UNIT II CNS Reg 2017

UNIT II NOTES CS8792 CRYPTOGRAPHY AND NETWORK SECURITY
UNIT II SYMMETRIC KEY CRYPTOGRAPHY 9
MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY: Algebraic structures –

Modular arithmetic-Euclid‟s algorithm- Congruence and matrices – Groups, Rings, Fields-
Finite fields- SYMMETRIC KEY CIPHERS: SDES – Block cipher Principles of DES –
Strength of DES – Differential and linear cryptanalysis – Block cipher design principles –
Block cipher mode of operation – Evaluation criteria for AES – Advanced Encryption Standard
– RC4 – Key distribution.
Sl.no Table of contents Page number

1 MATHEMATICS OF SYMMETRIC KEY 2
CRYPTOGRAPHY
Algebraic structures
Modular arithmetic 6
Euclid‟s algorithm 9
Congruence and matrices
Groups, Rings, Fields 3
Finite fields 10
2 SYMMETRIC KEY CIPHERS: SDES 12
Block cipher Principles of DES 13
Data Encryption Standard(DES) 18
Strength of DES 21
Differential and linear cryptanalysis 23
Block cipher design principles 24
Block cipher modes of operation 25
- Electronic Code book(ECB) 26
- Cipher Block Chaining Mode(CBC) 28
- Cipher Feedback Mode(CFB) 30
- Output Feedback Mode(OFB) 32
- Counter Mode(CTR) 34
Evaluation criteria for AES – Advanced 37
Encryption Standard
RC4
Key distribution
MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY

1
 Algebraic structures
 Modular arithmetic
 Euclid‟s algorithm
 Congruence and matrices
 Groups, Rings, Fields- Finite fields
Groups, Rings, Fields
2
 Groups, rings, and fields are the fundamental elements of a branch of mathematics
known as abstract algebra, or modern algebra.
 In abstract algebra, we are concerned with sets on whose elements we can operate
algebraically; that is, we can combine two elements of the set, perhaps in several ways,
to obtain a third element of the set.
 These operations are subject to specific rules, which define the nature of the set. By
convention, the notation for the two principal classes of operations on set elements is
usually the same as the notation for addition and multiplication on ordinary numbers.
 However, it is important to note that, in abstract algebra, we are not limited to ordinary
arithmetical operations.
 Groups
 Cyclic group
 Rings
 Fields
Groups
.
 A group G, sometimes denoted by {G, }, is a set of elements with a binary operation
denoted by . that associates to each ordered pair (a, b) of elements in G an element

.
(a b) in G, such that the following axioms are obeyed.
 If a group has a finite number of elements, it is referred to as a finite group, and the
order of the group is equal to the number of elements in the group. Otherwise, the
group is an infinite group.
 A group is said to be abelian if it satisfies the following additional condition:
 When the group operation is addition, the identity element is 0; the inverse element of a
is -a; and subtraction is defined with the following rule: a - b = a + (-b).
Cyclic Group
 We define exponentiation within a group as a repeated application of the group
. .
operator, so that a3 = a a a. Furthermore, we define a0 = e as the identity element, and
a- n = (a’ )n, where a’ is the inverse element of a within the group.
3
 A group G is cyclic if every element of G is a power ak (k is an integer) of a fixed

element a€G. The element a is said to generate the group G or to be a generator of G.
A cyclic group is always abelian and may be finite or infinite.
Rings
 A ring R, sometimes denoted by {R, +, X}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in R the following
axioms are obeyed.
 In essence, a ring is a set in which we can do addition, subtraction [a - b = a + (-b)], and

multiplication without leaving the set.
 A ring is said to be commutative if it satisfies the following additional condition:
 Next, we define an integral domain, which is a commutative ring that obeys the
following axioms.
Fields
 A field F, sometimes denoted by {F, +, X}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in F the following
axioms are obeyed.
 In essence, a field is a set in which we can do addition, subtraction, multiplication, and

division without leaving the set. Division is defined with the following rule: a/b = a(b-
1
).
 Figure 4.2 summarizes the axioms that define groups, rings, and fields.
4
5
Modular arithmetic
 The Modulus
 Properties of Congruences
 Modular arithmetic operations
 Properties of Modular arithmetic
 The Modulus
If a is an integer and n is a positive integer, we define a mod n to be the
remainder when a is divided by n. The integer n is called the modulus. Thus, for any
integer a, we can rewrite Equation (4.1) as follows:
Two integers a and b are said to be congruent modulo n, if (a mod n) = (b mod

n). This is written as a K b (mod n).
Example:
73 mod 23 = 4mod 23
4=4
Therefore,
 Properties of Congruences
Congruences have the following properties:
 Modular Arithmetic Operations

Modular arithmetic exhibits the following properties:
6
Example:
 Properties of Modular Arithmetic

Define the set Zn as the set of nonnegative integers less than n:
This is referred to as the set of residues, or residue classes (mod n).
7
8
Euclid’s algorithm or Eucledian algorithm
 One of the basic techniques of number theory is the Euclidean algorithm, which is a
simple procedure for determining the greatest common divisor of two positive integers.
First, we need a simple definition: Two integers are relatively prime if their only
common positive integer factor is 1.
 Greatest common divisor

 Finding Greatest common divisor
Greatest common divisor (GCD) or Greatest common factor(GCF)

We will use the notation gcd(a, b) to mean the greatest common divisor of a and b.
The greatest common divisor of a and b is the largest integer that divides both a and b. We also
define gcd(0, 0) = 0.
More formally, the positive integer c is said to be the greatest common divisor of a and
b if
1. c is a divisor of a and of b.
2. Any divisor of a and b is a divisor of c.
An equivalent definition is the following:
Because we require that the greatest common divisor be positive,

gcd(a, b) = gcd(a, -b) = gcd(-a, b) = gcd(-a,-b).
In general, gcd(a, b) = gcd( a , b ).
Finding Greatest common divisor

Steps:
 Divide the larger number by the smaller number.
 Don’t stop dividing until you get zero(0) remainder.
 If you get the zero remainder, the divisor that gives you zero remainder is considered as
GCD or GCF.
9
Finite fields
 Finite fields play a crucial role in many cryptographic algorithms.

 It can be shown that the order of a finite field (number of elements in the field) must be
a power of a prime pn, where n is a positive integer.
 A prime number is an integer whose only positive integer factors are itself and 1. That
is, the only positive integers that are divisors of p are p and 1.
 The finite field of order pn is generally written GF(pn);
 GF stands for Galois field, in honor of the mathematician who first studied finite fields.
 For n = 1, we have the finite field GF(p);
Finite Fields of Order p

 For a given prime, p, we define the finite field of order p, GF(p), as the set Zp of
integers {0, 1….…p - 1} together with the arithmetic operations modulo p.
 Any integer in Zn has a multiplicative inverse if and only if that integer is relatively
prime to n.
 If n is prime, then all of the nonzero integers in Z n are relatively prime to n, and
therefore there exists a multiplicative inverse for all of the nonzero integers in Zn.
Finding the Multiplicative Inverse in GF(p)

 It is easy to find the multiplicative inverse of an element in GF(p) for small values of p.
 You simply construct a multiplication table, such as shown in Table 4.5b, and the
desired result can be read directly.
10
Summary
 We defined GF(p) with the following properties.
a. GF(p) consists of p elements.
b. The binary operations + and * are defined over the set. The operations of addition,
subtraction, multiplication, and division can be performed without leaving the set. Each
element of the set other than 0 has a multiplicative inverse.
11
SYMMETRIC KEY CIPHERS: SDES
 Block cipher Principles of DES

 Strength of DES
 Differential and linear cryptanalysis
 Block cipher design principles
 Block cipher mode of operation
 Evaluation criteria for AES
 Advanced Encryption Standard
 RC4
 Key distribution
12
BLOCK CIPHER PRINCIPLES OF DES
- Many symmetric block encryption algorithms in current use are based on a structure
referred to a Feistel block cipher.
 Stream Ciphers and Block Ciphers

 Motivation for the Feistel Cipher Structure
 The Feistel Cipher
o Feistel Cipher Structure
Stream Ciphers and Block Ciphers:
Stream cipher:
- A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
- Examples of classical stream ciphers are the autokeyed Vigenère cipher and the
Vernam cipher.
- The bit-stream generator must be implemented as an algorithmic procedure, so that the

cryptographic bit stream can be produced by both users.
- In this approach (Figure 3.1a), the bit-stream generator is a key-controlled algorithm
and must produce a bit stream that is cryptographically strong.
- The two users need only share the generating key, and each can produce the keystream.
13
Block cipher:
- A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a ciphertext block of equal length.
- Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users
share a symmetric encryption key (Figure 3.1b).
Motivation for the Feistel Cipher Structure:

- A block cipher operates on a plaintext block of n bits to produce a cipher text block of n
bits.
- There are 2n possible different plaintext blocks and, for the encryption to be reversible
(i.e., for decryption to be possible), each must pro-duce a unique cipher text block.
Such a transformation is called reversible, or nonsingular.
The Feistel Cipher:

- Feistel proposed the use of a cipher that alternates substitutions and permutations,
where these terms are defined as follows:
o Substitution: Each plaintext element or group of elements is uniquely replaced
by a corresponding ciphertext element or group of elements.
o Permutation: A sequence of plaintext elements is replaced by a permutation of
that sequence. That is, no elements are added or deleted or replaced in the
sequence, rather the order in which the elements appear in the sequence is
changed.
Feistel Cipher Structure

 The left-hand side of Figure 3.3 depicts the structure proposed by Feistel.
 The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key
K.
 The plaintext block is divided into two halves, L0 and R0.
 The two halves of the data pass through n rounds of processing and then combine to
produce the ciphertext block.
 Each round i has as inputs Li - 1 and Ri - 1 derived from the previous round, as well as a
subkey Ki derived from the overall K.
 In general, the subkeys Ki are different from K and from each other.
 In Figure 3.3, 16 rounds are used, although any number of rounds could be
implemented.
 All rounds have the same structure. A substitution is performed on the left half of the
data.
 This is done by applying a round function F to the right half of the data and then taking
the exclusive-OR of the output of that function and the left half of the data.
 The round function has the same general structure for each round but is parameterized
by the round subkey Ki.
 Another way to express this is to say that F is a function of right-half block of w bits
and a subkey of y bits, which produces an output value of length w bits: F(REi, Ki+1).
14
 Following this substitution, a permutation is performed that consists of the interchange

of the two halves of the data.
 This structure is a particular form of the substitution-permutation network (SPN)

proposed by Shannon.
The exact realization of a Feistel network depends on the choice of the

following parameters and design features:
1. Block size
2. Key size
3. Number of rounds
4. Subkey generation algorithm
5. Round function F
15
Block size:
- Larger block sizes mean greater security (all other things being equal) but reduced
encryption/decryption speed for a given algorithm.
Key size:
- Larger key size means greater security but may decrease encryption/ decryption speed.
The greater security is achieved by greater resistance to brute-force attacks and greater
confusion. Key sizes of 64 bits or less are now widely considered to be inadequate, and
128 bits has become a common size.
Number of rounds:
- The essence of the Feistel cipher is that a single round offers inadequate security but
that multiple rounds offer increasing security. A typical size is 16 rounds.
Subkey generation algorithm:

- Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
Round function F:
- Again, greater complexity generally means greater resistance to cryptanalysis.
There are two other considerations in the design of a Feistel cipher:

 Fast software encryption/decryption
 Ease of analysis
Fast software encryption/decryption:

- In many cases, encryption is embedded in applications or utility functions in such a way
as to preclude a hardware implementation. Accordingly, the speed of execution of the
algorithm becomes a concern.
Ease of analysis:
- Although we would like to make our algorithm as difficult as possible to cryptanalyze,
there is great benefit in making the algorithm easy to analyze. That is, if the algorithm
can be concisely and clearly explained, it is easier to analyze that algorithm for
cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its
strength.
Feistel Decryption Algorithm

The process of decryption with a Feistel cipher is essentially the same as the
encryption process. The rule is as follows: Use the ciphertext as input to the algorithm, but
use the subkeys Ki in reverse order. That is, use Kn in the first round, Kn - 1 in the second
round, and so on, until K1 is used in the last round. This is a nice feature, because it means
we need not implement two different algorithms; one for encryption and one for
decryption.
To see that the same algorithm with a reversed key order produces the correct
result, Figure 3.3 shows the encryption process going down the left-hand side and the
16
decryption process going up the right-hand side for a 16-round algorithm. For clarity, we
use the notation LEi and REi for data traveling through the encryption algorithm and LDi
and RDi for data traveling through the decryption algorithm. The diagram indicates that, at
every round, the intermediate value of the decryption process is equal to the corresponding
value of the encryption process with the two halves of the value swapped. To put this
another way, let the output of the ith encryption round be LEi||REi (LEi concatenated with
REi). Then the corresponding output of the (16 – i) th decryption round is REi LEi or,
equivalently, LD16 - i RD16 - i.
Let us walk through Figure 3.3 to demonstrate the validity of the preceding
assertions. After the last iteration of the encryption process, the two halves of the output are
swapped, so that the ciphertext is RE16 LE16. The output of that round is the ciphertext. Now
take that ciphertext and use it as input to the same algorithm. The input to the first round is
RE16 LE16, which is equal to the 32-bit swap of the output of the sixteenth round of the
encryption process.
Now we would like to show that the output of the first round of the decryption
process is equal to a 32-bit swap of the input to the sixteenth round of the encryption
process. First, consider the encryption process. We see that
On the decryption side,
Thus, we have LD1 = RE15 and RD1 = LE15. Therefore, the output of the first
round of the decryption process is RE15 LE15, which is the 32-bit swap of the input to
the sixteenth round of the encryption. This correspondence holds all the way through
the 16 iterations, as is easily shown. We can cast this process in general terms. For the
ith iteration of the encryption algorithm,
Rearranging terms:
Thus, we have described the inputs to the ith iteration as a function of the
outputs, and these equations confirm the assignments shown in the right-hand side of
Figure 3.3.
Finally, we see that the output of the last round of the decryption process is RE0 || LE0.
17
THE DATA ENCRYPTION STANDARD
 Until the introduction of the Advanced Encryption Standard (AES) in 2001, the Data
Encryption Standard (DES) was the most widely used encryption scheme.
 DES was issued in 1977 by the National Bureau of Standards, now the National Institute
of Standards and Technology (NIST), as Federal Information Processing Standard 46
(FIPS PUB 46).
 The algorithm itself is referred to as the Data Encryption Algorithm (DEA).
 For DEA, data are encrypted in 64-bit blocks using a 56-bit key.
 The algorithm transforms 64-bit input in a series of steps into a 64-bit output.
 The same steps, with the same key, are used to reverse the encryption.
 Over the years, DES became the dominant symmetric encryption algorithm, especially in
financial applications.
 In 1994, NIST reaffirmed DES for federal use for another five years; NIST recommended
the use of DES for applications other than the protection of classified information.
 In 1999, NIST issued a new version of its standard (FIPS PUB 46-3) that indicated that
DES should be used only for legacy systems and that triple DES (which in essence
involves repeating the DES algorithm three times on the plaintext using two or three
different keys to produce the ciphertext) be used.
 DES Encryption
 DES Decryption
DES Encryption
 The overall scheme for DES encryption is illustrated in Figure 3.5.
 As with any encryption scheme, there are two inputs to the encryption function: the
plaintext to be encrypted and the key.
 In this case, the plaintext must be 64 bits in length and the key is 56 bits in length.
 Looking at the left-hand side of the figure, we can see that the processing of the plaintext
proceeds in three phases.
 First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the
bits to produce the permuted input.
 This is followed by a phase consisting of sixteen rounds of the same function, which
involves both permutation and substitution functions.
 The output of the last (sixteenth) round consists of 64 bits that are a function of the input
plaintext and the key.
 The left and right halves of the output are swapped to produce the preoutput.
 Finally, the preoutput is passed through a permutation [IP -1] that is the inverse of the
initial permutation function, to produce the 64-bit ciphertext.
18
 With the exception of the initial and final permutations, DES has the exact structure of a
Feistel cipher, as shown in Figure 3.3.
 The right-hand portion of Figure 3.5 shows the way in which the 56-bit key is used.
 Initially, the key is passed through a permutation function.
 Then, for each of the sixteen rounds, a subkey (Ki) is produced by the combination of a
left circular shift and a permutation.
 The permutation function is the same for each round, but a different subkey is produced
because of the repeated shifts of the key bits.
DES Decryption
As with any Feistel cipher, decryption uses the same algorithm as encryption, except that
the application of the subkeys is reversed. Additionally, the initial and final permutations are
reversed.
Figure 3.5 General Depiction of DES Encryption Algorithm
19
The Avalanche Effect

A desirable property of any encryption algorithm is that a small change in either the
plaintext or the key should produce a significant change in the ciphertext. In particular, a change
in one bit of the plaintext or one bit of the key should produce a change in many bits of the
ciphertext. This is referred to as the avalanche effect.
20
STRENGTH OF DES
 The Use of 56-Bit Keys

 The nature of the DES algorithm
 The Use of 56-Bit Keys:

- With a key length of 56 bits, there are 256 possible keys, which is approximately 7.2 * 1016
keys.
- Thus, on the face of it, a brute-force attack appears impractical.
- Assuming that, on average, half the key space has to be searched, a single machine
performing one DES encryption per microsecond would take more than a thousand
years to break the cipher.
- It is important to note that there is more to a key-search attack than simply
running through all possible keys.
- Unless known plaintext is provided, the analyst must be able to recognize plaintext as
plaintext.
- If the message is just plain text in English, then the result pops out easily, although the
task of recognizing English would have to be automated.
- If the text message has been compressed before encryption, then recognition is more
difficult.
- And if the message is some more general type of data, such as a numerical file, and this
has been compressed, the problem becomes even more difficult to automate.
- Thus, to supplement the brute-force approach, some degree of knowledge about the
expected plaintext is needed, and some means of automatically distinguishing plaintext
from garble is also needed
 The nature of the DES algorithm:

- Another concern is the possibility that cryptanalysis is possible by exploiting the
characteristics of the DES algorithm.
- The focus of concern has been on the eight substitution tables, or S-boxes, that are used
in each iteration.
- Because the design criteria for these boxes, and indeed for the entire algorithm, were not
made public, there is a suspicion that the boxes were constructed in such a way that
cryptanalysis is possible for an opponent who knows the weaknesses in the S-boxes.
Timing Attacks:
- A timing attack is one in which information about the key or the plaintext
is obtained by observing how long it takes a given implementation to perform
decryptions on various cipher texts.
21
- A timing attack exploits the fact that an encryption or decryption algorithm often takes
slightly different amounts of time on different inputs.
22
Differential and linear cryptanalysis
 Differential cryptanalysis
 Linear cryptanalysis
 Differential cryptanalysis:
 Differential cryptanalysis is the first published attack that is
capable of breaking DES in less than 2 encryptions.
55
 The scheme, as reported in can successfully cryptanalyze DES with an effort on the order
of 247encryptions, requiring 247 chosen plaintexts.
 Although 247 is certainly significantly less than 255, the need for the adversary to find
chosen plaintexts makes this attack of only theoretical interest.
 Differential cryptanalysis of an eight-round LUCIFER algorithm requires only 256
chosen plaintexts, whereas an attack on an eight-round version of DES requires 2 14chosen
plaintexts.
 Linear cryptanalysis:
 This attack is based on finding linear approximations to describe the transformations
performed in DES.
 This method can find a DES key given 243 known plaintexts, as compared to 247 chosen
plaintexts for differential cryptanalysis.
 Although this is a minor improvement, because it may be easier to acquire known
plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an
attack on DES.
23
Block cipher design principles

 Number of rounds
 Design of Function F
 Key schedule algorithm
Number of Rounds
 The cryptographic strength of a Feistel cipher derives from three aspects of the design:
the number of rounds, the function F, and the key schedule algorithm.
 The greater the number of rounds, the more difficult it is to perform cryptanalysis, even
for a relatively weak F.
 In general, the criterion should be that the number of rounds is chosen so that known
cryptanalytic efforts require greater effort than a simple brute-force key search attack.
 This criterion was certainly used in the design of DES.
 This criterion is attractive, because it makes it easy to judge the strength of an algorithm
and to compare different algorithms.
 In the absence of a cryptana-lytic breakthrough, the strength of any algorithm that
satisfies the criterion can be judged solely on key length.
Design of Function F
 The heart of a Feistel block cipher is the function F, which provides the element of
confusion in a Feistel cipher.
 Thus, it must be difficult to “unscramble” the substitution performed by F.
 The more nonlinear F, the more difficult any type of cryptanalysis will be.
 In rough terms, the more difficult it is to approximate F by a set of linear equations, the
more nonlinear F is.
 Several other criteria should be considered in designing F.
 We would like the algorithm to have good avalanche properties.
 Recall that, in general, this means that a change in one bit of the input should produce a
change in many bits of the output.
 A more stringent version of this is the strict avalanche criterion (SAC), which states
that any output bit j of an S-box should change with probability 1/2 when any single input
bit i is inverted for all i, j.
 Another criterion proposed in is the bit independence criterion (BIC), which states that
output bits j and k should change independently when any single input bit i is inverted for
all i, j, and k.
Key Schedule Algorithm
 With any Feistel block cipher, the key is used to generate one subkey for each round.
 In general, we would like to select subkeys to maximize the difficulty of deducing
individual subkeys and the difficulty of working back to the main key.
 No general principles for this have yet been promulgated.
24
Block cipher modes of operation

A mode of operation is a technique for enhancing the effect of a cryptographic
algorithm or adapting the algorithm for an application, such as applying a block cipher to a
sequence of data blocks or a data stream.
 Electronic Code book

 Cipher Block Chaining Mode
 Cipher Feedback Mode
 Output Feedback Mode
 Counter Mode
25
Electronic Code book (ECB) mode
 The simplest mode is the electronic codebook (ECB) mode, in which plaintext is
handled one block at a time and each block of plaintext is encrypted using the same key
(Figure 6.3).
 The term codebook is used because, for a given key, there is a unique ciphertext for every
b-bit block of plaintext.
 Therefore, we can imagine a gigantic codebook in which there is an entry for every
possible b-bit plaintext pattern showing its corresponding ciphertext.
 For a message longer than b bits, the procedure is simply to break the message into b-bit
blocks, padding the last block if necessary.
 Decryption is performed one block at a time, always using the same key.
 In Figure 6.3, the plaintext (padded as necessary) consists of a sequence of b-bit blocks,
P1, P2,c, PN; the corresponding sequence of ciphertext blocks is C1, C2, c, CN.
 We can define ECB mode as follows.
26
 The ECB method is ideal for a short amount of data, such as an encryption key.
 Thus, if you want to transmit a DES or AES key securely, ECB is the appropriate mode
to use.
 Merit of ECB:
o The most significant characteristic of ECB is that if the same b-bit block of
plaintext appears more than once in the message, it always produces the same
ciphertext.
 Demerit of ECB:
o For lengthy messages, the ECB mode may not be secure. If the message is highly
structured, it may be possible for a cryptanalyst to exploit these regularities.
 We now turn to more complex modes of operation. The following are criteria and
properties for evaluating and constructing block cipher modes of operation that are
superior to ECB:
o Overhead:
 The additional operations for the encryption and decryption operation
when compared to encrypting and decrypting in the ECB mode.
o Error recovery:
 The property that an error in the ith ciphertext block is inherited by only a
few plaintext blocks after which the mode resynchronizes.
o Error propagation:
 The property that an error in the ith ciphertext block is inherited by the ith
and all subsequent plaintext blocks. What is meant here is a bit error that
occurs in the transmission of a ciphertext block, not a computational error
in the encryption of a plaintext block.
o Diffusion:
 How the plaintext statistics are reflected in the ciphertext. Low entropy
plaintext blocks should not be reflected in the ciphertext blocks. Roughly,
low entropy equates to predictability or lack of randomness.
o Security:
 Whether or not the ciphertext blocks leak information about the plaintext
blocks.
27
Cipher Block Chaining Mode(CBC)
 To overcome the security deficiencies of ECB, we would like a technique in which the
same plaintext block, if repeated, produces different ciphertext blocks.
 A simple way to satisfy this requirement is the cipher block chaining (CBC) mode
(Figure 6.4).
 In this scheme, the input to the encryption algorithm is the XOR of the current plaintext
block and the preceding ciphertext block; the same key is used for each block.
 In effect, we have chained together the processing of the sequence of plaintext blocks.
 The input to the encryption function for each plaintext block bears no fixed relationship
to the plaintext block.
 Therefore, repeating patterns of b bits are not exposed. As with the ECB mode, the CBC
mode requires that the last block be padded to a full b bits if it is a partial block.
 For decryption, each cipher block is passed through the decryption algorithm.
 The result is XORed with the preceding ciphertext block to produce the plaintext block.
To see that this works, we can write
28
Then
 To produce the first block of ciphertext, an initialization vector (IV) is XORed with the
first block of plaintext.
 On decryption, the IV is XORed with the output of the decryption algorithm to recover
the first block of plaintext.
 The IV is a data block that is the same size as the cipher block.
 We can define CBC mode as
 The IV must be known to both the sender and receiver but be unpredictable by a third
party.
29
 In particular, for any given plaintext, it must not be possible to predict the IV that will be
associated to the plaintext in advance of the generation of the IV.
 For maximum security, the IV should be protected against unauthorized changes.
 This could be done by sending the IV using ECB encryption.
 One reason for protecting the IV is as follows: If an opponent is able to fool the receiver
into using a different value for IV, then the opponent is able to invert selected bits in the
first block of plaintext.
 To see this, consider
 Now use the notation that X[i] denotes the ith bit of the b-bit quantity X. Then
 Now use the notation that X[i] denotes the ith bit of the b-bit quantity X. Then
where the prime notation denotes bit complementation.

 This means that if an opponent can predictably change bits in IV, the corresponding bits
of the received value of P1 can be changed.
Cipher Feedback Mode(CFB)
 It is possible to convert a block cipher into a stream cipher, using one of the three modes
to be discussed in this and the next two sections:
o cipher feedback (CFB) mode
o output feedback (OFB) mode
o counter (CTR) mode
 Figure 6.5 depicts the CFB scheme. In the figure, it is assumed that the unit of
transmission is s bits; a common value is s = 8.
 As with CBC, the units of plaintext are chained together, so that the ciphertext of any
plaintext unit is a function of all the preceding plaintext.
 In this case, rather than blocks of b bits, the plaintext is divided into segments of s bits.
 First, consider encryption. The input to the encryption function is a b-bit shift register that
is initially set to some initialization vector (IV).
 The leftmost (most significant) s bits of the output of the encryption function are XORed
with the first segment of plaintext P1 to produce the first unit of ciphertext C1, which is
then transmitted.
30
 In addition, the contents of the shift register are shifted left by s bits, and C1 is placed in
the rightmost (least significant) s bits of the shift register.
 This process continues until all plaintext units have been encrypted.
 For decryption, the same scheme is used, except that the received ciphertext unit is
XORed with the output of the encryption function to produce the plaintext unit.
 Note that it is the encryption function that is used, not the decryption function.
 This is easily explained. Let MSBs(X) be defined as the most significant s bits of X. Then
Therefore, by rearranging terms:
The same reasoning holds for subsequent steps in the process.
We can define CFB mode as follows.
31
 Demerit of CFB:
o In CFB encryption, like CBC encryption, the input block to each forward cipher
function (except the first) depends on the result of the previous forward cipher
function; therefore, multiple forward cipher operations cannot be performed in
parallel. In CFB decryption, the required forward cipher operations can be
performed in parallel if the input blocks are first constructed (in series) from the
IV and the ciphertext.
32
Output Feedback Mode(OFB)
 The output feedback (OFB) mode is similar in structure to that of CFB.

 For OFB, the output of the encryption function is fed back to become the input for
encrypting the next block of plaintext (Figure 6.6).
 In CFB, the output of the XOR unit is fed back to become input for encrypting the next
block.
 The other difference is that the OFB mode operates on full blocks of plaintext and
ciphertext, whereas CFB operates on an s-bit subset.
 OFB encryption can be expressed as
where
 Some thought should convince you that we can rewrite the encryption expression as:
By rearranging terms, we can demonstrate that decryption works.
 We can define OFB mode as follows.
 Let the size of a block be b.

 If the last block of plaintext contains u bits (indicated by *), with u<b, the most
significant u bits of the last output block ON are used for the XOR operation; the
remaining b - u bits of the last output block are discarded.
 As with CBC and CFB, the OFB mode requires an initialization vector.
 In the case of OFB, the IV must be a nonce; that is, the IV must be unique to each
execution of the encryption operation.
 The reason for this is that the sequence of encryption output blocks, Oi, depends only on
the key and the IV and does not depend on the plaintext.
 The nonce must be a data block that is unique to each execution of the encryption
operation.
33
 Therefore, for a given key and IV, the stream of output bits used to XOR with the stream
of plaintext bits is fixed.
 If two different messages had an identical block of plaintext in the identical position, then
an attacker would be able to determine that portion of the Oi stream.
 Merit of OFB:
o One advantage of the OFB method is that bit errors in transmission do not
propagate.
o For example, if a bit error occurs in C1, only the recovered value of P1 is affected;
subsequent plaintext units are not corrupted.
 Demerit of OFB:
o The disadvantage of OFB is that it is more vulnerable to a message stream
modification attack than is CFB.
34
Counter Mode(CTR)
 Figure 6.7 depicts the CTR mode.

 A counter equal to the plaintext block size is used.
 The only requirement stated is that the counter value must be different for each plaintext
block that is encrypted.
 Typically, the counter is initialized to some value and then incremented by 1 for each
subsequent block (modulo 2b, where b is the block size).
 For encryption, the counter is encrypted and then XORed with the plaintext block to
produce the ciphertext block; there is no chaining.
 For decryption, the same sequence of counter values is used, with each encrypted counter
XORed with a ciphertext block to recover the corresponding plain-text block.
 Thus, the initial counter value must be made available for decryption. Given a sequence
of counters T1, T2,……TN, we can define CTR mode as follows.
35
 For the last plaintext block, which may be a partial block of u bits, the most significant u
bits of the last output block are used for the XOR operation; the remaining b - u bits are
discarded.
 Unlike the ECB, CBC, and CFB modes, we do not need to use padding because of the
structure of the CTR mode.
 As with the OFB mode, the initial counter value must be a nonce; that is, T1 must be
different for all of the messages encrypted using the same key.
 Further, all Ti values across all messages must be unique. If, contrary to this requirement,
a counter value is used multiple times, then the confidentiality of all of the plaintext
blocks corresponding to that counter value may be compromised.
 In particular, if any plaintext block that is encrypted using a given counter value is
known, then the output of the encryption function can be determined easily from the
associated ciphertext block.
 This output allows any other plaintext blocks that are encrypted using the same counter
value to be easily recovered from their associated cipher-text blocks.
 One way to ensure the uniqueness of counter values is to continue to increment the
counter value by 1 across messages. That is, the first counter value of the each message is
one more than the last counter value of the preceding message.
 Advantages of CTR mode:

o Hardware efficiency:
 Unlike the three chaining modes, encryption (or decryption) in CTR mode
can be done in parallel on multiple blocks of plaintext or ciphertext.
 For the chaining modes, the algorithm must complete the computation on
one block before beginning on the next block.
o Software efficiency:
 Similarly, because of the opportunities for parallel execution in CTR
mode, processors that support parallel features, such as aggressive
pipelining, multiple instruction dispatch per clock cycle, a large number of
registers, and SIMD instructions, can be effectively utilized.
o Preprocessing:
 The execution of the underlying encryption algorithm does not depend on
input of the plaintext or ciphertext.
36
 Therefore, if sufficient memory is available and security is maintained,

preprocessing can be used to prepare the output of the encryption boxes
that feed into the XOR functions, as in Figure 6.7.
 When the plaintext or ciphertext input is presented, then the only
computation is a series of XORs.
 Such a strategy greatly enhances throughput.
o Random access:
 The ith block of plaintext or ciphertext can be processed in random-access
fashion.
 With the chaining modes, block Ci cannot be computed until the i - 1 prior
block are computed. There may be applications in which a ciphertext is
stored and it is desired to decrypt just one block; for such applications, the
random access feature is attractive.
o Provable security:
 It can be shown that CTR is at least as secure as the other modes discussed
in this section.
o Simplicity:
 Unlike ECB and CBC modes, CTR mode requires only the
implementation of the encryption algorithm and not the decryption
algorithm.
 This matters most when the decryption algorithm differs substantially
from the encryption algorithm, as it does for AES. In addition, the
decryption key scheduling need not be implemented.
37
Advanced Encryption Standard (AES)
 AES Structure
o General Structure
o Detailed Structure
 AES Transformation Functions
o Substitute Bytes Transformation
o ShiftRows Transformation
o MixColumns Transformation
o AddRoundKey Transformation
 AES Key Expansion
o Key Expansion Algorithm
 AES Structure
General Structure:
 Figure 5.1 shows the overall structure of the AES encryption process.
 The cipher takes a plaintext block size of 128 bits, or 16 bytes.
 The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits).
 The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key
length.
 The input to the encryption and decryption algorithms is a single 128-bit block and this
block is depicted as a 4 * 4 square matrix of bytes.
 This block is copied into the State array, which is modified at each stage of encryption or
decryption.
 After the final stage, State is copied to an output matrix.
 These operations are depicted in Figure 5.2a. Similarly, the key is depicted as a square
matrix of bytes.
 This key is then expanded into an array of key schedule words.
 Figure 5.2b shows the expansion for the 128-bit key.
 Each word is four bytes, and the total key schedule is 44 words for the 128-bit key.
 Note that the ordering of bytes within a matrix is by column.
 So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher
occupy the first column of the in matrix, the second four bytes occupy the second
column, and so on.
 Similarly, the first four bytes of the expanded key, which form a word, occupy the first
column of the w matrix.
38
 The cipher consists of N rounds, where the number of rounds depends on the key length:
10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte
key.
39
 The first N - 1 round consist of four distinct transformation functions: SubBytes,

ShiftRows, MixColumns, and AddRoundKey, which are described subsequently.
 The final round contains only three transformations, and there is a initial single
transformation (AddRoundKey) before the first round, which can be considered Round 0.
 Each transformation takes one or more 4 * 4 matrices as input and produces a 4 * 4
matrix as output.
 Figure 5.1 shows that the output of each round is a 4 * 4 matrix, with the output of the
final round being the ciphertext.
 Also, the key expansion function generates N + 1 round keys, each of which is a distinct
4 * 4 matrix.
 Each round key serves as one of the inputs to the AddRoundKey transformation in each
round.
Detailed Structure
 Figure 5.3 shows the AES cipher in more detail, indicating the sequence of
transformations in each round and showing the corresponding decryption function.
1. One noteworthy feature of this structure is that it is not a Feistel structure. Recall that, in
the classic Feistel structure, half of the data block is used to modify the other half of the
data block and then the halves are swapped. AES instead processes the entire data block
as a single matrix during each round using substitutions and permutation.
40
2. The key that is provided as input is expanded into an array of forty-four 32-bit words,
w[i]. Four distinct words (128 bits) serve as a round key for each round; these are
indicated in Figure 5.3.
3. Four different stages are used, one of permutation and three of substitution:
i. Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block.
ii. ShiftRows: A simple permutation
iii. MixColumns: A substitution that makes use of arithmetic over GF(28).
41
iv. AddRoundKey:A simple bitwise XOR of the current block with a portion of the
expanded key.
4. The structure is quite simple. For both encryption and decryption, the cipher begins with
an AddRoundKey stage, followed by nine rounds that each includes all four stages,
followed by a tenth round of three stages. Figure 5.4 depicts the structure of a full
encryption round.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins
and ends with an AddRoundKey stage. Any other stage, applied at the beginning or end,
is reversible without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. The other three stages together provide confusion, diffusion, and
nonlinearity, but by themselves would provide no security because they do not use the
key. We can view the cipher as alternating operations of XOR encryption
(AddRoundKey) of a block, followed by scrambling of the block (the other three stages),
followed by XOR encryption, and so on. This scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns
stages, an inverse function is used in the decryption algorithm. For the AddRoundKey
stage, the inverse is achieved by XORing the same round key to the block, using the
result that A _ B _ B = A.
8. As with most block ciphers, the decryption algorithm makes use of the expanded key in
reverse order. However, the decryption algorithm is not identical to the encryption
algorithm. This is a consequence of the particular structure of AES.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption
does recover the plaintext. Figure 5.3 lays out encryption and decryption going in
opposite vertical directions. At each horizontal point (e.g., the dashed line in the figure),
State is the same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages. Again,
this is a consequence of the particular structure of AES and is required to make the cipher
reversible.
42
 AES Transformation Functions
Substitute Bytes Transformation

 Forward and Inverse Transformations: The forward substitute byte transformation, called
SubBytes, is a simple table lookup (Figure 5.5a). AES defines a 16 * 16 matrix of byte
values, called an S-box (Table 5.2a), that contains a permutation of all possible 256 8-bit
values. Each individual byte of State is mapped into a new byte in the following way:
The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as
a column value. These row and column values serve as indexes into the S-box to select a
unique 8-bit output value. For example, the hexadecimal value {95} references row 9,
column 5 of the S-box, which contains the value {2A}. Accordingly, the value {95} is
mapped into the value {2A}.
ShiftRows Transformation
 Forward and Inverse Transformations: The forward shift row transformation, called
ShiftRows, is depicted in Figure 5.7a. The first row of State is not altered. For the second
row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift
43
is performed. For the fourth row, a 3-byte circular left shift is performed. The inverse
shift row transformation, called InvShiftRows, performs the circular shifts in the opposite
direction for each of the last three rows, with a 1-byte circular right shift for the second
row, and so on.
MixColumns Transformation
 Forward and Inverse Transformations: The forward mix column transformation, called
MixColumns, operates on each column individually. Each byte of a column is mapped
into a new value that is a function of all four bytes in that column. The transformation can
be defined by the following matrix multiplication on State (Figure 5.7b). Each element in
the product matrix is the sum of products of elements of one row and one column.
AddRoundKey Transformation
 Forward and Inverse Transformations: In the forward add round key transformation,
called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the
round key. As shown in Figure 5.5b, the operation is viewed as a columnwise operation
between the 4 bytes of a State column and one word of the round key; it can also be
viewed as a byte-level operation. The first matrix is State, and the second matrix is the
44
round key. The inverse add round key transformation is identical to the forward add
round key transformation, because the XOR operation is its own inverse.
 AES Key Expansion
Key Expansion Algorithm

 The AES key expansion algorithm takes as input a four-word (16-byte) key and produces
a linear array of 44 words (176 bytes). This is sufficient to provide a fourwordb round
key for the initial AddRoundKey stage and each of the 10 rounds of the cipher. The
pseudocode on the next page describes the expansion. The key is copied into the first four
words of the expanded key. The remainder of the expanded key is filled in four words at
a time. Each added word w[i] depends on the immediately preceding word, w[i - 1], and
the word four positions back, w[i - 4].
45
 In three out of four cases, a simple XOR is used. For a word whose position in the w
array is a multiple of 4, a more complex function is used. Figure 5.9 illustrates the
generation of the expanded key, using the symbol g to represent that complex function.
The function g consists of the following subfunctions.
46

UNIT II CNS Reg 2017

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

UNIT II CNS Reg 2017

Uploaded by

Copyright:

Available Formats

UNIT II NOTES CS8792 CRYPTOGRAPHY AND NETWORK SECURITY

UNIT II SYMMETRIC KEY CRYPTOGRAPHY 9

MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY: Algebraic structures –

Sl.no Table of contents Page number

MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY

Groups, Rings, Fields

denoted by . that associates to each ordered pair (a, b) of elements in G an element

 A group is said to be abelian if it satisfies the following additional condition:

 A group G is cyclic if every element of G is a power ak (k is an integer) of a fixed

 In essence, a ring is a set in which we can do addition, subtraction [a - b = a + (-b)], and

 In essence, a field is a set in which we can do addition, subtraction, multiplication, and

Two integers a and b are said to be congruent modulo n, if (a mod n) = (b mod

 Modular Arithmetic Operations

 Properties of Modular Arithmetic

This is referred to as the set of residues, or residue classes (mod n).

Euclid’s algorithm or Eucledian algorithm

 Greatest common divisor

Greatest common divisor (GCD) or Greatest common factor(GCF)

An equivalent definition is the following:

Because we require that the greatest common divisor be positive,

Finding Greatest common divisor

 Finite fields play a crucial role in many cryptographic algorithms.

Finite Fields of Order p

Finding the Multiplicative Inverse in GF(p)

SYMMETRIC KEY CIPHERS: SDES

 Block cipher Principles of DES

BLOCK CIPHER PRINCIPLES OF DES

 Stream Ciphers and Block Ciphers

Stream Ciphers and Block Ciphers:

- The bit-stream generator must be implemented as an algorithmic procedure, so that the

Motivation for the Feistel Cipher Structure:

The Feistel Cipher:

Feistel Cipher Structure

 Following this substitution, a permutation is performed that consists of the interchange

 This structure is a particular form of the substitution-permutation network (SPN)

The exact realization of a Feistel network depends on the choice of the

Subkey generation algorithm:

There are two other considerations in the design of a Feistel cipher:

Fast software encryption/decryption:

Feistel Decryption Algorithm

On the decryption side,

THE DATA ENCRYPTION STANDARD

Figure 3.5 General Depiction of DES Encryption Algorithm

The Avalanche Effect

 The Use of 56-Bit Keys

 The Use of 56-Bit Keys:

 The nature of the DES algorithm:

Differential and linear cryptanalysis

Block cipher design principles

Block cipher modes of operation

 Electronic Code book

Electronic Code book (ECB) mode

Cipher Block Chaining Mode(CBC)

where the prime notation denotes bit complementation.

Cipher Feedback Mode(CFB)

Therefore, by rearranging terms:

The same reasoning holds for subsequent steps in the process.

We can define CFB mode as follows.

Output Feedback Mode(OFB)

 The output feedback (OFB) mode is similar in structure to that of CFB.

By rearranging terms, we can demonstrate that decryption works.

 We can define OFB mode as follows.