
CRYPTOGRAPHY:

AN INTRODUCTION
Magdy Saeb
OUTLINE
o Introduction
o Cryptographic Algorithms I: Basic Concepts
o Cryptographic Algorithms II: Discussion of some ciphers
o Key Exchange or Distribution
o Cryptanalysis
o Introduction to Network Security
INTRODUCTION
| Objectives
| One-time pads
| Construction of Modern Ciphers
INFORMATION SECURITY OBJECTIVES
| Privacy or confidentiality:
Keeping information secret from all but those who are authorized.
| Data Integrity:
Ensuring information has not been altered by unauthorized or unknown means.
| Identification:
Validating the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
| Message Authentication:
Validating the source of information; also known as data origin authentication.
INFORMATION SECURITY OBJECTIVES (CONT.)
| Signature:
A means to bind information to an entity.
| Authorization:
Conveyance, to another entity, of official sanction to do or be something.
| Validation:
A means to provide timeliness of authorization to use or
manipulate information or resources.
| Access control:
Restricting access to resources to privileged entities.
| Certification:
Endorsement of information by a trusted entity.
INFORMATION SECURITY OBJECTIVES (CONT.)
| Time-Stamping:
Recording the time of creation or existence of information.
| Witnessing:
Verifying the creation or existence of information by an entity other than the creator.
| Receipt:
Acknowledgement that information has been received.
| Confirmation:
Acknowledgement that services have been provided.
| Ownership:
A means to provide an entity with the legal right to use or transfer a resource to others.
INFORMATION SECURITY OBJECTIVES (CONT.)
| Anonymity:
Concealing the identity of an entity involved in some process.
| Non-repudiation:
Preventing the denial of previous commitments or actions.
| Revocation:
Retraction of certification or authorization.
A MODEL OF TWO-PARTY COMMUNICATION USING ENCRYPTION
(Figure: Alice, holding key k, computes C = Ek(m) and sends C to Bob, who holds the same key k and recovers m = Dk(C). The adversaries Mallory and Eve sit on the channel between them.)
MODERN CRYPTOGRAPHY
| 1977: Data Encryption Standard (DES)
Adopted as a U.S. Federal Information Processing Standard for encrypting unclassified information.
| 1976: Diffie and Hellman
Introduced the concept of public-key cryptography. Security is based on the intractability of the discrete logarithm problem.
| 1978: Rivest, Shamir, and Adleman (RSA)
The most well-known scheme; security is based on the intractability of factoring large integers.
BASIC CONCEPTS IN CRYPTOGRAPHY
| Message Space and Plain Texts:
M denotes a set called the message space. M consists of strings of symbols from an alphabet of definition. An element of M is called a plaintext message or simply a plaintext. For example, M may consist of binary strings, English text, computer code, etc.
| Example: Plain text in English could be the message space.
BASIC CONCEPTS IN CRYPTOGRAPHY
| Ciphertext:
C denotes a set called the ciphertext space. C consists of strings of symbols from an alphabet of definition, which may differ from the alphabet of definition for M. An element of C is called a ciphertext.
| Example: (a) C can be a character string from the English alphabet.
(b) If M is all plain English text, then C can be binary strings.
ENCRYPTION TRANSFORMATIONS
(Figure: M = {m1, m2, m3} is mapped onto C = {c1, c2, c3} by Ek, the encryption function for key = k.)
| An encryption function Ek is a bijection from M to C (otherwise the message cannot be recovered).
| An encryption scheme consists of a set {Ek : k ∈ K} of encryption transformations.
| K is the set of all possible keys.
DECRYPTION TRANSFORMATIONS
| An encryption scheme has a corresponding set {Dd : d ∈ K} of decryption transformations with the property that for each k ∈ K there is a unique key d ∈ K such that Dd(Ek(m)) = m for all m ∈ M.
| An encryption scheme is sometimes referred to as a cipher.
| (k, d) is referred to as a key pair.
| Hence, an encryption scheme is comprised of a message space M, a ciphertext space C, a key space K, a set of encryption functions {Ek : k ∈ K}, and a corresponding set of decryption functions {Dd : d ∈ K}.
A TAXONOMY OF CRYPTOGRAPHIC PRIMITIVES
DISTRIBUTION OF LETTERS IN ENGLISH
HOMOPHONIC SUBSTITUTION CIPHERS
POLYALPHABETIC SUBSTITUTION CIPHER

o Polyalphabetic ciphers have the advantage over simple substitution ciphers that symbol frequencies are not preserved. In the example above, the letter E is encrypted to both O and L.
o However, polyalphabetic ciphers are not significantly more difficult to cryptanalyze.
o In fact, once the block length t is determined, the ciphertext letters can be divided into t groups (where group i, 1 ≤ i ≤ t, consists of those ciphertext letters derived using permutation Pi), and a frequency analysis can be done on each group.
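The per-group frequency analysis described above, as an added example that is not part of the slides: a periodic polyalphabetic shift cipher is built, the ciphertext is split into t groups, and a single-alphabet frequency test recovers each group's permutation. The key, sample text and English frequency table are assumptions for illustration.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate relative letter frequencies of English text (assumed table).
ENGLISH_FREQ = {
    "A": .082, "B": .015, "C": .028, "D": .043, "E": .127, "F": .022, "G": .020,
    "H": .061, "I": .070, "J": .002, "K": .008, "L": .040, "M": .024, "N": .067,
    "O": .075, "P": .019, "Q": .001, "R": .060, "S": .063, "T": .091, "U": .028,
    "V": .010, "W": .024, "X": .002, "Y": .020, "Z": .001,
}
# Constructed sample plaintext: a well-known public-domain English sentence.
SAMPLE_TEXT = ("IT IS A TRUTH UNIVERSALLY ACKNOWLEDGED THAT A SINGLE MAN IN "
               "POSSESSION OF A GOOD FORTUNE MUST BE IN WANT OF A WIFE HOWEVER "
               "LITTLE KNOWN THE FEELINGS OR VIEWS OF SUCH A MAN MAY BE ON HIS "
               "FIRST ENTERING A NEIGHBOURHOOD THIS TRUTH IS SO WELL FIXED IN "
               "THE MINDS OF THE SURROUNDING FAMILIES THAT HE IS CONSIDERED THE "
               "RIGHTFUL PROPERTY OF SOME ONE OR OTHER OF THEIR DAUGHTERS")


def poly_encrypt(plaintext, key):
    """Period-t polyalphabetic cipher: letter i is shifted by key[i mod t].
    Each key letter defines one of the t substitution permutations P_i."""
    text = [c for c in plaintext.upper() if c in ALPHABET]
    t = len(key)
    out = []
    for i, c in enumerate(text):
        shift = ALPHABET.index(key[i % t])
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
    return "".join(out)


def ciphertext_images(letter, plaintext, key):
    """All ciphertext letters one plaintext letter is sent to: more than one,
    which is why a single-alphabet frequency count no longer works directly."""
    text = [c for c in plaintext.upper() if c in ALPHABET]
    ct = poly_encrypt(plaintext, key)
    return {ct[i] for i, c in enumerate(text) if c == letter}


def chi_squared(group, shift):
    """Distance between the letter counts of `group` (un-shifted by `shift`)
    and the expected English distribution. Lower means a better match."""
    counts = Counter(ALPHABET[(ALPHABET.index(c) - shift) % 26] for c in group)
    n = len(group)
    return sum((counts[a] - ENGLISH_FREQ[a] * n) ** 2 / (ENGLISH_FREQ[a] * n)
               for a in ALPHABET)


def recover_key(ciphertext, t):
    """Once the period t is known: group i holds the letters enciphered with
    P_i, so each group is a plain Caesar shift and is analysed on its own."""
    key = []
    for i in range(t):
        group = ciphertext[i::t]
        best = min(range(26), key=lambda s: chi_squared(group, s))
        key.append(ALPHABET[best])
    return "".join(key)


if __name__ == "__main__":
    ct = poly_encrypt(SAMPLE_TEXT, "KEY")
    print(sorted(ciphertext_images("E", SAMPLE_TEXT, "KEY")))
    print(recover_key(ct, 3))
```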
TRANSPOSITION CIPHERS
o Definition: Consider a symmetric-key block encryption scheme with block length t. Let K be the set of all permutations on the set {1, 2, ..., t}. For each e ∈ K define the encryption function:
Ee(m) = {m_e(1) m_e(2) ... m_e(t)}, where m = {m1 m2 ... mt} ∈ M, the message space. The set of all such transformations is called a simple transposition cipher.
o The decryption key corresponding to e is the inverse permutation d = e^-1. To decrypt c = {c1 c2 ... ct}, compute Dd(c) = {c_d(1) c_d(2) ... c_d(t)}.
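The simple transposition cipher of the definition above, as an added example that is not from the slides: encryption applies the permutation e block by block and decryption uses d = e^-1, and a check shows that the letter histogram is untouched. The block length, the permutation and the messages are assumptions for illustration.

```python
from collections import Counter


def inverse_permutation(e):
    """d = e^-1: since d[e[i]] = i, applying d after e returns every symbol
    to its original position."""
    d = [0] * len(e)
    for i, pos in enumerate(e):
        d[pos] = i
    return d


def transpose_block(block, perm):
    """Ee(m) = m_e(1) m_e(2) ... m_e(t): output position i takes m[perm[i]]
    (0-based indices here, 1-based on the slide)."""
    return "".join(block[perm[i]] for i in range(len(perm)))


def encrypt(m, e, pad="X"):
    """Apply the permutation e block by block; the last block is padded to t."""
    t = len(e)
    m += pad * (-len(m) % t)
    return "".join(transpose_block(m[i:i + t], e) for i in range(0, len(m), t))


def decrypt(c, e):
    """Decrypt with the inverse permutation d = e^-1."""
    d = inverse_permutation(e)
    t = len(e)
    return "".join(transpose_block(c[i:i + t], d) for i in range(0, len(c), t))


def letter_counts_preserved(m, c):
    """A transposition only moves symbols around, so the ciphertext has the
    same letter histogram as the (padded) plaintext: symbol frequencies are
    not hidden by transposition alone."""
    return Counter(m) == Counter(c)


if __name__ == "__main__":
    e = [2, 0, 3, 1]                       # assumed permutation, t = 4
    c = encrypt("ATTACKATDAWN", e)
    print(c, decrypt(c, e), letter_counts_preserved("ATTACKATDAWN", c))
```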
PRODUCT CIPHERS
BLOCK CIPHERS BASICS

o Confusion and Diffusion:
A substitution in a round is said to add confusion to the encryption process, whereas a transposition is said to add diffusion.
o Confusion is intended to make the relationship between the key and ciphertext as complex as possible.
o Diffusion refers to rearranging or spreading out the bits in the message so that any redundancy in the plaintext is spread out over the ciphertext. A round then can be said to add both confusion and diffusion to the encryption.
o Most modern block cipher systems apply a number of rounds in succession to encrypt plaintext.
ONE-TIME PAD
The Vernam Cipher is a stream cipher defined on the alphabet A = {0, 1} as follows:
A binary message m1 m2 ... mt is operated on by a binary key string k1 k2 ... kt of the same length to produce a ciphertext string c1 c2 ... ct where ci = mi ⊕ ki.
If the key string is randomly chosen and never used again, the Vernam cipher is called a one-time system or a one-time pad.
ONE-TIME PAD
o The one-time pad can be shown to be theoretically unbreakable. That is, if a cryptanalyst has a ciphertext string c1 c2 ... ct encrypted using a random key string which has been used only once, the cryptanalyst can do no better than guess at the plaintext being any binary string of length t (i.e., t-bit binary strings are equally likely as plaintext).
o It has been proven that to realize an unbreakable system requires a random key of the same length as the message. This reduces the practicality of the system in all but a few specialized situations.
o Reportedly, until very recently the communication line between Moscow and Washington was secured by a one-time pad.
o Transport of the key was done by trusted courier.
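The Vernam cipher ci = mi ⊕ ki on bytes, as an added example that is not from the slides. It shows both halves of the argument above: any candidate plaintext of length t is consistent with some key (so a single-use random pad gives the cryptanalyst nothing to go on), and reusing the pad lets the key cancel out. The messages and the pad source are assumptions for illustration.

```python
import os


def xor_bytes(a, b):
    """Bytewise XOR of two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def vernam(data, key):
    """c_i = m_i XOR k_i. The same call decrypts, since (m XOR k) XOR k = m.
    The pad must be at least as long as the message."""
    if len(key) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(data, key)


def consistent_key(ciphertext, candidate):
    """For ANY candidate plaintext of the same length there is a key that maps
    it to this ciphertext, so from the ciphertext alone every t-byte plaintext
    is equally plausible: this is the 'can do no better than guess' property."""
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(c1, c2):
    """What an eavesdropper obtains if one pad encrypts two messages: the key
    cancels and c1 XOR c2 = m1 XOR m2, a key-independent relation between the
    plaintexts. This is why the key must never be used again."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m1, m2 = b"attack at dawn", b"retreat at dusk"      # constructed messages
    pad = os.urandom(len(m2))                            # fresh random pad
    c1 = vernam(m1, pad)
    print(vernam(c1, pad) == m1)
    print(two_time_pad_leak(c1, vernam(m2, pad)) == xor_bytes(m1, m2))
```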
WWII: THE ENIGMA MACHINE

Electromechanical Device:
Three Rotors are the primary features of the machine
ENIGMA ARCHITECTURE
A CASE FOR (OR AGAINST) ONE-TIME PAD?
UNCONDITIONALLY SECURED?
| Conventional Wisdom:
IF the OTP is used properly, with all the reservations that we clearly know by now, it is unconditionally secure. However, the OTP is a very difficult system to use properly, and the chance of a catastrophic key-management failure is too high to neglect in most situations.

| Perspective:
The OTP which is "unconditionally secure" is not the same as the realized OTP which is used in practice. The theoretical OTP has an ideal random keying source. This source does not exist in reality. Consequently, the "unconditionally secure" OTP also does not exist in reality.

There is another level of deviation here, before discussing a stream cipher. That is the ever-increasing "entropy" in the output of the practically-realized random generator used for OTP keying material. Actually, we cannot measure this entropy. However, there is the possibility that the generator produces less "entropy" than we expect, and the plaintext has more "entropy" than we expect. In this case, the plaintext will not be protected. Actually, it will "leak" information, even if just one bit.

Clearly, any such system could not be unconditionally secure, even if generally secure in practice.
FEISTEL NETWORKS
Remember the iterated step of DES:
L1 = R0, R1 = L0 ⊕ f(R0, K0).

Suppose that computing f(R0, K0) is easy if you know R0 and K0 but impossible if you do not know K0.

If you know L1, R1 and K0 then R0 = L1 and L0 = R1 ⊕ f(L1, K0).
If you do not know f(L1, K0) it is impossible to learn L0.
By iterating twice it becomes impossible to learn R0 or L0 from R2 and L2 without K.

Note that we never invert f!

To the degree that K is hard to guess and f does not leak information about K, we get security.

The art is to design such an f that is as easy to implement as possible.

The possible
GOST PICTORIAL
Key schedule is simple.
S-boxes are 4-bit permutations and are left unspecified. Example S-boxes are given.
The left circular shift is 11 bits.
Li = Ri-1, Ri = Li-1 ⊕ f(Ri-1, Ki-1).

Does this look familiar?
It's exactly the same Feistel network as DES!
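The Feistel round Li = Ri-1, Ri = Li-1 ⊕ f(Ri-1, Ki-1) shared by DES and GOST, as an added example that is not from the slides. The round function f, the key schedule and the 64-bit block split are toy assumptions; the point it demonstrates is the one made above: decryption runs the same rounds backwards with the round keys reversed and only ever evaluates f, never inverts it.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def f(right, round_key):
    """Toy round function: a keyed hash truncated to 32 bits. It is not
    invertible, and that is fine, because a Feistel network never inverts f."""
    data = right.to_bytes(4, "big") + round_key.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key, rounds):
    """Toy schedule: round key K_i is 32 bits derived from the 64-bit key."""
    return [int.from_bytes(hashlib.sha256(key.to_bytes(8, "big") + bytes([i]))
                           .digest()[:4], "big") for i in range(rounds)]


def feistel_encrypt(block, key, rounds=16):
    """64-bit block split as (L0, R0); each round applies
    L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_{i-1})."""
    left, right = block >> 32, block & MASK32
    for rk in key_schedule(key, rounds):
        left, right = right, left ^ f(right, rk)
    return (left << 32) | right


def feistel_decrypt(block, key, rounds=16):
    """Run the rounds backwards with the round keys reversed: from (L_i, R_i)
    recover R_{i-1} = L_i and L_{i-1} = R_i XOR f(L_i, K_{i-1}). Knowing
    K_{i-1} is all that is needed; f is evaluated forward, never inverted."""
    left, right = block >> 32, block & MASK32
    for rk in reversed(key_schedule(key, rounds)):
        left, right = right ^ f(left, rk), left
    return (left << 32) | right


if __name__ == "__main__":
    block, key = 0x0123456789ABCDEF, 0x133457799BBCDFF1    # constructed values
    ct = feistel_encrypt(block, key)
    print(hex(ct), feistel_decrypt(ct, key) == block)
```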
USING CIPHERS (ECB MODE)
| We have so far discussed only block ciphers. These are ciphers that operate on fixed lengths of data. What if you wish to encrypt more than the block size?
| The simplest mode of operation is called Electronic Codebook mode (ECB). The data is broken into segments the size of the cipher's block size (padding may be necessary).
| Each block is then encrypted.
Are there any problems with this mode?
ONE PROBLEM WITH ECB
| If the block size of the algorithm is b, then ECB with a fixed key defines a mapping from b-bit blocks of plaintext to b-bit blocks of ciphertext.
| A table could be compiled with 2^b elements defining the mapping. This would usually not be practical. The name ECB came from here!
| If messages have lots of redundancy, or common runs of bits, these blocks will always encrypt to the same ciphertext, and will potentially be recognized by an attacker irrespective of the strength of the cipher.
| Suppose the responses yes or no are often sent; if they are ever distinguished, then in the future the attacker will always be able to distinguish them.
| Soldiers usually use certain words in the battlefield!
| These words are used for a Probable Text Attack!
ANOTHER PROBLEM WITH ECB: BLOCK REPLAY
| Suppose messages have some standard formatting; an attacker could replay old blocks to modify a message.
| Suppose a bank sends deposit notifications to other banks with 2 blocks: the first block has the account number to deposit into, and the second block has the amount. By saving messages an attacker could change the amounts or account number to previously sent blocks.
| The attacker might not even know how the message was changed, but the authenticity of the message has been destroyed.
ECB SUMMARY
| Security:
1. Plaintext patterns are not concealed.
2. Input to the block cipher is not randomized; it is the same as the plaintext.
3. More than one message can be encrypted with the same key.
4. Plaintext is easy to manipulate; blocks can be removed, repeated, or interchanged.

Conclusion: In block ciphers, DO NOT use ECB mode.
CIPHER BLOCK CHAINING (CBC MODE)
| One solution to the problems of ECB is to chain the output from one block to the next. To start the chaining an initial block (unique to each message) is used (call it C0).
| In this mode, identical messages encrypt to different outputs. This makes replay impossible.
(Callout: Attacks on this mode are now almost automated!!)
CBC SUMMARY (CONT)
| Efficiency:
+ Speed is the same as the block cipher.
- Ciphertext is up to one block longer than the plaintext, not counting the IV.
- No preprocessing is possible.
+/- Encryption is not parallelizable; decryption is parallelizable and has a random-access property.
| Fault-tolerance:
- A ciphertext error affects one full block of plaintext and the corresponding bit in the next block.
- Synchronization error is unrecoverable.
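The two ECB problems above (pattern leakage and block splicing in the bank example) next to CBC's behaviour, including the CBC error-propagation claim in the summary, as an added example that is not from the slides. To keep the effects visible on short messages it uses a toy 8-bit block cipher (a keyed random permutation of byte values); that cipher, the [account][amount] message layout and the key and IV values are assumptions for illustration.

```python
import random


def toy_block_cipher(key):
    """Toy 8-bit block cipher: a keyed random permutation of byte values.
    Returns the encryption table E and its inverse D (E is a bijection)."""
    enc = list(range(256))
    random.Random(key).shuffle(enc)
    dec = [0] * 256
    for x, y in enumerate(enc):
        dec[y] = x
    return enc, dec


def ecb_encrypt(key, msg):
    enc, _ = toy_block_cipher(key)
    return bytes(enc[m] for m in msg)            # every block encrypted on its own


def ecb_decrypt(key, ct):
    _, dec = toy_block_cipher(key)
    return bytes(dec[c] for c in ct)


def cbc_encrypt(key, iv, msg):
    enc, _ = toy_block_cipher(key)
    out, prev = [], iv                           # prev starts as C0, the IV
    for m in msg:
        prev = enc[m ^ prev]                     # C_i = E_k(M_i XOR C_{i-1})
        out.append(prev)
    return bytes(out)


def cbc_decrypt(key, iv, ct):
    _, dec = toy_block_cipher(key)
    out, prev = [], iv
    for c in ct:
        out.append(dec[c] ^ prev)                # M_i = D_k(C_i) XOR C_{i-1}
        prev = c
    return bytes(out)


def repeated_blocks(ct):
    """Number of ciphertext blocks that repeat an earlier block (ECB leaks
    exactly the repetition structure of the plaintext)."""
    return len(ct) - len(set(ct))


def spliced_deposit(key, account, amount, saved_amount_block):
    """The slide's bank example under ECB: message = [account][amount]. An
    amount block saved from an earlier message is spliced in; the bank decrypts
    a well-formed message whose amount has silently changed. ECB provides no
    integrity, which is why a MAC or an authenticated mode is needed."""
    ct = bytearray(ecb_encrypt(key, bytes([account, amount])))
    ct[1] = saved_amount_block
    return ecb_decrypt(key, bytes(ct))


def cbc_after_bit_error(key, iv, msg, i):
    """One flipped ciphertext bit in block i: block i decrypts to garbage,
    block i+1 has exactly that bit flipped, later blocks are unaffected."""
    ct = bytearray(cbc_encrypt(key, iv, msg))
    ct[i] ^= 0x01
    return cbc_decrypt(key, iv, bytes(ct))
```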
CIPHER FEEDBACK (CFB MODE)
| Suppose you must encrypt blocks smaller than
the block size of the cipher. Cipher Feedback is
a mode that allows one to turn a block cipher
into a stream cipher:
CFB SUMMARY
| Security:
+ Plaintext patterns are concealed.
+ Input to the block cipher is randomized.
+ More than one message can be encrypted with the same key, provided that a different IV is used.
+/- Plaintext is somewhat difficult to manipulate; blocks can be removed from the beginning and end of the message, bits of the first block can be changed, and repetition allows some controlled changes.
CFB SUMMARY (CONT.)
| Efficiency:
- Speed is strictly less than that of the block cipher.
+ Ciphertext is the same size as the plaintext, not counting the IV.
+/- Encryption is not parallelizable; decryption is parallelizable and has a random-access property.
- Some preprocessing is possible before a block is seen; the previous ciphertext block can be encrypted.
| Fault-tolerance:
- A ciphertext error affects the corresponding bit of plaintext and the next full block.
+ Synchronization errors of full block sizes are recoverable. 1-bit CFB can recover from the addition or loss of single bits.
OUTPUT FEEDBACK (OFB MODE)
| OFB is another way to encrypt smaller blocks of data at a time. This is very similar to CFB.
OFB SUMMARY
| Security:
+ Plaintext patterns are concealed.
+ Input to the block cipher is randomized.
+ More than one message can be encrypted with the same key, provided that a different IV is used.
- Plaintext is very easy to manipulate; any change in ciphertext directly affects the plaintext.
OFB SUMMARY (CONT.)
| Efficiency:
- Speed is strictly less than that of the block cipher.
- Ciphertext is the same size as the plaintext, not counting the IV.
+ Processing is possible before the message is seen.
+ OFB processing is not parallelizable.
| Fault-tolerance:
+ A ciphertext error affects only the corresponding bit of plaintext.
- Synchronization error is unrecoverable.
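The fault-tolerance rows of the CFB and OFB summaries, as an added example that is not from the slides: full-block CFB and OFB are built on a toy 8-bit block cipher (a keyed permutation of byte values, used only in the forward direction) and then fed a single flipped ciphertext bit and a dropped ciphertext block. The cipher, key, IV and message are assumptions for illustration.

```python
import random


def toy_cipher(key):
    """Toy 8-bit block cipher: a keyed permutation of byte values. CFB and
    OFB only ever run it forward, so its inverse is never needed."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    return table.__getitem__


def cfb(key, iv, data, decrypt=False):
    """Full-block CFB: C_i = M_i XOR E_k(C_{i-1}), C_0 = IV. The same formula
    decrypts; the only difference is which value is fed back (the ciphertext
    block in both directions)."""
    E = toy_cipher(key)
    out, prev = [], iv
    for x in data:
        y = x ^ E(prev)
        out.append(y)
        prev = x if decrypt else y
    return bytes(out)


def ofb(key, iv, data):
    """OFB: S_i = E_k(S_{i-1}), S_0 = IV; C_i = M_i XOR S_i. The key stream
    depends only on key and IV, so encryption and decryption are identical."""
    E = toy_cipher(key)
    out, state = [], iv
    for x in data:
        state = E(state)
        out.append(x ^ state)
    return bytes(out)


def cfb_after_bit_error(key, iv, msg, i):
    """Flip one bit of ciphertext block i, then decrypt: that bit of block i
    is flipped, block i+1 is garbage, block i+2 onward is correct."""
    ct = bytearray(cfb(key, iv, msg))
    ct[i] ^= 0x80
    return cfb(key, iv, bytes(ct), decrypt=True)


def ofb_after_bit_error(key, iv, msg, i):
    """Same error under OFB: only the corresponding plaintext bit changes."""
    ct = bytearray(ofb(key, iv, msg))
    ct[i] ^= 0x80
    return ofb(key, iv, bytes(ct))


def cfb_after_lost_block(key, iv, msg, i):
    """Drop ciphertext block i (a synchronization error): one block after the
    gap is garbled, then the feedback register is back in step."""
    ct = cfb(key, iv, msg)
    return cfb(key, iv, ct[:i] + ct[i + 1:], decrypt=True)


def ofb_after_lost_block(key, iv, msg, i):
    """Under OFB the key stream stays shifted by one block forever: nothing
    after the gap is recoverable."""
    ct = ofb(key, iv, msg)
    return ofb(key, iv, ct[:i] + ct[i + 1:])
```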
BLOCK CIPHER OR STREAM CIPHER?
THAT IS THE QUESTION!
STREAM CIPHER STRUCTURE
(Figure: a PRG takes the key and IV and produces a key stream; the key stream is combined with the message to give the cipher, which is sent along with the IV. This emulates a one-time pad.)
PRG WITH KEY ONLY (old version)
(Figure: setup phase: the key goes through key setup into the inner state. Key-stream generation phase: the inner state drives f to produce the key stream.)
PRG WITH KEY/IV (new version)
(Figure: setup phase: the key and IV go through a hash / key derivation function and key/IV setup into the inner state. Key-stream generation phase: a pseudo-random function f of the inner state produces the key stream.)
STREAM CIPHERS: NARROW DEFINITION
| Let b be the block length of the stream cipher. Let ⊕ denote bitwise XOR; then the stream cipher works as follows:
1. A pseudo-random generator (PRG) expands a short key and initialization vector (IV) into a long pseudo-random key stream, consisting of b-bit words s0, s1, ...
2. The plaintext is divided into b-bit blocks m0, m1, ..., ml-1.
3. It is encrypted by computing b-bit ciphertext blocks ci = mi ⊕ si for i = 0, 1, 2, ..., l-1.
4. Decryption is performed by reconstructing the message: mi = ci ⊕ si for i = 0, 1, 2, ..., l-1.

The problem with this definition is that it does not cover all types of stream ciphers, such as self-synchronizing stream ciphers or stream ciphers with authentication. Also b can be 1, 8, 32, or even 64 bits!
UNIVERSAL SECURE ENCRYPTION (USE)
| Definition:
A universal secure encryption scheme is a cipher with the additional properties that: (a) it can process messages of arbitrary bit length and (b) it is secure.

Problem: Block ciphers in ECB mode are not secure!

Block ciphers should never be used in ECB mode!

Actually, one has to use block ciphers in a mode, such as CTR or OFB, that resembles a stream cipher to be USE!
STREAM CIPHERS: BROAD DEFINITION
| Encrypt individual characters of a plaintext message one at a time, using an encryption transformation which varies with time (the transformation is done in a time-varying fashion).
| By contrast, block ciphers tend to simultaneously encrypt groups of characters of a plaintext message using a fixed encryption transformation.
| In practice both stream and block ciphers work on b-bit blocks from 1 to 256 bits.
| All USE are stream ciphers according to this definition; however, block ciphers in CTR, CBC or OFB mode are USE, but not in ECB mode.
WHICH IS SECURE; BLOCK OR STREAM CIPHER?
| Depending on the interpretation of stream cipher, some or all block cipher modes of operation are stream ciphers.
| Therefore, stream ciphers, in general, are not less secure than block ciphers.
| The bad reputation of stream ciphers came from using the LFSR approach, making it easy for linear attacks.
| However, this situation has considerably changed!
CIPHER SECURITY
A cipher is secure if an adversary is unable to win this informal game:
1. The adversary sends (IV, k, m) for stream ciphers or (k, m) for block ciphers to an oracle and receives a bit stream of length equal to the message size in reply.
2. He wins if he can tell whether the bit stream was generated by a cipher or whether it is random.
SEMANTIC SECURITY
Magdy Saeb
SEMANTIC SECURITY
Goldwasser & Micali demonstrated that semantic security is equivalent to ciphertext indistinguishability. Indistinguishability under Chosen Plaintext Attack (IND-CPA) is commonly defined by the following game:
1. A probabilistic polynomial time-bounded adversary is given a public key, which he may use to generate any number of ciphertexts (within polynomial bounds).
2. The adversary generates two equal-length messages and sends them to a challenge oracle along with the key.
3. The challenge oracle selects one of the messages by flipping a fair coin, encrypts the message and then sends the resulting ciphertext to the adversary.
4. The adversary wins the game if he can distinguish which message was chosen by the oracle with a probability significantly greater than 1/2 (the success rate of random guessing).
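The IND-CPA game above played against the two symmetric stream-cipher designs from the PRG slides (key only, versus key plus a fresh IV), as an added example that is not from the slides; it also illustrates the USE point that a deterministic mode cannot be secure. The slide states the game for public-key encryption; here the adversary gets an encryption oracle instead of a public key. The toy SHA-256 key-stream generator, the scheme names and the messages are assumptions for illustration.

```python
import hashlib
import random


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(seed, length):
    """Toy PRG: SHA-256 of (seed || counter), concatenated. It stands in for
    the key-stream generator of the stream-cipher slides; not a real cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def key_only_stream(key, m, rng):
    """'PRG with key only': every message under this key gets the SAME key
    stream, so encryption is deterministic (a two-time pad in disguise)."""
    return xor(m, keystream(key, len(m)))


def key_iv_stream(key, m, rng):
    """'PRG with key/IV': a fresh random IV is mixed into the seed for every
    message and sent in the clear, as in CTR/OFB style modes."""
    iv = rng.getrandbits(64).to_bytes(8, "big")
    return iv + xor(m, keystream(key + iv, len(m)))


def distinguisher(oracle, challenge, m0):
    """The adversary: ask the oracle to encrypt m0 again and guess 'm0 was
    chosen' exactly when the answer equals the challenge ciphertext."""
    return 0 if oracle(m0) == challenge else 1


def ind_cpa_win_rate(scheme, trials=1000, seed=1):
    """Play the game `trials` times: a fresh key, the adversary's two
    equal-length messages, the challenger's fair coin, one challenge
    ciphertext, one guess. A secure scheme keeps the rate near 1/2."""
    rng = random.Random(seed)
    m0, m1 = b"YES", b"NO!"                      # equal-length messages
    wins = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        oracle = lambda m, k=key: scheme(k, m, rng)
        b = rng.getrandbits(1)                   # the challenger's coin
        challenge = oracle((m0, m1)[b])
        wins += distinguisher(oracle, challenge, m0) == b
    return wins / trials


if __name__ == "__main__":
    print("key only :", ind_cpa_win_rate(key_only_stream))   # adversary always wins
    print("key + IV :", ind_cpa_win_rate(key_iv_stream))     # close to 0.5
```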
Results of encrypting images using Pyramids and RC6 (ECB mode)
(Figure: the original image, the image encrypted using Pyramids, and the image encrypted using RC6.)
VIRTUAL PRIVATE NETWORKS
EXAMPLE OF THE VPN USING
ENCRYPTION ALGORITHMS
LOW-LEVEL OPERATIONS
DES: The Data Encryption Standard is the most well-known symmetric key block cipher. After analyzing the DES algorithm, we have deduced the following low-level operations:
- Integer addition.
- Bitwise exclusive or (XOR).
- Concatenation.
RSA : THE RSA CRYPTO SYSTEM IS NAMED AFTER ITS
INVENTORS RIVEST, SHAMIR, AND ADLEMAN. AFTER
STUDYING THIS ALGORITHM, WE HAVE EXTRACTED THE
FOLLOWING LOW-LEVEL OPERATIONS:

- INTEGER MULTIPLICATION.
- INTEGER DIVISION.
- INVERSE.
- MOD.
- COMPARE.
- CONCATENATE
IDEA: ANALYZING THE INTERNATIONAL DATA
ENCRYPTION ALGORITHM, WE WERE ABLE TO EXTRACT
THE FOLLOWING LOW-LEVEL OPERATIONS:

- INTEGER ADDITION.
- INTEGER MULTIPLICATION.
- BITWISE EXCLUSIVE OR.
- SHIFT LEFT.
- SHIFT RIGHT.
SAFER: STUDYING THE SECURE AND FAST
ENCRYPTION ROUTINE ALGORITHM, WE HAVE
FOUND THAT THIS ALGORITHM IS BASED ON THE
FOLLOWING LOW-LEVEL OPERATIONS:
- BITWISE XOR.
- ADDITION.
- CIRCULATE RIGHT.
RC5: RC5 IS A SYMMETRIC ENCRYPTION ALGORITHM
DEVELOPED BY RON RIVEST. RC5 WAS DESIGNED TO BE
SUITABLE FOR HARDWARE AND SOFTWARE
IMPLEMENTATIONS. WE HAVE FOUND THAT THIS
ALGORITHM IS BASED ON FOUR LOW-LEVEL
OPERATIONS:

- BITWISE XOR.
- ADDITION.
- SHIFT LEFT.
- SHIFT RIGHT.
YAEA : YET-ANOTHER-ENCRYPTION-ALGORITHM
WAS DEVELOPED BY SAEB AND BAITH. THIS ALGORITHM
CONTAINS ONLY TWO LOW-LEVEL OPERATIONS

- CIRCULATE LEFT.
- BITWISE XOR.
AES CANDIDATES
RC6 : RC6 IS ONE OF THE FIVE FINALISTS FOR THE
ADVANCED ENCRYPTION STANDARD (AES). RC6 ALGORITHM
WAS DEVELOPED BY THE RSA SECURITY LABORATORIES. IT IS A
BLOCK CIPHER ALGORITHM DESIGNED TO HANDLE 128
INPUT/OUTPUT BLOCKS, WE HAVE DEDUCED THE FOLLOWING
LOW-LEVEL OPERATIONS.
- BASE-TWO LOGARITHM
- BITWISE EXCLUSIVE OR.
- INTEGER ADDITION.
- INTEGER SUBTRACTION.
- INTEGER MULTIPLICATION.
- CIRCULATE LEFT.
- CIRCULATE RIGHT.
MARS : AFTER ANALYZING MARS ALGORITHM, WE
HAVE DEDUCED SEVEN OPERATIONS.

- BITWISE XOR.
- ADDITION.
- SHIFT LEFT.
- SHIFT RIGHT.
- MULTIPLICATION.
- CIRCULATE LEFT.
- CIRCULATE RIGHT.
RIJNDAEL : AFTER ANALYZING THE RIJNDAEL
ALGORITHM, WE FOUND ONLY TWO OPERATIONS.

- MATRIX MULTIPLICATION.
- BITWISE XOR.
SERPENT: WE HAVE DEDUCED THE FOLLOWING
THREE OPERATIONS THAT ARE EASY TO IMPLEMENT IN
FPGA.

- BITWISE XOR.
- CIRCULATE LEFT.
- CIRCULATE RIGHT.
TWOFISH: AFTER ANALYZING THE TWOFISH
ALGORITHM, WE HAVE DEDUCED THE FOLLOWING FIVE
OPERATIONS

- BITWISE XOR.
- ADDITION.
- SHIFT RIGHT
- SHIFT LEFT.
- MULTIPLICATION.
Ciphers' number of low-level operations versus time

Cipher      DES   IDEA  RC5   SAFER  RC6   TwoFish  YAEA  MARS  Rijndael  SERPENT
Operations  3     5     4     4      5     4        2     5     3         3
Year        1976  1990  1995  1994   1998  1998     1998  1999  1999      2000

Average number of operations = 4.167 (earlier group); average number of operations = 3.67 (later group).

As time goes by, the number of operations is decreasing and approaching two operations!
Remember, the most secure OTP is only one operation (XOR)!
Bit-balanced Operations:
| XOR
| INV
| ROT

Remember that OTP has only one operation (XOR).

Actually a computer can be built with a single operation instruction set (SUBST)!
NOTES ON WELL-KNOWN CIPHERS
RELATIVE STANDING OF FINALISTS
(Figure: the five finalists placed on three axes. Software vs. Hardware: MARS, Rijndael, RC6, TwoFish, SERPENT. Simplicity vs. Complexity: Rijndael, SERPENT, MARS, RC6, TwoFish. Small vs. Large Security Margin: Rijndael, MARS, RC6, TwoFish, SERPENT.)
RELATIVE SCORES OF FINALISTS

Criterion             MARS  RC6  Rijndael  Serpent  TwoFish
General Security      3     2    2         3        3
Implementation        1     1    3         3        2
Software Performance  2     2    3         1        1
Hardware Performance  1     2    3         3        2
Design Features       2     1    2         1        3
ROUNDS AND KEY SPACE FOR A SELECTED NUMBER OF CIPHERS

Cipher         Rounds               Key Size in bits
MARS           8                    128, 192, 256
RC6            20                   128, 192, 256
Serpent        32                   128, 192, 256
TwoFish        16                   128, 192, 256
Rijndael       10, 12, 14           128, 192, 256
Pyramids       8                    64, 128, 256
Chameleon-192  Variable, minimum 4  Variable, standard 192, 384
WHY WE NEED A KEY?
(Figure: the key k drives a bijection function from Plaintext, ordered information with low entropy, to Ciphertext, disordered data with high entropy.)
The better the key (more random for the same number of bits), the more separation, measured in Hamming distance, between the plaintext and the ciphertext. As the key approaches an empty set, the separation tends to zero, a collapsed state. The maximum separation, or in other words a Hamming distance equal to 1.0, is achieved by the most robust key! The key represents not only the excitation agent required to change the state from plaintext to ciphertext, but also the required external input to perform this process.
KEYLESS?
| NO!
| The key is the Entropy Source!
| You have to have a secret to secretly communicate.
VISUAL CRYPTOGRAPHY
| Example
| Secret Sharing
  - All n parties can get together to recover a secret S
  - Less than n parties can not recover the secret
| Model
  - Introduced by Shamir and Naor at Eurocrypt 94.
  - Used to encrypt printed material
  - Decoding is performed by the human visual system directly
  - The image is encoded into n shadow images and each participant receives one share
BASIC METHOD
(Figure: the six 2x2 subpixel patterns 0011, 1100 (horizontal shares), 0101, 1010 (vertical shares), 0110, 1001 (diagonal shares).)
RIJMEN AND PRENEEL'S METHOD
(Figure: two examples of Pattern1, Pattern2 and their combined result.)
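The basic 2-out-of-2 method with the six subpixel patterns from the BASIC METHOD slide, as an added example that is not from the slides: each pixel becomes a 2x2 cell on two shadow images, stacking the shares is a per-subpixel OR, and the eye reads 4 black subpixels as black and 2 as white. The bit image, the random choice of patterns and the seed are assumptions for illustration.

```python
import random

# The six 2x2 subpixel patterns from the slide, read row by row (1 = black),
# grouped as complementary pairs: horizontal, vertical, diagonal.
PATTERNS = ["0011", "1100", "0101", "1010", "0110", "1001"]
COMPLEMENT = {"0011": "1100", "1100": "0011", "0101": "1010",
              "1010": "0101", "0110": "1001", "1001": "0110"}


def share_pixel(bit, rng):
    """2-out-of-2 scheme: share 1 gets a random pattern whatever the pixel is.
    For a white pixel (0) share 2 gets the same pattern; for a black pixel (1)
    it gets the complementary one."""
    p = rng.choice(PATTERNS)
    return p, (COMPLEMENT[p] if bit else p)


def make_shares(image, seed=0):
    """Encode a bit image (list of rows of 0/1) into two shadow images, each a
    grid of 4-character subpixel patterns."""
    rng = random.Random(seed)
    share1, share2 = [], []
    for row in image:
        pairs = [share_pixel(bit, rng) for bit in row]
        share1.append([p for p, _ in pairs])
        share2.append([q for _, q in pairs])
    return share1, share2


def stack(share1, share2):
    """Laying one transparency over the other: a subpixel is black if it is
    black on either share (bitwise OR)."""
    return [["".join("1" if a == "1" or b == "1" else "0" for a, b in zip(p, q))
             for p, q in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def decode(stacked):
    """What the eye sees: a cell with all 4 subpixels black is black; a cell
    with only 2 black subpixels reads as white (grey)."""
    return [[1 if cell.count("1") == 4 else 0 for cell in row] for row in stacked]


if __name__ == "__main__":
    image = [[0, 1, 0], [1, 1, 0], [0, 0, 1]]            # constructed 3x3 image
    s1, s2 = make_shares(image, seed=7)
    print(decode(stack(s1, s2)) == image)
```

Share 1 is drawn without looking at the pixel, so a single share is the same distribution for every image; only the OR of both reveals the picture.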


SELECTED REFERENCES
| M. Naor and A. Shamir, Visual Cryptography, Eurocrypt 94 Proceedings.
| G. Ateniese, C. Blundo, A. De Santis and D. R. Stinson, Visual Cryptography for General Access Structures, Information and Computation, 1996.
