The document provides an overview of elementary cryptography concepts including:
- Substitution and transposition ciphers such as the Caesar, Playfair and Vigenère ciphers, together with frequency analysis and other cryptanalysis techniques.
- The Data Encryption Standard (DES), which encrypts data in 64-bit blocks using a 56-bit key and 16 rounds of processing.
- Double and Triple DES, and the key-length issues that led to DES being broken by brute force. Linear and differential cryptanalysis are also introduced.
- The AES cipher (Rijndael): its state, round transformations and key expansion.
- Public-key encryption, which uses asymmetric key pairs so that encryption and decryption use different keys, with RSA as the worked example.
Introduction to Elementary Cryptography, covering basic terminology such as plaintext, ciphertext, keys, enciphering, deciphering, cryptanalysis, and cryptology.
Discusses two kinds of ciphers: symmetric (a common key shared between sender and receiver) and public-key ciphers (asymmetric key structure).
Explains symmetric encryption, describing the model, the requirements for its secure use, and the processing methods (block vs. stream).
Focuses on substitution ciphers, including classical ciphers like the Caesar cipher, its transformation, and its weakness against brute-force cryptanalysis.
Explains monoalphabetic and polyalphabetic ciphers, including the Playfair and Vigenère ciphers, their structures, security properties, and examples.
Details transposition ciphers, demonstrating methods like rail fence and row transposition, which obscure messages by reordering letters without altering them.
Highlights the concept of product ciphers, which combine substitutions and transpositions to build stronger encryption.
Discusses the DES algorithm, its operation, security weaknesses, cracking timeframes, and issues with key lengths over time. Covers linear cryptanalysis principles and examples, and the steps of differential cryptanalysis, emphasizing their application in breaking ciphers.
Introduces the AES algorithm, its structure, and processes, detailing the transformations applied to the state: byte substitution, row shifting, column mixing and round-key addition.
Explains AES key expansion, its resistance to known attacks, its efficiency on CPUs, and the differences between encryption and decryption.
Defines asymmetric encryption, its process using public and private keys, and the importance of keeping the private key secret in sender-receiver scenarios.
Introduces the RSA algorithm, including its key generation process and encryption/decryption examples, highlighting public/private key usage. Illustrates everyday uses of encryption in securing logins, web transactions, ATMs, storage media, and communication devices.
Thank-you note concluding the presentation on elementary cryptography.
Basic Terminology
• Plaintext - Original human-readable message
• Ciphertext - Encrypted message
• Cipher - Algorithm for transforming plaintext into ciphertext and vice versa
• Key - Secret information used by the cipher, known only to sender and receiver
• Encipher (Encryption) - Converting plaintext to ciphertext
• Decipher (Decryption) - Recovering plaintext from ciphertext
• Cryptography - Study of encryption principles/methods
• Cryptanalysis (code-breaking) - Study of principles and methods of
deciphering ciphertext without knowing the key
• Cryptology - Field comprising both cryptography and cryptanalysis
Two kinds of Ciphers
• State-of-the-art: the two most popular kinds of encryption algorithm are:
• Symmetric or secret-key ciphers
• Sender and receiver share a common key.
• Public-key ciphers
• Sender and receiver hold different (asymmetric) key information.
Symmetric Encryption
• Also known as conventional / private-key / single-key encryption.
• The only type prior to the invention of public-key cryptography in the 1970s.
• Sender and recipient share a common key.
• Both parties have full knowledge of the key.
• All classical encryption algorithms are common-key (private-key) algorithms; this is the
defining characteristic of conventional algorithms.
Requirements
• Two requirements for secure use of symmetric encryption are:
• A strong encryption algorithm (an opponent who knows the algorithm and has ciphertext must be unable to decrypt it or recover the key; keeping the key secret is then sufficient for security).
• A secret key known only to sender / receiver.
Y = EK(X)
X = DK(Y)
• Assumption - the encryption algorithm is known to the opponent (Kerckhoffs's principle); only the key is secret.
• Implies the need for a secure channel to distribute the key.
Cryptography
• Can characterize a cipher by:
• Type of encryption operations used.
• Substitution / transposition / product systems
• Number of keys used.
• Single-key or private / two-key or public
• Way in which plaintext is processed.
• Block: process one block of elements at a time
• Stream: continuous input, output one element at a time
Classical Ciphers
• Examine a sampling of what might be called classical encryption
techniques.
• Illustrate the basic approaches to symmetric encryption and the types
of cryptanalytic attacks that must be anticipated.
• The two basic building blocks of all encryption techniques:
substitution and transposition.
Classical Substitution Ciphers
• Letters of plaintext are replaced by other letters or by numbers or
symbols.
• Equivalently, if plaintext is viewed as a sequence of bits, then
substitution involves replacing plaintext bit patterns with ciphertext
bit patterns.
1. Caesar Cipher
• Earliest known substitution cipher.
• Proposed by Julius Caesar.
• First attested use in military affairs.
• Replaces each letter by the letter three places further down the alphabet.
• For example:
PT- meet me after the toga party
CT- PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher
• Can define the transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• Mathematically, give each letter a number:
a b c d e f g h i j k l m
0 1 2 3 4 5 6 7 8 9 10 11 12
n o p q r s t u v w x y z
13 14 15 16 17 18 19 20 21 22 23 24 25
• Then the Caesar cipher with shift k is:
C = E(p) = (p + k) mod 26
p = D(C) = (C - k) mod 26
• Modulo arithmetic wraps around the alphabet: 27 mod 26 = 1, 29 mod 26 = 3
Cryptanalysis of Caesar Cipher
• Only 26 possible keys (and k = 0 leaves the text unchanged).
• Could shift k = 0, 1, 2, ..., 25 places.
• Could simply try each in turn.
• A brute-force search.
• Given ciphertext, just try all shifts of the letters.
• Do need to recognize when the result is plaintext (e.g. it reads as English).
• Test: break the ciphertext
GCUA VQ DTGCM
2. Monoalphabetic Cipher
• Rather than just shifting the alphabet, could shuffle the letters
arbitrarily.
• Each plaintext letter maps to a different, randomly chosen ciphertext letter.
• Hence the key is 26 letters long.
Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security
• Now have a total of 26! ≈ 4 x 10^26 keys.
• With so many keys, one might think it is secure.
• The simplicity and apparent strength of the monoalphabetic substitution cipher
made it dominant for the first millennium AD.
• But that would be !!!WRONG!!!
• First broken by Arabic scientists in the 9th century, using letter frequencies.
Frequency Analysis
• Letters are not equally commonly used.
• In English e is by far the most common letter, then T, A, O, I, N, S, H, R.
• Other letters are fairly rare.
• cf. Z, J, K, Q, X
• Have tables of single, double & triple letter (monogram, digram, trigram) frequencies.
Use in Cryptanalysis
• Key concept - monoalphabetic substitution ciphers do not change
relative letter frequencies.
• Discovered by Arabian scientists in the 9th century.
• Calculate letter frequencies for the ciphertext.
• Compare counts/plots against the known values for the language.
• For a monoalphabetic cipher must identify each letter.
• Tables of common double/triple letters help.
Example Cryptanalysis
• Given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• Count relative letter frequencies (see text): P (16 of 120 letters, 13.3%) and Z (14, 11.7%) are the most common.
• Guess P & Z are e and t.
• Guess ZW is th and hence ZWP is the.
• Proceeding with trial and error finally get:
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the viet cong in moscow
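As an added example (not part of the original slides), the brute-force attack on the Caesar cipher and the first step of frequency analysis, in Python. The English letter-frequency table and the log-likelihood scoring used to "recognize plaintext" are my additions; the ciphertexts are the ones from the slides above.

```python
from collections import Counter
from math import log

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate relative frequencies of letters in English text (percent).
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}


def caesar_shift(text, k):
    """Shift every letter by k places (mod 26); non-letters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext, k=3):
    return caesar_shift(plaintext, k)


def caesar_decrypt(ciphertext, k=3):
    return caesar_shift(ciphertext, -k)


def letter_frequencies(text):
    """Count letters only, ignoring spaces and punctuation."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET)


def english_score(text):
    """Log-likelihood of the text under the English single-letter model.
    Higher is more English-like; this is how we 'recognize plaintext'."""
    return sum(log(ENGLISH_FREQ[ch] / 100.0)
               for ch in text.upper() if ch in ALPHABET)


def break_caesar(ciphertext):
    """Brute force: try all 26 shifts and rank them by English score.
    Returns a list of (shift, candidate_plaintext), best first."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    return sorted(candidates, key=lambda kc: english_score(kc[1]), reverse=True)


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party")
    print(ct)                      # PHHW PH DIWHU WKH WRJD SDUWB
    print(break_caesar(ct)[0])     # (3, 'MEET ME AFTER THE TOGA PARTY')
    print(caesar_decrypt("GCUA VQ DTGCM", 2))   # EASY TO BREAK
    # Monoalphabetic ciphertext from the slide: the two most frequent
    # ciphertext letters stand out and are the first guesses for e and t.
    slide_ct = ("UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
                "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
                "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ")
    print(letter_frequencies(slide_ct).most_common(4))   # P 16, Z 14, then S and U at 10
```

The scoring step matters more than the 26 trials: on very short ciphertexts (the 11-letter test above) the single-letter model can rank a wrong shift first, which is why the slide says you "need to recognize when you have plaintext" rather than just enumerate.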
3. Playfair Cipher
• Not even the large number of keys in a monoalphabetic cipher
provides security.
• One approach to improving security is to encrypt multiple letters at a time.
• The Playfair Cipher is an example.
• Invented by Charles Wheatstone in 1854, but named after his friend
Baron Playfair, who promoted its use.
Playfair Key Matrix
• A 5x5 matrix of letters based on a keyword (I and J share one cell).
• Fill in the letters of the keyword (dropping duplicates).
• Fill the rest of the matrix with the remaining letters in alphabetical order.
• E.g. using the keyword MONARCHY:
M O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
Encrypting and Decrypting
• Plaintext is encrypted two letters at a time:
1. If a pair is a repeated letter, insert a filler like 'X', e.g. "balloon" is split as "ba lx lo on".
2. If both letters fall in the same row, replace each with the letter to its right (wrapping back to the start
from the end), e.g. "ar" encrypts as "RM".
3. If both letters fall in the same column, replace each with the letter below it (again wrapping
to the top from the bottom), e.g. "mu" encrypts to "CM".
4. Otherwise, each letter is replaced by the letter in its own row and in the column of the other letter of
the pair, e.g. "hs" encrypts to "BP", and "ea" to "IM" or "JM" (as desired).
• Decryption applies the inverse rules (left / up instead of right / down; rule 4 is its own inverse).
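An added Python implementation of the four Playfair rules above (this is example code, not from the original slides). The keyword MONARCHY and the example digraphs are those on the slide; merging J into I and using Q as the filler when the doubled letter is itself X are my assumptions.

```python
import string


def playfair_matrix(keyword):
    """Build the 5x5 key square: keyword letters first (duplicates dropped),
    then the rest of the alphabet. I and J share one cell (assumption)."""
    seen = []
    for ch in (keyword + string.ascii_uppercase).upper():
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    assert len(seen) == 25
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def _positions(matrix):
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def playfair_digraphs(plaintext, filler="X"):
    """Rule 1: split into pairs, inserting a filler between repeated letters
    and padding an odd final letter."""
    letters = [("I" if ch == "J" else ch) for ch in plaintext.upper() if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            # Repeated letter: pair it with the filler and re-use the second copy.
            b = "Q" if a == filler else filler   # "XX" would otherwise never terminate
            i += 1
        else:
            i += 2
        pairs.append(a + b)
    return pairs


def _shift_pair(matrix, pos, a, b, direction):
    """direction=+1 encrypts (right/down), -1 decrypts (left/up)."""
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                                   # rule 2: same row
        return matrix[ra][(ca + direction) % 5] + matrix[rb][(cb + direction) % 5]
    if ca == cb:                                   # rule 3: same column
        return matrix[(ra + direction) % 5][ca] + matrix[(rb + direction) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]         # rule 4: rectangle (self-inverse)


def playfair_encrypt(plaintext, keyword):
    m = playfair_matrix(keyword)
    pos = _positions(m)
    return "".join(_shift_pair(m, pos, p[0], p[1], +1) for p in playfair_digraphs(plaintext))


def playfair_decrypt(ciphertext, keyword):
    """Undo the substitution; fillers inserted by rule 1 remain in the output."""
    m = playfair_matrix(keyword)
    pos = _positions(m)
    ct = [ch for ch in ciphertext.upper() if ch.isalpha()]
    return "".join(_shift_pair(m, pos, ct[i], ct[i + 1], -1) for i in range(0, len(ct), 2))


if __name__ == "__main__":
    for pt in ("ar", "mu", "hs", "ea", "balloon"):
        print(pt, "->", playfair_encrypt(pt, "MONARCHY"))
```

Note that the digram structure is exactly what the next slide attacks: the cipher maps each of the 676 plaintext digrams to a fixed ciphertext digram, so digram frequency tables replace letter frequency tables.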
Security of the Playfair Cipher
• Security much improved over monoalphabetic.
• Since there are 26 x 26 = 676 digrams.
• Would need a 676-entry frequency table to analyse (versus 26 for a
monoalphabetic), and correspondingly more ciphertext.
• Was widely used for many years (e.g. by the US & British military in WW1).
• It can be broken, given a few hundred letters.
• Since it still retains much of the plaintext structure.
4. Polyalphabetic Ciphers
• Another approach to improving security is to use multiple cipher
alphabets, called polyalphabetic substitution ciphers.
• Makes cryptanalysis harder with more alphabets to guess and a flatter
frequency distribution.
• Use a key to select which alphabet is used for each letter of the
message.
• Use each alphabet in turn.
• Repeat from the start after the end of the key is reached.
5. Vigenère Cipher
• The simplest polyalphabetic substitution cipher is the Vigenère Cipher.
• Effectively multiple Caesar ciphers.
• Key is d letters long: K = k1 k2 ... kd
• The ith letter of the key specifies the ith alphabet (Caesar shift) to use.
• Use each alphabet in turn.
• Repeat from the start after d letters of the message.
• Decryption simply works in reverse (subtract the key letter).
Security of Vigenère Ciphers
• Have multiple ciphertext letters for each plaintext letter.
• Hence letter frequencies are obscured, but not totally lost.
• Start with letter frequencies.
• See if they look monoalphabetic or not.
• If not, then need to determine the number of alphabets (the key period), since then can
attack each one separately as a Caesar cipher.
Kasiski Method
• Repetitions in the ciphertext give clues to the period.
• The same plaintext an exact multiple of the period apart produces the same ciphertext.
• E.g. the repeated "VTW" in the example below, 9 positions apart:
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
• Suggests a key length of 3 or 9.
• Find a number of duplicated sequences, collect all their distances apart, and look for common
factors.
• Then attack each monoalphabetic (Caesar) cipher individually using the same techniques as before.
6. Autokey Cipher
• Use the plaintext itself as part of the key.
• E.g. given the key deceptive, the key stream is the keyword followed by the plaintext:
key: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
• But still have frequency characteristics to attack, since both key and plaintext letters
follow English letter statistics.
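An added Python example (not from the original slides) covering the Vigenère and autokey ciphers above and the Kasiski step of collecting repeat distances. It reproduces the slide's "deceptive" example; the trigram length of 3 for the Kasiski search is my assumption.

```python
from math import gcd
from functools import reduce
from collections import defaultdict

A = ord("A")


def _clean(text):
    return "".join(ch for ch in text.upper() if ch.isalpha())


def vigenere_encrypt(plaintext, key):
    """Each key letter selects a Caesar shift; the key repeats every d letters."""
    pt, k = _clean(plaintext), _clean(key)
    return "".join(chr((ord(p) - A + ord(k[i % len(k)]) - A) % 26 + A)
                   for i, p in enumerate(pt))


def vigenere_decrypt(ciphertext, key):
    ct, k = _clean(ciphertext), _clean(key)
    return "".join(chr((ord(c) - A - (ord(k[i % len(k)]) - A)) % 26 + A)
                   for i, c in enumerate(ct)).lower()


def autokey_encrypt(plaintext, key):
    """Key stream = keyword followed by the plaintext itself (no repetition)."""
    pt = _clean(plaintext)
    return vigenere_encrypt(pt, (_clean(key) + pt)[:len(pt)])


def autokey_decrypt(ciphertext, key):
    ct, stream = _clean(ciphertext), list(_clean(key))
    out = []
    for i, c in enumerate(ct):
        p = chr((ord(c) - A - (ord(stream[i]) - A)) % 26 + A)
        out.append(p)
        stream.append(p)          # recovered plaintext extends the key stream
    return "".join(out).lower()


def kasiski_distances(ciphertext, n=3):
    """Distances between repeated n-grams; the key period divides most of them."""
    ct = _clean(ciphertext)
    seen = defaultdict(list)
    for i in range(len(ct) - n + 1):
        seen[ct[i:i + n]].append(i)
    distances = []
    for positions in seen.values():
        for j in range(1, len(positions)):
            distances.append(positions[j] - positions[j - 1])
    return sorted(distances)


def kasiski_period_guess(ciphertext, n=3):
    """GCD of all repeat distances: the period is this value or one of its divisors."""
    d = kasiski_distances(ciphertext, n)
    return reduce(gcd, d) if d else None


if __name__ == "__main__":
    ct = vigenere_encrypt("wearediscoveredsaveyourself", "deceptive")
    print(ct)                                  # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(kasiski_distances(ct), kasiski_period_guess(ct))   # [9] 9 -> period 3 or 9
    print(autokey_encrypt("wearediscoveredsaveyourself", "deceptive"))
```

With a real message the distance list is longer and contains spurious repeats; the common factor of most distances, not the GCD of all of them, is the period to try, after which each residue class modulo the period is broken as a Caesar cipher.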
7. One-Time Pad
• If a truly random key as long as the message is used, the cipher will be
secure.
• Called a One-Time Pad.
• It is unbreakable since the ciphertext bears no statistical relationship to the
plaintext.
• No repetition of patterns.
• Since for any plaintext & any ciphertext there exists a key mapping
one to the other.
• Can only use the key once, though, and still have the problem of safe distribution of
the key.
Transposition Ciphers
• Now consider classical transposition or permutation ciphers.
• These hide the message by rearranging the letter order without altering
the actual letters used.
• Can recognise these since the ciphertext has the same letter frequency distribution as the
original text.
1. Rail Fence Cipher
• Write the message letters out diagonally over a number of rows, then read
off the ciphertext row by row.
• E.g. write "meet me after the toga party" out over two rows as:
m e m a t r h t g p r y
 e t e f e t e o a a t
• Giving ciphertext
MEMATRHTGPRYETEFETEOAAT
2. Row Transposition Ciphers
• A more complex scheme.
• Write the letters of the message out in rows over a specified number of
columns.
• Then read the columns off in the order given by the key (column labelled 1 first, then 2, ...).
Key: 4 3 1 2 5 6 7
Plaintext: a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
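An added Python example (not from the original slides) of the two transposition ciphers above, plus the check that the letter histogram survives the transposition, which is what lets a cryptanalyst recognise one. The rail count of 2, the key 4 3 1 2 5 6 7 and padding with X are taken from or assumed for the slide's examples.

```python
from collections import Counter


def _letters(text):
    return "".join(ch for ch in text.upper() if ch.isalpha())


def rail_fence_encrypt(plaintext, rails=2):
    """Write the letters zig-zag over `rails` rows, then read row by row."""
    pt = _letters(plaintext)
    rows = [[] for _ in range(rails)]
    r, step = 0, 1
    for ch in pt:
        rows[r].append(ch)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return "".join("".join(row) for row in rows)


def row_transposition_encrypt(plaintext, key, pad="X"):
    """Write the message in rows of len(key) columns (padded), then read the
    columns out in the order given by the key: the column labelled 1 first."""
    pt = _letters(plaintext)
    cols = len(key)
    pt += pad * ((-len(pt)) % cols)
    rows = [pt[i:i + cols] for i in range(0, len(pt), cols)]
    order = sorted(range(cols), key=lambda j: key[j])   # column indices in read-out order
    return "".join(row[j] for j in order for row in rows)


def row_transposition_decrypt(ciphertext, key):
    """Slice the ciphertext back into columns and re-read the rows."""
    cols = len(key)
    nrows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda j: key[j])
    columns = {}
    for idx, j in enumerate(order):
        columns[j] = ciphertext[idx * nrows:(idx + 1) * nrows]
    return "".join(columns[j][r] for r in range(nrows) for j in range(cols)).lower()


def same_letter_histogram(plaintext, ciphertext):
    """Transposition leaves the letter frequency distribution unchanged."""
    return Counter(_letters(plaintext)) == Counter(_letters(ciphertext))


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))   # MEMATRHTGPRYETEFETEOAAT
    key = [4, 3, 1, 2, 5, 6, 7]
    ct = row_transposition_encrypt("attackpostponeduntiltwoamxyz", key)
    print(ct)                                    # TTNAAPTMTSUOAODWCOIXKNLYPETZ
    print(row_transposition_decrypt(ct, key))    # attackpostponeduntiltwoamxyz
    print(same_letter_histogram("attackpostponeduntiltwoamxyz", ct))   # True
```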
3. Product Ciphers
• Ciphers using only substitutions or only transpositions are not secure because of
language characteristics.
• Hence consider using several ciphers in succession to make it harder,
but:
• two substitutions make a more complex substitution
• two transpositions make a more complex transposition
• but a substitution followed by a transposition makes a new, much harder cipher
• This is the bridge from classical to modern ciphers.
4. Rotor Machines
• Multiple-stage substitution algorithms.
• Before modern ciphers, rotor machines were the most common product cipher.
• Were widely used in WW2.
• German Enigma, Allied Hagelin, Japanese Purple.
• Implemented a very complex, varying substitution cipher.
• Used a series of cylinders, each giving one substitution, which rotated and
changed after each letter was encrypted.
Basic Principles of Cryptography
• Principle 1 — The first step in solving any cryptographic problem is the formulation of a rigorous and precise
definition of security.
• Principle 2 — When the security of a cryptographic construction relies on an unproven assumption, this
assumption must be precisely stated. Furthermore, the assumption should be as minimal as possible.
• Principle 3 — Cryptographic constructions should be accompanied by a rigorous proof of security with
respect to a definition formulated according to principle 1, and relative to an assumption stated as in principle
2 (if an assumption is needed at all).
Data Encryption Standard (DES)
• The goal of DES is to completely scramble the data and key so that every
bit of ciphertext depends on every bit of data and every bit of key.
• DES is a block cipher algorithm.
• Encodes plaintext in 64-bit blocks.
• The 64-bit key has one parity bit in each of its 8 bytes, so the effective key is 56 bits.
• For decades it was the most widely used symmetric algorithm; it is now deprecated (NIST withdrew the standard in 2005).
• Adopted as a US federal standard (FIPS 46) by the National Bureau of Standards in 1977 for commercial and
non-classified US government use, and reaffirmed in 1993 (FIPS 46-2).
Data Encryption Standard (DES)
• Feistel structure: the 64-bit input is split into halves (L1, R1); round i computes
L(i+1) = Ri and R(i+1) = Li xor F(Ri, Ki), giving (L17, R17) after 16 rounds.
• Each 48-bit round key Ki (k1 ... k16) is derived from the 56-bit key.
• DES is run in reverse (same rounds, round keys in reverse order) to decrypt.
• Cracking DES
• 1997: 140 days (DESCHALL distributed search of the RSA challenge)
• 1999: 22 hours 15 minutes (distributed.net together with the EFF DES Cracker)
[Figure: DES round structure, 64-bit input, L1 R1 through L17 R17, F(Li, Ri, Ki) per round, 56-bit key expanded to 48-bit round keys k1 ... k16]
Double DES
• In this approach, we use two instances of the DES cipher for encryption and two
instances of the inverse cipher for decryption.
• Each instance uses a different key.
• The size of the key is doubled (2 x 56 = 112 bits).
• A natural worry is reduction to a single stage (some K3 with E(K3, P) = E(K2, E(K1, P)) for all P); this
does not happen, since DES is not a group.
• However, double DES is vulnerable to a meet-in-the-middle attack, which recovers (K1, K2) with about
2^57 DES operations and 2^56 table entries rather than 2^112 work.
• Given a plaintext P and two encryption keys K1 and K2, a ciphertext can be
generated as
C = E(K2, E(K1, P)).
• Decryption requires that the keys be applied in reverse order,
P = D(K1, D(K2, C)).
• The attack uses the fact that E(K1, P) = D(K2, C): tabulate the left side for every K1, then
compute the right side for every K2 and look for a match.
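An added example (not from the original slides) of the meet-in-the-middle attack on double encryption. DES itself is too large to search in a demo, so the block uses a toy 4-round Feistel cipher with a 16-bit block and a 12-bit key that I constructed for this purpose; the keys 0x3A5 and 0xC71 and the plaintext blocks are constructed sample values. The attack logic is exactly the one described above: tabulate E(K1, P) for all K1, then for each K2 look up D(K2, C).

```python
"""Meet-in-the-middle against double encryption, on a constructed toy cipher."""

KEY_BITS = 12
ROUNDS = 4


def _sbox(x):
    # Toy non-linear 8-bit mapping (not a permutation; a Feistel F need not be).
    return (x * x + 3 * x + 7) & 0xFF


def _round_keys(key):
    # Rotate the 12-bit key by 3*i bits for round i so every round sees every key bit.
    return [((key << (3 * i)) | (key >> (KEY_BITS - 3 * i))) & 0xFFF for i in range(ROUNDS)]


def _f(r, rk):
    return _sbox(r ^ (rk & 0xFF)) ^ (rk >> 4)


def toy_encrypt(block, key):
    """16-bit Feistel: (L, R) -> (R, L xor F(R, rk)) for each round key."""
    l, r = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (l << 8) | r


def toy_decrypt(block, key):
    """Inverse: undo the rounds with the round keys in reverse order."""
    l, r = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        l, r = r ^ _f(l, rk), l
    return (l << 8) | r


def double_encrypt(block, k1, k2):
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under the same (k1, k2).
    Cost: 2 * 2**KEY_BITS cipher calls plus a table of 2**KEY_BITS entries,
    instead of the 2**(2*KEY_BITS) calls a naive search of both keys needs."""
    p0, c0 = pairs[0]
    middle = {}                               # E(k1, P0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(toy_encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        m = toy_decrypt(c0, k2)               # D(k2, C0) must equal E(k1, P0)
        for k1 in middle.get(m, ()):
            # Chance collisions survive the first pair; the remaining known
            # pairs filter them out.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def demo(k1=0x3A5, k2=0xC71):
    plaintexts = [0x1234, 0xBEEF, 0x0042]     # constructed sample blocks
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])   # contains ('0x3a5', '0xc71')
```

With a 16-bit block and 12-bit keys the first pair leaves roughly 2^24 / 2^16 = 256 chance collisions, which is why two further known pairs are checked; for DES the same ratio gives 2^112 / 2^64 = 2^48 survivors after one pair, and a second pair brings the expected false positives down to 2^-16.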
Triple DES
• Uses three stages of DES for encryption and decryption.
• The 1st and 3rd stages use key K1 and the 2nd stage uses key K2 (two-key triple DES, 112-bit key).
• To make triple DES compatible with single DES, the middle stage uses
decryption on the encryption side and encryption on the decryption side,
C = E(K1, D(K2, E(K1, P))), so that setting K1 = K2 reduces it to single DES.
• It is much stronger than double DES: a naive meet-in-the-middle now costs about 2^112 instead of 2^57.
• Triple DES is itself now deprecated (NIST disallows it for new encryption after 2023).
Breaking DES
• Key length issues
• originally 56 bits
• in 1977 Diffie and Hellman designed a machine to break DES by brute-force
attack
• estimated cost $20 million, successful break in 12 hours (on average)
• cost / time to break depending on key length, as estimated in 1996:
• 40-bit ($10M / 0.02 sec, $10k / 12 min, $400 / 5 hours)
• 56-bit ($10M / 21 min, $10k / 556 days, $400 / 38 years)
• 168-bit ($10M / 10^17 years, $10k / 10^19 years, $400 / too long)
• in 1998 the EFF built a special-purpose engine
• the DES Cracker, for $250k, finding a key in 4.5 days on average
• in 1996 the minimal recommended key length was 90 bits to provide security
through 2016; in 2000, 128 bits was considered a good key length
Linear Cryptanalysis
Notation-
• P = plaintext
• pi = ith bit of P
• C = ciphertext
• ci = ith bit of C
• K = key (initial or expanded)
• ki = ith bit of K
• $\bigoplus_{i=1}^{n} p_i = p_1 \oplus p_2 \oplus \cdots \oplus p_n$ (XOR of the bits)
• X, Y, Z are subsets of bit positions (notation on the next slide only)
Linear Cryptanalysis
Attack Overview-
• Obtain linear approximation(s) of the cipher relating P, K, C:
$\bigoplus_{i \in X} p_i \oplus \bigoplus_{j \in Y} c_j = \bigoplus_{g \in Z} k_g$
which hold with probability $\Pr = \tfrac{1}{2} + \varepsilon$, where the bias satisfies $-\tfrac{1}{2} \le \varepsilon \le \tfrac{1}{2}$ and the attack wants $|\varepsilon|$ as large as possible.
• Encrypt random P's to obtain C's, evaluate the left-hand side for each pair, and take the majority value as the XOR of the $k_g$'s (or its complement if $\varepsilon < 0$).
• Known plaintext attack.
• Guess the remaining key bits via exhaustive search.
Example - Single S-Box
• A toy 2-bit S-box keyed by a 2-bit key: input P = P2P1, key K = K2K1, output C = C2C1 (bit 1 is the low-order bit).
Rows: P2P1, columns: K2K1, entries: C2C1
P2P1 \ K2K1  00  01  10  11
00           10  11  00  01
01           11  00  01  10
10           00  01  10  11
11           01  10  11  00
• Considering only relationships between 1 input bit, 1 output bit and 1 key bit, counted over all 16 (P, K) entries of the table:
(1) $\Pr(P_1 \oplus C_1 = K_1) = 1$
(2) $\Pr(P_2 \oplus C_2 = K_1) = \tfrac{1}{2}$ (no bias)
(3) $\Pr(P_2 \oplus C_2 = K_2) = \tfrac{1}{4}$ (bias $-\tfrac{1}{4}$)
• For all other triples of $P_i, C_i, K_i$: $\Pr(P_i \oplus C_i = K_i) = \tfrac{1}{2}$
• Use (1) and (3) to determine the key.
• Can determine K1 from a single (P, C) pair by (1): $P_1 \oplus C_1 = 0 = K_1$
• One observation of $P_2 \oplus C_2 = 0$ is not enough to infer K2 = 1;
additional (P, C) pairs are needed.
• Since (3) holds less often than chance, observing $P_2 \oplus C_2 = 0$ in every pair implies K2 is 1.
• Guess key = 10
(P, C) pairs
(a) 00 00
(b) 01 01
(c) 10 10
In each pair
$P_1 \oplus C_1 = 0$
$P_2 \oplus C_2 = 0$
Example S-Box
Input : Output (4 bits, in hex)
0:E  1:4  2:D  3:1  4:2  5:F  6:B  7:8
8:3  9:A  A:6  B:C  C:5  D:9  E:0  F:7
S-Box example from "A Tutorial on Linear and Differential Cryptanalysis", H. Heys,
Memorial University of Newfoundland
Example S-Box
• Input bits Y1 Y2 Y3 Y4, output bits Z1 Z2 Z3 Z4 (bit 1 is the most significant)
• S-Box on a 4-bit value
• $Y_2 \oplus Y_3 = Z_1 \oplus Z_3 \oplus Z_4$ in 12 of the 16 input/output pairs:
12/16 = 1/2 + 1/4, so the bias is +1/4
• $Y_1 \oplus Y_4 = Z_2$ in 8 of the 16 pairs (1/2), so there is no bias
• $Y_3 \oplus Y_4 = Z_1 \oplus Z_4$ in only 2 of the 16 pairs, so the bias is -3/8:
2/16 = 1/2 - 3/8
Finding Linear Relationships
• General form of a linear relationship:
$a_1 Y_1 \oplus a_2 Y_2 \oplus a_3 Y_3 \oplus a_4 Y_4 = b_1 Z_1 \oplus b_2 Z_2 \oplus b_3 Z_3 \oplus b_4 Z_4$, with $a_i, b_i \in \{0, 1\}$
• Summarize all 16 x 16 equations in a table (the linear approximation table), indexed by the
input mask a and output mask b; each entry is (number of inputs satisfying the equation) - 8
• Only need to do this once - upfront work
Finding Linear Relationships
• "a" value of E (1110): a1 = 1, a2 = 1, a3 = 1, a4 = 0
• "b" value of 1 (0001): b1 = 0, b2 = 0, b3 = 0, b4 = 1
• Row E, Column 1 of the table has a value of 2 (10 of 16 inputs satisfy the equation)
• Bias is 2/16 = 1/8
• Probability that $Y_1 \oplus Y_2 \oplus Y_3 = Z_4$ is 1/2 + 1/8 = 5/8
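An added Python example (not from the original slides) that builds the linear approximation table described above for Heys's S-box and checks the three approximations quoted on the slides, and that counts the single-bit biases of the keyed 2-bit S-box from the earlier slide over its 16 (P, K) entries. The piling-up helper anticipates the next slide. Bit numbering follows the slides: bit 1 is the most significant input/output bit of the 4-bit S-box, and the low-order bit of the 2-bit toy.

```python
from itertools import product
from fractions import Fraction

# Heys's tutorial S-box: input nibble -> output nibble.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(x):
    return bin(x).count("1") & 1


def mask(*bit_positions, width=4):
    """Bit numbers (1 = most significant) -> bitmask, e.g. mask(2, 3) -> 0b0110."""
    m = 0
    for b in bit_positions:
        m |= 1 << (width - b)
    return m


def linear_count(sbox, in_mask, out_mask):
    """Number of inputs x for which (in_mask . x) == (out_mask . S(x)) over GF(2)."""
    return sum(parity(x & in_mask) == parity(sbox[x] & out_mask)
               for x in range(len(sbox)))


def bias(sbox, in_mask, out_mask):
    """Pr[equation holds] - 1/2, as an exact fraction."""
    return Fraction(linear_count(sbox, in_mask, out_mask), len(sbox)) - Fraction(1, 2)


def linear_approximation_table(sbox):
    """LAT[a][b] = linear_count(a, b) - n/2: the 16 x 16 table the slides describe."""
    n = len(sbox)
    return [[linear_count(sbox, a, b) - n // 2 for b in range(n)] for a in range(n)]


def piling_up(biases):
    """Matsui's piling-up lemma: bias of the XOR of n independent approximations
    is 2^(n-1) times the product of the individual biases."""
    result = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        result *= Fraction(e)
    return result


# The keyed 2-bit S-box from the slides: C = KEYED_TABLE[P][K],
# rows P2P1, columns K2K1, entries C2C1.
KEYED_TABLE = [[0b10, 0b11, 0b00, 0b01],
               [0b11, 0b00, 0b01, 0b10],
               [0b00, 0b01, 0b10, 0b11],
               [0b01, 0b10, 0b11, 0b00]]


def keyed_bias(pbit, cbit, kbit):
    """Pr[P_pbit xor C_cbit = K_kbit] - 1/2 over all 16 (P, K); bit 1 = low-order bit."""
    hits = 0
    for p, k in product(range(4), repeat=2):
        c = KEYED_TABLE[p][k]
        if ((p >> (pbit - 1)) ^ (c >> (cbit - 1)) ^ (k >> (kbit - 1))) & 1 == 0:
            hits += 1
    return Fraction(hits, 16) - Fraction(1, 2)


if __name__ == "__main__":
    lat = linear_approximation_table(SBOX)
    print(lat[0xE][0x1])                                  # 2  (row E, column 1)
    print(bias(SBOX, mask(2, 3), mask(1, 3, 4)))          # 1/4
    print(bias(SBOX, mask(3, 4), mask(1, 4)))             # -3/8
    print(keyed_bias(1, 1, 1), keyed_bias(2, 2, 1), keyed_bias(2, 2, 2))   # 1/2 0 -1/4
```

Row 0 / column 0 of the table is always +8 (the trivial relation 0 = 0), and every other row and column sums to 0 modulo the trivial entry; those two properties are a quick sanity check when building a LAT for a new S-box.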
Piling-Up Lemma (Matsui)
• Know $\Pr(V_i = 0) = \tfrac{1}{2} + \varepsilon_i$
• Then $\Pr(V_1 \oplus V_2 \oplus \cdots \oplus V_n = 0) = \tfrac{1}{2} + 2^{n-1} \prod_{i=1}^{n} \varepsilon_i$
• Requires the $V_i$ to be independent random variables
• $\varepsilon_i$ is the bias, $-\tfrac{1}{2} \le \varepsilon_i \le \tfrac{1}{2}$
• Used to combine linear equations, viewing each as an independent
random variable
Finding Linear Relationships
• Apply the same process used for the S-Box to the other steps within the round
function.
• Determine equations for the entire round.
• Incorporate key whitening (if any) into the equations.
Linear Bounds
• Bound the probability p that a linear equation holds across q rounds: $0 < p \le 1$
• Cipher has $nq$ rounds
• Estimate the upper bound $p^n$ for the whole cipher (the probabilities p, p^2, p^3, ..., p^n accumulate
over the n blocks of q rounds)
• $2^b$ possible plaintexts for a b-bit block
• About $2^b p^n$ of them satisfy the equations
• Round key bits, and the output of one round / input to the next,
are not independent, so this is only an estimate
• If $p^n \le 2^{-b}$, fewer than one plaintext is expected to satisfy the equations: no attack
Applying an Attack
• When attacking the cipher, try to determine the key bits for the first or last round,
then repeat the attack on the reduced-round version of the cipher.
• DES has 16 rounds: find the round key for the 1st or last round, then repeat the attack on the
15-round version.
• If the same expanded key bits are used in multiple rounds, fill in round key bits as
they become known.
Linear Cryptanalysis of DES
• Determined linear approximations via exhaustive search
• First for the S-Boxes
• Then extended to the round function and to multiple rounds.
• Approximations
• 5 good approximations for initial key bits with bias e ranging from 0.031 to 0.218
• Examples,
• 1st round: $\bigoplus_{i \in X} fo_{i,1} \oplus p_{15} = k_{22}$, X = {7, 18, 24, 29}, with probability 19%
• Last round: $\bigoplus_{i \in X} fo_{i,16} \oplus fin_{15,16} = k_{22}$, X = {7, 18, 24}, with probability 66%
• 1 approximation for round key bits with e = O(2^-3).
• Others with e = O(2^-5) to O(2^-30)
$fin_{i,j}$ = ith bit of the input of the round function in the jth round
$fo_{i,j}$ = ith bit of the output of the round function in the jth round
Linear Cryptanalysis of DES
• Known Plaintext Attack
• Found 14 key bits.
• Remaining 42 key bits found by exhaustive search.
• 8 rounds required 2^21 P's with 96% success.
• 16 rounds required 2^47 P's with 96% success.
• Ciphertext Only Attack
• Found 7 key bits.
• Assumed some pi's were 0 to obtain equations in C and K only.
• 8 rounds required 2^37 C's with 78% success, assuming 1 pi is 0.
• 16 rounds required 1.82 x 2^53 C's with 78% success, assuming 5 pi's are 0.
Differential Cryptanalysis
Notation
• P = plaintext
• C = ciphertext
• (P1, P2) = plaintext pair
• (C1, C2) = ciphertext pair
• $\Delta P = P_1 \oplus P_2$
• $\Delta C = C_1 \oplus C_2$
• Characteristic: $\Omega = (\Delta i_1, \Delta o_1, \Delta i_2, \Delta o_2, \dots, \Delta i_r, \Delta o_r)$
• $\Delta i_j$ = XOR difference of the inputs to the round function in round j
• $\Delta o_j$ = XOR difference of the outputs of the round function in round j
• If $pr_j$ = probability that $\Delta o_j$ occurs given $\Delta i_j$
• then the probability of $\Omega$ is estimated as $\prod_j pr_j$ (an upper bound, since the rounds are treated as independent)
Example: 1 round's differences
• One Feistel round with round function F (DES without the initial and final permutations):
P = (L, R), C = (L ⊕ F(R), R)
• $\Delta i = \Delta R$, $\Delta o$ = difference of the F outputs
• If $\Delta R = 0$ then $\Delta o = 0$ and $\Delta C = (\Delta L, 0)$
with probability 1.
• If $\Delta R$ = 60 00 00 00 then $\Delta o$ = 00 80 82 00 and
$\Delta C = (\Delta L \oplus$ 00 80 82 00, 60 00 00 00$)$
with probability 14/64.
• The first round of any Feistel network does not assist
in preventing differential cryptanalysis: the right half passes through unchanged.
Finding Characteristics
• Process similar to that used in the linear cryptanalysis example
• Enumerate all cases
• Only need to do once - one-time upfront work
Differential Cryptanalysis - DES
• 3-round characteristic with $\Delta P = \Delta C = (\Delta L, \Delta R)$ (with DES's final swap of halves),
using the one-round pair from the previous slide: $\Delta R$ = 60 00 00 00, $\Delta L$ = 00 80 82 00
• Round 1: $\Delta i_1 = \Delta R$, $\Delta o_1 = \Delta L$ with probability 14/64;
we want the output of the first F to cancel $\Delta L$
• Round 2: $\Delta i_2 = \Delta L \oplus \Delta o_1 = 0$, so $\Delta o_2 = 0$ with probability 1
• Round 3: $\Delta i_3 = \Delta i_1 \oplus \Delta o_2 = \Delta R$, the same as the input to the first F,
so $\Delta o_3 = \Delta L$ with probability 14/64
• Probability of the characteristic: $(14/64)^2 \approx 0.048$
Differential Cryptanalysis
Attack Overview
• Find a characteristic $\Omega$ with non-negligible probability.
• Minimal key bits to guess, but allow guessing those in the last (or first) round.
• Exhaustive search to find the best $\Omega$'s.
• Determine key bits of the last round:
• Choose pairs (P1, P2) such that $\Delta P$ provides $\Delta i_1$.
• Decrypt the last round of the ciphertexts with each key guess for that round.
• Count the number of (C1, C2) pairs whose differences match the characteristic.
• Assume the correct key bits are the guess with the highest count.
• Eliminate the last round and attack the reduced cipher.
• Can also work from the 1st round:
• Choose pairs (C1, C2) such that $\Delta C = \Delta o_r$ (the final difference of the characteristic)
• Determine key bits in the 1st round.
Finding $\Omega$'s
• Manually created difference distribution tables (input difference vs output difference)
for each S-Box.
• Segment of the distribution table for DES S-Box 0 (rows: input difference, columns: output difference,
entries: number of input pairs with that output difference):
Input \ Output   ...   2   3   4   5   ...
2                ...   0   8   0   4   ...
3                ...   2   2  10   6   ...
• If the input difference is 2 and the output difference is 5, there are 4 input pairs, hence 4 possible
values for the S-Box input and so 4 candidate key values.
Differential Cryptanalysis - DES
• 4-round attack: P = (L, R), C = (CL, CR) after the final swap, round keys k1 ... k4,
round-function input/output differences $\Delta i_j$ / $\Delta o_j$ for j = 1 ... 4
• Choose plaintext pairs with
$\Delta L$ = 20 00 00 00
$\Delta R$ = 00 00 00 00
• Then $\Delta i_1 = \Delta R = 0$, so $\Delta o_1$ = 00 00 00 00 with probability 1
• $\Delta i_2 = \Delta L \oplus \Delta o_1 = \Delta L$ = 20 00 00 00
• $\Delta i_2$ affects only the 1st S-Box, so 28 bits of $\Delta o_2$ are 0
• $\Delta o_4 = \Delta i_3 \oplus \Delta C_L = \Delta i_1 \oplus \Delta o_2 \oplus \Delta C_L = \Delta o_2 \oplus \Delta C_L$
• so we know all but 4 bits of $\Delta o_4$ (the 4 output bits of the 1st S-Box in round 2)
• We know the right halves of the ciphertexts, hence the inputs into the 4th round
• $\Delta i_4 = \Delta C_R$ varies amongst the pairs (at most 11 non-zero bits), and each pair
filters the candidates for the bits of k4 entering the S-Boxes whose output difference is known
Differential Cryptanalysis
Number of Plaintexts
• Use $m = c / pr(\Omega)$ plaintext pairs, for some small constant c > 0.
• Chosen Plaintext: select m pairs that satisfy $\Delta P$.
• Known Plaintext: have a set of P's but did not choose them, so need to
find pairs satisfying $\Delta P$ among them.
• $2^{|P|/2} (2m)^{1/2}$ plaintexts are required, because:
• they can form $\tfrac{1}{2} \left(2^{|P|/2} (2m)^{1/2}\right)^2 = 2^{|P|} m$ pairs,
• there are $2^{|P|}$ possible $\Delta P$'s,
• so $2^{|P|} m / 2^{|P|} = m$ pairs on average produce each $\Delta P$.
• If the number of plaintexts needed exceeds the $2^{|P|}$ possible P's, the attack is not possible.
Differential Cryptanalysis - DES
# Rounds   # Chosen Plaintexts   # Known Plaintexts
4          2^3                   2^33
6          2^8                   2^36
8          2^14                  2^38
9          2^24                  2^44
11         2^31                  2^47
13         2^39                  2^52
16         2^47                  2^55
• Any reduced-round version of DES is breakable via a known plaintext
attack faster than via exhaustive key search.
The AES Cipher
• The data block of 4 columns of 4 bytes is the state
• Key is expanded to an array of words
• Has 9/11/13 full rounds (plus an incomplete final round: 10/12/14 rounds in total for 128/192/256-bit keys)
in which the state undergoes:
• Byte substitution (1 S-box used on every byte)
• Shift rows (permute bytes between groups/columns)
• Mix columns (substitution using a matrix multiply over the 4 bytes of each column)
• Add round key (XOR state with key material)
• View as alternating XOR of key & scrambling of the data bytes
• Initial XOR of key material & an incomplete last round (no Mix columns)
• With fast XOR & table-lookup implementation
The AES Cipher - Rijndael
• designed by Rijmen and Daemen in Belgium
• has 128/192/256-bit keys, 128-bit data blocks
• an iterative (substitution-permutation) rather than Feistel cipher
• processes data as a block of 4 columns of 4 bytes
• operates on the entire data block in every round
• designed to have:
• resistance against known attacks
• speed and code compactness on many CPUs
• design simplicity
Substitution Bytes
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of the state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)
• e.g. byte {95} is replaced by the byte in row 9, column 5,
which has value {2A}
• S-box constructed using a defined transformation of values in GF(2^8): the multiplicative inverse
followed by a fixed affine map
• designed to be resistant to all known attacks
Shift Rows
• a circular byte shift in each row
• 1st row is unchanged
• 2nd row does a 1-byte circular shift to the left
• 3rd row does a 2-byte circular shift to the left
• 4th row does a 3-byte circular shift to the left
• decryption inverts this using shifts to the right
• since the state is processed by columns, this step permutes bytes between the columns
Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8) using the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1
AES Arithmetic
• uses arithmetic in the finite field GF(2^8)
• with irreducible polynomial
m(x) = x^8 + x^4 + x^3 + x + 1
which is (1 0001 1011) or {11b}
• e.g. multiplication by {02} is a left shift, followed by a reduction by m(x) if the result overflows 8 bits:
{02} • {87} mod {11b} = (1 0000 1110) mod {11b}
= (1 0000 1110) xor (1 0001 1011) = (0001 0101) = {15}
Mix Columns
• can express each column as 4 equations
• to derive each new byte in the column
• decryption requires use of the inverse matrix
• with larger coefficients ({0E}, {0B}, {0D}, {09} instead of {02}, {03}, {01}, {01}), hence a little harder
• have an alternate characterisation
• each column a 4-term polynomial
• with coefficients in GF(2^8)
• and polynomials multiplied modulo (x^4 + 1)
• coefficients based on a linear code with maximal distance between codewords (an MDS code)
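An added Python example (not from the original slides) of the GF(2^8) arithmetic, the S-box construction and the MixColumns / InvMixColumns step described in the last three slides. It reproduces the slide's {02} • {87} = {15} and S[{95}] = {2A} values; the inverse-via-exponentiation and the affine-map formulation are my implementation choices.

```python
# AES finite-field arithmetic, S-box construction and MixColumns.

AES_POLY = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1


def xtime(a):
    """Multiply by {02}: shift left, reduce by m(x) if bit 8 was set."""
    a <<= 1
    return (a ^ AES_POLY) & 0xFF if a & 0x100 else a


def gf_mul(a, b):
    """Multiply in GF(2^8) by shift-and-add, reducing after every doubling."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse as a^254 (the group of units has order 255);
    inv(0) is defined as 0, as the S-box construction requires."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox_entry(x):
    """SubBytes: multiplicative inverse followed by the fixed affine map."""
    b = gf_inv(x)
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63


SBOX = [sbox_entry(x) for x in range(256)]
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def _mix(column, matrix):
    return [gf_mul(matrix[r][0], column[0]) ^ gf_mul(matrix[r][1], column[1])
            ^ gf_mul(matrix[r][2], column[2]) ^ gf_mul(matrix[r][3], column[3])
            for r in range(4)]


def mix_column(column):
    """MixColumns on one 4-byte column: matrix multiply over GF(2^8)."""
    return _mix(column, MIX)


def inv_mix_column(column):
    """InvMixColumns: same structure, larger coefficients {0E},{0B},{0D},{09}."""
    return _mix(column, INV_MIX)


if __name__ == "__main__":
    print(hex(gf_mul(0x02, 0x87)))          # 0x15, the slide's example
    print(hex(SBOX[0x95]))                   # 0x2a, row 9 column 5 of the S-box
    col = [0xDB, 0x13, 0x53, 0x45]
    print([hex(b) for b in mix_column(col)])                   # 8e 4d a1 bc
    print(inv_mix_column(mix_column(col)) == col)              # True
```

The 256-entry SBOX list is exactly the lookup table the slides describe; a constant-time implementation would avoid indexing it with secret data, which is the usual cache-timing concern with table-driven AES on general-purpose CPUs.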
Add Round Key
• XOR the state with 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• the inverse for decryption is identical
• since XOR is its own inverse, with the round keys applied in reverse order
• designed to be as simple as possible
• a form of Vernam cipher on the expanded key
• requires the other stages for complexity / security
AES Key Expansion
• takes the 128-bit (16-byte) key and expands it into an array of 44 32-bit words (52/60 words for 192/256-bit keys)
• start by copying the key into the first 4 words
• then loop creating words that each depend on the previous word & the word 4 places back
• in 3 of 4 cases just XOR these together
• for every 4th word, apply rotate + S-box + XOR with a round constant to the previous word, before XORing with the word 4 back
Key Expansion Rationale
• designed to resist known attacks
• design criteria included
• knowing part of the key is insufficient to find many more key bits
• invertible transformation
• fast on a wide range of CPUs
• use round constants to break symmetry
• diffuse key bits into round keys
• enough non-linearity to hinder analysis
• simplicity of description
AES Decryption
• AES decryption is not identical to encryption since the steps are done in reverse order
• but can define an equivalent inverse cipher with steps in the same order as encryption
• using the inverses of each step
• with a different (transformed) key schedule
• works since the result is unchanged when we
• swap byte substitution & shift rows
• swap mix columns & add (tweaked) round key
Implementation Aspects
• can efficiently implement on an 8-bit CPU
• byte substitution works on bytes using a table of 256 entries
• shift rows is a simple byte shift
• add round key works on byte XORs
• mix columns requires matrix multiplication in GF(2^8), which works on byte values and can be simplified
to use table lookups & byte XORs
Implementation Aspects
• can efficiently implement on a 32-bit CPU
• redefine the steps to use 32-bit words
• can precompute 4 tables of 256 words
• then each column in each round can be computed using 4 table lookups + 4
XORs
• at a cost of 4 KB to store the tables
• the designers believe this very efficient implementation was a key factor in its selection
as the AES cipher
Asymmetric Encryption
• Uses a pair of keys for encryption.
• Public key for encryption
• Private key for decryption
• Messages encrypted using the public key can only be decrypted with the private key.
• Secret transmission of the decryption key is not required.
• Every entity can generate a key pair and publish its public key.
[Figure: Plain Text -> Cipher (Public Key) -> Cipher Text -> Cipher (Private Key) -> Plain Text]
RSA
• Developed by Ron Rivest, Adi Shamir and Len Adleman.
• The public and private keys are interchangeable: what one encrypts, the other decrypts.
• Variable key size (512, 1024, or 2048 bits; 512-bit and 1024-bit keys are no longer considered secure).
• Most popular public-key algorithm.
RSA
• Choose two large prime numbers p & q
• Compute n = pq and z = (p-1)(q-1)
• Choose a number e, less than n, which has no common factor (other than 1) with z
• Find a number d such that ed - 1 is exactly divisible by z (d is the inverse of e modulo z)
• Keys are generated using n, d, e
• Public key is (n, e)
• Private key is (n, d)
• Encryption: c = m^e mod n
• m is the plaintext (as a number less than n)
• c is the ciphertext
• Decryption: m = c^d mod n
• The public key is shared and the private key is kept secret
RSA
• p = 5 & q = 7
• n = 5*7 = 35 and z = (4)*(6) = 24
• e = 5
• d = 29, since (29 x 5 - 1) = 144 is exactly divisible by 24
• Keys generated are
• Public key: (35, 5)
• Private key: (35, 29)
• Encrypt the word love using c = m^e mod n
• Assume the letters of the alphabet are numbered 1 to 26
Plain Text | Numeric Representation (m) | m^e | Cipher Text (c = m^e mod n)
l | 12 | 248832 | 17
o | 15 | 759375 | 15
v | 22 | 5153632 | 22
e | 5 | 3125 | 10
RSA
• Decrypt the word love using m = c^d mod n
• n = 35, d = 29
• The raw powers c^d are shown only for illustration (the original slide listed them rounded); in practice the
exponentiation is done with modular reduction at every step (square-and-multiply), never by computing c^d in full.
Cipher Text (c) | c^d (approx.) | Plain Text (m = c^d mod n) | Letter
17 | ≈ 4.8 x 10^35 | 12 | l
15 | ≈ 1.3 x 10^34 | 15 | o
22 | ≈ 8.5 x 10^38 | 22 | v
10 | 10^29 | 5 | e
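An added Python example (not from the original slides) of the RSA key generation and the letter-at-a-time encryption of the last three slides, with the toy parameters p = 5, q = 7, e = 5. The extended-Euclid inverse returns the smallest d, which here is 5 (29 ≡ 5 mod 24, so the slide's d = 29 works equally, and with these tiny primes the private exponent happens to equal the public one). The `pow(m, e, n)` call is Python's built-in modular exponentiation. Caveat a practitioner would add: encrypting one letter at a time with unpadded RSA is just a monoalphabetic substitution on 26 symbols, so real systems encrypt random symmetric keys with a padding scheme such as OAEP rather than message text.

```python
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, z):
    """d with e*d = 1 (mod z), i.e. e*d - 1 exactly divisible by z."""
    g, x, _ = egcd(e, z)
    if g != 1:
        raise ValueError("e has no inverse modulo z")
    return x % z


def rsa_keygen(p, q, e):
    """Textbook RSA key generation as on the slides: n = pq, z = (p-1)(q-1), d = e^-1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = modinv(e, z)
    return (n, e), (n, d)


def rsa_encrypt(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a number below n")
    return pow(m, e, n)          # modular exponentiation, never m**e in full


def rsa_decrypt(c, private_key):
    n, d = private_key
    return pow(c, d, n)


def encrypt_word(word, public_key):
    """Letter-at-a-time encryption with a=1..z=26, exactly as the slide does.
    Deterministic per letter: a frequency-analysis target, not a secure mode."""
    return [rsa_encrypt(ALPHABET.index(ch) + 1, public_key) for ch in word.lower()]


def decrypt_word(cipher_numbers, private_key):
    return "".join(ALPHABET[rsa_decrypt(c, private_key) - 1] for c in cipher_numbers)


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 7, 5)   # the slide's toy parameters
    print(pub, priv)                  # (35, 5) (35, 5): smallest d; 29 also works
    print(encrypt_word("love", pub))  # [17, 15, 22, 10]
    print(decrypt_word([17, 15, 22, 10], (35, 29)))   # love
```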