Ca529 Cns-Module 3
CRYPTOGRAPHY
Information Theory
• Information theory defines the amount of information in a message as the
minimum number of bits needed to encode all possible meanings of that message.
• The amount of information in a message M is measured by the entropy of a
message, denoted by H(M).
• The entropy of a message measured in bits is log_2 n, in which n is the number of
possible meanings.
• The entropy of a message also measures its uncertainty, which is the number of
plaintext bits needed to be recovered when the message is scrambled in ciphertext
in order to learn the plaintext.
• For a given language, the rate of the language is r = H(M)/N, in which N is the
length of the message.
• The absolute rate of a language is the maximum number of bits that can be coded
in each character, assuming each character sequence is equally likely. If there are L
characters in a language, the absolute rate is: R = log_2 L.
• The redundancy of a language, denoted D, is defined by: D = R - r
• The entropy of a cryptosystem is a measure of the size of the keyspace, K. It is
approximated by the base two logarithm of the number of keys: H(K) = log_2 K
• For a message of length n, the number of different keys that will decipher a
ciphertext message to some intelligible plaintext in the same language as the
original plaintext is given by the following formula: 2^(H(K) - nD) - 1.
• Confusion
• Obscures the relationship between the plaintext and the ciphertext.
• This frustrates attempts to study the ciphertext looking for redundancies and statistical
patterns.
• The easiest way to do this is through substitution.
• Diffusion
• Dissipates the redundancy of the plaintext by spreading it out over the ciphertext.
• A cryptanalyst looking for those redundancies will have a harder time finding them.
• The simplest way to cause diffusion is through transposition (also called permutation).
Complexity Theory
• Complexity theory analyzes the computational complexity of different cryptographic
techniques and algorithms. It compares cryptographic algorithms and techniques and
determines their security.
• Information theory tells us that all cryptographic algorithms can be broken
whereas Complexity theory tells us whether they can be broken in a feasible time
frame.
• Complexity of Algorithm
• An algorithm’s complexity is determined by the computational power needed to execute it.
• Complexity is expressed with two variables: T (for time complexity) and S (for space
complexity, or memory requirement).
• Using Big O notation makes the measure of time complexity system-independent.
• Constant: if its complexity is independent of n, O(1).
• Linear: if its time complexity is O(n).
• Polynomial: time complexity is O(n^m), where m is a constant.
• Exponential: Algorithms whose complexities are O(t^f(n)), where t is a constant greater than 1
and f(n) is some polynomial function of n.
• Superpolynomial: Algorithms whose complexities are O(c^f(n)), where c is a constant and f(n) is
more than constant but less than linear.
• Complexity of Problems
• The theory looks at the minimum time and space required to solve the hardest
instance of a problem on a theoretical computer known as a Turing machine.
• A Turing machine is a finite-state machine with an infinite read-write memory tape.
• Broad classification of problems:
• Tractable: problems that can be solved in polynomial time
• Intractable: problems that cannot be solved in polynomial time (hard)
• Undecidable: problems for which it is impossible to devise any algorithm to solve them.
• Types of problems based on their complexity:
• class P: consists of all problems that can be solved in polynomial time.
• class NP: consists of all problems that can be solved in polynomial time only on a
nondeterministic Turing machine: a variant of a normal Turing machine that can
make guesses.
• Many symmetric algorithms and all public-key algorithms can be cracked in
nondeterministic polynomial time.
Number Theory
Modular Arithmetic
• Division has two outputs, but in modular arithmetic only one output, the remainder r, is used.
• The output r is termed the residue.
• The result of a modulo operation with modulus n is an integer between 0 and n-1;
these values form the set of least residues modulo n (Z_n).
Z_3 = {0, 1, 2}
Congruence
• Two numbers a and b are said to be congruent modulo n if their
difference a − b is an integer multiple of n.
a ≡ b (mod n)
• The equality operator is one-to-one and the congruence operator is many-to-one.
• A residue class [a] or [a]_n is the set of integers congruent modulo n, i.e. it is the
set of all integers x such that x ≡ a (mod n).
• Example for n = 3
Residue classes: [0], [1], [2]
[0] = {..., -12, -9, -6, -3, 0, 3, 6, 9, 12, ...}
[1] = {..., -11, -8, -5, -2, 1, 4, 7, 10, 13, ...}
[2] = {..., -10, -7, -4, -1, 2, 5, 8, 11, 14, ...}
Z_3 = {0, 1, 2}
7 mod 8 = 7; -7 mod 8 = 1;
11 mod 7 = 4; -11 mod 7 = 3;
(a mod n) = (b mod n) ⇒ a ≡ b (mod n)
-11 ≡ 5 (mod 8) ⇒ -11 mod 8 = 5 mod 8
Operations in Z_n
(a + b) mod n = c
(a − b) mod n = c
(a × b) mod n = c
• Add 7 to 14 in Z_15
(14 + 7) mod 15 → 21 mod 15 = 6
• Multiply 11 by 7 in Z_20
(7 × 11) mod 20 → 77 mod 20 = 17
• Division Algorithm:
• a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
• All divisors
• The integer 1 has only 1 divisor
• Any positive integer has at least two divisors.
• Greatest Common Divisor
• Gcd of two positive integers is the largest integer that can divide both integers.
• Euclidean Algorithm
• Example: find the gcd(25, 60).
                 q   r1   r2    r
Initialization       25   60
1st iteration    0   60   25   25
2nd iteration    2   25   10   10
3rd iteration    2   10    5    5
4th iteration    2    5    0    0
• Extended Euclidean Algorithm
• Example: find the gcd(161, 28).
                 q    r1   r2    r   s1   s2    s   t1   t2    t
Initialization       161   28         1    0         0    1
1st iteration    5    28   21   21    0    1    1    1   -5   -5
2nd iteration    1    21    7    7    1   -1   -1   -5    6    6
3rd iteration    3     7    0    0   -1    4    4    6  -23  -23
gcd(161, 28) ← 7
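The two worked tables above as running code, added here as an illustration (it is not part of the original slides). extended_gcd records each iteration in the same column order as the table rows (q, r1, r2, r, s1, s2, s, t1, t2, t); mod_inverse, a helper name chosen for this example, goes one step beyond the tables and uses the s coefficient to find a multiplicative inverse in Z_n.

```python
def extended_gcd(a, b, trace=None):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b == g.

    If `trace` is a list, one tuple per iteration is appended to it:
    (q, r1, r2, r, s1, s2, s, t1, t2, t), where r1, r2, s1, s2, t1, t2
    are the values after that iteration's update.
    """
    r1, r2 = a, b
    s1, s2 = 1, 0
    t1, t2 = 0, 1
    while r2 > 0:
        q = r1 // r2
        r = r1 - q * r2
        s = s1 - q * s2
        t = t1 - q * t2
        r1, r2 = r2, r
        s1, s2 = s2, s
        t1, t2 = t2, t
        if trace is not None:
            trace.append((q, r1, r2, r, s1, s2, s, t1, t2, t))
    return r1, s1, t1


def mod_inverse(a, n):
    """Multiplicative inverse of a in Z_n, or None when gcd(a, n) != 1."""
    g, s, _ = extended_gcd(a % n, n)
    return s % n if g == 1 else None


if __name__ == "__main__":
    rows = []
    g, s, t = extended_gcd(161, 28, rows)
    for row in rows:
        print(*row)
    print("gcd =", g, " check:", s * 161 + t * 28)
    # 6 has no inverse modulo 15 because gcd(6, 15) = 3
    print(mod_inverse(8, 17), mod_inverse(8, 77), mod_inverse(6, 15))
```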
Euler’s Phi - Function
• Also called Euler’s totient function ɸ(n).
• It finds the number of integers that are both smaller than n and relatively prime
to n.
• Rules
1. ɸ(1) = 0
2. ɸ(p) = p – 1 if p is prime.
3. ɸ(m × n) = ɸ(m) × ɸ(n) if m and n are relatively prime.
4. ɸ(p^e) = p^e – p^(e-1) if p is prime
• Example: if n can be factored as n = p_1^(e_1) × p_2^(e_2) × ⋯ × p_k^(e_k), then using rules 3 and
4:
ɸ(n) = (p_1^(e_1) − p_1^(e_1 − 1)) × (p_2^(e_2) − p_2^(e_2 − 1)) × ⋯ × (p_k^(e_k) − p_k^(e_k − 1))
Q) ϕ(13) = (13 – 1) = 12
Q) φ(240) ? n = 240 = 2^4 × 3^1 × 5^1
φ(240) = (2^4 – 2^3) × (3^1 – 3^0) × (5^1 – 5^0) = 64
Fermat’s Little Theorem
• First Version: The first version says that if p is prime and a is an integer such that
p does not divide a, then a^(p-1) ≡ 1 mod p.
Q) Find the result of 6^10 mod 11.
• a^(p-1) mod p = 1 ⇒ 6^(11-1) mod 11 = 6^10 mod 11 = 1.
• Second Version: The second version removes the condition on a. It says that if p
is prime and a is an integer, then a^p ≡ a mod p.
• Q) Find the result of 3^12 mod 11.
• Here the exponent 12 and modulus 11 are not the same.
• 3^12 mod 11 = (3^11 × 3) mod 11 = (3^11 mod 11)(3 mod 11) = (3 × 3) mod 11 = 9
Q) Find the result of 8^(-1) mod 17.
• 8^(-1) mod 17 = 8^(17-2) mod 17 = 8^15 mod 17 = (8^7 × 8^8) mod 17 = (15 × 1) mod 17 = 15
Euler’s Theorem
• First Version: The first version says that if a and n are coprime,
then a^ɸ(n) ≡ 1 mod n.
Q) Find the result of 6^24 mod 35.
• Since 35 is not prime, we use Euler’s theorem.
• 6^24 mod 35 = 6^ɸ(35) mod 35 = 1
Q) Find the result of 8^(-1) mod 77.
• Since 77 is not prime, we use Euler’s theorem.
• 8^(-1) mod 77 = 8^(ɸ(77)-1) mod 77 = 8^59 mod 77 = 29
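The totient rules and the Fermat/Euler exercises above, worked in code as an added example (not part of the original slides). The names phi, mod_exp and euler_inverse are chosen for this illustration; phi(1) returns 0 to follow rule 1 as the slides state it, and euler_inverse returns None when a and n are not coprime, since Euler's theorem does not apply there.

```python
from math import gcd


def phi(n):
    """Euler's totient, computed from the prime factorization of n."""
    if n == 1:
        return 0                      # rule 1 as stated on this page
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:         # strip the full power p^e out of n
                n //= p
                e += 1
            result *= p**e - p**(e - 1)   # rule 4, combined via rule 3
        p += 1
    if n > 1:
        result *= n - 1               # rule 2: one prime factor is left over
    return result


def mod_exp(a, k, n):
    """Square-and-multiply: a^k mod n without ever forming a^k itself."""
    result, base = 1 % n, a % n
    while k > 0:
        if k & 1:
            result = result * base % n
        base = base * base % n
        k >>= 1
    return result


def euler_inverse(a, n):
    """a^(-1) mod n as a^(phi(n) - 1) mod n; None if gcd(a, n) != 1."""
    if gcd(a, n) != 1:
        return None
    return mod_exp(a, phi(n) - 1, n)


if __name__ == "__main__":
    print(phi(13), phi(240))                       # totient exercises
    print(mod_exp(6, 10, 11), mod_exp(3, 12, 11))  # Fermat exercises
    print(mod_exp(6, 24, 35))                      # Euler, first version
    print(euler_inverse(8, 17), euler_inverse(8, 77), euler_inverse(6, 15))
```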
Block Cipher Structure
• Stream Cipher:
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
• Examples: the Vigenère cipher and the Vernam cipher.
• Block Cipher:
• A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a ciphertext block of equal length.
• Typically, a block size of 64 or 128 bits is used.
• Most network-based symmetric cryptographic applications make use of block
ciphers.
• A block cipher operates on a plaintext block of n bits to produce a ciphertext
block of n bits.
• The transformation from plain text to cipher text must be reversible.
• Example, for n=2
Components of a Block Cipher Structure
• D Boxes (Diffusion Boxes)
• Straight
• Compression
• Expansion
• S Boxes (Substitution)
• Linear
Feistel Cipher
• Develop a block cipher with a key length of k bits and a block length of n bits,
allowing a total of 2^k possible transformations.
• Diffusion:
• In diffusion, the statistical structure of the plaintext is dissipated into long-range
statistics of the ciphertext.
• This is achieved by having each plaintext digit affect the value of many ciphertext
digits; generally, this is equivalent to having each ciphertext digit be affected by many
plaintext digits.
• The letter frequencies in the ciphertext will be more nearly equal than in the
plaintext.
• Diffusion can be achieved by repeatedly performing some permutation on the data
followed by applying a function to that permutation; the effect is that bits from
different positions in the original plaintext contribute to a single bit of ciphertext.
• Confusion:
• Confusion seeks to make the relationship between the statistics of the ciphertext and
the value of the encryption key as complex as possible.
• Thus, even if the attacker can get some handle on the statistics of the ciphertext, the
way in which the key was used to produce that ciphertext is so complex as to make it
difficult to deduce the key.
• This is achieved by the use of a complex substitution algorithm.
[Figure: Feistel cipher encryption and decryption]
• Block size:
• Larger block sizes mean greater security but reduced encryption/decryption speed for a
given algorithm.
• The greater security is achieved by greater diffusion.
• Traditionally, a block size of 64 bits has been considered a reasonable tradeoff and was
nearly universal in block cipher design.
• Key size:
• Larger key size means greater security but may decrease encryption/decryption speed.
The greater security is achieved by greater resistance to brute-force attacks and greater
confusion.
• A key size of 128 bits has become common.
• Number of rounds:
• The essence of the Feistel cipher is that a single round offers inadequate security but
that multiple rounds offer increasing security.
• A typical size is 16 rounds.
• Subkey generation algorithm:
• Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
• Round function F:
• Again, greater complexity generally means greater resistance to cryptanalysis.
Data Encryption Standard (DES)
• Is a block cipher
• 64 bits plain text
• 64 bits cipher text
• 56 bit key size
• DES Structure
• Initial and Final Permutations
• P Boxes:
• Keyless
• Straight D - boxes
33
Data Encryption Standard (DES)
• Rounds
• 16 rounds
• Each round is a Feistel cipher
• Feistel cipher combines all non-invertible elements.
• Then how to use it for decryption?
• The function f(K) accepts the key as input.
• The output is exclusive-ORed with the plaintext.
• Together they are called the mixer.
E: C1 = P1 ⊕ f(K)
D: P2 = C2 ⊕ f(K)
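A toy Feistel network answering the question above, added here as an illustration (it is not from the slides and is not DES). The round function round_f is deliberately non-invertible, yet decryption works by running the same structure with the subkeys in reverse order; the truncated SHA-256 round function, the hash-based key schedule and all names are assumptions of this example.

```python
import hashlib


def round_f(half, subkey):
    """Non-invertible round function: 32 bits of SHA-256(subkey || half)."""
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def subkeys(key, rounds=16):
    """Illustrative key schedule (not DES's): hash of key || round index."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def feistel(block, keys):
    """Pass a 64-bit block through one Feistel round per subkey in `keys`."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in keys:
        # mixer: XOR one half with f(other half, key); swapper: exchange halves
        left, right = right, left ^ round_f(right, k)
    return (right << 32) | left        # undo the final swap


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    # Same network, subkeys reversed: each XOR with f(...) cancels itself.
    return feistel(block, subkeys(key)[::-1])


def bit_diff(a, b):
    """Number of bit positions in which two blocks differ."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    p = 0x0123456789ABCDEF                 # constructed sample block
    c = encrypt(p, key)
    print(hex(c), decrypt(c, key) == p)
    # One round only: the right half of the plaintext shows up unchanged.
    print(hex(feistel(p, subkeys(key)[:1])))
    # Avalanche: flip one plaintext bit and count changed ciphertext bits.
    print(bit_diff(c, encrypt(p ^ 1, key)))
```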
• DES Function
• Expansion D – box:
• XOR
• Divide the input into 8 blocks of 6 bits each
• S – box:
• mixing (confusion)
• 8 S – boxes, each with 6-bit input and 4-bit output.
1. Expansion P box
2. XOR
3. S box 1
4. Straight P box
5. Final Permutation
• Key Generation
• Parity drop: Parity bits are (8, 16, 24, …64)
• Divide into L, R and Shift according to
the Shifting table.
• Compression D box
• DES Example
DES Analysis
• Properties
• Avalanche Effect: A small change in the plaintext or the key should produce a
significant change in the ciphertext. A change in just 1 bit should change the
ciphertext by many bit locations.
• Completeness Effect: Each bit in the ciphertext needs to depend on many bits in the
plaintext. The diffusion and confusion (D boxes and S boxes) show a strong
completeness effect.
• Design Criteria
• S – Boxes: Linear vs. Non linear
• D – Boxes
• Number of rounds
• DES Strength
• Variation of DES
• DES algorithm
• Timing Attacks
• DES weaknesses
• Weakness in Cipher Design
• S – boxes:
• In S – box 4, the last three output bits can be derived in the same way as
the first input bit by complementing some of the input bits.
• Two specifically chosen inputs can create the same output.
• It is possible to obtain the same output in a single round by changing bits
in only three neighboring S boxes.
• D – boxes
• The initial and final permutations used provide no additional security
benefit.
• In the expansion permutation, the first and fourth bits of every 4-bit
series are repeated.
• Weakness in the Cipher Key
• Key Size
• Brute Force attack possible
• Weak Keys
• A key that consists of all 0s, all 1s, or half 0s and half 1s after parity drop.
(Each subkey generated will be the same)
• 4 such keys exist
• Semi-weak key
• Creates only two different round keys and each of them is repeated eight
times
• 6 key pairs are semi-weak
• Possible weak keys
• Creates only four distinct round keys
• 48 keys are possible weak keys
Lucifer
• Similar to DES but Lucifer’s S-boxes have 4-bit inputs and 4-bit outputs; the
input of the S-boxes is the bit-permuted output of the S-boxes of the previous
round; the input of the S-boxes of the first round is the plaintext.
• Unlike DES, there is no swapping between rounds and no block halves are
used.
• Lucifer has 16 rounds, 128-bit blocks, and a key schedule simpler than DES.
Madryga
• It has no permutations and consists of two nested cycles.
• The outer cycle repeats eight times and consists of an application of the inner
cycle to the plaintext.
• The inner cycle transforms plaintext to ciphertext and repeats once for each 8-bit
block (byte) of the plaintext. Thus, the algorithm passes through the entire
plaintext eight successive times.
• An iteration of the inner cycle operates on a 3-byte window of data, called the
working frame which advances 1 byte for each iteration.
• The first 2 bytes of the working frame are together rotated a variable number
of positions, while the last byte is XORed with some key bits.
• As the working frame advances, all bytes are successively rotated and XORed
with key material. Successive rotations overlap the results of a previous XOR
and rotation, and data from the XOR is used to influence the rotation. This
makes the entire process reversible.
NewDES
• It operates on 64-bit blocks of plaintext, but it has a 120-bit key.
• NewDES is simpler than DES, with no initial or final permutations. All
operations are on entire bytes.
• The plaintext block is divided into eight 1-byte sub-blocks: B0, B1,..., B6, B7.
• Then the sub-blocks go through 17 rounds. Each round has eight steps.
• In each step, one of the sub-blocks is XORed with some key material,
substituted with another byte via an f function, and then XORed with another
sub-block to become that sub-block.
• The 120-bit key is divided into 15 key sub-blocks: K0, K1,..., K13, K14.
Combining Block Ciphers
• Combining different block ciphers is needed to increase security without going
through the trouble of designing a new algorithm.
Double and Triple Encryption
• In double encryption, a block is encrypted twice with two different keys.
• First encrypt a block with the first key, then encrypt the resulting ciphertext
with the second key.
C = E_K2(E_K1(P))
P = D_K1(D_K2(C))
• Triple encryption operates on a block three times with two keys: with the first
key, then with the second key, and finally with the first key again.
• The sender first encrypts with the first key, then decrypts with the second key,
and finally encrypts with the first key.
• The receiver decrypts with the first key, then encrypts with the second key, and
finally decrypts with the first key.
C = E_K1(D_K2(E_K1(P)))
P = D_K1(E_K2(D_K1(C)))
• This is sometimes called encrypt-decrypt-encrypt (EDE) mode.
CDMF Key Shortening
• Commercial Data Masking Facility (CDMF) shrinks a 56-bit DES key to a 40-bit
key making it suitable for export.
• It assumes that the original DES key includes the parity bits.
• Steps:
1. Zero the parity bits: bits 8, 16, 24, 32, 40, 48, 56, 64.
2. Encrypt the output of step (1) with DES and the key (K1), and XOR the
result with the output of step (1).
3. Take the output of step (2) and zero the following bits: 1, 2, 3, 4, 8, 16, 17,
18, 19, 20, 24, 32, 33, 34, 35, 36, 40, 48, 49, 50, 51, 52, 56, 64.
4. Encrypt the output of step (3) with DES and the key (K2). This key is then
used for message encryption.
Whitening
• Whitening is the name given to the technique of XORing some key material
with the input to a block algorithm, and XORing some other key material with
the output.
• The idea is to prevent a cryptanalyst from obtaining a plaintext/ciphertext pair
for the underlying algorithm.
• The technique forces a cryptanalyst to guess not only the algorithm key, but
also one of the whitening values.
• Since there is an XOR both before and after the block algorithm, this technique
is not susceptible to a meet-in-the-middle attack.
C = K3 ⊕ E_K2(P ⊕ K1)
P = K1 ⊕ D_K2(C ⊕ K3)