# Block Cipher

Unlike Stream Ciphers that encrypt one bit at a time, Block Ciphers encrypt a **block of text**. For example, AES encrypts 128 bit blocks. 

Since a block cipher is suitable only for the encryption of a single block under a fixed key, a multitude of **modes of operation** have been designed to allow their repeated use in a secure way.

Moreover, block ciphers may also feature as **building blocks** in other cryptographic protocols, such as universal hash functions and pseudo-random number generators.

Most block cipher algorithms are obtained by iterating an invertible transformation. Each iteration is called **round** and the repeated transformation is known as **round function**.
Usually, the round function takes different **round keys**, which are derived by expanding the original key.




### Advanced Encryption Standard (AES)

AES is a specification for the symmetric-key encryption established by the [NIST](https://www.nist.gov/) in 2001 and then adopted by the U.S. government.
The standard comprises three block ciphers from a larger collection originally published as **Rijndael**. Each of these ciphers has a 128-bit block size, with key sizes of 128, 192 and 256 bits.

Rijndael is designed to resist against all known attacks and to be fast and compact when implemented in most platforms. It is composed of a **key expansion** block and a **data path** that can be viewed as an iterated block cipher, where each iteration is called **round**. The number of rounds depends on the block (for AES fixed to 128bit) and key length.

| key length | #rounds $N_r$ |
|:----------:|:-------------:|
|        128 |            10 |
|        192 |            12 |
|        256 |            14 |


[1] *FIPS PUB 197, Advanced Encryption Standard (AES), National Institute of Standards and Technology, U.S. Department of Commerce, November 2001.*

[2] *Joan Daemen and Vincent Rijmen, The Design of Rijndael, AES - The Advanced Encryption Standard, Springer-Verlag 2002 (238 pp.)*



### Python Packages for Cryptography


Here a short list of the most used libraries for Cryptography:
- [**Pycryptodome**](https://github.com/Legrandin/pycryptodome): self contained Python package of low level cryptographic primitives. It is a fork of [PyCrypto](https://github.com/dlitz/pycrypto) that has been enhanced to add more implementations and fixes to the original library.
- [**PyNaCl**](https://github.com/pyca/pynacl): Python binding to [libsodium](https://github.com/jedisct1/libsodium) , which is a fork of the [Networking and Cryptography library](https://nacl.cr.yp.to/). These libraries have a stated goal of improving usability, security and speed.
- [**Cryptography**](https://github.com/pyca/cryptography): cryptography is a package which provides cryptographic recipes and primitives to Python developers. It includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions.

#### Pycryptodome

PyCryptodome is a self contained Python package of low level cryptographic primitives. It is organized in sub packages dedicated to solving a specific class of problems:

- `Crypto.Cipher`: Modules for protecting confidentiality that is, for encrypting and decrypting data (example: AES).
- `Crypto.Signature`: Modules for assuring authenticity , that is, for creating and verifying digital signatures of messages ( example: PKCS#1)
- `Crypto.Hash`: Modules for creating cryptographic digests (example: SHA 256).
- `Crypto.PublicKey`: Modules for generating, exporting or importing public keys (example: RSA or ECC).

##### `Crypto.Cipher` subpackage

The base API of a cipher is fairly simple:
- You instantiate a cipher object by calling the `new()` function from the relevant cipher module. The first parameter is always the cryptographic key . You can (and sometimes must) pass additional cipher or mode specific parameters such as a nonce or a mode of operation.
- For encrypting data, you call the `encrypt()` method of the cipher object with the plaintext. The method returns the piece of ciphertext. For most algorithms, you may call `encrypt()` multiple times (i.e. once for each piece of plaintext).
- For decrypting data, you call the `decrypt()` method of the cipher object with the ciphertext. The method returns the piece of plaintext.


In [None]:
from Cryptodome.Cipher import AES

# Example of AES in Electronic Codebook
key = b'0123456701234567'        # 128bit key
aes = AES.new(key, AES.MODE_ECB) # AES instance

# in ECB plaintext must have length equal to block-size (128bit)
plaintextA = b'this is a secret' 
ciphertext = aes.encrypt(plaintextA) # encryption
plaintextB = aes.decrypt(ciphertext) # decryption

print(plaintextA) # b'this is a secret'
print(ciphertext) # b'\x8dk\x84\xcey*h\xach\x9b\xd0[\xb6pR\x95'
print(plaintextB) # b'this is a secret'

## Task 1: Estimation of $\pi$ with MonteCarlo Simulations

> Get familiarity with MonteCarlo Simulations by estimating the value of $\pi$

### MonteCarlo Simulations (MCS)

A Monte Carlo simulation is a statistical technique that allows for the modelling of complex situations where many random variables are involved. It uses the process of repeated random sampling to model stochastic systems and determine the odds for a variety of outcomes.

The idea comes from the Law of Large Numbers that states: 
> *the average of the results obtained from a large number of trials should be close to the expected value and will tend to become closer to the expected value as more trials are performed.*

Roughly speaking, If you do not know some parameters of your sistem, you can make several trials and then take the average.

### Estimating $\pi$ with MCS

A classical example is the estimation of $\pi$.
We know that $\pi r^2$ corresponds to the area of a circle with radius $r$, so we can estimate the value of $\pi$ as four times the ratio between the area of a square and the inscribed circle.

$$ 4 \frac{A_{\circ}}{A_{\Box}} = 4 \frac{\pi r^2}{(2r)^2} = 4 \frac{\pi}{4} = \pi $$

The ratio between the two areas can be estimate by drawing $N$ coordinates $(x,y)$ as instances of uniform random variables $x,y \in U(0,1)$ and count how many fall into the circle with respect to the total.

In [None]:
import matplotlib.pyplot as plt
import numpy as np
from scipy import random

In [None]:
random.seed(2) # set a seed for repeatablity

N = 10000 # number of MonteCarlo trials

# generate N pairs of random coordinates uniformely 
# distributed in the square [0,1]x[0,1]
x, y = random.rand(2, N)

# compute the distance from the origin for each pair of coordinates
r = np.sqrt(x**2 + y**2)

# count how many points lay inside the unit circle
inside = sum(r <= 1)

# estimate pi
pi = 4*inside/N

print('estimate value of $\pi$ after {} trials: {}'.format(N, pi))

In [None]:
# create a figure
fig, ax = plt.subplots(figsize=(8,4))

# scatter plot of the generated coordinates with different colors for
# the points that lay inside and outside the unit circle
ax.scatter(x, y, s=16, c=(r > 1), alpha=0.8, cmap='Paired')

# plot of the unit circle circonference
theta = np.linspace(0, np.pi/2, 100)
ax.plot(np.cos(theta), np.sin(theta), '--k')

# make the plot prettier
ax.set(xlabel='$x$', ylabel='$y$', aspect='equal', xlim=(0, 1), ylim=(0, 1))
ax.text(0.05, 0.1, 'N = {}, $ \hat{{\pi}} $ = {}'.format(N, pi))
# plt.savefig('pi_N={}.png'.format(N)) # save figure as .png

plot the same figure for three different values of N.

In [None]:
Ns = 100, 1000, 10000

# create a figure with subplots
fig, axs = plt.subplots(1, len(Ns), figsize=(4*len(Ns),4))

# x and y coordinates of the unit circle circonference
theta = np.linspace(0, np.pi/2, 100)
circx, circy = np.cos(theta), np.sin(theta)

# a scatter plot for each value of Ns
for ax, n in zip(axs, Ns):
    ax.scatter(x[:n], y[:n], s=16, c=(r[:n] > 1), alpha=0.8, cmap='Paired')
    ax.plot(circx, circy, '--k')
    ax.set(xlabel='$x$', ylabel='$y$', aspect='equal', xlim=(0, 1), ylim=(0, 1))
    pin = 4*sum(r[:n] <= 1)/n
    ax.text(0.05, 0.1, 'N = {}, $ \hat{{\pi}} $ = {}'.format(n, pin))

fig.tight_layout() # automatically adjust spaces between axes and borders

### MCS convergence

As first attempt, we can observe how estimation error depends on the number of trials $N$. We can define the estimation error as the absolute value of the difference between the estimate and the actual value of $\pi$
$$ \text{error} = |\hat{\pi} - \pi| $$

In [None]:
# estimate $\pi$ for each new trial
def estimate_pi(x, y):
    ''' return an estimate of the value of \pi (float) from a set of 
    coordinates x and y (1D-numpy.ndarray) '''
    # check x and y arrays have the same length
    assert len(x) == len(y)
    N = len(x)
    # compute distance from the origin for each point and estimate pi
    r = np.sqrt(x**2 + y**2)
    pi = 4*sum(r <= 1)/N
    return pi

pi = np.array([estimate_pi(x[:1+i], y[:1+i]) for i in range(N)])

In [None]:
err = abs(pi - np.pi)

In [None]:
fig, (ax1, ax2) = plt.subplots(2, 1, figsize=(8,5), sharex=True)

n = 1+np.arange(N)

ax1.axhline(np.pi, ls='--', c='k', label='$\pi$')
ax1.plot(n, pi, label='$\hat{\pi}$')
ax1.set(ylabel='$\hat{\pi}$')

ax2.plot(n, err, label='$|\hat{\pi} - \pi|$')
ax2.plot(n, 1/np.sqrt(n), label='$1/\sqrt{N}$')
ax2.set(yscale='log')
ax2.set(xlabel='N', ylabel='$|\hat{\pi} - \pi|$')

for ax in (ax1, ax2):
    ax.set(xscale='log')
    ax.legend()
    ax.grid(True)
fig.tight_layout(h_pad=0)

From the plots above, it is evident that, as expected, the more trials are computed the more accurate is the estimate. We can also notice that the convergence goes as $1/\sqrt{N}$. Thus, there is a law that rules the trade-off between accuracy and number of trials.

However, MonteCarlo simulations are not used to estimate quantities that are already well known. As a consequence, one needs criteria to set the number of trials that are independent from the actual values of the parameters one wants to estimate.

Let's have a look on the estimate changes everytime a new trial is performed.

In [None]:
# compute the difference between the current estimate and the previous one
dpi = np.diff(pi)
dpi

In [None]:
# savgol_pars = {'window_length': 101, 'polyorder': 1}
# dpi_filt = signal.savgol_filter(abs(dpi), **savgol_pars)

fig, ax = plt.subplots(figsize=(8,4))
ax.plot(n, err, label='$|\hat{\pi} - \pi|$')
ax.plot(n, 1/np.sqrt(n), label='$1/\sqrt{N}$')
ax.plot(n[1:], abs(dpi), label='$|\Delta \hat{\pi}|$')
ax.plot(n, 1/n, label='$1/N$')
# ax.plot(n[1:], dpi_filt, label='$|\Delta \hat{\pi}}|$ filtered')

ax.set(
    title='variation of estimate',
    xlabel='N', ylabel='$|\Delta \hat{\pi}|$',
    xscale='log', yscale='log')
ax.legend()
ax.grid(True)

fig.tight_layout()

It is evident that while the estimate coverges to the actual value as $1/\sqrt{N}$, the variation of the estimete goes as $1/N$. This relationship allows us to make an idea of the estimation error (that we cannot know) by observing how the estimate varys by increasing $N$.

## Task 2: Diffusion and Confusion in AES

> Apply MonteCarlo Simulations to AES with the aim of observing the effect of diffusion and confusion.

### Diffusion

- **Diffusion**: *if we change a single bit of the plaintext, then (statistically) half of the bits in the ciphertext should change.*

We want to test qualitatively if AES provides diffusion. 
To do so, we can randomly draw a plaintext and a key, change a bit in the plaintext and then observe how this change affects the ciphertext.

We can define $\text{d}(y,y')$ the distance between $y$ and $y'$ as the number of bit $y'$ differs from $y$. This distance is the quantity we want to estimate by means of Monte Carlo simulation and more than its average we are interested in its **distribution**.

We do not expect to find that $\text{d}(y,y')$ is always $n/2$ (where $n$ is the number of bits in the ciphertext) but we expect to find a distribution that is concentrated around $n/2$.

#### single MonteCarlo Trial

Firstly, we set up the code for a single simulation and we leave for a second moment the repeatition the trial for many times.

In [None]:
# here we define two function that will be helpful for the execution of the MCS

def flip_bit(text, ibit):
    ''' return `text` (bytes) with the bit at position `ibit` (int) flipped '''
    # copy text in a bytesarray to allow changes
    flipped_text = bytearray(text) 
    # flip the bit by xoring it with a 1
    flipped_text[ibit//8] ^= 1 << (ibit%8) 
    # turn text back into bytes
    return bytes(flipped_text)

def text_distance(textA, textB):
    ''' return the distance between `textA` (bytes) and `textB` (bytes) 
    defined as the number of bits they differ from each other '''
    
    # by xoring textA and textB, I get a bytes string where bits equal to 0
    # correspond to bits that have the same value in textA and textB, while
    # bits equal to 1 correspond to bits that are different.
    
    # xor textA and textB one byte at a time
    AxorB = bytes(a ^ b for (a, b) in zip(textA, textB))
    # counting 1s in AxorB
    distance = sum([bin(byte).count('1') for byte in AxorB])
    
    return distance

In [None]:
# set a key and initiate AES cipher
key = b'0123456789ABCDEF'
aes = AES.new(key, AES.MODE_ECB)

# set a plaintext and flip one of its bit
x = b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
x1 = flip_bit(x, 10)
plain_dist = text_distance(x, x1)

print('original plaintext:', x)
print(' flipped plaintext:', x1)
print('distance between plaintexts:', plain_dist)

# encrypt both plaintexts and measure their distance
y = aes.encrypt(x)
y1 = aes.encrypt(x1)
cipher_dist = text_distance(y, y1)
print('original ciphertext:', y)
print(' flipped ciphertext:', y1)
print('distance between ciphertexts:', cipher_dist)

#### MonteCarlo simulation (fixed key length)

Once the code for a single trial is ready, we can repeat it for $N$ times.
Here we consider the case for a single key length.

In [None]:
def mcs_diffusion(key_length):
    ''' perform a single trial of a MonteCarlo simulation that measure the 
    distance between two ciphertexts obtained by encrypting two plaintexts 
    that differ by only one bit by means of AES with a fixed key. 
    The key has length `key_length` bytes (int, (16, 24, 32)) '''
    
    # check key_length is allowed
    assert key_length in AES.key_size
    
    # randomly generate a key and initiate AES cipher
    key = bytes(random.randint(256, size=(key_length,), dtype='uint8'))
    aes = AES.new(key, AES.MODE_ECB)
    
    # randomly generate a plaintext and flip a bit in a random position
    x = bytes(random.randint(256, size=(AES.block_size,), dtype='uint8'))
    x1 = flip_bit(x, random.randint(8*AES.block_size))
    
    # encrypt both plaintexts and measure their distance
    y = aes.encrypt(x)
    y1 = aes.encrypt(x1)
    distance = text_distance(y, y1)
    
    return distance

In [None]:
N = 10000 # number of MonteCarlo trials
key_length = 16 # key length in bytes (16, 24, 32)

results = np.zeros((N,), dtype=int)
for i in range(N):
    results[i] = mcs_diffusion(key_length)
    
print('average: {}'.format(np.mean(results)))
print('min, max: {}, {}'.format(min(results), max(results)))

In [None]:
fig, ax = plt.subplots(figsize=(8,4))
ax.hist(results, bins=np.arange(1+8*AES.block_size), density=True)[0]
ax.set(xticks=8*np.arange(AES.block_size+1, step=2))
ax.set(title='distance distribution', xlabel='distance', ylabel='prob.density')
ax.grid(True)
fig.tight_layout()

As we expected, we find that $\text{d}(y,y')$ has a distribution concentrated in $N/2=64$.

#### Convergence

We can characterize our distribution by considering its mean and standard deviation (stdev). So we will consider these two quantities to observe the convergence.

In [None]:
mean = np.array([np.mean(results[:1+i]) for i in range(N)])
stdev = np.array([np.std(results[:1+i]) for i in range(N)])

In [None]:
fig, (ax1, ax2) = plt.subplots(2, 1, figsize=(6,4), sharex=True)
ax1.plot(1+np.arange(N), mean)
ax2.plot(1+np.arange(N), stdev)

ax1.set(title="mean and stdev of d($y$, $y$')", ylabel='mean')
ax2.set(xlabel='N', ylabel='stdev')
for ax in (ax1, ax2):
    ax.set(xscale='log')
    ax.grid(True)
fig.tight_layout(h_pad=0)

As we expected the mean approaches to $N/2$ as the number of trials increases. On the contrary, we did not have any idea about the stdev and now it is evident that its estimate tend to a value slightly below 6.

So, let's observe their variation over $N$.

In [None]:
from scipy import signal

In [None]:
dmean = np.diff(mean)
dstdev = np.diff(stdev)

In [None]:
savgol_pars = {'window_length': 101, 'polyorder': 1}

fig, (ax1, ax2) = plt.subplots(2, 1, figsize=(6,4), sharex=True)
ax1.plot(2+np.arange(N-1), abs(dmean))
ax1.plot(2+np.arange(N-1), signal.savgol_filter(abs(dmean), **savgol_pars))
ax2.plot(2+np.arange(N-1), abs(dstdev))
ax2.plot(2+np.arange(N-1), signal.savgol_filter(abs(dstdev), **savgol_pars))

ax1.set(title="variation of mean and stdev of d($y$, $y$')", ylabel='mean')
ax2.set(xlabel='N', ylabel='stdev')
for ax in (ax1, ax2):
    ax.set(xscale='log', yscale='log')
    ax.grid(True)
fig.tight_layout(h_pad=0)

#### MonteCarlo simulation

Now we extend the analysis by considering all three values of key length allowed by the AES block cipher.

In [None]:
N = 10000 # number of MonteCarlo trials

In [None]:
# building a dict where key lengths are the keys and the correspondant
# results are the values.
results = dict(
    (key_length, np.array([mcs_diffusion(key_length) for _ in range(N)]))
    for key_length in AES.key_size
)

display(results)

# print summary table
print('| key length | average | min | max |')
print('|------------|---------|-----|-----|')
for key_length, dist in results.items():
    print('| {:10d} | {:7.3f} | {:3d} | {:3d} |'.format(
        key_length, np.mean(dist), min(dist), max(dist)))
    
    

In [None]:
fig, axs = plt.subplots(1, len(results), figsize=(4*len(results),4), sharey=True)
for ax, (key_length, dist) in zip(axs, results.items()):
    ax.hist(dist, bins=np.arange(1+8*AES.block_size), density=True)[0]
    ax.set(xticks=8*np.arange(AES.block_size+1, step=4))
    ax.set(title='{}bit key'.format(8*key_length), xlabel='distance', )
    ax.grid(True)

axs[0].set(ylabel='prob.density')
fig.tight_layout(w_pad=0)

### Confusion

- **Confusion**: *the relationship between the key and the ciphertext must be very complicated and impossible (hard) to invert.*

At bit level, it means that each bit of the ciphertext depends on several parts of the key. As a result, if a single bit is changed in the key, many bits in the ciphertext change.

Again, we want to assess qualitatively confusion of AES qualitatively.

In [None]:
def mcs_confusion(key_length):
    ''' perform a single trial of a MonteCarlo simulation that measure the 
    distance between two ciphertexts obtained by encrypting with AES the same 
    plaintext with two keys that differ by only one bit. 
    The key has length `key_length` bytes (int, (16, 24, 32)) '''
    
    # check key_length is allowed
    assert key_length in AES.key_size
    
    # randomly generate a plaintext
    x = bytes(random.randint(256, size=(AES.block_size,), dtype='uint8'))
    
    # randomly generate a key and initiate AES cipher
    key = bytes(random.randint(256, size=(key_length,), dtype='uint8'))
    aes = AES.new(key, AES.MODE_ECB)
    # generate a second key by flipping one bit of the previous key
    # and initiate a new AES cipher
    key1 = flip_bit(text, random.randint(8*key_length))
    aes1 = AES.new(key, AES.MODE_ECB)
    
    # encrypt both plaintexts and measure their distance
    y = aes.encrypt(x)
    y1 = aes1.encrypt(x1)
    distance = text_distance(y, y1)
    
    return distance

In [None]:
N = 10000 # number of MonteCarlo trials

In [None]:
results = dict(
    (key_length, np.array([mcs_diffusion(key_length) for _ in range(N)]))
    for key_length in AES.key_size
)

display(results)

# print summary table
print('| key length | average | min | max |')
print('|------------|---------|-----|-----|')
for key_length, dist in results.items():
    print('| {:10d} | {:7.3f} | {:3d} | {:3d} |'.format(
        key_length, np.mean(dist), min(dist), max(dist)))

In [None]:
fig, axs = plt.subplots(1, len(results), figsize=(4*len(results),4), sharey=True)
for ax, (key_length, dist) in zip(axs, results.items()):
    ax.hist(dist, bins=np.arange(1+8*AES.block_size), density=True)[0]
    ax.set(xticks=8*np.arange(AES.block_size+1, step=4))
    ax.set(title='{}bit key'.format(8*key_length), xlabel='distance', )
    ax.grid(True)

axs[0].set(ylabel='prob.density')
fig.tight_layout(w_pad=0)