
Cryptography and Network Security

Unit 2 notes

Uploaded by

Aarthi

UNIT II

SYMMETRIC CRYPTOGRAPHY
MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY: Algebraic structures - Modular
arithmetic - Euclid's algorithm - Congruence and matrices - Groups, Rings, Fields - Finite fields
SYMMETRIC KEY CIPHERS: SDES – Block cipher Principles of DES – Strength of DES – Differential
and linear cryptanalysis - Block cipher design principles – Block cipher mode of operation – Evaluation
criteria for AES – Advanced Encryption Standard - RC4 – Key distribution.

GROUPS, RINGS, AND FIELDS


Groups, rings, and fields are the fundamental elements of a branch of mathematics known as abstract
algebra, or modern algebra.

GROUPS
A group G, sometimes denoted by {G, •}, is a set of elements with a binary operation denoted by • that
associates to each ordered pair (a, b) of elements in G an element (a • b) in G, such that the following
axioms are obeyed:

(A1) Closure: If a and b belong to G, then a • b is also in G.


(A2) Associative: a•(b•c) = (a•b)•c for all a, b, c in G.
(A3) Identity element: There is an element e in G such that a • e = e • a = a for all a in G.
(A4) Inverse element: For each a in G, there is an element a⁻¹ in G such that a • a⁻¹ = a⁻¹ • a = e.
If a group has a finite number of elements, it is referred to as a finite group, and the order of the group is
equal to the number of elements in the group. Otherwise, the group is an infinite group. A group is said
to be abelian if it satisfies the following additional condition:
(A5) Commutative: a • b = b • a for all a, b in G.
A group G is cyclic if every element of G is a power a^k (k is an integer) of a fixed element a ∈ G. The
element a is said to generate the group G or to be a generator of G. A cyclic group is always abelian and
may be finite or infinite.

RINGS
A ring R, sometimes denoted by {R, +, *}, is a set of elements with two binary operations, called addition
and multiplication, such that for all a, b, c in R the following axioms are obeyed.
(A1–A5) R is an abelian group with respect to addition; that is, R satisfies axioms A1 through A5.
(M1) Closure under multiplication: If a and b belong to R, then ab is also in R.
(M2) Associativity of multiplication: a(bc) = (ab)c for all a, b, c in R.
(M3) Distributive laws: a(b + c) = ab + ac for all a, b, c in R.
(a + b)c = ac + bc for all a, b, c in R.
A ring is said to be commutative if it satisfies the following additional condition:
(M4) Commutativity of multiplication: ab = ba for all a, b in R.
An integral domain is a commutative ring that obeys
the following axioms.
(M5) Multiplicative identity: There is an element 1 in R such that a1 = 1a = a for all a in R.
(M6) No zero divisors: If a, b in R and ab = 0, then either a = 0 or b = 0.

FIELDS
A field F, sometimes denoted by {F, +, *}, is a set of elements with two binary operations, called
addition and multiplication, such that for all a, b, c in F the following axioms are obeyed.
(A1–M6) F is an integral domain; that is, F satisfies axioms A1 through A5 and M1 through M6.
(M7) Multiplicative inverse: For each a in F, except 0, there is an element a⁻¹ in F such that
aa⁻¹ = (a⁻¹)a = 1

MODULAR ARITHMETIC
If a is an integer and n is a positive integer, we define a mod n to be the remainder
when a is divided by n. The integer n is called the modulus.

Congruent modulo
Two integers a and b are said to be congruent modulo n if
(a mod n) = (b mod n)
This is written as
a ≡ b (mod n)
Example: 73 ≡ 4 (mod 23)

Properties of modulo operator


Congruences have the following properties:
1. a ≡ b (mod n) if n | (a - b)
2. a ≡ b (mod n) implies b ≡ a (mod n)
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n).

Modular Arithmetic Operations


Modular arithmetic exhibits the following properties:
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) - (b mod n)] mod n = (a - b) mod n
3. [(a mod n) * (b mod n)] mod n = (a * b) mod n
11 mod 8 = 3; 15 mod 8 = 7
[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2
(11 + 15) mod 8 = 26 mod 8 = 2
[(11 mod 8) - (15 mod 8)] mod 8 = -4 mod 8 = 4
(11 - 15) mod 8 = -4 mod 8 = 4
[(11 mod 8) * (15 mod 8)] mod 8 = 21 mod 8 = 5
(11 * 15) mod 8 = 165 mod 8 = 5
Relatively prime
Two integers are relatively prime, if their only common positive integer factor is 1.
8 and 15 are relatively prime because
Positive divisors of 8 are 1,2,4,8
Positive divisors of 15 are 1, 3, 5, 15
Therefore, common positive factor=1.
EUCLIDEAN ALGORITHM
The Euclidean algorithm is a simple procedure for determining the greatest common divisor of two positive
integers.
The positive integer c is said to be the greatest common divisor of a and b if
1. c is a divisor of a and of b.
2. Any divisor of a and b is a divisor of c.
An equivalent definition is the following:
gcd(a,b)=gcd(|a|,|b|)
gcd(a,0)=|a|

EUCLID(a, b)
1. A ← a; B ← b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A ← B
5. B ← R
6. goto 2

Euclidean Algorithm Revisited
For any integers a, b, with a ≥ b ≥ 0,
gcd(a, b) = gcd(b, a mod b)

Example
gcd(55, 22) = gcd(22, 55 mod 22) = gcd(22, 11) = 11
gcd(18, 12) = gcd(12, 6) = gcd(6, 0) = 6
gcd(11, 10) = gcd(10, 1) = gcd(1, 0) = 1

Multiplicative Inverse of Numbers by Extended Euclidean Algorithm


EXTENDED EUCLID [m, b]
1. [A1, A2, A3] ← [1, 0, m]; [B1, B2, B3] ← [0, 1, b]
2. if B3 = 0 return A3 = gcd[m, b]; no inverse
3. if B3 = 1 return B3 = gcd[m, b]; B2 = b⁻¹ mod m
4. Q = quotient of A3/B3
5. [T1, T2, T3] ← [A1-QB1, A2-QB2, A3-QB3]
6. [A1, A2, A3] ← [B1, B2, B3]
7. [B1, B2, B3] ← [T1, T2, T3]
8. goto 2
Example 1: Find the multiplicative inverse of 7 mod 160
  Q    A1    A2    A3    B1    B2    B3
  -     1     0   160     0     1     7
 22     0     1     7     1   -22     6
  1     1   -22     6    -1    23     1
Verification
(7 × 23) mod 160 = 1. Hence verified.
Example 2: Find the multiplicative inverse of 550 mod 1769
  Q    A1    A2    A3    B1    B2    B3
  -     1     0  1769     0     1   550
  3     0     1   550     1    -3   119
  4     1    -3   119    -4    13    74
  1    -4    13    74     5   -16    45
  1     5   -16    45    -9    29    29
  1    -9    29    29    14   -45    16
  1    14   -45    16   -23    74    13
  1   -23    74    13    37  -119     3
  4    37  -119     3  -171   550     1
Verification
(550 × 550) mod 1769 = 1. Hence verified.
Example 3: Find the multiplicative inverse of 1234 mod 4321
  Q    A1    A2    A3    B1    B2    B3
  -     1     0  4321     0     1  1234
  3     0     1  1234     1    -3   619
  1     1    -3   619    -1     4   615
  1    -1     4   615     2    -7     4
153     2    -7     4  -307  1075     3
  1  -307  1075     3   309 -1082     1
The inverse is negative, i.e. -1082.
Convert it into a positive number: 4321 - 1082 = 3239
Verification
(3239 × 1234) mod 4321 = 1. Hence verified.
Example 4: Find gcd(25, 60) by using the extended Euclidean algorithm
  Q    A1    A2    A3    B1    B2    B3
  -     1     0    25     0     1    60
  0     0     1    60     1     0    25
  2     1     0    25    -2     1    10
  2    -2     1    10     5    -2     5
  2     5    -2     5   -12     5     0
gcd(25, 60) = 5
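
The tabular procedure above, written out in Python so the four worked tables can be regenerated row by row. This is an added example, not part of the original notes; the function names and the row-tuple layout are choices made here.

```python
def extended_euclid(m, b):
    """Run EXTENDED EUCLID[m, b] exactly as tabulated in the notes.

    Returns (gcd, inverse, rows). `inverse` is b^-1 mod m reduced into
    [0, m), or None when gcd(m, b) != 1. Each row is the tuple
    (Q, A1, A2, A3, B1, B2, B3) of one table line.
    """
    if m <= 0 or b < 0:
        raise ValueError("expected m > 0 and b >= 0")
    A = (1, 0, m)
    B = (0, 1, b)
    rows = [(None, *A, *B)]
    while B[2] not in (0, 1):                 # steps 2 and 3 are the exits
        q = A[2] // B[2]                      # step 4
        T = tuple(a - q * x for a, x in zip(A, B))   # step 5
        A, B = B, T                           # steps 6 and 7
        rows.append((q, *A, *B))
        # Invariant of every row: A1*m + A2*b = A3 and B1*m + B2*b = B3.
        assert B[0] * m + B[1] * b == B[2]
    if B[2] == 0:
        return A[2], None, rows               # gcd found, no inverse
    return 1, B[1] % m, rows                  # a negative B2 is folded into [0, m)


def mod_inverse(b, m):
    """b^-1 mod m, refusing inputs that have no inverse."""
    g, inv, _ = extended_euclid(m, b)
    if inv is None:
        raise ValueError(f"{b} has no inverse mod {m}: gcd is {g}")
    return inv


def format_table(rows):
    head = "".join(f"{h:>6}" for h in ("Q", "A1", "A2", "A3", "B1", "B2", "B3"))
    body = ["".join(f"{'-' if v is None else v:>6}" for v in row) for row in rows]
    return "\n".join([head, *body])


if __name__ == "__main__":
    for m, b in ((160, 7), (1769, 550), (4321, 1234), (25, 60)):
        g, inv, rows = extended_euclid(m, b)
        print(f"m={m}, b={b}: gcd={g}, inverse={inv}")
        print(format_table(rows))
```
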

PUBLIC KEY CRYPTOGRAPHY


SIMPLIFIED DES
Encryption takes an 8-bit block of plaintext and a 10-bit key, and produces an 8-bit block of
ciphertext.
Decryption takes the 8-bit block of ciphertext and the same 10-bit key, and produces the original
8-bit block of plaintext.

The encryption algorithm involves five functions:


• IP – an initial permutation
• fK – a complex function, which involves both permutation and substitution
operations and depends on a key input
• SW – a simple permutation that swaps the two halves of the data
• fK – the complex function again
• IP⁻¹ – the inverse of the initial permutation

Block diagram of S-DES


Ciphertext = IP⁻¹(fK2(SW(fK1(IP(Plaintext)))))
Plaintext = IP⁻¹(fK1(SW(fK2(IP(Ciphertext)))))
S-DES Key Generation:

Generate two 8-bit subkeys from the original 10-bit key


• The key is first subjected to a permutation (P10).
• Divide the output of P10 into two halves, perform a circular left shift by one bit
position (LS-1) on each of the two halves, and then pass the result through a permutation function
(P8) that produces an 8-bit output for the first subkey (K1).
• The output of the shift operation is given as input to another shift (LS-2)
(left shift by 2 bits on the two halves of the data) and another instance of
P8 to produce the second subkey (K2).

K1 = P8(Shift(P10(key)))
K2 = P8(Shift(Shift(P10(key))))

P10
3 5 2 7 4 10 1 9 8 6

P8
6 3 7 4 8 5 10 9

P4
2 4 3 1

IP
2 6 3 1 4 8 5 7

IP⁻¹
4 1 3 5 7 2 8 6

E/P
4 1 2 3 2 3 4 1

The first and fourth input bits are treated as a 2-bit number that specifies a row of the S-box, and the
second and third bits specify a column of the S-box.

Example

Plain text – 10111101


Key – 1010000010

Key Generation
1) Applying P10 on the key, we get: 1000001100
2) Applying a circular left shift by 1 bit on the two 5-bit parts, we get: 0000111000
3) Applying P8, we get K1: 10100100
4) Applying a circular left shift by 2 bits: 0010000011
5) Applying P8, we get K2: 01000011

Steps for S-DES encryption


1) Initial permutation on the plaintext: IP(plaintext) = 01111110
2) Now applying fK1 on 01111110
i) Apply E/P on 1110: 0111 1101
ii) XOR with K1: 1101 1001
iii) Pass 1101 to the S0 box: 11
iv) Pass 1001 to the S1 box: 10
v) Combining both results from the S-boxes: 1110
vi) Applying P4 on it: 1011
XORing this with the left half 0111 gives 1100; the right half 1110 is unchanged.
Now we have an intermediary output: 1100 1110
3) Applying SW: 1110 1100
4) Applying fK2 on 1110 1100
i) Apply E/P on 1100: 0110 1001
ii) XOR with K2: 0010 1010
iii) Pass 0010 to the S0 box: 00
iv) Pass 1010 to the S1 box: 00
v) Combining both results from the S-boxes: 0000
vi) Applying P4 on it: 0000
Now we have at the end: 1110 1100
5) Applying IP⁻¹ on it, we get 0111 0101, which is our ciphertext.
Ciphertext = 01110101
The inverse operation on this ciphertext gives back the plaintext.

DES-DATA ENCRYPTION STANDARD
DES is also called the Data Encryption Algorithm. This algorithm was proposed by the National
Institute of Standards and Technology (NIST) in 1977.
DES working principle:
DES is a block cipher.
DES takes a 64-bit block of plaintext and produces a 64-bit block of ciphertext.
The key is 56 bits long.
DES has 16 rounds.
The same algorithm is used for encryption and decryption.
DES is based on substitution and transposition.
The processing of the algorithm proceeds in 3 phases:
Phase 1 - Permutation phase, which rearranges the bits to produce the permuted input (IP).
Phase 2 - This phase has 16 rounds. Each round has permutation and substitution steps.
Phase 3 - The output of phase 2 is passed through a permutation which is the inverse of the initial
permutation. The final output is the 64-bit ciphertext.

General depiction of DES encryption algorithm


Single Round of DES
1. Key transformation
2. Expansion permutation
3. S-box substitution
4. Permutation
5. XOR and swap

Single round of a DES algorithm

1. Key transformation
The 56-bit key is divided into two halves. Each 28-bit half is circularly shifted by one or two
positions, depending on the round.
After the appropriate shifts, 48 of the 56 bits are selected as the key for each round.
2. Expansion permutation
In this step the right half of the plaintext is expanded from 32 bits to 48 bits.
The 48-bit key is XORed with the 48-bit expanded right half and the resulting output is given to the next step.
3. S-box substitution
S-box substitution is a process that accepts the 48-bit input from the XOR operation and
produces a 32-bit output.
4. Permutation
The output of the S-boxes consists of 32 bits. These 32 bits are permuted using the P-box.
5. XOR and swap
All the above operations are performed only on the 32-bit right half of the plaintext.
Now the left half of the plaintext is XORed with the P-box output.
The result of the XOR operation becomes the new right half. The old right half becomes
the new left half.
Inverse Initial permutation
At the end of 16 rounds simple transposition is performed.
DES decryption
It uses the same algorithm as encryption except the key is used in reverse order.

Avalanche Effect
A small change in either the plaintext or the key should produce a significant
change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should
produce a change in many bits of the ciphertext. This is referred to as the avalanche effect.
DES exhibits a strong avalanche effect.

Strength of DES
1) The use of a 56-bit key
As the key length is 56 bits, there are 2^56 possible keys for a brute-force attack. Hence, it
is impractical.
2) The nature of the DES algorithm
For a cryptanalytic attack, the characteristics of DES need to be analysed. DES
makes use of substitution boxes called S-boxes. The algorithm for the design of the S-boxes was known to
the public.
When this algorithm is known, then there is a cryptanalytic attack. But until now
there is no such attack.
3) Timing attack
A timing attack is one in which information about the key or the plaintext is obtained by
observing how long it takes a given implementation to perform decryptions on various
ciphertexts. A timing attack exploits the fact that an encryption or decryption algorithm often takes
slightly different amounts of time on different inputs. An approach known as Hamming weight yields
the number of bits equal to the secret key. This is a long way from knowing the actual key. The
authors conclude that DES appears to be fairly resistant to a successful timing attack.

BLOCK CIPHER DESIGN PRINCIPLES


The cryptographic strength of a Feistel cipher derives from three aspects of the design:
1) The number of rounds,
2) The function F, and
3) The key schedule algorithm.

1) Number of Rounds
When the number of rounds increases, the difficulty of performing cryptanalysis also increases, even
with a weak F. The number of rounds is to be chosen so that known cryptanalytic efforts should be
greater than the effort of a brute-force attack.
2) Design of Function F
Criteria needed for F:
• It must be difficult to unscramble the substitution done by F.
• The function should satisfy the strict avalanche effect.
• The function should satisfy the bit independence criterion: output bits j and k should
change independently when any single input bit i is inverted, for all i, j, and k.
• The S-box should have a guaranteed avalanche effect.
3) Key Schedule Algorithm
The key generation algorithm is used to generate one subkey for each round. The subkeys
should be different for each round, and it should be difficult to deduce the subkeys and trace
the main key.

BLOCK CIPHER MODES OF OPERATION
To apply a block cipher in a variety of applications, four "modes of operation" have been
defined by NIST.
A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or
adapting the algorithm for an application, such as applying a block cipher to a sequence of
data blocks or a data stream.

(i) Electronic Code Book (ECB)


The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one
block at a time and each block of plaintext is encrypted using the same key.

CN = E(K, PN), N = 1, …, n
PN = D(K, CN), N = 1, …, n
Advantages
• The ECB method is ideal for a short amount of data, such as an encryption key.
Disadvantages
• For the same b-bit block of plaintext, if it appears more than once in the message, ECB always
produces the same ciphertext.
• For lengthy messages, the ECB mode may not be secure.

(ii) Cipher Block Chaining Mode (CBC)
To overcome the drawback of ECB, CBC is a technique in which the same plaintext block, if repeated,
produces different ciphertext blocks. In this scheme, the input to the encryption algorithm is
the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for
each block.

where IV is the initialization vector (known only to the communicating parties).
The input to the encryption function for each plaintext block bears no fixed relationship to the
plaintext block. Therefore, repeating patterns of bits are not exposed. For decryption, each cipher
block is passed through the decryption algorithm. The result is XORed with the preceding
ciphertext block to produce the plaintext block.
Encryption: Cj = E(K, [Cj-1 ⊕ Pj])
Decryption: D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj]))
Advantages:
• An appropriate mode for encrypting messages of length greater than b bits.
• In addition to its use to achieve confidentiality, the CBC mode can be used for
authentication.

(iii) Cipher Feedback Mode (CFB)


The input to the encryption function is a b-bit shift register that is initially set to some
initialization vector (IV). The leftmost (most significant) s bits of the output of the encryption
function are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext
C1. The contents of the shift register are shifted left by s bits and C1 is placed in the rightmost
s bits. This process continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertext unit is XORed
with the output of the encryption function to produce the plaintext unit.
Encryption function
Let Ss(X) be defined as the most significant s bits of X.
C1 = P1 ⊕ Ss[E(K, IV)]
Therefore,
P1 = C1 ⊕ Ss[E(K, IV)]

(iv) Output Feedback Mode (OFB)
The output feedback (OFB) mode is similar in structure to that of CFB. In OFB, it is the output of the
encryption function that is fed back to the shift register, whereas in CFB the ciphertext unit is
fed back to the shift register.

Advantage
One advantage of the OFB method is that bit errors in transmission do not propagate.
Disadvantage
The disadvantage of OFB is that it is more vulnerable to a message stream modification
attack than is CFB.

(v) Counter Mode (CTR)
Here, a counter equal to the plaintext block size is used. The counter value must be
different for each plaintext block. The counter is initialized to some value and then incremented
by 1 for each subsequent block. For encryption, the counter is encrypted and then XORed with the
plaintext block to produce the ciphertext block; there is no chaining.
For decryption, the same sequence of counter values is used, with each encrypted counter
XORed with a ciphertext block to recover the corresponding plaintext block.

Advantages
Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR
mode can be done in parallel on multiple blocks of plaintext or cipher text.
Software efficiency: Similarly, because of the opportunities for parallel execution in CTR
mode, processors that support parallel features can be utilized.
Preprocessing: The execution of the underlying encryption algorithm does not depend on
input of the plaintext or cipher text.
Random access: The ith block of plaintext or ciphertext can be processed in random-access
fashion.
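
The five modes above, implemented over one block cipher so their behaviour can be compared on the same message: ECB exposing a repeated block, CBC hiding it, a changed OFB ciphertext bit affecting exactly one plaintext bit, and CTR decrypting one block on its own. This is an added example, not part of the original notes. The cipher E/D is a toy 64-bit Feistel construction built on SHA-256, assumed here only to have a block cipher to plug in; it is not DES, and the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # block size b in bytes (64 bits, as in DES)


def xor(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key, block, rounds):
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left


def E(key, block):
    """Toy 64-bit block cipher (assumption for this example, not DES)."""
    return _feistel(key, block, range(4))


def D(key, block):
    return _feistel(key, block, reversed(range(4)))


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB and CBC need whole blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))    # Cj = E(K, Pj)


def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for p in blocks(pt):
        prev = E(key, xor(prev, p))                   # Cj = E(K, [Cj-1 xor Pj])
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(prev, D(key, c)))              # Pj = Cj-1 xor D(K, Cj)
        prev = c
    return b"".join(out)


def cfb_crypt(key, iv, data, s=1, decrypt=False):
    """CFB with s-byte units; the shift register is fed with ciphertext."""
    reg, out = iv, b""
    for i in range(0, len(data), s):
        unit = xor(data[i:i + s], E(key, reg))        # leftmost s bytes of E(K, reg)
        out += unit
        fed = data[i:i + s] if decrypt else unit
        reg = (reg + fed)[-BLOCK:]                    # shift left, ciphertext on the right
    return out


def ofb_crypt(key, iv, data):
    """OFB: the cipher output itself is fed back; the same call decrypts."""
    reg, out = iv, b""
    for i in range(0, len(data), BLOCK):
        reg = E(key, reg)
        out += xor(data[i:i + BLOCK], reg)
    return out


def ctr_block(key, counter0, j, block):
    """CTR on block j alone: no chaining, so any block can be processed directly."""
    counter = (counter0 + j) % 2 ** (8 * BLOCK)
    return xor(block, E(key, counter.to_bytes(BLOCK, "big")))


def ctr_crypt(key, counter0, data):
    return b"".join(ctr_block(key, counter0, j, data[i:i + BLOCK])
                    for j, i in enumerate(range(0, len(data), BLOCK)))


if __name__ == "__main__":
    key, iv = b"constructed key", bytes(range(BLOCK))   # constructed sample values
    pt = b"SAMEBLK!SAMEBLK!lastblk."
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    print("ECB repeats:", ecb[:8] == ecb[8:16], "| CBC repeats:", cbc[:8] == cbc[8:16])
    ofb = ofb_crypt(key, iv, pt)
    changed = bytes([ofb[0] ^ 1]) + ofb[1:]
    print("OFB after a 1-bit change:", ofb_crypt(key, iv, changed))
    print("CTR block 2 alone:", ctr_block(key, 1000, 2, ctr_crypt(key, 1000, pt)[16:24]))
```

The OFB result is the reason the notes call the mode vulnerable to message stream modification: a changed ciphertext bit changes exactly the same plaintext bit, so integrity has to come from a separate mechanism.
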

ADVANCED ENCRYPTION STANDARD (AES)


The Advanced Encryption Standard (AES) was published by the National Institute of
Standards and Technology (NIST) in 2001. AES is a symmetric block cipher that is intended
to replace DES as the approved standard for a wide range of applications.

The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be
16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128, AES-192,
or AES-256, depending on the key length.

The cipher consists of N rounds, where the number of rounds depends on the key length:
10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key. The first N - 1
rounds consist of four distinct transformation functions:
• SubBytes,
• ShiftRows,
• MixColumns, and
• AddRoundKey

The final round contains only three transformations, and there is an initial single transformation
(AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes
one or more 4x4 matrices as input and produces a 4x4 matrix as output. Also, the key
expansion function generates N + 1 round keys, each of which is a distinct 4x4 matrix. Each
round key serves as one of the inputs to the AddRoundKey transformation in each round.

Detailed Structure
1. AES is not a Feistel structure. In a Feistel structure, half of the data block is used to modify
the other half of the data block and then the halves are swapped. AES instead processes the
entire data block as a single matrix during each round using substitutions and permutation.
2. The key is expanded into an array of forty-four 32-bit words.
3. Four different stages are used:
• Substitute bytes
• ShiftRows
• MixColumns
• AddRoundKey
4. The structure is simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each include all four stages, followed by
a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and
ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is
reversible without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. This scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an
inverse function is used in the decryption algorithm.
8. The decryption algorithm uses the expanded key in reverse order.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption
does recover the plaintext. At each
horizontal point (e.g., the dashed line in the figure), State is the same for both encryption and
decryption.
10. The final round of both encryption and decryption consists of only three stages.

Substitute Bytes Transformation


The forward substitute byte transformation is called SubBytes. It is represented by a
16x16 matrix called an S-box. For each individual byte of State, the value is mapped into a new byte.
The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a
column value. These row and column values serve as indexes into the S-box to select a
unique 8-bit output value. For example, the hexadecimal value {95} references row 9, column
5 of the S-box, which contains the value {2A}.

ShiftRows Transformation
The forward shift row transformation is called ShiftRows. The first row of State is
not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte
circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed. The
following is an example of ShiftRows.
The inverse shift row transformation, called InvShiftRows, performs the circular shifts
in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second
row, and so on.

MixColumns Transformation
The forward mix column transformation, called MixColumns, operates on each column
individually. Each byte of a column is mapped into a new value that is a function of all four
bytes in that column. The transformation can be defined by the following matrix

The following is an example for mixcolumns

Multiplication of a value by x (i.e., by {02}) can be implemented as a 1-bit left shift
followed by a conditional bitwise XOR with (00011011) if the leftmost bit of the original value
(prior to the shift) is 1. Thus, to verify the MixColumns transformation on the first column, we need to
show that

AddRoundKey Transformation
In the forward add round key transformation, called AddRoundKey, the 128 bits of
State are bitwise XORed with the 128 bits of the round key.

Key Expansion Algorithm
The input to this algorithm is a 4-word key. The output is 44 words. The key is copied
to the first 4 words of the expanded key. The remainder of the expanded key is filled in four
words at a time. Each added word depends on the immediately preceding word, w(i-1), and the
word four positions back, w(i-4).
KeyExpansion (byte key[16], word w[44])
{
    word temp;
    /* the key is copied into the first four words */
    for (i = 0; i < 4; i++)
        w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
    /* each later word depends on w[i-1] and w[i-4] */
    for (i = 4; i < 44; i++)
    {
        temp = w[i - 1];
        if (i mod 4 = 0)
            temp = SubWord (RotWord (temp)) ⊕ Rcon[i/4];
        w[i] = w[i-4] ⊕ temp;
    }
}
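
A runnable Python version of the KeyExpansion pseudocode, together with the pieces it and the earlier sections rely on: multiplication by {02} as a shift and conditional XOR, the S-box used by SubBytes and SubWord, and MixColumns on a single column. This is an added example, not part of the original notes. The S-box is derived from its definition in the AES standard (field inverse followed by an affine map) instead of being typed in as a table, the MixColumns coefficients are the standard's {02} {03} {01} {01} matrix, the key is the example key from FIPS-197 Appendix A.1, and the sample column is a value chosen for this example.

```python
def xtime(a):
    """Multiply by x ({02}) in GF(2^8): 1-bit left shift, then XOR with
    00011011 if the leftmost bit of the original value was 1."""
    shifted = (a << 1) & 0xFF
    return shifted ^ 0x1B if a & 0x80 else shifted


def gmul(a, b):
    """General GF(2^8) product, built from repeated xtime."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result


def build_sbox():
    """S-box entry = affine transform of the multiplicative inverse."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gmul(x, y) == 1)
        s = inv
        for shift in range(1, 5):             # XOR of four left rotations
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()   # SBOX[(row << 4) | col], e.g. {95} -> row 9, column 5


def mix_column(col):
    """MixColumns on one 4-byte column."""
    a0, a1, a2, a3 = col
    return [
        gmul(2, a0) ^ gmul(3, a1) ^ a2 ^ a3,
        a0 ^ gmul(2, a1) ^ gmul(3, a2) ^ a3,
        a0 ^ a1 ^ gmul(2, a2) ^ gmul(3, a3),
        gmul(3, a0) ^ a1 ^ a2 ^ gmul(2, a3),
    ]


def key_expansion(key):
    """Expand a 16-byte key into 44 words, returned as hex strings."""
    if len(key) != 16:
        raise ValueError("this is the AES-128 schedule: key must be 16 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 0x01                                  # Rcon[i/4] = (rc, 0, 0, 0)
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]         # RotWord
            temp = [SBOX[b] for b in temp]     # SubWord
            temp[0] ^= rc                      # XOR with Rcon
            rc = xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return [bytes(word).hex() for word in w]


if __name__ == "__main__":
    print("S-box[{95}] =", format(SBOX[0x95], "02X"))
    print("MixColumns  =", [format(b, "02X") for b in mix_column([0x87, 0x6E, 0x46, 0xA6])])
    words = key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    print("w[4], w[43] =", words[4], words[43])
```
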

DOUBLE DES
The simplest form of multiple encryption has two encryption stages and two keys. Given a
plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
C = E(K2, E(K1, P))

Drawback
• Meet-in-the-middle attack
Given a known pair, (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible values of
K1. Store these results in a table and then sort the table by the values of X, where X = E(K1, P). Next,
decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against
the table for a match. If a match occurs, then test the two resulting keys against a new known
plaintext-ciphertext pair. If the two keys produce the correct ciphertext, accept them as the
correct keys.
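
The procedure above on a scaled-down cipher, to show why a second key adds so little: with 12-bit keys the table costs 2 × 2^12 cipher operations, against 2^24 for trying every key pair. This is an added example, not part of the original notes. The 16-bit Feistel cipher E/D and its round function are constructed for this illustration and stand in for DES; the keys and plaintexts are constructed sample values.

```python
KEY_BITS = 12      # toy key size (DES: 56)


def _subkey(key, i):
    """8-bit round key: the 12-bit key rotated by 3*i positions."""
    rot = (3 * i) % KEY_BITS
    return ((key >> rot) | (key << (KEY_BITS - rot))) & 0xFF


def _f(half, subkey):
    """Toy non-linear round function (constructed, not from DES)."""
    x = (half + subkey) & 0xFF
    x = (x * x + 0x3B * x + 0x5A) & 0xFF
    return x ^ (x >> 3)


def E(key, block):
    """Toy 16-bit, 4-round Feistel encryption."""
    left, right = block >> 8, block & 0xFF
    for i in range(4):
        left, right = right, left ^ _f(right, _subkey(key, i))
    return (right << 8) | left


def D(key, block):
    """Inverse of E: same rounds with the subkeys in reverse order."""
    left, right = block >> 8, block & 0xFF
    for i in reversed(range(4)):
        left, right = right, left ^ _f(right, _subkey(key, i))
    return (right << 8) | left


def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))                     # C = E(K2, E(K1, P))


def meet_in_the_middle(pairs):
    """Return every (K1, K2) consistent with all known (P, C) pairs."""
    (p, c), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << KEY_BITS):            # X = E(K1, P) for every K1
        table.setdefault(E(k1, p), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):            # does D(K2, C) hit a stored X?
        for k1 in table.get(D(k2, c), ()):     # dict lookup replaces the sorted table
            # A match on one pair is only a candidate: confirm on further pairs.
            if all(double_encrypt(k1, k2, pp) == cc for pp, cc in rest):
                found.append((k1, k2))
    return found


if __name__ == "__main__":
    k1, k2 = 0xA5C, 0x3F1                      # constructed sample keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    print("keys consistent with all pairs:", meet_in_the_middle(pairs))
    print("cipher operations for the table search:", 2 * (1 << KEY_BITS))
    print("key pairs in the full key space       :", 1 << (2 * KEY_BITS))
```
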

TRIPLE DES
To overcome the meet-in-the-middle attack, three stages of encryption with
different keys are used. This is called triple DES.
Tuchman proposed a triple encryption method that uses only two keys. The function
follows an encrypt-decrypt-encrypt sequence

C = E(K1, D(K2, E(K1, P)))


There is no cryptographic significance to the use of decryption for the second stage. Its only
advantage is that it allows users of 3DES to decrypt data encrypted by users of the older
single DES:

C = E(K1, D(K1, E(K1, P))) = E(K1, P)


3DES with two keys is a relatively popular alternative to DES and has been adopted for use in
the key management standards.

RC5 is a family of ciphers RC5-w/r/b
– w = word size in bits (16/32/64); nb: data = 2w
– r = number of rounds (0..255)
– b = number of bytes in key (0..255)
• nominal version is RC5-32/12/16
– i.e. 32-bit words, so encrypts 64-bit data blocks
– using 12 rounds
– with 16 bytes (128-bit) secret key

PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEMS

An asymmetric algorithm uses one key for encryption and another key for decryption. The
essential steps for public key cryptography are:
• Each user generates a pair of keys to be used for encryption and decryption.
• Each user places one of the two keys in a public register. This is the public key. The
companion key is kept private.
• If Bob wishes to send a confidential message to Alice, Bob encrypts the message using
Alice's public key.
• When Alice receives the message, she decrypts it using her private key. No other
recipient can decrypt the message because only Alice knows Alice's private key.

Public-Key Cryptosystem: Secrecy

Source A produces a message in plaintext, X = [X1, X2, ..., XM]. The message is intended
for destination B. B generates a related pair of keys: a public key, PUb, and a private key, PRb. PRb is
known only to B, whereas PUb is publicly available and therefore accessible by A.
Encryption
Y = E(PUb, X)
Decryption
X = D(PRb, Y)

The above scheme provides confidentiality.

Public-Key Cryptosystem: Authentication


In this case, A prepares a message to B and encrypts it using A's private key before
transmitting it. B can decrypt the message using A's public key. Because the message was encrypted
using A's private key, only A could have prepared the message. Therefore, the entire encrypted
message serves as a digital signature. In addition, it is impossible to alter the message without
access to A's private key, so the message is authenticated both in terms of source and in terms
of data integrity.
But this encryption process does not provide confidentiality. The message being sent is
safe from alteration but not from eavesdropping. Here, there is no protection of confidentiality,
because any observer can decrypt the message by using the sender's public key.

Public-Key Cryptosystem: Authentication and Secrecy

It is possible to provide both the authentication function and confidentiality by a double use of the
public-key scheme.
Z = E(PUb, E(PRa, X))
X = D(PUa, D(PRb, Z))
First, encrypt a message, using the sender's private key. This provides the digital signature.
Next, encrypt again, using the receiver's public key. The final ciphertext can be decrypted only by the
intended receiver, who alone has the matching private key. Thus, confidentiality is provided.
The disadvantage of this approach is its complexity.

KEY MANAGEMENT
There are two distinct aspects to the use of public-key cryptography:
I) The distribution of public keys
II) The use of public-key encryption to distribute secret keys
I) Distribution of Public Keys
There are four different schemes:
i. Public announcement
ii. Publicly available directory
iii. Public-key authority
iv. Public-key certificates

(i) Public announcement
Any participant can send his or her public key to any other participant or broadcast the key to
the community.

Limitation
Anyone can forge such a public announcement. That is, some user could pretend to be user A
and send a public key to another participant or broadcast such a public key. Authentication is
needed to avoid this problem.

(ii) Publicly Available Directory


A greater degree of security can be achieved by maintaining a publicly available dynamic
directory of public keys. Maintenance and distribution of the public directory would have to be the
responsibility of some trusted entity or organization.
• The authority maintains a directory with a {name, public key} entry for each participant.
• Each participant registers a public key with the directory authority.
• Participants could also access the directory electronically.
• A participant may replace the existing key with a new one at any time to avoid an attack
on that key.
• Periodically, the authority publishes the entire directory or updates of the directory to
all participants in the form of a telephone index.

Advantage
More secure than individual public announcement.

Limitation
Problem arises if the opponent captures the private key of the directory authority.

(iii) Public-key authority
Stronger security for public-key distribution can be achieved by providing tighter control over
the distribution of public keys from the directory. The central authority maintains all public
keys of participants in its dynamic directory. Each participant knows the public key of the
authority, but the private key of the authority is kept secret.

1. A sends a timestamped request to the public-key authority for the public key of B.
2. The authority replies with a message that is encrypted using the authority's private
key, PRauth. A knows the public key of the authority. Therefore, A decrypts the
message. The message includes the following:
• B's public key, PUb
• Request already sent by A (for verification)
• Time1 already sent by A (to prove whether the message is old or not)
3. A stores B's public key and sends a message to B in an encrypted format using B's
public key. This message consists of
• A's identity (IDA)
• Nonce (N1), which is used to identify this transaction uniquely.
4. B retrieves A's public key from the authority in the same manner as A retrieved B's
public key.
5. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as
a new nonce generated by B (N2).
6. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Advantage
More secure and attractive than previous two.
Limitations
• Each and every time, the user must appeal to the authority for a public key for every
other user that it wishes to contact.
• The directory of names and public keys maintained by the authority is vulnerable to
tampering.
(iv) Public key certificate
It uses certificates that can be used by participants to exchange keys without contacting a public key
authority for every transaction.

Each certificate contains a public key and other information created by the certificate authority.
Each participant conveys its key information to its correspondent by transmitting its
certificate. Other participants can verify that the certificate was created by the authority.

The requirements of the scheme are


1. Any participant can read a certificate to determine the name and public key of the certificate
owner.
2. Any participant can verify that the certificate originated from the certificate authority.
3. Only the certificate authority can create and update the certificates.
4. Any participant can verify the currency of the certificate.

II) Public key encryption to distribute secret keys
(i) Simple secret key distribution
(ii) Secret key distribution with confidentiality and authentication
(i) Simple secret key distribution

Steps used for communication between A and B are


1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B
consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, encrypts it using A's public key and transmits it to A.
3. A computes D(PRa, E(PUa, Ks)) to recover Ks. Now, both A and B know Ks.
Once communication is over, both A and B discard Ks.
Problem: Man-in-the-middle attack. It can be rectified by using authentication.

(ii) Secret Key Distribution with Confidentiality and Authentication

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce
(N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as
a new nonce generated by B (N2).
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this
message with B's public key ensures that only B can read it; encryption with A's private key
ensures that only A could have sent it.
5. B then computes D(PUa, D(PRb, M)) to recover the secret key.
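
The five steps above as message exchanges between A and B, which also exercises the double use of the public-key scheme, Z = E(PUb, E(PRa, X)), from the "Authentication and Secrecy" section. This is an added example, not part of the original notes. The notes do not name a public-key algorithm, so textbook RSA without padding is assumed; the primes, identifier, nonces and field widths are constructed sample values and far too small for real use.

```python
def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def rsa(key, m):
    """E(key, m) and D(key, m) are the same modular exponentiation."""
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError("value does not fit under this modulus")
    return pow(m, exponent, n)


# Constructed sample keys. The modulus of A is smaller than the modulus of B,
# which the nesting E(PUb, E(PRa, Ks)) needs: the inner result must fit under
# the outer modulus.
PUa, PRa = make_keypair(1000000007, 998244353)
PUb, PRb = make_keypair(2147483647, 1000000009)
ID_A = 0x41


def pack(hi, lo):
    """Two 24-bit fields in one integer, e.g. [N1 || IDA]."""
    return (hi << 24) | lo


def unpack(value):
    return value >> 24, value & 0xFFFFFF


def a_step1(n1):
    return rsa(PUb, pack(n1, ID_A))               # 1. A -> B: E(PUb, [N1 || IDA])


def b_step2(m1, n2):
    n1, sender = unpack(rsa(PRb, m1))
    if sender != ID_A:
        raise ValueError("unknown sender identifier")
    return rsa(PUa, pack(n1, n2))                 # 2. B -> A: E(PUa, [N1 || N2])


def a_step3(m2, n1):
    echoed, n2 = unpack(rsa(PRa, m2))
    if echoed != n1:                              # reply from another transaction
        raise ValueError("N1 mismatch: reply does not belong to this transaction")
    return rsa(PUb, n2)                           # 3. A -> B: E(PUb, N2)


def b_check3(m3, n2):
    if rsa(PRb, m3) != n2:
        raise ValueError("N2 mismatch: correspondent is not A")


def a_step4(ks):
    return rsa(PUb, rsa(PRa, ks))                 # 4. M = E(PUb, E(PRa, Ks))


def b_step5(m):
    return rsa(PUa, rsa(PRb, m))                  # 5. Ks = D(PUa, D(PRb, M))


if __name__ == "__main__":
    n1, n2, ks = 0x1A2B3C, 0x0D0E0F, 0x0123456789ABCDEF   # constructed values
    m2 = b_step2(a_step1(n1), n2)
    b_check3(a_step3(m2, n1), n2)
    print("B recovers Ks:", hex(b_step5(a_step4(ks))))
    stale = b_step2(a_step1(0x111111), 0x222222)  # reply from an earlier transaction
    try:
        a_step3(stale, n1)
    except ValueError as err:
        print("replayed reply rejected:", err)
```
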
