AR ENGINEERING COLLEGE

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


CB3491 CRYPTOGRAPHY AND CYBER SECURITY - UNIT 2

UNIT II - SYMMETRIC CIPHERS


Number theory – Algebraic Structures – Modular Arithmetic – Euclid's algorithm – Congruence and
matrices – Groups, Rings, Fields, Finite Fields.

SYMMETRIC KEY CIPHERS: SDES – Block Ciphers – DES, Strength of DES – Differential and
linear cryptanalysis – Block cipher design principles – Block cipher mode of operation – Evaluation
criteria for AES – Pseudorandom Number Generators – RC4 – Key distribution.

PART-A
1. What is the purpose of the State array?
A single 128-bit block is depicted as a square matrix of bytes. This block is copied into the
State array, which is modified at each stage of encryption or decryption. After the final stage, State
is copied to an output matrix.
2. What is the difference between linear and differential cryptanalysis? (AU May/Jun 2011)
S.No | Linear Cryptanalysis | Differential Cryptanalysis
1 | Linear cryptanalysis was basically invented by Matsui and Yamagishi in the year 1992. | Differential cryptanalysis was first defined in the year 1990 by Eli Biham and Adi Shamir.
2 | Linear cryptanalysis always works on a single bit (one bit at a time). | Differential cryptanalysis can work on multiple bits at a time.
3 | In the case of linear cryptanalysis, a ciphertext attack is a very big disadvantage. | In the case of differential cryptanalysis, a plaintext attack is a very big disadvantage.
4 | Any random plaintext is selected in linear cryptanalysis. | Plaintext is carefully chosen in differential cryptanalysis.
5 | Plaintext is used one by one in linear cryptanalysis. | Plaintext is used in pairs in differential cryptanalysis.
6 | Complexity of attack is low in linear cryptanalysis. | Complexity of attack is high in differential cryptanalysis.
Table 2.1 – Linear vs. Differential Cryptanalysis
3. How is the S-box constructed?
 The S-box is constructed in the following fashion:
 Initialize the S-box with the byte values in ascending sequence row by row. The first row
contains {00}, {01}, {02}, ..., {0F}; the second row contains {10}, {11}, etc.; and so on. Thus,
the value of the byte at row x, column y is {xy}.
 Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value
{00} is mapped to itself. Consider that each byte in the S-box consists of 8 bits labeled (b7,
b6, b5, b4, b3, b2, b1, b0). Apply the following transformation to each bit of each byte in the
S-box.
4. What was the original set of criteria used by NIST to evaluate candidate AES ciphers?
The original set of criteria used by NIST to evaluate candidate AES ciphers was:
 Security
o Actual security
o Randomness
o Soundness
o Other security factors
 Cost
o Licensing requirements
o Computational efficiency
o Memory requirements
 Algorithm and implementation characteristics
o Flexibility
o Hardware and software suitability
o Simplicity
5. What was the final set of criteria used by NIST to evaluate candidate AES ciphers?
 The final set of criteria used by NIST to evaluate candidate AES ciphers was:
 General security
 Software implementations
 Restricted-space environments
 Hardware implementations
 Attacks on implementations
 Encryption vs. decryption
 Key agility
 Other versatility and flexibility
 Potential for instruction-level parallelism
6. What is power analysis?
 Power analysis is based on the observation that the power consumed by a smart card at any
particular time during a cryptographic operation is related to the instruction being executed
and to the data being processed. For example, multiplication consumes more power than
addition, and writing 1s consumes more power than writing 0s.
7. Briefly describe Shift Rows.
 In Shift Rows, a row shift moves an individual byte from one column to another, which is a
linear distance of a multiple of 4 bytes.
 In Forward Shift Rows, each row performs a circular left shift; the first row is left unchanged.
 For the second row, a 1-byte circular left shift is performed.
 For the third row, a 2-byte circular left shift is performed.
 For the fourth row, a 3-byte circular left shift is performed.
 In Inverse Shift Rows, each row performs a circular right shift by the same amounts.
8. Briefly describe Mix Columns.
 Mix Columns is a substitution that makes use of arithmetic over GF(2^8). Mix Columns operates
on each column individually.
 Each byte of a column is mapped into a new value that is a function of all four bytes in the
column.
 The Mix Columns transformation combined with the Shift Rows transformation ensures that
after a few rounds, all output bits depend on all input bits.
9. Briefly describe Add Round Key.
 In Add Round Key, the 128 bits of State are bit wise XOR with the 128 bits of the round
key.
 The operation is viewed as a column wise operation between the 4 bytes of a State column
and one word of the round key; it can also be viewed as a byte-level operation.
 The Add Round Key transformation is as simple as possible and affects every bit of State.
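The four transformations described in Q3 and Q7 to Q9, as an added example that is not part of the course notes: it derives the S-box from the GF(2^8) inverse and the FIPS-197 affine map, then applies SubBytes, ShiftRows, MixColumns and AddRoundKey to a State held column-major as state[col][row].

```python
# Added example (not from the course notes): builds the AES S-box by the two
# steps described in Q3 (GF(2^8) inverse, then the FIPS-197 affine map) and
# applies SubBytes, ShiftRows, MixColumns and AddRoundKey to one State.
# The State is stored column-major as state[col][row], as in FIPS-197.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8), reducing modulo AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inverse(a: int) -> int:
    """Multiplicative inverse in GF(2^8); {00} is mapped to itself."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254  # a^254 = a^-1 (multiplicative group order 255)
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def rotl8(v: int, k: int) -> int:
    return ((v << k) | (v >> (8 - k))) & 0xFF


def build_sbox() -> list:
    """Byte {xy} at row x, column y -> its inverse -> affine transform."""
    sbox = []
    for byte in range(256):
        inv = gf_inverse(byte)
        # b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, with c = {63}
        sbox.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                    ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return sbox


SBOX = build_sbox()


def sub_bytes(state):
    """Byte-by-byte substitution of the whole block through the S-box."""
    return [[SBOX[b] for b in col] for col in state]


def shift_rows(state):
    """Row r is circularly left-shifted by r bytes; row 0 is unchanged."""
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def inv_shift_rows(state):
    """Row r is circularly right-shifted by r bytes."""
    return [[state[(c - r) % 4][r] for r in range(4)] for c in range(4)]


def mix_column(col):
    """Each output byte depends on all four input bytes of the column."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


def mix_columns(state):
    return [mix_column(col) for col in state]


def add_round_key(state, round_key):
    """XOR the State with 16 round-key bytes, one 4-byte word per column."""
    return [[state[c][r] ^ round_key[4 * c + r] for r in range(4)] for c in range(4)]


def aes_round(state, round_key):
    """One standard AES round (the final round omits MixColumns)."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)
```

The MixColumns check value used in the test is the column [db 13 53 45] -> [8e 4d a1 bc] from the FIPS-197 worked arithmetic.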
10. Briefly describe the Key Expansion Algorithm.
 The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear
array of 44 words (156 bytes).
 This is sufficient to provide a 4-word round key for the initial Add Round Key stage and for
each of the 10 rounds of the cipher.
11. What is Sub Bytes and Sub Word?

 Sub Bytes:
Sub Bytes uses an S-box to perform a byte-by-byte substitution of the block.
 Sub Word:
Sub Word performs a byte substitution on each byte of its input word, using the S-box.
12. Write the difference between Shift Rows and Rot Word.
S.No | Shift Rows | Rot Word
1 | Shift Rows is a simple permutation that shifts the rows circularly, either in the left or right direction. | Rot Word performs a one-byte circular left shift on a word.
2 | This means that left circular shifts of rows 1, 2 and 3 are performed by amounts of 1, 2, and 3 bytes respectively. Row 0 is not changed. | This means that an input word [b0, b1, b2, b3] is transformed into [b1, b2, b3, b0].
Table 2.2 – Shift Rows vs. Rot Word
13. What is triple encryption?
 Tuchman proposed a triple encryption method that uses only two keys [TUCH79]. The
function follows an encrypt-decrypt-encrypt (EDE) sequence:
C = E_K1[D_K2[E_K1[P]]]
 There is no cryptographic significance to the use of decryption for the second stage. Its only
advantage is that it allows users of 3DES to decrypt data encrypted by users of the older
single DES, by setting K1 = K2:
C = E_K1[D_K1[E_K1[P]]] = E_K1[P]
14. What is a meet-in-the-middle attack?
 The meet-in-the-middle attack was first described in [DIFF77]. It is based on the observation that,
if we have
C = E_K2[E_K1[P]], then
X = E_K1[P] = D_K2[C]
 Given a known pair (P, C), the attack proceeds as follows.
 First, encrypt P for all 2^56 possible values of K1. Store these results in a table and then
sort the table by the values of X. Next, decrypt C using all 2^56 possible values of K2.
15. What is the key size for Blowfish?
 Blowfish makes use of a key that ranges from 32 bits to 448 bits (one to fourteen 32-bit
words).
 That key is used to generate 18 32-bit subkeys and four 8×32 S-boxes containing a total of
1024 32-bit entries.
 The total is 1042 32-bit values, or 4168 bytes.
16. Mention the functions involved in simplified DES.
 Initial permutation
 A complex function fK with a key K1
 Switching function
 A complex function fK with a key K2
17. Define stream cipher and block cipher.
 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
 A block cipher is one in which a block of plaintext is treated as a whole and used to produce a
ciphertext block of equal length.
18. Define symmetric key cryptography and public key cryptography.
 In symmetric key cryptography, only one key is used for encryption and decryption
 In public key cryptography, two keys (public key and private key) are used.
 When one key is used for encryption, then the other must be used for decryption. The
public key is known to all the participants but the private key is kept secret by the owner.
19. What are the various approaches to attacking the RSA algorithm?
 Brute force attack
 Mathematical attacks
 Timing attacks
20. What is called stream cipher and block cipher? Give an example.
Stream cipher:
 Processes the input stream continuously, producing one element at a time. Example:
Caesar cipher.
Block cipher:
 Processes the input one block of elements at a time, producing an output block for each
input block. Example: DES.
21. Define symmetric and asymmetric encryption.
Symmetric
 Symmetric encryption: It is a form of cryptosystem in which encryption and decryption are
performed using the same key. Eg: DES, AES.
Asymmetric
 Asymmetric encryption: It is a form of cryptosystem in which encryption and decryption are
performed using two different keys, a public key and a private key. Eg: RSA, ECC.
22. Define confidentiality and authentication.
Confidentiality:
 It means maintaining the secrecy of a message. It ensures that the information in a computer
system and transmitted information are accessible only for reading by authorized persons.
 The term 'confidentiality' means preserving authorized restrictions on access and disclosure,
including means for protecting personal privacy and proprietary information.
Authentication:
 Authentication is the process of verifying the identity of a user or of information. User
authentication is the process of verifying the identity of a user when that user logs in to a
computer system.
 It helps to prove that only the claimed source entity was involved in the transaction.
23. Define diffusion and confusion.
Diffusion:
 It means that each plaintext digit affects the value of many ciphertext digits, which is
equivalent to saying that each ciphertext digit is affected by many plaintext digits. It can be
achieved by performing permutation on the data. It hides the relationship between the
plaintext and the ciphertext.
 Diffusion is used to dissipate the statistical structure of the plaintext into the ciphertext.
Confusion:
 It can be achieved by a substitution algorithm. It hides the relationship between the ciphertext
and the key.
 Confusion is a cryptographic technique that makes the relationship between the ciphertext and
the key as complex as possible.
24. Give the five modes of operation of Block cipher. (NOV/DEC 2020)
 Electronic Codebook (ECB)
 Cipher Block Chaining (CBC)
 Cipher Feedback (CFB)
 Output Feedback (OFB)
 Counter (CTR)
25. Find gcd(1970, 1066) using Euclid's algorithm. (NOV/DEC 2020)
gcd(1970, 1066) = gcd(1066, 1970 mod 1066) = gcd(1066, 904)
= gcd(904, 1066 mod 904) = gcd(904, 162)
= gcd(162, 94)
= gcd(94, 68)
= gcd(68, 26)
= gcd(26, 16)
= gcd(16, 10)
= gcd(10, 6)
= gcd(6, 4)
= gcd(4, 2)
= gcd(2, 0)
= 2
26. What is the primitive root of a number? (NOV/DEC 2012)
 We can define a primitive root of a number p as one whose powers generate all the integers
from 1 to p − 1. That is, if a is a primitive root of the prime number p, then the number
27. Find gcd(2740, 1760) using Euclid's algorithm. (NOV/DEC 2020, 2021)
gcd(2740, 1760) = gcd(1760, 2740 mod 1760)
= gcd(1760, 980) = 2
28. What is Factoring? (MAY/JUN 2012)
 Factoring is the decomposition of an object into a product of other objects, or factors,
which when multiplied together give the original.
29. List the uses of RC4. (NOV/DEC 2013)
 It is used in the following protocols
o WEP (Wired Equivalent Privacy) protocol and
o The newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11
wireless LAN standard.
30. Define Differential Cryptanalysis. (MAY/JUN 2012)
 A technique in which chosen plaintext with particular XOR difference patterns are
encrypted. These difference patterns of the resulting ciphertext provide information that
can be used to determine the encryption key.

31. What is the disadvantage with ECB mode of operation? (MAY/JUN 2013)
 ECB encrypts highly deterministically
 Identical plaintexts result in identical ciphertexts
 an attacker recognizes if the same message has been sent twice
 Plaintext blocks are encrypted independently of previous blocks
 An attacker may reorder ciphertext blocks which results in valid plaintext
32. State whether symmetric and asymmetric cryptographic algorithms need key exchange.
(MAY 2014)
•In symmetric encryption (i.e., symmetric ciphers), k must be secret. The sender and recipient must
agree (somehow) on k. No one else can be allowed to find out k. Anyone else who finds out k can
decrypt all the messages encrypted with k. For that reason, symmetric ciphers are often called "secret
key" ciphers.
•In asymmetric encryption (i.e., asymmetric ciphers), the encryption key k is not secret. The
recipient (not the sender) chooses a so-called "public key" k and a so-called "private key" p. They then
publish k for all to see - perhaps on their website - but keep p secret. Senders use k to encrypt their
messages to that recipient, who keeps p secret. Since k is public, asymmetric ciphers are often
called "public key" ciphers.
33. What are roles of public and private key in public-key encryption?
The two keys used for public-key encryption are referred to as the public key and the private key.
Invariably, the private key is kept secret and the public key is known publicly. Usually the public key
is used for encryption purpose and the private key is used in the decryption side.
Roles:
 First, the public key encrypts the plaintext, converting it into ciphertext.
 Then the private key is used for decrypting the converted ciphertext,
 so the recipient can read the message.
 The sender receives the appropriately named public key, and the receiver keeps the private key.
34. List the applications of the public key cryptosystem.
The applications of the public-key cryptosystem can be classified as follows:
1. Encryption/Decryption: The sender encrypts a message with the recipient's public key.
2. Digital signature: The sender "signs" a message with its private key. Signing is achieved by a
cryptographic algorithm applied to the message or to a small block of data that is a function of the
message.
3. Key exchange: Two sides cooperate to exchange a session key. Several different approaches
are possible, involving the private key(s) of one or both parties.
35. What requirements must a public-key cryptosystem fulfill to be a secure algorithm?
The requirements of a public-key cryptosystem are as follows:
1. It is computationally easy for a party B to generate a pair (public key KUb, private key KRb).
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted,
M, to generate the corresponding ciphertext: C = E_KUb(M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key
to recover the original message: M = D_KRb(C) = D_KRb[E_KUb(M)]
4. It is computationally infeasible for an opponent, knowing the public key KUb, to determine the
private key KRb.
5. It is computationally infeasible for an opponent, knowing the public key KUb and a ciphertext C,
to recover the original message M.
6. The encryption and decryption functions can be applied in either order:
M = E_KUb[D_KRb(M)] = D_KUb[E_KRb(M)]
36. What is a one-way function?
A one-way function is one that maps a domain into a range such that every function value has
a unique inverse, with the condition that the calculation of the function is easy whereas the calculation
of the inverse is infeasible.
37. Perform encryption and decryption using the RSA algorithm for the following.
p = 7; q = 11; e = 17; M = 8.
Soln:
n = pq = 7 × 11 = 77
φ(n) = (p − 1)(q − 1) = 6 × 10 = 60
e = 17
d = 27
C = M^e mod n = 8^17 mod 77 = 57
M = C^d mod n = 57^27 mod 77 = 8
38. What is elliptic curve cryptography (ECC)? (Nov-Dec 2016)
 Elliptic Curve Cryptography (ECC) is an encryption technology comparable to RSA that
enables public-key encryption.
 While RSA’s security is dependent on huge prime numbers, ECC leverages the
mathematical theory of elliptic curves to achieve the same level of security with
considerably smaller keys.
 The principle attraction of ECC compared to RSA, is that it appears to offer equal security for
a far smaller key size, thereby reducing processing overhead.
39. Define Public-Key Cryptography (PKC).
 Public key cryptography (PKC) is an encryption technique that uses a paired public and
private key (or asymmetric key) algorithm for secure data communication. A message
sender uses a recipient's public key to encrypt a message. To decrypt the sender's message,
only the recipient's private key may be used.
 Probably the most significant advance in the 3000-year history of cryptography
 Uses two keys – a public & a private key
 Asymmetric since parties are not equal
 Uses clever application of number theoretic concepts to function
 Complements rather than replaces private key crypto
40. Why Public-Key Cryptography?
 Developed to address two key issues:
 Key distribution – how to have secure communications in general without having to trust a
KDC with your key
 Digital signatures – how to verify a message comes intact from the claimed sender
 Public invention due to Whitfield Diffie & Martin Hellman at Stanford University in 1976; known
earlier in the classified community
41. Define ring and field in number theory. (NOV/DEC 2020)
RING:

 A RING is a set equipped with two operations, called addition and multiplication. A RING
is a GROUP under addition and satisfies some of the properties of a group for
multiplication.
 The simplest example of a ring is the collection of integers (…, −3, −2, −1, 0, 1, 2, 3, …)
together with the ordinary operations of addition and multiplication.
FIELD:
 A FIELD is a GROUP under both addition and multiplication.
 Fields are rich algebraic structures that can be thought of as number systems. Familiar
examples of fields in mathematics are the rational numbers, the real numbers, and the
complex numbers, denoted and respectively.
42. Users A and B exchange a key using the Diffie-Hellman algorithm. Assume α = 5, q = 11, XA = 2,
XB = 3. Find YA, YB, K.
Soln:
YA = α^XA mod q = 5^2 mod 11 = 25 mod 11 = 3
YB = α^XB mod q = 5^3 mod 11 = 125 mod 11 = 4
KA = YB^XA mod q = 4^2 mod 11 = 16 mod 11 = 5
KB = YA^XB mod q = 3^3 mod 11 = 27 mod 11 = 5
K = KA = KB = 5
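The exchange of Q42 carried out in code, as an added example that is not part of the notes: it uses the same α, q, XA and XB, and adds the primitive-root check of Q26 (element_order and is_primitive_root are names chosen here) because the textbook scheme assumes α generates the whole group.

```python
# Added example (not from the course notes): the Diffie-Hellman exchange of Q42
# with the same alpha, q, XA and XB, plus the Q26 check of whether alpha is a
# primitive root of q. element_order shows how many distinct public values, and
# hence how many distinct shared keys, a given alpha can produce at all.


def element_order(alpha: int, q: int) -> int:
    """Smallest k >= 1 with alpha^k = 1 (mod q); assumes q prime, 1 <= alpha < q."""
    value, k = alpha % q, 1
    while value != 1:
        value = (value * alpha) % q
        k += 1
    return k


def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha generates all of 1..q-1 exactly when its order is q - 1."""
    return element_order(alpha, q) == q - 1


def dh_public(alpha: int, q: int, x: int) -> int:
    return pow(alpha, x, q)           # Y = alpha^X mod q


def dh_shared(peer_public: int, x: int, q: int) -> int:
    return pow(peer_public, x, q)     # K = Y_peer^X mod q


def diffie_hellman(alpha: int, q: int, xa: int, xb: int):
    """Return (YA, YB, K) for private values xa, xb; raises if the sides disagree."""
    ya = dh_public(alpha, q, xa)
    yb = dh_public(alpha, q, xb)
    ka = dh_shared(yb, xa, q)         # A computes YB^XA mod q
    kb = dh_shared(ya, xb, q)         # B computes YA^XB mod q
    if ka != kb:
        raise ValueError("key agreement failed")
    return ya, yb, ka
```

With α = 5 and q = 11 the order of α is only 5, so just five distinct public values exist; a generator of the full group such as α = 2 is what the scheme calls for.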
43. What are the two different uses of public-key cryptography related to key distribution?
There are two aspects to the use of public-key cryptography in this regard:
 The distribution of public keys
 The use of public-key encryption to distribute secret keys
44. List four general categories of schemes for the distribution of public keys.
 Public announcement
 Publicly available directory
 Public-key authority
 Public-key certificates
45. Briefly explain the purpose of Diffie-Hellman key exchange algorithm.
 The purpose for this algorithm is to enable two users to exchange a key securely that can
then be used for subsequent encryption of messages. It depends for its effectiveness on
the difficulty of computing discrete logarithms.
46. Define Key Management.
 In cryptography, Key management is a very tedious task to distribute the public and
private keys between sender and receiver. If the key is known to the third party
(forger/eavesdropper) then the whole security mechanism becomes worthless. So, there comes
the need to secure the exchange of keys.
 There are two aspects for Key Management:
 Distribution of public keys
 Use of public-key encryption to distribute secret keys
47. Why Public-Key Authority is needed?
 Improve security by tightening control over distribution of keys from directory
 Has properties of directory
 And requires users to know public key for the directory
 Then users interact with directory to obtain any desired public key securely
 Does require real-time access to directory when keys are needed.
48. Briefly describe the strength of DES. (Nov-Dec 2016)

The strength of DES is discussed under three headings:
 The use of 56-bit keys
 The nature of the DES algorithm
 Timing attacks
49. Difference between private and public key encryption. (May 2017) (or) Write the difference
between symmetric and asymmetric key encryption.
S.No | Symmetric Key Encryption (Private Key Encryption) | Asymmetric Key Encryption (Public Key Encryption)
1 | It only requires a single key for both encryption and decryption. | It requires two keys, a public key and a private key, one to encrypt and the other one to decrypt.
2 | The size of cipher text is the same or smaller than the original plain text. | The size of cipher text is the same or larger than the original plain text.
3 | The encryption process is very fast. | The encryption process is slow.
4 | It is used when a large amount of data is required to transfer. | It is used to transfer small amounts of data.
5 | It only provides confidentiality. | It provides confidentiality, authenticity, and non-repudiation.
6 | The length of key used is 128 or 256 bits. | The length of key used is 2048 bits or higher.
Table 2.3 – Symmetric vs Asymmetric key encryption
50. Find residues of 6 when n = 8. (NOV/DEC 2021)
The residues of 6 modulo 8 are the values 6 × k mod 8 for each k in Z8 = {0, 1, ..., 7}:
k (Z8) | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7
6 × k | 0 | 6 | 12 | 18 | 24 | 30 | 36 | 42
Residue (mod 8) | 0 | 6 | 4 | 2 | 0 | 6 | 4 | 2

PART-B
1. Explain in detail about pseudorandom number generators (PRNG).
Two types of algorithms for PRNGs are discussed here: linear congruential generators and the
Blum Blum Shub generator.
Linear Congruential Generators
 A widely used technique for pseudorandom number generation is an algorithm first proposed
by Lehmer [LEHM51], which is known as the linear congruential method. The algorithm is
parameterized with four numbers, as follows:
m   the modulus                 m > 0
a   the multiplier              0 < a < m
c   the increment               0 ≤ c < m
X0  the starting value, or seed 0 ≤ X0 < m
 The sequence of random numbers {Xn} is obtained via the following iterative equation:
Xn+1 = (aXn + c) mod m
 If m, a, c, and X0 are integers, then this technique will produce a sequence of integers with
each integer in the range 0 ≤ Xn < m.
 The selection of values for a, c, and m is critical in developing a good random number
generator. For example, consider a = c = 1. The sequence produced is obviously not satisfactory.
Now consider the values a = 7, c = 0, m = 32, and X0 = 1. This generates the sequence {7, 17, 23,
1, 7, etc.}, which is also clearly unsatisfactory. Of the 32 possible values, only four are used; thus,
the sequence is said to have a period of 4. If, instead, we change the value of a to 5, then the
sequence is {5, 25, 29, 17, 21, 9, 13, 1, 5, etc. }, which increases the period to 8.
 We would like m to be very large, so that there is the potential for producing
a long series of distinct random numbers. A common criterion is that m be nearly equal to the
maximum representable nonnegative integer for a given computer. Thus, a value of m near to or
equal to 2^31 is typically chosen.
[PARK88] proposes three tests to be used in evaluating a random number generator:

T1: The function should be a full-period generating function. That is, the function should
generate all the numbers from 0 through m - 1 before repeating.

T2: The generated sequence should appear random.

T3: The function should implement efficiently with 32-bit arithmetic.

With appropriate values of a, c, and m, these three tests can be passed. With respect to T1, it can be
shown that if m is prime and c = 0, then for certain values of a the period of the generating function is
m − 1, with only the value 0 missing. For 32-bit arithmetic, a convenient prime value of m is 2^31 − 1.
Thus, the generating function becomes

Xn+1 = (aXn) mod (2^31 − 1)

Of the more than 2 billion possible choices for a, only a handful of multipliers pass all three tests.
One such value is a = 7^5 = 16807, which was originally selected for use in the IBM 360 family of
computers [LEWI69]. This generator is widely used and has been subjected to more thorough
testing than any other PRNG.

It is frequently recommended for statistical and simulation work (e.g., [JAIN91]). The strength of the
linear congruential algorithm is that if the multiplier and modulus are properly chosen, the resulting
sequence of numbers will be statistically indistinguishable from a sequence drawn at random (but
without replacement) from the set {1, 2, ..., m − 1}. But there is nothing random at all about the
algorithm, apart from the choice of the initial value X0. Once that value is chosen, the remaining
numbers in the sequence follow deterministically.

This has implications for cryptanalysis.

If an opponent knows that the linear congruential algorithm is being used and if the parameters are
known (e.g., a = 7^5, c = 0, m = 2^31 − 1), then once a single number is discovered, all subsequent
numbers are known. Even if the opponent knows only that a linear congruential algorithm is being
used, knowledge of a small part of the sequence is sufficient to determine the parameters of the
algorithm.

Suppose that the opponent is able to determine values for X0, X1, X2, and X3.

Then X1 = (aX0 + c) mod m

X2 = (aX1 + c) mod m

X3 = (aX2 + c) mod m

These equations can be solved for a, c, and m.

Thus, although it is nice to be able to use a good PRNG, it is desirable to make the actual sequence
used nonreproducible, so that knowledge of part of the sequence on the part of an opponent is
insufficient to determine future elements of the sequence. This goal can be achieved in a number of
ways.
For example, [BRIG79] suggests using an internal system clock to modify the random number stream.
One way to use the clock would be to restart the sequence after every N numbers using the current
clock value (mod m) as the new seed. Another way would be simply to add the current clock value to
each random number (mod m).
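The linear congruential generator discussed above, as an added example that is not part of the notes: it reproduces the period-4 and period-8 sequences for a = 7 and a = 5 with m = 32, measures a generator's period directly, and runs the Lehmer choice a = 7^5, m = 2^31 − 1; the small full-period case m = 31, a = 3 is constructed here to show test T1 passing.

```python
# Added example (not from the course notes): a linear congruential generator
# X(n+1) = (a*Xn + c) mod m with the parameter choices discussed above, and a
# period measurement that makes the "period of 4" / "period of 8" remarks and
# the full-period criterion T1 concrete.


def lcg(a: int, c: int, m: int, seed: int):
    """Yield X1, X2, ... from X(n+1) = (a*Xn + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def first_n(a: int, c: int, m: int, seed: int, n: int) -> list:
    gen = lcg(a, c, m, seed)
    return [next(gen) for _ in range(n)]


def period(a: int, c: int, m: int, seed: int) -> int:
    """Length of the cycle the generator falls into when started from seed."""
    seen = {}
    gen = lcg(a, c, m, seed)
    for i in range(m + 1):          # at most m distinct values exist
        x = next(gen)
        if x in seen:
            return i - seen[x]
        seen[x] = i
    raise RuntimeError("unreachable: some value must repeat within m+1 draws")


def is_full_period(a: int, c: int, m: int, seed: int) -> bool:
    """Test T1 from [PARK88]: every value 0..m-1 (or 1..m-1 when c = 0, m prime)
    must appear before the sequence repeats."""
    expected = m - 1 if c == 0 else m
    return period(a, c, m, seed) == expected


LEHMER_A, LEHMER_M = 7 ** 5, 2 ** 31 - 1   # a = 16807, m = 2147483647
```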
Blum Blum Shub Generator (Refer figure 2.1)

A popular approach to generating secure pseudorandom numbers is known as the Blum Blum Shub
(BBS) generator, named for its developers [BLUM86]. It has perhaps the strongest public proof of its
cryptographic strength of any purpose-built algorithm. The procedure is as follows. First, choose two
large prime numbers, p and q, that both have a remainder of 3 when divided by 4. That is,
p ≡ q ≡ 3 (mod 4)
This notation, explained more fully in Chapter 4, simply means that (p mod 4) = (q mod 4) = 3. For
example, the prime numbers 7 and 11 satisfy 7 ≡ 11 ≡ 3 (mod 4).

Let n = p × q. Next, choose a random number s, such that s is relatively prime to n; this is equivalent
to saying that neither p nor q is a factor of s. Then the BBS generator produces a sequence of bits Bi
according to the following algorithm:

X0 = s^2 mod n
for i = 1 to ∞
    Xi = (Xi−1)^2 mod n
    Bi = Xi mod 2

Thus, the least significant bit is taken at each iteration. Table 2.4 shows an example of BBS
operation. Here, n = 192649 = 383 × 503, and the seed s = 101355.

The BBS is referred to as a cryptographically secure pseudorandom bit generator (CSPRBG). A
CSPRBG is defined as one that passes the next-bit test, which, in turn, is defined as follows
[MENE97]: A pseudorandom bit generator is said to pass the next-bit test if there is not a polynomial-
time algorithm that, on input of the first k bits of an output sequence, can predict the (k + 1)st bit
with probability significantly greater than 1/2.

Figure 2.1 - Blum Blum Shub Generator Block Diagram

Page
17
AR ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
CB3491 CRYPTOGRAPHY AND CYBER SECURITY - UNIT 2

Table 2.4 – Example Operation of BBS Generator

In other words, given the first k bits of the sequence, there is not a practical algorithm that can even
allow you to state that the next bit will be 1 (or 0) with probability greater than 1/2. For all practical
purposes, the sequence is unpredictable. The security of BBS is based on the difficulty of factoring n.
That is, given n, we need to determine its two prime factors p and q.
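The BBS generator described above, as an added example that is not part of the notes: it runs the textbook parameters n = 383 × 503 = 192649 and s = 101355, and enforces the two preconditions the description relies on, p ≡ q ≡ 3 (mod 4) and gcd(s, n) = 1.

```python
# Added example (not from the course notes): the Blum Blum Shub generator with
# the parameters quoted above (p = 383, q = 503, s = 101355), including the
# parameter checks the description relies on. X0..X2 match the first rows of
# the example table when run with those values.
from math import gcd


def bbs_setup(p: int, q: int, s: int):
    """Validate p, q, s and return (n, X0) with X0 = s^2 mod n."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed s must be relatively prime to n")
    return n, (s * s) % n


def bbs_bits(p: int, q: int, s: int, count: int):
    """Return ([X1..Xcount], [B1..Bcount]) from Xi = X(i-1)^2 mod n, Bi = Xi mod 2."""
    n, x = bbs_setup(p, q, s)
    xs, bits = [], []
    for _ in range(count):
        x = (x * x) % n
        xs.append(x)
        bits.append(x & 1)          # least significant bit of Xi
    return xs, bits


def bbs_bytes(p: int, q: int, s: int, nbytes: int) -> bytes:
    """Pack 8 successive output bits (most significant first) into each byte."""
    _, bits = bbs_bits(p, q, s, 8 * nbytes)
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)
```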

2. What are the fundamental elements of branch of mathematics (Groups, Rings, Fields)?
(NOV/DEC 2020)

Contents
 Groups
 A1- Closure
 A2 - Associative
 A3 - Identity
 A4 - Inverse
 A5 - Commutative
 Rings
 M1- Closure under multiplication
 M2 - Associativity of multiplication
 M3 - Distributive law
 M4 – Commutativity of multiplication
 M5 – Multiplicative Identity
 M6 – No zero divisors
 Fields
 M7 – Multiplicative Inverse

 Groups, rings, and fields are the fundamental elements of a branch of mathematics known as
abstract algebra, or modern algebra.
Groups
A group G, sometimes denoted by {G, ∙}, is a set of elements with a binary operation denoted
by ∙ that associates to each ordered pair (a, b) of elements in G an element (a ∙ b) in G, such that the
following axioms are obeyed:


 If a group has a finite number of elements, it is referred to as a finite group, and the order of
the group is equal to the number of elements in the group. Otherwise, the group is an infinite
group.
 A group is said to be abelian if it satisfies the following additional condition:

 When the group operation is addition, the identity element is 0; the inverse element of a is -a;
and subtraction is defined with the following rule: a − b = a + (−b).
 A group G is cyclic if every element of G is a power a^k (k is an integer) of a fixed element a ∈
G. The element a is said to generate the group G or to be a generator of G. A cyclic group is
always abelian and may be finite or infinite.
Rings
 A ring R, sometimes denoted by {R, +, *}, is a set of elements with two binary operations,
called addition and multiplication, such that for all a, b, c in R the following axioms are
obeyed.

 In essence, a ring is a set in which we can do addition, subtraction [a - b = a + (-b)], and multiplication without leaving the set.
 A ring is said to be commutative if it satisfies the following additional condition:

 Next, we define an integral domain, which is a commutative ring that obeys the following
axioms.

Fields
 A field F, sometimes denoted by {F, +, *}, is a set of elements with two binary operations,
called addition and multiplication, such that for all a, b, c in F the following axioms are
obeyed.

 In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set. Division is defined with the following rule: a/b = a(b^-1), where b^-1 is the multiplicative inverse of b guaranteed by axiom M7.
3. Discuss in detail about Modular arithmetic. What are the various operations involved in
Modular Arithmetic.
Contents
 The Modulus
 Properties of Congruences
 Modular Arithmetic Operations
 Properties of Modular Arithmetic
The Modulus
 If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is
divided by n. The integer n is called the modulus. Thus, for any integer a, we can rewrite
Equation as follows:

 Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n). This is written as a ≡ b (mod n).

Properties of Congruences
Congruences have the following properties:

To demonstrate the first point, if n | (a - b), then (a - b) = kn for some k, so we can write a = b + kn. Therefore, (a mod n) = (remainder when b + kn is divided by n) = (remainder when b is divided by n) = (b mod n).

The remaining points are as easily proved.


Modular Arithmetic Operations
 Note that, by definition (Table 2.5), the (mod n) operator maps all integers into the set of integers {0, 1, …, (n - 1)}. This technique is known as modular arithmetic.
Modular arithmetic exhibits the following properties:

Properties of Modular Arithmetic


Define the set Zn as the set of nonnegative integers less than n:

This is referred to as the set of residues, or residue classes (mod n). To be more precise, each integer in Zn represents a residue class (refer to Figure 2.1). We can label the residue classes (mod n) as [0], [1], [2], …, [n - 1], where

Table 2.5. Properties of modular arithmetic for integer in Zn
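The axioms listed under question 2 (A1-A5, M1-M7) and the modular-arithmetic properties of question 3 can be checked mechanically on Z_n, since the set is finite. The following is an added example written for these notes, not text from the course material or from Stallings: it tests the group axioms exhaustively, finds generators of a cyclic group, verifies the Table 2.5 identities on concrete numbers, and classifies Z_n as a commutative ring or a field according to whether zero divisors exist and whether every nonzero element has an inverse. The sample values (Z_5, Z_6, Z_7) are chosen for illustration.

```python
"""Checking the group, ring and field axioms for Z_n by exhaustive search.

Added example (not from the course notes). Z_n = {0, 1, ..., n-1} with addition
and multiplication mod n is small enough that every axiom in the A1-A5 / M1-M7
list can be tested directly rather than proved.
"""
from itertools import product
from math import gcd


def is_group(elements, op, identity):
    """Return (True, None) if (elements, op) satisfies A1-A4, else (False, failed_axiom)."""
    elems = list(elements)
    members = set(elems)
    if any(op(a, b) not in members for a, b in product(elems, repeat=2)):
        return False, "A1 closure"
    if any(op(op(a, b), c) != op(a, op(b, c)) for a, b, c in product(elems, repeat=3)):
        return False, "A2 associative"
    if any(op(a, identity) != a or op(identity, a) != a for a in elems):
        return False, "A3 identity"
    if any(all(op(a, b) != identity for b in elems) for a in elems):
        return False, "A4 inverse"
    return True, None


def is_abelian(elements, op):
    """A5: the operation commutes on every pair of elements."""
    return all(op(a, b) == op(b, a) for a, b in product(elements, repeat=2))


def generators(elements, op, identity):
    """Elements a whose powers a, a^2, a^3, ... exhaust the set; the group is cyclic iff any exist."""
    elems = list(elements)
    found = []
    for a in elems:
        x, seen = identity, set()
        for _ in elems:
            x = op(x, a)
            seen.add(x)
        if seen == set(elems):
            found.append(a)
    return found


def congruent(a, b, n):
    """a ≡ b (mod n): equivalently (a mod n) == (b mod n), equivalently n | (a - b)."""
    return (a - b) % n == 0


def mod_identities_hold(a, b, n):
    """The three identities of Table 2.5: reduce first or reduce last, same answer."""
    return ((a % n + b % n) % n == (a + b) % n
            and (a % n - b % n) % n == (a - b) % n
            and (a % n) * (b % n) % n == (a * b) % n)


def analyse_zn(n):
    """Which structure is Z_n? Always a commutative ring with identity; a field iff n is prime."""
    zn = range(n)
    add = lambda a, b: (a + b) % n
    mul = lambda a, b: (a * b) % n
    triples = list(product(zn, repeat=3))
    ring = (is_group(zn, add, 0)[0] and is_abelian(zn, add)               # A1-A5 for +
            and is_abelian(zn, mul)                                       # M1 (closure via %), M4
            and all(mul(mul(a, b), c) == mul(a, mul(b, c)) for a, b, c in triples)          # M2
            and all(mul(a, add(b, c)) == add(mul(a, b), mul(a, c)) for a, b, c in triples)  # M3
            and all(mul(a, 1) == a for a in zn))                          # M5
    # M6 (no zero divisors) fails exactly when n is composite.
    zero_divs = [(a, b) for a in range(1, n) for b in range(a, n) if mul(a, b) == 0]
    # Units: the elements with a multiplicative inverse, i.e. those relatively prime to n.
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    inverses = {a: next(b for b in range(1, n) if mul(a, b) == 1) for a in units}
    return {
        "ring": ring,
        "zero_divisors": zero_divs,
        "units": units,
        "inverses": inverses,
        "unit_group": is_group(units, mul, 1)[0],   # (Z_n^*, x) is a group for every n
        "is_field": ring and not zero_divs and len(units) == n - 1,   # M6 + M7
    }


if __name__ == "__main__":
    for n in (5, 6, 7):
        r = analyse_zn(n)
        print(f"Z_{n}: field={r['is_field']} units={r['units']} zero divisors={r['zero_divisors']}")
    print("generators of (Z_7^*, x):", generators(range(1, 7), lambda a, b: a * b % 7, 1))
```

Running it shows Z_5 and Z_7 as fields, Z_6 as a commutative ring with zero divisors (2·3 = 0) whose nonzero elements do not even form a group under multiplication (closure fails), and 3 and 5 as the generators of the cyclic group (Z_7^*, ×).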

4. Explain in detail about the Euclid’s algorithm. (Nov/Dec-2018)


Introduction

 One of the basic techniques of number theory is the Euclidean algorithm, which is a simple
procedure for determining the greatest common divisor of two positive integers. First, we
need a simple definition: Two integers are relatively prime if their only common positive
integer factor is 1.
Greatest Common Divisor
 Recall that nonzero b is defined to be a divisor of a if a = mb for some m, where a, b, and m
are integers.
 We will use the notation gcd(a, b) to mean the greatest common divisor of a and b. The
greatest common divisor of a and b is the largest integer that divides both a and b.
 We also define gcd(0, 0) = 0. More formally, the positive integer c is said to be the greatest
common divisor of a and b if
1. c is a divisor of a and of b.
2. Any divisor of a and b is a divisor of c.
An equivalent definition is the following:

 Because we require that the greatest common divisor be positive, gcd(a, b) = gcd(a, −b) =
gcd(−a, b) = gcd(−a,−b). In general, gcd(a, b) = gcd( |a| , |b|).

Finding the Greatest Common Divisor


 Suppose we have integers a, b such that d = gcd(a, b). Because gcd(|a|, |b|) = gcd(a, b), there is no harm in assuming a ≥ b > 0. Now dividing a by b and applying the division algorithm, we can state:

 Let us now return to Equation and assume that r1 ≠ 0. Because b > r1, we can divide b by r1
and apply the division algorithm to obtain:

The result is the following system of equations:

 In this example, we begin by dividing 1160718174 by 316258250, which gives 3 with a remainder of 211943424. Next we take 316258250 and divide it by 211943424. The process continues until we get a remainder of 0, yielding a result of 1078.

Table 2.6 – Example of GCD
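The division steps of Table 2.6 are easy to reproduce, and the extended form of the same algorithm gives the multiplicative inverse that the field definition a/b = a(b^-1) relies on. The following is an added example written for these notes (not code from the course material): it traces the Euclid steps for the text's pair 1160718174 and 316258250, returns Bézout coefficients x, y with a·x + b·y = gcd(a, b), and derives a modular inverse from them.

```python
"""Euclid's algorithm, the extended form, and the modular inverse it yields.

Added example (not from the course notes). euclid_trace reproduces the rows
of Table 2.6 for gcd(1160718174, 316258250) = 1078; extended_gcd is what one
actually uses in cryptography, because it also gives the inverse needed for
division a/b = a(b^-1) in Z_n.
"""


def euclid_gcd(a, b):
    """gcd(a, b) by repeatedly replacing (a, b) with (b, a mod b); gcd(0, 0) = 0 by convention."""
    a, b = abs(a), abs(b)          # gcd(a, b) = gcd(|a|, |b|)
    while b:
        a, b = b, a % b
    return a


def euclid_trace(a, b):
    """Rows (dividend, divisor, quotient, remainder) of the division steps, as laid out in Table 2.6."""
    rows = []
    a, b = abs(a), abs(b)
    while b:
        q, r = divmod(a, b)
        rows.append((a, b, q, r))
        a, b = b, r
    return rows


def relatively_prime(a, b):
    """Two integers are relatively prime if their only common positive factor is 1."""
    return euclid_gcd(a, b) == 1


def extended_gcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d (Bezout coefficients).

    Runs the same division steps as euclid_gcd, but also tracks how each remainder
    is expressed as a combination of the original a and b.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:                  # normalise so the gcd is positive
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """b with a*b ≡ 1 (mod n); exists iff gcd(a, n) = 1, otherwise ValueError."""
    d, x, _ = extended_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {d})")
    return x % n


if __name__ == "__main__":
    for row in euclid_trace(1160718174, 316258250):
        print("%12d = %d * %12d + %12d" % (row[0], row[2], row[1], row[3]))
    print("gcd =", euclid_gcd(1160718174, 316258250))
    d, x, y = extended_gcd(1160718174, 316258250)
    print(f"{d} = 1160718174*({x}) + 316258250*({y})")
    print("3^-1 mod 7 =", mod_inverse(3, 7))
```

The trace has ten division rows and ends at remainder 0 with divisor 1078, matching the text. The inverse routine refuses 2 modulo 8 with a ValueError, which is the same fact the field discussion later relies on: Z_n is a field only when every nonzero element is relatively prime to n.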

5. Explain in details Data Encryption Standard. Or Draw the block diagram of single round of DES
algorithm and explain the Processing carried out in each block. (NOV/DEC 2020), (NOV/DEC
2021)
Contents
 Introduction
 DES Encryption
 DES Decryption
 DES Example
 The Avalanche Effect
 The strength of DES
 The Use of 56-Bit Keys
 The Nature of the DES
Algorithm
 Timing Attacks
DES Encryption:
 The overall scheme for DES encryption is illustrated in fig.2.2. As with any encryption
scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the

key. In this case, the plaintext must be 64 bits in length and the key is 56 bits in length.
 Looking at the left-hand side of the figure, we can see that the processing of the plaintext
proceeds in three phases. First, the 64-bit plaintext passes through an initial permutation (IP)
that rearranges the bits to produce the permuted input.
 This is followed by a phase consisting of sixteen rounds of the same function, which involves
both permutation and substitution functions.
 The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key. The left and right halves of the output are swapped to produce the preoutput.
 Finally, the preoutput is passed through a permutation [IP^-1] that is the inverse of the initial permutation function, to produce the 64-bit ciphertext. With the exception of the initial and final permutations, DES has the exact structure of a Feistel cipher.
 The right-hand portion of Figure shows the way in which the 56-bit key is used. Initially, the
key is passed through a permutation function. Then, for each of the sixteen rounds, a subkey
(Ki) is produced by the combination of a left circular shift and a permutation.
 The permutation function is the same for each round, but a different subkey is produced
because of the repeated shifts of the key bits.

Fig 2.2 General Depiction of DES Encryption Algorithm

DETAILS OF SINGLE ROUND


 Figure 2.3 shows the internal structure of a single round.
 Again, begin by focusing on the left-hand side of the diagram.
 The left and right halves of each 64-bit intermediate value are treated as separate 32-bit
quantities, labeled L (left) and R (right).
 As in any classic Feistel cipher, the overall processing at each round can be summarized in the
following formulas:

Fig. 2.3 Single Round of DES Algorithm

 The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. Each S-box is defined by a table of four rows and sixteen columns, which is interpreted as follows:

o The first and last bits of the input to box Si form a 2-bit binary number that selects one of four substitutions defined by the four rows in the table for Si. The middle four bits select one of the sixteen columns.
o The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output.
For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is 1001.
Each row of an S-box defines a general reversible substitution (a permutation of the sixteen 4-bit values). Figure 2.4 illustrates the substitution-box concept and may be useful in understanding the mapping.

Fig.2.4.Substitution Box
DES Decryption
As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the
application of the subkeys is reversed. Additionally, the initial and final permutations are reversed.
DES Example
 For this example, the plaintext is a hexadecimal palindrome. The plaintext, key, and resulting
ciphertext are as follows:

Results
The first row shows the 32-bit values of the left and right halves of data after the initial permutation. The next 16 rows show the results after each round. Also shown is the value of the 48-bit subkey generated for each round. Note that Li = Ri-1: the left half entering round i + 1 is the right half produced by round i. The final row shows the left- and right-hand values after the inverse initial permutation. These two values combined form the ciphertext.
The Avalanche Effect
 A desirable property of any encryption algorithm is that a small change in either the plaintext
or the key should produce a significant change in the cipher text.
 In particular, a change in one bit of the plaintext or one bit of the key should produce a change
in many bits of the cipher text.
The strength of DES
 The Use of 56-Bit Keys
 The Nature of the DES Algorithm
 Timing Attacks
The Use of 56-Bit Keys
 With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. Thus, on the face of it, a brute-force attack appears impractical.
 Assuming that, on average, half the key space has to be searched, a single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher. The single-machine assumption is the weak point: the key search parallelizes perfectly across many processors or dedicated hardware, and 56-bit DES is no longer considered secure against brute force.
The Nature of the DES Algorithm
 The focus of concern has been on the eight substitution tables, or S-boxes, that are used in
each iteration.
 Because the design criteria for these boxes, and indeed for the entire algorithm, were not
made public, there is a suspicion that the boxes were constructed in such a way that
cryptanalysis is possible for an opponent who knows the weaknesses in the S-boxes.

 This assertion is tantalizing, and over the years a number of regularities and unexpected
behaviors of the S-boxes have been discovered.
Timing Attacks
 Timing attacks are discussed in more detail in the context of public-key algorithms. However, the issue may also be relevant for symmetric ciphers.
 In essence, a timing attack is one in which information about the key or the plaintext is
obtained by observing how long it takes a given implementation to perform decryptions on
various cipher texts.
 A timing attack exploits the fact that an encryption or decryption algorithm often takes
slightly different amounts of time on different inputs.

6. Explain the Block cipher Design principles.


Contents
 Introduction
 Number of rounds
 Design of function
 Key Schedule Algorithm
Introduction
Although much progress has been made in designing block ciphers that are cryptographically
strong, the basic principles have not changed all that much since the work of Feistel and the DES
design team in the early 1970s.
 In this section we look at three critical aspects of block cipher design: the number of rounds,
design of the function F, and key scheduling
Number of Rounds
 The cryptographic strength of a Feistel cipher derives from three aspects of the design:
 The number of rounds, the function F, and the key schedule algorithm. Let us look first at the
choice of the number of rounds.

 The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a
relatively weak F.
 In general, the criterion should be that the number of rounds is chosen so that known
cryptanalytic efforts require greater effort than a simple brute-force key search attack.
 This criterion was certainly used in the design of DES. Schneier [SCHN96] observes that for
16-round DES, a differential cryptanalysis attack is slightly less efficient than brute force:
 The differential cryptanalysis attack requires 2^55.1 operations, whereas brute force requires 2^55.
 If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a
brute-force key search.
 This criterion is attractive, because it makes it easy to judge the strength of an algorithm and
to compare different algorithms. In the absence of a cryptanalytic breakthrough, the strength
of any algorithm that satisfies the criterion can be judged solely on key length.

Design of Function F
 The heart of a Feistel block cipher is the function F, which provides the element of confusion
in a Feistel cipher. Thus, it must be difficult to “unscramble” the substitution performed by
F.
 One obvious criterion is that F be nonlinear, as we discussed previously. The more nonlinear
F, the more difficult any type of cryptanalysis will be.
 There are several measures of nonlinearity, which are beyond the scope of this book. In rough
terms, the more difficult it is to approximate F by a set of linear equations, the more nonlinear
F is. Several other criteria should be considered in designing F.
 We would like the algorithm to have good avalanche properties. Recall that, in general, this
means that a change in one bit of the input should produce a change in many bits of the
output.
 A more stringent version of this is the strict avalanche criterion (SAC) [WEBS86], which
states that any output bit j of an S-box (see Appendix S for a discussion of S-boxes) should
change with probability 1/2 when any single input bit i is inverted for all i, j.

 Although SAC is expressed in terms of S-boxes, a similar criterion could be applied to F as a whole. This is important when considering designs that do not include S-boxes.
 Another criterion proposed in [WEBS86] is the bit independence criterion (BIC), which
states that output bits j and k should change independently when any single input bit i is
inverted for all i, j, and k. The SAC and BIC criteria appear to strengthen the effectiveness of
the confusion function.
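The row/column interpretation of a DES S-box (question 5, Figure 2.4) and the avalanche criteria just described (SAC and BIC) are best understood by measuring them on a real S-box. The following is an added example written for these notes, not code from the course material or from the DES standard: it implements the lookup rule on the published table for S1, checks that each row is a reversible substitution, finds the smallest number of output bits that change for a one-bit input change, and computes the SAC table and a correlation-based BIC statistic. The table values for S1 are those of FIPS 46; the BIC statistic (the largest absolute correlation between two output-bit flip indicators) is one reasonable way to quantify that criterion, chosen here for illustration.

```python
"""DES S-box S1: row/column indexing, reversibility of each row, and how the
avalanche-style criteria from the design-principles discussion (SAC, BIC) are
measured on a real S-box.

Added example. S1 is the first DES S-box as published in FIPS 46; the measurement
code is not part of the standard and the BIC statistic (a correlation coefficient)
is one reasonable way to quantify that criterion, not the only one.
"""
from itertools import product

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(sbox, x):
    """Apply an S-box to a 6-bit input x (0..63).

    Numbering the bits b1..b6 from the most significant, the row is b1 b6 and the
    column is b2 b3 b4 b5, exactly as described in the text.
    """
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return sbox[row][col]

def sbox_lookup_bits(sbox, bits):
    """Same lookup on a 6-character bit string such as '011001'; returns the 4-bit output string."""
    return format(sbox_lookup(sbox, int(bits, 2)), "04b")

def rows_are_permutations(sbox):
    """Each row is a "general reversible substitution": a bijection on 0..15."""
    return all(sorted(row) == list(range(16)) for row in sbox)

def _output_deltas(sbox, i):
    """Output XOR differences when input bit i (0 = b1 ... 5 = b6) is inverted, over all 64 inputs."""
    return [sbox_lookup(sbox, x) ^ sbox_lookup(sbox, x ^ (1 << (5 - i))) for x in range(64)]

def min_output_distance(sbox):
    """Fewest output bits that change for any single-bit input change (DES design rule: at least 2)."""
    return min(bin(d).count("1") for i in range(6) for d in _output_deltas(sbox, i))

def sac_matrix(sbox):
    """SAC table: entry [i][j] = P(output bit j flips | input bit i inverted).
    The strict avalanche criterion holds iff every entry is exactly 0.5."""
    return [[sum((d >> (3 - j)) & 1 for d in _output_deltas(sbox, i)) / 64 for j in range(4)]
            for i in range(6)]

def sac_deviation(sbox):
    """How far the S-box is from satisfying SAC: max |entry - 1/2| over the SAC table."""
    return max(abs(p - 0.5) for row in sac_matrix(sbox) for p in row)

def bic_max_correlation(sbox):
    """BIC asks that output bits j != k flip independently when input bit i is inverted.
    Returns the largest |correlation| between the two flip indicators over all (i, j, k)."""
    worst = 0.0
    for i in range(6):
        deltas = _output_deltas(sbox, i)
        for j, k in product(range(4), repeat=2):
            if j == k:
                continue
            fj = [(d >> (3 - j)) & 1 for d in deltas]
            fk = [(d >> (3 - k)) & 1 for d in deltas]
            mj, mk = sum(fj) / 64, sum(fk) / 64
            denom = (mj * (1 - mj) * mk * (1 - mk)) ** 0.5
            if denom:
                cov = sum((a - mj) * (b - mk) for a, b in zip(fj, fk)) / 64
                worst = max(worst, abs(cov / denom))
    return worst

if __name__ == "__main__":
    print("S1(011001) =", sbox_lookup_bits(S1, "011001"))          # row 1, column 12 -> 9 -> 1001
    print("rows reversible:", rows_are_permutations(S1))
    print("min output bits changed per 1-bit input change:", min_output_distance(S1))
    for i, row in enumerate(sac_matrix(S1)):
        print(f"input bit b{i + 1}:", ["%.3f" % p for p in row])
    print("SAC deviation: %.3f  BIC max |corr|: %.3f" % (sac_deviation(S1), bic_max_correlation(S1)))
```

The SAC table makes the point of the text concrete: DES S-boxes were designed so that a one-bit input change always changes at least two output bits (the minimum distance printed is 2), but the flip probabilities are not all exactly 1/2, so S1 does not satisfy SAC in the strict [WEBS86] sense. The deviation and correlation figures are the quantities a designer would drive toward 0 when building F under these criteria.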
Key Schedule Algorithm
 With any Feistel block cipher, the key is used to generate one subkey for each round. In
general, we would like to select subkeys to maximize the difficulty of deducing individual
subkeys and the difficulty of working back to the main key.
 No general principles for this have yet been promulgated. Adams suggests [ADAM94] that, at
minimum, the key schedule should guarantee key/ciphertext Strict Avalanche Criterion
and Bit Independence Criterion.

7. Explain the Block cipher modes of operation in detail.

Contents
 Electronic Code Book
 Cipher Block Chaining Mode
 Cipher Feedback Mode
 Output Feedback Mode
 Counter Mode

Table 2.6. Block cipher modes of operation

Electronic Code Book


 The simplest mode is the Electronic codebook (ECB) mode, in which plaintext is handled
one block at a time and each block of plaintext is encrypted using the same key (Table 2.6
shows the modes of operation). The term codebook is used because, for a given key, there is a
unique cipher text for every b-bit block of plaintext.
 For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary. Decryption (Fig. 2.5.b) is performed one block at a time, always using the same key.
 Figure 2.5.a shows the encryption: the plaintext (padded as necessary) consists of a sequence of b-bit blocks, P1, P2, …, PN; the corresponding sequence of ciphertext blocks is C1, C2, …, CN. We can define ECB mode as follows.

Fig.2.5.Electronic codebook (ECB)Modes


 The ECB method is ideal for a short amount of data, such as an encryption key. Thus, if you want to transmit a DES or AES key securely, ECB is the appropriate mode to use. For lengthy messages, however, the ECB mode may not be secure, because identical plaintext blocks always produce identical ciphertext blocks under the same key (Fig. 2.5). For example, if it is known that the message always starts out with certain predefined fields, then the cryptanalyst may have a number of known plaintext–ciphertext pairs to work with. If the message has repetitive elements with a period of repetition a multiple of b bits, then these elements can be identified by the analyst. This may help in the analysis or may provide an opportunity for substituting or rearranging blocks.
The following criteria are useful for evaluating and constructing block cipher modes of operation that are superior to ECB:
 Overhead: The additional operations for the encryption and decryption operation when
compared to encrypting and decrypting in the ECB mode.
 Error recovery: The property that an error in the ith cipher text block is inherited by only a
few plaintext blocks after which the mode resynchronizes.

 Error propagation: The property that an error in the ith ciphertext block is inherited by the i
th and all subsequent plaintext blocks.
 Diffusion: How the plaintext statistics are reflected in the ciphertext. Low entropy plaintext
blocks should not be reflected in the ciphertext blocks.
 Security: Whether or not the ciphertext blocks leak information about the plaintext blocks.
Cipher Block Chaining Mode
 Encryption: To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. A simple way to satisfy this requirement is the cipher block chaining (CBC) mode (Fig. 2.6 (a)).
 In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. In effect, we have chained together the processing of the sequence of plaintext blocks.
 The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block. Therefore, repeating patterns of b bits are not exposed. As with the ECB mode, the CBC mode requires that the last block be padded to a full b bits if it is a partial block.
 Decryption (Fig. 2.6 (b)): each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block. To see that this works, we can write

 To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first
block of plaintext. On decryption, the IV is XORed with the output of the decryption
algorithm to recover the first block of plaintext. The IV is a data block that is the same size as
the cipher block. We can define CBC mode as

Fig. 2.6. Cipher Block Chaining (CBC) mode

 The IV must be known to both the sender and receiver but be unpredictable by a third party.
In particular, for any given plaintext, it must not be possible to predict the IV that will be
associated to the plaintext in advance of the generation of the IV. For maximum security, the
IV should be protected against unauthorized changes.

Cipher Feedback Mode


 A stream cipher eliminates the need to pad a message to be an integral number of blocks. It
also can operate in real time. Thus, if a character stream is being transmitted, each character
can be encrypted and transmitted immediately using a character-oriented stream cipher.
 One desirable property of a stream cipher is that the ciphertext be of the same length as the
plaintext. Thus, if 8-bit characters are being transmitted, each character should be encrypted to
produce a ciphertext output of 8 bits. If more than 8 bits are produced, transmission capacity
is wasted.
 Figure 2.7. illustrates the CFB scheme. In the figure, it is assumed that the unit of
transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are
chained together, so that the cipher text of any plaintext unit is a function of all the preceding
plaintext. In this case, rather than blocks of b bits, the plaintext is divided into segments of s
bits.
 The leftmost (most significant) s bits of the output of the encryption function are XORed
with the first segment of plaintext P1 to produce the first unit of ciphertext C1, which is then
transmitted.

 In CFB encryption, like CBC encryption, the input block to each forward Cipher function
(except the first) depends on the result of the previous forward cipher function; therefore,
multiple forward cipher operations cannot be performed in parallel.

Fig.2.7. S-bit Cipher Feedback (CFB) mode


 In CFB decryption (Fig. 2.7.b), the required forward cipher operations can be performed in parallel if the input blocks are first constructed (in series) from the IV and the ciphertext.
Output feedback (OFB) mode
 The output feedback (OFB) mode is similar in structure to that of CFB. For OFB, the output of the encryption function is fed back to become the input for encrypting the next block of plaintext (refer to Figure 2.8). In CFB, by contrast, it is the output of the XOR unit (the ciphertext) that is fed back to become input for encrypting the next block.
 The other difference is that the OFB mode operates on full blocks of plaintext and ciphertext,
whereas CFB operates on an s-bit subset. OFB encryption can be expressed as

 Let the size of a block be b. If the last block of plaintext contains u bits (indicated by *), with u < b, the most significant u bits of the last output block ON are used for the XOR operation; the remaining b - u bits of the last output block are discarded.
 Because the output blocks O1, O2, … depend only on the key and the IV, for a given key and IV the stream of output bits used to XOR with the stream of plaintext bits is fixed. If two different messages had an identical block of plaintext in the identical position, then an attacker would be able to determine that portion of the O stream. The IV must therefore be a nonce, never reused with the same key.
 One advantage of the OFB method is that bit errors in transmission do not propagate.
 The disadvantage of OFB is that it is more vulnerable to a message stream
modification attack than is CFB.

Fig .2.8. Output feedback (OFB) mode


Counter Mode
 Although interest in the counter (CTR) mode has increased recently with applications to ATM (asynchronous transfer mode) network security and IPsec (IP security), this mode was proposed early on (e.g., [DIFF79]).
 Figure 2.9 illustrates the CTR mode. A counter equal to the plaintext block size is used. The only requirement stated in SP 800-38A is that the counter value must be different for each plaintext block that is encrypted. Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo 2^b, where b is the block size).
 For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is no chaining.

 For decryption, the same sequence of counter values is used, with each encrypted counter XORed with a ciphertext block to recover the corresponding plaintext block. Thus, the initial counter value must be made available for decryption. Given a sequence of counters T1, T2, …, TN, we can define CTR mode as follows.

 For the last plaintext block, which may be a partial block of u bits, the most significant u bits of the last output block are used for the XOR operation; the remaining b - u bits are discarded. Unlike the ECB and CBC modes, we do not need to use padding because of the structure of the CTR mode.
 A counter value must never be reused with the same key. If a plaintext block and its ciphertext block are known, their XOR is the output of the encryption function for that counter value. This output allows any other plaintext blocks that are encrypted using the same counter value to be easily recovered from their associated ciphertext blocks.
 One way to ensure the uniqueness of counter values is to continue to increment the counter value by 1 across messages. That is, the first counter value of each message is one more than the last counter value of the preceding message.
The following advantages of CTR mode are commonly listed.
 Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR
mode can be done in parallel on multiple blocks of plaintext or ciphertext.
 Software efficiency: Similarly, because of the opportunities for parallel execution in CTR
mode, processors that support parallel features, such as aggressive pipelining, multiple
instruction dispatch per clock cycle, a large number of registers, and SIMD instructions, can
be effectively utilized.
 Preprocessing: The execution of the underlying encryption algorithm does not depend on
input of the plaintext or ciphertext
 Random access: The ith block of plaintext or ciphertext can be processed in random-access fashion. With the chaining modes, block Ci cannot be computed until the i - 1 prior blocks are computed.
 Provable security: It can be shown that CTR is at least as secure as the other modes

 Simplicity: Unlike ECB and CBC modes, CTR mode requires only the implementation of the
encryption algorithm and not the decryption algorithm.

Fig.2.9 Counter (CTR) Mode
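The properties argued for above (ECB exposing repeated blocks, CBC chaining and its error propagation, CTR needing neither padding nor chaining) can be observed directly once the modes are written out. The following is an added example for these notes, not code from the course material or from SP 800-38A: ECB, CBC and CTR are implemented over a toy 64-bit Feistel cipher whose round function is derived from SHA-256, chosen only because the Feistel structure makes it invertible without any third-party library (it is not a secure cipher). The key, IV, nonce and messages are constructed values; CFB and OFB are not implemented here.

```python
"""ECB, CBC and CTR on top of a toy 64-bit Feistel cipher, so the mode properties
discussed above (ECB leaking repeated blocks, CBC error propagation, CTR needing
neither padding nor chaining) can be observed on real bytes.

Added example, not from the course notes or any standard. The toy cipher is NOT
secure; it only has to be an invertible keyed permutation, which the Feistel
structure guarantees for any round function.
"""
import hashlib

BLOCK = 8                    # block size b, in bytes
KEY = b"toy-key!"            # constructed demo key
IV = bytes(range(8))         # constructed CBC IV (in practice: unpredictable)
NONCE = b"\x00\x00\x00\x01"  # constructed 4-byte CTR nonce; remaining 4 bytes count blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    """Round function; any deterministic map works inside a Feistel structure."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left                  # final swap, as in DES

def toy_decrypt_block(key, block):
    right, left = block[:4], block[4:]   # undo the final swap, run rounds backwards
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data):
    """PKCS#7-style: append 1..BLOCK bytes, each holding the count."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    return data[:-data[-1]]

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(toy_encrypt_block(key, p) for p in _blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_decrypt_block(key, c) for c in _blocks(ct)))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pad(pt)):
        prev = toy_encrypt_block(key, _xor(p, prev))       # C_i = E(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return unpad(b"".join(out))

def ctr_crypt(key, nonce, data):
    """CTR: same function for both directions; a partial last block needs no padding."""
    out = bytearray()
    for i, chunk in enumerate(_blocks(data)):
        keystream = toy_encrypt_block(key, nonce + i.to_bytes(4, "big"))  # E(T_i), T_i = nonce||i
        out += _xor(chunk, keystream[:len(chunk)])
    return bytes(out)

def ecb_leaks_repeats(key=KEY):
    """ECB: identical plaintext blocks give identical ciphertext blocks."""
    ct = ecb_encrypt(key, b"ATTACK!!" * 3)
    return ct[:8] == ct[8:16] == ct[16:24]

def cbc_error_propagation(key=KEY, iv=IV):
    """Flip one bit of C_1: P_1 garbled, P_2 has exactly that bit flipped, P_0 and P_3 intact."""
    pt = b"block-0!block-1!block-2!block-3!"
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[8] ^= 0x01
    rec = cbc_decrypt(key, iv, bytes(ct))
    return (rec[:8] == pt[:8], rec[8:16] != pt[8:16],
            rec[16:24] == bytes([pt[16] ^ 0x01]) + pt[17:24], rec[24:] == pt[24:])

def ctr_error_confined(key=KEY, nonce=NONCE):
    """CTR: ciphertext is plaintext-length, and a flipped bit affects only that bit."""
    pt = b"not a multiple of eight bytes"          # 29 bytes, constructed
    ct = bytearray(ctr_crypt(key, nonce, pt))
    ct[9] ^= 0x80
    rec = ctr_crypt(key, nonce, bytes(ct))
    return len(ct) == len(pt) and rec == pt[:9] + bytes([pt[9] ^ 0x80]) + pt[10:]

if __name__ == "__main__":
    print("ECB repeats leak:", ecb_leaks_repeats())
    print("CBC (P0 ok, P1 garbled, P2 one bit, P3 ok):", cbc_error_propagation())
    print("CTR error confined:", ctr_error_confined())
```

The CBC demonstration is exactly the error-propagation / error-recovery criterion from the list above: one corrupted ciphertext block garbles its own plaintext block, flips the corresponding bits of the next one, and then the mode resynchronizes. The CTR demonstration shows why no padding is needed and why a ciphertext bit flip is so easy to turn into a controlled plaintext change, which is the reason CTR (and OFB) are normally paired with an integrity check.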

8. Explain in detail about the Advanced Encryption Standard (AES). (Nov-Dec 2021, 2020).
Introduction
 It is worth examining the criteria used by NIST to evaluate potential candidates. These criteria
span the range of concerns for the practical application of modern symmetric block ciphers.
 In fact, two sets of criteria evolved. When NIST issued its original request for candidate algorithm nominations in 1997 [NIST97], the request stated that candidate algorithms would be compared based on the following factors (ranked in descending order of relative importance).

Contents
 Introduction
 Finite Field Arithmetic
 AES Structure
o General Structure
o Detailed Structure
 AES Transformation Functions
o SubstituteBytes Transformation
o ShiftRows Transformation
o MixColumns Transformation
o AddRoundKey Transformation
 AES Key Expansion
o Key Expansion Algorithm
o Rationale
 An AES Example
o Results
o Avalanche Effect
 AES Implementation
o Equivalent Inverse Cipher
o Implementation Aspects
Finite Field Arithmetic
 In AES, all operations are performed on 8-bit bytes. In particular, the arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8).

 In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set.
 Division is defined with the following rule: a/b = a(b^-1). An example of a finite field (one with a finite number of elements) is the set Zp consisting of all the integers {0, 1, …, p - 1}, where p is a prime number and in which arithmetic is carried out modulo p.
Algorithms that operate on n-bit words would like a field with exactly 2^n elements, but Z(2^n) is not a field for n > 1. For example, the integer 2 has no multiplicative inverse in Z(2^n), that is, there is no integer b such that 2b mod 2^n = 1. There is, however, a way of defining a finite field containing 2^n elements; such a field is referred to as GF(2^n). Consider the set, S, of all polynomials of degree n - 1 or less with binary coefficients.
Thus, each polynomial has the form

where each ai takes on the value 0 or 1. There are a total of 2^n different polynomials in S. For n = 3, the 2^3 = 8 polynomials in the set are

With the appropriate definition of arithmetic operations, each such set S is a finite field.
The definition consists of the following elements.
1. Arithmetic follows the ordinary rules of polynomial arithmetic using the basic rules of algebra with
the following two refinements.
2. Arithmetic on the coefficients is performed modulo 2. This is the same as the XOR operation.
3. If multiplication results in a polynomial of degree greater than n - 1, then the polynomial is reduced
modulo some irreducible polynomial m(x) of degree n. That is, we divide by m(x) and keep the
remainder. For a polynomial f(x), the remainder is expressed as r(x) = f(x) mod m(x). A polynomial
m(x) is called irreducible if and only if m(x) cannot be expressed as a product of two polynomials,
both of degree lower than that of m(x).
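The three rules above (polynomial arithmetic, coefficients mod 2, reduction modulo an irreducible m(x)) translate directly into code, and the role of irreducibility becomes visible when a reducible modulus is tried. The following is an added example for these notes, not code from the course material or from FIPS 197: polynomials are held as integers (bit i is the coefficient of x^i), multiplication reduces modulo m(x) of degree n, and inverses are found by search. The AES modulus m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B) is taken from FIPS 197 and is not stated on this page; the n = 3 moduli x^3 + x + 1 (irreducible) and x^3 + 1 = (x + 1)(x^2 + x + 1) (reducible) are chosen for illustration.

```python
"""Arithmetic in GF(2^n): polynomials with binary coefficients, represented as
integers, with multiplication reduced modulo an irreducible polynomial m(x).

Added example; the only AES-specific datum is its modulus m(x) = x^8 + x^4 + x^3 + x + 1
(0x11B in FIPS 197).
"""

AES_MODULUS = 0x11B   # x^8 + x^4 + x^3 + x + 1


def poly_str(p):
    """Render an integer bit pattern as a polynomial, e.g. 0b1011 -> 'x^3 + x + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(p.bit_length() - 1, -1, -1):
        if (p >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def gf_add(a, b):
    """Coefficient-wise addition mod 2 is XOR; subtraction is the same operation."""
    return a ^ b


def gf_mul(a, b, modulus, n):
    """Multiply a and b (each of degree < n) and reduce modulo `modulus` (degree exactly n)."""
    result = 0
    while b:
        if b & 1:
            result ^= a             # add a * x^k for each set coefficient of b
        b >>= 1
        a <<= 1                     # a := a * x
        if a & (1 << n):
            a ^= modulus            # degree reached n: subtract m(x)
    return result


def gf_inverse(a, modulus, n):
    """Multiplicative inverse by exhaustive search; None if a has none (a == 0 or m(x) reducible)."""
    for b in range(1, 1 << n):
        if gf_mul(a, b, modulus, n) == 1:
            return b
    return None


def all_nonzero_invertible(modulus, n):
    """Field test M7: with an irreducible m(x) every nonzero element has an inverse."""
    return all(gf_inverse(a, modulus, n) is not None for a in range(1, 1 << n))


def zero_divisors(modulus, n):
    """Pairs (a, b), both nonzero, whose product is 0: non-empty iff m(x) is reducible."""
    return [(a, b) for a in range(1, 1 << n) for b in range(a, 1 << n)
            if gf_mul(a, b, modulus, n) == 0]


def elements(n):
    """The 2^n polynomials of degree <= n-1 (the set S of the text), e.g. the eight for n = 3."""
    return [poly_str(p) for p in range(1 << n)]


def has_inverse_mod(a, n):
    """Contrast with Z_n: a has an inverse mod n iff some b gives a*b = 1 (fails for 2 in Z_(2^k))."""
    return any(a * b % n == 1 for b in range(1, n))


if __name__ == "__main__":
    print("S for n = 3:", elements(3))
    print("{57} * {83} mod m(x) =", hex(gf_mul(0x57, 0x83, AES_MODULUS, 8)))
    print("x^3 + x + 1 gives a field:", all_nonzero_invertible(0b1011, 3))
    print("x^3 + 1 gives a field:", all_nonzero_invertible(0b1001, 3),
          "zero divisors:", [(poly_str(a), poly_str(b)) for a, b in zero_divisors(0b1001, 3)])
    print("2 invertible in Z_256:", has_inverse_mod(2, 256))
```

With the reducible modulus x^3 + 1, the product (x + 1)(x^2 + x + 1) reduces to 0, so those two nonzero elements are zero divisors and have no inverses; with x^3 + x + 1 every nonzero element is invertible. The same search over all 255 nonzero bytes confirms the AES modulus gives a field, and the {57}·{83} = {c1} result agrees with the worked example in FIPS 197.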
AES Structure
 General Structure
 Detailed Structure
General Structure
 Figure 2.10 shows the overall structure of the AES encryption process. The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be 16, 24, or 32 bytes (128,
192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-256, depending
on the key length.
 The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB
197, this block is depicted as a 4 * 4 square matrix of bytes. This block is copied into the
State array, which is modified at each stage of encryption or decryption. After the final
stage, State is copied to an output matrix.
 The key is then expanded into an array of key schedule words. For the 128-bit key, each word is four bytes, and the total key schedule is 44 words. Note that the ordering of bytes within a matrix is by column.
 The cipher consists of N rounds, where the number of rounds depends on the key length: 10
rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key
(fig.2.11). The first N - 1 rounds consist of four distinct transformation functions: SubBytes,
ShiftRows, MixColumns, and AddRoundKey, which are described subsequently.

Fig.2.10 AES Encryption Process


 The final round contains only three transformations, and there is an initial single transformation (AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes one or more 4 * 4 matrices as input and produces a 4 * 4 matrix as output.
 Figure 2.11 shows the output of each round is a 4 * 4 matrix, with the output of the final
round being the cipher text. Also, the key expansion function generates N + 1 round keys,
each of which is a distinct 4 * 4 matrix. Each round key serves as one of the inputs to the
AddRoundKey transformation in each round.

Fig.2.11 AES Data Structures

Detailed Structure
Figure 2.12 shows the AES cipher in more detail, indicating the sequence of transformations in each round and showing the corresponding decryption function.
We can make several comments about the overall AES structure.
1. One noteworthy feature of this structure is that it is not a Feistel structure. Recall that, in the
classic Feistel structure, half of the data block is used to modify the other half of the data
block and then the halves are swapped. AES instead processes the entire data block as a single
matrix during each round using substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i].
Four distinct words (128 bits) serve as a round key for each round; these are indicated in
Figure 2.13
3. Four different stages are used, one of permutation and three of substitution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
• ShiftRows: A simple permutation
• MixColumns: A substitution that makes use of arithmetic over GF(2^8)
• AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key
4. The structure is quite simple. For both encryption and decryption, the cipher (for a 128-bit key) begins with an AddRoundKey stage, followed by nine rounds that each include all four stages, followed by a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends
with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible without
knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. The other three stages together provide confusion, diffusion, and nonlinearity, but by
themselves would provide no security because they do not use the key.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an
inverse function is used in the decryption algorithm.
8. Once it is established that all four stages are reversible, it is easy to verify that decryption does
recover the plaintext.
9. The final round of both encryption and decryption consists of only three stages. Again, this is a consequence of the particular structure of AES and is required to make the cipher reversible.

Fig.2.12. AES Encryption and Decryption

Fig.2.13. AES Encryption Round


AES Transformation Functions (NOV/DEC 2020)
AES uses four transformations. For each stage, we describe the forward (encryption) algorithm, the inverse (decryption) algorithm, and the rationale for the stage.
• Substitute Bytes Transformation
• Shift Rows Transformation
• Mix Columns Transformation
• AddRoundKey Transformation
Substitute Bytes Transformation
• Forward and Inverse Transformations: The forward substitute byte transformation, called SubBytes, is a simple table lookup (refer to Figure 2.14). AES defines a 16 × 16 matrix of byte values, called an S-box (refer to Figure 2.15), that contains a permutation of all possible 256 8-bit values.
• Each individual byte of State is mapped into a new byte in the following way:

• The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit output value. For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {2A}. Accordingly, the value {95} is mapped into the value {2A}.

Fig.2.14. AES Byte-Level Operations

Fig.2.15. S-Box

Fig.2.16. Inverse S-Box

Fig.2.17. Construction of S-Box and IS-Box


Construction of S-Box and IS-Box
1. Fig. 2.17 illustrates the S-box with the byte values in ascending sequence row by row. The first row contains {00}, {01}, {02}, …, {0F}; the second row contains {10}, {11}, etc.; and so on. Thus, the value of the byte at row y, column x is {yx}.
2. Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value {00} is mapped to itself.
3. Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0). Apply the following transformation to each bit of each byte in the S-box:

------ (2.1)
• where ci is the ith bit of byte c with the value {63}; that is, (c7c6c5c4c3c2c1c0) = (01100011). The prime (′) indicates that the variable is to be updated by the value on the right. The AES standard depicts this transformation in matrix form as follows.

-------- (2.2)
• Equation (2.2) has to be interpreted carefully. In ordinary matrix multiplication, each element in the product matrix is the sum of products of the elements of one row and one column. In this case, each element in the product matrix is the bitwise XOR of products of elements of one row and one column. Furthermore, the final addition shown in Equation (2.2) is a bitwise XOR.

• For example, the multiplicative inverse of {95} in GF(2^8) is {8A}; applying the transformation of Equation (2.2) to {8A} gives {2A}, which should appear in row {09}, column {05} of the S-box. This is verified by checking the S-box in Fig. 2.15. The inverse substitute byte transformation, called InvSubBytes, makes use of the inverse S-box (Fig. 2.16). Note, for example, that the input {2A} to the inverse S-box produces the output {95}, and the input {95} to the S-box produces {2A}.
• The inverse S-box is constructed by applying the inverse of the transformation in Equation (2.1) followed by taking the multiplicative inverse in GF(2^8). The inverse transformation is

where byte d = {05}, or 00000101. We can depict this transformation as follows.

• To see that InvSubBytes is the inverse of SubBytes, label the matrices in SubBytes and InvSubBytes as X and Y, respectively, and the vector versions of constants c and d as C and D, respectively. For some 8-bit vector B, Equation (2.2) becomes B′ = XB ⊕ C. We need to show that Y(XB ⊕ C) ⊕ D = B. To multiply out, we must show YXB ⊕ YC ⊕ D = B. This becomes

We have demonstrated that YX equals the identity matrix and that YC = D, so that YC ⊕ D equals the null vector and the result is B.
ShiftRows Transformation
• Forward and Inverse Transformations: The forward shift row transformation, called ShiftRows, is depicted in Fig. 2.18(a). The first row of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed. The following is an example of ShiftRows.

• The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on.

Fig.2.18. AES Row and Column Operations


Mix Columns Transformation
• Forward and Inverse Transformations: The forward mix column transformation, called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in that column. The transformation can be defined by the following matrix multiplication on State (refer to Fig. 2.18(b)).

---- (2.3)
• Each element in the product matrix is the sum of products of elements of one row and one column. In this case, the individual additions and multiplications are performed in GF(2^8). The MixColumns transformation on a single column of State can be expressed as
---- (2.4)
The following is an example of MixColumns:

• In particular, multiplication of a value by x (i.e., by {02}) can be implemented as a 1-bit left shift followed by a conditional bitwise XOR with (0001 1011) if the leftmost bit of the original value (prior to the shift) is 1. Thus, to verify the MixColumns transformation on the first column, we need to show that

For the first equation, we have {02} · {87} = (0000 1110) ⊕ (0001 1011) = (0001 0101) and {03} · {6E} = {6E} ⊕ ({02} · {6E}) = (0110 1110) ⊕ (1101 1100) = (1011 0010). Then,

The other equations can be similarly verified. The inverse mix column transformation, called InvMixColumns, is defined by the following matrix multiplication

------- (2.5)
It is not immediately clear that Equation (2.5) is the inverse of Equation (2.3). We need to show

which is equivalent to showing

---- (2.6)
That is, the inverse transformation matrix times the forward transformation matrix equals the identity
matrix. To verify the first column of Equation (2.6), we need to show

• The other equations can be similarly verified. The AES document describes another way of characterizing the MixColumns transformation, which is in terms of polynomial arithmetic.

• In the standard, MixColumns is defined by considering each column of State to be a four-term polynomial with coefficients in GF(2^8). Each column is multiplied modulo (x^4 + 1) by the fixed polynomial a(x), given by

------ (2.7)
• It can be shown that multiplication of each column of State by a(x) can be written as the matrix multiplication of Equation (2.3).
• Similarly, it can be seen that the transformation in Equation (2.5) corresponds to treating each column as a four-term polynomial and multiplying each column by b(x), given by

-------------- (2.8)
It readily can be shown that b(x) = a^-1(x) mod (x^4 + 1).
The coefficients of the inverse matrix in Equation (2.5) are more costly to implement than those of the forward matrix in Equation (2.3). However, encryption was deemed more important than decryption for two reasons:
1. For the CFB and OFB cipher modes, only encryption is used.
2. As with any block cipher, AES can be used to construct a message authentication code, and for this, only encryption is used.
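The matrix form of Equations (2.3) and (2.5) and the polynomial form of Equations (2.7) and (2.8), as an added Python example that is not part of the original notes. It multiplies in GF(2^8) by the shift-and-conditional-XOR rule given above, applies MixColumns and InvMixColumns to one column, checks that the inverse matrix times the forward matrix is the identity (Equation (2.6)), and checks that multiplying a column by a(x) modulo x^4 + 1 gives the same bytes as the matrix. The first column uses {87} and {6E} from the worked example above; its remaining two bytes {46} and {A6} are assumed sample values, and the matrix coefficients are those of FIPS 197.

```python
# Added example: AES MixColumns / InvMixColumns over GF(2^8).
# Not part of the original notes; the matrix coefficients are those of FIPS 197.

def xtime(b: int) -> int:
    """Multiply a byte by x (i.e. by {02}) in GF(2^8):
    1-bit left shift, then XOR with 0001 1011 if the bit shifted out was 1."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B          # x^8 + x^4 + x^3 + x + 1
    return b & 0xFF

def gf_mul(a: int, b: int) -> int:
    """General GF(2^8) multiplication built from repeated xtime (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def _xor_sum(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc

# Forward (Equation 2.3) and inverse (Equation 2.5) MixColumns matrices.
MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]

IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]

def mat_vec(m, col):
    """Matrix times column vector; products in GF(2^8), sums are XOR."""
    return [_xor_sum(gf_mul(coef, byte) for coef, byte in zip(row, col)) for row in m]

def mat_mat(a, b):
    """4x4 matrix product over GF(2^8), used to verify Equation (2.6)."""
    return [[_xor_sum(gf_mul(a[i][k], b[k][j]) for k in range(4)) for j in range(4)]
            for i in range(4)]

def mix_column(col):
    return mat_vec(MIX, col)

def inv_mix_column(col):
    return mat_vec(INV_MIX, col)

# Polynomial view: column [s0, s1, s2, s3] is s0 + s1*x + s2*x^2 + s3*x^3 over GF(2^8).
A_POLY = [0x02, 0x01, 0x01, 0x03]   # a(x) = {03}x^3 + {01}x^2 + {01}x + {02}   (Equation 2.7)
B_POLY = [0x0E, 0x09, 0x0D, 0x0B]   # b(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E}   (Equation 2.8)

def poly_mul_mod_x4_plus_1(p, q):
    """Multiply two four-term polynomials modulo x^4 + 1 (x^4 = 1, so exponents wrap mod 4)."""
    out = [0, 0, 0, 0]
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[(i + j) % 4] ^= gf_mul(pi, qj)
    return out

def mix_column_via_polynomial(col):
    return poly_mul_mod_x4_plus_1(A_POLY, col)

# Sample column: {87}, {6E} from the text; {46}, {A6} are assumed values to complete it.
SAMPLE_COLUMN = [0x87, 0x6E, 0x46, 0xA6]

if __name__ == "__main__":
    mixed = mix_column(SAMPLE_COLUMN)
    print("MixColumns   :", [f"{b:02X}" for b in mixed])
    print("InvMixColumns:", [f"{b:02X}" for b in inv_mix_column(mixed)])
    print("INV_MIX * MIX is identity:", mat_mat(INV_MIX, MIX) == IDENTITY)
    print("a(x) * b(x) mod x^4+1 = 1:", poly_mul_mod_x4_plus_1(A_POLY, B_POLY) == [1, 0, 0, 0])
```

Running the file shows that the polynomial and matrix views agree byte for byte, and that the only difference between the two is notation: row i of the forward matrix is a(x) rotated by i positions, which is exactly what multiplication modulo x^4 + 1 does.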
AddRoundKey Transformation
• Forward and Inverse Transformations: In the forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key (refer to Figure 2.19).
• The operation is viewed as a column-wise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation. The following is an example of AddRoundKey:

• The first matrix is State, and the second matrix is the round key. The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.

Fig.2.19. Inputs for Single AES Round


AES Key Expansion:
Key Expansion Algorithm
• The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes).
• This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher.
• The key is copied into the first four words of the expanded key. The remainder of the expanded key is filled in four words at a time. Each added word w[i] depends on the immediately preceding word, w[i - 1], and the word four positions back, w[i - 4].
• In three out of four cases, a simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex function is used. Fig. 2.20 illustrates the generation of the expanded key, using the symbol g to represent that complex function. The function g consists of the following subfunctions.

Fig.2.20. AES Key Expansion


1. RotWord performs a one-byte circular left shift on a word. This means that an input word [B0, B1, B2, B3] is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
• The round constant is a word in which the three rightmost bytes are always 0. Thus, the effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word. The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2 · RC[j - 1], and with multiplication defined over the field GF(2^8). The values of RC[j] in hexadecimal are
j:     1  2  3  4  5  6  7  8  9  10
RC[j]: 01 02 04 08 10 20 40 80 1B 36

An AES Example
• We now work through an example and consider some of its implications. Although you are not expected to duplicate the example by hand, you will find it informative to study the hex patterns that occur from one step to the next. For this example, the plaintext is a hexadecimal palindrome. The plaintext, key, and resulting ciphertext are

Results
• The expansion of the 16-byte key into 10 round keys is performed word by word, as previously explained, with each four-byte word occupying one column of the round-key matrix. The left-hand column shows
AES Implementation
Equivalent Inverse Cipher
• As Fig. 2.21 shows, the sequence of transformations for decryption differs from that for encryption, although the form of the key schedules for encryption and decryption is the same. This has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption.
• There is, however, an equivalent version of the decryption algorithm that has the same structure as the encryption algorithm. The equivalent version has the same sequence of transformations as the encryption algorithm (with transformations replaced by their inverses). To achieve this equivalence, a change in key schedule is needed.
• Two separate changes are needed to bring the decryption structure in line with the encryption structure. As illustrated in Figure 2.21, an encryption round has the structure SubBytes, ShiftRows, MixColumns, AddRoundKey.

Fig.2.21. AES Implementation (Equivalent Inverse Cipher)

• The standard decryption round has the structure InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns. Thus, the first two stages of the decryption round need to be interchanged, and the second two stages of the decryption round need to be interchanged.
Implementation Aspects
• The Rijndael proposal [DAEM99] provides some suggestions for efficient implementation on 8-bit processors, typical for current smart cards, and on 32-bit processors, typical for PCs.
• 8-Bit Processor: AES can be implemented very efficiently on an 8-bit processor. AddRoundKey is a bytewise XOR operation. ShiftRows is a simple byte-shifting operation. SubBytes operates at the byte level and only requires a table of 256 bytes.
• The transformation MixColumns requires matrix multiplication in the field GF(2^8), which means that all operations are carried out on bytes. MixColumns only requires multiplication by {02} and {03}, which, as we have seen, involve simple shifts, conditional XORs, and XORs.
• This can be implemented in a more efficient way that eliminates the shifts and conditional XORs. Equation set (2.4) shows the equations for the MixColumns transformation on a single column.

------ (2.9)
• Using the identity {03} · x = ({02} · x) ⊕ x, Equation set (2.9) is verified by expanding and eliminating terms. The multiplication by {02} involves a shift and a conditional XOR. Such an implementation may be vulnerable to a timing attack, because the conditional XOR makes the execution time depend on the data being processed. To counter this attack and to increase processing efficiency at the cost of some storage, the multiplication can be replaced by a table lookup. Define the 256-byte table X2, such that X2[i] = {02} · i. Then Equation set (2.9) can be rewritten as,
• 32-Bit Processor: The implementation described in the preceding subsection uses only 8-bit operations. For a 32-bit processor, a more efficient implementation can be achieved if operations are defined on 32-bit words.
• To show this, we first define the four transformations of a round in algebraic form. Suppose we begin with a State matrix consisting of elements a_i,j and a round-key matrix consisting of elements k_i,j. Then the transformations can be expressed as follows.

• In the ShiftRows equation, the column indices are taken mod 4. We can combine all of these expressions into a single equation:

• In the second equation, we are expressing the matrix multiplication as a linear combination of vectors. We define four 256-word (1024-byte) tables as follows.

• Thus, each table takes as input a byte value and produces a column vector (a 32-bit word) that is a function of the S-box entry for that byte value. These tables can be calculated in advance. We can define a round function operating on a column in the following fashion.

• As a result, an implementation based on the preceding equation requires only four table lookups and four XORs per column per round, plus 4 Kbytes to store the tables. The developers of Rijndael believe that this compact, efficient implementation was probably one of the most important factors in the selection of Rijndael for AES.
9. Explain in detail multiple encryption and Triple DES. (NOV/DEC 2012, 2013) (MAY/JUN 2012)
Double DES:
• The simplest form of multiple encryption has two encryption stages and two keys (Figure 2.22). Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
C = E(K2, E(K1, P))

Fig.2.22. Multiple Encryption


• Decryption requires that the keys be applied in reverse order:
P = D(K1, D(K2, C))

• For DES, this scheme apparently involves a key length of 56 × 2 = 112 bits, resulting in a dramatic increase in cryptographic strength. But we need to examine the algorithm more closely.
Reduction to a Single Stage:
• Suppose it were true for DES, for all 56-bit key values, that given any two keys K1 and K2, it would be possible to find a key K3 such that
E(K2, E(K1, P)) = E(K3, P)
If this were the case, then double encryption, and indeed any number of stages of multiple encryption with DES, would be useless because the result would be equivalent to a single encryption with a single 56-bit key.
• Consider that encryption with DES is a mapping of 64-bit blocks to 64-bit blocks. In fact, the mapping can be viewed as a permutation (refer to Fig. 2.22).
• That is, if we consider all 2^64 possible input blocks, DES encryption with a specific key will map each block into a unique 64-bit block. Otherwise, if, say, two given input blocks mapped to the same output block, then decryption to recover the original plaintext would be impossible.
• With 2^64 possible inputs, how many different mappings are there that generate a permutation of the input blocks? The value is easily seen to be
(2^64)! ≈ 10^(347,380,000,000,000,000,000) > 10^(10^20)
On the other hand, DES defines one mapping for each different key, for a total number of mappings:
2^56 < 10^17
• Therefore, it is reasonable to assume that if DES is used twice with different keys, it will produce one of the many mappings that are not defined by a single application of DES.
• Although there was much supporting evidence for this assumption, it was not until 1992 that the assumption was proved [CAMP92].
Meet-in-the-Middle Attack
• Thus, the use of double DES results in a mapping that is not equivalent to a single DES encryption. But there is a way to attack this scheme, one that does not depend on any particular property of DES but that will work against any block encryption cipher.
• The algorithm, known as a meet-in-the-middle attack, was first described in [DIFF77]. It is based on the observation that, if we have
C = E(K2, E(K1, P))
then

X = E(K1, P) = D(K2, C)
• Given a known pair (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible values of K1. Store these results in a table and then sort the table by the values of X. Next, decrypt C using all 2^56 possible values of K2.
• As each decryption is produced, check the result against the table for a match. If a match occurs, then test the two resulting keys against a new known plaintext-ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys.
• For any given plaintext P, there are 2^64 possible ciphertext values that could be produced by double DES. Double DES uses, in effect, a 112-bit key, so that there are 2^112 possible keys.
• Therefore, on average, for a given plaintext P, the number of different 112-bit keys that will produce a given ciphertext C is 2^112 / 2^64 = 2^48.
• Thus, the foregoing procedure will produce about 2^48 false alarms on the first (P, C) pair. A similar argument indicates that with an additional 64 bits of known plaintext and ciphertext, the false alarm rate is reduced to 2^(48 - 64) = 2^-16.
• Put another way, if the meet-in-the-middle attack is performed on two blocks of known plaintext-ciphertext, the probability that the correct keys are determined is 1 - 2^-16.
• The result is that a known-plaintext attack will succeed against double DES, which has a key size of 112 bits, with an effort on the order of 2^56, not much more than the 2^55 required for single DES.
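The meet-in-the-middle procedure above, as an added Python example that is not part of the original notes. Because the attack does not depend on any property of DES, DES is replaced here by a toy 16-bit block cipher with 12-bit keys (toy_encrypt and toy_decrypt, an assumed construction chosen only so that both 2^12-entry tables fit in memory and the whole run takes a fraction of a second). The keys k1 and k2 and the two known plaintexts in demo() are constructed sample values. With a 16-bit block and a 24-bit double key, the first known pair leaves about 2^(24 - 16) = 2^8 candidate key pairs and the second pair filters them, which is the same reasoning that gives 2^48 false alarms and a 2^-16 residual for double DES.

```python
# Added example: meet-in-the-middle attack on double encryption (not from the original notes).
# The cipher is a toy 16-bit block / 12-bit key construction used only so the attack
# runs quickly; the attack itself is the generic procedure from the text.

BLOCK_MASK = 0xFFFF
KEY_BITS = 12
ROUNDS = 4
MUL = 0x5A8D                         # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)      # its modular inverse

def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & BLOCK_MASK

def rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & BLOCK_MASK

def round_keys(key):
    """Derive ROUNDS 16-bit round keys from a 12-bit key (toy schedule)."""
    return [(key * 0x9E3 + i * 0x7F4A + 0x1234) & BLOCK_MASK for i in range(ROUNDS)]

def toy_encrypt(key, block):
    """Toy permutation of 16-bit blocks: key XOR, odd multiply, rotate, per round."""
    x = block
    for rk in round_keys(key):
        x ^= rk
        x = (x * MUL) & BLOCK_MASK
        x = rotl16(x, 7)
    return x

def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt: undo each round in reverse order."""
    x = block
    for rk in reversed(round_keys(key)):
        x = rotr16(x, 7)
        x = (x * MUL_INV) & BLOCK_MASK
        x ^= rk
    return x

def double_encrypt(k1, k2, p):
    """C = E(K2, E(K1, P))."""
    return toy_encrypt(k2, toy_encrypt(k1, p))

def meet_in_the_middle(pairs):
    """pairs: known (P, C) with C = E(K2, E(K1, P)).
    Returns (candidates from the first pair, survivors after checking the rest)."""
    p0, c0 = pairs[0]
    # Step 1: encrypt P under every K1 and index the results by X = E(K1, P).
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Step 2: decrypt C under every K2; each X = D(K2, C) found in the table is a match.
    candidates = set()
    for k2 in range(1 << KEY_BITS):
        x = toy_decrypt(k2, c0)
        for k1 in table.get(x, ()):
            candidates.add((k1, k2))
    # Step 3: test the candidates on the remaining known pairs to remove false alarms.
    survivors = {(k1, k2) for (k1, k2) in candidates
                 if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:])}
    return candidates, survivors

def demo():
    k1, k2 = 0x3A7, 0xC15                        # the "unknown" keys (constructed)
    plaintexts = [0x1234, 0xBEEF]                # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    candidates, survivors = meet_in_the_middle(pairs)
    return k1, k2, len(candidates), survivors

if __name__ == "__main__":
    k1, k2, n_cand, survivors = demo()
    expected = 1 << (2 * KEY_BITS - 16)
    print(f"candidates after one pair: {n_cand} (about 2^{2 * KEY_BITS - 16} = {expected} expected)")
    print(f"survivors after two pairs: {sorted(survivors)}; true keys: ({k1:#x}, {k2:#x})")
```

The work is 2 × 2^12 cipher evaluations plus the table, against 2^24 for brute force of the double key; substituting 56 for 12 and 64 for 16 gives the figures quoted for double DES. The memory for the table (2^56 entries for DES) is the practical cost the text does not spell out.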
Triple DES with Two Keys
• An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys.
• This raises the cost of the known-plaintext attack to 2^112, which is beyond what is practical now and far into the future.
• However, it has the drawback of requiring a key length of 56 × 3 = 168 bits, which may be somewhat unwieldy.
• As an alternative, Tuchman proposed a triple encryption method that uses only two keys [TUCH79]. The function follows an encrypt-decrypt-encrypt (EDE) sequence:
C = E(K1, D(K2, E(K1, P)))

• There is no cryptographic significance to the use of decryption for the second stage. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES:
C = E(K1, D(K1, E(K1, P))) = E(K1, P)
• 3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANS X9.17 and ISO 8732.
• Write the intermediate values of two-key 3DES as A = E(K1, P), B = D(K2, A), and C = E(K1, B). The known-plaintext attack on two-key 3DES proceeds as follows:
1. Obtain n (P, C) pairs. This is the known plaintext. Place these in a table (Table 1) sorted on the values of P (Figure 2.23).
2. Pick an arbitrary value a for A. For each of the 2^56 possible keys K1 = i, calculate the plaintext value Pi that produces a: Pi = D(i, a). For each Pi that matches an entry in Table 1, create an entry in Table 2 consisting of the K1 value and the value of B that is produced for the (P, C) pair from Table 1, assuming that value of K1:
B = D(i, C)
At the end of this step, sort Table 2 on the values of B.

Fig.2.23. Known-Plaintext Attack on Triple DES

3. We now have a number of candidate values of K1 in Table 2 and are in a position to search for a value of K2. For each of the 2^56 possible keys K2 = j, calculate the second intermediate value for our chosen value of a:
Bj = D(j, a)
4. Each Bj that matches an entry in Table 2 yields a candidate pair (K1, K2). The candidates are tested against further known (P, C) pairs until only the correct pair survives.
Triple DES with Three Keys
• Although the attacks just described appear impractical, anyone using two-key 3DES may feel some concern.
• Thus, many researchers now feel that three-key 3DES is the preferred alternative (e.g., [KALI96a]).
• Three-key 3DES has an effective key length of 168 bits and is defined as follows:
C = E(K3, D(K2, E(K1, P)))
Backward compatibility with DES is provided by putting K3 = K2 or K1 = K2.

10. Demonstrate that Blowfish decryption is the inverse of Blowfish encryption.

Contents
• Characteristics
• Subkey and S-Box generation
• Steps in generating the P-array and S-boxes
• Encryption and decryption

• Blowfish is a symmetric block cipher developed by Bruce Schneier. Blowfish was designed to have the following characteristics:
• Fast: Blowfish encrypts data on 32-bit microprocessors at a rate of 18 clock cycles per byte.
• Compact: Blowfish can run in less than 5K of memory.
• Simple: Blowfish's simple structure is easy to implement and eases the task of determining the strength of the algorithm.

• Variably secure: The key length is variable and can be as long as 448 bits. This allows a tradeoff between higher speed and higher security.
• Blowfish encrypts 64-bit blocks of plaintext into 64-bit blocks of ciphertext. Blowfish is implemented in numerous products and has received a fair amount of scrutiny. So far, the security of Blowfish is unchallenged.
Subkey and S-Box generation
• Blowfish makes use of a key that ranges from 32 bits to 448 bits (1 to 14 32-bit words). That key is used to generate 18 32-bit subkeys and four 8 × 32 S-boxes containing a total of 1024 32-bit entries. The total is 1042 32-bit values, or 4168 bytes.
The keys are stored in a K-array:
K1, K2, …, Kj    1 ≤ j ≤ 14
The subkeys are stored in the P-array:
P1, P2, …, P18
There are four S-boxes, each with 256 32-bit entries:
S1,0, S1,1, …, S1,255
S2,0, S2,1, …, S2,255
S3,0, S3,1, …, S3,255
S4,0, S4,1, …, S4,255
The steps in generating the P-array and S-boxes are as follows:


1. Initialize first the P-array and then the four S-boxes in order using the bits of the fractional part of the constant π. Thus, the leftmost 32 bits of the fractional part of π become P1, and so on. For example, in hexadecimal,
P1 = 243F6A88
P2 = 85A308D3
2. Perform a bitwise XOR of the P-array and the K-array, reusing the words from the K-array as needed. For example, for the maximum-length key (14 32-bit words),
P1 = P1 ⊕ K1
P2 = P2 ⊕ K2
…
P14 = P14 ⊕ K14
P15 = P15 ⊕ K1
P16 = P16 ⊕ K2
P17 = P17 ⊕ K3
P18 = P18 ⊕ K4
3. Encrypt the 64-bit block of all zeros using the current P-array and S-boxes; replace P1 and P2 with the output of the encryption.
4. Encrypt the output of step 3 using the current P-array and S-boxes; replace P3 and P4 with the resulting ciphertext.
5. Continue this process to update all the elements of P, and then, in order, all elements of S, using at each step the output of the continuously changing Blowfish algorithm.
The update process can be summarized as follows:
P1, P2 = E_P,S[0]
P3, P4 = E_P,S[P1 ‖ P2]
…
P17, P18 = E_P,S[P15 ‖ P16]
S1,0, S1,1 = E_P,S[P17 ‖ P18]
…
S4,254, S4,255 = E_P,S[S4,252 ‖ S4,253]
• where E_P,S[Y] is the ciphertext produced by encrypting Y using Blowfish with the arrays S and P.
• A total of 521 executions of the Blowfish encryption algorithm are required to produce the final S- and P-arrays. Accordingly, Blowfish is not suitable for applications in which the secret key changes frequently.
• Further, for rapid execution, the P- and S-arrays can be stored rather than rederived from the key each time the algorithm is used. This requires over 4 kilobytes of memory. Thus Blowfish is not appropriate for applications with limited memory, such as smart cards.
Encryption and decryption
Blowfish uses two primitive operations:
• Addition: Addition of words, denoted by +, is performed modulo 2^32.
• Bitwise exclusive-OR: This operation is denoted by ⊕.
• The important thing about these two operations is that they do not commute. This makes cryptanalysis more difficult.

• Figure 2.24 depicts the Blowfish encryption operation. The plaintext is divided into two 32-bit halves LE0 and RE0. We use the variables LEi and REi to refer to the left and right half of the data after round i has completed. The algorithm can be defined by the following pseudocode:
for i = 1 to 16 do
    REi = LEi-1 ⊕ Pi
    LEi = F[REi] ⊕ REi-1
LE17 = RE16 ⊕ P18
RE17 = LE16 ⊕ P17

Fig.2.24. Blowfish Encryption and Decryption

• The resulting ciphertext is contained in the two variables LE17 and RE17. The function F used in encryption is shown in Figure 2.24(a). The 32-bit input to F is divided into 4 bytes. If we label those bytes a, b, c, and d, then the function can be defined as follows:
F[a, b, c, d] = ((S1,a + S2,b) ⊕ S3,c) + S4,d
• Thus, each round includes the complex use of addition modulo 2^32 and XOR, plus substitution using S-boxes.
• Decryption, shown in Figure 2.24(b), is easily derived from the encryption algorithm. In this case, the 64 bits of ciphertext are initially assigned to the two one-word variables LD0 and RD0.
• We use the variables LDi and RDi to refer to the left and right half of the data after round i. As with most block ciphers, Blowfish decryption involves using the subkeys in reverse order. However, unlike most block ciphers, Blowfish decryption occurs in the same algorithmic direction as encryption, rather than the reverse. The algorithm can be defined as follows:
for i = 1 to 16 do
    RDi = LDi-1 ⊕ P19-i
    LDi = F[RDi] ⊕ RDi-1
LD17 = RD16 ⊕ P1
RD17 = LD16 ⊕ P2
• To see that this recovers the plaintext, set LD0 = LE17 and RD0 = RE17. The first decryption round gives RD1 = LE17 ⊕ P18 = RE16 and LD1 = F[RE16] ⊕ RE17 = F[RE16] ⊕ LE16 ⊕ P17 = RE15 ⊕ P17 (using LE16 = F[RE16] ⊕ RE15 from the last encryption round). Repeating the argument, RDi = RE17-i and LDi = RE16-i ⊕ P18-i for every round, so after round 16 we have RD16 = RE1 and LD16 = RE0 ⊕ P2, and the final swap gives LD17 = RE1 ⊕ P1 = LE0 and RD17 = LD16 ⊕ P2 = RE0, which are the original plaintext halves.

11. In the RC5-CBC-Pad mode, there are from one to bb bytes of padding. Why not allow zero bytes of padding? That is, if the message to be encrypted is an integer multiple of the block size, why not refrain from padding?

Contents
 Characteristics
 RC5 Parameters
 Key Expansion
 Encryption
 Decryption
 RC5 Modes

RC5 is a symmetric encryption algorithm developed by Ron Rivest. RC5 was designed to have the following characteristics:
• Suitable for hardware or software: RC5 uses only primitive computational operations commonly found on microprocessors.
• Fast: To achieve this, RC5 is a simple algorithm and is word oriented. The basic operations work on full words of data at a time.
• Adaptable to processors of different word lengths: The number of bits in a word is a parameter of RC5; different word lengths yield different algorithms.
• Variable number of rounds: The number of rounds is a second parameter of RC5. This parameter allows a tradeoff between higher speed and higher security.
• Variable-length key: The key length is a third parameter of RC5. Again, this allows a tradeoff between speed and security.
• Simple: RC5's simple structure is easy to implement and eases the task of determining the strength of the algorithm.
• Low memory requirement: A low memory requirement makes RC5 suitable for smart cards and other devices with restricted memory.
• High security: RC5 is intended to provide high security with suitable parameters.
• Data-dependent rotations: RC5 incorporates rotations (circular bit shifts) whose amount is data dependent. This appears to strengthen the algorithm against cryptanalysis.
• RC5 has been incorporated into RSA Data Security, Inc.'s major products, including BSAFE, JSAFE, and S/MAIL.
RC5 Parameters
RC5 is actually a family of encryption algorithms determined by three parameters, as follows:

Key Expansion
• RC5 performs a complex set of operations on the secret key to produce a total of t subkeys.
Two subkeys are used in each round, and two subkeys are used in an additional operation that
is not part of any round, so t = 2r + 2. Each subkey is one word (w bits) in length.

• Fig. 2.25 illustrates the RC5 technique used to generate subkeys. The subkeys are stored in a t-
word array labeled S[0], S[1], …, S[t-1]. Using the parameters r and w as inputs, this array is
initialized to a particular fixed pseudorandom bit pattern. Then the b-byte key, K[0 … b-1],
is converted into a c-word array L[0 … c-1]. On a little-endian machine, this is accomplished
by zeroing out the array L and copying the string K directly into the memory positions
represented by L.
• If b is not an integer multiple of w, then a portion of L at the right end remains zero. Finally, a
mixing operation is performed that applies the contents of L to the initialized value of S to
produce a final value for the array S.

Fig. 2.25 RC5 Key Expansion


• Let us look at these operations in detail. The initialize operation makes use of two word-length
constants defined as follows,

Where,

• And Odd[x] is the odd integer nearest to x. For example, Odd[e] = 3 and Odd[φ] = 1. Using the
allowable values of w, the constants are,

Using these two constants, the array S is initialized in the following manner:

• where addition is performed modulo 2^w. The initialized array S is then mixed with the key
array L to produce a final array S of subkeys. For this purpose, three passes are made through
the larger of the two arrays; the smaller array may be handled more times:

Encryption
• RC5 uses three primitive operations (and their inverses):
• Addition: Addition of words, denoted by +, is performed modulo 2^w. The inverse
operation, denoted by -, is subtraction modulo 2^w.
• Bitwise exclusive-OR: This operation is denoted by ⊕.
• Left circular rotation: The cyclic rotation of word x left by y bits is denoted by x <<< y.
The inverse is the right circular rotation of word x by y bits, denoted by x >>> y.
• Figure 2.26(a) depicts the encryption operation. Note that this is not a classic Feistel
structure. The plaintext is assumed to initially reside in the two w-bit registers A and B. We
use the variables LEi and REi to refer to the left and right halves of the data after round i has
completed. The algorithm can be defined by the following pseudocode:

Fig. 2.26 RC5 Encryption & Decryption


Decryption
• Decryption, shown in Figure 2.26(b), is easily derived from the encryption algorithm. In this
case, the 2w bits of ciphertext are initially assigned to the two one-word variables LDr and
RDr. We use the variables LDi and RDi to refer to the left and right halves of the data before
round i has begun, where the rounds are numbered from r down to 1.
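The key expansion, encryption and decryption described above, written out as a complete RC5-32/12/16 in C. This is an added example, not code from the notes or from RSA's reference implementation; the parameters w = 32, r = 12, b = 16 are chosen here, P32 = 0xB7E15163 and Q32 = 0x9E3779B9 are the standard RC5 constants for w = 32, and the self-check key K[i] = seed + i is constructed for the example.

```c
#include <stdint.h>

/* RC5-32/12/16 (assumed parameters): w = 32-bit words, r = 12 rounds, b = 16-byte key. */
#define RC5_R 12
#define RC5_B 16
#define RC5_T (2 * RC5_R + 2)      /* t = 2r + 2 subkeys */
#define RC5_C ((RC5_B + 3) / 4)    /* c = ceil(b / 4) key words */
#define RC5_P32 0xB7E15163u        /* P_w = Odd[(e - 2) * 2^w] for w = 32 */
#define RC5_Q32 0x9E3779B9u        /* Q_w = Odd[(phi - 1) * 2^w] for w = 32 */
/* x <<< y and x >>> y: only the low log2(w) = 5 bits of y select the rotation amount. */
static uint32_t rotl(uint32_t x, uint32_t y) { y &= 31; return (x << y) | (x >> ((32 - y) & 31)); }
static uint32_t rotr(uint32_t x, uint32_t y) { y &= 31; return (x >> y) | (x << ((32 - y) & 31)); }
/* Key expansion: derive the t subkeys S[0..t-1] from the b-byte key K. */
void rc5_setup(const uint8_t K[RC5_B], uint32_t S[RC5_T]) {
    uint32_t L[RC5_C] = {0}, A = 0, B = 0;
    int i, j, n = 3 * (RC5_T > RC5_C ? RC5_T : RC5_C);
    /* Copy K into the c-word array L, little-endian, zero-padded at the right end. */
    for (i = RC5_B - 1; i >= 0; i--) L[i / 4] = (L[i / 4] << 8) + K[i];
    /* Initialize S to the fixed pseudorandom pattern P, P + Q, P + 2Q, ... (mod 2^w). */
    for (S[0] = RC5_P32, i = 1; i < RC5_T; i++) S[i] = S[i - 1] + RC5_Q32;
    /* Mix L into S: 3 * max(t, c) steps, i.e. three passes over the larger array. */
    for (i = j = 0; n > 0; n--) {
        A = S[i] = rotl(S[i] + A + B, 3);
        B = L[j] = rotl(L[j] + A + B, A + B);
        i = (i + 1) % RC5_T;
        j = (j + 1) % RC5_C;
    }
}
/* Encrypt one 2w-bit block held in words A and B (note: not a Feistel structure). */
void rc5_encrypt(const uint32_t S[RC5_T], uint32_t *A, uint32_t *B) {
    uint32_t a = *A + S[0], b = *B + S[1];
    for (int i = 1; i <= RC5_R; i++) {
        a = rotl(a ^ b, b) + S[2 * i];
        b = rotl(b ^ a, a) + S[2 * i + 1];
    }
    *A = a; *B = b;
}
/* Decrypt: undo rounds r down to 1 with the inverse operations (-, >>>, XOR). */
void rc5_decrypt(const uint32_t S[RC5_T], uint32_t *A, uint32_t *B) {
    uint32_t a = *A, b = *B;
    for (int i = RC5_R; i >= 1; i--) {
        b = rotr(b - S[2 * i + 1], a) ^ a;
        a = rotr(a - S[2 * i], b) ^ b;
    }
    *A = a - S[0]; *B = b - S[1];
}
/* Self-check with a constructed key K[i] = seed + i (not a published test vector):
   returns 1 if encryption changes the block and decryption restores it, else 0. */
int rc5_roundtrip_ok(uint8_t seed, uint32_t A, uint32_t B) {
    uint8_t K[RC5_B];
    uint32_t S[RC5_T], a = A, b = B;
    for (int i = 0; i < RC5_B; i++) K[i] = (uint8_t)(seed + i);
    rc5_setup(K, S);
    rc5_encrypt(S, &a, &b);
    if (a == A && b == B) return 0;
    rc5_decrypt(S, &a, &b);
    return a == A && b == B;
}
```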

RC5 Modes
• To enhance the effectiveness of RC5 in interoperable implementations, RFC 2040 defines
four different modes of operation:
• RC5 block cipher: This is the raw encryption algorithm that takes a fixed-size input
block (2w bits) and produces a ciphertext block of the same length using a transformation
that depends on a key.
• RC5-CBC: This is the cipher block chaining mode for RC5. CBC processes
messages whose length is a multiple of the RC5 block size (multiples of 2w bits). CBC
provides enhanced security compared to ECB because repeated blocks of plaintext
produce different blocks of ciphertext.
• RC5-CBC-Pad: This is a CBC style of algorithm that handles plaintext of any length.
The ciphertext will be longer than the plaintext by at most the size of a single RC5 block.
• RC5-CTS: This is the ciphertext stealing mode, which is also a CBC style of algorithm.
This mode handles plaintext of any length and produces ciphertext of equal length.
The encryption sequence is as follows:

12. List out any two di-gram, two tri-gram. Shortly describe the application of di-gram and tri-
gram in cryptography. (NOV/DEC 2021)

• Monogram
• Bigram
• Trigram
• Frequency counts
Introduction to Frequency Analysis
• Frequency analysis is the practice of counting the number of occurrences of different ciphertext
characters in the hope that the information can be used to break ciphers. Frequency
analysis is not only for single characters; it is also possible to measure the frequency
of bigrams (also called digraphs), which is how often pairs of characters occur in text. Trigram
frequency counts measure the occurrence of 3-letter combinations.
• When talking about bigram and trigram frequency counts, this page concentrates on text
characterization as opposed to solving polygraphic ciphers, e.g. Playfair. The difference is that
text characterization depends on all possible 2-character combinations, since we wish to know
about as many bigrams as we can (this means we allow the bigrams to overlap).
• When cracking Playfair, we do not allow the bigrams to overlap. If you want monogram,
bigram, trigram or quadgram frequencies pre-calculated for a certain language.
Monogram Counts
• Monogram frequency counts are most effective on substitution-type ciphers such as the Caesar
cipher, substitution cipher, Polybius square etc. It works because natural English text follows a
very specific frequency distribution, which is not masked by substitution ciphers. The
distribution looks like:
Bigram Counts
• Bigram counts maintain the same principle as monogram counts, but instead of counting
occurrences of single characters, bigram counts count the frequency of pairs of characters.
Trigram Counts
• Just as bigram counts count the frequency of pairs of characters, trigram counts count the
frequency of triples of characters.
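To make the overlapping versus non-overlapping distinction concrete, here is a small n-gram counter in C covering monograms, bigrams and trigrams. It is an added example, not from the notes; the sample sentence used in its checks is constructed.

```c
#include <ctype.h>
#include <string.h>

#define MAX_LETTERS 1024

/* Keep only letters, case folded to A-Z; returns how many were kept. */
static int extract_letters(const char *text, char *out, int max) {
    int len = 0;
    for (; *text && len < max; text++)
        if (isalpha((unsigned char)*text))
            out[len++] = (char)toupper((unsigned char)*text);
    return len;
}

/* Count occurrences of one n-gram (n = strlen(gram): monogram, bigram, trigram, ...).
   step = 1 lets grams overlap, as for text characterization; step = n does not,
   as when a message is split into the digraphs a Playfair cipher encrypts. */
int ngram_count(const char *text, int step, const char *gram) {
    char letters[MAX_LETTERS];
    int n = (int)strlen(gram), len = extract_letters(text, letters, MAX_LETTERS), count = 0;
    for (int i = 0; i + n <= len; i += step) {
        int k = 0;
        while (k < n && letters[i + k] == toupper((unsigned char)gram[k])) k++;
        if (k == n) count++;
    }
    return count;
}

/* Full bigram table for a text, then the most frequent pair encoded as
   first * 26 + second (ties go to the alphabetically first pair).
   Decode with 'A' + idx / 26 and 'A' + idx % 26. */
int top_bigram(const char *text, int step) {
    char letters[MAX_LETTERS];
    int counts[26][26] = {{0}}, best = -1, idx = 0;
    int len = extract_letters(text, letters, MAX_LETTERS);
    for (int i = 0; i + 1 < len; i += step)
        counts[letters[i] - 'A'][letters[i + 1] - 'A']++;
    for (int a = 0; a < 26; a++)
        for (int b = 0; b < 26; b++)
            if (counts[a][b] > best) { best = counts[a][b]; idx = a * 26 + b; }
    return idx;
}
```

For the constructed text "THE THREE THIEVES", TH occurs 3 times when bigrams may overlap but only 2 times when the text is split into Playfair-style pairs.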

13. Consider a banking application that is expected to provide cryptographic functionalities.
Assume that this application is running on top of another application wherein the end
customers can perform a single task of fund transfer. The application has cryptographic
requirements based on the transfer amount. (NOV/DEC 2020)

Transfer amount        Cryptography functions required
1 – 2000               Message digest
2001 – 5000            Digital signature
5000 and above         Digital signature and encryption

Suggest the security scheme to be adopted on the client and server side.

GUIDANCE FOR BANKS

a) Roles and Responsibilities and Organizational Framework:
Well-defined roles and responsibilities of Board and Senior Management are critical, while
implementing IT Governance. Clearly-defined roles enable effective project control. People,
when they are aware of others' expectations from them, are able to complete work on time, within
budget and to the expected level of quality.
IT Governance stakeholders include:
• Board of Directors
• IT Strategy Committees
• CEOs
• Business Executives
• CIOs
• IT Steering Committees (operating at an executive level and focusing on priority setting,
resource allocation and project tracking)
• Chief Risk Officer
• Risk Committees
b) Organization Structure:
i). Expertise at the Board Level:
IT Strategy Committees should have some form of participation at the Board level. This is to ensure
that, as part of the Corporate Governance initiatives, IT Governance is also addressed, so as to advise
on strategic direction on IT and to review IT investments on the Board's behalf.
ii). Qualified and Independent IT Strategy Committee: A qualified and an independent IT
Strategy Committee should be set up with a minimum of two directors as members, one of whom
should be an independent director. IT Strategy Committee members should be technically competent.
At least one member should have substantial IT expertise in managing technology.
Explanation 1: Technically competent herein will mean the ability to understand and evaluate
technology systems.
Explanation 2: A member will be considered to have “substantial IT expertise” if he has a minimum
of seven years of experience in managing IT systems and/or leading/guiding technology
initiatives/projects. Such a member should also have an understanding of banking processes at a
broader level and of the impact of IT on such processes. If not, then the member should be trained on
these aspects.
iii). Chairman of an IT Strategy Committee shall be an independent director. Also, the CIO
should be a part of this committee, who should be present at Board meetings to help IT strategy align
with business goals. The IT Strategy Committee should meet at appropriate frequency as and when
needed (at least four times in a year) and not more than four months should elapse between two
meetings.
iv). Powers of IT Strategy Committee: It is recommended that the committee should have the following
powers:
• Perform oversight functions over the IT Steering Committee (at a senior management level)
• Investigate activities within this scope
• Seek information from any employee
• Obtain outside legal or professional advice
• Secure attendance of outsiders with relevant expertise, if it considers necessary
• Work in partnership with other Board committees and Senior Management to provide input, review
and amend the aligned corporate and IT strategies.
c) Recommended Roles and Responsibilities:
Board of Directors/ IT Strategy Committee: Some of the roles and responsibilities include:
• Approving IT strategy and policy documents
• Ensuring that the management has put an effective strategic planning process in place
• Ratifying that the business strategy is indeed aligned with IT strategy

• Ensuring that the IT organizational structure complements the business model and its
direction
• Ascertaining that management has implemented processes and practices that ensure that IT
delivers value to the business
• Ensuring IT investments represent a balance of risks and benefits and that budgets are
acceptable
• Monitoring the method that management uses to determine the IT resources needed to achieve
strategic goals and provide high-level direction for sourcing and use of IT resources
• Ensuring proper balance of IT investments for sustaining the bank's growth
• Becoming aware of exposure towards IT risks and controls, and evaluating the effectiveness
of management's monitoring of IT risks
• Assessing Senior Management's performance in implementing IT strategies
• Issuing high-level policy guidance (e.g. related to risk, funding, or sourcing tasks)
• Confirming whether IT or business architecture is to be designed, so as to derive the
maximum business value.
Advantages
1. Only one part must be kept secret.
2. There is no need to change your public/private key pair (unless someone finds your private key).
3. For N people to communicate there need only be N public/private key pairs.
4. There is no need for initial key exchange.

14. Explain the bitwise XOR operation which involved in RC4. (Nov/Dec2020)
• RC4 is a stream cipher and variable-length key algorithm. This algorithm encrypts one byte at
a time (or larger units at a time).
• A key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers that is
unpredictable without knowledge of the input key. The output of the generator, called the
keystream, is combined one byte at a time with the plaintext stream using the XOR operation.
Example:
RC4 Encryption
10011000 ⊕ 01010000 = 11001000
RC4 Decryption
11001000 ⊕ 01010000 = 10011000
Types of RC4
There are various variants of RC4 such as Spritz, RC4A, VMPC, and RC4A+.
• Spritz: Spritz can be used to build a cryptographic hash function, a deterministic
random bit generator (DRBG), and an encryption algorithm that supports authenticated
encryption with associated data (AEAD).
• RC4A: Souradyuti Paul and Bart Preneel have proposed an RC4 variant, which they call
RC4A, which is stronger than RC4.
• VMPC: VMPC is another variant of RC4 which stands for Variably Modified
Permutation Composition.
• RC4A+: RC4A+ is a modified version of RC4 with a more complex three-phase key
schedule which takes about three times as long as RC4 and a more complex output
function which performs four additional lookups in the S array for each byte output, taking
approximately 1.7 times as long as basic RC4.
Algorithm
The algorithm operates on a user-selected variable-length key (K) of 1 to 256 bytes (8 to 2048
bits), typically between 5 and 16 bytes. The master key is used to generate a 256-byte state vector S.
The first step is the array initialization. S is a byte array of size 256, i.e. S[256]. For every
element of the array, we initialize S[i] to i.
Code for array initialization:
    unsigned char S[256];          /* the 256-byte state vector */
    int i;
    for (i = 0; i < 256; i++)
        S[i] = i;                  /* start from the identity permutation */
The array will look like:
S[] = {0, 1, 2, 3, ..., 254, 255}
After this, we run the KSA (Key Scheduling Algorithm).

KSA uses the secret key to scramble this array. KSA is a simple loop with two index variables,
i and j, which are used to rearrange the array; the rearrangement is driven by the secret key. Here
T is a 256-byte temporary vector holding the key repeated as often as needed, i.e. T[i] = K[i mod keylen].
Code for KSA (Key Scheduling Algorithm):
    int i, j = 0;
    for (i = 0; i < 256; i++)
    {
        j = (j + S[i] + T[i]) % 256;   /* T[i] = K[i mod keylen] */
        swap(&S[i], &S[j]);            /* swap() exchanges the bytes S[i] and S[j] */
    }
Once S has been scrambled by the KSA, the S[256] array is used by the PRGA (Pseudo Random
Generation Algorithm) to generate the actual keystream.

Code for PRGA (Pseudo Random Generation Algorithm):
    int i = 0, j = 0, t;
    unsigned char k;
    while (1)                          /* one keystream byte per iteration */
    {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        swap(&S[i], &S[j]);            /* keep scrambling S */
        t = (S[i] + S[j]) % 256;
        k = S[t];                      /* next keystream byte, XORed with the next plaintext byte */
    }
Each iteration is one further step of scrambling and yields one keystream byte k.

Fig. 2.27 RC4 Block Diagram

Working of RC4

Encryption Procedure
• The user inputs a plaintext file and a secret key.
• The encryption engine then generates the keystream using the KSA and PRGA algorithms.
• This keystream is XORed with the plaintext byte by byte to produce the encrypted text.
• The encrypted text is then sent to the intended receiver, who decrypts it; after decryption,
the receiver gets the original plaintext.
Decryption Procedure (refer to Fig. 2.27)
Decryption is achieved by doing the same byte-wise XOR operation on the ciphertext with the same keystream.
Example: Let A be the plaintext and B be the keystream; then (A ⊕ B) ⊕ B = A.
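The whole RC4 procedure above (array initialization, KSA, PRGA and the byte-wise XOR) as one runnable C implementation, added here as an example rather than code from the notes. It assumes the key is repeated to fill T (T[i] = key[i mod keylen]) and adds an optional drop parameter that discards leading keystream bytes, the precaution referred to under Disadvantages; the self-check uses the widely published RC4 test vector for key "Key" and plaintext "Plaintext".

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RC4 state: the 256-byte permutation S plus the PRGA indices i and j. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_ctx;

static void swap_bytes(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }

/* KSA: S starts as the identity permutation and is scrambled with the key.
   T[i] = key[i mod keylen], i.e. the key repeated to fill 256 bytes (assumed here). */
void rc4_ksa(rc4_ctx *ctx, const uint8_t *key, size_t keylen) {
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) ctx->S[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + ctx->S[i] + key[i % keylen]);   /* mod 256 by uint8_t wraparound */
        swap_bytes(&ctx->S[i], &ctx->S[j]);
    }
    ctx->i = ctx->j = 0;
}

/* PRGA: one step keeps scrambling S and yields k = S[(S[i] + S[j]) mod 256]. */
uint8_t rc4_next(rc4_ctx *ctx) {
    ctx->i = (uint8_t)(ctx->i + 1);
    ctx->j = (uint8_t)(ctx->j + ctx->S[ctx->i]);
    swap_bytes(&ctx->S[ctx->i], &ctx->S[ctx->j]);
    return ctx->S[(uint8_t)(ctx->S[ctx->i] + ctx->S[ctx->j])];
}

/* Encrypt or decrypt (identical): out[n] = in[n] XOR the next keystream byte.
   drop > 0 first discards that many keystream bytes (the keystream-prefix
   weakness noted under Disadvantages); drop = 0 is plain RC4. */
void rc4_crypt(const uint8_t *key, size_t keylen, size_t drop,
               const uint8_t *in, uint8_t *out, size_t len) {
    rc4_ctx ctx;
    rc4_ksa(&ctx, key, keylen);
    for (; drop > 0; drop--) (void)rc4_next(&ctx);
    for (size_t n = 0; n < len; n++) out[n] = in[n] ^ rc4_next(&ctx);
}

/* Returns 1 if key "Key" turns "Plaintext" into the published RC4 test vector
   BB F3 16 E8 D9 40 AF 0A D3 and a second pass restores the plaintext, else 0. */
int rc4_selftest(void) {
    static const uint8_t key[3] = {'K', 'e', 'y'};
    static const uint8_t pt[9] = {'P', 'l', 'a', 'i', 'n', 't', 'e', 'x', 't'};
    static const uint8_t expect[9] = {0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3};
    uint8_t ct[9], back[9];
    rc4_crypt(key, 3, 0, pt, ct, 9);
    rc4_crypt(key, 3, 0, ct, back, 9);
    return memcmp(ct, expect, 9) == 0 && memcmp(back, pt, 9) == 0;
}
```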
Advantages
• RC4 stream ciphers are simple to use.
• The speed of operation in RC4 is fast as compared to other ciphers.
• RC4 stream ciphers are strong in coding and easy to implement.
• RC4 stream ciphers do not require more memory.
• RC4 stream ciphers are implemented on large streams of data.

Disadvantages
• If RC4 is not used with a strong MAC then the encryption is vulnerable to a bit-flipping attack.
• RC4 stream ciphers do not provide authentication.
• The RC4 algorithm requires additional analysis before including it in new systems.
• RC4 stream ciphers cannot be implemented on small streams of data.
• RC4 is weakened when an implementation fails to discard the beginning of the output keystream,
or when non-random or related keys are used with the algorithm.
15. In finite field arithmetic, (x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = ? (Nov/Dec-2021)

UNIVERSITY QUESTIONS
PART-A
1. What is the difference between differential and linear cryptanalysis? (May/June 2011)
2. What is the difference between Sub Bytes and Sub Word? (May/June 2011)
3. Explain Avalanche effect. (Nov/Dec 2012)
4. Give the five modes of operation of Block cipher. (Nov/Dec 2012, May 2017)
5. What is the primitive root of a number? (Nov/Dec 2012)
6. What is Factoring? (May/June 2012)
7. List the uses of RC4. (Nov/Dec 2013)
8. Define Differential Cryptanalysis. (May/June 2012)

9. List the Block cipher Modes of operation. (Nov/Dec 2013)
10. What is the disadvantage with ECB mode of operation? (May/June 2013)
11. State whether symmetric and asymmetric cryptographic algorithms need key Exchange.
(Nov/Dec 2012)
12. Define elliptical curve. (Nov/Dec 2016)
13. Briefly defined in strength of triple DES. (Nov/Dec 2016)
14. State the difference between private key and public key algorithm. (May/June 2017)

PART –B
1. Explain Data Encryption Standard (DES) in detail.
(Apr/May-2011)(Nov/Dec 2012) (May/Jun 2013)(May/Jun 2014,2017) (NOV/DEC 2014)
2. Draw the block diagram of single round of DES algorithm and explain the Processing carried
out in each block. (Apr/May-2011)(Nov/Dec2012)(May/Jun 2013)
3. Explain the RC4 in details. (May/Jun 2012)
4. Explain in details multiple encryption and Triple DES. (Nov/Dec 2013) (May/Jun 2012)
5. Explain in detail about the AES algorithm with its all round of functions.(Nov/Dec 2016)
6. Explain in detail about the block cipher modes.
