Chapter 1

Introduction to Cryptography
1.1 Preliminaries
The basic cryptography nomenclature is below.
Cryptography: The study of protecting the secu-
rity and privacy of data against unauthorized
access and manipulations by use of encryption.
Encryption: Transforming data into an unintelli-
gent form to conceal it.
Decryption: The reverse process of encryption.
Cipher: A method or an algorithm for encryption
and decryption.
Key: A side information needed by a cipher for the
encryption or decryption of data.
Cryptanalysis: The discipline of breaking the
cryptographic systems.
Cryptology: The study of cryptography and
cryptanalysis.
Plaintext: Original data.
Ciphertext: Encrypted data.
Symmetric cipher: A cipher using a single secret
key to encrypt and decrypt.
Asymmetric cipher: Ciphers using dierent keys
to encrypt and decrypt.
A Simple Crypto Application
Alice has a message (plaintext) to transmit to
Bob. As illustrated in Figure 1.1, she encrypts the
message with a key (side information) to transform
it into some unintelligent form before transmission.
During transmission, enemies may obtain a copy of
the encrypted message (ciphertext). However, the
decryption algorithm requires a key which is a secret
known to Bob but unknown to enemies. Thus, Bob
can decrypt the encrypted message into the original
message, while enemies cannot.
To establish a secure channel, Alice and Bob use a
cipher having a single key for both encryption and
decryption. Alice and Bob encrypt all the commu-
nication between them with this mutual secret key.
Figure 1.1: Alice sends encrypted messages
A Simple Cipher (Shift Cipher)
For encryption, each plaintext letter is replaced
with the letter k positions later in the alphabet. Let
k = 3. Then, the encryption is the following substi-
tution.
a , b , c , d , e , . . . , u, v , x, y , z

d , e , f , g , h, . . . , y , z , a , b , c
Let us encrypt the message this is a secret with
the shift cipher for k = 3.
Encrypt(this is a secret, k) =
xklv lv d vhfuhx
The ciphertext, xklv lv d vhfuhx, is a nonsense
uninterpretable by the enemy. The decryption is
the reverse process. The value of k is the secret side
information needed to be known in both encryption
and decryption. Thus,
encryption/decryption key = k.
Shift Cipher with a Larger Key
Using the shift cipher, one can encrypt the plain-
text in m-letter blocks with m dierent subkeys
k
1
, k
2
, . . . , k
m
as described below.
Divide the plaintext into m-letter blocks.
1
Encrypt
the 1st letter of each block with k
1
,
the 2nd letter of each block with k
2
,

the mth letter of each block with k
m
.
The decryption is the reverse process. Note that
the subkeys k
1
, k
2
, . . . , k
m
are the side information
needed to encrypt and decrypt. Thus,
encryption/decryption key = k
1
, k
2
, . . . , k
m
.
Simple Cryptanalysis of Shift Cipher
Apply a combination of the following methods.
First method: Exploit the language statistics.
The most common letters in English are, in de-
creasing order,
e, t, a, o, i, n, h, r, s, d, l, c, u, f, g, j, m, w, y, p, b, k
The most common bigrams in English are, in
decreasing order,
th, he, in, er, an, re, ed, on, es, st, en, at, to, nt, ha
The most common trigrams in English are, in
decreasing order,
the, ing, and, her, ere, ent, tha, nth, was, eth, for
Second method: Use brute force, i.e. try all possible
keys one by one until getting a meaningful decryp-
tion.
Say key size equals to 1, i.e. key is k
1
where 0 < k
1
<
26. It is very likely that the most common letters in
the ciphertext correspond the most common letters
in English e t, a and so on. Thus, one can
guess the single shift value k
1
. Or, one can try 25
possible keys one by one until getting a meaningful
decryption.
Say key size equals to 2, i.e. key is k
1
, k
2
where
0 < k
1
, k
2
< 26. It is very likely that the most
common bigrams in the ciphertext correspond the
most common bigrams in English th, he, in
and so on. Thus, one can guess the shift values k
1
and k
2
. Or, one can try 2525 possible keys one by
one until getting a meaningful decryption.
Say key size equals to 3, i.e. key is k
1
, k
2
, k
3
where
0 < k
1
, k
2
, k
3
< 26. It is very likely that the
most common trigrams in the ciphertext correspond
the most common trigrams in English the, ing,
and and so on. Thus, one can guess the shift val-
ues k
1
, k
2
, and k
3
. Or, one can try 25 25 25
possible keys one by one until getting a meaningful
decryption.
1.2 Cipher Security
Simple cryptanalysis of the shift cipher shows that
1. Encrypting the data with a larger key increases
the number of all possible keys and thus, the
number of key trials in the exhaustive key
search.
2. Encrypting the data in larger blocks hides the
language statistics better. This is because the
frequency dierences of letter combinations will
disappear as the data blocks contain more and
more letters.
Ciphertext only attack Attacker has a cipher-
text but no corresponding plaintext.
He decrypts it with dierent keys until get-
ting a meaningful result (brute force).
Or, he uses the weakness in the cipher to
reduce the burden of brute force.
Known plaintext attack: Atacker has both a ci-
phertext and the corresponding plaintext.
He decrypts it with dierent keys until get-
ting the plaintext (brute force).
Or, he uses the weakness in the cipher to
reduce the burden of brute force.
Kerchkos Princible
A cryptographer should always assume that the
enemy knows the encryption method used. Thus,
the security of an encryption method must be based
on
its quality (strength)
the key size.
1.3 Classic Ciphers
There are many ciphers used in history. These ci-
phers can easily be broken with the technology and
cryptanalytic techniques available today. Thus, they
are out of our scope. Some of them are
Caesar cipher
Vigenere cipher
Rotor machines
Enigma
Hill cipher
Playfair cipher
Ane cipher
2
1.4 Computer Era Ciphers
The modern ciphers is divided into two groups.
Symmetric ciphers: Private key cryptography.
encryption key = decryption key
Asymmetric ciphers: Public key cryptography.
encryption key = decryption key
1.4.1 Symmetric Ciphers
They can be implemented as block and stream
ciphers
They are fast and used to encrypt the large
amount of data.
They are useless if the secure exchange of the
key is not achieved.
Key exchange problem for symmetric ciphers:
A message sender may securely send zillion
Gbytes of data, encrypting it with a key. But,
he must send the same key to the receiver so
that the receiver can do the decryption. Of
course, sender cannot simply send the key over
a channel open to public.
1.4.2 Asymmetric Ciphers
Asymmetric Ciphers are the solution to the key ex-
change problem.
Encryption key is open to public but decryption
key is secret. Thus, everyone can encrypt but
only the owner of the corresponding decryption
key can decrypt.
Note that decryption key and encryption key
are related to each other since
plaintext = Decrypt(
Encrypt(plaintext,encryption key),
decryption key)
However, deducing decryption key from encryp-
tion key is very hard (computationally infeasi-
ble).
They are slow and used to encrypt the small
data like symmetric cipher keys.
3
Chapter 2
The Rijndael Cipher
2.1 Introduction
The Rijndael is a symmetric block cipher with a vari-
able block size and key size. The Rijndael with 128
bit block size is adopted as the AES in Oct 2000 by
NIST. This new standard is a replacement for the
obsolete DES (Data Encryption Standard).
The Rijndael algorithm encrypts data in Nb word
blocks with an Nk word key where a word is 32 bits.
Nb and Nk can be 4, 5, 6, 7 or 8 words (128, 160,
192, 224 or 256 bits) independently of each other.
The 128 bit encryption is sucient for most security
applications. This corresponds the Rijndael encryp-
tion with the parameters Nb = Nk = 4.
Figure 2.1 illustrates the Rijndael encryption. The
Figure 2.1: AES encryption and key expansion.
encryption starts with the addition (actually bitwise
XOR) of the plaintext block with a subkey (key 0).
Then, it continues with the Nr rounds of a nonlinear
transformation where
Nr = max(Nb, Nk) + 6
Each round uses a dierent subkey (key 1, 2, ... ,
Nr) called the round key. Each subkey is Nb words.
They are all generated by the expansion of the Nk
word key with a key scheduling algorithm. The key
scheduling algorithm needs to work only one time.
Once the subkeys are generated, they can be stored
in memory and used in the encryption of the multi-
ple data blocks.
The Nb word intermediate results between the
rounds are called state. Let {s
0,j
, s
1,j
, s
2,j
, s
3,j
}
denote the bytes of the jth word of a state. As
shown below, the Rijndael algorithm arranges these
bytes in a (4 Nb) state matrix.
state =

s
0,0
s
0,1
. . . s
0,nb1
s
1,0
s
1,1
. . . s
1,nb1
s
2,0
s
2,1
. . . s
2,nb1
s
3,0
s
3,1
. . . s
3,nb1

(2.1)
Each round consists of four transformations which
process the state matrix. The following pseudo code
shows the transformations in a round.
Round(state, subkey)
{
SubByte(state);
ShiftRow(state);
if(not last round)
MixColumn(state);
AddRoundKey(state,subkey);
}
In encryption, the MixColumn transformation is
omitted in the last round.
The decryption is illustrated in Figure 2.2. It is the
inverse of the encryption operation. From the last
one to the rst one, the inverses of the encryption
steps are performed in the reverse order. Naturally,
the subkeys are used in the reverse order too.
The decryption rounds contain the inverses of the
four transformations in the encryption rounds as
shown below.
5
Figure 2.2: AES decryption.
InverseRound(state,subkey)
{
InverseShiftRow(state);
InverseSubByte(state);
AddRoundKey(state,subkey);
if(not last round)
InverseMixColumn(state);
}
In decryption, the InverseMixColumn transforma-
tion is omitted in the last round. Also, note that
the inverse of AddRoundKey is equivalent to itself.
This is because the addition is actually dened as
XOR (exclusive or) operation in the Rijndael.
2.1.1 SubByte and Inverse SubByte
Transformations
The SubByte transformation substitutes each byte
in the state matrix (2.1) with another byte using a
xed 256 byte lookup table as shown below.
state =

sbox[s
0,0
] sbox[s
0,1
] . . . sbox[s
0,nb1
]
sbox[s
1,0
] sbox[s
1,1
] . . . sbox[s
1,nb1
]
sbox[s
2,0
] sbox[s
2,1
] . . . sbox[s
2,nb1
]
sbox[s
3,0
] sbox[s
3,1
] . . . sbox[s
3,nb1
]

where sbox[ ] denotes the lookup table used for

the SubByte transformation. The inverse SubByte
transformation performs the inverse operation by us-
ing another 256 byte lookup table.
The lookup table sbox[ ] actually implements a pre-
computed nonlinear function over the nite eld
GF(2
8
). This function treats each byte s
i,j
in the
state matrix as a degree 7 binary polynomial (poly-
nomial over GF(2)) and its bits as the binary coe-
cients. Then, it processes the bytes by the following
operations according to the rules of the binary poly-
nomial arithmetic.
1. s
i,j
= s
1
i,j
mod p (assume 0
1
mod p = 0).
2. s
i,j
= s
i,j
f mod x
8
+ 1
3. s
i,j
= s
i,j
+ g
Here, p is a degree 8 binary irreducible polynomial
(preferably, (p = x
8
+ x
4
+ x
3
+ x + 1). And, f and
g are the following binary polynomials.
f = x
4
+ x
3
+ x
2
+ x + 1
g = x
6
+ x
5
+ x + 1
2.1.2 ShiftRow and Inverse Shift-
Row Transformations
The ShiftRow transformation cyclically shifts left
(rotates left) the rows of the state matrix (2.1).
The cyclic left shift amounts depend on the row
number i = 0, 1, 2, 3 and the plaintext block size
Nb = 4, 5, 6, 7, 8. Table 2.1 gives the shift amount
for each row.
shift
row# i
0 1 2 3
4,5,6 0 1 2 3
Nb 7 0 1 2 4
8 0 1 3 4
Table 2.1: Cyclic left shift amounts for each row in
ShiftRow transformation.
After ShiftRow transformation, the new elements of
the state matrix, s
i,j
, are as follows

s
0,j
s
1,j
s
2,j
s
3,j

s
0,j
s
1,(j+1 mod nb)
s
2,(j+sh2 mod nb)
s
3,(j+sh3 mod nb)

Here, sh2 and sh3 are the shift amounts for the 2nd
and the 3rd rows respectively. sh2 = 2 or 3 and
sh3 = 3 or 4 according the block size nb.
The inverse ShiftRow transformation cyclically
shifts the rows to the right instead of the left to
undo the ShiftRow transformation. Thus, after this
transformation, we have the following.

s
0,j
s
1,j
s
2,j
s
3,j

s
0,j
s
1,(j1 mod nb)
s
2,(jsh2 mod nb)
s
3,(jsh3 mod nb)

6
2.1.3 MixColumn and Inverse Mix-
Column Transformation
The MixColumn treats the state matrix bytes as de-
gree 7 binary polynomials and its bits as binary co-
ecients. The MixColumn transforms each column
of the state matrix (2.1) into a new column by mul-
tiplying it with a (4 4) constant matrix in GF(2
8
)
as shown below.
_

_
s
0,j
s
1,j
s
2,j
s
3,j
_

_
=
_

_
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
_

_
_

_
s
0,j
s
1,j
s
2,j
s
3,j
_

_
(2.2)
Here, 03 = x + 1, 02 = x, and 01 = 1 are the
elements in GF(2
8
).
The inverse MixColumn transformation is the fol-
lowing matrix multiplication.
_

_
s
0,j
s
1,j
s
2,j
s
3,j
_

_
=
_

_
0E 0B 0D 09
09 0E 0B 0D
0D 09 0E 0B
0B 0D 09 0E
_

_
_

_
s
0,j
s
1,j
s
2,j
s
3,j
_

_
(2.3)
Here, 0E = x
3
+ x
2
+ x, 0D = x
3
+ x
2
+ 1, 0B =
x
3
+ x + 1, and 09 = x
3
+ 1 are the elements in
GF(2
8
).
The equation (2.3) gives really the inverse trans-
formation because the multiplication of the (4 4)
constant byte matrices in (2.2) and (2.3) in GF(2
8
)
yields the identity matrix.
2.1.4 AddRoundKey Transformation
and Key Scheduling
The AddRoundKey transformation XORs the Nb
word plaintext block with an Nb word subkey. The
Rijndael uses Nr + 1 subkeys as seen in Figure 2.3.
The required (Nr +1)Nb word key material is gen-
erated from the Nk word secret key by a key expan-
sion algorithm. In this section, we rst illustrate the
key expansion algorithm of the Rijndael. Then, we
present an implementation avoiding the modulo and
division operations, which are slow on the resource
limited devices.
The key expansion algorithm consists of a series
of expansion rounds. Each expansion round gener-
ates a new Nk word key material as output, taking
the key material generated by the previous round
as input. Figure 2.3 illustrates the kth key expan-
sion round having the input words W
j
and the out-
put words

W
j
for j = 1, . . . , Nk 1. The inputs
of the inital key expansion round are the words of
the secret key. Because we need (Nr + 1)Nb word
key material, the round number k = 1, . . . , (Nr +
1)Nb/Nk.
The input and output words of the kth round are
related as follows.

W
0
= W
0
XOR f(W
Nk1
, k)

W
j
= W
j
XOR

W
j1
for j = 1, . . . , Nk 1
Figure 2.3: Key expansion round having the input
words W
j
and the output words

W
j
.
where f is a transformation on the 32 bit words.
Let the word w have the bytes b
0
, b
1
, b
2
and b
3
from
least to most signicant. f is the following nonlinear
transformation.
f(w, k) = f
_
_
_
_
_

_
b
0
b
1
b
2
b
3
_

_
, k
_
_
_
_
=
_

_
sbox[b
1
]
sbox[b
2
]
sbox[b
3
]
sbox[b
0
]
_

_
XOR
_

_
Rcon[k]
00
00
00
_

_
where Rcon[k] is a table of constants such that
Rcon[k] = 02
k1
= x
k1
in GF(2
8
). As can be
understood, the transformation f rotates a word 8
bits right, performs the SubByte transformation to
its bytes and XORs it by an 8-bit constant Rcon[k].
If Nk > 6, the expansion round becomes

W
0
= W
0
XOR f(W
nk1
, k)

W
j
= W
j
XOR

W
j1
for j = 1, 2, 3

W
4
= W
4
XOR g(

W
3
)

W
j
= W
j
XOR

W
j1
for j = 5, . . . , Nk 1
where g is a transformation performing the SubByte
transformation to the bytes of its input.
g(w) = g
_
_
_
_
_

_
b
0
b
1
b
2
b
3
_

_
_
_
_
_
=
_

_
sbox[b
0
]
sbox[b
1
]
sbox[b
2
]
sbox[b
3
]
_

_
The key expansion algorithm can be given in pseudo
C code as follows.
KeyExpansion(int key[Nk], int W[Wlen])
{
for(j=0; j<Nk; j++)
W[j] = key[j];
7
for(j=Nk, k=0; j<=Wlen-Nk; j+=Nk)
{
W[j ] = W[j-Nk] ^ f(W[j-1],k++);
W[j+1] = W[j-Nk+1] ^ W[j];
W[j+2] = W[j-Nk+2] ^ W[j+1];
W[j+3] = W[j-nk+3] ^ W[j+2];
if(Nk == 4) continue;
if(Nk>6) tmp = g(W[j+3]);
else tmp = W[j+3];
W[j+4] = W[j-Nk+4] ^ tmp;
if(Nk == 5) continue;
W[j+5] = W[j-Nk+5] ^ W[j+4];
if(Nk == 6) continue;
W[j+6] = W[j-Nk+6] ^ W[j+5];
if(Nk == 6) continue;
W[j+7] = W[j-Nk+7] ^ W[j+6];
}
if(Wlen-j != 0)
{
W[j++] = W[j-Nk] ^ f(W[j-1],k++);
while(Wlen-j > 0)
W[j++] = W[j-Nk] ^ W[j-1];
}
}
Here, the rst Nk words of the expanded key are
set to the secret key. The remaining Wlen Nk
words are generated by a series of iterations. Each
iteration expands the key Nk words. Let q be the
number of the iterations. Then, we have
Wlen Nk = q Nk + r
for some r < Nk. If r = 0, the iteration stops. If
not, r more words are generated. Also, we use only
the transformation f but not g in this last expansion,
because of the fact that r < 4 for all possible values
of Nb when Nk > 6.
8