.
So, welcome back. So, today we shallwe studying
our;on our next topic which is essentially
a Background on Cryptography and also to have
an understanding of what is meant by Cryptanalysis.
So, and finally, we shall be talking about
the Advanced Encryption Standard or AES.
So, to start withourour concepts that the
concept that we shall be covering in today's
class; we shall be trying to understand the
goals of cryptography, try to understand the
various types of cryptographic algorithms
ah; I would say like the broad classifications
of cryptographic algorithms . In particular,
we shall be trying to look into block ciphers
which is a very common form of cryptographic
algorithm which is used to encrypt bulk volumes
of information or data.
And we shall be looking into one particularencryption
or block cipher which is called as a AES or
Advanced Encryption Standard; which is the
de facto worldwide standard for block ciphers.
So, to begin withlet us try to look into the
goals of cryptography. So, so the goals of
cryptography can be are typically depicted
bythese three party scenario; where you have
got two legitimate players Bob and Alice who
are essentially trying to share some information
over an untrusted channel. So, this untrusted
channel is essentially also observed by an
attacker or an adversary which is typically
denoted as Eve.
So, Eve is interested to know; what is the
communication which is essentially being done
by between Bob and Alice? So, in order to
prohibit Eve from getting access to this information
; Bob tries to resort to cryptography. What
Bob tries to apply cryptography and tries
to apply the in the data or tries to apply
it on the data and communicate this information
to Alice .
So, there can be different goals of cryptography;
confidentiality is one of the most important
goals as I said because Eve will be probably
curious to know what is the information being
exchanged and in that context Bob of an encrypts
this information and sends it to Alice. So,
once it is encrypted the idea is that it looks
like a jumbled piece of data from which Eve
is not able to understand or make any inference
about the actual content of the message .
So, so now I would like to mention here that
although we often you know like kind of synonymously
use cryptography with confidentiality , but
that is not the sole goal of encryption or
cryptography ok that is not the sole goal
of cryptography . So,so there may be other
important goals for example, I may be only
bothered about integrity of information.
So, I may be only bothered to ensure that
I do not really; I am not really bothered
to to ensure that Eve does not have access
to information but rather I may be bothered
to know to ensure that Eve is not able to
corrupt that information or he is not able
to modify that information ok . So, therefore
right while confidentiality is often insured
by encryption ; for integrity there may be
other primitives which are used. So, it could
be typically a hash function or a message
authentication code which could be deployed
to achieve integrity .
But at the end of the day you know like with
several goals like you may have confidentiality
as your goal, integrity as your goal and you
may try to apply cryptographic algorithms,
but all cryptographic algorithms comes with
over it; comes with essentially you know like
making the process flow, kind of making the
process cumbersome. So, therefore, right we
should ensure at the end of the day that data
should be available.
So, we should ensure the data should be available
to the;to the legitimate persons like Bob
and an Alice and Eve should not be able to
somewhat availability of information ok. So,
there may be there should be suitable mechanisms
which also allows you or which allows you
to have; I would say like you know like uninterrupted
access to information or on and inter to access
to data.
So so therefore, right I mean let us try to
take a; you know like one by one look into
these various objectives ; so the first objective
whether I said is confidentiality. So, information
is exchanged over the untrusted network . So,
information while exchange should remain secret;
that means, you know like when you are exchanging
information over the untrusted network, you
should ensure that it should remain secret
to the legitimate players; to the sender and
to the receiver; that means, Alice and Bob
in our context .
So, confidentiality is related to both not
you know like not; I mean not only with respect
to transmission of information, but also it
could be with respect to data addressed; that
means, it should be also it could be it should
be related to also data; which is kept in
your storages. So, it could be in your disks
it could be in your drives and other storage
media ok .
So so likewise right I said that integrity
is also an important objective. So, as we
know that information right one of the important
criteria of information is that it is always
changing and that is probably even more relevant
with today's talk discussions on you know
like big data and so on where information
is continuously being generated and is an
expensiveexpensive data base right .
So, but the charge; so therefore, right we
should ensure that the responsibilitythe;
of the of the persons who are you know likeessentially
providing service should be that unauthorized
people should not be able to modify that information.
So; that means, you know like for example,
if I have got some amount of data which isfor
example, measuring the amount of money that
I have in my bank and unauthorized person
should not be able to modify that data ok.
Because you can easily understand that if
that data is modified then that can that can
lead to catastrophic consequences ok . So,
therefore we need to techniques to ensure
that there is integrity of data which means
like somebody should be; who is not licensed
or is not legitimate should not be able to
modify the data. And moreover like if there
is any modification which is going down; I
should be able to readily understand that
there has been a modification being done.
That means, it should be detected any modifications
should be easily detected and should be essentially
you know lead to follow of measures to ensure
that there is in really integrity of information
ok .
So, likewise confidentiality and integrity
should not hinder the availability of data.
That means, right I mean I may apply cumbersome
techniques, but at the same time right; we
should ensure that availability is a very
important goal right I want to make things
efficient .
So, therefore, right data must be available
to authorized users at any time ok and therefore,
right we should also always keep in mind cryptographic
mechanisms, which we are adopting should essentially
be implemented in a manner that they essentially
incurred less overhead; in terms of various
performance foot prints it should have less
food it should have a less footprint ok. And
that essentially makes hardware design so
important because when you have hardware design
for cryptographic algorithms, you essentially
have an opportunity of making them optimized
ok.
But at the same time right we also need to
tackle other criteria like for example, various
kind of threats which can also be targeted
specifically for hardware ok. But in terms
of performance right; hardware provides immense
opportunity of realizing lesser footprints
on variouscriteria ok. So, for example, like
you can as I said probably in one of my introductory
classes that if you go for hardware design
of complex cryptographic algorithms, there
is this there is an there is an order improvement
over your software designs ok and therefore,
we need to probably study about how we can
make efficient hardware implementations of
cryptographic algorithms .
So, therefore, right you can actually definitelyhave
different mechanisms like cryptography off
cryptographic algorithms, you can have encryption,
you can have hash functions, you can have
signature schemes; you can you know you can
apply public key cryptography for signatures.
So, there you know like lot of cryptographic
algorithms which you have; which have been
developed, but we need to understand about
where to apply what ok and that is typically
what we studying in in cryptographic course
.
So, therefore,one of the you know like I would
say salient features of all these cryptographic
algorithms is that the algorithms are published;
that means, the algorithms that we deploy
for encryption or for signatures; they are
all published. That means, they are available
to even our adversaries; what is not available
to an adversary is this piece of secret which
is called often as the key ok. And therefore,
right the objective of the attacker is to
obtain this key from the communication.
And the objective of the defender or the designer
is to ensure that the the information that
is exchanged; it could be the cipher text,
it could be the plaintext, it could be the
cipher text plaintext combinations that should
not reveal information about the secret key
ok and therefore, what we write as designers
want to protect is the secret key ok; so,so
therefore, right if you if you try to understand
in a more formal setting what is a cryptosystem?
So, essentially cryptosystem is a five tuple
often denoted by this like P, C, K, E and
D where P stands for the set of possible or
finite set of possible plain texts, C stands
for the finite set of possible cipher texts,
K is the key space ok; it is a finite set
of possible keys from which I choose a specific
key. Now, the moment I choose a specific key
for example, a small k for example, then two
things this gets decided; one is what is called
as an encryption rule and the other one is
what is called as a decryption rule.
So, the encryption rule which is denoted as
say e k belongs to this encryption family
and likewise d k belongs to this decryption
family. So, so that is a very important criteria
which you can easily probably understand is
thatthe process should be reversible right;
that means, when I encrypt a piece of information
and when I decrypt it; I should get back the
original data. And that is being denoted here
in a more formal way which says that for each
e k; that means, which is essentially a mapping
from the plaintext space to the ciphertext
space and for each d k which is essentially
the divorce mapping from ciphertext to the
plaintext space.
So, these are functions such that for all
x which is essentially belonging to the plaintext
when I apply the encryption function on x
and I get e k of x and then I apply d k of
x; which is the decryption function, I should
get back x. So, therefore, this process should
be reversible; so this invertibility is an
is a feature which all encryption whether
it isyou know like symmetric key or public
key as will soon study; all of them should
satisfy this property ok there is a salient
feature because we want to decrypt back the
original data.
So, therefore right there are two different
broad classes of cryptography which people
have studied. The first one is probably very
intuitive which is called a symmetric key
cryptography; which means essentially it means
those encryption algorithms, where the encryption
key and the decryption key are same. That
means, if I want to encrypt a piece of information
and if I want to decryptthe cipher; then I
essentially; essentially share that key with
my recipient ok.
So, there has to be some kind of cross state
channel through which that secret key has
been shared. Now you can immediately; immediately
understand that if there are n players in
a network and if all of them are connected
with each other then the number of keys can
increase exorbitantly; can increase quadratically.
And therefore, we need to have efficient mechanisms
to do this key exchange and therefore, right
there is another class of tiptographic algorithms
which are called as a symmetric key cryptography
which essentially gives a very nice solution
for this particular problem .
So, therefore, in this in this setting of
asymmetric key cryptography; there are two
keys. One which is called as a public key
the other one which is called as a private
key or the decryption key ; the idea is that
the first important things to note is that
the encryption key and the decryption key
or the public key and the private key are
not the same ok.
So, what we often do is that with public key
we can encrypt; that means, suppose I want
suppose Alice wants to send a piece of information
to Bob; So, therefore, what Alice does is
that Alice encrypts it ok and it encrypts
it with bobs public key. And now Bob since
Bob only has his private key can only decrypt
that message; that means, anybody can encrypt
that message and send it to Alice, but I mean
send it to bob, but only Bob can decrypt it
because its bobs own private key ok.
So, therefore, right I mean that essentially
is nice because in that case the key exchange
problem is nicely handled in that case. And
the assumption behind these class of problems
is often rely based upon a candidate hard
problem; that means, a problem which is believed
to be hard. The idea is that it is believed
to to be hard to to derive the private key
from the public key; note that Alice's public
key is known to everyone.
But what is important is to ensure that it
should be difficult for Eve; who is an attacker
to infer the corresponding private key of
Alice from the public data ok and that the
way that this kind of reasonings are done
is often based upon a hard problem. So, the
hard problem could be for example, factorization
or some other hard problem which is believed
to be hard; which is believed to be computationally
intensive.
So,so therefore, let us first of all try to
look into the one in very important class
of symmetric key encryption which is called
as block cipher and block ciphers are typically
used for bulk data encryption . So, in therefore
in block cipherwhat essentially is done is
that as the name suggests right; it basically
encrypts in bits of plaintext which is called
as a block. So, what essentially is done here
is that you take the plaintext and you divide
it into chunks of data; all of them are like
blocks of information and then you start applying
your block cipher.
So, the block cipher takes one block of data,
takes the secret key and then obtains another
block of cipher text. This process could be
either repeated block by block or there could
be some modes where you do chaining for example,
ok. But the whole idea is that when you are
having this kind of encryption algorithm;
then this encryption algorithm applies on
one block of data. Say for example, it could
be 128 bits of data as we will see in the
case of AES 128 and produces hypertext; which
is also 128 bits of data .
Now the key right is often also of the similar
dimension; so it could be like say 128 bits
or say 256 bits on which you are applying
your encryption process. So, therefore, the
block cipher takes two important two inputs
ok; it takes the plaintext and the key and
produces a cipher text. So, it basically it
is a mapping from the plaintext and the key
to a cipher text space ok. So, therefore,
that is denoted here as this function; which
is C is equal to E k P which means like it
is an encryption function which is kept kind
of parameterized by the key and it operates
on a plaintext P and produces a cipher text
C ok. So, now you can if you want to decrypt
it as you can easily understand then you need
to have an invertible process.
So, you did not have a reversible process
right; so therefore, what the decryption function
does? It applies on the cipher text again
on a block of data, again apply the same secret
key; remember it is a symmetric key algorithm.
So, it has got the same secret key on which
this also works and therefore, right finally,
produces that the startingthe block the starting
block of the plaintext ok. And that by that
way the the plaintext is recovered block by
block. Again you can if you are depending
upon the mode you in which you are applying
the encryption; you have to apply a suitable
mode for decryption ok .
So, therefore the block cipher decryption
algorithm is is denoted by this function where
I take the C which is my ciphertext and again
I take my function which is denoted as D k
and I obtain back the plaintext ok.
So, now,so therefore right if I want to know
zoom into the block cipher for example, then
this is how the internal of a block cipher
typically looks like. So, these block ciphers
are water often called as product ciphers
or iterative ciphers.
So, what it does here is that it takes a plaintext
block; it takes a secret key and the first
step is usually a key whitening step. This
key whitening is usually applied or obtained
by some kind of reversible key mixing process;
a very common form of reversible key mixing
is by applying a bitwise exclusive or so therefore,
I take this plaintext, I take the secret key
and I do an exorb between the plaintext and
the key and obtain the input to the first
round.
And then I have a period you know like a very
very regular structure of applying the rounds;
that means, rounds essentially are constituted
by some kind of operations; these operations
are applied one by one in an iterative manner.
For example, in this case I have shown that
there are n rounds; this number of rounds
is often fixed by something which is called
as script analysis which is essentially an
evaluation methodology of the cipher against
various known attacks. And then once you know
that the ok n rounds are required by the cipher;
then for every round you also need to have
something which is called as a round key .
So, this round key is derived by an algorithm
which is called as the key expansion algorithm
or also called as the key scheduling algorithm.
So, this key scheduling algorithm takes the
secret key and derives the round keys one
by one. So, here you can see that from the
secret key we have got the round key 1, round
key 2 and so on till round key n and all of
these round keys are mixed with these rounds
ok.
So, this mixing is also done by a similar
step as the key whitening step for example,
it could be done through a bitwise exclusive
or ok. So, you can also apply other kind of
whitening things for whitening steps for example,
you can probably try with an interior module
or addition also. So, there could be other
kind of reversible functions which you can
also try to apply over here, but the most
common is probably exclusive what where you
do an xor between the plaintext and the secret
key or the key components. So, finally, after
n rounds you obtain an output which is called
as a cipher ok.
Now, you can you should note here at this
point that what the designer wants you to
essentially see is that it once that the adversary
should only see these plain text and the cipher
text block. It wants that the cipher that
the adversary should not see any intermediate
data. If the if the adversary is able to see
any intermediate data then the designer cannot
give any guarantees of security ok. And what
we will see later on in side channel attacks
which we try to do in various hardware designs
on hardware various hardware designs is that
through side channels; we get try to get information
about these internal rounds ok and therefore,
we try to retrieve the key in very in a in
a very efficient manner ok.
But in a in a very black box sense what I
want to show here is that that attacker should
only see the plaintext and the cipher text
and then the mathematics or the algorithm
guarantees that there should not be any any
efficient attacked better than the brute force
search. That means, for example, if the key
is of dimension 128 bit; then a brute force
search would be a 2 to the power of 128 guess;
that means, I guess with the complexity of
2 to the power of 128 .
So, what I want as a designer is that there
should be no attack which is better than this
brute force search.
So, therefore, right typically the key lengths
and the block lengths are preferred as 128
bits, 192 or 256; the key and the block length
can be independent of each other. So, therefore,
you can have for example, our cipher where
there is 128 bit blocks and there the key
I mean the key right can be independently
chosen from the block length that it can essentially
make it either 128 or 192 or 256 ok. You can
also check change the block length to say
192 and again you can make independent choices
of the key length.
So, therefore, right the key length and the
block length could be independently chosen
of each other . And the choice of the length
often depends upon how effective the cipher
is against brute force search ok. So, therefore,
typically it is assumed that we should have
at least 80 bits of security to ensure that
we have gotyou know like enough amount of
protection against computationally bounded
adversaries and the longer length should you
know like we can of course, keep longer length.
But you should also again keep in mind that
if you have longer length then that will incur
into more performance overhead. So, you will
if you take more time; it will be you know
like if you are talk talking about hardware
design, it will consume more power, it will
have more area requirement or resource requirement.
So, we should try to you know like provide
good amount of security with minimum resource
that is always an objective of both algorithm
designers or both cipher designers; as well
as people who are implementing them who wants
to make efficient implementations out of ciphers
.
So, therefore rightif just want to also look
into what are the important criteria inside
an encryption round. So, again as we have
seen that in block cipher is made of rounds,
but if you go into a round right; you will
typically see that the cried that there are
two important blocks in a round . So, one
of them essentially tries to hide the relationship
between the cipher text and the key and that
is called as confusion . And the other one
is what what tries to hide relationship between
the cipher text and the plaintext and that
is what is called as diffusion .
So, therefore right you will see that in a
block cipher round typically there are the
constructions; which provides both confusion
and diffusion ok . So, typically the the artifact
or the block which produces or provides confusion
is called as S box or substitution box ok
. So, so we will see in more details as we
study AES and other ciphers and the other
layer which is called as diffusion is typically
produced provided by permutations by you know
like linearpermutation; so linear mappings.
And then as I said the third important block
or three that the third important component
of the round is where you are mixing the round
key with your state ok. And that is typically
done by a round key process which is often
realized by exclusive hours . So, the number
of rounds is determined by the ciphers resistant
to known attacks and that is called as script
analysis ok.
So, therefore, right talking about crypto
cryptographic attacks; so what essentially
you know like. So, therefore, the overall
subject is what is called as cryptology ok
and there are two important components. One
is where you talk about cryptography, where
you design things and the other one is what
is called as script analysis; where you try
to analyze your ciphers or you try to attack
your ciphers, but with the objective of analyzing
them .
So, what we try to do in cryptanalytic attacks
is we try to apply mathematical techniques
to obtain the key better than a brute force
search. Because a brute force search would
mean that suppose there is an n bit key then
that would imply a 2 to the power of n guess.
And we try to ensure that our construction
should not be being it should not be able
to be attacked by an adversary who has access
to plaintext cipher text plaintext cipher
text combination; whether you know like when
it is knowing the plaintext or whether it
is able to choose the plaintext should not
be able to do an attack which is better than
a brute force attack or brute force attack
.
So, therefore right we will see thatmost of
the attacks that we essentially see essentially
are basically distinguish or based on something
which is called as a distinguisher. Because
a good ciphered essentially tries to randomize
things ok; for example, right he tries to
transform the plaintext distribution to appear
as random in the cipher . So, the goal of
an attack in general is to find out properties
in the cipher which does not exist in random
distribution.
So, you may probably appreciate by this fact
that suppose you have got a plaintext size
of say 128 bits and a key size of 128 bits;
it is not possible for someone someone write
to evaluate all the possible mappings because
simply because the mapping is huge . So, therefore
the attacker always tries to you know like
tries to see or tries to kind of explored,
whether there is some property which the cipher
still has which makes it distinctly different
from a random distribution ok.
And that is really a challenging objective
from the designers perspective because the
designer cannot simply see all the possible
ah; all the possible configurations because
the the space is huge. So, therefore, right
what the attacker tries to do is that in their
in in efficient attacks is tries to do something
which is like a divide and conquer attack.
So, what it tries to do is that it tries to
guess a portion of the key and then it checks
for the property.
So, any attack any attack which is better
than a brute force search will qualify as
an attack. So, therefore, right if the attacker
is able to find out a property which essentially
is distinctly different from a random distribution
then; that means, that that key essentially
or that portion of the key gets explored.
And if you can do it in a divide and conquer
manner then you essentially have an efficient
key retrieval process which is better than
a brute force search.
So, the objective of the designer is to ensure
that our designs are not amenable to such
a brute a better than brute force such attack
and therefore, they are resistant against
such attacks ok. And may not be you know like
often these attacks may not be practical;
that means, suppose there is in a rather than
2 to the power of 128; if I do an attack we
say complexity of 2 to the power of 120; it
is not a practical attack but you definitely
expose a design flaw which we would like to
prevent ok .
So, therefore, right I mean I mean one very
important message is that there is a principle
which is called as Kerckhoff's principle which
says thatyou know like the cryptographic algorithm
is always assumed to be known to the adversary.
And this is something that we have understood
historically that we may try to develop proprietary
algorithms, but they are often you know like
various ways through which the proprietary
algorithm eventually comes to the public ok.
So, therefore people can either reverse engineer
or even they can compromise a person who has
knowledge about the about the algorithm. So,
rather a better approach is that we will try
to you know like rely on something which is
called as a scheme ok. We will try to rely
upon the fact that there is a piece of information
which is called as the key and the attacker
does not know the key.
And therefore, the security should be reliant
on the key and therefore, even if you you
know like get hold about the encryption algorithm;
then the securitys security is not compromised.
Moreover, it also tries to tell that you know
like you; you essentially you know like the
moment you open up your algorithm to public
scrutiny, then your algorithm gets better
analyzed right and therefore, you really come
to know about some kind of flaws which may
be you know like we may which may be have
been overlooked by the designer ok .
So so therefore, right I mean there are different
ways in which you can do crypt analysis. So,
I will try to give you a basic notion about
an attack an attack strategy which is called
as differential analysis ok . So, therefore,
right when you talk about differential analysis
then the usual; so as I said that suppose
you consider a cipher which is made of c equal
to m xor k ok where m is the message and k
is the key ok.
So, therefore, write each variable you can
assume to be b bit of information. So, if
the key is chosen at random and used only
once; then the crypt analysis is guessed no
information about m from c ok what happens
right if the key is used twice. So, you will
see that you know like. So, this is something
which is. So, often called as a one time pad,
but rather what we do in practice right we
try to use the same key for different encryptions.
So, imagine that the same key is used for
two encryptions; that means, for encrypting
m 0 and as well as for encrypting m 1. So,
therefore, right if I take the cipher c 0
and c 1 and if I xor them; then I know that
this k and this k gets cancelled because k
xor k will get cancelled and so therefore,
I will have m 0 xor with m 1 . So, this immediately
shows that the notion of difference actually
does not depend upon the key and the key gets
cancelled.
So, this notion of difference is actually
technically called as differential ok and
therefore, we try to calculate the differential
of two states ok which essentiallydoes not
depend upon the secret key.
So, let us do a very simple exercise on crypt
analysis. So, suppose I have got a message
m; I have got this k 0 key and I obtain some
intermediate data which is called as u and
pass it through an S box. So, the S box is
as small as box which I have shown here in
the table. So, that just stands for a mapping;
that means, if I have got 0 as input then
this gets mapped into 6; if 1 is an input
it gets mapped into 4 and so on. So, you can
imagine that this is just as a lookup table.
So, this S box or S function does that look
up and transforms u into v and finally, I
apply k 1 to xor with k 1 and I get c ok.
So, you can see that if I study the differential
behavior then we can do an interesting attack;
rather than you know like guessing all the
possible values of k 0 and k 1 ok . So, what
essentially you can do here. So, you can observe
that k 0 is a 4 bit of information; k 1 is
also a 4 bit of information. So, a brute force
search would therefore, require 2 to the power
of 4 into 2 to the power of 4; that means
2 to the power of 8 possible guesses.
So, we can do better than that ok and as I
will show here in thisthese two these slides.
So, suppose you consider encryptions with
a pair of plaintext m 0 and m 1; so therefore,
as I said in a previous slide, if you know
m 0 and m 1; you also know u 0 xor u 1 because
the k will have no effect on that differ on
the differential.
So, once you observe u 0 xor u 1; you also
see that u 0 xor u 1 is nothing, but S inverse
v 0 xor with S inverse of v 1 ok.
So, you see that if I just go back here then
this xor; the differential here can be obtained
by the by xor in S inverse of v 0 with S inverse
of v 1 ok . Andso therefore the so now what
the attacker will do is that the attacker
will guess k 1 ok and we estimate v 0 and
v 1 and evaluate the above ok; if more than
one value of k 1 will satisfy, then it will
try with other messages.
So, the observation is that the difference
between internal variables will get exposed
because of the difference and weaker and this
will help us to recover key information by
guessing parts of the key and testing whether
the differential holds. So, note that when
you are guessing here you are just guessing
for k 1; it is independent of the guess of
k 0. So, you are doing an analysis which does
not depend upon k 0 and you can only constant
on one part of the key; so you can do a divide
and conquer analysis ok.
So, here is the; you know likethe actual differential
attack. So, here you can see what we have
done here is that you have got a, which is
one of the message and you have got k 0 you
have got u 0 and so what I mean other in the
other paired we choose 5 as the message ok.
So, if you exhort between a and 5; then you
get f ok and therefore, u 0 xor with u 1 is
also equal to f ok. So, usually xor with u
1 is equal to a xor with 5 and that is equal
to f. So, now if you obtain the reverse S
box which you can also write write because
it is a bijective maps. So, you can rather
than expressing v 0 in terms of u 0; you can
also express u 0 in terms of v 0 ok . And
therefore, this is the corresponding mapping
which you cananalyze ok; which you can test
for its validity given the previous S box
and now you can observe that for each value
t of k 1; we want to ensure that r t xor with
9 ok.
So, is here you can see that 9 is the cipher;
so 9 xor with k 1 and if I apply the r function
I come to this point u 0. So, I xor R t xor
with 9 and here I xor R t xor with 6; t is
the candidate for k 1. So, I xor t with 6
and then I apply the inverse function which
is R. And then if I xor then I should get
used it or xor with u 1 which is f ok. So,
here you can observe that if I see the inverse
function; then there are two t values shown
as 7 and 8; for which I get these two fs ok
and therefore, 7 and 8 are my candidate keys
for k 1 ok.
So, then I repeat this process for another
such pair. So, here for example, I have got
it for 9 and 8 and I again repeat this process
ok. So, now, I have got two key values for
k k k 1 which is shown as 0 and 7. So, now,
if I take an intersection if we do in previous
one like 7 and 8 and between 0 and 7; then
I know that 7 is my candidate for k 1 and
then I can calculate k 0 is d ok. So, you
see that the brute force search here is now
was 2 power of 8.
But I am doing this attack with a complexity
of 2 power of 4 and that is definitely better
than a brute force search ok; so therefore,
this is an attack.
So,talking about you like what we will be
talking subsequently is that we will talking
about a full-fledged cipher which is called
as AES which was that which is also called
as the Advanced Encryption Standard. So, this
is a de facto worldwide standard from 2000
and there are different versions ofthis algorithm.
So, there are AES 128, AES 192 and AES 256.
So, the idea is that all of them have got
128 bit block will be bit of plaintext, but
they have got different sizes of the keys.
For example, AES 128 has 16 bytes and it operates
on 10 rounds. And likewise AES 192 operates
on 24 bytes ok and so on and it has got a
number of rounds is 12. And likewise AES 256
operates on 256 bytes; 256 bits of key and
has got fourteen rounds for its encryption.
Each round has got different steps as I said
for for doing the exhorting with the key and
that is typically done by round; round key
addition. It also does several you know like
functions for confusion which is often done
by a process which is called as byte substitution
which we will see in the next classes. So,
it also does a interesting diffusion it has
an interesting interesting diffusion layer
which is done by shift row and mix columns
and the final round does not have mix columns
because it does not add to any conventional
security.
So so therefore, right what is AES? We will
be you know looking into this in the next
class andthere are you know like they were
I would like to mention here that in the original
proposal for AES; there were different algorithms
which we wereyou know like proposed, but or
there is not as was the name of the original
algorithm that won over several other algorithms
because of not only security, but also because
of implementational advantages ok.
So, this is this particular cartoon or stick
diagram I have taken from this you know like
this url. So, I would like to thank for that.
Andand finally, right we will try to take
a look into how the AES looks like and that
is something thatwe will be trying to study
more in more details in the next classes ok.
So so here I would of course, like I have
tried to give you an overview behind this
cryptographic algorithms, but we will be studying
aboutyou know like AES in more details in
the next classes ok.
So, this is my reference for the book.
Andso what we basically studied is we tried
to understand that cryptographic implementations
should be lightweight because we need to ensure
that our designs have less overhead.
We studied about different types of ciphers
or broad types of ciphers, westudied about
block cipher constructions constitutes of
both non-linear and linear components. That
means, which produces the confusion and the
diffusion respectively , we studied aboutthe
fact that encryption algorithms are published;
the secret is often in the key.
And we discussed about an idea of differential
attacks we also discussed that AES is composed
of different sub operations add round key
and byte substitution which we will take up
in more details in the next class ok; so add
round key, byte substitution, shift rows and
mix columns. So, these are different operations
which you will try to study in the next class
ok. So, with this I would like to say.
Thank you.
