Applied Cryptography and Data Security

The notes grew out of an introductory graduate course in cryptography. Focus is on private-key and public-key algorithms. Protocol-related issues such as security services, key distributions are also treated.
APPLIED CRYPTOGRAPHY AND DATA SECURITY

Dr. Christof Paar
Cryptography and Information Security (CRIS) Group
Department of Electrical & Computer Engineering
Worcester Polytechnic Institute
Worcester, MA 01609
http://www.ece.wpi.edu/Research/crypt

Lecture Notes

Preface
These lecture notes are not meant as a replacement for a more comprehensive textbook. Rather, the notes at hand present the essentials of modern applied cryptography in compact form and should accompany the lecture in conjunction with one of the books mentioned below. The notes grew out of an introductory graduate course in cryptography which I have taught twelve times by now at Worcester Polytechnic Institute and in industry. Remarks, questions, and classroom discussions by our graduate students as well as by the staff of GTE Government Systems, MA, and Philips Research, NY, greatly helped to improve the lecture notes.

I tried to present modern cryptography in a way that is accessible to engineers without any background in abstract mathematics. There is a focus on private-key and public-key algorithms, an understanding of which appears to be extremely helpful for the development of real-world applications. However, protocol-related issues such as security services, key distribution, and identification are also treated.

The lecture notes work well together with an actual book. I've used Doug Stinson's excellent textbook [Sti95], as well as Bruce Schneier's comprehensive compilation [Sch93]. The treatment of topics in these lecture notes loosely follows the presentation in Stinson's book. For those interested in an in-depth understanding of the field, including many theoretical topics, the handbook by Alfred Menezes, Paul van Oorschot, and Scott Vanstone [AM97] can be strongly recommended for additional reading. Another good book which is more introductory is William Stallings' recent textbook [Sta99].

I would like to express my deep gratitude to my graduate students Jorge Guajardo and Martin Rosner, who were in charge of typing the notes and of drawing all figures and tables. Their many suggestions and proofreading greatly improved the notes.

Christof Paar
May 2000

Table of Contents

1 Introduction to Cryptography and Data Security
  1.1 Literature Recommendations
  1.2 Overview
  1.3 Private-Key Cryptosystems
  1.4 Cryptanalysis
    1.4.1 Attacks against Cryptoalgorithms
  1.5 Some Number Theory
  1.6 Simple Blockciphers
    1.6.1 Shift Cipher
    1.6.2 Affine Cipher

2 Stream Ciphers
  2.1 Introduction
  2.2 One-Time Pad and Pseudo-Random Generators
  2.3 Synchronous Stream Ciphers
    2.3.1 Linear Feedback Shift Registers (LFSR)
    2.3.2 Clock Controlled Shift Registers
  2.4 Attacks
    2.4.1 Known Plaintext Attack Against LFSRs

3 Some Results From Information Theory
  3.1 Levels of Security
  3.2 Computational Security
  3.3 Cryptography and Coding
  3.4 Confusion and Diffusion

4 Data Encryption Standard (DES)
  4.1 Encryption
    4.1.1 Overview
    4.1.2 Permutations
    4.1.3 Core Iteration / f-Function
    4.1.4 Key Schedule
  4.2 Decryption
  4.3 Implementation
    4.3.1 Hardware
    4.3.2 Software
  4.4 Attacks
    4.4.1 Exhaustive Key Search
    4.4.2 Differential Cryptanalysis
    4.4.3 Linear Cryptanalysis
  4.5 DES Alternatives

5 Rijndael / The Advanced Encryption Standard
  5.1 History
    5.1.1 Basic Facts about AES
    5.1.2 Chronology of the AES Process
  5.2 Rijndael Overview
  5.3 Some Mathematics: A Very Brief Introduction to Galois Fields
  5.4 Internal Structure
    5.4.1 Byte Substitution Layer
    5.4.2 Diffusion Layer
    5.4.3 Key Addition Layer
  5.5 Decryption

6 More about Block Ciphers
  6.1 Modes of Operation
    6.1.1 Electronic Codebook Mode (ECB)
    6.1.2 Cipher Block Chaining Mode (CBC)
    6.1.3 Cipher Feedback Mode (CFB)
    6.1.4 Counter Mode
  6.2 Key Whitening
  6.3 Multiple Encryption
    6.3.1 Double Encryption
    6.3.2 Triple Encryption

7 Introduction to Public-Key Cryptography
  7.1 Principle
  7.2 One-Way Functions
  7.3 Overview of Public-Key Algorithms
  7.4 Important Public-Key Standards
  7.5 More Number Theory
    7.5.1 Euclid's Algorithm
    7.5.2 Euler's Phi Function

8 RSA
  8.1 Cryptosystem
  8.2 Computational Aspects
    8.2.1 Choosing p and q
    8.2.2 Choosing a and b
    8.2.3 Encryption / Decryption
  8.3 Attacks
    8.3.1 Brute Force
    8.3.2 Finding Φ(n)
    8.3.3 Finding a directly
    8.3.4 Factorization of n
  8.4 Implementation

9 The Discrete Logarithm (DL) Problem
  9.1 Some Algebra
    9.1.1 Groups
    9.1.2 Finite Groups
  9.2 The General DL Problem
  9.3 Attacks for the DL Problem
  9.4 Diffie-Hellman Key Exchange
    9.4.1 Protocol
    9.4.2 Security

10 Elliptic Curve Cryptosystem
  10.1 Elliptic Curves
  10.2 Cryptosystems
    10.2.1 Diffie-Hellman Key Exchange
    10.2.2 Menezes-Vanstone Encryption
  10.3 Implementation

11 ElGamal Encryption Scheme
  11.1 Cryptosystem
  11.2 Computational Aspects
    11.2.1 Encryption
    11.2.2 Decryption
  11.3 Security of ElGamal

12 Digital Signatures
  12.1 Principle
  12.2 RSA Signature Scheme
  12.3 ElGamal Signature Scheme

13 Hash Functions
  13.1 Introduction
  13.2 Security Considerations
  13.3 Hash Algorithms

14 Message Authentication Codes (MACs)
  14.1 Principle
  14.2 MACs from Block Ciphers
  14.3 HMAC

15 Security Services
  15.1 Attacks Against Information Systems
  15.2 Introduction
  15.3 Privacy
  15.4 Integrity and Sender Authentication
    15.4.1 Digital Signatures
    15.4.2 MACs
    15.4.3 Integrity and Encryption

16 Key Establishment
  16.1 Introduction
  16.2 Private-Key Approaches
    16.2.1 The n^2 Key Distribution Problem
    16.2.2 Key Distribution Center (KDC)
  16.3 Public-Key Approaches
    16.3.1 Man-In-The-Middle Attack
    16.3.2 Certificates
    16.3.3 Diffie-Hellman Exchange with Certificates
    16.3.4 Authenticated Key Agreement

17 Case Study: The Secure Socket Layer (SSL) Protocol
  17.1 Introduction
  17.2 SSL Record Protocol
    17.2.1 Overview of the SSL Record Protocol
  17.3 SSL Handshake Protocol
    17.3.1 Core Cryptographic Components of SSL

18 Introduction to Identification Schemes
  18.1 Private-key Approach

References

Chapter 1 Introduction to Cryptography and Data Security


1.1 Literature Recommendations
Course Textbooks: [Sti95] or [Sch93].

Further Reading - the following books are excellent supplements to the course textbook:

1. [AM97] - great compilation of theoretical and practical aspects of many crypto schemes. Unique since it includes many theoretical topics that are hard to find otherwise. Highly recommended.
2. [Sta95] - very readable treatment of algorithms and standards relevant to cryptography in networks.

1.2 Overview
Brief History of Cryptography

Private-Key: all encryption and decryption schemes dating from BC to 1976.

Figure 1.1: Overview on the field of cryptology (tree diagram: Cryptology splits into Cryptography and Cryptanalysis; Cryptography splits into Private-Key, Public-Key, and Protocols; Private-Key splits into Block cipher and Stream cipher)

Public-Key: in 1976 the first public-key scheme was introduced by the Diffie-Hellman key exchange protocol.

Hybrid Approach: in today's protocols, very often hybrid schemes are applied which use private- and public-key algorithms.

1.3 Private-Key Cryptosystems


Sometimes these schemes are also referred to as symmetric, single-key, and secret-key approaches.

Problem Statement: Alice and Bob want to communicate over an unsecure channel (e.g., computer network, satellite link). They want to prevent Oscar (the bad guy) from listening.

Solution: Use of private-key cryptosystems (these have been around since BC) such that if Oscar reads the encrypted version $y$ of the message over the unsecure channel, he will not be able to understand its content, because what really was sent is the plaintext $x$, and Oscar only sees $y$.

Figure 1.2: Private-key cryptosystem (Alice (good) computes $y = e_k(x)$ with the encryption function $e_k()$; $y$ travels over the unsecure channel, where Oscar (bad) can read it; Bob (good) recovers $x = d_k(y)$ with the decryption function $d_k()$; the key $k$ comes from a key generator and reaches both parties over a secure channel)

Some important definitions:

1a. $x$ is called the "plaintext"
1b. $P = \{x_1, x_2, \ldots, x_p\}$ is the (finite) "plaintext space"
2a. $y$ is called the "ciphertext"
2b. $C = \{y_1, y_2, \ldots, y_c\}$ is the (finite) "ciphertext space"
3a. $k$ is called the "key"
3b. $K = \{k_1, k_2, \ldots, k_l\}$ is the (finite) "key space"
4a. There are $l$ encryption functions $e_{k_i}: P \to C$, or: $e_{k_i}(x) = y$
4b. There are $l$ decryption functions $d_{k_i}: C \to P$, or: $d_{k_i}(y) = x$
4c. $e_{k_1}$ and $d_{k_2}$ are inverse functions if $k_1 = k_2$: $d_{k_i}(y) = d_{k_i}(e_{k_i}(x)) = x$ for all $k_i \in K$

Example: Data Encryption Standard (DES)

$P = C = \{0, 1, 2, \ldots, 2^{64} - 1\}$, each $x_i$ has 64 bits: $x_i = 010 \ldots 0110$
$K = \{0, 1, 2, \ldots, 2^{56} - 1\}$, each $k_i$ has 56 bits
Encryption $e_k()$ and decryption $d_k()$ will be described in Chapter 4.

1.4 Cryptanalysis

Definition: The science of recovering the plaintext $x$ from the ciphertext $y$ without the knowledge of the key (Oscar's job).

Rules of the game: The cryptanalysis rules are known as Kerckhoffs' Principle:
1. Oscar knows the cryptosystem (encryption and decryption algorithms).
2. Oscar does not know the key.

1.4.1 Attacks against Cryptoalgorithms

1. Ciphertext-only attack
   Oscar's knowledge: some $y_1 = e_k(x_1)$, $y_2 = e_k(x_2)$, ...
   Oscar's goal: obtain $x_1, x_2, \ldots$ or the key $k$.
2. Known plaintext attack
   Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1))$, $(x_2, y_2 = e_k(x_2))$, ...
   Oscar's goal: obtain the key $k$.
3. Chosen plaintext attack
   Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1))$, $(x_2, y_2 = e_k(x_2))$, ... of which he can choose $x_1, x_2, \ldots$
   Oscar's goal: obtain the key $k$.
4. Chosen ciphertext attack
   Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1))$, $(x_2, y_2 = e_k(x_2))$, ... of which he can choose $y_1, y_2, \ldots$
   Oscar's goal: obtain the key $k$.

1.5 Some Number Theory

Modulo operation:
Question: What is 12 mod 9? Answer: $12 \bmod 9 \equiv 3$, or $12 \equiv 3 \bmod 9$.

Definition 1.5.1 (Modulo Operation) Let $a, r, m \in \mathbb{Z}$ (where $\mathbb{Z}$ is the set of all integers) and $m > 0$. We write $a \equiv r \bmod m$ if $m$ divides $r - a$.
"$m$" is called the modulus. "$r$" is called the remainder.

Some remarks on the modulo operation:

How is the remainder computed? It is always possible to write $a \in \mathbb{Z}$ such that $a = q \cdot m + r$, $0 \le r < m$. Now since $a - r = q \cdot m$, $m$ divides $a - r$ and $a \equiv r \bmod m$. Note that $r \in \{0, 1, 2, \ldots, m - 1\}$.

Example: $a = 42$, $m = 9$: $42 = 4 \cdot 9 + 6$, therefore $42 \equiv 6 \bmod 9$.

C programming command "%": C can return a negative value: r = 42 % 9 returns r = 6, but r = -42 % 9 returns r = -6! If the remainder is negative, add the modulus $m$: $-6 + 9 = 3 \equiv -42 \bmod 9$.

Ring:
Definition 1.5.2 The ring "$\mathbb{Z}_m$" consists of:
1. The set $\mathbb{Z}_m = \{0, 1, 2, \ldots, m - 1\}$
2. Two operations "+" and "$\times$" for all $a, b \in \mathbb{Z}_m$ such that:
   $a + b \equiv c \bmod m$, $c \in \mathbb{Z}_m$
   $a \times b \equiv d \bmod m$, $d \in \mathbb{Z}_m$

Example: $m = 9$, $\mathbb{Z}_9 = \{0, 1, 2, 3, 4, 5, 6, 7, 8\}$; $6 + 8 = 14 \equiv 5 \bmod 9$; $6 \times 8 = 48 \equiv 3 \bmod 9$.

Definition 1.5.3 Some important properties of the ring $\mathbb{Z}_m = \{0, 1, 2, \ldots, m - 1\}$:
1. The additive identity is the element zero "0": $a + 0 = a \bmod m$, for any $a \in \mathbb{Z}_m$.
2. The additive inverse "$-a$" of "$a$" is such that $a + (-a) \equiv 0 \bmod m$: $-a = m - a$, for any $a \in \mathbb{Z}_m$.
3. Addition is closed: i.e., for any $a, b \in \mathbb{Z}_m$, $a + b \in \mathbb{Z}_m$.
4. Addition is commutative: i.e., for any $a, b \in \mathbb{Z}_m$, $a + b = b + a$.
5. Addition is associative: i.e., for any $a, b, c \in \mathbb{Z}_m$, $(a + b) + c = a + (b + c)$.
6. The multiplicative identity is the element one "1": $a \times 1 \equiv a \bmod m$, for any $a \in \mathbb{Z}_m$.
7. The multiplicative inverse "$a^{-1}$" of "$a$" is such that $a \times a^{-1} \equiv 1 \bmod m$. An element $a$ has a multiplicative inverse "$a^{-1}$" if and only if $\gcd(a, m) = 1$.
8. Multiplication is closed: i.e., for any $a, b \in \mathbb{Z}_m$, $ab \in \mathbb{Z}_m$.
9. Multiplication is commutative: i.e., for any $a, b \in \mathbb{Z}_m$, $ab = ba$.
10. Multiplication is associative: i.e., for any $a, b, c \in \mathbb{Z}_m$, $(ab)c = a(bc)$.

Some remarks on the ring $\mathbb{Z}_m$:

Roughly speaking, a ring is a structure in which we can add, subtract, multiply, and sometimes divide.

Definition 1.5.4 If $\gcd(a, m) = 1$, then $a$ and $m$ are "relatively prime" and the multiplicative inverse of $a$ exists.

Example:
(i) Question: does the multiplicative inverse exist for 15 mod 26? Answer: yes, since $\gcd(15, 26) = 1$.
(ii) Question: does the multiplicative inverse exist for 14 mod 26? Answer: no, since $\gcd(14, 26) = 2 \ne 1$.

The modulo operation can be applied whenever we want:
$(a + b) \bmod m = ((a \bmod m) + (b \bmod m)) \bmod m$
$(a \times b) \bmod m = ((a \bmod m) \times (b \bmod m)) \bmod m$

Example: $3^8 \bmod 7 = ?$
(i) $3^8 = 3^4 \cdot 3^4 = 81 \cdot 81 \bmod 7 \equiv (81 \bmod 7) \cdot (81 \bmod 7) = 4 \cdot 4 = 16 \equiv 2 \bmod 7$.
(ii) $3^8 = 6561 \equiv 2 \bmod 7$, since $6561 = 937 \cdot 7 + 2$.

As we see, it is almost always of computational advantage to apply the modulo reduction as soon as we can. The ring $\mathbb{Z}_m$, and thus integer arithmetic with the modulo operation, is of central importance to modern public-key cryptography. In practice, the integers are represented with 150 to 2048 bits.

1.6 Simple Blockciphers

Recall:

Figure 1.3: Classification of private-key systems (Private-key Systems split into Block ciphers and Stream ciphers)

Idea: The message string is divided into blocks (or cells) of equal length that are then encrypted and decrypted.
Input: message string $X \to X = x_1, x_2, x_3, \ldots, x_n$, where each $x_i$ is one block.
Cipher: $Y = y_1, y_2, y_3, \ldots, y_n$, with $y_i = e_k(x_i)$ where the key $k$ is fixed.

1.6.1 Shift Cipher

One of the most simple ciphers, where the letters of the alphabet are assigned a number as depicted in Table 1.1.

A   B   C   D   E   F   G   H   I   J   K   L   M
0   1   2   3   4   5   6   7   8   9   10  11  12
N   O   P   Q   R   S   T   U   V   W   X   Y   Z
13  14  15  16  17  18  19  20  21  22  23  24  25

Table 1.1: Shift cipher table

Definition 1.6.1 (Shift Cipher) Let $P = C = K = \mathbb{Z}_{26}$, $x \in P$, $y \in C$, $k \in K$.
Encryption: $e_k(x) = x + k \bmod 26$.
Decryption: $d_k(y) = y - k \bmod 26$.

Remark: If $k = 3$, the shift cipher is given a special name, the "Caesar Cipher".

Example: $k = 17$, plaintext: $X = x_1, x_2, \ldots, x_6 = \mathrm{ATTACK}$, i.e. $X = x_1, x_2, \ldots, x_6 = 0, 19, 19, 0, 2, 10$.

Encryption:
$y_1 = x_1 + k \bmod 26 = 0 + 17 = 17 \bmod 26 = \mathrm{R}$
$y_2 = y_3 = 19 + 17 = 36 \equiv 10 \bmod 26 = \mathrm{K}$
$y_4 = 17 = \mathrm{R}$
$y_5 = 2 + 17 = 19 \bmod 26 = \mathrm{T}$
$y_6 = 10 + 17 = 27 \equiv 1 \bmod 26 = \mathrm{B}$

Ciphertext: $Y = y_1, y_2, \ldots, y_6 = \mathrm{RKKRTB}$.

Attacks on Shift Cipher

1. Ciphertext-only: Try all possible keys, $|K| = 26$. This is known as a "brute force attack" or "exhaustive search". Secure cryptosystems require a sufficiently large key space. The minimum requirement today is $|K| \ge 2^{80}$; however, for long-term security, $|K| \ge 2^{100}$ is recommended.
2. Same cleartext maps to same ciphertext $\Rightarrow$ can also easily be attacked with letter-frequency analysis.

1.6.2 Affine Cipher

This cipher is an extension of the Shift Cipher $y_i = x_i + k \bmod m$.

Definition 1.6.2 (Affine Cipher) Let $P = C = \mathbb{Z}_{26}$.
Encryption: $e_k(x) = a \cdot x + b \bmod 26$.
Key: $k = (a, b)$ where $a, b \in \mathbb{Z}_{26}$.
Decryption: $a \cdot x + b = y \bmod 26 \Rightarrow a \cdot x = y - b \bmod 26 \Rightarrow x = a^{-1} \cdot (y - b) \bmod 26$.

Restriction: $\gcd(a, 26) = 1$ in order for the affine cipher to work, since $a^{-1}$ does not always exist.

Question: How is $a^{-1}$ obtained? Answer: $a^{-1} \equiv a^{11} \bmod 26$ (the proof for this is in Chapter 6), or by trial-and-error for the time being.
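As an added worked example (not code from the lecture notes), the following Python puts Sections 1.5 and 1.6 together: the C-style negative remainder and its correction, the $a^{-1} \equiv a^{11} \bmod 26$ shortcut checked against trial-and-error, and the shift and affine ciphers with the $\gcd(a, 26) = 1$ restriction enforced. The affine key $(a, b) = (5, 8)$ is a constructed value; the shift example is the one from Section 1.6.1.

```python
"""Modular arithmetic of Section 1.5 and the shift/affine ciphers of Section 1.6.
Constructed example; not code from the lecture notes."""
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # Table 1.1: A -> 0, ..., Z -> 25
M = 26


def c_style_mod(a: int, m: int) -> int:
    """Mimic the C '%' operator, which truncates toward zero: -42 % 9 gives -6."""
    r = abs(a) % m
    return -r if a < 0 else r


def mod(a: int, m: int) -> int:
    """Reduce a into Z_m = {0, ..., m-1}: if the C-style remainder is negative, add m."""
    r = c_style_mod(a, m)
    return r + m if r < 0 else r


def inverse_mod26(a: int) -> int:
    """a^-1 = a^11 mod 26 (Section 1.6.2); only defined when gcd(a, 26) = 1."""
    if gcd(a, M) != 1:
        raise ValueError(f"{a} has no inverse mod 26: gcd({a}, 26) = {gcd(a, M)}")
    inv = pow(a, 11, M)
    assert a * inv % M == 1          # sanity check of the a^11 shortcut
    return inv


def inverse_by_trial(a: int) -> int:
    """The trial-and-error alternative mentioned in the text."""
    for x in range(1, M):
        if a * x % M == 1:
            return x
    raise ValueError(f"{a} has no inverse mod 26")


def shift_encrypt(text: str, k: int) -> str:
    """e_k(x) = x + k mod 26, letter by letter (Definition 1.6.1); uppercase A..Z only."""
    return "".join(ALPHABET[mod(ALPHABET.index(ch) + k, M)] for ch in text)


def shift_decrypt(text: str, k: int) -> str:
    """d_k(y) = y - k mod 26; mod() keeps the result in Z_26 even when y < k."""
    return "".join(ALPHABET[mod(ALPHABET.index(ch) - k, M)] for ch in text)


def affine_encrypt(text: str, a: int, b: int) -> str:
    """e_k(x) = a*x + b mod 26 with k = (a, b); rejects keys with gcd(a, 26) != 1."""
    if gcd(a, M) != 1:
        raise ValueError("affine key needs gcd(a, 26) = 1, otherwise decryption is impossible")
    return "".join(ALPHABET[mod(a * ALPHABET.index(ch) + b, M)] for ch in text)


def affine_decrypt(text: str, a: int, b: int) -> str:
    """x = a^-1 * (y - b) mod 26 (Definition 1.6.2)."""
    a_inv = inverse_mod26(a)
    return "".join(ALPHABET[mod(a_inv * (ALPHABET.index(ch) - b), M)] for ch in text)


if __name__ == "__main__":
    print(c_style_mod(-42, 9), mod(-42, 9))          # -6 3
    print(shift_encrypt("ATTACK", 17))               # RKKRTB (example of Section 1.6.1)
    print(inverse_mod26(15), inverse_by_trial(15))   # 7 7
    print(affine_encrypt("ATTACK", 5, 8))            # IZZISG (constructed key)
```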

Chapter 2 Stream Ciphers

Further Reading: [Sim92, Chapter 2]

2.1 Introduction

Remember classification:

Figure 2.1: Private-key cipher classification (Private-key Systems split into Block ciphers and Stream ciphers)

Block Cipher: $Y = y_1, y_2, \ldots, y_n = e_k(x_1), e_k(x_2), \ldots, e_k(x_n)$, i.e. the key does not change with every block.
Stream Cipher: $Y = y_1, y_2, \ldots, y_n = e_{z_1}(x_1), e_{z_2}(x_2), \ldots, e_{z_n}(x_n)$ with the "keystream" $= z_1, z_2, \ldots, z_n$.

Figure 2.2: Most popular encryption/decryption function ($x_i$ and $z_i$ enter a modulo 2 adder that outputs $y_i$; $y_i$ and $z_i$ enter a modulo 2 adder that outputs $x_i$)

Most popular en-/decryption function: modulo 2 addition. Assume $x_i, y_i, z_i \in \{0, 1\}$:
$y_i = e_{z_i}(x_i) = x_i + z_i \bmod 2$ (encryption)
$x_i = e_{z_i}(y_i) = y_i + z_i \bmod 2$ (decryption)

Remarks:
1. Developed by Vernam in 1917 for Baudot Code on teletypewriters.
2. The modulo 2 operation is equivalent to a 2-input XOR operation. Why are encryption and decryption identical operations? Truth table of modulo 2 addition:

   a  b  c = a + b mod 2
   0  0  0 + 0 = 0 mod 2
   0  1  0 + 1 = 1 mod 2
   1  0  1 + 0 = 1 mod 2
   1  1  1 + 1 = 0 mod 2

   $\Rightarrow$ modulo 2 addition yields the same truth table as the XOR operation.
3. Encryption and decryption are the same operation, namely modulo 2 addition or XOR. Why? We show that decryption of ciphertext bit $y_i$ yields the corresponding plaintext bit. Decryption: $y_i + z_i = \underbrace{(x_i + z_i)}_{\text{encryption}} + z_i = x_i + (z_i + z_i) \equiv x_i \bmod 2$. Note that $z_i + z_i \equiv 0 \bmod 2$ for $z_i = 0$ and for $z_i = 1$.

Example: Encryption of the letter `A' by Alice. `A' is given in ASCII code as $65_{10} = 1000001_2$. Let's assume that the first key stream bits are $z_1, \ldots, z_7 = 0101101$.

Encryption by Alice:
   plaintext  x_i: 1000001 = `A' (ASCII symbol)
   key stream z_i: 0101101
   ciphertext y_i: 1101100 = `l' (ASCII symbol)
Decryption by Bob:
   ciphertext y_i: 1101100 = `l' (ASCII symbol)
   key stream z_i: 0101101
   plaintext  x_i: 1000001 = `A' (ASCII symbol)

2.2 One-Time Pad and Pseudo-Random Generators

Definition 2.2.1 (Unconditional Security)
A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources.

Definition 2.2.2 (One-time Pad (OTP))
A cryptosystem developed by Mauborgne based on Vernam's stream cipher consisting of:
$|P| = |C| = |K|$, with $x_i, y_i, k_i \in \{0, 1\}$.
Encrypt: $e_{k_i}(x_i) = x_i + k_i \bmod 2$.
Decrypt: $d_{k_i}(y_i) = y_i + k_i \bmod 2$.

Theorem 2.2.1 The OTP is unconditionally secure if keys are only used once.

Remarks:
1. OTP is the only provably secure system:
   $y_0 = x_0 + K_0 \bmod 2$
   $y_1 = x_1 + K_1 \bmod 2$
   ...
   Each equality is a linear equation with 2 unknowns. $\Rightarrow$ For every $y_i$, $x_i = 0$ and $x_i = 1$ are equally likely. $\Rightarrow$ This holds only if $K_0, K_1, \ldots$ are not related to each other, i.e., $K_i$ must be generated truly randomly.
2. OTPs are impractical for most applications.

Question: Can we "emulate" an OTP by using a short key?

Figure 2.3: Stream cipher model (Alice and Bob each feed the same short initial key $k$ into a key-stream generator producing $z_i$; Alice combines $z_i$ with the plaintext bits $x_0, x_1, \ldots, x_n$ to obtain $y_0, y_1, \ldots, y_n$, which Oscar can observe on the channel; Bob combines $z_i$ with the $y_i$ to recover $x_0, x_1, \ldots, x_n$)

Classification by key-stream generator:
(a) "synchronous stream cipher": $z_i = f(k)$ $\to$ pseudo-random generator (PRG).
(b) "asynchronous stream cipher": $z_i = f(k, y_{i-1}, y_{i-2}, \ldots, y_{i-N})$ $\to$ feedback of the cipher.
(c) The key issue is that Bob has to `match' the exact $z_i$ to get the correct message. In order to do this, both key-stream generators have to be synchronized.

Figure 2.4: Asynchronous stream cipher (the encryptor adds $z_i = f(\cdot)$ to $x_i$ to obtain $y_i$; the feedback path from $y_i$ into $f(\cdot)$ exists only in asynchronous stream ciphers)

It is important to note that key stream generators must not only possess good statistical properties, which is true for other pseudo-random generators as well, but they must also be cryptographically secure:

Definition 2.2.3 (Cryptographically secure pseudo-random generators)
A pseudo-random generator (key stream generator) is cryptographically secure if it is unpredictable. That is, given the first $n$ output bits of the generator, it is computationally infeasible to compute the bits $n + 1, n + 2, \ldots$

2.3 Synchronous Stream Ciphers

The keystream $z_1, z_2, \ldots$ is a pseudo-random sequence which depends only on the key.

2.3.1 Linear Feedback Shift Registers (LFSR)

An LFSR consists of $m$ storage elements (flip-flops) and a feedback network. The feedback network computes the input for the "last" flip-flop as the XOR-sum of certain flip-flops in the shift register.

Example: We consider an LFSR of degree $m = 3$ with flip-flops $K_2$, $K_1$, $K_0$, and a feedback path as shown below.

Figure 2.5: Linear feedback shift register (three flip-flops $K_2, K_1, K_0$ driven by a common clock CLK and holding $Z_2, Z_1, Z_0$; the contents of $K_1$ and $K_0$ are combined by a modulo 2 addition / XOR and fed back into $K_2$; the output of $K_0$ yields the keystream $Z_0, Z_1, \ldots, Z_6, \ldots$)

CLK  K_2  K_1  K_0
 0    1    0    0
 1    0    1    0
 2    1    0    1
 3    1    1    0
 4    1    1    1
 5    0    1    1
 6    0    0    1
 7    1    0    0

Mathematical description for keystream bits $z_i$ with $z_0, z_1, z_2$ as initial settings:
$z_3 = z_1 + z_0 \bmod 2$
$z_4 = z_2 + z_1 \bmod 2$
$z_5 = z_3 + z_2 \bmod 2$
...
General case: $z_{i+3} = z_{i+1} + z_i \bmod 2$, $i = 0, 1, 2, \ldots$

Expression for the LFSR:

Figure 2.6: LFSR with feedback coefficients (flip-flops $K_{m-1}, \ldots, K_1, K_0$ clocked by CLK; the content of each $K_j$ passes through a switch $C_j$ into the XOR feedback that feeds $K_{m-1}$; the OUTPUT is taken from $K_0$)

$C_0, C_1, \ldots, C_{m-1}$ are the feedback coefficients. $C_i = 0$ denotes an open switch (no connection), $C_i = 1$ denotes a closed switch (connection).

$$z_{i+m} = \sum_{j=0}^{m-1} C_j \cdot z_{i+j} \bmod 2; \quad C_j \in \{0, 1\}; \quad i = 0, 1, 2, \ldots$$

The entire key consists of: $k = \{C_0, C_1, \ldots, C_{m-1};\ z_0, z_1, \ldots, z_{m-1};\ m\}$

Example: $k = \{C_0 = 1, C_1 = 1, C_2 = 0;\ z_0 = 0, z_1 = 0, z_2 = 1;\ 3\}$

Theorem 2.3.1 The maximum sequence length generated by the LFSR is $2^m - 1$.

Proof: There are only $2^m$ different states $(K_{m-1}, \ldots, K_0)$ possible. Since only the current state is known to the LFSR, after $2^m$ clock cycles a repetition must occur. The all-zero state must be excluded since it repeats itself immediately.

Remarks:
1. Only certain configurations $(C_0, \ldots, C_{m-1})$ yield maximum length LFSRs. For example: if $m = 4$, then $(C_0 = 1, C_1 = 1, C_2 = 0, C_3 = 0)$ has a length of $2^m - 1 = 15$, but $(C_0 = 1, C_1 = 1, C_2 = 1, C_3 = 1)$ has a length of 5.
2. LFSRs are sometimes specified by polynomials, such that $P(x) = x^m + C_{m-1} x^{m-1} + \ldots + C_1 x + C_0$. Maximum length LFSRs have "primitive polynomials". These polynomials can be easily obtained from the literature (Table 16.2 in [Sch93]). For example: $(C_0 = 1, C_1 = 1, C_2 = 0, C_3 = 0) \Rightarrow P(x) = 1 + x + x^4$.
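As an added example (not code from the lecture notes), the following Python simulates the LFSR of Figure 2.6 and checks the claims above: the $m = 3$ register of the example reproduces the state table and has period 7, and for $m = 4$ the configuration $(1, 1, 0, 0)$ reaches the maximum length 15 while $(1, 1, 1, 1)$ only reaches 5. The initial state $(1, 0, 0, 0)$ used for the $m = 4$ registers is a constructed value.

```python
"""LFSR simulation for Section 2.3.1 and Theorem 2.3.1.
Constructed example; not code from the lecture notes."""
from typing import List, Sequence, Tuple


def lfsr_keystream(coeffs: Sequence[int], init: Sequence[int], n: int) -> List[int]:
    """Return z_0 .. z_{n-1} of the LFSR z_{i+m} = sum_j C_j * z_{i+j} mod 2.

    coeffs = (C_0, ..., C_{m-1}) are the feedback switches, init = (z_0, ..., z_{m-1})."""
    m = len(coeffs)
    if len(init) != m or not all(b in (0, 1) for b in (*coeffs, *init)):
        raise ValueError("need m coefficient bits and m initial bits")
    z = list(init)
    while len(z) < n:
        window = z[-m:]                      # z_i .. z_{i+m-1}
        z.append(sum(c & b for c, b in zip(coeffs, window)) % 2)
    return z[:n]


def state_table(coeffs: Sequence[int], init: Sequence[int], cycles: int) -> List[Tuple[int, ...]]:
    """Flip-flop contents (K_{m-1}, ..., K_0) at each clock, as in the table below Figure 2.5.

    At clock i the register holds (z_{i+m-1}, ..., z_i)."""
    m = len(coeffs)
    z = lfsr_keystream(coeffs, init, cycles + m - 1)
    return [tuple(reversed(z[i:i + m])) for i in range(cycles)]


def lfsr_period(coeffs: Sequence[int], init: Sequence[int]) -> int:
    """Clock the register until its m-bit state repeats; the all-zero state has period 1."""
    start = tuple(init)
    if not any(start):
        return 1
    state = list(start)
    clocks = 0
    while True:
        new_bit = sum(c & b for c, b in zip(coeffs, state)) % 2
        state = state[1:] + [new_bit]        # shift, new bit enters at K_{m-1}
        clocks += 1
        if tuple(state) == start:
            return clocks


def feedback_polynomial(coeffs: Sequence[int]) -> str:
    """P(x) = x^m + C_{m-1} x^{m-1} + ... + C_1 x + C_0 as a readable string."""
    m = len(coeffs)
    terms = [f"x^{m}"]
    for j in range(m - 1, -1, -1):
        if coeffs[j]:
            terms.append({0: "1", 1: "x"}.get(j, f"x^{j}"))
    return " + ".join(terms)


def is_maximum_length(coeffs: Sequence[int], init: Sequence[int]) -> bool:
    """Theorem 2.3.1: a maximum-length LFSR cycles through all 2^m - 1 nonzero states."""
    return lfsr_period(coeffs, init) == 2 ** len(coeffs) - 1


if __name__ == "__main__":
    print(lfsr_keystream((1, 1, 0), (0, 0, 1), 10))   # [0, 0, 1, 0, 1, 1, 1, 0, 0, 1]
    print(lfsr_period((1, 1, 0), (0, 0, 1)))          # 7
    for c in ((1, 1, 0, 0), (1, 1, 1, 1)):
        print(feedback_polynomial(c), lfsr_period(c, (1, 0, 0, 0)))   # x^4 + x + 1 15 / x^4 + x^3 + x^2 + x + 1 5
```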

2.3.2 Clock Controlled Shift Registers

Example: Alternating stop-and-go generator.

Figure 2.7: Stop-and-go generator example (LFSR1, driven by CLK, produces Out1, which selects whether LFSR2 or LFSR3 is clocked; Out2 and Out3 are XORed to give Out4 $= Z_i$, the key stream)

Basic operation: When Out1 = 1 then LFSR2 is clocked, otherwise LFSR3 is clocked. Out4 serves as the keystream and is a bitwise XOR of the results from LFSR2 and LFSR3.

Security of the generator: All three LFSRs should have a maximum length configuration. If the sequence lengths of all LFSRs are relatively prime to each other, then the sequence length of the generator is the product of all three sequence lengths, i.e., $L = L_1 \cdot L_2 \cdot L_3$. A secure generator should have LFSRs of roughly equal lengths, and the length should be at least 128: $m_1 \approx m_2 \approx m_3 \approx 128$.

2.4 Attacks

2.4.1 Known Plaintext Attack Against LFSRs

Assumption: For a known plaintext attack, we have to assume that $m$ is known.
Idea: This attack is based on the knowledge of some plaintext and its corresponding ciphertext.
(i) Known plaintext $\to x_0, x_1, \ldots, x_{2m-1}$.
(ii) Observed ciphertext $\to y_0, y_1, \ldots, y_{2m-1}$.
(iii) Construct keystream bits $\to z_i = x_i + y_i \bmod 2$, $i = 0, 1, \ldots, 2m - 1$.
Goal: To find the feedback coefficients $C_i$.

Using the LFSR equation to find the $C_i$ coefficients:

$$z_{i+m} = \sum_{j=0}^{m-1} C_j \cdot z_{i+j} \bmod 2; \quad C_j \in \{0, 1\}$$

Note: We can rewrite this as follows:

$$\begin{aligned}
i = 0: \quad & z_m = C_0 z_0 + C_1 z_1 + \ldots + C_{m-1} z_{m-1} \bmod 2 \\
i = 1: \quad & z_{m+1} = C_0 z_1 + C_1 z_2 + \ldots + C_{m-1} z_m \bmod 2 \\
& \vdots \\
i = m-1: \quad & z_{2m-1} = C_0 z_{m-1} + C_1 z_m + \ldots + C_{m-1} z_{2m-2} \bmod 2
\end{aligned} \tag{2.1}$$

We now have $m$ linear equations in $m$ unknowns $C_0, C_1, \ldots, C_{m-1}$. The $C_i$ coefficients are constant, making it possible to solve for them when we have $2m$ plaintext-ciphertext pairs.

Rewriting Equation (2.1) in matrix form, we get:

$$\begin{bmatrix} z_0 & \cdots & z_{m-1} \\ \vdots & & \vdots \\ z_{m-1} & \cdots & z_{2m-2} \end{bmatrix} \cdot \begin{bmatrix} c_0 \\ \vdots \\ c_{m-1} \end{bmatrix} = \begin{bmatrix} z_m \\ \vdots \\ z_{2m-1} \end{bmatrix} \bmod 2 \tag{2.2}$$

Solving the matrix in (2.2) for the $C_i$ coefficients we get:

$$\begin{bmatrix} c_0 \\ \vdots \\ c_{m-1} \end{bmatrix} = \begin{bmatrix} z_0 & \cdots & z_{m-1} \\ \vdots & & \vdots \\ z_{m-1} & \cdots & z_{2m-2} \end{bmatrix}^{-1} \cdot \begin{bmatrix} z_m \\ \vdots \\ z_{2m-1} \end{bmatrix} \bmod 2 \tag{2.3}$$

Summary: By observing $2m$ output bits of an LFSR of degree $m$ and matching them to the known plaintext bits, the $C_i$ coefficients can exactly be constructed by solving a system of linear equations of degree $m$.

$\Rightarrow$ LFSRs by themselves are extremely unsecure! However, combinations of them such as the Alternating stop-and-go generator can be secure.
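The recovery described above, as an added example (not code from the lecture notes) that makes the summary's point concrete: the keystream is rebuilt from $2m$ known plaintext/ciphertext bits, the $m \times m$ system of Equation (2.2) is set up and solved by Gaussian elimination over GF(2), and a singular matrix (for instance an all-zero keystream window) is reported rather than silently yielding wrong coefficients. The plaintext bits and the $m = 4$ register used in the self-check are constructed values.

```python
"""Known-plaintext recovery of LFSR feedback coefficients (Section 2.4.1).
Constructed example; not code from the lecture notes."""
from typing import List, Sequence


def lfsr_keystream(coeffs: Sequence[int], init: Sequence[int], n: int) -> List[int]:
    """z_{i+m} = sum_j C_j * z_{i+j} mod 2; used here only to produce test material."""
    m = len(coeffs)
    z = list(init)
    while len(z) < n:
        z.append(sum(c & b for c, b in zip(coeffs, z[-m:])) % 2)
    return z[:n]


def solve_gf2(rows: List[List[int]], rhs: List[int]) -> List[int]:
    """Solve A * c = b over GF(2) by Gauss-Jordan elimination (XOR is both + and -).

    Raises ValueError when A is singular, i.e. this keystream window does not
    determine the coefficients uniquely (Equation (2.3) needs the inverse to exist)."""
    m = len(rows)
    aug = [list(row) + [b] for row, b in zip(rows, rhs)]   # augmented matrix [A | b]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("singular system: pick a different keystream window")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def recover_coefficients(plain: Sequence[int], cipher: Sequence[int], m: int) -> List[int]:
    """Steps (i)-(iii) and Equation (2.2): return (C_0, ..., C_{m-1})."""
    if len(plain) < 2 * m or len(cipher) < 2 * m:
        raise ValueError(f"need at least 2m = {2 * m} known plaintext/ciphertext bits")
    z = [x ^ y for x, y in zip(plain[:2 * m], cipher[:2 * m])]   # keystream z_i = x_i + y_i mod 2
    rows = [z[i:i + m] for i in range(m)]       # row i = (z_i, ..., z_{i+m-1})
    rhs = [z[i + m] for i in range(m)]          # right-hand side z_{i+m}
    return solve_gf2(rows, rhs)


def predicts_rest(plain: Sequence[int], cipher: Sequence[int], m: int) -> bool:
    """Check: do the recovered C_i regenerate every observed keystream bit, not just the 2m used?"""
    coeffs = recover_coefficients(plain, cipher, m)
    z = [x ^ y for x, y in zip(plain, cipher)]
    return lfsr_keystream(coeffs, z[:m], len(z)) == z


if __name__ == "__main__":
    # Constructed m = 4 register (x^4 + x + 1) and constructed plaintext bits.
    true_coeffs, init = (1, 1, 0, 0), (1, 0, 0, 0)
    plain = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
    cipher = [x ^ z for x, z in zip(plain, lfsr_keystream(true_coeffs, init, len(plain)))]
    print(recover_coefficients(plain, cipher, 4))   # [1, 1, 0, 0]
    print(predicts_rest(plain, cipher, 4))          # True
```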

Chapter 3 Some Results From Information Theory


3.1 Levels of Security
Definition 3.1.1 (Unconditional Security)
A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources.

Theorem 3.1.1 The OTP is unconditionally secure if keys are only used once.

3.2 Computational Security


For all known practical cryptosystems we have:

Definition 3.2.1 (Computational Security)
A system is "computationally secure" if the best possible algorithm for breaking it requires $N$ operations, where $N$ is very large and known.

Unfortunately, all known practical systems are only computationally secure for known algorithms.

Definition 3.2.2 (Relative Security)
A system is "relatively secure" if its security relies on a well studied, very hard problem.

Example:
A system S is secure as long as factoring of large integers is hard (this is believed for RSA).

3.3 Cryptography and Coding

There are three basic forms of coding in modern communication systems: source coding, channel coding, and encryption. From an information theoretical and practical point of view, the three forms of coding should be applied in the following order:

Data Source -> Source Coding (removes redundancy) -> Encryption -> Channel Coding (adds redundancy) -> Channel (introduces errors and eavesdropping) -> Channel Decoding -> Decryption -> Source Decoding -> Data Sink

Figure 3.1: Communication coding system model

3.4 Confusion and Diffusion

According to Shannon, there are two basic approaches to encryption.
1. Confusion: an encryption operation where the relationship between cleartext and ciphertext is obscured. Some examples are:
   (a) Shift cipher: the main operation is substitution.
   (b) German Enigma (broken by Turing): the main operation is "smart" substitution.
2. Diffusion: encryption by spreading out the influence of one cleartext letter over many ciphertext letters. An example is:
   (a) Permutations: changing the positioning of the cleartext.

Remarks:
1. Today, changing one bit of cleartext should result, on average, in the change of half the output bits.
   $x_1 = 001010 \rightarrow$ encr. $\rightarrow y_1 = 101110$.
   $x_2 = 000010 \rightarrow$ encr. $\rightarrow y_2 = 001011$.
2. Combining confusion with diffusion is a common practice for obtaining a secure scheme. The Data Encryption Standard (DES) is a good example of that.

x -> Diff-1 -> Conf-1 -> Diff-2 -> Conf-2 -> ... -> Diff-N -> Conf-N -> y_out   (product cipher)

Figure 3.2: Example of combining confusion with diffusion

Chapter 4 Data Encryption Standard (DES)

General Notes:

DES is by far the most popular private-key algorithm. It was published in 1975 and standardized in 1977. It expired in 1998.

4.1 Encryption
System Parameters:
- block cipher.
- 64 input/output bits.
- 56 bits of key.
Principle: 16 rounds of encryption.

Initial Permutation -> Encryption 1 ($K_1$) -> ... -> Encryption 16 ($K_{16}$) -> Final Permutation

Figure 4.1: General Model of DES

4.1.1 Overview

Figure 4.2 shows the Feistel network: the 64-bit message X passes the initial permutation IP(X) and is split into the halves $L_0$ and $R_0$ (32 bits each). In each of the 16 rounds, the 32-bit right half enters the f-function together with a 48-bit subkey $K_i$ (derived from the 56-bit key K by transform i), producing $(L_i, R_i)$. After round 16 the halves are swapped to $(R_{16}, L_{16})$ and the final permutation $IP^{-1}$ yields the cipher $Y = DES_K(X)$.

Figure 4.2: The Feistel Network

4.1.2 Permutations
(a) Initial Permutation IP. Entry k of the table (read row by row) gives the input bit position that is moved to output bit position k:

 IP   58 50 42 34 26 18 10  2
      60 52 44 36 28 20 12  4
      62 54 46 38 30 22 14  6
      64 56 48 40 32 24 16  8
      57 49 41 33 25 17  9  1
      59 51 43 35 27 19 11  3
      61 53 45 37 29 21 13  5
      63 55 47 39 31 23 15  7

Figure 4.3: Initial permutation (bits 1 ... 64 of X are mapped to bits 1 ... 64 of IP(X); e.g., input bit 58 becomes output bit 1, input bit 50 becomes output bit 2, and input bit 1 becomes output bit 40)

(b) Inverse Initial Permutation $IP^{-1}$ (final permutation).

Note:

$IP^{-1}(IP(X)) = X$.

4.1.3 Core Iteration (f-Function)

General Description:
$L_i = R_{i-1}$.
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$.

The core iteration is the f-function that takes the right half of the output of the previous round and the key as input.

Figure 4.4: Final permutation $IP^{-1}(Z)$ (the inverse of the table in Figure 4.3; e.g., bit 40 of Z becomes output bit 1)

Expansion E (bit-selection table): the 32-bit $R_{i-1}$ is expanded to 48 bits; each block of four bits is extended by its left and right neighbours (read row by row):

 E   32  1  2  3  4  5
      4  5  6  7  8  9
      8  9 10 11 12 13
     12 13 14 15 16 17
     16 17 18 19 20 21
     20 21 22 23 24 25
     24 25 26 27 28 29
     28 29 30 31 32  1

S-boxes:

Contain look-up tables (LUTs) with 64 numbers ranging from 0 ... 15. Input: a six-bit code selecting one number. Output: the four-bit binary representation of one number out of the 64.

Figure 4.5 (core function of DES): $R_{i-1}$ (32 bits) -> Expansion $E(R_{i-1})$ (48 bits; diffusion: spreading the influence of single bits) -> XOR with $K_i$ (48 bits) -> S-boxes $S_1 \ldots S_8$ (6 bits in, 4 bits out each; confusion: obscures the ciphertext/cleartext relationship; $8 \cdot 4 = 32$ bits, page 75 in Stinson) -> Permutation P (32 bits) -> XOR with $L_{i-1}$ -> $R_i$ (32 bits).

Figure 4.5: Core function of DES

Example:

S-Box 1 (rows 0 ... 3 from top, columns 0 ... 15 from left):

 S1   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
       0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
       4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
      15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

Input: a six-bit vector with the MSB and LSB selecting the row and the four inner bits selecting the column. $b = 100101$:
- row $= 11_2 = 3$ (fourth row).
- column $= 0010_2 = 2$ (third column).
- $S_1(37) = S_1(100101_2) = 8 = 1000_2$.

Remark:
S-boxes are the most crucial elements of DES because they introduce a nonlinear function to the algorithm, i.e., $S(a) \oplus S(b) \neq S(a \oplus b)$.
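The following Python code is an added example (not from the original notes): it implements the S-box 1 look-up with the row/column convention described above and then tests the nonlinearity remark exhaustively over all pairs of six-bit inputs. The table is S-box 1 as listed above; the function names are chosen here.

```python
# Added example: DES S-box 1 look-up (row = outer bits, column = inner bits) and an
# exhaustive check of the nonlinearity remark S(a) XOR S(b) != S(a XOR b).

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(table, b):
    """Map a 6-bit input b to a 4-bit output using the DES convention:
    the MSB and LSB select the row, the four inner bits select the column."""
    if not 0 <= b < 64:
        raise ValueError("S-box input must be a 6-bit value")
    row = (((b >> 5) & 1) << 1) | (b & 1)
    col = (b >> 1) & 0xF
    return table[row][col]

def linearity_matches(table):
    """Count input pairs (a, b) for which S(a) XOR S(b) == S(a XOR b).
    A linear S-box would satisfy this for all 64 * 64 pairs; returns (matches, total)."""
    matches = 0
    for a in range(64):
        for b in range(64):
            if sbox_lookup(table, a) ^ sbox_lookup(table, b) == sbox_lookup(table, a ^ b):
                matches += 1
    return matches, 64 * 64

def is_linear(table):
    matches, total = linearity_matches(table)
    return matches == total

def linearity_counterexample(table):
    """Return the first (a, b) with S(a) XOR S(b) != S(a XOR b), or None."""
    for a in range(64):
        for b in range(64):
            if sbox_lookup(table, a) ^ sbox_lookup(table, b) != sbox_lookup(table, a ^ b):
                return a, b
    return None

if __name__ == "__main__":
    print("S1(100101) =", sbox_lookup(S1, 0b100101))     # 8, as in the worked example
    print("S1 linear?", is_linear(S1), "counterexample:", linearity_counterexample(S1))
```

The same `sbox_lookup` works for S-boxes 2 to 8 once their tables are supplied in the same row/column layout; the linearity check is what one would run when reviewing any substitution table proposed for a cipher.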

4.1.4 Key Schedule

Note:
The 64-bit DES key block consists of eight groups of 7 key bits, each followed by one parity bit P.

Figure 4.6: 64 bit DES block

In practice the DES key is artificially enlarged with odd parity bits. These bits are "stripped" in PC-1.

Figure 4.7 (DES key scheduler): K (64 bits) -> PC-1 (56 bits) -> $C_0$, $D_0$ (28 bits each) -> LS 1 / LS 1 -> $C_1$, $D_1$ -> PC-2 -> $K_1$ (48 bits); LS 2 / LS 2 -> ... ; LS 16 / LS 16 -> $C_{16}$, $D_{16}$ -> PC-2 -> $K_{16}$ (48 bits).

Figure 4.7: DES key scheduler

The cyclic Left-Shift (LS) blocks have two modes of operation:
(a) for $LS_i$ where $i = 1, 2, 9, 16$, the block is shifted once.
(b) for $LS_i$ where $i \neq 1, 2, 9, 16$, the block is shifted twice.

Remark:
The total number of cyclic left-shifts is $4 \cdot 1 + 12 \cdot 2 = 28$. As a result of this, $C_0 = C_{16}$ and $D_0 = D_{16}$.

4.2 Decryption
One advantage of DES is that decryption is essentially the same as encryption. Only the key schedule is reversed. This is due to the fact that DES is based on a Feistel network.

Question: Why does decryption work essentially the same as encryption?

(a) Find what happens in the initial stage of decryption!
$(L_0^d, R_0^d) = IP(Y) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16})$.
$L_0^d = R_{16}$.
$R_0^d = L_{16} = R_{15}$.
(b) Find what happens in the iterations! What are $(L_1^d, R_1^d)$?
$L_1^d = R_0^d = L_{16} = R_{15}$.
Substitute into the above equation to get:
$R_1^d = L_0^d \oplus f(R_0^d, k_{16}) = R_{16} \oplus f(L_{16}, k_{16})$.
$R_1^d = L_{15} \oplus f(R_{15}, k_{16}) \oplus f(R_{15}, k_{16}) = L_{15}$.
In general: $L_i^d = R_{16-i}$ and $R_i^d = L_{16-i}$, such that $L_{16}^d = R_0$ and $R_{16}^d = L_0$.
(c) Find what happens in the final stage!
$IP^{-1}(R_{16}^d, L_{16}^d) = IP^{-1}(L_0, R_0) = IP^{-1}(IP(X)) = X$. q.e.d.

Figure 4.8 (decryption of DES): the cipher Y = DES(X) (64 bits) enters the initial permutation IP and is split into $L_0^d$, $R_0^d$ (32 bits each); the 16 rounds use the subkeys in reverse order, $K_{16}$ (transform 16) in round 1 down to $K_1$ (transform 1) in round 16, with the 64-bit key K passing PC-1 (56 bits) as in encryption; after $(L_{16}, R_{16})$ the final permutation $IP^{-1}$ gives $X = DES^{-1}(Y) = DES^{-1}(DES(X))$.

Figure 4.8: Decryption of DES

Reversed Key Schedule: Question: Given K, how can we easily generate $k_{16}$?
$k_{16} = PC2(C_{16}, D_{16}) = PC2(C_0, D_0) = PC2(PC1(K))$.
$k_{15} = PC2(C_{15}, D_{15}) = PC2(RS_1(C_{16}), RS_1(D_{16})) = PC2(RS_1(C_0), RS_1(D_0))$.
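As an added example (not the notes' own code and not DES itself), here is a generic Feistel network in Python that makes the argument of Section 4.2 executable: decryption is the encryption routine run with the subkeys in reverse order, and the round function f need not be invertible. The round function, the key schedule and the test values are constructed toys; only the Feistel structure (32-bit halves, $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$, final swap) follows the notes.

```python
# Added example: a generic Feistel network showing why decryption is the encryption
# routine with the subkeys in reverse order. The round function and key schedule
# are constructed toys (not DES's f, PC-1/PC-2 or S-boxes); the block is 64 bits
# with 32-bit halves like DES.

MASK32 = 0xFFFFFFFF

def toy_round_function(r, k):
    """Constructed, non-invertible f(R, k): a Feistel network never needs f^-1."""
    v = (r ^ k) & MASK32
    v = (v * 0x9E3779B1) & MASK32                 # multiply by an odd constant
    return (v ^ (v >> 13) ^ (v << 7)) & MASK32

def toy_key_schedule(key, rounds=16):
    """Constructed schedule: subkey i is a rotation of the 32-bit key
    (DES uses PC-1, cyclic shifts of C and D, and PC-2 instead)."""
    key &= MASK32
    return [((key << i) | (key >> (32 - i))) & MASK32 for i in range(rounds)]

def feistel(block, subkeys, f=toy_round_function):
    """One pass through the network: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, k_i),
    followed by the final swap so that the output is (R_16, L_16), as in DES."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left

def encrypt(block, key):
    return feistel(block, toy_key_schedule(key))

def decrypt(block, key):
    # Section 4.2: the same network, key schedule reversed (k_16 first, k_1 last).
    return feistel(block, list(reversed(toy_key_schedule(key))))

if __name__ == "__main__":
    x, k = 0x0123456789ABCDEF, 0x0F1E2D3C          # constructed plaintext and key
    y = encrypt(x, k)
    print(hex(y), hex(decrypt(y, k)))
```

Because the output swap is part of `feistel`, feeding $(R_{16}, L_{16})$ back in with the reversed schedule reproduces exactly the chain $L_i^d = R_{16-i}$, $R_i^d = L_{16-i}$ derived above; the same function serves as both encryptor and decryptor.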

4.3 Implementation
Note:
One design criterion for DES was fast hardware implementation.

4.3.1 Hardware
Since permutations and simple table look-ups are fast in hardware, DES can be implemented very efficiently [AM97, page 362]. Fastest implementation: $\approx 9$ Gbit/s as a $0.6\,\mu$m technology ASIC [WPR+99] with a 16-stage pipeline.

4.3.2 Software
Record: 130 Mbit/s by Biham [Bih97]. Typically: a few 10 Mbit/s.

4.4 Attacks
There have been two major points of criticism about DES from the beginning: (i) the key size is too small, (ii) the S-boxes contained secret design criteria.

Figure 4.9 (reversed key scheduler): K (56 bits) -> PC-1 (56 bits) -> $C_0 = C_{16}$, $D_0 = D_{16}$ (28 bits each) -> PC-2 -> $K_{16}$ (48 bits); RS 1 / RS 1 -> $C_{15}$, $D_{15}$ -> PC-2 -> $K_{15}$; RS 2 / RS 2 -> ... ; RS 15 / RS 15 -> $C_1$, $D_1$ -> PC-2 -> $K_1$.

Figure 4.9: Reversed key scheduler for decryption of DES

4.4.1 Exhaustive Key Search

Known Plaintext Attack:
known: X and Y. unknown: K, such that $Y = DES_K(X)$.
Idea: test all $2^{56}$ possible keys: $DES_{k_i}(X) \stackrel{?}{=} Y$; $i = 0, 1, \ldots, 2^{56} - 1$.

4.4.2 Differential Cryptanalysis

Principle:
Proposed by Biham and Shamir in 1990. Consider differences in plaintext/ciphertext pairs and deduce the likelihood of certain keys. 16-round DES requirements: with chosen plaintext, $2^{47}$ X,Y pairs are needed; with known plaintext, $2^{55}$ X,Y pairs are needed; $2^{37}$ arithmetic operations are needed. Since each X,Y pair is 128 bits long, large storage is needed, which makes this attack highly impractical!

Remark: The DES S-boxes are optimized against differential cryptanalysis.

4.4.3 Linear Cryptanalysis

Principle:
Proposed by Matsui in 1993 and presented at CRYPTO'94. Consider differences in plaintext/ciphertext pairs and deduce the likelihood of certain key bits. The actual attack was implemented:
- with $2^{43}$ known plaintexts, the key was recovered in 50 days,
- using 12 HP RISC workstations running at 99 MHz.

Remark: The S-box design of DES is not optimized for this attack.

Date       Proposed / implemented attack
1977       Diffie & Hellman estimate the cost of a key search machine (underestimate)
1990       Biham & Shamir propose differential cryptanalysis ($2^{47}$ chosen ciphertexts)
1993       Mike Wiener proposes a detailed hardware design for a key search machine: average search time of 36 h at USD 100,000
1993       Matsui proposes linear cryptanalysis ($2^{43}$ chosen ciphertexts)
Jun. 1997  DES Challenge I broken, distributed effort took 4.5 months
Feb. 1998  DES Challenge II-1 broken, distributed effort took 39 days
Jul. 1998  DES Challenge II-2 broken, key-search machine built by the Electronic Frontier Foundation (EFF): 1800 ASICs, each with 24 search units, USD 250K, 15 days average, actual time 56 hours
Jan. 1999  DES Challenge III broken, distributed effort combined with EFF's key-search machine, it took 22 hours and 15 minutes.

Table 4.1: History of full-round DES attacks

4.5 DES Alternatives

There exists a wealth of other block ciphers. A small collection of as yet unbroken ciphers is:

Algorithm   Year    Inventor         X,Y (bits)  Key (bits)    Core Operation
AES         2000+   ?                128         128/192/256   ?
Triple DES                           64          112           S-box
IDEA        90/92   Lai & Massey     64          128           modulo arithmetic
Cast        93      Adams & Tavares  64          64            variable S-boxes
Safer       94      Massey           64          64/128        modulo arithmetic

For further reading, consult Chapters 13 and 14 in [Sch93].

Chapter 5 Rijndael (The Advanced Encryption Standard)

5.1 History

5.1.1 Basic Facts about AES

- Successor to DES.
- The AES selection process was administered by NIST.
- Unlike DES, the AES selection was an open (i.e., public) process.
- Likely to be the dominant secret-key algorithm in the next decade.
- Main AES requirements by NIST:
  - Block cipher with 128 I/O bits
  - Three key lengths must be supported: 128/192/256 bits
  - Security relative to other submitted algorithms
  - Efficient software and hardware implementations

See http://www.nist.gov/aes for further information on AES.

5.1.2 Chronology of the AES Process

- Development announced on January 2, 1997 by the National Institute of Standards and Technology (NIST).
- 15 candidate algorithms accepted on August 20th, 1998.
- 5 finalists announced on August 9th, 1999:
  - Mars, IBM Corporation.
  - RC6, RSA Laboratories.
  - Rijndael, J. Daemen & V. Rijmen.
  - Serpent, Eli Biham et al.
  - Twofish, B. Schneier et al.
- Monday October 2nd, 2000, NIST chooses Rijndael as the AES.
- A lot of work went into software and hardware performance analysis of the AES candidate algorithms. Here are representative numbers:

Algorithm   Pentium-Pro @ 200 MHz, Mbit/sec [WWGP00]   FPGA Hardware, Gbit/sec [EYCP00]
MARS        69
RC6         105                                         2.4
Rijndael    71                                          1.9
Serpent     27                                          4.9
Twofish     95                                          1.6

Table 5.1: Speeds of the AES Finalists in Hardware and Software

5.2 Rijndael Overview

Figure 5.1 (AES block and key sizes): 128-bit input -> Rijndael -> 128-bit output, with a key k of 128/192/256 bits.

Figure 5.1: AES Block and Key Sizes

Both block size and key length of Rijndael are variable. The sizes shown in Figure 5.1 are the ones required by the AES Standard. The number of rounds (or iterations) $n_r$ is a function of the key length:

Key length (bits)     128   192   256
$n_r$ (= # rounds)     10    12    14

Table 5.2: Key lengths and number of rounds for Rijndael

However, Rijndael also allows block sizes of 192 and 256 bits. For those block sizes the number of rounds must be increased.

Important: Rijndael does not have a Feistel structure. Feistel networks do not encrypt an entire block per iteration (e.g., in DES, 64/2 = 32 bits are encrypted in one iteration). Rijndael encrypts all 128 bits in one iteration. As a consequence, Rijndael has a comparably small number of rounds.

Rijndael uses three different types of layers. Each layer operates on all 128 bits of a block:
1. Key Addition Layer: XORing of the subkey.
2. Byte Substitution Layer: 8-by-8 S-box substitution.
3. Diffusion Layer: provides diffusion over all 128 (or 192 or 256) block bits. It is split into two sub-layers:
   (a) ShiftRow Layer.
   (b) MixColumn Layer.
The ShiftRow and MixColumn stages form a linear Diffusion Layer.

Remark: The ByteSubstitution Layer introduces confusion with a non-linear operation.

5.3 Some Mathematics: A Very Brief Introduction to Galois Fields

"Galois fields" are used to perform substitution and diffusion in Rijndael.

Question: What are Galois fields?

Galois fields are fields with a finite number of elements. Roughly speaking, a field is a structure in which we can add, subtract, multiply, and compute inverses. More exactly, a field is a ring in which all elements except 0 are invertible.

Fact 5.3.1 Let p be a prime. GF(p) is a "prime field," i.e., a Galois field with a prime number of elements. All arithmetic in GF(p) is done modulo p.

Example: GF(3) = {0, 1, 2}

addition
 +  | 0  1  2
 0  | 0  1  2
 1  | 1  2  0
 2  | 2  0  1

additive inverse: $-0 = 0$, $-1 = 2$, $-2 = 1$

multiplication
 *  | 0  1  2
 0  | 0  0  0
 1  | 0  1  2
 2  | 0  2  1

multiplicative inverse: $0^{-1}$ does not exist, $1^{-1} = 1$, $2^{-1} = 2$ (since $2 \cdot 2 \equiv 1 \bmod 3$)

Figure 5.2 (Rijndael encryption block diagram): an initial Key Addition Layer precedes round 1; rounds $1 \ldots n_r - 1$ each consist of a ByteSubstitution Layer, a Diffusion Layer (ShiftRow SubLayer followed by MixColumn SubLayer) and a Key Addition Layer; the last round $n_r$ consists of ByteSubstitution Layer, ShiftRow SubLayer and Key Addition Layer (no MixColumn).

Figure 5.2: Rijndael encryption block diagram

Theorem 5.3.1 For every power $p^m$, p a prime and m a positive integer, there exists a finite field with $p^m$ elements, denoted by $GF(p^m)$.

Examples:
- GF(5) is a finite field.
- GF(256) = GF($2^8$) is a finite field.
- GF(12) = GF($3 \cdot 2^2$) is NOT a finite field (in fact, the notation is already incorrect and you should pretend you never saw it).

Question: How to build "extension fields" $GF(p^m)$, $m > 1$? (Note: see also [Sti95, Section 5.2.1].)

1. Represent elements as polynomials with m coefficients. Each coefficient is an element of GF(p).
   Example: $A \in GF(2^8)$: $A \rightarrow A(x) = a_7 x^7 + \cdots + a_1 x + a_0$, $a_i \in GF(2) = \{0, 1\}$.

2. Addition and subtraction in $GF(p^m)$:
   $C(x) = A(x) + B(x) = \sum_{i=0}^{m-1} c_i x^i$, $c_i = a_i + b_i \bmod p$.
   Example: $A, B \in GF(2^8)$
   $A(x) = x^7 + x^6 + x^4 + 1$
   $B(x) = x^4 + x^2 + 1$
   $C(x) = x^7 + x^6 + x^2$

3. Multiplication in $GF(p^m)$: multiply the two polynomials using the polynomial multiplication rule, with coefficient arithmetic done in GF(p). The resulting polynomial will have degree up to $2m - 2$.

   $A(x) \cdot B(x) = (a_{m-1} x^{m-1} + \cdots + a_0)(b_{m-1} x^{m-1} + \cdots + b_0) = C'(x) = c'_{2m-2} x^{2m-2} + \cdots + c'_0$
   where:
   $c'_0 = a_0 b_0 \bmod p$
   $c'_1 = a_0 b_1 + a_1 b_0 \bmod p$
   ...
   $c'_{2m-2} = a_{m-1} b_{m-1} \bmod p$

   Question: How to reduce $C'(x)$ to a polynomial of maximum degree $m - 1$?
   Answer: Use modular reduction, similar to multiplication in GF(p). For arithmetic in $GF(p^m)$ we need an irreducible polynomial of degree m with coefficients from GF(p). Irreducible polynomials do not factor (except for trivial factors involving 1) into smaller polynomials from GF(p).

   Example 1: $P(x) = x^4 + x + 1$ is irreducible over GF(2) and can be used to construct $GF(2^4)$.
   $C = A \cdot B \Leftrightarrow C(x) = A(x) \cdot B(x) \bmod P(x)$
   $A(x) = x^3 + x^2 + 1$
   $B(x) = x^2 + x$
   $C'(x) = A(x) \cdot B(x) = (x^5 + x^4 + x^2) + (x^4 + x^3 + x) = x^5 + x^3 + x^2 + x$
   $x^4 = 1 \cdot P(x) + (x + 1) \Rightarrow x^4 \equiv x + 1 \bmod P(x)$
   $x^5 \equiv x^2 + x \bmod P(x)$
   $C(x) = C'(x) \bmod P(x) = (x^2 + x) + x^3 + x^2 + x = x^3$

   Note: in a typical computer representation, the multiplication corresponds to the following unusual-looking operation on bit vectors:
   $A \cdot B = C$: $(1\,1\,0\,1) \cdot (0\,1\,1\,0) = (1\,0\,0\,0)$

   Example 2: $x^4 + x^3 + x + 1$ is reducible since $x^4 + x^3 + x + 1 = (x^2 + x + 1)(x^2 + 1)$.

4. Inversion in $GF(p^m)$: the inverse $A^{-1}$ of $A \in GF(p^m)$ is defined as:
   $A^{-1}(x) \cdot A(x) = 1 \bmod P(x)$
   Perform the Extended Euclidean Algorithm with $A(x)$ and $P(x)$ as inputs:
   $s(x) P(x) + t(x) A(x) = \gcd(P(x), A(x)) = 1 \Rightarrow t(x) A(x) = 1 \bmod P(x) \Rightarrow t(x) = A^{-1}(x)$

   Example: Inverse of $x^2 \in GF(2^3)$, with $P(x) = x^3 + x + 1$
   $x^3 + x + 1 = (x)(x^2) + (x + 1)$
   $x + 1 = (1)(x) + 1$
   $x = (x)(1) + 0$
   $t_0 = 0$, $t_1 = 1$
   $t_2 = t_0 - q_1 t_1 = -q_1 = -x = x$
   $t_3 = t_1 - q_2 t_2 = 1 - q_2 x = 1 - x = x + 1$
   $(x^2)^{-1} = t(x) = t_3 = x + 1$
   Check: $(x + 1) x^2 = x^3 + x = (x + 1) + x \equiv 1 \bmod P(x)$, since $x^3 \equiv x + 1 \bmod P(x)$.

   Remark: In every iteration of the Euclidean algorithm, you should use long division (not shown above) to uniquely determine $q_i$ and $r_i$.

5.4 Internal Structure

In the following, we assume a block length of 128 bits. The ShiftRow Sublayer works slightly differently for other block sizes.

5.4.1 Byte Substitution Layer

Splits the incoming 128 bits into 128/8 = 16 bytes. Each byte A is considered an element of $GF(2^8)$ and undergoes the following substitution individually:
1. $B = A^{-1} \in GF(2^8)$, where $P(x) = x^8 + x^4 + x^3 + x + 1$.
2. Apply the affine transformation defined by:

$$\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \\ c_4 \\ c_5 \\ c_6 \\ c_7 \end{pmatrix} = \begin{pmatrix} 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \\ 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix} + \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}$$

where $(b_7 \cdots b_0)$ is the vector representation of $B(x) = A^{-1}(x)$.

The vector $C = (c_7 \cdots c_0)$ representing the field element $c_7 x^7 + \cdots + c_1 x + c_0$ is the result of the substitution: $C = \mathrm{ByteSub}(A)$. The entire substitution can be realized as a look-up in a 256-by-8-bit table with fixed entries.

Remark: Unlike DES, Rijndael applies the same S-box to each byte.

5.4.2 Diffusion Layer

Unlike the non-linear substitution layer, the diffusion layer performs a linear operation on input words A, B. That means:
$DIFF(A) \oplus DIFF(B) = DIFF(A + B)$
The diffusion layer consists of two sublayers.

ShiftRow SubLayer
1. Write an input word A as 128/8 = 16 bytes and order them in a square array:
   Input $A = (a_0, a_1, \ldots, a_{15})$

    a0   a4   a8   a12
    a1   a5   a9   a13
    a2   a6   a10  a14
    a3   a7   a11  a15

2. Shift cyclically row-wise as follows:

    a0   a4   a8   a12     0 positions
    a5   a9   a13  a1      3 positions right shift
    a10  a14  a2   a6      2 positions right shift
    a15  a3   a7   a11     1 position right shift

MixColumn SubLayer
Principle: each column of 4 bytes is individually transformed into another column.

Question: How?

Each 4-byte column is considered as a vector and multiplied by a $4 \times 4$ matrix. The matrix contains constant entries. Multiplication and addition of the coefficients is done in $GF(2^8)$.

$$\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$$

Remarks:
1. Each $c_i$, $b_i$ is an 8-bit value representing an element from $GF(2^8)$.
2. The small values {01, 02, 03} allow for a very efficient implementation of the coefficient multiplication in the matrix. In software implementations, multiplication by 02 and 03 can be done through table look-up in a 256-by-8 table.
3. Additions in the vector-matrix multiplication are XORs.
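The following Python block is an added example (not the notes' or the Rijndael designers' code) that serves three passages at once: the $GF(2^m)$ multiplication and inversion of Section 5.3 (it reproduces Example 1, $(x^3 + x^2 + 1)(x^2 + x) = x^3$ in $GF(2^4)$, and verifies every inverse by multiplying it back, which is the check worth applying to hand computations), the ByteSub of Section 5.4.1 (inverse in $GF(2^8)$ followed by the affine transformation in the standard bit ordering $c_i = b_i + b_{i+4} + b_{i+5} + b_{i+6} + b_{i+7} + \mathrm{const}_i$, indices mod 8), and the MixColumn matrix of Section 5.4.2. Field elements are Python ints whose bits are the polynomial coefficients; function names and the check values in `__main__` are constructed here.

```python
# Added example: GF(2^m) arithmetic on bit-vector polynomials, the AES ByteSub
# (inverse in GF(2^8) followed by the affine transformation) and the MixColumn
# matrix. Helper names and the test vectors in __main__ are constructed here;
# the polynomials and matrices are those given in the notes.

def poly_mul(a, b):
    """Multiply two binary polynomials without reduction (degree up to 2m-2)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def poly_divmod(a, b):
    """Long division of binary polynomials: a = q*b + r with deg(r) < deg(b)."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_mul(a, b, poly):
    """Product in GF(2^m) modulo the irreducible polynomial poly (bit m set)."""
    return poly_divmod(poly_mul(a, b), poly)[1]

def gf_inv(a, poly):
    """Inverse via the extended Euclidean algorithm: find t with t*A = 1 mod P.
    Subtraction over GF(2) is XOR, so t_{i+1} = t_{i-1} XOR q_i * t_i."""
    a = poly_divmod(a, poly)[1]
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    r0, r1, t0, t1 = poly, a, 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("gcd != 1: poly is not irreducible")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    return t1

AES_POLY = 0b1_0001_1011          # P(x) = x^8 + x^4 + x^3 + x + 1
AFFINE_CONST = 0x63               # constant vector, bits c_0..c_7 = 1,1,0,0,0,1,1,0

def byte_sub(a):
    """AES S-box: B = A^-1 (with 0 -> 0), then the affine transformation."""
    b = gf_inv(a, AES_POLY) if a else 0
    c = 0
    for i in range(8):
        bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
               ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8)) ^ (AFFINE_CONST >> i))
        c |= (bit & 1) << i
    return c

MIX_MATRIX = [[0x02, 0x03, 0x01, 0x01],
              [0x01, 0x02, 0x03, 0x01],
              [0x01, 0x01, 0x02, 0x03],
              [0x03, 0x01, 0x01, 0x02]]

def mix_column(col):
    """MixColumn: c = M * b with products in GF(2^8) and additions as XOR."""
    out = []
    for row in MIX_MATRIX:
        acc = 0
        for m, b in zip(row, col):
            acc ^= gf_mul(m, b, AES_POLY)
        out.append(acc)
    return out

if __name__ == "__main__":
    # Example 1 of Section 5.3: 1101 * 0110 = 1000 in GF(2^4) with P(x) = x^4 + x + 1
    print(bin(gf_mul(0b1101, 0b0110, 0b10011)))
    print(hex(byte_sub(0x53)))                                # constructed check value
    print([hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```

A full S-box table is obtained by calling `byte_sub` for all 256 inputs once, which is the 256-by-8-bit look-up table mentioned in Section 5.4.1; the inverse table for decryption is the same list indexed the other way round.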

5.4.3 Key Addition Layer

Simple bitwise XOR with a 128-bit subkey.

5.5 Decryption
Unlike DES and other Feistel ciphers, all of Rijndael's layers must actually be inverted.

Figure 5.3 (Rijndael decryption block diagram): starting from y, a Key Addition Layer, an Inv ShiftRow SubLayer and an Inv ByteSubstitution Layer form the inverse of round $n_r$; the inverses of rounds $n_r - 1, \ldots, 1$ each consist of Key Addition Layer, Inv MixColumn SubLayer, Inv ShiftRow SubLayer and Inv ByteSubstitution Layer; a final Key Addition Layer yields x.

Figure 5.3: Rijndael decryption block diagram

Chapter 6 More about Block Ciphers

Further Reading: Section 8.1 in [Sch93]. Note: The following modes are applicable to all block ciphers $e_k(X)$.

6.1 Modes of Operation

6.1.1 Electronic Codebook Mode (ECB)

Figure 6.1 (ECB model): each block $X_i$ is encrypted independently, $Y_i = e_k(X_i)$, and decrypted with $e_k^{-1}$.

Figure 6.1: ECB model

General Description: $e_k^{-1}(Y_i) = e_k^{-1}(e_k(X_i)) = X_i$, where the encryption can, for instance, be DES.

Problem: This mode is susceptible to a substitution attack because the same $X_i$ are mapped to the same $Y_i$. Example: Bank transfer.

Block #   1              2                  3               4                   5
          Sending        Sending            Receiving       Receiving           Amount
          Bank A         Account #          Bank B          Account #           (USD)

Figure 6.2: ECB example
1. Tap the encrypted line to bank B.
2. Send USD 1.00 transfers to own account at bank B repeatedly; block 4 can be identified and recorded.
3. Replace block 4 in all messages to bank B.
4. Withdraw money and fly to Paraguay.

Note: This attack is possible only for single-block transmission.
6.1.2 Cipher Block Chaining Mode (CBC)

Beginning: $Y_0 = e_k(X_0 \oplus IV)$, $X_0 = e_k^{-1}(Y_0) \oplus IV$.
Encryption: $Y_i = e_k(X_i \oplus Y_{i-1})$.
Decryption: $X_i = e_k^{-1}(Y_i) \oplus Y_{i-1}$.

Question: How does it work?
$e_k^{-1}(Y_i) \oplus Y_{i-1} = e_k^{-1}(e_k(X_i \oplus Y_{i-1})) \oplus Y_{i-1} = X_i \oplus Y_{i-1} \oplus Y_{i-1} = X_i$. q.e.d.

Figure 6.3 (CBC model): encryption XORs $X_i$ with $Y_{i-1}$ (IV for $i = 0$) before $e$; decryption applies $e^{-1}$ to $Y_i$ and XORs the result with $Y_{i-1}$ (IV for $i = 0$) to recover $X_i$.

Figure 6.3: CBC model

Remark: The Initial Vector (IV) can be transmitted initially in cleartext.


6.1.3 Cipher Feedback Mode (CFB)

Assumption: block cipher with b bits block width and message with block width l, $1 \le l \le b$.

Figure 6.4 (CFB model): a b-bit shift register SR feeds the block cipher $e_k$; the leftmost l bits of its output $\tilde{z}_i$ form $z_i$, which is XORed with the l-bit $X_i$ to give $Y_i$; $Y_{i-1}$ is shifted into the rightmost l positions of SR. The receiver runs the same structure and XORs $z_i$ with $Y_i$ to recover $X_i$.

Figure 6.4: CFB model

Procedure:
1. Load the shift register with the initial value IV.
2. Encrypt: $e_k(IV) = \tilde{z}_0$.
3. Take the leftmost l bits: $\tilde{z}_0 \rightarrow z_0$.
4. Encrypt data: $Y_0 = X_0 \oplus z_0$.
5. Shift the shift register and load $Y_0$ into the rightmost SR position.
6. Go back to 2, substituting $e_k(IV)$ with $e_k(SR)$.

6.1.4 Counter Mode

Notes:

- Another mode which uses a block cipher as a pseudo-random generator.
- Counter Mode does not rely on previous ciphertext for encrypting the next block. It is therefore well suited for parallel hardware implementation, with several encryption blocks working in parallel.
- Counter Mode stems from the Security Group of the ATM Forum, where high data rates required parallelization of the encryption process.

Description of Counter Mode:

1. An n-bit initial vector IV is loaded into a maximum length LFSR. The IV can be publicly known, although a secret IV (i.e., the IV is considered part of the private key) turns the counter mode system into a non-deterministic cipher, which makes cryptanalysis harder.
2. Encrypt the block cipher input.

Figure 6.5 (Counter Mode model): the n-bit LFSR state is the input of the block cipher; its n-bit output is XORed with X to give Y.

Figure 6.5: Counter Mode model

3. The block cipher output is considered a pseudorandom mask which is XORed with the plaintext.
4. The LFSR is clocked once (note: all input bits of the block cipher are shifted by one position).
5. Go to Step 2.

Note that the period of a counter mode is $\le n \cdot 2^n$, which is very large for modern block ciphers, e.g., $128 \cdot 2^{128} = 2^{135}$ for AES algorithms.
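As an added example for Sections 6.1.1 to 6.1.4 (not code from the notes), the Python block below implements ECB, CBC, CFB and counter mode on top of a constructed 16-bit toy block cipher. The toy cipher is deliberately trivial (an affine map, chosen only because it is invertible in one line); the point is the mode logic, including a small detector for repeated ciphertext blocks, which is the symptom ECB exhibits on repeated plaintext. The counter is incremented rather than clocked through an LFSR as in Figure 6.5; that is the variant standardized as CTR mode.

```python
# Added example: ECB, CBC, CFB and counter mode built on a constructed 16-bit toy
# block cipher. The toy cipher is NOT secure (it is affine); it is only there so the
# mode logic can be run and inverted. Messages, keys and IVs below are constructed.

import os

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1
MULT = 0x6D01                                   # odd, hence invertible modulo 2^16
MULT_INV = pow(MULT, -1, 1 << BLOCK_BITS)

def toy_encrypt(k, x):
    return ((x ^ k) * MULT) & MASK

def toy_decrypt(k, y):
    return ((y * MULT_INV) & MASK) ^ k

def ecb_encrypt(k, blocks):
    """Y_i = e_k(X_i): equal plaintext blocks give equal ciphertext blocks."""
    return [toy_encrypt(k, x) for x in blocks]

def ecb_decrypt(k, blocks):
    return [toy_decrypt(k, y) for y in blocks]

def cbc_encrypt(k, iv, blocks):
    """Y_0 = e_k(X_0 XOR IV), Y_i = e_k(X_i XOR Y_{i-1})."""
    out, prev = [], iv
    for x in blocks:
        prev = toy_encrypt(k, x ^ prev)
        out.append(prev)
    return out

def cbc_decrypt(k, iv, blocks):
    """X_i = e_k^{-1}(Y_i) XOR Y_{i-1}, with Y_{-1} = IV."""
    out, prev = [], iv
    for y in blocks:
        out.append(toy_decrypt(k, y) ^ prev)
        prev = y
    return out

def cfb_encrypt(k, iv, units, l=8):
    """CFB with l-bit units: z_i = leftmost l bits of e_k(SR), Y_i = X_i XOR z_i,
    then SR is shifted by l and Y_i loaded into its rightmost l bits."""
    out, sr = [], iv
    for x in units:
        z = toy_encrypt(k, sr) >> (BLOCK_BITS - l)
        y = x ^ z
        out.append(y)
        sr = ((sr << l) | y) & MASK
    return out

def cfb_decrypt(k, iv, units, l=8):
    out, sr = [], iv
    for y in units:
        z = toy_encrypt(k, sr) >> (BLOCK_BITS - l)
        out.append(y ^ z)
        sr = ((sr << l) | y) & MASK
    return out

def ctr_crypt(k, iv, blocks):
    """Counter mode: mask block i with e_k(IV + i); the same call decrypts."""
    return [x ^ toy_encrypt(k, (iv + i) & MASK) for i, x in enumerate(blocks)]

def repeated_blocks(ciphertext):
    """Detection aid: (earlier index, later index) for ciphertext blocks that repeat.
    In ECB these expose repeated plaintext blocks."""
    seen, hits = {}, []
    for i, y in enumerate(ciphertext):
        if y in seen:
            hits.append((seen[y], i))
        else:
            seen[y] = i
    return hits

if __name__ == "__main__":
    key = 0x1F2E
    msg = [0x4142, 0x4142, 0x4142, 0x0D0A]           # constructed: repeated "AB" blocks
    iv = int.from_bytes(os.urandom(2), "big")        # fresh IV per message
    print("ECB repeats:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, msg)))
    print("CTR roundtrip:", ctr_crypt(key, iv, ctr_crypt(key, iv, msg)) == msg)
```

With a real block cipher the same functions apply unchanged to 64- or 128-bit blocks; what changes is only `toy_encrypt`/`toy_decrypt`. The CBC decrypt with a wrong IV corrupts exactly the first block (the IV enters only $X_0$), which is the behaviour the derivation in Section 6.1.2 predicts.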

6.2 Key Whitening

Figure 6.6 (whitening example): $X_i \rightarrow \oplus\, k_2 \rightarrow e_{k_1} \rightarrow \oplus\, k_3 \rightarrow Y_i$.

Figure 6.6: Whitening example

Encryption: $Y = e_{k_1, k_2, k_3}(X) = e_{k_1}(X \oplus k_2) \oplus k_3$.
Decryption: $X = e_{k_1}^{-1}(Y \oplus k_3) \oplus k_2$.

Popular example: DESX.


6.3 Multiple Encryption

6.3.1 Double Encryption

Note: The keyspace of this encryption is $|k| = 2^k \cdot 2^k = 2^{2k}$.

However, using the meet-in-the-middle attack, the key search is reduced significantly.

Figure 6.7 (double encryption and meet-in-the-middle attack): $Y = e_{k_j}(e_{k_i}(X))$; from the left, $e_{k_i}(X) = z^{(1)}_i$, from the right, $e_{k_j}^{-1}(Y) = z^{(2)}_j$, and the two meet in the middle.

Figure 6.7: Double encryption and meet-in-the-middle attack

Meet in the middle attack:
Input: some pairs $(x', y'), (x'', y''), \ldots$
Idea: compute $z^{(1)}_i = e_{k_i}(x')$ and $z^{(2)}_j = e_{k_j}^{-1}(y')$.
Problem: to find a matching pair such that $z^{(1)}_i = z^{(2)}_j$.

Procedure:
1. Compute a look-up table for all $(z^{(1)}_i, k_i)$, $i = 1, 2, \ldots, 2^k$, and store it in memory. The number of entries in the table is $2^k$, with each entry being k bits wide.
2. Find matching $z^{(2)}_j$:
   (a) compute $z^{(2)}_j = e_{k_j}^{-1}(y')$.
   (b) if $z^{(2)}_j$ is in the look-up table, i.e., if $z^{(2)}_j = z^{(1)}_i$ for the current keys $k_i$ and $k_j$, check a few other pairs $(x'', y''), (x''', y'''), \ldots$
   (c) if $k_i$ and $k_j$ give matching encryptions, stop; otherwise go back to (a) and try a different key $k_j$.

Question: How many additional pairs $(x'', y''), (x''', y'''), \ldots$ should we test?

General system: l subsequent encryptions and t pairs $(x', y'), (x'', y''), \ldots$

1. In the first step there are $2^{lk}$ possible key combinations for the mapping $E(x') = e(e(\cdots e(x') \cdots)) = y'$, but only $2^n$ possible values for $x'$ and $y'$. Hence, there are $2^{lk} / 2^n = 2^{lk - n}$ mappings $E(x') = y'$. Note that only one mapping is done by the correct key!

Figure 6.8 (number of mappings $x'$ to $y'$ under l-fold encryption): $2^{lk}$ keys, but only $2^n$ mappings $E(x) = y$.

Figure 6.8: Number of mappings $x'$ to $y'$ under l-fold encryption

2. We now use a candidate key from step 1 and check whether $E(x'') = y''$. There are $2^n$ possible outcomes for the mapping $E(x'')$. If a random key is used, the likelihood that $E(x'') = y''$ is $1/2^n$. If we additionally check a third pair $(x''', y''')$ under the same "random" key from step 1, the likelihood that $E(x'') = y''$ and $E(x''') = y'''$ is $1/2^{2n}$. If we check $t - 1$ additional pairs $(x'', y''), (x''', y'''), \ldots$, the likelihood that a random key fulfills $E(x'') = y''$, $E(x''') = y'''$, $\ldots$ is $1/2^{(t-1)n}$.

Figure 6.9 (number of mappings $x''$ to $y''$): $2^{lk-n}$ candidate keys, $2^n$ mappings $E(x) = y$.

Figure 6.9: Number of mappings $x''$ to $y''$

3. Since there are $2^{lk-n}$ candidate keys in step 1, the likelihood that at least one of the candidate keys fulfills all $E(x'') = y''$, $E(x''') = y'''$, $\ldots$ is $2^{lk-n} / 2^{(t-1)n} = 2^{lk - tn}$.

Example: Double encryption with DES. We use two pairs $(x', y'), (x'', y'')$. The likelihood that an incorrect key pair $(k_i, k_j)$ is picked is $2^{lk - tn} = 2^{112 - 128} = 2^{-16}$.

If we use three pairs $(x', y'), (x'', y''), (x''', y''')$, the likelihood that an incorrect key pair $(k_i, k_j)$ is picked is $2^{lk - tn} = 2^{112 - 192} = 2^{-80}$.

Computational complexity:
Brute force attack: $2^{2k}$.
Meet in the middle attack: $2^k$ encryptions + $2^k$ decryptions = $2^{k+1}$ computations and $2^k$ memory locations.
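As an added example (not from the notes), the Python block below runs the meet-in-the-middle procedure of Section 6.3.1 against double encryption with a constructed 16-bit toy block cipher whose keys are 16 bits, so that the full $2^k$ table fits in memory and the run takes well under a second. It also evaluates the $2^{lk - tn}$ estimate from step 3. The toy cipher is deliberately weak and only there to make the procedure executable; the key and plaintext values are constructed.

```python
# Added example: the meet-in-the-middle attack of Section 6.3.1 run against double
# encryption with a constructed 16-bit toy block cipher (affine, deliberately weak,
# 16-bit keys so that the full 2^k table fits in memory). Names and the
# key/plaintext values are constructed for the demonstration.

KEY_BITS = 16
BLOCK_MASK = 0xFFFF
MULT = 0x6D01                               # odd, so multiplication mod 2^16 is invertible
MULT_INV = pow(MULT, -1, 1 << 16)

def toy_encrypt(k, x):
    return ((x ^ k) * MULT) & BLOCK_MASK

def toy_decrypt(k, y):
    return ((y * MULT_INV) & BLOCK_MASK) ^ k

def double_encrypt(ki, kj, x):
    """y = e_{k_j}(e_{k_i}(x)); the nominal key space is 2^(2k)."""
    return toy_encrypt(kj, toy_encrypt(ki, x))

def meet_in_the_middle(pairs):
    """pairs = [(x', y'), (x'', y''), ...]. Returns every (k_i, k_j) consistent with
    all pairs: step 1 tabulates z1 = e_{k_i}(x') for all k_i; step 2 looks up
    z2 = e_{k_j}^{-1}(y') for all k_j and confirms each hit on the remaining pairs."""
    x1, y1 = pairs[0]
    table = {}                              # z1 -> list of k_i (2^k entries)
    for ki in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(ki, x1), []).append(ki)
    candidates = []
    for kj in range(1 << KEY_BITS):         # 2^k decryptions: 2^(k+1) work in total
        for ki in table.get(toy_decrypt(kj, y1), ()):
            if all(double_encrypt(ki, kj, x) == y for x, y in pairs[1:]):
                candidates.append((ki, kj))
    return candidates

def expected_false_candidates(l, k, n, t):
    """2^(lk - tn): expected number of wrong key tuples surviving t pairs for
    l-fold encryption with k-bit keys and n-bit blocks (Section 6.3.1, step 3)."""
    return 2.0 ** (l * k - t * n)

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xABCD
    xs = [0x0001, 0x0F0F, 0xC3C3]
    pairs = [(x, double_encrypt(k1, k2, x)) for x in xs]
    print(len(meet_in_the_middle(pairs[:1])), "candidates after one pair")
    print(meet_in_the_middle(pairs))
    print(expected_false_candidates(2, 56, 64, 2))     # DES double encryption: 2^-16
```

With a single pair every $k_j$ finds a matching $k_i$ here (the toy cipher is a bijection in the key for fixed input), so all $2^{16}$ pairs survive step 2(a); the second and third pairs are what filter them down, exactly as the $2^{lk - tn}$ argument predicts.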

6.3.2 Triple Encryption

Option 1: $Y = e_{k_1}(e_{k_2}^{-1}(e_{k_1}(X)))$; if $k_1 = k_2 \Rightarrow Y = e_{k_1}(X)$.

Option 2: $Y = e_{k_3}(e_{k_2}(e_{k_1}(X)))$; where $|k| \approx 2^{2k}$.

Option 2 should be preferred.

Figure 6.10 (triple encryption example): $X \rightarrow e_{k_1} \rightarrow z_1 \rightarrow e_{k_2} \rightarrow z_2 \rightarrow e_{k_3} \rightarrow Y$; a meet-in-the-middle attack stores the intermediate values $z_i$.

Figure 6.10: Triple encryption example

Note:
The meet-in-the-middle attack can be used in a similar way by storing results in memory. The computational complexity of this approach is $2^k \cdot 2^k = 2^{2k}$.

Chapter 7 Introduction to Public-Key Cryptography

7.1 Principle
Quick review of private-key cryptography:

Figure 7.1 (private-key model): $e_k$ on the sender's side and $d_k$ on the receiver's side, both using the same secret key k.

Figure 7.1: Private-key model

Two properties of private-key schemes:

1. The algorithm requires the same secret key for encryption and decryption.
2. Encryption and decryption are essentially identical (symmetric algorithms).

Analogy for private key algorithms:

Private key schemes are analogous to a safe box with a strong lock. Everyone with the key can deposit messages in it and retrieve messages.

Main problems with private key schemes are:

1. Requires secure transmission of the secret key.
2. In a network environment, each pair of users has to have a different key, resulting in too many keys: $n(n-1)/2$ key pairs.

New Idea:

Make a slot in the safe box so that everyone can deposit a message, but only the receiver can open the safe and look at its content. This idea was proposed in [WD76] in 1976 by Diffie and Hellman.

Idea: Split key.

Figure 7.2 (split key idea): the key K consists of a public part (encryption) and a private part (decryption).

Figure 7.2: Split key idea

Protocol:
1. Alice and Bob agree on a public-key cryptosystem.
2. Bob sends Alice his public key.
3. Alice encrypts her message with Bob's public key and sends the ciphertext.
4. Bob decrypts the ciphertext using his private key.

Figure 7.3 (public-key encryption protocol): Bob holds $K = (K_{pub}, K_{pr})$ and sends $K_{pub}$ to Alice (step 2; Oscar, between them on the channel, sees $K_{pub}$); Alice computes $Y = e_{K_{pub}}(X)$ and sends Y (step 3); Bob computes $X = d_{K_{pr}}(Y)$ (step 4).

Figure 7.3: Public-key encryption protocol

7.2 One-Way Functions

All public-key algorithms are based on one-way functions.

Definition 7.2.1 A function f is a "one-way function" if:
(a) $y = f(x)$ is easy to compute,
(b) $x = f^{-1}(y)$ is very hard to compute.

Example: Discrete Logarithm (DL) one-way function: $2^x \equiv 31 \bmod 127$, $x = ?$

Definition 7.2.2 A trapdoor one-way function is a one-way function whose inverse is easy to compute given side information such as the private key.

7.3 Overview of Public-Key Algorithms

There are three families of Public-Key (PK) algorithms of practical relevance:
1. Integer factorization algorithms (RSA, ...)
2. Discrete logarithms (D-H, DSA, ...)
3. Elliptic curves (EC)

- Generally speaking, public-key algorithms are much slower than private-key algorithms.
- Public-key algorithms are mainly used for key establishment and digital signatures and not for bulk data encryption.

Algorithm Family               Bit length of the operands
Integer Factorization (RSA)    1024
Discrete Logarithm (D-H, DSA)  1024
Elliptic curves                160
Block cipher                   80

Table 7.1: Bit lengths for a security level of approximately $2^{80}$ computations for a successful attack.

7.4 Important Public-Key Standards

(a) IEEE P1363. Comprehensive standard of public-key algorithms. Collection of IF, DL, and EC algorithm families, including in particular:
   - Key establishment algorithms
   - Key transport algorithms
   - Signature algorithms
Note: IEEE P1363 does not recommend any bit lengths or security levels.

(b) ANSI Banking Security standards.

ANSI             Subject
X9.30-1          digital signature algorithm (DSA)
X9.30-2          hashing algorithm for RSA
X9.31-1          RSA signature algorithm
X9.32-2          hashing algorithms for RSA
X9.42            key management using Diffie-Hellman
X9.62 (draft)    elliptic curve digital signature algorithm (ECDSA)
X9.63 (draft)    elliptic curve key agreement and transport protocols

(c) U.S. Government standards (FIPS)

FIPS               Subject
FIPS 180-1         secure hash standard (SHA-1)
FIPS 186           digital signature standard (DSA)
FIPS JJJ (draft)   entity authentication (asymmetric)

7.5 More Number Theory

7.5.1 Euclid's Algorithm
Basic Form
Given $r_0$ and $r_1$ with one larger than the other, compute $\gcd(r_0, r_1)$.

Example 1:
$r_0 = 22$, $r_1 = 6$. $\gcd(r_0, r_1) = ?$

Figure 7.4 (Euclid's algorithm example, shown as bars of lengths $r_0 = 22$, $r_1 = 6$, $r_2 = 4$, $r_3 = 2$):
gcd(22, 6) = gcd(6, 4)
gcd(6, 4) = gcd(4, 2)
gcd(4, 2) = 2
gcd(22, 6) = gcd(6, 4) = gcd(4, 2) = gcd(2, 0) = 2

Figure 7.4: Euclid's algorithm example

Example 2:
$r_0 = 973$, $r_1 = 301$.
$973 = 3 \cdot 301 + 70$.
$301 = 4 \cdot 70 + 21$.
$70 = 3 \cdot 21 + 7$.
$21 = 3 \cdot 7 + 0$.
$\gcd(973, 301) = \gcd(301, 70) = \gcd(70, 21) = \gcd(21, 7) = 7$.

Algorithm:

input: $r_0$, $r_1$
$r_0 = q_1 \cdot r_1 + r_2$                        $\gcd(r_0, r_1) = \gcd(r_1, r_2)$
$r_1 = q_2 \cdot r_2 + r_3$                        $\gcd(r_1, r_2) = \gcd(r_2, r_3)$
...
$r_{m-2} = q_{m-1} \cdot r_{m-1} + r_m$            $\gcd(r_{m-2}, r_{m-1}) = \gcd(r_{m-1}, r_m)$
$r_{m-1} = q_m \cdot r_m + 0$                      (termination criterion)
$\gcd(r_0, r_1) = \gcd(r_{m-1}, r_m) = r_m$

Extended Euclidean Algorithm

Theorem 7.5.1 Given two integers $r_0$ and $r_1$, there exist two other integers s and t such that $s \cdot r_0 + t \cdot r_1 = \gcd(r_0, r_1)$.

Question: How to find s and t?
Use Euclid's algorithm and express the current remainder $r_i$ in every iteration in the form $r_i = s_i r_0 + t_i r_1$. Note that in the last iteration $r_m = \gcd(r_0, r_1) = s_m r_0 + t_m r_1 = s r_0 + t r_1$.

index   Euclid's Algorithm                          $r_j = s_j \cdot r_0 + t_j \cdot r_1$
2       $r_0 = q_1 \cdot r_1 + r_2$                 $r_2 = r_0 - q_1 \cdot r_1 = s_2 \cdot r_0 + t_2 \cdot r_1$
3       $r_1 = q_2 \cdot r_2 + r_3$                 $r_3 = r_1 - q_2 \cdot r_2 = r_1 - q_2 (r_0 - q_1 \cdot r_1) = (-q_2) r_0 + (1 + q_1 \cdot q_2) r_1 = s_3 \cdot r_0 + t_3 \cdot r_1$
...
i       $r_{i-2} = q_{i-1} \cdot r_{i-1} + r_i$     $r_i = s_i \cdot r_0 + t_i \cdot r_1$
i+1     $r_{i-1} = q_i \cdot r_i + r_{i+1}$         $r_{i+1} = s_{i+1} \cdot r_0 + t_{i+1} \cdot r_1$
i+2     $r_i = q_{i+1} \cdot r_{i+1} + r_{i+2}$     $r_{i+2} = r_i - q_{i+1} \cdot r_{i+1} = (s_i \cdot r_0 + t_i \cdot r_1) - q_{i+1} (s_{i+1} \cdot r_0 + t_{i+1} \cdot r_1) = (s_i - q_{i+1} \cdot s_{i+1}) r_0 + (t_i - q_{i+1} \cdot t_{i+1}) r_1 = s_{i+2} \cdot r_0 + t_{i+2} \cdot r_1$
...
m       $r_{m-2} = q_{m-1} \cdot r_{m-1} + r_m$     $r_m = \gcd(r_0, r_1) = s_m \cdot r_0 + t_m \cdot r_1$

Now: $s = s_m$, $t = t_m$. Recursive formulae:

$s_0 = 1$, $t_0 = 0$
$s_1 = 0$, $t_1 = 1$
$s_i = s_{i-2} - q_{i-1} \cdot s_{i-1}$, $t_i = t_{i-2} - q_{i-1} \cdot t_{i-1}$; $i = 2, 3, 4, \ldots$

Remark:
(a) The extended Euclidean algorithm is commonly used to compute the inverse element in $\mathbb{Z}_m$. If $\gcd(r_0, r_1) = 1$, then $t = r_1^{-1} \bmod r_0$.
(b) For fast software implementation, the "binary extended Euclidean algorithm" is more efficient [AM97] because it avoids the division required in each iteration of the extended Euclidean algorithm shown above.

7.5.2 Euler's Phi Function

Definition 7.5.1 The number of integers in $\mathbb{Z}_m$ relatively prime to m is denoted by $\Phi(m)$.

Example 1:
$m = 6$; $\mathbb{Z}_6 = \{0, 1, 2, 3, 4, 5\}$
$\gcd(0, 6) = 6$
$\gcd(1, 6) = 1$ *
$\gcd(2, 6) = 2$
$\gcd(3, 6) = 3$
$\gcd(4, 6) = 2$
$\gcd(5, 6) = 1$ *
$\Phi(6) = 2$

Example 2:
$m = 5$; $\mathbb{Z}_5 = \{0, 1, 2, 3, 4\}$
$\gcd(0, 5) = 5$
$\gcd(1, 5) = 1$ *
$\gcd(2, 5) = 1$ *
$\gcd(3, 5) = 1$ *
$\gcd(4, 5) = 1$ *
$\Phi(5) = 4$

Theorem 7.5.2 If $m = p_1^{e_1} \cdot p_2^{e_2} \cdot \ldots \cdot p_n^{e_n}$, where the $p_i$ are prime numbers and the $e_i$ are integers, then:

$$\Phi(m) = \prod_{i=1}^{n} \left( p_i^{e_i} - p_i^{e_i - 1} \right)$$

Example:
$m = 40 = 8 \cdot 5 = 2^3 \cdot 5 = p_1^{e_1} \cdot p_2^{e_2}$
$\Phi(m) = (2^3 - 2^2)(5^1 - 5^0) = (8 - 4)(5 - 1) = 4 \cdot 4 = 16$

Theorem 7.5.3 (Euler's Theorem)

If $\gcd(a, m) = 1$, then:
$$a^{\Phi(m)} \equiv 1 \bmod m.$$

Example:
$m = 6$; $a = 5$
$\Phi(6) = \Phi(3 \cdot 2) = (3 - 1)(2 - 1) = 2$
$5^{\Phi(6)} = 5^2 = 25 \equiv 1 \bmod 6$

Chapter 8 RSA

1. Most popular public-key cryptosystem.
2. Invented by Rivest/Shamir/Adleman in 1977 at MIT.
3. Patented until 2000.

8.1 Cryptosystem

Set-up Stage
1. Choose two large primes $p$ and $q$.
2. Compute $n = p \cdot q$.
3. Compute $\Phi(n) = (p - 1)(q - 1)$.
4. Choose random $b$; $0 < b < \Phi(n)$, with $\gcd(b, \Phi(n)) = 1$. Note that $b$ has an inverse in $\mathbb{Z}_{\Phi(n)}$.
5. Compute the inverse $a = b^{-1} \bmod \Phi(n)$: $a \cdot b \equiv 1 \bmod \Phi(n)$.
6. Public key: $k_{pub} = (n, b)$. Private key: $k_{pr} = (p, q, a)$.

Encryption: done using the public key $k_{pub}$:
$y = e_{k_{pub}}(x) = x^b \bmod n$, $\quad x \in \mathbb{Z}_n = \{0, 1, \ldots, n - 1\}$.

Decryption: done using the private key $k_{pr}$:
$x = d_{k_{pr}}(y) = y^a \bmod n$.

Example: Alice sends the encrypted message $x = 4$ to Bob after Bob sends her the public key.

Bob:
(1) choose $p = 3$, $q = 11$
(2) $n = p \cdot q = 33$
(3) $\Phi(n) = (3 - 1)(11 - 1) = 2 \cdot 10 = 20$
(4) choose $b = 3$; $\gcd(20, 3) = 1$
(5) $a = b^{-1} = 7 \bmod 20$

Bob → Alice: $k_{pub} = (n, b) = (33, 3)$

Alice: $x = 4$; $y = x^b \bmod n = 4^3 = 64 \equiv 31 \bmod 33$

Alice → Bob: $y = 31$

Bob: $x = y^a = 31^7 \equiv 4 \bmod 33$

Why does RSA work?

We have to show that $d_{k_{pr}}(y) = d_{k_{pr}}(e_{k_{pub}}(x)) = x$.

$d_{k_{pr}}(y) = y^a = (x^b)^a = x^{ab} \bmod n$.
$ab \equiv 1 \bmod \Phi(n) \Rightarrow ab = 1 + t \cdot \Phi(n)$; $t$ is an integer.
$d_{k_{pr}}(y) = x^{1 + t \Phi(n)} = x \cdot (x^{\Phi(n)})^t \bmod n$.
If $x^{\Phi(n)} \equiv 1 \bmod n$, then $d_{k_{pr}}(y) = x \cdot 1^t = x \bmod n$.

1. Case: $\gcd(x, n) = \gcd(x, pq) = 1$. Euler's Theorem: $x^{\Phi(n)} \equiv 1 \bmod n$, q.e.d.

2. Case: $\gcd(x, n) = \gcd(x, pq) \neq 1$. Then either $x = r \cdot p$ or $x = s \cdot q$, where $r, s$ are integers such that $r < q$, $s < p$. Assume $x = r \cdot p$ $\Rightarrow \gcd(x, q) = 1$:
$x^{\Phi(n)} = x^{(p-1)(q-1)} = (x^{q-1})^{p-1} = (x^{\Phi(q)})^{p-1} \equiv 1 \bmod q$
$\Rightarrow x^{\Phi(n)} = 1 + u \cdot q$, where $u$ is an integer.
$x \cdot x^{\Phi(n)} = x + x \cdot u \cdot q = x + r \cdot p \cdot u \cdot q = x + r \cdot u \cdot n \equiv x \bmod n$.
Applying this $t$ times gives $x \cdot (x^{\Phi(n)})^t \equiv x \bmod n$, q.e.d.
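The set-up, encryption and decryption of Sec. 8.1 on the toy parameters of the example, as an added example (not code from the lecture notes); `proof_case` reports which of the two cases of the argument above applies to a given message. Function names are my own; `pow(b, -1, m)` (Python 3.8+) computes $b^{-1} \bmod m$.

```python
# Added example, not from the lecture notes: RSA set-up, encryption and
# decryption with the notes' toy parameters p = 3, q = 11, b = 3.

from math import gcd


def rsa_setup(p: int, q: int, b: int):
    """Steps 1-6 of the set-up stage. Returns (k_pub, k_pr) = ((n, b), (p, q, a))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (0 < b < phi) or gcd(b, phi) != 1:
        raise ValueError("b must satisfy 0 < b < Phi(n) and gcd(b, Phi(n)) = 1")
    a = pow(b, -1, phi)             # a = b^{-1} mod Phi(n), i.e. a*b = 1 mod Phi(n)
    return (n, b), (p, q, a)


def rsa_encrypt(k_pub, x: int) -> int:
    """y = x^b mod n with the public key."""
    n, b = k_pub
    if not 0 <= x < n:
        raise ValueError("x must be an element of Z_n")
    return pow(x, b, n)


def rsa_decrypt(k_pr, y: int) -> int:
    """x = y^a mod n with the private key."""
    p, q, a = k_pr
    return pow(y, a, p * q)


def proof_case(x: int, k_pr) -> int:
    """1 if gcd(x, n) = 1 (Euler's theorem applies directly), else 2."""
    p, q, _ = k_pr
    return 1 if gcd(x, p * q) == 1 else 2


def roundtrip_all(k_pub, k_pr) -> bool:
    """Decryption inverts encryption for every x in Z_n, both proof cases included."""
    n = k_pub[0]
    return all(rsa_decrypt(k_pr, rsa_encrypt(k_pub, x)) == x for x in range(n))
```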

8.2 Computational Aspects

8.2.1 Choosing p and q

Problem: Finding two large primes $p$, $q$, each $\approx 250$ bits.

Principle: Pick a large integer and apply a primality test. In practice, a "Monte Carlo" test developed by Miller-Rabin (pg. 136 in [Sti95]) is used. Note that a primality test does NOT require factorization.

Miller-Rabin Algorithm:
Input: $p$ (or $q$) and an arbitrary number $r$.
Output 1: Statement "$p$ is composite" → always true.
Output 2: Statement "$p$ is prime" → true with probability 0.75.

In practice, the above algorithm is run 3 times for a 1000 bit prime and up to 12 times for a 150 bit prime ([AM97], Table 4.4, page 148) with different parameters $r$. If the answer is always "$p$ is prime", then $p$ is with very high probability a prime.

$P(p \text{ is composite}) \le (0.25)^t$, where $t$ = number of tries.

Question: What is the likelihood that a randomly picked integer $p$ or $q$ is prime?
Answer: $P(p \text{ is prime}) \approx \dfrac{1}{\ln p}$.

Example: $p \approx 2^{250}$ → 250 bits. $P(p \text{ is prime}) \approx \dfrac{1}{\ln 2^{250}} \approx \dfrac{1}{173}$.
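The Miller-Rabin procedure as described above, as an added example (not code from the lecture notes): one "Monte Carlo" round per base $r$, repeated $t$ times, together with the two estimates used in this section ($P(\text{composite}) \le 0.25^t$ and $P(p \text{ prime}) \approx 1/\ln p$). Function names are my own, and the bases $r$ come from a caller-supplied random generator.

```python
# Added example, not from the lecture notes: the Miller-Rabin test of Sec. 8.2.1.

import math
import random


def miller_rabin_round(n: int, r: int) -> str:
    """One round with base r (2 <= r <= n-2, n odd and > 3).
    Returns 'composite' (always correct) or 'prime' (correct with prob. >= 3/4)."""
    d, s = n - 1, 0
    while d % 2 == 0:                # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(r, d, n)
    if x in (1, n - 1):
        return "prime"
    for _ in range(s - 1):           # square up to s-1 times looking for -1
        x = x * x % n
        if x == n - 1:
            return "prime"
    return "composite"


def is_probable_prime(n: int, t: int, rng=random) -> bool:
    """Run t rounds with random bases; accept only if every round says 'prime'."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(t):
        r = rng.randrange(2, n - 1)
        if miller_rabin_round(n, r) == "composite":
            return False
    return True


def random_prime(bits: int, t: int, rng=random) -> int:
    """Pick random odd candidates with exactly `bits` bits until one passes t rounds."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, t, rng):
            return cand


def residual_error(t: int) -> float:
    """Bound from the notes: P(p composite | t rounds all said 'prime') <= 0.25^t."""
    return 0.25 ** t


def prime_probability(bits: int) -> float:
    """P(a random p of this size is prime) ~ 1 / ln p with p ~ 2^bits."""
    return 1.0 / (bits * math.log(2))


def seeded_rng(seed: int):
    """Deterministic generator so a run can be reproduced."""
    return random.Random(seed)
```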

8.2.2 Choosing b and a

$k_{pub} = b$; condition: $\gcd(b, \Phi(n)) = 1$, where $\Phi(n) = (p - 1)(q - 1)$.
$k_{pr} = a$; where $a = b^{-1} \bmod \Phi(n)$.

Pick an arbitrary (large!) $b$ and compute:
1. Euclidean Algorithm: $s \cdot \Phi(n) + t \cdot b = \gcd(b, \Phi(n))$.
2. Test if $\gcd(b, \Phi(n)) = 1$.
3. Calculate $a$: Question: What is $t \cdot b \bmod \Phi(n)$?
$t \cdot b = -s \cdot \Phi(n) + 1 \equiv 1 \bmod \Phi(n) \Rightarrow t = b^{-1} = a \bmod \Phi(n)$.

Remark: It is not necessary to find $s$ for the computation of $a$.

8.2.3 Encryption / Decryption

encryption: $y = e_{k_{pub}}(x) = x^b \bmod n$.
decryption: $x = d_{k_{pr}}(y) = y^a \bmod n$.

Question: How many multiplications are required for computing $x^8$?
Answer: $x \cdot x = x^2$; $x^2 \cdot x^2 = x^4$; $x^4 \cdot x^4 = x^8$ (3 multiplications). Note that if $0 < b < n$ then $O(b) = O(n)$ for straightforward exponentiation.

Question: How many multiplications are required for computing $x^{13}$?
Answer: $x \cdot x = x^2$ (SQ); $x^2 \cdot x = x^3$ (MUL); $x^3 \cdot x^3 = x^6$ (SQ); $x^6 \cdot x^6 = x^{12}$ (SQ); $x^{12} \cdot x = x^{13}$ (MUL).

First: binary representation of the exponent $B = (b_3 b_2 b_1 b_0)_2$:
$x^B = x^{b_3 \cdot 2^3 + b_2 \cdot 2^2 + b_1 \cdot 2^1 + b_0} = x^{(b_3 \cdot 2 + b_2) 2^2 + b_1 \cdot 2 + b_0} = x^{((b_3 \cdot 2 + b_2) 2 + b_1) 2 + b_0} = \left( \left( \left( x^{b_3} \right)^2 x^{b_2} \right)^2 x^{b_1} \right)^2 x^{b_0}$

Square-and-multiply algorithm:
Step 1: $x^{b_3}$
Step 2: $(x^{b_3})^2 \cdot x^{b_2}$
Step 3: $((x^{b_3})^2 \cdot x^{b_2})^2$
Step 4: $((x^{b_3})^2 \cdot x^{b_2})^2 \cdot x^{b_1}$
Step 5: $(((x^{b_3})^2 \cdot x^{b_2})^2 \cdot x^{b_1})^2$
Step 6: $(((x^{b_3})^2 \cdot x^{b_2})^2 \cdot x^{b_1})^2 \cdot x^{b_0} = x^B$

Example: $B = 13 = (1101)_2 = (b_3 b_2 b_1 b_0)_2$
Step 1: $x^{b_3} = x$
Step 2: $(x)^2 \cdot x^{b_2} = x^2 \cdot x = x^3$ (SQ, MUL)
Step 3: $(x^3)^2 = x^6$ (SQ)
Step 4: $x^6 \cdot x^{b_1} = x^6 \cdot x^0 = x^6$
Step 5: $(x^6)^2 = x^{12}$ (SQ)
Step 6: $x^{12} \cdot x^{b_0} = x^{12} \cdot x = x^{13}$ (MUL)
Sequence of operations: SQ MUL SQ SQ MUL.

Complexity: $\log_2(B)$ SQ $+ \frac{1}{2} \log_2(B)$ MUL.

Comparison: $n = 2^{1000}$.
Straightforward exponentiation: $2^{1000} \approx 10^{300}$ multiplications → computationally impossible.
Square-and-multiply: $1.5 \cdot \log_2(2^{1000}) = 1500$ multiplications and squarings → relatively easy.

Remark: Remember to apply modulo reduction after every multiplication and squaring operation.

Algorithm ([Sti95]): computes $x^B$, where $B = \sum_{i=0}^{l-1} b_i 2^i$
1. $z = 1$
2. for $i = l - 1$ downto 0 do:
(a) $z = z^2 \bmod n$
(b) if $b_i = 1$ then $z = z \cdot x \bmod n$
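The algorithm from [Sti95] quoted above, as an added example (not code from the lecture notes), with a trace of the SQ/MUL operations so the $x^{13}$ sequence (SQ MUL SQ SQ MUL) and the operation counts can be reproduced. Function names are my own.

```python
# Added example, not from the lecture notes: square-and-multiply with modular
# reduction after every squaring and multiplication, plus an operation trace.


def square_and_multiply(x: int, B: int, n: int):
    """Return (x^B mod n, trace). z starts at 1 and the bits are scanned from
    b_{l-1} down to b_0; the trace omits the trivial first step (1^2 * x)."""
    bits = bin(B)[2:]                 # b_{l-1} ... b_0 as a string of '0'/'1'
    z = 1
    trace = []
    for i, bit in enumerate(bits):
        z = z * z % n                 # (a) z = z^2 mod n
        if i > 0:
            trace.append("SQ")
        if bit == "1":                # (b) if b_i = 1 then z = z * x mod n
            z = z * x % n
            if i > 0:
                trace.append("MUL")
    return z, trace


def operation_counts(B: int):
    """(#SQ, #MUL) for exponent B: one squaring per bit after the leading one and
    one multiplication per further 1-bit, i.e. about log2(B) + 1/2 log2(B) in total."""
    _, trace = square_and_multiply(2, B, 10**9)   # counts depend on B only
    return trace.count("SQ"), trace.count("MUL")


def naive_multiplications(B: int) -> int:
    """Straightforward x * x * ... * x needs B - 1 multiplications."""
    return max(B - 1, 0)
```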

8.3 Attacks

8.3.1 Brute Force
Given $y = x^b \bmod n$, try all possible keys $a$; $0 < a < \Phi(n)$, to obtain $x = y^a \bmod n$. In practice $|K| = \Phi(n) \approx 2^{500}$ → impossible.

8.3.2 Finding Φ(n)
Given $(n, b, y = x^b \bmod n)$, find $\Phi(n)$ and compute $a = b^{-1} \bmod \Phi(n)$.
→ Computing $\Phi(n)$ is believed to be as difficult as factoring $n$.

8.3.3 Finding a directly
Given $(n, b, y = x^b \bmod n)$, find $a$ directly and compute $x = y^a \bmod n$.
→ Computing $a$ directly is believed to be as difficult as factoring $n$.

8.3.4 Factorization of n
Given $(n, b, y = x^b \bmod n)$, find $n = p \cdot q$ and compute:
$\Phi(n) = (p - 1)(q - 1)$
$a = b^{-1} \bmod \Phi(n)$
$x = y^a \bmod n$
→ This approach is the only attack believed to be practical.

Factoring Algorithms:
1. Quadratic Sieve (QS): speed depends on the size of $n$; record: in 1994 factoring of $n$ = RSA129, $\log_{10} n$ = 129 digits, $\log_2 n$ = 426 bits.
2. Elliptic Curve: similar to QS; speed depends on the size of the smallest prime factor of $n$, i.e., on $p$ and $q$.
3. Number Field Sieve: asymptotically better than QS; record: in 1996 factoring of $n$ = RSA140; $\log_{10} n$ = 140 digits; $\log_2 n$ = 466 bits.

Algorithm             Complexity
Quadratic Sieve       $O\left(e^{(1 + o(1)) \sqrt{\ln n \, \ln\ln n}}\right)$
Elliptic Curve        $O\left(e^{(1 + o(1)) \sqrt{2 \ln p \, \ln\ln p}}\right)$
Number Field Sieve    $O\left(e^{(1.92 + o(1)) (\ln n)^{1/3} (\ln\ln n)^{2/3}}\right)$

number     month           MIPS-years   algorithm
RSA-100    April 1991      7            quadratic sieve
RSA-110    April 1992      75           quadratic sieve
RSA-120    June 1993       830          quadratic sieve
RSA-129    April 1994      5000         quadratic sieve
RSA-130    April 1996      500          generalized number field sieve
RSA-140    February 1999   1500         generalized number field sieve
RSA-155    August 1999     8000         generalized number field sieve

8.4 Implementation

Hardware: 1024 bit decryption in less than 5 ms.
Software: 1024 bit decryption in 43 ms; 1024 bit encryption in 0.65 ms.

Hybrid systems, consisting of public-key and private-key algorithms, are the most commonly used in practice:
1. key exchange and authentication with the (slow) public-key algorithm
2. bulk data encryption with fast block ciphers

Chapter 9 The Discrete Logarithm (DL) Problem

DL is the underlying one-way function for:
1. Diffie-Hellman key exchange.
2. DSA (digital signature algorithm).
3. ElGamal encryption/digital signature scheme.
4. Elliptic curve cryptosystems.
5. ...

DL is based on finite groups.

9.1 Some Algebra

Further Reading: [Big85].

9.1.1 Groups

Definition 9.1.1 A group is a set $G$ of elements together with a binary operation "$\circ$" such that:
1. If $a, b \in G$ then $a \circ b = c \in G$ → closure.
2. $(a \circ b) \circ c = a \circ (b \circ c)$ → associativity.
3. There exists an identity element $e \in G$: $e \circ a = a \circ e = a$ → identity.
4. There exists an inverse element $\tilde{a}$ for all $a \in G$: $a \circ \tilde{a} = e$ → inverse.

Examples:
1. $G = \mathbb{Z} = \{\ldots, -2, -1, 0, 1, 2, \ldots\}$, $\circ$ = addition: $(\mathbb{Z}, +)$ is a group with $e = 0$ and $\tilde{a} = -a$.
2. $G = \mathbb{Z}$, $\circ$ = multiplication: $(\mathbb{Z}, \cdot)$ is NOT a group since inverses $\tilde{a}$ do not exist (except for $a = 1$).
3. $G = \mathbb{C}$ (complex numbers $u + iv$), $\circ$ = multiplication: $(\mathbb{C}, \cdot)$ is a group with $e = 1$ and $\tilde{a} = a^{-1} = \dfrac{u - iv}{u^2 + v^2}$.

Definition 9.1.2 "$\mathbb{Z}_n^*$" denotes the set of numbers $i$, $0 < i < n$, which are relatively prime to $n$.

Examples:
1. $\mathbb{Z}_9^* = \{1, 2, 4, 5, 7, 8\}$
2. $\mathbb{Z}_7^* = \{1, 2, 3, 4, 5, 6\}$

Multiplication Table ($\cdot \bmod 9$):

 ·   1  2  4  5  7  8
 1   1  2  4  5  7  8
 2   2  4  8  1  5  7
 4   4  8  7  2  1  5
 5   5  1  2  7  8  4
 7   7  5  1  8  4  2
 8   8  7  5  4  2  1

Theorem 9.1.1 $\mathbb{Z}_n^*$ forms a group under modulo $n$ multiplication. The identity element is $e = 1$.

Remark: The inverse of $a \in \mathbb{Z}_n^*$ can be found through the extended Euclidean algorithm.

9.1.2 Finite Groups

Definition 9.1.3 A group $(G, \circ)$ is finite if it has a finite number $g$ of elements. We denote the cardinality of $G$ by $|G|$.

Examples:
1. $(\mathbb{Z}_m, +)$: $a + b = c \bmod m$. Question: What is the cardinality? → $|\mathbb{Z}_m| = m$, $\mathbb{Z}_m = \{0, 1, 2, \ldots, m - 1\}$.
2. $(\mathbb{Z}_p^*, \cdot)$: $a \cdot b = c \bmod p$, $p$ prime. Question: What is the cardinality? → $|\mathbb{Z}_p^*| = p - 1$, $\mathbb{Z}_p^* = \{1, 2, \ldots, p - 1\}$.

Definition 9.1.4 The order of an element $a \in (G, \circ)$ is the smallest positive integer $o$ such that $a \circ a \circ \ldots \circ a = a^o = 1$.

Example: $(\mathbb{Z}_{11}^*, \cdot)$, $a = 3$. Question: What is the order of $a = 3$?
$a^1 = 3$
$a^2 = 3^2 = 9$
$a^3 = 3^3 = 27 \equiv 5 \bmod 11$
$a^4 = 3^4 = 3^3 \cdot 3 = 5 \cdot 3 = 15 \equiv 4 \bmod 11$
$a^5 = a^4 \cdot a = 4 \cdot 3 = 12 \equiv 1 \bmod 11$
$\Rightarrow \mathrm{ord}(3) = 5$

Definition 9.1.5 A group $G$ which contains elements with maximum order $\mathrm{ord}(\alpha) = |G|$ is said to be cyclic. Elements with maximum order are called generators or primitive elements.

Example: 2 is a primitive element in $\mathbb{Z}_{11}^*$.
$|\mathbb{Z}_{11}^*| = |\{1, 2, 3, 4, 5, 6, 7, 8, 9, 10\}| = 10$
$a = 2$, $a^2 = 4$, $a^3 = 8$, $a^4 = 16 \equiv 5$, $a^5 = 10$, $a^6 = 20 \equiv 9$, $a^7 = 18 \equiv 7$, $a^8 = 14 \equiv 3$, $a^9 = 6$, $a^{10} = 12 \equiv 1$, $a^{11} = 2 = a$.
$\Rightarrow \mathrm{ord}(a = 2) = 10 = |\mathbb{Z}_{11}^*|$
$\Rightarrow$ (1) $\mathbb{Z}_{11}^*$ is cyclic; (2) $a = 2$ is a primitive element.

Observation (important): $2^i$, $i = 1, 2, \ldots, 10$, generates all elements of $\mathbb{Z}_{11}^*$:

 i     1  2  3  4   5  6  7  8  9  10
 2^i   2  4  8  5  10  9  7  3  6   1

Some properties of cyclic groups:
1. The number of primitive elements is $\Phi(|G|)$.
2. For every $a \in G$: $a^{|G|} = 1$.
3. For every $a \in G$: $\mathrm{ord}(a)$ divides $|G|$.

Proof (only for 2): $a = \alpha^i$: $a^{|G|} = (\alpha^i)^{|G|} = (\alpha^{|G|})^i = 1^i = 1$.

Example: $\mathbb{Z}_{11}^*$, $|\mathbb{Z}_{11}^*| = 10$
1. $\Phi(10) = (2 - 1)(5 - 1) = 1 \cdot 4 = 4$
2. $a = 3$ → $3^{10} = (3^5)^2 = 1^2 = 1$
3. homework ...

9.2 The General DL Problem

Given a cyclic group $(G, \circ)$ and a primitive element $\alpha$. Let $\beta = \underbrace{\alpha \circ \alpha \circ \ldots \circ \alpha}_{i \text{ times}} = \alpha^i$ be an arbitrary element in $G$.

General DL Problem:
Given $G$, $\alpha$, $\beta = \alpha^i$, find $i$.
$i = \log_\alpha \beta$

Examples:
1. $(\mathbb{Z}_{11}, +)$, $\alpha = 2$; $\beta = \underbrace{2 + 2 + \ldots + 2}_{i \text{ times}} = i \cdot 2$

 i          1  2  3  4   5  6  7  8  9  10  11
 i·2 mod 11 2  4  6  8  10  1  3  5  7   9   0

Let $i = 7$: $\beta = 7 \cdot 2 \equiv 3 \bmod 11$.
Question: given $\alpha = 2$, $\beta = 3 = i \cdot 2$, find $i$.
Answer: $i = 2^{-1} \cdot 3 \bmod 11$. Euclid's algorithm can be used to compute $i$, thus this example is NOT a one-way function.

2. $(\mathbb{Z}_{11}^*, \cdot)$, $\alpha = 2$; $\beta = \underbrace{2 \cdot 2 \cdot \ldots \cdot 2}_{i \text{ times}} = 2^i$
$\beta = 3 = 2^i \bmod 11$
Question: $i = \log_2 3 = \log_2 2^i = \,?$ Very hard computational problem!

9.3 Attacks for the DL Problem

1. Brute force: check $\alpha^1 \stackrel{?}{=} \beta$, $\alpha^2 \stackrel{?}{=} \beta$, ..., $\alpha^i \stackrel{?}{=} \beta$.
Complexity: $O(|G|)$ steps.
Example: DL in $\mathbb{Z}_p^*$ → $p$ tests (minimum security requirement → $p - 1 = |G| \ge 2^{80}$).

2. Shank's algorithm (Baby-step giant-step) and Pollard's-$\rho$ method: Further reading: p. 165 in [Sti95].
Complexity: $O(\sqrt{|G|})$ steps for both algorithms.
Example: DL in $\mathbb{Z}_p^*$ → $\sqrt{p}$ steps (minimum security requirement → $p - 1 = |G| \ge 2^{160}$).

3. Pohlig-Hellman algorithm: Let $|G| = p_1 \cdot p_2 \cdots p_l$, $p_l$ the largest prime.
Complexity: $O(\sqrt{p_l})$ steps.
Example: DL in $\mathbb{Z}_p^*$: $p_l$ of $p - 1$ must be $\ge 2^{160}$ (minimum security requirement → $p_l \ge 2^{160}$).

4. Index-Calculus method: Further reading: [AM97]. Applies only to $\mathbb{Z}_p^*$ and Galois fields $GF(2^k)$.
Complexity: $O\left(e^{(1 + o(1)) \sqrt{\ln p \, \ln\ln p}}\right)$ steps.
Example: DL in $\mathbb{Z}_p^*$: minimum security requirement → $p \ge 2^{1024}$.

Remark: Index-Calculus is more powerful against DL in Galois Fields $GF(2^k)$ than against DL in $\mathbb{Z}_p^*$.
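Element order, primitive elements and the two generic attacks (brute force and Shank's baby-step giant-step) on the toy group $\mathbb{Z}_{11}^*$ with $\alpha = 2$, $\beta = 3$ from Sec. 9.1 and 9.2, as an added example (not code from the lecture notes). Function names are my own; the square-root work factor of BSGS is what the minimum security requirement in item 2 reflects.

```python
# Added example, not from the lecture notes: order, generators, and the brute
# force and baby-step giant-step solutions of the DL problem in Z_p^*.

from math import isqrt


def element_order(a: int, p: int) -> int:
    """Smallest o >= 1 with a^o = 1 mod p, for a in Z_p^*."""
    x, o = a % p, 1
    while x != 1:
        x = x * a % p
        o += 1
    return o


def primitive_elements(p: int):
    """Elements of maximum order p - 1, i.e. the generators of Z_p^* (p prime)."""
    return [a for a in range(1, p) if element_order(a, p) == p - 1]


def dl_brute_force(alpha: int, beta: int, p: int):
    """Compare alpha^1, alpha^2, ... with beta: O(|G|) steps, |G| = p - 1."""
    x = 1
    for i in range(1, p):
        x = x * alpha % p
        if x == beta % p:
            return i
    return None


def dl_baby_step_giant_step(alpha: int, beta: int, p: int):
    """Shanks' algorithm, O(sqrt(|G|)) time and memory.
    Baby steps: table of alpha^j for 0 <= j < m.  Giant steps: beta * alpha^{-m i}.
    A match alpha^j = beta * alpha^{-m i} gives i*m + j = log_alpha(beta)."""
    n = p - 1
    m = isqrt(n) + 1
    baby = {}
    x = 1
    for j in range(m):
        baby.setdefault(x, j)          # keep the smallest j for each value
        x = x * alpha % p
    step = pow(alpha, -m, p)           # alpha^{-m}; pow(a, -1, p) needs Python 3.8+
    gamma = beta % p
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * step % p
    return None                        # beta is not a power of alpha
```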

9.4 Diffie-Hellman Key Exchange

Remarks:
Proposed in 1976 in the Diffie-Hellman paper.
Used in many practical protocols.
Can be based on any DL problem.

9.4.1 Protocol

Set-up:
1. Find a large prime $p$.
2. Find a primitive element $\alpha$ of $\mathbb{Z}_p^*$ (or of a subgroup of $\mathbb{Z}_p^*$).

Protocol:
Alice: pick $k_{prA} = a_A \in \{2, 3, \ldots, p - 1\}$; compute $k_{pubA} = b_A = \alpha^{a_A} \bmod p$.
Bob: pick $k_{prB} = a_B \in \{2, 3, \ldots, p - 1\}$; compute $k_{pubB} = b_B = \alpha^{a_B} \bmod p$.
Alice → Bob: $b_A$
Bob → Alice: $b_B$
Alice: $k_{AB} = b_B^{a_A} = (\alpha^{a_B})^{a_A}$
Bob: $k_{AB} = b_A^{a_B} = (\alpha^{a_A})^{a_B}$

Session key $k_{ses} = k_{AB} = \alpha^{a_B a_A} = \alpha^{a_A a_B} \bmod p$.

9.4.2 Security

Question: Which information does Oscar have?
Answer: $\alpha$, $p$, $b_A$, $b_B$.

Diffie-Hellman Problem:
Given $b_A = \alpha^{a_A} \bmod p$, $b_B = \alpha^{a_B} \bmod p$, and $\alpha$, find $\alpha^{a_A a_B} \bmod p$.

One solution to the D-H problem:
1. Solve the DL problem: $a_A = \log_\alpha b_A \bmod p$.
2. Compute: $b_B^{a_A} = (\alpha^{a_B})^{a_A} = \alpha^{a_A a_B} \bmod p$.
Choose $p \ge 2^{1024}$.

Note: There is no proof that the DL problem is the only solution to the D-H problem! However, it is conjectured.

Chapter 10 Elliptic Curve Cryptosystem

Further Reading: Chapter 6 in [Kob94]. Book by Alfred Menezes [Men93].

Remarks:
Relatively new cryptosystem, suggested independently: → 1987 by Koblitz at the University of Washington, → 1986 by Miller at IBM.
It is believed to be more secure than RSA/DL in $\mathbb{Z}_p^*$, but uses arithmetic with much shorter numbers (≈ 160-256 bits vs. 1024-2048 bits).
It can be used instead of D-H and other DL-based algorithms.

Drawbacks:
Not as well studied as RSA and DL-based public-key schemes.
It is conceptually more difficult.
Finding secure curves in the set-up phase is computationally expensive.

10.1 Elliptic Curves

Goal: To find another instance for the DL problem in cyclic groups.

Question: What is the equation $x^2 + y^2 = r^2$ over the reals?
Answer: It is a circle.

Figure 10.1: $x^2 + y^2 = r^2$ over the reals

Question: What is the equation $a \cdot x^2 + b \cdot y^2 = c$ over the reals?
Answer: It is an ellipse.

Figure 10.2: $a \cdot x^2 + b \cdot y^2 = c$ over the reals

Note: There are only certain points $(x, y)$ which fulfill the equation. For example the point $x = r$, $y = 1$ fulfills the equation of a circle.

Definition 10.1.1 The elliptic curve over $\mathbb{Z}_p$, $p > 3$, is the set of all pairs $(x, y) \in \mathbb{Z}_p$ which fulfill:

$$y^2 \equiv x^3 + a \cdot x + b \bmod p$$

where $a, b \in \mathbb{Z}_p$ and $4 \cdot a^3 + 27 \cdot b^2 \neq 0 \bmod p$.

Question: How does $y^2 = x^3 + a \cdot x + b$ look over the reals?

Figure 10.3: $y^2 = x^3 + a \cdot x + b$ over the reals (showing the points $P$, $Q$, $P + Q$ and $Q + Q = 2Q$)

Goal: Finding a cyclic group $(G, \circ)$ so that we can use the DL problem as a one-way function. We have a set of points on the curve. We "only" need a group operation on the points.

Group $G$: points on the curve given by $(x, y)$.
Operation $\circ$: $P + Q = (x_1, y_1) + (x_2, y_2) = R = (x_3, y_3)$.
Question: How do we find $R$?
Answer: First geometrically.
(a) $P \neq Q$ → line through $P$ and $Q$, and mirror the third intersection point along the x-axis.
(b) $P = Q$ → $P + Q = 2Q$ → tangent line through $Q$, and mirror the second intersection point along the x-axis.

Point Addition (group operation):

$x_3 = \lambda^2 - x_1 - x_2 \bmod p$
$y_3 = \lambda (x_1 - x_3) - y_1 \bmod p$

where

$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} \bmod p & \text{if } P \neq Q \\[2ex] \dfrac{3 x_1^2 + a}{2 y_1} \bmod p & \text{if } P = Q \end{cases}$$

Remarks:
If $x_1 \equiv x_2 \bmod p$ and $y_1 \equiv -y_2 \bmod p$, then $P + Q = O$, which is an abstract point at infinity.
$O$ is the neutral element of the group: $P + O = P$ for all $P$.
The additive inverse of any point $P = (x, y)$ is $-P$ with $P + (-P) = O$, such that $(x, y) + (x, -y) = O$.

Theorem 10.1.1 The points on an elliptic curve together with $O$ have cyclic subgroups.

Remark: Under certain conditions all points on an elliptic curve form a cyclic group, as the following example shows.

Example: Finding all points on the curve $E$: $y^2 \equiv x^3 + x + 6 \bmod 11$.

$\#E = 13$. Primitive element → $\alpha = (2, 7)$ generates all points.

$2\alpha = \alpha + \alpha = (2, 7) + (2, 7) = (x_3, y_3)$
$\lambda = (3 x_1^2 + a)(2 y_1)^{-1} = (3 \cdot 4 + 1) \cdot (2 \cdot 7)^{-1} = 13 \cdot 14^{-1} \equiv 2 \cdot 3^{-1} = 2 \cdot 4 = 8 \bmod 11$
$x_3 = \lambda^2 - x_1 - x_2 = 8^2 - 2 - 2 = 60 \equiv 5 \bmod 11$
$y_3 = \lambda (x_1 - x_3) - y_1 = 8 (2 - 5) - 7 = -24 - 7 = -31 \equiv 2 \bmod 11$
$2\alpha = (2, 7) + (2, 7) = (5, 2)$
$3\alpha = 2\alpha + \alpha = \ldots$
...
$12\alpha = 11\alpha + \alpha = (2, 4)$
$13\alpha = 12\alpha + \alpha = (2, 4) + (2, 7) = (2, 4) + (2, -4) = O$
$14\alpha = 13\alpha + \alpha = O + \alpha = \alpha$
...

All 12 non-zero elements together with $O$ form a cyclic group.

 α   = (2, 7)    4α = (10, 2)    7α = (7, 2)    10α = (8, 8)
 2α  = (5, 2)    5α = (3, 6)     8α = (3, 5)    11α = (5, 9)
 3α  = (8, 3)    6α = (7, 9)     9α = (10, 9)   12α = (2, 4)

Table 10.1: Non-zero elements of the group over $y^2 \equiv x^3 + x + 6 \bmod 11$

Remark: In general, finding the group order $\#E$ is computationally very complex.

10.2 Cryptosystems

10.2.1 Diffie-Hellman Key Exchange

Set-up: The cryptosystem is completely analogous to D-H in $\mathbb{Z}_p^*$.
1. Choose $E$: $y^2 \equiv x^3 + a \cdot x + b \bmod p$.
2. Choose a primitive element $\alpha = (x_\alpha, y_\alpha)$.

Protocol:
Alice: choose $k_{prA} = a_A \in \{2, 3, \ldots, \#E - 1\}$; compute $k_{pubA} = b_A = a_A \cdot \alpha = (x_A, y_A)$.
Bob: choose $k_{prB} = a_B \in \{2, 3, \ldots, \#E - 1\}$; compute $k_{pubB} = b_B = a_B \cdot \alpha = (x_B, y_B)$.
Alice → Bob: $b_A$
Bob → Alice: $b_B$
Alice: compute $a_A \cdot b_B = a_A \cdot a_B \cdot \alpha = (x_k, y_k)$; $k_{AB} = x_k \in \mathbb{Z}_p$.
Bob: compute $a_B \cdot b_A = a_B \cdot a_A \cdot \alpha = (x_k, y_k)$; $k_{AB} = x_k \in \mathbb{Z}_p$.

Security: Diffie-Hellman problem for elliptic curves
Oscar knows: $E$, $p$, $\alpha$, $b_A = a_A \cdot \alpha$, $b_B = a_B \cdot \alpha$.
Oscar wants to know: $k_{AB} = a_A \cdot a_B \cdot \alpha$.

One possible solution to the D-H problem for elliptic curves:
1. Compute the discrete logarithm: Given $\alpha$ and $\underbrace{\alpha + \alpha + \ldots + \alpha}_{a_A \text{ times}} = b_A$, find $a_A$.
2. Compute $a_A \cdot b_B = a_A \cdot a_B \cdot \alpha$.

Attacks:
The only possible attacks against elliptic curves are the Pohlig-Hellman scheme together with Shank's algorithm or Pollard's-Rho method. → $\#E$ must have one large prime factor $p_l \ge 2^{160}$ ($p_l \approx 2^{250}$).
So-called "Koblitz curves" (curves with $a, b \in \{0, 1\}$): For supersingular elliptic curves over $GF(2^n)$, DL in elliptic curves can be solved by solving DL in $GF(2^{kn})$, $k \le 6$. → stay away from supersingular curves despite possible faster implementations.
Powerful index-calculus method attacks are not applicable as of yet.
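Point addition and doubling with the formulas of Sec. 10.1, generation of Table 10.1 from $\alpha = (2, 7)$, and the elliptic-curve Diffie-Hellman exchange of Sec. 10.2.1 on that curve, as an added example (not code from the lecture notes). `None` stands for the point $O$; function names and the secret exponents in the test are my own.

```python
# Added example, not from the lecture notes: arithmetic on E: y^2 = x^3 + x + 6
# mod 11 and EC Diffie-Hellman on it. Scalar multiplication uses double-and-add,
# the additive analogue of square-and-multiply.

P_MOD, A_COEF, B_COEF = 11, 1, 6          # the notes' curve parameters


def is_on_curve(pt, p=P_MOD, a=A_COEF, b=B_COEF) -> bool:
    if pt is None:                        # O belongs to the group by definition
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def point_add(P1, P2, p=P_MOD, a=A_COEF):
    """Group operation: the lambda formulas above, with division done via the
    modular inverse pow(d, -1, p) (Python 3.8+)."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:   # P + (-P) = O, includes 2P with y = 0
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k: int, pt, p=P_MOD, a=A_COEF):
    """k * pt: scan the bits of k from the top, doubling each step, adding on 1-bits."""
    result = None
    for bit in bin(k)[2:]:
        result = point_add(result, result, p, a)
        if bit == "1":
            result = point_add(result, pt, p, a)
    return result


def generate_subgroup(alpha, p=P_MOD, a=A_COEF):
    """alpha, 2*alpha, 3*alpha, ... until O; the group order is len(...) + 1."""
    points, cur = [], alpha
    while cur is not None:
        points.append(cur)
        cur = point_add(cur, alpha, p, a)
    return points


def curve_points(p=P_MOD, a=A_COEF, b=B_COEF):
    """All affine points by exhaustive search over Z_p x Z_p (fine for p = 11)."""
    return [(x, y) for x in range(p) for y in range(p) if is_on_curve((x, y), p, a, b)]


def ec_diffie_hellman(alpha, a_A: int, a_B: int):
    """Returns (b_A, b_B, k_AB computed by Alice, k_AB computed by Bob); the
    session key is the x-coordinate of a_A * a_B * alpha."""
    b_A = scalar_mult(a_A, alpha)
    b_B = scalar_mult(a_B, alpha)
    k_alice = scalar_mult(a_A, b_B)[0]
    k_bob = scalar_mult(a_B, b_A)[0]
    return b_A, b_B, k_alice, k_bob
```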
10.2.2 Menezes-Vanstone Encryption

Set-up:
1. Choose $E$: $y^2 \equiv x^3 + a \cdot x + b \bmod p$.
2. Choose a primitive element $\alpha = (x_\alpha, y_\alpha)$.
3. Pick a random integer $a \in \{2, 3, \ldots, \#E - 1\}$.
4. Compute $a \cdot \alpha = \beta = (x_\beta, y_\beta)$.
5. Public Key: $k_{pub} = (E, p, \alpha, \beta)$.
6. Private Key: $k_{pr} = a$.

Encryption:
1. Pick random $k \in \{2, 3, \ldots, \#E - 1\}$. Compute $k \cdot \beta = (c_1, c_2)$.
2. Encrypt $e_{k_{pub}}(x, k) = (Y_0, Y_1, Y_2)$:
$Y_0 = k \cdot \alpha$ → point on the elliptic curve.
$Y_1 = c_1 \cdot x_1 \bmod p$ → integer.
$Y_2 = c_2 \cdot x_2 \bmod p$ → integer.

Decryption:
1. Compute $a \cdot Y_0 = (c_1, c_2)$: $a \cdot Y_0 = a \cdot k \cdot \alpha = k \cdot \beta = (c_1, c_2)$.
2. Decrypt: $d_{k_{pr}}(Y_0, Y_1, Y_2) = (Y_1 \cdot c_1^{-1} \bmod p, \; Y_2 \cdot c_2^{-1} \bmod p) = (x_1, x_2)$.

Remark: The disadvantage of this scheme is the message expansion factor:

$$\frac{\#\text{bits}(y)}{\#\text{bits}(x)} = \frac{4 \lceil \log_2 p \rceil}{2 \lceil \log_2 p \rceil} = 2$$

10.3 Implementation

1. Hardware: Approximately 0.2 msec for an elliptic curve point multiplication with 167 bits on an FPGA [OP00].
2. Software: One elliptic curve point multiplication $a \cdot P$ in less than 10 msec over $GF(2^{155})$. Implementation on 8-bit smart card processor without coprocessor available.

Chapter 11 ElGamal Encryption Scheme

11.1 Cryptosystem

Remarks:
Published in 1985.
Based on the DL problem in $\mathbb{Z}_p^*$ or $GF(2^k)$.
Extension of the D-H key exchange for encryption.

Protocol:
Alice: choose private key $k_{prA} = a_A$; compute $k_{pubA} = \alpha^{a_A} \bmod p = b_A$.
Bob: choose private key $k_{prB} = a_B$; compute $k_{pubB} = \alpha^{a_B} \bmod p = b_B$.
Alice → Bob: $b_A$
Bob → Alice: $b_B$
Alice: $k_{AB} = b_B^{a_A} = \alpha^{a_A a_B} \bmod p$; $y = x \cdot k_{AB} \bmod p$.
Alice → Bob: $y$
Bob: $k_{AB} = b_A^{a_B} = \alpha^{a_B a_A} \bmod p$; $x = y \cdot k_{AB}^{-1} \bmod p$.

ElGamal:

Set-up:
1. Choose a large prime $p$.
2. Choose a primitive element $\alpha \in \mathbb{Z}_p^*$.
3. Choose a secret key $a \in \{2, 3, \ldots, p - 2\}$.
4. Compute $\beta = \alpha^a \bmod p$.
5. Public Key: $K_{pub} = (p, \alpha, \beta)$.
6. Private Key: $K_{pr} = a$.

Encryption:
1. Choose $k \in \{2, 3, \ldots, p - 2\}$.
2. $Y_1 = \alpha^k \bmod p$.
3. $Y_2 = x \cdot \beta^k \bmod p$.
4. Encryption: $e_{k_{pub}}(x, k) = (Y_1, Y_2)$.

Decryption:
$x = d_{k_{pr}}(Y_1, Y_2) = Y_2 (Y_1^a)^{-1} \bmod p$.

Question: How does the ElGamal scheme work?

$d_{k_{pr}}(Y_1, Y_2) = Y_2 (Y_1^a)^{-1} = x \cdot \beta^k \cdot ((\alpha^k)^a)^{-1}$; but $\beta = \alpha^a$:
$= x \cdot (\alpha^a)^k \cdot ((\alpha^k)^a)^{-1} = x \cdot \alpha^{ak} \cdot \alpha^{-ak} = x$

Remarks:
ElGamal is essentially an extension of the D-H key exchange protocol.
If the same $k$ is used for two blocks, $Y_2 = x_1 \cdot \beta^k$ and $Y_3 = x_2 \cdot \beta^k$; if $x_1$ is known, $\beta^k$ can be found from $Y_2$. Thus for every message block $x_i$ choose a new $k$!
Message expansion factor:

$$\frac{\# \text{ of } y \text{ bits}}{\# \text{ of } x \text{ bits}} = \frac{2 \lceil \log_2 p \rceil}{\lceil \log_2 p \rceil} = 2$$

11.2 Computational Aspects

11.2.1 Encryption

$Y_1 = \alpha^k \bmod p$
$Y_2 = x \cdot \beta^k \bmod p$
→ apply the square-and-multiply algorithm for exponentiation.

11.2.2 Decryption

$x = d_{k_{pr}}(Y_1, Y_2) = Y_2 (Y_1^a)^{-1} \bmod p$.

Question: How can $(Y_1^a)^{-1}$ be computed efficiently?

Derivation: $b \in \mathbb{Z}_p^*$:
$b^e = b^{q(p-1) + r} = (b^{p-1})^q \cdot b^r = 1^q \cdot b^r \bmod p = b^r \bmod p$
$\Rightarrow e \equiv r \bmod (p - 1)$
Thus, $b^e \equiv b^{e \bmod (p-1)} \bmod p$, where $b \in \mathbb{Z}_p^*$ and $e \in \mathbb{Z}$.

The above derivation can be used for decryption:
$(Y_1^a)^{-1} = Y_1^{-a} = Y_1^{-a \bmod (p-1)} \bmod p = Y_1^{p - 1 - a} \bmod p$

Note: $Y_1^{p - 1 - a} \bmod p$ can be computed using the square-and-multiply algorithm.

11.3 Security of ElGamal

Oscar knows: $p$, $\alpha$, $\beta = \alpha^a$, $Y_1 = \alpha^k$, $Y_2 = x \cdot \beta^k$.
Oscar wants to know: $x$.

He attempts to find the secret key $a$:
1. $a = \log_\alpha \beta \bmod p$ → hard, DL problem.
2. $x = Y_2 (Y_1^a)^{-1} \bmod p$ → easy.

He attempts to find the random exponent $k$:
1. $k = \log_\alpha Y_1 \bmod p$ → hard, DL problem.
2. $Y_2 \cdot \beta^{-k} = x$ → easy.

→ In both cases Oscar has to compute the DL problem in the finite fields $\mathbb{Z}_p^*$ or $GF(2^k)$. He can use the index-calculus method, which forces us to implement schemes with at least 1024 bits.
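ElGamal encryption and decryption of Sec. 11.1 with the decryption exponent $p - 1 - a$ of Sec. 11.2.2 in place of an explicit inverse, plus a check of the remark on reusing $k$ (with one known block, $\beta^k$ and every other block under the same $k$ fall out), as an added example (not code from the lecture notes). Function names and the toy parameters $p = 11$, $\alpha = 2$, $a = 3$ are my own.

```python
# Added example, not from the lecture notes: ElGamal encryption/decryption in
# Z_p^* and the effect of reusing the random exponent k.


def elgamal_setup(p: int, alpha: int, a: int):
    """Public key (p, alpha, beta = alpha^a mod p), private key a."""
    return (p, alpha, pow(alpha, a, p)), a


def elgamal_encrypt(k_pub, x: int, k: int):
    """(Y1, Y2) = (alpha^k, x * beta^k) mod p; k must be fresh for every block."""
    p, alpha, beta = k_pub
    return pow(alpha, k, p), x * pow(beta, k, p) % p


def elgamal_decrypt(k_pub, a: int, ct) -> int:
    """x = Y2 * (Y1^a)^{-1} = Y2 * Y1^{p-1-a} mod p, since b^e = b^{e mod (p-1)}."""
    p = k_pub[0]
    y1, y2 = ct
    return y2 * pow(y1, p - 1 - a, p) % p


def mask_from_known_block(k_pub, ct_known, x_known: int) -> int:
    """Sec. 11.1 remark: from Y2 = x1 * beta^k and a known x1, beta^k = Y2 * x1^{-1}.
    No private key is involved, which is why k must never be repeated."""
    p = k_pub[0]
    return ct_known[1] * pow(x_known, -1, p) % p


def unmask_other_block(k_pub, ct_other, mask: int) -> int:
    """A second block encrypted under the same k is Y3 = x2 * beta^k; divide out the mask."""
    p = k_pub[0]
    return ct_other[1] * pow(mask, -1, p) % p


def roundtrip(p: int, alpha: int, a: int, x: int, k: int) -> bool:
    k_pub, priv = elgamal_setup(p, alpha, a)
    return elgamal_decrypt(k_pub, priv, elgamal_encrypt(k_pub, x, k)) == x
```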

Chapter 12 Digital Signatures

Protocols use:
Private-key algorithms.
Public-key algorithms.
Digital Signatures.
Hash functions.
Message Authentication Codes.
as building blocks. In practice, protocols are often the most vulnerable part of a cryptosystem. The next two chapters deal with digital signatures, message authentication codes (MACs), and hash functions.

12.1 Principle

The idea is similar to a conventional signature where a given message $x$ gets a unique digital signature which is a function of the message and is attached to the message.

Figure 12.1: Digital signature and message block (message $x$ followed by the signature $f(\text{message}) = f(x)$)

Figure 12.2: Digital signature and message domain (message space → signature space via $sig_{K_{pr}}(x) = y$; verification $ver_{K_{pub}}(x, y) = $ true if $y = sig(x)$, false if $y \neq sig(x)$)

Basic protocol:
1. Bob signs his message $x$ with his private key $k_{pr}$: $y = sig_{k_{pr}}(x)$.
2. Bob sends $(y, x)$ to Alice.
3. Alice runs the verification function $ver_{k_{pub}}(x, y)$ with Bob's public key.

Properties of digital signatures:
Only Bob can sign his document with $k_{pr}$.
Everyone can verify the signature with $k_{pub}$.
Authentication: Alice is sure that Bob signed the message.
Integrity: Message $x$ cannot be altered since that would be detected through verification.
Non-repudiation.

12.2 RSA Signature Scheme

Set-up: $k_{pr} = (p, q, a)$; $k_{pub} = (n, b)$.

General Protocol:
1. Bob computes: $y = sig_{k_{pr}}(x) = e_{k_{pr}}(x) = x^a \bmod n$.
2. Bob sends $(x, y)$ to Alice.
3. Alice verifies:

$$ver_{k_{pub}}(x, y) = d_{k_{pub}}(y) = y^b \begin{cases} = x & \Rightarrow \text{true} \\ \neq x & \Rightarrow \text{false} \end{cases}$$

Question: Why does it work?

$d_{k_{pub}}(y) = d_{k_{pub}}(e_{k_{pr}}(x)) = x$.

Remark:
The roles of public/private key are exchanged if compared with RSA public-key encryption.
This algorithm was standardized in ISO/IEC 9796.

Drawback:
Oscar can generate a valid signature for a random message $x$:
1. Choose a signature $y \in \mathbb{Z}_n$.
2. Encrypt: $x = e_{k_{pub}}(y) = y^b \bmod n$ → the outcome $x$ cannot be controlled.
3. Send $(x, y)$ to Alice.
4. Alice verifies: $ver_{k_{pub}}(x, y)$: $y^b \equiv x \bmod n$ → true.

12.3 ElGamal Signature Scheme

Remarks:
The ElGamal signature scheme is different from ElGamal encryption.
The Digital Signature Algorithm (DSA) is a modification of the ElGamal signature scheme.
This scheme was published in 1985.

Set-up:
1. Choose a prime $p$.
2. Choose a primitive element $\alpha \in \mathbb{Z}_p^*$.
3. Choose random $a \in \{2, 3, \ldots, p - 2\}$.
4. Compute $\beta = \alpha^a \bmod p$.
Public key: $k_{pub} = (p, \alpha, \beta)$.
Private key: $k_{pr} = a$.

Signing:
1. Choose random $k \in \{0, 1, 2, \ldots, p - 2\}$ such that $\gcd(k, p - 1) = 1$.
2. Compute the signature: $sig_{k_{pr}}(x, k) = (\gamma, \delta)$, where
$\gamma = \alpha^k \bmod p$
$\delta = (x - a \cdot \gamma) \cdot k^{-1} \bmod (p - 1)$

Public verification:

$$ver_{k_{pub}}(x, (\gamma, \delta)) = \beta^\gamma \gamma^\delta \begin{cases} \equiv \alpha^x \bmod p & \Rightarrow \text{valid signature} \\ \not\equiv \alpha^x \bmod p & \Rightarrow \text{invalid signature} \end{cases}$$

Question: Why does this scheme work?

$\beta^\gamma \gamma^\delta = (\alpha^a)^\gamma (\alpha^k)^{(x - a\gamma) k^{-1} \bmod (p-1)} = \alpha^{a\gamma} \cdot \alpha^{k k^{-1} (x - a\gamma)} = \alpha^{a\gamma} \cdot \alpha^{x - a\gamma} = \alpha^{a\gamma - a\gamma + x} = \alpha^x \bmod p$

Chapter 13 Hash Functions

13.1 Introduction

The problem with digital signatures is that long messages require very long signatures. We would like, for performance as well as for security reasons, to have one signature for a message of arbitrary length. The solution to this problem are hash functions.

Figure 13.1: Hash functions and digital signatures ($x$ is of arbitrary length → hash $z = h(x)$, computed blockwise as $z_i = h(x_i \| z_{i-1})$, $z$ is of fixed length → $y = sig_{k_{pr}}(z)$, $y$ is of fixed length)

Remarks:
$z$, $x$ don't have the same length.
$h(x)$ has no key.
$h(x)$ is public.

Basic Protocol:
Bob: (1) $z = h(x)$; (2) $y = sig_{k_{pr}}(z)$.
Bob → Alice: $(x, y)$
Alice: (3) receive $(x, y)$; (4) $z = h(x)$; (5) $ver_{k_{pub}}(z, y)$.

Potential hash function properties:
(a) One-way: for almost all given outputs $z$, it is impossible to find any input $x$ such that $h(x) = z$.
(b) Weak collision resistant: given $x$, and thus $h(x)$, it is impossible to find any $x'$ such that $h(x) = h(x')$.
(c) Strong collision resistant: it is impossible to find any two pairs $x, x'$ such that $h(x) = h(x')$.

Requirements for a hash function (Adopted from [Sta95]):
1. $h(x)$ can be applied to $x$ of any size.
2. $h(x)$ produces a fixed length output.
3. $h(x)$ is relatively easy to compute in software and hardware.
4. $h(x)$ is one-way.
5. $h(x)$ is weak collision resistant.
6. $h(x)$ is strong collision resistant.

Discussion:
(1)-(3) are practical requirements.
(4) If $h(x)$ is not one-way, Oscar can compute $x$ from $h(x)$ in cases where $x$ is encrypted.
(5) If $h(x)$ is not weak collision free, Oscar can replace $x$ with $x'$:
Bob: $z = h(x)$, $y = sig_{K_{pr}}(z)$; Bob → Oscar: $(x, y)$; Oscar → Alice: $(x', y)$; Alice: $z = h(x') = h(x)$, $ver_{K_{pub}}(z, y) = $ true.
(6) If $h(x)$ is not strong collision free, Oscar runs the following attack:
(a) Choose a legitimate message $x_1$ and a fraudulent message $x_2$.
(b) Alter $x_1$ and $x_2$ at "non-visible" locations, i.e. replace tabs through spaces, append returns, etc., until $h(x_1') = h(x_2')$. Note: e.g. 64 alteration locations allow $2^{64}$ versions of a message with $2^{64}$ different hash values.
(c) Let Bob sign $x_1'$ → $(x_1', sig_{K_{pr}}(h(x_1')))$.
(d) Replace $x_1'$ → $x_2'$ and obtain $(x_2', sig_{K_{pr}}(h(x_2')))$.

13.2 Security Considerations

Question: How many people are needed at a party so that there is a 50% chance that at least two people have the same birthday?

In general, given a large set with $n$ different values:

$$P(\text{no collision among } k \text{ random elements}) = \underbrace{\left(1 - \frac{1}{n}\right)}_{k = 2 \text{ elt.}} \underbrace{\left(1 - \frac{2}{n}\right)}_{k = 3 \text{ elt.}} \cdots \underbrace{\left(1 - \frac{k - 1}{n}\right)}_{k \text{ elt.}} = \prod_{i=1}^{k-1} \left(1 - \frac{i}{n}\right)$$

Often $n$ is large ($n = 365$ in the birthday paradox, $n = 2^{160}$ in hash functions). Recall:

$$e^{-x} = 1 - x + \frac{x^2}{2!} - \frac{x^3}{3!} + \cdots$$

If $x \ll 1$: $e^{-x} \approx 1 - x$. Thus,

$$P(\text{no collision}) \approx \prod_{i=1}^{k-1} e^{-i/n} = e^{-1/n} e^{-2/n} e^{-3/n} \cdots e^{-(k-1)/n} = e^{-\frac{1 + 2 + 3 + \cdots + (k-1)}{n}}$$

Rewriting the exponent with the help of the following identity: $1 + 2 + 3 + \cdots + (k - 1) = k(k - 1)/2$. We obtain:

$$P(\text{no collision}) \approx e^{-\frac{k(k-1)}{2n}}$$

Define $\varepsilon$ as $\varepsilon \stackrel{\text{DEF}}{=} P(\text{at least one collision}) = 1 - P(\text{no collision}) \approx 1 - e^{-\frac{k(k-1)}{2n}}$.

$$1 - \varepsilon \approx e^{-\frac{k(k-1)}{2n}} \;\Rightarrow\; \ln(1 - \varepsilon) \approx -\frac{k(k-1)}{2n} \;\Rightarrow\; k(k - 1) \approx -2n \ln(1 - \varepsilon) = 2n \ln \frac{1}{1 - \varepsilon}$$

If $k \gg 1$, then $k^2 \approx k(k - 1) \approx 2n \ln \frac{1}{1 - \varepsilon}$, so

$$k \approx \sqrt{2n \ln \frac{1}{1 - \varepsilon}}$$

Example: $\varepsilon = 0.5$: $k = \sqrt{2n \ln \frac{1}{1 - 0.5}} = \sqrt{2 \ln 2} \sqrt{n} = 1.18 \sqrt{n}$.

→ A collision in a set of $n$ values is found after about $\sqrt{n}$ trials with a probability of 0.5. In other words, a hash function with 40 bit output → collision after $\approx \sqrt{2^{40}} = 2^{20}$ trials.
→ In order to provide collision resistance in practice, the output space of the hash function should contain at least $2^{160}$ elements, that is, the hash function should have at least 160 output bits. Finding a collision then takes roughly $\sqrt{2^{160}} = 2^{80}$ steps.

13.3 Hash Algorithms

Overview:

Figure 13.2: Family of Hash Algorithms (customized, e.g. MD4 family; modular arithmetic based (rare, often insecure); block cipher based)

(a) MD4 family
1. SHA-1
Output: 160 bits → input size for DSS.
Input: 512 bit chunks of message $x$.
Operations: bitwise AND, OR, XOR, complement and cyclic shift.
2. RIPE-MD 160
Output: 160 bits.
Input: 512 bit chunks of message $x$.
Operations: same as SHA but runs two algorithms in parallel whose outputs are combined after each round.

(b) Hash functions from block ciphers

Figure 13.3: Hash Functions from Block Ciphers ($x_i$ and $H_{i-1}$ are $n$ bits; $g(H_{i-1})$ is the $m$-bit key of $e$; $H_i = e_{g(H_{i-1})}(x_i) \oplus x_i$)

where $g$ is a simple $n$-to-$m$ bit mapping function (if $n = m$, $g$ can be the identity mapping). The last output $H_l$ is the hash of the whole message $x_1, x_2, \ldots, x_l$.

Also secure are:

$H_i = H_{i-1} \oplus e_{x_i}(H_{i-1})$

$H_i = H_{i-1} \oplus x_i \oplus e_{g(H_{i-1})}(x_i)$

Remark: For block ciphers with less than 128 bit block length, different techniques must be used (Sec. 9.4.1 (ii) in [AM97]).
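The birthday-bound derivation of Sec. 13.2 as functions (exact product, the $e^{-k(k-1)/2n}$ approximation, the $k \approx \sqrt{2n \ln \frac{1}{1-\varepsilon}}$ estimate) plus an empirical check on SHA-1 truncated to a few output bits, as an added example (not code from the lecture notes). Function names are my own; the truncated hash stands in for the 40-bit function of the text.

```python
# Added example, not from the lecture notes: the birthday bound of Sec. 13.2.

import hashlib
import math
import random


def p_no_collision_exact(n: int, k: int) -> float:
    """prod_{i=1}^{k-1} (1 - i/n)."""
    prob = 1.0
    for i in range(1, k):
        prob *= 1 - i / n
    return prob


def p_no_collision_approx(n: int, k: int) -> float:
    """e^{-k(k-1)/(2n)}, from e^{-x} ~ 1 - x for small x."""
    return math.exp(-k * (k - 1) / (2 * n))


def trials_for_collision(n: float, eps: float = 0.5) -> float:
    """k ~ sqrt(2 n ln(1/(1-eps))); eps = 0.5 gives 1.18 sqrt(n)."""
    return math.sqrt(2 * n * math.log(1 / (1 - eps)))


def collision_work_bits(output_bits: int, eps: float = 0.5) -> float:
    """log2 of the trials against a hash with the given output length."""
    return output_bits / 2 + math.log2(math.sqrt(2 * math.log(1 / (1 - eps))))


def trials_until_collision(output_bits: int, rng) -> int:
    """Hash distinct inputs with SHA-1 truncated to output_bits and return how
    many hashes were computed when the first repeated digest appeared."""
    prefix = rng.getrandbits(64)               # random per run, inputs stay distinct
    seen = set()
    trials = 0
    while True:
        trials += 1
        msg = ((prefix << 32) | trials).to_bytes(12, "big")
        full = int.from_bytes(hashlib.sha1(msg).digest(), "big")
        digest = full >> (160 - output_bits)   # keep the top output_bits bits
        if digest in seen:
            return trials
        seen.add(digest)


def seeded_rng(seed: int):
    return random.Random(seed)
```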

Chapter 14 Message Authentication Codes (MACs)

Other names: "cryptographic checksum" or "keyed hash function". Private-key based.

14.1 Principle

Figure 14.1: MAC and message domain (message space → signature space via "signing" $MAC_K(x) = y$; verification checks $MAC_K(x) \stackrel{?}{=} y$)

Protocol:
Bob: (1) $y = MAC_K(x)$.
Bob → Alice: (2) $(x, y)$.
Alice: (3) $y' = MAC_K(x)$; $y' \stackrel{?}{=} y$.

Properties:
1. Generate a signature for a given message.
2. Private-key based: signing and verifying party must share a secret key.
3. Accepts messages of arbitrary length and generates a fixed size signature.
Properties 2 and 3 are different from digital signatures.

Idea: To use one of the block cipher's chaining modes to generate the signature.

14.2 MACs from Block Ciphers

CBC mode:
$y_0 = e_k(x_0 \oplus IV) = e_k(x_0 \oplus 0000\ldots)$
$y_i = e_k(x_i \oplus y_{i-1})$
$X = (x_0, x_1, \ldots, x_{m-1})$
$MAC_k(X) = y_{m-1}$

Figure 14.2: MAC in CBC mode (sender: blocks $X_1, \ldots, X_n$ chained through $e$ with $Y_0 = IV$ to produce $Y_n$; receiver: the same chain on $X_1, \ldots, X_n$, compare $Y_n \stackrel{?}{=}$ received $Y_n$)

Verification: Run the same process on the receiving end.

Remark: CBC with DES is standardized (ANSI X9.17).

14.3 HMAC

Popular in modern protocols such as SSL.
Attractive property: HMAC can be proven to be secure under certain assumptions about the hash function. "Secure" means here that the hash function has to be broken in order to break the HMAC.

Basic idea: Hash a secret key $K$ together with the message $M$ and consider the hash output the authentication tag for the message: $H(K \| M)$.

Details:

$$HMAC_K(M) = H\left[ (K^+ \oplus opad) \,\|\, H\left[ (K^+ \oplus ipad) \,\|\, M \right] \right]$$

where
$K^+$ = $K$ padded with zeros on the left so that the result is $b$ bits in length, where $b$ is the number of bits in a block.
$ipad$ = 00110110 repeated $b/8$ times.
$opad$ = 01011010 repeated $b/8$ times.
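The HMAC construction above built from SHA-1 in `hashlib` and checked against Python's `hmac` module, as an added example (not code from the lecture notes). It follows RFC 2104, which pads $K$ with zeros on the right, hashes keys longer than one block first, and uses ipad = 0x36 (00110110) and opad = 0x5c (01011100); function names are my own.

```python
# Added example, not from the lecture notes: HMAC from the nested-hash formula.

import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, hashfunc=hashlib.sha1) -> bytes:
    """H[(K+ xor opad) || H[(K+ xor ipad) || M]] with b = block size of H."""
    b = hashfunc().block_size                   # 64 bytes for SHA-1 (512-bit blocks)
    if len(key) > b:
        key = hashfunc(key).digest()            # RFC 2104: long keys are hashed first
    k_plus = key + b"\x00" * (b - len(key))     # K+: key padded to b bytes
    ipad = bytes([0x36]) * b                    # 00110110 repeated b/8 times
    opad = bytes([0x5c]) * b                    # 01011100 repeated b/8 times
    k_ipad = bytes(x ^ y for x, y in zip(k_plus, ipad))
    k_opad = bytes(x ^ y for x, y in zip(k_plus, opad))
    inner = hashfunc(k_ipad + msg).digest()
    return hashfunc(k_opad + inner).digest()


def hmac_reference(key: bytes, msg: bytes, hashfunc=hashlib.sha1) -> bytes:
    """The standard library's HMAC, used as an independent check."""
    return hmac.new(key, msg, hashfunc).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so the comparison itself does not
    leak how many leading tag bytes were correct."""
    return hmac.compare_digest(hmac_manual(key, msg), tag)
```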

Chapter 15 Security Services

15.1 Attacks Against Information Systems

Figure: flows between an information source and an information destination: (a) normal flow; (b) interruption; (c) interception; (d) modification; (e) fabrication.

Remarks:
Passive attacks: (c) → interception.
Active attacks: (b) → interruption, (d) → modification, (e) → fabrication.

15.2 Introduction

Security Services are goals which information security systems try to achieve. Note that cryptography is only one module in information security systems. The main security services are:

Confidentiality/Privacy. Information is kept secret from all but authorized parties.
Message (Sender) Authentication. Ensures that the sender of a message is who she/he claims to be.
Integrity. Ensures that a message has not been modified in transit.
Non-repudiation. Ensures that the sender of a message can not deny the creation of the message.
Identification/Entity Authentication. Establishing of the identity of an entity (e.g. a person, computer, credit card).
Access Control. Restricting access to the resources to privileged entities.

Remark: Message Authentication implies data integrity; the opposite is not true.

15.3 Privacy

Tool: Encryption algorithm.

(a) Private-Key: $y = e_k(x)$, $x = d_k(y)$.

Provides:
- privacy
- message authentication and integrity, but only if Bob can distinguish between valid and invalid $x$ and if there are only two parties
- no non-repudiation

Remark: In practice, authentication and integrity are often achieved with MACs (Chapter 14).

(b) Public-Key: $y = e_{k_{pub,B}}(x)$, $x = d_{k_{pr,B}}(y)$.

Provides:
- privacy
- integrity, if invalid $x$ can be detected
- no message authentication

15.4 Integrity and Sender Authentication

Recall: Sender authentication implies integrity.

15.4.1 Digital Signatures

Alice: $y = sig_{K_{pr,A}}(h(x))$; Alice → Bob: $(x, y)$; Bob: $ver_{K_{pub,A}}(h(x), y)$ → true / false.

Provides:
- integrity
- sender authentication
- non-repudiation (only Alice can construct a valid signature)

15.4.2 MACs

Alice: $y = MAC_K(x)$; Alice → Bob: $(x, y)$; Bob: recompute $MAC_K(x)$ and compare with $y$ → true / false.

Provides:
- integrity
- authentication
- no non-repudiation

15.4.3 Integrity and Encryption

Alice: $y = h(x)$, $c = e_K(x, y)$; Alice → Bob: $c$; Bob: $(x, y) = d_K(c)$, compute $h(x)$ and compare with $y$.

Provides:
- privacy
- integrity
- authentication
- no non-repudiation

Remark: Instead of hash functions, MACs are also possible. In this case: $c = e_{K_1}(x, MAC_{K_2}(x))$.

This scheme adds strong authentication and integrity to an encryption protocol with very little computational overhead.

Chapter 16 Key Establishment

16.1 Introduction

Figure 16.1: Key establishment schemes. Secret key establishment splits into key distribution (one party generates the secret key and distributes it) and key agreement (both parties generate the secret key jointly).

Remark: Some schemes make use of a trusted authority (TA) which is trusted by and can communicate with all users.

16.2 Private-Key Approaches


16.2.1 The n^2 Key Distribution Problem

TA generates a key for every pair of users.

Example: n = 4 users.

TA ---- secure channels ----> A: K_AB, K_AC, K_AD
                              B: K_AB, K_BC, K_BD
                              C: K_AC, K_BC, K_CD
                              D: K_AD, K_BD, K_CD

Figure 16.2: The role of the Trusted Authority

Drawbacks:
- n secure channels are needed
- each user must store n - 1 keys
- TA must transmit n(n - 1) keys
- TA must generate n(n - 1)/2 ≈ n^2/2 keys
- every new network user makes updates at all other users necessary --> scales badly


16.2.2 Key Distribution Center (KDC)

TA is a KDC: TA shares a secret key with each user and generates session keys.

a) Basic protocol:

k_s = session key between Alice and Bob
k_{A,KDC} = secret key between Alice and KDC (key encryption key, KEK)
k_{B,KDC} = secret key between Bob and KDC (key encryption key, KEK)

KDC:   y_A = e_{k_{A,KDC}}(k_s) --> Alice,   y_B = e_{k_{B,KDC}}(k_s) --> Bob
Alice: k_s = d_{k_{A,KDC}}(y_A)
Bob:   k_s = d_{k_{B,KDC}}(y_B)
Alice: y = e_{k_s}(x) --> Bob: x = d_{k_s}(y)

Remarks:
- TA stores only n keys
- each user stores only one key

b) Modified (advanced) protocol:

1a. KDC: y_A = e_{k_A}(k_s)
1b. KDC: y_B = e_{k_B}(k_s)
2. KDC --> Alice: (y_A, y_B)
3. Alice: k_s = d_{k_A}(y_A)
4. Alice: y = e_{k_s}(x)
5. Alice --> Bob: (y, y_B)
6. Bob: k_s = d_{k_B}(y_B)
7. Bob: x = d_{k_s}(y)

Remark: This approach is the basis for Kerberos.
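The modified protocol b), simulated end to end as an added example that is not part of the lecture notes. The KDC holds exactly one key-encryption key per enrolled user, hands Alice both tickets y_A and y_B, and Bob never talks to the KDC himself. e_k / d_k are realised with a labelled toy SHAKE256 keystream XOR (the standard library has no block cipher); the user names "Alice" and "Bob" and the sample message are constructed:

```python
import hashlib
import secrets

NONCE_LEN = 16


def xor_keystream(k: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for e_k / d_k (XOR with a SHAKE256 keystream); illustration only."""
    ks = hashlib.shake_256(k + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def e(k: bytes, x: bytes) -> bytes:
    """e_k(x): a fresh nonce is prefixed so that equal plaintexts never repeat."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor_keystream(k, nonce, x)


def d(k: bytes, y: bytes) -> bytes:
    """d_k(y): inverse of e."""
    return xor_keystream(k, y[:NONCE_LEN], y[NONCE_LEN:])


class KDC:
    """Trusted authority holding one key-encryption key (KEK) per user."""

    def __init__(self):
        self.kek = {}                      # user name -> KEK: n keys for n users

    def enroll(self, user: str) -> bytes:
        """Establish the long-term KEK with a user (assumed secure channel)."""
        self.kek[user] = secrets.token_bytes(32)
        return self.kek[user]

    def session_tickets(self, a: str, b: str):
        """Steps 1a, 1b: y_A = e_kA(k_s), y_B = e_kB(k_s) for a fresh k_s."""
        k_s = secrets.token_bytes(32)
        return e(self.kek[a], k_s), e(self.kek[b], k_s)


def run_modified_protocol(kdc: KDC, k_a: bytes, k_b: bytes, x: bytes) -> bytes:
    """Steps 2-7 of the modified protocol; returns what Bob recovers."""
    y_a, y_b = kdc.session_tickets("Alice", "Bob")   # step 2: KDC -> Alice
    k_s_alice = d(k_a, y_a)                         # step 3: Alice opens her ticket
    y = e(k_s_alice, x)                             # step 4: Alice encrypts x
    # step 5: Alice -> Bob: (y, y_B). Bob never contacts the KDC himself.
    k_s_bob = d(k_b, y_b)                           # step 6: Bob opens his ticket
    return d(k_s_bob, y)                            # step 7: Bob decrypts x


def demo():
    """Constructed run with two users; returns Bob's plaintext and the KDC key count."""
    kdc = KDC()
    k_a, k_b = kdc.enroll("Alice"), kdc.enroll("Bob")
    recovered = run_modified_protocol(kdc, k_a, k_b, b"meet at noon")
    return recovered, len(kdc.kek)


if __name__ == "__main__":
    print(demo())
```

Note that, exactly as in the protocol above, the tickets carry only k_s: the toy e_k gives no integrity, and a deployed KDC (Kerberos included) additionally binds identities and a lifetime into each ticket and authenticates it, so that a ticket cannot be altered or passed off as belonging to someone else.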



16.3 Public-Key Approaches

16.3.1 Man-In-The-Middle Attack

D-H key exchange revisited. Set-up:
- find a large prime p
- find a primitive element α ∈ Z_p

Protocol:
Alice: pick kpr_A = a_A ∈ {2, 3, ..., p - 2}, compute kpub_A = b_A = α^{a_A} mod p
Bob: pick kpr_B = a_B ∈ {2, 3, ..., p - 2}, compute kpub_B = b_B = α^{a_B} mod p
Alice --> b_A --> Bob,   Alice <-- b_B <-- Bob
Alice: k_AB = b_B^{a_A} = α^{a_A a_B} mod p
Bob: k_AB = b_A^{a_B} = α^{a_A a_B} mod p

Security:
1. passive attacks: security relies on the Diffie-Hellman problem, thus p ≥ 2^1000
2. active attack: Man-in-the-middle attack:

Alice                        Oscar                                       Bob
b_A -->                      intercepts b_A, forwards b_O = α^{a_O} -->  receives b_O
receives b_O <--             intercepts b_B, forwards b_O            <--  b_B
k_AO = b_O^{a_A}             k_AO = b_A^{a_O},  k_BO = b_B^{a_O}          k_BO = b_O^{a_B}
y = e_{k_AO}(x) -->          x = d_{k_AO}(y);  y' = e_{k_BO}(x') -->      x' = d_{k_BO}(y')

Remarks:
Oscar can read and alter x without detection. Underlying problem: public keys are not authenticated.

The man-in-the-middle attack applies to all public-key schemes.

16.3.2 Certificates

Certificates bind ID information (e.g., name, social security number) to a public key through digital signatures.

General structure of certificates:
1. Each user U:
   ID_U = ID information such as user name, e-mail address, SSN, etc.
   private key: Kpr_U
   public key: Kpub_U
2. Certifying Authority (CA):
   secret signature algorithm sig_TA
   public verification algorithm ver_TA
   certificates for each user U: C(U) = (ID_U, Kpub_U, sig_TA(ID_U, Kpub_U))

General requirement: all users have the correct verification algorithm ver_TA with the TA's public key.


Figure 16.3: General structure of the certificate C(U): ID(U) | Kpub_U | sig_TA(ID(U), Kpub_U)

Figure 16.4: Detailed structure of an X.509 certificate:
- Version
- Serial Number
- Algorithm Identifier: Algorithm, Parameters
- Issuer
- Period of Validity: Not Before Date, Not After Date
- Subject
- Subject's Public Key: Algorithm, Parameters, Public Key
- Signature


Remarks:
Certificate structures are specified in X.509, "authentication services for the X.500 directory" recommendation (CCITT).

16.3.3 Diffie-Hellman Exchange with Certificates

Idea: As standard D-H, but each user's public key is authenticated by a certificate.

Alice: Kpub_A = b_A, Kpr_A = a_A                   Bob: Kpub_B = b_B, Kpr_B = a_B
Alice --> C(A) = (ID_A, b_A, sig_CA(ID_A, b_A)) --> Bob
Alice <-- C(B) = (ID_B, b_B, sig_CA(ID_B, b_B)) <-- Bob
Alice: 1. ver_CA(ID_B, b_B)                        Bob: 1. ver_CA(ID_A, b_A)
       2. k_AB = b_B^{a_A} = α^{a_A a_B}                2. k_AB = b_A^{a_B} = α^{a_A a_B}

Remaining major problems with CAs:
1. The CA's public key must initially be distributed in an authenticated manner!
2. The identity of the user must be established by the CA.
3. Certificate Revocation Lists (CRLs) must be distributed.

16.3.4 Authenticated Key Agreement

Idea: Alice and Bob sign their own public keys. The signatures can be correctly verified through certificates.

Set-up:
- public verification key for ver_TA
- public prime p
- public primitive element α ∈ Z_p

Protocol:
TA --> Alice: C(A) = (ID_A, ver_A, sig_TA(ID_A, ver_A))
TA --> Bob:   C(B) = (ID_B, ver_B, sig_TA(ID_B, ver_B))

Alice:
1. kpr_A = a_A
2. kpub_A = b_A = α^{a_A} mod p
Alice --> b_A --> Bob
Bob:
3. kpr_B = a_B
4. kpub_B = b_B = α^{a_B} mod p
5. k_AB = b_A^{a_B} = α^{a_A a_B} mod p
6. y_B = sig_B(b_B, b_A)
Alice <-- (C(B), b_B, y_B) <-- Bob
Alice:
7. ver_TA(C(B)): true / false
8. ver_B(y_B): true / false
9. k_AB = b_B^{a_A} = α^{a_A a_B} mod p
10. y_A = sig_A(b_A, b_B)
Alice --> (C(A), y_A) --> Bob
Bob:
11. ver_TA(C(A)): true / false
12. ver_A(y_A): true / false

Remark:
This scheme is also known as the station-to-station protocol and is the basis for ISO 9798-3.
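The station-to-station protocol above, together with the certificates of 16.3.2/16.3.3 and the man-in-the-middle attempt of 16.3.1, as one added example that is not part of the lecture notes. It assumes constructed toy parameters: the D-H group is the prime 998244353 with primitive element 3, and TA, Alice and Bob each hold a textbook RSA key pair built from small known primes (real deployments use standardized 2048-bit or larger groups and keys). Certificates are C(U) = (ID_U, ver_U, sig_TA(ID_U, ver_U)); the function returns whether each side accepts and whether the two derived keys agree, with an optional substitution of b_A in transit to show that step 8 rejects it:

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only.
P, ALPHA = 998244353, 3


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes: returns (public, private) as (n, exponent)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def h(n: int, *parts) -> int:
    """Hash the signed values to an integer below the signer's modulus."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sig(kpr, *parts) -> int:
    """sig_U(...): RSA signature on h(...)."""
    n, dexp = kpr
    return pow(h(n, *parts), dexp, n)


def ver(kpub, y: int, *parts) -> bool:
    """ver_U(y, ...): true / false."""
    n, eexp = kpub
    return pow(y, eexp, n) == h(n, *parts)


# TA, Alice and Bob each hold their own (toy) RSA key pair.
VER_TA, SIG_TA = rsa_keypair(2305843009213693951, 4294967291)
VER_A, SIG_A = rsa_keypair(2147483647, 1000000007)
VER_B, SIG_B = rsa_keypair(1000000009, 998244353)


def certificate(id_u: str, ver_u):
    """C(U) = (ID_U, ver_U, sig_TA(ID_U, ver_U))."""
    return (id_u, ver_u, sig(SIG_TA, id_u, ver_u))


def check_certificate(cert) -> bool:
    """ver_TA(C(U)): the relying party needs only TA's public verification key."""
    id_u, ver_u, y = cert
    return ver(VER_TA, y, id_u, ver_u)


C_A = certificate("Alice", VER_A)
C_B = certificate("Bob", VER_B)


def dh_private() -> int:
    return 2 + secrets.randbelow(P - 3)          # a in {2, ..., p-2}


def station_to_station(oscar_in_the_middle: bool = False):
    """Steps 1-12 of Section 16.3.4. Returns (alice_ok, bob_ok, keys_agree).

    With oscar_in_the_middle=True, Oscar (Section 16.3.1) replaces b_A in
    transit with his own value b_O; he holds no certified signing key.
    """
    a_a, a_b = dh_private(), dh_private()                    # steps 1, 3
    b_a, b_b = pow(ALPHA, a_a, P), pow(ALPHA, a_b, P)         # steps 2, 4
    b_a_at_bob = b_a
    if oscar_in_the_middle:
        a_o = dh_private()
        while pow(ALPHA, a_o, P) == b_a:                      # make the substitution real
            a_o = dh_private()
        b_a_at_bob = pow(ALPHA, a_o, P)

    k_bob = pow(b_a_at_bob, a_b, P)                           # step 5
    y_b = sig(SIG_B, b_b, b_a_at_bob)                         # step 6: Bob signs (b_B, b_A')

    # Steps 7-8: Alice verifies Bob's certificate, then his signature on (b_B, b_A).
    alice_ok = check_certificate(C_B) and ver(C_B[1], y_b, b_b, b_a)
    if not alice_ok:
        return False, False, False                            # abort: no key derived
    k_alice = pow(b_b, a_a, P)                                # step 9
    y_a = sig(SIG_A, b_a, b_b)                                # step 10

    # Steps 11-12: Bob verifies Alice's certificate and signature.
    bob_ok = check_certificate(C_A) and ver(C_A[1], y_a, b_a_at_bob, b_b)
    return alice_ok, bob_ok, k_alice == k_bob


if __name__ == "__main__":
    print(station_to_station(), station_to_station(oscar_in_the_middle=True))
```

The detection works because Bob signs the pair (b_B, b_A') he actually saw: Alice verifies that signature against her own b_A, so any substituted value fails at step 8 before a key is ever derived, which is exactly what plain D-H in 16.3.1 cannot offer.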


Chapter 17 Case Study: The Secure Socket Layer (SSL) Protocol

Note:

This chapter describes the most important security mechanisms of the SSL Protocol. For more details, reference [Sta99] and Netscape's SSL web page are recommended.
17.1 Introduction

- SSL was developed by Netscape.
- TLS (Transport Layer Security) is the IETF standard version of SSL. TLS is very close to SSL.
- SSL provides security services for end-to-end applications.
- Most applications must be SSL enabled, i.e., SSL is not transparent.
- SSL is algorithm independent: for both public-key and symmetric-key operations, several algorithms are possible. Algorithms are negotiated on a per-session basis.

HTTP | FTP | SMTP
SSL or TLS
TCP
IP

Figure 17.1: Location of SSL in the TCP/IP protocol stack.

SSL consists of two main phases:

- Handshake Protocol: provides a shared secret key using public-key techniques and mutual entity authentication.
- Record Protocol: provides confidentiality and message integrity for application data, using the shared secret established during the Handshake Protocol.


17.2 SSL Record Protocol

The SSL Record Protocol provides two main services:
1. Confidentiality: SSL payloads are encrypted with a symmetric cipher. The keys for the symmetric cipher must be established during the preceding Handshake Protocol.
2. Message Integrity: the integrity of the message is provided through HMAC, a message authentication code.

17.2.1 Overview of the SSL Record Protocol

Application data --> Fragment --> Add MAC --> Encrypt --> Append SSL record header

Figure 17.2: Simplified operations of the SSL Record Protocol

Description:

Fragmentation: the message is divided into blocks of 2^14 bytes.

MAC: a derivative of the popular HMAC message authentication code. HMACs are based on hash functions.

MAC = H(secret-key || pad2 || H(secret-key || pad1 || seq-num || fragment-length || fragment))

where:
- H = hash algorithm; either MD5 or SHA-1.
- secret-key = shared secret session key.
- pad1 = the byte 0x36 (0011 0110) repeated 48 times (384 bits) for MD5 and 40 times (320 bits) for SHA-1.
- pad2 = the byte 0x5C (0101 1100) repeated 48 times for MD5 and 40 times for SHA-1.
- seq-num = the sequence number of the message.
- fragment-length = length of the fragment (plaintext).
- fragment = the plaintext block for which the MAC is computed.

Encrypt: the following algorithms are allowed:
1. Block ciphers: IDEA (128-bit key), RC2 (40-bit key), DES-40 (40-bit key), DES (56-bit key), 3DES (168-bit key), Fortezza (80-bit key)
2. Stream ciphers: RC4-40 (40-bit key), RC4-128 (128-bit key)
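The record-layer MAC as described above, computed for both MD5 and SHA-1 and used by a receiver that keeps its own sequence counter, as an added example that is not part of the lecture notes. The encodings of seq-num (64-bit) and fragment-length (16-bit), the two-record sample stream and the session secret are assumptions made for this example; encryption and the record header are left out so that only the integrity mechanism is visible:

```python
import hashlib
import hmac

PAD1_BYTE, PAD2_BYTE = b"\x36", b"\x5c"
HASHES = {"md5": (hashlib.md5, 48), "sha1": (hashlib.sha1, 40)}   # (H, pad repetitions)


def ssl3_mac(hash_name: str, secret: bytes, seq_num: int, fragment: bytes) -> bytes:
    """MAC = H(secret || pad2 || H(secret || pad1 || seq-num || length || fragment)).

    Assumed encodings (not stated in the notes): seq-num as a 64-bit and
    fragment-length as a 16-bit big-endian integer.
    """
    H, reps = HASHES[hash_name]
    pad1, pad2 = PAD1_BYTE * reps, PAD2_BYTE * reps
    inner = H(secret + pad1 + seq_num.to_bytes(8, "big")
              + len(fragment).to_bytes(2, "big") + fragment).digest()
    return H(secret + pad2 + inner).digest()


class RecordSender:
    """Numbers each fragment and attaches its MAC (encryption omitted here)."""

    def __init__(self, hash_name: str, secret: bytes):
        self.hash_name, self.secret, self.seq = hash_name, secret, 0

    def send(self, fragment: bytes):
        record = (self.seq, fragment, ssl3_mac(self.hash_name, self.secret, self.seq, fragment))
        self.seq += 1
        return record


class RecordReceiver:
    """Keeps its own counter: the MAC binds each fragment to its position in the stream."""

    def __init__(self, hash_name: str, secret: bytes):
        self.hash_name, self.secret, self.expected = hash_name, secret, 0

    def accept(self, record) -> bool:
        seq, fragment, tag = record
        expected_tag = ssl3_mac(self.hash_name, self.secret, self.expected, fragment)
        if seq != self.expected or not hmac.compare_digest(tag, expected_tag):
            return False            # replayed, reordered or modified record
        self.expected += 1
        return True


def demo(hash_name: str = "sha1"):
    """Constructed stream: two honest records, a replay of the second, a modified fragment."""
    secret = b"constructed-session-secret"
    tx, rx = RecordSender(hash_name, secret), RecordReceiver(hash_name, secret)
    r0, r1 = tx.send(b"GET / HTTP/1.0"), tx.send(b"Host: example")
    modified = (r1[0] + 1, b"Host: other", r1[2])   # old tag on a different fragment
    return [rx.accept(r0), rx.accept(r1), rx.accept(r1), rx.accept(modified)]


if __name__ == "__main__":
    print(demo("md5"), demo("sha1"))
```

Because seq-num enters the inner hash, a record replayed later or delivered out of order fails verification even though its tag was once genuine; that is why the receiver must never take the sequence number from the record itself. The SSL 3.0 specification also includes the record's content type in the inner hash, a field the simplified formula in the notes omits.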


17.3 SSL Handshake Protocol

Remark: The Handshake Protocol is the most complex part of SSL and requires costly public-key operations.

17.3.1 Core Cryptographic Components of SSL

CLIENT                                                  SERVER
random, cipher suite ------------- PHASE 1 ---------->  random, cipher suite
                     <------------ PHASE 2 -----------  certificate, key exchange parameters
certificate, key exchange parameters --- PHASE 3 --->

Figure 17.3: Simplified SSL Handshake Protocol

Explanation:

Phase 1: establish security capabilities.
- random: 32-bit timestamp concatenated with a 28-byte random value. Used as nonces and to prevent replay attacks during the key exchange.
- cipher suite: several fields, in particular:
  1. Key exchange method.
     a) RSA: the secret key is encrypted with the receiver's public RSA key. Certificates are required.
     b) Authenticated Diffie-Hellman: Diffie-Hellman with certificate.
     c) Anonymous Diffie-Hellman: Diffie-Hellman without authentication.
     d) Fortezza
  2. Secret-key algorithm (see Section 17.2).
  3. MAC algorithm (MD5 or SHA-1).

Phase 2: server authentication and key exchange.
- Certificate: authenticated public key for any key exchange method except anonymous Diffie-Hellman.
- Key exchange parameters: signed public-key parameters, depending on the key exchange method.

Phase 3: see Phase 2.


Chapter 18 Introduction to Identification Schemes

Examples of electronic identification situations:
1. Money withdrawal from an ATM machine (PIN).
2. Credit card purchase over the telephone (card number).
3. Remote computer login (user name and password).

Distinction between identification (or entity authentication) and message authentication:
- Identification schemes are performed online.
- Identification schemes do not require a meaningful message.

Basis for identification techniques:
1. Something known (password, PIN)           } cryptography based
2. Something possessed (chipcard)             }
3. Something inherent to a human individual (fingerprint, retina pattern)

Overview:
ID techniques:
- weak identification (passwords, PINs)
- strong identification: private-key, public-key, zero-knowledge; these use challenge-response (CR) protocols

Figure 18.1: Identification Techniques

Passwords and PINs are weak since they violate requirement 1 below.

Goals (informal definition):
1. Alice wants to prove her identity to Bob without revealing her identifying information to a listening Oscar ("strong identification").
2. Also, Bob should not be able to impersonate Alice.

To achieve these goals, Alice has to perform a proof of knowledge which in general involves a challenge-and-response protocol.


18.1 Private-Key Approach

Challenge-and-response (CR) protocol:
Assumption: Alice and Bob share a secret key k_AB and a keyed one-way function f_k(x).

Alice                                  Bob
                                       1. generate challenge x
             <-- x --
2. y = f_{k_AB}(x)
             -- y -->
                                       3. y' = f_{k_AB}(x)
                                       4. verification: y = y' ?

Example:
a) f_k(x) = DES_k(x).
b) f_k(x) = H(k || x).
c) f_k(x) = x^k mod p.

Remarks:
- CR protocols are standardized in ISO/IEC 9798.
- There are many variations of the above protocol, e.g., including time stamps or serial numbers in the response.
- Instead of block ciphers, public-key algorithms and keyed hash functions can be used.

Variant with time stamp (TS):

Alice                                  Bob
1. y = e_{k_AB}(TS, ID_Bob)
             -- y -->
                                       2. (TS', ID'_Bob) = e^{-1}_{k_AB}(y)
                                          check TS' ≤ time ≤ TS' + tolerance and ID'_Bob = ID_Bob
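The CR protocol and its time-stamp variant as an added example that is not part of the lecture notes. It uses Example b), f_k(x) = H(k || x), realised with HMAC-SHA256 (the standard keyed-hash construction), and, following the remark that keyed hash functions can replace block ciphers, carries (TS, ID_Bob) in the time-stamp variant under f_{k_AB} instead of under e_{k_AB}; the shared key, the identity string "Bob" and the 30-second tolerance are assumptions made here:

```python
import hashlib
import hmac
import secrets
import time

TAG_LEN = 32


def f(k: bytes, x: bytes) -> bytes:
    """Keyed one-way function of Example b), f_k(x) = H(k || x), as HMAC-SHA256."""
    return hmac.new(k, x, hashlib.sha256).digest()


class Bob:
    """Verifier: issues one fresh challenge at a time and checks the response."""

    def __init__(self, k_ab: bytes):
        self.k_ab = k_ab
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)        # step 1: unpredictable x
        return self.pending

    def verify(self, y: bytes) -> bool:
        """Steps 3-4: y' = f_kAB(x), accept iff y == y'. A challenge is consumed on use."""
        x, self.pending = self.pending, None
        if x is None:
            return False                              # no outstanding challenge
        return hmac.compare_digest(y, f(self.k_ab, x))


def alice_response(k_ab: bytes, x: bytes) -> bytes:
    """Step 2: Alice proves knowledge of k_AB without ever sending it."""
    return f(k_ab, x)


def timestamp_response(k_ab: bytes, id_bob: bytes, now: int) -> bytes:
    """Variant with time stamp: y carries (TS, ID_Bob) protected by f_kAB."""
    body = now.to_bytes(8, "big") + id_bob
    return body + f(k_ab, body)


def check_timestamp_response(k_ab: bytes, id_bob: bytes, y: bytes, now: int,
                             tolerance: int = 30) -> bool:
    """Bob's step 2: check the tag, then TS' <= time <= TS' + tolerance and ID' == ID_Bob."""
    if len(y) < 8 + TAG_LEN:
        return False
    body, tag = y[:-TAG_LEN], y[-TAG_LEN:]
    if not hmac.compare_digest(tag, f(k_ab, body)):
        return False
    ts, id_recv = int.from_bytes(body[:8], "big"), body[8:]
    return id_recv == id_bob and ts <= now <= ts + tolerance


if __name__ == "__main__":
    k_ab = secrets.token_bytes(32)                    # constructed shared key
    bob = Bob(k_ab)
    print(bob.verify(alice_response(k_ab, bob.challenge())))
    y = timestamp_response(k_ab, b"Bob", int(time.time()))
    print(check_timestamp_response(k_ab, b"Bob", y, int(time.time())))
```

Two details matter for the goals of Chapter 18: the challenge is random and consumed after one use, so a recorded response is worthless to a listening Oscar, and the time-stamp variant binds ID_Bob into y so that a response meant for Bob cannot be presented to another verifier within the window.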


Bibliography

[AM97] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
[Big85] N.L. Biggs. Discrete Mathematics. Oxford University Press, New York, 1985.
[Bih97] E. Biham. A Fast New DES Implementation in Software. In Fourth International Workshop on Fast Software Encryption, volume LNCS 1267, pages 260-272, Berlin, Germany, 1997. Springer-Verlag.
[EYCP00] A.J. Elbirt, W. Yip, B. Chetwynd, and C. Paar. An FPGA Implementation and Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists. In Third Advanced Encryption Standard (AES3) Conference, pages 13-27, New York, USA, March 13-14, 2000. National Institute of Standards and Technology (NIST).
[Kob94] N. Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, New York, second edition, 1994.
[Men93] A.J. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993.
[OP00] Gerardo Orlando and Christof Paar. A High-Performance Reconfigurable Elliptic Curve Processor for GF(2^m). In Cetin K. Koc and Christof Paar, editors, Cryptographic Hardware and Embedded Systems (CHES 2000), pages 41-56, Berlin, 2000. Springer-Verlag. Lecture Notes in Computer Science Volume.
[Sch93] B. Schneier. Applied Cryptography. Wiley & Sons, 1993.
[Sim92] G.J. Simmons. Contemporary Cryptology. IEEE Press, 1992.
[Sta95] W. Stallings. Network and Internetwork Security. Prentice Hall, 1995.
[Sta99] W. Stallings. Cryptography and Network Security: Principles and Practice. Prentice Hall, 2nd edition, 1999.
[Sti95] D.R. Stinson. Cryptography, Theory and Practice. CRC Press, 1995.
[WD76] W. Diffie, M.E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, volume IT-22, pages 644-654, 1976.
[WPR+99] D. Craig Wilcox, Lyndon G. Pierson, Perry J. Robertson, Edward L. Witzke, and Karl Gass. A DES ASIC Suitable for Network Encryption at 10 Gbps and Beyond. In Cetin K. Koc and Christof Paar, editors, Cryptographic Hardware and Embedded Systems (CHES'99), pages 37-48, Berlin, 1999. Springer-Verlag. Lecture Notes in Computer Science Volume 1717.
[WWGP00] T. Wollinger, M. Wang, J. Guajardo, and C. Paar. How Well Are High-End DSPs Suited for the AES Algorithms? AES Algorithms on the TMS320C6x DSP. In Third Advanced Encryption Standard (AES3) Conference, pages 94-105, New York, USA, March 13-14, 2000. National Institute of Standards and Technology (NIST).
