S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
2.3-Cipher Block Modes of operation
2.3-1 Model of Conventional Cryptosystems
The following figure, which is on the next page, illustrates the conventional
encryption process. The original “plaintext” is converted into apparently random
nonsense, called “ciphertext”. The encryption process consists of an algorithm
and a key. The key is a value independent of the plaintext. The algorithm will
produce a different output depending on the specific key being used at the time.
Changing the key changes the output of the algorithm, i.e., the ciphertext.
Once the ciphertext is produced, it may be transmitted. Upon reception, the
ciphertext can be transformed back to the original plaintext by using a decryption
algorithm and the same key that was used for encryption.
X^
Cryptanalyst
Y^
Message
Source
X
Encryption
Algorithm
Y
Decryption
Algorithm
Destination
K
Secure Channel
Key
Source
Figure. 1:
Model of Conventional Cryptosystem
The security of conventional encryption depends on several factors:

The Encryption Algorithm- It must be powerful enough that it is impractical
to decrypt a message on the basis of the ciphertext alone.
Sep. 23.2003
S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security
Secrecy of the key- It was shown that the security of conventional
encryption depends on the secrecy of the key, not the secrecy of the
algorithm.
Referring to Fig. 1 above, with the message X and the encryption key K as input,
the encryption algorithm forms the ciphertext.
Y=Ek (X)
The intended receiver, in possession of the key is able to invert the
transformation
X=Dk (Y)
An opponent, observing Y but not having access to K or X, may attempt to
recover X or K or both X and K. It is assumed that the opponent knows the
encryption (E) and decryption (D) algorithms. If the opponent is interested in only
this particular message, then the focus of the effort is to recover X by generating
a plaintext estimate X^. Often, however, the opponent is interested in being able
to read future messages as well, in which case an attempt is made to recover K
by generating an estimate K^.
2.3-2 Cryptanalysis
The process of attempting to discover X or Y or both is known as cryptanalysis.
The strategy used by the cryptanalysis depends on the nature of the encryption
scheme and the information available to the cryptanalyst.
The following table summarizes the various types of cryptanalytic attacks based
on the amount of information known to the cryptanalyst.
Table 1: Types of Attacks on Encrypted Message
Attack Type
Ciphertext only
Known Plaintext
Chosen Plaintext
Sep. 23.2003
Knowledge Known to Cryptanalyst








Encryption algorithm
Ciphertext to be decoded
Encryption algorithm
Ciphertext to be decoded
One or more plaintext-ciphertext pairs formed with
the same secret key
Encryption algorithm
Ciphertext to be decoded
Plaintext message chosen by cryptanalyst, together
with its corresponding ciphertext generated with
2
S. Erfani, ECE Dept., University of Windsor
Chosen Ciphertext



Chosen text




0688-590-18 Network Security
the same secret key
Encryption algorithm
Ciphertext to be decoded
Purported ciphertext chosen by cryptanalyst,
together with its corresponding decrypted plaintext
generated with the secret key
Encryption algorithm
Ciphertext to be decoded
Plaintext message chosen by cryptanalyst, together
with its corresponding ciphertext generated with
the secret key
Purported ciphertext chosen by cryptanalyst,
together with its corresponding decrypted plaintext
generated with the secret key
2.3-3 -Transposition Ciphers: Moving around
Changing the positions of plaintext letters is another enciphering technique. It is
called transposition, as in transferring position. Please note that many
newspapers have transposition puzzles called “jumbles”.
To illustrate this technique, let’s do the following example.
Example 1:
Plaintext: “last nite was heaven please marry me”
We use a 5x6 grid to write the plaintext as:
Read
down
L
T
E
L
A
A
E
A
E
R
S
W
V
A
R
T
A
E
S
Y
N
S
N
E
M
I
H
P
M
E
To encipher the text, we only read letters down the first column, then letters down
from the second column, and so on. The ciphered letters are the same as the
plaintext letters except that they are positioned to form a new pattern, as given
below.
Ciphertext:
LTELA AEAER SWVAR TAESY NSNEM IHPME
To decipher the received ciphertext, the receiver must know two things: the
length and width of the grid and the way letters are read from the grid.
Sep. 23.2003
3
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
Note 1:
The transposition cipher is also known as permutation cipher. We
know give the mathematical description of the permutation cryptosystem as
follows:
Def:
Permutation Cipher
Let m be a positive integer. Let P =C = (Z26)m and let K consist of all permutations
of {1, …, m}. For a key (i.e., a permutation) , we define
e (x1, …, x m)=( x(1), …, x(m)) and
d (y1, …, ym)=( y-1(1), …, y-1(m)) ,
where -1 is the inverse permutation to .
Example 2: Suppose m = 6 and the key is the following permutation :
x
(x)
1
3
2
6
3
1
4
5
5
2
6
4
Note that the first row of this diagram lists the values of x, 1 x 6, and the 2nd
row lists the corresponding values of (x).
The inverse permutation -1 can be constructed by interchanging the two rows in
this diagram, and rearranging the columns so that the first row is in increasing
order. Thus, carrying out these operations, we get the following decryption
permutation -1 as:
x
 (x)
-1
1
3
2
5
3
1
4
6
5
4
6
2
Now, suppose we are given the plaintext
Plaintext: “she sells seashells by the seashore”
We first partition the plaintext into groups of six letters, and then rearrange each
group of six letters according to permutation . The result is shown in the
following 6x6 grid.
x
(x)
Sep. 23.2003
1
E
S
L
H
2
E
A
S
S
3
S
L
H
Y
4
L
S
B
E
5
S
E
L
E
6
H
S
E
T
4
S. Erfani, ECE Dept., University of Windsor
H
R
A
0688-590-18 Network Security
E
O
S
2.3-4 Hill Cipher
Another interesting multi-alphabetic cipher is the Hill cipher, developed by the
mathematician Lester Hill in 1929.
The idea is based on linear transposition. In fact, permutation cipher is a special
case of the Hill cipher.
In this scheme, we take m linear combinations of the m successive plaintext
alphabetic characters and produce an m ciphertext letters for them. The
substitution is determined by m linear equations in which each letter is assigned
its numerical value; i.e. {0, 1, 2, …25} = Z26.
For m = 3, the system can be described as follows:
y1  (k11 x1  k12 x2  k13 x3 ) mod 26
y2  (k21 x1  k22 x2  k23 x3 ) mod 26
y3  (k31 x1  k32 x2  k33 x3 ) mod 26
This can be expressed in terms of column vectors and matrices:
 y1   k11 k12
 y   k
 2   21 k22
 y3   k31 k32
k13   x1 
k23   x2 
k33   x3 
or in a compact form
Y=KX
Where Y and X are column vectors of length 3, representing the ciphertext and
plaintext letters, and K is a 33 matrix, representing the encryption key.
Operations are performed mod26. Decryption requires using the inverse of matrix
K.
Example 1: Consider the plaintext “paymoremoney,” and use the
encryption key
Sep. 23.2003
5
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
17 17 5 


K   21 18 21
 2 2 19 


Find the resulting ciphertext.
Solution:
Plaintext:
paymoremoney
15 0 24 …
The first three letters of the plaintext are represented by vector (x1, x2, x3)=(15, 0,
24)
Thus:
 y1 
 x1  17 17 5 15 
 
  
 
 y2   K  x2    21 18 21 0 
y 
 x   2 2 19  24 
 
 3
 3 
That is:
 y1   375 
11   L 
  

   
 y2    819  mod 26  13    N 
18   S 
 y   489 

   
 3 
Continuing in this fashion, the ciphertext for the entire plaintext is:
Ciphertext: LNSHDLEWMTRW
Q.E.D.
Decryption requires using the inverse of the matrix K. The inverse
of a matrix
K is defined by the equation K K1= K1K =I, where I is the diagonal matrix that is
all zeros except for ones along the main diagonal from upper left to lower right.
K1
Note 2:
The inverse of a matrix does not always exist, but when it does, it
satisfies the preceding equation.
Exercise 1:
Sep. 23.2003
Show that the inverse of matrix K used in above example is
6
S. Erfani, ECE Dept., University of Windsor
K
1
0688-590-18 Network Security
 4 9 15 


  15 17 6 
 24 0 17 


Note 3:
It is easily shown that if the matrix K1 is applied to the above
resulting ciphertext, then the plaintext can be recovered.
Exercise 2:
A cryptanalyst receives the following ciphertext:
LNSHDLEWMTRW
He has also estimated the decryption matrix from some previous analysis for this
Hill Cipher to be:
 4 9 15 


1
K   15 17 6 
 24 0 17 


What is the plaintext?
We now give a precise description of the Hill Cipher over Z26.
Definition:
Hill Cipher Cryptosystem
Let m  2 be an integer, Let P=C=(Z26)m
and let
K = {mm invertible matrix over Z26}.
For a key K, we define:
C = EK(P)=KP
P = DK(C) = K1 C= K1 KP = P
Note 1:
Hill Cipher completely hides single-letter frequencies. Use of a
larger matrix hides more frequency information.
Sep. 23.2003
7
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
Note 2:
The weakness of the Hill Cipher is that it is easily broken with a
known plaintext attack.
To show this, suppose we have m plaintext-ciphertext pairs, each of length m.
Let
Pj=(P1j, P2j, …, Pmj)
Cj=(C1j, C2j, …, Cmj)
Therefore, we can write
Cj=KPj
1jm
for some known key matrix K.
We now define the following two mm square matrices:
X = (Pij)
Y = (Cij)
Then, we can form the matrix equation Y=XK.
Now, we can find the unknown key matrix K from the equation K=X-1Y
Let us illustrate the above attack by a simple example.
Example 2: It is known that the plaintext “friday” is encrypted using a 22 Hill
Cipher to yield the ciphertext PQCFKU. Find the key matrix K for this
cryptosystem.
Solution:
Plaintext:
Pij :
Ciphertext:
Cij :
f
15
P
15
r
17
Q
16
i
8
C
2
d
3
F
5
a y
0 24
K U
10 20
For the unknown key matrix is K, we can write the following plaintext-ciphertext
pairs:
KPj = Cj
Sep. 23.2003
1jm
8
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
Using the first two plaintext-ciphertext pairs, we can write the following matrix
equation:
15 16   5 17 


K
 2 5  8 3 
mod 26
1
 5 17  15 16 
K = 
 

8 3   2 5 
 9 1 15 16 
=


 2 15  2 5 
mod 26
mod 26
 7 19 
=

8 3 
Therefore, we obtained the key matrix! The result can be verified by testing the
remaining plaintext- ciphertext pair.
From the above example and other examples worked out so far, we
may conclude that neither cipher schemes of Substitution nor Transposition are
strong enough to stand cryptanalytic attacks. One may find that using the two
types together creates much better concealment than either method above. In
fact, using substitution and transposition cipher methods repeatedly on ciphertext
provides strong disguising patterns.
Note 3 :
We will discuss this scheme in the next chapter.
Exercise 2:
Why transposition ciphers are used if they are so easy to crack?
Answer:
Transposition can be looked at a set of instructions, one instruction
for each letter, easily implemented by a computer and can be difficult to crack if
they are repeatedly used on the same plaintext!
Exercise 3: Repeat the transposition cipher used in Exercise 1 (on page 17)
twice for the plaintext used:
Solution:
Sep. 23.2003
9
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
Plaintext:
lastnitewasheavenpleasemarryme
1st transposed ciphertext: LTELAAEAERSWVARTAESYNSNEMIHPME
2nd transposed ciphertext: LEVSMTAAYIEERNHLRTSPASANMAWEE
LTELA AEAER SWVAR TAESY
NSNEM I HPME
last nite was heaven please marry me
Read
down
L
A
S
T
N
I
L
T
E
L
A
A
T
E
W
A
S
H
E
A
E
R
S
W
E
A
V
E
N
P
V
A
R
T
A
E
L
E
A
S
E
M
S
Y
N
S
N
E
A
R
R
Y
M
E
M
I
H
P
M
E
(a) 1st transposed cipher.
Sep. 23.2003
(b) The ou
10