CS6701 CNS Unit-II Notes

This document discusses block ciphers and public key cryptography. It provides details on the Data Encryption Standard (DES) algorithm, including its history and design. It then describes the different modes of operation that can be used with block ciphers like DES, including Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) modes. It also briefly introduces the Advanced Encryption Standard (AES) and public key cryptography concepts like the RSA algorithm and Diffie-Hellman key exchange.

Uploaded by gayathri baskar

CS6701 Cryptography and Network Security

UNIT II BLOCK CIPHERS & PUBLIC KEY CRYPTOGRAPHY

Data Encryption Standard- Block cipher principles- block cipher modes of operation- Advanced
Encryption Standard (AES)- Triple DES-Blowfish- RC5 algorithm. Public key cryptography:
Principles of public key cryptosystems- The RSA algorithm-Key management - Diffie Hellman
Key exchange- Elliptic curve arithmetic- Elliptic curve cryptography.

Data Encryption Standard

• For two decades the most widely used symmetric (secret-key) block cipher was the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. DES enjoyed widespread use, but it has also been the subject of much controversy over its security, chiefly because a 56-bit key is small enough to be found by exhaustive search with modern hardware.
• In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits.
• Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip. It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip.
• In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.

The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which takes as input a 64-bit data block and a 64-bit key (of which 56 bits are used; the remaining 8 are parity bits).

The left side shows the basic process for enciphering a 64-bit data block, which consists of:

- an initial permutation (IP) which shuffles the 64-bit input block

- 16 rounds of a complex key-dependent round function involving substitutions and permutations, each round using a different 48-bit subkey

- a final permutation (IP^-1), the inverse of IP

The right side shows the handling of the key and consists of:

- an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input (dropping the parity bits), as two 28-bit halves

- 16 stages to generate the 48-bit subkeys, each stage applying a left circular shift to the two 28-bit halves and then a permutation/selection (PC2) that picks 48 of the 56 bits

Note that IP and IP^-1 contribute nothing to security (they are fixed, public bit shuffles); all of the cryptographic strength lies in the 16 rounds.

We now review the internal structure of the DES round function F, which takes the right half R and the round subkey, and processes them. The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits using a table (the expansion permutation E, Table 3.2c) that defines a permutation plus an expansion in which 16 of the R bits are duplicated. The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function (eight S-boxes, each mapping 6 input bits to 4 output bits) that produces a 32-bit output, which is then permuted as defined by the permutation P (Table 3.2d). This follows the classic structure of a Feistel cipher: the new right half is L XOR F(R, Ki), the new left half is the old R, and the halves are swapped for the next round. Because only XOR and a swap are applied to the data, F itself need not be invertible; decryption runs the same rounds with the subkeys in reverse order (K16 first).

Note that the S-boxes are the only nonlinear step in DES and provide the "confusion" of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving "diffusion".

Modes of Operation

• Block ciphers encrypt fixed-size blocks
  – e.g. DES encrypts 64-bit blocks with a 56-bit key; AES encrypts 128-bit blocks
• We need a way to use them in practice, given that there is usually an arbitrary amount of information to encrypt
• The message is partitioned into separate blocks for ciphering (modes that use the cipher as a block cipher need the last block padded to a full block; the stream-style modes do not)
• A mode of operation describes the process of encrypting each of these blocks under a single key
• Some modes take an additional input value, an initialization vector (IV) or nonce, that must be fresh for every message encrypted under the same key

Modes of Operation

• Topics
  – Overview of Modes of Operation
  – ECB, CBC, CFB, OFB, CTR
  – Notes and Remarks on each mode

Electronic Codebook (ECB)

• Message is broken into independent blocks which are encrypted
• Each block is a value which is substituted, like a codebook, hence the name
• Each block is encoded independently of the other blocks
  o Ci = EK (Pi)
  o Pi = DK (Ci)
• Uses: secure transmission of single values

• Remarks on ECB
• Strength: it is simple, and blocks can be encrypted or decrypted in parallel and in any order.
• Weakness:
  o Repetitive information contained in the plaintext shows in the ciphertext if it is aligned with block boundaries, because equal plaintext blocks always produce equal ciphertext blocks under the same key (this is what makes an ECB-encrypted image still recognisable).
  o If the same message is encrypted (with the same key) and sent twice, the two ciphertexts are identical.
  o Blocks can be deleted, reordered or replayed by an attacker without detection, since no block depends on any other.
• Typical application:
  o secure transmission of short pieces of information that fit in a single block (e.g. a temporary encryption key). ECB should not be used for anything longer than one block.

• Cipher Block Chaining (CBC)
• Addresses the block-repetition weakness of ECB
• Repeated plaintext blocks result in different ciphertext blocks
• Each previous ciphertext block is chained in (XORed) with the current plaintext block before encryption, hence the name
• Uses an Initialization Vector (IV) to start the process

Ci = EK (Pi XOR Ci-1)

Pi = DK (Ci) XOR Ci-1

C0 = IV

• Uses: bulk data encryption, authentication (CBC-MAC)

• CBC scheme

• Remarks on CBC
• The encryption of a block depends on the current plaintext block and all blocks before it.
• So, repeated plaintext blocks are encrypted differently (and the same message encrypted twice under different IVs gives different ciphertexts).
• Decryption of block i needs only Ci and Ci-1, so a corrupted ciphertext block garbles one plaintext block completely and flips the corresponding bits of the next block; later blocks decrypt correctly. Encryption is inherently sequential; decryption can be parallelised.
• Initialization Vector (IV)
  – must be known to both sender and receiver; it need not be secret, but it must be unpredictable to an attacker who can choose plaintexts (a predictable IV lets such an attacker test guesses about the first block), so a fresh random IV per message is used in practice and sent in the clear ahead of the ciphertext; an alternative is to send the IV encrypted in ECB mode ahead of the rest of the ciphertext
• Like ECB, CBC provides no integrity protection: ciphertext modifications are not detected unless a MAC is added.
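As an added worked example (this is not code from the notes, and it is not DES itself), the following Python puts together two ideas from above: the Feistel round structure of the DES section, keeping the 64-bit block, 16 rounds, 48-bit subkeys and the final swap that makes decryption the same routine run with the subkeys reversed, and the ECB and CBC equations Ci = EK(Pi) and Ci = EK(Pi XOR Ci-1). The round function and key schedule are a truncated keyed hash standing in for DES's expansion, S-box and permutation tables, and the key, IV and plaintext are constructed for the example. Running demo() shows that three identical plaintext blocks give three identical ECB ciphertext blocks but three different CBC blocks, and that both modes round-trip.

```python
import hmac
import hashlib
import os

BLOCK = 8      # 64-bit block, as in DES
ROUNDS = 16    # 16 Feistel rounds, as in DES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def key_schedule(key):
    # Derive 16 48-bit round keys from the master key. DES does this with PC-1,
    # circular shifts and PC-2; here a keyed hash stands in for those tables
    # (this is an added toy cipher, not DES).
    return [hmac.new(key, b"round-%d" % i, hashlib.sha256).digest()[:6]
            for i in range(ROUNDS)]


def round_function(right, subkey):
    # F(R, K_i). DES expands R to 48 bits, XORs with K_i, runs the S-boxes and
    # permutes. Any key-dependent function works in a Feistel network, so a
    # truncated keyed hash stands in here; note that F need not be invertible.
    return hmac.new(subkey, right, hashlib.sha256).digest()[:4]


def feistel(block, subkeys):
    L, R = block[:4], block[4:]
    for k in subkeys:
        L, R = R, xor(L, round_function(R, k))
    return R + L   # final swap: this is what makes decryption the same routine


def encrypt_block(key, block):
    return feistel(block, key_schedule(key))


def decrypt_block(key, block):
    # Decryption is encryption with the subkeys applied in reverse order.
    return feistel(block, key_schedule(key)[::-1])


def pad(data):
    # PKCS#7-style padding: always adds 1..BLOCK bytes so unpad is unambiguous.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    # C_i = E_K(P_i): blocks are independent, so equal plaintext blocks give
    # equal ciphertext blocks.
    return b"".join(encrypt_block(key, p) for p in blocks(pad(pt)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(decrypt_block(key, c) for c in blocks(ct)))


def cbc_encrypt(key, iv, pt):
    # C_0 = IV, C_i = E_K(P_i XOR C_{i-1}): each block depends on all earlier ones.
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    # P_i = D_K(C_i) XOR C_{i-1}: only two ciphertext blocks are needed per block.
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def demo():
    key = b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # 64-bit key, constructed for the example
    pt = b"SAME8BYT" * 3                        # three identical 8-byte blocks
    iv = os.urandom(BLOCK)                      # fresh random IV per message
    ecb = blocks(ecb_encrypt(key, pt))
    cbc = blocks(cbc_encrypt(key, iv, pt))
    return {
        "ecb_repeats": ecb[0] == ecb[1] == ecb[2],
        "cbc_repeats": cbc[0] == cbc[1] == cbc[2],
        "ecb_roundtrip": ecb_decrypt(key, ecb_encrypt(key, pt)) == pt,
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc_encrypt(key, iv, pt)) == pt,
    }


if __name__ == "__main__":
    print(demo())
```

The only difference between encrypt_block and decrypt_block is the order of the subkeys, which is exactly the property the DES hardware designers relied on: one circuit serves both directions.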

• Cipher Feedback (CFB)
• Uses an Initialization Vector to start the process
• Encrypt the previous ciphertext (held in a shift register), then combine the leftmost s bits of the result with the s-bit plaintext segment using XOR to produce the current ciphertext segment
• The ciphertext is fed back (hence the name) into the shift register, shifting the oldest bits out
• Plaintext is treated as a stream of bits
• Any number of bits s (1, 8 or 64, or whatever) may be fed back per step (denoted CFB-1, CFB-8, CFB-64); s = b, the full block size, is the common choice
• Relation between plaintext and ciphertext (b = block size, S = shift register contents):

S0 = IV

Ci = Pi XOR MSBs(EK (Si-1))

Si = LSBb-s(Si-1) || Ci

Pi = Ci XOR MSBs(EK (Si-1))

• Uses: stream data encryption, authentication
• CFB Scheme
• CFB Encryption/Decryption
• CFB as a Stream Cipher
• In CFB mode, encipherment and decipherment both use the encryption function of the underlying block cipher; DK is never needed.

• Remarks on CFB
• The block cipher is used as a stream cipher.
  – it can encrypt any number of bits, e.g. single bits or single characters (bytes), with no padding, so the ciphertext is the same length as the plaintext
  – s = 1: bit stream cipher
  – s = 8: character stream cipher
• A ciphertext segment depends on the current and all preceding plaintext segments.
• A ciphertext segment corrupted in transmission affects the corresponding plaintext segment (the same bits are flipped) and garbles the following b/s segments, until the corrupted segment has shifted out of the register; for full-block CFB that is just the next segment. Encryption is sequential; decryption can be parallelised, since each Si-1 is just earlier ciphertext.
• Each s-bit segment costs a full block-cipher call, so CFB-8 is eight times slower per byte than CFB-64 on a 64-bit cipher.

• Output Feedback (OFB)
• Very similar to CFB
• But the output of the encryption function is fed back (hence the name), instead of the ciphertext
• The feedback is therefore independent of the message: the cipher generates a keystream O1, O2, ... from the IV alone, and the plaintext is XORed with it
• Relation between plaintext and ciphertext:

Ci = Pi XOR Oi

Pi = Ci XOR Oi

Oi = EK (Oi-1)

O0 = IV

• Uses: stream encryption over noisy channels
• CFB vs. OFB
• OFB Scheme
• OFB Encryption and Decryption
• OFB as a Stream Cipher
• In OFB mode, encipherment and decipherment both use the encryption function of the underlying block cipher.

• Remarks on OFB
• Each bit in the ciphertext is independent of the previous bits. This avoids error propagation: a bit error in the ciphertext flips exactly the same bit in the recovered plaintext and nothing else.
• The keystream (the forward cipher outputs) can be precomputed before the message is available.
• Security issue
  – the same key and IV always generate the same keystream, so if the jth plaintext block of one message is known, the jth keystream block Oj is known (Oj = Cj XOR Pj)
  – that Oj then directly uncovers the jth plaintext block of any other message encrypted with the same key and IV; more generally, XORing two such ciphertexts gives the XOR of the two plaintexts
  – so the IV must be a nonce: never reused under one key
  – the lack of error propagation also means an attacker can flip chosen plaintext bits by flipping ciphertext bits, so OFB (like CFB and CTR) needs a MAC for integrity

• Counter (CTR)
• Encrypts a counter value with the key rather than any feedback value (no feedback at all)
• The counter is different for each plaintext block; typically Ti = nonce || i, where the nonce is fresh per message
  – it can be any function which produces a sequence that is guaranteed not to repeat for as long as the key is in use
• Relation:

Ci = Pi XOR Oi

Pi = Ci XOR Oi

Oi = EK (Ti),  Ti = T1 + i - 1

• Uses: high-speed network encryption (CTR is also the encryption component of the authenticated modes GCM and CCM)
• CTR Scheme
• CTR Encryption and Decryption
• CTR as a Stream Cipher

• Remarks on CTR
• Strengths:
  – Needs only the encryption algorithm
  – Random access to encrypted data blocks: block i can be decrypted without touching blocks 1..i-1
  – blocks can be processed (encrypted or decrypted) in parallel, and the keystream can be precomputed
  – Simple; fast encryption/decryption; no error propagation
• Counter requirements:
  – the counter values need not be secret or unpredictable; what is required is that no counter block is ever used twice under the same key (across all messages), since a repeated Ti means a repeated keystream block and the same two-time-pad leak as in OFB
  – the pseudo-randomness of the keystream comes from EK, not from the counter, which is why a plain incrementing counter is fine
  – as with OFB and CFB, CTR gives no integrity; pair it with a MAC (or use an authenticated mode such as GCM)


• Remark on each mode
• Basically two types:
  – block cipher modes: ECB and CBC, which need the message padded to a whole number of blocks and use both EK and DK
  – stream cipher modes: CFB, OFB and CTR, which need no padding and use only EK
• CBC is the classic choice for bulk data encryption
• CFB, OFB and CTR turn the block cipher into a stream cipher
• CTR is the fastest because it is the simplest, and it allows parallel processing and random access in both directions
• None of these five modes provides integrity; a confidentiality-only mode must be combined with a MAC, or an authenticated mode used instead
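The three stream-style modes, worked through as an added Python example (not code from the notes). Because CFB, OFB and CTR only ever call EK, the example uses a truncated keyed hash as the forward function; it is not even invertible, which makes the point that DK is never needed. That stand-in, and the key, IV, nonce and messages, are assumptions constructed for the example; a real deployment would use AES. The demo checks the properties claimed above: no padding, the bounded error propagation of full-block CFB, random access in CTR, and the two-time-pad leak when an OFB IV is reused under the same key.

```python
import hmac
import hashlib

BLOCK = 16   # 128-bit block, as in AES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def forward(key, block):
    # E_K, the block cipher's encryption direction only. A truncated keyed hash
    # stands in for it (added example, not a real block cipher). It is not
    # invertible, which is the point: CFB, OFB and CTR never call D_K.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def segments(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# CFB, full-block (s = b): C_i = P_i XOR E_K(C_{i-1}), C_0 = IV
def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in segments(pt):
        prev = xor(p, forward(key, prev))   # the ciphertext is what is fed back
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in segments(ct):
        out.append(xor(c, forward(key, prev)))
        prev = c
    return b"".join(out)


# OFB: O_i = E_K(O_{i-1}), O_0 = IV; C_i = P_i XOR O_i
def ofb_crypt(key, iv, data):
    # One function encrypts and decrypts; the feedback never touches the message.
    out, o = [], iv
    for d in segments(data):
        o = forward(key, o)
        out.append(xor(d, o))
    return b"".join(out)


# CTR: O_i = E_K(nonce || i); C_i = P_i XOR O_i
def ctr_crypt(key, nonce, data, first_block=0):
    # No feedback, so block i can be computed on its own (random access, parallelism).
    return b"".join(
        xor(d, forward(key, nonce + (first_block + i).to_bytes(8, "big")))
        for i, d in enumerate(segments(data)))


def cfb_corruption_pattern(key, iv, pt):
    # Flip one bit in ciphertext segment 1 and report which plaintext segments
    # still decrypt correctly. For four segments: segment 1 gets the same bit
    # flipped, segment 2 is garbage, segments 0 and 3 are intact.
    ct = bytearray(cfb_encrypt(key, iv, pt))
    ct[BLOCK] ^= 0x01
    rec = segments(cfb_decrypt(key, iv, bytes(ct)))
    return [r == p for r, p in zip(rec, segments(pt))]


def ofb_iv_reuse_leak(key, iv, known_pt, secret_ct):
    # Two messages under one key and IV share the keystream, so
    # C1 XOR C2 = P1 XOR P2, and a known P1 recovers P2 (a two-time pad).
    known_ct = ofb_crypt(key, iv, known_pt)
    return xor(xor(known_ct, secret_ct), known_pt)


def demo():
    key = b"k" * 16                     # constructed example key
    iv = b"\x00" * 16                   # fixed ONLY to make the reuse bug visible
    nonce = b"\x01" * 8
    pt = b"".join(b"segment%d........" % i for i in range(4))    # 4 x 16 bytes
    secret = b"".join(b"private%d........" % i for i in range(4))
    ct_ctr = ctr_crypt(key, nonce, pt)
    return {
        "cfb_roundtrip": cfb_decrypt(key, iv, cfb_encrypt(key, iv, pt)) == pt,
        "ofb_roundtrip": ofb_crypt(key, iv, ofb_crypt(key, iv, pt)) == pt,
        "ctr_roundtrip": ctr_crypt(key, nonce, ct_ctr) == pt,
        "no_padding": len(ctr_crypt(key, nonce, b"5byte")) == 5,
        "cfb_after_bitflip": cfb_corruption_pattern(key, iv, pt),
        "ctr_block2_alone": ctr_crypt(key, nonce, segments(ct_ctr)[2], 2) == segments(pt)[2],
        "ofb_leak": ofb_iv_reuse_leak(key, iv, pt, ofb_crypt(key, iv, secret)) == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The ofb_leak result is why the IV must be a nonce: nothing about the cipher is broken, the keystream was simply used twice. The same function, applied to two CTR ciphertexts that share a nonce, gives the same leak.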

What is AES?

The Advanced Encryption Standard (AES), also known as Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process. Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits (with 10, 12 and 14 rounds respectively).

AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.

In the United States, AES was announced by NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001. This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable.

AES became effective as a federal government standard on May 26, 2002 after approval by the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available in many different encryption packages, and is the first (and only) publicly accessible cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA-approved cryptographic module.

The name Rijndael is a play on the names of the two inventors (Joan Daemen and Vincent Rijmen).

Some Comments on AES
1. an iterative substitution-permutation cipher rather than a Feistel cipher: every round transforms the whole 128-bit state, not just half of it
2. key expanded into an array of 32-bit words (44 words for AES-128)
   – four words form the round key in each round
3. 4 different stages are used in each round: SubBytes (byte substitution through one S-box), ShiftRows, MixColumns and AddRoundKey
4. has a simple structure
5. only AddRoundKey uses the key
6. AddRoundKey is a form of Vernam cipher (XOR of the state with the round key)
7. each stage is easily reversible
8. decryption uses the round keys in reverse order
9. decryption does recover the plaintext
10. the final round has only 3 stages (no MixColumns), and an extra AddRoundKey precedes the first round

AES Decryption
• AES decryption is not identical to encryption, since the steps are done in reverse order and use the inverse stages (InvShiftRows, InvSubBytes, InvMixColumns)
• but one can define an equivalent inverse cipher with the steps in the same order as for encryption
  – but using the inverses of each step
  – with a different key schedule (InvMixColumns applied to the round keys)
• this works since the result is unchanged when we
  – swap byte substitution and shift rows (one changes byte values, the other byte positions)
  – swap mix columns and add (tweaked) round key, because MixColumns is linear: InvMixColumns(S XOR K) = InvMixColumns(S) XOR InvMixColumns(K)

Triple DES
In cryptography, Triple DES (3DES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.
The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was designed, but the availability of increasing computational power made brute-force attacks feasible (a purpose-built machine recovered a DES key by exhaustive search in 1998). Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.

Triple DES - Algorithm

Triple DES uses a "key bundle" that comprises three DES keys, K1, K2 and K3, each of 56 bits (excluding parity bits). The encryption algorithm is:
ciphertext = EK3(DK2(EK1(plaintext)))
I.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3.
Decryption is the reverse:
plaintext = DK1(EK2(DK3(ciphertext)))
I.e., decrypt with K3, encrypt with K2, then decrypt with K1.
Each triple encryption encrypts one block of 64 bits of data; the block size is unchanged from DES, which limits how much data may safely be encrypted under one key (birthday-bound attacks on 64-bit blocks become practical after about 2^32 blocks, i.e. tens of gigabytes).
In each case the middle operation is the reverse of the first and last. Using D in the middle (EDE rather than EEE) costs nothing in strength and gives backward compatibility: with keying option 3 (K1 = K2 = K3) the scheme reduces to single DES. Keying option 1 uses three independent keys (168 key bits, but only about 112 bits of effective security because of the meet-in-the-middle attack); keying option 2 sets K1 = K3 (112 key bits, and less effective security than that against attacks with large amounts of known plaintext). NIST has since deprecated 3DES in favour of AES.

Need for Triple DES

• A replacement for DES was needed
  – theoretical attacks (differential and linear cryptanalysis) that can break it faster than brute force, though only with impractical amounts of chosen or known plaintext
  – demonstrated exhaustive key search attacks on the 56-bit key
• AES is the new cipher alternative
• Before AES, the alternative was to use multiple encryptions with DES
  – double DES is not enough: a meet-in-the-middle attack breaks it with about 2^57 work, hardly better than single DES
• Triple DES is the chosen form

Blowfish

• a symmetric block cipher designed by Bruce Schneier in 1993/94
• a 16-round Feistel cipher with a 64-bit block
• characteristics
  – fast implementation on 32-bit CPUs, 18 clock cycles per byte
  – compact in use of memory, less than 5KB
  – simple structure for analysis/implementation
  – variable security by varying key size
• Allows tuning for the speed/security tradeoff
• Like DES, the block is only 64 bits, which is the main reason it is no longer recommended for new designs

Blowfish Key Schedule

• uses a 32 to 448 bit key
• used to generate
  – 18 32-bit subkeys stored in the P-array: P1 to P18
  – four 8x32-bit S-boxes stored in Si,j
    • i = 1..4
    • j = 0..255
• the P-array and S-boxes are initialised from the digits of pi, XORed with the key, and then repeatedly encrypted with the cipher itself; this key setup is slow (521 block encryptions), which makes Blowfish unsuited to frequent key changes

Public-key cryptography

Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys that may be disseminated widely, paired with private keys which are known only to the owner. Two functions can be achieved: using a public key to authenticate that a message originated with the holder of the paired private key (digital signatures); or encrypting a message with a public key to ensure that only the holder of the paired private key can decrypt it.

In a public-key encryption system, any person can encrypt a message using the public key of the receiver, but such a message can be decrypted only with the receiver's private key. For this to work it must be computationally easy for a user to generate a public and private key pair to be used for encryption and decryption. The strength of a public-key cryptography system relies on the degree of difficulty (computational impracticality) of determining a properly generated private key from its corresponding public key. Security then depends only on keeping the private key private, and the public key may be published without compromising security. What the public key does not establish on its own is whose it is; binding a public key to an identity is the job of key management (certificates and the like).

• public-key/two-key/asymmetric cryptography involves the use of two keys:
  – a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
  – a related private key, known only to the recipient, used to decrypt messages and sign (create) signatures
• it is infeasible to determine the private key from the public key
• it is asymmetric because
  – those who encrypt messages or verify signatures cannot decrypt messages or create signatures

RSA

RSA is the best known, and by far the most widely used, general public-key encryption algorithm, and was first published by Rivest, Shamir and Adleman of MIT in 1978 [RIVE78]. The Rivest-Shamir-Adleman (RSA) scheme has since that time reigned supreme as the most widely accepted and implemented general-purpose approach to public-key encryption. It is based on modular exponentiation with large integers (e.g. 2048 bits today; 1024-bit moduli are no longer considered adequate), working modulo a composite n = pq, the product of two large primes, so in the ring Zn rather than in a field. Its security is due to the cost of factoring large numbers: anyone who factors n can compute the private exponent.

The scheme developed by Rivest, Shamir, and Adleman makes use of an expression with exponentials. Plaintext is encrypted in blocks, with each block having a binary value less than some number n. The actual RSA encryption and decryption computations are each simply a single exponentiation mod n: C = M^e mod n and M = C^d mod n. Both sender and receiver must know the value of n. The sender knows the value of e, and only the receiver knows the value of d. Thus, this is a public-key encryption algorithm with a public key of PU = {e, n} and a private key of PR = {d, n}. Note that the message must be smaller than the modulus. The "magic" is in the choice of the modulus and exponents which makes the system work: n = pq for primes p and q, and e and d are chosen with e*d = 1 mod phi(n), where phi(n) = (p-1)(q-1), so that (M^e)^d = M mod n. Note also that this "textbook" RSA is deterministic (equal messages give equal ciphertexts) and malleable (the product of two ciphertexts is the ciphertext of the product); real systems add randomised padding (OAEP for encryption, PSS for signatures) before exponentiating.
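The RSA computations above, as an added Python example (not code from the notes). It uses the toy primes p = 61, q = 53 and e = 17 so that the numbers can be checked by hand; a real key uses a 2048-bit n built from random primes, and the example assumes Python 3.8+ for pow(x, -1, m). Besides encryption, decryption and signing it shows what "security is due to the cost of factoring" means by recovering the private key from (e, n) with trial division, and it demonstrates the determinism and malleability of unpadded RSA.

```python
from math import gcd


def rsa_keygen(p, q, e=65537):
    # n = p*q; phi(n) = (p-1)(q-1); d = e^-1 mod phi(n). p and q are assumed
    # prime (real key generation draws large random primes and tests them).
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                  # modular inverse, Python 3.8+
    return (e, n), (d, n)                # PU = {e, n}, PR = {d, n}


def rsa_encrypt(pub, m):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than the modulus")
    return pow(m, e, n)                  # C = M^e mod n


def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)                  # M = C^d mod n


def rsa_sign(priv, m):
    return rsa_decrypt(priv, m)          # S = M^d mod n (textbook: no hash, no padding)


def rsa_verify(pub, m, s):
    return rsa_encrypt(pub, s) == m      # S^e mod n == M ?


def encrypt_bytes(pub, data):
    # Every block must be < n. With a toy modulus that means one byte per block.
    # Textbook RSA is deterministic, so equal bytes give equal ciphertext blocks.
    return [rsa_encrypt(pub, b) for b in data]


def decrypt_bytes(priv, blocks):
    return bytes(rsa_decrypt(priv, c) for c in blocks)


def break_rsa(pub):
    # What "security is due to the cost of factoring" means: recover d by
    # factoring n. Trial division is instant for n = 3233 and hopeless at 2048 bits.
    e, n = pub
    p = next(f for f in range(2, n) if n % f == 0)
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)


def demo():
    pub, priv = rsa_keygen(61, 53, 17)      # toy primes: n = 3233, phi(n) = 3120
    n = pub[1]
    msg = b"aab"                            # constructed: repeated byte shows determinism
    ct = encrypt_bytes(pub, msg)
    return {
        "pub": pub,
        "priv": priv,
        "ct_of_65": rsa_encrypt(pub, 65),
        "roundtrip": decrypt_bytes(priv, ct) == msg,
        "deterministic": ct[0] == ct[1],
        "sig_ok": rsa_verify(pub, 65, rsa_sign(priv, 65)),
        # E(2) * E(65) = E(2 * 65): an attacker can scale an encrypted value unseen
        "malleable": rsa_encrypt(pub, 2) * rsa_encrypt(pub, 65) % n == rsa_encrypt(pub, 130),
        "recovered_priv": break_rsa(pub) == priv,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "deterministic" and "malleable" flags are the reasons raw exponentiation is never used on real data: encryption pads the message with OAEP, and signatures are computed over a hash padded with PSS, which removes both properties.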

Diffie–Hellman key exchange (D–H)

Diffie–Hellman key exchange (D–H) is a specific method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols, as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. D–H is one of the earliest practical examples of public key exchange implemented within the field of cryptography.

Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric-key cipher.

Diffie–Hellman is used to secure a variety of Internet services. However, research published in October 2015 suggests that the parameters in use for many D–H Internet applications at that time were not strong enough to prevent compromise by very well-funded attackers, such as the security services of large governments.
• Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the exposition of public key concepts
  – note: it is now known that James Ellis (UK CESG) secretly proposed the concept in 1970
• is a practical method for public exchange of a secret key
• used in a number of commercial products

• Diffie-Hellman Key Exchange
• a public-key distribution scheme
  – cannot be used to exchange an arbitrary message
  – rather it can establish a common key
  – known only to the two participants
• the value of the key depends on the participants (and their private and public key information)
• based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial), which is easy
• security relies on the difficulty of computing discrete logarithms (a problem of similar difficulty to factoring), which is hard

• Diffie-Hellman Setup
• all users agree on global parameters:
  – a large prime integer or polynomial q
  – α, a primitive root mod q (a generator of the whole multiplicative group, so that α^x takes every value in 1..q-1)
• each user (e.g. A) generates their key
  – chooses a secret key (number): xA < q
  – computes their public key: yA = α^xA mod q
• each user makes that key yA public

• Diffie-Hellman Key Exchange
• the shared session key for users A and B is KAB:

KAB = α^(xA·xB) mod q

    = yA^xB mod q (which B can compute)

    = yB^xA mod q (which A can compute)

• KAB is used as the session key in a private-key encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new secret (and hence public) keys; choosing fresh secrets per session (ephemeral DH) means a later compromise of long-term keys does not expose past sessions
• an attacker needs one of the x values, and so must solve a discrete logarithm
• the exchange itself is unauthenticated: an active attacker who can intercept and replace yA and yB can run one exchange with each side (a man-in-the-middle), so in practice the public values are signed or otherwise authenticated

• Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q = 353 and α = 3
• select random secret keys:
  – A chooses xA = 97, B chooses xB = 233
• compute public keys:
  – yA = 3^97 mod 353 = 40 (Alice)
  – yB = 3^233 mod 353 = 248 (Bob)
• compute the shared session key as:

KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)

KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
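The setup, exchange and example above as added Python (not code from the notes), with both sides' computations, a check that α really is a primitive root of q, an eavesdropper who recovers xA by brute-force discrete log (feasible only because q = 353), and the man-in-the-middle attack on the unauthenticated exchange. Mallory's secret xM = 42 is chosen for the example.

```python
def prime_factors(n):
    # Distinct prime factors by trial division; fine for the toy q used here.
    out, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            out.add(f)
            n //= f
        f += 1
    if n > 1:
        out.add(n)
    return out


def is_primitive_root(alpha, q):
    # alpha generates all of Z_q* iff alpha^((q-1)/r) != 1 mod q for every
    # prime r dividing q-1.
    return all(pow(alpha, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def public_value(q, alpha, x):
    return pow(alpha, x, q)            # y = alpha^x mod q: easy (square-and-multiply)


def shared_key(q, their_y, my_x):
    return pow(their_y, my_x, q)       # K = (their y)^(my x) mod q


def exchange(q, alpha, xA, xB):
    # Both sides' messages: A sends yA, B sends yB; each derives K from the other's value.
    yA, yB = public_value(q, alpha, xA), public_value(q, alpha, xB)
    return yA, yB, shared_key(q, yB, xA), shared_key(q, yA, xB)


def discrete_log(q, alpha, y):
    # The attacker's problem: find x with alpha^x = y mod q. Exhaustive search
    # costs O(q) multiplications: trivial for q = 353, hopeless for a 2048-bit q.
    acc = 1
    for x in range(q - 1):
        if acc == y:
            return x
        acc = acc * alpha % q
    return None


def man_in_the_middle(q, alpha, xA, xB, xM):
    # Unauthenticated DH: Mallory replaces both public values with her own yM,
    # so Alice shares one key with Mallory and Bob another, and neither notices.
    yA, yB, yM = (public_value(q, alpha, x) for x in (xA, xB, xM))
    alice_key = shared_key(q, yM, xA)      # Alice believes yM came from Bob
    bob_key = shared_key(q, yM, xB)        # Bob believes yM came from Alice
    return (alice_key == shared_key(q, yA, xM),
            bob_key == shared_key(q, yB, xM),
            alice_key != bob_key)


def demo():
    q, alpha = 353, 3                  # the notes' example parameters
    xA, xB = 97, 233
    yA, yB, kA, kB = exchange(q, alpha, xA, xB)
    recovered_xA = discrete_log(q, alpha, yA)
    return {
        "alpha_is_primitive_root": is_primitive_root(alpha, q),
        "yA": yA, "yB": yB, "kA": kA, "kB": kB,
        "eavesdropper_recovers_xA": recovered_xA,
        "eavesdropper_key": shared_key(q, yB, recovered_xA),
        "mitm": man_in_the_middle(q, alpha, xA, xB, 42),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The eavesdropper line is the whole security argument in miniature: with q = 353 the loop finds xA = 97 in under a hundred multiplications; with a 2048-bit prime the same loop would not finish before the heat death of the universe, and the best known algorithms are still far out of reach for well-chosen parameters.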


Elliptic Curve Cryptography

• the majority of public-key crypto (RSA, D-H) uses either integer or polynomial arithmetic with very large numbers/polynomials
• this imposes a significant load in storing and processing keys and messages
• an alternative is to use elliptic curves
• these offer the same security with much smaller bit sizes (a 256-bit curve is comparable to a 3072-bit RSA or DH modulus)

• Real Elliptic Curves
• an elliptic curve is defined by an equation in two variables x and y, with coefficients
• consider a cubic elliptic curve of the form
  – y^2 = x^3 + ax + b
  – where x, y, a, b are all real numbers, with 4a^3 + 27b^2 != 0 so that the curve has no cusps or self-intersections
  – also define a zero point O (the point at infinity), which acts as the identity
• an addition operation is defined for points on the elliptic curve
  – geometrically, the line through Q and R meets the curve at a third point; the sum Q + R is the reflection of that point in the x-axis
  – to double a point, use the tangent at it; the negative of (x, y) is (x, -y), and P + (-P) = O

Finite Elliptic Curves

• Elliptic curve cryptography uses curves whose variables and coefficients are finite
• there are two families commonly used:
  – prime curves Ep(a,b) defined over Zp
    • use integers modulo a prime; the same addition formulas apply, with division replaced by multiplication by a modular inverse
    • best in software
  – binary curves E2^m(a,b) defined over GF(2^m)
    • use polynomials with binary coefficients
    • best in hardware

• Elliptic Curve Cryptography
• ECC point addition is the analog of modular multiplication
• ECC repeated addition (scalar multiplication kP, computed by double-and-add) is the analog of modular exponentiation
• we need a "hard" problem equivalent to the discrete log
  – Q = kP, where Q and P belong to a prime curve
  – it is "easy" to compute Q given k and P (about log2 k doublings and additions)
  – but "hard" to find k given Q and P
  – known as the elliptic curve discrete logarithm problem (ECDLP)
• Certicom example: E23(9,17), i.e. the curve y^2 = x^3 + 9x + 17 over Z23
