
UNIT II SYMMETRIC KEY CRYPTOGRAPHY

MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY: Algebraic structures - Modular arithmetic - Euclid's algorithm - Congruence and matrices - Groups, Rings, Fields - Finite fields
SYMMETRIC KEY CIPHERS: SDES – Block cipher Principles of DES – Strength of DES – Differential and linear cryptanalysis - Block cipher design principles – Block cipher mode of operation – Evaluation criteria for AES – Advanced Encryption Standard - RC4 – Key distribution.

2.1 ALGEBRAIC STRUCTURES

Cryptography requires sets of integers and specific operations that are defined for those sets. The
combination of the set and the operations that are applied to the elements of the set is called an
algebraic structure.

Common algebraic structures include Groups, Rings and Fields.

2.2 MODULAR ARITHMETIC

Modular arithmetic is the central mathematical concept in cryptography. Computations involving the modulus to determine remainders are called "Modular Arithmetic". Almost any cipher from the Caesar Cipher to the RSA Cipher uses it.

• define modulo operator "a mod n" to be the remainder when a is divided by n
• where integer n is called the modulus
• b is called a residue of a mod n
• since with integers we can always write: a = qn + b
• usually choose the smallest positive remainder as the residue
  – i.e. 0 <= b <= n-1

CS 8792-CNS UNIT II Dr.R.Geetha /Professor & HoD / Department of CSE, S.A. Engineering College
• process is known as modulo reduction
  – e.g. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
• a & b are congruent if: a mod n = b mod n
  – when divided by n, a & b have the same remainder
  – e.g. 100 mod 11 = 34 mod 11, so 100 is congruent to 34 mod 11

Modular Arithmetic Operations

1. [(a mod n) + (b mod n)] mod n = (a + b) mod n

2. [(a mod n) – (b mod n)] mod n = (a – b) mod n

3. [(a mod n) x (b mod n)] mod n = (a x b) mod n

e.g. (a = 11, b = 15, n = 8)

[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2;   (11 + 15) mod 8 = 26 mod 8 = 2

[(11 mod 8) – (15 mod 8)] mod 8 = –4 mod 8 = 4;   (11 – 15) mod 8 = –4 mod 8 = 4

[(11 mod 8) x (15 mod 8)] mod 8 = 21 mod 8 = 5;   (11 x 15) mod 8 = 165 mod 8 = 5

Modular Arithmetic Properties

Modular Exponentiation Example:

11^7 mod 13 = (11 mod 13)(11 mod 13)(11 mod 13)(11 mod 13)(11 mod 13)(11 mod 13)(11 mod 13)
            = (-2)(-2)(-2)(-2)(-2)(-2)(-2) mod 13
            = -128 mod 13
            = -11 mod 13
            = 2

11^7 mod 13 = 2

Example 1: 7^64 mod 41

Example 2: 7^85 mod 41

2.3 EUCLID’S ALGORITHM

This is an efficient way to find GCD(a,b).

Euclid's Algorithm uses the theorem that:

• GCD(a,b) = GCD(b, a mod b)

The Euclidean Algorithm to compute GCD(a,b) is:

    Euclid(a, b)
        if (b = 0) then
            return a;
        else
            return Euclid(b, a mod b);

Example:

1. Find the GCD(50,12)

Here a=50, b=12
We know that

GCD(a,b) = GCD(b, a mod b) --- eqn 1

Substitute a and b in eqn 1

GCD(50,12) = GCD(12, 50 mod 12) = GCD(12,2)
GCD(12,2) = GCD(2, 12 mod 2) = GCD(2,0)

Since b=0, 2 is the GCD.
Therefore GCD(50,12) = 2

2. Find the GCD(100,25)

Here a=100, b=25
We know that

GCD(a,b) = GCD(b, a mod b) --- eqn 1

Substitute a and b in eqn 1

GCD(100,25) = GCD(25, 100 mod 25) = GCD(25,0)

Since b=0, 25 is the GCD.
Therefore GCD(100,25) = 25

2.4 CONGRUENCE AND MATRICES


In cryptography we use the concept of congruences (≡) instead of equality (=).
Examples:
a. 13 mod 10 ≡ 3 (13 divided by 10 leaves remainder 3)
b. 23 mod 10 ≡ 3
c. 33 mod 10 ≡ 3 and so on.
d. 33 mod 5 ≡ 3 is a valid congruence, whereas 33 mod 5 ≡ 2 is an invalid congruence because 33 divided by 5 leaves remainder 3, not 2.
e. 26 mod 4 ≡ 2 is a valid congruence, whereas 33 mod 7 ≡ 4 is an invalid congruence because 33 divided by 7 leaves remainder 5, not 4.
In cryptography we need to handle matrices. The following shows the matrix and its forms

2.5 GROUPS, RINGS, FIELDS

GROUP

A group (G) is a set of elements with a binary operation (•) that satisfies four properties (or axioms). A commutative group satisfies an extra property, commutativity.

A set S of elements or "numbers" may be finite or infinite with some operation '•' so G = (S, •) is said to be a group if it obeys CAIN:

• C - Closure: a, b in S, then a•b in S
• A - Associative law: (a•b)•c = a•(b•c)
• I - Identity e: e•a = a•e = a
• N - iNverses a^-1: a•a^-1 = e

ABELIAN GROUP

A group is said to be an abelian group if it satisfies CAIN and, in addition, the commutative property, i.e.

• a, b in S then a•b = b•a

RING

A ring, R = <{…}, •, ▪>, is an algebraic structure with two operations.

A set of "numbers" with two operations (addition and multiplication) which form:

• an abelian group under the addition operation, and a multiplication that:
  – has closure
  – is associative
  – is distributive over addition: a(b+c) = ab + ac
will form a ring.

FIELD

A field, denoted by F = <{…}, •, ▪>, is a commutative ring in which the second operation satisfies all five properties defined for the first operation except that the identity of the first operation has no inverse.

A set of numbers with two operations which form:

• an abelian group for addition
• an abelian group for multiplication (ignoring 0)
• a ring

A field thus sits in a hierarchy with more axioms/laws at each level:

• group -> ring -> field

Fig 1.13 Field

Group
–A set of numbers with some addition operation whose result is also in the set (closure).
–Obeys associative law, has an identity, has inverses.
–If group is commutative, we say Abelian group. Otherwise Non-Abelian group
Ring
–Abelian group with a multiplication operation.
–Multiplication is associative and distributive over addition.
–If multiplication is commutative, we say a commutative ring.
–e.g., integers mod N for any N.
Field
–An Abelian group for addition.
–A ring.
–An Abelian group for multiplication (ignoring 0).
–e.g., integers mod P where P is prime.

2.6 FINITE FIELD
A field is an algebraic structure that supports two pairs of operations (+, - and ×, ÷).
A finite field is a field with a finite number of elements.

Finite fields play a key role in cryptography.

GALOIS FIELD

The number of elements in a finite field must be a power of a prime, p^n; such fields are known as Galois fields.

A Galois Field GF(p^n) is a finite field with p^n elements. Galois showed that for a field to be finite the number of elements should be p^n where 'p' is a prime number and 'n' is a positive integer.
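The following is an added example (not part of these notes) covering sections 2.2, 2.3 and the Z_n example of 2.5: modulo reduction, Euclid's GCD, square-and-multiply exponentiation using property 3 of modular arithmetic, and a brute-force check of when the integers mod n form a field. It is checked against the worked values above and computes the two left-as-exercise examples.

```python
# Added example (not from the lecture notes): modular reduction, Euclid's GCD and
# square-and-multiply exponentiation, checked against the unit's worked examples.

def mod(a: int, n: int) -> int:
    """Modulo reduction: the residue b with 0 <= b <= n-1 such that a = q*n + b."""
    return a % n          # Python's % already returns the least non-negative residue

def congruent(a: int, b: int, n: int) -> bool:
    """a and b are congruent mod n when they leave the same remainder on division by n."""
    return mod(a, n) == mod(b, n)

def euclid_gcd(a: int, b: int) -> int:
    """Euclid(a, b): GCD(a, b) = GCD(b, a mod b), stopping when b = 0."""
    return a if b == 0 else euclid_gcd(b, a % b)

def mod_pow(base: int, exp: int, n: int) -> int:
    """base^exp mod n by square-and-multiply. Property 3 of the notes,
    [(a mod n)(b mod n)] mod n = (a*b) mod n, lets us reduce after every
    multiplication, so intermediate values never exceed n^2."""
    result = 1
    base = mod(base, n)
    while exp > 0:
        if exp & 1:                    # current exponent bit set: multiply in
            result = mod(result * base, n)
        base = mod(base * base, n)     # square for the next bit
        exp >>= 1
    return result

def is_field_mod(n: int) -> bool:
    """Z_n is always a ring; it is a field only if every non-zero element has a
    multiplicative inverse, i.e. gcd(a, n) = 1 for all 0 < a < n (n prime)."""
    return n > 1 and all(euclid_gcd(a, n) == 1 for a in range(1, n))

if __name__ == "__main__":
    print(mod(-12, 7), mod(9, 7))                     # both 2
    print(congruent(100, 34, 11))                      # True
    print(euclid_gcd(50, 12), euclid_gcd(100, 25))     # 2 25
    print(mod_pow(11, 7, 13))                          # 2, as worked in the notes
    print(mod_pow(7, 64, 41), mod_pow(7, 85, 41))      # Example 1 and Example 2
    print(is_field_mod(13), is_field_mod(8))           # True False
```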

2.7 DATA ENCRYPTION STANDARD (DES)

DES algorithm is a block cipher algorithm with a block size of 64 bits and a key size of 56 bits.
The same algorithm is used for decryption.
There are 16 rounds in DES algorithm. In each round a different subkey is generated. DES has become widely used, especially in financial applications.
The basic process consists of:
• an initial permutation (IP)
• 16 rounds of a complex key-dependent calculation f
• a final permutation, being the inverse of IP
Function f can be described as
    L(i) = R(i-1)
    R(i) = L(i-1) ⊕ P(S(E(R(i-1)) ⊕ K(i)))

DES ENCRYPTION

Figure: General Depiction of DES Encryption Algorithm

DES SINGLE ROUND

Figure: Single Round of DES Algorithm

• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
    Li = Ri-1
    Ri = Li-1 XOR F(Ri-1, Ki)
• takes 32-bit R half and 48-bit subkey and:
  – expands R to 48 bits using perm E
  – adds (XORs) to subkey
  – passes through 8 S-boxes to get 32-bit result
  – finally permutes this using 32-bit perm P

SUBSTITUTION BOX

Figure: Calculation of F(R, K)

• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4-bit boxes
• outer bits 1 & 6 (row bits) select one of the four rows
• inner bits 2-5 (col bits) are substituted
• result is 8 lots of 4 bits, or 32 bits
• row selection depends on both data & key

DES Key Schedule

• forms subkeys used in each round
• consists of:
  – initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
  – 16 stages consisting of:
      selecting 24 bits from each half
      permuting them by PC2 for use in function f
      rotating each half separately either 1 or 2 places depending on the key rotation schedule K

DES Decryption
• decrypt must unwind steps of data computation with Feistel design
• do encryption steps again using subkeys in reverse order (SK16 … SK1)
• IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value

2.8 STRENGTH OF DES

KEY SIZE
• 56-bit keys have 2^56 = 7.2 × 10^16 values
• Brute-force search looks hard
• Recent advances have shown possibility
  – in 1997 on Internet in a few months
  – in 1998 on dedicated h/w (EFF) in a few days
  – in 1999 above combined in 22 hrs!
• Still, must be able to recognize plaintext
• Now considering alternatives to DES
TIMING ATTACK
• Attack actual implementation of cipher
• Use knowledge of consequences of implementation to derive knowledge of some/all subkey bits
• Specifically use fact that calculations can take varying times depending on the value of the inputs to it
• Particularly problematic on smartcards
ANALYTIC ATTACKS
• Several analytic attacks on DES
• Utilize some deep structure of the cipher
  – by gathering information about encryptions
  – can eventually recover some/all of the sub-key bits
  – if necessary then exhaustively search for the rest
• Generally are statistical attacks
  – differential cryptanalysis
  – linear cryptanalysis
  – related key attacks

AVALANCHE EFFECT
• Desirable property of an encryption algorithm where a change of one input or key bit results in changing approximately half of the output bits.
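An added example (not from the notes) of the two points above: a toy Feistel cipher whose decryption is the same computation with the subkeys in reverse order, and a count of changed ciphertext bits to observe the avalanche effect. The round function F and the key schedule are stand-ins built on SHA-256, not the DES E/S-box/P or PC1/PC2 functions, and the key and plaintext are constructed sample values.

```python
# Added example (not from the notes): toy Feistel cipher (4 rounds, 16-byte block).
import hashlib

ROUNDS = 4
HALF = 8            # bytes per half: L and R are 8 bytes each

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(right: bytes, subkey: bytes) -> bytes:
    """F(R, K): need not be invertible; the Feistel structure supplies invertibility."""
    return hashlib.sha256(subkey + right).digest()[:HALF]

def subkeys(key: bytes, rounds: int = ROUNDS) -> list:
    """Toy key schedule (assumption): one subkey per round derived from the master key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]

def feistel(block: bytes, ks: list) -> bytes:
    """Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki) for each subkey; the halves are swapped
    back after the last round, as DES does before its final permutation."""
    L, R = block[:HALF], block[HALF:]
    for k in ks:
        L, R = R, xor(L, round_f(R, k))
    return R + L

def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt(block: bytes, key: bytes) -> bytes:
    # Same steps as encryption with subkeys SK_n ... SK_1: round 1 undoes round n.
    return feistel(block, subkeys(key)[::-1])

def avalanche(block: bytes, key: bytes, bit: int) -> int:
    """Flip one plaintext bit and count changed ciphertext bits (ideal: about 64 of 128)."""
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    diff = xor(encrypt(block, key), encrypt(bytes(flipped), key))
    return sum(bin(b).count("1") for b in diff)

# Constructed sample values.
KEY = b"constructed-key!"
PT = b"sixteen byte msg"

if __name__ == "__main__":
    ct = encrypt(PT, KEY)
    print(ct.hex(), decrypt(ct, KEY) == PT)
    print([avalanche(PT, KEY, b) for b in (0, 37, 100)])
```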

TRIPLE DES (3-DES)


The simplest form of Triple DES has three encryption stages and three keys
• Uses 3 keys and 3 DES executions
• using 3 keys, 3DES has an effective key length of 168 bits (3 × 56)
• follows encrypt-decrypt-encrypt (EDE) sequence
    C = E_K3(D_K2(E_K1(P)))
• It can also use 2 keys with E-D-E sequence as follows
    C = E_K1(D_K2(E_K1(P)))

Figure: Triple DES

• So far no known practical attacks have been reported against 3-DES
• This has been adopted by some Internet applications, e.g., PGP, S/MIME

2.9 DIFFERENTIAL AND LINEAR CRYPTANALYSIS

LINEAR CRYPTANALYSIS
It is a known plaintext attack used to extract the key

Consider a linear equality involving input bits i, output bits o, and key bits k

e.g.: k1 ⊕ k6 = i2 ⊕ i4 ⊕ i5 ⊕ o4

To be secure this should be true with p = 0.5 (probability over all inputs and keys)

If true with p = 1, then the cipher is linear and easy to break

If true with p = 0.5 + ε then you might be able to use this to help break the system

DIFFERENTIAL CRYPTANALYSIS
It is a chosen plaintext attack used to extract the key

Considers fixed "differences" between inputs, ΔI = I1 - I2, and sees how they propagate into differences in the outputs, ΔO = O1 - O2.
"Difference" is often exclusive OR.
Assigns probabilities to different keys based on these differences. With enough and appropriate samples (I1, I2, O1, O2), the probability of a particular key will converge to 1.

2.10 BLOCK CIPHER DESIGN PRINCIPLES

• Most symmetric block ciphers are based on a Feistel Cipher Structure
• Needed since must be able to decrypt ciphertext to recover messages efficiently
• Block ciphers look like an extremely large substitution
• Would need a table of 2^64 entries for a 64-bit block
• Instead, create from smaller building blocks using the idea of a product cipher
• Block size: increasing size improves security, but slows cipher
• Key size: increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• Number of rounds: increasing number improves security, but slows cipher
• Subkey generation: greater complexity can make analysis harder, but slows cipher
• Round function: greater complexity can make analysis harder, but slows cipher
• Fast software en/decryption & ease of analysis: are more recent concerns for practical use and testing

2.11 BLOCK CIPHER MODE OF OPERATION

To apply a block cipher in a variety of applications, five "modes of operation" have been defined
by NIST (SP 800-38A). The five modes are intended to cover a wide variety of applications of
encryption for which a block cipher could be used. These modes are intended for use with any
symmetric block cipher, including triple DES and AES.

The 5 modes of operation are

1. Electronic Codebook (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback (CFB)
4. Output Feedback (OFB)
5. Counter mode (CTR)

ELECTRONIC CODEBOOK (ECB)

• message is broken into independent blocks that are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks

Limitations:
• message repetitions may show in ciphertext
• weakness is due to the encrypted message blocks being independent
• vulnerable to cut-and-paste attacks

Uses:
• secure transmission of single values

CIPHER BLOCK CHAINING (CBC)

• Message is broken into blocks
• Each previous cipher block is chained with the current plaintext block, hence name
• Use Initial Vector (IV) to start process
    Ci = EK(Pi XOR Ci-1)
    C-1 = IV
• IV prevents same P from making same C

Advantages:
• a ciphertext block depends on all blocks before it
• any change to a block affects all following ciphertext blocks
• Need Initialization Vector (IV) which must be known to sender & receiver

Uses:
Bulk data encryption, authentication

CIPHER FEEDBACK (CFB)

• Message is treated as a stream of bits
• Output is added to the next block
• result is fed back for next stage (hence name)
    Ci = Pi XOR EK(Ci-1)
    C-1 = IV
Advantages and Limitations
• most common stream mode
• appropriate when data arrives in bits/bytes
• limitation is need to stall while doing block encryption after every s bits
• errors propagate for several blocks after the error

Uses:

Stream data encryption, authentication

OUTPUT FEEDBACK (OFB)

• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
    Oi = EK(Oi-1)
    Ci = Pi XOR Oi
    O-1 = IV
Advantages:
• Needs an IV which is unique for each use. If it is ever reused, an attacker can recover outputs.
• Bit errors do not propagate
• More vulnerable to message stream modification
• Sender & receiver must remain in sync
• Feedback is independent of message
• Can be computed in advance

Uses:
Stream encryption on noisy channels

COUNTER MODE (CTR)

Similar to OFB but encrypts counter value rather than any feedback value
    Oi = EK(i)
    Ci = Pi XOR Oi
Advantages:
• efficiency
  – can do parallel encryptions in h/w or s/w
  – can preprocess in advance of need
  – random access to encrypted data blocks
• must have a different key & counter value for every plaintext block (never reused)

Uses:
High-speed network encryptions
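An added example (not from the notes) of three of the modes above, ECB, CBC and CTR, showing the ECB codebook leak ("message repetitions may show in ciphertext") and why a (key, counter) pair must never be reused. Assumption: E(K, block) is a stand-in for a block cipher's forward direction, built from SHA-256 as a keyed function, so only the encryption side of ECB/CBC is modelled; CTR decrypts with the same call. Key, IV and messages are constructed sample values.

```python
# Added example (not from the notes): block cipher modes over 16-byte blocks.
import hashlib

BLOCK = 16

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K (assumption): SHA-256 used as a keyed pseudorandom function."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_blocks(msg: bytes) -> list:
    assert len(msg) % BLOCK == 0, "example assumes whole blocks (no padding)"
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(E(key, p) for p in split_blocks(msg))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Ci = E_K(Pi XOR Ci-1) with C-1 = IV: each block depends on all blocks before it."""
    out, prev = [], iv
    for p in split_blocks(msg):
        prev = E(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def ctr_crypt(key: bytes, start: bytes, msg: bytes) -> bytes:
    """Oi = E_K(counter_i), Ci = Pi XOR Oi; the same call decrypts."""
    out, ctr = [], int.from_bytes(start, "big")
    for i, p in enumerate(split_blocks(msg)):
        block_ctr = ((ctr + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(xor(p, E(key, block_ctr)))
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks occur more than once (pattern leakage)."""
    bs = split_blocks(ct)
    return sum(1 for b in bs if bs.count(b) > 1)

def ctr_reuse_leak(key: bytes, start: bytes, m1: bytes, m2: bytes) -> bytes:
    """With the same key and counter, C1 XOR C2 = P1 XOR P2: the keystream cancels out."""
    return xor(ctr_crypt(key, start, m1), ctr_crypt(key, start, m2))

# Constructed sample values: three identical blocks followed by a different one.
KEY = b"constructed-key!"
IV = bytes(range(16))
MSG1 = b"ATTACK AT DAWN!!" * 3 + b"RETREAT AT DUSK!"
MSG2 = b"HOLD POSITION!!!" * 4

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MSG1)))      # 3
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, MSG1)))  # 0
    print("CTR round trip:", ctr_crypt(KEY, IV, ctr_crypt(KEY, IV, MSG1)) == MSG1)
    print("reuse leak == P1 XOR P2:", ctr_reuse_leak(KEY, IV, MSG1, MSG2) == xor(MSG1, MSG2))
```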

2.12 ADVANCED ENCRYPTION STANDARD (AES)

• It is a private key symmetric block cipher designed by Rijmen and Daemen in Belgium
• It uses 128-bit data, 128/192/256-bit keys
• The data block of 4 columns of 4 bytes is the state
• The key is expanded to an array of words
• AES has 9/11/13 rounds in which the state undergoes:
  – byte substitution (1 S-box used on every byte)
  – shift rows (permute bytes between groups/columns)
  – mix columns (subs using matrix multiply of groups)
  – add round key (XOR state with key material)

Figure : AES Encryption and Decryption

BYTE SUBSTITUTION
• a simple substitution of each byte
• uses one table of 16×16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)

Figure : Substitute byte transformation

SHIFT ROWS

• a circular byte shift in each row
  – 1st row is unchanged
  – 2nd row does 1 byte circular shift to left
  – 3rd row does 2 byte circular shift to left
  – 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right

Figure: Shift Rows

MIX COLUMNS

• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1

Figure :Mix columns

• can express each col as 4 equations
  – to derive each new byte in col
• decryption requires use of inverse matrix
  – with larger coefficients, hence a little harder

ADD ROUND KEY

• XOR state with 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption identical
  – since XOR is its own inverse, with reversed keys

Figure :Add Round Key


AES KEY EXPANSION

• It takes a 128-bit (16-byte / four-word) key and expands it into an array of 44 words
• The key is copied into the first 4 words of the expanded key
• The remainder of the expanded key is filled in 4 words at a time
• Each added word w[i] depends on the immediately preceding word w[i-1] and the word 4 positions back w[i-4]
• In 3 of 4 cases just XOR is used
• For a word whose position in the w array is a multiple of 4, a more complex function (g) is used
The function g consists of the following subfunctions:
(i) RotWord performs a one-byte circular left shift on the word
(ii) SubWord performs a byte substitution on each byte of the input word
(iii) the result of steps (i) and (ii) is XORed with a round constant, Rcon
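An added example (not from the notes, and not the FIPS reference code) tying together section 2.6, Byte Substitution, Mix Columns and the Key Expansion above: GF(2^8) multiplication modulo m(x), the S-box generated from field inverses plus the AES affine map, MixColumns with its inverse (coefficients 14, 11, 13, 9), and the AES-128 key expansion with g = RotWord, SubWord, Rcon. The key used is the published FIPS 197 Appendix A example, not a secret.

```python
# Added example (not from the notes): AES building blocks from GF(2^8) arithmetic.
AES_POLY = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1, with the x^8 term as bit 8

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo m(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 = a^-1 since a^255 = 1 for a != 0 (0 maps to 0)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

# S-box: field inverse followed by the AES affine transformation (constant 0x63).
SBOX = [0] * 256
for v in range(256):
    i = gf_inv(v)
    SBOX[v] = i ^ _rotl8(i, 1) ^ _rotl8(i, 2) ^ _rotl8(i, 3) ^ _rotl8(i, 4) ^ 0x63

def mix_column(col: list, coeffs=(2, 3, 1, 1)) -> list:
    """Multiply a 4-byte column by the circulant matrix whose first row is coeffs."""
    out = []
    for r in range(4):
        v = 0
        for j in range(4):
            v ^= gf_mul(col[j], coeffs[(j - r) % 4])
        out.append(v)
    return out

def inv_mix_column(col: list) -> list:
    """Inverse matrix: the larger coefficients 14, 11, 13, 9 mentioned in the notes."""
    return mix_column(col, (14, 11, 13, 9))

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # x^(i-1) in GF(2^8)

def g(word: list, round_no: int) -> list:
    w = word[1:] + word[:1]              # (i) RotWord: one-byte circular left shift
    w = [SBOX[b] for b in w]             # (ii) SubWord: S-box on each byte
    w[0] ^= RCON[round_no - 1]           # (iii) XOR with the round constant
    return w

def key_expansion(key: bytes) -> list:
    """AES-128: 16-byte key -> 44 words; w[i] = w[i-4] XOR (g(w[i-1]) if i % 4 == 0 else w[i-1])."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = g(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS 197 A.1 example key

if __name__ == "__main__":
    print(hex(SBOX[0x53]), mix_column([0xdb, 0x13, 0x53, 0x45]))
    print([bytes(x).hex() for x in key_expansion(FIPS_KEY)[4:8]])
```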

AES DECRYPTION
• AES decryption is not identical to encryption since steps are done in reverse
• but can define an equivalent inverse cipher with steps as for encryption
  – but using inverses of each step
  – with a different key schedule
• works since result is unchanged when
  – swap byte substitution & shift rows
  – swap mix columns & add (tweaked) round key

2.13 RC4 (RIVEST CIPHER 4)

• A variable key size, byte-oriented stream cipher
• Designed by Ron Rivest for RSA Security
• RC4 is based on the use of a random permutation
• RC4 is widely used in SSL/TLS standards and the WEP (Wired Equivalent Privacy) protocol
• A variable length key from 1 to 256 bytes is used to initialize a 256-byte state vector S with elements S[0], S[1], …, S[255]
• At all times S contains a permutation of all 8-bit numbers from 0 through 255
• For encryption and decryption a byte key k is generated from S by selecting one of the 255 entries in a systematic fashion
• As each value of k is generated, the entries in S are once again permuted

RC4 SECURITY
• secure against known attacks
• since RC4 is a stream cipher, the key must never be reused

INITIALIZATION OF S

Entries in S are set equal to the values from 0 through 255 in ascending order:
S[0] = 0, S[1] = 1, …, S[255] = 255
A temporary vector T is also created.
If the length of key K is 256 bytes, then K is transferred to T. Otherwise, for a key of length keylen bytes, the first keylen elements of T are copied from K.
• Then K is repeated as many times as necessary to fill out T
    for i = 0 to 255 do
        S[i] = i;
        T[i] = K[i mod keylen];
INITIAL PERMUTATION OF S
Next we use T to produce the initial permutation of S.
This involves starting with S[0] and going through to S[255] and for each S[i], swapping S[i] with another byte in S
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) (mod 256);
        swap(S[i], S[j]);
• The only operation on S is a swap, so S still contains all the numbers from 0 through 255

STREAM GENERATION
Once the S vector is initialized, the input key is no longer used.
Stream generation involves cycling through all the elements of S[i] and for each S[i] swapping S[i] with another byte in S.
After S[255] is reached, the process continues starting over again at S[0]
    i = j = 0;
    for each message byte Mi
        i = (i + 1) (mod 256);
        j = (j + S[i]) (mod 256);
        swap(S[i], S[j]);
        t = (S[i] + S[j]) (mod 256);
        k = S[t]
To encrypt, XOR k with the next byte of plaintext
To decrypt, XOR k with the next byte of ciphertext

2.14 KEY DISTRIBUTION

• symmetric schemes require both parties to share a common secret key
• issue is how to securely distribute this key
• often, secure system failure is due to a break in the key distribution scheme
• given parties A and B have various key distribution alternatives:
  1. A can select key and physically deliver to B
  2. third party can select & deliver key to A & B
  3. if A & B have communicated previously can use previous key to encrypt a new key
  4. if A & B have secure communications with a third party C, C can relay key between A & B
KEY HIERARCHY
• typically have a hierarchy of keys
• session key
  – temporary key
  – used for encryption of data between users
  – for one logical session then discarded
• master key
  – used to encrypt session keys
  – shared by user & key distribution center

KEY DISTRIBUTION SCENARIO

KEY DISTRIBUTION ISSUES
• hierarchies of KDCs required for large networks, but must trust each other
• session key lifetimes should be limited for greater security
• use of automatic key distribution on behalf of users, but must trust system
• use of decentralized key distribution
• controlling key usage
