This document discusses symmetric cryptography and provides an overview of symmetric cipher systems including stream ciphers like the Vernam cipher and one-time pad, as well as block ciphers like DES, Triple DES, and AES. It describes the basic components of a symmetric cipher model and the properties and modes of operation for symmetric encryption algorithms. Key topics covered include the Feistel cipher structure used by DES, the cryptanalysis of DES leading to its replacement by AES, and the advantages and disadvantages of stream and block ciphers.
2.
References
1. Cryptography and Network Security, by W. Stallings. Prentice Hall, 2003.
2. Handbook of Applied Cryptography, by A. Menezes, P. Van Oorschot and S. Vanstone. 5th printing, 2001. http://www.cacr.math.uwaterloo.ca/hac
3. Cryptography: A Very Short Introduction (Very Short Introduction S.), by Fred Piper and Sean Murphy. Oxford University Press, 2002.
3.
Outline
1. Cryptography
2. Symmetric cipher systems
3. Stream cipher
– Vernam cipher
– One-time pad
4. Block cipher
– DES
– Triple DES
– AES
5. Modes of operation
– ECB
– CBC
4.
1. Cryptography
Cryptography is a means of providing information security.
Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, integrity, authentication, and non-repudiation, which form the main objectives of ISS.
Other ISS objectives are derived from these four aspects.
5.
Cryptography
Cryptanalysis: the study of mathematical techniques for attempting to defeat cryptographic techniques.
Cryptanalyst: one who engages in cryptanalysis.
Cryptology: the study of cryptanalysis and cryptography.
Cryptosystem (cryptographic system): a general term referring to a set of cryptographic primitives used to provide information security services.
– Also called a cipher.
6.
A cipher model
A (symmetric) cipher model consists of:
– Plaintext, m: the original intelligible message fed into the encryption algorithm.
– Encryption algorithm, E: performs various substitutions and transformations on m.
– Secret key, K: an input to E, and a value independent of m.
– Ciphertext, C: the scrambled message produced as output of E. It depends on m and K.
– Decryption algorithm, D: the reverse of E. It takes C and K and produces m.
[Figure: symmetric cipher model. The sender feeds the plaintext and the secret key into the encryption algorithm (e.g., AES); the ciphertext goes to the receiver, whose decryption algorithm uses the same secret key to recover the plaintext.]
7.
Symmetric-key systems
Symmetric cipher
– Encryption key and decryption key are exactly the same, or
– Decryption key is easily obtained from the encryption key.
All practical cipher systems prior to the 1980s were symmetric cipher systems.
The study of symmetric cipher systems is often referred to as symmetric cryptography.
– Also referred to as conventional cryptography, single-key cryptography, or secret-key cryptography.
8.
Public-key systems
In public-key cipher systems
– It is computationally infeasible (in other words, practically impossible) to determine the decryption key from the encryption key.
In this case the encryption key and the decryption key must be different. For this reason, public-key cipher systems are sometimes referred to as asymmetric cipher systems.
The study of public-key cipher systems is often referred to as public-key or asymmetric cryptography.
10.
2. Symmetric ciphers
There are two classes: block cipher and stream cipher.
[Figure: stream cipher versus block cipher. A stream cipher applies E to the plaintext one symbol (bit) at a time; a block cipher splits the plaintext 100110110100010111010010 into the blocks 100110 110100 010111 010010 and applies E to each block, giving 110010 011101 010010 001001.]
11.
3. Stream Ciphers
A stream cipher is an encryption scheme which treats the plaintext symbol-by-symbol (e.g., bit or character).
– A keystream is a sequence of symbols $e_1 e_2 e_3 \ldots \in K$ (the key space for a set of encryption transformations).
– $A$: an alphabet of definition of $q$ symbols.
– Encryption: $E_e$ is a simple substitution cipher with block length 1, where $e \in K$: $E_e = E_{e_1}(m_1) E_{e_2}(m_2) \ldots = c_1 c_2 \ldots$, for plaintext $m = m_1 m_2 \ldots$ and ciphertext $c = c_1 c_2 \ldots$
– Decryption: $D_d = D_{d_1}(c_1) D_{d_2}(c_2) \ldots = m_1 m_2 \ldots$, with $d_i = e_i^{-1}$.
The security of stream ciphers depends on the changing keystream rather than on the encryption function (which may be simple, e.g., XOR).
12.
Vernam Cipher
[Figure: random key bits $k_1, k_2, \ldots, k_n$ are XORed with plaintext bits $p_1, p_2, \ldots, p_n$ to give ciphertext bits $p_1 \oplus k_1, p_2 \oplus k_2, \ldots, p_n \oplus k_n$.]
A stream cipher defined on the alphabet $A = \{0, 1\}$.
The keystream is a binary string ($k = k_1 \ldots k_t$) of the same length as the plaintext $m$ ($= m_1 \ldots m_t$).
Encryption: $c_i = m_i \oplus k_i$. Decryption: $m_i = c_i \oplus k_i$.
13.
One-time pad
If the key string is randomly chosen and never used again, then the Vernam cipher is called a one-time pad.
One-time pad's drawback: the keystream must be as long as the plaintext.
– This increases the difficulty of key distribution and key management.
Solution: generate the keystream pseudorandomly (i.e., keystream generated from a smaller secret key).
[Figure: model of a stream cipher. A keystream generator expands the key into key bits $k_1 k_2 \ldots k_n$, which are XORed with plaintext bits $p_1 p_2 \ldots p_n$ to give ciphertext bits $p_1 \oplus k_1, \ldots, p_n \oplus k_n$.]
14.
Properties of stream ciphers
Advantages:
– No error propagation: a ciphertext digit modified during transmission doesn't affect the decryption of other ciphertext digits.
– Easy to implement
– Fast
Drawbacks:
– Requirement for synchronization: sender and receiver must be synchronized (i.e., they must use the same key and operate on the same position (digit)). If synchronization is lost due to digit insertion or deletion, then re-synchronization is required.
They are suitable for applications where errors are intolerable.
– GSM and phone networks.
A modern stream cipher: RC4 (1987).
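Added example (not from the slides): the Vernam operation in Python, showing why a pad must never be used twice, that a flipped ciphertext bit damages only its own position, and that a deleted digit breaks synchronization. The keystream generator built on SHA-256, the function names, the key and the sample messages are assumptions made for illustration.

```python
import hashlib
import secrets

def xor(a, b):
    """Vernam operation: c_i = m_i XOR k_i (and m_i = c_i XOR k_i)."""
    if len(b) < len(a):
        raise ValueError("keystream must be at least as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, n):
    """Toy keystream generator (assumption): SHA-256(key || counter) blocks."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return out[:n]

def changed_positions(a, b):
    """Indexes at which two byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample messages of equal length, and a constructed short key.
M1 = b"transfer 100 to account A"
M2 = b"meeting moved to 3pm, rm4"
KEY = b"short secret key"

def pad_reuse_leak():
    """Encrypt two messages under ONE pad: the pad cancels out of c1 XOR c2."""
    pad = secrets.token_bytes(len(M1))     # random, as long as the plaintext
    c1, c2 = xor(M1, pad), xor(M2, pad)    # used twice, so no longer one-time
    return xor(c1, c2)                     # equals M1 XOR M2 without any key

def bit_error(position):
    """Flip one ciphertext bit in transit; return the damaged plaintext positions."""
    ks = keystream(KEY, len(M1))
    c = bytearray(xor(M1, ks))
    c[position] ^= 0x01
    return changed_positions(M1, xor(bytes(c), ks))

def lost_sync(position):
    """Delete one ciphertext byte in transit; the receiver's keystream is misaligned."""
    ks = keystream(KEY, len(M1))
    c = xor(M1, ks)
    return xor(c[:position] + c[position + 1:], ks)

if __name__ == "__main__":
    print("c1 XOR c2 == m1 XOR m2:", pad_reuse_leak() == xor(M1, M2))
    print("positions damaged by one flipped bit:", bit_error(5))
    print("receiver output after a deleted byte:", lost_sync(3))
```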
15.
4. Block ciphers
A block cipher is an encryption scheme which breaks up the plaintext message into blocks of a fixed length and produces ciphertext blocks of the same length.
Block ciphers encrypt one block at a time, using a complex encryption function.
Examples
– DES: operates on blocks of 64 bits
– AES: operates on blocks of 128 bits
Block ciphers can be used in various modes (modes of operation).
16.
Data Encryption Standard (DES)
DES design is based on two general concepts:
– Product cipher: combination of two or more operations (transposition, translation (e.g., XOR), arithmetic operations, modular multiplication, simple substitutions).
– Feistel concept
[Figure: the DES encryption algorithm takes a 64-bit block of plaintext and a 56-bit encryption key and outputs a 64-bit block of ciphertext.]
17.
Feistel principle
An iterated block cipher is a block cipher involving the sequential repetition of an internal function called the round function. Parameters include: $r$, the number of rounds; $n$, the block size; and $k$, the input key from which $r$ subkeys $k_i$ (round keys) are derived.
A Feistel cipher is an iterated cipher mapping a $2t$-bit plaintext $(L_0, R_0)$, for $t$-bit blocks $L_0$ and $R_0$, to a ciphertext $(R_r, L_r)$, through an $r$-round process ($r \ge 1$). For each $1 \le i \le r$, round $i$ maps $(L_{i-1}, R_{i-1}) \to (L_i, R_i)$ as follows:
– $L_i = R_{i-1}$
– $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
Decryption is achieved by the same $r$-round process but with the subkeys in reverse order.
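19.
DES Encryption (ch 7, [2])
[Figure: DES encryption. The 64-bit plaintext passes through the initial permutation IP and is split into the 32-bit halves $L_0$ and $R_0$. Round 1 uses the 48-bit key $k_1$: $L_1 = R_0$, $R_1 = L_0 \oplus f(R_0, k_1)$. The rounds continue up to $L_{16} = R_{15}$, $R_{16} = L_{15} \oplus f(R_{15}, k_{16})$, and $IP^{-1}$ yields the 64-bit ciphertext.]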
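20.
DES's f function
[Figure: DES's f function. $R_{i-1}$ (32 bits) goes through the expansion permutation to 48 bits and is XORed with $K_i$ (48 bits). The result is fed 6 bits at a time into each of S1 to S8, 4 bits come out of each, and the resulting 32 bits pass through the permutation P.]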
21.
DES properties
DES has 4 weak keys and six pairs of semi-weak keys
– A DES weak key is a key $k$ such that $E_k(E_k(x)) = x$ for all $x$.
– A pair of DES semi-weak keys is a pair $(K_1, K_2)$ with $E_{K_1}(E_{K_2}(x)) = x$. Tables 7.5 and 7.6 of weak and semi-weak keys are on p. 258 of [2].
DES today
– A DES key can be found by anyone determined enough.
In 1998 the Electronic Frontier Foundation managed to break DES (using DES Cracker, costing < $250,000) in less than 3 days.
– Differential and linear cryptanalysis provide academic attacks on DES.
– However, DES is still in use in many applications.
– Triple DES or AES are commonly recommended instead of DES.
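Added example (not from the slides): a generic Feistel network in Python, covering the Feistel principle slide (decryption is the same process with the subkeys reversed) and the weak and semi-weak key definitions above. The round function f, the key schedule and all sample keys are assumptions built on SHA-256, not DES's own; a palindromic subkey list (k_1 = k_16, k_2 = k_15, ...) stands in for the schedule of a weak key.

```python
import hashlib

T = 4  # half-block size in bytes (t = 32 bits, so a block is 2t = 64 bits)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(right, subkey):
    """Toy round function (assumption, not DES's f); it is never inverted."""
    return hashlib.sha256(subkey + right).digest()[:T]

def feistel(block, subkeys):
    left, right = block[:T], block[T:]
    for k in subkeys:
        # Round i: L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, k_i)
        left, right = right, xor(left, f(right, k))
    return right + left  # the ciphertext is (R_r, L_r)

def encrypt(block, subkeys):
    return feistel(block, subkeys)

def decrypt(block, subkeys):
    return feistel(block, subkeys[::-1])  # same process, subkeys reversed

def schedule(key, rounds=16):
    """Toy key schedule (assumption): subkey i = SHA-256(key || i)[:6]."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(1, rounds + 1)]

def is_self_inverse(subkeys):
    """True when k_1 = k_r, k_2 = k_{r-1}, ...: encryption then equals decryption."""
    return subkeys == subkeys[::-1]

# Constructed sample data.
BLOCK = b"8 bytes!"
NORMAL = schedule(b"constructed key")
HALF = schedule(b"constructed weak key", 8)
WEAK = HALF + HALF[::-1]        # palindromic schedule, as a weak key gives
SEMI_1 = schedule(b"another constructed key")
SEMI_2 = SEMI_1[::-1]           # partner schedule: the same subkeys reversed

if __name__ == "__main__":
    c = encrypt(BLOCK, NORMAL)
    print("round trip:", decrypt(c, NORMAL) == BLOCK)
    print("normal schedule, E(E(x)) == x:", encrypt(c, NORMAL) == BLOCK)
    print("weak schedule,   E(E(x)) == x:", encrypt(encrypt(BLOCK, WEAK), WEAK) == BLOCK)
    print("semi-weak pair, E1(E2(x)) == x:",
          encrypt(encrypt(BLOCK, SEMI_2), SEMI_1) == BLOCK)
```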
23.
Advanced Encryption Standard
In November 2001 the USA NIST announced the Rijndael algorithm as the AES, to replace DES, as FIPS 197.
Became effective in May 2002.
AES is a symmetric encryption algorithm.
Block size 128, rounds 10, 12, or 14 depending on the key size (128, 192, or 256).
AES will probably be used worldwide very soon.
Its security is not proved yet.
[Figure: AES takes a 128-bit block of plaintext and an encryption key of 128, 192, or 256 bits and outputs a 128-bit block of ciphertext.]
24.
Other Block ciphers
IDEA (International Data Encryption Algorithm)
– Published in 1991
– Operates on 64-bit blocks with a 128-bit key and produces blocks of 64 bits
Other ciphers: FEAL, SAFER, RC5, …
[Figure: IDEA takes a 64-bit block of plaintext and a 128-bit encryption key and outputs a 64-bit block of ciphertext.]
25.
5. Modes of operation
1. Electronic CodeBook (ECB):
Identical plaintext blocks (under the same key) result in identical ciphertext.
Chaining dependency: blocks are enciphered independently of other blocks.
Error propagation: one or more bit errors in a single ciphertext block affect decipherment of that block only.
ECB is not recommended for messages longer than one block, or if keys are reused for more than a one-block message.
Security of ECB may be improved by inclusion of random padding bits in each block.
[Figure: Electronic CodeBook (ECB). Encryption: the n-bit block $x_j$ is enciphered with E under the key to give the n-bit block $c_j$. Decryption: $c_j$ is deciphered with $E^{-1}$ under the key to give $x_j$.]
26.
6. Modes of operation
2. Cipher-Block Chaining (CBC):
[Figure: Cipher-Block Chaining (CBC). Encryption: $x_j$ is XORed with $c_{j-1}$ (with $c_0 = IV$) and enciphered with E under the key to give the n-bit block $c_j$. Decryption: $c_j$ is deciphered with $E^{-1}$ under the key and XORed with $c_{j-1}$ to give $x_j$.]
Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and IV.
Chaining dependency: a ciphertext $c_j$ depends on $x_j$ and all preceding plaintext blocks ⇒ rearranging the order of ciphertext blocks affects decryption.
Error propagation: a single bit error in ciphertext block $c_j$ affects decipherment of $c_j$ and $c_{j+1}$.
Error recovery: CBC is self-synchronizing in the sense that if an error occurs in block $c_j$, $c_{j+2}$ is correctly recovered.
IV is not secret but needs integrity.
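Added example (not from the slides): ECB and CBC written out in Python to check the properties listed on the two mode slides, namely identical plaintext blocks, error propagation and CBC's recovery at block j+2. The block cipher E/D is a toy keyed permutation assumed here in place of DES or AES and is not secure; the key, IV and plaintext are constructed sample values.

```python
BS, MASK = 8, (1 << 64) - 1          # block size n = 64 bits
A = 0x9E3779B97F4A7C15               # odd, hence invertible modulo 2**64
A_INV = pow(A, -1, 1 << 64)          # modular inverse (Python 3.8+)

def E(key, block):
    """Toy keyed permutation standing in for DES/AES (assumption, NOT secure)."""
    x = ((int.from_bytes(block, "big") ^ key) * A) & MASK
    return (x ^ (x >> 32)).to_bytes(BS, "big")

def D(key, block):
    x = int.from_bytes(block, "big")
    return ((((x ^ (x >> 32)) * A_INV) & MASK) ^ key).to_bytes(BS, "big")

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, x) for x in blocks(pt))
def ecb_decrypt(key, ct):
    return b"".join(D(key, c) for c in blocks(ct))

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for x in blocks(pt):
        prev = E(key, xor(x, prev))        # c_j = E(x_j XOR c_{j-1}), c_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))   # x_j = D(c_j) XOR c_{j-1}
        prev = c
    return b"".join(out)

def damaged_blocks(sent, received):        # 1-based indexes of differing blocks
    return [j for j, (a, b) in enumerate(zip(blocks(sent), blocks(received)), 1) if a != b]

def flip_bit(ct, j):                       # flip the lowest bit of block c_j (1-based)
    i = j * BS - 1
    return ct[:i] + bytes([ct[i] ^ 1]) + ct[i + 1:]

# Constructed sample data: blocks 1 and 2 are identical; full blocks, no padding.
KEY, IV = 0x0123456789ABCDEF, bytes.fromhex("a1b2c3d4e5f60718")
PT = b"SAMEBLK." * 2 + b"block 3." + b"block 4."

if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(KEY, PT), cbc_encrypt(KEY, IV, PT)
    print("ECB c1 == c2:", ecb[:BS] == ecb[BS:2 * BS])
    print("CBC c1 == c2:", cbc[:BS] == cbc[BS:2 * BS])
    print("ECB, error in c2 damages:", damaged_blocks(PT, ecb_decrypt(KEY, flip_bit(ecb, 2))))
    print("CBC, error in c2 damages:", damaged_blocks(PT, cbc_decrypt(KEY, IV, flip_bit(cbc, 2))))
```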
27.
Properties of block ciphers
Block ciphers do propagate errors (to a limited extent), but are quite flexible and can be used in different ways in order to provide different security properties.
The properties of cryptographic algorithms are not only affected by algorithm design, but also by the ways in which the algorithms are used. Different modes of operation can significantly change the properties of a block cipher.
The security of block ciphers mainly depends on the complexity of the encryption function, whereas that of stream ciphers depends on the keystream randomness.
They can be used to provide confidentiality, data integrity, or user authentication, and can even be used to provide the keystream generator for stream ciphers.
Editor's Notes
Weak keys result in $k_1 = k_{16}$, $k_2 = k_{15}$, … For a pair $(K_1, K_2)$ of semi-weak keys, subkey 1 of $K_1$ equals subkey 16 of $K_2$, and so on. For each of the 4 weak keys there are $2^{32}$ values $x$ such that $E_k(x) = x$ (fixed points). Four of the semi-weak keys each have $2^{32}$ values $x$ such that $E(x) = x'$ (anti-fixed points).