Chapter 3 Encryption Principles and Algorithms

Chapter 3-Encryption Principles and Algorithms
What is cryptography?
Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography
enables you to store sensitive information or transmit it across insecure networks (like the
Internet) so that it cannot be read by anyone except the intended recipient.
While cryptography is the science of securing data, cryptanalysis is the science of analyzing and
breaking secure communication. Classical cryptanalysis involves an interesting combination of
analytical reasoning, application of mathematical tools, pattern finding, patience,
determination, and luck. Cryptanalysts are also called attackers. Cryptology embraces both
cryptography and cryptanalysis.
There are two forms of encryption in common use: conventional, or symmetric encryption and
public-key, or asymmetric, encryption.
Symmetric algorithms: (also called “secret key”) use the same key for both encryption and
decryption; asymmetric algorithms: (also called “public key”) use different keys for encryption
and decryption.
Symmetric encryption scheme has five ingredients
1. Plaintext: This is the original intelligible message or data that is fed into the algorithm as
input.
2. Encryption algorithm: The encryption algorithm performs various substitutions and
transformations on the plaintext.
3. Secret key: The secret key is also input to the encryption algorithm. The key is a value
independent of the plaintext and of the algorithm. The algorithm will produce a
different output depending on the specific key being used at the time. The exact
substitutions and transformations performed by the algorithm depend on the key.
4. Cipher text: This is the scrambled message produced as output. It depends on the
plaintext and the secret key. For a given message, two different keys will produce two
different cipher texts. The cipher text is an apparently random stream of data and, as it
stands, is unintelligible.
5. Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes
the cipher text and the secret key and produces the original plaintext.
1
Compiled and Prepared by: Wondimagegn Leta (MSC software Engineering; BSC, computer science)
There are two requirements for secure use of conventional encryption:
We need a strong encryption algorithm. At a minimum, we would like the algorithm to be such
that an opponent who knows the algorithm and has access to one or more cipher texts would
be unable to decipher the cipher text or figure out the key.
This requirement is usually stated in a stronger form: The opponent should be unable to
decrypt cipher text or discover the key even if he or she is in possession of a number of cipher
texts together with the plaintext that produced each cipher text.
Sender and receiver must have obtained copies of the secret key in a secure fashion and must
keep the key secure. If someone can discover the key and knows the algorithm, all
communication using this key is readable.
We assume that it is impractical to decrypt a message on the basis of the cipher text plus
knowledge of the encryption/decryption algorithm. In other words, we do not need to keep the
algorithm secret; we need to keep only the key secret. This feature of symmetric encryption is
what makes it feasible for widespread use.
A source produces a message in plaintext, X = [X1, X2, ..., XM]. The M elements of X are letters
in some finite alphabet. Traditionally, the alphabet usually consisted of the 26 capital letters.
Nowadays, the binary alphabet {0, 1} is typically used. For encryption, a key of the form K = [K1,
K2, ..., KJ] is generated. If the key is generated at the message source, then it must also be
provided to the destination by means of some secure channel. Alternatively, a third party could
generate the key and securely deliver it to both source and destination.
2
With the message X and the encryption key K as input, the encryption algorithm forms the
cipher text Y = [Y1, Y2, ..., YN]. We can write this as Y = E(K, X)
This notation indicates that Y is produced by using encryption algorithm E as a function of the
plaintext X, with the specific function determined by the value of the key K. The intended
receiver, in possession of the key, is able to invert the transformation:
X = D(K, Y)
An opponent, observing Y but not having access to K or X, may attempt to recover X or K or
both X and K. It is assumed that the opponent knows the encryption (E) and decryption (D)
algorithms. If the opponent is interested in only this particular message, then the focus of the
effort is to recover X by generating a plaintext estimate . Often, however, the opponent is
interested in being able to read future messages as well, in which case an attempt is made to
recover K by generating an estimate .
Cryptography
Cryptographic systems are characterized along three independent dimensions:
1. The type of operations used for transforming plaintext to cipher text. All encryption
algorithms are based on two general principles: substitution, in which each element in
the plaintext (bit, letter, group of bits or letters) is mapped into another element, and
transposition, in which elements in the plaintext are rearranged. The fundamental
3
requirement is that no information be lost (that is, that all operations are reversible).
Most systems, referred to as product systems, involve multiple stages of substitutions
and transpositions.
2. The number of keys used. If both sender and receiver use the same key, the system is
referred to as symmetric, single-key, secret-key, or conventional encryption. If the
sender and receiver use different keys, the system is referred to as asymmetric, two-
key, or public-key encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one
block of elements at a time, producing an output block for each input block. A stream
cipher processes the input elements continuously, producing output one element at a
time, as it goes along.
Cryptanalysis
Typically, the objective of attacking an encryption system is to recover the key in use
rather than simply to recover the plaintext of a single cipher text.
There are two general approaches to attacking a conventional encryption scheme:
 Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus
perhaps some knowledge of the general characteristics of the plaintext or even
some sample plain text cipher text pairs.
This type of attack exploits the characteristics of the algorithm to attempt to
deduce a specific plaintext or to deduce the key being used.
 Brute-force attack: The attacker tries every possible key on a piece of cipher text
until an intelligible translation into plaintext is obtained. On average, half of all
possible keys must be tried to achieve success.
If either type of attack succeeds in deducing the key, the effect is catastrophic: All future and
past messages encrypted with that key are compromised.
The most difficult problem is presented when all that is available is the cipher text only. In some
cases, not even the encryption algorithm is known, but in general we can assume that the
opponent does know the algorithm used for encryption. One possible attack under these
circumstances is the brute-force approach of trying all possible keys. If the key space is very
large, this becomes impractical. Thus, the opponent must rely on an analysis of the cipher text
itself, generally applying various statistical tests to it. To use this approach, the opponent must
have some general idea of the type of plaintext that is concealed, such as English or French text,
an EXE file, a Java source listing, an accounting file, and so on.
4
The cipher text-only attack is the easiest to defend against because the opponent has the least
amount of information to work with. In many cases, however, the analyst has more
information. The analyst may be able to capture one or more plaintext messages as well as
their encryptions. Or the analyst may know that certain plaintext patterns will appear in a
message. For example, a file that is encoded in the Postscript format always begins with the
same pattern, or there may be a standardized header or banner to an electronic funds transfer
message, and so on. All these are examples of known plaintext. With this knowledge, the
analyst may be able to deduce the key on the basis of the way in which the known plaintext is
transformed.
Closely related to the known-plaintext attack is what might be referred to as a probable-word

attack. If the opponent is working with the encryption of some general prose message, he or
she may have little knowledge of what is in the message. However, if the opponent is after
some very specific information, then parts of the message may be known. For example, if an
entire accounting file is being transmitted, the opponent may know the placement of certain
key words in the header of the file. As another example, the source code for a program
developed by Corporation X might include a copyright statement in some standardized position.
5
An encryption scheme is unconditionally secure if the cipher text generated by the scheme
does not contain enough information to determine uniquely the corresponding plaintext, no
matter how much cipher text is available. That is, no matter how much time an opponent has, it
is impossible for him or her to decrypt the cipher text, simply because the required information
is not there. All that the users of an encryption algorithm can strive for is an algorithm that
meets one or both of the following criteria:
 The cost of breaking the cipher exceeds the value of the encrypted information.
 The time required to break the cipher exceeds the useful lifetime of the
information.
An encryption scheme is said to be computationally secure if either of the foregoing two
criteria are met. The rub is that it is very difficult to estimate the amount of effort required to
cryptanalyze cipher text successfully.
A brute-force attack involves trying every possible key until an intelligible translation of the
cipher text into plaintext is obtained. On average, half of all possible keys must be tried to
achieve success. The 56-bit key size is used with the DES (Data Encryption Standard) algorithm,
and the 168-bit key size is used for triple DES. The minimum key size specified for AES
(Advanced Encryption Standard) is 128 bits.
Average Time Required for Exhaustive Key Search
Stream Ciphers and Block Ciphers

A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
A block cipher is one in which a block of plaintext is treated as a whole and used to produce a
cipher text block of equal length.
A block cipher operates on a plaintext block of n bits to produce a cipher text block of n bits.
There are 2n possible different plaintext blocks and, for the encryption to be reversible (i.e., for
decryption to be possible), each must produce a unique cipher text block. Such a
6
transformation is called reversible, or nonsingular. The following examples illustrate
nonsingular and singular transformation for n = 2.
Reversible Mapping
Plaintext Cipher text
00 11
01 10
10 00
11 01
Irreversible Mapping
Plaintext Cipher text
00 11
01 10
10 01
11 01
Though any size of block is acceptable, following aspects are borne in mind while selecting a
size
of a block.
Avoid very small block size − Say a block size is m bits. Then the possible plaintext bits
combinations are then 2m. If the attacker discovers the plain text blocks corresponding to some
previously sent ciphertext blocks, then the attacker can launch a type of ‘dictionary attack’ by
building up a dictionary of plaintext/ciphertext pairs sent using that encryption key. A larger
block size makes attack harder as the dictionary needs to be larger.
Do not have very large block size − With very large block size, the cipher becomes inefficient to
operate. Such plaintexts will need to be padded before being encrypted.
Multiples of 8 bit − A preferred block size is a multiple of 8 as it is easy for implementation as
most computer processor handle data in multiple of 8 bits.
In general, for an n-bit ideal block cipher, the length of the key defined in this fashion is n x 2n
bits. For a 64-bit block, which is a desirable length to prevent statistical attacks, the required
key length is 64 x 264 = 270 1021bits.
Block ciphers process blocks of fixed sizes say 64 bits. The length of plaintexts is mostly not a
multiple of the block size. For example, a 150-bit plaintext provides two blocks of 64 bits each
with third block of balance 22 bits. The last block of bits needs to be padded up with redundant
information so that the length of the final block equal to block size of the scheme. In our
example, the remaining 22 bits need to have additional 42 redundant bits added to provide a
complete block. The process of adding bits to the last block is referred to as padding. Too much
7
padding makes the system inefficient. Also, padding may render the system insecure at times, if
the padding is done with same bits always.
Feistel Block Cipher

The input block to each round is divided into two halves that can be denoted as L and R for the
left half and the right half. In each round, the right half of the block, R, goes through
unchanged. But the left half, L, goes through an operation that depends on R and the
encryption key. First, we apply an encrypting function ‘F’ that takes two input − the key K and R.
The function produces the output fR, K. Then, we XOR the output of the mathematical function
with L. In real implementation of the Feistel Cipher, such as DES, instead of using the whole
encryption key during each round, a round-dependent key a subkey is derived from the
encryption key. This means that each round uses a different key, although all these subkeys are
related to the original key.
The permutation step at the end of each round swaps the modified L and unmodified R.
Therefore, the L for the next round would be R of the current round. And R for the next round
be the output L of the current round. Above substitution and permutation steps form a ‘round’.
The number of rounds is specified by the algorithm design. Once the last round is completed
then the two sub blocks, ‘R’ and ‘L’ are concatenated in this order to form the cipher text block.
8
The process of decryption in Feistel cipher is almost similar. Instead of starting with a block of
plaintext, the ciphertext block is fed into the start of the Feistel structure and then the process
thereafter is exactly the same as described in the given illustration. The process is said to be
almost similar and not exactly same. In the case of decryption, the only difference is that the
subkeys used in encryption are used in the reverse order.
The number of rounds used in a Feistel Cipher depends on desired security from the system.
More number of rounds provide more secure system. But at the same time, more rounds mean
the inefficient slow encryption and decryption processes.
9
The Data Encryption Standard
The most widely used encryption scheme is based on the Data Encryption Standard (DES)
adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards
and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46). The
algorithm itself is referred to as the Data Encryption Algorithm (DEA).
For DES, data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms 64-bit
input in a series of steps into a 64-bit output. The same steps, with the same key, are used to
reverse the encryption.
Looking at the left-hand side of the figure below, we can see that the processing of the plaintext
proceeds in four phases.
I. First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the
bits to produce the permuted input.
II. This is followed by a phase consisting of sixteen rounds of the same function, which
involves both permutation and substitution functions.
III. The output of the last (sixteenth) round consists of 64 bits that are a function of the
input plaintext and the key. The left and right halves of the output are swapped to
produce the pre-output.
IV. Finally, the pre-output is passed through a permutation that is the inverse of the initial
permutation function, to produce the 64-bit cipher text.
The right-hand portion of the Figure below shows the way in which the 56-bit key is used.
Initially, the key is passed through a permutation function. Then, for each of the 16 rounds, a
subkey (Ki) is produced by the combination of a left circular shift and a permutation. The
permutation function is the same for each round, but a different subkey is produced because of
the repeated shifts of the key bits.
10
11
DES is a block cipher--meaning it operates on plaintext blocks of a given size (64-bits) and
returns ciphertext blocks of the same size. Thus, DES results in a permutation among the 264
(read this as: "2 to the 64th power") possible arrangements of 64 bits, each of which may be
either 0 or 1. Each block of 64 bits is divided into two blocks of 32 bits each, a left half
block L and a right half R. (This division is only used in certain operations.)
Example: Let M be the plain text message M = 0123456789ABCDEF, where M is in hexadecimal

(base 16) format. Rewriting M in binary format, we get the 64-bit block of text:
M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
L = 0000 0001 0010 0011 0100 0101 0110 0111
R = 1000 1001 1010 1011 1100 1101 1110 1111
The first bit of M is "0". The last bit is "1". We read from left to right.
DES operates on the 64-bit blocks using key sizes of 56- bits. The keys are actually stored as
being 64 bits long, but every 8th bit in the key is not used (i.e. bits numbered 8, 16, 24, 32, 40,
48, 56, and 64). However, we will nevertheless number the bits from 1 to 64, going left to right,
in the following calculations. But, as you will see, the eight bits just mentioned get eliminated
when we create subkeys.
Example: Let K be the hexadecimal key K = 133457799BBCDFF1. This gives us as the binary key
(setting 1 = 0001, 3 = 0011, etc., and grouping together every eight bits, of which the last one in
each group will be unused):
K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001
The DES algorithm uses the following steps:
Step 1: Create 16 sub-keys, each of which is 48-bits long.

The 64-bit key is permuted according to the following table, PC-1. Since the first entry in the
table is "57", this means that the 57th bit of the original key K becomes the first bit of the
permuted key K+. The 49th bit of the original key becomes the second bit of the permuted key.
The 4th bit of the original key is the last bit of the permuted key. Note only 56 bits of the
original key appear in the permuted key.
12
PC-1
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Example: From the original 64-bit key
K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001
We get the 56-bit permutation
K+ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111
Next, split this key into left and right halves, C0 and D0, where each half has 28 bits.
Example: From the permuted key K+, we get
C0 =11110000 11001100 10101010 1111

D0 = 0101010 1011001 1001111 0001111
With C0 and D0 defined, we now create sixteen blocks Cn and Dn, 1<=n<=16. Each pair of

blocks Cn and Dn is formed from the previous pair Cn-1 and Dn-1, respectively, for n = 1, 2, ..., 16,
using the following schedule of "left shifts" of the previous block. To do a left shift, move each
bit one place to the left, except for the first bit, which is cycled to the end of the block.
Iteration Number of
Number Left Shifts
1 1
2 1
13
3 2
4 2
5 2
6 2
7 2
8 2
9 1
10 2
11 2
12 2
13 2
14 2
15 2
16 1
This means, for example, C3 and D3 are obtained from C2 and D2, respectively, by two left shifts,
and C16 and D16 are obtained from C15 and D15, respectively, by one left shift. In all cases, by a
single left shift is meant a rotation of the bits one place to the left, so that after one left shift the
bits in the 28 positions are the bits that were previously in positions 2, 3,..., 28, 1.
Example: From original pair pair C0 and D0 we obtain:
C0 = 1111000011001100101010101111
D0 = 0101010101100110011110001111
C1 = 1110000110011001010101011111
D1 = 1010101011001100111100011110
C2 = 1100001100110010101010111111
D2 = 0101010110011001111000111101
C3 = 0000110011001010101011111111
D3 = 0101011001100111100011110101
C4 = 0011001100101010101111111100
D4 = 0101100110011110001111010101
14
C5 = 1100110010101010111111110000
D5 = 0110011001111000111101010101
C6 = 0011001010101011111111000011
D6 = 1001100111100011110101010101
C7 = 1100101010101111111100001100
D7 = 0110011110001111010101010110
C8 = 0010101010111111110000110011
D8 = 1001111000111101010101011001
C9 = 0101010101111111100001100110
D9 = 0011110001111010101010110011
C10 = 0101010111111110000110011001
D10 = 1111000111101010101011001100
C11 = 0101011111111000011001100101
D11 = 1100011110101010101100110011
C12 = 0101111111100001100110010101
D12 = 0001111010101010110011001111
C13 = 0111111110000110011001010101
D13 = 0111101010101011001100111100
C14 = 1111111000011001100101010101
D14 = 1110101010101100110011110001
C15 = 1111100001100110010101010111
D15 = 1010101010110011001111000111
C16 = 1111000011001100101010101111
D16 = 0101010101100110011110001111
We now form the keys Kn, for 1<=n<=16, by applying the following permutation table to each of
the concatenated pairs CnDn. Each pair has 56 bits, but PC-2 only uses 48 of these.
15
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Therefore, the first bit of Kn is the 14th bit of CnDn, the second bit the 17th, and so on, ending
with the 48th bit of Kn being the 32nd bit of CnDn.
Example: For the first key we have C1D1 = 1110000 1100110 0101010 1011111 1010101
0110011 0011110 0011110
Which, after we apply the permutation PC-2, becomes
K1 = 000110 110000 001011 101111 111111 000111 000001 110010
For the other keys we have
K2 = 011110 011010 111011 011001 110110 111100 100111 100101

K3 = 010101 011111 110010 001010 010000 101100 111110 011001
K4 = 011100 101010 110111 010110 110110 110011 010100 011101
K5 = 011111 001110 110000 000111 111010 110101 001110 101000
K6 = 011000 111010 010100 111110 010100 000111 101100 101111
K7 = 111011 001000 010010 110111 111101 100001 100010 111100
K8 = 111101 111000 101000 111010 110000 010011 101111 111011
K9 = 111000 001101 101111 101011 111011 011110 011110 000001
K10 = 101100 011111 001101 000111 101110 100100 011001 001111
K11 = 001000 010101 111111 010011 110111 101101 001110 000110
K12 = 011101 010111 000111 110101 100101 000110 011111 101001
K13 = 100101 111100 010111 010001 111110 101011 101001 000001
K14 = 010111 110100 001110 110111 111100 101110 011100 111010
K15 = 101111 111001 000110 001101 001111 010011 111100 001010
K16 = 110010 110011 110110 001011 000011 100001 011111 110101
So much for the subkeys. Now we look at the message itself.
Step 2: Encode each 64-bit block of data.

There is an initial permutation IP of the 64 bits of the message data M. This rearranges the bits
according to the following table, where the entries in the table show the new arrangement of the
bits from their initial order. The 58th bit of M becomes the first bit of IP. The 50th bit
of M becomes the second bit of IP. The 7th bit of M is the last bit of IP.
16
IP
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Example: Applying the initial permutation to the block of text M, given previously, we get
M =00000001 00100011 01000101 01100111 10001001 10101011 11001101 11101111

IP =11001100 00000000 11001100 11111111 11110000 10101010 11110000 10101010
Here the 58th bit of M is "1", which becomes the first bit of IP. The 50th bit of M is "1", which
becomes the second bit of IP. The 7th bit of M is "0", which becomes the last bit of IP.
Next divide the permuted block IP into a left half L0 of 32 bits, and a right half R0 of 32 bits.
Example: From IP, we get L0 and R0
L0 = 1100 1100 0000 0000 1100 1100 1111 1111

R0 = 1111 0000 1010 1010 1111 0000 1010 1010
We now proceed through 16 iterations, for 1<=n<=16, using a function f which operates on two
blocks--a data block of 32 bits and a key Kn of 48 bits--to produce a block of 32 bits. Let ⊕
denote XOR addition. Then for n going from 1 to 16 we calculate
Ln = Rn-1
Rn = Ln-1 ⊕ f(Rn-1,Kn)
This results in a final block, for n = 16, of L16R16. That is, in each iteration, we take the right 32
bits of the previous result and make them the left 32 bits of the current step. For the right 32 bits
in the current step, we XOR the left 32 bits of the previous step with the calculation f .
Example: For n = 1, we have
K1 = 000110 110000 001011 101111 111111 000111 000001 110010

L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 + f(R0,K1)
It remains to explain how the function f works. To calculate f, we first expand each block Rn-
1 from 32 bits to 48 bits. This is done by using a selection table that repeats some of the bits
17
in Rn-1 . We'll call the use of this selection table the function E. Thus E(Rn-1) has a 32 bit input
block, and a 48 bit output block.
Let E be such that the 48 bits of its output, written as 8 blocks of 6 bits each, are obtained by
selecting the bits in its inputs in order according to the following table:
E BIT-SELECTION TABLE
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Thus the first three bits of E(Rn-1) are the bits in positions 32, 1 and 2 of Rn-1 while the last 2 bits
of E(Rn-1) are the bits in positions 32 and 1.
Example: We calculate E(R0) from R0 as follows:
R0 = 11110000 10101010 11110000 10101010

E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101
(Note that each block of 4 original bits has been expanded to a block of 6 output bits.)
Next in the f calculation, we XOR the output E(Rn-1) with the key Kn:
Kn ⊕ E(Rn-1).
Example: For K1, E (R0), we have
K1 = 000110 110000 001011 101111 111111 000111 000001 110010

E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101
K1⊕E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111.
We have not yet finished calculating the function f . To this point we have expanded Rn-1 from 32
bits to 48 bits, using the selection table, and XORed the result with the key Kn . We now have 48
bits, or eight groups of six bits. We now do something strange with each group of six bits: we
use them as addresses in tables called "S boxes". Each group of six bits will give us an address in
a different S box. Located at that address will be a 4 bit number. This 4 bit number will replace
the original 6 bits. The net result is that the eight groups of 6 bits are transformed into eight
groups of 4 bits (the 4-bit outputs from the S boxes) for 32 bits total.
Write the previous result, which is 48 bits, in the form:
Kn ⊕ E(Rn-1) =B1B2B3B4B5B6B7B8,
18
where each Bi is a group of six bits. We now calculate
S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8)
where Si(Bi) refers to the output of the i-th S box.
To repeat, each of the functions S1, S2,..., S8, takes a 6-bit block as input and yields a 4-bit block
as output. The table to determine S1 is shown and explained below:
S1
Column Number
Row
No. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
If S1 is the function defined in this table and B is a block of 6 bits, then S1(B) is determined as
follows: The first and last bits of B represent in base 2 a number in the decimal range 0 to 3 (or
binary 00 to 11). Let that number be i. The middle 4 bits of B represent in base 2 a number in the
decimal range 0 to 15 (binary 0000 to 1111). Let that number be j. Look up in the table the
number in the i-th row and j-th column. It is a number in the range 0 to 15 and is uniquely
represented by a 4 bit block. That block is the output S1(B) of S1 for the input B. For example,
for input block B = 011011 the first bit is "0" and the last bit "1" giving 01 as the row. This is
row 1. The middle four bits are "1101". This is the binary equivalent of decimal 13, so the
column is column number 13. In row 1, column 13 appears 5. This determines the output; 5 is
binary 0101, so that the output is 0101. Hence S1(011011) = 0101.
The tables defining the functions S1,...,S8 are the following:
S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
19
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
Example: For the first round, we obtain as the output of the eight S boxes:
K1 ⊕ E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111.
S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111

20
The final stage in the calculation of f is to do a permutation P of the S-box output to obtain the
final value of f:
f = P(S1(B1)S2(B2)...S8(B8))
The permutation P is defined in the following table. P yields a 32-bit output from a 32-bit input
by permuting the bits of the input block.
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Example: From the output of the eight S boxes:
S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111
we get
f = 0010 0011 0100 1010 1010 1001 1011 1011
R1 = L0 ⊕ f(R0 , K1 )
= 1100 1100 0000 0000 1100 1100 1111 1111

+ 0010 0011 0100 1010 1010 1001 1011 1011
= 1110 1111 0100 1010 0110 0101 0100 0100
In the next round, we will have L2 = R1, which is the block we just calculated, and then we must
calculate R2 =L1 + f(R1, K2), and so on for 16 rounds. At the end of the sixteenth round we have
the blocks L16 and R16. We then reverse the order of the two blocks into the 64-bit block
R16L16
and apply a final permutation IP-1 as defined by the following table:
IP-1
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
21
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its
second bit, and so on, until bit 25 of the preoutput block is the last bit of the output.
Example: If we process all 16 blocks using the method defined previously, we get, on the 16th
round,
L16 = 0100 0011 0100 0010 0011 0010 0011 0100

R16 = 0000 1010 0100 1100 1101 1001 1001 0101
We reverse the order of these two blocks and apply the final permutation to
R16L16 = 00001010 01001100 11011001 10010101 01000011 01000010 00110010 00110100
IP-1 = 10000101 11101000 00010011 01010100 00001111 00001010 10110100 00000101
which in hexadecimal format is
85E813540F0AB405.
This is the encrypted form of M = 0123456789ABCDEF: namely, C = 85E813540F0AB405.
Decryption is simply the inverse of encryption, following the same steps as above, but reversing
the order in which the subkeys are applied.
Cryptographic Hash Function

A hash function is a mathematical function that converts a numerical input value into another
compressed numerical value. The input to the hash function is of arbitrary length but output is
always of fixed length. A hash function H accepts a variable-length block of data as input and
produces a fixed-size hash value. Values returned by a hash function are called message digest
or simply hash values. The kind of hash function needed for security applications is referred to
as a cryptographic hash function. The Purpose of Hash function is to produce a fixed-size
“fingerprint” or digest of arbitrarily long input data to guarantee integrity.
In general, the hash is much smaller than the input data, hence hash functions are sometimes
called compression functions. Since a hash is a smaller representation of a larger data, it is also
referred to as a digest. Hash function with n bit output is referred to as an n-bit hash function.
Popular hash functions generate values between 160 and 512 bits. Generally, for any hash
function h with input x, computation of h x is a fast operation. It should be computationally
hard to reverse a hash function.
22
In other words, if a hash function h produced a hash value z, then it should be a difficult
process to find any input value x that hashes to z. This property is called pre-image
resistance and it protects against an attacker who only has a hash value and is trying to
find the input. Second Pre-Image Resistance property means given an input and its hash, it
should be hard to find a different input with the same hash. In other words, if a hash function h
for an input x produces hash value hx, then it should be difficult to find any other input value y
such that hy = hx. This property of hash function protects against an attacker who has an input
value and its hash, and wants to substitute different value as legitimate value in place of
original input value.
APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS

1. Message Authentication
Message authentication is a mechanism or service used to verify the integrity of a message. Message authentication
assures that data received are exactly as sent (i.e., contain no modification, insertion, deletion, or replay). In many
cases, there is a requirement that the authentication mechanism assures that purported identity of the sender is valid.
When a hash function is used to provide message authentication, the hash function value is often referred to as a
message digest.
23
a. The message plus concatenated hash code is encrypted using symmetric encryption.
Because only A and B share the secret key, the message must have come from A and has
not been altered. The hash code provides the structure or redundancy required to
achieve authentication. Because encryption is applied to the entire message plus hash
code, confidentiality is also provided.
b. Only the hash code is encrypted, using symmetric encryption. This reduces the
processing burden for those applications that do not require confidentiality.
c. It is possible to use a hash function but no encryption for message authentication. The
technique assumes that the two communicating parties share a common secret value S.
24
A computes the hash value over the concatenation of M and S and appends the
resulting hash value to M. Because B possesses, it can re-compute the hash value to
verify. Because the secret value itself is not sent, an opponent cannot modify an
intercepted message and cannot generate a false message.
d. Confidentiality can be added to the approach of method (c) by encrypting the entire
message plus the hash code.
When confidentiality is not required, method (b) has an advantage over methods (a) and (d),
which encrypts the entire message, in that less computation is required. Nevertheless, there
has been growing interest in techniques that avoid encryption.
 Encryption software is relatively slow. Even though the amount of data to be encrypted
per message is small, there may be a steady stream of messages into and out of a
system.
 Encryption hardware costs are not negligible. Low-cost chip implementations of DES are
available, but the cost adds up if all nodes in a network must have this capability.
 Encryption hardware is optimized toward large data sizes. For small blocks of data, a
high proportion of the time is spent in initialization/invocation overhead.
 Encryption algorithms may be covered by patents, and there is a cost associated with
licensing their use.
2. Digital Signatures
Another important application, which is similar to the message authentication application, is
the digital signature. The operation of the digital signature is similar to that of the MAC. In the
case of the digital signature, the hash value of a message is encrypted with a user’s private key.
Anyone who knows the user’s public key can verify the integrity of the message that is
associated with the digital signature. In this case, an attacker who wishes to alter the message
would need to know the user’s private key. As we shall see in Chapter 14, the implications of
digital signatures go beyond just message authentication.
a. The hash code is encrypted, using public-key encryption with the sender’s private key.
As with Figure above b, this provides authentication. It also provides a digital signature,
because only the sender could have produced the encrypted hash code. In fact, this is
the essence of the digital signature technique.
If confidentiality as well as a digital signature is desired, then the message plus the private-key-
encrypted hash code can be encrypted using a symmetric secret key. This is a common
technique.
25

Chapter 3 Encryption Principles and Algorithms

Uploaded by

Chapter 3 Encryption Principles and Algorithms

Uploaded by

Chapter 3-Encryption Principles and Algorithms

Closely related to the known-plaintext attack is what might be referred to as a probable-word

Stream Ciphers and Block Ciphers

Feistel Block Cipher

Example: Let M be the plain text message M = 0123456789ABCDEF, where M is in hexadecimal

K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001

The DES algorithm uses the following steps:

Step 1: Create 16 sub-keys, each of which is 48-bits long.

Example: From the original 64-bit key

K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001

We get the 56-bit permutation

K+ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111

Example: From the permuted key K+, we get

C0 =11110000 11001100 10101010 1111

With C0 and D0 defined, we now create sixteen blocks Cn and Dn, 1<=n<=16. Each pair of

Example: From original pair pair C0 and D0 we obtain:

Which, after we apply the permutation PC-2, becomes

K1 = 000110 110000 001011 101111 111111 000111 000001 110010

For the other keys we have

K2 = 011110 011010 111011 011001 110110 111100 100111 100101

So much for the subkeys. Now we look at the message itself.

Step 2: Encode each 64-bit block of data.

M =00000001 00100011 01000101 01100111 10001001 10101011 11001101 11101111

L0 = 1100 1100 0000 0000 1100 1100 1111 1111

denote XOR addition. Then for n going from 1 to 16 we calculate

K1 = 000110 110000 001011 101111 111111 000111 000001 110010

Example: We calculate E(R0) from R0 as follows:

R0 = 11110000 10101010 11110000 10101010

Next in the f calculation, we XOR the output E(Rn-1) with the key Kn:

Example: For K1, E (R0), we have

K1 = 000110 110000 001011 101111 111111 000111 000001 110010

Write the previous result, which is 48 bits, in the form:

where Si(Bi) refers to the output of the i-th S box.

The tables defining the functions S1,...,S8 are the following:

Example: For the first round, we obtain as the output of the eight S boxes:

K1 ⊕ E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111.

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111

Example: From the output of the eight S boxes:

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111

f = 0010 0011 0100 1010 1010 1001 1011 1011

= 1100 1100 0000 0000 1100 1100 1111 1111

and apply a final permutation IP-1 as defined by the following table:

L16 = 0100 0011 0100 0010 0011 0010 0011 0100

R16L16 = 00001010 01001100 11011001 10010101 01000011 01000010 00110010 00110100

IP-1 = 10000101 11101000 00010011 01010100 00001111 00001010 10110100 00000101

which in hexadecimal format is

This is the encrypted form of M = 0123456789ABCDEF: namely, C = 85E813540F0AB405.

Cryptographic Hash Function

APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS

You might also like