
2.2-Symmetric and Asymmetric Ciphers

The document discusses principles of data protection, focusing on symmetric and asymmetric ciphers, classical cryptography, and cryptanalysis. It explains the cryptosystem model, including key generation, encryption, and decryption processes. Additionally, it covers various encryption techniques, such as substitution and transposition methods, and highlights the importance of security principles in cryptographic systems.

Uploaded by

oliviagames152

Topic 2.

Principles of Data Protection

COURSE DATA PROTECTION & CYBERSECURITY


Contents

2.1 Introduction to cryptography-based data protection


2.2 Symmetric and asymmetric ciphers
2.3 Hash functions and message authentication codes
2.4 Digital signature and public key certificates
2.5 Confidentiality and integrity in communications: HTTPS and VPN

Sergio Pastrana
Contents

2.2 Symmetric and asymmetric ciphers


2.2.1 Introduction
2.2.2 Classical cryptography
2.2.3 Symmetric encryption
2.2.3.1 Introduction
2.2.3.2 Stream ciphers
2.2.3.3 Block ciphers
2.2.3.4 Confidentiality operation modes
2.2.4 Asymmetric encryption

CRYPTOSYSTEM MODEL (encryption)

[Figure: key generation produces kE and kD. ALICE encrypts the plaintext (PT) with kE; the cryptogram or ciphertext (CT) travels over an insecure channel; BOB decrypts it with kD to recover the plaintext (PT).]

kE and kD might or might not coincide

CRYPTOSYSTEM MODEL (encryption)
• Message space:
M = {m1, m2, ..., mn}
• Ciphertext space:
C = {c1, c2, ..., cn}
• Key space:
K = {k1, k2, ..., k_nk}
• Set of encryption functions:
Ek : M → C
• Set of decryption functions:
Dk : C → M

CRYPTOSYSTEM MODEL (encryption)

• Characterized along three independent dimensions:


– Type of operations used for transforming plaintext to ciphertext
• Generally, substitutions and transpositions without information loss.
• Typically, algorithms use the product of various operations.
– Number of keys used
• Symmetric or with one key (also known as secret key algorithms)
• Asymmetric or with two keys (also known as public key algorithms)
– Way of processing plaintext
• A block of N elements at a time (Block Cipher algorithms)
• A stream of byte or bit elements (Stream Cipher algorithms)

CODES VS CIPHERS
– Coding system
M → Algorithm → C
C = f(M)
– Encryption system
M → Algorithm → C
C = E(k, M) = Ek(M)

CRYPTANALYSIS
• CRYPTANALYSIS:
– Methods used to extract knowledge from encrypted data, without having access to the secret information
– Kerckhoffs's principle:
"A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
Auguste Kerckhoffs von Nieuwenhof (1835-1903), La cryptographie militaire, 1883.
– 'Security through obscurity' should not be the choice
• In other words, better consider a white-box adversary

CRYPTANALYSIS

• Goal of the cryptanalyst:
– Main: Recover decryption key
– Secondary: Decrypt a ciphertext

• Approaches of the cryptanalyst / attacker:
– Brute force attacks
– Attacks to the algorithm
A cryptographic "break" is anything faster than a brute-force attack

CLASSICAL CRYPTOGRAPHY
• INTRODUCTION

CLASSIC CRYPTOGRAPHY (5th century B.C.)


Greek: kryptos = hidden

• Needed a key and a ciphering algorithm.


• Symmetric ciphers: both parties must use the same key for encryption
and decryption.
• The intention was to guarantee confidentiality concealing the contents of
the messages.

CLASSICAL CRYPTOGRAPHY
• INTRODUCTION

Two basic techniques are used. Both of them work with characters:

– Substitution: each character or letter in the plaintext is modified or substituted by another element in the ciphertext.

– Transposition or permutation: all characters or letters in the plaintext are rearranged in the ciphertext, according to some rule, without any modification.

(Shannon formalized these statements some centuries later)

CLASSICAL CRYPTOGRAPHY
• EXAMPLE: TRANSPOSITION BY COLUMNS/ROWS
• How it works:
1. Symbols are placed following a certain geometric pattern,
2. And then extracted according to a certain path.
Bidimensional pattern (matrix).
– Symbols are placed in consecutive rows (columns) and then extracted column by column (row by row) from the first to the last.

M = THIS IS AN EXAMPLE OF COLUMN TRANSPOSITION

T H I S I
S A N E X
A M P L E
O F C O L
U M N T R
A N S P O
S I T I O
N X X X X

C = TSAOUASN HAMFMNIX INPCNSTX SELOTPIX IXELROOX
CLASSICAL CRYPTOGRAPHY
• EXAMPLE: COLUMNAR TRANSPOSITION, WITH A KEY
Key = SPAIN (alphabetical order: A,I,N,P,S)
M = THIS IS AN EXAMPLE OF COLUMN TRANSPOSITION

Written under the key:    Columns sorted by key letter:
S P A I N                 A I N P S
T H I S I                 I S I H T
S A N E X                 N E X A S
A M P L E                 P L E M A
O F C O L                 C O L F O
U M N T R                 N T R M U
A N S P O                 S P O N A
S I T I O                 T I O I S
N X X X X                 X X X X N

C = INPCNSTX SELOTPIX IXELROOX HAMFMNIX TSAOUASN
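
Both transposition slides can be reproduced with a short program. This is an added example, not part of the original slides: the function names are illustrative, and the ciphertext is returned without the spaces the slides print between columns.

```python
import math
from collections import Counter


def column_order(key):
    """Indices of the key's columns in alphabetical order of their letters.

    Repeated key letters are read left to right (an assumption; the slides
    only use a key without repeated letters).
    """
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(plaintext, key, pad="X"):
    """Write the letters row by row under the key, read them column by column."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    cols = len(key)
    rows = math.ceil(len(text) / cols)
    text = text.ljust(rows * cols, pad)      # fill the last row, as on the slide
    grid = [text[r * cols:(r + 1) * cols] for r in range(rows)]
    return "".join(grid[r][c] for c in column_order(key) for r in range(rows))


def transposition_decrypt(ciphertext, key):
    """Refill the columns in key order, then read the grid row by row."""
    cols = len(key)
    if len(ciphertext) % cols:
        raise ValueError("ciphertext length must be a multiple of the key length")
    rows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(rows)]
    for n, c in enumerate(column_order(key)):
        for r in range(rows):
            grid[r][c] = ciphertext[n * rows + r]
    return "".join("".join(row) for row in grid)


def same_letter_counts(a, b):
    """Transposition only moves letters, so letter frequencies are unchanged."""
    return Counter(a) == Counter(b)


if __name__ == "__main__":
    message = "THIS IS AN EXAMPLE OF COLUMN TRANSPOSITION"
    # A key already in alphabetical order gives the plain column read-out.
    print(transposition_encrypt(message, "ABCDE"))
    c = transposition_encrypt(message, "SPAIN")
    print(c)
    print(transposition_decrypt(c, "SPAIN"))
    print(same_letter_counts(c, transposition_decrypt(c, "SPAIN")))
```

The last check is why transposition alone does not hide the language of the message: the letter counts of the ciphertext are those of the padded plaintext.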

CLASSICAL CRYPTOGRAPHY
• SUBSTITUTION
NUMERICAL REPRESENTATION OF THE ALPHABETS
• 27 letters alphabet: (A, B,..., Z) → (0, 1,...,26)
• 37 letters alphabet: (A, B,..., Z, 0, 1, ...9) → (0, 1,...,36)
Spanish alphabet → 27 letters
English alphabet → 26 letters

CLASSICAL CRYPTOGRAPHY
– EXAMPLE: SIMPLE MONOALPHABETIC SUBSTITUTION - CAESAR CIPHER
E3(x) = (x + 3) mod 27
D3(x) = (x - 3) mod 27
Spanish alphabet → mod 27
English alphabet → mod 26

M = NUNCA VI NEVAR TANTO
C = PXPFD YL PHYDU WDPWR

Reminder: mod n

• Reduction modulo n
Let a, n ∈ Z (n ≠ 0). Reduction modulo n is the function that, applied to a, returns r ∈ Z+ ∪ {0} such that r ∈ {0, 1, ..., n-1} and a ≡ r (mod n)
a (mod. n) = r ⇒ a ≡ r (mod. n) and r ∈ {0, 1, ..., n-1}

Note: "r is the remainder of the integer division of a by n (for a > 0)"
26 (mod. 5) = 5 · 5 + 1 (mod. 5) = 1 (1<5-1) therefore 26 ≡ 1 (mod. 5)
30 (mod. 7) = 4 · 7 + 2 (mod. 7) = 2 (2<7-1) therefore 30 ≡ 2 (mod. 7)
11 (mod. 33) = 11 (11<33-1)
256 (mod. 8) = 32 · 8 + 0 (mod. 8) = 0 (0<8-1) therefore 256 ≡ 0 (mod. 8)
-17 (mod. 12) ≡ -17 + 2 · 12 = 7 (7<12-1) therefore -17 ≡ 7 (mod. 12)

CLASSICAL CRYPTOGRAPHY
• SIMPLE MONOALPHABETIC SUBSTITUTION (MONOGRAPHIC)
Substitution of 1 character of plaintext by 1 character of ciphertext

E(mi) = (a·mi + b) mod n
a : decimation constant
b : shift constant
n : number of letters of the alphabet (26 for English, 27 for Spanish)

Key = (a,b)

Condition for the equation to have a solution, and hence to allow decryption:
gcd(a,n) = 1
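
The substitution E(mi) = (a·mi + b) mod n and the gcd(a,n) = 1 condition can be checked with a short program. This is an added example, not part of the original slides; the function names are illustrative, and the 27-letter Spanish alphabet is assumed to place Ñ after N. With a = 1 and b = 3 it reproduces the Caesar example above.

```python
from math import gcd

SPANISH = "ABCDEFGHIJKLMNÑOPQRSTUVWXYZ"   # n = 27 (Ñ after N: assumption)
ENGLISH = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"    # n = 26


def _check_key(a, n):
    """Reject keys for which E is not a bijection on the alphabet."""
    if gcd(a, n) != 1:
        raise ValueError(f"gcd({a}, {n}) != 1: the substitution cannot be inverted")


def affine_encrypt(text, a, b, alphabet):
    """E(m) = (a*m + b) mod n; characters outside the alphabet pass through."""
    n = len(alphabet)
    _check_key(a, n)
    index = {ch: i for i, ch in enumerate(alphabet)}
    return "".join(
        alphabet[(a * index[ch] + b) % n] if ch in index else ch
        for ch in text.upper()
    )


def affine_decrypt(text, a, b, alphabet):
    """D(c) = a^-1 * (c - b) mod n; a^-1 exists only when gcd(a, n) = 1."""
    n = len(alphabet)
    _check_key(a, n)
    a_inv = pow(a, -1, n)                 # modular inverse (Python 3.8+)
    index = {ch: i for i, ch in enumerate(alphabet)}
    return "".join(
        alphabet[(a_inv * (index[ch] - b)) % n] if ch in index else ch
        for ch in text.upper()
    )


def image_size(a, b, n):
    """How many distinct ciphertext letters x -> (a*x + b) mod n can produce."""
    return len({(a * x + b) % n for x in range(n)})


if __name__ == "__main__":
    # Caesar cipher = affine cipher with a = 1, b = 3 (Spanish alphabet, mod 27)
    print(affine_encrypt("NUNCA VI NEVAR TANTO", 1, 3, SPANISH))
    # A valid English key: gcd(5, 26) = 1, all 26 letters are reachable
    print(image_size(5, 8, 26), affine_encrypt("HELLO", 5, 8, ENGLISH))
    # Invalid keys collapse several plaintext letters onto one ciphertext letter
    print(image_size(13, 0, 26), image_size(3, 3, 27))
```

When gcd(a,n) ≠ 1 the map sends several plaintext letters to the same ciphertext letter, so no decryption function can exist.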

CLASSICAL CRYPTOGRAPHY
• PERIODIC POLYALPHABETIC SUBSTITUTION

Blaise de Vigenère (French cryptographer, 1523-1596)

– 26 encryption alphabets = 26 possible Caesar monoalphabetic substitutions
– Key determines the used encryption alphabet. Each char ki → 1 shift bi
– K = k0, k1, …, ki, …, kL-1 → periodic sequence of shifts b0, b1, …, bi, …, bL-1

E(mj) = (mj + bi) mod 26, with i = j mod L

where:
bi = shift for alphabet i
mj = letter in the j-th position in the text
E(mj) = Encrypted character

CLASSICAL CRYPTOGRAPHY
Vigenère's table (English alphabet, 26 letters)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A : A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B : B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C : C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D : D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E : E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F : F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G : G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
… … … … … … … … … … … … … … … … … … … … … … … … …
T : T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U : U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V : V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W : W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X : X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y : Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z : Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
CLASSICAL CRYPTOGRAPHY
Vigenère's table (English alphabet, 26 letters)
[Figure: the same table annotated with the labels "Plaintext alphabets", "Encryption alphabet" and "Encryption alphabet with ki == "Y" (bi = 24)".]

CLASSICAL CRYPTOGRAPHY
Vigenère's key:

• The key defines the shift used for each letter in the plaintext, e.g.: SOL

• Encryption
Message:      H E L L O M A T E
Periodic key: S O L S O L S O L
Ciphertext:   Z S W D C X S H P

• Using the table:

   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
S: S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
O: O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
L: L M N O P Q R S T U V W X Y Z A B C D E F G H I J K

CLASSICAL CRYPTOGRAPHY
• Enigma machine
• Used in World War II by Germany for encryption and decryption of top
secret documents.

CRYPTANALYSIS
• Brute-force attack
– Try every possible key
– Worst case (for the attacker): try all the keys
– Best case (for the attacker): try only one key
– On average, half of the keys must be tried

EXAMPLE: CIPHER TEXT: HAAH JRHA KHDU
---------------------------
Shift: 0: haah jrha khdu
Shift: 1: ibbi ksib liev
Shift: 2: jccj ltjc mjfw
Shift: 3: kddk mukd nkgx
Shift: 4: leel nvle olhy
Shift: 5: mffm owmf pmiz
Shift: 6: nggn pxng qnja
Shift: 7: ohho qyoh rokb
Shift: 8: piip rzpi splc
Shift: 9: qjjq saqj tqmd
Shift: 10: rkkr tbrk urne
Shift: 11: slls ucsl vsof
Shift: 12: tmmt vdtm wtpg
Shift: 13: unnu weun xuqh
Shift: 14: voov xfvo yvri
Shift: 15: wppw ygwp zwsj
Shift: 16: xqqx zhxq axtk
Shift: 17: yrry aiyr byul
Shift: 18: zssz bjzs czvm
Shift: 19: atta ckat dawn
Shift: 20: buub dlbu ebxo
Shift: 21: cvvc emcv fcyp
Shift: 22: dwwd fndw gdzq
Shift: 23: exxe goex hear
Shift: 24: fyyf hpfy ifbs
Shift: 25: gzzg iqgz jgct

So the decryption key is 19, the encryption key is therefore 7 = 26 - 19.

CRYPTANALYSIS
• Average time required for exhaustive key search (half of the keys)

Key size (bits) | Number of alternative keys | Time required at 10^9 decryptions/s (reasonable assumption) | Time required at 10^13 decryptions/s (parallel processing assumption)
56 | 2^56 = 7,2 · 10^16 | 2^55 ns = 1,125 years | 1 hour
128 | 2^128 = 3,4 · 10^38 | 2^127 ns = 5,3 · 10^21 years | 5,3 · 10^17 years
168 | 2^168 = 3,7 · 10^50 | 2^167 ns = 5,8 · 10^33 years | 5,8 · 10^29 years
192 | 2^192 = 6,3 · 10^57 | 2^191 ns = 9,8 · 10^40 years | 9,8 · 10^36 years
256 | 2^256 = 1,2 · 10^77 | 2^255 ns = 1,8 · 10^60 years | 1,8 · 10^56 years
26 characters (permutation) | 26! = 4 · 10^26 | 2 · 10^26 ns = 6,3 · 10^9 years | 6,3 · 10^6 years

Source: Cryptography and Network Security. Principles and Practice. Stallings

CRYPTANALYSIS

All classical ciphers are vulnerable

Frequency Analysis
[Figure: letter distribution in English language]

CRYPTANALYSIS
Frequency Analysis

English also has a number of common letter patterns that we can also use to help decrypt monoalphabetic ciphers:

Common pairs: TH, EA, OF, TO, IN, IT, IS, BE, AS, AT, SO, WE, HE, BY, OR, ON, DO, IF, ME, MY, UP
Common repeated letters: SS, EE, TT, FF, LL, MM and OO
Common triplets: THE, EST, FOR, AND, HIS, ENT or THA

Visit
https://www.simonsingh.net/The_Black_Chamber/crackingsubstitution.html

Modern ciphers

• Classification of modern ciphers

– According to the number of symbols encrypted at a time


• Stream (1 symbol or a few)
• Block (many)

– According to the key used:


• Symmetric (Secret key)
• Asymmetric (Public key)

Symmetric cryptosystem model (encryption)
k = secret key shared between sender and receiver

[Figure: the Sender encrypts the plaintext M with k; the cryptogram C crosses the insecure channel; the Receiver decrypts it with k to recover the plaintext M.]

Secure channel needed to share k

C = E(k, M) = Ek(M)
M = D(k, C) = Dk(C)

Asymmetric (public key) cryptosystem model (encryption)

ku = receiver's public key, known by the receiver
kv = receiver's private key, known ONLY by the receiver

[Figure: the Sender encrypts the plaintext M with ku; the cryptogram C crosses the insecure channel; the Receiver decrypts it with kv to recover the plaintext M.]

C = E(ku, M) = Eku(M)
M = D(kv, C) = Dkv(C)

Modern ciphers

• STREAM CIPHERS / BLOCK CIPHERS
• SECRET KEY (or Symmetric) / PUBLIC KEY (or Asymmetric)

Stream ciphers vs block ciphers

Stream ciphers
• Bit by bit, or byte by byte

Block ciphers
• Symmetric: blocks of 128 bits (16 bytes), 256 bits (32 bytes)
• Asymmetric: "blocks" (data payload) of 128, 256, 512 bytes

Stream ciphers. Introduction
• They divide the whole message in symbols
(characters or bits):
M = m1, m2, ... mn

• They encrypt each of those symbols mi with the corresponding symbol ki of a keystream of a given length
– Ideally infinite and random
• K = k1, k2, ... kn, kn+1, …

• EK (M) = Ek1 (m1) Ek2 (m2)... Ekn (mn)

One-time-pad (Vernam)
• Encryption: E(M) = M ⊕ K = m1 ⊕ k1, m2 ⊕ k2, …, mn ⊕ kn

  1 0 0 1 1 1 0 1   M
⊕ 0 0 1 0 0 1 0 1   K
  1 0 1 1 1 0 0 0   C = E(M)

• Decryption: M = C ⊕ K

• Shannon showed that the one-time pad is unconditionally secure (perfect secrecy), i.e., if the key K in the Vernam cipher is:
– Truly random
– Of length equal to or greater than the message (M) length
– Used only once

Stream ciphers. Introduction
• Vernam is not a practical cipher
• Instead stream ciphers are used, where a deterministic keystream K is obtained from a base key (seed) with a PRNG

[Figure: sender and receiver each feed the securely shared base key into a keystream generator (PRNG) that outputs K = k1 k2 k3…; the sender computes C = M ⊕ K, C crosses the insecure channel, and the receiver computes M = C ⊕ K.]

Pseudorandom Number Generators (PRNG)

• Deterministic algorithmic techniques are used to create "random numbers"
– They are not truly random
– But they can pass many tests of “randomness”
– They must be also unpredictable (forward and backward)
• Known as “pseudorandom numbers”
• Characteristics of the seed
– Securely transmitted/stored
– If known, adversary can determine output (keystream and
plaintext); so it must be random or pseudorandom

Pseudorandom Number Generators (PRNG)
• Based on existing cryptographic algorithms
– Symmetric ciphers
– Asymmetric ciphers
– Hash functions
• Ad-hoc
– Shift register generator
– LFSR (linear feed-back shift register)
– A5/1 (2000)
– A5/2 (2001)
– RC4 PRNG

Types of stream ciphers
• Synchronous
• Sender and receiver have to be externally synchronized
• Keystream generation is done independently of the plaintext and the ciphertext

[Figure: on each side the base key feeds a keystream generator that outputs K; M ⊕ K = C at the sender and C ⊕ K = M at the receiver.]

Types of stream ciphers
• Self-synchronized
• Sender and receiver are automatically synchronized
– by means of a certain number of keystream bits
• Keystream is a function of previously encrypted symbols

[Figure: on each side the base key feeds a keystream generator that outputs K; M ⊕ K = C at the sender and C ⊕ K = M at the receiver.]

Stream ciphers. Pros & cons
• Advantages:
– Character by character (8-bit) or bit by bit transformation
• High encryption rates
– Easy implementation
– Error resistance. Channel errors do not propagate through
the sequence

• Disadvantages:
– Poor diffusion of the information
• Information of each symbol of plaintext M is exclusively
passed onto the corresponding ciphertext (C) element
– Keystreams are never purely random
• Deterministic keystream generation
– Key reuse issue
Stream ciphers. Cryptanalysis
• Key reuse issues:
– Known plaintext attack
Having M and C, K is calculated as follows:
M ⊕ C = M ⊕ M ⊕ K = K

– Known ciphertext attack
It is possible to obtain Mi choosing 2 ciphertexts (Ci and Cj chosen, with Mj predictable):
Ci ⊕ Cj = Mi ⊕ K ⊕ Mj ⊕ K = Mi ⊕ Mj
Ci ⊕ Cj ⊕ Mj = Mi
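
The two identities above, and the effect of never repeating a keystream, can be checked with a short program. This is an added example, not part of the original slides: the SHA-256 based keystream generator is a stand-in chosen for this example, and the messages, seed and nonces are constructed sample values.

```python
import hashlib


def keystream(seed, length, nonce=b""):
    """Stand-in keystream generator: SHA-256 over seed, nonce and a counter.

    Assumption for this example only; it is not one of the generators
    named on the slides.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(seed, message, nonce=b""):
    """C = M xor K. Calling it again on C with the same inputs decrypts."""
    return xor_bytes(message, keystream(seed, len(message), nonce))


def recover_keystream(known_plaintext, ciphertext):
    """Known plaintext: M xor C = M xor M xor K = K."""
    return xor_bytes(known_plaintext, ciphertext)


def recover_other_message(c_i, c_j, m_j):
    """Same K used twice: C_i xor C_j xor M_j = M_i."""
    return xor_bytes(xor_bytes(c_i, c_j), m_j)


# Constructed sample data (both messages are 25 bytes long)
SEED = b"shared base key"
M_I = b"TRANSFER 100 EUR TO ALICE"
M_J = b"WEATHER REPORT: SUNNY DAY"

if __name__ == "__main__":
    # Keystream reused for both messages: the identities from the slide hold
    c_i = stream_encrypt(SEED, M_I)
    c_j = stream_encrypt(SEED, M_J)
    print(recover_keystream(M_J, c_j) == keystream(SEED, len(M_J)))
    print(recover_other_message(c_i, c_j, M_J))

    # A different nonce per message gives a different keystream each time,
    # so the same computation no longer yields M_i
    d_i = stream_encrypt(SEED, M_I, nonce=b"\x00\x01")
    d_j = stream_encrypt(SEED, M_J, nonce=b"\x00\x02")
    print(recover_other_message(d_i, d_j, M_J) == M_I)
```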

Stream ciphers. Robustness

• New stream ciphers: eStream competition
https://competitions.cr.yp.to/estream.html
• Robustness of current stream ciphers:

Secure Legacy Not recommended

HC-128 Grain 128 Grain A5/1
ChaCha Snow 2.0 Rabbit A5/2
Salsa20/20 Snow 3G MICKEY 2.0 E0
SOSEMANUK Trivium RC4

Source: ECRYPT-CSA. Algorithms, Key Size and Protocols Report (2018), 28 February 2018
https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf

Block ciphers
• M is divided in blocks of equal length:
M1, M2, ... Mn

• Each block is encrypted with the same key


C = Ek (M) = Ek (M1) Ek (M2) ... Ek (Mn)

• Typical block sizes 64, 128 or 256 bits

• Reversible mapping between M and C blocks

Block ciphers. Very simple BC

• Naive block cipher defined by this table
– block size of 4 bits
– key size of 3 bits

Source: Criptografía y Ocultación de la Información (2015). J. Tapiador, P. Peris
Block ciphers. Very simple BC

• Key = 4
• Encrypted message:
2F E5 E3 E5 2D 2D E5 22 D0 7F D0 20 E3
• plaintext?

Source: Criptografía y Ocultación de la Información (2015). J. Tapiador, P. Peris
Decryption

• 2F E5 E3 E5 2D 2D E5 22 D0 7F D0 20 E3
Using the cipher table
• 74 6f 6d 6f 72 72 6f 77 20 34 20 70 6d
https://www.binaryhexconverter.com/hex-to-binary-converter
• 01110100011011110110110101101111011100100111001001101111011101110010000000110100001000000111000001101101
https://www.binaryhexconverter.com/binary-to-ascii-text-converter
• tomorrow 4 pm

Encryption

• M: tomorrow 4 pm
https://www.binaryhexconverter.com/ascii-text-to-hex-converter
• 74 6f 6d 6f 72 72 6f 77 20 34 20 70 6d
Using the cipher table (K = 4)
• 2F E5 E3 E5 2D 2D E5 22 D0 7F D0 20 E3

Block ciphers. Principles
• Substitution of very long "characters"
– 64 bits or more
• Ideal block cipher
– n: block size. E.g.: 64
– Substitution tables (mapping) of 2^n bits
• 2^n! possible keys (the key is the mapping of Mi to Ci)
– Not practical

Block ciphers. Principles
• Block cipher (Feistel 1975)
– Confine to a subset of the 2^n! possible keys
• k: key size
• 2^k possible keys
– Product cipher
• Substitution (S-box)
• Permutation (P-box)
– Practical application of Shannon's proposal (1949)
• Diffusion
• Confusion

Block ciphers. Principles

• Methods to thwart cryptanalysis


– Diffusion
• statistical structure of M is dissipated in C
• each C bit is affected by many M bits
• achieved performing some permutation on Mi followed by a function on that
permutation

– Confusion
• seeks to make C - k statistical relationship as complex as possible
• achieved by the use of a complex substitution algorithm

Block ciphers. Scheme
[Figure: INPUT → INITIAL TRANSFORMATION → NON LINEAR CRYPTOGRAPHIC TRANSFORMATION (repeated for a NUMBER OF ROUNDS) → FINAL TRANSFORMATION → OUTPUT. A SUBKEY GENERATION ALGORITHM derives the round subkeys from the KEY.]

Block ciphers. Scheme

• Main options for non-linear cryptographic transformation

– Feistel scheme
• Camellia
• Blowfish, KASUMI, Three-Key 3DES, Two-Key 3DES
• DES

– Substitution-permutation network scheme


• AES, SERPENT

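Block ciphers. Feistel scheme
[Figure: the block Mi is split into L0 and R0. In each round, F is applied to the right half with the round subkey (k1 in the first round), the result is XORed (⊕) with the left half, and the halves are swapped, giving L1, R1, ..., Ln-1, Rn-1 and finally Ln, Rn, which form Ci.]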
Block ciphers. Feistel scheme
• Divide the block into two halves L0 and R0
• Substitute the left half
– Apply a round function F (non linear) to the right half of the data and then XOR the output and the left half
• F is a function of the right half and the round subkey ki
• Permute the two halves
• Repeat it n rounds

Block ciphers. Feistel scheme
• Decryption uses the same circuit as encryption
– Just use the subkeys in reverse order
– A final permutation is needed
• In practice the design problem is reduced to:
– Develop a good subkey generation algorithm
– Develop a good round function F
– Many block ciphers follow the Feistel scheme, but not all
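
The Feistel steps from the last two slides fit in a few lines of code. This is an added example, not part of the original slides and not a real cipher: the round function F and the subkey generation both use truncated SHA-256 as stand-ins, and all names are illustrative. It shows that the same circuit decrypts when the subkeys are reversed, even though F itself cannot be inverted.

```python
import hashlib


def round_function(right, subkey):
    """F(R, k): non-linear function of the right half and the round subkey.

    Truncated SHA-256 is a stand-in chosen for this example. F does not
    need to be invertible for the Feistel scheme to be invertible.
    """
    return hashlib.sha256(subkey + right).digest()[:len(right)]


def derive_subkeys(key, rounds):
    """Toy subkey generation algorithm: one hash of the key per round."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, rounds + 1)]


def feistel_network(block, subkeys):
    """Run the Feistel rounds over one block with the given subkey sequence."""
    if len(block) % 2:
        raise ValueError("block must split into two equal halves")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in subkeys:
        # L_i = R_(i-1);  R_i = L_(i-1) xor F(R_(i-1), k_i)
        f_out = round_function(right, k)
        left, right = right, bytes(a ^ b for a, b in zip(left, f_out))
    # Final permutation: swap the halves so the same circuit also decrypts
    return right + left


def feistel_encrypt(block, key, rounds=16):
    return feistel_network(block, derive_subkeys(key, rounds))


def feistel_decrypt(block, key, rounds=16):
    # Same circuit, subkeys in reverse order
    return feistel_network(block, derive_subkeys(key, rounds)[::-1])


def bit_difference(a, b):
    """Number of bit positions in which two equal-length blocks differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key = b"constructed demo key"
    block = b"ATTACK AT DAWN!!"                   # 16 bytes = 128-bit block
    ct = feistel_encrypt(block, key)
    print(ct.hex())
    print(feistel_decrypt(ct, key))
    # Diffusion: flipping one plaintext bit changes many ciphertext bits
    flipped = bytes([block[0] ^ 1]) + block[1:]
    print(bit_difference(ct, feistel_encrypt(flipped, key)), "of 128 bits differ")
```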

Block ciphers. Substitution–permutation network scheme
• Round function usually consists of three steps:
– Mix Mi with subkey ki
– Substitution using a set of Substitution-Boxes (S-boxes)
– Permutation using a set of Permutation-Boxes (P-boxes)
• Repeated in each round

[Figure: substitution-permutation network. By GaborPete - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6420152]
Data Encryption Standard (DES)
• Key: 64 bits
– (8 parity bits)
• Block size: 64 bits
• Rounds: 16
– Last one needs one additional permutation (*)
• Internal keys:
– 16 48-bits keys
• Mathematical basis:
– substitutions
• linear
• non linear
– permutations

[Figure: encryption: INPUT [plaintext] (64 bits) → INITIAL PERMUTATION (IP) → ROUNDS C1 to C*16 → INVERSE INITIAL PERMUTATION (IP-1) → OUTPUT [C] (64 bits). Decryption: INPUT [ciphertext] (64 bits) → INITIAL PERMUTATION (IP) → ROUNDS C16 to C*1 → INVERSE INITIAL PERMUTATION (IP-1) → OUTPUT [M] (64 bits). Both sides take the KEY (56 useful bits) through KEY EXPANSION (K1 … K16).]
Data Encryption Standard (DES)
• 1971 LUCIFER: IBM research project finishes (Feistel)
– Key size: 128 bits
• 1974: NBS (now NIST) request for proposals for a national (USA) cipher standard
• 1976: A modified version of LUCIFER wins
– Key size reduced to 56 in order to fit on a single chip
– NSA changed the S-boxes
• 1977: DES standard for commercial, bank and unclassified communications
• 1983, 1988, 1993: NIST reaffirmed DES as a standard

Data Encryption Standard (DES)
• 1990: Differential cryptanalysis (Biham and Shamir)
– 2^47 chosen plaintexts needed. Effort of 2^47 encryptions
– Lucifer was vulnerable but DES is not
• 1993: Linear Cryptanalysis (Matsui)
– 2^43 known plaintexts needed
• 1998: DES Cracker from Electronic Frontier Foundation
– 56 hours
– Using 1536 dedicated chips
– $250K, less than a year to build it
• 1999: DES Cracker version 2
– 22 hours
– Combines 100K PCs

Data Encryption Standard (DES)
• 1999: Triple DES as new standard
– 3 DES with 2 keys => 112 bit key
• C = E(k1, D(k2, E(k1,M)))
• Compatibility with simple DES if k1=k2
– 3 DES with 3 keys => 168 bit key
• C = E(k3, D(k2, E(k1,M)))
– DES just for legacy systems
• 1997-2001: new contest and new standard
– AES (Advanced Encryption Standard)
– AES contest:
(https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/archived-crypto-projects/aes-development)

Advanced Encryption Standard (AES)

Sept 1997 | Call for proposals | A lot of candidates
Aug 1998 | First AES conference | 15 candidates
Jun 1999 | Second AES conference | Analysis of the 15 candidates
Aug 1999 | 5 finalists announced | Second phase starts
Apr 2000 | Third AES Conference | Analysis of the 5 finalists
Oct 2, 2000 | The winner is announced | Rijndael is the winner!!!!!!!!

• Rijndael (Belgium), MARS (USA), RC6 (USA), Twofish (USA), Serpent (UK,ISRAEL,NORWAY)

Advanced Encryption Standard (AES)
• Operates on blocks of 16 bytes (128 bits)
• Accepts 3 key sizes of 16, 24 or 32 bytes (128, 192, 256 bits)
• Substitution-permutation network (not a Feistel network)
• Fast in SW and HW, easy to implement and low memory requirements
• Based on 4 reversible functions, applied n rounds
• State matrix evolution
• Informal description:
– http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

Block ciphers. Pros and cons

Advantages:
• Symmetry:
– Encryption and decryption are similar
– Same circuit allows encryption and decryption (not always, e.g. AES)
• High diffusion
• Fundamentals studied in depth
• Efficiency
– High encryption speed
– Easy implementation

Disadvantages:
• Slower than stream ciphers
• Error propagation (within block)
• Need padding
– Padding gives clues to cryptanalysts
– If M length is not a multiple of the block size, C length is bigger
• Vulnerable to attacks if blocks are repeated and other vulnerabilities → Need of operation modes
– Easy implementation

Block ciphers. Cryptanalysis
• Calculating an AES key (brute force)
https://security.stackexchange.com/questions/82389/calculate-time-taken-to-break-aes-key

• First key-recovery attacks on full AES (2011)


– Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
– Meet-in-the-middle attacks with bicliques
– It is faster than brute force by a factor of about four.
– It requires 2^126.2 operations to recover an AES-128 key, and storage space for 2^88 bits of data.
– Still billions of years to brute force on current and foreseeable hardware and about 38 trillion terabytes of data.
• Improved attack (2015)
– Biaoshuai Tao, Hongjun Wu
– Same time complexity but reduced data complexity to 2^56

Block ciphers. Robustness

• Robustness of current (symmetric) block ciphers:

Secure Legacy Not recommended

AES Three-Key 3DES DES
Camellia Two-Key 3DES
Serpent Kasumi
Blowfish >= 80b

Source: ECRYPT-CSA. Algorithms, Key Size and Protocols Report (2018), 28 February 2018
https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf

Confidentiality operation modes
• Technique for enhancing the effect of a cryptographic
algorithm or adapting the algorithm for an application
• Intended for use with any symmetric block cipher
• Five confidentiality modes defined by NIST (SP 800-38A)

Electronic Code Book ECB


Cipher Block Chaining CBC
Cipher Feedback CFB
Output Feedback OFB
Counter Mode CTR

There are other modes designed for other or more specific needs

Electronic CodeBook (ECB)

ECB mode. Problem
• The same block of plaintext produces the same ciphertext
[Figures: original image; image encrypted using ECB; image encrypted using any other mode]

ECB mode. Advantages and disadvantages
• Advantages:
– Block encryption and decryption can be executed in parallel
– Ideal for a short amount of data
• e.g. symmetric key
– Bit errors in transmission do not propagate

• Disadvantages:
– Repeated plaintext blocks produce repeated ciphertext blocks
– It is possible to modify the order of the blocks or eliminate them
– Padding of the last block is necessary
• E.g.: add zero bytes and a last byte reporting #padding_bytes

ECB mode insecurity

• What if two plaintext blocks are encrypted?
– Patterns in encrypted data
– Adversary knows it does not come from an ideal block cipher

• What if the same message is encrypted twice with the same key?
– We would know that two ciphertexts come from the same plaintext

Cipher Block Chaining (CBC). Encryption

• IV confidential to parties (integrity reasons)
– Use ECB for its transmission

Cipher Block Chaining (CBC). Decryption

• A bit error in transmission affects two Mi
• Padding needed

Counter mode (CTR)
• Uses a counter of the size of a block (n)
• Initialized with a nonce (number used once)
– Incremented by 1 mod 2^n across consecutive blocks
• Does not need padding
– Remaining bits of the last output block are discarded
• Converts a block cipher into a stream cipher
– Keystream does not depend on the plaintext
– Works over blocks not over segments

Counter mode (CTR). Encryption
• Simplicity and random access

Counter mode (CTR). Decryption
• A bit error in transmission does not propagate
– It only affects a single bit of a block

CTR. Advantages

• Advantages of using CTR
– Parallel processing
– No padding
– No expansion of C over M
– Only the encryption algorithm is necessary
• Disadvantages
– Insecure if counter value is reused with the same key
– Long term → better to use authenticated encryption modes
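
The ECB problem and the CTR construction described in the slides above can be compared on a table-defined toy cipher with 4-bit blocks and a 3-bit key. This is an added example, not part of the original slides: the substitution table is constructed here from the key and is not the table from the slides, so its outputs differ from the slides' worked examples, and all names are illustrative.

```python
import random

BLOCK_VALUES = 16      # 4-bit blocks: 2^4 possible values
KEYS = 8               # 3-bit key: 2^3 possible keys


def make_table(key):
    """Constructed stand-in for the slides' table: one permutation of 0..15 per key."""
    if not 0 <= key < KEYS:
        raise ValueError("key must fit in 3 bits")
    table = list(range(BLOCK_VALUES))
    random.Random(key).shuffle(table)
    return table


def to_nibbles(data):
    """Split bytes into 4-bit blocks, high nibble first."""
    out = []
    for byte in data:
        out += [byte >> 4, byte & 0xF]
    return out


def from_nibbles(nibbles):
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def ecb_encrypt(data, key):
    """ECB: every block goes through the same table independently."""
    table = make_table(key)
    return from_nibbles([table[n] for n in to_nibbles(data)])


def ecb_decrypt(data, key):
    table = make_table(key)
    inverse = [0] * BLOCK_VALUES
    for plain, cipher in enumerate(table):
        inverse[cipher] = plain
    return from_nibbles([inverse[n] for n in to_nibbles(data)])


def ctr_crypt(data, key, nonce):
    """CTR: keystream block i = Enc(nonce + i mod 2^n), XORed with the data.

    Only the encryption direction of the table is used, and the same call
    both encrypts and decrypts.
    """
    table = make_table(key)
    return from_nibbles(
        [n ^ table[(nonce + i) % BLOCK_VALUES] for i, n in enumerate(to_nibbles(data))]
    )


if __name__ == "__main__":
    message = b"AAAAAAAA"                        # constructed: 16 identical-pattern blocks
    print(ecb_encrypt(message, 4).hex())         # the repetition is visible
    print(ctr_crypt(message, 4, 6).hex())        # the repetition is hidden
    # ECB blocks can be reordered without detection
    print(ecb_decrypt(ecb_encrypt(b"PAY BOB", 4)[::-1], 4))
    # With n = 4 the counter wraps after 2^4 blocks and the keystream repeats
    long_ct = ctr_crypt(b"A" * 16, 4, 6)
    print(long_ct[:8] == long_ct[8:])
```

The last line shows why the counter must never repeat under one key: with a 4-bit counter it wraps after 16 blocks, and from then on CTR leaks exactly as a reused keystream does.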

Block ciphers. Very simple BC with CTR OM

• Key = 4
• Plaintext message:
HI! → in ASCII!
• Nonce = 6
• Encrypted text? (in Hex)

Source: Criptografía y Ocultación de la Información (2015). J. Tapiador, P. Peris
Encryption
• Plaintext message in ASCII: HI!
• Convert ASCII to HEX (https://coding.tools/ascii-to-hex)
• Plaintext message in hex: M(i): 48 49 21
• We use the encryption table to generate the keystream with Key = 4 (base 10) and Nonce = 6 (base 10)
– Counter register will take the following values: CTR(i)={6, 7, 8, 9, A, B}
– Keystream (output of the cipher): Enc(CTR(i), K=4)={E, 2, 8, 6, A, 4}
• Now we compute XOR between plaintext and keystream (http://www.xor.pw/#)
• C = XOR(Enc(CTR(i), K=4), M(i)) = aa cf 8a

Confidentiality operation modes. Robustness

• Robustness of current confidentiality operation modes

Secure    Legacy    Not recommended
EME       OFB       ECB
FFX       CFB
CTR
CBC

Source: ECRYPT-CSA. Algorithms, Key Size and Protocols Report (2018), 28 February 2018
https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf

Contents

2.2 Symmetric and asymmetric ciphers
2.2.1 Introduction
2.2.2 Classical cryptography
2.2.3 Symmetric encryption
2.2.3.1 Introduction
2.2.3.2 Stream ciphers
2.2.3.3 Block ciphers
2.2.3.4 Confidentiality operation modes
2.2.4 Asymmetric encryption

Asymmetric encryption
• Asymmetric/public key/two keys
– Uses pairs of keys: (public key, private key)
– Public key (kU)
  • Known by everyone (it’s public!)
  • Used by a sender A to encrypt messages to B, the owner of the key pair
– Private key (kV)
  • Known only by the owner of the key pair
  • Used by the owner to decrypt messages sent by anyone to him/her
• Computationally infeasible to determine the private key from the public one

Asymmetric encryption
• Computational infeasibility assumption
– It is impossible to perform an exhaustive search
– Key size must be large enough
• Based on hard mathematical problems
– Not belonging to class P (polynomial time)
• Make use of trapdoor one-way functions
– Prime factorization (large numbers)
– Discrete logarithm
• They are slow in comparison with symmetric cryptosystems

Asymmetric encryption
• Notion of asymmetric encryption (Diffie-Hellman, 1976)

M → ENCRYPT (ku) → C → DECRYPT (kv) → M

C = E(ku, M) = E_ku(M)
M = D(kv, C) = D_kv(C)

Asymmetric encryption. Algorithms

• Based on integer factorization problem
– RSA (Rivest-Shamir-Adleman, 1977)
• Based on discrete logarithm problem
– ElGamal (Elgamal, 1985)
• Based on elliptic curve logarithm problem
– ECC (Miller, 1985; Koblitz, 1987)

RSA
• Bob:
1. Chooses pB, qB (very big primes, private)
2. Computes nB = pB · qB
3. Calculates φ(nB) = φ(pB) · φ(qB)
4. Chooses eB ∈ Z+ such that gcd(eB, φ(nB)) = 1
5. Calculates dB such that eB · dB = 1 mod φ(nB)
• public key: kU,B = (eB, nB)
• private key: kV,B = (dB, nB)

RSA
• Alice sends an encrypted message M to Bob
• (A) Computes ciphertext: C = M^eB mod nB

A → B: C = M^eB mod nB

• (B) Decrypts ciphertext: C^dB mod nB = M

RSA
• Proof:
• Because C = M^e mod n ⇒ C^d mod n = M^(ed) mod n
• By hypothesis ed = 1 mod φ(n) ⇒ ed = 1 + kφ(n)
• By Euler, M^φ(n) mod n = 1
• Then M^(ed) mod n = M^(1+kφ(n)) mod n = M
• So C^d mod n = M

RSA. Cryptanalysis

• Brute force
• Mathematical attacks (factoring the product of two primes)
• Side-channel attacks (e.g., Timing)
• Chosen ciphertext attacks
– RSA property: E(KU, M1) × E(KU, M2) = E(KU, [M1 × M2])
– Given C, we want to decrypt it
  • Compute X = (C × 2^e) mod n
  • Submit X as chosen ciphertext to obtain decryption Y = X^d mod n
  • X = (C × 2^e) mod n = (M^e mod n) × (2^e mod n) = (2M)^e mod n
  • Therefore Y = 2M mod n, from which we can deduce M
– Recommended: Optimal Asymmetric Encryption Padding (OAEP)
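Bob's key generation, the encryption and decryption formulas, and the multiplicative property behind the chosen-ciphertext steps above, carried through with small numbers to show why unpadded RSA needs OAEP. This is an added example, not part of the original slides; the primes 61 and 53, e = 17, the message 65 and all function names are constructed for the illustration.

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Bob's steps 2-5 for already chosen primes p, q and exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)          # phi(p) * phi(q) for primes p, q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)              # e * d = 1 mod phi(n)
    return (e, n), (d, n)

def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    return pow(m, e, n)              # C = M^e mod n

def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)              # M = C^d mod n

def decryption_oracle(priv, c: int, forbidden: int) -> int:
    # Models a key owner who decrypts anything except the target ciphertext.
    if c == forbidden:
        raise PermissionError("refusing to decrypt the target ciphertext")
    return rsa_decrypt(priv, c)

def recover_via_malleability(pub, c: int, oracle) -> int:
    """The slide's steps: X = C * 2^e mod n, Y = X^d = 2M mod n, M = Y / 2 mod n."""
    e, n = pub
    x = (c * pow(2, e, n)) % n
    y = oracle(x)
    return (y * pow(2, -1, n)) % n   # n is odd, so 2 is invertible mod n

# Constructed toy parameters (far too small for real use).
PUB, PRIV = rsa_keygen(p=61, q=53, e=17)
M = 65
C = rsa_encrypt(PUB, M)
```

The oracle never sees C itself, yet its answer for X reveals M. OAEP breaks this because a modified ciphertext no longer decrypts to validly padded data.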

RSA. Cryptanalysis
• RSA security is based on the problem of factoring large integers that are the product of two primes
• In order to compute d = inv[e, φ(n)]
– It is needed to compute φ(n) = (p-1)(q-1)
– So it is needed to know p and q (factorization of n)
• RSA factoring challenge
– https://en.wikipedia.org/wiki/RSA_Factoring_Challenge
– RSA-768 (768 bits, 232 decimal digits): 12/12/2009
– RSA-230 (762 bits, 230 decimal digits): 15/08/2018
• Modulus recommended length
– At least 2048 bits (NIST 2016) or 3072 bits (ECRYPT-CSA 2018)

Wrap up. Key length with similar security

Symmetric       ECC             RSA/DSA
(key length     (modulus size   (modulus size
in bits)        in bits)        in bits)
56              112             512
80              160             1024            legacy
112             224             2048
128             256             3072            near term
192             384             7680
256             512             15360           long term

Wrap up. Symmetric cryptography

• Advantages
– Symmetry
– High speed
• Disadvantages
– Need a secure channel for sharing the key
– Huge number of keys for large number of users

Wrap up. Public key cryptography

• Advantages
– No need of a secure channel
– Simpler key management for large number of users (1 public key per user + own private key)
• Disadvantages
– Asymmetry
– Very low speed
– Public keys need authentication

Wrap up. Hybrid encryption scheme
• Combine symmetric and asymmetric encryption schemes to overcome their disadvantages
– A chooses KS, a symmetric key for this session
– A encrypts M using KS, and sends a first ciphertext CM to B
CM = ESYM(KS, M)
– B will need KS to decrypt the ciphertext →
– A encrypts KS using B’s public key KU,B and sends this second ciphertext CKS to B
CKS = EASYM(KU,B, KS)
• How does B decrypt M? B only knows his own private key
– First decrypts CKS using his private key KV,B to obtain KS
– Then decrypts CM using KS, the symmetric key just decrypted in the previous step
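The hybrid exchange above with both sides' messages, as an added example that is not part of the original slides. Assumptions: unpadded RSA over two Mersenne primes plays EASYM, a SHA-256 counter keystream plays ESYM, and all names and values are constructed for the illustration.

```python
import hashlib
import secrets

# B's key pair (constructed; unpadded RSA, for illustration only).
# 2**127 - 1 and 2**89 - 1 are Mersenne primes, chosen so the numbers are
# easy to check; a real modulus is at least 2048 bits with random primes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
KU_B, KV_B = (E, N), (D, N)

def e_sym(ks: bytes, data: bytes) -> bytes:
    # Stand-in for E_SYM (assumption): XOR with a SHA-256 counter keystream.
    # The same call decrypts.
    stream = b"".join(hashlib.sha256(ks + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def sender_a(ku_b, message: bytes):
    """A's side: returns the two ciphertexts (CM, CKS) sent to B."""
    e, n = ku_b
    ks = secrets.token_bytes(16)                 # fresh session key KS
    cm = e_sym(ks, message)                      # CM  = E_SYM(KS, M)
    cks = pow(int.from_bytes(ks, "big"), e, n)   # CKS = E_ASYM(KU_B, KS)
    return cm, cks

def receiver_b(kv_b, cm: bytes, cks: int) -> bytes:
    """B's side: unwrap KS with the private key, then decrypt CM."""
    d, n = kv_b
    ks = pow(cks, d, n).to_bytes(16, "big")      # KS = D_ASYM(KV_B, CKS)
    return e_sym(ks, cm)                         # M  = D_SYM(KS, CM)
```

Only the 16-byte session key passes through the slow asymmetric operation; the message itself, whatever its length, is handled by the fast symmetric cipher.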
