
COMP3260/6360 Data Security Lecture 5

A/Prof Ljiljana Brankovic School of Electrical Engineering and Computer Science

L. Brankovic, based on the text Data Security by D. Denning and lecture notes by M. Miller

Polyalphabetic and Polygram Ciphers; Stream and Block Ciphers; DES


Reading: Stallings textbook, Chapter 2; Chapter 3 (Block Ciphers); Section 7.4 (Stream Ciphers)

These lecture notes (based on Cryptography and Data Security by D. Denning [1])
Note that in-text references and quotes are omitted for clarity of the slides. When you write an essay or report it is very important that you use both in-text references and quotes where appropriate.

Running Key ciphers


In a running key cipher, the key is as long as the plaintext.
The key is typically a text in a well-known book, and is specified by the title of the book and a starting position (for example, Chapter 2, Paragraph 3). The cipher is typically a substitution based on a shifted alphabet (e.g., a nonperiodic Vigenere cipher).

Running Key ciphers


Example: The key is a text starting with "The second cipher" and the plaintext starts with "The treasure is buried".

M: THETREASUREISBURIED
K: THESECONDCIPHERISAN
C: MOILVGOFXTMXZFLZAEQ

Running Key ciphers


Although a running key cipher uses a key as long as the message, it is not unbreakable.

Friedman (1918) observed that a large proportion of letters in the ciphertext comes from the encipherment where both key and plaintext letters fall in the high frequency category.

Running Key ciphers


Example: In our previous example, 12 out of 19 ciphertext pairs come from high frequency pairs:

M: THETREASUREISBURIED
K: THESECONDCIPHERISAN
C: MOILVGOFXTMXZFLZAEQ

6 of the remaining 7 pairs have either the plaintext or the key letter belonging to the high frequency category.

Running Key ciphers

To break the cipher we start with the assumption that all ciphertext letters correspond to high frequency pairs. In this way we reduce the number of initial possibilities for each pair, and then we use digram and trigram distributions to verify the initial guesses and determine the actual pairs.

Running Key ciphers

Example: We consider the first three ciphertext letters in the previous example (MOI), and we examine the possible pairs for each of the three letters. For M we get:
plaintext letter:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
key letter:        MLKJIHGFEDCBAZYXWVUTSRQPON
ciphertext letter: MMMMMMMMMMMMMMMMMMMMMMMMMM

The high frequency pairs are underlined.

The high frequency pairs for all three letters are:

M: E-I, I-E, T-T
O: A-O, O-A, H-H
I: A-I, I-A, E-E, R-R

There are 3*3*4 = 36 possible combinations of pairs. Many of them produce highly unlikely trigrams. Some of the trigrams are shown below. The trigram THE occurring in both plaintext and key is the most likely.

plaintext:  EAA EAI ... THE THR
key:        IOI IOA ... THE THR
ciphertext: MOI MOI ... MOI MOI
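An added Python example (not from the lecture notes or Denning's text) that reproduces the encipherment above and Friedman's high-frequency-pair analysis. The slides do not list the high-frequency letters; the set E T A O N I R S H is assumed here, and with it the counts match the slides (12 of 19 pairs, and 3, 3 and 4 candidate pairs for M, O and I).

```python
from itertools import product

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
HIGH = set("ETAONIRSH")  # assumed high-frequency class (not listed on the slides)

def running_key_encipher(plaintext, key):
    """Shifted-alphabet (nonperiodic Vigenere) encipherment: c_i = (m_i + k_i) mod 26."""
    if len(key) < len(plaintext):
        raise ValueError("a running key must be at least as long as the message")
    return "".join(ALPHA[(ALPHA.index(m) + ALPHA.index(k)) % 26]
                   for m, k in zip(plaintext, key))

def running_key_decipher(ciphertext, key):
    """Inverse operation: m_i = (c_i - k_i) mod 26."""
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(k)) % 26]
                   for c, k in zip(ciphertext, key))

def count_high_frequency_pairs(plaintext, key):
    """Friedman's observation: pairs where BOTH the message and the key letter are high frequency."""
    return sum(1 for m, k in zip(plaintext, key) if m in HIGH and k in HIGH)

def candidate_pairs(c):
    """High-frequency (plaintext, key) pairs that encipher to the ciphertext letter c."""
    ci = ALPHA.index(c)
    pairs = []
    for m in HIGH:
        k = ALPHA[(ci - ALPHA.index(m)) % 26]   # the key letter forced by m and c
        if k in HIGH:
            pairs.append((m, k))
    return sorted(pairs)

def candidate_trigrams(ciphertext3):
    """Every (plaintext, key) trigram consistent with three ciphertext letters under the
    all-high-frequency assumption; the analyst then ranks these by digram/trigram
    plausibility (THE/THE is the obvious winner for MOI)."""
    combos = product(*(candidate_pairs(c) for c in ciphertext3))
    return [("".join(m for m, _ in combo), "".join(k for _, k in combo))
            for combo in combos]
```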

Rotor Machines

Rotor machines are used to implement polyalphabetic ciphers with a long period. A Rotor machine consists of a collection of cylinders that can rotate independently of each other. Each cylinder has:
- 26 input pins on its front face, one for each letter in the alphabet
- 26 output pins on its rear face.
Each input pin is wired to a unique output pin. Thus each cylinder encodes a fixed permutation of the alphabet. After encoding a character in the plaintext, a cylinder is rotated; this changes the relative position of the cylinder and its neighbours.

Rotor Machines

[Figure: four cylinders C1, C2, C3, C4 in series; the input pins of C1 are labelled a, b, c, d, e, f, g, and each cylinder wires its input pins to its output pins.]

Rotor Machines
The rotor machine encryption depends on:
- the fixed permutations inside each cylinder
- the initial position of each cylinder
- the rule by which the cylinders are rotated.

Formally, suppose a Rotor machine consists of k cylinders, the fixed permutation (wiring) inside cylinder i is f_i, and j_i denotes the current position of cylinder i. Then the mapping of cylinder i is defined by:

F_i(a) = (f_i((a - j_i) mod 26) + j_i) mod 26

The mapping (encipherment) of the whole Rotor machine is the composition of the cylinder mappings:

F(a) = F_k(F_{k-1}(F_{k-2}(... F_2(F_1(a)) ...)))

Rotor Machines
After each of the plaintext characters is enciphered, one or more of the cylinders move to a new position, changing the encipherment of the Rotor machine.
A Rotor machine with k cylinders is capable of providing 26^k different encipherments; for example, if there are 4 cylinders, there are 26^4 = 456,976 different encipherments.

In practice, Rotor machines provide a period as long as the plaintext itself.

Rotor Machines
The Rotor machine Enigma, used by the Germans in World War II, was quite complex: it included a plugboard that permuted the plaintext, and a reflecting rotor that caused each rotor to encrypt each plaintext letter twice. Enigma rotated its cylinders according to the following rule:
After each plaintext character is enciphered, the first cylinder advances to the next position; after the first cylinder has reached a certain position, the second cylinder advances to its next position; after the second cylinder has made the complete rotation, the third cylinder advances to its next position, and so on.
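The cylinder mapping F_i and the stepping rule above, as an added Python example (not from the lecture notes). Assumptions: the wirings f_i are constructed with a seeded shuffle, the "certain position" at which a cylinder advances its neighbour is taken to be its wrap from 25 back to 0 (an odometer), and Enigma's plugboard and reflector are not modelled.

```python
import random

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def make_wirings(k, seed=2024):
    """Constructed fixed permutations f_1..f_k (one per cylinder), as 26-entry lists."""
    rng = random.Random(seed)
    return [rng.sample(range(26), 26) for _ in range(k)]

class RotorMachine:
    def __init__(self, wirings, positions):
        self.f = [list(p) for p in wirings]                          # f_i
        self.f_inv = [[p.index(x) for x in range(26)] for p in self.f]
        self.j = list(positions)                                     # j_i

    def _F(self, i, a, inverse=False):
        """F_i(a) = (f_i((a - j_i) mod 26) + j_i) mod 26, or its inverse."""
        table = self.f_inv[i] if inverse else self.f[i]
        return (table[(a - self.j[i]) % 26] + self.j[i]) % 26

    def _step(self):
        """Assumed odometer rule: cylinder 1 always advances; a wrap to 0 advances the next."""
        for i in range(len(self.j)):
            self.j[i] = (self.j[i] + 1) % 26
            if self.j[i] != 0:
                break

    def encipher(self, text):
        out = []
        for ch in text:
            a = ALPHA.index(ch)
            for i in range(len(self.f)):               # F(a) = F_k(...F_2(F_1(a)))
                a = self._F(i, a)
            out.append(ALPHA[a])
            self._step()                               # one character, one movement
        return "".join(out)

    def decipher(self, text):
        """Same positions, cylinder inverses applied in reverse order (undo F_k first)."""
        out = []
        for ch in text:
            a = ALPHA.index(ch)
            for i in reversed(range(len(self.f))):
                a = self._F(i, a, inverse=True)
            out.append(ALPHA[a])
            self._step()
        return "".join(out)

def number_of_encipherments(k):
    """Distinct settings of k cylinders, hence distinct encipherments: 26^k."""
    return 26 ** k
```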

Rotor Machines
Enigma was broken during World War II by the Allies, first by Polish cryptographers. The Germans kept modifying Enigma as the war progressed, and the British kept breaking the new versions. A contributing factor to this successful cryptanalysis was that the Germans reused code-books (keys) and sent very stereotyped military messages, often starting with the same phrase.

One-Time Pads
Consider a substitution cipher whose key is a random sequence of characters as long as the message. Such a cipher is called a one-time pad, and it achieves perfect secrecy (recall that perfect secrecy is achieved when the ciphertext provides no information about the plaintext - any ciphertext can be obtained from any plaintext using some key). The computer implementation of the one-time pad is based on a cryptographic device for telegraphic communications designed in 1917 by Gilbert Vernam, an employee of the American Telephone and Telegraph Company (A.T. & T.).

One-Time Pads
The code used was the Baudot code with 32 characters, where each character was represented as a combination of 5 marks and spaces, corresponding to bits 1 and 0. A key was a nonrepeating random sequence of characters, also represented as marks and spaces (1s and 0s); the key was punched on a paper tape, and each key-tape was meant to be used more than once. This cipher is known as the Vernam cipher, and it generates a ciphertext bit stream C = Ek(M) = c1c2..., where ci = (mi + ki) mod 2, i = 1, 2, ...

The Vernam cipher is efficiently implemented on modern computers by taking the exclusive-or (⊕) of each plaintext/key bit pair: ci = mi ⊕ ki. Deciphering is performed with the same operation: mi = ci ⊕ ki. (To verify this, recall that x ⊕ x = 0 and x ⊕ 0 = x for x = 0 or 1; thus ci ⊕ ki = mi ⊕ ki ⊕ ki = mi ⊕ 0 = mi.)

One-Time Pads

Example: If the plaintext character A (11000 in Baudot) is enciphered under the key character D (10010 in Baudot), the resulting ciphertext character is:

M = 11000
K = 10010
C = 01010

One-Time Pads
If a key-tape is used more than once, the cipher is breakable, as it is equivalent to a running-key cipher. To see why, suppose that two plaintext streams M' and M'' are enciphered with the same key stream K, giving ciphertext streams C' and C''. Then c'i = m'i ⊕ ki and c''i = m''i ⊕ ki, for i = 1, 2, ...

Let C be the stream obtained by taking the exclusive-or of C' and C''; then ci = c'i ⊕ c''i = m'i ⊕ ki ⊕ m''i ⊕ ki = m'i ⊕ m''i. Thus C corresponds to the encipherment of M' under key M'', which is equivalent to a running-key cipher.

One-Time Pads
Army cryptologist Major Joseph Mauborgne suggested that each key-tape be used only once, and the one-time pad was born.

Polygram Substitution Ciphers


Polygram substitution ciphers encipher blocks of letters at a time, rather than a single letter; this makes cryptanalysis harder, as it destroys the single-letter frequency distribution. The Playfair cipher is a digram substitution cipher invented in 1854 by Charles Wheatstone (it is named after Wheatstone's friend, the English scientist Lyon Playfair). The Playfair cipher was used by the British in World War I.

Playfair Ciphers
The key for the Playfair cipher is given by a 5 × 5 matrix of 25 letters (J was not used). For example,

H I E M V
A C F N W
R O G Q X
P D K T Y
S B L U Z

A pair of plaintext letters m1m2 is enciphered according to the following rules:

Playfair Ciphers

1. If m1 and m2 are in the same row, then c1 and c2 are the two characters to the right of m1 and m2, respectively (the first column is considered to be to the right of the last column).
2. If m1 and m2 are in the same column, then c1 and c2 are the two characters below m1 and m2, respectively (the first row is considered to be below the last row).
3. If m1 and m2 are in different rows and columns, then c1 and c2 are the other two corners of the rectangle having m1 and m2 as corners, where c1 is in m1's column (and hence in m2's row) and c2 is in m2's column (and hence in m1's row); this is the convention followed by the worked example, in which RE enciphers to HG.
4. If m1 = m2, a null letter (for example, X) is inserted into the plaintext between m1 and m2 to eliminate the double.
5. If the plaintext has an odd number of characters, a null letter is appended to the end of the plaintext.

Playfair Ciphers
Example: Let the key be
H I E M V
A C F N W
R O G Q X
P D K T Y
S B L U Z

and let the plaintext be RENAISSANCE.

Then the ciphertext is:

M: RE NA IS SA NC EX
C: HG WC BH HR WF GV
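Playfair encipherment and decipherment with the key square above, as an added Python example (not from the lecture notes). The rectangle rule follows the worked example (RE enciphers to HG); X is the null letter, and mapping J to I is an assumed convention since the slides only say J is not used.

```python
KEY_ROWS = ["HIEMV", "ACFNW", "ROGQX", "PDKTY", "SBLUZ"]   # the slides' key square

def build_square(rows):
    """Map each letter to its (row, column) in the 5 x 5 key square."""
    return {ch: (r, c) for r, row in enumerate(rows) for c, ch in enumerate(row)}

def make_digrams(plaintext, null="X"):
    """Split into pairs: a null goes between doubled letters and after an odd tail."""
    text = plaintext.upper().replace("J", "I")     # assumed convention for the missing J
    pairs, i = [], 0
    while i < len(text):
        m1 = text[i]
        if i + 1 < len(text) and text[i + 1] != m1:
            pairs.append(m1 + text[i + 1])
            i += 2
        else:
            pairs.append(m1 + null)                 # doubled letter or odd-length tail
            i += 1
    return pairs

def _transform(pair, pos, rows, shift):
    """Apply the Playfair rules to one pair; shift=+1 enciphers, shift=-1 deciphers."""
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:        # same row: the letters to the right (wrapping round)
        return rows[r1][(c1 + shift) % 5] + rows[r2][(c2 + shift) % 5]
    if c1 == c2:        # same column: the letters below (wrapping round)
        return rows[(r1 + shift) % 5][c1] + rows[(r2 + shift) % 5][c2]
    # rectangle: c1 is the corner in m1's column (m2's row), c2 the corner in m2's column
    return rows[r2][c1] + rows[r1][c2]

def playfair_encipher(plaintext, rows=KEY_ROWS):
    pos = build_square(rows)
    return "".join(_transform(p, pos, rows, +1) for p in make_digrams(plaintext))

def playfair_decipher(ciphertext, rows=KEY_ROWS):
    """Undo the shifts; null letters inserted by make_digrams remain in the output."""
    pos = build_square(rows)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(p, pos, rows, -1) for p in pairs)
```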

Stream and Block Ciphers

Stream ciphers convert plaintext into ciphertext one bit (or one byte) at a time; within the same plaintext message, the same plaintext bit (or byte) is encrypted with a different key every time it appears (eventually the key will repeat in periodic ciphers). Examples: Vigenere, Vernam, rotor machine.

Advantage: stream ciphers are faster and easier to implement than block ciphers.

Block ciphers convert plaintext into ciphertext one block (typically 64 or 128 bits) at a time; within the same plaintext message, the same block is encrypted with the same key every time it appears (and thus to the same ciphertext). Examples: Playfair, transposition with period d, monoalphabetic substitution (block size 1).

Advantage: block ciphers can reuse keys, and provide both confusion and diffusion.

Stream Ciphers
In a typical stream cipher, a stream of plaintext bits is XORed with a stream of key bits to produce the stream of ciphertext bits: ci = pi ⊕ ki
To decrypt, ciphertext bits are XORed with the identical stream of key bits to produce the plaintext: ci ⊕ ki = pi ⊕ ki ⊕ ki = pi

Stream Ciphers

[Figure: encryption and decryption in a stream cipher. The same key generator produces the key stream Ki at both ends; encryption forms the ciphertext Ci = Pi ⊕ Ki from the plaintext Pi, and decryption recovers Pi = Ci ⊕ Ki.]

Stream Ciphers
If the key stream is non-repeating and random, this is a one-time pad and it is perfectly secure. In practice, the one-time pad is rarely used because of the need for secure exchange of long keys. Keys used in practice look random, but are deterministically generated and can be reproduced at the decryption end. Stream ciphers differ in the way the key is generated and fall into two categories: self-synchronizing and synchronous.

Self-Synchronising Stream Ciphers


In a self-synchronizing stream cipher each bit in the key stream is a function of a fixed number (say n) of previous ciphertext bits.
[Figure: a self-synchronising stream cipher. At both ends an internal state, fed from the previous ciphertext bits, drives an output function that produces the key Ki; encryption forms Ci from Pi, and decryption recovers Pi from Ci.]

Self-Synchronising Stream Ciphers


The internal state depends only on n previous ciphertext bits.

The output function takes as its input the internal state, and generates the key as its output.
The output function must be cryptographically strong; otherwise Bad Barry can intercept the ciphertext stream, generate the key stream and obtain the plaintext.

Self-Synchronising Stream Ciphers


A self-synchronizing stream cipher is error propagating: each garbled ciphertext bit will result in n incorrect plaintext bits before it re-synchronizes. A self-synchronizing stream cipher is vulnerable to a playback attack: Bad Barry can replay some old ciphertext (that, for example, credits his bank account); after resynchronising, the ciphertext will decrypt as normal.

Synchronous Stream Ciphers


Synchronous stream ciphers have a key stream generated independently of the ciphertext. The same key stream must be generated at the decryption end, so the key stream generator must be deterministic.

Synchronous Stream Ciphers


Advantage: synchronous ciphers are not error propagating - each garbled ciphertext bit will result in only one garbled plaintext bit.

Disadvantage: if one ciphertext bit gets lost during transmission, all the subsequent bits will be deciphered incorrectly - the sender and receiver must re-synchronize; moreover, they should not use the same key stream as before.

Synchronous Stream Ciphers


This is what can happen if the same key stream is used twice. Bad Barry intercepts a ciphertext (he does not know the plaintext or the key):

Original plaintext:   p1 p2 p3 p4
Original key:         k1 k2 k3 k4
Original ciphertext:  c1 c2 c3 c4

Then Bad Barry inserts a single known bit p into the same (resent) plaintext, which is encrypted under the same key, and again intercepts the ciphertext:

New plaintext:        p1 p   p2  p3  p4
Original key:         k1 k2  k3  k4  k5
New ciphertext:       c1 c2' c3' c4' c5'

Synchronous Stream Ciphers


Bad Barry can now determine the entire plaintext after the insertion point:

k2 = c2' ⊕ p,  and then p2 = c2 ⊕ k2
k3 = c3' ⊕ p2, and then p3 = c3 ⊕ k3
k4 = c4' ⊕ p3, and then p4 = c4 ⊕ k4

and so on. This attack is known as an insertion attack. To protect against the insertion attack, Good Garry must never use the same key stream twice.
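The key-reuse identity from the One-Time Pads section (c' ⊕ c'' = m' ⊕ m'') and the insertion attack above, as an added Python example (not from the lecture notes) that shows why a key stream must never be used twice. The Baudot codes for A and D are the slides'; all other bit strings are constructed.

```python
def xor_bits(a, b):
    """Bitwise exclusive-or of two equal-length '0'/'1' strings: c_i = a_i ⊕ b_i."""
    if len(a) != len(b):
        raise ValueError("bit streams must have equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def vernam(stream, key):
    """Vernam encipherment; deciphering is the same operation, since x ⊕ k ⊕ k = x."""
    return xor_bits(stream, key)

def key_reuse_leak(c1, c2):
    """Two ciphertexts under one key stream: c' ⊕ c'' = m' ⊕ m''. The key cancels and
    what remains is one message enciphered under the other as a running key."""
    return xor_bits(c1, c2)

def insertion_attack(original_ct, resent_ct, insert_pos, inserted_bit):
    """Synchronous stream cipher, same key stream used twice, one known bit inserted at
    index insert_pos of the resent message. Recovers the original plaintext from
    insert_pos onwards; bits before the insertion point are not exposed."""
    recovered = []
    known = inserted_bit                 # the resent plaintext bit at index insert_pos
    for i in range(insert_pos, len(original_ct)):
        k_i = xor_bits(resent_ct[i], known)      # k_i = c'_i ⊕ (known resent plaintext bit)
        p_i = xor_bits(original_ct[i], k_i)      # p_i = c_i ⊕ k_i
        recovered.append(p_i)
        known = p_i                              # the resent bit at i+1 is the original p_i
    return "".join(recovered)

# Constructed demonstration data (Baudot A = 11000 and D = 10010 are from the slides)
BAUDOT_A, BAUDOT_D = "11000", "10010"
```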

Design Principles for Stream Ciphers


1. The key-stream should be as close to a random stream as possible, e.g.
   - approximately equal numbers of 0s and 1s, for a stream of bits
   - approximately equal numbers of all 256 possible bytes, for a byte stream
2. The period of the key-stream should be as long as possible.
3. The input key that is passed to the Pseudo Random Number Generator (PRNG) should be sufficiently long: at least 128 bits.

Block Ciphers
Recall that a block cipher takes as input an n-bit block of plaintext and produces an n-bit block of ciphertext.

In order for decryption to be possible, for a given key each plaintext block must encrypt to a unique ciphertext block. Such a mapping is called reversible (one-to-one).
Be careful not to confuse this with the discussions about perfect secrecy where any ciphertext can come from any plaintext, but for different keys.

Irreversible mapping is also called one-way mapping (function).

Block Cipher
Example:
Reversible mapping:
Plaintext  Ciphertext
00         11
01         10
10         00
11         01

Irreversible mapping:
Plaintext  Ciphertext
00         11
01         10
10         01
11         01

Block Cipher
The mapping between plaintext and ciphertext blocks should be arbitrary (equivalent to a general monoalphabetic cipher). Note that here the statistical properties of the plaintext are not preserved in the ciphertext, provided that the block size is large enough.

Block Cipher
What about the block size? If it is small, the cipher reduces to a monoalphabetic substitution cipher - not secure.

If it is very large, and mapping is arbitrary, the system is very secure, but implementation is not feasible.
If, on the other hand, mapping is not arbitrary but given with a system of equations, the implementation is easy but the system is not secure.

Feistel Block Cipher


The Feistel block cipher (1973) illustrates the underlying principles of many modern block encryption algorithms.
Feistel cipher is a product cipher, which means that it uses a sequence of two or more basic ciphers, so that the final result is cryptographically stronger than any of the components. In particular, Feistel cipher uses a sequence of substitutions and permutations. Such ciphers are also called S-P ciphers.

Confusion and Diffusion


Feistel cipher is based on the work by Shannon, who proposed a development of a product cipher that alternates confusion and diffusion functions.

Roughly speaking, confusion obscures the local structure of the plaintext, while the diffusion obscures the global structure.

Confusion and Diffusion


Confusion means that the cipher should hide local patterns in the plaintext. For example, Caesar cipher replaces every letter with another letter, but fails to hide double letters. Diffusion refers to spreading out the plaintext over the ciphertext. Ideally, each plaintext letter should affect many ciphertext letters.
Stream ciphers rely on confusion alone. Block ciphers use both confusion and diffusion.

Feistel Block Cipher


The Feistel cipher takes as input a plaintext block of size 2w and a key K.
The plaintext block is divided into two halves L0 and R0 which are then passed through n rounds and finally combined together to produce the ciphertext.

Each round has the same structure but uses a different subkey - the subkeys K1, K2, K3, ..., Kn are derived from K and are different from each other. Each round first applies a round function F to the right half of the data, and takes the XOR of the result and the left half of the data. Then the two halves are interchanged.

Feistel Cipher
The parameters of the Feistel cipher:
Block size - the larger the block size, the greater the security but the slower the encryption/decryption; the typical block size is 64 bits (the new encryption standard AES uses 128-bit blocks).
Key size - the larger the key size, the greater the security but the slower the encryption/decryption; 64 bits is now considered insufficient, and 128 bits is a common key size.
Number of rounds - typically 16.
Subkey generation algorithm - the more complex the algorithm, the harder the cipher is to break, but also the harder it is to analyse and discover weaknesses.
Round function - the more complex the function, the harder the cipher is to break, but also the harder it is to analyse and discover weaknesses.

Feistel Decryption

The Feistel decryption is essentially the same as encryption - the only difference being that the subkeys are used in reverse order.
We shall illustrate this by showing that LD1 = RE15 and RD1 = LE15. At the end of the encryption (16 rounds) we have:

LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)

At the beginning of decryption (the decryption input is the swapped encryption output, so LD0 = RE16 and RD0 = LE16) we have:

LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = (LE15 ⊕ F(RE15, K16)) ⊕ F(RE15, K16)
    = LE15
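A toy 16-round Feistel network, added here as a Python example (not from the lecture notes or Stallings), that records every LE_i/RE_i and LD_i/RD_i so the identities LD1 = RE15 and RD1 = LE15 can be checked directly. The round function F and the subkey schedule are constructed for illustration only and have no cryptographic strength.

```python
W = 16                         # half-block width w; the block size 2w is 32 bits
MASK = (1 << W) - 1

def subkeys(key, rounds=16):
    """Constructed subkey schedule: K_1..K_n derived from K (a toy, not a real schedule)."""
    return [((key >> (i % 8)) ^ (0x9E37 * (i + 1))) & MASK for i in range(rounds)]

def F(right, k):
    """Constructed round function of the right half and subkey K_i (illustration only)."""
    x = ((right ^ k) * 0x6D2B + 0x1F1) & MASK
    rot = ((x << 3) | (x >> (W - 3))) & MASK
    return (rot ^ (right >> 1)) & MASK

def feistel_rounds(left, right, ks):
    """LE_i = RE_{i-1}, RE_i = LE_{i-1} ⊕ F(RE_{i-1}, K_i); returns [(L0,R0), ..., (Ln,Rn)]."""
    trace = [(left, right)]
    for k in ks:
        left, right = right, left ^ F(right, k)
        trace.append((left, right))
    return trace

def encrypt(block, key, rounds=16):
    """After the last round the halves are swapped, so the ciphertext is RE_n || LE_n."""
    L0, R0 = (block >> W) & MASK, block & MASK
    trace = feistel_rounds(L0, R0, subkeys(key, rounds))
    Ln, Rn = trace[-1]
    return (Rn << W) | Ln, trace

def decrypt(block, key, rounds=16):
    """The same network with the subkeys reversed: LD0 = RE_n, RD0 = LE_n."""
    LD0, RD0 = (block >> W) & MASK, block & MASK
    trace = feistel_rounds(LD0, RD0, subkeys(key, rounds)[::-1])
    Ln, Rn = trace[-1]
    return (Rn << W) | Ln, trace

def check_identities(block, key):
    """The slide's argument: decryption round 1 undoes encryption round 16,
    i.e. LD1 = RE15 and RD1 = LE15, and the full decryption returns the block."""
    ct, enc = encrypt(block, key)
    pt, dec = decrypt(ct, key)
    LE15, RE15 = enc[15]
    LD1, RD1 = dec[1]
    return pt == block and LD1 == RE15 and RD1 == LE15
```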

References
1. D. Denning. Cryptography and Data Security, Addison Wesley, 1982.
2. W. Stallings. Cryptography and Network Security, 6th Edition, Pearson Education, 2014.
