CNS(BCY602)

MODULE1
CHAPTER1: CLASSICAL ENCRYPTION TECHNIQUES

Symmetric Cipher Model:

A symmetric encryption scheme has five ingredients:

 Plaintext: This is the original intelligible message or data that is fed into the
algorithm as input.
 Encryption algorithm: The encryption algorithm performs various substitutions and
transformations on the plaintext.
 Secretkey: The secret key is also input to the encryption algorithm. The key is a value
independent of the plaintext and of the algorithm. The algorithm will produce a
different output depending on the specific key being used at the time.
 Ciphertext: This is the scrambled message produced as output. It depends on the
plaintext and the secret key.
 Decryption algorithm: This is essentially the encryption algorithm run in reverse. It
takes the ciphertext and the secret key and produces the original plaintext.

There are two requirements for secure use of conventional encryption:

 1. We need a strong encryption algorithm. At a minimum, we would like the
algorithm to be such that an opponent who knows the algorithm and has access to
oneormoreciphertextswouldbeunabletodeciphertheciphertextorfigureoutthe key.
2. Sender and receiver must have obtained copies of the secret key in a secure
fashion and must keep the key secure.

A source produces a message in plaintext, X = [X1, X2, …. XM]. The M elements of X are letters in
some finite alphabet. Traditionally, the alphabet usually consisted of the 26 capital letters.
For encryption, a key of the form K = [K1, K2, …., KJ] is generated .If the key is generated at the
message source, then it must also be provided to the destination by means of some secure channel.
Alternatively ,a third party could generate the key and securely deliver it to both source and
destination.
With the message X and the encryption key K as input, the encryption algorithm forms the cipher text
Y=[Y1, Y2,….., YN]. We can write this as
Y=E(K, X)
This notation indicates that Y is produced by using encryption algorithm E as a function of the
plaintext X, with the specific function determined by the value of the key K.
The intended receiver, in possession of the key ,is able to invert the transformation:
X=D(K, Y)

AbhijithHV Dept ofISE SVIT Bengaluru Pag

Cryptography

Cryptographic systems are characterized along three independent dimensions:

1. The type of operations used for transforming plaintext to ciphertext. All
encryption algorithms are based on two general principles: substitution, in which
each element in the plaintext (bit, letter, group of bits or letters) is mapped into
another element, and transposition, in which elements in the plaintext are
rearranged. The fundamental requirement is that no information be lost.
2. The number of keys used. If both sender and receiver use the same key, the
system is referred to as symmetric, single-key, secret-key, or conventional
encryption. If the sender and receiver use different keys, the system is referred to as
asymmetric, two-key, or public-key encryption.
3. The way in which the plain text is processed. A block cipher processes
the input one block of elements at a time, producing an output block for
each input block. A stream cipher processes the input elements
continuously, producing output one element at a time, as it goes along.

Cryptanalysis
There are two general approaches to attacking a conventional encryptionscheme:

Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps
some knowledge of the general characteristics of the plaintext.

Brute-force attack:The attacker tries every possible key on a piece of ciphertext until an
intelligible translation into plaintext is obtained. On average, half of all possible keys must
be tried to achieve success.

The various types of cryptanalytic attacks based on the amount of information known to
the cryptanalyst is given below.

AbhijithHV Dept ofISE SVIT Bengaluru Pag

 An encryption scheme is unconditionally secure if the ciphertext generated by the
scheme does not contain enough information to determine uniquely the corresponding
plaintext, no matter how much ciphertext is available.

 The cost of breaking the cipher exceeds the value of the encrypted information.
 The time required to break the cipher exceeds the useful life time of the
information.

An encryption scheme is said to be computationally secure if either of the foregoing two

criteria are met.

SubstitutionTechniques:

The two basic building blocks of all encryption techniques are substitution and
transposition.

A substitution technique is one in which the letters of plain text are replaced by other
letters or by numbers or symbols.

AbhijithHV Dept ofISE SVIT Bengaluru Pag

 1. Caesar Cipher:

The Caesar cipher involves replacing each letter of the alphabet with the letter standing
three places further down the alphabet. For example,

plain: meet me after the toga party

cipher: PHHWPHDIWHUWKHWRJDSDUWB

C=E(3,p)=(p+3)mod26

C=E(k,p)=(p+k)mod26, p=D(k,C)mod26

Three important characteristics of this problem enabled us to use a brute-force cryptanalysis:

1. The encryption and decryption algorithms are known.

2. There are only 25 key stotry.
3. The language of the plaintext is known and easily recognizable.
Below Figure shows the results of applying this strategy to the example ciphertext. In this
case, the plaintext leaps out as occupying the third line.

Harish K Dept ofICB DSTAM Bengaluru Pag

2. MonoalphabeticCiphers:

If the "cipher" line can be any permutation of the 26 alphabetic characters, then
there are 26! Possible keys.This is referred to as a monoalphabetic substitution
cipher,because a single cipher alphabet (mapping from plain alphabet to cipher alphabet) is
used per message.

If the cryptanalyst knows the nature of the plaintext (e.g., non compressed English
text),then the analyst can exploit the regularities of the language. the relative frequency of
the letters can be determined and compared to a standard frequency distribution for
English

3. PlayfairCipher:

The Playfair algorithm is based on the use of a 5 x 5 matrix of letters constructed using a
keyword.

I/J

 Repeating plaintext letters that are in the same pair are separated with a filler letter,
such as x, so that balloon would be treated as ba lx lo on.

 Two plaintext letters that fall in the same row of the matrix are each replaced by the
letter to the right, with the first element of the row circularly following the last. For
example, ar is encrypted as RM.

AbhijithHV Dept ofISE SVIT Bengaluru Pag

  Two plaintext letters that fall in the same column are each replaced by the letter
beneath, with the top element of the column circularly following the last. mu is
encrypted as CM.

 Otherwise, each plain text letter in a pair is replaced by the letter that lies in its own
row and the column occupied by the other plaintext letter. Thus, hs becomes BP and
ea becomes IM (or JM, as the encipherer wishes).

4. Hill Cipher
This encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext
letters. The substitution is determined by m linear equations in which each character is assigned a
numerical value (a = 0, b = 1, c, z = 25). For m = 3, the system can be described as
c1=(k11p1+k21p2+k31p3)mod26
c2=(k12p1+k22p2+k32p3)mod26
c3=(k13p1 +k23p2+k33p3) mod 26

This can be expressed in terms of row vectors and matrices

Where C and P are row vectors of length 3 representing the plaintext and ciphertext, and K is a3*3
matrix representing the encryption key. Operations are performed mod 26.

For example, consider the plaintext “pay more money” and use the encryption key

The first three letters of the plaintext “pay” are represented by the vector(15024). C
= PK mod 26

Pag
C =(15 024) mod 26
C =(303303 531)mod 26
C=(171711) C
= RRL

Same procedure is repeated for next set of letters “mor”,“emo”,“ney”. We get the ciphertexts as
“MWB”, “KAS”, “PDH”
So Plaintext “pay more money” is encrypted as RRLMWBKASPDH
Decryption requires using the inverse of the matrix K.
P=CK-1mod 26

PolyalphabeticCiphers
One of the way to improve on the simple mono alphabetic technique is to use different mono
alphabetic substitutions as one proceeds through the plaintext message.
The general name for this approach is poly alphabetic substitution cipher. All these techniques have
the following features in common:
1. A set of related monoalphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.

Vigenere Cipher
One of the simplest, poly alphabetic ciphers is the Vigenère cipher.

A general equation of the encryption process is

Similarly, decryption is a generalization of Equation

AbhijithHV Dept ofISE SVIT Bengaluru Pag

To encrypt a message, a key is needed that is as long as the message. Usually, the key is a
repeating keyword. For example, if the keyword is deceptive, the message "we are
discovered save yourself " is encrypted as follows:

key: deceptive deceptive

deceptive

plaintext: we are discovered save

yourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Decryption is equally simple. The key letter again identifies the row. The position of
the ciphertext letter in that row determines the column, and the plaintext letter is at the top of
that column.
The strength of this cipher is that there are multiple ciphertext letters for each plaintext
letter, one for each unique letter of the keyword. Thus, the letter frequency information is
obscured.
The periodic nature of the keyword can be eliminated by using an on repeating
keyword that is as long as the message itself. Vigenère proposed what is referred to as an
auto key system, in which a keyword is concatenated with the plaintext itself to provide a
running key. For our example,

key: deceptive we are discovered sav

plaintext:we are discovered save
yourself
ciphertext:ZICVTWQNGKZEIIGASXSTSLVVWLA

Even this scheme is vulnerable to cryptanalysis. Because the key and the plaintext
share the same frequency distribution of letters, a statistical technique can be applied.

AbhijithHV Dept ofISE SVIT Bengaluru Page

Vernam Cipher
The ultimate efense against such a cryptanalysis is to choose a keyword that is as long as the plaintext
and has no statistical relationship to it. Such a system was introduced by an AT&T engineer named
Gilbert Vernam in 1918.

Page
The system can be expressed as follows

Thus, the ciphertext is generated by performing the bitwise XOR of the plaintext and the key. Because
of the properties of the XOR, decryption simply involves the same bitwise operation:

One-TimePad:
The key is to be used to encrypt and decrypt a single message, and then is discarded.
Eachnewmessagerequiresanewkeyofthesamelengthasthenewmessage.Suchascheme, known
as a one-time pad, is unbreakable.

The one-timepad offers complete security but, in practice, has two fundamental difficulties:

1. There is the practical problem of making large quantities of random keys.

2. Evenmoredauntingistheproblemofkeydistributionandprotection.Forevery message to
be sent, a key of equal length is needed by both sender and receiver.

AbhijithHV Dept ofISE SVIT Bengaluru Page

 CHAPTER2.BLOCKCIPHERSANDTHEDATAENCRYPTION
STANDARD

 A block cipher is an encryption/decryption scheme in which a block of plain text is treated as

a whole and used to produce a cipher text block of equal length.
 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.

The Feistel Cipher

Feistel cipher is the execution of two or more simple ciphers in sequence in such a way
that the final result or product is cryptographically stronger than any of the component ciphers.

Diffusion and Confusion

Diffusion is the statistical structure of the plaintext is dissipated into long-range statistics of the
ciphertext.Thisisachievedbyhavingeachplaintextdigitaffectthevalueofmanyciphertextdigits;
generally this is equivalent to having each cipher text digit be affected by many plaintext digits.

Confusion seeks to make the relationship between the statistics of the ciphertext and the value of
the encryption key as complex as possible, again to thwart attempts to discover the key.

Feistel Cipher Structure

 The inputs to the encryption algorithm area plaintext block of length 2w bits and a key K.
The plaintext block is divided into two halves, L0and R0.
 The two halves of the data pass through n rounds of processing and then combine to produce
the ciphertext block.
 Each round i has as inputs Li-1and Ri-1, derived from the previous round, as well as a subkey
Ki, derived from the overall K.

 In general ,the sub keys Ki are different from K and from each other.

A substitution is performed on the left half of the data. This is done by applying around
function F to the right half of the data and then taking the exclusive-OR of the output of that
function and the left half of the data. Following this substitution ,a permutation is performed

Page
that

AbhijithHV Dept ofISE SVIT Bengaluru Page

Consists of the inter change of the two halves of the data. The exact realization of a Feistel network
depends on the choice of the following parameters and design features:

Blocksize: Larger block sizes mean greater security, but reduced encryption/decryption speed for
a given algorithm.

Key size: Larger key size means greater security but may decrease encryption/decryption speed.
The greater security is achieved by greater resistance to brute-force attacks and greater confusion.

Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security
but that multiple rounds offer increasing security. A typical size is 16 rounds.

Sub key generation algorithm: Greater complexity in this algorithm should lead to greater difficulty
of cryptanalysis.

Roundfunction: Again , greater complexity generally means greater resistance to cryptanalysis.

There are two other considerations in the design of a Feistel cipher:

 Fasts of twareencryption/decryption: The speed of execution of the algorithm
becomes a concern.
 Ease of analysis: if the algorithm can be concisely and clearly explained, it is easier
to analyze that algorithm for cryptanalytic vulnerabilities

AbhijithHV Dept ofISE SVIT Bengaluru Page

AbhijithHV Dept ofISE SVIT Bengaluru Page
Feistel Decryption Algorithm

The process of decryption with a Feistel cipher is essentially the same as the encryption
process. The rule is as follows: Use the ciphertext as input to the algorithm, but use the subkeys
Kiin reverse order. That is, use Knin the first round, Kn-1in the second round, and so on until K1is
used in the last round.

Now we would like to show that the output of the first round of the decryption process is
equal to a 32-bit swap of the input to the sixteenth round of the encryption process. First,
consider the encryption process. We see that

LE16=RE15

RE16=LE15xF(RE15,K16)

On the decryption side, LD1

= RD0= LE16=

RE15RD1=LD0xF(RD0,K

16)

=RE16xF(RE15,K16)

=[LE15xF(RE15,K16)]xF(RE15,K16)

The XOR has the following properties:

[AxB]x C=Ax[B x C]D x D

=0

Ex 0=E

AbhijithHV Dept ofISE SVIT Bengaluru Page

 Thus, we have LD1 =RE15 and RD1=LE15.Therefore, the output of the first round of the
decryption process is LE15||RE15, which is the 32-bit swap of the input to the sixteenth round of
the encryption. This correspondence holds all the way through the16iterations,as is easily shown.
We can cast this process in general terms. For the ith iteration of the encryption algorithm,

LEi=REi-1

REi=LEi-1xF(REi-1,Ki)

Rearranging terms,

REi-1= LEi

LEi-1=REixF(REi-1,Ki2=REixF(LEi,Ki)

The Data Encryption Standard

The most widely used encryption scheme is based on the Data Encryption Standard(DES)
adopted in 1977 by the National Institute of Standards and Technology (NIST).

The algorithm itself is referred to as the Data Encryption Algorithm(DEA). For DES, data
are encrypted in 64-bit blocks using a 56-bit key .The algorithm transforms 64-bit input in a
series of steps into a 64-bit output. The same steps, with the same key, are used to reverse the
encryption.

DES Encryption

As with any encryption scheme, there are two inputs to the encryption function: the
plaintext to be encrypted and the key. In this case, the plaintext must be 64 bits in length and the
key is 56 bits in length.

AbhijithHV Dept ofISE SVIT Bengaluru Page

Page
AbhijithHV Dept ofISE SVIT Bengaluru Page
 Looking at the left-hand side of the figure, the processing of the plain text proceeds in three
phases.

1. The 64-bit plaintext passes through an initial permutation (IP) that rearranges the
bits to produce the permuted input. This is followed by a phase consisting of
16rounds of the same function, which involves both permutation and substitution
functions.
2. The output of the last(sixteenth) round consists of 64 bits that are a function of the
input plaintext and the key. The left and right halves of the output are swapped to
produce the pre output.
3. Finally, the pre output is passed through a permutation (IP-1) that is the inverse of the
initialpermutationfunction,toproducethe64-bitciphertext.Withtheexceptionofthe initial
and final permutations, DES has the exact structure of a Feistel cipher

The right-hand portion shows the way in which the 56-bit key is used. Initially, the key is
passed through a permutation function. Then, for each of the16rounds,a subkey(Ki) is produced
by the combination of a left circular shift and a permutation.The permutation function is the
same for each round, but a different subkey is produced because of the repeated shifts of the key
bits.

Initial Permutation IP:

1. First step of the data computation
2. IP reorders the input data bits
3. Even bits to LH half ,Odd bits to RH half
4. Quite regular in structure(easy in h/w)

 Refer below Table for all permutation functions(IP,IP-1,E,P)

IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

Page
AbhijithHV Dept ofISE SVIT Bengaluru Page
Page
Details of Single Round:

 The left and right halves of each 64-bit intermediate value are treated as separate 32-
bit quantities, labeled L (left) and R (right).
 The overall processing a teach round can be summarized in the following

formulas: Li= Ri-1

Ri=Li-1xF(Ri-1, Ki)

 The round key Ki is 48bits.The R input is 32 bits. This R input is first expanded to 48
bits by using a table that defines a permutation plus an expansion that involves
duplication of 16 of the R bits.
 The resulting 48 bits are XORed with Ki.This48-bit result passes through a
substitution function that produces a 32-bit output.
 The substitution consists of a set of eight S-boxes , each of which accepts 6 bits as
input and produces 4 bits as output.
 The first and last bits of the input to box Si form a 2-bit binary number to select one of
four substitutions defined by the four rows in the table for Si.The middle four bits
select one of the sixteen columns.

AbhijithHV Dept ofISE SVIT Bengaluru Page

 The decimal value in the cell selected by the row and column is then converted to its
4-bit representation to produce the output. For example, in S1for input 011001, the
row is 01(row1) and the column is 1100(column12).The value in row1,column 12 is
9, so the output is 1001.

AbhijithHV Dept ofISE SVIT Bengaluru Page

KEY GENERATION:

 Returning to Figures3.5and3.6,we see that a 64-bitkeyisusedasinputtothe

algorithm.
 The bits of the key are numbered from 1 through 64 ; every eighth bit is ignored
,as indicated by the lack of shading in Table 3.4a.
 The key is first subjected to a permutation governed by a table labeled
Permuted Choice One (Table 3.4b).
 The resulting 56-bit key is then treated as two 28-bit quantities ,labeled C0 and D0.At
each round, Ci-1 and Di-1are separately subjected to a circular left shift or (rotation)
of 1 or 2 bits, as governed by Table 3.4d.

AbhijithHV Dept ofISE SVIT Bengaluru Page

 These shifted values serve as input to then extround. They also serve as input to the
part labeled Permuted Choice Two(Table3.4c), which produces a 48-bit output that

Serves as input to the function F(Ri-1,Ki).

AbhijithHV Dept ofISE SVIT Bengaluru Page

 CNS(21IS

The Avalanche Effect

A change in one bit of the plaintext or one bit of the key should produce a change
in many bits of the cipher text. If the change were small, this might provide away to
reduce the size of the plaintext or key space to be searched.

AbhijithHV Dept ofISE SVIT Bengaluru Page

 CNS

AbhijithHV Dept ofISE SVIT Bengaluru Page

 CNS(21IS

The Strength of DES:

TheUseof56-BitKeys
 With a key length of 56bits, there are 256possible keys, which is approximately
7.2x1016.Soabrute-forceattackappearsimpractical.
 Assuming that ,on average, half the key space has to be searched ,a single
machine performing one DES encryption per micro second would take more than
a thousand years to break the cipher.
 If the message is just plain text in English, then the task of recognizing English
would have to be automated.
 If the text message has been compressed before encryption, then recognition is
more difficult. And if the message is some more general type of data, such as a
numerical file, and this has been compressed, the problem becomes even more
difficult to automate.
 Thus, to supplement the brute-force approach, some degree of knowledge about
the expected plaintext is needed.

The Nature of the DES Algorithm

Another concern is the possibility that cryptanalysis is possible by exploiting the

characteristics of the DES algorithm.

Timing Attacks

A timing attack is one in which information about the key or the plaintext is
obtained by observing how long it takes a given implementation to perform decryptions
on various ciphertexts. This is a long way from knowing the actual key, but it is an
intriguing first step.

Page
 CNS

Differential and LinearCryptanalysis

Differential Cryptanalysis

One of the most significant advances in cryptanalysis in recent years is differential

cryptanalysis. In this section, we discuss the technique and its applicability to DES.The
differentialcryptanalysisattackiscomplex.Therationalebehinddifferentialcryptanalysis is to
observe the behavior of pairs of text blocks evolving along each round of the cipher,
instead of observing the evolution of a single text block.

Consider the original plain text block m to consist of two halves m0, m1 .Each
round of DES maps the right-hand input into the left-hand output and sets the right-hand
output to be a function of the left-hand input and the sub key forth is round .So ,a teach
round ,only one new 32-bit block is created. If we label each new block

m1(2≤i≤17),then the intermediate message halves are related as follows:

mi+1=mi-1⊕f(mi,Ki),i=1,2,...,16

In differential cryptanalysis, we start with two messages, m and m', with a known
XOR difference m = m⊕ m', and consider the difference between the intermediate
message halves: mi= mi⊕ mi'Then we have:

This attack is known as Differential Cryptanalysis because the analysis compares

differences between two related encryptions, and looks for a known difference in
leading to a known difference out with some(pretty small but still significant)

AbhijithHV Dept ofISE SVIT Bengaluru Page

 CNS

probability. If a number of such differences are determined, it is feasible to determine the

subkey used in the function f.

AbhijithHV Dept ofISE SVIT Bengaluru Page

 CNS

The overall strategy of differential cryptanalysis is based on these considerations

for a single round. The procedure is to begin with two plaintext messages m and m’ with
a given difference and trace through a probable pattern of differences after each round to
yield a probable difference for the ciphertext. You submit m and m’ for encryption to
determine the actual difference under the unknown key and compare the result to the
probable difference .If there is a match, then suspect that all the probable patterns at all
the intermediate rounds are correct. With that assumption, can make some deductions
about the key bits. This procedure must be repeated many times to determine all the key
bits.

Linear Cryptanalysis

A more recent development is linear cryptanalysis. This attack is based on finding

linearapproximationstodescribethetransformationsperformedinDES.Thismethodcan find a
DES key given 243 known plaintexts, as compared to 247 chosen plaintexts for
differentialcryptanalysis.Althoughthisisaminorimprovement,becauseitmaybeeasier to
acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis
infeasible as an attack on DES. Again, this attack uses structure not seen before. So far,
little work has been done by other groups to validate the linear cryptanalytic approach.

Block Cipher Design Principles

There are three critical aspects of block cipher design:

 The number of rounds,

 Design of the function F,
 Key scheduling.

AbhijithHV Dept ofISE SVIT Bengaluru Page

 CNS

The number of rounds

 The greater the number of rounds, the more difficult it is to perform

cryptanalysis, even for a relatively weak F.
 The criterion should be that the number of rounds is chosen so that known
cryptanalytic efforts require greater effort than a simple brute-force key search
attack.
 If DES had 15 or fewer rounds, differential cryptanalysis would require less
effort than brute-force key search.

Design of the function F

 The function F provides the element of confusion in a Feistel cipher, want it to

be difficult to “unscramble” the substitution performed by F.
 One obvious criterion is that F be nonlinear. The more nonlinear F, the more
difficult any type of cryptanalysis will be.
 One of the most intense areas of research in the field of symmetric block
ciphers is that of S-box design. Would like any change to the input vector to an
S-box to result in random-looking changes to the output. The relationship
should be nonlinear and difficult to approximate with linear functions.

Key scheduling

 A final area of block cipher design, and one that has received less attention than
S-box design, is the key schedule algorithm. With any Feistel block cipher, the
key schedule is used to generate a sub key for each round.
 Would like to select sub keys to maximize the difficulty of deducing
individual sub keys and the difficulty of working back to the main key. The key
schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit
Independence Criterion.

Page