
Topics in Algebra: Cryptography

Univ.-Prof. Dr. Goulnara ARZHANTSEVA

WS 2018

© Univ.-Prof. Dr. Goulnara Arzhantseva, Chapter 01: Introduction, slide 1 / 44


Cryptography: Overview
Cryptography

I Past: Diffie–Hellman (1976) and Rivest-Shamir-Adleman (1977)


II Nowadays: Blockchain ([1991], 2008)
III Future: Quantum ([1927, 1982], 1983) and Post-quantum
cryptography (1994,1996)


References:

1. Martin, Keith M. Everyday Cryptography: Fundamental Principles and Applications. Second edition. Oxford University Press, 2017.
2. Stinson, Douglas R. Cryptography: Theory and Practice. Third edition. Discrete Mathematics and its Applications. Chapman & Hall/CRC, Boca Raton, FL, 2006.
3. Bernstein, Daniel J. and Lange, Tanja. Post-quantum cryptography. Nature 549 (2017), 188–194.

Cryptography principles

1. Confidentiality: limits access to information
2. Data integrity: accuracy of data
3. Authentication: confirms the truth of data / of an entity
4. Non-repudiation: a technical/legal proof of authorship


Cryptography principles = security services

Confidentiality / secrecy
  limits access to information
  not always required, and rarely sufficient on its own

Data integrity
  data was not altered (intentionally or accidentally)
  detection of alteration, not prevention


Cryptography principles = security services

Data origin authentication / message authentication
  confirms the origin of data, with no temporal aspect:
  not necessarily the immediate source, and no assurance of when the data was sent

Entity authentication
  assurance that a given entity is involved and currently active


Cryptography principles = security services

Non-repudiation
  the source of data cannot deny to a third party being its origin

Data origin authentication ⇒ Data integrity
Non-repudiation ⇒ Data origin authentication
Data origin authentication ≠ Entity authentication
Secrecy ⇏ Data origin authentication


Cryptography system as a part of a security service

Cryptography = toolkit
Cryptographic primitive = a basic tool in this toolkit
  Examples: encryption, hash function, MAC (message authentication code), digital signature, etc.
Cryptographic algorithm = cipher = a specification of a primitive
Cryptographic protocol = a way to choose primitives and use them for a security goal
Cryptosystem = implementation of primitives and the supporting infrastructure


Cryptosystem: basic model for secrecy

Basic model of a cryptosystem [image: K. Martin's book]

An interceptor may or may not know the encryption / decryption algorithm and the encryption key. The encryption key is known by the receiver (the shared secret key in the symmetric case, the receiver's own public key in the asymmetric case). The decryption key may or may not be known by the sender.
Cryptosystem: basic model for secrecy

Encryption does not prevent communication interception.
  For example, it is used precisely over open networks, where interception is assumed to happen.

Encryption of the communication channel does not guarantee 'end-to-end' confidentiality.
  For example, the plaintext may be vulnerable at an endpoint, before encryption or after decryption.

Secrecy can be provided by (a combination of):
(1) Cryptography (via encryption)
(2) Steganography (via information hiding)
(3) Access control (via software or hardware)


Cryptography systems for secrecy

Encryption key ←?→ Decryption key: how are the two related?

Symmetric = secret-key cryptosystem: the same key
Asymmetric = public-key cryptosystem: public vs private keys

Theoretical security: mathematics
Practical security: implementation


Cryptosystem: basic model for secrecy

Definition: A cryptosystem is a 5-tuple (P, C, K, E, D) satisfying:

  P is a finite set of possible plaintexts;
  C is a finite set of possible ciphertexts;
  K, the keyspace, is a finite set of possible keys;
  E = {E_k : k ∈ K} consists of encryption functions E_k : P → C;
  D = {D_k : k ∈ K} consists of decryption functions D_k : C → P;
  for all e ∈ K there exists d ∈ K such that for all plaintexts p ∈ P we have D_d(E_e(p)) = p.

Symmetric cryptosystem: d = e
Public-key cryptosystem: d cannot be derived from e in a computationally feasible way
Cryptography applications

Securing the Internet
WLAN = Wireless Local Area Network
Mobile communications (GSM, etc.)
Payment card transactions
Video broadcasting
Identity cards
Online anonymity (Tor, etc.)
Digital currency
File protection
Email security
Messaging security (WhatsApp, Telegram, etc.)
Platform security (iOS, etc.)
Breaking encryption algorithms

• A practical method of determining the decryption key is found.

• A weakness in the encryption algorithm leads to a plaintext.



Key lengths and sizes

Length of the key = number of bits it takes to represent the key
Size of the keyspace = number of possible different decryption keys

Length ←?→ Size: how are the two related?

Symmetric: Size ≤ 2^Length
  Example: a 256-bit keyspace is 2^128 times as big as a 128-bit keyspace.
Asymmetric: Length is only an indication of Size (not every bit string of that length is a valid key)


Exhaustive key search = brute-force attack

1. Select a decryption key from the keyspace
2. Decrypt the ciphertext
3. Check if the plaintext makes sense
4. If 'yes' then label the decryption key as a candidate; otherwise, select a new decryption key


Exhaustive key search = brute-force attack

Assumptions:
– All keys from the keyspace are equally likely to be selected
– The correct decryption key is identified as soon as it is tested

If Size = n = 2^k, then, on average, one needs ∼ 2^(k−1) attempts to find the correct decryption key:

$$E[X] = \sum_{i=1}^{n} i \cdot \frac{1}{n} = \frac{1}{n}\cdot\frac{n(n+1)}{2} = \frac{2^k + 1}{2} \sim 2^{k-1}$$


Exhaustive key search = brute-force attack

1 year = 31556926 seconds ∼ 3 · 10^7 seconds ∼ 2^25 = 33554432 seconds

1000 ∼ 2^10 = 1024 and 1000000 ∼ 2^20 = 1048576

In 1 year, 1000 processors each testing 1000000 keys per second will test in total
∼ 2^25 · 2^10 · 2^20 = 2^55 keys.

Therefore a 56-bit key will be enough if the cover time is 1 year: the average search over a keyspace of size 2^56 takes 2^55 attempts, i.e. about one year for this attacker.

Cover time = the time for which a plaintext must be kept secret.


Exhaustive key search = brute-force attack

Key lengths needed to protect against a brute-force attack if the cover time is 1 year:

  Strength of attack                                   Key length
  Human: one key per second                            26 bits
  1 processor: 1000000 keys per second                 46 bits
  1000 processors: each 1000000 keys per second        56 bits
  1000000 processors: each 1000000 keys per second     66 bits
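Added example, not part of the lecture slides: the brute-force cost arithmetic of the last few slides, done in Python with exact numbers instead of the 2^10, 2^20, 2^25 approximations. It reproduces the key-length table from the rule "the average search, 2^(L−1) trials, must take at least the cover time", confirms the (n+1)/2 expected-attempts formula by actually running the sequential search of the slide on a small keyspace, and computes real attack times for Question 4. All parameters are the slide's; nothing else is assumed.

```python
# Added example, not from the lecture slides: the brute-force cost arithmetic of
# this chapter done with exact numbers instead of the 2^10, 2^20, 2^25
# approximations, reproducing the key-length table and the expected-attempts
# formula, plus a tiny sequential key search that confirms the (n+1)/2 average.
import math

SECONDS_PER_YEAR = 31_556_926  # the value used on the slide


def expected_attempts(keyspace_size):
    """E[X] = sum_{i=1}^{n} i * (1/n) = (n+1)/2 when every key is equally likely."""
    n = keyspace_size
    return (n + 1) / 2


def average_search_cost(keyspace_size):
    """Run the sequential search of the slide once for every possible correct key
    and average the number of trial decryptions; equals expected_attempts."""
    total = 0
    for correct in range(keyspace_size):
        attempts = 0
        for candidate in range(keyspace_size):
            attempts += 1                # decrypt, check whether plaintext makes sense
            if candidate == correct:     # correct key recognised as soon as it is tested
                break
        total += attempts
    return total / keyspace_size


def keys_tested(processors, keys_per_second, cover_seconds=SECONDS_PER_YEAR):
    """Keys the attacker can try during the cover time."""
    return processors * keys_per_second * cover_seconds


def min_key_bits(processors, keys_per_second, cover_seconds=SECONDS_PER_YEAR):
    """Smallest key length L such that the average search, 2^(L-1) trials,
    takes at least the cover time, i.e. 2^(L-1) >= keys_tested."""
    tested = keys_tested(processors, keys_per_second, cover_seconds)
    return math.ceil(math.log2(tested)) + 1


def slide_table():
    """The four attacker strengths of the slide, with a 1-year cover time."""
    attackers = [
        ("Human: one key per second", 1, 1),
        ("1 processor: 1000000 keys per second", 1, 10**6),
        ("1000 processors: each 1000000 keys per second", 1000, 10**6),
        ("1000000 processors: each 1000000 keys per second", 10**6, 10**6),
    ]
    return [(name, min_key_bits(procs, rate)) for name, procs, rate in attackers]


def search_time_seconds(key_bits, processors, keys_per_second, average=True):
    """Real attack time: 2^(L-1) trials on average, 2^L for a full search."""
    trials = 2 ** (key_bits - 1) if average else 2 ** key_bits
    return trials / (processors * keys_per_second)


def humanize(seconds):
    """Years / days / hours / seconds breakdown, as asked for in Question 4."""
    years, rem = divmod(seconds, SECONDS_PER_YEAR)
    days, rem = divmod(rem, 86_400)
    hours, secs = divmod(rem, 3_600)
    return f"{years:.0f} years, {days:.0f} days, {hours:.0f} hours, {secs:.3f} seconds"


if __name__ == "__main__":
    for name, bits in slide_table():
        print(f"{name:50s} {bits} bits")
    print("30-bit key, 10^6 keys/s, full search:",
          humanize(search_time_seconds(30, 1, 10**6, average=False)))
    print("128-bit key, 10^6 x 10^6 keys/s, average:",
          humanize(search_time_seconds(128, 10**6, 10**6)))
```

With exact seconds the table comes out identical to the slide's (26, 46, 56, 66 bits), so the power-of-two approximations lose nothing here; the 128-bit row of the last print is the point of the chapter: the average search takes on the order of 10^18 years for the strongest attacker in the table.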


Types of attack

Passive attack = unauthorized access to data (typically remains unnoticed)
  Traffic analysis (location / hosts / frequency / length of messages)
  Release of message contents
  Monitoring processor computations (timing / power analysis)

Active attack = changing the information in an unauthorized way
  Initiating unintended or unauthorized transmission of information
  Unauthorized deletion of data
  Denial of access to information for legitimate users (denial of service)


Examples of symmetric cryptosystems: Caesar

Caesar Cipher = Shift Cipher                         Vienna −→ Ylhqqd
Replace each letter by the letter 'shifted' along the alphabet by some fixed number between 0 and 25. Key = 'secret shift number'. Length = 1 (the key is a single number)

Caesar Cipher with a shift of 3 [image: geeksforgeeks.org]

Plaintext / Ciphertext: strings of letters (or numbers between 0 and 25)
Encryption / Decryption key: a number between 0 and 25, Size = 26
Ciphertext letter = Plaintext letter + Key mod 26
Examples of symmetric cryptosystems: Substitution

Simple Substitution Cipher                           Vienna −→ Saiffp
Replace each letter by its image under a fixed permutation of the alphabet. Key = a permutation of the 26 letters. Length = 26 (letters)

Plain alphabet:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet: PHQGIUMEAYLNOFDXJKRCVSTZWB

Plaintext / Ciphertext: strings of letters (or numbers between 0 and 25)
Encryption / Decryption key: a permutation σ ∈ Sym(26), Size = 26!
Ciphertext letter = σ(Plaintext letter)


Examples of symmetric cryptosystems: Substitution

Caesar Cipher is a specific example of a Simple Substitution Cipher (the permutation is a cyclic shift).

26! ≈ 4.03 · 10^26 ≫ 10^22 ≈ number of stars in the observable universe

Exhaustive key search is currently not feasible.

Simple Substitution Ciphers are examples of monoalphabetic ciphers (each given letter is always encrypted into the same unique letter).

Simple Substitution Cipher is breakable by letter frequency analysis. (A long enough message, i.e. enough ciphertext, is required.)

A large keyspace is necessary but not sufficient for security.


Example: Letter frequency analysis

English letter frequencies [image: Crypto Corner]    Ciphertext letter frequencies [image: Crypto Corner]


Examples of symmetric cryptosystems: Vigenère

Vigenère Cipher                                      Vienna −→ Bwyyaa (key GOULNARA)
Generate a key by repeating a given key until it matches the length of the plaintext. Replace each plaintext letter by another letter using a Caesar Cipher whose key is the number associated to the corresponding letter of the generated key. Key = a string of letters.

Plaintext:      UNIVERSITY      Key: GOULNARA
Generated key:  GOULNARAGO
Ciphertext:     ABCGRRJIZM

Plaintext / Ciphertext: strings of letters (or numbers between 0 and 25)
Encryption / Decryption generated key length = length of the plaintext
Ciphertext letter_i = Plaintext letter_i + Key_i mod 26


Examples of symmetric cryptosystems: Vigenère

Vigenère Cipher table [image: geeksforgeeks.org]
Examples of symmetric cryptosystems: Vigenère

Vigenère Cipher is an example of a polyalphabetic cipher (each given letter can be encrypted into up to 'length of the key' different letters).

The same letter is encrypted differently depending on its position in the plaintext. Hence, a naive single-letter frequency analysis of the whole ciphertext does not apply directly.

For long enough keys the exhaustive key search is currently not feasible (a key of ℓ letters gives a keyspace of size 26^ℓ).

Vigenère Cipher is breakable by breaking a sequence of Caesar Ciphers in a strict rotation: the ciphertext letters at positions i, i + ℓ, i + 2ℓ, ... were all shifted by the same key letter, so each such column is a Caesar Cipher. (The length ℓ of the given key is required.)

Enigma machine: a sequence of component substitution encryption processes in rotation, using a long key.
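Added example, not part of the lecture slides: the three classical ciphers of this chapter implemented in Python over the alphabet A–Z, together with the attack just described: a Caesar cipher is broken by exhaustive search over the 26 shifts with a letter-frequency score, and a Vigenère ciphertext is broken by splitting it into ℓ such Caesar columns, given the key length ℓ as on the slide. Output is upper-case (the slides print mixed case). The English letter-frequency table is the usual published one, the sample paragraph and the key WIEN are constructed for the demonstration, and the slide's own examples (Vienna, UNIVERSITY with GOULNARA) are used as checks.

```python
# Added example, not from the lecture slides: the three classical ciphers of
# this chapter over the alphabet A-Z and the attack the slides describe
# (break each Caesar column of a Vigenere ciphertext by letter frequencies).
# Assumptions: plaintexts are reduced to upper-case letters; the attack is told
# the key length, as on the slide; the sample text and key WIEN are constructed.
from collections import Counter
from itertools import cycle

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Standard relative frequencies (in percent) of letters in English text.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}

# Constructed sample plaintext (about 430 letters) for the attack demonstration.
SAMPLE_PLAINTEXT = (
    "Cryptography is the practice and study of techniques for secure "
    "communication in the presence of adversaries. The sender and the receiver "
    "share a secret key while the interceptor sees only the ciphertext. A large "
    "keyspace is necessary but not sufficient for security because the "
    "statistics of the plaintext language leak through any monoalphabetic "
    "substitution, and a repeated key turns the Vigenere cipher into several "
    "shift ciphers that are each broken by letter frequency analysis on a long "
    "enough message."
)


def _letters(text):
    """Keep A-Z only, upper-cased: the slides treat plaintexts as letter strings."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def shift_encrypt(plaintext, key):
    """Caesar / shift cipher: ciphertext letter = plaintext letter + key mod 26."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + key) % 26] for ch in _letters(plaintext))


def shift_decrypt(ciphertext, key):
    return shift_encrypt(ciphertext, -key)


def substitution_encrypt(plaintext, cipher_alphabet):
    """Simple substitution: ciphertext letter = sigma(plaintext letter)."""
    assert sorted(cipher_alphabet) == list(ALPHABET), "key must be a permutation of A-Z"
    return _letters(plaintext).translate(str.maketrans(ALPHABET, cipher_alphabet))


def vigenere_encrypt(plaintext, key):
    """Vigenere: letter i is shifted by key letter (i mod len(key)), a rotation of shift ciphers."""
    shifts = [ALPHABET.index(ch) for ch in _letters(key)]
    return "".join(ALPHABET[(ALPHABET.index(ch) + s) % 26]
                   for ch, s in zip(_letters(plaintext), cycle(shifts)))


def vigenere_decrypt(ciphertext, key):
    inverse_key = "".join(ALPHABET[-ALPHABET.index(ch) % 26] for ch in _letters(key))
    return vigenere_encrypt(ciphertext, inverse_key)


def chi_squared(text):
    """Distance between the letter counts of `text` and English; lower is more English-like."""
    counts, n = Counter(text), len(text)
    return sum((counts[ch] - n * f / 100) ** 2 / (n * f / 100) for ch, f in ENGLISH_FREQ.items())


def break_shift(ciphertext):
    """Exhaustive search over the 26 shift keys, scoring each candidate plaintext."""
    return min(range(26), key=lambda k: chi_squared(shift_decrypt(ciphertext, k)))


def break_vigenere(ciphertext, key_length):
    """Letters at positions i, i+L, i+2L, ... share one key letter, so each such
    column is a Caesar cipher: break the columns independently, then reassemble."""
    text = _letters(ciphertext)
    return "".join(ALPHABET[break_shift(text[i::key_length])] for i in range(key_length))


def demo():
    """Encrypt the sample under the constructed key WIEN and recover the key from ciphertext alone."""
    ciphertext = vigenere_encrypt(SAMPLE_PLAINTEXT, "WIEN")
    return break_vigenere(ciphertext, key_length=4)


if __name__ == "__main__":
    print(shift_encrypt("Vienna", 3), substitution_encrypt("Vienna", "PHQGIUMEAYLNOFDXJKRCVSTZWB"))
    print(vigenere_encrypt("UNIVERSITY", "GOULNARA"), "recovered key:", demo())
```

The attack needs no knowledge of the plaintext, only that it is English and long enough for each column (here about 107 letters) to show the language's letter statistics; this is the "large keyspace is necessary but not sufficient" point of the previous slides made concrete.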


Test questions

Question 1
Give an example of an application where
(i) entity authentication and data origin authentication are both
required;
(ii) data origin authentication is required but not data integrity.

Question 2
If the given key of a Vigenère Cipher has repeated letters, does it
make it any easier to break?

Question 3
Invent and analyze (length, size, attacks?) an Affine Cipher.



Computational complexity

  Operation                                   Complexity
  Addition of two n-bit numbers               n
  Multiplication of two n-bit numbers         n^2
  Raising a number to an n-bit power          n^3
  Exhaustive key search for an n-bit key      2^n

Complexity of multiplication

$$\Big(\sum_{0\le k\le n-1} a_k 2^k\Big)\times\Big(\sum_{0\le \ell\le n-1} b_\ell 2^\ell\Big) = \sum_{0\le m\le 2(n-1)} c_m 2^m,\qquad c_m = \sum_{k+\ell=m} a_k b_\ell$$

Calculation of each c_m requires ≤ 2n − 1 elementary multiplications and ≤ 2n − 2 additions and corresponding carries, thus the algorithm requires less than 2n · 4n steps, hence at most quadratic complexity.
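Added example, not part of the lecture slides: the bit-level schoolbook multiplication whose cost the slide bounds, written out in Python with the elementary bit operations counted, so that the bound "fewer than 2n · 4n steps" can be checked on concrete inputs and the result compared against native integer multiplication. Nothing beyond the slide's formula is assumed.

```python
# Added example, not from the lecture slides: the bit-level schoolbook
# multiplication whose cost the slide bounds (c_m = sum_{k+l=m} a_k b_l followed
# by carry propagation), with the elementary bit operations counted so the
# bound "fewer than 2n * 4n steps" can be checked on concrete inputs.


def to_bits(x, n):
    """Little-endian bit vector a_0 .. a_{n-1} with x = sum_k a_k 2^k."""
    assert 0 <= x < (1 << n), "x must fit in n bits"
    return [(x >> k) & 1 for k in range(n)]


def schoolbook_multiply(x, y, n):
    """Multiply two n-bit numbers as on the slide. Returns (product, bit
    multiplications, bit additions), the additions including the carries."""
    a, b = to_bits(x, n), to_bits(y, n)
    mults = adds = 0
    coeffs = []
    for m in range(2 * n - 1):                                  # 0 <= m <= 2(n-1)
        c_m = 0
        for k in range(max(0, m - n + 1), min(m, n - 1) + 1):   # l = m - k in [0, n-1]
            c_m += a[k] * b[m - k]                              # one bit multiplication, one addition
            mults += 1
            adds += 1
        coeffs.append(c_m)
    # c_m can exceed 1, so normalise the coefficients into a binary number
    product = carry = 0
    for m, c_m in enumerate(coeffs):
        total = c_m + carry                                     # one addition with carry
        adds += 1
        product |= (total & 1) << m
        carry = total >> 1
    product |= carry << (2 * n - 1)                             # product < 2^(2n), so carry <= 1
    return product, mults, adds


def within_slide_bound(n, mults, adds):
    """Each c_m needs at most 2n-1 multiplications and 2n-2 additions plus carries,
    so the slide bounds the whole algorithm by 2n * 4n steps: quadratic in n."""
    return mults + adds < 2 * n * 4 * n


if __name__ == "__main__":
    for n, x, y in [(4, 11, 13), (32, 2**31 - 1, 2**31 - 5)]:
        prod, mults, adds = schoolbook_multiply(x, y, n)
        print(n, prod == x * y, mults, adds, within_slide_bound(n, mults, adds))
```

The counts show the slide's bound is loose: the convolution uses exactly n^2 bit multiplications (one per pair (k, ℓ)), and the carries add only 2n − 1 further additions, well inside 8n^2.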
Computational complexity of attacks

We can estimate real attack times.

Assumption: the computer performs 1000000 operations per second.

Exhaustive key search real attack time for a 30-bit key:

$$\frac{2^{30}}{10^6}\ \text{sec.} = 1073.741824\ \text{seconds} \approx 17.9\ \text{minutes}$$

Computational complexity is an indication of the real attack time, i.e. of computational security.


Test questions

Question 4
How long (in years, days, hours, seconds) it will take 1000000
computers, each processing 1000000 operations per second, to
(1) multiply two 1000-bit numbers together;
(2) perform an exhaustive search for a 128-bit key;
(3) find the correct key (on average) while performing a brute-force
attack on a 128-bit key.



Evaluating security

Computational security: the computational complexity of the best known attack is high.

Provable security: breaking the cryptosystem would solve a problem assumed to be hard.

Unconditional security: breaking is not possible even if computational resources are unlimited.


Perfect secrecy

A cryptosystem has perfect secrecy if seeing the ciphertext gives no extra information about the plaintext.

A cryptosystem with perfect secrecy is unconditionally secure against a ciphertext-only attack.


Probability distributions on plaintexts and keyspace

Let (P, C, K, E, D) be a cryptosystem and let probability distributions be given on P and K (bold letters denote random variables, plain letters their values):

  $\Pr[\mathbf{p} = p]$ denotes the probability that the plaintext p ∈ P occurs,
  $\Pr[\mathbf{k} = k]$ denotes the probability that the key k ∈ K is chosen.

Analogously, $\Pr[\mathbf{c} = c]$ denotes the probability that the ciphertext c ∈ C is transmitted.

Assumptions:
– the key and the plaintext are independent random variables;
– each key is used for only one encryption.


Probability distribution on ciphertexts

For k ∈ K, let C(k) := {E_k(p) : p ∈ P} be the set of possible ciphertexts if k is the key. Then ∀c ∈ C we have:

$$\Pr[\mathbf{c} = c] = \sum_{\{k \,:\, c \in C(k)\}} \Pr[\mathbf{k} = k]\,\Pr[\mathbf{p} = D_k(c)]$$

Then:

$$\Pr[\mathbf{c} = c \mid \mathbf{p} = p] = \sum_{\{k \,:\, p = D_k(c)\}} \Pr[\mathbf{k} = k]$$

Using Bayes' theorem ( $\Pr[X \mid Y] = \dfrac{\Pr[X]\,\Pr[Y \mid X]}{\Pr[Y]}$ if $\Pr[Y] > 0$ ):

$$\Pr[\mathbf{p} = p \mid \mathbf{c} = c] = \frac{\Pr[\mathbf{p} = p]\displaystyle\sum_{\{k \,:\, p = D_k(c)\}} \Pr[\mathbf{k} = k]}{\displaystyle\sum_{\{k \,:\, c \in C(k)\}} \Pr[\mathbf{k} = k]\,\Pr[\mathbf{p} = D_k(c)]}$$


Perfect secrecy

Definition (Perfect secrecy, Shannon '49)
A cryptosystem has perfect secrecy if $\Pr[\mathbf{p} = p \mid \mathbf{c} = c] = \Pr[\mathbf{p} = p]$ for all p ∈ P and all c ∈ C with $\Pr[\mathbf{c} = c] > 0$.

Proposition: The following are equivalent:
1. (P, C, K, E, D) has perfect secrecy;
2. the random variables $\mathbf{p}$ and $\mathbf{c}$ are independent;
3. $\Pr[\mathbf{c} = c \mid \mathbf{p} = p] = \Pr[\mathbf{c} = c]$ for all p ∈ P, c ∈ C;
4. ∀p_1, p_2 ∈ P, ∀c ∈ C: $\Pr[\mathbf{c} = c \mid \mathbf{p} = p_1] = \Pr[\mathbf{c} = c \mid \mathbf{p} = p_2]$.

In particular, whether a cryptosystem has perfect secrecy does not depend on the language used in the plaintext (the probability distribution on P is irrelevant).
Perfect secrecy: Example

P = {a, b} with Pr[a] = 1/4, Pr[b] = 3/4 and C = {1, 2, 3, 4}.
K = {k_1, k_2, k_3} with Pr[k_1] = 1/2, Pr[k_2] = Pr[k_3] = 1/4.
Let the encryption be defined by:

  E_k    a   b
  k_1    1   2
  k_2    2   3
  k_3    3   4

Then the induced probability distribution on C is determined, e.g.
Pr[2] = Pr[k_1] Pr[b] + Pr[k_2] Pr[a] = 3/8 + 1/16 = 7/16,
Pr[3] = Pr[k_2] Pr[b] + Pr[k_3] Pr[a] = 3/16 + 1/16 = 1/4, etc.

Then the conditional probability distributions on the plaintext, given a certain ciphertext, can be computed, e.g.
Pr[b | 2] = Pr[k_1] Pr[b] / Pr[2] = (3/8) / (7/16) = 6/7 ≠ 3/4 = Pr[b], etc.

Hence, this cryptosystem does not have perfect secrecy (although the condition does hold for the specific ciphertext c = 3: Pr[b | 3] = (3/16) / (1/4) = 3/4 = Pr[b]).


Perfect secrecy: Shannon's theorem

Theorem (Perfect secrecy, Shannon '49)
Let (P, C, K, E, D) be a cryptosystem with |K| = |C| = |P|. Then it has perfect secrecy if and only if every key is used with equal probability 1/|K|, and ∀p ∈ P, ∀c ∈ C, there is a unique key k ∈ K such that E_k(p) = c.

Proof: (⇒) We can assume that ∀p ∈ P Pr[p] > 0 and ∀c ∈ C Pr[c] > 0.

Fix p ∈ P. By perfect secrecy, ∀c ∈ C we have Pr[c | p] = Pr[c] > 0, that is, for every c ∈ C there is at least one key k ∈ K with E_k(p) = c.

Therefore |C| = |{E_k(p) : k ∈ K}| ≤ |K| and, as |K| = |C|, the map k ↦ E_k(p) is a bijection from K onto C: there are no distinct keys k_1 ≠ k_2 with E_{k_1}(p) = E_{k_2}(p) = c. That is, ∀p ∈ P, ∀c ∈ C, there is a unique key k ∈ K such that E_k(p) = c.

(Analogously, |P| ≤ |K|.)


Perfect secrecy: Shannon’s theorem (continued)

Let n = |K|, P = {p1 , . . . , pn }, and c ∈ C be fixed. Let ki ∈ K be so that


Eki (pi ) = c. Using Bayes’ theorem:

Pr [c | pi ] Pr [pi ] Pr [ki ] Pr [pi ]


Pr [pi | c] = = .
Pr [c] Pr [c]

Perfect secrecy implies that ∀i Pr [ki ] = Pr [c], all keys are used with
equal probability. Since there are |K| keys, the probability is 1/|K|.
(⇐) ∀p ∈ P, ∀c ∈ C Pr [c | p] = 1/|K|, hence, we conclude by the
Proposition. 

c Univ.-Prof. Dr. Goulnara Arzhantseva Chapter 01: Introduction 38 / 44


One-time pad

Definition (One-time pad, Vernam 1917)
Let P = C = K = (Z/2Z)^n and E_k(p) = p + k mod 2 (bitwise XOR of the plaintext with the key), with the key chosen uniformly at random.

One-time pad has perfect secrecy:

∀p ∈ P, ∀c ∈ C: Pr[c | p] = Pr[k = p + c] = 1/|K| = 2^(−n),

hence we conclude by the Proposition (alternatively, one can use Shannon's theorem: keys are uniform and for each pair (p, c) the unique key is k = p + c).
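Added example, not part of the lecture slides, serving both the worked 3-key example above and the one-time pad: a small Python checker that takes a cryptosystem as an encryption table with distributions on K and P, computes the induced ciphertext distribution and the posteriors Pr[p | c] exactly (with rational arithmetic, so equalities are exact), tests Shannon's definition of perfect secrecy, and tests the hypotheses of Shannon's theorem (|K| = |C| = |P|, uniform keys, one key per pair (p, c)). It reproduces Pr[2] = 7/16, Pr[3] = 1/4 and Pr[b | 2] = 6/7, confirms perfect secrecy of the one-time pad under a skewed plaintext distribution, and shows what happens when the same pad is used twice (the plaintext and key distributions for those last two checks are constructed here).

```python
# Added example, not from the lecture slides: compute the induced ciphertext
# distribution and the posteriors Pr[p | c] for a cryptosystem given as an
# encryption table, test Shannon's definition of perfect secrecy and the
# hypotheses of Shannon's theorem, and apply them to the slide's 3-key example
# and to the one-time pad. Exact rational arithmetic, so equalities are exact.
from fractions import Fraction as Fr


def ciphertext_distribution(enc, key_prob, plain_prob):
    """Pr[c] = sum over (k, p) with E_k(p) = c of Pr[k] Pr[p]  (key and plaintext independent)."""
    dist = {}
    for k, pk in key_prob.items():
        for p, pp in plain_prob.items():
            c = enc[k][p]
            dist[c] = dist.get(c, Fr(0)) + pk * pp
    return dist


def posterior(enc, key_prob, plain_prob):
    """Pr[p | c] = Pr[p] * sum_{k : E_k(p) = c} Pr[k] / Pr[c]  (Bayes), for all p and all c with Pr[c] > 0."""
    prc = ciphertext_distribution(enc, key_prob, plain_prob)
    post = {}
    for p, pp in plain_prob.items():
        for c, pc in prc.items():
            post[(p, c)] = pp * sum(pk for k, pk in key_prob.items() if enc[k][p] == c) / pc
    return post


def has_perfect_secrecy(enc, key_prob, plain_prob):
    """Shannon '49: Pr[p | c] = Pr[p] for every plaintext p and every ciphertext c."""
    return all(v == plain_prob[p] for (p, _c), v in posterior(enc, key_prob, plain_prob).items())


def shannon_conditions(enc, key_prob):
    """Hypotheses of Shannon's theorem: |K| = |C| = |P|, keys uniform, and for each
    pair (p, c) exactly one key with E_k(p) = c (the table is a Latin square)."""
    keys = list(enc)
    plains = list(enc[keys[0]])
    ciphers = {enc[k][p] for k in keys for p in plains}
    if not len(keys) == len(plains) == len(ciphers):
        return False
    if any(key_prob[k] != Fr(1, len(keys)) for k in keys):
        return False
    return all(sum(1 for k in keys if enc[k][p] == c) == 1 for p in plains for c in ciphers)


# The example from the slides: P = {a, b}, C = {1, 2, 3, 4}, three keys.
SLIDE_ENC = {"k1": {"a": 1, "b": 2}, "k2": {"a": 2, "b": 3}, "k3": {"a": 3, "b": 4}}
SLIDE_KEYS = {"k1": Fr(1, 2), "k2": Fr(1, 4), "k3": Fr(1, 4)}
SLIDE_PLAIN = {"a": Fr(1, 4), "b": Fr(3, 4)}


def one_time_pad(n):
    """P = C = K = (Z/2Z)^n as n-bit integers, E_k(p) = p XOR k, key uniform."""
    space = range(1 << n)
    enc = {k: {p: p ^ k for p in space} for k in space}
    return enc, {k: Fr(1, 1 << n) for k in space}


def two_time_pad(n):
    """The same n-bit key reused for two messages: plaintexts and ciphertexts are pairs."""
    space = range(1 << n)
    enc = {k: {(p1, p2): (p1 ^ k, p2 ^ k) for p1 in space for p2 in space} for k in space}
    return enc, {k: Fr(1, 1 << n) for k in space}


if __name__ == "__main__":
    dist = ciphertext_distribution(SLIDE_ENC, SLIDE_KEYS, SLIDE_PLAIN)
    post = posterior(SLIDE_ENC, SLIDE_KEYS, SLIDE_PLAIN)
    print("Pr[2] =", dist[2], " Pr[3] =", dist[3], " Pr[b|2] =", post[("b", 2)], " Pr[b|3] =", post[("b", 3)])
    print("slide example perfect?", has_perfect_secrecy(SLIDE_ENC, SLIDE_KEYS, SLIDE_PLAIN))
    skewed = {0: Fr(1, 2), 1: Fr(1, 4), 2: Fr(1, 8), 3: Fr(1, 8)}   # constructed plaintext distribution
    print("2-bit one-time pad perfect?", has_perfect_secrecy(*one_time_pad(2), skewed))
    pairs = {(p1, p2): Fr(1, 4) for p1 in range(2) for p2 in range(2)}  # constructed pair distribution
    print("key reused twice perfect?", has_perfect_secrecy(*two_time_pad(1), pairs))
```

The two-time pad check fails because c_1 + c_2 = p_1 + p_2 leaks the XOR of the two plaintexts, which is exactly why the second assumption of the probability model (each key used for only one encryption) matters in practice.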


Test questions

Question 5
(1) Does one-time pad remain with perfect secrecy if we reuse the
same key twice?
(2) Has Vigenère Cipher perfect secrecy?
(3) Could we use one-time pads in practice?



Symmetric encryption

DES = Data Encryption Standard, 1975
AES = Advanced Encryption Standard, 2000


Asymmetric encryption: Public-key encryption

RSA = Rivest-Shamir-Adleman cryptosystem, [1970] 1977
ECC = Elliptic curve cryptography, [1985] 2004

A public-key cryptosystem can never provide unconditional security: an adversary with unlimited computing power can encrypt every possible plaintext under the public key until the result matches the observed ciphertext.

Therefore, we study the computational security of public-key cryptosystems.


RSA cryptosystem

Definition (RSA cryptosystem)
Let n = pq, where p, q are distinct primes. Let P = C = Z/nZ and

  K = {(n, p, q, a, b) : ab ≡ 1 mod φ(n)}.

For k = (n, p, q, a, b), we define

  E_k(x) = x^b mod n and D_k(c) = c^a mod n.

Public key is (n, b) and private key is (p, q, a).

Here x is a plaintext.
Euler's function φ(n) = the number of positive integers less than n and relatively prime to n.


RSA cryptosystem

Encryption and decryption are inverse operations.

n = pq ⇒ φ(n) = (p − 1)(q − 1).
We have ab ≡ 1 mod φ(n), i.e. ab = tφ(n) + 1 for some t ∈ Z.

(1) Suppose that x ∈ (Z/nZ)^*. Then, by Euler's theorem x^φ(n) ≡ 1 mod n,

$$(x^b)^a = x^{t\varphi(n)+1} = (x^{\varphi(n)})^t\, x \equiv 1^t\, x = x \pmod n.$$

(2) If x ∉ (Z/nZ)^*, then x ≡ 0 mod p or x ≡ 0 mod q.
If x ≡ 0 mod p, then (x^b)^a ≡ 0 ≡ x mod p as well. If the same holds mod q we are done by the Chinese remainder theorem.
Otherwise x ≢ 0 mod q. Then, by Fermat's little theorem x^(q−1) ≡ 1 mod q,

$$(x^b)^a = x^{ba-1}\, x = x^{t(p-1)(q-1)}\, x = (x^{q-1})^{t(p-1)}\, x \equiv 1^{t(p-1)}\, x = x \pmod q.$$

We conclude by the Chinese remainder theorem. □
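Added example, not part of the lecture slides: textbook RSA exactly as defined in the chapter, in Python, instantiated with the toy primes p = 61, q = 53 (an assumed parameter set far too small for real use) so that D_k(E_k(x)) = x can be checked for every x ∈ Z/nZ, including the non-units of case (2) of the proof. Two practitioner caveats the slides do not spell out are included: the "practical method of determining the decryption key" at this size is simply factoring n, and textbook RSA is deterministic and multiplicative, which is why deployed systems pad the plaintext before exponentiating.

```python
# Added example, not from the lecture slides: textbook RSA exactly as defined
# in the chapter, instantiated with the small primes p = 61, q = 53 (an assumed
# toy parameter set, far too small for real use) so that decryption can be
# checked for every plaintext in Z/nZ, including the non-units x with
# gcd(x, n) > 1 handled in case (2) of the proof.
from math import gcd


def rsa_keygen(p, q, b):
    """n = pq, phi(n) = (p-1)(q-1), a = b^(-1) mod phi(n).
    Returns public key (n, b) and private key (p, q, a) as on the slide."""
    assert p != q, "p and q must be distinct primes"
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(b, phi) == 1, "b must be invertible modulo phi(n)"
    a = pow(b, -1, phi)  # modular inverse (Python 3.8+)
    assert (a * b) % phi == 1
    return (n, b), (p, q, a)


def rsa_encrypt(public, x):
    """E_k(x) = x^b mod n."""
    n, b = public
    return pow(x, b, n)


def rsa_decrypt(private, n, c):
    """D_k(c) = c^a mod n."""
    _p, _q, a = private
    return pow(c, a, n)


def roundtrip_all(p, q, b):
    """D_k(E_k(x)) = x for every x in Z/nZ: units (case 1) and non-units (case 2)."""
    public, private = rsa_keygen(p, q, b)
    n = public[0]
    return all(rsa_decrypt(private, n, rsa_encrypt(public, x)) == x for x in range(n))


def non_units(n):
    """Plaintexts outside (Z/nZ)^*, i.e. multiples of p or q, covered by case (2)."""
    return [x for x in range(n) if gcd(x, n) != 1]


def is_multiplicative(public, x1, x2):
    """Textbook RSA is malleable: E(x1) * E(x2) = E(x1 * x2) mod n, and it is
    deterministic. Real systems therefore pad x (e.g. OAEP) before exponentiating."""
    n, _b = public
    return (rsa_encrypt(public, x1) * rsa_encrypt(public, x2)) % n == rsa_encrypt(public, (x1 * x2) % n)


def recover_private_by_factoring(public):
    """'A practical method of determining the decryption key': at this size n is
    factored by trial division and a is recomputed from (p, q, b)."""
    n, b = public
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return rsa_keygen(p, n // p, b)[1]
    raise ValueError("n has no factor up to sqrt(n)")


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(public, 65)
    print(public, private, c, rsa_decrypt(private, public[0], c))
    print("all of Z/nZ round-trips:", roundtrip_all(61, 53, 17),
          "non-units:", len(non_units(public[0])))
    print("malleable:", is_multiplicative(public, 65, 100),
          "recovered a by factoring:", recover_private_by_factoring(public)[2])
```

The exhaustive round trip over all 3233 residues is the proof of the slide turned into a check: the 113 non-units (multiples of 61 or 53) decrypt correctly only because of case (2), not because of Euler's theorem alone.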
