Introduction to Cryptography and Security Mechanisms
Dr Keith Martin
McCrea 349 01784 443099
keith.martin@rhul.ac.uk

Before we start

Quiz 1
The unicity distance is:
A. The amount of ciphertext that you need before single letter frequency analysis is likely to be successful
B. The amount of ciphertext that you need before any type of frequency analysis is likely to be successful
C. The amount of ciphertext that you need in order to be reasonably sure that there is at most one meaningful plaintext / encryption key pair that results in a given ciphertext
D. The amount of ciphertext that you need in order to be reasonably sure that there exists at least one meaningful plaintext / encryption key pair that results in a given ciphertext

Introduction to Cryptography and Security

Quiz 2
The main problem with homophonic encoding is:
A. Message expansion
B. Frequency analysis
C. Positional dependence
D. Insufficient key space

Quiz 3
If a cipher system has perfect secrecy then which of the following is not true:
A. An interceptor does not learn anything new about the cipher system if they observe a ciphertext that was sent using it
B. An interceptor has no information about the cipher system that was used to encrypt the plaintext
C. The cipher system might be insecure
D. The best theoretical breaking of the cipher system has a probability of success equal to that of guessing the plaintext

Quiz 4
If a search of a complete key space takes 20 years then which of the following is most accurate:
A. The key could be found at any time
B. The key will not be found in less than 20 years
C. The key will probably be found in just less than 20 years
D. The key will most likely be found in the first 10 years

Introduction to Cryptography and Security Mechanisms: Unit 6
Symmetric Algorithms

Learning Outcomes
Recognise the different components of the cryptographic process
Identify some of the factors involved in selecting a cryptographic algorithm
Describe the model of a stream cipher
Appreciate the types of application where a stream cipher is most appropriate
Describe the model of a block cipher
Recall the basic design features and history of DES
Comment on the security issues surrounding modern use of DES
Explain the reasoning behind the basic specifications for AES
Describe three different modes of operation of a block cipher
Compare the different properties of the different modes of operation

Sections
1. Cryptographic algorithms
2. Stream ciphers
3. Block ciphers
4. Modes of operation

1. Cryptographic algorithms

Cryptographic process
A cryptographic algorithm itself is just one component
part of an entire process, which must all come together
before we can claim that any particular application is
using a secure cipher system.
This process includes:
Selection (or design) of an algorithm
Deciding how an algorithm is to be used
Implementing an algorithm within a communications system
Devising a key management scheme

A symmetric classification
Most cipher systems effectively scramble one sequence
of binary digits into another:
Plaintext
100110110100010111010010
Scrambling operation
1100100111010100100010011

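A symmetric classification
[Diagram: a stream cipher and a block cipher applied to the plaintext 100110110100010111010010]
Stream cipher: the plaintext bits are passed through E one at a time, giving the ciphertext 1100100111010100100010011.
Block cipher: the plaintext is split into the blocks 100110 110100 010111 010010, each block is passed through E to give 110010 011101 010010 001001, and the ciphertext is 110010011101010010001001.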

A public key classification?

Can public key cipher systems also be classified into stream and block ciphers?

Error propagation
A decryption process involves error propagation if a
ciphertext input that has one incorrect bit produces a
plaintext output that has more than one incorrect bit.
1. To what extent does error propagation occur in basic stream and block ciphers?
2. Does error propagation have anything to do with error prevention or error correction?
3. Is error propagation a good thing?

2. Stream ciphers

The idea behind stream ciphers
Recall from Unit 5
Stream ciphers attempt to simulate the one-time pad by using short keys to generate
longer keys that can then be used in a one-time pad encryption

Vernam cipher
random key bits: K1, K2, ..., Kn
plaintext bits: P1, P2, ..., Pn
ciphertext bits: P1 ⊕ K1, P2 ⊕ K2, ..., Pn ⊕ Kn

How do you decrypt using the Vernam cipher?

Model of a stream cipher
[Diagram: the key is fed into a keystream generator, which outputs the keystream]
keystream: K1, K2, ..., Kn
plaintext bits: P1, P2, ..., Pn
ciphertext bits: P1 ⊕ K1, P2 ⊕ K2, ..., Pn ⊕ Kn

Model of a stream cipher

1. How do you decrypt using a stream cipher?
2. How would you go about trying to break:
a) The Vernam Cipher?
b) A typical stream cipher?

Security of stream ciphers


Designing good stream ciphers and assessing their
security primarily involves analysis of the keystream
generator and the properties of the resulting keystream.
Research is focussed on designing keystream
generators that produce a keystream that looks
random (even though it clearly cannot be since it is
generated using a deterministic process based on a
finite key).
Sequences of ones and zeros that look random (but
aren't) are usually referred to as pseudorandom
sequences.

Pseudorandomness

1. How can you tell if a sequence has good pseudorandom properties?
2. What do you call a stream cipher whose keystream is truly random?

Properties of stream ciphers
PROS
No error propagation
Ease of implementation
Fast
CONS
(No error propagation)
Requirement for synchronisation

How might you go about resynchronising the keystream of a stream cipher that had got out
of sequence?
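
The stream cipher model and the two properties listed above, as an added example that is not part of the original slides. The keystream generator (SHA-256 over key and counter), the key and the message are assumptions chosen for illustration only.

```python
import hashlib

def keystream(key, n):
    """Toy keystream generator (assumption): stretch a short key into n
    pseudorandom bytes by hashing key || counter."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def xor_stream(key, data):
    """Encrypt or decrypt: add (XOR) the keystream to the data."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def bit_errors(a, b):
    """Number of bit positions in which a and b differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

KEY = b"short key"                                   # constructed key
PLAINTEXT = b"STREAM CIPHERS NEED SYNCHRONISATION"   # constructed message
ciphertext = xor_stream(KEY, PLAINTEXT)

def demo():
    # Decryption is the same operation as encryption.
    recovered = xor_stream(KEY, ciphertext)
    # One ciphertext bit flipped in transit: one plaintext bit is wrong.
    damaged = bytearray(ciphertext)
    damaged[5] ^= 0x01
    errors = bit_errors(xor_stream(KEY, bytes(damaged)), PLAINTEXT)
    # One ciphertext byte lost in transit: the receiver's keystream is out
    # of step from that point on, so the rest decrypts to garbage.
    slipped = xor_stream(KEY, ciphertext[:5] + ciphertext[6:])
    return recovered, errors, slipped

if __name__ == "__main__":
    recovered, errors, slipped = demo()
    print("recovered :", recovered)
    print("bit errors after one flipped bit:", errors)
    print("after one lost byte:", slipped)
```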

3. Block ciphers

Model of a block cipher
[Diagram: a block of plaintext and an encryption key enter the encryption algorithm, which outputs a block of ciphertext]

Block size
Normally the block size is fixed, and the block of ciphertext
produced by the block cipher is usually also the same
length as the plaintext block size.
Typical block sizes are 64 (DES) and 128 (AES).
1. What happens if the block size is too short?
2. What happens if the block size is too long?
3. Why are most block sizes multiples of 8?

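A Feistel cipher
[Diagram: two rounds of a Feistel cipher. The plaintext is split into a left half L0 and a right half R0; each round uses the round function f and the key K.]
L1 = R0
R1 = L0 ⊕ f(R0, K)
L2 = R1
R2 = L1 ⊕ f(R1, K)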

Feistel ciphers
1. How do you choose the round function f ?
2. How do you decrypt using a Feistel cipher?
3. How many rounds should a Feistel cipher have?

In order to understand the cleverness of the Feistel cipher design methodology, attempt Exercises 1 and 2
for this unit.
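
The round equations from the Feistel diagram, run forwards and backwards, as an added example that is not part of the original slides. The round function (a truncated SHA-256, deliberately not invertible), the four round keys and the sample block are assumptions chosen for illustration.

```python
import hashlib

HALF = 4  # bytes per half-block, giving a 64-bit block

def f(right, key):
    """Round function f(R, K). Assumption: truncated SHA-256, which cannot
    be inverted; the Feistel structure never needs to invert it."""
    return hashlib.sha256(key + right).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_encrypt(block, round_keys):
    left, right = block[:HALF], block[HALF:]
    for k in round_keys:
        # L_i = R_(i-1);  R_i = L_(i-1) xor f(R_(i-1), K)
        left, right = right, xor(left, f(right, k))
    return left + right

def feistel_decrypt(block, round_keys):
    left, right = block[:HALF], block[HALF:]
    for k in reversed(round_keys):
        # Undo one round: R_(i-1) = L_i;  L_(i-1) = R_i xor f(L_i, K)
        left, right = xor(right, f(left, k)), left
    return left + right

ROUND_KEYS = [b"k1", b"k2", b"k3", b"k4"]   # constructed round keys
BLOCK = b"8 bytes!"                         # constructed 64-bit block

if __name__ == "__main__":
    ct = feistel_encrypt(BLOCK, ROUND_KEYS)
    print("ciphertext:", ct.hex())
    print("decrypted :", feistel_decrypt(ct, ROUND_KEYS))
    # After a single round the left output is just R0 in the clear.
    print("one round :", feistel_encrypt(BLOCK, ROUND_KEYS[:1])[:HALF])
```

Decryption calls only f, in reverse key order, and a single round passes half of the plaintext through unchanged.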

DES
Parameter              DES specification
Type of design         Feistel Cipher
Number of rounds       16
Block size             64
Length of key          56
Public / proprietary   Published as FIPS 46

Brief history of DES


In 1973 the National Bureau of Standards (NBS) in the United States
published a call for proposals for an encryption algorithm standard.
IBM was encouraged to submit an encryption algorithm that they had
been developing for a second call in 1974.
After a due consultation process (including NSA) this algorithm was
adopted as a federal standard in 1976 and published as DES in 1977.
DES became mandatory for Federal Agencies in 1977 and after
adoption as ANSI X3.92, a banking standard, found widespread use
throughout the international financial industry.
DES essentially now becomes a de facto encryption standard.
Although DES was predicted to have a 15-year lifespan, the NSA
removed its endorsement of DES in 1988.
The NBS reaffirmed the use of DES in the same year, largely to
appease the financial industry, which by then relied heavily upon it.
NIST finally acknowledged that DES no longer offered adequate
cryptographic protection by issuing a new call for an algorithm in 1998.

Design criticisms
Criticism: Secret design criteria
Comment: Design criteria of round function / key schedules secret (although actual design public). Fear of trapdoors has proved unfounded.

Criticism: Weak keys
Comment: Certain DES keys are weak (encryption and decryption has same effect). Few such keys and their use easily avoided.

Criticism: Inadequate key length
Comment: 56 bits an inadequate key length. Criticised even in 1975. Unsubstantiated claims that NSA insisted on the small key length.

Searching for a DES key

Suppose that we have a machine consisting of one million processors, each of which can
test one million keys per second.
How long is it likely to take before we find a
DES key during an exhaustive key search?

Searching for a DES key
Year   Source                                         Implemented?   (Estimated) cost in US$   (Estimated) search time
1977   Diffie Hellman                                 No             20 million                20 hours
1993   Wiener                                         No             10.5 million              21 minutes
                                                                     1.5 million               3.5 hours
                                                                     600 000                   35 hours
1997   Internet                                       Yes            Unknown                   140 days
1998   Electronic Frontier Foundation [www.eff.org]   Yes            210 000                   56 hours

DES today
Well accepted that a DES key can be found by anyone determined enough.
Differential and linear cryptanalysis provide academic attacks on DES.
DES is still in use in many applications.
Triple DES or AES are commonly recommended instead of DES.

Triple DES
[Diagram: Triple DES encryption]
plaintext
Encrypt using DES with key K1
Decrypt using DES with key K2
Encrypt using DES with key K1
ciphertext
Key K = K1 and K2

Triple DES

1. Could you encrypt at step 3 of Triple DES instead of decrypting?
2. Could you use a third key K3 at step 4 of Triple DES, rather than reapplying K1 ?

Design requirements of AES


In 1998 NIST issued a call for proposals for a new block
cipher standard, to be referred to as the Advanced
Encryption Standard or AES.

The selection would be a public process and the
chosen algorithm and design details would be made
freely available for public use.
The block size should be 128 bits.
The block cipher would be designed to offer variable
key lengths of 128, 192 and 256 bits, to allow for
future developments in exhaustive key search efforts.
The block cipher had to operate at a faster speed
than Triple DES across a number of different
platforms.

Development of AES
15 candidate proposals, quickly reduced to 11 in August
1998.
In April 1999, after a public consultation process, this
was reduced to five candidates: MARS, RC6, Rijndael,
SERPENT and TWOFISH.
In October 2000 the winning algorithm Rijndael was
selected.
Federal Information Processing Standard FIPS 197, the
Advanced Encryption Standard, published early 2001.
This standard specifies AES (Rijndael) as a FIPS-approved symmetric encryption algorithm that may be
used by U.S. Government organizations (and others) to
protect sensitive information.
AES now widely adopted and supported.

AES encryption round
[Diagram: the current state passes through byte substitution (using the AES S-box), shift rows and mix columns; the round key, produced from the key by the key schedule, is then added to give the new state]

AES

Do you think that the standardisation of AES means the end of Triple DES?

4. Modes of operation

Modes of operation
Modes of operation of a block cipher are operational rules for
a generic block cipher that each result in different properties
being achieved.
In theory any block cipher could be used in any mode of
operation, and the decision concerning which mode of
operation to use will in practice be influenced by the application
and the properties desired.
The three modes of operation that we will study are not the
only modes of operation proposed for block ciphers, but they
are three of the most commonly used.

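Electronic Code Book (ECB)
[Diagram: ECB mode. The plaintext 100110110100010111010010 is split into the blocks 100110 110100 010111 010010; each block is passed through E separately to give 110010 011101 010010 001001, and the ciphertext is 1100100111010100100010011.]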

Problem with ECB mode


Try to come up with at least three reasons
why ECB mode is rarely used and generally
regarded as an insecure mode of operation.

Make sure you attempt Exercise 6 for this unit in order
to further appreciate these problems with ECB mode.

Cipher Feedback Mode (CFB)
[Diagram: CFB mode, showing the sender and the receiver]

Cipher Feedback Mode


Paradoxically, when using CFB mode you never actually use the
encryption algorithm to decrypt anything!

CFB mode is actually using a block cipher to make a sort of stream
cipher. The encryption algorithm is used as a keystream generator to
produce key material.

This key material is then added to the plaintext very much in the
style of a stream cipher.

The receiver also uses the encryption algorithm to generate the
same keystream that is needed to decrypt the ciphertext.

CFB in practice
Most practical implementations of CFB mode process the plaintext
in units of bits that are smaller than the block size.
For example, when using an encryption algorithm with a block size
of 64 in 8-bit CFB mode the plaintext is processed 8 bits at a time.
This produces only 8 bits of ciphertext.
When these 8 bits of ciphertext are fed back, they are not sufficient
to replace the current register contents, so the existing entries are
shifted along, with the 8 furthest bits dropping out.

For what reasons might you want to use 8-bit
CFB mode, rather than full block CFB mode?

Effect of error in CFB mode
[Diagram: ciphertext blocks Ci, Ci+1, Ci+2 and the corresponding plaintext blocks Pi, Pi+1, Pi+2]

Properties of CFB mode

Message dependence
Limited error propagation
No block synchronisation required
Efficiency
To what extent do these properties also hold
for 8-bit CFB mode?

Cipher Block Chaining (CBC)
[Diagram: CBC mode, showing the sender and the receiver]

CBC mode
All CBC mode is doing is adding each plaintext block to
the previous ciphertext block, and then encrypting the
result with the key:

C1 = EK(P1 ⊕ IV)
Ci = EK(Pi ⊕ Ci-1)
It is worth working through a simple example to get the hang of
CBC mode: one such example is provided in Chapter 7 of Piper
and Murphy.

Decrypting using CBC mode
First step (7 on diagram):
DK(Ci) = DK(EK(Pi ⊕ Ci-1)) = Pi ⊕ Ci-1
Second step (8 on diagram):
(Pi ⊕ Ci-1) ⊕ Ci-1 = Pi

Effect of error in CBC mode
[Diagram: ciphertext blocks Ci, Ci+1, Ci+2 and the corresponding plaintext blocks Pi, Pi+1, Pi+2]

Properties of CBC mode


Recall the properties of CFB mode.
To what extent does CBC mode offer these
properties?

We will see later that CBC mode can also be used
to design a Message Authentication Code
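
The ECB, CFB and CBC slides above, as an added example that is not part of the original slides: it shows repeated plaintext blocks surviving ECB, and where a single flipped ciphertext bit lands in CBC and in full-block CFB. The 16-bit table-lookup block cipher, the key, the IV and the plaintext blocks are assumptions made so the example is self-contained.

```python
import random

def make_cipher(key):
    """Toy 16-bit block cipher (assumption): a key-selected permutation table."""
    table = list(range(1 << 16))
    random.Random(key).shuffle(table)
    inverse = sorted(range(len(table)), key=table.__getitem__)
    return table.__getitem__, inverse.__getitem__   # (E, D)

E, D = make_cipher(0x5EED)                             # constructed key
IV = 0x1234                                            # constructed IV
PLAINTEXT = [0xAAAA, 0xAAAA, 0xBEEF, 0xAAAA, 0x0042]   # constructed blocks

def ecb_encrypt(blocks):
    return [E(p) for p in blocks]           # every block on its own

def cbc_encrypt(blocks):
    out, prev = [], IV
    for p in blocks:
        prev = E(p ^ prev)                  # Ci = EK(Pi xor Ci-1), C0 = IV
        out.append(prev)
    return out

def cbc_decrypt(blocks):
    out, prev = [], IV
    for c in blocks:
        out.append(D(c) ^ prev)             # Pi = DK(Ci) xor Ci-1
        prev = c
    return out

def cfb_encrypt(blocks):
    out, reg = [], IV
    for p in blocks:
        reg = p ^ E(reg)                    # Ci = Pi xor EK(Ci-1)
        out.append(reg)
    return out

def cfb_decrypt(blocks):
    out, reg = [], IV
    for c in blocks:
        out.append(c ^ E(reg))              # receiver also runs E, never D
        reg = c
    return out

def error_pattern(encrypt, decrypt, i, mask=0x0001):
    """Per-block XOR difference in the plaintext after one bit of Ci is flipped."""
    damaged = encrypt(PLAINTEXT)
    damaged[i] ^= mask
    return [a ^ b for a, b in zip(decrypt(damaged), PLAINTEXT)]
```

In the returned pattern a zero is an undamaged block, a value equal to the mask is a single flipped bit, and any other value is a garbled block.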

Summary
Stream ciphers and block ciphers are different types of
symmetric encryption algorithm. They offer slightly
different properties and are therefore suitable for
different applications.
Simple stream ciphers are fast and do not propagate errors,
making them suitable for poor quality channels and for
applications where errors are intolerable.
Block ciphers do propagate errors (to a limited extent), but are
quite flexible and can be used in different ways in order to
provide different security properties (in some cases to achieve
some of the benefits of stream ciphers).

The properties of cryptographic algorithms are not only
affected by algorithm design, but also by the ways in
which the algorithms are used. Different modes of
operation can significantly change the properties of a
block cipher.
