Page 39
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples
of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher. In the ideal case, a
one-time pad version of the Vernam cipher would be used, in which the keystream (k_i) is as long as the
plaintext bit stream (p_i). If the cryptographic keystream is random, then this cipher is unbreakable by any
means other than acquiring the keystream. However, the keystream must be provided to both users in
advance via some independent and secure channel. This introduces insurmountable logistical problems if
the intended data traffic is very large.
Accordingly, for practical reasons, the bit-stream generator must be implemented as an
algorithmic procedure, so that the cryptographic bit stream can be produced by both users.
In this approach (Fig.a), the bit-stream generator is a key-controlled algorithm and must produce a bit
stream that is cryptographically strong. The two users need only share the generating key, and each can
produce the keystream.
A block cipher is one in which a block of plaintext is treated as a whole and used to produce a
ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used. As with a stream cipher,
the two users share a symmetric encryption key (Fig.b). Using some of the modes of operation, a block
cipher can be used to achieve the same effect as a stream cipher.
But there is a practical problem with the ideal block cipher. If a small block size, such as n = 4, is used,
then the system is equivalent to a classical substitution cipher.
An arbitrary reversible substitution cipher (the ideal block cipher) for a large block size is not
practical, however, from an implementation and performance point of view.
In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal
block cipher system for large n, built up out of components that are easily realizable.
The Feistel Cipher
Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a
product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the
final result or product is cryptographically stronger than any of the component ciphers. The essence of the
approach is to develop a block cipher with a key length of k bits and a block length of n bits, allowing a
total of 2^k possible transformations, rather than the (2^n)! transformations available with the ideal
block cipher.
In particular, Feistel proposed the use of a cipher that alternates substitutions and permutations,
where these terms are defined as follows:
Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding
ciphertext element or group of elements.
Permutation: A sequence of plaintext elements is replaced by a permutation of that sequence. That is,
no elements are added or deleted or replaced in the sequence, rather the order in which the elements
appear in the sequence is changed.
Feistel's cipher is a practical application of a proposal by Claude Shannon to develop a product cipher that
alternates confusion and diffusion functions.
Shannon suggests two methods for frustrating statistical cryptanalysis: diffusion and confusion. In
diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext.
This is achieved by having each plaintext digit affect the value of many ciphertext digits; generally, this is
equivalent to having each ciphertext digit be affected by many plaintext digits.
Every block cipher involves a transformation of a block of plaintext into a block of ciphertext,
where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical
relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to
deduce the key. On the other hand, confusion seeks to make the relationship between the statistics of the
ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to
discover the key. Thus, even if the attacker can get some handle on the statistics of the ciphertext, the way
in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the
key. This is achieved by the use of a complex substitution algorithm.
Round function F: Again, greater complexity generally means greater resistance to cryptanalysis.
There are two other considerations in the design of a Feistel cipher:
Fast software encryption/decryption: In many cases, encryption is embedded in applications or utility
functions in such a way as to preclude a hardware implementation.
Ease of analysis: Although we would like to make our algorithm as difficult as possible to
cryptanalyze, there is great benefit in making the algorithm easy to analyze.
of the decryption process is the same as the corresponding value of the encryption process with the two
halves of the value swapped, i.e., REi || LEi, or equivalently RD16-i || LD16-i.
After the last iteration of the encryption process, the two halves of the output are swapped, so that
the cipher text is RE16 || LE16. The output of that round is the cipher text. Now take the cipher text and
use it as input to the same algorithm. The input to the first round is RE16 || LE16, which is equal to the
32-bit swap of the output of the sixteenth round of the encryption process.
Now we will see how the output of the first round of the decryption process is equal to a 32-bit swap of
the input to the sixteenth round of the encryption process.
First consider the encryption process:
LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)
On the decryption side, the first round uses K16:
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
    = LE15
Therefore, LD1 = RE15 and RD1 = LE15.
In general, for the ith iteration of the encryption algorithm,
LEi = REi-1
REi = LEi-1 ⊕ F(REi-1, Ki)
Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit swap recovers the
original plaintext.
The algorithm transforms 64-bit input in a series of steps into a 64-bit output. The same steps,
with the same key, are used to reverse the encryption.
DES Encryption
There are two inputs to the encryption function: the plaintext to be encrypted and the key. In this
case, the plaintext must be 64 bits in length and the key is 56 bits in length.
The processing of the plaintext proceeds in three phases. First, the 64-bit plaintext passes through
an initial permutation (IP) that rearranges the bits to produce the permuted input.
This is followed by a phase consisting of sixteen rounds of the same function, which involves both
permutation and substitution functions. The output of the last (sixteenth) round consists of 64 bits that are
a function of the input plaintext and the key. The left and right halves of the output are swapped to
produce the preoutput.
Finally, the preoutput is passed through a permutation (IP^-1) that is the inverse of the initial
permutation function, to produce the 64-bit ciphertext.
The right-hand portion of Figure 3.5 shows the way in which the 56-bit key is used. Initially, the
key is passed through a permutation function. Then, for each of the sixteen rounds, a subkey (Ki) is
produced by the combination of a left circular shift and a permutation.
DES Decryption
As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the
application of the subkeys is reversed. Additionally, the initial and final permutations are reversed.
DES Example
For this example, the plaintext is a hexadecimal palindrome. The plaintext, key, and resulting ciphertext
are as follows:
The first row shows the 32-bit values of the left and right halves of data after the initial
permutation. The next 16 rows show the results after each round. Also shown is the value of the 48-bit
subkey generated for each round.
Although much progress has been made in designing block ciphers that are cryptographically
strong, we look at three critical aspects of block cipher design: the number of rounds, the design of the
function F, and key scheduling.
Number of Rounds
The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a
relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known
cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion was
certainly used in the design of DES.
This criterion is attractive, because it makes it easy to judge the strength of an algorithm and to
compare different algorithms.
Design of Function F
The heart of a Feistel block cipher is the function F, which provides the element of confusion in a
Feistel cipher. Thus, it must be difficult to unscramble the substitution performed by F.
Several other criteria should be considered in designing F. We would like the algorithm to have
good avalanche properties.
A more stringent version of this is the strict avalanche criterion (SAC), which states that any output bit
j of an S-box should change with probability 1/2 when any single input bit i is inverted for all i, j.
Another criterion that has been proposed is the bit independence criterion (BIC), which states that output
bits j and k should change independently when any single input bit i is inverted, for all i, j, and k.
Key Schedule Algorithm
With any Feistel block cipher, the key is used to generate one subkey for each round. In general, we
would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty
of working back to the main key. At minimum, the key schedule should guarantee the key/ciphertext strict
avalanche criterion and bit independence criterion.
The plaintext (padded as necessary) consists of a sequence of b-bit blocks, P1, P2, ..., PN; the
corresponding sequence of ciphertext blocks is C1, C2, ..., CN. We can define ECB mode as follows.
The most significant characteristic of ECB is that if the same b-bit block of plaintext appears more
than once in the message, it always produces the same ciphertext.
The following criteria and properties are used for evaluating and constructing block cipher modes of
operation that are superior to ECB:
Overhead: The additional operations for the encryption and decryption operation when compared to
encrypting and decrypting in the ECB mode.
Error recovery: The property that an error in the ith ciphertext block is inherited by only a few
plaintext blocks after which the mode resynchronizes.
Error propagation: The property that an error in the ith ciphertext block is inherited by the ith and all
subsequent plaintext blocks
Diffusion: How the plaintext statistics are reflected in the ciphertext. Low entropy plaintext blocks
should not be reflected in the ciphertext blocks.
Security: Whether or not the ciphertext blocks leak information about the plaintext blocks.
2. CIPHER BLOCK CHAINING MODE
To overcome the security deficiencies of ECB, we would like a technique in which the same
plaintext block, if repeated, produces different ciphertext blocks. A simple way to satisfy this requirement
is the cipher block chaining (CBC) mode.
In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block and
the preceding ciphertext block; the same key is used for each block.
The input to the encryption function for each plaintext block bears no fixed relationship to the
plaintext block. Therefore, repeating patterns of b bits are not exposed. As with the ECB mode, the CBC
mode requires that the last block be padded to a full b bits if it is a partial block.
For decryption, each cipher block is passed through the decryption algorithm. The result is
XORed with the preceding ciphertext block to produce the plaintext block. To see that this works, we can
write
Then,
To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block
of plaintext. On decryption, the IV is XORed with the output of the decryption algorithm to recover the
first block of plaintext.
The IV is a data block that is the same size as the cipher block. We can define CBC mode as
The IV must be known to both the sender and receiver but be unpredictable by a third party. In
particular, for any given plaintext, it must not be possible to predict the IV that will be associated to the
plaintext in advance of the generation of the IV.
In CFB encryption, like CBC encryption, the input block to each forward cipher function (except
the first) depends on the result of the previous forward cipher function; therefore, multiple forward cipher
operations cannot be performed in parallel.
Where
Oj-1 = E(K, Oj-2)
Some thought should convince you that we can rewrite the encryption expression as:
Let the size of a block be b. If the last block of plaintext contains u bits, with u < b, the most
significant u bits of the last output block ON are used for the XOR operation; the remaining b - u bits of
the last output block are discarded.
The OFB mode requires an initialization vector. In the case of OFB, the IV must be a nonce; that
is, the IV must be unique to each execution of the encryption operation. The reason for this is that the
sequence of encryption output blocks, Oi, depends only on the key and the IV and does not depend on the
plaintext. Therefore, for a given key and IV, the stream of output bits used to XOR with the stream of
plaintext bits is fixed.
One advantage of the OFB method is that bit errors in transmission do not propagate. For
example, if a bit error occurs in C1, only the recovered value of P1 is affected; subsequent plaintext units
are not corrupted.
The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is
CFB.
5. COUNTER MODE
Interest in the counter (CTR) mode has increased recently, with applications to ATM (asynchronous transfer
mode) network security and IPsec.
A counter equal to the plaintext block size is used. The only requirement stated in SP 800-38A is
that the counter value must be different for each plaintext block that is encrypted.
Typically, the counter is initialized to some value and then incremented by 1 for each subsequent
block (modulo 2^b, where b is the block size).
For encryption, the counter is encrypted and then XORed with the plaintext block to produce the
ciphertext block; there is no chaining.
For decryption, the same sequence of counter values is used, with each encrypted counter XORed
with a ciphertext block to recover the corresponding plaintext block. Thus, the initial counter value must
be made available for decryption.
Given a sequence of counters T1, T2, ..., TN, we can define CTR mode as follows.
For the last plaintext block, which may be a partial block of u bits, the most significant u bits of
the last output block are used for the XOR operation; the remaining b - u bits are discarded.
The initial counter value must be a nonce; that is, T1 must be different for all of the messages
encrypted using the same key. Further, all Ti values across all messages must be unique.
One way to ensure the uniqueness of counter values is to continue to increment the counter value
by 1 across messages. That is, the first counter value of each message is one more than the last counter
value of the preceding message.
The following advantages of CTR mode have been noted.
Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR mode can be
done in parallel on multiple blocks of plaintext or ciphertext.
Software efficiency: Similarly, because of the opportunities for parallel execution in CTR mode,
processors that support parallel features can be used effectively.
Preprocessing: The execution of the underlying encryption algorithm does not depend on input of the
plaintext or ciphertext.
Random access: The ith block of plaintext or ciphertext can be processed in random-access fashion.
Provable security: It can be shown that CTR is at least as secure as the other modes.
Simplicity: Unlike ECB and CBC modes, CTR mode requires only the implementation of the encryption
algorithm and not the decryption algorithm.
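The Feistel decryption argument given earlier (LDi || RDi equals RE16-i || LE16-i at every round) and the ECB, CBC, OFB and CTR definitions of this section, worked through in code. This is an added example, not code from the original notes: the block cipher is a constructed 16-round Feistel network with a SHA-256-based toy round function and key schedule (it is not DES), used only so that the structure and the modes can be run and checked, including the partial-last-block rule and the error behaviour of each mode.

```python
import hashlib

BLOCK = 8            # 64-bit block, as in DES
HALF = BLOCK // 2
ROUNDS = 16

def xor(a, b):
    # zip() stops at the shorter input: a partial last block of u bits uses only the leading u bits.
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(right, subkey):
    # Constructed toy F (not DES's F): a keyed hash of the right half. F need not be invertible.
    return hashlib.sha256(right + subkey).digest()[:HALF]

def key_schedule(key):
    # Constructed toy schedule: 16 distinct subkeys K1..K16 derived from the master key.
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]

def feistel_rounds(block, subkeys):
    # Per-round states [(L0, R0), ..., (L16, R16)] with Li = Ri-1 and Ri = Li-1 XOR F(Ri-1, Ki).
    states = [(block[:HALF], block[HALF:])]
    for k in subkeys:
        left, right = states[-1]
        states.append((right, xor(left, round_function(right, k))))
    return states

def encrypt_block(key, block):
    left, right = feistel_rounds(block, key_schedule(key))[-1]
    return right + left  # 32-bit swap after the last round: the ciphertext is RE16 || LE16

def decrypt_block(key, block):
    # Same network with the subkeys in reverse order (K16 first): no separate decryption algorithm.
    left, right = feistel_rounds(block, key_schedule(key)[::-1])[-1]
    return right + left

def decryption_mirrors_encryption(key, block):
    # Checks LDi || RDi == RE16-i || LE16-i for every round i of the decryption run.
    ks = key_schedule(key)
    enc = feistel_rounds(block, ks)
    dec = feistel_rounds(encrypt_block(key, block), ks[::-1])
    return all(dec[i] == (enc[ROUNDS - i][1], enc[ROUNDS - i][0]) for i in range(ROUNDS + 1))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in blocks(pt))  # Ci = E(K, Pi)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, xor(p, prev))  # Ci = E(K, Pi XOR Ci-1), with C0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))  # Pi = D(K, Ci) XOR Ci-1
        prev = c
    return b"".join(out)

def ctr_crypt(key, t1, data):
    # Ti = T1 + (i - 1) mod 2^b; one call encrypts and decrypts, uses only the forward cipher,
    # and each block is independent of the others (parallel execution, random access).
    t1 = int.from_bytes(t1, "big")
    out = [xor(d, encrypt_block(key, ((t1 + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")))
           for i, d in enumerate(blocks(data))]
    return b"".join(out)

def ofb_crypt(key, iv, data):
    # Oj = E(K, Oj-1) with O0 = IV: the keystream depends only on key and IV, never on the data,
    # so the IV must be a nonce, and a flipped ciphertext bit flips exactly one plaintext bit.
    out, o = [], iv
    for d in blocks(data):
        o = encrypt_block(key, o)
        out.append(xor(d, o))
    return b"".join(out)

def repeated_blocks(ct):
    # Number of ciphertext blocks that occur more than once (ECB exposes repeated plaintext this way).
    bs = blocks(ct)
    return sum(1 for b in bs if bs.count(b) > 1)

def error_spread(enc, dec, key, iv, pt):
    # Flip one bit of C1 in transit and return the indices of the plaintext blocks that are corrupted.
    ct = bytearray(enc(key, iv, pt))
    ct[0] ^= 0x01
    recovered = dec(key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(recovered))) if a != b]
```

With a three-block repeated plaintext, `error_spread` returns [0, 1] for CBC (the error recovery property) and [0] for OFB and CTR, while `repeated_blocks` is 3 under ECB and 0 under CBC.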
The cipher consists of N rounds, where the number of rounds depends on the key length: 10
rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key.
The first N - 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, which are described subsequently. The final round contains only three
transformations, and there is a single initial transformation (AddRoundKey) before the first round, which
can be considered Round 0.
Detailed Structure
1. One noteworthy feature of this structure is that it is not a Feistel structure. In the classic Feistel
structure, half of the data block is used to modify the other half of the data block and then the halves are
swapped. AES instead processes the entire data block as a single matrix during each round using
substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four
distinct words (128 bits) serve as a round key for each round.
3. Four different stages are used, one of permutation and three of substitution:
Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
ShiftRows: A simple permutation
MixColumns: A substitution that makes use of arithmetic over GF(2^8)
AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key
4. The structure is quite simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each includes all four stages, followed by a tenth
round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends with an
AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible without knowledge of
the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be formidable.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an inverse
function is used in the decryption algorithm.
8. As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption does recover
the plaintext.
10. The final round of both encryption and decryption consists of only three stages. Again, this is a
consequence of the particular structure of AES and is required to make the cipher reversible.
This method is an improvement over the chosen-plaintext approach but requires more effort. The
attack is based on the observation that if we know A and C, then the problem reduces to that of an attack
on double DES. Of course, the attacker does not know A, even if P and C are known, as long as the two
keys are unknown. However, the attacker can choose a potential value of A and then try to find a known
(P, C) pair that produces A. The attack proceeds as follows.
1. Obtain n (P, C) pairs. This is the known plaintext. Place these in a table sorted on the values of P.
2. Pick an arbitrary value a for A, and create a second table with entries defined in the following fashion.
For each of the 2^56 possible keys K1 = i, calculate the plaintext value Pi that produces a:
Pi = D(i, a)
3. We now have a number of candidate values of K1 in Table 2 and are in a position to search for a value
of K2. For each of the 2^56 possible keys K2 = j, calculate the second intermediate value for our chosen
value of a:
Bj = D(j, a)
4. Test each candidate pair of keys (i, j) on a few other plaintext-ciphertext pairs. If a pair of keys
produces the desired ciphertext, the task is complete. If no pair succeeds, repeat from step 1 with a new
value of a.
Triple DES with Three Keys
Although the attacks just described appear impractical, anyone using two-key 3DES may feel
some concern. Thus, many researchers now feel that three-key 3DES is the preferred alternative. Three-key
3DES has an effective key length of 168 bits and is defined as
C = E(K3, D(K2, E(K1, P)))
Backward compatibility with DES is provided by putting K3 = K2 or K1 = K2.
2.7 BLOWFISH
A symmetric block cipher designed by Bruce Schneier in 1993/94.
Characteristics
RC5-CTS, a variant of CBC, uses ciphertext stealing so that the ciphertext is the same size as the
original message.
Page 68
Public-Key Cryptography
Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
Public and private keys: This is a pair of keys that have been selected so that if one is used for
encryption, the other is used for decryption. The exact transformations performed by the algorithm
depend on the public or private key that is provided as input.
Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key.
For a given message, two different keys will produce two different ciphertexts.
Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the
original plaintext.
The essential steps are the following.
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the public key.
The companion key is kept private.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice's public
key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt
the message because only Alice knows Alice's private key.
Table: Conventional and Public-Key Encryption
Conventional Encryption, needed to work:
1. The same algorithm with the same key is used for encryption and decryption.
Public-Key Encryption, needed to work:
1. One algorithm is used for encryption and a ...
Let the plaintext be X = [X1, X2, X3, ..., Xm], where m is the number of letters in some finite alphabet.
Suppose A wishes to send a message to B. B generates a pair of keys: a public key PUb and a private key
PRb. PRb is known only to B, whereas PUb is publicly available and therefore accessible by A.
With the message X and encryption key PUb as input, A forms the ciphertext Y = [Y1, Y2, Y3, ..., Yn]:
Y = E(PUb, X)
The receiver can decrypt it using the private key PRb:
X = D(PRb, Y)
The other approach (using the sender's private key for encryption and the sender's public key for decryption)
provides authentication, as illustrated in the following diagram:
Y = E(PRa, X)
X = D(PUa, Y)
Key exchange: Two sides cooperate to exchange a session key. Several different approaches are
possible, involving the private key(s) of one or both parties.
It is computationally easy for a sender A, knowing the public key and the message to be encrypted,
M, to generate the corresponding ciphertext: C = E(KUb, M).
It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private
key to recover the original message:
M = D(KRb, C) = D(KRb, E(KUb, M))
It is computationally infeasible for an opponent, knowing the public key KUb, to determine the
private key KRb.
It is computationally infeasible for an opponent, knowing the public key KUb and a ciphertext C,
to recover the original message M.
Both the sender and receiver know the value of n. The sender knows the value of e and only the receiver
knows the value of d. Thus, this is a public-key encryption algorithm with a public key of KU = {e, n} and
a private key of KR = {d, n}. For this algorithm to be satisfactory for public-key encryption, the following
requirements must be met:
It is possible to find values of e, d, n such that M^(ed) = M mod n for all M < n.
Let us focus on the first requirement. We need to find a relationship of the form:
M^(ed) = M mod n
A corollary to Euler's theorem fits the bill: Given two prime numbers p and q and two integers, n and m,
such that n = pq and 0 < m < n, and an arbitrary integer k, the following relationship holds:
m^(kφ(n)+1) = m^(k(p-1)(q-1)+1) = m mod n
where φ(n) is the Euler totient function, which is the number of positive integers less than n and relatively
prime to n. We can achieve the desired relationship if
ed = kφ(n) + 1
This is equivalent to saying:
ed ≡ 1 mod φ(n)
d = e^(-1) mod φ(n)
That is, e and d are multiplicative inverses mod φ(n). According to the rules of modular arithmetic, this is
true only if d (and therefore e) is relatively prime to φ(n). Equivalently, gcd(φ(n), d) = 1.
The steps involved in the RSA algorithm for generating the key are:
Select e such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7.
Determine d such that ed ≡ 1 mod φ(n) and d < 160. The correct value is d = 23, because 23 * 7 =
161 = 1 mod 160.
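The key-generation steps above, worked through in code as an added example (not code from the original notes). The primes p = 17 and q = 11 are an assumption chosen so that n = 187 and φ(n) = 160 match the values in the text; with e = 7 the extended Euclidean algorithm yields d = 23, and the Euler corollary is checked for every m < n rather than taken on faith.

```python
from math import gcd

def egcd(a, b):
    # Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b).
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, phi):
    # d = e^(-1) mod phi(n), which exists only when gcd(e, phi(n)) = 1.
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e = %d is not relatively prime to phi(n) = %d" % (e, phi))
    return x % phi

def rsa_keygen(p, q, e):
    # Returns the public key KU = {e, n} and private key KR = {d, n} for primes p, q and a chosen e.
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (gcd(e, phi) == 1 and e < phi):
        raise ValueError("e must be relatively prime to phi(n) and less than phi(n)")
    return (e, n), (modinv(e, phi), n)

def rsa_encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)          # C = M^e mod n

def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)          # M = C^d mod n

def euler_corollary_holds(p, q, k):
    # Checks m^(k*phi(n) + 1) = m mod n for every 0 < m < n: the identity behind ed = k*phi(n) + 1.
    n, phi = p * q, (p - 1) * (q - 1)
    return all(pow(m, k * phi + 1, n) == m for m in range(1, n))

def round_trip_all(p, q, e):
    # Decryption must recover every message 0 <= M < n, not just one sample value.
    pub, priv = rsa_keygen(p, q, e)
    return all(rsa_decrypt(rsa_encrypt(m, pub), priv) == m for m in range(p * q))
```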
Security of RSA
There are three approaches to attacking RSA:
Factoring problem
Timing attacks
It has been proved that an opponent can determine a private key by keeping track of how long a
computer takes to decipher messages. Although the timing attack is a serious threat, there are simple
countermeasures that can be used:
Constant exponentiation time: ensures that all exponentiations take the same amount of time.
Public announcement
Publicly available directory
Public-key authority
Public-key certificates
Public Announcement
Public-Key Authority
Improves security by tightening control over the distribution of keys from the directory
Has the properties of the directory
Requires users to know the public key for the directory
Users interact with the directory to obtain any desired public key securely
Does require real-time access to the directory when keys are needed
Public-Key Certificates
Similarly, user B independently selects a random integer XB < q and computes YB = α^XB mod q.
Each side keeps the X value private and makes the Y value available publicly to the other side.
User A computes the key as
K = (YB)^XA mod q
and user B computes the key as
K = (YA)^XB mod q
These two calculations produce identical results:
K = (YB)^XA mod q
  = (α^XB mod q)^XA mod q
  = (α^XB)^XA mod q
  = (α^XA)^XB mod q
  = (α^XA mod q)^XB mod q
  = (YA)^XB mod q
The result is that the two sides have exchanged a secret key. The security of the algorithm lies in the fact that,
while it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete
logarithms. For large primes, the latter task is considered infeasible.
The protocol depicted in the figure is insecure against a man-in-the-middle attack. Suppose Alice and Bob
wish to exchange keys, and Darth is the adversary. The attack proceeds as follows:
1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then
computing the corresponding public keys YD1 and YD2.
2. Alice transmits YA to Bob.
3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)^XD2 mod q.
4. Bob receives YD1 and calculates K1 = (YD1)^XB mod q.
5. Bob transmits YB to Alice.
6. Darth intercepts YB and transmits YD2 to Alice. Darth calculates K1 = (YB)^XD1 mod q.
7. Alice receives YD2 and calculates K2 = (YD2)^XA mod q.
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share
secret key K1 and Alice and Darth share secret key K2. All future communication between Bob and Alice
is compromised in the following way:
1. Alice sends an encrypted message M: E(K2, M).
2. Darth intercepts the encrypted message and decrypts it, to recover M.
3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth simply
wants to eavesdrop on the communication without altering it. In the second case, Darth wants to modify
the message going to Bob.
The key exchange protocol is vulnerable to such an attack because it does not authenticate the
participants. This vulnerability can be overcome with the use of digital signatures and public-key
certificates.
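The exchange and the reason authentication matters, as an added example that is not part of the original notes. It assumes the toy parameters q = 353 and α = 3 (a primitive root of q, verified in code) and, going one step beyond the text, adds a key-confirmation check: when each side's fingerprint of K travels over an authenticated channel, the mismatched keys left behind by the relay attack are detected rather than silently used.

```python
import hashlib
import secrets

# Constructed toy parameters, an assumption for illustration only: prime q = 353 and alpha = 3,
# a primitive root of q. Real deployments use standardised groups of 2048 bits or more.
Q = 353
ALPHA = 3

def is_primitive_root(alpha, q):
    # alpha is a primitive root of q when alpha^1 .. alpha^(q-1) mod q produce every non-zero residue.
    return len({pow(alpha, k, q) for k in range(1, q)}) == q - 1

def private_value(q=Q):
    return secrets.randbelow(q - 2) + 1          # random X with 1 <= X < q - 1, never sent

def public_value(x, q=Q, alpha=ALPHA):
    return pow(alpha, x, q)                      # Y = alpha^X mod q, published

def shared_key(their_y, my_x, q=Q):
    return pow(their_y, my_x, q)                 # K = Y^X mod q, kept secret

def honest_exchange(xa, xb):
    # Alice and Bob each raise the other's public value to their own private value.
    ya, yb = public_value(xa), public_value(xb)
    return shared_key(yb, xa), shared_key(ya, xb)   # identical: alpha^(XA*XB) mod q

def man_in_the_middle(xa, xb, xd1, xd2):
    # The unauthenticated exchange with Darth substituting his own public values, following the
    # numbered steps in the text. Returns (Alice's K2, Bob's K1, Darth's K2, Darth's K1).
    ya, yb = public_value(xa), public_value(xb)
    yd1, yd2 = public_value(xd1), public_value(xd2)
    k2_darth = shared_key(ya, xd2)      # Darth intercepts YA and forwards YD1 to Bob
    k1_bob = shared_key(yd1, xb)        # Bob computes K1 from YD1, believing it is YA
    k1_darth = shared_key(yb, xd1)      # Darth intercepts YB and forwards YD2 to Alice
    k2_alice = shared_key(yd2, xa)      # Alice computes K2 from YD2, believing it is YB
    return k2_alice, k1_bob, k2_darth, k1_darth

def key_fingerprint(k, q=Q):
    # Key confirmation value: a hash of the agreed key, safe to show to the other side.
    return hashlib.sha256(k.to_bytes((q.bit_length() + 7) // 8, "big")).hexdigest()[:16]

def keys_agree(k_alice, k_bob):
    # Mitigation check, assuming the fingerprints travel over an authenticated channel (for example
    # signed with a certified key, as the text suggests): a substituted public value is detected
    # because the two parties no longer hold the same K.
    return key_fingerprint(k_alice) == key_fingerprint(k_bob)
```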
An elliptic curve is defined by an equation in two variables with coefficients. For cryptography,
the variables and coefficients are restricted to elements in a finite field, which results in the definition of a
finite abelian group.
where a, b, c, d, e are real numbers and x and y take on values in the real numbers.
For our purpose, it is sufficient to limit ourselves to equations of the form
Such equations are said to be cubic, or of degree 3, because the highest exponent they contain is a 3. Also
included in the definition of an elliptic curve is a single element denoted O and called the point at infinity
or the zero point, which we discuss subsequently. To plot such a curve, we need to compute
For given values of a and b, the plot consists of positive and negative values of y for each value of x.
Thus, each curve is symmetric about y = 0