PART 2: Caesar cipher: Replace each letter in the alphabet with the Multiplication in GF(2^8): polynomial multiplication modulo m(x), so in Length extension attack: using H(m1) and m1.length -> H(m1 || m2),
letter k places further. General substitution: each plain text letter is case result is > GF(2^8) => c(x) mod x^8 + x^4 + x^3 + x + 1. c(x) this is because we use H_N = H(K || M || P) to continue our Hasing ->
assigned a unique random letter from the alphabet. Frequency mod m(x) can be found with c(x) / m(x). Remainder => solution. H’_N = H(K || M || P || M’ || P’). SHA-3: sponge function with
attack: track letters based on most used letters in the alphabet. Multiplicative Inverse in GF(2^8): Extended euclidian: Init: r_{-1} = parameters: block size r and capacity c = 1600 bits. M || P = k x r bits,
Vignere: Use all 26 mono-alphabetic general Caesar cipher m(x), r0 = a(x), w_{-1} = 0, w0 = , Recursive algo: ri(x) = r_{i-2}(x) M = n bits -> sponge function -> r bit blocks Z_{j-1} = I + extra padding
substitution rules. A key represents the order in which the 26 mod r_{i-1}(x), qi = r_{i-2}(x)/r_{i-1}(x), wi(x) = w_{i-2}(x) - qi(x)w_{i- bits. Capacity reduces vulnerability to the length extension attack.
substitution rules are used to encode subsequent plaintext letters. 1}(x) Stop condition: if ri(x) = 1 => wi(x) = a^{-1}(x). In case wi(x) not MAC = message authentication code: Fixed-length value resulting
Encr: ci = (pi + k_imodM) mod N Decr: pi = (ci - k_imodM) mod N in GF(2^8) => wi(x) mod m(x). AES details: Step 1: SubBytes: from message and secret key serves as authenticator. M || H(M || S) =
One Time Pad: M, C, K element of {0,1)^n. Encr: C = M xor K, M = C forward substitution byte transformation = table look up. S_{i, j}: first O => compare H(M || S) and O to check if message is not altered.
xor K RC4: PRG (pseudo random generator) maintains an internal 4 bits = x (which column), last 4 bits = y (which row) -> mapped on Encryption as auth: yes but in case we use encryption method where
state S of 256 bytes -> init S, S[0] = 0, ..., S[255] = 255 -> Temp vect S’_{i,j}. S box = 16 x 16 matrix and contains a permutation of all content is malleable -> then no. MAC: cryptographic checksum based
T, if T.length = K.length => T = K else K copied on T, and then K possible 256 8-bit values. S-box van be calculated: byte at row y and on a secret key. Does not need to be reversible (compared to encr).
repeated till T is filled with K -> j = 0 for i = 0 to 255 do: j = (j + S[i] + column x = yx => inverse in GF(2^8) -> convert to bit -> {b7, ..., b0}. Security Req: 1. observes M and Mac(K, M) -> Infeasible to construct
T[i]) mod 256; swap(S[i], S[j]) -> Stream gen, i, j =0 while true: (i+1) bi' = bi xor b_{i+4 mod 8} xor b_{i+5 mod 8} xor b_{i+6 mod 8} xor M’ -> Mac(K, M) = Mac(K, M’). 2. two random M and M’ => probability
mod 256; j = (j + S[i]) mod 256: swap(S[i], S[j]); t = (S[i] + S[j]) mod b_{i+7 mod 8} xor ci and c = {c7, ..., c0} = 01100011. -> covert bit Mac(K, M) = Mac(K, M’) is 2^{-n}. 3. if M’ is a known transformation of
256; k = S[t]; Encr: Xor the value k with next byte of plaintext Decr: column vector b’ -> byte = S(yx). Step 2: Shift rows: First row: not M => P(Mac(K, M) = Mac(K, M’)) = 2{-n}. CMAC: M1->Encr with key K
Xor the value k with next byte of the ciphertext. Salsa- ChaCha20: altered, Second row: left shift and first element to the right end, Third (truncated k bits)->output xor M2 -> Encr with key K -> ... -> xor with
PRG is bade on add-rotate-XOR, 32-byte addition, bitwise addition, row: double left shift, last row: right shift. Step 3: MixColumns: s’_{0, Mn and output of M_{n-1} encryption and K1 -> MSB(mac with length
fixed binary rotation. Input: 256-bit key, 64-bit nonce, 64-bit counter. j} = (2 * s_{0, j}) xor (3 * s_{1,j}) xor s_{2,j} xor s_{3,j}, s’_{1, j} = (2 * of T) = T (left most bits). Pad incase message is not a multiple of b.
Internal state = {C1, K1, K2, K3; K4, C2, N1, N2; P1, P2, C3, K5; K6, s_{1, j}) xor (3 * s_{2,j}) xor s_{3,j} xor s_{0,j}, s’_{2, j} = (2 * s_{2, j}) HMAC: hash function based mac. Advantages: 1. faster, more support.
K7, K8, C4}, C = 128-bit constant “expand 32-byte k”, K = 256-bit xor (3 * s_{3,j}) xor s_{0,j} xor s_{1,j}, s’_{3, j} = (2 * s_{3, j}) xor (3 * But we need to fix that we don’t use a secret key, “black box
key, N = 64-bit Nonce, P = 64-bit position (counter). Little endian s_{0,j}) xor s_{1,j} xor s_{2,j}. Step 4: AddRoundKey: bitwise Xor interpretation”. Authenticated Encryption: Protects confidentiality and
format, so split and convert to little endian. QR() round function: (y0, 128-bit input state and 128-bit round key. 4x4 matrix xor 4x4 matrix. authenticity. 1. H -> E 2. A -> E 3. E -> A 4. E + A. CCM (CTR with
y1, y2, y3) = QR(x0, x1, x2, x3) => y1 = x1 xor ((x0 + x3)<<<7), y2 = AES key expansion: w = B0 B1 B2 B3 -> B1 B2 B3 B0 -> Substitution CBC auth code): variation of E + A, 4 inputs: secret key K, plaintext P,
x2 xor ((y1 + x0)<<<9), y3 = x3 xor ((y2 + y1)<<<13), y0 = x0 xor ((y3 using S-box table, So SubByte on Bi -> B’1 B’2 B’3 B’0 -> result xor associated data A for mac, unique nonce N. Mac = CMAC(K, N || A ||
+ y2)<<<18). Key reuse attack: c1 = m1 xor PRG(k) and c2 = m2 xor with Rcon = RC[j] 0 0 0 and RC[1] = 1, RC[j] = 2 * RC[j-1] and P), CTR(K, P) || (MSB(E(K, Ctr0))_Tlen xor Mac). GCM (Galois /
PRG(k) => c1 xor c2 = m1 xor m2 => dictionary attack m1, m2. multiplication defined in the field of GF(2^8). Electronic code block counter mode): variation of E->A. Efficient. Uses variant of CTR that
Stream ciphers are malleable: E(k,m) xor t = m xor S(k) xor t = E(k, (ECB): plaintext split in N parts and encrypt with key K. Cipher Block includes mac. Part 4: RSA: p, q prime numbers, n = p * q, e: with
m xor t) => bit flipping attack. -> can be prevented with MAC. Feistel Chaining (CBC): P1 xor Init vector (IV) -> encrypt with key K -> C1 = gcd(phi(n), e) = 1 and 1 < e < phi(n) and d = e^{-1} mod phi(n) => C =
cipher: each block is 2w bits long, round funtion uses K1 derived new IV, P2 xor new IV (C1) -> encrypt with key K -> C2, ..., PN xor M^e mod n and M = C^d mod n. PU = {e, n} and PR = {d, n}. Phi(n) =
from K. block = LE0 || RE0 => LE1 = RE0 and RE1 = F(K1, RE0) xor C_{N-1} -> encrypt with key K -> CN. C = C1 || .. || CN. Cipher (p-1)(q-1). Efficient exponentiation: f = 1 for i = k to 0 do: f = (f * f) mod
LE0 => new block = LE1 || RE1. DES (Data encryption standard): 64- Feedback (CFB): stream cipher mode that operates on small blocks n; if bi == 1: f = (f * a) mod n; return f; Elgamel: Ingredients: q prime
bit blocks and 56-bit keys. DES makes use of 16 rounds of Feistel of s bits => IV -> Encrypt with key K -> select s bits = t1 and discard number, q primitive root alpha < q. Key gen: random int Xa such that 1
encryption and makes use of left shift to make “unique keys” out of b-s bits -> P1 of size s xor t1 -> C1 -> feedback to create I2 => I_j = < Xa < q – 1. => Ya = alpha^Xa mod q public key. Encr: for M, k such
the original. Tripple DES: Three stages, making use of 2 or 3 keys. 2- LSB_{b-s}(I_{j-1} || C_{j-1} and Cj = MSB_s(E(K, I_j)) xor Pj. Output that 1<= M <= q-1 => one time use key K = Ya^k mod q => C1 =
key variant reuses the first key in third stage, and 3-key variant Feedback (OFB): Nonce -> Encrypt with key K = O1 -> use as nonce alpha^k mod q and C2 = (K * M) mod q. Decr: K = C1^Xa mod q and
makes use of 3 unique keys. E -> D -> E (Encryption), D -> E -> D for C2 and P1 xor O1 = C1, repeat till CN. Counter (CTR): Counter M = (C2 * K^{-1}) mod q. Elliptic curve: Xr = (lambda^2 – Xp – Xq0
(Decryption). AES: 128-bit blocks, 128, 192, 256 keys. AES general as nonce => Counter 1 -> Encrypt with key K = O1 -> P1 xor O1 -> mod p and Yr = (lambda(Xp – Xr) - Yp) mod p and lambda = (Yq –
structure: Ptext = 16 bytes -> 4x4 matrix and M bytes 4x4 byte matrix C1. XEX-based tweaked-codebook mode with ciphertext stealing: Yp)/(Xq-Xp) if P not equal to Q else (3Xp^2 + a)/2Yp mod p. Digital
-> initial transformation -> transformations (key size = 16 bytes => 10 Tweak T -> H(T) xor P -> C = E(K, H(T) xor P) xor H(T). XTS-AES: K signatures: Signing: M -> crypto hash function -> h -> signature gen
rounds, = 24 bytes => 12 rounds, = 32 bytes => 14 rounds) -> Every = K1 || K2 in total 256 or 512 bits, i = 128 bit tweak, alpha = primive algo with signers private key -> M || S. Sig verification: M || S -> M ->
round 4 transformations except round N = 3 transformations. Key of GF(2^128) (GF(2^128) = x^128 + x^7 + x^2 + x + 1), a = multiplied crypto hash function -> h -> sig veri function + sig public key + S. Must
format: 4x4 matrix -> w0 w1 ... wN where N = 43, 52, 60 depending by itself j times, j is the jthe block => E(K2, i) -> Modular multiplication verify: author and time, authenticate the contents, verfiiable by third
on key size. Every word is 32-bit. Round x = substitute bytes -> shift of two polynomials between alpha and E(K2, i) = T-> E(K1, T xor P) parties. DSA (digital signature algo): M -> H(M) -> sign with global pub
rows -> Mix columns -> add round key. And key is w[x * 4, x * 4 + 3] xor T = C. PART 3: Security requirements: Variable input size = input key and sender private key = O -> M || O (O = s || r) -> r == verifier(s,
so for round 1 => w[4, 7]. Round N = substitute bytes -> Shift rows -> data, Fixed output size = Output of fixed size, Efficiency = H(x) is H(M), PUg, PUa). DSA key gen: PUg: p prime number of length L (with
Add round key. Decryption: add round key <- w[40, 43] -> Round x: easy to compute, Preimage resistant = given h, it is hard to find y: L a multiple of 64 and at least 512), prime divisor of (𝑝 – 1) of 𝑁 bits, h
inverse shift row -> inverse sub bytes -> add round key <- w[40 – x * H(y) = h, second preimage resistant = given x, it is hard to find y: y an integer between 1 and (𝑝 – 1), commonly ℎ = 2 is used, g = h^{(p-
4, 43 – x * 4] -> inverse mix cols. Round N: inverse shift rows -> not equal to x and H(y) = H(x), Collision resistant = it is hard to find 1/q)} mod q and g > 1. private key: x: 0 < x < q and pub key: y = g^x
inverse sub bytes -> add round key. Fields: Fields with an inf number (x,y): H(x) = H(y). SHA-512: pad message so m.length = 896 mod mod p. RSA PSS: sign: M -> message encoding with salt ->
of elements or finite fields -> GF(p) finite fields with p elements or 1024, single 1 bit followed by 0’s -> append length block of 128 bits, MaskedDB || H || bc -> s = em^d mod n -> s, veri: s -> em = s^ e mod
GF(p^n0 finite fields with p^n. GF = galois field. GF(p) for a given unsigned 128-bit integer, length of original message -> init buffer, 8 n -> maskedDB || H || bc -> veri with message M. PART 5: Symmetric
prime p => Zp = {0, 1, ..., p-1} if numbers are outside this scope, then 64-bit bit registers. Process message in blocks of 1024 bit -> F key distribution: 1. physical delivery 2. third party physical 3. new key
number mod p = new number. AES = GF(2^8) = x^8 + x^4 + x^3 + x function -> H_{i-1} xor F_{output}. F = 80 rounds of processing based on existing shared key 4. Encrypted connection with third party
+ 1. Addition in GF(2^8) = bit-per-bit XOR. making use of buffer. and exchange through encrypted link.
