 So, to overcome this problem with the ideal block cipher, FISTA will come up with some generic structure of ciphers, and it's used in the one that will go through desks. So, it's not a specific cipher, it's the way to design ciphers, the FISTA structure. And the approach is combining, as I said before, combining operations that substitute some characters with others and other operations that rearrange characters, transposition operations. And doing multiple iterations, substitute transposition, then repeat. Substitute transposition and so on. We saw this advantage of doing multiple iterations when we looked at the rose columns example. When we encrypt once with rose columns, we could see some structure in the output arrangement of letters. When we encrypt it again, that cipher text using a rose column, it looks more random in the output. So, by repeating the operations, it can improve. Of course, if you repeat the operations too often, your performance goes down because each operation takes time to implement or to execute. So, that's the basic concept. We'll see in the next slides the, well, let's see now the structure. And not so clear here, and in fact, you do not need to remember this. We'll see the structure with an example. It's a way to design ciphers. On the left-hand side here is the encryption, and the decryption is on the right where we go up. The idea is we take an input plain text at the top when we encrypt, we split it into two halves. So, we take our block of n bits and split it into two halves, and we operate on a half of the plain text at a time. We operate on the right half. We apply some function f using a key. So, we have a key as an input, but in fact, we have multiple keys as an input. We're going to apply operations and repeat them. We'll call them rounds. We'll do one round and then another round and another round, and each round we'll use a different key. So, we have what's called round keys, and we see here k1, k2, and this example up to round 16, k16. In fact, the users do not have multiple keys. The user selects one key and generates round keys from that one key. We have one key as input. We'll have some algorithmic such that we can calculate 16 different keys. They're called the round keys k1 through to k16 in this example. In each round, we take the right half, apply some function, and that's where we'll do our substitution, and use the key as an input, and the result we XOR with a left half, and then the original right half becomes the left half, and the output here becomes the right half, and we do it all again. We apply the same function with a new round key, XOR, swap the halves, and keep going. Until the end, we do a final swap and we get our psychotext. So, the swapping of the halves is doing a transposition. It's rearranging the characters, and it means we're applying some substitution, which is in the function, on different sets of bits each time. We'll see this more clearly when we go through desks. Importantly, the decryption is just the inverse or the opposite. We take psychotext and we apply the same operations, the same approach. Left half, right half, apply the same function, XOR, and do it in rounds. In the decryption, we use the same code as we use for encryption. We use the same operations. We, of course, have a different input. In the encryption, we have plaintext in the decryption psychotext. We have the keys, the same keys in decryption as in the encryption, but we use them in the opposite order. Here we use k1, k2, through to k16. In the decryption, we use k16 first, and then k15, and then finally k1 at the end. The practical consequence here is that, if you implement the encryption, your decryption is already implemented. You just need one implementation because it's the same code for encryption and decryption. So, that makes the practical implementation easier. The piece of hardware that does the encryption also does decryption. It's just the inputs vary. So, that's useful for ciphers because it cuts down on the cost and the memory requirements for encryption, for implementing the algorithm. But let's see some examples. What have I skipped? Ah, diffusion and confusion. The FISAL structure is applied in many ciphers today, so it's a way to design ciphers. It's not a specific cipher itself. We split the plain text into halves. We have round keys, or subkeys, which are generated from the original key. We have some round function, some function or operation. We do substitutions using an XOR and permutations or transpositions by rearranging the halves. It applies the concepts of diffusion and confusion, which are important in ciphers. The person who came up with a description of these concepts, you know him. You know him from ITS 323, Shannon. Remember the Shannon capacity? Shannon was a guy who came up with a lot of mathematics about data communications, how fast we can send data. Shannon capacity. And he also did a lot of things on cryptography. There's similar concepts. It's about manipulating information, manipulating bits. So he was quite famous, both for cryptography and data communications. And he described diffusion and confusion and the concepts. They're reasonably simple. Diffusion is this concept of, in the plain text, there's some statistical characteristics. I always use the example in typical English language. You count the number of letters. Approximately 12% will be the letter E, because the letter E is the most frequently used in English words. That's some statistical nature of the plain text. That's always there. Diffusion is about reducing that in the ciphertext. That's the idea. If there's some statistical characteristics of the plain text, diffusion reduces those statistical characteristics in the ciphertext. Such that, for example, in the ciphertext, there are just as many E's as there are F's as there are the letter X and so on. There are no, in the ciphertext, one letter does not occur more frequently than another letter. That's the idea of truly random distribution of letters in the ciphertext. An example is that, one way for diffusion is that we have one letter in the plain text impacts upon multiple letters in the ciphertext. In some of our classical ciphers, we saw that's not the case. We encrypt a mono-alphabetic cipher. We encrypt the letter A in the plain text and we get some letter Q in the ciphertext. This letter on the input only impacts upon one letter on the output. One way to achieve diffusion, to reduce the statistics in the ciphertext, is to have an algorithm so that one plain text letter changes many ciphertext letters. So if I change, let's say a different example, my plain text was hello and let's say I get using one cipher, some ciphertext Q, S, B, X, C. Don't care what the cipher is, but I have some plain text. I get some ciphertext. Let's take another plain text, different by one letter. Changing that one letter, if that gives us Q, S, B, X, T, for example our algorithm, this one letter changes just one letter in the ciphertext. That's bad from the diffusion perspective. What we'd like is changing one letter in the plain text to produce many changes in the ciphertext. For example, changing from hello to hells, changing one letter, changes multiple letters in the ciphertext. That's diffusion and that's desirable because it spreads out the statistics of the ciphertext. How do you do that? How do you achieve diffusion? One way is to repeatedly do a transposition, rearrange letters and then apply some function on those letters. We'll see the example of the function in des. Then do that again, rearrange the letters on the input, rearrange them, apply some substitution function, then do it again. Take the output letters, rearrange them, some substitution function and so on. Keep repeating that. The idea is then, by changing one letter on the input, multiple letters on the output will change. Diffusion is to get rid of the statistics in the ciphertext. Another concept, confusion. Make the relationship between the ciphertext and the key very complex. Remember, if we have the ciphertext, one thing is to find the plain text. Given the ciphertext, the attacker or malicious user wants to find the plain text. With diffusion, we make that hard because if we have diffusion, there are no statistics in the ciphertext. So just by looking at the ciphertext, it should be hard to find the plain text. But what if there's some relationship between the ciphertext and the key? Then what the attacker could do is look at the ciphertext and find the key. That would be bad. Confusion is making this relationship between the key and the ciphertext very complex. Such that the attacker, if they know the ciphertext, they cannot derive the key. Even if they can see some statistical characteristics in the ciphertext, even if diffusion is not perfect, it still should be hard to find the key. That's the idea. One way to do that, and we'll see the Fierce Destruction and Desk applies a complex substitution algorithm. You replace some characters with other characters. We'll see an example of why a nonlinear and complex substitution algorithm is useful. In summary, diffusion removes the statistical characteristics from the plain text when we get the ciphertext. Confusion makes it a complex relationship between ciphertext and key. As I've said, the Feistel structure is a design, how to design ciphers. It's not a specific cipher. There are many parameters unspecified, so you can get a cipher by setting those parameters. How big should the block be? Feistel structure doesn't tell us how big the block should be, but people have come up with reasonable values. For example, it can be typical values include 64 bits, maybe 128 bits. The larger the block size in the Feistel structure, the more diffusion is present. The key size. First, a key should be large enough such that a brute force attack is not possible. Remember, brute force, try all keys. 128 bits is large enough because, going back to some of our earlier slides, 128 bits, two to the power of 128 combinations, even with the fastest computers, not possible to break in our lifetime. So make it large enough so there's no brute force attack. And also, with the Feistel structure, the larger the values, the more confusion present. How many times do we repeat the operations? The more times you repeat, the better or the more secure the ciphertext. So the more rounds, the better. A typical value is 16. We will see that's a common value used. But the more rounds, the slower your encryption will take because every round takes some time to perform. And if you keep repeating that, it increases the time to encrypt your data. In each round, we need to generate subkeys or round keys. How do we do that? Well, we need a complex algorithm for doing that. And each round we apply some function f. What is it? Well, we'll see an example. It should be complex. A key point or a key trade-off we see and we see that in all of this course is the trade-off between security and performance. To get a more secure ciphertext, we use a larger block size, a larger key, more rounds. But making each of these values larger leads to poorer performance in our implementation. More rounds means more time to encrypt. Larger keys, larger to distribute, again longer to encrypt, and larger block sizes, normally longer to encrypt. So that's a key trade-off with security. We either get very, very good security, very hard to find the plain text, but at the expense of it takes longer to encrypt. And in practice, that's important. We need to consider practical implementations, not just security. We'll not go through the example. What we'll do is use the data encryption standard as an example. So the FISL structure has been used. The people who designed the data encryption standard followed the FISL structure to design how this specific cipher works. Death, it's a symmetric block cipher. So it's a block cipher, not a stream cipher. Symmetric, what does that mean? What's a symmetric block cipher? A symmetric cipher. Same keys. The person encrypts has a key. To decrypt, you need the same key. There's just one key. Both sides use the same key. Later, after the midterm, we'll see an asymmetric cryptography, an alternative. In death, there is 64-bit, it's a 64-bit block. So there's 64-bit input plain text, 64-bit output cipher text. And the key length, the effective key length is 56 bits. In fact, the key is 64 bits. It's just that eight of those bits are used for a parity check. They're not used for the encryption. So effectively, the key from a security perspective is 56 bits. But the key that you must choose as a user is 64 bits. But you don't use eight of them in the algorithm. It's one of the most used ciphers in the world. It was developed by the National Institute of Standards and Technology, NIST. So the US organization that creates standards there. And they've created many security standards. It was actually designed by IBM. They come up with a cipher. It was called Lucifer. And NSA had an input on that. And it was eventually standardised by NIST. So using the IBM design. And the principles that in DES have been used in other ciphers. So even though DES is not recommended for use today, we'll see why. But it's still used or the principles in other ciphers like triple DES and IDEA. With a 64-bit cipher, we cannot go through examples on the board. Because I cannot write 64 bits down and show you all the operations and go through 16 rounds. So to demonstrate some of the concepts and some of the algorithms used in DES, we're going to use what's called simplified DES. It's a cipher that uses the same concepts as the real DES, but it's just smaller. Instead of 64 bits, we have a smaller block size. Smaller key. Everything's shrunk. It's only used for teaching. It's not secure. It's only used to demonstrate the concepts of DES. You cannot go and implement. No one uses simplified DES to encrypt data. We just use it to demonstrate how DES works. So from now on, or for the next few slides, I'm going to demonstrate DES using simplified DES. So we'll go through the algorithm of simplified DES, and then at the end, we'll come back and compare that to the real DES. And you'll see how close they are. And with simplified DES, I'll go through an example. So real DES, 64-bit input, 56-bit key, simplified DES, 8-bit input, 8-bit plain text, 8-bit output, 10-bit key. Of course, subject to brute force attack, 10 bits is easy, a thousand possible keys, but it's just for teaching. It's just so I can do some examples on the board. And just two rounds. Instead of the 16 rounds that DES has, it just has two rounds. In this, we'll see that we need to generate sub-keys in this case. So we have a key of 10 bits. We'll see when we compare back to the exact values that DES uses, the correspondence. It's, the values are chosen so that we can apply all the operations of DES, but just use smaller values. Let's go through it. The example I'm going to go through, I'll go through on the board. I think you have it somewhere in your handouts. Let's hope so. Hopefully, at the end of the DES lecture notes, maybe not. Anywhere at the end of the handouts. Okay, if you don't have it, then, in fact, it looks like you don't have it. It's on the website. I'll put it in the copy center. It's just a single page. So if you miss something on what I go through on the board, then you'll get it there. We're going to encrypt some data with simplified depths. Just to demonstrate the steps. This is the algorithm for simplified depths. And here's the encryption. Focus on the encryption first. These steps. It's a block diagram. We take, as it input, eight bits of plain text. We're going to apply some operation. And in this case, IP stands for not the internet protocol, but initial permutation. A permutation is a rearrangement, a transposition described. So initial permutation. That's what it is. So we're going to rearrange the eight bits in the initial step. And then we're going to perform our round operation. So we have two rounds. One, two. We're going to apply some function. That function will take, as an input, a key, K1. Then as the output, we're going to swap the halves. SW swap or switch the halves. We're going to have two halves and just move them to the other side. And then we'll apply the same function, F of K. But use a different key, K2. Then we'll take the output and do the inverse of the original initial permutation. IP to the minus one, the inverse operation. That's encryption. And the result will be eight bits of ciphertext. I will go through and explain what each block does. This is just the algorithm at a high level. Decryption is the same. We see that we start with a ciphertext, initial permutation, same function, swap the halves, same function, F of K, inverse initial permutation. It's the same as encryption. The same steps. Except we use the keys in the opposite order. Here we use K1 and then K2. In the decryption we'll use K2 and then K1. So this is the concept in DES as well. Decryption is the same steps as encryption. So you just need one piece of code, one piece of hardware to implement that. We have a 10-bit key as an input. Where do we go? 10-bit key is an input, one key. In each round we use what's called a round key or a subkey, K1 and K2, a round keys. We need to generate them. So there's an algorithm that we use at the start to generate the keys. So we start with our 10-bit key and apply some steps and we'll produce K1 and K2 as an output. Then we'll use them to encrypt. We'll use the same values to decrypt. And the algorithm to generate the key, the keys, P is a permutation. So P stands for permutation. Transposition, rearrangement. P10 will define what the exact permutation is. A shift, we'll see it's a left shift of our bits. Another permutation, another shift, and another permutation. We'll define those steps in our example. Let's go to our example, this one. Let's check it's the same one I've got. So we have some plain text that we want to encrypt. The user has a key, a 10-bit key. We're going to encrypt that plain text with a key and everything. If we go correct in the example, we shall get that ciphertext as an output. So I'll show you the operations using this example. What do we do first? I want to encrypt the plain text. What am I going to do? Again, split them up. You're too far ahead. What do I need first? Well, actually you could, but the first thing we need to do in fact is to generate the keys. So I think before we encrypt, we do this middle part which is the key generation. We have one key. We're going to need k1 and k2. The key generation algorithm, these steps, is the same at both encrypt and decrypt. So let's go through the first step of key generation and it's a bit more detail here. How to read this diagram is that we have a 10-bit key. This line, this arrow with the slash and the 10 means the number of bits that are passed along that arrow. We start with 10 bits. We apply a permutation, p10. That is, we rearrange those 10 bits. The rearrangement is fixed. Whenever we have some 10 bits, we always rearrange them in the same way, according to p10. What is p10? What is that rearrangement? It's defined here. This is p10. The way to read that is that we have 10 bits on input. The first bit becomes the seventh bit. The second bit becomes the third bit. The third bit of our input becomes the first bit of our output. That's how to read this diagram, the permutation. It tells us when we have 10 bits of input how to rearrange those 10 bits. That's fixed for the algorithm. The attacker knows that, so everyone knows that, and it's always the same. The same in real desk. There's a permutation. It's much bigger. It's not on 10 bits. It's much bigger, but again it's defined and fixed, publicly known. Similar, we'll see some other permutations, p8 and p4. Let's do it, p10. We take our key and apply permutation to p10. We'll do it slowly at the start. I need it, so I can remember. The definition of p10 is take the third bit becomes the first bit. This is p10 we're doing here just to make it clear. The third bit becomes the first bit. The fifth bit becomes the second bit. Bit five, and then we have the second bit. Bit two, bit seven, which is here. Bit four, 10, 1, 9, 8 and 6. 9, 8 and 6. So let's just rearrange those bits. Any questions on that? Because we'll use the same concept in other permutations, and I won't go through it in all the detail. So the output of the p10 operation is the 10 bits, 1, 0, 0, 0, 0, 1, 1, 0, 0. Nothing complex about that. Just make sure you understand the notation we use on the slides. Okay, easy. Not easy. Why? Rearranged 10 bits. It's one of the easiest things you'll get in this course. The ordering is told to you. That is in the exam, I would give you this information in p10, so that's given. You don't have to remember the exact rearrangement. It's defined as part of the algorithm. It's a transposition, similar to the rose column cipher, the rail fence cipher. They just rearrange the letters. This is just rearranging the bits. Of course on its own, there's no security value in it, because on its own, if the attacker has this and they know the arrangement, they can easily get this. But we'll see as we go through, as we apply multiple transpositions and substitutions, it should be hard for the attacker to work out, given the cipher text, what the plain text is. So let's keep going. What's the time? We'll go through for another 20 minutes or so, this example, and then we won't get through the end. And then at the end, I'll give it another example on our steganography, see how far we can go. That's p10, this step. And now we split it into two halves, the left and the right half. So we're going to operate on each half and we'll do a left shift by one position. LS means left shift. So as simple, you've seen these in computer hardware courses and so on. We just shift all the bits to the left by one position. Of course, the leftmost bit wraps around and becomes the rightmost bit. Try it. But do it on five bits at a time. That is, do a left shift on these five bits, and then do a left shift on these five bits separately. So this was p10. Now we're doing a left shift. What's the first? What do we get? So the second bit becomes the first bit. So it's just this. And the leftmost bit becomes wraps around to the rightmost bit. Everything shifted left. But you do it on the two halves separately. Then do it on the second half, the right half. It becomes 1100. And that becomes at the end 0. And then we join them together again. We've got the 10 bits back together and apply p8. P8 is both a permutation and a selection. Note there are 10 bits in 5 plus 5, 10 bits in, 8 bits come out. So 10 bits come in, 8 bits come out. We rearrange and discard 2 bits. And it's defined here. 10 bits in, the 8 bits out, we get rid of bit 1 and 2. So apply p8 on these 10 bits. What do we get? We get bit 6, 3, 7, 4. 6, 3, 7, 4. 8, 5, 10, 9. 8 is 0. 5 is 1. 10 is 0. And 9 is 0. So that's p8 being applied. We rearrange those bits, but only 8 of them. Bits 1 and 2, we discard it. And now we have k1, the round key for round 1, or the subkey k1. That's the output here. So this value is k1. We'll use that later when we encrypt and also use it when we decrypt. The next step, if we go back up a bit, the output of our left shift, those 10 bits, we perform another left shift on each half. LS2 means a left shift by 2 bits, 2 positions. So take this 5 bits again and do a 2-bit left shift. And same with the right half. So this was LS1. And now do LS2 on these and see what you get. And to finish, do p8 again. Tell me what you get. Do p8 and you'll get the k2, the second round key. Yeah, LS2, we apply on the... This we're finished with. We don't use this again. It's k1. We see here, we take the output of the LS1 and input it into LS2. And same with the right-hand side. It is take these 5 bits and do a left shift by 2 positions. Shift everything left and we'll get 00100. Let's just make this clear. And then apply p8 on those 10 bits and you'll get the final result. So the last 10 bits, we apply p8 again. We'll get rid of bits 1 and 2 and rearrange the other 8 bits. And the result is k2, the second round key. You can try it and then we'll check our answers. Okay. And I'll just make some space and I'll clean these off. So p10, rearrange the first 10 bits, a left shift on each of the halves and then p8 gave us k1. And then going back to these 10 bits, we apply a second left shift by 2 positions and then p8 gives us the k2. This is p8. So let's record k1 and k2, the round keys. We've just done the middle part, these steps. We now need to encrypt our plain text. With our encryption, we take our 8-bit plain text, apply some permutation. Again, that's defined. It's just another rearrangement shown here. It's an initial permutation. We just do it at the start and we do an inverse at the end. And then we apply some function f of k. So let's first do the initial permutation and then describe the function. Take our plain text, 0111, 01. There's our plain text. Apply ip, the initial permutation. We get the second bit, bit 2, bit 6, bit 3, bit 1. So reading through here, bit 4, 8, 5 and 7. 4, 8, 5 and 7. That was applying ip from our plain text. That was this step. 8 bits in, 8 bits out. In fact, we have a more detailed description here. This is the detailed encryption algorithm. It shows us the function f of k. This dark gray box on the, the larger dark gray box is f of k, a function that takes a key as an input. Takes 8 bits in, takes a key as input and produces 8 bits out here. Then we'll do swap the halves and then we'll apply the same function. Take 8 bits in, k2 as an input. We'll get 8 bits out and then we'll do the inverse initial permutation and get the ciphertext. So we've just done ip at the top. Now we need to go into the details of this function. We see it involves multiple steps. Let's describe them. The first step, again, we, as in the FISAL structure, we operate on the left and the right half separately. So we split our input into two halves. And you see here, the left half, follow this line, 4 bits, the left half is not used until the end. We do all of this on the right half. So the rightmost 4 bits. We take the right 4 bits, ip, expand and permutate. We take 4 bits in, we're going to get 8 bits out. Permutate, we'll rearrange as well. We'll define, it's defined on the previous slides. Then we'll take those 8 bits and exclusive all with the key, k1, which we just calculated, the round key. Then we'll take each half, so we have 8 bits, so 4 bits at a time, and apply an s-box. And this is not an x-box, an s-box. S stands for what? S stands for what? Substitution box. This is our complex substitution, s-box. No, this s0 and s1. P is permutation or transposition. We've called it transposition in the classical ciphers. So two main operations in ciphers. Rearrange, P, permutation, or substitute, which are the s-boxes here. In fact an xor also does a substitution. But we'll see that the s-boxes are the complexity, the non-linear substitution. So we'll describe them. We take the outputs, a permutation, xor with a left half, take 8 bits, swap, do it all again. Do an inverse initial permutation, and we get our ciphertext. Let's just get started on this block in here. So we take 4 bits. We're just going to operate on the right half now. That's, we're at this point, the 4 bits here. And we're going to go into this light gray box here, where we first expand and permutate. It's defined here. We take 4 bits in, bit 1, 2, 3, 4, and we get 8 bits out. Bits 4, 1, 2, 3, and bits 2, 3, 4, 1. We took 4 bits, and we get 8 bits out using the EP operation. That's this. We repeat, we repeat the bits 2 times and reorder them. Any problem so far? Always an exam question. Encrypt this with simplified desks, or even quiz questions. Next. Exclusive or with k2. So we've got 8 bits. Exclusive or with k2. Sorry, k1, k1. Xor with 1, 0, 1, 0. 0, 1, 0, 0. This is our input. This is k2, k1. Why am I confused? We're going to xor. What's the answer? So perform the xor. What's 1, xor, 1? You've got two choices. It's not 1. Exclusive or 1, xor, 1 is 0. 1, xor, 0, 1, 1. Did I get that correct? 0, 1 gives us 1. The other just gives us 0. So simple, exclusive or. And we're now about to start our S-box. We split that into two halves again, two 4-bit values, and we feed the left half into what's called S-box 0, S0, and the right half into S-box S1. What are the S-boxes? Well, we're going to substitute some values with other values, and they're defined where? They're defined here. So let's first consider the left half. The input is 0, 1, 1, 0, and the input to S-box S0. There are two S-boxes. So we first take the left half, 0, 1, 1, 0, and it's an input to this first S-box S0. The way to read this, we can think of it as a matrix where we have 4-bit input, bits 1 and 4 specify the row, and bits 2 and 3, the middle two bits specify the column and simply look up the matrix and we get the output value. We'll have 4-bits in, we'll get 2-bits out. We substitute some 4-bits with 2-bits. Note that, of course, remember the index in the array we start, in the matrix we start with rows 0, 1, 2, and 3. We're using binary, so if we use these values to determine an index in the matrix, then bit 1 and 4, in our case, bits, bit 1, bit 4 tells us the row, our case, 0, 0, and bit 2 and bit 3 tells us the column, 1, 1. In decimal, row 0, column 3, assuming our index starts at 0. What's the output? Row 0, so be careful. Row 0, 1, 2, 3, column 0, 1, 2, 3. Now just look up row 0, column 3, output is 1, 0. So be careful with the indexes here. Our index starts with 0s. The index to the matrix starts with 0, 0, 1, 2, 3, not 1, 2, 3, 4, because with 2-bits we cannot get the value 4. And then on the right half we had over here, 0, 1, 1, 1, we apply that on S-box S1. So try that. So what we just did was for the left half here on S0 and take the right half and input into S1. Try it. So take those 4-bits and use them as the indexes for the index to find the element of S1. And the output, we get row 0, 1, column 1, 1, the middle 2-bits, and simply look up row 0, 0, 0, row 0, 1. Column 1, 1 is here. 1, 1 is the output. So that's how we use the S-boxes. And these are a substitution and an important part of the algorithm. Note that if you look at the values, they're designed in a way such that it's hard to go backwards. To give them one of these values, tell us what the input was. So given, if I give you 1, 1, what was the input? Well, it can be many possible values. So going backwards, there's no way to find the exact value, the correct value going backwards. If you knew that the output was 1, 1, the input could have been for this value, this value, this one, or this one. But that's one of the features of the S-boxes. I think what we'll do in the last 10 minutes, we'll try and finish this first round and then we'll leave it till next week to show the steganography example. Where are we going? Where are we? We are here. 2-bits as the output of each of the S-boxes. Okay. And now you need to do P4. Try it. We have 4-bits, 1, 0, 1, 1. We took the 2-bits from S0, the 2-bits from S1, and now apply P4. P4 is defined for us somewhere. 2, 4, 3, 1. 2, 4, 3, 1. We get our output. We're now here. After applying P4, we get 4-bits. And now we take the left side from IP, which I just removed. What's the left side of IP? The left side of output of the initial permutation. When we did the initial permutation at the start, I had it up there. I removed it. We took the right side and now we take the left 4-bits from the output of the initial permutation and XOR with these 4-bits. What were they? The output of IP was 1, 0, 1, 0. This is the left bits out of IP. When you perform the initial permutation, you got 8-bits out. These are left 4-bits. XOR. And we're now here. And the right bits out of IP, the right bits, 1, 0, 0, 1. So the output of IP, we take the right bits and bring them to here. So we have, let's say, 1, 1, 0, 1 at this point plus the right bits from the output of IP, which is what? 1, 0, 1, 0? Again. One more time. 1, 0, 0, 1. This is the left, the right bits out of IP. That is, we did P4. We took the left bits from IP, XOR, and then combined with the right bits out of IP. And we are here. We're at the end of f of k, our function. We swap the halves, swap these two. So we end up. So again, we have 1, 1, 0, 1, 1, 0, 0, 1. And now swap the halves. And we now start round two. We do exactly the same from what's in the dark gray box at the top. We apply the same steps, but we just have a different input here. And the only difference is that we use k2. But the operations are the same. And you will do that and find out that the output here, you'll apply f of k. And you'll get, so from this point, we have these eight bits. We apply f of k, the lower case f, with a k, k2. And the output of that here is 1, 1, 1, 0, 1, 1, 0, 1. Then there's one last thing to do. And it's the inverse initial permutation. In the exam, you may see from last past year exams, then I've given you, for example, the pictures of the algorithm and the permutations. And it simply encrypt this, decrypt this. Usually it's not the whole step. It may be, for example, here's the input to this block. Tell me the output or the ciphertext. Takes you 10 minutes. Doesn't take long. You'll see from past exams. But I think recently I haven't given long questions on this. So in fact, each individual operation is quite simple. Permutate and the permutations are defined. And a substitution. Well, two things. There's XORs and there's the S-boxes. But again, quite simple on their own. Combined, without doing a brute force attack, if you have the ciphertext, you will find it very hard to get the plaintext to go backwards if you don't have the key. And so the algorithm itself is quite secure. Any questions on those steps? We're not going to go through the second round yet. How do we build an inverse? Okay. How do you do the inverse permutation? That will be your homework. Work out the inverse permutation. What do we mean by the inverse? Here it is. It's the inverse of IP. You work it out. Because I've given you the this is the input to the inverse. And the answer, the ciphertext is on the slides. You should get this as the output. So try and work out what do we mean by the inverse permutation. So try and work that out, that one. Any other questions on the individual steps? Sorry? For sure. Simplified desks, we can do a brute force. But simplified desks is simple for teaching. Real desks, 56 bit key, also susceptible to brute force. But it's no longer used. Because the same concepts are used in other ciphers. We'll look at the advantages and disadvantages of real desks next week. So next week what we'll do is summarize on simplified desks and more importantly compared with real desks and see the similarities. Five minutes, one last example. Here's a flag, a picture, a JPEG. We've got a picture. I want to apply steganography. So the concept or the idea is I'm going to send someone this picture and hidden inside the picture is going to be a message. That's steganography. And I've got some software that will do it. It's very simple. It's not that efficient. The program is, so I want a message. So we have our secret message and I'm going to save that in a file. So this is what I do as the sender. I create my message, save it in a file. Whatever we want to call it, my message. So we have our message in a file and then we use some program. The idea is to take a JPEG and a JPEG is an image is a set of pixels. And each pixel, each dot there is represented by some number, some integer, or some binary value. And the idea is that what we can do in the structure of the JPEG file is change some of the bits. It may possibly change some of the pixels, the exact values, but from what you see you will not notice any change. So change some of the bits such that we use those bits to carry the message. Because our message, if we convert using ASCII, we can convert to binary. My message is in binary and those bits are then encoded inside the JPEG image. So I have a program that will do it for us called out guests. There are others that do it. It takes as the input the message, takes my picture and produces another picture as the output, a second JPEG. It gives some statistics, not explained, but it shows some statistics about the bits that have been changed in there. 118 bits changed. And it's created an image. And then I take that second image and send it to someone. So I take the second image and I send that to you and this is what you see. So you receive this and when you look at it I'll just, what's the difference? So this is the first image and the second image. There's no difference in fact in this case. In this case because I think we have some extra bits that in a JPEG you can change some bits and not even change like any of the pixels because there's some extra information that we can change. So we can encode depending upon the length of your message. If you had a longer message then maybe some pixels that change. But again it would be very hard to notice. So we send the second message across the internet. Someone may intercept it but all they see is a picture. They don't know that it carries a hidden message. Except the person who receives it knows that it carries a hidden message and they use the software to take the received picture, the second JPEG. So we take the received picture and put the message into some file. Now you get some statistics and if we look at the file we get the message out. So the receiver has an image only and this program decodes or extracts the hidden message from that image and puts it into a file received.txt and it's of course the same message. Sorry? No, no. From I create, I take the original image, I encode the message in that original image and I get a second image. It's different. The bits are different but when I send that from the view of someone looking at it they cannot see the difference. You cannot perceive any bit changes but in fact the bits are different. The bits contain the message that was encoded. So the receiver gets the received message, decodes and gets the hidden message out. That assumes that of course we can use that image and change some of the bits without someone noticing. So long as your message is small you can do that. If the message was a 10 kilobyte document it would be much harder to do that. You may see the changes in the image. So that's a quick example of steganography. There's a link to that example so you can see the code or you can see the program on the course website. You'll find a link to that example. Let's continue next week.