Department of Computer Science & Engineering

Cipher Block Modes of operation Model of Conventional Cryptosystems The following figure, which is on the next page, illustrates the conventional encryption process. The original plaintext is converted into apparently random nonsense, called ciphertext. The encryption process consists of an algorithm and a key. The key is a value independent of the plaintext. The algorithm will produce a different output depending on the specific key being used at the time. Changing the key changes the output of the algorithm, i.e., the ciphertext. Once the ciphertext is produced, it may be transmitted. Upon reception, the ciphertext can be transformed back to the original plaintext by using a decryption algorithm and the same key that was used for encryption.

X^ Cryptanalyst Y^

Message Source

Encryption Algorithm

Decryption Algorithm

Destination

K Secure Channel Key Source

Figure. 1:

Model of Conventional Cryptosystem

The security of conventional encryption depends on several factors: The Encryption Algorithm- It must be powerful enough that it is impractical to decrypt a message on the basis of the ciphertext alone.

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

Secrecy of the key- It was shown that the security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm.

Referring to Fig. 1 above, with the message X and the encryption key K as input, the encryption algorithm forms the ciphertext. Y=Ek (X) The intended receiver, in possession of the key is able to invert the transformation X=Dk (Y) An opponent, observing Y but not having access to K or X, may attempt to recover X or K or both X and K. It is assumed that the opponent knows the encryption (E) and decryption (D) algorithms. If the opponent is interested in only this particular message, then the focus of the effort is to recover X by generating a plaintext estimate X^. Often, however, the opponent is interested in being able to read future messages as well, in which case an attempt is made to recover K by generating an estimate K^. Cryptanalysis The process of attempting to discover X or Y or both is known as cryptanalysis. The strategy used by the cryptanalysis depends on the nature of the encryption scheme and the information available to the cryptanalyst. The following table summarizes the various types of cryptanalytic attacks based on the amount of information known to the cryptanalyst.

Table 1: Types of Attacks on Encrypted Message

Attack Type Ciphertext only Known Plaintext Knowledge Known to Cryptanalyst Encryption algorithm Ciphertext to be decoded Encryption algorithm Ciphertext to be decoded One or more plaintext-ciphertext pairs formed with the same secret key Encryption algorithm Ciphertext to be decoded Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with

Chosen Plaintext

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

Chosen Ciphertext

Chosen text

the same secret key Encryption algorithm Ciphertext to be decoded Purported ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key Encryption algorithm Ciphertext to be decoded Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key Purported ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key

Transposition Ciphers: Moving around Changing the positions of plaintext letters is another enciphering technique. It is called transposition, as in transferring position. Please note that many newspapers have transposition puzzles called jumbles. To illustrate this technique, lets do the following example.

Example 1: Plaintext: last nite was heaven please marry me We use a 5x6 grid to write the plaintext as: Read down L T E L A A E A E R S W V A R T A E S Y N S N E M I H P M E

To encipher the text, we only read letters down the first column, then letters down from the second column, and so on. The ciphered letters are the same as the plaintext letters except that they are positioned to form a new pattern, as given below. Ciphertext: LTELA AEAER SWVAR TAESY NSNEM IHPME

To decipher the received ciphertext, the receiver must know two things: the length and width of the grid and the way letters are read from the grid.

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

The transposition cipher is also known as permutation cipher. We Note 1: know give the mathematical description of the permutation cryptosystem as follows: Def: Permutation Cipher

Let m be a positive integer. Let P =C = (Z26)m and let K consist of all permutations of {1, , m}. For a key (i.e., a permutation) , we define e (x1, , x m)=( x(1), , x(m)) and d (y1, , ym)=( y-1(1), , y-1(m)) , where -1 is the inverse permutation to . Example 2: Suppose m = 6 and the key is the following permutation : x (x)

1 3

2 6

3 1

4 5

5 2

6 4

Note that the first row of this diagram lists the values of x, 1 x 6, and the 2nd row lists the corresponding values of (x). The inverse permutation -1 can be constructed by interchanging the two rows in this diagram, and rearranging the columns so that the first row is in increasing order. Thus, carrying out these operations, we get the following decryption permutation -1 as: x (x)
-1

1 3

2 5

3 1

4 6

5 4

6 2

Now, suppose we are given the plaintext Plaintext: she sells seashells by the seashore We first partition the plaintext into groups of six letters, and then rearrange each group of six letters according to permutation . The result is shown in the following 6x6 grid. x (x)

1 E S

2 E A

3 S L

4 L S

5 S E

6 H S

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

L H H

S S R

H Y A

B E E

L E O

E T S

Hill Cipher Another interesting multi-alphabetic cipher is the Hill cipher, developed by the mathematician Lester Hill in 1929. The idea is based on linear transposition. In fact, permutation cipher is a special case of the Hill cipher.

In this scheme, we take m linear combinations of the m successive plaintext alphabetic characters and produce an m ciphertext letters for them. The substitution is determined by m linear equations in which each letter is assigned its numerical value; i.e. {0, 1, 2, 25} = Z26. For m = 3, the system can be described as follows: y1 = (k11 x1 + k12 x2 + k13 x3 ) mod 26 y2 = (k21 x1 + k22 x2 + k23 x3 ) mod 26 y3 = (k31 x1 + k32 x2 + k33 x3 ) mod 26 This can be expressed in terms of column vectors and matrices:
y1 k11 y2 = k21 y3 k31 k12 k22 k32 k13 x1 k23 x2 k33 x3

or in a compact form Y=KX Where Y and X are column vectors of length 3, representing the ciphertext and plaintext letters, and K is a 33 matrix, representing the encryption key. Operations are performed mod26. Decryption requires using the inverse of matrix K.

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

Example 1: Consider the plaintext paymoremoney, and use the encryption key
17 17 5 K = 21 18 21 2 2 19

Find the resulting ciphertext. Solution: Plaintext: paymoremoney

15 0 24

The first three letters of the plaintext are represented by vector (x1, x2, x3)=(15, 0, 24) Thus:
y1 x1 17 17 5 15 y2 = K x2 = 21 18 21 0 y x 2 2 19 24 3 3

That is:
y1 375 11 L y2 = 819 mod 26 = 13 = N 18 S y 489 3

Continuing in this fashion, the ciphertext for the entire plaintext is:

Ciphertext: LNSHDLEWMTRW Q.E.D. Decryption requires using the inverse of the matrix K. The inverse K1 of a matrix K is defined by the equation K K1= K1K =I, where I is the diagonal matrix that is all zeros except for ones along the main diagonal from upper left to lower right. Note 2: The inverse of a matrix does not always exist, but when it does, it satisfies the preceding equation.

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

Exercise 1:

Show that the inverse of matrix K used in above example is

4 9 15 K 1 = 15 17 6 24 0 17

Note 3: It is easily shown that if the matrix K1 is applied to the above resulting ciphertext, then the plaintext can be recovered.

Exercise 2:

A cryptanalyst receives the following ciphertext:

LNSHDLEWMTRW He has also estimated the decryption matrix from some previous analysis for this Hill Cipher to be: 4 9 15 1 K = 15 17 6 24 0 17 What is the plaintext? We now give a precise description of the Hill Cipher over Z26. Definition: Hill Cipher Cryptosystem

Let m 2 be an integer, Let P=C=(Z26)m and let K = {mm invertible matrix over Z26}. For a key K, we define:

C = EK(P)=KP
P = DK(C) = K1 C= K1 KP = P

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

Note 1: Hill Cipher completely hides single-letter frequencies. Use of a larger matrix hides more frequency information. Note 2: The weakness of the Hill Cipher is that it is easily broken with a known plaintext attack. To show this, suppose we have m plaintext-ciphertext pairs, each of length m.

Let
Pj=(P1j, P2j, , Pmj) Cj=(C1j, C2j, , Cmj) Therefore, we can write Cj=KPj for some known key matrix K. We now define the following two mm square matrices: X = (Pij) Y = (Cij) Then, we can form the matrix equation Y=XK. Now, we can find the unknown key matrix K from the equation K=X-1Y Let us illustrate the above attack by a simple example. Example 2: It is known that the plaintext friday is encrypted using a 22 Hill Cipher to yield the ciphertext PQCFKU. Find the key matrix K for this cryptosystem. Solution: Plaintext: Pij : Ciphertext: Cij : f 15 P 15 r 17 Q 16 i 8 C 2 d 3 F 5 a y 0 24 K U 10 20 1jm

For the unknown key matrix is K, we can write the following plaintext-ciphertext pairs: KPj = Cj 1jm

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

Using the first two plaintext-ciphertext pairs, we can write the following matrix equation: 15 16 5 17 = K 2 5 8 3 5 17 15 16 K = 8 3 2 5 9 1 15 16 = 2 15 2 5
1

mod 26 mod 26 mod 26 7 19 = 8 3

Therefore, we obtained the key matrix! The result can be verified by testing the remaining plaintext- ciphertext pair. From the above example and other examples worked out so far, we may conclude that neither cipher schemes of Substitution nor Transposition are strong enough to stand cryptanalytic attacks. One may find that using the two types together creates much better concealment than either method above. In fact, using substitution and transposition cipher methods repeatedly on ciphertext provides strong disguising patterns.
Note 3 :

We will discuss this scheme in the next chapter. Exercise 2: Why transposition ciphers are used if they are so easy to crack?

Answer: Transposition can be looked at a set of instructions, one instruction for each letter, easily implemented by a computer and can be difficult to crack if they are repeatedly used on the same plaintext! Exercise 3: Repeat the transposition cipher used in Exercise 1 (on page 17) twice for the plaintext used: Solution:

Information Security Lecture Notes

Prof. A. L. Narasimha Rao

Department of Computer Science & Engineering

Plaintext: lastnitewasheavenpleasemarryme 1st transposed ciphertext: LTELAAEAERSWVARTAESYNSNEMIHPME 2nd transposed ciphertext: LEVSMTAAYIEERNHLRTSPASANMAWEE
LTELA AEAER SWVAR TAESY NSNEM I HPME

last nite was heaven please marry me Read down

L T E L A

A E A E R

S W V A R

T A E S Y

N S N E M

I H P M E

L E V S M

T A A Y I

E E R N H

L R T S P

A S A N M

A W E E E

(a) 1st transposed cipher.

(b) The ou

Information Security Lecture Notes

Prof. A. L. Narasimha Rao