Lecture 2 - Symmetric & Asymmetric Cryptography

Uploaded by

deti1234erbamo

Symmetric Cryptosystem
Some Basic Terminology
• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/ methods of
deciphering ciphertext without knowing key
• cryptology - field of both cryptography and cryptanalysis
Symmetric Cipher Model
Requirements
• Two requirements for secure use of symmetric encryption:
• a strong encryption algorithm
• a secret key known only to sender / receiver
• mathematically have:
Y = E(K, X)
X = D(K, Y)
• assume encryption algorithm is known
• implies a secure channel to distribute key
Cryptography
Can characterize cryptographic system by:
• Type of encryption operations used
• substitution
• transposition
• product
• Number of keys used
• single-key or private
• two-key or public
• way in which plaintext is processed
• block
• stream
Cryptanalysis
• objective to recover key not just message
• general approaches:
• cryptanalytic attack
• brute-force attack
• if either succeed all key use compromised
Encryption Terms
⮚ unconditional security
● no matter how much computer power or time is available, the
cipher cannot be broken since the ciphertext provides
insufficient information to uniquely determine the
corresponding plaintext
⮚ computational security
● given limited computing resources (eg time needed for
calculations is greater than age of universe), the cipher
cannot be broken
Brute Force Search
► always possible to simply try every key
► most basic attack, proportional to key size
► assume either know / recognize plaintext
Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds
56 | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours
128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years
168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years
Classical Substitution Ciphers
► Where letters of plaintext are replaced by other letters
or by numbers or symbols
► Or if plaintext is viewed as a sequence of bits, then
substitution involves replacing plaintext bit patterns
with ciphertext bit patterns
► in the substitution cipher technique, plaintext characters are
replaced with other characters, numbers and symbols; a
character’s identity is changed while its position remains
unchanged.
Classical Transposition Ciphers
► Technique rearranges the position of the plain text’s
characters.
► In transposition Cipher Technique, the position of the
character is changed but character’s identity is not
changed.
► Transposition cipher is a type of encryption technique where
the positions of the letters in the plaintext message are
rearranged to form a ciphertext message.
► This technique does not alter the letters themselves but
rather the order in which they appear.
Caesar Cipher
► earliest known substitution cipher
► by Julius Caesar
► first attested use in military affairs
► replaces each letter by 3rd letter on
► example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher
► can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
► mathematically give each letter a number
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

► then have Caesar cipher as:


c = E(k, p) = (p + k) mod (26)
p = D(k, c) = (c – k) mod (26)
Cryptanalysis of Caesar Cipher
⮚ Only have 26 possible ciphers
●A maps to A,B,..Z
⮚ Could simply try each in turn
⮚ A brute force search
⮚ Given ciphertext, just try all shifts of letters
⮚ Do need to recognize when have plaintext
⮚ eg. break ciphertext "GCUA VQ DTGCM"
Monoalphabetic Cipher
► rather than just shifting the alphabet
► could shuffle (jumble) the letters arbitrarily
► each plaintext letter maps to a different random
ciphertext letter
► hence key is 26 letters long

Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Block vs Stream Ciphers
► block ciphers process messages in blocks, each of which is then
en/decrypted
► like a substitution on very big characters
► 64-bits or more
► stream ciphers process messages a bit or byte at a time when
en/decrypting
► many current ciphers are block ciphers
► better analysed
► broader range of applications
Block vs Stream Ciphers
Block Cipher Principles

► most symmetric block ciphers are based on a
Feistel Cipher Structure
► needed since must be able to decrypt ciphertext
to recover messages efficiently
► block ciphers look like an extremely large
substitution
► would need table of 2^64 entries for a 64-bit block
► instead create from smaller building blocks
► using idea of a product cipher
Ideal Block Cipher
Claude Shannon and Substitution-Permutation Ciphers
⮚ Claude Shannon introduced idea of substitution-permutation
(S-P) networks in 1949 paper
⮚ form basis of modern block ciphers
⮚ S-P nets are based on the two primitive
cryptographic operations seen before:
● substitution (S-box)
● permutation (P-box)
⮚ provide confusion & diffusion of message & key
Confusion and Diffusion

► cipher needs to completely obscure statistical
properties of original message
► a one-time pad does this
► more practically Shannon suggested combining S & P
elements to obtain:
► diffusion – dissipates statistical structure of plaintext
over bulk of ciphertext
► confusion – makes relationship between ciphertext
and key as complex as possible
Feistel Cipher Structure
► Horst Feistel devised the Feistel cipher
► based on concept of invertible product cipher
► partitions input block into two halves
► process through multiple rounds which perform a
substitution on left data half
► based on round function of right half & subkey
► then have permutation swapping halves
► implements Shannon’s S-P net concept
Feistel Cipher Structure

⮚ block size
⮚ key size
⮚ number of rounds
⮚ subkey generation algorithm
⮚ round function
⮚ fast software en/decryption
⮚ ease of analysis
Data Encryption Standard (DES)

► most widely used block cipher in world
► adopted in 1977 by NBS (now NIST)
► as FIPS PUB 46
► encrypts 64-bit data using 56-bit key
► has widespread use
► has been considerable controversy over its
security
DES Design Controversy
► although DES standard is public
► had considerable controversy over design
► in choice of 56-bit key (vs Lucifer 128-bit)
► and because design criteria were classified
► subsequent events and public analysis show in
fact design was appropriate
► use of DES has flourished
► especially in financial applications
► still standardised for legacy application use
DES Encryption Overview
Initial Permutation IP
⮚ first step of the data computation
⮚ IP reorders the input data bits
⮚ even bits to LH half, odd bits to RH half
⮚ quite regular in structure (easy in h/w)
⮚ example:

IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)


DES Round Structure
► uses two 32-bit L & R halves
► as for any Feistel cipher can describe as:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
► F takes 32-bit R half and 48-bit subkey:
► expands R to 48-bits using perm E
► adds to subkey using XOR
► passes through 8 S-boxes to get 32-bit
result
► finally permutes using 32-bit perm P
DES Key Schedule
⮚ forms subkeys used in each round
●initial permutation of the key (PC1) which selects
56-bits in two 28-bit halves
●16 stages consisting of:
►rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
►selecting 24-bits from each half & permuting
them by PC2 for use in round function F
⮚ note practical use issues in h/w vs s/w
DES Decryption
► decrypt must unwind steps of data computation
► with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
► IP undoes final FP step of encryption
► 1st round with SK16 undoes 16th encrypt
round
► ….
► 16th round with SK1 undoes 1st encrypt
round
► then final FP undoes initial encryption IP
► thus recovering original data value
Avalanche Effect

► key desirable property of encryption alg
► where a change of one input or key bit results
in changing approx half output bits
► making attempts to “home-in” by guessing
keys impossible
► DES exhibits strong avalanche
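Added example (not from the original slides, and not DES itself): a toy 16-round Feistel network on a 64-bit block, showing that decryption is the same routine with the subkeys reversed even though F is not invertible, and measuring the avalanche effect. The SHA-256-based round function and key schedule, and the omission of IP/FP, are assumptions made to keep it short.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def subkeys(key: bytes, rounds: int = 16):
    """Toy key schedule (not DES PC1/PC2): one 48-bit subkey per round."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:6], "big")
            for i in range(1, rounds + 1)]


def F(r: int, k: int) -> int:
    """Toy round function: 32-bit half and 48-bit subkey in, 32 bits out.
    It is a truncated hash, so it cannot be inverted; Feistel does not need that."""
    data = r.to_bytes(4, "big") + k.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block: int, round_keys) -> int:
    """Run the rounds on a 64-bit block, then swap the halves."""
    L, R = block >> 32, block & MASK32
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        L, R = R, L ^ F(R, k)
    return (R << 32) | L      # final swap lets decryption reuse this routine


def encrypt(block: int, key: bytes) -> int:
    return feistel(block, subkeys(key))


def decrypt(block: int, key: bytes) -> int:
    return feistel(block, subkeys(key)[::-1])   # subkeys SK16 ... SK1


def bits_changed(a: int, b: int) -> int:
    """Number of differing bits, used to measure avalanche."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    key = b"constructed-demo-key"      # constructed sample key
    pt = 0x675A69675E5A6B5A            # constructed sample 64-bit block
    ct = encrypt(pt, key)
    print(hex(ct), hex(decrypt(ct, key)))
    print("bits changed by a 1-bit plaintext flip:",
          bits_changed(ct, encrypt(pt ^ 1, key)))
```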
Strength of DES – Key Size

► 56-bit keys have 2^56 = 7.2 x 10^16 values
► brute force search looks hard
► recent advances have shown is possible
► in 1997 on Internet in a few months
► in 1998 on dedicated h/w (EFF) in a few days
► in 1999 above combined in 22hrs!
► still must be able to recognize plaintext
► must now consider alternatives to DES
Advanced Encryption Standard (AES)
► A clear replacement for DES was needed
► have theoretical attacks that can break it
► have demonstrated exhaustive key search attacks
► can use Triple-DES – but slow, has small blocks
The AES Cipher

► designed by Rijmen-Daemen in Belgium
► has 128/192/256 bit keys, 128 bit data
► an iterative rather than Feistel cipher
► processes data as block of 4 columns of 4 bytes
► operates on entire data block in every round
► designed to be:
► resistant against known attacks
► speed and code compactness on many CPUs
► design simplicity
AES Encryption Process
AES Structure
⮚ data block of 4 columns of 4 bytes is state
⮚ key is expanded to array of words
⮚ has 9/11/13 rounds in which state undergoes:
● byte substitution (1 S-box used on every byte)
● shift rows (permute bytes between groups/columns)
● mix columns (subs using matrix multiply of groups)
● add round key (XOR state with key material)
● view as alternating XOR key & scramble data bytes
⮚ initial XOR key material & incomplete last round
⮚ with fast XOR & table lookup implementation
AES Structure
Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
   1. four words form round key in each round
3. 4 different stages are used as shown
4. has a simple structure
5. only AddRoundKey uses key
6. AddRoundKey a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages
AES Example
Avalanche
Asymmetric Cryptography
Private-Key Cryptography

⮚ traditional private/secret/single key cryptography
uses one key
⮚ shared by both sender and receiver
⮚ if this key is disclosed communications are
compromised
⮚ also is symmetric, parties are equal
⮚ hence does not protect sender from receiver forging a
message & claiming is sent by sender
Public-Key Cryptography

► probably most significant advance in the 3000 year
history of cryptography
► uses two keys – a public & a private key
► asymmetric since parties are not equal
► uses clever application of number theoretic concepts
to function
► complements rather than replaces private key
crypto
Why Public-Key Cryptography?

► developed to address two key issues:
► key distribution – how to have secure
communications in general without having to
trust a KDC with your key
► digital signatures – how to verify a message
comes intact from the claimed sender
Public-Key Cryptography

► public-key/two-key/asymmetric
cryptography involves the use of two keys:
► a public-key, which may be known by anybody,
and can be used to encrypt messages, and
verify signatures
► a related private-key, known only to the
recipient, used to decrypt messages, and sign
(create) signatures
► infeasible to determine private key from
public
► is asymmetric because
► those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
Public-Key Cryptography
Public-Key Cryptography…
Conventional and Public-Key Encryption
Public-Key Cryptosystem: Secrecy
Public-Key Cryptosystem: Authentication
Public-Key Cryptosystem: Authentication and Secrecy
Public-Key Applications

►can classify uses into 3 categories:
►encryption/decryption (provide secrecy): the sender encrypts a
message with the recipient's public key
►digital signatures (provide authentication): the sender “signs” a
message with its private key
►key exchange (of session keys)
►some algorithms are suitable for all uses, others are specific to one
Public-Key Characteristics
• Public-Key algorithms rely on two keys with the characteristics
that it is:
• Computationally infeasible to find decryption key knowing
only algorithm & encryption key
• Computationally easy to en/decrypt messages when the
relevant (en/decrypt) key is known
• Either of the two related keys can be used for encryption,
with the other used for decryption (in some schemes)
Security of Public Key Schemes

• Brute force exhaustive search attack is always theoretically possible
• but keys used are too large (>512bits)
• security relies on a large enough difference in difficulty between easy
(en/decrypt) and hard (cryptanalyse) problems
• more generally the hard problem is known, it's just made too hard to do in
practice
• requires the use of very large numbers
• hence is slow compared to private key schemes
RSA

⮚ by Rivest, Shamir & Adleman of MIT in 1977
⮚ best known & widely used public-key scheme
⮚ based on exponentiation in a finite (Galois) field over integers modulo
a prime
●nb. exponentiation takes O((log n)^3) operations (easy)
⮚ uses large integers (eg. 1024 bits)
⮚ security due to cost of factoring large numbers
●nb. factorization takes O(e^(log n log log n)) operations (hard)

RSA En/decryption
►to encrypt a message M the sender:
►obtains public key of recipient PU={e,n}
►computes: C = M^e mod n, where 0≤M<n
►to decrypt the ciphertext C the owner:
►uses their private key PR={d,n}
►computes: M = C^d mod n
►note that the message M must be smaller than the modulus n (block if needed)
RSA Key Setup
►each user generates a public/private key pair by:
►selecting two large primes at random: p, q
►computing their system modulus n=p.q
►note ø(n)=(p-1)(q-1)
►selecting at random the encryption key e
►where 1<e<ø(n), gcd(e,ø(n))=1
►solve following equation to find decryption key d
►e.d=1 mod ø(n) and 0≤d≤n
►publish their public encryption key: PU={e,n}
►keep secret private decryption key: PR={d,n}
Why RSA Works
►because of Euler's Theorem:
►a^ø(n) mod n = 1 where gcd(a,n)=1
►in RSA have:
►n=p.q
►ø(n)=(p-1)(q-1)
►carefully chose e & d to be inverses mod ø(n)
►hence e.d=1+k.ø(n) for some k
►hence :
C^d = M^(e.d) = M^(1+k.ø(n)) = M^1.(M^ø(n))^k
= M^1.(1)^k = M^1 = M mod n
RSA Example - Key Setup

1. Select primes: p=17 & q=11
2. Calculate n = pq =17 x 11=187
3. Calculate ø(n)=(p–1)(q-1)=16x10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160. Value is d=23 since
23x7=161= 1x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
RSA Example - En/Decryption

⮚sample RSA encryption/decryption is:
⮚given message M = 88 (nb. 88<187)
⮚encryption: C = M^e mod n
C = 88^7 mod 187 = 11
⮚decryption: M = C^d mod n
M = 11^23 mod 187 = 88
RSA Key Generation
1. Select two Prime Numbers: P and Q
• Let’s take numbers P = 7 and Q = 19
2. Calculate the Product: N = (P*Q)
• (P*Q) = (7 * 19) = 133
3. Calculate the Totient of N: ø(n) = (P-1)*(Q-1)
• ø(n) = (7-1)*(19-1) = 6 * 18 = 108
4. Select a Public Key: E
• It must be Prime
• It must be less than the Totient
• It must NOT be a factor of the Totient
• Let’s take 29
5. Select a Private Key: D
• Must satisfy: (D*E) MOD ø(n) = 1
• Let’s take 41
• (41*29) MOD 108 = 1189 MOD 108 = 1
En/Decryption
• The formula to Encrypt Message (M) with RSA keys is:
• Cipher Text = M^E MOD N
• The formula to Decrypt with RSA keys is:
• Original Message = M^D MOD N
• Let’s say our message M is 99
• Cipher text
• 99^29 MOD 133 = 92
• Original text
• 92^41 MOD 133 = 99
