Chapter 3 AU

This document provides an introduction to cryptography and discusses its historical use and evolution with advances in technology. It defines key terms like plaintext, ciphertext, encryption, decryption, and cryptanalysis. Symmetric encryption methods like the Caesar cipher and substitution cipher are explained along with their vulnerabilities. Asymmetric key methods like Diffie-Hellman key exchange and public key cryptography using trapdoor one-way functions are introduced as a paradigm shift that enables secure key distribution and digital signatures. Cryptographic primitives and how protocols are built from them in a modular way are also covered at a high level.

Uploaded by

Yididiya Tilahun

Introduction and Historical Ciphers

What is cryptography?
• “hidden writing”
• Until recently: military tool
• Like any military technology: methods change over time
• Two sides:
  • designing codes
  • breaking codes (cryptanalysis)
• Computers have changed both

How do we encrypt?
• Protocol, or scheme: method of encryption
• Cryptovariable, or key: secret information
(Figure: plaintext → protocol, keyed by the cryptovariable → ciphertext)
• Symmetric encryption: decryption is the same
Some Basic Terminology
plaintext - original message / clear text – message in clear
ciphertext - coded message / encrypted message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing the key
cryptology - field of both cryptography and cryptanalysis

Example: Caesar Shift
• Protocol: shift each letter by the same amount
• Cryptovariable: amount to shift
• Shift -1: IBM → HAL
• Shift 10: Veni, vidi, vici → Foxs, fsns, fsms
• Decryption: shift back the same amount

How could we break this?
• Case I: we don’t know the protocol
  • Hard problem in cryptanalysis
• Case II: we know the protocol
  • Need to guess the cryptovariable
  • Only 26 possibilities
Substitution Cipher
• Allow any permutation of the alphabet
• Key = permutation; 26! possibilities
• 26! = 403,291,461,126,605,635,584,000,000
• Roughly 2^88: checking 1 billion keys per second, it would take 12 billion years
• Is there a better way?
• al-Kindi, ninth century: frequency analysis
• ROT13: rotate by 13 places
(Figure: example of a substitution cipher)

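The Caesar examples above and both ways of breaking a shift cipher (trying all 26 keys, or al-Kindi's frequency analysis) as a runnable example; this is added code, not from the original slides. It assumes the approximate English letter-frequency table given below, and the English sample message used to exercise it is constructed.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate letter frequencies (%) of English text, assumed here as the reference profile
# that frequency analysis compares a candidate decryption against.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1, "I": 7.0,
    "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0,
    "S": 6.3, "T": 9.1, "U": 2.8, "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}

def caesar(text: str, shift: int) -> str:
    # Protocol: shift every letter by the same amount; the shift is the cryptovariable.
    # Decryption is the same call with the negated shift.
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)               # spaces and punctuation pass through unchanged
    return "".join(out)

def rot13(text: str) -> str:
    return caesar(text, 13)              # its own inverse, since 13 + 13 = 26

def letter_frequencies(text: str) -> dict:
    letters = [c for c in text.upper() if c in ALPHABET]
    counts, n = Counter(letters), max(len(letters), 1)
    return {c: 100.0 * counts[c] / n for c in ALPHABET}

def chi_squared(text: str) -> float:
    # al-Kindi's idea made numeric: how far the text's letter profile is from English.
    observed = letter_frequencies(text)
    return sum((observed[c] - ENGLISH_FREQ[c]) ** 2 / ENGLISH_FREQ[c] for c in ALPHABET)

def break_caesar(ciphertext: str) -> tuple:
    # Case II on the slide: the protocol is known, so only 26 cryptovariables are possible.
    # Try all of them and keep the candidate whose letter frequencies look most like English.
    best = min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)
```

The frequency test needs a few dozen letters of ordinary text to be reliable; on a three-letter message like IBM only the 26-key search applies.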
The perfect cryptosystem
• One-time pad: encrypt each letter with its own key
• Example: Caesar shift each letter separately
• Ci = (Pi + Ki) mod 26
• To encrypt n bits, use n bits of key (or, for a word with n letters, use an n-letter key)
• This uses up lots of key bits; need to prearrange
• How do you generate key bits?
Given:
• Key: XMCKL
• A=0, B=1, ..., Z=25
(Figure: encryption process) The ciphertext to be sent to Bob is thus "EQNVZ"
(Figure: decryption process)
Vigenère Cipher
• Blaise de Vigenère (c. 1562)
• Ci = Pi + Ki (mod 26)
• Key repeats with a short cycle
• Frequency analysis doesn’t work
• Caught on with the telegraph, considered “unbreakable”
• Broken by Babbage, Kasiski (c. 1860)
Example
• Suppose that the plaintext to be encrypted is: ATTACKATDAWN
• The person sending the message chooses a keyword and repeats it until it matches the length of the plaintext, for example, the keyword "LEMON": LEMONLEMONLE

Plaintext:  ATTACKATDAWN
Key:        LEMONLEMONLE
Ciphertext: LXFOPVEFRNHR

(Figures: an Enigma machine; Navajo code talkers)
http://www.math.tamu.edu/~dallen/hollywood/breaking/v.htm
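An added example (not from the slides) implementing the slide's Ci = Pi + Ki (mod 26) for both the Vigenère cipher (repeating keyword, checked against the LEMON example) and the one-time pad (key as long as the message, checked against the XMCKL / EQNVZ example), plus a small Kasiski-style check that shows why a repeating key is breakable. Only uppercase A-Z is handled, and the 25-letter message used for the Kasiski check is constructed.

```python
A = ord("A")

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    # Ci = Pi + Ki (mod 26) with the keyword repeated to the length of the text
    # (the slide's "LEMON" -> "LEMONLEMONLE"); decryption subtracts instead.
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(p) - A + sign * (ord(key[i % len(key)]) - A)) % 26 + A)
        for i, p in enumerate(text)
    )

def one_time_pad(text: str, key: str, decrypt: bool = False) -> str:
    # Same arithmetic as Vigenère, but the key must cover the whole message, so it never
    # cycles; this is the "perfect cryptosystem" slide (the key must also never be reused).
    if len(key) < len(text):
        raise ValueError("one-time pad key must be at least as long as the message")
    return vigenere(text, key, decrypt)

def repeated_trigram_distances(ciphertext: str) -> list:
    # Kasiski's observation: a plaintext fragment that recurs at a distance that is a
    # multiple of the key length is enciphered identically both times, so distances
    # between repeated ciphertext trigrams tend to be multiples of the key length.
    first_seen, distances = {}, []
    for i in range(len(ciphertext) - 2):
        tri = ciphertext[i:i + 3]
        if tri in first_seen:
            distances.append(i - first_seen[tri])
        else:
            first_seen[tri] = i
    return distances
```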
Modern Symmetric Cryptography
Assume the protocol is known to the enemy
Only the key is secret
Encryption, cryptanalysis use computers
Operate on bits, rather than letters
E.g.: DES, AES
Open standards; let everyone try to break it
Closed design often fails (cell phones)

Key Distribution
Secure communication requires key distribution
How do you exchange keys securely?
Military: codebooks in the field could fall into enemy hands
Commerce: parties might not meet face-to-face

Paradigm Shift
• Alice wants to mail Bob a letter securely
• If they share a “key”, Alice locks, Bob unlocks
• If not: Alice puts on padlock, sends box to Bob
• Bob adds his padlock, sends box back to Alice
• Alice removes her padlock, sends box to Bob
• Bob unlocks box, reads letter
• Problem: how to translate this to mathematics

Alice and Bob agree on information Y
Alice computes A(Y) and mails it to Bob; Bob computes B(Y) and mails it to Alice
Alice computes A(B(Y)); Bob computes B(A(Y))
A(B(Y)) = B(A(Y)) = secret key
“Trudy” knows Y, A(Y), B(Y), but can’t compute the key
Problem: how do you make A(B(Y)) = B(A(Y))?

Diffie-Hellman-Merkle (1976)
• Modular arithmetic
• Choose Y, modulus p
• Alice’s function is Y^A (mod p)
• Bob’s function is Y^B (mod p)
• Key is Y^AB ≡ Y^BA (mod p)
• Trudy can’t compute Y^AB from Y, Y^A, Y^B
• We think (no one can prove it)
• One problem: must communicate to get key
NB: Computing A or B back from the results is a computationally difficult task.

Eg. Let Alice’s secret be A=3 and Bob’s secret be B=2, with Y=2 and p=3.
Y^A (mod p) = 2
Y^B (mod p) = 1
Now assume Trudy eavesdropped on / intercepted these numbers (2 and 1). She knows g, p and these numbers. When she tries to calculate the secret numbers from the numbers she has, it is impossible, as there are infinitely many numbers that could be the secret number and yet give the same results, 2 and 1. Eg. both A=3 and A=5 give the same result.

• A and B choose two big integers p (prime) and g so that 1 < g < p
• A chooses a number x arbitrarily and computes X = g^x mod p
• B chooses a number y arbitrarily and computes Y = g^y mod p
• A and B exchange among themselves (publish) X and Y
• A computes K = Y^x mod p, i.e. (g^y)^x mod p ≡ g^xy mod p
• B computes K’ = X^y mod p, i.e. (g^x)^y mod p ≡ g^xy mod p
One-way Functions
• Easy to compute, hard to reverse
• Example: f(A) = Y^A (mod p)
• f^-1(Y^A) is called “discrete log”
• Hard to compute
• Could always do exhaustive search
• Here, there are p-1 choices

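The Diffie-Hellman-Merkle exchange and the exhaustive discrete-log search from the slides above, as an added example that is not part of the original deck. It uses the slide's tiny parameters (Y=2, p=3, A=3, B=2) and, for a second run, the assumed parameters p=23, g=5, x=6, y=15.

```python
def dh_public_value(g: int, secret: int, p: int) -> int:
    # Alice's function Y^A (mod p) (the slides write the base as Y or g).
    # pow(g, secret, p) is modular exponentiation: the "easy" direction of the one-way function.
    return pow(g, secret, p)

def dh_shared_key(peer_public: int, secret: int, p: int) -> int:
    # K = Y^x mod p on Alice's side, K' = X^y mod p on Bob's; both equal g^(xy) mod p.
    return pow(peer_public, secret, p)

def dh_exchange(g: int, p: int, x: int, y: int) -> tuple:
    # Full exchange: the public values X and Y cross the wire; the secrets x and y never do.
    X, Y = dh_public_value(g, x, p), dh_public_value(g, y, p)
    return X, Y, dh_shared_key(Y, x, p), dh_shared_key(X, y, p)

def discrete_log_by_search(g: int, target: int, p: int) -> int:
    # What an eavesdropper holding only g, p and a public value would have to do: the
    # exhaustive search over the p-1 candidate exponents mentioned on the one-way functions
    # slide. Returns the smallest exponent that works, or -1 if none does. Feasible for p=23,
    # hopeless for the sizes used in practice.
    for x in range(1, p):
        if pow(g, x, p) == target:
            return x
    return -1

def exponents_with_same_public_value(g: int, public: int, p: int, limit: int) -> list:
    # The slide's point that A=3 and A=5 both give 2 for Y=2, p=3: exponents repeat modulo
    # the order of g, so several secrets map to the same public value.
    return [a for a in range(1, limit + 1) if pow(g, a, p) == public]
```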
Cryptographic Primitives
• Well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems
• Building blocks for algorithms
  • Example: one-way functions
• Protocols built out of primitives
  • Example: Diffie-Hellman-Merkle
• Protocols built out of other protocols
  • Example:
    1. Use Diffie-Hellman to exchange key
    2. Use symmetric encryption key to encode message
• Good, “modular” design

Trapdoor one-way functions
• Another useful primitive
• f(X) is easy to compute
• f^-1(Y) is hard for most people to compute
• But: easy to compute if you know a secret
• E.g.: easy to calculate (x^e mod n) from x; hard to invert, i.e. to calculate x from (x^e mod n)
• There are trapdoor one-way functions found by Rivest-Shamir-Adleman, 1977 (RSA; we will see it later in the course)

Idea behind public key
Bob publishes design specifications for a padlock
Alice wants to send Bob a box
Alice builds a Bob padlock, locks the box
Bob unlocks box using his key
Trudy intercepts box, knows design specs
Goal: Trudy still can’t build a key
Padlock = trapdoor one-way function

Public Key Cryptography
• Alice wants to talk to Bob: computes key X
• Alice sends Bob fB(X) (Bob’s function)
• Bob computes fB^-1(fB(X)) = X
• Both Alice and Bob know X, use as key for symmetric encryption
• Trudy knows fB(X); can’t compute X
• Asymmetric encryption
• Whitfield Diffie, 1975

Digital Signature Scheme
• Alice wants to send Bob a message, sign it
• Alice sends Bob X and S = fA^-1(X)
• Bob checks that fA(S) = X
• Therefore Bob knows that S = fA^-1(X)
• Only Alice can compute fA^-1(X) easily, so Alice must have sent the message
• Same primitive, new protocol

SYMMETRIC ENCRYPTION AND MESSAGE CONFIDENTIALITY
Outline
• Symmetric encryption
• Block encryption algorithms
• Stream ciphers
• Block cipher modes of operation

Symmetric Encryption
Also referred to as conventional / private-key / single-key encryption
sender and recipient share a common key
all classical encryption algorithms are private-key
was only type prior to invention of public-key in 1970’s
and by far most widely used

Symmetric Cipher Model
The five ingredients of the symmetric cipher model:
• plaintext – original message
• encryption algorithm – performs substitutions/transformations on plaintext
• secret key – controls the exact substitutions/transformations used in the encryption algorithm
• ciphertext – scrambled message
• decryption algorithm – inverse of encryption algorithm
Cryptography’s strength (Kerckhoffs’s principle)
• if the keys:
  • are kept secret
  • are managed only by trusted systems
  • are of adequate length
• then ...
  • ... it has no importance that the encryption and decryption algorithms are kept secret
  • ... on the contrary, it is better to make the algorithms public so that they can be widely analyzed and their possible weaknesses identified

Requirements
• two requirements for secure use of symmetric encryption:
  • a strong encryption algorithm
  • a secret key known only to sender / receiver
• mathematically have:
  Y = E(K, X)
  X = D(K, Y)
• assume encryption algorithm is known
• implies a secure channel to distribute key
Cryptography
can characterize a cryptographic system by:
• type of encryption operations used
  • Substitution: each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element
  • Transposition: elements in the plaintext are rearranged
  • Product: multiple stages of substitutions and transpositions
• number of keys used
  • single-key or private: both sender and receiver use the same key; referred to as symmetric, single-key, secret-key, or conventional encryption
  • two-key or public: sender and receiver use different keys; referred to as asymmetric, two-key, or public-key encryption
• way in which plaintext is processed
  • Block cipher: processes the input one block of elements at a time, producing an output block for each input block
  • Stream cipher: processes the input elements continuously, producing output one element at a time, as it goes along
Cryptanalysis
• objective: to recover the key, not just the message
• general approaches:
  • cryptanalytic attack: exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used
  • brute-force attack: try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained
• if either type of attack succeeds, all use of that key is compromised

Cryptanalytic Attacks
• ciphertext only
  • only know the algorithm and the ciphertext; the attack is statistical, and the attacker must know or be able to identify the plaintext; this is the most difficult problem
  • The ciphertext-only attack is the easiest to defend against because the opponent has the least amount of information to work with.
• known plaintext
  • know/suspect plaintext & ciphertext
• chosen plaintext
  • select plaintext and obtain ciphertext
• chosen ciphertext
  • select ciphertext and obtain plaintext
• chosen text
  • select plaintext or ciphertext to encrypt/decrypt

NB
An encryption scheme is computationally secure if
• The cost of breaking the cipher exceeds the value of the information
• The time required to break the cipher exceeds the lifetime of the information
(Table: summarizes the various types of cryptanalytic attacks, based on the amount of information known to the cryptanalyst, from least to most.)
Brute Force Search
• Always possible to simply try every key
• On average, half of all possible keys must be tried to achieve success
• Most basic attack, proportional to key size
• Assume either know / recognise plaintext

Worked example for a 32-bit key at 1 decryption per µs:
2^32 keys × 1 µs = 4.3 × 10^9 µs = 4300 sec, or 71.67 minutes (maximum)
71.67 / 2 = 35.8 minutes (average)

Key Size (bits)             | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32                          | 2^32 = 4.3 × 10^9          | 2^31 µs = 35.8 minutes           | 2.15 milliseconds
56                          | 2^56 = 7.2 × 10^16         | 2^55 µs = 1142 years             | 10.01 hours
128                         | 2^128 = 3.4 × 10^38        | 2^127 µs = 5.4 × 10^24 years     | 5.4 × 10^18 years
168                         | 2^168 = 3.7 × 10^50        | 2^167 µs = 5.9 × 10^36 years     | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26            | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years
Feistel Cipher Structure
Feistel Encryption
• is a type of block cipher design, not a specific cipher
• Split plaintext block into left and right halves: P = (L0, R0)
• For each round i = 1, 2, ..., n compute
  Li = Ri–1
  Ri = Li–1 ⊕ F(Ri–1, Ki)
  where F is the round function and Ki is the subkey
• Ciphertext: C = (Ln, Rn)
Feistel Decryption
• Start with ciphertext C = (Ln, Rn)
• For each round i = n, n-1, ..., 1 compute
  Ri–1 = Li
  Li–1 = Ri ⊕ F(Ri–1, Ki)
  where F is the round function and Ki is the subkey
(Figure: Feistel cipher structure, plaintext P = (L0, R0))
Feistel Cipher Design Elements
• block size: 128 bits
• key size: 128 bits
• number of rounds: 16
• subkey generation algorithm
• round function
• fast software encryption/decryption

Symmetric Block Cipher Algorithms
 DES (Data Encryption Standard)
 3DES (Triple DES)
 AES (Advanced Encryption Standard)

Data Encryption Standard (DES)
• most widely used block cipher in the world
• encrypts 64-bit data using 56-bit key
• has widespread use
• has considerable controversy over its security
History
• IBM developed Lucifer cipher
  • by team led by Feistel in late 60’s
  • used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from NSA (National Security Agency) and others
• in 1973 NBS (National Bureau of Standards) issued request for proposals for a national cipher standard
• IBM submitted their revised Lucifer which was eventually accepted as the DES

DES Design Controversy
• although DES standard is public, considerable controversy over design
  • in choice of 56-bit key (vs Lucifer 128-bit)
  • and because design criteria were classified (officially secret)
• subsequent events and public analysis show in fact design was appropriate
• use of DES has flourished
  • especially in financial applications
  • still standardised for legacy application use

Time to Break a DES Code
(Figure: time to break a DES code, assuming 10^6 decryptions/s)

Multiple Encryption & DES
• clear a replacement for DES was needed
  • theoretical attacks that can break it
  • demonstrated exhaustive key search attacks
• AES (Advanced Encryption Standard) is a new cipher alternative
  • prior to this, the alternative was to use multiple encryption with DES implementations
  • Triple-DES is the chosen form

Double-DES?
• could use 2 DES encrypts on each block
  • C = EK2(EK1(P))
• issue of reduction to single stage
• and have “meet-in-the-middle” attack
  • works whenever use a cipher twice
  • since X = EK1(P) = DK2(C)
  • attack by encrypting P with all keys and store
  • then decrypt C with keys and match X value
  • takes O(2^56) steps

Triple-DES with Two-Keys
• hence must use 3 encryptions
  • would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
  • C = EK1(DK2(EK1(P)))
  • NB: encrypt & decrypt is equivalent in security
  • if K1=K2 then can work with single DES
• no current known practical attacks
  • several proposed impractical attacks might become basis of future attacks
Triple-DES with Three-Keys
• although no practical attacks on two-key Triple-DES, have some concerns
  • Two-key: key length = 56*2 = 112 bits
  • Three-key: key length = 56*3 = 168 bits
• can use Triple-DES with Three-Keys to avoid even these
  • C = EK3(DK2(EK1(P)))
Triple DES
(Figure: Triple DES)

Advanced Encryption Standard (AES)
• is a symmetric block cipher that is intended to replace DES, which:
  • has theoretical attacks that can break it
  • has demonstrated exhaustive key search attacks
• can use Triple-DES, but slow, as it has small blocks (64 bits)
• US NIST (National Institute of Standards and Technology) issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000

The AES Cipher - Rijndael
• The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen.
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
  • processes data as block of 4 columns of 4 bytes
  • operates on entire data block in every round
• designed to be:
  • resistant against known attacks
  • fast and compact in code on many CPUs
  • simple in design
AES Encryption Process
(Figure: AES encryption process)

Random Numbers
• many uses of random numbers in cryptography
  1. Public key generation
  2. Generation of a stream key for symmetric stream cipher
  3. Nonces in authentication protocols to prevent replay
  4. Generation of a symmetric key for use as a temporary session key
  5. Keystream for a one-time pad
• in all cases it’s critical that these values be
  • statistically random, uniform distribution, independent
  • unpredictable: future values cannot be predicted from previous values
• true random numbers provide this

Pseudorandom Number Generators (PRNGs)
• often use deterministic algorithmic techniques to create “random numbers”
  • although they are not truly random
  • can pass many tests of “randomness”
• such numbers are referred to as pseudorandom numbers
• created by “Pseudorandom Number Generators (PRNGs)”
Stream Cipher Structure
(Figure: stream cipher structure)

Stream Cipher Properties
• some design considerations are:
  • long period with no repetitions
  • encrypts one byte at a time
  • statistically random
  • depends on large enough key, e.g. 128 bits
• properly designed, can be as secure as a block cipher with same size key
• but usually simpler & faster

(Figure: speed comparisons of symmetric ciphers on a Pentium II)

RC2, RC4
• developed by Ron Rivest
• RC = Ron’s Code
• 3 or 10 times faster than DES
• RC2 is a block algorithm, RC4 is a stream one
• variable length key
• RC2:
  • 8 to 1024 bit keys (usually 64 bits)
  • 64 bit data block

RC4 Security:
• claimed secure against known attacks
• have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a key
• have a concern with WEP (Wired Equivalent Privacy), but due to key handling rather than RC4 itself
Modes of Operation
• block ciphers encrypt fixed size blocks
  • eg. DES encrypts 64-bit blocks with 56-bit key
• need some way to encrypt/decrypt arbitrary amounts of data in practice
• NIST SP 800-38A defines 5 modes
• have block and stream modes to cover a wide variety of applications
• can be used with any block cipher

The Most Important Modes
• Electronic Codebook Mode (ECB)
• Cipher Block Chaining Mode (CBC)
• Cipher Feedback Mode (CFB)
• Output Feedback Mode (OFB)
• Counter Mode (CTR)

Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
• formula for the i-th block: Ci = enc(K, Pi)
• uses: secure transmission of single values
• NOT to be used on long messages because
  • swapping of two blocks goes undetected
  • vulnerable to known-plaintext attacks

ECB - decrypt
• formula for the i-th block: Pi = enc^-1(K, Ci)
• an error in transmission generates an error at the decryption of one block

Advantages and Limitations of ECB
• Suitable for use in secure transmission of single values (e.g. an encryption key)
• Error in one received ciphertext block does not affect the correct decryption of other ciphertext blocks
• Identical plaintext blocks produce identical ciphertext blocks, resulting in recognizable patterns
• Ciphertext blocks can be easily rearranged or modified
• Main use is sending a few blocks of data
Cipher Block Chaining (CBC)
• message is broken into blocks
• linked together in encryption operation
• each previous cipher block is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process
Ci = EK(Pi ⊕ Ci-1), i.e. Ci = enc(K, Pi ⊕ Ci-1)
C0 = IV
• uses: bulk data encryption, authentication
Decryption
• requires C0 (i.e. IV) to be known by the receiver
Pi = enc^-1(K, Ci) ⊕ Ci-1
• A one-bit error in transmission will ruin one block and cause a one-bit error in decrypting the next (generates an error at the decryption of two blocks)
Advantages and Limitations of CBC
• Suitable for use in general-purpose block-oriented transmission, and authentication
• The same block repeating in the plaintext will not cause repeats in the ciphertext
• Subject to modification attack (but error propagates)
• Subject to ciphertext block rearranging attack
• IV: needs to be shared between sender and receiver, either a fixed value or sent encrypted
Error propagation when C1 is corrupted:
• P1 depends only on C1 and IV, and hence is corrupted
• P2 depends on C2 and C1, and is also corrupted
• P3 depends on C3 and C2, and is not affected
NB: Whatever the value of C2, we can get P3 by decrypting C3 and XORing with C2.

AES Example: ECB vs. CBC
(Figure: the same image encrypted with AES in ECB mode and in CBC mode. With ECB, similar plaintext blocks produce similar ciphertext blocks (not good!))

Cipher Feedback (CFB)
• message is treated as a stream of bits
• allows encrypting N bits at a time (a group)
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8, 64 or 128 etc.) to be fed back
• denoted CFB-1, CFB-8, CFB-64, CFB-128 etc.
• most efficient to use all bits in block (64 or 128)
• requires an IV (to initialize the shift register), shared between sender and receiver
Ci = Pi XOR EK(Ci-1)
C0 = IV
• uses: stream data encryption, authentication
• a transmission error causes an error in the decryption of an entire block

(Figure: s-bit Cipher Feedback (CFB) mode; each transmission is s bits, and a common value is s = 8)
Advantages and Limitations of CFB
• Suitable for use in general-purpose stream-oriented transmission, and authentication
• Most common stream mode
• Bit errors in the incoming cipher block will cause bit errors at the same bit positions in the first plaintext block. This cipher block will then be fed to the shift register and cause bit errors in the plaintext for as long as the erroneous bits stay in the shift register. Hence, for 8-bit CFB the following 8 bytes will be garbled. After that, the system recovers, and all following bytes are decrypted correctly.
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
Output Feedback Mode (OFB)
• allows encrypting N bits at a time (a group)
• requires an IV (to initialize the shift register)
• a transmission error causes an error only in one group

Advantages and Limitations of OFB
• Suitable for use in stream-oriented transmission over noisy channel (e.g., satellite communication)
• Bit errors do not propagate: error in one ciphertext block only garbles/affects the corresponding plaintext block
• Message can arrive in arbitrarily sized chunks, get encrypted and transmitted immediately
• Plaintext modification attack: if attacker knows <plaintext, ciphertext>, he can XOR the plaintext and ciphertext, and XOR the result with any message of his choosing
• Must not reuse the same IV or secret key.

Counter (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
Oi = EK(i)
Ci = Pi XOR Oi
• uses: high-speed network encryptions
• Instead of chaining the encryption of one-time pad, the IV is incremented and encrypted to get successive blocks of the one-time pad

Advantages and Limitations of CTR
• Suitable for use in general-purpose block-oriented transmission, and high speed encryption
• One-time pad can be pre-computed
• Efficiency: can do parallel encryptions/decryptions in h/w or s/w; good for bursty high speed links
• Simplicity: unlike ECB and CBC, no decryption algorithm is needed in CTR (also true for OFB and CFB)
• Provable security: (at least as secure as other modes)
• but must ensure never reuse key/counter values, otherwise could break (also true for OFB)
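An added example (not from the slides) that implements the Feistel structure from the “Feistel Cipher Structure” slides as a toy 64-bit block cipher and then runs it in the ECB, CBC and CTR modes described above, reproducing ECB's repeated-block leak and CBC's two-block error propagation. The round function and subkey schedule are hash-based stand-ins assumed for this example (not DES's), the message is assumed to be a whole number of blocks (no padding), and the key, IV and plaintexts are constructed.

```python
import hashlib

BLOCK = 8          # 64-bit block, handled as two 32-bit halves (L, R)
ROUNDS = 16

def round_function(right: int, subkey: bytes) -> int:
    # Round function F(R, K): a hash-based stand-in assumed for this example, not DES's F.
    return int.from_bytes(hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()[:4], "big")

def subkeys(key: bytes) -> list:
    # Subkey generation: one 32-bit subkey Ki per round, derived from the key (also a stand-in).
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]

def feistel_encrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for k in subkeys(key):                        # Li = Ri-1, Ri = Li-1 xor F(Ri-1, Ki)
        left, right = right, left ^ round_function(right, k)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")

def feistel_decrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for k in reversed(subkeys(key)):              # Ri-1 = Li, Li-1 = Ri xor F(Li, Ki)
        right, left = left, right ^ round_function(left, k)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("example assumes a whole number of blocks (no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    # Ci = enc(K, Pi): blocks are independent, so equal plaintext blocks give equal ciphertext.
    return b"".join(feistel_encrypt_block(p, key) for p in blocks(pt))

def ecb_decrypt(ct: bytes, key: bytes) -> bytes:
    return b"".join(feistel_decrypt_block(c, key) for c in blocks(ct))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv                            # Ci = enc(K, Pi xor Ci-1), C0 = IV
    for p in blocks(pt):
        prev = feistel_encrypt_block(xor(p, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv                            # Pi = enc^-1(K, Ci) xor Ci-1
    for c in blocks(ct):
        out.append(xor(feistel_decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(data: bytes, key: bytes, nonce: int) -> bytes:
    # Oi = EK(counter), Ci = Pi xor Oi; the same call decrypts, so no inverse cipher is needed.
    return b"".join(xor(b, feistel_encrypt_block((nonce + i).to_bytes(BLOCK, "big"), key))
                    for i, b in enumerate(blocks(data)))

def ecb_leaks_repeats(key: bytes) -> bool:
    # Constructed plaintext with a repeated block: ECB reveals the repeat, CBC hides it.
    pt = b"SAMEDATA" * 2
    ecb, cbc = ecb_encrypt(pt, key), cbc_encrypt(pt, key, bytes(BLOCK))
    return ecb[:8] == ecb[8:] and cbc[:8] != cbc[8:]

def cbc_error_propagation(key: bytes, iv: bytes) -> tuple:
    # Flip one bit of C2 in transit: returns the 1-based blocks that decrypt wrongly and how
    # many bits of P3 changed (expect blocks 2 and 3 wrong, exactly one bit in P3, P4 intact).
    pt = b"BLOCK_01BLOCK_02BLOCK_03BLOCK_04"
    ct = bytearray(cbc_encrypt(pt, key, iv))
    ct[BLOCK] ^= 0x01                             # first byte of C2
    got = cbc_decrypt(bytes(ct), key, iv)
    bad = [i + 1 for i, (a, b) in enumerate(zip(blocks(pt), blocks(got))) if a != b]
    p3_bits = sum(bin(a ^ b).count("1") for a, b in zip(blocks(pt)[2], blocks(got)[2]))
    return bad, p3_bits
```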