 Before we start to go into block ciphers, and the main example of the block cipher desk, we'll just recap on what we know, or some parts of what we know from classical ciphers. We went through several example, very simple ciphers, starting from 2,000 years old, the Caesar cipher, and they were transposition techniques. We, sorry, wrong way around. Substitution techniques. We substitute one element with another. We used English characters, so we were substituting a h with a j, for example. And then there were transposition techniques, where we take the plain text, a set of characters, and rearrange them, transpose, we change the position of the characters. Did we finish? Actually, I think we've got, we can go back to that one last transposition techniques. We got to rail fence. We still have one more thing to do. We got through some examples of the two transposition techniques, just two basic ones. Rail fence, where we write the plain text in a set of rows, writing the first letter in the first row, the second letter in the second row, and so on. So that the key, in fact, was the depth, the number of rows. And then we finish with an example of rows, columns transposition, where, again, we write our plain text in rows, and then the key determines which columns we read first to get our plain text, sorry, to get our ciphertext. So we write security and cryptography in a set of rows, and then the key is a set of integers that says the second column is read first, because the one is in the second position of the key. The fifth column is read second, and we read column by column to get our ciphertext. So we had an example of that, both of them simply rearranged the letters. This example tries to illustrate the case that when we repeatedly apply the same algorithm, we can improve the security of the resulting ciphertext. And this simple case uses a rows column cipher, so I've got the answers here. We start with some plain text, attack postponed until 2 a.m., x, y, z, the x, y, z, we're going to use to pad out. So we've got a correct number of characters because our key, 4, 3, 1, 2, 5, 6, 7, tells us that we're going to have to write this plain text in 7 columns. And with 7 columns, I think if you count the characters, how many are there? Anyone count for me? How many characters? 28, I think, I hope so. How many characters in the plain text? Yeah, 28 characters, we'll see here, I've got numbers. 28 characters, 7 columns, so we write our plain text in 4 rows, 28 divided by 7. And then, so attack post, so the first 7 letters in the first row, the next 7 letters in the second row and so on. And then to get the ciphertext, we read the third column, because the 1 in the key is in the third position, read the third column, so down and that produces t, t, n, a. So if you look at the third column, you'll see t, t, n, a under each other. And then we read the fourth column, because that's where the 2 is in the fourth position. And we get this ciphertext, so you can try that in your own time, we're not going through it now. What we show, and we'll do it again in a moment, but what we show here is, let's not worry about the individual letters, let's look at the ordering and see how the transposition rearranges these letters and see the patterns. Let's say we number these 28 letters from 1 through to 28, and I can't fit it all on one line, so I've wrapped it across two lines, so a, t, t, a, c, k, p, and so on. That's how we interpret it, so 1, 2, 3, 28, that is character 28 in our plain text. So just number them 1 through to 28, and we get these. Then we apply the rose columns transposition cipher, and we get this ciphertext. But remember transposition, transposition, we just rearrange. So if we follow where do the letters end up, where does the first letter a end up in the ciphertext? That's what this set of numbers tell us. The first letter, 01 here, ends up in which position? It's here, the 13th letter. I think it's this a here. If you follow through the cipher, you'll see that this a ends up here. Or if we look at numbers, the first letter in the plain text ends up in the 13th position in the ciphertext after the rearrangement after the transposition. The third letter in the plain text, which was a t, ends up in the first position of the ciphertext, actually moves to here, when we apply this algorithm. So that's all these numbers are showing us. How did we rearrange them? Because we want to do some analysis and see how good this rearrangement, this transposition is. So if we start with some plain text, after applying our cipher, we get this arrangement of the letters. Now look at these numbers on the screen, on the printout in front of you. Look at this set of numbers. What pattern do you see? Look at this set of numbers. Describe the pattern you see. Just tell me if you see any pattern, if so, what is the pattern? Just look at the numbers, yeah? I'll check that later, okay? All right, thank you. Someone made a point that maybe there's a mistake in one of these. And good chance of being correct. There may be a mistake in one of these, but we'll survive with this mistake until later, okay? I don't know, but I think it won't make any difference. Maybe one letter has shifted, but I'll check that later. Looking at the, coming back to these numbers. This is, let's say it's all correct. This is the output after the first encryption. What pattern do you see in these numbers? Just looking at the numbers. Does anyone see a pattern? So look at those 28 numbers. Do you see some ordering of the numbers that make some pattern, make some sense, or is it all random, these numbers? Random? What's the pattern we see? What do you see there? Plus seven, okay? Look at the numbers. Easy. I don't ask complex questions, okay? Look at these numbers. Three, 10, 17, 24. There's a difference of seven between these four numbers. Just incrementing. All right, 24 to four. Well, that's strange. That's not a difference of seven. But four, 11, 18, 25, a difference of seven. If I ask you, does this sequence of numbers look random? Yes or no? Hands up for yes. Do they look random? Do they look random? This sequence of numbers. If I tell you, here's a random sequence. Three, four, three, 10, 17, 24. I think you'll start to see a pattern. A random sequence should not have any pattern. There should be no structure in a random sequence. This has some structure that we can obviously see. Four, 11, 18, 25, a difference of seven. Two, nine, 16, 23, a difference of seven. So every four digits, every four numbers have a difference of seven. Why? Well, the way that the rows column works in that we have seven columns. Every four numbers because we had 28 characters, seven columns, groups of four. The point is, when we apply a cipher, we take some structured plaintext. We'd like to get random looking ciphertext. Ciphertext should be hard to work out what the plaintext is. So it should be, we say, simply random looking. This is obviously not random. We can easily see the pattern. So it's not very secure, this cipher on its own. But if we take this ciphertext and apply the exact same cipher with the same key, again, on the ciphertext, and you can check, we get this ciphertext as an output. And instead of looking at the letters, we look at where do the original plaintext letters end up? After the first transposition, the first letter ended up in the 13th position. But after the second application of our cipher, the first letter ends up in wherever the 20-something position, here. Similar, the third letter of plaintext, the T, after the first time we applied the cipher, went to the first position of the output, but then we apply the cipher again on this, and that third letter moves to here, the 13th position. Now look at these numbers, sequence of numbers, 17, 9, 5, 27, 24, tell me the pattern you see. So in the previous sequence, we saw this difference of seven. What do you see in the next sequence? Try and find it. Look at those numbers at the bottom of the slide and see what pattern you see between the numbers, if any, these ones. Of course, I think you'll quickly see our difference of seven has disappeared. We don't have a difference of seven between the neighbor numbers. 17 down to nine, some difference of eight, down to five, minus four, but up to 27 plus 12, okay? There's some differences in how they differ between those numbers. Anyone want to guess? Not so obvious to see any pattern in these numbers. To me, and hopefully to most of you that are following these sequence of numbers look more random than this sequence of numbers. This one, we can see a pattern plus seven, plus seven, plus seven, and then plus seven, seven, seven. In this one, there's no similar pattern, no obvious pattern at least. They're going down and then up. The point is that the second output of applying the cipher is more random, if we can say that, than the first application. And less of an obvious pattern in this case using the same cipher and leads to a more secure ciphertext. What we'd like is a ciphertext which is completely random. That is, there's no pattern that can be observed by the attacker. The point is here that by applying the transposition twice we've improved the security of the output ciphertext. And it's a concept that's applied in most ciphers today. Take some simple operation, rearrange these letters and repeat it multiple times. So after the first application maybe the output's not very secure but after you apply it again it's better and again and again and again. It keeps mixing things up. And the more mixed up it is, the harder it is for the attacker to take the resulting ciphertext and work back and find the original plaintext. So this is an important concept that we use in real ciphers. Apply simple operations multiple times and similar with substitutions, not just with transpositions. So we've covered the two main techniques, substitution, transposition, last one. What's the message? For those who haven't sat in my lecture before what's the plaintext if you one or two minutes? Here's a message you receive. It has a hidden message. What is it? And we'll come back and explain what we're doing. There's a hidden message in there. It's in fact a real message but there's some secret hidden. It's some real message between two professors or two people at a university, someone sending a greeting to George. Anyone want to have an attempt? What's the first word? Second word. Okay, he has election notes from last year. He's got it. Anyone else? What's the message? We'll come back, give you a chance. Let's explain what we're doing. This is another, a different thing than what we're gonna cover in this course, steganography. This is the process of hiding a real message inside a fake but meaningful message. So what we do is I send some message that makes sense, not encrypted, so I send this letter to someone but inside that real message that inside that message that makes sense, I hide another secret message, one that I don't want other people to know. This is the process of steganography. And this assumes that the person who receives this message knows the method I'm using to hide the secret. And there are different examples of how to hide a secret in some other message. In the old days, for example, a written letter, you write a letter and you put small pinholes above the characters that make up your secret message and if you hold it up for the light or you hold it so you can see the pinholes, then you identify the characters and read off the secret message or some form of invisible ink where you write a normal message but something's marked such that there's some secret identified in there as well. We'll see in the next slide our secret message in a moment. Today, more practical, you send an image or a video across a network say a JPEG and you modify that JPEG a little bit such that some bits in the binary representation of that image make up some hidden message. The output is that from the user's perspective, it doesn't look like the image is any different from some original image. Some bits have changed, meaning maybe some pixels change in color but from the human eye it's hard to detect but in fact there's some coded message included and similar can be done with videos. This is not encryption but we can use it for a similar purpose of hiding a secret and communicating between two entities and the advantage of this compared to encryption is it doesn't look like you're hiding anything. I send someone a normal message from an attacker's or an observer's perspective. They cannot, it doesn't look like I'm communicating a secret to the other person and that can be a benefit sometimes for example to avoid traffic analysis. The problem with steganography is that once the attacker knows how I'm hiding the message, they can find everything that I've sent in those messages and it can be inefficient in that I need to send a large amount of information to get a short message from A to B. We're not gonna cover steganography in this course but it's an interesting thing for you to do outside of the course. But we'll finish. Anyone else have the message? What's the secret? Well, George knows the procedure in this case. George knows when he receives this message from an attacker's perspective, it just looks like a normal message or email or letter someone would send someone in a university but George the receiver knows the method is to read the last word of each line. Try. The last word of each line. Your package ready Friday 21st, room three, please destroy this immediately. Chaos yours. So here's the secret message included inside this fake message. Of course, once you know that method, read the last word of each line, it's very easy to see and it's very easy for the attacker to find it. But if you don't know the method, it's hard to find what that secret is. But again, steganography will not cover that anymore in this course. What's the best cipher we've got so far? Which cipher is the most secure? I've gone through Caesar, mono-alphabetic, play fair, vision air, one time pad, rail fence, rose columns. They'll all be in your quiz online and all be in your quiz next week in the lecture. Which one's the best of those seven? One time pad is the best. Best in terms of security, okay? So it's the most secure. And in fact, it's the most secure cipher that we know of. We saw the one time pad, we applied the Caesar cipher changing that assuming we had a random key as long as the input plain text. You can implement the one time pad in practice as an exclusive or. Let's move from English to computing. And instead of A to Z, we'll look at zeros and ones binary. I don't think you have this one, sorry, but let's, you don't need it. It's just an example, no need to copy it down. Let's just have a quick look and just demonstrate that, okay, I wanna send a message. So this is actually an example of a brute force attack, but that's not so important. Have a message, hello, I wanna send that to someone. Well, we represent that in binary. So how do we do that? We can use an ASCII conversion where we do a look up and see the letter uppercase H converts to some seven bit value. And I've done that. And it turns out that uppercase H corresponds to 10010000. You look up in an ASCII table and it'll tell you that. And similar for the other. So we can treat any message as binary and we'll do so when we look at our ciphers from now on. Zeros and ones. And a second example, okay, let's say we have the message Steve is what we wanna send. Then here's the binary form of the four letters and of course E is repeated at the end. So in decimal from the ASCII table and the binary form. So Steve can be represented as a seven by five, 35 bit plain text value. So now from now on we're going to deal in binary for our ciphers not with English characters. One operation that we can use to encrypt and it becomes in fact the one time pad is to take our plain text and apply the exclusive or operation. Take the plain text input and exclusive or with a key. And it's the same as the one time pad that we saw where we take our plain text as a set of letters and apply the Caesar cypher where our key is as long as the plain text. If our key is as long as the plain text and random, just applying the exclusive or between the plain text and the key, I will not show the example yet, the plain text and a key is the same length as the plain text will give us ciphertext which is perfectly secure. There'll be no way for the attacker to take that ciphertext and determine the correct key nor do a brute force attack. So exclusive or is a way to implement the one time pad. Everyone remember exclusive or, zero XOR zero, zero XOR one, one XOR zero, one XOR one. When they are different, one is the answer, when they are the same, zero is the answer. Zero XOR zero is zero, for example. We're going to see XOR used and some other operations used when we look at our real ciphers. So just a warning, let's treat everything as binary from now on. So let's look at some real or a real cipher and the first generally the concepts of block ciphers, the principles. So we're going to talk about block ciphers but first we need to define what do we mean by block cipher? Well there's an alternative, a stream cipher and we distinguish sometimes between stream ciphers and block ciphers and the main difference is on how much of plain text do they operate on at a time? Stream cipher typically operates and encrypts one bit or more commonly one byte at a time. Block cipher usually encrypts say 64 bits or 128 bits at a time. We'll see some examples. We will not cover much of stream ciphers yet, we'll see an example later. Stream ciphers normally use some, take some plain text as input and generate some random sequence of bits and apply the XOR operation, exclusive OR between that random sequence of bits and the plain text and get our cipher text. So stream ciphers usually use exclusive OR and the complexity of stream ciphers is in generating a random sequence of bits. So we'll return to that later when we look at random numbers. How do we generate them? The one time pad is an example of a stream cipher. Assuming we have a random, a long random sequence of bits that's our key, simply XOR with the plain text and you get your cipher text. Block ciphers operate on some block of plain text at a time, typically 64 or 128 bits in most ciphers we'll see, we take the input bits and apply some encryption algorithm and we'll see that usually much more complex than just an exclusive OR and we get our cipher text as output. And of course that encryption algorithm takes a key as input. We're gonna focus on block ciphers for now. We'll return to stream ciphers later and discuss the differences. So some characteristics of block ciphers. In fact, this is a characteristic of any cipher but we need reversible mappings. What a cipher does is take some plain text and produces cipher text. So it maps the plain text bits to a set of cipher text bits, perform some mapping. These bits become these other bits. Reversible means that we must be able to successfully decrypt. If we have some mapping as defined in this table where we have two bits of plain text at a time, a block size of two bits and we define the mapping that if we encrypt zero zero we get one one as an output. If we encrypt zero one we get one zero one zero maps to zero zero one one maps to zero one. Then this mapping is reversible because if we take our cipher text we can get the original plain text back. If my plain cipher text, if my cipher text is one one then I know for sure the plain text is zero zero. Because we have a one to one mapping the table on the right here is an example of an irreversible mapping. If I encrypt plain text zero zero I get one one. Zero one maps to one zero one zero to zero one one one to zero one. Now I receive some cipher text I receive the cipher text zero one. What's the plain text? If I receive zero one I need to decrypt and get the original plain text back but I cannot do it because if I have cipher text zero one I don't know whether the original plain text was one zero or one one. So it's not a reversible mapping. We cannot do the opposite mapping. So we must have a one to one mapping between plain text and cipher text. The plain text cannot map to, a different plain text cannot map to the same values cipher text. That's the principle. Otherwise we cannot decrypt. So let's look at it. Let's look at a cipher and then talk about a block ideal block cipher. You have the one I'm about to show. It's an example of an ideal block cipher. You have this in your lecture notes. Let's start with a very simple block cipher that we'll treat it as a mapping and it maps two bits of plain text to a set of possible cipher text values. So if you find this one I'll show just the mapping and explain it. Let's say our block size is two bits. That means what we do when we have a plain text message to send, let's assume we have a cipher that encrypts two bits at a time. We take two bits of plain text, encrypt and get two bits of cipher text. Then we take the next two bits of plain text and get two more bits of cipher text and we keep doing so. That's our encryption approach. So we can think of the cipher as mapping two bits of plain text to two bits of cipher text. What this diagram that's from the print out you have that shows all possible mappings for every two bits of plain text given 24 different keys. So we have a two bit block in this example. That means our plain text and our cipher text will be two bits long. If our plain text is longer we separate it into blocks. So what this diagram is showing is that if we just look at the top if my plain text is zero zero and if I use key one then the cipher text will be zero zero as an output. That's one mapping. Using the same key, key one, plain text zero one, output is zero one. And one zero goes to one zero, one one to one one. There's one mapping using a particular key. So how many possible plain text values do we have? We see there are two to the power of two possible input plain text. This is I think on your hand out. With a two bit block cipher the set of plain text values we can have is four to the power of two. And we've listed them in the first column. And our cipher maps plain text bits to cipher text bits. How many possible mappings do we have? And the answers in front of you, it's on the screen. Well there are 24 possible mappings. They're all listed here. So the first 12 are on the top and the second 12 underneath that. There are 24 possible mappings. From those four plain text values to reversible mappings to cipher text. Why 24? What's the equation? How do we get 24? Four factorial. There are four factorials, 24 in this case. We have four inputs. We can rearrange them in how many ways? Well, you can check and see that this all 24 possible rearrangements of them. Four by three by two by one. 24 or four factorial arrangements or combinations. So if you look at the first column at the top, you'll see that's one arrangement of those four values. And so this is one of the arrangements. And with K2, that's a different arrangement and so on. So we have a total of 24 possible different arrangements of those four values. And they are our possible mappings from plain text to cipher text. What arrangement do we use to encrypt? Well, that is the key. That is the key for our cipher. So this is a definition or this is an example of a ideal block cipher. So how it works is we take some plain text as input and we, and produce a cipher text as output where the input to the encryption is also a key. That's our normal operation. For example, plain text 01, the encryption is defined by all of this data here. Plain text 01, okay, we find the plain text value and then the key determines which mapping do we use of those 24 possible mappings. So if, for example, we have a key of, if we choose a key of K17, for example, key 17, mapping 17 in our list, what's the cipher text? Well, plain text 01, plain text 01, the third row, key 17, mapping number 17, the output will be zero zero as a cipher text. Plain text, sorry, plain text is zero one. Let's try that again. Plain text is the second row, zero one, key 17, output zero one. Key 17, plain text, zero one, output zero one for this case. So here's a cipher. What we do is we take all possible plain text values and define all possible mappings or all possible arrangements of those plain text values. And the key determines which arrangement we use to determine the cipher text. This is what we call an ideal block cipher. We can implement any block cipher like this. How big is the key? What is the key length in this case? What is the key? I said key K17. Well, the key tells us which mapping to use. So K17 means use mapping number 17. So what the source does, the source that has the plain text, they have this table, these tables. They define the mappings, all possible mappings and they take their plain text and they choose the secret key and they get their cipher text. They send the cipher text to the recipient. The recipient must have the same set of tables to decrypt. But in fact, the key can tell us the mapping to use. K17, we could write as those eight bits. Which eight bits? These eight bits. K17 we can say is one one, zero one, zero zero, one zero. How that works is that we read this. So it's meaning, okay, zero, the plain text zero zero maps to this value. Plain text zero one maps to the second value. Plain text one zero maps to the third and plain text one one maps to the fourth value. So we order the plain text. So if this is the key, what we do now is that the source chooses the key that is this specific mapping. They encrypt and they get zero one as the output. They send zero one to the recipient. If the recipient also knows this key, then what do they get as the output? Well, they receive ciphertext zero one, which is in the second position of the key. And therefore the plain text is zero one of output. Because it's right at blue, we have our ciphertext, the plain text. The key is the blue value. And this is just the values in order. So we always write these in order. So if recipient receives zero one from the key, they know that zero one goes to zero one in the plain text. If the recipient received one zero as the ciphertext, they know the plain text is one one. If they receive one one, they know the plain text is zero zero. So the key in this case defines the mapping. This is an ideal block cipher in that we can implement any block cipher just as this mapping from plain text values to a ciphertext. The problem with using this is that it's impractical to implement. Let's return to our slides for a moment. An ideal block cipher, we take an n-bit input, n-bit plain text. That can map to two to the power of n possible states. We can think of that. So we had our two-bit plain text. We got four possible plain text inputs to the power of two. And we do some substitution. We take the input and replace it with one of the other possible value, or one possible value. So there are two to the power of n possible outputs which map back to a two-bit input, a two-bit output. This allows for all possible combinations of plain text to ciphertext mappings. And another example, the one that we saw, another example is shown on this slide, but maybe better to show just as these tables. Just one other example, where here's a mapping from, on the left-hand table, the encryption table, the 16 plain text values can map to the 16 ciphertext values. That's one possible mapping. In this cipher, how many mappings are there in total? How many possible mappings? We saw in our previous example, we had 24 possible mappings. 24 possible keys. Here I've shown just one mapping for a different cipher. How many possible in total? How many possible mappings? If you want to find the answer, maybe start writing them all out. It'll take you a long time though. But just focus on the left table. The other one's the decryption. Let's go back to our, sorry, wrong direction. Our first example, we had a two-bit block. Two bits of plain text. Gives us four possible plain text values. 00, 01, 10, 11. And how many arrangements of those four values can we have? How many different ways can we arrange them? All of these 24 values are there, the possible arrangements. There are 24 or four factorial arrangements, combinations. So with this was a two-bit block cipher. What about with our other cipher? How many possible mappings? 16 factorial. Why? It is a four-bit block cipher. Plain text, four bits. How many possible plain text values are there? 16, they're listed here. Two to the power of four. 16 possible plain text. I challenge you to go and write those 16 values. Or if you want to do it in decimal rather than binary, write the values zero to 15. And then try an arrangement. Arrange them in different orders. See how many different arrangements you can make. And it'll be 16 factorial, which is what? Calculator, how many arrangements? We have a four-bit block cipher. So two to the power of four possible plain text. 16 factorial possible arrangements. Again, 16 factorial to 20 trillion different arrangements. So you go and write them all down. And that's how many possible arrangements we have in that case. Maybe that should be the penalty for those who cannot answer the quiz in the next lecture. Anyone who gets less than 50% has to write them all down. Sounds okay. Doesn't sound that hard to write 20 trillion different arrangements. Okay, all right. So the point is that this is just one of those 20 trillion different arrangements. We have many others. Which arrangement do we use to encrypt? This is one. Well, the one that we use is defined by the key. How long is our key in this case? What is the key? And go back to our easier example where we have just 24 arrangements. We have a two-bit block cipher, 24 possible arrangements that key determines the arrangement we're using. For example, key 17 tells us the order in which our plain text values map to our ciphertext. So we could write the key, key 17, as, in fact, 11, 0, 1, 0, 0, 1, 0, 8 bits. And the way that we interpret the key is that since we know it's a two-bit block cipher, we know that the first two bits in the key map to 0, 0, the second two bits map to 0, 1, the third to 1, 0, and the last two to 1, 1. So in that case, we could represent the key as 8 bits. How big is our key with our other cipher in this case? Well, the key would be all of these values. What we would send or what we could store as the key is 1, 1, 1, 0. So every four bits identify the ciphertext for the in-order plain text. So four by 16 or 64 bits would be the length of the key in this case. Because if we know the key, if we know these 64 bits and store them in order, when I receive ciphertext 1, 0, 1, 0, from the key, I can determine, well, that's in the, what is it, in the ninth position and therefore maps to decimal nine or binary 1, 0, 0, 1. So we could use a key in that way. So the key in this case in general is how big this is with four bits. We have four by 16 with a four bit block cipher, four by 16 or N bit block cipher, N by two to the power of N. Four by 16, four by two to the power of four is the key length in bits in this case. So what, yeah, the key tells us the mapping. Let's go back to our simple one. 24 mappings, okay, and let's keep it simple. But which mapping, in which order do we do these mappings? We need to define that. Yeah, the key length, yes, correct. What did I say? Oh, sorry, N times two to the power of N, correct. So in our case, 64, four by two to the power of four. So in this case, we have a block size two bits, N equals to two. The key is two times two to the power of two or eight bits. That is these eight bits is key 17. If I want to encrypt using a different mapping, for example, key 13, then I could set the key to be zero one one zero zero one one. And when the receiver receives the ciphertext zero zero, if they know this key from the key, they determine that the plaintext is one zero. But that leads to our problem with this ideal block cipher. Let's say we have a large block size, N, for example, is 64, 64 bits. So we've seen an example of a block of two bits, a block of four bits. Let's say we have a block of 64 bits, which we'll see is typical. Then the key length is 64 times two to the power of 64 bits, which is too large, because it's too large to be able to distribute to someone. It's too hard to write down and to record. And it becomes very hard to implement when you have such large values. So using a large block size is not possible if we use such a cipher. Using a small block size therefore makes the key more manageable, but it turns out the smaller the block, if we have a typically large plaintext, we have more blocks and it becomes much easier to perform an attack by using the statistical characteristics of the plaintext. So we have a problem. We can't use a small block size because it makes attacks easier based on statistical analysis, but we can't use a large block size because it makes the key too large. So we need some alternative approach. So an ideal block cipher allows all possible mappings. Real block ciphers today do not use this approach. They only allow a select number of mappings, but they make the trade-off of being able to use a large block by keeping the key small. And there are different ways of doing it. And there's one common approach which was devised by a guy called Feistel. The approach in general is to use simple ciphers, smaller blocks, but apply them multiple times and in some structured manner to make the output cryptographically strong. So to use two or more simple ciphers but repeat one after another. And that's the concept that we started to introduce with our classical ciphers by repeating the same simple cipher, we can get more strength in the output ciphertext. And what did we have? We had, in our ideal cipher, and let's write it down, with our ideal cipher, we said with an n-bit block, n-bit block size, how many transformations or mappings did we have? We had two to the power of n factorial. Transformations or mappings. Which is good, we want as many as possible. But the key, key length, becomes n times two to the power of n, which is bad because if n is large, that key length becomes too large. If n is 10, for example, then this is a thousand times 10, this 10,000 bits is the key length. It's bad because of the management problem for the key, distributing the key. With a five-stool block cipher, it makes a trade-off. We have an n-bit block size, and the mappings is not determined by the block size, but by the key length. We also define a k-bit key, so we set the key length, and the number of mappings depends upon the key length. So, key length is k-bits. The number of mappings is two to the power of k, which is this trade-off of, we reduce the number of mappings in practice. Let's say n and k are the same length. With an ideal block cipher, we have two to the power of n factorial mappings, which is much, much more than just two to the power of n, if n and k are the same. So, we reduce the number of mappings, but we have a manageable key length, k-bits. So, if we define k as 64, say, 64 bits, we have two to the power of 64 possible mappings, but we have a manageable key length. If we have a 64-bit block with an ideal cipher, the key length is two to the power of 64, a two to the power of 64 times 64, which is just too large. Here's just 64 bits. So, Faisal structure allows us a much more manageable size in the key length. But, by repeating the simple encryption operations, provides almost equal security as what an ideal block cipher, and sufficient security. The picture on the next slide shows the structure, actually the next one. We will not go into much detail because we'll see it in des. It repeats the general design of a cipher. It's not a specific cipher, it's a general design, and it breaks the cipher into a set of rounds. A round is the same each time, the same algorithm. We just repeat this algorithm multiple times or multiple rounds. And it involves splitting the plain text into left and right halves. So, if we have a 64-bit plain text, we break it into two 32-bit portions. Swapping the halves, we'll see some different operations like swapping the halves, using an exclusive or and applying some function. And he generalized that some function will see some specific instances. And a key is an input, and then repeating, and repeat, and repeat as per how many rounds we have. So, we'll come back to that when we see des, because it's an example of the Faisal structure. For the concepts, there's an alternation between substitutions and transpositions. So, coming back to our classical ciphers, we're using these basic operations. Replacing and rearranging. Substitution is replacing, transposition is rearranging. Permutations. And we'll see shortly that we talk about S operations and P, P for permutation is commonly used. P operations. And applies the concepts of diffusion and confusion. Anyone understand confusion? I think everyone's experts, because many people look confused. We will look and come back to these concepts of, what do we mean by diffusion and confusion with respect to ciphers? But let's move on from some of the abstract concepts and look at some specific examples. We'll come back to that next lecture. Let's go to des, and then we'll see a few examples before going through the details. The data encryption standard. It was probably, it maybe still is, it was the most widely used cipher in the world. Symmetric block cipher. It was developed about 40 years ago. Designed by people at IBM and NSA apparently had input, and it was standardised by what was then called NBS, but is now called the National Institute of Standards and Technology, NIST. So US standards organisation created the standard for des. And the idea was that when this organisation creates the standard, all the US government departments must use that for encryption. And because the US government is using it for encryption, many companies use it for encryption, and not just in the US outside. It's spread across the world in that des become effectively a worldwide standard for encryption. A symmetric block cipher. It operates on a 64-bit input block. So to encrypt, we take 64 bits of plain text, and we produce 64 bits output. So we produce 64-bit cipher text. What if my plain text is larger than 64 bits? Well, we break our plain text into blocks of 64 bits in length, encrypt them one at a time, and then we've got different ways of combining those output cipher text together. And the next topic we'll talk about how to combine them, modes of operation. So des just looks at 64 bits at a time. It has a 64-bit key, but we'll see when we look at the details that only 56 bits of those 64 were actually used in the encryption. The other eight bits were used as a parity check. So a parity check to check if there's any errors. So from a security perspective, it's effectively a 56-bit key. How long does our brute force take against 64 bits? A 56-bit brute force. Worst case, we need to do a brute force of two to the power of 56 operations. If you go back to the last set of lecture notes, what, days, hours, seconds, if we have ultra-fast machines. From a key length perspective, it's insecure, it's too short nowadays. But in the 70s, 80s, and 90s, it was okay. But now it's not okay. The principles used in des have been applied in other ciphers. So to overcome the short key length, there were improvements like triple des. And they are still in use today. So the principles used will see in other ciphers. What we're gonna do, and we'll not go through the details today, but in the next lecture, we're gonna go through the details of how des works. But because it's quite complex, what I'll use is take a cut-down version. It works on 64 bits. I cannot write 64 bits on the board and do an operation, or it takes too long. So some people have developed one for teaching called simplified des, which will cut things down to smaller chunks, smaller sizes. Eight bits, 10 bits. And we'll go through one example to show the operations. It's not a real cypher, it's just for teaching. But we'll go through that next week. So we'll go through simplified des as an example, and then we'll look at real des, and look at the details, and some of the design issues and possible attacks on real des. To finish today, I wanna move on and look at some software that we can use for encryption. I know we've talked about a lot of concepts today, so let's look at some practice. First, let's remind you what your homework tasks are. You have a quiz to do before the lecture next week. Okay, you must do the quiz. And there's a new exercise that I've added. But the exercise is not marked or anything, and you should only do the exercise if you understand from the quiz. I've just added it today. You don't have to do it. It may just help you with understanding some of the more advanced concepts. But before I talk about the exercise, I've mentioned before, and I also pointed on the website, there are some, that's the wrong one, I've written up some examples using classical cyphers and attacking classical cyphers. So in this webpage, and you've got a printout, describes how to do a brute force, and more importantly, how to do frequency analysis attacks on very simple classical cyphers. I recommend you read that and understand that, because if you can understand how the attacks can be performed, then you understand the limitations and approaches for your attacks on real cyphers. And there's another one about the one-time pad. So I recommend reading that and looking at the example to see, well, why is the one-time pad unbreakable? Why does it provide perfect security? If you don't understand, then have a read through this. It talks about with an example, why even a brute force attack on the one-time pad will be unsuccessful. So read them. Coming back, exercise one. Only do this if you are okay with all the other concepts so far, because it can be time for change. Quite simple. Here's some ciphertext, find the plaintext or key. I give you, I think there's four different ciphertext values. For example, this, I give you a hint, all right? Caesar cipher was used, find the key. Find the plaintext and key. Some are easy, the first one should be easy. The second one is some ciphertext. Braille fence was used, find the key. Then you'll find the plaintext. And I think that one's easy, most people can do that. Three, some ciphertext, rose columns was used. This takes a little bit of thinking and a bit of trial and error to break that one. Maybe you could write some software to automate it, but you can do it on paper as well, that one. Those you can do it on paper. You can do it with software, fine, but what I don't suggest is find some website that solves it for you, no point. But if you want to write software or use a spreadsheet or some scripting language to automate the tasks, recommend it. And especially for the last one. Ciphertext four, mono-alphabetic cipher was used, using English only, so the key length is 26 characters. Perfectly randomly arranged. Here's the ciphertext, find the plaintext. I think most people can do one and two quite easily. Three and four take a bit more time and thinking. But if you can do them, then you'll probably fully understand both how the ciphers work and how the attacks work. Let's move to real ciphers for the last five minutes or so. Another printout I've provided you on the website here is, well, let's use some software to encrypt. Once we go through desks, let's encrypt something with desks. So you can get different software implementations of many of the ciphers that we talk about. One common open source library and application for encryption is OpenSSL. And we'll use it for demos and examples throughout the course, OpenSSL. It provides a command line interface. It's usually available for most Linux and Mac operating systems already installed. I'll just quickly show some examples. So this webpage describes how to use it. Let's look at a few examples of how to use it. Let's encrypt some data. First, let's encrypt some plaintext. And I'll take a plaintext file, for example. Okay, so I've created a plaintext file, which is just some text message. Hello, this is our super secret message. Keep it secret. Let's encrypt it using OpenSSL. And we'll choose a cipher as we go. Different ways of doing it. First, let's find some details about our plaintext. All right. How long is the plaintext? I have a, here's a software word count. It tells me it's 72 characters long. Okay, let's start with that. It's 72 characters. In fact, it's 72 bytes. One character is one byte. We look at our plaintext.txt file. It's 72 bytes. So we're gonna encrypt a 72 byte plaintext. Have a look at the details in maybe hexadecimal. Everything I'm doing is on the website, on those instructions. So I would not explain too much. Just do the steps. So that's our message. So this is the ASCII, this is the hexadecimal. Remember, our ASCII maps back to binary. Or we can represent that binary as hexadecimal. So H-E-L-L-O dot space t is in fact represented as these hexadecimal digits. Or even nicer, binary. Hard to see. Do it again. Hard to see. Of course, I don't expect you to read this, but this is H-E-L-L-O dot space t. So just a binary representation. So when we're applying our rule cycle, we're actually operating on the binary form. When we apply DES, AES, and others, we take the binary values and apply our cipher on those binary values. But of course, hard to show binary values sometimes. So let's encrypt. And I'll encrypt using DES, but we need a key. I need to encrypt with some key. And with DES, we have a 64-bit key. Although we only use 56, we need to specify a 64-bit key. And it turns out with the software we can use, we can use hexadecimal. I don't have to write in binary 64 bits or 16 hexadecimal digits. Anyone suggest a key for me? 64-bit value or 16 hexadecimal digits? Well, it's best to choose a random key. Remember, a key should be such that, it should be secret, so I shouldn't tell you, but it should be such that no one can guess it. If I choose a key of all zeros, well, an attacker could just try all zeros and it's not very sensible to choose that. So ideally, your key should be generated randomly. You should not choose it. You should let a computer generate it for you. So generate some random number. Different ways to generate random numbers. The program that we're gonna use to encrypt is called OpenSSL. And it includes many different encryption operations, including random number generation. It has an operation to generate a random number, eight hexadecimal, eight bytes in hexadecimal. That's what we're saying here. Here it is. So what I did is generate an eight byte random number and output in hexadecimal. That's the value. Sorry, if we lose a little bit, let's make sure you can see it. Again, we haven't explained it yet, but it turns out to encrypt, we need a key and some initial value and I'm gonna use some random initial value. But let's encrypt. And we use OpenSSL. We say we want to encrypt with a symmetric cipher. What cipher? Desk. And in the next topic, we'll see that ECB means something, electronic code book, but not so important yet. But desk, ECB, encrypt, minus E, input, plain text, file, output, cipher text, ENC, whatever extension I like, it's not so important. Input key, my random value, use my key to encrypt, and we need some initial value. Let's not explain that yet, but we'll need that. And I'll choose this other random number for an initial value. And sometimes our cipher, when our text is not of a particular length, will pad the plain text. I don't wanna do any padding here. It's not necessary. So I'm gonna specify an option to not pad, no pad. And done, we encrypt it. So you don't have to remember all these operations. I'm just giving you an example. And we have our cipher text, which is 72 bytes long. That's our cipher text. Let's look at the cipher text now. There it is. It is our cipher text. I mean, encrypting our message, hello. This is a super secret message. Here's our cipher text. And as you see, it's just a random set of these a hexadecimal digits. There's no meaning in ASCII, so it doesn't make sense to look at this from a text file perspective because we get any of those ASCII characters. The dots mean unprintable. And we could look at in binary as well, but I will not show you in binary. You could convert to binary. So we've encrypted using OpenSSL. You can do that on any file. It doesn't have to be a text file. It can be an image. It can be a word document, any file you like because OpenSSL just treats it in its binary form. It's zeros and minuses. And to finish, of course, let's decrypt. And decrypt is almost the same as encrypt. So I'll almost repeat the command. Instead of minus e, what do we have? Minus d to decrypt. And the input is, of course, the ciphertext. And the output is some file, let's say, it's my received. Same key. We need to decrypt with the same key as we encrypted with and the same initiative. And let's look at our received message. And it should be the same as our plaintext message. Yes, okay. So we decrypted successfully, that's all. Our received message, which was output from the decryption, is identical to the original plaintext, which was the input to the encryption. So just to taste it, become experts in OpenSSL because you use that, you may use that in your homeworks and you'll use it in practice in the future to encrypt data. So have a look on some of the websites to see how OpenSSL works and start to use it, especially as we go through the real science. Enough for today, Tom. Next week we'll look at the details of deaths by going through simplified deaths.