CRYPTOGRAPHY
Ashutosh Bhatia
BITS Pilani
ashutosh.bhatia@pilani.bits-pilani.ac.in
Objectives
To introduce modern block ciphers and discuss their characteristics
To introduce the components of block ciphers such as P-Box and S-Box
MODERN BLOCK CIPHERS
A symmetric-key modern block cipher encrypts an n-bit block of plaintext or decrypts an n-bit block of ciphertext. The encryption or decryption algorithm uses a k-bit key.
Substitution or Transposition
A modern block cipher can be designed to act as a substitution cipher or a transposition cipher.
Example
Show the model and the set of permutation tables for a 3-bit block transposition cipher.
Solution
The key is also much longer: log₂ 40,320 ≈ 16 bits (8! = 40,320).
A substitution block cipher model as a permutation
Permutation Group
All practical ciphers use a much smaller key size and hence cover only a fraction of the total mapping.
Only partial-key ciphers that do not form a permutation group can be combined to make a more secure cipher.
Most classical ciphers, such as substitution and shift ciphers, are permutation groups.
Keyless Cipher
Not useful alone, but used within keyed ciphers
Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mappings from the possible inputs to the possible outputs.
P-Boxes or D-boxes
A P-box (permutation box) parallels the traditional transposition cipher for characters. It transposes bits.
A straight P-box is invertible, but compression and expansion P-boxes are not.
S-Boxes
An S-box (substitution box) can be thought of as a miniature substitution cipher. An S-box is an m × n substitution unit, where m and n are not necessarily the same.
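The P-box and S-box behaviour described above, as an added worked example (not code from the slides): a straight P-box is undone by its inverse table, a compression box loses the dropped bits so several inputs fit one output, an expansion box is injective but cannot produce every output pattern, and an m × n S-box is a table lookup. The permutation tables and the 3 × 2 S-box table are constructed for illustration and are not taken from any standard cipher.

```python
"""Straight, compression and expansion P-boxes as bit-permutation tables, plus
an m x n S-box lookup.

Added worked example, not code from the lecture slides. The tables below are
constructed for illustration and are not taken from any standard cipher.
"""

# Output bit j is a copy of input bit table[j] (positions are 0-indexed).
STRAIGHT = [2, 4, 0, 3, 1]          # 5 -> 5: every input bit used exactly once
COMPRESSION = [0, 2, 3]             # 5 -> 3: input bits 1 and 4 are dropped
EXPANSION = [0, 1, 1, 2, 3, 4, 4]   # 5 -> 7: input bits 1 and 4 are duplicated

# 3 x 2 S-box: the 3 input bits index the table, each entry is a 2-bit value.
SBOX_3X2 = [3, 0, 2, 1, 1, 3, 0, 2]


def apply_pbox(table, bits):
    """Transpose bits according to the table; works for all three P-box kinds."""
    return [bits[i] for i in table]


def invert_pbox(table, n_in):
    """Inverse table of a straight P-box. Refuses anything that is not a bijection."""
    if sorted(table) != list(range(n_in)):
        raise ValueError("not a straight P-box: no inverse table exists")
    inverse = [0] * n_in
    for out_pos, in_pos in enumerate(table):
        inverse[in_pos] = out_pos
    return inverse


def pbox_preimage(table, n_in, out):
    """Recover an input consistent with `out`, for any P-box.
    Returns (bits, unique). bits is None when no input fits (an expansion box
    cannot produce outputs whose duplicated positions disagree); unique is False
    when dropped bits leave several inputs that fit (compression box)."""
    recovered = [None] * n_in
    for out_pos, in_pos in enumerate(table):
        if recovered[in_pos] is not None and recovered[in_pos] != out[out_pos]:
            return None, False
        recovered[in_pos] = out[out_pos]
    unique = all(b is not None for b in recovered)
    # Unconstrained (dropped) bits are filled with 0; any value would fit.
    return [b if b is not None else 0 for b in recovered], unique


def apply_sbox(table, n_out, bits):
    """m x n S-box: interpret the m input bits as an index, return n output bits."""
    index = int("".join(str(b) for b in bits), 2)
    value = table[index]
    return [(value >> (n_out - 1 - j)) & 1 for j in range(n_out)]


if __name__ == "__main__":
    x = [1, 1, 0, 0, 1]                                    # constructed input block
    y = apply_pbox(STRAIGHT, x)
    print("straight:", x, "->", y, "-> back:", apply_pbox(invert_pbox(STRAIGHT, 5), y))
    print("compression preimage of", apply_pbox(COMPRESSION, x), ":",
          pbox_preimage(COMPRESSION, 5, apply_pbox(COMPRESSION, x)))       # not unique
    print("expansion preimage of [0,0,1,0,0,0,0]:",
          pbox_preimage(EXPANSION, 5, [0, 0, 1, 0, 0, 0, 0]))               # None
    print("S-box 3x2 of [1,1,1]:", apply_sbox(SBOX_3X2, 2, [1, 1, 1]))     # [1, 0]
```

`pbox_preimage` is the check behind the slide's claim: only the straight table gives a unique preimage for every output, which is what "invertible" means here.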
Product Cipher
The concept was introduced by Shannon.
[Figure: a product cipher built from successive keyed components using round keys K1, K2, K3]
[Figure: d-round Feistel network on a 2n-bit input (L0, R0), each half n bits, with round functions f_k1, f_k2, …, f_kd and output (Ld, Rd)]
Feistel network is invertible
Round i computes L_i = R_{i-1} and R_i = L_{i-1} ⊕ f_{k_i}(R_{i-1}). Given (L_i, R_i), the round is undone by R_{i-1} = L_i and L_{i-1} = R_i ⊕ f_{k_i}(L_i), so decryption only evaluates f_{k_i} and never needs to invert it.
Feistel network is invertible
Claim: for all f1, …, fd: {0,1}^n → {0,1}^n, the Feistel network F: {0,1}^2n → {0,1}^2n is invertible
[Figure: decryption is the same network run with the round functions in reverse order fd, fd-1, …, f1, mapping (Ld, Rd) back to (L0, R0)]
[Figure: three-round Feistel network on (L0, R0) with round function f in every round and output (L3, R3)]
Abstractly: PRPs and PRFs
• Pseudo Random Function (PRF) defined over (K,X,Y):
F: K × X → Y
such that there exists an "efficient" algorithm to evaluate F(k,x)
[Figure: Funs[X,Y] is the set of all functions from X to Y, of size |Y|^|X|; the functions F(k,·) obtained from the PRF form a subset S_F of size |K|.]
Secure PRFs
• Let F: K × X → Y be a PRF
Funs[X,Y]: the set of all functions from X to Y
[Figure: the distinguishing game. Either f ← Funs[X,Y] or k ← K is chosen at random; the adversary submits x ∈ X, receives f(x) or F(k,x), and must decide which of the two it is talking to.]
Secure PRPs (secure block cipher)
• Let E: K × X → Y be a PRP
Perms[X]: the set of all one-to-one functions from X to Y
[Figure: the same game for a PRP. Either π ← Perms[X] or k ← K is chosen at random; the adversary submits x ∈ X, receives π(x) or E(k,x), and must decide which.]
Exercise
• Let F: {0,1}^n × {0,1}^n → {0,1}^n be a secure PRF. Which of the following is secure?
• F'(k, x) = F(k, x) when x ≠ 0^n; 0^n otherwise
• F'(k, x) = F(k, x) ⊕ F(k, x ⊕ 1^n)
• F'(k, x) = F(x, k) when x ≠ 0^n; k otherwise
• F'(k1, k2, x) = F(x, k1) when x ≠ 0^n; k2 otherwise
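The second candidate, F'(k, x) = F(k, x) ⊕ F(k, x ⊕ 1^n), has a structural property that holds for every key: F'(k, x) = F'(k, x ⊕ 1^n), because both sides XOR the same two values of F. A random function agrees on such a pair with probability only 2^-n, so two queries suffice to tell them apart. The following is an added worked example, not code from the slides: F is a stand-in (HMAC-SHA256 truncated to 64 bits, since the slides leave F abstract), and the random function in Funs[X,Y] is simulated by lazy sampling from a seeded RNG so the run is deterministic.

```python
"""The PRF exercise's second candidate, F'(k, x) = F(k, x) XOR F(k, x XOR 1^n),
and the two-query test that tells it apart from a random function.

Added worked example, not code from the lecture slides. F is a stand-in
(HMAC-SHA256 truncated to n bits); the random function is a lazily filled
table driven by a seeded RNG.
"""
import hashlib
import hmac
import random

N_BITS = 64                     # n: input and output width, chosen for the example
N_BYTES = N_BITS // 8
ALL_ONES = (1 << N_BITS) - 1    # the constant 1^n


def F(k: bytes, x: int) -> int:
    """Stand-in PRF F: K x {0,1}^n -> {0,1}^n (HMAC-SHA256 truncated to n bits)."""
    digest = hmac.new(k, x.to_bytes(N_BYTES, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:N_BYTES], "big")


def F_prime(k: bytes, x: int) -> int:
    """Candidate from the exercise: F'(k, x) = F(k, x) XOR F(k, x XOR 1^n)."""
    return F(k, x) ^ F(k, x ^ ALL_ONES)


class RandomFunction:
    """A uniformly random f in Funs[X, Y], defined lazily: each new x gets a fresh
    n-bit value; a repeated x returns the stored value."""

    def __init__(self, seed: int):
        self._rng = random.Random(seed)
        self._table = {}

    def __call__(self, x: int) -> int:
        if x not in self._table:
            self._table[x] = self._rng.getrandbits(N_BITS)
        return self._table[x]


def paired_inputs_agree(oracle, x: int) -> bool:
    """Two queries: does oracle(x) == oracle(x XOR 1^n)?
    For F' this always holds: (x ^ 1^n) ^ 1^n == x, so F'(k, x) and
    F'(k, x ^ 1^n) XOR the same two F values. For a random f (or for F itself)
    the two outputs agree with probability about 2^-n."""
    return oracle(x) == oracle(x ^ ALL_ONES)


def distinguisher(oracle, queries) -> bool:
    """True means "this behaves like F'"; False means "random function or F".
    Uses 2 * len(queries) oracle calls in total."""
    return all(paired_inputs_agree(oracle, x) for x in queries)


QUERIES = [0, 1, 0xDEADBEEF, 1 << 63]      # constructed inputs; any x works

if __name__ == "__main__":
    k = b"constructed-example-key"
    print("F' flagged as F':", distinguisher(lambda x: F_prime(k, x), QUERIES))   # True
    print("F  flagged as F':", distinguisher(lambda x: F(k, x), QUERIES))         # False
    print("random f flagged as F':", distinguisher(RandomFunction(2024), QUERIES))  # False
```

The distinguisher never sees the key; it relies only on the input-pair relation, which is why the construction fails regardless of how good F is.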
Exercise
• Let us see what goes wrong if we only use two rounds of the Feistel network.
[Figure: two-round Feistel network on a 2n-bit input (L0, R0), each half n bits, with round functions f_k1 and f_k2 and output (L2, R2)]
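The invertibility argument from the Feistel slides and the two-round question above, as one added worked example (not code from the slides). The round functions f_k1, …, f_kd are stand-ins built from HMAC-SHA256 truncated to 32 bits; the slides leave them abstract, and nothing below depends on f_k being invertible. For two rounds, L2 = R1 = L0 ⊕ f_k1(R0), so two inputs sharing R0 give outputs whose left halves differ by exactly L0 ⊕ L0', a relation a random permutation would almost never satisfy; the block checks it.

```python
"""Feistel network: invertible for any round functions, and the two-round weakness.

Added worked example, not code from the lecture slides. The round functions are
stand-ins (HMAC-SHA256 truncated to n bits); the round keys used in __main__
are constructed.
"""
import hashlib
import hmac

N_BITS = 32                      # n: width of each half-block, chosen for the example
N_BYTES = N_BITS // 8


def round_function(key: bytes, r: int) -> int:
    """f_k: {0,1}^n -> {0,1}^n as HMAC-SHA256(key, r) truncated to n bits (stand-in)."""
    digest = hmac.new(key, r.to_bytes(N_BYTES, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:N_BYTES], "big")


def feistel_encrypt(round_keys, left: int, right: int):
    """Round i: L_i = R_{i-1}, R_i = L_{i-1} XOR f_{k_i}(R_{i-1}). Returns (L_d, R_d)."""
    for k in round_keys:
        left, right = right, left ^ round_function(k, right)
    return left, right


def feistel_decrypt(round_keys, left: int, right: int):
    """Inverse: from (L_i, R_i), R_{i-1} = L_i and L_{i-1} = R_i XOR f_{k_i}(L_i).
    Same network with the round keys in reverse order; f_{k_i} is only evaluated."""
    for k in reversed(round_keys):
        left, right = right ^ round_function(k, left), left
    return left, right


def left_half_difference(round_keys, l0a: int, l0b: int, r0: int) -> int:
    """Encrypt (L0a, R0) and (L0b, R0) with a shared R0; return L_d(a) XOR L_d(b)."""
    la, _ = feistel_encrypt(round_keys, l0a, r0)
    lb, _ = feistel_encrypt(round_keys, l0b, r0)
    return la ^ lb


def two_rounds_leak_input_difference(round_keys, l0a: int, l0b: int, r0: int) -> bool:
    """With d = 2, L_2 = R_1 = L_0 XOR f_{k_1}(R_0). A shared R_0 makes the f-term
    cancel, so L_2(a) XOR L_2(b) == L0a XOR L0b for every choice of keys."""
    assert len(round_keys) == 2
    return left_half_difference(round_keys, l0a, l0b, r0) == (l0a ^ l0b)


if __name__ == "__main__":
    keys = [b"round-key-1", b"round-key-2", b"round-key-3"]      # constructed keys
    l0, r0, l0_other = 0xDEADBEEF, 0xCAFEBABE, 0x01234567
    ct = feistel_encrypt(keys, l0, r0)
    print("3 rounds: ciphertext", tuple(hex(v) for v in ct),
          "decrypts to", tuple(hex(v) for v in feistel_decrypt(keys, *ct)))
    print("2 rounds: output-left difference equals input-left difference?",
          two_rounds_leak_input_difference(keys[:2], l0, l0_other, r0))
    print("3 rounds: output-left difference", hex(left_half_difference(keys, l0, l0_other, r0)),
          "vs input-left difference", hex(l0 ^ l0_other))
```

Decryption reuses `round_function` unchanged, which is the whole point of the Feistel construction: any keyed function, invertible or not, yields an invertible block cipher. The third print shows the two-round relation disappearing once a further round mixes the left half again.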