
COMPUTER SECURITY OBJECTIVES (CIA)

— Confidentiality
o Data confidentiality
 Assures that private or confidential information is not made available or
disclosed to unauthorised individuals
o Privacy
 Assures that individuals control or influence what information related
to them may be collected and stored and by whom and to whom that
information may be disclosed
— Integrity
o Data integrity
 Assures that information and programs are changed only in a specified
and authorised manner
o System integrity
 Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorised manipulation of
the system
— Availability
o Assures that systems work promptly and service is not denied to authorised
users
SECURITY ATTACKS
— Classification (X.800 and RFC 4949): passive attacks and active attacks
o Passive attacks: attempts to learn or make use of info from the system but does
not affect system resources. E.g. sniff wireless signals
o Active attacks: attempts to alter system resources to affect their operation. E.g.
man-in-the-middle attack
PASSIVE ATTACKS
— In nature of eavesdropping on, or monitoring of, transmissions
— Goal of the opponent is to obtain info that is being transmitted
— Two types of passive attacks are:
o The release of message contents
o Traffic analysis

ACTIVE ATTACKS
— Involves some modification of the data stream or the creation of a false stream
— Difficult to prevent because of the wide variety of potential physical, software, and
network vulnerabilities
— Goal is to detect attacks and to recover from any disruption or delays caused by them
— Some types:
o Masquerade:
 Takes place when one entity pretends to be a different entity
 Usually includes one of the other forms of active attack
o Replay:
 Involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorised effect
o Modification of messages:
 Some portion of a legitimate message is altered, or messages are
delayed or reordered to produce an unauthorised effect
o Denial of service:
 Prevents or inhibits the normal use or management of communications
facilities
SECURITY MECHANISMS (X.800)
— Specific Security Mechanisms: may be incorporated into the appropriate protocol
layer in order to provide some of the OSI security services
o Encipherment: use of mathematical algorithms to transform data into a form
that is not readily intelligible. The transformation and subsequent recovery of
the data depend on an algorithm and zero or more encryption keys
o Digital Signature: data appended to, or a cryptographic transformation of, a
data unit that allows a recipient of the data unit to prove the source and integrity
of the data unit and protect against forgery (e.g., by the recipient)
o Access Control: variety of mechanisms that enforce access rights to resources
o Data Integrity: variety of mechanisms used to assure the integrity of a data
unit or stream of data units
o Authentication Exchange: mechanism intended to ensure the identity of an
entity by means of information exchange
o Traffic Padding: insertion of bits into gaps in a data stream to frustrate traffic
analysis attempts
o Routing Control: enables selection of particular physically secure routes for
certain data and allows routing changes, especially when a breach of security is
suspected
o Notarisation: use of a trusted third party to assure certain properties of a data
exchange
— Pervasive Security Mechanisms: mechanisms that are not specific to any particular
OSI security service or protocol layer
o Trusted Functionality: that which is perceived to be correct with respect to
some criteria (e.g., as established by a security policy)
o Security Label: the marking bound to a resource (which may be a data unit)
that names or designates the security attributes of that resource
o Event Detection: detection of security-related events
o Security Audit Trail: data collected and potentially used to facilitate a security
audit, which is an independent review and examination of system records and
activities
o Security Recovery: deals with requests from mechanisms, such as event
handling and management functions, and takes recovery actions
MODEL FOR NETWORK SECURITY

CRYPTOGRAPHIC ALGORITHMS AND PROTOCOLS CAN BE GROUPED INTO FOUR MAIN AREAS
— Symmetric encryption: used to conceal the contents of blocks or streams of data of any
size, including messages, files, encryption keys, and passwords
— Asymmetric encryption: used to conceal small blocks of data, such as encryption keys
and hash function values, which are used in digital signatures
— Data integrity algorithms: used to protect blocks of data, such as messages, from
alteration
— Authentication protocols: schemes based on the use of cryptographic algorithms
designed to authenticate the identity of entities
BASIC TERMINOLOGY
— plaintext: the original message
— ciphertext: the coded message
— enciphering or encryption: process of converting from plaintext to ciphertext
— deciphering or decryption: restoring the plaintext from the ciphertext
— cryptography: study of encryption
— cryptographic system or cipher: schemes used for encryption
— cryptanalysis: techniques used for deciphering a message without any knowledge of the
enciphering details
— cryptology: areas of cryptography and cryptanalysis together
ENCRYPTION SCHEME SECURITY
— unconditionally secure: the ciphertext does not contain enough information to
determine the plaintext, so the opponent cannot decrypt it regardless of the time available
— computationally secure: cost of breaking cipher exceeds value of the encrypted
information. Time required to break the cipher exceeds the useful lifetime of the
information
TYPES OF ATTACKS ON ENCRYPTED MESSAGES

Type of Attack | Known to Cryptanalyst
— Ciphertext only:
o Encryption algorithm
o Ciphertext
— Known plaintext:
o Encryption algorithm
o Ciphertext
o One or more plaintext-ciphertext pairs formed with the secret key
— Chosen plaintext:
o Encryption algorithm
o Ciphertext
o Plaintext message chosen by the cryptanalyst, together with its corresponding
ciphertext generated with the secret key
— Chosen ciphertext:
o Encryption algorithm
o Ciphertext
o Ciphertext chosen by the cryptanalyst, together with its corresponding
decrypted plaintext generated with the secret key

CRYPTANALYSIS AND BRUTE-FORCE ATTACK


— Cryptanalysis:
o Attack relies on the nature of the algorithm plus some knowledge of the general
characteristics of the plaintext
o Attack exploits the characteristics of the algorithm to attempt to deduce a
specific plaintext or to deduce the key being used
— Brute-force attack:
o Attacker tries every possible key on a piece of ciphertext until an intelligible
translation into plaintext is obtained
o On average, half of all possible keys must be tried to achieve success

CRYPTOGRAPHIC SYSTEMS
— Substitution & Transposition = the types of operations used for transforming plaintext
to ciphertext
— Symmetric, single-key, secret key, conventional encryption & Asymmetric, two-key, or
public-key encryption = the number of keys used
— Block cipher & Stream cipher = the way in which the plaintext is processed
SYMMETRIC ENCRYPTION
— also called conventional encryption or single-key encryption
— only type of encryption used prior to development of public-key encryption in 1970s
— remains by far the most widely used of the two types of encryption
o DES (Data Encryption Standard)
o AES (Advanced Encryption Standard)

SIMPLIFIED MODEL OF SYMMETRIC ENCRYPTION

(Figure 2.1)
SUBSTITUTION TECHNIQUE
— Letters of plaintext are replaced by other letters or by numbers or symbols
— If plaintext viewed as sequence of bits: then substitution involves replacing plaintext bit
patterns with ciphertext bit patterns
CAESAR CIPHER
— Simplest and earliest known use of a substitution cipher
— Used by Julius Caesar
— Method: replace each letter of the alphabet with the letter standing three places further
down the alphabet | Note: Alphabet wrapped around (letter A follows after Z)
— E.g. meet → PHHW
CAESAR CIPHER ALGORITHM

— Algorithm can be expressed as: C = E(3, p) = (p + 3) mod 26


— A shift may be of any amount, so that the general Caesar algorithm is:
o C = E(k, p) = (p + k) mod 26
 k takes on a value in the range of 1 to 25;
 the decryption algorithm is simply:
 p = D(k, C) = (C - k) mod 26
BRUTE-FORCE CRYPTANALYSIS OF CAESAR CIPHER
1. the encryption and decryption algorithms are known
2. there are only 25 keys to try
3. the plaintext is known or easily recognisable
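An added worked example (not from the notes) of the Caesar formulas above and of the three conditions that make the brute-force search work; the list of common English words it uses to recognise plaintext is a constructed assumption for the demo:

```python
"""Caesar cipher and its brute-force cryptanalysis (added example, not from the notes).

E(k, p) = (p + k) mod 26 and D(k, C) = (C - k) mod 26 as in the notes. The common-word
list used to recognise plaintext is a constructed assumption for this demo.
"""
import string

ALPHABET = string.ascii_uppercase

# Constructed: a short list of very common English words used to recognise plaintext.
COMMON_WORDS = {
    "THE", "AND", "TO", "OF", "A", "IN", "IS", "IT", "YOU", "THAT", "HE", "WAS", "FOR",
    "ON", "ARE", "WITH", "AS", "HIS", "THEY", "BE", "AT", "ONE", "HAVE", "THIS", "FROM",
    "OR", "HAD", "BY", "NOT", "BUT", "WHAT", "ALL", "WERE", "WE", "WHEN", "ME", "AFTER",
}


def shift_text(text: str, k: int) -> str:
    """Apply (p + k) mod 26 to every letter; non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(k: int, plaintext: str) -> str:
    """C = E(k, p) = (p + k) mod 26, with k in the range 1..25."""
    if not 1 <= k <= 25:
        raise ValueError("Caesar key must be in the range 1..25")
    return shift_text(plaintext, k)


def decrypt(k: int, ciphertext: str) -> str:
    """p = D(k, C) = (C - k) mod 26."""
    return shift_text(ciphertext, -k)


def recognisability(candidate: str) -> int:
    """Condition 3 from the notes: score a candidate by how many common English words it contains."""
    return sum(1 for word in candidate.split() if word in COMMON_WORDS)


def brute_force(ciphertext: str) -> list[tuple[int, str, int]]:
    """Conditions 1 and 2: the algorithm is known and there are only 25 keys, so try them all.

    Returns (key, candidate plaintext, score) for every key, best-scoring first.
    """
    trials = []
    for k in range(1, 26):
        candidate = decrypt(k, ciphertext)
        trials.append((k, candidate, recognisability(candidate)))
    return sorted(trials, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    ct = encrypt(3, "meet me after the toga party")   # the notes' example: meet -> PHHW
    print(ct)
    for key, candidate, score in brute_force(ct)[:3]:
        print(f"key={key:2d} score={score} {candidate}")
```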

MONOALPHABETIC CIPHER
— permutation:
o of a finite set of elements S is an ordered sequence of all the elements of S, with
each element appearing exactly once
o if the ‘cipher’ line can be any permutation of the 26 alphabetic characters, then
there are 26! or greater than 4 x 10^26 possible keys
 this is orders of magnitude greater than the key space for DES
 this approach is referred to as a monoalphabetic substitution cipher
because a single cipher alphabet is used per message
MONOALPHABETIC CIPHERS
— easy to break because they reflect the frequency data of the original alphabet
— digram: two-letter combination. Most common is ‘th’
— trigram: three-letter combination. Most frequent is ‘the’
— countermeasure: provide multiple substitutes (homophones) for a single letter
PLAYFAIR CIPHER
— best known multiple-letter encryption cipher
— treats digrams in the plaintext as single units and translates these units into ciphertext
digrams
— based on the use of a 5 x 5 matrix of letters constructed using a keyword
— used as the standard field system by the British Army in WW1 and the U.S. Army and
other Allied Forces during WW2
PLAYFAIR KEY MATRIX
— fill in letters of keyword (minus duplicates) from left to right and from top to bottom,
then fill in the remainder of the matrix with the remaining letters in alphabetic order
— using the keyword ‘MONARCHY’:
1. repeating the plaintext letters that are in the same pair are separated with a
filler letter, such as x, so that balloon would be treated as ‘ba lx lo on’
2. two plaintext letters that fall in the same row of the matrix are each
replaced by the letter to the right, with the first element of the row
circularly following the last. For example, ‘ar’ is encrypted as ‘RM’
3. two plaintext letters that fall in the same column are each replaced by the
letter beneath, with the top element of the column circularly following the
last. For example, ‘mu’ is encrypted as CM
4. otherwise, each plaintext letter in a pair is replaced by the letter that lies in
its own row and the column occupied by the other plaintext letter. Thus,
‘hs’ becomes ‘BP’ and ‘ea’ becomes ‘IM’ (or ‘JM’, as the encipherer wishes)
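The matrix construction and the four rules above, implemented as an added example (not the notes' own code) with the keyword MONARCHY; I and J share one cell and X is the filler letter:

```python
"""Playfair cipher built from the notes' rules (added example; not code from the notes).

Uses the keyword MONARCHY and the digrams ar, mu, hs, ea and the word 'balloon'
from the notes; I and J share one cell, and X is the filler letter.
"""

LETTERS = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters: J is merged into I


def build_matrix(keyword: str) -> list[list[str]]:
    """Keyword letters (duplicates removed) left to right, top to bottom, then the rest in order."""
    seen: list[str] = []
    for ch in (keyword + LETTERS).upper().replace("J", "I"):
        if ch in LETTERS and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def _positions(matrix: list[list[str]]) -> dict[str, tuple[int, int]]:
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def prepare(plaintext: str) -> list[str]:
    """Split into digrams; a repeated letter inside a pair is separated by X (balloon -> BA LX LO ON)."""
    letters = [ch for ch in plaintext.upper().replace("J", "I") if ch in LETTERS]
    digrams: list[str] = []
    i = 0
    while i < len(letters):
        a = letters[i]
        if i + 1 == len(letters):                     # odd length: pad the last digram
            digrams.append(a + ("X" if a != "X" else "Q"))
            break
        b = letters[i + 1]
        if a == b:                                    # rule 1: insert a filler, keep b for the next pair
            digrams.append(a + "X")
            i += 1
        else:
            digrams.append(a + b)
            i += 2
    return digrams


def transform_digram(matrix: list[list[str]], pos: dict, digram: str, step: int) -> str:
    """Rules 2-4; step=+1 encrypts (right/beneath), step=-1 decrypts (left/above)."""
    (ra, ca), (rb, cb) = pos[digram[0]], pos[digram[1]]
    if ra == rb:                                      # rule 2: same row, wrap around the row
        return matrix[ra][(ca + step) % 5] + matrix[rb][(cb + step) % 5]
    if ca == cb:                                      # rule 3: same column, wrap around the column
        return matrix[(ra + step) % 5][ca] + matrix[(rb + step) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]            # rule 4: own row, the other letter's column


def encrypt(keyword: str, plaintext: str) -> str:
    matrix = build_matrix(keyword)
    pos = _positions(matrix)
    return "".join(transform_digram(matrix, pos, d, +1) for d in prepare(plaintext))


def decrypt(keyword: str, ciphertext: str) -> str:
    """Undoes the substitution; filler letters (the X in BA LX LO ON) remain in the output."""
    matrix = build_matrix(keyword)
    pos = _positions(matrix)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(transform_digram(matrix, pos, d, -1) for d in pairs)


if __name__ == "__main__":
    for row in build_matrix("MONARCHY"):
        print(" ".join(row))
    for digram in ("ar", "mu", "hs", "ea"):
        print(digram, "->", encrypt("MONARCHY", digram))
    print(prepare("balloon"), encrypt("MONARCHY", "balloon"))
```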

RAIL FENCE CIPHER


— simplest transposition cipher
— plaintext is written down as a sequence of diagonals and then read off as a sequence of
rows
— to encipher the message “meet me after the toga party” with a rail fence of depth 2, we
would write:

ROW TRANSPOSITION CIPHER


— is a more complex transposition
— write the message in a rectangle, row by row, and read the message off, column by
column, but permute the order of the columns
— the order of the columns then becomes the key to the algorithm
— key: 4 3 1 2 5 6 7
— plaintext: attack postponed until two am xyz
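Both transposition ciphers above as an added example (not from the notes), using the notes' own inputs: the depth-2 rail fence of “meet me after the toga party” and the key 4 3 1 2 5 6 7 applied to “attack postponed until two am xyz”; the rail fence code goes beyond the notes by handling any depth.

```python
"""Rail fence and row transposition ciphers (added example, not from the notes).

Inputs are the notes' own: depth-2 rail fence of "meet me after the toga party" and
key 4 3 1 2 5 6 7 applied to "attack postponed until two am xyz".
"""


def _letters(text: str) -> list[str]:
    return [ch for ch in text.upper() if ch.isalpha()]


def _rail_pattern(length: int, depth: int) -> list[int]:
    """Rail (row) visited by each plaintext position when writing down the diagonals."""
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if depth > 1:
            if rail == 0:
                step = 1
            elif rail == depth - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int) -> str:
    """Write the letters along diagonals, then read them off row by row."""
    letters = _letters(plaintext)
    pattern = _rail_pattern(len(letters), depth)
    return "".join(letters[i] for rail in range(depth) for i in range(len(letters)) if pattern[i] == rail)


def rail_fence_decrypt(ciphertext: str, depth: int) -> str:
    """Recompute the zigzag pattern, then put each ciphertext letter back at its plaintext position."""
    pattern = _rail_pattern(len(ciphertext), depth)
    read_order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plain = [""] * len(ciphertext)
    for ct_index, pt_index in enumerate(read_order):
        plain[pt_index] = ciphertext[ct_index]
    return "".join(plain)


def row_transposition_encrypt(plaintext: str, key: list[int]) -> str:
    """Write the message row by row into len(key) columns, read columns in key order; pad with X."""
    letters = _letters(plaintext)
    ncols = len(key)
    while len(letters) % ncols:
        letters.append("X")
    rows = [letters[i:i + ncols] for i in range(0, len(letters), ncols)]
    out = []
    for k in sorted(key):            # the column labelled 1 is read first, then 2, ...
        col = key.index(k)
        out.extend(row[col] for row in rows)
    return "".join(out)


def row_transposition_decrypt(ciphertext: str, key: list[int]) -> str:
    """Split the ciphertext into columns in key order, then read the rectangle row by row."""
    ncols = len(key)
    nrows = len(ciphertext) // ncols
    columns: dict[int, str] = {}
    pos = 0
    for k in sorted(key):
        columns[key.index(k)] = ciphertext[pos:pos + nrows]
        pos += nrows
    return "".join(columns[c][r] for r in range(nrows) for c in range(ncols))


if __name__ == "__main__":
    rf = rail_fence_encrypt("meet me after the toga party", 2)
    print(rf, rail_fence_decrypt(rf, 2))
    key = [4, 3, 1, 2, 5, 6, 7]
    rt = row_transposition_encrypt("attack postponed until two am xyz", key)
    print(rt, row_transposition_decrypt(rt, key))
```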

ROTOR MACHINES
— Enigma in WW2
— Multiple stages of encryption
o Each cylinder has 26 input pins and 26 output pins, with internal wiring that
connects each input pin to a unique output pin
o There are 26 * 26 * 26 = 17,576 different substitution alphabets
— Significance of rotor machine today is that it points the way to the most widely used
cipher: the Data Encryption Standard (DES)
STREAM CIPHER
— Encrypts a digital data stream one bit or one byte at a time
o Examples:
 Autokeyed Vigenère cipher
 Vernam cipher
— In the ideal case a one-time pad version of the Vernam cipher would be used, in which
the keystream is as long as the plaintext bit stream
o If the cryptographic keystream is random, then this cipher is unbreakable by
any means other than acquiring the keystream
 Keystream must be provided to both users in advance via some
independent and secure channel
 This introduces insurmountable logistical problems if the intended data
traffic is very large
— For practical reasons the bit-stream generator must be implemented as an algorithmic
procedure so that the cryptographic bit stream can be produced by both users
o It must be computationally impractical to predict future portions of the bit
stream based on previous portions of the bit stream
o The two users need only share the generating key and each can produce the
keystream
BLOCK CIPHER
— Stream cipher: encrypt bit by bit
— Block cipher: encrypt block by block
— A block of plaintext is treated as a whole and used to produce a ciphertext block of
equal length
— Typically a block size of 64 or 128 bits is used
— As with a stream cipher, the two users share a symmetric encryption key
— The majority of network-based symmetric cryptographic applications make use of
block ciphers

STREAM CIPHER AND BLOCK CIPHER

IDEAL BLOCK CIPHER


FEISTEL CIPHER
— Feistel proposed the use of a cipher that alternates substitutions and permutations
o Substitution: each plaintext element or group of elements is uniquely replaced
by a corresponding ciphertext element or group of elements
o Permutation: no elements are added or deleted or replaced in the sequence,
rather the order in which the elements appear in the sequence is changed
— Is a practical application of a proposal by Claude Shannon to develop a product cipher
that alternates confusion and diffusion functions
— Is the structure used by many significant symmetric block ciphers currently in use

DIFFUSION AND CONFUSION


— Terms introduced by Claude Shannon to capture the two basic building blocks for any
cryptographic system
o Shannon’s concern was to thwart cryptanalysis based on statistical analysis
— Diffusion:
o The statistical structure of the plaintext is dissipated into long-range statistics of
the ciphertext
o This is achieved by having each plaintext digit affect the value of many
ciphertext digits
— Confusion:
o Seeks to make the relationship between the statistics of the ciphertext and the
value of the encryption key as complex as possible
o Even if the attacker can get some handle on the statistics of the ciphertext, the
way in which the key was used to produce that ciphertext is so complex as to
make it difficult to deduce the key
FEISTEL CIPHER STRUCTURE
— L_i = R_{i-1}
— R_i = L_{i-1} XOR F(R_{i-1}, K_i)
— F function performs the substitution
— A permutation is performed by interchanging the two halves of the data
— This structure is a particular form of the substitution-permutation network (SPN)
proposed by Shannon
FEISTEL EXAMPLE
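An added toy Feistel network (not from the notes; the round function F and the key schedule are constructed for the demo, not a real cipher's) showing the two round equations above, why decryption is the same network run with the subkeys in reverse order whatever F is, and how to measure the avalanche effect:

```python
"""Toy Feistel network: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i) (added example).

Not a real cipher: F and the key schedule are constructed for the demo. It shows the
structural property from the notes: decryption reuses the same network with the
subkeys reversed, for any F, and it measures avalanche (bits changed per flipped bit).
"""

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def round_function(right: int, subkey: int) -> int:
    """Constructed nonlinear F (add, rotate, xor, multiply). F does not need to be invertible."""
    x = (right + subkey) & MASK32
    x = rotl32(x, 7) ^ (x >> 13)
    return ((x * 0x9E3779B1) ^ subkey) & MASK32


def key_schedule(key: int, rounds: int) -> list[int]:
    """Constructed schedule: one 32-bit subkey K_i per round derived from a 64-bit key."""
    subkeys = []
    k = key & MASK64
    for i in range(rounds):
        k = ((k << 11) | (k >> 53)) & MASK64            # rotate the 64-bit key
        subkeys.append((k ^ (k >> 32) ^ (0x5A5A5A5A * (i + 1))) & MASK32)
    return subkeys


def feistel(block: int, subkeys: list[int]) -> int:
    """Run the rounds over a 64-bit block split into two 32-bit halves."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left                         # undo the swap of the last round


def encrypt(block: int, key: int, rounds: int = 16) -> int:
    return feistel(block, key_schedule(key, rounds))


def decrypt(block: int, key: int, rounds: int = 16) -> int:
    """Same network, subkeys reversed: each round cancels the matching encryption round."""
    return feistel(block, key_schedule(key, rounds)[::-1])


def avalanche(block: int, key: int, bit: int) -> int:
    """Number of ciphertext bits that change when one plaintext bit is flipped."""
    return bin(encrypt(block, key) ^ encrypt(block ^ (1 << bit), key)).count("1")


if __name__ == "__main__":
    pt, key = 0x0123456789ABCDEF, 0x133457799BBCDFF1   # constructed sample values
    ct = encrypt(pt, key)
    print(f"ct={ct:016x} back={decrypt(ct, key):016x} avalanche={avalanche(pt, key, 0)}")
```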
FEISTEL CIPHER DESIGN FEATURES
— Block size
o Larger block sizes mean greater security but reduced encryption/decryption
speed for a given algorithm
— Key size
o Larger key size means greater security but may decrease
encryption/decryption speeds. Key sizes of 64 bits or less are now widely
considered to be inadequate, and 128 bits has now become a common size
— Number of rounds
o The essence of the Feistel cipher is that a single round offers inadequate
security but that multiple rounds offer increasing security
— Subkey generation algorithm
o Greater complexity in this algorithm should lead to greater difficulty of
cryptanalysis
— Round function F
o Greater complexity generally means greater resistance to cryptanalysis
— Fast software encryption/decryption
o In many cases, encrypting is embedded in applications or utility functions in
such a way as to preclude a hardware implementation; accordingly, the speed
of execution of the algorithm becomes a concern
— Ease of analysis
o If the algorithm can be concisely and clearly explained, it is easier to analyse
that algorithm for cryptanalytic vulnerabilities and therefore develop a higher
level of assurance as to its strength

BLOCK CIPHER DESIGN PRINCIPLES: NUMBER OF ROUNDS


— The greater the number of rounds, the more difficult it is to perform cryptanalysis
— In general, the criterion should be that the number of rounds is chosen so that known
cryptanalysis efforts require greater effort than a simple brute-force key search attack
— If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than
a brute-force key search
DESIGN OF FUNCTION F
— The heart of a Feistel block cipher is the function F
— The more nonlinear F, the more difficult any type of cryptanalysis will be
— The SAC and BIC criteria appear to strengthen the effectiveness of the confusion
function
— The algorithm should have good avalanche properties
o Strict avalanche criterion (SAC):
 States that any output bit j of an S-box should change with probability
½ when any single input bit i is inverted for all i, j
o Bit independence criterion (BIC):
 States that output bits j and k should change independently when any
single input bit i is inverted for all i, j, and k
BLOCK CIPHER DESIGN PRINCIPLES: KEY SCHEDULE ALGORITHM
— With any Feistel block cipher, the key is used to generate one subkey for each round
— In general, we would like to select subkeys to maximise the difficulty of deducing
individual subkeys and the difficulty of working back to the main key
— It is suggested that, at a minimum, the key schedule should guarantee key/ciphertext
Strict Avalanche Criterion and Bit Independence Criterion
DATA ENCRYPTION STANDARD (DES)
— Issued in 1977 by the National Bureau of Standards (now NIST) as Federal Information
Processing Standard 46
— Was the most widely used encryption scheme until the introduction of the Advanced
Encryption Standard (AES) in 2001
— Algorithm itself is referred to as the Data Encryption Algorithm (DEA)
o Data are encrypted in 64-bit blocks using a 56-bit key
o The algorithm transforms 64-bit input in a series of steps in a 64-bit output
o The same steps, with the same key, are used to reverse the encryption

DES ENCRYPTION ALGORITHM


— A 48-bit subkey (Ki) is produced by the combination of a left circular shift and a
permutation
F FUNCTION IN DES
— Expansion P-box (Permutation box)
o 32 bits to 48 bits
— 8 S-box (Substitution box)
— Straight P-box
F FUNCTION IN DES

DES EXAMPLE
— Plaintext: 02468aceeca86420
— Key: 0f1571c947d9e859
— Ciphertext: da02ce3a89ecac3b
— Note: DES subkeys are shown as eight 6-bit values in hex format
AVALANCHE EFFECT IN DES: CHANGE IN PLAINTEXT

AVALANCHE EFFECT IN DES: CHANGE IN KEY


— Original Key: 0f1571c947d9e859
— Altered Key: 1f1571c947d9e859
AVERAGE TIME REQUIRED FOR EXHAUSTIVE KEY SEARCH

CRACK DES: TIMING ATTACK


— Information about the key or the plaintext is obtained by observing how long it takes a
given implementation to perform decryptions on various ciphertexts
— Exploits the fact that an encryption or decryption algorithm often takes slightly different
amounts of time on different inputs
— So far it appears unlikely that this technique will ever be successful against DES or
more powerful symmetric ciphers such as triple DES and AES
TWO WEEKS TO AES
— The Advanced Encryption Standard (AES) uses arithmetic in the finite field GF(2^8),
with the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1
DIVISIBILITY
— We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers
— b divides a if there is no remainder on division
— The notation b | a is commonly used to mean b divides a
— The positive divisors of 24 are 1, 2, 3, 4, 6, 8, 12, and 24
— Examples: 13 | 182; -5 | 30; 17 | 289; -3 | 33; 17 | 0
PROPERTIES OF DIVISIBILITY
— If a | 1, then a = ±1
— If a | b and b | a, then a = ±b
— Any b ≠ 0 divides 0
— If a | b and b | c, then a | c [11 | 66 and 66 | 198, so 11 | 198]
— If b | g and b | h, then b | (mg + nh) for arbitrary integers m and n
MODULAR ARITHMETIC
— The modulus:
o if a is an integer and n is a positive integer, we define a mod n to be the remainder
when a is divided by n; the integer n is called the modulus
— thus, for any integer a:
o a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
o a = ⌊a/n⌋ * n + (a mod n)
o 11 mod 7 = 4; -11 mod 7 = 3
— Congruent modulo n
o Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n)
o This is written as a ≡ b (mod n)
o Note that if a ≡ 0 (mod n), then n | a
o 73 ≡ 4 (mod 23); 21 ≡ -9 (mod 10)

PROPERTIES OF CONGRUENCE
— Congruences have the following properties:
1. a ≡ b (mod n) if n | (a - b)
2. a ≡ b (mod n) implies b ≡ a (mod n)
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)
— To demonstrate the first point, if n | (a - b), then (a - b) = kn for some k
o So we can write a = b + kn
o Therefore, (a mod n) = (remainder when b + kn is divided by n) = (remainder
when b is divided by n) = (b mod n)

23 ≡ 8 (mod 5) because 23 - 8 = 15 = 5 * 3
-11 ≡ 5 (mod 8) because -11 - 5 = -16 = 8 * (-2)
81 ≡ 0 (mod 27) because 81 - 0 = 81 = 27 * 3
MODULAR ARITHMETIC
— Modular arithmetic exhibits the following properties:
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) - (b mod n)] mod n = (a - b) mod n
3. [(a mod n) * (b mod n)] mod n = (a * b) mod n
— We demonstrate the first property:
— Define (a mod n) = r_a and (b mod n) = r_b. Then we can write a = r_a + jn for some
integer j and b = r_b + kn for some integer k. Then
o (a + b) mod n = (r_a + jn + r_b + kn) mod n
o = (r_a + r_b + (k + j)n) mod n
o = (r_a + r_b) mod n
o = [(a mod n) + (b mod n)] mod n

11 mod 8 = 3; 15 mod 8 = 7
[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2
(11 + 15) mod 8 = 26 mod 8 = 2
[(11 mod 8) - (15 mod 8)] mod 8 = - 4 mod 8 = 4
(11 - 15) mod 8 = - 4 mod 8 = 4
[(11 mod 8) * (15 mod 8)] mod 8 = 21 mod 8 = 5
(11 * 15) mod 8 = 165 mod 8 = 5
ADDITION MODULO 8 AND MULTIPLICATION MODULO 8
PROPERTIES OF MODULAR ARITHMETIC FOR INTEGERS IN Zn

GREATEST COMMON DIVISOR (GCD)


— The greatest common divisor of a and b is the largest integer that divides both a and b
— We can use the notation gcd(a,b) to mean the greatest common divisor of a and b
— We also define gcd(0,0) = 0
— Positive integer c is said to be the gcd of a and b if:
o c is a divisor of a and b
o Any divisor of a and b is a divisor of c
— An equivalent definition is:
o gcd(a,b) = max[k, such that k | a and k | b]

GCD
— Because we require that the greatest common divisor be positive, gcd(a,b) = gcd(a,-b) =
gcd(-a,b) = gcd(-a,-b)
— In general, gcd(a,b) = gcd(| a |, | b |)
gcd(60, 24) = gcd(60, - 24) = 12
— Also, because all nonzero integers divide 0, we have gcd(a,0) = | a |
— We stated that two integers a and b are relatively prime if their only common positive
integer factor is 1;
o This is equivalent to saying that a and b are relatively prime if gcd(a,b) = 1

8 and 15 are relatively prime because the positive divisors of 8 are 1, 2, 4, and 8 and
the positive divisors of 15 are 1, 3, 5, and 15, so 1 is the only integer on both lists
EUCLIDEAN ALGORITHM
— an efficient way to find gcd(a,b)
— uses the theorem that:
o d = gcd(a,b) = gcd(b, a mod b)
— Euclidean algorithm:
EUCLID(a,b)
1. A = a; B = b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A = B
5. B = R
6. goto 2

EXTENDED EUCLIDEAN ALGORITHM EXAMPLE
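The EUCLID(a,b) listing above and its extended form as an added Python example (not from the notes); euclid() follows the listing step for step and also returns the (A, B) pairs it visits, and the pair (1759, 550) used in the usage is a constructed input:

```python
"""Euclidean and extended Euclidean algorithms on integers (added example, not from the notes).

euclid() follows the notes' EUCLID(a, b) listing and also returns the (A, B) pairs it
visited; extended_euclid() additionally produces x, y with a*x + b*y = gcd(a, b),
which is what yields modular inverses.
"""
from typing import Optional


def euclid(a: int, b: int) -> tuple[int, list[tuple[int, int]]]:
    """gcd via A = B, B = A mod B until B = 0; returns (gcd, trace of (A, B) pairs)."""
    A, B = abs(a), abs(b)                 # step 1, using gcd(a, b) = gcd(|a|, |b|) from the notes
    trace = [(A, B)]
    while B != 0:                         # step 2: if B = 0 return A
        R = A % B                         # step 3: R = A mod B
        A, B = B, R                       # steps 4-5: A = B, B = R
        trace.append((A, B))              # step 6: goto 2
    return A, trace


def extended_euclid(a: int, b: int) -> tuple[int, int, int]:
    """Returns (d, x, y) with d = gcd(a, b) and a*x + b*y = d, for a, b >= 0."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r       # same remainder sequence as euclid()
        old_x, x = x, old_x - q * x       # invariant: old_r = a*old_x + b*old_y
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a: int, n: int) -> Optional[int]:
    """a^-1 mod n, which exists exactly when gcd(a, n) = 1 (a and n relatively prime)."""
    d, x, _ = extended_euclid(a % n, n)
    return x % n if d == 1 else None


if __name__ == "__main__":
    print(euclid(60, 24))                 # (12, [(60, 24), (24, 12), (12, 0)])
    print(extended_euclid(1759, 550))     # constructed pair with gcd 1, so 550 is invertible mod 1759
    print(mod_inverse(550, 1759), mod_inverse(8, 15), mod_inverse(12, 18))
```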


GROUPS
— A set of elements with a binary operation denoted by · that associates to each ordered
pair (a, b) of elements in G an element (a · b) in G, such that the following axioms are
obeyed:
o (A1) Closure:
 If a and b belong to G, then a · b is also in G
o (A2) Associative:
 a · (b · c) = (a · b) · c for all a, b, c in G
o (A3) Identity element:
 There is an element e in G such that a · e = e · a = a for all a in G;
e.g., 0 for addition and 1 for multiplication
o (A4) Inverse element:
 For each a in G, there is an element a’ in G such that a · a’ = a’ · a = e
o (commutative group or Abelian group) Commutative:
 a · b = b · a for all a, b in G
CYCLIC GROUP

RINGS
— A ring R, sometimes denoted by {R, +, *}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in R the
following axioms are obeyed:
o (A1–A5): R is an abelian group with respect to addition; that is, R satisfies
axioms A1 through A5. For the case of an additive group, we denote the
identity element as 0 and the inverse of a as –a
o (M1) Closure under multiplication: If a and b belong to R, then ab is also in R
o (M2) Associativity of multiplication: a(bc) = (ab)c for all a, b, c in R
o (M3) Distributive laws: a(b + c) = ab + ac for all a, b, c in R and (a + b)c = ac +
bc for all a, b, c in R
— In essence, a ring is a set in which we can do addition, subtraction and multiplication
without leaving the set
— A ring is said to be commutative if it satisfies the following additional condition:
o (M4) Commutativity of multiplication: ab = ba for all a, b in R
— An integral domain is a commutative ring that obeys the following axioms:
o (M5) Multiplicative identity: There is an element 1 in R such that a1 = 1a = a
for all a in R
o (M6) No zero divisors: If a, b in R and ab = 0, then either a = 0 or b = 0

FIELDS
— A field F , sometimes denoted by {F, +,* }, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in F the following
axioms are obeyed:
o (A1–M6)
 F is an integral domain; that is, F satisfies axioms A1 through A5 and
M1 through M6
o (M7) Multiplicative inverse:
 For each a in F, except 0, there is an element a^-1 in F such that a a^-1 =
(a^-1) a = 1
— In essence, a field is a set in which we can do addition, subtraction, multiplication,
and division without leaving the set. Division is defined with the following rule:
a / b = a (b^-1)

FINITE FIELDS OF THE FORM GF(p)


— Finite fields play a crucial role in many cryptographic algorithms
— The outputs of an encryption algorithm lie in the same set as its inputs
— It can be shown that the order of a finite field (the number of elements in the field) must
be a power of a prime p, i.e., p^n, where n is a positive integer
— The only positive integers that are divisors of p are p and 1
— The finite field of order p^n is generally written GF(p^n)
— GF stands for Galois Field, in honor of the mathematician who first studied finite fields
HOW TO CONSTRUCT A FINITE FIELD OF ORDER A PRIME P
— GF(p) is defined with the following properties:
1. GF(p) consists of p elements
2. The binary operations + and * are defined over the set. The operations of addition,
subtraction, multiplication, and division can be performed without leaving the
set. Each element of the set other than 0 has a multiplicative inverse
— We have shown that the elements of GF(p) are the integers {0, 1, . . . , p – 1} and
the arithmetic operations are addition and multiplication mod p
What if the data are n-bit values, i.e. 2^n elements? 2^n is not a prime
POLYNOMIAL ARITHMETIC
— We can distinguish three classes of polynomial arithmetic:
o Ordinary polynomial arithmetic, using the basic rules of algebra
o Polynomial arithmetic in which the arithmetic on the coefficients is performed
modulo p; that is, the coefficients are in GF(p )
o Polynomial arithmetic in which the coefficients are in GF(p ), and the
polynomials are defined modulo a polynomial f (x ) whose highest power is
some integer n
ORDINARY POLYNOMIAL ARITHMETIC EXAMPLE
— As an example:
o let f(x) = x^3 + x^2 + 2 and g(x) = x^2 - x + 1,
— Then:
o f(x) + g(x) = x^3 + 2x^2 - x + 3
o f(x) - g(x) = x^3 + x + 1
o f(x) * g(x) = x^5 + 3x^2 - 2x + 2
POLYNOMIAL ARITHMETIC WITH COEFFICIENTS IN Zp
— If each distinct polynomial is considered to be an element of the set, then that set is a
ring
— When polynomial arithmetic is performed on polynomials over a field, then division is
possible
o Note: this does not mean that exact division is possible
— If we attempt to perform polynomial division over a coefficient set that is not a field, we
find that division is not always defined
o Even if the coefficient set is a field, polynomial division is not necessarily exact
o With the understanding that remainders are allowed, we can say that
polynomial division is possible if the coefficient set is a field

POLYNOMIAL DIVISION
— We can write any polynomial in the form:
o f(x) = q(x) g(x) + r(x)
— r(x) can be interpreted as being a remainder
— So r(x) = f(x) mod g(x)
— If there is no remainder, we can say g(x) divides f(x)
o Written as g(x) | f(x)
o We can say that g(x) is a factor of f(x)
o Or g(x) is a divisor of f(x)
— A polynomial f(x) over a field F is called irreducible if and only if f(x) cannot be
expressed as a product of two polynomials, both over F, and both of degree lower than
that of f(x)
o An irreducible polynomial is also called a prime polynomial
EXAMPLE OF POLYNOMIAL ARITHMETIC OVER GF(2)

POLYNOMIAL ARITHMETIC MODULO (x^3 + x + 1)

ARITHMETIC IN GF(2^3)
POLYNOMIAL GCD
— The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x) if the
following are true:
o c(x) divides both a(x) and b(x)
o Any divisor of a(x) and b(x) is a divisor of c(x)
— An equivalent definition is:
o gcd[a(x), b(x)] is the polynomial of maximum degree that divides both a(x) and
b(x)
— The Euclidean algorithm can be extended to find the greatest common divisor of two
polynomials whose coefficients are elements of a field
EXTENDED EUCLID [(x^8 + x^4 + x^3 + x + 1), (x^7 + x + 1)]
COMPUTATIONAL CONSIDERATIONS
— Since coefficients are 0 or 1, we can represent any such polynomial as a bit string
— Addition becomes XOR of these bit strings
— Multiplication is shift and XOR
— Modulo reduction is done by repeatedly substituting the highest power with the
remainder of the irreducible polynomial (also shift and XOR)
— In GF(2^3) we have (x^2 + 1) is 101 (binary) and (x^2 + x + 1) is 111 (binary)
o so addition is
(x^2 + 1) + (x^2 + x + 1) = x
101 XOR 111 = 010 (binary)
o and multiplication is
(x + 1)·(x^2 + 1) = x·(x^2 + 1) + 1·(x^2 + 1) = x^3 + x + x^2 + 1 = x^3 + x^2 + x + 1
011·101 = (101)<<1 XOR (101)<<0 = 1010 XOR 0101 = 1111 (binary), before reduction
modulo the irreducible polynomial
USING A GENERATOR
— A generator g of a finite field F of order q (contains q elements) is an element whose
first q-1 powers generate all the nonzero elements of F
o The elements of F consist of 0, g^0, g^1, . . . , g^(q-2)
— Consider a field F defined by a polynomial f(x)
o An element b contained in F is called a root of the polynomial if f(b) = 0
— Finally, it can be shown that a root g of an irreducible polynomial is a generator of the
finite field defined on that polynomial
GENERATOR FOR GF(2^3) DEFINED ON x^3 + x + 1
— Let us consider the finite field GF(2^3), defined over the irreducible polynomial
x^3 + x + 1
— Generator g satisfies
f(g) = g^3 + g + 1 = 0
— Then we have
g^3 = -g - 1 = g + 1
g^4 = g(g^3) = g(g + 1) = g^2 + g
g^5 = g(g^4) = g(g^2 + g) = g^3 + g^2 = g^2 + g + 1
g^6 = g(g^5) = g(g^2 + g + 1) = g^3 + g^2 + g = g^2 + g + g + 1 = g^2 + 1
g^7 = g(g^6) = g(g^2 + 1) = g^3 + g = g + g + 1 = 1 = g^0
GF(2^3) ARITHMETIC USING GENERATOR FOR THE POLYNOMIAL (x^3 + x + 1)
TWO WEEKS TO AES
FINITE FIELD ARITHMETIC
— In Advanced Encryption Standard (AES) all operations performed on 8-bit bytes
— The arithmetic operations of addition, multiplication, and division are performed over
the finite field GF(2^8)
— Field = a set in which we can do addition, subtraction, multiplication, and division
without leaving the set
— Division is defined with the following rule:
o a / b = a (b^-1)
— An example of a finite field (one with a finite number of elements) is the set Z_p
consisting of all the integers {0, 1, . . . , p - 1}, where p is a prime number and in
which arithmetic is carried out modulo p
— Virtually all encryption algorithms, both conventional and public-key, involve
arithmetic operations on integers.
— Why finite field? Why polynomial arithmetic?

AES ENCRYPTION PROCESS


AES DATA STRUCTURES

AES PARAMETERS

AES ENCRYPTION AND DECRYPTION


DETAILED STRUCTURE
— Processes the entire data block as a single matrix during each round (Different from
Feistel in DES)
— The 128-bit key that is provided as input is expanded into an array of forty-four 32-
bit words
— Four different stages per round:
o Substitute bytes, ShiftRows, MixColumns and AddRoundKey
— The cipher begins and ends with an AddRoundKey stage
— Can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a
block, followed by scrambling of the block (the other three stages), followed by XOR
encryption
— Each stage is easily reversible
— The decryption algorithm makes use of the expanded key in reverse order, however
the decryption algorithm is not identical to the encryption algorithm
— State is the same for both encryption and decryption
— Final round of both encryption and decryption consists of only three stages
— State: 4 words / 16 bytes / 128 bits
1. Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
2. ShiftRows: a simple permutation
3. MixColumns: a substitution that makes use of arithmetic over GF(2^8)
4. AddRoundKey: a simple bitwise XOR of the current block with a portion of the
expanded key
— SubBytes and AddRoundKey are on bytes
AES BYTE LEVEL OPERATIONS
— Substitute bytes (SubBytes)
o Table lookup
LOOKUP TABLE FOR BYTES
INVERSE S-BOX FOR THE DECRYPTION

CONSTRUCTION OF S-BOX AND IS-BOX


— Key steps:
o Calculate the multiplicative inverse in GF(2^8), then apply a transformation
— Note:
o The multiplicative inverse of 00 is defined to be 00
CONSTRUCTION OF S-BOX --- MULTIPLICATIVE INVERSE BY EXTENDED EUCLID [(x^8 + x^4 + x^3 + x + 1), (x^7 + x + 1)]

TRANSFORMATION
S-BOX RATIONALE
— The S-box is designed to be resistant to known cryptanalytic attacks
— The Rijndael developers sought a design that has a low correlation between input bits
and output bits and the property that the output is not a linear mathematical function of
the input
— The nonlinearity is due to the use of the multiplicative inverse
SHIFT-ROW TRANSFORMATION

SHIFT ROW RATIONALE


— More substantial than it may first appear
— The State, as well as the cipher input and output, is treated as an array of four 4-byte
columns
— On encryption, the first 4 bytes of the plaintext are copied to the first column of State,
and so on
— The round key is applied to State column by column
o Thus, a row shift moves an individual byte from one column to another,
which is a linear distance of a multiple of 4 bytes
— Transformation ensures that the 4 bytes of one column are spread out to four different
columns
MIXCOLUMN TRANSFORMATION

MIXCOLUMN RATIONALE
— Coefficients of a matrix based on a linear code with maximal distance between code
words ensures a good mixing among the bytes of each column
— The mix column transformation combined with the shift row transformation ensures
that after a few rounds all output bits depend on all input bits

ADDROUNDKEY TRANSFORMATION
— The 128 bits of State are bitwise XORed with the 128 bits of the round key
— Operation is viewed as a columnwise operation between the 4 bytes of a State column
and one word of the round key
o Can also be viewed as a byte-level operation
— Rationale:
o Is as simple as possible and affects every bit of State
o The complexity of the round key expansion plus the complexity of the other
stages of AES ensure security

KEY EXPANSION

— Takes as input a four-word (16 byte) key and produces a linear array of 44 words (176
bytes)
— This is sufficient to provide a four-word round key for the initial AddRoundKey stage
and each of the 10 rounds of the cipher
— Key is copied into the first four words of the expanded key
— The remainder of the expanded key is filled in four words at a time
— Each added word w[i] depends on the immediately preceding word, w[i – 1], and the
word four positions back, w[i – 4]
— In three out of four cases a simple XOR is used
— For a word whose position in the w array is a multiple of 4, a more complex function is
used
KEY EXPANSION RATIONALE
— The Rijndael developers designed the expansion key algorithm to be resistant to
known cryptanalytic attacks
— Inclusion of a round-dependent round constant eliminates the symmetry between the
ways in which round keys are generated in different rounds
— The specific criteria that were used are:
o Knowledge of a part of the cipher key or round key does not enable calculation
of many other round-key bits
o An invertible transformation
o Speed on a wide range of processors
o Usage of round constants to eliminate symmetries
o Diffusion of cipher key differences into the round keys (each key bit affects
many round key bits)
o Enough nonlinearity to prohibit the full determination of round key differences
from cipher key differences only
o Simplicity of description
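The GF(2^3) generator walk-through, the S-box construction (multiplicative inverse followed by the transformation) and the AES-128 key expansion described above, worked through in one added Python example that is not part of the original notes. It finds the inverse by exhaustive search over the 255 nonzero field elements instead of the extended Euclidean algorithm the notes cite, and uses the FIPS-197 sample key as input.

```python
"""Added example (not from the notes): GF(2^n) arithmetic, the AES S-box and AES-128 key expansion."""


def gf_mul(a, b, mod, deg):
    """Multiply a*b in GF(2^deg) modulo the irreducible polynomial mod (mod includes its x^deg term)."""
    r = 0
    for _ in range(deg):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << deg):      # degree reached deg: reduce by the field polynomial
            a ^= mod
    return r


def gf_powers(g, mod, deg):
    """Successive powers g^0, g^1, ... until the cycle returns to 1 (the notes' GF(2^3) table)."""
    out, x = [1], g
    while x != 1:
        out.append(x)
        x = gf_mul(x, g, mod, deg)
    return out


AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf256_inv(a):
    """Multiplicative inverse in GF(2^8) by exhaustive search; inv(00) is defined as 00."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gf_mul(a, b, AES_POLY, 8) == 1)


def affine(b):
    """FIPS-197 affine transformation: XOR of b with its four left rotations, then XOR 0x63."""
    x = b
    for i in range(1, 5):
        x ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return x ^ 0x63


SBOX = [affine(gf256_inv(i)) for i in range(256)]   # S-box = affine(inverse)

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # round constants x^(i-1) in GF(2^8)


def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 44 words w[0..43], each a 4-byte bytes object."""
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(4)]     # key copied into w[0..3]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                                      # the "more complex function"
            t = t[1:] + t[:1]                               # RotWord: one-byte circular left shift
            t = bytes(SBOX[x] for x in t)                   # SubWord: S-box on each byte
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]    # XOR the round constant into the first byte
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], t)))  # w[i] = w[i-4] XOR t
    return w


if __name__ == "__main__":
    print("GF(2^3) powers of g = x:", gf_powers(0b010, 0b1011, 3))    # 7 distinct nonzero elements
    print("S[53] = %02x" % SBOX[0x53])
    w = expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))  # FIPS-197 sample key
    print("w[4] =", w[4].hex(), "w[43] =", w[43].hex())
```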

AES EXAMPLE
AVALANCHE EFFECT
— Change in plaintext:
o One-bit difference
 0123456789abcdeffedcba9876543210 to
0023456789abcdeffedcba9876543210
AVALANCHE EFFECT (2)

AVALANCHE EFFECT (3)


— Change in key:
o One bit difference:
 0f1571c947d9e8590cb7add6af7f6798 to
0e1571c947d9e8590cb7add6af7f6798
IMPLEMENTATION ASPECTS
— AES can be implemented very efficiently on an 8-bit processor, e.g., smart cards
— AddRoundKey is a bytewise XOR operation
— ShiftRows is a simple byte-shifting operation
— SubBytes operates at the byte level and only requires a table of 256 bytes
— MixColumns requires matrix multiplication in the field GF(2^8), which means that all
operations are carried out on bytes
— Can efficiently implement on a 32-bit processor:
o Redefine steps to use 32-bit words
o Can precompute 4 tables of 256 words
o Then each column in each round can be computed using 4 table lookups + 4
XORs
o At a cost of 4 KB to store the tables (4 tables of 256 32-bit words)
o Designers believe this very efficient implementation was a key factor in its
selection as the AES cipher

SUMMARY
— Finite field arithmetic
— AES structure
o General structure
o Detailed structure
— AES key expansion
o Key expansion algorithm
o Rationale
— AES transformation functions
o Substitute bytes
o ShiftRows
o MixColumns
o AddRoundKey
— AES implementation
o Equivalent inverse cipher
o Implementation aspects
DOUBLE DES
— Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
o C = E(K2, E(K1, P))
— Decryption requires that the keys be applied in reverse order:
o P = D(K1, D(K2, C))
— For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, resulting in
a dramatic increase in cryptographic strength

MEET-IN-THE-MIDDLE ATTACK
— The use of double DES results in a mapping that is not equivalent to a single DES
encryption
— The meet-in-the-middle attack algorithm will attack this scheme and does not depend
on any particular property of DES but will work against any block encryption cipher
— Given a known pair, (P, C), the attack proceeds as follows:
o First, encrypt P for all possible values of K1 and store results in a sorted table
o Next, decrypt C using all possible values of K2
o For each decryption, check the table for a match.
o If a match occurs, then test the two resulting keys against a new known
plaintext–ciphertext pair
o If the two keys produce the correct ciphertext, accept them as the correct keys.

TRIPLE-DES WITH TWO-KEYS


— Obvious counter to the meet-in-the-middle attack is to use three stages of encryption
with three different keys
— This raises the cost of the meet-in-the-middle attack to 2^112, which is impractical
— Has the drawback of requiring a key length of 56 x 3 = 168 bits, which may be
somewhat unwieldy
— As an alternative Tuchman proposed a triple encryption method that uses only two keys

TRIPLE DES WITH THREE KEYS


— Many researchers now feel that three-key 3DES is the preferred alternative

— A number of Internet-based applications have adopted three-key 3DES, including PGP
and S/MIME
WHY BLOCK CIPHER OPERATIONS
— Block encryption can only be performed on a single block of data
— Block size is usually small (16 bytes blocks for AES)
— Message to be sent is usually large (web page + assets ≈ 500kB)
— Need a way to repeatedly apply the cipher with the same key to a large message
o By using different modes of operation, messages of an arbitrary length can be
split into blocks and encrypted using a block cipher.
o Each mode of operation describes how a block cipher is repeatedly applied to
encrypt a message and each has certain advantages and disadvantages.
MODES OF OPERATION
— A technique for enhancing the effect of a cryptographic algorithm or adapting the
algorithm for an application
— To apply a block cipher in a variety of applications, five modes of operation have been
defined by NIST
o The five modes are intended to cover a wide variety of applications of
encryption for which a block cipher could be used
o These modes are intended for use with any symmetric block cipher, including
triple DES and AES
BLOCK CIPHER MODES OF OPERATIONS

ELECTRONIC CODEBOOK MODE (ECB)

— Ideal for a short amount of data


— If the same b-bit block of plaintext appears more than once in a message, it always
produces the same ciphertext
— Weak for lengthy messages, e.g.,
o If it is known that the message always starts out with certain predefined fields
o If the message has repetitive elements with a period of repetition a multiple of b
bits
CRITERIA AND PROPERTIES FOR EVALUATING AND CONSTRUCTING BLOCK
CIPHER MODES OF OPERATION THAT ARE SUPERIOR TO ECB:
— Overhead: The additional operations for the encryption and decryption operation when
compared to encrypting and decrypting in the ECB mode.
— Error recovery: The property that an error in the i-th ciphertext block is inherited by
only a few plaintext blocks after which the mode resynchronizes.
— Error propagation: The property that an error in the i-th ciphertext block is inherited
by the i-th and all subsequent plaintext blocks.
— Diffusion: How the plaintext statistics are reflected in the ciphertext
— Security: Whether or not the ciphertext blocks leak information about the plaintext
blocks
CIPHER BLOCK CHAINING (CBC)

CBC PROPERTIES

— Identical plaintexts result in identical ciphertexts when the same plaintext is enciphered
using the same key and IV. Changing at least one of [k, IV, m_0] affects this.
— Rearrangement of ciphertext blocks affects decryption, as ciphertext part c_j depends on
all of [p_0, p_1, ..., p_j].
— Error propagation:
o A bit error in ciphertext c_j affects the deciphering of c_j and c_{j+1}. Recovered block p_j
typically consists of random bits.
o Bit errors in recovered block p_{j+1} are precisely where c_j was in error.
o An attacker can cause predictable bit changes in p_{j+1} by altering c_j.
— Bit recovery:
o CBC is self-synchronising: if a bit error occurs in c_j but not in c_{j+1}, then c_{j+2}
correctly decrypts to p_{j+2}.
CIPHER FEEDBACK MODE
— For AES, DES, or any block cipher, encryption is performed on a block of b bits. In the
case of DES b = 64; in the case of AES b = 128

S-BIT CIPHER FEEDBACK (CFB) MODE

OUTPUT FEEDBACK (OFB) MODE


OFB PROPERTIES
— Identical plaintext results in identical ciphertext when the same plaintext is enciphered
using the same key and IV/nonce
o Chaining Dependencies: (Same as a stream cipher) The key stream is plaintext
independent.
o Error propagation: (Same as a stream cipher) Bit errors in ciphertext blocks
cause errors in the same position in the plaintext.
o Error recovery: (Same as a stream cipher) Recovers from bit errors, but not bit
loss
o Throughput: Key stream may be calculated independently — e.g.
precomputed — before encryption/decryption.
o IV must change: Otherwise it becomes a two-time pad.

COUNTER (CTR) MODE

CTR PROPERTIES
— Identical plaintext results in identical ciphertext when the same plaintext is enciphered
using the same key and IV/counter.
o Chaining Dependencies: (Same as a stream cipher) The key stream is plaintext
independent.
o Error propagation: (Same as a stream cipher) Bit errors in ciphertext blocks
cause errors in the same position in the plaintext.
o Error recovery: (Same as a stream cipher) Recovers from bit errors, but not bit
loss (misalignment of the key stream)
o Throughput: Both encryption and decryption can be randomly accessed and/or
parallelised: the best we could hope for.
o IV must change: Otherwise it becomes a two-time pad
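The ECB, CBC and CTR properties listed above (ECB leaking repeated blocks, CBC error propagation into c_j and the same bit positions of p_{j+1}, CTR errors staying in place) demonstrated in an added Python example that is not part of the original notes. It assumes a constructed 4-round Feistel toy cipher built from SHA-256 as a stand-in for AES, a message that is a whole number of 16-byte blocks (no padding), and an 8-byte nonce plus 8-byte counter for CTR.

```python
"""Added example (not from the notes): ECB, CBC and CTR over a constructed toy block cipher."""
import hashlib

BLOCK = 16   # 128-bit blocks, as for AES
ROUNDS = 4


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, rnd):
    """Keyed round function for the toy Feistel cipher (SHA-256 truncated to 8 bytes)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def enc_block(key, blk):
    """Toy 4-round Feistel block cipher: a stand-in for AES/DES, NOT a real cipher."""
    l, r = blk[:8], blk[8:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _round_fn(key, r, rnd))
    return r + l


def dec_block(key, blk):
    """Inverse of enc_block: same structure with the round keys applied in reverse order."""
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = r, xor(l, _round_fn(key, r, rnd))
    return r + l


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]   # assumes len % 16 == 0


def ecb_encrypt(key, pt):
    return b"".join(enc_block(key, p) for p in blocks(pt))   # each block encrypted on its own


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = enc_block(key, xor(p, prev))   # c_j = E_K(p_j XOR c_{j-1}), with c_{-1} = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(dec_block(key, c), prev))   # p_j = D_K(c_j) XOR c_{j-1}
        prev = c
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """CTR: keystream block j = E_K(nonce || j); the same function encrypts and decrypts."""
    return b"".join(xor(d, enc_block(key, nonce + j.to_bytes(8, "big")))
                    for j, d in enumerate(blocks(data)))


def distinct_ct_blocks(ct):
    """Number of distinct ciphertext blocks: under ECB, repeated plaintext blocks collide."""
    return len(set(blocks(ct)))


def flip_bit(data, bit):
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def error_effect(decrypt, pt, ct, bit):
    """Flip one ciphertext bit, decrypt, and report which blocks changed and where (XOR mask)."""
    rec = decrypt(flip_bit(ct, bit))
    changed = [j for j, (p, r) in enumerate(zip(blocks(pt), blocks(rec))) if p != r]
    return changed, xor(pt, rec)
```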

ADVANTAGES OF CTR
— Can do in parallel
o Hardware efficiency
o Software efficiency
— Pre-processing
— Random access
o Blocks can be encrypted/decrypted independently
— Provable security
o As secure as other modes
— Simplicity
o Encryption algorithm only
FEEDBACK CHARACTERISTICS OF MODES OF OPERATION
— The input registers are updated according to the output register
— Both OFB and CTR produce output that is independent of both the plaintext and the
ciphertext.

XTS-AES MODE FOR BLOCK-ORIENTED STORAGE DEVICES


— Approved as an additional block cipher mode of operation by NIST in 2010
— Mode is also an IEEE Standard, IEEE Std 1619-2007
o Standard describes a method of encryption for data stored in sector-based
devices where the threat model includes possible access to stored data by the
adversary
— Has received widespread industry support
— XEX-based Tweaked-codebook mode with ciphertext Stealing (XTS)
— Xor–encrypt–xor (XEX)
TWEAKABLE BLOCK CIPHERS
— XTS-AES mode is based on the concept of a tweakable block cipher
— General structure:
— Has three inputs:
— Tweak need not be kept secret
o Purpose is to provide variability

TWEAKABLE BLOCK CIPHER

XTS-AES OPERATION ON SINGLE BLOCK


XTS-AES MODE

— Suitable for parallel operation, like CTR

— If the last block has fewer than 128 bits, the last two blocks use a ciphertext-stealing
technique instead of padding.
SUMMARY
— Multiple encryption and triple DES
o Double DES
o Triple DES with two keys
o Triple DES with three keys
— Electronic code book
— Cipher block chaining mode
— Cipher feedback mode
— Output feedback mode
— Counter mode
— XTS-AES mode for block-oriented storage devices
o Storage encryption requirements
o Operation on a single block
o Operation on a sector
RANDOM NUMBERS
— A number of network security algorithms and protocols based on cryptography make
use of random binary numbers:
o Generation of a bit stream for symmetric stream encryption
o Session key generation
o Generation of keys for the RSA public-key encryption algorithm
o Key distribution and reciprocal authentication schemes

RANDOMNESS
— The generation of a sequence of allegedly random numbers being random in some well-
defined statistical sense has been a concern.
— Two criteria are used to validate that a sequence of numbers is random:
o Uniform distribution:
 The frequency of occurrence of ones and zeros should be
approximately equal.
o Independence:
 No one subsequence in the sequence can be inferred from the others.

— Usually it can be tested but not proved.


UNPREDICTABILITY
— The requirement is not just that the sequence of numbers be statistically random, but
that the successive members of the sequence are unpredictable.
— With “true” random sequences each number is statistically independent of other
numbers in the sequence and therefore unpredictable
o True random numbers have their limitations, such as inefficiency, so it is more
common to implement algorithms that generate sequences of numbers that
appear to be random.
o Care must be taken that an opponent is not able to predict future elements of the
sequence on the basis of earlier elements.
TRUE RANDOM NUMBER GENERATOR (TRNG)
— Takes as input a source that is effectively random.
— The source is referred to as an entropy source and is drawn from the physical
environment of the computer.
o Includes things such as keystroke timing patterns, disk electrical activity,
mouse movements, and instantaneous values of the system clock.
o The source, or combination of sources, serve as input to an algorithm that
produces random binary output.
— The TRNG may simply involve conversion of an analog source to a binary output.
— The TRNG may involve additional processing to overcome any bias in the source.
PSEUDORANDOM NUMBER GENERATOR (PRNG)
— Takes as input a fixed value, called the seed, and produces a sequence of output bits
using a deterministic algorithm
o Quite often the seed is generated by a TRNG.
— The output bit stream is determined solely by the input value or values, so an adversary
who knows the algorithm and the seed can reproduce the entire bit stream
— Other than the number of bits produced there is no difference between a PRNG and a
PRF
— Two different forms of PRNG
o Pseudorandom number generator:
 An algorithm that is used to produce an open-ended sequence of bits.
 Input to a symmetric stream cipher is a common application for an
open-ended sequence of bits.
o Pseudorandom function (PRF):
 Used to produce a pseudorandom string of bits of some fixed length.
 Examples are symmetric encryption keys and nonces.

PSEUDORANDOM NUMBERS
— Cryptographic applications typically make use of algorithmic techniques for random
number generation.
— These algorithms are deterministic and therefore produce sequences of numbers that
are not statistically random.
— If the algorithm is good, the resulting sequences will pass many tests of randomness and
are referred to as pseudorandom numbers.
TRNG / PRNG / PRF

PRNG REQUIREMENTS
— The basic requirement when a PRNG or PRF is used for a cryptographic application is
that an adversary who does not know the seed is unable to determine the
pseudorandom string.
— The requirement for secrecy of the output of a PRNG or PRF leads to specific
requirements in the areas of:
o Randomness
o Unpredictability
o Characteristics of the seed

RANDOMNESS
— The generated bit stream needs to appear random even though it is deterministic.
— There is no single test that can determine if a PRNG generates numbers that have the
characteristic of randomness
o If the PRNG exhibits randomness on the basis of multiple tests, then it can be
assumed to satisfy the randomness requirement.
— NIST SP 800-22 specifies that the tests should seek to establish three characteristics:
o Uniformity: the number of ones ≈ the number of zeros
o Scalability: sub-sequences are random as well
o Consistency: consistent across seeds

UNPREDICTABILITY
— A stream of pseudorandom numbers should exhibit two forms of unpredictability:
— Forward unpredictability:
o If the seed is unknown, the next output bit in the sequence should be
unpredictable in spite of any knowledge of previous bits in the sequence.
— Backward unpredictability:
o It should not be feasible to determine the seed from knowledge of any
generated values. No correlation between a seed and any value generated from
that seed should be evident; each element of the sequence should appear to be
the outcome of an independent random event whose probability is ½.
— The same set of tests for randomness also provides a test of unpredictability.
o A random sequence will have no correlation with a fixed value (the seed)

SEED REQUIREMENTS
— The seed that serves as input to the PRNG must be secure and unpredictable.
— The seed itself must be a random or pseudorandom number.
— Typically the seed is generated by TRNG.
GENERATION OF SEED INPUT TO PRNG
— PRN is much longer than TRN.
— TRNG may produce a binary string with some bias.
— TRNG may be not fast enough.

PRNG DESIGN
— Algorithms fall into two categories:
o Purpose-built algorithms:
 Algorithms designed specifically and solely for the purpose of
generating pseudorandom bit streams.
 Example: RC4 in WEP
o Algorithms based on existing cryptographic algorithms:
 Have the effect of randomizing input data.
LINEAR CONGRUENTIAL GENERATOR
— An algorithm first proposed by Lehmer that is parameterized with four numbers:
o m, the modulus, m > 0
o a, the multiplier, 0 < a < m
o c, the increment, 0 ≤ c < m
o X_0, the starting value or seed, 0 ≤ X_0 < m
— The sequence of random numbers {X_n} is obtained via the following iterative equation:
— X_{n+1} = (a X_n + c) mod m
— If m, a, c, and X_0 are integers, then this technique will produce a sequence of integers
with each integer in the range 0 ≤ X_n < m
— The selection of values for a, c, and m is critical in developing a good random number
generator; m is typically near to or equal to 2^31.

BLUM BLUM SHUB (BBS) GENERATOR


— Has perhaps the strongest public proof of its cryptographic strength of any purpose-
built algorithm
— Referred to as a cryptographically secure pseudorandom bit generator (CSPRBG)
o A CSPRBG is defined as one that passes the next-bit-test if there is not a
polynomial-time algorithm that, on input of the first k bits of an output
sequence, can predict the (k + 1)st bit with probability significantly greater than
½
— The security of BBS is based on the difficulty of factoring n.
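The linear congruential generator and the BBS generator described above, as an added Python example that is not part of the original notes. The LCG parameters a = 7, c = 0, m = 32, X_0 = 1 and the BBS values p = 383, q = 503, s = 101355 are sample values chosen here; the functions check the parameter conditions the notes state (parameter ranges for the LCG; p, q ≡ 3 mod 4 and a seed coprime to N for BBS).

```python
"""Added example (not from the notes): Lehmer's LCG, the Blum Blum Shub generator and a monobit check."""
from math import gcd


def lcg(a, c, m, x0, n):
    """Linear congruential generator: X_{n+1} = (a*X_n + c) mod m; returns X_1..X_n."""
    assert m > 0 and 0 < a < m and 0 <= c < m and 0 <= x0 < m   # parameter ranges from the notes
    out, x = [], x0
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def bbs_states(p, q, s, n):
    """BBS: x_0 = s^2 mod N, x_{i+1} = x_i^2 mod N with N = p*q; returns x_1..x_n."""
    assert p % 4 == 3 and q % 4 == 3, "p and q must be Blum primes (congruent to 3 mod 4)"
    big_n = p * q
    assert gcd(s, big_n) == 1, "seed must be coprime to N"
    out, x = [], s * s % big_n
    for _ in range(n):
        x = x * x % big_n
        out.append(x)
    return out


def bbs_bits(p, q, s, n):
    """Output bit b_i is the least significant bit of state x_i."""
    return [x & 1 for x in bbs_states(p, q, s, n)]


def monobit_balance(bits):
    """Uniformity check in the spirit of NIST SP 800-22: fraction of ones (ideally near 0.5)."""
    return sum(bits) / len(bits)


if __name__ == "__main__":
    # sample parameters (constructed for this example): the LCG cycles after only 4 values
    print("LCG a=7, c=0, m=32, X0=1:", lcg(7, 0, 32, 1, 8))
    print("BBS states:", bbs_states(383, 503, 101355, 5))
    bits = bbs_bits(383, 503, 101355, 20)
    print("BBS bits:", bits, "fraction of ones:", monobit_balance(bits))
```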
EXAMPLE OPERATION OF BBS GENERATOR

PRNG USING BLOCK CIPHER MODES OF OPERATION


— Two approaches that use a block cipher to build a PRNG have gained widespread
acceptance:
o CTR mode:
 Recommended in NIST SP 800-90, ANSI standard X9.82, and RFC
4086
o OFB mode:
 Recommended in X9.82 and RFC 4086
PRNG USING BLOCK CIPHER MODES OF OPERATION
— Seed consists of two parts
o Key K and a value V
— V is updated every round
o CTR: V + 1 → V
o OFB: output → V
— Pseudorandom bits are produced one block at a time.
o E.g., 128 bits for AES

EXAMPLE RESULTS FOR PRNG USING OFB


EXAMPLE RESULTS FOR PRNG USING CTR

ANSI X9.17 PRNG


TRNG AND POSSIBLE SOURCES OF RANDOMNESS
— A true random number generator (TRNG) uses a nondeterministic source to produce
randomness
— Most operate by measuring unpredictable natural processes.
— RFC 4086 lists the following possible sources of randomness that can be used on a
computer to generate true random sequences:

SKEW
— A TRNG may produce an output that is biased in some way, such as having more ones
than zeros or vice versa.
o Deskewing algorithms: methods of modifying a bit stream to reduce or eliminate the bias.
o One approach is to pass the bit stream through a hash function such as MD5
or SHA-1
o RFC 4086 recommends collecting input from multiple hardware sources and
then mixing these using a hash function to produce random output.
— Operating systems typically provide a built-in mechanism for generating random
numbers:
o Linux uses four entropy sources: mouse and keyboard activity, disk I/O
operations, and specific interrupts.
o Bits are generated from these four sources and combined in a pooled buffer.
o When random bits are needed the appropriate number of bits are read from the
buffer and passed through the SHA-1 hash function
COMPARISON OF PRNGs AND TRNGs

STREAM CIPHERS

STREAM CIPHER DESIGN CONSIDERATIONS

RC4 (A STREAM CIPHER)


— Designed in 1987 by Ron Rivest for RSA Security
— Variable key size stream cipher with byte-oriented operations
— Based on the use of a random permutation
— Eight to sixteen machine operations are required per output byte and the cipher can be
expected to run very quickly in software
— Used in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards
that have been defined for communication between Web browsers and servers.
— Is also used in the Wired Equivalent Privacy (WEP) protocol and the newer WiFi
Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN
standard

STRENGTH OF RC4

SUMMARY
— Principles of pseudorandom number generation
o The use of random numbers
o TRNGs, PRNGs, and PRFs
o PRNG requirements
o Algorithm design
— Pseudorandom number generators
o Linear congruential generators
o Blum Blum Shub generator
— Pseudorandom number generation using a block cipher.
o PRNG using block cipher modes of operation.
o ANSI X9.17 PRNG
— Stream ciphers
— RC4
o Initialization of S
o Stream generation
o Strength of RC4
— True random number generators
o Entropy sources
o Comparison of PRNGs and TRNGs
o Skew
