L1.1. An Introduction to Classical Cryptosystems
description
Transcript of L1.1. An Introduction to Classical Cryptosystems
L1.1. An Introduction to Classical Cryptosystems
Rocky K. C. Chang, February 2013
2
This and the next set of slides
Secret keyfunctions
Public keyfunctions
Hashfunctions
Secrecyservice
Authenticationservice
Messageintegrity service
Nonrepudiationservice
3
Outline
Components of a cryptosystem Some modular arithmetic Some classical ciphers
Shift Cipher Substitution Cipher Affine Cipher Vigenère Cipher Permutation Cipher Stream Ciphers
Attack models and cryptanalysis
4
Elements of a secret-key cryptosystem
5
The Cryptosystem
Alice Encryptor decryptor Bob
Eve
Key source
m m c
K Secure channel
6
A cryptosystem consists of M: a finite set of possible plaintexts C: a finite set of possible ciphertexts K: the key space, a finite set of possible keys E: A set of encryption rules D: A set of decryption rules For each K K, there is an EK() E and a DK()
D, such that DK(EK(m)) = m for every m M.
7
Requirements for a practical cryptosystem
Note that EK() must be a 1-to-1 function. If M = C, then EK() is a permutation.
Practically, EK() and DK() should be efficiently computable. An attacker, upon seeing a ciphertext, should be
unable to determine the key or the plaintext. The attack models Cryptanalysis: attempt to compute K given some
ciphertexts.
8
Several classical ciphers
9
First, “recall” some modular arithmetic Suppose a and b are integers, and n is a
positive integer (modulus). a mod n = the remainder of a/n {0, 1, …, n –
1}. Congruence
a b (mod n) iff a mod n = b mod n, i.e., same remainders.
“a is congruent to b modulo n.” E.g.,
101 mod 7 = 714 + 3 = 3 -101 mod 7 = 7(-15) + 4 = 4
10
The Shift Cipher Let M = C = K = {0, 1, 2, …, 25} For 0 ≤ K ≤ 25, define
EK(m) = (m + K) mod 26 DK(c) = (c – K) mod 26
For example, K = 11 m: 22 4 22 8 11 11 12 4 4 19 c: 7 15 7 19 22 22 23 15 15 4
For K = 3, the Shift Cipher is often called the Caesar Cipher.
Show that DK(EK(m)) = m for every mM.
11
The Substitution Cipher Let M = C = {0, 1, 2, …, 25} K = {All possible permutations of the 26
numbers} For each permutation K K, define
EK(m) = K(m) = c DK(c) = K-1(c), the inverse permutation
For example, one possible K is a b c d e f g h i j k l m n o p q r s … X N Y A H P O G Z Q W B T S F L R C V … EK(a) = X and DK(X) = a
Is this cipher more secure?
12
Affine Cipher Let M = C = {0, 1, 2, …, 25} K = (a, b), where a, b {0, 1, 2, …, 25}. Encryption and decryption functions;
EK(m) = (am + b) mod 26 DK(c) = a-1(c - b) mod 26
EK(m) is not an one-to-one function for all a. When a = 1, Affine Cipher is the same as a Shift
Cipher. Affine Cipher is still a special case of the
Substitution Cipher.
13
The Vigenère (vee zhun AIR) Cipher Monoalphabetic (e.g., Shift and Substitution) vs
polyalphabetic (e.g., Vigenère) M = C = K = (Z26)n, where n is a positive integer.
For a key K (keyword) = (k1, k2, …, kn), define EK(m1, m2, …, mn) = (m1+k1, m2+k2, …, mn+kn)
DK(c1, c2, …, cn) = (c1 – k1, c2 – k2, …, cn – kn), where the additions and subtractions are done in mod 26.
For example, n= 6 and K = (2, 8, 15, 7, 4, 17), m: 19 7 8 18 2 17 24 15 19 14 18 24 K: 2 8 15 7 4 17 2 8 15 7 4 17 c: 21 15 23 25 6 8 0 23 8 21 22 15 …
14
The Permutation (or Transposition) Cipher
All the ciphers so far involve substitution: a plaintext symbol replaced by a different symbol.
A permutation cipher keeps the plaintext symbols unchanged but to alter their positions.
M = C = (Z26)n
K = {All permutations of 1, 2, …, n}. For a key K (a given permutation), define
EK(m1, m2, …, mn) = (mK(1), mK(2), …, mK(n)) DK(c1, c2, …, cn) = (cK
-1(1), cK
-1(2), …, cK
-1(n)).
15
The Permutation Cipher (cont’d) For example, n = 6
i: 1 2 3 4 5 6 K(i): 3 6 1 5 2 4 m : s h e s e l l s s e a s c : e e s l s h s a l s e s
16
The Stream Cipher The cryptosystems considered so far are known as
block ciphers. The plaintexts are encrypted using the same key.
An alternative is to generate a key stream y1y2y3, …. c = Ey1
(m1)Ey2(m2)Ey3
(m3) ….
M, C, and K are the same as before. g, the keystream generator, takes a key K to
generate y1y2y3, …, where yiL. For each y in the keystream, there is an
encryption rule Ey() and a corresponding decryption rule Dy(), such that Dy(Ey(m)) = m for every m M.
17
The Vigenère Cipher and the Stream Cipher Define Vigenère Cipher as a Stream Cipher:
M = C = L = Z26 (note the difference here) K = (Z26)n
For each y L, Ey(m) = (m + y) mod 26
Dy(m) = (c y) mod 26
The keystream: yi= ki if 1 ≤ i ≤ n; yi = ki-n, else.
18
Block cipher vs stream cipher Stream ciphers are typically faster than block. Block ciphers typically require more memory
as their operations are based on blocks. Stream ciphers are more difficult to
implement correctly. Block ciphers are more susceptible to noise in
transmission. Stream ciphers do not provide integrity
protection or authentication, whereas some block ciphers could provide them.
19
Attack models What kind of information available to the
attacker? Kerckhoff’s principle: a cryptosystem should be
secure even if everything about the system, except the key, is public knowledge. The attack’s objective is to determine the key in use.
Different attack models: Ciphertext-only attack: Eve possesses ciphertexts. Known-plaintext attack: Eve possesses plaintexts and the
corresponding ciphertexts. Chosen-plaintext attack: Eve can temporarily choose a
plaintext and construct the corresponding ciphertext. Chosen-ciphertext attack: Eve can temporarily choose a
ciphertext and construct the corresponding plaintext.
20
Cryptanalysis The Shift, Substitution, and Vigenère Ciphers are
vulnerable to ciphertext-only attacks. The Permutation and Stream Ciphers are
vulnerable to known-plaintext attacks. Most of the cryptanalysis are based on statistical
properties of the English language. E has the highest occurrence rate (0.12) T, A, O, I, N, S, H, R (0.06-0.09) … V, K, J, X, Q, Z (< 0.01) Popular digrams: TH, HE, IN, ER, … Popular trigrams: THE, ING, AND, HER, …
21
Cryptanalysis of the Vigenère Cipher The first step is to determine n, the keyword
length using Kasiski test. The method is based on
2 identical segments of plaintext will be encrypted to the same ciphertext if they are d positions apart, where d 0 (mod n).
If 2 identical segments of ciphertext found and each length ≥ 3, it is “likely” that they correspond to identical segments of plaintext.
The test: Search the ciphertext for pairs of identical segments of
length ≥ 3. If exists, record the distance between them, say d1, d2, …. n must divide the greatest common divisor of d1, d2, ….
22
Conclusions Classical ciphers can be classified as
Substitution vs permutation Monoalphabetic vs polyalphabetic Stream ciphers (e.g., JK Flip-Flop, A5, SEAL, RC4)
vs block ciphers (e.g., DES, IDEA, AES, RC2) Various stream ciphers:
http://en.wikipedia.org/wiki/Stream_cipher#Usage
Ciphers’ security The size of the key space Vulnerability under cryptanalysis
23
Acknowledgments This set of slides is prepared mainly based on
D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.
Some of the book’s materials can be found at http://www.maths.uwa.edu.au/~praeger/teaching/3CC/WWW/chapter2.html
The slide on block cipher vs stream cipher is based on http://security.stackexchange.com/questions/334/advantages-and-disadvantages-of-stream-versus-block-ciphers
Cryptool portal: http://www.cryptool.org/en/