Cryptography

9/21/21 Cryptography 1
 Symmetric Cryptosystem
• Scenario
– Alice wants to send a message (plaintext P) to Bob.
– The communication channel is insecure and can be eavesdropped
– If Alice and Bob have previously agreed on a symmetric encryption scheme
and a secret key K, the message can be sent encrypted (ciphertext C)
• Issues
– What is a good symmetric encryption scheme?
– What is the complexity of encrypting/decrypting?
– What is the size of the ciphertext, relative to the plaintext?

P encrypt C decrypt P

K K
9/21/21 Cryptography 2
 Basics
• Notation
– Secret key K
– Encryption function EK(P)
– Decryption function DK(C)
– Plaintext length typically the same as ciphertext length
– Encryption and decryption are permutation functions
(bijections) on the set of all n-bit arrays
• Efficiency
– functions EK and DK should have efficient algorithms
• Consistency
– Decrypting the ciphertext yields the plaintext
– DK(EK(P)) = P
9/21/21 Cryptography 3
 Attacks
Plaintext Encryption Ciphertext
• Attacker may have Hi, Bob.
Algorithm
Don’t
a) collection of ciphertexts (a) invite Eve
to the
party!
(ciphertext only attack) Love, Alice key

b) collection of Eve
plaintext/ciphertext pairs Plaintext Encryption Ciphertext
Algorithm
(known plaintext attack) Hi, Bob.
Don’t
(b) invite Eve
c) collection of to the
party! key
Love, Alice
plaintext/ciphertext pairs for
plaintexts selected by the
Eve
attacker (chosen plaintext Plaintext Encryption Ciphertext

attack) (c)
ABCDEFG
HIJKLMNO
PQRSTUV
Algorithm

d) collection of WXYZ.
key
plaintext/ciphertext pairs for
ciphertexts selected by the
Eve
attacker (chosen ciphertext Plaintext
IJCGA,
Encryption
Algorithm
Ciphertext

attack) (d)
CAN DO
HIFFA GOT
001101
TIME. 110111
key

9/21/21 Cryptography Eve 4

Eve
 Brute-Force Attack
• Try all possible keys K and determine if DK(C) is a likely plaintext
– Requires some knowledge of the structure of the plaintext (e.g., PDF file
or email message)
• Key should be a sufficiently long random value to make
exhaustive search attacks unfeasible

9/21/21 Cryptography 5
Image by Michael Cote from http://commons.wikimedia.org/wiki/File:Bingo_cards.jpg
 Encrypting English Text
• English text typically represented with 8-bit ASCII encoding
• A message with t characters corresponds to an n-bit array, with n = 8t

English Ciphertext of
• Redundancy due to text English text
repeated words
and patterns
– E.g., “th”, “ing”
• English plaintexts
are a very small
subset of all n-bit
arrays Plaintexts Ciphertexts
n-bit strings n-bit strings

9/21/21 Cryptography 6
 Entropy of Natural Language
• Information content (entropy) of
English: 1.25 bits per character
• t-character arrays that are English
text:
(21.25)t = 21.25 t
• n-bit arrays that are English text:
21.25 n/8 » 20.16 n
• For a natural language, constant
a < 1 such that there are 2an
messages among all n-bit arrays
• Fraction (probability) of valid
messages
2an / 2n = 1 / 2(1-a)n
9/21/21
• Brute-force decryption
– Try all possible 2k decryption keys
– Stop when valid plaintext
recognized
• Given a ciphertext, there are 2k
possible plaintexts
• Expected number of valid
plaintexts
2k / 2(1-a)n
• Expected unique valid plaintext ,
(no spurious keys) achieved at
unicity distance
n = k / (1-a)
• For English text and 256-bit keys,
unicity distance is 304 bits
Cryptography 7
 Substitution Ciphers
• One popular substitution
• Each letter is uniquely “cipher” for some
replaced by another. Internet posts is ROT13.
• There are 26! possible
substitution ciphers.
• There are more than
4.03 x 1026 such ciphers.

Public domain image from http://en.wikipedia.org/wiki/File:ROT13.png

9/21/21 Cryptography 8
 Frequency Analysis
• Letters in a natural language, like English, are
not uniformly distributed.
• Knowledge of letter frequencies, including pairs
and triples can be used in cryptologic attacks
against substitution ciphers.

9/21/21 Cryptography 9
 Substitution Boxes
• Substitution can also be done on binary
numbers.
• Such substitutions are usually described by
substitution boxes, or S-boxes.

9/21/21 Cryptography 10
 One-Time Pads
• There is one type of substitution cipher that is
absolutely unbreakable.
– The one-time pad was invented in 1917 by Joseph
Mauborgne and Gilbert Vernam
– We use a block of shift keys, (k1, k2, . . . , kn), to
encrypt a plaintext, M, of length n, with each shift
key being chosen uniformly at random.
• Since each shift is random, every ciphertext is
equally likely for any plaintext.
9/21/21 Cryptography 11
 Weaknesses of the One-Time Pad
• In spite of their perfect
security, one-time pads
have some weaknesses
• The key has to be as long
as the plaintext
• Keys can never be reused
– Repeated use of one-time
pads allowed the U.S. to
break some of the
communications of Soviet
spies during the Cold War.

9/21/21 Cryptography 12
Public domain declassified government image from
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/venona-soviet-espionage-and-the-american-response-1939-1957/part2.htm
 Block Ciphers
• In a block cipher:
– Plaintext and ciphertext have fixed length b (e.g., 128 bits)
– A plaintext of length n is partitioned into a sequence of m
blocks, P[0], …, P[m-1], where n £ bm < n + b
• Each message is divided into a sequence of blocks and
encrypted or decrypted in terms of its blocks.

Requires padding
with extra bits.
Plaintext

Blocks of
plaintext

9/21/21 Cryptography 13
 Padding
• Block ciphers require the length n of the plaintext to be a multiple of the
block size b
• Padding the last block needs to be unambiguous (cannot just add zeroes)
• When the block size and plaintext length are a multiple of 8, a common
padding method (PKCS5) is a sequence of identical bytes, each indicating
the length (in bytes) of the padding
• Example for b = 128 (16 bytes)
– Plaintext: “Roberto” (7 bytes)
– Padded plaintext: “Roberto999999999” (16 bytes), where 9 denotes the
number and not the character
• We need to always pad the last block, which may consist only of padding

9/21/21 Cryptography 14
 Block Ciphers in Practice
• Data Encryption Standard (DES)
– Developed by IBM and adopted by NIST in 1977
– 64-bit blocks and 56-bit keys
– Small key space makes exhaustive search attack feasible since late 90s
• Triple DES (3DES)
– Nested application of DES with three different keys KA, KB, and KC
– Effective key length is 168 bits, making exhaustive search attacks unfeasible
– C = EKC(DKB(EKA(P))); P = DKA(EKB(DKC(C)))
– Equivalent to DES when KA=KB=KC (backward compatible)
• Advanced Encryption Standard (AES)
– Selected by NIST in 2001 through open international competition and public
discussion
– 128-bit blocks and several possible key lengths: 128, 192 and 256 bits
– Exhaustive search attack not currently possible
– AES-256 is the symmetric encryption algorithm of choice
9/21/21 Cryptography 15
 The Advanced Encryption Standard
(AES)
• In 1997, the U.S. National Institute for Standards and Technology
(NIST) put out a public call for a replacement to DES.
• It narrowed down the list of submissions to five finalists, and
ultimately chose an algorithm that is now known as the Advanced
Encryption Standard (AES).
• AES is a block cipher that operates on 128-bit blocks. It is designed to
be used with keys that are 128, 192, or 256 bits long, yielding ciphers
known as AES-128, AES-192, and AES-256.

9/21/21 Cryptography 16
 AES Round Structure
• The 128-bit version of the AES
encryption algorithm proceeds
in ten rounds.
• Each round performs an
invertible transformation on a
128-bit array, called state.
• The initial state X0 is the XOR of
the plaintext P with the key K:
• X0 = P XOR K.
• Round i (i = 1, …, 10) receives
state Xi-1 as input and produces
state Xi.
• The ciphertext C is the output of
the final round: C = X10.

9/21/21 Cryptography 17
 AES Rounds
• Each round is built from four basic steps:
1. SubBytes step: an S-box substitution step
2. ShiftRows step: a permutation step
3. MixColumns step: a matrix multiplication
step
4. AddRoundKey step: an XOR step with a
round key derived from the 128-bit
encryption key
9/21/21 Cryptography 18
 Block Cipher Modes
• A block cipher mode describes the way a block cipher
encrypts and decrypts a sequence of message blocks.
• Electronic Code Book (ECB) Mode (is the simplest):
– Block P[i] encrypted into ciphertext block C[i] = EK(P[i])
– Block C[i] decrypted into plaintext block M[i] = DK(C[i])

9/21/21 Cryptography 19
Public domain images from http://en.wikipedia.org/wiki/File:Ecb_encryption.png and http://en.wikipedia.org/wiki/File:Ecb_decryption.png
 Strengths and Weaknesses of ECB
• Strengths: • Weakness:
– Documents and images are not
– Is very simple suitable for ECB encryption since
– Allows for parallel patters in the plaintext are
encryptions of the blocks repeated in the ciphertext:
of a plaintext
– Can tolerate the loss or
damage of a block

9/21/21 Cryptography 20
 Cipher Block Chaining (CBC) Mode
• In Cipher Block Chaining (CBC) Mode
– The previous ciphertext block is combined with
the current plaintext block C[i] = EK (C[i -1] Å P[i])
– C[-1] = V, a random block separately transmitted
encrypted (known as the initialization vector)
– Decryption: P[i] = C[i -1] Å DK (C[i])
CBC Encryption: CBC Decryption:
P[0] P[1] P[2] P[3] P[0] P[1] P[2] P[3]

V V

EK EK EK EK DK DK DK DK

C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3]

9/21/21 Cryptography 21
 Strengths and Weaknesses of CBC
• Strengths:
– Doesn’t show patterns in
the plaintext
– Is the most common
mode
– Is fast and relatively
simple
• Weaknesses:
– CBC requires the reliable
transmission of all the
blocks sequentially
– CBC is not suitable for
applications that allow
packet losses (e.g., music
and video streaming)

9/21/21 Cryptography 22
 Java AES Encryption Example
• Source
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
• Generate an AES key
KeyGenerator keygen = KeyGenerator.getInstance("AES");
SecretKey aesKey = keygen.generateKey();
• Create a cipher object for AES in ECB mode and PKCS5 padding
Cipher aesCipher;
aesCipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
• Encrypt
aesCipher.init(Cipher.ENCRYPT_MODE, aesKey);
byte[] plaintext = "My secret message".getBytes();
byte[] ciphertext = aesCipher.doFinal(plaintext);
• Decrypt
aesCipher.init(Cipher.DECRYPT_MODE, aesKey);
byte[] plaintext1 = aesCipher.doFinal(ciphertext);

9/21/21 Cryptography 23
 Stream Cipher
• Key stream
– Pseudo-random sequence of bits S = S[0], S[1], S[2], …
– Can be generated on-line one bit (or byte) at the time
• Stream cipher
– XOR the plaintext with the key stream C[i] = S[i] Å P[i]
– Suitable for plaintext of arbitrary length generated on the fly, e.g., media
stream
• Synchronous stream cipher
– Key stream obtained only from the secret key K
– Works for unreliable channels if plaintext has packets with sequence numbers
• Self-synchronizing stream cipher
– Key stream obtained from the secret key and q previous ciphertexts
– Lost packets cause a delay of q steps before decryption resumes

9/21/21 Cryptography 24
 Key Stream Generation
• RC4
– Designed in 1987 by Ron Rivest for RSA Security
– Trade secret until 1994
– Uses keys with up to 2,048 bits
– Simple algorithm
• Block cipher in counter mode (CTR)
– Use a block cipher with block size b
– The secret key is a pair (K,t), where K a is key and t (counter) is a
b-bit value
– The key stream is the concatenation of ciphertexts
EK (t), EK (t + 1), EK (t + 2), …
– Can use a shorter counter concatenated with a random value
– Synchronous stream cipher

9/21/21 Cryptography 25
 Attacks on Stream Ciphers
• Repetition attack
– if key stream reused, attacker obtains XOR of two plaintexts
• Insertion attack [Bayer Metzger, TODS 1976]
– retransmission of the plaintext with
• a chosen byte inserted by attacker
• using the same key stream
– e.g., email message resent with new message number
P P[i] P[i+1] P[i+2] P[i+3]
Original S S[i] S[i+1] S[i+2] S[i+3]
C C[i] C[i+1] C[i+2] C[i+3]

P P[i] X P[i+1] P[i+2]

Retransmission S S[i] S[i+1] S[i+2] S[i+3]
C C[i] C¢[i+1] C¢[i+2] C¢[i+3]

9/21/21 Cryptography 26
 Public Key Encryption

9/21/21 Cryptography 27
 Facts About Numbers
• Prime number p:
– p is an integer
– p³2
– The only divisors of p are 1 and p
• Examples
– 2, 7, 19 are primes
– -3, 0, 1, 6 are not primes
• Prime decomposition of a positive integer n:
n = p1e1 ´ … ´ pkek
• Example:
– 200 = 23 ´ 52
Fundamental Theorem of Arithmetic
The prime decomposition of a positive integer is unique

9/21/21 Cryptography 28
 Greatest Common Divisor
• The greatest common divisor (GCD) of two positive integers a
and b, denoted gcd(a, b), is the largest positive integer that
divides both a and b
• The above definition is extended to arbitrary integers
• Examples:
gcd(18, 30) = 6 gcd(0, 20) = 20
gcd(-21, 49) = 7
• Two integers a and b are said to be relatively prime if
gcd(a, b) = 1
• Example:
– Integers 15 and 28 are relatively prime

9/21/21 Cryptography 29
 Modular Arithmetic
• Modulo operator for a positive integer n
r = a mod n
equivalent to
a = r + kn
and
r = a - ëa/nû n
• Example:
29 mod 13 = 3 13 mod 13 = 0 -1 mod 13 = 12
29 = 3 + 2´13 13 = 0 + 1´13 12 = -1 + 1´13
• Modulo and GCD:
gcd(a, b) = gcd(b, a mod b)
• Example:
gcd(21, 12) = 3 gcd(12, 21 mod 12) = gcd(12, 9) = 3

9/21/21 Cryptography 30
 Euclid’s GCD Algorithm
• Euclid’s algorithm for Algorithm EuclidGCD(a, b)
Input integers a and b
computing the GCD Output gcd(a, b)
repeatedly applies the
formula if b = 0
gcd(a, b) = gcd(b, a mod b) return a
else
• Example return EuclidGCD(b, a mod b)
– gcd(412, 260) = 4

a 412 260 152 108 44 20 4

b 260 152 108 44 20 4 0

9/21/21 Cryptography 31
 Analysis
• Let ai and bi be the arguments of the i-th recursive call of algorithm
EuclidGCD
• We have
ai + 2 = bi + 1 = ai mod ai + 1 < ai + 1
• Sequence a1, a2, …, an decreases exponentially, namely
ai + 2 £ ½ ai for i > 1
Case 1 ai + 1 £ ½ ai ai + 2 < ai + 1 £ ½ ai
Case 2 ai + 1 > ½ ai ai + 2 = ai mod ai + 1 = ai - ai + 1 £ ½ ai
• Thus, the maximum number of recursive calls of algorithm
EuclidGCD(a. b) is
1 + 2 log max(a. b)
• Algorithm EuclidGCD(a, b) executes O(log max(a, b)) arithmetic
operations
• The running time can also be expressed as O(log min(a, b))

9/21/21 Cryptography 32
 Multiplicative Inverses (1)
• The residues modulo a positive integer n are the set
Zn = {0, 1, 2, …, (n - 1)}
• Let x and y be two elements of Zn such that
xy mod n = 1
We say that y is the multiplicative inverse of x in Zn and we
write y = x-1
• Example:
– Multiplicative inverses of the residues modulo 11

x 0 1 2 3 4 5 6 7 8 9 10
x-1 1 6 4 3 9 2 8 7 5 10

9/21/21 Cryptography 33
 Multiplicative Inverses (2)
Theorem
An element x of Zn has a multiplicative inverse if and only if x and n are
relatively prime
• Example
– The elements of Z10 with a multiplicative inverse are 1, 3, 7, 9
Corollary
If is p is prime, every nonzero residue in Zp has a multiplicative inverse
Theorem
A variation of Euclid’s GCD algorithm computes the multiplicative inverse
of an element x of Zn or determines that it does not exist

x 0 1 2 3 4 5 6 7 8 9
x-1 1 7 3 9

9/21/21 Cryptography 34
 Example: Measuring Lengths
• Consider a stick of length a and a stick of length b such that a and b are
relatively prime
• Given two integers i and j, we can measure length
n = ia + jb
• We show that any integer n can be written as n = ia + jb for some integers
i and j
– Let s be the inverse of a in Zb We have sa mod b = 1
– There exists integer t such that sa + tb = 1
– Pick i = ns and j = nt
• Thus, given two sticks of relatively prime integer lengths, we can measure
any integer length
• Example, measure length 2 with sticks of length 3 and 7
3 3 3 3
7 7
9/21/21 Cryptography 35
 Example: Double Hashing
• Consider a hash table whose size n is a prime
• In open addressing with double hashing, an operation on key x
probes the following locations modulo n
i, i + d, i + 2d, i + 3d, …, i + (n – 1)d
where i = h1(x) and d = h2(x)
• We show that each table location is probed by this sequence once
– Suppose (i + jd) mod n = (i + kd) mod n for some integers j and k in the
range [0, n – 1]
– We have (j - k)d mod n = 0
– Since n is prime, we have that n and d are relatively prime
– Thus, d has an inverse d- 1 in Zn
– Multiplying each side by d- 1, we obtain (j - k) mod n = 0
– We conclude that j = k

9/21/21 Cryptography 36
 Powers
• Let p be a prime
• The sequences of successive powers of the elements of Zp exhibit
repeating subsequences
• The sizes of the repeating subsequences and the number of their
repetitions are the divisors of p - 1
• Example (p = 7)
x x2 x3 x4 x5 x6
1 1 1 1 1 1
2 4 1 2 4 1
3 2 6 4 5 1
4 2 1 4 2 1
5 4 6 2 3 1
6 1 6 1 6 1
9/21/21 Cryptography 37
 Fermat’s Little Theorem
Theorem
Let p be a prime. For each nonzero residue x of Zp, we have
xp - 1 mod p = 1
• Example (p = 5):
14 mod 5 = 1 24 mod 5 = 16 mod 5 = 1
34 mod 5 = 81 mod 5 = 1 44 mod 5 = 256 mod 5 = 1
Corollary
Let p be a prime. For each nonzero residue x of Zp, the
multiplicative inverse of x is xp - 2 mod p
Proof
x(xp - 2 mod p) mod p = xxp - 2 mod p = xp - 1 mod p = 1

9/21/21 Cryptography 38
 Euler’s Theorem
• The multiplicative group for Zn, denoted with Z*n, is the subset of
elements of Zn relatively prime with n
• The totient function of n, denoted with f(n), is the size of Z*n
• Example
Z*10 = { 1, 3, 7, 9 } f(10) = 4
• If p is prime, we have
Z*p = {1, 2, …, (p - 1)} f(p) = p - 1
Euler’s Theorem
For each element x of Z*n, we have xf(n) mod n = 1
• Example (n = 10)
3f(10) mod 10 = 34 mod 10 = 81 mod 10 = 1
7f(10) mod 10 = 74 mod 10 = 2401 mod 10 = 1
9f(10) mod 10 = 94 mod 10 = 6561 mod 10 = 1

9/21/21 Cryptography 39
 RSA Cryptosystem
• Setup: • Example
– n = pq, with p and q primes n Setup:
– e relatively prime to w p = 7, q = 17
f(n) = (p - 1) (q - 1) w n = 7×17 = 119
– d inverse of e in Zf(n) w f(n) = 6×16 = 96
• Keys: we=5
– Public key: KE = (n, e) w d = 77
– Private key: KD = d n Keys:
w public key: (119, 5)
• Encryption: w private key: 77
– Plaintext M in Zn n Encryption:
– C = Me mod n w M = 19
• Decryption: w C = 195 mod 119 = 66
– M = Cd mod n n Decryption:
w C = 6677 mod 119 = 19

9/21/21 Cryptography 40
 Complete RSA Example
• Setup: • Encryption
n C = M3 mod 55
– p = 5, q = 11
– n = 5×11 = 55 • Decryption
n M = C27 mod 55
– f(n) = 4×10 = 40
–e = 3
– d = 27 (3×27 = 81 = 2×40 + 1)

M 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
C 1 8 27 9 15 51 13 17 14 10 11 23 52 49 20 26 18 2
M 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
C 39 25 21 33 12 19 5 31 48 7 24 50 36 43 22 34 30 16
M 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
C 53 37 29 35 6 3 32 44 45 41 38 42 4 40 46 28 47 54

9/21/21 Cryptography 41
 Security
• Security of RSA based on • In 2005, a team of researchers
difficulty of factoring factored the RSA-640 challenge
– Widely believed number using 30 2.2GHz CPU years
– Best known algorithm takes • In 2004, the prize for factoring RSA-
exponential time 2048 was $200,000
• RSA Security factoring • Current practice is 2,048-bit keys
• Estimated resources needed to
challenge (discontinued)
factor a number within one year
• In 1999, 512-bit challenge
factored in 4 months using Length PCs Memory
35.7 CPU-years (bits)
– 160 175-400 MHz SGI and Sun 430 1 128MB
– 8 250 MHz SGI Origin 760 215,000 4GB
– 120 300-450 MHz Pentium II 1,020 342´106 170GB
– 4 500 MHz Digital/Compaq 1,620 1.6´1015 120TB
9/21/21 Cryptography 42
 Correctness
• We show the correctness of the • Thus, we obtain
RSA cryptosystem for the case (Me)d mod n =
when the plaintext M does not Med mod n =
divide n Mkf(n) + 1 mod n =
• Namely, we show that MMkf(n) mod n =
(Me)d mod n = M M (Mf(n))k mod n =
• Since ed mod f(n) = 1, there is M (Mf(n) mod n)k mod n =
an integer k such that M (1)k mod n =
ed = kf(n) + 1 M mod n =
• Since M does not divide n, by M
Euler’s theorem we have • Proof of correctness can be
extended to the case when the
Mf(n) mod n = 1 plaintext M divides n

9/21/21 Cryptography 43
 Algorithmic Issues
• The implementation of the
RSA cryptosystem requires
various algorithms
• Overall
–Representation of integers of
arbitrarily large size and
arithmetic operations on
them
• Encryption
–Modular power
• Decryption
–Modular power
• Setup
–Generation of random
numbers with a given number
of bits (to generate candidates
p and q)
–Primality testing (to check
that candidates p and q are
prime)
–Computation of the GCD (to
verify that e and f(n) are
relatively prime)
–Computation of the
multiplicative inverse (to
compute d from e)

9/21/21 Cryptography 44
 Modular Power
• The repeated squaring algorithm • Example
speeds up the computation of a –318 mod 19 (18 = 10010)
modular power ap mod n
–Q1 = 31 mod 19 = 3
• Write the exponent p in binary
–Q2 = (32 mod 19)30 mod 19 = 9
p = pb - 1 pb - 2 … p1 p0
–Q3 = (92 mod 19)30 mod 19 =
• Start with 81 mod 19 = 5
Q1 = apb - 1 mod n –Q4 = (52 mod 19)31 mod 19 =
• Repeatedly compute (25 mod 19)3 mod 19 =
Qi = ((Qi - 1)2 mod n)apb - i mod n 18 mod 19 = 18
• We obtain –Q5 = (182 mod 19)30 mod 19 =
Qb = ap mod n (324 mod 19) mod 19 =
17×19 + 1 mod 19 = 1
• The repeated squaring algorithm
performs O (log p) arithmetic p5 - i 1 0 0 1 0
operations 2p5 - i 3 1 1 3 1
Qi 3 9 5 18 1
9/21/21 Cryptography 45
 Modular Inverse
Theorem • Given positive integers a and b, the
Given positive integers a and extended Euclid’s algorithm
b, let d be the smallest computes a triplet (d,i,j) such that
positive integer such that – d = gcd(a,b)
d = ia + jb – d = ia + jb
for some integers i and j. • To test the existence of and compute
We have the inverse of x Î Zn, we execute the
extended Euclid’s algorithm on the
d = gcd(a,b) input pair (x,n)
• Example • Let (d,i,j) be the triplet returned
– a = 21 – d = ix + jn
– b = 15 Case 1: d = 1
– d=3
i is the inverse of x in Zn
– i = 3, j = -4
Case 2: d > 1
– 3 = 3×21 + (-4)×15 =
63 - 60 = 3 x has no inverse in Zn

9/21/21 Cryptography 46
 Pseudoprimality Testing
• The number of primes less than or equal to n is about n / ln n
• Thus, we expect to find a prime among O(b) randomly generated numbers
with b bits each
• Testing whether a number is prime (primality testing) is a difficult
problem, though polynomial-time algorithms exist
• An integer n ³ 2 is said to be a base-x pseudoprime if
– xn - 1 mod n = 1 (Fermat’s little theorem)
• Composite base-x pseudoprimes are rare:
– A random 100-bit integer is a composite base-2 pseudoprime with probability
less than 10-13
– The smallest composite base-2 pseudoprime is 341
• Base-x pseudoprimality testing for an integer n:
– Check whether xn - 1 mod n = 1
– Can be performed efficiently with the repeated squaring algorithm

9/21/21 Cryptography 47
 Randomized Primality Testing
• Compositeness witness function Algorithm RandPrimeTest(n, k)
witness(x, n) with error probability q for a Input integer n,confidence
random variable x parameter k and composite
Case 1: n is prime witness function witness(x,n)
witness(x, n) = false always with error probability q
Case 2: n is composite
Output an indication of
witness(x, n) = true in most cases, false
with small probability q < 1
whether n is composite or prime
with probability 2-k
• Algorithm RandPrimeTest tests whether n
is prime by repeatedly evaluating t ¬ k/log2(1/q)
witness(x, n) for i ¬ 1 to t
• A variation of base- x pseudoprimality x ¬ random()
provides a suitable compositeness if witness(x, n) = true
witness function for randomized primality return “n is composite”
testing (Rabin-Miller algorithm) return “n is prime”
9/21/21 Cryptography 48
 Cryptographic Hash Functions

9/21/21 Cryptography 49
 Hash Functions
• A hash function h maps a plaintext x to a fixed-length value x = h(P) called
hash value or digest of P
– A collision is a pair of plaintexts P and Q that map to the same hash value,
h(P) = h(Q)
– Collisions are unavoidable
– For efficiency, the computation of the hash function should take time
proportional to the length of the input plaintext
• Hash table
– Search data structure based on storing items in locations associated with
their hash value
– Chaining or open addressing deal with collisions
– Domain of hash values proportional to the expected number of items to be
stored
– The hash function should spread plaintexts uniformly over the possible hash
values to achieve constant expected search time

9/21/21 Cryptography 50
 Cryptographic Hash Functions
• A cryptographic hash function satisfies additional properties
– Preimage resistance (aka one-way)
• Given a hash value x, it is hard to find a plaintext P such that h(P) = x
– Second preimage resistance (aka weak collision resistance)
• Given a plaintext P, it is hard to find a plaintext Q such that h(Q) = h(P)
– Collision resistance (aka strong collision resistance)
• It is hard to find a pair of plaintexts P and Q such that h(Q) = h(P)
• Collision resistance implies second preimage resistance
• Hash values of at least 256 bits recommended to defend against brute-
force attacks
• A random oracle is a theoretical model for a cryptographic hash function
from a finite input domain P to a finite output domain X
– Pick randomly and uniformly a function h: P® X over all possible such
functions
– Provide only oracle access to h: one can obtain hash values for given plaintexts,
but no other information about the function h itself
9/21/21 Cryptography 51
 Birthday Attack
• The brute-force birthday attack aims at finding a collision for a hash function h
– Randomly generate a sequence of plaintexts X1, X2, X3,…
– For each Xi compute yi = h(Xi) and test whether yi = yj for some j < i
– Stop as soon as a collision has been found
• If there are m possible hash values, the probability that the i-th plaintext does
not collide with any of the previous i -1 plaintexts is 1 - (i - 1)/m
• The probability Fk that the attack fails (no collisions) after k plaintexts is
Fk = (1 - 1/m) (1 - 2/m) (1 - 3/m) … (1 - (k - 1)/m)
• Using the standard approximation 1 - x » e-x
Fk » e-(1/m + 2/m + 3/m + … + (k-1)/m) = e-k(k-1)/2m
• The attack succeeds/fails with probability ½ when Fk = ½ , that is,
e-k(k-1)/2m = ½
k » 1.17 m½
• We conclude that a hash function with b-bit values provides about b/2 bits of
security
9/21/21 Cryptography 52
 Message-Digest Algorithm 5 (MD5)
• Developed by Ron Rivest in 1991
• Uses 128-bit hash values
• Still widely used in legacy applications although considered insecure
• Various severe vulnerabilities discovered
• Chosen-prefix collisions attacks found by Marc Stevens, Arjen
Lenstra and Benne de Weger
– Start with two arbitrary plaintexts P and Q
– One can compute suffixes S1 and S2 such that P||S1 and Q||S2 collide
under MD5 by making 250 hash evaluations
– Using this approach, a pair of different executable files or PDF
documents with the same MD5 hash can be computed

9/21/21 Cryptography 53
 Secure Hash Algorithm (SHA)
• Developed by NSA and approved as a federal standard by
NIST
• SHA-0 and SHA-1 (1993)
– 160-bits
– Considered insecure
– Still found in legacy applications
– Vulnerabilities less severe than those of MD5
• SHA-2 family (2002)
– 256 bits (SHA-256) or 512 bits (SHA-512)
– Still considered secure despite published attack techniques
• Public competition for SHA-3 announced in 2007

9/21/21 Cryptography 54
 Iterated Hash Function
• A compression function works on input values of fixed length
• An iterated hash function extends a compression function to inputs of
arbitrary length
– padding, initialization vector, and chain of compression functions
– inherits collision resistance of compression function
• MD5 and SHA are iterated hash functions
P1 P2 P3 P4

IV || || || || digest

SHA-1
Hashing Time MD5
0.06
0.05
0.04
msec

0.03
0.02
0.01
0
0 100 200 300 400 500 600 700 800 900 1000
Input Size (Bytes)

9/21/21 Cryptography 55