CRYPTOGRAPHY ANND IT

SECURITY
 MODULE - I

INTRODUCTION
Computer data often travels from one computer to another, leaving the safety of its protected
physical surroundings. Once the data is out of hand, people with bad intention could modify or forge
your data, either for amusement or for their own benefit.
Cryptography can reformat and transform our data, making it safer on its trip between
computers. The technology is based on the essentials of secret codes, augmented by modern
mathematics that protects our data in powerful ways.

• Computer Security - generic name for the collection of tools designed to protect data and to thwart
hackers
• Network Security - measures to protect data during their transmission

• Internet Security - measures to protect data during their transmission over a collection of
interconnected networks

Security Attacks, Services and Mechanisms

To assess the security needs of an organization effectively, the manager responsible for
security needs some systematic way of defining the requirements for security and characterization
of approaches to satisfy those requirements. One approach is to consider three aspects of information
security:
Security attack – Any action that compromises the security of information owned by an
organization.
Security mechanism – A mechanism that is designed to detect, prevent or recover from a
security attack.
Security service – A service that enhances the security of the data processing systems and the
information transfers of an organization. The services are intended to counter security attacks and
they make use of one or more security mechanisms to provide the service.
Basic Concepts
Cryptography The art or science encompassing the principles and methods of transforming an
intelligible message into one that is unintelligible, and then retransforming that message back to its
original form

Plaintext The original intelligible message

Cipher text The transformed message

Cipher An algorithm for transforming an intelligible message into one that is unintelligible by
transposition and/or substitution methods

Key Some critical information used by the cipher, known only to the sender& receiver

Encipher (encode) The process of converting plaintext to cipher text using a cipher and a key

Decipher (decode) the process of converting cipher text back into plaintext using a cipher and a key

Cryptanalysis The study of principles and methods of transforming an unintelligible message back
into an intelligible message without knowledge of the key. Also called code breaking

Cryptology Both cryptography and cryptanalysis

Code An algorithm for transforming an intelligible message into an unintelligible one using a code-
book

Cryptography
Cryptographic systems are generally classified along 3 independent dimensions:
Type of operations used for transforming plain text to cipher text
All the encryption algorithms are based on two general principles: substitution, in which each
element in the plaintext is mapped into another element, and transposition, in which
elements in the plaintext are rearranged.
The number of keys used
If the sender and receiver uses same key then it is said to be symmetric key (or) single
key (or) conventional encryption.
If the sender and receiver use different keys then it is said to be public key encryption. The
way in which the plain text is processed
A block cipher processes the input and block of elements at a time, producing output block for each
input block.
A stream cipher processes the input elements continuously, producing output element one at a
time, as it goes along.

Cryptanalysis
The process of attempting to discover X or K or both is known as cryptanalysis. The strategy
used by the cryptanalysis depends on the nature of the encryption scheme and the information
available to the cryptanalyst.
There are various types of cryptanalytic attacks based on the amount of information
known to the cryptanalyst.
 Cipher text only – A copy of cipher text alone is known to the cryptanalyst.
Known plaintext – The cryptanalyst has a copy of the cipher text and the corresponding
plaintext.
Chosen plaintext – The cryptanalysts gains temporary access to the encryption machine. They
cannot open it to find the key, however; they can encrypt a large number of suitably chosen
plaintexts and try to use the resulting cipher texts to deduce the key.

Chosen cipher text – The cryptanalyst obtains temporary access to the decryption machine,
uses it to decrypt several string of symbols, and tries to use the results to deduce the key.

STEGANOGRAPHY
A plaintext message may be hidden in any one of the two ways. The methods of
steganography conceal the existence of the message, whereas the methods of cryptography
render the message unintelligible to outsiders by various transformations of the text.
A simple form of steganography, but one that is time consuming to construct is one in which
an arrangement of words or letters within an apparently innocuous text spells out the real message.
e.g., (i) the sequence of first letters of each word of the overall message spells out the real (Hidden)
message.
(ii) Subset of the words of the overall message is used to convey the hidden message.
Various other techniques have been used historically, some of them are
Character marking – selected letters of printed or typewritten text are overwritten in pencil. The
marks are ordinarily not visible unless the paper is held to an angle to bright light.
Invisible ink – a number of substances can be used for writing but leave no visible trace until heat
or some chemical is applied to the paper.
Pin punctures – small pin punctures on selected letters are ordinarily not visible unless the paper is
held in front of the light. Typewritten correction ribbon – used between the lines typed with a black
ribbon, the results of typing with the correction tape are visible only under a strong light.
Drawbacks of steganography
Requires a lot of overhead to hide a relatively few bits of information.
Once the system is discovered, it becomes virtually worthless.

SECURITY SERVICES
The classification of security services are as follows:
Confidentiality: Ensures that the information in a computer system a n d transmitted information
are accessible only for reading by authorized parties. E.g. Printing, displaying and other forms of
disclosure.
Authentication: Ensures that the origin of a message or electronic document is correctly identified,
with an assurance that the identity is not false.
Integrity: Ensures that only authorized parties are able to modify computer system assets and
transmitted information. Modification includes writing, changing status, deleting, creating
and delaying or replaying of transmitted messages.
Non repudiation: Requires that neither the sender nor the receiver of a message be able to deny the
transmission.
Access control: Requires that access to information resources may be controlled by or the target
system.
Availability: Requires that computer system assets be available to authorized parties when needed.

SECURITY MECHANISMS
One of the most specific security mechanisms in use is cryptographic techniques. Encryption
or encryption-like transformations of information are the most common means of providing
security. Some of the mechanisms are
1 Encipherment
2 Digital Signature

3 Access Control

SECURITY ATTACKS
There are four general categories of attack which are listed below.

Interruption
An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on

availability e.g., destruction of piece of hardware, cutting of a communication line or Disabling

of file management system.

Interception

An unauthorized party gains access to an asset. This is an attack on confidentiality.

Unauthorized party could be a person, a program or a
computer.e.g., wire tapping to capture data in the network, illicit copying of files
 Sender Receiver

Eavesdropper or forger

Modification
An unauthorized party not only gains access to but tampers with an asset. This is an attack on

integrity. e.g., changing values in data file, altering a program, modifying the contents of messages

being transmitted in a network.

Sender Receiver

Eavesdropper or forger

Fabrication
An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity.
e.g., insertion of spurious message in a network or addition of records to a file.

Sender Receiver

Eavesdropper or forger

Cryptographic Attacks

Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of
the opponent is to obtain information that is being transmitted. Passive attacks are of two types:
Release of message contents: A telephone conversation, an e-mail message and a transferred file
may contain sensitive or confidential information. We would like to prevent the opponent from
learning the contents of these transmissions.
Traffic analysis: If we had encryption protection in place, an opponent might still be able to observe
the pattern of the message. The opponent could determine the location and identity of
communication hosts and could observe the frequency and length of messages being exchanged.
This information might be useful in guessing the nature of communication that was taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of data.
However, it is feasible to prevent the success of these attacks.
Active attacks

These attacks involve some modification of the data stream or the creation of a false stream. These
attacks can be classified in to four categories:

Masquerade – One entity pretends to be a different entity.

Replay – involves passive capture of a data unit and its subsequent transmission to produce an
unauthorized effect.
Modification of messages – Some portion of message is altered or the messages are delayed or
recorded, to produce an unauthorized effect.
Denial of service – Prevents or inhibits the normal use or management of communication
facilities. Another form of service denial is the disruption of an entire network, either by disabling
the network or overloading it with messages so as to degrade performance.
It is quite difficult to prevent active attacks absolutely, because to do so would require physical
protection of all communication facilities and paths at all times. Instead, the goal is to detect them
and to recover from any disruption or delays caused by them.

Symmetric and public key algorithms

Encryption/Decryption methods fall into two categories.
Symmetric key
Public key
In symmetric key algorithms, the encryption and decryption keys are known both to sender and
receiver. The encryption key is shared and the decryption key is easily calculated from it. In many
cases, the encryption and decryption keys are the same.
In public key cryptography, encryption key is made public, but it is
computationally infeasible to find the decryption key without the information known to the
receiver.
 A MODEL FOR NETWORK SECURITY

A message is to be transferred from one party to another across some sort of internet. The two
parties, who are the principals in this transaction, must cooperate for the exchange to take place. A
logical information channel is established by defining a route through the internet from source to
destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two
principals.
Using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret information for a
security service

MODEL FOR NETWORK ACCESS SECURITY

Using this model requires us to:

– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorized users access designated information
or resources
• Trusted computer systems can be used to implement this model

CONVENTIONAL ENCRYPTION
• Referred conventional / private-key / single-key
• Sender and recipient share a common key

All classical encryption algorithms are private-key was only type prior to invention of publickey in
1970‟plaintext - the original message Some basic terminologies used:
• cipher text - the coded message
• Cipher - algorithm for transforming plaintext to cipher text
• Key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to cipher text
• decipher (decrypt) - recovering cipher text from plaintext
• Cryptography - study of encryption principles/methods

• Cryptanalysis (code breaking) - the study of principles/ methods of deciphering cipher text
without knowing key
• Cryptology - the field of both cryptography and cryptanalysis

Here the original message, referred to as plaintext, is converted into apparently random
nonsense, referred to as cipher text. The encryption process consists of an algorithm and a key. The
key is a value independent of the plaintext. Changing the key changes the output of the algorithm.
Once the cipher text is produced, it may be transmitted. Upon reception, the cipher text can be
transformed back to the original plaintext by using a decryption algorithm and the same key that
was used for encryption. The security depends on several factors. First, the encryption algorithm
must be powerful enough that it is impractical to decrypt a message on the basis of cipher text alone.
Beyond that, the security depends on the secrecy of the key, not the secrecy of the algorithm.
• Two requirements for secure use of symmetric encryption:
– A strong encryption algorithm
– A secret key known only to sender / receiver
Y = EK(X)
X = DK(Y)

• assume encryption algorithm is known • implies a secure channel to distribute key

A source produces a message in plaintext, X = [X1, X2… XM] where M are the number of letters
in the message. A key of the form K = [K1, K2… KJ] is generated. If the key is generated at the
source, then it must be provided to the destination by means of some secure channel.

With the message X and the encryption key K as input, the encryption algorithm forms the
cipher text Y = [Y1, Y2, YN]. This can be expressed as
Y = EK(X)
The intended receiver, in possession of the k e y , is able to invert the
transformation:
X = DK(Y)
An opponent, observing Y but not having access to K or X, may attempt to recover X or K
or both. It is assumed that the opponent knows the encryption and decryption algorithms.
If the opponent is interested in only this particular message, then the focus of effort is to recover X
by generating a plaintext estimate. Often if the opponent is interested in being able to read future
messages as well, in which case an attempt is made to recover K by generating an estimate.

CLASSICAL ENCRYPTION TECHNIQUES

There are two basic building blocks of all encryption techniques: substitution and
transposition.

SUBSTITUTION TECHNIQUES
A substitution technique is one in which the letters of plaintext are replaced by other letters or by
numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with cipher text bit patterns.
Caesar cipher (or) shift cipher

The earliest known use of a substitution cipher and the simplest was by Julius Caesar. The
Caesar cipher involves replacing each letter of the alphabet with the letter standing 3 places further
down the alphabet.
e.g., plain text : pay more money
Cipher text: SDB PRUH PRQHB
Note that the alphabet is wrapped around, so that letter following „z‟ is „a‟.
For each plaintext letter p, substitute the cipher text letter c such that
C = E(p) = (p+3) mod 26
A shift may be any amount, so that general Caesar algorithm is
C = E (p) = (p+k) mod 26
Where k takes on a value in the range 1 to 25. The decryption algorithm is simply

P = D(C) = (C-k) mod 26

Playfair cipher

The best known multiple letter encryption cipher is the playfair, which treats digrams in the
plaintext as single units and translates these units into cipher text digrams. The playfair algorithm
is based on the use of 5x5 matrix of letters constructed using a keyword. Let the keyword be
„monarchy‟. The matrix is constructed by filling in the letters of the keyword (minus duplicates)
from left to right and from top to bottom, and then filling in the remainder of the matrix with the
remaining letters in alphabetical order.
The letter „i‟ and „j‟ count as one letter. Plaintext is encrypted two letters at a time According to
the following rules:
Repeating plaintext letters that would fall in the same pair are separated with a Filler letter
such as „x‟.
Plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right,
with the first element of the row following the last.
Plaintext letters that fall in the same column are replaced by the letter beneath, with the top element
of the column following the last.
Otherwise, each plaintext letter is replaced by the letter that lies in its own row And the
column occupied by the other plaintext letter.

M O N A R
 C H Y B D

E F G I/J K

L P Q S T

U V W X Z

Plaintext = meet me at the school house

Splitting two letters as a unit => me et me at th es ch o x ol ho us ex
Corresponding cipher text => CL KL CL RS PD IL HY AV MP HF XL IU

Strength of playfair cipher

Playfair cipher is a great advance over simple mono alphabetic ciphers.
Since there are 26 letters, 26x26 = 676 diagrams are possible, so identification of individual diagram
is more difficult.

1.15.1.3 Polyalphabetic ciphers

Another way to improve on the simple monoalphabetic technique is to use different
monoalphabetic substitutions as one proceeds through the plaintext message. The general name for
this approach is polyalphabetic cipher. All the techniques have the following features in common.
A set of related monoalphabetic substitution rules are used
A key determines which particular rule is chosen for a given transformation.

Vigenere cipher
In this scheme, the set of related monoalphabetic substitution rules consisting of
26 caesar ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter. e.g., Caesar
cipher with a shift of 3 is denoted by the key value 'd‟ (since a=0, b=1, c=2 and so on). To aid in
understanding the scheme, a matrix known as vigenere tableau is
Constructed

Each of the 26 ciphers is laid out horizontally, with the key letter for each cipher to its left.
A normal alphabet for the plaintext runs across the top. The process of
PLAIN TEXT
K a b c d e f g h i j k … x y z
E a A B C D E F G H I J K … X Y Z
Y b B C D E F G H I J K L … Y Z A
c C D E F G H I J K L M … Z A B
 L d D E F G H I J K L M N … A B C
E e E F G H I J K L M N O … B C D
T f F G H I J K L M N O P … C D E
T g G H I J K L M N O P Q … D E F
E
: :: :: :: :: :: :: :: :: :: :: :: … :: :: ::
R :
S
x X Y Z A B C D E F G H … W
y Y Z A B C D E F G H I … X
z Z A B C D E F G H I J … Y
Encryption is simple: Given a key letter X and a plaintext letter y, the cipher text is at the intersection
of the row labeled x and the column labeled y; in this case, the ciphertext is V.
To encrypt a message, a key is needed that is as long as the message. Usually, the key is a
repeating keyword.
e.g., key = d e c e p t i v e d e c e p t i v e d e c e p t i v e PT = w e a r e d i s c o v e r e d s a
v e y o u r s e l f CT = ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Decryption is equally simple. The key letter again identifies the row. The position of the
cipher text letter in that row determines the column, and the plaintext letter is at the top of that
column.

Strength of Vigenere cipher o There are multiple cipher text

letters for each plaintext letter. o Letter frequency information
is obscured.

One Time Pad Cipher

It is an unbreakable cryptosystem. It represents the message as a sequence of 0s and 1s.
this can be accomplished by writing all numbers in binary, for example, or by using ASCII. The key
is a random sequence of 0‟s and 1‟s of same length as the message. Once a key is used, it is
discarded and never used again. The system can be expressed as Follows:

th th
Ci = Pi Ki Ci - i binary digit of cipher text Pi - i binary digit of

th
plaintext Ki - i binary digit of key
Exclusive OR operation
Thus the cipher text is generated by performing the bitwise XOR of the plaintext and the key.
Decryption uses the same key. Because of the properties of XOR, decryption simply involves the
same bitwise operation:

Pi = Ci Ki

e.g., plaintext = 0 0 1 0 1 0 0 1
Key =10101100
------------------- ciphertext = 1 0 0 0 0 1 0 1

Advantage:
Encryption method is completely unbreakable for a ciphertext only attack.
Disadvantages
It requires a very long key which is expensive to produce and expensive to transmit.
Once a key is used, it is dangerous to reuse it for a second message; any knowledge on
the first message would give knowledge of the second.

TRANSPOSITION TECHNIQUES
All the techniques examined so far involve the substitution of a cipher text symbol
for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of
permutation on the plaintext letters. This technique is referred to as a transposition cipher.

Rail fence
is simplest of such cipher, in which the plaintext is written down as a sequence of diagonals and
then read off as a sequence of rows.
Plaintext = meet at the school house
To encipher this message with a rail fence of depth 2, we write the message as follows:
m e a t e c o l o se t t h s h o h u e
The encrypted message is
MEATECOLOSETTHSHOHUE
Row Transposition Ciphers-
A more complex scheme is to write the message in a rectangle, row by row, and read the message
off, column by column, but permute the order of the columns. The order of columns then becomes
the key of the algorithm.
e.g., plaintext = meet at the school house

Key = 4 3 1 2 5 6 7
PT = m e e t a t t
heschoolhouse
CT = ESOTCUEEHMHLAHSTOETO
A pure transposition cipher is easily recognized because it has the same letter frequencies as
the original plaintext. The transposition cipher can be made significantly more secure by performing
more than one stage of transposition. The result is more complex permutation that is not easily
reconstructed.

Feistel cipher structure

The input to the encryption algorithm are a plaintext block of length 2w bits and a key K.
the plaintext block is divided into two halves L0 and R0. The two halves of the data pass through
„n‟ rounds of processing and then combine to produce the ciphertext block. Each round „i‟ has
inputs Li-1 and Ri-1, derived from the previous round, as well as the subkey Ki, derived from the
overall key K. in general, the subkeys Ki are different from K and from each other.
All rounds have the same structure. A substitution is performed on the left half of the data (as
similar to S-DES). This is done by applying a round function F to the right half of the data and then
taking the XOR of the output of that function and the left half of the data. The round function has
the same general structure for each round but is parameterized by the round sub key ki.
Following this substitution, a permutation is performed that consists of the interchange of the two
halves of the data. This structure is a particular form of the substitution-permutation network. The
exact realization of a Feistel network depends on the choice of the following parameters and design
features:
Block size - Increasing size improves security, but slows cipher
Key size - Increasing size improves security, makes exhaustive key searching harder, but may slow
cipher
Number of rounds - Increasing number improves security, but slows cipher
Subkey generation - Greater complexity can make analysis harder, but slows cipher
 Round function - Greater complexity can make analysis harder, but slows cipher
Fast software en/decryption & ease of analysis - are more recent concerns for practical use and
testing.
 Fig: Classical Feistel Network

Fig: Feistel encryption and decryption

The process of decryption is essentially the same as the encryption process. The rule is as follows:
use the cipher text as input to the algorithm, but use the subkey ki in reverse order. i.e., kn in the
first round, kn-1 in second round and so on. For clarity, we use the notation LEi and REi for data
traveling through the decryption algorithm. The diagram below indicates that, at each round, the
intermediate value of the decryption process is same (equal) to the corresponding value of the
encryption process with two halves of the value swapped.

i.e., REi || LEi (or) equivalently RD16-i || LD16-i

After the last iteration of the encryption process, the two halves of the output are swapped,
so that the cipher text is RE16 || LE16. The output of that round is the cipher text. Now take the
cipher text and use it as input to the same algorithm. The input to the first round is RE16 || LE16,
which is equal to the 32-bit swap of the output of the sixteenth round of the encryption process.
Now we will see how the output of the first round of the decryption process is equal to a 32-bit swap
of the input to the sixteenth round of the encryption process. First consider the encryption process,
 LE16 = RE15
RE16 = LE15 F (RE15, K16) On the decryption side,
LD1 =RD0 = LE16 =RE15
RD1 = LD0 F (RD0, K16)
= RE16 F (RE15, K16)
= [LE15 F (RE15, K16)] F (RE15, K16)
= LE15
Therefore, LD1 = RE15

th
RD1 = LE15 In general, for the i iteration of the encryption algorithm, LEi = REi-1 REi
= LEi-1 F (REi-1, Ki)
Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit swap recovers
the original plaintext.

MODULE - II
BLOCK CIPHER PRINCIPLES
Virtually, all symmetric block encryption algorithms in current use are based on a structure
referred to as Fiestel block cipher. For that reason, it is important to examine the design principles
of the Fiestel cipher. We begin with a comparison of stream cipher with block cipher.
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. E.g, vigenere
cipher. A block cipher is one in which a block of plaintext is treated as a whole and used to produce
a cipher text block of equal length. Typically a block size of 64 or 128 bits is used.
Block cipher principles
• most symmetric block ciphers are based on a Feistel Cipher Structure needed since must be
able to decrypt ciphertext to recover messages efficiently. block ciphers look like an extremely
large substitution
• would need table of 264 entries for a 64-bit block
• Instead create from smaller building blocks
• using idea of a product cipher in 1949 Claude Shannon introduced idea of substitu-tion-
permutation (S-P) networks called modern substitution-transposition product cipher these form
the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
• substitution (S-box)
• permutation (P-box)
• provide confusion and diffusion of message
 • diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
• confusion – makes relationship between ciphertext and key as complex as possible

DATA ENCRYPTION STANDARD (DES)

In May 1973, and again in Aug 1974 the NBS (now NIST) called for possible encryption algorithms
for use in unclassified government applications response was mostly disappointing, however IBM
submitted their Lucifer design following a period of redesign and comment it became the Data
Encryption Standard (DES)
it was adopted as a (US) federal standard in Nov 76, published by NBS as a hardware only scheme
in Jan 77 and by ANSI for both hardware and software standards in ANSI X3.92-1981 (also X3.106-
1983 modes of use) subsequently it has been widely adopted and is now published in many
standards around the world cf Australian Standard AS2805.5-1985
one of the largest users of the DES is the banking industry, particularly with EFT, and EFTPOS
it is for this use that the DES has primarily been standardized, with ANSI having twice reconfirmed
its recommended use for 5 year periods - a further extension is not expected however although the
standard is public, the design criteria used are classified and have yet to be released there has been
considerable controversy over the design, particularly in the choice of a 56-bit key
• recent analysis has shown despite this that the choice was appropriate, and that DES is well
designed
• rapid advances in computing speed though have rendered the 56 bit key susceptible to
exhaustive key search, as predicted by Diffie & Hellman
• the DES has also been theoretically broken using a method called Differential
Cryptanalysis, however in practice this is unlikely to be a problem (yet)
 Overview of the DES Encryption Algorithm

• the basic process in enciphering a 64-bit data block using the DES consists of:
o an initial permutation (IP)

o 16 rounds of a complex key dependent calculation f o a final

permutation, being the inverse of IP • in more detail the 16

rounds of f consist of:

• this can be described functionally as

L(i) = R(i-1)
R(i) = L(i-1) (+) P(S( E(R(i-1))(+) K(i) )) and
forms one round in an S-P network
• the subkeys used by the 16 rounds are formed by the key schedule which consists of: o
an initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves

o 16 stages consisting of

o selecting 24-bits from each half and permuting them by PC2 for use in function f, o

rotating each half either 1 or 2 places depending on the key rotation schedule

KS

• this can be described functionally as: K(i) = PC2(KS(PC1(K),i))

• the key rotation schedule KS is specified as:
Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
KS 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Total Rot 1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28

• more details on the various DES functions can be found in your textbooks
• following is a walk-through of a DES encryption calculation taken from:
H Katzan, "The Standard Data Encryption Algorithm", Petrocelli Books, New York, 1977 DES

Modes of Use
• DES encrypts 64-bit blocks of data, using a 56-bit key
• we need some way of specifying how to use it in practise, given that we usually have an
arbitrary amount of information to encrypt
• the way we use a block cipher is called its Mode of Use and four have been defined for the
DES by ANSI in the standard: ANSI X3.106-1983 Modes of Use)
• modes are either:

Block Modes
Splits messages in blocks (ECB, CBC)
Electronic Codebook Book (ECB)
- Where the message is broken into independent 64-bit blocks which are encrypted
C_(i) = DES_(K1) (P_(i))

Cipher Block Chaining (CBC)

Again the message is broken into 64-bit blocks, but they are linked together in the encryption
operation with an IV C_(i) = DES_(K1) (P_(i)(+)C_(i-1)) C_(-1)=IV

Stream Modes
On bit stream messages (CFB, OFB)
 Cipher Feedback (CFB)
- Where the message is treated as a stream of bits, added to the output of the DES, with the result
being feedback for the next stage
C_(i) = P_(i)(+) DES_(K1) (C_(i-1)) C_(-1)=IV

Output Feedback (OFB)

- Where the message is treated as a stream of bits, added to the message, but with the feedback being
independent of the message
C_(i) = P_(i)(+) O_(i) O_(i) = DES_(K1)(O_(i-1)) O_(-1)=IV
• each mode has its advantages and disadvantages

Limitations of Various Modes ECB

• repetitions in message can be reflected in ciphertext

o if aligned with message block o particularly with data such graphics o or with messages that change
very little, which become a code-book analysis problem
• weakness is because enciphered message blocks are independent of each other

CBC
• use result of one encryption to modify input of next
o hence each ciphertext block is dependent on all message blocks before it o thus a
change in the message affects the ciphertext block after the change as well as the original block
 to start need an Initial Value (IV) which must be known by both sender and receiver
o however if IV is sent in the clear, an attacker can change bits of the first block, and change IV
to compensate o hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in
ECB mode before rest of message
• also at the end of the message, have to handle a possible last short block o either pad last block
(possible with count of pad size), or use some fiddling to double up last two blocks

o see Davies for examples CFB

• when data is bit or byte oriented, want to operate on it at that level, so use a stream mode
• the block cipher is use in encryption mode at both ends, with input being a feed-back copy
of the ciphertext
• can vary the number of bits feed back, trading off efficiency for ease of use
• again errors propogate for several blocks after the error
•
OFB
also a stream mode, but intended for use where the error feedback is a problem, or where the
encryptions want to be done before the message is available
• is superficially similar to CFB, but the feedback is from the output of the block cipher and
is independent of the message, a variation of a Vernam cipher
• again an IV is needed
• sender and receiver must remain in sync, and some recovery method is needed to ensure this
occurs
• although originally specified with varying m-bit feedback in the standards, subsequent
research has shown that only 64-bit OFB should ever be used (and this is the most efficient
use anyway), see
D Davies, G Parkin, "The Average Cycle Size of the Key Stream in Output Feedback Encipherment"
in Advances in Cryptology - Crypto 82, Plenum Press, 1982, pp97-98

DES Weak Keys

• with many block ciphers there are some keys that should be avoided, because of reduced cipher
complexity
• these keys are such that the same sub-key is generated in more than one round, and they include:

Weak Keys
• he same sub-key is generated for every round
• DES has 4 weak keys Semi-Weak Keys

• only two sub-keys are generated on alternate rounds

• DES has 12 of these (in 6 pairs)
•
Demi-Semi Weak Keys
have four sub-keys generated
• none of these cause a problem since they are a tiny fraction of all available keys
• however they MUST be avoided by any key generation program

DES Design Principles

Although the standard for DES is public, the design criteria used are classified and have yet to be
released. some information is known, and more has been deduced
L P Brown, "A Proposed Design for an Extended DES", in Computer Security in the Age of
Information, W. J. Caelli (ed), North-Holland, pp 9-22, 1989
L P Brown, J R Seberry, "On the Design of Permutation Boxes in DES Type Cryptosystems", in
Advances in Cryptology - Eurocrypt '89, Lecture Notes in Computer Science, vol 434, pp 696705,
J.J. Quisquater, J. Vanderwalle (eds), Springer-Verlag, Berlin, 1990.
L P Brown and J R Seberry, "Key Scheduling in DES Type Cryptosystems," in Advances in
Cryptology - Auscrypt '90, Lecture Notes in Computer Science, vol 453, pp 221-228, J. Seberry, J.
Pieprzyk (eds), Springer-Verlag, Berlin, 1990. will briefly overview the basic results, for more
detailed analyses see the above papers

DES S-Box Design Criteria

Each S-box may be considered as four substitution functions o these

1-1 functions map inputs 2,3,4,5 onto output bits o a particular function

is selected by bits 1,6 o this provides an autoclave feature

DES Design Criteria

• there were 12 criterion used, resulting in about 1000
• possible S-Boxes, of which the implementers chose 8
• these criteria are CLASSIFIED SECRET • however, some of them have become
known
• The following are design criterion:
R1: Each row of an S-box is a permutation of 0 to 15
R2: No S-Box is a linear of affine function of the input
R3: Changing one input bit to an S-box results in changing at least two output bits
•
R4: S(x) and S(x+001100) must differ in at least 2 bits
The following are said to be caused by design criteria
R5: S(x) [[pi]] S(x+11ef 00) for any choice of e and f
R6: The S-boxes were chosen to minimize the difference between the number of 1's and 0's in any
S-box output when any single input is held constant
R7: The S-boxes chosen require significantly more minterms than a random choice would require
Meyer Tables 3-17, 3-18

DES Permutation Tables

• there are 5 Permutations used in DES: o IP and IP^(-1) , P, E, PC1, PC2
• their design criteria are CLASSIFIED SECRET
• it has been noted that IP and IP^(-1) and PC1 serve no cryptological function when DES is
used in ECB or CBC modes, since searches may be done in the space generated after they
have been applied
• E, P, and PC2 combined with the S-Boxes must supply the required dependence of the
output bits on the input bits and key bits (avalanche and completeness effects) Ciphertext
Dependence on Input and Key
• the role of P, E, and PC2 is distribute the outputs of the S-boxes so that each output bit
becomes a function of all the input bits in as few rounds as possible
• Carl Meyer (in Meyer 1978, or Meyer & Matyas 1982) performed this analysis on the current
DES design

Ciphertext dependence on Plaintext

• define G_(i,j) a 64*64 array which shows the dependence of output bits X(j) on input bits
X(i)
• examine G_(0,j) to determine how fast complete dependence is achieved
• to build G_(0,1) use the following
L(i) = R(i-1)
R(i) = L(i-1) (+) f( K(i), R(i-1))
• DES P reaches complete dependence after 5 rounds

• []
•
Ciphertext dependence on Key
• Carl Meyer also performed this analysis
• define F_(i,j) a 64*56 array which shows the dependence of output bits X(j) on key bits U(i)
(after PC1 is used)
• examine F_(0,j) to determine how fast complete dependence is achieved
• DES PC2 reaches complete dependence after 5 rounds Key Scheduling and PC2

• Key Schedule

o is a critical component in the design o must provide different keys for each round otherwise security
may be compromized (see Grossman & Tuckerman 1978) o current scheme can result in weak keys
which give the same, 2 or 4 keys over the 16 rounds

• Key Schedule and PC-2 Design o is performed in two

28-bit independent halves o C-side provides keys to S-boxes 1

to 4 o D-side provides keys to S-boxes 5 to 8

o the rotations are used to present different bits of the key for selection on successive rounds o PC-2
selects key-bits and distributes them over the S-box inputs Possible Techniques for Improving DES
• multiple enciphering with DES
• extending DES to 128-bit data paths and 112-bit keys

• extending the Key Expansion calculation Triple DES

• DES variant
• standardised in ANSI X9.17 & ISO 8732 and in PEM for key management
• proposed for general EFT standard by ANSI X9
• backwards compatible with many DES schemes
• uses 2 or 3 keys
C = DES_(K1) Bbc{(DES^(-1)_(K2)Bbc{(DES_(K1)(P)))
• no known practical attacks
o brute force search impossible o meet-in-the-middle attacks

need 2^(56) PC pairs per key

• popular current alternative IDEA (IPES)

• developed by James Massey & Xuejia Lai at ETH originally in Zurich in 1990, then called
IPES :
• Name changed to IDEA in 1992
• encrypts 64-bit blocks using a 128-bit key
• based on mixing operations from different (incompatible) algebraic groups (XOR, Addition
mod 2^(16) , Multiplication mod 2^(16) +1)
• all operations are on 16-bit sub-blocks, with no permutations used, hence its very efficient
in s/w
• IDEA is patented in Europe & US, however non-commercial use is freely permitted
• used in the public domain PGP secure email system (with agreement from the patent holders)
• currently no attack against IDEA is known (it appears secure against differential
cryptanalysis), and its key is too long for exhaustive search Overview of IDEA
• IDEA encryption works as follows:

o the 64-bit data block is divided by 4 into: X_(1) , X_(2) , X_(3) , X_(4) o in each of
eight the sub-blocks are XORd, added, multiplied with one another and with six 16-
bit sub-blocks of key material, and the second and third sub-blocks are swapped
o finally some more key material is combined with the sub-blocks

• IDEA sub-keys

o theencryption keying material is obtained by splitting the 128-bits of key into eight 16-bit sub-keys,
once these are used the key is rotated by 25-bits and broken up again etc o the decryption keying
material is a little more complex, since inverses of the subblocks need to be calculated
• the keys used may be summarised as follows:
Round Encryption Keys Decryption Keys
1 K1.1 K1.2 K1.3 K1.4 K1.5 K1.6 K9.1-1 -K9.2 -K9.3 K9.4-1 K8.5
K8.6
2 K2.1 K2.2 K2.3 K2.4 K2.5 K2.6 K8.1-1 -K8.3 -K8.2 K8.4-1 K7.5
K7.6
3 K3.1 K3.2 K3.3 K3.4 K3.5 K3.6 K7.1-1 -K7.3 -K7.2 K7.4-1 K6.5
K6.6
 4 K4.1 K4.2 K4.3 K4.4 K4.5 K4.6 K6.1-1 -K6.3 -K6.2 K6.4-1 K5.5
K5.6
5 K5.1 K5.2 K5.3 K5.4 K5.5 K5.6 K5.1-1 -K5.3 -K5.2 K5.4-1 K4.5
K4.6
6 K6.1 K6.2 K6.3 K6.4 K6.5 K6.6 K4.1-1 -K4.3 -K4.2 K4.4-1 K3.5
K3.6
7 K7.1 K7.2 K7.3 K7.4 K7.5 K7.6 K3.1-1 -K3.3 -K3.2 K3.4-1 K2.5
K2.6
8 K8.1 K8.2 K8.3 K8.4 K8.5 K8.6 K2.1-1 -K2.3 -K2.2 K2.4-1 K1.5
K1.6
Output K9.1 K9.2 K9.3 K9.4 K1.1-1 -K1.2 -K1.3 K1.4-1

where: K1.1^(-1 ) is the multiplicative inverse mod 2^(16) +1

-K1.2 is the additive inverse mod 2^(16) and the original operations are: (+)
bit-by-bit XOR + additional mod 2^(16) of 16-bit integers

* Multiplication mod 2^(16) +1 (where 0 means 2^(16) )

IDEA Example Encryption

# Key (128-bits) Plain (64-bit) Cipher (64-bit)
7ca110454a1a6e5701a1d6d039776742 690f5b0d9a26939b 1bddb24214237ec7 idea(X=690f
5b0d 9a26 939b)
r=1, X=690f 5b0d 9a26 939b, SK=7ca1 1045 4a1a 6e57 01a1 d6d0
steps=234a 6b52 e440 840f c70a ef5d 3606 2563 0311 3917 205b e751 5245 bd18 r=2,
X=205b e751 5245 bd18, SK=3977 6742 8a94 34dc ae03 43ad
steps=460a 4e93 dcd9 3995 9ad3 7706 d13d 4843 4b2d 1c6a 0d27 97f4 52f9 25ff r=3,
X=0d27 97f4 52f9 25ff, SK=a072 eece 84f9 4220 b95c 0687
steps=3320 86c2 d7f2 7410 e4d2 f2d2 57cb 4a9d 04e4 5caf 37c4 d316 da6d 28bf r=4,
X=37c4 d316 da6d 28bf, SK=5b40 e5dd 9d09 f284 4115 2869
steps=8920 b8f3 7776 69e3 fe56 d110 7266 4376 10c0 8326 99e0 67b6 3bd5 eac5 r=5,
X=99e0 67b6 3bd5 eac5, SK=0eb6 81cb bb3a 13e5 0882 2a50
steps=9c69 e981 f70f 8efb 6b66 677a b63b 1db5 f5a8 abe3 69c1 02a7 4262 2518 r=6,
X=69c1 02a7 4262 2518, SK=d372 b80d 9776 7427 ca11 0454
steps=d39a bab4 d9d8 75d4 0a42 cf60 ba4a 89aa d175 8bbf 02ef 08ad 310b fe6b r=7,
X=02ef 08ad 310b fe6b, SK=a1a6 e570 1a1d 6d03 4f94 2208
steps=3420 ee1d 4b28 1deb 7f08 f3f6 c124 b51a 04bd c5e1 309d 4f95 2bfc d80a r=8,
X=309d 4f95 2bfc d80a, SK=a943 4dca e034 3ada 072e ece8
steps=3df3 9d5f 0c30 0ada 31c3 9785 44a5 dc2a 7253 b6f8 4fa0 7e63 2ba7
bc22 out, X=4fa0 2ba7 7e63 bc22, SK=1152 869b 95c0 6875 = 1bdd b242 1423
7ec7

Differential Cryptanalysis of Block Ciphers

• Differential Cryptanalysis is a recently (in the public research community) developed
method which provides a powerful means of analysing block ciphers
• it has been used to analyse most of the currently proposed block ciphers with varying degrees
of success
• usually have a break-even point in number of rounds of the cipher used for which differential
cryptanalysis is faster than exhaustive key-space search

• if this number is greater than that specified for the cipher, then it is regarded as broken

Overview of Differential Cryptanalysis

• is a statistical attack against Feistel ciphers
• uses structure in cipher not previously used
• design of S-P networks is such that the output from function f is influenced by both input
and key
R(i)=L(i-1) (+) f(K(i)(+)R(i-1))
• hence cannot trace values back through cipher without knowing the values of the key Biham
& Shamir's key idea is to compare two separate encryptions (using the same key) and look
at the XOR of the S-box inputs and outputs and this is independent of the key being used

Ra(i)=f(K(i)(+)Ra(i-1))
Rb(i)=f(K(i)(+)Rb(i-1))
hence
Y(i)= Ra(i)(+)Rb(i)
= f(K(i)(+)Ra(i-1)(+)K(i)(+)Rb(i-1))
= f(Ra(i-1)(+)Rb(i-1)) = f(X(i))
• further various input XOR - output XOR pairs occur with different probabilities
• hence knowing information on these pairs gives us additional information on the cipher

XOR Profiles and Characteristics

• start by compiling a table of input vs output XOR values, an XOR Profile for each S-box

• a particular input XOR value and output XOR value pair will occur with some probability
• call such a specified pair, a characteristic
• can infer information about key value in one round, if find a pair of encryptions matching a
characteristic, and hence knowing input and output XOR values
• have several variant forms of differential cryptanalysis, will discuss just the general form
used for attacking many rounds (>8) of a cipher
• can describe 1-round characteristic by:
 f(x')->y', Pr(p)
(a',b')->(b',a'(+)f(b')) with prob p
• useful characteristics:
i) f(0')->0', Pr(1) ie
always A.(x,0)->(0,x)
always ii) f(x')->0',
Pr(p_(0) )
B.(0,x)->(x,0) with probability p_(0)
• attack multiple rounds using n-round characteristics
• n-round characteristics combine one round characteristics whose outputs & inputs match
•
probability of n-round characteristic is product of the 1-round characteristic probabilities

2-Round Iterative Characteristic

• some common characteristic.0000c structures are:
* a 2-round characteristic:
A.(x,0)->(0,x) always
B.(0,x)->(x,0) with probability p *
a 3-round characteristic:
A.(x,0)->(0,x) always
B.(0,x)->(x,x) with probability p1
C.(x,x)->(x,0) with probability p2
• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain expected
output XOR matching n-round characteristic being used
• if all intermediate rounds also match required XOR (which is unknown) then have a right pair, if
not then have a wrong pair, relative ratio is S/N for attack
• assume know XOR at intermediate rounds (if right pair) then deduce keys values for the rounds -
right pairs suggest same key bits, wrong pairs give random values
• for large numbers of rounds, probability is so low that more pairs are required than exist with 64-
bit inputs
• optimisations of this attack can be made, trading memory for search time, and number of rounds
used
• in their latest paper, Biham and Shamir show how a 13-round iterated characteristic can be used to
break the full 16-round DES

Linear Cryptanalysis of Block Ciphers

• Linear Cryptanalysis is another recently developed method for analysing block ciphers
• like differential cryptanalysis it is a statistical method
again have a break-even point in number of rounds of the cipher used for which linear
•
cryptanalysis is faster than exhaustive key-space search
• if this number is greater than that specified for the cipher, then it is regarded as broken
• In Linear Cryptanalysis want to find a linear approximation which holds with Prob p!=^(1)
/_(2)
P[i1,i2,...,ia](+)C[j1,j2,...,jb]=K[k1,k2,...,kc] where
ia,jb,kc are bit locations in P,C,K
• can determine one bit of key using maximum likelihood algorithm, using a large number of
trial encryptions
• effectiveness of linear cryptanalysis is given by
|p - 1/2|
• DES can be broken by encrypting 2^(47) known plaintexts
PL[7,18,24](+) PR[12,16](+) CL[15](+) CR[7,18,24,29](+) F16(CR,K16)[15] =
K1[19,23](+)K3[22](+) K4[44](+) K5[22](+)K7[22](+) K8[44](+) K9[22](+) K11[22](+)
K12[44](+) K13[22](+) K15[22]
• this will recover some of the key bits, the rest must be searched for exhaustively
• LOKI with 12 or more rounds cannot be broken using linear cryptanalysis

Stream Ciphers and the Vernam cipher

• Process the message bit by bit (as a stream)
• The most famous of these is the Vernam cipher (also known as the one-time pad)
• invented by Vernam, working for AT&T, in 1917
• simply add bits of message to random key bits
• need as many key bits as message, difficult in practise (ie distribute on a mag-tape or
CDROM)
• is unconditionally secure provided key is truly random

• suggest generating keystream from a smaller (base) key

use some pseudo-random function to do this

•
Modern Private Key Ciphers (part 1)
• now want to concentrate on modern encryption systems • these

usually consider the message as a sequence of bits o (eg as a series of

ASCII characters concatenated)

• have two broad families of methods o stream ciphers and block ciphers

Block Ciphers
• in a block cipher the message is broken into blocks, each of which is then
encrypted (ie like a substitution on very big characters - 64-bits or more)
• most modern ciphers we will study are of this form

Shannons Theory of Secrecy Systems

• Claude Shannon wrote some of the pivotal papers on modern cryptology theory in 1949:

o C E Shannon, "Communication Theory of Secrecy Systems", Bell System

Technical Journal, Vol 28, Oct 1949, pp 656-715 o C E Shannon, "Prediction and Entropy of printed
English", Bell System Technical

Journal, Vol 30, Jan 1951, pp 50-64

• in these he developed the concepts of:

o entropy of a message, o redundancy in a language,

o theories about how much information is needed to break a cipher

o defined the concepts of computationally secure vs

unconditionally secure ciphers

• he showed that the Vernam cipher is the only currently known unconditionally secure cipher,
provided the key is truly random
• also showed that if try to encrypt English text by adding to other English text (ie a Bookcipher), this
is not secure since English is 80% redundant, giving ciphertext with 60% redundancy, enough to
break
a similar technique can also be used if the same random key stream is used twice on
different messages, the redundancy in the messages is sufficient to break this
• as discussed earlier, exhaustive key search is the most fundamental attack, and is directly
proportional to the size of the key
•
• can tabulate these for reasonable assumptions about the number of operations possible (& parallel
tests):
Key Size (bits) Time (1us/test) Time (1us/106test)
24 8.4 sec 8.4 usec
32 35.8 mins 2.15 msec
40 6.4 days 550 msec
48 4.46 yrs 2.35 mins
56 ~2000 yrs 10.0 hrs
64 ~500000 yrs 107 days

• as the ultimate limit, it can be shown from energy consumption considerations that the maximum
number of possible elementary operations in 1000 years is about: 3 x 10 ^(48)
• similarly can show that if need say 10 atoms to store a bit of information, then the greatest possible
number of bits storable in a volume of say the moon is: 10 ^(45)
• if a cipher requires more operations, or needs more storage than this, it is pretty reasonable to say it
is computationally secure o eg to test all possible 128-bit keys in Lucifer takes about 3 x 10 ^(48)
encryptions, needing 10 ^(19) years

Substitution-Permutation Ciphers
• in his 1949 paper Shannon also introduced the idea of substitution-permutation (S-P)
networks, which now form the basis of modern block ciphers
• an S-P network is the modern form of a substitution-transposition product cipher
• S-P networks are based on the two primitive cryptographic operations we have seen before

Substitution Operation
• a binary word is replaced by some other binary word
• the whole substitution function forms the key
• if use n bit words, the key is 2^(n)!bits, grows rapidly

can also think of this as a large lookup table, with n address lines (hence 2^(n) addresses),
each n bits wide being the output value
• will call them S-boxes Permutation
Operation
• a binary word has its bits reordered (permuted)
•
• the re-ordering forms the key
• if use n bit words, the key is n!bits, which grows more slowly, and hence is less secure than
substitution

• this is equivalent to a wire-crossing in practise (though is much harder to do in software)

• will call these P-boxes
Substitution-Permutation Network
• Shannon combined these two primitives
• he called these mixing transformations

• Shannons mixing transformations are a special form of product ciphers where

S-Boxes provide confusion of input bits
P-Boxes provide diffusion across S-box inputs
• in general these provide the following results, as described in:
A F Webster & S E Tavares "On the Design of S-boxes", in Advances in Cryptology - Crypto 85,
Lecture Notes in Computer Science, No 218, Springer-Verlag, 1985, pp 523-534 Avalanche effect
• where changing one input bit results in changes of approx half the output bits
 More formally, a function f has a good avalanche effect if for each bit i,0<=i<m, if the 2^(m)
plaintext vectors are divided into 2^(m-1) pairs X and X_(i) with each pair differing only in bit i;
and if the 2^(m-1) exclusive-or sums, termed avalanche vectors
V_(i) = f(X) (+) f(X_(i))
Are compared, then about half of these sums should be found to be 1. Completeness

effect
• where each output bit is a complex function of all the input bits
More formally, a function f has a good completeness effect if for each bit j,0<=j<m, in the ciphertext
output vector, there is at least one pair of plaintext vectors X and X_(i) which differ only in bit i,
and for which f(X) and f(X_(i)) differ in bit j Practical Substitution-Permutation Networks
• in practise we need to be able to decrypt messages, as well as to encrypt them, hence either:

o have to define inverses for each of our S & P-boxes, but this doubles the code/hardware needed, or o
define a structure that is easy to reverse, so can use basically the same code or hardware for both
encryption and decryption
• Horst Feistel, working at IBM Thomas J Watson Research Labs devised just such a structure
in early 70's, which we now call a feistel cipher o the idea is to partition the input block into
two halves, L(i-1)and R(i-1), and use only R(i-1)in each round i (part) of the cipher o the
function g incorporates one stage of the S-P network, controlled by part of the key K(i)known
as the ith subkey

• this can be described functionally as:

L(i) = R(i-1)
R(i) = L(i-1) (+) g(K(i), R(i-1))
• this can easily be reversed as seen in the above diagram, working backwards through the
rounds

• in practise link a number of these stages together (typically 16 rounds) to form the full cipher

MODULE - III
Modular Arithmetic
Modular arithmetic is 'clock arithmetic' a congruence a = b mod n says when divided by n that a and
b have the same remainder

100 = 34 mod 11 usually

have 0<=b<=n-1
-12mod7 = -5mod7 = 2mod7 = 9mod7 b
is called the residue of a mod n
can do arithmetic with integers modulo n with all results between 0 and n
Addition a+b mod n
Subtraction a-b mod n
= a+(-b) mod n
Multiplication

a.b mod n

• derived from repeated addition • can get

a.b=0 where neither a,b=0

o eg 2.5 mod 10
Division a/b
mod n

• is multiplication by inverse of b: a/b = a.b-1 mod n •

if n is prime b-1 mod n exists s.t b.b-1 = 1 mod n

o eg 2.3=1 mod 5 hence 4/2=4.3=2 mod 5

• integers modulo n with addition and multiplication form a commutative ring with the laws of
Associativity
(a+b)+c = a+(b+c) mod

n Commutativity a+b

= b+a mod n

Distributivity

(a+b).c = (a.c)+(b.c) mod n

• also can chose whether to do an operation and then reduce modulo n, or reduce then do the
operation, since reduction is a homomorphism from the ring of integers to the ring of integers modulo
n o a+/-b mod n = [a mod n +/- b mod n] mod n o (the above laws also hold for multiplication)

• if n is constrained to be a prime number p then this forms a Galois Field modulo p denoted GF(p)
and all the normal laws associated with integer arithmetic work

Exponentiation in GF(p)
• many encryption algorithms use exponentiation - raising a number a (base) to some power b
(exponent) mod p

o b = ae mod p

• exponentiation is basically repeated multiplication, which take s O(n) multiples for a number
n
• a better method is the square and multiply algorithm
let base = a, result =1
for each bit ei (LSB to MSB) of exponent if
ei=0 then
square base mod p if ei=1
then multiply result by base
mod p
square base mod p (except for MSB)
required ae is result
• only takes O(log2 n) multiples for a number n

see Sebbery p9 Fig2.1 + example

Discrete Logarithms in GF(p)

• the inverse problem to exponentiation is that of finding the discrete logarithm of a number modulo
p

o find x where ax = b mod p

Seberry examples p10

• whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem,
with no easy way
• in this problem, we can show that if p is prime, then there always exists an a such that there is
always a discrete logarithm for any b!=0

o successive powers of a "generate" the group mod p

• such an a is called a primitive root and these are also relatively hard to find
2.1.3 Greatest Common Divisor
• the greatest common divisor (a,b) of a and b is the largest number that divides evenly into both a
and b
• Euclid's Algorithm is used to find the Greatest Common Divisor (GCD) of two numbers a and
n, a<n o use fact if a and b have divisor d so does a-b, a-2b
GCD (a,n) is given by:
let g0=n
g1=a
gi+1 = gi-1 mod gi
when gi=0 then (a,n) = gi-1
eg find (56,98)

g0=98
g1=56
g2 = 98 mod 56 = 42
g3 = 56 mod 42 = 14
g4 = 42 mod 14 = 0
hence (56,98)=14

Inverses and Euclid's Extended GCD Routine

• unlike normal integer arithmetic, sometimes a number in modular arithmetic has a unique inverse

o a-1 is inverse of a mod n if a.a-1 = 1 mod n

o where a,x in {0,n-1} o eg 3.7 = 1 mod 10

• if (a,n)=1 then the inverse always exists

• can extend Euclid's Algorithm to find Inverse by keeping track of gi = ui.n + vi.a
• Extended Euclid's (or Binary GCD) Algorithm to find Inverse of a number a mod n
(where (a,n)=1) is:
Inverse(a,n) is given by:
g0=n u0=1 v0=0
g1=a u1=0 v1=1
let
y = gi-1 div gi gi+1 = gi-1 - y.gi =
gi-1 mod gi ui+1 = ui-1 - y.ui vi+1
= vi-1 - y.vi when gi=0 then
Inverse(a,n) = vi-1 Example

eg: want to find Inverse(3,460):

i y g u v
0 - 460 1 0
 1 - 3 0 1
2 153 1 1 -153 3 3 0 -3 460

hence Inverse(3,460) = -153 = 307 mod 460

Euler Totient Function [[phi]](n)
• if consider arithmetic modulo n, then a reduced set of residues is a subset of the complete set of
residues modulo n which are relatively prime to n
o eg for n=10,

o the complete set of residues is {0,1,2,3,4,5,6,7,8,9} o the reduced

set of residues is {1,3,7,9}

• the number of elements in the reduced set of residues is called the Euler Totient function
[[phi]](n)
• there is no single formula for [[phi]](n) but for various cases count how many elements are
excluded[4]:
p (p prime) [[phi]](p) =p-1 pr (p
prime) [[phi]](p) =pr-1(p-1)
p.q (p,q prime) [[phi]](p.q) =(p-1)(q-1)
see Seberry Table 2.1 p13
• several important results based on [[phi]](n) are: • Theorem (Euler's Generalization)

o let gcd(a,n)=1 then o a[[phi]](n) mod n = 1

• Fermat's Theorem
o let p be a prime and gcd(a,p)=1 then o ap-1

mod p = 1

• Algorithms to find Inverses a-1 mod n

1. search 1,...,n-1 until an a-1 is found with a.a-1 mod n

2. if [[phi]](n) is known, then from Euler's Generalization

 a-1 = a[[phi]](n)-1 mod n

3. otherwise use Extended Euclid's algorithm for inverse

Computing with Polynomials in GF(qn)

• have seen arithmetic modulo a prime number GF(p)
• also can do arithmetic modulo q over polynomials of degree n, which also form a Galois Field
GF(qn)

• its elements are polynomials of degree (n-1) or lower

o a(x)=an-1xn-1+an-2xn-2+...+a1x+a0

• have residues for polynomials just as for integers

o p(x)=q(x)d(x)+r(x)

o and this is unique if deg[r(x)]<deg[d(x)]

• if r(x)=0, then d(x) divides p(x), or is a factor of p(x)

• addition in GF(qn) just involves summing equivalent terms in the polynomial modulo q (XOR
if q=2)

o a(x)+b(x)=(an-1+bn-1)xn-1+...+(a1+b1)x+(a0+b0) Multiplication

with Polynomials in GF(qn)

• multiplication in GF(qn) involves [5] o multiplying the two polynomials together (cf

longhand multiplication; here use shifts

& XORs if q=2)

o then finding the residue modulo a given irreducible polynomial of degree n

• an irreducible polynomial d(x) is a 'prime' polynomial, it has no polynomial divisors other
than itself and 1

• modulo reduction of p(x) consists of finding some r(x) st: p(x)=q(x)d(x)+r(x) o nb. in

GF(2n) with d(x)=x3+x+1 can do simply by replacing x3 with x+1

•
eg in GF(23) there are 8 elements:

o 0, 1, x, x+1, x2, x2+1, x2+x, x2+x+1

• with irreducible polynomial d(x)=x3+x+1* arithmetic in this field can be summarised as:

Seberry Table 2.3 p20

• can adapt GCD, Inverse, and CRT algorithms for GF(qn)

o [[phi]](p(x)) = 2n-1 since every poly except 0 is relatively prime to p(x)

•arithmetic in GF(qn) can be much faster than integer arithmetic, especially if the irreducible
polynomial is carefully chosen

o eg a fast implementation of GF(2127) exists

• has both advantages and disadvantages for cryptography, calculations are faster, as are methods for
breaking

Public-Key Ciphers
• traditional secret key cryptography uses a single key shared by both sender and receiver
• if this key is disclosed communications are compromised
• also does not protect sender from receiver forging a message & claiming is sent by sender,
parties are equal
• public-key (or two-key) cryptography involves the use of two keys:
o a public-key, which may be known by anybody, and can be used to encrypt
messages, and verify signatures
o a private-key, known only to the recipient, used to decrypt messages, and sign
•
(create) signatures

the public-key is easily computed from the private key and other information about the
cipher (a polynomial time (P-time) problem)
• however, knowing the public-key and public description of the cipher, it is still
computationally infeasible to compute the private key (an NP-time problem)
• thus the public-key may be distributed to anyone wishing to communicate securly with its
owner (although secure distribution of the public-key is a non-trivial problem - the key
distribution problem)
• have three important classes of public-key algorithms:
o Public-Key Distribution Schemes (PKDS) - where the scheme is used to securely exchange
a single piece of information (whose value depends on the two parties, but cannot be set). o This
value is normally used as a session key for a private-key scheme

o Signature Schemes - used to create a digital signature only, where the private-key signs
(create) signatures, and the public-key verifies signatures
o Public Key Schemes (PKS) - used for encryption, where the public-key encrypts messages,
and the private-key decrypts messages. o Any public-key scheme can be used as a PKDS, just by
selecting a message which is
the required session key
o Many public-key schemes are also signature schemes (provided encryption& decryption can
be done in either order)

RSA Public-Key Cryptosystem

•best known and widely regarded as most practical public-key scheme was proposed by Rivest,
Shamir & Adleman in 1977:
•
R L Rivest, A Shamir, L Adleman, "On Digital Signatures and Public Key Cryptosystems",
Communications of the ACM, vol 21 no 2, pp120-126, Feb 1978
• it is a public-key scheme which may be used for encrypting messages, exchanging keys, and
creating digital signatures

• is based on exponentiation in a finite (Galois) field over integers modulo a prime o nb

exponentiation takes O((log n)3) operations

• its security relies on the difficulty of calculating factors of large numbers o nb

factorization takes O(e log n log log n) operations o (same as for discrete logarithms)

• the algorithm is patented in North America (although algorithms cannot be patented elsewhere
in the world) o this is a source of legal difficulties in using the scheme
RSA is a public key encryption algorithm based on exponentiation using modular arithmetic
• to use the scheme, first generate keys:

• Key-Generation by each user consists of: o selecting two large primes at random (~100

digit), p, q o calculating the system modulus R=p.q p, q primes o selecting at

random the encryption key e, o e < R, gcd(e, F(R)) = 1 o solving the congruence to

find the decryption key d, o e.d [[equivalence]] 1 mod [[phi]](R) 0 <= d <= R o

publishing the public encryption key: K1={e,R} o securing the private decryption

key: K2={d,p,q}

• Encryption of a message M to obtain ciphertext C is:

• C = Me mod R 0 <= d <= R

• Decryption of a ciphertext C to recover the message M is: o M = Cd = Me.d =

M1+n.[[phi]](R) = M mod R

• the RSA system is based on the following result:

if R = pq where p, q are distinct large primes then
X [[phi]](R) = 1 mod R for all
x not divisible by p or q
and [[Phi]](R) = (p-1)(q-1)
RSA Example
• usually the encryption key e is a small number, which must be relatively prime to [[phi]](R)
(ie GCD(e, [[phi]](R)) = 1)
•
• typically e may be the same for all users (provided certain precautions are taken), 3 is
suggested

• the decryption key d is found by solving the congruence:

e.d [[equivalence]] 1 mod [[phi]](R), 0 <= d <= R,
• an extended Euclid's GCD or Binary GCD calculation is done to do this. given e=3,
R=11*47=517, [[phi]](R)=10*46=460 then d=Inverse(3,460) by Euclid's alg:
i y g u v
0 - 460 1 0
1 - 3 0 1
 2 153 1 1 -153
3 3 0 -3 460
ie: d = -153, or 307 mod 517
• a sample RSA encryption/decryption calculation is: M = 26
C = 263 mod 517 = 515
M = 515307 mod 517 = 26
•

Security of RSA
• The security of the RSA scheme rests on the difficulty of factoring the modulus of the scheme
R
• best known factorization algorithm (Brent-Pollard) takes:

operations on number R whose largest prime factor is p

Decimal Digits in R #Bit Operations to Factor R

20 7200
40 3.11e+06
60 4.63e+08
80 3.72e+10
100 1.97e+12
120 7.69e+13
140 2.35e+15
160 5.92e+16
180 1.26e+18
200 2.36e+19

• This leads to R having a length of 200 digits (or 600 bits) given that modern computers
perform 1-100 MIPS the above can be divided by 106 to get a time in seconds o nb: currently
1e+14 operations is regarded as a limit for computational feasability and there are 3e+13
usec/year
• but most (all!!) computers can't directly handle numbers larger than 32-bits (64-bits on the
very newest)
• hence need to use multiple precision arithmetic libraries to handle numbers this large

Multi-Precision Arithmetic
• involves libraries of functions that work on multiword (multiple precision) numbers
• classic references are in Knuth vol 2 - "Seminumerical Algorithms"
o multiplication digit by digit o do

exponentiation using square and multiply[6]

• are a number of well known multiple precision libraries available - so don't reinvent the
wheel!!!!
• can use special tricks when doing modulo arithmetic, especially with the modulo reductions

Faster Modulo Reduction

* Chivers (1984) noted a fast way of performing modulo reductions whilst doing multi-precision
arithmetic calcs

Given an integer A of n characters (a0, ... , an-1) of base b

then

ie: this implies that the MSD of a number can be removed and its remainder mod m added to the
remaining digits will result in a number that is congruent mod m to the original.
* Chivers algorithm for reducing a number is thus:

1. Construct an array R = (bd, 2.bd, ... , (b-1).bd)(mod m)

2. FOR i = n-1 to d do WHILE

A[i] != 0 do
j = A[i];
A[i] = 0;
A = A + bi-d.R[j];

END WHILE END

FOR

where A[i] is the ith character of number A

R[j] is the jth integer residue from the array R

n is the number of symbols in A d is the

number of symbols in the modulus

•

Speeding up RSA - Alternate Multiplication Techniques

conventional multiplication takes O(n2) bit operations, faster techniques include:

• the Schonhage-Strassen Integer Multiplication Algorithm:

o breaks each integer into blocks, and uses them as coefficients of a polynomial o
evaluates these polynomials at suitable points, & multiplies the resultant values o
interpolates these values to form the coefficients of the product polynomial o

combines the coefficients to form the product of the original integer o the Discrete
Fourier Transform, and the Convolution Theorem are used to speed up the
interpolation stage
o can multiply in O(n log n) bit operations

• the use of specialized hardware because:

o conventional arithmetic units don't scale up, due to carry propogation delays o so can use
serial-parallel carry-save, or delayed carry-save techniques with O(n) gates to multiply in O(n) bit
operations,

o or can use parallel-parallel techniques with O(n2) gates to multiply in O(log n) bit operations

RSA and the Chinese Remainder Theorem

• a significant improvement in decryption speed for RSA can be obtained by using the
Chinese Remainder theorem to work modulo p and q respectively o since p,q are only
half the size of R=p.q and thus the arithmetic is much faster

• CRT is used in RSA by creating two equations from the decryption calculation: M = Cd
mod R
as follows:

M1 = M mod p = (C mod p)d mod (p-1)

M2 = M mod q = (C mod q)d mod (q-1)
then the pair of equations

M = M1 mod p M = M2 mod q
has a unique solution by the CRT, given by:

M = [((M2 +q - M1)u mod q] p + M1 where

 p.u mod q = 1
Primality Testing and RSA
• The first stage of key-generation for RSA involves finding two large primes p, q
•

Because of the size of numbers used, must find primes by trial and error
• Modern primality tests utilize properties of primes eg:

o an-1 = 1 mod n where GCD(a,n)=1

o all primes numbers 'n' will satisfy this equation o some composite numbers will also
satisfy the equation, and are called pseudoprimes.
• Most modern tests guess at a prime number 'n', then take a large number (eg 100) of numbers
'a', and apply this test to each. If it fails the number is composite, otherwise it is is probably prime.
• There are a number of stronger tests which will accept fewer composites as prime than the
above test. eg:

RSA Implementation in Practice • Software implementations o generally

perform at 1-10 bits/second on block sizes of 256-512 bits o two main types

of implementations:

 - on micros as part of a key exchange mechanism in a hybrid scheme

 - on larger machines as components of a secure mail system

• Harware Implementations o generally perform 100-10000 bits/sec on blocks

sizes of 256-512 bits o all known implementations are large bit length

conventional ALU units

ElGamal
• A variant of the Diffie-Hellman key distribution scheme, allowing secure exchange of
messages
• published in 1985 by ElGamal in
T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms",
IEEE Trans. Information Theory, vol IT-31(4), pp469-472, July 1985.
• like Diffie-Hellman its security depends on the difficulty of factoring logarithms
 Key Generation o select a large prime p

(~200 digit), and o [[alpha]] a primitive element

mod p o A has a secret number xA o B has a

secret number xB

o A and B compute yA and yB respectively, which are then made public

 yA = [[alpha]]xA mod p

 yB = [[alpha]]xB mod p

• to encrypt a message M into ciphertext C, o

selects a random number k, 0 <= k <= p-1 o

computes the message key K

 K = yBk mod p

o computes the ciphertext pair: C = {c1,c2}

 C1 = [[alpha]]k mod p C2 = K.M mod p

• to decrypt the message o

extracts the message key K

 K = C1xB mod p = [[alpha]]k.xB mod p o extracts M by

solving for M in the following equation:

 C2 = K.M mod p

Other Public-Key Schemes

• a number of other public-key schemes have been proposed, some of the better known being:

o Knapsack based schemes

o McEleice's Error Correcting Code based schems

• ALL of these schemes have been broken
• the only currently known secure public key schemes are those based on exponentiation
(all of which are patented in North America)
• it has proved to be very difficult to develop secure public key schemes
•

• this in part is why they have not been adopted faster, as their theorectical advantages might
have suggested
AUTHENTICATION REQUIREMENTS
In the context of communication across a network, the following attacks can be identified:
Disclosure – releases of message contents to any person or process not possessing the
appropriate cryptographic key.
Traffic analysis – discovery of the pattern of traffic between parties.
Masquerade – insertion of messages into the network fraudulent source.
Content modification – changes to the content of the message, including insertion
deletion, transposition and modification.

Sequence modification – any modification to a sequence of messages between parties, including

insertion, deletion and reordering.
Timing modification – delay or replay of messages.

Source repudiation – denial of transmission of message by source.

Destination repudiation – denial of transmission of message by destination.
easures to deal with first two attacks are in the realm of message confidentiality. Measures to deal
with 3 through 6 are regarded as message authentication. Item 7 comes under digital signature and
dealing with item 8 may require a combination of digital signature and a protocol to counter this
attack.

AUTHENTICATION FUNCTIONS
Any message authentication or digital signature mechanism can be viewed as having fundamentally
two levels. At the lower level, there may be some sort of function that produces an authenticator: a
value to be used to authenticate a message. This lower layer function is then used as primitive in a
higher-layer authentication protocol that enables a receiver to verify the authenticity of a message.
The different types of functions that may be used to produce an authenticator

are as follows:

Message encryption – the cipher text of the entire message serves as its authenticator.
Message authentication code (MAC) – a public function of the message and a secret key that
produces a fixed length value serves as the authenticator.
Hash function – a public function that maps a message of any length into a fixed length hash value,
which serves as the authenticator.

Message encryption

Message encryption by itself can provide a measure of authentication. The analysis differs from
symmetric and public key encryption schemes.
Suppose the message can be any arbitrary bit pattern. In that case, there is no way to determine
automatically, at the destination whether an incoming message is the ciphertext of a legitimate
message. One solution to this problem is to force the plaintext to have some structure that is easily
recognized but that cannot be replicated without recourse to the encryption function. We could, for
example, append an error detecting code, also known as Frame Check Sequence (FCS) or checksum
to each message before encryption
‘A’ prepares a plaintext message M and then provides this as input to a function F that produces an
FCS. The FCS is appended to M and the entire block is then encrypted. At the destination, B decrypts
the incoming block and treats the result as a message with an appended FCS. B applies the same
function F to attempt to reproduce the FCS. If the calculated FCS is equal to the incoming FCS, then
the message is considered authentic.
In the internal error control, the function F is applied to the plaintext, whereas in external error control,
F is applied to the ciphertext (encrypted message).

MESSAGE AUTHENTICATION CODE (MAC)

An alternative authentication technique involves the use of secret key to generate a small fixed size
block of data, known as cryptographic checksum or MAC that is appended to the message. This
technique assumes that two communication parties say A and B, share a common secret key ‘k’.
When A has to send a message to B, it calculates the MAC as a function of the message and the key.
MAC = CK(M) Where M – input message
C – MAC function

K – Shared secret key

+MAC - Message Authentication Code

The message plus MAC are transmitted to the intended recipient. The recipient performs the same
calculation on the received message, using the shared secret key, to generate a new MAC. The
received MAC is compared to the calculated MAC. If it is equal, then the message is considered
authentic.
A MAC function is similar to encryption. One difference is that MAC algorithm need not be
reversible, as it must for decryption. In general, the MAC function is a many- to-one function.