Introduction to Modern Cryptography: Principles and Protocols, 1st Edition, Jonathan Katz
CHAPMAN & HALL/CRC
CRYPTOGRAPHY AND NETWORK SECURITY
Introduction to
Modern Cryptography
Series Editor
Douglas R. Stinson
Published Titles
Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Forthcoming Titles
Burton Rosenberg, Handbook of Financial Cryptography
Maria Isabel Vasco, Spyros Magliveras, and Rainer Steinwandt,
Group Theoretic Cryptography
Shiu-Kai Chin and Susan Beth Older, A Mathematical Introduction to
Access Control
Introduction to
Modern Cryptography
Jonathan Katz
Yehuda Lindell
Boca Raton London New York
Chapman & Hall/CRC is an imprint of the
Taylor & Francis Group, an informa business
Chapman & Hall/CRC
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2008 by Taylor & Francis Group, LLC
Chapman & Hall/CRC is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4
International Standard Book Number-13: 978-1-58488-551-1 (Hardcover)
This book contains information obtained from authentic and highly regarded sources. Reprinted
material is quoted with permission, and sources are indicated. A wide variety of references are
listed. Reasonable efforts have been made to publish reliable data and information, but the author
and the publisher cannot assume responsibility for the validity of all materials or for the
consequences of their use.
No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any
electronic, mechanical, or other means, now known or hereafter invented, including photocopying,
microfilming, and recording, or in any information storage or retrieval system, without written
permission from the publishers.
For permission to photocopy or use material electronically from this work, please access
www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC)
222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that
provides licenses and registration for a variety of users. For organizations that have been granted a
photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and
are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Katz, Jonathan.
Introduction to modern cryptography : principles and protocols / Jonathan
Katz and Yehuda Lindell.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-58488-551-1 (alk. paper)
1. Computer security. 2. Cryptography. I. Lindell, Yehuda. II. Title.
QA76.9.A25K36 2007
005.8--dc22 2007017861
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Preface
This book presents the basic paradigms and principles of modern cryptography.
It is designed to serve as a textbook for undergraduate- or graduate-level
courses in cryptography (in computer science or mathematics departments),
as a general introduction suitable for self-study (especially for beginning
graduate students), and as a reference for students, researchers, and practitioners.
There are numerous other cryptography textbooks available today, and the
reader may rightly ask whether another book on the subject is needed. We
would not have written this book if the answer to that question were anything
other than an unequivocal yes. The novelty of this book - and what, in our
opinion, distinguishes it from all other books currently available - is that it
provides a rigorous treatment of modern cryptography in an accessible manner
appropriate for an introduction to the topic.
As mentioned, our focus is on modern (post-1980s) cryptography, which
is distinguished from classical cryptography by its emphasis on definitions,
precise assumptions, and rigorous proofs of security. We briefly discuss each
of these in turn (these principles are explored in greater detail in Chapter 1):
• The central role of definitions: A key intellectual contribution of
modern cryptography has been the recognition that formal definitions
of security are an essential first step in the design of any cryptographic
primitive or protocol. The reason, in retrospect, is simple: if you don't
know what it is you are trying to achieve, how can you hope to know
when you have achieved it? As we will see in this book, cryptographic
definitions of security are quite strong and - at first glance - may
appear impossible to achieve. One of the most amazing aspects of
cryptography is that (under mild and widely-believed assumptions) efficient
constructions satisfying such strong definitions can be proven to exist.
• The importance of formal and precise assumptions: As will be
explained in Chapters 2 and 3, many cryptographic constructions cannot
currently be proven secure in an unconditional sense. Security often
relies, instead, on some widely-believed (albeit unproven) assumption.
The modern cryptographic approach dictates that any such assumption
must be clearly stated and unambiguously defined. This not only allows
for objective evaluation of the assumption but, more importantly,
enables rigorous proofs of security as described next.
• The possibility of rigorous proofs of security: The previous two
ideas lead naturally to the current one, which is the realization that
cryptographic constructions can be proven secure with respect to a
clearly-stated definition of security and relative to a well-defined cryptographic
assumption. This is the essence of modern cryptography, and what has
transformed cryptography from an art to a science.
The importance of this idea cannot be over-emphasized. Historically,
cryptographic schemes were designed in a largely ad-hoc fashion, and
were deemed to be secure if the designers themselves could not find
any attacks. In contrast, modern cryptography promotes the design
of schemes with formal, mathematical proofs of security in well-defined
models. Such schemes are guaranteed to be secure unless the underlying
assumption is false (or the security definition did not appropriately
model the real-world security concerns). By relying on long-standing
assumptions (e.g., the assumption that "factoring is hard"), it is thus
possible to obtain schemes that are extremely unlikely to be broken.
A unified approach. The above contributions of modern cryptography are
relevant not only to the "theory of cryptography" community. The importance
of precise definitions is, by now, widely understood and appreciated by
those in the security community who use cryptographic tools to build secure
systems, and rigorous proofs of security have become one of the requirements
for cryptographic schemes to be standardized. As such, we do not separate
"applied cryptography" from "provable security"; rather, we present practical
and widely-used constructions along with precise statements (and, most of the
time, a proof) of what definition of security is achieved.
Guide to Using this Book
This section is intended primarily for instructors seeking to adopt this book
for their course, though the student picking up this book on his or her own
may also find it a useful overview of the topics that will be covered.
Required background. This book uses definitions, proofs, and mathematical
concepts, and therefore requires some mathematical maturity. In particular,
the reader is assumed to have had some exposure to proofs at the
college level, say in an upper-level mathematics course or a course on discrete
mathematics, algorithms, or computability theory. Having said this, we have
made a significant effort to simplify the presentation and make it generally
accessible. It is our belief that this book is not more difficult than analogous
textbooks that are less rigorous. On the contrary, we believe that (to take one
example) once security goals are clearly formulated, it often becomes easier
to understand the design choices made in a particular construction.
We have structured the book so that the only formal prerequisites are a
course in algorithms and a course in discrete mathematics. Even here we rely
on very little material: specifically, we assume some familiarity with basic
probability and big-O notation, modular arithmetic, and the idea of equating
efficient algorithms with those running in polynomial time. These concepts
are reviewed in Appendix A and/or when first used in the book.
Suggestions for course organization. The core material of this book,
which we strongly recommend should be covered in any introductory course
on cryptography, consists of the following (starred sections are excluded in
what follows; see further discussion regarding starred material below):
• Chapters 1-4 (through Section 4.6), discussing classical cryptography,
modern cryptography, and the basics of private-key cryptography (both
private-key encryption and message authentication).
• Chapter 5, illustrating basic design principles for block ciphers and
including material on the widely-used block ciphers DES and AES.¹
• Chapter 7, introducing concrete mathematical problems believed to be
"hard", and providing the number-theoretic background needed to
understand the RSA, Diffie-Hellman, and El Gamal cryptosystems. This
chapter also gives the first examples of how number-theoretic
assumptions are used in cryptography.
• Chapters 9 and 10, motivating the public-key setting and discussing
public-key encryption (including RSA-based schemes and El Gamal
encryption).
• Chapter 12, describing digital signature schemes.
• Sections 13.1 and 13.3, introducing the random oracle model and the
RSA-FDH signature scheme.
We believe that this core material - possibly omitting some of the more
in-depth discussion and proofs - can be covered in a 30-35-hour undergraduate
course. Instructors with more time available could proceed at a more leisurely
pace, e.g., giving details of all proofs and going more slowly when introducing
the underlying group theory and number-theoretic background. Alternatively,
additional topics could be incorporated as discussed next.
Those wishing to cover additional material, in either a longer course or a
faster-paced graduate course, will find that the book has been structured to
allow flexible incorporation of other topics as time permits (and depending on
the instructor's interests). Specifically, some of the chapters and sections are
starred (*). These sections are not less important in any way, but arguably
do not constitute "core material" for an introductory course in cryptography.
As made evident by the course outline just given (which does not include any
starred material), starred chapters and sections may be skipped - or covered
at any point subsequent to their appearance in the book - without affecting
the flow of the course. In particular, we have taken care to ensure that none of
the later un-starred material depends on any starred material. For the most
part, the starred chapters also do not depend on each other (and when they
do, this dependence is explicitly noted).
¹ Although we consider this to be core material, it is not used in the remainder of the book
and so this chapter can be skipped if desired.
We suggest the following from among the starred topics for those wishing
to give their course a particular flavor:
• Theory: A more theoretically-inclined course could include material
from Section 3.2.2 (building to a definition of semantic security for
encryption); Sections 4.8 and 4.9 (dealing with stronger notions of
security for private-key encryption); Chapter 6 (introducing one-way
functions and hard-core bits, and constructing pseudorandom generators
and pseudorandom functions/permutations starting from any one-way
permutation); Section 10.7 (constructing public-key encryption from
trapdoor permutations); Chapter 11 (describing the Goldwasser-Micali,
Rabin, and Paillier encryption schemes); and Section 12.6 (showing a
signature scheme that does not rely on random oracles).
• Applications: An instructor wanting to emphasize practical aspects
of cryptography is highly encouraged to cover Section 4.7 (describing
HMAC) and all of Chapter 13 (giving cryptographic constructions in
the random oracle model).
• Mathematics: A course directed at students with a strong mathematics
background - or taught by someone who enjoys this aspect of
cryptography - could incorporate some of the more advanced number theory
from Chapter 7 (e.g., the Chinese remainder theorem and/or
elliptic-curve groups); all of Chapter 8 (algorithms for factoring and computing
discrete logarithms); and selections from Chapter 11 (describing the
Goldwasser-Micali, Rabin, and Paillier encryption schemes along with
the necessary number-theoretic background).
Comments and Errata
Our goal in writing this book was to make modern cryptography accessible
to a wide audience outside the "theoretical computer science" community. We
hope you will let us know whether we have succeeded. In particular, we are
always more than happy to receive feedback on this book, especially
constructive comments telling us how the book can be improved. We hope there are
no errors or typos in the book; if you do find any, however, we would greatly
appreciate it if you let us know. (A list of known errata will be maintained
at http://www.cs.umd.edu/~jkatz/imc.html.) You can email your
comments and errata to jkatz@cs.umd.edu and lindell@cs.biu.ac.il; please
put "Introduction to Modern Cryptography" in the subject line.
Acknowledgements
Jonathan Katz: I am indebted to Zvi Galil, Moti Yung, and Rafail Ostrovsky
for their help, guidance, and support throughout my career. This book would
never have come to be without their contributions to my development. I
would also like to thank my colleagues with whom I have enjoyed numerous
discussions on the "right" approach to writing a cryptography textbook. My
work on this project was supported in part by the National Science Foundation
under Grants #0627306, #0447075, and #0310751. Any opinions, findings,
and conclusions or recommendations expressed in this book are my own, and
do not necessarily reflect the views of the National Science Foundation.
Yehuda Lindell: I wish to first and foremost thank Oded Goldreich and Moni
Naor for introducing me to the world of cryptography. Their influence is felt
until today and will undoubtedly continue to be felt in the future. There are
many, many other people who have also had considerable influence over the
years and instead of mentioning them all, I will just say thank you - you
know who you are.
We both thank Zoe Bermant for producing the figures used in this book; David
Wagner for answering questions related to block ciphers and their
cryptanalysis; and Salil Vadhan and Alon Rosen for experimenting with this text in
an introductory course on cryptography at Harvard University and providing
us with valuable feedback. We would also like to extend our gratitude to
those who read and commented on earlier drafts of this book and to those
who sent us corrections to previous printings: Adam Bender, Chiu-Yuen Koo,
Yair Dombb, Michael Fuhr, William Glenn, S. Dov Gordon, Carmit Hazay,
Eyal Kushilevitz, Avivit Levy, Matthew Mah, Ryan Murphy, Steve Myers,
Martin Paraskevov, Eli Quiroz, Jason Rogers, Rui Xue, Dicky Yan, Arkady
Yerukhimovich, and Hila Zarosim. Their comments have greatly improved the
book and helped minimize the number of errors. We are extremely grateful
to all those who encouraged us to write this book, and concurred with our
feeling that a book of this nature is badly needed.
Finally, we thank our (respective) wives and children for all their support and
understanding during the many hours, days, and months that we have spent
on this project.
To our wives and children
Contents
I Introduction and Classical Cryptography
1 Introduction
1.1 Cryptography and Modern Cryptography
1.2 The Setting of Private-Key Encryption
1.3 Historical Ciphers and Their Cryptanalysis
1.4 The Basic Principles of Modern Cryptography
1.4.1 Principle 1 - Formulation of Exact Definitions
1.4.2 Principle 2 - Reliance on Precise Assumptions
1.4.3 Principle 3 - Rigorous Proofs of Security
References and Additional Reading
Exercises
2 Perfectly-Secret Encryption
2.1 Definitions and Basic Properties
2.2 The One-Time Pad (Vernam's Cipher)
2.3 Limitations of Perfect Secrecy
2.4 *Shannon's Theorem
2.5 Summary
References and Additional Reading
Exercises
II Private-Key (Symmetric) Cryptography
3 Private-Key Encryption and Pseudorandomness
3.1 A Computational Approach to Cryptography
3.1.1 The Basic Idea of Computational Security
3.1.2 Efficient Algorithms and Negligible Success Probability
3.1.3 Proofs by Reduction
3.2 Defining Computationally-Secure Encryption
3.2.1 The Basic Definition of Security
3.2.2 *Properties of the Definition
3.3 Pseudorandomness
3.4 Constructing Secure Encryption Schemes
3.4.1 A Secure Fixed-Length Encryption Scheme
3.4.2 Handling Variable-Length Messages
3.4.3 Stream Ciphers and Multiple Encryptions
3.5 Security Against Chosen-Plaintext Attacks (CPA)
3.6 Constructing CPA-Secure Encryption Schemes
3.6.1 Pseudorandom Functions
3.6.2 CPA-Secure Encryption from Pseudorandom Functions
3.6.3 Pseudorandom Permutations and Block Ciphers
3.6.4 Modes of Operation
3.7 Security Against Chosen-Ciphertext Attacks (CCA)
References and Additional Reading
Exercises
4 Message Authentication Codes and Collision-Resistant Hash Functions
4.1 Secure Communication and Message Integrity
4.2 Encryption vs. Message Authentication
4.3 Message Authentication Codes - Definitions
4.4 Constructing Secure Message Authentication Codes
4.5 CBC-MAC
4.6 Collision-Resistant Hash Functions
4.6.1 Defining Collision Resistance
4.6.2 Weaker Notions of Security for Hash Functions
4.6.3 A Generic "Birthday" Attack
4.6.4 The Merkle-Damgard Transform
4.6.5 Collision-Resistant Hash Functions in Practice
4.7 *NMAC and HMAC
4.7.1 Nested MAC (NMAC)
4.7.2 HMAC
4.8 *Constructing CCA-Secure Encryption Schemes
4.9 *Obtaining Privacy and Message Authentication
References and Additional Reading
Exercises
5 Practical Constructions of Pseudorandom Permutations (Block Ciphers)
5.1 Substitution-Permutation Networks
5.2 Feistel Networks
5.3 DES - The Data Encryption Standard
5.3.1 The Design of DES
5.3.2 Attacks on Reduced-Round Variants of DES
5.3.3 The Security of DES
5.4 Increasing the Key Length of a Block Cipher
5.5 AES - The Advanced Encryption Standard
5.6 Differential and Linear Cryptanalysis - A Brief Look
Additional Reading and References
Exercises
6 *Theoretical Constructions of Pseudorandom Objects
6.1 One-Way Functions
6.1.1 Definitions
6.1.2 Candidate One-Way Functions
6.1.3 Hard-Core Predicates
6.2 Overview: From One-Way Functions to Pseudorandomness
6.3 A Hard-Core Predicate for Any One-Way Function
6.3.1 A Simple Case
6.3.2 A More Involved Case
6.3.3 The Full Proof
6.4 Constructing Pseudorandom Generators
6.4.1 Pseudorandom Generators with Minimal Expansion
6.4.2 Increasing the Expansion Factor
6.5 Constructing Pseudorandom Functions
6.6 Constructing (Strong) Pseudorandom Permutations
6.7 Necessary Assumptions for Private-Key Cryptography
6.8 A Digression - Computational Indistinguishability
6.8.1 Pseudorandomness and Pseudorandom Generators
6.8.2 Multiple Samples
References and Additional Reading
Exercises
III Public-Key (Asymmetric) Cryptography
7 Number Theory and Cryptographic Hardness Assumptions
7.1 Preliminaries and Basic Group Theory
7.1.1 Primes and Divisibility
7.1.2 Modular Arithmetic
7.1.3 Groups
7.1.4 The Group $\mathbb{Z}_N^*$
7.1.5 *Isomorphisms and the Chinese Remainder Theorem
7.2 Primes, Factoring, and RSA
7.2.1 Generating Random Primes
7.2.2 *Primality Testing
7.2.3 The Factoring Assumption
7.2.4 The RSA Assumption
7.3 Assumptions in Cyclic Groups
7.3.1 Cyclic Groups and Generators
7.3.2 The Discrete Logarithm and Diffie-Hellman Assumptions
7.3.3 Working in (Subgroups of) $\mathbb{Z}_p^*$
7.3.4 *Elliptic Curve Groups
7.4 Cryptographic Applications of Number-Theoretic Assumptions
7.4.1 One-Way Functions and Permutations
7.4.2 Constructing Collision-Resistant Hash Functions
References and Additional Reading
Exercises
8 *Factoring and Computing Discrete Logarithms
8.1 Algorithms for Factoring
8.1.1 Pollard's p - 1 Method
8.1.2 Pollard's Rho Method
8.1.3 The Quadratic Sieve Algorithm
8.2 Algorithms for Computing Discrete Logarithms
8.2.1 The Baby-Step/Giant-Step Algorithm
8.2.2 The Pohlig-Hellman Algorithm
8.2.3 The Discrete Logarithm Problem in $\mathbb{Z}_N$
8.2.4 The Index Calculus Method
References and Additional Reading
Exercises
9 Private-Key Management and the Public-Key Revolution
9.1 Limitations of Private-Key Cryptography
9.2 A Partial Solution - Key Distribution Centers
9.3 The Public-Key Revolution
9.4 Diffie-Hellman Key Exchange
References and Additional Reading
Exercises
10 Public-Key Encryption
10.1 Public-Key Encryption - An Overview
10.2 Definitions
10.2.1 Security against Chosen-Plaintext Attacks
10.2.2 Multiple Encryptions
10.3 Hybrid Encryption
10.4 RSA Encryption
10.4.1 "Textbook RSA" and its Insecurity
10.4.2 Attacks on Textbook RSA
10.4.3 Padded RSA
10.5 The El Gamal Encryption Scheme
10.6 Security Against Chosen-Ciphertext Attacks
10.7 *Trapdoor Permutations
10.7.1 Definition
10.7.2 Public-Key Encryption from Trapdoor Permutations
References and Additional Reading
Exercises
11 *Additional Public-Key Encryption Schemes
11.1 The Goldwasser-Micali Encryption Scheme
11.1.1 Quadratic Residues Modulo a Prime
11.1.2 Quadratic Residues Modulo a Composite
11.1.3 The Quadratic Residuosity Assumption
11.1.4 The Goldwasser-Micali Encryption Scheme
11.2 The Rabin Encryption Scheme
11.2.1 Computing Modular Square Roots
11.2.2 A Trapdoor Permutation Based on Factoring
11.2.3 The Rabin Encryption Scheme
11.3 The Paillier Encryption Scheme
11.3.1 The Structure of $\mathbb{Z}_{N^2}^*$
11.3.2 The Paillier Encryption Scheme
11.3.3 Homomorphic Encryption
References and Additional Reading
Exercises
12 Digital Signature Schemes
12.1 Digital Signatures - An Overview
12.2 Definitions
12.3 RSA Signatures
12.3.1 "Textbook RSA" and its Insecurity
12.3.2 Hashed RSA
12.4 The "Hash-and-Sign" Paradigm
12.5 Lamport's One-Time Signature Scheme
12.6 *Signatures from Collision-Resistant Hashing
12.6.1 "Chain-Based" Signatures
12.6.2 "Tree-Based" Signatures
12.7 The Digital Signature Standard (DSS)
12.8 Certificates and Public-Key Infrastructures
References and Additional Reading
Exercises
13 Public-Key Cryptosystems in the Random Oracle Model
13.1 The Random Oracle Methodology
13.1.1 The Random Oracle Model in Detail
13.1.2 Is the Random Oracle Methodology Sound?
13.2 Public-Key Encryption in the Random Oracle Model
13.2.1 Security Against Chosen-Plaintext Attacks
13.2.2 Security Against Chosen-Ciphertext Attacks
13.2.3 OAEP
13.3 Signatures in the Random Oracle Model
References and Additional Reading
Exercises
Index of Common Notation
A Mathematical Background
A.1 Identities and Inequalities
A.2 Asymptotic Notation
A.3 Basic Probability
A.4 The "Birthday" Problem
B Supplementary Algorithmic Number Theory
B.1 Integer Arithmetic
B.1.1 Basic Operations
B.1.2 The Euclidean and Extended Euclidean Algorithms
B.2 Modular Arithmetic
B.2.1 Basic Operations
B.2.2 Computing Modular Inverses
B.2.3 Modular Exponentiation
B.2.4 Choosing a Random Group Element
B.3 *Finding a Generator of a Cyclic Group
B.3.1 Group-Theoretic Background
B.3.2 Efficient Algorithms
References and Additional Reading
Exercises
References
Index
Part I
Introduction and Classical Cryptography
Chapter 1
Introduction
1.1 Cryptography and Modern Cryptography
The Concise Oxford Dictionary (2006) defines cryptography as the art of
writing or solving codes. This definition may be historically accurate, but it
does not capture the essence of modern cryptography. First, it focuses solely
on the problem of secret communication. This is evidenced by the fact that
the definition specifies "codes", elsewhere defined as "a system of pre-arranged
signals, especially used to ensure secrecy in transmitting messages". Second,
the definition refers to cryptography as an art form. Indeed, until the 20th
century (and arguably until late in that century), cryptography was an art.
Constructing good codes, or breaking existing ones, relied on creativity and
personal skill. There was very little theory that could be relied upon and
there was not even a well-defined notion of what constitutes a good code.
In the late 20th century, this picture of cryptography radically changed. A
rich theory emerged, enabling the rigorous study of cryptography as a
science. Furthermore, the field of cryptography now encompasses much more
than secret communication. For example, it deals with the problems of
message authentication, digital signatures, protocols for exchanging secret keys,
authentication protocols, electronic auctions and elections, digital cash and
more. In fact, modern cryptography can be said to be concerned with
problems that may arise in any distributed computation that may come under
internal or external attack. Without attempting to provide a perfect
definition of modern cryptography, we would say that it is the scientific study
of techniques for securing digital information, transactions, and distributed
computations.
Another very important difference between classical cryptography (say,
before the 1980s) and modern cryptography relates to who uses it. Historically,
the major consumers of cryptography were military and intelligence
organizations. Today, however, cryptography is everywhere! Security mechanisms
that rely on cryptography are an integral part of almost any computer
system. Users (often unknowingly) rely on cryptography every time they access
a secured website. Cryptographic methods are used to enforce access control
in multi-user operating systems, and to prevent thieves from extracting trade
secrets from stolen laptops. Software protection methods employ encryption,
authentication, and other tools to prevent copying. The list goes on and on.
In short, cryptography has gone from an art form that dealt with secret
communication for the military to a science that helps to secure systems for
ordinary people all across the globe. This also means that cryptography is
becoming a more and more central topic within computer science.
The focus of this book is modern cryptography. Yet we will begin our
study by examining the state of cryptography before the changes mentioned
above. Besides allowing us to ease into the material, it will also provide an
understanding of where cryptography has come from so that we can later
appreciate how much it has changed. The study of "classical cryptography"
- replete with ad-hoc constructions of codes, and relatively simple ways to
break them - serves as good motivation for the more rigorous approach that
we will be taking in the rest of the book.¹
1.2 The Setting of Private-Key Encryption
As noted above, cryptography was historically concerned with secret
communication. Specifically, cryptography was concerned with the construction
of ciphers (now called encryption schemes) for providing secret
communication between two parties sharing some information in advance. The setting in
which the communicating parties share some secret information in advance is
now known as the private-key (or the symmetric-key) setting. Before
describing some historical ciphers, we discuss the private-key setting and encryption
in more general terms.
In the private-key setting, two parties share some secret information called
a key, and use this key when they wish to communicate secretly with each
other. A party sending a message uses the key to encrypt (or "scramble") the
message before it is sent, and the receiver uses the same key to decrypt (or
"unscramble") and recover the message upon receipt. The message itself is
called the plaintext, and the "scrambled" information that is actually transmitted
from the sender to the receiver is called the ciphertext; see Figure 1.1.
The shared key serves to distinguish the communicating parties from any
other parties who may be eavesdropping on their communication (assumed to
take place over a public channel).
In this setting, the same key is used to convert the plaintext into a ciphertext
and back. This explains why this setting is also known as the symmetric-key
setting, where the symmetry lies in the fact that both parties hold the same
key which is used for both encryption and decryption. This is in contrast to
the setting of asymmetric encryption (introduced in Chapter 9), where the
sender and receiver do not share any secrets and different keys are used for
encryption and decryption. The private-key setting is the classic one, as we
will see later in this chapter.

FIGURE 1.1: The basic setting of private-key encryption.

¹ This is our primary intent in presenting this material and, as such, this chapter should
not be taken as a representative historical account. The reader interested in the history of
cryptography should consult the references at the end of this chapter.

An implicit assumption in any system using private-key encryption is that
the communicating parties have some way of initially sharing a key in a secret
manner. (Note that if one party simply sends the key to the other over the
public channel, an eavesdropper obtains the key too!) In military settings, this
is not a severe problem because communicating parties are able to physically
meet in a secure location in order to agree upon a key. In many modern
settings, however, parties cannot arrange any such physical meeting. As we
will see in Chapter 9, this is a source of great concern and actually limits the
applicability of cryptographic systems that rely solely on private-key methods.
Despite this, there are still many settings where private-key methods suffice
and are in wide use; one example is disk encryption, where the same user (at
different points in time) uses a fixed secret key to both write to and read from
the disk. As we will explore further in Chapter 10, private-key encryption is
also widely used in conjunction with asymmetric methods.
The syntax of encryption. A private-key encryption scheme is comprised
of three algorithms: the first is a procedure for generating keys, the second
a procedure for encrypting, and the third a procedure for decrypting. These
have the following functionality:
1. The key-generation algorithm Gen is a probabilistic algorithm that outputs
a key k chosen according to some distribution that is determined
by the scheme.
2. The encryption algorithm Enc takes as input a key k and a plaintext
message m and outputs a ciphertext c. We denote by $\mathsf{Enc}_k(m)$ the
encryption of the plaintext m using the key k.
3. The decryption algorithm Dec takes as input a key k and a ciphertext c
and outputs a plaintext m. We denote the decryption of the ciphertext
c using the key k by $\mathsf{Dec}_k(c)$.
The set of all possible keys output by the key-generation algorithm is called
the key space and is denoted by $\mathcal{K}$. Almost always, Gen simply chooses a key
uniformly at random from the key space (in fact, one can assume without
loss of generality that this is the case). The set of all "legal" messages (i.e.,
those supported by the encryption algorithm) is denoted $\mathcal{M}$ and is called the
plaintext (or message) space. Since any ciphertext is obtained by encrypting
some plaintext under some key, the sets $\mathcal{K}$ and $\mathcal{M}$ together define a set of all
possible ciphertexts denoted by $\mathcal{C}$. An encryption scheme is fully defined by
specifying the three algorithms (Gen, Enc, Dec) and the plaintext space $\mathcal{M}$.
The basic correctness requirement of any encryption scheme is that for every
key k output by Gen and every plaintext message $m \in \mathcal{M}$, it holds that
In words, decrypting a ciphertext (using the appropriate key) yields the original
message that was encrypted.
Recapping our earlier discussion, an encryption scheme would be used by
two parties who wish to communicate as follows. First, Gen is run to obtain
a key k that the parties share. When one party wants to send a plaintext m
to the other, he computes $c := \mathsf{Enc}_k(m)$ and sends the resulting ciphertext c
over the public channel to the other party.² Upon receiving c, the other party
computes $m := \mathsf{Dec}_k(c)$ to recover the original plaintext.
Keys and Kerckhoffs' principle. As is clear from the above formulation,
if an eavesdropping adversary knows the algorithm Dec as well as the key k
shared by the two communicating parties, then that adversary will be able to
decrypt all communication between these parties. It is for this reason that
the communicating parties must share the key k secretly, and keep k completely
secret from everyone else. But maybe they should keep the decryption
algorithm Dec a secret, too? For that matter, perhaps all the algorithms
constituting the encryption scheme (i.e., Gen and Enc as well) should be kept
secret? (Note that the plaintext space $\mathcal{M}$ is typically assumed to be known,
e.g., it may consist of English-language sentences.)
² Throughout the book, we use ":=" to denote the assignment operation. A list of common
notation can be found in the back of the book.

In the late 19th century, Auguste Kerckhoffs gave his opinion on this matter
in a paper he published outlining important design principles for military
ciphers. One of the most important of these principles (now known simply as
Kerckhoffs' principle) is the following:

    The cipher method must not be required to be secret, and it must
    be able to fall into the hands of the enemy without inconvenience.

In other words, the encryption scheme itself should not be kept secret, and
so only the key should constitute the secret information shared by the communicating
parties.
Kerckhoffs' intention was that an encryption scheme should be designed so
as to be secure even if an adversary knows the details of all the component
algorithms of the scheme, as long as the adversary doesn't know the key
being used. Stated differently, Kerckhoffs' principle demands that security
rely solely on the secrecy of the key. But why?
There are three primary arguments in favor of Kerckhoffs' principle. The
first is that it is much easier for the parties to maintain secrecy of a short key
than to maintain secrecy of an algorithm. It is easier to share a short (say,
100-bit) string and store this string securely than it is to share and securely
store a program that is thousands of times larger. Furthermore, details of an
algorithm can be leaked (perhaps by an insider) or learned through reverse
engineering; this is unlikely when the secret information takes the form of a
randomly-generated string.
A second argument in favor of Kerckhoffs' principle is that in case the key
is exposed, it will be much easier for the honest parties to change the key than
to replace the algorithm being used. Actually, it is good security practice to
refresh a key frequently even when it has not been exposed, and it would be
much more cumbersome to replace the software being used instead.
Finally, in case many pairs of people (say, within a company) need to encrypt
their communication, it will be significantly easier for all parties to use
the same algorithm/program, but different keys, than for everyone to use a
different program (which would furthermore depend on the party with whom
they are communicating).
Today, Kerckhoffs' principle is understood as not only advocating that security
should not rely on secrecy of the algorithms being used, but also demanding
that these algorithms be made public. This stands in stark contrast to the
notion of "security by obscurity" which is the idea that improved security can
be achieved by keeping a cryptographic algorithm hidden. Some of the advantages
of "open cryptographic design", where algorithm specifications are
made public, include the following:
1. Published designs undergo public scrutiny and are therefore likely to
be stronger. Many years of experience have demonstrated that it is
very difficult to construct good cryptographic schemes. Therefore, our
confidence in the security of a scheme is much higher if it has been
extensively studied (by experts other than the designers of the scheme
themselves) and no weaknesses have been found.
2. It is better for security flaws, if they exist, to be revealed by "ethical
hackers" (leading, hopefully, to the system being fixed) rather than
having these flaws be known only to malicious parties.
3. If the security of the system relies on the secrecy of the algorithm, then
reverse engineering of the code (or leakage by industrial espionage) poses
a serious threat to security. This is in contrast to the secret key which
is not part of the code, and so is not vulnerable to reverse engineering.
4. Public design enables the establishment of standards.
As simple and obvious as it may sound, the principle of open cryptographic
design (i.e., Kerckhoffs' principle) is ignored over and over again with disastrous
results. It is very dangerous to use a proprietary algorithm (i.e., a
non-standardized algorithm that was designed in secret by some company),
and only publicly tried and tested algorithms should be used. Fortunately,
there are enough good algorithms that are standardized and not patented, so
that there is no reason whatsoever today to use something else.
Attack scenarios. We wrap up our general discussion of encryption with a
brief discussion of some basic types of attacks against encryption schemes. In
order of severity, these are:
• Ciphertext-only attack: This is the most basic type of attack and refers to
the scenario where the adversary just observes a ciphertext (or multiple
ciphertexts) and attempts to determine the underlying plaintext (or
plaintexts).
• Known-plaintext attack: Here, the adversary learns one or more pairs
of plaintexts/ciphertexts encrypted under the same key. The aim of
the adversary is then to determine the plaintext that was encrypted in
some other ciphertext (for which it does not know the corresponding
plaintext).
• Chosen-plaintext attack: In this attack, the adversary has the ability to
obtain the encryption of plaintexts of its choice. It then attempts to
determine the plaintext that was encrypted in some other ciphertext.
• Chosen-ciphertext attack: The final type of attack is one where the adversary
is even given the capability to obtain the decryption of ciphertexts
of its choice. The adversary's aim, once again, is to determine the plaintext
that was encrypted in some other ciphertext (whose decryption the
adversary is unable to obtain directly).
The first two types of attacks are passive in that the adversary just receives
some ciphertexts (and possibly some corresponding plaintexts as well) and
then launches its attack. In contrast, the last two types of attacks are active
in that the adversary can adaptively ask for encryptions and/or decryptions
of its choice.
The first two attacks described above are clearly realistic. A ciphertext-only
attack is the easiest to carry out in practice; the only thing the adversary needs
is to eavesdrop on the public communication line over which encrypted messages
are sent. In a known-plaintext attack it is assumed that the adversary
somehow also obtains the plaintext messages corresponding to the ciphertexts
that it viewed. This is often realistic because not all encrypted messages are
confidential, at least not indefinitely. As a trivial example, two parties may
always encrypt a "hello" message whenever they begin communicating. As
a more complex example, encryption may be used to keep quarterly earnings
results secret until their release date. In this case, anyone eavesdropping
and obtaining the ciphertext will later obtain the corresponding plaintext.
Any reasonable encryption scheme must therefore remain secure against an
adversary that can launch a known-plaintext attack.
The two latter active attacks may seem somewhat strange and require justification.
(When do parties encrypt and decrypt whatever an adversary
wishes?) We defer a more detailed discussion of these attacks to the place in
the text where security against these attacks is formally defined: Section 3.5
for chosen-plaintext attacks and Section 3.7 for chosen-ciphertext attacks.
Different applications of encryption may require the encryption scheme to
be resilient to different types of attacks. It is not always the case that an
encryption scheme secure against the "strongest" type of attack should be
used, since it may be less efficient than an encryption scheme secure against
"weaker" attacks. Therefore, the latter may be preferred if it suffices for the
application at hand.
1.3 Historical Ciphers and Their Cryptanalysis
In our study of "classical cryptography" we will examine some historical ciphers
and show that they are completely insecure. As stated earlier, our main
aims in presenting this material are (1) to highlight the weaknesses of an
"ad-hoc" approach to cryptography, and thus motivate the modern, rigorous
approach that will be discussed in the following section, and (2) to demonstrate
that "simple approaches" to achieving secure encryption are unlikely to
succeed, and show why this is the case. Along the way, we will present some
central principles of cryptography which can be learned from the weaknesses
of these historical schemes.
In this section (and this section only), plaintext characters are written in
lower case and ciphertext characters are written in UPPER CASE. When describing
attacks on schemes, we always apply Kerckhoffs' principle and assume
that the scheme is known to the adversary (but the key being used is not).
Caesar's cipher. One of the oldest recorded ciphers, known as Caesar's
cipher, is described in "De Vita Caesarum, Divus Iulius" ("The Lives of the
Caesars, The Deified Julius"), written in approximately 110 C.E.:

    There are also letters of his to Cicero, as well as to his intimates
    on private affairs, and in the latter, if he had anything confidential
    to say, he wrote it in cipher, that is, by so changing the order of
    the letters of the alphabet, that not a word could be made out. If
    anyone wishes to decipher these, and get at their meaning, he must
    substitute the fourth letter of the alphabet, namely D, for A, and
    so with the others.

That is, Julius Caesar encrypted by rotating the letters of the alphabet by 3
places: a was replaced with D, b with E, and so on. Of course, at the end of
the alphabet, the letters wrap around and so x was replaced with A, y with B,
and z with C. For example, the short message begin the attack now, with
spaces removed, would be encrypted as:

    EHJLQWKHDWWDFNQRZ

making it unintelligible.
An immediate problem with this cipher is that the method is fixed. Thus,
anyone learning how Caesar encrypted his messages would be able to decrypt
effortlessly. This can be seen also if one tries to fit Caesar's cipher into the
syntax of encryption described earlier: the key-generation algorithm Gen is
trivial (that is, it does nothing) and there is no secret key to speak of.
Interestingly, a variant of this cipher called ROT-13 (where the shift is 13
places instead of 3) is widely used nowadays in various online forums. It is
understood that this does not provide any cryptographic security, and ROT-13
is used merely to ensure that the text (say, a movie spoiler) is unintelligible
unless the reader of a message consciously chooses to decrypt it.
The shift cipher and the sufficient key space principle. Caesar's cipher
suffers from the fact that encryption is always done in the same way, and there
is no secret key. The shift cipher is similar to Caesar's cipher, but a secret key
is introduced.³ Specifically, in the shift cipher the key k is a number between 0
and 25. Then, to encrypt, letters are rotated by k places as in Caesar's cipher.
Mapping this to the syntax of encryption described earlier, this means that
algorithm Gen outputs a random number k in the set {0, ..., 25}; algorithm
Enc takes a key k and a plaintext written using English letters and shifts
each letter of the plaintext forward k positions (wrapping around from z to
a); and algorithm Dec takes a key k and a ciphertext written using English
letters and shifts every letter of the ciphertext backward k positions (this time
wrapping around from a to z). The plaintext message space $\mathcal{M}$ is defined to be
all finite strings of characters from the English alphabet (note that numbers,
punctuation, or other characters are not allowed in this scheme).

³ In some books, "Caesar's cipher" and "shift cipher" are used interchangeably.

A more mathematical description of this method can be obtained by viewing
the alphabet as the numbers 0, ..., 25 (rather than as English characters).
First, some notation: if a is an integer and N is an integer greater than 1,
we define [a mod N] as the remainder of a upon division by N. Note that
[a mod N] is an integer between 0 and N - 1, inclusive. We refer to the
process mapping a to [a mod N] as reduction modulo N; we will have much
more to say about reduction modulo N beginning in Chapter 7.
Using this notation, encryption of a plaintext character $m_i$ with the key k
gives the ciphertext character $[(m_i + k) \bmod 26]$, and decryption of a ciphertext
character $c_i$ is defined by $[(c_i - k) \bmod 26]$. In this view, the message space $\mathcal{M}$
is defined to be any finite sequence of integers that lie in the range {0, ..., 25}.
Is the shift cipher secure? Before reading on, try to decrypt the following
message that was encrypted using the shift cipher and a secret key k (whose
value we will not reveal):
OVDTHUFWVZZPISLRLFZHYLAOLYL.
Is it possible to decrypt this message without knowing k? Actually, it is
completely trivial! The reason is that there are only 26 possible keys. Thus,
it is easy to try every key, and see which key decrypts the ciphertext into
a plaintext that "makes sense". Such an attack on an encryption scheme is
called a brute-force attack or exhaustive search. Clearly, any secure encryption
scheme must not be vulnerable to such a brute-force attack; otherwise, it
can be completely broken, irrespective of how sophisticated the encryption
algorithm is. This brings us to a trivial, yet important, principle called the
"sufficient key space principle":

    Any secure encryption scheme must have a key space that is not
    vulnerable to exhaustive search.⁴

In today's age, an exhaustive search may use very powerful computers, or
many thousands of PC's that are distributed around the world. Thus, the
number of possible keys must be very large (at least $2^{60}$ or $2^{70}$).
We emphasize that the above principle gives a necessary condition for security,
not a sufficient one. We will see next an encryption scheme that has
a very large key space but which is still insecure.
Mono-alphabetic substitution. The shift cipher maps each plaintext character
to a different ciphertext character, but the mapping in each case is given
by the same shift (the value of which is determined by the key). The idea
behind mono-alphabetic substitution is to map each plaintext character to a
different ciphertext character in an arbitrary manner, subject only to the fact
that the mapping must be one-to-one in order to enable decryption. The key
space thus consists of all permutations of the alphabet, meaning that the size
of the key space is $26! = 26 \cdot 25 \cdot 24 \cdots 2 \cdot 1$ (or approximately $2^{88}$) if we are
working with the English alphabet. As an example, the key

    a b c d e f g h i j k l m n o p q r s t u v w x y z
    X E U A D N B K V M R O C Q F S Y H W G L Z I J P T

in which a maps to X, etc., would encrypt the message tellhimaboutme to
GDOOKVCXEFLGCD. A brute force attack on the key space for this cipher takes
much longer than a lifetime, even using the most powerful computer known
today. However, this does not necessarily mean that the cipher is secure. In
fact, as we will show now, it is easy to break this scheme even though it has
a very large key space.

⁴ This is actually only true if the message space is larger than the key space (see Chapter 2
for an example where security is achieved using a small key space as long as the message
space is even smaller). In practice, when very long messages are typically encrypted with
the same key, the key space must not be vulnerable to exhaustive search.

Assume that English-language text is being encrypted (i.e., the text is
grammatically-correct English writing, not just text written using characters
of the English alphabet). It is then possible to attack the mono-alphabetic
substitution cipher by utilizing statistical patterns of the English language (of
course, the same attack works for any language). The two properties of this
cipher that are utilized in the attack are as follows:
1. In this cipher, the mapping of each letter is fixed, and so if e is mapped
to D, then every appearance of e in the plaintext will result in the appearance
of D in the ciphertext.
2. The probability distribution of individual letters in the English language
(or any other) is known. That is, the average frequency counts of the different
English letters are quite invariant over different texts. Of course,
the longer the text, the closer the frequency counts will be to the average.
However, even relatively short texts (consisting of only tens of
words) have distributions that are "close enough" to the average.
The attack works by tabulating the probability distribution of the ciphertext
and then comparing it to the known probability distribution of letters in
English text (see Figure 1.2). The probability distribution being tabulated
in the attack is simply the frequency count of each letter in the ciphertext
(i.e., a table saying that A appeared 4 times, B appeared 11 times, and so on).
Then, we make an initial guess of the mapping defined by the key based on the
frequency counts. For example, since e is the most frequent letter in English,
we will guess that the most frequent character in the ciphertext corresponds
to the plaintext character e, and so on. Unless the ciphertext is quite long,
some of the guesses are likely to be wrong. Even for quite short ciphertexts,
however, the guesses will be good enough to enable relatively quick decryption
(especially utilizing other knowledge of the English language, such as the fact
that between t and e, the character h is likely to appear, and the fact that u
generally follows q).

FIGURE 1.2: Average letter frequencies for English-language text.

Actually, it should not be very surprising that the mono-alphabetic substitution
cipher can be quickly broken, since puzzles based on this cipher appear
in newspapers (and are solved by some people before their morning coffee)!
We recommend that you try to decipher the following message - this should
help convince you how easy the attack is to carry out (of course, you should
use Figure 1.2 to help you):
JGRMQOYGHMVBJWRWQFPWHGFFDQGFPFZRKBEEBJIZQQOCIBZKLFAFGQVFZFWWE
OGWOPFGFHWOLPHLRLOLFDMFGQWBLWBWQOLKFWBYLBLYLFSFLJGRMQBOLWJVFP
FWQVHQWFFPQOQVFPQOCFPOGFWFJIGFQVHLHLROQVFGWJVFPFOLFHGQVQVFILE
OGQILHQFQGIQVVOSFAFGBWQVHQWIJVWJVFPFWHGFIWIHZZRQGBABHZQOCGFHX
We conclude that, although the mono-alphabetic cipher has a very large
key space, it is still completely insecure.
An improved attack on the shift cipher. We can use character frequency
tables to give an improved attack on the shift cipher. Specifically, our previous
attack on the shift cipher required us to decrypt the ciphertext using each
possible key, and then check to see which key results in a plaintext that "makes
sense". A drawback of this approach is that it is difficult to automate, since it
is difficult for a computer to check whether some plaintext "makes sense". (We
do not claim this is impossible, as it can certainly be done using a dictionary
of valid English words. We only claim that it is not trivial.) Moreover, there
may be cases - we will see one below - where the plaintext characters are
distributed according to English-language text but the plaintext itself is not
valid English text, making the problem harder.
As before, associate the letters of the English alphabet with the numbers
0, ..., 25. Let $p_i$, for $0 \le i \le 25$, denote the probability of the ith letter in
normal English text. A simple calculation using known values of $p_i$ gives

$$\sum_{i=0}^{25} p_i^2 \approx 0.065 . \tag{1.1}$$

Now, say we are given some ciphertext and let $q_i$ denote the probability of the
ith letter in this ciphertext ($q_i$ is simply the number of occurrences of the ith
letter divided by the length of the ciphertext). If the key is k, then we expect
that $q_{i+k}$ should be roughly equal to $p_i$ for every i. (We use i + k instead of
the more cumbersome [i + k mod 26].) Equivalently, if we compute

$$I_j \stackrel{\text{def}}{=} \sum_{i=0}^{25} p_i \cdot q_{i+j}$$

for each value of $j \in \{0, \ldots, 25\}$, then we expect to find that $I_k \approx 0.065$ where
k is the key that is actually being used (whereas $I_j$ for $j \ne k$ is expected to
be different). This leads to a key-recovery attack that is easy to automate:
compute $I_j$ for all j, and then output the value k for which $I_k$ is closest
to 0.065.
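
The key-recovery attack above, as an added example (not code from the book): Gen, Enc and Dec for the shift cipher in the notation of this section, plus recover_key, which computes I_j for every j and returns the j whose I_j is closest to 0.065. The table ENGLISH_FREQ (commonly cited approximate letter percentages, standing in for Figure 1.2) and the plaintext SAMPLE are assumptions constructed for this example.

```python
import secrets

# Approximate English letter frequencies in percent for a..z. Commonly cited
# values, assumed here in place of the book's Figure 1.2.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.2, 0.8, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.2, 2.0, 0.1]
P = [f / 100 for f in ENGLISH_FREQ]  # p_0 .. p_25

# Constructed sample plaintext (not from the book).
SAMPLE = (
    "the quarterly report will be released to the public on friday morning "
    "until then every copy of the document must be stored in encrypted form "
    "and the key must be shared only with the people who need to read it "
    "anyone who intercepts the message on the network should learn nothing "
    "about its contents"
)


def gen():
    """Gen: output a key k chosen uniformly from {0, ..., 25}."""
    return secrets.randbelow(26)


def enc(k, plaintext):
    """Enc_k(m): shift every letter forward k places; output in UPPER CASE.

    Spaces and other non-letters are dropped, because the message space of
    the shift cipher contains only strings over the English alphabet.
    """
    letters = [ch for ch in plaintext.lower() if "a" <= ch <= "z"]
    return "".join(chr((ord(ch) - 97 + k) % 26 + 65) for ch in letters)


def require_ciphertext(text):
    """Reject anything that is not a non-empty string over A..Z."""
    if not text or not all("A" <= ch <= "Z" for ch in text):
        raise ValueError("ciphertext must be a non-empty string over A-Z")


def dec(k, ciphertext):
    """Dec_k(c): shift every letter backward k places; output in lower case."""
    require_ciphertext(ciphertext)
    return "".join(chr((ord(ch) - 65 - k) % 26 + 97) for ch in ciphertext)


def distribution(ciphertext):
    """q_0 .. q_25: occurrences of each letter divided by the ciphertext length."""
    require_ciphertext(ciphertext)
    counts = [0] * 26
    for ch in ciphertext:
        counts[ord(ch) - 65] += 1
    return [n / len(ciphertext) for n in counts]


def scores(ciphertext):
    """I_j = sum_i p_i * q_{(i+j) mod 26} for j = 0 .. 25."""
    q = distribution(ciphertext)
    return [sum(P[i] * q[(i + j) % 26] for i in range(26)) for j in range(26)]


def recover_key(ciphertext, target=0.065):
    """Return the j whose I_j is closest to the target value 0.065."""
    i_values = scores(ciphertext)
    return min(range(26), key=lambda j: abs(i_values[j] - target))


if __name__ == "__main__":
    k = gen()
    c = enc(k, SAMPLE)
    guess = recover_key(c)
    print("key used:", k, "key recovered:", guess)
    print("plaintext starts:", dec(guess, c)[:40])
```

No plaintext is ever inspected for whether it "makes sense"; the decision uses only the 26 values I_j, which is what makes the attack easy to automate.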
The Vigenère (poly-alphabetic shift) cipher. As we have described, the
statistical attack on the mono-alphabetic substitution cipher could be carried
out because the mapping of each letter was fixed. Thus, such an attack can
be thwarted by mapping different instances of the same plaintext character
to different ciphertext characters. This has the effect of "smoothing out"
the probability distribution of characters in the ciphertext. For example,
consider the case that e is sometimes mapped to G, sometimes to P, and
sometimes to Y. Then, the ciphertext letters G, P, and Y will most likely not
stand out as more frequent, because other less-frequent characters will also
be mapped to them. Thus, counting the character frequencies will not offer
much information about the mapping.
The Vigenère cipher works by applying multiple shift ciphers in sequence.
That is, a short, secret word is chosen as the key, and then the plaintext is
encrypted by "adding" each plaintext character to the next character of the
key (as in the shift cipher), wrapping around in the key when necessary. For
example, an encryption of the message tellhimaboutme using the key cafe
would work as follows:

    Plaintext:  tellhimaboutme
    Key:        cafecafecafeca
    Ciphertext: WFRQKJSFEPAYPF

(The key need not be an actual English word.) This is exactly the same as
encrypting the first, fifth, ninth, and so on characters with the shift cipher
and key k = 3, the second, sixth, tenth, and so on characters with key k = 1,
the third, seventh, and so on characters with k = 6 and the fourth, eighth,
and so on characters with k = 5. Thus, it is a repeated shift cipher using
different keys. Notice that in the above example l is mapped once to R and
once to Q. Furthermore, the ciphertext character F is sometimes obtained from
e and sometimes from a. Thus, the character frequencies in the ciphertext
are "smoothed", as desired.
If the key is a sufficiently-long word (chosen at random), then cracking this
cipher seems to be a daunting task. Indeed, it was considered by many to
be an unbreakable cipher, and although it was invented in the 16th century a
systematic attack on the scheme was only devised hundreds of years later.
Breaking the Vigenère cipher. A first observation in attacking the Vigenère
cipher is that if the length of the key is known, then the task is relatively
easy. Specifically, say the length of the key is t (this is sometimes called the
period). Then the ciphertext can be divided into t parts where each part can
be viewed as being encrypted using a single instance of the shift cipher. That
is, let $k = k_1, \ldots, k_t$ be the key (each $k_i$ is a letter of the alphabet) and let
$c_1, c_2, \ldots$ be the ciphertext characters. Then, for every j ($1 \le j \le t$) the set
of characters
were all encrypted by a shift cipher using key $k_j$. All that remains is therefore
to determine, for each j, which of the 26 possible keys is the correct one. This
is not as trivial as in the case of the shift cipher, because by guessing a single
letter of the key it is no longer possible to determine if the decryption "makes
sense". Furthermore, checking for all values of j simultaneously would require
a brute force search through $26^t$ different possible keys (which is infeasible for
t greater than, say, 15). Nevertheless, we can still use the statistical method
described earlier. That is, for every set of ciphertext characters relating to a
given key (that is, for each value of j), it is possible to tabulate the frequency of
each ciphertext character and then check which of the 26 possible shifts yields
the "right" probability distribution. Since this can be carried out separately
for each key, the attack can be carried out very quickly; all that is required is
to build t frequency tables (one for each of the subsets of the characters) and
compare them to the real probability distribution.
An alternate, somewhat easier approach, is to use the improved method for
attacking the shift cipher that we showed earlier. Recall that this improved
attack does not rely on checking for a plaintext that "makes sense", but only
relies on the underlying probability distribution of characters in the plaintext.
Either of the above approaches gives successful attacks when the key length
is known. It remains to show how to determine the length of the key.
Kasiski's method, published in the mid-19th century, gives one approach for
solving this problem. The first step is to identify repeated patterns of length 2
or 3 in the ciphertext. These are likely to be due to certain bigrams or trigrams
that appear very often in the English language. For example, consider the
word "the" that appears very often in English text. Clearly, "the" will be
mapped to different ciphertext characters, depending on its position in the
text. However, if it appears twice in the same relative position, then it will
be mapped to the same ciphertext characters. For example, if it appears in
positions t + j and 2t + i (where $i \ne j$) then it will be mapped to different
characters each time. However, if it appears in positions t + j and 2t + j, then
it will be mapped to the same ciphertext characters. In a long enough text,
there is a good chance that "the" will be mapped repeatedly to the same
ciphertext characters.
Consider the following concrete example with the key beads (spaces have
been added for clarity):

    Plaintext:  the man and the woman retrieved the letter from the post office
    Key:        bea dsb ead sbe adsbe adsbeadsb ean sdeads bead sbe adsb eadbea
    Ciphertext: VMF QTP FOH MJJ XSFCS SIMTNFZXF YIS EIYUIK HWPQ MJJ QSLV TGJKGF

The word the is mapped sometimes to VMF, sometimes to MJJ and sometimes
to YIS. However, it is mapped twice to MJJ, and in a long enough text it
is likely that it would be mapped multiple times to each of the possibilities.
The main observation of Kasiski is that the distance between such multiple
appearances (except for some coincidental ones) is a multiple of the period
length. (In the above example, the period length is 5 and the distance between
the two appearances of MJJ is 40, which is 8 times the period length.) Therefore,
the greatest common divisor of all the distances between the repeated
sequences should yield the period length t or a multiple thereof.
An alternative approach, called the index of coincidence method, is a bit
more algorithmic and hence easier to automate. Recall that if the key-length
is t, then the ciphertext characters
are encrypted using the same shift. This means that the frequencies of the
characters in this sequence are expected to be identical to the character
frequencies of standard English text except in some shifted order. In more detail:
let $q_i$ denote the frequency of the $i$th English letter in the sequence above (once
again, this is simply the number of occurrences of the $i$th letter divided by
the total number of letters in the sequence). If the shift used here is $k_1$ (this
is just the first character of the key), then we expect $q_{i+k_1}$ to be roughly
equal to $p_i$ for all $i$, where $p_i$ is again the frequency of the $i$th letter in
standard English text. But this means that the sequence $p_0, \ldots, p_{25}$ is just the
sequence $q_0, \ldots, q_{25}$ shifted by $k_1$ places. As a consequence, we expect that
(see Equation (1.1)):

$$\sum_{i=0}^{25} q_i^2 = \sum_{i=0}^{25} p_i^2 \approx 0.065.$$

This leads to a nice way to determine the key length $t$. For $\tau = 1, 2, \ldots$,
look at the sequence of ciphertext characters $c_1, c_{1+\tau}, c_{1+2\tau}, \ldots$ and tabulate
$q_0, \ldots, q_{25}$ for this sequence. Then compute

$$S_\tau \stackrel{\text{def}}{=} \sum_{i=0}^{25} q_i^2.$$

When $\tau = t$ we expect to see $S_\tau \approx 0.065$ as discussed above. On the other
hand, for $\tau \neq t$ we expect (roughly speaking) that all characters will occur
with roughly equal probability in the sequence $c_1, c_{1+\tau}, c_{1+2\tau}, \ldots$, and so we
expect $q_i \approx 1/26$ for all $i$. In this case we will obtain

$$S_\tau \approx \sum_{i=0}^{25} \left(\frac{1}{26}\right)^2 \approx 0.038,$$

which is sufficiently different from 0.065 for this technique to work.
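The key-length test just described, as an added Python example (not code from the book): it averages the sum of squared frequencies over all streams for each candidate period rather than using only the stream that starts at the first character, which goes slightly beyond the text. The sample plaintext, the 0.055 cut-off and the function names are assumptions of this example; key letter a is counted as a shift of 1, which reproduces the the/bea entry VMF of the table above.

```python
import string
from collections import Counter

ENGLISH_SUM_SQ = 0.065  # sum of p_i^2 for English text, as quoted in the passage
UNIFORM_SUM_SQ = 0.038  # sum of (1/26)^2 over 26 letters, as quoted in the passage
# Cut-off between the two values (assumption of this example). It sits a little
# above the midpoint because a stream of n letters inflates the sum by about 1/n.
CUTOFF = 0.055

# Constructed sample plaintext, written for this example.
PLAINTEXT = """
Kerckhoffs argued that a cipher should remain secure even when everything
about the system except the key is public knowledge. The historical ciphers
fail that test because the statistics of the plaintext language survive
encryption. A shift cipher moves every letter by the same amount, so the
most common ciphertext letter usually stands for the letter e. A
polyalphabetic cipher hides this pattern by changing the shift from one
position to the next, but once the period is known the message splits into
several streams and each of them can be attacked as an ordinary shift
cipher. The analyst therefore starts by guessing the period, collecting
every letter that was encrypted under the same key character, and measuring
how uneven the resulting letter counts are. Uneven counts suggest natural
language under a single shift, while nearly flat counts suggest that
several different shifts have been mixed together. With enough ciphertext
the difference between the two cases is large, and the correct period
stands out clearly from the wrong guesses.
"""


def letters(text):
    """Upper-case the text and keep only the letters A-Z."""
    return "".join(c for c in text.upper() if c in string.ascii_uppercase)


def vigenere_encrypt(plaintext, key):
    """Vigenere encryption; key letter a counts as shift 1 (matches the table)."""
    shifts = [ord(k) - ord("A") + 1 for k in letters(key)]
    return "".join(
        chr((ord(c) - ord("A") + shifts[i % len(shifts)]) % 26 + ord("A"))
        for i, c in enumerate(letters(plaintext))
    )


def sum_sq_freq(stream):
    """Sum over the alphabet of q_i^2, where q_i is the letter frequency."""
    n = len(stream)
    return sum((count / n) ** 2 for count in Counter(stream).values())


def s_tau(ciphertext, tau):
    """S_tau averaged over the tau streams c_j, c_{j+tau}, c_{j+2tau}, ..."""
    return sum(sum_sq_freq(ciphertext[j::tau]) for j in range(tau)) / tau


def estimate_key_length(ciphertext, max_tau=12):
    """Smallest tau whose S_tau looks like English rather than uniform."""
    for tau in range(1, max_tau + 1):
        if s_tau(ciphertext, tau) > CUTOFF:
            return tau
    return None


if __name__ == "__main__":
    ct = vigenere_encrypt(PLAINTEXT, "beads")
    for tau in range(1, 11):
        print(f"tau={tau:2d}  S_tau={s_tau(ct, tau):.4f}")
    print("estimated key length:", estimate_key_length(ct))
```

Multiples of the true period also score near 0.065, which is why the function returns the smallest candidate above the cut-off rather than the largest score.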
Ciphertext length and cryptanalytic attacks. The above attacks on the
Vigenère cipher require a longer ciphertext than for previous schemes. For
example, a large ciphertext is needed for determining the period if Kasiski's
method is used. Furthermore, statistics are needed for t different parts of
the ciphertext, and the frequency table of a message converges to the average
as its length grows (and so the ciphertext needs to be approximately t times
longer than in the case of the mono-alphabetic substitution cipher). Similarly,
the attack that we showed for the mono-alphabetic substitution cipher
requires a longer ciphertext than for the attacks on the shift cipher (which
can work for messages consisting of just a single word). This phenomenon is
not coincidental, and relates to the size of the keyspace for each encryption
scheme.
Ciphertext-only vs. known-plaintext attacks. The attacks described
above are all ciphertext-only attacks (recall that this is the easiest type of
attack to carry out in practice). All the above ciphers are trivially broken
if the adversary is able to carry out a known-plaintext attack; we leave a
demonstration of this as an exercise.
Conclusions and discussion. We have presented only a few historical ciphers.
Beyond their general historical interest, our aim in presenting them was
to illustrate some important lessons regarding cryptographic design. Stated
briefly, these lessons are:
1. Sufficient key space principle: Assuming sufficiently-long messages are
being encrypted, a secure encryption scheme must have a key space
that cannot be searched exhaustively in a reasonable amount of time.
However, a large key space does not by itself imply security (e.g., the
mono-alphabetic substitution cipher has a large key space but is trivial
to break). Thus, a large key space is a necessary requirement, but not
a sufficient one.
2. Designing secure ciphers is a hard task: The Vigenère cipher remained
unbroken for a long time, partially due to its presumed complexity. Far
more complex schemes have also been used, such as the German Enigma.
Nevertheless, this complexity does not imply security and all historical
ciphers can be completely broken. In general, it is very hard to design
a secure encryption scheme, and such design should be left to experts.
The history of classical encryption schemes is fascinating, both with respect to
the methods used as well as the influence of cryptography and cryptanalysis
on world history (in World War II, for example). Here, we have only tried to
give a taste of some of the more basic methods, with a focus on what modern
cryptography can learn from these attempts.
1.4 The Basic Principles of Modern Cryptography
The previous section has given a taste of historical cryptography. It is fair
to say that, historically, cryptography was more of an art than any sort of
science: schemes were designed in an ad-hoc manner and then evaluated based
on their perceived complexity or cleverness. Unfortunately, as we have seen,
all such schemes (no matter how clever) were eventually broken.
Modern cryptography, now resting on firmer and more scientific foundations,
gives hope of breaking out of the endless cycle of constructing schemes
and watching them get broken. In this section we outline the main principles
and paradigms that distinguish modern cryptography from classical cryptography.
We identify three main principles:
1. Principle 1 - the first step in solving any cryptographic problem is the
formulation of a rigorous and precise definition of security.
2. Principle 2 - when the security of a cryptographic construction relies
on an unproven assumption, this assumption must be precisely stated.
Furthermore, the assumption should be as minimal as possible.
3. Principle 3 - cryptographic constructions should be accompanied by a
rigorous proof of security with respect to a definition formulated according
to principle 1, and relative to an assumption stated as in principle 2
(if an assumption is needed at all).
We now discuss each of these principles in greater depth.
1.4.1 Principle 1 - Formulation of Exact Definitions
One of the key intellectual contributions of modern cryptography has been
the realization that formal definitions of security are essential prerequisites
for the design, usage, or study of any cryptographic primitive or protocol. Let
us explain each of these in turn:
1. Importance for design: Say we are interested in constructing a secure
encryption scheme. If we do not have a firm understanding of what it
is we want to achieve, how can we possibly know whether (or when)
we have achieved it? Having an exact definition in mind enables us to
better direct our design efforts, as well as to evaluate the quality of what
we build, thereby improving the end construction. In particular, it is
much better to define what is needed first and then begin the design
phase, rather than to come up with a post facto definition of what has
been achieved once the design is complete. The latter approach risks
having the design phase end when the designers' patience is tried (rather
than when the goal has been met), or may result in a construction that
achieves more than is needed and is thus less efficient than a better
solution.
2. Importance for usage: Say we want to use an encryption scheme within
some larger system. How do we know which encryption scheme to use? If
presented with a candidate encryption scheme, how can we tell whether
it suffices for our application? Having a precise definition of the security
achieved by a given scheme (coupled with a security proof relative to a
formally-stated assumption as discussed in principles 2 and 3) allows us
to answer these questions. Specifically, we can define the security that
we desire in our system (see point 1, above), and then verify whether
the definition satisfied by a given encryption scheme suffices for our
purposes. Alternatively, we can specify the definition that we need the
encryption scheme to satisfy, and look for an encryption scheme satisfying
this definition. Note that it may not be wise to choose the "most
secure" scheme, since a weaker notion of security may suffice for our
application and we may then be able to use a more efficient scheme.
3. Importance for study: Given two encryption schemes, how can we compare
them? Without any definition of security, the only point of comparison
is efficiency, but efficiency alone is a poor criterion since a highly
efficient scheme that is completely insecure is of no use. Precise specification
of the level of security achieved by a scheme offers another point
of comparison. If two schemes are equally efficient but the first one
satisfies a stronger definition of security than the second, then the first
is preferable.5 There may also be a trade-off between security and efficiency
(see the previous two points), but at least with precise definitions
we can understand what this trade-off entails.
5 Of course, things are rarely this simple.
Of course, precise definitions also enable rigorous proofs (as we will discuss
when we come to principle 3), but the above reasons stand irrespective of this.
It is a mistake to think that formal definitions are not needed since "we
have an intuitive idea of what security means". For starters, different people
have different intuition regarding what is considered secure. Even one person
might have multiple intuitive ideas of what security means, depending on the
context. For example, in Chapter 3 we will study four different definitions
of security for private-key encryption, each of which is useful in a different
scenario. In any case, a formal definition is necessary for communicating your
"intuitive idea" to someone else.
An example: secure encryption. It is also a mistake to think that formalizing
definitions is trivial. For example, how would you formalize the desired
notion of security for private-key encryption? (The reader may want to pause
to think about this before reading on.) We have asked students many times
how secure encryption should be defined, and have received the following
answers (often in the following order):
1. Answer 1 - an encryption scheme is secure if no adversary can find
the secret key when given a ciphertext. Such a definition of encryption
completely misses the point. The aim of encryption is to protect the
message being encrypted and the secret key is just the means of achieving
this. To take this to an absurd level, consider an encryption scheme
that ignores the secret key and just outputs the plaintext. Clearly, no
adversary can find the secret key. However, it is also clear that no
secrecy whatsoever is provided.6
2. Answer 2 - an encryption scheme is secure if no adversary can find
the plaintext that corresponds to the ciphertext. This definition already
looks better and can even be found in some texts on cryptography.
However, after some more thought, it is also far from satisfactory. For
example, an encryption scheme that reveals 90% of the plaintext would
still be considered secure under this definition, as long as it is hard
to find the remaining 10%. But this is clearly unacceptable in most
common applications of encryption. For example, employment contracts
are mostly standard text, and only the salary might need to be kept
secret; if the salary is in the 90% of the plaintext that is revealed then
nothing is gained by encrypting.
If you find the above counterexample silly, refer again to footnote 6.
The point once again is that if the definition as stated isn't what was
meant, then a scheme could be proven secure without actually providing
the necessary level of protection. (This is a good example of why exact
definitions are important.)
6 And lest you respond: "But that's not what I meant!", well, that's exactly the point: it is
often not so trivial to formalize what one means.
3. Answer 3 - an encryption scheme is secure if no adversary can determine
any character of the plaintext that corresponds to the ciphertext.
This already looks like an excellent definition. However, other subtleties
can arise. Going back to the example of the employment contract, it may
be impossible to determine the actual salary or even any digit thereof.
However, should the encryption scheme be considered secure if it leaks
whether the encrypted salary is greater than or less than $100,000 per
year? Clearly not. This leads us to the next suggestion.
4. Answer 4 - an encryption scheme is secure if no adversary can derive
any meaningful information about the plaintext from the ciphertext.
This is already close to the actual definition. However, it is lacking
in one respect: it does not define what it means for information to be
"meaningful". Different information may be meaningful in different applications.
This leads to a very important principle regarding definitions
of security for cryptographic primitives: definitions of security should
suffice for all potential applications. This is essential because one can
never know what applications may arise in the future. Furthermore, implementations
typically become part of general cryptographic libraries
which are then used in many different contexts and for many different
applications. Security should ideally be guaranteed for all possible uses.
5. The final answer - an encryption scheme is secure if no adversary can
compute any function of the plaintext from the ciphertext. This provides
a very strong guarantee and, when formulated properly, is considered
today to be the "right" definition of security for encryption. Even here,
there are questions regarding the attack model that should be considered,
and how this aspect of security should be defined.
Even though we have now hit upon the correct requirement for secure encryption,
conceptually speaking, it remains to state this requirement mathematically
and formally, and this is in itself a non-trivial task (one that we will
address in detail in Chapters 2 and 3).
As noted in the "final answer", above, our formal definition must also specify
the attack model: i.e., whether we assume a ciphertext-only attack or a
chosen-plaintext attack. This illustrates a general principle used when formulating
cryptographic definitions. Specifically, in order to fully define security
of some cryptographic task, there are two distinct issues that must be explicitly
addressed. The first is what is considered to be a break, and the
second is what is assumed regarding the power of the adversary. The break
is exactly what we have discussed above; i.e., an encryption scheme is considered
broken if an adversary learns some function of the plaintext from a
ciphertext. The power of the adversary relates to assumptions regarding the
actions the adversary is assumed to be able to take, as well as the adversary's
computational power. The former refers to considerations such as whether
the adversary is assumed only to be able to eavesdrop on encrypted messages
(i.e., a ciphertext-only attack), or whether we assume that the adversary can
also actively request encryptions of any plaintext that it likes (i.e., carry out
a chosen-plaintext attack). A second issue that must be considered is the
computational power of the adversary. For all of this book, except Chapter 2,
we will want to ensure security against any efficient adversary, by which we
mean any adversary running in polynomial time. (A full discussion of this
point appears in Section 3.1.2. For now, it suffices to say that an "efficient"
strategy is one that can be carried out in a lifetime. Thus "feasible" is arguably
a more accurate term.) When translating this into concrete terms, we
might require security against any adversary utilizing decades of computing
time on a supercomputer.
In summary, any definition of security will take the following general form:
A cryptographic scheme for a given task is secure if no adversary
of a specified power can achieve a specified break.
We stress that the definition never assumes anything about the adversary's
strategy. This is an important distinction: we are willing to assume something
about the adversary's capabilities (e.g., that it is able to mount a chosen-plaintext
attack but not a chosen-ciphertext attack), but we are not willing
to assume anything about how it uses its abilities. We call this the "arbitrary
adversary principle": security must be guaranteed for any adversary within
the class of adversaries having the specified power. This principle is important
because it is impossible to foresee what strategies might be used in an
adversarial attack (and history has proven that attempts to do so are doomed
to failure).
Mathematics and the real world. A definition of security essentially provides
a mathematical formulation of a real-world problem. If the mathematical
definition does not appropriately model the real world, then the definition
may be useless. For example, if the adversarial power under consideration
is too weak (and, in practice, adversaries have more power), or the break is
such that it allows real attacks that were not foreseen (like one of the early
answers regarding encryption), then "real security" is not obtained, even if
a "mathematically-secure" construction is used. In short, a definition of security
must accurately model the real world in order for it to deliver on its
mathematical promise of security.
It is quite common, in fact, for a widely-accepted definition to be ill-suited
for some new application. As one notable example, there are encryption
schemes that were proven secure (relative to some definition like the ones we
have discussed above) and then implemented on smart-cards. Due to physical
properties of the smart-cards, it was possible for an adversary to monitor
the power usage of the smart-card (e.g., how this power usage fluctuated
over time) as the encryption scheme was being run, and it turned out that
this information could be used to determine the key. There was nothing
wrong with the security definition or the proof that the scheme satisfied this
definition; the problem was simply that there was a mismatch between the
definition and the real-world implementation of the scheme on a smart-card.
This should not be taken to mean that definitions (or proofs, for that matter)
are useless! The definition - and the scheme that satisfies it - may still
be appropriate for other settings, such as when encryption is performed on
an end-host whose power usage cannot be monitored by an adversary. Furthermore,
one way to achieve secure encryption on a smart-card would be to
further refine the definition so that it takes power analysis into account. Or,
perhaps hardware countermeasures for power analysis can be developed, with
the effect of making the original definition (and hence the original scheme)
appropriate for smart-cards. The point is that with a definition you at least
know where you stand, even if the definition turns out not to accurately model
the particular setting in which a scheme is used. In contrast, with no definition
it is not even clear what went wrong.
This possibility of a disconnect between a mathematical model and the
reality it is supposed to be modeling is not unique to cryptography but is
something that occurs throughout science. To take an example from the field
of computer science, consider the meaning of a mathematical proof that there
exist well-defined problems that computers cannot solve.7 The immediate
question that arises is what does it mean for "a computer to solve a problem"?
Specifically, a mathematical proof can be provided only when there is some
mathematical definition of what a computer is (or to be more exact, what the
process of computation is). The problem is that computation is a real-world
process, and there are many different ways of computing. In order for us to be
really convinced that the "unsolvable problem" is really unsolvable, we must
be convinced that our mathematical definition of computation captures the
real-world process of computation. How do we know when it does?
This inherent difficulty was noted by Alan Turing who studied questions of
what can and cannot be solved by a computer. We quote from his original
paper [140] (the text in square brackets replaces original text in order to make
it more reader friendly):
No attempt has yet been made to show [that the problems we have
defined to be solvable by a computer] include [exactly those problems]
which would naturally be regarded as computable. All arguments
which can be given are bound to be, fundamentally, appeals
to intuition, and for this reason rather unsatisfactory mathematically.
The real question at issue is "What are the possible processes
which can be carried out in [computation]?"
The arguments which I shall use are of three kinds.
(a) A direct appeal to intuition.
(b) A proof of the equivalence of two definitions (in case the new
definition has a greater intuitive appeal).
(c) Giving examples of large classes of [problems that can be
solved using a given definition of computation].
7 Those who have taken a course in computability theory will be familiar with the fact that
such problems do indeed exist (e.g., the Halting Problem).
In some sense, Turing faced the exact same problem as cryptographers. He
developed a mathematical model of computation but needed to somehow be
convinced that the model was a good one. Likewise, cryptographers define
notions of security and need to be convinced that their definitions imply meaningful
security guarantees in the real world. As with Turing, they may employ
the following tools to become convinced:
1. Appeals to intuition: the first tool when contemplating a new definition
of security is to see whether it implies security properties that we intuitively
expect to hold. This is a minimum requirement, since (as we
have seen in our discussion of encryption) our initial intuition usually
results in a notion of security that is too weak.
2. Proofs of equivalence: it is often the case that a new definition of security
is justified by showing that it is equivalent to (or stronger than) a
definition that is older, more familiar, or more intuitively-appealing.
3. Examples: a useful way of being convinced that a definition of security
suffices is to show that the different real-world attacks we are familiar
with are ruled out by the definition.
In addition to all of the above, and perhaps most importantly, we rely on the
test of time and the fact that with time, the scrutiny and investigation of both
researchers and practitioners testifies to the soundness of a definition.
1.4.2 Principle 2 - Reliance on Precise Assumptions
Most modern cryptographic constructions cannot be proven secure unconditionally.
Indeed, proofs of this sort would require resolving questions in the
theory of computational complexity that seem far from being answered today.
The result of this unfortunate state of affairs is that security typically relies
upon some assumption. The second principle of modern cryptography states
that assumptions must be precisely stated. This is for three main reasons:
1. Validation of the assumption: By their very nature, assumptions are
statements that are not proven but are rather conjectured to be true.
In order to strengthen our belief in some assumption, it is necessary for
the assumption to be studied. The more the assumption is examined
and tested without being successfully refuted, the more confident we are
that the assumption is true. Furthermore, study of an assumption can
provide positive evidence of its validity by showing that it is implied by
some other assumption that is also widely believed.
If the assumption being relied upon is not precisely stated and presented,
it cannot be studied and (potentially) refuted. Thus, a pre-condition to
raising our confidence in an assumption is having a precise statement of
what exactly is assumed.
2. Comparison of schemes: Often in cryptography, we may be presented
with two schemes that can both be proven to satisfy some definition but
each with respect to a different assumption. Assuming both schemes are
equally efficient, which scheme should be preferred? If the assumption
on which one scheme is based is weaker than the assumption on which
the second scheme is based (i.e., the second assumption implies the
first), then the first scheme is to be preferred since it may turn out
that the second assumption is false while the first assumption is true.
If the assumptions used by the two schemes are incomparable, then
the general rule is to prefer the scheme that is based on the better-studied
assumption, or the assumption that is simpler (for the reasons
highlighted in the previous paragraphs).
3. Facilitation of proofs of security: As we have stated, and will discuss
in more depth in principle 3, modern cryptographic constructions are
presented together with proofs of security. If the security of the scheme
cannot be proven unconditionally and must rely on some assumption,
then a mathematical proof that "the construction is secure if the assumption
is true" can only be provided if there is a precise statement of
what the assumption is.
One observation is that it is always possible to just assume that a construction
itself is secure. If security is well defined, this is also a precise assumption
(and the proof of security for the construction is trivial)! Of course, this is
not accepted practice in cryptography for a number of reasons. First of all, as
noted above, an assumption that has been tested over the years is preferable
to a new assumption that is introduced just to prove a given construction
secure. Second, there is a general preference for assumptions that are simpler
to state, since such assumptions are easier to study and to refute. So, for
example, an assumption of the type that some mathematical problem is hard
to solve is simpler to study and work with than an assumption that an encryption
scheme satisfies a complex (and possibly unnatural) security definition.
When a simple assumption is studied at length and still no refutation is found,
we have greater confidence in its being correct. Another advantage of relying
on "lower-level" assumptions (rather than just assuming a construction is secure)
is that these low-level assumptions can typically be shared amongst a
number of constructions. If a specific instantiation of the assumption turns
out to be false, it can simply be replaced (within any higher-level construction
based on that assumption) by a different instantiation of that assumption.
The above methodology is used throughout this book. For example, Chapters
3 and 4 show how to achieve secure communication (in a number of ways),
assuming that a primitive called a "pseudorandom function" exists. In these
chapters nothing is said at all about how such a primitive can be constructed.
In Chapter 5, we then discuss how pseudorandom functions are constructed
in practice, and in Chapter 6 we show that pseudorandom functions can be
constructed from even lower-level primitives.
1.4.3 Principle 3 - Rigorous Proofs of Security
The first two principles discussed above lead naturally to the current one.
Modern cryptography stresses the importance of rigorous proofs of security
for proposed schemes. The fact that exact definitions and precise assumptions
are used means that such a proof of security is possible. However, why is a
proof necessary? The main reason is that the security of a construction or
protocol cannot be checked in the same way that software is typically checked.
For example, the fact that encryption and decryption "work" and that the
ciphertext looks garbled, does not mean that a sophisticated adversary is
unable to break the scheme. Without a proof that no adversary of the specified
power can break the scheme, we are left only with our intuition that this is
the case. Experience has shown that intuition in cryptography and computer
security is disastrous. There are countless examples of unproven schemes
that were broken, sometimes immediately and sometimes years after being
presented or deployed.
Another reason why proofs of security are so important is related to the
potential damage that can result if an insecure system is used. Although software
bugs can sometimes be very costly, the potential damage that may result
from someone breaking the encryption scheme or authentication mechanism
of a bank is huge. Finally, we note that although many bugs exist in software,
things basically work due to the fact that typical users do not try to make
their software fail. In contrast, attackers use amazingly complex and intricate
means (utilizing specific properties of the construction) to attack security
mechanisms with the clear aim of breaking them. Thus, although proofs of
correctness are always desirable in computer science, they are absolutely essential
in the realm of cryptography and computer security. We stress that the
above observations are not just hypothetical, but are conclusions that have
been reached after years of empirical evidence and experience.
The reductionist approach. We conclude by noting that most proofs in
modern cryptography use what may be called the reductionist approach. Given
a theorem of the form
"Given that Assumption X is true, Construction Y is secure according
to the given definition",
a proof typically shows how to reduce the problem given by Assumption X
to the problem of breaking Construction Y. More to the point, the proof
will typically show (via a constructive argument) how any adversary breaking
window. The conjecture is, at least, as plausible as another that has been
advanced; namely, that Arundel is derived from Hirondelle[41], the name of
Bevis’s horse.”
The Park of Arundel, which contains much picturesque scenery and many
thriving plantations, was originally the hunting-forest of the ancient
Counts, and covered a great extent of country,
which is now either under cultivation, or
converted into pasture. Beyond the pleasure-
grounds, immediately under the Keep, is the
Inner Park, entirely surrounded by an artificial
earth-work, still perfect, and adorned with
magnificent elm and beech trees. The new, or
Outer Park, comprises an extent of nearly twelve
hundred acres, enclosed by a high wall with
lodges, and stocked with a thousand head of deer.
The scenery is variegated by numerous
undulations of surface—alternate ridge and
ravine, grove and glade, and watered by rivulets
that derive their source from the neighbouring
Downs.
At a short distance from the entrance to the Park, on the south side, is
Hiorne’s Tower, the subject of the accompanying view. It is a triangular
building, about fifty feet in height, with a turret at each angle, and in design
and execution presents an admirable specimen of Gothic architecture. The
merit of the design is due to the late distinguished architect, Mr. Hiorne, who
superintended its erection, and left it as a monument to his name. The view
from this tower, under a favourable atmosphere, presents a magnificent
prospect of the adjoining Park. The soft pastoral hills that trace their bold
outline on the sky; the umbrageous woods that cover the nearer acclivities;
the villages, hamlets, and isolated dwellings that infuse life and activity into
the picture; the herds of deer that are seen at intervals through the trees; the
distant channel with its shipping, and the shining meanders of the river Arun
—all present, in combination, one of the most richly diversified landscapes
on which the eye of poet or of painter could love to expatiate.
To the readers of romance this scene is rendered doubly interesting by its
immediate vicinity to Pugh-dean, where the graves of Bevis, the giant
castellan of Arundel, and his horse Hirondelle, carry us back to the days of
King Arthur and his knights. To this personage we have already adverted[42];
“but of his connexion with the Castle of Arundel,” says Tierney, “it were
difficult to trace the origin, although there can be little doubt that it existed at
a very early period. At the bottom of the valley called Pugh-dean, the
locality now under notice, is a low oblong mound, resembling a raised grave
in its form, and known in the traditions of the neighbourhood as ‘Bevis’s
burialplace.’ It is about six feet wide, and not less than thirty feet long. It is
accompanied by several smaller but similar mounds; and although peculiar in
its shape, as compared
with Roman and other tumuli which have been examined at different times,
has, nevertheless much of a sepulchral character in its appearance. It was
lately opened to a depth of several feet, but nothing was discovered in it. In
the middle, however, at the bottom to which the ground was originally made
to shelve from each end, a level space of about six feet in length had been
left, as if for the reception of a deposit; and as the lightness of the soil above
seemed to indicate that it had been merely removed, it is not improbable that
this deposit may have rewarded some antiquary more fortunate than those
who were engaged in the late excavation.”
Not far from this retired valley a different interest is excited by its having
been the site of the chapel and hermitage of St. James—an hospital for
lepers, and built soon after the middle of the thirteenth century, for the
reception of the unhappy outcasts who were afflicted with that loathsome
malady. The clump of trees observed in the view marks the locale of this
ancient sanctuary, which must have enclosed a very considerable area.
A pleasing incident in the history of Arundel, is the visit of the Empress
Matilda to her step-mother, Queen Adeliza, as already alluded to in our
notice of Albini. Accompanied by her natural-brother, Robert of Gloucester,
and a retinue of one hundred and forty knights, she was received within the
walls of the Castle, and treated with all the distinction which her own dignity
and the affection of her relative could bestow. The news of her arrival,
however, threw the army of King Stephen into immediate motion, and
brought the engines of war under the walls of the Castle. Fearful of the
consequences, Queen Adeliza determined to try the effects of policy in lieu
of force, and appealed to the chivalrous feelings of the incensed Monarch, in
behalf of her illustrious but ill-timed visitor. She assured him that the only
object of her royal guest in making this visit, was to gratify those feelings of
love and relationship, which might be reasonably supposed to exist between
mother and daughter; that the gates of the Castle had been thrown open to
her, not as a rival to the throne, but as a peacefully disposed visitor, who had
a longing desire to see her native land, and who was ready to depart
whenever it should please the King to grant her his safe-conduct to the
nearest port. It was, moreover, delicately insinuated, that to lay siege to a
Castle, where the only commander of the garrison was a lady, and where the
only offence complained of was a mere act of hospitality to a female
relation, was surely an enterprise neither worthy of a hero such as his
Majesty, nor becoming in him who was the crowned head of the English
chivalry.
The result of this appeal, or of some more convincing argument[43], has
been already stated in the safe retirement of Matilda from the scene of
danger, and her return to Normandy. But a small chamber over the inner
gateway enjoys the traditionary fame of having been her sleeping room, during
her sojourn
in the Castle. It is a low square apartment, such as the castellan might have
occupied during a siege. But, as an imperial chamber, it never could have
had more than one recommendation, namely its security, in times when
security was the chief object to be kept in view; and six centuries ago it was
no doubt a very eligible state chamber. The bedstead on which the Empress
is said to have reposed—for we would not disturb any point of popular and
poetical faith—is certainly a relic of considerable antiquity. Its massive
walnut posts are elaborately carved, but so worm-eaten, that, unless tenderly
scrutinised, the wood would be apt to fall into powder in the hands of the
visitor. Looking upon this, as a relic of the twelfth century, it may be
imagined with what feelings the daughter of a King, the consort of an
Emperor, and mother of a King, laid her head upon that humble couch,
reflected on her checkered fate, and felt the shock of warlike engines under
the battlements.
“ ’Mid crash of states, exposed to fortune’s frown,
Uneasy lies the head that wears a crown.”
The other events and incidents which give Arundel particular distinction
among the ancient baronial seats of England, are partly owing to the regal
dignity of its visitors. It was here that Alfred and Harold are believed to have
resided; and it was in the castle of Arundel that William Rufus, on his return
from Normandy, celebrated the feast of Easter.[44] In 1302, King Edward the
First spent some time within its walls: and from the fact of its containing an
apartment familiarly known as the ‘King’s Chamber,’ it is probable that, in
later times, it was often graced by the royal presence.[45] The luxury and
splendour of its apartments are amply attested by the minute inventories of
the costly materials employed in their decoration; while the princely
revenues of many of its lords permitted them to indulge in a style of
hospitality to which few subjects could aspire. It was frequented by the élite
of our English chivalry; beauty and valour were its hereditary inmates; its
court resounded to the strains of music; while military fêtes and religious
solemnities gave alternate life and interest to its halls. Many a plan,
afterwards developed in the field or the senate, was first conceived and
matured in the baronial fastness of Arundel. One of the dark yet dramatic
scenes of which it has been the theatre, is the conspiracy, in which the Earls
of Arundel, Derby, Marshall, and Warwick; the Archbishop of Canterbury,
the Abbot of St. Alban’s and the Prior of Westminster, met the Duke of
Gloucester, for the final ratification of the plot. After receiving the
sacrament, says the Chronicle, they solemnly engaged, each for himself, and
for one another, to seize the person of King Richard the Second; his brothers,
the Dukes of Lancaster and York; and, finally, to cause all the lords of the
King’s Council to be ignominiously put to death. This plot, however, was
happily divulged in time to defeat its execution; and Arundel was brought to
the block on the evidence of his son-in-law, Earl Marshall, then deputy-
governor of Calais.[46]
So great, says Caraccioli, “was the hereditary fame of Arundel Castle,
and so high its prerogative, that Queen Adeliza’s brother, Joceline of
Lorraine, though a lineal descendant of Charlemagne, felt himself honoured
in being nominated to the title of its Castellan.” From William de Albini,
Joceline received in gift Petworth, with its large demesne; and on his
marriage with Agness, heiress of the Percies, took the name of Percy—and,
hence, probably, the origin of “Percy’s Hall,” an apartment which has existed
from time immemorial in Arundel Castle.
Of Isabel de Albini, the widow of Earl Hugh, the following anecdote is
preserved:[47]—Having applied to the King for the wardship of a certain
person, which she claimed as her right, and failing in her suit, she addressed
him in these spirited words:—“Constituted and appointed by God for the just
government of your people, you neither govern yourself nor your subjects as
you ought to do. You have wronged the Church, oppressed the nobles, and to
myself, personally, have refused an act of justice, by withholding the right to
which I am entitled.” “And have the Barons,” said the King, “formed a
charter, and appointed you their advocate, fair dame?” “No,” replied the
Countess; “but the King has violated the charter of liberties given them by
his father, and which he himself solemnly engaged to observe; he has
infringed the sound principles of faith and honour; and I, although a woman,
yet with all the freeborn spirit of this realm, do here appeal against you to the
tribunal of God. Heaven and earth bear witness how injuriously you have
dealt with us, and the avenger of perjury will assert the justice of our cause.”
Conscious that the charge, though boldly spoken, was the voice of public
opinion, and struck with admiration of her frank spirit, the King, stifling
resentment, merely rejoined, “Do you wish for my favour, kinswoman?”
“What have I to hope from your favour,” she replied, “when you have
refused me that which is my right? I appeal to Heaven against these evil
counsellors, who, for their own private ends, have seduced their liege lord
from the paths of justice and truth.”
We now take a short retrospect of the public services, patriotic
achievements, and traits of personal character, which have distinguished the
thirty-two lords of Arundel from the period of the Conquest down to our
own times. Of several of these, however, our notice must be exceedingly
brief.—Of Roger Montgomery and his family we have little to add beyond
what has appeared in Mr. Tierney’s elaborate History of Arundel, to which
we have so often referred in the preceding pages. Of William de Albini, the
fourth earl, the following historical incident is recorded:—When at length,
after much fruitless warfare, Henry Plantagenet appeared in England at the head
of the nobles who espoused his rights, Albini had the happiness to achieve
what may be justly considered greater than any victory; he prevented the
effusion of blood. Henry’s army was then at Wallingford, where Stephen, at
the head of his forces, was arranging the line of battle. The armies were
drawn out in sight of each other; Stephen, attended by Albini, was
reconnoitring the position of his opponent; when his charger becoming
unmanageable, threw his rider[48]. He was again mounted; but a second and
a third time a similar accident occurred, which did not fail to act as a
dispiriting omen upon the minds of those who were witnesses of the
occurrence. Taking advantage of the superstitious dread thus excited among
the troops, Albini represented in emphatic terms to Stephen the weakness of
his cause when opposed by right and justice, and how little he could
calculate upon men whose resolution in his service had been already shaken
by the incident which had just occurred. His counsel was taken in good part;
Stephen and Henry, adds the historian, met in front of the two armies: an
explanation ensued, reconciliation was effected; and in the course of the year
a solemn treaty was ratified, by which Stephen adopted the young
Plantagenet as his successor to the throne. The most important affair in
which Albini’s service was called for, was the splendid embassy to Rome,
the object of which was to counteract the effect of à-Becket’s personal
representations at the papal court. That mission failed in effecting the
reconciliation intended, owing to the intemperate language of the prelates who
were associated with Albini in the cause. His own speech, as recorded by
Grafton, is characteristic of good sense and moderation:—“Although to me it is
unknown, saith the Erle of Arundell, which am but unlettered
and ignorant, what it is that these bishoppes here have sayde, (their speeches
being in latin,) neyther am I in that tongue able to expresse my minde as they
have done; yet, beyng sent and charged thereunto of my prince, neyther can,
nor ought I but to declare, as well as I may, what the cause is of our sendyng
hether; not to contende or strive with any person, nor to offer any iniury or
harm unto any man, especially in this place, and in the presence here of such
a one unto whose becke and authoritye all the worlde doth stoope and yelde.
But for this intent in our Legacy hether directed, to present here before You
and in the presence of the whole Church of Rome, the devocion and loue of
our king and master, which ever he hath had and yet hath still toward You.
And that the same may the better appere to yr. Excellencie, hee hath
assigned and appointed to the furniture of this Legacy, not the least, but the
greatest; not the worst, but the best and chiefest of all his subiects; both
archbishoppes, bishoppes, erles, barons, with other potentates mo, of such
worthinesse and parentage, that if he could have found greater in all his
realme he would have sent them both for the reverence of Your Person and
of the Holy Church of Rome,” &c.
But this oration, “although it was liked for the softnesse and moderation
thereof, yet it failed of its object; it could not perswade the bishop of Rome
to condescende to their sute and request, which was to have two legates or
arbiters to be sent from him into England, to examine and to take up the
controversie betwene the kinge and the archbishoppe.”
Subsequently to this, Albini was sent on a more agreeable mission, that of
conducting the Princess Matilda into Germany, on the eve of her marriage
with Henry, Duke of Saxony; and five years later was selected by the king as
one of his “own trustees to the treaty of marriage between his son Prince
John, and the daughter of Hubert, Count of Savoy.” Shortly afterwards he
commanded the royal forces at Fornham in Suffolk, and gained a complete
victory over the rebellious sons of King Henry—in whose unnatural cause
the disaffected at home had been joined by a numerous body of foreigners—
and took prisoners the Earl of Leicester, with his Countess and all his retinue
of knights. Albini was a great benefactor of the church; he built “the abbey
of Buckenham; endowed various prebends in Winchester; founded the priory
of Pynham, near Arundel; the chapel of St. Thomas at Wymundham,” and
died at Waverley in Surrey.
To Albini’s son and grandson we have already adverted, but conclude
with a brief incident in the life of William, the third earl of his family.
When the banner of the cross was waving under the walls of Damietta,
and the chivalry of Christendom flew to the rescue, the gallant Albini was
too keenly alive to the cause to resist the summons. In that severe
struggle, he hoped to acquire those laurels which would leave all other
trophies in the shade; and with the flower of our English chivalry embarked
for the Holy Land, and served at the siege of that fortress. Two years he
remained a staunch supporter of the cross—a soldier whom no dangers could
dismay, no difficulties intimidate; and long after his companions had
returned to the white cliffs of Albion, the lion-standard of Albini shone in the
van of the Christian army. On his way home, however, he had only strength
to reach an obscure town in the neighbourhood of Civita Vecchia, near Rome,
where he was taken ill and expired. His eldest son, the fourth earl, died
without issue; and the short life of his successor, Hugh de Albini, appears to
have passed without any remarkable
event or incident, save latterly in active warfare in France, where, at the
battle of Taillebourg, in Guienne, he displayed, though ineffectually, the
hereditary valour of his family.
The first of the Fitzalans who held the title and estates of Arundel was
appointed one of the Lord Marchers, or Wardens of the Welsh Border; and
found to his cost that the Ancient Britons did not submit to the daily
encroachment made upon their rights and hereditary privileges, without
having frequent and formidable recourse to arms. He maintained a high
station at court, was admitted to the royal confidence, and had the
“command of the Castle of Rochester when the approach of the King’s
forces compelled the disaffected Barons to raise the siege.” At the battle of
Lewes he distinguished himself in the royal cause; but at the close of that
disastrous field—along with the two princes, Edward and Henry—fell into
the “hands of the victorious Barons.”
Of the battle of Lewes, we select the following graphic picture from
Grafton:—“Upon Wednesday the 23rd of May, early in the morning, both
the hostes met; where, after the Londoners had given the first assault, they
were beaten back, so that they began to drawe from the sharpe shot and
strokes, to the discomfort of the Barons’ hoste. But the Barons encouraged
and comforted their men in such wise, that not all onely, the freshe and
lustye knights fought eagerly, but also such as before were discomfited,
gathered a newe courage unto them, and fought without feare, in so much
that the King’s vaward lost their places. Then was the field covered with
dead bodyes, and gasping and groning was heard on every syde; for eyther
of them was desyrous to bring others out of lyfe. And the father spared not
the sonne, neyther yet the sonne spared the father! Alliaunce at that time was
bound to defiaunce, and Christian bloud that day was shed without pittie.
Lastly the victory fell to the Barons; so that there was taken the King, and
the King of Romaynes, Sir Edward the King’s sonne, with many other
noblemen,” among whom was Fitzalan, Earl of Arundel, “to the number of
fifteen barons and banerets; and of the common people, that were slain,
about twenty thousand, as saith Fabian.”
This was Fitzalan’s last appearance in the field; and, as a security for his
good behaviour, he was required “to surrender the Castle of Arundel or
deliver his son as a hostage,” into the hands of the Earl of Leicester. “For
their safe keeping, the prisoners were sente unto dyverse castellis and
prysons, except the King, his brother the King of Almayne, and Sir Edwarde
his sonne; the which the barons helde with them vntill they came to
London.”
Richard the third earl takes an eminent station in the family history. He
first travelled in France and Italy, in compliance with the rules of his
order[49]; then served in Wales, performed several exploits against Madoc;
became distinguished among the chivalry of his day; held a command in the
expedition organised for the subjugation of Scotland; fought at Falkirk; and
subsequently took part at the siege of Caerlaverock Castle, where in the
language of the minstrel, “who witnessed the fray,” he is complimented as—
“Richard le Conte de Aroundel,
Beau chivalier, et bien aimé,
I vi je richement armé;
En rouge au lyon rampart de or—[50]”
and in various capacities appears to have done the state much acceptable
service.
1306. During the life of Edmund, the fourth Earl, the affairs of Scotland
assumed a threatening aspect; and the King, exasperated by the murder of
Comyn, resolved to march an army across the frontier. Great preparations
were made to render the expedition, in all respects, worthy of the grand
object in view. The royal armies were ordered from their cantonments, and
hastened into the field under the command of Aymer de Valence, Earl of
Pembroke.
In preparation for the expedition, “proclamation was made, that a grand
national fete would solemnise the movement; that the Prince of Wales
would be knighted on the Feast of Pentecost; and all the young nobility of
the kingdom were summoned to appear at Westminster to receive that
honour along with him. On the eve of the appointed day (the 22nd of May)
270 noble youths, with their pages and retinues, assembled in the Gardens of
the Temple, in which the trees were cut down that they might pitch their
tents; they watched their arms all night, according to the usage of chivalry;
the prince, and some of those of highest rank, in the Abbey of Westminster;
the others in the Temple Church. On the morrow, Prince Edward was
knighted by his father in the Hall of the Palace, and then proceeding to the
Abbey, conferred the like honour on his companions. A magnificent feast
followed, at which two swans covered with nets of gold being set on the
table by the minstrels, the King rose, and made a solemn vow to God and to
the swans, that he would avenge the death of Comyn and punish the perfidy
of the Scottish rebels. Then, addressing his son and the rest of the company,
he conjured them, in the event of his death, to keep his body unburied until
his successor should have accomplished this vow. The next morning the
prince, with his companions, departed for the Borders; Edward himself
followed by slow journeys, being only able to travel in a litter.”
Such was the bright morning of Edmund Fitzalan’s life; and the annexed
gives us the dark contrast in his tragical end.
1326. The citizens, says Froissart, seeing they had no other means of
saving the town, their lives, and their fortunes, acceded to the Queen’s terms,
and opened their gates to her. She entered the town attended by Sir John de
Hainault, with all her barons, knights, and esquires, who took their lodging
therein. The others, for want of accommodation, remained without. Sir Hugh
Spencer and the Earl of Arundel were then delivered to the Queen to do with
them according to her good pleasure. The Queen then ordered the elder
Spencer and Arundel to be brought before her eldest son and the barons
assembled, and said that she and her son would see that Justice should be
done unto them according to their deeds. “Ah, madam,” said Spencer, “God
grant us an upright judge and a just sentence; and that if we cannot find it in
this world, we may find it in another.” The charges against them being read,
an old knight was called upon to pass sentence; and her son, with the other
barons and knights, pronounced the prisoners guilty. Their sentence was, that
they, the said Earl of Arundel and Spencer, should be drawn in a hurdle to
the place of execution, there to be beheaded, and afterwards to be hung on a
gibbet. “The which was duly carried into effect on the feast of St. Denis,” at
Bristol—or, according to others, at Hereford.
Richard, the son and successor of Edmund, became highly distinguished
among the great men of his time. His life and exploits make no
inconsiderable figure in the national annals.
When a fleet of cruisers, sent out by the French for the annoyance of
British commerce in the Channel, had made prizes of many of our best
merchant ships, pillaged several towns on the coast, and caused much
consternation to all who were interested in the prosperity of commerce,
Arundel hoisted his flag on board the “Admiral,” and put to sea. Another fleet
was
ordered to co-operate with him in the eastern coast; the first cruise checked
the audacity of the enemy, and re-established public confidence and good
order.
1340. His next public service was off the harbour of Sluys, where, in an
engagement with the French fleet, he was second in command under King
Edward the Third, and gained a complete victory.
“When the king’s fleet,” says the chronicler, “was almost got to Sluys,
they saw so many masts standing before it, that they looked like a wood. The
king asked the commander of his ship what they could be, who answered
that he imagined they must be that armament of Normans which the King of
France kept at sea, and which had so frequently done him much damage, had
burnt the good town of Southampton, and taken his large ship the
‘Christopher.’ The king replied, I have for a long time wished to meet with
them, and now, please God and St. George, we will fight with them; for in
truth they have done me so much mischief, that I will be revenged upon
them if possible.”
The large ships under Lord Arundel, the bishop of Norwich, and others,
now advanced, adds Froissart, and ran in among those of Flanders: but they
had not any advantage; for the crossbow-men defended themselves gallantly
under their commander Sir John de Bucque. He and his company were well
armed in a ship equal in bulk to any they might meet, and had their cannons
on board, which were of such a weight, that great mischief was done by
them. This battle was very fierce and obstinate, for it continued three or four
hours; and many of the vessels were sunk by the “large and sharply-pointed
bolts of iron which were cast down from the maintops, and made large holes
in their decks.” When night came on, they separated, and cast anchor to
repair their damage and take care of the wounded. But at the next flow of the
tide, they again set sail and renewed the combat; yet the English continually
gained on the Flemings, and, having got between them and Blanquenberg
and Sluys, drove them on Cadsand, where the defeat was completed.
So great was the disaster to the French monarch on this day, that none of
his ministers would venture to communicate to him the amount of life and
property which had been sacrificed. What the minister, however, durst not
reveal, the king’s jester found means to divulge. “What arrant cowards are
those English!” said the jester. “How so?” demanded Philip. “Because,”
answered zany, “they had not courage to jump overboard, as the French and
Normans did lately at Sluys[51].” This opened the king’s eyes, and prepared
him for the disastrous tidings that were now poured in upon him.
Six years later, Arundel was appointed admiral of the king’s fleet, and
conveyed the great military expedition from Southampton to Normandy.
When the troops were disembarked at La Hogue, he was created constable of
the forces; and with Northampton and other noblemen commanded the
second division at the battle of Cressy[52].
During the heat of the combat, when Prince Edward was surrounded by
the enemy and in personal jeopardy, Arundel and Northampton hastened to
his support; ordered their division forward, and closed with the enemy. The
English rushed upon their assailants with renewed ardour; the French line
was charged, broken, and dispersed; “earls, knights, squires, and men-at-
arms, continuing the struggle in confused masses, were mingled in one
promiscuous slaughter.” When night closed, King Philip, with a retinue of
only five barons and sixty knights, fled in dismay before the cry of “St.
George for England!” Eleven princes, twelve hundred knights, and thirty
thousand soldiers, had fallen on the side of the French.
On another occasion, but on a different element, Arundel was present
with the king, in his “chivalrous engagement with the French fleet, off
Winchelsea;” and four years later was deputed to the court of Pope Innocent,
then at Avignon, in the fruitless attempt to arrange the articles of a
permanent reconciliation between the Crowns of England and France.
Arundel survived these brilliant events many years; and during the leisure
secured to him by his great public services, appears to have found
occupation for his active mind and munificent taste in repairing and
embellishing his ancestral[53] Castle, where he died at an advanced age, and
bequeathed immense possessions to his family.
The contrast presented in the life and destinies of his son forms a
melancholy page in the family history. He was a brave man, and had
performed several gallant exploits. But it was his misfortune to fall upon evil
times, of which intrigue, disaffection, private revenge, and outward violence
were leading characteristics. Associating with the turbulent spirits who
surrounded an imbecile and capricious monarch, his character took the
complexion of the age.
1397. He is said to have been at the head of a conspiracy already
mentioned in this work, page 39, and which is thus recorded by Holinshed,
Grafton, and others of the old chroniclers[54]. The Earls of Arundel, Derby,
Marshal, and Warwick; the Archbishop of Canterbury, Arundel’s brother; the
Abbot of St. Alban’s, and the Prior of Westminster, met the Duke of
Gloucester[55] in Arundel Castle, where, receiving first the sacrament by the
hands of the Archbishop, they resolved to seize the person of King Richard the
Second, and his
brothers the Dukes of Lancaster and York, to commit them to prison, and
cause the lords of the King’s Council to be drawn and hanged. This plot,
however, was divulged, it is said, by the Earl Marshal, and the apprehension
of Arundel led to the family catastrophe, which with some little abridgment
of the original authors is related as follows:—
Apprehended under assurances of personal security, he was hurried to the
Tower, and finally tried and condemned by the Parliament at Westminster.
On the feast of St. Matthew, Richard Fitz Alaine, Earl of Arundel, was
brought forth to swear before the King and whole Parliament to such articles
as he was charged with.[56] And as he stood at the bar, the Lord Neville was
commanded by the Duke of Lancaster, which sat that day as High Steward
of England, to take the hood from his neck, and the girdle from his waist.
Then the Duke of Lancaster declared unto him that for his manifold
rebellions and treasons against the king’s majesty, he had been arrested, and
hitherto kept in ward, and now at the petitions of the lords and commons, he
was called to answer such crimes as were there to be objected against him,
and so to purge himself, or else to suffer for his offences, such punishment as
the law appointed.
First he charged him that he had ridden in armour against the King in
company of the Duke of Gloucester, and of the Earl of Warwick, to the
breach of peace and disquieting of the realm.
His answer hereunto was, that he did not this upon any evil meaning
towards the King’s person, but rather for the benefit of the King and realm, if
it were interpreted aright and taken as it ought to be.
It was further demanded of him, why he procured letters of pardon from
the King, if he knew himself guiltless. He answered he did not purchase
them for any fear he had of faults committed by him, but to stay the
malicious speech of them that neither loved the King nor him.
He was again asked whether he would deny that he had made any such
rade with the persons before named, and that in company of them he entered
not armed unto the King’s presence against the King’s will and pleasure. To
this he answered he could not deny it, but that he so did.
Then the speaker, Sir John Bushie, with open mouth besought that
judgment might be had against such a traitor; and “your faithful commons,”
said he to the King, “ask and require that so it may be done.” The Earl,
turning his head aside, quietly said to him, “Not the King’s faithful
commons” require this, “but thou, and what thou art I know.” Then the eight
appellants standing on the other side, cast their gloves at him, and in
prosecuting their appeal—which already had been read—offered to fight
with him, man to man, to justify the same. “Then,” said the Earl, “if I were
at libertie, and that it might so stande with the pleasure of my sovereign, I
would not refuse to prove you all liars in this behalfe.”
Then spake the Duke of Lancaster, saying to him, “What have you further
to say to the points laid before you?” He answered, that of the King’s grace
he had his letters of general pardon, which he required to have allowed.
Then the duke told him that the pardon was revoked by the prelates and
noblemen in Parliament; and therefore willed him to make some other
answer.
The Earl told him again that he had another pardon under the King’s great
seal, granted him long after the King’s own motion, which also he required
to have allowed. The Duke told him that the same was likewise revoked.
After this, when the Earl had nothing more to say for himself, the Duke
pronounced judgment against him as in cases of treason is used.
But after he had made an end, and paused a little, he said, “The King our
sovereign lord of his mercy and grace, because thou art of his blood, and one
of the Peers of the realm, hath remitted all other pains, saving the last that is
to say, the beheading, and so thou shalt only lose thy head;”—and forthwith
he was had away, and led through London, unto the Tower-hill. There went
with him to see the execution done, six great lords, of whom there were three
earls, Nottingham, that had married his daughter; Kent, that was his
daughter’s son; and Huntington, being mounted on great horses, with a great
company of armed men, and the fierce bands of the Cheshiremen, furnished
with axes, swords, bows and arrows, marching before and behind him, who
only in this parliament had licence to bear weapon, as some have written.
When he should depart the palace, he desired that his hands might be loosed
to dispose of such money as he had in his purse, betwixt that place and
Charing Cross. This was permitted; and so he gave such money as he had in
alms with his own hands, but his arms were still bound behind him.
When he came to the Tower-hill, the noblemen that were about him
moved him right earnestly to acknowledge his treason against the king. But
he in no wise would do so; but maintained that he was never traitor in word
nor deed; and herewith perceiving the Earls of Nottingham and Kent, that
stood by with other noblemen, busy to further the execution, and being, as ye
have heard, of kin, and allied to him, he spake to them, and said, “Truly it
would have beseemed you rather to have been absent, than here at this
business. But the time will come ere it be long, when as many shall marvel
at your misfortune as do now at mine.” After this, forgiving the executioner,
he besought him not to torment him long, but to strike off his head at one
blow, and feeling the edge of the sword, whether it was sharp enough or not,
he said, “It is very well, do that thou hast to do quickly,”—and so kneeling
down, the executioner with one stroke, strake off his head. “Then returned
they that were at the execution and shewed the kinge merily of the death of
the erle; but although the kinge was then merry and glad that the dede was
done, yet after exceedingly vexed was he in his dremes.” The Earl’s body
was buried, together with his head, in the church of the Augustine Friars in
Bread-street, within the city of London.
The death of this earl[57] was much lamented among the people,
considering his sudden fall and miserable end, whereas, not long before
among all the noblemen of this land, there was none more esteemed; so
noble and valiant he was that all men spake honour of him.
After his death, as the fame went, the king was sore vexed in his sleep
with horrible dreams, imagining that he saw this earl appear unto him,
threatening him, and putting him in horrible fear, as if he had said with the
poet to King Richard—
“Nunc quoque factorum venio memor umbra tuorum,
In sequor et vultus ossea forma tuos.”—
With which visions being sore troubled in sleep, he cursed the day that ever
he knew the earl. And he was the more unquiet, because he heard it reported
that the common people took the earl for a martyr, insomuch that some came
to visit the place of his sepulture, for the opinion they had conceived of his
holiness. And, when it was bruited abroad, as for a miracle, that his head
should be grown to his body again, the tenth day after his burial; the king
sent about ten of the clock in the night certain of the nobility to see his body
taken up, that he might be certified of the truth. Which done, and perceiving
it was a fable, he commanded the friars to take down his arms, that were set
up about the place of his burial, and to cover the grave, so as it should not be
perceived where he was buried.
In less than two years, however, King Richard himself was a captive in
the hands of his subjects. Young Arundel and the son of the late Duke of
Gloucester were appointed his keepers. “Here,” said Lancaster, as he
delivered[58] Richard into their custody[59], “here is the king; he was the
murderer of your fathers; I expect you to be answerable for his safety.”
During the first five years of Henry the Fourth, young Arundel, among
other services, shared with his sovereign the reverses which attended his
invasion of the Welsh frontier, and his campaign against Owen Glendower.
—But at length the scenes of the camp gave place to domestic festivities;
and his approaching marriage with Donna Béatrice, daughter of John the
First, king of Portugal, was publicly announced. Great preparations were
made to receive the bride with all the honours due to her beauty and station;
the royal palace and the earl’s ancestral castle were sumptuously fitted up for
her reception. She left Portugal with a splendid retinue, made a prosperous
voyage, and arrived in London in the middle of November. On the
twenty-sixth of the same month the solemnity took place in the Royal Chapel,
where, in the presence of the King and Queen, Donna Béatrice gave her hand
to the young Earl of Arundel.
Their subsequent arrival at Arundel, and the rejoicings which there met the
royal bride, may be better imagined than described. All that could add to
the splendour of the gala was ingeniously arranged and displayed; and on her
triumphant entry under the old Norman gateway of her husband’s castle,
Donna Béatrice might well confess that “the castled heights of Algarva were
not so beautiful as the verdant hills, and embattled towers, of Arundel.”
Among the personal exploits by which his brief career was subsequently
distinguished, is the following.—During the excitement which prevailed in
France in consequence of the murder of the Duke of Orleans, “the author of
that assassination, Charles Duke of Burgundy, now taking the alarm, applied
to the English monarch for assistance.” His request was instantly complied
with; for Henry had “private motives which prompted him in this instance.”
1411. Arundel, at the head of a strong body of archers and men-at-arms,
was despatched to join the Burgundian leader, whom he met at Arras; and
thence directing their march upon the capital, arrived on the twenty-third of
October. The first point of attack was St. Cloud, where Arundel took charge
of the assault, and marching his men to the bridge which here crosses the
Seine, carried it by storm; took possession of the town with severe loss to the
enemy, and returned with numerous prisoners, immense booty, and the
thanks of the Burgundian chief.
The same Earl was also present at the siege of Harfleur, in the subsequent
reign; and under both sovereigns held many distinguished posts of high trust
and honour. But returning from the last campaign in ill health, he died at his
paternal seat of Arundel, where a magnificent monument, quartered with the
royal arms of Portugal, attests his virtues and patriotic services.
Of John Fitzalan, the eighth Earl, the public services and achievements,
“during the French wars,” are not sufficiently prominent to demand any
special notice in these pages; but John Fitzalan, the ninth Earl, is justly
celebrated for his abilities both as a soldier and a senator.
In the grand tournament[60] which took place in the French capital in
honour of the coronation of Henry the Fifth, the English monarch, there was
a brilliant display of all that was most dazzling to the eye, and daring to the
imagination. But at the close of the scenes in which the pride and prowess of
chivalry were never more strikingly exemplified, Arundel[61] and the Comte
de St. Pol, grand master of the household, were acknowledged to have
carried away the prize from every competitor[62].
Four years later, an event occurred which was destined to close his
military career and carry him off in “the blaze of his fame.” This happened
in an attack upon the old castle of Gerberoi, near Beauvais, during the
operations of the English army in Picardy.
Leaving Gournay at midnight, the Earl arrived in eight hours with the
advanced guard in sight of the towers of Gerberoi. But in his impatience to
reduce the fortress, he had miscalculated the strength of its walls and
garrison, with the experience of its veteran commandant La Hire, and his
own diminutive force. “The enemy,” says Holinshed, “perceiving that his
horses were weary and his archers not yet come up, determined to set upon
him before the arrival of his footmen, which they knew to be a mile behind.”
As soon as he came in sight the gates were suddenly thrown open, and three
thousand troops rushing upon the handful of men under his command, threw
them into confusion. An unequal conflict ensued—struck with panic, and
pressed by an overwhelming majority, the rout of the English became
general. Arundel, with a few undaunted followers, who had sworn to share
his glory or his grave, took up his position in “a little close” or corner of a
field, where his rear was under cover of a strong hedge, threw up a hasty
fortification of pointed stakes, and thus protected, kept the enemy at bay. But
other and more powerful means of annoyance were at hand. La Hire ordered
three culverins to be brought from the castle, and planted in front of the
“forlorn hope.” The first shot told sadly upon the members of this intrepid
band; but in the presence of their chief, nothing could damp their fortitude,
nothing could paralyse their exertions. The first discharge was received with
a shout of triumph and defiance. But the third striking Arundel in the knee,
shattered the bone and threw him to the ground. This shot was the loss of the
day. The French commander, seizing the favourable moment, rushed upon
the entrenchment—and while Arundel, though faint with loss of blood and
racked with pain, still continued to cheer on his men—effected a breach and
took captive the gallant earl and his companions.
Arundel survived the disaster for some time, but died at last of his wound,
and was buried in the church of the Grey Friars—the Frères Mineurs—of
Beauvais.
In the collegiate church of Arundel, where he had previously selected his
own place of interment, a cenotaph of beautiful design and elaborate
workmanship still marks the spot; but, owing to some unknown cause, as
Mr. Tierney informs us, “his executor neglected this last injunction;” and the
soldier was not permitted to find rest in the sepulchre of his fathers.
1304. Humphrey, his son, became heir to his titles and estates; but, not
surviving his father more than three years, they again passed to his uncle,
William Fitzalan, then in his twenty-first year. The events of his life,
however, are not of a character to interest the reader by any bright displays
of moral excellence, which could be handed down as examples to posterity.
“Obsequious—veering round with every change,
Now to the liege professing homage fervent;
Then as the sceptre dropp’d, could it seem strange
That faction found him its most humble servant!”
Yet with all his political faults, there was much in his private life and
conversation—much in his munificence to the church—and still more in his
encouragement of learning, to rescue his name from oblivion. He died at
Arundel, and was buried with his ancestors in the Chapel, where a splendid
altar-tomb attests his love and patronage of the fine arts.
In the preface to Caxton’s Golden Legende, honourable mention is made
of the puissant, “noble and vertuous lorde, Willyam, Erle of Arundelle.”
Dallaway quoting Vincent says—“William Earle of Arundell, a very father
of nurture and courtesy, died at a great age at Arundell, and there
triumphantly lieth buried.”
His successor, Thomas Fitzalan, was a man whose address and
accomplishments found ready acceptance at court, and secured the good-will
and approbation of more than one sovereign.
1543. Henry Fitzalan, on succeeding his father this year, returned from
Calais to England, and at Arundel kept the Christmas festivities in such style
with his neighbours, that it is known, says the MS. Life quoted by Mr.
Dallaway, as “the great Xmas of Arundel.”
1544. At the siege of Boulogne, in the following year, he was nominated
by King Henry as marshal of the field. The siege on this occasion proved
tedious; the town and garrison were resolute in their defence, and day after
day the besiegers were baffled in their efforts to force them to a capitulation.
At last, however, a mine, which had been successfully worked beneath the
castle, was sprung at midnight; the explosion shook the whole citadel, and
general confusion ensued. Seizing the favourable moment, Arundel ordered
the battering ordnance to play with redoubled fury upon the walls; and
heading at the same time a resolute detachment, took his station in the
entrenchments. There, while the shot and shell struck and exploded in the
ramparts over his head, he waited till a breach in the masonry was effected;
and then throwing himself into the gap, cheered on his men to the assault.
Inspired by their leader’s example, every soldier did his duty; the besieged
were driven from the works; their guns were turned against themselves, the
ramparts were cleared; capitulation was effected, and before morning the
flag of England floated in triumph from the Castle of Boulogne.[63]
But neither prowess in the field nor wisdom in the cabinet could exempt
Arundel from the trials, calumnies, and persecutions of those who only saw,
in the royal favour extended to him, a grand obstacle to their own
advancement. After the demise of Henry, charges were accordingly brought
against him, which—although never proved—formed the ground of his
exclusion from the council, were attended with a heavy fine, and aggravated
by imprisonment. The false evidence, however, on which these penalties
were inflicted, being speedily detected, his confinement was very brief. A
large portion of the fine was remitted, but the remembrance of such
unmerited treatment was never to be effaced. Subsequently, on the exhibition
of further charges against him, he was again sent to the Tower, where he was
detained a close prisoner during thirteen months, and was then enlarged on
payment of a heavy fine, and admonished to “behave himself according to
the duty of a nobleman, and to prove in deeds what he professed in words.”
But events were now fast hastening to a crisis. The demise of the royal
minor, the elevation of Lady Jane Grey, the ebullitions of party violence—all
spread universal excitement and alarm throughout the country.
Arundel, who had long fostered a spirit of secret enmity and revenge
against Northumberland, as the author of his misfortunes, now perceived that
the moment of retaliation was at hand. He invited and promised the full
weight of his support to the Princess Mary in private; but in public he
zealously espoused the cause of her rival, the Lady Jane; and was among the
first who offered her homage, and swelled the magnificence of her entry into
London.
1544. Northumberland was blinded by so much apparent devotion to the
cause; and when he reluctantly quitted London to stem the torrent that was
now rapidly setting in from the east, Arundel, says Stow, took leave of him
in these specious and hollow terms: “Farewell, my lord; and I pray God be
with your grace. Sorry indeed am I, that it is not my chance to go with you,
and bear you company, in whose presence I could find in my heart to shed
my blood, even at your feet.” But as soon as Northumberland was gone,
Arundel changed his tone; denounced him as a traitor; declared his
sentiments; and boldly asserted the sovereign right of the eldest daughter of
Henry the Eighth. His fervid eloquence and appeal to the nobles present
made a deep and visible impression. Pembroke[64], infected by the
enthusiasm of the speaker, starting up, and grasping the hilt of his sword,
exclaimed, “Either this sword shall make Mary queen, or I will die in her
quarrel!” The result needs not be told. In an instant the whole aspect of
affairs was changed. That very night Mary was proclaimed in every street of
the city—banquets, bonfires, riots, and illuminations, were called to attest
the fact.
The news of the revolution were scattered in all points of the compass,
and at Cambridge reached the Duke of Northumberland, who was astounded
at what had happened, and felt all the paralysing influence of his critical
position.
When Arundel, whose revenge was now secure, arrived with the warrant
for his apprehension, the duke threw himself upon his mercy, and implored
him, says the Chronicler, “to be good to him for the love of God!” But
Arundel coldly replied that his grace should have sought for mercy sooner,
and then committing him to safe custody, ordered him off to the Tower.
During the reign of Mary, Arundel had many honours heaped upon him,
and filled several important offices of state; nor did court favour desert him
on the accession of Elizabeth, who even made him her familiar companion,
and became his frequent guest. She visited him at her splendid palace of
Nonsuch, of which he was keeper; joined in all the revels in celebration of
her visit; accepted at her departure a “cupboard of plate” and repaid him
with assurances of cordial regard and unlimited confidence.
Flattered by such manifestations of royal favour, Arundel went so far in
his loyal attachment as to become one of her Majesty’s impassioned suitors.
He was a Catholic indeed, but love and loyalty were divinities to which
religion had been often known to bend; and having given his vote and
influence to all her state measures—and not weighing the “queen’s sincerity
by his own”—he looked forward with bright anticipations of the future. But
Elizabeth was as much an adept in manœuvring as the earl; her chief object
had now been accomplished; she no longer required his services—she
remembered his support of her sister Mary; and when Arundel ventured to
address her as the royal Chloë of his admiration, the queen threw off the
mask, and instead of receiving the homage thus tendered, in the sense it was
meant, ordered the noble earl to be placed under arrest. Well might he
exclaim—
“Tantæne animis cœlestibus iræ?”
The arrest however was soon removed; and with his enlargement a more
rational course presented itself for his choice. His health requiring change of
climate, he went abroad; and after spending fourteen months in travel
beyond seas, he returned to London in a style that resembled the triumphant
progress of a sovereign, and to present, as a peace-offering to her Majesty, “a
pair of the first silk stockings[65] ever seen in England.”
Once more restored to favour, he did not long maintain his position; but
again lapsing into unlawful practices, by tampering in the question
respecting Mary, Queen of Scotland, and the Duke of Norfolk, his son-in-
law; he finally lost the queen’s countenance, and was recommitted as a
prisoner to the palace of Nonsuch. The dreams of ambition were now past.
On his liberation, he retired from the political world to spend the remainder
of his days in study and domestic seclusion, where he could moralise on the
mad projects of ambition, the vexations and vanities of court life.
1589. He died at Arundel House in the Strand, and was buried “with
solemn pomp and costly funerall” in the collegiate Chapel of Arundel, where
his monument is still an object of no common interest to the stranger.
We shall next, in accordance with our plan, proceed to notice such
passages in the history of the Howards, Earls of Arundel, as may best
exhibit some of the public services, the extraordinary events, or striking
incidents in which they have severally been engaged. In these sketches,
however, we purpose to exemplify the character of each by authentic traits of
conduct in the field and the cabinet; in the noon of fame, and in the night of
misfortune.
In a review of their history and achievements, however, our notice,
strictly speaking, ought to commence at that period when the titles of
Arundel and Norfolk became first united in the same Peer. But the task will
not be tedious, and cannot be uninteresting, to present our readers with a
genealogical epitome of the Howards of Norfolk.
The origin of this family is involved in obscurity, which the diligence of
research appears to have rendered more obscure, making darkness visible. For
antiquity’s sake, however, it is sufficient to state that the name was of
some distinction in the 13th century; and that the ancestor of the present
family, John Howard of Wigen Hall, in Norfolk, was a Judge of Common Pleas,
summoned to Parliament by Edward the First, and distinguished for his
talents and public services.
1298-1307. Sir Robert Howard, the fifth in regular descent, had the good
fortune to contract a marriage alliance with the second daughter of
Mowbray, Duke of Norfolk, and his Duchess Elizabeth, sister and co-heir of
Thomas Fitzalan, Earl of Arundel. By her father’s side, the noble bride was a
grand-daughter of Margaret Plantagenet, whose father—Thomas de
Brotherton—was the fifth son of Edward the First. This alliance, by
connecting Sir Robert and his descendants with the blood royal of England,
opened a path to those splendid honours by which they were subsequently
distinguished. 1483. Sir John Howard, his immediate descendant, was promoted
during the reign of three successive sovereigns to many high posts of
trust and dignity; and at last summoned to Parliament by the title of Baron
Howard. Thirteen years later he was elevated to the highest title in the
peerage; his son was created Earl of Surrey, by Richard the Third; he was
invested with the hereditary office of Earl Marshal of England; dignities
which his ancestors Mowbray, Thomas de Brotherton, and Roger Bigod, had
severally enjoyed as Dukes of Norfolk. But the high honours thus showered
upon him, were doomed very shortly after to be blasted. The battle of
Bosworth was at hand; he had “touched the highest point of all his
greatness,” and whilst—
He bore his blushing honours thick upon him,
The third day came a frost, a killing frost.
The following letter, written only a very few days previous to the battle, and
addressed to the Sheriff of Norfolk, is a document of no inconsiderable
interest:—“To my well-beloved Friend John Paston, be this bill delivered in
haste.—Well beloved Friend, I commend me to you, letting you to
understand that the King’s enemies be a-land, and that the King would have
set forth as upon Monday, but only for our Lady-day; but for certain he
goeth forth as upon Tuesday, for a servant of mine hath brought to me the
certainty. Whereupon I pray you that ye meet with me at Bury, as upon
Tuesday night, and that ye bring with you such company of tall men, as ye
may goodly make at my cost and charge; beside that which ye have
promised the King; and I pray you, ordain them jackets of my livery, and I
shall content you at your meeting with me—Your lover, J. Norfolk.”—
Green.
One of the most important days in the annals of Great Britain was now at
hand. The royal family was nearly extinct; the nobility was sadly diminished
and cut off; the nation itself was thinned of its best and bravest inhabitants—
the sad results of twelve sanguinary engagements; and again two formidable
armies had taken the field under two of the ablest politicians that ever
hoisted the standard of ambition or revenge.
On this memorable day King Richard’s front was commanded by the
subjects of this notice, John Duke of Norfolk, and his son, the Earl of
Surrey; the second by Richard in person; and the right wing by Henry, Earl
of Northumberland. Richmond’s front, being very inferior in numbers to that
of his rival, was thinly extended over a wide surface, so as to present a more
formidable appearance, and was commanded by John de Vere, Earl of
Oxford, whose father and brother had both perished on the scaffold in
support of the house of Lancaster. De Vere was also first-cousin to Norfolk,
whose blood he was destined to shed on this disastrous field. The other
divisions of Richmond’s army were led by Sir John Savage, and Sir Gilbert
Talbot; while Richmond himself took up a conspicuous station in the field
under his uncle the Earl of Pembroke.
After a night of fearful preparation, Norfolk, in issuing forth early in the
morning, discovered the following rhyme rudely pencilled on the door of his
tent—sadly ominous of the event at hand—
“Jack of Norfolk, be not too bold,
For Dickon, thy master, is bought and sold[66].”
The battle, now set in array, commenced with a discharge of arrows; after
which, the Earl of Oxford, in order to concentrate his forces, issued a
command, that every man should fight close to his standard. In this
movement, Norfolk and Oxford, leading their respective vans, approached
each other. With a rancour sharpened at this moment by their very
relationship, each singled out the other as an object worthy of his lance. With
cool determined intrepidity they dashed forward to the rencontre; and
shivering their spears at the first thrust, drew their swords and resumed the
trial of strength and skill. Rushing in upon his antagonist’s guard, Norfolk’s
powerful arm made a sweeping blow at the head of De Vere; but the blade
glancing down from his polished helmet failed in its effect, and only
wounded him in the left arm.
Quickly recovering his balance, and exasperated by the dread of
discomfiture more than the pain of his wound, Oxford returned the blow
with tremendous effect; hewed the visor from Norfolk’s helmet, and thereby
exposed his face to the missiles that were falling in showers around them.
Oxford, like a generous knight, disdaining to take advantage of his gallant
adversary, instantly dropped the point of his weapon. But his forbearance did
not save his noble kinsman; for, at the same instant, struck in the forehead by
a shaft which penetrated the brain, Norfolk made a convulsive spring in the
saddle, and fell prostrate on the field. Oxford, deeply affected by his death,
sadly exclaimed—“A better knight cannot die, though he might in a better
cause!”
The result of this day needs not to be told; but the anecdote of the young
Surrey, embarked in the same cause, and in fulfilment of the same oath of
fidelity which bound his father to the standard of King Richard, is worth
repeating in this place.
During the heat of the battle, conscious of his father’s fall, and exhausted
by extraordinary exertions of mind and body, he was surrounded by a
powerful body of his antagonists, each of whom was ambitious to
distinguish himself by disabling or making him prisoner. Observing at this
moment the brave Sir John Stanley in the last charge, Surrey presented to
him the hilt of his sword, and said, “The day is your own, there is my sword;
let me die by yours—but not by an ignoble hand!” “God forbid,” replied the
generous Stanley—“live for new honours. Stanley will never shed the blood
of so brave a youth. No fault attaches to you! the error was your father’s!”
“What!” rejoined Surrey, again recovering his sword; “does the noble Talbot
insult the vanquished? Loyalty, Sir Knight, is the watchword of our house.
My father revered the sacred authority of the king, though he lamented the
errors of the man. Never shall I repent the choice I have made, seeing that it
can leave no stain upon my honour. Whoever wears the crown, him will I
fight for; nay, were it placed on nothing better than a stake in that hedge, I
would draw my sword in its defence.”
The same frank and gallant bearing in the presence of Richmond after the
battle, secured for young Surrey the royal confidence.
The scene is thus described by Sir John Beaumont, in his “Bosworth
Field.”

Introduction to Modern Cryptography Principles and Protocols 1st Edition Jonathan Katz

  • 5.
    CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY Introduction to Modern Cryptography
  • 6.
    CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY
    Series Editor: Douglas R. Stinson
    Published Titles: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
    Forthcoming Titles: Burton Rosenberg, Handbook of Financial Cryptography; Maria Isabel Vasco, Spyros Magliveras, and Rainer Steinwandt, Group Theoretic Cryptography; Shiu-Kai Chin and Susan Beth Older, A Mathematical Introduction to Access Control
  • 7.
    CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY Introduction to Modern Cryptography Jonathan Katz Yehuda Lindell Boca Raton London New York Chapman & Hall/CRC is an imprint of the Taylor & Francis Group, an informa business
  • 8.
    Chapman & Hall/CRC, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
    © 2008 by Taylor & Francis Group, LLC. Chapman & Hall/CRC is an imprint of Taylor & Francis Group, an Informa business
    No claim to original U.S. Government works. Printed in the United States of America on acid-free paper. 10 9 8 7 6 5 4
    International Standard Book Number-13: 978-1-58488-551-1 (Hardcover)
    This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.
    No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
    For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
    Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
    Library of Congress Cataloging-in-Publication Data: Katz, Jonathan. Introduction to modern cryptography : principles and protocols / Jonathan Katz and Yehuda Lindell. p. cm. Includes bibliographical references and index. ISBN 978-1-58488-551-1 (alk. paper) 1. Computer security. 2. Cryptography. I. Lindell, Yehuda. II. Title. QA76.9.A25K36 2007 005.8--dc22
    Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com
    2007017861
Preface

This book presents the basic paradigms and principles of modern cryptography. It is designed to serve as a textbook for undergraduate- or graduate-level courses in cryptography (in computer science or mathematics departments), as a general introduction suitable for self-study (especially for beginning graduate students), and as a reference for students, researchers, and practitioners.

There are numerous other cryptography textbooks available today, and the reader may rightly ask whether another book on the subject is needed. We would not have written this book if the answer to that question were anything other than an unequivocal yes. The novelty of this book - and what, in our opinion, distinguishes it from all other books currently available - is that it provides a rigorous treatment of modern cryptography in an accessible manner appropriate for an introduction to the topic.

As mentioned, our focus is on modern (post-1980s) cryptography, which is distinguished from classical cryptography by its emphasis on definitions, precise assumptions, and rigorous proofs of security. We briefly discuss each of these in turn (these principles are explored in greater detail in Chapter 1):

• The central role of definitions: A key intellectual contribution of modern cryptography has been the recognition that formal definitions of security are an essential first step in the design of any cryptographic primitive or protocol. The reason, in retrospect, is simple; if you don't know what it is you are trying to achieve, how can you hope to know when you have achieved it? As we will see in this book, cryptographic definitions of security are quite strong and - at first glance - may appear impossible to achieve. One of the most amazing aspects of cryptography is that (under mild and widely-believed assumptions) efficient constructions satisfying such strong definitions can be proven to exist.

• The importance of formal and precise assumptions: As will be explained in Chapters 2 and 3, many cryptographic constructions cannot currently be proven secure in an unconditional sense. Security often relies, instead, on some widely-believed (albeit unproven) assumption. The modern cryptographic approach dictates that any such assumption must be clearly stated and unambiguously defined. This not only allows for objective evaluation of the assumption but, more importantly, enables rigorous proofs of security as described next.

• The possibility of rigorous proofs of security: The previous two ideas lead naturally to the current one, which is the realization that cryptographic constructions can be proven secure with respect to a clearly-stated definition of security and relative to a well-defined cryptographic assumption. This is the essence of modern cryptography, and what has transformed cryptography from an art to a science.

  The importance of this idea cannot be over-emphasized. Historically, cryptographic schemes were designed in a largely ad-hoc fashion, and were deemed to be secure if the designers themselves could not find any attacks. In contrast, modern cryptography promotes the design of schemes with formal, mathematical proofs of security in well-defined models. Such schemes are guaranteed to be secure unless the underlying assumption is false (or the security definition did not appropriately model the real-world security concerns). By relying on long-standing assumptions (e.g., the assumption that "factoring is hard"), it is thus possible to obtain schemes that are extremely unlikely to be broken.

A unified approach.

The above contributions of modern cryptography are relevant not only to the "theory of cryptography" community. The importance of precise definitions is, by now, widely understood and appreciated by those in the security community who use cryptographic tools to build secure systems, and rigorous proofs of security have become one of the requirements for cryptographic schemes to be standardized. As such, we do not separate "applied cryptography" from "provable security"; rather, we present practical and widely-used constructions along with precise statements (and, most of the time, a proof) of what definition of security is achieved.

Guide to Using this Book

This section is intended primarily for instructors seeking to adopt this book for their course, though the student picking up this book on his or her own may also find it a useful overview of the topics that will be covered.

Required background.
This book uses definitions, proofs, and mathematical concepts, and therefore requires some mathematical maturity. In particular, the reader is assumed to have had some exposure to proofs at the college level, say in an upper-level mathematics course or a course on discrete mathematics, algorithms, or computability theory. Having said this, we have made a significant effort to simplify the presentation and make it generally accessible. It is our belief that this book is not more difficult than analogous textbooks that are less rigorous. On the contrary, we believe that (to take one example) once security goals are clearly formulated, it often becomes easier to understand the design choices made in a particular construction.

We have structured the book so that the only formal prerequisites are a course in algorithms and a course in discrete mathematics. Even here we rely on very little material: specifically, we assume some familiarity with basic probability and big-O notation, modular arithmetic, and the idea of equating efficient algorithms with those running in polynomial time. These concepts are reviewed in Appendix A and/or when first used in the book.

Suggestions for course organization.

The core material of this book, which we strongly recommend should be covered in any introductory course on cryptography, consists of the following (starred sections are excluded in what follows; see further discussion regarding starred material below):

• Chapters 1-4 (through Section 4.6), discussing classical cryptography, modern cryptography, and the basics of private-key cryptography (both private-key encryption and message authentication).

• Chapter 5, illustrating basic design principles for block ciphers and including material on the widely-used block ciphers DES and AES.[1]

• Chapter 7, introducing concrete mathematical problems believed to be "hard", and providing the number-theoretic background needed to understand the RSA, Diffie-Hellman, and El Gamal cryptosystems. This chapter also gives the first examples of how number-theoretic assumptions are used in cryptography.

• Chapters 9 and 10, motivating the public-key setting and discussing public-key encryption (including RSA-based schemes and El Gamal encryption).

• Chapter 12, describing digital signature schemes.

• Sections 13.1 and 13.3, introducing the random oracle model and the RSA-FDH signature scheme.

[1] Although we consider this to be core material, it is not used in the remainder of the book, and so this chapter can be skipped if desired.

We believe that this core material - possibly omitting some of the more in-depth discussion and proofs - can be covered in a 30-35-hour undergraduate course. Instructors with more time available could proceed at a more leisurely pace, e.g., giving details of all proofs and going more slowly when introducing the underlying group theory and number-theoretic background. Alternatively, additional topics could be incorporated as discussed next.

Those wishing to cover additional material, in either a longer course or a faster-paced graduate course, will find that the book has been structured to allow flexible incorporation of other topics as time permits (and depending on the instructor's interests). Specifically, some of the chapters and sections are starred (*). These sections are not less important in any way, but arguably do not constitute "core material" for an introductory course in cryptography. As made evident by the course outline just given (which does not include any starred material), starred chapters and sections may be skipped - or covered at any point subsequent to their appearance in the book - without affecting the flow of the course. In particular, we have taken care to ensure that none of the later un-starred material depends on any starred material. For the most part, the starred chapters also do not depend on each other (and when they do, this dependence is explicitly noted).

We suggest the following from among the starred topics for those wishing to give their course a particular flavor:

• Theory: A more theoretically-inclined course could include material from Section 3.2.2 (building to a definition of semantic security for encryption); Sections 4.8 and 4.9 (dealing with stronger notions of security for private-key encryption); Chapter 6 (introducing one-way functions and hard-core bits, and constructing pseudorandom generators and pseudorandom functions/permutations starting from any one-way permutation); Section 10.7 (constructing public-key encryption from trapdoor permutations); Chapter 11 (describing the Goldwasser-Micali, Rabin, and Paillier encryption schemes); and Section 12.6 (showing a signature scheme that does not rely on random oracles).

• Applications: An instructor wanting to emphasize practical aspects of cryptography is highly encouraged to cover Section 4.7 (describing HMAC) and all of Chapter 13 (giving cryptographic constructions in the random oracle model).

• Mathematics: A course directed at students with a strong mathematics background - or taught by someone who enjoys this aspect of cryptography - could incorporate some of the more advanced number theory from Chapter 7 (e.g., the Chinese remainder theorem and/or elliptic-curve groups); all of Chapter 8 (algorithms for factoring and computing discrete logarithms); and selections from Chapter 11 (describing the Goldwasser-Micali, Rabin, and Paillier encryption schemes along with the necessary number-theoretic background).

Comments and Errata

Our goal in writing this book was to make modern cryptography accessible to a wide audience outside the "theoretical computer science" community. We hope you will let us know whether we have succeeded. In particular, we are always more than happy to receive feedback on this book, especially constructive comments telling us how the book can be improved. We hope there are no errors or typos in the book; if you do find any, however, we would greatly appreciate it if you let us know. (A list of known errata will be maintained at http://www.cs.umd.edu/~jkatz/imc.html.) You can email your comments and errata to jkatz@cs.umd.edu and lindell@cs.biu.ac.il; please put "Introduction to Modern Cryptography" in the subject line.
Acknowledgements

Jonathan Katz: I am indebted to Zvi Galil, Moti Yung, and Rafail Ostrovsky for their help, guidance, and support throughout my career. This book would never have come to be without their contributions to my development. I would also like to thank my colleagues with whom I have enjoyed numerous discussions on the "right" approach to writing a cryptography textbook. My work on this project was supported in part by the National Science Foundation under Grants #0627306, #0447075, and #0310751. Any opinions, findings, and conclusions or recommendations expressed in this book are my own, and do not necessarily reflect the views of the National Science Foundation.

Yehuda Lindell: I wish to first and foremost thank Oded Goldreich and Moni Naor for introducing me to the world of cryptography. Their influence is felt until today and will undoubtedly continue to be felt in the future. There are many, many other people who have also had considerable influence over the years and instead of mentioning them all, I will just say thank you - you know who you are.

We both thank Zoe Bermant for producing the figures used in this book; David Wagner for answering questions related to block ciphers and their cryptanalysis; and Salil Vadhan and Alon Rosen for experimenting with this text in an introductory course on cryptography at Harvard University and providing us with valuable feedback. We would also like to extend our gratitude to those who read and commented on earlier drafts of this book and to those who sent us corrections to previous printings: Adam Bender, Chiu-Yuen Koo, Yair Dombb, Michael Fuhr, William Glenn, S. Dov Gordon, Carmit Hazay, Eyal Kushilevitz, Avivit Levy, Matthew Mah, Ryan Murphy, Steve Myers, Martin Paraskevov, Eli Quiroz, Jason Rogers, Rui Xue, Dicky Yan, Arkady Yerukhimovich, and Hila Zarosim. Their comments have greatly improved the book and helped minimize the number of errors.

We are extremely grateful to all those who encouraged us to write this book, and concurred with our feeling that a book of this nature is badly needed.

Finally, we thank our (respective) wives and children for all their support and understanding during the many hours, days, and months that we have spent on this project.
Contents

I Introduction and Classical Cryptography

1 Introduction
  1.1 Cryptography and Modern Cryptography
  1.2 The Setting of Private-Key Encryption
  1.3 Historical Ciphers and Their Cryptanalysis
  1.4 The Basic Principles of Modern Cryptography
    1.4.1 Principle 1 - Formulation of Exact Definitions
    1.4.2 Principle 2 - Reliance on Precise Assumptions
    1.4.3 Principle 3 - Rigorous Proofs of Security
  References and Additional Reading
  Exercises

2 Perfectly-Secret Encryption
  2.1 Definitions and Basic Properties
  2.2 The One-Time Pad (Vernam's Cipher)
  2.3 Limitations of Perfect Secrecy
  2.4 *Shannon's Theorem
  2.5 Summary
  References and Additional Reading
  Exercises

II Private-Key (Symmetric) Cryptography

3 Private-Key Encryption and Pseudorandomness
  3.1 A Computational Approach to Cryptography
    3.1.1 The Basic Idea of Computational Security
    3.1.2 Efficient Algorithms and Negligible Success Probability
    3.1.3 Proofs by Reduction
  3.2 Defining Computationally-Secure Encryption
    3.2.1 The Basic Definition of Security
    3.2.2 *Properties of the Definition
  3.3 Pseudorandomness
  3.4 Constructing Secure Encryption Schemes
    3.4.1 A Secure Fixed-Length Encryption Scheme
    3.4.2 Handling Variable-Length Messages
    3.4.3 Stream Ciphers and Multiple Encryptions
  3.5 Security Against Chosen-Plaintext Attacks (CPA)
  3.6 Constructing CPA-Secure Encryption Schemes
    3.6.1 Pseudorandom Functions
    3.6.2 CPA-Secure Encryption from Pseudorandom Functions
    3.6.3 Pseudorandom Permutations and Block Ciphers
    3.6.4 Modes of Operation
  3.7 Security Against Chosen-Ciphertext Attacks (CCA)
  References and Additional Reading
  Exercises

4 Message Authentication Codes and Collision-Resistant Hash Functions
  4.1 Secure Communication and Message Integrity
  4.2 Encryption vs. Message Authentication
  4.3 Message Authentication Codes - Definitions
  4.4 Constructing Secure Message Authentication Codes
  4.5 CBC-MAC
  4.6 Collision-Resistant Hash Functions
    4.6.1 Defining Collision Resistance
    4.6.2 Weaker Notions of Security for Hash Functions
    4.6.3 A Generic "Birthday" Attack
    4.6.4 The Merkle-Damgård Transform
    4.6.5 Collision-Resistant Hash Functions in Practice
  4.7 *NMAC and HMAC
    4.7.1 Nested MAC (NMAC)
    4.7.2 HMAC
  4.8 *Constructing CCA-Secure Encryption Schemes
  4.9 *Obtaining Privacy and Message Authentication
  References and Additional Reading
  Exercises

5 Practical Constructions of Pseudorandom Permutations (Block Ciphers)
  5.1 Substitution-Permutation Networks
  5.2 Feistel Networks
  5.3 DES - The Data Encryption Standard
    5.3.1 The Design of DES
    5.3.2 Attacks on Reduced-Round Variants of DES
    5.3.3 The Security of DES
  5.4 Increasing the Key Length of a Block Cipher
  5.5 AES - The Advanced Encryption Standard
  5.6 Differential and Linear Cryptanalysis - A Brief Look
  Additional Reading and References
  Exercises

6 *Theoretical Constructions of Pseudorandom Objects
  6.1 One-Way Functions
    6.1.1 Definitions
    6.1.2 Candidate One-Way Functions
    6.1.3 Hard-Core Predicates
  6.2 Overview: From One-Way Functions to Pseudorandomness
  6.3 A Hard-Core Predicate for Any One-Way Function
    6.3.1 A Simple Case
    6.3.2 A More Involved Case
    6.3.3 The Full Proof
  6.4 Constructing Pseudorandom Generators
    6.4.1 Pseudorandom Generators with Minimal Expansion
    6.4.2 Increasing the Expansion Factor
  6.5 Constructing Pseudorandom Functions
  6.6 Constructing (Strong) Pseudorandom Permutations
  6.7 Necessary Assumptions for Private-Key Cryptography
  6.8 A Digression - Computational Indistinguishability
    6.8.1 Pseudorandomness and Pseudorandom Generators
    6.8.2 Multiple Samples
  References and Additional Reading
  Exercises

III Public-Key (Asymmetric) Cryptography

7 Number Theory and Cryptographic Hardness Assumptions
  7.1 Preliminaries and Basic Group Theory
    7.1.1 Primes and Divisibility
    7.1.2 Modular Arithmetic
    7.1.3 Groups
    7.1.4 The Group Z*_N
    7.1.5 *Isomorphisms and the Chinese Remainder Theorem
  7.2 Primes, Factoring, and RSA
    7.2.1 Generating Random Primes
    7.2.2 *Primality Testing
    7.2.3 The Factoring Assumption
    7.2.4 The RSA Assumption
  7.3 Assumptions in Cyclic Groups
    7.3.1 Cyclic Groups and Generators
    7.3.2 The Discrete Logarithm and Diffie-Hellman Assumptions
    7.3.3 Working in (Subgroups of) Z*_p
    7.3.4 *Elliptic Curve Groups
  7.4 Cryptographic Applications of Number-Theoretic Assumptions
    7.4.1 One-Way Functions and Permutations
    7.4.2 Constructing Collision-Resistant Hash Functions
  References and Additional Reading
  Exercises

8 *Factoring and Computing Discrete Logarithms
  8.1 Algorithms for Factoring
    8.1.1 Pollard's p - 1 Method
    8.1.2 Pollard's Rho Method
    8.1.3 The Quadratic Sieve Algorithm
  8.2 Algorithms for Computing Discrete Logarithms
    8.2.1 The Baby-Step/Giant-Step Algorithm
    8.2.2 The Pohlig-Hellman Algorithm
    8.2.3 The Discrete Logarithm Problem in Z_N
    8.2.4 The Index Calculus Method
  References and Additional Reading
  Exercises

9 Private-Key Management and the Public-Key Revolution
  9.1 Limitations of Private-Key Cryptography
  9.2 A Partial Solution - Key Distribution Centers
  9.3 The Public-Key Revolution
  9.4 Diffie-Hellman Key Exchange
  References and Additional Reading
  Exercises

10 Public-Key Encryption
  10.1 Public-Key Encryption - An Overview
  10.2 Definitions
    10.2.1 Security against Chosen-Plaintext Attacks
    10.2.2 Multiple Encryptions
  10.3 Hybrid Encryption
  10.4 RSA Encryption
    10.4.1 "Textbook RSA" and its Insecurity
    10.4.2 Attacks on Textbook RSA
    10.4.3 Padded RSA
  10.5 The El Gamal Encryption Scheme
  10.6 Security Against Chosen-Ciphertext Attacks
  10.7 *Trapdoor Permutations
    10.7.1 Definition
    10.7.2 Public-Key Encryption from Trapdoor Permutations
  References and Additional Reading
  Exercises

11 *Additional Public-Key Encryption Schemes
  11.1 The Goldwasser-Micali Encryption Scheme
    11.1.1 Quadratic Residues Modulo a Prime
    11.1.2 Quadratic Residues Modulo a Composite
    11.1.3 The Quadratic Residuosity Assumption
    11.1.4 The Goldwasser-Micali Encryption Scheme
  11.2 The Rabin Encryption Scheme
    11.2.1 Computing Modular Square Roots
    11.2.2 A Trapdoor Permutation Based on Factoring
    11.2.3 The Rabin Encryption Scheme
  11.3 The Paillier Encryption Scheme
    11.3.1 The Structure of Z*_{N^2}
    11.3.2 The Paillier Encryption Scheme
    11.3.3 Homomorphic Encryption
  References and Additional Reading
  Exercises

12 Digital Signature Schemes
  12.1 Digital Signatures - An Overview
  12.2 Definitions
  12.3 RSA Signatures
    12.3.1 "Textbook RSA" and its Insecurity
    12.3.2 Hashed RSA
  12.4 The "Hash-and-Sign" Paradigm
  12.5 Lamport's One-Time Signature Scheme
  12.6 *Signatures from Collision-Resistant Hashing
    12.6.1 "Chain-Based" Signatures
    12.6.2 "Tree-Based" Signatures
  12.7 The Digital Signature Standard (DSS)
  12.8 Certificates and Public-Key Infrastructures
  References and Additional Reading
  Exercises

13 Public-Key Cryptosystems in the Random Oracle Model
  13.1 The Random Oracle Methodology
    13.1.1 The Random Oracle Model in Detail
    13.1.2 Is the Random Oracle Methodology Sound?
  13.2 Public-Key Encryption in the Random Oracle Model
    13.2.1 Security Against Chosen-Plaintext Attacks
    13.2.2 Security Against Chosen-Ciphertext Attacks
    13.2.3 OAEP
  13.3 Signatures in the Random Oracle Model
  References and Additional Reading
  Exercises

Index of Common Notation

A Mathematical Background
  A.1 Identities and Inequalities
  A.2 Asymptotic Notation
  A.3 Basic Probability
  A.4 The "Birthday" Problem

B Supplementary Algorithmic Number Theory
  B.1 Integer Arithmetic
    B.1.1 Basic Operations
    B.1.2 The Euclidean and Extended Euclidean Algorithms
  B.2 Modular Arithmetic
    B.2.1 Basic Operations
    B.2.2 Computing Modular Inverses
    B.2.3 Modular Exponentiation
    B.2.4 Choosing a Random Group Element
  B.3 *Finding a Generator of a Cyclic Group
    B.3.1 Group-Theoretic Background
    B.3.2 Efficient Algorithms
  References and Additional Reading
  Exercises

References

Index
Part I
Introduction and Classical Cryptography
Chapter 1
Introduction

1.1 Cryptography and Modern Cryptography

The Concise Oxford Dictionary (2006) defines cryptography as the art of writing or solving codes. This definition may be historically accurate, but it does not capture the essence of modern cryptography. First, it focuses solely on the problem of secret communication. This is evidenced by the fact that the definition specifies "codes", elsewhere defined as "a system of pre-arranged signals, especially used to ensure secrecy in transmitting messages". Second, the definition refers to cryptography as an art form. Indeed, until the 20th century (and arguably until late in that century), cryptography was an art. Constructing good codes, or breaking existing ones, relied on creativity and personal skill. There was very little theory that could be relied upon and there was not even a well-defined notion of what constitutes a good code.

In the late 20th century, this picture of cryptography radically changed. A rich theory emerged, enabling the rigorous study of cryptography as a science. Furthermore, the field of cryptography now encompasses much more than secret communication. For example, it deals with the problems of message authentication, digital signatures, protocols for exchanging secret keys, authentication protocols, electronic auctions and elections, digital cash and more. In fact, modern cryptography can be said to be concerned with problems that may arise in any distributed computation that may come under internal or external attack. Without attempting to provide a perfect definition of modern cryptography, we would say that it is the scientific study of techniques for securing digital information, transactions, and distributed computations.

Another very important difference between classical cryptography (say, before the 1980s) and modern cryptography relates to who uses it. Historically, the major consumers of cryptography were military and intelligence organizations. Today, however, cryptography is everywhere! Security mechanisms that rely on cryptography are an integral part of almost any computer system. Users (often unknowingly) rely on cryptography every time they access a secured website. Cryptographic methods are used to enforce access control in multi-user operating systems, and to prevent thieves from extracting trade secrets from stolen laptops. Software protection methods employ encryption, authentication, and other tools to prevent copying. The list goes on and on.
In short, cryptography has gone from an art form that dealt with secret communication for the military to a science that helps to secure systems for ordinary people all across the globe. This also means that cryptography is becoming a more and more central topic within computer science.

The focus of this book is modern cryptography. Yet we will begin our study by examining the state of cryptography before the changes mentioned above. Besides allowing us to ease into the material, it will also provide an understanding of where cryptography has come from so that we can later appreciate how much it has changed. The study of "classical cryptography" - replete with ad-hoc constructions of codes, and relatively simple ways to break them - serves as good motivation for the more rigorous approach that we will be taking in the rest of the book.[1]

[1] This is our primary intent in presenting this material and, as such, this chapter should not be taken as a representative historical account. The reader interested in the history of cryptography should consult the references at the end of this chapter.

1.2 The Setting of Private-Key Encryption

As noted above, cryptography was historically concerned with secret communication. Specifically, cryptography was concerned with the construction of ciphers (now called encryption schemes) for providing secret communication between two parties sharing some information in advance. The setting in which the communicating parties share some secret information in advance is now known as the private-key (or the symmetric-key) setting. Before describing some historical ciphers, we discuss the private-key setting and encryption in more general terms.

In the private-key setting, two parties share some secret information called a key, and use this key when they wish to communicate secretly with each other. A party sending a message uses the key to encrypt (or "scramble") the message before it is sent, and the receiver uses the same key to decrypt (or "unscramble") and recover the message upon receipt. The message itself is called the plaintext, and the "scrambled" information that is actually transmitted from the sender to the receiver is called the ciphertext; see Figure 1.1. The shared key serves to distinguish the communicating parties from any other parties who may be eavesdropping on their communication (assumed to take place over a public channel).

FIGURE 1.1: The basic setting of private-key encryption.

In this setting, the same key is used to convert the plaintext into a ciphertext and back. This explains why this setting is also known as the symmetric-key setting, where the symmetry lies in the fact that both parties hold the same key which is used for both encryption and decryption. This is in contrast to the setting of asymmetric encryption (introduced in Chapter 9), where the sender and receiver do not share any secrets and different keys are used for encryption and decryption. The private-key setting is the classic one, as we will see later in this chapter.

An implicit assumption in any system using private-key encryption is that the communicating parties have some way of initially sharing a key in a secret manner. (Note that if one party simply sends the key to the other over the public channel, an eavesdropper obtains the key too!) In military settings, this is not a severe problem because communicating parties are able to physically meet in a secure location in order to agree upon a key. In many modern settings, however, parties cannot arrange any such physical meeting. As we will see in Chapter 9, this is a source of great concern and actually limits the applicability of cryptographic systems that rely solely on private-key methods. Despite this, there are still many settings where private-key methods suffice and are in wide use; one example is disk encryption, where the same user (at different points in time) uses a fixed secret key to both write to and read from the disk. As we will explore further in Chapter 10, private-key encryption is also widely used in conjunction with asymmetric methods.

The syntax of encryption.

A private-key encryption scheme is comprised of three algorithms: the first is a procedure for generating keys, the second a procedure for encrypting, and the third a procedure for decrypting. These have the following functionality:

1. The key-generation algorithm Gen is a probabilistic algorithm that outputs a key k chosen according to some distribution that is determined by the scheme.
2. The encryption algorithm Enc takes as input a key k and a plaintext message m and outputs a ciphertext c. We denote by Enc_k(m) the encryption of the plaintext m using the key k.

3. The decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a plaintext m. We denote the decryption of the ciphertext c using the key k by Dec_k(c).

The set of all possible keys output by the key-generation algorithm is called the key space and is denoted by K. Almost always, Gen simply chooses a key uniformly at random from the key space (in fact, one can assume without loss of generality that this is the case). The set of all "legal" messages (i.e., those supported by the encryption algorithm) is denoted M and is called the plaintext (or message) space. Since any ciphertext is obtained by encrypting some plaintext under some key, the sets K and M together define a set of all possible ciphertexts denoted by C. An encryption scheme is fully defined by specifying the three algorithms (Gen, Enc, Dec) and the plaintext space M.

The basic correctness requirement of any encryption scheme is that for every key k output by Gen and every plaintext message m ∈ M, it holds that

In words, decrypting a ciphertext (using the appropriate key) yields the original message that was encrypted.

Recapping our earlier discussion, an encryption scheme would be used by two parties who wish to communicate as follows. First, Gen is run to obtain a key k that the parties share. When one party wants to send a plaintext m to the other, he computes c := Enc_k(m) and sends the resulting ciphertext c over the public channel to the other party.[2] Upon receiving c, the other party computes m := Dec_k(c) to recover the original plaintext.

Keys and Kerckhoffs' principle.
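The (Gen, Enc, Dec) syntax, the correctness requirement and the Gen/Enc/Dec session recapped above, written out as an added example (not code from the book). The XOR-based scheme, the class and function names, and the deliberately broken AND variant are assumptions chosen for illustration; everything except the key returned by gen is public.

```python
import secrets
from itertools import product


class XorScheme:
    """Private-key scheme (Gen, Enc, Dec) with K = M = C = {n-byte strings}.

    Assumption of this example: Enc XORs the message with the key bytewise.
    Everything in this class is public; the only secret is the value
    returned by gen().
    """

    def __init__(self, n):
        self.n = n

    def _require(self, name, value):
        if not isinstance(value, bytes) or len(value) != self.n:
            raise ValueError(f"{name} must be exactly {self.n} bytes")

    def gen(self):
        # Gen: probabilistic; outputs k chosen uniformly from the key space K.
        return secrets.token_bytes(self.n)

    def enc(self, k, m):
        # Enc_k(m): rejects anything outside the plaintext space M.
        self._require("key", k)
        self._require("plaintext", m)
        return bytes(a ^ b for a, b in zip(k, m))

    def dec(self, k, c):
        # Dec_k(c): XOR with the same key undoes Enc_k.
        self._require("key", k)
        self._require("ciphertext", c)
        return bytes(a ^ b for a, b in zip(k, c))

    def key_space(self):
        return (bytes(t) for t in product(range(256), repeat=self.n))

    def message_space(self):
        return (bytes(t) for t in product(range(256), repeat=self.n))


class BrokenScheme(XorScheme):
    """Same Gen and Dec, but Enc uses AND, so Dec cannot invert it."""

    def enc(self, k, m):
        self._require("key", k)
        self._require("plaintext", m)
        return bytes(a & b for a, b in zip(k, m))


def find_correctness_violation(scheme):
    """Return the first (k, m) with Dec_k(Enc_k(m)) != m, or None if none exists.

    Exhaustive over K x M, so only use it with a small n.
    """
    for k in scheme.key_space():
        for m in scheme.message_space():
            if scheme.dec(k, scheme.enc(k, m)) != m:
                return (k, m)
    return None


def ciphertext_space(scheme):
    """The set C of all ciphertexts, as defined by K and M together."""
    return {scheme.enc(k, m)
            for k in scheme.key_space()
            for m in scheme.message_space()}


def run_session(scheme, m):
    """Gen once, sender computes c := Enc_k(m), receiver computes Dec_k(c)."""
    k = scheme.gen()              # shared in advance, never sent in the clear
    c = scheme.enc(k, m)          # the only value sent over the public channel
    return k, c, scheme.dec(k, c)


if __name__ == "__main__":
    toy = XorScheme(1)            # 256 keys, 256 messages: small enough to enumerate
    print("XOR violation:", find_correctness_violation(toy))
    print("|C| =", len(ciphertext_space(toy)))
    print("AND violation:", find_correctness_violation(BrokenScheme(1)))
    k, c, recovered = run_session(XorScheme(16), b"meet at the cafe")  # constructed message
    print("ciphertext:", c.hex(), "recovered:", recovered)
```

The exhaustive check passes for the XOR scheme and returns a concrete failing (key, message) pair for the AND variant, which shows that the correctness requirement is a real constraint on which triples of algorithms count as an encryption scheme.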
As is clear from the above formulation, if an eavesdropping adversary knows the algorithm Dec as well as the key k shared by the two communicating parties, then that adversary will be able to decrypt all communication between these parties. It is for this reason that the communicating parties must share the key k secretly, and keep k completely secret from everyone else. But maybe they should keep the decryption algorithm Dec a secret, too? For that matter, perhaps all the algorithms constituting the encryption scheme (i.e., Gen and Enc as well) should be kept secret? (Note that the plaintext space $\mathcal{M}$ is typically assumed to be known, e.g., it may consist of English-language sentences.)

[2] Throughout the book, we use ":=" to denote the assignment operation. A list of common notation can be found in the back of the book.

In the late 19th century, Auguste Kerckhoffs gave his opinion on this matter in a paper he published outlining important design principles for military ciphers. One of the most important of these principles (now known simply as Kerckhoffs' principle) is the following:

The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.

In other words, the encryption scheme itself should not be kept secret, and so only the key should constitute the secret information shared by the communicating parties.

Kerckhoffs' intention was that an encryption scheme should be designed so as to be secure even if an adversary knows the details of all the component algorithms of the scheme, as long as the adversary doesn't know the key being used. Stated differently, Kerckhoffs' principle demands that security rely solely on the secrecy of the key. But why?

There are three primary arguments in favor of Kerckhoffs' principle. The first is that it is much easier for the parties to maintain secrecy of a short key than to maintain secrecy of an algorithm. It is easier to share a short (say, 100-bit) string and store this string securely than it is to share and securely store a program that is thousands of times larger. Furthermore, details of an algorithm can be leaked (perhaps by an insider) or learned through reverse engineering; this is unlikely when the secret information takes the form of a randomly-generated string.

A second argument in favor of Kerckhoffs' principle is that in case the key is exposed, it will be much easier for the honest parties to change the key than to replace the algorithm being used. Actually, it is good security practice to refresh a key frequently even when it has not been exposed, and it would be much more cumbersome to replace the software being used instead.

Finally, in case many pairs of people (say, within a company) need to encrypt their communication, it will be significantly easier for all parties to use the same algorithm/program, but different keys, than for everyone to use a different program (which would furthermore depend on the party with whom they are communicating).

Today, Kerckhoffs' principle is understood as not only advocating that security should not rely on secrecy of the algorithms being used, but also demanding that these algorithms be made public. This stands in stark contrast to the notion of "security by obscurity" which is the idea that improved security can be achieved by keeping a cryptographic algorithm hidden. Some of the advantages of "open cryptographic design", where algorithm specifications are made public, include the following:

1. Published designs undergo public scrutiny and are therefore likely to be stronger. Many years of experience have demonstrated that it is very difficult to construct good cryptographic schemes. Therefore, our confidence in the security of a scheme is much higher if it has been extensively studied (by experts other than the designers of the scheme themselves) and no weaknesses have been found.
2. It is better for security flaws, if they exist, to be revealed by "ethical hackers" (leading, hopefully, to the system being fixed) rather than having these flaws be known only to malicious parties.

3. If the security of the system relies on the secrecy of the algorithm, then reverse engineering of the code (or leakage by industrial espionage) poses a serious threat to security. This is in contrast to the secret key which is not part of the code, and so is not vulnerable to reverse engineering.

4. Public design enables the establishment of standards.

As simple and obvious as it may sound, the principle of open cryptographic design (i.e., Kerckhoffs' principle) is ignored over and over again with disastrous results. It is very dangerous to use a proprietary algorithm (i.e., a non-standardized algorithm that was designed in secret by some company), and only publicly tried and tested algorithms should be used. Fortunately, there are enough good algorithms that are standardized and not patented, so that there is no reason whatsoever today to use something else.

Attack scenarios. We wrap up our general discussion of encryption with a brief discussion of some basic types of attacks against encryption schemes. In order of severity, these are:

• Ciphertext-only attack: This is the most basic type of attack and refers to the scenario where the adversary just observes a ciphertext (or multiple ciphertexts) and attempts to determine the underlying plaintext (or plaintexts).

• Known-plaintext attack: Here, the adversary learns one or more pairs of plaintexts/ciphertexts encrypted under the same key. The aim of the adversary is then to determine the plaintext that was encrypted in some other ciphertext (for which it does not know the corresponding plaintext).

• Chosen-plaintext attack: In this attack, the adversary has the ability to obtain the encryption of plaintexts of its choice. It then attempts to determine the plaintext that was encrypted in some other ciphertext.

• Chosen-ciphertext attack: The final type of attack is one where the adversary is even given the capability to obtain the decryption of ciphertexts of its choice. The adversary's aim, once again, is to determine the plaintext that was encrypted in some other ciphertext (whose decryption the adversary is unable to obtain directly).

The first two types of attacks are passive in that the adversary just receives some ciphertexts (and possibly some corresponding plaintexts as well) and then launches its attack. In contrast, the last two types of attacks are active in that the adversary can adaptively ask for encryptions and/or decryptions of its choice.
The first two attacks described above are clearly realistic. A ciphertext-only attack is the easiest to carry out in practice; the only thing the adversary needs is to eavesdrop on the public communication line over which encrypted messages are sent. In a known-plaintext attack it is assumed that the adversary somehow also obtains the plaintext messages corresponding to the ciphertexts that it viewed. This is often realistic because not all encrypted messages are confidential, at least not indefinitely. As a trivial example, two parties may always encrypt a "hello" message whenever they begin communicating. As a more complex example, encryption may be used to keep quarterly earnings results secret until their release date. In this case, anyone eavesdropping and obtaining the ciphertext will later obtain the corresponding plaintext. Any reasonable encryption scheme must therefore remain secure against an adversary that can launch a known-plaintext attack.

The two latter active attacks may seem somewhat strange and require justification. (When do parties encrypt and decrypt whatever an adversary wishes?) We defer a more detailed discussion of these attacks to the place in the text where security against these attacks is formally defined: Section 3.5 for chosen-plaintext attacks and Section 3.7 for chosen-ciphertext attacks.

Different applications of encryption may require the encryption scheme to be resilient to different types of attacks. It is not always the case that an encryption scheme secure against the "strongest" type of attack should be used, since it may be less efficient than an encryption scheme secure against "weaker" attacks. Therefore, the latter may be preferred if it suffices for the application at hand.

1.3 Historical Ciphers and Their Cryptanalysis

In our study of "classical cryptography" we will examine some historical ciphers and show that they are completely insecure. As stated earlier, our main aims in presenting this material are (1) to highlight the weaknesses of an "ad-hoc" approach to cryptography, and thus motivate the modern, rigorous approach that will be discussed in the following section, and (2) to demonstrate that "simple approaches" to achieving secure encryption are unlikely to succeed, and show why this is the case. Along the way, we will present some central principles of cryptography which can be learned from the weaknesses of these historical schemes.

In this section (and this section only), plaintext characters are written in lower case and ciphertext characters are written in UPPER CASE. When describing attacks on schemes, we always apply Kerckhoffs' principle and assume that the scheme is known to the adversary (but the key being used is not).
Caesar's cipher. One of the oldest recorded ciphers, known as Caesar's cipher, is described in "De Vita Caesarum, Divus Iulius" ("The Lives of the Caesars, The Deified Julius"), written in approximately 110 C.E.:

There are also letters of his to Cicero, as well as to his intimates on private affairs, and in the latter, if he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others.

That is, Julius Caesar encrypted by rotating the letters of the alphabet by 3 places: a was replaced with D, b with E, and so on. Of course, at the end of the alphabet, the letters wrap around and so x was replaced with A, y with B, and z with C. For example, the short message begin the attack now, with spaces removed, would be encrypted as:

EHJLQWKHDWWDFNQRZ

making it unintelligible.

An immediate problem with this cipher is that the method is fixed. Thus, anyone learning how Caesar encrypted his messages would be able to decrypt effortlessly. This can be seen also if one tries to fit Caesar's cipher into the syntax of encryption described earlier: the key-generation algorithm Gen is trivial (that is, it does nothing) and there is no secret key to speak of.

Interestingly, a variant of this cipher called ROT-13 (where the shift is 13 places instead of 3) is widely used nowadays in various online forums. It is understood that this does not provide any cryptographic security, and ROT-13 is used merely to ensure that the text (say, a movie spoiler) is unintelligible unless the reader of a message consciously chooses to decrypt it.

The shift cipher and the sufficient key space principle. Caesar's cipher suffers from the fact that encryption is always done in the same way, and there is no secret key.
The shift cipher is similar to Caesar's cipher, but a secret key is introduced.[3] Specifically, in the shift cipher the key k is a number between 0 and 25. Then, to encrypt, letters are rotated by k places as in Caesar's cipher. Mapping this to the syntax of encryption described earlier, this means that algorithm Gen outputs a random number k in the set {0, ..., 25}; algorithm Enc takes a key k and a plaintext written using English letters and shifts each letter of the plaintext forward k positions (wrapping around from z to a); and algorithm Dec takes a key k and a ciphertext written using English letters and shifts every letter of the ciphertext backward k positions (this time wrapping around from a to z). The plaintext message space $\mathcal{M}$ is defined to be all finite strings of characters from the English alphabet (note that numbers, punctuation, or other characters are not allowed in this scheme).

[3] In some books, "Caesar's cipher" and "shift cipher" are used interchangeably.

A more mathematical description of this method can be obtained by viewing the alphabet as the numbers 0, ..., 25 (rather than as English characters). First, some notation: if a is an integer and N is an integer greater than 1, we define [a mod N] as the remainder of a upon division by N. Note that [a mod N] is an integer between 0 and N - 1, inclusive. We refer to the process mapping a to [a mod N] as reduction modulo N; we will have much more to say about reduction modulo N beginning in Chapter 7. Using this notation, encryption of a plaintext character $m_i$ with the key k gives the ciphertext character $[(m_i + k) \bmod 26]$, and decryption of a ciphertext character $c_i$ is defined by $[(c_i - k) \bmod 26]$. In this view, the message space $\mathcal{M}$ is defined to be any finite sequence of integers that lie in the range {0, ..., 25}.

Is the shift cipher secure? Before reading on, try to decrypt the following message that was encrypted using the shift cipher and a secret key k (whose value we will not reveal):

OVDTHUFWVZZPISLRLFZHYLAOLYL.

Is it possible to decrypt this message without knowing k? Actually, it is completely trivial! The reason is that there are only 26 possible keys. Thus, it is easy to try every key, and see which key decrypts the ciphertext into a plaintext that "makes sense". Such an attack on an encryption scheme is called a brute-force attack or exhaustive search. Clearly, any secure encryption scheme must not be vulnerable to such a brute-force attack; otherwise, it can be completely broken, irrespective of how sophisticated the encryption algorithm is.
This brings us to a trivial, yet important, principle called the "sufficient key space principle":

Any secure encryption scheme must have a key space that is not vulnerable to exhaustive search.[4]

[4] This is actually only true if the message space is larger than the key space (see Chapter 2 for an example where security is achieved using a small key space as long as the message space is even smaller). In practice, when very long messages are typically encrypted with the same key, the key space must not be vulnerable to exhaustive search.

In today's age, an exhaustive search may use very powerful computers, or many thousands of PC's that are distributed around the world. Thus, the number of possible keys must be very large (at least $2^{60}$ or $2^{70}$).

We emphasize that the above principle gives a necessary condition for security, not a sufficient one. We will see next an encryption scheme that has a very large key space but which is still insecure.

Mono-alphabetic substitution. The shift cipher maps each plaintext character to a different ciphertext character, but the mapping in each case is given by the same shift (the value of which is determined by the key). The idea behind mono-alphabetic substitution is to map each plaintext character to a different ciphertext character in an arbitrary manner, subject only to the fact that the mapping must be one-to-one in order to enable decryption. The key space thus consists of all permutations of the alphabet, meaning that the size of the key space is $26! = 26 \cdot 25 \cdot 24 \cdots 2 \cdot 1$ (or approximately $2^{88}$) if we are working with the English alphabet. As an example, the key

a b c d e f g h i j k l m n o p q r s t u v w x y z
X E U A D N B K V M R O C Q F S Y H W G L Z I J P T

in which a maps to X, etc., would encrypt the message tellhimaboutme to GDOOKVCXEFLGCD. A brute force attack on the key space for this cipher takes much longer than a lifetime, even using the most powerful computer known today. However, this does not necessarily mean that the cipher is secure. In fact, as we will show now, it is easy to break this scheme even though it has a very large key space.

Assume that English-language text is being encrypted (i.e., the text is grammatically-correct English writing, not just text written using characters of the English alphabet). It is then possible to attack the mono-alphabetic substitution cipher by utilizing statistical patterns of the English language (of course, the same attack works for any language). The two properties of this cipher that are utilized in the attack are as follows:

1. In this cipher, the mapping of each letter is fixed, and so if e is mapped to D, then every appearance of e in the plaintext will result in the appearance of D in the ciphertext.

2. The probability distribution of individual letters in the English language (or any other) is known. That is, the average frequency counts of the different English letters are quite invariant over different texts. Of course, the longer the text, the closer the frequency counts will be to the average.
However, even relatively short texts (consisting of only tens of words) have distributions that are "close enough" to the average.

The attack works by tabulating the probability distribution of the ciphertext and then comparing it to the known probability distribution of letters in English text (see Figure 1.2). The probability distribution being tabulated in the attack is simply the frequency count of each letter in the ciphertext (i.e., a table saying that A appeared 4 times, B appeared 11 times, and so on). Then, we make an initial guess of the mapping defined by the key based on the frequency counts. For example, since e is the most frequent letter in English, we will guess that the most frequent character in the ciphertext corresponds to the plaintext character e, and so on. Unless the ciphertext is quite long, some of the guesses are likely to be wrong. Even for quite short ciphertexts, however, the guesses will be good enough to enable relatively quick decryption (especially utilizing other knowledge of the English language, such as the fact that between t and e, the character h is likely to appear, and the fact that u generally follows q).

[FIGURE 1.2: Average letter frequencies for English-language text.]

Actually, it should not be very surprising that the mono-alphabetic substitution cipher can be quickly broken, since puzzles based on this cipher appear in newspapers (and are solved by some people before their morning coffee)! We recommend that you try to decipher the following message - this should help convince you how easy the attack is to carry out (of course, you should use Figure 1.2 to help you):

JGRMQOYGHMVBJWRWQFPWHGFFDQGFPFZRKBEEBJIZQQOCIBZKLFAFGQVFZFWWE
OGWOPFGFHWOLPHLRLOLFDMFGQWBLWBWQOLKFWBYLBLYLFSFLJGRMQBOLWJVFP
FWQVHQWFFPQOQVFPQOCFPOGFWFJIGFQVHLHLROQVFGWJVFPFOLFHGQVQVFILE
OGQILHQFQGIQVVOSFAFGBWQVHQWIJVWJVFPFWHGFIWIHZZRQGBABHZQOCGFHX

We conclude that, although the mono-alphabetic cipher has a very large key space, it is still completely insecure.

An improved attack on the shift cipher. We can use character frequency tables to give an improved attack on the shift cipher. Specifically, our previous attack on the shift cipher required us to decrypt the ciphertext using each possible key, and then check to see which key results in a plaintext that "makes sense". A drawback of this approach is that it is difficult to automate, since it is difficult for a computer to check whether some plaintext "makes sense". (We do not claim this is impossible, as it can certainly be done using a dictionary of valid English words. We only claim that it is not trivial.) Moreover, there may be cases - we will see one below - where the plaintext characters are distributed according to English-language text but the plaintext itself is not valid English text, making the problem harder.

As before, associate the letters of the English alphabet with the numbers 0, ..., 25. Let $p_i$, for $0 \le i \le 25$, denote the probability of the ith letter in normal English text. A simple calculation using known values of $p_i$ gives

$$\sum_{i=0}^{25} p_i^2 \approx 0.065. \qquad (1.1)$$

Now, say we are given some ciphertext and let $q_i$ denote the probability of the ith letter in this ciphertext ($q_i$ is simply the number of occurrences of the ith letter divided by the length of the ciphertext). If the key is k, then we expect that $q_{i+k}$ should be roughly equal to $p_i$ for every i. (We use $i + k$ instead of the more cumbersome $[i + k \bmod 26]$.) Equivalently, if we compute

$$I_j \stackrel{\text{def}}{=} \sum_{i=0}^{25} p_i \cdot q_{i+j}$$

for each value of $j \in \{0, \ldots, 25\}$, then we expect to find that $I_k \approx 0.065$ where k is the key that is actually being used (whereas $I_j$ for $j \neq k$ is expected to be different). This leads to a key-recovery attack that is easy to automate: compute $I_j$ for all j, and then output the value k for which $I_k$ is closest to 0.065.

The Vigenère (poly-alphabetic shift) cipher. As we have described, the statistical attack on the mono-alphabetic substitution cipher could be carried out because the mapping of each letter was fixed. Thus, such an attack can be thwarted by mapping different instances of the same plaintext character to different ciphertext characters. This has the effect of "smoothing out" the probability distribution of characters in the ciphertext. For example, consider the case that e is sometimes mapped to G, sometimes to P, and sometimes to Y. Then, the ciphertext letters G, P, and Y will most likely not stand out as more frequent, because other less-frequent characters will also be mapped to them. Thus, counting the character frequencies will not offer much information about the mapping.

The Vigenère cipher works by applying multiple shift ciphers in sequence.
That is, a short, secret word is chosen as the key, and then the plaintext is encrypted by "adding" each plaintext character to the next character of the key (as in the shift cipher), wrapping around in the key when necessary. For example, an encryption of the message tellhimaboutme using the key cafe would work as follows:

Plaintext:  tellhimaboutme
Key:        cafecafecafeca
Ciphertext: WFRQKJSFEPAYPF
(The key need not be an actual English word.) This is exactly the same as encrypting the first, fifth, ninth, and so on characters with the shift cipher and key k = 3, the second, sixth, tenth, and so on characters with key k = 1, the third, seventh, and so on characters with k = 6 and the fourth, eighth, and so on characters with k = 5. Thus, it is a repeated shift cipher using different keys. Notice that in the above example l is mapped once to R and once to Q. Furthermore, the ciphertext character F is sometimes obtained from e and sometimes from a. Thus, the character frequencies in the ciphertext are "smoothed", as desired.

If the key is a sufficiently-long word (chosen at random), then cracking this cipher seems to be a daunting task. Indeed, it was considered by many to be an unbreakable cipher, and although it was invented in the 16th century a systematic attack on the scheme was only devised hundreds of years later.

Breaking the Vigenère cipher. A first observation in attacking the Vigenère cipher is that if the length of the key is known, then the task is relatively easy. Specifically, say the length of the key is t (this is sometimes called the period). Then the ciphertext can be divided into t parts where each part can be viewed as being encrypted using a single instance of the shift cipher. That is, let $k = k_1, \ldots, k_t$ be the key (each $k_i$ is a letter of the alphabet) and let $c_1, c_2, \ldots$ be the ciphertext characters. Then, for every j ($1 \le j \le t$) the set of characters were all encrypted by a shift cipher using key $k_j$. All that remains is therefore to determine, for each j, which of the 26 possible keys is the correct one. This is not as trivial as in the case of the shift cipher, because by guessing a single letter of the key it is no longer possible to determine if the decryption "makes sense".
Furthermore, checking for all values of j simultaneously would require a brute force search through $26^t$ different possible keys (which is infeasible for t greater than, say, 15). Nevertheless, we can still use the statistical method described earlier. That is, for every set of ciphertext characters relating to a given key (that is, for each value of j), it is possible to tabulate the frequency of each ciphertext character and then check which of the 26 possible shifts yields the "right" probability distribution. Since this can be carried out separately for each key, the attack can be carried out very quickly; all that is required is to build t frequency tables (one for each of the subsets of the characters) and compare them to the real probability distribution.

An alternate, somewhat easier approach, is to use the improved method for attacking the shift cipher that we showed earlier. Recall that this improved attack does not rely on checking for a plaintext that "makes sense", but only relies on the underlying probability distribution of characters in the plaintext.

Either of the above approaches give successful attacks when the key length is known. It remains to show how to determine the length of the key.

Kasiski's method, published in the mid-19th century, gives one approach for solving this problem. The first step is to identify repeated patterns of length 2 or 3 in the ciphertext. These are likely to be due to certain bigrams or trigrams that appear very often in the English language. For example, consider the word "the" that appears very often in English text. Clearly, "the" will be mapped to different ciphertext characters, depending on its position in the text. However, if it appears twice in the same relative position, then it will be mapped to the same ciphertext characters. For example, if it appears in positions $t + j$ and $2t + i$ (where $i \neq j$) then it will be mapped to different characters each time. However, if it appears in positions $t + j$ and $2t + j$, then it will be mapped to the same ciphertext characters. In a long enough text, there is a good chance that "the" will be mapped repeatedly to the same ciphertext characters.

Consider the following concrete example with the key beads (spaces have been added for clarity):

Plaintext:  the man and the woman retrieved the letter from the post office
Key:        bea dsb ead sbe adsbe adsbeadsb ean sdeads bead sbe adsb eadbea
Ciphertext: VMF QTP FOH MJJ XSFCS SIMTNFZXF YIS EIYUIK HWPQ MJJ QSLV TGJKGF

The word the is mapped sometimes to VMF, sometimes to MJJ and sometimes to YIS. However, it is mapped twice to MJJ, and in a long enough text it is likely that it would be mapped multiple times to each of the possibilities. The main observation of Kasiski is that the distance between such multiple appearances (except for some coincidental ones) is a multiple of the period length. (In the above example, the period length is 5 and the distance between the two appearances of MJJ is 40, which is 8 times the period length.) Therefore, the greatest common divisor of all the distances between the repeated sequences should yield the period length t or a multiple thereof.

An alternative approach, called the index of coincidence method, is a bit more algorithmic and hence easier to automate.
Recall that if the key-length is t, then the ciphertext characters are encrypted using the same shift. This means that the frequencies of the characters in this sequence are expected to be identical to the character frequencies of standard English text except in some shifted order. In more detail: let $q_i$ denote the frequency of the ith English letter in the sequence above (once again, this is simply the number of occurrences of the ith letter divided by the total number of letters in the sequence). If the shift used here is $k_1$ (this is just the first character of the key), then we expect $q_{i+k_1}$ to be roughly equal to $p_i$ for all i, where $p_i$ is again the frequency of the ith letter in standard English text. But this means that the sequence $p_0, \ldots, p_{25}$ is just the sequence $q_0, \ldots, q_{25}$ shifted by $k_1$ places. As a consequence, we expect that (see Equation (1.1)):

$$\sum_{i=0}^{25} q_i^2 = \sum_{i=0}^{25} p_i^2 \approx 0.065.$$
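The statistics used in these attacks can be computed directly. The following Python code is an added example, not code from the book: it recovers a shift-cipher key with the $I_j$ test, then breaks a Vigenère ciphertext by scanning candidate periods with the sum of squared stream frequencies and applying the $I_j$ test to each stream. The frequency table, the 0.057 threshold, the sample plaintext and all function names are assumptions of the example; key letters are converted to shifts as in the page's worked examples (a adds 1, c adds 3).

```python
from collections import Counter

# Approximate English letter frequencies p_0..p_25 (a..z), in percent.
# ASSUMPTION: commonly cited averages, not values read off Figure 1.2.
P = [x / 100 for x in (
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.2, 0.8, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.2, 2.0, 0.1)]

# Constructed sample plaintext (written for this example, not from the book).
SAMPLE = (
    "the history of secret writing shows that clever designs are not "
    "enough to protect a message from a patient adversary who studies "
    "the ciphertext with care and counts how often each letter appears "
    "a scheme that hides the method but uses a small set of keys can be "
    "searched by hand in an afternoon and a scheme with a huge set of "
    "keys can still fall when the statistics of the language leak "
    "through the encryption for this reason the modern approach starts "
    "from a precise definition of security states every assumption in "
    "the open and then gives a proof that the construction meets the "
    "definition the parties keep only a short random key secret change "
    "it often and rely on public algorithms that many experts have "
    "examined over the years without finding a weakness when the sender "
    "and the receiver follow these principles they can trust the "
    "channel even though the enemy knows exactly how the system works "
    "history also teaches that a cipher which resisted attack for "
    "hundreds of years was finally broken by simple counting so "
    "confidence must rest on analysis rather than on reputation")


def letters(text):
    """Map a..z / A..Z to 0..25 and drop every other character."""
    return [ord(ch) - 97 for ch in text.lower() if "a" <= ch <= "z"]


def shift_encrypt(plaintext, k):
    """Shift cipher: c_i = [(m_i + k) mod 26], ciphertext in upper case."""
    return "".join(chr(65 + (m + k) % 26) for m in letters(plaintext))


def vigenere_encrypt(plaintext, key):
    """Vigenere cipher with the page's key convention (a=1, ..., z=26=0)."""
    s = [(x + 1) % 26 for x in letters(key)]
    return "".join(chr(65 + (m + s[i % len(s)]) % 26)
                   for i, m in enumerate(letters(plaintext)))


def freqs(nums):
    """q_0..q_25: occurrences of each letter divided by the length."""
    counts = Counter(nums)
    return [counts[i] / len(nums) for i in range(26)]


def recover_shift(cipher_nums):
    """Return the k whose I_k = sum_i p_i * q_{i+k} is closest to 0.065."""
    q = freqs(cipher_nums)
    scores = [sum(P[i] * q[(i + j) % 26] for i in range(26))
              for j in range(26)]
    return min(range(26), key=lambda j: abs(scores[j] - 0.065))


def stream_score(cipher_nums, tau):
    """Sum of squared frequencies, averaged over the tau streams
    c_j, c_{j+tau}, c_{j+2tau}, ... (averaging is this example's choice
    to reduce noise; a single stream gives the same expectation)."""
    return sum(sum(x * x for x in freqs(cipher_nums[j::tau]))
               for j in range(tau)) / tau


def find_period(cipher_nums, max_tau=12, threshold=0.057):
    """Smallest tau whose score lies on the 0.065 side of the threshold.
    ASSUMPTION: 0.057 is set above the midpoint of 0.038 and 0.065 because
    short streams inflate the sum of squares by roughly 1/length."""
    for tau in range(1, min(max_tau, len(cipher_nums)) + 1):
        if stream_score(cipher_nums, tau) > threshold:
            return tau
    raise ValueError("no period found: ciphertext too short or not English")


def break_vigenere(ciphertext):
    """Ciphertext-only attack: returns (period, key, plaintext)."""
    c = letters(ciphertext)
    t = find_period(c)
    shifts = [recover_shift(c[j::t]) for j in range(t)]
    key = "".join(chr(97 + (s - 1) % 26) for s in shifts)
    plain = "".join(chr(97 + (x - shifts[i % t]) % 26)
                    for i, x in enumerate(c))
    return t, key, plain


if __name__ == "__main__":
    print(recover_shift(letters(shift_encrypt(SAMPLE, 11))))
    period, key, plain = break_vigenere(vigenere_encrypt(SAMPLE, "beads"))
    print(period, key, plain[:40])
```

The attack never checks whether a candidate plaintext "makes sense"; it relies only on letter statistics, which is why it needs a ciphertext of several hundred letters for a period of 5.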
This leads to a nice way to determine the key length t. For $\tau = 1, 2, \ldots$, look at the sequence of ciphertext characters $c_1, c_{1+\tau}, c_{1+2\tau}, \ldots$ and tabulate $q_0, \ldots, q_{25}$ for this sequence. Then compute

$$S_\tau \stackrel{\text{def}}{=} \sum_{i=0}^{25} q_i^2.$$

When $\tau = t$ we expect to see $S_\tau \approx 0.065$ as discussed above. On the other hand, for $\tau \neq t$ we expect (roughly speaking) that all characters will occur with roughly equal probability in the sequence $c_1, c_{1+\tau}, c_{1+2\tau}, \ldots$, and so we expect $q_i \approx 1/26$ for all i. In this case we will obtain

$$S_\tau \approx \sum_{i=0}^{25} \left(\frac{1}{26}\right)^2 \approx 0.038,$$

which is sufficiently different from 0.065 for this technique to work.

Ciphertext length and cryptanalytic attacks. The above attacks on the Vigenère cipher require a longer ciphertext than for previous schemes. For example, a large ciphertext is needed for determining the period if Kasiski's method is used. Furthermore, statistics are needed for t different parts of the ciphertext, and the frequency table of a message converges to the average as its length grows (and so the ciphertext needs to be approximately t times longer than in the case of the mono-alphabetic substitution cipher). Similarly, the attack that we showed for the mono-alphabetic substitution cipher requires a longer ciphertext than for the attacks on the shift cipher (which can work for messages consisting of just a single word). This phenomenon is not coincidental, and relates to the size of the key space for each encryption scheme.

Ciphertext-only vs. known-plaintext attacks. The attacks described above are all ciphertext-only attacks (recall that this is the easiest type of attack to carry out in practice). All the above ciphers are trivially broken if the adversary is able to carry out a known-plaintext attack; we leave a demonstration of this as an exercise.

Conclusions and discussion. We have presented only a few historical ciphers. Beyond their general historical interest, our aim in presenting them was to illustrate some important lessons regarding cryptographic design. Stated briefly, these lessons are:

1. Sufficient key space principle: Assuming sufficiently-long messages are being encrypted, a secure encryption scheme must have a key space that cannot be searched exhaustively in a reasonable amount of time. However, a large key space does not by itself imply security (e.g., the mono-alphabetic substitution cipher has a large key space but is trivial to break). Thus, a large key space is a necessary requirement, but not a sufficient one.
2. Designing secure ciphers is a hard task: The Vigenère cipher remained unbroken for a long time, partially due to its presumed complexity. Far more complex schemes have also been used, such as the German Enigma. Nevertheless, this complexity does not imply security and all historical ciphers can be completely broken. In general, it is very hard to design a secure encryption scheme, and such design should be left to experts.

The history of classical encryption schemes is fascinating, both with respect to the methods used as well as the influence of cryptography and cryptanalysis on world history (in World War II, for example). Here, we have only tried to give a taste of some of the more basic methods, with a focus on what modern cryptography can learn from these attempts.

1.4 The Basic Principles of Modern Cryptography

The previous section has given a taste of historical cryptography. It is fair to say that, historically, cryptography was more of an art than any sort of science: schemes were designed in an ad-hoc manner and then evaluated based on their perceived complexity or cleverness. Unfortunately, as we have seen, all such schemes (no matter how clever) were eventually broken.

Modern cryptography, now resting on firmer and more scientific foundations, gives hope of breaking out of the endless cycle of constructing schemes and watching them get broken. In this section we outline the main principles and paradigms that distinguish modern cryptography from classical cryptography. We identify three main principles:

1. Principle 1 - the first step in solving any cryptographic problem is the formulation of a rigorous and precise definition of security.
2. Principle 2 - when the security of a cryptographic construction relies on an unproven assumption, this assumption must be precisely stated. Furthermore, the assumption should be as minimal as possible.
3. Principle 3 - cryptographic constructions should be accompanied by a rigorous proof of security with respect to a definition formulated according to principle 1, and relative to an assumption stated as in principle 2 (if an assumption is needed at all).

We now discuss each of these principles in greater depth.

1.4.1 Principle 1 - Formulation of Exact Definitions

One of the key intellectual contributions of modern cryptography has been the realization that formal definitions of security are essential prerequisites
for the design, usage, or study of any cryptographic primitive or protocol. Let us explain each of these in turn:

1. Importance for design: Say we are interested in constructing a secure encryption scheme. If we do not have a firm understanding of what it is we want to achieve, how can we possibly know whether (or when) we have achieved it? Having an exact definition in mind enables us to better direct our design efforts, as well as to evaluate the quality of what we build, thereby improving the end construction. In particular, it is much better to define what is needed first and then begin the design phase, rather than to come up with a post facto definition of what has been achieved once the design is complete. The latter approach risks having the design phase end when the designers' patience is tried (rather than when the goal has been met), or may result in a construction that achieves more than is needed and is thus less efficient than a better solution.
2. Importance for usage: Say we want to use an encryption scheme within some larger system. How do we know which encryption scheme to use? If presented with a candidate encryption scheme, how can we tell whether it suffices for our application? Having a precise definition of the security achieved by a given scheme (coupled with a security proof relative to a formally-stated assumption as discussed in principles 2 and 3) allows us to answer these questions. Specifically, we can define the security that we desire in our system (see point 1, above), and then verify whether the definition satisfied by a given encryption scheme suffices for our purposes. Alternatively, we can specify the definition that we need the encryption scheme to satisfy, and look for an encryption scheme satisfying this definition. Note that it may not be wise to choose the "most secure" scheme, since a weaker notion of security may suffice for our application and we may then be able to use a more efficient scheme.
3. Importance for study: Given two encryption schemes, how can we compare them? Without any definition of security, the only point of comparison is efficiency, but efficiency alone is a poor criterion since a highly efficient scheme that is completely insecure is of no use. Precise specification of the level of security achieved by a scheme offers another point of comparison. If two schemes are equally efficient but the first one satisfies a stronger definition of security than the second, then the first is preferable.5 There may also be a trade-off between security and efficiency (see the previous two points), but at least with precise definitions we can understand what this trade-off entails.

5 Of course, things are rarely this simple.
Of course, precise definitions also enable rigorous proofs (as we will discuss when we come to principle 3), but the above reasons stand irrespective of this.

It is a mistake to think that formal definitions are not needed since "we have an intuitive idea of what security means". For starters, different people have different intuition regarding what is considered secure. Even one person might have multiple intuitive ideas of what security means, depending on the context. For example, in Chapter 3 we will study four different definitions of security for private-key encryption, each of which is useful in a different scenario. In any case, a formal definition is necessary for communicating your "intuitive idea" to someone else.

An example: secure encryption. It is also a mistake to think that formalizing definitions is trivial. For example, how would you formalize the desired notion of security for private-key encryption? (The reader may want to pause to think about this before reading on.) We have asked students many times how secure encryption should be defined, and have received the following answers (often in the following order):

1. Answer 1 - an encryption scheme is secure if no adversary can find the secret key when given a ciphertext. Such a definition of encryption completely misses the point. The aim of encryption is to protect the message being encrypted and the secret key is just the means of achieving this. To take this to an absurd level, consider an encryption scheme that ignores the secret key and just outputs the plaintext. Clearly, no adversary can find the secret key. However, it is also clear that no secrecy whatsoever is provided.6
2. Answer 2 - an encryption scheme is secure if no adversary can find the plaintext that corresponds to the ciphertext. This definition already looks better and can even be found in some texts on cryptography. However, after some more thought, it is also far from satisfactory. For example, an encryption scheme that reveals 90% of the plaintext would still be considered secure under this definition, as long as it is hard to find the remaining 10%. But this is clearly unacceptable in most common applications of encryption. For example, employment contracts are mostly standard text, and only the salary might need to be kept secret; if the salary is in the 90% of the plaintext that is revealed then nothing is gained by encrypting. If you find the above counterexample silly, refer again to footnote 6. The point once again is that if the definition as stated isn't what was meant, then a scheme could be proven secure without actually providing the necessary level of protection. (This is a good example of why exact definitions are important.)

6 And lest you respond: "But that's not what I meant!", well, that's exactly the point: it is often not so trivial to formalize what one means.
3. Answer 3 - an encryption scheme is secure if no adversary can determine any character of the plaintext that corresponds to the ciphertext. This already looks like an excellent definition. However, other subtleties can arise. Going back to the example of the employment contract, it may be impossible to determine the actual salary or even any digit thereof. However, should the encryption scheme be considered secure if it leaks whether the encrypted salary is greater than or less than $100,000 per year? Clearly not. This leads us to the next suggestion.
4. Answer 4 - an encryption scheme is secure if no adversary can derive any meaningful information about the plaintext from the ciphertext. This is already close to the actual definition. However, it is lacking in one respect: it does not define what it means for information to be "meaningful". Different information may be meaningful in different applications. This leads to a very important principle regarding definitions of security for cryptographic primitives: definitions of security should suffice for all potential applications. This is essential because one can never know what applications may arise in the future. Furthermore, implementations typically become part of general cryptographic libraries which are then used in many different contexts and for many different applications. Security should ideally be guaranteed for all possible uses.
5. The final answer - an encryption scheme is secure if no adversary can compute any function of the plaintext from the ciphertext. This provides a very strong guarantee and, when formulated properly, is considered today to be the "right" definition of security for encryption. Even here, there are questions regarding the attack model that should be considered, and how this aspect of security should be defined.
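The counterexamples to Answers 1 to 3 can be run as an experiment in which the break is "compute a chosen function of the plaintext from one ciphertext". The Python below is an added example, not code from the book; the contract template, the salary distribution, the four toy schemes and the two ciphertext-only adversaries are all constructed for illustration.

```python
"""Added example: the counterexamples to Answers 1-3 run as an experiment."""
import secrets

TEMPLATE = b"Standard employment contract. Annual salary (USD): "  # constructed text
THRESHOLD = 100_000          # the $100,000 boundary from the page's example
_rng = secrets.SystemRandom()


def sample_message():
    """Constructed message distribution: salary uniform in 50000..149999."""
    return TEMPLATE + b"%06d" % _rng.randrange(50_000, 150_000)


def salary_of(msg):
    return int(msg[-6:])


def xor(data, key):
    return bytes(d ^ k for d, k in zip(data, key))


# Toy schemes, enc(key, msg) -> ciphertext, with len(key) == len(msg).
def enc_ignore_key(key, msg):
    """Answer 1 counterexample: the key is never used."""
    return msg


def enc_reveal_most(key, msg):
    """Answer 2 counterexample: only the first 10% of the bytes is padded."""
    hidden = len(msg) // 10
    return xor(msg[:hidden], key) + msg[hidden:]


def enc_leak_threshold(key, msg):
    """Answer 3 counterexample: every byte is padded, one bit is appended."""
    flag = b"\x01" if salary_of(msg) > THRESHOLD else b"\x00"
    return xor(msg, key) + flag


def enc_one_time_pad(key, msg):
    """Fresh uniform key as long as the message, nothing sent in the clear."""
    return xor(msg, key)


# Breaks: functions of the plaintext that the adversary tries to compute.
def f_salary(msg):
    return salary_of(msg)


def f_is_high(msg):
    return salary_of(msg) > THRESHOLD


# Ciphertext-only adversaries: they see one ciphertext and nothing else.
def adv_salary(ct):
    tail = ct[-6:]
    return int(tail) if tail.isdigit() else THRESHOLD   # blind guess otherwise


def adv_is_high(ct):
    tail = ct[-6:]
    if tail.isdigit():                                   # salary sent in clear
        return int(tail) > THRESHOLD
    if len(ct) == len(TEMPLATE) + 7:                     # trailing flag byte
        return ct[-1:] == b"\x01"
    return False                                         # blind guess


def success_rate(enc, adversary, f, trials=2000):
    """Fraction of trials in which adversary(ciphertext) equals f(plaintext)."""
    wins = 0
    for _ in range(trials):
        msg = sample_message()
        key = secrets.token_bytes(len(msg))              # fresh key per message
        wins += adversary(enc(key, msg)) == f(msg)
    return wins / trials


def ciphertext_depends_on_key(enc):
    """False means the ciphertext carries no information about the key."""
    msg = sample_message()
    k1, k2 = secrets.token_bytes(len(msg)), secrets.token_bytes(len(msg))
    return enc(k1, msg) != enc(k2, msg)


if __name__ == "__main__":
    schemes = [enc_ignore_key, enc_reveal_most, enc_leak_threshold, enc_one_time_pad]
    for enc in schemes:
        print(f"{enc.__name__:20s} key-dependent={ciphertext_depends_on_key(enc)!s:5s} "
              f"salary={success_rate(enc, adv_salary, f_salary):.2f} "
              f"is_high={success_rate(enc, adv_is_high, f_is_high):.2f}")
    # A high rate refutes a scheme. A rate at the blind-guess level refutes
    # nothing: it covers only these two adversaries, not every adversary.
```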
Even though we have now hit upon the correct requirement for secure encryption, conceptually speaking, it remains to state this requirement mathematically and formally, and this is in itself a non-trivial task (one that we will address in detail in Chapters 2 and 3).

As noted in the "final answer", above, our formal definition must also specify the attack model: i.e., whether we assume a ciphertext-only attack or a chosen-plaintext attack. This illustrates a general principle used when formulating cryptographic definitions. Specifically, in order to fully define security of some cryptographic task, there are two distinct issues that must be explicitly addressed. The first is what is considered to be a break, and the second is what is assumed regarding the power of the adversary. The break is exactly what we have discussed above; i.e., an encryption scheme is considered broken if an adversary learns some function of the plaintext from a ciphertext. The power of the adversary relates to assumptions regarding the actions the adversary is assumed to be able to take, as well as the adversary's computational power. The former refers to considerations such as whether the adversary is assumed only to be able to eavesdrop on encrypted messages
(i.e., a ciphertext-only attack), or whether we assume that the adversary can also actively request encryptions of any plaintext that it likes (i.e., carry out a chosen-plaintext attack). A second issue that must be considered is the computational power of the adversary. For all of this book, except Chapter 2, we will want to ensure security against any efficient adversary, by which we mean any adversary running in polynomial time. (A full discussion of this point appears in Section 3.1.2. For now, it suffices to say that an "efficient" strategy is one that can be carried out in a lifetime. Thus "feasible" is arguably a more accurate term.) When translating this into concrete terms, we might require security against any adversary utilizing decades of computing time on a supercomputer.

In summary, any definition of security will take the following general form:

    A cryptographic scheme for a given task is secure if no adversary of a specified power can achieve a specified break.

We stress that the definition never assumes anything about the adversary's strategy. This is an important distinction: we are willing to assume something about the adversary's capabilities (e.g., that it is able to mount a chosen-plaintext attack but not a chosen-ciphertext attack), but we are not willing to assume anything about how it uses its abilities. We call this the "arbitrary adversary principle": security must be guaranteed for any adversary within the class of adversaries having the specified power. This principle is important because it is impossible to foresee what strategies might be used in an adversarial attack (and history has proven that attempts to do so are doomed to failure).

Mathematics and the real world. A definition of security essentially provides a mathematical formulation of a real-world problem. If the mathematical definition does not appropriately model the real world, then the definition may be useless. For example, if the adversarial power under consideration is too weak (and, in practice, adversaries have more power), or the break is such that it allows real attacks that were not foreseen (like one of the early answers regarding encryption), then "real security" is not obtained, even if a "mathematically-secure" construction is used. In short, a definition of security must accurately model the real world in order for it to deliver on its mathematical promise of security.

It is quite common, in fact, for a widely-accepted definition to be ill-suited for some new application. As one notable example, there are encryption schemes that were proven secure (relative to some definition like the ones we have discussed above) and then implemented on smart-cards. Due to physical properties of the smart-cards, it was possible for an adversary to monitor the power usage of the smart-card (e.g., how this power usage fluctuated over time) as the encryption scheme was being run, and it turned out that this information could be used to determine the key. There was nothing wrong with the security definition or the proof that the scheme satisfied this
definition; the problem was simply that there was a mismatch between the definition and the real-world implementation of the scheme on a smart-card.

This should not be taken to mean that definitions (or proofs, for that matter) are useless! The definition - and the scheme that satisfies it - may still be appropriate for other settings, such as when encryption is performed on an end-host whose power usage cannot be monitored by an adversary. Furthermore, one way to achieve secure encryption on a smart-card would be to further refine the definition so that it takes power analysis into account. Or, perhaps hardware countermeasures for power analysis can be developed, with the effect of making the original definition (and hence the original scheme) appropriate for smart-cards. The point is that with a definition you at least know where you stand, even if the definition turns out not to accurately model the particular setting in which a scheme is used. In contrast, with no definition it is not even clear what went wrong.

This possibility of a disconnect between a mathematical model and the reality it is supposed to be modeling is not unique to cryptography but is something that occurs throughout science. To take an example from the field of computer science, consider the meaning of a mathematical proof that there exist well-defined problems that computers cannot solve.7 The immediate question that arises is what does it mean for "a computer to solve a problem"? Specifically, a mathematical proof can be provided only when there is some mathematical definition of what a computer is (or to be more exact, what the process of computation is). The problem is that computation is a real-world process, and there are many different ways of computing. In order for us to be really convinced that the "unsolvable problem" is really unsolvable, we must be convinced that our mathematical definition of computation captures the real-world process of computation. How do we know when it does?

This inherent difficulty was noted by Alan Turing who studied questions of what can and cannot be solved by a computer. We quote from his original paper [140] (the text in square brackets replaces original text in order to make it more reader friendly):

    No attempt has yet been made to show [that the problems we have defined to be solvable by a computer] include [exactly those problems] which would naturally be regarded as computable. All arguments which can be given are bound to be, fundamentally, appeals to intuition, and for this reason rather unsatisfactory mathematically. The real question at issue is "What are the possible processes which can be carried out in [computation]?" The arguments which I shall use are of three kinds.
    (a) A direct appeal to intuition.

7 Those who have taken a course in computability theory will be familiar with the fact that such problems do indeed exist (e.g., the Halting Problem).
    (b) A proof of the equivalence of two definitions (in case the new definition has a greater intuitive appeal).
    (c) Giving examples of large classes of [problems that can be solved using a given definition of computation].

In some sense, Turing faced the exact same problem as cryptographers. He developed a mathematical model of computation but needed to somehow be convinced that the model was a good one. Likewise, cryptographers define notions of security and need to be convinced that their definitions imply meaningful security guarantees in the real world. As with Turing, they may employ the following tools to become convinced:

1. Appeals to intuition: the first tool when contemplating a new definition of security is to see whether it implies security properties that we intuitively expect to hold. This is a minimum requirement, since (as we have seen in our discussion of encryption) our initial intuition usually results in a notion of security that is too weak.
2. Proofs of equivalence: it is often the case that a new definition of security is justified by showing that it is equivalent to (or stronger than) a definition that is older, more familiar, or more intuitively-appealing.
3. Examples: a useful way of being convinced that a definition of security suffices is to show that the different real-world attacks we are familiar with are ruled out by the definition.

In addition to all of the above, and perhaps most importantly, we rely on the test of time and the fact that with time, the scrutiny and investigation of both researchers and practitioners testifies to the soundness of a definition.

1.4.2 Principle 2 - Reliance on Precise Assumptions

Most modern cryptographic constructions cannot be proven secure unconditionally. Indeed, proofs of this sort would require resolving questions in the theory of computational complexity that seem far from being answered today. The result of this unfortunate state of affairs is that security typically relies upon some assumption. The second principle of modern cryptography states that assumptions must be precisely stated. This is for three main reasons:

1. Validation of the assumption: By their very nature, assumptions are statements that are not proven but are rather conjectured to be true. In order to strengthen our belief in some assumption, it is necessary for the assumption to be studied. The more the assumption is examined and tested without being successfully refuted, the more confident we are that the assumption is true. Furthermore, study of an assumption can provide positive evidence of its validity by showing that it is implied by some other assumption that is also widely believed.
If the assumption being relied upon is not precisely stated and presented, it cannot be studied and (potentially) refuted. Thus, a pre-condition to raising our confidence in an assumption is having a precise statement of what exactly is assumed.
2. Comparison of schemes: Often in cryptography, we may be presented with two schemes that can both be proven to satisfy some definition but each with respect to a different assumption. Assuming both schemes are equally efficient, which scheme should be preferred? If the assumption on which one scheme is based is weaker than the assumption on which the second scheme is based (i.e., the second assumption implies the first), then the first scheme is to be preferred since it may turn out that the second assumption is false while the first assumption is true. If the assumptions used by the two schemes are incomparable, then the general rule is to prefer the scheme that is based on the better-studied assumption, or the assumption that is simpler (for the reasons highlighted in the previous paragraphs).
3. Facilitation of proofs of security: As we have stated, and will discuss in more depth in principle 3, modern cryptographic constructions are presented together with proofs of security. If the security of the scheme cannot be proven unconditionally and must rely on some assumption, then a mathematical proof that "the construction is secure if the assumption is true" can only be provided if there is a precise statement of what the assumption is.

One observation is that it is always possible to just assume that a construction itself is secure. If security is well defined, this is also a precise assumption (and the proof of security for the construction is trivial)! Of course, this is not accepted practice in cryptography for a number of reasons. First of all, as noted above, an assumption that has been tested over the years is preferable to a new assumption that is introduced just to prove a given construction secure. Second, there is a general preference for assumptions that are simpler to state, since such assumptions are easier to study and to refute. So, for example, an assumption of the type that some mathematical problem is hard to solve is simpler to study and work with than an assumption that an encryption scheme satisfies a complex (and possibly unnatural) security definition. When a simple assumption is studied at length and still no refutation is found, we have greater confidence in its being correct. Another advantage of relying on "lower-level" assumptions (rather than just assuming a construction is secure) is that these low-level assumptions can typically be shared amongst a number of constructions. If a specific instantiation of the assumption turns out to be false, it can simply be replaced (within any higher-level construction based on that assumption) by a different instantiation of that assumption.

The above methodology is used throughout this book. For example, Chapters 3 and 4 show how to achieve secure communication (in a number of ways),
assuming that a primitive called a "pseudorandom function" exists. In these chapters nothing is said at all about how such a primitive can be constructed. In Chapter 5, we then discuss how pseudorandom functions are constructed in practice, and in Chapter 6 we show that pseudorandom functions can be constructed from even lower-level primitives.

1.4.3 Principle 3 - Rigorous Proofs of Security

The first two principles discussed above lead naturally to the current one. Modern cryptography stresses the importance of rigorous proofs of security for proposed schemes. The fact that exact definitions and precise assumptions are used means that such a proof of security is possible. However, why is a proof necessary? The main reason is that the security of a construction or protocol cannot be checked in the same way that software is typically checked. For example, the fact that encryption and decryption "work" and that the ciphertext looks garbled, does not mean that a sophisticated adversary is unable to break the scheme. Without a proof that no adversary of the specified power can break the scheme, we are left only with our intuition that this is the case. Experience has shown that intuition in cryptography and computer security is disastrous. There are countless examples of unproven schemes that were broken, sometimes immediately and sometimes years after being presented or deployed.

Another reason why proofs of security are so important is related to the potential damage that can result if an insecure system is used. Although software bugs can sometimes be very costly, the potential damage that may result from someone breaking the encryption scheme or authentication mechanism of a bank is huge. Finally, we note that although many bugs exist in software, things basically work due to the fact that typical users do not try to make their software fail. In contrast, attackers use amazingly complex and intricate means (utilizing specific properties of the construction) to attack security mechanisms with the clear aim of breaking them. Thus, although proofs of correctness are always desirable in computer science, they are absolutely essential in the realm of cryptography and computer security. We stress that the above observations are not just hypothetical, but are conclusions that have been reached after years of empirical evidence and experience.

The reductionist approach. We conclude by noting that most proofs in modern cryptography use what may be called the reductionist approach. Given a theorem of the form

    "Given that Assumption X is true, Construction Y is secure according to the given definition",

a proof typically shows how to reduce the problem given by Assumption X to the problem of breaking Construction Y. More to the point, the proof will typically show (via a constructive argument) how any adversary breaking
  • 49.
    Discovering Diverse ContentThrough Random Scribd Documents
  • 50.
    window. The conjectureis, at least, as plausible as another that has been advanced; namely, that Arundel is derived from Hirondelle[41], the name of Bevis’s horse.” The Park of Arundel, which contains much picturesque scenery and many thriving plantations, was originally the hunting-forest of the ancient Counts, and covered a great extent of country, which is now either under cultivation, or converted into pasture. Beyond the pleasure- grounds, immediately under the Keep, is the Inner Park, entirely surrounded by an artificial earth-work, still perfect, and adorned with magnificent elm and beech trees. The new, or Outer Park, comprises an extent of nearly twelve hundred acres, enclosed by a high wall with lodges, and stocked with a thousand head of deer. The scenery is variegated by numerous undulations of surface—alternate ridge and ravine, grove and glade, and watered by rivulets that derive their source from the neighbouring Downs. At a short distance from the entrance to the Park, on the south side, is Hiorne’s Tower, the subject of the accompanying view. It is a triangular building, about fifty feet in height, with a turret at each angle, and in design and execution presents an admirable specimen of Gothic architecture. The merit of the design is due to the late distinguished architect, Mr. Hiorne, who superintended its erection, and left it as a monument to his name. The view from this tower, under a favourable atmosphere, presents a magnificent
  • 51.
    prospect of theadjoining Park. The soft pastoral hills that trace their bold outline on the sky; the umbrageous woods that cover the nearer acclivities; the villages, hamlets, and isolated dwellings that infuse life and activity into the picture; the herds of deer that are seen at intervals through the trees; the distant channel with its shipping, and the shining meanders of the river Arun —all present, in combination, one of the most richly diversified landscapes on which the eye of poet or of painter could love to expatiate. To the readers of romance this scene is rendered doubly interesting by its immediate vicinity to Pugh-dean, where the graves of Bevis, the giant castellan of Arundel, and his horse Hirondelle, carry us back to the days of King Arthur and his knights. To this personage we have already adverted[42]; “but of his connexion with the Castle of Arundel,” says Tierney, “it were difficult to trace the origin, although there can be little doubt that it existed at a very early period. At the bottom of the valley called Pugh-dean, the locality now under notice, is a low oblong mound, resembling a raised grave in its form, and known in the traditions of the neighbourhood as ‘Bevis’s burialplace.’ It is about six feet wide, and not less than thirty feet long. It is accompanied by several smaller but similar mounds; and although peculiar in its shape, as compared with Roman and other tumuli which have been examined at different times, has, nevertheless much of a sepulchral character in its appearance. It was lately opened to a depth of several feet, but nothing was discovered in it. In
  • 52.
    the middle, however,at the bottom to which the ground was originally made to shelve from each end, a level space of about six feet in length had been left, as if for the reception of a deposit; and as the lightness of the soil above seemed to indicate that it had been merely removed, it is not improbable that this deposit may have rewarded some antiquary more fortunate than those who were engaged in the late excavation.” Not far from this retired valley a different interest is excited by its having been the site of the chapel and hermitage of St. James—an hospital for lepers, and built soon after the middle of the thirteenth century, for the reception of the unhappy outcasts who were afflicted with that loathsome malady. The clump of trees observed in the view marks the locale of this ancient sanctuary, which must have enclosed a very considerable area. A pleasing incident in the history of Arundel, is the visit of the Empress Matilda to her step-mother, Queen Adeliza, as already alluded to in our notice of Albini. Accompanied by her natural-brother, Robert of Gloucester, and a retinue of one hundred and forty knights, she was received within the walls of the Castle, and treated with all the distinction which her own dignity and the affection of her relative could bestow. The news of her arrival,
  • 53.
    however, threw thearmy of King Stephen into immediate motion, and brought the engines of war under the walls of the Castle. Fearful of the consequences, Queen Adeliza determined to try the effects of policy in lieu of force, and appealed to the chivalrous feelings of the incensed Monarch, in behalf of her illustrious but ill-timed visitor. She assured him that the only object of her royal guest in making this visit, was to gratify those feelings of love and relationship, which might be reasonably supposed to exist between mother and daughter; that the gates of the Castle had been thrown open to her, not as a rival to the throne, but as a peacefully disposed visitor, who had a longing desire to see her native land, and who was ready to depart whenever it should please the King to grant her his safe-conduct to the nearest port. It was, moreover, delicately insinuated, that to lay siege to a Castle, where the only commander of the garrison was a lady, and where the only offence complained of was a mere act of hospitality to a female relation, was surely an enterprise neither worthy of a hero such as his Majesty, nor becoming in him who was the crowned head of the English chivalry. The result of this appeal, or of some more convincing argument[43], has been already stated in the safe retirement of Matilda from the scene of danger, and her return to Normandy. But a small chamber over the inner gateway enjoys the traditionary fame of having been her sleeping room, during her sojourn in the Castle. It is a low square apartment, such as the castellan might have occupied during a siege. But, as an imperial chamber, it never could have had more than one recommendation, namely its security, in times when security was the chief object to be kept in view; and six centuries ago it was no doubt a very eligible state chamber. 
The bedstead on which the Empress is said to have reposed—for we would not disturb any point of popular and poetical faith—is certainly a relic of considerable antiquity. Its massive walnut posts are elaborately carved, but so worm-eaten, that, unless tenderly scrutinised, the wood would be apt to fall into powder in the hands of the visitor. Looking upon this, as a relic of the twelfth century, it may be imagined with what feelings the daughter of a King, the consort of an Emperor, and mother of a King, laid her head upon that humble couch, reflected on her checkered fate, and felt the shock of warlike engines under the battlements.
  • 54.
    “ ’Mid crashof states, exposed to fortune’s frown, Uneasy lies the head that wears a crown.” The other events and incidents which give Arundel particular distinction among the ancient baronial seats of England, are partly owing to the regal dignity of its visitors. It was here that Alfred and Harold are believed to have resided; and it was in the castle of Arundel that William Rufus, on his return from Normandy, celebrated the feast of Easter.[44] In 1302, King Edward the First spent some time within its walls: and from the fact of its containing an apartment familiarly known as the ‘King’s Chamber,’ it is probable that, in later times, it was often graced by the royal presence.[45] The luxury and splendour of its apartments are amply attested by the minute inventories of the costly materials employed in their decoration; while the princely revenues of many of its lords permitted them to indulge in a style of hospitality to which few subjects could aspire. It was frequented by the élite of our English chivalry; beauty and valour were its hereditary inmates; its
court resounded to the strains of music; while military fêtes and religious solemnities gave alternate life and interest to its halls. Many a plan, afterwards developed in the field or the senate, was first conceived and matured in the baronial fastness of Arundel. One of the dark yet dramatic scenes of which it has been the theatre, is the conspiracy, in which the Earls of Arundel, Derby, Marshall, and Warwick; the Archbishop of Canterbury, the Abbot of St. Alban’s and the Prior of Westminster, met the Duke of Gloucester, for the final ratification of the plot. After receiving the sacrament, says the Chronicle, they solemnly engaged, each for himself, and for one another, to seize the person of King Richard the Second; his brothers, the Dukes of Lancaster and York; and, finally, to cause all the lords of the King’s Council to be ignominiously put to death. This plot, however, was happily divulged in time to defeat its execution; and Arundel was brought to the block on the evidence of his son-in-law, Earl Marshall, then deputy-governor of Calais.[46] So great, says Caraccioli, “was the hereditary fame of Arundel Castle, and so high its prerogative, that Queen Adeliza’s brother, Joceline of Lorraine, though a lineal descendant of Charlemagne, felt himself honoured in being nominated to the title of its Castellan.” From William de Albini, Joceline received in gift Petworth, with its large demesne; and on his marriage with Agness, heiress of the Percies, took the name of Percy—and, hence, probably, the origin of “Percy’s Hall,” an apartment which has existed from time immemorial in Arundel Castle.
Of Isabel de Albini, the widow of Earl Hugh, the following anecdote is preserved:[47]—Having applied to the King for the wardship of a certain person, which she claimed as her right, and failing in her suit, she addressed him in these spirited words:—“Constituted and appointed by God for the just government of your people, you neither govern yourself nor your subjects as you ought to do. You have wronged the Church, oppressed the nobles, and to myself, personally, have refused an act of justice, by withholding the right to which I am entitled.” “And have the Barons,” said the King, “formed a charter, and appointed you their advocate, fair dame?” “No,” replied the Countess; “but the King has violated the charter of liberties given them by his father, and which he himself solemnly engaged to observe; he has infringed the sound principles of faith and honour; and I, although a woman, yet with all the freeborn spirit of this realm, do here appeal against you to the tribunal of God. Heaven and earth bear witness how injuriously you have
dealt with us, and the avenger of perjury will assert the justice of our cause.” Conscious that the charge, though boldly spoken, was the voice of public opinion, and struck with admiration of her frank spirit, the King, stifling resentment, merely rejoined, “Do you wish for my favour, kinswoman?” “What have I to hope from your favour,” she replied, “when you have refused me that which is my right? I appeal to Heaven against these evil counsellors, who, for their own private ends, have seduced their liege lord from the paths of justice and truth.” We now take a short retrospect of the public services, patriotic achievements, and traits of personal character, which have distinguished the thirty-two lords of Arundel from the period of the Conquest down to our own times. Of several of these, however, our notice must be exceedingly brief.—Of Roger Montgomery and his family we have little to add beyond what has appeared in Mr. Tierney’s elaborate History of Arundel, to which we have so often referred in the preceding pages. Of William de Albini, the fourth earl, the following historical incident is recorded:—When at length, after much fruitless warfare, Henry Plantagenet appeared in England at the head of the nobles who espoused his rights, Albini had the happiness to achieve what may be justly considered greater than any victory; he prevented the effusion of blood. Henry’s army was then at Wallingford, where Stephen, at the head of his forces, was arranging the line of battle. The armies were drawn out in sight of each other; Stephen, attended by Albini, was reconnoitring the position of his opponent; when his charger becoming unmanageable, threw his rider[48]. He was again mounted; but a second and a third time a similar accident occurred, which did not fail to act as a dispiriting omen upon the minds of those who were witnesses of the occurrence.
Taking advantage of the superstitious dread thus excited among the troops, Albini represented in emphatic terms to Stephen the weakness of his cause when opposed by right and justice, and how little he could calculate upon men whose resolution in his service had been already shaken by the incident which had just occurred. His counsel was taken in good part; Stephen and Henry, adds the historian, met in front of the two armies: an explanation ensued, reconciliation was effected; and in the course of the year a solemn treaty was ratified, by which Stephen adopted the young Plantagenet as his successor to the throne. The most important affair in which Albini’s service was called for, was the splendid embassy to Rome,
the object of which was to counteract the effect of à-Becket’s personal representations at the papal court. That mission failed in effecting the reconciliation intended, owing to the intemperate language of the prelates who were associated with Albini in the cause. His own speech, as recorded by Grafton, is characteristic of good sense and moderation:—“Although to me it is unknown, saith the Erle of Arundell, which am but unlettered and ignorant, what it is that these bishoppes here have sayde, (their speeches being in latin,) neyther am I in that tongue able to expresse my minde as they have done; yet, beyng sent and charged thereunto of my prince, neyther can, nor ought I but to declare, as well as I may, what the cause is of our sendyng hether; not to contende or strive with any person, nor to offer any iniury or harm unto any man, especially in this place, and in the presence here of such a one unto whose becke and authoritye all the worlde doth stoope and yelde. But for this intent in our Legacy hether directed, to present here before You and in the presence of the whole Church of Rome, the devocion and loue of our king and master, which ever he hath had and yet hath still toward You.
And that the same may the better appere to yr. Excellencie, hee hath assigned and appointed to the furniture of this Legacy, not the least, but the greatest; not the worst, but the best and chiefest of all his subiects; both archbishoppes, bishoppes, erles, barons, with other potentates mo, of such worthinesse and parentage, that if he could have found greater in all his realme he would have sent them both for the reverence of Your Person and of the Holy Church of Rome,” &c. But this oration, “although it was liked for the softnesse and moderation thereof, yet it failed of its object; it could not perswade the bishop of Rome to condescende to their sute and request, which was to have two legates or arbiters to be sent from him into England, to examine and to take up the controversie betwene the kinge and the archbishoppe.” Subsequently to this, Albini was sent on a more agreeable mission, that of conducting the Princess Matilda into Germany, on the eve of her marriage with Henry, Duke of Saxony; and five years later was selected by the king as one of his “own trustees to the treaty of marriage between his son Prince John, and the daughter of Hubert, Count of Savoy.” Shortly afterwards he commanded the royal forces at Fornham in Suffolk, and gained a complete victory over the rebellious sons of King Henry—in whose unnatural cause the disaffected at home had been joined by a numerous body of foreigners—and took prisoners the Earl of Leicester, with his Countess and all his retinue of knights. Albini was a great benefactor of the church; he built “the abbey of Buckenham; endowed various prebends in Winchester; founded the priory of Pynham, near Arundel; the chapel of St. Thomas at Wymundham,” and died at Waverley in Surrey. To Albini’s son and grandson we have already adverted, but conclude with a brief incident in the life of William, the third earl of his family.
When the banner of the cross was waving under the walls of Damietta, and the chivalry of Christendom flew to the rescue, the gallant Albini was too keenly alive to the cause to resist the summons. In that severe struggle, he hoped to acquire those laurels which would leave all other trophies in the shade; and with the flower of our English chivalry embarked for the Holy Land, and served at the siege of that fortress. Two years he remained a staunch supporter of the cross—a soldier whom no dangers could dismay, no difficulties intimidate; and long after his companions had returned to the white cliffs of Albion, the lion-standard of Albini shone in the van of the Christian army. On his way home, however, he had only strength
to reach an obscure town in the neighbourhood of Civita Vecchia, near Rome, where he was taken ill and expired. His eldest son, the fourth earl, died without issue; and the short life of his successor, Hugh de Albini, appears to have passed without any remarkable event or incident, save latterly in active warfare in France, where, at the battle of Taillebourg, in Guienne, he displayed, though ineffectually, the hereditary valour of his family. The first of the Fitzalans who held the title and estates of Arundel was appointed one of the Lord Marchers, or Wardens of the Welsh Border; and found to his cost that the Ancient Britons did not submit to the daily encroachment made upon their rights and hereditary privileges, without having frequent and formidable recourse to arms. He maintained a high station at court, was admitted to the royal confidence, and had the “command of the Castle of Rochester when the approach of the King’s forces compelled the disaffected Barons to raise the siege.” At the battle of Lewes he distinguished himself in the royal cause; but at the close of that disastrous field—along with the two princes, Edward and Henry—fell into the “hands of the victorious Barons.” Of the battle of Lewes, we select the following graphic picture from Grafton:—“Upon Wednesday the 23rd of May, early in the morning, both the hostes met; where, after the Londoners had given the first assault, they were beaten back, so that they began to drawe from the sharpe shot and strokes, to the discomfort of the Barons’ hoste. But the Barons encouraged and comforted their men in such wise, that not all onely, the freshe and
lustye knights fought eagerly, but also such as before were discomfited, gathered a newe courage unto them, and fought without feare, in so much that the King’s vaward lost their places. Then was the field covered with dead bodyes, and gasping and groning was heard on every syde; for eyther of them was desyrous to bring others out of lyfe. And the father spared not the sonne, neyther yet the sonne spared the father! Alliaunce at that time was bound to defiaunce, and Christian bloud that day was shed without pittie. Lastly the victory fell to the Barons; so that there was taken the King, and the King of Romaynes, Sir Edward the King’s sonne, with many other noblemen,” among whom was Fitzalan, Earl of Arundel, “to the number of fifteen barons and banerets; and of the common people, that were slain, about twenty thousand, as saith Fabian.” This was Fitzalan’s last appearance in the field; and, as a security for his good behaviour, he was required “to surrender the Castle of Arundel or deliver his son as a hostage,” into the hands of the Earl of Leicester. “For their safe keeping, the prisoners were sente unto dyverse castellis and prysons, except the King, his brother the King of Almayne, and Sir Edwarde his sonne; the which the barons helde with them vntill they came to London.” Richard the third earl takes an eminent station in the family history.
He first travelled in France and Italy, in compliance with the rules of his order[49]; then served in Wales, performed several exploits against Madoc; became distinguished among the chivalry of his day; held a command in the expedition organised for the subjugation of Scotland; fought at Falkirk; and subsequently took part at the siege of Caerlaverock Castle, where in the language of the minstrel, “who witnessed the fray,” he is complimented as— “Richard le Conte de Aroundel, Beau chivalier, et bien aimé, I vi je richement armé; En rouge au lyon rampart de or—[50]” and in various capacities appears to have done the state much acceptable service. 1306. During the life of Edmund, the fourth Earl, the affairs of Scotland assumed a threatening aspect; and the King, exasperated by the murder of Comyn, resolved to march an army across the frontier. Great preparations were made to render the expedition, in all respects, worthy of the grand
object in view. The royal armies were ordered from their cantonments, and hastened into the field under the command of Aymer de Valence, Earl of Pembroke. In preparation for the expedition, “proclamation was made, that a grand national fete would solemnise the movement; that the Prince of Wales
would be knighted on the Feast of Pentecost; and all the young nobility of the kingdom were summoned to appear at Westminster to receive that honour along with him. On the eve of the appointed day (the 22nd of May) 270 noble youths, with their pages and retinues, assembled in the Gardens of
the Temple, in which the trees were cut down that they might pitch their tents; they watched their arms all night, according to the usage of chivalry; the prince, and some of those of highest rank, in the Abbey of Westminster; the others in the Temple Church. On the morrow, Prince Edward was knighted by his father in the Hall of the Palace, and then proceeding to the Abbey, conferred the like honour on his companions. A magnificent feast followed, at which two swans covered with nets of gold being set on the table by the minstrels, the King rose, and made a solemn vow to God and to the swans, that he would avenge the death of Comyn and punish the perfidy of the Scottish rebels. Then, addressing his son and the rest of the company, he conjured them, in the event of his death, to keep his body unburied until his successor should have accomplished this vow. The next morning the prince, with his companions, departed for the Borders; Edward himself followed by slow journeys, being only able to travel in a litter.” Such was the bright morning of Edmund Fitzalan’s life; and the annexed gives us the dark contrast in his tragical end. 1326. The citizens, says Froissart, seeing they had no other means of saving the town, their lives, and their fortunes, acceded to the Queen’s terms, and opened their gates to her. She entered the town attended by Sir John de Hainault, with all her barons, knights, and esquires, who took their lodging therein. The others, for want of accommodation, remained without. Sir Hugh Spencer and the Earl of Arundel were then delivered to the Queen to do with them according to her good pleasure. The Queen then ordered the elder Spencer and Arundel to be brought before her eldest son and the barons assembled, and said that she and her son would see that Justice should be done unto them according to their deeds.
“Ah, madam,” said Spencer, “God grant us an upright judge and a just sentence; and that if we cannot find it in this world, we may find it in another.” The charges against them being read, an old knight was called upon to pass sentence; and her son, with the other barons and knights, pronounced the prisoners guilty. Their sentence was, that they, the said Earl of Arundel and Spencer, should be drawn in a hurdle to the place of execution, there to be beheaded, and afterwards to be hung on a gibbet. “The which was duly carried into effect on the feast of St. Denis,” at Bristol—or, according to others, at Hereford. Richard, the son and successor of Edmund, became highly distinguished among the great men of his time. His life and exploits make no inconsiderable figure in the national annals.
When a fleet of cruisers, sent out by the French for the annoyance of British commerce in the Channel, had made prizes of many of our best merchant ships, pillaged several towns on the coast, and caused much consternation to all who were interested in the prosperity of commerce, Arundel hoisted his flag on board the “Admiral,” and put to sea. Another fleet was ordered to co-operate with him in the eastern coast; the first cruise checked the audacity of the enemy, and re-established public confidence and good order.
1340. His next public service was off the harbour of Sluys, where, in an engagement with the French fleet, he was second in command under King Edward the Third, and gained a complete victory. “When the king’s fleet,” says the chronicler, “was almost got to Sluys, they saw so many masts standing before it, that they looked like a wood. The king asked the commander of his ship what they could be, who answered that he imagined they must be that armament of Normans which the King of France kept at sea, and which had so frequently done him much damage, had burnt the good town of Southampton, and taken his large ship the ‘Christopher.’ The king replied, I have for a long time wished to meet with them, and now, please God and St. George, we will fight with them; for in truth they have done me so much mischief, that I will be revenged upon them if possible.” The large ships under Lord Arundel, the bishop of Norwich, and others, now advanced, adds Froissart, and ran in among those of Flanders: but they had not any advantage; for the crossbow-men defended themselves gallantly under their commander Sir John de Bucque. He and his company were well armed in a ship equal in bulk to any they might meet, and had their cannons on board, which were of such a weight, that great mischief was done by them. This battle was very fierce and obstinate, for it continued three or four hours; and many of the vessels were sunk by the “large and sharply-pointed bolts of iron which were cast down from the maintops, and made large holes in their decks.” When night came on, they separated, and cast anchor to repair their damage and take care of the wounded. But at the next flow of the tide, they again set sail and renewed the combat; yet the English continually gained on the Flemings, and, having got between them and Blanquenberg and Sluys, drove them on Cadsand, where the defeat was completed.
So great was the disaster to the French monarch on this day, that none of his ministers would venture to communicate to him the amount of life and property which had been sacrificed. What the minister, however, durst not reveal, the king’s jester found means to divulge. “What arrant cowards are those English!” said the jester. “How so?” demanded Philip. “Because,” answered zany, “they had not courage to jump overboard, as the French and Normans did lately at Sluys[51].” This opened the king’s eyes, and prepared him for the disastrous tidings that were now poured in upon him. Six years later, Arundel was appointed admiral of the king’s fleet, and conveyed the great military expedition from Southampton to Normandy.
When the troops were disembarked at La Hogue, he was created constable of the forces; and with Northampton and other noblemen commanded the second division at the battle of Cressy[52]. During the heat of the combat, when Prince Edward was surrounded by the enemy and in personal jeopardy, Arundel and Northampton hastened to his support; ordered their division forward, and closed with the enemy. The English rushed upon their assailants with renewed ardour; the French line was charged, broken, and dispersed; “earls, knights, squires, and men-at-arms, continuing the struggle in confused masses, were mingled in one promiscuous slaughter.” When night closed, King Philip, with a retinue of only five barons and sixty knights, fled in dismay before the cry of “St. George for England!” Eleven princes, twelve hundred knights, and thirty thousand soldiers, had fallen on the side of the French. On another occasion, but on a different element, Arundel was present with the king, in his “chivalrous engagement with the French fleet, off Winchelsea;” and four years later was deputed to the court of Pope Innocent, then at Avignon, in the fruitless attempt to arrange the articles of a permanent reconciliation between the Crowns of England and France. Arundel survived these brilliant events many years; and during the leisure secured to him by his great public services, appears to have found occupation for his active mind and munificent taste in repairing and embellishing his ancestral[53] Castle, where he died at an advanced age, and bequeathed immense possessions to his family. The contrast presented in the life and destinies of his son forms a melancholy page in the family history. He was a brave man, and had performed several gallant exploits. But it was his misfortune to fall upon evil times, of which intrigue, disaffection, private revenge, and outward violence were leading characteristics.
Associating with the turbulent spirits who surrounded an imbecile and capricious monarch, his character took the complexion of the age. 1397. He is said to have been at the head of a conspiracy already mentioned in this work, page 39, and which is thus recorded by Holinshed, Grafton, and others of the old chroniclers[54]. The Earls of Arundel, Derby, Marshal, and Warwick; the Archbishop of Canterbury, Arundel’s brother; the Abbot of St. Alban’s, and the Prior of Westminster, met the Duke of Gloucester[55] in Arundel Castle, where, receiving first the sacrament by the
hands of the Archbishop, they resolved to seize the person of King Richard the Second, and his brothers the Dukes of Lancaster and York, to commit them to prison, and cause the lords of the King’s Council to be drawn and hanged. This plot, however, was divulged, it is said, by the Earl Marshal, and the apprehension of Arundel led to the family catastrophe, which with some little abridgment of the original authors is related as follows:— Apprehended under assurances of personal security, he was hurried to the Tower, and finally tried and condemned by the Parliament at Westminster. On the feast of St. Matthew, Richard Fitz Alaine, Earl of Arundel, was brought forth to swear before the King and whole Parliament to such articles as he was charged with.[56] And as he stood at the bar, the Lord Neville was commanded by the Duke of Lancaster, which sat that day as High Steward of England, to take the hood from his neck, and the girdle from his waist. Then the Duke of Lancaster declared unto him that for his manifold rebellions and treasons against the king’s majesty, he had been arrested, and hitherto kept in ward, and now at the petitions of the lords and commons, he
was called to answer such crimes as were there to be objected against him, and so to purge himself, or else to suffer for his offences, such punishment as the law appointed. First he charged him that he had ridden in armour against the King in company of the Duke of Gloucester, and of the Earl of Warwick, to the breach of peace and disquieting of the realm. His answer hereunto was, that he did not this upon any evil meaning towards the King’s person, but rather for the benefit of the King and realm, if it were interpreted aright and taken as it ought to be. It was further demanded of him, why he procured letters of pardon from the King, if he knew himself guiltless. He answered he did not purchase them for any fear he had of faults committed by him, but to stay the malicious speech of them that neither loved the King nor him. He was again asked whether he would deny that he had made any such rade with the persons before named, and that in company of them he entered not armed unto the King’s presence against the King’s will and pleasure. To this he answered he could not deny it, but that he so did. Then the speaker, Sir John Bushie, with open mouth besought that judgment might be had against such a traitor; and “your faithful commons,” said he to the King, “ask and require that so it may be done.” The Earl, turning his head aside, quietly said to him, “Not the King’s faithful commons” require this, “but thou, and what thou art I know.” Then the eight appellants standing on the other side, cast their gloves at him, and in prosecuting their appeal—which already had been read—offered to fight with him, man to man, to justify the same.
“Then,” said the Earl, “if I were at libertie, and that it might so stande with the pleasure of my sovereign, I would not refuse to prove you all liars in this behalfe.” Then spake the Duke of Lancaster, saying to him, “What have you further to say to the points laid before you?” He answered, that of the King’s grace he had his letters of general pardon, which he required to have allowed. Then the duke told him that the pardon was revoked by the prelates and noblemen in Parliament; and therefore willed him to make some other answer. The Earl told him again that he had another pardon under the King’s great seal, granted him long after the King’s own motion, which also he required to have allowed. The Duke told him that the same was likewise revoked.
After this, when the Earl had nothing more to say for himself, the Duke pronounced judgment against him as in cases of treason is used. But after he had made an end, and paused a little, he said, “The King our sovereign lord of his mercy and grace, because thou art of his blood, and one of the Peers of the realm, hath remitted all other pains, saving the last that is to say, the beheading, and so thou shalt only lose thy head;”—and forthwith he was had away, and led through London, unto the Tower-hill. There went with him to see the execution done, six great lords, of whom there were three earls, Nottingham, that had married his daughter; Kent, that was his daughter’s son; and Huntington, being mounted on great horses, with a great company of armed men, and the fierce bands of the Cheshiremen, furnished with axes, swords, bows and arrows, marching before and behind him, who only in this parliament had licence to bear weapon, as some have written. When he should depart the palace, he desired that his hands might be loosed to dispose of such money as he had in his purse, betwixt that place and Charing Cross. This was permitted; and so he gave such money as he had in alms with his own hands, but his arms were still bound behind him. When he came to the Tower-hill, the noblemen that were about him moved him right earnestly to acknowledge his treason against the king. But he in no wise would do so; but maintained that he was never traitor in word nor deed; and herewith perceiving the Earls of Nottingham and Kent, that stood by with other noblemen, busy to further the execution, and being, as ye have heard, of kin, and allied to him, he spake to them, and said, “Truly it would have beseemed you rather to have been absent, than here at this business.
But the time will come ere it be long, when as many shall marvel at your misfortune as do now at mine.” After this, forgiving the executioner, he besought him not to torment him long, but to strike off his head at one blow, and feeling the edge of the sword, whether it was sharp enough or not, he said, “It is very well, do that thou hast to do quickly,”—and so kneeling down, the executioner with one stroke, strake off his head. “Then returned they that were at the execution and shewed the kinge merily of the death of the erle; but although the kinge was then merry and glad that the dede was done, yet after exceedingly vexed was he in his dremes.” The Earl’s body was buried, together with his head, in the church of the Augustine Friars in Bread-street, within the city of London. The death of this earl[57] was much lamented among the people, considering his sudden fall and miserable end, whereas, not long before
among all the noblemen of this land, there was none more esteemed; so noble and valiant he was that all men spake honour of him. After his death, as the fame went, the king was sore vexed in his sleep with horrible dreams, imagining that he saw this earl appear unto him, threatening him, and putting him in horrible fear, as if he had said with the poet to King Richard— “Nunc quoque factorum venio memor umbra tuorum, In sequor et vultus ossea forma tuos.”— With which visions being sore troubled in sleep, he cursed the day that ever he knew the earl. And he was the more unquiet, because he heard it reported that the common people took the earl for a martyr, insomuch that some came to visit the place of his sepulture, for the opinion they had conceived of his holiness. And, when it was bruited abroad, as for a miracle, that his head should be grown to his body again, the tenth day after his burial; the king sent about ten of the clock in the night certain of the nobility to see his body taken up, that he might be certified of the truth. Which done, and perceiving it was a fable, he commanded the friars to take down his arms, that were set up about the place of his burial, and to cover the grave, so as it should not be perceived where he was buried. In less than two years, however, King Richard himself was a captive in the hands of his subjects. Young Arundel and the son of the late Duke of Gloucester were appointed his keepers. “Here,” said Lancaster, as he delivered[58] Richard into their custody[59], “here is the king; he was the murderer of your fathers; I expect you to be answerable for his safety.” During the first five years of Henry the Fourth, young Arundel, among other services, shared with his sovereign the reverses which attended his invasion of the Welsh frontier, and his campaign against Owen Glendower.
—But at length the scenes of the camp gave place to domestic festivities; and his approaching marriage with Donna Béatrice, daughter of John the First, king of Portugal, was publicly announced. Great preparations were made to receive the bride with all the honours due to her beauty and station; the royal palace and the earl’s ancestral castle were sumptuously fitted up for her reception. She left Portugal with a splendid retinue, made a prosperous voyage, and arrived in London in the middle of November. On the twenty-sixth of the same month the solemnity took place in the Royal Chapel,
where, in the presence of the King and Queen, Donna Béatrice gave her hand to the young Earl of Arundel. Their subsequent arrival at Arundel, and the rejoicings which there met the royal bride, may be better imagined than described. All that could add to the splendour of the gala was ingeniously arranged and displayed; and on her triumphant entry under the old Norman gateway of her husband’s castle, Donna Béatrice might well confess that “the castled heights of Algarva were not so beautiful as the verdant hills, and embattled towers, of Arundel.” Among the personal exploits by which his brief career was subsequently distinguished, is the following.—During the excitement which prevailed in France in consequence of the murder of the Duke of Orleans, “the author of that assassination, Charles Duke of Burgundy, now taking the alarm, applied
to the English monarch for assistance.” His request was instantly complied with; for Henry had “private motives which prompted him in this instance.” 1411. Arundel, at the head of a strong body of archers and men-at-arms, was despatched to join the Burgundian leader, whom he met at Arras; and thence directing their march upon the capital, arrived on the twenty-third of October. The first point of attack was St. Cloud, where Arundel took charge of the assault, and marching his men to the bridge which here crosses the Seine, carried it by storm; took possession of the town with severe loss to the enemy, and returned with numerous prisoners, immense booty, and the thanks of the Burgundian chief. The same Earl was also present at the siege of Harfleur, in the subsequent reign; and under both sovereigns held many distinguished posts of high trust and honour. But returning from the last campaign in ill health, he died at his paternal seat of Arundel, where a magnificent monument, quartered with the royal arms of Portugal, attests his virtues and patriotic services. Of John Fitzalan, the eighth Earl, the public services and achievements, “during the French wars,” are not sufficiently prominent to demand any special notice in these pages; but John Fitzalan, the ninth Earl, is justly celebrated for his abilities both as a soldier and a senator. In the grand tournament[60] which took place in the French capital in honour of the coronation of Henry the Fifth, the English monarch, there was a brilliant display of all that was most dazzling to the eye, and daring to the imagination. But at the close of the scenes in which the pride and prowess of chivalry were never more strikingly exemplified, Arundel[61] and the Comte de St. Pol, grand master of the household, were acknowledged to have carried away the prize from every competitor[62].
Four years later, an event occurred which was destined to close his military career and carry him off in “the blaze of his fame.” This happened in an attack upon the old castle of Gerberoi, near Beauvais, during the operations of the English army in Picardy.
    Leaving Gournay at midnight, the Earl arrived in eight hours with the advanced guard in sight of the towers of Gerberoi. But in his impatience to reduce the fortress, he had miscalculated the strength of its walls and garrison, with the experience of its veteran commandant La Hire, and his own diminutive force. “The enemy,” says Holinshed, “perceiving that his horses were weary and his archers not yet come up, determined to set upon him before the arrival of his footmen, which they knew to be a mile behind.” As soon as he came in sight the gates were suddenly thrown open, and three thousand troops rushing upon the handful of men under his command, threw them into confusion. An unequal conflict ensued—struck with panic, and pressed by an overwhelming majority, the rout of the English became general. Arundel, with a few undaunted followers, who had sworn to share his glory or his grave, took up his position in “a little close” or corner of a field, where his rear was under cover of a strong hedge, threw up a hasty fortification of pointed stakes, and thus protected, kept the enemy at bay. But other and more powerful means of annoyance were at hand. La Hire ordered three culverins to be brought from the castle, and planted in front of the
    “forlorn hope.” The first shot told sadly upon the members of this intrepid band; but in the presence of their chief, nothing could damp their fortitude, nothing could paralyse their exertions. The first discharge was received with a shout of triumph and defiance. But the third striking Arundel in the knee, shattered the bone and threw him to the ground. This shot was the loss of the day. The French commander, seizing the favourable moment, rushed upon the entrenchment—and while Arundel, though faint with loss of blood and racked with pain, still continued to cheer on his men—effected a breach and took captive the gallant earl and his companions. Arundel survived the disaster for some time, but died at last of his wound, and was buried in the church of the Grey Friars—the Frères Mineurs—of Beauvais. In the collegiate church of Arundel, where he had previously selected his own place of interment, a cenotaph of beautiful design and elaborate workmanship still marks the spot; but, owing to some unknown cause, as Mr. Tierney informs us, “his executor neglected this last injunction;” and the soldier was not permitted to find rest in the sepulchre of his fathers. 1304. Humphrey, his son, became heir to his titles and estates; but, not surviving his father more than three years, they again passed to his uncle, William Fitzalan, then in his twenty-first year. The events of his life, however, are not of a character to interest the reader by any bright displays of moral excellence, which could be handed down as examples to posterity. “Obsequious—veering round with every change, Now to the liege professing homage fervent; Then as the sceptre dropp’d, could it seem strange That faction found him its most humble servant!” Yet with all his political faults, there was much in his private life and conversation—much in his munificence to the church—and still more in his encouragement of learning, to rescue his name from oblivion.
He died at Arundel, and was buried with his ancestors in the Chapel, where a splendid altar-tomb attests his love and patronage of the fine arts. In the preface to Caxton’s Golden Legende, honourable mention is made of the puissant, “noble and vertuous lorde, Willyam, Erle of Arundelle.” Dallaway quoting Vincent says—“William Earle of Arundell, a very father of nurture and courtesy, died at a great age at Arundell, and there triumphantly lieth buried.”
    His successor, Thomas Fitzalan, was a man whose address and accomplishments found ready acceptance at court, and secured the good-will and approbation of more than one sovereign. 1543. Henry Fitzalan, on succeeding his father this year, returned from Calais to England, and at Arundel kept the Christmas festivities in such style with his neighbours, that it is known, says the MS. Life quoted by Mr. Dallaway, as “the great Xmas of Arundel.” 1544. At the siege of Boulogne, in the following year, he was nominated by King Henry as marshal of the field. The siege on this occasion proved tedious; the town and garrison were resolute in their defence, and day after day the besiegers were baffled in their efforts to force them to a capitulation. At last, however, a mine, which had been successfully worked beneath the castle, was sprung at midnight; the explosion shook the whole citadel, and general confusion ensued. Seizing the favourable moment, Arundel ordered the battering ordnance to play with redoubled fury upon the walls; and
    heading at the same time a resolute detachment, took his station in the entrenchments. There, while the shot and shell struck and exploded in the ramparts over his head, he waited till a breach in the masonry was effected; and then throwing himself into the gap, cheered on his men to the assault. Inspired by their leader’s example, every soldier did his duty; the besieged were driven from the works; their guns were turned against themselves, the ramparts were cleared; capitulation was effected, and before morning the flag of England floated in triumph from the Castle of Boulogne.[63] But neither prowess in the field nor wisdom in the cabinet could exempt Arundel from the trials, calumnies, and persecutions of those who only saw, in the royal favour extended to him, a grand obstacle to their own advancement. After the demise of Henry, charges were accordingly brought against him, which—although never proved—formed the ground of his exclusion from the council, were attended with a heavy fine, and aggravated by imprisonment. The false evidence, however, on which these penalties were inflicted, being speedily detected, his confinement was very brief. A large portion of the fine was remitted, but the remembrance of such unmerited treatment was never to be effaced. Subsequently, on the exhibition of further charges against him, he was again sent to the Tower, where he was detained a close prisoner during thirteen months, and was then enlarged on payment of a heavy fine, and admonished to “behave himself according to the duty of a nobleman, and to prove in deeds what he professed in words.” But events were now fast hastening to a crisis. The demise of the royal minor, the elevation of Lady Jane Grey, the ebullitions of party violence—all spread universal excitement and alarm throughout the country.
Arundel, who had long fostered a spirit of secret enmity and revenge against Northumberland, as the author of his misfortunes, now perceived that the moment of retaliation was at hand. He invited and promised the full weight of his support to the Princess Mary in private; but in public he zealously espoused the cause of her rival, the Lady Jane; and was among the first who offered her homage, and swelled the magnificence of her entry into London. 1544. Northumberland was blinded by so much apparent devotion to the cause; and when he reluctantly quitted London to stem the torrent that was now rapidly setting in from the east, Arundel, says Stow, took leave of him in these specious and hollow terms: “Farewell, my lord; and I pray God be with your grace. Sorry indeed am I, that it is not my chance to go with you,
    and bear you company, in whose presence I could find in my heart to shed my blood, even at your feet.” But as soon as Northumberland was gone, Arundel changed his tone; denounced him as a traitor; declared his sentiments; and boldly asserted the sovereign right of the eldest daughter of Henry the Eighth. His fervid eloquence and appeal to the nobles present made a deep and visible impression. Pembroke[64], infected by the enthusiasm of the speaker, starting up, and grasping the hilt of his sword, exclaimed, “Either this sword shall make Mary queen, or I will die in her quarrel!” The result needs not be told. In an instant the whole aspect of affairs was changed. That very night Mary was proclaimed in every street of the city—banquets, bonfires, riots, and illuminations, were called to attest the fact. The news of the revolution were scattered in all points of the compass, and at Cambridge reached the Duke of Northumberland, who was astounded at what had happened, and felt all the paralysing influence of his critical position. When Arundel, whose revenge was now secure, arrived with the warrant for his apprehension, the duke threw himself upon his mercy, and implored him, says the Chronicler, “to be good to him for the love of God!” But Arundel coldly replied that his grace should have sought for mercy sooner, and then committing him to safe custody, ordered him off to the Tower. During the reign of Mary, Arundel had many honours heaped upon him, and filled several important offices of state; nor did court favour desert him on the accession of Elizabeth, who even made him her familiar companion, and became his frequent guest. She visited him at her splendid palace of Nonsuch, of which he was keeper; joined in all the revels in celebration of her visit; accepted at her departure a “cupboard of plate” and repaid him with assurances of cordial regard and unlimited confidence.
Flattered by such manifestations of royal favour, Arundel went so far in his loyal attachment as to become one of her Majesty’s impassioned suitors. He was a Catholic indeed, but love and loyalty were divinities to which religion had been often known to bend; and having given his vote and influence to all her state measures—and not weighing the “queen’s sincerity by his own”—he looked forward with bright anticipations of the future. But Elizabeth was as much an adept in manœuvring as the earl; her chief object had now been accomplished; she no longer required his services—she remembered his support of her sister Mary; and when Arundel ventured to
    address her as the royal Chloë of his admiration, the queen threw off the mask, and instead of receiving the homage thus tendered, in the sense it was meant, ordered the noble earl to be placed under arrest. Well might he exclaim— “Tantæne animis cœlestibus iræ?” The arrest however was soon removed; and with his enlargement a more rational course presented itself for his choice. His health requiring change of climate, he went abroad; and after spending fourteen months in travel beyond seas, he returned to London in a style that resembled the triumphant progress of a sovereign, and to present, as a peace-offering to her Majesty, “a pair of the first silk stockings[65] ever seen in England.” Once more restored to favour, he did not long maintain his position; but again lapsing into unlawful practices, by tampering in the question respecting Mary, Queen of Scotland, and the Duke of Norfolk, his son-in-law; he finally lost the queen’s countenance, and was recommitted as a prisoner to the palace of Nonsuch. The dreams of ambition were now past. On his liberation, he retired from the political world to spend the remainder of his days in study and domestic seclusion, where he could moralise on the mad projects of ambition, the vexations and vanities of court life. 1589. He died at Arundel House in the Strand, and was buried “with solemn pomp and costly funerall” in the collegiate Chapel of Arundel, where his monument is still an object of no common interest to the stranger. We shall next, in accordance with our plan, proceed to notice such passages in the history of the Howards, Earls of Arundel, as may best exhibit some of the public services, the extraordinary events, or striking incidents in which they have severally been engaged. In these sketches, however, we purpose to exemplify the character of each by authentic traits of conduct in the field and the cabinet; in the noon of fame, and in the night of misfortune.
In a review of their history and achievements, however, our notice, strictly speaking, ought to commence at that period when the titles of Arundel and Norfolk became first united in the same Peer. But the task will not be tedious, and cannot be uninteresting, to present our readers with a genealogical epitome of the Howards of Norfolk.
    The origin of this family is involved in obscurity, which the diligence of research appears to have rendered more obscure, making darkness visible. For antiquity’s sake, however, it is sufficient to state that the name was of some distinction in the 13th century; and that the ancestor of the present family, John Howard of Wigen Hall, in Norfolk, was a Judge of Common Pleas, summoned to Parliament by Edward the First, and distinguished for his talents and public services. 1298-1307. Sir Robert Howard, the fifth in regular descent, had the good fortune to contract a marriage alliance with the second daughter of Mowbray, Duke of Norfolk, and his Duchess Elizabeth, sister and co-heir of Thomas Fitzalan, Earl of Arundel. By her father’s side, the noble bride was a grand-daughter of Margaret Plantagenet, whose father—Thomas de Brotherton—was the fifth son of Edward the First. This alliance, by connecting Sir Robert and his descendants with the blood royal of England, opened a path to those splendid honours by which they were subsequently distinguished. Sir John Howard, his immediate descendant, was promoted during the reign of three successive sovereigns to many high 1483. posts of trust and dignity; and at last summoned to Parliament by the title of Baron
    Howard. Thirteen years later he was elevated to the highest title in the peerage; his son was created Earl of Surrey, by Richard the Third; he was invested with the hereditary office of Earl Marshal of England; dignities which his ancestors Mowbray, Thomas de Brotherton, and Roger Bigod, had severally enjoyed as Dukes of Norfolk. But the high honours thus showered upon him, were doomed very shortly after to be blasted. The battle of Bosworth was at hand; he had “touched the highest point of all his greatness,” and whilst— He bore his blushing honours thick upon him, The third day came a frost, a killing frost. The following letter, written only a very few days previous to the battle, and addressed to the Sheriff of Norfolk, is a document of no inconsiderable interest:—“To my well-beloved Friend John Paston, be this bill delivered in haste.—Well beloved Friend, I commend me to you, letting you to understand that the King’s enemies be a-land, and that the King would have set forth as upon Monday, but only for our Lady-day; but for certain he goeth forth as upon Tuesday, for a servant of mine hath brought to me the certainty. Whereupon I pray you that ye meet with me at Bury, as upon Tuesday night, and that ye bring with you such company of tall men, as ye may goodly make at my cost and charge; beside that which ye have promised the King; and I pray you, ordain them jackets of my livery, and I shall content you at your meeting with me—Your lover, J. Norfolk.”— Green. One of the most important days in the annals of Great Britain was now at hand. The royal family was nearly extinct; the nobility was sadly diminished and cut off; the nation itself was thinned of its best and bravest inhabitants—the sad results of twelve sanguinary engagements; and again two formidable armies had taken the field under two of the ablest politicians that ever hoisted the standard of ambition or revenge.
On this memorable day King Richard’s front was commanded by the subjects of this notice, John Duke of Norfolk, and his son, the Earl of Surrey; the second by Richard in person; and the right wing by Henry, Earl of Northumberland. Richmond’s front, being very inferior in numbers to that of his rival, was thinly extended over a wide surface, so as to present a more formidable appearance, and was commanded by John de Vere, Earl of Oxford, whose father and brother had both perished on the scaffold in
    support of the house of Lancaster. De Vere was also first-cousin to Norfolk, whose blood he was destined to shed on this disastrous field. The other divisions of Richmond’s army were led by Sir John Savage, and Sir Gilbert Talbot; while Richmond himself took up a conspicuous station in the field under his uncle the Earl of Pembroke. After a night of fearful preparation, Norfolk, in issuing forth early in the morning, discovered the following rhyme rudely pencilled on the door of his tent—sadly ominous of the event at hand— “Jack of Norfolk, be not too bold, For Dickon, thy master, is bought and sold[66].” The battle, now set in array, commenced with a discharge of arrows; after which, the Earl of Oxford, in order to concentrate his forces, issued a command, that every man should fight close to his standard. In this movement, Norfolk and Oxford, leading their respective vans, approached each other. With a rancour sharpened at this moment by their very relationship, each singled out the other as an object worthy of his lance. With cool determined intrepidity they dashed forward to the rencontre; and shivering their spears at the first thrust, drew their swords and resumed the trial of strength and skill. Rushing in upon his antagonist’s guard, Norfolk’s powerful arm made a sweeping blow at the head of De Vere; but the blade glancing down from his polished helmet failed in its effect, and only wounded him in the left arm.
    Quickly recovering his balance, and exasperated by the dread of discomfiture more than the pain of his wound, Oxford returned the blow with tremendous effect; hewed the visor from Norfolk’s helmet, and thereby exposed his face to the missiles that were falling in showers around them. Oxford, like a generous knight, disdaining to take advantage of his gallant adversary, instantly dropped the point of his weapon. But his forbearance did not save his noble kinsman; for, at the same instant, struck in the forehead by a shaft which penetrated the brain, Norfolk made a convulsive spring in the saddle, and fell prostrate on the field. Oxford, deeply affected by his death, sadly exclaimed—“A better knight cannot die, though he might in a better cause!” The result of this day needs not to be told; but the anecdote of the young Surrey, embarked in the same cause, and in fulfilment of the same oath of fidelity which bound his father to the standard of King Richard, is worth repeating in this place. During the heat of the battle, conscious of his father’s fall, and exhausted by extraordinary exertions of mind and body, he was surrounded by a powerful body of his antagonists, each of whom was ambitious to distinguish himself by disabling or making him prisoner. Observing at this moment the brave Sir John Stanley in the last charge, Surrey presented to him the hilt of his sword, and said, “The day is your own, there is my sword;
    let me die by yours—but not by an ignoble hand!” “God forbid,” replied the generous Stanley—“live for new honours. Stanley will never shed the blood of so brave a youth. No fault attaches to you! the error was your father’s!” “What!” rejoined Surrey, again recovering his sword; “does the noble Talbot insult the vanquished? Loyalty, Sir Knight, is the watchword of our house. My father revered the sacred authority of the king, though he lamented the errors of the man. Never shall I repent the choice I have made, seeing that it can leave no stain upon my honour. Whoever wears the crown, him will I fight for; nay, were it placed on nothing better than a stake in that hedge, I would draw my sword in its defence.” The same frank and gallant bearing in the presence of Richmond after the battle, secured for young Surrey the royal confidence. The scene is thus described by Sir John Beaumont, in his “Bosworth Field.”