
UNIT II PUBLIC KEY CRYPTOGRAPHY

SIMPLIFIED DES
Encryption takes an 8-bit block of plaintext and a 10-bit key and produces an 8-bit block of
ciphertext.
Decryption takes the 8-bit block of ciphertext and the same 10-bit key and produces the
original 8-bit block of plaintext.
The encryption algorithm involves five functions:
 IP – an initial permutation
 fk – a complex function, which involves both permutation and substitution
operations and depends on a key input
 SW – a simple permutation that swaps the two halves of the data
 fk – the same complex function again, this time with the second subkey
 IP-1 – the inverse of the initial permutation

Block diagram of S-DES


Ciphertext = IP-1(fK2(SW(fK1(IP(Plaintext)))))
Plaintext = IP-1(fK1(SW(fK2(IP(Ciphertext)))))

S-DES Key Generation:

Generate two 8-bit subkeys from the original 10-bit key


 The key is first subjected to a permutation (P10).
 Divide the output of P10 into two 5-bit halves and perform a circular left shift of one bit
position (LS-1) on each half; the result then passes through a permutation function (P8)
that produces an 8-bit output, the first subkey (K1).
 The output of the LS-1 operation is given as input to another shift (LS-2, a circular left
shift by 2 bits on each half) and another instance of P8 to produce the second subkey (K2).

K1 = P8(Shift(P10(key)))
K2 = P8(Shift(Shift(P10(key))))

Each table lists, from left to right, the input bit position (numbered from 1) that supplies
each output bit:

P10
3 5 2 7 4 10 1 9 8 6

P8
6 3 7 4 8 5 10 9

P4
2 4 3 1

IP
2 6 3 1 4 8 5 7

IP-1
4 1 3 5 7 2 8 6

E/P
4 1 2 3 2 3 4 1

For each 4-bit S-box input, the first and fourth bits are treated as a 2-bit number that specifies a
row of the S-box, and the second and third bits specify a column.

Example

Plaintext – 10111101

Key – 1010000010

Key Generation
1) Applying P10 on the key, we get: 1000001100
2) Applying a circular left shift by 1 bit on each 5-bit half, we get: 00001 11000
3) Applying P8, we get K1: 10100100
4) Applying a circular left shift by 2 bits on each half: 00100 00011
5) Applying P8, we get K2: 01000011

Steps for S-DES encryption


1) Initial permutation on the plaintext: IP(plaintext) = 0111 1110
2) Now apply fK1 on 0111 1110 (left half 0111, right half 1110):
i) Apply E/P on the right half 1110: 0111 1101
ii) XOR with K1: 1101 1001
iii) Pass 1101 to the S0 box: 11
iv) Pass 1001 to the S1 box: 10
v) Combining both S-box results: 1110
vi) Applying P4 on it: 1011
vii) XOR the left half with it: 0111 ⊕ 1011 = 1100; the right half is unchanged
Now we have an intermediate output: 1100 1110
3) Applying SW: 1110 1100
4) Apply fK2 on 1110 1100 (left half 1110, right half 1100):
i) Apply E/P on the right half 1100: 0110 1001
ii) XOR with K2: 0010 1010
iii) Pass 0010 to the S0 box: 00
iv) Pass 1010 to the S1 box: 00
v) Combining both S-box results: 0000
vi) Applying P4 on it: 0000
vii) XOR the left half with it: 1110 ⊕ 0000 = 1110; the right half is unchanged
Now we have at the end: 1110 1100
5) Apply IP-1 on it, and we get 0111 0101, which is our ciphertext.
Ciphertext = 0111 0101
Applying the inverse sequence IP-1(fK1(SW(fK2(IP(ciphertext))))) to this ciphertext gives back
the plaintext.

DES - DATA ENCRYPTION STANDARD
DES is also called the Data Encryption Algorithm. This algorithm was proposed by the National
Institute of Standards and Technology (NIST) in 1977.
DES working principle:
DES is a block cipher.
DES takes a 64-bit block of plaintext and produces a 64-bit block of ciphertext.
The key is 56 bits long.
DES has 16 rounds.
The same algorithm is used for encryption and decryption.
DES is based on substitution and transposition.
The processing of the algorithm proceeds in 3 phases:
Phase 1 - Permutation phase, which rearranges the bits to produce the permuted input (IP).
Phase 2 - This phase has 16 rounds. Each round has permutation and substitution steps.
Phase 3 - The output of phase 2 is passed through a permutation which is the inverse of the initial
permutation. The final output is the 64-bit ciphertext.

General depiction of DES encryption algorithm


Single Round of DES
1. Key transformation
2. Expansion permutation
3. S-box substitution
4. Permutation
5. XOR and swap

Single round of a DES algorithm

1. Key transformation
The 56-bit key is divided into two 28-bit halves. Each half is circularly shifted one or two
positions, depending on the round.
After the appropriate shifts, 48 of the 56 bits are selected as the key for that round.
2. Expansion permutation
In this step the 32-bit right half of the plaintext is expanded to 48 bits.
The 48-bit round key is XORed with the 48-bit expanded right half, and the result is given to
the next step.
3. S-box substitution
S-box substitution is a process that accepts the 48-bit output of the XOR operation and
produces a 32-bit output.
4. Permutation
The output of the S-boxes consists of 32 bits. These 32 bits are permuted using the P-box.
5. XOR and swap
All the above operations are performed only on the 32-bit right half.
Now the left half is XORed with the P-box output.
The result of the XOR operation becomes the new right half. The old right half becomes
the new left half.
Inverse initial permutation
At the end of the 16 rounds a simple transposition, the inverse of the initial permutation, is
performed.
DES decryption
It uses the same algorithm as encryption, except that the round keys are used in reverse order.

Avalanche Effect
A small change in either the plaintext or the key should produce a significant change in the
ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should
produce a change in many bits of the ciphertext. This is referred to as the avalanche effect.
DES exhibits a strong avalanche effect.

Strength of DES
1) The use of a 56-bit key
As the key length is 56 bits, a brute-force attack has 2^56 possible keys to try. Hence, it
is impractical.
2) The nature of the DES algorithm
A cryptanalytic attack has to exploit the characteristics of the DES algorithm, in particular
the substitution boxes (S-boxes) it uses. The algorithm for the design of the S-boxes was known
to the public. If this algorithm is known, a cryptanalytic attack might be possible, but until now
no such attack has been found.
3) Timing attack
A timing attack is one in which information about the key or the plaintext is obtained by
observing how long it takes a given implementation to perform decryptions on various
ciphertexts. A timing attack exploits the fact that an encryption or decryption algorithm often
takes slightly different amounts of time on different inputs. One reported approach yields the
Hamming weight (number of bits equal to one) of the secret key, which is a long way from
knowing the actual key.
The authors conclude that DES appears to be fairly resistant to a successful timing attack.

BLOCK CIPHER DESIGN PRINCIPLES


The cryptographic strength of a Feistel cipher derives from three aspects of the design:
1) The number of rounds,
2) The function F, and
3) The key schedule algorithm.

1) Number of Rounds
As the number of rounds increases, the difficulty of performing cryptanalysis also increases, even
when F is weak. The number of rounds is to be chosen so that the effort of known cryptanalytic
attacks is greater than the effort of a brute-force attack.
2) Design of Function F
Criteria needed for F:
 It must be difficult to unscramble the substitution done by F.
 The function should satisfy the strict avalanche criterion.
 The function should satisfy the bit independence criterion: output bits j and k should
change independently when any single input bit i is inverted, for all i, j, and k.
 The S-box should have a guaranteed avalanche effect.
3) Key Schedule Algorithm
The key generation algorithm is used to generate one subkey for each round. The subkeys
should be different for each round, and it should be difficult to deduce the subkeys and trace
back to the main key.

BLOCK CIPHER MODES OF OPERATION
To apply a block cipher in a variety of applications, NIST has defined a set of "modes of
operation"; five of them are described below.
A mode of operation is a technique for enhancing the effect of a cryptographic algorithm
or adapting the algorithm for an application, such as applying a block cipher to a sequence of
data blocks or a data stream.

(i) Electronic Code Book (ECB)


The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled one
block at a time and each block of plaintext is encrypted using the same key.

Encryption: CN = E(K, PN), N = 1, …, n
Decryption: PN = D(K, CN), N = 1, …, n
Advantages
 The ECB method is ideal for a short amount of data, such as an encryption key.
Disadvantages
 If the same b-bit block of plaintext appears more than once in the message, ECB
always produces the same ciphertext block for it.
 For lengthy messages, the ECB mode may not be secure.

(ii) Cipher Block Chaining Mode (CBC)
To overcome the drawback of ECB, a technique is needed in which the same plaintext block, if
repeated, produces different ciphertext blocks. In this scheme, the input to the encryption
algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same
key is used for each block.

where IV is the initialization vector (known only to the communicating parties), which takes the
place of the "preceding ciphertext block" for the first block.
The input to the encryption function for each plaintext block bears no fixed relationship to the
plaintext block. Therefore, repeating patterns of bits are not exposed. For decryption, each
ciphertext block is passed through the decryption algorithm. The result is XORed with the
preceding ciphertext block to produce the plaintext block.
Encryption: Cj = E(K, [Cj-1 ⊕ Pj])
Decryption: D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj])) = Cj-1 ⊕ Pj, and therefore Pj = Cj-1 ⊕ D(K, Cj)
Advantages :
 An appropriate mode for encrypting messages of length greater than b bits.
 In addition to its use to achieve confidentiality, the CBC mode can be used for
authentication.

(iii) Cipher Feedback Mode


The input to the encryption function is a b-bit shift register that is initially set to some
initialization vector (IV). The leftmost (most significant) s bits of the output of the encryption
function are XORed with the first s-bit segment of plaintext P1 to produce the first unit of
ciphertext C1. The contents of the shift register are then shifted left by s bits and C1 is placed
in the rightmost s bits. This process continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertext unit is XORed
with the output of the encryption function to produce the plaintext unit.
Encryption function
Let Ss(X) be defined as the most significant s bits of X. Then
C1 = P1 ⊕ Ss[E(K, IV)]
and therefore
P1 = C1 ⊕ Ss[E(K, IV)]

(iv) Output feedback mode
The output feedback (OFB) mode is similar in structure to CFB. In OFB, the output of the
encryption function is fed back to the shift register, whereas in CFB the ciphertext
unit is fed back to the shift register.

Advantage
One advantage of the OFB method is that bit errors in transmission do not propagate.
Disadvantage
The disadvantage of OFB is that it is more vulnerable to a message stream modification
attack than is CFB.

(v) Counter Mode – (CTR)
Here, a counter equal to the plaintext block size is used. The counter value must be
different for each plaintext block. The counter is initialized to some value and then incremented
by 1 for each subsequent block. For encryption, the counter is encrypted and then XORed with
the plaintext block to produce the ciphertext block; there is no chaining.
For decryption, the same sequence of counter values is used, with each encrypted counter
XORed with a ciphertext block to recover the corresponding plaintext block.

Advantages
Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR
mode can be done in parallel on multiple blocks of plaintext or ciphertext.
Software efficiency: Similarly, because of the opportunities for parallel execution in CTR
mode, processors that support parallel features can be utilized.
Preprocessing: The execution of the underlying encryption algorithm does not depend on
the plaintext or ciphertext input, so the encrypted counters can be computed in advance.
Random access: The i-th block of plaintext or ciphertext can be processed in random-access
fashion.
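The five modes described above (ECB, CBC, CFB, OFB and CTR), as an added Python example that is not part of the original notes. Because no DES implementation is available in the standard library, the block cipher E/D here is a constructed 8-byte toy Feistel cipher that stands in for DES; the key, IV and repeated-block message are likewise constructed for the demo, so ECB's repeated-block leakage and the different error propagation of CFB and OFB can be observed directly.

```python
import hashlib

BLOCK = 8  # block size in bytes of the toy cipher (constructed stand-in for DES)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(k, half, i):
    # keyed round function F for the Feistel network; any PRF will do here
    return hashlib.sha256(k + bytes([i]) + half).digest()[:4]


def E(k, block):
    """Toy 4-round Feistel cipher: (L, R) -> (R, L xor F(R)). Invertible for any F."""
    L, R = block[:4], block[4:]
    for i in range(4):
        L, R = R, xor(L, _round_fn(k, R, i))
    return L + R


def D(k, block):
    L, R = block[:4], block[4:]
    for i in reversed(range(4)):
        L, R = xor(R, _round_fn(k, L, i)), L
    return L + R


def blocks(data):
    assert len(data) % BLOCK == 0, "demo assumes input already padded to 8 bytes"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(k, pt):
    return b"".join(E(k, p) for p in blocks(pt))          # C_N = E(K, P_N)


def cbc_encrypt(k, iv, pt):
    out, prev = [], iv                                      # C_0 = IV
    for p in blocks(pt):
        prev = E(k, xor(prev, p))                           # C_j = E(K, C_{j-1} xor P_j)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(k, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(prev, D(k, c)))                      # P_j = C_{j-1} xor D(K, C_j)
        prev = c
    return b"".join(out)


def cfb(k, iv, data, decrypt=False):
    """Full-block CFB (s = b): the previous ciphertext block is the register input."""
    out, reg = [], iv
    for x in blocks(data):
        y = xor(x, E(k, reg))
        out.append(y)
        reg = x if decrypt else y    # the ciphertext block is always what is fed back
    return b"".join(out)


def ofb(k, iv, data):
    """OFB: the encryption output itself is fed back; one function serves both ways."""
    out, reg = [], iv
    for x in blocks(data):
        reg = E(k, reg)
        out.append(xor(x, reg))
    return b"".join(out)


def ctr(k, nonce, data):
    """CTR: block i uses E(K, nonce + i); no chaining, so blocks are independent."""
    return b"".join(xor(x, E(k, (nonce + i).to_bytes(BLOCK, "big")))
                    for i, x in enumerate(blocks(data)))


def corrupted_blocks_after_bit_error(mode, k, iv, pt):
    """Flip one bit of the first ciphertext block; return indexes of damaged plaintext blocks."""
    enc = (lambda d: cfb(k, iv, d)) if mode == "cfb" else (lambda d: ofb(k, iv, d))
    dec = (lambda d: cfb(k, iv, d, decrypt=True)) if mode == "cfb" else enc
    ct = bytearray(enc(pt))
    ct[0] ^= 0x01
    rec = dec(bytes(ct))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(rec))) if a != b]
```

With three identical plaintext blocks, ECB yields three identical ciphertext blocks while CBC yields three different ones; a single flipped ciphertext bit damages only block 0 under OFB but blocks 0 and 1 under CFB, which is the error-propagation difference the text describes.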

ADVANCED ENCRYPTION STANDARD (AES)


The Advanced Encryption Standard (AES) was published by the National Institute of
Standards and Technology (NIST) in 2001. AES is a symmetric block cipher that is intended
to replace DES as the approved standard for a wide range of applications.

The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be
16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128, AES-192,
or AES-256, depending on the key length.

The cipher consists of N rounds, where the number of rounds depends on the key length:
10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key. The
first N - 1 rounds consist of four distinct transformation functions:
 SubBytes,
 ShiftRows,
 MixColumns, and
 AddRoundKey

The final round contains only three transformations, and there is an initial single transformation
(AddRoundKey) before the first round, which can be considered Round 0. Each transformation
takes one or more 4x4 matrices as input and produces a 4x4 matrix as output. Also, the key
expansion function generates N + 1 round keys, each of which is a distinct 4x4 matrix. Each
round key serves as one of the inputs to the AddRoundKey transformation in each round.

Detailed Structure
1. AES is not a Feistel structure. In a Feistel structure, half of the data block is used to modify
the other half of the data block and then the halves are swapped. AES instead processes the
entire data block as a single matrix during each round using substitutions and permutation.
2. The key is expanded into an array of forty-four 32-bit words (for AES-128, the case described
in the following points).
3. Four different stages are used:
• Substitute bytes
• ShiftRows
• MixColumns
• AddRoundKey
4. The structure is simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each include all four stages, followed by
a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and
ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is
reversible without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. Alternating it with the other three stages, which scramble the bits without using
the key, gives a scheme that is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Bytes, ShiftRows, and MixColumns stages,
an inverse function is used in the decryption algorithm.
8. The decryption algorithm uses the expanded key in reverse order.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption
does recover the plaintext. However, the decryption algorithm is not identical to the encryption
algorithm, since it uses the expanded key in reverse order. At each horizontal point (e.g., the
dashed line in the figure), State is the same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages.

Substitute Bytes Transformation


The forward substitute byte transformation, called SubBytes, is defined by a 16x16
matrix of byte values called an S-box. Each individual byte of State is mapped into a new
byte. The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used
as a column value. These row and column values serve as indexes into the S-box to select a
unique 8-bit output value. For example, the hexadecimal value {95} references row 9, column
5 of the S-box, which contains the value {2A}.

ShiftRows Transformation
The forward shift row transformation, called ShiftRows, leaves the first row of State
unaltered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-
byte circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed.
The following is an example of ShiftRows.
The inverse shift row transformation, called InvShiftRows, performs the circular shifts
in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the
second row, and so on.

MixColumns Transformation
The forward mix column transformation, called MixColumns, operates on each column
individually. Each byte of a column is mapped into a new value that is a function of all four
bytes in that column. The transformation can be defined by the following matrix

The following is an example for MixColumns.

Multiplication of a value by x (i.e., by {02}) can be implemented as a 1-bit left shift
followed by a conditional bitwise XOR with (0001 1011) if the leftmost bit of the original value
(prior to the shift) is 1. Thus, to verify the MixColumns transformation on the first column, we
need to show that

AddRoundKey Transformation
In the forward add round key transformation, called AddRoundKey, the 128 bits of
State are bitwise XORed with the 128 bits of the round key.

Key Expansion Algorithm
The input to this algorithm is a 4-word (16-byte) key. The output is 44 words. The key is copied
into the first 4 words of the expanded key. The remainder of the expanded key is filled in four
words at a time. Each added word w(i) depends on the immediately preceding word w(i-1) and the
word four positions back, w(i-4).
KeyExpansion(byte key[16], word w[44])
{
    word temp;
    /* the first four words are simply the key itself */
    for (i = 0; i < 4; i++)
        w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
    /* every further word is w[i-4] XOR a function of w[i-1] */
    for (i = 4; i < 44; i++)
    {
        temp = w[i-1];
        if (i mod 4 == 0)   /* first word of each round key gets the extra transform */
            /* RotWord: 1-byte circular left shift; SubWord: S-box on each byte;
               Rcon[j]: round constant (x^(j-1), 0, 0, 0) */
            temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4];
        w[i] = w[i-4] ⊕ temp;
    }
}
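The byte-level operations described above, as an added Python example that is not part of the original notes: the {02} multiplication rule and MixColumns, SubBytes through the S-box (generated here from its definition rather than copied as a 256-entry table, so the {95} to {2A} lookup in the text can be checked), and the KeyExpansion loop just given for AES-128. The MixColumns matrix and the S-box affine map are the standard FIPS-197 definitions, which the notes refer to but do not print.

```python
def xtime(a):
    """Multiply by x (i.e. by {02}): 1-bit left shift, then XOR 0x1b if the top bit was set."""
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a


def gf_mul(a, b):
    """General GF(2^8) multiplication, built from repeated xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inverse(a):
    # brute-force search; acceptable for a one-time 256-entry table build
    return 0 if a == 0 else next(y for y in range(1, 256) if gf_mul(a, y) == 1)


def _affine(b):
    # FIPS-197 S-box affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


SBOX = [_affine(gf_inverse(x)) for x in range(256)]   # SBOX[0x95] is 0x2A, as in the text


def sub_bytes(state):
    """SubBytes: every byte of the 4x4 State (state[row][column]) goes through the S-box."""
    return [[SBOX[v] for v in row] for row in state]


# MixColumns matrix and its inverse (standard FIPS-197 values, not printed in the notes)
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col, matrix=MIX):
    """One 4-byte column: each output byte is a function of all four input bytes."""
    return [gf_mul(matrix[r][0], col[0]) ^ gf_mul(matrix[r][1], col[1])
            ^ gf_mul(matrix[r][2], col[2]) ^ gf_mul(matrix[r][3], col[3])
            for r in range(4)]


def mix_columns(state, matrix=MIX):
    """Apply mix_column to each column of a state indexed state[row][column]."""
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def rot_word(w):
    return w[1:] + w[:1]                  # 1-byte circular left shift


def sub_word(w):
    return [SBOX[b] for b in w]           # S-box applied to each byte


def key_expansion(key):
    """AES-128 KeyExpansion as in the notes: 16-byte key -> 44 four-byte words."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01                           # Rcon[1]; each later Rcon is xtime of the previous
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = sub_word(rot_word(temp))
            temp = [temp[0] ^ rcon] + temp[1:]   # XOR with Rcon[i/4] = (rc, 0, 0, 0)
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w
```

Feeding the FIPS-197 Appendix A key 2b7e1516 28aed2a6 abf71588 09cf4f3c to `key_expansion` gives w[4] = a0fafe17 and w[43] = b6630ca6, matching the standard's worked expansion.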

DOUBLE DES
The simplest form of multiple encryption has two encryption stages and two keys. Given a
plaintext P and two encryption keys K1 and K2, the ciphertext C is generated as
C = E(K2, E(K1, P))

Drawback
 Meet-in-the-middle attack
Given a known pair (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible
values of K1. Store the results X = E(K1, P) in a table and then sort the table by the values of X.
Next, decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the
result against the table for a match. If a match occurs, then test the two resulting keys against
a new known plaintext-ciphertext pair. If the two keys produce the correct ciphertext, accept
them as the correct keys.
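The attack just described, as an added Python demonstration that is not part of the notes and that shows why double encryption does not double the effective key length: against a constructed 16-bit toy block cipher (not DES) with 16-bit keys, the two tables need about 2 x 2^16 cipher calls instead of the 2^32 key pairs a naive search would try. The toy cipher, keys and plaintexts are all constructed for the demo.

```python
KEY_BITS = 16                      # toy key size; real double DES has two 56-bit keys
BLOCK_MASK = 0xffff                # toy block size is also 16 bits


def _rotl(v, n):
    return ((v << n) | (v >> (16 - n))) & BLOCK_MASK


def _rotr(v, n):
    return ((v >> n) | (v << (16 - n))) & BLOCK_MASK


def toy_encrypt(k, p):
    """Constructed 16-bit block cipher: invertible and key-dependent, nothing more."""
    for r in range(4):
        p = (_rotl(p ^ k, 5) + k + r) & BLOCK_MASK
    return p


def toy_decrypt(k, c):
    for r in reversed(range(4)):
        c = _rotr((c - k - r) & BLOCK_MASK, 5) ^ k
    return c


def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))             # C = E(K2, E(K1, P))


def double_decrypt(k1, k2, c):
    return toy_decrypt(k1, toy_decrypt(k2, c))


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs with about 2 * 2^KEY_BITS cipher calls.

    The first pair builds the table X = E(K1, P) and drives the matching; the
    remaining pairs weed out the false matches that a 16-bit block inevitably
    produces (the "test against a new known pair" step in the text).
    """
    (p, c), *extra = pairs
    table = {}
    for k1 in range(1 << KEY_BITS):                          # forward half: X = E(K1, P)
        table.setdefault(toy_encrypt(k1, p), []).append(k1)
    for k2 in range(1 << KEY_BITS):                          # backward half: D(K2, C)
        x = toy_decrypt(k2, c)
        for k1 in table.get(x, ()):                          # candidates meet in the middle
            if all(double_encrypt(k1, k2, p2) == c2 for p2, c2 in extra):
                return k1, k2
    return None
```

On a 16-bit block almost every K2 finds some K1 whose middle value collides, so the extra known pairs are what make the recovered key pair trustworthy, exactly as the text's final step requires.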

TRIPLE DES
To overcome the meet-in-the-middle attack, three stages of encryption with different keys
are used. This is called triple DES.
Tuchman proposed a triple encryption method that uses only two keys. The function
follows an encrypt-decrypt-encrypt sequence:

C = E(K1, D(K2, E(K1, P)))

There is no cryptographic significance to the use of decryption for the second stage. Its
only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older
single DES, by setting K2 = K1:

C = E(K1, D(K1, E(K1, P))) = E(K1, P)

3DES with two keys is a relatively popular alternative to DES and has been adopted for
use in key management standards.

RC5
RC5 is a family of ciphers, written RC5-w/r/b:
– w = word size in bits (16/32/64); the data block is 2w bits
– r = number of rounds (0..255)
– b = number of bytes in the key (0..255)
• The nominal version is RC5-32/12/16
– i.e. 32-bit words, so it encrypts 64-bit data blocks
– using 12 rounds
– with a 16-byte (128-bit) secret key

PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEMS

An asymmetric algorithm uses one key for encryption and another key for decryption. The
essential steps for public key cryptography are:
 Each user generates a pair of keys to be used for encryption and decryption.
 Each user places one of the two keys in a public register. This is the public key. The
companion key is kept private.
 If Bob wishes to send a confidential message to Alice, Bob encrypts the message using
Alice's public key.
 When Alice receives the message, she decrypts it using her private key. No other
recipient can decrypt the message because only Alice knows Alice's private key.

Public-Key Cryptosystem: Secrecy

A source A produces a message in plaintext, X = [X1, X2, ..., XM]. The message is intended
for destination B. B generates a related pair of keys: a public key, PUb, and a private key, PRb.
PRb is known only to B, whereas PUb is publicly available and therefore accessible by A.
Encryption
Y = E(PUb, X)
Decryption
X = D(PRb, Y)

The above scheme provides confidentiality.

Public-Key Cryptosystem: Authentication


In this case, A prepares a message to B and encrypts it using A's private key before
transmitting it. B can decrypt the message using A's public key. Because the message was
encrypted using A's private key, only A could have prepared the message. Therefore, the entire
encrypted message serves as a digital signature. In addition, it is impossible to alter the message
without access to A's private key, so the message is authenticated both in terms of source and in
terms of data integrity.
But this encryption process does not provide confidentiality. The message being sent is
safe from alteration but not from eavesdropping: any observer can decrypt the message by using
the sender's public key.

Public-Key Cryptosystem: Authentication and Secrecy

It is possible to provide both the authentication function and confidentiality by a double use of
the public-key scheme:
Z = E(PUb, E(PRa, X))
X = D(PUa, D(PRb, Z))
First, encrypt a message using the sender's private key. This provides the digital signature.
Next, encrypt again using the receiver's public key. The final ciphertext can be decrypted only
by the intended receiver, who alone has the matching private key. Thus, confidentiality is
provided. The disadvantage of this approach is its complexity.

KEY MANAGEMENT
There are two distinct aspects to the use of public-key cryptography:
I) The distribution of public keys
II) The use of public-key encryption to distribute secret keys
I) Distribution of Public Keys
There are four different schemes
i. Public announcement
ii. Publicly available directory
iii. Public-key authority
iv. Public-key certificates

(i) Public announcement


Any participant can send his or her public key to any other participant or broadcast the key to
the community.

Limitation
Anyone can forge such a public announcement. That is, some user could pretend to be user A
and send a public key to another participant or broadcast such a public key. Authentication is
needed to avoid this problem.

(ii) Publicly Available Directory


A greater degree of security can be achieved by maintaining a publicly available dynamic
directory of public keys. Maintenance and distribution of the public directory would have to be
the responsibility of some trusted entity or organization.
• The authority maintains a directory with a {name, public key} entry for each participant.
• Each participant registers a public key with the directory authority.
• Participants could also access the directory electronically.
• A participant may replace the existing key with a new one at any time, to avoid attacks
on that key.
• Periodically, the authority publishes the entire directory or updates to the directory to
all participants, in the form of a telephone index.

Advantage
More secure than individual public announcement.

Limitation
Problem arises if the opponent captures the private key of the directory authority.

(iii) Public-key authority


Stronger security for public-key distribution can be achieved by providing tighter control over
the distribution of public keys from the directory. The central authority maintains all public
keys of participants in its dynamic directory. Each participant knows the public key of the
authority, but the private key of the authority is kept secret.

1. A sends a timestamped request to the public-key authority for the public key of B.

2. The authority replies with a message that is encrypted using the authority's private
key, PRauth. A knows the public key of the authority and can therefore decrypt the
message. The message includes the following:
• B's public key, PUb
• The request already sent by A (for verification)
• The timestamp Time1 already sent by A (so that A can check the reply is not an old message)
3. A stores B's public key and sends a message to B encrypted using B's
public key. This message consists of
• A's identity, (IDA)
• A nonce (N1), which is used to identify this transaction uniquely.
4. B retrieves A's public key from the authority in the same manner as A retrieved B's
public key.
5. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as
a new nonce generated by B (N2).
6. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Advantage
More secure and attractive than the previous two.
Limitations
• Each and every time, the user must appeal to the authority for a public key for every
other user that it wishes to contact.
• The directory of names and public keys maintained by the authority is vulnerable to
tampering.
(iv) Public key certificate
It uses certificates that can be used by participants to exchange keys without contacting a public
key authority for every transaction.

Each certificate contains a public key and other information, created by a certificate authority.
Each participant conveys its key information to its correspondent by transmitting its
certificate. The other participant can verify that the certificate was created by the authority.

The requirements of the scheme are


1. Any participant can read a certificate to determine name and public key of the certificate
owner.
2. Any participant can verify that the certificate originated from certificate authority.
3. Only the certificate authority can create and update the certificates.
4. Any participant can verify the currency of the certificate.

II) Public-key encryption to distribute secret keys
(i) Simple secret key distribution
(ii) Secret key distribution with confidentiality and authentication
(i) Simple secret key distribution

Steps used for communication between A and B are

1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B
consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, encrypts it using A's public key and transmits it to A.
3. A computes D(PRa, E(PUa, Ks)) to recover Ks. Now both A and B know Ks.
Once communication is over, both A and B discard Ks.
Problem: this scheme is vulnerable to a man-in-the-middle attack. It can be rectified by adding
authentication.

(ii) Secret Key Distribution with Confidentiality and Authentication

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and
a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as
a new nonce generated by B (N2).
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this
message with B's public key ensures that only B can read it; encryption with A's private
key ensures that only A could have sent it.
5. B then computes D(PUa, D(PRb, M)) to recover the secret key.
