
III/ Cryptographic algorithms

• Symmetric
 DES
• Asymmetric
 RSA
 Digital signatures
1) TYPES OF CRYPTOGRAPHIC SCHEMES
a) Totally secret schemes
b) Symmetric schemes
c) Asymmetric schemes
1‐1) Totally secret schemes
• All aspects of the system are secret:
 The encryption/decryption algorithm
 The key
• When a member leaves the group, the algorithm must be changed.
• Example: The Microsoft Xbox

1‐2) Symmetric schemes
• The algorithms are known but the parameters (keys)
are secret
• Use the same key (K) for both encryption and
decryption
• Divided into two categories:
 Stream ciphers: Operate on plaintext one bit or byte at
a time.
 Block ciphers: Operate in groups of bits or bytes, a
typical block size used is 64 bits.
Examples of symmetric algorithms are AES, IDEA, DES, and 3DES.
1‐3) Asymmetric schemes
• Use two keys, one for encryption (E), and one
for decryption (D).
• It is computationally very hard to compute D from E.
• Each user has a public E and a private D.
• Examples: RSA, Diffie‐Hellman key exchange
1‐4) COMPARISON OF SCHEMES
1/ Advantages of symmetric cryptography:
• Can be designed to have high rates of data throughput: hundreds of megabytes per second for hardware implementations;
• Keys are relatively short;
• Can be employed as primitives to construct various cryptographic mechanisms, e.g. pseudorandom number generators, hash functions, etc.;
• Can be composed to produce stronger ciphers, although on their own they might be weak.
COMPARISON OF SCHEMES
2/ Disadvantages of symmetric‐key cryptography
• In a two‐party communication, the key must
remain secret at both ends;
• In a large network, there are many key pairs to
be managed;
• In a two‐party communication, sound cryptographic practice dictates that the key be changed frequently.
COMPARISON OF SCHEMES
3/ Advantages of asymmetric‐key cryptography
• Only the private key must be kept secret
• A private key/ public key pair may remain
unchanged for considerable periods of time e.g
many sessions (even several years)
• Yield relatively efficient digital signature mechanisms. The key used to describe the public verification function is typically much smaller than that of a symmetric‐key scheme.
• In a large network, the number of keys necessary
may be considerably smaller
COMPARISON OF SCHEMES
4/ Disadvantages of asymmetric‐key cryptography
• Throughput rates are several orders of magnitude
slower than the best known symmetric scheme
• Key sizes are typically much larger than those for symmetric‐key encryption: typically 1024 bits for RSA versus 64 or 128 bits for secure symmetric‐key schemes. This is because attacks on symmetric‐key schemes involve exhaustive key search, whereas public‐key systems are subject to “short‐cut” attacks (e.g. factoring).
2) Symmetric ciphers

• Stream ciphers
• Block ciphers
2‐1) Stream ciphers
• Individual characters (usually binary digits) of
a plaintext message are encrypted one at a
time using an encryption transformation
which varies with time.
• The simplest stream cipher is the one‐time
pad defined by

• Decryption is defined by
Stream ciphers – The Vigenere
• A key is repeatedly added to the plaintext in mod 26 using the convention that A = 0, B = 1, ..., Z = 25:
C = P + K mod 26
For example P(15) + U(20) mod 26 = J(9). So the encryption of P under key U is J, and vice versa.
Drill question:
Plaintext: vigenerescipher
Key : keykeykeykeykey
Ciphertext:
The Vigenere ‐ Cryptanalysis
• Ciphertext‐only attack, that is if the ciphertext
and the distribution of plaintext are known to
the attacker;
• The ciphertext is arranged in rows with the
same length as the key;
• Every column can be seen as encryption by a simple substitution under a single key letter;
• Decipher each column based on the letter frequencies of the plaintext language.
The Vigenere ‐ Cryptanalysis
• For example, the most frequently used letter in English text is e, as shown in the letter‐frequency chart on the slide:
The Vigenere ‐ Cryptanalysis
• Consider an arbitrary ciphertext for which the frequency of letters in the first column is as follows (chart on slide):
• The frequency in the second column is as follows (chart on slide):
The Vigenere ‐ Cryptanalysis
• Based on the frequencies, we can guess that in the second column e → M (i.e. the second letter of the Vigenere key is I, since M – e = 12 – 4 = 8 = I)
• In the first column, we might suspect that e → G or e → J (i.e. the first letter of the Vigenere key is either C or F)
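The Vigenere encryption rule and the column‐by‐column ciphertext‐only attack described above, as an added Python example (not code from the slides). The plaintext `meetmeatthetreebeforeeleven` used in the usage lines is a constructed sample chosen so that e dominates every column; `guess_key` assumes the key length is already known.

```python
from collections import Counter
from string import ascii_lowercase

def _shift(ch, k, sign=1):
    # A = 0, B = 1, ..., Z = 25; C = P + K mod 26 (sign = -1 undoes the shift)
    return chr((ord(ch) - ord("a") + sign * k) % 26 + ord("a"))

def _key_values(key):
    return [ord(c) - ord("a") for c in key.lower()]

def vigenere_encrypt(plaintext, key):
    p = [c for c in plaintext.lower() if c in ascii_lowercase]
    k = _key_values(key)
    return "".join(_shift(c, k[i % len(k)]) for i, c in enumerate(p)).upper()

def vigenere_decrypt(ciphertext, key):
    c = [ch for ch in ciphertext.lower() if ch in ascii_lowercase]
    k = _key_values(key)
    return "".join(_shift(ch, k[i % len(k)], -1) for i, ch in enumerate(c))

def column_frequencies(ciphertext, key_length):
    """Arrange the ciphertext in rows of key_length letters: column j was
    encrypted with key letter j only, so it is a plain substitution.
    Returns one letter Counter per column."""
    text = ciphertext.upper()
    return [Counter(text[j::key_length]) for j in range(key_length)]

def key_letter_from_guess(plain_letter, cipher_letter):
    """If plaintext plain_letter is believed to encrypt to cipher_letter in a
    column, that column's key letter is cipher_letter - plain_letter mod 26."""
    k = (ord(cipher_letter.upper()) - ord(plain_letter.upper())) % 26
    return chr(k + ord("A"))

def guess_key(ciphertext, key_length, most_common_plain="e"):
    """Ciphertext-only attack from the slides: assume the most frequent letter
    of every column is the encryption of 'e' (valid for long English text)."""
    return "".join(
        key_letter_from_guess(most_common_plain, col.most_common(1)[0][0])
        for col in column_frequencies(ciphertext, key_length)
    )

if __name__ == "__main__":
    print(vigenere_encrypt("vigenerescipher", "key"))          # drill question
    sample = "meetmeatthetreebeforeeleven"                      # constructed sample
    print(guess_key(vigenere_encrypt(sample, "xz"), 2))        # recovers XZ
```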
Stream ciphers‐ One‐time pad
• Binary digits of a plaintext message are
encrypted one at a time using an encryption
transformation which varies with time.
• The simplest stream cipher is the one‐time
pad defined by

• Decryption is defined by
Stream ciphers‐ generalized form
2‐2) Block ciphers
• A block cipher cuts up a plaintext of arbitrary
length into a series of blocks having a constant
size of n bits. It then encrypts a single block of
plaintext at a time and converts it into a block
of ciphertext. In a good block cipher, each of
the n bits of the ciphertext block is a function
of all n bits of the plaintext and the k bits of
the secret key.
Block ciphers
• Block ciphers tend to simultaneously encrypt
groups of characters of a plaintext message
using a fixed encryption transformation.
• Example of a block cipher
Consider a 3‐bit input and a 3‐bit output block cipher
system shown below
Block ciphers
Plaintext, m = {m0, m1, m2}
Ciphertext, c = {c0, c1, c2}
c = f(kE, m); m = f^-1(kD, c).
The key is a vector that determines the permutation (one entry per 3‐bit input value):
kE = {4, 0, 7, 1, 2, 5, 3, 6}
kD = {1, 3, 4, 6, 0, 5, 7, 2}
BLOCK CIPHER MODES ‐ ECB
• In Electronic Code Book (ECB) block cipher mode, each plaintext block is mapped statically to a ciphertext block. With sufficient memory resources a lookup table (codebook) could be built linking any ciphertext block pattern to its corresponding plaintext block.
• Block ciphers in ECB are vulnerable to block replay attacks because an opponent (without knowing the key) could replay an already transmitted ciphertext block at a later time if he thinks that the block contained e.g. an encrypted money transfer.
BLOCK CIPHER MODES ‐ ECB
• If a session key is kept in use sufficiently long
an attacker could also try to build a codebook
of intercepted ciphertext blocks and guessed
plaintext blocks
BLOCK CIPHER MODES ‐ CBC
• Cipher Block Chaining (CBC) mode is used in order to inhibit block replay attacks and codebook compilation.
• Modern block ciphers such as DES are usually run in CBC mode.
• Each plaintext block is XORed with the previous ciphertext block before encryption, so that identical plaintext blocks occurring in the same message show up as different ciphertext blocks.
BLOCK CIPHER MODES ‐ CBC
• At the receiving side, each block coming out of
the decryption algorithm must first be XORed
with the previously received ciphertext block
in order to recover the plaintext.
• Any CBC‐encrypted message must be
initialized by an initialization vector (IV) that is
openly transmitted over the insecure channel
at the beginning of the session.
BLOCK CIPHER MODES ‐ CBC
• In order to avoid replay attacks an IV value
should be used only once and never be used
again. This can be achieved either by assigning
a monotonically increasing counter or a
random value to the IV
• Example: Use the 3‐bit block cipher in slide 20 and an initialization vector (IV) of {0, 1, 1} to encrypt the plaintext message {011011111000}
BLOCK CIPHER MODES ‐ OFB
• A block cipher in the Output Feedback Mode
(OFB) works as a key stream generator
producing a pseudo‐random key sequence a
block at a time. By XOR‐ing the key stream
with the plaintext the block cipher actually
works as a stream cipher.
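The ECB, CBC and OFB modes above, run on the slides' own 3‐bit permutation cipher (kE, kD) and the CBC example (IV {0, 1, 1}, plaintext 011011111000), as an added Python example that is not from the slides. It also shows the two properties the text argues: identical ECB blocks repeat, and a single flipped CBC ciphertext bit damages two consecutive plaintext blocks.

```python
# Toy 3-bit block cipher from the slides: the key is the permutation table itself.
K_E = [4, 0, 7, 1, 2, 5, 3, 6]   # encryption permutation kE
K_D = [1, 3, 4, 6, 0, 5, 7, 2]   # decryption permutation kD (inverse of kE)

def encrypt_block(m, k_e=K_E):
    return k_e[m]                # c = f(kE, m): a table lookup

def decrypt_block(c, k_d=K_D):
    return k_d[c]                # m = f^-1(kD, c)

def is_inverse(k_e, k_d):
    """Check that kD undoes kE for every possible 3-bit block."""
    return all(k_d[k_e[m]] == m for m in range(8))

def to_blocks(bits):
    """'011011111000' -> [3, 3, 7, 0] (3-bit blocks, most significant bit first)."""
    return [int(bits[i:i + 3], 2) for i in range(0, len(bits), 3)]

def from_blocks(blocks):
    return "".join(format(b, "03b") for b in blocks)

def ecb_encrypt(bits):
    return from_blocks([encrypt_block(m) for m in to_blocks(bits)])

def cbc_encrypt(bits, iv):
    prev, out = iv, []
    for m in to_blocks(bits):
        prev = encrypt_block(m ^ prev)   # chain: XOR with previous ciphertext block
        out.append(prev)
    return from_blocks(out)

def cbc_decrypt(bits, iv):
    prev, out = iv, []
    for c in to_blocks(bits):
        out.append(decrypt_block(c) ^ prev)   # XOR with previously received block
        prev = c
    return from_blocks(out)

def ofb_encrypt(bits, iv):
    """OFB: the block cipher only generates a keystream (each block is E of the
    previous keystream block); plaintext is XORed with it. Applying the same
    function to the ciphertext decrypts it."""
    s, out = iv, []
    for m in to_blocks(bits):
        s = encrypt_block(s)
        out.append(m ^ s)
    return from_blocks(out)

def cbc_error_propagation(bits, iv, bit_index):
    """Flip one CBC ciphertext bit and return the indices of plaintext blocks
    that decrypt differently (expected: the hit block and the following one)."""
    c = cbc_encrypt(bits, iv)
    flipped = c[:bit_index] + ("1" if c[bit_index] == "0" else "0") + c[bit_index + 1:]
    good, bad = to_blocks(cbc_decrypt(c, iv)), to_blocks(cbc_decrypt(flipped, iv))
    return [i for i, (g, b) in enumerate(zip(good, bad)) if g != b]
```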
COMPARISON – STREAM vs BLOCK
• Stream ciphers usually work on a bit‐level architecture and were traditionally implemented in dedicated hardware (ASICs). Single bit errors in the ciphertext affect only a single plaintext bit and do not propagate;
• Block ciphers usually work on a word‐level
architecture and were traditionally implemented
as software functions. Single bit errors propagate
and affect two consecutive plaintext blocks in the
CBC mode.
2‐3) PRODUCT CIPHERS
• A product cipher combines two or more
transformations in a manner intending that
the resulting cipher is more secure than the
individual components
• A substitution‐permutation (SP) network is a
product cipher composed of a network of
stages each involving substitutions and
permutations
S‐BOXES AND P‐BOXES
• Substitution boxes (S‐boxes) perform pairwise substitution of plaintext bits to give ciphertext bits.
• For 2‐bit plaintext, the following S‐box and P‐
box could be proposed
S‐BOXES AND P‐BOXES
Propose S‐boxes and P‐boxes for the 8‐bit
plaintext [0 0 1 0 1 1 0 1] and find corresponding
ciphertext when
• S‐box is used
• P‐box is used
S‐BOXES
• Write the plaintext as [A1 A2 B1 B2 C1 C2 D1 D2]
S‐boxes
• A possible shuffle using the S‐box could be [A3 A4 B3 B4 C3 C4 D3 D4] = [1 1 0 1 0 0 1 0]. Using this S‐box, [A1 A2 B1 B2 C1 C2 D1 D2] → [A3 A4 B3 B4 C3 C4 D3 D4], the plaintext [0 0 1 0 1 1 0 1] is shuffled to [1 1 0 1 0 0 1 0].
• The S‐boxes are in effect look‐up tables which map the bits of the plaintext to well‐defined bits of the ciphertext.
P‐boxes
• The plaintext bits and ciphertext bits could be permuted or interconnected in at least 7^7 = 823543 ways.
• One possible way is as follows (wiring diagram on slide)
• The corresponding ciphertext will be [0 0 1 1 1 1 0 0]
PRODUCT CIPHER
• Hence combining a series of S‐boxes and P‐
boxes in stages results in a product cipher
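A small substitution‐permutation network built from the slides' 8‐bit example, as an added Python example (not the slides' own code). The 2‐bit S‐box is read off the slide's input/output pairs (00→11, 10→01, 11→00, 01→10, i.e. each pair is complemented); the P‐box wiring is an assumption, since the slide's diagram is not in the text, chosen so that it reproduces the slide's ciphertext [0 0 1 1 1 1 0 0]. Chaining the stages and inverting them shows why the product cipher stays decryptable.

```python
# 2-bit S-box recovered from the slide's example (each pair is replaced by its
# complement) and an assumed P-box consistent with the slide's output.
S_BOX = {(0, 0): (1, 1), (0, 1): (1, 0), (1, 0): (0, 1), (1, 1): (0, 0)}
P_BOX = [2, 4, 0, 1, 3, 6, 5, 7]   # output bit i is taken from input bit P_BOX[i]

def sbox_layer(bits, sbox=S_BOX):
    """Substitute each 2-bit pair (A1A2, B1B2, ...) through the S-box."""
    out = []
    for i in range(0, len(bits), 2):
        out.extend(sbox[(bits[i], bits[i + 1])])
    return out

def pbox_layer(bits, pbox=P_BOX):
    """Permute (re-wire) the bit positions."""
    return [bits[src] for src in pbox]

def invert_sbox(sbox):
    # An S-box is only invertible if it is a bijection on the 2-bit values.
    inv = {v: k for k, v in sbox.items()}
    if len(inv) != len(sbox):
        raise ValueError("S-box is not a bijection; cipher would not be decryptable")
    return inv

def invert_pbox(pbox):
    inv = [0] * len(pbox)
    for dst, src in enumerate(pbox):
        inv[src] = dst
    return inv

def sp_encrypt(bits, rounds=1):
    """Product cipher: repeat the S-box stage followed by the P-box stage."""
    for _ in range(rounds):
        bits = pbox_layer(sbox_layer(bits))
    return bits

def sp_decrypt(bits, rounds=1):
    """Undo the stages in reverse order with the inverse boxes."""
    inv_s, inv_p = invert_sbox(S_BOX), invert_pbox(P_BOX)
    for _ in range(rounds):
        bits = sbox_layer(pbox_layer(bits, inv_p), inv_s)
    return bits
```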
2‐4) Feistel cipher
2‐5) DATA ENCRYPTION STANDARD
• DES stands for Data Encryption Standard
• DES is the algorithm in which a 64‐bit block of
plaintext is transformed (encrypted/
enciphered) into a 64‐bit ciphertext under the
control of a 56‐bit internal key called the
secret key, by means of permutation and
substitution
DES ‐ DEFINITIONS
• DES is related to two general concepts:
product ciphers and Feistel ciphers.
• DES is an iterated block cipher.
• An iterated block cipher is a block cipher
involving the sequential repetition of an
internal function called a round function.
Parameters include the number of rounds r,
the block bitsize n, and the bitsize k of the
input key K.
DES ALGORITHM
The effective size of the secret key is k = 56 bits; more precisely the input key K is specified as a 64‐bit key, 8 bits of which (bits 8, 16, ..., 64) may be used as parity bits.
DES ALGORITHM
The algorithm has 19 steps as shown below
DES ALGORITHM
• The key consists of 8 groups of 8 bits. One bit
in each of these groups is a parity check bit
that makes the overall parity in each block
odd. Hence only 56 bits are used for
encryption.
• The 64 plaintext bits are divided into two halves: the 32 leftmost bits form L0 and the 32 rightmost bits form R0.
DES ALGORITHM
• In each round, a new L and R are defined by
Li = Ri‐1, 1 ≤ i ≤ 16
Ri = Li‐1 ⊕ f(Ri‐1, Ki), 1 ≤ i ≤ 16
‐ Ki is a well‐defined subsequence of bits from the key K
‐ the function f is defined by means of a collection of fixed tables called substitution tables or boxes (S‐boxes)
ONE ROUND OF DES
DES ALGORITHM
DES consists of 16 identical rounds. A typical
round of DES is as follows:
DES ALGORITHM – key generation
The key at each iteration is generated from the key
at the preceding iteration as follows:
• First a permutation is applied to the key;
• The result is partitioned into two 28‐bit blocks
each of which is independently rotated left by
some number of bits.
• The combined result undergoes another
permutation
• A subset of 48 bits is used for the key at the given
iteration
DES ALGORITHM – substitution boxes
• The 48‐bit key word is divided into 8 groups of 6‐bit words;
• Each 6‐bit word is converted to a 4‐bit word using an S‐box;
• The table below illustrates one of the S‐boxes used by DES
DES ALGORITHM – substitution boxes
• Let the input to the S‐box be a 6‐bit word
B1B2B3B4B5B6
• B1B6 is used to choose the row while B2B3B4B5
is used to choose the column.
• For example, suppose input string is ‘110010’
‐ binary ‘10’ is 2 => row 2
‐ binary ‘1001’ is 9 => column 9
DES ALGORITHM – substitution boxes
• From the table, row 2 and column 9 is 12 (decimal) = 1100 (binary);
Hence ‘110010’ => ‘1100’
• The 8 resulting 4‐bit words are grouped to form a 32‐bit word, which is XORed with the leftmost 32 bits for the given iteration
• Cryptanalysis shows that knowledge of a large number (> 2^40) of plaintext/ciphertext pairs is required to break DES
DES KEY SCHEDULE
• INPUT: 64‐bit key
• OUTPUT: Sixteen 48‐bit keys(i.e one 48‐bit key
/round)
Algorithm:
 Form two 28‐bit halves C0, D0 from table PC1 as
C0 = k57 k49 ... k36; D0 = k63 k55 ... k4
 Rotate Ci and Di 1 place to the left for i ∈ {1, 2, 9, 16} and 2 places for other values of i, where i denotes a round
DES KEY SCHEDULE
• Select 48 bits from the concatenated b1 b2 ... b56 of Ci and Di using table PC2.
• The final round key Ki = b14 b17 ... b32
DES – INVERSE ALGORITHM
• From the forward DES process in slide 14, it
can be seen that the inverse algorithm can be
computed by going from bottom to top.
Hence for all 1 ≤ i ≤ 16 we have
Ri‐1 = Li
Li‐1 = Ri ⊕ f(Ri‐1, Ki) = Ri ⊕ f(Li, Ki)
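The three DES mechanisms described above (S‐box row/column lookup, the key‐schedule rotation amounts and the Feistel round with its inverse) as an added Python example that is not the slides' code. Assumptions: the S‐box table on the slide is DES S1 (the DES S‐box whose row 2, column 9 entry is 12), and `toy_f` is a deliberately simplified stand‐in for the real DES f‐function (no expansion, eight S‐boxes or P permutation), used only to show that the Feistel structure decrypts no matter what f is.

```python
# DES S-box S1: rows indexed by B1B6, columns by B2B3B4B5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(six_bits, box=S1):
    """B1B6 selects the row, B2B3B4B5 the column; returns the 4-bit entry."""
    b = f"{six_bits:06b}"
    row = int(b[0] + b[5], 2)
    col = int(b[1:5], 2)
    return box[row][col]

def has_odd_parity(key):
    """A DES input key is 8 bytes, each carrying one parity bit (bits 8, 16,
    ..., 64) that makes the parity of every byte odd; only 56 bits are key."""
    return len(key) == 8 and all(bin(byte).count("1") % 2 == 1 for byte in key)

# Key schedule: rotate C_i, D_i left by 1 in rounds 1, 2, 9, 16, else by 2.
ROTATIONS = [1 if i in (1, 2, 9, 16) else 2 for i in range(1, 17)]

def rotate_left_28(half, n):
    return ((half << n) | (half >> (28 - n))) & 0x0FFFFFFF

def toy_f(right, subkey):
    """Stand-in for f(R, K) (assumption, not DES): XOR with the round key and
    run the low 6 bits through S1. Any function works for the Feistel structure."""
    return sbox_lookup((right ^ subkey) & 0x3F)

def feistel_encrypt(block64, subkeys, f=toy_f):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    left, right = block64 >> 32, block64 & 0xFFFFFFFF
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (left << 32) | right

def feistel_decrypt(block64, subkeys, f=toy_f):
    """Inverse, bottom to top: R_{i-1} = L_i;  L_{i-1} = R_i XOR f(L_i, K_i)."""
    left, right = block64 >> 32, block64 & 0xFFFFFFFF
    for k in reversed(subkeys):
        left, right = right ^ f(left, k), left
    return (left << 32) | right
```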
DES ‐ SHORTCOMINGS
• The effective keysize (56 bits) is too small for
an organisation with sufficient resources. An
exhaustive key search is possible either by
using many machines over the Internet or
building a dedicated DES cracking machine
• Design criteria of the S‐boxes in the f‐function
are not known. Statistical tests show that
these tables are not completely random
DES ‐ derivatives
• In 1998 a DES challenge was broken by a more
or less brute‐force attack
• To protect sensitive data therefore, a
modification called triple DES (3DES or TDES)
was introduced.
• There are different versions of TDES
 Encrypting the plaintext 3 times using three different keys:
TDES(k1, k2, k3, m) = DES(k3, DES(k2, DES(k1, m)))
DES ‐ derivatives
 Replace the middle DES encryption by a DES decryption
 Since three DES encryptions triple the encryption time, another version is DES‐X such that
DESX(k1, k2, k3, m) = k3 xor DES(k2, m xor k1)
DES ‐ derivatives
• Other derivatives of DES are the Advanced Encryption Scheme (AES) and the International Data Encryption Algorithm (IDEA). Both derivatives use 128 bits for the key size.
• AES is presently the standard in the US as prescribed by NIST, since its key size can be upgraded to 128, 192 or 256 bits.
• Other block ciphers include RC4 and RC5; RC5 has a word‐oriented architecture for variable word sizes of 16, 32 or 64 bits. RC4 is used in the wired encryption privacy (WEP) protocol.
3) Asymmetric algorithms
• Two different keys are used, one for encryption (the public key) and the other for decryption (the private key), hence the word asymmetric, as opposed to symmetric cryptography where the keys are identical.
• Asymmetric algorithms are also called public‐
key algorithms since the encryption key is
made public.
Public‐key cryptography
• The idea behind public‐key cryptography is to
find a very tough problem in computer science
and then tie the cryptosystem to it. Ideally,
breaking the cryptosystem is computationally
equivalent to solving the difficult problem.
• Cryptanalysis shows that it is practically impossible in a human being’s lifetime to completely break the cryptosystem or to computationally solve the tough problem.
Public‐key cryptography
• Although public key cryptography was
proposed in 1976, the first cryptosystem
appeared in 1978 as the RSA cryptosystem.
• The most well‐known and well‐established
public‐key cryptosystem is the Rivest‐Shamir‐
Adleman encryption scheme (RSA). RSA
public‐key cryptography is tied to the difficulty
of factoring large numbers.
3‐1) RSA ALGORITHM
• Generate two distinct large primes p, q, each roughly the same size;
• Compute n = p · q and φ(n) = (p – 1) · (q – 1);
• Choose an integer e < φ(n) such that gcd(e, φ(n)) = 1, where gcd is the greatest common divisor;
• Calculate d such that d · e ≡ 1 mod φ(n), where e and d are the public and private exponents respectively;
• Encrypt message M as C ≡ M^e mod n;
• Decrypt ciphertext C by computing M ≡ C^d mod n.
Bob (key creation, decryption) and Alice (encryption):
Key Creation (Bob)
‐ Choose secret primes p and q.
‐ Choose encryption exponent e with gcd(e, (p – 1) · (q – 1)) = 1.
‐ Publish m = p · q and e.
Encryption (Alice)
‐ Choose plaintext X.
‐ Use Bob’s public key (m, e) to compute C ≡ X^e (mod m).
‐ Send ciphertext C to Bob.
Decryption (Bob)
‐ Compute d satisfying e · d ≡ 1 (mod (p – 1) · (q – 1)).
‐ Compute X’ ≡ C^d (mod m).
‐ Then X’ equals the plaintext X.
RSA ‐ EXAMPLE
• Key generation
‐ Choose two secret primes p = 1223 and q = 1987;
‐ Compute the public modulus m = p · q = 1223 × 1987 = 2430101
‐ Choose the public encryption exponent e = 948047 such that
gcd(e, (p – 1)(q – 1)) = gcd(948047, 2426892) = 1
RSA ‐ EXAMPLE
• Encryption
‐ Choose an integer X as the plaintext message, let X = 1070777, satisfying 1 ≤ X < m;
‐ Use the public key (m, e) = (2430101, 948047) to compute
C ≡ X^e (mod m)
≡ 1070777^948047 (mod 2430101)
≡ 1473513 (mod 2430101)
RSA ‐ EXAMPLE
• Decryption
‐ Bob knows (p – 1)(q – 1) = 1222 · 1986 = 2426892;
‐ Bob solves e · d ≡ 1 (mod (p – 1)(q – 1))
948047 · d ≡ 1 (mod 2426892)
and finds that d = 1051235
‐ Bob takes the ciphertext C = 1473513 and computes C^d (mod m):
1473513^1051235 ≡ 1070777 (mod 2430101)
The value that he computes is Alice’s message, X = 1070777.
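The RSA key creation, encryption and decryption steps above as an added Python example (not the slides' code), parameterised on the primes and exponent the slides give; `solve_drill` answers the drill question that follows by the same steps. It assumes Python 3.8 or later for the modular inverse `pow(e, -1, phi)`.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Key creation as on the slides: n = p*q, phi(n) = (p-1)(q-1), gcd(e, phi) = 1,
    d = e^-1 mod phi(n). Returns ((n, e), d) = (public key, private exponent)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must lie in (1, phi(n)) and be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), d

def rsa_encrypt(x, public):
    n, e = public
    if not 1 <= x < n:             # the slides require 1 <= X < m
        raise ValueError("plaintext must satisfy 1 <= X < n")
    return pow(x, e, n)            # C = X^e mod n, by square-and-multiply

def rsa_decrypt(c, public, d):
    n, _ = public
    return pow(c, d, n)            # X = C^d mod n

def solve_drill(p, q, e, plaintext):
    """Drill question: returns (n, d, C) and checks that decryption recovers P."""
    public, d = rsa_keygen(p, q, e)
    c = rsa_encrypt(plaintext, public)
    if rsa_decrypt(c, public, d) != plaintext:
        raise AssertionError("decryption did not recover the plaintext")
    return public[0], d, c

if __name__ == "__main__":
    public, d = rsa_keygen(1223, 1987, 948047)      # the slides' example keys
    c = rsa_encrypt(1070777, public)
    print(public, d, c, rsa_decrypt(c, public, d))
    print(solve_drill(3, 11, 7, 12), solve_drill(7, 11, 17, 25))
```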
RSA – DRILL QUESTION
• Using the RSA algorithm, encrypt the following
a) p = 3; q = 11; e = 7; plaintext, P = 12
b) p = 7; q = 11; e = 17; plaintext, P = 25
• Find the corresponding d’s for (a) and (b) and
decrypt the ciphertexts, C
• The following table of prime numbers may
be useful
RSA – DRILL QUESTION
• TABLE OF PRIME NUMBERS < 355
RSA ‐ CRYPTANALYSIS
• The main methods used in the attacks against the
RSA cryptography are the factoring methods;
• The Number Field Sieve (NFS) method is the most
effective general‐purpose factorization method;
• The NFS is based on a method known as “Fermat Factorization”: one tries to find integers x, y such that x^2 ≡ y^2 (mod n) but x ≢ ±y (mod n).
RSA ‐ CRYPTANALYSIS
• If the two primes p and q are close to each other (both approximately equal to the square root of n), one of the integers could be written as x = (p + q)/2, and the number of steps S required to factor the integer n could be computed as follows (formula on slide)
RSA ‐ CRYPTANALYSIS
• For example, to factor n = 5959, one computes the square root of n and performs trials starting from the first integer x above it. For the different values of x, x^2 ≡ y^2 (mod n) is calculated. The calculated values are as follows:
x     78   79   80
y^2  128  282  441
• The third try produces a square: x = 80, y^2 = 441 and y = 21. The factors of n = 5959 are therefore x – y = 59 and x + y = 101.
RSA ‐ CRYPTANALYSIS
• Three trials or steps have been performed to obtain the factors. The same number of steps could be obtained by using the equation in slide 33 as follows (working on slide):
• Hence, if one factor is known, the equation (on slide) could be used to establish the number of steps required to compute the other factor.
3‐2) ELLIPTIC CURVE CRYPTOGRAPHY
• Given an elliptic curve
y^2 = x^3 + ax + b (mod p)
and a base point P, we can compute Q = Pk (the k‐fold sum of P) through k – 1 iterative point additions.
• ECC is based on the fact that it is computationally infeasible to compute k when only the points P and Q are known. This is the hard problem known as the Elliptic Curve Discrete Logarithm Problem (ECDLP).
ECC
• Compute Q = Pk for the elliptic curve
y^2 = x^3 + x + 6 (mod 11)
ECC
k    1      2      3      4       5      6      7      8      9       10     11     12     13
Pk   (2,4)  (5,9)  (8,8)  (10,9)  (3,5)  (7,2)  (7,9)  (3,6)  (10,2)  (8,3)  (5,2)  (2,7)  O
s    3      9      8      2       1      4      1      2       8      9      3      ‐      ‐
yo   9      8      10     0       2      7      2      0       10     8      9      ‐      ‐
(s and yo in column k are the slope and the y‐intercept, mod 11, of the line through P and Pk that yields P(k+1); no line exists once P12 + P = O.)
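The point addition that produces the table above, as an added Python example that is not the slides' code: chord/tangent slopes over GF(11), kP by k – 1 repeated additions as the slide describes, and the point at infinity when 12P + P is reached. It assumes the standard affine addition formulas for curves of this form and Python 3.8+ for `pow(v, -1, p)`.

```python
# Curve from the slides: y^2 = x^3 + x + 6 (mod 11), base point P = (2, 4).
P_MOD, A, B = 11, 1, 6
BASE = (2, 4)
O = None   # point at infinity (identity)

def on_curve(pt, p=P_MOD, a=A, b=B):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def point_add(p1, p2, p=P_MOD, a=A):
    """Return (p1 + p2, slope s, intercept c) of the chord/tangent line used;
    s and c are None when the result is O or an operand is O."""
    if p1 is O:
        return p2, None, None
    if p2 is O:
        return p1, None, None
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O, None, None                          # P + (-P) = O (vertical line)
    if p1 == p2:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent: doubling
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord
    c = (y1 - s * x1) % p                                # line y = s*x + c
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3), s, c

def scalar_mult(k, pt):
    """kP computed by k-1 iterative point additions, as the slide describes."""
    acc = pt
    for _ in range(k - 1):
        acc, _, _ = point_add(acc, pt)
    return acc

def multiples_table(pt=BASE, upto=13):
    """Rows (k, kP, s, c): the line through kP and P that yields (k+1)P, matching
    the layout of the slide's table."""
    rows, acc = [], pt
    for k in range(1, upto + 1):
        nxt, s, c = point_add(acc, pt)
        rows.append((k, acc, s, c))
        acc = nxt
    return rows
```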
ECC – secret key exchange
EQUIVALENT CRYPTOGRAPHIC STRENGTH
EXAMPLES
1. Tony advertised the public key n = 3599, e =
31. Unfortunately, he has become confused as
to whether his PIN (private key) is 3301, 3031, or
3013. Which is it?
• SOLUTION
3599 = 61 × 59, so φ(n) = 60 × 58 = 3480.
Thus the private key is given by
31 · d ≡ 1 (mod 3480), which is true when d = 3031
EXAMPLES
2. Bob is using RSA with public key n = 4189, e = 97. Eve has discovered that Bob’s value of φ is 4060. Find the primes p, q such that n = pq and Bob’s private key d.
• SOLUTION
Given n = 4189 and φ = 4060, it follows that p + q = n – φ + 1 = 130. Hence p and q are the roots of x^2 – 130x + 4189 = 0. Using the quadratic formula we find p = 71, q = 59. Finally
d = e^-1 (mod 4060) = 3023
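The two ways of breaking small RSA keys that the cryptanalysis slides and examples 1 and 2 walk through, as an added Python example (not from the slides): Fermat factorization when p and q are close, and recovery of p and q from a leaked φ(n) via the quadratic x^2 – (p + q)x + n = 0. `which_private_key` settles example 1's question by factoring n = 3599 and testing each candidate d. Python 3.8+ is assumed for `pow(e, -1, phi)`.

```python
from math import isqrt

def fermat_factor(n):
    """Fermat factorization from the cryptanalysis slides: start at the first
    integer x above sqrt(n) and test whether x^2 - n is a perfect square y^2.
    Then x^2 = y^2 (mod n) and n = (x - y)(x + y).
    Returns (x - y, x + y, trials) with trials = [(x, x^2 - n), ...]."""
    x = isqrt(n)
    if x * x < n:
        x += 1
    trials = []
    while True:
        y2 = x * x - n
        trials.append((x, y2))
        y = isqrt(y2)
        if y * y == y2:
            return x - y, x + y, trials
        x += 1

def primes_from_phi(n, phi):
    """Example 2: phi(n) = (p-1)(q-1) gives p + q = n - phi + 1, so p and q are
    the two roots of x^2 - (p+q)x + n = 0. Raises if (n, phi) are inconsistent."""
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        raise ValueError("n and phi(n) are inconsistent")
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("n and phi(n) are inconsistent")
    return (s + r) // 2, (s - r) // 2

def private_exponent(e, phi):
    """Once phi(n) is known, d is simply e^-1 mod phi(n)."""
    return pow(e, -1, phi)

def which_private_key(n, e, candidates):
    """Example 1: factor n, derive phi(n), and keep the candidates d for which
    e*d = 1 mod phi(n). Only feasible because n is tiny."""
    p, q, _ = fermat_factor(n)
    phi = (p - 1) * (q - 1)
    return [d for d in candidates if (e * d) % phi == 1]
```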
EXAMPLES
3. Suppose Fiona, Georgina and Henrietta have
agreed to encrypt their text messages using the
Diffie‐Hellman system with modulus, p = 101 and
base, r = 2. They have chosen the private keys f’ =
13, g’ = 21, h’ = 30 respectively.
a) What common information will be stored in the
directory of each girl’s phone?
b) What key will be used for messages between
Georgina and Henrietta and how do they obtain it?
c) How could Fiona eavesdrop on messages
between Georgina and Henrietta?
SOLUTION – P3
a) Each directory will contain the values p = 101, r = 2, and the public keys f, g, h computed by the rules f = 2^13, g = 2^21, h = 2^30 (mod 101) as follows:
f    g    h
12   89   17
b) The key for communication between Georgina and Henrietta is
k_GH = 2^(21 × 30) = 17 (mod 101)
Georgina can calculate this as h^g’ = 17^21 and Henrietta as g^h’ = 89^30 (mod 101).
c) If Fiona wishes to discover k_GH she could try to find either g’ or h’, by solving one of the equations 2^x ≡ 89 or 2^x ≡ 17 (mod 101).
EXAMPLES
4. Four people A, B, C, D have chosen to
communicate using the Diffie‐Hellman system, with
p = 149 and r = 2. If A has chosen the private key 33,
what is her public key?
• SOLUTION
Since A’s private key is x_A = 33, her public key is y_A = 2^x_A = 2^33 (mod 149).
If necessary, this can be calculated by hand as:
2^2 = 4, 2^4 = 16, 2^8 = 256 = 107, 2^16 = 107^2 = 125, 2^32 = 125^2 = 129, 2^33 = 109 (mod 149)
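The Diffie‐Hellman computations of examples 3 and 4 as an added Python example (not the slides' code): square‐and‐multiply exponentiation as in the hand calculation of 2^33 mod 149, the public/shared key rules, and the exhaustive discrete‐log search that example 3(c) refers to, which only works because p = 101 is tiny.

```python
def square_and_multiply(base, exp, mod):
    """Exponentiation by repeated squaring (the hand method: 2, 2^2, 2^4, ...)."""
    result, b = 1, base % mod
    while exp:
        if exp & 1:
            result = result * b % mod
        b = b * b % mod
        exp >>= 1
    return result

def dh_public(p, r, private):
    """Public key y = r^private mod p (stored in every directory)."""
    return square_and_multiply(r, private, p)

def dh_shared(p, other_public, private):
    """Shared key = other party's public key raised to one's own private key."""
    return square_and_multiply(other_public, private, p)

def brute_force_dlog(p, r, target):
    """Solve r^x = target (mod p) by trying x = 1, 2, ...; feasible only for
    toy moduli, which is exactly why real deployments use much larger p."""
    y = 1
    for x in range(1, p):
        y = y * r % p
        if y == target:
            return x
    return None

def example_three(p=101, r=2, g_priv=21, h_priv=30):
    """Returns (g, h, Georgina's key, Henrietta's key, recovered g', recovered h')."""
    g, h = dh_public(p, r, g_priv), dh_public(p, r, h_priv)
    k_g, k_h = dh_shared(p, h, g_priv), dh_shared(p, g, h_priv)
    return g, h, k_g, k_h, brute_force_dlog(p, r, g), brute_force_dlog(p, r, h)
```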