
EE 418 Network Security and Cryptography, Lecture #7, October 20, 2016

Perfect Secrecy and One-time Pads. Block and Stream Ciphers. DES, Triple DES and AES. Modes of Operation. Lecture notes prepared by Professor Radha Poovendran and Tamara Bonaci, Department of Electrical Engineering, University of Washington, Seattle.

Outline:

1. Background: uncertainty, entropy and conditional entropy
2. Perfect secrecy and one-time pads
3. Block and stream ciphers
4. Data Encryption Standard (DES)
5. Triple DES
6. Advanced Encryption Standard (AES)
7. Encrypting large plaintexts: modes of operation
   – Electronic Code Book (ECB) mode
   – Cipher Block Chaining (CBC) mode
   – Counter (CTR) mode

1 Background: Uncertainty, Entropy and Conditional Entropy

The idea of having knowledge (or information) about something is closely related to the idea of uncertainty. Intuitively, information increases as uncertainty decreases. To measure an increase in information, or equivalently a decrease in uncertainty, we use entropy. Before we can talk about entropy, though, let’s briefly refresh our memory about probability.

1.1 Random Variable

Let’s consider an experiment $X$ with possible outcomes in some set $\mathcal{X}$, and assume that each outcome in that set has some probability of occurring. We can then treat the outcome of the experiment as a random variable, and for every possible outcome $x \in \mathcal{X}$ denote the probability that the outcome equals $x$ by

$p_X(x) = p_x = P[X = x]$ (1)

For example, suppose our experiment is rolling a fair six-sided die. The set of possible outcomes is $\{1, 2, \ldots, 6\}$, and each outcome is equally likely, so

$p_X(1) = p_1 = P[X = 1] = P[X = 2] = P[X = 3] = P[X = 4] = P[X = 5] = P[X = 6] = \tfrac{1}{6}$

1.2 Entropy

Let’s now consider two simple experiments: rolling a six-sided die and rolling a ten-sided die. Intuitively, which of the two has more uncertainty? If you guess the outcome of each roll, you are more likely to be wrong with the ten-sided die than with the six-sided one. Therefore, the ten-sided die has more uncertainty.

Question: If this is our intuition about uncertainty, how do we measure it? Answer: We measure uncertainty with entropy.

Definition 1: For a random variable $X$ with outcomes $\mathcal{X} = \{x_1, \ldots, x_n\}$ having probabilities $p_1, \ldots, p_n$, entropy is a function $H$ satisfying the following conditions [2]:

1. For each set of non-negative numbers $p_1, \ldots, p_n$ with $p_1 + \cdots + p_n = 1$, the uncertainty is given by a number $H(p_1, \ldots, p_n)$.
2. $H$ is a continuous function of the probability distribution: a small change in the distribution does not cause a drastic change in uncertainty.
3. When all outcomes are equally likely, the uncertainty increases with the number of possible outcomes:

$H\left(\tfrac{1}{n}, \ldots, \tfrac{1}{n}\right) \le H\left(\tfrac{1}{n+1}, \ldots, \tfrac{1}{n+1}\right) \quad \forall n > 0$

4. If the $j$-th outcome is split into two sub-outcomes with probabilities $q p_j$ and $(1-q) p_j$, the entropy increases by the uncertainty of the choice between the two sub-outcomes, weighted by the probability $p_j$ of being in the $j$-th outcome in the first place:

$H(p_1, \ldots, q p_j, (1-q) p_j, \ldots, p_n) = H(p_1, \ldots, p_n) + p_j H(q, 1-q)$

The function satisfying these conditions (unique up to the choice of logarithm base) is

$H(X) = -\sum_{x \in \mathcal{X}} p(x) \log_2 p(x)$ (2)

With base-2 logarithms $H$ is measured in bits. For the fair six-sided die, $H = \log_2 6 \approx 2.585$ bits; for the ten-sided die, $H = \log_2 10 \approx 3.322$ bits, matching the intuition above.

1.3 Conditional Entropy $H(Y|X)$

In cryptography we often want to know the uncertainty that remains about one quantity (for example the key, or the plaintext) given knowledge of another (for example the ciphertext). This leads to the concept of conditional entropy, defined next.

Definition 2: The conditional entropy of a random variable $Y$ given a random variable $X$ is the uncertainty remaining in $Y$ once $X$ is known:

$H(Y|X) = \sum_x p_X(x) H(Y|X = x) = -\sum_x \sum_y p_{X,Y}(x, y) \log_2 p_Y(y|x)$ (3)

It satisfies $0 \le H(Y|X) \le H(Y)$, with $H(Y|X) = H(Y)$ exactly when $X$ and $Y$ are independent, i.e., when knowing $X$ tells us nothing about $Y$.

2 Perfect Secrecy and One-time Pads

Let’s assume that we have a cryptosystem with a set of possible plaintexts $\mathcal{P}$, a set of possible ciphertexts $\mathcal{C}$ and a set of possible keys $\mathcal{K}$. Each plaintext in $\mathcal{P}$ has a certain probability of occurring, and some plaintexts are more likely than others. The choice of a key $K \in \mathcal{K}$ is always assumed to be independent of the choice of plaintext. The ciphertexts in $\mathcal{C}$ therefore take on various probabilities, determined by the probability distributions on $\mathcal{P}$ and $\mathcal{K}$.

The question we are considering is: if an attacker intercepts a ciphertext $y$, how much information does he or she obtain about the key, and about the plaintext? This is formalized with conditional entropies: $H(K|C)$ is the uncertainty remaining about the key $K$ once the ciphertext $C$ is known, and $H(P|C)$ the uncertainty remaining about the plaintext $P$.

Initially, the uncertainty about the key is $H(K)$ and the uncertainty about the plaintext is $H(P)$; we are investigating how much knowledge of the ciphertext has decreased them. This leads to the definition of perfect secrecy, which is stated in terms of the plaintext.

Definition 3: A cryptosystem has perfect secrecy if knowing a ciphertext reveals nothing about the plaintext, i.e., plaintext and ciphertext are statistically independent:

$H(P|C) = H(P)$ (4)

Equivalently, $P[P = x \mid C = y] = P[P = x]$ for every plaintext $x$ and every ciphertext $y$ that occurs with non-zero probability. Perfect secrecy is expensive: it requires $|\mathcal{K}| \ge |\mathcal{P}|$ and $H(K) \ge H(P)$, so the key must carry at least as much uncertainty as the message it protects.

One-time pads are an example of a cryptographic system with perfect secrecy.

2.1 One-Time Pads

The one-time pad is a cryptosystem developed by Gilbert Vernam and Joseph Mauborgne around 1918. In this cryptosystem, we start by representing the message as a binary string, i.e., a sequence of zeros and ones. This can be done by converting ASCII text to its binary representation, or by digitizing audio and video signals. The key is a uniformly random sequence of zeros and ones of the same length as the message. Encryption consists of XOR-ing the key with the message bit by bit; decryption XORs the same key with the ciphertext, since $x \oplus k \oplus k = x$. Once the key has been used, it is discarded and never used again.

Example 1: Let’s assume that we are trying to encrypt message 00101001 using the one-time pad key 10101100. The ciphertext can then be found as follows:

plaintext   00101001
key         10101100
ciphertext  10000101

Question 1: Why is the key discarded after every use? Because XOR is its own inverse, a single known plaintext/ciphertext pair reveals the key ($k = x \oplus y$), and if that key were reused, every other message encrypted under it would be recovered immediately. Even without any known plaintext, two ciphertexts encrypted under the same key leak the XOR of their plaintexts, $y_1 \oplus y_2 = x_1 \oplus x_2$, which is usually enough to recover both messages from their redundancy. The key is therefore never reused. Because each key is fresh and independent, compromise of one key reveals nothing about the next key to be used, so the remaining traffic stays secure.

Theorem 1. The one-time pad cryptosystem has perfect secrecy.

Proof. Please refer to Trappe and Washington, Section 14.4.
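The following Python example is added to these notes and is not part of the original lecture. It computes the entropies of Definitions 1 and 2 numerically and checks Definition 3 on a tiny one-time pad over 2-bit messages, using a constructed, deliberately skewed plaintext distribution; it then reuses the pad for two independent messages to show that the two-time pad of Question 1 violates perfect secrecy. The distribution, message length and the two helper functions are assumptions of the example.

```python
from itertools import product
from math import log2


def entropy(dist):
    """Shannon entropy H (in bits) of a distribution {outcome: probability}, Eq. (2)."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def conditional_entropy(joint):
    """H(Y|X) from a joint distribution {(x, y): probability}, Eq. (3)."""
    p_x = {}
    for (x, _y), p in joint.items():
        p_x[x] = p_x.get(x, 0.0) + p
    return -sum(p * log2(p / p_x[x]) for (x, _y), p in joint.items() if p > 0)


# Constructed example: 2-bit messages with a skewed distribution, so H(P) = 1.75 bits.
N_BITS = 2
PLAINTEXT_DIST = {0b00: 0.5, 0b01: 0.25, 0b10: 0.125, 0b11: 0.125}


def one_time_pad_joint(pt_dist=PLAINTEXT_DIST, n_bits=N_BITS):
    """Joint distribution of (ciphertext, plaintext) when c = m XOR k, k uniform and fresh."""
    keys = range(1 << n_bits)
    joint = {}
    for m, p_m in pt_dist.items():
        for k in keys:
            joint[(m ^ k, m)] = joint.get((m ^ k, m), 0.0) + p_m / len(keys)
    return joint


def two_time_pad_joint(pt_dist=PLAINTEXT_DIST, n_bits=N_BITS):
    """Joint distribution of ((c1, c2), (m1, m2)) when ONE key k encrypts two messages."""
    keys = range(1 << n_bits)
    joint = {}
    for (m1, p1), (m2, p2) in product(pt_dist.items(), repeat=2):
        for k in keys:
            pair = ((m1 ^ k, m2 ^ k), (m1, m2))
            joint[pair] = joint.get(pair, 0.0) + p1 * p2 / len(keys)
    return joint


def perfect_secrecy_check():
    """Returns (H(P), H(P|C)) for the one-time pad; they are equal, so Eq. (4) holds."""
    return entropy(PLAINTEXT_DIST), conditional_entropy(one_time_pad_joint())


def two_time_pad_check():
    """Returns (H(P1,P2), H(P1,P2|C1,C2)) under key reuse. The second is strictly smaller:
    the attacker learns m1 XOR m2 = c1 XOR c2, so only H(P1,P2) - H(P1 XOR P2) bits remain."""
    joint = two_time_pad_joint()
    pair_dist = {}
    for (_c, m), p in joint.items():
        pair_dist[m] = pair_dist.get(m, 0.0) + p
    return entropy(pair_dist), conditional_entropy(joint)


if __name__ == "__main__":
    print("one-time pad: H(P)=%.3f  H(P|C)=%.3f" % perfect_secrecy_check())
    print("two-time pad: H(P1P2)=%.3f  H(P1P2|C1C2)=%.3f" % two_time_pad_check())
```

Running the script prints $H(P) = H(P|C) = 1.75$ bits for the one-time pad, while under key reuse the conditional entropy drops from $3.5$ to about $1.55$ bits: the ciphertext pair has handed the attacker roughly two bits about the messages, which is exactly the entropy of $x_1 \oplus x_2$.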

A disadvantage of the one-time pad is that it requires a key as long as the message, which is in general expensive to generate (it must be truly random) and to transmit, and which is discarded after a single use. To reduce the cost of key generation and transmission, various approximations to the one-time pad are used. In those methods, a short key is used to generate a long, reasonably random-looking sequence of zeros and ones. One such approximation is the Linear Feedback Shift Register, which we consider next.

3 Block and Stream Cipher

A block cipher is a cryptosystem in which successive plaintext elements are encrypted using the same cryptographic key $K$. That is, the ciphertext string $y$ is obtained as

$y = y_1 y_2 \cdots = e_K(x_1) e_K(x_2) \cdots$ (5)

All of the cryptosystems we have seen thus far (except the one-time pad) are examples of block ciphers, where a plaintext element is either a single alphabetic character (e.g., the Shift and Affine ciphers) or a block of several alphabetic characters (e.g., the Vigenère and Hill ciphers). The alternative to block ciphers are cryptosystems referred to as stream ciphers. The idea of a stream cipher is to generate a keystream $z = z_1 z_2 \ldots$ and then encrypt each successive plaintext element $x_i$ with a different key $z_i$:

$y = y_1 y_2 \cdots = e_{z_1}(x_1) e_{z_2}(x_2) \cdots$

In its simplest form, the keystream is independent of the plaintext and is generated from a single key $K$ using some specified algorithm. This type of stream cipher is called a synchronous stream cipher.

Definition 4: A synchronous stream cipher is a tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{L}, \mathcal{E}, \mathcal{D})$, together with a function $g$, where:

– $\mathcal{P}$ is a finite set of possible plaintexts,
– $\mathcal{C}$ is a finite set of possible ciphertexts,
– $\mathcal{K}$ is a finite set of possible keys (the keyspace),
– $\mathcal{L}$ is a finite set called the keystream alphabet.

The function $g$ is the keystream generator. It takes a key $K$ as input and generates an infinite string $z_1 z_2 \ldots$ called the keystream, where $z_i \in \mathcal{L}$ for all $i \ge 1$. For every $z \in \mathcal{L}$ there is an encryption rule $e_z \in \mathcal{E}$ and a corresponding decryption rule $d_z \in \mathcal{D}$ such that $d_z(e_z(x)) = x$ for every plaintext element $x \in \mathcal{P}$.

Note 1: A block cipher can be viewed as the special case of a synchronous stream cipher in which the keystream is constant, $z_i = K$ for all $i \ge 1$.

Note 2: A stream cipher is a periodic stream cipher with period $d$ if for all integers $i \ge 1$ it holds that:

$z_{i+d} = z_i$ (6)

3.1 Generating a Keystream: Linear Feedback Shift Register (LFSR)

Let’s assume we are encrypting a plaintext represented over the binary alphabet. A keystream can be generated using a linear recurrence of some degree $m$:

$z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2$ (7)

where $c_0, c_1, \ldots, c_{m-1} \in \{0, 1\}$ are pre-specified linear weights (the recurrence is part of the design and is normally public). To generate the keystream $z$, we need to initialize its first $m$ values $(z_1, \ldots, z_m)$; this initialization vector is the key from which the stream is generated. The initialization should not consist entirely of zeros, since that produces the all-zero keystream and the ciphertext would equal the plaintext. For any other initialization the keystream is periodic. The maximum possible period is $2^m - 1$ (every non-zero state of the $m$-bit register visited once). It is attained for every non-zero initialization exactly when the connection polynomial $x^m + c_{m-1} x^{m-1} + \cdots + c_1 x + c_0$ is primitive over $GF(2)$; for other choices of the $c_j$ the period is shorter and may depend on the initialization.

Example 2: Let $m = 4$, and let the keystream be generated using the linear recurrence

$z_{i+4} = (z_i + z_{i+1}) \bmod 2, \quad i \ge 1$

i.e., $c_0 = c_1 = 1$ and $c_2 = c_3 = 0$. With the initialization vector $(z_1, z_2, z_3, z_4) = (1, 0, 0, 0)$ the keystream is

$1\,0\,0\,0\,1\,0\,0\,1\,1\,0\,1\,0\,1\,1\,1\;\;1\,0\,0\,0\,\ldots$

which is periodic with period 15, the maximum for $m = 4$ (the connection polynomial $x^4 + x + 1$ is primitive).

An appealing aspect of this key generation method is that the keystream can be produced very efficiently in hardware, using a linear feedback shift register (LFSR) [1]. Unfortunately, the method is very susceptible to a known-plaintext attack. If an attacker knows $2m$ consecutive bits of plaintext along with the corresponding bits of ciphertext, XOR-ing them yields $2m$ consecutive keystream bits $z_1, \ldots, z_{2m}$. The $m$ relations $z_{i+m} = \sum_j c_j z_{i+j}$ for $i = 1, \ldots, m$ then form a linear system over $GF(2)$ in the $m$ unknowns $c_0, \ldots, c_{m-1}$, which is solved by Gaussian elimination whenever its $m \times m$ coefficient matrix is invertible. With the $c_j$ recovered and the first $m$ keystream bits in hand, the attacker computes all subsequent keystream bits and decrypts the rest of the message. Linearity is the root cause: the keystream depends linearly on its own past, so a handful of observations pin it down completely. Let’s therefore turn our attention to commonly used block ciphers, such as DES and AES.
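The following Python example is added to these notes and is not part of the original lecture. It implements the recurrence of Eq. (7), measures the period of the register from Example 2, and carries out the known-plaintext attack described above: from $2m$ known plaintext bits it recovers the coefficients $c_j$ by Gaussian elimination over $GF(2)$ and then decrypts the whole message. The message and the function names are assumptions of the example.

```python
def lfsr_keystream(init, coeffs, length):
    """Keystream bits from Eq. (7): z_{i+m} = sum_{j<m} c_j z_{i+j} mod 2, starting from init."""
    m = len(init)
    z = list(init)
    while len(z) < length:
        z.append(sum(c & b for c, b in zip(coeffs, z[-m:])) & 1)
    return z[:length]


def lfsr_period(init, coeffs):
    """Length of the cycle of register states reached from init (at most 2^m - 1)."""
    state, steps, seen = tuple(init), 0, {}
    while state not in seen:
        seen[state] = steps
        nxt = sum(c & b for c, b in zip(coeffs, state)) & 1
        state, steps = state[1:] + (nxt,), steps + 1
    return steps - seen[state]


def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2): solution of A c = b, or None if A is singular."""
    n = len(rows)
    aug = [row[:] + [bit] for row, bit in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def recover_lfsr(keystream, m):
    """Known-plaintext attack: 2m consecutive keystream bits give m linear equations in c_0..c_{m-1}."""
    if len(keystream) < 2 * m:
        raise ValueError("need at least 2m keystream bits")
    rows = [keystream[i:i + m] for i in range(m)]   # row i holds (z_{i+1}, ..., z_{i+m})
    rhs = [keystream[i + m] for i in range(m)]      # and must produce z_{i+m+1}
    coeffs = solve_gf2(rows, rhs)
    if coeffs is None:
        raise ValueError("singular system: use a different window of 2m bits")
    return keystream[:m], coeffs


def known_plaintext_attack(plaintext_bits, ciphertext_bits, m):
    """Given the first 2m plaintext bits and the whole ciphertext, recover the coefficients
    and decrypt everything (the attacker is assumed to know m, the register length)."""
    leaked = [p ^ c for p, c in zip(plaintext_bits[:2 * m], ciphertext_bits[:2 * m])]
    init, coeffs = recover_lfsr(leaked, m)
    keystream = lfsr_keystream(init, coeffs, len(ciphertext_bits))
    return coeffs, [c ^ k for c, k in zip(ciphertext_bits, keystream)]


def demo():
    """Example 2's register (m = 4, z_{i+4} = z_i + z_{i+1}) encrypting a constructed message;
    the attacker knows only the first byte of plaintext (8 = 2m bits)."""
    init, coeffs = [1, 0, 0, 0], [1, 1, 0, 0]
    message = "attack at dawn"
    bits = [(byte >> (7 - i)) & 1 for byte in message.encode() for i in range(8)]
    cipher = [p ^ k for p, k in zip(bits, lfsr_keystream(init, coeffs, len(bits)))]
    found, recovered = known_plaintext_attack(bits, cipher, len(init))
    text = bytes(int("".join(map(str, recovered[i:i + 8])), 2) for i in range(0, len(recovered), 8))
    return found, text.decode()
```

`demo()` returns the recovered coefficients `[1, 1, 0, 0]` and the full plaintext, having seen eight plaintext bits out of 112. Note that the same register with $c = (1, 0, 0, 0)$ (connection polynomial $x^4 + 1$, not primitive) has period only 4 from the same start state, which is the dependence on the feedback polynomial discussed above.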

4 Data Encryption Standard (DES)

The Data Encryption Standard (DES) was designed at IBM and adopted as a U.S. federal standard by the National Bureau of Standards (the predecessor of NIST) in 1977. DES takes as input a 64-bit plaintext and a 56-bit key, and gives as output a 64-bit ciphertext. Hence, the plaintext space $\mathcal{P}$ and the ciphertext space $\mathcal{C}$ both consist of all 64-bit strings; formally, $\mathcal{P} = \mathcal{C} = \{0, 1\}^{64}$. The set of possible keys $\mathcal{K}$ is the set of all 56-bit strings, $\mathcal{K} = \{0, 1\}^{56}$ (DES keys are usually written as 64 bits, of which 8 are parity bits that contribute nothing to security).

4.1 Encryption in DES

DES encryption consists of the following three steps:

– Initial permutation,
– Iterated round function, and
– Final permutation,

which are illustrated in Figure 1. The encryption takes a plaintext string $x$ and a key $K$ as inputs, and gives as output a ciphertext $y$.

[Figure 1: block diagram of DES encryption. The plaintext passes through the initial permutation (IP) to give $(L_0, R_0)$; round $i$, $i = 1, \ldots, 16$, computes $(L_i, R_i) = F(L_{i-1}, R_{i-1}, K_i)$ using the round key $K_i$ derived from the key; $(L_{16}, R_{16})$ passes through the inverse IP to give the ciphertext.]

Fig. 1. Block diagram of DES encryption.

1. Initial permutation: The initial permutation is applied to the plaintext $x$. This step reorders the bits of the plaintext, and its output is a 64-bit string written as $(L_0, R_0)$, where $L_0$ and $R_0$ are the left and right 32 bits, respectively. The initial permutation is fixed and is specified by the design of DES. It was chosen by the designers to make DES easier to implement in hardware; it adds no cryptographic strength.
2. Iterated round function: This step consists of 16 rounds. For each $i = 1, 2, \ldots, 16$, the inputs to the round are the left and right bit strings $L_{i-1}$ and $R_{i-1}$ and the 48-bit round key $K_i$. The round keys are produced by the key schedule: the first round key $K_1$ is computed from the key $K$, and every other round key $K_i$ is computed as a function of the previous round key $K_{i-1}$ for $i = 2, \ldots, 16$. The output of the round is $(L_i, R_i)$, and the procedure for computing $(L_i, R_i)$ is described in detail below.
3. Final permutation: The final permutation is applied to the output of the 16th round, $(L_{16}, R_{16})$, to obtain the ciphertext. The final permutation is fixed and is the inverse of the initial permutation.

Computation of each round of DES encryption. The $i$-th round of DES takes as input $(L_{i-1}, R_{i-1})$ and the round key $K_i$, and gives output $(L_i, R_i)$, where

$L_i = R_{i-1}$

$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$

Here, $\oplus$ denotes bitwise XOR (e.g., $0 \oplus 0 = 0$, $1 \oplus 1 = 0$, and $0 \oplus 1 = 1 \oplus 0 = 1$). The function $f$ maps the 32-bit right half and the 48-bit round key to 32 bits: it expands $R_{i-1}$ to 48 bits, XORs the result with $K_i$, passes the 48 bits through eight 6-to-4-bit substitution boxes (the “S-boxes”), and finally permutes the 32 output bits. The S-boxes are the only non-linear component of DES; they “randomize” the combination of the right block and the round key. Note that $f$ need not be invertible for the cipher to be invertible: the structure above (a Feistel network) is reversed by recomputing $f(R_{i-1}, K_i)$ from the known value $L_i = R_{i-1}$. This computation is illustrated in Figure 2.

[Figure 2: one DES encryption round. $R_{i-1}$ and the round key $K_i$ feed $f$; its output is XORed with $L_{i-1}$ to give $R_i$, while $L_i$ is a copy of $R_{i-1}$.]

Fig. 2. Block diagram of one round of DES encryption.

The goal of the 16 rounds of DES is to randomize the original plaintext $x$. At each round the two halves are swapped, and $f(R_{i-1}, K_i)$ is XORed into the former left half to further randomize it. Since $f$ is computed using the round key, which is unknown to the adversary, the output of each round is unpredictable to the adversary.

4.2 Decryption in DES

Decryption in DES has the same basic structure as encryption and is accomplished via three steps, namely, Initial permutation, Iterated round function, and Final permutation.

1. Initial permutation: The inverse of the final permutation (that is, the initial permutation itself) is applied to the ciphertext, in order to obtain $(L_{16}, R_{16})$.
2. Iterated round function: For $i = 16, 15, \ldots, 1$, $(L_{i-1}, R_{i-1})$ is computed from $(L_i, R_i)$ as

$R_{i-1} = L_i$

$L_{i-1} = R_i \oplus f(L_i, K_i)$

so the rounds are undone in reverse order, with the round keys applied in the order $K_{16}, K_{15}, \ldots, K_1$. After the 16 rounds, $(L_0, R_0)$ is obtained. The derivation of the decryption rule at each round is given below.
3. Final permutation: The inverse of the initial permutation is applied to $(L_0, R_0)$, resulting in the plaintext.

Computation of each round of DES decryption. At round $i$ of DES decryption, we are given $(L_i, R_i)$ and need to compute $(L_{i-1}, R_{i-1})$. From the encryption rule, $(L_{i-1}, R_{i-1})$ and $(L_i, R_i)$ are related by

$L_i = R_{i-1}$ (8)

$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$ (9)

We then have

$L_i = R_{i-1} \;\Rightarrow\; R_{i-1} = L_i$ (10)

$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$ (11)

$\Rightarrow\; L_{i-1} = R_i \oplus f(R_{i-1}, K_i)$ (12)

$\phantom{\Rightarrow\; L_{i-1}} = R_i \oplus f(L_i, K_i)$ (13)

Eq. (12) follows by XOR-ing both sides of (11) with $f(R_{i-1}, K_i)$, using the fact that $a \oplus a = 0$ for any bit string $a$. Substituting Eq. (10) into Eq. (12) yields Eq. (13). Because $f$ is evaluated on $L_i$, which the decryptor already knows, the inversion never requires inverting $f$ itself.

[Figure 3: one DES decryption round. $L_i$ and the round key $K_i$ feed $f$; its output is XORed with $R_i$ to give $L_{i-1}$, while $R_{i-1}$ is a copy of $L_i$.]

Fig. 3. Block diagram of one round of DES decryption.

Security of DES. The main security drawback of DES is the use of a 56-bit key. A brute-force search over the $2^{56}$ possible keys is feasible with existing hardware: customized hardware (the EFF’s “Deep Crack” machine) recovered a DES key in about 56 hours in 1998, and current FPGA clusters and GPUs do so in hours. NIST withdrew DES as a standard in 2005. A symmetric-key cryptosystem with a longer key was therefore needed, which motivated Triple DES as an interim measure and the Advanced Encryption Standard discussed below.

4.3 Triple DES

DES uses a 56-bit key. Since exhaustive search over $2^{56}$ possible keys is within the limits of modern computing power, a modification of DES, denoted Triple DES, was designed to increase the size of the key space while maintaining the basic functionality of DES. Like DES, Triple DES has plaintext space $\mathcal{P} = \{0, 1\}^{64}$ and ciphertext space $\mathcal{C} = \{0, 1\}^{64}$. The main difference is that Triple DES uses three keys, $K_A$, $K_B$ and $K_C$. To encrypt with Triple DES, the ciphertext $Y$ is given by

$Y = E_{K_C}(D_{K_B}(E_{K_A}(x)))$

This encryption is illustrated in Figure 4. Note that the middle operation is DES decryption using the key $K_B$ (the “EDE” construction): with $K_A = K_B = K_C$ the first two operations cancel and Triple DES reduces to single DES, which keeps Triple DES hardware backward compatible with DES.

[Figure 4: Triple DES encryption. $x \to E_{K_A} \to D_{K_B} \to E_{K_C} \to Y$.]

Fig. 4. Triple DES encryption.

In order to decrypt a ciphertext $Y$ that was encrypted using Triple DES, the plaintext is given by

$x = D_{K_A}(E_{K_B}(D_{K_C}(Y)))$

Depending on the key length, different relationships between the keys $K_A$, $K_B$ and $K_C$ have been prescribed, as shown in Table 1. Triple DES greatly increases the workload of an attacker attempting exhaustive search. Note, however, that the effective security is lower than the nominal key length suggests: a meet-in-the-middle attack reduces three-key Triple DES (168-bit key) to roughly $2^{112}$ work, and Triple DES retains the 64-bit block size of DES, which limits how much data may safely be encrypted under one key in the chained modes of Section 6.

Table 1. Relationship between Triple DES keys based on the key length.

Key length   Relationship between keys
56 bits      $K_A = K_B = K_C$ (equivalent to single DES)
112 bits     $K_A = K_C$, $K_B$ independent of $K_A$ and $K_C$
168 bits     $K_A$, $K_B$ and $K_C$ independent of each other

5 Advanced Encryption Standard

The Advanced Encryption Standard (AES) is a symmetric-key cipher selected by the National Institute of Standard and Technology (NIST) in 2007. AES is based on the Rijndael cipher designed by Joan Daemen and Vincent Rijmen. AES has a fixed block size of 128 bits and three different key sizes, namely 128, 192, and 256 bits. Like DES, AES is an iterated block cipher, but its design principle is based on a substitution- permutation network. The cipher has a algorithm which takes a key of length 128 (or 192, 256) and generates round keys of length 128 bits for each round.

5.1 AES Encryption Algorithm

We describe AES with 128-bit block size and a key size of 128 bits, so that $\mathcal{P} = \{0, 1\}^{128}$, $\mathcal{C} = \{0, 1\}^{128}$ and $\mathcal{K} = \{0, 1\}^{128}$. A plaintext of 128 bits is divided into bytes, $m = m_0 m_1 \ldots m_{15}$, and the block is arranged as a $4 \times 4$ matrix of bytes called the state:

$\text{State} = \begin{pmatrix} m_0 & m_1 & m_2 & m_3 \\ m_4 & m_5 & m_6 & m_7 \\ m_8 & m_9 & m_{10} & m_{11} \\ m_{12} & m_{13} & m_{14} & m_{15} \end{pmatrix}$

(This is the row-wise layout used in these notes. FIPS 197 fills the state column by column, so that $m_0, m_1, m_2, m_3$ form the first column; the two conventions are transposes of each other, and the descriptions of ShiftRows and MixColumns below refer to the rows and columns of the FIPS 197 layout.) The entries of the matrix are treated as elements of $GF(2^8)$, the Galois field with $2^8$ elements. Like DES, AES consists of multiple rounds. The input to the first round is the plaintext and the output of the final round is the ciphertext. The number of rounds $N_r$ depends on the length of the key: for key lengths 128, 192 and 256 bits, $N_r = 10, 12$ and $14$, respectively. Each round of AES is composed of four transformations, namely:

– SubBytes,
– ShiftRows,
– MixColumns, and
– AddRoundKey.

We briefly describe these transformations below.

1. SubBytes: A non-linear substitution layer in which each byte of the state is replaced using a fixed 8-bit substitution box (the S-box: the multiplicative inverse in $GF(2^8)$ followed by an affine map). It is usually implemented as a 256-entry look-up table.
2. ShiftRows: The rows of the state are cyclically shifted to the left. The first row is unchanged; the bytes of the second, third and fourth rows are shifted by one, two and three positions, respectively.
3. MixColumns: This transformation operates on each column of the state. A column is regarded as a polynomial of degree at most 3 over $GF(2^8)$ and multiplied, modulo $x^4 + 1$, by the fixed polynomial $c(x) = \{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\}$. Together with ShiftRows it spreads every input byte over the whole block within two rounds.
4. AddRoundKey: The round key is added to the state by bitwise XOR. The round keys are obtained from the key schedule, described in Section 3.5.3 of Kaufman, Perlman and Speciner; the round keys are different for different rounds.

The cipher begins with an AddRoundKey using the first round key before round 1, and the final round omits MixColumns. All round transformations are invertible, which is what makes decryption possible.

[Figure 5: AES round function transitions. State $(m_{i,j})$ $\xrightarrow{\text{SubBytes}}$ $(a_{i,j})$ $\xrightarrow{\text{ShiftRows}}$ $(b_{i,j})$ $\xrightarrow{\text{MixColumns}}$ $(c_{i,j})$ $\xrightarrow{\text{AddRoundKey}}$ $(d_{i,j})$.]

Fig. 5. AES round function transitions.
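The following Python example is added to these notes and is not part of the original lecture or of any AES library. It implements $GF(2^8)$ multiplication with the AES polynomial, the FIPS 197 column-major state layout, ShiftRows, MixColumns and AddRoundKey together with their inverses, and composes them into one round without SubBytes (the 256-entry S-box table is not reproduced here, so this is the linear part of a round, not a full AES round). The test vectors in the usage note are from FIPS 197; all function names are assumptions of the example.

```python
from functools import reduce
from operator import xor


def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B), the AES field."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce x^8 by the field polynomial
        b >>= 1
    return product


# MixColumns multiplies a column by c(x) = {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1,
# which is the circulant matrix MIX; INV_MIX is the matrix of c(x)^{-1} = {0b}x^3 + {0d}x^2 + {09}x + {0e}.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col, matrix=MIX):
    """Apply MixColumns (or InvMixColumns with matrix=INV_MIX) to one 4-byte column."""
    return [reduce(xor, (gf_mul(coef, byte) for coef, byte in zip(row, col))) for row in matrix]


def bytes_to_state(block):
    """FIPS 197 layout: state[r][c] = block[r + 4c], i.e. the bytes fill the 4x4 matrix column by column."""
    if len(block) != 16:
        raise ValueError("AES block must be 16 bytes")
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def state_to_bytes(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))


def shift_rows(state, inverse=False):
    """Row r is rotated left by r positions (right by r for the inverse); row 0 is unchanged."""
    out = []
    for r, row in enumerate(state):
        k = (-r if inverse else r) % 4
        out.append(row[k:] + row[:k])
    return out


def mix_columns(state, inverse=False):
    matrix = INV_MIX if inverse else MIX
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state, round_key):
    """XOR a 16-byte round key, laid out as a state, into the state; it is its own inverse."""
    rk = bytes_to_state(round_key)
    return [[state[r][c] ^ rk[r][c] for c in range(4)] for r in range(4)]


def linear_round(block, round_key):
    """ShiftRows -> MixColumns -> AddRoundKey on a 16-byte block (SubBytes omitted)."""
    return state_to_bytes(add_round_key(mix_columns(shift_rows(bytes_to_state(block))), round_key))


def inverse_linear_round(block, round_key):
    """Undo linear_round: AddRoundKey, then InvMixColumns, then InvShiftRows."""
    s = add_round_key(bytes_to_state(block), round_key)
    return state_to_bytes(shift_rows(mix_columns(s, inverse=True), inverse=True))
```

`gf_mul(0x57, 0x83)` returns `0xC1` and `mix_column([0xD4, 0xBF, 0x5D, 0x30])` returns `[0x04, 0x66, 0x81, 0xE5]`, both of which are the worked examples in FIPS 197, and `inverse_linear_round(linear_round(b, k), k)` returns `b` for any block, which is the invertibility the text relies on for decryption.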

5.2 AES Decryption Algorithm

The decryption function of AES applies the inverse transformations in reverse order: InvShiftRows, InvSubBytes, AddRoundKey (which is its own inverse, since XOR-ing the same round key twice cancels) and InvMixColumns, with the round keys used in reverse order.

6 Encrypting Large Plaintext: Modes of Operation

Thus far, we have considered the encryption of plaintexts of one specific length (64 bits for DES, 128 bits for AES). In practice, however, plaintexts are typically (much) larger than 128 bits. In order to encrypt larger plaintexts without increasing the size of the key, while still providing the security guarantees of DES and/or AES, the plaintext is broken into blocks of equal size (64 bits if DES is to be used, 128 bits if AES is to be used), and the ciphertext is generated by applying the block cipher to the individual blocks. There are many ways of combining the per-block operations into a ciphertext for the whole message; these methods are called modes of operation.

6.1 Electronic Code Book (ECB) mode

Electronic Code Book (ECB) is the most straightforward approach to encrypting a large plaintext. ECB divides the plaintext $x$ into $m$ blocks, each consisting of $n$ bits. If the plaintext length $L$ is not a multiple of $n$, then ECB pads the plaintext with $n - (L \bmod n)$ bits according to a pre-specified rule. We denote the blocks as $x_1, \ldots, x_m$. The block size $n$ depends on the cryptosystem that is used: 64 bits for DES and 128 bits for AES. In ECB, the encryption function $E_K(\cdot)$ is applied to each block separately, $Y_i = E_K(x_i)$ for $i = 1, \ldots, m$, and the ciphertext $Y$ corresponding to plaintext $x$ is the concatenation of the blocks, $Y = Y_1 \| Y_2 \| \cdots \| Y_m$. Hence, under ECB, the plaintext is divided into $m$ blocks, each block is encrypted separately using the key $K$, and the ciphertext is formed by concatenating the results. To decrypt, divide the ciphertext into $m$ blocks, $Y = Y_1 \| \cdots \| Y_m$, decrypt each ciphertext block to obtain $x_i = D_K(Y_i)$, and remove the padding; the plaintext is $x = x_1 \| \cdots \| x_m$. ECB is illustrated in Figure 6.

Problems with ECB mode: While ECB is straightforward to compute, it leaks information about the plaintext to an attacker who knows the block size (a reasonable assumption, since the block size is defined by the standard). In particular, if two plaintext blocks are the same, $x_i = x_j$ for some $i \ne j$, then the corresponding ciphertext blocks are the same, since $Y_i = E_K(x_i) = E_K(x_j) = Y_j$. Patterns in the plaintext (repeated records, long runs of identical bytes, the structure of an image) therefore show through in the ciphertext, and an attacker can also cut, reorder or splice ciphertext blocks without knowing the key. Ensuring that repeated plaintext blocks do not produce repeated ciphertext blocks is a desirable property of a mode of operation. Two such modes, CBC and Counter, are described below.

6.2 Cipher Block Chaining (CBC) mode

[Figure 6: ECB mode encryption. Each plaintext block $x_1, \ldots, x_5$ is encrypted independently under $K$ to give $Y_1, \ldots, Y_5$.]

Fig. 6. ECB mode for encryption

CBC mode was created to address the security flaw in ECB, namely that two identical plaintext blocks yield identical ciphertext blocks. CBC avoids this problem by introducing dependencies between the blocks of ciphertext, so that each ciphertext block is an input to the encryption of the next plaintext block. Hence, even if two plaintext blocks are identical, the corresponding ciphertext blocks differ whenever the preceding ciphertext blocks differ. We formalize the definition and argument as follows.

Encryption in CBC mode. Encryption in CBC mode is illustrated in Figure 7. As in ECB, the plaintext $x$ is divided into $m$ blocks of size $n$, denoted $x_1, \ldots, x_m$. If the plaintext length $L$ is not a multiple of $n$, then CBC pads the plaintext with $n - (L \bmod n)$ bits according to a pre-specified padding rule. The first step is to generate an initialization vector $IV$ of $n$ bits uniformly at random. Writing $Y_0 = IV$, the ciphertext blocks are

$Y_i = E_K(Y_{i-1} \oplus x_i), \quad i = 1, \ldots, m$

so that the encryption of the first block is $E_K(x_1 \oplus IV)$. Each ciphertext block is thus obtained by XOR-ing the previous ciphertext block with the current plaintext block and encrypting the result under $K$; encryption is inherently sequential. The output is the ciphertext $Y = Y_1 \| \cdots \| Y_m$ together with $IV$, which need not be kept secret.

[Figure 7: CBC encryption. $IV$ is XORed into $x_1$; each $x_i$ for $i = 2, \ldots, 7$ is XORed with $Y_{i-1}$; each XOR result is encrypted with the secret key to give $Y_i$.]

Fig. 7. CBC encryption

Remarks on CBC mode encryption. We observe that even if $x_i = x_j$ for some $i \ne j$, we have $Y_i \ne Y_j$ unless $Y_{i-1} = Y_{j-1}$, which is unlikely if the cipher is well designed: for $n$-bit blocks, a collision among $m$ ciphertext blocks has probability roughly $m^2 / 2^{n+1}$, which is also why a 64-bit block size bounds the amount of data that should be encrypted under one key. We remark briefly on the role of the initialization vector $IV$. In some implementations of CBC, $IV$ is chosen to be a fixed value, or set to 0. This shortens the transmitted message, since the $IV$ no longer needs to be sent with the ciphertext. On the other hand, if the same $IV$ is used to encrypt every message, then encrypting the same plaintext twice with the same key yields the same ciphertext, and two messages sharing a common prefix yield ciphertexts sharing the corresponding prefix. This allows an eavesdropper to infer that the same (or a related) message was sent twice. Choosing a fresh $IV$ for each encryption ensures that the ciphertexts differ even when the key and plaintext are the same; for security against chosen-plaintext attacks the $IV$ must moreover be unpredictable to the attacker, not merely unique, which is why it is generated at random.

Decryption in CBC mode. Decryption in CBC mode mirrors encryption. Each ciphertext block $Y_i$ is decrypted with $D_K$ and XORed with the previous ciphertext block $Y_{i-1}$ (with $Y_0 = IV$):

$x_i = D_K(Y_i) \oplus Y_{i-1}, \quad i = 1, \ldots, m$

Unlike encryption, decryption can be parallelized, since every $x_i$ depends only on $Y_i$ and $Y_{i-1}$. A corrupted ciphertext block $Y_i$ garbles $x_i$ entirely and flips the corresponding bits of $x_{i+1}$, after which decryption resynchronizes.

[Figure 8: CBC decryption. Each ciphertext block is decrypted with the secret key and XORed with the previous ciphertext block ($IV$ for the first) to recover the plaintext block.]

Fig. 8. CBC decryption

6.3 Counter (CTR) mode

Counter mode provides an alternative approach to encrypting blocks of text, while still avoiding the problem of identical plaintext blocks yielding identical ciphertext blocks. Counter mode encryption is described as follows.

Encryption in CTR mode. As in the ECB and CBC modes, the plaintext $x$ is divided into $m$ blocks, denoted $x_1, \ldots, x_m$, each consisting of $n$ bits. These notes describe the last block as padded with $n - (L \bmod n)$ bits when the plaintext length $L$ is not a multiple of $n$; in practice CTR mode needs no padding, because the keystream block can simply be truncated to the length of a short final block. First, a string $IV$ of $n$ bits is generated uniformly at random. For each block of plaintext $x_i$, the corresponding ciphertext is given by

$Y_i = E_K(IV + i - 1) \oplus x_i, \quad i = 1, \ldots, m$

where ‘$+$’ denotes addition modulo $2^n$. CTR mode encryption is illustrated in Figure 9.

[Figure 9: Counter mode encryption. The counter blocks $IV, IV+1, \ldots, IV+4$ are each encrypted under $K$, and the outputs are XORed with $x_1, \ldots, x_5$ to give $Y_1, \ldots, Y_5$.]

Fig. 9. Counter mode for encryption

Encryption in CTR mode can be interpreted as generating a different pseudorandom string $E_K(IV + i - 1)$ for each plaintext block and XOR-ing the plaintext with it, i.e., as a synchronous stream cipher whose keystream generator is the block cipher applied to a counter. The resulting ciphertext appears random and uncorrelated with the original plaintext. As in CBC mode, both the ciphertext $Y$ and the $IV$ are sent to the receiver. Since CTR is a stream cipher, the one-time pad rule of Section 2.1 applies: a counter block must never be encrypted twice under the same key, because $Y_i \oplus Y'_j = x_i \oplus x'_j$ whenever two blocks share a counter value, so the $IV$ values of successive messages must be chosen so that their counter ranges do not overlap.

Decryption in CTR mode. In CTR mode, each ciphertext block $Y_i$ is decrypted by first computing $E_K(IV + i - 1)$; the plaintext block is then $x_i = Y_i \oplus E_K(IV + i - 1)$. Only the encryption direction of the block cipher is ever used.

In CTR mode, each block can be decrypted using knowledge of $IV$ without decrypting any other blocks. This provides an advantage in applications where blocks arrive or are accessed out of order, since each block can be decrypted without waiting for the others, and both encryption and decryption can be parallelized. Note that neither CTR nor CBC provides integrity: an attacker who flips a bit of $Y_i$ in CTR mode flips the same bit of $x_i$, so a message authentication code must be added when tampering matters (CCMP in Table 2 does exactly that by pairing CTR with CBC-MAC).

[Figure 10: Counter mode decryption. The counter blocks $IV, IV+1, \ldots, IV+4$ are encrypted under $K$ and XORed with $Y_1, \ldots, Y_5$ to recover $x_1, \ldots, x_5$.]

Fig. 10. Counter mode for decryption
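The following Python example is added to these notes and is not part of the original lecture. It implements the Feistel round equations of Sections 4.1 and 4.2 as a toy 64-bit block cipher (the round function and key schedule are assumed SHA-256-based stand-ins, not DES’s $f$ and PC-1/PC-2, and IP/IP$^{-1}$ are omitted), and then builds ECB, CBC and CTR modes on top of it exactly as defined in this section, so that the ECB leak, the effect of $IV$ reuse in CBC and of counter reuse in CTR can be observed on a constructed message. The key, message and padding rule are assumptions of the example.

```python
import hashlib
import os

BLOCK = 8                    # 64-bit blocks, as in DES
HALF = 32
MASK = (1 << HALF) - 1


def toy_f(right, round_key):
    """Assumed stand-in for DES's f (expansion, key mixing, S-boxes, P): SHA-256 truncated to 32 bits.
    It is not invertible, which is fine: the Feistel structure never needs f^{-1}."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + round_key).digest()
    return int.from_bytes(digest[:4], "big")


def round_keys(key, rounds=16):
    """Assumed key schedule (not DES's): K_i = SHA-256(key || i) truncated to 48 bits."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(1, rounds + 1)]


def encrypt_block(key, block):
    """16 rounds of L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    x = int.from_bytes(block, "big")
    left, right = x >> HALF, x & MASK
    for k in round_keys(key):
        left, right = right, left ^ toy_f(right, k)
    return ((left << HALF) | right).to_bytes(BLOCK, "big")


def decrypt_block(key, block):
    """Same rounds with keys reversed: R_{i-1} = L_i, L_{i-1} = R_i XOR f(L_i, K_i), Eqs. (10)-(13)."""
    x = int.from_bytes(block, "big")
    left, right = x >> HALF, x & MASK
    for k in reversed(round_keys(key)):
        left, right = right ^ toy_f(left, k), left
    return ((left << HALF) | right).to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(data):
    """Pre-specified padding rule (PKCS#7 style): append n copies of the byte n, 1 <= n <= BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, b) for b in blocks(pad(pt)))       # Y_i = E_K(x_i)


def ecb_decrypt(key, ct):
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))


def cbc_encrypt(key, pt, iv):
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = encrypt_block(key, xor(prev, b))                          # Y_i = E_K(Y_{i-1} XOR x_i)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, ct, iv):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(prev, decrypt_block(key, b)))                     # x_i = D_K(Y_i) XOR Y_{i-1}
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(key, data, iv):
    """Y_i = E_K(IV + i - 1) XOR x_i; the same call decrypts, and no padding is needed."""
    counter = int.from_bytes(iv, "big")
    out = []
    for i, b in enumerate(blocks(data)):
        ctr_block = ((counter + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(xor(encrypt_block(key, ctr_block), b))                # keystream truncated to len(b)
    return b"".join(out)


def has_repeated_block(ct):
    return len(set(blocks(ct))) < len(blocks(ct))


def demo(iv=None):
    """Constructed message with three identical blocks, so ECB's repetition is visible."""
    key = bytes.fromhex("133457799bbcdff1")                              # constructed 64-bit key
    iv = iv or os.urandom(BLOCK)
    pt = b"ATTACK!!" * 3 + b"AT DAWN."
    pt2 = b"RETREAT!" * 3 + b"AT DUSK."
    ecb, cbc, ctr = ecb_encrypt(key, pt), cbc_encrypt(key, pt, iv), ctr_crypt(key, pt, iv)
    return {
        "roundtrip": ecb_decrypt(key, ecb) == pt and cbc_decrypt(key, cbc, iv) == pt
                     and ctr_crypt(key, ctr, iv) == pt,
        "ecb_repeats": has_repeated_block(ecb),
        "cbc_repeats": has_repeated_block(cbc),
        "ctr_repeats": has_repeated_block(ctr),
        "cbc_same_iv_same_ct": cbc_encrypt(key, pt, iv) == cbc,          # IV reuse: equal messages collide
        "ctr_reuse_leaks_xor": xor(ctr, ctr_crypt(key, pt2, iv)) == xor(pt, pt2),   # two-time pad
    }
```

`demo()` returns `ecb_repeats` true and `cbc_repeats`/`ctr_repeats` false for the same plaintext, shows that re-encrypting under the same $IV$ in CBC gives the identical ciphertext, and that two CTR messages sharing a counter range leak $x \oplus x'$ just as a reused one-time pad does; none of this depends on the toy cipher being weak, only on how the modes chain the blocks.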

Table 2. Applications of Triple DES, AES and the modes of operation in real systems.

Primitive    Use in real systems
Triple DES   Electronic payment industry, Windows OS
AES          SSL/TLS, wireless sensor networks (IEEE 802.15.4), ZigBee, CCMP
CBC mode     SSL/TLS, wireless sensor networks (IEEE 802.15.4), ZigBee
CTR mode     CCMP (WPA2), IPsec, TLS 1.2, wireless sensor networks

Sources for Today’s Lecture:

1. Douglas R. Stinson, Cryptography: Theory and Practice, 3rd edition. CRC Press, 2005, pp. 21–26, 37–39, 45–54 and 73–114.
2. Wade Trappe and Lawrence C. Washington, Introduction to Cryptography with Coding Theory. Prentice Hall, 2002, pp. 38–49, 97–123, 127–136 and 250–260.
3. Charlie Kaufman, Radia Perlman and Mike Speciner, Network Security: Private Communication in a Public World, 2nd edition. Prentice Hall, 2002, pp. 59–74, 81–92 and 95–105.
