126.jpg)
![Page 127: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/127.jpg)
![Page 128: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/128.jpg)
• Step 1 : The sub-keys S[0], S[1], … are generated.
• Step 2 : The original key is called L. All sub-keys (S[0], S[1], …) are mixed with the corresponding sub-portions of the original key (L[0], L[1], …).
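The one-time initialization, the round steps and the sub-key generation described above, put together as a runnable RC5 with w = 32 (an added example, not code from the slides). The constants P32 and Q32 and the 3·max(t, c) mixing passes come from Rivest's RC5 specification rather than from this page; the function names are illustrative.

```python
# RC5-32/r/b: added illustration, not code from the slides.
W = 32                                  # word size w in bits
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9       # RC5 constants for w = 32 (from the RC5 spec)

def rotl(x, n):
    n %= W                              # only the low log2(w) bits of the count matter
    return ((x << n) | (x >> (W - n))) & MASK

def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK

def expand_key(key, rounds):
    """Step 1: generate S[0..2r+1]; step 2: mix S with the key words L."""
    u = W // 8                          # bytes per word
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):       # key bytes -> little-endian words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def encrypt_block(A, B, S):
    rounds = len(S) // 2 - 1
    A = (A + S[0]) & MASK               # C on the slides
    B = (B + S[1]) & MASK               # D on the slides
    for i in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK       # steps 1-3: XOR, rotate, add sub-key
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK   # steps 4-6 on the other half
    return A, B

def decrypt_block(A, B, S):
    rounds = len(S) // 2 - 1
    for i in range(rounds, 0, -1):      # undo the rounds with sub-keys in reverse order
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    return (A - S[0]) & MASK, (B - S[1]) & MASK
```

For RC5-32/16/16 as in the example above, call `expand_key(key, 16)` with a 16-byte key; the sub-key table then has 2(r + 1) = 34 words.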
![Page 129: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/129.jpg)
![Page 130: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/130.jpg)
![Page 131: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/131.jpg)
![Page 132: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/132.jpg)
• typically have a hierarchy of keys
• session key
  - temporary key
  - used for encryption of data between users
  - for one logical session, then discarded
• master key
  - used to encrypt session keys
  - shared by user & key distribution center
![Page 133: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/133.jpg)
![Page 134: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/134.jpg)
Henric Johnson 134
SESSION KEY LIFE TIME
![Page 135: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/135.jpg)
• hierarchies of KDCs are required for large networks, but they must trust each other
• session key lifetimes should be limited for greater security (connection-oriented and connectionless)
• use of automatic key distribution on behalf of users, but the system must be trusted
• use of decentralized key distribution
• controlling key usage
![Page 136: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/136.jpg)
• for cryptographic applications, can use a block cipher to generate random numbers
• often for creating session keys from a master key
• Counter Mode: Xi = E_Km[i]
• Output Feedback Mode: Xi = E_Km[X(i-1)]
![Page 137: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/137.jpg)
• often use deterministic algorithmic techniques to create “random numbers”
  - although these are not truly random
  - they can pass many tests of “randomness”
• known as “pseudorandom numbers”
• created by “Pseudorandom Number Generators (PRNGs)”
![Page 138: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/138.jpg)
• common iterative technique using:
  - X(n+1) = (a·Xn + c) mod m
• given suitable values of parameters, can produce a long random-like sequence
• suitable criteria to have are:
  - function generates a full period
  - generated sequence should appear random
  - efficient implementation with 32-bit arithmetic
• note that an attacker can reconstruct the sequence given a small number of values
• there are possibilities for making this harder
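Why this generator must not be used to derive keys, shown as an added example (not from the slides): with the modulus known, three consecutive outputs determine a and c, and every later value follows. The parameter values and function names are constructed for the demonstration.

```python
from itertools import islice

# Constructed demo parameters (assumptions, not from the slides); M is prime.
M = 2**31 - 1
A, C, SEED = 16807, 12345, 20240229

def lcg(a, c, m, seed):
    """Yield X1, X2, ... with X(n+1) = (a*Xn + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def recover_params(x0, x1, x2, m):
    """Solve x1 = a*x0 + c and x2 = a*x1 + c (mod m) for a and c."""
    d = (x1 - x0) % m
    try:
        inv = pow(d, -1, m)             # modular inverse (Python 3.8+)
    except ValueError:
        return None                     # x1 - x0 not invertible mod m: more samples needed
    a = (x2 - x1) * inv % m
    c = (x1 - a * x0) % m
    return a, c

def predict(observed, m, count):
    """From three observed outputs, return the next `count` outputs."""
    params = recover_params(observed[0], observed[1], observed[2], m)
    if params is None:
        return None
    a, c = params
    return list(islice(lcg(a, c, m, observed[2]), count))

if __name__ == "__main__":
    stream = list(islice(lcg(A, C, M, SEED), 8))
    print("recovered (a, c):", recover_params(*stream[:3], M))
    print("prediction matches:", predict(stream[:3], M, 5) == stream[3:])
```

Session keys and nonces should come from the operating system's CSPRNG (in Python, the `secrets` module) rather than from a generator of this form.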
![Page 139: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/139.jpg)
• Also called the Blum, Blum, Shub generator.
• Choose two large prime numbers p and q that both have remainder 3 when divided by 4.
• Let n = p*q. Choose a random s such that s is relatively prime to n.
• That is, neither p nor q may be a factor of s.
![Page 140: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/140.jpg)
• X0 = s^2 mod n
• For i = 1 to infinity:
  - Xi = (X(i-1))^2 mod n
  - Bi = Xi mod 2
• BBS is also referred to as a cryptographically secure pseudorandom bit generator (CSPRBG).
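The generator above as a short runnable sketch, including the checks on p, q and s (an added example, not from the slides). The primes and seed are constructed toy values, far too small for real use, and primality of p and q is assumed rather than tested.

```python
from math import gcd

def bbs_bits(p, q, s, count):
    """Return the bits B1..Bcount of the Blum Blum Shub generator."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be distinct and congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed s must be relatively prime to n")
    x = pow(s, 2, n)                # X0 = s^2 mod n
    bits = []
    for _ in range(count):
        x = pow(x, 2, n)            # Xi = X(i-1)^2 mod n
        bits.append(x & 1)          # Bi = Xi mod 2
    return bits

def bbs_bytes(p, q, s, nbytes):
    """Pack the bit stream into bytes, most significant bit first."""
    bits = bbs_bits(p, q, s, 8 * nbytes)
    out = bytearray()
    for k in range(0, len(bits), 8):
        byte = 0
        for b in bits[k:k + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

# Constructed toy parameters: 383 and 503 are both 3 mod 4, n = 192649.
P, Q, S = 383, 503, 101355

if __name__ == "__main__":
    print(bbs_bits(P, Q, S, 8))
    print(bbs_bytes(P, Q, S, 4).hex())
```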
![Page 141: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/141.jpg)
CAST-128, RC2
![Page 142: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/142.jpg)
• Developed by Ron Rivest (RSA Data Security)
• 64-bit block cipher
• Variable key size (from one byte up to 128 bytes)
• Designed to be easy to implement on 16-bit microprocessor
Use 16-bit word, 16-bit arithmetic (addition, XOR, AND, ~, rotate)
• Non-Feistel
• 18 rounds (mixing/mashing)
• Used in S/MIME
![Page 143: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/143.jpg)
• RC2 assumes a 128-byte (64-word) key buffer
  - For byte operations, the key array is L[0], …, L[127]; each L[i] is a byte
  - For word operations, the key array is K[0], …, K[63]; each K[i] is a 16-bit word
  - These are alternative views of the same key buffer
• Key expansion
  - Assume that exactly T bytes of key are supplied, 1 ≤ T ≤ 128
  - The purpose of the key expansion algorithm is to modify the key buffer so that each bit of the expanded key depends in a complicated way on every bit of the supplied input key
  - Key expansion begins by placing the supplied T-byte key into bytes L[0], …, L[T-1] of the key buffer
  - The L array is then computed making use of an auxiliary array P
  - The P array is a random permutation of the values 0, …, 255, which is constructed based on π = 3.14159… (see next page)
  - The computation is K[i] = L[2*i] + 256*L[2*i+1].
![Page 144: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/144.jpg)
Here is the P array in hexadecimal notation:
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00: d9 78 f9 c4 19 dd b5 ed 28 e9 fd 79 4a a0 d8 9d
10: c6 7e 37 83 2b 76 53 8e 62 4c 64 88 44 8b fb a2
20: 17 9a 59 f5 87 b3 4f 13 61 45 6d 8d 09 81 7d 32
30: bd 8f 40 eb 86 b7 7b 0b f0 95 21 22 5c 6b 4e 82
40: 54 d6 65 93 ce 60 b2 1c 73 56 c0 14 a7 8c f1 dc
50: 12 75 ca 1f 3b be e4 d1 42 3d d4 30 a3 3c b6 26
60: 6f bf 0e da 46 69 07 57 27 f2 1d 9b bc 94 43 03
70: f8 11 c7 f6 90 ef 3e e7 06 c3 d5 2f c8 66 1e d7
80: 08 e8 ea de 80 52 ee f7 84 aa 72 ac 35 4d 6a 2a
90: 96 1a d2 71 5a 15 49 74 4b 9f d0 5e 04 18 a4 ec
a0: c2 e0 41 6e 0f 51 cb cc 24 91 af 50 a1 f4 70 39
b0: 99 7c 3a 85 23 b8 b4 7a fc 02 36 5b 25 55 97 31
c0: 2d 5d fa 98 e3 8a 92 ae 05 df 29 10 67 6c ba c9
d0: d3 00 e6 cf e1 9e a8 2c 63 16 01 3f 58 e2 89 a9
e0: 0d 38 34 1b ab 33 ff b0 bb 48 0c 5f b9 b1 cd 2e
f0: c5 f3 db 47 e5 a5 9c 77 0a a6 20 68 fe 7f c1 ad
![Page 145: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/145.jpg)
![Page 146: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/146.jpg)
• Encryption algorithm takes a 64-bit input stored in R[0], R[1], R[2], R[3], and places the result back in R[0] thru R[3].
• Algorithm consists of 18 rounds of two types: mixing and mashing
• Mixing round:
    R[0] = R[0] + K[j] + (R[3] & R[2]) + (~R[3] & R[1]);
    R[0] = R[0] <<< 1;
    j = j + 1;
    R[1] = R[1] + K[j] + (R[0] & R[3]) + (~R[0] & R[2]);
    R[1] = R[1] <<< 2;
    j = j + 1;
    R[2] = R[2] + K[j] + (R[1] & R[0]) + (~R[1] & R[3]);
    R[2] = R[2] <<< 3;
    j = j + 1;
    R[3] = R[3] + K[j] + (R[2] & R[1]) + (~R[2] & R[0]);
    R[3] = R[3] <<< 5;
    j = j + 1;
  Here j is a global variable; K[j] is the first subkey word that has not yet been used.
![Page 147: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/147.jpg)
• Decryption: inverse operation of encryption, with the keys used in reverse order
• Mashing round: R[j] = R[j] + K[R[j-1] % 64]
![Page 148: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/148.jpg)
• 64-bit iterated block cipher
• key: 40 bits up to 128 bits (increments of 8 bits)
• 12 up to 16 rounds
• Feistel Network structure
• designed by C. Adams and S. Tavares (1996)
• S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996
![Page 149: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/149.jpg)
• CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5)
• CAST-128 uses fixed 8x32-bit S-boxes: for encryption and decryption (S1, S2, S3, S4) and for the key schedule (S5, S6, S7, S8)
• round operations: +, -, XOR, <<<
• three round functions: f1, f2 and f3
• An official algorithm for use with the Canadian Government:
http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html
![Page 150: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/150.jpg)
[Figure: CAST-128 round functions f1, f2 and f3]
![Page 151: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/151.jpg)
• Three different round functions are used in CAST-128. The rounds are as follows (where "D" is the data input to the f function and "Ia" - "Id" are the most significant byte through least significant byte of I, respectively).
• Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left-shift operation.
• Type 1: I = ((Kmi + D) <<< Kri), f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]
• Type 2: I = ((Kmi ^ D) <<< Kri), f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]
• Type 3: I = ((Kmi - D) <<< Kri), f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]
• Rounds 1, 4, 7, 10, 13, and 16 use f function Type 1.
• Rounds 2, 5, 8, 11, and 14 use f function Type 2.
• Rounds 3, 6, 9, 12, and 15 use f function Type 3.
![Page 152: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/152.jpg)
Key features found in advanced symmetric block ciphers (not in DES)
• Variable key length
  - Blowfish, RC5, CAST-128, RC2
• Mixed operators
  - More than one arithmetic and/or Boolean operator, especially ones that are not associative or distributive
  - These operators provide nonlinearity as an alternative to S-boxes
• Data-dependent rotation
  - Provides excellent confusion and diffusion
  - RC5
• Key-dependent rotation
  - CAST-128
![Page 153: Unit 2](https://reader034.fdocuments.net/reader034/viewer/2022051212/55757aefd8b42adb7e8b4bb2/html5/thumbnails/153.jpg)
• Key-dependent S-boxes
  - Blowfish
• Expensive key schedule computation
  - Blowfish
• Variable round function (F)
  - CAST-128
• Variable plaintext/ciphertext block length
  - RC5
• Variable number of rounds
  - RC5
• Operation on both data halves each round
  - IDEA, Blowfish, RC5