Cloud Security & Cryptography Fundamentals

Welcome to the foundational study guide for Cloud Security Encryption. This documentation explores how data is protected in the cloud, covering everything from the fundamental secret key encryption model and classical ciphers to the modern mechanics of the Simplified Advanced Encryption Standard (S-AES).

1. Cloud Encryption Basics

When securing data in environments like AWS, encryption generally falls into two categories:

Server-Side Encryption: The cloud provider encrypts your data upon upload and stores it. When you download the data, the cloud decrypts it and sends it back to you.
Client-Side Encryption: You encrypt the data locally before uploading it to the cloud. Upon downloading, you perform the decryption locally. This ensures the cloud provider never sees the plaintext data.

Both methods typically rely on the Advanced Encryption Standard (AES).

2. The Secret Key Encryption Model

All secret key encryption systems (including classical ciphers and AES) rely on a shared secret key between the sender and receiver.

The Cryptosystem 5-Tuple

A formal cryptosystem is defined mathematically as a five-tuple: (P, C, K, E, D).

Component	Description
P	A finite set of all possible Plaintexts (the original message).
C	A finite set of all possible Ciphertexts (the scrambled message).
K	The Keyspace, a finite set of all possible keys.
E	The Encryption rule ($e_K: P \rightarrow C$).
D	The Decryption rule ($d_K: C \rightarrow P$).

💡 Core Rule of Cryptography: For every plaintext $x$ in $P$, applying the encryption rule followed by the decryption rule must yield the original plaintext: $d_K(e_K(x)) = x$.

3. Classical Cryptography

Modern algorithms like AES are built on two classical principles: Substitution and Permutation (Transposition).

3.1 Substitution Ciphers

Substitution ciphers replace plaintext letters with other letters, numbers, or symbols. To optimize this for computation, we map the English alphabet to integers $Z_{26} = {0, 1, 2, ..., 25}$ (where A=0, B=1, ... Z=25).

The Shift Cipher

The shift cipher offsets the plaintext integer by a key $k$.

Encryption: $c = (p + k) \pmod{26}$
Decryption: $p = (c - k) \pmod{26}$
Note: The famous Caesar Cipher is simply a shift cipher where $k=3$.

⚠️ Security Flaw: The shift cipher has a keyspace of only 25 possible keys. It is highly insecure because an attacker can easily use a brute-force attack to try all 25 keys until a meaningful message appears.

The Affine Cipher

To increase the keyspace, the Affine cipher uses two key parameters, $K_1$ and $K_2$.

Encryption: $c = (K_1 \times p + K_2) \pmod{26}$
Decryption: $p = K_1^{-1} \times (c - K_2) \pmod{26}$

Breaking the Affine Cipher: If an attacker knows just two pairs of corresponding plaintext and ciphertext letters, they can set up a system of linear equations modulo 26 to solve for $K_1$ and $K_2$ without brute-forcing the entire keyspace.

3.2 Transposition Ciphers (Permutation)

Transposition ciphers do not change the letters; they scramble the order of the letters.

Keyword Columnar Transposition

Plaintext is written horizontally into columns, and the ciphertext is read vertically. The order of the columns is dictated by the alphabetical order of a keyword (which must not contain repeating letters).

Keyword:     S  T  O  C  K
Order:       4  5  3  1  2
--------------------------
Plaintext:   T  H  E  M  E
             E  T  I  N  G
             H  A  S  B  E

Ciphertext output order: Column 4 (C=1), then Column 5 (K=2), then Column 3 (O=3), etc..

4. Simplified Advanced Encryption Standard (S-AES)

The Data Encryption Standard (DES) was developed in the 1970s, but its 56-bit key size eventually became too small and vulnerable to cracking. AES replaced it.

Simplified AES (S-AES) is an educational model designed to teach the mechanics of the full AES.

Block Size: 16 bits.
Key Size: 16 bits.
Structure: 2 Rounds of transformations.

The S-AES Architecture

The 16-bit plaintext is arranged into a $2 \times 2$ State Matrix of 4-bit blocks (called nibbles).

[ Nibble 0 (bits 0-3) ]  [ Nibble 2 (bits 8-11)  ]
[ Nibble 1 (bits 4-7) ]  [ Nibble 3 (bits 12-15) ]

The Four Core Transformations

Each round in S-AES uses a combination of substitution and permutation transformations.

Add Round Key: A Bitwise XOR operation between the 16-bit state matrix and the 16-bit round sub-key.
Substitute Nibbles (SubNib): Each 4-bit nibble is passed through an S-Box (Substitution Box) lookup table to generate a new 4-bit nibble. Unlike DES (whose S-boxes were secret IBM designs), AES S-boxes are mathematically derived using Galois Field arithmetic.
Shift Rows: A permutation operation. The first row of the state matrix remains unchanged. The two nibbles in the second row swap positions.
Mix Columns: A specialized matrix multiplication where the state matrix is multiplied by a constant matrix over Galois Field $GF(16)$. (Note: This step is skipped in the final round).

Key Expansion Schedule

S-AES requires three 16-bit sub-keys (Key 0, Key 1, Key 2) to perform the Add Round Key operations. These are generated from the original 16-bit key via a key expansion schedule.

Split the original 16-bit key into two 8-bit words: $w_0$ and $w_1$.
Pass $w_1$ through a function $g()$, which involves:
- RotWord: Swapping the two 4-bit nibbles.
- SubWord: Passing both nibbles through the S-Box.
- Rcon: XORing the result with a round constant (e.g., $10000000_2$ for round 1, $00110000_2$ for round 2).
Calculate $w_2 = w_0 \oplus g(w_1)$.
Calculate $w_3 = w_2 \oplus w_1$.
$w_2$ and $w_3$ combine to form Key 1. The process repeats to find $w_4$ and $w_5$ for Key 2.

5. Mathematical Foundations: Galois Field GF(16)

The advanced mathematics of AES (Mix Columns and S-Boxes) operate within a Galois Field, specifically $GF(16)$ or $GF(2^4)$.

💡 Historical Fact: Galois Fields are named after Évariste Galois, a genius French mathematician who laid the foundations for group theory as a teenager before dying in a duel at age 20.

Elements: The field consists of 16 elements (integers 0 through 15), represented as 4-bit binary numbers.
Polynomial Representation: Elements are treated as polynomials. For example, $15 = 1111_2 = x^3 + x^2 + x + 1$.
Addition / Subtraction: Handled via a simple bitwise XOR operation. In this field, addition and subtraction are exactly the same thing ($a \oplus a = 0$, so $a = -a$).
Multiplication: Polynomial multiplication modulo an irreducible polynomial (specifically $x^4 + x + 1$, which is $10011_2$ in binary). If the multiplication results in a degree of 4 or higher (5 bits or more), long division via XOR is used to find the remainder.

🔗 Connections Between Topics

Classical Cryptography supports AES Structure: The core operations of AES are direct descendants of classical ciphers. The Substitute Nibbles step is a highly advanced mathematical version of the classical Substitution Cipher (like Caesar/Affine). The Shift Rows step is a modern application of the classical Transposition (Permutation) Cipher.
Galois Field Arithmetic works together with AES Operations: Regular computer math causes binary bits to overflow beyond their boundaries. The $GF(16)$ mathematical system (where addition is XOR and multiplication uses modulo polynomials) is explicitly used so that the Mix Columns matrix multiplication and the S-Box generation always produce exact 4-bit bounds without data loss.
Cloud Infrastructure works together with AES: When you utilize AWS Server-side or Client-side encryption to protect your cloud assets, the underlying engine rapidly executing these Add, Shift, Sub, and Mix transformations is AES.

📝 Quick Revision Section

Server vs Client Side: Server-side = Cloud encrypts. Client-side = User encrypts before uploading.
5-Tuple of Cryptosystems: $(P, C, K, E, D)$ — Plaintext, Ciphertext, Keyspace, Encryption, Decryption.
Shift Cipher Formula: $C = (P + K) \pmod{26}$.
Affine Cipher Formula: $C = (K_1 \times P + K_2) \pmod{26}$.
Transposition: Alters the order of characters, not their identity.
S-AES Specs: 16-bit plaintext, 16-bit key, 2 encryption rounds.
S-AES Transformations: Add Round Key (XOR), Substitute Nibbles (S-Box), Shift Rows (Swap), Mix Columns (GF Matrix Math).
GF(16) Addition: Always performed using a bitwise XOR.
GF(16) Multiplication: Polynomial multiplication modulo $x^4+x+1$ ($10011_2$).

🎓 Possible Exam Questions

Short Answer

Define the 5 variables in the cryptosystem tuple $(P, C, K, E, D)$.
What is the mathematical equation for encryption and decryption in a Shift Cipher?
In Galois Field $GF(16)$, what standard bitwise logical operation is used to perform both addition and subtraction?
How many bits is the block size and key size in Simplified AES (S-AES)?

Conceptual Questions

Why was the Data Encryption Standard (DES) phased out and replaced by the Advanced Encryption Standard (AES)? Explain in terms of key size and computation.
Why is the Shift Cipher considered highly insecure? Describe how an attacker would break it without knowing the key.
Explain the difference between a Substitution Cipher and a Transposition Cipher. Which S-AES transformation corresponds to which classical principle?
In the S-AES Key Expansion schedule, describe the three operations that make up the $g()$ function applied to word $w_1$.

Scenario Questions

Shift Cipher: Given the plaintext letter "y" (integer 24) and a key $k = 5$, calculate the encrypted ciphertext integer using the Shift Cipher formula. Show your modulo 26 arithmetic.
Affine Cipher Break: You intercept an Affine ciphertext and know that the plaintext "P" (15) maps to ciphertext "R" (17), and plaintext "G" (6) maps to ciphertext "Y" (24). Set up the two linear equations modulo 26 you would use to solve for the keys $K_1$ and $K_2$.
S-AES Add Round Key: Your S-AES 16-bit plaintext is 1101 0111 0010 1000 and your Round 1 Key is 0100 1010 1111 0101. Perform the Add Round Key operation and provide the resulting 16-bit output.

summary

Audio Summary

Video Lecture