Traditional

Symmetric-Key Ciphers
Dr. Bimal Kumar Meher
Associate Professor, Dept. of CSE
Silicon Institute of Technology
Symmetric Key Cipher Model
Symmetric Key Cipher Model (Contd…)
If P is the plaintext, C is the cipher text, and K is the key,
Then we represent the encryption done by Alice as:

Similarly, for a given C , and shared key K, we represent

the decryption done by Bob as:
 Kerckhoff’s Principle

• Always assume that the adversary Eve,

knows the encryption/decryption algorithm.
• So, the resistance of the cipher must be based
only on the secrecy of the key.
 Cryptography vs Cryptanalysis

As cryptography is the science and art of creating

secret codes, cryptanalysis is the science and art of
breaking the codes.
 Cryptanalysis
Cipher-text only attack (COA):
Here, the attacker is assumed to have access only to
a set of ciphertexts. No knowledge of plain text. Ex. WEP
Known plaintext attack (KPA):
Here, the attacker has a set of ciphertexts to which he
knows the corresponding plaintext. Ex. Caesar Cipher.
Chosen plaintext attack (CPA):
Here, the attacker can obtain the ciphertexts for arbitrary
plaintexts he chooses. Ex. Enigma Cipher, Caesar Cipher
Chosen ciphertext attack (CCA):
Here, the attacker can obtain the plaintexts corresponding
to an arbitrary set of ciphertexts he chooses. Ex. ElGamal
SUBSTITUTION CIPHERS
• It is an encryption technique which
replaces/substitutes one symbol of the plain
text with another symbol.
• There are 3 types of Substitution ciphers :
• Additive cipher
• Multiplicative cipher
• Affine cipher
• Also we can classify this technique as:
• Monoalphabetic Substitution cipher
• Polyalphabetic Substitution cipher
 Monoalphabetic vs Polyalphabetic

Note
• In monoalphabetic substitution, the relationship
between a symbol in the plaintext to a symbol
in the ciphertext is always one-to-one.

• But in polyalphabetic substitution, that

relationship is one-to-many.
 Monoalphabetic vs Polyalphabetic Substitution

Example 1
The following shows a plaintext and its corresponding
ciphertext. The cipher is monoalphabetic because both l’s
are encrypted as O’s.

Example 2
The following shows a plaintext and its corresponding
ciphertext. The cipher is not monoalphabetic because each l
is encrypted by a different character.
ABNFZ
 Additive Cipher

• The simplest substitution cipher is the additive

cipher.
• This cipher is sometimes called a shift cipher or a
Caesar cipher, but the term additive cipher better
reveals its mathematical nature.

Table : Plaintext and cipher text in Z26

 Additive Cipher (Contd…)

Note
• When the cipher is additive, the plaintext,
ciphertext, and key are integers in Z26.
 Additive Cipher(Contd…)
Example
Use the additive cipher with key = 15 to encrypt the
message “hello”.
Solution
We apply the encryption algorithm to the plaintext,
character by character:
 Additive Cipher(Contd…)
Example

Use the additive cipher with key = 15 to decrypt the

message “WTAAD”.
Solution
We apply the decryption algorithm to the plaintext
character by character as follows:
 Brute force attack or exhaustive key search
To try all possible keys of the domain to break the cipher.
Eve has intercepted the ciphertext “UVACLYFZLJBYL”.
Show how she can use a brute-force attack.
Solution
Eve tries keys from 1 to 7. And he got the result at K=7.
 Statistical attack
Based on the inherent properties of the language of plaintext
Table :Frequency of occurrence of letters in English

Table : digrams and trigrams

 Statistical attack (Contd…)
Example

Eve has intercepted the following ciphertext. Using a

statistical attack, find the plaintext.

Solution
When Eve tabulates the frequency of letters in this
ciphertext, she gets: I =14, V =13, S =12, and so on. The
most common character is I with 14 occurrences. This
means key = 4.
 Multiplicative Ciphers

P (C x

Note
• In a multiplicative cipher, the plaintext and
ciphertext are integers in Z26
• But, the key is an integer in Z26*.
 Multiplicative Ciphers(Contd…)

Example 1
What is the key domain for any multiplicative cipher?
Solution The key needs to be in Z26*. This set has only 12
members: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.
Example 2
Use a multiplicative cipher to encrypt the message “hello”
with a key of 7.
 Affine Ciphers
• It is a combination of additive and multiplicative
ciphers with a pair of keys.
 Affine Ciphers(Contd…)

Example
What is the key domain and its size in affine cipher ?
The affine cipher uses a pair of keys in which the first
key is from Z26* and the second is from Z26. The size
of the key domain is 26 × 12 = 312.
Example
Use affine cipher to encrypt the message “hello” with
the key pair (7, 2).
 Affine Ciphers(Contd…)

Example
Use the affine cipher to decrypt the message “ZEBBW”
with the key pair (7, 2) in mod 26.

Note
• The additive cipher is a special case of an affine cipher in
which k1 = 1.
• The multiplicative cipher is a special case of affine cipher
in which k2 = 0.
 Monoalphabetic Substitution Cipher

Is there any drawback of Affine cipher?

• Affine ciphers including additive and multiplicative
ciphers have small key domains, hence very
vulnerable to brute-force attack.
• A better solution is to create a mapping between
each plaintext character and the corresponding
ciphertext character.
• Alice and Bob can agree on a table showing the
mapping for each character.
 Monoalphabetic Substitution Cipher(Contd…)
Figure :An example key for monoalphabetic substitution cipher

Cryptanalysis: What is the Size of the key space ?

26!=4 x 1026 ,hence extremely difficult to brute force
attack,

But easy to statistical attack(?)

 Playfair Cipher
• A multiple-letter encryption cipher developed by
Charles Wheatstone, but named after his friend
Baron Playfair who promoted it.
 The secret key in this cipher is made by a 5x5
matrix(I and J considered as one element).
 The encryption algo. takes a pair of letters (digrams)
form the plain text and translates into ciphertext pair.
 If two letters in the pair is same, then insert a bogus
letter.
 The cipher uses 3 rules for encryption:
Playfair Cipher(Contd…)
 If the two letters in a pair are located in the same row
of the secret key, the corresponding encrypted
character for each letter is the next letter to the right in
the same row(with wrapping to the beginning)
 If the two letters in a pair are located in the same
column of the secret key, the corresponding encrypted
character for each letter is the letter beneath it in the
same column(with wrapping to the beginning)
 If the two letters in a pair are not in the same row or
column of the secret key, the corresponding encrypted
character for each letter is a letter that is in its own row
but in the same column as the other.
 Playfair Cipher(Contd..)

Example
Encrypt the plaintext “hello” using the key in above figure.

Cryptanalysis: Its key domain is 25!

• Hence difficult for brute force attack.
• Although it hides the single letter frequency, but digram
frequency is available for the attacker.
 Hill Cipher
Invented by Lester S. Hill.
Here the plaintext is divided into equal-sized(m) blocks.
The key is a square matrix of size m x m , where m is the
block size.
Note:
Encryption: C=PK

Decryption: P=CK-1,
K is invertible.

The key matrix in the Hill cipher needs to have a

multiplicative inverse.
 Hill Cipher (Contd…)
If plain text P = {P1, P2,…,Pm } and
cipher text C = {C1,C2,…,Cm} then we have:

Cryptanalysis: Brute force attack is difficult as the key

is a matrix of size mxm.
• And each entry in the matrix is chosen out of 26 values,
• Hence the size of the key domain is 26mxm.
• It also doesn’t preserve the letter frequencies.
Assignment-1
(Submission deadline: 20.10.22)
1. Show the process of encryption and decryption
for the plaintext “play" by using the Hill cipher
with the key K= 3 3
2 5
2. Find the multiplicative inverse of 15 in Z26 by
using Extended Euclidean Algorithm (show all
the steps involved in a table).
 Polyalphabetic Substitution Ciphers
• A better method than Monoalphabetic
substitution.
• Here, each occurrence of a character in plaintext
may have a different substitute in cipher text.
• The relationship between a character in the
plaintext to a character in the ciphertext is one-to-
many.
• All the ciphers has some common techniques:
• A set of related monoalphabetic substitution
rules is used
• A key determines which particular rule is
chosen for a given transformation
 Vigenere Cipher
• It is a polyalphabetic cipher designed by
Blaise de Vigenere, French Mathematician (16th century)
• Here the key stream is a repetition of an initial secret
key stream of length m
• Let the plaintext P = p0, p1, p2,… , pn-1 and
• Key consisting of the sequence of letters K = k0, k1,
k2,…,km-1, where m < n.
• Then the ciphertext letters C = C0, C1, C2, …, Cn-1 is
calculated as follows:
Ci = (pi + ki mod m) mod 26
• Similarly, the plaintext can be calculated as
pi = (Ci - ki mod m) mod 26
 Vigenere Cipher (Contd…)
Example
Encrypt the message “She is listening” using the 6-character
key “PASCAL”.
The initial key stream is (15, 0, 18, 2, 0, 11). The key stream
is the repetition of this initial key stream (as many times as
needed).
 Vigenere Cipher (Contd…)
Cryptanalysis: Can we say Vigenere cipher is
secure ?
• The attacker has to know the Key length to attack.
• Once he knows the key length (say m), then he can apply
frequency analysis of plaintext language to attack each of
the m monoalphabetic ciphers.
• For example, with the keyword PASCAL, the letters in
positions 1, 7, 13, and so on are all encrypted with the
same letter of the Key.
• Key length can be predicted, if there occurs two identical
sequences of plaintext letters , as they will generate
identical ciphertext sequences.
 Another Example of Vigenere Cipher

Plain Text (P): we are discovered save yourself

Key (K) : deceptive
 Autokey Cipher

• The periodic nature of the keyword can be eliminated

by using a non-repeating keyword that is as long as
the message itself.
• So, Vigenere proposed an autokey system, in which a
keyword is concatenated with the plaintext itself to
provide a running key.
 Autokey Cipher (Contd…)
Example

Plain Text (P): we are discovered save yourself

Key (K) : deceptive

Cryptanalysis :
Because the key and the plaintext share the
same frequency distribution of letters, a statistical
technique can be applied.
 Vernam Cipher
 Introduced by an AT&T engineer Gilbert Vernam in
1918.
 He proposed to choose a very long Key that has no
statistical relationship to the plaintext.
 His system works on binary data (bits) rather than
letters.
 Vernam Cipher (Contd…)

 So the Encryption process is given by:

where pi = ith binary digit of plaintext

ki = ith binary digit of key
ci = ith binary digit of ciphertext
 = exclusive-or (XOR) operation
 Because of the properties of the XOR, decryption
simply involves the same bitwise operation:
 One-Time Pad
 It was an improvement over Vernam’s cipher.
 Vernam’s scheme, was using the key from a punched
paper tape which was running in loop.
 So, a key was used again when the tape completed a
cycle.
 Joseph Mauborgne (Army Signal Corp officer),
proposed an improvement to the Vernam cipher
 He suggested to use a random key as long as the size
of the message, so that the key need not be repeated.
 This is the only cryptosystem that exhibits perfect
secrecy.
 One-Time Pad (Contd…)
 The key is to be used to encrypt and decrypt a single
message, and then it is discarded.
 Each new message requires a new key of the same
length as the new message.
 Therefore, it is called one-time pad, and has been
proved unbreakable.
 Drawbacks:
 There is the practical problem of creating large number of
random keys.
 Difficulty in key distribution and protection
TRANSPOSITION CIPHERS
• A transposition cipher does not substitute one
symbol for another, instead it changes the location of
the symbols.
• Therefore, it only transposes or reorders the
symbols.
• Two types: keyless or keyed (transposition cipher)
Keyless Transposition Cipher (Rail Fence Cipher)

• The plaintext is arranged in two lines as a zigzag pattern

• The ciphertext is created reading the first line and
then the second line.
• After receiving the ciphertext, the receiver divides it into
two lines from the middle and then read the characters
in zigzag.
 Example
 Let the plain text is: m e e t m e t o n i g h t
 Encryption:
 Arrange it in zigzag pattern:
 m e m t n g t
 e t e o i h
 Then read line by line.
 So the cipher text is: M E M T N G T E T E O I H
 Decryption:
 Divide the cipher text into two parts from the middle:
 M E M T N G T
 E T E O I H
 Then read in zig-zag style.
TRANSPOSITION CIPHERS (contd…)
Keyed Transposition Cipher:
• The drawback of keyless transposition is that, it has only
two rows (fixed).
• So, the cryptanalysis will be very easy for the attacker.
• only he has to know that rail fence has been used.

So, an improved method would be to use the key. It has

the following three steps:
• First the plaintext is written into a table row by row.
• Then the permutation is done by using a Permutation
Key (reordering the columns).
• Finally the new table is read column by column.
 Example(Transposition Cipher)
Alice needs to send the message “Enemy attacks tonight” to
Bob.

The key used for encryption and decryption is a permutation

key, which shows how the characters are permuted assuming
5 columns

The permutation yields:

Example(with steps)
 Expressing Permutation Table as Keys
 Encryption Key : Permutation key for encryption can
be expressed as a sequence of column numbers of the
plaintext with index values of those positions as
column numbers in the ciphertext.
 Example: Let the encryption key is (3 1 4 5 2). First
entry (3) means content of column 3 of plaintext
becomes column 1 (1 is the index of that position) in
ciphertext. Second entry (1) means column 1 in
plaintext becomes column 2 in ciphertext and so on.
 Decryption Key : The decryption key for the above
example will be (2 5 1 3 4). First entry(2) means
content of column 2 in ciphertext would be column 1
(1 is the index of that position) in plaintext and so on.
 Cryptanalysis of Transposition Cipher
• Statistical attack is possible as it preserves the
single letter frequency, but not the digrams &
trigrams.
• Bruteforce attack although possible, but Key
domain is huge
i.e. 1!+2!+3!+…+L!, where, L is the length
of the ciphertext.
• An attack called Pattern attack would be possible.
• It can be made more secure by using double
transposition.
Double Transposition Ciphers
 Rotor Cipher
• It is based on the idea of multiple stages of
monoalphabetic substitution.
• It is an electro-mechanical system having a set of
independently rotating cylinders
through which electrical pulses
can flow.
• Each cylinder has 26 input pins
and 26 output pins, with internal
wiring that connects each input pin to a unique
output pin.
• If we map each input and output pin with a letter
of the alphabet, then a single cylinder defines a
mono-alphabetic substitution.
 Rotor Cipher
• But the mapping between plaintext and ciphertext
characters changes after each rotation.
• Following is an example of rotations with 6 input and
6 output pins for simplicity.
 Rotor Cipher (Contd…)
Cryptanalysis:
• If there is only one cylinder, then we have 26 different
substitutions(keys).
• If you have two cylinders then we have 26*26 keys.
• If you have three cylinders then we have 26 * 26 * 26 =
17,576 different substitutions.
• So, by adding more cylinders the keys can be increased.
• Also it is much more resistive to statistical attack,
when the no. of cylinders=5 (11,881,376 substitutions)
Because of this, a modified version of Rotor cipher
called Enigma Machine was extensively used by
German Army during World War-II.
German Military’s Enigma Machine
STREAM AND BLOCK CIPHERS

In a stream cipher, the encryption or decryption are done

on one symbol(such as a character or bit) at a time.
• Additive Cipher
• Monoalphabetic Substitution Cipher
• Vigenere Cipher
But, in a block cipher, a group of plaintext symbols of
size m(m>1) are encrypted together creating a group
of ciphertext of the same size.
Typically, a single key is used to encrypt the whole block.
• Playfair Cipher
• Hill Cipher