S. Erfani, ECE Dept.

, University of Windsor 0688-590-18 Network Security

2.3-Cipher Block Modes of operation

2.3-1 Model of Conventional Cryptosystems

The following figure, which is on the next page, illustrates the conventional
encryption process. The original “plaintext” is converted into apparently random
nonsense, called “ciphertext”. The encryption process consists of an algorithm
and a key. The key is a value independent of the plaintext. The algorithm will
produce a different output depending on the specific key being used at the time.
Changing the key changes the output of the algorithm, i.e., the ciphertext.

Once the ciphertext is produced, it may be transmitted. Upon reception, the

ciphertext can be transformed back to the original plaintext by using a decryption
algorithm and the same key that was used for encryption.

X^
Cryptanalyst
Y^

Message X Y
Encryption Decryption Destination
Source
Algorithm Algorithm

Secure Channel
Key
Source

Figure. 1: Model of Conventional Cryptosystem

The security of conventional encryption depends on several factors:

 The Encryption Algorithm- It must be powerful enough that it is impractical

to decrypt a message on the basis of the ciphertext alone.

Sep. 23.2003
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

 Secrecy of the key- It was shown that the security of conventional

encryption depends on the secrecy of the key, not the secrecy of the
algorithm.

Referring to Fig. 1 above, with the message X and the encryption key K as input,
the encryption algorithm forms the ciphertext.

Y=Ek (X)

The intended receiver, in possession of the key is able to invert the

transformation
X=Dk (Y)
An opponent, observing Y but not having access to K or X, may attempt to
recover X or K or both X and K. It is assumed that the opponent knows the
encryption (E) and decryption (D) algorithms. If the opponent is interested in only
this particular message, then the focus of the effort is to recover X by generating
a plaintext estimate X^. Often, however, the opponent is interested in being able
to read future messages as well, in which case an attempt is made to recover K
by generating an estimate K^.

2.3-2 Cryptanalysis

The process of attempting to discover X or Y or both is known as cryptanalysis.

The strategy used by the cryptanalysis depends on the nature of the encryption
scheme and the information available to the cryptanalyst.

The following table summarizes the various types of cryptanalytic attacks based
on the amount of information known to the cryptanalyst.

Table 1: Types of Attacks on Encrypted Message

Attack Type Knowledge Known to Cryptanalyst

Ciphertext only  Encryption algorithm

 Ciphertext to be decoded
Known Plaintext  Encryption algorithm
 Ciphertext to be decoded
 One or more plaintext-ciphertext pairs formed with
the same secret key
Chosen Plaintext  Encryption algorithm
 Ciphertext to be decoded
 Plaintext message chosen by cryptanalyst, together
with its corresponding ciphertext generated with the
same secret key

Sep. 23.2003 2
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

Chosen Ciphertext  Encryption algorithm

 Ciphertext to be decoded
 Purported ciphertext chosen by cryptanalyst,
together with its corresponding decrypted plaintext
generated with the secret key
Chosen text  Encryption algorithm
 Ciphertext to be decoded
 Plaintext message chosen by cryptanalyst, together
with its corresponding ciphertext generated with the
secret key
 Purported ciphertext chosen by cryptanalyst,
together with its corresponding decrypted plaintext
generated with the secret key

2.3-3 -Transposition Ciphers: Moving around

Changing the positions of plaintext letters is another enciphering technique. It is

called transposition, as in transferring position. Please note that many
newspapers have transposition puzzles called “jumbles”.

To illustrate this technique, let’s do the following example.

Example 1:

Plaintext: “last nite was heaven please marry me”

We use a 5x6 grid to write the plaintext as:

Read L A S T N I
down T E W A S H
E A V E N P
L E A S E M
A R R Y M E

To encipher the text, we only read letters down the first column, then letters down
from the second column, and so on. The ciphered letters are the same as the
plaintext letters except that they are positioned to form a new pattern, as given
below.

Ciphertext: LTELA AEAER SWVAR TAESY NSNEM IHPME

To decipher the received ciphertext, the receiver must know two things: the
length and width of the grid and the way letters are read from the grid.

Sep. 23.2003 3
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

Note 1: The transposition cipher is also known as permutation cipher. We

know give the mathematical description of the permutation cryptosystem as
follows:

Def: Permutation Cipher

Let m be a positive integer. Let P =C = (Z26)m and let K consist of all permutations
of {1, …, m}. For a key (i.e., a permutation) , we define
e (x1, …, x m)=( x(1), …, x(m)) and
d (y1, …, ym)=( y (1), …, y (m)) ,
-1 -1

where -1 is the inverse permutation to .

Example 2: Suppose m = 6 and the key is the following permutation :

x 1 2 3 4 5 6
(x) 3 6 1 5 2 4

Note that the first row of this diagram lists the values of x, 1 x 6, and the 2nd
row lists the corresponding values of (x).

The inverse permutation -1 can be constructed by interchanging the two rows in
this diagram, and rearranging the columns so that the first row is in increasing
order. Thus, carrying out these operations, we get the following decryption
permutation -1 as:

x 1 2 3 4 5 6
 (x)
-1
3 5 1 6 4 2

Now, suppose we are given the plaintext

Plaintext: “she sells seashells by the seashore”

We first partition the plaintext into groups of six letters, and then rearrange each
group of six letters according to permutation . The result is shown in the
following 6x6 grid.

x 1 2 3 4 5 6
(x) E E S L S H
S A L S E S
L S H B L E
H S Y E E T
H R A E O S

Sep. 23.2003 4
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

2.3-4 Hill Cipher

Another interesting multi-alphabetic cipher is the Hill cipher, developed by the

mathematician Lester Hill in 1929.

The idea is based on linear transposition. In fact, permutation cipher is a special

case of the Hill cipher.

In this scheme, we take m linear combinations of the m successive plaintext

alphabetic characters and produce an m ciphertext letters for them. The
substitution is determined by m linear equations in which each letter is assigned
its numerical value; i.e. {0, 1, 2, …25} = Z26.

For m = 3, the system can be described as follows:

y1  (k11 x1  k12 x2  k13 x3 ) mod 26

y2  (k21 x1  k22 x2  k23 x3 ) mod 26
y3  ( k31 x1  k32 x2  k33 x3 ) mod 26

This can be expressed in terms of column vectors and matrices:

 y1   k11 k12 k13   x1 

 y   k k22 k23   x2 
 2   21
 y3   k31 k32 k33   x3 

or in a compact form

Y=KX

Where Y and X are column vectors of length 3, representing the ciphertext and
plaintext letters, and K is a 33 matrix, representing the encryption key.
Operations are performed mod26. Decryption requires using the inverse of matrix
K.

Example 1: Consider the plaintext “paymoremoney,” and use the

encryption key

 17 17 5 
 
K   21 18 21
 2 2 19 
 

Sep. 23.2003 5
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

Find the resulting ciphertext.

Solution:

Plaintext: paymoremoney

15 0 24 …

The first three letters of the plaintext are represented by vector (x 1, x2, x3)=(15, 0,
24)
Thus:

 y1   x1   17 17 5 15 
      
 y2   K  x2    21 18 21 0 
y   x   2 2 19  24 
 3  3   

That is:
 y1   375   11   L 
       
 y2    819  mod 26  13    N 
 y   489  18   S 
 3      

Continuing in this fashion, the ciphertext for the entire plaintext is:

Ciphertext: LNSHDLEWMTRW

Q.E.D.
Decryption requires using the inverse of the matrix K. The inverse K1 of a matrix
K is defined by the equation K K1= K1K =I, where I is the diagonal matrix that is
all zeros except for ones along the main diagonal from upper left to lower right.

Note 2: The inverse of a matrix does not always exist, but when it does, it
satisfies the preceding equation.

Exercise 1: Show that the inverse of matrix K used in above example is

 4 9 15 
 
K 1   15 17 6 
 24 0 17 
 

Sep. 23.2003 6
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

Note 3: It is easily shown that if the matrix K1 is applied to the above
resulting ciphertext, then the plaintext can be recovered.

Exercise 2: A cryptanalyst receives the following ciphertext:

LNSHDLEWMTRW

He has also estimated the decryption matrix from some previous analysis for this
Hill Cipher to be:
 4 9 15 
1  
K   15 17 6 
 24 0 17 
 

What is the plaintext?

We now give a precise description of the Hill Cipher over Z26.

Definition: Hill Cipher Cryptosystem

Let m  2 be an integer, Let P=C=(Z26)m

and let

K = {mm invertible matrix over Z26}.

For a key K, we define:

C = EK(P)=KP
P = DK(C) = K1 C= K1 KP = P

Note 1: Hill Cipher completely hides single-letter frequencies. Use of a

larger matrix hides more frequency information.

Note 2: The weakness of the Hill Cipher is that it is easily broken with a
known plaintext attack.

To show this, suppose we have m plaintext-ciphertext pairs, each of length m.

Let

Sep. 23.2003 7
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

Pj=(P1j, P2j, …, Pmj)

Cj=(C1j, C2j, …, Cmj)

Therefore, we can write

Cj=KPj 1jm

for some known key matrix K.

We now define the following two mm square matrices:

X = (Pij)
Y = (Cij)

Then, we can form the matrix equation Y=XK.

Now, we can find the unknown key matrix K from the equation K=X-1Y
Let us illustrate the above attack by a simple example.

Example 2: It is known that the plaintext “friday” is encrypted using a 22 Hill
Cipher to yield the ciphertext PQCFKU. Find the key matrix K for this
cryptosystem.

Solution:

Plaintext: f r i d a y
Pij : 15 17 8 3 0 24
Ciphertext: P Q C F K U
Cij : 15 16 2 5 10 20

For the unknown key matrix is K, we can write the following plaintext-ciphertext
pairs:

KPj = Cj 1jm

Sep. 23.2003 8
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

Using the first two plaintext-ciphertext pairs, we can write the following matrix
equation:

15 16   5 17 
 2 5   8 3  K mod 26
   
1
 5 17  15 16 
K =     mod 26
8 3   2 5 
 9 1  15 16 
=   mod 26
 2 15  2 5 
 7 19 
= 
8 3 

Therefore, we obtained the key matrix! The result can be verified by testing the
remaining plaintext- ciphertext pair.

Note 3 : From the above example and other examples worked out so far, we
may conclude that neither cipher schemes of Substitution nor Transposition are
strong enough to stand cryptanalytic attacks. One may find that using the two
types together creates much better concealment than either method above. In
fact, using substitution and transposition cipher methods repeatedly on ciphertext
provides strong disguising patterns.

We will discuss this scheme in the next chapter.

Exercise 2: Why transposition ciphers are used if they are so easy to crack?

Answer: Transposition can be looked at a set of instructions, one instruction

for each letter, easily implemented by a computer and can be difficult to crack if
they are repeatedly used on the same plaintext!

Exercise 3: Repeat the transposition cipher used in Exercise 1 (on page 17)
twice for the plaintext used:

Solution:

Plaintext: lastnitewasheavenpleasemarryme
1st transposed ciphertext: LTELAAEAERSWVARTAESYNSNEMIHPME
2nd transposed ciphertext: LEVSMTAAYIEERNHLRTSPASANMAWEE

LTELA AEAER SWVAR TAESY

last nite was heaven please marry me NSNEM I HPME

Read
down
L A S T N I L T E L A A

Sep. 23.2003 9
 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

T E W A S H E A E R S W

E A V E N P V A R T A E

L E A S E M S Y N S N E

A R R Y M E M I H P M E

(a) 1st transposed cipher. (b) The ou

Sep. 23.2003 10