SIMULATION OF IMAGE ENCRYPTION

USING AES ALGORITHM

 ABSTRACT

With the fast progression of data exchange in electronic way, information security is
becoming more important in data storage and transmission. Because of widely using images in
industrial process, it is important to protect the confidential image data from unauthorized
access. This paper presents the design of a 128 bit encoder using AES Rijndael Algorithm for
image encryption.
The AES algorithm defined by the National Institute of Standard and Technology(NIST)
of United States has been widely accepted. Optimized and Synthesizable VHDL code is
developed for the implementation of 128- bit data encryption and process. Xilinx ISE9.2i
software is used for synthesis.
Timing simulation is performed to verify the functionality of the designed circuit.
Transmission of sensitive data over the communication channel have emphasized the need for
fast and secure digital communication networks to achieve the requirements for secrecy, integrity
and non reproduction of exchanged information. Cryptography provides a method for securing
and authenticating the transmission of information over insecure channels.
 INTRODUCTION

Transmission of sensitive data over the communication channel have emphasized the
need for fast and secure digital communication networks to achieve the requirements for secrecy,
integrity and non reproduction of exchanged information. Cryptography provides a method for
securing and authenticating the transmission of information over insecure channels. It enables
us to store sensitive information or transmit it across insecure networks so that unauthorized
persons cannot read it.

The urgency for secure exchange of digital data resulted in large quantities of different
encryption algorithms which are evaluated on the basis of throughput ,speed of operation and
area requirements. There are mainly two types of cryptographic algorithms: symmetric and
asymmetric algorithms. Symmetric systems such as Data Encryption Standard(DES),3DES, and
Advanced Encryption Standard(AES) uses an identical key for the sender and receiver; both to
encrypt the message text and decrypt the cipher text. Asymmetric systems such as Rivest-
Shamir- Adelman(RSA) & Elliptic Curve Cryptosystem(ECC) uses different keys for encryption
and decryption. Symmetric cryptosystems is more suitable to encrypt large amount of data with
high speed.

To replace the old Data Encryption Standard ,in September 12 of 1997,the National
Institute of Standard and Technology(NIST) required proposals to what was called Advanced
Encryption Standard (AES).Many algorithms were presented originally with researches from 12
different nations. On October 2nd 2000,NIST has announced the Rijndael Algorithm is the best
in security, performance, efficiency, implement ability & flexibility. The Rijndael algorithm was
developed by Joan Daemen of Proton World International and Vincent Rijmen of Katholieke
University at Leuven.

AES encryption is an efficient scheme for both hardware and software implementation.
As compare to software implementation, hardware implementation provides greater physical
security and higher speed. Hardware implementation is useful in wireless security like military
communication and mobile telephony where there is a greater emphasis on the speed of
communication. Most of the work has been presented on hardware implementation of AES using
FPGA.

ADVANCED ENCRYPTION STANDARD

The Advanced Encryption Standard (AES) is a specification for the encryption of

electronic data established by the U.S. National Institute of Standards and Technology (NIST) in
2002. Originally called Rijndael, the cipher was developed by two Belgian cryptographers, Joan
Daemen and Vincent Rijmen, who submitted to the AES selection process.

AES has been adopted by the U.S. government and is now used worldwide. It supersedes
the Data Encryption Standard (DES). The algorithm described by AES is a symmetric-key
algorithm, meaning the same key is used for both encrypting and decrypting the data.

In the United States, AES was announced by the NIST as U.S. FIPS PUB 197 (FIPS 197)
on November 26, 2001. This announcement followed a five-year standardization process in
which fifteen competing designs were presented and evaluated, before the Rijndael cipher was
selected as the most suitable (see Advanced Encryption Standard process for more details). It
became effective as a federal government standard on May 26, 2002 after approval by
the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available
in many different encryption packages, and is the first publicly accessible and
open cipher approved by the National Security Agency (NSA) for top secret information when
used in an NSA approved cryptographic module.

The name plays on the names of the two inventors. Strictly speaking, the AES standard
is a variant of Rijndael where the block size is restricted to 128 bits.

INTRODUCTION TO THE CIPHER

AES is based on a design principle known as a substitution-permutation network, and is

fast in both software and hardware. Unlike its predecessor DES, AES does not use a Feistel
network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of
128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and
key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of
256 bits.

AES operates on a 4×4 column-major order matrix of bytes, termed the state, although

some versions of Rijndael have a larger block size and have additional columns in the state. Most
AES calculations are done in a special finite field.

The key size used for an AES cipher specifies the number of repetitions of transformation
rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The
number of cycles of repetition are as follows:

 10 cycles of repetition for 128 bit keys.

 12 cycles of repetition for 192 bit keys.
 14 cycles of repetition for 256 bit keys.

Each round consists of several processing steps, including one that depends on the
encryption key itself. A set of reverse rounds are applied to transform cipher text back into the
original plaintext using the same encryption key.

HIGH-LEVEL DESCRIPTION OF THE ALGORITHM

1. Key Expansion—round keys are derived from the cipher key using Rijndael's key
schedule
2. Initial Round
1. Add Round Key—each byte of the state is combined with the round key using
bitwise xor
3. Rounds
1. Sub Bytes—a non-linear substitution step where each byte is replaced with
another according to a lookup table.
2. Shift Rows—a transposition step where each row of the state is shifted cyclically
a certain number of steps.
 3. Mix Columns—a mixing operation which operates on the columns of the state,
combining the four bytes in each column.
4. Add Round Key
4. Final Round (no Mix Columns)
1. Sub Bytes
2. Shift Rows
3. Add Round Key

SUB BYTES STEP

In the Sub Bytes step, each byte in the state matrix is replaced with a SubByte using an 8-

bit substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher.
The S-box used is derived from the multiplicative inverse over GF(28), known to have good non-
linearity properties. To avoid attacks based on simple algebraic properties, the S-box is
constructed by combining the inverse function with an invertible affine transformation. The S-
box is also chosen to avoid any fixed points (and so is a derangement), and also any opposite
fixed points.
SHIFTROWS STEP

The Shift Rows step operates on the rows of the state; it cyclically shifts the bytes in each
row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is
shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three
respectively. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. Row n is
shifted left circular by n-1 bytes. In this way, each column of the output state of the Shift
Rows step is composed of bytes from each column of the input state. (Rijndael variants with a
larger block size have slightly different offsets). For a 256-bit block, the first row is unchanged
and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively—
this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not
use 256-bit blocks.

MIX COLUMNS STEP

In the Mix Columns step, the four bytes of each column of the state are combined using
an invertible linear transformation. The Mix Columns function takes four bytes as input and
outputs four bytes, where each input byte affects all four output bytes. Together with Shift
Rows, Mix Columns provides diffusion in the cipher.

During this operation, each column is multiplied by the known matrix that for the 128 bit
key is
 The multiplication operation is defined as: multiplication by 1 means no change,
multiplication by 2 means shifting to the left, and multiplication by 3 means shifting to the left
and then performing xor with the initial unshifted value. After shifting, a conditional xorwith
0x1B should be performed if the shifted value is larger than 0xFF.

In more general sense, each column is treated as a polynomial over GF(28) and is then
multiplied modulo x4+1 with a fixed polynomial c(x) = 0x03 · x3 + x2 + x + 0x02. The
coefficients are displayed in their hexadecimal equivalent of the binary representation of bit
polynomials from GF(2)[x]. The MixColumns step can also be viewed as a multiplication by a
particular MDS matrix in a finite field. This process is described further in the article Rijndael
mix columns.
ADD ROUND KEY STEP

In the Add Round Key step, the sub key is combined with the state. For each round, a sub
key is derived from the main key using Rijndael's key schedule; each sub key is the same size as
the state. The sub key is added by combining each byte of the state with the corresponding byte
of the sub key using bitwise XOR.

OPTIMIZATION OF THE CIPHER

On systems with 32-bit or larger words, it is possible to speed up execution of this cipher
by combining the SubBytes andShiftRows steps with the MixColumns step by transforming
them into a sequence of table lookups. This requires four 256-entry 32-bit tables, and utilizes a
total of four kilobytes (4096 bytes) of memory — one kilobyte for each table. A round then be
done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit
exclusive-or operations in the AddRoundKey step.
 If the resulting four kilobyte table size is too large for a given target platform, the table
lookup operation can be performed with a single 256-entry 32-bit (i.e. 1 kilobyte) table by the
use of circular rotates.

Using a byte-oriented approach, it is possible to combine the SubBytes, ShiftRows,

and MixColumns steps into a single round operation.

Security

Until May 2009, the only successful published attacks against the full AES were side-
channel attacks on some specific implementations. The National Security Agency (NSA)
reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough
for U.S. Government non-classified data. In June 2003, the U.S. Government announced that
AES could be used to protect classified information:

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256)
are sufficient to protect classified information up to the SECRET level. TOP SECRET
information will require use of either the 192 or 256 key lengths. The implementation of AES in
products intended to protect national security systems and/or information must be reviewed and
certified by NSA prior to their acquisition and use."

AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-
bit keys. By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit
keys, and 9 rounds for 256-bit keys.
ATTACKS

For cryptographers, a cryptographic "break" is anything faster than a brute force—

performing one trial decryption for each key (see Cryptanalysis). This includes results that are
infeasible with current technology. The largest successful publicly known brute force
attack against any block-cipher encryption was against a 64-bit RC5 key by distributed.net in
2006.

AES has a fairly simple algebraic description. In 2002, a theoretical attack, termed the
"XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a
weakness in the AES algorithm due to its simple description. Since then, other papers have
shown that the attack as originally presented is unworkable; see XSL attack on block ciphers.

During the AES process, developers of competing algorithms wrote of Rijndael, "...we
are concerned about [its] use...in security-critical applications." [13] However, in October 2000 at
the end of the AES selection process in, Bruce Schneier, a developer of the competing
algorithm Twofish, wrote that while he thought successful academic attacks on Rijndael would
be developed someday, "I do not believe that anyone will ever discover an attack that will allow
someone to read Rijndael traffic."

On July 1, 2009, Bruce Schneier blogged about a related-key attack on the 192-bit and
256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich, which exploits
AES's somewhat simple key schedule and has a complexity of 2 119. In December 2009 it was
improved to 299.5. This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov,
Dmitry Khovratovich, and Ivica Nikolić, with a complexity of 296 for one out of every 235 keys.

Another attack was blogged by Bruce Schneier on July 30, 2009 and released as a
preprint[19] on August 3, 2009. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan
Keller, Dmitry Khovratovich, and Adi Shamir, is against AES-256 that uses only two related
keys and 239 time to recover the complete 256-bit key of a 9-round version, or 245 time for a 10-
round version with a stronger type of related subkey attack, or 2 70 time for an 11-round version.
256-bit AES uses 14 rounds, so these attacks aren't effective against full AES.
 In November 2009, the first known-key distinguishing attack against a reduced 8-round
version of AES-128 was released as a preprint. [20] This known-key distinguishing attack is an
improvement of the rebound or the start-from-the-middle attacks for AES-like permutations,
which view two consecutive rounds of permutation as the application of a so-called Super-Sbox.
It works on the 8-round version of AES-128, with a time complexity of 2 48, and a memory
complexity of 232.

In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-

middle" attacks on AES-128.

The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry
Khovratovich, and Christian Rechberger, and were published in 2011. [22] The attack is based on
bicliques and is faster than brute force by a factor of about four. It requires 2 126.1 operations to
recover an AES-128 key. For AES-192 and AES-256, 2189.7 and 2254.4 operations are needed,
respectively.

Side-channel attacks

Side-channel attacks do not attack the underlying cipher and so have nothing to do with
its security as described here, but attack implementations of the cipher on systems which
inadvertently leak data. There are several such known attacks on certain implementations of
AES.

In April 2005, D.J. Bernstein announced a cache-timing attack that he used to break a

custom server that used Open SSL's AES encryption. The attack required over 200 million
chosen plaintexts.[24] The custom server was designed to give out as much timing information as
possible (the server reports back the number of machine cycles taken by the encryption
operation); however, as Bernstein pointed out, "reducing the precision of the server’s
timestamps, or eliminating them from the server’s responses, does not stop the attack: the client
simply uses round-trip timings based on its local clock, and compensates for the increased noise
by averaging over a larger number of samples." 
 In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper
demonstrating several cache-timing attacks against AES.[25] One attack was able to obtain an
entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds.
This attack requires the attacker to be able to run programs on the same system or platform that
is performing AES.

In December 2009 an attack on some hardware implementations was published that

used differential fault analysis and allows recovery of a key with a complexity of 232.

In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a
paper which described a practical approach to a "near real time" recovery of secret keys from
AES-128 without the need for either cipher text or plaintext. The approach also works on AES-
128 implementations that use compression tables, such as OpenSSL.[27] Like some earlier attacks
this one requires the ability to run unprivileged code on the system performing the AES
encryption, which may be achieved by malware infection far more easily than commandeering
the root account.

NIST OR CSEC VALIDATION

The Cryptographic Module Validation Program (CMVP) is operated jointly by the

United States Government's National Institute of Standards and Technology (NIST) Computer
Security Division and the Communications Security Establishment (CSE) of the Government of
Canada. The use of cryptographic modules validated to NIST FIPS 140-2 is required by the
United States Government for encryption of all data that has a classification of Sensitive but
Unclassified (SBU) or above. From NSTISSP #11, National Policy Governing the Acquisition of
Information Assurance: “Encryption products for protecting classified information will be
certified by NSA, and encryption products intended for protecting sensitive information will be
certified in accordance with NIST FIPS 140-2.” 

The Government of Canada also recommends the use of FIPS 140 validated

cryptographic modules in unclassified applications of its departments.
 Although NIST publication 197 ("FIPS 197") is the unique document that covers the
AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several
algorithms (such as Triple DES or SHA1) validated at the same time. Therefore, it is rare to find
cryptographic modules that are uniquely FIPS 197 validated and NIST itself does not generally
take the time to list FIPS 197 validated modules separately on its public web site. Instead, FIPS
197 validation is typically just listed as an "FIPS approved: AES" notation (with a specific FIPS
197 certificate number) in the current list of FIPS 140 validated cryptographic modules.

The Cryptographic Algorithm Validation Program (CAVP) allows for independent

validation of the correct implementation of the AES algorithm at a reasonable cost. Successful
validation results in being listed on the NIST validations page. This testing is a pre-requisite for
the FIPS 140-2 module validation described below. However, successful CAVP validation in no
way implies that the cryptographic module implementing the algorithm is secure. Lacking FIPS
140-2 validation or specific approval by the NSA, a cryptographic module is not deemed secure
by the US Government and cannot be used to protect government data.

FIPS 140-2 validation is challenging to achieve both technically and fiscally. There is a

standardized battery of tests as well as an element of source code review that must be passed
over a period of a few weeks. The cost to perform these tests through an approved laboratory can
be significant (e.g., well over $30,000 US) and does not include the time it takes to write, test,
document and prepare a module for validation. After validation, modules must be re-submitted
and re-evaluated if they are changed in any way. This can vary from simple paperwork updates if
the security functionality did not change to a more substantial set of re-testing if the security
functionality was impacted by the change.
 DIGITAL IMAGE PROCESSING

BACKGROUND:

Digital image processing is an area characterized by the need for extensive

experimental work to establish the viability of proposed solutions to a given problem. An
important characteristic underlying the design of image processing systems is the significant
level of testing & experimentation that normally is required before arriving at an acceptable
solution. This characteristic implies that the ability to formulate approaches &quickly prototype
candidate solutions generally plays a major role in reducing the cost & time required to arrive at
a viable system implementation.

What is DIP?

An image may be defined as a two-dimensional function f(x, y), where x & y are
spatial coordinates, & the amplitude of f at any pair of coordinates (x, y) is called the intensity
or gray level of the image at that point. When x, y & the amplitude values of f are all finite
discrete quantities, we call the image a digital image. The field of DIP refers to processing digital
image by means of digital computer. Digital image is composed of a finite number of elements,
each of which has a particular location & value. The elements are called pixels.

Vision is the most advanced of our sensor, so it is not surprising that image play the single
most important role in human perception. However, unlike humans, who are limited to the visual
band of the EM spectrum imaging machines cover almost the entire EM spectrum, ranging from
gamma to radio waves. They can operate also on images generated by sources that humans are
not accustomed to associating with image.

There is no general agreement among authors regarding where image processing stops &
other related areas such as image analysis& computer vision start. Sometimes a distinction is
made by defining image processing as a discipline in which both the input & output at a process
are images. This is limiting & somewhat artificial boundary. The area of image analysis (image
understanding) is in between image processing & computer vision.

There are no clear-cut boundaries in the continuum from image processing at one end to
complete vision at the other. However, one useful paradigm is to consider three types of
computerized processes in this continuum: low-, mid-, & high-level processes. Low-level
process involves primitive operations such as image processing to reduce noise, contrast
enhancement & image sharpening. A low- level process is characterized by the fact that both its
inputs & outputs are images. Mid-level process on images involves tasks such as segmentation,
description of that object to reduce them to a form suitable for computer processing &
classification of individual objects. A mid-level process is characterized by the fact that its inputs
generally are images but its outputs are attributes extracted from those images. Finally higher-
level processing involves “Making sense” of an ensemble of recognized objects, as in image
analysis & at the far end of the continuum performing the cognitive functions normally
associated with human vision.

Digital image processing, as already defined is used successfully in a broad range of areas
of exceptional social & economic value.

What is an image?

An image is represented as a two dimensional function f(x, y) where x and y are spatial co-
ordinates and the amplitude of ‘f’ at any pair of coordinates (x, y) is called the intensity of the
image at that point.
Gray scale image:

A grayscale image is a function I (xylem) of the two spatial coordinates of the image
plane. I(x, y) is the intensity of the image at the point (x, y) on the image plane. I (xylem) takes
non-negative values assume the image is bounded by a rectangle [0, a] ´[0, b]I: [0, a] ´ [0, b] ®
[0, info)

Color image:

It can be represented by three functions, R (xylem) for red, G (xylem) for green and
B (xylem) for blue.

An image may be continuous with respect to the x and y coordinates and also in
amplitude. Converting such an image to digital form requires that the coordinates as well as the
amplitude to be digitized. Digitizing the coordinate’s values is called sampling. Digitizing the
amplitude values is called quantization.

Coordinate convention:

The result of sampling and quantization is a matrix of real numbers. We use two principal
ways to represent digital images. Assume that an image f(x, y) is sampled so that the resulting
image has M rows and N columns. We say that the image is of size M X N. The values of the
coordinates (xylem) are discrete quantities. For notational clarity and convenience, we use
integer values for these discrete coordinates. In many image processing books, the image origin
is defined to be at (xylem)=(0,0).The next coordinate values along the first row of the image are
(xylem)=(0,1).It is important to keep in mind that the notation (0,1) is used to signify the second
sample along the first row. It does not mean that these are the actual values of physical
coordinates when the image was sampled. Following figure shows the coordinate convention.
Note that x ranges from 0 to M-1 and y from 0 to N-1 in integer increments.

The coordinate convention used in the toolbox to denote arrays is different from the
preceding paragraph in two minor ways. First, instead of using (xylem) the toolbox uses the
notation (race) to indicate rows and columns. Note, however, that the order of coordinates is the
same as the order discussed in the previous paragraph, in the sense that the first element of a
coordinate topples, (alb), refers to a row and the second to a column. The other difference is that
the origin of the coordinate system is at (r, c) = (1, 1); thus, r ranges from 1 to M and c from 1 to
N in integer increments. IPT documentation refers to the coordinates. Less frequently the toolbox
also employs another coordinate convention called spatial coordinates which uses x to refer to
columns and y to refers to rows. This is the opposite of our use of variables x and y.

Image as Matrices:

The preceding discussion leads to the following representation for a digitized image
function:

f (0,0) f(0,1) ……….. f(0,N-1)

f(1,0) f(1,1) ………… f(1,N-1)

f(xylem)= . . .

. . .

f(M-1,0) f(M-1,1) ………… f(M-1,N-1)

The right side of this equation is a digital image by definition. Each element of this
array is called an image element, picture element, pixel or pel. The terms image and pixel are
used throughout the rest of our discussions to denote a digital image and its elements.

A digital image can be represented naturally as a MATLAB matrix:

 f(1,1) f(1,2) ……. f(1,N)

f(2,1) f(2,2) …….. f(2,N)

. . .

f= . . .

f(M,1) f(M,2) …….f(M,N)

Where f(1,1) = f(0,0) (note the use of a monoscope font to denote

MATLAB quantities). Clearly the two representations are identical, except for the shift in origin.
The notation f(p ,q) denotes the element located in row p and the column q. For example f(6,2)
is the element in the sixth row and second column of the matrix f. Typically we use the letters M
and N respectively to denote the number of rows and columns in a matrix. A 1xN matrix is
called a row vector whereas an Mx1 matrix is called a column vector. A 1x1 matrix is a scalar.

Matrices in MATLAB are stored in variables with names such as A, a, RGB, real array and
so on. Variables must begin with a letter and contain only letters, numerals and underscores. As
noted in the previous paragraph, all MATLAB quantities are written using mono-scope
characters. We use conventional Roman, italic notation such as f(x ,y), for mathematical
expressions

Reading Images:

Images are read into the MATLAB environment using function imread whose syntax is

imread(‘filename’)
Format name Description recognized extension

TIFF Tagged Image File Format .tif, .tiff

JPEG Joint Photograph Experts Group .jpg, .jpeg

GIF Graphics Interchange Format .gif

BMP Windows Bitmap .bmp

PNG Portable Network Graphics .png

XWD X Window Dump .xwd

Here filename is a spring containing the complete of the image file(including any
applicable extension).For example the command line

>> f = imread (‘8. jpg’);

reads the JPEG (above table) image chestxray into image array f. Note the use of single quotes
(‘) to delimit the string filename. The semicolon at the end of a command line is used by
MATLAB for suppressing output. If a semicolon is not included. MATLAB displays the results
of the operation(s) specified in that line. The prompt symbol(>>) designates the beginning of a
command line, as it appears in the MATLAB command window.

When as in the preceding command line no path is included in filename, imread reads the
file from the current directory and if that fails it tries to find the file in the MATLAB search path.
The simplest way to read an image from a specified directory is to include a full or relative path
to that directory in filename.
 For example,

>> f = imread ( ‘D:\myimages\chestxray.jpg’);

reads the image from a folder called my images on the D: drive, whereas

>> f = imread(‘ . \ myimages\chestxray .jpg’);

reads the image from the my images subdirectory of the current of the current working
directory. The current directory window on the MATLAB desktop toolbar displays MATLAB’s
current working directory and provides a simple, manual way to change it. Above table lists
some of the most of the popular image/graphics formats supported by imread and imwrite.

Function size gives the row and column dimensions of an image:

>> size (f)

ans = 1024 * 1024

This function is particularly useful in programming when used in the following form to
determine automatically the size of an image:

>>[M,N]=size(f);

This syntax returns the number of rows(M) and columns(N) in the image.

The whole function displays additional information about an array. For instance ,the
statement

>> whos f

gives
 Name size Bytes Class

F 1024*1024 1048576 unit8 array

Grand total is 1048576 elements using 1048576 bytes

The unit8 entry shown refers to one of several MATLAB data classes. A semicolon at the
end of a whose line has no effect ,so normally one is not used.

Displaying Images:

Images are displayed on the MATLAB desktop using function imshow, which has the basic
syntax:

imshow(f,g)

Where f is an image array, and g is the number of intensity levels used to display it.
If g is omitted ,it defaults to 256 levels .using the syntax

imshow(f,{low high})

Displays as black all values less than or equal to low and as white all values greater
than or equal to high. The values in between are displayed as intermediate intensity values using
the default number of levels .Finally the syntax

Imshow(f,[ ])

Sets variable low to the minimum value of array f and high to its maximum value.
This form of imshow is useful for displaying images that have a low dynamic range or that have
positive and negative values.

Function pixval is used frequently to display the intensity values of individual pixels
interactively. This function displays a cursor overlaid on an image. As the cursor is moved over
the image with the mouse the coordinates of the cursor position and the corresponding intensity
values are shown on a display that appears below the figure window .When working with color
images, the coordinates as well as the red, green and blue components are displayed. If the left
button on the mouse is clicked and then held pressed, pixval displays the Euclidean distance
between the initial and current cursor locations.

The syntax form of interest here is Pixval which shows the cursor on the last image
displayed. Clicking the X button on the cursor window turns it off.

The following statements read from disk an image called rose_512.tif extract basic
information about the image and display it using imshow :

>>f=imread(‘rose_512.tif’);

>>whos f

Name Size Bytes Class

F 512*512 262144 unit8 array

Grand total is 262144 elements using 262144 bytes

>>imshow(f)

A semicolon at the end of an imshow line has no effect, so normally one is not used.
If another image,g, is displayed using imshow, MATLAB replaces the image in the screen with
the new image. To keep the first image and output a second image, we use function figure as
follows:

>>figure ,imshow(g)

Using the statement

>>imshow(f),figure ,imshow(g) displays both images.

 Note that more than one command can be written on a line ,as long as different commands
are properly delimited by commas or semicolons. As mentioned earlier, a semicolon is used
whenever it is desired to suppress screen outputs from a command line.

Suppose that we have just read an image h and find that using imshow produces the image.
It is clear that this image has a low dynamic range, which can be remedied for display purposes
by using the statement.

>>imshow(h,[ ])

WRITING IMAGES:

Images are written to disk using function imwrite, which has the following basic syntax:

Imwrite (f,’filename’)

With this syntax, the string contained in filename must include a recognized file format
extension .Alternatively, the desired format can be specified explicitly with a third input
argument. >>imwrite(f,’patient10_run1’,’tif’)

Or alternatively

For example the following command writes f to a TIFF file named patient10_run1:

>>imwrite(f,’patient10_run1.tif’)

If filename contains no path information, then imwrite saves the file in the current working
directory.

The imwrite function can have other parameters depending on e file format selected. Most
of the work in the following deals either with JPEG or TIFF images ,so we focus attention here
on these two formats.
More general imwrite syntax applicable only to JPEG images is

imwrite(f,’filename.jpg,,’quality’,q)

where q is an integer between 0 and 100(the lower number the higher the degradation due to
JPEG compression).

For example, for q=25 the applicable syntax is

>> imwrite(f,’bubbles25.jpg’,’quality’,25)

The image for q=15 has false contouring that is barely visible, but this effect becomes quite
pronounced for q=5 and q=0.Thus, an expectable solution with some margin for error is to
compress the images with q=25.In order to get an idea of the compression achieved and to obtain
other image file details, we can use function imfinfo which has syntax.

Imfinfo filename

Here filename is the complete file name of the image stored in disk.

For example,

>> imfinfo bubbles25.jpg

outputs the following information(note that some fields contain no information in this case):

Filename: ‘bubbles25.jpg’

FileModDate: ’04-jan-2003 12:31:26’

FileSize: 13849

Format: ‘jpg’

Format Version: ‘‘
Width: 714

Height: 682

Bit Depth: 8

Color Depth: ‘grayscale’

Format Signature: ‘‘

Comment: {}

Where file size is in bytes. The number of bytes in the original image is corrupted simply
by multiplying width by height by bit depth and dividing the result by 8. The result is
486948.Dividing this file size gives the compression ratio:(486948/13849)=35.16.This
compression ratio was achieved. While maintaining image quality consistent with the
requirements of the appearance. In addition to the obvious advantages in storage space, this
reduction allows the transmission of approximately 35 times the amount of un compressed data
per unit time.

The information fields displayed by imfinfo can be captured in to a so called structure

variable that can be for subsequent computations. Using the receding an example and assigning
the name K to the structure variable.

We use the syntax >>K=imfinfo(‘bubbles25.jpg’);

To store in to variable K all the information generated by command imfinfo, the

information generated by imfinfo is appended to the structure variable by means of fields,
separated from K by a dot. For example, the image height and width are now stored in structure
fields K. Height and K. width.

As an illustration, consider the following use of structure variable K to commute the

compression ratio for bubbles25.jpg:

>> K=imfinfo(‘bubbles25.jpg’);
 >> image_ bytes =K.Width* K.Height* K.Bit Depth /8;

>> Compressed_ bytes = K.FilesSize;

>> Compression_ ratio=35.162

Note that iminfo was used in two different ways. The first was t type imfinfo bubbles25.jpg
at the prompt, which resulted in the information being displayed on the screen. The second was
to type K=imfinfo (‘bubbles25.jpg’),which resulted in the information generated by imfinfo
being stored in K. These two different ways of calling imfinfo are an example of command_
function duality, an important concept that is explained in more detail in the MATLAB online
documentation.

More general imwrite syntax applicable only to tif images has the form

Imwrite(g,’filename.tif’,’compression’,’parameter’,….’resloution’,[colres rowers] )

Where ‘parameter’ can have one of the following principal values: ‘none’ indicates no
compression, ‘pack bits’ indicates pack bits compression (the default for non ‘binary images’)
and ‘ccitt’ indicates ccitt compression. (the default for binary images).The 1*2 array [colres
rowers]

Contains two integers that give the column resolution and row resolution in dot per_ unit
(the default values). For example, if the image dimensions are in inches, colres is in the number
of dots(pixels)per inch (dpi) in the vertical direction and similarly for rowers in the horizontal
direction. Specifying the resolution by single scalar, res is equivalent to writing [res res].

>>imwrite(f,’sf.tif’,’compression’,’none’,’resolution’,……………..[300 300])

the values of the vector[colures rows] were determined by multiplying 200 dpi by the ratio
2.25/1.5, which gives 30 dpi. Rather than do the computation manually, we could write

>> res=round(200*2.25/1.5);

>>imwrite(f,’sf.tif’,’compression’,’none’,’resolution’,res)
 where its argument to the nearest integer.It function round rounds is important to note that
the number of pixels was not changed by these commands. Only the scale of the image changed.
The original 450*450 image at 200 dpi is of size 2.25*2.25 inches. The new 300_dpi image is
identical, except that is 450*450 pixels are distributed over a 1.5*1.5_inch area. Processes such
as this are useful for controlling the size of an image in a printed document with out sacrificing
resolution.

Often it is necessary to export images to disk the way they appear on the MATLAB
desktop. This is especially true with plots .The contents of a figure window can be exported to
disk in two ways. The first is to use the file pull-down menu is in the figure window and then
choose export. With this option the user can select a location, filename, and format. More control
over export parameters is obtained by using print command:

Print-fno-dfileformat-rresno filename

Where no refers to the figure number in the figure window interest, file format refers
one of the file formats in table above. ‘resno’ is the resolution in dpi, and filename is the name
we wish to assign the file.

If we simply type print at the prompt, MATLAB prints (to the default printer) the contents
of the last figure window displayed. It is possible also to specify other options with print, such as
specific printing device.

Data Classes:

Although we work with integers coordinates the values of pixels themselves are not
restricted to be integers in MATLAB. Table above list various data classes supported by
MATLAB and IPT are representing pixels values. The first eight entries in the table are refers to
as numeric data classes. The ninth entry is the char class and, as shown, the last entry is referred
to as logical data class.

All numeric computations in MATLAB are done in double quantities, so this is also a
frequent data class encounter in image processing applications. Class unit 8 also is encountered
frequently, especially when reading data from storages devices, as 8 bit images are most
common representations found in practice. These two data classes, classes logical, and, to a
lesser degree, class unit 16 constitute the primary data classes on which we focus. Many ipt
functions however support all the data classes listed in table. Data class double requires 8 bytes
to represent a number uint8 and int 8 require one byte each, uint16 and int16 requires 2bytes and
unit 32.

Name Description

Double Double _ precision, floating_ point numbers the Approximate.

Uinit8 unsigned 8_bit integers in the range [0,255] (1byte per

Element). Element).

Uinit16 unsigned 16_bit integers in the range [0,65535] (2byte

Per element).

Uinit 32 unsigned 32_bit integers in the range [0,4294967295]

(4 bytes per element).

Int8 signed 8_bit integers in the range[-128,127]

1 byte per element)

Int 16 signed 16_byte integers in the range

[32768, 32767] (2 bytes per element).

Int 32 Signed 32_byte integers in the range

[-2147483648, 21474833647]
 (4 byte per element).

Single single _precision floating _point numbers with values

In the approximate range (4 bytes per elements).

Char characters (2 bytes per elements).

Logical values are 0 to 1 (1byte per element).

int 32 and single, required 4 bytes each. The char data class holds characters in Unicode
representation. A character string is merely a 1*n array of characters logical array contains only
the values 0 to 1,with each element being stored in memory using function logical or by using
relational operators.

Image Types:

The toolbox supports four types of images:

1 .Intensity images

2. Binary images

3. Indexed images

4. R G B images

Most monochrome image processing operations are carried out using binary or intensity
images, so our initial focus is on these two image types. Indexed and RGB colour images.
Intensity Images:

An intensity image is a data matrix whose values have been scaled to represent intentions.
When the elements of an intensity image are of class unit8, or class unit 16, they have integer
values in the range [0,255] and [0, 65535], respectively. If the image is of class double, the
values are floating _point numbers. Values of scaled, double intensity images are in the range [0,
1] by convention.

Binary Images:

Binary images have a very specific meaning in MATLAB.A binary image is a logical array
0s and1s.Thus, an array of 0s and 1s whose values are of data class, say unit8, is not considered
as a binary image in MATLAB .A numeric array is converted to binary using function logical.
Thus, if A is a numeric array consisting of 0s and 1s, we create an array B using the statement.

B=logical (A)

If A contains elements other than 0s and 1s.Use of the logical function converts all
nonzero quantities to logical 1s and all entries with value 0 to logical 0s.

Using relational and logical operators also creates logical arrays.

To test if an array is logical we use the I logical function:

islogical(c)

If c is a logical array, this function returns a 1.Otherwise returns a 0. Logical array can be
converted to numeric arrays using the data class conversion functions.

Indexed Images:

An indexed image has two components:

A data matrix integer, x.

A color map matrix, map.

Matrix map is an m*3 arrays of class double containing floating_ point values in the range
[0, 1].The length m of the map are equal to the number of colors it defines. Each row of map
specifies the red, green and blue components of a single color. An indexed images uses “direct
mapping” of pixel intensity values color map values. The color of each pixel is determined by
using the corresponding value the integer matrix x as a pointer in to map. If x is of class double
,then all of its components with values less than or equal to 1 point to the first row in map, all
components with value 2 point to the second row and so on. If x is of class units or unit 16, then
all components value 0 point to the first row in map, all components with value 1 point to the
second and so on.

RGB Image:

An RGB color image is an M*N*3 array of color pixels where each color pixel is triplet
corresponding to the red, green and blue components of an RGB image, at a specific spatial
location. An RGB image may be viewed as “stack” of three gray scale images that when fed in to
the red, green and blue inputs of a color monitor

Produce a color image on the screen. Convention the three images forming an RGB color
image are referred to as the red, green and blue components images. The data class of the
components images determines their range of values. If an RGB image is of class double the
range of values is [0, 1].

Similarly the range of values is [0,255] or [0, 65535].For RGB images of class units or unit
16 respectively. The number of bits use to represents the pixel values of the component images
determines the bit depth of an RGB image. For example, if each component image is an 8bit
image, the corresponding RGB image is said to be 24 bits deep.
 Generally, the number of bits in all component images is the same. In this case the number
of possible color in an RGB image is (2^b) ^3, where b is a number of bits in each component
image. For the 8bit case the number is 16,777,216 colors.
AES

The Advanced Encryption Standard (AES), the block cipher ratified as a standard

by National Institute of Standards and Technology of the United States (NIST), was chosen
using a process markedly more open and transparent than its predecessor, the aging Data
Encryption Standard (DES). This process won plaudits from the open cryptographic community,
and helped to increase confidence in the security of the winning algorithm from those who were
suspicious of backdoors in the predecessor, DES.

A new standard was needed primarily because DES has a relatively small 56-
bit key which was becoming vulnerable to brute force attacks. In addition, the DES was designed
primarily for hardware and is relatively slow when implemented in software. [1] While Triple-
DES avoids the problem of a small key size, it is very slow even in software; is unsuitable for
limited-resource platforms, and may be affected by potential security issues connected with the
(today comparatively small) block size of 64 bits.

Initiation of the process

On January 2, 1997, NIST announced that they wished to choose a successor to DES to
be known as AES. Like DES, this was to be "an unclassified, publicly disclosed encryption
algorithm capable of protecting sensitive government information well into the next
century." However, rather than simply publishing a successor, NIST asked for input from
interested parties on how the successor should be chosen. Interest from the
open cryptographic community was immediately intense, and NIST received a great many
submissions during the three month comment period.

The result of this feedback was a call for new algorithms on September 12, 1997. The
algorithms were all to be block ciphers, supporting a block size of 128 bits and key sizes of 128,
192, and 256 bits. Such ciphers were rare at the time of the announcement; the best known was
probably Square.
Start and stop rounds

In the nine months that followed, fifteen different designs were created and submitted
from several different countries. They were, in alphabetical order: CAST-
256, CRYPTON, DEAL, DFC, E2,FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, 
SAFER+, Serpent, and Two fish.

In the ensuing debate, many advantages and disadvantages of the different candidates
were investigated by cryptographers; they were assessed not only on security, but also on
performance in a variety of settings (PCs of various architectures, smart cards, hardware
implementations) and on their feasibility in limited environments (smart cards with very limited
memory, low gate count implementations, FPGAs).

Some designs fell due to cryptanalysis that ranged from minor flaws to significant attacks,
while others lost favour due to poor performance in various environments or through having little
to offer over other candidates. NIST held two conferences to discuss the submissions (AES1,
August 1998 and AES2, March 1999), and in August 1999 they announced [4] that they were
narrowing the field from fifteen to five: MARS, RC6, Rijndael, Serpent, and Twofish. All five
algorithms, commonly referred to as "AES finalists", were designed by cryptographers
considered well-known and respected in the community. The AES2 conference votes were as
follows:

 Rijndael: 86 positive, 10 negative

 Serpent: 59 positive, 7 negative
 Twofish: 31 positive, 21 negative
 RC6: 23 positive, 37 negative
 MARS: 13 positive, 84 negative

A further round of intense analysis and cryptanalysis followed, culminating in the AES3
conference in April 2000, at which a representative of each of the final five teams made a
presentation arguing why their design should be chosen as the AES.
Implementations

Rijndael is free for any use public or private, commercial or non-commercial. The
authors of Rijndael used to provide a home page for the algorithm. Care should be taken when
implementing AES in software. Like most encryption algorithms, Rijndael was designed on big-
endian systems. For this reason, little-endian systems return correct test vector results only
through swapping bytes of the input and output words.

The algorithm operates on plaintext blocks of 16 bytes. Encryption of shorter blocks is

possible only by padding the source bytes, usually with null bytes. This can be accomplished via
several methods, the simplest of which assumes that the final byte of the cipher identifies the
number of Null bytes of padding added.

Careful choice must be made in selecting the mode of operation of the cipher. The simplest
mode encrypts and decrypts each 128-bit block separately. In this mode, called "electronic code
book (ECB)", blocks that are identical will be encrypted identically, which is entirely insecure.
This will make some of the plaintext structure visible in the cipher text. Selecting other modes,
such as empressing a sequential counter over the block prior to encryption (CTR mode) and
removing it after decryption avoids this problem.

 Current list of FIPS 197 validated cryptographic modules (hosted by NIST)

 Current list of FIPS 140 validated cryptographic modules with validated AES
implementations (hosted by NIST) - Most of these involve a commercial implementation of
AES algorithms. Look for "FIPS-approved algorithms" entry in the "Level / Description"
column followed by "AES" and then a specific certificate number.
 Figure shows AES speed at 128, 192 and 256-bit key sizes.

C/ASM library

 AES Crypt
 Bee Crypt
 c crypt
 Open SSL
 Gnu TLS
 A portable byte-oriented AES-256 implementation in C
 Polar SSL (single header and source file implementation Source Code)
 Reference implementation and derived code
 Brian Glad man
 lib tom crypt used in Drop bear SSH client and server
 m crypt
 n crypt
 Matrix SSL, Embedded SSL library.
 Microsoft CryptoAPI uses Cryptographic Service Providers to offer encryption
implementations. The Microsoft AES Cryptographic Provider was introduced in Windows
XP and can be used with any version of the Microsoft Crypto API .

C++ library

 Botan has implemented Rijndael since its very first release in 2001

 Crypto++ A comprehensive C++ semi-public-domain implementation of encryption and
hash algorithms. FIPS validated

C# /.NET

 As of version 3.5 of the .NET Framework, the System. Security.

Cryptography namespace contains both a fully managed implementation of AES and
a managed wrapper around the CAPI AES implementation.
 Bouncy Castle Crypto Library

Java

 Java Cryptography Extension, integrated in the Java Runtime Environment since version

1.4.2 (see example code)
 IAIK JCE, (see features)
 Bouncy Castle Crypto Library

Java script

 Implementation for JavaScript

 Stanford Java script Crypto Library
PHP

 php sec lib

Python

 Py Crypto
 M2Crypto, a Python wrapper for Open SSL
 Python AES
 N Crypt, a Python wrapper for Open SSL built using Pyrex
 alo- aes
 py crypt opp, a set of Python wrappers for a few of the best crypto algorithms from the
Crypto++ library
 Slow AES, slow but still useful when faster ones are not available
 py crypt, a small Python program that encrypts or decrypts files using AES
 crypto_ example, Set of example code that wraps around PyCrypto and demonstrates
best-practises symmetric encryption, as per Cryptographic Right Answers by Colin Percival.

Rijndael key schedule

AES (Rijndael) uses a key schedule to expand a short key into a number of separate
round keys. This is known as the Rijndael key schedule.

Operators

Rijndael's key schedule utilizes a number of operations, which will be described before
describing the key schedule.
Rotate

The rotate operation takes a 32-bit word like this (in hexadecimal):

1D 2C 3A 4F

and rotates it eight bits to the left such that the high eight bits "wrap around" and become the low
eight bits of the result.

2C 3A 4F 1D

Rcon

Rcon is what the Rijndael documentation calls the exponentiation of 2 to a user-specified

value. Note that this operation is not performed with regular integers, but in Rijndael's finite
field. In polynomial form, 2

is  , and we
compute

in   or equivalently,

in  .
 For example, the rcon(1) = 1, the rcon(2) = 2, the rcon(3) = 4, and the rcon(9) is
the hexadecimal number 0x1b (27 in decimal).

Rcon[256] = {
0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab,
0x4d, 0x9a,
0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5,
0x91, 0x39,
0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83,
0x1d, 0x3a,
0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36,
0x6c, 0xd8,
0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d,
0xfa, 0xef,
0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33,
0x66, 0xcc,
0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
0x80, 0x1b,
0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a,
0xd4, 0xb3,
0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25,
0x4a, 0x94,
0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08,
0x10, 0x20,
0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6,
0x97, 0x35,
0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61,
0xc2, 0x9f,
 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01,
0x02, 0x04,
0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e,
0xbc, 0x63,
0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4,
0xd3, 0xbd,
0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8,
0xcb, 0x8d}

S-box

The key schedule uses Rijndael's S-box.

Key schedule core

This operation is used as an inner loop in the key schedule, and is done thus:

 The input is a 32-bit word and at an iteration number i. The output is a 32-bit word.
 Copy the input over to the output.
 Use the above described rotate operation to rotate the output eight bits to the left
 Apply Rijndael's S-box on all four individual bytes in the output word
 On just the first (leftmost) byte of the output word, exclusive or the byte with 2 to the
power of (i-1). In other words, perform the rcon operation with i as the input, and exclusive
or the rcon output with the first byte of the output word

Key schedule
Constants

Since the key schedule for 128-bit, 192-bit, and 256-bit encryption are very similar, with
only some constants changed, the following keysize constants are defined here:

 n has a value of 16 for 128-bit keys, 24 for 192-bit keys, and 32 for 256-bit keys
 b has a value of 176 for 128-bit keys, 208 for 192-bit keys, and 240 for 256-bit keys

Key schedule description

Rijndael's key schedule is done as follows:

1. The first n bytes of the expanded key are simply the encryption key.
2. The rcon iteration value i is set to 1
3. Until we have b bytes of expanded key, we do the following to generate n more bytes of
expanded key:
 We do the following to create 4 bytes of expanded key:
1. We create a 4-byte temporary variable, t
2. We assign the value of the previous four bytes in the expanded key to t
3. We perform the key schedule core (see above) on t, with i as the rcon
iteration value
4. We increment i by 1
5. We exclusive-or t with the four-byte block n bytes before the new
expanded key. This becomes the next 4 bytes in the expanded key
 We then do the following three times to create the next twelve bytes of expanded
key:
1. We assign the value of the previous 4 bytes in the expanded key to t
2. We exclusive-or t with the four-byte block n bytes before the new
expanded key. This becomes the next 4 bytes in the expanded key
  If we are generating a 256-bit key, we do the following to generate the next 4
bytes of expanded key:
1. We assign the value of the previous 4 bytes in the expanded key to t
2. We run each of the 4 bytes in t through Rijndael's S-box
3. We exclusive-or t with the 4-byte block n bytes before the new expanded
key. This becomes the next 4 bytes in the expanded key.
 If we are generating a 128-bit key, we do not perform the following steps. If we
are generating a 192-bit key, we run the following steps twice. If we are generating a
256-bit key, we run the following steps three times:
1. We assign the value of the previous 4 bytes in the expanded key to t
2. We exclusive-or t with the four-byte block n bytes before the new
expanded key. This becomes the next 4 bytes in the expanded key

Rjindael s box

The Rijndael S-box is a matrix (square array of numbers) used in the Rijndael cypher,

also known as the Advanced Encryption Standard (AES) cryptographic algorithm. The S-box
(substitution box) serves as a lookup table.

Forward s box

The S-box is generated by determining the multiplicative inverse for a given number in

GF(28) = GF(2)[x]/(x8 + x4 + x3 + x + 1), Rijndael's finite field (zero, which has no inverse, is set
to zero). The multiplicative inverse is then transformed using the following affine
transformation:
 where [x0, ..., x7] is the multiplicative inverse as a vector.

This affine transformation is the sum of multiple rotations of the byte as a vector, where
addition is the XOR operation. For example, the multiplicative inverse of 0x11 is 0xb4. The
affine transformation is defined as:

where A is the matrix:

This can further be simplified as:

The rotational matrices simplify to:

hich is equal to 0x82.

The matrix multiplication can be calculated by the following algorithm:

1. Store the multiplicative inverse of the input number in two 8-bit unsigned
temporary variables: s and x.
2. Rotate the value s one bit to the left; if the value of s had a high bit (eighth
bit from the right) of one, make the low bit of s one; otherwise the low bit
of s is zero.
3. Exclusive or the value of x with the value of s, storing the value in x
4. For three more iterations, repeat steps two and three; steps two and three are
done a total of four times.
5. The value of x will now have the result of the multiplication.

After the matrix multiplication is done, exclusive or the value by the decimal number 99
(the hexadecimal number 0x63, the binary number 1100011, and the bit string 11000110
representing the number in LSb first notation).

This will generate the following S-box, which is represented here

with hexadecimal notation:

|0 1 2 3 4 5 6 7 8 9 a b c d e f
---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|
 00 |63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
10 |ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
20 |b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
30 |04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
40 |09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
50 |53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
60 |d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
70 |51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
80 |cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
90 |60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a0 |e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b0 |e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c0 |ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d0 |70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e0 |e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f0 |8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Here the column is determined by the least significant nibble, and the row is
determined by the most significant nibble. For example, the value 0x9a is converted
in to 0xb8 by Rijndael's S-box. Note that the multiplicative inverse of 0x00 is
defined as itself.

Inverse s box

The inverse S-box is simply the S-box run in reverse. For example, the inverse S-box
of 0xdb is 0x9f. It is calculated by first calculating the inverse affine transformation of the input
value, followed by the multiplicative inverse. The inverse affine transformation is as follows:
The following table represents Rijndael's inverse S-box:

|0 1 2 3 4 5 6 7 8 9 a b c d e f
---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|
00 |52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
10 |7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
20 |54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
30 |08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
40 |72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
50 |6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
60 |90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
70 |d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
80 |3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
90 |96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
a0 |47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
b0 |fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
c0 |1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
d0 |60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
e0 |a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
f0 |17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
design criteria

The Rijndael S-Box was specifically designed to be resistant

to linear and differential cryptanalysis. This was done by minimizing the correlation between
linear transformations of input/output bits, and at the same time minimizing the difference
propagation probability.

In addition, to strengthen the S-Box against algebraic attacks, the affine transformation
was added. In the case of suspicion of a trapdoor being built into the cipher, the current S-box
might be replaced by another one. The authors claim that the Rijndael cipher structure should
provide enough resistance against differential and linear cryptanalysis, even if an S-Box with
"average" correlation / difference propagation properties is used.

Data encryption standard

The Data Encryption Standard (DES,   /ˌdiːˌiːˈɛs/ or /ˈdɛz/) is a previously

predominant algorithm for the encryption of electronic data. It was highly influential in the
advancement of modern cryptography in the academic world. Developed in the early 1970s
at IBMand based on an earlier design by Horst Feistel, the algorithm was submitted to
the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate
for the protection of sensitive, unclassified electronic government data. In 1976, after
consultation with the National Security Agency (NSA), the NBS eventually selected a slightly
modified version, which was published as an official Federal Information Processing
Standard (FIPS) for the United States in 1977. The publication of an NSA-approved encryption
standard simultaneously resulted in its quick international adoption and widespread academic
scrutiny. Controversies arose out of classified design elements, a relatively short key length of
the symmetric-key block cipher design, and the involvement of the NSA, nourishing suspicions
about a backdoor. The intense academic scrutiny the algorithm received over time led to the
modern understanding of block ciphers and their cryptanalysis.
 DES is now considered to be insecure for many applications. This is chiefly due to the
56-bit key size being too small; in January, 1999,distributed.net and the Electronic Frontier
Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes. There are also
some analytical results which demonstrate theoretical weaknesses in the cipher, although they
are infeasible to mount in practice. The algorithm is believed to be practically secure in the form
of Triple DES, although there are theoretical attacks. In recent years, the cipher has been
superseded by the Advanced Encryption Standard (AES). Furthermore, DES has been withdrawn
as a standard by the National Institute of Standards and Technology.

The Feistel function (F function) of DES

General

Designers IBM

First published 1977 (standardized in January

1979)
 Derived from Lucifer

Successors Triple DES, G-DES, DES-

X, LOKI89, ICE

Cipher detail

Key sizes 56 bits

Block sizes 64 bits

Structure Balanced Feistel network

Rounds 16

Best public cryptanalysis

DES is now considered insecure because a brute

force attack is possible (see EFF DES cracker). As of
2008, the best analytical attack is linear cryptanalysis,
which requires 243 known plaintexts and has a time
complexity of 239–43(Junod, 2001).

The origins of DES go back to the early 1970s. In 1972, after concluding a study on the
US government's computer security needs, the US standards body NBS (National Bureau of
Standards)  now named NIST (National Institute of Standards and Technology)  identified a need
for a government-wide standard for encrypting unclassified, sensitive information. Accordingly,
on 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would
meet rigorous design criteria. None of the submissions, however, turned out to be suitable. A
second request was issued on 27 August 1974. This time, IBM submitted a candidate which was
deemed acceptable — a cipher developed during the period 1973–1974 based on an earlier
algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher design and analysis
included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas,
Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman.

NSA's involvement in the design

On 17 March 1975, the proposed DES was published in the Federal Register. Public
comments were requested, and in the following year two open workshops were held to discuss
the proposed standard. There was some criticism from various parties, including from public-key
cryptography pioneers Martin Hellman and Whitfield Diffie, citing a shortened key length and
the mysterious "S-boxes" as evidence of improper interference from the NSA. The suspicion was
that the algorithm had been covertly weakened by the intelligence agency so that they  but no-
one else  could easily read encrypted messages. Alan Konheim (one of the designers of DES)
commented, "We sent the S-boxes off to Washington. They came back and were all
different." The United States Senate Select Committee on Intelligence reviewed the NSA's
actions to determine whether there had been any improper involvement. In the unclassified
summary of their findings, published in 1978, the Committee wrote:

In the development of DES, NSA convinced IBM that a reduced key size was sufficient;
indirectly assisted in the development of the S-box structures; and certified that the final DES
algorithm was, to the best of their knowledge, free from any statistical or mathematical
weakness.

However, it also found that NSA did not tamper with the design of the algorithm in any
way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and
concurred that the agreed upon key size was more than adequate for all commercial applications
for which the DES was intended.

Another member of the DES team, Walter Tuchman, stated "We developed the DES
algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!" In contrast,
a declassified NSA book on cryptologic history states:

In 1973 NBS solicited private industry for a data encryption standard (DES). The first
offerings were disappointing, so NSA began working on its own algorithm. Then Howard
Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of
IBM was working on a modification to Lucifer for general use. NSA gave Tuchman a clearance
and brought him in to work jointly with the Agency on his Lucifer modification." and NSA
worked closely with IBM to strengthen the algorithm against all except brute force attacks and to
strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce
the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990,
with the independent discovery and open publication by Eli Biham and Adi
Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of
DES were much more resistant to the attack than if they had been chosen at random, strongly
suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994,
Don Coppersmith published some of the original design criteria for the S-boxes. According
to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974
and were asked by the NSA to keep the technique secret. Coppersmith explains IBM's secrecy
decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool,
used against many schemes, and there was concern that such information in the public domain
could adversely affect national security." Levy quotes Walter Tuchman: "they asked us to stamp
all our documents confidential... We actually put a number on each one and locked them up in
safes, because they were considered U.S. government classified. They said do it. So I did
it". Bruce Schneier observed that "It took the academic community two decades to figure out that
the NSA 'tweaks' actually improved the security of DES."

The algorithm as a standard

Despite the criticisms, DES was approved as a federal standard in November 1976, and
published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. It was
subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2),
and again in 1999 (FIPS-46-3), the latter prescribing "Triple DES" (see below). On 26 May
2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a
public competition. On 19 May 2005, FIPS 46-3 was officially withdrawn, but NIST has
approved Triple DESthrough the year 2030 for sensitive government information.
 The algorithm is also specified in ANSI X3.92, [14] NIST SP 800-67 and ISO/IEC 18033-
3 (as a component of TDEA). Another theoretical attack, linear cryptanalysis, was published in
1994, but it was a brute force attack in 1998 that demonstrated that DES could be attacked very
practically, and highlighted the need for a replacement algorithm. These and other methods
of cryptanalysis are discussed in more detail later in this article.

The introduction of DES is considered to have been a catalyst for the academic study of
cryptography, particularly of methods to crack block ciphers. According to a NIST retrospective
about DES,

The DES can be said to have "jump started" the nonmilitary study and development of
encryption algorithms. In the 1970s there were very few cryptographers, except for those in
military or intelligence organizations, and little academic study of cryptography. There are now
many active academic cryptologists, mathematics departments with strong programs in
cryptography, and commercial information security companies and consultants. A generation of
cryptanalysts has cut its teeth analyzing (that is trying to "crack") the DES algorithm. In the
words of cryptographer Bruce Schneier, "DES did more to galvanize the field of cryptanalysis
than anything else. Now there was an algorithm to study." An astonishing share of the open
literature in cryptography in the 1970s and 1980s dealt with the DES, and the DES is the
standard against which every symmetric key algorithm since has been compared.

DES is the archetypal block cipher — an algorithm that takes a fixed-length string

of plaintext bits and transforms it through a series of complicated operations into another cipher
text bit string of the same length. In the case of DES, the block size is 64 bits. DES also uses
a key to customize the transformation, so that decryption can supposedly only be performed by
those who know the particular key used to encrypt. The key ostensibly consists of 64 bits;
however, only 56 of these are actually used by the algorithm. Eight bits are used solely for
checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is
always quoted as such. Every 8th bit of the selected key is discarded, that is, positions 8, 16, 24,
32, 40, 48, 56, 64 are removed from the 64 bit key leaving behind only the 56 bit key.
 Like other block ciphers, DES by itself is not a secure means of encryption but must
instead be used in a mode of operation. FIPS-81 specifies several modes for use with
DES. Further comments on the usage of DES are contained in FIPS-74.
Key schedule

Figure shows The key-schedule of DES

Figure illustrates the key schedule for encryption  — the algorithm which generates the
subkeys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-
1) — the remaining eight bits are either discarded or used as parity check bits. The 56 bits are
then divided into two 28-bit halves; each half is thereafter treated separately. In successive
rounds, both halves are rotated left by one or two bits (specified for each round), and then 48
subkey bits are selected by Permuted Choice 2 (PC-2) — 24 bits from the left half, and 24 from
the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used
in each subkey; each bit is used in approximately 14 out of the 16 subkeys.

The key schedule for decryption is similar — the subkeys are in reverse order compared
to encryption. Apart from that change, the process is the same as for encryption. The same 28
bits are passed to all rotation boxes.

Security and crypt analysis

Although more information has been published on the cryptanalysis of DES than any
other block cipher, the most practical attack to date is still a brute force approach. Various minor
cryptanalytic properties are known, and three theoretical attacks are possible which, while having
a theoretical complexity less than a brute force attack, require an unrealistic number
of known or chosen plaintexts to carry out, and are not a concern in practice.

Brute force attack

For any cipher, the most basic method of attack is brute force — trying every possible
key in turn. The length of the key determines the number of possible keys, and hence the
feasibility of this approach. For DES, questions were raised about the adequacy of its key size
early on, even before it was adopted as a standard, and it was the small key size, rather than
theoretical cryptanalysis, which dictated a need for a replacement algorithm. As a result of
discussions involving external consultants including the NSA, the key size was reduced from 128
bits to 56 bits to fit on a single chip.
 The EFF's US$250,000 DES cracking machine contained 1,856 custom chips and could
brute force a DES key in a matter of days — the photo shows a DES Cracker circuit board fitted
with several Deep Crack chips.

In academia, various proposals for a DES-cracking machine were advanced. In 1977,

Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a
DES key in a single day. By 1993, Wiener had proposed a key-search machine costing US$1
million which would find a key within 7 hours. However, none of these early proposals were
ever implemented—or, at least, no implementations were publicly acknowledged. The
vulnerability of DES was practically demonstrated in the late 1990s. In 1997, RSA
Security sponsored a series of contests, offering a $10,000 prize to the first team that broke a
message encrypted with DES for the contest. That contest was won by the DESCHALL Project,
led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of thousands of computers
across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a
custom DES-cracker was built by the Electronic Frontier Foundation (EFF), a cyberspace civil
rights group, at the cost of approximately US$250,000 (see EFF DES cracker). Their motivation
was to show that DES was breakable in practice as well as in theory: "There are many people
who will not believe a truth until they can see it with their own eyes. Showing them a physical
machine that can crack DES in a few days is the only way to convince some people that they
really cannot trust their security to DES." The machine brute-forced a key in a little more than 2
days search.
 The next confirmed DES cracker was the COPACOBANA machine built in 2006 by
teams of the Universities of Bochum and Kiel, both in Germany. Unlike the EFF machine,
COPACOBANA consists of commercially available, reconfigurable integrated circuits. 120 of
these field-programmable gate arrays (FPGAs) of type XILINX Spartan3-1000 run in parallel.
They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable
hardware makes the machine applicable to other code breaking tasks as well. One of the more
interesting aspects of COPACOBANA is its cost factor. One machine can be built for
approximately $10,000. The cost decrease by roughly a factor of 25 over the EFF machine is an
example of the continuous improvement of digital hardware. Adjusting for inflation over 8 years
yields an even higher improvement of about 30x. Since 2007, SciEngines GmbH, a spin-off
company of the two project partners of COPACOBANA has enhanced and developed successors
of COPACOBANA. In 2008 their COPACOBANA RIVYERA reduced the time to break DES
to less than one day, using 128 Spartan-3 5000's. Currently SciEngines RIVYERA holds the
record in brute-force breaking DES, having utilized 128 Spartan-3 5000 FPGAs. Their 256
Spartan-6 LX150 model has even lowered this time.

Attacks faster than brute-force

There are three attacks known that can break the full 16 rounds of DES with less complexity
than a brute-force search: differential cryptanalysis (DC), linear cryptanalysis (LC), and Davies'
attack. However, the attacks are theoretical and are unfeasible to mount in practice; these types
of attack are sometimes termed certificational weaknesses.

 Differential cryptanalysis was rediscovered in the late 1980s by Eli Biham and Adi

Shamir; it was known earlier to both IBM and the NSA and kept secret. To break the full 16
rounds, differential cryptanalysis requires 249 chosen plaintexts.[26] DES was designed to be
resistant to DC.
 Linear cryptanalysis was discovered by Mitsuru Matsui, and needs 243 known
plaintexts (Matsui, 1993); the method was implemented (Matsui, 1994), and was the first
experimental cryptanalysis of DES to be reported. There is no evidence that DES was
 tailored to be resistant to this type of attack. A generalization of LC — multiple linear
cryptanalysis — was suggested in 1994 (Kaliski and Robshaw), and was further refined by
Biryukov and others. (2004); their analysis suggests that multiple linear approximations
could be used to reduce the data requirements of the attack by at least a factor of 4 (that is,
241 instead of 243). A similar reduction in data complexity can be obtained in a chosen-
plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000). Junod (2001)
performed several experiments to determine the actual time complexity of linear
cryptanalysis, and reported that it was somewhat faster than predicted, requiring time
equivalent to 239–241 DES evaluations.
 Improved Davies' attack: while linear and differential cryptanalysis are general
techniques and can be applied to a number of schemes, Davies' attack is a specialized
technique for DES, first suggested by Donald Davies in the eighties, and improved by Biham
and Biryukov (1997). The most powerful form of the attack requires 2 50 known plaintexts,
has a computational complexity of 250, and has a 51% success rate.

There have also been attacks proposed against reduced-round versions of the cipher, that is,
versions of DES with fewer than 16 rounds. Such analysis gives an insight into how many
rounds are needed for safety, and how much of a "security margin" the full version
retains. Differential-linear cryptanalysis was proposed by Langford and Hellman in 1994, and
combines differential and linear cryptanalysis into a single attack. An enhanced version of the
attack can break 9-round DES with 215.8 known plaintexts and has a 229.2 time complexity.

Disk encryption

Disk encryption is a technology which protects information by converting it into

unreadable code that cannot be deciphered easily by unauthorized people. Disk
encryption uses disk encryption software or hardware to encrypt every bit of data that goes on
a disk or disk volume. Disk encryption prevents unauthorized access to data storage.
 Expressions full disk encryption (FDE) or whole disk encryption often signify that
everything on disk is encrypted – including the programs that can encrypt bootable operating
system partitions – when part of the disk is necessarily not encrypted. FileVault 2 encrypts
the OS X startup volume in its entirety; authorised FDE users’ information is loaded from from a
separate non encrypted boot volume (partition/slice type Apple_Boot). On systems that use
a master boot record (MBR), that part of the disk remains non encrypted. Some hardware-based
full disk encryption systems can truly encrypt an entire boot disk, including the MBR.

Disk encryption does not replace file or directory encryption in all situations. Disk
encryption is sometimes used in conjunction with file system-level encryption with the intention
of providing a more secure implementation. Since disk encryption generally uses the
same key for encrypting the whole volume, all data is de cryptable when the system runs.
However, some disk encryption solutions use multiple keys for encrypting different partitions. If
an attacker gains access to the computer at run-time, the attacker has access to all files.
Conventional file and folder encryption instead allows different keys for different portions of the
disk. Thus an attacker cannot extract information from still-encrypted files and folders.

Unlike disk encryption, file system-level encryption does not typically encrypt file
system metadata, such as the directory structure, file names, modification timestamps or sizes.

Disk encryption in Trusted platform module

Trusted Platform Module (TPM) is a secure crypto processor embedded in

the motherboard that can be used to authenticate a hardware device. Since each TPM chip is
unique to a particular device, it is capable of performing platform authentication. It can be used
to verify that the system seeking the access is the expected system.

A limited number of disk encryption solutions have support for TPM. These
implementations can wrap the decryption key using the TPM, thus tying the hard disk
drive (HDD) to a particular device. If the HDD is removed from that particular device and placed
in another, the decryption process will fail. Recovery is possible with the
decryption password or token.

Although this has the advantage that the disk cannot be removed from the device, it might
create a single point of failure in the encryption. For example, if something happens to the TPM
or the mother board, a user would not be able to access the data by connecting the hard drive to
another computer, unless that user has a separate recovery key.

Multi scale electro physiology format

Multi scale Electrophysiology Format (MEF) was developed to handle the large amounts
of data produced by large-scale electrophysiology in human and animal subjects. MEF can store
any time series data up to 24 bits in length, and employs lossless range encoded difference
compression. Subject identifying information in the file header can be encrypted using 128-bit
AES encryption in order to comply with HIPAA requirements for patient privacy when
transmitting data across an open network.

Compressed data is stored in independent blocks to allow direct access to the data,
facilitate parallel processing and limit the effects of potential damage to files. Data fidelity is
ensured by a 32-bit cyclic redundancy check in each compressed data block using the Koopman
polynomial (0xEB31D82E), which has a Hamming distance of from 4 to 114 kbits.

Triple des

In cryptography, Triple DES is the common name for the Triple Data Encryption

Algorithm (TDEA or Triple DEA) block cipher, which applies theData Encryption
Standard (DES) cipher algorithm three times to each data block.

The original DES cipher's key size of 56 bits was generally sufficient when that
algorithm was designed, but the availability of increasing computational power made brute-force
attacks feasible. Triple DES provides a relatively simple method of increasing the key size of
DES to protect against such attacks, without the need to design a completely new block cipher
algorithm.

The earliest standard that defines the algorithm (ANS X9.52, published in 1998)
describes it as the "Triple Data Encryption Algorithm (TDEA)" — i.e. three operations of the
Data Encryption Algorithm specified in ANSI X3.92 — and does not use the terms "Triple DES"
or "DES" at all. FIPS PUB 46-3 (1999) defines the "Triple Data Encryption Algorithm (TDEA)",
but also uses the terms "DES" and "Triple DES". It uses the terms "Data Encryption Algorithm"
and "DES" interchangeably, including starting the specification with:

The Data Encryption Standard (DES) shall consist of the following Data Encryption
Algorithm (DES) [sic] and Triple Data Encryption Algorithm (TDEA, as described in ANSI
X9.52).

NIST SP 800-67 (2004, 2008, 2012) primarily uses the term TDEA, but also refers to
"Triple DES (TDEA)". ISO/IEC 18033-3 (2005) uses "TDEA", but mentions that:

The TDEA is commonly known as Triple DES (Data Encryption Standard).

None of the standards that define the algorithm use the term "3DES".

Triple DES uses a "key bundle" which comprises three DES keys, K1, K2 and K3, each of
56 bits (excluding parity bits). The encryption algorithm is:

Cipher text = EK3(DK2(EK1(plaintext)))

I.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3.

Decryption is the reverse:

plaintext = DK1(EK2(DK3(ciphertext)))

I.e., decrypt with K3, encrypt with K2, then decrypt with K1.

Each triple encryption encrypts one block of 64 bits of data.

 In each case the middle operation is the reverse of the first and last. This improves the
strength of the algorithm when using keying option 2, and provides backward compatibility with
DES with keying option 3.

Key option

The standards define three keying options:

 Keying option 1: All three keys are independent.

 Keying option 2: K1 and K2 are independent, and K3 = K1.
 Keying option 3: All three keys are identical, i.e. K1 = K2 = K3.

Keying option 1 is the strongest, with 3 × 56 = 168 independent key bits.

Keying option 2 provides less security, with 2 × 56 = 112 key bits. This option is stronger than
simply DES encrypting twice, e.g. with K1 and K2, because it protects against meet-in-the-middle
attacks.

Keying option 3 is equivalent to DES, with only 56 key bits. This option provides
backward compatibility with DES, because the first and second DES operations cancel out. It is
no longer recommended by the National Institute of Standards and Technology (NIST), and is
not supported by ISO/IEC 18033-3.

Block diagram
A symmetric cryptosystem is shown in figure and has five ingredients:
i. Plain text: this is the original message or data that fed into the algorithm as input.
ii. Encryption algorithm: the algorithm performs various substitutions and transformations on the
plaintext.
iii. Secret key: this is also an input to the algorithm and its value is independent of the plaintext.
The algorithm will produce a different output depending on the specific key.
iv. Cipher text: this is the scrambled message produced as output. It depends on the plaintext and
the secret key.
v. Decryption algorithm: this is essentially the encryption algorithm run in reverse. It takes the
cipher text and the secret key and produces the original plaintext.

AES Algorithm
 The AES Algorithm is a symmetric-key cipher, in which both the sender and the receiver
use a single key for encryption and decryption. The data block length is fixed to be 128 bits,
while the length can be 128,192,or 256 bits. In addition, the AES algorithm is an iterative
algorithm. Each iteration can be called a round, and the total number of rounds is 10,12, or 14,
when key length is 128,192, or 256, respectively. The 128 bit data block is divided into 16 bytes.
These bytes are mapped to a 4x4 array called the State, and all the internal operations of the AES
algorithm are performed on the State.

ALGORITHM

The encryption process is iterative in nature. Each iterations are known as rounds. For
each round 128 bit input data and 128 bit key is required. That is, need 4 words of key in one
round. So the input key must be expanded to the required number of words, which depends upon
the number of rounds. The output of each round serves as input of next stage. In AES system,
same secret key is used for both encryption and decryption. So it provides simplicity in design.
 Figure shows the following image encryption

In the encryption of the AES algorithm(Figure), each round except the final round
consists of four transformations:

i. Sub Bytes: Operates in each byte of the State independently. Each byte is substituted by
corresponding byte in the S-box.
ii. Shift Row: Cyclically shifts the rows of the State over different offsets.
iii. Mix Column: In this operation the column of the State are considered as polynomials over
GF(2⁸) and are multiplied with a fixed polynomial. The Mix Column component Does not
operate in the last round of the algorithm.
iv. Add Round Key: Involves bit-wise XOR operation.

State array
 The input to the encryption algorithm is a single 128-bit block .This block is copied into
the State array, which is a square matrix of bytes. State array is modified at each stage of
encryption. Similarly, the 128 bit key is depicted as a square matrix of bytes. The ordering of
bytes within a matrix is by column.

Key expansion

Key expansion is an important for both encryption and decryption.

Figure shows the key expansion algorithm

 The AES key expansion algorithm takes as input a 4-word (16 bytes) key and produces a
linear array of 44 words (176 bytes).This is sufficient to provide a 4-word round key for the
initial Add Round Key stage and each of the 10 rounds of the cipher.

Key Expansion(byte key[16],word[44])

{
word temp
for (i=0; i<4; i++)
w[i]=(key[4*i],key[4*i+1],key[4*i+2],key[4*i+3]);for
(i=4; i<44; i++)
{
temp =w[i-1];
if(i mod 4 = 0)
temp=Sub Word(Rot Word(temp)) xor R con[i/4];
w[i] = w[i-4] xor temp
}
}

The key is copied into the first 4 words of the expanded key. The reminder of the
expanded key is filled in 4 words at a time. Each added word w[i] depends on the immediately
preceding word, w[i-1] and the word four positions back, w[i-4]. In three out of four cases, a
simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex
function g is used.
1. Rot Word performs a one-byte circular left shift on a word. This means that an input word
[b0,b1,b2,b3] is transformed into [b1,b2,b3,b0].
2. Sub Word performs a byte substitution on each byte of its input word, using the S-box.
3. The result of step 1 and step2 is XOR ed with a round constant R con[j].

The round constant is a word in which the three rightmost bytes are always 0.Thus the
effect of XOR of a word with Rcon is to only perform an XOR on the left byte of the word. The
round constant is for each round and is defined as Rcon[j] = ( RC[j],0,0,0), with RC[1]=1;
RC[j]=2*RC[j-1] and with multiplication over the field GF(2^8).

The values of RC[j] in hexadecimal are :

Add Round Key

The 128 bits of State array are bitwise XOR ed with the 128 bits of the round key(4
words of the expanded key).The operation is viewed as a column wise operation between the 4
bytes of the State array column and one word of the round key.
 Figure shows the xor operation between key and state word

Substitute Bytes

AES defines a 16 x 16 matrix of byte values, called an S-box, that contains a permutation
of all possible 256 8-bit values. Each byte of State array is mapped into a new byte in the
following way: The leftmost 4 bits of the byte are used as a row value and the leftmost 4 bits are
used as a column value. These row and column values serve as indexes into the S-box to select a
unique
 Figure shows the sub byte operation

Shift Rows

The first row of State array is not altered. For the second row , a 1-byte circular left shift
is performed. For the third row,a 2- byte circular left shift is performed. For the third row, a 3-
byte circular left shift is performed.
 Figure shows the shifting operation

Mix Column

It operates on each column individually. Each byte of a column is mapped into a new
value that is a function of all four bytes in the column. The transformation can be defined by
following matrix multiplication on State array.
 Each element in the product matrix is the sum of products of elements of one row and
one column. In this case, individual additions and multiplications are performed in GF(2^8).The
Mix Column transformation on a single column j(0 <= j <= 3) of State array can be expressed as

S’(0,j) = (2.s(0,j)) xor (3.s(1,j)) xor (s(2,j)) xor (s(3,j))

S’(1,j) = ( s(0,j)) xor (2.s(1,j)) xor (3.s(2,j)) xor (s(3,j))

S’(2,j) = (s(0,j)) xor (s(1,j)) xor (2.s(2,j)) xor (3.s(3,j))

S’(3,j) = (3.s(0,j)) xor (s(1,j)) xor (s(2,j)) xor (2.s(3,j))

 Conclusion

An image can be encrypted by combining MATLAB with the encoder. Each pixel in an
image is represented by 8 bits, ie 1 byte. Using MATLAB convert the pixel values into bytes.
These byte values are then used as input to the encoder. The 128 bit encoder then convert this
byte into corresponding encoded byte. The encoded bit values are then converted into decimal
values for pixels. Repeat this operation for each pixels
 REFERENCES

1. Bruce schneier“Applied Cryptography” 2nd Edition published by John Wiley&SonsInc.

2. William stallings “Cryptography and Network Security” 3rd Edition published by Pearson
Education Inc and Dorling Kindersley Publishing Inc.

3. M. Zeghid, M. Machhout, L. Khriji, A. Baganne, and R. Tourki “A Modified AES Based

Algorithm for ImageEncryption” World Academy of Science, Engineering and Technology 27,
2007

4. Abdelfatah A. Yahya and Ayman M. Abdalla“A Shuffle Image-Encryption Algorithm

”Department of Computer Science, Al-Zaytoonah University of Jordan, Journal of Computer
Science 4 (12): 999- 1002, 2008

5. Xinmiao Zhang, Student Member,IEEE, and Keshab K. Parthi, Fellow, IEEE “High-Speed
VLSI Architecture for AES Algorithm” IEEE Transactions on VLSI, Vol.12, No.19, September
2004

6. Alireza Hodjat, Student Member, IEEE, and Ingrid Verbauwhede, Senior Member, IEEE
“Area- Throughput Trade-Offs for Fully Pipelined30 to 70 Gbits/s AES Processors” IEEE
Transactions on Computers, Vol.55, no.4, April2006

7. Pawel Chodowiec and Kris Gaj “Very compact FPGA implementation of the AES
Algorithm”,in Proc. Of Cryptographic hardware and embedded system workshop,pp.319-
333,2003

8. F.Rodriguez-Henriquez,N.A Saquib and A. Diaz- Perez“4.2 Gbits/sec Single Chip FPGA

implementation of the AES Algorithm”, ElectronicsLetters, Vol.39, No.15, pp.1115-1116,2003
9. N. Sklavos and O. Koufopavlou, Member, IEEE “Architectures and VLSI Implementations of
the AESProposal Rijndael” IEEE Transactions on Computers, Vol. 51, No. 12, December2002.

10.J.Bhasker “ A VHDL Primer”.3rd Edition published by Pearson Education Inc and Dorling
Kindersley Publishing Inc.

11.J. Elbirt, W. Yip, B. Chetwynd, and C. Paar. An FPGA implementation and performance
evaluation of the AES block cipher candidate algorithm finalist. presented at Proc.3rdAESConf.
(AES3).[Online].Available:http://cs rc.nist.gov/encryption/aes/round2/conf3/aes3papers.ht ml.

12.V. Fischer and M. Drutarovsky, “Two methods of Rijndael implementation in reconfigurable

hardware,” in Proc. , pp. 77–92, CHES 2001, Paris, France,May 2001.

13.H. Kuo and I. Verbauwhede, “Architectural optimization for a 1.82 Gbits/sec VLSI
implementation of the AES Rijndael algorithm,” in Proc. CHES 2001, pp. 51–64, Paris, France,
May 2001.

14.M. McLoone and J. V. McCanny, “Rijndael FPGA implementation utilizing look-up tables,”
in IEEEWorkshop on Signal Processing Systems, pp.349–360, Sept. 2001.
 Appendix

INTRODUCTION TO MATLAB

Matlab Introduction

MATLAB is a high performance language for technical

computing .It integrates computation visualization and programming in an easy to use
environment

Mat lab stands for matrix laboratory. It was written originally to

provide easy access to matrix software developed by LINPACK (linear system package) and
EISPACK (Eigen system package) projects.

MATLAB is therefore built on a foundation of sophisticated

matrix software in which the basic element is matrix that does not require pre dimensioning

Typical uses of MATLAB

1. Math and computation

2. Algorithm development
3. Data acquisition
4. Data analysis ,exploration ands visualization
5. Scientific and engineering graphics

The main features of MATLAB

1. Advance algorithm for high performance numerical computation ,especially in the Field
matrix algebra
2. A large collection of predefined mathematical functions and the ability to define one’s own
functions.
3. Two-and three dimensional graphics for plotting and displaying data
4. A complete online help system
5. Powerful, matrix or vector oriented high level programming language for individual
applications.
6. Toolboxes available for solving advanced problems in several application areas

MATLAB

MATLAB
Programming language

User written / Built in functions

Graphics Computation External interface

2-D graphics Linear algebra Interface with C and
3-D graphics Signal processing FORTRAN
Color and lighting Quadrature Programs
Animation Etc

Tool boxes
Signal processing
Image processing
Control systems
Neural Networks
Communications
Robust control
Statistics

Features and capabilities of MATLAB

The MATLAB System

The MATLAB system consists of five main parts:

Development Environment.

This is the set of tools and facilities that help you use
MATLAB functions and files. Many of these tools are graphical user interfaces. It includes the
MATLAB desktop and Command Window, a command history, an editor and debugger, and
browsers for viewing help, the workspace, files, and the search path.

The MATLAB Mathematical Function Library.

This is a vast collection of computational algorithms

ranging from elementary functions, like sum, sine, cosine, and complex arithmetic, to more
sophisticated functions like matrix inverse, matrix Eigen values, Bessel functions, and fast
Fourier transforms.

The MATLAB Language.

This is a high-level matrix/array language with

control flow statements, functions, data structures, input/output, and object-oriented
programming features. It allows both "programming in the small" to rapidly create quick and
dirty throw-away programs, and "programming in the large" to create large and complex
application programs.

Graphics.

MATLAB has extensive facilities for displaying

vectors and matrices as graphs, as well as annotating and printing these graphs. It includes high-
level functions for two-dimensional and three-dimensional data visualization, image processing,
animation, and presentation graphics. It also includes low-level functions that allow you to fully
customize the appearance of graphics as well as to build complete graphical user interfaces on
your MATLAB applications.

The MATLAB Application Program Interface (API).

This is a library that allows you to write C and

Fortran programs that interact with MATLAB. It includes facilities for calling routines from
MATLAB (dynamic linking), calling MATLAB as a computational engine, and for reading and
writing MAT-files.

Starting MATLAB

On Windows platforms, start MATLAB by double-

clicking the MATLAB shortcut icon on your Windows desktop. On UNIX platforms, start
MATLAB by typing mat lab at the operating system prompt. You can customize MATLAB
startup. For example, you can change the directory in which MATLAB starts or automatically
execute MATLAB statements in a script file named startup.m

MATLAB Desktop

When you start MATLAB, the MATLAB desktop

appears, containing tools (graphical user interfaces) for managing files, variables, and
applications associated with MATLAB. The following illustration shows the default desktop.
You can customize the arrangement of tools and documents to suit your needs. For more
information about the desktop tools .
Implementations

1. Arithmetic operations
Entering Matrices

The best way for you to get started with MATLAB is to learn how to handle matrices. Start
MATLAB and follow along with each example.

You can enter matrices into MATLAB in several different ways:

• Enter an explicit list of elements.

• Load matrices from external data files.

• Generate matrices using built-in functions.

• Create matrices with your own functions in M-files.

Start by entering Dürer’s matrix as a list of its elements. You only have to follow a few basic
conventions:

• Separate the elements of a row with blanks or commas.

• Use a semicolon, to indicate the end of each row.

• Surround the entire list of elements with square brackets, [ ].

To enter matrix, simply type in the Command Window

A = [16 3 2 13; 5 10 11 8; 9 6 7 12; 4 15 14 1]

MATLAB displays the matrix you just entered:

A=

16 3 2 13

5 10 11 8

9 6 7 12

4 15 14 1

This matrix matches the numbers in the engraving. Once

you have entered the matrix, it is automatically remembered in the MATLAB workspace. You
can refer to it simply as A. Now that you have A in the workspace,

sum, transpose, and diag

You are probably already aware that the special properties of a magic square have to do with the
various ways of summing its elements. If you take the sum along any row or column, or along
either of the two main diagonals, you will always get the same number. Let us verify that using
MATLAB.
The first statement to try is

sum(A)

MATLAB replies with

ans =

34 34 34 34

When you do not specify an output variable, MATLAB

uses the variable ans, short for answer, to store the results of a calculation. You have computed a
row vector containing the sums of the columns of A. Sure enough, each of the columns has the
same sum, the magic sum, 34.

How about the row sums? MATLAB has a preference for

working with the columns of a matrix, so one way to get the row sums is to transpose the matrix,
compute the column sums of the transpose, and then transpose the result. For an additional way
that avoids the double transpose use the dimension argument for the sum function.

MATLAB has two transpose operators. The apostrophe

operator (e.g., A') performs a complex conjugate transposition. It flips a matrix about its main
diagonal, and also changes the sign of the imaginary component of any complex elements of the
matrix. The apostrophe-dot operator (e.g., A'.), transposes without affecting the sign of complex
elements. For matrices containing all real elements, the two operators return the same result.

So A' produces

ans =

16 5 9 4

3 10 6 15

2 11 7 14

13 8 12 1
And sum(A')' produces a column vector containing the row sums

ans =

34

34

34

34

The sum of the elements on the main diagonal is obtained with the sum and the diag
functions:

diag(A) produces

ans =

16

10

1 and

sum(diag(A)) produces

ans =

34

The other diagonal, the so-called anti diagonal, is not so important

Mathematically, so MATLAB does not have a ready-made function for it.

But a function originally intended for use in graphics, fliplr, flips a matrix From left to right:

Sum (diag(fliplr(A)))
ans =

34

You have verified that the matrix in Dürer’s engraving is indeed a magic Square and, in the
process, have sampled a few MATLAB matrix operations.

Operators

Expressions use familiar arithmetic operators and precedence rules.

+ Addition

- Subtraction

* Multiplication

/ Division

\ Left division (described in “Matrices and Linear Algebra” in the

MATLAB documentation)

. ^ Power

' Complex conjugate transpose

( ) Specify evaluation order

Generating Matrices

MATLAB provides four functions that generate basic matrices.

zeros All zeros

ones All ones

rand Uniformly distributed random elements

randn Normally distributed random elements

Here are some examples:

Z = zeros(2,4)

Z=

0000

0000

F = 5*ones(3,3)

F=

555

555

555

N = fix(10*rand(1,10))

N=

9264874084

R = randn(4,4)

R=

0.6353 0.0860 -0.3210 -1.2316

-0.6014 -2.0046 1.2366 1.0556

0.5512 -0.4931 -0.6313 -0.1132

-1.0998 0.4620 -2.3252 0.3792

M-Files

You can create your own matrices using M-files, which

are text files containing MATLAB code. Use the MATLAB Editor or another text editor to
create a file Containing the same statements you would type at the MATLAB command Line.
Save the file under a name that ends in .m.

For example, create a file containing these five lines:

A = [...

16.0 3.0 2.0 13.0

5.0 10.0 11.0 8.0

9.0 6.0 7.0 12.0

4.0 15.0 14.0 1.0 ];

Store the file under the name magik.m. Then the statement

Magik reads the file and creates a variable, A, containing our example matrix.

Graph Components

MATLAB displays graphs in a special window known as a

figure. To create a graph, you need to define a coordinate system. Therefore every graph is
placed within axes, which are contained by the figure.

The actual visual representation of the data is achieved with

graphics objects like lines and surfaces. These objects are drawn within the coordinate system
defined by the axes, which MATLAB automatically creates specifically to accommodate the
range of the data. The actual data is stored as properties of the graphics objects.
Plotting Tools

Plotting tools are attached to figures and create an environment

for creating Graphs. These tools enable you to do the following:

• Select from a wide variety of graph types

• Change the type of graph that represents a variable

• See and set the properties of graphics objects

• Annotate graphs with text, arrows, etc.

• Create and arrange subplots in the figure

• Drag and drop data into graphs

Display the plotting tools from the View menu or by clicking

the plotting tools icon in the figure toolbar, as shown in the following picture.
Editor/Debugger

Use the Editor/Debugger to create and debug M-files,

which are programs you write to run MATLAB functions. The Editor/Debugger provides a
graphical user interface for text editing, as well as for M-file debugging. To create or edit an M-
file use File > New or File > Open, or use the edit function.