Lecture 2: Classical and Modern Ciphers

• Admin

• Recap

• Classical Ciphers: Substitution and Permutation

• One-time Pad and Stream Cipher

• Modern Ciphers and Mode of Operation

o Meet in the Middle Attack
o Padding Oracle Attack
0 Admin
Admin

• 1st Quiz: Open today at 12 PM, deadline until tomm night

• Piazza: Use Piazza for all questions
o https://piazza.com/nus.edu.sg/spring2025/cs2107

• Tutorials:
o Starts next week
o Tuesday: no tutorials after 2PM (either attend other tutorials sessions or use video)

https://pollev.com/nitya
1 Recap
CIA Triad

• Confidentiality: Assures that private or confidential information is not made

available or disclosed to unauthorized individuals.
o Achieved via symmetric key encryption

• Integrity: Assures that the data has not been altered or tampered with by
unauthorized users.
• Availability: Assures that systems work promptly, and service is not denied to
authorized users.

https://pollev.com/nitya
Attack Model

• Attacker Goal: Total break, partial break, distinguishability

• Attacker Capability: amount of information attacker have, different attacks:
o Ciphertext-only attack (CTO)
o Known plaintext attack (KPA)
o Chosen plaintext attack (CPA)
o Chosen ciphertext attack (CCA2)

• Kerckhoffs’s Principle: A system should be secure even if everything about the

system, except the secret key, is public knowledge.
o Should not rely on Security by Obscurity

https://pollev.com/nitya
2 Classical Ciphers: Substitution and Permutation
Substitution Cipher

• Plaintext and ciphertext: a string over a set of symbols U.

o E.g., Let U = {"a", "b", "c", ..., "z", "_"}

• Key: a substitution table S, representing an 1-1 onto function from U to U

(each letter in the plaintext is mapped to a unique letter in the ciphertext).
• E.g., S(a) = g, S(b) = v, ...

• The inverse of S => S-1(g) = a, S-1 (v) = b

https://pollev.com/nitya
Substitution Cipher: Encryption

• Given a plaintext: X = x1 x2 x3 ... xn and key S,

• Ciphertext: ES(X) = S(x1) S(x2) S(x3) ... S(xn)

• Plaintext: h e l l o _ wo r l d

• Ciphertext: h n l l q p o q i l b

https://pollev.com/nitya
Substitution Cipher: Decryption

• Given a ciphertext: C = c1 c2 ... cn and the key S,

• Plaintext: DS(C) = S-1(c1) S-1 (c2) ... S-1 (cn)

• Ciphertext: h n l l q p o q i l b
• Plaintext: h e l l o _ wo r l d

https://pollev.com/nitya
Permutation Cipher/Transposition Cipher

• The encryption first groups the plaintext into blocks of t characters, and then
apply a secret “permutation” to each block by shuffling the characters.
• The key is the secret “permutation”, which is an 1-1 onto function, e
from {1, 2, …, t} to {1, 2, …, t}

• The size t could be part of the key, that is, t is also kept secret.
• Permutation p as a sequence p = (p1, p2, p3,..., pt)
o shifts the character at position i to the position pi.

https://pollev.com/nitya
Permutation Cipher: Example

• Given the plaintext and the key t = 5, p = (1, 5, 2, 4, 3)

Plaintext:

Ciphertext:

https://pollev.com/nitya
3 Attacks On Substitution and Permutation Cipher
Exhaustive Search (aka Brute-Force Search)
• Attacker’s goal: is to find the key or to obtain some information of the
plaintext.
• Attack step: exhaustively search the keys, examine all possible keys one by
one.
o Eventually (although this might take very long time) the correct key can be found.

• For a cipher to be secure => exhaustive search must be computationally

infeasible
• Sophisticated attacks exploit weakness of the encryption scheme so that it can
break faster than exhaustive search.

https://pollev.com/nitya
Terminology

• The key space is the set of all possible keys.

o For a 3-bit key, key space = { 000, 001, 010, 011, 100, 101, 110, 111}

• The key space size or size of key space is the total number of possible keys.
o For a 3-bit key, key space size = 8 (23)

• The key size or key length is the number of bits required to represent a key.
o For a 3-bit key, key length = 3

https://pollev.com/nitya
Exhaustive Search on Substitution Cipher
• Assume that the attacker knows a ciphertext C and the corresponding plaintext X.
• The attacker wants to find the key.
• Let S be the set of all possible substitution tables (i.e., the key space).
• Given X, C.
What is the key
o For each s in S space size here
− Compute X’ = DS(C); to find the key?
− If (X’== X) then break
o end-for Can the
attacker do
o Display ( “The key is ”, s ); better?

https://pollev.com/nitya
Known-Plaintext Attack on Substitution Cipher

• Does the attacker need to carry out exhaustive search ?

• Plaintext: h e l l o _ wo r l d Here the attacker needs
to obtain at least a pair
• Ciphertext: h n l l q p o q i l b of ciphertext and the
corresponding plaintext.
• The attacker can figure out the entries in the key

• So, substitution cipher is not secure under known plaintext attack.

https://pollev.com/nitya
Ciphertext-Only Attack on Substitution Cipher
• The attackers have access to ciphertext only (i.e., without the corresponding plaintext).
• Suppose an attacker knows that the plaintext is an English sentence.
• Let S be the set of all possible substitution tables. Given C.
o For each s in S
− Compute X = DS(C);
Can the
− if X contains words in the English dictionary, then break
attacker
o end-for do better?
o Display ( “The key is ”, s );

• Likewise, eventually, the exhaustive search will find the key.

https://pollev.com/nitya
Ciphertext-Only Attack on Substitution Cipher
• Are there efficient ciphertext-only attacks on substitution cipher?
o Yes. Substitution cipher is vulnerable to frequency analysis attack.

• Suppose the plaintexts are English sentences.

o The frequency of letters used in English is not uniform, for e.g. “e” is more
commonly used than “z”.
o Given a sufficiently long ciphertext attacker may correctly guess the plaintext by
mapping frequent characters in the ciphertext to the frequent character in English.

• Hence, substitution cipher is not secure under ciphertext only attack, when
the plaintexts are English sentences.

https://pollev.com/nitya
https://pollev.com/nitya
Known-Plaintext Attack on Permutation Cipher

• Permutation cipher fails miserably under known-plaintext attack.

• Given a plaintext and a ciphertext, it is very easy to determine the secret key.

m= h e l l o wo r l d

c = e h l o l o wr d l

• What is the permutation?

https://pollev.com/nitya
Attack

Plaintext: h e l l o w o r l d

P= (2, 1, 3 , 5, 4)

Ciphertext: e h l o l o w r d l

• Permutation cipher is also easily broken under ciphertext-only attack if the

plaintext is English text

https://pollev.com/nitya
Takeaway

• S and P cipher are not secure.

• Performing substitution twice using two tables does not increase difficulty of
attack.
o It simply reduces to one table (try to see why.).
o Same for permutation.

• However, by interlacing them, attacks become more difficult.

• Indeed, many modern encryption scheme (e.g. AES) is designed using rounds of
S and P.

https://pollev.com/nitya
4 One-Time Pad
Recap: XOR Operation

• Commutative : A⊕B=B⊕A

• Associative : A⊕(B⊕C)=(A⊕B)⊕C

• Identity element : A ⊕ 0 = A

• Self-inverse : A ⊕ A = 0

https://pollev.com/nitya
One-Time Pad
• It is a pure substitution cipher.

• The name comes from an encryption method in which a large, non-repeating

set of keys is written on sheets of paper, glued together into a pad.

• Property of the key:

o The key cannot be re-used. That is, a key can only be used once.
o Key should be as long as the plaintext. E.g., a 1GB plaintext would need a 1GB
key to encrypt.

Src: https://www.cryptomuseum.com/crypto/otp/index.htm
https://pollev.com/nitya
Example

• Encryption : plaintext ⊕ key

• Decryption : ciphertext ⊕ key Plaintext 0 0 1 0 1 1 0
⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕
Key 1 1 0 0 1 1 1

• Correctness
Ciphertext 1 1 1 0 0 0 1
o For any x, k
o (x ⊕ k) ⊕ k = x ⊕ (k ⊕ k)=(x ⊕ 0) = x
Ciphertext Plaintext

https://pollev.com/nitya
Is this Secure?

• Leaks no information of the plaintext, hence called “unbreakable

For a 1KB
• However, OTP is secure only if these rules are followed: plaintext, what
is the key
o The OTP should consist of truly random characters (noise). space size?
o The OTP (i.e., the key) should have the same length as the plaintext.
o Only two copies of the OTP should exist.
o The OTP should be used only once.
o Both copies of the OTP are destroyed immediately after use.

• Not Practical: long key renders one-time-pad impractical

https://pollev.com/nitya
5 Stream Cipher and IVs
OTP vs Stream Cipher

OTP Stream Cipher

• Theoretical • Practical construct - more usable
• Uses a genuine random number • Uses a pseudo-random number
stream for the pad or keystream stream for the keystream
o Pseudorandom numbers calculated by a
computer through a deterministic
process, cannot, by definition, be
random.

• Key size must be as long as • Use short keys to generate long

plaintext. pseudo-random keystream

https://pollev.com/nitya
Stream Cipher

• Stream cipher encrypts plaintext 1 byte at a time

o May be designed to operate on 1 bit at a time or on units larger than a byte at a
time.

• Is this secure if we re-use keystream?

o If two messages are identical and if the same keystream is used to encrypt the
message, the corresponding ciphertext is going to be identical.
o Can lead to keystream reuse attack
o If an attacker intercepts multiple ciphertexts generated with the same key and identical
keystreams, they could potentially derive information about the plaintexts or even
recover the encryption key.

https://pollev.com/nitya
Stream Cipher With Same Keystream
• Consider that the same key is used to encrypt two different plaintexts
o X = x1 x2 x3 x4 x5 ; Y = y1 y2 y3 y4 y5
oU = X ⊕ K ; V = Y ⊕ K

• Suppose the attacker eavesdropped to get two corresponding ciphertexts U, V.

• The attacker can now compute
What is a big deal about
o U ⊕ V = (X ⊕ K) ⊕ (Y ⊕ K) revealing X ⊕ Y?
o By associative and commutative property of XOR
− U ⊕ V = (X ⊕ Y) ⊕ (K ⊕ K) = X ⊕ Y
− So, from U and V, the attackers can obtain information about X ⊕ Y,
o Basically =>(x1 ⊕ y1 ) (x2 ⊕ y2 ) (x3 ⊕ y3 ) (x4 ⊕ y4 ) (x5 ⊕ y5 )

https://pollev.com/nitya
Stream Cipher With Same Keystream
Reveals some
partial
information
X Y ⊕ about the PT

⊕ ⊕
X⊕Y

U V ⊕

https://pollev.com/nitya
Stream Cipher with Initialization Vector (IV)
• IV is random value used as additional input to generate the keystream
• Ensures that even if the same key is used for multiple encryptions, the generated
keystream will be different if unique IV is used.
• Pseudo-random generator (PRG or G) to generate keystream from a seed (i.e., IV).
• Encryption: use shared key k and initialization vector IV for the seed.
ciphertext = plaintext ⊕ PRG( k, IV)

• Send IV, ciphertext

• Example: RC4, AES in CTR mode

https://pollev.com/nitya
 Example: Stream Cipher with IV
Sender
0 0 1 0 1 1 0 Plaintext

⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕
K PRG 1 1 0 0 1 1 1 Key stream

Transmit CT, IV
IV
IV need not secret 1 1 1 0 0 0 1 Ciphertext

⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕
K PRG 1 1 0 0 1 1 1 Key stream

Receiver 0 0 1 0 1 1 0 Plaintext

https://pollev.com/nitya
Stream Cipher With IV

X Y ⊕
K1 K2

⊕ ⊕

X ⊕ Y ⊕ (K1⊕ K2)
U V ⊕

https://pollev.com/nitya
6 Modern Ciphers – DES and AES
Modern Cipher
• Designs of modern ciphers take into considerations of
o known-plaintext-attack, frequency analysis and other known attacks

• E.g.
o DES (Data Encryption Standard, 1977)
o RC4 (Rivest’s Cipher 4, 1987)
o A5/1 (used in GSM, 1987)
o AES (Advanced Encryption Standard, 2001)

• They are “supposed” to be secure so that any successful attack does not
perform noticeably better than exhaustive search.

https://pollev.com/nitya
Data Encryption Standard (DES)
• Symmetric-key block cipher developed by IBM in the early 1970s

• Block size: 64 bits ; Key size: 56 bits.

• Security Concerns: Over time, DES's 56-bit key length has proven vulnerable to
brute-force attacks.
o There are 256 possible keys.
o While exhaustive search on 56 bits seemed infeasible in the 70s
o In 1998, a DES key was found in approximately 56 hours

https://pollev.com/nitya
Advanced Encryption Standard (AES)

• In 2000, a new standard introduced, AES (Advanced Encryption Standard), was

proposed by NIST.
• NIST called for proposal in 1997 and in 2000, Rijndael was selected as AES.
• AES block length is 128, and key length can be 128, 192 or 256 bits.

• Currently, no known attacks on AES (there are some attacks on the mode-of-
operation)
• How many key bits is considered “secure”?
o NIST (link)

https://pollev.com/nitya
7 Block Cipher & Mode-of-Operations
Block Cipher
• DES and AES are also known as “Block Cipher”.
What?! Only 128 bits!
• A block cipher has fixed size input/output. How to encrypt the
Key ( 128, 192, 256 bits) movie!!!

AES block cipher

128-bit input (Plaintext) 128-bit output (ciphertext)
encryption

• For large plaintext (say 10 MB), first divide into blocks, and then apply block cipher.

• The method of extending encryption from a single block to multiple blocks to

encrypt is called mode-of-operation.

https://pollev.com/nitya
Mode-of-Operation: Electronic Code Book (ECB)

• Divides plaintext into blocks and then applies block cipher to each block, all
with the same key.
PT1 PT2 PT3
• CTj = EK(PTj)
• PTj = E-1K(CTj) K E K E K E
EK: encryption function using key K
E-1K: decryption function using key K
CT1 CT2 CT3
• Disadvantage?
o Same plaintext always corresponds to same ciphertext

https://pollev.com/nitya
Problem with ECB

plaintext ciphertext of ECB mode We want ciphertext

like this!

https://pollev.com/nitya
Mode-of-Operation: Cipher Block Chaining (CBC)

• CTj = EK(PTj ⊕ CTj-1) PT1 PT2 PT3

• PTj = E-1K(CTj) ⊕ CTj-1

• CT0 = IV called initialization vector IV ⊕ ⊕ ⊕

• Advantages
o Semantic security
K E K E K E
• Disadvantages
o Cannot be parallelized
CT1 CT2 CT3

https://pollev.com/nitya
Mode-of-Operation: Counter Mode (CTR)

• X1 = IV called initialization vector X1 X2 X3

• Xj = X 1 + j – 1
• CTj = EK(Xj) ⊕ PTj
K E K E K E
• PTj = EK(Xj) ⊕ CTj
• Advantages PT1 ⊕ PT2 ⊕ PT3 ⊕
o Semantic security
o Can be parallelized
CT1 CT2 CT3
• Similar to stream cipher

https://pollev.com/nitya
8 Meet in the Middle Attack ( on DES)
2-DES
• DES is not secure: improve it by multiple encryptions; c = DESk2(DESk1(m))
• Using exhaustive search, what is the amount of DES encryption/decryption
required?
o 256+56, meaning key-strength could be 112 bits ?
o Unfortunately, it is much less than that via “meet-in-the-middle” attack.

• Let us consider double encryption under known plaintext attack.

o Attacker has a plaintext m and the corresponding ciphertext c, [m, c = DESk2(DESk1(m))]
o Goal: find the two secret keys k1, k2.

https://pollev.com/nitya
Meet-in-the-Middle Attack

• Attacker has: [m, c = DESk2(DESk1(m)]

• The attacker’s goal is to find the key, i.e., k1 and k2

• Exhaustive search all k1 and k2

c' = DESk1(m)
k1 k2 c = DESk2(c')

m c' m' c m' = DES-1k2(c)

E E m = DES-1k1(m')
Find c' == m'

Encrypt using k1 Decrypt using k2

 Meet-in-the-Middle Attack( Illustration 3-bit key)
m'0
c'0 k2 = 000
k1 = 000
m'1 k2 = 001
c'1

Meet-in-the-middle
k1 = 001
m'2 k2 = 010
k1 = 010 c'2

m'3 k2 = 011
Plaintext m, k1 = 011 c'3 Ciphertext c
m'4 k2 = 100
k1 = 100 c'4
Encryption k2 = 101 Decryption
k1 = 101 m'5
c'5
k2 = 110
k1 = 110 m'6
c'6
k2 = 111
k1 = 111 m'7
c'7

stored in some data structures, e.g. hash table https://pollev.com/nitya

Storage and Operations

• Previous Example
o Assumes 3-bit keys, 2 such keys.
o Using two keys, there are 23 + 23 = 2 x 23 = 24 = 16 possibilities.
o However, the attack only perform 8 encryptions and 8 decryptions.

• In general, for k-bit keys

o The number of crypto operations is reduced to 2k+1
o Using approx 2k+1 units of storage space

https://pollev.com/nitya
Remedy: 3-DES with 2 keys

• Use triple encryptions, but 2 keys.

o Ek1(Ek2(Ek1(x))) Or
o Ek1(Dk2(Ek1(x)))

• Both are believed to have the same level of security.

• By choosing k1 = k2, then it is same as single encryption.

• Also known as 3DES, TDES, TDEA, 2TDES, 3TDES (using 3 keys)

https://pollev.com/nitya
9 Padding Oracle Attack (on AES CBC)
Recall: Oracle in Security Analysis

• Encryption Oracle. On query a plaintext x, the oracle outputs the ciphertext Ek(x)
where the key k is a secret key.

• Decryption Oracle. On query a ciphertext c, the oracle outputs the plaintext

Dk(x) where the key k is a secret key.

• While encryption oracle make sense, it is not immediately clear why we need to
consider attacker with decryption oracle. Padding oracle attack illustrate the
need.

https://pollev.com/nitya
Padding Format

• The block size of AES is 128 bits (or 16 bytes).

• Suppose the length of the plaintext is 25 bytes, it will be fitted into two blocks,
with the remaining 7 bytes “padded” with some values.
16 bytes 9 bytes 7 bytes

• There are many ways to fill in the values.

o An important piece of information must be encoded: the number of padded bits.
o If this info is missing, the receiver will not know the length of the plaintext.

https://pollev.com/nitya
Padding - PKCS#7 (Padding Standard)

• Suppose the block size is 8 bytes, and the last block has 5 bytes (thus 3 extra
bytes required), padding is done as follow: Value of each
DD DD DD DD DD DD DD DD DD DD DD DD DD 03 03 03 padded byte is the
number of bytes
• In general, padding are: that are added

01
If the last block is full, i.e., it has 8 bytes,
02 02 an extra block is added where each byte is
03 03 03 08 (i.e., the block size).

08 08 08 08 08 08 08 08

https://pollev.com/nitya
Padding Oracle

• Padding Oracle: decrypts and check if padding format is correct

o Query: Any ciphertext.
o Output:
− YES, if the plaintext is in the correct “padding” format.
− No, otherwise

• What the attacker have:

o Access to a Padding Oracle.
o A ciphertext (iv, c). The ciphertext is encrypted using secret key k.

• Attacker’s goal:
o The plaintext of (iv, c)

https://pollev.com/nitya
Padding Oracle Attack on AES CBC Mode

• AES block is 16 bytes, for ease of presentation, we consider 8-byte block here
• AES CBC mode is not secure against padding oracle attack.

• Main Idea (for ease of illustration, let’s assume)

o The block size is 8 bytes;
o The c is also 1 block;
o The attacker knows that the block is padded with 3 bytes;
o The attacker is only interested in the value of X4 (i.e., 5th bytes of the plaintext).

https://pollev.com/nitya
 PTj = E-1K(CTj) ⊕ CTj-1
PT1 = E-1K(CT1) ⊕ CT0
AES Decryption by the Oracle
8 bytes 1 block of IV 8 bytes 1 block of ciphertext

CT0 = IV = IV0 IV1 IV2 IV3 IV4 IV5 IV6 IV7 C0 C1 C2 C3 C4 C5 C6 C7 = CT1
Block Cipher
decryption

I0 I1 I2 I3 I4 I5 I6 I7 Intermediate state

1. Original, X4 = I4 ⊕ IV4 X0 X1 X2 X3 X4 03 03 03
2. Original, I4 = X4 ⊕ IV4 What is X4?

https://pollev.com/nitya
Attackers Steps

• For t = 00 to FF (hexadecimal representation, i.e. 0 to 255 in decimal)

o Let IV' = IV ⊕ 0 0 0 0 t 07 07 07
o Sends the two-block query ( IV' ∥ c ) to Oracle.
o If Oracle gives YES, then outputs (04 ⊕ t) as the X4

• End-for-loop
• Idea: Attacker uses the padding oracle by submitting modified CTs and
observing the system's responses (yes/no) to infer the correct padding bytes,
eventually to learning about the plaintext.

https://pollev.com/nitya
 Force a padding of 0x04 so that padding
oracle return yes when last 4 bytes is 0x04
Why Last Three Bytes 0x07?
8 bytes 1 block of IV 8 bytes 1 block of ciphertext
IV0 IV1 IV2 IV3 IV4 IV5 IV6 IV7 C0 C1 C2 C3 C4 C5 C6 C7
⊕
Block Cipher
0 0 0 0 t ?07 ?
07 ?
07 decryption

IV '= IV'0 IV'1 IV'2 IV'3 IV'4 IV'5 IV'6 IV'7 I0 I1 I2 I3 I4 I5 I6 I7 Intermediate state

⊕
1. No change for I7 = X7 ⊕ IV7 = 0x03 ⊕ IV7
2. When IV' is used X'7 = 0x04 = I7 ⊕ IV'7 X0 X1 X2 X3 X4 03
04 03
04 03
04
3. Replace I7 from step 1,
1. 0x04 = 0x03 ⊕ IV7 ⊕ IV'7 What is X4?
2. IV'7 = IV7 ⊕ 0x03 ⊕ 0x04 = IV7 ⊕ 0x07

https://pollev.com/nitya
 Brute force t until the padding oracle return
How about t? yes when last 4 bytes is 0x04

8 bytes 1 block of IV 8 bytes 1 block of ciphertext

IV0 IV1 IV2 IV3 IV4 IV5 IV6 IV7 C0 C1 C2 C3 C4 C5 C6 C7
⊕
Block Cipher
0 0 0 0 t ?07 ?
07 ?
07 decryption

IV '= IV'0 IV'1 IV'2 IV'3 IV'4 IV'5 IV'6 IV'7 I0 I1 I2 I3 I4 I5 I6 I7 Intermediate state

1. Brute force, t = 0x00 to 0xFF, find IV' X0 X1 X2 X3 04 03

04 03
04 03
04
2. Send (IV'||c) to oracle until oracle return yes
Find t such that X'4 = 0x04,
Until oracle return yes

https://pollev.com/nitya
 How to Compute X4?
8 bytes 1 block of IV 8 bytes 1 block of ciphertext
IV0 IV1 IV2 IV3 IV4 IV5 IV6 IV7 C0 C1 C2 C3 C4 C5 C6 C7
⊕
Block Cipher
0 0 0 0 t ?07 ?
07 ?
07 decryption

IV '= IV'0 IV'1 IV'2 IV'3 IV'4 IV'5 IV'6 IV'7 I0 I1 I2 I3 I4 I5 I6 I7 Intermediate state

1. No change, I4 = IV4 ⊕ X4
2. X'4 = 0x04 = I4 ⊕ IV'4 X0 X1 X2 X3 04 03
04 03
04 03
04
3. X'4 = 0x04 = IV4 ⊕ X4 ⊕ t ⊕ IV4 Find t such that X'4 = 0x04,
4. X4 = 0x04 ⊕ IV4 ⊕ t ⊕ IV4 = t ⊕ 0x04 Until oracle return yes

https://pollev.com/nitya
Remarks
• We can easily extend the algorithm to find the full plaintext.
• There is still a gap. The algorithm needs to know the initial padding length.
• Fortunately, it is easy to determine the length (exercise).
• This attack is practical. There are protocols between a client and server which
performs this:
o If the client submits a ciphertext whose plaintext is not padded correctly, the server will reply
with an error message.
o Now, if an attacker obtaines a ciphertext, the attacker could interact with the server to get the
plaintext.

https://pollev.com/nitya
More on Padding Oracle Attack

• Prevention:
o One method is to deny access to such oracle.
− Might not be feasible in some applications.
o Changing the padding standard may mitigate the attack.
− However, there could be other smarter way to attack the new padding.

• CTR mode also vulnerable to padding oracle.

• Padding oracle is a weaker form of Decryption oracle.

https://pollev.com/nitya
Summary
• Designs of various symmetric key encryption schemes
o One-time pad: “unbreakable” even if attacker has sufficient time to exhaustively search
o Stream Cipher: xor’ing with a “pseudo-random” string
o Block Cipher: Mode of operations (CBC, ECB, CTR)

• Crucial role of IV (need randomness to have indistinguishability)

• AES CBC mode vulnerable to padding oracle attack
Next week
Asymmetric Encryption Scheme: RSA
Data integrity and authentication:
Hash, MAC, Digital signature

https://pollev.com/nitya