
CSS 2025 Module 2

The document provides an overview of cryptographic algorithms, focusing on symmetric and asymmetric key encryption methods, including their advantages and drawbacks. It describes various components of modern block ciphers, such as S-boxes, P-boxes, and the processes of diffusion and confusion, while also detailing the DES and AES encryption standards. Additionally, it explains the concept of product ciphers and the use of Triple DES as a temporary solution before the adoption of AES.

Uploaded by

kanyakatariya9

Tasneem Mirza

Cryptographic algorithms

Two classes: symmetric key (shared secret key) and asymmetric key (public key).

Symmetric key
The same key is used for encryption and decryption. Hence the key is called the shared secret key.
Drawbacks of symmetric key:
◦ The key must remain secret at both ends.
◦ In large networks, there are many key pairs to be managed.
◦ Sound cryptographic practice dictates that the key be changed frequently.
◦ The shared secret key must be transmitted through an insecure transmission channel.

Asymmetric key encryption
• Uses 2 keys: a public key and a private key.
• Public key: known to all.
• Private key: known only to the receiver.
• Every communicating entity creates 2 keys, public and private.
• Every communicating entity distributes its public key to every other entity and keeps its private key to itself.
• If Alice wants to send a message to Bob, Alice encrypts the message with Bob's public key, and when Bob receives the message, he decrypts it with his own private key.

• Stream ciphers
◦ Encrypt one bit/character at a time
• Block ciphers
◦ Break the plaintext message into equal-size blocks
◦ Encrypt each block as a unit

Stream cipher
• Converts one symbol of plaintext into a symbol of ciphertext, i.e. encrypts data symbol by symbol.
• Call the plaintext stream P, the ciphertext stream C, and the key stream K.
• The keystream may be a stream of predetermined values, may be created by an algorithm, or can be a single value.
Note: Monoalphabetic cipher
K = {k, k, k, ...}

Block cipher
• Encrypts a group of plaintext symbols to produce a group of ciphertext symbols of the same size.
• A single key is used to encrypt the block even if the key is made up of multiple values.
• With the advent of computers, what we need is bit-oriented protocols.
• This is because the information to be encrypted is not just text but can be numbers, graphics, audio and video data.

• Components used by a modern block cipher:

1. D-box / P-box (diffusion box / permutation box)
• Parallels the transposition cipher for characters.
• It transposes bits.
• 3 types of D-boxes:
a) Straight D-box
A box with m inputs and n outputs where m = n.
b) Compression D-box
A box with m inputs and n outputs where m > n. Some of the inputs are blocked and do not reach the output.
E.g. a 32 x 24 compression D-box
c) Expansion D-box
A box with m inputs and n outputs where m < n.
E.g. a 12 x 16 expansion D-box

2. Substitution box (S-box)
• The input to an S-box is a stream of bits with length N; the result is another stream of bits with length M.
• M and N need not be the same.
• Used in the intermediate stage in the process of encryption and decryption.
• The function that matches input to output is defined by a table.
• E.g. a 3 x 2 S-box
• Based on the table, an input of 010 yields the output 01.
• An input of 101 yields the output 00.
E.g. a 6 x 4 S-box
The first and the last bits select the row. The middle 4 bits select the column.
The input to S-box 8 is 000000. What is the output?
Output: 1110
The input to S-box 1 is 100011. What is the output?
Output: 1100
• An S-box may or may not be invertible. In an invertible S-box, the number of input bits should be the same as the number of output bits.
• For example, if the input to the left box is 001, the output is 101. The input 101 in the right table creates the output 001, which shows that the two tables are inverses of each other.

3. XOR
An important component in most block ciphers is the exclusive-or operation.

4. Rotation
Another component found in some modern block ciphers is the circular shift operation.

1. Diffusion
• Hides the relationship between the ciphertext and the plaintext.
• This will frustrate the interceptor who uses the ciphertext to find the plaintext.
• It implies that each symbol (character/bit) in the ciphertext is dependent on some or all symbols in the plaintext.
OR
If a symbol in the plaintext is changed, several or all symbols in the ciphertext will also be changed.
In a cipher with good diffusion, the output should depend on the input symbols in a very complex way.

2. Confusion
• Hides the relationship between the ciphertext and the key.
• This will frustrate the interceptor who tries to use the ciphertext to find the key.
• If a single bit in the key is changed, most or all bits in the ciphertext will also change.

Product Ciphers
• A product cipher is a complex cipher combining substitution, permutation and other simple ciphers.
• Iterated product ciphers are used to achieve diffusion and confusion.
• Each iteration is referred to as a round.
• A key generator creates different keys for each round from the cipher key.
• In an N-round cipher, the plaintext is encrypted N times to create the ciphertext and the ciphertext is decrypted N times to create the plaintext.

E.g. a 2-round product cipher
3 transformations happen at each round:
a) The 8-bit text is mixed with the key to whiten the text (hide the bits using the key), i.e. XOR the 8-bit word with the 8-bit key.
b) The outputs of the whitener are organized into 2-bit groups and fed into 4 S-boxes. The values of the bits are changed based on the structure of the S-box.
c) The outputs of the S-boxes are passed to the P-box (straight), which transposes the bits so that in the next round each box receives different input.

How is diffusion achieved?
I.e. changing a single bit in the plaintext affects many bits in the ciphertext.
1. In the first round, bit 8, after being XORed with the corresponding bit of K1, affects 2 bits (7 and 8) through S-box 4. Bit 7 is permuted and becomes bit 2; bit 8 is permuted and becomes bit 4. After the first round, bit 8 has affected bits 2 and 4.
2. In the second round, bit 2, after being XORed with the corresponding bit in K2, affects 2 bits (bits 1 and 2) through the S-box. Bit 1 is permuted and becomes bit 6; bit 2 becomes bit 1. Bit 4, after being XORed with the corresponding bit in K2, affects bits 3 and 4. Bit 3 remains the same; bit 4 becomes bit 7.
Hence after the second round, bit 8 has affected bits 1, 3, 6 and 7.

How is confusion achieved?
• The 4 bits of ciphertext 1, 3, 6 and 7 are affected by 3 bits in the key (bit 8 in K1 and bits 2 and 4 in K2).
Note: To improve confusion and diffusion, practical ciphers use larger data blocks, more S-boxes, and more rounds.

• Modern block ciphers are all product ciphers, but they are divided into two classes.
1. Feistel ciphers:
• A Feistel cipher can have three types of components: self-invertible, invertible, and noninvertible.
E.g. DES
2. Non-Feistel ciphers:
Consist of only invertible components. E.g. AES

• How are the encryption and decryption algorithms inverses of each other if each has a non-invertible unit?

E.g. of a non-invertible component
Assume that the function takes the first and third bits of the key, interprets these two bits as a decimal number, squares the number, and interprets the result as a 4-bit binary pattern.
f(101): The function extracts the first and third bits to get 11 in binary or 3 in decimal. The result of squaring is 9, which is 1001 in binary.
f(101) = 1001
This function is non-invertible.
In encryption, a non-invertible function f(K) accepts the key as the input.
The output of this component is XORed with the plaintext to get the ciphertext.
The combination of the function and the XOR is called the mixer.
The key K is the same.

• The plaintext and ciphertext are each 4 bits long and the key is 3 bits long. Assume that the function takes the first and third bits of the key, interprets these two bits as a decimal number, squares the number, and interprets the result as a 4-bit binary pattern. Show the results of encryption and decryption if the original plaintext is 0111 and the key is 101.
Solution
The function extracts the first and third bits to get 11 in binary or 3 in decimal. The result of squaring is 9, which is 1001 in binary.
• The function f(101) = 1001 is non-invertible, but the XOR operation allows us to use the function in both encryption and decryption.
The function is non-invertible but the mixer is self-invertible.

In the initial Feistel design only the key is input to the function.
Improvement: let part of the plaintext in encryption and part of the ciphertext in decryption also be input to the function. The key is the second input to the function.
The inputs to the function should be exactly the same in encryption and decryption. Hence the right side of the plaintext in encryption and the right side of the ciphertext in decryption must be the same.

• Assume L3 = L2 and R3 = R2 (i.e. no change in the ciphertext during transmission).

R4 = R3 = R2 = R1
L4 = L3 ⊕ f(R3, K)
   = L2 ⊕ f(R2, K)
   = L1 ⊕ f(R1, K) ⊕ f(R1, K) = L1
L4 = L1

Drawback of the previous design:
• The right side of the plaintext does not undergo encryption.

Improvement
1. Increase the number of rounds/iterations.
2. Add a new element to each round, a swapper, which swaps the left and right halves in each round.
Note: Instead of f(R5, K1) it is f(L5, K1).

Prove L6 = L1 and R6 = R1 if L4 = L3 and R4 = R3.

First we prove L5 = L2 and R5 = R2:
L5 = R4 ⊕ f(L4, K2)
   = R3 ⊕ f(R2, K2)
L5 = L2 ⊕ f(R2, K2) ⊕ f(R2, K2) = L2
R5 = L4 = L3 = R2

L6 = R5 ⊕ f(L5, K1)
   = R2 ⊕ f(L2, K1)
L6 = L1 ⊕ f(R1, K1) ⊕ f(R1, K1) = L1
R6 = L5 = L2 = R1
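
The mixer exercise and the two-round proof above, as an added Python example that is not part of the original slides. `f_key` is the page's function; `round_fn`, the 4-bit halves and the sample keys are assumptions chosen for illustration.

```python
"""Feistel mixer and a two-round Feistel network built on a non-invertible f."""


def f_key(key3):
    """The page's function: first and third bits of a 3-bit key, squared, as 4 bits."""
    first, third = (key3 >> 2) & 1, key3 & 1
    value = (first << 1) | third
    return (value * value) & 0xF


def mixer(block4, key3):
    """XOR the 4-bit block with f(key). Applying it twice restores the block."""
    return block4 ^ f_key(key3)


def round_fn(half, key):
    """Hypothetical round function f(R, K): many inputs map to the same output."""
    return ((half ^ key) ** 2) & 0xF


def encrypt_round(left, right, key):
    # Mixer followed by swapper: (L, R) -> (R, L xor f(R, K))
    return right, left ^ round_fn(right, key)


def decrypt_round(left, right, key):
    # Inverse round, as in the proof: (L, R) -> (R xor f(L, K), L)
    return right ^ round_fn(left, key), left


def encrypt(block8, k1, k2):
    left, right = block8 >> 4, block8 & 0xF
    left, right = encrypt_round(left, right, k1)
    left, right = encrypt_round(left, right, k2)
    return (left << 4) | right


def decrypt(block8, k1, k2):
    left, right = block8 >> 4, block8 & 0xF
    left, right = decrypt_round(left, right, k2)   # round keys in reverse order
    left, right = decrypt_round(left, right, k1)
    return (left << 4) | right


def distinct_outputs(key):
    """Number of distinct values round_fn produces over all 16 inputs."""
    return len({round_fn(half, key) for half in range(16)})


if __name__ == "__main__":
    c = mixer(0b0111, 0b101)
    print(f"mixer: 0111 -> {c:04b} -> {mixer(c, 0b101):04b}")
    print("distinct round_fn outputs:", distinct_outputs(0b0110), "of 16 inputs")
    k1, k2 = 0x3, 0xC   # constructed sample round keys
    ok = all(decrypt(encrypt(b, k1, k2), k1, k2) == b for b in range(256))
    print("all 256 blocks round-trip:", ok)
```
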
• Modern symmetric key block cipher.
• Published by the National Institute of Standards and Technology (NIST).

Encryption and decryption with DES

• The encryption process is made of two permutations (P-boxes), which we call the initial and final permutations, and sixteen Feistel rounds.
• Each round uses a different 48-bit round key generated from the 56-bit cipher key.
Each of these permutations takes a 64-bit input and permutes the bits according to a predefined rule. E.g. in the initial permutation, the 58th bit in the input becomes bit no. 1, and so on.
• DES uses 16 rounds. Each round of DES is a Feistel cipher.
• Each round has 2 cipher elements:
1. Mixer
2. Swapper
• Each of these is invertible.
• The mixer is invertible because of the XOR operation.
• All the non-invertible elements are collected inside f(Ri−1, Ki).
• Heart of DES
• Input to the DES function:
1. 48-bit key
2. Rightmost 32 bits
• Output: 32-bit output
• The DES function is made up of 4 sections:
1. Expansion box
2. Whitener (XOR)
3. Group of S-boxes
4. A straight P-box

1. Expansion P-box
• Since Ri−1 is a 32-bit input and Ki is a 48-bit key, we first need to expand Ri−1 to 48 bits.
• Ri−1 is divided into 8 4-bit sections.
• Each 4-bit section is expanded to 6 bits in the following manner:
◦ Input bits 1, 2, 3, 4 are copied to output bits 2, 3, 4, 5 respectively.
◦ Output bit 1 comes from input bit 4 of the previous section.
◦ Output bit 6 comes from input bit 1 of the next section.
Expansion P-box table
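
The expansion rule above generates the whole 48-entry table. The following Python sketch is an added example, not part of the original slides; it assumes the standard DES wrap-around (the section before the first is the last one, and the section after the last is the first) and numbers bits from 1 at the leftmost position.

```python
"""Build the DES expansion P-box from the three copy rules and apply it."""


def expansion_table():
    """Return the 48 source-bit numbers (1..32), one per output bit."""
    table = []
    for section in range(8):
        first = 4 * section + 1               # input bit 1 of this section
        prev_last = (first - 2) % 32 + 1      # input bit 4 of the previous section
        next_first = (first + 3) % 32 + 1     # input bit 1 of the next section
        table += [prev_last, first, first + 1, first + 2, first + 3, next_first]
    return table


def expand(right32):
    """Expand a 32-bit right half to 48 bits using the table."""
    out = 0
    for src in expansion_table():
        bit = (right32 >> (32 - src)) & 1     # bit 1 is the most significant bit
        out = (out << 1) | bit
    return out


def duplicated_inputs():
    """Input bits that appear twice in the output (the edge bits of each section)."""
    table = expansion_table()
    return sorted(b for b in range(1, 33) if table.count(b) == 2)


if __name__ == "__main__":
    t = expansion_table()
    for row in range(8):
        print(" ".join(f"{v:2d}" for v in t[6 * row:6 * row + 6]))
    print(f"expand(0x80000000) = {expand(0x80000000):012X}")
```
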

2. Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key.
Note: Both the right section and the key are 48 bits in length.
The 48-bit output goes as input to the S-boxes.

3. S-boxes
• DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.
• Substitution follows a predetermined rule: the outer 2 bits of the 6-bit input select the row; the inner 4 bits select the column.
• Note: Each S-box has its own table.
S-box 1

4. Straight P-box

• The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key.
• The cipher key is actually a 64-bit key in which 8 extra bits are the parity bits, which are dropped before the actual key generation process.
Process:
1. Parity drop:
The parity drop step is called the compression transposition step.
Step 1: Drop the parity bits (bits 8, 16, 24, 32, 40, 48, 56, 64) from the 64-bit key.
Step2 : Permute the bits according to 
Key generation
2. Shift left:
• The key is divided into 2 parts and each part is shifted left (circular) by 1 or 2 bits, depending on the round.
• The 2 parts are then combined to form a 56-bit part.

3. Compression box:
Changes 56 bits to 48 bits, which are used as a key for a round.

• The DES algorithm itself had become obsolete and was in need of replacement.
• To this end, the National Institute of Standards and Technology (NIST) ratified the Advanced Encryption Standard (AES) as a replacement for DES.
• Triple DES had been endorsed by NIST as a temporary standard to be used until AES was finished.
• Triple DES uses a "key bundle" which comprises three DES keys, K1, K2 and K3, each of 56 bits (excluding parity bits).
• Each triple encryption encrypts one block of 64 bits of data.

The encryption algorithm is:
ciphertext = EK3(DK2(EK1(plaintext)))
i.e. DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3.

Decryption is the reverse:
plaintext = DK1(EK2(DK3(ciphertext)))
i.e. decrypt with K3, encrypt with K2, then decrypt with K1.

(a) Encryption: P → E (K1) → A → D (K2) → B → E (K3) → C
(b) Decryption: C → D (K3) → B → E (K2) → A → D (K1) → P

Keying options
The standards define three keying options:
• Keying option 1: All three keys are independent.
• Keying option 2: K1 and K2 are independent, and K3 = K1.
• Keying option 3: All three keys are identical, i.e. K1 = K2 = K3.
Note: Keying option 1 is the strongest, with 3 × 56 = 168 independent key bits.
Keying option 2 provides less security, with 2 × 56 = 112 key bits.
Keying option 3 is equivalent to DES, with only 56 key bits, because the first and second DES operations cancel out.

• The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) in December 2001.
• AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits.
• It uses 10, 12, or 14 rounds.
• The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.
• But the round keys are always 128 bits.
• The 3 versions are: AES-128, AES-192, AES-256.

Structure of AES
• The 128-bit block of plaintext (16 bytes) is organized as a 4 x 4 matrix called the state.
• Hence we have s[0,0] ... s[3,3], i.e. if the inputs are 16 bytes (b0, b1, ..., b15), they are represented as s(i,j) with i = 0-3 and j = 0-3:

b0  b4  b8   b12
b1  b5  b9   b13
b2  b6  b10  b14
b3  b7  b11  b15

• Each round consists of 4 operations:
1. Byte substitution
2. Shift row
3. Mix column
4. Add round key

1. Byte Substitution
• s(i,j) becomes s'(i,j) through a defined substitution table.
• To substitute a byte, we interpret the byte as two hexadecimal digits.
• Each byte b is replaced by another byte based on the SubBytes transformation table.
(00100000)2 = (20)16
This byte is replaced by B7 (i.e. row 2 and column 0).
In decryption we have the inverse SubBytes transformation.
The SubBytes and InvSubBytes transformations are inverses of each other.

2. Shift row
Each row of s' undergoes a circular left shift.
Each row i is shifted left circularly by i bytes, where i = 0 to 3.
InvShiftRows
In the decryption, the transformation is called InvShiftRows and the shifting is to the right.

3. Mix columns
• The 4 elements of each column are multiplied by a constant matrix.
• The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.

Byte substitution changes the value of the byte based on the original value and an entry in the table; changing a byte does not affect the neighboring bytes.
Similarly, shifting rows exchanges bytes without permuting the bits inside the bytes.
But what we need is an interbyte transformation that changes the bits inside the byte, based on the bits inside the neighboring bytes, i.e. we need to mix bytes to provide diffusion at the bit level.
This is done by taking 4 bytes at a time and combining them to recreate 4 new bytes.
• This is achieved by multiplying a square matrix (constant) by a column matrix; the result is a new column matrix.
Note:
Multiplying by 1 means leaving the byte unchanged.
Multiplying by 2 means shifting each byte left 1 bit and XORing with 0001 1011 if the leftmost bit of the original value (before the shift) is 1.
Multiplying by 3 means shifting left one bit, XORing with the original unshifted value, and XORing with 0001 1011 if the leftmost bit of the original value (before the shift) is 1.

InvMixColumns
The InvMixColumns transformation is basically the same as the MixColumns transformation.
The MixColumns and InvMixColumns transformations are inverses of each other.

• After row shifting
• Taking the first column:

0110 0011: after left shifting, 1100 0110
1111 0010: after left shifting, 1110 0100, exor 1111 0010, exor 0001 1011
0111 1101: leave unchanged
1101 0100: leave unchanged

1100 0110
0000 1101
0111 1101
1101 0100
---------
0110 0010 (62)

Step 4: Add round key
The final step is to XOR the key with the result so far.

• To create round keys for each round, AES uses a key-expansion process. If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys from one single 128-bit cipher key.
• The key-expansion routine creates round keys word by word, where a word is an array of 4 bytes.
• In the AES-128 version (10 rounds) there are 44 words.
• In the AES-192 version (12 rounds) there are 52 words.
• In the AES-256 version (14 rounds) there are 60 words.
• Each round key is made up of 4 words.

Creation of words from the original cipher key (128 bits)
The process is as follows:
• The first four words (w0, w1, w2, w3) are made directly from the cipher key.
• The cipher key is an array of 16 bytes (k0 to k15). The first 4 bytes (k0 to k3) become w0; the next 4 bytes (k4 to k7) become w1; and so on, i.e. the concatenation of the first 4 words replicates the cipher key.
• The rest of the words (wi for i = 4 to 43) are made as follows:
1. If (i mod 4) ≠ 0, wi = w(i−1) ⊕ w(i−4), i.e. each word is made from the one at the left and the one at the top.
2. If (i mod 4) = 0, wi = t ⊕ w(i−4). Here t is a temporary word: the result of applying 2 routines, Subword and Rotword, on w(i−1) and XORing the result with a round constant, RCon.
t = Subword(Rotword(w(i−1))) ⊕ RCon(i/4)
Rotword: The Rotate Word routine is similar to the ShiftRows transformation, but it is applied to only one row. The routine takes a word as an array of 4 bytes and shifts each byte to the left with wrapping.
Subword: The Subword (Substitute Word) routine is similar to the SubBytes transformation, but is applied to only 4 bytes. The routine takes each byte in the word and substitutes another byte for it.
• The following slide shows how the keys for each round are calculated, assuming that the 128-bit cipher key agreed upon by Alice and Bob is (24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87)16.
• In each round, the calculation of the last three words is very simple. For the calculation of the first word we need to first calculate the value of the temporary word (t).
• For example, the first t for round 1 is calculated as:
w0 = 24 75 A2 B3, w1 = 34 75 56 88, w2 = 31 E2 12 00, w3 = 13 AA 54 87
Rotword(13 AA 54 87) = AA 54 87 13
Subword(AA 54 87 13) = AC 20 17 7D
t = AC 20 17 7D ⊕ 01 00 00 00 = AD 20 17 7D
To form w4: w4 = t ⊕ w(i−4) = AD 20 17 7D ⊕ 24 75 A2 B3 = 89 55 B5 CE
S-box for key expansion
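
The MixColumns arithmetic and the key-expansion walk-through above, reproduced as an added Python example that is not part of the original slides. The S-box is computed from its definition (field inverse plus affine map) rather than copied from a table; the function names are illustrative, and the MixColumns matrices and RCon values are the standard AES constants.

```python
"""AES pieces: GF(2^8) multiply, MixColumns, S-box construction, AES-128 key expansion."""


def xtime(b):
    """Multiply by 2: shift left one bit, XOR 0001 1011 if the leftmost bit was 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


def gmul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add on top of xtime."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a, b = xtime(a), b >> 1
    return product


def build_sbox():
    """SubBytes table: multiplicative inverse in GF(2^8), then the affine transform."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)  # 0 maps to 0
        s = r = inv
        for _ in range(4):                    # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _matrix_times_column(matrix, column):
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(coeff, byte)          # addition in GF(2^8) is XOR
        out.append(acc)
    return out


def mix_column(column):
    return _matrix_times_column(MIX, column)


def inv_mix_column(column):
    return _matrix_times_column(INV_MIX, column)


def rot_word(word):
    return word[1:] + word[:1]


def sub_word(word):
    return bytes(SBOX[b] for b in word)


def xor_words(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def expand_key_128(key):
    """Return the 44 four-byte words w0..w43 for a 16-byte cipher key."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = xor_words(sub_word(rot_word(t)), bytes([RCON[i // 4 - 1], 0, 0, 0]))
        w.append(xor_words(t, w[i - 4]))
    return w


PAGE_KEY = bytes.fromhex("2475A2B33475568831E2120013AA5487")   # key from the page
PAGE_COLUMN = [0x63, 0xF2, 0x7D, 0xD4]                          # column from the page

if __name__ == "__main__":
    mixed = mix_column(PAGE_COLUMN)
    print("MixColumns:", " ".join(f"{b:02X}" for b in mixed))
    print("inverse   :", " ".join(f"{b:02X}" for b in inv_mix_column(mixed)))
    words = expand_key_128(PAGE_KEY)
    print("round 1 key:", " ".join(wd.hex().upper() for wd in words[4:8]))
```
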
RC4 (Stream Cipher)

• Most widely used stream cipher, used to protect internet traffic and to secure wireless networks.
• Designed by Ron Rivest in 1984.
• Hence the name RC4 (Rivest Cipher 4).
• 8 bits of the plaintext are XORed with a byte of the key to produce a byte of ciphertext.
• The key stream is a sequence of bytes (can contain 1-256 bytes).
• Based on the concept of state. At each moment, a state of 256 bytes is active, from which one of the bytes is selected to serve as the key for encryption.
1. We have an array S: S[0], S[1], S[2], ..., S[255]
• The content of each element is also a byte (8 bits), that is, an integer between 0 and 255.
2. There is an array key of length varying from 1 to 256 bytes, typically between 5 and 16 bytes (40-128 bits).
Note: S is initialized to the identity permutation.

RC4 consists of 2 phases:
1. Key scheduling algorithm (key setup phase)
2. Pseudo-random generation algorithm (ciphering or XOR)

• Uses two arrays, state and key:
1. 256-byte state table: State[256] = [0 .. 255]
2. It has the capability of using keys between 1 and 256 bytes: Key[1..256] = [ ……. ]
• Two phases:
Key setup
1. f = (f + Si + Kg) mod n, where n is the number of bytes in the state
2. Swap Si with Sf
Ciphering (XOR)
1. i = (i + 1) mod n, and f = (f + Si) mod n
2. Swap Si with Sf
3. t = (Si + Sf) mod n
The random byte is St.

Example (Key Setup phase)

• We use a 4-byte state and a 2-byte key for this example.
S[ ] = [S0, S1, S2, S3] = [0, 1, 2, 3]
K[ ] = [K0, K1] = [2, 5]

Iteration 1:
– i = 0, f = 0, g = 0
– S[ ] = [S0, S1, S2, S3] = [0, 1, 2, 3]
– K[ ] = [K0, K1] = [2, 5]
Because f = (f + S0 + K0) mod 4 = 2, swap S0 with S2.
New array S[ ] = [S0, S1, S2, S3] = [2, 1, 0, 3]
i = i + 1 = 1
g = (g + 1) mod 2 = 1

Iteration 2:
– i = 1, f = 2, g = 1
– S[ ] = [S0, S1, S2, S3] = [2, 1, 0, 3]
– K[ ] = [K0, K1] = [2, 5]
Because f = (f + S1 + K1) mod 4 = 0, swap S1 with S0.
New array S[ ] = [S0, S1, S2, S3] = [1, 2, 0, 3]
i = i + 1 = 2
g = (g + 1) mod 2 = 0

Iteration 3:
– i = 2, f = 0, g = 0
– S[ ] = [S0, S1, S2, S3] = [1, 2, 0, 3]
– K[ ] = [K0, K1] = [2, 5]
Because f = (f + S2 + K0) mod 4 = 2, swap S2 with S2.
New array S[ ] = [S0, S1, S2, S3] = [1, 2, 0, 3]
i = i + 1 = 3
g = (g + 1) mod 2 = 1

Iteration 4:
– i = 3, f = 2, g = 1
– S[ ] = [S0, S1, S2, S3] = [1, 2, 0, 3]
– K[ ] = [K0, K1] = [2, 5]
Because f = (f + S3 + K1) mod 4 = 2, swap S3 with S2.
New array S[ ] = [S0, S1, S2, S3] = [1, 2, 3, 0]

Example (Ciphering phase)

• For this example we use the plaintext "HI".

"H":
– i = 0, f = 0
– S[ ] = [S0, S1, S2, S3] = [1, 2, 3, 0]
Because i = (i + 1) mod 4 = 1 and f = (f + S1) mod 4 = 2, swap S1 with S2.
New array S[ ] = [S0, S1, S2, S3] = [1, 3, 2, 0]
t = (S1 + S2) mod 4 = 1
S1 = 3 (0000 0011)

H     0100 1000
XOR   0000 0011
      0100 1011

"I":
– i = 1, f = 2
– S[ ] = [S0, S1, S2, S3] = [1, 3, 2, 0]
Because i = (i + 1) mod 4 = 2 and f = (f + S2) mod 4 = 0, swap S2 with S0.
New array S[ ] = [S0, S1, S2, S3] = [2, 3, 1, 0]
t = (S2 + S0) mod 4 = 3
S3 = 0 (0000 0000)

I     0100 1001
XOR   0000 0000
      0100 1001

• Result
– Plaintext: 0100 1000 0100 1001
– Cipher: 0100 1011 0100 1001

• S = {0, 1, 2, 3}
• K = {1, 7, 1, 7}

Ist iteration
f = 0, i = 0, g = 0
f = (0 + 0 + 1) mod 4
f = 1
Swap S0 with S1
New S = {S0, S1, S2, S3} = {1, 0, 2, 3}
i = i + 1, g = (g + 1) mod 4 = 1

IInd iteration
f = 1, i = 1, g = 1
f = (1 + 0 + 7) mod 4
f = 0
Swap S0 with S1
New S = {S0, S1, S2, S3} = {0, 1, 2, 3}
i = i + 1, g = (g + 1) mod 4 = 2

IIIrd iteration
f = 0, i = 2, g = 2
f = (0 + 2 + 1) mod 4
f = 3
Swap S2 with S3
New S = {S0, S1, S2, S3} = {0, 1, 3, 2}
i = i + 1 = 3, g = (g + 1) mod 4 = 3

IVth iteration
f = 3, i = 3, g = 3
f = (3 + 2 + 7) mod 4
f = 0
Swap S3 with S0
New S = {S0, S1, S2, S3} = {2, 1, 3, 0}
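
Both key-setup walk-throughs and the "HI" ciphering example above, as an added Python example that is not part of the original slides. It keeps the page's variable names (i, f, g, t) and generalizes the state size n, so the same functions run the 4-byte toy state and the real 256-byte state; the function names are illustrative.

```python
"""RC4 in the page's notation, parameterized by the state size n."""


def key_setup_trace(key, n=256):
    """Run the key setup phase and return the state after every iteration."""
    if not 1 <= len(key) <= n:
        raise ValueError("key length must be between 1 and n bytes")
    S = list(range(n))                 # identity permutation
    f = g = 0
    states = []
    for i in range(n):
        f = (f + S[i] + key[g]) % n
        S[i], S[f] = S[f], S[i]
        g = (g + 1) % len(key)         # key bytes are reused cyclically
        states.append(list(S))
    return states


def key_setup(key, n=256):
    return key_setup_trace(key, n)[-1]


def keystream(state, count):
    """Ciphering phase: produce `count` keystream bytes from a set-up state."""
    S = list(state)                    # work on a copy
    n = len(S)
    i = f = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        f = (f + S[i]) % n
        S[i], S[f] = S[f], S[i]
        t = (S[i] + S[f]) % n
        out.append(S[t])
    return out


def rc4(key, data, n=256):
    """Encrypt or decrypt: XOR the data with the keystream (same operation both ways)."""
    stream = keystream(key_setup(key, n), len(data))
    return bytes(b ^ k for b, k in zip(data, stream))


if __name__ == "__main__":
    for step, state in enumerate(key_setup_trace([2, 5], n=4), start=1):
        print(f"iteration {step}: S = {state}")
    toy = rc4([2, 5], b"HI", n=4)
    print("toy ciphertext:", " ".join(f"{b:08b}" for b in toy))
    # Full-size RC4 with a constructed sample key and message.
    ct = rc4(b"Key", b"Plaintext")
    print("RC4(Key, Plaintext) =", ct.hex().upper())
    print("decrypts to:", rc4(b"Key", ct))
```
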

1. Speed of transformation
Stream: Each symbol is encrypted as soon as it is read. Hence the time to encrypt the symbol depends only on the encryption algorithm.
Block: The system has to wait until an entire block of plaintext has been received before starting the encryption process. Hence the slowness of encryption.
2. Diffusion
Stream: Low diffusion. Each symbol is separately enciphered. Therefore all the information of that symbol is contained in one symbol of the ciphertext.
Block: High diffusion. Information from the plaintext is diffused into several ciphertext symbols.
3. Error propagation
Stream: Low error propagation. Because each symbol is separately encoded, an error in the encryption process affects only that character.
Block: High error propagation. An error will affect the transformation of all other characters in the same block.
4. Insertion of symbols
Stream: Susceptibility to malicious insertions and modifications. Because each symbol is separately enciphered, an active interceptor who has broken the code can splice together pieces of previous messages and transmit a spurious new message that may look authentic.
Block: Immunity to insertion of symbols. Because blocks of symbols are enciphered, it is impossible to insert a single symbol into one block. The length of the block would then be incorrect, and the decipherment would quickly reveal the insertion.

1. In a community of n people:
Symmetric-key cryptography requires n(n-1)/2 shared secret keys.
Asymmetric-key cryptography requires n personal secret keys.
2. Symmetric-key cryptography is based on sharing secrecy.
Asymmetric-key cryptography is based on personal secrecy.
3. Symmetric: Plaintext and ciphertext are symbols (bits/characters).
Asymmetric: Plaintext and ciphertext are numbers.
4. Symmetric: Encryption and decryption are based on permutation and substitution of symbols.
Asymmetric: Encryption and decryption are mathematical functions.

Plaintext/Ciphertext
• Unlike in symmetric-key cryptography, plaintext and ciphertext are treated as integers in asymmetric-key cryptography.
Encryption/Decryption
C = f(Kpublic, P)
P = g(Kprivate, C)
There is a very important fact that is sometimes misunderstood: The advent of asymmetric-key cryptography does not eliminate the need for symmetric-key cryptography.
• The main idea behind asymmetric-key cryptography is the concept of the trapdoor one-way function.

Functions
One-Way Function (OWF)
1. f is easy to compute. In other words, given x, y = f(x) can be easily computed.
2. f⁻¹ is difficult to compute. In other words, given y, it is computationally infeasible to calculate x = f⁻¹(y).
A trapdoor one-way function is a one-way function with a third property:
3. Given y and a trapdoor (secret), x can be computed easily.

Public-key cryptosystems are based on trapdoor one-way functions.
The public key gives information about the particular instance of the function; the private key gives information about the trapdoor.
Whoever knows the trapdoor can perform the function easily in both directions, but anyone lacking the trapdoor can perform the function only in the forward direction.
The forward direction is used for encryption and the inverse direction is used for decryption.

The modular multiplicative inverse of an
integer a modulo m is an integer x such that
a.x mod m =1
OR
The multiplicative inverse of a in Zm is x.
This no. x is between 0 to m-1.
For eg :
4 is the multiplicative inverse of 3 in Z11-
Since
4.3 mod 11=1
 An integer may or may not have a multiplicative inverse.
 We say that multiplicative inverse of a in Zm exists if
gcd(a,m)=1.
 Find the multiplicative inverse of 8 in Z10.
There is no multiplicative inverse because gcd (10, 8)
= 2 ≠ 1.
In other words, we cannot find any number between 0 and 9
such that when multiplied by 8 mod 10 =1.
Using extended Euclidean algorithm to find multiplicative inverse
i.e find multiplicative inverse of b in zn
 Find the multiplicative inverse of 11 in Z26.

The gcd (26, 11) is 1; the inverse of 11 is 7 or 19.


11x19 mod 26 =1
 Find the multiplicative inverse of 23 in Z100.

The gcd (100, 23) is 1; the inverse of 23 is 13 or 87.


 The first idea of public-key cryptography came from Merkle
and Hellman called as Knapsack cryptosystem.
Definition
Suppose we are given two k-tuples,
a = [a1, a2, …, ak ] and x = [x1, x2, …, xk].
The first tuple is a predefined set; the second tuple in which
xi is only 0 or 1, defines which elements of a are to be
dropped in the knapsack.

Given a and x, it is easy to calculate s. However, given s


and a it is difficult to find x.
 In other words, s=knapsackSum(a,x) is easy to calculate,
but x=inv_knapsackSum(s,a) is difficult.
 The function knapsackSum is a one-way function if a is a
general k-tuple.

Superincreasing Tuple

It is easy to compute knapsackSum and inv_knapsackSum if the k-tuple a is superincreasing:

ai ≥ a1 + a2 + … + ai−1

In other words, each element (except a1) is greater than or equal to the sum of all previous elements.
As an example, assume that a = [17, 25, 46, 94, 201, 400] and s = 272 are given.
Table shows how the tuple x is found using the inv_knapsackSum routine in Algorithm.
In this case x = [0, 1, 1, 0, 1, 0], which means that 25, 46, and 201 are in the knapsack.

Key Generation (done by Bob)
1. Create a superincreasing k-tuple b = [b1, b2, …, bk].
2. Choose a modulus n such that n > b1 + b2 + … + bk.
3. Select a random integer r that is relatively prime to n, with 1 <= r <= n−1.
4. Create a temporary k-tuple t = [t1, t2, …, tk] in which ti = r × bi mod n.
5. Select a permutation of k objects and find a new tuple a = permute(t).
6. The public key is the k-tuple a. The private key is n, r, and the k-tuple b.

Encryption
Suppose Alice needs to send a message to Bob.
1. Alice converts her message to a k-tuple x = [x1, x2, …, xk] in which xi is either 0 or 1. The tuple x is the plaintext.
2. Alice uses the knapsackSum(a, x) routine to calculate s. She then sends the value of s as the ciphertext.

Decryption
Bob receives the ciphertext s.
1. Bob calculates s' = r^-1 × s mod n.
2. Bob uses inv_knapsackSum to create x'.
3. Bob permutes x' to find x. The tuple x is the recovered plaintext.
Note: 37^-1 in Z900 is 73.
Hence 2399 × 73 mod 900 = 527.
The most common public-key algorithm is the RSA cryptosystem, named for its inventors (Rivest, Shamir, and Adleman).
To generate the RSA public and private key pair:
1. Choose two large prime numbers p and q.
2. Form the product n = p × q.
3. Find φ(n) = (p−1) × (q−1).
4. Choose e such that it is relatively prime to φ(n).
5. Choose d such that e × d mod φ(n) = 1
(or, d is the multiplicative inverse of e in Zφ(n)).
Public key: (e, n)
Private key: d
Encryption and decryption are accomplished via modular exponentiation.
If M is the message:
Encryption: C = M^e mod n
Decryption: M = C^d mod n
Example 1
1. Assume p = 11 and q = 3.
2. n = 11 × 3 = 33
3. φ(n) = 10 × 2 = 20
4. Let e be 3 (relatively prime to φ(n)).
5. Choose d such that 3d mod 20 = 1. Hence d = 7.
Public key: (3, 33)
Private key: 7
Let M = 15.
Encryption: C = 15^3 mod 33 = 9
Decryption: M = 9^7 mod 33 = 15
To make RSA secure, the recommended size of p and q is 512 bits (154 decimal digits).
This makes n 1024 bits.
Example 2
Let p = 17, q = 11
n = 17 × 11 = 187
φ(n) = 16 × 10 = 160
Let e = 7
7d mod 160 = 1
d = 23
Let M = 88
Encryption:
C = 88^7 mod 187
= [(88^4 mod 187) × (88^2 mod 187) × (88 mod 187)] mod 187
88 mod 187 = 88
88^2 mod 187 = 7744 mod 187 = 77
88^4 mod 187 = [(88^2 mod 187) × (88^2 mod 187)] mod 187 = 132
C = (132 × 77 × 88) mod 187 = 894,432 mod 187 = 11
As the preceding example shows, we can make use of a property of modular arithmetic:
[(a mod n) * (b mod n)] mod n = (a * b) mod n
Decryption:
M = 11^23 mod 187
11^23 mod 187 = [(11^1 mod 187) × (11^2 mod 187) × (11^4 mod 187) × (11^8 mod 187) × (11^8 mod 187)] mod 187
11^1 mod 187 = 11
11^2 mod 187 = 121
11^4 mod 187 = 14641 mod 187 = 55
11^8 mod 187 = 33
11^23 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 88

Step 1. Choose two primes p and q. Example: p = 5 and q = 13.
Step 2. Let n = pq. Example: n = 5 × 13 = 65.
Step 3. Let φ(n) = (p − 1)(q − 1). Example: φ(n) = 4 × 12 = 48.
Choose E = 11.
D = 35.
For example, to encrypt 3, we find
3^11 mod 65 = 22
22^35 mod 65 = 3
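Key generation and the three worked examples above, as an added Python example (not part of the original slides). The helper names are this example's own: mod_inverse finds d with the extended Euclidean algorithm, and mod_exp applies the property [(a mod n) * (b mod n)] mod n = (a * b) mod n at every squaring and multiplication.

```python
def ext_gcd(a, b):
    """Return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def mod_inverse(e, m):
    """Multiplicative inverse of e in Z_m, reduced to the range 0..m-1."""
    g, s, _ = ext_gcd(e, m)
    if g != 1:
        raise ValueError("e and m are not relatively prime: no inverse")
    return s % m

def mod_exp(base, exp, n):
    """Square-and-multiply: reduce mod n after every step."""
    result, base = 1, base % n
    while exp:
        if exp & 1:                      # this bit of the exponent is set
            result = (result * base) % n
        base = (base * base) % n         # base^1, base^2, base^4, base^8, ...
        exp >>= 1
    return result

def rsa_keypair(p, q, e):
    """Return ((e, n), d) for primes p, q and a public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), mod_inverse(e, phi)   # raises if gcd(e, phi) != 1

def rsa_roundtrip(p, q, e, m):
    """Return (d, ciphertext, recovered message) for message m < n."""
    (e, n), d = rsa_keypair(p, q, e)
    c = mod_exp(m, e, n)                 # C = M^e mod n
    return d, c, mod_exp(c, d, n)        # M = C^d mod n

if __name__ == "__main__":
    for p, q, e, m in [(11, 3, 3, 15), (17, 11, 7, 88), (5, 13, 11, 3)]:
        print(p, q, e, m, "->", rsa_roundtrip(p, q, e, m))
```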
Symmetric key distribution needs a shared secret key between two parties.
How are shared secret keys maintained and distributed?
1. Key distribution centre (KDC)
• Use a trusted third party: the KDC.
• Each person establishes a shared secret key with the KDC.
A KDC creates a secret key for each member. This secret key can be used only between the member and the KDC, not between two members.
How can Alice send a confidential message to Bob?
1. Alice sends a request to the KDC stating that a session (temporary) secret key is needed so that Alice can communicate with Bob.
2. The KDC informs Bob about Alice's request.
3. If Bob agrees, a session key is created between the two.
One such protocol is Kerberos.
Note: KAlice and KBob are used to authenticate Alice and Bob to the KDC, to prevent Eve from impersonating either of them.
2. Establishing a session key without using a KDC
Alice and Bob can create a session key between themselves without using a KDC. This method of session-key creation is referred to as symmetric-key agreement.
E.g.: Diffie-Hellman key agreement.

Here the two parties need to choose two numbers, p and g.
The first, p, is a large prime number, i.e. 300 decimal digits.
The second number, g, is a primitive root of the prime number p.
How to find a primitive root of a prime number p?
Let p be a prime number.
Then b is a primitive root for p if the first (p−1) powers of b are different.
E.g.: If p = 7
Is 2 a primitive root of 7?
2^0 mod 7 = 1
2^1 mod 7 = 2
2^2 mod 7 = 4
2^3 mod 7 = 1
2^4 mod 7 = 2
2^5 mod 7 = 4
2^6 mod 7 = 1
The (p−1) values are not different. Hence 2 is not a primitive root of 7.
Is 3 a primitive root of 7?
3^0 mod 7 = 1
3^1 mod 7 = 3
3^2 mod 7 = 2
3^3 mod 7 = 6
3^4 mod 7 = 4
3^5 mod 7 = 5
3^6 mod 7 = 1
3^7 mod 7 = 3
3^8 mod 7 = 2
No repetition among the first (p−1) powers. Hence 3 is a primitive root of 7.
Note: A prime number can have a number of primitive roots.
E.g. 2: If p = 13
Is 2 a primitive root of 13?
1, 2, 4, 8, 3, 6, 12, 11, 9, 5, 10, 7
No repetition. Hence 2 is a primitive root of 13.
1. Alice chooses a large random number x such that 0 <= x <= p−1 and calculates R1 = g^x mod p.
2. Bob chooses another large random number y such that 0 <= y <= p−1 and calculates R2 = g^y mod p.
3. Alice sends R1 to Bob. Alice does not send x; she only sends R1.
4. Bob sends R2 to Alice. Bob does not send y; he only sends R2.
5. Alice calculates K = (R2)^x mod p.
6. Bob calculates K = (R1)^y mod p.
K is the symmetric key for the session.
K = (g^x mod p)^y mod p = (g^y mod p)^x mod p = g^(xy) mod p.
Both have reached the same value without Bob knowing the value of x and without Alice knowing the value of y.
E.g.: Assume small numbers. Let p = 23 and g = 7.
1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
7. The value of K is the same for both Alice and Bob; g^(xy) mod p = 7^18 mod 23 = 18.
Security of Diffie-Hellman
Susceptible to two attacks:
1. Discrete logarithm attack
2. Man-in-the-middle attack

1. Discrete logarithm attack
Eve can intercept R1 and R2. If Eve can find x from R1 = g^x mod p and y from R2 = g^y mod p, then she can calculate K = g^(xy) mod p.
To make Diffie-Hellman secure:
1. The prime number p must be very large (300 digits).
2. g must be a primitive root of p.
3. Bob and Alice must destroy x and y after they have calculated the symmetric key. The values of x and y must be used only once.
2. Man-in-the-middle attack
Eve does not have to know the values of x and y to attack the protocol.
1. Alice chooses x, calculates R1 = g^x mod p and sends R1 to Bob.
2. Eve intercepts R1. She chooses z, calculates R2 = g^z mod p and sends R2 to both Alice and Bob.
3. Bob chooses y, calculates R3 = g^y mod p and sends R3 to Alice. R3 is intercepted by Eve and never reaches Alice.
4. Alice and Eve calculate K1 = g^(xz) mod p, which becomes the shared key between Alice and Eve. Alice, however, thinks that it is a shared key between Bob and herself.
5. Bob and Eve calculate K2 = g^(zy) mod p, which becomes the shared key between Bob and Eve. Bob, however, thinks that it is a shared key between Alice and himself.
When Alice sends data to Bob encrypted with K1, Eve can decipher the message or send a totally new message encrypted with K2 to Bob.
Bob is fooled into believing that the message has come from Alice.
A similar scenario can happen to Alice in the other direction.
It is called a man-in-the-middle attack because Eve comes in between and intercepts R1, sent by Alice to Bob, and R3, sent by Bob to Alice.
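The primitive-root test, the p = 23, g = 7 exchange and the man-in-the-middle scenario above, as an added Python example (not part of the original slides). The function names and Eve's secret z = 5 are assumptions made for this example.

```python
def is_primitive_root(b, p):
    """True if b^1 .. b^(p-1) mod p are all different (p must be prime)."""
    return len({pow(b, k, p) for k in range(1, p)}) == p - 1

def public_value(g, secret, p):
    """R = g^secret mod p, the only value a party sends."""
    return pow(g, secret, p)

def session_key(received, secret, p):
    """K = received^secret mod p, computed locally and never sent."""
    return pow(received, secret, p)

def honest_exchange(p, g, x, y):
    """Alice (secret x) and Bob (secret y) receive each other's values."""
    r1, r2 = public_value(g, x, p), public_value(g, y, p)
    return session_key(r2, x, p), session_key(r1, y, p)

def intercepted_exchange(p, g, x, y, z):
    """Eve (secret z) replaces both public values with g^z mod p.

    Returns (Alice's key, Bob's key, Eve's K1 with Alice, Eve's K2 with Bob).
    """
    r1 = public_value(g, x, p)       # sent by Alice, stopped by Eve
    r3 = public_value(g, y, p)       # sent by Bob, stopped by Eve
    r2 = public_value(g, z, p)       # what Alice and Bob actually receive
    k_alice, k_bob = session_key(r2, x, p), session_key(r2, y, p)
    k1, k2 = session_key(r1, z, p), session_key(r3, z, p)
    return k_alice, k_bob, k1, k2

if __name__ == "__main__":
    p, g = 23, 7                     # the small example from the slides
    print("7 is a primitive root of 23:", is_primitive_root(g, p))
    print("honest keys:", honest_exchange(p, g, 3, 6))
    # z = 5 is a constructed value for Eve's secret.
    ka, kb, k1, k2 = intercepted_exchange(p, g, 3, 6, 5)
    print("Alice:", ka, "Bob:", kb, "keys match:", ka == kb)
```

In the intercepted run Alice and Bob end with different keys (14 and 12), which is the condition an authenticated key-confirmation step would detect.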
