
UNIT II

PART A

1. What is the purpose of the S-boxes in DES?
The S-boxes do the real mixing (confusion). They are the nonlinear part of DES that makes it difficult to break the algorithm and secure against linear and differential cryptanalysis. The S-boxes provide the "confusion" of data and key values, whilst the permutation P then spreads this as widely as possible, so that each S-box output affects as many S-box inputs in the next round as possible, giving "diffusion".

2. Give short notes on S-boxes in DES.
There are 8 S-boxes, also known as substitution boxes. Each is a table consisting of four rows and 16 columns, 64 entries all together. They take in 6 bits and output 4 bits. That is, the 48 bits entering the 8 S-boxes are split into 6 bits per box.

3. Write the row and column description of an S-box in DES.
The two outer bits (the first and the last bit) represent the row (one of the four rows) and the inner four bits represent the column (one of the 16 columns). The cell where the row and the column meet holds the output value in decimal, which is then converted to binary as the output. From the example 010100, the first and last digits 00 give the row, which is the first row (of 00, 01, 10, 11), and the inner four digits 1010 give the column. All 8 S-boxes output 4 bits each in a similar way, giving 32 bits of output that are then permuted and further processed in the next round.

4. Give the diagrammatic representation of the encryption and decryption process in DES.
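The row/column rule of Q3, as an added example that is not part of the original notes. Only S1 of the eight DES S-boxes is reproduced (the standard FIPS 46-3 table); the eight-box plumbing is demonstrated by reusing S1 in every position, which is a constructed stand-in, not real DES.

```python
# Added example (not from the original notes): DES S-box lookup as described in Q3.
# S1 is the standard first DES S-box; the other seven follow the same row/column rule.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_row_col(six_bits: str):
    """Split a 6-bit string into (row, column) the way DES does.

    The outer bits (first and last) select one of 4 rows; the inner
    four bits select one of 16 columns.
    """
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("S-box input must be exactly six bits")
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return row, col


def sbox_lookup(box, six_bits: str) -> str:
    """Return the 4-bit output of `box` for a 6-bit input, as a bit string."""
    row, col = sbox_row_col(six_bits)
    return format(box[row][col], "04b")


def substitute_48(boxes, bits48: str) -> str:
    """Apply eight S-boxes to a 48-bit string (8 x 6 bits), producing 32 bits (8 x 4 bits).

    `boxes` must hold eight tables S1..S8 in order. The demonstration below
    passes [S1] * 8, a constructed stand-in that only shows the 48 -> 32 plumbing.
    """
    if len(bits48) != 48 or len(boxes) != 8:
        raise ValueError("expected 48 bits and eight S-boxes")
    chunks = [bits48[i * 6:(i + 1) * 6] for i in range(8)]
    return "".join(sbox_lookup(box, chunk) for box, chunk in zip(boxes, chunks))


if __name__ == "__main__":
    # The worked example from Q3: 010100 -> row 00 (=0), column 1010 (=10).
    print(sbox_row_col("010100"))          # (0, 10)
    print(sbox_lookup(S1, "010100"))       # S1[0][10] = 6 -> '0110'
    print(substitute_48([S1] * 8, "010100" * 8))
```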

5. What is the purpose of the whitener in DES?
After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.

6. What is linear cryptanalysis?
Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis. S-boxes are not very resistant to linear cryptanalysis. It has been shown that DES can be broken using 2^43 pairs of known plaintexts. However, from the practical point of view, finding so many pairs is very unlikely.

7. What is a brute force attack?
In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

8. Define Triple DES.
In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.

9. List the features of RC4.
1. RC4 uses a variable length key from 1 to 256 bytes to initialize a 256-byte state table.
2. The state table is used for subsequent generation of pseudo-random bytes and then to generate a pseudo-random stream which is XORed with the plaintext to give the ciphertext.
3. Each element in the state table is swapped at least once.
4. The RC4 key is often limited to 40 bits because of export restrictions, but it is sometimes used as a 128-bit key.
5. It has the capability of using keys between 1 and 2048 bits.
6. RC4 is used in many commercial software packages such as Lotus Notes and Oracle Secure SQL.

10. List the strengths of RC4.
1. The difficulty of knowing where any value is in the table.
2. The difficulty of knowing which location in the table is used to select each value in the sequence.
3. A particular RC4 key can be used only once.
4. Encryption is about 10 times faster than DES.

11. List the weaknesses of RC4.
1. The RC4 algorithm is vulnerable to analytic attacks of the state table.
2. One in every 256 keys can be a weak key. These keys are identified by cryptanalysis that is able to find circumstances under which one or more generated bytes are strongly correlated with a few bytes of the key.
3. WEAK KEYS: these are keys identified by cryptanalysis that is able to find circumstances under which one or more generated bytes are strongly correlated with a small subset of the key bytes. These keys can happen in one out of 256 keys generated.

12. State the misconceptions in public-key algorithms.
1. That public-key encryption is more secure from cryptanalysis than conventional encryption. In fact the security of any system depends on key length and the computational work involved in breaking the cipher.
2. That public-key encryption has superseded single-key encryption. This is unlikely due to the increased processing power required.
3. That key management is trivial with public-key cryptography; this is not correct.

13. Write the steps in the public-key process.
1. Each system generates a pair of keys.
2. Each system publishes its encryption key (public key), keeping its companion key private.
3. If A wishes to send a message to B, it encrypts the message using B's public key.
4. When B receives the message, it decrypts the message using its private key. No one else can decrypt the message because only B knows its private key.

14. Applications of a public-key system.
1. Encryption/decryption: where the sender encrypts the message with the receiver's public key.
2. Digital signature: where the sender signs a message with his private key.
3. Key exchange: several approaches, covered later.

15. List the possible attacks on the RSA algorithm.
1. Brute-force attacks
2. Mathematical attacks
3. Timing attacks

16. What are the two broad categories of symmetric key cipher?
1. Substitution cipher
2. Transposition cipher

17. What is a substitution cipher?
Letters of plaintext are replaced by other letters or by numbers or symbols. If plaintext is viewed as a sequence of bits, then substitution replaces plaintext bit patterns with ciphertext bit patterns. It can be categorized as either monoalphabetic ciphers or polyalphabetic ciphers.

18. What is the Caesar cipher?
Earliest known substitution cipher. Replaces each letter by the 3rd letter on.
Example:
Plaintext:  meet me after the toga party
Ciphertext: PHHW PH DIWHU WKH WRJD SDUWB

19. List the cryptanalysis of the Caesar cipher.
There are only 25 possible ciphers. It is vulnerable to ciphertext-only attacks using exhaustive key searches (brute force attacks).

20. What is a monoalphabetic cipher?
Rather than just shifting the alphabet, one could shuffle (jumble) the letters arbitrarily. Each plaintext letter maps to a different random ciphertext letter. The key is 26 letters long.
Example:
Plain:      abcdefghijklmnopqrstuvwxyz
Cipher:     DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

21. What is a one-time pad?
If a truly random key as long as the message is used, the cipher will be secure. E.g., a random sequence of 0s and 1s XORed to the plaintext, with no repetition of keys. It is unbreakable since the ciphertext bears no statistical relationship to the plaintext. For any plaintext, it needs a random key of the same length. It is hard to generate large amounts of keys, and there is the problem of safe distribution of the key.

22. What is a transposition cipher?
It is otherwise known as a permutation cipher. These hide the message by rearranging the letter order, without altering the actual letters used. One can recognise these since they have the same frequency distribution as the original text.

23. What are the drawbacks of the monoalphabetic cipher?
In a monoalphabetic cipher the problem is that each character is substituted by a single character. Cryptanalysts are helped by the fact that they have to see what character would correspond in plaintext for a given ciphertext character.

24. What is a polyalphabetic cipher?
In a polyalphabetic cipher, each plaintext character may be replaced by more than one character. Since there are only 26 letters, this process will require using a different representation than the letters themselves: letters A through Z are replaced by 00, 01, 02, ..., 25. We need two digits in this representation since we need to know how to reverse the process at the decryption side.

25. What are the types involved in polyalphabetic ciphers?
1. Hill cipher
2. One-time pad
3. Vigenère cipher
4. Playfair cipher

26. What are the steps involved in the Vigenère cipher?
The Vigenère cipher starts with a 26 x 26 matrix of alphabets in sequence. The first row starts with A, the second row starts with B, etc. Like the ADFGVX cipher, this cipher also requires a keyword that the sender and receiver know ahead of time. Each character of the message is combined with the characters of the keyword to find the ciphertext character.

27. Give an example of the Vigenère cipher.
E.g., Message = SEE ME IN MALL. Take the keyword as INFOSEC. The Vigenère cipher works as follows:
P.T = S E E M E I N M A L L
Key = I N F O S E C I N F O
C.T = A R J A W M P U N Q Z

28. What is the Playfair cipher?
The Playfair cipher is a multiple-letter cipher. Each plaintext letter is replaced by a key in this cipher. The number of keys is 26 x 26 = 676. The user chooses a keyword and puts it in the cells of a 5 x 5 matrix. I and J stay in one cell. Duplicate letters appear only once. Letters that are not in the keyword are arranged in the remaining cells from left to right in successive rows in ascending order.

29. What are the rules involved in the Playfair cipher?
1. Group plaintext letters two at a time.
2. Separate repeating letters with an x.
3. Take a pair of letters from the plaintext.
4. Plaintext letters in the same row are replaced by the letters to the right (in a cyclic manner).
5. Plaintext letters in the same column are replaced by the letters below (in a cyclic manner).
6. Plaintext letters in a different row and column are replaced by the letter in the same row as the first letter and the column of the other letter, and vice versa.

30. Give an example of the Playfair cipher.
E.g., Plaintext: CRYPTO IS TOO EASY
Keyword: INFOSEC
Grouped text: CR YP TO IS TO XO EA SY
Ciphertext: AQ VT YB NI YB YF CB OZ
To decrypt, the receiver reconstructs the 5 x 5 matrix using the keyword and then uses the same rules as for encryption.
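The Vigenère and Playfair ciphers of Q26 to Q30, as an added example that is not part of the original notes, checked against the notes' own worked examples (keyword INFOSEC). The same addition-mod-26 routine with a key as long as the message is the Vernam cipher of Q31 and Q32 below; the "separate repeated letters with X" rule is applied to the letter stream before pairing, which is what produces the notes' grouping TO XO.

```python
# Added example (not from the original notes): Vigenère and Playfair as described
# in Q26-Q30. Letters only; J is merged into I for Playfair, as the notes describe.
import string

ALPHA = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching keyword letter (addition mod 26).

    A one-letter key gives the Caesar cipher; a random key as long as the
    message gives the Vernam / one-time pad of Q31.
    """
    text = "".join(c for c in text.upper() if c in ALPHA)
    key = "".join(c for c in key.upper() if c in ALPHA)
    if not key:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, c in enumerate(text):
        k = ALPHA.index(key[i % len(key)])
        shift = -k if decrypt else k
        out.append(ALPHA[(ALPHA.index(c) + shift) % 26])
    return "".join(out)


def playfair_square(keyword: str):
    """5x5 matrix: keyword letters once each, then the rest of the alphabet (J -> I)."""
    seen = []
    for c in (keyword.upper() + ALPHA).replace("J", "I"):
        if c in ALPHA and c not in seen:
            seen.append(c)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def playfair_digraphs(text: str):
    """Separate adjacent repeated letters with X, pad to even length, then pair up."""
    letters = [c for c in text.upper().replace("J", "I") if c in ALPHA]
    spaced = []
    for c in letters:
        if spaced and spaced[-1] == c:
            spaced.append("X")
        spaced.append(c)
    if len(spaced) % 2:
        spaced.append("X")
    return ["".join(spaced[i:i + 2]) for i in range(0, len(spaced), 2)]


def playfair(text: str, keyword: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) with the three Playfair rules from Q29."""
    square = playfair_square(keyword)
    pos = {c: (r, col) for r, row in enumerate(square) for col, c in enumerate(row)}
    step = -1 if decrypt else 1   # right/below when encrypting, left/above when decrypting
    if decrypt:
        text = "".join(c for c in text.upper() if c in ALPHA)
        if len(text) % 2:
            raise ValueError("Playfair ciphertext must have an even number of letters")
        pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    else:
        pairs = playfair_digraphs(text)
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                                   # same row: move along the row
            out.append(square[ra][(ca + step) % 5] + square[rb][(cb + step) % 5])
        elif ca == cb:                                 # same column: move down the column
            out.append(square[(ra + step) % 5][ca] + square[(rb + step) % 5][cb])
        else:                                          # rectangle: keep row, take other's column
            out.append(square[ra][cb] + square[rb][ca])
    return "".join(out)


if __name__ == "__main__":
    print(vigenere("SEE ME IN MALL", "INFOSEC"))          # ARJAWMPUNQZ
    print(playfair_digraphs("CRYPTO IS TOO EASY"))        # CR YP TO IS TO XO EA SY
    print(playfair("CRYPTO IS TOO EASY", "INFOSEC"))      # AQVTYBNIYBYFCBOZ
```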

31. What is the Vernam cipher?
U.S. Army Major Joseph Mauborgne and AT&T's Gilbert Vernam developed a cipher in 1917. It uses a one-time arrangement of a key string that is as long as the plaintext. Plaintexts are assumed to be short. It is also known as the One-Time Pad cipher. The key is used only once, but characters in the key may not be distinct.

32. Give an example of the Vernam cipher.
E.g.,
Plaintext:  HELLO
Key:        KTBXZ
Ciphertext: RXMIN (using addition mod 26)

Ciphertext: RXMIN
Key:        KTBXZ
Plaintext:  HELLO (using subtraction mod 26)

33. Define block cipher and stream cipher.
Block ciphers process messages in blocks, each of which is then encrypted or decrypted. This is like a substitution on very big characters, 64 bits or more. Stream ciphers process messages a bit or byte at a time when encrypting or decrypting. Many current ciphers are block ciphers, one of the most widely used types of cryptographic algorithms.

PART-B

1. Elaborate about AES?
AES is based on a design principle known as a substitution-permutation network, and is fast in both software and hardware. Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits. AES operates on a 4 x 4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field.

The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the cipher text. The number of cycles of repetition is as follows:

10 cycles of repetition for 128-bit keys.
12 cycles of repetition for 192-bit keys.
14 cycles of repetition for 256-bit keys.

Each round consists of several processing steps, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform cipher text back into the original plaintext using the same encryption key.

High-level description of the algorithm

1. Key Expansion: round keys are derived from the cipher key using Rijndael's key schedule.
2. Initial Round
   1. Add Round Key: each byte of the state is combined with the round key using bitwise XOR.
3. Rounds
   1. Sub Bytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
   2. Shift Rows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
   3. Mix Columns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
   4. Add Round Key
4. Final Round (no Mix Columns)
   1. Sub Bytes
   2. Shift Rows
   3. Add Round Key

The Shift Rows step

In the Shift Rows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.

The Shift Rows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same: row n is shifted left circularly by n-1 bytes. In this way, each column of the output state of the Shift Rows step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets.) For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth rows is 1 byte, 3 bytes and 4 bytes respectively; this change only applies to the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks.

The Mix Columns step

In the Mix Columns step, each column of the state is multiplied with a fixed polynomial c(x). In the Mix Columns step, the four bytes of each column of the state are combined using an invertible linear transformation. The Mix Columns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with Shift Rows, Mix Columns provides diffusion in the cipher. During this operation, each column is multiplied by the known matrix that for the 128 bit key is

The multiplication operation is defined as follows: multiplication by 1 means no change, multiplication by 2 means shifting to the left, and multiplication by 3 means shifting to the left and then performing XOR with the initial unshifted value. After shifting, a conditional XOR with 0x11B should be performed if the shifted value is larger than 0xFF.

In a more general sense, each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with a fixed polynomial c(x) = 0x03 x^3 + x^2 + x + 0x02. The coefficients are displayed in their hexadecimal equivalent of the binary representation of bit polynomials from GF(2)[x]. The Mix Columns step can also be viewed as a multiplication by a particular MDS matrix in a finite field. This process is described further in the article Rijndael mix columns.
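The Shift Rows and Mix Columns steps described above, as an added example that is not code from the original notes. The GF(2^8) multiplication uses exactly the shift-and-conditional-XOR-with-0x11B rule the text gives, and the fixed matrix is the standard AES one corresponding to c(x) = 0x03 x^3 + x^2 + x + 0x02; the inverse matrix used for decryption is included so the round trip can be checked. The state is a list of four columns of four bytes (column-major, as the text says).

```python
# Added example (not from the original notes): AES Shift Rows and Mix Columns on a
# 4x4 column-major state. GF(2^8) arithmetic reduces with 0x11B as the text states.

def xtime(b: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8): shift left, reduce with 0x11B if it overflowed."""
    b <<= 1
    if b > 0xFF:
        b ^= 0x11B
    return b


def gf_mul(a: int, b: int) -> int:
    """General multiplication in GF(2^8) by shift-and-add, built on xtime()."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


# Fixed matrix of the Mix Columns step (c(x) = 0x03 x^3 + x^2 + x + 0x02) and its inverse.
MIX = [
    [2, 3, 1, 1],
    [1, 2, 3, 1],
    [1, 1, 2, 3],
    [3, 1, 1, 2],
]
INV_MIX = [
    [14, 11, 13, 9],
    [9, 14, 11, 13],
    [13, 9, 14, 11],
    [11, 13, 9, 14],
]


def mix_column(col, matrix=MIX):
    """Multiply one 4-byte column by the fixed matrix over GF(2^8).

    Every input byte contributes to every output byte, which is the diffusion
    the text attributes to this step.
    """
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out


def mix_columns(state, inverse=False):
    """Apply Mix Columns (or its inverse) to all four columns of the state."""
    return [mix_column(c, INV_MIX if inverse else MIX) for c in state]


def shift_rows(state, inverse=False):
    """Row n is rotated left by n bytes (rotated right again when inverting)."""
    rows = [[state[c][r] for c in range(4)] for r in range(4)]
    for r in range(4):
        k = (-r if inverse else r) % 4
        rows[r] = rows[r][k:] + rows[r][:k]
    return [[rows[r][c] for r in range(4)] for c in range(4)]


if __name__ == "__main__":
    # Constructed sample column (widely used Mix Columns check value, not from these notes).
    col = [0xDB, 0x13, 0x53, 0x45]
    print([hex(b) for b in mix_column(col)])   # ['0x8e', '0x4d', '0xa1', '0xbc']
```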

The Add Round Key step

In the Add Round Key step, each byte of the state is combined with a byte of the round subkey using the XOR operation. The subkey is combined with the state as follows: for each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

Optimization of the cipher

On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining the Sub Bytes and Shift Rows steps with the Mix Columns step by transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables, and utilizes a total of four kilobytes (4096 bytes) of memory, one kilobyte for each table. A round can then be done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the Add Round Key step.[6]

If the resulting four kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit (i.e. 1 kilobyte) table by the use of circular rotates. Using a byte-oriented approach, it is possible to combine the Sub Bytes, Shift Rows, and Mix Columns steps into a single round operation.

2. Briefly explain the concepts of DES?
The algorithm's overall structure is shown in the figure below: there are 16 identical stages of processing, termed rounds. There is also an initial and final permutation, termed IP and FP, which are inverses (IP "undoes" the action of FP, and vice versa). IP and FP have almost no cryptographic significance, but were apparently included in order to facilitate loading blocks in and out of mid-1970s hardware. Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is known as the Feistel scheme. The Feistel structure ensures that decryption and encryption are very similar processes; the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms. The F-function scrambles half a block together with some of the key. The output from the F-function is then combined with the other half of the block, and the halves are swapped before the next round. After the final round, the halves are not swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.

Overall Structure of DES

The Feistel (F) function


The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of four stages:

The Feistel function (F-function) of DES

1. Expansion - the 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-bit (8 * 6 = 48 bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.
2. Key mixing - the result is combined with a subkey using an XOR operation. 16 48-bit subkeys, one for each round, are derived from the main key using the key schedule (described below).
3. Substitution - after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes, or substitution boxes. Each of the eight S-boxes replaces its six input bits with four output bits according to a non-linear transformation, provided in the form of a lookup table. The S-boxes provide the core of the security of DES; without them, the cipher would be linear, and trivially breakable.
4. Permutation - finally, the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, after expansion, each S-box's output bits are spread across 6 different S-boxes in the next round.

The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion, provides so-called "confusion and diffusion" respectively, a concept identified by Claude Shannon in the 1940s as a necessary condition for a secure yet practical cipher.

The main operations on the data are encompassed into what is referred to as the cipher function and is labeled F. This function accepts two different-length inputs of 32 bits and 48 bits and outputs a single 32-bit number. Both the data and key are operated on in parallel; however, the operations are quite different. The 56-bit key is split into two 28-bit halves $C_i$ and $D_i$ (C and D being chosen so as not to be confused with L and R).
The value of the key used in any round is simply a left cyclic shift and a permuted contraction of that used in the previous round. Mathematically, this can be written as

$C_i = \mathrm{LCS}_i(C_{i-1})$, $D_i = \mathrm{LCS}_i(D_{i-1})$, $K_i = \mathrm{PC2}(C_i, D_i)$

where $\mathrm{LCS}_i$ is the left cyclic shift for round $i$, $C_i$ and $D_i$ are the outputs after the shifts, $\mathrm{PC2}(\cdot)$ is a function which permutes and compresses a 56-bit number into a 48-bit number, and $K_i$ is the actual key used in round $i$. The number of shifts is either one or two and is determined by the round number $i$. For $i \in \{1, 2, 9, 16\}$ the number of shifts is one, and for every other round it is two.

The common formulas used to describe the relationship between the input to one round and its output (or the input to the next round) are:

$L_i = R_{i-1}$, $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$ (2.3)

where L and R have their usual meaning and $F(\cdot)$ is the cipher function. This function F is the main part of every round and consists of four separate stages:

1. The E-box expansion permutation - here the 32-bit input data from $R_{i-1}$ is expanded and permuted to give the 48 bits necessary for combination with the 48-bit key (defined in table 2.1). The E-box expansion permutation delivers a larger output by splitting its input into 8 4-bit blocks and copying every first and fourth bit in each block into the output in a defined manner. The security offered by this operation comes from one bit affecting two substitutions in the S-boxes.
2. The bit-by-bit addition modulo 2 (or exclusive OR) of the E-box output and the 48-bit subkey $K_i$.
3. The S-box substitution - this is a highly important substitution which accepts a 48-bit input and outputs a 32-bit number (defined in table 2.3). The S-boxes are the only non-linear operation in DES and are therefore the most important part of its security.
4. The P-box permutation - this simply permutes the output of the S-box without changing the size of the data. It is simply a permutation and nothing else. It has a one-to-one mapping of its input to its output, giving a 32-bit output from a 32-bit input.
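The Feistel structure and the C/D shift schedule described above, as an added example that is not from the original notes. The round function `toy_f` is a stand-in for DES's cipher function F (it is not DES, and no E-box, S-boxes or P-box are used), and `toy_subkeys` replaces PC-2 with a simple fold of C||D to 32 bits; what the example shows is the structural point in the text: decryption is the same routine with the subkeys in reverse order, regardless of what F is, and the 16 shift counts total 28, returning C and D to their starting values.

```python
# Added example (not from the original notes): a 16-round Feistel network with a
# constructed round function, plus the DES left-cyclic-shift schedule for C and D.

MASK32 = 0xFFFFFFFF
MASK28 = 0x0FFFFFFF


def des_shift_schedule():
    """Left circular shifts of C and D per round: one in rounds 1, 2, 9, 16; two otherwise."""
    return [1 if i in (1, 2, 9, 16) else 2 for i in range(1, 17)]


def rotate_left_28(x: int, n: int) -> int:
    """Left circular shift of a 28-bit half (C or D) by n positions."""
    return ((x << n) | (x >> (28 - n))) & MASK28


def toy_subkeys(key56: int):
    """Derive 16 round keys with DES's C/D shift schedule.

    PC-2 (the permuted contraction to 48 bits) is NOT reproduced; a stand-in
    folds C||D into 32 bits so that it matches toy_f below.
    """
    c, d = (key56 >> 28) & MASK28, key56 & MASK28
    keys = []
    for shifts in des_shift_schedule():
        c, d = rotate_left_28(c, shifts), rotate_left_28(d, shifts)
        keys.append((c ^ (d << 4)) & MASK32)      # stand-in for PC2(C_i, D_i)
    return keys


def toy_f(right: int, subkey: int) -> int:
    """Constructed round function (NOT DES's F). Feistel decryption works for any F,
    invertible or not, which is the property demonstrated here."""
    x = (right ^ subkey) & MASK32
    x = (x * 0x9E3779B1) & MASK32                # odd multiplier: cheap non-linear mixing
    return (x ^ (x >> 15)) & MASK32


def feistel(block: int, subkeys) -> int:
    """Run the rounds L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i) on a 64-bit block."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ toy_f(right, k)
    # As in DES, the halves are not swapped after the final round, so the
    # output is R16 || L16 and the same routine can decrypt.
    return (right << 32) | left


def encrypt(block: int, subkeys) -> int:
    return feistel(block, subkeys)


def decrypt(block: int, subkeys) -> int:
    """Identical process with the subkeys applied in reverse order."""
    return feistel(block, list(reversed(subkeys)))


if __name__ == "__main__":
    keys = toy_subkeys(0x133457799BBCDF)          # constructed 56-bit key
    ct = encrypt(0x0123456789ABCDEF, keys)
    print(hex(ct), hex(decrypt(ct, keys)))         # second value is 0x123456789abcdef
```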

Strength

The strength of DES lies in two facts:

The use of 56-bit keys: since a 56-bit key is used in encryption, there are 2^56 possible keys. A brute force attack on such a number of keys is impractical.
The nature of the algorithm: a cryptanalyst can perform cryptanalysis by exploiting the characteristics of the DES algorithm, but no one has succeeded in finding out the weakness.

Weakness

Weaknesses have been found in the design of the cipher:

Two chosen inputs to an S-box can create the same output.
The purpose of the initial and final permutation is not clear.

3. Briefly explain RC4 Algorithm?

Introduction: In cryptography, RC4 (also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is the most widely used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP. For a detailed exposition on the RC4 stream cipher, refer to the book by Paul and Maitra.

Description: RC4 generates a pseudorandom stream of bits (a keystream). As with any stream cipher, these can be used for encryption by combining it with the plaintext using bit-wise exclusive-or; decryption is performed the same way (since exclusive-or is a symmetric operation). (This is similar to the Vernam cipher except that generated pseudorandom bits, rather than a prepared stream, are used.) To generate the keystream, the cipher makes use of a secret internal state which consists of two parts:
1. A permutation of all 256 possible bytes (denoted "S" below).
2. Two 8-bit index-pointers (denoted "i" and "j").

The permutation is initialized with a variable length key, typically between 40 and 256 bits, using the key-scheduling algorithm (KSA). Once this has been completed, the stream of bits is generated using the pseudo-random generation algorithm (PRGA).

The key-scheduling algorithm (KSA)

The key-scheduling algorithm is used to initialize the permutation in the array "S". "keylength" is defined as the number of bytes in the key and can be in the range 1 ≤ keylength ≤ 256, typically between 5 and 16, corresponding to a key length of 40 to 128 bits. First, the array "S" is initialized to the identity permutation. S is then processed for 256 iterations in a similar way to the main PRGA, but also mixes in bytes of the key at the same time.

Algorithm:

    for i from 0 to 255
        S[i] := i
    endfor
    j := 0
    for i from 0 to 255
        j := (j + S[i] + key[i mod keylength]) mod 256
        swap values of S[i] and S[j]
    endfor

The pseudo-random generation algorithm (PRGA)

For as many iterations as are needed, the PRGA modifies the state and outputs a byte of the keystream. In each iteration, the PRGA increments i, looks up the ith element of S, S[i], and adds that to j, exchanges the values of S[i] and S[j], and then uses the sum S[i] + S[j] (modulo 256) as an index to fetch a third element of S (the keystream value K below), which is XORed with the next byte of the message to produce the next byte of either ciphertext or plaintext. Each element of S is swapped with another element at least once every 256 iterations.

Algorithm:

    i := 0
    j := 0
    while GeneratingOutput:
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        swap values of S[i] and S[j]
        K := S[(S[i] + S[j]) mod 256]
        output K
    endwhile

Implementation:

Many stream ciphers are based on linear feedback shift registers (LFSRs), which, while efficient in hardware, are less so in software. The design of RC4 avoids the use of LFSRs, and is ideal for software implementation, as it requires only byte manipulations. It uses 256 bytes of memory for the state array, S[0] through S[255], k bytes of memory for the key, key[0] through key[k-1], and integer variables i, j, and K. Performing a modular reduction of some value modulo 256 can be done with a bitwise AND with 255 (which is equivalent to taking the low-order byte of the value in question).

Security: Unlike a modern stream cipher (such as those in eSTREAM), RC4 does not take a separate nonce alongside the key. This means that if a single long-term key is to be used to securely encrypt multiple streams, the cryptosystem must specify how to combine the nonce and the long-term key to generate the stream key for RC4. One approach to addressing this is to generate a "fresh" RC4 key by hashing a long-term key with a nonce. However, many applications that use RC4 simply concatenate key and nonce; RC4's weak key schedule then gives rise to a variety of serious problems. Because RC4 is a stream cipher, it is more malleable than common block ciphers. If not used together with a strong message authentication code (MAC), then encryption is vulnerable to a bit-flipping attack. It is noteworthy, however, that RC4, being a stream cipher, is the only common cipher which is immune to the 2011 BEAST attack on TLS 1.0, which exploits a known weakness in the way cipher block chaining mode is used with all of the other ciphers supported by TLS 1.0, which are all block ciphers.

Fluhrer, Mantin and Shamir attack: In 2001, a new and surprising discovery was made by Fluhrer, Mantin and Shamir: over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random, leaking information about the key. If the long-term key and nonce are simply concatenated to generate the RC4 key, this long-term key can be discovered by analysing a large number of messages encrypted with this key. This and related effects were then used to break the WEP ("wired equivalent privacy") encryption used with 802.11 wireless networks. This caused a scramble for a standards-based replacement for WEP in the 802.11 market, and led to the IEEE 802.11i effort and WPA. Cryptosystems can defend against this attack by discarding the initial portion of the keystream. Such a modified algorithm is traditionally called "RC4-drop[n]", where n is the number of initial keystream bytes that are dropped. The SCAN default is n = 768 bytes, but a conservative value would be n = 3072 bytes. The Fluhrer, Mantin and Shamir attack does not apply to RC4-based SSL, since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys.

Klein's attack: In 2005, Andreas Klein presented an analysis of the RC4 stream cipher showing more correlations between the RC4 keystream and the key.[23] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pychkine used this analysis to create aircrack-ptw, a tool which cracks 104-bit RC4 used in 128-bit WEP in under a minute.[24] Whereas the Fluhrer, Mantin, and Shamir attack used around 10 million messages, aircrack-ptw can break 104-bit keys in 40,000 frames with 50% probability, or in 85,000 frames with 95% probability.

Combinatorial problem: A combinatorial problem related to the number of inputs and outputs of the RC4 cipher was first posed by Itsik Mantin and Adi Shamir in 2001: of the total 256 elements in the typical state of RC4, if only x elements (x ≤ 256) are known (all other elements can be assumed empty), then the maximum number of elements that can be produced deterministically is also x in the next 256 rounds. This conjecture was put to rest in 2004 with a formal proof given by Souradyuti Paul and Bart Preneel.

4. Briefly explain the RSA cryptosystem?
The RSA algorithm was developed by Ron Rivest, Adi Shamir and Len Adleman at MIT in 1978. Since this time it has reigned supreme as the most widely accepted and implemented general-purpose approach to public-key encryption. The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n. The scheme makes use of an expression with exponentials. Plaintext is encrypted in blocks having a binary value less than some number n. For some plaintext block M and ciphertext block C we have:

$C = M^e \bmod n$
$M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$


Both sender and receiver know n. The sender knows the value of e and only the receiver knows the value of d. To restate:

KU = {e, n} KR = {d, n}
For this algorithm to be satisfactory for public-key encryption, the following requirements must be met:

1. It is possible to find values of e, d and n such that $M^{ed} \equiv M \pmod n$ for all M < n.
2. It is relatively easy to calculate $M^e$ and $C^d$ for all values of M < n.
3. It is infeasible to determine d given e and n.

Focusing initially on the first requirement, we need to find a relationship of the form:

$M^{ed} \equiv M \pmod n$.


If we recall that Euler's theorem states that

$a^{\phi(m)} \equiv 1 \pmod m$ for $\gcd(a, m) = 1$


There is a corollary to this theorem that can be used to produce the required relationship. Given two prime numbers p and q and integers n = pq and m, with 0 < m < n, the following relationship holds:

$m^{\phi(n)+1} \equiv m^{(p-1)(q-1)+1} \equiv m \pmod n$


If gcd(m, n) = 1 then this holds by virtue of Euler's theorem. Suppose however that $\gcd(m, n) \neq 1$. What does this mean? Well, because n = pq, the equality gcd(m, n) = 1 is equivalent to the logical expression (m is not a multiple of p) AND (m is not a multiple of q). If m is a multiple of p then n and m share the prime factor p and are not relatively prime (the same can be said for q). Therefore, the expression $\gcd(m, n) \neq 1$ must be equivalent to the negation of the foregoing logical expression. That is, $\gcd(m, n) \neq 1$ is equivalent to the logical expression (m is a multiple of p) OR (m is a multiple of q). Look at the case in which m is a multiple of p, so that the relationship m = cp holds for some positive integer c. In this case we must have gcd(m, q) = 1. Otherwise, we would have m a multiple of p and m a multiple of q and yet m < pq. If gcd(m, q) = 1 then Euler's theorem holds and

$m^{\phi(q)} \equiv 1 \pmod q$
But then, by the rules of modular arithmetic,

$[m^{\phi(q)}]^{\phi(p)} \equiv 1 \pmod q$
$m^{\phi(n)} \equiv 1 \pmod q$ (since $\phi(n) = \phi(p)\phi(q)$)


Therefore, there is some integer k such that

$m^{\phi(n)} = 1 + kq$
Multiplying each side by m = cp,

$m^{\phi(n)+1} = m + kcpq = m + kcn$
$m^{\phi(n)+1} \equiv m \pmod n$


A similar line of reasoning is used for the case in which m is a multiple of q. Thus, equation 8.5 is proven. An alternative form of this corollary is directly relevant to RSA:

$m^{k\phi(n)+1} = [(m^{\phi(n)})^k \cdot m] \bmod n = [(1)^k \cdot m] \bmod n = m \bmod n$

where the middle step follows from Euler's theorem.
We can now state the RSA scheme. The ingredients are the following:

p, q, two primes (private, chosen)
n = pq (public, calculated)
e, with $\gcd(\phi(n), e) = 1$ and $1 < e < \phi(n)$ (public, chosen)
$d \equiv e^{-1} \pmod{\phi(n)}$ (private, calculated)

The private key consists of {d, n} and the public key is {e, n}. Suppose that user A has published his public key and that user B wishes to send the message M to A. B calculates $C = M^e \bmod n$ and transmits C. On receipt of the ciphertext, user A decrypts by calculating $M = C^d \bmod n$. Figure 8.5 summarises the algorithm.

Example:
a) Select p = 7, q = 17.
b) Calculate n = pq = 7 × 17 = 119.
c) Calculate $\phi(n) = (p - 1)(q - 1) = 96$.
d) Select e, relatively prime to and less than $\phi(n)$, say e = 5.
e) Determine d such that $de \equiv 1 \pmod{96}$ and d < 96.
f) The correct value for d is 77 because 77 × 5 = 385 = 4 × 96 + 1 (d can be calculated using the extended version of Euclid's algorithm).

g) The resulting public key is KU = {5, 119} and the private key is KR = {77, 119}. Say the plaintext is M = 19. For encryption, 19 is raised to the 5th power, yielding 2,476,099. Upon division by 119, the remainder is 66, hence the ciphertext sent is 66. For decryption it is determined using KR that $66^{77} \equiv 19 \pmod{119}$, so the recovered plaintext is 19.

5. Explain monoalphabetic cipher in detail:


A substitution cipher replaces one symbol with another. Substitution ciphers can be categorized as either monoalphabetic ciphers or polyalphabetic ciphers.

Monoalphabetic Ciphers

In monoalphabetic substitution, the relationship between a symbol in the plaintext and a symbol in the ciphertext is always one-to-one. The following shows a plaintext and its corresponding ciphertext. The cipher is probably monoalphabetic because both l's (els) are encrypted as O's.

Additive Cipher

The simplest monoalphabetic cipher is the additive cipher. This cipher is sometimes called a shift cipher and sometimes a Caesar cipher, but the term additive cipher better reveals its mathematical nature. When the cipher is additive, the plaintext, ciphertext, and key are integers in Z26 (plaintext and ciphertext in Z26).

Shift Cipher and Caesar Cipher

Historically, additive ciphers are called shift ciphers. Julius Caesar used an additive cipher to communicate with his officers. For this reason, additive ciphers are sometimes referred to as the Caesar cipher. Caesar used a key of 3 for his communications.

Multiplicative Ciphers

In a multiplicative cipher, the plaintext and ciphertext are integers in Z26; the key is an integer in Z26*.

Affine Ciphers

Monoalphabetic Substitution Cipher

Because additive, multiplicative, and affine ciphers have small key domains, they are very vulnerable to brute-force attack. A better solution is to create a mapping between each plaintext character and the corresponding ciphertext character. Alice and Bob can agree on a table showing the mapping for each character (an example key for a monoalphabetic substitution cipher).
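An added example (not from the original notes) of the additive, multiplicative and affine ciphers as arithmetic in Z26, with a = 0 ... z = 25. The affine cipher is taken in its standard form C = (k1·P + k2) mod 26, the additive and multiplicative ciphers are its special cases, and the brute-force routine enumerates the whole 312-key space to show how small the key domain is.

```python
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # plaintext and ciphertext in Z26: a = 0 ... z = 25


def affine_encrypt(plaintext, k1, k2):
    """C = (k1 * P + k2) mod 26; k1 must lie in Z26* (gcd(k1, 26) = 1)."""
    if gcd(k1, 26) != 1:
        raise ValueError("k1 has no multiplicative inverse mod 26")
    return "".join(ALPHABET[(k1 * ALPHABET.index(ch) + k2) % 26]
                   for ch in plaintext.lower() if ch in ALPHABET).upper()


def affine_decrypt(ciphertext, k1, k2):
    """P = ((C - k2) * k1^-1) mod 26; pow(k1, -1, 26) is the inverse (Python 3.8+)."""
    k1_inv = pow(k1, -1, 26)
    return "".join(ALPHABET[((ALPHABET.index(ch) - k2) * k1_inv) % 26]
                   for ch in ciphertext.lower() if ch in ALPHABET)


def additive_encrypt(plaintext, key):
    """Additive (shift / Caesar) cipher: the affine cipher with k1 = 1."""
    return affine_encrypt(plaintext, 1, key)


def multiplicative_encrypt(plaintext, key):
    """Multiplicative cipher: the affine cipher with k2 = 0, key in Z26*."""
    return affine_encrypt(plaintext, key, 0)


def affine_key_space():
    """Every (k1, k2) pair: 12 units in Z26* times 26 shifts = 312 keys in total."""
    return [(k1, k2) for k1 in range(26) if gcd(k1, 26) == 1 for k2 in range(26)]


def brute_force(ciphertext, crib):
    """Try all 312 keys and return those whose decryption contains a known word."""
    return [(k1, k2) for k1, k2 in affine_key_space()
            if crib in affine_decrypt(ciphertext, k1, k2)]


if __name__ == "__main__":
    c = affine_encrypt("hello", 7, 2)
    print(additive_encrypt("hello", 3), multiplicative_encrypt("hello", 7), c)  # KHOOR XCZZU ZEBBW
    print(affine_decrypt(c, 7, 2), len(affine_key_space()), brute_force(c, "hello"))
```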

6. Explain polyalphabetic cipher in detail


In polyalphabetic substitution, each occurrence of a character may have a different substitute. The relationship between a character in the plaintext and a character in the ciphertext is one-to-many.

Autokey Cipher

Playfair Cipher

The Playfair cipher is a multiple-letter cipher. Each plaintext letter is replaced by a key in this cipher. The number of keys is 26 x 26 = 676. The user chooses a keyword and puts it in the cells of a 5 x 5 matrix; I and J share one cell, and duplicate letters appear only once. The letters that are not in the keyword are arranged in the remaining cells from left to right in successive rows in ascending order (an example of a secret key in the Playfair cipher).

Example: encrypt the plaintext hello using the key shown.

Vigenère Cipher

The Vigenère cipher starts with a 26 x 26 matrix of alphabets in sequence. The first row starts with A, the second row starts with B, and so on. Like the ADFGVX cipher, this cipher also requires a keyword that the sender and receiver know ahead of time. Each character of the message is combined with the characters of the keyword to find the ciphertext character.

Example: encrypt the message "She is listening" using the 6-character keyword PASCAL.

Hill Cipher

(Key in the Hill cipher.) The key matrix in the Hill cipher needs to have a multiplicative inverse.

Vernam Cipher

U.S. Army Major Joseph Mauborgne and AT&T's Gilbert Vernam developed a cipher in 1917. It uses a one-time arrangement of a key string that is as long as the plaintext. Plaintexts are assumed to be short. It is also known as the One-Time Pad cipher. The key is used only once, but the characters in the key need not be distinct.

E.g., Plaintext:  HELLO
      Key:        KTBXZ
      Ciphertext: RXMIN  (using addition mod 26)

      Ciphertext: RXMIN
      Key:        KTBXZ
      Plaintext:  HELLO  (using subtraction mod 26)
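The two exercises above (keyword PASCAL over "She is listening", and the HELLO/KTBXZ one-time pad) worked in code, as an added example that is not part of the original notes. Letters are mapped to Z26 with a = 0 and spaces are dropped; the Vernam routine is the same addition mod 26, with the added requirement that the key be at least as long as the message.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"      # letters as integers in Z26: a = 0 ... z = 25


def _letters(text):
    """Keep letters only, lower-cased: the spaces in 'She is listening' are dropped."""
    return [ch for ch in text.lower() if ch in ALPHABET]


def vigenere(text, keyword, decrypt=False):
    """C_i = (P_i + K_(i mod len(key))) mod 26; decryption subtracts instead of adding."""
    key = _letters(keyword)
    if not key:
        raise ValueError("keyword must contain at least one letter")
    out = []
    for i, ch in enumerate(_letters(text)):
        k = ALPHABET.index(key[i % len(key)])    # the keyword repeats over the message
        shift = -k if decrypt else k
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out).upper()


def vernam(text, key, decrypt=False):
    """One-time pad: the same arithmetic, but the key must be as long as the plaintext."""
    if len(_letters(key)) < len(_letters(text)):
        raise ValueError("one-time pad key must be at least as long as the message")
    return vigenere(text, key, decrypt)          # the key never wraps, so each key letter is used once


if __name__ == "__main__":
    c = vigenere("She is listening", "PASCAL")
    print(c, vigenere(c, "PASCAL", decrypt=True))                           # HHWKSWXSLGNTCG SHEISLISTENING
    print(vernam("HELLO", "KTBXZ"), vernam("RXMIN", "KTBXZ", decrypt=True))  # RXMIN HELLO
```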

7. Explain transposition cipher in detail?

A transposition cipher does not substitute one symbol for another; instead it changes the location of the symbols. A transposition cipher reorders symbols.

Keyless Transposition Ciphers

Simple transposition ciphers, which were used in the past, are keyless. A good example of a keyless cipher using the first method is the rail fence cipher. The ciphertext is created by reading the pattern row by row. For example, to send the message "Meet me at the park" to Bob, Alice writes

She then creates the ciphertext MEMATEAKETETHPR. Alice and Bob can agree on the number of columns and use the second method. Alice writes the same plaintext, row by row, in a table of four columns

She then creates the ciphertext MMTAEEHREAEKTTP.

Keyed Transposition Ciphers

The keyless ciphers permute the characters by writing the plaintext in one way and reading it in another way. The permutation is done on the whole plaintext to create the whole ciphertext. Another method is to divide the plaintext into groups of predetermined size, called blocks, and then use a key to permute the characters in each block separately. Alice needs to send the message "Enemy attacks tonight" to Bob.

The key used for encryption and decryption is a permutation key, which shows how the characters are permuted.

The permutation yields

Combining Two Approaches

Double Transposition Ciphers
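An added example, not from the original notes: the rail fence and four-column transpositions of "Meet me at the park" from the text, with their inverses, and a keyed block transposition of "Enemy attacks tonight". The permutation key [2, 0, 3, 4, 1] and the padding letter z are assumptions, since the key figure is not reproduced on the page.

```python
def _letters(text):
    """Keep letters only, lower-cased, so 'Meet me at the park' becomes one run."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def rail_fence_encrypt(plaintext):
    """Two-rail zig-zag: even positions form the top row, odd positions the bottom row."""
    p = _letters(plaintext)
    return (p[0::2] + p[1::2]).upper()


def rail_fence_decrypt(ciphertext):
    half = (len(ciphertext) + 1) // 2          # top row holds the extra letter when odd
    top, bottom = ciphertext[:half], ciphertext[half:]
    return "".join(top[i // 2] if i % 2 == 0 else bottom[i // 2]
                   for i in range(len(ciphertext))).lower()


def columnar_encrypt(plaintext, columns):
    """Write row by row into `columns` columns, then read column by column."""
    p = _letters(plaintext)
    return "".join(p[c::columns] for c in range(columns)).upper()


def columnar_decrypt(ciphertext, columns):
    n = len(ciphertext)
    rows, extra = divmod(n, columns)           # the first `extra` columns are one longer
    cols, pos = [], 0
    for c in range(columns):
        size = rows + (1 if c < extra else 0)
        cols.append(ciphertext[pos:pos + size])
        pos += size
    return "".join(cols[i % columns][i // columns] for i in range(n)).lower()


def keyed_block_encrypt(plaintext, key, pad="z"):
    """Split into blocks of len(key); ciphertext position i takes block position key[i]."""
    p = _letters(plaintext)
    size = len(key)
    p += pad * (-len(p) % size)                # assumed padding so every block is full
    return "".join(p[b + k] for b in range(0, len(p), size) for k in key).upper()


if __name__ == "__main__":
    print(rail_fence_encrypt("Meet me at the park"))                     # MEMATEAKETETHPR
    print(columnar_encrypt("Meet me at the park", 4))                    # MMTAEEHREAEKTTP
    print(keyed_block_encrypt("Enemy attacks tonight", [2, 0, 3, 4, 1]))  # EEMYNTAACTTKONSHITZG
```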
