Course: Cryptography and Network Security

Code: CS-34310
Branch: M.C.A - 4th Semester
Lecture – 5b: Symmetric-Key Ciphers

Faculty & Coordinator : Dr. J Sathish Kumar (JSK)

Department of Computer Science and Engineering

Motilal Nehru National Institute of Technology Allahabad,
Prayagraj-211004
Symmetric-key Cipher
 Symmetric-key Cipher
• Symmetric-key encipherment uses a single key for both encryption and decryption.

• Encryption and decryption algorithms are inverses of each other.

• If P is the plaintext, C is the ciphertext, and K is the key, the encryption algorithm Ek(x)
creates the ciphertext from the plaintext; the decryption algorithm Dk(x) creates the
plaintext from the ciphertext.

• We assume that Ek(x) and Dk(x) are inverses of each other: they cancel the effect of each
other if they are applied one after the other on the same input.
 Kerckhoff’s Principle
• Although it may appear that a cipher would be more secure if we hide both the
encryption/decryption algorithm and the secret key, this is not recommended.
• Based on Kerckhoff’s principle, one should always assume that the adversary,
Eve, knows the encryption/decryption algorithm.
• The resistance of the cipher to attack must be based only on the secrecy of the key.
• In other words, guessing the key should be so difficult that there is no need to hide
the encryption/decryption algorithm.
• This principle manifests itself more clearly when we study modern ciphers.
• There are only a few algorithms for modern ciphers today.
• The key domain for each algorithm, however, is so large that it makes it difficult
for the adversary to find the key.
Cryptanalysis
 Ciphertext-Only Attack
• In a ciphertext-only attack, Eve has access to only some ciphertext.
• She tries to find the corresponding key and the plaintext.
• The assumption is that Eve knows the algorithm and can intercept the ciphertext.
• The ciphertext-only attack is the most probable one because Eve needs only the
ciphertext for this attack.
• To thwart the decryption of a message by an adversary, a cipher must be very
resisting to this type of attack.
 Ciphertext-Only Attack
• Brute-Force Attack
• In the brute-force method or exhaustive-key-search method, Eve tries to use all possible keys.
• We assume that Eve knows the algorithm and knows the key domain (the list of all possible keys).
• Using the intercepted cipher, Eve decrypts the ciphertext with every possible key until the plaintext makes sense.
• Using brute-force attack was a difficult task in the past; it is easier today using a computer.
• To prevent this type of attack, the number of possible keys must be very large.
• Statistical Attack
• The cryptanalyst can benefit from some inherent characteristics of the plaintext language to launch a
statistical attack.
• For example, we know that the letter E is the most frequently used letter in English text.
• The cryptanalyst finds the mostly-used character in the ciphertext and assumes that the corresponding
plaintext character is E.
• After finding a few pairs, the analyst can find the key and use it to decrypt the message.
• To prevent this type of attack, the cipher should hide the characteristics of the language.
• Pattern Attack
• Some ciphers may hide the characteristics of the language, but may create some patterns in the ciphertext.
• A cryptanalyst may use a pattern attack to break the cipher.
• Therefore, it is important to use ciphers that make the ciphertext look as random as possible.
 Known-Plaintext Attack

• In a known-plaintext attack, Eve has access to some

plaintext/ciphertext pairs in addition to the intercepted ciphertext
that she wants to break.
 Known-Plaintext Attack
• The plaintext/ciphertext pairs have been collected earlier.
• For example, Alice has sent a secret message to Bob, but she has later made
the contents of the message public.
• Eve has kept both the ciphertext and the plaintext to use them to break the
next secret message from Alice to Bob, assuming that Alice has not changed
her key.
• Eve uses the relationship between the previous pair to analyze the current
ciphertext.
• The same methods used in a ciphertext-only attack can be applied here.
• This attack is easier to implement because Eve has more information to use
for analysis.
• However, it is less likely to happen because Alice may have changed her
key or may have not disclosed the contents of any previous messages.
 Chosen-Plaintext Attack
• The chosen-plaintext attack is similar to the known-plaintext attack,
but the plaintext/ciphertext pairs have been chosen by the attacker
herself.
 Chosen-Plaintext Attack
• This can happen, for example, if Eve has access to Alice’s computer.
• She can choose some plaintext and intercept the created ciphertext.
• Of course, she does not have the key because the key is normally
embedded in the software used by the sender.
• This type of attack is much easier to implement, but it is much less
likely to happen.
 Chosen-Ciphertext Attack
• The chosen-ciphertext attack is similar to the chosen-plaintext attack,
except that Eve chooses some ciphertext and decrypts it to form a
ciphertext/plaintext pair.
• This can happen if Eve has access to Bob’s computer.
 Categories of Traditional Ciphers

• Substitution ciphers and Transposition ciphers.

• In a substitution cipher, we replace one symbol in the ciphertext with

another symbol.

• In a transposition cipher, we reorder the position of symbols in the

plaintext.
 SUBSTITUTION CIPHERS
• A substitution cipher replaces one symbol with another.
• Monoalphabetic Ciphers
• In monoalphabetic substitution, the relationship between a symbol in the
plaintext to a symbol in the ciphertext is always one-to-one.
•
 Additive Cipher
• This cipher is sometimes called a shift cipher and sometimes a Caesar
cipher, but the term additive cipher better reveals its mathematical
nature.
• When the cipher is additive, the plaintext, ciphertext, and key are
integers in Z26.

Representation of plaintext and ciphertext characters in Z26

Additive Cipher
 Example #1:
Use the additive cipher with key = 15 to encrypt the message “hello”.
And decrypt to verify using the same key
 • Additive ciphers are vulnerable to ciphertext-only attacks using
exhaustive key searches (brute-force attacks).
• The key domain of the additive cipher is very small;there are only 26
keys.
• However, one of the keys, zero, is useless (the ciphertext is the
same as the plaintext).
• This leaves only 25 possible keys.
• Eve can easily launch a bruteforce attack on the ciphertext.
s
 Example #2
Eve has intercepted the ciphertext “UVACLYFZLJBYL”. Show how
she can use a brute-force attack to break the cipher.
 Cryptanalysis
• Additive ciphers are also subject to statistical attacks. This is
especially true if the adversary has a long ciphertext.
• The adversary can use the frequency of occurrence of characters for a
particular language.
 Cryptanalysis

The most common two-letter groups (digrams) and three-letter groups

(trigrams) for the English text are shown in Table
 Example #3
• Eve has intercepted the following ciphertext. Using a statistical attack,
find the plaintext.

• When Eve tabulates the frequency of letters in this ciphertext, she gets: I =14, V =13, S =12,
and so on.
• The most common character is I with 14 occurrences.
• This shows that character I in the ciphertext probably corresponds to the character e in
plaintext. This means key = 4. Eve deciphers the text to get
 Multiplicative Ciphers

In a multiplicative cipher, the plaintext and ciphertext are integers in Z26;

The key is an integer in Z26*.
 Multiplicative Ciphers
• What is the key domain for any multiplicative cipher?
• The key needs to be in Z26*. This set has only 12 members: 1, 3, 5, 7, 9, 11, 15,
17, 19, 21,23, 25.
• We use a multiplicative cipher to encrypt the message “hello” with a
key of 7.
 Affine Cipher
• Combine the additive and multiplicative ciphers to get what is called the affine
cipher-a combination of both ciphers with a pair of keys.
• The first key is used with the multiplicative cipher; the second key is used with the
additive cipher.
 Affine Cipher

Use an affine cipher to encrypt the message “hello” with the key pair (7, 2).
 Affine Cipher
• Use the affine cipher to decrypt the message “ZEBBW” with the key pair (7,
2) in modulus 26.
• Add the additive inverse of −2 ≡ 24 (mod 26) to the received ciphertext.
• Then multiply the result by the multiplicative inverse of 7−1 ≡ 15 (mod 26)
to find the plaintext characters.
• Because 2 has an additive inverse in Z26 and 7 has a multiplicative inverse in
Z26∗
 Cryptanalysis of Affine Cipher

Although the brute-force and statistical method of ciphertext-only attack can be used, let us try a
chosen-plaintext attack.

Eve also very briefly obtains access to Alice’s computer and has only enough time
to type a two-letter plaintext: “et”.

She then tries to encrypt the short plaintext using two different algorithms, because she is not sure which
one is the affine cipher.
 Cryptanalysis of Affine Cipher
Eve knows that if the first algorithm is affine, she can construct the following two equations based
on the first data set.

These two congruence equations can be solved and the values of k1 and k2 can be found.

However, this answer is not acceptable because k1 = 16 cannot be the first part of the key.
Its value, 16, does not have a multiplicative inverse in Z26*.
 Cryptanalysis of Affine Cipher
Eve now tries the result of the second set of data

The square matrix and its inverse are the same. Now she has k1 = 11 and k2 = 4.
This pair is acceptable because k1 has a multiplicative inverse in Z26∗.
She tries the pair of keys (19, 22), which are the inverse of the pair (11, 4), to decipher the
message. The plaintext is