1
00:00:21,289 --> 00:00:27,179
Welcome to today's class on Symmetric Key
ciphers. So, the objectives of today's class,
2
00:00:27,179 --> 00:00:33,590
as we follow, that first we will start with
definition of, symmetric types of, symmetric
3
00:00:33,590 --> 00:00:37,399
key ciphers. So, essentially, what I mean
to say is that, we have two, as we have discussed,
4
00:00:37,399 --> 00:00:41,470
that there are two classes of ciphers, one
is called symmetric ciphers and other one
5
00:00:41,470 --> 00:00:45,269
is called asymmetric ciphers.
So, we will try to understand, what is the
6
00:00:45,269 --> 00:00:50,239
symmetricity? What is the implication of symmetricity
in that kind of ciphers? And then, talk about
7
00:00:50,239 --> 00:00:53,250
something called, full size and partial size
key ciphers.
8
00:00:53,250 --> 00:00:59,619
So, we will follow that up with discussions
on certain components of modern block ciphers;
9
00:00:59,619 --> 00:01:05,560
so they are as follows, like P-box, S-box,
which we called as permutation box and substitution
10
00:01:05,560 --> 00:01:10,280
box, and then discuss about another component,
a very simple component called swap, but very
11
00:01:10,280 --> 00:01:13,810
useful component.
And then discuss about certain properties
12
00:01:13,810 --> 00:01:18,380
of the Exclusive OR function, because that
is very, sort of, central to the construction
13
00:01:18,380 --> 00:01:23,540
of present block ciphers. And then, discuss
about another concept, which Shannon gave
14
00:01:23,540 --> 00:01:28,500
in his paper, is called diffusion and confusion,
and try to understand, how modern block ciphers
15
00:01:28,500 --> 00:01:34,850
achieve them. And then, conclude with discussion
on two types of block ciphers, they are called
16
00:01:34,850 --> 00:01:37,830
Feistel block ciphers and non-Feistel block
ciphers.
17
00:01:37,830 --> 00:01:43,880
So, we straightaway start with the symmetric
key setting; this is a sort of a diagram,
18
00:01:43,880 --> 00:01:48,150
which shows what a symmetric key setting looks
like. So, you will see that there are two
19
00:01:48,150 --> 00:01:53,310
players in this game, one is called Alice
and the other one is called Bob. So, Alice
20
00:01:53,310 --> 00:01:58,580
and Bob, essentially, they want to communicate
certain secret data over a communication channel.
21
00:01:58,580 --> 00:02:03,580
So, therefore, you have, there are two parts
of, I mean, two ends of, one is the sender
22
00:02:03,580 --> 00:02:07,439
and the other one is the receiver. So, we
have an encrypting algorithm called E and
23
00:02:07,439 --> 00:02:12,569
we have a decrypting algorithm called D. So,
the encrypting algorithm uses a key, which
24
00:02:12,569 --> 00:02:19,439
is denoted by K a and the decrypting algorithm
uses a key which is denoted by K b. So, there
25
00:02:19,439 --> 00:02:25,250
is an eavesdropper whose name is Eve, who tries
to sneak into the communication channel and
26
00:02:25,250 --> 00:02:29,439
his objective is to understand what is the
message.
27
00:02:29,439 --> 00:02:35,689
So, therefore, Alice and Bob are trying to
use cryptography or encryption to stop Eve
28
00:02:35,689 --> 00:02:40,769
from knowing what he is not supposed to know,
essentially. So, therefore, you will find
29
00:02:40,769 --> 00:02:45,799
that the, what are the assumptions? The assumptions
are that K a is the encryption key and K b
30
00:02:45,799 --> 00:02:48,889
is the decryption key.
So, therefore, the encryption key is denoted
31
00:02:48,889 --> 00:02:55,059
by K a, and decryption key is denoted by K
b, and in the symmetric key setting the assumption
32
00:02:55,059 --> 00:03:00,139
is that K a and K b are the same; therefore,
the encrypting key and the decrypting key
33
00:03:00,139 --> 00:03:04,680
are the same things as in there.
So, therefore, for symmetric key ciphers,
34
00:03:04,680 --> 00:03:10,029
K a is equal to K b as opposed to the asymmetric
key setting, that there is a slight distinction,
35
00:03:10,029 --> 00:03:16,079
which you will discuss in the following classes.
So, our assumption is that only Alice and
36
00:03:16,079 --> 00:03:21,519
Bob know the values of K a or K b.
So, therefore, Eve does not have the key material,
37
00:03:21,519 --> 00:03:26,409
but Eve knows the encrypting algorithm and
the decrypting algorithm, but he does not
38
00:03:26,409 --> 00:03:32,329
know, what is the value of the key? That is
only what Eve does not know and the objective
39
00:03:32,329 --> 00:03:36,779
of Eve too, is to understand the corresponding
value of the message. So, that is essentially
40
00:03:36,779 --> 00:03:41,230
setting of the symmetric key ciphers.
But the setting of symmetric key ciphers and
41
00:03:41,230 --> 00:03:45,249
as in this particular setting, where your
encryption algorithm or decryption algorithm
42
00:03:45,249 --> 00:03:50,709
are in public domain, where only the secret,
that is, the key is not known to the attacker
43
00:03:50,709 --> 00:03:56,709
or the adversary, you have to provide a guarantee
of security. And as we discussed in our previous
44
00:03:56,709 --> 00:04:03,709
classes, that security against an unbounded
adversary is quite difficult to achieve, but
45
00:04:04,059 --> 00:04:09,849
what we are striving to achieve in our classes
is what we know as, computational security.
46
00:04:09,849 --> 00:04:15,449
So, Eve has access to E, D and the communication
channel, but does not know the key K a or
47
00:04:15,449 --> 00:04:21,680
K b, and how do I provide a guarantee of security
to Alice and Bob? So, that is we will try
48
00:04:21,680 --> 00:04:27,150
to see under these setting. So, the obvious
problem here, I mean, although we will not
49
00:04:27,150 --> 00:04:33,389
discuss right now, right away, right now,
so is, how do Alice and Bob share this
50
00:04:33,389 --> 00:04:38,180
piece of information that is the key. So,
that is called the key distribution problem.
51
00:04:38,180 --> 00:04:43,630
So, we will come to that later on, but essentially
we are assuming at this point, that there
52
00:04:43,630 --> 00:04:47,880
is a secret channel through which Alice and
Bob have established the encrypting and the
53
00:04:47,880 --> 00:04:51,830
decrypting key.
But that, that, the point is that to be known,
54
00:04:51,830 --> 00:04:55,730
I mean, to be noted here is that, here what
we are encrypting is large, large traffic
55
00:04:55,730 --> 00:05:00,110
of information and what we are exchanging
is a comparatively small bit of data.
56
00:05:00,110 --> 00:05:05,430
So, therefore, we are, we are assuming, rather
is, it is a practical assumption to make that
57
00:05:05,430 --> 00:05:09,270
although we have a secret channel through
which we are establishing the key, but we
58
00:05:09,270 --> 00:05:14,700
are using that for a very small quantity of
data because we value that channel; that channel
59
00:05:14,700 --> 00:05:19,090
is quite, supposedly quite costly.
60
00:05:19,090 --> 00:05:26,090
So, the types of symmetric key ciphers that
essentially we will encounter are two-fold,
61
00:05:26,120 --> 00:05:31,230
is called block ciphers and stream ciphers.
So, block ciphers, as the name suggests is,
62
00:05:31,230 --> 00:05:36,360
when we are encrypting a block of data. And
in symmetric key ciphers, if we just replace
63
00:05:36,360 --> 00:05:40,790
or rather substitute, that if we assume that
the block size is 1, that is, if you process
64
00:05:40,790 --> 00:05:43,140
1 bit at a time, it is known as the stream
ciphers.
65
00:05:43,140 --> 00:05:47,660
So, it is supposedly, as streams of data are
coming in and they are getting encrypted.
66
00:05:47,660 --> 00:05:53,620
So, we will start with block ciphers and that
is the objective of today's class. Therefore,
67
00:05:53,620 --> 00:05:58,310
as you see, that essentially, we are handling
tons of data, we are handling blocks of data;
68
00:05:58,310 --> 00:06:03,980
so therefore, let us try to understand, how
block ciphers work? So, this is the black
69
00:06:03,980 --> 00:06:09,830
box and we will be trying to go into the black
box.
70
00:06:09,830 --> 00:06:13,860
As we told, that we are striving to achieve
computational security, so the thumb rule
71
00:06:13,860 --> 00:06:20,370
is 2 power 80 is, as in today's computational
power, we say that 2 power of 80 is the reasonable
72
00:06:20,370 --> 00:06:23,680
amount of security; therefore, anything beyond
80 bits would be quite o.k.
73
00:06:23,680 --> 00:06:29,640
So, this, the answer to your question is actually
time dependent, what is today correct may
74
00:06:29,640 --> 00:06:36,640
not be correct ten years later. So, therefore,
what is a block cipher? A block cipher is
75
00:06:37,560 --> 00:06:42,110
a symmetric key modern cipher, which encrypts
an n-bit block of plain text or decrypts an
76
00:06:42,110 --> 00:06:47,450
n-bit block of cipher text. Therefore, it
works on n-bits at a time.
77
00:06:47,450 --> 00:06:53,870
So, obviously, we, we understand that if the
message is not a multiple of n bits, then
78
00:06:53,870 --> 00:06:58,740
what do we do? If it is less, the size is
less than n bits, then we will pad it and
79
00:06:58,740 --> 00:07:03,840
pad it by, say, 0s and make it n bits, and
if it is greater than n bits, but it is not
80
00:07:03,840 --> 00:07:09,270
a multiple of n, then what we do is that we
divide them into n bit blocks, and the last
81
00:07:09,270 --> 00:07:14,030
block, which is left is obviously, lesser
than n bits; in that case, we also pad the
82
00:07:14,030 --> 00:07:19,639
last block and make it equal to n bits. Therefore,
we perform padding if it is not a multiple
83
00:07:19,639 --> 00:07:24,670
of n bits. So, we can therefore, for all our
discussions, we can assume that the message
84
00:07:24,670 --> 00:07:29,380
is actually a multiple of n bits; it does
not really make any difference to what we
85
00:07:29,380 --> 00:07:32,960
will discuss in this class.
86
00:07:32,960 --> 00:07:39,680
So, first we will start with the concept of
full size key ciphers. Therefore, let us,
87
00:07:39,680 --> 00:07:44,490
we have seen two kinds of ciphers - one, former
classical discussions where you have seen,
88
00:07:44,490 --> 00:07:48,830
that there are, we have got the class of ciphers
called transposition ciphers and there is
89
00:07:48,830 --> 00:07:52,280
another class, which is called substitution
ciphers.
90
00:07:52,280 --> 00:07:57,310
So, what were transposition ciphers? What
was it involved with? It was involved with
91
00:07:57,310 --> 00:08:02,460
essentially, the rearrangement of the bits.
Therefore, consider that we make an n bit
92
00:08:02,460 --> 00:08:07,930
cipher or n bit block cipher using the transposition
function only, so then, what does it encompass?
93
00:08:07,930 --> 00:08:13,200
It encompasses rearrangement of the bits.
So, how many such rearrangements are possible?
94
00:08:13,200 --> 00:08:18,380
Obviously, n factorial. So, therefore, if
I just try to encode each particular rearrangement
95
00:08:18,380 --> 00:08:22,940
by one value of the key, then how many values
of the keys do we require? We require log
96
00:08:22,940 --> 00:08:27,320
n factorial base 2, such, so many number of
bits and we will for example, ceil log.
97
00:08:27,320 --> 00:08:32,430
So, therefore, it is the ceiling of log n
factorial base 2; so many amount of keys are
98
00:08:32,430 --> 00:08:39,430
required if we want to encode each and every
possible transposition. So, as opposed to
99
00:08:39,940 --> 00:08:44,260
that, suppose this was a substitution cipher,
then what would have been the size of the
100
00:08:44,260 --> 00:08:50,070
key? So, consider for example, that in a case
of, in a substitution cipher it does not transpose
101
00:08:50,070 --> 00:08:53,620
the bits, but it was essentially substituting
the values.
102
00:08:53,620 --> 00:09:00,620
So, therefore, can we model this as a permutation?
Can we model a substitution as a permutation?
103
00:09:00,809 --> 00:09:07,449
So, what was important to, yes we can do that
right, because the object, because the point
104
00:09:07,449 --> 00:09:11,759
that we observe is that what, when we, if
we do substitution, the mapping is still one-to-one.
105
00:09:11,759 --> 00:09:18,490
So, therefore, in a substitution cipher, also
if you, for example consider a 3-bit substitution
106
00:09:18,490 --> 00:09:22,769
ciphers, then we can actually encode this
in the form of a table. Therefore, we can
107
00:09:22,769 --> 00:09:28,870
say that a 3-bit substitution cipher, all
the inputs if we denote in the form of a table,
108
00:09:28,870 --> 00:09:35,870
would be like 0, 1, 2, 3, 4, 5, 6 and 7.
So, therefore, all, for all these possible,
109
00:09:38,309 --> 00:09:45,189
so therefore, for all these possible inputs,
we essentially allocate or substitute them
110
00:09:45,189 --> 00:09:52,189
by some other values. So, therefore, if I
consider a 3-bit substitution cipher, so essentially
111
00:09:54,439 --> 00:10:01,439
they, for example, if I just substitute 0
by say 7, 1 I would have substituted by some
112
00:10:02,259 --> 00:10:07,160
other value, so therefore, it could be say,
4 or something like that. Therefore, just
113
00:10:07,160 --> 00:10:12,220
imagine, therefore, if I just fill up this
with some, some, such essential values, so
114
00:10:12,220 --> 00:10:16,480
that is a, therefore for example, we can fill
up this with say 3, we can fill up this we
115
00:10:16,480 --> 00:10:22,040
say 2, we can fill up this with 1, 0, 6 and
5.
116
00:10:22,040 --> 00:10:26,999
So, what is the observation value we make
out here? Is that the output of this table
117
00:10:26,999 --> 00:10:31,499
is nothing but a rearrangement of these 8
terms. So, how many are possible, rearrangements
118
00:10:31,499 --> 00:10:38,079
are possible? It is 8 factorial. So, therefore,
number of possible rearrangements, number
119
00:10:38,079 --> 00:10:45,079
of possible rearrangements
is equal to 8 factorial.
So, therefore, how many, so if I represent
120
00:10:49,819 --> 00:10:56,819
them by, by keys, what would have been the
size of the key? The size of the key would
121
00:10:58,240 --> 00:11:05,240
have been log 8 factorial base 2 and ceiling
of that. So, therefore, you note that in our
122
00:11:08,279 --> 00:11:14,160
previous case when we had a, when we are discussing
about a permutation cipher and a 3-bit permutation
123
00:11:14,160 --> 00:11:21,160
cipher, so in case of, in case of a 3-bit
transposition cipher error, transposition
124
00:11:25,860 --> 00:11:32,860
cipher, what was the size of the key? It was
3 factorial and log base 2 and a ceiling of
125
00:11:45,529 --> 00:11:46,259
that.
126
00:11:46,259 --> 00:11:52,369
So, therefore, coming back to our generalized
discussion on n-bit ciphers. So, if it is
127
00:11:52,369 --> 00:11:59,369
a permutation, so it is an essentially, if
you are considering n-bit substitution ciphers,
128
00:12:00,089 --> 00:12:07,089
then it is a permutation of 2 to the power
of n values. So, therefore, how many size,
129
00:12:08,910 --> 00:12:15,139
so what is the size of the key? In that case,
it is logarithm of 2 to the power of n factorial
130
00:12:15,139 --> 00:12:19,809
base 2 and we take a ceiling of that. So,
I guess, this is clear.
131
00:12:19,809 --> 00:12:24,809
So, therefore, this is what we discussed just
now. So, we can just see that if I consider,
132
00:12:24,809 --> 00:12:31,420
I mean, the value of 8 factorial works to
around 40,320. Therefore, there are so many
133
00:12:31,420 --> 00:12:37,429
possible substitution values, so if we take
ceil of that, then the size of the key is
134
00:12:37,429 --> 00:12:42,519
around 16.
So, how many, so if we, if we can see, that
135
00:12:42,519 --> 00:12:48,699
2 to the power of 16 is actually a much larger
term than 40,320, so that means, that there
136
00:12:48,699 --> 00:12:55,519
are lots of unused keys. Similarly, for your
transposition cipher also, it works to 3-bits,
137
00:12:55,519 --> 00:13:00,769
so how many possible values mappings are therefore,
possible? 8 values, but out of them, you are
138
00:13:00,769 --> 00:13:06,470
just using 6 values. So, you see that in such
kind of ciphers, when we are using, considering
139
00:13:06,470 --> 00:13:12,850
full size ciphers, full size key ciphers,
then there are a lot of unused values in
140
00:13:12,850 --> 00:13:16,990
a key.
So, this is one observation that we make and
141
00:13:16,990 --> 00:13:23,990
also the size of the key is also quite large.
So, for example, so we will come to that,
142
00:13:24,449 --> 00:13:29,069
why, I mean, about that point. Therefore,
next thing that we observe is that... So,
143
00:13:29,069 --> 00:13:34,240
therefore, so we discuss about something,
which is called a permutation group.
144
00:13:34,240 --> 00:13:40,889
So, the fact, that the full size key transposition
or substitution cipher is essentially, a permutation,
145
00:13:40,889 --> 00:13:46,449
so therefore, transposition cipher is a permutation
of n-bits and a substitution cipher of n-bits
146
00:13:46,449 --> 00:13:51,429
is a permutation of 2 to the power of n values.
So, therefore, you can essentially denote
147
00:13:51,429 --> 00:13:58,429
a transposition cipher or a substitution cipher
by a permutation. So, therefore, if I cascade
148
00:13:58,790 --> 00:14:03,819
such kind of operations, if I just repeat
the same operations again and again, then
149
00:14:03,819 --> 00:14:09,350
you still get another permutation. So, therefore
you do not get some other kind of transformation,
150
00:14:09,350 --> 00:14:13,910
which means what? The permutations essentially,
form something, which is like a group under
151
00:14:13,910 --> 00:14:20,220
the composition operation; so, under the composition
operation your permutation forms a group.
152
00:14:20,220 --> 00:14:27,220
So, this is because permutation forms a group
under the composition operation, we can, we
153
00:14:28,160 --> 00:14:32,470
can conclude, the multiple applications of
the cipher has got the same effect as the
154
00:14:32,470 --> 00:14:36,529
single application of the transformation.
So, therefore, it really does not help in
155
00:14:36,529 --> 00:14:42,149
getting something that we strive for in the
last day's class, the concept of rounds. So,
156
00:14:42,149 --> 00:14:47,600
we want to increase our security, therefore
this essentially, really, does not help that
157
00:14:47,600 --> 00:14:52,709
much. So, a full size key cipher, we found,
that has got certain disadvantages. So, one
158
00:14:52,709 --> 00:14:58,790
of the disadvantages is that the, which we
found, that there are lot of unused keys;
159
00:14:58,790 --> 00:15:05,499
another thing was that, if I, I mean, cascading
of such kind of ciphers really does not help;
160
00:15:05,499 --> 00:15:12,389
another point, that we observe is that, I
mean, that we will be observing is that the
161
00:15:12,389 --> 00:15:14,860
size of the key is actually, quite large.
162
00:15:14,860 --> 00:15:21,860
So, therefore, we essentially, introduce the
concept of partial-size key ciphers and that
163
00:15:22,179 --> 00:15:29,179
is essentially, used in all modern day cryptographic
systems, symmetric cryptographic systems.
164
00:15:29,420 --> 00:15:36,420
So, actual ciphers cannot use full size keys,
why? Because the size is quite large, therefore,
165
00:15:36,889 --> 00:15:43,889
let us see for example, in the case of DES,
so DES has got typically 64-bit, is typically
166
00:15:44,670 --> 00:15:49,579
a 64-bit block cipher.
So, therefore, if we, if we had used full
167
00:15:49,579 --> 00:15:54,149
size key, then the value of the, or the size
of the key would have been around logarithm
168
00:15:54,149 --> 00:15:59,670
base 2 of 2 to the power of 64 factorial because
it is a substitution cipher. Can you tell
169
00:15:59,670 --> 00:16:05,980
me why block ciphers are substitution
ciphers and not transposition ciphers? Modern
170
00:16:05,980 --> 00:16:12,980
day block ciphers are substitution ciphers
and not transposition ciphers, why?
171
00:16:17,610 --> 00:16:24,610
Something, can we relate this to what we have
learnt, like can we relate this to information
172
00:16:24,670 --> 00:16:30,189
of the plaintext. So, that is some information,
which has been leaked in transposition ciphers,
173
00:16:30,189 --> 00:16:35,759
can you guess what?
Typically all types of the block are replaced
174
00:16:35,759 --> 00:16:40,369
by some other block.
There is a substitution cipher so...
175
00:16:40,369 --> 00:16:42,720
It is a rearrangement or a....
It is a rearrangement, but can we conclude
176
00:16:42,720 --> 00:16:47,579
that can we get some information of the plaintext,
if we had only transposition ciphers?
177
00:16:47,579 --> 00:16:54,579
Yeah, that happens in substitution ciphers
also.
178
00:16:54,929 --> 00:17:01,929
Yeah, but can you quantify what information
is getting leaked?
179
00:17:03,889 --> 00:17:10,819
Frequency of the letters in the English language
are same...
180
00:17:10,819 --> 00:17:15,850
Something much more simple. Consider that
your plain text is made of only 1s and 0s
181
00:17:15,850 --> 00:17:19,459
and just consider a transposition cipher,
so what is the information that is getting
182
00:17:19,459 --> 00:17:23,260
leaked?
Number of 0s and number of 1s.
183
00:17:23,260 --> 00:17:26,230
Number of 0s and number of 1s. Therefore,
you see that the Hamming weight of your inputs
184
00:17:26,230 --> 00:17:30,660
gets leaked, so Hamming weight, you know, the
number of 1s is essentially, so you see, that
185
00:17:30,660 --> 00:17:35,180
we have got a very straightforward piece of information,
which gets leaked in transposition ciphers.
186
00:17:35,180 --> 00:17:40,100
But it is not the same case in case of substitution
ciphers. It is a completely different mapping;
187
00:17:40,100 --> 00:17:45,450
it has got nothing to do with the number of
1s in an input and number of 0s in the input.
188
00:17:45,450 --> 00:17:50,080
So, therefore, you see that modern day block
ciphers are essentially substitution ciphers
189
00:17:50,080 --> 00:17:54,900
and not transposition ciphers.
So, therefore, DES which is a 64-bit block
190
00:17:54,900 --> 00:18:00,340
cipher is also a 64-bit substitution block
cipher. Therefore, the number of or the size
191
00:18:00,340 --> 00:18:05,510
of the full key would have been logarithm
of 2 to the power of 64 factorial because
192
00:18:05,510 --> 00:18:10,060
it is a permutation in 2 to the power of 64
values. So, therefore, there are 2 to the
193
00:18:10,060 --> 00:18:14,570
power of 64 factorial possible arrangements.
So, if I represent them by keys, the size
194
00:18:14,570 --> 00:18:20,540
of the key, you can find out would have worked
out to 2 to the power of 70. So, that is a
195
00:18:20,540 --> 00:18:25,640
very large number, so we cannot really handle
a, such a large key, so we require a much
196
00:18:25,640 --> 00:18:28,190
shorter key.
So, therefore, you will find that in our standards,
197
00:18:28,190 --> 00:18:34,190
we find that we use 56-bits key, which is
actually much smaller; so, we use 56-bit keys
198
00:18:34,190 --> 00:18:38,770
compared to 2 to the power of 70. So, you
see, that there is a large amount of keys,
199
00:18:38,770 --> 00:18:45,530
which is being required for a, for realizing
a full size key cipher. Therefore, so therefore,
200
00:18:45,530 --> 00:18:49,850
a partial size key cipher is also practical,
much more practical.
201
00:18:49,850 --> 00:18:56,850
So, so, so, as we have discussed, that our
full size key cipher was a permutation group,
202
00:18:57,620 --> 00:19:04,620
so which will reflect upon this question that,
is the partial key cipher also a group? So,
203
00:19:05,020 --> 00:19:09,980
it is important because if yes, then again,
multiple applications of the cipher are useless
204
00:19:09,980 --> 00:19:14,700
and we want to apply them the same operation
again and again. Something to, like rounds,
205
00:19:14,700 --> 00:19:17,190
we keep on applying the same operation again
and again.
206
00:19:17,190 --> 00:19:21,760
So, what I am trying to say to you is that
if I apply DES for example, for two times
207
00:19:21,760 --> 00:19:28,760
it is still DES. So, can I, I mean, suppose
I take DES and I apply that by using two values
208
00:19:29,760 --> 00:19:36,200
of keys, I take k 1 and I take k 2 and I apply
them. Can I represent that by DES with a third
209
00:19:36,200 --> 00:19:39,520
value of the key? You understand, what I am
saying?
210
00:19:39,520 --> 00:19:45,050
So, that is, if that would have been the case,
then DES also would have formed a group. So,
211
00:19:45,050 --> 00:19:49,350
but the point is that therefore, a partial
key size cipher is a group, if it is actually
212
00:19:49,350 --> 00:19:53,500
a sub-group of the corresponding full key
cipher. So, therefore, you can understand
213
00:19:53,500 --> 00:19:58,370
that a sub-group means essentially it will,
if you have got n number of values in your
214
00:19:58,370 --> 00:20:03,290
group, then you, in your sub-group we have
got n values, where n is a subset of n and
215
00:20:03,290 --> 00:20:07,360
it still forms a group under the composition
operation, under, under whatever operations,
216
00:20:07,360 --> 00:20:14,050
it could be plus, so in those operations in
which the group was defined, because that
217
00:20:14,050 --> 00:20:19,940
is a definition of the sub-group.
So, it has been proved that the multistage
218
00:20:19,940 --> 00:20:26,640
DES with a 56-bit key is not a group because
no sub-group with 2 power of 56 mappings
219
00:20:26,640 --> 00:20:31,550
is possible. How many possible mappings with
56 bit key? There are 2 power of 56 mappings.
220
00:20:31,550 --> 00:20:36,750
So, no sub-groups with 2 power of 56 mappings
exist from the corresponding group, which
221
00:20:36,750 --> 00:20:42,060
has actually got 2 power of 64 factorial mappings.
Therefore, the original mappings has, which
222
00:20:42,060 --> 00:20:45,420
forms the group, has got 2 power of 64 factorial
mappings.
223
00:20:45,420 --> 00:20:51,320
So, out of them, these 2 power of 56 mappings
do not form a sub-group. So, that proves
224
00:20:51,320 --> 00:20:57,120
that multiple applications of DES essentially
enhances security, that means, it is the key,
225
00:20:57,120 --> 00:21:01,920
is actually not 1 value of the key, but actually
it is a 2 values of the key, so that is, it
226
00:21:01,920 --> 00:21:05,440
was not only you cannot encode them by another
56-bit value.
227
00:21:05,440 --> 00:21:11,940
So, you can actually, in order to encode that
you require a 112-bit key, 56 into 2, so that
228
00:21:11,940 --> 00:21:18,450
means, your security is actually increasing.
So, therefore, that is another advantage of
229
00:21:18,450 --> 00:21:21,830
partial size key ciphers.
230
00:21:21,830 --> 00:21:28,830
So, then we will come to certain discussions
about components of a modern block cipher.
231
00:21:28,990 --> 00:21:34,210
This has been proved for DES, so therefore,
we have to be careful that it has to be, it
232
00:21:34,210 --> 00:21:41,210
holds or not. So, there is actually a paper,
which says, does DES form a group? We will
233
00:21:46,240 --> 00:21:53,240
discuss about that.
So, so, therefore, and we, I mean, so therefore,
234
00:21:53,640 --> 00:21:58,780
initially when DES was evolving, at that time,
the constructions were very, sort of, nascent,
235
00:21:58,780 --> 00:22:04,180
so, they were just discussing, I mean, developing.
But now that we know lot of construction methodologies
236
00:22:04,180 --> 00:22:08,710
through which we can actually make block ciphers
and know ahead of time, that it does not
237
00:22:08,710 --> 00:22:14,160
form a group because we know how to maintain
this. But during those times actually, when
238
00:22:14,160 --> 00:22:18,930
DES was made at those times, actually the
techniques through which DES was made was
239
00:22:18,930 --> 00:22:23,930
really not made by, on public domain. Those
were the days when ciphers were classified,
240
00:22:23,930 --> 00:22:29,500
so they were kept in details of books only,
but now actually, we use it for non-needed
241
00:22:29,500 --> 00:22:34,600
application; also, it is more of an academic
study that we do.
242
00:22:34,600 --> 00:22:38,060
So, therefore, the other components are, we
will be discussing is the components of a
243
00:22:38,060 --> 00:22:43,020
modern block cipher. So, the most important
components are P-boxes and S-boxes. So, what
244
00:22:43,020 --> 00:22:50,020
is a P-box? It is a key-less fixed transposition
cipher and an S-box is a key-less fixed substitution
245
00:22:50,900 --> 00:22:56,390
cipher. So, you see that the same concepts
exist in today's ciphers also and they are
246
00:22:56,390 --> 00:23:01,220
used to provide something, which we called
as diffusion. So, what is diffusion? The diffusion
247
00:23:01,220 --> 00:23:07,570
is a property, which hides the relationship
between the ciphertext and the plaintext to
248
00:23:07,570 --> 00:23:13,820
the attacker and confusion is the property,
which hides the relationship between the ciphertext
249
00:23:13,820 --> 00:23:17,650
and the value of the key.
So, we will try to understand, how diffusion
250
00:23:17,650 --> 00:23:23,460
and confusion are achieved in today's ciphers?
So, you see that for example, in a transposition
251
00:23:23,460 --> 00:23:28,130
cipher there was an absence of diffusion,
why? Because we were able to relate the Hamming
252
00:23:28,130 --> 00:23:32,450
weight of the ciphertext with the Hamming
weight of the plaintext. Similar to that,
253
00:23:32,450 --> 00:23:37,550
we essentially, we will try to hide the relationship
between the ciphertext and the plaintext and
254
00:23:37,550 --> 00:23:44,410
try to make the mapping as random as possible.
So, the central idea behind any attack is
255
00:23:44,410 --> 00:23:49,250
a distinguisher from a random mapping. If
we can distinguish a mapping from a random
256
00:23:49,250 --> 00:23:55,350
mapping, then because, actually, I mean, when
we are saying that there is an algorithm to
257
00:23:55,350 --> 00:24:00,730
make a cipher, it automatically implies it
is not random. So, therefore, it is called
258
00:24:00,730 --> 00:24:05,120
something, which is related, called pseudorandom.
Therefore, any attacker would try to find
259
00:24:05,120 --> 00:24:11,950
out a property, which distinguishes the corresponding
mapping with the random mapping. So, if you
260
00:24:11,950 --> 00:24:16,850
can find out a distinguisher that is equivalent,
you can, it has been shown historically, that
261
00:24:16,850 --> 00:24:20,160
you can actually transform a distinguisher
into an attacker.
262
00:24:20,160 --> 00:24:25,280
The first objective is to find a property,
find, which essentially proves that the given
263
00:24:25,280 --> 00:24:30,970
cryptosystem is not random and if you are
able to find out the distinguisher, then you
264
00:24:30,970 --> 00:24:36,430
can convert the distinguisher into a real
life attack. So, therefore, finding out a property
265
00:24:36,430 --> 00:24:39,280
is essentially alarming.
So, therefore, the objective of diffusion
266
00:24:39,280 --> 00:24:44,620
and confusion is essentially to hide those
properties. So, it tries to hide the relationship
267
00:24:44,620 --> 00:24:48,780
between the ciphertext and the plaintext and
a confusion tries to hide the relationship
268
00:24:48,780 --> 00:24:51,530
between the ciphertext and the key.
269
00:24:51,530 --> 00:24:56,750
So, the principle of confusion and diffusion,
we will see, I mean, the design principles
270
00:24:56,750 --> 00:25:01,630
of block ciphers depend on these properties.
The S-box is generally used to produce, to
271
00:25:01,630 --> 00:25:07,130
provide confusion as it is dependent on the
unknown value of the key, we will see how?
272
00:25:07,130 --> 00:25:12,530
And the P box is fixed, there is no confusion
due to it, but it does provide diffusion.
273
00:25:12,530 --> 00:25:17,830
So, properly combining these is actually very
much necessary for obtaining security in the
274
00:25:17,830 --> 00:25:18,760
block cipher.
275
00:25:18,760 --> 00:25:24,680
So, let us see one example of a diffusion
box, so this is a straight box. Therefore,
276
00:25:24,680 --> 00:25:30,630
the diffusion boxes are generally of three
types, it is: straight box, expansion box
277
00:25:30,630 --> 00:25:34,510
and compression box.
So, I have referred to this P in brackets because
278
00:25:34,510 --> 00:25:40,190
I was a little bit hesitant in writing a P-box
or a permutation box implying an expansion
279
00:25:40,190 --> 00:25:45,100
and compression because they are not truly
permutations by definition, but it is generally
280
00:25:45,100 --> 00:25:52,100
used in the literature. Therefore, we just keep
in mind that a diffusion box or a P-box essentially,
281
00:25:52,140 --> 00:25:56,150
are of three types: one is straight box, other
one is expansion box and other one is compression
282
00:25:56,150 --> 00:26:00,900
box. So, as the name suggests, in a straight
box you have got a bijective mapping, therefore
283
00:26:00,900 --> 00:26:07,570
you take inputs of 24 bits for example, your
output is also 24 bits, so that you can actually
284
00:26:07,570 --> 00:26:10,950
encode in the form of a table. So, you see
that table, what does it imply?
285
00:26:10,950 --> 00:26:16,030
It implies that of, so you see, that there
are 12 columns in each row, so therefore,
286
00:26:16,030 --> 00:26:21,640
you see that there are, the first bit of the
output is derived from the first bit of the
287
00:26:21,640 --> 00:26:27,990
input, but the second bit of the output is
derived from the 15th bit of the output, the
288
00:26:27,990 --> 00:26:32,900
third bit of the output is derived from the
second bit of the input; therefore, it is
289
00:26:32,900 --> 00:26:36,790
just a permutation.
Similarly, you see, for expansion boxes, you
290
00:26:36,790 --> 00:26:42,510
have got a 12 cross 24, which means that your
input size is actually small and your output
291
00:26:42,510 --> 00:26:47,120
size is large, so what does it imply? There
are repetitions. So, you see, that in your
292
00:26:47,120 --> 00:26:51,910
first case, this one is 1 and you find that
there is another one, so I made the table
293
00:26:51,910 --> 00:26:54,660
in such a way, there are actually, there are
two repetitions of each.
294
00:26:54,660 --> 00:27:00,340
So, you will find a 1 1 here, a 3 here and
3 here and similarly, we will find that the
295
00:27:00,340 --> 00:27:06,780
frequency of each element is actually 2, so
what about a compression box? So, just the
296
00:27:06,780 --> 00:27:12,320
opposite of expansion, expansion box, you
take 24 bits and compress that into 12 bits
297
00:27:12,320 --> 00:27:14,640
of the output, so which means, you have to
drop some bits.
298
00:27:14,640 --> 00:27:20,920
So, can you tell me from the point of loss
of information, which is essentially a, which
299
00:27:20,920 --> 00:27:24,830
is essentially gives you the same information
in the output as the input and which gives
300
00:27:24,830 --> 00:27:30,150
you the minimum number of information in the
output or which gives you a more information
301
00:27:30,150 --> 00:27:33,980
in the output? Can you order them by information
leakage?
302
00:27:33,980 --> 00:27:40,980
See for example, compression box obviously
leads to a loss of information. So, in an,
303
00:27:42,250 --> 00:27:48,130
I mean, in an expansion box we have got redundancy
and in a straight box, it is essentially as
304
00:27:48,130 --> 00:27:52,790
same thing, what is one-to-one. So, you see,
that information, through information actually,
305
00:27:52,790 --> 00:27:59,350
you can nicely, sort of, quantize, if you
would like to do so. So, essentially the constructions
306
00:27:59,350 --> 00:28:04,380
of all these boxes, follow their roots from
information theory; although, we will not
307
00:28:04,380 --> 00:28:09,810
be discussing those things in our class, but
just thought of hinting in the class.
308
00:28:09,810 --> 00:28:14,040
Say, the other important thing that we will
be using is an S-box or a substitution box.
309
00:28:14,040 --> 00:28:19,220
So, a substitution box is typically an m cross
n substitution box, which means, that there
310
00:28:19,220 --> 00:28:24,490
are m-bit inputs and n-bit corresponding outputs,
where m and n are not necessarily the same.
311
00:28:24,490 --> 00:28:30,430
So, if the m and n are not the same, then
obviously it is not a bijective mapping, it
312
00:28:30,430 --> 00:28:33,810
is not an invertible mapping anymore.
So, you can obviously understand, that each
313
00:28:33,810 --> 00:28:38,160
output bit, which is a, has to be a Boolean
function of the inputs, so that if you consider,
314
00:28:38,160 --> 00:28:42,620
that your inputs are nothing but 0s and 1s,
that is, their Boolean functions, then all
315
00:28:42,620 --> 00:28:47,780
these n outputs, you can indicate or denote
them by n corresponding Boolean functions
316
00:28:47,780 --> 00:28:54,700
in the input. So, x 1 to x n are your input
and y 1 to y m are your output. Do you understand
317
00:28:54,700 --> 00:28:56,040
this?
318
00:28:56,040 --> 00:29:03,040
So, what I am saying is this, that is, your
S-box essentially takes in inputs which are
319
00:29:06,290 --> 00:29:13,290
denoted by say x 1, x 2 and so until x n and
your outputs are y 1, y 2 and so until y m.
320
00:29:15,630 --> 00:29:22,440
So, this y 1 is supposedly a mapping of or
a Boolean function of x 1, x 2 and so until
321
00:29:22,440 --> 00:29:28,780
x n. So, all of them, all of the outputs are
essentially a Boolean map of x 1 to x n. Similarly,
322
00:29:28,780 --> 00:29:34,550
y 2 is also a Boolean function of x 1 to x
n and there are certain properties which the
323
00:29:34,550 --> 00:29:39,880
S-box must satisfy, they are called interesting
properties. So, we will try to keep one class
324
00:29:39,880 --> 00:29:44,470
to understand how or rather, the some of the
principles behind design of S-boxes.
325
00:29:44,470 --> 00:29:49,880
But temporarily, let us assume, that just
let us note one thing, that a non-linear,
326
00:29:49,880 --> 00:29:54,500
what is a definition of a non-linear S-box?
So, I essentially give you, given you some
327
00:29:54,500 --> 00:30:00,650
Boolean mappings here, like y 1 to y n expanded
upon the previous f 1 to f m functions. So,
328
00:30:00,650 --> 00:30:07,550
for example, here you note that I can denote
y 1 as y 1 is equal to a 1 1 x 1 XORed with
329
00:30:07,550 --> 00:30:13,090
a 1 2 x 2 and so until y a 1 and x n. Similarly,
I do it for the all n-bit outputs.
330
00:30:13,090 --> 00:30:17,480
So, this mapping is actually a linear mapping
with respect to, with the Exclusive OR operation,
331
00:30:17,480 --> 00:30:22,950
why? Because easily you can understand that
you can represent this by a matrix transformation;
332
00:30:22,950 --> 00:30:27,970
I can represent this by a matrix transformation
and this is the something, which is called
333
00:30:27,970 --> 00:30:31,570
linear function.
So, we have defined, what is the linear function
334
00:30:31,570 --> 00:30:36,850
in the last day's class; so, this is linear
with respect to the Exclusive OR operation.
335
00:30:36,850 --> 00:30:43,440
So, if in a particular S-box, each of the
elements cannot be expressed as above, then
336
00:30:43,440 --> 00:30:48,820
we call that to be a non-linear S-box.
So, in our last day's class, we discussed
337
00:30:48,820 --> 00:30:54,260
that actually, we require non-linearity to
define the concept of rounds. Therefore, we,
338
00:30:54,260 --> 00:30:59,910
if we essentially require non-linearity also,
therefore, this is a typical, this some example
339
00:30:59,910 --> 00:31:05,710
of a non-linear S-box you see, that y 1 is
equal to x 1 into x 3 XORed with x 2 and y
340
00:31:05,710 --> 00:31:11,970
2 is equal to x 1 into x 3 x 2; this is a
Boolean add, so x 1 into XORed with x 3.
341
00:31:11,970 --> 00:31:17,850
So this is a mapping for example, which you
cannot denote in this form. Therefore, you
342
00:31:17,850 --> 00:31:24,840
see that this is an example of a non-linear
S-box; so, this is the typical example of
343
00:31:24,840 --> 00:31:29,420
a non-linear S-box. And we will try to see
what, how do I measure this amount of non-linearity
344
00:31:29,420 --> 00:31:35,710
also, but this is just to indicate, that here
actual S-boxes, if we represent them by Boolean
345
00:31:35,710 --> 00:31:42,710
mappings, would look like this or this; it
would look like this, it would look like this
346
00:31:42,770 --> 00:31:48,460
transformations and not like this.
If we find that there is an S-box, there is
347
00:31:48,460 --> 00:31:53,760
an S-box given to you, which you can represent
this, I mean, which you can represent in this
348
00:31:53,760 --> 00:31:59,090
form, it is considered to be a bad design;
a good design would also give you a good amount
349
00:31:59,090 --> 00:32:05,320
of non-linearity. Is this clear?
350
00:32:05,320 --> 00:32:12,320
So, others, some other components are as follows,
see, consider a circular shift, so in a circular
351
00:32:12,580 --> 00:32:17,700
shift, each, so essentially, as the name suggests,
what we take, do is that you take some bits
352
00:32:17,700 --> 00:32:19,230
and you do a circular shift. So, it is very
simple.
353
00:32:19,230 --> 00:32:23,920
It is actually an invertible transformation
also. So, therefore, you know, that if you
354
00:32:23,920 --> 00:32:30,330
shift left, the reverse operation would be,
shift right. So, the other operations that
355
00:32:30,330 --> 00:32:34,430
we use is the swap operation; it is a special
type of shift operation or a circular shift
356
00:32:34,430 --> 00:32:39,900
operation, where k is equal to, n-bits, n
by 2-bits. So, therefore, in a circular shift,
357
00:32:39,900 --> 00:32:45,300
what we do is that you shift each bit in an
n-bit word k positions to the left and the
358
00:32:45,300 --> 00:32:47,750
leftmost k bits become the rightmost bits.
359
00:32:47,750 --> 00:32:54,750
Therefore, in a circular shift what you do?
You take n bits and the first k bits essentially,
360
00:32:56,730 --> 00:33:02,370
come here and the other ones get shifted left,
so therefore, you shift them. So, therefore,
361
00:33:02,370 --> 00:33:07,430
if the value of k is equal to n by 2, then
you get a swap operation.
362
00:33:07,430 --> 00:33:14,430
So, in a swap operation, typically you have
got n by 2 bits and you take this and you
363
00:33:14,820 --> 00:33:19,540
place this here, and you take this and you
place this here. Therefore, this is a typical
364
00:33:19,540 --> 00:33:26,540
example of a swap operation. So, some other
operations are split and combine, which is
365
00:33:31,690 --> 00:33:35,809
very simple, like you take a block of data
and you split that into two components and
366
00:33:35,809 --> 00:33:38,010
the reverse operation would be to combine.
367
00:33:38,010 --> 00:33:43,270
But we will be discussing in details about
an important concept, which is the exclusive-or
368
00:33:43,270 --> 00:33:49,390
operation or the Ex-or operation. So, let
us see some properties of the Ex-or operation.
369
00:33:49,390 --> 00:33:54,200
So, the properties of the Ex-or, I mean, Ex-or
is a binary operator. We know it is a binary
370
00:33:54,200 --> 00:34:00,480
operator, which results in 1 when both the
inputs have got a different logic, otherwise
371
00:34:00,480 --> 00:34:04,710
it computes to 0.
So, we know, that of an Ex-or, the symbol
372
00:34:04,710 --> 00:34:11,129
that we will be using is this and it satisfies
certain properties, like: closure, associativity,
373
00:34:11,129 --> 00:34:18,129
commutativity, identity and inverse. So, therefore,
can you tell me that what does it form?
374
00:34:19,960 --> 00:34:26,960
Not only a group, but it forms an abelian
group, it forms a commutative group. Therefore,
375
00:34:27,480 --> 00:34:31,929
you see, that it satisfies closure because
the result of Ex-ORing two n-bit numbers, you
376
00:34:31,929 --> 00:34:38,429
can encode that by another n-bit number, it
follows associativity because it allows us to
377
00:34:38,429 --> 00:34:43,450
use more than one Ex-or in any order.
So, if I want to do x Ex-or y Ex-or z and
378
00:34:43,450 --> 00:34:47,960
this is the associativity, I can also do it
like doing an Ex-or of x and y first and then
379
00:34:47,960 --> 00:34:53,139
doing an Ex-or with that; commutativity, because
it do, if you do x Ex-or y, it is same as
380
00:34:53,139 --> 00:35:00,139
doing y Ex-or x; identity, why? Because the
all 0 or I denote them by 0 power n is an
381
00:35:00,960 --> 00:35:07,119
identity in the group because if I do x Ex-ORed
with 0 power n, then I obtain back x.
382
00:35:07,119 --> 00:35:14,119
It also has an inverse because each word is
self-inverse. So, if we take x and we
383
00:35:14,930 --> 00:35:18,680
Ex-or that with x, then you get back 0 n.
Therefore, this is it, this proves that it
384
00:35:18,680 --> 00:35:23,580
also has got inverse and it acts actually
as self-inverse.
385
00:35:23,580 --> 00:35:28,740
So, an application of Ex-or would be like
this. So, when you want to do an encryption,
386
00:35:28,740 --> 00:35:33,150
then what we do is that you take the plaintext
and we Ex-or that with the key and you obtain
387
00:35:33,150 --> 00:35:36,310
the ciphertext.
And if you want to do the opposite, then since
388
00:35:36,310 --> 00:35:40,290
we also have the keying material, what
you do is that you take this ciphertext, Ex-or
389
00:35:40,290 --> 00:35:45,270
it with the key again and you obtain back
this. So, the key is known to both, the encryptor
390
00:35:45,270 --> 00:35:49,070
and the decryptor, and this helps to recover
the plaintext.
391
00:35:49,070 --> 00:35:55,550
So, this is quite self-explanatory from the
previous things that we proved because if
392
00:35:55,550 --> 00:36:02,550
I denote here ciphertext to the m Ex-or Ex-or
of your message and your key, then if you
393
00:36:04,190 --> 00:36:08,590
can easily show, that if you do C an Ex-or
that with k, then that means, what you do
394
00:36:08,590 --> 00:36:14,610
an m Ex-or with k and Ex-or that with k. So,
because of the associativity, you can actually
395
00:36:14,610 --> 00:36:21,610
write this as m Ex-or with k Ex-or k and since
k is a self-inverse, then you obtain back
396
00:36:22,680 --> 00:36:28,650
m Ex-or with 0 n, and you know that 0 m is
an identity in the group and therefore, you
397
00:36:28,650 --> 00:36:35,650
obtain back m. So, therefore, you can prove
from the previous results that we had. So,
398
00:36:38,400 --> 00:36:44,900
therefore, this is a typical example.
Since, we have known the components we can
399
00:36:44,900 --> 00:36:48,290
actually try to think of how a modern block
cipher would have looked like? Therefore,
400
00:36:48,290 --> 00:36:50,190
this is an example of a product cipher.
401
00:36:50,190 --> 00:36:54,670
We discussed, what is a product cipher in
last day's class and it is made of two rounds.
402
00:36:54,670 --> 00:36:59,050
So, you see, that here, there is an 8-bit
plaintext and there is some key mixer operation,
403
00:36:59,050 --> 00:37:03,830
which is a whitener like, it is also called
key whitener. So, it is typically an Ex-or
404
00:37:03,830 --> 00:37:06,420
operation, Exclusive-OR operation with the
key.
405
00:37:06,420 --> 00:37:11,619
So, what you do is that there are four S-boxes,
four simple S-boxes being placed here and
406
00:37:11,619 --> 00:37:15,380
then there is a permutation; so, therefore,
it is nothing but a P-box or a permutation
407
00:37:15,380 --> 00:37:20,760
box. So, you see, that is a transposition
of bits, it is a wiring in terms, if you would
408
00:37:20,760 --> 00:37:25,430
like to implement as a hardware, it is just
a rewiring, it is a fixed mapping; it is a
409
00:37:25,430 --> 00:37:29,490
fixed transposition mapping.
So, then you obtain something, which we have
410
00:37:29,490 --> 00:37:33,560
called as 8-bit middle texts and then you
take the output, again Ex-or that with the
411
00:37:33,560 --> 00:37:37,150
next round key, and then something which is
called the key scheduling algorithm. What
412
00:37:37,150 --> 00:37:42,710
it does? It takes the input key and produces
all the round keys. So, you take k, you produce
413
00:37:42,710 --> 00:37:48,260
k 1, you take actually k 1 maybe, and produce
k 2 and you just try to make all the round
414
00:37:48,260 --> 00:37:49,770
keys, one after the other.
415
00:37:49,770 --> 00:37:55,470
So, this is a typical example of a product
cipher, which is made of two rounds. In order
416
00:37:55,470 --> 00:37:59,520
to appreciate the confusion and diffusion
property of this cipher, we can observe through
417
00:37:59,520 --> 00:38:06,280
this particular, sort of, flow of data. See,
consider this last bit, of the output, of
418
00:38:06,280 --> 00:38:11,470
the input. So, you see, that this is essentially
getting Ex-ORed with the 8th bit of the key because
419
00:38:11,470 --> 00:38:17,540
that the 8th bit, and I have considered the 8th bit
of the plaintext, is getting Ex-ORed with the
420
00:38:17,540 --> 00:38:23,440
8th bit of the key and then, you put that, that
output goes to the S-box, the 4th S-box. So,
421
00:38:23,440 --> 00:38:27,390
how many bits does it affect in the 4th, I
mean, how many bits of the output does it
422
00:38:27,390 --> 00:38:32,330
get, gets affected? 2 bits.
These 2 bits essentially go to also 2 other
423
00:38:32,330 --> 00:38:37,830
bits here. So, you see, here it goes to 2
and 4. So, now, you see, that this bit affects
424
00:38:37,830 --> 00:38:42,950
this S-box and this bit affects this S-box,
so which means, that you have got more number
425
00:38:42,950 --> 00:38:48,530
of disturbed S-boxes.
And then this particular bit is getting Ex-or
426
00:38:48,530 --> 00:38:54,960
with second bit of the key and this 4th bit
is getting Ex-or with the 4th bit of the key
427
00:38:54,960 --> 00:38:59,990
and they go to these S-box 1 and S-box
2 of the second round. And similarly, it
428
00:38:59,990 --> 00:39:05,200
is also affecting 2 bits here and 2 bits here
and both of them are, both the S-box outputs
429
00:39:05,200 --> 00:39:09,869
are getting transposed into 4 output bits.
So, the point you observe is that if I have
430
00:39:09,869 --> 00:39:13,930
disturbed only 1 bit in the input, now we
have got 4 bits in the output, which have
431
00:39:13,930 --> 00:39:17,630
got disturbed.
We also know n, that 4 is actually n by 2,
432
00:39:17,630 --> 00:39:21,770
approximately. So, therefore, in a random
mapping also, if I would have changed only
433
00:39:21,770 --> 00:39:27,260
1 bit in the input, then half of the output
bits would have been affected approximately,
434
00:39:27,260 --> 00:39:31,560
so that is something which is called avalanche
effect or something which is called an avalanche
435
00:39:31,560 --> 00:39:37,030
criterion. Therefore, this is an example of
an avalanche criterion and also an example of
436
00:39:37,030 --> 00:39:42,060
diffusion. So, you see, that this is the essentially,
you see that there is an obscurity of the
437
00:39:42,060 --> 00:39:47,530
number of bits of the output between the number
of bits of the output and the bits in the
438
00:39:47,530 --> 00:39:51,950
input, and the confusion, you can also observe,
through this phenomenon, that the 1st, 3rd,
439
00:39:51,950 --> 00:39:56,750
6th and 7th bit of the output, essentially
are dependent on the 8th bit of the key, the second
440
00:39:56,750 --> 00:40:01,960
bit of the key, and the 4th bit of the key.
So, therefore, there is a problem of, or rather
441
00:40:01,960 --> 00:40:08,500
there is a hiding of, hiding of, hiding of
mapping, hiding of how the output bits have
442
00:40:08,500 --> 00:40:13,180
been generated or rather, hiding of the relation
of the output bits with the plaintext and
443
00:40:13,180 --> 00:40:18,160
hiding of the relation of the ciphertext
with the key bits. Also, the first one is
444
00:40:18,160 --> 00:40:22,940
the example of diffusion and the second one
is an example of confusion.
445
00:40:22,940 --> 00:40:29,940
No, no, in those cases we cannot do decryption,
but those things we can actually apply in
446
00:40:43,660 --> 00:40:47,050
a certain technique, which is known as Feistel
ciphers; we will come to that, how we can
447
00:40:47,050 --> 00:40:53,280
apply them? Now, what you say is correct,
that if these boxes would have been essentially
448
00:40:53,280 --> 00:40:58,040
something like a compression function, then
we would not have been able to recover, obviously;
449
00:40:58,040 --> 00:41:05,040
but we can apply them, using, in another scenario.
So, in practical ciphers, actually you require
450
00:41:07,440 --> 00:41:12,490
larger data blocks than 8 bits and you require
more S-boxes to get disturbed, and you require
451
00:41:12,490 --> 00:41:19,270
more number of rounds, and this helps to improve
the diffusion and confusion properties in
452
00:41:19,270 --> 00:41:23,790
the cipher. So, that is the final objective
that I want to enhance or improve the diffusion
453
00:41:23,790 --> 00:41:26,520
and confusion properties in the cipher.
454
00:41:26,520 --> 00:41:33,520
So, we will just discuss about two classes
of product ciphers, one is called a Feistel
455
00:41:34,000 --> 00:41:40,170
ciphers, example of that - DES, it is called
Data Encryption Standard and also non-Feistel
456
00:41:40,170 --> 00:41:45,970
ciphers, and example of that is AES. So, non-Feistel
ciphers are also called Substitution Permutation
457
00:41:45,970 --> 00:41:51,960
Networks or SPN ciphers. So, we will try to
understand these two things, maybe in our
458
00:41:51,960 --> 00:41:57,859
next day's class, but just in today's class,
we will try to understand the concept of Feistel
459
00:41:57,859 --> 00:41:59,830
ciphers without going into DES.
460
00:41:59,830 --> 00:42:06,060
So, a Feistel cipher refers to a type of block
cipher design and not a specific cipher. So,
461
00:42:06,060 --> 00:42:12,460
it is not a fixed cipher that we will be discussing,
but it is a general class of ciphers. So,
462
00:42:12,460 --> 00:42:18,850
for, what we do is that the first thing that
we do is that we take a plaintext and we divide
463
00:42:18,850 --> 00:42:23,510
that into two parts, one of the parts is called
the, left mode, left block and the other part
464
00:42:23,510 --> 00:42:25,440
is called the right block.
465
00:42:25,440 --> 00:42:29,560
And then, you do certain transformations,
maybe, you do n rounds. So, first thing what
466
00:42:29,560 --> 00:42:36,560
you do is that you consider this, take a left
block and you would essentially one, you also
467
00:42:39,440 --> 00:42:44,740
have right block here, so I call that by L
i minus 1 and R i minus 1 to denote, that
468
00:42:44,740 --> 00:42:49,540
this is the..., What is the output of the
i minus 1 in step, and I would like to obtain
469
00:42:49,540 --> 00:42:56,540
L i and R i, so question is how? So, we want
to understand this internal mapping.
470
00:42:59,900 --> 00:43:06,710
So, you see, that if I had taken this for
example, this input, I call that by say, L
471
00:43:06,710 --> 00:43:13,710
i minus 1 and would have obtained L i. One
possible way would have been to take this
472
00:43:14,920 --> 00:43:21,920
and Ex-OR this with the output of a function
f, whose input is k and obtain the output.
473
00:43:27,020 --> 00:43:34,020
So, you see, that this function f could actually
have been a compression function and still,
474
00:43:34,119 --> 00:43:39,640
we would have been able to recover the input,
why? Because we know the k value and therefore,
475
00:43:39,640 --> 00:43:44,290
we would have felt, fading this value of k
and again, the decrypter also would have obtained
476
00:43:44,290 --> 00:43:48,920
the value of f k. And then, you would have
simply Ex-OR with this output and obtain back
477
00:43:48,920 --> 00:43:55,030
the plaintext. Therefore, you see that actually
a compression function can be applied for
478
00:43:55,030 --> 00:43:59,480
cryptography also, for block cipher designs
also. So, this answers probably, little bit
479
00:43:59,480 --> 00:44:02,780
of your questions.
But the other thing that we would also want
480
00:44:02,780 --> 00:44:07,760
to do is that we are not very comfortable
with having the input only as key. So, we
481
00:44:07,760 --> 00:44:13,220
would also like a part of the input to go
to this function f also. So, what we do is
482
00:44:13,220 --> 00:44:20,220
that we extend this and observe R i minus
1, and this output of R i minus 1, we feed
483
00:44:20,730 --> 00:44:27,480
to the other part of the function f.
And now, you see, that in order to obtain,
484
00:44:27,480 --> 00:44:32,510
or rather in order to decrypt, you actually,
require this value of R i minus 1 also. So,
485
00:44:32,510 --> 00:44:36,220
one simple thing, that we could have done
is that we could have just passed this R i
486
00:44:36,220 --> 00:44:43,220
minus 1 to the output as R i.
But what is the problem in this case? If you
487
00:44:44,990 --> 00:44:47,840
had just iterated this block again and again,
what would have been the problem?
488
00:44:47,840 --> 00:44:53,200
The problem would have been that right hand
just would have remained the same. So, what
489
00:44:53,200 --> 00:45:00,200
we do is that after this, we do a swap operation.
So, you follow that with the swap operations,
490
00:45:00,390 --> 00:45:06,600
you see, that actually, this property also
gets disturbed. So, now you see, the how essentially,
491
00:45:06,600 --> 00:45:12,859
that how the Feistel cipher mapping look like.
It was just like this, that is, L i has been
492
00:45:12,859 --> 00:45:16,350
attributed to R i minus 1 is equal to R i
minus 1.
493
00:45:16,350 --> 00:45:23,350
The R i minus 1 value is assigned to L i and
L i minus 1 Ex-OR with f of R i minus 1 and
494
00:45:23,520 --> 00:45:29,690
comma K i has been assigned to R i. So, therefore,
if cryptographically this would have been
495
00:45:29,690 --> 00:45:36,140
look like this, therefore you take L i minus
1 R i minus 1, you put in this function f
496
00:45:36,140 --> 00:45:42,180
K i here, you obtain this output, Ex-OR this
and you obtain this R i output, and R i minus
497
00:45:42,180 --> 00:45:48,609
1 has been passed to the L i output. So, therefore
this is the same thing that we saw here with
498
00:45:48,609 --> 00:45:50,400
the extra swap.
499
00:45:50,400 --> 00:45:54,320
So, therefore, I mean, this would have been
the same thing essentially, if you had just
500
00:45:54,320 --> 00:46:01,320
swapped this output. So, decryption is also
quite easy now, you see the decryption, how
501
00:46:07,520 --> 00:46:11,520
decryption would have worked? You just take
R i minus 1 and you have, you can obtain L
502
00:46:11,520 --> 00:46:18,440
i and L i minus 1 is equal to R i Ex-OR with
f(R i minus 1, K i). So, you, all of us know
503
00:46:18,440 --> 00:46:24,580
the value of R i minus 1 because that is exactly
equal to the value of L i. So, therefore,
504
00:46:24,580 --> 00:46:29,869
the point is, that here this actually, this
actually, this function f, any function f,
505
00:46:29,869 --> 00:46:33,200
here would have sufficed.
The decryption would not have been a problem,
506
00:46:33,200 --> 00:46:37,990
any function f you take, we can still do the
decryption. So, therefore, it works, the formula
507
00:46:37,990 --> 00:46:42,760
works for any function f, but security will
not be obtained for any function f; there are only
508
00:46:42,760 --> 00:46:48,920
certain functions f which will give you security.
So, therefore, the, now you see, that the,
509
00:46:48,920 --> 00:46:54,240
this capital F is actually a small f; so you
can utilize this capital F by small f. Therefore,
510
00:46:54,240 --> 00:47:01,030
you see, that the problem of security, now
we have actually, sort of, reduced our problem
511
00:47:01,030 --> 00:47:06,869
to the design of the small function f. So,
where the big problem, like we have to design
512
00:47:06,869 --> 00:47:11,700
say, a 128-bit block cipher or a 64-bit block
cipher, so we have actually reduced that problem
513
00:47:11,700 --> 00:47:14,859
now to the design of a small function called
f.
514
00:47:14,859 --> 00:47:19,210
So, you see that this is the typical round
of a DES, without going into the details because
515
00:47:19,210 --> 00:47:23,580
we will discuss this in our next class. Just
observe one thing; this is nothing but the
516
00:47:23,580 --> 00:47:28,340
application of the Feistel cipher. You take
L, this is being Ex-ORed with the corresponding
517
00:47:28,340 --> 00:47:33,150
output of a function f and the function f
has got two inputs - one is the R part of
518
00:47:33,150 --> 00:47:36,770
the previous round and the other part is the
value of the key.
519
00:47:36,770 --> 00:47:42,890
And this goes to here, right part of the output
ciphertext, output of this round and this
520
00:47:42,890 --> 00:47:48,099
part, that is, the left part is being assigned
from the right part of the previous round.
521
00:47:48,099 --> 00:47:53,859
Now, you see, that internally there are a lot
of things inside this function f. So, you
522
00:47:53,859 --> 00:47:59,940
take a 32 bit in case of DES because DES has
got totally 64 bits, we divide that into 2
523
00:47:59,940 --> 00:48:04,890
parts - 32 bits, 32 bits.
Then we expand this 32 bits using a P-box
524
00:48:04,890 --> 00:48:11,890
expansion diffusion box, expanded to 48 bits,
you Ex-OR that with 48 bits of the round keys
525
00:48:13,210 --> 00:48:18,750
and then you obtain 48 bits here, then you
take this 48 bits and you pass that in through
526
00:48:18,750 --> 00:48:23,859
an S-box, which actually takes 48 bits and
compresses that to 32 bits.
527
00:48:23,859 --> 00:48:27,440
And then you pass that again through a P-box,
this is a straight box. So, therefore, you
528
00:48:27,440 --> 00:48:31,800
take 32 bits and you map that into a 32 bits
and you Ex-OR that with 32 bits of your left
529
00:48:31,800 --> 00:48:34,619
part, and you obtain the output, 32 bits of
the round.
530
00:48:34,619 --> 00:48:41,290
So, here, you, that there are 48 bits of the
key and they are actually derived by using a function,
531
00:48:41,290 --> 00:48:45,540
which is called the key scheduling function.
So, you take the input key and there is a
532
00:48:45,540 --> 00:48:50,150
certain algorithm through which the 48-bit
round key is derived.
533
00:48:50,150 --> 00:48:54,119
And another thing we noted here is that, I
will come to this in our next day's class,
534
00:48:54,119 --> 00:48:59,650
that is, this S-box, although it shows that
it is a 48 to 32 bit mapping, is actually
535
00:48:59,650 --> 00:49:04,480
composed of the smaller S-boxes. So, all the
smaller S-boxes are 6 to 4 mappings, that
536
00:49:04,480 --> 00:49:07,690
is, it takes 6 bits and maps that to 4 bits
of the output.
537
00:49:07,690 --> 00:49:14,260
So, how many S-boxes are here? There are 8
S-boxes, S 1 to S 8. So, each of these S-boxes,
538
00:49:14,260 --> 00:49:18,590
there is a principle behind the design of
these S-boxes, there is an application of lot
539
00:49:18,590 --> 00:49:23,320
of communitative coding theories and stuff
like that. So, that, we will come to that
540
00:49:23,320 --> 00:49:26,570
at the end in our class.
What the point is, that note that the design
541
00:49:26,570 --> 00:49:32,830
of the DES is reduced to the design of function
f, which works on shorter lengths. This is
542
00:49:32,830 --> 00:49:36,730
typically what we do as computer scientists
is that when we have a bigger problem as the
543
00:49:36,730 --> 00:49:40,920
engineers, we reduce that to a smaller problem
and solve that. And what we have done exactly
544
00:49:40,920 --> 00:49:44,700
is that we have taken a big problem and we
have converted that into a small and much
545
00:49:44,700 --> 00:49:47,450
more manageable problem.
546
00:49:47,450 --> 00:49:54,450
So, the other part of ciphers is called non-Feistel
ciphers. It is composed of only invertible
547
00:49:54,480 --> 00:49:57,550
components.
So, you see that the input to the round
548
00:49:57,550 --> 00:50:03,510
function consists of keys
and the output of the previous round. So,
549
00:50:03,510 --> 00:50:08,230
in this case actually, we will discuss this
when we talk about AES, whatever mappings
550
00:50:08,230 --> 00:50:13,260
or whatever transformations we do here,
all of them are actually invertible mappings.
551
00:50:13,260 --> 00:50:20,260
So, in Feistel ciphers, we had used non-invertible
mappings also, but in SPN ciphers, or substitution
552
00:50:20,510 --> 00:50:24,880
permutation networks, which are what I classify as
non-Feistel ciphers, all of the mappings are
553
00:50:24,880 --> 00:50:31,880
essentially composed of invertible mappings.
The S-box would be invertible, all the permutations
554
00:50:32,040 --> 00:50:35,470
will be invertible, and all the transformations
are essentially one-to-one.
555
00:50:35,470 --> 00:50:41,030
So, these are some of the references that
we have used in our class. Obviously, we have
556
00:50:41,030 --> 00:50:45,430
used certain books, Shannon's paper, we
have used our standard textbook by Douglas
557
00:50:45,430 --> 00:50:48,770
Stinson and I have also referred to another
book, which is written by Forouzan. It is
558
00:50:48,770 --> 00:50:54,050
a recent book on Cryptography and Network
Security and this chapter is slightly brief
559
00:50:54,050 --> 00:51:01,050
in chapter 5. So, there is an
Indian edition of this book also available,
560
00:51:01,630 --> 00:51:05,280
so maybe you can refer to this book also.
561
00:51:05,280 --> 00:51:09,690
And certain points to ponder, so you can just
think of these questions; well, you are not
562
00:51:09,690 --> 00:51:13,890
required to submit, but you just think of these
questions. It says that the following key mixing
563
00:51:13,890 --> 00:51:17,470
technique, you have to just say whether it
is true or false, that it is linear with respect to
564
00:51:17,470 --> 00:51:19,890
Exclusive-OR.
So, what I have done is that I have taken
565
00:51:19,890 --> 00:51:24,640
x, I have added that with the value of the
key, that is, k, and here, the plus is
566
00:51:24,640 --> 00:51:30,200
essentially an integer addition. So, it is
x plus k modulo 2 to the power 8, where x and
567
00:51:30,200 --> 00:51:34,099
k are 8-bit numbers and plus denotes integer
addition, so what you have to say is
568
00:51:34,099 --> 00:51:39,060
whether each of the bits of the output, each
of the output bits, is essentially a linear
569
00:51:39,060 --> 00:51:42,820
mapping of the inputs, or rather, whether they are
non-linear mappings of the inputs?
570
00:51:42,820 --> 00:51:48,119
And the other thing to be thought about is,
so we are discussing substitutions
571
00:51:48,119 --> 00:51:52,710
and permutations, so let us imagine, that
in the final stage, that is, having
572
00:51:52,710 --> 00:51:57,580
a final permutation step in an SPN cipher,
whether that would have increased the security
573
00:51:57,580 --> 00:52:01,780
of the cipher or not?
So, therefore, consider whether having
574
00:52:01,780 --> 00:52:07,030
a final permutation step in an SPN cipher
has got no effect on the security of a block
575
00:52:07,030 --> 00:52:10,810
cipher? So, you have to reflect whether it
is true or false.
576
00:52:10,810 --> 00:52:14,150
So, our next day's topic will be designs of
modern block ciphers. We will try to understand,
577
00:52:14,150 --> 00:52:18,869
or rather, at least,
look into the design of DES and AES, without
578
00:52:18,869 --> 00:52:20,849
really going into the design methodologies.