The IDEA encryption algorithm was designed in 1990 at ETH Zurich. It operates on 64-bit plaintext blocks, has a 128-bit key, and consists of 8 rounds of processing with 16-bit subkeys derived from the main key. The algorithm mixes XOR, addition modulo 216, and multiplication modulo 216 + 1 operations on its 16-bit subblocks at each round. IDEA is faster than DES in software implementations and remains secure against known cryptanalytic attacks due to its large key size and complex operations.

1. International Data Encryption
Algorithm (IDEA)
•Originally designed by Massey and Lai at ETH (Zurich),
1990.
•Based on mixing operations from different algebraic
groups (XOR, addition mod 216 , multiplication mod 216 +1).
•All operations are on 16-bit sub-blocks, with no
permutations used.
•Speed: faster than DES in software.

2. Broad Level Steps in IDEA
Input Plain Text (64 bits)
P1 (16 bits) P2 (16 bits) P3 (16 bits) P4 (16 bits)
Round 1
K1
.
. K6
Round 2
K7
.
. K12

Round 8
K43
.
. K48
Output Transformation
K49
.
. K52
C1 (16 bits) C2 (16 bits) C3 (16 bits) C4 (16 bits)
Output Cipher Text (64 bits)

3. IDEA
• Design goals:
– Block Length: deter statistical analysis
– Key Length: deter exhaustive search
• Features:
– 128-bit key
– 64 bit blocks
– 8 rounds,
– operates on 16-bit numbers

4. IDEA: Encryption
• 64-bit data block is divided in 4 parts:
X1 X2 X3 X4
• In each of eight rounds with 14 steps the sub-blocks
are XORd, added, multiplied with one another and with
six 16-bit sub-blocks of key material, and the second
and third sub-blocks are swapped.
• Finally some more key material is combined with the
sub-blocks.

5. IDEA Key Schedule
• Total of 52 subkeys: 6*8+4
• Subkey is generated by dividing the 128 bits key
in 8 x 16 bits keys. Every time more subkeys are
needed, rotate left the key 25 bits and divide
again in 8 subkeys.
• The decryption keys are
a little more difficult to
generate.

6. IDEA Cryptanalysis
• Currently there is no known practical attack against
IDEA.
• Appears secure against differential cryptanalysis.
• Key length protects against exhaustive search.
• IDEA has weak keys, avoided at key generation.

7. Encryption key generation
• The 52 16-bit key sub-blocks which are generated from
the 128-bit key are produced as follows:
• First, the 128-bit key is partitioned into eight 16-bit sub-
blocks which are then directly used as the first eight key
sub-blocks.
• The 128-bit key is then cyclically shifted to the left by 25
positions, after which the resulting 128-bit block is again
partitioned into eight 16-bit sub-blocks to be directly used
as the next eight key sub-blocks.
• The cyclic shift procedure described above is repeated
until all of the required 52 16-bit key sub-blocks have
been generated.

15. In each round, the sequence of events is as follows:
(1) Multiply X1 and the first subkey.
(2) Add X2 and the second subkey.
(3) Add X3 and the third subkey.
(4) Multiply X4 and the fourth subkey.
(5) XOR the results of steps (1) and (3).
(6) XOR the results of steps (2) and (4).
(7) Multiply the results of step (5) with the fifth subkey.
(8) Add the results of steps (6) and (7).
(9) Multiply the results of step (8) with the sixth subkey.
(10) Add the results of steps (7) and (9).
(11) XOR the results of steps (1) and (9).
(12) XOR the results of steps (3) and (9).
(13) XOR the results of steps (2) and (10).
(14) XOR the results of steps (4) and (10).

16. X1 X2 X3 X4
X1 X2 X3 X4

17. After the eighth round, there is a final output
transformation:
(1) Multiply X1 and the first subkey.
(2) Add X2 and the second subkey.
(3) Add X3 and the third subkey.
(4) Multiply X4 and the fourth subkey.

18. Algebraic operations used in IDEA
• The algebraic idea behind IDEA is the
mixing of three incompatible algebraic
operations on 16-bit blocks:
– bitwise XOR,
– addition modulo 216,
– and multiplication modulo 216 + 1.

21. RC5
• Proprietary cipher owned by RSA Data Security
(designed by Ron Rivest).
• Very fast, operates on words.
• Variable key size, block size and number of rounds.
• Clean and simple design.
• Low memory requirement.
• Data-dependent rotations that strengthen the
algorithm against cryptanalysis.

22. Design objectives for RC5
• RC5 should be a symmetric block cipher.
• The plaintext and ciphertext are fixed-length
bit sequences (blocks).
• RC5 should be suitable for hardware or
software. This means that RC5 should use only
computational primitive operations commonly
found on typical microprocessors.

23. Design objectives for RC5
• RC5 should be fast. This more-or-less implies that RC5 be
word-oriented: the basic computational operations should be
operators that work on full words of data at a time.
• RC5 should be adaptable to processors of different word-
lengths. For example, as 64-bit processors become available, it
should be possible for RC5 to exploit their longer word length.
• Therefore, the number w of bits in a word is a parameter of
RC5; different choices of this parameter result in different
RC5 algorithms.

24. Design objectives for RC5
• RC5 should be iterative in structure, with a variable number of
rounds.
• The user can explicitly manipulate the trade-off between
higher speed and higher security.
• The number of rounds r is a second parameter of RC5.
• RC5 should have a variable-length cryptographic key. The
user can choose the level of security appropriate for his
application, or as required by external considerations such as
export restrictions.
• The key length b (in bytes) is thus a third parameter of RC5.

25. Design objectives for RC5
• RC5 should be simple. It should be easy to implement. More
importantly, a simpler structure is perhaps more interesting to
analyze and evaluate, so that the cryptographic strength of
RC5 can be more rapidly determined.
• RC5 should have a low memory requirement, so that it may be
easily implemented on smart cards or other devices with
restricted memory.
• (Last but not least!) RC5 should provide high security when
suitable parameter values are chosen.

26. Design objectives for RC5
In addition, during the development of RC5, designer began to
focus his attention on a intriguing new cryptographic
primitive: data-dependent rotations, in which one word of
intermediate results is cyclically rotated by an amount
determined by the low-order bits of another intermediate
result.
Thus developed an additional goal.
• RC5 should highlight the use of data-dependent rotations, and
encourage the assessment of the cryptographic strength data-
dependent rotations can provide.

27. RC5:A Parameterized Family of Encryption
Algorithms
• RC5 is a family of ciphers rc5-w/r/b
– w = word size in bits (16/32/64)
(plaintext block size=2w=ciphertext block size)
– r = number of rounds (0..255)
• In addition to w and r, RC5 has a variable-length
secret cryptographic key, specified by parameters b
and K:
– b The number of bytes in the secret key K. Allowable
values of b are 0, 1, ..., 255.
– K The b-byte secret key: K[0], K[1], ..., K[b − 1] .

28. RC5:A Parameterized Family of Encryption
Algorithms
• Nominal version is RC5-32/12/16
– 32-bit words so encrypts 64-bit data blocks
– Using 12 rounds
– 16 bytes (128-bit) secret key
– But Algorithm needs 2*(r+1)=26 byte of keys.

29. RC5 Key Schedule
• RC5 uses 2r+2 subkey words (w-bits)
• subkeys are stored in array s[i], i=0..t-1
t=2*(r+1)
• Initialize S to a fixed pseudorandom value
• The byte key is copied (little-endian) into a c-
word array L
• A mixing operation then combines L and S to
form the final S array

31. RC5 Encryption
Split input text into two parts A and B
LE0 = A + S[0]
RE0 = B + S[1]
for i = 1 to r do
LEi = ((LEi-1  REi-1) <<< REi-1) + S[2 * i]
REi = ((REi-1  LEi) <<< LEi) + S[2 * i + 1]
• Rotation is main source of non-linearity
• x <<< y cyclic rotation of word x left by y bits

32. RC5 Decryption
Cipher text is LDr and RDr
for i = r downto 1 do
RDi-1 = ((RDi-1 - S[2 * i +1]) >>> LDi)  LDi
LDi-1 = ((LDi - S[2 * i]) >>> RDi-1)  RDi-1
B = RD0 – S[1]
A = LD0 – S[0]
• x >>> y cyclic rotation of word x right by y bits.
• Two’s complement addition of words, denoted by “+”.
This is modulo-2w addition. The inverse operation,
subtraction, is denoted “−”.

33. Key Expansion
• The key-expansion routine expands the user’s secret
key K to fill the expanded key array S, so that S
resembles an array of t = 2(r+1) random binary words
determined by K.
• The key expansion algorithm uses two “magic
constants,” and consists of three simple algorithmic
parts.

34. Key Expansion
• The key-expansion algorithm uses two word-sized binary constants Pw and
Qw (called Magic Constants). They are defined for arbitrary w as follows:
• and where Odd(x) is the odd integer nearest to x (rounded up if x is an even
integer, although this won’t happen here).

35. Key Expansion
• For w = 16, 32, and 64, these constants are given below in
binary and in hexadecimal.
• P16 = 1011011111100001 = b7e1
• Q16 = 1001111000110111 = 9e37
• P32 = 10110111111000010101000101100011 = b7e15163
• Q32 = 10011110001101110111100110111001 = 9e3779b9
• P64 =
10110111111000010101000101100010100010101110110100
10101001101011 = b7e151628aed2a6b
• Q64 =
10011110001101110111100110111001011111110100101001
11110000010101 = 9e3779b97f4a7c15

36. Converting the Secret Key from Bytes to Words
• The first algorithmic step of key expansion is to copy the
secret key K[0...b − 1] into an array L[0...c − 1] of c = b/u
words, where u = w/8 is the number of bytes/word.
• This operation is done in a natural manner, using u consecutive
key bytes of K to fill up each successive word in L, low-order
byte to high-order byte.
• Any unfilled byte positions of L are zeroed.

37. Initializing the Array S
• The second algorithmic step of key expansion is to initialize
array S to a particular fixed (key-independent) pseudo-random
bit pattern, using an arithmetic progression modulo 2w
determined by the “magic constants” Pw and Qw.
• Since Qw is odd, the arithmetic progression has period 2w.

38. Mixing in the Secret Key
• The third algorithmic step of key expansion is to mix in the
user’s secret key in three passes over the arrays S and L.
• More precisely, due to the potentially different sizes of S and
L, the larger array will be processed three times, and the other
may be handled more times.

39. Reference for RC5
R.L. Rivest, “The RC5 Encryption Algorithm,”
Fast Software Encryption: Second
International Workshop, Leuven, Belgium,
December 1994, Proceedings, Springer-
Verlag, 1994, pp. 86-96.
www.ecs.csus.edu/csc/iac/csc296o/lecture_notes
/rc5.pdf

40. RC5 Encryption Modes
• RC5 Block Cipher, is ECB mode.
• RC5-CBC, is CBC mode.
• RC5-CBC-PAD, is CBC with padding by bytes
with value being the number of padding bytes.
• RC5-CTS, a variant of CBC which is the same
size as the original message, uses ciphertext
stealing to keep size same as original, handles
plaintext of any size and produces ciphertext of
equal size.

42. Blowfish
• Designed by Bruce Schneier
in 1993/94.
• Fast implementation on 32-bit CPUs.
• Compact: runs in less than 5K of memory.
• Simple to implement and analyze its strength.
• Variable security: can give it larger keys.

43. Blowfish Key Generation
• Block size is 64
• Number of rounds is 16
• Uses a key of variable size,
from 32 to 448 bits.
• The key is used to generate:
– 18 32-bit subkeys stored in P-arrays
– 4 8x32 S-boxes stored in S-arrays
• Requires 521 encryptions, so it has a
slow rekeying.

44. Each line represents 32 bits. The algorithm keeps two subkey
arrays: the 18-entry P-array and four 256-entry S-boxes. The S-
boxes accept 8-bit input and produce 32-bit output. One entry of
the P-array is used every round, and after the final round, each half
of the data block is XORed with one of the two remaining unused
P-entries.

46. Blowfish decryption
• Decryption is exactly the same as encryption,
except that P1, P2,..., P18 are used in the
reverse order.
• This is not so obvious because xor is
commutative and associative.
• A common mistake is to use inverse order of
encryption as decryption algorithm (i.e. first
XORing P17 and P18 to the ciphertext block,
then using the P-entries in reverse order).

52. Blowfish Cryptanalysis
• Key dependent S-boxes and subkeys,
generated using cipher itself, makes
analysis very difficult.
• Changing both halves in each
round increases security.
• Provided key is large enough, brute-force
key search is not practical.