Savefrom:www.uotechnology.edu.

iq/depcs

ComputerandDatasecurity
4thClass
. :

Introduction to Data Security

Basic Terminology
Suppose that someone wants to send a message to a receiver, and wants to be sure
that no-one else can read the message. However, there is the possibility that
someone else opens the letter or hears the electronic communication.
In cryptographic terminology, the message is called plaintext or cleartext.
Encoding the contents of the message in such a way that hides its contents from
outsiders is called encryption. The encrypted message is called the ciphertext.
The process of retrieving the plaintext from the ciphertext is called decryption.
Encryption and decryption usually make use of a key, and the coding method is
such that decryption can be performed only by knowing the proper key.
Cryptography is the art or science of keeping messages secret. Cryptanalysis is
the art of breaking ciphers, i.e. retrieving the plaintext without knowing the proper
key. People who do cryptography are cryptographers, and practitioners of
cryptanalysis are cryptanalysts.
Cryptography deals with all aspects of secure messaging, authentication, digital
signatures, electronic money, and other applications. Cryptology is the branch of
mathematics that studies the mathematical foundations of cryptographic methods.
Basic Cryptographic Algorithms
A method of encryption and decryption is called a cipher. Some cryptographic
methods rely on the secrecy of the algorithms; such algorithms are only of
historical interest and are not adequate for real-world needs. All modern algorithms
1

use a key to control encryption and decryption; a message can be decrypted only if
the key matches the encryption key. The key used for decryption can be different
from the encryption key, but for most algorithms they are the same.
There are two classes of key-based algorithms, symmetric (or secret-key) and
asymmetric (or public-key) algorithms. The difference is that symmetric
algorithms use the same key for encryption and decryption (or the decryption key
is easily derived from the encryption key), whereas asymmetric algorithms use a
different key for encryption and decryption, and the decryption key cannot be
derived from the encryption key.
Symmetric algorithms can be divided into stream ciphers and block ciphers.
Stream ciphers can encrypt a single bit of plaintext at a time, whereas block ciphers
take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a
single unit.
Asymmetric ciphers (also called public-key algorithms or generally public-key
cryptography) permit the encryption key to be public (it can even be published in
a newspaper), allowing anyone to encrypt with the key, whereas only the proper
recipient (who knows the decryption key) can decrypt the message. The encryption
key is also called the public key and the decryption key the private key or secret
key.
Modern cryptographic algorithms cannot really be executed by humans. Strong
cryptographic algorithms are designed to be executed by computers or specialized
hardware devices. In most applications, cryptography is done in computer
software, and numerous cryptographic software packages are available.
2

Generally, symmetric algorithms are much faster to execute on a computer than

asymmetric ones. In practice they are often used together, so that a public-key
algorithm is used to encrypt a randomly generated encryption key, and the random
key is used to encrypt the actual message using a symmetric algorithm.
Many good cryptographic algorithms are widely and publicly available in any
major bookstore, scientific library, or patent office, and on the Internet. Wellknown symmetric functions include DES and IDEA.RSA is probably the best
known asymmetric algorithm. Thebooks page lists several good textbooks on
cryptography and related topics.

Digital Signatures
Some public-key algorithms can be used to generate digital signatures. A
digital signature is a block of data that was created using some secret key, and
there is a public key that can be used to verify that the signature was really
generated using the corresponding private key. The algorithm used to generate the
signature must be such that without knowing the secret key it is not possible to
create a signature that would verify as valid.
Digital signatures are used to verify that a message really comes from the claimed
sender (assuming only the sender knows the secret key corresponding to his/her
public key). They can also be used to timestamp documents: a trusted party signs
the document and its timestamp with his/her secret key, thus testifying that the
document existed at the stated time.

Digital signatures can also be used to testify (or certify) that a public key belongs
to a particular person. This is done by signing the combination of the key and the
information about its owner by a trusted key. The reason for trusting that key may
again be that it was signed by another trusted key. Eventually some key must be a
root of the trust hierarchy (that is, it is not trusted because it was signed by
somebody, but because you believe a priori that the key can be trusted). In a
centralized key infrastructure there are very few roots in the trust network (e.g.,
trusted government agencies; such roots are also called certification authorities).
In a distributed infrastructure there need not be any universally accepted roots,
and each party may have different trusted roots (such of the party's own key and
any keys signed by it). This is the web of trust concept used e.g. in PGP.
A digital signature of an arbitrary document is typically created by computing a
message digest from the document, and concatenating it with information about
the signer, a timestamp, etc. The resulting string is then encrypted using the private
key of the signer using a suitable algorithm. The resulting encrypted block of bits
is the signature. It is often distributed together with information about the public
key that was used to sign it. To verify a signature, the recipient first determines
whether it trusts that the key belongs to the person it is supposed to belong to
(using the web of trust or a priori knowledge), and then decrypts the signature
using the public key of the person. If the signature decrypts properly and the
information matches that of the message (proper message digest etc.), the signature
is accepted as valid.
Several methods for making and verifying digital signatures are freely available.
The most widely known algorithm is RSA.
4

Cryptographic Hash Functions

Cryptographic hash functions are typically used to compute the message digest
when making a digital signature. A hash function compresses the bits of a message
to a fixed-size hash value in a way that distributes the possible messages evenly
among the possible hash values. A cryptographic hash function does this in a way
that makes it extremely difficult to come up with a message that would hash to a
particular hash value.
Cryptographic hash functions typically produce hash values of 128 or more bits.
This number is vastly larger than the number of different messages likely to ever
be exchanged in the world.
Many good cryptographic hash functions are freely available. Well-known ones
include MD5 and SHA.

Cryptographic Random Number Generators

Cryptographic random number generators generate random numbers for use in
cryptographic applications, such as for keys. Conventional random number
generators

available

in

most

programming

languages

or

programming

environments are not suitable for use in cryptographic applications (they are
designed for statistical randomness, not to resist prediction by cryptanalysts).
In the optimal case, random numbers are based on true physical sources of
randomness that cannot be predicted. Such sources may include the noise from a
semiconductor device, the least significant bits of an audio input, or the intervals
5

between device interrupts or user keystrokes. The noise obtained from a physical
source is then "distilled" by a cryptographic hash function to make every bit
depend on every other bit. Quite often a large pool (several thousand bits) is used
to contain randomness, and every bit of the pool is made to depend on every bit of
input noise and every other bit of the pool in a cryptographically strong way.
When true physical randomness is not available, pseudorandom numbers must be
used. This situation is undesirable, but often arises on general purpose computers.
It is always desirable to obtain some environmental noise - even from device
latencies, resource utilization statistics, network statistics, keyboard interrupts, or
whatever. The point is that the data must be unpredictable for any external
observer; to achieve this, the random pool must contain at least 128 bits of true
entropy.
Cryptographic pseudorandom generators typically have a large pool ("seed value")
containing randomness. Bits are returned from this pool by taking data from the
pool, optionally running the data through a cryptographic hash function to avoid
revealing the contents of the pool. When more bits are needed, the pool is stirred
by encrypting its contents by a suitable cipher with a random key (that may be
taken from an unreturned part of the pool) in a mode which makes every bit of the
pool depend on every other bit of the pool. New environmental noise should be
mixed into the pool before stirring to make predicting previous or future values
even more impossible.
Even though cryptographically strong random number generators are not very
difficult to built if designed properly, they are often overlooked. The importance of

the random number generator must thus be emphasized - if done badly, it will
easily become the weakest point of the system.

Strength of Cryptographic Algorithms

Good cryptographic systems should always be designed so that they are as difficult
to break as possible. It is possible to build systems that cannot be broken in
practice (though this cannot usually be proved). This does not significantly
increase system implementation effort; however, some care and expertise is
required. There is no excuse for a system designer to leave the system breakable.
Any mechanisms that can be used to circumvent security must be made explicit,
documented, and brought into the attention of the end users.
In theory, any cryptographic method with a key can be broken by trying all
possible keys in sequence. If using brute force to try all keys is the only option,
the required computing power increases exponentially with the length of the key. A
32 bit key takes 2^32 (about 10^9) steps. This is something any amateur can do on
his/her home computer. A system with 40 bit keys (e.g. US-exportable version of
RC4) takes 2^40 steps - this kind of computing power is available in most
universities and even smallish companies. A system with 56 bit keys (such as
DES) takes a substantial effort, but is quite easily breakable with special hardware.
The cost of the special hardware is substantial but easily within reach of organized
criminals, major companies, and governments. Keys with 64 bits are probably
breakable now by major governments, and will be within reach of organized
criminals, major companies, and lesser governments in a few years. Keys with 80
bits may become breakable in future. Keys with 128 bits will probably remain
7

unbreakable by brute force for the foreseeable future. Even larger keys are
possible; in the end we will encounter a limit where the energy consumed by the
computation, using the minimum energy of a quantum mechanic operation for the
energy of one step, will exceed the energy of the mass of the sun or even of the
universe.
However, key length is not the only relevant issue. Many ciphers can be broken
without trying all possible keys. In general, it is very difficult to design ciphers that
could not be broken more effectively using other methods. Designing your own
ciphers may be fun, but it is not recommended in real applications unless you are a
true expert and know exactly what you are doing.
One should generally be very wary of unpublished or secret algorithms. Quite
often the designer is then not sure of the security of the algorithm, or its security
depends on the secrecy of the algorithm. Generally, no algorithm that depends on
the secrecy of the algorithm is secure. Particularly in software, anyone can hire
someone to disassemble and reverse-engineer the algorithm. Experience has shown
that a vast majority of secret algorithms that have become public knowledge later
have been pitifully weak in reality.
The key lengths used in public-key cryptography are usually much longer than
those used in symmetric ciphers. There the problem is not that of guessing the right
key, but deriving the matching secret key from the public key. In the case of RSA,
this is equivalent to factoring a large integer that has two large prime factors. In the
case of some other cryptosystems it is equivalent to computing the discrete
logarithm modulo a large integer (which is believed to be roughly comparable to
factoring). Other cryptosystems are based on yet other problems.
8

To give some idea of the complexity, for the RSA cryptosystem, a 256 bit modulus
is easily factored by ordinary people. 384 bit keys can be broken by university
research groups or companies. 512 bits is within reach of major governments. Keys
with 768 bits are probably not secure in the long term. Keys with 1024 bits and
more should be safe for now unless major algorithmic advances are made in
factoring; keys of 2048 bits are considered by many to be secure for decades. More
information on RSA key length is in an article by Bruce Schneier.
It should be emphasized that the strength of a cryptographic system is usually
equal to its weakest point. No aspect of the system design should be overlooked,
from the choice algorithms to the key distribution and usage policies.

Cryptanalysis and Attacks on Cryptosystems

Cryptanalysis is the art of deciphering encrypted communications without knowing
the proper keys. There are many cryptanalytic techniques. Some of the more
important ones for a system implementor are described below.

Ciphertext-only attack: This is the situation where the attacker does not
know anything about the contents of the message, and must work from
ciphertext only. In practice it is quite often possible to make guesses about
the plaintext, as many types of messages have fixed format headers. Even
ordinary letters and documents begin in a very predictable way. It may also
be possible to guess that some ciphertext block contains a common word.

Known-plaintext attack: The attacker knows or can guess the plaintext for
some parts of the ciphertext. The task is to decrypt the rest of the ciphertext
9

blocks using this information. This may be done by determining the key
used to encrypt the data, or via some shortcut.

Chosen-plaintext attack: The attacker is able to have any text he likes

encrypted with the unknown key. The task is to determine the key used for
encryption. Some encryption methods, particularly RSA, are extremely
vulnerable to chosen-plaintext attacks. When such algorithms are used,
extreme care must be taken to design the entire system so that an attacker
can never have chosen plaintext encrypted.

Man-in-the-middle attack: This attack is relevant for cryptographic

communication and key exchange protocols. The idea is that when two
parties are exchanging keys for secure communications (e.g., using DiffieHellman), an adversary puts himhelf between the parties on the
communication line. The adversary then performs a separate key exchange
with each party. The parties will end up using a different key, each of which
is known to the adversary. The adversary will then decrypt any
communications with the proper key, and encrypt them with the other key
for sending to the other party. The parties will think that they are
communicating securely, but in fact the adversary is hearing everything.
One way to prevent man-in-the-middle attacks is that both sides compute a
cryptographic hash function of the key exchange (or at least the encryption
keys), sign it using a digital signature algorithm, and send the signature to
the other side. The recipient then verifies that the signature came from the
desired other party, and that the hash in the signature matches that computed
locally. This method is used e.g. in Photuris.

10

Timing Attack: This very recent attack is based on repeatedly measuring

the exact execution times of modular exponentiation operations. It is
relevant to at least RSA, Diffie-Hellman, and Elliptic Curve methods. More
information is available in the original paper and various followup articles.

There are many other cryptographic attacks and cryptanalysis techniques.

However, these are probably the most important ones for a practical system
designer. Anyone contemplating to design a new encryption algorithm should have
a much deeper understanding of these issues.
Disclaimer: Any opinions and evaluations presented here are speculative, and the
author cannot be held responsible for their correctness.

11

Mathematical Background
-1-5:
Finite Fields
.
( AES )Advanced Encryption Standard
. Curve Elliptic

. .


.

.
-2-5 :Prime Numbers
) (
. 2357 11 .
) (x
= 1

) (x
Lim x ---------X
--------)ln (x

X ) (x
)X / ln (x

x:

M 200 .
10 200
P

10 200
P

N (10 200) = -----------= ---------- = ------------- = 2.17147* 10 197

)Ln(x
ln(10 200) 460.5
X
10 199
10 199
N (10 199) = ----------- = ----------- = ------------- = 2.1823*10 196
)Ln (x
ln (10 199) 458.214
P

M = N (10 200) N (10 199) = 1.95 * 10 197

P

-3-5

)Greatest Common Divisor(GCD

) ( a, b D a, b D

a mod D =0 and b mod D = 0
10 15 5
GSD(10,15) = 5
10 5
15 5

)GCD(a, b) =GCD(b, a
a, b ) (prime number GCD( a, b) = 1
a b ( a > b) a:
GCD(a ,b) = 1

:
)GCD(a, b) = GCD(b, a mod b

:
)GCD( 39,36

)GCD(93,36) = GCD(36,93 mod 36 ) = GCD (36,21

)GCD(36,21) = GCD(21,36 mod 21 ) = GCD (21,15
)GCD(21,15) = GCD(15,21 mod 15 ) = GCD (15,6
)GCD(15,6) = GCD(6,15 mod 6 ) = GCD (6,3
)GCD(6,3) = GCD(3,6 mod 3 ) = GCD (3,0
GCD(93,36) = 3
- 1 :

=)GCD (A1,B1
R1

Q1

* B1

A1

R2

Q2

* B2

A2

R3

Q3

* B3

A3

+ R4

Q4

B4

A4

1
A1
B1
Q1
R1

.
.
.
.
.
.
.
.
An = Bn * Qn + Rn
GCD (A1,B1) = Bn

)GCD( 1970,1066
)= 1066 * 1 + 904 . GCD(1970,1066
)= 904 * 1 + 162 .. GCD(1066,904
= 162 * 5 + 94
) GCD(904,162
= 94 * 1 + 68
)GCD(94 , 68
)= 68 * 1 + 26 .. GCD( 68 ,26
= 26 * 2 + 16
). GCD( 26,16
= 10 * 1 + 6
) GCD(16,10
= 6*1+4
) GCD(10,6
= 4*1 +2

)GCD(6,4
= 2* 2 + 0

)GCD(4,2
Bn

1970
1066
904
162
94
86
16
10
6
4

GCD(1970,1066) = 2

)Least Common Multiple (LCM

-4-5
-1
:
: )LCM(4864,3458

)LCM(a, b) = |a * b | GCD(a, b
)GCD(4864,3458
4864 = 3458 * 1 + 1406
3458= 1046 *2 + 646
1406 = 646 *2 + 114
646 = 114* 5 + 76
114 = 67 * 1 + 38
76 = 38 *2 + 0
GCD(4864,3458) = 38
)LCM(3864,3458) = |3864 * 3458 | / GCD(4864,3458
= 16819712 / 38
= 442624
-2

: )LCM(4864,3458
3458
1729
247
19
1

2 4864
2 2432
2 1216
2 608
2 304
2 152
2 76
2
38
2 19
19
1

2
7
13
19

4864 = 28 * 19
3458 = 2 * 7 * 13 * 19
3459
LCM(4864,3458) = 28 * 7 * 13 * 19
= 442624
P

: )LCM(93,36
)LCM(93,36) = |93 * 36| / GCD(93,36
= 3348 / 3

= 1116
-5-5

Modular

Modular
C = a MOD b

a

b

C
a , n :
0 r < n

q= a/n
a=q n+r
r=aq*n

: a = 11 , n = 7 q , r
q
= a / n = 11/ 7 = 1
r
= 11 1 * 7 = 4
11 = 1 * 7 + 4
: a = -11 , n = 7 q , r
q = a / n = -11 / 7 = -1
r = a - q * n = -11 - (-1) * 7 = -4
-11 = -1 * 7 + (-4) = -11
-6-5 :
C = a mod b
C = Remainder of dividing a by b.
C = 25 mod 6
C=1
n a a n
q r :
q = a/n

;0r<n

A = qn + r

:
;11 = 1 * 7 + 4

;n = 7

;A = 11

r=4

-11 = (-2) * 7 + 4; r = 3

;n = 7

;A = -11

11 mod 7 = 4;

-11 mod 7 = 3;

(a mod n) = (b mode n). n b a

as a = b mod n.
37 4 mod 23;

21 -9 mod 10
:
:

123-

a b mod n if n (a-b).
a b mod n implies b a mod n.
a b mod n and b c mod n imply a c mod n

23 8 (mod 5) because 23-8 = 15 = 5*3

-11 5(mod 8) because -11-5=-16=8*(-2)
81 0 (mod 27) because 81-0 = 81 = 27*3

:
:

1- [(a mod n)]+(b mod n)] mod n =(a + b) mod n

2- [(a mod n)]-(b mod n)] mod n =(a - b) mod n
3- [(a mod n)]*(b mod n)] mod n =(a *b) mod n
:
11 mod 8 =3;
15 mod 8 =7
[(11 mod 8 )+(15 mod 8)] mod 8 =10 mod 8 =2
(11+15) mod 8 = 26 mod 8 =2

[(11 mod 8 )-(15 mod 8)] mod 8 = -4 mod 8 =4

(11-15) mod 8 = -4 mod 8 =4
[(11 mod 8 )*(15 mod 8)] mod 8=21 mod 8 =5
(11*15) mod 8 = 165 mod 8 = 5

To find 117 mod 13 , we can proceed as follows:

:
U

117 mod 13
112 = 121= 4 mod 13
114 = 42 = 3 mod 13
117=11*4*3 132 2 mod 13 = 2

-7-5 :Euler Function

) ( reduce
.
m k m > k
gcd(k, m) = 1 :
- 1
:

(m) = m - 1

)(5

= }{ 1, 2, 3, 4

(5) = m -1= 5 - 1 = 4
Gcd(5,1) = 1

gcd(5,2) = 1 gcd(5,3) =1 gcd(5,4) =1

- 2 m

)(mr) = mr-1 (m-1

P

: )(3 3
P

(3 )=3 (3-1) =9*2 = 18

P

}{ 1,2,3,4,5,7,8,10,11,13,14,16,17,19,20,22,23,24,25,26
-3

m1 , m2 :
)(m1*m2) =(m1-1)(m2-1

(10) :
)(10) = ( 2 * 5 ) = (2 -1) (5-1

= 1* 4 = 4

= }{ 1,3,7,9

-4 m :
1

e 1

Pi
i =1

= )(m

(m) = (p 1 r,p 2 r1)

= (p 1 r)* (p 2 r1)
= (p 1 r-1)(p 1 -1)* (p 2 r1-1)(p 2 -1)
R

RP

RP

RP

RP

RP

RP

(20)

(20)= (2 ) * (5 )
=(22-1)(2-1)(51-1)(5-1)
= (2)(1)(1)(4) = 2*4= 8
{ 1,3,9,11.13.17.19}=
2

Inverse Algorithm (inv)

-8-5

X
. a , n ,b
a X mod n = b
, gcd (a, n) =1
X=[ b * inv(a , n ) ] mod n
X inv
Algorithm inv(a ,n);
{
' Return x such that ax mod n = 1 where 0 < a < n '
g0 = n ; g1 = a ;
u 0 = 1 ; v0 = 0;
u1 = 0; v1 = 1;
i=1;
while g i <> 0 do "g i =ui *n + vi *a;
{
y= gi-1 div g i ;
g i+1 = gi-1 y * gi ;
u i+1 = u i-1 y * u i ;
v i+1 = v i-1 y * v i ;
i =i
+1
}
x= vi-1;
if x >= 0 then inv = x else inv = x + n;
}
R

3 X mod 26 = 6

: X :

a= 3 n= 26

b = 6

Inv(3,26)
g0 = 26
g1 = 3
U0 = 1 V0 = 0
U 1 =0 v1 =1
i=1
g1 <> 0
y =g0 div g 1 = 26 div 3 = 8
g 2 = g0 y * g 1 = 26 8*3 =26 -24 =2
u2 = u0 y * u1 = 1 8 * 0 = 1- 0 =1
v 2 = v0 - y * v 1 = 0 8 * 1 = 0 8 = - 8
R

i=i+1 = 1+1 = 2
y= g 1 div g 2 = 3 div 2 = 1
g 3 = g 1 y * g2 = 3 1 * 2 = 3 2 = 1
u 3 = u1 y * u 2 = 0 1 * 1 = 0 1 = -1
v 3 = v1 - y * v 2 = 1 1 * -8 = 1 + 8 = 9
R

i=i+1 = 1+2 = 3
y= g 2 div g 3 = 2 div 1 = 2
g4 = g2 y * g 3 = 3 1 * 2 = 3 2 = 1
u 4 = u2 y * u 3 = 0 1 * 1 = 0 1 = -1
v 4 = v2 - y * v 3 = 1 1 * -8 = 1 + 8 = 9
i=i+1 = 1+3 = 4
g4= 0
x = v i-1 = v 3 = 9
if x >= 0 then inv = x=9
R

X=[ b * inv(a , n ) ] mod n

= [ 6 * 9 ] mod 26
= 54 mod 26 = 2

3 X mod 26 = 6
3* 2 mod 26 = 6

fast exponentiation

-9-5
algorithm

Algorithm fastexp(a,z,n)
Begin "return x = az nod n "
A1 = a ; z1 = z ;
X =1 ;

While z1 0
{
while z1 mod 2 = 0
{
z1 = z1 div 2
a1 = (a1 * a1 ) mod n
}
z1 = z1 - 1
x = ( x * a1 ) mod n
}
fastexp = x
end

:
3 X mod 26 = 6
n= 26
n= 2 *13
(n)= 2(1-1)*(-2)*13(1-1)*(13-1)
= 12
(n)-1 = 12 - 1 = 11
P

fastexp(a, (n)-1,n)
fastexp(3,11,26)
a1= 3

z1 = 11 n=26

first ilt
x=1
while z1 mod 2 = 0 false
z1 = z1 v- 1 = 11-1 = 10
x = (x * a1 ) nod n = (1 * 2 ) nod 26 = 3
second while
while z1 mod 2 = 0 true
z1 = z1 div 2 = 10 div 2 = 5
a1 = ( a1 * a1 ) mod n = ( 3 * 3 ) mod 26 = 9
z1 = z1 -1 = 5 - 1 = 4
x = ( x * a1 ) mod n = ( 3 * 9 ) mod 26 = 1
third ilt
while z1 mod 2 = 0 true
z1 = z1 div 2 = 2

a1 = (a1 * a1 ) mod n = ( 9 * 9 ) mod 26 = 3

while z1 mod 2 = 0 true
z1 = z1 div 2 = 2 div 2 = 1
a1 =( a1 * a1 ) mod n = ( 3 * 3 ) mod 26 = 9

z1 =z1-1 = 1- 1 = 0
final x = 9
x= b * fastexp(a, (n) -1,n ) mod n
= 6 * 9 mod 26
=3
X
3
X= 2 mod 5
X = a1z1 mod n
a1 = 2
z1 = 3 x = 1 n = 5
First ilt
P

while z1 mod 2 = 0 false

z1 = z1 1 = 3 1 = 2
x = ( x * a1 ) mod n = ( 1 * 2 ) mod 5 = 2
second ilt
while z1 mod 2 = 0 true
z1 = z1 div 2 = 2 div 2 = 1
a1 = ( a1 * a1 ) mod n = ( 2 * 2 ) mod 5 = 4
while z1 mod 2 = 0 false
z1 = z1 -1 = 1 1 = 0
x = ( x * a1 ) mod n = ( 2 * 4 ) mod 5 = 3
fastexp = X= 23 mod 5 = 3
modular Arithmetic Operations
1- [ ( a mod n] + ( b mod n ) ] mod n = (a + b ) mod n
P

11 mod 8 = 3 , 15 mod 8 = 7
[ ( 11mod 8] + ( 15 mod 8 ) ] mod 8 = ( 11 + 15 ) mod 8
= 26 mod 8 = 2
2- [ ( a mod n] - ( b mod n ) ] mod n = (a + b ) mod n
[ ( 11mod 8] - ( 15 mod 8 ) ] mod 8 = ( 11 - 15 ) mod 8
= -4 mod 8 = 4
3- [ ( a mod n] * ( b mod n ) ] mod n = (a *b ) mod n
[ ( 11mod 8] * ( 15 mod 8 ) ] mod 8 = ( 11 * 15 ) mod 8
= 165 mod 8 = 5

4 mod 11
4 * 4 mod
5 * 5 mod
3 * 5 mod
4 * 4 mod
7
4 mod 11 =
P

= ( 4 * 4 + 4*4 + 4*4 + 4 ) mod 11
11 = 16 mod 11 = 5
11 = 25 mod 11 = 3
11 = 15 mod 11 = 4
11 = 5
5
10-5

(w+x) mod n = ( x + w ) mod n

= ( x * w ) mod n
[( w + x) + y ] mod n = [ w + ( x + y ) ] mod n
[( w * x) * y ] mod n = [ w * ( x * y ) ] mod n
[ w * x( + y) ] mod n = [ (w * x) + ( w * y ) ] mod n
[ w + x( * y) ] mod n = [ (w + x) * ( w + y ) ] mod n
( 0 + w ) mod n = w mod n
( 1 * w ) mod n = w mod n

Commutative

Associative

Distributive
Identities

X+Y MOD 7
+
0
1
2
3
4
5

0
0
1
2
3
4
5

1
1
2
3
4
6
0

2
2
3
4
5
6
0

3
3
4
5
6
0
1

4
4
5
6
0
1
2

5
5
6
0
1
2
3

6
6
0
1
2
3
4

X*Y MOD 7

0
5
6
0
1
2
3

0
6
0
1
2
3
4

0
3
4
5
6
0
1

0
4
5
6
0
1
2

0
2
3
4
5
6
0

0
0
0
0
0
0
5

0
1
2
3
4
6
0

*
0
1
2
3
4
5

11-5
) ( Mod
.

.
):(2x2
-b
a

d
-c

ad bc

-1
P

b
d
P

=
2
4

a
c
=A

1
3

det(A) = ad bc = 1*4 3*2 = 4 6 = -2

1/det (A) mod 11 = 1/-2 mod 11
= ( 5*(-2)) mod 11 1 mod 11
mod 11

-2

-3

-2

-3

-1

1
---2
P

5*4 mod 11 = 20 mod 11 = 9

5 * -2 mod 11 = -10 mod 11
=( z + 10 ) mod 11
=1
5 * -3 mod 11 = -15 mod 11
= (z+15) mod 11
=7
5 * 1 mod 11 = 5
1

-1
P

-1
P

23

11

55

mod 11=

23

:( 3*3)
D i,j / det(A)

i,j

[A ] i,j = (-1 )

D i,j
j i

det(A)
A-1


R

K 11 k12 k13
A=
k 21 k22 k23
K 31 k32 k33
R

Det(A) = (K 11 * k 22 *k33 + k 21 * k 32 * k13 + K 31 * k 12 * k23 )

(K31 * k22 * k13 + k 21 *k12 * k33 + K 11 * k32 * k23 )
R

M=

1 1 1
1 2 3
1 7 9

n= 11

det(A) = ( 1* 2 *9 + 1*4*1 + 1*1*3 ) (1*2*1 + 1*1*9 + 1*4*3)

= 25 23
= 2
1/det(A ) mod n = 1/2 mod 11 = 2-1 mod 11
(z * 2 ) mod 11 1 mod 11
z = 6
1/ det(A) = 6
P

K 11 =
R

2 3
4 9

(-1) 1+1

= abs( 18 12 ) = 6
K 11 mod n = 6 mod 11 = 6
R

1 3
1 9

k 12 = (-1) 1+2
R

= -1 abs (9-3 ) = -6
mod n = - 6 mod 11

k12
R

k13 = (-1) 1+3

R

1
1

2
3

= (3 -2 ) = 1
1
4

k21 = (-1) 2+1

R

1
9

= - ( 9 - 4 ) = -5
k22 = (-1) 2+2

1
1

=( 9 -1 )

= 8

k23 = ( -1 ) 2+3
R

1
1

1
9

1
4

= -1 ( 4 -1 ) = -1 * 3 = -3
K 31 = (-1) 3+1
R

1
2

1
3

=( 3 -2) = 1
1
1

k 32 = ( -1 ) 3+2
R

1
3

= (-1) ( 3 1 ) = -2
1
1

k33 =(-1) 3+3

R

=( 2

-1)=1
6 -6
-5 8
1 -8

D =

6
-6
2

D=

1
2

2
-3
-1

-5
8
-3

1
-2
1

a-111 = 1/det (a) *K 11 mod 11

= (6 * 6 ) mod 11 = 36 mod 11 = 3
P

PR

a-112
P

PR

= 1/det(A) * k12 mod 11 = (6 * (-5) ) mod 11

= - 30 mod 11
= 30 + z mod 11 0 mod 11
=3

a-113 = 1/det(A) * k13 mod 11

=( 6 * 1 ) mod 11 = 6 mod 11
=6
P

PR

a-121 = 1/det(A) * k21 mod 11

=( 6 * -6 ) mod 11 = -36 mod 11
= z + 36 mod 11
=8
-1
a 22
= 1/det(A) * k22 mod 11
= (6 * 8 ) mod 11 = 48 mod 11
= 4
-1
a 23 = 1/det (A) * k23 mod 11
P

PR

PR

a-131
P

PR

= ( 6 * -2 ) mod 11 = -12 mod 11

= (z+ 12) mod 11
= 10
= 1/ det (A) * K31 mod 11
= ( 6 * 2 ) mod 11
=1
= 1/det(A) * k23 mod 11
= (6 * -3 ) mod 11 = -18 mod 11
= (z+18) mod 11
=4
= 1/det(A) * k33 mod 11
= ( 6* 1 ) mod 11 = 6 mod 11
= 6
R

a-132
P

PR

a-133

PR

Classical Encryption
Codes, Ciphers, Encryption and Cryptography

Cryptography is the discipline of using codes and ciphers to encrypt a

message and make it unreadable unless the recipient knows the secret to decrypt it.
Encryption has been used for many thousands of years. The following codes and
ciphers can be learned and used to encrypt and decrypt messages by hand.
Monoalphabetic Ciphers
A monoalphabetic cipher uses the same substitution across the entire message. For
example, if you know that the letter A is enciphered as the letter K, this will hold
true for the entire message. These types of messages can be cracked by
using frequency analysis, educated guesses or trial and error.

Caesar Cipher

Atbash Cipher

Keyword Cipher

Pigpen / Masonic Cipher

Polybius Square

Polyalphabetic Ciphers

In a polyalphabetic cipher, the substitution may change throughout the message. In

other words, the letter A may be encoded as the letter K for part of the message,
but later on it might be encoded as the letter W.

Vigenre Cipher

Beaufort Cipher

Autokey Cipher

Running Key Cipher

Polygraphic Ciphers
Instead of substituting one letter for another letter, a polygraphic cipher performs
substitutions with two or more groups of letters. This has the advantage of masking
the frequency distribution of letters, which makes frequency analysis attackes
much more difficult.

Playfair Cipher

Bifid Cipher

Trifid Cipher

Four-square cipher

Transposition Ciphers
Unlike substitution ciphers that replace letters with other letters, a transposition
cipher keeps the letters the same, but rearranges their order according to a specific
algorithm.

Rail Fence

Route Cipher

Columnar Transposition
2

Other Ciphers and Codes

Book Cipher

Beale Cipher

Morse Code

Tap Code

One-time Pad

Scytale

Semaphore

ASCII

Steganography

Transposition Ciphers
Rail Fence
In the rail fence cipher, the plaintext is written downwards on successive "rails" of
an imaginary fence, starting a new column when the bottom is reached. The
message is then read off in rows. For example, if we have 3 rails and a message of
"This is a secret message", you would write out:
TSACTSG
HISRMSE
ISEEEAJ
The last J is just a random letter to fill in the space. The secret message is then
condensed and regrouped.
3

TSACT SGHIS RMSEI SEEEA JGURL

To decipher a message you must know the number of rails that were used to
encipher it. You then break up the letters into equal groups for each rail. For
example, if you are using 3 rails, you would break the secret message into 3 equal
groups. Now you stack the groups on top of each other and read off the message
vertically. If you get gibberish, then there are probably some extra letters tacked on
the end of the message that are throwing off the grouping. Try removing one letter
from the end and try again.
Rail Fence Encoder / Decoder
Number of rails:
Plaintext

Ciphertext

This is a secret message

TSACTSGHISRMSEISEEEAJ

Decipher

Encipher

Route Cipher
A Route Cipher is very similar to a Rail Fence cipher with one exception. You still
write the message vertically in columns, but instead of reading off the secret
message horizontally, you read it off using a predetermined pattern. For example,
lets use a spiral pattern for this one:

TSACTSG
HISRMSE
ISEEEAJ
The last J is just a random letter to fill in the space. If we are using a clockwise
spiral to read off the message, then it becomes:
TSACTSGEJAEEESIHISRMSE
A more complex pattern could be, "every other letter going backwards to the front
and then every other letter going forwards to the end again", which would give you
a secret message of:
JEEISRIGTATSCSHSMESEA
The complex pattern makes this algorithm difficult to decipher unless you know
the key.
Columnar Transposition
In a columnar transposition, the message is written out in rows of a fixed length.
The message is then read out by column by column, where the columns are chosen
in some scrambled order. The number of columns and the order in which they are
chosen is defined by a keyword. For example, the word ZEBRAS is 6 letters long.
Therefore, there are 6 columns that will be read of in the following order: 6 3 2 4 1
5. The order is chosen by the alphabetical order of the letters in the keyword.
****************Regular Case

In a regular columnar transposition cipher, the empty spaces are filled with random
letters. For example, suppose we use the keyword ZEBRAS and the message WE
ARE DISCOVERED FLEE AT ONCE. Our grid would look like this:
ZEBR AS
632415
-----WEARED
ISCOVE
REDFLE
EATONC
EQKJEU
The six columns are now written out in the scrambled order defined by the
keyword:
EVLNE ACDTK ESEAQ ROFOJ DEECU WIREE
**************************** Irregular Case
In the irregular case, the empty letters are not filled in with random letters:
ZEBR AS
632415
-----WEARED
ISCOVE
REDFLE
EATONC
E
6

This results in the following (shorter) ciphertext:

EVLNA CDTES EAROF ODEEC WIREE
To decipher it, the recipient has to work out the column lengths by dividing the
message length by the key length. This step is slightly more difficult if the irregular
case is used. After determining the number of columns, the message can be written
in columns and rearranged back into the plaintext message.
Double Column Transposition
To make the message even more difficult to decipher, you can take the ciphertext
produced by this algorithm and run it through the encryption again using a
different keyword. This transposes the columns twice and makes the message
extremely difficult to decipher.
Keyword Cipher Encoder
Keyword:

Use Irregular Case

ZEBRAS

Plaintext

Ciphertext

WEAREDISCOVEREDFLEEATONCE

EVLNAACDTJESEAIROFOFDEECBWIREE

Encipher

Decipher

Monoalphabetic Ciphers
Caesar Cipher
A Caesar cipher is one of the simplest (and easiest cracked) encryption methods.
It is a Substitution Cipher that involves replacing each letter of the secret message
with a different letter of the alphabet which is a fixed number of positions further
in t he a lphabet. B ecause each letter in t he message has a di rect t ranslation t o
another l etter, frequency a nalysis can b e u sed to decipher t he message. F or
example, the l etter E is the most commonly used letter in t he E nglish language.
Thus, i f t he most co mmon letter in a s ecret message i s K, i t is like ly t hat K
represents E . Additionally, c ommon word endings s uch a s I NG, L Y, a nd ES a lso
give clues. A brute-force a pproach of trying all 25 possible combinations would
also work to decipher the message.
Example
In this example, each letter in the plaintext message has been shifted 3 letters down
in the alphabet.
Plaintext: This is a secret message
Ciphertext: wklv lv d vhfuhw phvvdjh

Caesar Encoder / Decoder

Number of letters to shift to the right:

Plaintext

Ciphertext

w klv lv d vhfuhw phvvdjh

This is a secret message

Encipher

Decipher

Atbash Cipher
The Atbash cipher is a very specific case of a substitution cipher where the
letters of the alphabet are reversed. In otherwords, all As are replaced with Zs, all
Bs are replaced with Ys, and so on. Because reversing the alphabet twice will get
you actual alphabet, you can encipher and decipher a message using the exact same
algorithm.
Example
Plaintext: This is a secret message
Ciphertext: Gsrh rh z hvxivg nvhhztv

Atbash Encoder / Decoder

Plaintext

Ciphertext

This is a secret message

Gsrh rh z hvxivg nvhhztv

Encipher

Keyword Cipher
The Keyword cipher is identical to the Caesar Cipher with the exception that the
substitution alphabet used can be represented with a keyword. To create a
substitution alphabet from a keyword, you first write down the alphabet. Below
this you write down the keyword (omitting duplicate letters) followed by the
remaining unused letters of the alphabet.
ABCDEFGHIJKLMNOPQRSTUVWXYZ
KEYWORDABCFGHIJLMNPQSTUVXZ
To encipher a plaintext message, you convert all letters from the top row to their
correspondng letter on the bottom row (A to K, B to E, etc). These types of simple
substitution ciphers can be easily cracked by using frequency analysis and some
educated guessing.
Keyword Cipher Encoder
Keyword:

keyw ord

Plaintext

Ciphertext

this is a secret message

qabp bp k poynoq hoppkdo

Encipher

Decipher

10

Pigpen / Masonic Cipher

The p igpen c ipher ( sometimes ca lled t he masonic c ipher o r
Freemason's c ipher) is a s imple s ubstitution c ipher e xchanging letters
for s ymbols based on a grid. The scheme was developed and used b y
the Freemasons in t he ear ly 1700s f or r ecord-keeping a nd
correspondence. T he ex ample ke y s hows on e w ay t he letters can be
assigned to the grid.

Polybius Square
A Polybius Square is a table that allows someone to translate letters
into numbers. To give a small level of encryption, this table can be
randomized and shared with the recipient. In order to fit the 26 letters
of the alphabet into the 25 spots created by the table, the letters i and j are usually
combined.To encipher a message you replace each letter with the row and column
in which it appears. For example, D would be replaced with 14. To decipher a
message you find the letter that intersects the specified row and column.

1 A B

C D E

2 F

H I

3 L

M N O P

11

4 Q R

5 V W X Y Z

Example:
Plaintext: This is a secret message
Ciphertext: 44232443 2443 11 431513421544 32154343112215

Polybius Square Encoder / Decoder

Plaintext

Ciphertext

This is a secret message

44232443 2443 11 431513421544 321543

Decipher

Encipher

Polyalphabetic Ciphers
Vigenre Cipher
In a Caesar Cipher, each letter of the alphabet is shifted along some number of
places; for example, in a Caesar cipher of shift 3, A would become D, B would

12

become E and so on. The Vigenere cipher consists of using several Caesar ciphers
in sequence with different shift values.
To encipher, a table of alphabets can be used, termed a tabula recta, Vigenre
square, or Vigenre table. It consists of the alphabet written out 26 times in
different rows, each alphabet shifted cyclically to the left compared to the previous
alphabet, corresponding to the 26 possible Caesar ciphers. At different points in the
encryption process, the cipher uses a different alphabet from one of the rows. The
alphabet used at each point depends on a repeating keyword.
For example, suppose that the plaintext to be encrypted is:
ATTACKATDAWN
The person sending the message chooses a keyword and repeats it until it matches
the length of the plaintext, for example, the keyword "LEMON":
LEMONLEMONLE
Each letter is encoded by finding the intersection in the grid between the plaintext
letter and keyword letter. For example, the first letter of the plaintext, A, is
enciphered using the alphabet in row L, which is the first letter of the key. This is
done by looking at the letter in row L and column A of the Vigenere square,
namely L. Similarly, for the second letter of the plaintext, the second letter of the
key is used; the letter at row E and column T is X. The rest of the plaintext is
enciphered in a similar fashion:
Plaintext: ATTACKATDAWN
Key:

LEMONLEMONLE

Ciphertext: LXFOPVEFRNHR
13

Decryption is performed by finding the position of the ciphertext letter in a row of

the table, and then taking the label of the column in which it appears as the
plaintext. For example, in row L, the ciphertext L appears in column A, which
taken as the first plaintext letter. The second letter is decrypted by looking up X in
row E of the table; it appears in column T, which is taken as the plaintext letter.
A Gronsfeld cipher is identical to the Vigenere cipher with the exception that only
10 rows are used which allows the keyword to be a number instead of a word.
A Beaufort cipher uses the same alphabet table as the Vigenre cipher, but with a
different algorithm. To encode a letter you find the letter in the top row. Then trace
down until you find the keyletter. Then trace over to the left most column to find
the enciphered letter. To decipher a letter, you find the letter in the left column,
trace over to the keyletter and then trace up to find the deciphered letter.
An Autokey cipher is identical to the Vigenre cipher with the exception that
instead of creating a keyword by repeating one word over and over, the keyword is
constructed by appending the keyword to the begining of the actual plaintext
message.
A Running Key cipher is identical to the Vigenre cipher with the exception that
the keyword is chosen to be a book or long passage.
Beaufort Cipher
To encrypt a plaintext message using the Vigenre Cipher, one locates the row
with the first letter to be encrypted, and the column with the first letter of the
keyword. The ciphertext letter is located at the intersection of the row and column.
This continues for the entire length of the message.
14

A Beaufort cipher uses the same alphabet table as the Vigenre cipher, but with a
different algorithm. To encode a letter you find the letter in the top row. Then trace
down until you find the keyletter. Then trace over to the left most column to find
the enciphered letter. To decipher a letter, you find the letter in the left column,
trace over to the keyletter and then trace up to find the deciphered letter. Some
people find this easier to do than finding the intersection of a row and column

Autokey Cipher
To encrypt a plaintext message using the Vigenre Cipher, one locates the
row with the first letter to be encrypted, and the column with the first letter of the
keyword. The ciphertext letter is located at the intersection of the row and column.
this continues for the entire length of the message.
An Autokey cipher is identical to the Vigenre cipher with the exception that
instead of creating a keyword by repeating one word over and over, the keyword is
constructed by appending the keyword to the beginning of the actual plaintext
message.
For example, if your plain text message was:
This is a secret message
And your keyword was "zebra", then your actual keyword would be:
zebrathisisasecretmessage
Enciphering and deciphering the message is performed using the exact same
method as the Vigenre Cipher
15

Running Key Cipher

To encrypt a plaintext message using the Vigenre Cipher, one locates the row
with the first letter to be encrypted, and the column with the first letter of the
keyword. The ciphertext letter is located at the intersection of the row and column.
This continues for the entire length of the message.
In a Running Key cipher, the keyword is the text of a predetermined book or
passage. For example, if the chossed book was "A Tale of Two Cities" by Charles
Dickens, then the keyword would be It was the best of times, it was the worst of
times...
Enciphering and deciphering the message is performed using the exact same
method as the Vigenre Cipher. If the predetermined passage is a string of random
letters that is only used once and then discarded, this is similar to a One-time Pad.

Polygraphic Ciphers
Instead of substituting one letter for another letter, a polygraphic cipher
performs substitutions with two or more groups of letters. This has the advantage
of masking the frequency distribution of letters, which makes frequency analysis
attackes much more difficult.
Playfair Cipher
The Playfair cipher encrypts pairs of letters (digraphs), instead of single letters.
This is significantly harder to break since the frequency analysis used for simple
substitution ciphers is considerably more difficult.
16

Memorization of the keyword and 4 simple rules is all that is required to create the
5 by 5 table and use the cipher.
KEYWO
RDABC
FG H I J
LM N PS
TUVXZ
The Playfair cipher uses a 5 by 5 table containing a key word or phrase. To
generate the table, one would first fill in the spaces of the table with the letters of
the keyword (dropping any duplicate letters), then fill the remaining spaces with
the rest of the letters of the alphabet in order (to reduce the alphabet to fit you can
either omit "Q" or replace "J" with "I"). In the example to the right, the keyword is
"playfair example".
To encrypt a message, one would break the message into groups of 2 letters. If
there is a dangling letter at the end, we add an X. For example. "Secret Message"
becomes "SE CR ET ME SS AG EX". We now take each group and find them out
on the table. Noticing the location of the two letters in the table, we apply the
following rules, in order.
1. If both letters are the same, add an X between them. Encrypt the new pair,
re-pair the remining letters and continue.
2. If the letters appear on the same row of your table, replace them with the
letters to their immediate right respectively, wrapping around to the left side
of the row if necessary. For example, using the table above, the letter pair GJ
would be encoded as HF.
17

3. If the letters appear on the same column of your table, replace them with the
letters immediately below, wrapping around to the top if necessary. For
example, using the table above, the letter pair MD would be encoded as UG.
4. If the letters are on different rows and columns, replace them with the letters
on the same row respectively but at the other pair of corners of the rectangle
defined by the original pair. The order is important - the first letter of the
pair should be replaced first. For example, using the table above, the letter
pair EB would be encoded as WD.
To decipher, ignore rule 1. In rules 2 and 3 shift up and left instead of down and
right. Rule 4 remains the same. Once you are done, drop any extra Xs that don't
make sense in the final message and locate any missing Qs or any Is that should be
Js.
Playfair Cipher Encoder / Decoder
Keyword:

keyw ord

Omit Q

Plaintext

Replace J with I
Ciphertext

thisisasecretmessage

vf jp jp cn od dk ul om nc md

Encipher

Decipher

18

Bifid Cipher
The Bifid Cipher uses a Polybius Square to encipher a message in a way that
makes it fairly difficult to decipher without knowing the secret. This is because
each letter in the ciphertext message is dependent upon two letters from the
plaintext message. As a result, frequency analysis of letters becomes much more
difficult.
1 2 3 4 5
1 A B C D E
2 F G H I

3 L M N O P
4 Q R S T U
5 V W X Y Z

The first step is to use the Polybius Square to convert the letters into numbers. We
will be writing the numbers vertically below the message.
secret message
411414 3144121
353254 2533125
The numbers are now read off horizontally and grouped into pairs.
41 14 14 31 44 12 13 53 25 42 53 31 25

19

The Polybius Square is used again to convert the numbers back into letters which
gives us our ciphertext.
qddltbcxkrxlk
Since the first letter in the plaintext is encoded into the first and middle letters of
the ciphertext, the recipient of the message must have the entire message before
they can decode it. This means that if part of the ciphertext is discovered by a third
party, it is unlikely that they will be able to crack it.
To decipher a Bifid encrypted message, you first convert each letter into its
corresponding number via the Polybius Square. Now, divide the long string of
numbers into two equal rows. The digit in the top row and the digit in the bottom
row will together reference the decoded letter in the Polybius Square.
The Bifid Cipher can be taken into three dimensions to slightly increase the
security of the message. This new cipher is called the Trifid Cipher.
Bifid Encoder / Decoder
Plaintext

Ciphertext

secretmessage

qddltbcxkrxlk

Decipher

Encipher

20

Trifid Cipher
The Trifid Cipher is the Bifid Cipher taken to one more dimension. Instead of
using a 5x5 Polybius Square, you use a 3x3x3 cube. Otherwise everything else
remains the same. As with the Bifid Cipher, the cube can be mixed to add an extra
layer of protection, but for these examples we not be using a mixed alphabet cube.
The first step is to use the cube to convert the letters into numbers. We will be
writing the numbers vertically below the message in the order of Layer, Column,
Row.
secret message
311213 2133111
123322 1211112
121321 2211132
The numbers are now read off horizontally and grouped into triplets.
311 213 213 311 112 332 212 111 121 213 212 211 132
The cube is used again to convert the numbers back into letters which gives us our
ciphertext.
Sppsdxmabpmjf

21

To decipher a Trifid encrypted message, you first convert each letter into its
corresponding number via the cube. Now, divide the long string of numbers into
three equal rows. Now, read off each column and use the cube to convert the three
numbers into the plaintext letter.
Layer 2

Layer 1

1 2 3

1 2 3

Layer 3
1

2 3

1 A B C

1 J

K L

1 S T U

2 D E F

2 M N O

2 V W X

3 G H I

3 P Q R

3 Y Z .

Trifid Encoder / Decoder

Plaintext

Ciphertext

secretmessage

sppsdxmabpmjf

Encipher

Decipher

22

Four-square cipher
The four-square cipher encrypts pairs of letters (digraphs) and is thus less
susceptible to frequency analysis attacks.
The four-square cipher uses four 5 by 5 matrices arranged in a square. Each of the
5 by 5 matrices contains the letters of the alphabet (usually omitting "Q" or putting
both "I" and "J" in the same location to reduce the alphabet to fit). In general, the
upper-left and lower-right matrices are the "plaintext squares" and each contain a
standard alphabet. The upper-right and lower-left squares are the "ciphertext
squares" and contain a mixed alphabetic sequence.
abcde

EXAM P

fghi j

LBC D F

klmno

GHIJK

prstu

NORST

vw xyz

UVWYZ

KEYWO

ab cde

RDABC

fgh ij

FG HIJ

k l mno

LMNPS

prstu

TUVXZ

vwxyz

To generate the ciphertext squares, one would first fill in the spaces in the matrix
with the letters of a keyword or phrase (dropping any duplicate letters), then fill the
remaining spaces with the rest of the letters of the alphabet in order. The foursquare algorithm allows for two separate keys, one for each of the two ciphertext
23

matrices. In the example to the right, "EXAMPLE" and "KEYWORD" have been
used as keywords. To encrypt a message you would first split the message into
digraphs. "This is a secret message" would become:
TH IS IS AS EC RE TM ES SA GE
abcde

EXAM P

fghi j

LBC D F

klmno

GHIJK

prstu

NORST

vw xyz

UVWYZ

KEYWO

abcde

RDABC

fg hij

FG HIJ

k l mno

LMNPS

prstu

TUVXZ

vwx yz

Once that was complete, you would take the first pair of letters and find the first
letter in the upper left square and the second letter in the lower right square. In this
example we are enciphering TH, so we locate T and H in the grid below (see blue
characters). Now, we find the intersections of the rows and columns of the plain
text letters. In this example, they have been highlighted in red (R and B). These
new letters are the enciphered digraph (RB).
You continue enciphering digraphs in this way until you reach the end of the
message. To continue our example, "This is a secret message" would be enciphered
as:

24

RB CP CP AL AO TE RI AS NY FE
Other Ciphers and Codes
ASCII
ASCII is a code used by computers to represent characters as numbers. This allows
computers to store a letter as one byte of information. One byte of information
allows you to represent 256 different values, which is enough to encode all the
letters (uppercase and lowercase) as well as the numbers 0-9 and other special
characters such as the @ symbol.
ASCII Encoder / Decoder
Plaintext

ASCII

This is a secret message

84 104 105 115 32 105 115 32 97 32 115

Convert to ASCII

Convert from ASCII

Beale Cipher
A beale cipher is a modified Book Cipher. Instead of replacing each word in the
secret message with a number, you replace each letter in the secret message with a
number. The letter by letter method makes it easier to encode a message with
unusual words that may not appear in the book. With this method, each letter in the
25

secret message is replaced with a number which represents the position of a word
in the book which starts with this letter. For example, if we are enciphering the
word "attack" we would start with the letter A. We would find a word in the book
that started with A. Lets say that the 27th word was "and". The letter A is now
translated to 27. An encoded message may look something like this.
713 23 245 45 124 1269 586 443 8 234
It should be noted that for enhanced security, the same number should not be used
for the same letter throughout the secret message. Because you have a book, you
can pick multiple numbers for each letter and use them interchangeably.
Beale Encoder
Plaintext

Book

secret

seven crazy termites eat rotten elderberrie

(To protect our server, these fields can hold a maximum of 5000 characters each)

Encipher

Beale Decoder
Ciphertext

Book

26

seven crazy termites eat rotten elderberrie

142563

(To protect our server, these fields can hold a maximum of 5000 characters each)

Decipher

Book Cipher
A book cipher uses a large piece of text to encode a secret message. Without the
key (the piece of text) it is very difficult to decrypt the secret message. To
implement a book cipher, each word in the secret message would be replaced with
a number which represents the same word in the book. For example, if the word
"attack" appeared in the book as word number 713, then "attack" would be
replaced with this number. The result would be an encoded message that looked
something like this.
713 23 245 45 124 1269 586 443 8 234

To decipher the message you simply count the number of words in the book and
write down each one

Frequency Analysis
Frequency Analysis is a cryptanalysis technique of studying the frequency that
letters occur in the encrypted ciphertext. In English, certain letters are more
27

commonly used than others. This fact can be used to take educated guesses at
deciphering a Monoalphabetic Substitution Cipher.
Here is the alphabet in order of the frequency that each letter is used.
E, T, A, O, I, N, S, R, H, L, D, C, U, M, F, P, G, W, Y, B, V, K, X, J, Q, Z

Morse Code
Morse code is a method for transmitting information, using standardized
sequences of short and long marks or pulses - commonly known as "dots" and
"dashes" - for the letters, numerals, punctuation and special characters of a
message.
Originally created for Samuel Morse's electric telegraph in the mid-1830s, it was
also extensively used for early radio communication beginning in the 1890s.
However, with the development of more advanced communications technologies,
the widespread use of Morse code is now largely obsolete.
When using morse code, a dash is equal to three dots. A space between parts of the
same letter is equal to one dot. A space between two letters is equal to three dots
and a space between two words is equal to five dots.
Morse Code Encoder / Decoder
Please use a period (.) for a dot and a minus (-) for a dash. When typing morse
code, use a space to separate letters and a double space to separate words.
Plaintext

Morse Code
28

- .... .. ... .. ... .- -- . ... ... .- --. .

This is a message

Encode

Decode

One-time Pad
The one-time pad is a long sequence of random letters. These letters are combined
with the plaintext message to produce the ciphertext. To decipher the message, a
person must have a copy of the one-time pad to reverse the process. A one-time
pad should be used only once (hence the name) and then destroyed. This is the first
and only encryption algorithm that has been proven to be unbreakable.
To encipher a message, you take the first letter in the plaintext message and add it
to the first random letter from the one-time pad. For example, suppose you are
enciphering the letter S (the 19th letter of the alphabet) and the one-time pad gives
you C (3rd letter of the alphabet). You add the two letters and subtract 1. When
you add S and C and subtract 1, you get 21 which is U. Each letter is enciphered in
this method, with the alphabet wrapping around to the begining if the addition
results in a number beyond 26 (Z).
To decipher a message, you take the first letter of the ciphertext and subtract the
first random letter from the one-time pad. If the number is negative you wrap
around to the end of the alphabet.
Example
29

plaintext : SECRETMESSAGE
one-time pad: CIJTHUUHMLFRU
ciphertext : UMLKLNGLEDFXY
One-time Pad Encoder / Decoder
Plaintext / Ciphertext

One-time pad
CIJTHUUHMLFRU

SECRETMESSAGE

Encipher

Decipher

Enciphered Message:
UMLKLNGLEDFXY
Semaphore
Sempahore is similar to Morse code in that each letter of a message is translated
into another form to allow it to be more easily communicated. While Morse code is
used to send messages electronically over a telegraph line, semaphore is used to
visually communicate information over long distances.
To use semaphore, an operator holds a flag or lighted wand in each hand. The
operator extends their arms to the correct position and pauses for each letter of the
message. "Attention" is the only signal that involves movement and the "rest"
position is the only time when the flags should cross.

30

Tap Code
The Tap Code is a code (similar to Morse Code), commonly used by prisoners in
jail to communicate with one another. The method of communicating is usually by
"tapping" either the metal bars or the walls inside the cell, hence its name. It is a
very simple code, not meant to avoid interception, since the messages are sent in
cleartext.
It was reportedly invented by four POWs imprisoned in
Vietnam and is sometimes called "Smitty Code" after Captain
Carlyle ("Smitty") Harris. Harris remembered an Air Force

1 2 3 4 5
1 A B C D E

instructor who had shown him a code based on a five-by-five

alphabet matrix (a Polybius square), as shown on the graph.

2 F G H I

Each letter was communicated by tapping two numbers. The

3 L M N O P

first designated the horizontal row and the second designated

the vertical row. The letter "X" was used to break up sentences 4 Q R S T U
and the letter "C" replaced the letter "K".

5 V W X Y Z

For example, to communicate the word "WATER" the code

would be the following
..... .. . . .... .... . ..... .... ..
Because of the difficulty and length of time required for specifying a single letter,
most prisoners devised abbreviations and acronyms for common items or phrases.
Tap Code Encoder / Decoder

31

Please use a period (.) for a tap. When typing tap code, use a space to separate tap
groups, a double space to separate letters and a / to separate words.
Plaintext

Morse Code

This is a message

.... .... .. ... .. .... .... ... / .. .... .... ... / . .

Encode

Decode

32

Data Encryption Standard (DES)

Block Cipher
Block Cipher - An encryption scheme that "the clear text is broken up into blocks of fixed length, and encrypted
one block at a time".
Usually, a block cipher encrypts a block of clear text into a block of cipher text of the same length. In this case, a
block cipher can be viewed as a simple substitute cipher with character size equal to the block size.
ECB Operation Mode - Blocks of clear text are encrypted independently. ECB stands for Electronic Code
Book. Main properties of this mode:

Identical clear text blocks are encrypted to identical cipher text blocks.
Re-ordering clear text blocks results in re-ordering cipher text blocks.
An encryption error affects only the block where it occurs.

CBC Operation Mode - The previous cipher text block is XORed with the clear text block before applying the
encryption mapping. Main properties of this mode:

An encryption error affects only the block where is occurs and one next block.

Product Cipher - An encryption scheme that "uses multiple ciphers in which the cipher text of one cipher is
used as the clear text of the next cipher". Usually, substitution ciphers and transposition ciphers are used
alternatively to construct a product cipher.
Iterated Block Cipher - A block cipher that "iterates a fixed number of times of another block cipher, called
round function, with a different key, called round key, for each iteration".
Feistel Cipher - An iterate block cipher that uses the following algorithm:
Input:
T: 2t bits of clear text
k1, k2, ..., kr: r round keys
f: a block cipher with bock size of t
Output:
C: 2t bits of cipher text
Algorithm:
(L0, R0) = T, dividing T in two t-bit parts
(L1, R1) = (R0, L0 ^ f(R0, k1))
(L2, R2) = (R1, L1 ^ f(R1, k2))
......
C = (Rr, Lr), swapping the two parts

^ is the XOR operation.

DES Cipher - A 16-round Feistel cipher with block size of 64 bits. DES stands for Data Encryption Standard.

Data Encryption Standard (DES)

The Data Encryption Standard (DES), known as the Data Encryption Algorithm (DEA) by
ANSI and the DEA-1 by the ISO, has been most widely used block cipher in world,
especially in financial industry. It encrypts 64-bit data, and uses 56-bit key with 16 48-bit
sub-keys.
6.1 DES (Data Encryption Standard) history
In the early 1970s, there are no cryptagraphic equipment available on the market. Although
several small companies made and sold cryptographic equipment. The equipment was all
different and couldn't interoperate. No one really knew if any of it was secure; there was no
independent body to certify the security.
In 1972, the National Bureau of Standards (NBS), now the National Institute of Standards
and Technology (NIST), initiated a program to protect computer and communications data.
As part of that program, they wanted to develop a single, standard cryptographic algorithm.
A single algorithm could be tested and certified, and different cryptographic equipment
using it could interoperate. It would also be cheaper to implement and readily available.
In the May, 1973 and again in August, 1974, the NBS issued a public request for proposals
for a standard cryptographic algorithm. They specified a series of design criteria:
The algorithm must be:

security

completely specified
2

easy to understand

public

available to all users

efficient to use

able to be validated

exportable

Public response indicated that there was considerable interest in a cryptographic standard,
but little public expertise in the field. Most of the submissions are reworked classical or
machine cipher; none of the submissions came close to meeting the requirements.
However, IBM submitted an algorithm based on one developed by IBM during the early
1970s, called Lucifer. The algorithm, although complicated, was straightforward. It used
only simple logical operations on small groups of bits and could be implemented fairly
efficiently in hardware.
The proposed standard was adopted as a federal standard in November, 1976 and authorized
for use on all unclassified government communications. ANSI approved DES as a privatesector standard in 1980.
6.2 Description of DES
DES is a block cipher; it encrypts data in 64-bit blocks. A 64-bit block of plaintext
goes in one end of the algorithm and a 64-bit block of ciphertext comes out
the other end. DES is a symmetric algorithm: The same algorithm and key are used for both
encryption and decryption (except for minor differences in the key
schedule).
The key length is 56 bits. (The key is usually expressed as a 64-bit number, but
3

every eighth bit is used for parity checking and is ignored. These parity bits are
the least- significant bits of the key bytes.) The key can be any 56-bit number and can be
changed at any time. All security rests within the key.
At its simplest level, the algorithm is nothing more than a combination of the two
basic techniques of encryption: confusion and diffusion. The fundamental building block of
DES is a single combination of these techniques (a substitution followed by a permutation)
on the text, based on the key. This is known as a round. DES has 16 rounds; it applies the
same combination of techniques on the plaintext block 16 times (see Figure 6.1).

Figure 6.1 DES

Outline of the Algorithm
The basic process in enciphering a 64-bit data block using the DES consists of:

an initial permutation (IP)

16 rounds of a complex key dependent calculation f

5

final permutation, being the inverse of IP

In each round (see Figure 6.2), the key bits are shifted, and then 48 bits are selected from the
56 bits of the key. The right half of the data is expanded to 48 bits via an expansion
permutation, combined with 48 bits of a shifted and permuted key via an XOR, sent through
8 S-boxes producing 32 new bits, and permuted again. These four operations make up
Function f. The output of Function f is then combined with the left half via another XOR.
The result of these operations becomes the new right half; the old right half becomes the
new left half.
If Bi is the result of the ith iteration, Li and Ri are the left and right halves of Bi, Ki is the
48-bit key for round i, and f is the function that does all the substituting and permuting and
XORing with the key, then a round looks like:
Li = R j-1
Ri = L i-1 Xor f (R i-1 , K i )

Figure 6.2 One round of DES

The Initial Permutation

The initial permutation occurs before round 1; it transposes the input block as described in
Table 6.1. This table, like all the other tables in this lecture, should be read left to right, top
to bottom. For example, the initial permutation moves bit 58 of the plaintext to bit position
1, bit 50 to bit position 2, bit 42 to bit position 3, and so forth.
The initial permutation and the corresponding final permutation do not improve DES's
security, just make DES more complex.

Example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
Note that all numbers are written in hexadecimal as a "short-form" version of the binary
actually used, since 1 Hex digit = 4 Binary bits. The digit mapping is:
0=0000 1=0001 2=0010 3=0011 4=0100 5=0101 6=0110 7=0111
8=1000 9=1001 a=1010 b=1011 c=1100 d=1101 e=1110 f=1111
The Key Transformation
Initially, the 64-bit DES key is reduced to a 56-bit key by ignoring every eighth bit. Let us
call this operation PC1. This is described in Table 6.2.
PC2 is the operation which reduces the 56-bits key to a 48-bits subkey for each of the 16
rounds of DES. These subkeys, Ki, are determined in the following manner. PC1 splits the
key bits into 2 halves (C and D), each 28-bits. The halves C and D are circularly shifted left
by either one or two bits, depending on the round. This shift is given in Table 6.3.
After being shifted, 48 out of the 56 bits are selected. This is done by an operation called
compression permutation, it permutes the order of the bits as well as selects a subsets of
bits. Table 6.4 defines the compression permutation.
Example:
keyinit(5b5a5767, 6a56676e)
PC1(Key) C=00ffd820,

D=ffec9370
8

KeyRnd01 C1=01ffb040,

D1=ffd926f0,

PC2(C,D)=(38 09 1b 26 2f 3a 27 0f)

KeyRnd02 C2=03ff6080,

D2=ffb24df0,

PC2(C,D)=(28 09 19 32 1d 32 1f 2f)

KeyRnd03 C3=0ffd8200,

D3=fec937f0, PC2(C,D)=(39 05 29 32 3f 2b 27 0b)

KeyRnd04 C4=3ff60800,

D4=fb24dff0,

KeyRnd05 C5=ffd82000,

D5=ec937ff0, PC2(C,D)=(03 25 1d 13 1f 3b 37 2a)

KeyRnd06 C6=ff608030,

D6=b24dfff0,

KeyRnd07 C7=fd8200f0,

D7=c937ffe0, PC2(C,D)=(03 3c 07 09 13 3f 39 3e)

KeyRnd08 C8=f60803f0,

D8=24dfffb0,

PC2(C,D)=(06 34 26 1b 3f 1d 37 38)

KeyRnd09 C9=ec1007f0, D9=49bfff60,

PC2(C,D)=(07 34 2a 09 37 3f 38 3c)

PC2(C,D)=(29 2f 0d 10 19 2f 1d 3f)
PC2(C,D)=(1b 35 05 19 3b 0d 35 3b)

KeyRnd10 C10=b0401ff0, D10=26fffd90, PC2(C,D)=(06 33 26 0c 3e 15 3f 38)

KeyRnd11 C11=c1007fe0, D11=9bfff640, PC2(C,D)=(06 02 33 0d 26 1f 28 3f)
KeyRnd12 C12=0401ffb0, D12=6fffd920, PC2(C,D)=(14 16 30 2c 3d 37 3a 34)
KeyRnd13 C13=1007fec0, D13=bfff6490, PC2(C,D)=(30 0a 36 24 2e 12 2f 3f)
KeyRnd14 C14=401ffb00, D14=fffd9260, PC2(C,D)=(34 0a 38 27 2d 3f 2a 17)
KeyRnd15 C15=007fec10, D15=fff649b0, PC2(C,D)=(38 1b 18 22 1d 32 1f 37)
KeyRnd16 C16=00ffd820, D16=ffec9370, PC2(C,D)=(38 0b 08 2e 3d 2f 0e 17)

Table 6.1
Initial Permutation
58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7.

Table 6.2
Key Permutation
57,

49,

41,

33,

25,

17,

9,

1,

58,

50, 42,

34,

26,

18,

10,

2,

59,

51,

43,

35,

27,

19,

11,

3,

60,

52,

44,

36,

63,

55,

47,

39,

31,

23, 15,

7,

62,

54, 46,

38,

30,

22,

14,

6,

61,

53,

45,

37,

21,

13,

5,

20,

12,

4.

29,

28,

Table 6.3
Number of Key Bits Shifted per Round
Round

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Number 1 1 2 2 2 2 2 2 1

Table 6.4
Compression Permutation
14, 17, 11, 24, 1, 5,

3, 28, 15, 6, 21, 10,

23, 19, 12, 4, 26, 8, 16,

7, 27, 20, 13,

2,

41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32.

10

The Expansion Permutation

This operation expands the right half of the data, R i , from 32 bits to 48 bits. Because this
operation changes the order of the bits as well as repeating certain bits, it is known as an
expansion permutation. This operation has two purposes: It makes the right half the same
size as the key for the XOR operation and it provides a longer result that can be compressed
during the substitution operation. However, neither of those is its main cryptographic
purpose.
For each 4-bit input block, the first and fourth bits each represent two bits of the output
block, while the second and third bits each represent one bit of the output block. Table 6.5
shows which output positions correspond to which input positions. For example, the bit in
position 3 of the input block moves to position 4 of the lutput block, and the bit in position
21 of the input block moves to positions 30 and 32 of the output block.

Table 6.5
Expansion Permutation
32,

1,

2,

3,

4,

5,

4,

5,

6,

7,

8,

9,

8.

9,

10,

11,

12,

13,

12,

13,

14,

15,

16, 17,

16,

17,

18,

19,

20,

21,

20,

21,

22,

23,

24, 25,

24,

25,

26,

27,

28,

29,

28,

29,

30,

31,

32,

The S-Box Substitution

After the compressed key is XORed with the expanded block, the 48-bit result moves to a
substitution operation. The substitutions are performed by eight substitution boxes, or S11

boxes.
Each S-box has a 6-bit input and a 4-bit output, and there are eight different S-boxes. The 48
bits are divided into eight 6-bit sub-blocks. Each separate block is operated on by a separate
S-box: The first block is operated on by S-box 1, the second block is operated on by S-box
2, and so on.
Each S-box is a table of 4 rows and 16 columns. Each entry in the box is a 4-bit number.
The 6 input bits of the S-box specify under which row and column number to look for the
output. Table 6.6 shows all eight S-boxes.
The input bits specify an entry in the S-box in a very particular manner. Consider an S-box
input of 6 bits, labeled bi, b2, b3, b, b, and b6. Bits b, and b6are combined to form a 2-bit
number, from 0 to 3, which corresponds to a row in the table. The middle 4 bits, b2 through
b5, are combined to form a 4-bit number, from 0 to 15, which corresponds to a column in
the table.
For example, assume that the input to the sixth S-box (i.e., bits 31 through 36 of the XOR
function) is 110011. The first and last bits combine to form 11, which corrspends to row 3 of
the sixth S-box. The middle 4 bits combine to form 1001, which corresponds to the column
9 of the same S-box. The entry under row 3, column 9 of S-box 6 is 14. (Remember to count
rows and columns from 0 and not from 1.) The value 1110 is substituted for 110011.
The S-box substitution is the critical step in DES. The algorithm's other operanons are linear
and easy to analyze. The S-boxes are nonlinear and, more than any.hing else, give DES its
security.
The result of this substitution phase is eight 4-bit blocks which are recombined into a single
32-bit block. This block moves to the next step: the P-box permutation.

12

Table 6.6
S-Boxes

S-box 1:
14,

4, 13, 1,

0, 15,
4,

2, 15, 11,

7, 4, 14,

2, 13,

1, 14, 8, 13,

15, 12,

8,

8, 2, 4,

3, 10,

1, 10,

6, 12,

5,

9, 0,

7,

6, 12, 11,

9,

5, 3,

8,

3, 10, 5,

0,

6,

2, 11, 15, 12,

9,

9,

1,

3, 14, 10, 0, 6, 13,

7,

5, 11,

7,

S-box 2:
15,

1,

8, 14,

6,

11,

3,

4,

9,

7,

2,

13,

12,

3, 13,

4, 7,

15,

2,

8,

14,

12,

0,

1,

10,

0, 14,

7, 11,

10,

4,

13,

1,

5,

8,

12,

6,

3, 15,

4,

2,

11,

6,

7, 12,

13,

8, 10, 1,

0,

5,

10,

6,

9, 11,

5,

9,

3,

2,

15,

0, 5, 14,

9,

S-box 3:
10,

0,

9,

14,

6,

3,

15,

5,

1,

13,

12,

7,

11,

4,

2,

8,

13,

7,

0,

9,

3,

4,

6,

10,

2,

8,

5,

14,

12,

11,

15, 1,

13,

6,

4,

9,

8,

15,

3,

0,

11,

1,

2,

12,

5,

10,

14,

7,

1, 10, 13, 0,

6,

9,

8,

7,

4,

15,

14,

3,

11,

5,

2,

12,

S-box 4:
7, 13,

14,

3,

0,

6,

9,

10,

1,

2,

8,

5,

11,

12,

4, 15,

3,

4,

7,

2,

12,

1,

10,

14,

9,

13, 15,

1,

3,

14,

5,

2,

8,

4,

13,

8,

11,

5,

6,

15,

0,

10,

6,

9,

0,

12,

11,

7,

13

3, 15,

0,

6,

10,

1,

13,

8,

9,

4,

5,

11,

12,

7,

2, 14,

S-box 5:
2, 12,

4,

1,

7,

10,

11,

6,

8,

5,

3,

15,

13,

0, 14,

9,

14, 11,

2, 12,

4,

7,

13,

1,

5,

0,

15,

10,

3,

9,

8,

6,

41, 2,

1, 11,

10, 13,

7,

8,

15,

9,

12,

5,

6,

3,

0,

14,

1,

14,

2,

13,

6,

15,

0,

9,

10,

4,

5,

3,

9,

2,

6,

8,

0, 13,

3,

4,

14,

7,

5, 11,

11, 8, 12, 7,
S-box 6:
12,

1, 10, 15,

10, 15,

4,

2,

7,

12,

9,

5,

6,

1,

13,

14,

0,

11,

3,

8,

9, 14, 15,

5,

2,

8,

12,

3,

7,

0,

4,

10,

1,

13,

11,

6,

4,

12,

9,

5,

15, 10, 11, 14,

1,

7,

6,

0,

3, 2,

8,

13,

S-box 7:
4, 11,
13,
1,

2, 14,

15,

0,

8,

13,

3,

12,

9,

7,

5,

10,

6,

1,

7,

4,

9,

1,

10,

14,

3,

5,

12,

2,

15,

8,

6,

4, 11, 13,

12,

3,

7,

14,

10,

15,

6,

8,

0,

5,

9,

2,

1,

4,

10,

7,

9,

5,

0,

15,

14,

2,

3,

12,

0, 11,

6, 11, 13,

8,

S-box 8:
13,

8, 4,

6,

15,

11,

1, 10,

9,

3,

14,

5,

1, 15, 13, 8,

10,

3,

7,

4, 12,

5,

6,

11,

0, 14,

9,

2,

7, 11,

4, 1,

9,

12,

14,

2,

6,

10,

13,

15,

3,

5,

8,

1, 14, 7,

4,

10,

8, 13, 15, 12,

9,

0,

3,

5,

6,

11

-2,

2,

0,

14

0, 12,

7,

Example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
The P-Box Permutation
The 32-bit output of the S-box substitution is permuted according to a P-box. This
permutation maps each input bit to an output position; no bits are used twice and no bits are
ignored. Table 12.7 shows the position to which each bit moves. For example, bit 21 moves
to bit 4. while bit 4 moves to bit 3 1.
Table 6.7
P-Box Permutation
16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
Finally, the result of the P-box permutation is XORed with the left half of the initial 64-bit
block. Then the left and right halves are switched and another round begins.
The Final Permutation
The final permutation is the inverse of the initial permutation and is described in Table 6.8.
Note that the left and right halves are not exchanged after the last round of DES; instead the
concatenated block R 16 L16 is used as the input to the final permutation. There's nothing
going on here; exchanging the halves and shifting around the permutation would yield
exactly the same result. This is so that the algorithm can be used to both encrypt and
decrypt.
15

Table 6.8
Final Permutation
40,

8,

48,

16,

56,

24,

64,

32,

39,

7,

47,

15,

55,

23,

63,

31,

38,

6,

46, 14,

54,

22,

62

30,

37,

5,

45,

13,

53,

21,

61,

29,

36,

4,

44,

12,

52,

20,

60,

28,

35,

3,

43,

11,

51,

19,

59,

27,

34,

2,

42,

10,

50,

18,

58,

26,

33,

1,

41,

9,

49,

17,

57,

25.

Decrypting DES
After all the substitutions, permutations, XORs, and shifting around, you might think that
the decryption algorithm is completely different and just as confusing as the encryption
algorithm. On the contrary, the various operations were chosen to produce a very useful
property: The same algorithm works for both encryption and decryption.
With DES it is possible to use the same function to encrypt or decrypt a block. The only
difference is that the keys must be used in the reverse order. That is, if the encryption keys
for each round are K1, K2, K3, . . . , K16, then the decryption keys are K16, K15, K14, . . . ,
K1,. The algorithm that generates the key used for each round is circular as well. The key
shift is a right shift and the number of positions shifted is 0, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2,
2, 1.

Summary
DES is a widely used symmetric block cipher. It encrypts 64-bit data, and uses 56-bit key

16

with 16 48-bit sub-keys. The basic process in enciphering a 64-bit data block using the DES
consists of:

an initial permutation (IP).

16 rounds of a complex key dependent calculation f

a final permutation, being the inverse of IP.

Review Questions
1. How many bit of data does DES encrypt?
2. What is the length of the key of DES?
3. How many rounds of key dependent calculation does DES need to encrypt data?
4. Which step in DES algorithm gives DES security?
5. If K1, K2, ..., K16 are encryption key, What is the decryption key?

17

Answers:
1. 64 bits.
2. 56 bits.
3. 16 rounds of calculation.
4. S-box substitution.
5. The decryption key is K16, K15, K14, K13,..., K2, K1.

Practice Test
1. True or false:
DES is a block symmetric cipher which encrypt 64 bits data using same length key.
2. True or false:
The same algorithm works for both encryption and decryption.
3. Which step in the algorithm gives DES security.

18

A)P-box permuation B)S-box substitution C) Initial permuation

4. How many boxes in the S-box substitution step?
5. In decryption, the order of key is
A) same as in encryption

B) the reverse order

Answers:
1. F
2. T
3. B
4. Eight
5. B

19

Exponential Cipher
Introduction
traditional private/secret/single key cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message & claiming is
sent by sender
Public-Key Cryptography
probably most significant advance in the 3000 year history of cryptography
uses two keys a public & a private key
asymmetric since parties are not equal
uses clever application of number theoretic concepts to function
complements rather than replaces private key crypto
Why Public-Key Cryptography?
developed to address two key issues:
key d istribution how t o have secure communications i n g eneral
without having to trust a KDC with your key
digital s ignatures how t o verify a message co mes intact from t he
claimed sender
public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni
in 1976
known earlier in classified community
1

Public-Key Cryptography
public-key/two-key/asymmetric cryptography involves the use of two keys:
a public-key, w hich may be k nown b y a nybody, a nd c an be used t o
encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt messages,
and sign (create) signatures
is asymmetric because
those who encrypt messages or verify signatures cannot decrypt
messages or create signatures

Public-Key Characteristics
Public-Key algorithms rely on two keys where:
it i s computationally i nfeasible t o f ind decryption ke y k nowing o nly
algorithm & encryption key
2

 it is co mputationally easy t o en/decrypt messages w hen the r elevant

(en/decrypt) key is known
either o f t he t wo related keys c an be us ed for e ncryption, w ith t he
other used for decryption (for some algorithms)

Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes
like pr ivate ke y s chemes br ute force e xhaustive s earch at tack is a lways
theoretically possible
3

 but keys used are too large (>512bits)

security relies o n a large e nough d ifference in d ifficulty be tween eas y
(en/decrypt) and hard (cryptanalyse) problems
more generally the hard problem is known, but is made hard enough to be
impractical to break
requires the use of very large numbers
hence is slow compared to private key schemes

Exponentiation Ciphers
We w ill c onsider two kinds of e xponentiation c iphers de veloped by the
following people:
Pohlig and Hellman
Rivest, Shamir, and Adleman (RSA)

Both schemes e ncipher a message b lock M [0, n 1] b y c omputing the

exponential C = M e mod n,
where e and n are the key to the enciphering transformation.
M is restored by the same operation, but using a different exponent d for the
key: M = C d mod n.
Enciphering a nd deciphering can be i mplemented using t he fast
exponentiation algorithm:
C = fast_exp(M, e, n)
M = fast_exp(C, d, n)
4

 Thm: Given e, d, M such that ed mod (n)

= 1,M [0, n -1] ,gcd(M, n) = 1,
Then (M e mod n) d mod n = M.
Proof:
(M e mod n) d mod n = M ed mod n
ed mod (n) = 1 ed = t (n) + 1
M ed mod n
= M t(n)+1 mod n
= M M t(n) mod n
= M (M t(n) mod n) mod n = M
where
= M t(n) mod n
= (M (n) mod n) t mod n
= 1t mod n = 1 .
Note t hat b y s ymmetry, e nciphering a nd deciphering a re c ommutative a nd
mutual inverses; thus,
(M d mod n) e mod n = M de mod n = M
5

 Given (n), it is easy to generate a pair (e, d) such that ed mod (n) = 1. This
is done by first choosing d relatively prime to (n), and then computing e as
e = inv(d, (n))
Because e and d are symmetric, we could also pick e and compute d = inv(e,
(n)).
Given e, it is easy to compute d (or vice versa) if (n) is known. But if e and
n can be r eleased without giving aw ay (n) o r d, t hen t he de ciphering
transformation can be kept secret, while t he enciphering transformation is
made public.
It is the ability to hide (n) that distinguishes the two schemes.

Pohlig-Hellman Scheme
The modulus is chosen to be a large prime p.
To encipher:
C = M e mod p
To decipher:
M = C d mod p
Because p is prime, (p) = p 1.
Thus the scheme can only be used for conventional encryption, where e and
d are both kept secret.
6

 Ex. Le t p = 11, (p) = 10. C hoose d = 7 a nd compute e = inv(7, 10) = 3.

Suppose M = 5. Then M is enciphered as:
C = M e mod p = 53 mod 11 = 4.
Similarly, C is deciphered as:
C d mod p = 47 mod 11 = 5 = M .
Security Concern
The s ecurity o f t he s cheme r ests on t he complexity o f c omputing discrete
logarithms.
A c ryptanalyst may deduce p by obs erving t he s izes o f p laintext a nd
ciphertext blocks.
Under a k nown-plaintext attack, a cr yptanalyst can compute e (and t hereby
d) given a pair (M, C):
e = log M C
Pohlig a nd Hellman show t hat if (p 1) ha s only small prime factors, it is
possible to compute the logarithm in O(log2p) time, which is unsatisfactory
even for large values of p.
They recommend picking p = 2p + 1, where p is also a large prime.

Discrete Logarithm
The fastest kn own al gorithm for co mputing t he d iscrete l ogarithm takes
about

((ln p )1 / 3 ln(ln p )) 2 / 3
7

steps.
If p is a few hundred decimal digits long, it will take several billion years to
compute.

RSA description and algorithm

RSA stands for Rivest, Shamir, and Adleman, t hey are the inventors of the
RSA c ryptosystem. R SA is o ne o f t he a lgorithms used in P KI ( Public Key
Infrastructure), as ymmetric ke y e ncryption s cheme. R SA is a b lock chiper, it
encrypt message in blocks (block by block).
RSA c an be used for s ecurity (encryption), c onfidentiality ( signature), a nd ke y
exchange p urposes. Nowadays, it is o ften used for s ignature a nd key e xchange
only, this is because the encryption and decryption are slow, it consumes times.
RSA s ecurity is s o much depends o n t he d ifficulty o f factoring large pr ime
number. At this time (writing time, 2001) the calculation required to find the factor
the value t o break t he ke y is s low, many cryptanalysts co nsider t hat linear attack
and differential at tack are d ifficult to applied in R SA, onl y mathematical a ttack
(eg: number field sieve factoring algorithm by John M. Pollard) and brute force are
feasible, but the time needed to use these attacks are quite long, therefore they are
considered as impractical. May be later in the future as computer speed increased,
this encryption algorithm may consider i nsecure and unused, b ut do nt f orget we
can just s imply increase t he s ize o f t he ke y t o prevent it from at tacker. T he
common size for the key length now is 1024 bits for P and Q, therefore N is 2048
8

bits, if the implementation (the library) of RSA is fast e nough, we can double the
key size.
Below is the algorithms for creating key, encryption, decryption, the signing is the
same like decryption and verification is the same like encryption. These three main
functions are very simple.
1. Creating keys:
1. Generate (find) two large prime numbers (P and Q)
2. Calculate N = PQ
3. Calculate M = phi(N) = (P - 1)(Q - 1) = (Euler totient function)
4. Select any integer E, the rules to select E are:
a. E is positive integer
b. 0 < E < M
c. GCD (M, E) = 1 ... (GCD = Greater Common Divisor)
NOTE: It is recommended to use E = 65537 (17 bits).
2. 5. Calculate D a use Extended Euclid Theorem (mod inverse)
(E * D) = 1 (mod M)
(E * D) mod M = 1
3. Public key: E, N
Private key:
Normal (slow): D and N

Chinese
Remainder
Theorem
(faster):

P, Q, dP, dQ, invQ

dP =

E * dP mod (P-1) = 1

dQ =

E * dQ mod (Q-1) = 1

invQ =

Q * invQ mod P = 1

4. Encryption / Verification:
Original plain text (a block value) = X ... X < N
Chipertext = C ... C = (X^E) mod N
5. Decryption / Signing:
Chipertext = C
Dechiper text = Y
Normal (slow way):

Y = (C^D) mod N
M1 = (C^dP) mod P

CRT (faster way):

M2 = (C^dQ) mod Q
H = (M1 - M2) invQ mod P
Y = M2 + (Q * H)

If everything goes fine, t he value o f Y a nd X s hould be equal (Y = X), ot herwise

there is must be something wrong with the program (implementation).
Note t hat bo th e ncryption a nd decryption in R SA involve raising a large integer
power followed b y mod ope ration. I f the e xponential is first do ne o ver t he t wo
values and then reduced by the modulo, this operation requires very big space and
many computing po wer, b ut we can reduce (divide) the e xponent value b y 2 then
continue with mod operation, repeating this simple operation is faster and use less
10

space a nd l ess c omputing p ower. A SIMPLE ps eudo c ode f or t his a lgorithm is

below:
E = exponential value,
M = message to encrypt,
N = modulo value
C = chipertext value
C = 1 ... set it as default value
While E
If E is odd
C=C*M
C=C%N
E=E/2
M= M *M
M=M%N
While Loop

Security Concern
Because (n) cannot be determined without knowing the prime factors p and
q, it is possible to keep d secret even if e and n are made public.
11

 Thus t he R SA s cheme c an be used for public-key e ncryption, w here t he

enciphering t ransformation

is

made pu blic and

the de ciphering

transformation is kept secret.

The security of the system depends on the difficulty of factoring n into p and
q. T he fastest k nown factoring algorithm takes a bout the s ame number of
steps required for solving the discrete logarithm problem.

More About Euler's Theorem

Recall that for Pohlig-Hellman and RSA schemes to work, we must have M
< n and gcd(M, n) = 1.
For Pohlig-Hallman scheme, this is for sure since n is prime. But how about
RSA? Since n equals pq, it is possible t hat M is a mul tiple o f p or a
multiple of q (but not both, of course).
We want to show that even if M is a multiple of p or q, the RSA scheme still
works.
What Happens When gcd(M, n) 1
Suppose M is a multiple of p, so that M = cp for some c and gcd(M, q) = 1.
M(q) mod q = 1

(M(q)) (p) mod q = 1

M(n) mod q = 1

Therefore, there is some k such that

12

M(n) = kq + 1
Multiply each side by M = cp,
M(n)+1 = M + kqcp = M + ckn
Thus
M(n)+1 mod n = M .
The case when M is a multiple of q is similar.

Public-Key Systems
In a public-key system, each user has bot h a public and private key, and two
users can communicate knowing only each other's public keys.
User A has a public enciphering transformation EA , which may be registered
with a public directory, and a private deciphering transformation D A , which
is known only to user A.
The pr ivate transformation D A is described by a private key, and the p ublic
transformation EA by a public key derived from the private key by a one-way
transformation.
It must be computationally infeasible to determine D A from EA .

Secrecy And Authenticity

In a public-key system, secrecy and authenticity are both provided.
13

 Secrecy Suppose user A wishes to send a message M to another user B. If A

knows B's public transformation E B , A can transmit M to B in secrecy by
sending the ciphertext C = E B (M).
On receipt, B deciphers C using B's private transformation D B , getting
D B (C) = D B (EB (M)) = M
protected
EK

DK

disallowed
M

public

private

EB

DB

M
B

The s cheme does not pr ovide a uthenticity be cause a ny user w ith a ccess t o
B's p ublic t ransformation c ould substitute a nother message M' for M by
replacing C with C' = EB(M' ).

AuthenticityFor authenticity, M must be transformed by A's own private

transformation D A . A sends C = D A (M) to B.
On receipt, B uses A's public transformation EA to compute
EA (C) = EA (D A (M)) = M .

14

protected
EK

DK

C
disallowed
M

private

public

DA

EA

M
B

Authenticity is provided because only A can apply the transformation D A .

Secrecy is n ot pr ovided because any

user w ith acces s t o A's pub lic

transformation can recover M.

Both Secrecy And Authenticity
To use a public-key system for both secrecy and authenticity:
the c iphertext s pace must be e quivalent to the p laintext s pace s o that
EA and D A can operate on both plaintext and ciphertext messages.
Both E A and D A must be m utual i nverses so that EA (D A (M)) =
D A (EA (M)) = M.

Suppose A wishes to send a message M to B. A sends to B the ciphertext

C = EB (D A (M)) .
On receipt, B deciphers C by
15

EA (D B (C))
= EA (D B (E B (D A (M))))
= EA (D A (M))
=M.

private

public

private

public

DA

EB

DB

EA

M
A

secrecy

M
B

authenticity

RSA scheme can be used for both secrecy and authenticity.

Merkle-Hellman Knapsacks
Knapsack problem: How to find the optimal way to pack a knapsack enclosing
the maximum number of objects.
Numerically:
target sum: 17
set
one solution set:

S {4, 7, 1,12,10}
{4,

1,12

}=17
16

V {1, 0, 1, 1, 0 }
N-P Complete
basically: a n N P c omplete p roblem has a de terministic e xponential time
solution. For example, 2n
This allows us to control the brute force attack. Ie, make time to break very
large!

Merkle-Hellman Knapsacks

17

MH Knapsack
Each element is larger than the previous
Example a 1 , a 2 , a 3 , a 4 , a 5 , a k-1 , a k
sums between a k and a k+1 must contain a k
superincreasing knapsack-each integer is > a k
also called simple knapsack
S=[1,4,11,17,38,73] is a superincreasing knapsack

Diffie-Hellman
Diffie-Hellman found a way to break the superincreasing sequence of integers. w
* x mod n. If w and n are relatively prime, w will have a multiplicitive inverse. w
* w-1 = 1 mod n. (w*q) w-1 = q

18

Why so important?
This allows us to create a p ublic knapsack (Hard) which can be based on a
secret simple knapsack and a secret w, and n.
Example
Create a Superincreasing (or simple) knapsack

S=[1,2,4,9,19]

m=5

Example
S=[1,2,4,9,19]

m=5

Choose a multiplier w, and modulus n

n should be larger than the largest integer in your knapsack
Hint: Choose modulus (n) to be a prime number.
Generate the Hard knapsack by h i =w * s i mod n
H=[h 1 , h 2 , h 3 , .. Hm ]
S=[1,2,4,9]
19

Example (decipher)

20

MH Practical Implementations
Choose value of n to be large, 100 to 200 binary digits.
Each element in the knapsack is 2200 apart
200 terms in the knapsack
large S and H make it infeasible to use brute force. 2200 for each element in
S, 1047 years to crack.

Cryptanalysis Reality!
Merkle-Hellman was cracked in 1980 by Shamir and Zipple
interceptor does not have to s olve t he basic knapsack problem to b reak t he
encryption.
Shamir points out another flaw.
21

One-Time Pad or Vernam Cipher

The one-time pad, which is a provably secure cryptosystem,
was developed by Gilbert Vernam in 1918.
The message is represented as a binary string (a sequence of
0s and 1s using a coding mechanism such as ASCII coding.
The key is a truly random sequence of 0s and 1s of the
same length as the message.
The encryption is done by adding the key to the message
modulo 2, bit by bit. This process is often called exclusive or,
and is denoted by XOR. The symbol is used.
a

c=ab

One-Time Pad & Stream Ciphers

One-Time Pad or Vernam Cipher

Example: Let the message be IF then its ASCII code be
(1001001 1000110) and the key be (1010110 0110001).
The ciphertext can be found exoring message and key bits

Encryption:
1001001 1000110
1010110 0110001
0011111 1110110

plaintext
key
ciphertext

= (
v)

Decryption:
0011111 1110110
1010110 0110001
1001001 1000110

ciphertext
key
plaintext

One-Time Pad & Stream Ciphers

Why One-Time Pad is provably secure?

Or how can we prove it is unbreakable?

The security depends on the randomness of the key.

It is hard to define randomness.
In cryptographic context, we seek two fundamental
properties in a binary random key sequence:
1. Unpredictability: Independent of the number of the bits
of a sequence observed, the probability of guessing
the next bit is not better than . Therefore, the
probability of a certain bit being 1 or 0 is exactly equal
to .
2. Balanced (Equal Distribution): The number of 1s and
0s should be equal.
One-Time Pad & Stream Ciphers

Mathematical Proof

the probability of a key bit being 1 or 0 is exactly equal to

.
The plaintext bits are not balanced. Let the probability of
0 be x and then the probability of 1 turns out to be 1-x.
Let us calculate the probability of ciphertext bits.
mi

prob.

ki

prob.

ci

prob.

1-x

(1-x)

1-x

(1-x)

We find out the probability of a ciphertext bit being 1 or 0

is equal to ()x + ()(1-x) = . Ciphertext looks like a
random sequence.
One-Time Pad & Stream Ciphers

A Practical One-Time Pad

A satellite produces and broadcasts several random

sequences of bit at a rate fast enough such that no
computer can store more than a very small fraction of
them.
Alice & Bob use a PKC to agree on a method of sampling
bits from these random sequences.
They use these bits to form a key for one-time pad.
Eve, in theory, can break the PKC they used even though
doing so is difficult.
But by the time she breaks it, random bits Alice & Bob
collected disappeared and Eve can not decrypt the message
since she hasnt got the resources to store all the random
bits that have been broadcast.
One-Time Pad & Stream Ciphers

 Symmetric-key ciphers
Encrypt individual characters at a time,
Faster and less complex in hardware,
They are desirable in some applications in which
buffering is limited
bits must be individually processed as they are
received.
Transmission errors are highly probable.
Vast amount of theoretical knowledge.
Various design principles.
Widely being used at present, will probably be
used in the future.
One-Time Pad & Stream Ciphers

Basic Idea comes from One-Time-Pad cipher,

i = 1,2,3,...
: ci = mi ki
mi : plain-text bits.
ki : key (key-stream ) bits
ci : cipher-text bits.
Decryption
: mi = ci ki
i = 1,2,3,...
Provably Secure.
Drawback : Key-stream should be as long as plain-text.
Key distribution & Management difficult.
Solution : Stream Ciphers (in which key-stream is
generated in pseudo-random fashion from relatively
short secret key.
Encryption

One-Time Pad & Stream Ciphers

Randomness : Closely related to unpredictability.

Pseudo-randomness :PR sequences appears random to a
computationally bounded adversary.
Stream Ciphers can be modeled as Finite-state machine.
Si+1

Si : state of the cipher

at time t = i.
F : state function.
G : output function.

Si

F
G
mi

ki

ci

Initial state, output and state

functions are controlled by the
secret key.

One-Time Pad & Stream Ciphers

1.Synchronous Stream Ciphers

Key-stream is independent of plain and cipher-text.
Both sender &receiver must be synchronized.
Resynchronization can be needed.
No error propagation.
Active attacks can easily be detected.
2. Self-Synchronizing Stream Ciphers
Key-stream is a function of fixed number t of cipher-text
bits.
Limited error propagation (up to t bits).
Active attacks cannot be detected.
At most t bits later, it resynchronizes itself when
synchronization is lost.
It helps to diffuse plain-text statistics.
One-Time Pad & Stream Ciphers

Analysis
Efforts to evaluate the security of stream ciphers.
1. Mathematical Analysis
Period and Linear Complexity,
Security against Correlation Attacks.
2. Pseudo-randomness Testing
Statistical Tests,
Linear Complexity,
Ziv-Lempel Complexity
Maximum Order Complexity,
Maurers Universal Test.
In testing, all the tests are applied to as many key-streams
of different lengths as possible.
One-Time Pad & Stream Ciphers

10

Linear Feedback Shift Register - LFSR

Output sequence

c1

c2

cL

ci= 0 or 1

C ( x) = 1 + c1 x + c2 x 2 + + cL x L : Connection Polynomial

If C(x) is primitive, LFSR is called maximum-length, and

the output sequence is called m-sequence and its period is
T = 2L-1.
m-sequences have good statistical properties.
However, they are predictable.
One-Time Pad & Stream Ciphers

11

 If 2L successive bits of an m-sequence are known, the

shortest LFSR which produces the rest of the sequence
can be found using Berlekamp-Massey (BM) algorithm.
Generally, the length of the shortest LFSR which generates
a sequence is called linear complexity.
Stream Cipher Designs Based on LFSRs
LFSRs generate m-sequence.
However, Linearity is the curse of cryptographer.
The methods of utilizing LFSRs as building blocks in the
stream cipher design.
The design principle :
Use other blocks which introduce non-linearity while
preserving the statistical properties of m-sequences.
One-Time Pad & Stream Ciphers

12

Nonlinear combination Generators

LFSR-L1
LFSR-L2

Nonlinear
Combiner
Function

output

F
LFSR-Ln

The Combiner Function should be,

1. Balanced,
2. Highly nonlinear,
3. Correlation Immune.
One-Time Pad & Stream Ciphers

13

 Utilizing the algebraic normal form of the combiner function

we can compute the linear complexity of the output sequence.
Example (Geffe Generator ) :
F ( x1 , x2 , x3 ) = x1 x2 x2 x3 x3
If the lengths of the LFSRs are relatively prime and all
connection polynomials are primitive, then
L = L1 L2 + L2 L3 + L3

T = (2 L1 1) (2 L2 1) (2 L3 1)

When we inspect the truth table of the combiner function we

gain more insight about the security of Geffe generator.
One-Time Pad & Stream Ciphers

14

x1

x2

x3

z = F(x1,x2,x3)

0
0
0
1
1
1
1

0
1
1
0
0
1
1

1
0
1
0
1
0
1

1
0
0
0
1
1
1

The combiner function is balanced.

However, the correlation probability,
P ( z = x1 ) = 3 / 4.
Geffe generator is not secure.
One-Time Pad & Stream Ciphers

15

Nonlinear Filter Generator

LFSR

Filter
Function

output

Upper bound for linear complexity,

m L
m : nonlinear order of the filter function.
Lm =
i =1 i
When L and m are big enough, the linear complexity
will become large.
One-Time Pad & Stream Ciphers

16

Clock-controlled Generators
An LFSR can be clocked by the output of another LFSR.
This introduces an irregularity in clocking of the first LFSR,
hence increase the linear complexity of its output.
Example : Shrinking Generator
LFSR - S

si

LFSR - A

ai

si = 1

output ai

si = 0

discard ai

One-Time Pad & Stream Ciphers

17

 Relatively new design.

However, it is analyzed and it seems secure under certain
circumstances.
if gcd( Ls , LA ) = 1
T = (2 LA 1) 2 LS 1
LA 2 LS 2 < L < LA 2 LS 1

One-Time Pad & Stream Ciphers

18

Different Designs
SEAL, RC4.
They use expanded key tables,
Fast in software,
Look secure,
They have not been fully analyzed yet,
Efficient analysis tools are not developed.

One-Time Pad & Stream Ciphers

19