Part 1: Foundations of Symmetric Cryptography

Why cryptography? Protect against passive adversaries (eavesdropping) and active adversaries (injection, modification, replay).

Core goals:

• Confidentiality: Ensure information is visible only to authorized parties. Symmetric encryption provides confidentiality, while integrity and authenticity require additional mechanisms such as MACs or AEAD.
• Integrity: Guarantee information is accurate and unmodified.
• Authenticity: Assurance that data or a message comes from the claimed source.
• Non-repudiation: Preventing a sender from denying authorship of a message later (a property of public-key systems).

Core terms. Plaintext (original readable data), ciphertext (the scrambled, unreadable output), cipher (the algorithm), key (the secret parameter that selects one transformation), encryption (converts plaintext into ciphertext), decryption (converts ciphertext back into plaintext), symmetric encryption (same secret key shared by sender and receiver).

Kerckhoffs's Principle. A system must remain secure even if everything about it is public except the key. Prefer standardized, openly analyzed algorithms; avoid secrecy of design.

Schneier's Law. Anyone can design a cipher they cannot break; confidence comes only after broad, sustained public scrutiny.

Part 2: Classical Ciphers (Substitution and Transposition)

Classical ciphers use hand (pencil-and-paper_ methods that illustrate substitution (change symbols) and transposition (reorder symbols).

Caesar cipher. Shift letters by a fixed amount; trivial to brute force and defeat via frequency counts.

Monoalphabetic substitution. Any fixed mapping; keyspace is large (\(26!\)) but still breakable because the statistical structure of a language shows up in ciphertext. In English, E, T, A, O, I, N are common; Z, Q, X, J are rare; frequent digraphs TH, HE, IN and trigrams THE, AND stand out.

Frequency analysis. A cryptanalytic technique: compare the frequencies of single letters, digraphs, and trigraphs in ciphertext with the known statistics of a language to recover the substitution.

Polyalphabetic substitution cipher.
Uses multiple substitution alphabets instead of just one. The cipher switches between different mappings during encryption so that the same plaintext letter can encrypt to different ciphertext letters, breaking simple frequency analysis.

• Alberti's cipher disk (1460s). Two concentric alphabets; rotate the inner disk to switch substitution alphabets periodically mid-message. Early polyalphabetic encryption that blurs single-letter statistics.

• Vigenère cipher (16th c.). Repeat a keyword over the plaintext; each key letter selects a Caesar shift alphabet (via a table lookup of plaintext row vs. key column). The same plaintext letter can encrypt differently depending on its alignment with the key.

• Breaking Vigenère. Find repeated ciphertext fragments; measure gaps; factor to guess key length; split text into that many streams and solve each stream as a Caesar cipher by frequency.

Transposition ciphers. Preserve letters, change order.

• Scytale: wrap a strip around a rod; write along the rod; read off unwrapped.
• Columnar transposition: write plaintext in rows under a keyword; read columns in keyword order. Padding (often X) fills incomplete rows and can leak hints.

Some later ciphers, like Playfair and ADFGVX combine substitution and transposition.

Lessons: Combining substitution and transposition helps, but hand systems leave structure to exploit. These methods motivated mechanized cryptography (rotor machines) and later, theory-driven designs that deliver confusion and diffusion deliberately.

Part 3: Mechanized Cryptography (Rotor Machines)

Machines automated polyalphabetic substitution and enhanced its security, but the complexity alone did not guarantee security.

Rotor machine. A stack of wired wheels applies a changing substitution on each keystroke; the rightmost rotor steps like an odometer, so the mapping evolves continuously. The Enigma, used by the Germans during World War II, is the most famous of the rotor machines.

Enigma workflow. Type a letter, current rotor positions map it through three rotors, a reflector sends it back through the rotors on a different path, and a lamp shows the ciphertext. Same setup decrypts. The use of a reflector implies that no letter ever encrypts to itself, which weakens the security of the system (i.e., if you see an 'A' in the ciphertext, then you know it can't be an 'A').

Keyspace (why it's huge). Choose and order 3 rotors from 5 (60 ways), choose 26 starting positions for each rotor (\(26^3=17{,}576\)), and set a plugboard that swaps letter pairs (about \(10^{14}\) possibilities). The combined space exceeds \(10^{23}\).

Strength vs. practice. The rotors and a repetition period of 17,576 characters suppressed simple frequency patterns, but design quirks and operating procedures leaked structure. Analysts used cribs (predictable text like headers), the "no self-encryption" property, operator mistakes (repeating message keys, key reuse), traffic habits, captured codebooks, and electromechanical search (predecessors to computers: Polish bombas, British bombes designed by Turing and Welchman).

Takeaway: Mechanization increased complexity and throughput but not proof of security. Operational discipline and small structural properties mattered.

Part 4: Shannon, Perfect Secrecy, and Randomness

One-time pad (OTP). Encrypt by XORing plaintext with a truly random, one-time key of equal length: \(C = P \oplus K \quad \text{and} \quad P = C \oplus K\). This gives perfect secrecy if the key is random, at least as long as the message, independent of the plaintext, and never reused.

Why OTPs are rare. Generating, distributing, and storing keys as long as the message is impractical; preventing reuse at scale is hard.

Shannon’s contribution. Two design properties for strong ciphers:

1. Confusion: Nonlinear substitution hides the relationship between key and ciphertext.
2. Diffusion: Structured mixing spreads each input bit across many output bits over multiple rounds.

Perfect vs. computational security. Perfect secrecy means ciphertext reveals nothing about plaintext (like the OTP). In practice we aim for computational security: no feasible attack with realistic resources.

Random vs. pseudorandom.

• Random values come from physical processes (e.g., thermal noise, hardware randomness). They are unpredictable but can be hard to generate in large amounts.

• Pseudorandom values are generated by an algorithm from a small random seed. They only appear random, but if the generator is weak, attackers may predict outputs.

• A CSPRNG (cryptographically secure pseudorandom number generator) is a special kind of pseudorandom generator designed so its outputs are computationally indistinguishable from true random and unpredictable without knowing the seed. Operating systems provide CSPRNGs and cryptographic libraries use them for keys, IVs, and nonces.

Shannon entropy (concept). Entropy measures unpredictability. High entropy keys resist guessing; good encryption removes observable structure so ciphertext looks random and does not compress well.

Bottom line. OTP proves perfect secrecy but isn’t practical; modern ciphers achieve security by iterating confusion and diffusion; strong randomness underpins everything.

Part 5: Modern Symmetric Cryptography

• Goal: Understand the structure of modern symmetric ciphers and how to use them. Most breakage is misuse (wrong mode, reused per-message input), not broken ciphers.
• Two families: Block ciphers (encrypt fixed-size blocks) and stream ciphers (keystream ⊕ plaintext).
• Within block ciphers, there are two main designs: Feistel networks and subsitution-permutation networks (SPNs)

Block ciphers

• Definition: A block cipher is a keyed permutation on fixed-size blocks of data. Different keys give different permutations. Block ciphers are the workhorses of symmetric cryptography.
• Structure: Most block ciphers are iterative: they apply the same round transformation repeatedly. Each round uses a round key derived from the master key.
• Building blocks: Rounds typically combine nonlinear substitution (S-boxes) with permutation or mixing steps (P-boxes or matrix operations).
• Design goals:
  • Confusion: Obscure the relationship between the key and ciphertext.
  • Diffusion: Spread the influence of each plaintext bit across many ciphertext bits.
  • Avalanche effect: A desired property of confusion and diffusion: flipping a single input bit should change about half the output bits, destroying patterns quickly.

Substitution-permutation networks (SPNs)

• Pattern: Substitute bytes via small lookup tables (S-boxes), mix/permute to spread changes, then XOR a round key: \(\text{state}\leftarrow \text{state}\oplus K_i\).
• Decryption: Apply inverse substitution and inverse mixing with round keys in reverse order.
• Example: AES.

Feistel networks

• Pattern: Split block \((L_i,R_i)\). One round: \[L_{i+1}=R_i,\qquad R_{i+1}=L_i \oplus F(R_i,K_i).\]
• Property: Always invertible even if \(F\) is not; decryption reuses \(F\) with round keys reversed.
• Example: DES.

DES and 3DES (historic examples)

DES (1977): The first U.S. encryption standard. A 16-round Feistel cipher with a 64-bit block and a 56-bit key. Hardware-friendly and influential, but the short key length made it vulnerable to brute force.

• Main issue: Key length (56-bit) is brute-forceable.
• Triple DES (3DES) (EDE: encrypt-decrypt-encrypt):
  • EDE1 (1 56-bit key): \(E_K(D_K(E_K(\cdot)))\) — backward compatibility; no strength gain.
  • EDE2 (2 56-keys = 112-bit key): \(E_{K_1}(D_{K_2}(E_{K_1}(\cdot)))\).
  • EDE3 (3 56-bit keys = 168-bit key): \(E_{K_1}(D_{K_2}(E_{K_3}(\cdot)))\).
• Status: Legacy algorithm; small block size, slow in software.

AES (modern standard)

• Block/key sizes: AES is the current global standard. It uses a 128-bit block and keys of 128, 192, or 256 bits, with 10, 12, or 14 rounds accordingly.
• Round steps: SubBytes (byte lookup table), ShiftRows (rearrange), MixColumns (mix bytes in a column), AddRoundKey (XOR).
• Why it's a good default: Strong safety margin, fast with crypto hardware extensions on many processors; good constant-time software exists.

Modes of operation

Block cipher modes define how to use a block cipher on long messages. They specify how blocks are linked and how per-message values (IVs or nonces) are used to keep encryptions distinct.

• ECB: Each block encrypted independently; identical plaintext blocks ⇒ identical ciphertext blocks; leaks structure and allows block cut-and-paste. Do not use for data.
• CBC: XOR plaintext with previous ciphertext block, then encrypt. First block uses an IV (initialization vector - must be fresh and unpredictable). Needs padding. Confidentiality only; beware implementation bugs that leak information through different error responses.
• CTR: Encrypt a per-message counter sequence to produce a keystream; XOR with plaintext. Unique per-message value under a key required (often called a nonce). No padding; parallelizable; random access friendly.
• GCM: CTR for encryption plus a tag to detect tampering (AEAD). Requires a unique per-message value (typically 96 bits).

AEAD: Authenticated Encryption with Associated Data: adding integrity checks to the encryption process. AEAD systems encrypt and return a tag so the receiver can detect and reject modified ciphertexts. We will cover integrity later; read AEAD as "encryption with a built-in tamper check."

Stream ciphers

Stream ciphers model the idea of the one-time pad: generate a keystream and XOR it with plaintext. Instead of a pad as long as the message, they expand a short key and a nonce into a long pseudorandom sequence.

• Model: Generate a keystream, then XOR: \(C=P\oplus \text{keystream}\) and \(P=C\oplus \text{keystream}\).
• Rule: Under one key, never reuse the per-message input that selects the keystream.

ChaCha20 is the most popular stream cipher today.

To avoid the problem of reusing a key, ChaCha20 takes as input to its keystream generator a secret key as well as a random nonce (a random bunch of bits).

Poly1305 is an add-on algorithm that creates a message authentication code: a 16-byte value that is affixed to each message and is a function of the message and the key. With Poly1305, ChaCha20 provides AEAD.

• What it does: Runs 20 rounds of add/rotate/XOR on a 512-bit internal state keyed by a 256-bit key and a per-message random value (nonce) to output a pseudorandom keystream; then XOR the keystream with the plaintext.
• Why used: Fast on general CPUs and embedded systems, constant-time without tables, robust side-channel profile.
• AEAD form: ChaCha20-Poly1305 (encryption + tag). Requires a unique per-message value under a key.

Quick reference

Common pitfalls

• ECB on data leaks patterns. Avoid using it.
• Per-message input errors:
• CBC: initialization vector (IV) must be fresh and unpredictable (random).
• CTR/GCM/ChaCha20: per-message value must be unique under a key (never reused, uniqueness is the rule).
• Implementation bugs in CBC from careless error handling that leak information.
• Ignoring data limits: 64-bit blocks hit a birthday bound after about \(2^{32}\) blocks.

Equations to recognize (not memorize)

• Feistel round: \(L_{i+1}=R_i,\; R_{i+1}=L_i \oplus F(R_i,K_i)\).
• Stream XOR: \(C=P\oplus \text{keystream}\) and \(P=C\oplus \text{keystream}\).

Part 6: Principles of Good Cryptosystems

Foundations

• Kerckhoffs's principle: Assume the attacker knows everything except the key. Publish algorithms; keep keys secret.
• Shannon: Confusion (hide key influence) + diffusion (spread local changes). Achieved by simple rounds that substitute, mix, and add key material.

Security properties

• Random-looking ciphertext: No patterns, no bias, does not compress. If identical plaintext blocks create repeated ciphertext, the mode/usage is wrong.
• No shortcuts to decryption without the key: Best generic attack is brute force over keys, not algebra on structure.
• Adequate key space; no weak keys: Each extra bit doubles search. \(2^{128}\) is beyond plausible brute force. Avoid key classes with special structure.
• Resistance across attack models: Aim for confidentiality under CPA (chosen plaintext attack); prefer AEAD so systems remain safe even when attackers can submit modified ciphertexts (CCA - chosen ciphertext attack settings).
• Side-channel robustness: Defend against timing/cache, power/electromagnetic emissions, and fault attacks with constant-time code, hardware instructions, masking/blinding, and no secret-indexed table lookups.
• Composability: Security should survive real use (chunking, retries, many senders). Use AEAD, keep per-message inputs correct, and separate keys by purpose.

Practical requirements

• Efficiency: Match the hardware. AES on architectures that accelerate it; ChaCha20 where AES support is weak. Efficient designs make constant-time code feasible.
• Minimal expansion: Small, predictable overhead (e.g., a per-message input + a tag in GCM but not overhead that is a multiple of the plaintext size). Avoid custom paddings and ad-hoc headers.
• Simplicity & universality: Few controls, clear defaults, mature libraries. Use high-level AEAD APIs; do not invent modes.
• Public algorithms, open analysis: Prefer widely vetted standards. "Proprietary crypto" is a red flag.

Keys (operational reminders)

• Generation: Use the operating system's cryptographically-secure pseudorandom number generator (CSPRNG). No ad-hoc randomness.
• Handling: Protect in storage and use; rotate before per-key data limits; destroy on retirement.
• Per-message input (random, non-secret parameter): Treat this as a first-class parameter. CBC needs a fresh, unpredictable IV. CTR/GCM/ChaCha20 need a value unique for a given key. This random data is referred to as a nonce or initialization vector.

Quick rules

• Prefer AES-GCM with hardware support; otherwise ChaCha20-Poly1305.
• Never use ECB for data.
• Padding is needed for ECB/CBC when message length ≠ block size; it is not needed for CTR/GCM/ChaCha20.
• Write constant-time code (no secret-dependent branches/lookups).
• Keep algorithms public; keep keys secret.

Common pitfalls

• Reusing the per-message input with the same key (CTR/GCM/ChaCha20).
• Predictable IVs in CBC
• Short keys, weak randomness, keys visible in logs/dumps.
• Secret-indexed tables causing cache leaks.

Part 7: Introduction to Cryptanalysis

What is cryptanalysis? The art and science of breaking cryptographic systems. Used by both attackers (malicious goals) and security researchers (testing and strengthening algorithms). Goal: recover plaintext from ciphertext without authorized access to the key.

Core assumptions: Analysts typically know the encryption algorithm (following Kerckhoffs's principle) and have some idea of content type (German text, machine code, file headers, etc.).

Attack models (what the analyst can access)

Brute force attack

Exhaustive key search — trying every possible key until meaningful plaintext emerges. Sets the security baseline: \(n\)-bit key requires at most \(2^n\) attempts (average \(2^{n-1}\)). Becomes infeasible with sufficient key length (128+ bits).

Ciphertext-only attack (COA)

Analyst has only encrypted messages with no corresponding plaintext. Extremely difficult against modern ciphers. Historically used frequency analysis against simple substitution. Modern secure ciphers resist COA by producing statistically random-looking ciphertext.

Known plaintext attack (KPA)

Analyst has matching plaintext-ciphertext pairs but cannot choose the plaintext. Can study correlations between inputs and outputs to find patterns. Example: Breaking Enigma using stolen plaintext-ciphertext pairs and predictable message formats.

Chosen plaintext attack (CPA)

Analyst can select specific plaintexts and observe the resulting ciphertext. Reflects scenarios where attackers influence message content. Enables systematic testing of cipher behavior and probing for structural weaknesses. Modern cipher design considers CPA resistance essential.

Chosen ciphertext attack (CCA)

Analyst can submit ciphertext for decryption and observe plaintext or error responses. Example: Implementation bugs in CBC mode where systems respond differently to valid vs. invalid padding, eventually revealing complete plaintext. Highlights why confidentiality alone is insufficient—need authenticated encryption (AEAD).

Cryptanalytic techniques

Differential cryptanalysis

Examines how differences in plaintext inputs propagate through a cipher to produce differences in ciphertext outputs. Seeks non-random behavior revealing information about internal structure or key bits. Typically requires chosen plaintext access. Modern ciphers are specifically designed to resist differential attacks.

Linear cryptanalysis

Attempts to find linear approximations (XOR equations) connecting plaintext bits, ciphertext bits, and key bits with probability significantly different from 50%. Works effectively with known plaintext. Complements differential techniques. Both approaches rarely recover complete keys but can reduce brute force search space.

Side-channel analysis

Exploits physical information leaked during cryptographic operations: timing, power consumption, electromagnetic emissions, cache access patterns, fault injection. Attacks the implementation rather than the mathematical algorithm.

Examples:

• Cache timing: AES table lookups leak key information via memory access patterns
• Power analysis: Different operations consume different amounts of electricity, revealing processed data
• Fault injection: Introducing errors during computation to extract secrets from faulty outputs

Defenses: Constant-time implementations, masking/blinding, hardware countermeasures, avoiding secret-indexed table lookups.

Key takeaways

• Good modern ciphers resist all standard attack models (COA, KPA, CPA, CCA) and major cryptanalytic techniques (differential, linear)
• Implementation matters — side-channel attacks often succeed where mathematical attacks fail
• Cryptanalysis serves defense — understanding attack techniques helps build stronger systems
• Open scrutiny is essential — algorithms gain trust through surviving public analysis, not through secrecy