01 Intro

Uploaded by

Văn Hữu

Introduction to Cryptography and Security

Introduction

Textbook
https://www.crypto-textbook.com

Outline

1 Introduction

2 Symmetric Cryptography

3 Cryptanalysis

4 Modular Arithmetic and More Historical Ciphers

5 Lessons Learned

World War II
German Enigma encryption machine

Back to about 2000 B.C.
Scytale of Sparta

Classification

• Cryptology
  • Cryptography
    • Symmetric Ciphers
    • Asymmetric Ciphers
    • Protocols
  • Cryptanalysis

Encryption
Goal: Confidentiality of transmitted (or stored) message.

Characters in the game:

• Alice, Bob are “good guys” (by Wikipedia)
• Oscar is “eavesdropper”, “adversary”

Figure: Alice and Bob communicate over an insecure channel; Oscar can listen and modify.

Cryptography Approach

Figure: Alice and Bob communicate over an insecure channel; Oscar can listen and modify.

• Bob knows a key k that Oscar doesn’t (Oscar knows the system).
• Alice can encrypt x such that knowledge of k allows for decryption.
• Oscar sees ciphertext y, but learns nothing about x.

Notation

• x, m are plaintext or message;
• y, c are ciphertexts;
• k is the key;
• Enc is the encryption function;
• Dec is the decryption function;
• Gen is the key generation function.

Symmetric Cryptography
Alice & Bob both know key k (the shared symmetric key).

Algorithms:

k ← Gen(1^λ)     generate key of length λ
y ← Enc(k, x)    encrypt message x with key k, result is y
x = Dec(k, y)    decrypt y using k to obtain x

Setup:
• Someone (may be Alice or Bob) computes k ← Gen(1^λ),
• and ensures that Alice & Bob both have k (and Oscar doesn’t). (How?!)

Symmetric-key cryptosystem

Figure: Alice, holding key k, computes y ← Enc(k, x) and sends y over the channel; Bob, holding the same key k, computes x = Dec(k, y). Oscar listens on the channel.

Questions

• Can Oscar know the encryption and decryption functions?
  • Yes. She knows.
• Why not hide the encryption and decryption functions?
  • Because it’s safer to make the functions public!

Kerckhoffs’ Principle

A cryptosystem should be secure even if the attacker (Oscar) knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms.

Remark: Kerckhoffs’ Principle is counterintuitive.

NaCl (Networking and Cryptography library)

• NaCl (pronounced "salt") is a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc.
• NaCl’s goal is to provide all of the core operations needed to build higher-level cryptographic tools.
• NaCl on Wikipedia: https://en.wikipedia.org/wiki/NaCl_(software)
• NaCl was created by the mathematician and programmer Daniel J. Bernstein.

Substitution Cipher

Example

A→k
B→d
C→w
···

For instance, the pop group ABBA would be encrypted as kddk.

What is the key k of this cipher?

Exercise

Consider the following ciphertext, which was encrypted with the substitution cipher.

iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb
hcc hwwhbsqvqbre hwq vhlq

Question
• Can you guess what the plaintext is?
• Is the substitution cipher secure?

First Attack: Brute-Force or Exhaustive Key Search

• Let (x, y) denote the pair of plaintext and ciphertext,
• and let K = {k_1, ..., k_n} be the key space of all possible keys k_i.
• A brute-force attack now checks for every k_i ∈ K if

Dec(k_i, y) = x.

• If the equality holds, a possible correct key is found; if not, proceed with the next key.

Brute-Force Attack for Substitution Cipher

Question
What is the key space of the cipher?

Second Attack: Letter Frequency Analysis

The major weakness of the substitution cipher is that each plaintext symbol always maps to the same ciphertext symbol.
Example

A→k
B→d
C→w
···

For instance, the pop group ABBA would be encrypted as kddk.

Second Attack: Letter Frequency Analysis

• For instance, “e” is the most common letter in English; almost 13% of all letters in a typical English text are “e”.
• The next most common one is “t” with about 9%.

Figure: Relative letter frequencies of the English language (x-axis: letters, in the order E T A O I N S H R D L C U M W F G Y P B V K J X Q Z; y-axis: frequency in %). Source: Chapter 1 of Understanding Cryptography by Christof Paar and Jan Pelzl.

Exercise: Decrypt the ciphertext

iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb
hcc hwwhbsqvqbre hwq vhlq

• Letters have very different frequencies in the English language.
• Moreover: the frequency of plaintext letters is preserved in the ciphertext.
• For instance, “e” is the most common letter in English; almost 13% of all letters in a typical English text are “e”.
• The next most common one is “t” with about 9%.

Figure: Letter frequencies in English (x-axis: letters, in the order E T A O I N S H R D L C U M W F G Y P B V K J X Q Z; y-axis: frequency in %). Source: Chapter 1 of Understanding Cryptography by Christof Paar and Jan Pelzl.
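Added example (not part of the original slides): the first steps of a frequency attack on the exercise ciphertext, in Python. It checks that a substitution key cannot change the letter-count profile, then derives three letter guesses from the statistics; the function names, the seeded demo key and the sample plaintext are constructed for illustration.

```python
import random
import string
from collections import Counter

# Ciphertext from the exercise slide, both lines joined.
CIPHERTEXT = ("iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb "
              "hcc hwwhbsqvqbre hwq vhlq")

def letter_counts(text):
    """Count letters only; spaces and punctuation are ignored."""
    return Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)

def substitute(text, key):
    """Apply a substitution key (dict letter -> letter); other characters pass through."""
    return "".join(key.get(ch, ch) for ch in text)

def random_key(seed):
    """Constructed demo key: a seeded permutation of the alphabet (not a secure Gen)."""
    shuffled = random.Random(seed).sample(string.ascii_lowercase, 26)
    return dict(zip(string.ascii_lowercase, shuffled))

def frequency_profile(text):
    """Sorted letter counts: the part of the statistics that no key can change."""
    return sorted(letter_counts(text).values(), reverse=True)

def first_guesses(ciphertext):
    """Guess E from the most frequent letter, then T and H from a repeated
    three-letter word ending in that letter (a likely 'the')."""
    top = letter_counts(ciphertext).most_common(1)[0][0]
    guesses = {top: "E"}
    words = Counter(w for w in ciphertext.split() if len(w) == 3 and w[2] == top)
    for word, seen in words.items():
        if seen > 1:
            guesses.update({word[0]: "T", word[1]: "H"})
            break
    return guesses

def apply_guesses(ciphertext, guesses):
    """Guessed plaintext letters appear in upper case; unresolved letters stay lower case."""
    return substitute(ciphertext, guesses)

if __name__ == "__main__":
    sample = "meet me near the eastern entrance"   # constructed plaintext
    print(frequency_profile(sample) == frequency_profile(substitute(sample, random_key(1))))
    print(letter_counts(CIPHERTEXT).most_common(3))
    print(apply_guesses(CIPHERTEXT, first_guesses(CIPHERTEXT)))
```

The remaining lower-case letters are resolved the same way, by combining frequency ranks with word patterns until the text reads as English.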

Security Objective

• Oscar cannot distinguish

y_1 = Enc(k, x_1) and y_2 = Enc(k, x_2)

even if she knows (or chooses) x_1, x_2 (of same length). Encryption typically does not hide the message length.
• The security notion is called “ciphertext indistinguishability” or “semantic security”.

Attacks
Assume k is reused.

• Known ciphertext: the adversary has access only to the ciphertext.
• Known ciphertext/plaintext pairs: the adversary has access to both the ciphertext and the corresponding plaintext.
• Chosen plaintext: the adversary can choose arbitrary plaintexts to be encrypted and then obtain the corresponding ciphertexts.
• Chosen ciphertext: in addition to the chosen-plaintext capability, the adversary can choose arbitrary ciphertexts to be decrypted and then obtain the corresponding plaintexts.
Question: Which of these attacks is the most powerful?

Overview of Cryptanalysis

• Cryptanalysis
  • Classical Cryptanalysis
    • Mathematical Analysis
    • Brute-Force Attack
  • Implementation Attack
  • Social Engineering

Types of Cryptanalysis: A Diverse Toolkit

• Classical Cryptanalysis: Exploits the mathematical structure of the encryption algorithm itself.
• Brute-Force Attacks: Exhaustively trying all possible keys until the correct one is found.
• Implementation Attacks: Targeting weaknesses in the implementation of a cryptosystem, such as timing differences, power consumption patterns, or code vulnerabilities.
• Social Engineering Attacks: Manipulating people to reveal secrets or gain access to sensitive information.

Key Length: A Measure of Strength

Key length      Security estimation
56–64 bits      short term: a few hours or days
112–128 bits    long term: several decades in the absence of quantum computers
256 bits        long term: several decades, even with quantum computers that run the currently known quantum computing algorithms

Key Lengths: A Matter of Context

Symmetric crypto algorithms

• The discussion of key lengths for symmetric crypto algorithms is only relevant if a brute-force attack is the best known attack.

Symmetric vs. Asymmetric

• The key lengths for symmetric and asymmetric algorithms are dramatically different.
• For instance, an 80-bit symmetric key provides roughly the same security as a 1024-bit RSA key (RSA is a popular asymmetric algorithm).

Foretelling the Future

• It is hard to know what kinds of computers will be available in the year 2030.
• Moore’s Law predicts a doubling of computing power every 18 months, while costs remain constant.
• This exponential growth impacts cryptography: attacks become faster and cheaper over time.
• Cryptography must adapt and evolve to stay ahead of this exponential trend.

Example

• We consider the set of the nine numbers:

{0, 1, 2, 3, 4, 5, 6, 7, 8}

• We can do regular arithmetic as long as the results are smaller than 9. For instance:

2 × 3 = 6
4 + 4 = 8

• But what about 8 + 4? We can use modular arithmetic to simplify the result.

8 + 4 ≡ ? mod 9

Modulo Operation
• Let a, r, m ∈ Z (where Z is the set of all integers) and m > 0.
We write
a ≡ r mod m
if m divides (a − r).
• The integer m is called the modulus and r is called the
remainder.

Example
• Let a = 13 and m = 9. Find a value r.
• 13 ≡ 4 mod 9.
• Check: (a − r) = (13 − 4) = 9.

Computation of the Remainder

• It is always possible to write a ∈ Z, such that

a = q · m + r for 0 ≤ r < m.

• Since a − r = q · m, we can now write:

a ≡ r mod m.

Example
• Let a = 42 and m = 9. Then 42 = 4 · 9 + 6 and therefore
42 ≡ 6 mod 9.
• Let a = 58 and m = 7. Then 58 = 8 · 7 + 2 and therefore
58 ≡ 2 mod 7.

The Remainder Is Not Unique

Example
Let a = 42 and m = 9.
• 42 = 4 · 9 + 6 then r = 6, check (42 − 6) = 36 and 9 | 36.
• 42 = 3 · 9 + 15 then r = 15, check (42 − 15) = 27 and 9 | 27.
• 42 = 5 · 9 + (−3) then r = −3, check (42 + 3) = 45 and 9 | 45.

All Members of a Given Equivalence Class Behave Equivalently
Let’s look at all equivalence classes for m = 5.

A = {..., −10, −5, 0, 5, 10, ...}
B = {..., −9, −4, 1, 6, 11, ...}
C = {..., −8, −3, 2, 7, 12, ...}
D = {..., −7, −2, 3, 8, 13, ...}
E = {..., −6, −1, 4, 9, 14, ...}

We can perform calculations on equivalence classes:

D · B − D = A
13 · 16 − 8 = 208 − 8 = 200 ≡ 0 (mod 5)
3 · 1 − 3 = 3 − 3 = 0 ≡ 0 (mod 5)
8 · 6 − (−7) = 48 + 7 = 55 ≡ 0 (mod 5)

Important Application
Example
How to calculate 3^8 mod 7?

1st way: 3^8 = 6561 ≡ 2 mod 7

2nd way: 3^8 = 3^4 · 3^4 = 81 · 81 ≡ 4 · 4 = 16 ≡ 2 mod 7

Definition (Integer Rings)
The “integer ring” Z_m consists of:
1 The set Z_m = {0, 1, 2, ..., m − 1}
2 Two operations “+” and “·” for all a, b ∈ Z_m such that:
  • a + b ≡ c mod m for some c ∈ Z_m
  • a · b ≡ d mod m for some d ∈ Z_m

Example
• Let m = 9, i.e., we are dealing with the ring Z_9 = {0, 1, 2, 3, 4, 5, 6, 7, 8}.
• Here are two simple computations in this ring:

6 + 8 = 14 ≡ 5 mod 9
6 · 8 = 48 ≡ 3 mod 9

Properties of Rings 1

• We can add and multiply any two numbers from the set and the result is always in the ring. A ring is said to be closed.
• Addition and multiplication are associative:

a + (b + c) = (a + b) + c
a · (b · c) = (a · b) · c

• Addition is commutative: a + b = b + a.
• There is the neutral element 0 with respect to addition, i.e., for every element a ∈ Z_m it holds that a + 0 ≡ a mod m.

Properties of Rings 2

• For any element a in the ring, there is always the negative element −a such that a + (−a) ≡ 0 mod m.
• There is the neutral element 1 with respect to multiplication, i.e., for every element a ∈ Z_m it holds that a · 1 ≡ a mod m.
• The multiplicative inverse exists only for some, but not for all, elements.
  Let a ∈ Z_m. The inverse a^(-1) is defined such that a · a^(-1) ≡ 1 mod m. If an inverse exists for a, we can divide by this element since b/a ≡ b · a^(-1) mod m.
• The distributive law holds: a · (b + c) = (a · b) + (a · c).

Multiplicative Inverse

Definition (Multiplicative Inverse)
Let a, m ∈ Z and m > 0. The multiplicative inverse of a modulo m is an integer a^(-1) such that

a · a^(-1) ≡ 1 mod m.

• An element a ∈ Z has a multiplicative inverse a^(-1) if and only if gcd(a, m) = 1.
• If gcd(a, m) = 1, then a and m are said to be relatively prime or coprime.

Multiplicative Inverse in Z_26

• Does the multiplicative inverse of 15 exist in Z_26?
• Because gcd(15, 26) = 1, the inverse must exist. In fact, the inverse is 7 since

7 · 15 ≡ 1 mod 26.

• On the other hand, the multiplicative inverse of 14 does not exist in Z_26.

Encoding of Letters for the Shift Cipher

A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
Table: Encoding of letters for the shift cipher

Shift Cipher

Definition (Shift Cipher)
Let x, y, k ∈ Z_26.
• Encryption: e_k(x) ≡ (x + k) mod 26.
• Decryption: d_k(y) ≡ (y − k) mod 26.

Example
• Let the key be k = 17, and the plaintext is:

ATTACK = x_1, x_2, ..., x_6 = 0, 19, 19, 0, 2, 10.

• The ciphertext is then computed as:

y_1, y_2, ..., y_6 = 17, 10, 10, 17, 19, 1 = rkkrtb.

Affine Cipher

Definition (Affine Cipher)
Let x, y, a, b ∈ Z_26.
• Encryption: e_k(x) ≡ (a · x + b) mod 26.
• Decryption: d_k(y) ≡ (a^(-1) · (y − b)) mod 26.
with the key: k = (a, b), which has the restriction: gcd(a, 26) = 1.

The decryption is easily derived from the encryption function:

a · x + b ≡ y mod 26
a · x ≡ (y − b) mod 26
x ≡ a^(-1) · (y − b) mod 26

Example
Let the key be k = (a, b) = (9, 13), and the plaintext be ATTACK:

x_1, x_2, ..., x_6 = 0, 19, 19, 0, 2, 10

The ciphertext is computed as:

y_1, y_2, ..., y_6 = 13, 2, 2, 13, 5, 25 = nccnfz

For decryption, the inverse of a needs to be determined, which turns out to be a^(-1) = 3.

Affine Cipher Security

• Is the affine cipher secure? No!
• The key space is only a bit larger than in the case of the shift cipher:

Key space = (#values for a) · (#values for b)
          = 12 · 26 = 312
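Added example (not part of the original slides): the affine cipher over Z_26 in Python, together with the exhaustive key search from the "First Attack" slide run against the slides' own pair ATTACK / nccnfz. The function names are chosen here for illustration, and the input is assumed to contain letters only.

```python
from math import gcd

M = 26  # alphabet size; letters are encoded A=0 ... Z=25 as in the encoding table

def encode(text):
    """Letters to numbers (input is assumed to contain letters only)."""
    return [ord(ch) - ord("A") for ch in text.upper()]

def decode(nums):
    """Numbers to lower-case letters."""
    return "".join(chr(n + ord("a")) for n in nums)

def inverse(a, m=M):
    """Multiplicative inverse of a modulo m; it exists only if gcd(a, m) == 1."""
    if gcd(a, m) != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return pow(a, -1, m)  # modular inverse, Python 3.8+

def key_space():
    """All valid affine keys (a, b): a must be invertible, b is arbitrary."""
    return [(a, b) for a in range(M) if gcd(a, M) == 1 for b in range(M)]

def encrypt(plaintext, key):
    a, b = key
    return decode((a * x + b) % M for x in encode(plaintext))

def decrypt(ciphertext, key):
    a, b = key
    a_inv = inverse(a)
    return decode(a_inv * (y - b) % M for y in encode(ciphertext))

def brute_force(plaintext, ciphertext):
    """Exhaustive key search with one known pair: keep every k with Dec(k, y) = x."""
    target = plaintext.lower()
    return [k for k in key_space() if decrypt(ciphertext, k) == target]

if __name__ == "__main__":
    print(len(key_space()))                  # size of the key space
    print(encrypt("ATTACK", (9, 13)))        # the affine example from the slides
    print(encrypt("ATTACK", (1, 17)))        # shift cipher = affine cipher with a = 1
    print(brute_force("ATTACK", "nccnfz"))   # keys consistent with the known pair
    print(len(brute_force("A", "n")))        # a one-letter pair leaves several candidates
```

With only a single known letter the search returns several candidate keys, which is why the brute-force slide speaks of a "possible correct key".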

Lesson Learned (Part 1)

• Never ever develop your own cryptographic algorithm unless you have a team of experienced cryptanalysts checking your design.
• Do not use unproven cryptographic algorithms (i.e.,
symmetric ciphers, asymmetric ciphers, hash functions) or
unproven protocols.
• Attackers always look for the weakest point of a cryptosystem.
For instance, a large key space by itself is no guarantee of a
cipher being secure; the cipher might still be vulnerable
against analytical attacks.

Lesson Learned (Part 2)
• Key lengths for symmetric algorithms in order to thwart exhaustive key-search attacks are:
  • 64 bits: insecure except for data with extremely short-term value.
  • 112–128 bits: long-term security of several decades, including attacks by intelligence agencies unless they possess quantum computers. Based on our current knowledge, attacks are only feasible with quantum computers (which do not exist but might become reality in 1–2 decades).
  • 256 bits: as above, but possibly secure against attacks by quantum computers.
• Modular arithmetic is a tool for expressing historical encryption schemes, such as the affine cipher, in a mathematically elegant way and provides the fundamental basis for many modern cryptographic schemes.

Thank you!
