Module II

AES
The Advanced Encryption Standard (AES) was published by the National
Institute of Standards and Technology (NIST) in 2001. AES is a symmetric block
cipher that is intended to replace DES as the approved standard for a wide
range of applications.In AES, all operations are performed on 8-bit bytes. In
particular, the arithmetic operations of addition, multiplication, and division are
performed over the finite field GF(28 ) .Designed by Rijmen-Daemen in Belgium.

Figure shows the overall structure of the AES encryption process. The cipher
takes a plaintext block size of 128 bits, or 16 bytes. The key length can be 16,
24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128,
AES-192, or AES-256, depending on the key length.
The input to the encryption and decryption algorithms is a single 128-bit
block.This block is copied into the State array, which is modified at each stage
of encryption or decryption. After the final stage, State is copied to an output
matrix. These operations are depicted in Figure 5.2a. Similarly, the key is
depicted as a square matrix of bytes. This key is then expanded into an array of
key schedule words. Figure 5.2b shows the expansion for the 128-bit key. Each
word is four bytes, and the total key schedule is 44 words for the 128-bit key.
Note that the ordering of bytes within a matrix is by column. So, for example,
the first four bytes of a 128-bit plaintext input to the encryption cipher occupy
the first column of the in matrix, the second four bytes occupy the second
column, and so on. Similarly, the first four bytes of the expanded key, which
form a word, occupy the first column of the w matrix.

The cipher consists of N rounds, where the number of rounds depends on the
key length.Refer table 5.1. The first N - 1 rounds consist of four distinct
transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey,
which are described subsequently. The final round contains only three
transformations, and there is a initial single transformation (AddRoundKey)
before the first round,which can be considered Round 0. Each transformation
takes one or more 4 * 4 matrices as input and produces a 4 * 4 matrix as
output. Figure 5.1 shows that the output of each round is a 4 * 4 matrix, with
the output of the final round being the ciphertext. Also, the key expansion
function generates N + 1 round keys, each of which is a distinct 4 * 4 matrix.
Each round key serve as one of the inputs to the AddRoundKey transformation
in each round.
AES encrytpion and decryption

AES TRANSFORMATION FUNCTIONS

Substitute Bytes
a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8 – bit
values
• each byte of state is replaced by byte indexed by row (left 4 - bits) & column
(right 4 - bits)
– eg . byte {95} is replaced by byte in row 9 column 5 which has value {2A}
• S - box constructed using defined transformation of values in GF(28 )
• designed to be resistant to all known attacks
Shift Rows
• a circular byte shift in each each.1 st row is unchanged.2 nd row does 1 byte
circular shift to left.3rd row does 2 byte circular shift to left.4th row does 3 byte
circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step permutes bytes between the
columns

MixColumns Transformation
The forward mix column transformation,called MixColumns, operates on each
column individually. Each byte of a column is mapped into a new value that is a
function of all four bytes in that column.

The transformation can be defined by the following matrix multiplication on

State.
Each element in the product matrix is the sum of products of elements of one
row and one column. In this case, the individual additions and multiplications
are performed in GF(2 8 ). The MixColumns transformation on a single column
of State can be expressed as

In GF(2 8 ) , addition is the bitwise XOR operation and that multiplication of a

value by x (i.e., by {02}) can be implemented as a 1-bit left shift followed by a
conditional bitwise XOR with (0001 1011) if the leftmost bit of the original value
(prior to the shift) is 1. Thus, to verify the MixColumns transformation on the
first column, we need to show that

The inverse mix column transformation, called InvMixColumns, is defined by

the following matrix multiplication:
That is, the inverse transformation matrix times the forward transformation
matrix equals the identity matrix. To verify the first column of Equation (5.6),
we need to show

AddRoundKey Transformation

FORWARD AND INVERSE TRANSFORMATIONS In the forward add round key

transformation, called AddRoundKey, the 128 bits of State are bitwise XORed
with the 128 bits of the round key. As shown in Figure 5.5b, the operation is
viewed as a columnwise operation between the 4 bytes of a State column and
one word of the round key; it can also be viewed as a byte-level operation. The
following is an example of AddRoundKey:

The first matrix is State, and the second matrix is the round key.The inverse
add round key transformation is identical to the forward add round key
transformation, because the XOR operation is its own inverse.

Inputs for single AES round

AES KEY EXPANSION

The AES key expansion algorithm takes as input a four-word (16-byte) key and
produces a linear array of 44 words (176 bytes). This is sufficient to provide a
four-word round key for the initial AddRoundKey stage and each of the 10
rounds of the cipher. The pseudocode on the next page describes the
expansion.The key is copied into the first four words of the expanded key. The
remainder of the expanded key is filled in four words at a time. Each added
word w[i] depends on the immediately preceding word, w[i - 1] , and the word
four positions back, w[i - 4] . In three out of four cases, a simple XOR is used.
For a word whose position in the w array is a multiple of 4, a more complex
function is used.
Figure 5.9 illustrates the generation of the expanded key, using the symbol g to
represent that complex function. The function g consists of the following
subfunctions.
1. RotWord performs a one-byte circular left shift on a word. This means that an
input word [B 0 , B 1 , B 2 , B 3 ] is transformed into [B 1 , B 2 , B 3 , B 0 ] .
2. SubWord performs a byte substitution on each byte of its input word, using
the S-box (Table 5.2a).
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j] .The
round constant is a word in which the three rightmost bytes are always 0.Thus,
the effect of an XOR of a word with Rcon is to only perform an XOR on the left-
most byte of the word. The round constant is different for each round and is
defined as
Rcon[j] = (RC[j], 0, 0, 0) , with RC[1] = 1 , RC[j] = 2 RC[j-1]
and with multiplication defined over the field GF(2 8
) . The values of RC[j] in
hexadecimal are

AES Decryption
AES decryption is not identical to encryption since steps done in reverse,but
can define an equivalent inverse cipher with steps as for encryption– but using
inverses of each step with a different key schedule works since result is
unchanged when
• swap byte substitution & shift rows.swap mix columns & add (tweaked)
round key
Implementation Aspects
➔ can efficiently implement on 8 - bit CPU
– byte substitution works on bytes using a table of 256 entries– shift rows is
simple byte shift,add round key works on byte XOR ’ s– mix columns requires
matrix multiply in GF(2 8 ) which works on byte values, can be simplified to use
table lookups & byte XOR ’ s
➔ can efficiently implement on 32 - bit CPU
– redefine steps to use 32 - bit words-can precompute 4 tables of 256 - words–
then each column in each round can be computed using 4 table lookups + 4
XORs– at a cost of 4Kb to store tables
**For stream cipher refer your assignment number 2......
 MODULE 3

Principles of public key cryptography

The concept of public-key cryptography evolved from an attempt to attack two
of the most difficult problems associated with symmetric encryption.
Asymmetric algorithms rely on one key for encryption and a different but
related key for decryption. These algorithms have the following important
characteristic.
• It is computationally infeasible to determine the decryption key given only
knowledge of the cryptographic algorithm and the encryption key.
In addition, some algorithms, such as RSA, also exhibit the following
characteristic.
• Either of the two related keys can be used for encryption, with the other used
for decryption.

Public-Key Cryptosystems
A public-key encryption scheme has six ingredients
Plaintext: This is the readable message or data that is fed into the
algorithm as input.
Encryption algorithm: The encryption algorithm performs various
transformations on the plaintext.
Public and private keys: This is a pair of keys that have been selected
so that if one is used for encryption, the other is used for decryption. The
exact transformations performed by the algorithm depend on the public
or private key that is provided as input.
Ciphertext: This is the scrambled message produced as output. It
depends on the plaintext and the key. For a given message, two different
keys will produce two different ciphertexts.
Decryption algorithm: This algorithm accepts the ciphertext and the
matching key and produces the original plaintext.
The essential steps are the following.
1. Each user generates a pair of keys to be used for the encryption and decryp-
tion of messages.
2. Each user places one of the two keys in a public register or other accessible
file.This is the public key.The companion key is kept private.As Figure 9.1a
suggests,each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the
message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her private key. No
other recipient can decrypt the message because only Alice knows Alice’s
private key.
There is some source A that produces a message in plaintext, X = [X 1 , X 2 , . . .
, X M ]. The M elements of X are letters in some finite alphabet. The message is
intended for destination B. B generates a related pair of keys: a public key, PU b
, and a private key, PR b . PR b is known only to B, whereas PU b is publicly
available and therefore accessible by A.With the message X and the encryption
key PU b as input, A forms the ciphertext Y = [Y 1 , Y 2 , . . . , Y N ]:
Y = E(PU b , X)

The intended receiver, in possession of the matching private key, is able to

invert the transformation:
It is, however, possible to provide both the authentication function and confi-
dentiality by a double use of the public-key scheme (Figure 9.4):
Fundamental Theorem of arithmetic
Fermat’s Theorem
An integer p >1 is a prime number if and only if its only divisors 2 are (+/-)1
and (+/-)p . Prime numbers play a critical role in number theory and in the
techniques discussed.

Fermat’s theorem states the following: If p is prime and a is a positive integer

not divisible by p , then

An alternative form of Fermat’s theorem is also useful: If p is prime and a is a

positive integer, then
Euler’s Totient Function
Euler’s totient function, written Ф(n) , and defined as the number of positive
integers less than n and relatively prime to n . By convention,
Ф(1) = 1 .

Refer the rules from lecture note..

Euler’s Theorem
Euler’s theorem states that for every a and n that are relatively prime:
RSA Algorithm
RSA was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT
and first published in 1978

Description of the Algorithm

Encryption and decryption are of the following form, for some plaintext block
M and ciphertext block C:
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n
Both sender and receiver must know the value of n. The sender knows the
value of e, and only the receiver knows the value of d. Thus, this is a public-key
encryption algorithm with a public key of PU = {e, n} and a private key of PU =
{d, n}. For this algorithm to be satisfactory for public-key encryption

The ingredients are the following:

p,q, two prime numbers (private, chosen)

n = pq (public,
calculated)

e, with gcd(f(n),e) = 1;1 (public, chosen)

< e < f(n)

d= e1(mod f(n)) (private,

calculated)

The private key consists of {d, n} and the public key consists of {e, n}.
Suppose that user A has published its public key and that user B wishes to send
the message M to A. Then B calculates C = Me modn and transmits C. On
receipt of this ciphertext, user A decrypts by calculating M = Cd mod n.

Example

1. Select two prime numbers, p = 17 and q = 11.

2. Calculate n = pq = 17 x 11 = 187.
 3. Calculate f(n) = (p 1)(q 1) = 16 x 10 = 160.
4. Select e such that e is relatively prime to f(n) = 160 and less than f(n)
we choose e = 7.
5. Determine d such that de = 1 (mod 160) and d < 160. The correct
value is d = 23, because 23 x 7 = 161 = 10 x 160 + 1; d can be
calculated using the extended Euclid's algorithm
1.
Algorithm Steps

An Example Illustrated
The Security of RSA
Four possible approaches to attacking the RSA algorithm are as follows:
Brute force: This involves trying all possible private keys.
Mathematical attacks: There are several approaches, all equivalent in
effort to factoring the product of two primes.
Timing attacks: These depend on the running time of the decryption
algorithm.
Chosen ciphertext attacks: This type of attack exploits properties of
the RSA algorithm.

RSA Probelm – Solution

Perform encryption and decryption using RSA alg. For the following.
P=7; q=11; e=17; M=8.
Soln:
n=pq
n=7*11=77
ö(n)=(p-1) (q-1)
=6*10 = 60
e=17
d =27
C= Me mod n
C = 817 mod 77
= 57
M = Cd mod n
= 5727 mod 77
=8

Key Management

Distribution of Public Keys

Several techniques have been proposed for the distribution of public keys.
Virtually all these proposals can be grouped into the following general
schemes:
Public announcement
Publicly available directory
Public-key authority
Public-key certificates
Public Announcement of Public Keys

Publicly Available Directory

A greater degree of security can be achieved by maintaining a publicly
available dynamic directory of public keys. Maintenance and distribution of the
public directory would have to be the responsibility of some trusted entity or
organization.
The authority maintains a directory with a {name, public key} entry for each
participant.
1.Each participant registers a public key with the directory authority.
Registration would have to be in person or by some form of secure
authenticated communication.

Stronger security for public-key distribution can be achieved by providing

tighter control over the distribution of public keys from the directory.
Public-Key Authority
The following diagram illustrates this method
1. A sends a timestamped message to the public-key authority
containing a request for the current public key of B
2. The authority responds with a message that is encrypted using the
authority's private key, PRauth Thus, A is able to decrypt the message
using the authority's public key. Therefore, A is assured that the message
originated with the authority
 3. A stores B's public key and also uses it to encrypt a message to B
containing an identifier of A (IDA) and a nonce (N1), which is used to
identify this transaction uniquely.
4. B retrieves A's public key from the authority in the same manner as A
retrieved B's public key.

At this point, public keys have been securely delivered to A and B, and
they may begin their protected exchange
5. B sends a message to A encrypted with PUa and containing A's nonce
(N1) as well as a new nonce generated by B (N2) Because only B could
have decrypted message (3), the presence of N1 in message (6) assures
A that the correspondent is B.
6. A returns N2, encrypted using B's public key, to assure B that its
correspondent is A

Public-Key Certificates
1. Any participant can read a certificate to determine the name and public key
of the certificate's owner.
2. Any participant can verify that the certificate originated from the
certificate authority and is not counterfeit.
3. Only the certificate authority can create and update certificates.
4 Any participant can verify the currency of the certificate.
CA = E(PRauth, [T||IDA||PUa])
where PRauth is the private key used by the authority and T is a timestamp. A
may then pass this certificate on to any other participant, who reads and
verifies the certificate as follows:
D(PUauth, CA) = D(PUauth, E(PRauth, [T||IDA||PUa])) = (T||IDA||PUa)

Diffie-Hellman Key Exchange

The purpose of the algorithm is to enable two users to securely exchange a key
that can then be used for subsequent encryption of messages. The algorithm
itself is limited to the exchange of secret values.
For this scheme, there are two publicly known numbers:
a prime number q and an integer that is a primitive root of q.
Suppose the users A and B wish to exchange a key. User A selects a random
integer XA < q and computes YA = aXA mod q. Similarly, user B independently
selects a random integer XA < q and computes YB = aXB mod q.
Each side keeps the X value private and makes the Y value available publicly to
the other side.
User A computes the key as K = (YB)XA mod q and user B computes the key
as K = (YA)XB mod q.
The Algorithm
The result is that the two sides have exchanged a secret value.The Diffie-
Hellman algorithm depends for its effectiveness on the difficulty of computing
discrete logarithms

Example
User A & B exchange the key using Diffie Hellman alg. Assume
á=5 q=11 XA=2 XB=3. Find YA, YB, K.
Soln:
YA = áXA mod q
=52 mod 11
=3
YB = áXB mod q
= 53 mod 11
=4
KA = YBXA mod q
= 42 mod 11
=5
KB = YAXB mod q
= 33 mod 11
=5
Comparison of RSA & DES