Simple DES – Differential cryptoanalysis – DES – Modes of operation – Triple DES – AES – RC4 – RSA – Attacks – Primality test – factoring.

1. IT2352 CRYPTOGRAPHY AND
NETWORK SECURITY
UNIT – II
Dr.A.Kathirvel, Professor and Head, Dept of IT
Anand Institute of Higher Technology, Chennai

2. UNIT - II
Simple DES – Differential cryptanalysis – DES – Modes
of operation – Triple DES – AES – RC4 – RSA – Attacks
– Primality test – factoring.

3. DATA ENCRYPTION
• Encryption Definition:
– The action of disguising information so that it can
be recovered easily by the persons who have the
key, but is highly resistant to recovery by persons
who do not have the key.

4. DATA ENCRYPTION
– A message is cleartext (plaintext) is encrypted
(disguised) through the use of an encryption key
to create a Ciphertext.

5. DATA ENCRYPTION
– The encryption key may be changed from time to
time to make an intruder’s task more difficult.
– Restoration of a ciphertext to cleartext is achieved
by the action of decryption using a decryption key.
• In symmetric (Single key) - The encryption and
decryption keys are the same.
• In asymmetric (two keys) - The encryption and
decryption keys are different.

6. DATA ENCRYPTION
• Encryption Methods - Encryption is accomplished
by scrambling the bits, characters, words, or
phrases in the original message. Scrambling
involves two activities:
• Transposition - In which the order of the bits
patterns, characters, words or phrases is
rearranged.
• Substitution - In which new bit patterns,
characters, words, or phrases are substituted
for the originals without changing their order.

7. DATA ENCRYPTION
• Data Encryption Standard (DES):
– Most widely used algorithm
– Pioneered by IBM
– It is symmetric cryptosystem
– Developed to protect sensitive, unclassified, US
government, Computer data.
– Used to provide authentication of electronic funds
transfer messages.

8. DATA ENCRYPTION
 DES Algorithm
 The algorithm accepts plaintext, P, and performs an
initial permutation, IP, on P producing P0, The block is
then broken into left and right halves, the Left (L0)
being the first 32 bits of P0 and the right (R0) being
the last 32 bits of P0.
 With L0 and R0, 16 rounds are performed until L16 and
R16 are generated.
 The inverse permutation, IP-1, is applied to L16R16 to
produce ciphertext C.

9. DATA ENCRYPTION
• Public Key Cryptosystem
– It is an asymmetric cryptosystem.
– First announced in 1976.
– Offer a radically different approach to encryption.
– The idea depends on the use of a pair of keys that
differ in a complementary way.
– Several algorithms are proposed
– RSA algorithm is considered to be highly secure.
• Public key encryption can achieved
– Privacy
– Authentication

10. DIFFERENTIAL CRYPTANALYSIS
• one of the most significant recent (public) advances
in cryptanalysis
• known in 70's with DES design
• Murphy, Biham & Shamir published 1990
• powerful method to analyse block ciphers
• used to analyse most current block ciphers with
varying degrees of success
• DES reasonably resistant to it

11. DIFFERENTIAL CRYPTANALYSIS
• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function f
influenced by both input & key
• hence cannot trace values back through cipher
without knowing values of the key
• Differential Cryptanalysis compares two related pairs
of encryptions

12. DIFFERENTIAL CRYPTANALYSIS
COMPARES PAIRS OF ENCRYPTIONS
• Differential cryptanalysis is complex
• with a known difference in the input
• searching for a known difference in output

13. DIFFERENTIAL CRYPTANALYSIS
• have some input difference giving some output
difference with probability p
• if find instances of some higher probability input /
output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds

14. DIFFERENTIAL CRYPTANALYSIS
• perform attack by repeatedly encrypting plaintext
pairs with known input XOR until obtain desired
output XOR
• when found
– if intermediate rounds match required XOR have a
right pair
– if not then have a wrong pair
• can then deduce keys values for the rounds
– right pairs suggest same key bits
– wrong pairs give random values
• larger numbers of rounds makes it more difficult
• Attack on full DES requires an effort on the order of
247, requiring 247 chosen plaintexts to be encrypted

15. LINEAR CRYPTANALYSIS
• another recent development
• also a statistical method
• based on finding linear approximations to model the
transformation of DES
• can attack DES with 247 known plaintexts, still in
practise infeasible

16. • have considered:
– terminology
– classical cipher techniques
– substitution ciphers
• cryptanalysis using letter frequencies
– transposition ciphers
DATA ENCRYPTION STANDARD

17. MODERN BLOCK CIPHERS
• will now look at modern block ciphers
• one of the most widely used types of cryptography
algorithms
• provide strong secrecy and/or authentication
services
• in particular will introduce DES (Data Encryption
Standard)

18. BLOCK VS STREAM CIPHERS
• block ciphers process messages into blocks, each of
which is then en/decrypted
• like a substitution on very big characters
– 64-bits or more
• stream ciphers process messages a bit or byte at a
time when en/decrypting
• many current ciphers are block ciphers
• hence are focus of course

19. BLOCK CIPHER PRINCIPLES
• block ciphers look like an extremely large
substitution
• would need table of 264 entries for a 64-bit block
• arbitrary reversible substitution cipher for a large
block size is not practical
– 64-bit general substitution block cipher, key size
264!
• most symmetric block ciphers are based on a Feistel
Cipher Structure
• needed since must be able to decrypt ciphertext to
recover messages efficiently

20. C. SHANNON AND SUBSTITUTION-
PERMUTATION CIPHERS
• in 1949 Shannon introduced idea of substitution-
permutation (S-P) networks
– modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive
cryptographic operations we have seen before:
– substitution (S-box)
– permutation (P-box) (transposition)
• provide confusion and diffusion of message

21. DIFFUSION AND CONFUSION
• Introduced by Claude Shannon to thwart cryptanalysis based on
statistical analysis
– Assume the attacker has some knowledge of the statistical
characteristics of the plaintext
• cipher needs to completely obscure statistical properties of
original message
• a one-time pad does this
• more practically Shannon suggested combining elements to
obtain:
• diffusion – dissipates statistical structure of plaintext over bulk of
ciphertext
• confusion – makes relationship between ciphertext and key as
complex as possible

22. FEISTEL CIPHER STRUCTURE
• Horst Feistel devised the feistel cipher
– implements Shannon’s
substitution-permutation network
concept
• partitions input block into two halves
– process through multiple rounds
which
– perform a substitution on left data
half
– based on round function of right
half & subkey
– then have permutation swapping
halves

23. FEISTEL CIPHER
• n sequential rounds
• A substitution on the left half Li
– 1. Apply a round function F to the right half Ri and
– 2. Take XOR of the output of (1) and Li
• The round function is parameterized by the subkey Ki
– Ki are derived from the overall key K

24. FEISTEL CIPHER DESIGN PRINCIPLES
• block size - increasing size improves security, but slows
cipher
• key size - increasing size improves security, makes
exhaustive key searching harder, but may slow cipher
• number of rounds - increasing number improves
security, but slows cipher
• subkey generation - greater complexity can make
analysis harder, but slows cipher
• round function - greater complexity can make analysis
harder, but slows cipher
• fast software en/decryption & ease of analysis - are
more recent concerns for practical use and testing

25. FEISTEL CIPHER DECRYPTION

26. DATA ENCRYPTION STANDARD (DES)
• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST) - as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• IBM developed Lucifer cipher - by team lead by Feistel
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from
NSA and others
• in 1973 NBS issued request for proposals for a national
cipher standard
• IBM submitted their revised Lucifer which was eventually
accepted as the DES

27. DES DESIGN CONTROVERSY
• although DES standard is public
• was considerable controversy over design -in choice of
56-bit key (vs Lucifer 128-bit)
•subsequent events
and public analysis
show in fact design
was appropriate
•DES has become
widely used,
especially in financial
applications

28. INITIAL PERMUTATION IP
• first step of the data computation
• IP reorders the input data bits
• quite regular in structure
– see text Table 3.2
• example:
IP(675a6967 5e5a6b5a) = (ffb2194d
004df6fb)

29. DES ROUND STRUCTURE
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
• takes 32-bit R half and 48-bit subkey and:
– expands R to 48-bits using Expansion Permutation
E (Table 3.2 c.)
– adds to subkey
– passes through 8 S-boxes to get 32-bit result
– finally permutes this using 32-bit Permutation
Function P (Table 3.2 d)

30. THE ROUND FUNCTION F(R,K)

31. SUBSTITUTION BOXES S
• 8 S-boxes (Table 3.3 )
• Each S-Box mapps 6 to 4 bits
– outer bits 1 & 6 (row bits) select the row
– inner bits 2-5 (col bits) select the column
– For example, in S1, for input 011001,
• the row is 01 (row 1)
• the column is 1100 (column 12).
• The value in row 1, column 12 is 9
• The output is 1001.
• result is 8 X 4 bits, or 32 bits

32. DES Key Schedule
• forms subkeys used in each round
• 1. initial permutation of the key PC1 (Table 3.4b)
• 2. divide the 56-bits in two 28-bit halves
• 3. at each round
– 3.1. Left shift each half (28bits) separately either 1 or 2
places based on the left shift schedule (Table 3.4d)
• Shifted values will be input for next round
– 3.2. Combine two halfs to 56 bits, permuting them by PC2
(Table 3.4c) for use in function f
• PC2 takes 56-bit input, outputs 48 bits

33. DES DECRYPTION
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value

34. DES Decryption (Reverse encryption)

35. AVALANCHE EFFECT
• key desirable property of encryption alg
• DES exhibits strong avalanche
• where a change of one input or key bit results in
changing approx half output bits

36. STRENGTH OF DES – KEY SIZE
• 56-bit keys have 256 = 7.2 x 1016 values
• brute force search looks hard
• recent advances have shown is possible
– in 1997 on Internet in a few months
– in 1998 on dedicated hardware (EFF) in a few days
– in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES

37. STRENGTH OF DES – TIMING ATTACKS
• attacks actual implementation of cipher
• use knowledge of consequences of implementation
to derive knowledge of some/all subkey bits
• specifically use fact that calculations can take varying
times depending on the value of the inputs to it

38. STRENGTH OF DES – ANALYTIC ATTACKS
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis
– linear cryptanalysis
– related key attacks

39. MODES OF OPERATION
• block ciphers encrypt fixed size blocks
• eg. DES encrypts 64-bit blocks, with 56-bit key
• need way to use in practise, given usually have
arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard ANSI
X3.106-1983 Modes of Use
• subsequently now have 5 for DES and AES
• have block and stream modes

40. ELECTRONIC CODEBOOK BOOK (ECB)
• message is broken into independent blocks which are
encrypted
• each block is a value which is substituted, like a
codebook, hence name
• each block is encoded independently of the other
blocks
Ci = DESK1 (Pi)
• uses: secure transmission of single values

41. ELECTRONIC CODEBOOK BOOAK (ECB)

42. ADVANTAGES AND LIMITATIONS OF ECB
• repetitions in message may show in ciphertext
– if aligned with message block
– particularly with data such graphics
– or with messages that change very little, which
become a code-book analysis problem
• weakness due to encrypted message blocks being
independent
• main use is sending a few blocks of data

43. CIPHER BLOCK CHAINING (CBC)
• message is broken into blocks
• but these are linked together in the
encryption operation
• each previous cipher blocks is chained with
current plaintext block, hence name
• use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
• uses: bulk data encryption, authentication

44. CIPHER BLOCK CHAINING (CBC)

45. ADVANTAGES AND LIMITATIONS OF CBC
• each ciphertext block depends on all message blocks
• thus a change in the message affects all ciphertext blocks after
the change as well as the original block
• need Initial Value (IV) known to sender & receiver
– however if IV is sent in the clear, an attacker can change bits
of the first block, and change IV to compensate
– hence either IV must be a fixed value (as in EFTPOS) or it
must be sent encrypted in ECB mode before rest of message
• at end of message, handle possible last short block
– by padding either with known non-data value (eg nulls)
– or pad last block with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes
pad+count

46. CIPHER FEEDBACK (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8 or 64 or
whatever) to be feed back
– denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
• uses: stream data encryption, authentication

47. CIPHER FEEDBACK (CFB)

48. Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block
encryption after every n-bits
• note that the block cipher is used in
encryption mode at both ends
• errors propagate for several blocks after the
error

49. OUTPUT FEEDBACK (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence name)
• feedback is independent of message
• can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
• uses: stream encryption over noisy channels
• Note: the OFB mode description presented in Fig 3.14
on page 96 of Stallings’ text is incorrect. Refer to the
NIST Spl Pubs 800-38A - Fig 4/page 14

50. ADVANTAGES AND LIMITATIONS OF OFB
• used when error feedback a problem or where need to
encryptions before message is available
• superficially similar to CFB
• but feedback is from the output of cipher and is
independent of message
• a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
• sender and receiver must remain in sync, and some
recovery method is needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should
ever be used

51. COUNTER (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than
any feedback value
• must have a different key & counter value for every
plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
• uses: high-speed network encryptions

52. Counter (CTR)

53. ADVANTAGES AND LIMITATIONS OF CTR
• efficiency
– can do parallel encryptions
– in advance of need
– good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter values,
otherwise could break (cf OFB)

54. TRIPLE DES
• clearly a replacement for DES was needed
– theoretical attacks that can break it
– demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple
encryption with DES implementations
• Triple-DES is the chosen form

55. WHY TRIPLE-DES?
• why not Double-DES?
– NOT same as some other single-DES use, but have
• meet-in-the-middle attack
– works whenever use a cipher twice
– since X = EK1[P] = DK2[C]
– attack by encrypting P with all keys and store
– then decrypt C with keys and match X value
– can show takes O(256) steps

56. TRIPLE-DES WITH TWO-KEYS
• hence must use 3 encryptions
– would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
– C = EK1[DK2[EK1[P]]]
– nb encrypt & decrypt equivalent in security
– if K1=K2 then can work with single DES
• standardized in ANSI X9.17 & ISO8732
• no current known practical attacks

57. TRIPLE-DES WITH THREE-KEYS
• although are no practical attacks on two-key Triple-
DES have some indications
• can use Triple-DES with Three-Keys to avoid even
these
– C = EK3[DK2[EK1[P]]]
• has been adopted by some Internet applications, eg
PGP, S/MIME

58. RC4
• a proprietary cipher owned by RSA DSI
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info
processed a byte at a time

59. RC4 SECURITY
• Claimed secure against known attacks
– Have some analyses, none practical
• Result is very non-linear
• Since RC4 is a stream cipher, must never reuse a key
• Have a concern with WEP, but due to key handling
rather than RC4 itself

60. ADVANCED ENCRYPTION STANDARD
• Replacement for DES was needed
– Theoretical attacks that can break it
– Demonstrated exhaustive key search attacks
• Can use Triple DES – but slow, small block size
• NIST issued a call for a new AES in 1997
• 15 candidates accepted in Jun 1998
• 5 candidates were short-listed in Aug 1999
• Rijndael was selected as the AES in Oct 2000
• Published as FIPS PUB 197 standard in Dec 2001

61. AES REQUIREMENTS
• Symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger & faster than triple DES
• Active life of 20-30 years (+ archival use)
• Provide full specification & design details
• Both C & Java implementations
• NIST have released all submissions & unclassified
analyses

62. AES EVALUATION CRITERIA
• Initial criteria:
– Security – effort for practical cryptanalysis
– Cost – in terms of computational efficiency (speed, memory)
– Algorithm & implementation characteristics
• flexibility, algorithm simplicity
• Final criteria
– General security
– Ease of software & hardware implementation
– Restricted-space environments
– Attacks on implementations
• timing attack, power analysis
– Flexibility (in en/decrypt, keying, other factors)

63. AES SHORT-LIST
• After testing and evaluation, short-list in Aug 1999:
– MARS (IBM) - complex, fast, high security margin
– RC6 (USA) - very simple, very fast, low security margin
– Rijndael (Belgium) - clean, fast, good security margin
– Serpent (Euro) - clean, slow, very high security margin
– Twofish (USA) - complex, very fast, high security
margin
• Then subject to further analysis & comment
• Saw contrast between algorithms with
– Few complex rounds vs. many simple rounds
– Refined existing ciphers vs. new proposals

64. THE AES CIPHER - RIJNDAEL
• Designed by Rijmen-Daemen in Belgium
• Block length: 128 bits
• Key length: 128/192/256 bits
• Number of Rounds: 10/12/14 rounds
• An iterated cipher (rather than Feistel cipher)
– Processes data as block of 4 columns of 4 bytes
– Operates on entire data block in every round
• Designed to be:
– Resistance against all known attacks
– Speed and code compactness on a wide range of platforms
– Design simplicity

65. OVERALL AES STRUCTURE
• Data block of 4 columns of 4 bytes is “state”
• Key is expanded to array of words
• Has 9/11/13 rounds in which state undergoes:
– Substitute bytes (1 S-box used on every byte)
– Shift rows (permute bytes between columns)
– Mix columns (substitute using matrix
multiplication of columns)
– Add round key (XOR state with key material)
– View as alternating XOR key & scramble data bytes
• Initial XOR key material & incomplete last round
• With fast XOR & table lookup implementation

66. AES Encryption & Decryption

67. AES DATA STRUCTURES
Plaint
ext
Ciphert
ext

68. AES ENCRYPTION ROUND

69. SUBSTITUTE BYTES (SUBBYTES)
• Simple substitution on each byte of state
independently
• Use an S-box of 16x16 bytes containing a permutation
of all 256 8-bit values
• Each byte of state is replaced by a new byte indexed
by row (left 4-bits) & column (right 4-bits)
– eg. byte {95} is replaced by {2A} in row 9 column 5
• S-box constructed using defined transformation of
values in GF(28)
• Designed to be resistant to all known attacks

70. SUBSTITUTE BYTES

71. SUBSTITUTE BYTES
• GF(28) = 2[x] / (x8+x4+x3+x+1)
SubBytes(a7a6a5a4a3a2a1a0)
1. z ← BinaryToField(a7a6a5a4a3a2a1a0)
2. if z ≠ 0
3. then z ← FieldInv(z)
4. (a7a6a5a4a3a2a1a0) ← FieldToBinary(z)
5. (c7c6c5c4c3c2c1c0) ← (01100011)
6. for i ← 0 to 7
7. do bi ←
(ai+ai+4+ai+5+ai+6+ai+7+ci) mod 2
8. return (b7b6b5b4b3b2b1b0)

72. SUBSTITUTE BYTES
• Example
– Input: a = 0x53 = 01010011 (x6+x4+x3+1)
– Multiplicative inverse a-1 = x7+x6+x3+x (mod
x8+x4+x3+x+1)
– (a7a6a5a4a3a2a1a0) = (11001010)
– (c7c6c5c4c3c2c1c0) = (01100011)
– b0 = a0+a4+a5+a6+a7+c0 mod 2 = 0+0+0+1+1+1
mod 2 = 1
– b1 = a1+a5+a6+a7+a8+c1 mod 2 = 1+0+1+1+0+1
mod 2 = 0
– (b7b6b5b4b3b2b1b0) = (11101101) = 0xED

73. INVERSE SUBBYTES
InvSubBytes(b7b6b5b4b3b2b1b0)
1. (d7d6d5d4d3d2d1d0) ← (00000101)
2. for i ← 0 to 7 do
3. ai ← (bi+2+bi+5+bi+7+di) mod 2
4. z ←
BinaryToField(a7a6a5a4a3a2a1a0)
5. if z ≠ 0 then
6. z ← FieldInv(z)
7. (a7a6a5a4a3a2a1a0) ←
FieldToBinary(z)
8. return (a7a6a5a4a3a2a1a0)

74. SHIFT ROWS
• A circular byte shift in each
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 byte circular shift to left
– 4th row does 3 byte circular shift to left
• Decrypt inverts using shifts to right
• Since state is processed by columns, this step permutes bytes
between the columns

75. MIX COLUMNS
• Each column is processed separately
• Each byte is replaced by a value dependent on all 4 bytes
in the column
• Effectively a matrix multiplication in GF(28) using
irreducible polynomial m(x) = x8 + x4 + x3 + x + 1

76. GF(28)[x] / (x4+1)
• GF(28) = 2[x] / (x8+x4+x3+x+1)
• Let
a(x) = a3x3+a2x2+a1x+a0, ai 2 GF(28)
b(x) = b3x3+b2x2+b1x+b0, bi 2 GF(28)
• Addition
a(x) + b(x) = (a3+b3)x3+(a2+b2)x2+(a1+b1)x+(a0+b0)
• Multiplication
c(x) = a(x)b(x) = c6x6 + c5x5 + c4x4 + c3x3 + c2x2 + c1x1 + c0
c0 = a0b0 c4 = (a3b1 + a2b2 + a1b3)
c1 = (a1b0 + a0b1) c5 = (a3b2 + a2b3)
c2 = (a2b0 + a1b1 + a0b2) c6 = a3b3
c3 = (a3b0 + a2b1 + a1b2 + a0b3)

77. GF(28)[x] / (x4+1)
d(x) = c(x) mod (x4+1)
= c6x6 + c5x5 + c4x4 + c3x3 + c2x2 + c1x1 + c0
= c3x3 + (c2+c6)x2 + (c1+c5)x + (c0+c4)
= d3x3 + d2x2 + d1x + d0
d0 = a0b0 + a3b1 + a2b2 + a1b3
d1 = a1b0 + a0b1 + a3b2 + a2b3
d2 = a2b0 + a1b1 + a0b2 + a3b3
d3 = a3b0 + a2b1 + a1b2 + a0b3
d0 a0 a3 a2 a1 b0 d0 02 03 01 01 b0
d1 a1 a0 a3 a2 b1 d1 01 02 03 01 b1
d2 a2 a1 a0 a3 b2 d2 01 01 02 03 b2
d3 a3 a2 a1 a0 b3 d3 03 01 01 02 b3
=
a(x) = {03}x3+{01}x2+{01}x+{02}
=

78. INVERSE MIXCOLUMNS
b0 0E 0B 0D 09 d0
b1 09 0E 0B 0D d1
b2 0D 09 0E 0B d2
b3 0B 0D 09 0E d3
=
a(x) = {03}x3+{01}x2+{01}x+{02}
a(x)-1 mod (x4+1) = {0B}x3+{0D}x2+{09}x+{0E}

79. ADD ROUND KEY
• XOR state with 128-bits of the round key
• Again processed by column (though effectively a series of byte
operations)
• Inverse for decryption identical
– Since XOR own inverse, with reversed keys
• Designed to be as simple as possible
– A form of Vernam cipher on expanded key
– Complexity of other stages ensures security

80. AES Key Expansion
• Takes 128-bit (16-byte; 4-word) key
and expands into array of 44 32-bit
words
• Start by copying key into first 4 words
• Then loop creating words that
depend on values in previous & 4
places back
– In 3 of 4 cases just XOR these
together
– 1st word in 4 has rotate + S-box +
XOR round constant on previous,
before XOR 4th back

81. AES Key Expansion
KeyExpasion(key)
1. RCon[1] ← 0x01000000
RCon[2] ← 0x02000000
RCon[3] ← 0x04000000
RCon[4] ← 0x08000000
RCon[5] ← 0x10000000
RCon[6] ← 0x20000000
RCon[7] ← 0x40000000
RCon[8] ← 0x80000000
RCon[9] ← 0x01B00000
RCon[10] ← 0x36000000
2. for i ← 0 to 3 do
3. w[i] ← (key[4i],key[4i+1],key[4i+2],key[4i+3])
4. for i ← 4 to 43 do
5. temp ← w[i-1]
6. if i  0 mod 4 then
7. temp ← SubWord(RotWord(temp))© Rcon[i/4]
8. w[i] ← w[i-4]© temp

82. AES KEY EXPANSION
• RotWord(B0,B1,B2,B3) = (B1,B2,B3,B0)
• SubWord(B0,B1,B2,B3) = (B0’,B1’,B2’,B3’), where
Bi’ = SubBytes(Bi), i = 0,1,2,3

83. KEY EXPANSION RATIONALE
• Designed to resist known attacks
• Design criteria included
– Knowing part key insufficient to find many more
– Invertible transformation
– Fast on wide range of CPU’s
– Use round constants to break symmetry
– Diffuse key bits into round keys
– Enough non-linearity to hinder analysis
– Simplicity of description

84. AES DECRYPTION
• AES decryption is not identical to
encryption since steps done in
reverse
• But can define an equivalent
inverse cipher with steps as for
encryption
– But using inverses of each step
– With a different key schedule
• Works since result is unchanged
when
– Swap byte substitution & shift
rows
– Swap mix columns & add
(tweaked) round key

85. IMPLEMENTATION ASPECTS
• Can efficiently implement on 8-bit CPU
– byte substitution works on bytes using a table of 256 entries
– shift rows is simple byte shift
– add round key works on byte XOR’s
– mix columns requires matrix multiply in GF(28) which works on byte
values, can be simplified to use table lookups & byte XOR’s
• Can efficiently implement on 32-bit CPU
– redefine steps to use 32-bit words
– can precompute 4 tables of 256-words
– then each column in each round can be computed using 4 table
lookups + 4 XORs
– at a cost of 4Kb to store tables
• Designers believe this very efficient implementation was a key
factor in its selection as the AES cipher

86. PRIVATE-KEY CRYPTOGRAPHY
• traditional private/secret/single-key cryptography uses
one key
• shared by both sender and receiver
• if this key is disclosed communications are compromised
• also is symmetric, parties are equal
• hence does not protect sender from receiver forging a
message & claiming it’s sent by sender
• probably most significant advance in the 3000 year
history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal

87. PUBLIC-KEY CRYPTOGRAPHY
• uses clever application of number theoretic concepts to
function
• complements rather than replaces private key crypto
• public-key/two-key/asymmetric cryptography involves the
use of two keys:
– a public-key, which may be known by anybody, and can
be used to encrypt messages, and verify signatures
– a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
• is asymmetric because
– those who encrypt messages or verify signatures cannot
decrypt messages or create signatures

88. PUBLIC-KEY CRYPTOGRAPHY

89. WHY PUBLIC-KEY CRYPTOGRAPHY?
• developed to address two key issues:
– key distribution – how to have secure
communications in general without having to trust
a KDC with your key
– digital signatures – how to verify a message
comes intact from the claimed sender
• public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976

90. PUBLIC-KEY CHARACTERISTICS
• Public-Key algorithms rely on two keys with
the characteristics that it is:
– computationally infeasible to find decryption key
knowing only algorithm & encryption key
– computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
– either of the two related keys can be used for
encryption, with the other used for decryption (in
some schemes)

91. PUBLIC-KEY CRYPTOSYSTEMS

92. PUBLIC-KEY APPLICATIONS
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)
• some algorithms are suitable for all uses, others are
specific to one

93. SECURITY OF PUBLIC KEY SCHEMES
• like private key schemes brute force exhaustive
search attack is always theoretically possible
• but keys used are too large (>512bits)
• security relies on a large enough difference in
difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems
• more generally the hard problem is known, its just
made too hard to do in practise
• requires the use of very large numbers
• hence is slow compared to private key schemes

94. RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over
integers modulo a prime
– nb. exponentiation takes O((log n)3) operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
– nb. factorization takes O(e log n log log n) operations (hard)

95. RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random - p, q
• computing their system modulus N=p.q
– note ø(N)=(p-1)(q-1)
• selecting at random the encryption key e
• where 1<e<ø(N), gcd(e,ø(N))=1
• solve following equation to find decryption key d
– e.d=1 mod ø(N) and 0≤d≤N
• publish their public encryption key: KU={e,N}
• keep secret private decryption key: KR={d,p,q}

96. RSA Use
• to encrypt a message M the sender:
– obtains public key of recipient KU={e,N}
– computes: C=Me mod N, where 0≤M<N
• to decrypt the ciphertext C the owner:
– uses their private key KR={d,p,q}
– computes: M=Cd mod N
• note that the message M must be smaller
than the modulus N (block if needed)

97. RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq =17×11=187
3. Compute ø(n)=(p–1)(q-1)=16×10=160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23×7=161= 10×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}

98. RSA EXAMPLE CONT
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption:
C = 887 mod 187 = 11
• decryption:
M = 1123 mod 187 = 88

99. RSA KEY GENERATION
• users of RSA must:
– determine two primes at random - p, q
– select either e or d and compute the other
• primes p,q must not be easily derived from
modulus N=p.q
– means must be sufficiently large
– typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse
algorithm to compute the other

100. SECURITY OF RSA
• How to attack RSA?
– we have public key (n,e)
– compute (n) and get d
• Easier said than done!!
– If we have n and (n)
then we can factor n
– If we have e and d
then we can factor n
Adi Shamir

101. Attacks on RSA
• Various attacks on RSA
– known digits attack
– low exponent attack
– short plaintext attack
– timing attack
– factoring
Len Adleman

102. KNOWN DIGITS ATTACK
• Theorem
n = pq – has m digits
If we know the first
or the last m/4
digits of either p or
q, then we can
efficiently factor n
• Theorem
(n,e) – RSA public key
n has m digits, and
we know the last
m/4 digits of d
We can find d in time
linear in e log e
Conclusion: Need care about the choice of p and q!

103. LOW EXPONENT ATTACK
• Theorem
– p,q – RSA primes, q < p < 2q
– 1 ≤ d, e < (n)
– de = 1 (mod (n))
– If d < ⅓n1/4 , then d can be calculated quickly
• Consequences
– cannot optimize decryption via small exponents
– how to choose good d’s?

104. SHORT PLAINTEXT ATTACK
• Scenario
– DES – symmetric cipher, used in the past
– Two banks exchange DES keys over RSA
– DES key m: 56 bits (m < 256 < 1017)
– RSA encryption
• c = me (mod n)
• m small, but c will have many digits
• Defense:
– do not use short messages!
– pad with random bits
– Optimal Assymetric Encryption Padding

105. SHORT PLAINTEXT ATTACK
• C = ME (MOD N)
M < 256 < 1017
• EVE PREPARES TWO LISTS:
– CX-E (MOD N), 1 ≤ X ≤ 109
– YE (MOD N) 1 ≤ Y ≤ 109
• IF THERE IS A MATCH ON THE LISTS THEN
– C = (XY)E (MOD N)
– THUS: M = XY (MOD N)
• IF M IS A MULTIPLE OF TWO NUMBERS <109 THEN
THIS ATTACK WILL SUCCEED

106. OPTIMAL ASSYMETRIC ENCRYPTION PADDING
• n – k bits
• k0, k1 – two numbers s.t.
k0 + k1 < k
• Message can have
k - k0 - k1 bits
• r – random string of k0
bits
• G: k
0  k-k
0
• H: k-k
0  k
0
• The method
x1 = m0k
1  G(r)
x2 = r  H(x1)
The message is x1x2
Bob decrypts and gets
m0k
1 = x1  G(H(x1)  x2)

107. TIMING ATTACK
• Within RSA computation we do perform
exponentiaiton
– quick exponentiation procedure
– multiplications occur for each bit of the exponent
that is 1
– these multiplications take „random” amounts of
time (variation)
• Very hard in practice!
– Initiated a big discussion

108. EXPONENTIATION ALGORITHM
• Goal: yd (mod n)
– d = b1b2...bw
(in binary left-to-right)
• Algorithm
1. k = 1, s1 = 1
2. if bk = 1 then rk = sky (mod n)
else rk = sk
3. sk+1 = rk
2 (mod n)
4. if k = w, stop
else set k to k+1, goto 2
5. output rw

109. FACTORING AND PRIMALITY TESTING
• Factoring
– Input: n  N
– Output: nontrivial
factor of n
• Primality testing
– Input n  N
– Output:
• the number is
composite
• the number is
probably prime
• Is there a difference?
– Yes! – primality
testing much easier!
– You do not need to
factor the number to
see it is composite

110. MILLER-RABIN TEST
• Generalization of the
Fermat’s test
• Principle
– if p is a prime then
x2 = 1 (mod p)
has only two
solutions:
x = 1 and x = -1
• Why does the principle
hold?
• Gist of the MR test
– find a number b such
that b2 = 1 (mod p)
– If b  {-1,1} then
composite

111. MILLER-RABIN TEST
MR( int n ):
let n-1 = 2km
a  random in {2, 3, ..., n-2 }
b0 = am (mod n)
if b0 = ±1 (mod n) then declare
prime
for j = 1 to k-1 do
bj = bj-1
2 (mod n)
if bj = 1 (mod n) then
declare composite
if bj = -1 (mod n) then
declare prime
declare composite
• What are we doing?
– b0 = am (mod n)
– b1 = a2m (mod n)
– b2 = a4m (mod n)
– ...
– bj = a2jm (mod n)
– ...
– bk-1 = a(n-1)/2 (mod n)

112. MILLER-RABIN TEST: EXAMPLES
• n = 5*7*11 = 385
n -1 = 384 = 27*3
k = 7, m = 3
a = 9
b0 = 93 = 344 (mod 385)
b1 = 93*2 = 141 (mod 385)
b2 = 93*22
= 246 (mod 385)
b3 = 93*23
= 71 (mod 385)
b4 = 93*24
= 36 (mod 385)
b5 = 93*25
= 141 (mod 385)
• n = 3*11*17 = 561
n -1 = 560 = 24*35
k = 4, m = 35
a = 2
b0 = 235 = 263 (mod 561)
b1 = 235*2 = 166 (mod 561)
b2 = 235*22
= 67 (mod 561)
b3 = 235*23
= 1 (mod 561)
Proof of compositeness!

113. MILLER-RABIN TEST: EXAMPLES
• n = 401
n -1 = 400 = 24*25
k = 4, m = 25
a = 3
b0 = 325 = 268 (mod 401)
b1 = 325*2 = 45 (mod 401)
b2 = 325*22
= 20 (mod 401)
b3 = 325*23
= 400 (mod 401)
= -1 (mod 401)
• n = 401
n -1 = 400 = 24*25
k = 4, m = 25
a = 2
b0 = 225 = 356 (mod 401)
b1 = 225*2 = 20 (mod 401)
b2 = 225*22
= 400 (mod 401)
Evidence of primality!

114. MILLER-RABIN TEST
• if b0 = ±1 (mod n)
– all bi’s (i > 0) will be 1
– can’t find nontrivial roots of 1
• i  {1, ..., k-1}
– if bi = 1 (mod n) then
• bi-1 is neither 1 nor -1
• bi-1
2 = 1 (mod n)
• we found a nontrivial root
– if bi = -1 (mod n) then
• bi+1 through bk are all 1 (mod
n)
• can’t find nontrivial roots of 1
• Why this works?
– n-1 = 2km
– b0 = am (mod n)
– b1 = a2m (mod n)
– b2 = a4m (mod n)
– ...
– bj = a2jm (mod n)
– ...
– bk-1 = a(n-1)/2 (mod n)

115. MILLER-RABIN TEST: QUALITY
• MR test is probabilistic
• Answer
– composite – the
number is certainly
composite
– prime – the number
is prime with high
probability
• Errors
– MR(n) says prime but
n is composite
– Pr[error] ≤ ¼
– Repeat the test to
downgrade the prob.
of error

116. OTHER PRIMALITY TESTS
• Solovay-Strassen Test
– similar in nature to
MR
– uses so called Jacobi
symbol
– fast in practice
– probabilistic
• Deterministic test
– Agrawal, Kayal, and
Saxena 2002
– extremely slow
• Tests that prove
primality
– MR tests
compositeness!
– fairly slow
– needed in very few
cases

117. FACTORING
• Huge amount of work
on factoring!
– we look at some
simple algorithms
• Some best algorithms
– quadratic sieve
– elliptic curve
– number field sieve
• Assumption
– Factor an odd integer
– produce one factor
– how to get all of
them?
O(e(1+o(1))sqrt(lnn lnln n))
O(e(1+o(1))sqrt(lnp lnln p))
O(e(1.92+o(1))(lnn)1/3(lnlnn)2/3
)

118. FACTORING
• Factoring
– Input: n  N
– Output: nontrivial
factor of n
• There are about
(n) = n / ln n
primes ≤ n
• Trivial methods
– divide by all numbers
in
{2, ... , n-1}
– or by all primes p
p ≤ sqrt(n)
– These are
exponential!

119. FERMAT’S METHOD
• the principle
– express n as a difference
of squares
– n = x2 - y2
– n = (x-y)(x+y)
• the algorithm
– compute: n + i2
for i  {1,2, ... }
– stop when n + i2 is a
square (i.e., x2 = n+i2)
– then we have n = x2 – i2
• Examples
15 = 42 – 12
= (4-1)(4+1)
= 3*5
21 = 52 – 22
= 25 - 4
= (5-2)(5+2)
= 3*7

120. Fermat’s Method
• The principle
– express n as a difference
of squares
– n = x2 - y2
– n = (x-y)(x+y)
• The algorithm
– Compute: n + i2
for i 2 {1,2, ... }
– Stop when n + i2 is a
square (i.e., x2 = n+i2)
– Then we have n = x2 – i2
• Performance
– depends on
distance
between x and y
– could be very
slow!
• Conclusion for RSA
– p and q should
differ by a large
value

121. POLLARD’S P-1 METHOD
• The method
input: n
choose a > 1 (e.g., a = 2)
choose B
let b = aB! (mod n)
d = gcd( b - 1, n )
d is a factor of n
• Goal of the method
– factor n = pq...
– provided p-1 has only
small prime factors
• Example
n = 7 * 11 = 77
a = 2
B = 4, B! = 2*3*4 = 24
b = 224 = 71 (mod 77)
gcd(b-1, n) = gcd(70,77) = 7

122. Pollard’s p-1 Method
• The method
input: n
choose a > 1 (e.g., a = 2)
choose B
let b = aB! (mod n)
d = gcd( b - 1, n )
d is a factor of n
• Goal of the method
– factor n = pq...
– provided p-1 has only small
prime factors
• Example
n = 7 * 11 = 77
a = 2
B = 2, B! = 2
b = 22 = 4 (mod 77)
gcd(b-1, n) = gcd(3,77) = 1

123. POLLARD’S P-1 METHOD
• The method
input: n
choose a > 1 (e.g., a = 2)
choose B
let b = aB! (mod n)
d = gcd( b - 1, n )
d is a factor of n
• Goal of the method
– factor n = pq...
– provided p-1 has only small
prime factors
• Example
n = 7 * 11 = 77
a = 2
B = 6, B! = 2*3*4*5*6 = 720
b = 2720 = 1 (mod 77)
gcd(b-1, n) = gcd(0,77) = 77

124. POLLARD’S P-1 METHOD
• In symbols:
– b1 = a (mod n)
– b2 = b1
2 (mod n)
– ...
– bi = bi-1
i
– ...
• How to compute aB!
– B! – can be very big
– 5! = 120
– 6! = 720
– 10! = 3628800
– 20! =
2432902008176640000
– n! – about n log2 n bits

125. POLLARD’S P-1 METHOD
• In symbols:
– b1 = a (mod n)
– b2 = b1
2 (mod n)
– ...
– bi = bi-1
i
– ...
• How to compute aB!
–a = 2, B = 4, n = 77
–b1 = 2 (mod 77)
–b2 = 22 = 4 (mod 77)
–b3 = 43 = 64 (mod 77)
–b4 = 644 = 1677721
= 71 (mod 77)

126. POLLARD’S P-1 METHOD
• The method
input: n
choose a > 1 (e.g., a = 2)
choose B
let b = aB! (mod n)
d = gcd( b - 1, n )
d is a factor of n
• Why does it work?
– p – prime factor of n
– suppose:
p-1 has only small
prime factors
– Then likely
p-1 | B!
– Then
B! = k(n-1)
b = (ap-1)k (mod p)
b = 1 (mod p)
p | b - 1

127. POLLARD’S P-1 METHOD
• Potential problems
– n = pq
– both p and q have small
factors
• b = 1 (mod p)
• b = 1 (mod q)
– Method fails
• Choice of B
– too small  method
won’t work
– too big  works slowly
or fails
• Example
n = 7 * 11 = 77
a = 2
B = 2  to small
B = 4  worked
B = 6  to big
7 - 1 = 6 = 2*3
2! – does not contain 3
4! – contains 2 and 3
6! – contains 2,3 and 5 
covers both factors!

128. POLLARD’S P-1 METHOD
• Conclusions for RSA
– n = pq
– p-1 or q-1 has small
prime factors?
• then RSA can be
broken
• How to defend?
– p0  chose a large
prime
– e.g., p0 > 1040
– try numbers of the
form:
• kp0 + 1
• k – needs to be
even!
• k > 1060
• test kp0+1 for
primality

129. FACTORING
• Relation to squares
– n – an integer
– x,y – to integers s.t.
• x2 = y2 (mod n)
• x  y (mod n)
– if such x, y exist
then n is composite
• gcd( x-y, n ) is a
nontrivial factor
• Examples
– 112 = 121 = 1 (mod
12)
– 52 = 25 = 1 (mod 12)
– 11  5 (mod 12)
– gcd(11-5, 12 ) = 6

130. FACTORING
• Relation to squares
– n – an integer
– x,y – to integers s.t.
• x2 ´ y2 (mod n)
• x  y (mod n)
– if such x, y exist
then n is composite
• gcd( x-y, n ) is a
nontrivial factor
• Examples
– 52 = 25 = 7 (mod 9)
– 142 = 196 = 7 (mod
9)
– 14 = 9+5 = 5 (mod 9)
– gcd(14-5, 9 ) = 9

131. QUADRATIC SIEVIE
• Idea
– try to apply the
principle from the
previous slide
– find x,y such that
x2 = y2 (mod n)
x  y (mod n)
x  -y (mod n)
– finding such x, y 
not obvious
– Take “random”
squares
– Reduce modulo n
– Factor (hope for
small factors!)
– Try to build squares
from what you get

132. QUADRATIC SIEVE: EXAMPLE
n = 3837523
93982 = 55  19 (mod n)
190952 = 22  5  11  13  19 (mod n)
19642 = 32  133 (mod n)
170782 = 26  32  11 (mod n)
80772 = 2  19 ( mod n)
33972 = 25  5  132 (mod n)
142622 = 52  72  13 (mod n)
(9398  19095  1964  17078)2 = 28  32  56  112  134  192
= (24  3  53  11  132  19)2 (mod n)
22303872 = 25867052 (mod n)
gcd( 2230387 – 2586705, 3837523) = 1093

133. QUADRATIC SIEVE: EXAMPLE
n = 3837523
93982 = 55  19 (mod n)
190952 = 22  5  11  13  19 (mod n)
19642 = 32  133 (mod n)
170782 = 26  32  11 (mod n)
80772 = 2  19 ( mod n)
33972 = 25  5  132 (mod n)
142622 = 52  72  13 (mod n)
(9398  8077  3397)2 = 26  56  132  192 = (23  53  13  19)2
(mod n)
35905232 = 2470002 (mod n)
BUT: n – 247000 = 3590523  3590523 = -247000 (mod n)

134. HOW TO FIND THE SQUARES?
• What squares to use?
– we want small
prime factors?
– so x2 should be
slightly above n
• Idea: Try integers close to:
– sqrt(i  n) + j
– small j, various i
– (sqrt(i  n) + j)2 ≈ in + 2j
sqrt(in) +j2
– approx: 2j sqrt(in) + j2
(mod n)

135. Questions ?