S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

2.3-Cipher Block Modes of operation


2.3-1 Model of Conventional Cryptosystems
The following figure, which is on the next page, illustrates the conventional
encryption process. The original plaintext is converted into apparently random
nonsense, called ciphertext. The encryption process consists of an algorithm
and a key. The key is a value independent of the plaintext. The algorithm will
produce a different output depending on the specific key being used at the time.
Changing the key changes the output of the algorithm, i.e., the ciphertext.
Once the ciphertext is produced, it may be transmitted. Upon reception, the
ciphertext can be transformed back to the original plaintext by using a decryption
algorithm and the same key that was used for encryption.

Figure 1: Model of Conventional Cryptosystem
[Figure labels: Message Source, Encryption Algorithm, Decryption Algorithm, Destination, Key Source, K, Secure Channel, Cryptanalyst, X^, Y^]

The security of conventional encryption depends on several factors:

The Encryption Algorithm - It must be powerful enough that it is impractical to decrypt a message on the basis of the ciphertext alone.

Secrecy of the key - It was shown that the security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm.

Sep. 23.2003

Referring to Fig. 1 above, with the message X and the encryption key K as input, the encryption algorithm forms the ciphertext
$$Y = E_K(X)$$
The intended receiver, in possession of the key, is able to invert the transformation
$$X = D_K(Y)$$
An opponent, observing Y but not having access to K or X, may attempt to
recover X or K or both X and K. It is assumed that the opponent knows the
encryption (E) and decryption (D) algorithms. If the opponent is interested in only
this particular message, then the focus of the effort is to recover X by generating
a plaintext estimate X^. Often, however, the opponent is interested in being able
to read future messages as well, in which case an attempt is made to recover K
by generating an estimate K^.
2.3-2 Cryptanalysis
The process of attempting to discover X or K or both is known as cryptanalysis.
The strategy used by the cryptanalyst depends on the nature of the encryption
scheme and the information available to the cryptanalyst.
The following table summarizes the various types of cryptanalytic attacks based
on the amount of information known to the cryptanalyst.

Table 1: Types of Attacks on Encrypted Message

Attack Type          Knowledge Known to Cryptanalyst

Ciphertext only      Encryption algorithm
                     Ciphertext to be decoded

Known Plaintext      Encryption algorithm
                     Ciphertext to be decoded
                     One or more plaintext-ciphertext pairs formed with
                     the same secret key

Chosen Plaintext     Encryption algorithm
                     Ciphertext to be decoded
                     Plaintext message chosen by cryptanalyst, together
                     with its corresponding ciphertext generated with
                     the same secret key

Chosen Ciphertext    Encryption algorithm
                     Ciphertext to be decoded
                     Purported ciphertext chosen by cryptanalyst,
                     together with its corresponding decrypted plaintext
                     generated with the secret key

Chosen text          Encryption algorithm
                     Ciphertext to be decoded
                     Plaintext message chosen by cryptanalyst, together
                     with its corresponding ciphertext generated with
                     the secret key
                     Purported ciphertext chosen by cryptanalyst,
                     together with its corresponding decrypted plaintext
                     generated with the secret key

2.3-3 Transposition Ciphers: Moving around

Changing the positions of plaintext letters is another enciphering technique. It is
called transposition, as in transferring position. Please note that many
newspapers have transposition puzzles called jumbles.
To illustrate this technique, let's do the following example.

Example 1:
Plaintext: last nite was heaven please marry me
We use a 5x6 grid to write the plaintext as:

L A S T N I
T E W A S H
E A V E N P
L E A S E M
A R R Y M E

(Read down.)

To encipher the text, we only read letters down the first column, then letters down
from the second column, and so on. The ciphered letters are the same as the
plaintext letters except that they are positioned to form a new pattern, as given
below.
Ciphertext:

LTELA AEAER SWVAR TAESY NSNEM IHPME

To decipher the received ciphertext, the receiver must know two things: the
length and width of the grid and the way letters are read from the grid.

Note 1:
The transposition cipher is also known as a permutation cipher. We
now give the mathematical description of the permutation cryptosystem as
follows:
Def: Permutation Cipher

Let m be a positive integer. Let P =C = (Z26)m and let K consist of all permutations
of {1, , m}. For a key (i.e., a permutation) , we define
e (x1, , x m)=( x(1), , x(m)) and
d (y1, , ym)=( y-1(1), , y-1(m)) ,
where -1 is the inverse permutation to .
Example 2: Suppose m = 6 and the key is the following permutation :
x      1  2  3  4  5  6
(x)    3  6  1  5  2  4

Note that the first row of this diagram lists the values of x, $1 \le x \le 6$, and the second
row lists the corresponding values of (x).
The inverse permutation -1 can be constructed by interchanging the two rows in
this diagram, and rearranging the columns so that the first row is in increasing
order. Thus, carrying out these operations, we get the following decryption
permutation -1 as:
x        1  2  3  4  5  6
-1(x)    3  5  1  6  4  2

Now, suppose we are given the plaintext


Plaintext: she sells seashells by the seashore
We first partition the plaintext into groups of six letters, and then rearrange each
group of six letters according to permutation . The result is shown in the
following 6x6 grid.
x    1  2  3  4  5  6
     E  E  S  L  S  H
     S  A  L  S  E  S
     L  S  H  B  L  E
     H  S  Y  E  E  T
     H
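
An added example (not part of the lecture notes) that carries Example 2 through in Python: it builds the inverse table by swapping and re-sorting the two rows, encrypts all five six-letter groups and decrypts them again. It assumes the key table is read as "the letter in position x moves to the position listed under x", which is the reading that reproduces the grid rows shown above; the function names are illustrative.

```python
"""Permutation cipher of Example 2 (added illustration, not from the notes)."""
from math import factorial

KEY = [3, 6, 1, 5, 2, 4]   # first table on the page: value listed under x = 1..6


def check(perm):
    if sorted(perm) != list(range(1, len(perm) + 1)):
        raise ValueError("key must be a permutation of 1..m")


def invert(perm):
    """Swap the two table rows and re-sort: inv[y] = x whenever perm[x] = y."""
    check(perm)
    inv = [0] * len(perm)
    for x, y in enumerate(perm, start=1):
        inv[y - 1] = x
    return inv


def move(block, perm):
    """Assumed reading: the letter in position x goes to position perm[x]."""
    out = [""] * len(perm)
    for x, letter in enumerate(block, start=1):
        out[perm[x - 1] - 1] = letter
    return "".join(out)


def blocks(text, m):
    letters = "".join(c for c in text.upper() if c.isalpha())
    if len(letters) % m:
        raise ValueError("text length must be a multiple of m")
    return [letters[i:i + m] for i in range(0, len(letters), m)]


def encrypt(text, perm):
    check(perm)
    return [move(b, perm) for b in blocks(text, len(perm))]


def decrypt(groups, perm):
    inv = invert(perm)
    return "".join(move(b, inv) for b in groups).lower()


def keyspace(m):
    """Number of possible keys: all permutations of 1..m."""
    return factorial(m)


if __name__ == "__main__":
    rows = encrypt("she sells seashells by the seashore", KEY)
    print("inverse table:", invert(KEY))
    print("grid rows    :", rows)
    print("decrypted    :", decrypt(rows, KEY))
    print("keys for m=6 :", keyspace(6))
```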

2.3-4 Hill Cipher


Another interesting multi-alphabetic cipher is the Hill cipher, developed by the
mathematician Lester Hill in 1929.
The idea is based on linear transposition. In fact, the permutation cipher is a special
case of the Hill cipher.

In this scheme, we take m linear combinations of the m successive plaintext
alphabetic characters and produce m ciphertext letters for them. The
substitution is determined by m linear equations in which each letter is assigned
its numerical value; i.e. {0, 1, 2, ..., 25} = Z26.
For m = 3, the system can be described as follows:
$$y_1 = (k_{11} x_1 + k_{12} x_2 + k_{13} x_3) \bmod 26$$
$$y_2 = (k_{21} x_1 + k_{22} x_2 + k_{23} x_3) \bmod 26$$
$$y_3 = (k_{31} x_1 + k_{32} x_2 + k_{33} x_3) \bmod 26$$

This can be expressed in terms of column vectors and matrices:

$$\begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix}$$

or in a compact form
$$Y = KX$$
where Y and X are column vectors of length 3, representing the ciphertext and
plaintext letters, and K is a 3×3 matrix, representing the encryption key.
Operations are performed mod 26. Decryption requires using the inverse of matrix
K.
Example 1: Consider the plaintext paymoremoney, and use the
encryption key

$$K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}$$

Find the resulting ciphertext.


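Solution:
Plaintext: paymoremoney

The first three letters of the plaintext are represented by the vector (x1, x2, x3) = (15, 0, 24).
Thus:

$$\begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix} = K \begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix} = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix} \begin{pmatrix} 15 \\ 0 \\ 24 \end{pmatrix}$$

That is:

$$\begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix} = \begin{pmatrix} 375 \\ 819 \\ 486 \end{pmatrix} \bmod 26 = \begin{pmatrix} 11 \\ 13 \\ 18 \end{pmatrix} = \begin{pmatrix} \text{L} \\ \text{N} \\ \text{S} \end{pmatrix}$$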
Continuing in this fashion, the ciphertext for the entire plaintext is:

Ciphertext: LNSHDLEWMTRW
Q.E.D.
Decryption requires using the inverse of the matrix K. The inverse $K^{-1}$ of a matrix
K is defined by the equation $K K^{-1} = K^{-1} K = I$, where I is the diagonal matrix that is
all zeros except for ones along the main diagonal from upper left to lower right.

Note 2:
The inverse of a matrix does not always exist, but when it does, it
satisfies the preceding equation.
Exercise 1:
Show that the inverse of matrix K used in the above example is

$$\begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$$

Note 3:
It is easily shown that if the matrix $K^{-1}$ is applied to the above
resulting ciphertext, then the plaintext can be recovered.

Exercise 2:
A cryptanalyst receives the following ciphertext:

LNSHDLEWMTRW

He has also estimated the decryption matrix from some previous analysis for this
Hill Cipher to be:

$$K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$$

What is the plaintext?


We now give a precise description of the Hill Cipher over Z26.
Definition:

Hill Cipher Cryptosystem

Let $m \ge 2$ be an integer. Let $P = C = (Z_{26})^m$ and let
$K = \{ m \times m \text{ invertible matrices over } Z_{26} \}$.
For a key K, we define:

$$C = E_K(P) = KP$$
$$P = D_K(C) = K^{-1} C = K^{-1} K P = P$$

Note 1:
Hill Cipher completely hides single-letter frequencies. Use of a
larger matrix hides more frequency information.

Note 2:
The weakness of the Hill Cipher is that it is easily broken with a
known plaintext attack.
To show this, suppose we have m plaintext-ciphertext pairs, each of length m.

Let
$$P_j = (P_{1j}, P_{2j}, \ldots, P_{mj})$$
$$C_j = (C_{1j}, C_{2j}, \ldots, C_{mj})$$
Therefore, we can write
$$C_j = K P_j, \quad 1 \le j \le m$$
for some unknown key matrix K.

We now define the following two m×m square matrices:
$$X = (P_{ij})$$
$$Y = (C_{ij})$$
Then, we can form the matrix equation $Y = XK$.
Now, we can find the unknown key matrix K from the equation $K = X^{-1} Y$.
Let us illustrate the above attack by a simple example.
Let us illustrate the above attack by a simple example.
Example 2: It is known that the plaintext friday is encrypted using a 2×2 Hill
Cipher to yield the ciphertext PQCFKU. Find the key matrix K for this
cryptosystem.
Solution:
Plaintext:    f   r   i   d   a   y
Pij:          5   17  8   3   0   24
Ciphertext:   P   Q   C   F   K   U
Cij:          15  16  2   5   10  20

For the unknown key matrix K, we can write the following plaintext-ciphertext
pairs:
$$K P_j = C_j, \quad 1 \le j \le m$$
Using the first two plaintext-ciphertext pairs, we can write the following matrix
equation:
$$\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix} K \bmod 26$$
$$K = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix}^{-1} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} \bmod 26 = \begin{pmatrix} 9 & 1 \\ 2 & 15 \end{pmatrix} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} \bmod 26 = \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix}$$
Therefore, we obtained the key matrix! The result can be verified by testing the
remaining plaintext-ciphertext pair.
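
An added example (not from the lecture notes) covering both Example 1 and the known-plaintext attack of Example 2: Hill encryption with the column convention Y = KX, the key inverse mod 26 via the adjugate, and key recovery from known pairs with the row convention Y = XK. The function names are illustrative, and the recovery routine goes slightly beyond the text by searching the known pairs for any m blocks whose plaintext matrix is invertible mod 26.

```python
"""Hill cipher over Z26 (added illustration, not from the lecture notes)."""
from itertools import combinations
from math import gcd

M = 26
K = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]   # key of Example 1

def nums(text):
    return [ord(c) - 97 for c in text.lower() if c.isalpha()]

def mul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) % M for col in zip(*b)]
            for row in a]

def det(a):
    if not a:
        return 1
    # Laplace expansion along the first row; fine for small key sizes
    return sum((-1) ** j * a[0][j] * det([r[:j] + r[j + 1:] for r in a[1:]])
               for j in range(len(a)))

def inverse(a):
    """Inverse mod 26 via the adjugate; exists only if gcd(det, 26) = 1."""
    d = det(a) % M
    if gcd(d, M) != 1:
        raise ValueError("matrix is not invertible mod 26")
    d_inv, n = pow(d, -1, M), len(a)
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [r[:j] + r[j + 1:] for k, r in enumerate(a) if k != i]
            inv[j][i] = (-1) ** (i + j) * det(minor) * d_inv % M
    return inv

def hill(text, key):
    """Column convention of Example 1: every block X becomes Y = K X mod 26."""
    p, m = nums(text), len(key)
    if len(p) % m:
        raise ValueError("text length must be a multiple of the block size")
    out = []
    for i in range(0, len(p), m):
        out += [row[0] for row in mul(key, [[x] for x in p[i:i + m]])]
    return "".join(chr(v + 65) for v in out)

def recover_key(plain, cipher, m):
    """Row convention of the attack: Y = X K, hence K = X^-1 Y mod 26."""
    p, c = nums(plain), nums(cipher)
    pairs = [(p[i:i + m], c[i:i + m]) for i in range(0, len(p) - m + 1, m)]
    for pick in combinations(pairs, m):      # need m pairs with invertible X
        try:
            return mul(inverse([x for x, _ in pick]), [y for _, y in pick])
        except ValueError:
            continue
    raise ValueError("no invertible plaintext matrix among the known pairs")

def transpose(a):
    return [list(r) for r in zip(*a)]

if __name__ == "__main__":
    ct = hill("paymoremoney", K)
    print(ct, inverse(K), hill(ct, inverse(K)))
    k2 = recover_key("friday", "PQCFKU", 2)
    # P K with row vectors equals K^T P with column vectors
    print(k2, hill("friday", transpose(k2)))
```

The recovered 2×2 key is checked against the third pair (ay, KU) simply by re-encrypting the whole plaintext, which is the verification the text suggests.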
From the above example and other examples worked out so far, we
may conclude that neither substitution nor transposition cipher schemes are
strong enough to withstand cryptanalytic attacks. One may find that using the two
types together creates much better concealment than either method above. In
fact, using substitution and transposition cipher methods repeatedly on ciphertext
provides strong disguising patterns.
Note 3:
We will discuss this scheme in the next chapter.

Exercise 2:
Why are transposition ciphers used if they are so easy to crack?

Answer:
Transposition can be looked at as a set of instructions, one instruction
for each letter, easily implemented by a computer, and it can be difficult to crack if
it is repeatedly used on the same plaintext!
Exercise 3: Repeat the transposition cipher used in Exercise 1 (on page 17)
twice for the plaintext used:
Solution:

Plaintext: lastnitewasheavenpleasemarryme
1st transposed ciphertext: LTELAAEAERSWVARTAESYNSNEMIHPME
2nd transposed ciphertext: LEVSMTAAYIEERNHLRTSPASANMAWEE

[Figure: grids for the two transposition passes, read down. (a) 1st transposed cipher: "last nite was heaven please marry me" giving LTELA AEAER SWVAR TAESY NSNEM IHPME. (b) The ou]

Cryptography:
Cryptographic systems are characterized along three independent dimensions.

The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost. Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.

The number of keys used. If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver each use a different key, the system is referred to as asymmetric, two-key, or public-key encryption.

The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.
Cryptanalysis:
There are two general approaches to attacking a
conventional encryption scheme:
Cryptanalysis:
Cryptanalytic attacks rely on the nature of the
algorithm plus perhaps some knowledge of the
general characteristics of the plaintext or even
some sample plaintext-cipher text pairs. This
type of attack exploits the characteristics of the
algorithm to attempt to deduce a specific
plaintext or to deduce the key being used. If the
attack succeeds in deducing the key, the effect
is catastrophic: All future and past messages
encrypted with that key are compromised.

Brute-force attack:
The attacker tries every possible key on a piece
of cipher text until an intelligible translation into
plaintext is obtained. On average, half of all
possible keys must be tried to achieve success.
Classical Encryption Techniques:
A study of these techniques enables us to illustrate the basic approaches to symmetric encryption used today and the types of cryptanalytic attacks that must be anticipated.
The two basic building blocks of all encryption techniques are substitution and transposition. We examine these in the next two sections. Finally, we discuss a system that combines both substitution and transposition.
Substitution Techniques:
A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.
Caesar Cipher:
The earliest known use of a substitution cipher,
and the simplest, was by Julius Caesar. The
Caesar cipher involves replacing each letter of
the alphabet with the letter standing three
places further down the alphabet. For example
Plain: meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB
Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the transformation by listing all possibilities, as follows:
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numeric equivalent to each letter:
Then the algorithm can be expressed as follows. For each plaintext letter p, substitute the cipher letter C:

$$C = E(p) = (p + 3) \bmod 26$$

A shift may be of any amount, so that the general Caesar algorithm is

$$C = E(p) = (p + k) \bmod 26$$

where k takes on a value in the range 1 to 25. The decryption algorithm is simply

$$p = D(C) = (C - k) \bmod 26$$


Transposition Techniques:
All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher.
The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. For example, to encipher the message "meet me after the toga party" with a rail fence of depth 2, we write the following.

m e m a t r h t g p r y
 e t e f e t e o a a t

The encrypted message is
MEMATRHTGPRYETEFETEOAAT
This sort of thing would be trivial to cryptanalyze. A more complex scheme is to write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm. For example,

Key:         4 3 1 2 5 6 7
Plaintext:   a t t a c k p
             o s t p o n e
             d u n t i l t
             w o a m x y z
Ciphertext:  TTNAAPTMTSUOAODWCOIXKNLYPETZ
A pure transposition cipher is easily recognized
because it has the same letter frequencies as
the original plaintext. For the type of columnar
transposition just shown, cryptanalysis is fairly
straightforward and involves laying out the
cipher text in a matrix and playing around with
column positions. Digram and trigram frequency
tables can be useful.
The transposition cipher can be made significantly more secure by performing more than one stage of transposition. The result is a more complex permutation that is not easily reconstructed. Thus, if the foregoing message is re-encrypted using the algorithm:
Key:     4 3 1 2 5 6 7
Input:   t t n a a p t
         m t s u o a o
         d w c o i x k
         n l y p e t z
Output:  NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
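
An added example (not from the lecture notes) of the keyed columnar transposition above, with decryption and the two-stage encryption. The letter-count comparison shows that even the two-stage output keeps exactly the plaintext's letter frequencies, which is how a pure transposition is recognized; the function names are illustrative.

```python
"""Keyed columnar transposition (added illustration, not from the notes)."""
from collections import Counter

KEY = [4, 3, 1, 2, 5, 6, 7]   # column labels from the page's example


def letters(text, key):
    if sorted(key) != list(range(1, len(key) + 1)):
        raise ValueError("key must be a permutation of 1..n")
    s = "".join(c for c in text.upper() if c.isalpha())
    if len(s) % len(key):
        raise ValueError("pad the text so that it fills the rectangle")
    return s


def encrypt(text, key):
    """Write row by row under the key, read off the columns labelled 1, 2, ..."""
    s, w = letters(text, key), len(key)
    return "".join(s[key.index(label)::w] for label in range(1, w + 1))


def decrypt(cipher, key):
    """Refill the columns in label order, then read the rectangle row by row."""
    s, w = letters(cipher, key), len(key)
    rows = len(s) // w
    grid = [""] * len(s)
    for n, label in enumerate(range(1, w + 1)):
        col = key.index(label)
        for r in range(rows):
            grid[r * w + col] = s[n * rows + r]
    return "".join(grid)


def same_letter_counts(a, b):
    """True when b is a rearrangement of a: the mark of pure transposition."""
    return Counter(letters(a, [1])) == Counter(letters(b, [1]))


if __name__ == "__main__":
    pt = "attackpostponeduntiltwoamxyz"
    once = encrypt(pt, KEY)
    twice = encrypt(once, KEY)
    print("stage 1:", once)
    print("stage 2:", twice)
    print("decrypted:", decrypt(decrypt(twice, KEY), KEY))
    print("counts unchanged:", same_letter_counts(pt, once),
          same_letter_counts(pt, twice))
```

With the identity key `[1, 2, 3, 4, 5, 6]` the same `encrypt` reproduces the read-down grid of Example 1 in section 2.3-3.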
Modern Techniques:
Virtually all symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher. We begin with a comparison of stream ciphers and block ciphers.
Stream ciphers:
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream ciphers are the autokeyed Vigenere cipher and the Vernam cipher.
Block ciphers:
A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used. Using some of the modes of operation explained later in this chapter, a block cipher can be used to achieve the same effect as a stream cipher. Far more effort has gone into analyzing block ciphers. In general, they seem applicable to a broader range of applications than stream ciphers. The vast majority of network-based symmetric cryptographic applications make use of block ciphers.
Diffusion and Confusion:
The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Shannon's concern was to thwart cryptanalysis based on statistical analysis. The reasoning is as follows. Assume the attacker has some knowledge of the statistical characteristics of the plaintext. For example, in a human-readable message in some language, the frequency distribution of the various letters may be known. Or there may be words or phrases likely to appear in the message. If these statistics are in any way reflected in the ciphertext, the cryptanalyst may be able to deduce the encryption key, or part of the key, or at least a set of keys likely to contain the exact key.
Other than recourse to ideal systems, Shannon suggests two methods for frustrating statistical cryptanalysis: diffusion and confusion.
In diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits, which is equivalent to saying that each ciphertext digit is affected by many plaintext digits. An example of diffusion is to encrypt a message M = m1, m2, m3, ... of characters with an averaging operation:

$$Y_n = \sum_{i=1}^{k} m_{n+i} \pmod{26}$$

adding k successive letters to get a ciphertext letter Yn. One can show that the statistical structure of the plaintext has been dissipated. Thus the letter frequencies in the ciphertext will be more nearly equal than in the plaintext; the digram frequencies will also be more nearly equal, and so on. In a binary block cipher, diffusion can be achieved by repeatedly performing some permutation of the data followed by applying a function to that permutation; the effect is that bits from different positions in the original plaintext contribute to a single bit of ciphertext.
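
An added example (not from the lecture notes) of the averaging operation above: it computes Y_n over a sliding window and compares the index of coincidence of the plaintext with that of the output, a standard measure of how uneven the letter frequencies are. The sample sentence is constructed, the function names are illustrative, and the window is assumed not to wrap around at the end of the message.

```python
"""Shannon's averaging example of diffusion (added illustration)."""
from collections import Counter

# Constructed sample text, used only to have realistic English statistics
SAMPLE = ("the security of conventional encryption depends on the secrecy of "
          "the key not the secrecy of the algorithm and an opponent who observes "
          "the ciphertext is assumed to know both algorithms")


def nums(text):
    return [ord(c) - 97 for c in text.lower() if c.isalpha()]


def diffuse(text, k):
    """Y_n = sum of k successive letters mod 26, for every full window.

    Assumption: no wrap-around at the end, so the output is k-1 letters shorter.
    """
    m = nums(text)
    if not 1 <= k <= len(m):
        raise ValueError("k must be between 1 and the message length")
    window = sum(m[:k])
    out = [window % 26]
    for n in range(k, len(m)):
        window += m[n] - m[n - k]        # slide the window by one letter
        out.append(window % 26)
    return "".join(chr(v + 65) for v in out)


def index_of_coincidence(text):
    """Probability that two letters drawn from the text are equal.

    About 1/26 = 0.038 for uniformly random letters, higher for English.
    """
    counts = Counter(nums(text))
    n = sum(counts.values())
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


if __name__ == "__main__":
    print("plaintext IC: %.4f" % index_of_coincidence(SAMPLE))
    for k in (2, 3, 5, 8):
        print("k = %d   IC: %.4f" % (k, index_of_coincidence(diffuse(SAMPLE, k))))
```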
Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce that key. On the other hand, confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. Thus, even if the attacker can get some handle on the statistics of this, as Federal Information Processing Standards 46 (FIPS pub 46). The algorithm itself is referred to as the Data Encryption Algorithm (DEA). For DES, data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms 64-bit input in a series of steps into a 64-bit output. The same steps, with the same key, are used to reverse the encryption.
