Documente Academic
Documente Profesional
Documente Cultură
iq/depcs
ComputerandDatasecurity
4thClass
. :
use a key to control encryption and decryption; a message can be decrypted only if
the key matches the encryption key. The key used for decryption can be different
from the encryption key, but for most algorithms they are the same.
There are two classes of key-based algorithms, symmetric (or secret-key) and
asymmetric (or public-key) algorithms. The difference is that symmetric
algorithms use the same key for encryption and decryption (or the decryption key
is easily derived from the encryption key), whereas asymmetric algorithms use a
different key for encryption and decryption, and the decryption key cannot be
derived from the encryption key.
Symmetric algorithms can be divided into stream ciphers and block ciphers.
Stream ciphers can encrypt a single bit of plaintext at a time, whereas block ciphers
take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a
single unit.
Asymmetric ciphers (also called public-key algorithms or generally public-key
cryptography) permit the encryption key to be public (it can even be published in
a newspaper), allowing anyone to encrypt with the key, whereas only the proper
recipient (who knows the decryption key) can decrypt the message. The encryption
key is also called the public key and the decryption key the private key or secret
key.
Modern cryptographic algorithms cannot really be executed by humans. Strong
cryptographic algorithms are designed to be executed by computers or specialized
hardware devices. In most applications, cryptography is done in computer
software, and numerous cryptographic software packages are available.
2
Digital Signatures
Some public-key algorithms can be used to generate digital signatures. A
digital signature is a block of data that was created using some secret key, and
there is a public key that can be used to verify that the signature was really
generated using the corresponding private key. The algorithm used to generate the
signature must be such that without knowing the secret key it is not possible to
create a signature that would verify as valid.
Digital signatures are used to verify that a message really comes from the claimed
sender (assuming only the sender knows the secret key corresponding to his/her
public key). They can also be used to timestamp documents: a trusted party signs
the document and its timestamp with his/her secret key, thus testifying that the
document existed at the stated time.
Digital signatures can also be used to testify (or certify) that a public key belongs
to a particular person. This is done by signing the combination of the key and the
information about its owner by a trusted key. The reason for trusting that key may
again be that it was signed by another trusted key. Eventually some key must be a
root of the trust hierarchy (that is, it is not trusted because it was signed by
somebody, but because you believe a priori that the key can be trusted). In a
centralized key infrastructure there are very few roots in the trust network (e.g.,
trusted government agencies; such roots are also called certification authorities).
In a distributed infrastructure there need not be any universally accepted roots,
and each party may have different trusted roots (such of the party's own key and
any keys signed by it). This is the web of trust concept used e.g. in PGP.
A digital signature of an arbitrary document is typically created by computing a
message digest from the document, and concatenating it with information about
the signer, a timestamp, etc. The resulting string is then encrypted using the private
key of the signer using a suitable algorithm. The resulting encrypted block of bits
is the signature. It is often distributed together with information about the public
key that was used to sign it. To verify a signature, the recipient first determines
whether it trusts that the key belongs to the person it is supposed to belong to
(using the web of trust or a priori knowledge), and then decrypts the signature
using the public key of the person. If the signature decrypts properly and the
information matches that of the message (proper message digest etc.), the signature
is accepted as valid.
Several methods for making and verifying digital signatures are freely available.
The most widely known algorithm is RSA.
4
available
in
most
programming
languages
or
programming
environments are not suitable for use in cryptographic applications (they are
designed for statistical randomness, not to resist prediction by cryptanalysts).
In the optimal case, random numbers are based on true physical sources of
randomness that cannot be predicted. Such sources may include the noise from a
semiconductor device, the least significant bits of an audio input, or the intervals
5
between device interrupts or user keystrokes. The noise obtained from a physical
source is then "distilled" by a cryptographic hash function to make every bit
depend on every other bit. Quite often a large pool (several thousand bits) is used
to contain randomness, and every bit of the pool is made to depend on every bit of
input noise and every other bit of the pool in a cryptographically strong way.
When true physical randomness is not available, pseudorandom numbers must be
used. This situation is undesirable, but often arises on general purpose computers.
It is always desirable to obtain some environmental noise - even from device
latencies, resource utilization statistics, network statistics, keyboard interrupts, or
whatever. The point is that the data must be unpredictable for any external
observer; to achieve this, the random pool must contain at least 128 bits of true
entropy.
Cryptographic pseudorandom generators typically have a large pool ("seed value")
containing randomness. Bits are returned from this pool by taking data from the
pool, optionally running the data through a cryptographic hash function to avoid
revealing the contents of the pool. When more bits are needed, the pool is stirred
by encrypting its contents by a suitable cipher with a random key (that may be
taken from an unreturned part of the pool) in a mode which makes every bit of the
pool depend on every other bit of the pool. New environmental noise should be
mixed into the pool before stirring to make predicting previous or future values
even more impossible.
Even though cryptographically strong random number generators are not very
difficult to built if designed properly, they are often overlooked. The importance of
the random number generator must thus be emphasized - if done badly, it will
easily become the weakest point of the system.
unbreakable by brute force for the foreseeable future. Even larger keys are
possible; in the end we will encounter a limit where the energy consumed by the
computation, using the minimum energy of a quantum mechanic operation for the
energy of one step, will exceed the energy of the mass of the sun or even of the
universe.
However, key length is not the only relevant issue. Many ciphers can be broken
without trying all possible keys. In general, it is very difficult to design ciphers that
could not be broken more effectively using other methods. Designing your own
ciphers may be fun, but it is not recommended in real applications unless you are a
true expert and know exactly what you are doing.
One should generally be very wary of unpublished or secret algorithms. Quite
often the designer is then not sure of the security of the algorithm, or its security
depends on the secrecy of the algorithm. Generally, no algorithm that depends on
the secrecy of the algorithm is secure. Particularly in software, anyone can hire
someone to disassemble and reverse-engineer the algorithm. Experience has shown
that a vast majority of secret algorithms that have become public knowledge later
have been pitifully weak in reality.
The key lengths used in public-key cryptography are usually much longer than
those used in symmetric ciphers. There the problem is not that of guessing the right
key, but deriving the matching secret key from the public key. In the case of RSA,
this is equivalent to factoring a large integer that has two large prime factors. In the
case of some other cryptosystems it is equivalent to computing the discrete
logarithm modulo a large integer (which is believed to be roughly comparable to
factoring). Other cryptosystems are based on yet other problems.
8
To give some idea of the complexity, for the RSA cryptosystem, a 256 bit modulus
is easily factored by ordinary people. 384 bit keys can be broken by university
research groups or companies. 512 bits is within reach of major governments. Keys
with 768 bits are probably not secure in the long term. Keys with 1024 bits and
more should be safe for now unless major algorithmic advances are made in
factoring; keys of 2048 bits are considered by many to be secure for decades. More
information on RSA key length is in an article by Bruce Schneier.
It should be emphasized that the strength of a cryptographic system is usually
equal to its weakest point. No aspect of the system design should be overlooked,
from the choice algorithms to the key distribution and usage policies.
Ciphertext-only attack: This is the situation where the attacker does not
know anything about the contents of the message, and must work from
ciphertext only. In practice it is quite often possible to make guesses about
the plaintext, as many types of messages have fixed format headers. Even
ordinary letters and documents begin in a very predictable way. It may also
be possible to guess that some ciphertext block contains a common word.
Known-plaintext attack: The attacker knows or can guess the plaintext for
some parts of the ciphertext. The task is to decrypt the rest of the ciphertext
9
blocks using this information. This may be done by determining the key
used to encrypt the data, or via some shortcut.
10
11
Mathematical Background
-1-5:
Finite Fields
.
( AES )Advanced Encryption Standard
. Curve Elliptic
. .
.
.
-2-5 :Prime Numbers
) (
. 2357 11 .
) (x
= 1
) (x
Lim x ---------X
--------)ln (x
X ) (x
)X / ln (x
x:
M 200 .
10 200
P
10 200
P
-3-5
) ( a, b D a, b D
a mod D =0 and b mod D = 0
10 15 5
GSD(10,15) = 5
10 5
15 5
)GCD(a, b) =GCD(b, a
a, b ) (prime number GCD( a, b) = 1
a b ( a > b) a:
GCD(a ,b) = 1
:
)GCD(a, b) = GCD(b, a mod b
:
)GCD( 39,36
=)GCD (A1,B1
R1
Q1
* B1
A1
R2
Q2
* B2
A2
R3
Q3
* B3
A3
+ R4
Q4
B4
A4
1
A1
B1
Q1
R1
.
.
.
.
.
.
.
.
An = Bn * Qn + Rn
GCD (A1,B1) = Bn
)GCD( 1970,1066
)= 1066 * 1 + 904 . GCD(1970,1066
)= 904 * 1 + 162 .. GCD(1066,904
= 162 * 5 + 94
) GCD(904,162
= 94 * 1 + 68
)GCD(94 , 68
)= 68 * 1 + 26 .. GCD( 68 ,26
= 26 * 2 + 16
). GCD( 26,16
= 10 * 1 + 6
) GCD(16,10
= 6*1+4
) GCD(10,6
= 4*1 +2
)GCD(6,4
= 2* 2 + 0
)GCD(4,2
Bn
1970
1066
904
162
94
86
16
10
6
4
GCD(1970,1066) = 2
)LCM(a, b) = |a * b | GCD(a, b
)GCD(4864,3458
4864 = 3458 * 1 + 1406
3458= 1046 *2 + 646
1406 = 646 *2 + 114
646 = 114* 5 + 76
114 = 67 * 1 + 38
76 = 38 *2 + 0
GCD(4864,3458) = 38
)LCM(3864,3458) = |3864 * 3458 | / GCD(4864,3458
= 16819712 / 38
= 442624
-2
: )LCM(4864,3458
3458
1729
247
19
1
2 4864
2 2432
2 1216
2 608
2 304
2 152
2 76
2
38
2 19
19
1
2
7
13
19
4864 = 28 * 19
3458 = 2 * 7 * 13 * 19
3459
LCM(4864,3458) = 28 * 7 * 13 * 19
= 442624
P
: )LCM(93,36
)LCM(93,36) = |93 * 36| / GCD(93,36
= 3348 / 3
= 1116
-5-5
Modular
Modular
C = a MOD b
a
b
C
a , n :
0 r < n
q= a/n
a=q n+r
r=aq*n
: a = 11 , n = 7 q , r
q
= a / n = 11/ 7 = 1
r
= 11 1 * 7 = 4
11 = 1 * 7 + 4
: a = -11 , n = 7 q , r
q = a / n = -11 / 7 = -1
r = a - q * n = -11 - (-1) * 7 = -4
-11 = -1 * 7 + (-4) = -11
-6-5 :
C = a mod b
C = Remainder of dividing a by b.
C = 25 mod 6
C=1
n a a n
q r :
q = a/n
;0r<n
A = qn + r
:
;11 = 1 * 7 + 4
;n = 7
;A = 11
r=4
-11 = (-2) * 7 + 4; r = 3
;n = 7
;A = -11
11 mod 7 = 4;
-11 mod 7 = 3;
21 -9 mod 10
:
:
123-
a b mod n if n (a-b).
a b mod n implies b a mod n.
a b mod n and b c mod n imply a c mod n
:
:
:
U
117 mod 13
112 = 121= 4 mod 13
114 = 42 = 3 mod 13
117=11*4*3 132 2 mod 13 = 2
(m) = m - 1
)(5
= }{ 1, 2, 3, 4
(5) = m -1= 5 - 1 = 4
Gcd(5,1) = 1
: )(3 3
P
}{ 1,2,3,4,5,7,8,10,11,13,14,16,17,19,20,22,23,24,25,26
-3
m1 , m2 :
)(m1*m2) =(m1-1)(m2-1
(10) :
)(10) = ( 2 * 5 ) = (2 -1) (5-1
= 1* 4 = 4
= }{ 1,3,7,9
-4 m :
1
e 1
Pi
i =1
= )(m
RP
RP
RP
RP
RP
RP
(20)
(20)= (2 ) * (5 )
=(22-1)(2-1)(51-1)(5-1)
= (2)(1)(1)(4) = 2*4= 8
{ 1,3,9,11.13.17.19}=
2
-8-5
X
. a , n ,b
a X mod n = b
, gcd (a, n) =1
X=[ b * inv(a , n ) ] mod n
X inv
Algorithm inv(a ,n);
{
' Return x such that ax mod n = 1 where 0 < a < n '
g0 = n ; g1 = a ;
u 0 = 1 ; v0 = 0;
u1 = 0; v1 = 1;
i=1;
while g i <> 0 do "g i =ui *n + vi *a;
{
y= gi-1 div g i ;
g i+1 = gi-1 y * gi ;
u i+1 = u i-1 y * u i ;
v i+1 = v i-1 y * v i ;
i =i
+1
}
x= vi-1;
if x >= 0 then inv = x else inv = x + n;
}
R
3 X mod 26 = 6
: X :
a= 3 n= 26
b = 6
Inv(3,26)
g0 = 26
g1 = 3
U0 = 1 V0 = 0
U 1 =0 v1 =1
i=1
g1 <> 0
y =g0 div g 1 = 26 div 3 = 8
g 2 = g0 y * g 1 = 26 8*3 =26 -24 =2
u2 = u0 y * u1 = 1 8 * 0 = 1- 0 =1
v 2 = v0 - y * v 1 = 0 8 * 1 = 0 8 = - 8
R
i=i+1 = 1+1 = 2
y= g 1 div g 2 = 3 div 2 = 1
g 3 = g 1 y * g2 = 3 1 * 2 = 3 2 = 1
u 3 = u1 y * u 2 = 0 1 * 1 = 0 1 = -1
v 3 = v1 - y * v 2 = 1 1 * -8 = 1 + 8 = 9
R
i=i+1 = 1+2 = 3
y= g 2 div g 3 = 2 div 1 = 2
g4 = g2 y * g 3 = 3 1 * 2 = 3 2 = 1
u 4 = u2 y * u 3 = 0 1 * 1 = 0 1 = -1
v 4 = v2 - y * v 3 = 1 1 * -8 = 1 + 8 = 9
i=i+1 = 1+3 = 4
g4= 0
x = v i-1 = v 3 = 9
if x >= 0 then inv = x=9
R
fast exponentiation
-9-5
algorithm
Algorithm fastexp(a,z,n)
Begin "return x = az nod n "
A1 = a ; z1 = z ;
X =1 ;
While z1 0
{
while z1 mod 2 = 0
{
z1 = z1 div 2
a1 = (a1 * a1 ) mod n
}
z1 = z1 - 1
x = ( x * a1 ) mod n
}
fastexp = x
end
:
3 X mod 26 = 6
n= 26
n= 2 *13
(n)= 2(1-1)*(-2)*13(1-1)*(13-1)
= 12
(n)-1 = 12 - 1 = 11
P
fastexp(a, (n)-1,n)
fastexp(3,11,26)
a1= 3
z1 = 11 n=26
first ilt
x=1
while z1 mod 2 = 0 false
z1 = z1 v- 1 = 11-1 = 10
x = (x * a1 ) nod n = (1 * 2 ) nod 26 = 3
second while
while z1 mod 2 = 0 true
z1 = z1 div 2 = 10 div 2 = 5
a1 = ( a1 * a1 ) mod n = ( 3 * 3 ) mod 26 = 9
z1 = z1 -1 = 5 - 1 = 4
x = ( x * a1 ) mod n = ( 3 * 9 ) mod 26 = 1
third ilt
while z1 mod 2 = 0 true
z1 = z1 div 2 = 2
z1 =z1-1 = 1- 1 = 0
final x = 9
x= b * fastexp(a, (n) -1,n ) mod n
= 6 * 9 mod 26
=3
X
3
X= 2 mod 5
X = a1z1 mod n
a1 = 2
z1 = 3 x = 1 n = 5
First ilt
P
11 mod 8 = 3 , 15 mod 8 = 7
[ ( 11mod 8] + ( 15 mod 8 ) ] mod 8 = ( 11 + 15 ) mod 8
= 26 mod 8 = 2
2- [ ( a mod n] - ( b mod n ) ] mod n = (a + b ) mod n
[ ( 11mod 8] - ( 15 mod 8 ) ] mod 8 = ( 11 - 15 ) mod 8
= -4 mod 8 = 4
3- [ ( a mod n] * ( b mod n ) ] mod n = (a *b ) mod n
[ ( 11mod 8] * ( 15 mod 8 ) ] mod 8 = ( 11 * 15 ) mod 8
= 165 mod 8 = 5
4 mod 11
4 * 4 mod
5 * 5 mod
3 * 5 mod
4 * 4 mod
7
4 mod 11 =
P
= ( 4 * 4 + 4*4 + 4*4 + 4 ) mod 11
11 = 16 mod 11 = 5
11 = 25 mod 11 = 3
11 = 15 mod 11 = 4
11 = 5
5
10-5
Commutative
Associative
Distributive
Identities
X+Y MOD 7
+
0
1
2
3
4
5
0
0
1
2
3
4
5
1
1
2
3
4
6
0
2
2
3
4
5
6
0
3
3
4
5
6
0
1
4
4
5
6
0
1
2
5
5
6
0
1
2
3
6
6
0
1
2
3
4
X*Y MOD 7
0
5
6
0
1
2
3
0
6
0
1
2
3
4
0
3
4
5
6
0
1
0
4
5
6
0
1
2
0
2
3
4
5
6
0
0
0
0
0
0
0
5
0
1
2
3
4
6
0
*
0
1
2
3
4
5
11-5
) ( Mod
.
.
):(2x2
-b
a
d
-c
ad bc
-1
P
b
d
P
=
2
4
a
c
=A
1
3
-2
-3
-2
-3
-1
1
---2
P
-1
P
-1
P
23
11
55
mod 11=
23
:( 3*3)
D i,j / det(A)
i,j
[A ] i,j = (-1 )
D i,j
j i
det(A)
A-1
R
K 11 k12 k13
A=
k 21 k22 k23
K 31 k32 k33
R
M=
1 1 1
1 2 3
1 7 9
n= 11
K 11 =
R
2 3
4 9
(-1) 1+1
= abs( 18 12 ) = 6
K 11 mod n = 6 mod 11 = 6
R
1 3
1 9
k 12 = (-1) 1+2
R
= -1 abs (9-3 ) = -6
mod n = - 6 mod 11
k12
R
1
1
2
3
= (3 -2 ) = 1
1
4
1
9
= - ( 9 - 4 ) = -5
k22 = (-1) 2+2
1
1
=( 9 -1 )
= 8
k23 = ( -1 ) 2+3
R
1
1
1
9
1
4
= -1 ( 4 -1 ) = -1 * 3 = -3
K 31 = (-1) 3+1
R
1
2
1
3
=( 3 -2) = 1
1
1
k 32 = ( -1 ) 3+2
R
1
3
= (-1) ( 3 1 ) = -2
1
1
=( 2
-1)=1
6 -6
-5 8
1 -8
D =
6
-6
2
D=
1
2
2
-3
-1
-5
8
-3
1
-2
1
PR
a-112
P
PR
PR
PR
PR
a-131
P
PR
a-132
P
PR
a-133
PR
Classical Encryption
Codes, Ciphers, Encryption and Cryptography
Caesar Cipher
Atbash Cipher
Keyword Cipher
Polybius Square
Polyalphabetic Ciphers
Vigenre Cipher
Beaufort Cipher
Autokey Cipher
Polygraphic Ciphers
Instead of substituting one letter for another letter, a polygraphic cipher performs
substitutions with two or more groups of letters. This has the advantage of masking
the frequency distribution of letters, which makes frequency analysis attackes
much more difficult.
Playfair Cipher
Bifid Cipher
Trifid Cipher
Four-square cipher
Transposition Ciphers
Unlike substitution ciphers that replace letters with other letters, a transposition
cipher keeps the letters the same, but rearranges their order according to a specific
algorithm.
Rail Fence
Route Cipher
Columnar Transposition
2
Book Cipher
Beale Cipher
Morse Code
Tap Code
One-time Pad
Scytale
Semaphore
ASCII
Steganography
Transposition Ciphers
Rail Fence
In the rail fence cipher, the plaintext is written downwards on successive "rails" of
an imaginary fence, starting a new column when the bottom is reached. The
message is then read off in rows. For example, if we have 3 rails and a message of
"This is a secret message", you would write out:
TSACTSG
HISRMSE
ISEEEAJ
The last J is just a random letter to fill in the space. The secret message is then
condensed and regrouped.
3
Ciphertext
TSACTSGHISRMSEISEEEAJ
Decipher
Encipher
Route Cipher
A Route Cipher is very similar to a Rail Fence cipher with one exception. You still
write the message vertically in columns, but instead of reading off the secret
message horizontally, you read it off using a predetermined pattern. For example,
lets use a spiral pattern for this one:
TSACTSG
HISRMSE
ISEEEAJ
The last J is just a random letter to fill in the space. If we are using a clockwise
spiral to read off the message, then it becomes:
TSACTSGEJAEEESIHISRMSE
A more complex pattern could be, "every other letter going backwards to the front
and then every other letter going forwards to the end again", which would give you
a secret message of:
JEEISRIGTATSCSHSMESEA
The complex pattern makes this algorithm difficult to decipher unless you know
the key.
Columnar Transposition
In a columnar transposition, the message is written out in rows of a fixed length.
The message is then read out by column by column, where the columns are chosen
in some scrambled order. The number of columns and the order in which they are
chosen is defined by a keyword. For example, the word ZEBRAS is 6 letters long.
Therefore, there are 6 columns that will be read of in the following order: 6 3 2 4 1
5. The order is chosen by the alphabetical order of the letters in the keyword.
****************Regular Case
In a regular columnar transposition cipher, the empty spaces are filled with random
letters. For example, suppose we use the keyword ZEBRAS and the message WE
ARE DISCOVERED FLEE AT ONCE. Our grid would look like this:
ZEBR AS
632415
-----WEARED
ISCOVE
REDFLE
EATONC
EQKJEU
The six columns are now written out in the scrambled order defined by the
keyword:
EVLNE ACDTK ESEAQ ROFOJ DEECU WIREE
**************************** Irregular Case
In the irregular case, the empty letters are not filled in with random letters:
ZEBR AS
632415
-----WEARED
ISCOVE
REDFLE
EATONC
E
6
ZEBRAS
Plaintext
Ciphertext
WEAREDISCOVEREDFLEEATONCE
EVLNAACDTJESEAIROFOFDEECBWIREE
Encipher
Decipher
Monoalphabetic Ciphers
Caesar Cipher
A Caesar cipher is one of the simplest (and easiest cracked) encryption methods.
It is a Substitution Cipher that involves replacing each letter of the secret message
with a different letter of the alphabet which is a fixed number of positions further
in t he a lphabet. B ecause each letter in t he message has a di rect t ranslation t o
another l etter, frequency a nalysis can b e u sed to decipher t he message. F or
example, the l etter E is the most commonly used letter in t he E nglish language.
Thus, i f t he most co mmon letter in a s ecret message i s K, i t is like ly t hat K
represents E . Additionally, c ommon word endings s uch a s I NG, L Y, a nd ES a lso
give clues. A brute-force a pproach of trying all 25 possible combinations would
also work to decipher the message.
Example
In this example, each letter in the plaintext message has been shifted 3 letters down
in the alphabet.
Plaintext: This is a secret message
Ciphertext: wklv lv d vhfuhw phvvdjh
Plaintext
Ciphertext
Encipher
Decipher
Atbash Cipher
The Atbash cipher is a very specific case of a substitution cipher where the
letters of the alphabet are reversed. In otherwords, all As are replaced with Zs, all
Bs are replaced with Ys, and so on. Because reversing the alphabet twice will get
you actual alphabet, you can encipher and decipher a message using the exact same
algorithm.
Example
Plaintext: This is a secret message
Ciphertext: Gsrh rh z hvxivg nvhhztv
Ciphertext
Encipher
Keyword Cipher
The Keyword cipher is identical to the Caesar Cipher with the exception that the
substitution alphabet used can be represented with a keyword. To create a
substitution alphabet from a keyword, you first write down the alphabet. Below
this you write down the keyword (omitting duplicate letters) followed by the
remaining unused letters of the alphabet.
ABCDEFGHIJKLMNOPQRSTUVWXYZ
KEYWORDABCFGHIJLMNPQSTUVXZ
To encipher a plaintext message, you convert all letters from the top row to their
correspondng letter on the bottom row (A to K, B to E, etc). These types of simple
substitution ciphers can be easily cracked by using frequency analysis and some
educated guessing.
Keyword Cipher Encoder
Keyword:
keyw ord
Plaintext
Ciphertext
Encipher
Decipher
10
Polybius Square
A Polybius Square is a table that allows someone to translate letters
into numbers. To give a small level of encryption, this table can be
randomized and shared with the recipient. In order to fit the 26 letters
of the alphabet into the 25 spots created by the table, the letters i and j are usually
combined.To encipher a message you replace each letter with the row and column
in which it appears. For example, D would be replaced with 14. To decipher a
message you find the letter that intersects the specified row and column.
1 A B
C D E
2 F
H I
3 L
M N O P
11
4 Q R
5 V W X Y Z
Example:
Plaintext: This is a secret message
Ciphertext: 44232443 2443 11 431513421544 32154343112215
Ciphertext
Decipher
Encipher
Polyalphabetic Ciphers
Vigenre Cipher
In a Caesar Cipher, each letter of the alphabet is shifted along some number of
places; for example, in a Caesar cipher of shift 3, A would become D, B would
12
become E and so on. The Vigenere cipher consists of using several Caesar ciphers
in sequence with different shift values.
To encipher, a table of alphabets can be used, termed a tabula recta, Vigenre
square, or Vigenre table. It consists of the alphabet written out 26 times in
different rows, each alphabet shifted cyclically to the left compared to the previous
alphabet, corresponding to the 26 possible Caesar ciphers. At different points in the
encryption process, the cipher uses a different alphabet from one of the rows. The
alphabet used at each point depends on a repeating keyword.
For example, suppose that the plaintext to be encrypted is:
ATTACKATDAWN
The person sending the message chooses a keyword and repeats it until it matches
the length of the plaintext, for example, the keyword "LEMON":
LEMONLEMONLE
Each letter is encoded by finding the intersection in the grid between the plaintext
letter and keyword letter. For example, the first letter of the plaintext, A, is
enciphered using the alphabet in row L, which is the first letter of the key. This is
done by looking at the letter in row L and column A of the Vigenere square,
namely L. Similarly, for the second letter of the plaintext, the second letter of the
key is used; the letter at row E and column T is X. The rest of the plaintext is
enciphered in a similar fashion:
Plaintext: ATTACKATDAWN
Key:
LEMONLEMONLE
Ciphertext: LXFOPVEFRNHR
13
A Beaufort cipher uses the same alphabet table as the Vigenre cipher, but with a
different algorithm. To encode a letter you find the letter in the top row. Then trace
down until you find the keyletter. Then trace over to the left most column to find
the enciphered letter. To decipher a letter, you find the letter in the left column,
trace over to the keyletter and then trace up to find the deciphered letter. Some
people find this easier to do than finding the intersection of a row and column
Autokey Cipher
To encrypt a plaintext message using the Vigenre Cipher, one locates the
row with the first letter to be encrypted, and the column with the first letter of the
keyword. The ciphertext letter is located at the intersection of the row and column.
this continues for the entire length of the message.
An Autokey cipher is identical to the Vigenre cipher with the exception that
instead of creating a keyword by repeating one word over and over, the keyword is
constructed by appending the keyword to the beginning of the actual plaintext
message.
For example, if your plain text message was:
This is a secret message
And your keyword was "zebra", then your actual keyword would be:
zebrathisisasecretmessage
Enciphering and deciphering the message is performed using the exact same
method as the Vigenre Cipher
15
Polygraphic Ciphers
Instead of substituting one letter for another letter, a polygraphic cipher
performs substitutions with two or more groups of letters. This has the advantage
of masking the frequency distribution of letters, which makes frequency analysis
attackes much more difficult.
Playfair Cipher
The Playfair cipher encrypts pairs of letters (digraphs), instead of single letters.
This is significantly harder to break since the frequency analysis used for simple
substitution ciphers is considerably more difficult.
16
Memorization of the keyword and 4 simple rules is all that is required to create the
5 by 5 table and use the cipher.
KEYWO
RDABC
FG H I J
LM N PS
TUVXZ
The Playfair cipher uses a 5 by 5 table containing a key word or phrase. To
generate the table, one would first fill in the spaces of the table with the letters of
the keyword (dropping any duplicate letters), then fill the remaining spaces with
the rest of the letters of the alphabet in order (to reduce the alphabet to fit you can
either omit "Q" or replace "J" with "I"). In the example to the right, the keyword is
"playfair example".
To encrypt a message, one would break the message into groups of 2 letters. If
there is a dangling letter at the end, we add an X. For example. "Secret Message"
becomes "SE CR ET ME SS AG EX". We now take each group and find them out
on the table. Noticing the location of the two letters in the table, we apply the
following rules, in order.
1. If both letters are the same, add an X between them. Encrypt the new pair,
re-pair the remining letters and continue.
2. If the letters appear on the same row of your table, replace them with the
letters to their immediate right respectively, wrapping around to the left side
of the row if necessary. For example, using the table above, the letter pair GJ
would be encoded as HF.
17
3. If the letters appear on the same column of your table, replace them with the
letters immediately below, wrapping around to the top if necessary. For
example, using the table above, the letter pair MD would be encoded as UG.
4. If the letters are on different rows and columns, replace them with the letters
on the same row respectively but at the other pair of corners of the rectangle
defined by the original pair. The order is important - the first letter of the
pair should be replaced first. For example, using the table above, the letter
pair EB would be encoded as WD.
To decipher, ignore rule 1. In rules 2 and 3 shift up and left instead of down and
right. Rule 4 remains the same. Once you are done, drop any extra Xs that don't
make sense in the final message and locate any missing Qs or any Is that should be
Js.
Playfair Cipher Encoder / Decoder
Keyword:
keyw ord
Omit Q
Plaintext
Replace J with I
Ciphertext
thisisasecretmessage
vf jp jp cn od dk ul om nc md
Encipher
Decipher
18
Bifid Cipher
The Bifid Cipher uses a Polybius Square to encipher a message in a way that
makes it fairly difficult to decipher without knowing the secret. This is because
each letter in the ciphertext message is dependent upon two letters from the
plaintext message. As a result, frequency analysis of letters becomes much more
difficult.
1 2 3 4 5
1 A B C D E
2 F G H I
3 L M N O P
4 Q R S T U
5 V W X Y Z
The first step is to use the Polybius Square to convert the letters into numbers. We
will be writing the numbers vertically below the message.
secret message
411414 3144121
353254 2533125
The numbers are now read off horizontally and grouped into pairs.
41 14 14 31 44 12 13 53 25 42 53 31 25
19
The Polybius Square is used again to convert the numbers back into letters which
gives us our ciphertext.
qddltbcxkrxlk
Since the first letter in the plaintext is encoded into the first and middle letters of
the ciphertext, the recipient of the message must have the entire message before
they can decode it. This means that if part of the ciphertext is discovered by a third
party, it is unlikely that they will be able to crack it.
To decipher a Bifid encrypted message, you first convert each letter into its
corresponding number via the Polybius Square. Now, divide the long string of
numbers into two equal rows. The digit in the top row and the digit in the bottom
row will together reference the decoded letter in the Polybius Square.
The Bifid Cipher can be taken into three dimensions to slightly increase the
security of the message. This new cipher is called the Trifid Cipher.
Bifid Encoder / Decoder
Plaintext
Ciphertext
secretmessage
qddltbcxkrxlk
Decipher
Encipher
20
Trifid Cipher
The Trifid Cipher is the Bifid Cipher taken to one more dimension. Instead of
using a 5x5 Polybius Square, you use a 3x3x3 cube. Otherwise everything else
remains the same. As with the Bifid Cipher, the cube can be mixed to add an extra
layer of protection, but for these examples we not be using a mixed alphabet cube.
The first step is to use the cube to convert the letters into numbers. We will be
writing the numbers vertically below the message in the order of Layer, Column,
Row.
secret message
311213 2133111
123322 1211112
121321 2211132
The numbers are now read off horizontally and grouped into triplets.
311 213 213 311 112 332 212 111 121 213 212 211 132
The cube is used again to convert the numbers back into letters which gives us our
ciphertext.
Sppsdxmabpmjf
21
To decipher a Trifid encrypted message, you first convert each letter into its
corresponding number via the cube. Now, divide the long string of numbers into
three equal rows. Now, read off each column and use the cube to convert the three
numbers into the plaintext letter.
Layer 2
Layer 1
1 2 3
1 2 3
Layer 3
1
2 3
1 A B C
1 J
K L
1 S T U
2 D E F
2 M N O
2 V W X
3 G H I
3 P Q R
3 Y Z .
Ciphertext
secretmessage
sppsdxmabpmjf
Encipher
Decipher
22
Four-square cipher
The four-square cipher encrypts pairs of letters (digraphs) and is thus less
susceptible to frequency analysis attacks.
The four-square cipher uses four 5 by 5 matrices arranged in a square. Each of the
5 by 5 matrices contains the letters of the alphabet (usually omitting "Q" or putting
both "I" and "J" in the same location to reduce the alphabet to fit). In general, the
upper-left and lower-right matrices are the "plaintext squares" and each contain a
standard alphabet. The upper-right and lower-left squares are the "ciphertext
squares" and contain a mixed alphabetic sequence.
abcde
EXAM P
fghi j
LBC D F
klmno
GHIJK
prstu
NORST
vw xyz
UVWYZ
KEYWO
ab cde
RDABC
fgh ij
FG HIJ
k l mno
LMNPS
prstu
TUVXZ
vwxyz
To generate the ciphertext squares, one would first fill in the spaces in the matrix
with the letters of a keyword or phrase (dropping any duplicate letters), then fill the
remaining spaces with the rest of the letters of the alphabet in order. The foursquare algorithm allows for two separate keys, one for each of the two ciphertext
23
matrices. In the example to the right, "EXAMPLE" and "KEYWORD" have been
used as keywords. To encrypt a message you would first split the message into
digraphs. "This is a secret message" would become:
TH IS IS AS EC RE TM ES SA GE
abcde
EXAM P
fghi j
LBC D F
klmno
GHIJK
prstu
NORST
vw xyz
UVWYZ
KEYWO
abcde
RDABC
fg hij
FG HIJ
k l mno
LMNPS
prstu
TUVXZ
vwx yz
Once that was complete, you would take the first pair of letters and find the first
letter in the upper left square and the second letter in the lower right square. In this
example we are enciphering TH, so we locate T and H in the grid below (see blue
characters). Now, we find the intersections of the rows and columns of the plain
text letters. In this example, they have been highlighted in red (R and B). These
new letters are the enciphered digraph (RB).
You continue enciphering digraphs in this way until you reach the end of the
message. To continue our example, "This is a secret message" would be enciphered
as:
24
RB CP CP AL AO TE RI AS NY FE
Other Ciphers and Codes
ASCII
ASCII is a code used by computers to represent characters as numbers. This allows
computers to store a letter as one byte of information. One byte of information
allows you to represent 256 different values, which is enough to encode all the
letters (uppercase and lowercase) as well as the numbers 0-9 and other special
characters such as the @ symbol.
ASCII Encoder / Decoder
Plaintext
ASCII
Convert to ASCII
Beale Cipher
A beale cipher is a modified Book Cipher. Instead of replacing each word in the
secret message with a number, you replace each letter in the secret message with a
number. The letter by letter method makes it easier to encode a message with
unusual words that may not appear in the book. With this method, each letter in the
25
secret message is replaced with a number which represents the position of a word
in the book which starts with this letter. For example, if we are enciphering the
word "attack" we would start with the letter A. We would find a word in the book
that started with A. Lets say that the 27th word was "and". The letter A is now
translated to 27. An encoded message may look something like this.
713 23 245 45 124 1269 586 443 8 234
It should be noted that for enhanced security, the same number should not be used
for the same letter throughout the secret message. Because you have a book, you
can pick multiple numbers for each letter and use them interchangeably.
Beale Encoder
Plaintext
Book
secret
(To protect our server, these fields can hold a maximum of 5000 characters each)
Encipher
Beale Decoder
Ciphertext
Book
26
142563
(To protect our server, these fields can hold a maximum of 5000 characters each)
Decipher
Book Cipher
A book cipher uses a large piece of text to encode a secret message. Without the
key (the piece of text) it is very difficult to decrypt the secret message. To
implement a book cipher, each word in the secret message would be replaced with
a number which represents the same word in the book. For example, if the word
"attack" appeared in the book as word number 713, then "attack" would be
replaced with this number. The result would be an encoded message that looked
something like this.
713 23 245 45 124 1269 586 443 8 234
To decipher the message you simply count the number of words in the book and
write down each one
Frequency Analysis
Frequency Analysis is a cryptanalysis technique of studying the frequency that
letters occur in the encrypted ciphertext. In English, certain letters are more
27
commonly used than others. This fact can be used to take educated guesses at
deciphering a Monoalphabetic Substitution Cipher.
Here is the alphabet in order of the frequency that each letter is used.
E, T, A, O, I, N, S, R, H, L, D, C, U, M, F, P, G, W, Y, B, V, K, X, J, Q, Z
Morse Code
Morse code is a method for transmitting information, using standardized
sequences of short and long marks or pulses - commonly known as "dots" and
"dashes" - for the letters, numerals, punctuation and special characters of a
message.
Originally created for Samuel Morse's electric telegraph in the mid-1830s, it was
also extensively used for early radio communication beginning in the 1890s.
However, with the development of more advanced communications technologies,
the widespread use of Morse code is now largely obsolete.
When using morse code, a dash is equal to three dots. A space between parts of the
same letter is equal to one dot. A space between two letters is equal to three dots
and a space between two words is equal to five dots.
Morse Code Encoder / Decoder
Please use a period (.) for a dot and a minus (-) for a dash. When typing morse
code, use a space to separate letters and a double space to separate words.
Plaintext
Morse Code
28
This is a message
Encode
Decode
One-time Pad
The one-time pad is a long sequence of random letters. These letters are combined
with the plaintext message to produce the ciphertext. To decipher the message, a
person must have a copy of the one-time pad to reverse the process. A one-time
pad should be used only once (hence the name) and then destroyed. This is the first
and only encryption algorithm that has been proven to be unbreakable.
To encipher a message, you take the first letter in the plaintext message and add it
to the first random letter from the one-time pad. For example, suppose you are
enciphering the letter S (the 19th letter of the alphabet) and the one-time pad gives
you C (3rd letter of the alphabet). You add the two letters and subtract 1. When
you add S and C and subtract 1, you get 21 which is U. Each letter is enciphered in
this method, with the alphabet wrapping around to the begining if the addition
results in a number beyond 26 (Z).
To decipher a message, you take the first letter of the ciphertext and subtract the
first random letter from the one-time pad. If the number is negative you wrap
around to the end of the alphabet.
Example
29
plaintext : SECRETMESSAGE
one-time pad: CIJTHUUHMLFRU
ciphertext : UMLKLNGLEDFXY
One-time Pad Encoder / Decoder
Plaintext / Ciphertext
One-time pad
CIJTHUUHMLFRU
SECRETMESSAGE
Encipher
Decipher
Enciphered Message:
UMLKLNGLEDFXY
Semaphore
Sempahore is similar to Morse code in that each letter of a message is translated
into another form to allow it to be more easily communicated. While Morse code is
used to send messages electronically over a telegraph line, semaphore is used to
visually communicate information over long distances.
To use semaphore, an operator holds a flag or lighted wand in each hand. The
operator extends their arms to the correct position and pauses for each letter of the
message. "Attention" is the only signal that involves movement and the "rest"
position is the only time when the flags should cross.
30
Tap Code
The Tap Code is a code (similar to Morse Code), commonly used by prisoners in
jail to communicate with one another. The method of communicating is usually by
"tapping" either the metal bars or the walls inside the cell, hence its name. It is a
very simple code, not meant to avoid interception, since the messages are sent in
cleartext.
It was reportedly invented by four POWs imprisoned in
Vietnam and is sometimes called "Smitty Code" after Captain
Carlyle ("Smitty") Harris. Harris remembered an Air Force
1 2 3 4 5
1 A B C D E
2 F G H I
3 L M N O P
5 V W X Y Z
31
Please use a period (.) for a tap. When typing tap code, use a space to separate tap
groups, a double space to separate letters and a / to separate words.
Plaintext
Morse Code
This is a message
Encode
Decode
32
Block Cipher
Block Cipher - An encryption scheme that "the clear text is broken up into blocks of fixed length, and encrypted
one block at a time".
Usually, a block cipher encrypts a block of clear text into a block of cipher text of the same length. In this case, a
block cipher can be viewed as a simple substitute cipher with character size equal to the block size.
ECB Operation Mode - Blocks of clear text are encrypted independently. ECB stands for Electronic Code
Book. Main properties of this mode:
Identical clear text blocks are encrypted to identical cipher text blocks.
Re-ordering clear text blocks results in re-ordering cipher text blocks.
An encryption error affects only the block where it occurs.
CBC Operation Mode - The previous cipher text block is XORed with the clear text block before applying the
encryption mapping. Main properties of this mode:
An encryption error affects only the block where is occurs and one next block.
Product Cipher - An encryption scheme that "uses multiple ciphers in which the cipher text of one cipher is
used as the clear text of the next cipher". Usually, substitution ciphers and transposition ciphers are used
alternatively to construct a product cipher.
Iterated Block Cipher - A block cipher that "iterates a fixed number of times of another block cipher, called
round function, with a different key, called round key, for each iteration".
Feistel Cipher - An iterate block cipher that uses the following algorithm:
Input:
T: 2t bits of clear text
k1, k2, ..., kr: r round keys
f: a block cipher with bock size of t
Output:
C: 2t bits of cipher text
Algorithm:
(L0, R0) = T, dividing T in two t-bit parts
(L1, R1) = (R0, L0 ^ f(R0, k1))
(L2, R2) = (R1, L1 ^ f(R1, k2))
......
C = (Rr, Lr), swapping the two parts
DES Cipher - A 16-round Feistel cipher with block size of 64 bits. DES stands for Data Encryption Standard.
security
completely specified
2
easy to understand
public
efficient to use
able to be validated
exportable
Public response indicated that there was considerable interest in a cryptographic standard,
but little public expertise in the field. Most of the submissions are reworked classical or
machine cipher; none of the submissions came close to meeting the requirements.
However, IBM submitted an algorithm based on one developed by IBM during the early
1970s, called Lucifer. The algorithm, although complicated, was straightforward. It used
only simple logical operations on small groups of bits and could be implemented fairly
efficiently in hardware.
The proposed standard was adopted as a federal standard in November, 1976 and authorized
for use on all unclassified government communications. ANSI approved DES as a privatesector standard in 1980.
6.2 Description of DES
DES is a block cipher; it encrypts data in 64-bit blocks. A 64-bit block of plaintext
goes in one end of the algorithm and a 64-bit block of ciphertext comes out
the other end. DES is a symmetric algorithm: The same algorithm and key are used for both
encryption and decryption (except for minor differences in the key
schedule).
The key length is 56 bits. (The key is usually expressed as a 64-bit number, but
3
every eighth bit is used for parity checking and is ignored. These parity bits are
the least- significant bits of the key bytes.) The key can be any 56-bit number and can be
changed at any time. All security rests within the key.
At its simplest level, the algorithm is nothing more than a combination of the two
basic techniques of encryption: confusion and diffusion. The fundamental building block of
DES is a single combination of these techniques (a substitution followed by a permutation)
on the text, based on the key. This is known as a round. DES has 16 rounds; it applies the
same combination of techniques on the plaintext block 16 times (see Figure 6.1).
In each round (see Figure 6.2), the key bits are shifted, and then 48 bits are selected from the
56 bits of the key. The right half of the data is expanded to 48 bits via an expansion
permutation, combined with 48 bits of a shifted and permuted key via an XOR, sent through
8 S-boxes producing 32 new bits, and permuted again. These four operations make up
Function f. The output of Function f is then combined with the left half via another XOR.
The result of these operations becomes the new right half; the old right half becomes the
new left half.
If Bi is the result of the ith iteration, Li and Ri are the left and right halves of Bi, Ki is the
48-bit key for round i, and f is the function that does all the substituting and permuting and
XORing with the key, then a round looks like:
Li = R j-1
Ri = L i-1 Xor f (R i-1 , K i )
Example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
Note that all numbers are written in hexadecimal as a "short-form" version of the binary
actually used, since 1 Hex digit = 4 Binary bits. The digit mapping is:
0=0000 1=0001 2=0010 3=0011 4=0100 5=0101 6=0110 7=0111
8=1000 9=1001 a=1010 b=1011 c=1100 d=1101 e=1110 f=1111
The Key Transformation
Initially, the 64-bit DES key is reduced to a 56-bit key by ignoring every eighth bit. Let us
call this operation PC1. This is described in Table 6.2.
PC2 is the operation which reduces the 56-bits key to a 48-bits subkey for each of the 16
rounds of DES. These subkeys, Ki, are determined in the following manner. PC1 splits the
key bits into 2 halves (C and D), each 28-bits. The halves C and D are circularly shifted left
by either one or two bits, depending on the round. This shift is given in Table 6.3.
After being shifted, 48 out of the 56 bits are selected. This is done by an operation called
compression permutation, it permutes the order of the bits as well as selects a subsets of
bits. Table 6.4 defines the compression permutation.
Example:
keyinit(5b5a5767, 6a56676e)
PC1(Key) C=00ffd820,
D=ffec9370
8
KeyRnd01 C1=01ffb040,
D1=ffd926f0,
PC2(C,D)=(38 09 1b 26 2f 3a 27 0f)
KeyRnd02 C2=03ff6080,
D2=ffb24df0,
PC2(C,D)=(28 09 19 32 1d 32 1f 2f)
KeyRnd03 C3=0ffd8200,
KeyRnd04 C4=3ff60800,
D4=fb24dff0,
KeyRnd05 C5=ffd82000,
KeyRnd06 C6=ff608030,
D6=b24dfff0,
KeyRnd07 C7=fd8200f0,
KeyRnd08 C8=f60803f0,
D8=24dfffb0,
PC2(C,D)=(06 34 26 1b 3f 1d 37 38)
PC2(C,D)=(07 34 2a 09 37 3f 38 3c)
PC2(C,D)=(29 2f 0d 10 19 2f 1d 3f)
PC2(C,D)=(1b 35 05 19 3b 0d 35 3b)
Table 6.1
Initial Permutation
58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7.
Table 6.2
Key Permutation
57,
49,
41,
33,
25,
17,
9,
1,
58,
50, 42,
34,
26,
18,
10,
2,
59,
51,
43,
35,
27,
19,
11,
3,
60,
52,
44,
36,
63,
55,
47,
39,
31,
23, 15,
7,
62,
54, 46,
38,
30,
22,
14,
6,
61,
53,
45,
37,
21,
13,
5,
20,
12,
4.
29,
28,
Table 6.3
Number of Key Bits Shifted per Round
Round
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number 1 1 2 2 2 2 2 2 1
Table 6.4
Compression Permutation
14, 17, 11, 24, 1, 5,
2,
41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32.
10
Table 6.5
Expansion Permutation
32,
1,
2,
3,
4,
5,
4,
5,
6,
7,
8,
9,
8.
9,
10,
11,
12,
13,
12,
13,
14,
15,
16, 17,
16,
17,
18,
19,
20,
21,
20,
21,
22,
23,
24, 25,
24,
25,
26,
27,
28,
29,
28,
29,
30,
31,
32,
boxes.
Each S-box has a 6-bit input and a 4-bit output, and there are eight different S-boxes. The 48
bits are divided into eight 6-bit sub-blocks. Each separate block is operated on by a separate
S-box: The first block is operated on by S-box 1, the second block is operated on by S-box
2, and so on.
Each S-box is a table of 4 rows and 16 columns. Each entry in the box is a 4-bit number.
The 6 input bits of the S-box specify under which row and column number to look for the
output. Table 6.6 shows all eight S-boxes.
The input bits specify an entry in the S-box in a very particular manner. Consider an S-box
input of 6 bits, labeled bi, b2, b3, b, b, and b6. Bits b, and b6are combined to form a 2-bit
number, from 0 to 3, which corresponds to a row in the table. The middle 4 bits, b2 through
b5, are combined to form a 4-bit number, from 0 to 15, which corresponds to a column in
the table.
For example, assume that the input to the sixth S-box (i.e., bits 31 through 36 of the XOR
function) is 110011. The first and last bits combine to form 11, which corrspends to row 3 of
the sixth S-box. The middle 4 bits combine to form 1001, which corresponds to the column
9 of the same S-box. The entry under row 3, column 9 of S-box 6 is 14. (Remember to count
rows and columns from 0 and not from 1.) The value 1110 is substituted for 110011.
The S-box substitution is the critical step in DES. The algorithm's other operanons are linear
and easy to analyze. The S-boxes are nonlinear and, more than any.hing else, give DES its
security.
The result of this substitution phase is eight 4-bit blocks which are recombined into a single
32-bit block. This block moves to the next step: the P-box permutation.
12
Table 6.6
S-Boxes
S-box 1:
14,
4, 13, 1,
0, 15,
4,
2, 15, 11,
7, 4, 14,
2, 13,
1, 14, 8, 13,
15, 12,
8,
8, 2, 4,
3, 10,
1, 10,
6, 12,
5,
9, 0,
7,
6, 12, 11,
9,
5, 3,
8,
3, 10, 5,
0,
6,
9,
9,
1,
7,
5, 11,
7,
S-box 2:
15,
1,
8, 14,
6,
11,
3,
4,
9,
7,
2,
13,
12,
3, 13,
4, 7,
15,
2,
8,
14,
12,
0,
1,
10,
0, 14,
7, 11,
10,
4,
13,
1,
5,
8,
12,
6,
3, 15,
4,
2,
11,
6,
7, 12,
13,
8, 10, 1,
0,
5,
10,
6,
9, 11,
5,
9,
3,
2,
15,
0, 5, 14,
9,
S-box 3:
10,
0,
9,
14,
6,
3,
15,
5,
1,
13,
12,
7,
11,
4,
2,
8,
13,
7,
0,
9,
3,
4,
6,
10,
2,
8,
5,
14,
12,
11,
15, 1,
13,
6,
4,
9,
8,
15,
3,
0,
11,
1,
2,
12,
5,
10,
14,
7,
1, 10, 13, 0,
6,
9,
8,
7,
4,
15,
14,
3,
11,
5,
2,
12,
S-box 4:
7, 13,
14,
3,
0,
6,
9,
10,
1,
2,
8,
5,
11,
12,
4, 15,
3,
4,
7,
2,
12,
1,
10,
14,
9,
13, 15,
1,
3,
14,
5,
2,
8,
4,
13,
8,
11,
5,
6,
15,
0,
10,
6,
9,
0,
12,
11,
7,
13
3, 15,
0,
6,
10,
1,
13,
8,
9,
4,
5,
11,
12,
7,
2, 14,
S-box 5:
2, 12,
4,
1,
7,
10,
11,
6,
8,
5,
3,
15,
13,
0, 14,
9,
14, 11,
2, 12,
4,
7,
13,
1,
5,
0,
15,
10,
3,
9,
8,
6,
41, 2,
1, 11,
10, 13,
7,
8,
15,
9,
12,
5,
6,
3,
0,
14,
1,
14,
2,
13,
6,
15,
0,
9,
10,
4,
5,
3,
9,
2,
6,
8,
0, 13,
3,
4,
14,
7,
5, 11,
11, 8, 12, 7,
S-box 6:
12,
1, 10, 15,
10, 15,
4,
2,
7,
12,
9,
5,
6,
1,
13,
14,
0,
11,
3,
8,
9, 14, 15,
5,
2,
8,
12,
3,
7,
0,
4,
10,
1,
13,
11,
6,
4,
12,
9,
5,
1,
7,
6,
0,
3, 2,
8,
13,
S-box 7:
4, 11,
13,
1,
2, 14,
15,
0,
8,
13,
3,
12,
9,
7,
5,
10,
6,
1,
7,
4,
9,
1,
10,
14,
3,
5,
12,
2,
15,
8,
6,
4, 11, 13,
12,
3,
7,
14,
10,
15,
6,
8,
0,
5,
9,
2,
1,
4,
10,
7,
9,
5,
0,
15,
14,
2,
3,
12,
0, 11,
6, 11, 13,
8,
S-box 8:
13,
8, 4,
6,
15,
11,
1, 10,
9,
3,
14,
5,
1, 15, 13, 8,
10,
3,
7,
4, 12,
5,
6,
11,
0, 14,
9,
2,
7, 11,
4, 1,
9,
12,
14,
2,
6,
10,
13,
15,
3,
5,
8,
1, 14, 7,
4,
10,
9,
0,
3,
5,
6,
11
-2,
2,
0,
14
0, 12,
7,
Example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
The P-Box Permutation
The 32-bit output of the S-box substitution is permuted according to a P-box. This
permutation maps each input bit to an output position; no bits are used twice and no bits are
ignored. Table 12.7 shows the position to which each bit moves. For example, bit 21 moves
to bit 4. while bit 4 moves to bit 3 1.
Table 6.7
P-Box Permutation
16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
Finally, the result of the P-box permutation is XORed with the left half of the initial 64-bit
block. Then the left and right halves are switched and another round begins.
The Final Permutation
The final permutation is the inverse of the initial permutation and is described in Table 6.8.
Note that the left and right halves are not exchanged after the last round of DES; instead the
concatenated block R 16 L16 is used as the input to the final permutation. There's nothing
going on here; exchanging the halves and shifting around the permutation would yield
exactly the same result. This is so that the algorithm can be used to both encrypt and
decrypt.
15
Table 6.8
Final Permutation
40,
8,
48,
16,
56,
24,
64,
32,
39,
7,
47,
15,
55,
23,
63,
31,
38,
6,
46, 14,
54,
22,
62
30,
37,
5,
45,
13,
53,
21,
61,
29,
36,
4,
44,
12,
52,
20,
60,
28,
35,
3,
43,
11,
51,
19,
59,
27,
34,
2,
42,
10,
50,
18,
58,
26,
33,
1,
41,
9,
49,
17,
57,
25.
Decrypting DES
After all the substitutions, permutations, XORs, and shifting around, you might think that
the decryption algorithm is completely different and just as confusing as the encryption
algorithm. On the contrary, the various operations were chosen to produce a very useful
property: The same algorithm works for both encryption and decryption.
With DES it is possible to use the same function to encrypt or decrypt a block. The only
difference is that the keys must be used in the reverse order. That is, if the encryption keys
for each round are K1, K2, K3, . . . , K16, then the decryption keys are K16, K15, K14, . . . ,
K1,. The algorithm that generates the key used for each round is circular as well. The key
shift is a right shift and the number of positions shifted is 0, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2,
2, 1.
Summary
DES is a widely used symmetric block cipher. It encrypts 64-bit data, and uses 56-bit key
16
with 16 48-bit sub-keys. The basic process in enciphering a 64-bit data block using the DES
consists of:
Review Questions
1. How many bit of data does DES encrypt?
2. What is the length of the key of DES?
3. How many rounds of key dependent calculation does DES need to encrypt data?
4. Which step in DES algorithm gives DES security?
5. If K1, K2, ..., K16 are encryption key, What is the decryption key?
17
Answers:
1. 64 bits.
2. 56 bits.
3. 16 rounds of calculation.
4. S-box substitution.
5. The decryption key is K16, K15, K14, K13,..., K2, K1.
Practice Test
1. True or false:
DES is a block symmetric cipher which encrypt 64 bits data using same length key.
2. True or false:
The same algorithm works for both encryption and decryption.
3. Which step in the algorithm gives DES security.
18
Answers:
1. F
2. T
3. B
4. Eight
5. B
19
Exponential Cipher
Introduction
traditional private/secret/single key cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message & claiming is
sent by sender
Public-Key Cryptography
probably most significant advance in the 3000 year history of cryptography
uses two keys a public & a private key
asymmetric since parties are not equal
uses clever application of number theoretic concepts to function
complements rather than replaces private key crypto
Why Public-Key Cryptography?
developed to address two key issues:
key d istribution how t o have secure communications i n g eneral
without having to trust a KDC with your key
digital s ignatures how t o verify a message co mes intact from t he
claimed sender
public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni
in 1976
known earlier in classified community
1
Public-Key Cryptography
public-key/two-key/asymmetric cryptography involves the use of two keys:
a public-key, w hich may be k nown b y a nybody, a nd c an be used t o
encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt messages,
and sign (create) signatures
is asymmetric because
those who encrypt messages or verify signatures cannot decrypt
messages or create signatures
Public-Key Characteristics
Public-Key algorithms rely on two keys where:
it i s computationally i nfeasible t o f ind decryption ke y k nowing o nly
algorithm & encryption key
2
Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes
like pr ivate ke y s chemes br ute force e xhaustive s earch at tack is a lways
theoretically possible
3
Exponentiation Ciphers
We w ill c onsider two kinds of e xponentiation c iphers de veloped by the
following people:
Pohlig and Hellman
Rivest, Shamir, and Adleman (RSA)
Given (n), it is easy to generate a pair (e, d) such that ed mod (n) = 1. This
is done by first choosing d relatively prime to (n), and then computing e as
e = inv(d, (n))
Because e and d are symmetric, we could also pick e and compute d = inv(e,
(n)).
Given e, it is easy to compute d (or vice versa) if (n) is known. But if e and
n can be r eleased without giving aw ay (n) o r d, t hen t he de ciphering
transformation can be kept secret, while t he enciphering transformation is
made public.
It is the ability to hide (n) that distinguishes the two schemes.
Pohlig-Hellman Scheme
The modulus is chosen to be a large prime p.
To encipher:
C = M e mod p
To decipher:
M = C d mod p
Because p is prime, (p) = p 1.
Thus the scheme can only be used for conventional encryption, where e and
d are both kept secret.
6
Discrete Logarithm
The fastest kn own al gorithm for co mputing t he d iscrete l ogarithm takes
about
((ln p )1 / 3 ln(ln p )) 2 / 3
7
steps.
If p is a few hundred decimal digits long, it will take several billion years to
compute.
bits, if the implementation (the library) of RSA is fast e nough, we can double the
key size.
Below is the algorithms for creating key, encryption, decryption, the signing is the
same like decryption and verification is the same like encryption. These three main
functions are very simple.
1. Creating keys:
1. Generate (find) two large prime numbers (P and Q)
2. Calculate N = PQ
3. Calculate M = phi(N) = (P - 1)(Q - 1) = (Euler totient function)
4. Select any integer E, the rules to select E are:
a. E is positive integer
b. 0 < E < M
c. GCD (M, E) = 1 ... (GCD = Greater Common Divisor)
NOTE: It is recommended to use E = 65537 (17 bits).
2. 5. Calculate D a use Extended Euclid Theorem (mod inverse)
(E * D) = 1 (mod M)
(E * D) mod M = 1
3. Public key: E, N
Private key:
Normal (slow): D and N
Chinese
Remainder
Theorem
(faster):
E * dP mod (P-1) = 1
dQ =
E * dQ mod (Q-1) = 1
invQ =
Q * invQ mod P = 1
4. Encryption / Verification:
Original plain text (a block value) = X ... X < N
Chipertext = C ... C = (X^E) mod N
5. Decryption / Signing:
Chipertext = C
Dechiper text = Y
Normal (slow way):
Y = (C^D) mod N
M1 = (C^dP) mod P
M2 = (C^dQ) mod Q
H = (M1 - M2) invQ mod P
Y = M2 + (Q * H)
Security Concern
Because (n) cannot be determined without knowing the prime factors p and
q, it is possible to keep d secret even if e and n are made public.
11
is
the de ciphering
M(n) mod q = 1
M(n) = kq + 1
Multiply each side by M = cp,
M(n)+1 = M + kqcp = M + ckn
Thus
M(n)+1 mod n = M .
The case when M is a multiple of q is similar.
Public-Key Systems
In a public-key system, each user has bot h a public and private key, and two
users can communicate knowing only each other's public keys.
User A has a public enciphering transformation EA , which may be registered
with a public directory, and a private deciphering transformation D A , which
is known only to user A.
The pr ivate transformation D A is described by a private key, and the p ublic
transformation EA by a public key derived from the private key by a one-way
transformation.
It must be computationally infeasible to determine D A from EA .
DK
disallowed
M
public
private
EB
DB
M
B
The s cheme does not pr ovide a uthenticity be cause a ny user w ith a ccess t o
B's p ublic t ransformation c ould substitute a nother message M' for M by
replacing C with C' = EB(M' ).
14
protected
EK
DK
C
disallowed
M
private
public
DA
EA
M
B
EA (D B (C))
= EA (D B (E B (D A (M))))
= EA (D A (M))
=M.
private
public
private
public
DA
EB
DB
EA
M
A
secrecy
M
B
authenticity
Merkle-Hellman Knapsacks
Knapsack problem: How to find the optimal way to pack a knapsack enclosing
the maximum number of objects.
Numerically:
target sum: 17
set
one solution set:
S {4, 7, 1,12,10}
{4,
1,12
}=17
16
V {1, 0, 1, 1, 0 }
N-P Complete
basically: a n N P c omplete p roblem has a de terministic e xponential time
solution. For example, 2n
This allows us to control the brute force attack. Ie, make time to break very
large!
Merkle-Hellman Knapsacks
17
MH Knapsack
Each element is larger than the previous
Example a 1 , a 2 , a 3 , a 4 , a 5 , a k-1 , a k
sums between a k and a k+1 must contain a k
superincreasing knapsack-each integer is > a k
also called simple knapsack
S=[1,4,11,17,38,73] is a superincreasing knapsack
Diffie-Hellman
Diffie-Hellman found a way to break the superincreasing sequence of integers. w
* x mod n. If w and n are relatively prime, w will have a multiplicitive inverse. w
* w-1 = 1 mod n. (w*q) w-1 = q
18
Why so important?
This allows us to create a p ublic knapsack (Hard) which can be based on a
secret simple knapsack and a secret w, and n.
Example
Create a Superincreasing (or simple) knapsack
S=[1,2,4,9,19]
m=5
Example
S=[1,2,4,9,19]
m=5
Example (decipher)
20
MH Practical Implementations
Choose value of n to be large, 100 to 200 binary digits.
Each element in the knapsack is 2200 apart
200 terms in the knapsack
large S and H make it infeasible to use brute force. 2200 for each element in
S, 1047 years to crack.
Cryptanalysis Reality!
Merkle-Hellman was cracked in 1980 by Shamir and Zipple
interceptor does not have to s olve t he basic knapsack problem to b reak t he
encryption.
Shamir points out another flaw.
21
c=ab
Encryption:
1001001 1000110
1010110 0110001
0011111 1110110
plaintext
key
ciphertext
= (
v)
Decryption:
0011111 1110110
1010110 0110001
1001001 1000110
ciphertext
key
plaintext
Mathematical Proof
prob.
ki
prob.
ci
prob.
1-x
(1-x)
1-x
(1-x)
Symmetric-key ciphers
Encrypt individual characters at a time,
Faster and less complex in hardware,
They are desirable in some applications in which
buffering is limited
bits must be individually processed as they are
received.
Transmission errors are highly probable.
Vast amount of theoretical knowledge.
Various design principles.
Widely being used at present, will probably be
used in the future.
One-Time Pad & Stream Ciphers
Si
F
G
mi
ki
ci
Analysis
Efforts to evaluate the security of stream ciphers.
1. Mathematical Analysis
Period and Linear Complexity,
Security against Correlation Attacks.
2. Pseudo-randomness Testing
Statistical Tests,
Linear Complexity,
Ziv-Lempel Complexity
Maximum Order Complexity,
Maurers Universal Test.
In testing, all the tests are applied to as many key-streams
of different lengths as possible.
One-Time Pad & Stream Ciphers
10
c1
c2
cL
ci= 0 or 1
C ( x) = 1 + c1 x + c2 x 2 + + cL x L : Connection Polynomial
11
12
Nonlinear
Combiner
Function
output
F
LFSR-Ln
13
T = (2 L1 1) (2 L2 1) (2 L3 1)
14
x1
x2
x3
z = F(x1,x2,x3)
0
0
0
1
1
1
1
0
1
1
0
0
1
1
1
0
1
0
1
0
1
1
0
0
0
1
1
1
15
Filter
Function
output
16
Clock-controlled Generators
An LFSR can be clocked by the output of another LFSR.
This introduces an irregularity in clocking of the first LFSR,
hence increase the linear complexity of its output.
Example : Shrinking Generator
LFSR - S
si
LFSR - A
ai
si = 1
output ai
si = 0
discard ai
17
18
Different Designs
SEAL, RC4.
They use expanded key tables,
Fast in software,
Look secure,
They have not been fully analyzed yet,
Efficient analysis tools are not developed.
19