Module 2 (Part 2)

The document provides an overview of Advanced Encryption Standard (AES) and finite field arithmetic, detailing the mathematical structures of rings, fields, and finite fields, particularly Galois Fields. It explains the AES algorithm, its structure, transformation functions, and key expansion process, highlighting its design as a symmetric key block cipher with varying key lengths. AES is noted for its efficiency and security, having been selected as a replacement for DES in 2001.

ADVANCED ENCRYPTION STANDARD (AES)
FINITE FIELD ARITHMETIC
RING
 A set of “numbers” with two operations (addition and multiplication) which are:
a) An abelian group under the addition operation
b) Multiplication:
 has closure
 is associative
 is distributive over addition: a(b + c) = ab + ac
 A ring is a set in which we can do addition, subtraction, and multiplication without leaving the set.
 If the multiplication operation is commutative, it forms a commutative ring.
 If the multiplication operation has inverses and no zero divisors, it forms an integral domain.
FIELD
 A field is a commutative ring in which every nonzero element is invertible.
 A field, denoted F, is a structure that supports two pairs of operations:
 addition/subtraction
 multiplication/division
 There is one exception: division by zero is not allowed.
▪ A field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set.
▪ Division is defined by the rule a/b = a · b^-1 (multiplication by the multiplicative inverse of b).
 Examples of fields are the rational numbers, the real numbers, and the complex numbers.
FINITE FIELD
 A finite field is a field with a finite number of elements.
 Cryptographic algorithms and protocols process messages as numbers or elements in a finite space.
 Finite fields play a crucial role in many cryptographic algorithms.
 An example of a finite field is the set Z_p consisting of all the integers {0, 1, ..., p - 1}, where p is a prime number and in which arithmetic is carried out modulo p.
FINITE, OR GALOIS FIELDS
 For a field to be finite, the number of elements must be p^n, where p is a prime and n is a positive integer.
 The finite field of order p^n is generally written GF(p^n).
 GF stands for Galois Field, in honor of the mathematician who first studied finite fields.
 A finite field is also known as a Galois* Field.
 We often use the fields:
 GF(p)
 GF(2^n)

*Evariste Galois (1811-1832), French mathematician


FINITE FIELDS OF THE FORM GF(p)

 When n = 1, we have the GF(p) field.
 For a given prime p, the finite field of order p, GF(p), is defined as the set Z_p of integers {0, 1, ..., p - 1}, together with the arithmetic operations modulo p.
 Example: GF(2) with the set {0, 1} and two operations, addition and multiplication.
FINITE FIELDS OF THE FORM GF(p)…

 Example: GF(5)
FINITE FIELDS OF THE FORM GF(2^n)
 GF(2^n) fields
 use a set of 2^n elements
 The elements in this set are n-bit words.
 For example, if n = 3, the set is {000, 001, 010, 011, 100, 101, 110, 111}
 Define a set of n-bit words and two new operations that satisfy the properties defined for a field.
AN EXAMPLE OF A GF(2^2) FIELD

 Let us define a GF(2^2) field in which the set has four 2-bit words: {00, 01, 10, 11}.
 Each word is the additive inverse of itself.
 Every word (except 00) has a multiplicative inverse.
 The multiplicative inverse pairs are (01, 01) and (10, 11).
 Addition and multiplication are defined in terms of polynomials.
GF(2^n) FIELDS

 Addition is performed by taking the bitwise XOR of two n-bit elements.
 Multiplication of polynomials in GF(2^8) (n = 8) with the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1 can be achieved using left-shift and exclusive-OR operations.
 Consider two elements A = (a7 a6 … a1 a0) and B = (b7 b6 … b1 b0).
 The sum A + B has bits a_i XOR b_i.
 The multiplication {02} · A equals (a6 … a1 a0 0) if a7 = 0 and equals (a6 … a1 a0 0) XOR (00011011) if a7 = 1; the constant 00011011 is the low byte of m(x), i.e. the reduction step.
 Division is achieved by finding the multiplicative inverse.
FINITE FIELD ARITHMETIC - SUMMARY
• If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field: division requires that each nonzero element have a multiplicative inverse.
• For convenience and for implementation efficiency we would like to work with integers that fit exactly into a given number of bits with no wasted bit patterns: integers in the range 0 through 2^n - 1, which fit into an n-bit word.
• The set of such integers, Z_{2^n}, using modular arithmetic, is not a field: for example, the integer 2 has no multiplicative inverse in Z_{2^n}, that is, there is no integer b such that 2b mod 2^n = 1.
• A finite field containing 2^n elements is referred to as GF(2^n); every polynomial in GF(2^n) can be represented by an n-bit number.
ADVANCED ENCRYPTION STANDARD (AES)
https://www.cryptool.org/en/cto/aes-animation
ADVANCED ENCRYPTION STANDARD (AES)
 Needed a better replacement for DES
 NIST called for proposals in 1997 with criteria: security, computational efficiency, memory requirements, hardware and software suitability, and flexibility with 128-, 192- and 256-bit keys.
 Selected Rijndael in Nov 2001
 The Advanced Encryption Standard (AES) is a symmetric key block cipher
 Uses 128-bit data & 128/192/256-bit keys
 AES was published as FIPS 197 in December 2001.
 Now widely available commercially

VIT/SCOPE/BCSE309-CNS/MODULE 2
AES…

 AES is a non-Feistel cipher that encrypts and decrypts a plaintext block of 128 bits (16 bytes).
 The cipher consists of N rounds, where the number of rounds depends on the key length.
 AES has defined three versions, with 10, 12, and 14 rounds.
 The key size can be 16, 24 or 32 bytes (128, 192, or 256 bits), depending on the number of rounds.
 The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length.
▪ AES operates on 8-bit bytes.
▪ The addition of two bytes is defined as the bitwise XOR operation.
▪ Multiplication of two bytes is defined as multiplication in the finite field GF(2^8), with the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1.
GENERAL DESIGN OF AES ENCRYPTION CIPHER

AES STRUCTURE

 The input to the encryption and decryption algorithms is a single 128-bit block.
 This block is copied into the state array.
 States, like blocks, are made of 16 bytes, but normally are treated as matrices of 4 × 4 bytes.
 In this case, each element of a state is referred to as s_{r,c}, where r (0 to 3) defines the row and c (0 to 3) defines the column.
AES STRUCTURE…

 Example of changing plaintext to state
 Consider the plaintext “AES uses a matrix”.
STRUCTURE OF EACH ROUND
 The first N - 1 rounds consist of four distinct
transformation functions:
 SubBytes
 ShiftRows
 MixColumns
 AddRoundKey
 The final round contains only 3 transformations
 There is an initial single transformation
(AddRoundKey) before the first Round (Round 0).
AES Encryption Round
AES TRANSFORMATION FUNCTIONS

01 Substitute Bytes | 02 Shift Rows | 03 Mix Columns | 04 Add Round Key
SUBSTITUTE BYTES TRANSFORMATION

 The forward substitute byte transformation, called SubBytes, is a simple table lookup.
 AES defines a 16 × 16 matrix of byte values, called an S-box, that contains a permutation of all possible 256 8-bit values.
SUBSTITUTE BYTES TRANSFORMATION
S-Box

SUBSTITUTE BYTES TRANSFORMATION…
Inverse S-Box
SUBSTITUTE BYTES TRANSFORMATION…
EXAMPLE FOR SUBBYTES TRANSFORMATION

TRANSFORMATION USING THE GF(2^8) FIELD

• Transformation using the GF(2^8) field with the irreducible polynomial x^8 + x^4 + x^3 + x + 1
• The SubBytes transformation repeats a routine, called subbyte, 16 times.
• The InvSubBytes transformation repeats a routine called invsubbyte.
• Each iteration transforms one byte.
• Multiplication and addition of bits are done in GF(2).
SHIFT ROWS TRANSFORMATION

 In the forward ShiftRows transformation, shifting is to the left.
 The number of shifts depends on the row number (0, 1, 2, or 3) of the state matrix.
SHIFT ROWS TRANSFORMATION…

 Example for ShiftRows transformation

MIX COLUMN TRANSFORMATION

 The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.
 The transformation is actually the matrix multiplication of a state column by a constant square matrix.
Constant matrices used by MixColumns and InvMixColumns
MIX COLUMN TRANSFORMATION…

 The transformation can be defined by the following matrix multiplication on State
MIX COLUMN TRANSFORMATION…

 Example for MixColumns transformation
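An added worked example, not code from the slides: MixColumns on one state column implemented with nothing but the {02}·A shift-and-XOR rule from the GF(2^8) slides ({03}·A is {02}·A XOR A), checked against a standard published test column, with InvMixColumns obtained by applying MixColumns three times, which works because the MixColumns matrix has order 4 over GF(2^8). The function names, the helper `practice_question_2` and the use of the practice-question column A1 B2 C3 D4 are this example's own; the numbers it prints are computed here, not taken from the slides.

```python
# Added example, not from the slides: MixColumns/InvMixColumns on a column using only xtime.

def xtime(a: int) -> int:
    """{02} . a in GF(2^8): shift left and, if bit a7 was set, XOR the reduction constant 0x1B."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def mix_column(col):
    """Multiply the column (a0, a1, a2, a3) by the MixColumns matrix
       [02 03 01 01; 01 02 03 01; 01 01 02 03; 03 01 01 02], using {03}.a = {02}.a ^ a."""
    a0, a1, a2, a3 = col
    return [
        xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3,
        a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3,
        a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3,
        xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3),
    ]

def inv_mix_column(col):
    """InvMixColumns: the MixColumns matrix M satisfies M^4 = I over GF(2^8), so M^-1 = M^3;
       applying MixColumns three times inverts it without the 09/0b/0d/0e multipliers."""
    for _ in range(3):
        col = mix_column(col)
    return col

def mix_columns(state):
    """MixColumns on a full 4x4 state stored column by column as 16 bytes (the FIPS-197 layout)."""
    return [b for c in range(4) for b in mix_column(state[4 * c:4 * c + 4])]

def inv_mix_columns(state):
    return [b for c in range(4) for b in inv_mix_column(state[4 * c:4 * c + 4])]

def bits_changed(a, b) -> int:
    """Hamming distance between two byte sequences."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def practice_question_2():
    """Worked form of practice question 2: forward transform, inverse check and avalanche count."""
    col = [0xA1, 0xB2, 0xC3, 0xD4]
    out = mix_column(col)
    assert inv_mix_column(out) == col            # B) InvMixColumns undoes MixColumns
    changed = mix_column([0xA3, 0xB2, 0xC3, 0xD4])
    return out, bits_changed(out, changed)       # A) the output, C) bits changed for A1 -> A3

if __name__ == "__main__":
    out, n = practice_question_2()
    print("MixColumns(A1 B2 C3 D4) =", " ".join(f"{b:02X}" for b in out))
    print("bits changed in the output after A1 -> A3:", n)
```

The three-fold application is a convenient trick for a teaching implementation; production code normally uses the inverse matrix directly because it costs one pass instead of three.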
ADD ROUND KEY TRANSFORMATION

 AddRoundKey also proceeds one column at a time.
 It adds a round key word to each state column.
 The 128 bits of State are bitwise XORed with the 128 bits of the round key.
ADD ROUND KEY TRANSFORMATION…

 Example for AddRoundKey transformation

Inputs for Single AES Round

AES KEY EXPANSION
 The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes).
AES KEY EXPANSION…

 The key-expansion routine creates Nr + 1 128-bit round keys from one single 128-bit cipher key.
 The key-expansion routine creates round keys word by word, where a word is an array of four bytes.
 The routine creates 4 × (Nr + 1) words that are called w_0, w_1, w_2, …, w_{4(Nr+1)-1}.
 Each round key is made of four words.
Key expansion in AES-128

AES KEY EXPANSION…
Round Constants
 Each round constant, Rcon, is a 4-byte value in which the rightmost three bytes are always zero.
 The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1 and RC[j] = 2 · RC[j - 1], with multiplication defined over the field GF(2^8).
Rcon constants
EXAMPLE ROUND KEY CALCULATION

 Suppose that the round key for round 8 is
EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
 Then the first 4 bytes (first column) of the round key for round 9 are calculated as:
KEY EXPANSION EXAMPLE
MORE ABOUT ROUND KEYS
 The two sets of round keys can be created from two cipher keys that are different only in one bit.
 Cipher Key 1: 12 45 A2 A1 23 31 A4 A3 B2 CC AA 34 C2 BB 77 23
 Cipher Key 2: 12 45 A2 A1 23 31 A4 A3 B2 CC AB 34 C2 BB 77 23
 There are significant differences between the two corresponding round keys
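An added example, not code from the slides, that ties the preceding material together: the shift-and-XOR multiplication from the GF(2^n) slides, the S-box computed as FIPS-197 defines it (GF(2^8) inverse followed by the affine map over GF(2), the "transformation using the GF(2^8) field" slide), the Rcon sequence RC[j] = 2 · RC[j-1], and the AES-128 key expansion. It is checked against the FIPS-197 Appendix A.1 key 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c, whose round-8 key is exactly the EA D2 73 21 … value on the slide, and it counts how many round-key bits differ for the slide's two cipher keys that are one bit apart. The function names and the `has_inverse_mod` check (the Z_{2^n} contrast from the summary slide) are this example's own.

```python
# Added example, not from the slides: GF(2^8) arithmetic, S-box derivation, Rcon and the
# AES-128 key schedule, checked against the FIPS-197 Appendix A.1 expansion.

AES_REDUCE = 0x1B   # low byte of m(x) = x^8 + x^4 + x^3 + x + 1; XORed in when a7 overflows

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) by shift-and-XOR: the {02}.A rule applied once per bit of b."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_REDUCE
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (the nonzero elements form a group of order 255); inv(0) := 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0

def has_inverse_mod(a: int, m: int) -> bool:
    """Integer contrast from the summary slide: does some b satisfy a*b mod m == 1?"""
    return any(a * b % m == 1 for b in range(m))

def sbox_entry(x: int) -> int:
    """SubBytes of one byte as FIPS-197 defines it: GF(2^8) inverse, then the affine map over GF(2)."""
    b = gf_inv(x)
    s = b
    for _ in range(4):                           # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
        b = ((b << 1) | (b >> 7)) & 0xFF
        s ^= b
    return s ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]

def rc_values(count: int) -> list:
    """RC[1] = 1, RC[j] = {02} . RC[j-1] in GF(2^8); returns [RC[1], ..., RC[count]]."""
    rc = [1]
    while len(rc) < count:
        rc.append(gf_mul(rc[-1], 2))
    return rc

RC = rc_values(10)

def expand_key_128(key: bytes) -> list:
    """AES-128 key expansion: 16-byte key -> 44 words w0..w43 (11 round keys of 4 words)."""
    assert len(key) == 16
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]               # RotWord
            temp = [SBOX[b] for b in temp]           # SubWord
            temp[0] ^= RC[i // 4 - 1]                # XOR Rcon[i/4] = (RC[i/4], 0, 0, 0)
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], temp)))
    return w

def round_key(words: list, r: int) -> bytes:
    return b"".join(words[4 * r:4 * r + 4])

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def round_key_distances(key1: bytes, key2: bytes) -> list:
    """Bits that differ between the two keys' round keys, for rounds 0 .. 10."""
    w1, w2 = expand_key_128(key1), expand_key_128(key2)
    return [hamming(round_key(w1, r), round_key(w2, r)) for r in range(11)]

if __name__ == "__main__":
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
    w = expand_key_128(fips_key)
    print("round key 8:", round_key(w, 8).hex())   # ead27321b58dbad2312bf5607f8d292f, as on the slide
    print("round key 9:", round_key(w, 9).hex())
    k1 = bytes.fromhex("1245A2A12331A4A3B2CCAA34C2BB7723")          # the slide's Cipher Key 1
    k2 = bytes.fromhex("1245A2A12331A4A3B2CCAB34C2BB7723")          # Cipher Key 2, one bit apart
    print("differing bits per round key:", round_key_distances(k1, k2))
```

The last line of output shows the point of the "more about round keys" slide: round key 0 differs in the single flipped bit, and the difference spreads through the schedule round by round.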
KEY EXPANSION IN AES-192 AND AES-256

 In AES-192, the words are generated in groups of six instead of four.
a) The cipher key creates the first six words (w_0 to w_5).
b) If i mod 6 ≠ 0, w_i ← w_{i-1} + w_{i-6}; otherwise, w_i ← t + w_{i-6}.
 In AES-256, the words are generated in groups of eight instead of four.
a) The cipher key creates the first eight words (w_0 to w_7).
b) If i mod 8 ≠ 0, w_i ← w_{i-1} + w_{i-8}; otherwise, w_i ← t + w_{i-8}.
c) If i mod 4 = 0, but i mod 8 ≠ 0, then w_i = SubWord(w_{i-1}) + w_{i-8}.
AVALANCHE EFFECT IN AES: CHANGE IN PLAINTEXT
AVALANCHE EFFECT IN AES: CHANGE IN KEY
AES Decryption

ANALYSIS OF AES

Security: AES was designed after DES. Most of the known attacks on DES were already tested on AES; none of them has broken the security of AES so far.
Implementation: AES can be implemented in software, hardware, and firmware. The implementation can use a table lookup process or routines that use a well-defined algebraic structure. The transformation can be either byte-oriented or word-oriented.
Simplicity and Cost: The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.
PRACTICE QUESTIONS

1. Given the plaintext {0F0E0D0C0B0A09080706050403020100} and the key {02020202020202020202020202020202}:
a) Show the original contents of State, displayed as a 4 × 4 matrix.
b) Show the value of State after the initial AddRoundKey.
c) Show the value of State after SubBytes.
d) Show the value of State after ShiftRows.
e) Show the value of State after MixColumns.
PRACTICE QUESTIONS

2. A) Compute the output of the MixColumns transformation for the following sequence of input bytes “A1 B2 C3 D4”.
B) Apply the InvMixColumns transformation to the obtained result to verify your calculations.
C) Change the first byte of the input from “A1” to “A3”, perform the MixColumns transformation again for the new input, and determine how many bits have changed in the output.
INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)
INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)

 A block cipher that operates on 64-bit data blocks with a 128-bit key
 Invented by Xuejia Lai and James Massey in 1990.
 Design principle is the “mixing of arithmetic operations from different algebraic groups”
 Operations involved are:
 Exclusive OR
 Addition modulo 2^16
 Multiplication modulo 2^16 + 1
Overall Structure of IDEA (figure): the 64-bit plaintext is split into X1 X2 X3 X4; Round 1 uses subkeys K1 to K6, Round 2 uses K7 to K12, …, Round 8 uses K43 to K48; the Output Transformation uses K49 to K52 and yields Y1 Y2 Y3 Y4, the 64-bit ciphertext. All subkeys come from the Subkey Generation Algorithm driven by the 128-bit key.
ROUND TRANSFORMATION OF IDEA

 The 64-bit data block is divided into four 16-bit blocks: X1, X2, X3, X4.
 These 4 blocks are processed through 8 rounds, each with six 16-bit subkeys.
 Six subkeys are used in each of the eight rounds, and the final 4 subkeys are used in the final output transformation.
 The sequence of operations in each round is as follows:
1. Multiply X1 and the first subkey
2. Add X2 and the second subkey
3. Add X3 and the third subkey
ROUND TRANSFORMATION OF IDEA…

4. Multiply X4 and the fourth subkey
5. XOR the results of steps 1 and 3
6. XOR the results of steps 2 and 4
7. Multiply the result of step 5 with the fifth subkey
8. Add the results of steps 6 and 7
9. Multiply the result of step 8 with the sixth subkey
10. Add the results of steps 7 and 9
ROUND TRANSFORMATION OF IDEA…
11. XOR the results of steps 1 and 9
12. XOR the results of steps 3 and 9
13. XOR the results of steps 2 and 10
14. XOR the results of steps 4 and 10
 The outputs of steps 11, 12, 13, and 14 are stored in 4 words of 16 bits each: Y1, Y2, Y3, Y4
 Blocks Y2 and Y3 are swapped
 The resultant 4 blocks are the output of a round of IDEA
 Swapping occurs in every round up to, but not including, the final round (round 8).
Single Round of IDEA (figure): inputs x1 x2 x3 x4, outputs Y1 Y2 Y3 Y4

Final Output Transformation Stage of IDEA (figure): inputs Y1 Y2 Y3 Y4, outputs C1 C2 C3 C4
SUBKEY GENERATION

 Fifty-two 16-bit subkeys are generated from the 128-bit encryption key.
 The scheme for generation is as follows.
 The first eight subkeys, labeled K1, K2, K3, K4, K5, K6, K7, K8, are taken directly from the key, with K1 being equal to the first 16 bits, K2 corresponding to the next 16 bits, and so on.
 Then a circular left shift of 25 bit positions is applied to the entire 128-bit key, and the next eight subkeys are extracted.
 This procedure is repeated until all 52 subkeys are generated.
DECRYPTION IN IDEA

 The decryption process uses the same steps as the encryption process.
 However, different 16-bit key subblocks are generated.
 The subkeys are reversed (either the multiplicative or the additive inverse of the encryption keys).
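An added example, not code from the slides or from any IDEA implementation the course refers to: the fourteen-step round, the 25-bit-rotation subkey schedule and decryption by inverted subkeys, in Python, checked against the standard published IDEA test vector. The function names are this example's own. Two details the slides leave implicit are made explicit in the code: the 16-bit value 0 stands for 2^16 in the multiplication modulo 2^16 + 1, and steps 12 and 13 already deliver the inner blocks in swapped order, so the final round simply leaves them unswapped before the output transformation.

```python
# Added example, not from the slides: IDEA's round, subkey schedule and decryption in Python.

MASK16 = 0xFFFF
MASK128 = (1 << 128) - 1

def mul(a: int, b: int) -> int:
    """Multiplication modulo 2^16 + 1; the 16-bit value 0 represents 2^16 (IDEA's convention)."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % 0x10001) & MASK16

def add(a: int, b: int) -> int:
    """Addition modulo 2^16."""
    return (a + b) & MASK16

def mul_inv(a: int) -> int:
    return pow(a or 0x10000, -1, 0x10001) & MASK16

def add_inv(a: int) -> int:
    return (-a) & MASK16

def subkeys(key: int) -> list:
    """52 subkeys: eight 16-bit slices, then eight more after each circular left shift by 25 bits."""
    ks, k = [], key & MASK128
    while len(ks) < 52:
        ks.extend((k >> (112 - 16 * i)) & MASK16 for i in range(8))
        k = ((k << 25) | (k >> 103)) & MASK128
    return ks[:52]

def idea_round(x1, x2, x3, x4, k):
    """The fourteen steps on the slides; k holds the round's six subkeys."""
    s1, s2, s3, s4 = mul(x1, k[0]), add(x2, k[1]), add(x3, k[2]), mul(x4, k[3])
    s5, s6 = s1 ^ s3, s2 ^ s4
    s7 = mul(s5, k[4])
    s8 = add(s6, s7)
    s9 = mul(s8, k[5])
    s10 = add(s7, s9)
    return s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10      # steps 11-14: inner blocks already swapped

def idea_crypt(block: int, ks: list) -> int:
    """Encrypt one 64-bit block; decryption is the same routine run with decryption_subkeys()."""
    x = [(block >> s) & MASK16 for s in (48, 32, 16, 0)]
    for r in range(8):
        y1, y2, y3, y4 = idea_round(*x, ks[6 * r:6 * r + 6])
        x = [y1, y2, y3, y4] if r < 7 else [y1, y3, y2, y4]   # no swap after the final round
    k = ks[48:52]
    y = [mul(x[0], k[0]), add(x[1], k[1]), add(x[2], k[2]), mul(x[3], k[3])]
    return (y[0] << 48) | (y[1] << 32) | (y[2] << 16) | y[3]

def decryption_subkeys(ks: list) -> list:
    """Reverse the schedule: multiplicative inverses for the 'multiply' keys, additive inverses
       for the 'add' keys, output-transformation keys first, and the two middle keys swapped
       for every group except the first and the last."""
    dk = []
    for r in range(9):
        i = 48 if r == 0 else 6 * (8 - r)
        a, b, c, d = ks[i:i + 4]
        if r in (0, 8):
            dk += [mul_inv(a), add_inv(b), add_inv(c), mul_inv(d)]
        else:
            dk += [mul_inv(a), add_inv(c), add_inv(b), mul_inv(d)]
        if r < 8:
            j = 6 * (7 - r) + 4
            dk += ks[j:j + 2]
    return dk

if __name__ == "__main__":
    key = 0x00010002000300040005000600070008       # published IDEA test key
    pt = 0x0000000100020003
    ks = subkeys(key)
    ct = idea_crypt(pt, ks)
    print(f"ciphertext {ct:016x}")                 # expected 11fbed2b01986de5
    print(f"recovered  {idea_crypt(ct, decryption_subkeys(ks)):016x}")
```

Running the file prints the ciphertext and the recovered plaintext; `subkeys` on the test key also reproduces the textbook values K9 to K16 = 0400 0600 0800 0A00 0C00 0E00 1000 0200, which is a quick way to confirm the 25-bit rotation.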
MODES OF OPERATION

 Block ciphers encrypt fixed-size blocks
 Example: DES encrypts 64-bit blocks, with a 56-bit key
 We need a way to use them in practice, given that there is usually an arbitrary amount of information to encrypt
 Modes of operation have been devised to encipher text of any size employing either DES or AES
MODES OF OPERATION

• A technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application
• To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST (SP 800-38A)
• The five modes are intended to cover a wide variety of applications of encryption for which a block cipher could be used
• These modes are intended for use with any symmetric block cipher, including triple DES and AES
MODES OF OPERATION
 Electronic Codebook Mode (ECB)
 Cipher Block Chaining (CBC)
 Cipher Feedback (CFB)
 Output Feedback (OFB)
 Counter (CTR)
ELECTRONIC CODE BOOK (ECB) MODE
 Plaintext is handled one block at a time and each block of plaintext is encrypted using the same key
 The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext.
 ECB mode can be defined as:

 ECB mode is used only to secure messages shorter than a single block of the underlying cipher
 If the same b-bit block of plaintext appears more than once in the message, it always produces the same ciphertext.
 For lengthy messages, the ECB mode may not be secure.
ECB MODE…

 Patterns at the block level are preserved
 The block independence creates opportunities for the adversary to exchange some ciphertext blocks without knowing the key.
 A single-bit error in transmission can create errors in several bits (normally half of the bits or all bits) in the corresponding block.
 Applications
 Random access to database records
 Parallel processing
CIPHER BLOCK CHAINING (CBC) MODE

 The input to the encryption algorithm is the XOR of the current plaintext block and
the preceding ciphertext block; the same key is used for each block.
 The input to the encryption function for each plaintext block bears no fixed
relationship to the plaintext block.
 To produce the first block of ciphertext, an initialization vector (IV) is XORed with
the first block of plaintext.
 The IV is a data block that is the same size as the cipher block.
 The IV must be known to both the sender and receiver but be unpredictable by a
third party.
CBC MODE…

 CBC Mode is defined as:

 In CBC mode, a single bit error in ciphertext block C_j during transmission may create errors in most bits of plaintext block P_j during decryption. However, this single error toggles only one bit in plaintext block P_{j+1} (the bit in the same location).
 CBC is an appropriate mode for encrypting messages of length greater than b bits.
 CBC mode can be used for achieving confidentiality and authentication.
EXAMPLE

 Using the CBC mode of operation, encrypt the given plaintext blocks
using the provided key and IV.
 Block size: 16 bits
 Initialization Vector (IV): 1011011100110101
 Key: 1010101010101010
 Plaintext block 1: 1100101011110010
 Plaintext block 2: 0011101010101001
CIPHER FEEDBACK MODE
 For AES, DES, or any block cipher, encryption is performed on a block of b bits
 In the case of DES b = 64
 In the case of AES b = 128
 The CFB mode of operation can be used to encipher blocks of small size such as one character or bit at a time
 Three modes make it possible to convert a block cipher into a stream cipher:
 Cipher feedback (CFB) mode
 Output feedback (OFB) mode
 Counter (CTR) mode
CFB MODE…

 As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext.
 Rather than blocks of b bits, the plaintext is divided into segments of s bits.
 The input to the encryption function is a b-bit shift register that is initially set to some initialization vector (IV).
 Encryption is done by exclusive-ORing an s-bit plaintext block with s bits of the shift register.
 Decryption is done by exclusive-ORing an s-bit ciphertext block with s bits of the shift register.
 In CFB mode, encipherment and decipherment use the encryption function of the underlying block cipher.
CFB MODE…

 In CFB, a single bit error in ciphertext block C_j during transmission creates a single bit error (at the same position) in plaintext block P_j.
 However, most of the following plaintext blocks are in error (with 50 percent probability) as long as some bits of C_j are still in the shift register.
CFB MODE…

 Advantages
 No padding is required
 The system does not have to wait until it has received a large block of data (64 bits or 128 bits) before starting the encryption.
 Disadvantages
 CFB is less efficient than CBC or ECB, because it needs to apply the encryption function of the underlying block cipher for each small block of s bits.
EXAMPLE

 Using the CFB mode of operation, encrypt the given plaintext blocks using the
provided key and IV.
 Block size: n=16 bits and s=8 bits
 Initialization Vector (IV): 1011011100110101
 Key: 1010101010101010
 Plaintext block 1: 11001011
 Plaintext block 2: 10101001
OUTPUT FEEDBACK (OFB) MODE

 The output feedback (OFB) mode is similar in structure to that of CFB.
 Each bit in the ciphertext is independent of the previous bit or bits. This avoids error propagation.
 The output of the encryption function is fed back to become the input for encrypting the next block of plaintext.
 OFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operates on an s-bit subset.
 As with CBC and CFB, the OFB mode requires an initialization vector, and the IV must be a nonce.
OFB MODE…

 We can define OFB mode as:


OUTPUT FEEDBACK (OFB) MODE…

 OFB has the structure of a typical stream cipher.
 One advantage of the OFB method is that bit errors in transmission do not propagate.
 A single error in the ciphertext affects only the corresponding bit in the plaintext.
 The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than CFB.
EXAMPLE

 Consider a block cipher with a block size of 16 bits. Using the Output
Feedback (OFB) mode of operation, the encryption process starts with
an Initialization Vector (IV) of 1011011010110110. The key is
1100110011001100. Encrypt the plaintext 1111000011110000
1100101011110010 using the provided IV and key.
COUNTER MODE
 In the counter (CTR) mode, there is no feedback.
 A counter equal to the plaintext block size is used; the counter value must be different for each plaintext block that is encrypted.
 An n-bit counter is initialized to a pre-determined value (IV) and incremented by 1 for each subsequent block (mod 2^b).
 For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is no chaining.
 For decryption, the same sequence of counter values is used, with each encrypted counter XORed with a ciphertext block to recover the corresponding plaintext block.
 As with the OFB mode, the initial counter value must be a nonce.
COUNTER MODE

 We can define Counter mode as:

 A single error in the ciphertext affects only the corresponding bit in the
plaintext.
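An added example, not code from the slides: ECB, CBC, CFB (full-block, s = b), OFB and CTR written over a constructed 16-bit Feistel toy cipher, so the error-propagation statements on the CBC, CFB, OFB and CTR slides can be checked by flipping one ciphertext bit and counting the corrupted plaintext bits block by block. The toy cipher, its key schedule and all function names are this example's own and carry no security claim; the key and IV are the CBC slide's values and the first two plaintext blocks are the slide's, the other two are constructed. Because the exercise on the CBC slide does not specify its block cipher, the ciphertexts computed here are not its intended answers.

```python
# Added example, not from the slides: the five NIST modes over a constructed 16-bit toy
# block cipher, used to watch how a single flipped ciphertext bit propagates on decryption.

ROUNDS = 6
MASK16 = 0xFFFF

def _subkey(key: int, i: int) -> int:
    # Hypothetical toy key schedule: one 8-bit subkey per round from the 16-bit key.
    return ((key >> ((3 * i) % 16)) ^ (key >> 7) ^ (0x5A * (i + 1))) & 0xFF

def _f(r: int, k: int) -> int:
    # Hypothetical toy round function; a Feistel network is invertible whatever f is.
    v = ((r ^ k) * 0xB5 + 0x31) & 0xFF
    return ((v << 3) | (v >> 5)) & 0xFF

def toy_encrypt(block: int, key: int) -> int:
    """Six-round Feistel network on a 16-bit block (8-bit halves)."""
    l, r = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r, _subkey(key, i))
    return (l << 8) | r

def toy_decrypt(block: int, key: int) -> int:
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, _subkey(key, i)), l
    return (l << 8) | r

def ecb_encrypt(blocks, key, iv=None):
    return [toy_encrypt(p, key) for p in blocks]

def ecb_decrypt(blocks, key, iv=None):
    return [toy_decrypt(c, key) for c in blocks]

def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt(p ^ prev, key)        # C_j = E(K, P_j XOR C_{j-1}), C_0 = IV
        out.append(prev)
    return out

def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(toy_decrypt(c, key) ^ prev)   # P_j = D(K, C_j) XOR C_{j-1}
        prev = c
    return out

def cfb_encrypt(blocks, key, iv):                # full-block CFB (s = b = 16)
    out, reg = [], iv
    for p in blocks:
        reg = toy_encrypt(reg, key) ^ p          # C_j = E(K, C_{j-1}) XOR P_j
        out.append(reg)
    return out

def cfb_decrypt(blocks, key, iv):
    out, reg = [], iv
    for c in blocks:
        out.append(toy_encrypt(reg, key) ^ c)    # decryption also uses the encryption function
        reg = c
    return out

def ofb_crypt(blocks, key, iv):                  # one routine for both directions
    out, o = [], iv
    for x in blocks:
        o = toy_encrypt(o, key)                  # O_j = E(K, O_{j-1}): feedback never sees the data
        out.append(o ^ x)
    return out

def ctr_crypt(blocks, key, ctr):
    return [toy_encrypt((ctr + i) & MASK16, key) ^ x for i, x in enumerate(blocks)]

MODES = {"ECB": (ecb_encrypt, ecb_decrypt), "CBC": (cbc_encrypt, cbc_decrypt),
         "CFB": (cfb_encrypt, cfb_decrypt), "OFB": (ofb_crypt, ofb_crypt),
         "CTR": (ctr_crypt, ctr_crypt)}

KEY, IV = 0xAAAA, 0xB735                         # the CBC slide's key and IV as integers
PLAINTEXT = [0xCAF2, 0x3AA9, 0x1234, 0xBEEF]     # the slide's two blocks plus two constructed ones

def error_propagation(mode: str, flip_block: int = 1, bit: int = 5) -> list:
    """Flip one bit of ciphertext block `flip_block`; return bits corrupted in each recovered block."""
    enc, dec = MODES[mode]
    ct = enc(PLAINTEXT, KEY, IV)
    assert dec(ct, KEY, IV) == PLAINTEXT         # the mode round-trips before any damage
    damaged = list(ct)
    damaged[flip_block] ^= 1 << bit
    recovered = dec(damaged, KEY, IV)
    return [bin(p ^ r).count("1") for p, r in zip(PLAINTEXT, recovered)]

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode}: bits corrupted per plaintext block = {error_propagation(mode)}")
```

Each mode prints a four-element list. The shapes are structural, independent of the cipher used: CBC corrupts the damaged block and exactly one bit of the next; CFB corrupts exactly one bit of the damaged block and then the whole next block; OFB and CTR corrupt only the one bit; ECB corrupts only the damaged block.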
ADVANTAGES OF CTR MODE

 Hardware efficiency
 Software efficiency
 Preprocessing
 Random access
 Provable security
 Simplicity
EXAMPLE

 Using the Counter (CTR) mode of operation, encrypt the given plaintext using the provided key and IV.
 Block size: 8 bits
 Counter value: 10110110
 Key: 01011011
 Plaintext: 11001011 11001011

Block Cipher Modes of Operation
RANDOM BIT GENERATION AND STREAM CIPHERS
RANDOM NUMBERS

 A random number is a number that cannot be predicted by an observer before it is generated.
 Several network security algorithms and protocols based on cryptography make use of random binary numbers:
 Key distribution and mutual authentication schemes
 Session key generation
 Generation of keys for the RSA public-key encryption algorithm
 Generation of a bit stream for symmetric stream encryption
REQUIREMENTS OF RANDOM NUMBERS

There are two distinct requirements for a sequence of random numbers:
 Randomness
 Unpredictability
RANDOMNESS

 The generation of a sequence of allegedly random numbers being random in some well-defined statistical sense has been a concern.
 Two criteria are used to validate that a sequence of numbers is random:
Uniform distribution
• The frequency of occurrence of ones and zeros should be approximately equal
Independence
• No one subsequence in the sequence can be inferred from the others
UNPREDICTABILITY

 The requirement is that the successive members of the sequence are unpredictable.
 With “true” random sequences each number is statistically independent of other numbers in the sequence and therefore unpredictable.
 True random numbers have their limitations, such as inefficiency, so it is more common to implement algorithms that generate sequences of numbers that appear to be random.
 Care must be taken that an opponent is not able to predict future elements of the sequence based on earlier elements.
RANDOM NUMBERS

 There are two different strategies for generating random bits or random numbers.
 Pseudorandom number generators (PRNGs) or deterministic random bit generators (DRBGs): compute bits deterministically using an algorithm
 True random number generators (TRNGs) or non-deterministic random bit generators (NRBGs): produce bits non-deterministically using some physical source that produces some sort of random output
TRUE RANDOM NUMBER GENERATOR (TRNG)

 Takes as input a source that is effectively random
 The source is referred to as an entropy source and is drawn from the physical environment of the computer
 Includes things such as keystroke timing patterns, disk electrical activity, mouse movements, and instantaneous values of the system clock
 The source, or combination of sources, serves as input to an algorithm that produces random binary output
 The TRNG may simply involve conversion of an analog source to a binary output
 The TRNG may involve additional processing to overcome any bias in the source
PSEUDORANDOM NUMBERS

 Cryptographic applications typically make use of algorithmic techniques for random number generation
 These algorithms are deterministic and therefore produce sequences of numbers that are not statistically random
 If the algorithm is good, the resulting sequences will pass many tests of randomness and are referred to as pseudorandom numbers
PSEUDORANDOM NUMBER GENERATOR (PRNG)
 Takes as input a fixed value, called the seed, and produces a sequence of output bits using a deterministic algorithm
 Quite often the seed is generated by a TRNG
 The output bit stream is determined solely by the input value or values, so an adversary who knows the algorithm and the seed can reproduce the entire bit stream
 Other than the number of bits produced there is no difference between a PRNG and a PRF
Two different forms of PRNG
Pseudorandom number generator
• An algorithm that is used to produce an open-ended sequence of bits
• Input to a symmetric stream cipher is a common application for an open-ended sequence of bits
Pseudorandom function (PRF)
• Used to produce a pseudorandom string of bits of some fixed length
• Examples are symmetric encryption keys and nonces
Figure 8.1 Random and Pseudorandom Number Generators
(a) TRNG: source of true randomness → conversion to binary → random bit stream
(b) PRNG: seed → deterministic algorithm → pseudorandom bit stream
(c) PRF: seed and context-specific values → deterministic algorithm → pseudorandom value
TRNG = true random number generator, PRNG = pseudorandom number generator, PRF = pseudorandom function
PRNG REQUIREMENTS

 The basic requirement when a PRNG or PRF is used for a cryptographic application is that an adversary who does not know the seed is unable to determine the pseudorandom string
 The requirement for secrecy of the output of a PRNG or PRF leads to specific requirements in the areas of:
 Randomness
 Unpredictability
 Characteristics of the seed
RANDOMNESS

 The generated bit stream needs to appear random even though it is deterministic
 There is no single test that can determine if a PRNG generates numbers that have
the characteristic of randomness
 If the PRNG exhibits randomness based on multiple tests, then it can be assumed
to satisfy the randomness requirement
 NIST SP 800-22 specifies that the tests should seek to establish three characteristics:
 Uniformity
 Scalability
 Consistency
UNPREDICTABILITY
 A stream of pseudorandom numbers should exhibit two forms of unpredictability:
 Forward unpredictability
 If the seed is unknown, the next output bit in the sequence should be unpredictable in spite of any knowledge of previous bits in the sequence
 Backward unpredictability
 It should not be feasible to determine the seed from knowledge of any generated values
 No correlation between a seed and any value generated from that seed should be evident
 Each element of the sequence should appear to be the outcome of an independent random event whose probability is 1/2
 The same set of tests for randomness also provides a test of unpredictability
 A random sequence will have no correlation with a fixed value (the seed)
SEED REQUIREMENTS

 The seed that serves as input to the PRNG must be secure and unpredictable
 The seed itself must be a random or pseudorandom number
 Typically, the seed is generated by a TRNG

Figure 8.2 Generation of Seed Input to PRNG: entropy source → true random number generator (TRNG) → seed → pseudorandom number generator (PRNG) → pseudorandom bit stream
COMPARISON OF PRNGS AND TRNGS

               Pseudorandom Number Generators    True Random Number Generators
Efficiency     Very efficient                    Generally inefficient
Determinism    Deterministic                     Nondeterministic
Periodicity    Periodic                          Aperiodic
PSEUDORANDOM NUMBER GENERATOR

 A cryptographic pseudorandom number generator (PRNG) is a mechanism that takes as input a (random and secret) seed and outputs a longer “pseudorandom” sequence called the keystream.
ALGORITHM DESIGN
 Algorithms fall into two categories:
 Purpose-built algorithms
 Algorithms designed specifically and solely for the purpose of generating pseudorandom bit streams
 Algorithms based on existing cryptographic algorithms
 Have the effect of randomizing input data
Three broad categories of cryptographic algorithms are commonly used to create PRNGs:
• Symmetric block ciphers
• Asymmetric ciphers
• Hash functions and message authentication codes
LINEAR CONGRUENTIAL GENERATOR
 An algorithm first proposed by Lehmer that is parameterized with four numbers:
n    the modulus                    n > 0
a    the multiplier                 0 < a < n
b    the increment                  0 ≤ b < n
X0   the starting value, or seed    0 ≤ X0 < n
 The sequence of random numbers {Xn} is obtained via the following iterative equation:
Xi+1 = (aXi + b) mod n
 If n, a, b, and X0 are integers, then this technique will produce a sequence of integers with each integer in the range 0 ≤ Xi < n
LINEAR CONGRUENTIAL GENERATOR
 The selection of values for a, b, and n is critical in developing a good random number generator
LINEAR CONGRUENTIAL GENERATOR…
Example
 Assume that a = 4, b = 5, n = 17, and X0 = 7.
 The sequence is 16, 1, 9, 7, 16, 1, 9, 7, …
 This is a poor pseudorandom sequence; the period is only 4.
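As an added example (code written here, not taken from the slides), a Python implementation of the Lehmer generator defined above together with a period check. It reproduces the slide's 16, 1, 9, 7 sequence and also runs the b = 0 form of the generator used in the practice questions later in the module.

```python
# Added example, not code from the slides: linear congruential generator
# X_{i+1} = (a*X_i + b) mod n, plus a cycle-length check.


def lcg_sequence(a, b, n, x0, count):
    """Return the first `count` outputs X_1 .. X_count of the generator."""
    if not (n > 0 and 0 < a < n and 0 <= b < n and 0 <= x0 < n):
        raise ValueError("need n > 0, 0 < a < n, 0 <= b < n, 0 <= X0 < n")
    out, x = [], x0
    for _ in range(count):
        x = (a * x + b) % n
        out.append(x)
    return out


def lcg_period(a, b, n, x0):
    """Length of the cycle the generator falls into when started from x0.

    The whole state is one value in [0, n), so the first repeated value marks
    the start of cycling; by the pigeonhole principle a repeat must appear
    within n + 1 steps.
    """
    seen = {}
    x = x0
    for step in range(n + 1):
        if x in seen:
            return step - seen[x]
        seen[x] = step
        x = (a * x + b) % n
    raise AssertionError("unreachable: a repeat must occur within n + 1 steps")


if __name__ == "__main__":
    # Slide example: a = 4, b = 5, n = 17, X0 = 7  ->  16, 1, 9, 7, 16, ...
    print(lcg_sequence(4, 5, 17, 7, 8))        # [16, 1, 9, 7, 16, 1, 9, 7]
    print(lcg_period(4, 5, 17, 7))             # 4: a poor generator
    # Practice question 1 (Lehmer form, b = 0): a = 57, n = 2**31 - 1, X0 = 10135
    print(lcg_sequence(57, 0, 2**31 - 1, 10135, 5))
```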
BLUM BLUM SHUB (BBS) GENERATOR
 Has the strongest public proof of its cryptographic strength of any purpose-built algorithm
 Referred to as a cryptographically secure pseudorandom bit generator (CSPRBG)
 A CSPRBG is defined as one that passes the next-bit test
 if there is not a polynomial-time algorithm that, on input of the first k bits of an output sequence, can predict the (k + 1)st bit with probability significantly greater than 1/2
 The security of BBS is based on the difficulty of factoring n
BLUM BLUM SHUB (BBS) GENERATOR…
 BBS uses quadratic residue congruence, but it is a pseudorandom bit generator; it generates a sequence of bits (0 or 1).
BLUM BLUM SHUB (BBS) GENERATOR…
1. Find two large prime numbers p and q of the form 4k + 3, where k is an integer (equivalently, p ≡ q ≡ 3 (mod 4)).
2. Select the modulus n = p × q.
3. Choose a random integer r which is coprime to n.
Then the BBS generator produces a sequence of bits Bi as follows:
4. Calculate the seed as x0 = r^2 mod n.
5. Generate the sequence as xi+1 = xi^2 mod n.
6. Extract the least significant bit of each generated random integer as the random bit.
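The six steps above, as an added Python example (not code from the slides). The primes p = 11, q = 19 and the value r = 3 are constructed toy parameters chosen so the arithmetic can be followed by hand; real use needs primes large enough that factoring n = p × q is infeasible.

```python
# Added example, not code from the slides: Blum Blum Shub on toy parameters.
# p = 11, q = 19, r = 3 are constructed values; they give n = 209 and x0 = 9.
from math import gcd


def _is_prime(m):
    """Trial division; adequate for the toy-sized values used here."""
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def is_valid_bbs_params(p, q, r):
    """Steps 1-3: p, q prime with p = q = 3 (mod 4), and r coprime to n = p*q."""
    n = p * q
    return (_is_prime(p) and _is_prime(q)
            and p % 4 == 3 and q % 4 == 3
            and 1 < r < n and gcd(r, n) == 1)


def bbs_states(p, q, r, count):
    """Return x_1 .. x_count, where x0 = r^2 mod n and x_{i+1} = x_i^2 mod n."""
    if not is_valid_bbs_params(p, q, r):
        raise ValueError("p and q must be primes = 3 (mod 4) and r coprime to n")
    n = p * q
    x = (r * r) % n          # step 4: the seed x0
    states = []
    for _ in range(count):
        x = (x * x) % n      # step 5: square modulo n
        states.append(x)
    return states


def bbs_bits(p, q, r, count):
    """Step 6: the output bit is the least significant bit of each x_i (i >= 1)."""
    return [x & 1 for x in bbs_states(p, q, r, count)]


if __name__ == "__main__":
    # n = 11 * 19 = 209, x0 = 3^2 = 9, then 81, 82, 36, 42, ...
    print(bbs_states(11, 19, 3, 8))   # [81, 82, 36, 42, 92, 104, 157, 196]
    print(bbs_bits(11, 19, 3, 8))     # [1, 0, 0, 0, 0, 0, 1, 0]
```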
PRNG USING BLOCK CIPHER MODES OF OPERATION
 Two approaches that use a block cipher to build a PRNG have gained widespread acceptance:
 CTR mode: recommended in NIST SP 800-90, ANSI standard X9.82, and RFC 4086
 OFB mode: recommended in X9.82 and RFC 4086
Figure 8.4 PRNG Mechanisms Based on Block Ciphers: (a) CTR Mode, where V is incremented by 1 and encrypted under K on each iteration to give the pseudorandom bits; (b) OFB Mode, where V is encrypted under K and the output serves both as the pseudorandom bits and as the next V
PRACTICE
 Consider the following pseudorandom number generator:
yn+1 = (yn−1 + 6) mod 8, y0 = 3
(i) Find out the period of the generator.
(ii) Calculate each term of the recurrence for a complete cycle.
PRACTICE…
1. Using a multiplier of 57 and modulus 2^31 - 1, generate five session keys (X1, X2, X3, X4, X5) using the pseudo-random number generator algorithm. Assume the seed value is 10135.
2. Select two primes, P and Q, so that P ≡ Q ≡ 3 (mod 4), of 3 digits each. Assume the seed value is 101355. Using the Blum Blum Shub generator, generate two session keys.
STREAM CIPHERS
INTRODUCTION TO STREAM CIPHERS
 Stream ciphers process messages a bit or byte at a time when encrypting or decrypting.
 In a modern stream cipher, encryption and decryption are done r bits at a time.
INTRODUCTION TO STREAM CIPHERS…
 Modern stream ciphers are divided into two broad categories:
 Synchronous Stream Ciphers
 The key is independent of the plaintext or ciphertext.
 Example Ciphers: One-Time Pad, Feedback Shift Register
 Nonsynchronous Stream Ciphers
 The key depends on either the plaintext or ciphertext.
EXAMPLE: ONE TIME PAD
 The simplest and the most secure type of synchronous stream cipher
 Introduced by an AT&T engineer named Gilbert Vernam in 1918.
 His system works on binary data rather than letters.
 A one-time pad cipher uses a key stream that is randomly chosen for each encipherment.
 The ciphertext is generated by performing the bitwise XOR of the plaintext and the key
ONE TIME PAD …
EXAMPLE
 Encrypt the message 'HELLO' using the key 'PLUTO'

Plain text      Key
H 01001000      P 01010000
E 01000101      L 01001100
L 01001100      U 01010101
L 01001100      T 01010100
O 01001111      O 01001111

Plain text   01001000 01000101 01001100 01001100 01001111
Key          01010000 01001100 01010101 01010100 01001111
Cipher text  00011000 00001001 00011001 00011000 00000000
STREAM CIPHERS
 Stream ciphers can be viewed as a pseudorandom equivalent of a one-time pad.
 Stream ciphers are useful when there is a need to encrypt large amounts of fast streaming data.
 Stream ciphers are well suited to use in devices with very limited memory and processing power, called constrained devices.
STREAM CIPHERS…
 The keystream is combined one byte at a time with the plaintext stream using the bitwise exclusive-OR (XOR) operation.
 Example: If the next byte generated by the generator is 01101100 and the next plaintext byte is 11001100, then the resulting ciphertext byte is
11001100 plaintext
01101100 key stream
10100000 ciphertext
 Decryption requires the use of the same pseudorandom sequence:
10100000 ciphertext
01101100 key stream
11001100 plaintext
STREAM CIPHER DESIGN CONSIDERATIONS
The encryption sequence should have a large period
• A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats; the longer the period of repeat, the more difficult it will be to do cryptanalysis
The keystream should approximate the properties of a true random number stream as closely as possible
• There should be an approximately equal number of 1s and 0s
• If the keystream is treated as a stream of bytes, then all of the 256 possible byte values should appear approximately equally often
A key length of at least 128 bits is desirable
• The output of the pseudorandom number generator is conditioned on the value of the input key
• The same considerations that apply to block ciphers are valid
With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length
• A potential advantage is that stream ciphers that do not use block ciphers as a building block are typically faster and use far less code than block ciphers
ADVANTAGES OF STREAM CIPHERS
 Stream ciphers are faster than block ciphers.
 The hardware implementation of a stream cipher is also easier.
 A stream cipher is the better choice to use to encrypt binary streams and transmit them at a constant rate.
 Stream ciphers are also more immune to the corruption of bits during transmission.
RC4
 Designed in 1987 by Ron Rivest for RSA Security
 Variable key-size stream cipher with byte-oriented operations
 Based on the use of a random permutation
 Eight to sixteen machine operations are required per output byte and the cipher can be expected to run very quickly in software
 RC4 is used in the WiFi Protected Access (WPA) protocol that is part of the IEEE 802.11 wireless LAN standard
 It is optional for use in Secure Shell (SSH) and Kerberos
 RC4 was kept as a trade secret by RSA Security until September 1994, when the RC4 algorithm was anonymously posted on the Internet on the Cypherpunks anonymous remailers list
RC4…
 RC4 is a byte-oriented stream cipher in which a byte (8 bits) of plaintext is exclusive-ORed with a byte of key to produce a byte of ciphertext.
 The secret key, from which the one-byte keys in the key stream are generated, can contain anywhere from 1 to 256 bytes (8 to 2048 bits)
 A variable-length key of from 1 to 256 bytes is used to initialize a 256-byte state vector S, with elements S[0], S[1], . . . , S[255].
 At all times, S contains a permutation of all 8-bit numbers from 0 through 255.
 For encryption and decryption, a byte k is generated from S by selecting one of the 255 entries in a systematic fashion.
 As each value of k is generated, the entries in S are once again permuted.
RC4…
 Initialization of S
 Initial Permutation of S
RC4…
 Stream Generation
 To encrypt, XOR the value k with the next byte of plaintext.
 To decrypt, XOR the value k with the next byte of ciphertext.
STRENGTH OF RC4
 A fundamental vulnerability was revealed in the RC4 key scheduling algorithm that reduces the amount of effort to discover the key
 Recent cryptanalysis results exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts
 As a result of the discovered weaknesses, the IETF issued RFC 7465 prohibiting the use of RC4 in TLS
 In its latest TLS guidelines, NIST also prohibited the use of RC4 for government use
EXAMPLE
 Consider the following state vector, key, and plaintext values and perform RC4 encryption
 S = [0 1 2 3 4 5 6 7]
 K = [2 3 4 5]
 P = [4 5 6 7]
SOLUTION
 Initialization
 S = [0 1 2 3 4 5 6 7]
 T = [2 3 4 5 2 3 4 5]
 After Initial Permutation of S = [5 7 3 0 2 1 4 6]
 Stream Generation
 Key Stream k = [1 4 3 2] → 0001 0100 0011 0010
 Plaintext P = [4 5 6 7] → 0100 0101 0110 0111
 Ciphertext = P XOR k → 0101 0001 0101 0101 = [5 1 5 5]
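The initialization, initial permutation and stream generation steps from the RC4 slides above, and the 8-entry worked example just given, as one added Python example (code written here, not the slides' own). The `size` parameter is an assumption added so the same code reproduces the toy 8-entry state; with the default size = 256 it is the real cipher, which RFC 7465 prohibits in TLS.

```python
# Added example, not code from the slides: RC4 key scheduling (KSA) and
# pseudorandom generation (PRGA). `size` is an assumption so the slides'
# 8-entry toy state can be reproduced; real RC4 uses size = 256.


def rc4_ksa(key, size=256):
    """Initialise S = [0 .. size-1] and T = key repeated, then permute S."""
    s = list(range(size))
    t = [key[i % len(key)] for i in range(size)]
    j = 0
    for i in range(size):
        j = (j + s[i] + t[i]) % size
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s, count, size=256):
    """Generate `count` keystream values k from state S, permuting S as it goes."""
    s = list(s)                        # work on a copy; the caller's S is unchanged
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % size
        j = (j + s[i]) % size
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % size])
    return out


def rc4_crypt(key, data, size=256):
    """XOR data with the keystream; the same call decrypts, since XOR is its own inverse."""
    s = rc4_ksa(key, size)
    return [d ^ k for d, k in zip(data, rc4_keystream(s, len(data), size))]


if __name__ == "__main__":
    # Slide example: S = [0..7], K = [2 3 4 5], P = [4 5 6 7]
    s = rc4_ksa([2, 3, 4, 5], size=8)
    print(s)                                              # [5, 7, 3, 0, 2, 1, 4, 6]
    print(rc4_keystream(s, 4, size=8))                    # [1, 4, 3, 2]
    print(rc4_crypt([2, 3, 4, 5], [4, 5, 6, 7], size=8))  # [5, 1, 5, 5]
    # Full-size RC4 on bytes (well-known test vector: key "Key", text "Plaintext")
    print(bytes(rc4_crypt(b"Key", b"Plaintext")).hex())   # bbf316e8d940af0ad3
```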