Lecture 2- Symmetric-Key-Encryption - Notes

The document discusses information security in eCommerce, focusing on symmetric key encryption mechanisms and cryptographic tools. It covers basic concepts of cryptography, including the differences between symmetric and asymmetric encryption, and introduces classical symmetric key algorithms like the Caesar cipher. Additionally, it highlights the principles of cryptanalysis and the importance of understanding letter frequencies in deciphering messages.


CS5285

Information Security for eCommerce

Dr. Gerhard Hancke


CS Department
City University of Hong Kong

1
Reminder of last week
❑ Information security
o Basic concepts and terminology
o Threats, services, mechanisms, algorithms
❑ Where to find countermeasures and
mechanisms?
o What is a standard? Good and bad aspects.
o Standard bodies
o Internet/company standards

2
Today’s Lecture
❑ Confidentiality
o Symmetric key encryption mechanisms
❑ CILO2 and CILO5
(technology that impact systems, and
security mechanisms)

3
Cryptographic Tools:

Symmetric Key Encryption

Symmetric Key Encryption 4

Encryption has fascinated people for centuries… this lecture gives us a little bit of history of security and encryption.

Looking at symmetric or secret key cryptography (this simply means the sender and recipient use the same key).

The other approach we will be looking at later is asymmetric or public key cryptography.

Note that we are dealing specifically with encryption mechanisms (symmetric key crypto can also be used for other purposes).

4
Crypto – a brief introduction
❑ Cryptology ⎯ The art and science of making and breaking
“secret codes”
❑ Cryptography ⎯ making “secret codes”
o ychrpyaprtgo
o C=MK
❑ Cryptanalysis ⎯ breaking “secret codes”
o ychrpyaprtgo is cracked to ______________, QED.
❑ Crypto ⎯ all of the above (and more)
o More on non-repudiation (signature), authentication,
identification, zero-knowledge, commitment, and more…
o Any reference books?... Bruce Schneier’s Applied Cryptography, Handbook
of Applied Cryptography, Introduction to Modern Cryptography

Symmetric Key Encryption 5

Reference slides

Cryptography was originally mostly encryption.

Ychrpyaprtgo is cracked to ‘Cryptography’.

Allocate 12 spaces for the ciphertext (1-12) – start writing the letters from C in the even spaces until o is the final letter in space 12, now start filling in the remaining letters into the odd spaces starting with space 11.

These days ‘Crypto’ (and cryptography) is much more than just secret codes and confidentiality.

5
"The history of codes and ciphers
is the story of the centuries-old
battle between codemakers and
codebreakers, an intellectual arms
race that has had a dramatic
impact on the course of history."
– Simon Singh, The Code Book

Cryptography – Part I 6

References slide

These are essentially the same remarks one can make about anything in security – it is an ‘arms race’ between those who design secure systems and those who wish to circumvent security countermeasures.

Still, consider historical methods to give us an idea of how this cycle works, and why the need was there to improve.

6
• A symmetric-key cipher or cryptosystem is used for encrypting/decrypting a
plaintext/ciphertext
• The same key is used for encrypting and decrypting

[Diagram: Alice encrypts plaintext with the shared key and sends the ciphertext to Bob, who decrypts it with the same key; an eavesdropper sees only the ciphertext and attempts cryptanalysis.]

Symmetric Key Encryption 7

You need to know this model and be able to explain the similarities and differences between symmetric and asymmetric mechanisms.

In a symmetric system the encryption and decryption key is the same!

The message is plaintext, which becomes ciphertext after the encryption function. The decryption function takes the ciphertext and makes it into plaintext.

An attacker’s goal is to either get the key or the plaintext from the observed ciphertext.

7
Cryptanalysis
Basic assumptions
o The system is completely known to the attacker
o Only the key is secret
o Also known as Kerckhoffs Principle
o Crypto algorithms are not secret
o No “security through obscurity”

Objective of an attacker
o Identify secret key used to encrypt a ciphertext
o (OR) recover the plaintext of a ciphertext without the
secret key

Symmetric Key Encryption 8

You need to be able to explain Kerckhoffs’ principle and know the objectives of an attacker that would result in encryption being ‘broken’.

Look at the previous slide again – which of the following need to be kept secret when doing symmetric encryption?
a) Encryption/decryption key
b) Encryption/decryption algorithm

Only a – keeping b secret does not adhere to Kerckhoffs’ principle…

In modern cryptography we are mostly concerned with the key being found – more so than the message – many times an attacker can guess the basic messages (e.g. repetitive network commands).

-----------------
For interest

8
The system is known to the attacker – what does he know about our plaintext/ciphertext? There are different approaches: ciphertext only (the attacker sees only encrypted data), known plaintext (the attacker sees ciphertext but knows the plaintext), chosen plaintext (the attacker can ask our system to encrypt plaintext messages he chooses)!

Three basic types of cryptanalysis vs encryption
• Ciphertext only attack
– The attacker only possesses some ciphertext
• Known plaintext attack
– The attacker possesses some corresponding pairs of plaintext and ciphertext
• Chosen plaintext attack
– The attacker has temporary access to the encryption process and hence can choose plaintexts and generate the corresponding ciphertexts

8
Examples of (Classical) Symmetric Key Encryption
Algorithms – Classical Cryptography
Ciphertexts:
1. IRXUVFRUHDQGVHYHQBHDUVDJR
2. VSRQJHEREVTXDUHSDQWV
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Caesar Cipher
• Famous early use of cryptography was by the Roman Emperor Julius Caesar
• Caesar cipher (a.k.a. shift cipher) is a type of substitution cipher
• Cipher algorithm: each letter in the plain alphabet is replaced with the letter
n places further on in the alphabet
• Key: n, the number of letters to shift

Symmetric Key Encryption 9

Look at the next two slides then do the examples.

I expect you to know what a substitution cipher is, and know the special case of the Caesar cipher type.

What is the key in this case? N=3 (a Caesar cipher is a shift cipher with N=3).

1. IRXUVFRUHDQGVHYHQBHDUVDJR
FOURSCORE AND SEVEN YEARS AGO

2. VSRQJHEREVTXDUHSDQWV
Sponge Bob Square Pants

9
Example
❑ Plain letters are written in lower case and
cipher letters in UPPER CASE
❑ Key is 3

abcdefghijklmnopqrstuvwxyz
DEFGHIJKLMNOPQRSTUVWXYZABC
❑ Write out plain message: hello everyone
❑ encipher each letter in turn by looking for the
corresponding letter in the cipher translation
table.
❑ This gives the ciphertext message:
KHOOR HYHUBRQH

Hello everyone is: KHOORHYHUBRQH

10
So as long as the message recipient
knows the key – how many letters you
have shifted the alphabet by – they can
build the cipher alphabet and decipher
the message by going through the
cipher algorithm in reverse.
KHOOR HYHUBRQH

hello everyone

Go back to slide 9 and try the examples.

What is the key in this case?

11
Other simple substitution
ciphers
❑ Caesar cipher has only 25 possible
cipher alphabets
❑ Wouldn’t take long to try them all
❑ Other cipher systems use less regular
methods for generating alphabets
❑ Must still have a key to generate an
alphabet the recipient can reproduce

In the case of a shift cipher what is the secret key?

The offset of the shift.

12
Example
❑ Take as your key a favourite quote.
❑ For example, take:
“pure mathematics is, in its way, the
poetry of logical ideas”
❑ First strip out repeating letters so
each letter is unique

Quote from Albert Einstein

13
pure mathematics is, in its way,

pure*math****ics **, *n *** w*y,

the poetry of logical ideas


*** ****** of l*g**** *d***

puremathicsnwyoflgd

14
❑ Fill in this sequence as the start of your
cipher alphabet.
a b c d e f g h i j k l m n o p q r s t u v w x y z
P U R E M A T H I C S N W Y O F L G D Z X V Q K J B
❑ Fill up the alphabet with the letters which
have not been used, in some systematic order
(here we have used reverse alphabetical
order)
❑ This cipher alphabet is less predictable than
the Caesar cipher, yet it is still simple for
both sender and receiver to generate,
provided they know the key phrase

What is the key in this case? What must both parties know?

You should know the substitution table but I would argue that the
complete phrase is the key. This allows both parties to construct
the table and encrypt/decrypt.
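The two ways of building a cipher alphabet shown above (a uniform shift, and a key phrase with the unused letters appended in reverse alphabetical order), as an added Python example that is not part of the lecture slides. It reproduces the slides' own values: shift 3 on "hello everyone", the two slide-9 ciphertexts, and the alphabet derived from the Einstein quote; cipher letters are written in upper case as on the slides.

```python
"""Monoalphabetic substitution as described on the slides: a cipher alphabet
is a permutation of a-z. The Caesar (shift) cipher is the special case where
the permutation is a uniform shift; a key phrase is another way to build a
permutation both parties can reproduce from a short shared key."""
import string

ALPHABET = string.ascii_lowercase


def caesar_alphabet(shift):
    """Cipher alphabet for a shift cipher: 'a' maps to the letter `shift` places on."""
    return ALPHABET[shift:] + ALPHABET[:shift]


def keyword_alphabet(phrase):
    """Cipher alphabet from a key phrase (the 'pure mathematics ...' construction):
    keep each letter of the phrase at its first appearance, then append the
    letters not yet used in reverse alphabetical order, as the slides do."""
    seen = []
    for ch in phrase.lower():
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    rest = [c for c in reversed(ALPHABET) if c not in seen]
    return "".join(seen + rest)


def encrypt(plaintext, cipher_alphabet):
    """Substitute each letter via the table; cipher letters come out in UPPER
    CASE, and non-letters (spaces, punctuation) pass through unchanged."""
    table = dict(zip(ALPHABET, cipher_alphabet.upper()))
    return "".join(table.get(ch, ch) for ch in plaintext.lower())


def decrypt(ciphertext, cipher_alphabet):
    """Invert the substitution table; plain letters come out in lower case."""
    table = dict(zip(cipher_alphabet.upper(), ALPHABET))
    return "".join(table.get(ch, ch) for ch in ciphertext.upper())


if __name__ == "__main__":
    shift3 = caesar_alphabet(3)                       # the slides' Caesar table
    print(encrypt("hello everyone", shift3))          # KHOOR HYHUBRQH
    print(decrypt("IRXUVFRUHDQGVHYHQBHDUVDJR", shift3))
    quote = "pure mathematics is, in its way, the poetry of logical ideas"
    print(keyword_alphabet(quote).upper())            # PUREMATHICSNWYOFLGDZXVQKJB
```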

15
Simple Substitution: each plaintext letter is substituted by
a distinct ciphertext letter
EIMBULJIWLNYANJMVLIURAHIWAI
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

DEPARTMENTOFCOMPUTERSCIENCE

Symmetric Key Encryption 16

You can choose any permutation you like as long as the recipient
knows what you are using.

Shift is a special sub-category of substitution.

16
An example of simple substitution…

Symmetric Key Encryption 17

Substitution ciphers are made for people to understand

17
An Example

Ciphertext (encrypted using simple substitution)

PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAX
BVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJ
VWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFA
GFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODX
QHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQP
QJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUV
WFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEF
ZQWGFLVWPTOFFA

Symmetric Key Encryption 18

Where would you start if given a ciphertext to decode? What is your strategy?

What cipher? In this case substitution – so you know each letter maps onto another letter but you do not know the permutation for all 26 letters.

18
Question: how secure is Simple Substitution?

Let’s do some analysis…

Symmetric Key Encryption 19

Is substitution a very weak approach in itself? The problem is that it can really only encrypt text.

What is the key?

For Caesar – the shift value. For a Caesar cipher everything is mapped using a uniform shift of 1-25.

For substitution – the substitution alphabet.

19
• A secret key (in Simple Substitution) is a random permutation of the alphabetic
characters.
• E.g.

• Each permutation is a potential candidate of the secret key

• Question: how many distinct permutations are there? (in other words,
how many distinct secret keys are in the key space?)

Symmetric Key Encryption 20

Think why we said the number of keys in a Caesar cipher is 25 while here we say the total number of permutations is 26! (this is all possible combinations of mappings – A can map to 26 possible letters, choose 1; B can then map to 25 possible letters, choose 1; C can then map to 24 possible letters, etc.)

For a Caesar cipher everything is mapped using a uniform shift of 1-25.

20
• Total number of possible permutations: 26!
• 26! = 403,291,461,126,605,635,584,000,000 (27 digits) ≈ 2^88

• Maybe… write a computer program to try all the possible keys exhaustively… (so-called Brute-force Attack)

• Calculation: suppose we have one million 3GHz PCs which can each try 3 billion permutations per second; the machines will take 4,263 years to try all the 26! permutations…
• Not so efficient

• Question: any better cracking algorithm?

Symmetric Key Encryption 21

You must understand how we get to a keyspace of 26! (26! is the factorial of 26).

Brute force is not the best way of doing things – all algorithms can be brute forced! It is just that some algorithms require more effort to brute force than others.

Also think about the practical issues involved with brute force – how do you know when you have found the right permutation? In substitution it is easier – the plaintext must be coherent text.

What is data represented as in computer systems? Binary data. Remember this when thinking about the one time pad later…

21
Cracking substitution ciphers
❑ In the eighth century AD, Islamic culture
entered a golden age
❑ The most learned society of its time
❑ Cryptography was routinely used for matters
of state
❑ This led to the development of cryptanalysis,
with scholars using a combination of
mathematics, statistics and linguistics to
develop techniques for deciphering messages
when the key is unknown

This history is not important but you need to know what the frequency analysis approach to cryptanalysis is, and how it works.

22
Letter frequencies
❑ In studies of the text of the Qur’an,
scholars had noticed that some letters
appear more frequently than others
❑ In English the letters e and t are used
much more frequently than the letters z
and q, and this fact can be used to
decipher messages
❑ This process is called frequency analysis

Why is the statistical information of the plaintext important in a substitution cipher?

Because there is a one-to-one match from plaintext character to ciphertext character, the plaintext statistical information will therefore determine the ciphertext statistical information.

23
Statistical Attack / Frequency Analysis
• An interesting observation on simple substitution: the relative
letter frequencies do not change during encryption
• Average letter frequencies in English (Beker and Piper, 1982)

letter  frequency    letter  frequency
A       .082         N       .067
B       .015         O       .075
C       .028         P       .019
D       .043         Q       .001
E       .127         R       .060
F       .022         S       .063
G       .020         T       .091
H       .061         U       .028
I       .070         V       .010
J       .002         W       .023
K       .008         X       .001
L       .040         Y       .020
M       .024         Z       .001

Symmetric Key Encryption 24

Substitution does not change the letter frequency of the plaintext.

These are obviously average frequencies – so you cannot expect these values to appear exactly in a ciphertext, but it is useful to know which letters are more likely to occur. So for example, if you see a letter appearing a lot then it is probably not mapping to X or Z.

You should be able to solve basic short substitution problems using frequency analysis – so I suggest you study the most common letters and letter combinations (you should not memorise every single frequency or all letter combinations).

24
Further frequency analysis
❑ Pairs of letters in words are most
likely to be: “ss”, “ee”, “tt”, “ff”, “ll”,
“mm” or “oo”.
❑ A one letter word is either “a” or “I”.
❑ Two letter words are commonly: “of”,
“to”, “in”, “it”, “is”, “be”, “as”, “at”, “so”,
“we”, “he”, “by”, “or”, “on” or “do”, in
that order.

25
Further frequency analysis
❑ Three letter words are commonly
“the” or “and”.
❑ The letter h frequently goes before e
(as in “he”, “the”, “then”, etc.) but
rarely goes after e. No other pair of
letters has such an asymmetric
relationship.

26
Further frequency analysis
❑ Another technique is to use a crib,
which is a word or phrase you can
guess will be in the message

If you know there is a certain word and where it is you know the
associated ciphertext (known plaintext approach) – this means
you know the mapping for all the word’s letters.

27
Example
NKRRU NKXK OY G ZKYZ
SKYYGMK ZU KTIOVNKX LUX AYK
GY GT KDGSVRK OT GT GXZOIRK
LUX OYWAGXKJ SGMGFOTK

a b c d e f g h i j k l m n o p q r s t u v w x y z
G       K

Any letter more than usual? K

Single letter? A?

28
Example
NeRRU heXe
heRRU NeXe OY a ZeYZ
SeYYaMe ZU eTIOVheX
eTIOVNeX LUX AYe
aY aT eDaSVRe OT aT aXZOIRe
LUX OYWAaXeJ SaMaFOTe

a b c d e f g h i j k l m n o p q r s t u v w x y z
G       K     N

Some letter always front of e? N >> h

First word
We can see that the first word has “RR” as a repeated character, so we
might try to think of a word with a repeated letter in the middle. Also,
noticing that the combination “Ne” keeps appearing in the message, you
might guess this is “he”, which appears frequently in English. So perhaps R
corresponds to l and N to h, so that the first word is “hello”?

29
Example
[Slide: the message with the letters found so far filled in (a, e, h, l, m, n, o, p, x); the rest still in cipher letters.]
❑ Notice all the letters are in alphabetical
positions?
a b c d e f g h i j k l m n o p q r s t u v w x y z
G       K     N       R S   U V               D


What do you notice down there? Alphabetical with a shift of 6

30
Example
[Slide: the fully deciphered message, plain letters written under the cipher letters:]
hello here is a test message to encipher for use as an example in an article for isquared magazine
❑ Could this be a Caesar cipher?

a b c d e f g h i j k l m n o p q r s t u v w x y z
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F

Since we have obtained a sensible message, it is clear that we have found the correct cipher alphabet.
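Frequency analysis carried out on the slide-28 ciphertext, as an added Python example (not from the slides). It recovers the shift two ways: the slides' reasoning that the most frequent cipher letter is probably "e", and a chi-squared score of every possible shift against the Beker and Piper table from slide 24, which uses the whole letter distribution and is the general form of the same idea.

```python
"""Frequency analysis of the 'NKRRU NKXK ...' ciphertext from the slides.
(1) assume the most frequent cipher letter stands for 'e';
(2) decrypt under all 26 shifts and keep the one whose letter counts are
    closest (chi-squared) to average English, using the slide-24 table."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Average English letter frequencies (Beker and Piper, 1982), as on slide 24.
ENGLISH = {
    "a": .082, "b": .015, "c": .028, "d": .043, "e": .127, "f": .022, "g": .020,
    "h": .061, "i": .070, "j": .002, "k": .008, "l": .040, "m": .024, "n": .067,
    "o": .075, "p": .019, "q": .001, "r": .060, "s": .063, "t": .091, "u": .028,
    "v": .010, "w": .023, "x": .001, "y": .020, "z": .001,
}

# Ciphertext from slide 28 (a Caesar cipher; the key is what we want to find).
CIPHERTEXT = ("NKRRU NKXK OY G ZKYZ SKYYGMK ZU KTIOVNKX LUX AYK "
              "GY GT KDGSVRK OT GT GXZOIRK LUX OYWAGXKJ SGMGFOTK")


def letter_counts(text):
    """Count a-z only, ignoring case; spaces reveal word boundaries but carry
    no letter statistics."""
    return Counter(ch for ch in text.lower() if ch in ALPHABET)


def caesar_shift_decrypt(text, shift):
    """Shift every letter back by `shift`; spaces are kept so words stay readable."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def guess_shift_most_frequent(text):
    """Method 1: the most common cipher letter is assumed to be plaintext 'e'."""
    top, _ = letter_counts(text).most_common(1)[0]
    return (ALPHABET.index(top) - ALPHABET.index("e")) % 26


def chi_squared(text, shift):
    """Distance between the letter counts of `text` decrypted with `shift` and
    the counts average English would give for the same length; lower is better."""
    counts = letter_counts(caesar_shift_decrypt(text, shift))
    n = sum(counts.values())
    return sum((counts[c] - ENGLISH[c] * n) ** 2 / (ENGLISH[c] * n)
               for c in ALPHABET)


def guess_shift_chi_squared(text):
    """Method 2: try all 26 shifts and keep the most English-looking result."""
    return min(range(26), key=lambda s: chi_squared(text, s))


if __name__ == "__main__":
    for name, guess in (("most-frequent-letter", guess_shift_most_frequent),
                        ("chi-squared", guess_shift_chi_squared)):
        shift = guess(CIPHERTEXT)
        print(name, "-> key", shift, ":", caesar_shift_decrypt(CIPHERTEXT, shift))
```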

31
Knowing the key is 6, you can now
decipher future messages from your
enemy. Be careful what information you
act on though – if you seem too knowing
your enemy might get suspicious and
change their key or algorithm!

32
Ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAX
BVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJV
WLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAG
FOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQH
FOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJT
QOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFL
QHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQW
GFLVWPTOFFA

Ciphertext frequency counts:

letter: A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
count:  21 26 6  10 12 51 10 25 10 9  3  10 0  1  15 28 42 0  0  27 4  24 22 28 6  8

Symmetric Key Encryption 33

Fun exercise – decipher the ciphertext above….

33
Question: How to beat frequency analysis?

Symmetric Key Encryption 34

34
Beating frequency analysis
❑ Methods for countering frequency
analysis were developed, including:
o Omitting spaces
o Deliberate misspellings
o Nulls – characters that have no meaning
o Codes – replacing whole words or phrases
with letters, words or phrases

Slides 35 and 36 are for reference – just know that substitution ciphers are not statistically strong enough.

Remember the quote about the ‘arms race’ with codes… each time we make a modification it makes things better for a while, then someone finds a way around it…

We can put in nulls (‘dummy’ words), or first substitute and then substitute again… but at the end of the day simple substitution is not a strong enough method against modern cryptanalysis and computing capability.

How to make it better? Ideas?

35
❑ Such methods helped, but ultimately
cryptanalysts won out and each method could
be accounted for
❑ A better cipher was needed
❑ Led to different variations on substitution
ciphers using principle of polyalphabetic
substitution (repeating plaintext letter
mapped to different ciphertext based in
changing state of cipher).

The next step was polyalphabetic ciphers – the substitution alphabet changes during the message.

Not necessarily weak in terms of principle (some substitution ciphers were historically quite tricky to try and figure out – e.g. read about the Enigma machine). Enigma was quite good – operational issues led to cryptanalysis (repeated use of keys, often sending the same message, starting messages the same way – ‘To:’, ‘Nothing to report’ – and having a user manual with some plaintext/ciphertext examples).

The Vigenère cipher is only for reference.

36
Vigenère cipher
❑ Emerged in sixteenth century
❑ The same plain letter can be enciphered and
the same cipher letter deciphered in several
different ways, significantly disrupting
frequency analysis
❑ Uses more than one cipher alphabet and
different letters are enciphered with these
in turn (basically interwoven Caesar cipher).
❑ Cipher alphabets must be chosen by some
systematic process
Copyright information: some of the slides are taken from Peter Rowlett’s Substitution Ciphers: Ancient – Renaissance in the History of Maths and www.historyofmathsandx.co.uk/topics/cryptography

This is just for extra information, no need to study Vigenere

37
Example
❑ First, choose a word for your key
❑ Key: Choose “pauli”
❑ The Caesar cipher alphabets beginning with
the letters of the keyword are then
produced:
a b c d e f g h i j k l m n o p q r s t u v w x y z
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H

38
❑ Take as plaintext message: hello
❑ Cipher algorithm: encode each letter
using each cipher alphabet in turn,
cycling through the cipher alphabets
❑ If your plaintext is longer than the key
word then keep repeating the keyword
o hellobob >> paulipau

39
a b c d e f g h i j k l m n o p q r s t u v w x y z
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
❑ “h” is enciphered using the “P” alphabet, giving “W”
❑ “e” is enciphered using the “A” alphabet, giving “E”
❑ “l” is enciphered using the “U” alphabet, giving “F”
❑ “l” is enciphered using the “L” alphabet, giving “W”
❑ “o” is enciphered using the “I” alphabet, giving “W”

❑ ciphertext message: WEFWW

40
❑ hello to ciphertext message: WEFWW
❑ Notice that, crucially, we have
o (a) enciphered the two letters “l” to give
different cipher letters “F” and “W”;
o and, (b) enciphered different plaintext
letters “h”, “l” and “o” to give the same
ciphertext letter “W”.
❑ Through use of multiple alphabets, the chart
of letter frequencies is distorted, providing
strong resistance to frequency analysis

41
❑ Vigenère is more complicated to
implement than single-alphabet
substitution ciphers
❑ This adds to the time taken to encipher
and decipher messages
❑ It becomes worth the time and hassle if
you know your enemy can decipher your
simple substitution cipher messages
❑ Can the Vigenère cipher be broken?

Can we use frequency analysis? No, since there is no discernible substitution mapping for each plaintext letter. It is a one-to-many mapping.

42
❑ Vigenère was for 300 years considered
undecipherable (1553-1863)
❑ Primary weakness is that if the length of the
codeword is known we can break each of the
individual Caesar ciphers independently
❑ 1863 Friedrich Kasiski published his Kasiski
Examination method
o Estimates keyword length without plaintext
knowledge or the keyword needing to be a
recognisable word

Source: https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher

43
❑ Kasiski notices that repeated words are by
chance encrypted using same key letters
❑ For keyword ABCD:
Key: ABCDABCDABCDABCDABCDABCDABCD
Plaintext: CRYPTOISSHORTFORCRYPTOGRAPHY
Ciphertext: CSASTPKVSIQUTGQUCSASTPIUAQJB

❑ Repetition distance is 16 – key size is 16, 8, 4, 2 or 1
❑ If you find multiple repetitions then it is easier

Ciphertext: VHVSSPQUCEMRVBVBBBVHVSURQGIBDUGRNICJQUCERVUAXSSR

❑ VHVS repeats at distance 18 (18, 9, 6, 3, 2, 1) and QUCE at 30 (30, 15, 10, 6, 5, 3, 2, 1)
❑ Key size 6, 3, 2 or 1 (most probably 6)
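The Vigenère encryption of "hello" under "pauli" (slides 38-40) and the Kasiski examination on the two ciphertexts above, as one added Python example that is not from the slides. `repeat_distances` generalises the slides' hand search to every repeated fragment of a chosen length, and the key-length estimate is the gcd of all the distances found.

```python
"""Vigenère cipher and Kasiski examination, as on the slides: the keyword
selects a Caesar alphabet per position, and repeated ciphertext fragments
tend to lie a multiple of the key length apart, so the gcd of the distances
between repeats estimates the key length."""
from functools import reduce
from math import gcd
import string

ALPHABET = string.ascii_uppercase


def vigenere_encrypt(plaintext, key):
    """Letter i of the plaintext is shifted by letter i mod len(key) of the key
    ('hellobob' under 'pauli' is keyed by 'paulipau')."""
    key = key.upper()
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(key[i % len(key)])) % 26]
        for i, p in enumerate(plaintext.upper()))


def vigenere_decrypt(ciphertext, key):
    """Reverse: subtract the key letter instead of adding it."""
    key = key.upper()
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(key[i % len(key)])) % 26]
        for i, c in enumerate(ciphertext.upper()))


def repeat_distances(ciphertext, n=4):
    """Distance from each repeated n-letter fragment back to its first occurrence."""
    first_seen = {}
    distances = []
    for i in range(len(ciphertext) - n + 1):
        frag = ciphertext[i:i + n]
        if frag in first_seen:
            distances.append(i - first_seen[frag])
        else:
            first_seen[frag] = i
    return distances


def kasiski_key_length(ciphertext, n=4):
    """Key-length estimate: gcd of all repeat distances (0 when nothing repeats)."""
    return reduce(gcd, repeat_distances(ciphertext, n), 0)


if __name__ == "__main__":
    print(vigenere_encrypt("hello", "pauli"))                 # WEFWW
    c1 = vigenere_encrypt("CRYPTOISSHORTFORCRYPTOGRAPHY", "ABCD")
    print(c1, repeat_distances(c1), kasiski_key_length(c1))   # distances all 16
    c2 = "VHVSSPQUCEMRVBVBBBVHVSURQGIBDUGRNICJQUCERVUAXSSR"    # slide 44
    print(repeat_distances(c2), kasiski_key_length(c2))       # [18, 30] -> 6
```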

44
Enigma Machine
❑ Used by Germany in World War II
o Last famous substitution cipher
❑ Polyalphabetic substitution
o To recover message receiver must have
machine configured in same initial state as
the sender

Credit: https://brilliant.org/wiki/enigma-machine/

This is just for extra information, no need to study Enigma.

Configured rotors, and plug board on front. Pressing keys would light a lamp showing the corresponding plaintext (or ciphertext when decrypting).

45
Enigma Machine
❑ Sender and receiver used monthly code
books to configure machine for specific
day
❑ Plugboard (up to 10 pair swops)
o Letter swop, if codebook said A/L connect
these by wire causing A input to be seen as
L, and L as A
❑ Rotors
o Choose 3 of 5 rotors in specified order
o Set initial letter of each rotor


46
Enigma Machine
❑ This means the machine has many states
o Approximately 2^67, or 160 × 10^18
❑ Cryptanalysis
o One feature (turned weakness) was a plaintext
cannot encrypt to itself. So this gives clue as
to what the message is not.
o Used cribs (known plaintext to eliminate
states)
▪ Weather report, “nothing to report”, message sign
off
❑ State then calculated through search
o Bombe machines (each emulating 36 Enigmas)

Usually a message started with a weather report, and the message was signed Heil Hitler. Commonly the message was “Keine besonderen Ereignisse”, which means nothing to report.

Moving on from substitution – in the end substitution can also only encrypt text characters…

Efforts on Enigma drove lots of other computer science inventions (first effort at a computer) and involved famous mathematicians/scientists (Alan Turing).

The Germans also used an early stream cipher called the Lorenz cipher (this led to the development of an early computer – the Colossus – to aid in cryptanalysis).

47
One-time Pad Encryption
Encryption: Plaintext ⊕ Key = Ciphertext

We use ASCII to represent the text (shown as hexadecimal numbers)

eXclusive OR (⊕) binary operation (1⊕1=0; 1⊕0=1; 0⊕0=0)

            h  e  l  l  o  a  l  i  c  e
Plaintext:  68 65 6C 6C 6F 61 6C 69 63 65
Key:        FF 0A B2 5D C7 C3 EE 22 3F 68
Ciphertext: 97 6F DE 31 A8 A2 82 4B 5C 0D

Symmetric Key Encryption 48

Times were changing – arguably due to changes in communication methods, binary data rather than the alphabet was considered. Early telegraph/radio used Baudot code (letters represented by 5 bits).

The idea for the one time pad was first mentioned by Frank Miller, but it was originally thought to have been invented in 1917 by Gilbert Vernam (called the Vernam cipher; a patent was issued for the XOR operation) for teleprinters.

In the 1940s, Claude Shannon proved the significance of the one time pad – he studied security from an information theory perspective and introduced the concept of perfect secrecy.

Go back to substitution – if we send the same message twice, and we see the same ciphertext – do we learn something?

XOR is a special binary function: if C = A XOR B then C XOR A = B, or C XOR B = A.

In a true one time pad the entire message is XORed with a random binary value (string) of equal length.

Right, so what does the perfect scheme look like?

You need to understand that perfect secrecy means that the attacker has no idea about any of the plaintext – this does not mean he does not know the plaintext, this means he knows *nothing*. For example, if we use a good cipher and we encrypt the same plaintext twice and it gives the same ciphertext, then even if the plaintext is not known we lose perfect secrecy, as we know something – the message is the same.

Here the key is a random value that has the same length as the plaintext.

48
One-time Pad Decryption
Decryption: Ciphertext ⊕ Key = Plaintext

Ciphertext: 97 6F DE 31 A8 A2 82 4B 5C 0D
Key:        FF 0A B2 5D C7 C3 EE 22 3F 68
Plaintext:  68 65 6C 6C 6F 61 6C 69 63 65

            h  e  l  l  o  a  l  i  c  e

❑ Pad must be random, used only once
❑ Pad has the same size as message

Symmetric Key Encryption 49

A one time pad is very simple – yet it offers perfect secrecy – theoretically secure. Why?

If given the ciphertext there is no way we can know the message for sure. Any ciphertext can decrypt to any possible plaintext, so any encrypted message can decrypt to any other message.

49
One-time Pad Use

Ciphertext: 97 6F DE 31 A8 A2 82 4B 5C 0D
Key:        F5 16 BB 53 D1 C7 E8 24 34 63
Plaintext:  62 79 65 62 79 65 6A 6F 68 6E

            b  y  e  b  y  e  j  o  h  n

❑ Good: The ciphertext can decrypt to any possible plaintext
❑ Bad: Managing the key (the pad) is not practical

Symmetric Key Encryption 50

Why do we not use it? Key management…

1. How will we keep giving the pad to the recipient? Each time we
send a message we need to send a new random ‘pad’ with it.

2. We need a key that is the same length as the message.

3. We also need a new key each and every time.
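The three one-time pad slides worked in Python, as an added example that is not from the lecture: encryption and decryption with the slide-48 pad, and the perfect-secrecy point of slide 50 made concrete by computing the pad under which the same ciphertext reads "byebyejohn". The reuse check at the end shows why the pad must be used once: with the same pad, the XOR of two ciphertexts equals the XOR of the two plaintexts, and the pad has cancelled out.

```python
"""One-time pad with the slides' hex values. Encryption and decryption are the
same XOR; for every candidate plaintext of the right length there is exactly
one pad that explains the ciphertext, so the ciphertext alone says nothing
about which plaintext was sent (perfect secrecy)."""
import secrets


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext, pad):
    return xor_bytes(ciphertext, pad)   # XOR is its own inverse: (P ^ K) ^ K = P


def pad_that_decrypts_to(ciphertext, candidate_plaintext):
    """The pad under which `ciphertext` would decrypt to `candidate_plaintext`.
    Slide 50: the key F5 16 BB ... makes the slide-48 ciphertext read 'byebyejohn'."""
    return xor_bytes(ciphertext, candidate_plaintext)


def fresh_pad(length):
    """A pad must be random and used once; the OS CSPRNG is the practical source."""
    return secrets.token_bytes(length)


def pad_reuse_leak(c1, c2):
    """If one pad encrypts two messages, C1 XOR C2 = P1 XOR P2: the pad cancels
    and an observer is left with the XOR of the two plaintexts."""
    return xor_bytes(c1, c2)


# Values from slides 48-50 (the lecturer's constructed pad and ciphertext).
PAD = bytes.fromhex("FF0AB25DC7C3EE223F68")
CIPHERTEXT = bytes.fromhex("976FDE31A8A2824B5C0D")

if __name__ == "__main__":
    print(otp_encrypt(b"helloalice", PAD).hex().upper())       # 976FDE31A8A2824B5C0D
    print(otp_decrypt(CIPHERTEXT, PAD))                         # b'helloalice'
    print(pad_that_decrypts_to(CIPHERTEXT, b"byebyejohn").hex().upper())  # F516BB53D1C7E8243463
    c2 = otp_encrypt(b"byebyejohn", PAD)                        # pad reused: bad
    print(pad_reuse_leak(CIPHERTEXT, c2) == xor_bytes(b"helloalice", b"byebyejohn"))  # True
```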

50
• A symmetric-key cipher or cryptosystem is used for encrypting/decrypting a
plaintext/ciphertext
• The same key is used for encrypting and decrypting

[Diagram: Alice encrypts plaintext with the shared key and sends the ciphertext to Bob, who decrypts it with the same key; an eavesdropper sees only the ciphertext and attempts cryptanalysis.]

Symmetric Key Encryption 51

Remember Alice and Bob: the same key, and an algorithm for encrypt and decrypt.

What are the two main types: stream and block? Can you remember the difference?

51
Stream Ciphers

• Deterministic Algorithm a.k.a. Keystream Generator
• Ciphering Sequence a.k.a. Keystream

Symmetric Key Encryption 52

You need to study this slide.

XOR is a special binary function: if C = A XOR B then C XOR A = B, or C XOR B = A.

Remember our basic symmetric encryption model – in this case we have a shared key, and the ‘encryption’ and ‘decryption’ function is actually the same mathematical function (each side calculates the same keystream and does the XOR).

The key is fed into a deterministic algorithm (a function that has no randomness in future states – reproducible and predictable). This only holds for someone with the key – if you know the key the algorithm is deterministic. If someone just observes the output, and he does not have the key, it appears like random output.

Later we will see that other schemes can have different encrypt and decrypt functions, i.e. encrypt and then reverse the encryption operation.

52
What is important here? Sender and receiver synchronisation.

52
Stream Ciphers

Secret Key → Keystream Generator → keystream
Plaintext ⊕ keystream = Ciphertext

❑ Secret key length: 128 bits, 256 bits, etc.
❑ Maximum plaintext length: usually can be arbitrarily long.
❑ Security: Given a “long” segment of keystream (e.g. 2^40 bits), the secret key cannot be derived AND the subsequent segment of the keystream cannot be deduced.

Symmetric Key Encryption 53

Study this slide.

We consider a stream cipher to be secure if, when the attacker gets a long sequence of the keystream (not the ciphertext), he cannot 1) determine the key, 2) calculate future keystream.

Stream ciphers are considered to be fast, and you can make as much keystream as you have plaintext.

What about disadvantages? What happens if we know the plaintext? We can XOR the plaintext with the ciphertext – then we have the keystream. Then we XOR it with our own message.

As we combine the plaintext and keystream using XOR, we should really also then provide integrity for the data.

Consider if we send a value 0010 encrypted with keystream 1010 (C = 0010 XOR 1010 = 1000). Without knowing the plaintext (maybe just the format) an attacker can modify the message by flipping a bit, C’ = 0000, which means P = 0000 XOR 1010 = 1010 and the value is bigger.

Alternatively, if the attacker knows the plaintext he can compute KS = C XOR P and then create C’ = KS XOR M (his message). The receiver will then decrypt to M.

If we are to use stream ciphers in practice we need additional security services – especially with regard to integrity/data origin authentication.

53
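The keystream malleability described in these notes, as an added runnable example (not code from the lecture). A hash-based counter generator stands in for a real stream cipher (an assumption for the demo: deterministic given key and nonce, unpredictable without the key); the 0010/1010 bit-flip from the notes is reproduced, known plaintext is shown to give away the keystream, and an encrypt-then-MAC check (HMAC-SHA256, chosen here as the integrity/data origin authentication service) rejects the tampered ciphertext. The function names and the sample key, nonce and message are all constructed for this example.

```python
import hashlib
import hmac

# Added demonstration (not the lecture's code). The keystream generator below is a
# hash-based stand-in for a real stream cipher: deterministic given (key, nonce),
# unpredictable without the key. Using SHA-256 counter output is an assumption for the demo.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse: the same function with the same keystream


def bit_flip_example():
    """The notes' 4-bit case: P = 0010, KS = 1010, C = 1000. Flipping the top bit of C
    (no knowledge of P needed) makes the receiver decrypt the larger value 1010."""
    p, ks = 0b0010, 0b1010
    c = p ^ ks
    tampered = c ^ 0b1000
    return c, tampered ^ ks  # (0b1000, 0b1010)


def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """KS = C XOR P: with one known plaintext the keystream for those positions is exposed."""
    return xor_bytes(ciphertext, plaintext)


def _mac_key(key: bytes) -> bytes:
    # Separate MAC key derived from the encryption key (assumption: simple hash-based split)
    return hashlib.sha256(b"mac-key|" + key).digest()


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: tag = HMAC(nonce || ciphertext), so any flipped bit is detected."""
    ciphertext = encrypt(key, nonce, plaintext)
    tag = hmac.new(_mac_key(key), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes):
    """Verify the tag before decrypting; return None on any tampering (16-byte nonce, 32-byte tag)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_mac_key(key), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(key, nonce, ciphertext)


if __name__ == "__main__":
    key, nonce = b"constructed-16B-key!", b"constructed-nonc"  # constructed sample values
    print(bit_flip_example())
    blob = seal(key, nonce, b"amount=0010")
    flipped = bytearray(blob)
    flipped[16] ^= 0x80  # flip one bit inside the ciphertext part
    print(open_sealed(key, blob), open_sealed(key, bytes(flipped)))
```

The point for a defender is the last two lines: without the tag the flipped ciphertext decrypts to a plausible but wrong value; with the tag the receiver gets None and drops the message. A fresh nonce per message is assumed throughout, since reusing (key, nonce) would reuse keystream.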
RC4
❑ A stream cipher
❑ Ron’s code version 4 (Ronald Rivest)
❑ Stream ciphers are generally faster than block
ciphers
❑ RC4
o Stage 1: RC4 initialization
o Stage 2: RC4 keystream generation

Symmetric Key Encryption 54

You need to know that RC4 is an example of a stream cipher but there is no need to study the inner details/workings.

RC4 is a good (or famous anyway) example of a stream cipher. From the late 1980s, not secure anymore.

In practice we rarely use special/dedicated stream ciphers – if we would like to generate keystream it is seen as more secure to generate keystream using a block cipher in a mode of operation that gives us keystream (like OFB or CFB, output feedback or cipher feedback mode). Stallings has more details about these modes.
RC4 Initialization
o Setup:
    byte key[N];   // secret key (e.g. N = 16, i.e. 128-bit key)
    byte K[256];   // keying material
    byte S[256];   // internal state
o Initialization:
    for i = 0 to 255
        S[i] = i
        K[i] = key[i mod N]
    j = 0
    for i = 0 to 255
        j = (j + S[i] + K[i]) mod 256
        swap(S[i], S[j])
    i = j = 0
❑ S[] is now a permutation of 0, 1, ..., 255

Symmetric Key Encryption 55

We are interested in the fact that after initialisation the internal state is now a permutation dependent on the key.

You can see that, in keeping with earlier ideas on permutation, we are actually just dealing with bit-level permutation/substitution.
RC4 Keystream Generation
❑ To output a keystream byte, swap table elements and select a byte

    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap(S[i], S[j])
    t = (S[i] + S[j]) mod 256
    KeyStreamByteSelected = S[t]

❑ Use the KeyStreamByteSelected to XOR with one byte of plaintext, then iterate the keystream generation steps above to get another byte of keystream
❑ Note: Some research results show that the first 256 bytes must be discarded, otherwise an attacker may be able to recover the key.

Symmetric Key Encryption 56

This illustrates the advantage of a stream cipher – if we need a byte of keystream then we just iterate once more…
We can make as much keystream as we have plaintext… need to encrypt another byte, make another byte of keystream.
Questions: What are the current symmetric key cryptosystems?

There are many…

They can be categorized into two types:

1. Stream Cipher
2. Block Cipher

[Diagram: Cryptosystems → Symmetric Key Cryptosystems (Stream Ciphers, Block Ciphers) and Public Key Cryptosystems]

Symmetric Key Encryption 57

What is a symmetric key cryptosystem?

Finished with looking at stream and block ciphers.

You can use this picture to understand how the cryptosystems we will look at relate to each other.

For symmetric encryption we can have either a stream cipher or a block cipher.
Block Ciphers

[Diagram: plaintext → Block Cipher (secret key) → Ciphertext]

❑ A block cipher takes a block of plaintext and a secret key, and produces a block of ciphertext.
❑ The key is reused for different plaintext blocks
❑ Typical block sizes: 64 bits, 128 bits, 192 bits, 256 bits
❑ Key sizes: 56 bits (DES), 128/192/256 bits (AES)
❑ Popular block ciphers: DES, 3DES, AES, Twofish, Serpent

Symmetric Key Encryption 58

Study this slide.

You must at least know the most common block ciphers like DES, 3DES and AES.

What is the main difference between a stream cipher and a block cipher?

A stream cipher uses a cryptographic function and key to generate keystream the same length as the plaintext – it can be any length. The keystream is then XORed with the plaintext to form the ciphertext.

This means that the function does not need to be reversible; it just needs to generate good unpredictable keystream. You do not need to reverse the function, the actual plaintext encryption and decryption combination is the XOR.

A block cipher takes a plaintext input of fixed size (the block size; if you do not have enough plaintext you need to pad until you have a block of the required size). It then generates ciphertext of a fixed size (the block size).

The block cipher cryptographic function actually works on the plaintext (for example, it does permutation/substitution, etc. on the plaintext) to come up with ciphertext. This means the block cipher function must be reversible/invertible (i.e. given ciphertext you must be able to work back to plaintext).

Do not confuse stream ciphers with block cipher modes of operation that try to approximate stream ciphers – in such a mode the underlying function is still a block cipher, and the output of the deterministic function is still a multiple of the block size.
DES (Data Encryption Standard)
❑ Ciphertext obtained from plaintext by iterating a round function (i.e. cryptographic operations)
❑ Input to round function consists of a round key Ki and the output of the previous round
❑ The DES round function is also known as the Feistel Transformation

[Diagram: 64-bit Plaintext Block → 16 rounds, each with round key Ki derived from the 56-bit Secret Key → 64-bit Ciphertext Block]

Symmetric Key Encryption 59

You should know the basic operation of DES, like block size, key size and basic architecture (initial, final permutation and 16 rounds each with own round key).

Text below is for reference only

1973: NBS publish a call for proposals for an encryption algorithm standard.
1974: IBM encouraged to submit an encryption algorithm.
1976: After consultation this algorithm adopted as a federal standard and then published as DES the following year.
1977: DES mandatory for Federal Agencies and adopted as ANSI X3.92 and used throughout international financial industry.
1988: NSA removed its endorsement of DES (despite predicted 15-year lifespan).
1988: NBS reaffirmed use of DES to appease the financial industry.
1998: NIST issue a new call for an algorithm in 1998.
Feistel Structure

[Figure: Feistel structure]

Cryptography – Part I 60

Interest only

We only deal with half the data during one round.

[Diagram: 56-bit Secret Key → Key-expansion Algorithm → round keys → Round Function, repeated]

Symmetric Key Encryption 61

Interest only

A Feistel cipher is a basic architecture used in a number of ciphers.

This is the structure shown above, where each round has a split of the text into left and right 32 bits, Li+1 = Ri and Ri+1 = f(Ri) XOR Li

1. How do you choose the round function f?

Feistel cipher – example – f does not need to be reversible. It can be one way; the reversibility comes from the XOR.

2. How do you decrypt using a Feistel cipher?

How do we decrypt when we have a Feistel architecture? Flip the order of rounds to decrypt (i.e. the order you used the round keys), otherwise exactly the same logic.

This saves resources; 1976 – what is the status of computers (Apple I released 1976 – 1 MHz clock, standard 4 kB memory).

3. How many rounds should a Feistel cipher have?

Generally you need more rounds, because you are only working on half the block at a time.

Key expansion – need to get 16 round keys out of one 56-bit key.
[Figure: One Round of DES – inputs Li-1, Ri-1 (32 bits each) and the key (two 28-bit halves). Ri-1 is expanded from 32 to 48 bits and XORed with the 48-bit round key Ki; the S-boxes map the 48 bits back to 32; the P box permutes the 32 bits, which are XORed with Li-1 to give Ri, while Li = Ri-1. The two 28-bit key halves are shifted each round and compressed to the 48-bit Ki.]

Symmetric Key Encryption 62

You should know that in DES the round function F is an expansion, substitution and permutation…

Substitution: every 6 bits to 4 bits

P box – one fixed shuffle of each bit

The rest is for reference only.
Properties of good block cipher algorithms

• Confusion
– A small change in the key should be able to change 50% of the ciphertext
– An attacker using a bruteforce attack shouldn’t receive any signs that he is getting closer to the correct key
• Diffusion
– A small change in the plaintext should cause 50% of the ciphertext to change
– Hide any statistical relation between the plaintext and the ciphertext
• Completion
– Each bit of the ciphertext depends on each bit of the key
– The attacker won’t be able to find valid parts of the key using divide and conquer methods

Symmetric Key Encryption 63

Study this slide

Completion means that if we flip a bit it should not always change the same 50% of bits.
Security of DES
❑ Security of DES depends solely on the internals of f
❑ More than thirty years of intense analysis has revealed no
“back door”
❑ The most effective attack today against DES is still the
exhaustive key search (a.k.a. bruteforce attack)

Symmetric Key Encryption 64

Best attack against DES remains exhaustive key search

Bruteforce Attack | Exhaustive Key Search

• An algorithm is secure when the easiest way of attacking it is by bruteforce attack.
• i.e. check all possible key combinations one by one (could be done in parallel)
• For a key of n bits, the total number of possible keys (or the entire key space) is 2^n.
• An average of half the combinations should be tried in order to find the key, i.e. 2^(n-1).
• Nowadays the minimum recommended key size is 128 bits to make a bruteforce attack infeasible in practice.

Symmetric Key Encryption 65

Know the recommended key size, and the minimum key size.

128-bit symmetric keys recommended until 2030.

Also note that if doing brute force search on average you need to search half the key space (2^(n-1)).
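The Feistel questions of slides 60-61 (a one-way round function, decryption by reversing the round-key order, a key schedule producing one round key per round) and the exhaustive key search of slide 65, combined in one added example (not DES and not the lecture's code). The cipher is a constructed toy: 32-bit blocks, 16-bit halves, 4 rounds, a 16-bit key, and a round function that truncates a SHA-256 hash so it is obviously not invertible; the key schedule, constants and function names are this example's own. The key space is deliberately tiny so the known-plaintext search of slide 66 can be run to completion in a second, and it also returns every key consistent with the pair, illustrating the slide's note that there may be more than one.

```python
import hashlib

# Added toy cipher (not DES, not the lecture's code): a 32-bit Feistel network with
# 16-bit halves, 4 rounds and a 16-bit key, small enough to search exhaustively.
HALF_BITS = 16
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 4
KEY_BITS = 16


def key_schedule(key: int) -> list:
    """Toy key expansion: one key -> ROUNDS round keys (rotation plus a round constant)."""
    round_keys = []
    for r in range(ROUNDS):
        rot = (3 * r) % HALF_BITS
        rk = ((key << rot) | (key >> (HALF_BITS - rot))) & HALF_MASK
        round_keys.append(rk ^ ((0x9E37 * (r + 1)) & HALF_MASK))
    return round_keys


def f(right: int, round_key: int) -> int:
    """Round function: a hash truncated to 16 bits. It is one-way and is never inverted;
    the Feistel XOR supplies the reversibility."""
    data = right.to_bytes(2, "big") + round_key.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def feistel(block: int, round_keys) -> int:
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rk in round_keys:
        left, right = right, left ^ f(right, rk)  # L_{i+1} = R_i, R_{i+1} = L_i XOR f(R_i, K_i)
    return (right << HALF_BITS) | left  # undo the last swap so decryption reuses the same loop


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key)[::-1])  # same logic, round keys in reverse order


def exhaustive_search(plaintext: int, ciphertext: int):
    """Known-plaintext exhaustive search over all 2^KEY_BITS keys. Returns every key
    consistent with the pair (there may be more than one) and the trial count at the first hit."""
    candidates, first_hit = [], None
    for trial, k in enumerate(range(1 << KEY_BITS), start=1):
        if encrypt(plaintext, k) == ciphertext:
            candidates.append(k)
            if first_hit is None:
                first_hit = trial
    return candidates, first_hit


if __name__ == "__main__":
    key, pt = 0x1234, 0xDEADBEEF  # constructed values
    ct = encrypt(pt, key)
    assert decrypt(ct, key) == pt
    found, trials = exhaustive_search(pt, ct)
    print(f"ct={ct:08x} candidates={[hex(k) for k in found]} trials_to_first_hit={trials} "
          f"(average over all keys is about 2^{KEY_BITS - 1} = {1 << (KEY_BITS - 1)})")
```

Searching keys in order, key k is found on trial k+1, which averages to about 2^(n-1) over the key space, the figure on slide 65. With a 56-bit key the same loop would need 2^40 times as many trials as this 16-bit toy, which is the whole argument for key sizes of 128 bits and above.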
Bruteforce Attack Against DES
❑ Known-Plaintext Attack: Given a plaintext x and corresponding ciphertext y, every possible key would be tested until a key K is found such that
   E(K, x) = y
   Note: there may be more than one such key K.
❑ Total number of keys = 2^56 ≈ 7.2×10^16 keys
❑ Assume at the speed of 10^6 encryptions per second, it would need more than 1000 years to break DES.
❑ Two cryptographers, Diffie and Hellman, postulated in 1977 that a DES cracking machine with 10^6 processors, each able to test 10^6 keys per second, could be built for about US$20M.
o This machine can break DES in about 10 hours.

Symmetric Key Encryption 66

Only know that a brute force attack (finding the key with known plaintext) is now viable against DES.

US$20 million in 1977 is about US$107 million today.

Rest of slides 66 and 67 for reference.
Exhaustive Key Search

Symmetric Key Encryption 67

Rest for reference

• In 1993, Michael Wiener presented a pipelined chip which tests 5×10^7 DES keys per second.
• Each chip could cost US$10 and a frame of 5760 chips would cost about $100K.

• In 1998, a DES cracker (nicknamed “Deep Crack”, http://en.wikipedia.org/wiki/EFF_DES_cracker) was built by the Electronic Frontier Foundation (EFF).
• It performs 2^56 DES operations in 56 hours: 90 billion searches per second.
• Cost: US$250K (first piece), US$50K - $75K (duplicates).

• A software version of the DES cracking effort can be found at http://www.distributed.net/des/

In 2007 we also had the COPACOBANA platforms – a parallel FPGA platform (128 FPGAs). A 10,000 USD dedicated hardware platform – took about a week for a key.

• Other examples: Record of 22 hrs and 15 mins by a distributed software cracking effort; various attempts with GPU/CUDA around similar to COPACOBANA days.

• Total bitcoin mining system: 2^65 hashes per second – DES in 1 millisecond…
What Should We Use Today?

❑ 3DES (or Triple DES)
❑ AES (or Rijndael)
❑ Other candidates
o Twofish
o RC6
o Serpent

Symmetric Key Encryption 68

We should use 3DES or ideally AES (other ciphers for reference).

What is the main problem with DES? How should we fix it? Address the key size.
Triple DES and DESX
❑ Triple DES: two 56-bit keys
   M → DES (K1) → DES^-1 (K2) → DES (K1) → C
❑ DESX: three keys
   C = K3 XOR DES(K2, M XOR K1)
   M → XOR K1 → DES (K2) → XOR K3 → C
• Similar security to DES using differential cryptanalysis and linear cryptanalysis, which are theoretical attacks
• But much harder to break using exhaustive key search than DES.

Symmetric Key Encryption 69

Please study these variations of DES (you do not need to memorise the architecture).

Triple DES – encrypt, decrypt then encrypt.

Two-key (use K1, K2 and K1 again) and three-key variety (use K1, K2 and K3).

In theory this gives us 112- and 168-bit keyspaces, but due to some improved cryptanalysis attacks the keyspace is actually reduced (in other words there are better attacks than brute force). This reduced keyspace is called the ‘effective key space’.
For 2-key the effective key space is 80 bits (what is the effort needed? 2^79)
For 3-key the effective key space is 112 bits

Better than DES but less secure than AES.

Why do we still have DES – legacy applications, most banking standards use DES.

Why do we have the encrypt/decrypt/encrypt design? Backward compatibility: with K1 = K2 (and = K3 in the three-key model) it is just single DES.

DESX
What is the length of K1, K2 and K3? K1 and K3 = |M| while K2 is just a DES key (56 bits).
Advanced Encryption Standard
❑ Replacement for DES
o Selection by public process and chosen algorithm design details freely available for public use.
o Required to operate at a faster speed than Triple DES across a number of different platforms.
❑ AES competition (late 90’s)
o NSA openly involved
o Many strong algorithms were proposed and cryptanalyzed publicly
o Rijndael Algorithm was ultimately selected
▪ Pronounced like “Rain Doll” or “Rhine Doll”
❑ Iterated block cipher (like DES)
❑ Not using Feistel round function (unlike DES)
Symmetric Key Encryption 70

You should know the basic operation of AES, like block size, key size and basic architecture (the basic idea of the permutation and it having multiple rounds each with own round key).

Designed by Vincent Rijmen and Joan Daemen (the name of the cipher is a combination of their names: RIJnDAEl).

Other secure algorithms: Serpent, Twofish, RC6

Rijndael was chosen because it had the best performance across all the proposals (especially on 8-bit processors).

We will now look at AES in more detail – this is for your interest. We would like for you to know a little about the inner workings of a cipher – but I do not expect that you remember all the lower details; you must be able to give a basic description of the round function and overall structure. So for example, know the basic intention of SubByte, ShiftRow, MixColumn and AddRoundKey (but the actual operation, like the finite field arithmetic for MixColumn, is not needed).

Know AES is not a Feistel design, and that AES is now recommended for new systems.

For reference only

Requirements:
128-bit block
128-256 bit key
Faster than 3DES in a number of specified platforms
AES (Advanced Encryption Standard)
❑ Replacement of DES
❑ Block size: 128 bits
❑ Key length: 16, 24, or 32 bytes (128, 192, or 256 bits) – independent of block size
❑ 10 to 14 rounds (depends on key length)
❑ Substitution-Permutation Network (SPN)
❑ Each round has 4 transformations (except the last round)
o ByteSub
o ShiftRow
o MixColumn
o AddRoundKey

Symmetric Key Encryption 71

Study this slide

Think back – what is the block size? We can only input into a block cipher a fixed-length piece of plaintext of size equal to the block. No less, no more.

What were the key size and block size for DES? 56 and 64.

You must be able to describe AES – the detail on this slide is important.
You do not need to study slides 71-87 in detail but you need to look through them and be able to explain in a sentence or two each transformation, and also the general order of the transformations (and round keys) during an encryption and decryption of data.
AES Encryption Process

• In AES, all operations are performed on 8-bit bytes
• The arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8) (more details later)
• The ordering of bytes within a matrix is by column
• N rounds
• Last round has three transformations only
• AddRoundKey is carried out N+1 times:
(1) Initial transformation
(2) N rounds
• M = 16, 24, or 32 (bytes)

This slide shows the high level process of encryption – multiple rounds each with 4 transformations (except for the initial permutation and final round).
AES Encryption and Decryption

• Different from Feistel Transformation
• Feistel: process/encrypt half of the data block in each round
• AES: process/encrypt the entire data block in each round
• Key Scheduling = Key Expansion
• A 16-byte Key is expanded into 11 round keys
• Each round key is 4 words (16 bytes or 128 bits) long.
• Each word has 4 bytes (32 bits)
• E.g. for Round 0 (i.e. the Initial Transformation), the 4 words are denoted as w[0,3]
• for Round 1, the 4 words are denoted as w[4,7]
• for Round 9, the 4 words are denoted as w[36,39]
• for Round 10, the 4 words are denoted as w[40,43]
• Decryption: each transformation is reversible

This slide shows the order of transformations of encryption and decryption.

Understand that decryption is the reverse of encryption – all functions are reversible.
AES
The Four Transformations in Each Round (Except the Last Round):
• ByteSub: use an S-box to perform a byte-by-byte substitution of the data block
• ShiftRow: a permutation
• MixColumn: a substitution that makes use of arithmetic over GF(2^8)
• AddRoundKey: a simple bitwise XOR of the current data block with a round key

Overall visual summary of what happens to the data during the change from plaintext to ciphertext during ONE round.
AES
ByteSub (substitute byte transformation)
• Each individual byte in a data block is mapped into a new byte using a 16x16 matrix of byte values
• The leftmost 4 bits of a data block byte are used as a row value
• The rightmost 4 bits of a data block byte are used as a column value
• E.g. a data block byte value 95 references row 9, column 5 of the S-box, which contains the value 2A. So the value 95 is substituted by 2A in ByteSub

[Tables: S-box (for encryption) and Inverse S-box (for decryption)]

More detail on the Byte Substitution transform – just a lookup table.

There are two tables – one for encryption and one for decryption.

For the picture, let’s say we substitute 00, then it is 63. For decryption if we look up 63 then 00. Reversible.
AES
ByteSub
An example of the ByteSub transformation of a 128-bit data block using the S-box.

   EA 04 65 85              87 F2 4D 97
   83 45 5D 96  --S-box-->  EC 6E 4C 90
   5C 33 98 B0              4A C3 46 E7
   F0 2D AD C5              8C D8 95 A6

Check the previous slide and try for yourself.

See if you can substitute and get the same answers.
AES
ShiftRow
• The first row of the data block is not altered
• The second row: 1-byte circular left shift
• The third row: 2-byte circular left shift
• The fourth row: 3-byte circular left shift

   87 F2 4D 97      87 F2 4D 97
   EC 6E 4C 90  ->  6E 4C 90 EC
   4A C3 46 E7      46 E7 4A C3
   8C D8 95 A6      A6 8C D8 95

ShiftRow just means we left-rotate each row of the 4x4 data matrix.
AES
MixColumn
• Operate on each column individually
• Each byte of a column is mapped into a new value that is a function of all the four bytes in that column
• Matrix multiplication over GF(2^8) with irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1

e.g.
s’0,0 = (02)s0,0 + (03)s1,0 + s2,0 + s3,0 mod m(x)
i.e. s’0,0 = (x)s0,0 + (x+1)s1,0 + s2,0 + s3,0 mod m(x)
Note: each si,j represents 8 bits (i.e. a polynomial of degree 7 with binary coefficients)

MixColumn does not mean moving around the columns – it means we multiply the data matrix over GF(2^8) mod m(x) to create a new matrix.

To decrypt we multiply by the inverse of the matrix shown on the left here (no need to know the exact matrix).
Mathematical Background: Finite Field Arithmetic
Galois Field or Finite Field: we only focus on GF(2^n) here
• Informally: a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set
• GF(2^n) is a finite field containing 2^n elements
• Consider a set S of all polynomials of degree n-1 or less with binary coefficients. Thus, each polynomial has the form
   f(x) = a(n-1)x^(n-1) + a(n-2)x^(n-2) + … + a1x + a0
   where each ai takes on the value 0 or 1 only.
• There are a total of 2^n different polynomials in S.
• For n = 3, GF(2^3) has 8 polynomials in the form of f(x) = a2x^2 + a1x + a0.
   They are: {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}.
• Arithmetic on coefficients is performed modulo 2
• Addition:
   • E.g. f(x) + g(x) = (x^2 + 1) + (x^2 + x + 1) = x
   • This is the same as the bitwise XOR operation
   • Represent each element in GF(2^3) by a 3-bit value: {000, 001, 010, 011, 100, 101, 110, 111}
   • f(x) + g(x) = (101) + (111) = (010) = x

79
Mathematical Background: Finite Field Arithmetic
• Multiplication:
   • Multiply two polynomials together. If the resulting polynomial has degree greater than n-1, then the polynomial is reduced modulo some irreducible polynomial m(x) of degree n.
   • Irreducible polynomial m(x): a polynomial that cannot be expressed as a product of two polynomials, both with degree smaller than that of m(x).
   • Irreducible polynomials of degree 3: (x^3 + x^2 + 1) and (x^3 + x + 1)
   • f(x)·g(x) = (x^2 + 1)·(x^2 + x + 1) mod m(x) = (x^4 + x^3 + x^2) + (x^2 + x + 1) mod m(x) = x^4 + x^3 + x + 1 mod m(x)
   Taking m(x) = (x^3 + x + 1) as the irreducible polynomial, we have
   f(x)·g(x) = x^4 + x^3 + x + 1 mod (x^3 + x + 1) = (x + 1)(x^3 + x + 1) + (x^2 + x) mod (x^3 + x + 1) = x^2 + x
   • Represent each element in GF(2^3) by a 3-bit value: {000, 001, 010, 011, 100, 101, 110, 111}
   • f(x)·g(x) = (101)·(111) = (110)

• AES uses arithmetic in the finite field GF(2^8) with the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1

80
AES
MixColumn

e.g.
s’0,0 = (02)s0,0 + (03)s1,0 + s2,0 + s3,0 mod m(x)
i.e. s’0,0 = (x)s0,0 + (x+1)s1,0 + s2,0 + s3,0 mod m(x)
Note: each si,j represents 8 bits (i.e. a polynomial of degree 7 with binary coefficients)

• s’0,0 is a polynomial of degree 7 with binary coefficients obtained by adding four polynomials together (i.e. the bitwise XOR operation), and each of the first two polynomials is obtained by multiplying two polynomials modulo m(x).
   • i.e. s’0,0 = [(x)s0,0 mod m(x)] XOR [(x+1)s1,0 mod m(x)] XOR s2,0 XOR s3,0

The MixColumn multiplier is either x+1 (binary 11, i.e. 3), x (binary 10, i.e. 2), or 1 (binary 01, i.e. 1).

81
AES
MixColumn

   87 F2 4D 97                 47 40 A3 4C
   6E 4C 90 EC  --MixColumn->  37 D4 70 9F
   46 E7 4A C3                 94 E4 3A 42
   A6 8C D8 95                 ED A5 A6 BC

82
Example
❑ Calculate S’0,0 = 02·S0,0 + 03·S1,0 + S2,0 + S3,0
❑ 02h (10b)·87h (10000111b) + 03h (11b)·6Eh (01101110b) + 46h (01000110b) + A6h (10100110b)
❑ (x)(x^7+x^2+x+1) + (x+1)(x^6+x^5+x^3+x^2+x) + (x^6+x^2+x) + (x^7+x^5+x^2+x)
❑ x^8+x^3+x^2+x + x^7+x^6+x^4+x^3+x^2 + x^6+x^5+x^3+x^2+x + x^6+x^2+x + x^7+x^5+x^2+x
❑ x^8+x^6+x^4+x^3+x^2 mod x^8+x^4+x^3+x+1
❑ x^8+x^6+x^4+x^3+x^2 + (x+x+1+1) mod x^8+x^4+x^3+x+1
❑ x^6+x^2+x+1 + (x^8+x^4+x^3+x+1) mod x^8+x^4+x^3+x+1
❑ x^6+x^2+x+1 mod x^8+x^4+x^3+x+1
❑ x^6+x^2+x+1 is 01000111b is 47h

Cryptography – Part I 83

A different example (from a different matrix state)

S0,0 = 3E
S1,0 = 1C
S2,0 = 22
S3,0 = C0

Calculate S’3,0 = 03·3E (00111110) + 01·1C (00011100) + 01·22 (00100010) + 02·C0 (11000000)
= (x+1)(x^5+x^4+x^3+x^2+x) + (x^4+x^3+x^2) + (x^5+x) + x·(x^7+x^6)
= x^6+x^5+x^4+x^3+x^2 + x^5+x^4+x^3+x^2+x + x^4+x^3+x^2 + x^5+x + x^8+x^7
= x^8+x^7+x^6+x^5+x^4+x^3+x^2 mod x^8+x^4+x^3+x+1
= x^8+x^7+x^6+x^5+x^4+x^3+x^2 + 1+1+x+x mod x^8+x^4+x^3+x+1
= (x^8+x^4+x^3+x+1) + x^7+x^6+x^5+x^2+x+1 mod x^8+x^4+x^3+x+1
= x^7+x^6+x^5+x^2+x+1 = 11100111 = E7
AES
AddRoundKey

   47 40 A3 4C        AC 19 28 57        EB 59 8B 1B
   37 D4 70 9F  XOR   77 FA D1 5C   =    40 2E A1 C3
   94 E4 3A 42        66 DC 29 00        F2 38 13 42
   ED A5 A6 BC        F3 21 41 6A        1E 84 E7 D6

Finally we just XOR the round key (which we also divided into a matrix) with the data matrix.

84
AES Summary of One AES Round (except the last round)

Summary of what happens during an encryption round.

Implementation is easy – simple binary operations (why it works, or the design, not so easy).

85
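The ByteSub, ShiftRow, MixColumn and AddRoundKey steps of slides 75-84, together with the GF(2^8) arithmetic of slides 79-81, as one added Python example (not the lecture's code and not the FIPS-197 reference code). The S-box is not typed in but computed the way the AES specification defines it (multiplicative inverse in GF(2^8) followed by the fixed affine map with constant 0x63); gf_mul, gf_inverse, matrix and the other function names are this example's own. The input state and round key are the worked matrices copied from the slides, so every step can be checked against them, and the same gf_mul also reproduces the GF(2^3) product from slide 80 and the E7 calculation in the notes to slide 83.

```python
"""Added example (not the lecture's code): the four AES round transformations run on the
worked matrices from the slides, with GF(2^8) arithmetic built from scratch."""

AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, as on the slides


def gf_mul(a: int, b: int, modulus: int = AES_POLY, degree: int = 8) -> int:
    """Multiply in GF(2^degree): shift-and-add with reduction by the irreducible polynomial.
    Coefficients are mod 2, so 'add' is XOR; a shift past degree-1 is reduced by XORing the modulus."""
    mask = (1 << degree) - 1
    product = 0
    for _ in range(degree):
        if b & 1:
            product ^= a
        overflow = a & (1 << (degree - 1))
        a = (a << 1) & mask
        if overflow:
            a ^= modulus & mask
        b >>= 1
    return product


def gf_inverse(a: int) -> int:
    """Multiplicative inverse in GF(2^8) by search (0 maps to 0 by AES convention)."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox_entry(a: int) -> int:
    """AES S-box entry: inverse in GF(2^8), then the affine map (XOR of four rotations and 0x63)."""
    inv = gf_inverse(a)
    return inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63


SBOX = [sbox_entry(a) for a in range(256)]      # table for encryption (slide 75)
INV_SBOX = [0] * 256                            # table for decryption
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def matrix(text: str) -> list:
    """Parse the 4x4 hex layout used on the slides (four rows of four bytes)."""
    return [[int(h, 16) for h in line.split()] for line in text.strip().splitlines()]


def byte_sub(state):
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state):
    return [row[r:] + row[:r] for r, row in enumerate(state)]   # row r rotated left by r bytes


def mix_one_column(s):
    s0, s1, s2, s3 = s
    return [gf_mul(2, s0) ^ gf_mul(3, s1) ^ s2 ^ s3,
            s0 ^ gf_mul(2, s1) ^ gf_mul(3, s2) ^ s3,
            s0 ^ s1 ^ gf_mul(2, s2) ^ gf_mul(3, s3),
            gf_mul(3, s0) ^ s1 ^ s2 ^ gf_mul(2, s3)]


def mix_columns(state):
    mixed = [mix_one_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[mixed[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state, round_key):
    return [[a ^ k for a, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]


def aes_round(state, round_key):
    return add_round_key(mix_columns(shift_rows(byte_sub(state))), round_key)


# Worked data copied from the slides: the ByteSub input (slide 76) and the round key (slide 84)
STATE_IN = matrix("""
EA 04 65 85
83 45 5D 96
5C 33 98 B0
F0 2D AD C5""")
ROUND_KEY = matrix("""
AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6A""")

if __name__ == "__main__":
    steps = [("ByteSub", byte_sub(STATE_IN)),
             ("ShiftRow", shift_rows(byte_sub(STATE_IN))),
             ("MixColumn", mix_columns(shift_rows(byte_sub(STATE_IN)))),
             ("AddRoundKey", aes_round(STATE_IN, ROUND_KEY))]
    for name, st in steps:
        print(name)
        for row in st:
            print(" ".join(f"{b:02X}" for b in row))
```

Running it prints the four matrices from slides 76, 77, 82 and 84 in turn. Each of the four transformations is invertible (INV_SBOX, a right rotation, multiplication by the inverse MixColumn matrix, and XOR with the same round key), which is what the earlier slide means by "decryption is the reverse of encryption".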
AES
Key Expansion / Key Scheduling

Review:
• A 16-byte (128-bit) Key is expanded into 11 round keys
• Each round key is 4 words (or 16 bytes or 128 bits) long
• Total size of the 11 round keys = 44 words (or 176 bytes)

Notations:
• Key: k0, k1, … k15
• Round Keys: w0, w1, …, w43

• Round 0 key: w0, w1, w2, w3
• Round 1 key: w4, w5, w6, w7
• Round 2 key: w8, w9, w10, w11
• …
• Round 10 key: w40, w41, w42, w43

From slides 86 and 87 you only need to know that we generate a round key from the single AES key.

g: next slide

Details for reference only.

86
AES
Key Expansion / Key Scheduling

Summary:
• The 16-byte key is copied into the first four words for the Round 0 key
• i.e. the key is used directly to do the AddRoundKey at the initial transformation

• Each subsequent word w[i] in a round key depends on the immediately preceding word w[i-1], and the word four positions back, w[i-4]
• in three out of the four cases a simple XOR is used, e.g. w5, w6, and w7
• for a word whose position in the w array is a multiple of 4, a more complex function g is used

• RC stands for Round Constant

RCj is a constant.

87
Key Space
❑ The Key Space of a cipher is the set of all possible and distinct secret keys
❑ E.g. The key space of DES is all distinct 56-bit binary strings
❑ E.g. The size of the key space of simple substitution for the case-insensitive English alphabet is 26!
❑ What’s the key space size of AES?
❑ What’s the key space size of one-time pad?
❑ What’s the key space size of RC4?

Symmetric Key Encryption 88

Study this slide – you need to know what the keyspace is, how to calculate it, and how many exhaustive search attempts are required for a given keyspace (see slide 52)

AES: 128-256 bits

So searching for DES? 2^55

So searching for AES (128-bit key version)? 2^127

One time pad – the key is the size of the message – keyspace is 2^keysize

RC4: 40-2048 bits
Multiple Blocks

[Diagram: Message (n bits) → ENC (secret key, k bits) → Ciphertext (n bits)]

❑ How to encrypt multiple blocks?
❑ A new key for each block?
o As bad as (or worse than) the one-time pad!
❑ Encrypt each block independently?
❑ Make encryption depend on previous block(s), i.e., “chain” the blocks together?
❑ How to handle partial blocks?
Symmetric Key Encryption 89

Study slide

A block cipher only encrypts a fixed block – not like a stream cipher that just keeps generating keystream.

So we need ways to encrypt multiple blocks if the message is larger than the block size.

We also need a padding method if our message is not a multiple of the block size.
Modes of Operation
❑ Many modes of operation – we discuss three
❑ Electronic Codebook (ECB) mode
o Obvious thing to do
o Encrypt each block independently
o There is a serious weakness
❑ Cipher Block Chaining (CBC) mode
o Chain the blocks together
o More secure than ECB
❑ Counter Mode (CTR) mode
o Acts like a stream cipher
o Popular for random access

Symmetric Key Encryption 90

You need to know the three modes of operation well (plus CFB) (understand what is going on – but you do not need to memorise the details).

Be comfortable with how data is encrypted and decrypted.
ECB Mode
❑ Notation: C = E(K, P), P = D(K, C)
❑ Given plaintext P = P0, P1, …, Pm, … (in blocks)
❑ The obvious way of using a block cipher is to encrypt plaintext blocks independently
   Encrypt              Decrypt
   C0 = E(K, P0),       P0 = D(K, C0),
   C1 = E(K, P1),       P1 = D(K, C1),
   C2 = E(K, P2), …     P2 = D(K, C2), …

[Diagram: P0, P1, …, Pi each → ENC (K) → C0, C1, …, Ci]

Symmetric Key Encryption 91

What are the problems?

Cut and paste

Can see if Pi = Pj
ECB Cut and Paste Attack
❑ Suppose plaintext is
   Alice digs Bob. Trudy digs Tom.
❑ Assuming 64-bit blocks and 8-bit ASCII:
   P0 = “Alice di”, P1 = “gs Bob. ”,
   P2 = “Trudy di”, P3 = “gs Tom. ”
❑ Ciphertext: C0, C1, C2, C3
❑ Trudy cuts and pastes: C0, C3, C2, C1
❑ Decrypts as
   Alice digs Tom. Trudy digs Bob.
Symmetric Key Encryption 92

In ECB all the plaintext blocks are encrypted independently – this means you can in theory delete some of the ciphertext blocks, or move some of the ciphertext blocks around.
ECB Weakness
❑ Suppose Pi = Pj
❑ Then Ci = Cj and Trudy knows Pi = Pj
❑ This gives Trudy some information, even if she does not know Pi or Pj
❑ Is this a serious issue?

Symmetric Key Encryption 93

The second weakness is that even if the rest of the message is different, each identical plaintext block encrypts to the same ciphertext block.

This means if we see the same ciphertext twice the same plaintext got sent twice…

This is now like a very, very large substitution cipher! (with 2^n possible permutations where n is the block size)…

Traffic analysis – can see the same messages being sent. What if messages repeat?
Alice Hates ECB Mode
❑ Alice’s uncompressed image, Alice ECB encrypted

❑ Why does this happen?
❑ Same plaintext block → same ciphertext!
Symmetric Key Encryption 94

This is an example of that in a practical scenario – a picture encrypted in ECB mode appears to still expose most of the data.

This is a black and white picture – the same pixel combinations encrypt to the same ciphertext…
ECB is essentially like a fancy substitution cipher with a much larger binary alphabet.
CBC Mode
❑ Blocks are “chained” together
❑ A random initialization vector, or IV, is required to initialize CBC mode
❑ IV is random, but is not a secret
   Encryption                   Decryption
   C0 = E(K, IV XOR P0),        P0 = IV XOR D(K, C0),
   C1 = E(K, C0 XOR P1),        P1 = C0 XOR D(K, C1),
   C2 = E(K, C1 XOR P2), …      P2 = C1 XOR D(K, C2), …

[Diagram: IV XOR P0 → ENC (K) → C0; C0 XOR P1 → ENC (K) → C1; …]

Symmetric Key Encryption 95

Cipher Block Chaining tries to address this. Here the ciphertext depends on all previous ciphertext. So even if we send the same plaintext block twice the ciphertext block differs (as the set of ciphertext sent before since the beginning of the message differs).

We must still be careful if sending the same entire plaintext message; in such a case we must use a different IV for each message otherwise all the ciphertext will be the same.

If P0 changes in the message what happens to all C blocks? All change.

The implication is all C blocks are dependent on all previous P blocks.
Alice Likes CBC Mode
❑ Alice’s uncompressed image, Alice CBC encrypted

❑ Why does this happen?
❑ Same plaintext yields different ciphertext!
Symmetric Key Encryption 96

As seen with the picture, the same plaintext now delivers very different ciphertext – and you can no longer see Alice.
What is a ‘good’ mode?
Good properties:
❑ Message dependence of ciphertext
❑ Limited error propagation
❑ Works without block synchronisation
❑ Optimise use of decrypt/encrypt
❑ Reduce padding

Cryptography – Part I 97

Study this slide…

Message dependence means the ciphertext also depends on previous blocks of the message rather than only the input plaintext block (for example, ECB mode does not have good message dependence).

A mode of operation should be able to recover from errors (the error should not continue until the end of the message).

Does not need block synchronization between sender and receiver (if a block of the message goes missing, the impact on subsequent messages should be limited).

Optimise use of decrypt/encrypt (in some block ciphers implementing both decrypt-a-block and encrypt-a-block functionality takes more resources) – some block modes only require one of these to be implemented to encrypt or decrypt an entire message.

Ideally we do not want to generate too much ciphertext in comparison to our plaintext if possible (this is not always practical, especially with block ciphers – you need to enter a full block even if your message (or what is left of your message) is smaller than the block).
Types of transmission errors
❑ Transmission errors are errors (a 1 becomes a 0 or a 0 becomes a 1) that occur in the communication channel.
❑ Transmission losses are bits that get lost (they never arrive) in the communication channel.

Slides 98-105 (credit to Keith Martin, Everyday Cryptography: Fundamental Principles and Applications)
Cryptography – Part I 98

Study this slide…

Transmission error means we receive the block but one or more bits are wrong.

Transmission loss basically means the block goes missing.
Error Propagation
❑A decryption process involves error
propagation if a ciphertext input
that has one incorrect bit produces a
plaintext output that has more than
one incorrect bit.

Cryptography – Part I 99

Study this slide…

1.To what extent does error propagation occur in basic stream


and block ciphers?
In a basic stream ciphers – errors in ciphertext map directly to
errors in plaintext. This is due to the XOR used. Think – one bit
of C XOR one bit of corresponding KS is P, then C’ XOR the same
KS is P’ (where if X=1 then X’=0, if X=0 then X’=1)

2. Does error propagation have anything to do with error prevention or error correction?
No, we cannot prevent errors as such. We can however limit the effect they have on the received message.

A little bit connected – if we minimise the number of errors it might be possible to correct the received message. It is nearly impossible to recover from a large number of errors.

3. Is error propagation a good thing?
No, if an error occurs early in the message that means the entire message is wrong.

Counter Mode (CTR)
❑ Use block cipher like stream cipher
Encryption:                  Decryption:
C0 = P0 XOR E(K, IV),        P0 = C0 XOR E(K, IV),
C1 = P1 XOR E(K, IV+1),      P1 = C1 XOR E(K, IV+1),
C2 = P2 XOR E(K, IV+2), …    P2 = C2 XOR E(K, IV+2), …

❑ CTR is good for random access (both READ and WRITE)
❑ CBC is good for random READ only, but not WRITE

[Diagram: the counter values IV, IV+1, …, IV+i are each encrypted under K (ENC) and the outputs XORed with P0, P1, …, Pi to give C0, C1, …, Ci]

Symmetric Key Encryption 100

Error? 1 bit

What do we mean by synchronisation? The receiver needs to know which block is incoming.

CTR mode requires synchronisation between sender and receiver in terms of the counter. It overcomes the ECB weakness: even with the same plaintext block, the ciphertext will be different, as the counter value (IV+i) is different.

Does CBC need synchronisation? No, you just feed the received blocks into the decryption function; there is no need to keep track of how many you have received.

For error propagation – how would CTR perform if
1 bit is incorrect during transmission? There will be a one-bit mistake in the decrypted plaintext.
1 block is lost? The receiver’s IV counter would now be one behind and all subsequent data will decrypt incorrectly.

CTR mode is good if you store encrypted data. Consider that the IV is also the index of the stored ciphertext block. To read the block’s plaintext you compute E(IVi, K) and XOR it with the stored Ci. If you edit the block you can then simply XOR the new plaintext with E(IVi, K) and store it.

Can you do the same with CBC?

Reading is easy: you take ciphertext block Ci-1 and use it to decrypt Ci, and now you can read the data. However, what happens if you change the plaintext? You can encrypt Ci again using Ci-1. Is that good enough?

No! Now you need to decrypt and re-encrypt all the remaining blocks, as the change in Ci means all the rest of the blocks will change.

Cipher Feedback Mode (CFB)
❑ One more mode…
❑ Use block cipher like stream cipher (like counter mode)
Encryption:                  Decryption:
C0 = P0 XOR E(K, IV),        P0 = C0 XOR E(K, IV),
C1 = P1 XOR E(K, C0),        P1 = C1 XOR E(K, C0),
C2 = P2 XOR E(K, C1), …      P2 = C2 XOR E(K, C1), …

[Diagram: IV is encrypted under K (ENC) and XORed with P0 to give C0; each ciphertext block Ci is then fed back, encrypted under K and XORed with the next plaintext block Pi+1 to give Ci+1]

Cryptography – Part I 101

Study this slide…

How is this similar to CBC?

There is an XOR operation, and the ciphertext Ci is used to calculate ciphertext Ci+1.

How is this different?

In CBC the plaintext is XORed with Ci and then encrypted to form Ci+1; this means the receiver has to implement a decrypt function (decrypt the received ciphertext Ci+1 and then XOR with the previous Ci).

In CFB we use the block cipher to create keystream (similar to a stream cipher approach); this means both encryption and decryption of a message require only the E() encrypt function.

CFB Mode

Cryptography – Part I 102

Study this slide…

Explain, then ask about error – what happens if a 1-bit error occurs in C?

OK, let’s see how CFB works – follow the numbers.

1. At the start Ci has been stored by the sender; at the same time Ci is also stored by the receiver (from the previous round) in the blue registers.

2. The sender encrypts it (with the block cipher) under key K to get keystream (purple block).

3. To generate Ci+1 the keystream is XORed with the plaintext Pi+1.

4. Ci+1 is sent, and also fed back and stored by the sender (blue register).

5. The sender is now finished and ready for the next block to be sent.

6. The receiver has Ci.

7. He encrypts it with K to get keystream (purple). This keystream is the same as that used by the sender (as both used Ci).

8. He XORs the keystream with Ci+1 to get Pi+1.

9. Finally he stores Ci+1 for the next block.

10. Repeat the process….

CFB Error

Cryptography – Part I 103

Study this slide…

This picture is drawn from the receiver’s perspective…

Ci has been sent (the sender used Ci-1 to generate it, and has stored Ci for the next block). There is a one-bit error in Ci; let’s call the erroneous block C’i.

The receiver receives C’i and XORs E(Ci-1, K) with it to get Pi. As there is a one-bit error in C’i and we XOR with the same KS that the sender used, we get a one-bit error in Pi.

C’i is now stored for the next block received.

We now receive Ci+1 (the sender used Ci to generate it) but we try to decrypt it with keystream KS = E(C’i, K). Remember what we said about a good block cipher – a one-bit change in the plaintext should change at least 50% of the ciphertext. So if the input to E() is one bit different at the receiver than at the sender, then at least 50% of the keystream is different. We XOR this with Ci+1 and thus Pi+1 has lots of bit errors.

The receiver now stores Ci+1 for the next block – it arrived without error and is the same data the sender will use to generate Ci+2, therefore the error will not propagate any further and Pi+2 will be fine.

NOTE! For error propagation, do not try to memorise the propagation pattern; you need to be able to understand and work things out from what you know of CFB (and the other modes of operation). What if you get a question that does not ask about a 1-bit error?

When working out the error, do what is comfortable for you – prefer a mathematical representation? Prefer drawing a picture?

CBC Mode

Cryptography – Part I 104

Study this slide…

Explain and ask about error.

1. At the start both sender and receiver have Ci-1 stored (in blue).

2. The sender calculates Pi XOR Ci-1.

3. Then Ci = E(Pi XOR Ci-1).

4. Ci is sent (and also stored for the next block by the sender).

5. The sender is now done with this block.

6. The receiver (remember) has stored Ci-1…

7. The receiver decrypts Ci (the result is D(Ci) = Ci-1 XOR Pi).

8. D(Ci) XOR Ci-1 is therefore Pi.

9. The receiver stores Ci for the next round.

10. We repeat for the next block.

CBC Error

Cryptography – Part I 105

Study this slide…

Once again from the receiver’s perspective, and assuming a 1-bit error.

Give the quick notes supplementary material!!

The receiver receives C’i instead of Ci (one-bit error).

D(C’i, K) is not equal to Ci-1 XOR Pi (many bit errors, as the input to decrypt is one bit different from the sender’s), so D(C’i, K) XOR Ci-1 is not equal to Pi (Pi has lots of errors, due to the decrypt function).

The receiver now stores C’i.

The receiver receives Ci+1 = E(Ci XOR Pi+1, K). D(Ci+1, K) = Ci XOR Pi+1.

Ci XOR Pi+1 XOR C’i = P’i+1 (one-bit error in Pi+1).

The next block is fine as both parties use correct Ci+1
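The error-propagation answers given above for CTR, CFB and CBC can be checked in one place with this added Python example (not from the lecture or from Everyday Cryptography). It implements the three modes over a toy Feistel block cipher built from SHA-256, constructed here only as an invertible stand-in with good avalanche and not a secure cipher, flips one bit of ciphertext block 1 of a constructed four-block message, and counts the wrong bits in each recovered plaintext block. Note that only CBC decryption needs the D() function; CTR and CFB use E() in both directions, as the notes say.

```python
import hashlib
BLOCK = 16  # toy block size in bytes; stands in for a 128-bit block cipher's block (constructed)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, r: int) -> bytes:  # keyed round function: truncated SHA-256
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:  # toy 4-round Feistel cipher: NOT secure, invertible stand-in
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, xor(left, _f(key, right, r))
    return left + right

def D(key: bytes, block: bytes) -> bytes:  # inverse of E: same rounds, undone in reverse order
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = xor(right, _f(key, left, r)), left
    return left + right

def ctr(key, iv, blocks):  # CTR: C_i = P_i XOR E(K, IV+i); decryption is the same call, only E() needed
    n = int.from_bytes(iv, "big")
    return [xor(b, E(key, ((n + i) % (1 << 8 * BLOCK)).to_bytes(BLOCK, "big")))
            for i, b in enumerate(blocks)]

def _chain(iv, blocks, step):  # feedback modes: step(prev, block) -> (output, value fed back as prev)
    out, prev = [], iv
    for b in blocks:
        o, prev = step(prev, b)
        out.append(o)
    return out

def cbc_enc(k, iv, bs): return _chain(iv, bs, lambda prev, p: (E(k, xor(p, prev)),) * 2)
def cbc_dec(k, iv, bs): return _chain(iv, bs, lambda prev, c: (xor(D(k, c), prev), c))  # needs D()
def cfb_enc(k, iv, bs): return _chain(iv, bs, lambda prev, p: (xor(p, E(k, prev)),) * 2)
def cfb_dec(k, iv, bs): return _chain(iv, bs, lambda prev, c: (xor(c, E(k, prev)), c))  # only E()

def error_profile(decrypt, key, iv, ct, pt, i):
    """Flip one bit of ciphertext block i, decrypt, and count wrong bits in each plaintext block."""
    damaged = ct[:i] + [bytes([ct[i][0] ^ 0x01]) + ct[i][1:]] + ct[i + 1:]
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, q))
            for p, q in zip(pt, decrypt(key, iv, damaged))]

def demo():
    key, iv = b"constructed-key!", bytes(BLOCK - 1) + b"\x07"  # constructed key and IV/counter
    pt = [bytes([65 + i]) * BLOCK for i in range(4)]  # constructed 4-block message
    return {"CTR": error_profile(ctr, key, iv, ctr(key, iv, pt), pt, 1),
            "CBC": error_profile(cbc_dec, key, iv, cbc_enc(key, iv, pt), pt, 1),
            "CFB": error_profile(cfb_dec, key, iv, cfb_enc(key, iv, pt), pt, 1)}
```

demo() gives [0, 1, 0, 0] for CTR; for CFB one wrong bit in block 1 and roughly half the bits of block 2 wrong; for CBC roughly half of block 1 wrong and exactly one wrong bit in block 2. In all three modes the blocks after that decrypt correctly, matching the worked answers above.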

Supplementary Materials

Cryptography – Part I 106

Rest of slides only for reference

Practical Cipher Knowledge
❑ I am not a cryptographer – how do I know a good cipher?
❑ Basic cipher analysis in under a minute
o Keysize
▪ For symmetric ciphers a key > 128 bits is now considered best practice
o Public
▪ Security cannot come from obscurity (Kerckhoffs’ principle)
o Standard
▪ If the cipher is the result of an open competition, good; if proprietary, be wary
▪ If it is old and public and still not ‘broken’ then it could be OK
o Mode of operation?
▪ Of the basic modes CBC is considered good (ECB not good)

107
Mifare Classic
❑ Developed in 1995 (NXP Semiconductor) – Crypto1 algorithm
o 48 bit key, stream cipher
❑ Used in a significant number of current systems
o Access control
o Travel
o Closed payment
❑ Cipher kept secret…was securely used for a long time
❑ Researchers reverse engineered the cipher by analysis of the IC architecture
o Subsequently another group also used these findings to reconstruct the full cipher
❑ Mifare Classic also shown to have further security flaws

108

What do you think about this cipher?

Keysize? Poor.
Secrecy? Kerckhoffs’ principle? Bad, kept secret.

Mifare Classic Metal Layers

Nohl, et al (2008)
109

Reconstructing the Algorithm

Nohl, et al (2008)

110

Would sufficient tamper resistance have prevented this attack? Not really. Tamper resistance usually protects the inner circuitry from being read (e.g. probing data lines, reading memory content – if the chip is opened the memory is deleted), but here we are interested in the logic only, by observing the metal layers, so unless there is some countermeasure in terms of obfuscation or fake gates it is not likely to help.

And-Or-Invert (AOI) gates.

The initial state of the register is the key; it is possible to reverse the LFSR to its initial state and get the key.

Security through obscurity
❑ Legacy/proprietary RFID systems available and possibly used for security sensitive applications.
❑ Several examples of reverse engineering
o NXP Mifare Classic, TI DST, NXP HiTag, Microchip Keeloq, HID and Atmel CryptoRF
❑ The first….
o TI DST algorithm reverse engineered (2005), used for Speedpass, car immobilizers
o Researchers had a general idea of the cipher architecture, used a black box, brute force method
o Recovered the 40-bit key in a few hours and masqueraded as a real DST device

Illustrate skill and devotion of attackers…

111
The end!

?
Any questions…
112
