CSE345/545 - Winter 2025

Foundations of Computer Security

Overview of Cryptography
Dr. Arun Balaji Buduru
Founding Head, Usable Security Group (USG)
Associate Professor, Dept. of CSE | HCD, IIIT-Delhi, India
Visiting Faculty, Indiana University – Bloomington, USA

Thanks to PK, Kohno, Kurose, Ross and others for sample slides and materials
Cryptography
1

 In Greek means “secret writing”

 An outsider (interceptor/intruder/adversary) can
make following threats:
 Block message (affecting availability)
 Intercept message (affecting secrecy)

 Modify message (affecting integrity)

 Fabricate message (affecting integrity)

 The fundamental technique to counter these threats

 Cryptography (cont.)
2

 Cryptography: Study of mathematical techniques related to

certain aspects of information security, such as confidentiality,
data integrity, entity authentication, and data origin
authentication.
 The basic component of cryptography is a cryptosystem
 Cryptographer: Person working for legitimate sender or receiver.
A cryptographer will use cryptography to convert plaintext
into ciphertext.
 Cryptanalyst: Person working for unauthorized interceptor. A
cryptanalyst will use cryptanalysis to attempt to turn ciphertext
back into plaintext.
 Cryptology: Study of encryption and decryption, including
cryptography and cryptanalysis.
 Cryptosystem
3

 A cryptosystem is a 5-tuple (, D, M, K, C),

where M is the set of plaintexts, K is the set of keys, C is
the set of ciphertexts, :   K→C is the set of encipher
(encryption) functions, and D: C  K→M is the set of
deciphering (decryption) functions.
 PlaintextM: set of messages in original form
 Ciphertext C: set of messages in encrypted form
Classical Cryptography
4

 Basic techniques for classical ciphers

 Substitution:One letter is exchanged for another
 Transposition: The order of the letters is rearranged

 Classical ciphers
 Mono-alphabetic: Letters of the plaintext alphabet are
mapped into other unique letters
 Poly-alphabetic: Letters of the plaintext alphabet are
mapped into letters of the ciphertext space depending
on their positions in the text
 Substitution
5

 Substitute each letter in the plaintext for another

one.
 Example (Caesar Cipher)

a b c d e f g h i j k l m n o p q r s t u v w x y z
q e r y u i o p a s d f g w h j k l z x c v b n m t
Plaintext: under attack we need help
Ciphertext: cwyul qxxqrd bu wuuy pufj
 [from Stallings, Cryptography & Network Security]

6
Transposition
7

 Change the positions of the characters in the

plaintext
 Example:
message: meet me after the toga party
m e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext: MEMATRHTGPRYETEFETEOAAT
 Vigenere Cipher
7-8

 Idea: Uses Caesar's cipher with various different shifts, in

order to hide the distribution of the letters.
 A key defines the shift used in each letter in the text
 A key word is repeated as many times as required to
become the same length

Plain text: I a t t a c k
Key: 2342342 (key is “234”)
Cipher text: K d x v d g m
 Problem of Vigenere Cipher
7-9

 Vigenere is easy to break (Kasiski, 1863):

 Assume we know the length of the key. We can organize the
ciphertext in rows with the same length of the key. Then, every
column can be seen as encrypted using Caesar's cipher.

 The length of the key can be found using several methods:

1. If short, try 1, 2, 3, . . . .
2. Find repeated strings in the ciphertext. Their distance is expected to be a
multiple of the length. Compute the gcd of (most) distances.
3. Use the index of coincidence.
 Types of Cryptosystems
10

 Symmetric cryptosystems (also called single-key

cryptosystems) are classical cryptosystems:
M = D(K, E(K, M))
 The encryption key and decryption key are the same.
 Asymmetric cryptosystems:
M = D(Kd, E(Ke, M))
 Kd is the decryption key and Ke is the encryption key
 Kd ≠ Ke

 Hash Functions
 No keys
Symmetric Key Cryptography
11

AKA secret key cryptography

AKA conventional cryptography
Secure Key Distribution Strategies for Symmetric
Cryptosystems
12

 A key K can be selected by A to be shared with B, and

K needs to be physically delivered to B
 A third party can select the same key K and physically
deliver K to A and B
 If A and B have previously used a key K’, one party can
transmit the new key K to the other, encrypted using the
old key K’
 If A and B each has an encrypted connection to a third
party C, C can transmit the new key K on the encrypted
links to both A and B
 Any other means?
Symmetric Key Applications
13

 Transmission over insecure channel

 Shared secret (transmitter, receiver)
 Secure storage on insecure media
 Authentication
 Strong authentication: prove knowledge
without revealing key
A simple example
14

 KAB = +3 (Caesar cipher), known by Alice & Bob

 rA = “marco”
 rA encrypted with KAB: “pdufr”
 rB = “polo”
 rA encrypted with KAB: “sror”
 (“marco”, “pdufr”), (“polo”, “sror”)
Block Ciphers
15  In a block cipher:
 Plaintext and ciphertext have fixed length b (e.g., 128 bits)
 A plaintext of length n is partitioned into a sequence of m
blocks, P[0], …, P[m−1], where n  bm  n + b
 Each message is divided into a sequence of blocks and
encrypted or decrypted in terms of its blocks.
Requires padding
with extra bits.
Plaintext

Blocks of
plaintext
Padding
16

 Block ciphers require the length n of the plaintext to be a multiple of the

block size b
 Padding the last block needs to be unambiguous (cannot just add zeroes)
 When the block size and plaintext length are a multiple of 8, a common
padding method (PKCS5) is a sequence of identical bytes, each indicating
the length (in bytes) of the padding
 Example for b = 128 (16 bytes)
 Plaintext: “Roberto” (7 bytes)
 Padded plaintext: “Roberto999999999” (16 bytes), where 9 denotes the
number and not the character
 We need to always pad the last block, which may consist only of padding
Block Ciphers in Practice
17
 Data Encryption Standard (DES)
 Developed by IBM and adopted by NIST in 1977
 64-bit blocks and 56-bit keys
 Small key space makes exhaustive search attack feasible since late 90s
 Triple DES (3DES)
 Nested application of DES with three different keys KA, KB, and KC
 Effective key length is 168 bits, making exhaustive search attacks unfeasible
 C = EKC(DKB(EKA(P))); P = DKA(EKB(DKC(C)))
 Equivalent to DES when KA=KB=KC (backward compatible)
 Advanced Encryption Standard (AES)
 Selected by NIST in 2001 through open international competition and public
discussion
 128-bit blocks and several possible key lengths: 128, 192 and 256 bits
 Exhaustive search attack not currently possible
 AES-256 is the symmetric encryption algorithm of choice
 Symmetric key crypto: DES
7-18

DES operation
initial permutation
16 identical “rounds” of
function application,
each using different 48
bits of key
final permutation
The Advanced Encryption Standard (AES)
19
 In 1997, the U.S. National Institute for Standards and Technology (NIST)
put out a public call for a replacement to DES.
 It narrowed down the list of submissions to five finalists, and ultimately
chose an algorithm that is now known as the Advanced Encryption
Standard (AES).
 AES is a block cipher that operates on 128-bit blocks. It is designed to
be used with keys that are 128, 192, or 256 bits long, yielding ciphers
known as AES-128, AES-192, and AES-256.
20

AES Round Structure

 The 128-bit version of the AES
encryption algorithm proceeds in
ten rounds.
 Each round performs an invertible
transformation on a 128-bit array,
called state.
 The initial state X0 is the XOR of the
plaintext P with the key K:
X0 = P XOR K.
 Round i (i = 1, …, 10) receives
state Xi-1 as input and produces
state Xi.
 The ciphertext C is the output of the
final round: C = X10.
AES Rounds
21

 Each round is built from four basic steps:

1. SubBytes step: an S-box substitution step
2. ShiftRows step: a permutation step
3. MixColumns step: a matrix multiplication step
4. AddRoundKey step: an XOR step with a round key
derived from the 128-bit encryption key
Block Cipher Modes
22  A block cipher mode describes the way a block cipher
encrypts and decrypts a sequence of message blocks.
 Electronic Code Book (ECB) Mode (is the simplest):
 Block P[i] encrypted into ciphertext block C[i] = EK(P[i])
 Block C[i] decrypted into plaintext block M[i] = DK(C[i])
Strengths and Weaknesses of ECB
23

 Weakness:
 Strengths:
 Documents and images are not
 Is very simple suitable for ECB encryption since
 Allows for parallel patters in the plaintext are
encryptions of the blocks repeated in the ciphertext:
of a plaintext
 Can tolerate the loss or
damage of a block
 Cipher Block Chaining (CBC) Mode
24
 In Cipher Block Chaining (CBC) Mode
 The previous ciphertext block is combined with the
current plaintext block C[i] = EK (C[i −1]  P[i])
 C[−1] = V, a random block separately transmitted
encrypted (known as the initialization vector)
 Decryption: P[i] = C[i −1]  DK (C[i])
CBC Encryption: CBC Decryption:
P[0] P[1] P[2] P[3] P[0] P[1] P[2] P[3]
V
V

EK EK EK EK DK DK DK DK

C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3]

Strengths and Weaknesses of CBC
25

 Strengths:  Weaknesses:
 Doesn’t show patterns in  CBC requires the reliable
the plaintext transmission of all the
 Is the most common mode
blocks sequentially
 Is fast and relatively
 CBC is not suitable for
simple
applications that allow
packet losses (e.g., music
and video streaming)
Stream Cipher
26
 Key stream
 Pseudo-random sequence of bits S = S[0], S[1], S[2], …
 Can be generated on-line one bit (or byte) at the time
 Stream cipher
 XOR the plaintext with the key stream C[i] = S[i]  P[i]
 Suitable for plaintext of arbitrary length generated on the fly, e.g., media
stream
 Synchronous stream cipher
 Key stream obtained only from the secret key K
◼ Independent with plaintext and ciphertext
 Works for high-error channels if plaintext has packets with sequence numbers
 Sender and receiver must synchronize in using key stream
 If a digit is corrupted in transmission, only a single digit in the plaintext is
affected and the error does not propagate to other parts of the message.
Stream Cipher
27

 Self-synchronizing stream cipher

 Key stream obtained from the secret key and N previous
ciphertexts
 the receiver will automatically synchronize with the keystream
generator after receiving N ciphertext digits, making it easier to
recover if digits are dropped or added to the message stream.
 Lost packets cause a delay of q steps before decryption resumes

 Single-digit errors are limited in their effect, affecting only up to

N plaintext digits.
Key Stream Generation
28

 RC4
 Designed in 1987 by Ron Rivest for RSA Security
 Trade secret until 1994
 Uses keys with up to 2,048 bits
 Simple algorithm
 Block cipher in counter mode (CTR)
 Use a block cipher with block size b
 The secret key is a pair (K,t), where K is key and t (counter) is a b-
bit value
 The key stream is the concatenation of ciphertexts
EK (t), EK (t + 1), EK (t + 2), …
 Can use a shorter counter concatenated with a random value
 Synchronous stream cipher
Hash Functions
29

 A hash function h maps a plaintext x to a fixed-

length value x = h(P) called hash value or digest of P
 Usually x is much smaller in size compared to P.
A collision is a pair of plaintexts P and Q that map to the
same hash value, h(P) = h(Q)
 Collisions are unavoidable
 For efficiency, the computation of the hash function should
take time proportional to the length of the input plaintext
Cryptographic Hash Functions
30

 A cryptographic hash function satisfies additional properties

 Preimage resistance (aka one-way)
◼ Given a hash value x, it is hard to find a plaintext P such that h(P) = x
 Second preimage resistance (aka weak collision resistance)
◼ Given a plaintext P, it is hard to find a plaintext Q such that h(Q) =
h(P)
 Collision resistance (aka strong collision resistance)
◼ It is hard to find a pair of plaintexts P and Q such that h(Q) = h(P)
 Collision resistance implies second preimage resistance
 Hash values of at least 256 bits recommended to defend
against brute-force attacks
7-31

Hash Function Algorithms

 MD5 hash function widely used (RFC 1321)
 computes 128-bit message digest in 4-step process.
 arbitrary 128-bit string x, appears difficult to construct
msg m whose MD5 hash is equal to x.
 SHA-1 is also used.
 USstandard [NIST, FIPS PUB 180-1]
 160-bit message digest

 There are many hash functions, but most of them do

not satisfy cryptographic hash function requirements
 example: checksum
Message-Digest Algorithm 5 (MD5)
32

 Developed by Ron Rivest in 1991

 Uses 128-bit hash values
 Still widely used in legacy applications although considered
insecure
 Various severe vulnerabilities discovered
 Chosen-prefix collisions attacks found by Marc Stevens, Arjen
Lenstra and Benne de Weger
 Start with two arbitrary plaintexts P and Q
 One can compute suffixes S1 and S2 such that P||S1 and Q||S2
collide under MD5 by making 250 hash evaluations
 Using this approach, a pair of different executable files or PDF
documents with the same MD5 hash can be computed
Secure Hash Algorithm (SHA)
33

 Developed by NSA and approved as a federal standard by NIST

 SHA-0 and SHA-1 (1993)
 160-bits
 Considered insecure
 Still found in legacy applications
 Vulnerabilities less severe than those of MD5
 SHA-2 family (2002)
 256 bits (SHA-256) or 512 bits (SHA-512)
 Still considered secure despite published attack techniques
 Public competition for SHA-3 announced in 2007
Iterated Hash Function
34
 A compression function works on input values of fixed length
 An iterated hash function extends a compression function to inputs of
arbitrary length
 padding, initialization vector, and chain of compression functions
 inherits collision resistance of compression function
 MD5 and SHA are iterated hash functions
P1 P2 P3 P4

IV || || || || digest

SHA-1
Hashing Time MD5
0.06
0.05
0.04
msec

0.03
0.02
0.01
0
0 100 200 300 400 500 600 700 800 900 1000
Input Size (Bytes)
Cryptographic Hash Lifecycle
35

http://valerieaurora.org/hash.html

[via http://www.schneier.com/blog/archives/2011/06/the_life_cycle.html]
Birthday Attack
36

 The brute-force birthday attack aims at finding a collision for a hash function h
 Randomly generate a sequence of plaintexts X1, X2, X3,…
 For each Xi compute yi = h(Xi) and test whether yi = yj for some j < i
 Stop as soon as a collision has been found
 If there are m possible hash values, the probability that the i-th plaintext does not collide
with any of the previous i −1 plaintexts is 1 − (i − 1)/m
 The probability Fk that the attack fails (no collisions) after k plaintexts is
Fk = (1 − 1/m) (1 − 2/m) (1 − 3/m) … (1 − (k − 1)/m)
 Using the standard approximation 1 − x  e−x
Fk  e−(1/m + 2/m + 3/m + … + (k−1)/m) = e−k(k−1)/2m
 The attack succeeds/fails with probability ½ when Fk = ½ , that is,
e−k(k−1)/2m = ½
k  1.17 m½
 We conclude that a hash function with b-bit values provides about b/2 bits of security
Public Key Cryptography
37

AKA asymmetric cryptography

AKA unconventional cryptography (?)

Public key: published, ideally known widely

Private key (NOT “secret key”): not published
Public key cryptography

+ Bob’s public
K
B key

- Bob’s private
K
B key

plaintext, P encryption ciphertext decryption Plaintext, P

algorithm algorithm
C=EK+B(P) P=DK-B(C)
Facts About Numbers
39

 Prime number p:
 p is an integer
 p2
 The only divisors of p are 1 and p
 Examples
 2, 7, 19 are primes
 −3, 0, 1, 6 are not primes
 Prime decomposition of a positive integer n:
n = p1e1  …  pkek
 Example:
 200 = 23  52
Fundamental Theorem of Arithmetic
The prime decomposition of a positive integer is unique
Greatest Common Divisor
40

 The greatest common divisor (GCD) of two positive integers a and b,

denoted gcd(a, b), is the largest positive integer that divides both a
and b
 The above definition is extended to arbitrary integers
 Examples:
gcd(18, 30) = 6 gcd(0, 20) = 20
gcd(−21, 49) = 7
 Two integers a and b are said to be relatively prime if
gcd(a, b) = 1
 Example:
 Integers 15 and 28 are relatively prime
Modular Arithmetic
41
 Modulo operator for a positive integer n
r = a mod n
equivalent to
a = r + kn
and
r = a − a/n n
 Example:
29 mod 13 = 3 13 mod 13 = 0 −1 mod 13 = 12
29 = 3 + 213 13 = 0 + 113 12 = −1 + 113
For a<0, we first add a large kn to a such that it becomes positive
 Modulo and GCD:
gcd(a, b) = gcd(b, a mod b)
 Example:
gcd(21, 12) = 3 gcd(12, 21 mod 12) = gcd(12, 9) = 3
42

Euclid’s GCD Algorithm

 Euclid’s algorithm for Algorithm EuclidGCD(a, b)
Input integers a and b
computing the GCD Output gcd(a, b)
repeatedly applies the
formula if b = 0
return a
gcd(a, b) = gcd(b, a mod b)
else
 Example return EuclidGCD(b, a mod b)
 gcd(412, 260) = 4

a 412 260 152 108 44 20 4

b 260 152 108 44 20 4 0
 RSA: Choosing keys
7-43

1. Choose two large prime numbers p, q.

(e.g., 1024 bits each)

2. Compute n = pq, z = (p-1)(q-1)

3. Choose e (with e<n) that has no common factors

with z. (e, z are “relatively prime”).

4. Choose d such that ed-1 is exactly divisible by z.

(in other words: ed mod z = 1 ).

5. Public key is (n,e). Private key is (n,d).

+ -
KB KB
 RSA: Encryption, decryption
7-44

0. Given (n,e) and (n,d) as computed above

1. To encrypt bit pattern, m, compute

e e
c = m mod n (i.e., remainder when m is divided by n)

2. To decrypt received bit pattern, c, compute

d (i.e., remainder when cd is divided by n)
m = c mod n

Magic d
m = (m e mod n) mod n
happens!
c
RSA example:
45

Bob chooses p=5, q=7. Then n=35, z=24.

e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).

letter m me c = me mod n
encrypt:
l 12 1524832 17

d
decrypt:
c c m = cd mod n letter
17 481968572106750915091411825223071697 12 l

Computational extensive
RSA: Why is that m = (m e mod n)
d
mod n

Useful number theory result: If p,q prime and

n = pq, then: y y mod (p-1)(q-1)
x mod n = x mod n

e
(m mod n) d mod n = medmod n
ed mod (p-1)(q-1)
= m mod n
(using number theory result above)
1
= m mod n
(since we chose ed to be divisible by
(p-1)(q-1) with remainder 1 )

= m
 RSA: another important property
7-47

The following property will be very useful later:

use public key use private key

first, followed first, followed
by private key by public key

Result is the same!

RSA Cryptosystem
48

 Setup: Example
n = pq, with p and q primes ◼ Setup:
 e relatively prime to  p = 7, q = 17
(n) = (p − 1) (q − 1)  n = 717 = 119
 d inverse of e in Z(n)  (n) = 616 = 96
◼ ed mod z = 1 e=5
 Keys:  d = 77
 Public key: KE = (n, e) ◼ Keys:
 Private key: KD = d  public key: (119, 5)
 private key: 77
 Encryption:
◼ Encryption:
 Plaintext M in Zn
 M = 19
 C = Me mod n  C = 195 mod 119 = 66
 Decryption: ◼ Decryption:
M = Cd mod n  C = 6677 mod 119 = 19
Digital Signatures
49

Asymmetry:
Signature can only be generated by owner/knower of private key
Signature can be verified by anyone via public key

Non-repudiation:
Sender cannot prove message (signature) was not sent
Key may have been stolen
 Public Key Distribution and Authentication
50

 Using the “right” Public Key:

 Must be authentic, not necessarily secret
 Obtaining the “right” Public Key:
 Directly from its owner
 Indirectly, in a signed message from a Certification
Authority (CA):
◼ A Certificate is a digitally signed message from
a CA binding a public key to a name
◼ Certificates can be passed around, or managed
in directories
◼ Protocols for certificate generation: e.g. X.509
(RFC 2459), SPKI/SDSI
Public Key Cryptography Issues
51

 Efficiency
 Publickey cryptographic algorithms are orders of magnitude
slower than symmetric key algorithms
 Hybrid model
 Public
key used to establish temporary shared key
 Symmetric key used for remainder of communication
 Computational Security
52

 An encryption scheme is computationally secure if it

takes exponentially long time to break the ciphertext.
 Lifetime of a cryptosystem: The minimum time for
unauthorized decoding of encrypted message
 Defined for each application
◼ Examples:
◼ Military orders = 1 hour to 3 years
◼ Check transactions = 1 year
◼ Business agreements = 10-15 years
 Quantum Cryptography
53

 Quantum cryptography uses quantum mechanical effects (in

particular quantum communication and quantum computation) to
perform cryptographic tasks or to break cryptographic systems
 Quantum communication (or qubit-communication)
◼ Example: The parties can use exchange of photons through an optical fiber to
transmit data
 Quantum computation
◼ In a general computational state model, there are two definite states (0 or 1),
whereas quantum computation uses qubits (quantum bits) which can be a
superposition [0 and/or 1] of both the states
 Quantum mechanics
◼ The body of scientific principles that explains the behavior of matter and its
interactions with energy on the small scale of atoms and subatomic particles.
 Quantum Cryptography (Cont.)
54
 Quantum cryptography uses
◼ a quantum mechanical property of an electron existing partly in all its
theoretically possible states simultaneously; but when measured or
observed, gives a result corresponding to only one of the possible
configurations
◼ transmission of information in quantum states, to implement a
communication system that detects eavesdropping.
 Quantum key distribution (QKD)* describes the process to
establish a shared key between two parties which include
encoding the bits of the key as quantum states and transmitting
them. If eavesdropper tries to learn these bits, the messages will
be disturbed and can be easily detected due to the above
quantum mechanical property
*http://en.wikipedia.org/wiki/Quantum_key_distribution
 Quantum Cryptography (Cont.)
55
 Major advantages:
A key that is guaranteed to be secure can be produced,
under realistic constraints
 It allows the completion of various cryptographic tasks
which are shown or conjectured to be impossible using only
classical cryptographic techniques (example)
 Major limitation
 Quantum cryptography can only provide 1:1 connection
 Quantum Cryptography (Cont.)
56

 Protocols for Quantum Key Exchange,

 BB84 protocol: Charles H. Bennett and Gilles Brassard
 E91 protocol: Artur Ekert
 Some of the Quantum Key distribution networks,
 DARPA
 SECOQC
 SwissQuantum
 Tokyo QKD Network
 Los Alamos National Labs
 The major advantage of quantum key distribution is its ability to
detect any interception of the key
http://en.wikipedia.org/wiki/Quantum_cryptography
http://en.wikipedia.org/wiki/Quantum_key_distribution
 Steganography
57

⚫ In Greek, steganography means “covered writing”

⚫ The art of hiding information is ways that prevent
detection of hidden messages.
⚫ Steganography and cryptography are cousins in
the spy craft family
⚫ Different goals:
• Cryptography: conceal the content of the messages
• Steganography: conceal the existence of the
messages
Steganography (cont.)
58

⚫ What to hide
⚫ Texts
⚫ Images
⚫ Sound
⚫ ……
⚫ How to hide
– embed text in text/images/audio/video files
– embed image in text/images/audio/video files
– embed sound in text/images/audio/video files
A Real Steganographic Example
59
 During WWI the following cipher message was
actually sent by a German spy
 “Apparently neutral’s protest is thoroughly discounted
and ignored. Isman hard hit. Blockade issue affects
pretext for embargo on by-products, ejecting suets and
vegetable oils”
 Hidden Message
 “Pershingsails from NY June 1”
 How to extract the hidden message from the sent
message?
 A Steganographic System
60