IN2120 Information Security
Cryptography
Nils Gruschka
University of Oslo

Outline
What is cryptography?
Brief crypto history
Symmetric cryptography
Stream ciphers
Block ciphers
Hash functions
Asymmetric cryptography
Encryption
Diffie-Hellman key exchange
Digital signatures
Post-Quantum Crypto
Cryptography IN2120 2
Terminology
Cryptology: Cryptography and Cryptanalysis
Cryptography is the science of secret writing with the goal of hiding the meaning of a message.
Cryptanalysis is the science of breaking cryptography.
Cryptology covers both cryptography and cryptanalysis.

What can cryptography do?
Crypto can provide the following security services:
Confidentiality: Makes data unreadable to entities who do not have the appropriate cryptographic keys, even if they have the data.
Data Integrity: Entities with the appropriate cryptographic keys can verify that data is correct and has not been altered, either deliberately or accidentally.
Authentication: Entities who communicate can be assured that the other user/entity or the sender of a message is what it claims to be.
Digital Signature and PKI (Public-Key Infrastructure): Strong proof of data origin which can be verified by 3rd parties. Scalable (to the whole Internet) distribution of cryptographic keys.
Taxonomy of cryptographic functions
[Figure: Cryptographic Functions divide into Hash Functions, Symmetric Ciphers (one secret key used for both encryption and decryption; Block and Stream ciphers) and Asymmetric Ciphers (public key used for encryption and private key used for decryption).]

Evolution of Ciphers
[Figure: timeline (BC, AD, 1799, 1800, 1939, 1940, 1975, 1976, 2000, 2001) with the eras Classical, Medieval, Pre-WW2, WW2, Pre-2000 and Post-2000 ciphers. Labels: Transposition (Scytale), Substitution (Caesar cipher), Poly-alphabetic substitution (Vigenère, 1566), One-time pad (Vernam, 1916), Complex mechanics (Enigma), Substitution + Transposition, SP-networks, Info-theory (Shannon), DES (Feistel), Asymmetric crypto (Diffie, Hellman), AES (Rijmen & Daemen), Post-Quantum asymmetric crypto.]

Terminology
Encryption: plaintext (cleartext) M is converted into a ciphertext C under the control of a key k. We write C = E(M, k).
Decryption with key k recovers the plaintext M from the ciphertext C. We write M = D(C, k).
Symmetric ciphers: the secret key is used for both encryption and decryption.
Asymmetric ciphers: Pair of private and public keys where it is computationally infeasible to derive the private decryption key from the corresponding public encryption key.

Symmetric cryptography (secret key)
[Figure: Alice encrypts the plaintext message with the secret key and the encryption algorithm; Bob decrypts the ciphertext with the same secret key and the decryption algorithm to recover the plaintext.]
authorized to encrypt and decrypt
Strength of Ciphers
Factors for cryptographic strength:
Key size.
  Exhaustive key-search time depends on the key size.
  Typical key size for a symmetric cipher is 256 bit.
  Attacker must try 2^256 / 2 keys on average to find the key, which would take millions of years, which is not practical.
  With N different keys, the key size is log2(N).
Algorithm strength.
  Key discovery by cryptanalysis can exploit statistical regularities in the ciphertext.
  To prevent cryptanalysis, the bit-patterns / characters in the ciphertext should have a uniform distribution, i.e. all bit-patterns / characters should be equally probable.

Historic ciphers, like the Caesar Cipher, are weak because they fail to hide statistical regularities in the ciphertext.
[Figures: Letter frequencies in English; Caesar Cipher]
Claude Shannon (1916-2001)
The Father of Information Theory
MIT / Bell Labs
Information Theory
  Defined the binary digit (bit) as information unit
  Defined information entropy to measure amount of information
Cryptography
  Model of secrecy systems
  Defined perfect secrecy
  Principle of S-P encryption (substitution & permutation) to hide statistical regularities

S-P Network
Removes statistical regularities in ciphertext
Substitutions & Permutations
  Substitute bits e.g. 0001 with 0110
  Permute parts e.g. part-1 to part-2
relationship between input and output
influences many output bits
Iterated S-P functions a specific number of times
Functions must be invertible
[Figure: plaintext passes through alternating layers of S (substitution) boxes and P (permutation) stages to produce the ciphertext.]

AES - Advanced Encryption Standard
DES (Data Encryption Standard) from 1977 had a 56-bit key and a 64-bit block. In the mid-1990s DES could be cracked with exhaustive key search.
In 1997, NIST announced an open competition for a new block cipher to replace DES.
Rijndael (designed by Vincent Rijmen and Joan Daemen from Belgium) was nominated as AES (Advanced Encryption Standard) in 2001.
AES has key sizes of 128, 192 or 256 bit and block size of 128 bit.

Block Cipher
[Figure: plaintext blocks (n bits) and the key enter the block cipher, which outputs ciphertext blocks (n bits).]
Block Ciphers: Modes of Operation
Block ciphers can be used in different modes in order to provide specific security protection.
Common modes include:
  Insecure: Electronic Code Book (ECB)
  Secure: Cipher Block Chaining (CBC), Output FeedBack (OFB), Cipher FeedBack (CFB), CounTeR Mode (CTR)

Electronic Code Book (ECB)
Simplest mode of operation
Plaintext data is divided into blocks M1, M2, ..., Mn
Each block is then processed separately
Plaintext block and key used as inputs to the encryption algorithm
[Figure: each plaintext block M1, M2, ..., Mn is encrypted with key K to give C1, C2, ..., Cn; each ciphertext block is decrypted with K to recover M1, M2, ..., Mn.]
Electronic Code Book (ECB-mode)
THIS IS A SIMPLE PLAINTEXT MESSAGE.
Encryption Encryption Encryption
X&jÜ Ji8(clÄ+#/2Haq% 7Ö1k5a$jA~Kq1 ü

Vulnerability of ECB-mode
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Encryption Encryption Encryption
Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0
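The ECB weakness illustrated above, as an added example that is not part of the original slides: identical plaintext blocks give identical ciphertext blocks in ECB, while counter (CTR) mode hides the repetition. The block cipher here is a toy 4-round Feistel network built from SHA-256, an assumption standing in for a real cipher such as AES; all function names, the key and the nonce are constructed for illustration.

```python
import hashlib

BLOCK = 16            # block size in bytes (128 bit, as for AES)
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Feistel round function: keyed hash of one half, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    """Toy 4-round Feistel network; a stand-in for a real block cipher."""
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, _xor(left, _round(right, key, i))
    return left + right


def decrypt_block(block: bytes, key: bytes) -> bytes:
    """Inverse of encrypt_block: the same rounds in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(left, key, i)), left
    return left + right


def ecb_encrypt(msg: bytes, key: bytes) -> bytes:
    # ECB: every block is encrypted separately with the same key.
    if len(msg) % BLOCK:
        raise ValueError("message must be a multiple of the block size")
    return b"".join(encrypt_block(msg[i:i + BLOCK], key)
                    for i in range(0, len(msg), BLOCK))


def ctr_encrypt(msg: bytes, key: bytes, nonce: bytes) -> bytes:
    # CTR: encrypt nonce||counter to get a key stream and XOR it onto the data.
    # The same call decrypts. The 8-byte nonce must never repeat under one key.
    out = bytearray()
    for n, i in enumerate(range(0, len(msg), BLOCK)):
        stream = encrypt_block(nonce + n.to_bytes(HALF, "big"), key)
        out += _xor(msg[i:i + BLOCK], stream)
    return bytes(out)


def distinct_blocks(data: bytes) -> int:
    """Number of different 16-byte blocks in data."""
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


if __name__ == "__main__":
    key = b"constructed demo key"      # constructed sample values
    msg = b"A" * 48                    # three identical plaintext blocks
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(msg, key)))
    print("CTR distinct blocks:",
          distinct_blocks(ctr_encrypt(msg, key, b"nonce-01")))
```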
CTR
Counter Mode

One-Time-Pad (Gilbert Vernam, 1917)
[Figure: Alice and Bob hold the same shared secret OTP key K = k1, k2, k3 ... ki. Alice encrypts the plaintext message M by bitwise XOR addition, ci = mi ⊕ ki, and sends the ciphertext c1, c2, c3 ... ci; Bob decrypts by bitwise XOR addition, mi = ci ⊕ ki.]
Property of bitwise XOR addition: ki ⊕ ki = 0 and mi = ci ⊕ ki = mi ⊕ ki ⊕ ki
OTP offers perfect security assuming the OTP key is perfectly random, of same length as the message, and only used once
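The XOR property and the three OTP conditions above, as an added example that is not part of the original slides. It shows decryption, why a ciphertext alone says nothing about the plaintext (every same-length candidate is explained by some key), and what is lost when a key is used twice; the function names and messages are constructed for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Bitwise XOR addition; the OTP key must be as long as the message.
    if len(a) != len(b):
        raise ValueError("key and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    # Random key from the operating system's CSPRNG, one byte per message byte.
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    return xor_bytes(message, key)          # ci = mi XOR ki


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)       # mi = ci XOR ki


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    # Perfect secrecy: for ANY candidate plaintext of the same length there is
    # a key that decrypts the ciphertext to it, so all candidates stay possible.
    return xor_bytes(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # If one key encrypts two messages, the key cancels out (ki XOR ki = 0):
    # c1 XOR c2 = m1 XOR m2, which exposes the relation between the plaintexts.
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m1, m2 = b"MEET AT NOON", b"MEET AT FOUR"   # constructed messages
    key = otp_keygen(len(m1))
    c1, c2 = otp_encrypt(m1, key), otp_encrypt(m2, key)   # key reuse: wrong
    print(otp_decrypt(c1, key))
    print(reuse_leak(c1, c2) == xor_bytes(m1, m2))
```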
The perfect cipher: One-Time-Pad
Old version used a paper tape of random data
Modern versions can use DVDs with Gbytes of random data

Block Cipher vs. Stream Cipher
[Figure: Block cipher: plaintext blocks (n bits) and the key enter the block cipher, which outputs ciphertext blocks (n bits). Stream cipher: the key drives a key stream generator; the key stream is combined with the plaintext stream to give the ciphertext stream.]
Note that the key stream repeats itself and is not totally random, hence a stream cipher is not a One-Time-Pad.
INTEGRITY CHECK FUNCTIONS

Hash Functions
Idea:
characteristic for the large dataset or
(Extremely simple) example: take the last 4 digits of a credit card number
Hash functions (message digest functions)
Requirements for a one-way hash function h:
1. Ease of computation: given x, it is easy to compute h(x).
2. Compression: h maps inputs x of arbitrary bitlength to outputs h(x) of a fixed bitlength n.
3. One-way: given a value y, it is computationally infeasible to find an input x so that h(x)=y.
4. Collision resistance: it is computationally infeasible to find x and , where x , with h(x)=h( ) (note: two variants of this property).

Properties of hash functions
[Figure: four panels: Ease of computation; Pre-image resistance; Collisions exist but are hard to find; Weak collision resistance (2nd pre-image resistance) and Strong collision resistance.]
Applications of hash functions
Comparing files
Protection of password
Authentication of SW distributions
Bitcoin
Generation of Message Authentication Codes (MAC)
Digital signatures
Pseudo number generation/Mask generation functions
Key derivation

Well-known hash functions
MD5 (1991): 128 bit digest. Relatively easy to break by finding collisions, due to short digest and poor design. Not to be used in new applications, but may be used in legacy applications.
SHA-1 (Secure Hash Algorithm): 160 bit digest. Designed by NSA in 1995 to operate with DSA (Digital Signature Standard). Attacks exist. Not recommended, but sometimes still in use.
SHA-2 designed by NSA in 2001 provides 224, 256, 384, and 512 bit digest. Considered secure. Replacement for SHA-1.
SHA-3: designed by Joan Daemen + others in 2010. Standardized in 2015. Digest of: 224, 256, 384, and 512 bit. SHA-3 has little use, because SHA-2 is considered strong.
Hash Function for Integrity Protection
[Figure: Alice computes the hash h(M) of message M with the hash function; the message hash is sent together with message M; Bob computes the hash h( ) of the received message with the same hash function.]
Verify h(M) = h( )

Message Authentication Codes
A message M with a simple message hash h(M) can be changed by attacker.
In communications, we need to verify the origin of data, i.e. we need message authentication.
MAC (message authentication code) can use hash function as h(M, k) i.e. with message M and a secret key k as input.
To validate and authenticate a message, the receiver has to share the same secret key used to compute the MAC with the sender.
A third party who does not know the key cannot validate the MAC.

Practical message integrity with MAC
[Figure: Alice computes the MAC h(M,K) over message M with the MAC function and the shared secret key; the MAC is sent together with message M; Bob computes the MAC h( ) over the received message with the same MAC function and shared secret key.]
Verify h(M,K) = h( )

MAC and MAC functions
Terminology
  MAC is the computed message authentication code h(M, k)
  MAC function is the algorithm used to compute a MAC
MAC functions, a.k.a. keyed hash functions, support data origin authentication services.
Different types of MAC functions, e.g.
  HMAC (Hash-based MAC algorithm)
  CBC-MAC (CBC based MAC algorithm)
  CMAC (Cipher-based MAC algorithm)
Modern encryption modes (e.g. AES-GCM) perform encryption and MAC calculation at the same time
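The difference between a plain message hash and a MAC described above, as an added example that is not part of the original slides. It uses HMAC-SHA256 from the Python standard library as the MAC function; the message, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac


def protect_with_hash(message: bytes):
    # Unkeyed integrity check: anyone can compute h(M).
    return message, hashlib.sha256(message).digest()


def verify_hash(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def protect_with_mac(message: bytes, key: bytes):
    # Keyed check h(M, k): only holders of the shared secret key can compute it.
    return message, hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(message: bytes, tag: bytes, key: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def modify_in_transit(message: bytes, check: bytes):
    # Models a change on the channel by someone who knows the hash function
    # but not the key: the message is altered and the unkeyed hash recomputed.
    altered = message.replace(b"100", b"900")
    return altered, hashlib.sha256(altered).digest()


if __name__ == "__main__":
    key = b"constructed shared secret key"       # constructed sample values
    msg = b"pay Bob 100 NOK"
    print("hash accepts altered message:",
          verify_hash(*modify_in_transit(*protect_with_hash(msg))))
    print("MAC accepts altered message: ",
          verify_mac(*modify_in_transit(*protect_with_mac(msg, key)), key))
```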
PUBLIC-KEY CRYPTOGRAPHY

Problem of symmetric key distribution
Shared key between each pair
In network of n users, each participant needs n-1 keys.
Number of exchanged secret keys: n(n-1)/2 = number of glasses touching at cocktail party
Grows exponentially, which is a major problem.
Is there a better way? Public-key cryptography
[Figures: Network of 5 nodes; Cocktail party]
James H. Ellis (1924-1997)
Inventor of pub-key crypto, but received little recognition
British engineer and mathematician
Worked at GCHQ (Government Communications Headquarters)
Idea of non-secret encryption to solve key distribution problem
Encrypt with non-secret information in a way which makes it impossible to decrypt without related secret information
Never found a practical method

Clifford Cocks (1950- )
Inventor of RSA algorithm in 1973, recognized in 1998
British mathematician and cryptographer
Silver medal at the International Mathematical Olympiad, 1968
Worked at GCHQ (equivalent to NSA)
Heard from James Ellis the idea of non-secret encryption in 1973
Spent 30 minutes in 1973 to invent a practical method
Equivalent to the RSA algorithm
Was classified TOP SECRET
Result revealed in 1998
Fellow of the British Royal Society in 2015.

Malcolm J. Williamson (1950-2015)
Inventor of key exchange but received little recognition
British mathematician and cryptographer
Gold medal at the International Mathematical Olympiad, 1968
Worked at GCHQ until 1982
Heard from James Ellis the idea of non-secret encryption, and from Clifford Cocks the practical method.
Intrigued, spent 1 day in 1974 to invent a method for secret key exchange without secret channel
Equivalent to the Diffie-Hellman key exchange algorithm

Ralph Merkle, Martin Hellman and Whitfield Diffie
Merkle invented (1979) the Merkle Hash Tree and the Merkle Digital Signature Scheme, used e.g. in Bitcoin. Resistant to quantum computers.
Diffie & Hellman (1976) invented a practical key exchange algorithm with discrete exponentiation.
D&H defined public-key encryption (equiv. to non-secret encryption) (1976)
Defined digital signature
Diffie-Hellman Key Exchange
Alice picks private random integer a and sends g^a mod p to Bob.
Bob picks private random integer b and sends g^b mod p to Alice.
Alice computes the shared secret (g^b)^a = g^ab mod p.
Bob computes the same shared secret (g^a)^b = g^ab mod p.
Attackers can not recover the integers a or b because discrete logarithm of large integers is computationally difficult. Hence, attackers are unable to compute the secret key = g^ab mod p.

Diffie-Hellman Key Exchange
Problem:
  Provides no authentication
  Alice and Bob can not be sure with whom they are communicating
  Man-in-the-middle attack possible
Applications:
  IKE (Internet Key Exchange), part of IPSec (IP Security)
  TLS (Transport Layer Security)
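The exchange above and the consequence of its missing authentication, as an added example that is not part of the original slides. The group (p = 2^127 - 1, g = 3) is a toy assumption that is far too small for real use, and the function names are constructed for illustration.

```python
import secrets

# Toy group parameters (assumption for this example): p is the Mersenne prime
# 2**127 - 1. Real deployments use standardized groups of 2048 bits or more,
# or elliptic curves.
P = 2**127 - 1
G = 3


def keypair():
    private = secrets.randbelow(P - 3) + 2     # random integer in [2, p-2]
    return private, pow(G, private, P)         # (a, g^a mod p)


def shared_secret(own_private: int, peer_public: int) -> int:
    return pow(peer_public, own_private, P)    # (g^b)^a = g^ab mod p


def honest_exchange():
    a, pub_a = keypair()                       # Alice
    b, pub_b = keypair()                       # Bob
    return shared_secret(a, pub_b), shared_secret(b, pub_a)


def exchange_with_substituted_values():
    """Model of the missing authentication: a party in the middle replaces
    both public values with its own, and neither side can tell."""
    a, pub_a = keypair()                       # Alice
    b, pub_b = keypair()                       # Bob
    m, pub_m = keypair()                       # party in the middle
    alice_key = shared_secret(a, pub_m)        # Alice believes pub_m is Bob's
    bob_key = shared_secret(b, pub_m)          # Bob believes pub_m is Alice's
    middle_keys = (shared_secret(m, pub_a), shared_secret(m, pub_b))
    return alice_key, bob_key, middle_keys


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange, same secret:", ka == kb)
    ak, bk, (ma, mb) = exchange_with_substituted_values()
    print("substituted values, Alice and Bob agree:", ak == bk)
    print("middle party shares a key with each side:", ak == ma and bk == mb)
```

Protocols such as TLS and IKE close this gap by authenticating the exchanged public values, for example with digital signatures.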
Ron Rivest, Adi Shamir and Len Adleman
Read about public-key cryptography in 1976 article by Diffie & Hellman:
Intrigued, they worked on finding a practical algorithm
Spent several months in 1976 to re-invent the method for non-secret/public-key encryption discovered by Clifford Cocks 3 years earlier
Named RSA algorithm

Asymmetric Encryption: Basic encryption operation
[Figure: Alice takes Bob's public key from her public-key ring and encrypts plaintext M with asymmetric encryption, C = E(M,Kpub(B)); Bob decrypts ciphertext C with his private key using asymmetric decryption, M = D(C,Kpriv(B)).]
Uses a pair of keys: public key and private key
Asymmetric Ciphers: Examples of Cryptosystems
RSA: best known asymmetric algorithm.
  RSA = Rivest, Shamir, and Adleman (published 1977)
  Historical Note: U.K. cryptographer Clifford Cocks invented the same
ElGamal Cryptosystem
  Based on the difficulty of solving the discrete log problem.
Elliptic Curve Cryptography
  Based on the difficulty of solving the EC discrete log problem.
  Provides same level of security with smaller key sizes.

Hybrid Cryptosystems
Symmetric ciphers are faster than asymmetric ciphers (because they are less computationally expensive), but ...
Asymmetric ciphers simplify key distribution, therefore ...
a combination of both symmetric and asymmetric ciphers can be used in a hybrid system:
  The asymmetric cipher is used to distribute a randomly chosen symmetric key.
  The symmetric cipher is used for encrypting bulk data.
Hybrid Cryptosystems
[Figure: Alice generates a secret symmetric key K and encrypts it with Bob's public key Kpub(B) from her public-key ring, E(K,Kpub(B)); Bob decrypts the encrypted key K with his private key Kpriv(B), so both hold the shared secret symmetric key K. Alice encrypts plaintext M with symmetric encryption, C = E(M,K); Bob recovers it with symmetric decryption, M = D(C,K).]

DIGITAL SIGNATURES
Non-repudiation?
[Figure: Alice and Bob hold a shared secret key; symmetric authentication with a MAC.]
"The MAC was made with the secret key, so I know that Alice sent the message."
"But you have the same secret key, so maybe you sent the message."

Digital Signature Mechanisms
A MAC cannot be used as evidence to be verified by a 3rd party (details below)
Digital signatures can be verified by 3rd party
Used for non-repudiation, data origin authentication and data integrity
Digital signature mechanisms have three components:
  key generation
  signing procedure (private)
  verification procedure (public)

Digital signature: Basic operation
[Figure: Alice signs plaintext M with her private key (signing, an encryption operation): C = E(M,Kpriv(A)), giving C = (Signed M). Bob takes Alice's public key from his public-key ring and validates (a decryption operation): M = D(C,Kpub(A)).]

Practical digital signature based on hash value
[Figure: Alice computes hash h(M) and signs the hashed message with her private key: Sig = E(h(M),Kpriv(A)). The digital signature is sent with plaintext M. Bob recovers the hash from Sig with Alice's public key, h(M) = D(Sig,Kpub(A)), and computes hash h( ) of the received plaintext.]
Verify h(M) = h( )
In practical applications, message M is not signed directly, only a hash value h(M) is signed.
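The hash-then-sign operation above, as an added example that is not part of the original slides, written with the slide's notation in the comments. It uses textbook RSA without padding and a toy key built from two known Mersenne primes, an assumption that is far too small and too simple for real use; the names and messages are constructed for illustration.

```python
import hashlib

# Toy RSA key pair for Alice (assumption for this example): a modulus of
# about 150 bits and no padding scheme. Real signatures use keys of 2048 bits
# or more together with a standardized padding scheme.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                                # Kpub(A)  = (N, E), known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))        # Kpriv(A) = (N, D), known to Alice only


def h(message: bytes) -> int:
    # Hash value of the message, reduced into the range of the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    # Signing procedure (private): Sig = E(h(M), Kpriv(A))
    return pow(h(message), D, N)


def verify(message: bytes, sig: int) -> bool:
    # Verification procedure (public): recover h(M) = D(Sig, Kpub(A)) and
    # compare it with the hash of the received plaintext. Only N and E are
    # used, so any third party can run this check but cannot create Sig.
    return pow(sig, E, N) == h(message)


if __name__ == "__main__":
    msg = b"pay Bob 100 NOK"             # constructed sample message
    sig = sign(msg)
    print("original message verifies:", verify(msg, sig))
    print("altered message verifies: ", verify(b"pay Bob 900 NOK", sig))
```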
Non-repudiation
[Figure, top: Alice and Bob hold a shared secret key; symmetric authentication with a MAC.]
"The MAC was made with the secret key, so I know that Alice sent the message."
"But you have the same secret key, so maybe you sent the message."
[Figure, bottom: Alice holds the private key, Bob the public key; non-repudiatable authentication with a digital signature.]
"The message was signed by Alice, so I know that she sent the message."
"You are right, only Alice could have signed the message."

POST-QUANTUM CRYPTOGRAPHY
DN.no, December 1 2017

Principle of Quantum Computing
Quantum Computing (QC) uses quantum superpositions instead of binary bits to perform computations.
Experimental Quantum Computer
Quantum algorithms, i.e. algorithms for quantum computers, can solve certain problems much faster than classical computer algorithms.
QC Threat to Traditional Cryptography
logarithms efficiently. With a powerful quantum computer (at least 1 million
algorithms.
-force search for a k-bit secret key with an effort of only
which effectively doubles the required key sizes for ciphers.
QC has been dismissed by most cryptographers until recent years.
General purpose quantum computers do not currently exist but are predicted to be built in foreseeable future.

Cryptographic Functions and Services
[Figure: functions (Symmetric encryption; Hash functions; Asymmetric encryption & digital signature (Traditional), e.g. RSA, ECC, Diffie-Hellman) and services (Confidentiality; Authenticity / Integrity; Digital Signature; PKI / key distribution; Confidentiality), with the label "Quantum Threat".]
Cryptographic Functions and Services
[Figure: functions (Symmetric encryption; Hash functions; PQ Asymmetric encryption & digital signature (Post-Quantum), e.g., Lattice-based, Multivariate, Hash-based, Code-based, Elliptic curve isogeny) and services (Confidentiality; Authenticity / Integrity; Digital Signature; PKI / key distribution; Confidentiality).]
Thanks to PQ Crypto we can still use DigSig and PKI even with quantum computers

Collapse of traditional asymmetric crypto?
[Figure: quantum computer qubit size (logarithmic scale, ticks from 1000 to 10.000.000) against year (2020 to 2090), marking a 50 qubit computer, a very uncertain prediction of 1 million qubit, and the regions "Collapse" and "No collapse".]
PQC already works
Many initiatives for prototyping PQC in real applications
Version of Chrome Browser with PQC TLS
Disadvantage of PQC is high complexity and computation load

END OF LECTURE