2. Introduction
Cryptosystem: (E,D,M,K,C)
M is the set of plaintexts
K the set of keys
C the set of ciphertexts
E: M × K→ C the set of enciphering
functions
D: C × K→ M the set of deciphering
functions
3. Introduction
• Shift Cipher: M = C = K = Z26, with
-- eK(x) = x + K mod26
-- dK(y) = y – K mod26
where x,y is in Z26
• Substitution Cipher: P = C = Z26, with K
the set of permutations π on Z26 and
-- eπ(x) = π(x)
-- dπ(y) = π-1
(y).
4. Cryptosystems
Block ciphers
The Shift Cipher and Substitution Cipher are block
ciphers: successive plaintext elements (blocks) are
encrypted using the same key.
We now consider some other block ciphers.
• The Affine Cipher, is a special case of the
• Substitution Cipher with
• -- eK(x) = ax + b mod26
-- dK(y) = a-1
y - a-1
b mod26
where a,b x,y is in Z26 and x is invertible.
5. Block ciphers
The Vigenere Cipher is polyalphabetic.
Let m > 1
• M = C = K = (Z26)m
• For a key K = (k1, …, km)
• -- eK(x1,…,xm) = (x1 + k1, …, xm + km)
-- dK(y1,…,ym) = (y1 - k1, …, ym - km)
where all operations are in Z26.
6. Block ciphers
The Hill Cipher is also polyalphabetic.
Let m > 1
• M = C = (Z26)m
, K is the set of all m by m
invertible matrices over (Z26)m
• For a key K
• -- eK(x) = xK
-- dK(y)= yK-1
with all operations are in Z26.
7. Block ciphers
The Permutation Cipher. Let m > 1
M = C = (Z26)m
,
K is the set of all permutations of {1,…,m}.
• For a key (permutation) π
• -- eπ(x1,…,xm) = (xπ(1),…, xπ(m))
-- dπ(y1,…,ym) = (yπ−1(1),…, yπ−1(1))
where π−1
(1) is the inverse of π.
8. Stream Ciphers
The ciphers considered so far are block ciphers.
Another type of cryptosystem is the stream cipher.
9. Stream Ciphers
• A synchronous stream cipher is a tuple (E,D,M,C,K,L,)
with a function g such that:
• M, C, K, E, D are as before.
• L is the keysteam alphabet
• g is the keystream generator: it takes as input a key K
and outputs an infinite string
z1,z2, …
called the keystream, where zi are in L.
• For each ziare in L there is an encryption rule ez in E,
and a decryption rule dz in D such that:
dz (ez(x)) = x
for all plaintexts x in M.
10. Stream Ciphers
The Linear Feedback Shift Register or LFSR.
The keystream is computed as follows:
Let (k1,k2, … ,km) be the initialized key vector at
time t.
At the next time unit the key vector is updated as
follows:
-- k1 is tapped as the next keystream bit
-- k2, … , km are each shifted one place to the left
-- the “new” value of km is computed by
m-1
km+1 = Σcjkj+1
j=0
11. Stream Ciphers
Let x1,x2, … be the plaintext (a binary string).
Then the ciphertext is:
y1,y2, …
where yi,= xi+ ki, for i=1,2,… and the sum
is bitwise xor .
12. Cryptanalysis
Attacks on Cryptosystems
• Ciphertext only attack: the opponent possesses
a string of ciphertexts: y1,y2, …
• Known plaintext attack: the opponent
possesses a string of plaintexts x1,x2, … and the
corresponding string of ciphertexts: y1,y2, …
13. Attacks on Cryptosystems
• Chosen plaintext attack: the opponent can
choose a string of plaintexts x1,x2, … and
obtain the corresponding string of
ciphertexts: y1,y2, …
• Chosen ciphertext attack: the opponent can
choose a string of ciphertexts: y1,y2, … and
construct the corresponding string of
plaintexts x1,x2, …
14. Cryptanalysis
• Cryptanalysis of the shift cipher and substitution cipher:
Ciphertext attack -- use statistical properties of the
language
• Cryptanalysis of the affine and Vigenere cipher:
Ciphertext attack -- use statistical: properties of the
language
• Attacks on the affine and Vigenere cipher:
Ciphertext attack -- use statistical: properties of the
language
15. Cryptanalysis
• Cryptanalysis of the Hill cipher:
Known plaintext attack
• Cryptanalysis of the LFSR stream cipher:
Known plaintext attack
16. One time pad
This is a binary stream cipher whose key
stream is a random stream
This cipher has perfect secrecy
17. Security
• Computational security
Computationally hard to break: requires super-
polynomial computations (in the length of the
ciphertext)
• Provable security
Security is reduced to a well studied problem
though to be hard, e.g. factorization.
• Unconditional security
No bound on computation: cannot be broken even
with infinite power/space.
Only way to break is by “lucky” guessing.
18. Some Probability Theory
• The random variables X,Y are independent
if:
Pr[x,y] = Pr[x] . Pr[y], for all x,y in X
In general,
Pr[x,y] = Pr[x|y] . Pr[y]
= Pr[y|x] . Pr[x], for all x,y in X
19. Some Probability Theory
• Bayes’ Law:
Pr[x|y] =
• Corollary:
X,Y are independent random variables (r.v.)
iff
Pr[x|y] = Pr[x] for all x,y in X
Pr[y]
Pr[y|x] . Pr[x]
---------------- for all x,y in X
20. Perfect secrecy
• A cryptosystem is perfectly secure if :
Pr[x|y] = Pr[x],
for all x in M and y in C
21. Perfect secrecy
Theorem
Let |K|=|C|=|M| for a cryptosystem.
We have perfect secrecy iff :
• Every key is used with equal probability,
• For each x in P and y in C there is a unique key K
in K that encrypts x to y
1
|K |
------
22. One time pad
We have K = C = M = Z2
n
.
Also given:
x = x1,…,xn and y = y1,…,yn,
the key K = K1,…,Kn is unique because K = x+y mod 2
Finally all keys are chosen equiprobably.
Therefore,
the one time pad has perfect secrecy
29. Attacks on DES
• Brute force
• Linear Cryptanalysis
-- Known plaintext attack
• Differential cryptanalysis
– Chosen plaintext attack
– Modify plaintext bits, observe change in
ciphertext
No dramatic improvement on brute force
30. Countering Attacks
• Large keyspace combats brute force attack
• Triple DES (say EDE mode, 2 or 3 keys)
• Use AES
31. AES
Block length 128 bits.
Key lengths 128 (or 192 or 256).
The AES is an iterated cipher with Nr=10 (or 12 or 14)
In each round we have:
• Subkey mixing
• A substitution
• A permutation
32. Modes of operation
Four basic modes of operation are available for
block ciphers:
• Electronic codebook mode: ECB
• Cipher block chaining mode: CBC
• Cipher feedback mode: CFB
• Output feedback mode: OFB
33. Electronic Codebook mode, ECB
Each plaintext xi is encrypted with the same key K:
yi = eK(xi).
So, the naïve use of a block cipher.
35. Cipher Block Chaining mode, CBC
Each cipher block yi-1 is xor-ed with the next plaintext xi :
yi = eK(yi-1XOR xi)
before being encrypted to get the next plaintext yi.
The chain is initialized with
an initialization vector: y0 = IV
with length, the block size.
37. Cipher and Output feedback
modes (CFB & OFB)
CFB
z0 = IV and recursively:
zi = eK(yi-1) and yi = xiXOR zi
OFB
z0 = IV and recursively:
zi = eK(zi-1) and yi = xiXOR zi
41. Public Key Cryptography
Alice ga
mod p Bob
gb
mod p
The private key is: gab
mod p
where p is a prime and g is a generator of Zp
42. The RSA cryptosystem
Let n = pq, where p and q are primes.
Let M = C = Zn, and let
a,b be such that ab = 1 mod φ(n).
Define
eK(x) = xb
mod n
and
dK(y) = ya
mod n,
where (x,y)ε Zn.
Public key = (n,b), Private key (n,a).
43. Check
We have: ed = 1 mod φ(n), so ed = 1 + tφ(n).
Therefore,
dK(eK(m)) = (me
)d
= med
= mtφ(n)+1
= (mφ(n)
)t
m = 1.m = m mod n
44. Example
p = 101, q = 113, n = 11413.
φ(n) = 100x112 = 11200 = 26
52
7
For encryption use e = 3533.
Then d = e-1
mod11200 = 6597.
Bob publishes: n = 11413, e = 3533.
Suppose Alice wants to encrypt: 9726.
She computes 97263533
mod 11413 = 5761
To decrypt it Bob computes:
57616597
mod 11413 = 9726
45. Security of RSA
1. Relation to factoring.
Recovering the plaintext m from an RSA ciphertext c is
easy if factoring is possible.
2. The RSA problem
Given (n,e) and c, compute: m such that me
= c mod n
46. The Rabin cryptosystem
Let n = pq, p,q primes with p,q 3 mod 4. Let P = C = Zn*
and define K = {(n,p,q)}.
For K = (n,p,q) define
eK(x) = x 2
mod n
dK(y) = mod n
The value of n is the public key, while p,q are the private key.
≡
y
47. The RSA digital signature scheme
Let n = pq, where p and q are primes.
Let P = A = Zn, and define
e,d such that ed = 1 mod φ(n).
Define
sigK(m) = md
mod n
and
verK(m,y) = true y = me
mod n,
where (m,y)εZn.
Public key = (n,e), Private key (n,d).
⇔
48. The Digital Signature Algorithm
Let p be a an L-bit prime prime,
512 ≤ L ≤ 1024 and L ≡ 0 mod 64 ,
let q be a 160-bit prime that divides p-1 and
Let α ε Zp
*
be a q-th root of 1 modulo p.
Let M = Zp-1,
A = Zqx Zq and
K = {(x,y): y = αx
modp }.
• The public key is p,q,α,y.
• The private key is (p,q,α), x.
49. The Digital Signature scheme
• Signing
Let m ε Zp-1 be a message.
For public key is p,g,α,y, with y = αx
modp, and
secret random number k ε Zp-1, define: sigK(m,k) = (s,t), where
– s = (αk
modp) mod q
– t = (SHA1(m)+xs)k-1
modq
• Verification
Let
– e1 = SHA-1(m) t-1
modq
– e2 = st-1
modq
verK(m,(s,t)) = true (αe1
ye2
modp) mod q = s.
⇔
Editor's Notes
<number>
- Brute force we've already discussed. If a suitable "Break DES" version were created, brute force could find the key in a matter of hours because of computing power advances.
<number>
One DES round only scrambles half of the input data (the left half). Since the last step in the mangle is to reverse the halfs, the other half of the data is scrambled in the second (and fourth ... and 6th, and 8th, etc. rounds).
Also, as stated by the scribe: "The 32 bit Right half becomes the 32 bit Left half for the next round (not the mangled output) unless the textbook diagram is wrong also (Page 68 of the text Figure 3-6). The Right half goes into the mangler and that output is XOR'd with the 32 bit Left half to create the 32 bit Right half for the next round. The Right half (unmangled) simply becomes the Left half for the next round, according to the book and the formulas they give for reversing it. "
<number>
One DES round only scrambles half of the input data (the left half). Since the last step in the mangle is to reverse the halfs, the other half of the data is scrambled in the second (and fourth ... and 6th, and 8th, etc. rounds).
Also, as stated by the scribe: "The 32 bit Right half becomes the 32 bit Left half for the next round (not the mangled output) unless the textbook diagram is wrong also (Page 68 of the text Figure 3-6). The Right half goes into the mangler and that output is XOR'd with the 32 bit Left half to create the 32 bit Right half for the next round. The Right half (unmangled) simply becomes the Left half for the next round, according to the book and the formulas they give for reversing it. "