Deciphering. Suppose we begin with $C = R_r R_{r-1} = R'_{-1} R'_0$, and a reversed key sequence $K'_1, K'_2, \ldots, K'_r = K_r, K_{r-1}, \ldots, K_1$. The deciphering follows the same algorithm as enciphering with respect to this key sequence:

$$R'_{j+1} = R'_{j-1} \oplus f_{K'_{j+1}}(R'_j). \tag{5.2}$$

Setting $j = r - i - 1$, we have $K'_{j+1} = K'_{r-i} = K_{i+1}$. We moreover want to show the relations

$$R'_{-1} = R_r,\quad R'_0 = R_{r-1},\quad \ldots,\quad R'_{r-1} = R_0,\quad R'_r = R_{-1}.$$

In other words, we want to show that $R'_j = R_i$ whenever $i + j = r - 1$.

Clearly this relation holds for $(i, j) = (r, -1)$ and $(i, j) = (r - 1, 0)$. Assuming it holds for $j - 1$ and $j$ we prove that it holds for $j + 1$. The deciphering sequence (5.2) can be replaced by

$$R'_{j+1} = R'_{j-1} \oplus f_{K'_{j+1}}(R'_j) = R'_{r-i-2} \oplus f_{K'_{r-i}}(R'_{r-i-1}) = R_{i+1} \oplus f_{K_{i+1}}(R_i).$$

The expression $R_{i+1} = R_{i-1} \oplus f_{K_{i+1}}(R_i)$ in (5.2) can be rearranged by adding (= subtracting) $f_{K_{i+1}}(R_i)$ to both sides to get $R_{i+1} \oplus f_{K_{i+1}}(R_i) = R_{i-1}$. We conclude that $R'_{j+1} = R_{i-1}$, so the equality holds by induction.

Example 5.1 (Feistel cipher) Let $f_{K_i}$ be the block cipher, of block length 4, which is the composition of the following maps:

1. The transposition cipher $T = [4, 2, 1, 3]$; followed by
2. A bit-sum with the 4-bit key $K_i$; followed by
3. A substitution cipher $S$ applied to the 2-bit blocks
   $S(00) = 10$, $S(10) = 01$, $S(01) = 11$, $S(11) = 00$,
   i.e. $b_1 b_2 b_3 b_4 \mapsto S(b_1 b_2) S(b_3 b_4)$.

Let $C$ be the 3-round Feistel cryptosystem of key length 12, where the three internal keys $K_1, K_2, K_3$ are the first, second, and third parts of the input key $K$, and the round function is $f_{K_i}$.

Exercise. Compute the enciphering of the text $M = 11010100$, using the key $K = 001011110011$.
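The deciphering argument and Example 5.1 above, as an added Python example (not code from the book): it runs the recurrence $R_{i+1} = R_{i-1} \oplus f_{K_{i+1}}(R_i)$ on the exercise's message and key, then checks that deciphering with the reversed key sequence retraces the enciphering states in reverse order. The function names are chosen here, and reading $T = [4, 2, 1, 3]$ as "output position $i$ takes input bit $T[i]$" is an assumption.

```python
T = [4, 2, 1, 3]                                      # transposition from Example 5.1
S = {"00": "10", "10": "01", "01": "11", "11": "00"}  # 2-bit substitution from Example 5.1

def xor(a, b):
    """Bit-sum (XOR) of two equal-length bit strings."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def f(key, block):
    """Round function f_K: transposition T, bit-sum with K, then S on each 2-bit block."""
    # Assumption: output position i receives input bit T[i] (b1b2b3b4 -> b4b2b1b3).
    t = "".join(block[p - 1] for p in T)
    x = xor(t, key)
    return S[x[:2]] + S[x[2:]]

def feistel(text, keys):
    """Apply R_{i+1} = R_{i-1} XOR f_{K_{i+1}}(R_i) for each key.

    Returns (R_r R_{r-1}, [R_{-1}, R_0, ..., R_r])."""
    half = len(text) // 2
    states = [text[:half], text[half:]]               # R_{-1}, R_0
    for k in keys:
        states.append(xor(states[-2], f(k, states[-1])))
    return states[-1] + states[-2], states

def split_key(key, rounds=3):
    """Internal keys K_1..K_r are the consecutive equal parts of the input key."""
    n = len(key) // rounds
    return [key[i * n:(i + 1) * n] for i in range(rounds)]

def encipher(message, key):
    return feistel(message, split_key(key))[0]

def decipher(ciphertext, key):
    # Same algorithm as enciphering, with the reversed key sequence K'_j = K_{r+1-j}.
    return feistel(ciphertext, split_key(key)[::-1])[0]

if __name__ == "__main__":
    M, K = "11010100", "001011110011"                 # values from the Exercise
    C, R = feistel(M, split_key(K))
    _, Rp = feistel(C, split_key(K)[::-1])
    print("C =", C)
    # Claim of the proof: R'_j = R_i whenever i + j = r - 1, i.e. the
    # deciphering states are the enciphering states in reverse order.
    print("R' reversed equals R:", Rp[::-1] == R)
    print("decipher(C) == M:", decipher(C, K) == M)
```

The round function is never inverted: only the XOR is undone, which is why deciphering works for any choice of $f_{K_i}$.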
5.2 Digital Encryption Standard Overview

The DES is a 16-round Feistel cipher, which is preceded and followed by an initial permutation $IP$ and its inverse $IP^{-1}$. That is, we start with a message $M$, and take $L_0 R_0 = IP(M)$ as input to the Feistel cipher, with output $IP^{-1}(R_{16} L_{16})$. The 64 bits of the key are used to generate 16 internal keys, each of 48 bits. The steps of the round function $f_K$ are given by the following sequence, acting on 32-bit strings, expanding them to 48-bit strings, and applying a 48-bit block function.

1. Apply a fixed expansion permutation $E$ — this function is a permutation of the 32 bits with repetitions to generate a 48-bit block $E(R_i)$.
2. Compute the bit-sum of $E(R_i)$ with the 48-bit key $K_i$, and write this as 8 blocks $B_1, \ldots, B_8$ of 6 bits each.
3. Apply to each block $B_j = b_1 b_2 b_3 b_4 b_5 b_6$ a substitution $S_j$. These substitutions are specified by S-boxes, which describe the substitution as a look-up table. The output of the substitution cipher is a 4-bit string $C_j$, which results in the 32-bit string $C_1 C_2 C_3 C_4 C_5 C_6 C_7 C_8$.
4. Apply a fixed 32-bit permutation $P$ to $C_1 C_2 C_3 C_4 C_5 C_6 C_7 C_8$, and output the result as $f_{K_i}(R)$.

This completes the description of the round function $f_{K_i}$.

5.3 Advanced Encryption Standard Overview

In 1997, the NIST called for submissions for a new standard to replace the aging DES. The contest terminated in November 2000 with the selection of the Rijndael cryptosystem as the Advanced Encryption Standard (AES).

The Rijndael cryptosystem operates on 128-bit blocks, arranged as 4 × 4 matrices with 8-bit entries. The algorithm consists of multiple iterations of a round cipher, each of which is the composition of the following four basic steps:

• ByteSub transformation. This step is a nonlinear substitution, given by an S-box (lookup table), designed to resist linear and differential cryptanalysis.
• ShiftRow transformation. Provides a linear mixing for diffusion of plaintext bits.
• MixColumn transformation. Provides a similar mixing as in the ShiftRow step.
• AddRoundKey transformation. Bitwise XOR with the round key.
Author: David R. Kohel