Part 9, Basic Cryptography


Transcript of Part 9, Basic Cryptography

Page 1: Part 9, Basic Cryptography

Part 9, Basic Cryptography


Page 2: Part 9, Basic Cryptography

Introduction

A cryptosystem is a tuple (M, K, C, E, D), where

M is the set of plaintexts,
K the set of keys,
C the set of ciphertexts,
E: M × K → C is an enciphering function, and
D: C × K → M is a deciphering function.

Page 3: Part 9, Basic Cryptography

The Caesar cipher

M = C is the set of sequences of Roman letters.

K: the set of integers 0, 1, …, 25.

E: the enciphering functions E_k, k ∈ K: E_k(m) = m + k (mod 26).

D: the deciphering functions D_k, k ∈ K: D_k(c) = c − k (mod 26).

Page 4: Part 9, Basic Cryptography

Example

If the key is k = 3, then: “HELLO” → “KHOOR”

Since each letter is moved three places along the alphabet:

H → I → J → K
E → F → G → H
L → M → N → O
O → P → Q → R
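The Caesar cipher of the last three slides as runnable code. This is an added example, not code from the slides: it identifies the Roman letters with Z_26, implements E_k and D_k as stated, and reproduces the letter-by-letter path drawn on the example slide. Characters outside the alphabet are passed through unchanged (an assumption of this example; the slides only define M over sequences of Roman letters).

```python
# Added example (not from the slides): the Caesar cipher as the enciphering and
# deciphering functions E_k(m) = m + k (mod 26) and D_k(c) = c - k (mod 26).
# Letters are identified with Z_26 (A = 0, ..., Z = 25); characters outside the
# Roman alphabet are not part of M and are passed through unchanged (assumption).
import string

ALPHABET = string.ascii_uppercase


def shift_text(text: str, k: int) -> str:
    """Apply x -> x + k (mod 26) to every Roman letter of text."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(m: str, k: int) -> str:
    """E_k(m): shift every letter forward by k places."""
    return shift_text(m, k)


def caesar_decrypt(c: str, k: int) -> str:
    """D_k(c): shift every letter back by k places, undoing E_k."""
    return shift_text(c, -k)


def shift_path(letter: str, k: int) -> list:
    """The per-letter path the slide draws, e.g. H -> I -> J -> K for k = 3."""
    i = ALPHABET.index(letter.upper())
    return [ALPHABET[(i + j) % 26] for j in range(k + 1)]


if __name__ == "__main__":
    c = caesar_encrypt("HELLO", 3)
    print(c, caesar_decrypt(c, 3))          # KHOOR HELLO
    for letter in "HELO":
        print(" -> ".join(shift_path(letter, 3)))
```

Because K has only 26 elements, every key can be tried by hand; the cryptanalysis slides below return to this point.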

Page 5: Part 9, Basic Cryptography

Cryptanalysis

The goal of the cryptographer is to protect the privacy of ciphertexts. The goal of the cryptanalyst (attacker) is to disambiguate a ciphertext.

Attacks on cryptosystems:

• Ciphertext only attacks: the adversary has access only to ciphertexts. The adversary must find the plaintext that corresponds to a ciphertext.

• Known plaintext attacks: the adversary has access to some matched plaintext/ciphertext pairs, as well as ciphertexts. The adversary must find the plaintext of some new ciphertext.

• Chosen plaintext attacks: the adversary may ask that specific plaintexts be enciphered, as well as having access to ciphertexts. The adversary must find the plaintext that corresponds to a new ciphertext.

Page 6: Part 9, Basic Cryptography

Kerckhoffs’ assumption

The adversary knows all details of the encrypting function except the secret key.

Page 7: Part 9, Basic Cryptography

The transposition cipher

A transposition cipher rearranges the characters in the plaintext; the key is a permutation π on the character positions. The letters themselves are not changed. So

-- E(x) = π(x)
-- D(y) = π⁻¹(y)

Example: rail-fence cipher

Let the plaintext be “HELLO WORLD”. Write it in two rows as

HLOOL
ELWRD

The ciphertext is “HLOOLELWRD”.
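The rail-fence example as a permutation π of positions, so that E(x) = π(x) and D(y) = π⁻¹(y) are literally what the code does. This is an added example, not the slides' code; the two-row case is the slide's, and the extension to more rails (the usual zig-zag reading order) is an assumption of this example.

```python
# Added example (not from the slides): a transposition cipher as a permutation pi
# of character positions, E(x) = pi(x) and D(y) = pi^{-1}(y). The two-row
# rail-fence cipher of the slide is one particular pi; the generalisation to more
# rails (zig-zag reading order) is an assumption of this example.

def rail_fence_permutation(n: int, rails: int = 2) -> list:
    """pi as a reading order: ciphertext position j takes plaintext position pi[j].

    Plaintext positions are dealt onto rails 0, 1, ..., rails-1, rails-2, ..., 1,
    0, 1, ... and the ciphertext is read rail by rail. With rails = 2 this is
    "even positions first, then odd positions", exactly the slide's two rows.
    """
    if rails < 2:
        raise ValueError("need at least two rails")
    period = 2 * (rails - 1)
    rail_of = [min(i % period, period - i % period) for i in range(n)]
    return [i for r in range(rails) for i in range(n) if rail_of[i] == r]


def transposition_encrypt(x: str, pi: list) -> str:
    """E(x) = pi(x): reorder the characters, changing none of them."""
    if len(pi) != len(x):
        raise ValueError("permutation length must match the text length")
    return "".join(x[i] for i in pi)


def transposition_decrypt(y: str, pi: list) -> str:
    """D(y) = pi^{-1}(y): put every character back where it came from."""
    if len(pi) != len(y):
        raise ValueError("permutation length must match the text length")
    x = [""] * len(y)
    for j, i in enumerate(pi):
        x[i] = y[j]
    return "".join(x)


def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    """The slide's cipher: drop spaces, write in rows, read row by row."""
    x = plaintext.replace(" ", "")
    return transposition_encrypt(x, rail_fence_permutation(len(x), rails))


def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    return transposition_decrypt(ciphertext, rail_fence_permutation(len(ciphertext), rails))


def same_letters(x: str, y: str) -> bool:
    """A transposition never changes which letters occur, only their order."""
    return sorted(x.replace(" ", "")) == sorted(y)


if __name__ == "__main__":
    y = rail_fence_encrypt("HELLO WORLD")
    print(y, rail_fence_decrypt(y))     # HLOOLELWRD HELLOWORLD
```

The `same_letters` check is the property the anagramming slide exploits: the ciphertext is a multiset-preserving rearrangement, so its letter frequencies equal those of the plaintext.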

Page 8: Part 9, Basic Cryptography

Anagramming

Attacking a transposition cipher requires a rearrangement of the letters of the ciphertext. Anagramming uses tables of n-gram frequencies to identify common n-grams. For example, for the ciphertext “HLOOLELWRD” the digram “HE” occurs with frequency 0.0305 in English (see textbook). Of the other possible digrams beginning with “H”, “HO” is the next highest. This suggests that “E” follows “H” in the plaintext. And so on.

Page 9: Part 9, Basic Cryptography

The substitution cipher

A substitution cipher changes the characters in the plaintext to produce the ciphertext. Caesar’s cipher is an example. Again the key for this cipher can be found by using frequency analysis.
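How frequency analysis recovers the key of a shift cipher, as an added example that is not part of the slides. Each of the 26 candidate keys is scored by a chi-squared distance between the letter distribution of the trial decryption and the (approximate, well-known) English letter frequencies; the best score is the key. The sample plaintext is a public-domain sentence used here only as constructed input.

```python
# Added example (not from the slides): recovering the key of a shift (Caesar)
# cipher by frequency analysis. Every candidate key is tried and the trial
# decryption is scored against English letter frequencies with a chi-squared
# statistic; the frequencies are the usual approximate percentages.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies (%) of letters in English text.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}

# Constructed sample input (public-domain text) for the demonstration.
SAMPLE_PLAINTEXT = (
    "IT IS A TRUTH UNIVERSALLY ACKNOWLEDGED THAT A SINGLE MAN IN POSSESSION "
    "OF A GOOD FORTUNE MUST BE IN WANT OF A WIFE HOWEVER LITTLE KNOWN THE "
    "FEELINGS OR VIEWS OF SUCH A MAN MAY BE ON HIS FIRST ENTERING A NEIGHBOURHOOD"
)


def shift_text(text: str, k: int) -> str:
    """E_k / D_k of the Caesar cipher: shift each letter by k places mod 26."""
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26] if c in ALPHABET else c
                   for c in text.upper())


def letter_counts(text: str) -> Counter:
    return Counter(c for c in text.upper() if c in ALPHABET)


def chi_squared_distance(text: str) -> float:
    """Sum over letters of (observed - expected)^2 / expected; lower = more English-like."""
    counts = letter_counts(text)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no letters to analyse")
    return sum((counts[l] - n * p / 100) ** 2 / (n * p / 100)
               for l, p in ENGLISH_FREQ.items())


def rank_shift_keys(ciphertext: str) -> list:
    """All 26 keys, best first, each paired with its chi-squared score."""
    scored = [(chi_squared_distance(shift_text(ciphertext, -k)), k) for k in range(26)]
    return [(k, score) for score, k in sorted(scored)]


def recover_shift_key(ciphertext: str) -> int:
    """The key whose trial decryption looks most like English."""
    return rank_shift_keys(ciphertext)[0][0]


if __name__ == "__main__":
    c = shift_text(SAMPLE_PLAINTEXT, 7)
    k = recover_shift_key(c)
    print(k, shift_text(c, -k)[:40])
```

The same statistic, applied to each of the m interleaved letter streams, is what makes the Vigenère cipher on the later slides fall to a ciphertext-only attack once the key length is known.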

Page 10: Part 9, Basic Cryptography

Difference between transposition and substitution ciphers

Given the plaintext: wedo noth avea quiz today
and the ciphertext: yadot ziuq aeva hton odew

What is the cipher used?

1. A transposition cipher
2. A substitution cipher

Why?

Page 11: Part 9, Basic Cryptography

Block ciphers

The transposition and substitution ciphers are block ciphers: successive plaintext elements (blocks) are encrypted using the same key. We now consider some other block ciphers.

The affine cipher is a special case of the substitution cipher with

-- E_k(x) = ax + b mod 26
-- D_k(y) = a⁻¹y − a⁻¹b mod 26

where a, b, x, y ∈ Z_26 and a is invertible in Z_26.
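The affine cipher as code, with the invertibility condition on a enforced rather than assumed. This is an added example, not the slides' code; the key (a, b) = (5, 8) is a constructed value.

```python
# Added example (not from the slides): the affine cipher E_k(x) = a x + b mod 26,
# D_k(y) = a^{-1} y - a^{-1} b mod 26. A key is only valid when gcd(a, 26) = 1,
# i.e. when a has an inverse in Z_26; the functions below reject any other a.
from math import gcd
import string

ALPHABET = string.ascii_uppercase
MOD = 26


def affine_inverse(a: int) -> int:
    """a^{-1} in Z_26; ValueError if gcd(a, 26) != 1 (then no inverse exists)."""
    if gcd(a, MOD) != 1:
        raise ValueError(f"a = {a} is not invertible modulo {MOD}")
    return pow(a, -1, MOD)


def affine_encrypt(m: str, a: int, b: int) -> str:
    affine_inverse(a)  # validate the key before touching any text
    return "".join(ALPHABET[(a * ALPHABET.index(c) + b) % MOD] if c in ALPHABET else c
                   for c in m.upper())


def affine_decrypt(c: str, a: int, b: int) -> str:
    a_inv = affine_inverse(a)
    return "".join(ALPHABET[(a_inv * ALPHABET.index(ch) - a_inv * b) % MOD] if ch in ALPHABET else ch
                   for ch in c.upper())


def invertible_multipliers() -> list:
    """The 12 values of a with gcd(a, 26) = 1, so the key space has 12 * 26 = 312 keys."""
    return [a for a in range(MOD) if gcd(a, MOD) == 1]


if __name__ == "__main__":
    y = affine_encrypt("HELLO", 5, 8)
    print(y, affine_decrypt(y, 5, 8))          # RCLLA HELLO
    print(len(invertible_multipliers()) * MOD)  # 312
```

With a = 1 the affine cipher is exactly the Caesar cipher, and the key space of 312 keys is still small enough that the statistical attack of the cryptanalysis slides applies unchanged.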

Page 12: Part 9, Basic Cryptography

Block ciphers

The Vigenère cipher is polyalphabetic. Let m > 1 and M = C = K = (Z_26)^m = Z_26 × Z_26 × … × Z_26.

For a key k = (k_1, …, k_m):

-- e_k(x_1, …, x_m) = (x_1 + k_1, …, x_m + k_m)
-- d_k(y_1, …, y_m) = (y_1 − k_1, …, y_m − k_m)

where all operations are in Z_26.

Page 13: Part 9, Basic Cryptography

Block ciphers

The Hill cipher is also polyalphabetic. Let m > 1, M = C = (Z_26)^m, and let K be the set of all m × m invertible matrices over Z_26.

For a key K ∈ K:

-- e_K(x) = xK
-- d_K(y) = yK⁻¹

with all operations in Z_26.
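The Hill cipher for m = 2, as an added example that is not from the slides. The key inverse is computed with the 2×2 adjugate formula and the determinant inverted in Z_26, which is where the "invertible matrix" condition bites: a key whose determinant shares a factor with 26 is rejected. The key matrix is a constructed example.

```python
# Added example (not from the slides): the Hill cipher with m = 2 over Z_26,
# e_K(x) = xK and d_K(y) = yK^{-1}, x and y being row vectors. K^{-1} exists in
# Z_26 exactly when gcd(det K, 26) = 1.
import string

ALPHABET = string.ascii_uppercase
MOD = 26


def det2(K: list) -> int:
    return (K[0][0] * K[1][1] - K[0][1] * K[1][0]) % MOD


def inverse_matrix2(K: list) -> list:
    """K^{-1} in Z_26 via the adjugate; ValueError if det(K) is not invertible."""
    d = det2(K)
    try:
        d_inv = pow(d, -1, MOD)
    except ValueError:
        raise ValueError(f"det = {d} has no inverse mod {MOD}; key rejected") from None
    return [[(K[1][1] * d_inv) % MOD, (-K[0][1] * d_inv) % MOD],
            [(-K[1][0] * d_inv) % MOD, (K[0][0] * d_inv) % MOD]]


def vec_mat(x: list, K: list) -> list:
    """Row vector x times matrix K, reduced mod 26."""
    return [(x[0] * K[0][0] + x[1] * K[1][0]) % MOD,
            (x[0] * K[0][1] + x[1] * K[1][1]) % MOD]


def _pairs(text: str) -> list:
    nums = [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]
    if len(nums) % 2:
        nums.append(ALPHABET.index("X"))   # pad to a whole block (assumption)
    return [nums[i:i + 2] for i in range(0, len(nums), 2)]


def hill_encrypt(plaintext: str, K: list) -> str:
    inverse_matrix2(K)  # refuse a key that could never be decrypted
    return "".join(ALPHABET[v] for p in _pairs(plaintext) for v in vec_mat(p, K))


def hill_decrypt(ciphertext: str, K: list) -> str:
    K_inv = inverse_matrix2(K)
    return "".join(ALPHABET[v] for p in _pairs(ciphertext) for v in vec_mat(p, K_inv))


if __name__ == "__main__":
    K = [[11, 8], [3, 7]]          # constructed key; det = 53 = 1 mod 26
    y = hill_encrypt("JULY", K)
    print(y, hill_decrypt(y, K))   # DELW JULY
```

Because e_K is linear, m known plaintext/ciphertext blocks that form an invertible matrix determine K directly; that is why the cryptanalysis slides list a known plaintext attack for the Hill cipher.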

Page 14: Part 9, Basic Cryptography

Stream Ciphers

The ciphers considered so far are block ciphers. Another type of cryptosystem is the stream cipher.


Page 15: Part 9, Basic Cryptography

Stream ciphers

• A synchronous stream cipher is a tuple (M, C, K, L, E, D) with a function g such that:

• M, C, K, E, D are as before. L is the keystream alphabet. g is the keystream generator: it takes as input a key K and outputs an infinite string z_1, z_2, … called the keystream, where the z_i are in L.

• For each z ∈ L there is an encryption rule e_z ∈ E and a decryption rule d_z ∈ D such that d_z(e_z(x)) = x for all plaintexts x ∈ M.

Page 16: Part 9, Basic Cryptography

Stream ciphers

The Linear Feedback Shift Register, or LFSR. The keystream is computed as follows. Let

• (c_0, c_1, …, c_{m−1}) be system parameters, and
• (k_1, k_2, …, k_m) be the initialized key vector at time t.

At the next time unit the key vector is updated as follows:

-- k_1 is output as the next keystream bit
-- k_2, …, k_m are each shifted one place to the left
-- the “new” value of k_m is computed by

k_{m+1} = Σ_{j=0}^{m−1} c_j k_{j+1} (mod 2)

Page 17: Part 9, Basic Cryptography

Stream ciphers

Let x_1, x_2, … be the plaintext (a binary string).

Then the ciphertext is y_1, y_2, …

where y_i = x_i + k_i for i = 1, 2, … and the sum is bitwise XOR.
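The LFSR keystream generator and the XOR stream cipher of the last two slides, as an added example that is not from the slides. The taps (c_0, …, c_3) = (1, 1, 0, 0) and the initial state (1, 0, 0, 0) are constructed values; with them the recurrence is k_{m+1} = k_1 + k_2 mod 2 and the state cycles through all 2^4 − 1 nonzero vectors before repeating.

```python
# Added example (not from the slides): an LFSR keystream generator following the
# slide's update rule, and the stream cipher y_i = x_i XOR k_i. Taps and initial
# state in the demo are constructed values.

def lfsr_keystream(c, k, length: int) -> list:
    """`length` keystream bits from taps c = (c_0..c_{m-1}) and state k = (k_1..k_m)."""
    m = len(c)
    if len(k) != m or any(b not in (0, 1) for b in list(c) + list(k)):
        raise ValueError("taps and state must be bit vectors of the same length m")
    state = list(k)
    out = []
    for _ in range(length):
        out.append(state[0])                                # k_1 is output
        new = sum(c[j] * state[j] for j in range(m)) % 2    # k_{m+1} = sum c_j k_{j+1}
        state = state[1:] + [new]                           # shift left, append new bit
    return out


def lfsr_period(c, k) -> int:
    """Steps until the state vector repeats (at most 2^m - 1 for a nonzero state)."""
    m = len(c)
    start = list(k)
    state = start
    for steps in range(1, 2 ** m + 1):
        new = sum(c[j] * state[j] for j in range(m)) % 2
        state = state[1:] + [new]
        if state == start:
            return steps
    raise RuntimeError("unreachable: the state space is finite")


def stream_crypt(bits: list, c, k) -> list:
    """Encrypt or decrypt (same operation): y_i = x_i XOR k_i."""
    return [x ^ z for x, z in zip(bits, lfsr_keystream(c, k, len(bits)))]


if __name__ == "__main__":
    C, K = (1, 1, 0, 0), (1, 0, 0, 0)       # constructed parameters
    print(lfsr_keystream(C, K, 15), lfsr_period(C, K))
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
    y = stream_crypt(x, C, K)
    print(y, stream_crypt(y, C, K) == x)
```

The keystream is a linear function of the m initial bits, which is why the cryptanalysis slide further on lists the LFSR cipher under known plaintext attacks: linearity is what a known-plaintext adversary can exploit.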

Page 18: Part 9, Basic Cryptography

Cryptanalysis: attacks on cryptosystems

• Ciphertext only attack: the adversary has access to a string of ciphertexts y_1, y_2, …

• Known plaintext attack: the adversary has access to a string of plaintexts x_1, x_2, … and the corresponding string of ciphertexts y_1, y_2, …

Page 19: Part 9, Basic Cryptography

Attacks on cryptosystems

• Chosen plaintext attack: the adversary can choose a string of plaintexts x_1, x_2, … and obtain the corresponding string of ciphertexts y_1, y_2, …

• Chosen ciphertext attack: the adversary can choose a string of ciphertexts y_1, y_2, … and construct the corresponding string of plaintexts x_1, x_2, …

Page 20: Part 9, Basic Cryptography

Attacks on cryptosystems

In all these attacks the adversary is given a new ciphertext and must find the corresponding plaintext.

Page 21: Part 9, Basic Cryptography

Cryptanalysis

• Cryptanalysis of the transposition cipher and substitution cipher: ciphertext attack -- use statistical properties of the language.

• Cryptanalysis of the affine and Vigenère ciphers: ciphertext attack -- use statistical properties of the language.

Page 22: Part 9, Basic Cryptography

Cryptanalysis

• Cryptanalysis of the Hill cipher: known plaintext attack.

• Cryptanalysis of the LFSR stream cipher: known plaintext attack.

Page 23: Part 9, Basic Cryptography

One-time pad

This is a variant of the Vigenère cipher. The key string is chosen as a random bit string and is at least as long as the bit string message (plaintext).

This cipher has perfect secrecy (defined later). Very costly: the key is as long as the plaintext.

Page 24: Part 9, Basic Cryptography

One-time pad

Suppose the key is the bit string k = (k_1, …, k_m) and the plaintext is the bit string (x_1, …, x_m). Then

-- e_k(x_1, …, x_m) = (x_1 XOR k_1, …, x_m XOR k_m)
-- d_k(y_1, …, y_m) = (y_1 XOR k_1, …, y_m XOR k_m)

Note that ((x XOR k_i) XOR k_i) = x for all bits x, k_i.
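The Vigenère cipher of the block-cipher slides and the one-time pad of the last two slides, side by side, as an added example that is not the slides' code. The Vigenère part works in (Z_26)^m with the key repeated across blocks; the one-time pad part is the bit-string variant with a key drawn from the operating system's random source, exactly as long as the message, and the XOR identity of the slide is what makes decryption the same function as encryption. The key word "CIPHER" and the sample messages are constructed values.

```python
# Added example (not from the slides): the Vigenere cipher over (Z_26)^m and the
# one-time pad as its bit-string variant. Vigenere reuses the m-letter key across
# the message; the one-time pad uses a random key at least as long as the message.
import secrets
import string

ALPHABET = string.ascii_uppercase


def to_z26(text: str) -> list:
    return [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]


def from_z26(nums) -> str:
    return "".join(ALPHABET[n % 26] for n in nums)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """e_k(x_1..x_m) = (x_1 + k_1, ..., x_m + k_m) in Z_26, key repeated as needed."""
    k = to_z26(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return from_z26((x + k[i % len(k)]) % 26 for i, x in enumerate(to_z26(plaintext)))


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """d_k(y_1..y_m) = (y_1 - k_1, ..., y_m - k_m) in Z_26."""
    k = to_z26(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return from_z26((y - k[i % len(k)]) % 26 for i, y in enumerate(to_z26(ciphertext)))


def otp_keygen(nbytes: int) -> bytes:
    """A random key as long as the message (the 'one-time' part: never reuse it)."""
    return secrets.token_bytes(nbytes)


def otp_crypt(data: bytes, key: bytes) -> bytes:
    """e_k and d_k coincide: (x XOR k) XOR k = x bit by bit."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(b ^ k for b, k in zip(data, key))


if __name__ == "__main__":
    y = vigenere_encrypt("thiscryptosystemisnotsecure", "CIPHER")
    print(y, vigenere_decrypt(y, "CIPHER"))
    m = b"constructed plaintext"
    k = otp_keygen(len(m))
    print(otp_crypt(otp_crypt(m, k), k) == m)
```

A one-letter Vigenère key is the Caesar cipher, and an m-letter key is m interleaved Caesar ciphers; the one-time pad escapes frequency analysis only because its key is random and never repeats.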

Page 25: Part 9, Basic Cryptography

Security

• Computational security: computationally hard to break, i.e. breaking requires super-polynomial computation (in the length of the ciphertext).

• Provable security: security is reduced to a well-studied problem thought to be hard, e.g. factorization.

• Unconditional security: no bound on computation; cannot be broken even with infinite power/space. The only way to break it is by “lucky” guessing.

Page 26: Part 9, Basic Cryptography

Some probability theory

• The random variables X, Y are independent if

Pr[X=x, Y=y] = Pr[X=x] · Pr[Y=y], for all x, y in X.

In general,

Pr[X=x, Y=y] = Pr[X=x | Y=y] · Pr[Y=y]
             = Pr[Y=y | X=x] · Pr[X=x], for all x, y in X.

Page 27: Part 9, Basic Cryptography

Some probability theory

• Bayes’ Law:

Pr[x|y] = Pr[y|x] · Pr[x] / Pr[y],   for all x, y in X.

• Corollary: X, Y are independent random variables (r.v.) if and only if

Pr[x|y] = Pr[x] for all x, y in X.

Page 28: Part 9, Basic Cryptography

Perfect secrecy

A cryptosystem has perfect secrecy if

Pr[x|y] = Pr[x], for all x in M and y in C.

That is: knowledge of the ciphertext y offers the adversary no advantage in determining the plaintext x (there is no advantage in eavesdropping).
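A worked derivation, added here and not from the slides, showing that the one-time pad of the earlier slides meets this definition. It uses Bayes' law from the previous slide and assumes that the m-bit key K is chosen uniformly at random and independently of the plaintext X, which is what "random bit string" on the one-time pad slide means.

```latex
\text{For every plaintext } x \in \{0,1\}^m \text{ and ciphertext } y \in \{0,1\}^m:
\Pr[y \mid x] = \Pr[K = x \oplus y] = 2^{-m}
  \qquad (\text{exactly one key maps } x \text{ to } y, \text{ and } K \text{ is uniform})
\Pr[y] = \sum_{x} \Pr[x]\,\Pr[y \mid x] = 2^{-m} \sum_{x} \Pr[x] = 2^{-m}
\Pr[x \mid y] = \frac{\Pr[y \mid x]\,\Pr[x]}{\Pr[y]} = \frac{2^{-m}\,\Pr[x]}{2^{-m}} = \Pr[x]
```

The last line is the definition of perfect secrecy, for every prior distribution on plaintexts. The argument needs the key to be used once: with two messages under the same key, y_1 ⊕ y_2 = x_1 ⊕ x_2 no longer depends on K, and the first equality above fails.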

Page 29: Part 9, Basic Cryptography

DES

DES is a Feistel cipher.
Block length 64 bits (effectively 56)
Key length 56 bits
Ciphertext length 64 bits

Page 30: Part 9, Basic Cryptography

DES

It has a round function g for which

g((L_{i−1}, R_{i−1}), K_i) = (L_i, R_i),

where

L_i = R_{i−1} and R_i = L_{i−1} XOR f(R_{i−1}, K_i).
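The Feistel round of this slide as a generic construction, added here as an example that is not from the slides and is not DES. The round function f is a constructed toy (a truncated SHA-256 of key‖R), chosen precisely because it is not invertible: the code demonstrates that the Feistel structure is undone by running the same rounds with the subkeys in reverse order, whatever f is, which is why DES can use a non-invertible f.

```python
# Added example (not from the slides): the Feistel round
#   g((L_{i-1}, R_{i-1}), K_i) = (R_{i-1}, L_{i-1} XOR f(R_{i-1}, K_i))
# as a generic construction. toy_f is a constructed round function, NOT the DES f;
# decryption is the same circuit with the round keys reversed, for any f.
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def toy_f(r: bytes, k: bytes) -> bytes:
    """Toy round function (assumption of this example): SHA-256(K || R) truncated to |R|."""
    return hashlib.sha256(k + r).digest()[: len(r)]


def feistel_round(L: bytes, R: bytes, K: bytes, f=toy_f) -> tuple:
    """One round: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    return R, xor(L, f(R, K))


def feistel_encrypt(block: bytes, round_keys: list, f=toy_f) -> bytes:
    if len(block) % 2 or not round_keys:
        raise ValueError("block must split into two equal halves and need >= 1 round key")
    half = len(block) // 2
    L, R = block[:half], block[half:]
    for K in round_keys:
        L, R = feistel_round(L, R, K, f)
    return R + L          # final swap, as in DES, so decryption reuses this circuit


def feistel_decrypt(block: bytes, round_keys: list, f=toy_f) -> bytes:
    """Same rounds, round keys in reverse order; the final swap undoes itself."""
    return feistel_encrypt(block, list(reversed(round_keys)), f)


def derive_round_keys(key: bytes, rounds: int = 16, half: int = 4) -> list:
    """Toy key schedule (assumption): K_i = SHA-256(key || i) truncated; not DES's schedule."""
    return [hashlib.sha256(key + bytes([i])).digest()[:half] for i in range(rounds)]


if __name__ == "__main__":
    keys = derive_round_keys(b"constructed key")
    y = feistel_encrypt(b"12345678", keys)
    print(y.hex(), feistel_decrypt(y, keys))
```

Why the inverse works: feeding (R_i, L_i) into a round with K_i yields (L_i, R_i XOR f(L_i, K_i)) = (R_{i−1}, L_{i−1} XOR f(R_{i−1}, K_i) XOR f(R_{i−1}, K_i)) = (R_{i−1}, L_{i−1}); the f value cancels against itself, so f is only ever evaluated, never inverted.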

Page 31: Part 9, Basic Cryptography

DES round encryption


Page 32: Part 9, Basic Cryptography

DES inner function


Page 33: Part 9, Basic Cryptography

DES computation path


Page 34: Part 9, Basic Cryptography

Attacks on DES

• Brute force
• Linear cryptanalysis -- known plaintext attack
• Differential cryptanalysis
  – chosen plaintext attack
  – modify plaintext bits, observe change in ciphertext

No dramatic improvement on brute force.

Page 35: Part 9, Basic Cryptography

Countering attacks

• Large keyspace combats brute force attack
• Triple DES (say EDE mode, 2 or 3 keys)
• Use AES

Page 36: Part 9, Basic Cryptography

AES

Block length 128 bits. Key lengths 128 (or 192 or 256). AES is an iterated cipher with Nr = 10 (or 12 or 14) rounds. In each round we have:

• Subkey mixing
• A substitution
• A permutation

Page 37: Part 9, Basic Cryptography

Modes of operation

Four basic modes of operation are available for block ciphers:

• Electronic codebook mode: ECB
• Cipher block chaining mode: CBC
• Cipher feedback mode: CFB
• Output feedback mode: OFB

Page 38: Part 9, Basic Cryptography

Electronic Codebook mode, ECB

Each plaintext block x_i is encrypted with the same key K:

y_i = e_K(x_i).

So, the naïve use of a block cipher.

Page 39: Part 9, Basic Cryptography

ECB (Electronic Code Book)

[Diagram: plaintext blocks x1, x2, x3, x4 are each encrypted by DES under the same key, giving y1, y2, y3, y4.]

Page 40: Part 9, Basic Cryptography

Cipher Block Chaining, CBC

Each cipher block y_{i−1} is XOR-ed with the next plaintext block x_i:

y_i = e_K(y_{i−1} XOR x_i)

before being encrypted to get the next ciphertext block y_i.

The chain is initialized with an initialization vector y_0 = IV whose length is the block size.

Page 41: Part 9, Basic Cryptography

Cipher Block Chaining, CBC

[Diagram: the IV is XOR-ed with x1 and encrypted by DES to give y1; each later y_{i−1} is XOR-ed with x_i and encrypted to give y_i, for x1 … x4 and y1 … y4.]

Page 42: Part 9, Basic Cryptography

Cipher and Output feedback modes (CFB & OFB)

CFB: z_0 = IV and recursively

z_i = e_K(y_{i−1}) and y_i = x_i XOR z_i

OFB: z_0 = IV and recursively

z_i = e_K(z_{i−1}) and y_i = x_i XOR z_i

Page 43: Part 9, Basic Cryptography

CFB mode

[Diagram: the IV is encrypted with e_K and XOR-ed with x1 to give y1; y1 is then encrypted with e_K and XOR-ed with x2 to give y2.]

Page 44: Part 9, Basic Cryptography

OFB mode

[Diagram: the IV is encrypted with e_K to give z1, which is XOR-ed with x1 to give y1; z1 is encrypted again with e_K to give z2, which is XOR-ed with x2 to give y2.]
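The four modes of the preceding slides written over an abstract block cipher e_K, as an added example that is not the slides' code. The 8-byte block cipher used to run it is a constructed toy (XOR with the key, then rotate the bytes), standing in for DES or AES so that the example needs no crypto library; it is not secure. The fixed IV and key are constructed test values; the example's `repeated_blocks` check makes the ECB weakness of the "naïve use" slide visible, since equal plaintext blocks produce equal ciphertext blocks under ECB but not under the chained modes.

```python
# Added example (not from the slides): ECB, CBC, CFB and OFB over an abstract
# block cipher e_K. toy_e/toy_d form a constructed, INSECURE 8-byte block cipher
# used only so the modes can be run; the IV is fixed here for reproducibility,
# whereas a real deployment needs a fresh IV per message.
BLOCK = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def toy_e(x: bytes, K: bytes) -> bytes:
    """Toy e_K: XOR with the key, then rotate the bytes left by one (a permutation)."""
    t = xor(x, K)
    return t[1:] + t[:1]


def toy_d(y: bytes, K: bytes) -> bytes:
    """Inverse of toy_e: rotate right, then XOR with the key."""
    return xor(y[-1:] + y[:-1], K)


def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks (padding is out of scope)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(x, K, e=toy_e):
    """y_i = e_K(x_i): equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(e(b, K) for b in blocks(x))


def ecb_decrypt(y, K, d=toy_d):
    return b"".join(d(b, K) for b in blocks(y))


def cbc_encrypt(x, K, iv, e=toy_e):
    """y_i = e_K(y_{i-1} XOR x_i), with y_0 = IV."""
    prev, out = iv, []
    for b in blocks(x):
        prev = e(xor(prev, b), K)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(y, K, iv, d=toy_d):
    """x_i = d_K(y_i) XOR y_{i-1}."""
    prev, out = iv, []
    for b in blocks(y):
        out.append(xor(d(b, K), prev))
        prev = b
    return b"".join(out)


def cfb_encrypt(x, K, iv, e=toy_e):
    """z_i = e_K(y_{i-1}), y_i = x_i XOR z_i; only e_K is ever needed."""
    prev, out = iv, []
    for b in blocks(x):
        prev = xor(b, e(prev, K))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(y, K, iv, e=toy_e):
    prev, out = iv, []
    for b in blocks(y):
        out.append(xor(b, e(prev, K)))
        prev = b
    return b"".join(out)


def ofb_crypt(x, K, iv, e=toy_e):
    """z_i = e_K(z_{i-1}), y_i = x_i XOR z_i; encryption and decryption coincide."""
    z, out = iv, []
    for b in blocks(x):
        z = e(z, K)
        out.append(xor(b, z))
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> list:
    """Positions of ciphertext blocks that occur more than once (the ECB leak)."""
    seen = {}
    for i, b in enumerate(blocks(ciphertext)):
        seen.setdefault(b, []).append(i)
    return [pos for pos in seen.values() if len(pos) > 1]


if __name__ == "__main__":
    K, IV = bytes(range(8)), bytes(8)                 # constructed key and IV
    x = b"ABCDEFGH" * 2 + b"12345678"                 # first two blocks equal
    print("ECB repeats:", repeated_blocks(ecb_encrypt(x, K)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(x, K, IV)))
```

CFB and OFB turn the block cipher into a stream cipher in the sense of the earlier slides: the plaintext is only XOR-ed with a keystream z_i, so decryption never calls d_K.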

Page 45: Part 9, Basic Cryptography

Public Key Cryptography

Alice                                   Bob

Alice and Bob want to exchange a private key in public.

Page 46: Part 9, Basic Cryptography

Public Key Cryptography

Alice  ---- g^a mod p ---->  Bob
Alice  <--- g^b mod p -----  Bob

The public key is: p, g, g^a mod p, g^b mod p, where p is a prime and g is a generator of Z_p.

The private key is: a ∈ Z_p, which Alice knows, and b ∈ Z_p, which Bob knows.

The output generated is a shared key: g^{ab} mod p (only Alice and Bob can compute this).
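The exchange of this slide run from both sides, as an added example that is not from the slides. The parameters p = 23 and g = 5 are constructed toy values chosen so the arithmetic can be followed by hand; the generator check is the standard one (g^((p−1)/r) ≠ 1 for every prime r dividing p − 1). Real deployments use a large prime and a generator of a large prime-order subgroup.

```python
# Added example (not from the slides): Diffie-Hellman key exchange as on the slide,
# with constructed toy parameters p = 23, g = 5. Both sides compute the same
# g^{ab} mod p from the other side's public value and their own secret.

def prime_factors(n: int) -> list:
    """Distinct prime factors of n by trial division (n is small in this example)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* iff g^((p-1)/r) != 1 mod p for every prime r dividing p-1."""
    return all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))


def dh_public(g: int, secret: int, p: int) -> int:
    """The value a party sends in the clear: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """(g^b)^a = (g^a)^b = g^{ab} mod p, from the peer's public value and own secret."""
    return pow(peer_public, secret, p)


def dh_exchange(p: int, g: int, a: int, b: int) -> tuple:
    """Run both sides; returns (g^a, g^b, Alice's key, Bob's key)."""
    if not is_generator(g, p):
        raise ValueError("g must generate Z_p^*")
    A = dh_public(g, a, p)          # Alice -> Bob
    B = dh_public(g, b, p)          # Bob -> Alice
    return A, B, dh_shared(B, a, p), dh_shared(A, b, p)


if __name__ == "__main__":
    A, B, k_alice, k_bob = dh_exchange(23, 5, 6, 15)   # constructed secrets a, b
    print(f"Alice sends {A}, Bob sends {B}; shared key {k_alice} == {k_bob}")
```

An eavesdropper sees p, g, g^a and g^b; recovering g^{ab} from these is the Diffie-Hellman problem, which for a generator of Z_p^* with large p is believed to be as hard as the discrete logarithm.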

Page 47: Part 9, Basic Cryptography

The RSA cryptosystem

Let n = pq, where p and q are primes.

Let M = C = Z_n, and let e, d be such that ed = 1 mod φ(n).

Define

e_K(x) = x^e mod n and d_K(y) = y^d mod n,

where x, y ∈ Z_n.

Public key = (n, e), private key = (n, d).

Page 48: Part 9, Basic Cryptography

Check

We have ed = 1 mod φ(n), so ed = 1 + tφ(n). Therefore

d_K(e_K(m)) = (m^e)^d = m^{ed} = m^{tφ(n)+1} = (m^{φ(n)})^t · m = 1 · m = m mod n.

Page 49: Part 9, Basic Cryptography

Example

p = 101, q = 113, n = 11413. φ(n) = 100 × 112 = 11200 = 2^6 · 5^2 · 7.

For encryption use e = 3533. Then d = e⁻¹ mod 11200 = 6597.

Bob publishes: n = 11413, e = 3533.

Suppose Alice wants to encrypt 9726. She computes 9726^3533 mod 11413 = 5761.

To decrypt it Bob computes 5761^6597 mod 11413 = 9726.

Page 50: Part 9, Basic Cryptography

Example: how to find d from e

Use the Extended Euclidean Algorithm (EEA).

EEA takes as input two positive numbers a, b and outputs three numbers s, t, d with d = gcd(a, b) and sa + tb = d.

In our case we take a = e, b = φ(n), to get sa = 1 mod φ(n). So d = s.

Page 51: Part 9, Basic Cryptography

Security of RSA

1. Relation to factoring. Recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible.

2. The RSA problem. Given (n, e) and c, compute m such that m^e = c mod n.

Page 52: Part 9, Basic Cryptography

The Rabin cryptosystem

Let n = pq, with p, q primes and p, q ≡ 3 mod 4. Let P = C = Z_n* and define K = {(n, p, q)}.

For K = (n, p, q) define

e_K(x) = x² mod n
d_K(y) = a square root of y mod n

The value of n is the public key, while p, q are the private key. One needs the factors p, q of n to find the square root.

Page 53: Part 9, Basic Cryptography

The Rabin cryptosystem

Let n = pq, with p, q primes, p, q ≡ 3 mod 4, and K = (n, p, q). To find the square roots of y mod n we first find the square roots

y_p = square root of y mod p
y_q = square root of y mod q

and then use the CRT. We have:

y_p = y^{(p+1)/4} mod p
y_q = y^{(q+1)/4} mod q

Page 54: Part 9, Basic Cryptography

The Rabin cryptosystem

To get the square root of y mod n (the quadratic residue) from

y_p = y^{(p+1)/4} mod p
y_q = y^{(q+1)/4} mod q

we use the Extended Euclidean Algorithm on p, q. Let sp + tq = 1. Then the square root is

tq·y_p + sp·y_q mod n

Check: tq·y_p + sp·y_q ≡ tq·y_p ≡ y_p mod p (since sp ≡ 0 and tq ≡ 1 mod p), and
       tq·y_p + sp·y_q ≡ sp·y_q ≡ y_q mod q (since tq ≡ 0 and sp ≡ 1 mod q).

Page 55: Part 9, Basic Cryptography

The RSA digital signature scheme

Let n = pq, where p and q are primes. Let P = C = Z_n, and define e, d such that ed = 1 mod φ(n).

Define

sig_K(m) = m^d mod n and ver_K(m, y) = true ⇔ m = y^e mod n,

where m, y ∈ Z_n.

Public key = (n, e), private key = (n, d).
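One block, added here and not from the slides, serving the RSA slides (key generation with the Extended Euclidean Algorithm, encryption and decryption on the slides' own numbers p = 101, q = 113, e = 3533), the Rabin slides (squaring, square roots mod p and q, CRT recombination with sp + tq = 1) and the RSA signature slide above. The RSA numbers are the slides' own; the Rabin parameters p = 7, q = 11 are constructed toy values. Note that the correctness argument of the "Check" slide uses m^{φ(n)} = 1 mod n, which is Euler's theorem and needs gcd(m, n) = 1; the code checks the roundtrip directly.

```python
# Added example (not from the slides): Extended Euclid for d = e^{-1} mod phi(n),
# RSA encryption/decryption and signatures, and Rabin encryption with CRT
# square-root recovery. RSA numbers are the slides' example; Rabin p, q are toys.

def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: returns (s, t, d) with s*a + t*b = d = gcd(a, b)."""
    if b == 0:
        return 1, 0, a
    s, t, d = egcd(b, a % b)
    return t, s - (a // b) * t, d


def mod_inverse(a: int, m: int) -> int:
    """a^{-1} mod m: the s of the 'how to find d from e' slide; error if gcd != 1."""
    s, _, d = egcd(a, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Returns (public (n, e), private (n, d)) with e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, mod_inverse(e, phi))


def rsa_encrypt(x: int, public: tuple) -> int:
    n, e = public
    return pow(x, e, n)                     # e_K(x) = x^e mod n


def rsa_decrypt(y: int, private: tuple) -> int:
    n, d = private
    return pow(y, d, n)                     # d_K(y) = y^d mod n


def rsa_sign(m: int, private: tuple) -> int:
    n, d = private
    return pow(m, d, n)                     # sig_K(m) = m^d mod n


def rsa_verify(m: int, y: int, public: tuple) -> bool:
    n, e = public
    return m % n == pow(y, e, n)            # ver_K(m, y): m = y^e mod n


def rabin_encrypt(x: int, n: int) -> int:
    return pow(x, 2, n)                     # e_K(x) = x^2 mod n


def rabin_square_roots(y: int, p: int, q: int) -> list:
    """All four square roots of y mod n = pq (p, q = 3 mod 4) via the CRT of the slides."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be 3 mod 4 for the (p+1)/4 exponent trick")
    n = p * q
    yp = pow(y, (p + 1) // 4, p)            # y_p = y^{(p+1)/4} mod p
    yq = pow(y, (q + 1) // 4, q)            # y_q = y^{(q+1)/4} mod q
    s, t, d = egcd(p, q)                    # s*p + t*q = 1
    if d != 1:
        raise ValueError("p and q must be distinct primes")
    roots = {(t * q * a + s * p * b) % n for a in (yp, -yp) for b in (yq, -yq)}
    return sorted(roots)


if __name__ == "__main__":
    pub, priv = rsa_keygen(101, 113, 3533)
    c = rsa_encrypt(9726, pub)
    print(pub, priv, c, rsa_decrypt(c, priv))        # d = 6597, c = 5761
    sig = rsa_sign(9726, priv)
    print(rsa_verify(9726, sig, pub), rsa_verify(9727, sig, pub))
    print(rabin_square_roots(rabin_encrypt(10, 77), 7, 11))   # four candidates
```

Rabin decryption returns four candidates, only one of which is the message; a deployed scheme adds redundancy to the plaintext so the receiver can tell which. Recovering all four roots of a chosen square is equivalent to factoring n, which is the sense in which Rabin's security is "provable" in the terms of the security slide.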

Page 56: Part 9, Basic Cryptography

The Digital Signature Algorithm

Let p be an L-bit prime, 512 ≤ L ≤ 1024 and L ≡ 0 mod 64, let q be a 160-bit prime that divides p − 1, and let α ∈ Z_p* be a q-th root of 1 modulo p. Let M = Z_{p−1}, C = Z_q × Z_q and K = {(x, y): y = α^x mod p}.

• The public key is: p, q, α, y.
• The private key is: (p, q, α), x.

Page 57: Part 9, Basic Cryptography

The Digital Signature scheme

• Signing. Let m ∈ Z_p be a message. For public key p, q, α, y, with y = α^x mod p, and secret random number k ∈ Z_{p−1}, define sig_K(m, k) = (s, t), where

– s = (α^k mod p) mod q
– t = (SHA-1(m) + xs) k⁻¹ mod q

• Verification. Let

– e_1 = SHA-1(m) t⁻¹ mod q
– e_2 = s t⁻¹ mod q

ver_K(m, (s, t)) = true ⇔ (α^{e_1} y^{e_2} mod p) mod q = s.
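The signing and verification equations of the last two slides as code, added here as an example that is not from the slides. The parameters p = 607, q = 101 (q divides p − 1 = 6 · 101) and α = 2^6 mod p = 64, a q-th root of unity, are constructed toy values; real DSA uses the bit lengths given on the slide. SHA-1(m) is computed with `hashlib` and reduced mod q, and k values that make s or t zero are rejected as the algorithm requires.

```python
# Added example (not from the slides): DSA signing and verification exactly as the
# slides write them, on constructed toy parameters p = 607, q = 101, alpha = 64.
import hashlib
import secrets

P, Q, ALPHA = 607, 101, 64


def params_ok(p: int = P, q: int = Q, alpha: int = ALPHA) -> bool:
    """q must divide p - 1 and alpha must be a q-th root of 1 other than 1 itself."""
    return (p - 1) % q == 0 and alpha != 1 and pow(alpha, q, p) == 1


def h(m: bytes, q: int = Q) -> int:
    """SHA-1(m) as an integer, reduced mod q."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % q


def dsa_keygen(x: int = None) -> tuple:
    """Private x in [1, q-1] (random unless given), public y = alpha^x mod p."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(ALPHA, x, P)


def dsa_sign(m: bytes, x: int, k: int = None) -> tuple:
    """sig_K(m, k) = (s, t): s = (alpha^k mod p) mod q, t = (SHA-1(m) + x s) k^{-1} mod q.

    A fresh random k is drawn per signature when none is given; a k giving
    s = 0 or t = 0 is retried when random and refused when supplied.
    """
    while True:
        kk = secrets.randbelow(Q - 1) + 1 if k is None else k
        s = pow(ALPHA, kk, P) % Q
        t = ((h(m) + x * s) * pow(kk, -1, Q)) % Q
        if s != 0 and t != 0:
            return s, t
        if k is not None:
            raise ValueError("supplied k gives s = 0 or t = 0; choose another k")


def dsa_verify(m: bytes, sig: tuple, y: int) -> bool:
    """ver_K(m, (s, t)) = true iff (alpha^{e1} y^{e2} mod p) mod q = s."""
    s, t = sig
    if not (0 < s < Q and 0 < t < Q):
        return False
    t_inv = pow(t, -1, Q)
    e1 = (h(m) * t_inv) % Q
    e2 = (s * t_inv) % Q
    return (pow(ALPHA, e1, P) * pow(y, e2, P) % P) % Q == s


if __name__ == "__main__":
    x, y = dsa_keygen()
    m = b"constructed message"
    sig = dsa_sign(m, x)
    print(sig, dsa_verify(m, sig, y), dsa_verify(b"tampered", sig, y))
```

Why verification works: t = (H + xs) k⁻¹ gives (H + xs) t⁻¹ = k mod q, so α^{e_1} y^{e_2} = α^{H t⁻¹ + x s t⁻¹} = α^k mod p, and reducing mod q returns s. The per-signature k must be secret and never reused: two signatures with the same k reveal x from the two t values, which is why a real implementation draws k from a strong random source.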

Page 58: Part 9, Basic Cryptography

Cryptographic hash functions

Messages can be quite long. Therefore, before digitally signing a message it is hashed.

A hash function (unkeyed) is a mapping h: X → Y, where

• X is a set of possible messages
• Y is the set of possible message digests

Message digests have fixed length: typically 160 bits (e.g., SHA-1), but also 256 or 512.

Page 59: Part 9, Basic Cryptography

Properties of cryptographic hash functions

1. One way or preimage resistant: given a hash function h and a message digest y, the equation y = h(x) cannot be solved efficiently for x.

2. Second preimage resistant: given a hash function h, a message x and the message digest y = h(x), one cannot efficiently find a second preimage x′ ≠ x with h(x′) = y.

3. Collision resistant: one cannot efficiently find a pair of distinct messages x, x′ for which h(x) = h(x′).