UNIT III

SIMPLIFIED DATA ENCRYPTION STANDARD (S-DES)

The overall structure of the simplified DES shown in Figure 2.5. The S-DES encryption
algorithm takes an 8-bit block of plaintext (example: 10111101) and a 10-bit key as input and
produces an 8-bit block of ciphertext as output.
The S-DES decryption algorithm takes an 8-bit block of ciphertext and the same 10-bit key
used to produce that ciphertext as input and produces the original 8-bit block of plaintext.

Figure 2.5 Overview of S-DES Algorithm

The encryption algorithm involves five functions:

 An initial permutation (IP)

 A complex function labeled fk, which involves both permutation and substitution
operations and depends on a key input.
 A simple permutation function that switches (SW) the two halves of the data.
 The function fk again.
A permutation function that is the inverse of the initial permutation
The function fk takes as input not only the data passing through the encryption algorithm,
but also an 8-bit key. Here a 10-bit key is used from which two 8-bit subkeysare generated.
The key is first subjected to a permutation (P10). Then a shift operation is performed. The
output of the shift operation then passes through a permutation function that produces an 8-bit
output (P8) for the first subkey (K1).
 The output of the shift operation also feeds into another shift and another instance of P8 to
produce the second subkey (K2).

The encryption algorithm can be expressed as a composition composition1 offunctions:IP-

1 ο fK2 ο SW ο fk1 ο IP, which can also be written asCiphertext
= IP-1 (fK2 (SW (fk1 (IP (plaintext)))))
Where
K1 = P8 (Shift (P10 (Key)))
K2 = P8 (Shift (shift (P10 (Key))))
Decryption can be shown as Plaintext = IP-1 (fK1 (SW (fk2 (IP (ciphertext)))))

S-DES Key Generation

S-DES depends on the use of a 10-bit key shared between sender and receiver. From this
key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption
algorithm.(Figure 2.6)

Figure 2.6 S-DES Key Generation

First, permute the key in the following fashion. Let the 10-bit key be designated as(k1,
K2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as:
P10 (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, K2, k7, k4, k10 10, k1, k9,k8,
k6).
P10 can be concisely defined by the display:
 This table is read from left to right; each position in the table gives the identity of the
input bit that produces the output bit in that position. So, the first output bit is bit 3 ofthe input;
the second output bit is bit 5 of the input, and so on.

Example

The 10 bit key is (1010000010), now find the permutation from P10 for this key so
it becomes (10000 01100).

Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits and
the second five bits. In our example, the result is (00001 11000).

Next, apply P8, which picks out and permutes 8 of the 10 bits according to the following
rule:

So, The result is subkey 1 (K1). In our example, this yield (10100100).

Then go back to the pair of 5-bit strings produced by the two LS-1 functions and performs
a circular left shift of 2 bit positions on each string. In our example, the value (00001 11000)
becomes (00100 00011).

Finally, P8 is applied again to produce K2. In our example, the result is (01000011).
S-DES Encryption
Encryption involves the sequential application of five functions (Figure 2.7).
1. Initial Permutations
The input to the algorithm is an 8-bit block of plaintext, which we first permute using the
IP function

The plaintext is 10111101

Permutated output is 01111110
 Figure 2.7 S-DES Encryption
2. The Function fk

The most complex component of S-DES is the function fk, which consists of a
combination of permutation and substitution functions. The functions can be expressed asfollows.
Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to f K, and let F be a
mapping (not necessarily one to one) from 4-bit strings to 4-bit strings. Then we let
Fk (L, R) = (L⊕F (R, SK), R)
Where SK is a sub key and ⊕is the bit-by- bit exclusive OR function
Now, describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The firstoperation is
an expansion/permutation operation:

Now, find the E/P from IP IP

= 01111110, it becomesE/P =
01111101
Now, XOR with K1
=> 01111101 ⊕10100100 = 11011001
 The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce a 2-
bit output, and the remaining 4 bits (second row) are fed into S1 to produce another 2-bit output.
These two boxes are defined as follows:

The S-boxes operate as follows. The first and fourth input bits are treated as a 2- bit
number that specify a row of the S-box, and the second and third input bits specify a column of the
S-box. Each s box gets 4-bit input and produce 2 bits as output. It follows 00- 0, 01-1, 10-2, 11-3
scheme.
Here, take first 4 bits, Second 4 bits
S0 => 1101 S1 => 1001

11 - > 3 11 -> 3

10 -> 2 => 3 =>11 00 -> 0 = > 2 => 10

So, we get 1110

 Now, find P4

After P4, the value is 1011

Now, XOR operation 1011⊕ 0111 => 1100

3. The Switch function

 The switch function (sw) interchanges the left and right 4 bits.
1100 1110

1110 1100

4. Second function fk
 First, do E/P function and XOR with K 2, the value is 01101001⊕01000011, the answer is
00101010
 Now, find S0 and S1
S0 => 00 - > 0 S1 = > 10 -> 2

01 -> 1 => 0 = 00 01 -> 1 = > 0 => 00

 Value is 0000

 Now, find P4 and XOR operation

After P4 => 0000 ⊕ 1110 = 1110, then concatenate last 4 bits after interchange in sw.

 Now value is 11101100

5. Find IP-1

So, value is 01110101

The Ciphertext is 01110101

S-DES Decryption
 Decryption involves the sequential application of five functions.
1. Find IP
 After IP, value is 11101100
2. Function fk
 After step 2, the answer is 11101100
3. Swift
 The answer is 11001110
4. Second fk
 The answer is 01111110
5. Find IP-1
 101111101 -> Plaintext

DATA ENCRYPTION STANDARD

The most widely used encryption scheme is based on the Data Encryption Standard (DES)
adopted in 1977. The algorithm itself is referred to as the Data Encryption Algorithm (DEA).

For DES, data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms 64-bit
input in a series of steps into a 64-bit output.

DES Encryption
The overall scheme for DES encryption is illustrated in the Figure 2.8. There are two inputs to the
encryption function: the plaintext to be encrypted and the key. The plaintext must be 64 bits in length
and the key is 56 bits in length.

General Depiction of DES Encryption AlgorithmPhase

1
Looking at the left-hand side of the figure 2.8, we can see that the processing of the plaintext
proceeds in three phases.
First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to
produce the permuted input.
Phase 2:

This is followed by a phase consisting of 16 rounds of the same function, which involves both
permutation and substitution functions.
The output of the last (sixteenth) round consists of 64 bits that are a function of the input
plaintext and the key. The left and right halves of the output are swapped to produce the preoutput.

Phase 3:

Finally, the preoutput is passed through a permutation (IP -1) that is the inverse of theinitial
permutation function, to produce the 64-bit ciphertext.
The right-hand portion of Figure shows the way in which the 56-bit key is used.

Operation on key:
Initially, the key is passed through a permutation function. Then, for each of the 16 rounds, a
subkey (Ki) is produced by the combination of a left circular shift and a permutation. The permutation
function is the same for each round, but a different subkey is producedbecause of the repeated shifts of
the key bits.

Figure 2.8 DES Encryption Algorithm

Initial Permutation
The input to a table consists of 64 bits numbered from 1 to 64. The 64 entries in the permutation
table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the
position of a numbered input bit in the output, which alsoconsists of 64 bits.
Permutation Tables for DES

(a) Initial Permutation (IP)

58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7

Inverse Initial Permutation (IP-1)

40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Expansion Permutation (E)
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

Permutation Function (P)

16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25

Consider the following 64-bit input M:

M1 M2 M3 M4 M5 M6 M7 M8
M9 M10 M11 M12 M13 M14 M15 M16
M17 M18 M19 M20 M21 M22 M23 M24
 M25 M26 M27 M28 M29 M30 M31 M32
M33 M34 M35 M36 M37 M38 M39 M40
M41 M42 M43 M44 M45 M46 M47 M48
M49 M50 M51 M52 M53 M54 M55 M56
M57 M58 M59 M60 M61 M62 M63 M64

where Mi is a binary digit. Then the permutation X = IP(M) is as follows:

M58 M50 M42 M34 M26 M18 M10 M2
M60 M52 M44 M36 M28 M20 M12 M4
M62 M54 M46 M38 M30 M22 M14 M6
M64 M56 M48 M40 M32 M24 M16 M8
M57 M49 M41 M33 M25 M17 M9 M1
M59 M51 M43 M35 M27 M19 M11 M3
M61 M53 M45 M37 M29 M21 M13 M5
M63 M55 M47 M39 M31 M23 M15 M7

Inverse permutation Y = IP-1 (X) = IP-1(IP(M)),Therefore we can see that the original ordering ofthe bits is
restored.

Details of Single Round

The below figure 2.9 shows the internal structure of a single round. The left and right halves of each 64-
bit intermediate value are treated as separate 32-bit quantities, labeled L (left) and R (right). The overall
processing at each round can be summarized in the following formulas:
Li= Ri-1

Ri= Li-1 x F(Ri-1, Ki)

Figure 2.9 Single Round of DES Algorithm

U19CS702
Cryptography and
Network Security

The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a
table that defines a permutation plus an expansion that involves duplication of 16 of the R bits. The
resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function that
produces a 32-bit output, which is then permuted.

Definition of S-Boxes
The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and
produces 4 bits as output. The first and last bits of the input to box Si form a 2-bit binary number to select
one of four substitutions defined by the four rows in the table for Si. The middle four bits select one of the
sixteen columns as shown in figure 2.10.
The decimal value in the cell selected by the row and column is then converted to its 4- bit
representation to produce the output.
For example, in S1 for input 011001, the row is 01 (row 1) and the column is 1100 (column 12).
The value in row 1, column 12 is 9, so the output is 1001.

Fig 2.10 Calculation of F(R, K)

Key Generation
The 64-bit key is used as input to the algorithm. The bits of the key are numbered from 1 through
64; every eighth bit is ignored. The key is first subjected to a permutation governed by a table labeled
Permuted Choice One. The resulting 56-bit key is then treated as two 28-bit quantities, labeled C0 and
D0.
At each round, Ci-1 and Di-1 are separately subjected to a circular left shift, or rotation,of 1 or
2 bits. These shifted values serve as input to the next round. They also serve as input to Permuted Choice
2, which produces a 48-bit output that serves as input to the function F(Ri-1, Ki).

DES Key Schedule Calculation

1 2 3 4 5 6 7 8
9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24
U19CS702
Cryptography and
Network Security
25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56

57 58 59 60 61 62 63 64

(b) Permuted Choice One (PC-1)

57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
(c) Permuted Choice Two (PC-2)
14 17 11 24 1 5 3 28
15 6 21 10 23 19 12 4
26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32

(d) Schedule of Left Shifts

Roundnumber:1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Bits rotated : 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

DES Decryption:

As with any Feistel cipher, decryption uses the same algorithm as encryption,except that the application
of the subkeys is reversed. Additionally, the initial andfinal permutations are reversed.

The Avalanche Effect:

A desirable property of any encryption algorithm is that a small change in either the plaintext or the key
should produce a significant change in the ciphertext. In particular, a change in one bitof the plaintext
or one bit of the key should produce a change in many bits of the ciphertext.
U19CS702
Cryptography and
Network Security
U19CS702
Cryptography and
Network Security

THE STRENGTH OF DES

The strength of DES depends on two factors: key size and the nature of the algorithm.

1. The Use of 56-Bit Keys

With a key length of 56 bits, there are 256 possible keys, which is approximately 7.2 x 1016. Thus,
a brute-force attack appears impractical.

2. The Nature of the DES Algorithm

In DES algorithm, eight substitution boxes called S-boxes that are used in each iteration. Because
the design criteria for these boxes, and indeed for the entire algorithm, were not made public, there is a
suspicion that the boxes were constructed in such a way that cryptanalysis is possible for an opponent
who knows the weaknesses in the S-boxes. Despite this, no one hasso far succeeded in discovering the
supposed fatal weaknesses in the S-boxes.

3. Timing Attacks
A timing attack is one in which information about the key or the plaintext is obtained by
observing how long it takes a given implementation to perform decryptions on various ciphertexts. A
timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different
amounts of time on different inputs.

Attacks on DES:

Two approaches are:

1. Differential crypt analysis
2. Linear crypt analysis

Differential Cryptanalysis

Differential cryptanalysis is the first published attack that is capable of breaking DES in less than 255
complexities. The need to strengthen DES against attacks using differential cryptanalysis played a large
part in the design of the S-boxes and the permutation P.
 One of the most significant recent (public) advances in cryptanalysis
 Powerful method to analyze block ciphers
 Used to analyze most current block ciphers with varying degrees of success
U19CS702
Cryptography and
Network Security

Differential Cryptanalysis Attack:

The differential cryptanalysis attack is complex. The rationale behind differential cryptanalysis is
to observe the behavior of pairs of text blocks evolving along each round of the cipher, instead of
observing the evolution of a single text block.
Consider the original plaintext block m to consist of two halves m0, m1. Each round of DES maps
the right-hand input into the left-hand output and sets the right-hand output to be a function of the left-
hand input and the subkey for this round.
So, at each round, only one new 32-bit block is created. If we label each new block
m1(2 ≤ i ≤17), then the intermediate message halves are related as follows:

mi+1 = mi-1 f(mi, Ki), i = 1, 2, ..., 16

In differential cryptanalysis, we start with two messages, m and m', with a known XOR difference Δm=
m m', and consider the difference between the intermediate message halves: mi= mi mi' Then we have:

∆mi+1 = mi+1 m‟i-1

= [mi-1 f(mi,ki ] )] [ m‟i-1 f(m‟i,ki)]

= ∆mi-1 [ f(mi,ki ) f(m‟i,ki)]

Let us suppose that there are many pairs of inputs to f with the same difference yield the same
output difference if the same subkey is used.
Therefore, if we know Δmi-1 and Δmi with high probability, then we know Δmi+1 with high
probability. Furthermore, if a number of such differences are determined, it is feasible to determine the
subkey used in the function f.

Linear Cryptanalysis

This attack is based on the fact that linear equation can be framed to describe thetransformations.
The principle of linear crypt analysis is as followsLength of
CT and PT =n bits;
key=mbit
Block of cipher text is c[1]c[2]…c[n]; Block
of key is k[1]k[2]….k[m]
A[I,j,..k] = A[i] A[j] . A[k]

 Can attack DES with 247 known plaintexts, still in practice infeasible
 Find linear approximations with prob p != ½
 P[i1,i2,...,ia](+)c[j1,j2,...,jb] = k[k1,k2,...,kc]Where ia, jb, kc are bit locations in p, c, k
U19CS702
Cryptography and
Network Security

BLOCK CIPHER PRINCIPLES

There are three critical aspects of block cipher design:
1. Number of rounds,
2. Design of the function F
3. Key scheduling.

Number of Rounds
 When the greater the number of rounds, the more difficult it is to perform cryptanalysis,even
for a relatively weak F.
 The number of rounds is chosen so that known cryptanalytic efforts require greater effortthan a
simple brute-force key search attack
 When round DES S= 16, a differential cryptanalysis attack is slightly less efficient thanbrute
force, the differential cryptanalysis attack requires 255 operations.
 It makes it easy to judge the strength of an algorithm and to compare different algorithms.

Design of Function F

This is the most important function

Criteria needed for F,

 It must be difficult to “unscramble” the substitution performed by F.
 The function should satisfy strict avalanche criterion (SAC) which states that any output bit j of
an S-box should change with probability 1/2 when any single input bit i is inverted for all i, j.
 The function should satisfy bit independence criterion(BIC), which states that output bits j and
k should change independently when any single input bit i is inverted for all i, j, and k.

Key Schedule Algorithm

 The key is used to generate one sub key for each round.
 The sub keys to maximize the difficulty of deducing individual sub keys and the difficulty of
working back to the main key.

Stream Cipher and Block Cipher

A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.E.g,
vigenere cipher. Figure (2.11a)

A block cipher is one in which a block of plaintext is treated as a whole and used to produce acipher
text block of equal length. Typically, a block size of 64 or 128 bits is used. Figure (2.11b)
U19CS702
Cryptography and
Network Security

Figure 2.11 Stream Cipher and Block Cipher

 Many block ciphers have a Feistel structure. Such a structure consists of a number ofidentical
rounds of processing.
 In each round, a substitution is performed on one half of the data being processed,followed
by a permutation that interchanges the two halves.
 The original key is expanded so that a different key is used for each round.
 The Data Encryption Standard (DES) has been the most widely used encryption algorithm. It
exhibits the classic Feistel structure.
 The DES uses a 64-bit block and a 56-bit key. Two important methods of cryptanalysis are
differential cryptanalysis and linear cryptanalysis. DES has been shown to be highly resistant to
these two types of attack.
 A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits.
There are possible different plaintext blocks and, for the encryption to be reversible (i.e., for
decryption to be possible), each must produce a unique ciphertext block. Such a transformation is
called reversible, or non singular
 In particular, Feistel proposed the use of a cipher that alternates substitutions and permutations,
where these terms are defined as follows:
 Substitution: Each plaintext element or group of elements is uniquely replaced by a
corresponding ciphertext element or group of elements.

 Permutation: A sequence of plaintext elements is replaced by a permutation of that

sequence. That is, no elements are added or deleted or replaced in thesequence, rather the
order in which the elements appear in the sequence is changed.
U19CS702
Cryptography and
Network Security

 Two methods for frustrating statistical cryptanalysis are:

 Diffusion – Each plaintext digit affects many ciphertext digits, or each ciphertext digit is
affected by many plaintext digits.
 Confusion – Make the statistical relationship between a plaintext and the
corresponding ciphertext as complex as possible in order to thread attempts to deduce
the key.

Feistel cipher structure

 The left-hand side of figure 2.12 depicts the structure proposed by Feistel.
 The input to the encryption algorithm is a plaintext block of length 2w bits and a key K. the
plaintext block is divided into two halves L0 and R0.
 The two halves of the data pass through n rounds of processing and then combine to produce the
ciphertext block. Each round i has inputs Li-1 and Ri-1, derived from theprevious round, as well as
the subkey Ki, derived from the overall key K.
 In general, the subkeys Ki are different from K and from each other. All rounds have the same
structure.
 A substitution is performed on the left half of the data (as similar to S-DES). This is done by
applying a round function F to the right half of the data and then taking the XOR of the output of
that function and the left half of the data.
 The round function has the same general structure for each round but is parameterizedby the
round subkey ki. Following this substitution, a permutation is performed that consists of the
interchange of the two halves of the data.
 This structure is a particular form of the substitution-permutation network.
U19CS702
Cryptography and
Network Security

Figure 2.12 Feistel Encryption and Decryption (16 rounds)

The features of Feistel network are:
 Block size - Increasing size improves security, but slows cipher 
 Key size - Increasing size improves security, makes exhaustive key searching harder,but may
slow cipher
 Number of rounds - Increasing number improves security, but slows cipher
 Subkey generation - Greater complexity can make analysis harder, but slows cipher
 Round function - Greater complexity can make analysis harder, but slows cipher 
 The process of decryption is essentially the same as the encryption process.
 The rule is as follows: use the cipher text as input to the algorithm, but use the subkeyki in
reverse order. i.e., kn in the first round, kn-1 in second round and so on.
 For clarity, we use the notation LEi and REi for data traveling through the decryption algorithm
and LDi and RDi.
 The above diagram indicates that, at each round, the intermediate value of the decryptionprocess is
same (equal) to the corresponding value of the encryption process with two halves of the value
swapped.
 U19CS702
Cryptography and
Network Security

i.e., REi || LEi (or) equivalently RD16-i || LD16-i

 After the last iteration of the encryption process, the two halves of the output areswapped, so that
the cipher text is RE16 || LE16.
 The output of that round is the cipher text. Now take the cipher text and use it as input tothe
same algorithm.
 The input to the first round is RE16 || LE16, which is equal to the 32-bit swap of the outputof the
sixteenth round of the encryption process.
 Now we will see how the output of the first round of the decryption process is equal to a32-bit
swap of the input to the sixteenth round of the encryption process.
 First consider the encryption process,
LE16 = RE15
RE16 = LE15 ⊕F (RE15, K16)

On the decryption side,

LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕F (RDO, K16)
= RE16 ⊕F (RE15, K16)
= [LE15 ⊕F (RE15, K16)] ⊕F (RE15, K16)
= LE15
Therefore, LD1 = RE15, RD1 = LE15
In general, for the ith iteration of the encryption algorithm,
LEi = REi-1
REi = LEi-1 ⊕F (REi-1, Ki)

 Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit swap
recovers the original plaintext.

ADVANCED ENCRYPTION STANDARD (AES)

AES is a symmetric block cipher that is intended to replace DES as the approved standard for a
wide range of applications. Compared to public-key ciphers such as RSA, the structure of AES and most
symmetric ciphers is quite complex and cannot be explained as easily as many other cryptographic,
algorithms.

Finite Field Arithmetic

In AES, all operations are performed on 8-bit bytes. The arithmetic operations of addition,
multiplication, and division are performed over the finite field GF.A field is a set inwhich we can
do addition, subtraction, multiplication, and division without leaving the set.Division is defined with the
following rule: a/b = a(b-1).
An example of a finite field (one with a finite number of elements) is the set Zp consisting of all the
integers {0, 1, c, p - 1}, where p is a prime number and in which arithmetic is carried out modulo p.
The way of defining a finite field containing 2nelements; such a field is referred to as GF(2n).
Consider the set, S, of all polynomials of degree n - 1 or less with binary coefficients. Thus, each
polynomial has the form
U19CS702
Cryptography and
Network Security
Where each ai takes on the value 0 or 1. There are a total of 2ndifferent polynomials in S.For n = 3,
the 23 = 8 polynomials in the set are

Appropriate definition of arithmetic operations, each such set S is a finite field.

The definition consists of the following elements.
1. Arithmetic follows the ordinary rules of polynomial arithmetic using the basic rulesof
algebra with the following two refinements.
2. Arithmetic on the coefficients is performed modulo 2. This is the same as theXOR
operation.
3. If multiplication results in a polynomial of degree greater than n - 1, then the n polynomial is
reduced modulo some irreducible polynomial m(x) of degree n. That is, we divide by m(x) and
keep the remainder. For a polynomial f(x), the remainder is expressed as r(x) = f(x) mod m(x). A
polynomial m(x) is called irreducible if and only if m(x) cannot be expressed as a product of two
polynomials, both of degree lower than that of m(x).
A polynomial in GF(2n) can be uniquely represented by its n binary coefficients(an-1an-2 ca0).
Therefore, every polynomial in GF(2n) can be represented by an n-bit number.

AES Structure
General Structure
 Figure 2.20 shows the overall structure of the AES encryption process. The cipher takes a plaintext
block size of 128 bits, or 16 bytes. The key length can be 16, 24, or32 bytes (128, 192, or 256 bits).
The algorithm is referred to as AES-128, AES-192, orAES-256, depending on the key length.
U19CS702
Cryptography and
Network Security

 The input to the encryption and decryption algorithms is a single 128-bit block. The block is depicted
as a 4 * 4 square matrix of bytes. This block is copied into the State array, which is modified at each
stage of encryption or decryption. After the final stage, State is copied to an output matrix. These
operations are depicted in Figure 2.21a. Similarly, the key is depicted as a square matrix of bytes.
This key is then expanded into an array of key schedule words.
 Below Figure 2.20 shows the expansion for the 128-bit key. Each word is four bytes, and the total key
schedule is 44 words for the 128-bit key. Note that the ordering of bytes within a matrix is by column.
The first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the
in matrix. The second four bytes occupy the second column, and so on. Similarly, the first four bytes
of the expanded key, which form a word, occupy the first column of the w matrix. The cipher consists
of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key, 12
rounds for a 24-byte key, and 14 rounds for a 32-byte key (Table 2.3).
 The first N - 1 round consist of four distinct transformation functions: Sub Bytes, Shift Rows, Mix
Columns, and AddRoundKey, which are described subsequently. The final round contains only three
transformations, and there is an initial single transformation (AddRoundKey) before the first round,
which can be considered Round 0. Eachtransformation takes one or more 4 * 4 matrices as input and
produces a 4 * 4 matrix as output Figure 5.1 shows that the output of each round is a 4 * 4 matrix,
with the output of the final round being the cipher text.
U19CS702
Cryptography and
Network Security

Figure 2.20 AES Encryption Process

Table 2.3 AES Parameters

Detailed Structure
Below Figure 2.20 shows the AES cipher shows the sequence of transformations in each roundand
showing the corresponding decryption function.
U19CS702
Cryptography and
Network Security

Fig: 2.21 Detail AES structure

Overall detail about AES structure.
1. It is not a Feistel structure. Recall that, in the classic Feistel structure, half of the data block is
used to modify the other half of the data block and then the halves are swapped. AES instead
processes the entire data block as a single matrix during each round using substitutions and
permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bitwords, w[i]. Four
distinct words (128 bits) serve as a round key for each round as shown in figure 2.22;
3. Four different stages are used, one of permutation and three of substitution:
 Substitute bytes: Uses an S-box to perform a byte-by-byte substitution oftheblock
 ShiftRows: A simple permutation
 MixColumns: A substitution that makes use of arithmetic over GF(28)
 AddRoundKey: A simple bitwise XOR of the current block with a portion ofthe
expanded key
4. The structure is quite simple. For both encryption and decryption as shown in figure 2.22, the
cipher begins with an AddRoundKey stage, followed by nine rounds that each includes all four
stages, followed by a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. The AddRoundKey stage would provide no
security because they do not use the key. We can view the cipher as alternating operations of
XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three
stages), followed by XOR encryption, and so on. This scheme is both efficient and highly secure.
U19CS702
Cryptography and
Network Security

Fig 2.22 AES Encryption and Decryption

6. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an
inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is
achieved by XORing the same round key to the block, using the result that.

7. The decryption algorithm makes use of the expanded key in reverse order. However, the
decryption algorithm is not identical to the encryption algorithm. This is a consequenceof the
particular structure of AES.
U19CS702
Cryptography and
Network Security

Fig 2.23 AES Encryption Round

8. Once it is established that all four stages are reversible, it is easy to verify that
decryption does recover the plaintext.
9. The final round of both encryption and decryption consists of only three stages. Again, this is a
consequence of the particular structure of AES and is required, to make the cipherreversible

AES Transformation Functions

Four transformations used in AES. For each stage, we describe the forward (encryption)algorithm, the
inverse (decryption) algorithm, and the rationale for the stage.

Substitute Bytes Transformation

Type 1: Forward and Inverse Transformations:

The forward substitute byte transformation, called Sub Bytes, is a simple tablelookup (Figure
2.24a). AES defines a 16 * 16 matrix of byte values, called an S-box that contains a permutation of all
possible 256 8-bit values.
U19CS702
Cryptography and
Network Security

Each individual byte of State is mapped into a new byte in the following way: The leftmost 4
bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row
and column values serve as indexes into the S-box to select a unique8-bit output value as shown in figure
2.25.
For example, the hexadecimal value {95} references row 9, column 5 of the S-box, whichcontains
the value {2A}. Accordingly, the value {95} is mapped into the value {2A}.

Figure 2.24 AES Byte level Operations

U19CS702
Cryptography and
Network Security

Figure 2.25 AES S-Boxes

Here is an example of the SubBytes transformation:

The S-box is constructed in the following fashion (Figure 2.26a).

1. Initialize the S-box with the byte values in ascending sequence row by row. The first row contains
{00}, {01}, {02}, c, {0F}; the second row contains {10}, {11}, etc.; and so on. Thus, the value of the
byte at row y, column x is {yx}.
2. Map each byte in the S-box to its multiplicative inverse in the finite field GF(28); the value
{00} is mapped to itself.
3. Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3,b2, b1, b0).Apply the
following transformation to each bit of each byte in the S-box:

Where ci is the ith bit of byte c with the value {63}; that is, (c7c6c5c4c3c2c1c0) = (01100011). Theprime ( „)
indicates that the variable is to be updated by the value on the right.
U19CS702
Cryptography and
Network Security

Figure 2.26 Construction of S-Box and IS-Box

The AES standard depicts this transformation in matrix form as follows.

 In ordinary matrix multiplication, each element in the product matrix is the sum of products of
the elements of one row and one column. Each element in the product matrix is the bitwise XOR
of products of elements of one row and one column.
 As an example, consider the input value {95}. The multiplicative inverse in GF(28) is
{95}- 1 = {8A}, which is 10001010 in binary. Using above Equation
U19CS702
Cryptography and
Network Security

The result is {2A}, which should appear in row {09} column {05} of the S-box.

Type 2: Inverse Substitute Byte Transformation:

The inverse substitute byte transformation, called InvSubBytes, For example, that the input
{2A}produces the output {95}, and the input {95} to the S-box produces {2A}. The inverse S-box is
constructed by applying the inverse of the transformation is followed by taking the

multiplicative inverse in GF(28). The inverse transformation is

where byte d = {05}, or 00000101. We can depict this transformation as follows.

InvSubBytes is the inverse of Sub Bytes, label the matrices in sub Bytes and InvSubBytes as X
and Y, respectively, and the vector versions of constants c and d as C and D, respectively. For some 8-
bit vector B, becomes . We need to show that
. To multiply out, we must show . This becomes
U19CS702
Cryptography and
Network Security

We have demonstrated that YX equals the identity matrix, and the YC = D,so that YC D
equals the null vector.

Type 3: Shift Rows Transformation

Forward and Inverse Shift RowsTransformations:

The forward shift row transformation, called Shift Rows, is depicted in Figure 2.27. The first
row of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row,
a 2-bytecircular left shift is performed. For the fourth row, a 3-byte circular left shift is performed. The
following is an example of Shift Rows

Figure 2.27 Forward Shift Row Transformation

The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the
opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and
as shown in figure 2.28
U19CS702
Cryptography and
Network Security

Figure 2.28 AES Row and Column Operations

Type 4: Mix Columns Transformation

Forward and Inverse Transformations: The forward mix column transformation, called
MixColumns, operates on each column individually. Each byte of a column is mapped into a new
value that is a function of all four bytes in that column. The transformation can be defined by the
following matrix multiplication on State

Each element in the product matrix is the sum of products of elements of one rowand one
column. In this case, the individual additions and multiplications are performed in GF(28).

The MixColumns transformation on a single column of State can be expressed asThe

following is an example of MixColumns:

The MixColumns transformation on the first column, we need to show that

For the first equation, we have {02}.{87} =(0000 1110) (0001 1011) =(0001 0101) and

{03}. {6E} = {6E} ({02}. {6E}) = (0110 1110) (1101 1100) = (1011 0010) then
U19CS702
Cryptography and
Network Security

The inverse mix column transformation, called InvMixColumns, is defined bythe

following matrix multiplication:

The inverse of Equation need to show

That is, the inverse transformation matrix times the forward transformation matrixequals the
identity matrix. To verify the first column of above Equation.
For the first equation, we have {0E}.{02} =00011100 and {09}.{03} ={09} {09}.{02} =
00001001 00010010 =00011011then

The encryption was deemed more important than decryption for two reasons:
1. For the CFB and OFB cipher modes only encryption is used.
2. AES can be used to construct a message authentication code and for this, only encryption isused.

Type 5: AddRoundKey Transformation

Forward and Inverse Transformations

In the forward add round key transformation, called AddRoundKey, the 128 bits of State arebitwise
XORed with the 128bits of the round key.

The operation is viewed as a column wise operation between the 4 bytes of a State column andone word
of the roundkey; it can also be viewed as a byte-level operation.
The following is an example ofAddRoundKey:
U19CS702
Cryptography and
Network Security

The first matrix is State, and the second matrix is the round key.

The inverse add round key transformation is identical to the forward addround keytransformation,
because the XOR operation is its own inverse.

The Figure 2.29 is another view of a single round of AES, emphasizing the mechanisms andinputs of each
transformation.

Fig 2.29 AES Key ExpansionType

6: Key Expansion Algorithm
The AES key expansion algorithm takes as input a four-word (16-byte) key and producesa linear
array of 44 words (176 bytes). This is sufficient to provide a four word round key for the initial
AddRoundKey stage and each of the 10 rounds of the cipher.
Each added word w[i]depends on the immediately preceding word, w[i - 1], and the word four
positions back, w[i - 4]. In three out of four cases, a simple XOR is used. For a word whose position in
the w array is a multiple of 4, a more complex function is used.
Figure 2.30 illustrates the generation of the expanded key, using the symbol g to represent that
complex function. The function g consists of the following sub functions
U19CS702
Cryptography and
Network Security

Figure 2.30 Key Expansion Algorithm

1. RotWord performs a one-byte circular left shift on a word. This means that a input word [B0,B1, B2,
B3] is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
The round constant is a word in which the three rightmost bytes are always 0.Thus, theeffect of
an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word. The round
constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0),
with RC[1] = 1, RC[j] = 2 # RC[j-1] and with multiplication defined over the field GF(28). Thevalues of
RC[j] in hexadecimal are

For example, suppose that the round key for round 8 is

EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
Then the first 4 bytes (first column) of the round key for round 9 are calculated asfollows:
U19CS702
Cryptography and
Network Security

An AES Example
For this example, the plaintext is a hexadecimal palindrome. The plaintext,key, and resulting
ciphertext are

Results
Table 2.4 shows the expansion of the 16-byte key into 10 round keys. The process is formedword by
word, with each four-byte word occupying one column of the word round-key matrix.

Table 2.4 Expansion of the 16-byte key into 10 round keys

The left-hand column shows the four round-key words generated for each round. The right-hand
column shows the steps used to generate the auxiliary word used in key expansion. The key itself serving
as the round key for round 0.
Next, Table 2.5 shows the progression of State through the AES encryption process. The first
column shows the value of State at the start of a round. For the first row, State is just the matrix
arrangement of the plaintext. The second, third, and fourth columns show the value ofState for that round
after the SubBytes, ShiftRows,andMixColumns transformations, respectively. The fifth column shows the
roundkey.
 Table 2.5 progression of State through the AES encryption process

Principles of public key cryptosystems

The concept of public key cryptography evolved from an attempt to attack two of the most
difficult problems associated with symmetric encryption. Key distribution under symmetric
key encryption requires either
(1) Two communicants already share a key, which someone has been distributed to them
(2) The use of a key distribution center.

Characteristics of Public key cryptosystems

Public key algorithms rely on one key for encryption and a different but related key for
decryption. These algorithms have the following important characteristics:
• It is computationally infeasible to determine the decryption key given only the
knowledge of the cryptographic algorithm and the encryption key
In addition, some algorithms, such as RSA, also exhibit the following characteristic:
• Either of the two related keys can be used for encryption, with the other usedfor
decryption.

INGREDIANTS OF PUBLIC KEY CRYPTOGRAPHY

1. Plaintext: This is the readable message or data that is fed into the algorithm as input.
2. Encryption algorithm: The encryption algorithm performs various transformations on the
plaintext.
3. Public and private keys: This is a pair of keys that have been selected so that if one is used for
encryption, the other is used for decryption. The exact transformations performed by the algorithm
 depend on the public or private key that is provided as input.
4. Ciphertext: This is the scrambled message produced as output. It depends on the plaintextand
the key. For a given message, two different keys will produce two different cipher texts.
5. Decryption algorithm: This algorithm accepts the ciphertext and the matching key and
produces the original plaintext.

Encryption:

The essential steps are the following:

1. Each user generates a pair of keys to be used for encryption and decryptionof
messages.
2. Each user places one of the two keys in a public register or other accessible file.This
is the public key. The companion key is kept private.
3. If A wishes to send a confidential message to B, A encrypts the message usingB"s
public key.
4. When B receives the message, it decrypts using its private key.

With this approach(Fig), all participants have access to public keys and private keys are generatedlocally
by each participant and therefore, need not be distributed.

Fig . Public Key Cryptography For Authentication

Let the plaintext be X=[X1, X2. X3, . .,X ] where m is the number of letters in some finite
alphabets. Suppose A wishes to send a message to B.
 B generates a pair of keys: a public key KUb and a private key KRb KRb is known only toB,
whereas KUb is publicly available and therefore accessible by A.

With the message X and encryption key KUb as input, A forms the cipher text Y=[Y1, Y2, Y3›

. Y n]

i.e., Y=EKUb(X)

The receiver can decrypt it using the private key KRb i.e., X=D KRb(Y)

The other approach (using sender―s private key for encryption and sender―s public key for
decryption) will provide authentication which is illustrated in the following diagram.

Plaintext Encryption function

Fig .Private Key Cryptography For Authentication

The encrypted message serves as a digital signature. It is important to emphasize that theencryption
process just described does not provide confidentiality.

Public Key Cryptography for Security

There is some source A that produces a message in plaintext, X —— [X 1, +2, . ,X ]. The

elements of X are letters in some finite alphabet.

The message is intended for destination B. B generates a related pair of keys: a publickey,
PUT, and a private key, PRb PRtis known only to B, whereas PL/his publicly available andtherefore
accessible by A. With the message and the encryption key PL/,as input, A forms the ciphertext Y =[Y
1. Yo. . ,YN]
 Figure.PubIic-Key Cryptosystem: Secrecy

The intended receiver, in possession of the matching private key, is able to invertthe transformation:

X—— D (PRd›

An adversary, observing Y and having access to PUT, but not having access to PRbor X, must
attempt to recover X and/or PRb It is assumed that the adversary does have knowledge of the
encryption (E) and decryption (D) algorithms.

If the adversary is interested only in this particular message, then the focus of effort is to
recover A by generating a plaintext estimate X *. Often, however, the adversary is interested in being
able to read future messages as well, in which case an attempt is made to recover PRtby generating an
estimate PRb.

Y = E(PRa1)
X = D(PUa1 Y)

In this case, A prepares a message to B and encrypts it using A‘s private key before
transmitting it. B can decrypt the message using A‘s public key. Because the message was encrypted
using A‘s private key, only A could have prepared the message.

Therefore, the entire encrypted message serves as a digital signature. In addition, it is

impossible to alter the message without access to A‘s private key, so the message is authenticated both
in terms of source and in terms of data integrity.

Figure .Public-Key Cryptosystem: Authentication

 It is important to emphasize that the encryption process depicted in above Figures does not
provide confidentiality. That is, the message being sent is safe from alteration but not from eaves
dropping. This is obvious in the case of a signature based on a portion of the message, because the rest
of the message is transmitted in the clear. Even in the case of complete encryption, as shown in
Figure13, there is no protection of confidentiality because any observer can decrypt the message by
using the sender‘s public key.

Authentication and Secrecy

It is, however, possible to provide both the authentication function and confidentiality by a
double use of the public-key scheme (Figure 2.29):

Ciphertext Z = EKUb[EKRa (X)]

Plaintext X = EKUa[EKRb (Y)]

Figure .PubIic-Key Cryptosystem: Authentication and Secrecy

Initially, the message is encrypted using the sender―s private key. This provides the digital
signature. Next, we encrypt again, using the receiver―s public key. The final ciphertext can be
decrypted only by the intended receiver, who alone has the matching private key. Thus confidentiality
is provided.

Applications for Public-Key Cryptosystems

We can classify the use of public-key cryptosystems into three categories

1. Encryption /decryption: The sender encrypts a message with the recipient‘s public key.

2. Digital signature: The sender ―signs" a message with its private key. Signing is achieved by a
cryptographic algorithm applied to the message or to a small block of data that is a function of
the message.
3. Key exchange: Two sides cooperate to exchange a session key. Several different
approaches are possible, involving the private key(s) of one or both parties.
 Requirements for public key cryptography

• It is computationally easy for a party B to generate a pair [KUb ,KRb]

• It is computationally easy for a sender A, knowing the public key and the message to be
encrypted M, to generate the corresponding ciphertext: C=EKUb(M).
• It is computationally easy for the receiver B to decrypt the resulting ciphertext usingthe
private key to recover the original message:

M = DKRb (C) = DKRb [E KUb (M)]

• It is computationally infeasible for an opponent, knowing the public key KUb, to

determine the private key KRb
• It is computationally infeasible for an opponent, knowing the public key KUb, and a
ciphertext C, to recover the original message M.
• The encryption and decryption functions can be applied in either order:
M = EKUb [D KRb (M) = DKUb [E KRb (M)]

Public-Key Cryptanalysis

Attack Type 1 :

The public-key encryption scheme is vulnerable to a brute-force attack; therefore use large
key.The tradeoff is that makes use of some sort of invertible mathematical function.

Therefore choose key size such that the brute force attack is not possible, at the sametime
should not be too slow for general use.

Attack type 2:

Attack is of other types (i.e.) given the algorithm and the public key deduce private key. This
method has not been successful till date.

Attack Type 3:
A probable-message attack. When a confidential message is to be transmitted using DES,the
56
attacker will find all 2 possible keys using the public key and discover the encrypted
key by matching the generated cipher text and the actual cipher. This attack can be avoided by
appending some random bits to the message.

RSA ALGORITHM

It was developed by Rivest, Shamir and Adleman. This algorithm makes use of an expression
with exponentials. Plaintext is encrypted in blocks, with each block having a binary value less than
some number n.The RSA scheme is a cipher in which the plaintext and cipher text are integers
between 0 and n - 1 for some n. A typical size for n is 1024 bits, or 309 decimal digits. That is, n is
less than 2 1024
 That is, the block size must be less than or equal to log 2 (n); in practice, the block size
is k-bits, where 2k< n < 2 k*1. Encryption and decryption are of the following form, for some
plaintext block M and ciphertext block C:

c = Me mod n
M = Cd mod n

= (Me)d mod n

= Me*mod n

Both the sender and receiver know the value of n. the sender knows the value of e andonly
the receiver knows the value of d. thus, this is a public key encryption algorithm with a public key of
KU = {e, n) and a private key of KR = {d, n}. For this algorithm to be satisfactory for public key
encryption, the following requirements must be met:
ed
1. It is possible to find values of e, d, n such that M = M mod n for all M < n.
e d
2. It is relatively easy to calculate M and C for all values of M < n.
3. It is infeasible to determine d given e and n.

Fig . The RSA Algorithm

Let us focus on the first requirement. We need to find the relationship of the form:
Med = M mod n

Given two prime numbers p and q and two integers, n and m, such that n=pq and 0<m<n, andarbitrary
integer k, the following relationship holds

k6 (n) +1 k(p-1)(q-1) +1 m mod n

where 6(n) — Euler totient function, which is the number of positive integers less than n
and relatively prime to n. we can achieve the desired relationship, if
 This is equivalent to saying:
ed = k6(n)+1 ed - 1 mod 6(n)

d = e1 - mod 6(n)

That is, e and d are multiplicative inverses mod 6(n). According to the rule of modular arithmetic,this
is true only if d (and therefore e) is relatively prime to 6(n). Equivalently, gcd(6(n), d) = 1.

We are now ready to state the RSA scheme. The ingredients are the following:

p, q, two prime numbers (private, chosen)

n —— pq (public, calculated)

e, with gcd(6 (n), e) = 1; 1 <e < 6 (n) (public, chosen)

d-Ke-1 (mod 6 (n)) (private, calculated)

The steps involved in RSA algorithm for generating the key are

• Select two prime numbers, p = 17 and q = 11.

• Calculate n = p*q = 17*11 = 187
• Calculate 6(n) = (p-1)(q-1) = 16*10 = 160.
• Select e such that e is relatively prime to 6(n) = 160 and less than 6(n); we choose e= 7
• Determine d such that de K 1 (mod 160) and d < 160.The correct value is d —— 23, because
23 • 7 = 161 = (1 • 160) + 1; d can be calculated using the extended Euclid‘s algorithm

The resulting keys are public key PU —— {7, 187} and private key PR —— {23, 187}.

The example shows the use of these keys for a plaintext input of M—— 88.
For encryption,we need to calculate C = 887 mod 187.

Exploiting the properties of modular arithmetic, we can do this as follows.

7 4 2 1
88 mod 187 = [(88 mod 187) • (88 mod 187)x (88 mod 187)] mod 187
881 mod 187 = 88
2
88 mod 187 = 7744 mod 187 = 77
4
88 mod 187 = 59,969,536 mod 187 = 132
7
88 mod 187 = (88 • 77 • 132) mod 187 = 894,432 mod 187 = 11

For decryption, we calculate M —— 1123 mod 187:

23 1 2 4
11 mod 187 = [(11 mod 187) • (11 mod 187) • (11 mod 187)• (11‘ mod 187) •
(11 mod 187)] mod 187

11 mod 187 = 11

mod 187 = 121

11 mod 187 = 14,641 mod 187 = 55

8
11 mod 187 = 214,358,881 mod 187 = 33

23
11 mod 187 = (11 • 121 • 55 • 33 33) mod 187 = 79,720,245 mod 187 = 88

Security of RSA:

There are three approaches to attack the RSA:

1. Brute force: This involves trying all possible private keys.
2. Mathematical attacks: There are several approaches, all equivalent in effort to
factoring the product of two primes.
3. Timing attacks: These depend on the running time of the decryption algorithm.

Type 1 RSA Attack: Defense to Brute Force attack:

Use large key space (i.e) large number of bits in e and d the better secured but problems are,

1. Increases computing power

2. Factoring Problem

Type 2 RSA Attack: Mathematical Attack:

Mathematical approach takes 3 forms:

• Factor n = p*q, hence find 6(n) and then d.

• Determine 6(n) 1directly without determining p and q and find

d. d=e- (mode (n))

• Find d directly, without first determination 6(n).

Type 3 RSA Attack: Timing attacks:

This attack is learning for 2 reasons

1. Comes completely from unexpected direction

 2. Cipher text only attack

Attack:

If the system does lastly the modular multiplication in majority of cases but takes longertime in
few cases. The average is also longer.

The attack is done bit by bit Start

with left most bit b„

Suppose first j bits are known.

For a given cipher text the attacker completes the j iteration.

If the bit is set then d<- (d * a) mod n.

Methods to overcome Timing attacks:

1. Constant exponentiation time: All exponentiations take the same amount of time before
returning a result. This is a simple fix but does degrade performance.
2. Random delay: Better performance could be achieved by adding a random delay to the
exponentiation algorithm to confuse the timing attack.
3. Blinding: Multiply the cipher text by a random number before performing exponentiation. This
process prevents the attacker from knowing what cipher text bits are being processedinside the
computer and therefore prevents the bit-by-bit analysis essential to the timing attack.

KEY MANAGEMENT

There are two uses of public key cryptography regarding the issues of key distribution. They are

1. Distribution of public keys

2. Use of public key encryption to distribute secret keys

Distribution of Public Keys

Several techniques have been proposed for the distribution of public keys. Virtually all
these proposals can be grouped into the following general schemes:

a) Public announcement
b) Publicly available directory
c) Public-key authority
d) Public-key certificates

(a) Public Announcement of Public Keys

In public-key encryption the public key is public. Thus, if there is some broadly accepted
public-key algorithm, such as RSA, any participant can send his or her public key to any other
participant or broadcast the key to the community at large as shown in Figure 2.32.

Figure. Uncontrolled Public-Key Distribution

Disadvantage:

Anyone can forge such a public announcement. That is, some user could pretend tobe user
A and send a public key to another participant or broadcast such a public key.
Until such time as user A discovers the forgery and alerts other participants, the forgeris able to
read all encrypted messages intended for A and can use the forged keys for authentication.

(b) Publicly Available Directory

A greater degree of security can be achieved by maintaining a publicly available dynamic

directory of public keys. Maintenance and distribution of the public directory would have to be the
responsibility of some trusted entity or organization as shown in Figure Such a scheme would include
the following elements:

1. The authority maintains a directory with a (name, public key} entry for each participant.
2. Each participant registers a public key with the directory authority. Registration wouldhave to
be in person or by some form of secure authenticated communication.
3. A participant may replace the existing key with a new one at any time, due to either the key
has been used for a large amount of data, or the corresponding private key has been
compromised in some way.
4. Participants could also access the directory electronically. For this purpose, secure,
authenticated communication from the authority to the participant is mandatory

Figure Public-Key Publications

Vulnerabilities:

Tamper the records of public key directories.

If an adversary succeeds in obtaining or computing the private key of the directory authority, the
adversary could authoritatively pass out counterfeit public keys and impersonate any
participant and eavesdrop on messages sent to any participant.

(c) Public-Key Authority

Stronger security for public-key distribution can be achieved by providing tighter control over
the distribution of public keys from the directory. A typical scenario is illustrated in Figure 2.34.

As before, the scenario assumes that a central authority maintains a dynamic directory of
public keys of all participants. In addition, each participant reliably knows a public key for the
authority, with only the authority knowing the corresponding private key. The following steps
(matched by number to Figure 2.34) occur:
 Figure .PubIic-Key Distribution Scenario

1. A sends a time stamped message to the public-key authority containing a request for thecurrent
public key of B.

2. The authority responds with a message that is encrypted using the authority‘s private key,PRauthT
hus, A is able to decrypt the message using the authority's public key. Therefore, A is assured that the
message originated with the authority. The message includes the following:

• B‘s public key, PL/,which A can use to encrypt messages destined for B
• The original request, to enable A to match this response with the corresponding earlier
request and to verify that the original request was not altered before reception by the authority
• The original timestamp, so A can determine that this is not an old message from the
authority containing a key other than B‘s current public key
3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A
(IDA) and a nonce (/\/1), which is used to identify this transaction uniquely.

4,5 B retrieves A‘s public key from the authority in the same manner as A retrieved B‘spublic key.

6.B sends a message to A encrypted with K aand containing A‘s nonce (/V1) as well as anew
nonce generated by B (/V2) Because only B could have decrypted message (3), the presence of /V1 in
message (6) assures A that the correspondent is B.

7. A returns 2. encrypted using B‘s public key, to assure B that its correspondent is A.

Thus, a total of seven messages are required. However, the initial four messages need be used
only infrequently because both A and B can save the other‘s public key for future use, a technique
known as caching.

Disadvantages:

• Bottle neck at the authority.

(d) Public-Key Certificates

The scenario of Figure is attractive, yet it has some drawbacks. The public-key authority
could be somewhat of a bottleneck in the system, for a user must appeal to the authority for a public
 key for every other user that it wishes to contact. As before, the directory of names and public keys
maintained by the authority is vulnerable to tampering.
An alternative approach is to use certificates that can be used by participants to exchange keys
without contacting a public-key authority.
A certificate consists of a public key plus an identifier of the key owner, with the whole block
signed by a trusted third party.
A user can present his or her public key to the authority in a secure manner, and obtain a
certificate. The user can then publish the certificate. Anyone needed this user's public key can obtain
the certificate and verify that it is valid by way of the attached trusted signature.

1. Any participant can read a certificate to determine the name and public key of the
certificate‘s owner.

2. Any participant can verify that the certificate originated from the certificate authority and is not
counterfeit.
3. Only the certificate authority can create and update certificates.
These requirements are satisfied by the original proposal in. Denning added the following
additional requirement:

4. Any participant can verify the currency of the certificate.

A certificate scheme is illustrated in Figure. Each participant applies to the certificateauthority,
supplying a public key and requesting a certificate.

Public-Key distribution of Secret Keys using public key cryptography:

 Use previous methods to obtain public-key

 Can use for secrecy or authentication
 Public-key algorithms are slow so usually want to use private-key encryption to protect
message contents, Hence need a session key

a) Simple
b) Secret key distribution with confidentiality and authentication
c) Hybrid
d) Diffie Hell man key exchange

(a) SimpIe Secret Key Distribution:

1. A generates a public/private key pair (KUa,KRa) and transmits a message to B consisting of

KUa and an identifier of A,IDA.
2. B generates a secret key , and transmits it to A, encrypted with A‘s public key.
3. A computes DKRa [EKUa [ s]] to recover the secret key. Because only A can decrypt the
message, only A and B will know the identity of Ks -
4. A discards KUaand KRa and B discards KUa•

Advantages:

• No keys exist before the start of the communication no key exist after the completion of
communication
• Secure from eaves dropping
Disadvantages:

• Replay attack
• Meet in the middle attack
• A generates a public/private key pair {PUa, PRaj and transmits a message intended forB
consisting of PL/aand an identifier of A, IDA.
• D intercepts the message, creates its own public/private key pair \PUd, PRO and
transmits PUs 0 0 IDA to B.
• B generates a secret key, Ks, and transmits E(PL/s, Ks).
• D intercepts the message and learns Ks by computing D(PRd, E(PL/d, Ks)).
• D transmits E(PL/a, Ks) to A.

(b) Secret Key Distribution with Confidentiality and Authentication:

1. A uses B‘s public key to encrypt a message to B containing an identifier of A (ID A) anda
nonce (N1),which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with KUa and containing A‘s decrypted message
(1) ,the presence of N1 in message (2) assures A that correspondent is B.
3. A returns Ne. encrypted using B‘s public key, to assurer B that its correspondent is A.

4. A select a secret key s find sends M = EKUb[EKRa[Ks]] TO B. Encryption of this message

with B‘s public key ensures that only B can read it.;encryption with A‘s private key ensures
that only A could have sent it.
5. Computes DxUa[DKRb[M]]to recover thesecret key.

Figure . Public Key Distribution of secret Keys

Advantages:

Scheme ensures both confidentiality and authentication in the exchange of a secret key.
 (c) A Hybrid Scheme

Public-key scheme isused to distribute the master keys. The following rationale is providedfor
using thisthree-level approach:

1. Performance:

The public key encryption is used occasionally to update the master key between usesand
KDC When the distribution of session keys is done by public key encryption the performance
degrades because of high computation needed by P.K.E.

2. Backward compatibility: The hybrid scheme is easily overlaid on an existing KDC

scheme with minimal disruption or software changes.

The addition of a public-key layer provides a secure, efficient means of distributing master keys.

DIFFIE HELLMAN KEY EXCHANGE

The purpose of the algorithm is to enable two users to exchange a key securely that can then be
used for subsequent encryption of messages. The Diffie-Hellman algorithm depends for its
effectiveness on the difficulty of computing discrete logarithms.

First, we define a primitive root of a prime number p as one whose power generate all the
integers from 1 to (p-1) i.e., if ‗a‘ is a primitive root of a prime number p, then the numbers

2 p-1
a a mod p,
a mod p, ... mod p

are distinct and consists of integers from 1 to (p-1) in some permutation.

For any integer ‗b‘ and a primitive root ‗a‘ of a prime number ‗p‘, we can find a uniqueexponent ‗i‘ such that

b - a' mod p where 0 i 1 (p-1)

The exponent ‗i‘ is referred to as discrete logarithm.

The Alqorithm

Figure 2.37 summarizes the Diffie-Hellman key exchange algorithm.There are publicly known
numbers: a prime number ‗q‘ and an integer a that is primitive root of q. suppose users A and B wish
to exchange a key. User A selects a random integer XA‹ q and computes YA = a XA mod q.

A lice and Bob share u

prime numher § and en
 integer o. szsch that a < g' azid

Fig.Diffie Hellman Key Exchange

Similarly, user B independently selects a random integer XB< q and computes YB a XB mod
q. Each side keeps the X value private and makes the Y value available publicly to the other side.

User A computes the key as

K = (YB) mod q and

User B computes the key as
XB
K = (YA) mod q

Global Public Elements

prime number
a<q and a is the primitive root of q
User A Key generation
Select XA Xy< q
Calculate public Yr YA mod q
User B Key generation
Select XB XB‹ q
XB
Calculate public YB YB= mod q
Generation of secret key by User AK = (YB)
mod q
Generation of secret key by User B
K = (YA) XB mod q
The result is that two sides have exchanged a secret key. The security of the algorithm lies in the fact that, while it is
relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms.

Key Exchanqe Protocols

Figure .Diffe-Hellman Key Exchange

The protocol depicted in figure is insecure against a man-in-the-middle attack. Suppose Aliceand Bob
wish to exchange keys, and Darth is the adversary. The attack proceeds as follows:

1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then
computing the corresponding public keys YD1 and
Yo2-2. Alice transmits YA to Bob.

X
Darth intercepts YA and transmits YD1 to Bob. Darth aXlso calculates = (YA) D mod q.

Bob receives YD1 and calculates K1 = (YD1) B mod q.

3. Bob transmits XA to Alice.
X
Darth intercepts XA and transmits YD2 to Alice. Darth calculates 1 " (YB) D1 mod q.
Alice receives Yo2 and calculates 2' (YD2) X mod q.
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret
key K1 and Alice and Darth share secret key All future communication between Bob and Alice is
compromised in the following way:

1. Alice sends an encrypted message M: E( 2. M).

2. Darth intercepts the encrypted message and decrypts it, to recover M.
3. Darth sends Bob E(K1. M) or E(K1. M‘), where M‘ is any message
Example:

Key exchange is based on the use of the prime number q —— 353 and a primitive root of 353, inthis
case a = 3. A and B select secret keys EA—— 97 and XB—— 233, respectively.
Each computes its public key:
7
A computes YA 3 mod 353 = 40.
233
B computes YB—— 3 mod 353 = 248.
After they exchange public keys, each can compute the common secret key:Acomputes K
—— (Yy) mod 353 = 248 mod 353 = 160.
XB 2 3
B computes K —— (Y A) mod 353 = 40 * mod 353 = 160.