Cryptography involves many topics and theories. This article covers topics including Symmetric Encryption Algorithms (also known as block ciphers), Hash Functions, Message Authentication Code (MAC), Authenticated Encryption (AE), Modes of Operation, Common Cryptography Terms, Cryptographic Applications, Approval Status, Random Number Generators, Seeds and XOR Calculation.
- Keyless Algorithms
- Symmetric Encryption Algorithms
- Hash Functions
- Message Authentication Code (MAC)
- Authenticated Encryption (AE)
- Modes of Operation
- Common Cryptography Terms
- Cryptographic Applications
- Approval Status
- Random Number Generators
- Seeds
- XOR Calculation
- Conversion
- References
Keyless Algorithms
Keyless algorithms do not use a secret key for encryption or decryption. They are generally used for data integrity verification and generating a random number. Hashing algorithms (MD5, SHA) and Random Generators (PRNG, RNG) are examples of keyless algorithms. Message Authentication Codes (MACs) are not counted as keyless algorithms because they require a key to provide authenticity.
Algorithm | Keyless |
Hash (MD5, SHA) | Y |
Random Number Generator | Y |
Message Authentication Codes (MACs including HMAC and CMAC) | N |
Symmetric / Asymmetric Algorithms (e.g., AES, DES, RSA, EC) | N |
Symmetric Encryption Algorithms (Single-key Encryption)
The same key is used for encrypting and decrypting data for single-key encryption. It is also known as symmetric key encryption. Examples of symmetric key encryption include:
AES
AES block size is 128 bits. The key sizes include 128, 192 and 256. It is commonly known as AES-128, AES-192 and AES-256. As a block cipher, it is a building block for Encryption, Decryption, Message Authentication Codes (CMAC – Cipher-based Message Authentication Code) and CSPRNG (Cryptographically Secure Pseudorandom Number Generator). AES is considered a computationally secure encryption algorithm as an adversary could not decrypt a ciphertext to plaintext without the required information.
The block size of AES is fixed to 128 bits. Therefore, it cannot be changed to another block size to make it become a stream cipher.
Applicability | Examples |
Encryption/Decryption | Encrypt / decrypt files with AES |
Message Authentication Codes | CMAC |
Random Number Generator | CSPRNG |
A ciphertext generated using a computationally secure encryption algorithm takes a very long time / powerful computer to crack. It is not impossible to brute-force the password. However, the usefulness of the information may become expired by the time it is cracked through brute-forcing.
Computationally secure
DES
DES block size is 64 bits. The key size is 56 bits.
Primary concern of DES:
DES’s key size of 56 bits is a concern for the algorithm’s security in modern standards. Modern computers can perform a brute-force attack against a password encrypted with DES and obtain the passphrase within hours because of the relatively short key size.
Two-key DES (2TDEA)
Two-key triple DES (2TDEA) has a total key size of 112 bits as it includes two keys of 56 bits. It is vulnerable to meet-in-the-middle attacks.
Triple DES (3DES / 3TDEA)
3DES also has a block size of 64 bits. The key size of 3DES is 168 bits, three times the size of DES. 3DES uses the DES algorithm three times to provide a higher level of security. It performs an encrypt-decrypt-encrypt (EDE) mode of operation. It is, however, slower, less efficient and less secure than modern encryption algorithms such as AES.
Backward Compatibility with DES
3DES can become backward compatible with DES. Assume there are three encryption keys used for 3DES. If all three encryption keys have the same value, backward compatibility with DES can be achieved. If a message is encrypted using 3DES with three identical keys, the same message can be decrypted with DES.
# | Cipher | Key Size (bits) | Block Size (bits) |
1 | DES | 56 | 64 |
2 | Two-key Triple DES | 112 | 64 |
2 | AES | 128, 192, 256 | 128 |
3 | Triple DES (3DES) | 168 | 64 |
4 | Twofish | 128, 192, 256 | 128 |
5 | Blowfish | 32-448 | 64 |
Symmetric Block Cipher Algorithms with Acceptable Status
According to NIST Special Publication 800-131A Rev 2, the following block cipher algorithms are acceptable.
# | Cipher | Acceptable | Usage | Validity |
2 | AES | Y | Encryption and Decryption | Not Applicable |
3 | Triple DES (3DES) | Y | Legacy System Only (Can no longer be used to encrypt new data, Decryption of existing data only) | Till the end of 2023 |
Hash Functions
Hash is useful for verifying the integrity of data. It can be used to verify if there is file corruption on an operating system. There are various characteristics of a Hash Function. The following table summarizes the requirements of a hash function. The principal object of a hash function is to map messages.
# | Requirement | Explanation |
1 | Accept a Variable Input Size | Hash functions are applied to files of different sizes. |
2 | Produce a Fixed Output Size | Hash functions shall produce fixed output size For example, the hash function SHA512 shall always produce a fixed output size of 512 bits. |
3 | Efficiency | Hash functions shall be easy to compute. No matter the size of a file, producing the hash value of the file shall be fast. |
4 | Pre-image resistant | Hashing is performed in only one way. It is computationally infeasible to find out the plaintext from its hash value. |
5 | Second pre-image resistant | Given an input message (M1), it should be difficult to find another plaintext message (M2) which produces the same hash values. Provides assurances that it is computationally infeasible to find another plaintext message / input that produces the same hash output. Assume an attacker has the plaintext, they cannot find a different message with the same hash value. |
6 | Collision resistant | Given a hash value, it should be difficult to find another hash value that is not the same plaintext message. Assume an attacker has the hash values, they cannot find an alternative plaintext. |
Message Authentication Codes (MACs)
Message Authentication Codes (MACs) are used to verify the integrity and authenticity of a message. MACs do not provide confidentiality or non-repudiation. MACs are not hash functions, but they are commonly used in combination with block ciphers. There are two categories of MACs, including HMAC and CMAC. They are attached to the majority of encrypted data we send over the Internet. MACs do not represent a digital signature because both the sender and receiver share the same key (shared secret key). Note that only one secret key along with the message is fed into a hash function to produce an HMAC. Likewise, only one secret key along with the message is fed into a block cipher algorithm to produce a CMAC.
Assume we have a message with a hash attached to it. An attacker can modify the message and change the hash value attached to it. Without a MAC, we cannot verify the authenticity of the message.
Scenario #1: Without a MAC
The hash value can be changed by an attacker when the data is sent over an insecure medium
Message | Hash |
m | h(m) |
Scenario #2: With a MAC
With a MAC, a key will be included in the hash function. Therefore, the calculated hash value will be different and cannot be modified by an attacker who does not have knowledge regarding the key. The hash cannot be recomputed without access to the key.
Message | Key + Hash |
m | h[k2+(h(k1+m)] |
HMAC
For HMAC, a hash function such as SHA-512 is used along with a secret key to produce an HMAC-based Message Authentication Code (MAC). It is also known as an HMAC tag. The HMAC tag will be generated from plaintext.
HMAC consists of a private key and a hash algorithm. It does not contain a block cipher. A PRNG can be used to generate a secret key. However, a PRNG by itself is not a component of HMAC.
HMAC
How to verify that a HMAC tag is valid:
The receiver can perform the following steps to verify the authenticity of a ciphertext with a HMAC tag.
Step 1: View the HMAC tag of a file provided by the sender.
Step 2: Recompute the HMAC tag of the file by applying the same hash function (e.g. SHA-512) and secret key on the received file.
Step 3: Compare the original and recomputed HMAC tags to see any difference. If they are not the same, the integrity and authenticity of the file cannot be trusted.
CMAC
CMAC is based on a block cipher algorithm (AES) rather than a hash function. Typically used with industrial standards block ciphers such as AES, CMAC encrypts a message in CBC mode of operation. A CMAC tag will be generated from plaintext. It currently has an approved status according to NIST SP 800-38B.
CMAC consists of a private key and a block cipher algorithm. It does not contain a hash function. A PRNG can be used to generate a secret key. However, a PRNG by itself is not a component of CMAC.
CMAC
How to verify that a CMAC tag is valid:
The receiver can perform the following steps to verify the authenticity of a ciphertext with a CMAC tag.
Step 1: The sender generates a fixed-size tag with the message and a shared secret key. The recipient can then verify the message by recomputing the MAC using the same secret key and comparing it with the received MAC.
Step 1: View the CMAC tag of a file provided by the sender.
Step 2: Recompute the CMAC tag of the file by applying the same block cipher algorithm (e.g. AES-256) and the shared secret key. The input consists of the file, the shared secret key and the CMAC algorithm.
Step 3: Compare the received and recomputed CMAC tags to identify any differences. If they are not the same, the integrity and authenticity of the file cannot be trusted.
Authenticated Encryption (AE)
Authenticated Encryption (AE) combines a Symmetric Encryption Algorithm with a Message Authentication Code (MAC).
Encrypt-and-MAC (E&M)
Encrypt-and-MAC (E&M) provides confidentiality and integrity by encrypting a message with a block cipher algorithm to produce a ciphertext and generating a MAC on the original plaintext using HMAC or CMAC. For decryption, MAC verification will first be performed, followed by decrypting the message with the encryption key. Encrypt-and-MAC is considered less secure than other authenticated encryption models.
Examples:
SSH
MAC-then-Encrypt (MtE)
MAC-then-Encrypt (MtE) allows a sender to generate a MAC using HMAC or CMAC. After that, the sender encrypts the plaintext and MAC together using a block cipher algorithm. The resulting ciphertext (which involves both the MAC and encrypted message) will be sent to the receiver.
Examples:
TLS, SSL
Encrypt-then-MAC (EtM)
For Encrypt-then-MAC (EtM), the plaintext is first encrypted. A MAC will then be produced based on the ciphertext. Rather than generating a MAC based on plaintext directly like Encrypt-and-MAC (E&M) or MAC-then-Encrypt (MtE), Encrypt-then-MAC (EtM) generates a MAC based on a ciphertext. As all information, including the data/text, is encrypted before applying MAC, it provides the highest level of security in authenticated encryption (AE).
Examples:
IPsec
Scenario
Assume we use AES and HMAC to protect a plaintext message and send it over an insecure channel.
- AES-128 in CBC mode of operation can protect the confidentiality.
- HMAC-SHA3 can be used to protect the integrity and authenticity.
- The input to AES-128 encryption algorithm is a shared secret key and the plaintext.
- The input to HMAC-SHA3 is the another shared secret key, the plaintext, and an IV.
- The output of the AES-128 block cipher algorithm is a ciphertext.
- The output of HMAC-SHA3 is a Message Authentication Code (MAC).
- The Message Authentication Code (MAC) created from HMAC-SHA3 shall be combined with the ciphertext created from AES-128 block cipher algorithm, and sent to the receiver.
- The receiver will decrypt the ciphertext using the shared secret key and re-compute the hash value (HMAC-SHA3) to compare that with the received HMAC-SHA3 value to see if the message was modified. Then, use the other shared secret key to decrypt the message.
A Summary of Authenticated Encryption (AE) Implementations
# | Protocol | Authenticated Encryption (AE) Method |
1 | SSH | Encrypt-and-MAC (E&M) |
2 | TLS/SSL | MAC-then-Encrypt (MtE) |
3 | IPsec, WinZip | Encrypt-then-MAC (EtM) |
Authenticated Encryption (AE) Modes
CCM (Counter with CBC-MAC) and GCM (Galois/Counter Mode) are authenticated encryption modes based on block cipher algorithms. They are modes of operation for block ciphers and are not intended for use in stream ciphers. Both of them provide confidentiality and authenticity.
Counter with CBC-MAC (CCM)
As the name suggests, Counter with CBC-MAC (CCM) combines Counter Mode (CTR) for encryption and CBC-MAC for authentication purposes. The advantages of CCM include the benefits of CTR mode of operation and MAC authentication. For example, confidentiality, integrity, and authenticity of information protected with CCM are guaranteed. Remember that just as CTR mode of operation, a nonce must be included in every encryption process of a block. The nonce must also be incremented for every operation. It is insecure when used for variable-length messages. An Initialization Vector (IV) must also be used to produce a keystream and then XOR with the plaintext for producing the ciphertext. The IV is not recommended to be the same value as the passphrase/key.
Consists of AES encryption algorithm, CTR mode of operation, and the CMAC authentication algorithm
CCM: Counter with CBC-MAC
Galois/Counter Mode (GCM)
Like CCM, GCM also uses the Counter (CTR) mode of operation. However, it does not use make use of the CMAC authentication algorithm. it employs GHASH, which generates a MAC based on the ciphertext (not plaintext).
Consists of AES encryption algorithm, CTR mode of operation. Does not make use of CMAC.
GCM: Galois/Counter Mode
Examples:
TLS, IPsec
Modes of Operation
A mode of operation is combined with a block cipher algorithm to encrypt and decrypt data. Various modes of operation have different characteristics. They protect data confidentiality and are used together with an encryption algorithm like AES. It is worth noting that these modes of operation are vulnerable to tampering without detection when they are used without Message Authentication Codes (MAC). A traditional mode of operation only provides confidentiality but not integrity and authenticity. Mode of Operation without a MAC (HMAC/CMAC) does not guarantee integrity and authenticity because keystreams can be changed without anyone noticing. For all modes of operation, the Initialization Factor (IV) shall be unpredictable and not reused.
1. Electronic Code Book (ECB)
In ECB mode, every plaintext block is encrypted using the same key. Therefore, it is only secure for encrypting a message with one block. Otherwise, the ciphertext will be vulnerable to a pattern recognition attack. For example, ECB is a poor choice for encrypting an image because the colour and pattern of an image are often repeated. The ECB mode of operation has a simple structure as it does not include a nonce or initialization vector.
Calculating ECB Block Size
- Assuming we are using a block cipher algorithm – AES-256 to encrypt a plaintext message of 780 bits.
After performing the encryption operation, the number of ciphertext blocks will be 4, which is the round-up of (780/256 = 3.04).
Even though the last block is not entirely filled, the block size will also be 256 bits for the last ciphertext block. Since the plaintext size in the last block is smaller than the whole block, padding will be added to fill up the block. Therefore, the block size is still 256 bits.
- Assume we are using a block cipher algorithm – AES-192 to encrypt a plaintext message of 750 bits.
Afer performing the encryption operation, the number of ciphertext blocks will be 4.
Even though the last block is not entirely filled, the block size will also be 192 bits for the last ciphertext block. Since the plaintext size in the last block is smaller than the whole block, padding will be added to fill up the block. Therefore, the block size is still 192 bits.
2. Cipher Block Chaining (CBC)
For CBC mode, every plaintext block is XORed with the previous ciphertext block before encryption. Therefore, it is secure from a pattern recognition attack as long as the encryption key is kept secret and the IV is not reused. Note that the IV shall be unpredictable. The last ciphertext block shall not be reused as the IV for the next message because it contributes to the predictability of the IV.
The input to the encryption algorithm is the XOR of the next plaintext block with the last ciphertext block.
CBC by itself only protects the confidentiality of data. It does not protect the integrity/authenticity of data. CMAC / HMAC must be used in conjunction with a mode of operation like CBC to protect the integrity and authenticity of data.
CBC Encryption
For a ciphertext produced with CBC: C1C2C3C4, assume there was a transmission error for C2, the subsequent block will be affected. Plaintext P2 and P3 will be affected as the transmission error affects the current block and also propagate to the next block.
CBC Mode of Operation
3. Cipher Feedback (CFB)
In CFB mode, a keystream block is generated with the previous block’s ciphertext. A shift register stores the previous ciphertext blocks and feeds itself into the encryption algorithm to generate the next keystream block. An initialization vector (IV) will be transmitted along with the encrypted data. Therefore, IV does not need to be secret, but it must be unpredictable and not reused.
In CFB mode of operation, encryption can be performed 1 bit at a time, which acts like a stream cipher.
Cipher Feedback (CFB)
4. Counter (CTR)
CTR mode of operation is resistant to the majority of attacks. A counter is encrypted and XORed with plaintext to generate the ciphertext. Therefore, the counter values must be unpredictable. The counter value must also be incremented for each block. A nonce and an IV are used in the Counter mode. For encrypting every block, the nonce will be increased by 1. Combined with an IV, they feed into the encryption algorithm. The nonce and IV must not be reused for encrypting blocks. g
For a ciphertext produced with CTR: C1C2C3C4, assume there was a transmission error for C2, only the corresponding block P2 will be affected. The subsequent blocks will not be affected.
CTR Mode of Operation
5. Output Feedback (OFB)
In OFB, the output of the encryption algorithm function will become the input for encrypting the next block. The IV must be unique for each encryption operation. Therefore, the IV is also a Nonce in the OFB mode. It does not need to be secret but should be unpredictable.
A Summary of Modes of Operation
# | Mode of Operation | Conversion into a Stream Cipher | Random Access Available | Error propagates to another block | Parallel Encryption | Parallel Decryption | Advantages | Disadvantages |
1 | Electronic Code Book (ECB) | N | Y | N | Y | Y | Supports random access to encrypted data. Simplicity High efficiency as parallel processing is available for both encryption and decryption. | Insecure when used to encrypt data larger than one block due to pattern recognition attack. Cannot be turned into a stream cipher. |
2 | Cipher Block Chaining (CBC) | N | Y | Y | N | Y | Supports random access to encrypted data. Parallel decryption is supported. | Requires the entire message to be decrypted before a part of the message can be accessed. It is not possible to skip through a video encrypted with CBC. Only sequential processing is available. Parallel encryption is not supported. Does not tolerate missing ciphertext blocks. Cannot perform bit-level encryption because it encrypts the entire plaintext blocks. It cannot be turned into a stream cipher. Any error in a block will be propagated to subsequent blocks because every ciphertext will be XORed with the plaintext in the next block. |
3 | Cipher Feedback (CFB) | Y | Y | Y | N | Y | Supports random access to encrypted data. Allows bit-level encryption, so there is no need to encrypt all plaintext blocks. An error in a block will not be propagated to subsequent blocks. Bit errors in the ciphertext only affect the corresponding plaintext bit. Parallel decryption is supported. | Parallel encryption is not supported. Affected by bit error propagation. If there is an error in one block, the error will be propagated and subsequent block encryption operations will fail. |
4 | Counter (CTR) | Y | Y | N | Y | Y | Supports random access to encrypted data. High efficiency as parallel processing is available for both encryption and decryption. It has a faster performance compared to CBC mode because multiple blocks can be encrypted and decrypted at the same time. Does not affected by bit errors in transmission and an error does not propagate. | |
5 | Output Feedback (OFB) | Y | N | N | N | N | Supports resynchronization. If there is an error in one block, the subsequent block encryption can continue. An error in a block will not be propagated as it only affect the corresponding block. | Does not support random access to encrypted data. Parallel encryption / decryption processing is not available. |
Common Cryptography Terms
Computationally Secure
The information we try to protect has value and lifetime. When the cost of breaking the ciphertext exceeds the value of the encrypted data, and the time of breaking the ciphertext exceeds its usefulness, it is called computationally secure.
Confusion
Confusion attempts to make the relationship between the plaintext, ciphertext and encryption keys more complex. Even if an attacker can find out the statistics of the ciphertext, it is still difficult to deduce the key. It makes sure that no one can determine the original plaintext message without an encryption key.
Diffusion
Diffusion attempts to spread the influence of plaintext bits over many ciphertext bits. With diffusion, it is difficult for attackers to perform a cryptoanalysis and figure out the original key’s structure. With diffusion techniques, a slight change in the input message causes significant changes in the output ciphertext. For example, changing just one byte of the input message will change multiple bytes of the output ciphertext.
Substitution
Substitution refers to replacing letters in plaintext with other letters, numbers or symbols. One of the earliest examples of substitution in Cryptography is Caesar Cipher. It involves replacing alphabets with ones which are further down the alphabet. Note that substitution is susceptible to frequency analysis attacks.
Permutation
Permutation refers to reordering elements in a sequence. No element will be added, deleted or replaced. It is simply the order of elements that are changed.
Feistel Cipher
The Feistel cipher structure is used by symmetric block ciphers algorithms like AES, DES, 3DES and blowfish. It was based on a proposal dated back to 1945. It is an encryption algorithm which uses substitution and permutation techniques to secure data by alternating them.
# | Components used in the Feistel Cipher |
1 | Substitution |
2 | Permutation |
Block Cipher
Block ciphers operate on fixed-size data blocks. A block cipher algorithm like AES cannot be changed to perform stream cipher functions. The block size of a block cipher algorithm is already pre-defined. For example, the block size of AES must be 128 bits, and the block size of DES and 3DES must be 64 bits. However, the key size of a block cipher algorithm can be changed. As an example, AES key size can be 128, 192 or 256 bits.
Stream Cipher
A stream cipher encrypts the data stream one bit/byte at a time rather than encrypting data with a fixed block size. It can be used to encrypt data in real time. Examples of stream cipher include RC4 and ChaCha20. A stream cipher is conducted one bit at a time. A stream cipher is typically used with a Message Authentication Code (MAC) to ensure the authenticity and integrity of the data sent over an insecure medium such as the Internet.
- Characteristics:
- Operate in real-time
- Padding is not required
- There is no need to pad plaintext to a block.
PBKDF2
Based on a hash function, PBKDF2 is a key derivation function (KDF) commonly used to derive a cryptographic key from a passphrase. It can be used to generate keys for HMAC authentication. An iteration count can be specified when applying PBKDF2 on a passphrase – it determines the number of times for applying the hash function to the plaintext. A high iteration count means it is slower to generate a hashed value. However, it is also slower for an attacker to perform a brute force attack on a hash generated with PBKDF2 KDF than a simple hash generated using a standard cryptographic hash function.
Apply hashing to a key/passphrase multiple times so that it is more difficult for an attacker to deduce the key via a rainbow table attack. A cost factor makes it difficult for an attacker to deduce the passphrase.
PBKDF2
OpenSSL> aes-128-cbc -pbkdf2
Meet-in-the-middle (MTIM) Attack
Meet-in-the-middle (MTIM) Attack typically applies to insecure symmetric encryption algorithms like 2DES. As 2DES split into two calculations during the encryption process, the attacker can gain information regarding the subset of keys used in the 2DES encryption process. Additional information is available to the attacker to perform cryptoanalysis to crack the passphrase.
Initialization Factor (IV)
An Initialization Vector (IV) is a random or pseudo-random value used as input to an encryption algorithm, including AES, to ensure that an encryption algorithm produces a unique output even if the same input is provided. Therefore, using an IV in encryption prevents attackers from cracking a ciphertext by performing cryptoanalysis. When an IV is used in performing a mode of operation, it includes the following characteristics:
# | Characteristics | Explanation |
1 | Unpredictable | An IV should be random and not related to the passphrase / plaintext. It can be generated using a PRNG. |
2 | Not reused in encryption operation (Unique) | For every encryption operation, an IV shall be unique. If multiple encryption operations were performed with the same IV, an attacker might discover the pattern. |
3 | Need not be secret | Unlike an encryption key or a seed, an IV does not need to be kept secret. |
4 | Known by the sender and receiver | Both the sender and receiver must perform encryption and decryption using the IV. Therefore, in modes of operations such as CBC and CTR, IV must be supplied to both parties. |
P.S. Nonce is similar to IV, but it does not need to be randomly generated. It can only be used once for an encryption operation.
IV is used in the following modes of operation:
# | Mode of Operation | How an IV is used for encrypting the first block? | How IVs are used to encrypt the remaining blocks? |
1 | Cipher Block Chaining (CBC) | An IV will XOR with the first plaintext block before performing encryption using a block cipher algorithm. | The previous ciphertext is used as an IV for the next encryption operation. |
2 | Cipher Feedback (CFB) | An IV will be the input to the encryption function. | A shifted register will be the input to the encryption function. (Keep in mind that an IV is used as the first input to the encryption function) |
3 | Counter (CTR) | A unique counter value will be created by combining an IV with a nonce. The counter will be used to encrypt a message with an encryption algorithm. | The subsequent blocks will be encrypted along with incremented counter values. |
4 | Output Feedback (OFB) | An IV will be supplied to the encryption algorithm during the encryption of the first block. The IV must also be a nonce. | The output of the encryption algorithm, rather than the ciphertext, will be used for encrypting the next block. |
Cryptographic Applications
Network-based applications
Most network-based applications make use of block ciphers, including AES and 3DES. Secure communication protocols such as SSL/TLD, IPsec and SSH use block ciphers to encrypt the traffic so that it can be sent over an insecure medium such as the Internet.
Approvals of Cryptographic Algorithms in Governments
The Canadian Government
The following list show the types of cryptographic algorithms approved for use by the Canadian federal government.
Cryptographic block cipher algorithms (one-key):
- AES
- 3DES (To be depreciated after the end of 2023)
Asymmetric algorithms (public-key / two-key):
- ECC
- RSA
Hash algorithms (key-less):
- SHA-2
Random Number Generators
Pseudo Random Number Generator (PRNG)
A PRNG takes a fixed value (seed) and generates a number based on it. PRNG is considered deterministic because the same seed will always generate the same output (i.e., the same input will always generate the same output). Therefore, PRNG can be predictable if the attacker knows the seed. However, it is considered safe when the seed is kept a secret. The principal requirement of a random number generator is that without access to the seed, the generated number stream shall be unpredictable.
The common use cases of PRNG are generating random numbers for use as initialization vectors (IV) and nonces in block cipher modes of operation.
Pseudo-Random Function (PRF)
Similar to PRNG, a Pseudo-Random Function (PRF) generates values from input, but a PRF function will also take a secret key in addition to a seed.
Cryptographically Secure Pseudorandom Number Generator (CSPRNG)
A CSPRNG produces output that is computationally indistinguishable from true randomness. The seed should be derived from a high-entropy source (e.g., noise) to ensure the output is difficult to predict. It uses a cryptographic algorithm like AES to repeatedly generate a sequence of random numbers.
Random Number Generator (RNG) or True Random Number Generator (TRNG)
An RNG or TRNG device generates random numbers by measuring environmental factors such as current noise levels. There is no seed in an RNG device, and the resulting number is unpredictable. As there is no input that will generate the same output, an RNG or TRNG is considered non-deterministic.
# | Difference | PRNG / PRF | RNG / TRNG |
1 | A seed is required | Y | N |
2 | A hardware device is required | N | Y |
3 | Absolute unpredictability | N | Y |
4 | Deterministic | Y | N |
Seeds
For a seed to be suitable for use by a PRNG/PRF, the following requirements are required.
# | Seed Requirement | Explanation |
1 | Appropriate Size | As a seed is used to provide entropy for RNG/TRNG, the seed size should be large enough to remain difficult to guess. |
2 | Random | The seed should not be predictable. Therefore, randomness is a requirement. |
3 | Kept Secret | The seed should be kept from anyone besides the sender. Even the receiver does not need to have the seed. |
XOR Calculation
A XOR 0
A XOR 0 will not have any effect on the result.
Assume A is 10110001. A XOR 0 will produce 10110001.
A | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 1 |
B | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Result | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 1 |
A XOR A
A XOR A will result in every number becoming 0.
Assume A is 10110001. A XOR A will produce 00000000.
A | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 1 |
B | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 1 |
Result | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Conversion
Conversion between encoding schemes and numerical systems is a common practice in Cryptography. The following table summarizes common cryptography data types and their associated data units.
# | Data Type | Bit | Byte |
1 | ASCII Character | 8 | 1 |
2 | Byte | 8 | 1 |
3 | Hexadecimal | 4 | 0.5 |