Voice and image encryption, and performance analysis of counter mode advanced encryption standard for WiMAX

Transcription

1 The University of Toledo The University of Toledo Digital Repository Theses and Dissertations 2013 Voice and image encryption, and performance analysis of counter mode advanced encryption standard for WiMAX Srinivasa Rao Basavarasu The University of Toledo Follow this and additional works at: Recommended Citation Basavarasu, Srinivasa Rao, "Voice and image encryption, and performance analysis of counter mode advanced encryption standard for WiMAX" (2013). Theses and Dissertations This Thesis is brought to you for free and open access by The University of Toledo Digital Repository. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of The University of Toledo Digital Repository. For more information, please see the repository's About page.

2 A Thesis entitled Voice and Image Encryption, and, Performance Analysis of Counter Mode Advanced Encryption Standard for WiMAX by Srinivasa Rao Basavarasu Submitted to the Graduate Faculty as partial fulfillment of the requirements for the Master of Science Degree in Electrical Engineering Dr. Junghwan Kim, Committee Chair Dr. Mansoor Alam, Committee Member Dr. Richard Molyet, Committee Member Dr. Patricia R. Komuniecki, Dean College of Graduate Studies The University of Toledo December 2013

3 Copyright 2013, Srinivasa Rao Basavarasu This document is copyrighted material. Under copyright law, no parts of this document may be reproduced without the expressed permission of the author.

4 An Abstract of Voice and Image Encryption, and Performance Analysis implementing the Advanced Encryption Standard in Counter Mode for WiMAX by Srinivasa R Basavarasu Submitted to the Graduate Faculty as partial fulfillment of the requirements for the Master of Science Degree in Electrical Engineering The University of Toledo December 2013 This thesis deals with the implementation of the Advanced Encryption Standard's (AES) counter mode (CTR/ CM) as a standalone engine for securing voice and image data. This implementation can be easily adapted to the latest fourth generation (4G) wireless broadband technologies like WiMAX, with improved performance. Data, when transmitted through a noisy communication channel, is adversely affected by it resulting in errors. Forward error correcting codes are conventionally employed to correct these errors. However, when data that is encrypted using a secret key algorithm is transmitted through such noise however, the errors increase exponentially. Forward error correction proves to be a futile endeavor to correct such errors and new techniques are needed to correct these errors. iii

5 The approach in this thesis is twofold, first to use the counter mode to encrypt audio and image data, to show the feasibility of implementation and, then to arrive at a new technique to improve performance of encrypted data in the presence of noise. A Bose, Chauduri and Hocquenheim (BCH) code is then used in conjunction with this new method to reduce the overall Bit Error Rate (BER) compared to those techniques which use standard error correction procedures only. iv

6 This is dedicated to Christ who saved me (John 3:16-17)

7 Acknowledgements I am greatly indebted to my advisor, Dr. Junghwan Kim, who has supported me throughout my Master s program. This work would not have been possible without his expertise in the area of communication systems. He has provided me with valuable insights, and guided me accurately through this research. I would also like to thank the Chair of EECS, Dr. Mansoor Alam and Dr. Richard Molyet for serving as members on my defense committee. I am also very thankful to the Information Technology Department for providing me a professional atmosphere to work in. A special thanks goes out to Dominic D Emilio, Tim Sanderson, Christopher Gail, and Patricia Pulcini. I also welcome this opportunity to thank my Church family at Calvary Chapel for sustaining me with biblical teaching, discipleship and Christ-centered fellowship. Graduate school has not been easy and their every prayer has proved to be more worth than pure gold. I wouldn't have known Christ's love if not for them I also would like to thank my close friends, Manoj Kodigudla, Nikhil Katakam, Phani Pudi, Bharat Palatla, David Reamey, Purnima Mulagaleti and Sandesh Puligundla. My deepest gratitude goes to my mother, Malathi Rao and father, B. R. Rao. They have given me everything to satisfy my needs and wants. This thesis wouldn't have been possible without their constant encouragement, love and support. I thank my brother Eashwar, who loves me more than any friend. vi

8 Table of Contents Abstract... iii Acknowledgements... vi Table of Contents... vii List of Tables... xi List of Figures... xii 1 Introduction Secure Digital Communication System Overview of WiMAX WiMAX Security Architecture Fundamentals of Encryption Implementing a Cryptosystem Outline of Thesis The Advanced Encryption Standard The AES Algorithm Encryption A Sub-bytes step Shift rows step Mix columns step Add round key step...25 vii

9 Key Schedule Decryption AES Modes of Operation Electronic codebook mode Cipher block chaining mode Cipher feedback mode Output feedback mode Counter mode Benefits of using Counter Mode Audio and Image Encryption in MATLAB using AES -CTR Audio Encryption AES CTR Encryption Process PCM Decimal to binary stream Implementing the encryption engine Substitution of bytes (SUB_SBOX) Shift rows Mix columns Add round key Key Expansion Decryption Voice Encryption Results Image Encryption and Results...57 viii

10 4 Error Properties of AES Avalanche Effect Bit Error Expansion Bit Error Propagation in Counter Mode Results of Improved AES CTR Performance with FEC in AWGN BPSK Modulator and Demodulator Forward Error Correction Using BCH Code (n, k) = (31, 16) Binary BCH code Berlekamp algorithm for decoding Binary BCH (31, 16) code Analysis of AES CTR Mode Error Performance AES in ECB mode with BPSK AES in CTR mode perfect synchronization Case Case AES CTR mode with counter transmittal Case Case Performance of AES CTR compared with AES ECB Binary BCH (31, 16) coded performance of AES -CTR Case Case Case Conclusion and Future Work...99 ix

11 6.1 Conclusion Future Work References x

12 List of Tables 1.1 Comparison of WiMAX and broadband technologies SBOX with hex values BCH codeword format Berlekamp decoding coefficients...86 xi

13 List of Figures 1-1 Block diagram of a secure communication system WiMAX security architecture Secure and insecure domains in WiMAX (a) Previous vs. (b) Proposed solution State mappings Top level view of the AES algorithm Substitution box or s-box Sub-bytes in action Pseudo code for finding the inverse from the given s-box Polynomial multiplication referred by poly_mult Pseudo code for creating inverse s-box Shift rows operation on intermediate state Mix columns transformation Adding round key to intermediate state Key expansion concept Key expansion process AES -ECB mode Spoofing attack AES -CBC mode...31 xii

14 2-16 AES -CFB mode AES -OFB mode AES -CTR mode Overview of audio encryption experiment Top-level view of counter mode encryption Pseudo code for PCM Flowchart of decimal to binary transformation Counter mode implementation SUB_SBOX module Pseudo code Substitution process Pseudo code for shift rows Shift rows operation Pseudo code for mix columns Pre-computed key expansion Amplitude vs. time waveforms of input audio vs. encrypted audio Comparison of number of samples as a function of amplitude Binary values of input data vs. bit position Binary values of encrypted data vs. bit position Binary value comparison of encrypted vs. plain data Original Color Image Image encryption process Input image vs. encrypted image vs. decrypted image...59 xiii

15 3-21 Comparison of pixel intensity Avalanche effect in ECB mode Bit error expansion in CBC mode Stochastic error model for ECB and CBC modes Mean recurrent and holding times for ECB block cipher Plot of mean recurrent and holding times for ECB Bit error expansion in ECB mode State of the decryption process in counter mode Implementation method BER of BPSK theoretical vs. simulation BCH (31, 16) encoded BPSK signal vs. unencoded signal Performance degradation of AES -ECB in AWGN BER of AES CTR with ciphertext alone affected by noise BER of AES -CTR with counter alone affected by noise (case 3) BER of AES-CTR worst case (case 4) Performance improvement of AES CTR over AES -ECB BER of BCH (31, 16) encoded AES-CTR data only vs. encoded plaintext BER of BCH (31,16) encoded counter vs. encoded data vs. encoded plaintext BER of BCH (31, 16) Encoded data + counter vs. encoded plaintext Performance of all schemes...98 xiv

16 Chapter 1 Introduction Chapter 1 This chapter provides a brief understanding of the concepts of security in a modern day digital communication system, discusses the security shortcomings in a leading market standard called WiMAX [1] and a potential solution to answer some of these shortfalls. We present the outline of the thesis in the last section of this chapter. 1.1 Secure Digital Communication System With the advent of personal communication systems like laptops, mobile phones and personal tablets, and the increasing dependence on the Internet for business transactions, customers today are placing extremely stringent requirements on services confidentiality. Adopting different cryptographic algorithms in modern digital communication systems using a variety of techniques ensures confidentiality. The term cryptography originated from the ancient Greek origin words kryptos which means hidden and graphein which means writing [2]. This shows that ever since the early ages two parties had vested interest to communicate with each other securely to protect their own vested interests. These communications were military by nature, but today with the 1

17 proliferation of personal communication systems, communication secrecy has value in military as well as civilian communication scenarios. In Figure 1-1, we describe the general block diagram of a secure digital communication system. The user enters the information that he wants to transmit through a computing terminal (more recently a smartphone s user interface). The user is usually oblivious to the underlying broadcasting system and operates at a high level of abstraction. The first stage of this communication starts at the source coder. User Input Digital Source Coding Digital Encryption Channel Coding Modulation Output for User Digital Source Decoding Digital Decryption Channel Decoding Demod Figure 1-1: Block Diagram of a secure communication system The source coder takes the analog or high-level digital input and reformats it according to the digital input requirements of the communication system. Modern radios use both proprietary standards like AMBE+ [3] as well as open source standards like G.711 [4], based on standardized coders like the Pulse Code Modulation (PCM). The selection of the right source coding system depends on the requirements of the 2

18 communication channel and the level of interoperability that needs to be achieved for this purpose. Interoperability can be defined as the ability of diverse systems and organizations to work together (or interoperate). Interoperability for information technology is a property of a product or process, whose interfaces are fully understood, to work with other products or systems, current or future, without any restricted access or implementation [5]. Digital encryption is the main element to ensure the secure transmission of a message. The input to this system is commonly called as plaintext. The encryption device converts this plaintext into a cryptic form ( ciphertext ), which can either be a hardware implementation or more typically a software implementation, and the sender transmits this ciphertext to the intended recipient of this information by applying the appropriate digital coding and modulation techniques. The channel coding block, modulation block and, channel are all necessary components for digital communication. They offer error correction, throughput increment, bandwidth management, synchronization, and modulation. The channel in specific is the medium through which data traverses on its path to the receiver. Channels can be classified into two types, static or fixed channels like the traditional Public Telephone Switching Network (PTSN) and mobile channels, which typically model a wireless metropolitan network channel. Furthermore, channels can also be classified as homogeneous channels or heterogeneous channels. Most current real time channels are heterogeneous in nature, which means they contain both static, as well as dynamic channels. The digital receiver in a secure communication system is similar to the transmitter with the exception that the demodulation, decoding and decryption blocks follow inverse 3

19 processes to reconstruct the signal to a form that human subject can understand. In the next section, we introduce the WiMAX system. 1.2 Overview of WiMAX WiMAX (Worldwide Interoperability for Microwave Access) is the IEEE standard [6] based communication system, which is fundamentally flexible and robust in its operation with a well-designed physical and wireless channel interface. The design of the Physical layer includes Orthogonal Frequency Division Multiplexing (OFDM). This enables best performance by negating multipath distortion effects, which are common in metropolitan wireless channels. In built into the physical layer is support for advanced techniques for performance optimization, which incorporate robust Forward Error Correction (FEC) like Low Density Parity Check (LDPC) codes and Turbo codes, and hybrid Automatic Request (ARQ) feedback mechanisms, as well as robust antennas for multi-user operation. System capacity improvements are supported by the use of adaptive modulation-coding, spatial multiplexing and multi-user diversity [1]. WiMAX also offers powerful encryption and user authentication, providing support for voice, video and multimedia data types. It runs on flexible all-ip network architecture [1] on top of which end-end functions like security and mobility management are built. Refer to Table 1-1 [1] for the overview of the specification of the WiMAX standard and comparison with other broadband technologies. 1.3 WiMAX Security Architecture To ensure privacy in WiMAX communication, the specifications of the standard indicate two techniques implemented in conjunction: authentication and encryption. WiMAX uses DES in order to satisfy the interoperability with legacy encryption devices 4

20 or the Advanced Encryption Standard (AES) [7], to provide encryption support for modern security systems. Table 1-1: Comparison of WiMAX with modern broadband technologies [1] WiMAX constructs data packets at the Media Access Control (MAC) layer and these packets are called MAC PDU s [8]. In Figure 1-2, we show the current security architecture in WiMAX also called ROSEMEX [9]. 5

21 When the data first enters the WiMAX network, significant physical layer variables, performance variables, and security parameters are exchanged between the Subscriber Station (SS) and the Base Station (BS). The base station and the Authentication, Authorization, and, Accounting (AAA) server are both a part of the Access Service Network gateway. The vulnerability of using Ranging Request Response (RNG REQ, RNG RSP) messages to exchange information between SS and BS has been published in this regard [9]. The SS first sends RNG REQ message to the BS which is trying to access the network for the first time. The RNG RQ requests for the transmission timing, power, frequency and burst profile information [10]. They say, the variables that are sent back and forth while establishing a connection are not securely protected thereby compromising the secrecy of the data that are transmitted. The secure and insecure regions are highlighted in Figure 1 3 [9]. We can see that till the connection is complete, the network passes the variables and various other parameters in an insecure manner, giving rise to the possibility of masquerading attacks, where a rogue station can try to impersonate a legitimate BS to gain access to the secure data. The customer's data is not completely secure due to the protocol implementation in WiMAX. A possible solution to counter this problem is to see if the end user encrypts the data before sending it through the WiMAX channel. Because the new solution encrypts the data before transmission, an attacker will not be able to gain access to it. This can be achieved by implementing the cryptographic engine as a part of a software or hardware implementation residing in the customer s transmitting device. To understand this work, a necessary prerequisite is to understand the fundamentals of encryption and decryption. 6

22 SS BS ASN/ GW AAA 1. Choosing Ranging Code 2.Generate SS PK =Generates PRE-TEK UL-MAP(Initial Ranging Codes) Initial Ranging Codes Global parameters SS Public Key RNG-RSP BS Public Key Connection Establishment =Verifying p Generates BS PK =Generates PRE-TEK Secure Ranging Method with PRE-TEK Secure SBC Negotiation Secure Authentication and Key Exchange Figure 1-2: WiMAX security architecture 7

23 SS BS ASN/ GW AAA Ranging SBC Negotiation Secure Authentication and Key Exchange Registration Insecure Region A Data Communication Secure Region Insecure Region B Insecure Region C Figure 1-3: Secure and insecure domains in WiMAX 8

24 1.4 Fundamentals of Encryption following: A cryptographic system can be defined as a system that consists of the A plaintext message space M: a set of binary strings over some alphabet. A ciphertext message space C: a set of possible encrypted messages. equation: An secure key space K K' : a set of possible encryption/decryption keys An efficient key generating algorithm G: N K K' An efficient encryption algorithm E:MK C An efficient decryption algorithm D: C K M [11] The ciphertext is related to the plaintext according to the following mathematical c E ( m) (1.1) k Such that m is a string belonging to the message space M. The plaintext can be retrieved from the ciphertext c, belonging to the ciphertext space C, provided there is an efficient decryption algorithm according to the equation: m D () c (1.2) 9 k The end of the decryption process from the original source should not alter the plaintext as shown by the equation: D E ( m) m (1.3) k k In this work, the efficient algorithm used is the Rijndael Algorithm [12], which is Advanced Encryption Standard [7]. Shannon described the one-time pad as a modulo-2 operation (XOR) between the plaintext bits and key bits (length of binary key string is equal to the length of the plaintext binary string). His theorem of perfect secrecy states

25 that: A cryptosystem has perfect secrecy if p ( x y) p ( x) for all x P, y C. That is, the a posteriori probability that the plaintext is x, given that the ciphertext y is observed, is identical to the a posteriori probability that the plaintext is x [13]. p p 1.5 Implementing a Cryptosystem To counter the problems posed by WiMAX, we implement a crypto engine outside the protocols framework and simulated the encryption as if it were located on the end user s device. When transmitting this information across noisy channels encryption degrades performance due to the Error Propagation [14] caused by the ciphers Avalanche Effect as well as the Error-Propagation [14] caused due to channel noise. Simple use of Forward Error Correction (FEC) was previously proposed to negate the error-propagation [15, 16] effect but this introduces latency, complexity in decoding and weak error correction. A single bit of error in ciphertext corrupts an entire block of received plaintext in block ciphers [14]. Since AES uses 128 bit blocks of data in its algorithm and there is increased noise when the noise spectral density is high, the errors that occur in the received data are burst errors that can corrupt all received data. Since the data is corrupt when we use the original key to decrypt the received ciphertext, we get garbled data. To use FEC, one must employ lengthy codes to correct these types of burst errors in the ciphertext [14]. This decreases the coding rate thus affecting the throughput of the system. Therefore much of the implementations in previous works are not feasible to be applied to real-time communication sources like voice and video data. In our work, we show that the counter mode of AES provides significant protection against burst errors. We also provide a new implementation of the Counter 10

26 Mode to further increase performance. By combining with standard FEC coding techniques, we analyze the Bit Error Rate (BER) performance so that future research can use these results to design encryption systems for hardware and software. Encryption systems designed with this implementation will be able to adapt to any of the 4G protocols such as WiMAX, HSPA and 3GEV-DO Rev A. We show the overview of the implementations of previous works as compared to the encryption done in this work in Figure 1-4. Figure 1-4: (a) Previous vs. (b) Proposed implementation 11

27 1.6 Outline of Thesis Chapter 1 is devoted to the introduction of the topic, the security threats in WiMAX networks, the previous work on FEC of block ciphers, and the proposed solution of implementing AES in counter mode for encrypting real time data and to reduce the Bit Error Rate naturally caused by the block ciphers avalanche effect. We also touched upon the elementary topics on data encryption and the current research undertaken in the area of joint encryption and channel coding. The research in this work is divided into two parts: 1) AES operation in CTR mode for encryption of voice and image data and 2) Implementation of CTR mode in conjunction with Forward Error Correction to improve Bit Error Rate (BER) performance in AWGN channels. Chapter 2 introduces the literature related to the Advanced Encryption Standard and its modes of operation. Chapter 3 is devoted to the implementation methodology of CTR mode for encrypting voice and image data. Chapter 4 talks about the types of errors that occur in encrypted data when passed through noisy channels and develops the basis for the new type of counter implementation. Chapter 5 is devoted to the methodology of implementing counter mode using standard WiMAX modulation schemes for efficient BER performance and compares the results with block cipher performance using BCH codes. In Chapter 6, we conclude and briefly mention about the future scope of this work. 12

28 Chapter 2 The Advanced Encryption Standard The National Institute of Standards and Technology (NIST) adopted the Rijndael Algorithm [12] as the Advanced Encryption Standard in This algorithm was invented by two Belgian scientists, Vincent Rijmen and Jon Daemen. The first round of the selection process was focused on the three main criteria that were evaluated to select a winner of the AES process were security, costs, and its implementation characteristics (should be easily understood and implemented). The Advanced Encryption Standard has no weakness in its security. Its cost with regards to intellectual patent rights is free, and implementation on hardware and software is cheapest among all the finalists. AES is versatile in that it can be implemented on both memory-bound hardware like 8-bit microcontrollers as well as dedicated hardware to provide real-time encryption of streaming data at processing rates reaching gigabits per second. All new processors(major seller being Intel) like the Core series and Xeon series of processors, used in computers ranging from personal tablets to industry grade servers incorporate the AES new instruction set (AES-NI). The key scheduling algorithm used in AES produces agile round keys. In other encryption algorithms, there is a significant overhead in the initial key set up phase. In applications which require extensive key changes (for example in 13

29 Internet Protocol Security (IPsec) every packet has to be encrypted using the same key), AES performed better than its competitors due to its fast key setup. AES is simple to understand, and documentation of its description is relatively small. Five finalists passed through to the next round. The second round for the selection involved sessions on cryptanalysis, and dedicated hardware implementations (FPGA and ASICS) of the finalists. NIST's rationale for the choice of Rijndael as the AES is as follows [12]: Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael s low memory requirements make it very well suited for restricted space environments in which it also demonstrates excellent performance. Rijndael's operations are the easiest to defend against power and timing attacks compared to other block ciphers. Additionally, it appears that some defense can be provided against such attacks without significantly impacting Rijndael's performance. Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism." [12] Rijndael differs from AES in the range of supported block lengths for the given key length. A key for use in enciphering the information using this algorithm is either 128, 192 or 256 bits in length. AES only supports 128 bits input blocks, whereas Rijndael supports 128, 192, and 256 bit input blocks. For the sake of generalization, we use the terms "Rijndael" and "AES" interchangeably. The only reason why AES uses 128 bit input blocks is because the other input block lengths were not evaluated in the AES selection process. 14

30 Before we explain the AES algorithm, it is important to understand the concept of block ciphers. Any input, which needs to be encrypted, is known as plaintext. When the input is in terms of blocks, then the input blocks are called plaintext blocks. The process of transforming these input plaintext blocks using an encryption algorithm is known as Encryption and the resulting output blocks are called ciphertext blocks. When the 128-bit encryption key in AES transforms 128-bit input blocks to ciphertext the resultant operation will consist of total permutations (A bit can be one or zero). The reverse process of transforming the ciphertext into plaintext is called Decryption. All block ciphers are specified by their respective encryption algorithms which is essentially a sequence of permutations and substitutions in case of AES; hence AES cipher is also known as a substitution-permutation network. Each key when encrypting a plaintext block, produces a unique ciphertext block. For a block cipher to be considered legitimate it has to pass the two conditions of efficiency and security. In order to be efficient a block cipher should be able to execute on a variety of hardware and software in its implementation, both the original permutation and its inverse variant. In order to be secure, given that the attacker fully knows the algorithm's underlying system or its components, it must be impossible to attack the algorithm without the knowledge of the encryption key. The inputs and outputs of AES, namely the plaintext and ciphertext blocks, are 128 bits in length, or 16 8-bit-bytes, normally loaded into the enciphering mechanism as 1-D arrays. For the purpose of encryption the inputs are the 16 bytes of plaintext block and a key. In AES, round transformations (permutations and substitutions) operate on a temporary state, usually depicted as 16 bytes arranged in a 2 dimensional rectangular 15

31 matrix. The number of columns of this state matrix is the block length (128) divided by 32, which is 4. So the plaintext matrix can be mathematically shown as [12] ppp... p Nb 128 / 32 4 (2.1) Nb 1 Where pk denotes the th k byte, and p4 1 N b denotes the last (16th ) byte. In the same way the ciphertext matrix can be mathematically shown as [12]: ccc... c N 128/ 32 4 (2.2) Nb 1 Let the state be denoted by, ij b a 0i4,0 j Nb, where ij a refers to the byte in the i th row and the th j column. The input bytes of the plaintext ppp p4n b 1 are mapped to the state matrix (depicted in the Figure 2.1) column wise, i.e. in the order a a a... a. 0,0 1,0 2,0 4, N b 1 The mapping is given by the equation [12]: a, p 4 where0 in ;0 j N (2.3) ij i j b b After the last transformation in the encryption algorithm the ciphertext is derived according to the following equation [12] c a 4, i/ 4, 0 i N (2.4) i i b Before decryption the mapping of ciphertext to the intermediate state matrix is as follows[12]: a, c 4 where 0 in ; 0 j N (2.5) i j i j b b At the end of the decryption process the plaintext is extracted from the intermediate cipher state according to the following equation [12]: p a 4, i/ 4 0 i4 Nb i i b N b (2.6) 16

32 Similarly the AES key is mapped onto a 2-D state matrix with 4 rows and key length divided by 32) columns. If the key is referred by [12]: zzz... z N k 1 k N (the N k (2.7) Then the mapping equation is as follows [12]: k, z 4 where 0i4; 0 j4 Nk i j i j k N k (2.8) Figure 2-1 shows the representations of the intermediate state matrix and the key matrix. The key matrix is then sent to the key-scheduling algorithm which produces 10 additional round keys. The state matrix is sent to the encryption algorithm where 10 round transformations affect the intermediate state, which results in the ciphertext. The resulting ciphertext can be decrypted back to the original plaintext when the same key is used to decrypt the ciphertext. In the following sections, we explain the logic behind the various sub-functions of the AES algorithm. Chapter 2 Figure 2-1: Key State Mappings 17

33 2.1 The AES algorithm Figure 2-2 depicts the top-level view of the AES cipher function. There are three stages in the AES algorithm. The first stage is the key schedule algorithm, which generates the 10 round keys which are to be used in the encryption and decryption operation. The encryption operation produces the ciphertext and the decryption operation produces the original plaintext. Each sub-transformation in every round is called a step. There are 4 such steps in the encryption operation, which are "Add Round Key", "Sub Bytes", "Shift-Rows" and Mix Columns" in that order. These steps are common in every round of the encryption algorithm except for the last round where the Mix-Columns step is omitted. The "Sub-bytes" and "Mix-Columns" steps have their inverse counterparts in the decryption operation and are called "inv-sub-bytes" and "inv-mix-columns" respectively. The decryption operation also features the same sequence of steps as the encryption operation where the last round transformation is missing the inv-mixcolumns step. Before the beginning of the first round, the initial state matrix of the plaintext data is bit-wised XORed with the round key as explained in the Add Round Key Step Encryption The following steps are executed one after the other for 10 rounds to form the encryption process of the AES algorithm Sub-bytes step The Sub-Bytes [12] step differs from the other round transformation functions with respect to an important property called linearity. The other transformations are linear in nature whereas the sub-bytes step is non-linear in nature. The S-Box of the AES 18

34 algorithm, shown in Figure 2-3 is applied to the state of the intermediate matrix and each byte is substituted according to the value present in the state. Figure 2-2: Top level view of the AES algorithm 19

35 The action of the Sub-Byte function on the intermediate state is shown in Figure 2-4. The S-Box of the AES in its original form was designed to be to have the non-linear properties of minimal maximum input-output correlation amplitude and minimal maximum difference propagation probability. The expression used to derive the S-Box relationship was also designed to be algebraically complex. The S-BOX is defined in GF (2 8 ) according to the relation [12]: g: a b a 1 (2.9) In most real-world applications of AES, the S-Box is "hard-coded" into them by the use of look-up-tables (LUTs) and codebooks. The pseudo code described in Figure 2.5 searches for the multiplicative inverses of all the elements in GF ( 2 8 ). If all possible 2 8 values of the bytes in GF ( 2 8 ) is b, then the inverse is found according to the relation [17] in Figure 2-6. bb 1 1 (2.10) Where * is the polynomial multiplication given by poly_mult [17] described Figure 2-3: Substitution box or s-box 20

36 Figure 2-4: Sub-bytes in action Figure 2-5: Pseudo code for finding the inverse from the given s-box 21

37 Figure 2-6: Polynomial multiplication referred by poly_mult [17] Figure 2-7: Pseudo code for creating inverse s-box After finding the inverses of all possible byte combinations in the GF (2 8 ) an affine transformation is applied to the inverses to generate the S-Box table. The affine transformation is given by the following relation [17]: b b (2.11) out in d d d 22

38 31, 257 and 99 are three constants defined in the AES standard. These three constants can be any arbitrary values in the GF (2 8 ). After the S-Box is created the inverse S-Box is found according the loop shown in Figure Shift rows step: After the intermediate state is passed through the Sub-bytes step, it is passed through the shift row [12] step. This step is essentially a shift function that cyclically shifts rows according the row number. Row 1 is not shifted. Row 2 is shifted cyclically to the left once. Row 3 is shifted cyclically to the left twice. Row 3 is cyclically shifted the left thrice. This provides optimal diffusion and maximum resistance against truncated differential attacks. This operation is depicted in Figure 2-8. The inverse operation of shift rows, usually called "inverse-shift-rows", is the exact reverse of the shift rows operation. The first row is not shifted, the second once to the right, the 3 rd row is shifted twice to the right, and the 4 th row is shifted three times to the right. Figure 2-8: Shift rows operation on intermediate state 23

39 Mix-columns step: This transformation was designed to be linear over GF (2 8 ). The transformation is a bricklayer permutation on 4-byte columns with high performance [12]. The coefficients for the MixColumns matrix polynomial, cx () ax ax axax have been determined by the AES authors, as the matrix (shown by C in the equation 2.12). B is the output matrix column and the A is the input matrix column. So BC A or C (2.12) b b b b a a (2.13) a a Figure 2-9 depicts the Mix Column Transformation. The inverse operation can be described by the mathematical equation 4 (03 x 3 x x 02) d ( x ) 01 x Therefore dx ( ) 0B x +0D x +09 x +0E (all the coefficients are in hexadecimal). The matrix notation is as follows: h h h h b b b b 0E 0B 0D 09 a0 09 0E 0B 0D a (2.14) 0D 09 0E 0B a2 0B 0D 09 0E a

40 Figure 2-9: Mix columns transformation Add round key step: The intermediate state which passes as an input to this function is modified by a bit-wise XOR operation by its combining with the round key. The round key is the i th key from the expanded key, derived from the original key. The expanded key is derived from the key expansion algorithm of the AES. The length of the round key is equal to the length of the plaintext block. Figure 2-10 represents this operation. Figure 2-10: Adding round key to intermediate state 25

41 Key schedule: The key expansion [12] (Figure 2-11) is done by the key schedule algorithm with the total number of bits in the expanded key equal to the number of rounds plus 1 multiplied by the block size of the AES algorithm in contention. The AES authors designed the key schedule algorithm to be efficient with minimal working memory and high performance. There is also maximum diffusion in creation of the round keys. After the expanded keys are selected, the round keys are extracted from it and sent to the cipher in operation. The key schedule algorithm also exhibits high non-linearity to aid in prohibiting the attacker from deducing the differences in the original key and the expanded keys. When the key expansion algorithm is applied to the cipher key, this results in the expanded key array denoted by W[4][ N ( N 1)] having 4 rows and N ( N 1) columns. The i th round key is denoted by ExpandedKey[K], which we get b r from the columns N iton( ( i1) 1 of W b b. b r ExpandedKey[i]=W Nb1 W N b i 1... W N b ( i 1) 1 ; 0 inr (2.15) The basic principle of key expansion is an element by element XOR sum of two previous rows, the direct predecessor row and four rows up. The seventh row k71... k 74, shown in Figure 2-12, results from the XORing the sixth row ( k k 64 ) and the third row. Additionally every fourth row is created differently. Before applying the XOR operation, the preceding row is rotated, substituted and XORed with its corresponding round constant rcon [17]. n 26

42 Figure 2-11: Key expansion concept Figure 2-12: Key expansion process 27

43 2.1.2 Decryption The decryption operation follows an exact reverse process of the encryption algorithm. The decryption algorithm differs from the encryption algorithm in the subbytes step, the shift row step and the mix column step. The sub-bytes step uses the inverse form of the S-BOX table. The shift row step as explained before shifts the intermediate state to the right instead of the left. The inverse Mix Columns uses polynomial multiplication of the column arrays and the hexadecimal valued matrix shown by Equation (2.14). 2.2 AES Modes of Operation AES supports five secure modes of operation approved by the Federal Information Processing Standard (FIPS). They are Electronic Code Book Mode (ECB), Cipher Block Chaining Mode (CBC), Cipher Feedback Mode (CFB), Output Feedback Mode (OFB), and Counter Mode (CTR) [7]. The mode of operation is crucial to the successful encryption of data for the purpose of preserving the cipher against attacks. The FIPS 97 [7] recommendation assumes that a symmetric block cipher algorithm is being used to encrypt the data and a confidential random key is unknown to everyone except the transmitter and the receiver. The underlying encryption algorithm and its operating modes are public knowledge and this knowledge should not be a detriment to the security of the data being encrypted. The mode of operation of a block cipher mainly comprises of two processes, encryption and decryption. 28

44 2.2.1 Electronic codebook mode The electronic code book mode is a secure code book mode operation that uses a codebook format with each plaintext block having a corresponding cipher block which is predetermined [18]. Encryption : C AES ( P ) for j 1...n (2.16) j E j Decryption : P AES (C ) for j 1...n (2.17) j D j In AES -ECB encryption, the cipher algorithm is applied separately to each plaintext block generating a ciphertext block that is unique to the plaintext being encrypted. For any given sequence of plaintext blocks ( P j ) the output the sequence of ciphertext blocks ( C ) are constant. In AES -ECB decryption, the inverse cipher j algorithm is applied to the sequence of ciphertext blocks that generate the original sequence of ciphertext blocks. Since all the cipher blocks are independent each other this mode is parallelizable and multiple cores in hardware can be used to compute the cipher blocks and plaintext blocks. The ECB mode is susceptible to the attack known as spoofing where the attacker can attack the ciphertext blocks by replacing them with ciphers which generate plaintext according to the attackers liking as described in Figure This mode is described in Figure

45 Figure 2-13: AES ECB mode Figure 2-14: Spoofing attack 30

46 2.2.2 Cipher block chaining mode The cipher block chaining (CBC) mode [18] is a secure mode of operation of the AES cipher, where the encryption process consists of the chaining of the previous cipher blocks with the current plaintext block being fed into the encryption process. This requires the usage of the Initialization Vector (IV) to combine with the first block of plaintext data. The IV should remain random and must be generated by a pseudorandom generator. Although the IV need not be secure, its integrity must be shielded against attacks. The encryption and decryption functions of AES-CBC can be mathematically described by the following equations [18]: Figure 2-15: AES CBC mode 31

47 CBC Encryption: C AES (P C ) where j 2... n (2.18) j E j j1 C AESE ( P IV ) (2.19) 1 1 CBC Decryption: P AES ( C C ) where j 2... n (2.20) j D 1 1 j j1 P AESD ( C IV ) (2.21) In AES CBC encryption (Figure 2-15), the first cipher block (ciphertext 1) is obtained XORing the plaintext block (plaintext 1) with the IV. Second block on, the rest of the plaintext is XORed with the previous ciphertext block and passed through the AES encryption algorithm and the resulting cipher blocks are transmitted to be decrypted. The AES CBC decryption uses the inverse AES algorithm to decrypt the result obtained by the XOR of the first cipher block with the known pseudorandom IV to produce the first plaintext block (plaintext 1). The decrypted plaintext is then XORed with the next ciphertext block (ciphertext 2) and the result is decrypted by the inverse AES algorithm to produce plaintext 2. This process repeats itself by traversing through all the received ciphertext blocks. Although this mode eliminates the problem of spoofing (shown in Figure 2-14), which is encountered by AES ECB, by maintaining dependence of the subsequent cipher blocks with the previous cipher blocks, we lose the ability to parallelize this function Cipher feedback mode The cipher feedback operating mode (CFB) [18] is the implementation of symmetric block cipher where the output block of the cipher function is XORed with its corresponding plaintext block to produce the ciphertext which is in turn passed to the cipher function as input by the means of a feedback loop. Firstly s bits are selected 32

48 from the output block and 'b-s' bits are discarded. The s bits of output block are XORed with s bits of the input plaintext to produce the first ciphertext block of s bits. Like in the case of CBC, the IV of cipher has to be the output of a pseudorandom number generator. The s bits is the integer parameter (where 1<=s<=b). The usage of s is sometimes included in the implementation of the CFB mode, e.g. 1-bit CFB, 64-bit CFB or 128 -CFB. The CFB mode of operation can be expressed mathematically using the following relations [18]. CFB Encryption: I1 = IV; CFB Decryption: I1 = IV: I LSB ( I C ) for j 2... n (2.22) j bs j1 j1 O AES ( I ) j (2.23) E j Cj Pj MSBs( Oj) (2.24) I LSB ( I C ) for j 2... n (2.25) j bs j1 j1 O AES ( I ) j (2.26) D j Pj Cj MSBs( Oj) (2.27) Figure 2-16 depicts the AES -CFB encryption and decryption operation in detail. During encryption, the first block uses the pseudorandom IV, then the AES -CFB operation is applied to the IV to generate the initial output block. Then the s most significant bits of the output block are XORed with s input bits to produce the first cipher block. s bits of this ciphertext is appended with b-s bits of the IV to from the second input block. This operation is re-iterated for the entire length of the plaintext. During 33

49 decryption, IV is the first input block, and each consecutive block is formed in the same fashion as encryption. The s most significant bits of the output block are XORed with the incoming ciphertext block to generate the original plaintext. Parallelization is possible if the input blocks are first constructed before the start of the encryption process. Figure 2-16: AES CFB Mode 34

50 2.2.4 Output feedback mode The output feedback mode (OFB) [18] is a mode of operation of a symmetric block cipher that consists of encrypting an IV iteratively to generate a series of blocks which are in turn XORed with the plaintext to produce the ciphertext. When the cipher is employed in the backward direction we get the original plaintext. The IV in the case of OFB is a nonce, which is a unique IV for each iteration of the forward cipher and the backward cipher. The OFB encryption and decryption functions can be expressed mathematically by the following expressions [18]. OFB Encryption: I1 IV (2.28) I j (2.29) Oj 1 O j AES( I ) (2.30) j Cj Pj Oj (2.31) C n MSB( O ) (2.32) n OFB Decryption I1 IV (2.33) I j (2.34) Oj 1 O j AES( I ) (2.35) j Pj Cj Oj (2.36) P C MSB( O ) (2.37) n n n 35

51 During encryption, the IV is first passed through the AES cipher algorithm and the resultant output block is XORed with the plaintext block to produce the first ciphertext block. The output block is then fed to the next AES encryption function as its input. This input is then encrypted again using AES algorithm and the output is XORed with the second plaintext block. This process repeats itself over the entire length of the input plaintext. This process in described in Figure Figure 2-17: AES OFB mode 36

52 2.2.5 Counter mode In CTR [18, 19] encryption, an arbitrary block of a length N bits is encrypted with the secure key and then XORed with the input plaintext of length N. After the plaintext block is encrypted, this arbitrary block is incremented by 1. This operation is analogous to that of a packet counter. Each packet is encrypted and an output packet stream is formed. The value of this arbitrary counter is incremented by one for every packet encrypted. Let the sequence of counters bettt T n. No same counter block should be used with the same key otherwise the security of the AES algorithm can be compromised. If the last block of the encryption and decryption consist of u bits then the most significant u bits of the encrypted counter are XORed with the plaintext. The CTR encryption and decryption functions are essentially the same algorithm and an inverse cipher operation need not be employed. CTR mode can be expressed mathematically as follows [18]: CTR encryption: O j AES(T ) (2.38) j Cj Pj Oj (2.39) C P MSB ( O ) (2.40) n n u n CTR decryption: O j AES(T ) (2.41) j Pj Cj Oj (2.42) P C MSB ( O ) (2.43) n n u n The counter mode as recommended by NIST is shown in Figure

53 Figure 2-18: AES CTR mode 38

54 2.3 Benefits of Using Counter Mode Most modern processors from manufacturers like Intel and AMD support features like advanced pipelining, large number of registers and Single Instruction Multiple Devices (SIMD) instructions. Because one counter block is computationally independent from other counter blocks, AES -CTR mode can be made to run exceedingly faster than other secure modes of AES without sacrificing the security requirements of a secure cipher. CTR encryption and decryption are parallelizable. The sequence of counters can be generated during the initialization/ set-up phase (preprocessing efficiency) of the encryption function before the input plaintext is sent for encryption. This sequence of counters can be encrypted/decrypted in-parallel using a multi-core processor and the plaintext can be XORed with this counter stream in the final step. In applications that require encrypting file systems, Counter mode performs superior to other modes due to the fact that the cipher algorithm needs to only access data randomly. The last sector of a hard drive can be encrypted before the first sector without corrupting the data, whereas this type of application is not possible when using block cipher modes like CBC, or CFB. The security of AES is not compromised when implementing the counter mode. The requirement of any secure cipher is that the output should be theoretically random, and the actual implementation should produce pseudorandom permutation of bits. Finally, a word or two has to be mentioned about the simplicity of implementing the counter mode. Because encryption and decryption use the same function, the code takes up less memory and reduces area of hardware implementation. Due to these reasons, AES -CTR can be implemented in embedded applications which are in most cases memory-bound due to the scarcity of device memory. 39

55 The review of counter mode [20] provides a list of disadvantages of using counter mode. Since CTR-mode does not provide any message integrity, some sort of message authentication code needs to be used in conjunction with the implementation. Since this thesis deals with the error performance of Counter mode, we have excluded the use of this procedure in our implementation. Given that adjacent counter values have a very small distance, it was noted by some researchers that the attacker can obtain many plaintext pairs with a known plaintext difference facilitating differential cryptanalysis. This can occur only in cases where the cipher under question is weak. Since AES is a strong cipher and robust against differential cryptanalysis we are assured of the security of AES counter mode. Chapter 3 40

56 Chapter 3 Audio and Image Encryption in MATLAB using AES- CTR This chapter introduces and explains the methods we used to simulate the first part of the results, namely, the encryption results of the AES-CTR mode. We discuss the implementation of the CTR mode in the context of encrypting audio and image data in the MATLAB environment. 3.1 Audio Encryption Figure 3-1 shows the top-level view of the experimental setup. The human subject inputs voice into the computer. The computer s sound card encodes the analog input using Pulse Coded Modulation (PCM) and compresses and stores the audio samples as a WAVE file. We loaded this file into the MATLAB environment and stored it as a MATLAB array variable. We performed the audio encryption by using the AES block cipher operating in stream mode, also known as the counter mode. We obtained three outputs from this experiment. The first output is sampled from the stream of bits, which are packetized, after which these packets are constructed into frames according to the WiMAX channel coding requirements. The second output is the encrypted audio signal. This signal, when 41

57 heard, sounds like a series of beeps and tones. This is due to the change in the amplitude levels and change in bit positions, affected by the ciphers functions. Converting the final binary encrypted audio bits (first output) into quantized audio that is written into another WAVE file, resulting in the reconstructed signal. The third output is sampled directly from the input WAVE file. We compare the encrypted signal with the original audio sample in the results section of this chapter. We describe the implementation of the various sub-modules of encryption and decryption implementation in the following sections. Figure 3-1: Overview of audio experiment 3.2 AES CTR Encryption Process As discussed in the second chapter of this work, the AES cipher has to operate in one of the defined modes according to the specifications of NIST [18] to protect the security of the input data. We apply the Counter Mode of operation to encrypt the audio 42

58 data by the use of a stream transformation function. The AES cipher operating in Counter mode serves both purposes of encryption and decryption. For this reason, we implement the same encryption mechanism for decrypting data at the receiver. The simplified block diagram of the counter mode implementation can be found in Figure 3-2. PCM outputs the quantized audio. We deliver this output the Decimal to Binary Stream transformation function. This function converts the quantized audio into a binary stream. As observed from the diagram in the discussion, there are two inputs to the encryption engine. The first input is the value held in the counter. The second input is the binary stream that needs to be encrypted. The output encrypt_data is the encrypted binary stream. Figure 3-2: Top-level view of counter mode encryption PCM In Figure 3-3, we discuss the PCM implementation using pseudo code. The PCM takes in 8 bits of input and quantizes them into 64 levels ( 2 8 ). We sample the original 43

59 audio at 8000 bits per second, which is the sampling frequency. The next step is to calculate the maximum value of the audio input signal. The quantization step size is two times the maximum value. The step size is divided by the number of levels. We set the sampling frequency according to the Nyquist s criterion and the audio signal as a maximum frequency of 4 KHz. The criterion shows that bit rate is the sampling frequency multiplied by the number of bits. After this step, we quantize the signal and calculate the value of the quantized signal. This step then sends the signal to the Decimal to Binary Stream Transformation function Decimal to Binary stream We show the flowchart for the stream transformation operation in Figure 3-4. The input is the quantized signal, which has integer values. The output is a binary stream. The index variable is used to traverse entire vector of the quantized input, which is transformed, to the binary stream by the MATLAB function dec2bin (). The loop ends when the index has finished traversing the length of the input. Figure 3-3: Pseudo code for PCM 44

60 Figure 3-4: Flowchart of decimal to binary transformation Implementing the encryption engine As discussed in Chapter 2, the counter mode differs from AES block modes in the following. In Figure 3-5, the input key, which is a hexadecimal value, is used to encrypt the value of the counter CTR (hexadecimal), and the AES encrypted counter value is then XORed with the binary stream data_in, the output of the Decimal to Stream Transformation function. The resulting output is the binary stream data_out. At first the counter value, which is in binary, is converted to hexadecimal using the MATLAB function bin2hex(). The hexadecimal values are then packed into a 4 by 4 matrix. This is the input state matrix described in the previous chapter. All submodule operations operate on this state. The key is then loaded into the MATLAB environment and also initialized into a 4 by 4 state matrix. This variable is sent to the Key Expansion module [12]. Each cell in these matrices holds a hex value and is 16 bits long. The key expansion module produces 10 other keys deriving from the initial key, so the 45

61 total key length is 176 bits. The first round key is added to the input state. The modified state is now called data_temp. We supply this data_temp to the confusion and diffusion phase of the AES process. This confusion and diffusion blocks comprise of SUB_SBOX, Shift_Row, Mix_Column and Round_Key modules. The SUB_SBOX substitutes bytes in the intermediate state, data_temp. The Shift_Row module shifts the rows according to a set pattern and the Mix_Column function shuffles the columns of the temporary state data_temp. This process is repeated 9 times with the other 9 round keys as supplied by the Key Expansion phase. The final round is devoid of the Mix_Column function and the output data_outp (key stream) is XORed with data_in (input data stream). The resultant output is the data_out variable, which is the encrypted data stream. Figure 3-5: Counter mode implementation 46

62 Substitution of bytes (SUB_SBOX) The SUB_SBOX module is shown in Figure 3-6, and the corresponding pseudo code is shown in Figure 3-7. The first step is to initialize the output data_out. The data_in and data_out are two variables, which we used in this function, to aid in modifying the value of the data_temp variable. We traverse row-wise and then columnwise using index variables x and y. The data_out at an index is the value as specified by the S-BOX (Buchholz, 2001) [17], shown in Table 3-1, at the same index. So the value in the state matrix becomes the index of the S_BOX from which the particular value is extracted and substituted in place of the old value. This is done for all cells in the 4 by 4 state matrix data_temp. The substitution process is shown in Figure 3-8. The initial state, the intermediate state after substituting with the corresponding hex value from the S-BOX, and the final state of this transformation can be observed. Figure 3-6: SUB_SBOX module Figure 3-7: Pseudo code 47

63 Shift rows The shift rows step of the intermediate state data_temp is shown in Figure 3-10, and its corresponding pseudo code shown in Figure 3-9, show cyclic shift row operations, which were performed, on the temporary data variable, data_temp. The first row remains unaltered; the second row is cyclically shifted one to the left, the third two times and the fourth thrice. Table 3-1: Substitution box or SBOX with hexadecimal values 48

64 Figure 3-8: Substitution process Figure 3-9: Pseudo code for shift rows 49

65 Figure 3-10: Shift rows operation Mix columns In Figure 3-11, we show the pseudo code for the Mix Columns step. After initializing row and column indexes, we initialized the modulation polynomial (decimal value 283 according the AES standard). We used the mod_pol function[17] to multiply the input state data_temp with the polynomial matrix. This operation is performed across all cells in this bit-wise multiplication. Figure 3-11: Pseudo code for mix columns 50

66 Add round key The Add Round Key step is a relatively simple operation. It XORs the temporary state matrix with the round key which is derived from the Key Expansion module Key expansion The key expansion module provides the AES encryption process with the 10 round keys. For 128-AES, which we implemented in this work, the 128 bit initial key is expanded to form 10 round keys each of 128 bits in length. Consequently, the total key bits in question are 1408 bits or 176 bytes. In Figure 3-12 the variable data_in is the input key state matrix, S_BOX is the substitution box shown in Table 3-1, and rcon [17] is the round constant matrix. The bytes in the key state matrix are then rotated and shifted as described in the Chapter 2. The resultant keys that are formed and appended to the original key to form the 176 bytes. In this implementation, we pre-computed the key expansion by hard coding the algorithm for this module. Figure 3-12: Pre-computed key expansion 51

67 3.2.4 Decryption The decryption process is as same as encryption due to the nature of the counter mode operation. The decrypted binary stream is the XOR of encrypted stream and encrypted counter value to produce the final output. We tested this encryption algorithm with the test vectors as specified by NIST [21]. 3.3 Voice Encryption Results For the purpose of simulating encryption, we took two input sources, an input audio signal and input image. The input audio signal sounds This is a test signal. We made the following considerations in the process of these simulations: For the purpose of depicting the results, the input data which is quite lengthy, in the order of a few thousand samples (at a sampling rate of 8000 samples per second), we took a small clipping of the audio input in the sample range of samples. It is not feasible, nor practical, to plot the results for the entire audio clip. We chose the sample range arbitrarily and any sample range chosen would produce the desired results. The AES encryption engine performs the encryption and decryption by operating in CTR mode as described in sections and We assumed perfect synchronization of the counter s initial vector between the simulation s transmitter and receiver. For the purpose of speeding up the simulation times, we hard-coded the AES S- Boxes and implemented them as Look up Tables (LUT). Figure 3-13 shows the difference between waveforms of the audio input and the AES encrypted audio output. We extracted this plot from the output of the encryption engine. It is simple to observe that the encrypted output waveform looks remarkably 52

68 different from the original audio samples, and it is impossible to deduce the original. It is also intriguing to compare the number of samples as a function of amplitude in Figure In the input clip, we can see that there is a higher concentration of samples at lower amplitudes. This is obvious because of the many low amplitude values that occur in human speech. The highest amplitude is at 0.6. Alternatively, the encrypted samples scatter somewhat equally between the maximum and minimum values, according the confusion and diffusion properties of the AES algorithm. 53

69 Figure 3-13: Amplitude vs. Time waveforms of input audio vs. Encrypted audio 54

70 Figure 3-14: Comparison of the number of samples as a function of amplitude Figure 3-15: Binary values of input data vs. Bit position 55

71 Figure 3-16: Binary values of encrypted data vs. Bit position Figure 3-17: Comparison of input (green) and encrypted audio (red) binary values vs. Bit position 56

72 The attacker cannot retrieve the input signal based on the information contained in the encrypted output. In Figure 3-15 and Figure 3-16 we observed the input and output bit streams of the AES-CTR engine. The encrypted binary stream has many more 1 s compared to the input stream. It is impossible to pinpoint the bit values based on the time position of samples. We interlaced both Figures to get Figure There is no resemblance between the input and output binary streams and the attacker cannot reconstruct the audio sample from the encrypted binary stream. 3.4 Image Encryption and Results We used an input image, that of a young lion resting on a tree, shown in Figure Since the image is a color image, it slowed down simulation time by 300%. Since MATLAB is not designed to handle real-time simulation scenarios, we first converted this color image into gray scale before the encryption process. This can be done with the help of a simple in-built command rgb2gray (). Figure 3-18: Original color image 57

73 In Figure 3-19, we explain the experimental setup for image encryption and decryption. The imread () MATLAB function reads the image and stores it as an array. This array is that of the color image. We convert the color image into grayscale, to reduce processing time and system complexity. The output array vector is then initialized in the program. The grayscale integer vector represents the pixel values at the individual pixel positions. The gray scale image is 128x128, which are pixel values in length with integer values. We then send this to the decimal-to-binary transform function. Counter mode performs audio decryption the same way as encryption. After encryption, we convert the binary encrypted stream to decimal and plot the bar graphs. The encryptor again decrypts the binary encrypted stream, converts to decimal and we retrieve the original image. Figure 3-19: Image encryption process 58

74 Figure 3-20: Input image vs. Encrypted image vs. Decrypted image Figure 3-21: Comparison of pixel intensity vs. Pixel position of input and encrypted images 59