1. 5.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 5 Introduction to Modern Symmetric-key Ciphers

2. 5.2 Figure 5.1 A modern block cipher 5.1 Continued

3. 5.3 5.1 Continued Example 5.1 How many padding bits must be added to a message of 100 characters if 8-bit ASCII is used for encoding and the block cipher accepts blocks of 64 bits? Encoding 100 characters using 8-bit ASCII results in an 800- bit message. The plaintext must be divisible by 64. If | M | and |Pad| are the length of the message and the length of the padding, Solution

4. 5.4 A modern block cipher can be designed to act as a substitution cipher or a transposition cipher. 5.1.1 Substitution or Transposition To be resistant to exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher. Note

5. 5.5 Example 5.2 5.1.1 Continued Suppose that we have a block cipher where n = 64. If there are 10 1’s in the ciphertext, how many trial-and-error tests does Eve need to do to recover the plaintext from the intercepted ciphertext in each of the following cases? a. The cipher is designed as a substitution cipher. a. The cipher is designed as a substitution cipher. b. The cipher is designed as a transposition cipher. b. The cipher is designed as a transposition cipher. a.In the first case, Eve has no idea how many 1’s are in the plaintext. Eve needs to try all possible 2 64 64-bit blocks to find one that makes sense. Solution If Eve could try 1 billion blocks per second, it would still take hundreds of years, on average.

6. 5.6 Example 5.2 5.1.1 ContinuedSolution b.In the second case, Eve knows that there are exactly 10 1’s in the plaintext. Eve can launch an exhaustive-search attack using only those 64-bit blocks that have exactly 10 1’s. There are only (64!) / [(10!) (54!)] = 151,473,214,816 Eve can test all of them in less than 3 minutes.

7. 5.7 Figure 5.2 A transposition block cipher modeled as a permutation 5.1.2 Continued

8. 5.8 Full-Size Key Substitution Block Ciphers A full-size key substitution cipher does not transpose bits; it substitutes bits. We can model the substitution cipher as a permutation if we can decode the input and encode the output. 5.1.2 Continued Example 5.4 Show the model and the set of permutation tables for a 3-bit block substitution cipher. Figure 5.3 shows the model and the set of permutation tables. The key is also much longer,  log 2 40,320  = 16 bits. Solution

9. 5.9 Figure 5.3 A substitution block cipher model as a permutation 5.1.2 Continued

10. 5.10 5.1.2 Continued A full-size key n-bit transposition cipher or a substitution block cipher can be modeled as a permutation, but their key sizes are different: Note  Transposition: the key is  log 2 n! bits long.  Substitution: the key is  log 2 (2 n )!  bits long. A partial-key cipher is a group under the composition operation if it is a subgroup of the corresponding full-size key cipher. Note

11. 6.11 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 6 Data Encryption Standard (DES)

12. 6.12 6-1 INTRODUCTION The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).

13. 6.13 DES is a block cipher, as shown in Figure 6.1. 6.1.2 Overview Figure 6.1 Encryption and decryption with DES

14. 6.14 6-2 DES STRUCTURE The encryption process is made of two permutations (P-boxes), which we call initial and final permutations, and sixteen Feistel rounds.

15. 6.15 6-2 Continue Figure 6.2 General structure of DES

16. 6.16 6.2.1 Initial and Final Permutations Figure 6.3 Initial and final permutation steps in DES

17. 6.17 6.2.1 Continue Table 6.1 Initial and final permutation tables

18. 6.18 Example 6.1 6.2.1 Continued Find the output of the initial permutation box when the input is given in hexadecimal as: Only bit 25 and bit 63 are 1s; the other bits are 0s. In the final permutation, bit 25 becomes bit 64 and bit 63 becomes bit 15. The result is Solution

19. 6.19 Example 6.2 6.2.1 Continued Prove that the initial and final permutations are the inverse of each other by finding the output of the final permutation if the input is The input has only two 1s; the output must also have only two 1s. Using Table 6.1, we can find the output related to these two bits. Bit 15 in the input becomes bit 63 in the output. Bit 64 in the input becomes bit 25 in the output. So the output has only two 1s, bit 25 and bit 63. The result in hexadecimal is Solution

20. 6.20 6.2.1 Continued The initial and final permutations are straight P-boxes that are inverses of each other. They have no cryptography significance in DES. Note

21. 6.21 DES uses 16 rounds. Each round of DES is a Feistel cipher. 6.2.2 Rounds Figure 6.4 A round in DES (encryption site)

22. 6.22 The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output. 6.2.2 Continued DES Function Figure 6.5 DES function

23. 6.23 Expansion P-box Since R I−1 is a 32-bit input and K I is a 48-bit key, we first need to expand R I−1 to 48 bits. 6.2.2 Continue Figure 6.6 Expansion permutation

24. 6.24 Although the relationship between the input and output can be defined mathematically, DES uses Table 6.2 to define this P-box. 6.2.2 Continue Table 6.6 Expansion P-box table

25. 6.25 Whitener (XOR) After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48-bits in length. Also note that the round key is used only in this operation. 6.2.2 Continue

26. 6.26 S-Boxes The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. See Figure 6.7. 6.2.2 Continue Figure 6.7 S-boxes

27. 6.27 6.2.2 Continue Figure 6.8 S-box rule

28. 6.28 Table 6.3 shows the permutation for S-box 1. For the rest of the boxes see the textbook. 6.2.2 Continue Table 6.3 S-box 1

29. 6.29 Example 6.3 6.2.2 Continued The input to S-box 1 is 100011. What is the output? If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1, in Table 6.3 (S-box 1). The result is 12 in decimal, which in binary is 1100. So the input 100011 yields the output 1100. Solution

30. 6.30 Example 6.4 6.2.2 Continued The input to S-box 8 is 000000. What is the output? If we write the first and the sixth bits together, we get 00 in binary, which is 0 in decimal. The remaining bits are 0000 in binary, which is 0 in decimal. We look for the value in row 0, column 0, in Table 6.10 (S-box 8). The result is 13 in decimal, which is 1101 in binary. So the input 000000 yields the output 1101. Solution

31. 6.31 Straight Permutation 6.2.2 Continue Table 6.11 Straight permutation table

32. 6.32 6.2.3 Continued Figure 6.9 DES cipher and reverse cipher for the first approach

33. 7.33 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 7 Advanced Encryption Standard (AES)

34. 7.34 7-1 INTRODUCTION The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) in December 2001.

35. 7.35 7.1.3 Rounds. AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds. AES has defined three versions, with 10, 12, and 14 rounds. Each version uses a different cipher key size (128, 192, or 256), but the round keys are always 128 bits. Note

36. 7.36 7.1.3 Continue Figure 7.1 General design of AES encryption cipher

37. 7.37 7.1.4 Data Units. Figure 7.2 Data units used in AES

38. 7.38 7.1.4 Continue Figure 7.3 Block-to-state and state-to-block transformation

39. 7.39 7.1.4 Continue Example 7.1 Figure 7.4 Changing plaintext to state Continue

40. 7.40 7.1.5 Structure of Each Round Figure 7.5 Structure of each round at the encryption site

41. 7.41 7-2 TRANSFORMATIONS To provide security, AES uses four types of transformations: substitution, permutation, mixing, and key-adding.

42. 7.42 7.4.1 Original Design Figure 7.17 Ciphers and inverse ciphers of the original design

43. 10.43 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 10 Asymmetric-Key Cryptography

44. 10.44 10-1 INTRODUCTION Symmetric and asymmetric-key cryptography will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other.

45. 10.45 10-1 INTRODUCTION Symmetric and asymmetric-key cryptography will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other. Symmetric-key cryptography is based on sharing secrecy; asymmetric-key cryptography is based on personal secrecy. Note

46. 10.46 Asymmetric key cryptography uses two separate keys: one private and one public. 10.1.1 Keys Figure 10.1 Locking and unlocking in asymmetric-key cryptosystem

47. 10.47 10.1.2 General Idea Figure 10.2 General idea of asymmetric-key cryptosystem

48. 10.48 Plaintext/Ciphertext Unlike in symmetric-key cryptography, plaintext and ciphertext are treated as integers in asymmetric-key cryptography. 10.1.2 Continued C = f (K public, P) P = g(K private, C) Encryption/Decryption

49. 10.49 There is a very important fact that is sometimes misunderstood: The advent of asymmetric-key cryptography does not eliminate the need for symmetric-key cryptography. 10.1.3 Need for Both

50. 10.50 The main idea behind asymmetric-key cryptography is the concept of the trapdoor one- way function. 10.1.4 Trapdoor One-Way Function Functions Figure 10.3 A function as rule mapping a domain to a range

51. 10.51 Trapdoor One-Way Function (TOWF) 10.1.4 Continued One-Way Function (OWF) 1. f is easy to compute. 2. f −1 is difficult to compute. 3. Given y and a trapdoor, x can be computed easily.

52. 10.52 10.1.4 Continued Example 10. 1 Example 10. 2 When n is large, n = p × q is a one-way function. Given p and q, it is always easy to calculate n ; given n, it is very difficult to compute p and q. This is the factorization problem. When n is large, the function y = xk mod n is a trapdoor one-way function. Given x, k, and n, it is easy to calculate y. Given y, k, and n, it is very difficult to calculate x. This is the discrete logarithm problem. However, if we know the trapdoor, k′ such that k × k ′ = 1 mod  (n), we can use x = yk′ mod n to find x.