IETE Journal of Education
ISSN: (Print) (Online) Journal homepage: https://www.tandfonline.com/loi/tije20
A Review on Evolution of Symmetric Key Block
Ciphers and Their Applications
Appala Naidu Tentu
To cite this article: Appala Naidu Tentu (2020): A Review on Evolution of Symmetric Key Block
Ciphers and Their Applications, IETE Journal of Education, DOI: 10.1080/09747338.2020.1769508
To link to this article: https://doi.org/10.1080/09747338.2020.1769508
Published online: 12 Jun 2020.
REVIEW ARTICLE
A Review on Evolution of Symmetric Key Block Ciphers and Their Applications
Appala Naidu Tentu
C. R. Rao Advanced Institute of Mathematics, Statistics and Computer Science (AIMSCS), University of Hyderabad Campus, Hyderabad,
Telangana 500 046, India
ABSTRACT
This paper reviews the state of the art of symmetric key block cipher designs and their essential security role in applications such as IoT and low-power devices like motes. Many engineering curricula have one course on network and internetwork security at the undergraduate level. However, because of the expanding research on ever newer primitives and the host of published literature on protocols and on algorithms for encryption, authentication, message integrity, and key exchange, it is of interest to deliver (teach) as much information as possible within one or two semester courses in the undergraduate engineering curriculum. In this paper, our objective is to present a comprehensive review of design approaches including Feistel, SPN, ARX, and other hybrid structures, and to highlight various cryptanalysis techniques and attacks. We focus on which topics need to be covered and to what depth. Further, this paper presents the performance metrics that are commonly reported in the literature when comparing block cipher implementations. These are necessary since the students should finally be able to appreciate how to benchmark and know what industry needs.
KEYWORDS
Symmetric key ciphers; Feistel; SP network; IoT; Lightweight cryptography; Cryptanalysis
1. INTRODUCTION
The most obvious use of cryptography, and the one that all of us are familiar with in daily life, is encrypting communications between a sender and a receiver over the internet. It is most commonly used for communication between a client program and a server. Symmetric block encryption algorithms are among the most widely used cryptographic primitives [1]. In addition to providing confidentiality via encryption, they are also used as basic primitives in the construction of hash functions, the generation of pseudorandom sequences [3], etc.
The advent of digital computers and the need for storage, paired with an increasing desire for sophistication in cryptography, have driven the science of block ciphers since the 1970s. Over the decades of research, several block ciphers [3] have come into use, each based on one of the following inner structures: “Substitution Permutation Networks (SPNs), Feistel networks, Add-Rotate-XOR (ARX [43]), NLFSR (Non-linear Feedback Shift Register)-based and hybrid types”. AES [32] is the best-known cipher that adopts the SPN structure; DES [2] and its extension T-DES are the best-known Feistel-type ciphers; KeeLoq [2] is the best-known NLFSR-based cipher; and the best-known hybrid ciphers are those of the Hummingbird [65] family. Also, to address the challenges of securing smart wireless and IoT-based devices, a new research direction called lightweight cryptography has recently been established, which focuses on designing novel cryptographic algorithms and protocols tailored for implementation in resource-constrained environments.
© 2020 IETE
While cryptographers design secure block ciphers, cryptanalysts use cryptanalysis [2,55] to breach cryptographic security systems in order to find and analyze the hidden aspects and weaknesses of the systems, and even to find the key that is used by the sender. There are several ways to analyze the security of a block cipher. To analyze cipher designs, several cryptanalysis techniques [45,48] are proposed in the literature, including linear cryptanalysis, differential cryptanalysis, algebraic attacks, multiple approximations, and key independence, differential and linear cryptanalysis, Man in the middle attacks, Boomerang-rectangle attacks, Interpolation attacks, Integral attacks, and Related-key attacks. Besides these, the most practical attacks today belong to side-channel analysis (SCA) [48], which targets implementations of cryptography in software and hardware.
Modern block ciphers depend on the concept of the iterated product cipher, which follows Shannon’s [44] paradigm of mixing confusion layers with diffusion layers. These cipher designs carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. There have been many advancements since the pioneering work of Luby-Rackoff [45] on the security of top-level designs of block ciphers. For Feistel ciphers, both security proofs and generic attacks are given in [45] and [46], and for SPN-based ciphers a more powerful theory has been developed in [47], which allows security proofs against a large class of attacks.
Figure 1: Client–Server communication protocol
The main applications [4] of modern block ciphers are encryption and use as building blocks for cryptographic hash functions. Other applications of cryptography [12,13] include wired and wireless communication, Internet Protocol Security [10], electronic commerce, chip-based payment cards [27], digital currencies, computer passwords, Internet of Things (IoT) [24], and military communications. The scope of the subject being very vast, it is necessary to teach the students these various topics within the limited time. In this paper, we focus on teaching block ciphers as a vehicle. The course shall be balanced in theory and practice.
The organisation of the paper is as follows: Section 2 describes the applications of symmetric key block ciphers. In Section 3, we present the design primitives and cryptanalysis of symmetric key block ciphers. In Sections 4 and 5, we consider Feistel and SPN based ciphers and their analysis. In Section 6, we discuss lightweight cryptographic ciphers and their analysis. In Section 7, we present performance metrics of all types of block ciphers, and conclusions are given in Section 8.
2. APPLICATIONS OF BLOCK CIPHERS
In the following subsections, we discuss popular everyday applications of cryptographic algorithms.
2.1 Secure Socket Layer/Transport Layer Security
In general, to secure network communication, Secure Socket Layer (SSL) and Transport Layer Security (TLS) [10] are used. The Internet Protocol Security (IPSec) protocol [5] uses standard cryptographic algorithms and is the standard way to exchange data securely at the network level. Most TCP/IP-based protocols [7,9] widely use the TLS/SSL cryptographic security protocols implemented in the OpenSSL library; these include “email (SMTPS/POP3), HTTPS, instant messaging (XMPP), FTPS, VoIP, and VPN” etc. SSL/TLS protocols allow the connection between two media (client–server) to be encrypted and make sure that no third party is able to read or modify the data.
The process of establishing a secure SSL/TLS connection between the client and the server involves several steps. SSL/TLS security protocols [10] use a combination of asymmetric and symmetric encryption algorithms. The client and the server must negotiate the algorithms used and exchange key information (see Figure 1). Major vulnerabilities [6,12] are exploited in older TLS/SSL versions (TLSv1.2 and SSL 2.0), and the most recent “TLS V1.1, v1.3 and SSL 3.0 protocols” use block cipher encryption algorithms based on strong key lengths. Recently, the IETF (Internet Engineering Task Force) [11] specified the TLS version (TLS 1.3) in the document RFC 8446 and the SSL version (SSL 3.0) in the IETF document RFC 6101.
The most important part of this protocol is the “cipher suite” [10], which provides confidentiality, authentication, and integrity. In general, the client sends the server a list of all the cipher suites that it supports, in order of preference. Each cipher suite contains one cryptographic algorithm (mostly a block cipher) [8], with a certain mode, for each of the following tasks: key exchange, authentication, bulk (data) encryption, and message authentication.
A sample cipher suite [8] string is: “TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA512”. This string contains the following information:
• ECDHE is the key exchange algorithm (Elliptic curve Diffie–Hellman)
• ECDSA is the authentication algorithm (Elliptic Curve Digital Signature Algorithm)
• AES_256_GCM is the data encryption algorithm (Advanced Encryption Standard 256-bit Galois/Counter Mode)
• SHA512 is the Message Authentication Code (MAC) algorithm (Secure Hash Algorithm 256-bit)
2.2 Internet of Things (IoT)
The vision of connecting everything, including Ubiquitous, Radio-frequency identification (RFID), Machine to Machine (M2M), etc., is a new concept of communication. The Internet of Things (IoT) [24] is a new-era technology, and we have recently been learning and benefiting from the opportunities it provides. An advantage of IoT [22] is the ability to capture and analyze data from distributed connected devices. However, the IoT also exposes organizations to new security vulnerabilities introduced by increased network connectivity and by devices that are not secured by design. To achieve confidentiality, authenticity, and integrity, encryption and decryption [23] are usually implemented in different forms. In place of traditional cryptography techniques, Light-Weight Cryptography [21] algorithms seem the most promising for the IoT environment.
2.3 Banking and E-commerce
Electronic banking [27] is now the basic essence of banking services. Online transactions need the utmost security to avoid fraudulent transactions of any kind. Various encryption algorithms [25] are built into the communication network to prevent unauthorized transactions. All the data and communications are protected by cryptography, making chip and PIN cards more difficult to hack. E-commerce [26] relies on encryption to secure data transmission by controlling data access and protecting information on the internet.
3. CRYPTOGRAPHY
In symmetric key cryptography [1,2], encryption is performed on plain data using the shared secret key. For
any cryptosystem using block ciphers, important parameters are key length, block length, number of rounds,
operations in each round, and key schedule algorithm
(KSA).
3.1 Design Primitives
Block ciphers comprise several rounds; each round has diffusion and confusion layers and uses a round key (see Figure 2). The round keys are derived from the master encryption key using the key schedule algorithm (KSA). Confusion layers are usually formalized as the application of substitution boxes, which are defined by lookup tables, and diffusion layers as the application of MDS (Maximum Distance Separable) matrices and permutations.
Figure 2: Encryption-round function
The purpose of confusion [1,20] is to make the relationship between the statistics of the key and the ciphertext as complex as possible. Thus, even if the intruder gets to know the statistics of the ciphertext, he should not be able to get the statistics of the key. The purpose of diffusion [19] is to maintain a very complex relationship between the statistics of ciphertexts and plaintexts, so as to make the deduction of the key more complex.
(i) Boolean functions
A Boolean function [3] in $n$ binary variables maps from $\mathbb{F}_2^n$ into $\mathbb{F}_2$. There are $2^{2^n}$ $n$-bit Boolean functions in total. Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function. A Boolean function $f$ of $n$ variables can be uniquely represented by a truth table (TT). For example, consider a 3-input $(x_2, x_1, x_0)$ Boolean function $f$ having the eight values 0,1,0,1,1,1,0,0 corresponding to the eight input combinations 000, 001, 010, ..., 111. An expression for this function can be obtained using a technique like the Karnaugh map, etc.; however, that presentation may not be unique. The Walsh transform is a second unique representation of a Boolean function; it measures the similarity between $f(x)$ and the linear function $a \cdot x$. A third unique representation of a Boolean function $f$ on $\mathbb{F}_2^n$ is by means of a polynomial which uses only AND operations and Exclusive OR functions. As an illustration, the Boolean function corresponding to the above example is as follows:
$$f(x_2, x_1, x_0) = x_2 x_1 \oplus x_2 x_0 \oplus x_2 \oplus x_0$$
This form is called the algebraic normal form (ANF). The same function using the truth table will be $x_2 \bar{x}_1 + x_0 \bar{x}_1 \bar{x}_2 + \bar{x}_2 x_1 x_0$. Note that here + stands for the OR logic function. Many other functions are possible in this representation.
The student shall be taught how to get the sequence from the given ANF and vice versa. Tools that can analyze the security properties of Boolean functions are:
• boolfun package in R [67]: it is possible to load a package named boolfun that provides functionalities related to the cryptographic analysis of Boolean functions.
• Boolean functions in Sage [66]: in Sage, there is a module called BooleanFunctions that allows one to study cryptographic properties of Boolean functions.
The student can use these packages to find the degree, non-linearity, correlation immunity, algebraic immunity, etc.
3.2 S-Boxes
Substitution boxes (S-boxes) [32] are important non-linear functions in many block cipher algorithms and play a crucial role in their security.
An S-box (an $(n,m)$-function) is any mapping $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$. If $m = 1$, the function is called a Boolean function. The Boolean functions $f_i$, $i \in \{1, \ldots, m\}$, are the coordinate functions of $F$, where every Boolean function has $n$ variables. In other words, each output bit of the 8-bit S-box is a non-linear function of 8 input variables. Thus, the S-box is characterized by eight Boolean functions. Hence the student shall be encouraged to learn the properties of Boolean functions in an advanced-level course.
The static view of an S-box, with inputs $X = [x_1, x_2, \ldots, x_n]$ and outputs $Y = [y_1, y_2, \ldots, y_m]$, can be represented as shown in Figure 3.
Figure 3: Static view of an n × m S-box
S-boxes can be constructed in an ad hoc manner and tested for good properties. Alternatively, they can be constructed using an algorithm. In the following, we present the generation of the AES 8 × 8 S-box for illustration.
AES Substitution Box [20]: The AES S-box is generated using GF($2^8$) (Galois field) and the irreducible polynomial $M = x^8 + x^4 + x^3 + x + 1$. The AES S-box is a matrix of (16 × 16 = 256) elements in which the rows and columns have values ranging from 0 to 15 (0 to f in hexadecimal). Each byte of the S-box is mapped to its multiplicative inverse in GF($2^8$), where 00 is mapped to itself. Then, an affine transformation (over GF(2)) is computed.
The AES S-box output byte is generated by the equation $Y := Ax \oplus c$, where “A” is the affine matrix (8×8), “x” is a byte (b7 b6 ... b0) which is the multiplicative inverse of the input byte with respect to the irreducible polynomial, and “c” is the affine constant, i.e. 63 (01100011). Note that all operations are bit-oriented. The symbol ⊕ is the one-bit XOR operation. The student shall be told that the multiplication with the affine matrix means finding the parity of a 5-bit string in the input. An inquisitive student must be asked to consult the literature and find out why this step is needed and why the inverse of the byte itself cannot be used. The affine matrix used is shown below:
$$B_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i,$$
$$\begin{pmatrix} B_0 \\ B_1 \\ B_2 \\ B_3 \\ B_4 \\ B_5 \\ B_6 \\ B_7 \end{pmatrix} = \begin{pmatrix} 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$$
The S-box generated by the above equation is represented in Table 1.
The student shall work out examples in Galois field operations. The various properties of the S-box shall be taught to the student. The eight algebraic equations which realize the S-box table (i.e. equations expressing each output bit in terms of the eight input bits) shall be derived. The student shall be taught about the degree of the Boolean function, non-linearity, etc.
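The construction above and the Boolean-function exercises from Section 3.1 (truth table to ANF, degree, Walsh transform, non-linearity) can be worked through together; the following Python is an added example, not code from the paper. Function names are illustrative, and truth tables are indexed by the integer whose bit i is the input variable x_i.

```python
# Added example: AES S-box generation and analysis of its coordinate functions.
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial M
AFFINE_C = 0x63    # affine constant c = 01100011


def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo M."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return product


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) computed as a^254; 00 maps to itself."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result if a else 0


def affine(b):
    """B_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, indices mod 8."""
    out = 0
    for i in range(8):
        bit = (AFFINE_C >> i) & 1
        for shift in (0, 4, 5, 6, 7):      # parity of five input bits
            bit ^= (b >> ((i + shift) % 8)) & 1
        out |= bit << i
    return out


def build_sbox():
    return [affine(gf_inv(x)) for x in range(256)]


def anf(truth_table):
    """Moebius transform: truth table -> ANF coefficients indexed by monomial mask."""
    coeffs = list(truth_table)
    step = 1
    while step < len(coeffs):
        for x in range(len(coeffs)):
            if x & step:
                coeffs[x] ^= coeffs[x ^ step]
        step <<= 1
    return coeffs


def anf_string(truth_table):
    n = len(truth_table).bit_length() - 1
    terms = []
    for mask, coeff in enumerate(anf(truth_table)):
        if coeff:
            names = [f"x{i}" for i in reversed(range(n)) if (mask >> i) & 1]
            terms.append("".join(names) or "1")
    return " ^ ".join(terms)


def degree(truth_table):
    """Algebraic degree: size of the largest monomial present in the ANF."""
    return max((bin(m).count("1") for m, c in enumerate(anf(truth_table)) if c),
               default=0)


def walsh(truth_table):
    """Fast Walsh-Hadamard transform of (-1)^f(x)."""
    w = [1 - 2 * bit for bit in truth_table]
    half = 1
    while half < len(w):
        for start in range(0, len(w), 2 * half):
            for j in range(start, start + half):
                w[j], w[j + half] = w[j] + w[j + half], w[j] - w[j + half]
        half *= 2
    return w


def nonlinearity(truth_table):
    """Hamming distance from f to the nearest affine function."""
    return len(truth_table) // 2 - max(abs(v) for v in walsh(truth_table)) // 2


def coordinate(sbox, bit):
    """Truth table of one output bit of the S-box."""
    return [(y >> bit) & 1 for y in sbox]


PAGE_TT = [0, 1, 0, 1, 1, 1, 0, 0]  # the 3-input example of Section 3.1, inputs 000..111

if __name__ == "__main__":
    sbox = build_sbox()
    print("S(00), S(01), S(53):", [f"{sbox[x]:02x}" for x in (0x00, 0x01, 0x53)])
    print("ANF of the 3-input example:", anf_string(PAGE_TT))
    for bit in range(8):
        tt = coordinate(sbox, bit)
        print(f"output bit {bit}: degree {degree(tt)}, nonlinearity {nonlinearity(tt)}")
    # Inversion alone keeps 00 and 01 fixed; after the affine step no fixed point remains.
    print("fixed points of inversion:", [x for x in range(256) if gf_inv(x) == x])
    print("fixed points of the S-box:", [x for x in range(256) if sbox[x] == x])
```

The fixed-point comparison at the end gives one concrete starting point for the question of why the inverse of the byte is not used on its own.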
Tools that can analyze the security properties of S-boxes are:
• SageMath [66] (www.sagemath.org): S-boxes in Sage. There is a module called S-box that allows the algebraic treatment of S-boxes (sage: from sage.crypto.sbox import SBox), including algebraic degree, non-linearity, difference distribution table (DDT), balancedness, branch number and other properties of S-boxes.
• Picek, Peigen, SET (S-box Evaluation Tool) [68]: These customized tools provide a comprehensive checklist for designers.
Table 1: AES 8 × 8 S-box
     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
A   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
B   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
C   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
D   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
E   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
F   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
3.3 MDS Matrices
In cryptography, an MDS (Maximum Distance Separable) matrix is a matrix representing a function with certain diffusion properties that have useful applications. MDS matrices are widely used in SPN ciphers and also in Feistel ciphers. More recently, new MDS matrices have been proposed that allow efficient hardware implementations which can be computed in a single cycle.
The AES block cipher uses a 4×4 circulant MDS matrix, and the realized function is called Mix Column. In it, each of the 32 output bits is a linear function of some of the input bits. The following 4×4 matrix is the diffusion matrix that is multiplied with the 32-bit input, considered as 4 bytes $a_0, a_1, a_2$ and $a_3$, to get the 4-byte output $b_0, b_1, b_2, b_3$. Note that the entries in the matrix are bytes written in HEX form (as two nibbles).
$$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}$$
The output of the Mix Column operation is as follows:
$$b_0 = \{02\} \cdot a_0 \oplus \{03\} \cdot a_1 \oplus \{01\} \cdot a_2 \oplus \{01\} \cdot a_3$$
$$b_1 = \{01\} \cdot a_0 \oplus \{02\} \cdot a_1 \oplus \{03\} \cdot a_2 \oplus \{01\} \cdot a_3$$
$$b_2 = \{01\} \cdot a_0 \oplus \{01\} \cdot a_1 \oplus \{02\} \cdot a_2 \oplus \{03\} \cdot a_3$$
$$b_3 = \{03\} \cdot a_0 \oplus \{01\} \cdot a_1 \oplus \{01\} \cdot a_2 \oplus \{02\} \cdot a_3$$
Note that the bytes are treated as polynomials over GF(2). A byte $p = p_7 p_6 p_5 p_4 p_3 p_2 p_1 p_0$ is considered as the polynomial $p_7 x^7 + p_6 x^6 + p_5 x^5 + p_4 x^4 + p_3 x^3 + p_2 x^2 + p_1 x + p_0$. Note that $p_7, p_6, \ldots, p_0$ are all bits. Similarly, {03} corresponds to the byte 00000011 = $x + 1$. The multiplication of $a_i$ with another polynomial needs to be reduced modulo the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$. This is possible by noting that $x^8 \bmod (x^8 + x^4 + x^3 + x + 1) = x^4 + x^3 + x + 1$ = 1B, and so on up to $x^{14}$. Some exercises on Galois field multiplications need to be given to the students.
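As an added worked exercise (not code from the paper), the Python below builds the reduction values for x^8 up to x^14, applies the Mix Column equations to one column, and checks the MDS property by testing that every square submatrix of the diffusion matrix is nonsingular over GF(2^8). WEAK_MIX is a constructed counter-example and the sample column is a constructed input.

```python
# Added example: Mix Column arithmetic and an exact MDS check.
from itertools import combinations


def xtime(a):
    """Multiply a byte by x ({02}) and reduce modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def gmul(a, c):
    """Multiply byte a by byte c using shift-and-add built on xtime."""
    result = 0
    while c:
        if c & 1:
            result ^= a
        a, c = xtime(a), c >> 1
    return result


def x_power(k):
    """x^k reduced modulo the AES polynomial, returned as a byte."""
    value = 1
    for _ in range(k):
        value = xtime(value)
    return value


AES_MIX = [[2, 3, 1, 1],
           [1, 2, 3, 1],
           [1, 1, 2, 3],
           [3, 1, 1, 2]]

# Constructed circulant matrix that is invertible-looking but not MDS:
# rows 0 and 3 restricted to columns 0 and 1 form the singular block [[1,1],[1,1]].
WEAK_MIX = [[1, 1, 1, 2],
            [2, 1, 1, 1],
            [1, 2, 1, 1],
            [1, 1, 2, 1]]


def mat_vec(matrix, column):
    """Matrix-vector product over GF(2^8); addition is XOR."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(byte, coeff)
        out.append(acc)
    return out


def mix_column(column):
    return mat_vec(AES_MIX, column)


def det(m):
    """Determinant over GF(2^8) by Laplace expansion (no signs in characteristic 2)."""
    if len(m) == 1:
        return m[0][0]
    d = 0
    for j, value in enumerate(m[0]):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        d ^= gmul(value, det(minor))
    return d


def is_mds(m):
    """A square matrix is MDS exactly when every square submatrix is nonsingular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if det([[m[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True


def active_bytes(column):
    return sum(1 for byte in column if byte)


if __name__ == "__main__":
    print("x^8..x^14 mod M:", [f"{x_power(k):02x}" for k in range(8, 15)])
    sample = [0xDB, 0x13, 0x53, 0x45]          # constructed input column
    print("MixColumn:", [f"{b:02x}" for b in mix_column(sample)])
    # One changed input byte spreads to all four output bytes (branch number 5).
    print("active output bytes:", active_bytes(mix_column([0x01, 0, 0, 0])))
    print("AES matrix MDS:", is_mds(AES_MIX), "| weak matrix MDS:", is_mds(WEAK_MIX))
```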
3.4 Cryptanalysis Techniques
In the following subsections, we present a brief overview of the attacks that the student shall know, which are used to find the weaknesses and strengths of block ciphers.
(a) Brute force attack: It is a standard known-ciphertext or known-plaintext attack [3] in which the attacker tries all possible keys and verifies which ones give the correct plaintext–ciphertext pair. The only real optimization that helps brute force is to divide the key space into parts and distribute them among multiple processors or cluster computers having GPU/FPGA cards.
(b) Linear cryptanalysis: Linear cryptanalysis is a known-plaintext attack and an efficient attack for the cryptanalysis of block ciphers, introduced by Matsui in 1994 [49]. In this attack, the attacker finds probabilistic linear relations between the plaintext, the ciphertext, and the secret key. Given an approximation with high probability, the attacker obtains an estimate for secret key bits by correlating known plaintext and ciphertext bits. To find more secret key bits, the attacker combines other techniques.
(c) Differential cryptanalysis: It is another important attack on block ciphers, introduced by E. Biham and A. Shamir [50]. It is a chosen-plaintext attack and focuses on the difference between two related plaintexts as they are encrypted under the same key. It is based on observing the difference in the ciphertexts C, C′ corresponding to plaintexts P, P′ that satisfy a chosen difference. Although p ⊕ k and p′ ⊕ k are unknown (p, p′ plaintext bits), the attacker still knows their difference irrespective of the key value k.
(d) Related-key attacks: A related-key attack [51] is an attack under the particular hypothesis that the attacker is able to learn the encryption of some plaintexts not only under the original (unknown) key K but also under some derived keys K* = f(K).
(e) Boomerang-rectangle attacks: The boomerang
attack [52] is a differential-style attack in which the
attacker does not try to cover the whole cipher with
a single highly-probable differential pattern. Instead,
the attacker tries to find two high-probability patterns that are not necessarily related to each other
but together cover the whole cipher. In its basic version, it requires the ability to make chosen-plaintext
and chosen-ciphertext queries.
(f) Algebraic cryptanalysis: Algebraic attack [53] is the
process of breaking the cipher by solving polynomial
systems of equations. The basic idea [54] is to model
a cipher using a system of polynomial equations over
a finite field and the system of polynomial equations
is solved to retrieve either a key or a plaintext. Polynomial system solving is the problem of finding a
solution to a system of polynomial equations over
some field F.
(g) Other attacks: In addition to the above attacks,
there is a growing catalog of attacks [42]: truncated
differential cryptanalysis, partial differential cryptanalysis, integral cryptanalysis, which encompasses
square and integral attacks, slide attacks, the XSL
attack, impossible differential cryptanalysis.
Exercises to the students on deriving the linear approximation table, difference distribution table, algebraic model of the S-box, etc. shall be given, and inference from the results shall be taught. In an advanced-level course, exercises on various types of attacks need to be given on some block ciphers.
For the above, cryptanalysis tools for practice and for testing block cipher strength are available, with code, at https://github.com/Deadlyelder/Tools-for-Cryptanalysis.
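For the table-derivation exercises mentioned above, the following added example (not from the paper or from the linked repository) computes the difference distribution table and linear approximation table of a 4-bit S-box and compares a well-designed S-box with a weak one. The PRESENT S-box values are taken from that cipher's public specification, not from this page; LINEAR_SBOX is a constructed weak S-box.

```python
# Added example: DDT and LAT of 4-bit S-boxes, good versus weak.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed weak S-box: a one-bit rotation of the nibble, linear over GF(2).
LINEAR_SBOX = [((x << 1) | (x >> 3)) & 0xF for x in range(16)]


def parity(value):
    return bin(value).count("1") & 1


def ddt(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def lat(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - size/2; 0 means no linear bias."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            matches = sum(parity(a & x) == parity(b & sbox[x]) for x in range(size))
            table[a][b] = matches - size // 2
    return table


def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences (smaller is better)."""
    return max(max(row) for row in ddt(sbox)[1:])


def linearity(sbox):
    """Largest |LAT| entry excluding the trivial mask pair (0, 0)."""
    table = lat(sbox)
    size = len(sbox)
    return max(abs(table[a][b]) for a in range(size) for b in range(size) if a or b)


def keyed_ddt_row(sbox, dx, key):
    """Output-difference counts of S(p ^ key) for input difference dx.

    The key cancels in (p ^ key) ^ (p ^ dx ^ key) = dx, so the row is the
    same for every key: this is the key-independence noted in item (c).
    """
    row = [0] * len(sbox)
    for p in range(len(sbox)):
        row[sbox[p ^ key] ^ sbox[p ^ dx ^ key]] += 1
    return row


def summarize(name, sbox):
    size = len(sbox)
    return (f"{name}: best differential probability "
            f"{differential_uniformity(sbox)}/{size}, "
            f"largest linear bias {linearity(sbox)}/{size}")


if __name__ == "__main__":
    print(summarize("PRESENT", PRESENT_SBOX))
    print(summarize("linear ", LINEAR_SBOX))
    rows = {tuple(keyed_ddt_row(PRESENT_SBOX, 0x9, k)) for k in range(16)}
    print("distinct DDT rows over all 16 keys:", len(rows))
```

A DDT entry of 16 or a LAT entry of ±8 for a 4-bit S-box means the relation holds with certainty, which is why the linear S-box offers no resistance to either analysis.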
4. FEISTEL NETWORK BASED CIPHERS
In this section, we discuss the familiar cryptographic designs Data Encryption Standard (DES) and KASUMI (Feistel networks) and CLEFIA (generalized Feistel network), and the cryptanalysis of these block ciphers.
4.1 Designs and Cryptanalysis
To achieve confusion and diffusion in any cryptosystem, the encryption process is divided into multiple iterations, and the input is divided into two halves $Lh_i$ (left) and $Rh_i$ (right). In round $i+1$, $Rh_i$ is sent into the round function along with the round key $K_{i+1}$, where each round key is generated from one master key using a key scheduling algorithm.
DES [3] is a block cipher – an algorithm that takes a fixedlength string of plaintext bits and transforms it through a
series of complicated operations into another ciphertext
bit string of the same length. In the case of DES, the block
size is 64 bits. The key consists of 64 bits; however, only
56 of these are actually used by the algorithm.
KASUMI [29] is a block cipher used in Universal Mobile
Telecommunications System (UMTS), and in Global System for Mobile Communications (GSM), KASUMI is
used in the A5/3 key stream generator and in GPRS in
the GEA3 key stream generator.
KASUMI [29] uses a 128-bit key and 64-bit input and output blocks and has an eight-round Feistel network. The KASUMI encryption function [29] is shown in Figure 4(a). It has 8 round functions. The FL and FO functions divide the 32-bit input data into two 16-bit halves. The FL is an irreversible bit manipulation while the FO function is an irreversible three round Feistel-like network.
Function FO: The FO function is a three-round Feistel structure which consists of three FI functions and key-adding stages. A 96-bit round key is given as input to the FO function in each round (48 subkey bits KI used in FI and 48 subkey bits KO in the key-adding stage). The structure of the FO function is given in Figure 4(b).
Function FI: FI is another 4-round Feistel design that uses two non-linear S-boxes, S7 (7×7 bit permutation) and S9 (9×9 bit permutation); it is given in Figure 4(b).
Function FL: The 32-bit input x of $FL(KL_i, x)$ is divided into two 16-bit halves, x = L||R. First, the left half of the input, L, is ANDed bitwise with the round key $KL_{i,1}$ and rotated left by one bit. The result is XORed with the right half of the input, R, to get the right half of the output. The structure of FL is shown in Figure 4(c).
KASUMI key schedule: The key schedule is simple: it divides the 128-bit secret key into 16-bit data blocks $K_i$ ($1 \le i \le 8$) and generates subkeys $K'_i$. Round keys are linearly derived from these eight key words $K = K_1 || K_2 || K_3 || K_4 || K_5 || K_6 || K_7 || K_8$. Round keys are generated by bitwise rotation to the left (ROL) by a fixed amount as follows:
$$KL_{i,1} = \mathrm{ROL}(K_i, 1)$$
$$KL_{i,2} = K'_{i+2}$$
$$KO_{i,1} = \mathrm{ROL}(K_{i+1}, 5)$$
$$KO_{i,2} = \mathrm{ROL}(K_{i+5}, 8)$$
$$KO_{i,3} = \mathrm{ROL}(K_{i+6}, 13)$$
$$KI_{i,1} = K'_{i+4}$$
$$KI_{i,2} = K'_{i+3}$$
$$KI_{i,3} = K'_{i+7}$$
Subkey index additions are cyclic, so that if i + j is greater than 8 one has to subtract 8 from the result to get the actual subkey index.
4.2 Performance and Security Level
In Table 2, we provide a summary of the performance of Feistel-based ciphers and their cryptanalysis status against several attacks.
The student shall be taught about such evaluation so that they can later design their own by benchmarking against these. There are some implementation benchmarks available [65] on various platforms like PCs, ARM processors, etc.
Figure 4: (a) KASUMI encryption. (b) FO and FI functions. (c) FL function
5. SUBSTITUTION-PERMUTATION NETWORK BASED CIPHERS
In cryptography, an SP-network, or substitution-permutation network (SPN), is a series of linked mathematical operations used in block cipher algorithms. In this section, we discuss the familiar cryptographic design of the Advanced Encryption Standard (AES) cipher.
5.1 Designs and Cryptanalysis
AES (Rijndael) [20]: For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits but three different key lengths: 128, 192 and 256 bits, with 10, 12 and 14 rounds.
AES Encryption [3,20]: For encryption, each round consists of the following four steps: (1) Substitute bytes (see in 3.1.2), (2) Shift rows (arranges the state in a matrix and then performs a circular shift for each row), (3) Mix columns (see in 3.1.3), and (4) Add round key (each of the 16 bytes of the state is XORed with each of the 16 bytes of a portion of the expanded key for the current round). The last step consists of XORing the output of the previous three steps with four words from the key schedule.
Table 2: Cryptanalysis status of Feistel ciphers
Cipher | Block/Key | Rounds | Best attack | Memory/Requirements | Attack complexity
DES [2] | 64/56 | 16 | Linear cryptanalysis | $2^{43}$ known plaintexts | $2^{39\text{–}43}$
Triple DES [3] | 64/168,112 | 48 | Known plaintext attack | $2^{32}$ known plaintexts, $2^{88}$ memory | $2^{90}$
Kasumi [56] | 64/128 | 8 | Related-key rectangle attack | $2^{60.8}$ chosen plaintexts | $2^{65.4}$
BLOWFISH [57] | 64/32-448 | 31 | Differential attack | up to 14 rounds broken |
GOST [58] | 64/256 | 32 | Single key attack | $2^{64}$ data | $2^{192}$
AES Key Expansion [20]: From the 128-bit master secret key, it derives the 128-bit round keys. The 128-bit input block is arranged as a state array of 16 bytes, laid out as a 4×4 array of bytes. The first four bytes of the encryption key constitute the word $w_0$, the next four bytes the word $w_1$, and so on.
• It expands the words [$w_0, w_1, w_2, w_3$] into 44 32-bit words that can be labeled $w_0, w_1, w_2, w_3, \ldots, w_{43}$.
• Of these, [$w_0, w_1, w_2, w_3$] are bitwise XORed with the input block before the round steps begin. This is called the whitening step.
• The remaining 40 words of the key schedule are used four words at a time in each of the 10 rounds.
For decryption, each round consists of Inverse shift rows, Inverse substitute bytes, Add round key, and Inverse mix columns.
5.2 Performance and Security Level
In Table 3, we provide a summary of the performance of SP-network-based ciphers and their security level against several attacks.
Table 3: SPN ciphers – cryptanalysis
Cipher | Block/Key | Rounds | Attack type | Memory/Requirements | Attack complexity
AES128 [31] | 128/128 | 10 | Biclique attack | | $2^{126.1}$
AES192/256 [31] | 128/192, 256 | 12, 14 | Related-key attacks | Data $2^{99.5}$ | $2^{189.7}$ and $2^{254.4}$
LED [30] | 64/64, 128 | 32, 48 | Differential attack | 12 rounds of LED-64, 32 rounds of LED-128 |
KLEIN [28] | 64/64, 80, 96 | 12, 16, 20 | Differential attack | Up to 10 rounds | $2^{41.4}$
MANTIS [41] | 64/tweak(128+64) | 14 | Differential attack | |
6. LIGHTWEIGHT CRYPTOGRAPHY
Lightweight cryptography [16,17,23] is a quickly evolving area of research interest in the community, and it is driven by the need to provide security or cryptographic measures to several applications. These lightweight cryptographic primitives are widely used on resource-constrained devices such as mobile communication devices (phones), smart cards, Internet of Things (IoT) [13] devices, RFID tags, and sensor networks. The major motivation for designing lightweight cryptographic primitives [18] is as follows: they are efficient when limited hardware resources are available, and they maintain a practical trade-off between security, efficient hardware performance, and low overall cost.
Several directions in the design of lightweight cryptographic systems [17] are proposed in the literature, including ARX-based designs, bit-sliced S-box-based designs, and simpler key schedules. ARX stands for simple operations such as modular addition (A), bitwise rotation (R), and exclusive-OR (X).
Several lightweight block ciphers [14,15,33,34,36,37,65], viz., Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, can be efficiently implemented on microcontroller platforms such as 8-bit AVR, 16-bit MSP430, and 32-bit ARM (Figure 5).
6.1 Designs and Cryptanalysis
In this subsection, we summarize the design of the lightweight cipher SIMON.
SIMON [38] was designed by the NSA and performs well
in software and hardware [35]. It supports several sizes
for key (64; 72; 96; 128; 144; 192; 256) and block (32; 48;
64; 96; 128) and number of rounds (32; 36; 42; 44; 52; 54;
68; 69; 72).
SIMON Encryption: It uses the classic Feistel design
on two n-bit halves for each round. Each round of
SIMON applies a non-linear, non-bijective function
$F : GF(2)^n \to GF(2)^n$ to the left half of the state, and
this is repeated for t rounds.
The operations used in the round function are bitwise XOR
($\oplus$), bitwise AND (&) and circular left shift ($S$), where
$S^a$ denotes a circular left shift by “a” bits. For round k, let
the left half of the input be $x_i$ and the right half be $y_i$;
then the round function $R_k()$ is given by
$R_k(x_{i+1}, y_{i+1}) = (y_i \oplus f(x_i) \oplus k_i,\ x_i)$, where
$f(x) = (S^1 x \,\&\, S^8 x) \oplus S^2 x$.
Figure 6(a) shows the encryption algorithm of one round
of SIMON.
Figure 5: AES encryption-decryption round
SIMON Key schedule: The key schedule of SIMON is
described as a function that operates on two, three,
or four n-bit word registers, depending on the size of
the master key. It performs two rotations to the right,
x >> 3 and x >> 1, and XORs the results together with
a fixed constant c. The m master key words, each of n bits
where m ∈ {2,3,4}, are used in the first iterations of key
scheduling, and hence the first mn round key bits equal
the master key. If the key is defined as $k_0, k_1$, the sequence
of round keys is

$$
k_{i+m} =
\begin{cases}
c \oplus (z_j)_i \oplus k_i \oplus (I \oplus S^{-1})(S^{-3} k_{i+1}), & m = 2 \\
c \oplus (z_j)_i \oplus k_i \oplus (I \oplus S^{-1})(S^{-3} k_{i+2}), & m = 3 \\
c \oplus (z_j)_i \oplus k_i \oplus (I \oplus S^{-1})(S^{-3} k_{i+3} \oplus k_{i+1}), & m = 4
\end{cases}
$$

for m = 2, 3, 4 respectively and $c = 2^n - 4$. Note
that $I$ is the $n \times n$ identity matrix. The constant sequence is
obtained from a 5-bit LFSR loaded with an initial
5-bit value. Depending on the key length, there are
sequences $z_i$ for i = 1,..,4. For example, $z_0$ is as follows:
z0 = 11111010001001010110000111001101111101000100101011000011100110.
It has the same 31-bit sequence repeated twice. The constant
bit $z_i$ operates once in each round on the LSB of the key.
Figure 6: (a) SIMON – round function. (b) The SIMON three key
expansion
For decryption, the ciphertexts are swapped and round
keys are used in reverse order. Independent cryptanalysis
efforts on SIMON [39,40] present a series of observations on the cipher’s construction and attacks on reduced-round
versions. Differential fault attacks on SIMON are
presented in [39].
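The round function and key schedule described above, written out in Python as an added example that is not code from the paper or from the SIMON designers. It instantiates Simon32/64 (n = 16, m = 4, 32 rounds) because that variant uses the z0 sequence printed above; the function names are assumptions, and the key, plaintext and ciphertext in `simon32_64_vector` are the published test vector from the designers' specification [38], not values from this page.

```python
# Added example: SIMON round function and key schedule (Python 3, stdlib only).
Z0 = "11111010001001010110000111001101111101000100101011000011100110"  # z0 as printed above

def rol(x, r, n):
    """Circular left shift S^r on an n-bit word."""
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def ror(x, r, n):
    """Circular right shift S^-r on an n-bit word."""
    return rol(x, n - r, n)

def f(x, n):
    """Non-linear part of the round: (S^1 x & S^8 x) xor S^2 x."""
    return (rol(x, 1, n) & rol(x, 8, n)) ^ rol(x, 2, n)

def expand_key(master, n, rounds, z=Z0):
    """master = [k0, ..., k_{m-1}] with m in {2, 3, 4}; returns all round keys."""
    m = len(master)
    if m not in (2, 3, 4):
        raise ValueError("SIMON uses 2, 3 or 4 master key words")
    c = (1 << n) - 4                      # c = 2^n - 4
    k = list(master)                      # first m round keys are the master key
    for i in range(rounds - m):
        t = ror(k[i + m - 1], 3, n)       # S^-3 k_{i+m-1}
        if m == 4:
            t ^= k[i + 1]                 # extra term only in the m = 4 case
        t ^= ror(t, 1, n)                 # apply (I xor S^-1)
        k.append(c ^ int(z[i % 62]) ^ k[i] ^ t)
    return k

def encrypt(x, y, round_keys, n):
    """x is the left half, y the right half of the block."""
    for rk in round_keys:
        x, y = y ^ f(x, n) ^ rk, x
    return x, y

def decrypt(x, y, round_keys, n):
    """Swap the halves, run the same round with keys reversed, swap back."""
    x, y = y, x
    for rk in reversed(round_keys):
        x, y = y ^ f(x, n) ^ rk, x
    return y, x

def simon32_64_vector():
    """Simon32/64 test vector from the designers' specification (ref. [38])."""
    rks = expand_key([0x0100, 0x0908, 0x1110, 0x1918], n=16, rounds=32)
    ct = encrypt(0x6565, 0x6877, rks, 16)
    return ct, decrypt(*ct, rks, 16)

if __name__ == "__main__":
    ct, pt = simon32_64_vector()
    print("ciphertext:", [hex(w) for w in ct], "decrypted:", [hex(w) for w in pt])
```

Only the variants that use z0 can be checked against published vectors with this constant; the other block and key sizes need their own z sequence, which this page does not print.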
6.2 Performance and Security Level
In Table 4, we provide a summary of the performance of
lightweight block ciphers and their security level against
several attacks.
7. PERFORMANCE METRICS
In this section, we present performance and the benchmarking results of three primary metrics, namely execution time, run-time memory (i.e. RAM) consumption,
and technology.
Table 4: Performance comparison of light-weight block ciphers

| Cipher | Key size (bits) | Block size (bits) | Area [GE] | Throughput (Kb/sec) | Technology (μm) | Type | SW/HW target |
|---|---|---|---|---|---|---|---|
| SIMON [59] | 128 | 64 | 1000 | 16.7 | - | Feistel | HW, SW |
| SPECK [60] | 128 | 64 | 1127 | 13.8 | - | Feistel | SW, HW |
| Kasumi [56] | 128 | 64 | - | - | - | Feistel | - |
| PRESENT [64] | 80 | 64 | 1,075 | 11.4 | 0.18 | SPN | HW |
| Piccolo [62] | 128 | 64 | 758 | 12.1 | 0.13 | Feistel | HW |
| LED-128 | 128 | 64 | 700 | 3.4 | 0.18 | SPN | HW, SW |
| GOST [58] | 256 | 64 | 651 | 24.24 | 0.18 | Feistel | SW, HW |
| AES [31] | 128 | 128 | 3400 | 12.4 | 0.38 | SPN | SW, HW |
| HummingBird-2 [61,63] | 128 | 16 | 2159 | - | 0.13 | Hybrid | HW |
Table 5: Cryptanalysis state of the art of light-weight ciphers

| Cipher | Block/Key | Rounds | Attack type | Memory requirements | Attack complexity |
|---|---|---|---|---|---|
| SIMON [59] | 32, 48, .., 128 / 64, 72, .., 256 | 32, 36, .., 72 | Differential cryptanalysis | 46 Rds of Simon128/128 with $2^{125.6}$ data, $2^{40.6}$ memory | $2^{125.7}$ |
| SPECK [60] | 32, 48, .., 128 / 64, .., 256 | 22–34 | Differential cryptanalysis | $2^{125.35}$ data on Speck128/128 | $2^{125.35}$ |
| Piccolo [62] | 64 / 80, 128 | 25, 31 | Biclique attack | Piccolo-80; data $2^{48}$ | $2^{78.95}$ and $2^{126.79}$ |
| Humming bird [61] | 16 / 128, 64-bit IV | - | chosen-IV attack | $2^{64}$ off-line data | $2^{64}$ |
Light-weight cipher implementation in software or on
microcontrollers can be given as undergraduate projects
and used in some IoT applications (Table 5).
8. CONCLUSION
The field of modern cryptography provides a theoretical foundation based on which we may understand what
exactly these problems are, how to evaluate protocols
that purport to solve them, and how to build protocols
in whose security we can have confidence. Lightweight
cryptography has been an active area for the last few years,
driven by the lack of primitives capable of running on devices
with very low computing power. In this paper, we have
presented a survey of some of the modern block
ciphers with their structure designs and security levels.
We have pointed out the topics that need to be taught
to some depth within the available time of the term.
We also discussed cryptanalysis of the Feistel, SPN, and
lightweight ciphers and performance constraints so that
the students can benchmark their implementations and
be aware of what the industry needs.
The suggested course structure has been tried on a few
batches of trainees at the author’s institute.
ACKNOWLEDGEMENT
The author thanks the Editor-in-Chief, IETE Journal of Education, for his invitation to write this tutorial review paper. This
paper would not have been possible without his exceptional
inputs.
DISCLOSURE STATEMENT
No potential conflict of interest was reported by the author(s).
REFERENCES
1. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, 1997. ISBN 978-0-8493-8523-0.
2. E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems.” J. Cryptol., Vol. 4, no. 1, pp. 3–72, 1991.
3. L. R. Knudsen and M. J. B. Robshaw, The Block Cipher Companion, Springer, 2011. ISBN 978-3-642-17341-7.
4. B. Schneier (1996). Applied Cryptography, 2nd ed. New York: Wiley. ISBN 978-0-471-11709-4.
5. “Internet security glossary.” Internet Engineering Task Force. May 2000. RFC 2828. Retrieved 26 March 2015.
6. D. Wagner and B. Schneier, “Analysis of the SSL 3.0 protocol” (PDF). The Second USENIX Workshop on Electronic Commerce Proceedings. USENIX Press. pp. 29–40, November 1996.
7. E. Rescorla. SSL and TLS: Designing and Building Secure Systems. Boston: Addison-Wesley Pub Co, 2001. ISBN 978-0-201-61598-2.
8. B. Daniel and M. David, “AES-CCM cipher suites for Transport Layer Security (TLS),” tools.ietf.org. Retrieved 2017-10-26.
9. “TCP (Transmission Control Protocol),” Retrieved 2019-06-26.
10. “Cipher Suites in TLS/SSL (Schannel SSP) (Windows),” docs.microsoft.com. Retrieved 2018-07-02.
11. https://datatracker.ietf.org/wg/tls/documents/
12. https://www.acunetix.com/blog/articles/establishing-tlsssl-connection-part-5/
13. E. Borgia, “The Internet of Things vision: Key features, applications and open issues,” Comput. Commun., Vol. 54, pp. 1–31, 2014.
14. F. Karakoç, A. Hüseyin Demirci, and E. Harmancı. “ITUbee: A software oriented lightweight block cipher, lightweight cryptography for security and privacy: LightSec 2013,” volume 8162 of LNCS, pages 16–27, Berlin, Heidelberg, 2013.
15. A. Bogdanov, L. R. Knudsen, G. Le, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, and C. Vikkelsoe, “Present: An ultra-lightweight block cipher,” in: Proceedings of Workshop on Cryptographic Hardware and Embedded Systems (CHES), Springer, 2007.
16. S. Panasenko and S. Smagin. “Lightweight cryptography: Underlying principles and approaches,” Int. J. Comput. Theory Eng., Vol. 3, pp. 516–520, 2011.
17. A. Biryukov and L. Perrin. “State of the art in lightweight symmetric cryptography,” IACR Cryptol. EPrint Archive, pp. 1–55, 2017.
18. T. Eisenbarth, S. Kumar, C. Paar, A. Poschmann, and L. Uhsadel. “A survey of lightweight cryptography implementations,” IEEE Design Test Comput. (Special Issue on Secure ICs for Secure Embedded Computing), Vol. 24, no. 6, pp. 522–33, November/December 2007.
19. P. Junod and S. Vaudenay. “Perfect diffusion primitives for block ciphers,” in Handschuh H., Hasan M.A. (eds) Selected Areas in Cryptography. SAC 2004. Lecture Notes in Computer Science, Vol. 3357. Berlin: Springer, 2004.
20. J. Daemen and V. Rijmen. “The design of Rijndael,” in Information Security and Cryptography. Heidelberg: Springer, 2002, pp. XVII, 238. Hardcover ISBN 978-3-540-42580-9.
21. D. Dinu, Y. L. Corre, D. Khovratovich, L. Perrin, J. Großschädl, and A. Biryukov, “Triathlon of lightweight block ciphers for the Internet of Things,” J. Cryptogr. Eng., Vol. 9, pp. 283–302, 2019.
22. M. Katagi and S. Moriai, “Lightweight cryptography for the Internet of Things.” Available: https://iab.org/wp-content/IAB-uploads/2011/03/Kaftan.pdf
23. T. Suzaki, K. Minematsu, S. Morioka, and E. Kobayashi, “TWINE: A lightweight block cipher for multiple platforms,” SAC 2012.
24. E. Borgia, “The Internet of Things vision: Key features, applications and open issues,” Comput. Commun., Vol. 54, pp. 1–31, 2014.
25. A. Murphy and D. Murphy, “The role of cryptography in security for electronic commerce,” ITB J., Vol. 2, no. 1, 2001, Article 3. DOI: 10.21427/D7B32.
26. N. M. A. Al-Slamy, “E-Commerce security”, IJCSNS Int. J. Comput. Sci. Network Security, Vol. 8, no. 5, pp. 340–344, May 2008.
27. S. Yasin, “Cryptography based E-commerce security: A review,” IJCSI Int. J. Computer Sci. Issues, Vol. 9 (2), no. 1, pp. 132–137, 2012.
28. Z. Gong, S. I. Nikova, and Y. W. Law, (2010). “KLEIN: A new family of lightweight block ciphers. (CTIT Technical Report Series; No. TR-CTIT-10-33),” Centre for Telematics and Information Technology (CTIT), Enschede.
29. General Report on the Design. “Specification and evaluation of 3GPP standard confidentiality and integrity algorithms (PDF),” 3GPP. 2009.
30. I. Nikolíc, L. Wang, and S. Wu, “Cryptanalysis of round-reduced LED,” Available: https://eprint.iacr.org/2015/429.pdf
31. A. Bogdanov, D. Khovratovich, and C. Rechberger. “Biclique cryptanalysis of the full AES” (PDF). Archived from the original (PDF) on March 6, 2016. Retrieved May 1, 2019.
32. A. Webster and S. Tavares, “On the design of S-boxes, advances in cryptology CRYPTO-1985, LNCS218,” Springer-Verlag, 1985.
33. A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, and A. Poschmann, “PRESENT: An ultra-lightweight block cipher, cryptographic hardware and embedded systems, CHES 2007,” Springer, LNCS, 4727, 2007, pp. 450–66.
34. X. Lai and J. L. Massey, “A proposal for a new block encryption standard, advances in cryptology EUROCRYPT ‘90,” Springer, LNCS, 473, 1991, pp. 389–404.
35. O. Tigli, “Area efficient ASIC implementation of IDEA (International data encryption standard),” Best design for ASIC implementation of IDEA, GMU 2003.
36. D. Khovratovich, G. Leurent, and C. Rechberger, “Narrow-bicliques: Cryptanalysis of full IDEA, EUROCRYPT 2012,” Springer, LNCS, 7237, 2012, pp. 392–410.
37. D. Hong et al., “HIGHT: A new block cipher suitable for low-resource device. Cryptographic hardware and embedded systems,” CHES 2006, Springer, LNCS, 4249, 2006, pp. 46–59.
38. R. Beaulieu, S. Douglas, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, “The SIMON and SPECK families of lightweight block ciphers,” IACR Cryptology ePrint Archive, 2013, 404.
39. H. Tupsamudre, S. Bisht, and D. Mukhopadhyay, “Differential fault analysis on the families of SIMON and SPECK ciphers,” IACR Cryptology ePrint Archive, 2014.
40. F. Abed, E. List, S. Lucks, and J. Wenzel, “Cryptanalysis of the SPECK family of block ciphers,” IACR Cryptology ePrint Archive, 2013.
41. C. Beierle, J. Jean, S. Kolbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, and S. M. Sim, “The SKINNY family of block ciphers and its low-latency variant MANTIS,” in Annual Cryptology Conference, Springer, Berlin, Heidelberg, pp. 123–53, August, 2016.
42. D. Hong, B. Koo, and D. Kwon, “Biclique attack on the full HIGHT,” in Information security and cryptology-ICISC 2011, H. Kim, Ed. Berlin: Springer, 2012, pp. 365–74.
43. E. Biham, O. Dunkelman, N. Keller, and A. Shamir, “New attacks on IDEA with at least 6 rounds,” J. Cryptol., Vol. 28, no. 2, pp. 209–39, 2011.
44. C. E. Shannon, “Communication theory of secrecy systems,” Bell System Technical Journal 28 (1949), see in particular page 704.
45. M. Luby and C. W. Rackoff, “How to construct pseudorandom permutations from pseudorandom functions,” SIAM J. Comput., Vol. 17, no. 2, pp. 373–86, April 1988.
46. J. Patarin, “Generic attacks on Feistel schemes; Asiacrypt 2001, LNCS 2248,” Springer, pp. 222–38.
47. S. Vaudenay, “Provable security for block ciphers by decorrelation,” Technical Report LIENS98-8 of the Laboratoire d’Informatique de l’Ecole Normale Supérieure, 1998. Available: http://lasecwww.epfl.ch/query.msql?ref=Vau98b
48. F.-X. Standaert, G. Piret, and J.-J. Quisquater, “Cryptanalysis of block ciphers: A survey,” Computer Science 2002. Available: https://perso.uclouvain.be/fstandae/PUBLIS/U1.pdf.
49. M. Matsui, “Linear cryptanalysis method for DES cipher,” Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT’93, pp. 386–97, 1993.
50. E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard. Springer Verlag, 1993, ISBN: 0-387-97930-1, 3-540-97930-1.
51. E. Biham, O. Dunkelman, and N. Keller, “The Rectangle Attack, rectangling the Serpent,” in Proceedings of EUROCRYPT 2001, Lecture Notes in Computer Science 2045 p.340-ff, Springer-Verlag.
52. D. Wagner, “The Boomerang Attack,” in Proceedings of FSE’99, LNCS 1636, p. 156 ff, Springer-Verlag.
53. N. Courtois and J. Pieprzyk, “Cryptanalysis of block ciphers with overdefined systems of equations,” in Proceedings of Asiacrypt 2002, LNCS, Springer-Verlag.
54. G. V. Bard, N. Courtois, J. Nakahara Jr., Pouyan Sepehrdad, and Bingsheng Zhang, “Algebraic, AIDA/cube and side channel analysis of KATAN family of block ciphers,” INDOCRYPT 2010: 176–96.
55. J. Borst, B. Preneel, and J. Vandewalle, “Linear cryptanalysis of RC5 and RC6,” In Fast Software Encryption. Springer Berlin Heidelberg, 1999, January, pp. 16–30.
56. E. Biham, O. Dunkelman, and N. Keller, “A related-key rectangle attack on the full KASUMI. ASIACRYPT 2005,” pp. 443–61. Archived from the original (ps) on 2013-10-11.
57. O. Kara and C. Manap, “A new class of weak keys for blowfish” (PDF). FSE 2007. Archived (PDF) from the original on 2016-10-05, March 2007.
58. I. Dinur, O. Dunkelman, and A. Shamir, “Improved attacks on Full GOST.” Lect. Notes Comput. Sci. Vol. 7549 (Fast Software Encryption), pp. 9–28, 2012.
59. F. Abed, E. List, S. Lucks, and J. Wenzel, “Differential and linear cryptanalysis of reduced-round Simon.” Available: https://eprint.iacr.org/2013/526
60. S. Ling, Z. Huang, and Q. Yang, “Automatic differential analysis of ARX block ciphers with application to SPECK and LEA” (PDF). Retrieved 2018-05-06, 2016.
61. Y. Wang, W. Wu, and X. Yu, “Biclique cryptanalysis of reduced-round piccolo block cipher,” in Information Security Practice and Experience, M. D. Ryan, B. Smyth, and G. Wang, Eds. Berlin: Springer, 2012, pp. 337–52.
62. N. Courtois, G. Bard, and D. Wagner, “Algebraic and slide attacks on KeeLoq,” Fast Software Encryption, FSE’08, LNCS 5086, 2008, pp. 97–115.
63. Q. Chai and G. Gong, “A cryptanalysis of HummingBird-2: The differential sequence analysis,” Available: https://eprint.iacr.org/2012/233.pdf
64. F. Sereshgi, M. Hossein, D. Mohammad, and S. Mohsen. “Biclique cryptanalysis of MIBS-80 and PRESENT-80 block ciphers.” Security Commun. Networks, Vol. 9, pp. 27–33, 2015.
65. https://www.cryptolux.org/index.php/Lightweight_Cryptography.
66. W. A. Stein, et al. “Sage Mathematics Software (Version 5.10),” The Sage Development Team, 2013, Available: http://www.sagemath.org
67. F. Lafitte, “The Boolfun package: Cryptographic properties of Boolean functions,” 2013.
68. Z. Bao, J. Guo, S. Ling, and Y. Sasaki, “SoK: Peigen – a platform for evaluation, implementation, and generation of S-boxes,” Cryptology ePrint Archive: Report 2019/209.
Author
Appala Naidu Tentu is Senior Assistant
Professor at CR Rao Advanced Institute of Mathematics, Statistics, and Computer Science (AIMSCS), University of
Hyderabad Campus, Hyderabad. Before
this, he worked as Research Scientist
and also worked as Project Engineer at
CSIR-CMMACS, NAL Bangalore. Tentu
obtained his PhD in Computer Science
and Engineering (specialization in Cryptography and Information Security) from JNTU Hyderabad and CR Rao AIMSCS,
University of Hyderabad. He received his Master of Technology (MTech) from National Institute of Technology, Suratkal
(NITK), Karnataka. His research interests are in the areas of
cryptography, cryptanalysis, design of security protocols and
high-performance computing. He executed a couple of projects
for Intelligence agencies, Govt of India. He has published about
20 research publications in various International Journals and
Conference proceedings. He is a member of the International Association for Cryptology Research (IACR) and a life member of the
Cryptology Research Society of India (CRSI).
Corresponding author. Email: naidunit@gmail.com
