
symmetric key cryptography


1 symmetric key cryptography

2 Symmetric Encryption
also known as (AKA): classic ciphers, single-key, secret-key encryption
sender and recipient share a common key
was the only type prior to the invention of public-key cryptography in the second half of the 1970s

3 Symmetric Cipher Model
there must be a secure mechanism for the distribution of this key a priori (model figure source: William Stallings)

4 Requirements
two requirements for secure use of symmetric encryption:
a strong encryption algorithm
a secret key known only to sender / receiver
Y = E_K(X), X = D_K(Y)
assume the encryption algorithm is known
Kerckhoffs's Principle: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge
implies a secure channel to distribute the key

5 cryptographic attacks
The language of the plaintext and the nature of the cipher are assumed to be known to the adversary.
Ciphertext-only attack: the adversary knows only a number of ciphertexts.
Known-plaintext attack: the adversary knows some pairs of ciphertext and corresponding plaintext.
Chosen-plaintext attack: the adversary can choose a number of messages and obtain the ciphertexts.
Chosen-ciphertext attack: the adversary can choose a number of ciphertexts and obtain the plaintexts.
* These attacks are also applicable to PKC (public-key cryptography)

6 requirements for a secure cipher
In cryptography, confusion and diffusion are two properties of the operation of a secure cipher [Claude Shannon].
Diffusion means that if we change a character of the plaintext, then several characters of the ciphertext should change, and similarly, if we change a character of the ciphertext, then several characters of the plaintext should change.
Confusion means that the key does not relate in a simple way to the ciphertext. In particular, each character of the ciphertext should depend on several parts of the key.

7 popular primitives
Substitution
Permutation/transposition
exclusive-OR: ⊕

8 first substitution (shift) cipher
Caesar Cipher: E(x) = x + 3 (mod 26)
monoalphabetic cipher
then, how to decrypt? D(y)?
is it secure?

9 affine cipher
another monoalphabetic substitution cipher
for the English alphabet, m is 26 below
E(x) = (ax + b) mod m
D(y) = a^-1 (y - b) mod m
how many keys? 26 letters: 12 values for a (those with an inverse mod 26), 26 values for b
is it secure?
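An added worked example in Python, not part of the slides: the affine cipher with decryption through the modular inverse a^-1, the 312-key count behind the "how many keys?" question, the Caesar cipher as the special case a = 1, b = 3, and an exhaustive key search to answer "is it secure?". Texts and the crib word are constructed for the demonstration; input is assumed to be uppercase letters only.

```python
from math import gcd

M = 26  # alphabet size for English letters; x and y are letter indices A=0 ... Z=25

def valid_multipliers(m=M):
    # E(x) = ax + b is a bijection only when gcd(a, m) == 1: 12 values for m = 26
    return [a for a in range(1, m) if gcd(a, m) == 1]

def key_count(m=M):
    # distinct keys (a, b): 12 * 26 = 312 for the English alphabet
    return len(valid_multipliers(m)) * m

def affine_encrypt(text, a, b, m=M):
    if gcd(a, m) != 1:
        raise ValueError(f"a={a} has no inverse mod {m}; two letters would collide")
    return "".join(chr((a * (ord(c) - 65) + b) % m + 65) for c in text.upper())

def affine_decrypt(text, a, b, m=M):
    a_inv = pow(a, -1, m)  # a^-1 mod m (ValueError if gcd(a, m) != 1)
    return "".join(chr((a_inv * (ord(c) - 65 - b)) % m + 65) for c in text.upper())

def caesar_encrypt(text):
    # the Caesar cipher E(x) = x + 3 is the affine cipher with a = 1, b = 3
    return affine_encrypt(text, 1, 3)

def brute_force(ciphertext, crib):
    # 'is it secure?': 312 keys is small enough to try every one and keep those
    # whose candidate plaintext contains an expected word (the crib)
    return [(a, b) for a in valid_multipliers() for b in range(M)
            if crib in affine_decrypt(ciphertext, a, b)]
```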

10 Monoalphabetic Substitution Cipher
The key space: all permutations of Σ = {A, B, C, …, Z}
Encryption given a key π: each letter X in the plaintext P is replaced with π(X)
Decryption given a key π: each letter Y in the ciphertext C is replaced with π^-1(Y)
Example:
plain alphabet:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
cipher alphabet: B A D C Z H W Y G O Q X S V T R N M L K J I P F E U   (= π)
BECAUSE → AZDBJSZ
is it secure?

11 frequency analysis
Frequency analysis is based on the fact that, in any given stretch of written language, certain letters and combinations of letters occur with varying frequencies.

12 more hints for guessing
Most common English bigrams (frequency in 1000 words)

13 Vigenère Cipher
polyalphabetic (polygraphic) substitution
[A=0, B=1, …, Z=25], Z_n = {0, 1, …, n-1}, P = C = (Z_26)*
Definition: given m (key length) and a key K = (k1, k2, …, km),
Encryption: e_K(p1, p2, …, pm) = (p1+k1, p2+k2, …, pm+km) (mod 26)
Decryption: d_K(c1, c2, …, cm) = (c1-k1, c2-k2, …, cm-km) (mod 26)
Example:
Plaintext:  C R Y P T O G R A P H Y
Key:        L U C K L U C K L U C K
Ciphertext: N L A Z E I I B L J J I

14 Vigenère Cipher
Can an attacker figure out the key length m?
If the attacker finds the key length, then what happens?
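An added example in Python, not from the slides, for the two Vigenère slides above: encryption and decryption of the slide's own CRYPTOGRAPHY / LUCK example, the split of a ciphertext into m columns that shows what happens once the key length is known (each column is a plain shift cipher), and the index of coincidence that an analyst uses to test candidate key lengths. The 0.066 / 0.038 reference values are the usual figures for English and for random letters.

```python
def _nums(text):
    # letters only, A=0 ... Z=25 (the slide's encoding)
    return [ord(c) - 65 for c in text.upper() if c.isalpha()]

def _text(nums):
    return "".join(chr(n % 26 + 65) for n in nums)

def vigenere_encrypt(plaintext, key):
    # e_K(p_1, ..., p_m) = (p_1 + k_1, ..., p_m + k_m) mod 26, key repeated over the text
    p, k = _nums(plaintext), _nums(key)
    return _text(pi + k[i % len(k)] for i, pi in enumerate(p))

def vigenere_decrypt(ciphertext, key):
    c, k = _nums(ciphertext), _nums(key)
    return _text(ci - k[i % len(k)] for i, ci in enumerate(c))

def columns(text, m):
    # column j collects every letter that was encrypted with key letter k_j
    return [text[j::m] for j in range(m)]

def index_of_coincidence(text):
    # probability that two letters drawn from the text are equal:
    # about 0.066 for English text, about 0.038 for uniformly random letters
    n = len(text)
    if n < 2:
        return 0.0
    counts = [text.count(chr(65 + i)) for i in range(26)]
    return sum(f * (f - 1) for f in counts) / (n * (n - 1))

def mean_column_ioc(ciphertext, m):
    # the analyst's key-length test: at the true m every column is a single
    # Caesar shift of the plaintext and keeps its high IoC; at a wrong m the
    # shifts mix and the IoC drops toward the random value
    return sum(index_of_coincidence(c) for c in columns(ciphertext, m)) / m

SLIDE_PLAINTEXT, SLIDE_KEY = "CRYPTOGRAPHY", "LUCK"  # the example on the slide
```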

15 Hill Cipher
polygraphic substitution cipher based on linear algebra
C1 = 9*p1 + 18*p2 + 10*p3 (mod 26)
C2 = 16*p1 + 21*p2 + 1*p3 (mod 26)
C3 = 5*p1 + 12*p2 + 23*p3 (mod 26)
i.e. (C1, C2, C3)^T = K (p1, p2, p3)^T (mod 26), with K the 3x3 matrix of the coefficients above
how to decrypt?

16 Hill cipher: A key is a matrix
    k11 k12 k13
K = k21 k22 k23
    k31 k32 k33
Generalize to any size: larger blocks
matrix multiplication can provide diffusion
Matrix must be invertible (mod 26)
is it secure? it is vulnerable to a known-plaintext attack
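An added example in Python, not from the slides, using the slide's own 3x3 key: Hill encryption as a matrix product, the answer to "how to decrypt?" (the inverse matrix mod 26, computed from the determinant and the adjugate), the check that rejects a non-invertible matrix, and the known-plaintext attack the slide warns about, which recovers K from three independent plaintext/ciphertext blocks. The test strings are constructed; input is assumed to be uppercase letters in a multiple of three.

```python
M = 26
KEY = [[9, 18, 10], [16, 21, 1], [5, 12, 23]]  # the 3x3 key matrix from the slide

def mat_mul(a, b):
    # matrix product mod 26
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) % M
             for j in range(len(b[0]))] for i in range(len(a))]

def det3(k):
    return (k[0][0] * (k[1][1] * k[2][2] - k[1][2] * k[2][1])
            - k[0][1] * (k[1][0] * k[2][2] - k[1][2] * k[2][0])
            + k[0][2] * (k[1][0] * k[2][1] - k[1][1] * k[2][0]))

def inverse3(k):
    # K^-1 = det(K)^-1 * adj(K) mod 26; pow() raises ValueError when
    # gcd(det, 26) != 1, i.e. the matrix is not a usable Hill key
    d_inv = pow(det3(k) % M, -1, M)
    cof = [[k[(i + 1) % 3][(j + 1) % 3] * k[(i + 2) % 3][(j + 2) % 3]
            - k[(i + 1) % 3][(j + 2) % 3] * k[(i + 2) % 3][(j + 1) % 3]
            for j in range(3)] for i in range(3)]
    return [[d_inv * cof[j][i] % M for j in range(3)] for i in range(3)]  # adj = cof^T

def _as_matrix(text):
    # each 3-letter block (A=0 ... Z=25) becomes one column, as on the slide
    if len(text) % 3:
        raise ValueError("text length must be a multiple of 3; pad before encrypting")
    nums = [ord(c) - 65 for c in text.upper()]
    return [[nums[j + i] for j in range(0, len(nums), 3)] for i in range(3)]

def _as_text(mat):
    return "".join(chr(mat[i][j] + 65) for j in range(len(mat[0])) for i in range(3))

def hill_encrypt(plaintext, key=KEY):
    # (C1, C2, C3)^T = K (p1, p2, p3)^T mod 26 for every block
    return _as_text(mat_mul(key, _as_matrix(plaintext)))

def hill_decrypt(ciphertext, key=KEY):
    # 'how to decrypt?': multiply by the inverse matrix
    return _as_text(mat_mul(inverse3(key), _as_matrix(ciphertext)))

def recover_key(plaintext, ciphertext):
    # the known-plaintext attack the slide warns about: three linearly independent
    # plaintext blocks give C = K P, hence K = C P^-1 mod 26
    return mat_mul(_as_matrix(ciphertext[:9]), inverse3(_as_matrix(plaintext[:9])))
```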

17 transposition cipher
aka permutation cipher
columnar cipher

18 XOR (⊕) in cryptography
Sender wants to send M to receiver
M (original plaintext): 1010
K (key): 0011
M ⊕ K = 1001 (encrypted ciphertext); 1001 is transmitted
Receiver already knows K: (M ⊕ K) ⊕ K = 1001 ⊕ 0011 = 1010 = M -> original message is restored!

19 one time pad (OTP)
The one-time pad, a provably secure cryptosystem, was introduced by Gilbert Vernam in 1918; aka Vernam cipher.
The message is represented as a binary string (a sequence of 0's and 1's using a coding mechanism such as ASCII coding).
The key is a truly random sequence of 0's and 1's of the same length as the message.
The encryption is done by adding the key to the message modulo 2, bit by bit. This process is often called exclusive or, XOR (⊕).

20 OTP: Example
message = 'IF', then its ASCII code = (1001001 1000110)
key = ( )
Encryption: plaintext ⊕ key = ciphertext
Decryption: ciphertext ⊕ key = plaintext

21 OTP problems
Key should be as long as the plaintext
Key should not be reused
Key distribution & management are difficult

22 Two types of symmetric ciphers
Stream cipher: encrypts one bit at a time, mimicking the OTP, e.g. RC4
Block cipher: encrypts a block of bits at a time, e.g. DES, AES

23 stream cipher
Generalization of the one-time pad
Stream cipher is initialized with a key
Key is "stretched" into a long keystream
Keystream ⊕ plaintext = ciphertext
Stream cipher is a keystream generator
(diagram: on each side a keystream generator fed with the key produces K_i; the sender computes C_i = P_i ⊕ K_i and the receiver recovers P_i = C_i ⊕ K_i)

24 stream cipher: LFSR
linear feedback shift register (LFSR) with stages S0 S1 S2
s_{t+3} = s_{t+1} + s_t (mod 2)
Initial fill determines the sequence of states
Generates a periodic sequence
Maximal period 2^3 - 1 = 7
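An added example in Python, not from the slides, that runs the slide's register s_{t+3} = s_{t+1} + s_t and generalizes it to any tap set: keystream generation, the period reached from a given fill, and the check that every non-zero fill of this register has the maximal period 7 while a poorly chosen feedback (s_{t+3} = s_t, a constructed contrast) does not. The all-zero fill is the failure mode every LFSR shares: it never leaves zero.

```python
from itertools import product

def lfsr_step(state, taps):
    # one clock of an n-stage LFSR: output s_t, shift left, and feed back
    # s_{t+n} = sum of s_{t+i} over i in taps (mod 2)
    feedback = sum(state[i] for i in taps) % 2
    return state[0], state[1:] + [feedback]

def keystream(fill, taps, length):
    # `length` keystream bits starting from the initial fill (s_0, ..., s_{n-1})
    state, out = list(fill), []
    for _ in range(length):
        bit, state = lfsr_step(state, taps)
        out.append(bit)
    return out

def period(fill, taps):
    # clocks until the register returns to its initial fill; None if it never does
    # (happens when stage 0 is not tapped, so the state map is not a bijection)
    start = list(fill)
    state = start
    for count in range(1, 2 ** len(start) + 1):
        _, state = lfsr_step(state, taps)
        if state == start:
            return count
    return None

def all_periods(n, taps):
    # periods reached from every non-zero fill (taps must include stage 0);
    # a maximal-period LFSR gives exactly [2^n - 1]
    return sorted({period(f, taps) for f in product((0, 1), repeat=n) if any(f)})

SLIDE_TAPS = (0, 1)  # s_{t+3} = s_{t+1} + s_t on the slide
```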

25 revisit confusion and diffusion
confusion refers to making the relationship between the ciphertext and the symmetric key as complex and involved as possible;
diffusion refers to dissipating the statistical structure of the plaintext over the bulk of the ciphertext.
This complexity is generally implemented through a series of substitutions and permutations.
The simplest way to achieve both diffusion and confusion is to use a substitution-permutation network.

26 advanced encryption standard (AES)
based on the Rijndael cipher
data block viewed as a 4-by-4 table of bytes; such a table is called the current state
3 key lengths (128/192/256); a 128-bit key is assumed here
key is expanded to an array of words; each word is 128 bit long
has 10 rounds in which the state goes through the following transformations (called 'layers'):
SubBytes: byte substitution (1 S-box used on every byte)
ShiftRows: shift rows (permute bytes between groups/columns)
MixColumns: mix columns (uses matrix multiplication in GF(256))
AddRoundKey: add round key (XOR state with round key)
First and last round are a little bit different

27 AES: 50,000 feet view

28 AES: SubBytes (S-box)
a simple substitution of each byte
a byte = two nibbles
S-box has 16x16 entries: all possible 8-bit values
each byte of the state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)

29 AES: ShiftRows
a circular byte shift in each row (permutation)
1st row is unchanged
2nd row does a 1-byte circular shift to the left
3rd row does a 2-byte circular shift to the left
4th row does a 3-byte circular shift to the left

30 AES: MixColumns
each column is processed separately
each byte is replaced by a value dependent on all 4 bytes in the column
effectively a matrix multiplication (cf. the Hill cipher)

31 AES: AddRoundKey
XOR the state with 128 bits of the round key

32 Modes of Operation
message is typically longer than the block size
DES and AES have multiple modes of operation depending on how consecutive blocks are processed
five modes: ECB, CBC, CFB, OFB, CTR

33 Electronic CodeBook (ECB)
message is broken into independent blocks which are encrypted
each block is a value which is substituted, like a codebook, hence the name
each block is encoded independently of the other blocks
C_i = E_K(P_i)
uses: secure transmission of single values

34 Electronic Codebook Mode (ECB)
64-bit (8-byte) blocks in DES
(diagram: each P_i goes through E_k to give C_i, and each C_i through D_k to give back P_i, with no link between neighbouring blocks)
Ciphertext = (C0 C1 ... Cn)

35 Advantages and Limitations of ECB
repetitions in the message may show in the ciphertext if aligned with message blocks
particularly with data such as graphics, or with messages that change very little, which become a codebook analysis problem
the weakness is due to encrypted message blocks being independent
ECB mode is susceptible to substitution attacks
main use is sending a few blocks of data
ECB is not appropriate for any quantity of data, since repetitions can be seen, esp. with graphics, and because the blocks can be shuffled/inserted without affecting the en/decryption of each block.

36 Cipher Block Chaining (CBC)
Two identical plain messages produce two different cipher messages. This prevents a chosen-plaintext attack.

37 Cipher Block Chaining (CBC)
message is broken into blocks, but these are linked together in the encryption operation
each previous ciphertext block is chained with the current plaintext block, hence the name
use an Initialization Vector (IV) to start the process
C_i = E_K(P_i ⊕ C_{i-1}), C_{-1} = IV
uses: bulk data encryption, authentication
To overcome the problems of repetitions and order independence in ECB, we want some way of making the ciphertext dependent on all blocks before it. This is what CBC gives us, by combining the previous ciphertext block with the current message block before encrypting. To start the process, use an Initial Value (IV), which is usually well known (often all 0's), or otherwise is sent, ECB encrypted, just before starting CBC use. CBC mode is applicable whenever large amounts of data need to be sent securely, provided that it is available in advance (e.g. , FTP, web etc.)

38 Cipher Block Chaining Mode (CBC)
Encryption: C0 = E_k(P0 ⊕ IV), C_i = E_k(P_i ⊕ C_{i-1})
Decryption: P0 = IV ⊕ D_k(C0), P_i = C_{i-1} ⊕ D_k(C_i)
Ciphertext = (IV C0 C1 ... Cn)

39 CBC – Error Propagation
1-bit error in the plaintext feed: will affect that block and all subsequent blocks; decryption will correct all but the flipped bit
1-bit error in the ciphertext feed: will affect two blocks
CBC mode is self recovering

40 CBC – Initialization Vector (IV)
If the IV is the same, every encryption of the same plaintext is the same.
With the IV being a random number, the same plaintext will encrypt to all different ciphertexts.
The IV can be public, but should satisfy two requirements; otherwise, some attacks are possible.
two requirements for IV usage:
no IV is reused under the same key
IV change should be unpredictable

41 Advantages and Limitations of CBC
each ciphertext block depends on all previous blocks
encrypting a block requires the encryption of all the previous blocks to have finished
no parallelism in encryption; parallelism in decryption
CBC is the generally used block mode. The chaining provides an avalanche effect, which means the encrypted message cannot be changed or rearranged without totally destroying the subsequent data. One issue is how to handle the last block, which may well not be complete. In general one has to pad this block (typically with 0's), and then must recognise the padding at the other end; it may be obvious (e.g. in text the 0 value should usually not occur), or otherwise the last byte must explicitly hold a count of how much padding was used (including the count). Note that if this is done, and the last block IS an even multiple of 8 bytes, an extra block, all padding, will have to be added so as to have a count in the last byte.
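An added example in Python, not from the slides, for the ECB and CBC slides above: a 4-round Feistel network built on SHA-256 stands in for E_k / D_k so the modes can be run offline (it is a constructed toy, not a real cipher), with ECB and CBC implemented exactly as the slide formulas state them. With four identical plaintext blocks, `repeated_blocks` exposes the ECB codebook leak and its absence under CBC; flipping one bit of CBC block i and decrypting corrupts exactly blocks i and i+1, as the error-propagation slide says. Key and IV values are constructed.

```python
import hashlib
BLOCK, HALF = 16, 8  # block size in bytes and the Feistel half-block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # keyed round function, truncated to a half-block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def toy_encrypt_block(key, block):
    # stand-in for E_k: a 4-round Feistel network (invertible, but NOT a real cipher)
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r

def toy_decrypt_block(key, block):
    # D_k: undo the rounds in reverse order
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("example assumes block-aligned input; pad first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # ECB: C_i = E_k(P_i); equal plaintext blocks give equal ciphertext blocks
    return b"".join(toy_encrypt_block(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    # CBC: C_i = E_k(P_i xor C_{i-1}) with C_{-1} = IV
    out, prev = [], iv
    for p in blocks(pt):
        prev = toy_encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    # CBC: P_i = D_k(C_i) xor C_{i-1}; a damaged C_i spoils only P_i and P_{i+1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ct):
    # ciphertext blocks that duplicate an earlier one: the ECB pattern leak
    return len(blocks(ct)) - len(set(blocks(ct)))
```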

42 Cipher FeedBack (CFB)
message is treated as a stream of bits
can be a stream cipher
added to the output of the block cipher
result is fed back for the next stage (hence the name)
standard allows any number of bits (1, 8 or 64 or whatever) to be fed back, denoted CFB-1, CFB-8, CFB-64 etc.
is most efficient to use all 64 bits (CFB-64)
C_i = P_i ⊕ E_K(C_{i-1}), C_{-1} = IV
If the data is only available a bit/byte at a time (e.g. terminal session, sensor value etc.), then one must use some other approach to encrypting it, so as not to delay the info. The idea here is to use the block cipher essentially as a pseudo-random number generator (see the stream cipher lecture later) and to combine these "random" bits with the message. Note, as mentioned before, XOR is an easily inverted operator (just XOR with the same thing again to undo). Again start with an IV to get things going, then use the ciphertext as the next input. As originally defined, the idea was to "consume" as much of the "random" output as needed for each message unit (bit/byte) before "bumping" bits out of the buffer and re-encrypting. This is wasteful though, and slows the encryption down as more encryptions are needed. An alternate way to think of it is to generate a block of "random" bits, consume them as message bits/bytes arrive, and when they're used up, only then feed a full block of ciphertext back. This is CFB-64 mode, the most efficient. This is the usual choice for quantities of stream-oriented data, and for authentication use.

43 Cipher Feedback Mode (CFB)
Encryption: C0 = P0 ⊕ E_k(IV), C_i = P_i ⊕ E_k(C_{i-1})
Decryption: P0 = E_k(IV) ⊕ C0, P_i = C_i ⊕ E_k(C_{i-1})
Ciphertext = (IV C0 C1 ... Cn)

44 CFB – Initialization Vector
CFB must use an IV
same requirements as CBC

45 CFB – Error Propagation
CFB mode is self recovering
one bit error in the ciphertext corrupts some number of blocks; CFB-8 -> 8 bytes are garbled
Bit errors in the incoming cipher block (i.e. a byte) will cause bit errors at the same bit positions in the first plaintext block. This cipher block will then be fed to the shift register and cause bit errors in the plaintext for as long as the erroneous bits stay in the shift register. Hence, for 8-bit CFB, the following 8 bytes will be garbled. After that, the system recovers, and all following bytes are decrypted correctly.

46 Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes: stream cipher
most common stream mode
encryption is not parallelizable; the keystream cannot be generated in advance
decryption is parallelizable
note that the block cipher is used in encryption mode at both ends
CFB is the usual stream mode, as long as it can keep up with the input, doing an encryption every 8 bytes. A possible problem is that if it is used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks (since the current block feeds as input to create the random bits for the next). So either it must be used over a reliable network transport layer (pretty usual) or one must use OFB.

47 output feedback mode (OFB)
can be a stream cipher
IV is used as a seed to generate an OTP (keystream)
actual encryption/decryption is only XOR: fast
no dependency between blocks: parallel encryption/decryption

48 Output Feedback Mode (OFB)
Note: the plaintext is never passed through the block cipher. The IV and its successive encryptions act as a one-time pad generator.
Encryption: C0 = P0 ⊕ E_k(IV), C_i = P_i ⊕ E_k(S_{i-1})
Decryption: P0 = E_k(IV) ⊕ C0, P_i = C_i ⊕ E_k(S_{i-1})
(S_i = E_k(S_{i-1}) is the i-th block-cipher output, with S_{-1} = IV)

49 OFB: advantages and limitations
no error propagation: a 1-bit error in the ciphertext affects only one bit in the plaintext
a (key)stream can be generated in advance
fast due to parallelism
if an attacker knows plaintext and ciphertext, he can modify the plaintext (no integrity protection)

50 counter mode (CTR)
can be a stream cipher
IV is called a counter
highly parallelizable: no linkage between blocks, very fast
counter should not be repeated for the same key
can decrypt from any arbitrary position, unlike OFB
attacker can get the ⊕ of two plaintext blocks by taking the ⊕ of two ciphertext blocks (when the counter is repeated), like OFB
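An added example in Python, not from the slides, serving both the one-time pad slides (XOR encryption, the key-length requirement, "key should not be reused") and the OFB/CTR remarks just above: it shows what a reused pad or keystream leaks (the XOR of the two plaintexts, and the whole second plaintext once the first is known) and why a stream mode on its own gives no integrity (a flipped ciphertext bit flips the same plaintext bit), which is what a MAC adds. Messages and keys are constructed; the slide's own key bits are not used.

```python
import secrets

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("the key (or keystream) must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_key(length):
    # a fresh, truly random key; the pad is only secure if each key is used once
    return secrets.token_bytes(length)

def otp_encrypt(key, message):
    return xor_bytes(key, message)

def otp_decrypt(key, ciphertext):
    return xor_bytes(key, ciphertext)  # (M xor K) xor K = M

def bits(data):
    # bytes as 8-bit groups, the representation used on the 'IF' slide
    return " ".join(f"{b:08b}" for b in data)

def reuse_leak(ct1, ct2):
    # two messages under the same pad (or the same OFB/CTR keystream, i.e. a
    # repeated IV or counter under one key): C1 xor C2 = P1 xor P2, the key cancels
    return xor_bytes(ct1, ct2)

def recover_other_plaintext(ct1, ct2, known_p1):
    # with one plaintext known, the reuse leak hands over the other one
    return xor_bytes(reuse_leak(ct1, ct2), known_p1)

def flip_plaintext(ciphertext, position, old, new):
    # XOR gives no integrity: without the key, XOR-ing (old xor new) into the
    # ciphertext makes it decrypt with `old` replaced by `new`. This is the
    # reason a stream mode needs a MAC alongside it (slide 52).
    edited = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[position + i] ^= o ^ n
    return bytes(edited)
```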

51 counter (CTR) mode

52 other usage of modes of operation: message authentication code (MAC)
CBC can be used to check message integrity

