IETE Journal of Education

ISSN: (Print) (Online) Journal homepage: https://www.tandfonline.com/loi/tije20

A Review on Evolution of Symmetric Key Block Ciphers and Their Applications

Appala Naidu Tentu

To cite this article: Appala Naidu Tentu (2020): A Review on Evolution of Symmetric Key Block Ciphers and Their Applications, IETE Journal of Education, DOI: 10.1080/09747338.2020.1769508

To link to this article: https://doi.org/10.1080/09747338.2020.1769508

Published online: 12 Jun 2020.


REVIEW ARTICLE

A Review on Evolution of Symmetric Key Block Ciphers and Their Applications

Appala Naidu Tentu

C. R. Rao Advanced Institute of Mathematics, Statistics and Computer Science (AIMSCS), University of Hyderabad Campus, Hyderabad,

Telangana 500 046, India

ABSTRACT

This paper reviews the state of the art of symmetric key block cipher designs and their essential security role in several applications such as IoT and low-power devices like motes. Many engineering curricula have one course on network and internetwork security at the undergraduate level. However, due to the expanding research on ever newer primitives and the host of published literature on protocols and algorithms for encryption, authentication, message integrity, and key exchange, it is of interest to deliver (teach) as much information as possible within one or two semester courses in the undergraduate engineering curriculum. In this paper, our objective is to present a comprehensive review of design approaches including Feistel, SPN, ARX, and other hybrid structures and also to highlight various cryptanalysis techniques and attacks. We focus on which topics need to be covered and to what depth. Further, this paper also presents the performance metrics that are commonly reported in the literature when comparing block cipher implementations. These are necessary since the students should finally be able to appreciate how to benchmark and know what industry needs.

KEYWORDS

Symmetric key ciphers; Feistel; SP network; IoT; Lightweight cryptography; Cryptanalysis

1. INTRODUCTION

The most obvious use of cryptography, and the one that all of us are familiar with in our daily life, is encrypting communications between a sender and a receiver over the internet. This is most commonly used for communication between a client program and a server. Symmetric block encryption algorithms are among the most widely used cryptographic primitives [1]. In addition to providing confidentiality via encryption, they are also used as basic primitives in the construction of hash functions, generation of pseudorandom sequences [3], etc.

The advent of digital computers and the need for storage, paired with an increasing desire for sophistication in cryptography, have driven the science of block ciphers since the 70's. Over the decades of research, several block ciphers [3] have come into use, and they are based on one of the following inner structures: “Substitution Permutation Networks (SPNs), Feistel networks, Add-Rotate-XOR (ARX [43]), NLFSR (Non-linear Feedback Shift Register)-based and hybrid types”. AES [32] is the best-known cipher that adopts the SPN structure; DES [2] and its extension T-DES are the best-known Feistel-type ciphers; KeeLoq [2] is the best-known NLFSR-based cipher; and the best-known hybrid ciphers are those of the Hummingbird [65] family. Also, recently, to address the challenges of securing smart wireless and IoT-based devices, a new research direction called lightweight cryptography has been established, which focuses on designing novel cryptographic algorithms and protocols tailored for implementation in resource-constrained environments.

© 2020 IETE

While cryptographers design secure block ciphers, cryptanalysts use cryptanalysis [2,55] to breach cryptographic security systems in order to find and analyze the hidden aspects and weaknesses of the systems and even to find the key that is used by the sender. There are several ways to analyze the security of a block cipher. To analyze cipher designs, several cryptanalysis techniques [45,48] have been proposed in the literature, including linear cryptanalysis, differential cryptanalysis, algebraic attacks, multiple approximations and key independence, man-in-the-middle attacks, boomerang-rectangle attacks, interpolation attacks, integral attacks, and related-key attacks. Besides this, the most practical attacks today belong to side-channel analysis (SCA) [48], targeting implementations of cryptography in software and hardware.

Modern block ciphers depend on the concept of the iterated product cipher, which follows Shannon's [44] paradigm of mixing confusion layers with diffusion layers. These cipher designs carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. There were many advancements after the pioneering work of Luby-Rackoff [45] on the security of top-level designs of block ciphers. For Feistel ciphers, both security proofs and generic attacks are given in [45] and [46], and for SPN-based ciphers a more powerful theory has been developed in [47] which allows security proofs against a large class of attacks.

Figure 1: Client–Server communication protocol

The main applications [4] of modern block ciphers are encryption and use as building blocks for cryptographic hash functions. Other applications of cryptography [12,13] include wired and wireless communication, Internet Protocol Security [10], electronic commerce, chip-based payment cards [27], digital currencies, computer passwords, Internet of Things (IoT) [24], and military communications. The scope of the subject being very vast, it is necessary to teach the students these various topics within the limited time. In this paper, we focus on teaching block ciphers as a vehicle. The course shall be balanced in theory and practice.

The organisation of the paper is as follows: Section 2 describes the applications of symmetric key block ciphers. In Section 3, we present the design primitives and cryptanalysis of symmetric key block ciphers. In Sections 4 and 5, we consider Feistel and SPN based ciphers and their analysis. In Section 6, we discuss lightweight cryptographic ciphers and their analysis. In Section 7, we present performance metrics of all types of block ciphers, and conclusions are given in Section 8.

2. APPLICATIONS OF BLOCK CIPHERS

In the following subsections, we discuss popular everyday applications of cryptographic algorithms.

2.1 Secure Socket Layer/Transport Layer Security

In general, to secure network communication, Secure Socket Layer (SSL) and Transport Layer Security (TLS) [10] are used. The Internet Protocol Security (IPSec) protocol [5] uses standard cryptographic algorithms and is the standard way for secure data exchange at the network level. Most TCP/IP-based protocols [7,9] widely use the TLS/SSL cryptographic security protocols implemented in the OpenSSL library; these include “email (SMTPS/POP3), HTTPS, instant messaging (XMPP), FTPS, VoIP, and VPN” etc. SSL/TLS protocols allow the connection between two parties (client and server) to be encrypted and make sure that no third party is able to read or modify the data.

The process of establishing a secure SSL/TLS connection between the client and the server involves several steps. SSL/TLS security protocols [10] use a combination of asymmetric and symmetric encryption algorithms. The client and the server must negotiate the algorithms used and exchange key information (see Figure 1). Major vulnerabilities [6,12] are exploited in older TLS/SSL versions (TLSv1.2 and SSL 2.0), and the most recent “TLS V1.1, v1.3 and SSL 3.0 protocols” use block cipher encryption algorithms with strong key lengths. Recently, the IETF (Internet Engineering Task Force) [11] specified TLS version (TLS 1.3) in the document RFC 8446 and SSL version (SSL 3.0) in the IETF document RFC 6101.

The most important part of this protocol is the “cipher suite” [10], which provides confidentiality, authentication, and integrity. In general, the client sends the server a list of all the cipher suites that it supports, in order of preference. Each cipher suite contains one cryptographic algorithm (mostly block cipher) [8] with a certain mode for each of the following tasks: key exchange, authentication, bulk (data) encryption, and message authentication.

A sample cipher suite [8] string is: “TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA512”. This string contains the following information:

• ECDHE is the key exchange algorithm (Elliptic curve Diffie–Hellman)

• ECDSA is the authentication algorithm (Elliptic Curve Digital Signature Algorithm)

• AES_256_GCM is the data encryption algorithm (Advanced Encryption Standard 256-bit Galois/Counter Mode)

• SHA512 is the Message Authentication Code (MAC) algorithm (Secure Hash Algorithm 256-bit)

2.2 Internet of Things (IoT)

The vision of connecting everything, including Ubiquitous, Radio-frequency identification (RFID), Machine to Machine (M2M), etc., is a new concept of communication. Internet of Things (IoT) [24] is a new-era technology, and we are only recently learning about and benefiting from the opportunities it provides. An advantage of IoT [22] is the ability to capture and analyze data from distributed connected devices. However, the IoT also exposes organizations to new security vulnerabilities introduced by increased network connectivity and devices that are not secured by design. In order to achieve confidentiality, authenticity, and integrity, encryption and decryption [23] are usually implemented in different forms. In place of traditional cryptography techniques, lightweight cryptography [21] algorithms seem the most promising for the IoT environment.

2.3 Banking and E-commerce

Electronic banking [27] is now the basic essence of banking services. Online transactions need the utmost security to avoid possible fraudulent transactions of any kind. Various encryption algorithms [25] are built into the communication network to prevent unauthorized transactions. All the data and communications are protected by cryptography, making chip and PIN cards more difficult to hack. E-commerce [26] relies on encryption to secure data transmission by controlling data access and protecting information on the internet.

3. CRYPTOGRAPHY

In symmetric key cryptography [1,2], encryption is performed on plain data using the shared secret key. For any cryptosystem using block ciphers, the important parameters are key length, block length, number of rounds, operations in each round, and key schedule algorithm (KSA).

3.1 Design Primitives

Block ciphers comprise several rounds; each round has diffusion and confusion layers and uses a round key (see Figure 2). The round keys are derived from the master encryption key using the key schedule algorithm (KSA). Confusion layers are usually realized by applying substitution boxes, which are defined by lookup tables, and diffusion layers by applying MDS (Maximum Distance Separable) matrices and permutations.

Figure 2: Encryption-round function

The purpose of confusion [1,20] is to make the relationship between the statistics of the key and the ciphertext as complex as possible. Thus, even if the intruder gets to know the statistics of the ciphertext, he should not be able to get the statistics of the key. The purpose of diffusion [19] is to maintain a very complex relationship between the statistics of ciphertexts and plaintexts so as to make the deduction of the key more complex.

(i) Boolean functions

A Boolean function [3] in $n$ binary variables maps from $F_2^n$ into $F_2$. There are $2^{2^n}$ $n$-bit Boolean functions in total. Let $f: F_2^n \to F_2$ be a Boolean function. A Boolean function $f$ of $n$ variables can be uniquely represented by a truth table (TT). For example, consider a 3-input $(x_2, x_1, x_0)$ Boolean function $f$ having the eight values 0,1,0,1,1,1,0,0 corresponding to all eight input combinations 000, 001, 010, ..., 111. This function can be obtained using a technique like Karnaugh map etc. However, the presentation may not be unique. The Walsh transform is a second unique representation of a Boolean function; it measures the similarity between $f(x)$ and the linear function $a \cdot x$. A third unique representation of a Boolean function $f$ on $F_2^n$ is by means of a polynomial which uses only AND and Exclusive OR operations. As an illustration, the Boolean function corresponding to the above example is as follows:

$f(x_2, x_1, x_0) = x_2 x_1 \oplus x_2 x_0 \oplus x_2 \oplus x_0$

This form is called the algebraic normal form (ANF). The same function using the truth table will be $x_2 \bar{x}_1 + x_0 \bar{x}_1 \bar{x}_2 + \bar{x}_2 x_1 x_0$. Note that here + stands for the OR logic function. Many other functions are possible in this representation.
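The conversions described above, worked through in Python as an added example (not code from the paper): the truth table 0,1,0,1,1,1,0,0 is converted to its ANF with the binary Möbius transform, and the Walsh spectrum gives the non-linearity. The function names are illustrative, and bit i of an input index is assumed to be $x_i$.

```python
# Added example: truth table <-> ANF, Walsh spectrum, degree, non-linearity.
# Convention (assumed): bit i of an input index is x_i, so 0b101 is x2=1, x1=0, x0=1.

def mobius(bits):
    """Binary Moebius transform. It is an involution: it maps a truth table
    to its ANF coefficients and ANF coefficients back to the truth table."""
    out = list(bits)
    n = len(out).bit_length() - 1
    if len(out) != 1 << n:
        raise ValueError("length must be a power of two")
    for i in range(n):
        for x in range(len(out)):
            if x & (1 << i):
                out[x] ^= out[x ^ (1 << i)]
    return out

def anf_monomials(tt):
    """Monomials of the ANF as tuples of variable indices; () is the constant 1."""
    n = len(tt).bit_length() - 1
    return [tuple(i for i in range(n) if (mask >> i) & 1)
            for mask, c in enumerate(mobius(tt)) if c]

def degree(tt):
    """Algebraic degree: size of the largest monomial in the ANF."""
    return max((len(m) for m in anf_monomials(tt)), default=0)

def walsh_spectrum(tt):
    """W(a) = sum over x of (-1)^(f(x) XOR a.x), via the fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(n-1) - max|W(a)|/2."""
    return len(tt) // 2 - max(abs(v) for v in walsh_spectrum(tt)) // 2

# Truth table from the text, listed for inputs x2x1x0 = 000, 001, ..., 111.
TT = [0, 1, 0, 1, 1, 1, 0, 0]

def page_anf(x2, x1, x0):
    """The ANF printed in the text, evaluated directly."""
    return (x2 & x1) ^ (x2 & x0) ^ x2 ^ x0

if __name__ == "__main__":
    print("ANF monomials:", anf_monomials(TT))
    print("degree:", degree(TT))
    print("Walsh spectrum:", walsh_spectrum(TT))
    print("non-linearity:", nonlinearity(TT))
```

Applying `mobius` twice returns the original truth table, which is the "sequence from the ANF and vice versa" exercise in both directions.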

The student shall be taught how to get the sequence from the given ANF and vice versa. Tools that can analyze the security properties of Boolean functions are:

• boolfun package in R [67]: it is possible to load a package named boolfun that provides functionalities related to the cryptographic analysis of Boolean functions.

• Boolean functions in Sage [66]: In Sage, there is a module called BooleanFunctions that allows one to study cryptographic properties of Boolean functions.

The student can use these packages and find out degree, non-linearity, correlation immunity, algebraic immunity, etc.

3.2 S-Boxes

Substitution boxes (S-boxes) [32] are important non-linear functions in many block cipher algorithms and play a crucial role in their security.

An S-box (an $(n,m)$-function) is any mapping $F: F_2^n \to F_2^m$. If $m = 1$ then the function is called a Boolean function. The Boolean functions $f_i$, $i \in \{1, \ldots, m\}$, are the coordinate functions of $F$, where every Boolean function has $n$ variables. In other words, each output bit of the 8-bit S-box is a non-linear function of 8 input variables. Thus, the S-box is characterized by eight Boolean functions. Hence the student shall be encouraged to know the properties of Boolean functions in an advanced level course.

The static view of an S-box, with inputs $X = [x_1, x_2, \ldots, x_n]$ and outputs $Y = [y_1, y_2, \ldots, y_m]$, can be represented as shown in Figure 3.

Figure 3: Static view of an n × m S-box

S-boxes can be constructed in an ad hoc manner and tested for good properties. Alternatively, they can be constructed using an algorithm. In the following, we present the generation of the AES 8 × 8 S-box for illustration.

AES Substitution Box [20]: The AES S-box is generated by using GF($2^8$) (Galois Field) and the irreducible polynomial $M = x^8 + x^4 + x^3 + x + 1$. The AES S-box is a matrix of (16 × 16 = 256) elements in which rows and columns have values ranging from 0 to 15 (0 to f in hexadecimal). Each byte of the S-box is mapped to its multiplicative inverse in GF($2^8$), where 00 is mapped to itself. Then, an affine transformation (over GF(2)) is computed.

The AES S-box output byte is generated by the equation $Y := Ax \oplus c$, where “A” is the affine matrix (8×8), “x” is a byte ($b_7 b_6 \ldots b_0$) which is the multiplicative inverse of the input byte with respect to the irreducible polynomial, and “c” is the affine constant, i.e. 63 (01100011). Note that all operations are bit-oriented. The symbol ⊕ is the one-bit XOR operation. The student shall be told that the multiplication with the affine matrix means finding the parity of a 5-bit string in the input. An inquisitive student must be asked to consult the literature and find out why this step is needed and why the inverse of the byte itself cannot be used. The affine matrix used is shown below:

$B_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i,$

$$
\begin{pmatrix} B_0 \\ B_1 \\ B_2 \\ B_3 \\ B_4 \\ B_5 \\ B_6 \\ B_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix}
\oplus
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$

The S-box generated by the above equation is represented in Table 1.

The student shall work out examples in Galois field operations. The various properties of the S-box shall be taught to the student. The eight algebraic equations which realize the S-box table (i.e., equations expressing each output bit in terms of the eight input bits) shall be derived. The student shall be taught about the degree of the Boolean function, non-linearity, etc.

Tools that can analyze the security properties of S-boxes are:

• SAGE Math [66] tool (www.sagemath.org), S-boxes in Sage: there is a module called S-box that allows the algebraic treatment of S-boxes (sage: from sage.crypto.sbox import SBox), including algebraic degree, non-linearity, difference distribution table (DDT), balancedness, branch number, and other properties of S-boxes.

• Picek, Peigen, SET (S-box Evaluation Tool) [68]: These customized tools provide a comprehensive checklist for designers.

Table 1: AES 8 × 8 S-box

      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0    63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1    ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2    b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3    04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4    09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5    53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6    d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7    51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8    cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9    60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
A    e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
B    e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
C    ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
D    70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
E    e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
F    8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

3.3 MDS Matrices

In cryptography, an MDS (Maximum Distance Separable) matrix is a matrix representing a function with certain diffusion properties that have useful applications. MDS matrices are widely used in SPN ciphers and also in Feistel ciphers. More recently, new MDS matrices have been proposed which allow efficient hardware implementations that can be computed in a single cycle.

The AES block cipher uses a 4×4 circulant MDS matrix and the realized function is called Mix Column. In this, each of the 32 output bits is a linear function of some of the input bits. The following 4×4 matrix is the diffusion matrix used to multiply with the 32-bit input considered as 4 bytes $a_0, a_1, a_2$ and $a_3$ to get the 4-byte output $b_0, b_1, b_2, b_3$. Note that the entries in the matrix are bytes written in HEX form (as two nibbles).

$$
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}
=
\begin{pmatrix}
02 & 03 & 01 & 01 \\
01 & 02 & 03 & 01 \\
01 & 01 & 02 & 03 \\
03 & 01 & 01 & 02
\end{pmatrix}
\begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}
$$

The output of the Mix Column operation is as follows:

$b_0 = \{02\} \cdot a_0 \oplus \{03\} \cdot a_1 \oplus \{01\} \cdot a_2 \oplus \{01\} \cdot a_3$

$b_1 = \{01\} \cdot a_0 \oplus \{02\} \cdot a_1 \oplus \{03\} \cdot a_2 \oplus \{01\} \cdot a_3$

$b_2 = \{01\} \cdot a_0 \oplus \{01\} \cdot a_1 \oplus \{02\} \cdot a_2 \oplus \{03\} \cdot a_3$

$b_3 = \{03\} \cdot a_0 \oplus \{01\} \cdot a_1 \oplus \{01\} \cdot a_2 \oplus \{02\} \cdot a_3$

Note that the bytes are treated as polynomials over GF(2). A byte $p = p_7 p_6 p_5 p_4 p_3 p_2 p_1 p_0$ is considered as the polynomial $p_7 x^7 + p_6 x^6 + p_5 x^5 + p_4 x^4 + p_3 x^3 + p_2 x^2 + p_1 x + p_0$. Note that $p_7, p_6, \ldots, p_0$ are all bits. Similarly, {03} corresponds to the byte 00000011 = $x + 1$. The multiplication of $a_i$ with another polynomial needs to be reduced modulo the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$. This is possible by noting that $x^8 \bmod (x^8 + x^4 + x^3 + x + 1) = x^4 + x^3 + x + 1 = \text{1B}$, and so on up to $x^{14}$. Some exercises on Galois field multiplications need to be given to the students.
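An added Python example (not code from the paper) covering both the S-box construction of Section 3.2 and the Mix Column arithmetic above: it builds the S-box from the GF($2^8$) inverse and the affine map, multiplies a column by the diffusion matrix, and checks the MDS property by testing that every square submatrix is non-singular. Function names are illustrative and the sample column is a commonly used test input.

```python
from itertools import combinations

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (XOR) the modulus
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8), computed as a^254; 00 maps to itself."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r if a else 0

def affine(x, c=0x63):
    """B_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, indices mod 8."""
    y = 0
    for i in range(8):
        bit = (x >> i) ^ (c >> i)
        for k in (4, 5, 6, 7):
            bit ^= x >> ((i + k) % 8)
        y |= (bit & 1) << i
    return y

# S-box = affine map applied to the field inverse of every byte.
SBOX = [affine(gf_inv(x)) for x in range(256)]

# Circulant diffusion matrix of Mix Column, entries as in the text.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(col):
    """Multiply one 4-byte column by MIX over GF(2^8)."""
    out = []
    for row in MIX:
        acc = 0
        for m, a in zip(row, col):
            acc ^= gf_mul(m, a)
        out.append(acc)
    return out

def gf_det(m):
    """Determinant over GF(2^8) by cofactor expansion (signs vanish in char. 2)."""
    if len(m) == 1:
        return m[0][0]
    d = 0
    for j, v in enumerate(m[0]):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        d ^= gf_mul(v, gf_det(minor))
    return d

def is_mds(m):
    """A square matrix is MDS iff every square submatrix is non-singular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if gf_det([[m[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True

def differential_uniformity(sbox):
    """Largest DDT entry over all non-zero input differences."""
    worst = 0
    for dx in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst

if __name__ == "__main__":
    print("S(00), S(01), S(53):", [hex(SBOX[v]) for v in (0x00, 0x01, 0x53)])
    print("MixColumn:", [hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
    print("MDS:", is_mds(MIX), " differential uniformity:", differential_uniformity(SBOX))
```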

3.4 Cryptanalysis Techniques

In the following subsections, we present a brief overview of the attacks that the student shall know, which are used to find the weaknesses and strengths of block ciphers.

(a) Brute force attack: This is a standard known-ciphertext or known-plaintext attack [3] in which we try all possible keys and verify which ones give us the correct plaintext–ciphertext pair. The only real optimization which helps brute force is to divide the key space into parts and distribute them between multiple processors or cluster computers having GPU/FPGA cards.

(b) Linear cryptanalysis: Linear cryptanalysis is a known plaintext attack and an efficient attack for cryptanalysis of block ciphers, introduced by Matsui in 1994 [49]. In this attack, the attacker finds probabilistic linear relations between plaintext, ciphertext, and the secret key. Given an approximation with high probability, the attacker obtains an estimate for secret key bits by correlating known plaintext and ciphertext bits. For finding more secret key bits, the attacker combines other techniques.

(c) Differential cryptanalysis: It is another important attack on block ciphers, introduced by E. Biham and A. Shamir [50]. It is a chosen plaintext attack and focuses on the difference between two related plaintexts as they are encrypted under the same key. It is based on observing the difference in ciphertexts $C, C'$ corresponding to plaintexts $P, P'$ that satisfy a chosen difference. Although $p \oplus k$ and $p' \oplus k$ are unknown ($p, p'$ plaintext bits), the attacker still knows their difference irrespective of the key value $k$.

(d) Related-key attacks: A related-key attack [51] is an attack under the particular hypothesis that the attacker is able to learn the encryption of some plaintexts not only under the original (unknown) key $K$ but also under some derived keys $K^* = f(K)$.

(e) Boomerang-rectangle attacks: The boomerang attack [52] is a differential-style attack in which the attacker does not try to cover the whole cipher with a single highly-probable differential pattern. Instead, the attacker tries to find two high-probability patterns that are not necessarily related to each other but together cover the whole cipher. In its basic version, it requires the ability to make chosen-plaintext and chosen-ciphertext queries.

(f) Algebraic cryptanalysis: An algebraic attack [53] is the process of breaking the cipher by solving polynomial systems of equations. The basic idea [54] is to model a cipher using a system of polynomial equations over a finite field; the system of polynomial equations is then solved to retrieve either a key or a plaintext. Polynomial system solving is the problem of finding a solution to a system of polynomial equations over some field F.

(g) Other attacks: In addition to the above attacks, there is a growing catalog of attacks [42]: truncated differential cryptanalysis, partial differential cryptanalysis, integral cryptanalysis (which encompasses square and integral attacks), slide attacks, the XSL attack, and impossible differential cryptanalysis.

Exercises on deriving the linear approximation table, difference distribution table, algebraic model of an S-box, etc. shall be given to the students, and inference of the results shall be taught. In an advanced level course, exercises on various types of attacks need to be given on some block ciphers.

Codes for the above cryptanalysis tools, for practice and for testing block cipher strength, are available at https://github.com/Deadlyelder/Tools-for-Cryptanalysis.

4. FEISTEL NETWORK BASED CIPHERS

In this section, we discuss the familiar cryptographic designs Data Encryption Standard (DES) and KASUMI (Feistel network) and CLEFIA (generalized Feistel network), and the cryptanalysis of these block ciphers.

4.1 Designs and Cryptanalysis

To achieve confusion and diffusion in any cryptosystem, the encryption process is divided into multiple iterations, and the input is divided into two halves $Lh_i$ (left) and $Rh_i$ (right). In round $i+1$, $Rh_i$ is sent into the round function along with the round key $K_{i+1}$, where each round key is generated from one master key using a key scheduling algorithm.

DES [3] is a block cipher – an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bit string of the same length. In the case of DES, the block size is 64 bits. The key consists of 64 bits; however, only 56 of these are actually used by the algorithm.

KASUMI [29] is a block cipher used in the Universal Mobile Telecommunications System (UMTS); in the Global System for Mobile Communications (GSM), KASUMI is used in the A5/3 key stream generator, and in GPRS in the GEA3 key stream generator.

KASUMI [29] uses a 128-bit key and 64-bit input and output blocks and has an eight-round Feistel network. The KASUMI encryption function [29] is shown in Figure 4(a). It has 8 round functions. The FL and FO functions divide the 32-bit input data into two 16-bit halves. The FL is an irreversible bit manipulation while the FO function is an irreversible three round Feistel-like network.

Function FO: The FO function is a three-round Feistel structure which consists of three FI functions and key adding stages. A 96-bit round key is given as input to the FO function in each round (48 subkey bits KI used in FI and 48 subkey bits KO in the key adding stage). The structure of the FO function is given in Figure 4(b).

Function FI: FI is another 4-round Feistel design that uses two non-linear S-boxes, S7 (7×7 bit permutation) and S9 (9×9 bit permutation); it is shown in Figure 4(b).

Function FL: The 32-bit input $x$ of $FL(KL_i, x)$ is divided into two 16-bit halves $x = L \| R$. First the left half of the input $L$ is ANDed bitwise with round key $KL_{i,1}$ and rotated left by one bit. The result of that is XORed to the right half of the input $R$ to get the right half of the output. The structure of FL is shown in Figure 4(c).

KASUMI Key schedule: The key schedule is simple: it divides the 128-bit secret key into 16-bit data blocks $K_i$ ($1 \le i \le 8$) and generates subkeys $K'_i$. Round keys are linearly derived from these eight key words $K = K_1 \| K_2 \| K_3 \| K_4 \| K_5 \| K_6 \| K_7 \| K_8$. Round keys are generated by bitwise rotation to the left (ROL) by a fixed amount as follows:

$KL_{i,1} = ROL(K_i, 1)$

$KL_{i,2} = K'_{i+2}$

$KO_{i,1} = ROL(K_{i+1}, 5)$

$KO_{i,2} = ROL(K_{i+5}, 8)$

$KO_{i,3} = ROL(K_{i+6}, 13)$

$KI_{i,1} = K'_{i+4}$

$KI_{i,2} = K'_{i+3}$

$KI_{i,3} = K'_{i+7}$

Sub key index additions are cyclic, so that if $i + j$ is greater than 8 one has to subtract 8 from the result to get the actual sub key index.
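The key schedule above as an added Python example (not code from the paper or from the KASUMI reference implementation). The constants $C_i$ used to form $K'_i = K_i \oplus C_i$ are not given on this page and are taken from the public KASUMI specification; the key is a constructed sample. Because every subkey is a rotation of one key word or a key word XORed with a constant, a key difference maps to a fixed subkey difference, which is the structural property that related-key analysis such as the attack listed in Table 2 builds on.

```python
# Constants C_1..C_8 from the public KASUMI specification (3GPP TS 35.202);
# they do not appear on this page. K'_i = K_i XOR C_i.
C = [0x0123, 0x4567, 0x89AB, 0xCDEF, 0xFEDC, 0xBA98, 0x7654, 0x3210]

def rol16(x, r):
    """Rotate a 16-bit word left by r bits."""
    return ((x << r) | (x >> (16 - r))) & 0xFFFF

def split_key(key):
    """Split a 16-byte key K = K1||K2||...||K8 into eight 16-bit words."""
    if len(key) != 16:
        raise ValueError("KASUMI uses a 128-bit key")
    return [int.from_bytes(key[2 * i:2 * i + 2], "big") for i in range(8)]

def kasumi_subkeys(words, constants=C):
    """Return the subkeys of rounds 1..8 as a list of dicts.

    words[i] holds K_(i+1); index sums wrap cyclically, so K_(i+j) with
    i+j > 8 is K_(i+j-8), which is (i + j) % 8 in 0-based indexing.
    """
    K = list(words)
    Kp = [k ^ c for k, c in zip(K, constants)]     # K'_i
    rounds = []
    for i in range(8):                             # i = round number - 1
        rounds.append({
            "KL1": rol16(K[i], 1),
            "KL2": Kp[(i + 2) % 8],
            "KO1": rol16(K[(i + 1) % 8], 5),
            "KO2": rol16(K[(i + 5) % 8], 8),
            "KO3": rol16(K[(i + 6) % 8], 13),
            "KI1": Kp[(i + 4) % 8],
            "KI2": Kp[(i + 3) % 8],
            "KI3": Kp[(i + 7) % 8],
        })
    return rounds

def subkey_xor(a, b):
    """Round-by-round XOR of two subkey sets."""
    return [{name: ra[name] ^ rb[name] for name in ra} for ra, rb in zip(a, b)]

# Constructed sample keys (not test vectors from any specification).
SAMPLE_KEY = bytes.fromhex("00010002000400080010002000400080")
OTHER_KEY = bytes.fromhex("8001000200040008001000200040a5a5")

if __name__ == "__main__":
    for n, rk in enumerate(kasumi_subkeys(split_key(SAMPLE_KEY)), start=1):
        print(n, {name: f"{v:04x}" for name, v in rk.items()})
    # Linearity: the subkey difference depends only on the key difference,
    # because the constants cancel and rotation commutes with XOR.
    ka, kb = split_key(SAMPLE_KEY), split_key(OTHER_KEY)
    delta = [x ^ y for x, y in zip(ka, kb)]
    same = subkey_xor(kasumi_subkeys(ka), kasumi_subkeys(kb)) == \
        kasumi_subkeys(delta, constants=[0] * 8)
    print("subkey difference determined by key difference:", same)
```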

4.2 Performance and Security Level

(b)

In Table 2, we provide summary of the performance

of Feistel based ciphers and their cryptanalysis status

against several attacks.

The student shall be taught about such evaluation so that

they can later design their own by benchmarking with

these. There are some implementation benchmarks available [65] on various platforms like PCs, ARM Processors,

etc.

5. SUBSTITUTION-PERMUTATION NETWORK

BASED CIPHERS

In cryptography, an SP-network, or substitution-permutation network (SPN), is a series of linked mathematical operations used in block cipher algorithms. In

this section, we discuss familiar cryptographic design

Advanced Encryption Standard (AES) cipher.

5.1 Designs and Cryptanalysis

(c)

Figure 4: (a). KASUMI Encryption. (b). FO and FI functions. (c). FL

function

AES (Rijndael) [20] For AES, NIST selected three members of the Rijndael family, each with a block size of 128

bits but three different key lengths: 128, 192 and 256 bits

with 10, 12 and 14 rounds.

AES Encryption [3,20]: For encryption, each round consists of the following four steps: (1) Substitute bytes (see

in 3.1.2), (2) Shift rows (Arranges the state in a matrix

and then performs a circular shift for each row), (3) Mix

columns (see in 3.1.3), and (4) Add round key (Each of

the 16 bytes of the state is XORed with each of the 16

bytes of a portion of the expanded key for the current

round). The last step consists of XORing the output of

the previous three steps with four words from the key

schedule.

8

A. N. TENTU: A REVIEW ON EVOLUTION OF SYMMETRIC KEY BLOCK CIPHERS AND THEIR APPLICATIONS

Table 2: Cryptanalysis status of Feistel ciphers

Cipher

Block/Key

Rounds

Best attack

Memory/Requirements

Attack complexity

DES [2]

Triple DES [3]

Kasumi [56]

BLOWFISH [57]

GOST [58]

64/56

64/168,112

64/128

64/32-448

64/256

16

48

8

31

32

Linear Cryptanalysis

Known Plaintext Attack

related-key rectangle attack

diﬀerential attack

Single key attack

243 known plaintexts

232 known plaintexts, 288 memory

260.8 chosen plaintexts

up to 14 round is broken

264 data

239–43

290

265.4

2192

Table 3: SPN ciphers – cryptanalysis

Cipher

AES128 [31]

AES192/256 [31]

LED [30]

KLEIN [28]

MANTIS [41]

Block/Key

Rounds

Attack type

Memory/Requirements

Attack complexity

128/128

128/192, 256

64/64, 128

64/64,80,96

64/tweak(128+64)

10

12, 14

32,48

12,16,20

14

Biclique attack

Related-key attacks

Diﬀerential attack

Diﬀerential attack

Diﬀerential attack

–

2126.1

2189.7 and 2254.4

–

241.4

–

AES Key Expansion [20]: From 128-bit master secret key,

it derives the 128-bit round key. Input block 128-bit is

arranged as a state array of 16 bytes arranged into 4×4

array of bytes. The first four bytes of the encryption key

constitute the word w0 , the next four bytes the word w1 ,

and so on.

• It expands the words [w0 ,w1 ,w2 ,w3 ] into 44 32-bit

words that can be labeled w0 , w1 , w2 , w3 , . . . . . . . . .

. . . . . . .., w43 .

• Out of these, [w0 ,w1 ,w2 ,w3 ] are bitwise XOR’ed with

the input block before round steps begin. This is called

the whitening step.

• The remaining 40 words of the key schedule are used

four words at a time in each of the 10 rounds.

For decryption, each round consists Inverse shift rows,

Inverse substitute bytes, Add round key, and Inverse mix

columns.

Data 299.5

12 Rounds of LED-64, 32 Rounds of LED-128

Up to 10 rounds

5.2 Performance and Security Level

In Table 3, we provide a summary of the performance of SP network based ciphers and their security level against several attacks.

6. LIGHTWEIGHT CRYPTOGRAPHY

Lightweight cryptography [16,17,23] is a quickly evolving area of research interest, driven by the need to provide security or cryptographic measures to several applications. These lightweight cryptographic primitives are widely used on resource-constrained devices such as mobile communication (phones), smart cards, Internet of Things (IoT) [13], RFID tags, and sensor networks. The major motivation for designing lightweight cryptographic primitives [18] is as follows: they are efficient where limited hardware resources are available, and they maintain a practical trade-off between security, efficient hardware performance, and low overall cost.

Several directions in the design of lightweight cryptographic systems [17] are proposed in the literature, including ARX-based designs, bit-sliced-S-Box-based designs, and simpler key schedules. ARX stands for the simple operations modular addition (A), bitwise rotation (R), and exclusive-OR (X).

Several light-weight block ciphers [14,15,33,34,36,37,65], viz. Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, can be efficiently implemented on microcontroller platforms such as 8-bit AVR, 16-bit MSP430, and 32-bit ARM (Figure 5).

6.1 Designs and Cryptanalysis

In this subsection, we summarize the design of the lightweight cipher SIMON.

SIMON [38] was designed by the NSA and performs well in software and hardware [35]. It supports several sizes for the key (64; 72; 96; 128; 144; 192; 256) and the block (32; 48; 64; 96; 128), and several numbers of rounds (32; 36; 42; 44; 52; 54; 68; 69; 72).

SIMON Encryption: It uses the classic Feistel design on two n-bit halves for each round. Each round of SIMON applies a non-linear, non-bijective function $F : GF(2)^n \to GF(2)^n$ to the left half of the state, and this is repeated for t rounds.

The operations used in the round function are bitwise XOR ($\oplus$), bitwise AND (&), and circular left shift ($S$), where $S^a$ denotes a circular left shift by $a$ bits. For round $k$, let the left half of the input be $x_i$ and the right half be $y_i$; then the round function $R_k$ is given by $R_k(x_i, y_i) = (x_{i+1}, y_{i+1}) = (y_i \oplus f(x_i) \oplus k_i,\ x_i)$, where $f(x) = (S^1 x \,\&\, S^8 x) \oplus S^2 x$. Figure 6(a) shows the encryption algorithm of one round of SIMON.

Figure 5: AES encryption-decryption round

SIMON Key schedule: The key schedule of SIMON is described as a function that operates on two, three, or four n-bit word registers, depending on the size of the master key. It performs two rotations to the right, x >> 3 and x >> 1, and XORs the results together with a fixed constant $c$. The $m$ master key words, each of $n$ bits, where $m \in \{2, 3, 4\}$, are used in the first iterations of key scheduling, and hence the first $mn$ round key bits equal the master key. If the key is defined as $k_0, k_1$, the sequence of round keys is

$$
k_{i+m} =
\begin{cases}
c \oplus (z_j)_i \oplus k_i \oplus (I \oplus S^{-1})\, S^{-3} k_{i+1}, & m = 2 \\
c \oplus (z_j)_i \oplus k_i \oplus (I \oplus S^{-1})\, S^{-3} k_{i+2}, & m = 3 \\
c \oplus (z_j)_i \oplus k_i \oplus (I \oplus S^{-1})\,(S^{-3} k_{i+3} \oplus k_{i+1}), & m = 4
\end{cases}
$$

for $m = 2, 3, 4$ respectively, and $c = 2^n - 4$. Note that $I$ is the $n \times n$ identity matrix. The constant sequence is obtained from a 5-bit LFSR loaded with an initial 5-bit value. Depending on the key length, there are sequences $z_i$ for $i = 1, \ldots, 4$. For example, $z_0$ is as follows:

z0 = 11111010001001010110000111001101111101000100101011000011100110.

It has the same 31-bit sequence repeated twice. The constant bit $z_i$ operates once in each round on the LSB of the key.

Figure 6: (a) SIMON – round function. (b) The SIMON three key expansion

For decryption, the ciphertext halves are swapped and the round keys are used in reverse order. Independent cryptanalysis efforts on SIMON [39,40] present a series of observations on the cipher’s construction and attacks on reduced-round versions. Differential fault attacks on SIMON are presented in [39].
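The round function, the m = 4 key schedule and the decryption rule described above, put together as an added example (not code from the paper or from the SIMON designers). It assumes the Simon32/64 variant (n = 16, m = 4, 32 rounds, constant sequence z0), and the function names are this example's own; the key and plaintext are the Simon32/64 test vector from the designers' paper [38].

```python
# Simon32/64 (assumed variant): 16-bit words, m = 4 key words, 32 rounds.
N, M, ROUNDS = 16, 4, 32
MASK = (1 << N) - 1
C = (1 << N) - 4                      # c = 2^n - 4
# z0 as printed in the text; index 0 is the leftmost bit.
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


def rol(x, r):
    """S^r: circular left shift of an n-bit word."""
    return ((x << r) | (x >> (N - r))) & MASK


def ror(x, r):
    """S^-r: circular right shift of an n-bit word."""
    return ((x >> r) | (x << (N - r))) & MASK


def f(x):
    """f(x) = (S^1 x & S^8 x) xor S^2 x."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def expand_key(master):
    """master = [k0, k1, k2, k3]; returns all ROUNDS round keys (m = 4)."""
    if len(master) != M:
        raise ValueError("expected 4 key words")
    k = list(master)
    for i in range(ROUNDS - M):
        t = ror(k[i + 3], 3) ^ k[i + 1]      # S^-3 k[i+3] xor k[i+1]
        t ^= ror(t, 1)                       # apply (I xor S^-1)
        k.append(C ^ int(Z0[i % 62]) ^ k[i] ^ t)
    return k


def encrypt(x, y, round_keys):
    """Apply one Feistel round per round key to the halves (x, y)."""
    for rk in round_keys:
        x, y = y ^ f(x) ^ rk, x
    return x, y


def decrypt(x, y, round_keys):
    """Swap the halves, run the rounds with reversed keys, swap back."""
    y, x = encrypt(y, x, round_keys[::-1])
    return x, y


KEY = [0x0100, 0x0908, 0x1110, 0x1918]       # k0..k3 of the test vector
PLAINTEXT = (0x6565, 0x6877)

if __name__ == "__main__":
    rks = expand_key(KEY)
    ct = encrypt(*PLAINTEXT, rks)
    print("ciphertext:", [f"{w:04x}" for w in ct])
    print("round trip:", decrypt(*ct, rks) == PLAINTEXT)
```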

6.2 Performance and Security Level

In Table 4, we provide a summary of the performance of lightweight block ciphers and their security level against several attacks.

7. PERFORMANCE METRICS

In this section, we present the performance and benchmarking results for three primary metrics, namely execution time, run-time memory (i.e. RAM) consumption, and technology.


Table 4: Performance comparison of light-weight block ciphers

| Cipher | Key size (bits) | Block size (bits) | Area [GE] | Throughput (Kb/sec) | Technology (μm) | Type | SW/HW target |
|---|---|---|---|---|---|---|---|
| SIMON [59] | 128 | 64 | 1000 | 16.7 | – | Feistel | HW, SW |
| SPECK [60] | 128 | 64 | 1127 | 13.8 | – | Feistel | SW, HW |
| Kasumi [56] | 128 | 64 | – | – | – | Feistel | – |
| PRESENT [64] | 80 | 64 | 1,075 | 11.4 | 0.18 | SPN | HW |
| Piccolo [62] | 128 | 64 | 758 | 12.1 | 0.13 | Feistel | HW |
| LED-128 | 128 | 64 | 700 | 3.4 | 0.18 | SPN | HW, SW |
| GOST [58] | 256 | 64 | 651 | 24.24 | 0.18 | Feistel | SW, HW |
| AES [31] | 128 | 128 | 3400 | 12.4 | 0.38 | SPN | SW, HW |
| HummingBird-2 [61,63] | 128 | 16 | 2159 | – | 0.13 | Hybrid | HW |

Table 5: Cryptanalysis state of the art of light-weight ciphers

| Cipher | Block/Key | Rounds | Attack type | Memory requirements | Attack complexity |
|---|---|---|---|---|---|
| SIMON [59] | 32, 48, .., 128 / 64, 72, .., 256 | 32, 36, .., 72 | Differential cryptanalysis | 46 Rds of Simon128/128 with 2^125.6 data, 2^40.6 memory | 2^125.7 |
| SPECK [60] | 32, 48, .., 128 / 64, .., 256 | 22–34 | Differential cryptanalysis | 2^125.35 data on Speck128/128 | 2^125.35 |
| Piccolo [62] | 64 / 80, 128 | 25, 31 | Biclique attack | Piccolo-80; data 2^48 | 2^78.95 and 2^126.79 |
| Humming bird [61] | 16 / 128, 64-bit IV | – | chosen-IV attack | 2^64 off-line data | 2^64 |

Light-weight cipher implementation in software or on microcontrollers can be given as undergraduate projects and used in some IoT applications (Table 5).

8. CONCLUSION

The field of modern cryptography provides a theoretical foundation on which we may understand what exactly these problems are, how to evaluate protocols that purport to solve them, and how to build protocols in whose security we can have confidence. Lightweight cryptography has been an emerging area over the last few years, driven by the lack of primitives capable of running on devices with very low computing power. In this paper, we have presented a survey of some of the modern block ciphers with their structure designs and security levels. We have pointed out the topics that need to be taught to some depth within the available time of the term. We also discussed cryptanalysis of the Feistel, SPN, and lightweight ciphers and performance constraints so that the students can benchmark their implementations and be aware of what the industry needs.

The suggested course structure has been tried on a few batches of trainees at the author’s institute.

ACKNOWLEDGEMENT

The author thanks the Editor-in-Chief, IETE Journal of Education, for his invitation to write this tutorial review paper. This paper would not have been possible without his exceptional inputs.

DISCLOSURE STATEMENT

No potential conflict of interest was reported by the author(s).

REFERENCES

1. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, 1997. ISBN 978-0-8493-8523-0.

2. E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems.” J. Cryptol., Vol. 4, no. 1, pp. 3–72, 1991.

3. L. R. Knudsen and M. J. B. Robshaw, The Block Cipher Companion, Springer, 2011. ISBN: 978-3-642-17341-7.

4. B. Schneier (1996). Applied Cryptography, 2nd ed. New York: Wiley. ISBN 978-0-471-11709-4.

5. “Internet security glossary.” Internet Engineering Task Force. May 2000. RFC 2828. Retrieved 26 March 2015.

6. D. Wagner and B. Schneier, “Analysis of the SSL 3.0 protocol” (PDF). The Second USENIX Workshop on Electronic Commerce Proceedings. USENIX Press. pp. 29–40, November 1996.

7. E. Rescorla. SSL and TLS: Designing and Building Secure Systems. Boston: Addison-Wesley Pub Co, 2001. ISBN 978-0-201-61598-2.

8. B. Daniel and M. David, “AES-CCM cipher suites for Transport Layer Security (TLS),” tools.ietf.org. Retrieved 2017-10-26.

9. “TCP (Transmission Control Protocol),” Retrieved 2019-06-26.

10. “Cipher Suites in TLS/SSL (Schannel SSP) (Windows),” docs.microsoft.com. Retrieved 2018-07-02.

11. https://datatracker.ietf.org/wg/tls/documents/

12. https://www.acunetix.com/blog/articles/establishing-tlsssl-connection-part-5/

13. E. Borgia, “The Internet of Things vision: Key features, applications and open issues,” Comput. Commun., Vol. 54, pp. 1–31, 2014.

14. F. Karakoç, A. Hüseyin Demirci, and E. Harmancı. “ITUbee: A software oriented lightweight block cipher, lightweight cryptography for security and privacy: LightSec 2013,” volume 8162 of LNCS, pages 16–27, Berlin, Heidelberg, 2013.

15. A. Bogdanov, L. R. Knudsen, G. Le, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, and C. Vikkelsoe, “Present: An ultra-lightweight block cipher,” in: Proceedings of Workshop on Cryptographic Hardware and Embedded Systems (CHES), Springer, 2007.

16. S. Panasenko and S. Smagin. “Lightweight cryptography: Underlying principles and approaches,” Int. J. Comput. Theory Eng., Vol. 3, pp. 516–520, 2011.

17. A. Biryukov and L. Perrin. “State of the art in lightweight symmetric cryptography,” IACR Cryptol. EPrint Archive, pp. 1–55, 2017.

18. T. Eisenbarth, S. Kumar, C. Paar, A. Poschmann, and L. Uhsadel. “A survey of lightweight cryptography implementations,” IEEE Design Test Comput. (Special Issue on Secure ICs for Secure Embedded Computing), Vol. 24, no. 6, pp. 522–33, November/December 2007.

19. P. Junod and S. Vaudenay. “Perfect diffusion primitives for block ciphers,” in Handschuh H., Hasan M.A. (eds) Selected Areas in Cryptography. SAC 2004. Lecture Notes in Computer Science, Vol. 3357. Berlin: Springer, 2004.

20. J. Daemen and V. Rijmen. “The design of Rijndael,” in Information Security and Cryptography. Heidelberg: Springer, 2002, pp. XVII, 238. Hardcover ISBN 978-3-540-42580-9.

21. D. Dinu, Y. L. Corre, D. Khovratovich, L. Perrin, J. Großschädl, and A. Biryukov, “Triathlon of lightweight block ciphers for the Internet of Things,” J. Cryptogr. Eng., Vol. 9, pp. 283–302, 2019.

22. M. Katagi and S. Moriai, “Lightweight cryptography for the Internet of Things.” Available: https://iab.org/wp-content/IAB-uploads/2011/03/Kaftan.pdf

23. T. Suzaki, K. Minematsu, S. Morioka, and E. Kobayashi, “TWINE: A lightweight block cipher for multiple platforms,” SAC 2012.

24. E. Borgia, “The Internet of Things vision: Key features, applications and open issues,” Comput. Commun., Vol. 54, pp. 1–31, 2014.

25. A. Murphy and D. Murphy, “The role of cryptography in security for electronic commerce,” ITB J., Vol. 2, no. 1, 2001, Article 3. DOI: 10.21427/D7B32.

26. N. M. A. Al-Slamy, “E-Commerce security”, IJCSNS Int. J. Comput. Sci. Network Security, Vol. 8, no. 5, pp. 340–344, May 2008.

27. S. Yasin, “Cryptography based E-commerce security: A review,” IJCSI Int. J. Computer Sci. Issues, Vol. 9 (2), no. 1, pp. 132–137, 2012.

28. Z. Gong, S. I. Nikova, and Y. W. Law, (2010). “KLEIN: A new family of lightweight block ciphers. (CTIT Technical Report Series; No. TR-CTIT-10-33),” Centre for Telematics and Information Technology (CTIT), Enschede.

29. General Report on the Design. “Specification and evaluation of 3GPP standard confidentiality and integrity algorithms (PDF),” 3GPP. 2009.

30. I. Nikolíc, L. Wang, and S. Wu, “Cryptanalysis of round-reduced LED,” Available: https://eprint.iacr.org/2015/429.pdf

31. A. Bogdanov, D. Khovratovich, and C. Rechberger. “Biclique cryptanalysis of the full AES” (PDF). Archived from the original (PDF) on March 6, 2016. Retrieved May 1, 2019.

32. A. Webster and S. Tavares, “On the design of S-boxes, advances in cryptology CRYPTO-1985, LNCS 218,” Springer-Verlag, 1985.

33. A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, and A. Poschmann, “PRESENT: An ultra-lightweight block cipher, cryptographic hardware and embedded systems, CHES 2007,” Springer, LNCS, 4727, 2007, pp. 450–66.

34. X. Lai and J. L. Massey, “A proposal for a new block encryption standard, advances in cryptology EUROCRYPT ‘90,” Springer, LNCS, 473, 1991, pp. 389–404.

35. O. Tigli, “Area efficient ASIC implementation of IDEA (International data encryption standard),” Best design for ASIC implementation of IDEA, GMU 2003.

36. D. Khovratovich, G. Leurent, and C. Rechberger, “Narrow-bicliques: Cryptanalysis of full IDEA, EUROCRYPT 2012,” Springer, LNCS, 7237, 2012, pp. 392–410.

37. D. Hong et al., “HIGHT: A new block cipher suitable for low-resource device. Cryptographic hardware and embedded systems,” CHES 2006, Springer, LNCS, 4249, 2006, pp. 46–59.

38. R. Beaulieu, S. Douglas, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, “The SIMON and SPECK families of lightweight block ciphers,” IACR Cryptology ePrint Archive, 2013, 404.

39. H. Tupsamudre, S. Bisht, and D. Mukhopadhyay, “Differential fault analysis on the families of SIMON and SPECK ciphers,” IACR Cryptology ePrint Archive, 2014.

40. F. Abed, E. List, S. Lucks, and J. Wenzel, “Cryptanalysis of the SPECK family of block ciphers,” IACR Cryptology ePrint Archive, 2013.

41. C. Beierle, J. Jean, S. Kolbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, and S. M. Sim, “The SKINNY family of block ciphers and its low-latency variant MANTIS,” in Annual Cryptology Conference, Springer, Berlin, Heidelberg, pp. 123–53, August, 2016.

42. D. Hong, B. Koo, and D. Kwon, “Biclique attack on the full HIGHT,” in Information security and cryptology-ICISC 2011, H. Kim, Ed. Berlin: Springer, 2012, pp. 365–74.

43. E. Biham, O. Dunkelman, N. Keller, and A. Shamir, “New attacks on IDEA with at least 6 rounds,” J. Cryptol., Vol. 28, no. 2, pp. 209–39, 2011.

44. “Claude Elwood Shannon: Communication theory of secrecy systems,” Bell System Technical Journal 28 (1949), see in particular page 704.

45. M. Luby and C. W. Rackoff, “How to construct pseudorandom permutations from pseudorandom functions,” SIAM J. Comput., Vol. 17, no. 2, pp. 373–86, April 1988.

46. J. Patarin, “Generic attacks on Feistel schemes; Asiacrypt 2001, LNCS 2248,” Springer, pp. 222–38.

47. S. Vaudenay, “Provable security for block ciphers by decorrelation,” Technical Report LIENS98-8 of the Laboratoire d’Informatique de l’Ecole Normale Supérieure, 1998. Available: http://lasecwww.epfl.ch/query.msql?ref=Vau98b

48. F.-X. Standaert, G. Piret, and J.-J. Quisquater, “Cryptanalysis of block ciphers: A survey,” Computer Science 2002. Available: https://perso.uclouvain.be/fstandae/PUBLIS/U1.pdf.

49. M. Matsui, “Linear cryptanalysis method for DES cipher,” Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT’93, pp. 386–97, 1993.

50. E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard. Springer Verlag, 1993, ISBN: 0-387-97930-1, 3-540-97930-1.

51. E. Biham, O. Dunkelman, and N. Keller, “The Rectangle Attack, rectangling the Serpent,” in Proceedings of EUROCRYPT 2001, Lecture Notes in Computer Science 2045 p.340-ff, Springer-Verlag.

52. D. Wagner, “The Boomerang Attack,” in Proceedings of FSE’99, LNCS 1636, p. 156 ff, Springer-Verlag.

53. N. Courtois and J. Pieprzyk, “Cryptanalysis of block ciphers with overdefined systems of equations,” in Proceedings of Asiacrypt 2002, LNCS, Springer-Verlag.

54. G. V. Bard, N. Courtois, and J. Nakahara Jr., “Pouyan Sepehrdad, Bingsheng Zhang: Algebraic, AIDA/cube and side channel analysis of KATAN family of block ciphers,” INDOCRYPT 2010: 176–96.

55. J. Borst, B. Preneel, and J. Vandewalle, “Linear cryptanalysis of RC5 and RC6,” In Fast Software Encryption. Springer Berlin Heidelberg, 1999, January, pp. 16–30.

56. E. Biham, O. Dunkelman, and N. Keller, “A related-key rectangle attack on the full KASUMI. ASIACRYPT 2005,” pp. 443–61. Archived from the original (ps) on 2013-10-11.

57. O. Kara and C. Manap, “A new class of weak keys for blowfish” (PDF). FSE 2007. Archived (PDF) from the original on 2016-10-05, March 2007.

58. I. Dinur, O. Dunkelman, and A. Shamir, “Improved attacks on Full GOST.” Lect. Notes Comput. Sci. Vol. 7549 (Fast Software Encryption), pp. 9–28, 2012.

59. F. Abed, E. List, S. Lucks, and J. Wenzel, “Differential and linear cryptanalysis of reduced-round Simon.” Available: https://eprint.iacr.org/2013/526

60. S. Ling, Z. Huang, and Q. Yang, “Automatic differential analysis of ARX block ciphers with application to SPECK and LEA” (PDF). Retrieved 2018-05-06, 2016.

61. Y. Wang, W. Wu, and X. Yu, “Biclique cryptanalysis of reduced-round piccolo block cipher,” in Information Security Practice and Experience, M. D. Ryan, B. Smyth, and G. Wang, Eds. Berlin: Springer, 2012, pp. 337–52.

62. N. Courtois, G. Bard, and D. Wagner, “Algebraic and slide attacks on KeeLoq,” Fast Software Encryption, FSE’08, LNCS 5086, 2008, pp. 97–115.

63. Q. Chai and G. Gong, “A cryptanalysis of HummingBird-2: The differential sequence analysis,” Available: https://eprint.iacr.org/2012/233.pdf

64. F. Sereshgi, M. Hossein, D. Mohammad, and S. Mohsen. “Biclique cryptanalysis of MIBS-80 and PRESENT-80 block ciphers.” Security Commun. Networks, Vol. 9, pp. 27–33, 2015.

65. https://www.cryptolux.org/index.php/Lightweight_Cryptography.

66. W. A. Stein, et al. “Sage Mathematics Software (Version 5.10),” The Sage Development Team, 2013, Available: http://www.sagemath.org

67. F. Lafitte, “The Boolfun package: Cryptographic properties of Boolean functions,” 2013.

68. Z. Bao, J. Guo, S. Ling, and Y. Sasaki, “SoK: Peigen – a platform for evaluation, implementation, and generation of S-boxes,” Cryptology ePrint Archive: Report 2019/209.

Author

Appala Naidu Tentu is Senior Assistant Professor at CR Rao Advanced Institute of Mathematics, Statistics, and Computer Science (AIMSCS), University of Hyderabad Campus, Hyderabad. Before this, he worked as Research Scientist and also worked as Project Engineer at CSIR-CMMACS, NAL Bangalore. Tentu obtained his PhD in Computer Science and Engineering (specialization in Cryptography and Information Security) from JNTU Hyderabad and CR Rao AIMSCS, University of Hyderabad. He received his Master of Technology (MTech) from National Institute of Technology, Suratkal (NITK), Karnataka. His research interests are in the areas of cryptography, cryptanalysis, design of security protocols and high-performance computing. He executed a couple of projects for Intelligence agencies, Govt of India. He has published about 20 research publications in various international journals and conference proceedings. He is a member of the International Association for Cryptology Research (IACR) and a life member of the Cryptology Research Society of India (CRSI).

Corresponding author. Email: naidunit@gmail.com
