Ministry of Higher Education and Scientific Research University of Baghdad College of Engineering Scrambling and Encrypting using Cipher Parameters Hopping (2008) (1429)


Post on 18-Mar-2021


Ministry of Higher Education and Scientific Research
University of Baghdad
College of Engineering

Scrambling and Encrypting using Cipher Parameters Hopping

A thesis submitted to the College of Engineering - University of Baghdad in partial fulfillment of the requirements for the degree of Master of Science in Control and Computers Engineering

By: Mohammed Jafar Ali Al-Shammaa

Supervised By: Asst. Prof. Tarik Zeyad Ismaeel

(2008) (1429)


Abstract

Cryptography is the most important aspect of communications security. The vast majority of network-based symmetric cryptographic applications make use of block ciphers. However, it seems like it is difficult to design both a fast and secure cipher.

In this thesis the design of an encryption algorithm that provides both high security and high performance is presented. The proposed algorithm, Scrambling and Encrypting with Cipher Parameter Hopping (SECPH), is composed of two main blocks: a scrambler and a block cipher with parameters hopping (CPH).

The scrambler allows the encryption of only one block with a security equivalent to encrypting the entire message, yields an all-or-nothing encryption mode, increases the encryption key length and increases the desired property of diffusion. The purpose of the CPH is to achieve high security and performance by using different cipher versions with different security/performance levels.

SECPH has many interesting features including proven security, high performance, flexibility and ease of implementation.

SECPH is implemented in the C++ programming language. Results indicate that SECPH has a better image encryption quality than Rijndael and RC6 regardless of the plain-images and the modes of operation. For example, one cipher-image encrypted by SECPH has an Irregular Deviation (ID) value of 2677 and an entropy value of 7.995, compared to an ID value of 70900 and an entropy value of 4.4 when the same image is encrypted by Rijndael, and an ID value of 70862 and an entropy value of 4.401 when it is encrypted by RC6, in ECB mode of operation (smaller ID is better).

SECPH is more resistant to differential cryptanalysis than Rijndael and RC6. It has Number of Pixels Change Rate (NPCR) values equal to or greater than 99.5% regardless of the plain-images, the position of the changed pixel and the mode of operation, in contrast to Rijndael and RC6, which have NPCR values that range from 0.04% to 87%.

SECPH has a better performance (throughput) than Rijndael (about 26% and 25% faster in ECB and CBC modes of operation respectively) and RC6 (about 30% and 32% faster in ECB and CBC modes of operation respectively).


Acknowledgements

Thanks to Allah for providing me the willingness and strength to establish this work.

I would like to express my deep gratitude and appreciation to my supervisor Asst. Prof. Dr. Tarik Zeyad Ismaeel for his support and assistance during the whole phase of my research. His assistance and encouragement have contributed essentially to finishing this work.

I am deeply grateful to my family, especially my parents, for their endless support, understanding and encouragement. Special thanks to my wife for her help, patience, understanding and encouragement.

My deep gratitude goes to all people who provided me with any kind of help during this work.

Finally, I would like to acknowledge the Electrical Engineering Department in University of Baghdad and my colleagues for their help.


Dedication

To my parents, my wife and my daughter, with all love.


Table of Contents

Abstract
Acknowledgements
Dedication
Table of Contents
List of Tables
List of Figures
List of Abbreviations and Symbols

Chapter One: Introduction
1.1 Network security
1.2 Block cipher
1.3 Aim of the thesis
1.4 Literature Survey
1.5 Thesis Outline

Chapter Two: Cryptography and Block Ciphers
2.1 Introduction
2.2 Network Security
2.3 Cryptology and Cryptography
2.4 Public (Asymmetric) Key Encryption
2.5 Secret (Symmetric) Key Encryption
2.6 Stream Ciphers
2.7 Block ciphers
2.8 Block Cipher Modes of Operation
2.9 The RC6 Block Cipher
2.10 Hash Functions, Digital Signature and Message Authentication Code
2.11 The UMAC Algorithm
2.12 Pseudorandom Number Generator (PRNG)
2.13 Cryptanalysis

Chapter Three: Scrambling and Encrypting with Cipher Parameter Hopping Algorithm
3.1 Introduction
3.2 General description of the proposed algorithm
3.3 Cipher Parameter Hopping (CPH) technique
3.4 The Scrambler
3.5 The PRNG
3.6 SECPH Encryption Algorithm
3.7 SECPH Decryption Algorithm
3.8 Security and Performance of the SECPH
3.9 Comparison of SECPH and Other Related Works
3.10 SECPH Features and Advantages

Chapter Four: Implementation and Experimental Results
4.1 Introduction
4.2 Implementation of SECPH
4.3 Image Encryption Quality
4.4 Visual Inspection
4.5 Cipher-image Histogram Analysis
4.6 The Irregular Deviation Measuring Factor
4.7 Entropy Measure
4.8 Number of Pixels Change Rate (NPCR)
4.9 Unified Average Changing Intensity (UACI)
4.10 Performance Analysis
4.11 Experimental Results Summary

Chapter Five: Conclusions and Future Work
5.1 Conclusions
5.2 Suggestions for Future Work

References

Appendix A: SECPH C++ Implementation Code


List of Tables

Table 4.1 ID values of the three images encrypted by the three block ciphers in ECB mode of operation.

Table 4.2 ID values of the three images encrypted by the three block ciphers in CBC mode of operation.

Table 4.3 Entropy values of the three cipher-images produced by the three block ciphers in ECB mode of operation.

Table 4.4 Entropy values of the three cipher-images produced by the three block ciphers in CBC mode of operation.

Table 4.5 NPCR values of the Bridge.bmp cipher-image produced by the three block ciphers in ECB mode of operation.

Table 4.6 NPCR values of Bridge1.bmp, Bridge2.bmp and Bridge3.bmp cipher-images produced by the three block ciphers in CBC mode of operation.

Table 4.7 UACI values of the Bridge.bmp cipher-image produced by the three block ciphers in ECB mode of operation.

Table 4.8 UACI values of Bridge1.bmp, Bridge2.bmp and Bridge3.bmp cipher-images produced by the three block ciphers in CBC mode of operation.

Table 4.9 Throughput in MB/S of the three block ciphers in ECB mode of operation.

Table 4.10 Throughput in MB/S of the three block ciphers in CBC mode of operation.


List of Figures

Figure 2.1 Cryptographic Primitives.

Figure 2.2 Public Key Encryption.

Figure 2.3 Secret Key Encryption.

Figure 2.4 Electronic Codebook (ECB) Mode

Figure 2.5 Cipher Block Chaining (CBC) Mode.

Figure 2.6 Cipher Feedback (CFB) Mode.

Figure 2.7 Output Feedback (OFB) Mode.

Figure 2.8 Counter (CTR) Mode.

Figure 2.9 RC6 Encryption.

Figure 2.10 Message authentication using a one-way hash function.

Figure 3.1 block diagram of the SECPH algorithm.

Figure 3.2 the scrambling scheme.

Figure 3.3 the descrambling scheme.

Figure 3.4 the SECPH decryption scheme.

Figure 4.1 Three images used for image encryption quality comparison.

Figure 4.2 Cipher-images of the three images in Figure 4.1.

Figure 4.3 Histogram of the cipher-images of the three images encrypted by the three block ciphers

Figure 4.4 Chart of the throughput in MB/S of the three block ciphers in ECB mode of operation.

Figure 4.5 Chart of the throughput in MB/S of the three block ciphers in CBC mode of operation.


List of Abbreviations and Symbols

Acronyms  Definition/Description
3DES      Triple Data Encryption Standard
AES       Advanced Encryption Standard
ASCII     American Standard Code for Information Interchange
BBS       Blum Blum Shub
CBC       Cipher Block Chaining
CFB       Cipher Feedback
CPH       Cipher Parameters Hopping
CPU       Central Processing Unit
CTR       Counter
DES       Data Encryption Standard
ECB       Electronic Codebook
FIPS      Federal Information Processing Standard
HMAC      Hash based Message Authentication Code
IBM       International Business Machines
ID        Irregular Deviation
ISAAC     Indirection, Shift, Accumulate, Add, and Count
IV        Initialization Vector
LCG       Linear Congruential Generators
MAC       Message Authentication Code
MIT       Massachusetts Institute of Technology
MMH       Multilinear Modular Hashing
NBS       National Bureau of Standards
NH        New universal Hash-function family
NIST      National Institute of Standards and Technology
NPCR      Number of Pixels Change Rate
NSA       National Security Agency
OFB       Output Feedback
PRNG      Pseudorandom Number Generator
RAM       Random Access Memory
RC5       Rivest Cipher 5
RC6       Rivest Cipher 6
RSA       Rivest, Shamir and Adleman
SEAL      Software-optimized Encryption Algorithm
SECPH     Scrambling and Encrypting with Cipher Parameter Hopping
SHA1      Secure Hash Algorithm 1
SIMD      Single Instruction Multiple Data
UACI      Unified Average Changing Intensity
UMAC      Universal hash-function based Message Authentication Code
XOR       exclusive Or

Symbol    Definition/Description
C_k       The k-th ciphertext block
D_K( )    Decryption using key K
E_K( )    Encryption using key K
H( )      Histogram function
H_e       Entropy
K         Encryption (decryption, MAC) key
K_S       Scrambling key
P_k       The k-th plaintext block
S         Scrambled message
S_K( )    Stream cipher encryption using key K
S'_K( )   Stream cipher decryption using key K


Chapter One

Introduction

1.1 Cryptography and Network Security

The need for network security is a relatively new requirement. Prior to the 1980s most computers were not networked as a result of the lack of technology. Most systems were mainframes or midrange systems that were centrally controlled and administered. But now, as millions of ordinary citizens are using networks for banking, shopping, and filing their tax returns, network security is looming on the horizon as a potentially massive problem.

Cryptography is the most important aspect of communications security and is becoming increasingly important as a basic building block for computer security [1]. The fundamental and classical task of cryptography is to provide confidentiality by encryption methods. Encryption (also called enciphering) is the process of scrambling the contents of a file or message to make it unintelligible to anyone not in possession of the key required to unscramble the file or message. The reverse process of transforming the ciphertext back to the original plaintext is known as decryption. A cipher can be seen as a combination of a general cryptographic algorithm and a key that decides the encryption details in the specific case. If we compare with ordinary locks, all the locks of a specific type work in the same way, but all the keys are different. The key in modern ciphers is often a sequence of bits (zeros and ones). As the general algorithm is often publicly known, the confidentiality of the message depends on the secrecy of the key (Kerckhoffs’ law) [1, 2].


As old as the need for secrecy is the urge to read others' encrypted messages. Cryptanalysis is the science of recovering information without knowledge of the key. The term cryptology is sometimes used for the area of cryptography and cryptanalysis together. The scientific study of cryptology started around World War II with a pioneering paper written by Shannon. Cryptology uses ideas from several other fields such as information theory, computer science, number theory, and abstract algebra. Cryptologic research has historically been done by governments and kept secret. Only in the last decades has there been widespread open research in cryptology [1, 2].

1.2 Block cipher

A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length [1].

A block cipher algorithm is a type of symmetric key encryption. Symmetric key encryption is a key-based encryption in which the same key that is used to encrypt sensitive data is used to decrypt these data. One would have to get the key to the recipient of the secure transmissions in a secure fashion, such as hand delivering the key. Many times, public key encryption methods are used to send the secret key generated by symmetric key algorithms. Then, the sender and the receiver can use that key to encrypt and decrypt (respectively) the message [1, 2].

Symmetric key algorithms are broken down into block cipher and stream cipher algorithms. Block cipher algorithms work by breaking up the message into smaller blocks and encrypting each block individually. Stream ciphers, on the other hand, encrypt data one bit at a time. The advantage of a block cipher is that it can reuse keys. However, if two plaintexts are encrypted with the same key using a stream cipher, then cryptanalysis is often quite simple. The primary disadvantage of a block cipher is that it is almost always slower and uses far more code than do stream ciphers. For applications that require encryption/decryption of a stream of data, such as over a data communications channel or a browser/Web link, a stream cipher might be the better alternative. For applications that deal with blocks of data, such as file transfer, e-mail, and database, block ciphers may be more appropriate. However, either type of cipher can be used in virtually any application [1].

Far more effort has gone into analyzing block ciphers. In general, they seem applicable to a broader range of applications than stream ciphers. The vast majority of network-based symmetric cryptographic applications make use of block ciphers [1].

Many block ciphers have a Feistel structure. Such a structure consists of a number of identical rounds of processing. In each round, a substitution is performed on one half of the data being processed, followed by a permutation that interchanges the two halves. The original key is expanded so that a different key is used for each round [1].

There are several cryptanalysis attacks on block ciphers. The simplest approach to cryptanalyzing a block cipher is exhaustive key search. The cryptanalyst tries decrypting the known ciphertext with each possible key in turn until the correct key is found. Implicit in the definition of exhaustive search is the assumption that the cryptanalyst can tell whether a given guess of the key is correct. This requires that the cryptanalyst has some information about the plaintext. For example, the bytes of the plaintext may be limited to ASCII (American Standard Code for Information Interchange) character values. In general, the cryptanalyst requires as much information about the plaintext as he has uncertainty about the key. Otherwise, there are likely to be many keys corresponding to plausible plaintexts. The time required to complete an exhaustive key search depends on the number of possible keys (and hence on the key length), the time it takes to test a candidate key, and the number of processors performing the search [2, 3].
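The relation between plaintext information and key uncertainty can be checked by enumeration on a toy cipher. This added example is not from the thesis: the 16-bit key, the SHA-256 keystream cipher, and all names and sample values are assumptions constructed for illustration, chosen so that the whole key space fits in a loop.

```python
import hashlib
import math

KEY_BITS = 16                    # toy key size (assumption): small enough to enumerate
SECRET_KEY = 0xBEEF              # constructed sample key
SAMPLE_PLAINTEXT = b"Transfer 100 USD to account 42"   # constructed sample message


def keystream(key, n):
    """Toy keyed generator (assumption): SHA-256 over the 2-byte key and a counter."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key.to_bytes(2, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_crypt(key, data):
    """XOR the data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def looks_like_ascii_text(data):
    """All the cryptanalyst knows about the plaintext: printable ASCII bytes."""
    return all(0x20 <= b <= 0x7E for b in data)


def plausible_keys(ciphertext):
    """Exhaustive search: every key whose trial decryption passes the plaintext test."""
    return [k for k in range(1 << KEY_BITS)
            if looks_like_ascii_text(toy_crypt(k, ciphertext))]


def ciphertext_bytes_needed(key_bits, alphabet_size=95):
    """Ciphertext bytes needed before the plaintext's redundancy covers the key.

    A byte restricted to `alphabet_size` values carries 8 - log2(alphabet_size)
    bits of redundancy; the search is only decisive once the total redundancy
    reaches the key length.
    """
    redundancy_per_byte = 8 - math.log2(alphabet_size)
    return math.ceil(key_bits / redundancy_per_byte)


def survivors_by_length(lengths=(2, 8, 12, 24)):
    """Number of keys that still look correct for growing ciphertext prefixes."""
    ciphertext = toy_crypt(SECRET_KEY, SAMPLE_PLAINTEXT)
    return {n: len(plausible_keys(ciphertext[:n])) for n in lengths}


if __name__ == "__main__":
    print("bytes needed for a 16-bit key:", ciphertext_bytes_needed(KEY_BITS))
    for n, count in survivors_by_length().items():
        print(f"{n:2d} ciphertext bytes -> {count} keys give plausible plaintext")
```

With only two ciphertext bytes thousands of keys pass the test, so the search cannot single out the key; once the prefix is well past the computed threshold only the true key remains.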

DES (Data Encryption Standard), Rijndael and RC6 (Rivest Cipher) are good examples of publicly known block ciphers.

1.3 Aim of the thesis

The principal goal guiding the design of any encryption algorithm must be security against unauthorized attacks. However, for all practical applications, performance and the cost of implementation are also important concerns.

So given a fixed level of security the goal is to optimize performance. Performance can be measured as speed or chip area. Other important features are clarity of the design and flexibility in its implementation. It seems like it is difficult to design both a fast and secure cipher. The area can be expressed in the number of gates or the amount of memory required to run the algorithm. Speed can be measured in the number of encryption bits versus the clock frequency, which is technology dependent.

When designing a cipher there is also a trade-off between the speed in software and hardware, as it is difficult to optimize for both at the same time.


The aim of this thesis is to design and implement an encryption algorithm that provides both high security and performance. Also, other features such as flexibility, simplicity and ease of implementation are taken into account when designing the algorithm. In addition, it is implemented using existing cryptographic primitives and it is provably secure in the sense that attacks which find its key would yield attacks on one or more of the underlying components.

1.4 Literature Survey

Lucifer is generally considered to be the first civilian block cipher, developed at International Business Machines (IBM) in 1973 based on work done by H. Feistel [4]. It uses a 128-bit key and operates on 128-bit blocks. The cipher is a substitution-permutation network and uses two 4-bit S-boxes. The key selects which S-box is used. After some redesign (a reduction to a 56-bit key and 64-bit block due to the discussion between IBM and NSA, National Security Agency) it became the DES in 1977, which was adopted by the National Bureau of Standards (NBS), now the National Institute of Standards and Technology (NIST), as a Federal Information Processing Standard (FIPS), and it has been (reluctantly) reaffirmed as a standard several times [5]. In 1977, two Stanford cryptography researchers, Diffie and Hellman, designed a machine to break DES and estimated that it could be built for 20 million dollars. Given a small piece of plaintext and matched ciphertext, this machine could find the key by exhaustive search of the 2^56-entry key space in less than 1 day [6].

As DES began approaching the end of its useful life, NIST invited researchers from all over the world to submit proposals for a new standard, to be called Advanced Encryption Standard (AES) in January 1997. Fifteen serious proposals were made, and then (in August 1998) NIST selected five finalists primarily on the basis of their security, efficiency, simplicity, flexibility, and memory requirements [7]. Two of them are Rivest Cipher 6 (RC6) by R. L. Rivest [8], and Rijndael (which was finally adopted by NIST to be the AES) by J. Daemen and V. Rijmen [9]. In November 2001 Rijndael became a U.S. Government standard published as Federal Information Processing Standard FIPS 197.

Rijndael supports key lengths and block sizes from 128 bits to 256 bits in steps of 32 bits. The key length and block length may be chosen independently. However, AES specifies that the block size must be 128 bits and the key length must be 128, 192, or 256 bits. A 128-bit key gives a key space of 2^128 ≈ 3 × 10^38 keys. Even if one managed to build a machine with 1 billion parallel processors, each being able to evaluate one key per picosecond, it would take such a machine about 10^10 years to search the key space [7].

RC6 was based around RC5, which was published in December 1994. In many situations and environments its performance is at least equal to, and in several places better than, the other AES finalists. A good comparison between RC6 and Rijndael was introduced by M.J.B. Robshaw in 2001 [10].

Much work has been done attempting to improve the security and/or performance of block ciphers. In 1996, R. Anderson and E. Biham suggested two new block ciphers, called BEAR and LION. They were composed of two components: a hash function and a stream cipher. Some of their properties were: they had large block sizes, they were fast in many applications and they were provably secure in the sense that attacks which find their keys would yield attacks on one or both of the underlying components [11].


In 1997, R. L. Rivest introduced the all-or-nothing encryption mode implemented using the “package transform” [12]. The goal of this encryption mode is to increase the difficulty of an exhaustive key search on symmetric encryption schemes, while keeping the key size the same and not overly burdening the legitimate users. The all-or-nothing mode had the property that one must decrypt the entire cipher text before one could determine even one message block.
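A sketch of Rivest's package transform [12], added here as an example and not taken from the thesis or from Rivest's paper: each block is masked under a random inner key K', and one extra block hides K' under the XOR of keyed values of every masked block, so K' (and with it any message block) can be recovered only when all blocks are available. HMAC-SHA-256 truncated to 16 bytes stands in for the block cipher, and the function names, the all-zero public key K0 and the sample message are assumptions; in the full mode the packaged blocks are then encrypted under the ordinary secret key.

```python
import hashlib
import hmac
import os

BLOCK = 16                       # block size in bytes
K0 = bytes(BLOCK)                # fixed, publicly known key (assumption: all zeros)
SAMPLE_MESSAGE = b"pay 100 to alicepay 250 to bobbypay 975 to carol"   # constructed


def prf(key, block):
    """Keyed function standing in for the block cipher E (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def index_block(i):
    """Block index i encoded as a full-width block."""
    return i.to_bytes(BLOCK, "big")


def split_blocks(message):
    """Split into BLOCK-sized pieces; padding is left to the caller."""
    if not message or len(message) % BLOCK:
        raise ValueError("message length must be a non-zero multiple of BLOCK")
    return [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]


def package(blocks, inner_key=None):
    """Return the s masked blocks plus one final block that hides the inner key."""
    inner_key = inner_key or os.urandom(BLOCK)          # K', fresh per message
    masked = [xor(m, prf(inner_key, index_block(i)))     # m'_i = m_i XOR E(K', i)
              for i, m in enumerate(blocks, 1)]
    last = inner_key
    for i, c in enumerate(masked, 1):                   # last = K' XOR h_1 XOR ... XOR h_s
        last = xor(last, prf(K0, xor(c, index_block(i))))   # h_i = E(K0, m'_i XOR i)
    return masked + [last]


def unpackage(pseudo):
    """Recover K' from all blocks, then unmask each message block."""
    masked, inner_key = pseudo[:-1], pseudo[-1]
    for i, c in enumerate(masked, 1):
        inner_key = xor(inner_key, prf(K0, xor(c, index_block(i))))
    return [xor(c, prf(inner_key, index_block(i))) for i, c in enumerate(masked, 1)]


def tamper(pseudo, position):
    """Copy of the package with one bit flipped in the block at `position`."""
    damaged = list(pseudo)
    damaged[position] = xor(damaged[position], b"\x01" + bytes(BLOCK - 1))
    return damaged


if __name__ == "__main__":
    original = split_blocks(SAMPLE_MESSAGE)
    packaged = package(original)
    print("round trip ok:", unpackage(packaged) == original)
    recovered = unpackage(tamper(packaged, 1))
    wrong = sum(r != m for r, m in zip(recovered, original))
    print(f"one damaged block -> {wrong} of {len(original)} blocks unrecoverable")
```

A single wrong or missing block changes the recovered inner key, so every message block comes out wrong, which is why a key guess can only be tested after processing the whole ciphertext.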

Another, and similar, work was done by M. Jakobsson, J. P. Stern, and M. Yung in 1999. They proposed a design tool for block encryption to solve the problem of remotely keyed encryption, allowing the en/decryption of arbitrarily long messages, but performing en/decryption on only a single block [13].

R. L. Rivest presented multi-grade cryptography in 2001 which made a single cryptosystem appear to present multiple levels of security. It was based on computational complexity and was designed so that breaking the first key has one difficulty level (hard) while finding later keys has another difficulty level (easier). No matter which key the adversary attacks first, it will be quite difficult for him to figure out that key. But once he has broken his first key, he learns something about how the keys are created, and subsequent keys will be much easier for him to break [14].

In 2001 a solution was outlined by H. Ashman and M. Gilbert to make it possible to transmit quantities of data with reasonable commercial security but not too much performance degradation. They described the use of hierarchical encryption which applies the principle of cryptographic strength appropriate to the value and duration of secrecy of the data [15].

The tweakable block cipher was proposed by M. Liskov, R. L.

Rivest, and David Wagner in 2002. Such a cipher has not only the usual

inputs, message and cryptographic key, but also a third input, the tweak. The

tweak serves much the same purpose that an initialization vector does for

Cipher Block Chaining (CBC) mode or that a nonce does for Output

Feedback (OFB) mode. Tweakable block cipher thus brings this feature

down to the primitive block-cipher level with small cost and ease of design,

instead of incorporating it only at the higher modes-of-operation levels

[16].

In 2005, D. N. Serpanos and A. G. Voyiatzis proposed a scheme that

allows multiple keys to be valid at any moment and described a method that

allows the receiver to identify the key used for each encryption with

minimum effort, while not allowing an attacker to deduce this information.

The scheme was based on controlled randomness [17].

P. Mroczkowski and P. Rodwald proposed a general framework for

improving the security of the symmetric block cipher cryptosystem in

2007. The main idea was based on the possibility of changing S-boxes in

the encryption/decryption algorithm. This was done by generating identical

substitution boxes by an encryption and decryption party using a

deterministic method of generating S-boxes based on pseudorandom

sequences [18].

1.5 Thesis Outline

This thesis is composed of five chapters. This chapter gives an

introduction to network security, cryptography and block cipher. Literature

survey, aim of the thesis and thesis outline are also presented.

In Chapter Two, several aspects of cryptography are presented. The

concept of symmetric encryption using block cipher is discussed in detail

and it is compared to other encryption algorithms such as stream cipher and

public key encryption. In addition, other cryptographic primitives such as

Message Authentication Code (MAC) algorithms and Pseudorandom

Number Generators (PRNGs) are presented.

The proposed algorithm Scrambling and Encrypting with Cipher

Parameters Hopping (SECPH) is presented in Chapter Three. The security

of SECPH is discussed and compared to other existing algorithms. Also,

advantages and features of SECPH are presented.

Chapter Four presents the implementation of SECPH and

summarizes the experimental results obtained by comparing its image

encryption quality to that of other existing block ciphers (Rijndael and

RC6) using six measures in two modes of operation. In addition, the

performance (throughput) of SECPH is compared to that of Rijndael and

RC6 in two modes of operation.

The conclusions of this thesis and some suggestions for future work

are presented in Chapter Five.

Chapter Two

Cryptography and Block Ciphers

2.1 Introduction

Cryptography is the most important aspect of communications

security and is becoming increasingly important as a basic building block

for computer security. The fundamental and classical task of cryptography

is to provide confidentiality by encryption methods.

In this chapter, the principle of encryption is presented.

Subsequently, symmetric encryption using block cipher is discussed in

detail and it is compared to other encryption algorithms such as stream

cipher and public key encryption. In addition, other cryptographic

primitives such as Message Authentication Code (MAC) algorithms and

Pseudorandom Number Generators (PRNGs) are presented.

2.2 Network Security Requirements

With the introduction of the computer, the need for automated tools

for protecting files and other information stored on the computer became

evident. This is especially the case for a shared system, such as a time-

sharing system, and the need is even more acute for systems that can be

accessed over a public telephone network, data network, or the Internet [1].

Network security addresses these requirements: [19, 20, 21]

Confidentiality (secrecy) is a service used to keep the content of

information from all but those authorized to have it.

Data integrity is a service which addresses the unauthorized alteration

of data.

Authentication is a service related to identification. Two parties

entering into a communication should identify each other. Information

delivered over a channel should be authenticated as to origin, date of

origin, data content, time sent, etc.

Non-repudiation is a service which prevents an entity from denying

previous commitments or actions.

Availability: Requires that computer system assets are available to

authorized parties.

2.3 Cryptology and Cryptography

Cryptology is the discipline of cryptography and cryptanalysis and of

their interaction.

The word “cryptography” is derived from the Greek words kryptos,

meaning hidden, and graphein, meaning to write. It is the science of

keeping secrets secret. One objective of cryptography is protecting a secret

from adversaries. Professional cryptography protects not only the plaintext,

but also the key and more generally tries to protect the whole cryptosystem

[2]. Cryptographic primitives can be classified into two classes: keyed

primitives and unkeyed primitives as in Figure 2.1 [20].

The fundamental and classical task of cryptography is to provide

confidentiality by encryption methods. Encryption (also called enciphering)

is the process of scrambling the contents of a file or message to make it

unintelligible to anyone not in possession of the "key" required to

unscramble the file or message [3]. Providing confidentiality is not the only

objective of cryptography. Cryptography is also used to provide solutions

for other problems: Data integrity, Authentication, Non-repudiation [21].

Figure 2.1 Cryptographic Primitives.

Encryption methods have historically been divided into two

categories: substitution ciphers and transposition ciphers. In a substitution

cipher the letters of plaintext are replaced by other letters or by numbers or

symbols. If the plaintext is viewed as a sequence of bits, then substitution

involves replacing plaintext bit patterns with ciphertext bit patterns.

Substitution ciphers preserve the order of the plaintext symbols but

disguise them.

Transposition ciphers, in contrast, reorder the letters but do not

disguise them. This is achieved by performing some sort of permutation on

the plaintext letters [22, 23].

There are two types of encryption: symmetric (private/secret) key

encryption and asymmetric (public) key encryption [3].

2.4 Public Key (Asymmetric) Encryption

Historically, distributing the keys has always been the weakest link

in most cryptosystems. Cryptologists always took for granted that the

encryption key and decryption key were the same (or easily derived from

one another). But the key had to be distributed to all users of the system.

Thus, it seemed as if there was an inherent built-in problem. Keys had to be

protected from theft, but they also had to be distributed [7].

In 1976, two researchers at Stanford University, Diffie and Hellman

(1976), proposed a radically new kind of cryptosystem, one in which the

encryption and decryption keys were different, and the decryption key

could not feasibly be derived from the encryption key, although the two are related [7].

This is illustrated in Figure 2.2. With this approach, all participants

have access to public keys, and private keys are generated locally by each

participant and therefore need never be distributed. As long as a system

controls its private key, its incoming communication is secure. At any time,

a system can change its private key and publish the companion public key

to replace its old public key [19, 24].

Figure 2.2 Public Key Encryption.

One of the first public-key schemes (RSA) was developed in 1977 by

Ron Rivest, Adi Shamir, and Len Adleman at MIT (Massachusetts Institute

of Technology), and first published in 1978. The RSA scheme has since

reigned supreme as the only widely accepted and implemented approach to

public-key encryption. It’s based on the difficulty of factoring large

numbers. Other public-key schemes, invented by El Gamal (1985) and

Schnorr (1991), are based on the difficulty of computing discrete

logarithms. A few other schemes exist, such as those based on elliptic

curves (Menezes and Vanstone, 1993) [7, 24].

The major disadvantage of Public Key Encryption is that it is quite

slow [24, 25].

2.5 Secret Key (Symmetric) Encryption

Symmetric encryption, also referred to as secret key encryption, is

based on a single key and algorithm being shared between the parties who

are exchanging encrypted information. The same key both encrypts and

decrypts messages as illustrated in Figure 2.3.

The strength of the scheme is largely dependent on the size of the

key and on keeping it secret. Generally, the larger the key, the more secure

the scheme. In addition, symmetric key encryption is relatively fast, but it

requires secret sharing since the key has to be shared and the sender can't

share the key information over an unsecured network without

compromising the key [3].

Figure 2.3 Secret Key Encryption.

Symmetric ciphers usually fall into one of two categories: block

ciphers or stream ciphers [3].

2.6 Stream Ciphers

The stream cipher encrypts data by generating a key stream from the

key and performing the XOR function on the key stream with the plaintext

data. The key stream can be any size that matches the size of the plaintext

stream to be encrypted. The key stream, or the running-key, is a

pseudorandom sequence that is produced by a finite state automaton whose

initial state is determined by a secret key. The ith key stream digit only

depends on the secret key and on the (i − 1) previous plaintext digits. Then,

the ith ciphertext digit is obtained by combining the ith plaintext digit with

the ith key stream digit [2].

The most famous stream cipher is the Vernam cipher, also called

one-time pad, which leads to perfect secrecy (the ciphertext gives no

information about the plaintext) [2].

Stream ciphers have several advantages which make them suitable

for some applications. Most notably, they are usually faster and have a

lower hardware complexity than block ciphers. They are also appropriate

when buffering is limited, since the digits are individually encrypted and

decrypted. Moreover, synchronous stream ciphers are not affected by error

propagation [2].

One desirable property of a stream cipher is that the ciphertext be of

the same length as the plaintext. Thus, if 8-bit characters are being

transmitted, each character should be encrypted to produce a cipher text

output of 8 bits. If more than 8 bits are produced, transmission capacity is

wasted [1].

However, stream ciphers are vulnerable to attack if the same key is

used twice or more. This can be illustrated as follows:

Let A and B be messages of the same length, both encrypted using

the same key, K. The stream cipher produces a key stream $C_K$ of the same length

as the messages. The encrypted versions of the messages then are:

$E_K(A) = A \,\mathrm{XOR}\, C_K$ (2-1)

$E_K(B) = B \,\mathrm{XOR}\, C_K$ (2-2)

where XOR is performed bit by bit. If an adversary has intercepted

$E_K(A)$ and $E_K(B)$, he can easily compute $E_K(A) \,\mathrm{XOR}\, E_K(B)$. However,

XOR is commutative and has the property that X XOR X = 0 (self-inverse),

so:

$E_K(A) \,\mathrm{XOR}\, E_K(B) = (A \,\mathrm{XOR}\, C_K) \,\mathrm{XOR}\, (B \,\mathrm{XOR}\, C_K) = A \,\mathrm{XOR}\, B$ (2-3)

which can often be broken by simple calculations even if neither

message is known, as long as the adversary has some information about

these messages (e.g. in ASCII character encoding) [1].
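
The cancellation in Equation 2-3, shown as an added example that is not part of the thesis: the key stream generator, the sample messages, the per-message nonce fix and all function names are constructed assumptions. It also includes an audit check based on the ASCII remark above: when both plaintexts are 7-bit ASCII and the key stream was reused, every byte of the XOR of the two ciphertexts has its top bit clear.

```python
import hashlib

def keystream(key: bytes, length: int, nonce: bytes = b"") -> bytes:
    """Toy key stream C_K (constructed for this example): SHA-256 over a counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, msg: bytes, nonce: bytes = b"") -> bytes:
    """E_K(M) = M XOR C_K; decryption is the same operation."""
    return xor(msg, keystream(key, len(msg), nonce))

def looks_like_keystream_reuse(c1: bytes, c2: bytes) -> bool:
    """Audit check for two captured ciphertexts of ASCII traffic.

    With a reused key stream, c1 XOR c2 = A XOR B and the top bit of every
    byte is clear. With independent key streams that happens with
    probability 2^-n for n bytes, so short inputs are not judged.
    """
    n = min(len(c1), len(c2))
    return n >= 16 and all(b < 0x80 for b in xor(c1, c2))

# Constructed sample messages of equal length.
A = b"TRANSFER 0100 USD TO ACCOUNT 111"
B = b"TRANSFER 9900 USD TO ACCOUNT 222"
KEY = b"constructed demo key"

def demo() -> dict:
    # Same key, no nonce: both messages are XORed with the same C_K (Eq. 2-1, 2-2).
    ca, cb = encrypt(KEY, A), encrypt(KEY, B)
    leaked = xor(ca, cb)              # Eq. 2-3: C_K cancels, A XOR B remains
    recovered_b = xor(leaked, A)      # whoever knows A now knows B
    # Mitigation: a unique nonce per message yields a distinct key stream each time.
    na = encrypt(KEY, A, b"nonce-1")
    nb = encrypt(KEY, B, b"nonce-2")
    return {
        "leak_equals_a_xor_b": leaked == xor(A, B),
        "recovered_b": recovered_b,
        "reuse_flagged": looks_like_keystream_reuse(ca, cb),
        "nonce_flagged": looks_like_keystream_reuse(na, nb),
        "nonce_leak_equals_a_xor_b": xor(na, nb) == xor(A, B),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```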

2.7 Block ciphers

A block cipher fragments the message into blocks of a predetermined

size and performs the XOR function on each block with the key stream

generated by the cipher algorithm. Each block must be of the

predetermined size, and leftover message fragments are padded to the

appropriate block size [25, 26].

Block ciphers differ from stream ciphers in that they encrypt and

decrypt information in fixed size blocks rather than encrypting and

decrypting each letter or word individually. A block cipher passes a block

of data or plaintext through its algorithm to generate a block of ciphertext.

One advantage of a block cipher is diffusion where bits or bytes are

dispersed throughout the cipher text such that a single change of one bit

affects multiple bits during subsequent rounds. However this may have a

drawback that errors can spread easily such that one error can cause an

entire block to be misinterpreted.

Confusion and diffusion are two properties of the operation of a

secure cipher. Confusion refers to making the relationship between the key

and the ciphertext as complex and involved as possible; diffusion refers to

the property that redundancy in the statistics of the plaintext is "dissipated"

in the statistics of the ciphertext [27].

Diffusion is associated with dependency of bits of the output on bits

of the input. In a cipher with good diffusion, flipping an input bit should

change each output bit with a probability of one half (this is termed the

Strict Avalanche Criterion).

Substitution (a plaintext symbol is replaced by another) has been

identified as a mechanism for primarily confusion; conversely transposition

(rearranging the order of symbols) is a technique for diffusion, although

other mechanisms are also used in modern practice, such as linear

transformations (e.g. in Rijndael). Product ciphers use alternating

substitution and transposition phases to achieve both confusion and

diffusion respectively [1].

Ideally, a block cipher should generate ciphertext roughly equivalent

in size (in terms of number of blocks) to the plaintext.

Another drawback to block ciphers is that they are time consuming,

compared to stream ciphers [2].

Examples of well known block ciphers include the Advanced

Encryption Standard (AES), Data Encryption Standard (DES), and the

Rivest Cipher 6 (RC6) [7].

2.8 Block Cipher Modes of Operation

A mode of operation is a technique for enhancing the effect of a

cryptographic algorithm or adapting the algorithm for an application. To

apply a block cipher in a variety of applications, five "modes of operation"

have been defined. These modes are intended to cover virtually all the

possible applications of encryption for which a block cipher could be used

[1, 7, 25].

i. Electronic Codebook Mode

The simplest mode is the electronic codebook (ECB) mode, in which

plaintext is handled one block at a time and each block of plaintext is

encrypted using the same key (Figure 2.4).

Figure 2.4 Electronic Codebook (ECB) Mode. (a) Encryption. (b) Decryption.

For a message longer than b bits (block size), the procedure is to

break the message into b-bit blocks, padding the last block if necessary.

Decryption is performed one block at a time, always using the same key.

The most significant characteristic of ECB is that the same b-bit block of

plaintext, if it appears more than once in the message, always produces the

same ciphertext. For lengthy messages the ECB mode may not be secure. If

the message is highly structured, it may be possible for a cryptanalyst to

exploit these regularities [1, 7].

ii. Cipher Block Chaining Mode

In cipher block chaining (CBC) mode the same plaintext block, if

repeated, produces different ciphertext blocks. As in Figure 2.5, in this

scheme, the input to the encryption algorithm is the XOR of the current

plaintext block and the preceding ciphertext block; the same key is used for

each block. The input to the encryption function for each plaintext block

bears no fixed relationship to the plaintext block. Therefore, repeating

patterns of b bits are not exposed [1, 7].

Figure 2.5 Cipher Block Chaining (CBC) Mode. (a) Encryption. (b) Decryption.

For decryption, each cipher block is passed through the decryption

algorithm. The result is XORed with the preceding ciphertext block to

produce the plaintext block as follows:

$C_j = E(K, [C_{j-1} \oplus P_j])$ (2-4)

then $D(K, C_j) = D(K, E(K, [C_{j-1} \oplus P_j])) = C_{j-1} \oplus P_j$ (2-5)

$C_{j-1} \oplus D(K, C_j) = C_{j-1} \oplus C_{j-1} \oplus P_j = P_j$, (2-6)

where $P_j$, $C_j$: the jth plaintext and ciphertext block respectively,

K: the encryption key,

E( ), D( ): encryption and decryption function respectively.

To produce the first block of ciphertext, an initialization vector (IV)

is XORed with the first block of plaintext. On decryption, the IV is XORed

with the output of the decryption algorithm to recover the first block of

plaintext. The IV is a data block that is the same size as the cipher block.

The IV must be known to both the sender and receiver but be unpredictable

by a third party. For maximum security, the IV should be protected against

unauthorized changes [1, 7].

Because of the chaining mechanism of CBC, it is an appropriate

mode for encrypting messages of length greater than b bits. However,

cipher block chaining has the disadvantage of requiring an entire block to

arrive before decryption can begin [1, 7].

iii. Cipher Feedback Mode

It is possible to convert a block cipher into a stream cipher, using

either the cipher feedback (CFB) or the output feedback mode. A stream

cipher eliminates the need to pad a message to be an integral number of

blocks. It also can operate in real time [1, 7].

Figure 2.6 depicts the CFB scheme. It is assumed that the unit of

transmission is s bits (a common value is s = 8) and that the block size of the

block cipher is 64 bits. As with CBC, the units of plaintext are chained

together, so that the ciphertext of any plaintext unit is a function of all the

preceding plaintext. In this case, rather than units of b bits, the plaintext is

divided into segments of s bits.

Figure 2.6 Cipher Feedback (CFB) Mode. (a) Encryption. (b) Decryption.

The input to the encryption function is a b-bit shift register that is

initially set to some initialization vector (IV). The leftmost (most

significant) s bits of the output of the encryption function are XORed with

the first segment of plaintext P1 to produce the first unit of ciphertext C1,

which is then transmitted. In addition, the contents of the shift register are

shifted left by s bits and C1 is placed in the rightmost (least significant) s

bits of the shift register. This process continues until all plaintext units have

been encrypted.

For decryption, the same scheme is used, except that the received

ciphertext unit is XORed with the output of the encryption function to

produce the plaintext unit. It must be noticed that it is the encryption

function that is used, not the decryption function. Let $S_s(X)$ be defined as

the most significant s bits of X. Then

$C_1 = P_1 \oplus S_s[E(K, IV)]$ (2-7)

Therefore, $P_1 = C_1 \oplus S_s[E(K, IV)]$ (2-8)

The same reasoning holds for subsequent steps in the process.

iv. Output Feedback Mode

The output feedback (OFB) mode is similar in structure to that of

CFB, as illustrated in Figure 2.7. As it can be seen, it is the output of the

encryption function that is fed back to the shift register in OFB, whereas in

CFB the ciphertext unit is fed back to the shift register [1, 7].

One advantage of the OFB method is that bit errors in transmission

do not propagate [1, 7]. For example, if a bit error occurs in C1 only the

recovered value of P1 is affected; subsequent plaintext units are not

corrupted. With CFB, C1 also serves as input to the shift register and

therefore causes additional corruption downstream.

The disadvantage of OFB is that it is more vulnerable to a message

stream modification attack than is CFB. That is, complementing a bit in the

ciphertext complements the corresponding bit in the recovered plaintext.

Thus, controlled changes to the recovered plaintext can be made.

Figure 2.7 Output Feedback (OFB) Mode. (a) Encryption. (b) Decryption.

v. Counter Mode

Figure 2.8 depicts the Counter (CTR) Mode. A counter equal in size to the

plaintext block is used, with a different value for each plaintext block

that is encrypted. Typically, the counter is initialized to some value and

then incremented by 1 for each subsequent block. For encryption, the

counter is encrypted and then XORed with the plaintext block to produce

the ciphertext block; there is no chaining [1, 7].

Figure 2.8 Counter (CTR) Mode. (a) Encryption. (b) Decryption.

For decryption, the same sequence of counter values is used, with

each encrypted counter XORed with a ciphertext block to recover the

corresponding plaintext block. The advantages of CTR mode are the

following: [1]

Hardware efficiency: Unlike the three chaining modes, encryption (or

decryption) in CTR mode can be done in parallel on multiple blocks

of plaintext or ciphertext.

Software efficiency: Because of the opportunities for parallel

execution in CTR mode, processors that support parallel features can

be effectively utilized.

Preprocessing: The execution of the underlying encryption algorithm

does not depend on input of the plaintext or ciphertext. Therefore, if

sufficient memory is available and security is maintained,

preprocessing can be used to prepare the output of the encryption

boxes that feed into the XOR functions in Figure 2.8. When the

plaintext or ciphertext input is presented, then the only computation is

a series of XORs.

Random access: The ith block of plaintext or ciphertext can be

processed in random-access fashion.

Provable security: It can be shown that CTR is at least as secure as the

other modes discussed in this section.

Simplicity: Unlike ECB and CBC modes, CTR mode requires only the

implementation of the encryption algorithm and not the decryption

algorithm.
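
An added example (not from the thesis) for the ECB, CBC, CFB and OFB passages above: it shows repeated plaintext blocks surviving ECB but not CBC (Equations 2-4 to 2-6), and the effect of one flipped ciphertext bit under OFB versus CFB with s = 8. The toy Feistel cipher standing in for E and D, the 16-byte block size, the sample data and all function names are constructed assumptions.

```python
import hashlib

BLOCK = 16  # toy block size b in bytes (assumption; the CFB figure in the text uses 64 bits)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function: truncated SHA-256 (constructed for this example)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key, block):
    """Toy 4-round Feistel cipher standing in for E(K, .); not a real cipher."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key, block):
    """Inverse of E: undo the four rounds in reverse order."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for p in blocks(pt):
        prev = E(key, xor(prev, p))        # Eq. 2-4
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(prev, D(key, c)))   # Eq. 2-6
        prev = c
    return b"".join(out)

def feedback_crypt(key, iv, data, mode, decrypt=False):
    """CFB or OFB with s = 8 bits: a b-byte shift register, one E call per byte."""
    reg, out = iv, bytearray()
    for byte in data:
        o = E(key, reg)[0]                 # S_s: most significant s bits of E(K, reg)
        res = byte ^ o                     # Eq. 2-7 (encrypt) / Eq. 2-8 (decrypt)
        cipher_byte = byte if decrypt else res
        fed_back = cipher_byte if mode == "cfb" else o
        reg = reg[1:] + bytes([fed_back])  # shift left by s, feedback on the right
        out.append(res)
    return bytes(out)

def diff_positions(a, b):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample data.
KEY, IV = b"constructed demo key", bytes(range(BLOCK))
REPEATED = b"0123456789abcdef" * 3 + b"one unique block"   # 4 blocks, 3 identical
MSG = b"PAY 0000100 USD TO ACCOUNT 12345678 REF 00000042"

def demo():
    ecb = ecb_encrypt(KEY, REPEATED)
    cbc = cbc_encrypt(KEY, IV, REPEATED)
    damage, received = {}, {}
    for mode in ("ofb", "cfb"):
        ct = bytearray(feedback_crypt(KEY, IV, MSG, mode))
        ct[5] ^= 0x01                      # one altered bit in ciphertext byte 5
        received[mode] = feedback_crypt(KEY, IV, bytes(ct), mode, decrypt=True)
        damage[mode] = diff_positions(MSG, received[mode])
    return {
        "ecb_distinct": len(set(blocks(ecb))),   # repeated blocks show through
        "cbc_distinct": len(set(blocks(cbc))),   # chaining hides them
        "cbc_roundtrip": cbc_decrypt(KEY, IV, cbc) == REPEATED,
        "ofb_damage": damage["ofb"],       # only the byte holding the flipped bit
        "ofb_received": received["ofb"],   # same bit flipped in the plaintext
        "cfb_damage": damage["cfb"],       # byte 5 plus up to b/s = 16 later units
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Under OFB the receiver gets a valid-looking message with exactly one changed digit and no sign of tampering, which is why such modes are paired with an integrity check such as the MAC algorithms of Section 2.10.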

2.9 The RC6 Block Cipher

In January 1997, the National Institute of Standards and Technology (NIST) invited

researchers from all over the world to submit proposals for a new standard,

to be called the Advanced Encryption Standard (AES). NIST

selected five finalists (from fifteen proposals) primarily on the basis of their

security, efficiency, simplicity, flexibility, and memory requirements. NIST

adjudged all these five algorithms to have “an adequate security margin”.

One of them was Rivest Cipher 6 (RC6) by Ronald L. Rivest [8, 10].

RC6 was the simplest of the AES finalists. It is a fully parameterized

family of encryption algorithms. A version of RC6 is more accurately

specified as RC6-w/r/b where the word size is w bits, encryption consists of

a nonnegative number of rounds r, and b denotes the length of the

encryption key in bytes. Since the AES submission is targeted at w = 32

and r = 20, RC6 will be used as shorthand to refer to such versions. When

any other value of w or r is intended in the text, the parameter values will

be specified as RC6-w/r [8, 10].

For all variants, RC6-w/r/b operates on units of four w-bit words

using the following six basic operations. The base-two logarithm of w will

be denoted by log w.

a + b      integer addition modulo 2^w

a - b      integer subtraction modulo 2^w

a ⊕ b      bitwise exclusive-or of w-bit words

a × b      integer multiplication modulo 2^w

a <<< b    rotate the w-bit word a to the left by the amount given by the least significant log w bits of b

a >>> b    rotate the w-bit word a to the right by the amount given by the least significant log w bits of b.

It must be noticed that in the description of RC6 the term “round” is

somewhat analogous to the usual DES-like idea of a round: half of the data

is updated by the other half; and the two are then swapped [8].

2.9.1 Key schedule for RC6

The key schedule of RC6-w/r/b is presented here [8]. The user

supplies a key of b bytes. Sufficient zero bytes are appended to give a key

length equal to a non-zero integral number of words; these key bytes are

then loaded in little-endian fashion into an array of c w-bit words L[0],…,

L[c - 1]. Thus the first byte of key is stored as the low-order byte of L[0],

etc., and L[c - 1] is padded with high-order zero bytes if necessary. (Note

that if b = 0 then c = 1 and L[0] = 0.) The number of w-bit words that will

be generated for the additive round keys is 2r + 4 and these are stored in the

array S[0,…,2r + 3].

Algorithm 2-1: Key schedule for RC6-w/r/b

Input: User-supplied b byte key preloaded into the c-word array L[0,…, c - 1]. Number r of rounds.

Output: w-bit round keys S[0,…, 2r + 3].

Procedure:

    S[0] = P_w
    for i = 1 to 2r + 3 do
        S[i] = S[i - 1] + Q_w
    A = B = i = j = 0
    v = 3 × max{c, 2r + 4}
    for s = 1 to v do {
        A = S[i] = (S[i] + A + B) <<< 3
        B = L[j] = (L[j] + A + B) <<< (A + B)
        i = (i + 1) mod (2r + 4)
        j = (j + 1) mod c
    }

The constants P32 = B7E15163 and Q32 = 9E3779B9 (hexadecimal)

are called the “magic constants”. The value of P32 is derived from the

binary expansion of e - 2, where e is the base of the natural logarithm

function. The value of Q32 is derived from the binary expansion of Φ - 1,

where Φ is the Golden Ratio. These values are somewhat arbitrary, and

other values could be chosen to give custom or proprietary versions of RC6

[8].

2.9.2 Encryption and decryption

Figure 2.9 depicts the RC6 encryption algorithm. RC6 works with

four w-bit registers A, B, C, D which contain the initial input plaintext as

well as the output ciphertext at the end of encryption. The first byte of

plaintext or ciphertext is placed in the least-significant byte of A; the last

byte of plaintext or ciphertext is placed into the most-significant byte of D.

The notation (A, B, C, D) = (B, C, D, A) is used to mean the parallel

assignment of values on the right to registers on the left [8].

Algorithm 2-2: Encryption with RC6-w/r/b

Input: Plaintext stored in four w-bit input registers A, B, C, D. Number r of rounds. w-bit round keys S[0,…,2r + 3].

Output: Ciphertext stored in A, B, C, D.

Procedure:

    B = B + S[0]
    D = D + S[1]
    for i = 1 to r do {
        t = (B × (2B + 1)) <<< lg w
        u = (D × (2D + 1)) <<< lg w
        A = ((A ⊕ t) <<< u) + S[2i]
        C = ((C ⊕ u) <<< t) + S[2i + 1]
        (A, B, C, D) = (B, C, D, A)
    }
    A = A + S[2r + 2]
    C = C + S[2r + 3]

Algorithm 2-3: Decryption with RC6-w/r/b

Input: Ciphertext stored in four w-bit input registers A, B, C, D. Number r of rounds. w-bit round keys S[0,…,2r + 3].

Output: Plaintext stored in A, B, C, D.

Procedure:
    C = C - S[2r + 3]
    A = A - S[2r + 2]
    for i = r downto 1 do
    {
        (A, B, C, D) = (D, A, B, C)
        u = (D × (2D + 1)) <<< lg w
        t = (B × (2B + 1)) <<< lg w
        C = ((C - S[2i + 1]) >>> t) ⊕ u
        A = ((A - S[2i]) >>> u) ⊕ t
    }
    D = D - S[1]
    B = B - S[0]

Figure 2.9 RC6 Encryption.

2.10 Hash Functions, Digital Signature and Message Authentication

Code

A hashing function h is a mapping from values x in some finite set X

into a value y contained in another (larger) set Y that mixes up the values x.

Hashing is a synonym for a (uniformly distributed) random mapping in

cryptography. A cryptographic hash function h(x) must provide the

following: [28]

Compression: For any size of input x, the output length of y = h(x) is

small. In practice, cryptographic hash functions produce a fixed size

output, regardless of the length of the input.

Efficiency: It must be easy to compute h(x) for any input x. The

computational effort required to compute h(x) will certainly grow

with the length of x, but it should not grow too fast.

One-way: Given any value y, it’s computationally infeasible to find a

value x such that h(x) = y.

Weak collision resistance: Given x and h(x), it’s infeasible to find y,

with y ≠ x, such that h(y) = h(x).

Strong collision resistance: It’s infeasible to find any x and y, with x

≠ y, such that h(x) = h(y).

A message digest is a hash function that derives a fixed-length hash

value for every message in some message domain. Hash functions are

widely used to protect against active attack (falsification of data and

transactions). Protection against such attacks is known as message

authentication. Message authentication can be achieved using Message

Authentication Code (MAC) [28, 19].

A message authentication code is an authentication technique that involves

the use of a secret key to generate a small block of data that is appended to

the message. This technique assumes that two communicating parties, say

A and B, share a common secret key K_AB. When A has a message to send

to B, it calculates the message authentication code as a function of the

message and the key: MAC_M = F(K_AB, M). The message plus code are

transmitted to the intended recipient. The recipient performs the same

calculation on the received message, using the same secret key, to generate

a new message authentication code. The received code is compared to the

calculated code (Figure 2.10). If it is assumed that only the receiver and the

sender know the identity of the secret key, and if the received code matches

the calculated code, then, [19]

1. The receiver is assured that the message has not been altered. If an

attacker alters the message but does not alter the code, then the

receiver's calculation of the code will differ from the received code.

Because the attacker is assumed not to know the secret key, the

attacker cannot alter the code to correspond to the alterations in the

message.

2. The receiver is assured that the message is from the alleged sender.

Because no one else knows the secret key, no one else could prepare

a message with a proper code.

3. If the message includes a sequence number then the receiver can be

assured of the proper sequence, as an attacker cannot successfully

alter the sequence number.

To authenticate a message using a hash function, the message digest

is sent with the message in such a way that the message digest is authentic.

Figure 2.10 illustrates three ways in which the message digest can be

authenticated [19].

The message digest can be encrypted using conventional encryption

(part (a)); if it is assumed that only the sender and receiver share the

encryption key, then authenticity is assured. The message can also be

encrypted using public-key encryption (part (b)). The public-key approach

has two advantages: It provides a digital signature as well as message

authentication; and it does not require the distribution of keys to

communicating parties.

The third technique uses a hash function but no

encryption for message authentication. This technique assumes that two

communicating parties, say A and B, share a common secret value S_AB.

When A has a message to send to B, it calculates the hash function over the

concatenation of the secret value and the message: MD_M = H(S_AB || M)

where || denotes concatenation. It then sends [M || MD_M] to B. Because B

possesses S_AB, it can recompute H(S_AB || M) and verify MD_M, and, because

the secret value itself is not sent, it is not possible for an attacker to modify

an intercepted message. As long as the secret value remains secret, it is also

not possible for an attacker to generate a false message [19].

Figure 2.10 Message authentication using a one-way hash function.

2.11 The UMAC Algorithm

UMAC is a Message Authentication Code Algorithm that uses a

universal hash-function family “NH” and a design which allows effective

exploitation of Single Instruction Multiple Data (SIMD) parallelism. The

“cryptographic” work of UMAC is done using standard primitives of the

user's choice, such as a block cipher or cryptographic hash function [29].

Universal hashing is a randomized algorithm for selecting a hash

function F with the following property: for any two distinct inputs x and y,

the probability that F(x)=F(y) (i.e. that there is a hash collision between x

and y) is the same as if F was a random function. Thus, if F has function

values in a range of size r, the probability of any particular hash collision

should be 1/r. There are universal hashing methods that give a function F

that can be evaluated in a handful of computer instructions [29].

UMAC has been designed with two main goals in mind: extreme

speed and provable security. It is parallelizable, and will have ever-faster

implementation speeds as machines offer up increasing amounts of

parallelism [29].

The algorithm works as follows: The parties share a secret and

randomly chosen hash function from the hash-function family, and a secret

encryption key. A message is authenticated by hashing it with the shared

hash function and then encrypting the resulting hash. The above approach

is a promising one for building a highly-secure and ultra-fast MAC. The

reasoning is like this: the speed of a universal-hashing MAC depends on

the speed of the hashing step and the speed of the encrypting step. But if

the hash function compresses messages well (i.e., its output is short) then

the encryption shouldn't take long simply because it is a short string that is

being encrypted. On the other hand, since the combinatorial property of the

universal hash-function family is mathematically proven, it needs no “over-

design” or “safety margin” the way a cryptographic primitive would. Quite

the opposite: the hash-function family might as well be the fastest, simplest

thing that one can prove universal [29].

Equally important, the above approach makes for desirable security

properties. Since the cryptographic primitive is applied only to the (much

shorter) hashed image of the message, a cryptographically conservative

design for this step can be selected at the cost of only a minor impact on

speed. The fact that the underlying cryptographic primitive is used only on

short and secret messages eliminates many avenues of attack [29].
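The verification flow of §2.10 (recompute the code, compare, check the sequence number) and the hash-then-encrypt structure of §2.11 can be seen together in the following added Python sketch, which is not code from the thesis or from the UMAC specification. It is a simplified Wegman-Carter style MAC, not UMAC itself: the NH-style hash is a single pass, SHAKE-256 and HMAC-SHA256 stand in for key derivation and for the encryption step, and all function names are assumptions.

```python
import hashlib
import hmac
import struct

M32, M64 = 2**32 - 1, 2**64 - 1
MAX_WORDS = 256                      # toy limit: messages up to 1024 bytes


def derive_keys(shared_secret):
    """Expand the shared secret into (NH key words, pad key).
    SHAKE-256 is an assumption of this sketch, not part of the thesis."""
    stream = hashlib.shake_256(shared_secret).digest(4 * MAX_WORDS + 32)
    nh_key = struct.unpack("<%dI" % MAX_WORDS, stream[:4 * MAX_WORDS])
    return nh_key, stream[4 * MAX_WORDS:]


def nh_hash(nh_key, msg):
    """NH-style universal hash: pairs of 32-bit words are offset by key words,
    multiplied, and summed modulo 2^64. The bit length is added so that
    messages differing only in zero padding hash differently."""
    if len(msg) > 4 * MAX_WORDS:
        raise ValueError("message too long for this toy key")
    padded = msg + b"\0" * (-len(msg) % 8)
    words = struct.unpack("<%dI" % (len(padded) // 4), padded)
    acc = 0
    for i in range(0, len(words), 2):
        a = (words[i] + nh_key[i]) & M32
        b = (words[i + 1] + nh_key[i + 1]) & M32
        acc = (acc + a * b) & M64
    return (acc + 8 * len(msg)) & M64


def make_tag(keys, seq, msg):
    """Tag = universal hash of the message, masked by a keyed pad that is
    unique per sequence number (the short 'encrypt the hash' step)."""
    nh_key, pad_key = keys
    pad = hmac.new(pad_key, struct.pack(">Q", seq), hashlib.sha256).digest()[:8]
    masked = (nh_hash(nh_key, msg) + int.from_bytes(pad, "big")) & M64
    return struct.pack(">Q", masked)


class Receiver:
    """Recomputes the code and enforces strictly increasing sequence numbers."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = -1

    def accept(self, seq, msg, tag):
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(make_tag(self.keys, seq, msg), tag):
            return False             # altered message, altered seq, or wrong key
        if seq <= self.last_seq:
            return False             # authentic but replayed or out of order
        self.last_seq = seq
        return True


if __name__ == "__main__":
    keys = derive_keys(b"constructed shared secret K_AB")   # constructed sample
    rx = Receiver(keys)
    tag = make_tag(keys, 1, b"pay 100 to Bob")
    print(rx.accept(1, b"pay 900 to Bob", tag))   # altered message
    print(rx.accept(1, b"pay 100 to Bob", tag))   # genuine
    print(rx.accept(1, b"pay 100 to Bob", tag))   # replay
```

Only the 8-byte hash output passes through the keyed primitive, which is the reason the section gives for the construction's speed.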

2.12 Pseudorandom Number Generator (PRNG)

There are many situations in cryptography where it is important to be

able to generate random numbers, bit-strings, etc. For example,

cryptographic keys are to be generated at random from a specified key

space, and many protocols require random numbers to be generated during

their execution. Generating random numbers by means of physical

processes is time-consuming and expensive, so in practice it is common to

use a pseudo-random number generator (or PRNG). A PRNG starts with a

random number (a seed) and expands it into a long “random-looking”

number sequence. Thus a PRNG reduces the amount of random numbers

that are required in an application [30]. Traditionally, the concern in the

generation of a sequence of allegedly random numbers has been that the

sequence of numbers be random in some well-defined statistical sense. The

following two criteria are used to validate that a sequence of numbers is

random: [1]

Uniform distribution: The distribution of numbers in the sequence

should be uniform; that is, the frequency of occurrence of each of the

numbers should be approximately the same.

Independence: No one value in the sequence can be inferred from the

others.

Well known examples of PRNG are Linear Congruential Generators

(LCG), Blum Blum Shub (BBS) Generator and cryptographically generated

random numbers like cyclic encryption. [30, 1]

2.13 Cryptanalysis

Cryptanalysis is the discipline of deciphering a ciphertext without

having access to the key, usually by recovering more or less directly the

plaintext or even the key used, in cases favorable for the attacker by

reconstructing the whole cryptosystem used. This being the worst case

possible for the attacked side, an acceptable level of security should rest

completely in the key (Kerckhoffs’ law) [2].

A brute force attack or exhaustive key search is the attack in which

all possible keys are tried out to decrypt a ciphertext (knowing or guessing

the cryptosystem used). At present, with the still growing speed of

supercomputers, every 10 years the number of trial and error steps that is

feasible is increased by a factor of roughly 25. In a ciphertext-only attack,

only one or more ciphertexts under the same key are known. In a known-

plaintext attack one knows one or more matching pairs of plaintext–

ciphertext. Frequently, this attack is carried out with rather short fragments

of the plaintext (e.g., probable words and phrases). In a chosen plaintext

attack one can choose plaintexts and obtain the corresponding ciphertexts.

Sometimes this can be done with the provision that the plaintexts may be

chosen in a way that depends on the previous encryption outcomes. How to

impose the plaintext on the adversary is not a cryptographer’s problem, but

is a problem of misleading the adversary and is to be executed by the secret

services. Finally, in a chosen-ciphertext attack there is the possibility to

choose different ciphertexts to be decrypted, with the cryptanalyst having

access to the decrypted plaintext. An example may be the investigation of a

tamperproof decryption box, with the hope of finding the key [2].

Cryptanalysis encountered four developments. The first development

is differential cryptanalysis. This technique can be used to attack any block

cipher. It works by beginning with a pair of plaintext blocks that differ in

only a small number of bits and watching carefully what happens on each

internal iteration as the encryption proceeds. In many cases, some bit

patterns are much more common than other patterns, and this observation

leads to a probabilistic attack.

The second development worth noting is linear cryptanalysis. It

works by XORing certain bits in the plaintext and ciphertext together and

examining the result for patterns. When this is done repeatedly, half the bits

should be 0s and half should be 1s. Often, however, ciphers introduce a

bias in one direction or the other, and this bias, however small, can be

exploited to reduce the work factor.

The third development is using analysis of the electrical power

consumption to find secret keys. Computers typically use 3 volts to

represent a 1 bit and 0 volts to represent a 0 bit. Thus, processing a 1 takes

more electrical energy than processing a 0. If a cryptographic algorithm

consists of a loop in which the key bits are processed in order, an attacker

who replaces the main n-GHz clock with a slow (e.g., 100-Hz) clock and

puts alligator clips on the CPU's power and ground pins, can precisely

monitor the power consumed by each machine instruction. From this data,

deducing the key is surprisingly easy. This kind of cryptanalysis can be

defeated only by carefully coding the algorithm in assembly language to

make sure power consumption is independent of the key and also

independent of all the individual round keys.

The fourth development is timing analysis. Cryptographic algorithms

are full of if statements that test bits in the round keys. If the then and else

parts take different amounts of time, by slowing down the clock and seeing

how long various steps take, it may also be possible to deduce the round

keys. Once all the round keys are known, the original key can usually be

computed. Power and timing analysis can also be employed simultaneously

to make the job easier. While power and timing analysis may seem exotic,

in reality they are powerful techniques that can break any cipher not

specifically designed to resist them. [2, 7]

Chapter Three

Scrambling and Encrypting with Cipher Parameter Hopping

Algorithm

3.1 Introduction

The proposed algorithm Scrambling and Encrypting with Cipher

Parameters Hopping (SECPH) is presented in this chapter. The security of

SECPH is discussed and compared to other existing algorithms. Also,

advantages and features of SECPH are presented.

A data encryption algorithm would not be of much use if it is secure

enough but slow in performance because it is a common practice to embed

encryption algorithms in other applications such as e-commerce, banking,

and online transaction processing applications. Other important features

are the ease of implementation and use, clarity of the design and

flexibility in its implementation.

Encryption algorithms are implemented in hardware and software and

replacing an existing one with a new, more secure and efficient one is not an

easy job. One way to make a feasible implementation and use of an

algorithm is to build it using existing cryptographic primitives.

The aim of this chapter is to design an encryption algorithm that

provides both high security and high performance. Also, other features

such as flexibility, simplicity and ease of implementation are taken into

account when designing the algorithm.

3.2 General description of the proposed algorithm

The block diagram of the proposed algorithm is shown in Figure 3.1.

It is composed of two main blocks: a scrambler and a block cipher with

parameters hopping and hence the name “Scrambling and Encrypting with

Cipher Parameters Hopping (SECPH) algorithm”.

A scrambler like that described in [13] is used with three differences

discussed later in §3.5.

Cipher Parameter Hopping (CPH) is a technique in which a parameterized

block cipher, such as RC6, is used to encrypt/decrypt each block of

plaintext/ciphertext with one of r different parameter sets.

These different parameter sets are defined as a part of the encryption

algorithm and are publicly known according to Kerckhoffs’ law: “No

inconvenience should occur if the cryptosystem falls into the hands of the

enemy” [2]. The “hopping” of the parameter sets is made according to a

pseudorandom sequence generated by a cryptographically secure PRNG with a

seed that is kept secret and shared between the two communicating parties.

The PRNG used is any cryptographically secure one with good performance.

Since the generated sequence is pseudorandom (i.e. it is

deterministic: given the same initial seed, the same sequence is

generated), the decryption process can be done easily using the same

parameter set used for encrypting each block.

The parameter set includes encryption key length, number of rounds

and word size. The block cipher used must be parameterized, that is, it

supports multiple values for each of the parameters mentioned above.

Figure 3.1 Block diagram of the SECPH algorithm.

The block cipher may be operated in any defined mode of operation

(e.g. ECB, CBC, etc.).

The principal goal guiding the design of the SECPH algorithm is security against unauthorized attacks. However, for the SECPH algorithm to be useful for practical applications, performance is also an important concern. So, given a fixed level of security, the goal is to optimize performance. Other important features are clarity of the design and flexibility in its implementation.

The SECPH algorithm is a fully parameterized algorithm since it is composed of parameterized units, and hence it is flexible and has multiple levels of security/performance. More discussion on the features of the SECPH algorithm is found in §3.6.

3.3 Cipher Parameter Hopping (CPH) technique

The main purpose of CPH is to allow the use of different cipher parameters with different levels of security and performance to improve the overall security and performance. That is, a cipher version with a high security level is used to encrypt some message blocks, and a version of the same cipher with a lower security level and higher performance is used to encrypt the other blocks. For example, different key lengths may be used to encrypt different blocks, so some blocks will be encrypted using a key of, for example, 128-bit length while other blocks will be encrypted using a key of 64-bit length, which is less secure than the former but faster. To improve the overall security, some technique must be used to make it impossible to decrypt any block of the message without decrypting the entire message. This is done using the package transform or a scrambler.

The package transform was suggested in [12] as a pre-processing

step to an ordinary encryption mode. It makes the brute-force search

(exhaustive key search) slower by a factor equal to the number of blocks in

the cipher text. However, the cost of the package transform is

approximately twice the cost of the actual encryption [12].

A scrambling scheme was suggested in [13]. It has the property that

no information can be gained on the pre-image of a scrambling as soon as

any block is missing. The two preprocessing steps (the package transform

and the scrambler) are interchangeable: the package transform could be

followed by a single encryption, and the scrambling yields an all-or-

nothing encryption mode. However, the motivations of the two notions are

very different [13].

The goal of the scrambler is to design a scheme which minimizes

encryption with a given key, while the goal of the package transform is to

make brute-force attack more difficult to an adversary. So, on one hand,

the scrambler increases the performance since it allows encrypting only

one block with a security equivalent to encrypting the entire message. On

the other hand, the package transform increases the security but it requires

encrypting the entire message. The purpose of the CPH is to achieve the

two goals using a cipher version with high security level to encrypt some

message blocks and the same cipher with less security level and higher

performance version to encrypt the other blocks. Hence, the requirement of

the package transform to encrypt the entire message is achieved and the

scrambler advantage of minimizing the encryption is utilized by the use of

the high performance cipher versions to encrypt some message blocks. As

a final note, it should be noticed that the scrambler is much more efficient

than the package transform, notably because the scrambler does not use

encryption during the preprocessing step in contrast to the package

transform. For this reason, the scrambler used in SECPH is similar to that

in [13] with some differences discussed in the following section.

So, in CPH, to break any block encrypted using a cipher with some

parameters, the cryptanalyst has to break all the other blocks encrypted

using that cipher with the other parameters. This requires the cryptanalyst

to know the hopping sequence (to break the PRNG) and to break the

scrambler which makes SECPH provably secure in the sense that attacks

which find its key would yield attacks on one or more of the underlying

components.

Other than the exhaustive key search, the cryptanalyst has to try all the combinations of the cipher’s parameters to break SECPH (this is because the descrambling process requires all the blocks of the encrypted message to be decrypted with the same sequence of cipher parameters hopping used to encrypt the message). So, if r different sets of parameters are used to encrypt an n-block message using a block cipher, then the time required for this type of attack is equal to

T = r^n × t_avg    (3-1)

where t_avg is the average time required to break that block cipher with these r different sets of parameters (assuming the use of a uniform PRNG to determine the hopping sequence). However, since there must be a secret and shared key that determines the hopping sequence (hopping key) in order to recover (decrypt) the message, exhaustive key search regarding the seed of the PRNG (in addition to cipher and scrambler keys) may be the best attack on SECPH (assuming r^n > 2^k where k is the length of the block cipher key, e.g. if r = 8, block size = 16 bytes and k = 128 bits then n > 43, which gives a minimum message length of 688 bytes).

The number of different sets of parameters (r) was selected to be 8

but it can be any other number.

Parameters Set      Key length   Block size   No. of rounds
Parameters Set 1    128-bit      128-bit      20
Parameters Set 2    128-bit      128-bit      18
Parameters Set 3    128-bit      128-bit      16
Parameters Set 4    128-bit      128-bit      14
Parameters Set 5    128-bit      128-bit      12
Parameters Set 6    128-bit      128-bit      10
Parameters Set 7    128-bit      128-bit      8
Parameters Set 8    128-bit      128-bit      6

Table 3.1 Parameters sets used in CPH.

The block cipher used in SECPH is RC6 block cipher. It was

submitted by RSA Laboratories to NIST as a candidate for the AES. It was

one of the five finalists in the second round of evaluation. All of the

selected RC6 versions (RC6 block cipher with different sets of parameters)

have the same 128-bit encryption key but they differ in the number of

rounds which vary from 20 rounds to 6 rounds as in Table 3.1. RC6 was

selected due to many features it has: [8, 10]

Simplicity and adequate security: RC6 was the simplest of the AES

finalists, and as a result it received considerable cryptanalytic

scrutiny. NIST adjudged all five finalist algorithms, including

RC6, to have “an adequate security margin”. It uses four working

registers, and its structure includes integer multiplication as an

additional primitive operation. The use of multiplication greatly

increases the diffusion achieved per round, allowing for greater

security. In addition, the heavy use of data-dependent rotations in

encryption in RC6 is very useful in preventing differential and linear

cryptanalysis.

High performance: RC6 uses integer multiplication which greatly

increases the diffusion achieved per round, allowing for fewer

rounds, and increased throughput. In ‘C’ implementations, and hand-

optimized assembly on Pentium II, Pentium Pro, Pentium III, and

PowerPC, RC6 generally out-performs Rijndael (the AES). At times

the performance figures are roughly comparable, but the difference

in performance can sometimes amount to a factor of two or more.

On some other processors RC6 performs at up to a factor of two

faster than Rijndael. Support for the 32-bit multiplication seems to

most determine the performance of RC6. In chapter four, the

performance of SECPH is compared to that of RC6 (an AES

candidate) and Rijndael (AES).

Ease of implementation: from the description of the algorithm given

in §2.9, RC6 is remarkably compact. It was estimated that for Intel's

Pentium Pro microprocessor, a fast assembly language

implementation of RC6 could easily be written with well under 256

bytes of code each for the tasks of key setup, block encryption, and

block decryption. Unlike many other encryption algorithms, RC6

does not use look-up tables during encryption. This means that RC6

code and data can readily fit within today's on-chip cache memory,

and typically do so with room to spare. For a key of 128 bit length,

RC6 encryption and decryption make use of a 176-byte key schedule

and a bare minimum of additional memory; to compute that 176-

byte key schedule, the RC6 key setup process requires little more

than an auxiliary array of approximately the same size as the user's

supplied key. In addition, since the key schedule is only 176 bytes, it

is possible to precompute and store the key schedules for hundreds

of keys. Then switching to one of these keys only requires switching

the pointer to the relevant key schedule, thereby providing key

agility. Further, it can be noticed that the structure of RC6 allows

one to exploit a certain degree of parallelism in the encryption and

decryption routines. For example, in algorithms 2-2 and 2-3, the

computation of t and u at each round can be computed in parallel as

can the updates of A and C. As processors move to include an

increasing amount of internal parallelism (e.g., with the move to

superscalar architectures), implementations of RC6 should show

increased throughput.

Flexibility: as it was observed, RC6 is a fully parameterized family

of encryption algorithms. It provides the user with a great amount of

flexibility with regards to the size of the encryption key, the number

of rounds and the word size of the basic computational unit. RC6 is

based around the use of 32-bit words (giving a block size of 128

bits); future developments and market demand might encourage an

extension of RC6 to other block sizes. Of most importance may be

block sizes of 256 bits which would take advantage of a word size

of 64 bits and the performance offered by the next generation of

system architectures.

3.4 The Scrambler

As mentioned above, the scrambler used in SECPH is similar to that

in [13]. However, there are three differences:

In [13] the quadratic construction H(x) was defined as being the

concatenation of the Hi(x) so that the size of H(x) matches the size of x:

H(x) = H0 || H1 || … || Hn/( −1) 3-2

Where Hi is defined as

Hi(x) = h(t || i || h(x)), 3-3

|| denotes the concatenation, x is a message of size n, h() be an ideal

hash function, is the size of the hash produced by this function, and t is a

tag designated specifically for this usage of the hash function, and which

can include a specific number and the length of x. The above construction

allows building a pseudo-random stream of the same size of the message

without relying on other assumptions than idealness of the hash function.

In SECPH, for efficiency reasons, the above quadratic construction, H(x),

is replaced by a faster one, namely a pseudorandom number sequence of a

stream cipher with a single regular MAC of the message (using a shared

key) as a seed (key). It could be noticed that the scrambler in SECPH is

much faster than that suggested in [13] since the quadratic function H(x) in

[13] requires computing the hash function Hi(x) for n/( -1) which is

slower than the PRNG of the stream cipher used in SECPH.

Another difference is that the scrambler in SECPH adds security

since it uses a key for the scrambling process, in contrast to that suggested in

[13].


The third difference is that the random IV which is of the form U ||

h(M, U) is discarded since its function is not necessary in SECPH.

3.4.1 The scrambling scheme

The scrambling scheme is illustrated in Figure 3.2 and goes as

follows:

First the message (M) is divided into two halves Ma and Mb, then

the MAC of Ma is computed using the scrambler key (64-bit length) and

fed to the PRNG as a seed. The PRNG generates a pseudorandom

sequence that has a length equal to that of Mb and it is XORed with Mb to

produce Sb. Since the PRNG used is that of a stream cipher then the

generation of the pseudorandom sequence and the XORing process can be

viewed as encryption using the stream cipher with the MAC as encryption

key. Sa is computed using the same scheme but, here, Sb is used instead of

Mb. So MAC of Sb is computed using the scrambler key and used as an

encryption key to the stream cipher to encrypt Ma and produce Sa. The

scrambled message is the concatenation of Sa and Sb that is:

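$S = S_a \,\|\, S_b$ (3-4)

where:

$S_b = S_{\mathrm{MAC}_1}(M_b)$, (3-5)

$S_a = S_{\mathrm{MAC}_2}(M_a)$, (3-6)

$\mathrm{MAC}_1 = \mathrm{MAC}_{K_S}(M_a)$, (3-7)

$\mathrm{MAC}_2 = \mathrm{MAC}_{K_S}(S_b)$, (3-8)

$\mathrm{MAC}_{K_S}(\cdot)$ is a MAC algorithm with a key $K_S$,

$K_S$ is the 64-bit scrambler key,

$S_K(\cdot)$ is the encryption using the stream cipher with a key $K$.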


In Figure 3.2 the same scrambler key is used for computing Sa and

Sb, however one can use different keys, namely KS1, KS2, to increase the

key length and hence the security associated with the scrambler without

any effect on the performance of the scheme.

Figure 3.2 The scrambling scheme.

Algorithm 3-1: Scrambling Scheme

Input: Unscrambled message M
       Message length messageLength
       Scrambling key KS.
Output: Scrambled message S.
Procedure:
    halfLength = messageLength / 2
    Ma = getFirstHalf(M)
    Mb = getSecondHalf(M)
    initializeMAC(KS)
    Key = MAC(Ma)
    initializeStreamCipher(Key, halfLength)
    Sb = streamCipherEncrypt(Mb)
    Key = MAC(Sb)
    initializeStreamCipher(Key, halfLength)
    Sa = streamCipherEncrypt(Ma)
    S = merge(Sa, Sb)

3.4.2 The Descrambling Scheme

Ma and Mb can be recovered easily from Sa and Sb. From equation 3-6:

$M_a = S'_{\mathrm{MAC}_2}(S_a)$, (3-9)

and from equation 3-5:

$M_b = S'_{\mathrm{MAC}_1}(S_b)$, (3-10)

using the same definitions of symbols as for equations 3-5 and 3-6, where $S'_K(\cdot)$ is the decryption using the stream cipher with a key $K$.

Algorithm 3-2: Descrambling Scheme

Input: Scrambled message S
       Message length messageLength
       Scrambling key KS.
Output: Unscrambled message M.
Procedure:
    halfLength = messageLength / 2
    Sa = getFirstHalf(S)
    Sb = getSecondHalf(S)
    initializeMAC(KS)
    Key = MAC(Sb)
    initializeStreamCipher(Key, halfLength)
    Ma = streamCipherDecrypt(Sa)
    Key = MAC(Ma)
    initializeStreamCipher(Key, halfLength)
    Mb = streamCipherDecrypt(Sb)
    M = merge(Ma, Mb)

The descrambling scheme is illustrated in Figure 3.3.

Figure 3.3 The descrambling scheme.

From Figures 3.2 and 3.3 it can be seen that the descrambling scheme and the scrambling scheme are the same if the two halves of the input of the descrambling scheme (the scrambled message) are swapped, and the two halves of its output are swapped too.

In addition, one can notice that the scrambler uses a stream cipher as a main component. However, there is a significant difference between the scrambler and the stream cipher: the key of the stream cipher used in the scrambler is generated using the MAC of the message with the scrambler key, not only the key as is the case in the ordinary stream cipher. This makes the scrambler more secure and practical than the stream cipher because it can be used to scramble more than one message using the same key without decreasing its security, while a stream cipher cannot be used to encrypt more than one message using the same key, as illustrated in §2.6.

From the discussion of the CPH and the scrambler, four functions

can be figured out for the scrambler:

It allows the encryption of only one block with a security equivalent

to encrypting the entire message. This greatly improves the

performance of the SECPH. In addition, it improves the security if

different blocks are encrypted using different versions of the cipher.

It yields an all-or-nothing encryption mode since the descrambling

process depends on the entire scrambled message (the cryptanalyst

cannot tell if the data obtained from decrypting one block is the

desired data until decrypting all the other blocks). So, encrypting the

entire message increases the difficulty of exhaustive key search by a

factor equal to the number of blocks in the ciphertext.

It increases the key length (and hence the security) of SECPH since

it uses a key for the scrambling process.

It greatly increases the desired property of diffusion of the SECPH,

that is, redundancy in the statistics of the unscrambled message is

dissipated in the statistics of the scrambled message. This is because


the scrambler output statistics depend on the statistics of the

stream cipher output not on the statistics of the unscrambled

message. In addition, changing one bit in the unscrambled message

results in changing about 50% (if the bit changed is in the second

half of the unscrambled message) or 100% (if the bit changed is in

the first half of the unscrambled message) of the scrambled message.

If the scrambled message is encrypted using an encryption mode

other than ECB and the encryption is started from the second half of

the scrambled message, then the effect of changing one bit in the

unscrambled message results in changing about 100% of the SECPH

output regardless of the position of changed bit in the unscrambled

message. This can be seen in the experimental results in chapter 4.
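The scrambling and descrambling schemes of Algorithms 3-1 and 3-2, together with the swap symmetry and the one-bit-change behaviour described above, as an added Python example that is not the thesis's own code. It assumes stand-ins for the components: HMAC-SHA256 replaces UMAC and a SHAKE-256 keystream replaces SEAL; all function names, the sample message and the sample key are constructed for illustration.

```python
import hashlib
import hmac


def mac(ks: bytes, data: bytes) -> bytes:
    """MAC_KS(data). Stand-in: HMAC-SHA256 (the thesis uses UMAC)."""
    return hmac.new(ks, data, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """S_K(data) and S'_K(data): XOR with a keystream seeded by key.
    Stand-in: SHAKE-256 output (the thesis uses SEAL)."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def scramble(m: bytes, ks: bytes) -> bytes:
    """Algorithm 3-1: S = Sa || Sb. Odd lengths put the extra byte in Mb."""
    half = len(m) // 2
    ma, mb = m[:half], m[half:]
    sb = stream_xor(mac(ks, ma), mb)   # eq. 3-5, keyed by MAC1 = MAC_KS(Ma)
    sa = stream_xor(mac(ks, sb), ma)   # eq. 3-6, keyed by MAC2 = MAC_KS(Sb)
    return sa + sb


def descramble(s: bytes, ks: bytes) -> bytes:
    """Algorithm 3-2: recover Ma first (needs only Sb), then Mb."""
    half = len(s) // 2
    sa, sb = s[:half], s[half:]
    ma = stream_xor(mac(ks, sb), sa)   # eq. 3-9
    mb = stream_xor(mac(ks, ma), sb)   # eq. 3-10
    return ma + mb


def swap_halves(x: bytes) -> bytes:
    half = len(x) // 2
    return x[half:] + x[:half]


def descramble_via_scramble(s: bytes, ks: bytes) -> bytes:
    """Swap symmetry noted for Figures 3.2 and 3.3 (even-length input)."""
    return swap_halves(scramble(swap_halves(s), ks))


def bit_diff(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(m: bytes, index: int) -> bytes:
    out = bytearray(m)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def avalanche(m: bytes, ks: bytes, bit_index: int):
    """Fraction of flipped bits in (Sa, Sb) after flipping one bit of M."""
    half = len(m) // 2
    s0 = scramble(m, ks)
    s1 = scramble(flip_bit(m, bit_index), ks)
    return (bit_diff(s0[:half], s1[:half]) / (8 * half),
            bit_diff(s0[half:], s1[half:]) / (8 * (len(m) - half)))


def mb_keystream_shared(m1: bytes, m2: bytes, ks: bytes) -> bool:
    """For equal-length messages with the same first half, check whether
    Sb1 xor Sb2 equals Mb1 xor Mb2 (same MAC1, hence same keystream)."""
    half = len(m1) // 2
    sb1, sb2 = scramble(m1, ks)[half:], scramble(m2, ks)[half:]
    return stream_xor(sb1, sb2) != b"" and all(
        (a ^ b) == (c ^ d)
        for a, b, c, d in zip(sb1, sb2, m1[half:], m2[half:]))


# Constructed sample input: 64-bit scrambler key and a 2048-byte message.
SAMPLE_KS = bytes.fromhex("0123456789abcdef")
SAMPLE_M = bytes(range(256)) * 8

if __name__ == "__main__":
    s = scramble(SAMPLE_M, SAMPLE_KS)
    print("round trip ok:", descramble(s, SAMPLE_KS) == SAMPLE_M)
    print("bit flipped in Mb -> (Sa, Sb):", avalanche(SAMPLE_M, SAMPLE_KS, 8 * 1024 + 5))
    print("bit flipped in Ma -> (Sa, Sb):", avalanche(SAMPLE_M, SAMPLE_KS, 5))
```

A one-bit change in Mb flips exactly one bit of Sb and about half of the bits of Sa, which is the "about 50%" case above, while a change in Ma re-keys both halves. By equations 3-5 and 3-7 the keystream applied to Mb depends only on KS and Ma, which mb_keystream_shared() makes visible for two messages that share their first half.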

3.4.3 The Scrambler’s MAC algorithm

The MAC algorithm used in the scrambler is the UMAC introduced

in [29]. It uses a universal hash-function family, NH, and a design which

allows effective exploitation of SIMD parallelism. The cryptographic work

of UMAC is done using RC6 block cipher with 64-bit key and 20 rounds.

UMAC was designed to achieve two main goals: extreme speed and

provable security. It was selected due to many features it has: [29]

Proven security: the security of UMAC is rigorously proven, in the

sense of giving exact and quantitatively strong results which

demonstrate an inability to forge UMAC-authenticated messages

assuming an inability to break the underlying cryptographic

primitive which is RC6 in the case of SECPH. The use of a universal

hash-function family is a promising one for building a highly-secure


MAC. Since the cryptographic primitive is applied only to the (much

shorter) hashed image of the message, a cryptographically

conservative design for this step could be selected with only a minor

impact on speed.

Extreme speed: UMAC can authenticate messages roughly an order

of magnitude faster than other MAC algorithms (e.g., HMAC –

Hash based Message Authentication Code and SHA1 - Secure

Hashing Algorithm), and about twice as fast as times previously

reported for the universal hash-function family MMH (Multilinear

Modular Hashing). To achieve such speeds, UMAC uses a design

which allows effective exploitation of SIMD parallelism in addition

to the use of a universal hash-function family, NH.

Flexibility: UMAC depends on a few different parameters. Some of

them are the word size, block size, the pseudorandom function used

(such as HMAC-SHA1) and the cryptographic standard primitive

used (such as a block cipher or cryptographic hash function). This

allows more flexibility in design and implementation of SECPH.

Also it provides different choices regarding the tradeoff between the

security level and the performance.

3.4.4 The Scrambler’s Stream Cipher

The stream cipher used is SEAL (Software optimized Encryption

ALgorithm) stream cipher. SEAL is a fast software stream cipher designed

by P. Rogaway and D. Coppersmith in 1993, and patented by IBM. It has

been designed to be really efficient in its software implementation, mainly

for 32-bit processors. It is a length-increasing pseudorandom function that


maps a 32-bit sequence number n to an L-bit keystream, under control of a

160-bit secret key [32, 2, 20].

3.5 The PRNG

The PRNG used in SECPH is ISAAC, which is one of a sequence of new pseudorandom number generators developed in [31]. ISAAC requires an amortized 18.75 instructions to produce each 32-bit value. There are no cycles in ISAAC shorter than $2^{40}$ values and the results of ISAAC are unbiased and uniformly distributed, so it is cryptographically secure. There are no bad initial states. The internal state has 8288 bits, so the expected cycle length is $2^{8287}$ calls (or $2^{8295}$ 32-bit values). Deducing the internal state appears to be intractable. The code is easy to memorize and it is optimized for speed [31].

3.6 SECPH Encryption Algorithm

The encryption process begins when the two communicating parties share the necessary secret information, such as the encryption key (256-bit length) and the block cipher's IV (if it runs in a mode of operation that requires an IV). This can be done using a hybrid cryptosystem, that is, using a public key cryptosystem scheme like RSA to securely share this information. Using this cryptosystem enables combining the efficient encryption of the symmetric cryptosystem and the ease of key sharing and distribution of the asymmetric cryptosystem.

After the key exchange process is completed, SECPH can start

encrypting the data (plaintext message) using that key (which is named

here the main key). First, the 256-bit main key is divided into three

portions as illustrated in Figure 3.1. The first portion (64 bit) represents the


scrambler key while the second (64 bit) is the hopping key (PRNG’s seed)

and the third (128 bit) is the block cipher key. Then, the plaintext message

is scrambled using the scrambling scheme presented in algorithm 3-1 with

the scrambler key. As mentioned previously, the output of this stage,

which is the scrambled message, is fed to the other stage, the CPH.

The second 64-bit portion of the main key is the hopping key which

is the seed used to initialize the ISAAC PRNG whose output determines

the hopping sequence of RC6 block cipher parameters to be used. So, each

block of the scrambled message is encrypted using one version of RC6

block cipher (RC6 with specific parameters) which is selected, from r=8

different versions, according to the corresponding pseudorandom value

generated by ISAAC PRNG.

All versions of the RC6 block cipher may use the same 128-bit key

and differ in another parameter, the number of rounds (however, a different

key may be used for each version or for any number of them). The output of

these RC6 versions is the final output, namely the ciphertext message.

Algorithm 3-3: SECPH Encryption

Input: Plaintext message P
       Message length messageLength
       Main key K.
       RC6 IV IVRC6
Output: Ciphertext message C.
Procedure:
    nBlocks = messageLength / cipherBlockSize
    Kscrambler = getFirstPortion(K)
    KPRNG = getSecondPortion(K)
    initializeScrambler
    S = scramble(P, messageLength, Kscrambler)
    initializePRNG(KPRNG)
    for i = 1 upto nBlocks do
    {
        randomValue = generateNextPRN()
        RC6Version = getRC6Version(randomValue)
        C[i] = encrypt(RC6Version, S[i], IVRC6)
    }

3.7 SECPH Decryption Algorithm

The decryption scheme is similar to the encryption scheme. The

only difference is that the scrambling algorithm is replaced by

descrambling algorithm and encryption is replaced by decryption. Also

decryption (with CPH) is done before descrambling. This is illustrated in

Figure 3.4. The algorithm is listed below.

Algorithm 3-4: SECPH Decryption

Input: Ciphertext message C
       Message length messageLength
       Main key K.
       RC6 IV IVRC6
Output: Plaintext message P.
Procedure:
    nBlocks = messageLength / cipherBlockSize
    Kscrambler = getFirstPortion(K)
    KPRNG = getSecondPortion(K)
    initializePRNG(KPRNG)
    for i = 1 upto nBlocks do
    {
        randomValue = generateNextPRN()
        RC6Version = getRC6Version(randomValue)
        S[i] = decrypt(RC6Version, C[i], IVRC6)
    }
    initializeDescrambler
    P = descramble(S, messageLength, Kscrambler)
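The per-block parameter hopping of Algorithms 3-3 and 3-4, with a from-scratch RC6-32/r/16, as an added Python example that is not the thesis's own code. Assumptions: SHA-256 in counter mode stands in for ISAAC, the round table for the r=8 versions and the modulo-8 version mapping are constructed, blocks are encrypted independently (no IV or chaining), and the input is an already scrambled message whose length is a multiple of 16 bytes.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9                  # RC6 constants for w = 32
ROUND_TABLE = (12, 14, 16, 18, 20, 22, 24, 26)     # constructed: rounds of the 8 versions


def rotl(x: int, n: int) -> int:
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x: int, n: int) -> int:
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK


def rc6_key_schedule(key: bytes, rounds: int) -> list:
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    t = 2 * rounds + 4
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc6_encrypt_block(S: list, rounds: int, block: bytes) -> bytes:
    A, B, C, D = struct.unpack("<4I", block)
    B, D = (B + S[0]) & MASK, (D + S[1]) & MASK
    for i in range(1, rounds + 1):
        t = rotl((B * (2 * B + 1)) & MASK, 5)
        u = rotl((D * (2 * D + 1)) & MASK, 5)
        A = (rotl(A ^ t, u) + S[2 * i]) & MASK
        C = (rotl(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A
    A, C = (A + S[2 * rounds + 2]) & MASK, (C + S[2 * rounds + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


def rc6_decrypt_block(S: list, rounds: int, block: bytes) -> bytes:
    A, B, C, D = struct.unpack("<4I", block)
    C, A = (C - S[2 * rounds + 3]) & MASK, (A - S[2 * rounds + 2]) & MASK
    for i in range(rounds, 0, -1):
        A, B, C, D = D, A, B, C
        u = rotl((D * (2 * D + 1)) & MASK, 5)
        t = rotl((B * (2 * B + 1)) & MASK, 5)
        C = rotr((C - S[2 * i + 1]) & MASK, t) ^ u
        A = rotr((A - S[2 * i]) & MASK, u) ^ t
    D, B = (D - S[1]) & MASK, (B - S[0]) & MASK
    return struct.pack("<4I", A, B, C, D)


def split_main_key(main_key: bytes):
    """256-bit main key -> (scrambler key 64, hopping key 64, cipher key 128)."""
    if len(main_key) != 32:
        raise ValueError("main key must be 256 bits")
    return main_key[:8], main_key[8:16], main_key[16:]


def hop_sequence(hop_key: bytes, n_blocks: int) -> list:
    """Version index per block. Stand-in PRNG: SHA-256(hop_key || counter);
    the thesis seeds ISAAC with the hopping key instead."""
    seq = []
    for i in range(n_blocks):
        digest = hashlib.sha256(hop_key + struct.pack("<Q", i)).digest()
        seq.append(int.from_bytes(digest[:4], "little") % len(ROUND_TABLE))
    return seq


def cph(data: bytes, main_key: bytes, decrypt: bool = False) -> bytes:
    """Encrypt or decrypt each 16-byte block with the hopped RC6 version."""
    if len(data) % 16:
        raise ValueError("length must be a multiple of the 16-byte block size")
    _, hop_key, cipher_key = split_main_key(main_key)
    schedules = [rc6_key_schedule(cipher_key, r) for r in ROUND_TABLE]
    block_fn = rc6_decrypt_block if decrypt else rc6_encrypt_block
    out = bytearray()
    for i, v in enumerate(hop_sequence(hop_key, len(data) // 16)):
        out += block_fn(schedules[v], ROUND_TABLE[v], data[16 * i:16 * i + 16])
    return bytes(out)


# Constructed sample input: 256-bit main key and a 64-block "scrambled" message.
SAMPLE_KEY = bytes(range(32))
SAMPLE_S = bytes(range(256)) * 4

if __name__ == "__main__":
    c = cph(SAMPLE_S, SAMPLE_KEY)
    print("versions used:", sorted(set(hop_sequence(SAMPLE_KEY[8:16], 64))))
    print("round trip ok:", cph(c, SAMPLE_KEY, decrypt=True) == SAMPLE_S)
```

Decryption regenerates the same hop sequence from the hopping key, so both sides must agree on the round table and the block order as well as on the 256-bit main key.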


Figure 3.4 The SECPH decryption scheme.

3.8 Security and Performance of the SECPH

As mentioned above, SECPH is a provably secure cipher in the sense that attacks which find its key would yield attacks on one or more of the underlying components. To show this, a simple case is considered where only one block of the scrambled message is encrypted. This is equivalent to the scramble-all-encrypt-small scheme, which was shown to be secure as long as the cipher used and the scrambling function are secure [13].

However, if the message is to be encrypted one more time (double

encrypted), then this is equivalent to encrypting another block of the scrambled

message with different cipher parameters. This is because the

scramble-all-encrypt-small scheme makes sure that missing a small piece of the


scrambled data (via encryption) while keeping the rest available makes it

hard to recover the message, so missing two different blocks (via different

cipher parameters) doubles the difficulty to recover the message and

requires breaking the cipher twice.

So, encrypting the entire scrambled message with r different cipher

parameters for r different blocks is equivalent to r-multiple encryption.

Also, if these blocks are selected randomly according to a pseudorandom

number sequence, then the best attack will be the exhaustive key search,

where the key here is the seed of the PRNG in addition to the cipher key.

However, encrypting the entire scrambled message using CPH, as is the case in the proposed algorithm (SECPH), slows down the exhaustive key search by a factor of approximately n/r, where n is the number of blocks in the scrambled message. This is because the scramble-all-encrypt-small scheme is equivalent to an all-or-nothing encryption mode (if all message blocks are encrypted), which slows down exhaustive key search by a factor of approximately n/r (the number of blocks encrypted by each cipher version, assuming a uniformly distributed pseudorandom sequence determines the cipher version used). For example, encrypting a 2MB message using SECPH makes the exhaustive key search slower than encrypting only r randomly chosen blocks (using r different cipher versions) by a factor of $2^{17}/r$ (which equals $2^{14}$ for r=8).

In addition, using some high performance low security versions

(such as using small number of rounds) increases the performance of

SECPH significantly with small increase in the speed of the exhaustive key

search. This, with the fact that the scrambler is much faster than the block

cipher (with CPH), makes SECPH have a good performance. In the next


chapter, SECPH is implemented and its performance is compared to two

other block ciphers.

3.9 Comparison of SECPH and Other Related Works

Three differences between SECPH and the scramble-all-encrypt-small scheme were discussed previously in § 3.5. However, there is another significant difference: the entire scrambled message is encrypted in SECPH, in contrast to the scramble-all-encrypt-small scheme, where only one block is encrypted. This makes SECPH more secure than the scramble-all-encrypt-small scheme since it is equivalent to multiple encryptions and it slows down exhaustive key search by a factor of approximately n/r, as discussed in the previous section.

Another related work is all-or-nothing encryption mode which has

the property of slowing down exhaustive key search by a factor equal to

the number of blocks in the ciphertext message. However, it differs from

SECPH in that:

SECPH uses different versions of the block cipher (RC6) for

encryption which are selected randomly in contrast to all-or-nothing

encryption mode which uses only one version. This greatly increases

the security of SECPH since it requires the adversary to break as

many cipher versions as are used. Also, since these cipher versions are

randomly selected, the adversary cannot guess the sequence of them

without performing an additional exhaustive key search regarding

the key (seed) of the PRNG used to determine this sequence.


SECPH is much faster than all-or-nothing encryption mode since the

scrambler used in SECPH does not use encryption during the

preprocessing step which makes it faster than the transform package

used in all-or-nothing encryption mode. Also, using different

versions of the block cipher (RC6) for encryption greatly improves

performance since it allows mixing some high performance low

security versions (such as using small number of rounds) with other

high security low performance versions without greatly decreasing

the overall security as discussed in the previous section.

3.10 SECPH Features and Advantages

A. Proven security: in §3.4 it was shown that SECPH is a provably

secure cipher in the sense that attacks which find its key would yield

attacks on one or more of the underlying components. It was shown

also that SECPH with r different cipher parameters is equivalent to

r-multiple encryption and furthermore encrypting the entire

scrambled message using CPH slows down the exhaustive key

search by a factor of approximately n/r, where n is the number of

blocks in the scrambled message. This is a significant improvement

to the security of the existing block ciphers.

B. High performance: in §3.4 it was shown that SECPH has a good

performance because it allows the use of some high performance

low security versions (such as using small number of rounds) and

the fact that the scrambler is much faster than the block cipher.

C. Flexibility: since the underlying components of SECPH are

parameterized (they have a variable key length, word size and


number of rounds), SECPH is parameterized too. It provides a high

level of flexibility regarding security and/or performance. It has a

variable key length (since it can use a variable key length for

UMAC, ISAAC and RC6 block cipher).

D. Ease of implementation: since SECPH is composed of existing

cryptographic primitives (UMAC, ISAAC and RC6) the

implementation is very simple and straightforward because these

primitives are widely used and implemented for optimal

performance in different environments.

E. Multilevel security/performance: using the same encryption key one

can obtain different levels of security/performance by choosing

different cipher parameter sets. For example, increasing the

probability of using high performance versions of RC6 (i.e. using

RC6 versions with small number of rounds to encrypt scrambled

message blocks more than the other versions) increases the

performance with some small decrease in the security.


Chapter Four

Implementation and Experimental Results

4.1 Introduction

The proposed algorithm, SECPH, is implemented in this chapter.

The image encryption quality of SECPH is discussed and compared to

other existing algorithms (Rijndael and RC6) using six measures. In

addition, the performance (throughput) of SECPH is compared to that of

Rijndael and RC6 for several message sizes.

4.2 Implementation of SECPH

The SECPH algorithm was implemented in C++ programming

language. Crypto++ library was used in the implementation of the

underlying components UMAC, SEAL and RC6. Crypto++ library is a free

C++ class library of cryptographic schemes and it is widely used in

cryptography-related research [25, 33].

The implementation of ISAAC PRNG used was that provided by the

author [31].

SECPH was coded in C++, compiled with Microsoft Visual C++

2008 (whole program optimization, optimize for speed), and ran on a

Pentium D 3.00 GHz processor with 2.00 GB RAM under Windows XP

SP2. The C++ implementation code of SECPH for encryption and

decryption algorithms in addition to the image encryption quality measures

and processing time computations is given in Appendix A.


4.3 Image Encryption Quality

To measure the image encryption quality six quality measures are

used: visual inspection, histogram analysis, entropy, Irregular Deviation

(ID) factor, Number of Pixels Change Rate (NPCR) and Unified Average

Changing Intensity (UACI). For each quality measure the SECPH image

encryption quality was compared to that of two other block ciphers: RC6

and Rijndael for three images (except for NPCR and UACI which use only

one image) and two modes of operation (except for visual inspection and

histogram analysis in which only one mode of operation is used). These

three images (200 × 200 pixels, 256 gray levels) are shown in Figure 4.1.

Figure 4.1 Three images used for image encryption quality comparison: a) Nike.bmp b) Balloon.bmp c) Bridge.bmp.

Nike.bmp is an example of an image with a low number of high

frequency components and it has large areas of single color. Balloon.bmp

has a number of high frequency components greater than Nike.bmp;

however, it has some small areas of single colors. Bridge.bmp has a large

number of high frequency components and has no significant areas of

single color.


Block ciphers operate in several modes of operation; however, two

of them were used to compare the image encryption quality of the three

block ciphers: ECB and CBC.

ECB is the basic, simplest and fastest mode of operation, but it has

the property that encrypting the same block of data produces the same

output regardless of the previous output. So, encrypting images that have

large or even small areas of single color or repeated patterns of pixels

produces areas of repeated pixel patterns in the cipher-image which bears

some information about the plain-image.

Both Rijndael and RC6 have an adequate security and high

performance [10]. Rijndael was adopted by NIST as the AES and it is

widely used in many scientific and commercial applications.

4.4 Visual Inspection

For a high quality image encryption it must be very difficult for the

intruder to recognize any information about the plain-image by visual

inspection. However, cipher-images produced by most block ciphers in

ECB mode have some amount of visual information about the

corresponding plain-images for a wide range of images that have large or

even small areas of single color or repeated patterns of pixels. This is

shown in Figure 4.2.

From the figure it can be seen that for Nike.bmp image SECPH is

greatly more secure and has a higher image encryption quality than

Rijndael and RC6 whose cipher-images bear some information about

Nike.bmp as it can be seen in Figure 4.2 (a-c).


Figure 4.2 Cipher-images of the three images in Figure 4.1: a) Nike.bmp cipher-image using Rijndael b) Nike.bmp cipher-image using RC6 c) Nike.bmp cipher-image using SECPH d) Balloon.bmp cipher-image using Rijndael e) Balloon.bmp cipher-image using RC6 f) Balloon.bmp cipher-image using SECPH g) Bridge.bmp cipher-image using Rijndael h) Bridge.bmp cipher-image using RC6 i) Bridge.bmp cipher-image using SECPH.


Rijndael and RC6 have a better image encryption quality for

Balloon.bmp than for Nike.bmp; however, Balloon.bmp cipher-images

produced by Rijndael and RC6 bear some information about Balloon.bmp.

This can be noticed by inspecting the “textures” enclosed by circles in the

cipher-images in Figure 4.2 (d and e). These textures correspond to the

single color areas that exist in Balloon.bmp.

No textures can be found in the cipher-image produced by SECPH

in Figure 4.2 (f) so it is more secure and has a higher image encryption

quality than Rijndael and RC6.

For Bridge.bmp no difference can be found by visual inspection

between the three block ciphers and all cipher-images produced by them

have no textures, as can be noticed in Figure 4.2 (g-i). This is because

Bridge.bmp has a large number of high frequency components and has

no significant areas of single color as mentioned before.

So, SECPH is more secure and has a higher image encryption

quality than Rijndael and RC6 in ECB mode of operation for a wide range

of images that have large or even small areas of single color or repeated

patterns of pixels and this can be seen clearly by visual inspection.

However, for other modes of operation and images, the difference of the

image encryption quality of the three block ciphers is small so that visual

inspection fails to measure it.

4.5 Cipher-image Histogram Analysis

One desired property of a block cipher is that the histograms of its

cipher-images are uniformly distributed, so that the cipher-images do not bear

any statistical information about their corresponding plain-images. An


image histogram illustrates how pixels in an image are distributed by

graphing the number of pixels at each gray level. Histogram analysis is

widely used to measure the image encryption quality of a block cipher [34,

35].

The histograms of the cipher-images in Figure 4.2 are shown in

Figure 4.3.

From the figure, Nike.bmp cipher-images produced by Rijndael and

RC6 have poorly distributed histograms since they have large spikes. The

histogram of the Nike.bmp cipher-image produced by SECPH is much more

uniform.

For Balloon.bmp, cipher-images produced by Rijndael and RC6

have histograms with better distributions than those of Nike.bmp cipher-

images, but they still have large spikes. The histogram of Balloon.bmp

cipher-image produced by SECPH, like that of Nike.bmp cipher-image, is

more uniform.

All cipher-images produced by the three block ciphers have

approximately uniform distributed histograms for Bridge.bmp.

So, SECPH has a better histogram distribution than Rijndael and

RC6 in ECB mode of operation for images of the same properties like that

of Nike.bmp and Balloon.bmp. However, for the other image, Bridge.bmp,

the difference of the image encryption quality of the three block ciphers is

small so that histogram analysis fails to measure it. In addition,

cipher-images produced by SECPH have approximately uniformly distributed

histograms regardless of the corresponding plain-images.

Figure 4.3 Histogram of the cipher-images of the three images encrypted by the

three block ciphers a) Nike.bmp cipher-image using Rijndael b) Nike.bmp

cipher-image using RC6 c) Nike.bmp cipher-image using SECPH d)

Balloon.bmp cipher-image using Rijndael e) Balloon.bmp cipher-image using

RC6 f) Balloon.bmp cipher-image using SECPH g) Bridge.bmp cipher-image

using Rijndael h) Bridge.bmp cipher-image using RC6 i) Bridge.bmp cipher-

image using SECPH.

4.6 The Irregular Deviation Measuring Factor

The Irregular Deviation (ID) measuring factor is based on how irregular the deviation caused by encryption is. It pays attention to each individual pixel value and to the deviation caused at every location of the input image before the histogram is taken, since the histogram does not preserve any information about the location of the pixels. For a 256-gray-level image, this method can be summarized in the following steps [36, 37, 38]:

1. Calculate the ‘D’ matrix, which represents the absolute values of the difference between each pixel value before and after encryption (i.e. each pixel in the plain-image and the corresponding pixel in the cipher-image). So, D can be represented as:

$$D = |I - J| \tag{4-1}$$

where I is the plain-image, and J is the cipher-image.

2. Construct the histogram distribution ‘H’ of the absolute deviation D. So, H = histogram(D).

3. Get the average value of how many pixels are deviated at every deviation value (i.e., the number of pixels at each histogram value if the statistical distribution of the deviation matrix were a uniform distribution). This average value (DC) can be calculated as:

$$DC = \frac{1}{256}\sum_{i=0}^{255} H(i) \tag{4-2}$$

where H(i) is the amplitude of the absolute difference histogram at the value i.

4. Subtract this average from the deviation histogram, and then take the absolute value of the result:

$$AC(i) = |H(i) - DC| \tag{4-3}$$

5. Count the area under the absolute AC value curve, which is the sum of variations of the deviation histogram from the uniformly distributed histogram:

$$ID = \sum_{i=0}^{255} AC(i) \tag{4-4}$$

The lower the ID value, the better the image encryption quality of a

block cipher.

For ECB mode of operation, the ID values of the three images encrypted by the three block ciphers are presented in Table 4.1. As shown in the table, SECPH has the lowest (and hence the best) ID values for all the images, with the largest difference for Nike.bmp.

| Image / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| Nike.bmp | 70900 | 70862 | 2677 |
| Balloon.bmp | 9782 | 10780 | 9348 |
| Bridge.bmp | 12640 | 12646 | 12548 |

Table 4.1 ID values of the three images encrypted by the three block ciphers in ECB mode of operation.

For CBC mode of operation, the ID values of the three images encrypted by the three block ciphers are presented in Table 4.2. As shown in the table, SECPH has the lowest (and hence the best) ID values for all the images, with a small difference.

| Image / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| Nike.bmp | 2735 | 2713 | 2656 |
| Balloon.bmp | 9520 | 9531 | 9390 |
| Bridge.bmp | 12531 | 12498 | 12447 |

Table 4.2 ID values of the three images encrypted by the three block ciphers in CBC mode of operation.

So, ID values of cipher-images encrypted by SECPH are better than

those encrypted by RC6 and Rijndael for all the three images in ECB and

CBC modes of operation; however, the differences between the ID values

for SECPH and those for Rijndael and RC6 are small in CBC mode of

operation.

4.7 Entropy Measure

Entropy is a concept from information theory: a mathematical measure of the information in, or the uncertainty about the true value of, a random variable. If P_i is the probability of the occurrence of the gray level i, then the entropy value H_e can be computed for a 256-gray-level image using this formula [39, 40]:

$$H_e = -\sum_{i=0}^{255} P_i \log_2(P_i) \tag{4-5}$$

where P_i equals:

$$P_i = \frac{H(i)}{W \times H} \tag{4-6}$$

where H(i) is the histogram value of the gray level i, W is the image width, and H is the image height.

In general, the greater the entropy, the harder to break a

cryptosystem [34].
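The two histogram-based measures defined in § 4.6 and § 4.7, ID (equations 4-1 to 4-4) and entropy (equations 4-5 and 4-6), written out as an added C++ example; it is not the thesis's Appendix A code. The function names and the two constructed test images (a flat image and a 256-level ramp) are assumptions made for the illustration.

```cpp
#include <array>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <stdexcept>
#include <vector>

using Image = std::vector<std::uint8_t>;     // 256-gray-level pixels, row-major
using Histogram = std::array<double, 256>;   // pixel count at each level

Histogram histogram(const Image& img) {
    Histogram h{};
    for (std::uint8_t v : img) h[v] += 1.0;
    return h;
}

// Irregular Deviation (ID), equations 4-1 to 4-4. Lower is better.
double irregular_deviation(const Image& plain, const Image& cipher) {
    if (plain.empty() || plain.size() != cipher.size())
        throw std::invalid_argument("images must be non-empty and of equal size");
    Image d(plain.size());
    for (std::size_t k = 0; k < plain.size(); ++k)        // (4-1) D = |I - J|
        d[k] = static_cast<std::uint8_t>(std::abs(int(plain[k]) - int(cipher[k])));
    const Histogram h = histogram(d);                     // H = histogram(D)
    double dc = 0.0;                                      // (4-2) mean bar height
    for (double hi : h) dc += hi;
    dc /= 256.0;
    double id = 0.0;                                      // (4-3) and (4-4)
    for (double hi : h) id += std::fabs(hi - dc);
    return id;
}

// Entropy He in bits per pixel, equations 4-5 and 4-6. The maximum is 8.
double entropy_bits(const Image& img) {
    if (img.empty()) throw std::invalid_argument("image must be non-empty");
    const Histogram h = histogram(img);
    const double n = static_cast<double>(img.size());     // W x H
    double he = 0.0;
    for (double hi : h) {
        if (hi == 0.0) continue;                          // an empty level adds nothing
        const double p = hi / n;                          // (4-6)
        he -= p * std::log2(p);                           // (4-5)
    }
    return he;
}

// Constructed test images (not the thesis's bitmaps).
Image flat_image(std::size_t n, std::uint8_t level) { return Image(n, level); }
Image ramp_image(std::size_t n) {
    Image img(n);
    for (std::size_t k = 0; k < n; ++k) img[k] = static_cast<std::uint8_t>(k);
    return img;
}

int main() {
    const std::size_t n = 256 * 256;
    const Image flat = flat_image(n, 0), ramp = ramp_image(n);
    // "Encryption" that changes nothing: every deviation is 0, the least uniform case.
    std::printf("ID, cipher == plain     : %.0f\n", irregular_deviation(flat, flat));
    // Deviations spread evenly over 0..255: the ideal case.
    std::printf("ID, uniform deviation   : %.0f\n", irregular_deviation(flat, ramp));
    std::printf("entropy, flat image     : %.3f\n", entropy_bits(flat));
    std::printf("entropy, uniform levels : %.3f\n", entropy_bits(ramp));
    return 0;
}
```

Because the bars of H always sum to the pixel count, DC is fixed at W × H / 256, so ID measures only how far the deviation histogram is from flat.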

The entropy values of the three cipher-images encrypted by the three block ciphers in ECB mode of operation are presented in Table 4.3. As shown in the table, SECPH has the highest (and hence the best) entropy values for all the images (except for Bridge.bmp, which has approximately equal entropy values for all the block ciphers), with the largest difference for Nike.bmp.

For CBC mode of operation, the entropy values of the three images encrypted by the three block ciphers are presented in Table 4.4. As shown in the table, SECPH has the highest (and hence the best) entropy values for all the images (except for Bridge.bmp, for which RC6 has the highest entropy value), with a small difference.

| Image / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| Nike.bmp | 4.4 | 4.401 | 7.995 |
| Balloon.bmp | 7.986 | 7.963 | 7.996 |
| Bridge.bmp | 7.996 | 7.996 | 7.996 |

Table 4.3 Entropy values of the three cipher-images produced by the three block ciphers in ECB mode of operation.

| Image / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| Nike.bmp | 7.9947 | 7.995 | 7.9951 |
| Balloon.bmp | 7.9949 | 7.9949 | 7.995 |
| Bridge.bmp | 7.9952 | 7.9952 | 7.9952 |

Table 4.4 Entropy values of the three cipher-images produced by the three block ciphers in CBC mode of operation.

So, entropy values of cipher-images encrypted by SECPH are better

than those encrypted by RC6 and Rijndael for Nike.bmp and Balloon.bmp

in ECB and CBC modes of operation. For Bridge.bmp all block ciphers

have equal results in ECB and CBC modes of operation. However, the

differences between the entropy values for SECPH and those for Rijndael

and RC6 are small in CBC mode of operation. In addition, as it can be

seen, the entropy values of cipher-images encrypted by SECPH are

independent of the plain-images and the modes of operation.

4.8 Number of Pixels Change Rate (NPCR)

In general, the opponent may make a slight change, such as modifying only one pixel of the plain-image, and then observe the change in the result. In this way, he may be able to find a statistical relationship between the plain-image and the cipher-image. If one minor change in the plain-image can cause a significant change in the cipher-image, with respect to diffusion and confusion, then this differential attack (which is discussed in § 2.13) would become very inefficient and practically useless. To test the influence of a one-pixel change in the plain-image on the whole cipher-image, the common measure Number of Pixels Change Rate (NPCR) is used [41, 42].

Let two cipher-images, whose corresponding plain-images have only

one pixel difference, be denoted by C1 and C2. Label the grey-scale values

of the pixels at grid (i,j) in C1 and C2 by C1(i,j) and C2(i,j), respectively.

Define a bipolar array, D, with the same size as images C1 and C2. Then,

D(i,j) is determined by C1(i,j) and C2(i,j) as follows:

if C1(i,j) = C2(i,j) then D(i,j) = 1; otherwise, D(i,j) = 0.

Then, the NPCR is defined as:

$$NPCR = \frac{\sum_{i,j} D(i,j)}{W \times H} \times 100\% \tag{4-7}$$

where W and H are the width and the height of C1 (or C2) in pixels.

It is clear that for Rijndael and RC6, in ECB mode of operation,

only one block of the cipher-image will be affected by changing one pixel

in the plain-image. So, NPCR for Rijndael and RC6, assuming 256 gray

level (each pixel is stored in one byte), will equal:

$$\frac{1}{N} \times 100\% = \frac{B}{W \times H} \times 100\% \tag{4-8}$$

where N is the number of blocks in the cipher-image,

B is the block size in bytes,

W and H are the width and the height of the image in pixels.

Since NPCR is independent of the plain-image, only one image is used to compare the three block ciphers, namely Bridge.bmp. For this image W × H = 40000 pixels and (for RC6 and Rijndael) B = 128 bits = 16 bytes. So the expected NPCR for Rijndael and RC6 is 16/40000 × 100% = 0.04%. This can be seen in the experimental results shown in Table 4.5.

For SECPH in ECB mode of operation, NPCR is close to 100% due

to the scrambling process which greatly improves the diffusion as

discussed in § 3.5. This can be seen in the results shown in Table 4.5.

For CBC mode of operation, the position of the changed pixel in the plain-image affects the NPCR values of cipher-images encrypted by Rijndael and RC6. So, three different images corresponding to Bridge.bmp were chosen for different positions of the changed pixel: in the first third (Bridge1.bmp), in the second third (Bridge2.bmp), and in the last third (Bridge3.bmp). For SECPH, the position of the changed pixel does not affect the NPCR value. The results are shown in Table 4.6.

So, the NPCR value of cipher-images encrypted by SECPH is much better than that of those encrypted by RC6 and Rijndael for all images in ECB mode of operation. For CBC mode of operation, the NPCR values of cipher-images encrypted by SECPH are better than those encrypted by Rijndael and RC6, and they are independent of the position of the changed pixel in the plain-image, in contrast to Rijndael and RC6. In addition, as can be seen, the NPCR values of cipher-images encrypted by SECPH are independent of the mode of operation.

| Image / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| Bridge.bmp | 0.04% | 0.04% | 99.6% |

Table 4.5 NPCR values of the Bridge.bmp cipher-image produced by the three block ciphers in ECB mode of operation.

| Image / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| Bridge1.bmp | 87% | 87% | 99.5% |
| Bridge2.bmp | 61.1% | 61.1% | 99.7% |
| Bridge3.bmp | 11.8% | 11.8% | 99.6% |

Table 4.6 NPCR values of Bridge1.bmp, Bridge2.bmp and Bridge3.bmp cipher-images produced by the three block ciphers in CBC mode of operation.

4.9 Unified Average Changing Intensity (UACI)

Another measure used to test the influence of one-pixel change in

the plain-image on the whole cipher-image is the Unified Average

Changing Intensity (UACI) [41, 42].

Let two cipher-images, whose corresponding plain-images have only

one pixel difference, be denoted by C1 and C2. Label the grey-scale values

of the pixels at grid (i,j) in C1 and C2 by C1(i,j) and C2(i,j), respectively.

Then, the UACI is defined as:

$$UACI = \frac{1}{W \times H}\left[\sum_{i,j}\frac{|C_1(i,j) - C_2(i,j)|}{255}\right] \times 100\% \tag{4-9}$$

where W and H are the width and the height of C1 (or C2) in pixels.

As for NPCR, it is clear that for Rijndael and RC6, in ECB mode of operation, UACI will be very small. In addition, as for NPCR, only one image is used to compare the three block ciphers, namely Bridge.bmp. The results are shown in Table 4.7.

For CBC mode of operation, the position of the changed pixel affects the UACI values of cipher-images encrypted by Rijndael and RC6. So, as for NPCR, three different images corresponding to Bridge.bmp were chosen for different positions of the changed pixel: in the first third (Bridge1.bmp), in the second third (Bridge2.bmp), and in the last third (Bridge3.bmp). For SECPH, the position of the changed pixel does not affect the NPCR value. The results are shown in Table 4.8.
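An added example, not code from the thesis: NPCR and UACI for a one-pixel change, run over a stand-in block transform in ECB and in CBC chaining, to show why the ECB figure is bounded by equation 4-8 and why the CBC figures depend on where the changed pixel sits. NPCR is computed here as the share of pixel positions that differ, the reading under which equation 4-8 yields 0.04%; `toy_block`, the key, the all-zero IV and the test pattern are constructed for the illustration and stand in for no real cipher.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <stdexcept>
#include <vector>

using Image = std::vector<std::uint8_t>;    // 256-gray-level pixels, row-major
constexpr std::size_t B = 16;               // block size in bytes (128 bits)
constexpr std::size_t W = 200, H = 200;     // 40000 pixels, as for Bridge.bmp
using Block = std::array<std::uint8_t, B>;

// Stand-in keyed block transform, constructed for this example. It is NOT a
// cipher and not Rijndael, RC6 or SECPH. Every step is invertible (add a value
// derived from the neighbouring byte, then rotate), so the map is a bijection
// on blocks: two different input blocks never give the same output block.
Block toy_block(Block b, const Block& key) {
    for (unsigned round = 0; round < 4; ++round)
        for (std::size_t i = 0; i < B; ++i) {
            const unsigned n = b[(i + B - 1) % B];
            const unsigned v = (b[i] + n * 167u + key[i] + round) & 0xFFu;
            b[i] = static_cast<std::uint8_t>(((v << 3) | (v >> 5)) & 0xFFu);
        }
    return b;
}

// ECB (cbc == false) or CBC with an all-zero IV (cbc == true).
Image encrypt(const Image& plain, const Block& key, bool cbc) {
    if (plain.size() % B != 0) throw std::invalid_argument("length must be a multiple of B");
    Image out(plain.size());
    Block prev{};
    for (std::size_t off = 0; off < plain.size(); off += B) {
        Block blk;
        for (std::size_t i = 0; i < B; ++i)
            blk[i] = static_cast<std::uint8_t>(plain[off + i] ^ (cbc ? prev[i] : 0));
        prev = toy_block(blk, key);
        for (std::size_t i = 0; i < B; ++i) out[off + i] = prev[i];
    }
    return out;
}

// NPCR: percentage of pixel positions whose value differs between C1 and C2.
double npcr_percent(const Image& c1, const Image& c2) {
    std::size_t changed = 0;
    for (std::size_t k = 0; k < c1.size(); ++k) changed += (c1[k] != c2[k]);
    return 100.0 * static_cast<double>(changed) / static_cast<double>(c1.size());
}

// UACI, equation 4-9: mean of |C1 - C2| / 255 over all pixels, as a percentage.
double uaci_percent(const Image& c1, const Image& c2) {
    double sum = 0.0;
    for (std::size_t k = 0; k < c1.size(); ++k)
        sum += std::abs(int(c1[k]) - int(c2[k])) / 255.0;
    return 100.0 * sum / static_cast<double>(c1.size());
}

struct Diff { double npcr, uaci; std::size_t first_block, changed_blocks; };

// Encrypt a constructed W x H image twice, the second time with one pixel
// changed, and report where and how much the two cipher-images differ.
Diff one_pixel_test(std::size_t pixel, bool cbc) {
    Image p1(W * H);
    for (std::size_t k = 0; k < p1.size(); ++k)               // constructed test pattern
        p1[k] = static_cast<std::uint8_t>(k * 7 + k / W);
    Image p2 = p1;
    p2.at(pixel) ^= 1;                                        // the one-pixel change
    const Block key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};  // constructed
    const Image c1 = encrypt(p1, key, cbc), c2 = encrypt(p2, key, cbc);
    Diff d{npcr_percent(c1, c2), uaci_percent(c1, c2), c1.size() / B, 0};
    for (std::size_t blk = 0; blk < c1.size() / B; ++blk)
        for (std::size_t i = 0; i < B; ++i)
            if (c1[blk * B + i] != c2[blk * B + i]) {
                if (d.changed_blocks == 0) d.first_block = blk;
                ++d.changed_blocks;
                break;
            }
    return d;
}

int main() {
    const std::size_t positions[] = {W * H / 6, W * H / 2, 5 * W * H / 6};  // one per third
    const Diff e = one_pixel_test(positions[1], false);
    std::printf("ECB: NPCR %.4f%%  UACI %.4f%%  (bound B/(W*H) = %.4f%%)\n",
                e.npcr, e.uaci, 100.0 * B / (W * H));
    for (std::size_t pos : positions) {
        const Diff c = one_pixel_test(pos, true);
        std::printf("CBC, pixel %5zu: NPCR %.2f%%  UACI %.2f%%  blocks changed %zu\n",
                    pos, c.npcr, c.uaci, c.changed_blocks);
    }
    return 0;
}
```

In ECB the difference never leaves the block that holds the changed pixel; with CBC chaining every block from that one to the end differs, so the rate falls as the changed pixel moves toward the end of the image.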

So, UACI value of cipher-images encrypted by SECPH is greatly

better than those encrypted by RC6 and Rijndael for all images in ECB

mode of operation. For CBC mode of operation, the UACI values for

SECPH are better than those for Rijndael and RC6 and they are

independent of the position of the changed pixel in the plain-image in

contrast to Rijndael and RC6. In addition, as it can be seen, the NPCR

values of cipher-images encrypted by SECPH are independent of the mode

of operation.

| Image / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| Bridge.bmp | 0.012% | 0.014% | 33.57% |

Table 4.7 UACI values of the Bridge.bmp cipher-image produced by the three block ciphers in ECB mode of operation.

| Image / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| Bridge1.bmp | 29.3% | 29.21% | 33.56% |
| Bridge2.bmp | 20.53% | 20.65% | 33.41% |
| Bridge3.bmp | 4% | 3.92% | 33.7% |

Table 4.8 UACI values of Bridge1.bmp, Bridge2.bmp and Bridge3.bmp cipher-images produced by the three block ciphers in CBC mode of operation.

4.10 Performance Analysis

To compare the throughput of SECPH to those of Rijndael and RC6,

the time required to encrypt a fixed length message was computed for the

three block ciphers then it was divided by the message length to produce

the throughput (in MB/S). Many message lengths were chosen to compare

the throughput of the three block ciphers and to illustrate the effect of

increasing the message length on the throughput.

Computing the time required to encrypt the message was done by computing the time required to encrypt it n times with a “for” loop and then dividing the overall time taken by n. This is because very little time is required to encrypt messages of small size (1-100 KB). Computing the time required by a “for” loop was done by calling the function clock() (which is defined in the standard C++ library in the header file time.h) before and after the loop and computing the difference between the two values. The following C++ code illustrates the above procedure:

    #include <time.h>

    clock_t start = clock();
    for (int loop = 0; loop < n; loop++)
    {
        // ... encrypt the message ...
    }
    // Clock ticks taken by all n encryptions; divide by CLOCKS_PER_SEC
    // for seconds and by n for the time of a single encryption.
    double timeTaken = double(clock() - start);

The throughput values of SECPH for different message sizes

compared to those of Rijndael and RC6 in ECB mode of operation are

shown in Table 4.9 and are presented graphically in the chart in Figure 4.4.

From the table it is clear that SECPH is faster than Rijndael (about 26%

faster) and RC6 (about 30% faster). In addition, SECPH is slightly slower

for small message size (1KB and smaller); however, for most applications

(like image encryption) messages usually have a larger size.

For CBC mode of operation, similar results were obtained; they are shown in Table 4.10 and are presented graphically in the chart in Figure 4.5. The three block ciphers are slower than they are in ECB mode of operation, but SECPH is still faster than Rijndael (about 25% faster) and RC6 (about 32% faster).

| Message size / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| 1 KB | 66.007 | 62.775 | 78.064 |
| 2 KB | 65.317 | 63.072 | 83.16 |
| 5 KB | 65.359 | 63.291 | 82.102 |
| 10 KB | 65.317 | 63.371 | 82.034 |
| 20 KB | 65.789 | 63.052 | 82.271 |
| 50 KB | 65.359 | 63.291 | 84.317 |
| 100 KB | 65.274 | 63.091 | 82.781 |

Table 4.9 Throughput in MB/S of the three block ciphers in ECB mode of operation.

Figure 4.4 Chart of the throughput in MB/S of the three block ciphers in ECB

mode of operation.

| Message size / Block cipher | Rijndael | RC6 | SECPH |
|---|---|---|---|
| 1 KB | 61.538 | 58.72 | 72.727 |
| 2 KB | 61.538 | 58.72 | 76.22 |
| 5 KB | 61.576 | 59.312 | 76.22 |
| 10 KB | 61.538 | 58.207 | 77.042 |
| 20 KB | 61.237 | 58.445 | 77.071 |
| 50 KB | 61.576 | 58.48 | 78.125 |
| 100 KB | 61.538 | 59.277 | 77.101 |

Table 4.10 Throughput in MB/S of the three block ciphers in CBC mode of operation.

Figure 4.5 Chart of the throughput in MB/S of the three block ciphers in CBC

mode of operation.

4.11 Experimental Results Summary

In this chapter, SECPH was implemented and its image encryption

quality was compared to those of Rijndael and RC6 using some statistical

and other measures. In addition, the performance (throughput) of SECPH

was compared to those of Rijndael and RC6 for several message sizes.

From these results the following features of SECPH were identified:

- SECPH has a great advantage for image encryption over Rijndael and RC6 in ECB mode of operation. For Rijndael and RC6, ECB mode of operation is impracticable for the purpose of image encryption; however, SECPH in ECB mode of operation has a high image encryption quality.

- SECPH has a better image encryption quality than, but close to, Rijndael and RC6 for most images and measures in CBC mode of operation.

- SECPH has a good image encryption quality regardless of the mode of operation and the plain-image, in contrast to Rijndael and RC6, whose image encryption quality is greatly affected by the mode of operation and the plain-image.

- SECPH is more resistant to differential cryptanalysis than Rijndael and RC6. It has NPCR values equal to or greater than 99.5% regardless of the plain-images, the position of the changed pixel and the modes of operation, in contrast to Rijndael and RC6, which have an NPCR value of 0.04% in ECB mode of operation and NPCR values that range from 11.8% to 87% in CBC mode of operation.

- SECPH has UACI values of about 33% regardless of the plain-images, the position of the changed pixel and the modes of operation, in contrast to Rijndael and RC6, which have a UACI value of 0.012% in ECB mode of operation and UACI values that range from 3.92% to 29.3% in CBC mode of operation.

- SECPH has a better performance (throughput) than Rijndael (about 26% and 25% faster in ECB and CBC modes of operation respectively) and RC6 (about 30% and 32% faster in ECB and CBC modes of operation respectively).

- SECPH has a slightly better performance for messages of sizes larger than 1 KB, which is the case in most applications, including image encryption.

Chapter Five

Conclusions and Future Work

5.1 Conclusions

In this work, the design and implementation of an encryption algorithm that provides both high security and performance were presented. Other features, such as flexibility, simplicity and ease of implementation, were also taken into account when designing the algorithm. The proposed algorithm was named the Scrambling and Encrypting with Cipher Parameter Hopping (SECPH) algorithm. It is composed of two main blocks: a scrambler and a block cipher with parameter hopping. It is composed of existing cryptographic primitives and it is provably secure in the sense that attacks which find its key would yield attacks on one or more of the underlying components. SECPH was implemented in the C++ programming language. The Crypto++ library was used in the implementation of most of the underlying components. The image encryption quality of SECPH is discussed and compared to that of other existing algorithms (Rijndael and RC6) using six measures.

From the design, implementation and experimental results, SECPH

has many interesting features. It was shown that SECPH with 8 different

cipher parameters is equivalent to 8-multiple encryption and furthermore

encrypting the entire scrambled message using CPH slows down the

exhaustive key search by a factor of approximately n/8, where n is the

number of blocks in the scrambled message. This is a significant

improvement to the security of the existing block ciphers.

SECPH has a better performance (throughput) than Rijndael and

RC6.

SECPH provides a high level of flexibility regarding security and/or

performance and since it is composed of existing cryptographic primitives

the implementation is very simple and straightforward because these

primitives are widely used and implemented for optimal performance in

different environments.

Different levels of security/performance can be obtained using

SECPH with the same encryption key by choosing different cipher

parameter sets.

SECPH has a great advantage for image encryption over Rijndael and RC6. It has a good image encryption quality regardless of the mode of operation and the plain-image, in contrast to Rijndael and RC6, whose image encryption quality is greatly affected by the mode of operation and the plain-image.

SECPH is more resistant to differential cryptanalysis than Rijndael and RC6.

5.2 Suggestions for Future Work

1. Hardware implementation of SECPH using FPGA.

2. Assembly level optimization of the SECPH software

implementation.

3. Using a parameterized block cipher faster than RC6 (e.g. a

parameterized version of Rijndael) in CPH block of SECPH.

4. A detailed (linear, differential and other) cryptanalysis study of

SECPH.

5. Evaluating the encryption quality of SECPH for video encryption.

6. Implementing SECPH in parallel computing environment.

References

[1] W. Stallings, “Cryptography and Network Security Principles and

Practices”, Fourth Edition, Prentice Hall, November 16, 2005.

[2] H. C. A. van Tilborg, “Encyclopedia of Cryptography and Security”,

Springer Science+Business Media, 2005.

[3] J. E. Canavan, “Fundamentals of Network Security”, ARTECH

HOUSE, 2001.

[4] H. Feistel, “Cryptography and data security”, Scientific American, Vol.

228, No. 5, 15-23, May 1973.

[5] National Institute of Standards and Technology, Data Encryption

Standard, FIPS PUB 46-3, October 25, 1999.

[6] W. Diffie and M. Hellman, “Exhaustive Cryptanalysis of the NBS Data

Encryption Standard”, Computer, June 1977.

[7] A. S. Tanenbaum, “Computer Networks”, Fourth Edition, Prentice Hall,

March 17, 2003.

[8] R.L. Rivest, M.J.B. Robshaw, R. Sidney and Y.L. Yin, “The RC6 Block

Cipher”, v1.1, AES proposal: National Institute of Standards and

Technology (NIST), 1998. Available at www.rsa.com/rsalabs/aes/.

[9] J. Daemen and V. Rijmen, “AES Proposal: Rijndael”, AES proposal:

National Institute of Standards and Technology (NIST), October 6,

1998. Available at www.csrc.nist.gov/encryption/aes/.

[10] R.L. Rivest, M.J.B. Robshaw and Y.L. Yin, “RC6 as the AES”,

Provided at 3rd AES conference, New York, April 2000. Available at

www.rsalabs.com/rc6/.

[11] R. Anderson and E. Biham, “Two Practical and Provably Secure

Block Ciphers: BEAR and LION”, Fast Software Encryption, Lecture

Notes in Computer Science, Vol. 1039, ed. D. Gollmann, Springer-

Verlag, Berlin, 113–120, 1996.

[12] R. L. Rivest, “All-Or-Nothing Encryption and the Package

Transform”, Fast Software Encryption ’97, 4th International

Workshop, Lecture Notes in Computer Science, Vol. 1267, ed. E.

Biham, Springer-Verlag, Berlin, 210–218, 1997.

[13] M. Jakobsson, J. P. Stern, M. Yung, “Scramble All, Encrypt Small”,

Fast Software Encryption, Lecture Notes in Computer Science Vol.

1636, Springer-Verlag, 95-111, 1999.

[14] http://people.csail.mit.edu/rivest/Rivest-multigrade.pdf.

[15] H. Ashman and M. Gilbert, “And now for something completely

different: The future of encryption and secrecy protocols”,

Communications Design Conference, Nottingham ePrints, USA,

October 2001.

[16] M. Liskov, R. Rivest, and D. Wagner, “Tweakable Block Ciphers”,

Advances in Cryptology—CRYPTO 2002, Lecture Notes in Computer

Science, vol. 2442, ed. M. Yung. Springer-Verlag, Berlin, 31–46,

2002.

[17] D. N. Serpanos and A. G. Voyiatzis, “Increasing symmetric key

lifetime by controlled randomness”, 10th IEEE Conference on

Emerging Technologies and Factory Automation, Vol. 2, 19-22

September 2005.

[18] P. Mroczkowski and P. Rodwald, “How to Improve the Security of the

Cryptosystem Based on a Block Cipher?”, Military Communications

and Information Systems Conference, Bonn, Germany, 25-26

September 2007.

[19] W. Stallings, “Data And Computer Communications”, Fifth Edition,

Prentice Hall, 1996.

[20] A. Menezes, P. van Oorschot and S. Vanstone, “Handbook of Applied

Cryptography”, CRC Press, 1997.

[21] H. Delfs and H. Knebl, “Introduction to Cryptography: Principles and

Applications”, Second Edition, Springer-Verlag, 2007.

[22] W. Mao, “Modern Cryptography: Theory and Practice”, Prentice Hall,

July 25, 2003.

[23] R. Lehtinen, D. Russell, and G.T. Gangemi Sr. “Computer Security

Basics”, Second Edition, O'Reilly Media, June, 2006.

[24] J. M. Kizza, “Computer Network Security”, Springer

Science+Business Media, 2005.

[25] T. S. Denis and S. Johnson, “Cryptography for Developers”, Syngress

Publishing, 2007.

[26] K. T. Fung, “Network Security Technologies”, Second Edition,

Auerbach Publications, CRC Press, 2005.

[27] C. E. Shannon, “Communication Theory of Secrecy Systems”, Bell

Systems Technical Journal, Vol. 27, 623–656, October 1948.

Continued from July 1948 issue.

[28] M. Stamp, “Information Security Principles and Practice”, John Wiley

& Sons, 2006.

[29] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway,

"UMAC: Fast and Secure Message Authentication", Advances in

Cryptology - CRYPTO '99, Lecture Notes in Computer Science, Vol.

1666, Springer-Verlag, 216-233, 1999.

[30] D. Stinson, “Cryptography: Theory and Practice”, CRC Press, March

17, 1995.

[31] R. J. Jenkins, “ISAAC and RC4”, available online at

http://www.burtleburtle.net/bob/rand/isaacafa.html.

[32] B. Schneier and D. Whiting, “Fast Software Encryption: Designing

Encryption Algorithms for Optimal Software Speed on the Intel

Pentium Processor”, Fast Software Encryption, Lecture Notes in

Computer Science, Vol. 1437, Springer-Verlag, 1997.

[33] http://www.cryptopp.com.

[34] Y. A. Alsultanny, “Testing Image Encryption by Output Feedback

(OFB)”, Journal of Computer Science Vol. 4 No. 2, Science

Publications, 125-128, 2008.

[35] H. H. Ahmed, H. M. Kalash and O. S. Farag Allah, “Encryption

Efficiency Analysis and Security Evaluation of RC6 Block Cipher for

Digital Images”, Informatica, 121-129, 2007.

[36] N. El-Fishawy and O. M. Abu Zaid, “Quality of Encryption

Measurement of Bitmap Images with RC6, MRC6, and Rijndael Block

Cipher Algorithms”, International Journal of Network Security, Vol. 5,

No. 3, 241–251, November 2007.

[37] I. A. Ismail, M. Amin and H. Diab, “How to Repair the Hill Cipher”,

Journal of Zhejiang University SCIENCE A, Vol. 7, No. 12, 2022-

2030, 2006.

[38] H. M. Elkamchouchi and M. A. Makar, “Measuring Encryption

Quality for Bitmap Images Encrypted with Rijndael and KAMKAR

Block Ciphers”, Proceedings of the Twenty-Second National Radio

Science Conference, Cairo, Egypt, 277 – 284, March 15-17, 2005.

[39] M. A. B. Younes and A. Jantan, “Image Encryption Using Block-

Based Transformation Algorithm”, IAENG International Journal of

Computer Science, Vol. 35, No. 1, February 19, 2008.

[40] M. Zeghid, M. Machhout, L. Khriji, A. Baganne and R. Tourki, “A

Modified AES Based Algorithm for Image Encryption”, International

Journal of Computer Science and Engineering, Vol. 1, No. 1, March 4,

2007.

[41] H. H. Ahmed, H. M. Kalash and O. S. Farag Allah, “An Efficient

Chaos-Based Feedback Stream Cipher (ECBFSC) for Image

Encryption and Decryption”, Informatica, Vol. 31, 121–129, 2007.

[42] F. Maleki, A. Mohades, S. M. Hashemi and M. E. Shiri, “An Image

Encryption System by Cellular Automata with Memory”, Third

International Conference on Availability, Reliability and Security,

1266 – 1271, March 4-7, 2008.


Appendix A

SECPH C++ Implementation Code

A.1 Encryption Algorithm

The following is the C++ implementation of the SECPH encryption algorithm using the Crypto++ library, together with the implementation of the image encryption quality measures (ID, entropy, NPCR, UACI) and the processing-time measurement.

#include "secblock.h"
#include "vmac.h"
#include "aes.h"
#include "IsaacRand.h"
#include "modes.h"
#include "cryptlib.h"
#include "rc6.h"
#include "seal.h"
#include "randpool.h"
#include <iostream>
#include <fstream>
#include <math.h>
#include <stdlib.h>   //abs
#include <string.h>   //memcpy
#include <time.h>

USING_NAMESPACE(CryptoPP)
USING_NAMESPACE(std)

int CRYPTOPP_API main(int argc, char *argv[])
{
    //--------------------------------------------------------------
    //Message and key setup
    int const width=200;
    int const height=200;
    int const mLen=40000;       //200x200 pixels, one byte per pixel
    int const mLen2=mLen/2;     //Length of each scrambler half
    int const mLen3=mLen2/4;
    int const nBlocks=mLen/16;  //Number of 16-byte RC6 blocks
    char message[mLen];
    //Hard-coded test key (32 bytes) and IV (16 bytes)
    const byte *mainKey=(byte *)"abcdefghijklmnopqrstuvwxyz123456";
    const byte *pbIV=(byte *)"mjhjsdkjfksdlasd";
    char buffer;
    char buffer0[53];
    fstream myFile;

    //Reading plain-image
    myFile.open("image.bmp",ios_base::in | ios_base::binary);
    myFile.read (buffer0, 53); //Reading image header


    for (int i=0;i<mLen;i++)
    {
        //Keep the third byte of every 3-byte pixel
        myFile.get(buffer);
        myFile.get(buffer);
        myFile.get(message[i]);
    }
    AlignedSecByteBlock m_M1(mLen);
    byte * m_M2=m_M1.BytePtr()+mLen2;   //Second half of the message
    memcpy(m_M1, message, mLen);
    AlignedSecByteBlock m_C(mLen);

    //--------------------------------------------------------------
    //VMAC initialization
    byte digest[8];
    VMAC<RC6,64> mac;

    //--------------------------------------------------------------
    //RNG initialization
    unsigned int *seed;
    byte RN[nBlocks];

    //--------------------------------------------------------------
    //RC6 initialization: eight cipher versions, 20 down to 6 rounds
    CryptoPP::ECB_Mode<RC6 >::Encryption rc6[8];
    rc6[0].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 20));
    rc6[1].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 18));
    rc6[2].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 16));
    rc6[3].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 14));
    rc6[4].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 12));
    rc6[5].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 10));
    rc6[6].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 8));
    rc6[7].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 6));

    //--------------------------------------------------------------
    //SEAL initialization
    SEAL<BigEndian>::Encryption seal;

    //--------------------------------------------------------------
    //VMAC processing
    mac.SetKeyWithIV(mainKey, 8, pbIV);
    clock_t start; //Timer start value
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        mac.Update(m_M1,mLen2);
    double timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"MAC processing:"<<timeTaken<<endl;
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        mac.Final(digest);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"MAC FINAL processing:"<<timeTaken<<endl;


    //--------------------------------------------------------------
    //SEAL processing
    byte SCSeed[20];
    for (int i=0;i<8;i++)
    {
        SCSeed[2*i]=digest[i];
        SCSeed[2*i+1]=digest[i];
    }
    for (int i=0;i<4;i++)
        SCSeed[i+16]=digest[i];
    seal.SetKeyWithIV(SCSeed,20,pbIV);
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        seal.ProcessData(m_M2,m_M2,mLen2);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"SEAL processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //VMAC processing
    mac.SetKeyWithIV(mainKey, 8, pbIV);
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        mac.Update(m_M2,mLen2);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"MAC processing:"<<timeTaken<<endl;
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        mac.Final(digest);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"MAC FINAL processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //SEAL processing
    for (int i=0;i<8;i++)
    {
        SCSeed[2*i]=digest[i];
        SCSeed[2*i+1]=digest[i];
    }
    for (int i=0;i<4;i++)
        SCSeed[i+16]=digest[i];
    seal.SetKeyWithIV(SCSeed,20,pbIV);
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        seal.ProcessData(m_M1,m_M1,mLen2);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"SEAL processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //ISAAC processing
    seed=(unsigned int*)(mainKey+8);
    IsaacRand rng3(seed[0]);


    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        for(int i=0; i<nBlocks; i++)
            RN[i]=(byte)rng3.getNext()&7; //Cipher version (0..7) for block i
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"ISAAC processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //RC6 processing
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
    {
        byte *output=m_C.BytePtr();
        byte *input=m_M1.BytePtr();
        for(int i=0; i<nBlocks; i++,input+=16,output+=16)
            rc6[RN[i]].ProcessBlocks(output,input,1);
    }
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"RC6 processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //Image encryption Quality Measures
    //Irregular deviation (ID)
    int DH[256],D[mLen];
    double DC=0,AC[256],ID=0;
    for (int i=0;i<256;i++)
        DH[i]=0;
    for (int i=0;i<256;i++)
        AC[i]=0;
    for (int i=0;i<mLen;i++)
        D[i]=abs((int)m_C[i]-(int)(byte)message[i]); //Pixel values taken as unsigned
    for (int i=0;i<256;i++)
        for (int j=0;j<mLen;j++)
            if (D[j]==i)
                DH[i]++;
    for (int i=0;i<256;i++)
        DC+=DH[i]/256.0;
    for (int i=0;i<256;i++)
        if((float)DH[i]-DC<0)
            AC[i]=DC-(float)DH[i];
        else
            AC[i]=(float)DH[i]-DC;
    for (int i=0;i<256;i++)
        ID+=AC[i];
    cout<<"SECPH ID:"<<ID<<endl;

    //Plain-image entropy: -sum(p*log2(p))
    long double PH[256],PHe=0;
    for (int i=0;i<256;i++)
        PH[i]=0;
    for (int i=0;i<mLen;i++)
        PH[(byte)message[i]]++; //Unsigned index; plain char may be negative
    for (int i=0;i<256;i++)
        if (PH[i]!=0)
            PHe-=PH[i] * log(PH[i]/mLen) / (log(2.0) * mLen);
    cout<<"Plainimage entropy:"<<PHe <<endl;


    //Cipher-image entropy: -sum(p*log2(p))
    long double CH[256],CHe=0;
    for (int i=0;i<256;i++)
        CH[i]=0;
    for (int i=0;i<mLen;i++)
        CH[(int)m_C[i]]++;
    for (int i=0;i<256;i++)
        if (CH[i]!=0)
            CHe-=CH[i] * log(CH[i]/mLen) / (log(2.0) * mLen);
    cout<<"SECPH cipherimage entropy:"<<CHe <<endl;

    fstream myFile2;
    //Reading previous cipher-image
    myFile2.open("image2.bmp",ios_base::in | ios_base::binary);
    myFile2.read (buffer0, 53);
    char preImage[mLen];
    for (int i=0;i<mLen;i++)
    {
        myFile2.get(buffer);
        myFile2.get(buffer);
        myFile2.get(preImage[i]);
    }

    //NPCR: percentage of pixels that differ between the two cipher-images
    byte Dnpcr[mLen];
    double NPCR=0;
    for (int i=0;i<mLen;i++)
        if (preImage[i]==(char)m_C[i])
            Dnpcr[i]=0;
        else
            Dnpcr[i]=1;
    for (int i=0;i<mLen;i++)
        NPCR+=Dnpcr[i];
    NPCR*=100/(double)mLen;
    cout<<"SECPH NPCR:"<<NPCR<<endl;

    //UACI: average intensity difference, pixel values taken as unsigned
    double UACI=0;
    for (int i=0;i<mLen;i++)
        UACI+=abs((int)(byte)preImage[i]-(int)m_C[i]);
    UACI*=100/((double)mLen*255);
    cout<<"SECPH UACI:"<<UACI<<endl;

    //Writing the output image: header, then each byte repeated three times
    fstream myFile1;
    myFile1.open("image1.bmp",ios_base::out | ios_base::binary);
    buffer=0;
    for (int i=0;i<53;i++)
        myFile1.put(buffer0[i]);
    myFile1.put(buffer);
    for (int i=0;i<mLen;i++)
    {
        myFile1.put(m_M1[i]);
        myFile1.put(m_M1[i]);
        myFile1.put(m_M1[i]);
    }
    myFile1.close();
    myFile.close();
    int wait;
    cin>>wait;
}


A.2 Decryption Algorithm

The following is the C++ implementation of the SECPH decryption algorithm using the Crypto++ library.

#include "secblock.h"
#include "vmac.h"
#include "aes.h"
#include "IsaacRand.h"
#include "modes.h"
#include "cryptlib.h"
#include "rc6.h"
#include "seal.h"
#include "randpool.h"
#include <iostream>
#include <fstream>
#include <math.h>
#include <string.h>   //memcpy
#include <time.h>

USING_NAMESPACE(CryptoPP)
USING_NAMESPACE(std)

int CRYPTOPP_API main(int argc, char *argv[])
{
    //--------------------------------------------------------------
    //Message and key setup
    int const width=200;
    int const height=200;
    int const mLen=40000;       //200x200 pixels, one byte per pixel
    int const mLen2=mLen/2;     //Length of each scrambler half
    int const mLen3=mLen2/4;
    int const nBlocks=mLen/16;  //Number of 16-byte RC6 blocks
    char message[mLen];
    //Hard-coded test key (32 bytes) and IV (16 bytes)
    const byte *mainKey=(byte *)"abcdefghijklmnopqrstuvwxyz123456";
    const byte *pbIV=(byte *)"mjhjsdkjfksdlasd";
    char buffer;
    char buffer0[53];
    fstream myFile;

    //Reading plain-image
    myFile.open("image.bmp",ios_base::in | ios_base::binary);
    myFile.read (buffer0, 53); //Reading image header
    for (int i=0;i<mLen;i++)
    {
        //Keep the third byte of every 3-byte pixel
        myFile.get(buffer);
        myFile.get(buffer);
        myFile.get(message[i]);
    }
    AlignedSecByteBlock m_C(mLen);
    memcpy(m_C, message, mLen);


    AlignedSecByteBlock m_M1(mLen);
    byte * m_M2=m_M1.BytePtr()+mLen2;   //Second half of the message

    //--------------------------------------------------------------
    //VMAC initialization
    byte digest[8];
    VMAC<RC6,64> mac;

    //--------------------------------------------------------------
    //RNG initialization
    unsigned int *seed;
    byte RN[nBlocks];

    //--------------------------------------------------------------
    //RC6 initialization: eight cipher versions, 20 down to 6 rounds
    CryptoPP::ECB_Mode<RC6 >::Decryption rc6[8];
    rc6[0].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 20));
    rc6[1].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 18));
    rc6[2].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 16));
    rc6[3].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 14));
    rc6[4].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 12));
    rc6[5].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 10));
    rc6[6].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 8));
    rc6[7].SetKey(mainKey+16,16,MakeParameters(Name::Rounds(), 6));

    //--------------------------------------------------------------
    //SEAL initialization
    SEAL<BigEndian>::Decryption seal;

    //--------------------------------------------------------------
    //ISAAC processing
    seed=(unsigned int*)(mainKey+8);
    IsaacRand rng3(seed[0]);
    clock_t start; //Timer start value
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        for(int i=0; i<nBlocks; i++)
            RN[i]=(byte)rng3.getNext()&7; //Cipher version (0..7) for block i
    double timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"ISAAC processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //RC6 processing
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
    {
        byte *output=m_M1.BytePtr();
        byte *input=m_C.BytePtr();
        for(int i=0; i<nBlocks; i++,input+=16,output+=16)
            rc6[RN[i]].ProcessBlocks(output,input,1);
    }
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"RC6 processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //VMAC processing
    mac.SetKeyWithIV(mainKey, 8, pbIV);
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        mac.Update(m_M2,mLen2);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"MAC processing:"<<timeTaken<<endl;
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        mac.Final(digest);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"MAC FINAL processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //SEAL processing
    byte SCSeed[20];
    for (int i=0;i<8;i++)
    {
        SCSeed[2*i]=digest[i];
        SCSeed[2*i+1]=digest[i];
    }
    for (int i=0;i<4;i++)
        SCSeed[i+16]=digest[i];
    seal.SetKeyWithIV(SCSeed,20,pbIV);
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        seal.ProcessData(m_M1,m_M1,mLen2);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"SEAL processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //VMAC processing
    mac.SetKeyWithIV(mainKey, 8, pbIV);
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        mac.Update(m_M1,mLen2);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"MAC processing:"<<timeTaken<<endl;
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        mac.Final(digest);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"MAC FINAL processing:"<<timeTaken<<endl;

    //--------------------------------------------------------------
    //SEAL processing
    for (int i=0;i<8;i++)
    {
        SCSeed[2*i]=digest[i];
        SCSeed[2*i+1]=digest[i];
    }
    for (int i=0;i<4;i++)
        SCSeed[i+16]=digest[i];
    seal.SetKeyWithIV(SCSeed,20,pbIV);
    start = clock();
    for(int loop=0;loop<102400;loop++) //102400 can be any number
        seal.ProcessData(m_M2,m_M2,mLen2);
    timeTaken = double(clock() - start) / CLOCKS_PER_SEC;
    cout<<"SEAL processing:"<<timeTaken<<endl;
}
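The two-pass scrambler ordering that the listings in A.1 and A.2 follow (a MAC over one half keys the stream cipher applied to the other half), as an added example that is not part of the thesis code. `toyMac` and `toyStream` are hypothetical, non-cryptographic stand-ins for VMAC and SEAL so that it runs without Crypto++; `expandSeed` follows the appendix's 8-to-20-byte seed expansion, and `countDiff` is a helper introduced here.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<std::uint8_t>;
using Seed = std::array<std::uint8_t, 20>;

// Hypothetical stand-in for VMAC (NOT cryptographic): keyed 64-bit FNV-1a.
std::uint64_t toyMac(std::uint64_t key, const std::uint8_t* p, std::size_t n) {
    std::uint64_t h = 0xcbf29ce484222325ULL ^ key;
    for (std::size_t i = 0; i < n; ++i) h = (h ^ p[i]) * 0x100000001b3ULL;
    return h;
}

// Seed expansion as in the appendix: digest[i] -> s[2i], s[2i+1]; digest[0..3] -> s[16..19].
Seed expandSeed(std::uint64_t digest) {
    Seed s{};
    for (int i = 0; i < 8; ++i) s[2 * i] = s[2 * i + 1] = static_cast<std::uint8_t>(digest >> (8 * i));
    for (int i = 0; i < 4; ++i) s[16 + i] = s[2 * i];
    return s;
}

// Hypothetical stand-in for SEAL (NOT cryptographic): xorshift64 keystream, XORed in place.
void toyStream(const Seed& seed, std::uint8_t* p, std::size_t n) {
    std::uint64_t x = 0x9e3779b97f4a7c15ULL;
    for (std::uint8_t b : seed) x = (x ^ b) * 0x100000001b3ULL;
    x |= 1;  // xorshift needs a nonzero state
    for (std::size_t i = 0; i < n; ++i) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        p[i] ^= static_cast<std::uint8_t>(x >> 32);
    }
}

// Scramble: mask M2 under MAC(M1), then mask M1 under MAC(masked M2).
Bytes scramble(Bytes m, std::uint64_t key) {
    const std::size_t half = m.size() / 2;
    toyStream(expandSeed(toyMac(key, m.data(), half)), m.data() + half, half);
    toyStream(expandSeed(toyMac(key, m.data() + half, half)), m.data(), half);
    return m;
}
// Unscramble: the same two maskings, undone in the opposite order.
Bytes unscramble(Bytes c, std::uint64_t key) {
    const std::size_t half = c.size() / 2;
    toyStream(expandSeed(toyMac(key, c.data() + half, half)), c.data(), half);
    toyStream(expandSeed(toyMac(key, c.data(), half)), c.data() + half, half);
    return c;
}

// Number of byte positions in [from, to) where the two buffers differ.
std::size_t countDiff(const Bytes& a, const Bytes& b, std::size_t from, std::size_t to) {
    std::size_t d = 0;
    for (std::size_t i = from; i < to; ++i) d += (a[i] != b[i]);
    return d;
}

int main() {  // exits 0 when the round trip restores a constructed message
    return unscramble(scramble(Bytes(64, 0x41), 0x1234), 0x1234) == Bytes(64, 0x41) ? 0 : 1;
}
```

Because the stream cipher is an XOR, a change confined to the second half alters only the matching byte of the scrambled second half, while the first half is re-masked under a new MAC value. The 20-byte stream-cipher seed is built entirely from the 8 digest bytes.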


Abstract

Cryptography is the most important aspect of communications security. The vast majority of network-based symmetric cryptographic applications use block ciphers. However, it seems difficult to design a cipher that is both secure and fast.

In this thesis, the design of an encryption algorithm that provides both high performance and high security is presented. The proposed algorithm, Scrambling and Encrypting using Cipher Parameters Hopping (SECPH), consists of two main units: a scrambler and a block cipher with hopping parameters (CPH).

The scrambler allows the encryption of only one block with security equivalent to encrypting the whole message, yields an all-or-nothing encryption mode, increases the encryption key length and increases the desired property of diffusion. The purpose of the CPH is to achieve high security and performance by using different cipher versions with different security/performance levels.

SECPH has many important features, including provable security, high performance, flexibility and ease of implementation.

SECPH was implemented using the C++ programming language. The results indicated that SECPH has better image encryption quality than Rijndael and RC6, regardless of the plain images and the mode of operation. For example, one of the images encrypted using SECPH has an irregular deviation (ID) value of 2677 and an entropy value of 7.995, compared with an ID value of 70900 and an entropy value of 4.4 for the same image encrypted using Rijndael, and an ID value of 70862 and an entropy value of 4.401 for the same image encrypted using RC6 in ECB mode of operation (smaller ID values are better).

SECPH is more resistant to differential cryptanalysis than Rijndael and RC6. SECPH has number of pixels change rate (NPCR) values equal to or greater than 99.5% regardless of the plain images, the position of the changed pixel and the mode of operation, in contrast to Rijndael and RC6, which have different NPCR values ranging from 0.04% to 87%.

SECPH has higher performance (throughput) than Rijndael (approximately 26% and 25% faster in ECB and CBC modes of operation, respectively) and RC6 (approximately 30% and 32% faster in ECB and CBC modes of operation, respectively).


Ministry of Higher Education and Scientific Research

University of Baghdad

College of Engineering

Scrambling and Encrypting using Cipher Parameters Hopping

A thesis submitted to the College of Engineering - University of Baghdad in partial fulfillment of the requirements for the degree of Master of Science in Control and Computers Engineering

By:

Mohammed Jafar Ali Abdul-Ameer Al-Shammaa

Supervised by:

Asst. Prof. Tarik Zeyad Ismaeel

(2008) (1429)