Information and Network Security
Lecture 2
Dr. Hadi AL Saadi
Objectives
To introduce modern block ciphers and discuss theircharacteristics
To explain why modern block cipher needs to be designedas substitution ciphers
To introduce the components of block ciphers such as P-Box and S-Box
To introduce stream ciphers and to distinguish betweensynchronous and nonsynchronous stream ciphers.
To discuss linear and nonlinear feedback shift registers forimplementing stream ciphers.
2-1 MODERN BLOCK CIPHERS2-1 MODERN BLOCK CIPHERS
A symmetric-key modern block cipher encrypts ann-bit block of plaintext or decrypts an n-bit block ofciphertext. The encryption or decryption algorithm usesa k-bit key.A symmetric-key modern block cipher encrypts ann-bit block of plaintext or decrypts an n-bit block ofciphertext. The encryption or decryption algorithm usesa k-bit key.
The common value forn are 64,128,256 and512 bits
How many padding bits must be added to a message of 100characters if 8-bit ASCII is used for encoding and the block cipheraccepts blocks of 64 bits?How many padding bits must be added to a message of 100characters if 8-bit ASCII is used for encoding and the block cipheraccepts blocks of 64 bits?
Example 2. 1
Encoding 100 characters using 8-bit ASCII results in an 800-bitmessage. The plaintext must be divisible by 64. If | M | and|Pad| are the length of the message and the length of thepadding,Encoding 100 characters using 8-bit ASCII results in an 800-bitmessage. The plaintext must be divisible by 64. If | M | and|Pad| are the length of the message and the length of thepadding,
SolutionSolution
2.1.1 Substitution or Transposition
A modern block cipher can be designed to act as asubstitution cipher or a transposition cipher.
To be resistant to exhaustive-search attack,a modern block cipher needs to be designed asa substitution cipher.
Note
Suppose that we have a block cipher where n = 64. If there are10 1’s in the ciphertext, how many trial-and-error tests does Eveneed to do to recover the plaintext from the interceptedciphertext in each of the following cases?Suppose that we have a block cipher where n = 64. If there are10 1’s in the ciphertext, how many trial-and-error tests does Eveneed to do to recover the plaintext from the interceptedciphertext in each of the following cases?
a. The cipher is designed as a substitution cipher. a. The cipher is designed as a substitution cipher.
b. The cipher is designed as a transposition cipher. b. The cipher is designed as a transposition cipher.
Example 2.2
a.In the first case, Eve has no idea how many 1’s are in the plaintext. Eveneeds to try all possible 264 64-bit blocks to find one that makes sense.a.In the first case, Eve has no idea how many 1’s are in the plaintext. Eveneeds to try all possible 264 64-bit blocks to find one that makes sense.
SolutionSolution
b.In the second case, Eve knows that there are exactly 10 1’s in theplaintext because transposition does not change the number of 1’s ( or0’s) in the cipher text. Eve can launch an exhaustive-search attack usingonly those 64-bit blocks that have exactly 10 1’s.b.In the second case, Eve knows that there are exactly 10 1’s in theplaintext because transposition does not change the number of 1’s ( or0’s) in the cipher text. Eve can launch an exhaustive-search attack usingonly those 64-bit blocks that have exactly 10 1’s.
Note: to be resistant to exhaustive search attack , a modern block cipherneeds to be designed as substitution cipher
2.1.2 Block Ciphers as Permutation Groups
Full-Size Key Transposition Block Ciphers
In a full-size key transposition cipher We need to have n!possible keys, so the key should have log2 n! bits.
Example 2.3
Show the model and the set of permutation tables for a 3-bitblock transposition cipher where the block size is 3 bits.Show the model and the set of permutation tables for a 3-bitblock transposition cipher where the block size is 3 bits.
SolutionSolution
The set of permutation tables has 3! = 6 elements, as shown inFigure 2.2.The set of permutation tables has 3! = 6 elements, as shown inFigure 2.2.
Figure 2.2 A transposition block cipher modeled as a permutation
Full-Size Key Substitution Block Ciphers
A full-size key substitution cipher does not transpose bits; itsubstitutes bits. We can model the substitution cipher as apermutation if we can decode the input and encode theoutput. In a full-size key substitution cipher we need tohave 2n! possible keys, so the key should have log2 2n! bits
Example 2.4
Show the model and the set of permutation tables for a 3-bitblock substitution cipher.Show the model and the set of permutation tables for a 3-bitblock substitution cipher.
Figure 2.3 shows the model and the set of permutation tables.The key is also much longer, log240,320= 16 bits. (8!=40,320)Figure 2.3 shows the model and the set of permutation tables.The key is also much longer, log240,320= 16 bits. (8!=40,320)
SolutionSolution
2.1.3 Block Ciphers as Substitution Groups
Figure 2.3 A substitution block cipher model as a permutation
A full-size key n-bit transposition cipher or asubstitution block cipher can be modeled as apermutation, but their key sizes are different:
Note
Transposition: the key is log2n! bits long.
Substitution: the key is log2(2n)!bits long.
Modern block ciphers normally are keyed substitutionciphers in which the key allows only partial mappings fromthe possible inputs to the possible outputs.
2.1.3 Components of a Modern Block Cipher
A P-box (permutation box) parallels the traditionaltransposition cipher for characters. It transposes bits.
P-Boxes
Example 2.5
Figure 2.5 The possible mappings of a 3 × 3 P-box
Figure 2.5 shows all 6 possible mappings of a 3 × 3 P-box.Figure 2.5 shows all 6 possible mappings of a 3 × 3 P-box.
Table 2.1 Example of a permutation table for a straight P-box
Straight P-Boxes
Example 2.6
Design an 8 × 8 permutation table for a straight P-box thatmoves the two middle bits (bits 4 and 5) in the input word to thetwo ends (bits 1 and 8) in the output words. Relative positions ofother bits should not be changed.Design an 8 × 8 permutation table for a straight P-box thatmoves the two middle bits (bits 4 and 5) in the input word to thetwo ends (bits 1 and 8) in the output words. Relative positions ofother bits should not be changed.
SolutionSolution
We need a straight P-box with the table [4 1 2 3 6 7 8 5]. Therelative positions of input bits 1, 2, 3, 6, 7, and 8 have not beenchanged, but the first output takes the fourth input and theeighth output takes the fifth input.We need a straight P-box with the table [4 1 2 3 6 7 8 5]. Therelative positions of input bits 1, 2, 3, 6, 7, and 8 have not beenchanged, but the first output takes the fourth input and theeighth output takes the fifth input.
Compression P-Boxes
A compression P-box is a P-box with n inputs and moutputs where m < n.
Table 2.2 Example of a 32 × 24 permutation table
Expansion P-Boxes
An expansion P-box is a P-box with n inputs and m outputswhere m > n.
Table 2.3 Example of a 12 × 16 permutation table
P-Boxes: Invertibility
A straight P-box is invertible, but compression andexpansion P-boxes are not.
Note
Example 2.7
Figure 2.6 shows how to invert a permutation table representedas a one-dimensional table.Figure 2.6 shows how to invert a permutation table representedas a one-dimensional table.
Figure 2.6 Inverting a permutation table
Figure 2.7 Compression and expansion P-boxes are non-invertible
S-Box
An S-box (substitution box) can be thought of as aminiature substitution cipher.
An S-box is an m × n substitution unit, where m and nare not necessarily the same.
Note
Example 2.10
The following table defines the input/output relationship for anS-box of size 3 × 2. The leftmost bit of the input defines the row;the two rightmost bits of the input define the column. The twooutput bits are values on the cross section of the selected rowand column.The following table defines the input/output relationship for anS-box of size 3 × 2. The leftmost bit of the input defines the row;the two rightmost bits of the input define the column. The twooutput bits are values on the cross section of the selected rowand column.
Based on the table, an input of 010 yields the output 01. Aninput of 101 yields the output of 00.Based on the table, an input of 010 yields the output 01. Aninput of 101 yields the output of 00.
Exclusive-Or
An important component in most block ciphers is theexclusive-or operation.
Figure 2.9 Invertibility of the exclusive-or operation
Circular Shift
Another component found in some modern block ciphers isthe circular shift operation.
Figure 2.10 Circular shifting an 8-bit word to the left or right
Swap
The swap operation is a special case of the circular shiftoperation where k = n/2.
Figure 2.11 Swap operation on an 8-bit word
Split and Combine
Two other operations found in some block ciphers are splitand combine.
Figure 2.12 Split and combine operations on an 8-bit word
Shannon introduced the concept of a product cipher. Aproduct cipher is a complex cipher combining substitution,permutation, and other components discussed in previoussections.
2.1.4 Product Ciphers
Diffusion
The idea of diffusion is to hide the relationship betweenthe ciphertext and the plaintext.
If a symbol of plaintext is changed, several or all symbolsof ciphertext is changed. Diffusion
Diffusion hides the relationship between theciphertext and the plaintext.
Note
Confusion
The idea of confusion is to hide the relationship betweenthe ciphertext and the key.
If a symbol of key is changed, several or all symbols ofciphertext is changed.
Confusion hides the relationship between theciphertext and the key.
Note
Figure 2.13 A product cipher made of two rounds
Modern block ciphers are all product ciphers, but they aredivided into two classes.
1. Feistel ciphers
2. Non-Feistel ciphers
2.1.5 Two Classes of Product Ciphers
Feistel Ciphers
Feistel designed a very intelligent and interesting cipherthat has been used for decades. A Feistel cipher can havethree types of components: self-invertible, invertible, and
noninvertible.
Figure 2.15 The first thought in Feistel cipher design
A Fiestel cipher combines all noninvertible elements in a unit anduses the same unit in the encryption and decryption algorithms.
Example 2.12
This is a trivial example. The plaintext and ciphertext are each 4bits long and the key is 3 bits long. Assume that the functiontakes the first and third bits of the key, interprets these two bitsas a decimal number, squares the number, and interprets theresult as a 4-bit binary pattern. Show the results of encryptionand decryption if the original plaintext is 0111 and the key is101.This is a trivial example. The plaintext and ciphertext are each 4bits long and the key is 3 bits long. Assume that the functiontakes the first and third bits of the key, interprets these two bitsas a decimal number, squares the number, and interprets theresult as a 4-bit binary pattern. Show the results of encryptionand decryption if the original plaintext is 0111 and the key is101.
The function extracts the first and second bits to get 11 in binaryor 3 in decimal. The result of squaring is 9, which is 1001 inbinary.The function extracts the first and second bits to get 11 in binaryor 3 in decimal. The result of squaring is 9, which is 1001 inbinary.
SolutionSolution
Figure 2.16 Improvement of the previous Feistel design
Input to the function f only uses key.
Desired that function should use part of plaintext duringencryption And part of ciphertext during decryption.
Figure 2.17 Final design of a Feistel cipher with two rounds
A non-Feistel cipher uses only invertible components. Acomponent in the encryption cipher has the correspondingcomponent in the decryption cipher.
Non-Feistel Ciphers
2-2 MODERN STREAM CIPHERS2-2 MODERN STREAM CIPHERS
In a modern stream cipher, encryption and decryptionIn a modern stream cipher, encryption and decryption
are done r bits at a time. We have a plaintext bitstream P = pn…p2 p1, a ciphertext bit streamC = cn…c2 c1, and a key bit stream K = kn…k2 k1, in whichpi , ci , and ki are r-bit words.are done r bits at a time. We have a plaintext bitstream P = pn…p2 p1, a ciphertext bit streamC = cn…c2 c1, and a key bit stream K = kn…k2 k1, in whichpi , ci , and ki are r-bit words.
Figure 2.20 Stream cipher
2.2.1 Synchronous Stream Ciphers
In a synchronous stream cipher the key isindependent of the plaintext or ciphertext.
Note
Figure 2.22 One-time pad
Example 2.17
What is the pattern in the ciphertext of a one-time pad cipher ineach of the following cases?What is the pattern in the ciphertext of a one-time pad cipher ineach of the following cases?
a. The plaintext is made of n 0’s.a. The plaintext is made of n 0’s.
b. The plaintext is made of n 1’s.b. The plaintext is made of n 1’s.
c. The plaintext is made of alternating 0’s and 1’s.c. The plaintext is made of alternating 0’s and 1’s.
d. The plaintext is a random string of bits.d. The plaintext is a random string of bits.
SolutionSolution
a.Because 0 ki = ki , the ciphertext stream is the same as thekey stream. If the key stream is random, the ciphertext isalso random. The patterns in the plaintext are not preservedin the ciphertext.a.Because 0 ki = ki , the ciphertext stream is the same as thekey stream. If the key stream is random, the ciphertext isalso random. The patterns in the plaintext are not preservedin the ciphertext.
b.Because 1 ki = ǩi where ǩi is the complement of ki , theciphertext stream is the complement of the key stream. Ifthe key stream is random, the ciphertext is also random.Again the patterns in the plaintext are not preserved in theciphertext.b.Because 1 ki = ǩi where ǩi is the complement of ki , theciphertext stream is the complement of the key stream. Ifthe key stream is random, the ciphertext is also random.Again the patterns in the plaintext are not preserved in theciphertext.
c.In this case, each bit in the ciphertext stream is either thesame as the corresponding bit in the key stream or thecomplement of it. Therefore, the result is also a randomstring if the key stream is random.c.In this case, each bit in the ciphertext stream is either thesame as the corresponding bit in the key stream or thecomplement of it. Therefore, the result is also a randomstring if the key stream is random.
d.In this case, the ciphertext is definitely random because theexclusive-or of two random bits results in a random bit.d.In this case, the ciphertext is definitely random because theexclusive-or of two random bits results in a random bit.
Figure 2.23 Feedback shift register (FSR)
Example 2.18
Create a linear feedback shift register with 5 cells in whichCreate a linear feedback shift register with 5 cells in which
b5 = b4 b2 b0 .b5 = b4 b2 b0 .
SolutionSolution
If ci = 0, bi has no role in calculation of bm. This means that bi isnot connected to the feedback function. If ci = 1, bi is involved incalculation of bm. In this example, c1 and c3 are 0’s, whichmeans that we have only three connections. Figure 2.24 showsthe design.If ci = 0, bi has no role in calculation of bm. This means that bi isnot connected to the feedback function. If ci = 1, bi is involved incalculation of bm. In this example, c1 and c3 are 0’s, whichmeans that we have only three connections. Figure 2.24 showsthe design.
Figure 2.24 LSFR for Example 2.18
Example 2.19
Create a linear feedback shift register with 4 cells in whichCreate a linear feedback shift register with 4 cells in which
b4 = b1 b0. Show the value of output for 20 transitions (shifts) ifthe seed is (0001)2.b4 = b1 b0. Show the value of output for 20 transitions (shifts) ifthe seed is (0001)2.
SolutionSolution
Figure 2.25 LFSR for Example 2.19
Table 2.6 Cell values and key sequence for Example 2.19
The key stream generated from a LFSR is a pseudorandom sequence in which thesequence is repeated after N bits.The key stream generated from a LFSR is a pseudorandom sequence in which thesequence is repeated after N bits.