
Cns 3

The document discusses symmetric key encryption using AES. AES is a symmetric block cipher that encrypts data blocks of 128 bits using a key of 128, 192, or 256 bits. It uses a number of transformations like substitution, permutation, mixing and key addition in multiple rounds of encryption depending on the key size.

Uploaded by

pallavitp
SYMMETRIC KEY AND ASYMMETRIC KEY ENCIPHERMENT
UNIT - 2
INTRODUCTION
• The Advanced Encryption Standard (AES) is a symmetric-key block cipher
published by the National Institute of Standards and Technology (NIST) in December
2001.
• In 1997, NIST started looking for a replacement for DES, which would be called the
Advanced Encryption Standard or AES.
• The NIST specifications required a block size of 128 bits and three different key sizes of
128, 192, and 256 bits.
• Criteria:
• The criteria defined by NIST for selecting AES fall into three areas:
• Security: The main emphasis was on security. Because NIST explicitly demanded a
128-bit key, this criterion focused on resistance to cryptanalysis attacks other than
brute-force attack.
• Cost: Computational efficiency and storage requirements.
• Implementation: Flexibility (platform independent), simplicity and storage.
Advanced Encryption Standard
Rounds
•AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits.
•It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the
number of rounds.
•Figure 7.1 shows the general design for the encryption algorithm (called cipher); the decryption
algorithm (called inverse cipher) is similar, but the round keys are applied in the reverse order.
•In Figure 7.1, Nr defines the number of rounds. The figure also shows the relationship between the
number of rounds and the key size, which means that we can have three different AES versions;
they are referred as AES-128, AES-192, and AES-256.
•However, the round keys, which are created by the key-expansion algorithm are always 128 bits,
the same size as the plaintext or ciphertext block.
•The number of round keys generated by the key-expansion algorithm is always one more than the
number of rounds. In other words, we have
Number of round keys = Nr + 1
•We refer to the round keys as K0, K1, K2, …, KNr.
Data Units
• AES uses five units of measurement to refer to data: bits, bytes, words, blocks, and state. The bit is the smallest
and atomic unit; other units can be expressed in terms of smaller ones.

• Bit In AES, a bit is a binary digit with a value of 0 or 1. We use a lowercase letter to refer to a bit.
• Byte A byte is a group of eight bits that can be treated as a single entity, a row matrix (1 × 8) of eight bits, or a
column matrix (8 × 1) of eight bits. When treated as a row matrix, the bits are inserted to the matrix from left to
right; when treated as a column matrix, the bits are inserted into the matrix from top to bottom. We use a
lowercase bold letter to refer to a byte.
• Word A word is a group of 32 bits that can be treated as a single entity, a row matrix of four bytes, or a column
matrix of four bytes. When it is treated as a row matrix, the bytes are inserted into the matrix from left to right;
when it is considered as a column matrix, the bytes are inserted into the matrix from top to bottom. We use the
lowercase bold letter w to show a word.
• Block AES encrypts and decrypts data blocks. A block in AES is a group of 128 bits. However, a block can be
represented as a row matrix of 16 bytes.
• State AES uses several rounds in which each round is made of several stages. Data block is transformed from
one stage to another. At the beginning and end of the cipher, AES uses the term data block; before and after
each stage, the data block is referred to as a state.
Figure: Block-to-state and state-to-block transformation
• Example: “AES uses a matrix”
• Structure of Each Round: the structure of each round at the encryption side. Each round, except the last, uses
four transformations that are invertible. The last round has only three transformations.
• Each transformation takes a state and creates another state to be used for the next transformation or the next
round. The pre-round section uses only one transformation (AddRoundKey); the last round uses only three
transformations.
Transformations Used by AES
To provide security, AES uses four types of
transformations:
• Substitution
• Permutation
• Mixing and
• Key adding
Substitution
• AES uses substitution.
• Mechanism is different:
1. Substitution is done for each byte.
2. A table is used for substitution for each byte.
3. Table lookup process or mathematical calculation in the GF(2^8) field.
• AES uses two invertible transformations:
• SubBytes
• InvSubBytes
• SubBytes:
• The first transformation, SubBytes, is used at the encryption site.
• To substitute a byte, we interpret the byte as two hexadecimal digits.
• Left digit – row
• Right digit – column

Figure: SubBytes transformation
• Example:
Transformation using GF(2^8) field
Permutation:
• Another transformation found in a round is shifting, which permutes the bytes.
• Shifting transformation in AES is done at the byte level; the order of the bits in the byte
is not changed.
• ShiftRows:
• In the encryption, the transformation is called ShiftRows and the shifting is to the left.
• ShiftRows transformation operates one row at a time.

Figure: ShiftRows transformation
InvShiftRows:
• In the decryption, the transformation is called InvShiftRows and shifting is to the
right.
• The number of shifts is the same as the row number (0, 1, 2, 3) of the state matrix.
Note: The ShiftRows and InvShiftRows transformations are inverses of each other.
Mixing:
• Interbyte transformation.
• Interbyte transformation changes the bits inside a byte, based on the bits inside
the neighboring bytes.
• The mixing can be provided by matrix multiplication.
• First multiply each byte with a different constant and then mix them.

Figure: Mixing bytes using matrix multiplication
• AES defines a transformation, called MixColumns, to achieve this goal.
• There is also an inverse transformation, called InvMixColumns.

Figure: Constant matrices used by MixColumns and InvMixColumns
• MixColumns:
• The MixColumns transformation operates at the column level; it transforms each column
of the state to a new column.

• InvMixColumns:
• It is basically the same as the MixColumns transformation.
• Algorithm:
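The block-to-state layout, ShiftRows/InvShiftRows and MixColumns described above, as an added example that is not part of the original slides. The constant matrix rows (02 03 01 01, rotated per row) and the sample column are taken from FIPS-197 and its well-known test vectors; the function names are chosen here.

```python
# Added example: AES state layout, ShiftRows/InvShiftRows and MixColumns.

def block_to_state(block):
    """16-byte block -> 4x4 state, filled column by column."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def state_to_block(state):
    """4x4 state -> 16-byte block, read column by column."""
    return bytes(state[r][c] for c in range(4) for r in range(4))

def shift_rows(state):
    """Row r is rotated left by r bytes; the bits inside each byte are untouched."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def inv_shift_rows(state):
    """Row r is rotated right by r bytes, undoing shift_rows."""
    return [row[4 - r:] + row[:4 - r] for r, row in enumerate(state)]

def xtime(b):
    """Multiply a byte by 0x02 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def mix_column(col):
    """Multiply one state column by the MixColumns constant matrix."""
    out = []
    for r in range(4):
        a, b, c, d = (col[(r + k) % 4] for k in range(4))
        # Row r of the matrix gives 02*a + 03*b + 01*c + 01*d (addition is XOR).
        out.append(xtime(a) ^ (xtime(b) ^ b) ^ c ^ d)
    return out

def mix_columns(state):
    """Apply mix_column to each of the four columns of the state."""
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

# Constructed sample block: bytes 00..0f make the byte movement easy to follow.
SAMPLE_BLOCK = bytes(range(16))

if __name__ == "__main__":
    state = block_to_state(SAMPLE_BLOCK)
    print("state rows      :", state)
    print("after ShiftRows :", state_to_block(shift_rows(state)).hex())
    print("round trip ok   :", inv_shift_rows(shift_rows(state)) == state)
    print("MixColumns col  :", bytes(mix_column([0xDB, 0x13, 0x53, 0x45])).hex())
```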
• Key Adding:
• AddRoundKey: AddRoundKey also proceeds one column at a time.
• It is similar to MixColumns.
• AddRoundKey adds a round key word with each state column matrix.
• The operation in MixColumns is matrix multiplication; the operation in AddRoundKey
is matrix addition.

Figure: AddRoundKey transformations
Key Expansion
• To create round keys for each round, AES uses a key-expansion process.
• If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit
round keys from one single 128-bit cipher key.
• The first round key is used for the pre-round transformation.
• All remaining round keys are used for the fourth transformation of every round.
• The key-expansion routine creates round keys word by word, where a word is an array
of four bytes.

w_0, w_1, w_2, …, w_{4(Nr + 1) − 1}

Figure: Words for each round
• Key Expansion in AES-128:
• Key Expansion in AES-128 process
1. The cipher key is an array of 16 bytes (k0 to k15). The first 4 words (w0, w1, w2, w3) are
made from the cipher key:
k0 to k3 -> w0
k4 to k7 -> w1
k8 to k11 -> w2
k12 to k15 -> w3
2. The rest of the words (w_i for i = 4 to 43) are made as follows:
i) if (i mod 4) ≠ 0, w_i = w_{i−1} ⊕ w_{i−4}
ii) if (i mod 4) = 0, w_i = t ⊕ w_{i−4}
Temporary word t:
t_i = SubWord(RotWord(w_{i−1})) ⊕ RCon_{i/4}
• RotWord: Applied to only one row. The rotate word routine takes a word as an array
of 4 bytes and shifts each byte to the left with wrapping.
• SubWord: Applied to 4 bytes. The substitute word routine takes each byte in the word
and substitutes another byte for it.
• RCon: The round constant is a 4-byte value in which the rightmost 3 bytes are always
zero.
• The key-expansion routine can either use the table when calculating the words or
use the GF(2^8) field to calculate the leftmost byte dynamically, as shown below
• Algorithm: pseudocode for key expansion in AES-128
Key expansion in AES-192 and AES-256
• It is very similar to AES-128, with the following
difference:
Key-Expansion Analysis
• Even if Eve knows only part of the cipher key or the values of the words in some
round keys, she still needs to find the rest of the cipher key before she can find all
round keys. This is because of the nonlinearity produced by SubWord transformation
in the key-expansion process.
• Two different cipher keys, no matter how similar to each other, produce two expansions
that differ in at least a few rounds.
• Each bit of the cipher key is diffused into several rounds. For example, changing a
single bit in the cipher key, will change some bits in several rounds.
• The use of the constants, the RCons, removes any symmetry that may have been
created by the other transformations.
• There are no serious weak keys in AES, unlike in DES.
• The key-expansion process can be easily implemented on all platforms.
• The key-expansion routines can be implemented without storing a single table; all
calculations can be done using the GF(2^8) and GF(2) fields.
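The AES-128 key-expansion steps and the diffusion and no-table claims in the analysis above, as an added example that is not part of the original slides. SubWord is computed from the GF(2^8) inverse plus the affine map over GF(2) instead of a stored table; the function names are chosen here and the sample key is the one used in FIPS-197 Appendix A.1.

```python
# Added example: AES-128 key expansion computed in GF(2^8), with no stored tables.

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def sub_byte(b):
    """S-box value: multiplicative inverse in GF(2^8), then the affine map over GF(2)."""
    inv = next((y for y in range(1, 256) if gmul(b, y) == 1), 0)  # 0 maps to 0
    out = 0x63
    for k in range(5):  # inv XOR its left-rotations by 1..4 bits
        out ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return out

def rot_word(w):
    """Shift the four bytes of a word one position left, with wrapping."""
    return w[1:] + w[:1]

def sub_word(w):
    """Substitute every byte of a word."""
    return [sub_byte(b) for b in w]

def expand_key_128(key):
    """Return the 44 words w0..w43 (lists of 4 bytes) for a 16-byte cipher key."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte cipher key")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 0x01                        # leftmost byte of RCon; the other three are zero
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:               # t = SubWord(RotWord(w[i-1])) XOR RCon[i/4]
            t = sub_word(rot_word(t))
            t[0] ^= rc
            rc = gmul(rc, 0x02)      # next round constant, computed dynamically
        w.append([a ^ b for a, b in zip(t, w[i - 4])])
    return w

def round_keys(key):
    """Group the 44 words into the Nr + 1 = 11 round keys of 128 bits each."""
    w = expand_key_128(key)
    return [bytes(b for word in w[4 * r:4 * r + 4] for b in word) for r in range(11)]

def round_keys_changed(key, bit):
    """Count the round keys that differ after flipping one bit of the cipher key."""
    flipped = bytearray(key)
    flipped[bit // 8] ^= 0x80 >> (bit % 8)
    return sum(a != b for a, b in zip(round_keys(key), round_keys(bytes(flipped))))

SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 key

if __name__ == "__main__":
    for r, k in enumerate(round_keys(SAMPLE_KEY)):
        print(f"K{r:<2} = {k.hex()}")
    print("round keys changed by one flipped key bit:", round_keys_changed(SAMPLE_KEY, 0))
```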
AES Cipher
• AES uses four types of transformations for encryption and
decryption.
• Encryption algorithm is referred to as the cipher.
• Decryption algorithm as the inverse cipher.
• Two different designs for implementation:
• Original Design
• Alternative Design
• Original Design: The order of transformations in each round is not the same in the cipher
and reverse cipher.
• Alternate Design:
• In this version, the transformations in the reverse cipher are rearranged to make the order
of the transformations the same in the cipher and reverse cipher.
• SubBytes/ShiftRows Pairs:
• MixColumns/AddRoundKey Pair:
• The pairs can become inverses of each other if we multiply the key matrix by
the inverse of the constant matrix used in MixColumns transformation.
Figure: Cipher and reverse cipher in alternate design
Analysis of AES
Brief review of the three characteristics of AES.
• Security
• Implementation
• Simplicity and Cost
Security
• Brute-Force Attack: AES is definitely more secure than DES due to the larger-size key.
• Statistical Attacks: Numerous tests have failed to do statistical analysis of the
ciphertext.
• Differential and Linear Attacks: There are no differential and linear attacks on AES
as yet.
Implementation
• AES can be implemented in software, hardware, and firmware.
• The implementation can use table lookup process or routines that use a
well-defined algebraic structure.

Simplicity and cost
• The algorithms used in AES are so simple that they can be easily implemented
using cheap processors and a minimum amount of memory.
ASYMMETRIC KEY CRYPTOGRAPHY
Chapter - 2
Difference between Symmetric Key and Asymmetric Key Cryptography.
• Symmetric key cryptography is based on sharing secrecy.
• Asymmetric key cryptography is based on personal secrecy.

• Symmetric key cryptography is based on substitution and permutation of symbols.
• Asymmetric key cryptography is based on applying mathematical functions
to numbers.
• Keys:

Figure: Locking and unlocking in asymmetric key cryptosystem.
• General Idea:
Several Important Facts:
• First, it emphasizes the asymmetric nature of the cryptosystem.

• Second, asymmetric key cryptography means that Bob and Alice cannot use the
same set of keys for two-way communication.

• Third, asymmetric key cryptography means that Bob needs only one private key
to receive all correspondence from anyone in the community.
• Encryption and decryption in asymmetric key cryptography are
mathematical functions applied over the numbers representing the
plaintext and ciphertext.

• The encryption function f is used only for encryption.
• The decryption function g is used only for decryption.
• Need for both:
• The advent of asymmetric key (public key) cryptography does not eliminate the
need of symmetric key (secret key) cryptography.
  • Asymmetric key cryptography, which uses mathematical functions for encryption and decryption,
  is much slower than symmetric key cryptography.
  • For encipherment of large messages, symmetric key cryptography is still needed.
• The speed of symmetric key cryptography does not eliminate the need of
asymmetric key cryptography.
  • Asymmetric key cryptography is still needed for authentication, digital signatures and
  secret-key exchanges.
Trapdoor one-way function:

The main idea behind asymmetric-key cryptography is the concept of the
trapdoor one-way function.

Function:

A function is a rule that associates (maps) one element in set A, called the domain,
to one element in set B, called the range.

An invertible function is a function that associates each element in the range
with exactly one element in the domain.

One-way function

Knapsack cryptosystem:
• Knapsack Encryption Algorithm is the first general public key cryptography algorithm. It
is developed by Ralph Merkle and Martin Hellman.
• Definition:
Suppose we are given two k-tuples, a = [a1, a2, …, ak] and x = [x1, x2, …, xk].
The first tuple is the predefined set; the second tuple, in which xi is only 0 or 1, defines which
elements of a are to be dropped in the knapsack.
• The sum of elements in the knapsack is
s = knapsackSum(a, x) = x1a1 + x2a2 + … + xkak.
• s = knapsackSum(a, x) is easy to calculate, but x = inv_knapsackSum(s, a) is difficult.
• Superincreasing Tuple:
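The knapsackSum definition above, with its inverse computed two ways, as an added example that is not part of the original slides. It assumes the usual definition of a superincreasing tuple (every element is greater than the sum of all elements before it); the tuple, the sum and the function names are constructed for illustration.

```python
# Added example: knapsackSum is easy; its inverse is easy only for a superincreasing tuple.
from itertools import product

def knapsack_sum(a, x):
    """s = x1*a1 + x2*a2 + ... + xk*ak, with every xi equal to 0 or 1."""
    return sum(ai * xi for ai, xi in zip(a, x))

def is_superincreasing(a):
    """True when each element is greater than the sum of all elements before it."""
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True

def inv_knapsack_sum_bruteforce(s, a):
    """General tuple: nothing better here than trying all 2^k selections."""
    for x in product((0, 1), repeat=len(a)):
        if knapsack_sum(a, x) == s:
            return list(x)
    return None

def inv_knapsack_sum_superincreasing(s, a):
    """Superincreasing tuple: one greedy pass from the largest element, k steps."""
    if not is_superincreasing(a):
        raise ValueError("tuple is not superincreasing")
    x = [0] * len(a)
    for i in reversed(range(len(a))):
        if s >= a[i]:        # a[i] must be in the knapsack: the smaller ones cannot reach it
            x[i] = 1
            s -= a[i]
    return x if s == 0 else None

# Constructed sample values.
SAMPLE_A = [17, 25, 46, 94, 201, 400]
SAMPLE_S = 272

if __name__ == "__main__":
    print("superincreasing:", is_superincreasing(SAMPLE_A))
    print("greedy inverse :", inv_knapsack_sum_superincreasing(SAMPLE_S, SAMPLE_A))
    print("brute force    :", inv_knapsack_sum_bruteforce(SAMPLE_S, SAMPLE_A))
```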
RSA Cryptosystem
• The most common public key algorithm is the RSA cryptosystem, named for
its inventors (Rivest, Shamir and Adleman).

Figure: Complexity of operations in RSA
• Procedure:

Figure: Encryption, decryption and key generation in RSA
• Two algebraic structures:

• Encryption/decryption ring: Encryption and decryption are done using
the commutative ring R = <Zn, +, ×>.
• This ring is public because modulus n is public.
• Anyone can send a message to Bob using this ring to do encryption.
• Key generation group: RSA uses a multiplicative group for key generation.
• Needed for generating public and private key.
• This group is hidden from public.
• Key Generation:

RSA Algorithm Example

Choose p = 3 and q = 11.
Compute n = p * q = 3 * 11 = 33.
Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20.
Choose e such that 1 < e < φ(n) and e and φ(n) are coprime. ...
Compute a value for d such that (d * e) % φ(n) = 1. ...
Public key is (e, n) => (7, 33)
Private key is (d, n) => (3, 33)
• Encryption:

• Decryption:
Examples
Solve
Show the steps of RSA Algorithm. If the RSA public key is (31, 3599), what is
the corresponding private key?
• e = 31 and n = 3599, p = 59 and q = 61, phi(n) = 3480
• d * e = 1 mod 3480
• d = 3031
• Private key = 3031
Solve
1. Bob chooses 7 and 11 as p and q and calculates n value. Find the value of φ(n).
Now choose the two exponents e and d. Now assume that Alice wants to send the
plain text 5 to Bob. Find the cipher text and decrypt it on receiving side to get
plaintext using RSA algorithm.

2. Show the steps of RSA Algorithm. If the RSA public key is (31, 3599), what is
the corresponding private key?

3. Bob chooses 13 and 11 as p and q and calculates n value. Find the value of φ(n).
Find the two exponents e and d. Now assume that Alice wants to send the plain text
13 to Bob. Find the cipher text and decrypt it on receiving side to get plaintext using
RSA algorithm.

4. Bob chooses 61 and 53 as p and q and calculates n value. Find the value of φ(n).
Let e = 17. Find the exponent d. Now assume that Alice wants to send the plain text
65 to Bob. Find the cipher text and decrypt it on receiving side to get plaintext
using RSA algorithm.

5. In an RSA cryptosystem a particular A uses two prime numbers p = 13 and q = 17 to
generate her public and private keys. If the public key of A is 35, then the private key
of A is ____.
• 11
• 13
• 16
• 17
• Attacks on RSA:
Factoring attacks
• Factoring is the act of splitting an integer into a set of smaller integers (factors)
which, when multiplied together, form the original integer.
• The factoring problem is to find 3 and 5 when given 15.
• Factoring an RSA modulus would allow an attacker to figure out the private key.
• This is the attack that attempts to find the key through the solving of the very large
prime number factor problem.
• If the attacker is able to find P and Q using N, then he can find the value of the
private key.
• This attack fails when N contains at least 300 digits in decimal terms; the
attacker will not be able to find P and Q.
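Why the size of n is the only thing protecting d, shown on the numbers already worked above ((7, 33) and (31, 3599)), as an added example that is not part of the original slides. The function names are chosen here; trial division succeeds only because these textbook moduli are a few digits long.

```python
# Added example: textbook RSA on the slide's numbers, and d recovered by factoring n.

def mod_inverse(e, m):
    """Extended Euclid: return d with (d * e) % m == 1."""
    old_r, r = e, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and phi(n) are not coprime")
    return old_s % m

def private_exponent(e, p, q):
    """Key generation step: d is the inverse of e modulo phi(n) = (p-1)(q-1)."""
    return mod_inverse(e, (p - 1) * (q - 1))

def factor_modulus(n):
    """Trial division up to sqrt(n); feasible only for toy moduli like 33 or 3599."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no non-trivial factor")

def recover_private_key(e, n):
    """Everything needed is public except p and q; once n is factored, d follows."""
    p, q = factor_modulus(n)
    return private_exponent(e, p, q), (p, q)

def encrypt(plain, e, n):
    """C = P^e mod n, for 0 <= P < n."""
    if not 0 <= plain < n:
        raise ValueError("plaintext must be in the range 0..n-1")
    return pow(plain, e, n)

def decrypt(cipher, d, n):
    """P = C^d mod n."""
    return pow(cipher, d, n)

if __name__ == "__main__":
    # The slide's small example: p = 3, q = 11, e = 7.
    d = private_exponent(7, 3, 11)
    c = encrypt(2, 7, 33)            # plaintext 2 is a constructed sample value
    print("d =", d, " C =", c, " decrypted =", decrypt(c, d, 33))
    # The solved exercise: public key (31, 3599).
    d2, (p, q) = recover_private_key(31, 3599)
    print("p, q =", p, q, " phi =", (p - 1) * (q - 1), " d =", d2)
```

The loop in `factor_modulus` runs on the order of sqrt(n) steps, which is why the slide's 300-decimal-digit bound on N puts this approach out of reach.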
Chosen cipher attack:
• Alice creates ciphertext C = P^e mod n and sends C to Bob. Bob will decrypt for Eve.
Eve intercepts C and uses the following steps to find P.
Encryption exponent:
• Common attacks occur when e is low, so use e = 2^16 + 1 = 65537.
• Coppersmith attack
• Broadcast attack
• Related message attack
• Short pad attack

• Coppersmith attack:
• The theorem states that in a modulo-n polynomial f(x) of degree e, one can use an
algorithm of the complexity log n to find the roots if one of the roots is smaller than
n^(1/e).
• Broadcast attack
• Suppose Alice wishes to send the same message to three recipients with the same
public key exponent e and the moduli n1, n2, n3.
Related Message attack
• Alice encrypts two plaintexts P1 and P2 with e = 3 and sends C1 and C2 to Bob.
• If P1 and P2 are related by a linear function, then Eve can recover P1 and P2 in
a feasible computation time.

• Short pad attack:
• Alice has a message M to send to Bob. She pads the message with r1, encrypts it
and sends C1 to Bob.
• Eve intercepts C1 and drops it.
• Bob informs Alice that he has not received the message, so Alice pads the
message again with r2, encrypts it and sends it to Bob.
• Eve also will intercept the message.
• Eve now has C1 and C2, and knows both belong to the same plaintext.
• If r1 and r2 are short, Eve may be able to recover M.
Attacks on Decryption key:
• Revealed decryption exponent attack:
• If the attacker somehow guesses the decryption key d, cipher text generated by the encryption
key is in danger, and even future messages are also in danger.
• So, it is advised to take fresh values of the two prime numbers (i.e., P and Q), N and E.

• Low decryption exponent attack:
• If we take a smaller value of d in RSA this may occur, so to avoid it take a value of
d = 2^16 + 1 (at least).
Plain text attacks: It is classified into 3 subcategories:
• Short message attack:
• The attacker knows some blocks of plain text. If this assumption is true, the attacker can
try encrypting each plain-text block to see if it results in the known cipher-text.
• Therefore, to avoid this short-message attack, it is suggested to pad
the plain text before encrypting it.

• Cycling attack:
• The attacker assumes that plain text is converted into cipher text using permutation.
• Continuous encryption of the ciphertext will eventually result in the plain text. But the attacker
does not know the plain text. Hence the attacker keeps encrypting until the ciphertext appears again,
then goes back one step to find the plain text.
• Unconcealed Message attack:
• For some plain-text messages, encryption produces cipher-text which is equal to
the original plain-text.
• If this happens, the original plain-text message cannot be secret.
• Therefore, this attack is known as unconcealed message attack.
• Attacks on the Modulus – Common modulus attack
• If a community uses a common modulus n, select p and q, calculate n and Φ(n),
and create a pair of exponents (ei, di) for each entity.
• The problem is Eve can also decrypt the message, if she is a member of the
community and assigned a pair of exponents (eE, dE).
• Implementation – Timing attack:
• Eve intercepts a large number of ciphertexts C1, C2, … to Cm.
• Eve observes how long it takes for the underlying hardware to calculate a
multiplication operation from t1 to tm (t is the time required to calculate the
multiplication operation).
• The timing difference allows Eve to find the value of bits in d, one by one.
Implementation – Power attack
• Eve can precisely measure the power consumed during decryption and can launch
a power attack.
• Multiplication and squaring consume more power.
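Where the timing and power difference comes from, and one common way to remove it, as an added example that is not part of the original slides. It counts modular operations for plain square-and-multiply next to a Montgomery ladder (a technique swapped in here, not named on the slides) using the slide's key d = 3031, n = 3599; Python integers are not constant-time, so the counts illustrate the operation pattern only.

```python
# Added example: operation counts of two modular exponentiation routines.

def modexp_square_and_multiply(c, d, n):
    """Left-to-right square-and-multiply. Returns (c^d mod n, extra multiplications).

    The extra multiplication happens only for 1-bits of d, so the amount of work
    (time, power) depends on the secret exponent.
    """
    result, multiplications = 1, 0
    for bit in bin(d)[2:]:
        result = result * result % n          # squaring: done for every bit
        if bit == "1":
            result = result * c % n           # multiply: done only for 1-bits
            multiplications += 1
    return result, multiplications

def modexp_ladder(c, d, n):
    """Montgomery ladder. Returns (c^d mod n, total modular operations).

    Every bit costs exactly one multiplication and one squaring, whatever its value.
    """
    r0, r1, operations = 1, c % n, 0
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        operations += 2
    return r0, operations

# Values from the solved exercise above; plaintext 5 is a constructed sample.
N, E, D = 3599, 31, 3031
SAMPLE_C = pow(5, E, N)

if __name__ == "__main__":
    for d in (D, 2048):                       # same bit length, different 1-bit count
        _, m = modexp_square_and_multiply(SAMPLE_C, d, N)
        _, ops = modexp_ladder(SAMPLE_C, d, N)
        print(f"d={d:5d} ({bin(d)[2:]}): data-dependent multiplies={m}, ladder ops={ops}")
```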
• Optimal Asymmetric Encryption Padding (OAEP)
