
Chapter Two

Elementary Cryptography

Part Three
DES and DES types, AES and RSA
Outline
• Review of Encryption
  ◦ Symmetric and Asymmetric Encryption
• Data Encryption Standard (DES) Algorithm
  ◦ DES Background and History
  ◦ Overview of the DES Algorithm
  ◦ Double and Triple DES
  ◦ Security of the DES
• The AES (Advanced Encryption Standard) Encryption Algorithm
  ◦ Overview of Rijndael algorithm and its strength
  ◦ Comparison of DES and AES
• Public key encryption
  ◦ Characteristics of public key Encryption algorithms
  ◦ Rivest-Shamir-Adleman (RSA) Encryption
Review of Encryption
• A message in its original form (plaintext) is converted (encrypted) into an unintelligible form (ciphertext) by a set of procedures known as an encryption algorithm (cipher) and a variable, called a key.
• The ciphertext is transformed (decrypted) back into plaintext using the encryption algorithm and a key.

Encryption: $C = E_K(P)$
Decryption: $P = E_K^{-1}(C)$

• $E_K$ is chosen from a family of transformations known as a cryptographic system.
• The parameter that selects the individual transformation is called the key K, selected from a keyspace K. For a K-bit key the keyspace size is $2^K$.
Symmetric and Asymmetric Encryption Algorithms

Data Encryption Standard (DES) History
• The Data Encryption Standard (DES) was developed in the 1970s by the National Bureau of Standards with the help of the National Security Agency.
  ◦ Its purpose is to provide a standard method for protecting sensitive commercial and unclassified data.
• IBM created the first draft of the algorithm, calling it LUCIFER.
• DES officially became a federal standard in November of 1976.
• In May 1973, and again in Aug 1974, the NBS (now NIST) called for possible encryption algorithms for use in unclassified government applications.
  ◦ Response was mostly disappointing; however, IBM submitted their Lucifer design.

DES - As a Federal Standard
• DES was adopted as a (US) federal standard in November 1976, published by NBS as a hardware only scheme in January 1977 and by ANSI for both hardware and software standards in ANSI X3.92-1981 (also X3.106-1983 modes of use)
• Subsequently DES has been widely adopted and is now published in many standards around the world.
Overview of DES Algorithm
• The DES algorithm is a careful and complex combination of two fundamental building blocks of encryption: substitution and transposition.
  ◦ DES begins by encrypting the plaintext as a block of 64 bits.
• DES uses a 56-bit key. In fact, the 56-bit key is divided into eight 7-bit blocks and an 8th odd parity bit is added to each block (i.e., a "0" or "1" is added to the block so that there are an odd number of 1 bits in each 8-bit block).
  ◦ By using the 8 parity bits for rudimentary error detection, a DES key is actually 64 bits in length for computational purposes (although it only has 56 bits worth of randomness, or entropy).
Contd.
• DES is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).

Fig. Encryption and decryption with DES
DES Structure
• The encryption process is made of two permutations (P-boxes), which we call initial and final permutations, and sixteen Feistel rounds.
• The P-boxes provide diffusion across S-box inputs.
• The S-boxes provide confusion of input bits.
Confusion
• A technique that seeks to make the relationship between the statistics of the ciphertext and the value of the encryption keys as complex as possible.
Diffusion
• A technique that seeks to obscure the statistical structure of the plaintext by spreading out the influence of each individual plaintext
DES Structure
• Permutation is an operation performed by a function, which moves an element at place j to the place k.
• The key-dependent computation can be simply defined in terms of a function f, called the cipher function, and a function KS, called the key schedule.
DES Desired Effects
Avalanche effect
• A characteristic of an encryption algorithm in which a small change in the plaintext gives rise to a large change in the ciphertext
• Best: changing one input bit results in changes of approx half the output bits
Completeness effect
Feistel Cipher
• Invented by Horst Feistel, working at IBM Thomas J Watson research labs in early 70's,
• The idea is to partition the input block into two halves, l(i-1) and r(i-1), and use only r(i-1) in each round i (part) of the cipher
• The function f incorporates one stage of the S-P network, controlled by part of the key k(i) known as the ith subkey

Feistel Encryption and Decryption
Contd.

Fig. General structure of DES
DES Basics
• DES uses the two basic techniques of cryptography - confusion and diffusion.
  ◦ At the simplest level, diffusion is achieved through numerous permutations and confusion is achieved through the XOR operation.

Fig. The S-P Network
DES - The 16 Rounds
• The basic process in enciphering a 64-bit data block and a 56-bit key using the DES consists of:
1. An initial permutation (IP)
2. 16 rounds of a complex key dependent calculation f
3. A final permutation, being
DES Encryption
1. The 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.
2. This is followed by a phase consisting of 16 rounds of the same function (f) which involves both permutation and substitution functions.
  ◦ Function f can be described as
    • $L(i) = R(i-1)$
    • $R(i) = L(i-1) \oplus P(S(E(R(i-1)) \oplus K(i)))$
  ◦ The output of the last (sixteenth) round consists of 64-bit text that is a function of the input plaintext and the key.
3. Finally, the output is passed through an inverse permutation


Initial and Final Permutations

Fig. Initial and final permutation steps in DES
DES - Swapping of Left and Right Halves
• The 64-bit block being enciphered is broken into two halves.
• The right half goes through one DES round, and the result becomes the new left half.
• The old left half becomes the new right half, and will go through one round in the next round.
• This goes on for 16 rounds, but after the last round the left and right halves are not swapped, so that the result of the 16th round becomes the final right half, and the result of the 15th round (which became the left half of the 16th round) is the final left half.
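The round equations L(i) = R(i-1), R(i) = L(i-1) xor f(R(i-1), K(i)), the un-swapped final halves and the avalanche effect can all be exercised on a toy Feistel network. This is an added example, not code from the original slides: the SHA-256-based round function and key schedule are stand-ins (assumptions, not DES's E/S/P tables or PC-1/PC-2), so the output is not DES ciphertext; the sample key and block reuse the hex values of the deck's DES example.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_f(right, subkey):
    """Stand-in for DES's f = P(S(E(R) xor K)); NOT the real DES function.

    A Feistel round never has to invert f, so any keyed function works here.
    """
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")


def subkeys(key):
    """Hypothetical key schedule: one 48-bit subkey per round (not PC-1/PC-2)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, ROUNDS + 1)]


def feistel(block, round_keys):
    """Run the 16 rounds on a 64-bit integer block."""
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        # L(i) = R(i-1);  R(i) = L(i-1) xor f(R(i-1), K(i))
        left, right = right, left ^ round_f(right, k)
    # The halves are emitted as R16 || L16 (the last round's swap is undone).
    # That is what lets this same routine decrypt with reversed subkeys.
    return (right << 32) | left


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    return feistel(block, subkeys(key)[::-1])


def avalanche(block, key):
    """Average number of output bits that change per single-bit input flip."""
    base = encrypt(block, key)
    changed = [bin(base ^ encrypt(block ^ (1 << i), key)).count("1")
               for i in range(64)]
    return sum(changed) / len(changed)


# Sample values reused from the deck's DES example (output is NOT DES output).
KEY = bytes.fromhex("581FBC94D3A452EA")
PLAINTEXT = 0x3570E2F1BA4682C7

if __name__ == "__main__":
    c = encrypt(PLAINTEXT, KEY)
    print(f"ciphertext  {c:016X}")
    print(f"round trip  {decrypt(c, KEY):016X}")
    print(f"avalanche   {avalanche(PLAINTEXT, KEY):.1f} of 64 bits")
```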
Contd.

The 16 Rounds of F Consist Of:
Initial Permutation Vs. Inverse (Final) Permutation Tables
• The initial permutation and its inverse are defined by tables.
• The input to the table consists of 64 bits numbered from 1 to 64.

Initial Permutation
Bit   0   1   2   3   4   5   6   7
  1  58  50  42  34  26  18  10   2
  9  60  52  44  36  28  20  12   4
 17  62  54  46  38  30  22  14   6
 25  64  56  48  40  32  24  16   8
 33  57  49  41  33  25  17   9   1
 41  59  51  43  35  27  19  11   3
 49  61  53  45  37  29  21  13   5
 57  63  55  47  39  31  23  15   7

Final Permutation
Bit   0   1   2   3   4   5   6   7
  1  40   8  48  16  56  24  64  32
  9  39   7  47  15  55  23  63  31
 17  38   6  46  14  54  22  62  30
 25  37   5  45  13  53  21  61  29
 33  36   4  44  12  52  20  60  28
 41  35   3  43  11  51  19  59  27
 49  34   2  42  10  50  18  58  26
 57  33   1  41   9  49  17  57  25

Note: $IP(IP^{-1}) = IP^{-1}(IP) = I$


Expansion Permutation Vs. Permutation Function Tables

Expansion Permutation E() table
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 45 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Permutation P() table
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
 9 13 30  6 22 11  4 25
Substitution Boxes (S-Box)
• In the S-box the substitution consists of a set of eight S-Boxes, each of which accepts six bits as input and produces four bits as output.
• The first and last bits of the input to Si form a 2-bit binary number to select one of the four substitutions defined by the four rows in
Contd.
• The middle four bits select one of the 16 columns.
• The decimal value in the cell selected by the row and column is then converted into its 4-bit representation to produce the output.
• That is, S-Box is a fixed 4 by 16 array

Given 6 bits $B = b_1 b_2 b_3 b_4 b_5 b_6$,
Row $r = b_1 b_6$, Column $c = b_2 b_3 b_4 b_5$
$S(B) = S(r, c)$ written in binary of length 4

Example: In S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12).
• The value in row 1 and column 12 is 9, so the
Substitution Boxes (S-Box)
DES Key Generation
• The key is first subjected to a permutation governed by a table labeled Permuted Choice One.
• The resulting 56-bit key is then treated as two 28-bit quantities labeled $C_0$ and $D_0$.
• At each round, $C_{i-1}$ and $D_{i-1}$ are separately subjected to a circular left shift, or rotation, of 1 or 2 bits as governed by the left shift table.
• The shifted values serve as input to the next round. They also serve as input to Permuted Choice Two, which produces a 48-bit output that serves as input to the function $F(R_{i-1}, K_i)$.
Permutation Tables

Permutation table PC-1
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 47 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

Permutation table PC-2
14 17 11 24  1  5  3 28
15  6 21 10 23 19 12  4
26  8 16  7 27 20 13  2
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32
DES - Example

Given
Key (K) = 581FBC94D3A452EA
Plaintext (P) = 3570E2F1BA4682C7

Required
Encryption using a one-round version of the DES algorithm
Double and Triple DES
• The simplest form of double DES encryption has two encryption stages and two keys.
• Given a plaintext p and two encryption keys k1 and k2, ciphertext C is generated as: $C = E_{K2}(E_{K1}(p))$
• Decryption requires that the keys be applied in reverse order: $P = D_{K1}(D_{K2}(C))$
• For Double DES, this scheme apparently involves a key length of 56 × 2 bits, resulting in a dramatic increase in
Contd.

Fig. Double and Triple DES encryption and decryption


Meet-in-the-Middle Attack on Double DES
Double-DES: $C = E_{K2}(E_{K1}(P))$
So, $X = E_{K1}(P) = D_{K2}(C)$
• Given a known pair (P, C), attack as follows:
  ◦ Encrypt P with all $2^{56}$ possible keys for K1.
  ◦ Decrypt C with all $2^{56}$ possible keys for K2.
  ◦ If $E_{K1}(P) = D_{K2}(C)$, try the keys on another (P', C').
  ◦ If it works, (K1', K2') = (K1, K2) with high probability.
• Takes $O(2^{56})$ steps; not much more than attacking Single-DES.
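Why a second encryption pass adds roughly one bit of work instead of doubling the key length can be checked at small scale. This is an added example, not part of the original slides: `toy_encrypt` is a hypothetical 16-bit block cipher with a 12-bit key standing in for DES, and the keys and plaintexts are constructed for the demo.

```python
KEY_BITS = 12                    # toy key size (DES: 56)
KEYS = 1 << KEY_BITS
MASK = 0xFFFF                    # toy block size: 16 bits (DES: 64)
MUL = 0x9E37                     # odd, therefore invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)


def toy_encrypt(key, block):
    """Hypothetical 3-round toy cipher; it only has to be invertible."""
    x = block
    for r in range(3):
        x = ((x ^ (key + r)) * MUL) & MASK
        x = ((x << 5) | (x >> 11)) & MASK          # rotate left by 5
    return x


def toy_decrypt(key, block):
    x = block
    for r in reversed(range(3)):
        x = ((x >> 5) | (x << 11)) & MASK          # rotate right by 5
        x = ((x * MUL_INV) & MASK) ^ (key + r)
    return x


def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))  # C = E_K2(E_K1(P))


def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher operations spent on the first pair)."""
    p0, c0 = pairs[0]
    middle = {}                                     # X = E_K1(P) -> [K1, ...]
    for k1 in range(KEYS):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(KEYS):
        x = toy_decrypt(k2, c0)                     # X = D_K2(C)
        for k1 in middle.get(x, ()):
            # Confirm on the other known pairs to discard chance matches.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found, 2 * KEYS


# Constructed demo: secret keys and three known plaintext/ciphertext pairs.
K1, K2 = 0x3A7, 0xC15
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    found, ops = meet_in_the_middle(PAIRS)
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print("operations:", ops, "versus exhaustive search:", KEYS ** 2)
```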


Triple DES
• Also referred to as EDE (Encryption Decryption Encryption)
• Using two keys and applying them in three operations adds apparent strength.
• Triple DES procedure is $C = E_{K1}(D_{K2}(E_{K1}(p)))$, that is, you encrypt with one key, decrypt with the second key and encrypt with the first key again.
• Although this process is called Triple DES, because of the three applications of the DES algorithm, it only doubles the effective key
Contd.
• A straightforward implementation of Triple DES would be: $C = E_{K1}(E_{K2}(E_{K1}(P)))$ but in practice: $C = E_{K1}(D_{K2}(E_{K1}(P)))$
• If K1=K2, then 3DES = 1DES. Thus, 3DES software can be used as single-DES.
• Standardized in ANSI X9.17 & ISO 8732
• No current known practical attacks
• What about the meet-in-the-middle attack?
Meet-in-the-Middle Attack on Triple DES

P → E (K1) → A → D (K2) → B → E (K1) → C

1. For each possible key for K1, encrypt P to produce a possible value for A.
2. Using this A, and C, attack the 2DES to obtain a pair of keys (K2, K1').
3. If K1' = K1, try the key pair (K1, K2) on another (C', P').
4. If it works, (K1, K2) is the key pair with high probability.
5. It takes $O(2^{55} \times 2^{56}) = O(2^{111})$ steps on average.


Triple DES with Three Keys
• Encryption: $C = E_{K3}(D_{K2}(E_{K1}(P)))$
• If K1=K3, we have 3DES with 2 keys.
• If K1=K2=K3, we have the regular DES.
• So, 3DES with 3 keys is backward compatible with 3DES with 2 keys and with the regular DES
• Some internet applications have adopted 3DES with three keys.
  ◦ E.g. PGP and MIME.


AES: Advanced Encryption Standard
• In 1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.
• Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits.
• AES was adopted for use by the US government in December 2001 and became the Federal Information Processing Standard.
• In 2000, Rijndael cipher (by Rijmen and Daemen) was selected.
• An iterated cipher, with 10, 12, or 14 rounds.
• Rijndael allows various block lengths. But AES allows only one block size: 128 bits.
Overview of Rijndael Algorithm
• It is a fast algorithm that can be implemented easily on simple processors.
• Although it has a strong mathematical application, it primarily uses substitution, transposition and the shift, exclusive OR and addition operations.
• Like DES, AES uses repeated cycles. That is, there are 9, 11 or 13 cycles for keys of 128, 192, and 256 bits respectively.
• Each cycle (round) consists of four steps:
1. Byte Substitution:- uses a substitution box structure similar to DES.
  ◦ Substituting each byte of a 128-bit block according to a substitution
Contd.
2. Shift Rows (transposition step):- for 128 and 192-bit block size, row n is shifted left circular (n-1) bytes; for 256-bit blocks, row 2 is shifted 1 byte and rows 3 and 4 are shifted 3 and 4 bytes respectively.
  ◦ This is a straight diffusion operation.
3. Mix Columns:- this step involves shifting left and exclusive-ORing bits with themselves.
  ◦ These operations provide both confusion and diffusion.
4. Add Subkeys:- Here, a portion of the key unique to this cycle is exclusive-ORed with the cycle result.
  ◦ This operation provides confusion and incorporates the key.
Comparison of DES and AES
                         | DES                            | AES
-------------------------+--------------------------------+------------------------------------------
Date                     | 1976                           | 1999
Block Size               | 64 bits                        | 128 bits
Key length               | 56 bits (effective key length) | 128, 192, 256 [and possibly more] bits
Encryption Primitives    | Substitution, Permutation      | Substitution, shift, bit mixing
Cryptographic Primitives | Confusion, Diffusion           | Confusion, Diffusion
Design                   | Open                           | Open
Design Rationale         | Closed                         | Open
Selection Process        | Secret                         | Secret, but accepted open public comment
Source                   | IBM, enhanced by NSA           | Independent Dutch cryptographers
Public Key Encryption
Private Vs. Public-Key Cryptography
• Traditional private/secret/single key cryptography uses one key shared by both sender and receiver
• If this key is disclosed communications are compromised
• also is symmetric, parties are equal
• Hence does not protect sender from receiver forging a message & claiming it is sent by sender
• But public-key cryptography uses two keys – a public & a private key
• asymmetric since parties are not equal
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto
Contd.
• Public-key cryptography was designed by Whitfield Diffie & Martin Hellman at Stanford University in 1976
• The public-key cryptography involves the use of two keys:
1. Public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
2. Private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create
Public-Key Characteristics
• Each user has two keys: a public key and a private key.
• The two keys operate as inverses, meaning that one key undoes the encryption provided by the other.
  ◦ A user can encrypt a message with a public key and the message can be revealed only with the corresponding private key. $P = D_{k_{priv}}(E_{k_{pub}}(P))$
  ◦ A user can encrypt a message with a private key and the message can be revealed only with the corresponding public key. $P = D_{k_{pub}}(E_{k_{priv}}(P))$
• Public-key algorithms rely on two keys with the characteristics that it is:
1. computationally infeasible to find decryption key knowing only algorithm & encryption key
2. computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
3. either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)
Public-Key Cryptosystems
• can classify uses into 3 categories:
1. Encryption/decryption (provide secrecy)
2. Digital signatures (provide authentication)
3. Key exchange (of session keys)
• some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes
• Like private key schemes brute force exhaustive search attack is always theoretically possible
  ◦ But keys used are too large (>512 bits)
• Security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalytic) problems
  ◦ More generally the hard problem is known, it's just made too hard to do in practise
• Requires the use of very large numbers
  ◦ Hence is slow compared to private key schemes
Comparing Secret-key and Public-key Encryption
                  | Secret key (Symmetric)                          | Public key (Asymmetric)
------------------+-------------------------------------------------+------------------------------------------------
Number of Keys    | One                                             | Two
Protection of key | Must be kept secret                             | One key must be kept secret: the other can be
                  |                                                 | freely exposed.
Best Uses         | Cryptographic workhorse: secrecy and integrity  | Key exchange, authentication
                  | of data - single characters to blocks of data,  |
                  | messages, files                                 |
Key Distribution  | Must be out-of-band                             | Public key can be used to distribute other keys
Speed             | Fast                                            | Slow: typically, 10,000 times slower than
                  |                                                 | secret key
RSA Encryption
• The RSA cryptosystem, named after its inventors R. Rivest, S. Shamir and A. Adleman, is the most widely used public-key cryptosystem.
• It may be used to provide both secrecy and digital signatures and its security is based on the intractability of the integer factorization problem.
• It is based on exponentiation in a finite (Galois) field over integers modulo a prime
  ◦ exponentiation takes $O((\log n)^3)$ operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers:
  ◦ factorization takes $O(e^{\log n \log\log n})$ operations (hard)
Contd.
• The RSA encryption algorithm combines results from number theory with the degree of difficulty in determining the prime factors of a given number.
• The two keys used in RSA, d and e, are used for decryption and encryption.
• They are actually interchangeable: either can be chosen as the public key but, having chosen one, you must keep the other one private.
  $P = E(D(P)) = D(E(P))$
• Any plaintext block P is encrypted as $P^e \bmod n$. Because the
RSA Key Setup
• Each user generates a public/private key pair by:
• Selecting two large primes at random - p, q
• Computing their system modulus N=p.q
  ◦ note ø(N)=(p-1)(q-1)
• Selecting at random the encryption key e
  ◦ where 1<e<ø(N), gcd(e,ø(N))=1
• Solve following equation to find decryption key d
  ◦ e.d=1 mod ø(N) and 0≤d≤N
• Publish their public encryption key: KU={e,N}
• Keep secret private decryption key: KR={d,p,q}
RSA Key Generation
• users of RSA must:
  ◦ determine two primes at random - p, q
  ◦ select either e or d and compute the other
• primes p,q must not be easily derived from modulus N=p.q
  ◦ means must be sufficiently large
  ◦ typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse algorithm to compute the other
RSA Use
• to encrypt a message M the sender:
  ◦ obtains public key of recipient KU={e,N}
  ◦ computes: $C = M^e \bmod N$, where 0≤M<N
• to decrypt the ciphertext C the owner:
  ◦ uses their private key KR={d,p,q}
  ◦ computes: $M = C^d \bmod N$
• note that the message M must be smaller than the modulus N (block if needed)
Prime Numbers
• prime numbers only have divisors of 1 and self
  ◦ they cannot be written as a product of other numbers
  ◦ note: 1 is prime, but is generally not of interest
• eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
• prime numbers are central to number theory
• list of prime numbers less than 200 is:

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61
67 71 73 79 83 89 97 101 103 107 109 113 127 131
137 139 149 151 157 163 167 173 179 181 191 193
197 199
Prime Factorisation
• To factor a number n is to write it as a product of other numbers: n=a × b × c
• Note that factoring a number is relatively hard compared to multiplying the factors together to generate the number
• The prime factorisation of a number n is when it's written as a product of primes
  ◦ eg. $91 = 7 \times 13$; $3600 = 2^4 \times 3^2 \times 5^2$
Relatively Prime Numbers & GCD
• Two numbers a, b are relatively prime if they have no common divisors apart from 1
  ◦ eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor
• Conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers
  ◦ eg. $300 = 2^1 \times 3^1 \times 5^2$, $18 = 2^1 \times 3^2$, hence $GCD(18, 300) = 2^1 \times 3^1 \times 5^0 = 6$
RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq = 17×11 = 187
3. Compute ø(n) = (p–1)(q-1) = 16×10 = 160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160. Value is d=23 since 23×7=161= 10×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
Contd.
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption: $C = 88^7 \bmod 187 = 11$
• decryption: $M = 11^{23} \bmod 187 = 88$
RSA Security
Three approaches to attacking RSA:
1. brute force key search (infeasible given size of numbers)
2. mathematical attacks (based on difficulty of computing ø(N), by factoring modulus N)
3. timing attacks (on running of decryption)
Factoring Problem
• mathematical approach takes 3 forms:
  ◦ factor N=p.q, hence find ø(N) and then d
  ◦ determine ø(N) directly and find d
  ◦ find d directly
• currently believe all equivalent to factoring
  ◦ have seen slow improvements over the years
    • as of Aug-99 best is 130 decimal digits (512 bit) with GNFS
  ◦ biggest improvement comes from improved algorithm
    • cf “Quadratic Sieve” to “Generalized Number Field Sieve”
  ◦ barring dramatic breakthrough 1024+ bit RSA secure
    • ensure p, q of similar size and matching other constraints
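The key setup, the worked numbers of the RSA Example slides and the "factor N, hence find ø(N) and then d" route can be run end to end. This is an added example, not code from the original slides; the function names are hypothetical, and the scheme is the unpadded RSA the slides describe.

```python
def mod_inverse(a, m):
    """Extended Euclid: return d with a*d = 1 (mod m)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a and m are not relatively prime")
    return old_s % m


def make_keypair(p, q, e):
    """Key setup from the slides: returns (KU, KR) = ((e, N), (d, p, q))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("need 1 < e < phi(N)")
    d = mod_inverse(e, phi)            # raises unless gcd(e, phi(N)) = 1
    return (e, n), (d, p, q)


def encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < N; split into blocks")
    return pow(m, e, n)                # C = M^e mod N


def decrypt(c, private):
    d, p, q = private
    return pow(c, d, p * q)            # M = C^d mod N


def private_exponent_from_factoring(public):
    """Anyone who can factor N can rebuild d from the public key alone.

    Trial division is instant for the slides' N = 187 and hopeless for a
    modulus of realistic size; that gap is what RSA's security rests on.
    """
    e, n = public
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    return mod_inverse(e, (p - 1) * (n // p - 1))


if __name__ == "__main__":
    KU, KR = make_keypair(17, 11, 7)   # p, q, e from the RSA Example slide
    c = encrypt(88, KU)
    print("KU =", KU, "KR =", KR)
    print("C =", c, "M =", decrypt(c, KR))
    print("d recovered from N alone:", private_exponent_from_factoring(KU))
```

Deployed RSA adds a padding scheme such as OAEP before the exponentiation; the bare M^e mod N form is kept here only to match the slides.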
Timing Attacks
• developed in mid-1990’s
• exploit timing variations in operations
  ◦ eg. multiplying by small vs large number
  ◦ or IF's varying which instructions executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures
  ◦ use constant exponentiation time
  ◦ add random delays
  ◦ blind values used in calculations
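Two of the listed countermeasures, a fixed amount of work per exponent bit and blinding, compared with the data-dependent exponentiation they replace. This is an added example, not code from the original slides: the function names are hypothetical, the numbers come from the RSA Example slides, and the counters model operation counts only, since Python integer arithmetic is not constant-time.

```python
import secrets
from math import gcd


def square_and_multiply(base, exp, mod):
    """Textbook left-to-right exponentiation; returns (result, multiplications).

    The multiply inside the `if` runs only for 1 bits, so the amount of work
    depends on the secret exponent: the variation a timing attack measures.
    """
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        mults += 1
        if bit == "1":
            result = result * base % mod
            mults += 1
    return result, mults


def ladder(base, exp, mod, bits):
    """Montgomery ladder: one multiply and one square per bit, whatever the bit.

    Production code also replaces the branch with a constant-time swap.
    """
    r0, r1, mults = 1, base % mod, 0
    for i in reversed(range(bits)):
        if (exp >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        mults += 2
    return r0, mults


def blinded_decrypt(c, d, e, n, r=None):
    """Decrypt c * r^e instead of c, then strip r from the result.

    The private-key exponentiation never runs on a value the sender chose.
    """
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2           # random r in [2, n-1]
    blinded = c * pow(r, e, n) % n
    return pow(blinded, d, n) * pow(r, -1, n) % n  # (m * r) * r^-1 = m


if __name__ == "__main__":
    E, D, N, C = 7, 23, 187, 11                    # RSA Example slide values
    for exponent in (D, 16):                       # 10111b versus 10000b
        print(exponent,
              "square-and-multiply:", square_and_multiply(C, exponent, N),
              "ladder:", ladder(C, exponent, N, 5))
    print("blinded decryption:", blinded_decrypt(C, D, E, N))
```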
