Lecture 4 Modern Cryptography
Modern Cryptography
ECEG 4192 1
Introduction
• Modern cryptography is based on various mathematical
concepts (e.g. probability)
Modern cryptography
• Two types of cryptosystems based on the
relationship between the encryption and
decryption keys
• Symmetric key (Secret key) encryption
– The same key is used for encrypting and decrypting
• Asymmetric key (public key) encryption
– Different keys are used for encrypting and decrypting
– But the keys are mathematically related
Stream Ciphers and Block Ciphers
• Based on the way in which the plaintext is processed,
cryptographic systems can be stream ciphers or block ciphers
• Stream ciphers: encrypt a digital data stream one bit/byte at a
time. E.g. OTP
– Relatively faster and mostly used in real-time applications
– In practice the bit-stream generator is not truly random and has
limited applicability
• Block ciphers: a block of plaintext is treated as a whole and used
to produce a ciphertext block of equal length
– Encrypt all blocks independently and concatenate the ciphertexts
of the blocks
– Do not depend on random numbers and are widely used
Introduction
• The classical ciphers we saw are also symmetric ciphers.
• There are two restrictive challenges in employing symmetric key
cryptography.
– Key establishment: the key must be shared securely before
communication
– Trust issue: the sender and the receiver are required to
'trust' each other because they share a key
Cont’d
• A source produces a message in plaintext, X = [X1, X2, ..., XM]
• A key of the form K = [K1, K2, ..., KJ] is
generated by the source and securely provided to the
destination, or a third party can generate it
• The encryption algorithm produces the ciphertext
Y = [Y1, Y2, ..., YM] such that Y = E(K, X).
• The destination decrypts the message as X = D(K, Y)
• Examples:
– Data Encryption Standard (DES), Triple DES and Advanced
Encryption Standard (AES)
Ideal block cipher
• A block cipher operates on a plaintext block of n bits
to produce a ciphertext block of n bits.
• There are 2^n possible different plaintext blocks and, for
the encryption to be reversible, each must produce a
unique ciphertext block
• For n=2, the following shows examples of reversible and
irreversible transformations
Cont’d
• With a 2-bit block cipher
– There are 4 possible plaintext combinations
– There are 24 possible transformations
• The sender must send the exact mapping to the receiver. E.g. if the sender
chooses to encrypt P using the mapping K8, then the sender must tell the
receiver that K8 is 01,00,11,10. In this case each possible transformation is
treated as a key, so there are (2^2)! = 24 keys.
• For an n-bit block size, there are 2^n possible plaintext blocks and (2^n)!
possible transformations (or possible keys)
Limitation of ideal block cipher
• Limitations: the limiting factor is the block size
• If a small block size is used, then the system is equivalent
to a classical substitution cipher.
– Key size is too small
• If a large block size is used, the key becomes very large,
which incurs implementation and performance problems
– If n = 64 bits, then there are (2^64)! possible keys. It is good that we
have many different keys, but the key length is too large to be
represented in binary.
– For an n-bit ideal block cipher, the length of the key is n x 2^n bits,
hence for n = 64, 2^70 or around 10^21 bits are required
– This makes key representation and distribution difficult
• Hence the ideal block cipher is not implemented, i.e. it is
impractical
Feistel cipher/structure
• The ideal block cipher is not practical; the Feistel cipher is an
approximation of the ideal block cipher that uses the concept of a
product cipher
• A product cipher is the execution of two or more simple ciphers in
sequence in such a way that the final result is cryptographically
stronger than any of the component ciphers
• The idea is to develop a block cipher with a key length of k bits and a
block length of n bits, allowing a total of 2^k possible transformations,
rather than the (2^n)! transformations
• Feistel proposed the use of a cipher that alternates substitutions
and permutations
– In substitution, each element is uniquely replaced by a
ciphertext element, whereas in permutation, the order in
which the elements appear in the sequence is changed
Cont’d
• The inputs to the encryption algorithm are a
plaintext block of length 2w bits and a key K.
• The plaintext block is divided into two halves,
L0 and R0.
• The two halves of the data pass through rounds
of processing and then combine to produce the
ciphertext block.
• All rounds have the same structure
• Substitution and permutation operations are
used to produce the output
Figure: Encryption/decryption using Feistel cipher (e.g. 16 rounds)
Cont’d
• The left-hand side of the previous diagram shows the encryption
process, whereas the right-hand side shows decryption
• The decryption process is the same as encryption except that it is the
reverse procedure (the keys are used in reverse order)
• The strength of a Feistel network depends on the choice of the following
parameters:
• Block size: generally a greater block size means more security but
reduced encryption/decryption speed.
– E.g. DES uses a block size of 64 bits, AES uses 128 bits
• Key size: larger means more security but reduced speed
– Less than 64 bits is insecure against brute force; 128 bits has become a
common size
• Number of rounds: multiple rounds offer increased security
• Sub-key generation algorithm: greater complexity required
• Round function F: greater complexity required
• Greater complexity should make cryptanalysis more difficult!
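The Feistel structure described above, as an added example (not part of the original slides): a 16-round network on a 2w = 64-bit block in which the same routine decrypts when the round keys are supplied in reverse order, even though F itself cannot be inverted. The hash-based round function and sub-key schedule are assumptions made for illustration and are not those of DES, so the output is not DES ciphertext.

```python
import hashlib

HALF_BITS = 32                        # w = 32, so one block is 2w = 64 bits
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 16


def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    """Toy sub-key generation (assumption): K_i = first 6 bytes of SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, rounds + 1)]


def round_function(right: int, subkey: bytes) -> int:
    """Toy F(R, K) (assumption): hash-based and deliberately not invertible."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block: int, keys: list) -> int:
    """Run the Feistel rounds over one 64-bit block, using keys in the given order."""
    if not 0 <= block < (1 << (2 * HALF_BITS)):
        raise ValueError("block must fit in 64 bits")
    left, right = block >> HALF_BITS, block & HALF_MASK
    for subkey in keys:
        # L_i = R_(i-1)   and   R_i = L_(i-1) XOR F(R_(i-1), K_i)
        left, right = right, left ^ round_function(right, subkey)
    # Swap the halves after the last round. This swap is what lets the same
    # routine undo itself when the keys are supplied in reverse order.
    return (right << HALF_BITS) | left


def encrypt(block: int, key: bytes) -> int:
    return feistel(block, round_keys(key))


def decrypt(block: int, key: bytes) -> int:
    # Same algorithm as encryption; only the round-key order is reversed.
    return feistel(block, round_keys(key)[::-1])


if __name__ == "__main__":
    # Sample values reused from the DES example later in the lecture.
    key = bytes.fromhex("0f1571c947d9e859")
    plaintext = 0x02468ACEECA86420
    ciphertext = encrypt(plaintext, key)
    print(f"plaintext  {plaintext:016x}")
    print(f"ciphertext {ciphertext:016x}")
    print(f"decrypted  {decrypt(ciphertext, key):016x}")
```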
Data Encryption Standard (DES)
Introduction
• Adopted in 1977 by the US government
• The most widely used symmetric encryption scheme
• It is based on the Feistel cipher, with a block size of 64 bits and
a key size of 56 bits
• The algorithm transforms a 64-bit plaintext input into a 64-bit
ciphertext output
Figure: DES takes 64 bits of plaintext (P) and a 56-bit key and produces 64 bits of ciphertext (C)
General Feistel network
• Encryption
• Decryption
Figure: General Depiction of DES Encryption Algorithm (key generation and encryption)
IP and IP^-1
• The initial permutation and its inverse are defined by tables
• The input to the tables consists of 64 bits numbered from 1 to 64
• The IP is done only once, before the 1st round function, and IP^-1 is
applied after the 16th round
Details of a single round
Cont’d
• The left and right halves of each 64-bit intermediate value are
treated as separate 32-bit quantities, labeled L (left) and R (right)
• At a given round i is
Expansion/permutation (E)
Cont’d
S-boxes: 8 S-boxes
• The 48-bit input is first divided into 8 groups of 6 bits each
• The first and last bits of the input to box Si select one of four
rows in the table for Si.
• The middle four bits select one of the sixteen columns
• The 4-bit binary value of the selected cell is produced as output
• The outputs of the S-boxes are then combined into a 32-bit output
S-boxes
E.g:
if 011001 is input for S1, the output will be 1001
Permutation (P)
• The output of the S-boxes (32 bits) passes through another
permutation P to find the output of F(Ri, Ki)
Key generation
• A 64-bit key is used as input to the algorithm, but every
eighth bit is ignored, leaving a 56-bit key
• The key is first subjected to a permutation governed by a
table labeled Permuted Choice One
• The resulting 56-bit key is then treated as two 28-bit
quantities, labeled C0 and D0
• At each round, C_{i-1} and D_{i-1} are separately subjected to a
circular left shift of 1 or 2 bits, using the schedule of left shifts
table.
• These shifted values serve as input to the next round and
pass through a permutation, Permuted Choice Two, to
produce a 48-bit round key which will be input to F(Ri, Ki)
Figure: Permuted Choice One and Permuted Choice Two tables
DES Decryption
• Decryption uses the same algorithm as encryption, except that the
application of the round keys is reversed (start from K16)
• The input is a 64-bit ciphertext and the output is a 64-bit plaintext
Example
• Given that
Plaintext: 0x02468aceeca86420
Key: 0x0f1571c947d9e859
• Determine R1, L1 and K1.
Solution:
L0= 5a005a00 and R0= 3cf03c0f,
K1=7833a320da70
L1=R0=3cf03c0f and
R1= L0 XOR F(R0, K1)=bad22845
The strength of DES
• The key size is 56 bits => 2^56 possible keys (~7.2 x 10^16
keys)
• With this key size a brute force attack seemed impractical,
assuming a single machine which performs a single
decryption per microsecond
• Nowadays the key space of DES is small enough for a brute force
attack to be practical
• DES was finally and definitively proved insecure in July 1998,
when it was broken within less than three days using a
brute force attack
• DES is not a secure algorithm anymore, but it has been the
most used in the financial industry
• Other symmetric algorithms: Triple DES, AES
Triple DES
• Uses three keys of 56 bits each and a block size of 64 bits
=> the total key size of 3DES is 168 bits
• More secure than single DES but slower
• The encryption-decryption process is as follows:
– Encrypt the plaintext blocks using single DES with key K1.
– Now decrypt the output of step 1 using single DES with key K2.
– Finally, encrypt the output of step 2 using single DES with key
K3 to produce the ciphertext.
– Decryption of a ciphertext is the reverse process. The user first
decrypts using K3, then encrypts with K2, and finally decrypts with
K1.
Advanced Encryption Standard (AES)
Introduction
• Limitation of DES: broken with brute force due to its
small key size (56 bits); it is no longer secure!
• Triple DES: secure but slow
• The National Institute of Standards and Technology
published AES in 2001
• AES is a symmetric block cipher that encrypts a 128-bit
block of data using a 128-bit, 192-bit or 256-bit key.
• Faster than TDES
• AES performs all its computations on bytes rather than
bits.
• Unlike DES, AES is not a Feistel cipher; it is based on a block
cipher called Rijndael.
AES operation
• AES treats the 128 bits of a plaintext block as 16 bytes.
• These 16 bytes are arranged in four columns and four
rows as a matrix
• Unlike DES, the number of rounds in AES is variable and
depends on the length of the key.
• AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit
keys and 14 rounds for 256-bit keys.
• Each of these rounds uses a different 128-bit round key,
which is calculated from the original AES key
• AES takes a 128-bit block of plaintext and produces 128 bits
of ciphertext
Structure of AES
Cont’d
• MixColumns:
– Each column of four bytes is now transformed into new bytes
using a special mathematical function.
– This step is not performed in the last round.
• AddRoundKey:
– A simple bitwise XOR of the current block with a portion of the
expanded key.
– The 16 bytes of the matrix are now considered as 128 bits and
are XORed to the 128 bits of the round key.
– If this is the last round then the output is the ciphertext.
Otherwise, the resulting 128 bits are interpreted as 16 bytes
and we begin another similar round.
Decryption
• It is encryption in reverse order, i.e.
– Add round key
– Mix columns
– Shift rows
– Byte substitution
• AES has built-in flexibility of key length
• No practical cryptanalytic attacks against AES have been
discovered.
• But like DES, AES security is assured only if it is
correctly implemented and good key management is
employed
Summary
• Both DES and AES are symmetric block ciphers
• DES is based on the Feistel block cipher, whereas
AES uses Rijndael
• DES takes a 64-bit block of plaintext and
produces 64 bits of ciphertext. Similarly, AES has
a block size of 128 bits of plaintext and produces
the same size of ciphertext block
• DES uses a 56-bit key, whereas AES uses a 128-, 192-
or 256-bit key
• DES is no longer secure!
Asymmetric Encryption
Introduction
• Asymmetric encryption is also called public-key encryption
• Public-key algorithms are based on mathematical
functions rather than on substitution and permutation
• Uses two different keys for encryption and decryption
• More computational overhead compared to symmetric
encryption techniques
• The primary limitation of symmetric encryption is key
distribution
• In symmetric encryption the key must be kept secret, whereas in
asymmetric encryption only one of the keys is kept secret
• E.g. RSA
Public-key encryption example
• Alice’s private key is only known by her. So decryption is only possible by the
receiver who knows the private key
Cont’d
• With this approach, all parties have access to
public keys
• And private keys are generated locally by each
participant and therefore need never be
distributed.
• As long as a user’s private key remains protected
and secret, incoming communication is secure.
• At any time, a system can change its private key
and publish the companion public key to replace
its old public key.
Modulo arithmetic
• The number X (mod Y) is the remainder when X is
divided by Y.
• Z ≡ X (mod Y) means that Z and X have the same
remainder when divided by Y
• Definition
a ≡ b (mod c) ⇐⇒ a = b + kc for some integer k.
• Example
21 ≡ 1 (mod 4) because 21 = 1 + (5)4
5^2 ≡ 3 (mod 11) because 25 = 3 + (2)11
• Properties
Example
• E.g. 1: compute X = 36 * 53 * 91 * 17 * 22 (mod 29)
Solution:
• Use the modular multiplication property
X = 36 * 53 * 91 * 17 * 22 (mod 29)
= [(36 mod 29) * (53 mod 29) * (91 mod 29) * (17 mod 29) * (22 mod 29)] (mod 29)
= 7 * 24 * 4 * 17 * 22 (mod 29)
= 168 * 68 * 22 (mod 29)
= 23 * 10 * 22 (mod 29)
= 230 * 22 (mod 29)
= 27 * 22 (mod 29)
= 14 (mod 29)
= 14
Cont’d
• E.g. 2: compute 11^43 (mod 13)
Solution:
• First write 43 as a sum of powers of 2: in binary, 43 = 101011.
• Then add the decimal values of each 1: 43 = 32 + 8 + 2 + 1
• Now 11^43 = 11^32 * 11^8 * 11^2 * 11
• Hence 11^43 (mod 13) = (11^32 * 11^8 * 11^2 * 11) (mod 13)
• To solve this, start by repeatedly squaring the number
11 (mod 13) = 11
11^2 (mod 13) = 121 (mod 13) = 4 (mod 13) = 4
11^4 (mod 13) = (11^2)^2 (mod 13) = 4^2 (mod 13) = 16 (mod 13) = 3 (mod 13) = 3
11^8 (mod 13) = (11^4)^2 (mod 13) = 3^2 (mod 13) = 9 (mod 13) = 9
11^16 (mod 13) = (11^8)^2 (mod 13) = 9^2 (mod 13) = 81 (mod 13) = 3 (mod 13) = 3
11^32 (mod 13) = (11^16)^2 (mod 13) = 3^2 (mod 13) = 9 (mod 13) = 9
11^43 (mod 13) = (9 * 9 * 4 * 11) (mod 13) = (81 * 44) (mod 13)
= (3 * 5) (mod 13) = 15 (mod 13) = 2
The Euclidean algorithm
• A simple procedure for determining the greatest
common divisor of two positive integers
• Suppose we have integers a, b such that d = gcd(a, b)
• Applying the division algorithm,
• a = q1·b + r1, 0 <= r1 < b
• If r1 = 0, b is a divisor of a, and d = gcd(a, b) = b
• If r1 ≠ 0, then d is a divisor of r1
• b = q2·r1 + r2, 0 <= r2 < r1
• If r2 = 0 then d = r1; if r2 ≠ 0, then d = gcd(r1, r2)
The Extended Euclidean Algorithm
• For integers a and b, the extended Euclidean algorithm
not only calculates the gcd but also two additional
integers x and y such that
ax + by = d = gcd(a, b)
• at each step i we can find integers xi and yi that satisfy
ri = axi + byi
Cont’d
• E.g: Solve for x , y and d such that d = 1759x + 550y =
gcd(1759, 550).
– Answer: d = 1, x =-111, y =355
RSA
• The most widely accepted public key encryption
• RSA: Rivest-Shamir-Adleman
• Plaintext and ciphertext are integers between 0 and n-1,
for some n.
• A typical size for n is 1024 bits, with a minimum of 512
bits in most cases
• Plaintext is encrypted in blocks, with each block having a
binary value less than some number n
• Each party who uses this encryption needs to generate a
pair of keys: a public key and a private key.
• The public key is made public while the private key is kept
secret
Generation of RSA Key Pair
• Generate the RSA modulus (n)
– Select two large primes, p and q.
– Calculate n = p*q
• Find the derived number (e)
– The number e must be greater than 1 and less than (p − 1)(q − 1).
– The two numbers e and (p − 1)(q − 1) must be co-prime, i.e.
gcd(e, (p − 1)(q − 1)) = 1
• Publish the public key
– The pair of numbers (n, e) forms the public key
– Strength of RSA: difficulty in factoring n into p and q
• Generate the private key
– The private key d is calculated from p, q, and e. For given n and e,
there is a unique number d.
ed ≡ 1 (mod (p − 1)(q − 1))
– The pair (n, d) is the private key and is kept secret
RSA encryption and Decryption
• RSA encryption: the plaintext is first represented as a series
of numbers less than n
– To encrypt the plaintext P, which is a number modulo n,
compute:
C = P^e mod n
– where C is the RSA ciphertext, P is the plaintext, e is the public
key and n is the product of p and q
– This means that C is also a number less than n
• RSA decryption is also straightforward: suppose the receiver, who owns the
public-key pair (n, e), has received a ciphertext C; then
P = C^d mod n
• Both sender and receiver must know the value of n.
• The sender knows the value of e, and only the receiver
knows the value of d.
• It is infeasible to determine d given e and n
Example
• Given two primes p = 7 and q = 13, encrypt the plaintext
P = 10.
Solution:
• Compute the modulus n:
• n = p*q = 91
• Find the public key:
– Find e such that 1 < e < (p-1)(q-1) and gcd(e, (p-1)(q-1)) = 1
• Let e = 5, because gcd(5, 72) = 1
– The public key is (91, 5)
• Compute the private key
• ed ≡ 1 (mod (p-1)(q-1))
• 5d ≡ 1 (mod 72)
• You can use the Extended Euclidean Algorithm to compute d
Using Extended Euclidean Algorithm
• φ = (p-1)(q-1) = 72
• Solve for x and y such that gcd(φ, e) = 1, that is,
φx + ey = 1, where y is the private key d
72x + 5y = 1
• Solving this, x = -2, y = 29
• 5d ≡ 1 (mod 72) => d = 29
• The private key is (91, 29)
Cont’d
• Encryption
– C = P^e mod n => 10^5 mod 91 = 82. Hence, using RSA, the ciphertext of
plaintext 10 is 82.
• Decryption: let us find the original message
• P = C^d mod n = 82^29 mod 91
First, 29 = 11101 in binary => 29 = 16 + 8 + 4 + 1
Hence 82^29 mod 91 = (82 * 82^4 * 82^8 * 82^16) (mod 91)
• Use the modular product
(82)^1 ≡ 82 (mod 91) = 82
(82)^2 ≡ 82^2 = 81 (mod 91) = 81
(82)^4 ≡ (82^2)^2 = (81)^2 ≡ 9 (mod 91) = 9
(82)^8 ≡ (82^4)^2 = (9)^2 ≡ 81 (mod 91) = 81
(82)^16 ≡ (82^8)^2 = (81)^2 ≡ 9 (mod 91) = 9
• Then compute the output of the decryption
82^29 mod 91 = (82 * 82^4 * 82^8 * 82^16) (mod 91)
= 82 * 9 * 81 * 9 (mod 91)
= 738 * 729 (mod 91)
= 10 * 1 (mod 91)
= 10 => the original plaintext
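The modular exponentiation, Extended Euclidean Algorithm and RSA slides above, combined into one added example (not part of the original lecture) that reproduces each worked result. The function names are chosen here for illustration; this is textbook RSA with the lecture's toy primes and no padding, so it illustrates the arithmetic only.

```python
def mod_pow(base: int, exponent: int, modulus: int) -> int:
    """Square-and-multiply: walk the exponent's bits, squaring at every step."""
    result = 1
    square = base % modulus               # holds base^(2^i) mod modulus
    while exponent > 0:
        if exponent & 1:                  # this power of two is part of the sum
            result = (result * square) % modulus
        square = (square * square) % modulus
        exponent >>= 1
    return result


def extended_gcd(a: int, b: int):
    """Return (d, x, y) such that a*x + b*y = d = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1           # invariants: a0*x0 + b0*y0 = a, a0*x1 + b0*y1 = b
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def rsa_keypair(p: int, q: int, e: int):
    """Build ((n, e), (n, d)) from primes p, q and a chosen public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must satisfy 1 < e < (p-1)(q-1)")
    d, _, y = extended_gcd(phi, e)        # phi*x + e*y = gcd(phi, e)
    if d != 1:
        raise ValueError("e and (p-1)(q-1) must be co-prime")
    return (n, e), (n, y % phi)           # y % phi keeps the private key positive


def rsa_encrypt(plaintext: int, public_key) -> int:
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer in [0, n-1]")
    return mod_pow(plaintext, e, n)


def rsa_decrypt(ciphertext: int, private_key) -> int:
    n, d = private_key
    return mod_pow(ciphertext, d, n)


if __name__ == "__main__":
    print(mod_pow(11, 43, 13))            # E.g. 2 of the modular arithmetic slides
    print(extended_gcd(1759, 550))        # Extended Euclidean example
    public, private = rsa_keypair(7, 13, 5)
    c = rsa_encrypt(10, public)
    print(public, private, c, rsa_decrypt(c, private))
```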
Other cryptographic techniques
• Symmetric and asymmetric encryption
techniques ensure confidentiality of information
• Cryptography is more than that
– Can ensure Data integrity, authentication and others
– E.g: hashing function, message authentication, digital
signature
Cryptographic Hashing functions
• A hash function H accepts a variable-length block of data M as
input and produces a fixed-size hash value h = H(M)
• A change to any bit or bits in M results in a change to the
hash code
Cont’d
• The principal objective of a hash function is data integrity
• The kind of hash function needed for security applications is
referred to as a cryptographic hash function
• It is an algorithm for which it is computationally infeasible to find
either
– A data object that maps to a pre-specified hash result (the one-
way property) or
– Two data objects that map to the same hash result (the
collision-free property)
• When a hash function is used to provide integrity, the hash function
value is often referred to as a message digest
Operation of hashing
• The sender (Alice) computes a hash value as a function of
the bits in the message
• Alice transmits both the hash value and the message.
• The receiver performs the same hash calculation on the
received message bits and compares this value with
the received hash value.
• If there is a mismatch, the receiver knows that the message (or
possibly the hash value) has been altered
Examples
• Message Digest 5 (MD5)
– Processes a variable-length message into a fixed-length
output of 128 bits
– The input message is broken up into 512-bit blocks
– It is no longer secure! (a collision attack exists)
• Secure Hash Algorithms (SHA)
– SHA-1: hash output of 160 bits
– SHA-2 (SHA-224, SHA-256, SHA-512)
• Hash output of 224 bits, 256 bits and 512 bits respectively
– Secure
Message Authentication Code
• Message authentication is a procedure to verify that received
messages come from the alleged source and have not been
altered.
• A Message Authentication Code (MAC) is used to verify the
source of the message (source authentication) and that the
received message has not been modified (data integrity)
– It involves the use of a secret key to generate a small fixed-size block
of data, known as a cryptographic checksum or MAC, that is
appended to the message.
– MAC= C(K,M)
where
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
Cont’d
• The message plus MAC are transmitted to the intended recipient.
The recipient performs the same calculation on the received
message, using the same secret key, to generate a new MAC.
• The received MAC is compared to the calculated MAC. If the
received MAC matches the calculated MAC:
– The receiver is assured that the message has not been altered.
– The receiver is assured that the message is from the alleged sender.
Because no one else knows the secret key, no one else could prepare a
message with a proper MAC
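The hash check and the MAC check described above, side by side, as an added example (not part of the original slides). HMAC-SHA256 is used here as one concrete choice for the MAC function C, and the key and messages are constructed sample values. It shows why an unkeyed hash sent with the message detects accidental change only, while the MAC also rejects a message whose checksum was recomputed by someone without the key.

```python
import hashlib
import hmac


def digest(message: bytes) -> bytes:
    """Unkeyed hash h = H(M): anyone who can change M can also recompute h."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """MAC = C(K, M), with HMAC-SHA256 chosen here as the MAC function C."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message: bytes, received_hash: bytes) -> bool:
    """Receiver side of the hashing slide: recompute and compare."""
    return hmac.compare_digest(digest(message), received_hash)


def verify_mac(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Receiver side of the MAC slide: recompute with the shared key and compare."""
    # compare_digest takes the same time wherever the first mismatch is, so
    # the comparison does not reveal how much of a wrong tag was correct.
    return hmac.compare_digest(mac(key, message), received_mac)


def run_scenarios() -> dict:
    key = b"constructed-shared-key"           # constructed sample secret
    original = b"pay 100 to account 1234"     # constructed sample message
    altered = b"pay 900 to account 1234"      # the same message changed in transit

    return {
        # Unkeyed hash sent alongside the message
        "hash_intact": verify_hash(original, digest(original)),
        "hash_message_changed": verify_hash(altered, digest(original)),
        "hash_both_replaced": verify_hash(altered, digest(altered)),
        # MAC computed with the shared secret key
        "mac_intact": verify_mac(key, original, mac(key, original)),
        "mac_message_changed": verify_mac(key, altered, mac(key, original)),
        "mac_recomputed_without_key": verify_mac(
            key, altered, mac(b"not-the-shared-key", altered)),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:28s} accepted={accepted}")
```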
Digital Signature
• Message authentication protects two parties from any third party.
• However, it does not protect the two parties against each other.
– Several forms of dispute between the two are possible. Solution: digital
signature
• A digital signature is based on public-key cryptography
• Bob can sign a message using a digital signature generation
algorithm.
– The inputs to the algorithm are the message and Bob’s private key.
– Any other user, say Alice, can verify the signature using a verification
algorithm, whose inputs are the message, the signature, and Bob’s public
key.
• The hash value of a message is encrypted with a sender’s private
key. Anyone who knows the sender’s public key can verify the
integrity of the message that is associated with the digital
signature.
• In this case, an attacker who wishes to alter the message would
need to know the user’s private key
Cont’d
Figure: Bob generating his signature; Alice verifying the signature