Swenson bindex.tex V1 - 01/29/2008 1:28pm Page 229

Index

A
addition, sum of two points, 53–57
AddRoundKey operation, Rijndael encryption algorithm, 123, 127
Adleman, Leonard, 49
Advanced Encryption Standard (AES)/Rijndael), Rijndael encryption algorithm, 123–127
affine equations, 168
algebra, 43–48
  associativity, 45
  finite fields, 45–48
  functions in, 44
  identity elements, 44–45
  inverse elements, 44–45
  operations in, 43–44
algorithm(s), 62–67
  exponential-time, 63, 68
  factorization, categorizing, 68
  linear, 63
  order (Big-Oh), 62–64
  polynomial-time, 63
  running time, 63–64
  and storage complexity, 63
  subexponential, 63
  superpolynomial-time, 63
  writing
    best approach, 64–65
    invented programming language, 64
    programming language, 64
    pseudocode, 64
    in Python, 65–67
alphabets, keyed alphabets, 4–5
AND operator, 93
associativity, algebraic, 45
asymmetric logarithms, defined, 91
attacks
  , 220–222
  brute force attack, 150–151
  chosen- attack, 150
  chosen- attack, 150
  ciphertext-only attack, 149
  collision attack, 162
  Hellman time-space trade-off, 153–154
  , 222–223
  known-plaintext attack, 149
  meet-in-the-middle attack, 151–152
  miss-in-the-middle attack, 217–218
  pre-image attack, 162
  probable plaintext attack, 149–150
  , 158–162

B
baby-step giant-step algorithm, 82–83
  analysis of, 83
  discrete logarithm, computing, 82–83
bias
  linear, 169, 175–178
  random number generators, 144
big endian, 92, 94
binary numbers, conversion to hexadecimal (table), 93
binary XOR long division, 125–126
binomial coefficient, 27
birthday paradox
  collision in, 32–33, 162
  as cryptographic tool, 36
  probability, measuring, 32–36
bit mask, 104
bit operations, 94–95
block
  Advanced Encryption Standard (AES)/Rijndael), 122–129
  block in, 91
  blowfish, 120–122
  cipher block chaining (CBC), 131–132
  cipher feedback mode (CFM), 133
  counter (CTR) mode, 133
  (DES), 110–114
  defined, 2, 91
  electronic codebook (ECB), 129–131
  fast encipherment algorithm (FEAL), 114–119
  Feistel structures, 106–109
  hash algorithms, 138–142
  message digests, 137, 140–141
  one-time pad, 145–146
  output feedback (OFB) mode, 133
  , 132–133
  P-boxes, 98–101
  product ciphers, 95–96
  random number generators, 143–145
  shift registers, 100
  , 134–136
  , 133
  substitution-permutation networks, 100–106
  substitutions, 96–98
block replay, and electronic codebook (ECB), 130–131
Blowfish, 120–122
  compared to DES, 120
  encryption algorithm, 121
  schedule, 120–121
  P-values, 120–121
  round function, 121–122
  S-boxes, 120–121
Boolean expressions, in Python, 67
boomerang attack, 220–222
brute force algorithms, 68–70
  advantages of, 70
  analysis of, 69–70
  for discrete logarithms, 82
  factoring by, 68–70
  pre-computing, 82
brute force attacks, 150–151
  advantages of, 151
bytes, 92

C
Caesar cipher, 2–3
chain collisions, 155, 157
characteristic
  conditional characteristics, 213–214
  differential cryptanalysis, 196
  iterative, 200, 207
  S-boxes, combining, 200–201
checksums
  functions of, 139
  hashing algorithm, 37–38
chosen-ciphertext attacks, 150
chosen-plaintext attacks, 150, 158, 160
(s)
  keying, 4–6
  monoalphabetic, 2–4
  polyalphabetic, 7–8
  transposition, 9–10
cipher block chaining (CBC), 131–132
  decryption algorithms, 131
  encryption algorithm, 131
cipher feedback mode (CFM), 133
  keystream, 133
ciphertext-only attack, 149
COCONUT98 algorithm, 222
coin flip, probability, 26
collision(s)
  in birthday paradox, 32–33, 162
  chain collision, 155, 157
  defined, 162
  probability of, 32–33
  and rainbow tables, 157
collision attacks
  defined, 162
  types of, 162
columnar transposition ciphers
  breaking
    digraph, 18–20
    sliding window technique, 19–21
    trigraph, 18–20
  elements of, 9–10
commutative group, 45
complementation slide attacks, 161–162
complete set of residues (CSR), 41
complex numbers, defined, 39
conditional characteristics, 213–214
conditionals, in Python, 67
congruence
  congruence class, 41
  defined, 40
  Euler totient, 42–43
  modulus, 40–41
continued fraction factorization, 79–80
  analysis of, 79
  continued fractions, defined, 79
  floor function, 79
  quadratic residues, finding, 79–80
counter (CTR) mode, 133
cryptanalysis
  columnar transposition ciphers, breaking, 18–21
  differential cryptanalysis, 195–226
  double columnar transposition ciphers, breaking, 21–23
  hash functions, 162–163
  , 167–192
  monoalphabetic ciphers, breaking, 11–15
  polyalphabetic ciphers, breaking, 15–18
  random number generators, 163–165
  time-space trade-offs, 151–158
cryptanalysis algorithms, as finite, 39–40
cryptograms, 1
cryptographic hash algorithm
  defined, 38
  digital signatures, 138–139
  one-way hashes, 38
cryptographic hash functions, 138–139
cryptoquips, 1
cyclic redundancy checks (CRC), 139–140

D
Daemen, Joan, 123
Data Encryption Standard (DES), 110–114
  DESX, 113
  differential cryptanalysis, 207–210
  encryption algorithm, 110
  , 111
  linear cryptanalysis, 181–184
  Randomized DES, 213–214
  round function, 110–112
  successor to. See Advanced Encryption Standard (AES)/Rijndael)
  3DES, 112–113, 152, 225–226
decryption algorithms
  cipher block chaining (CBC), 131
  Feistel structures, 109
  Rijndael algorithm, 127–128
  Skipjack, 136
demultiplexing
  fast encipherment algorithm (FEAL), 117–118
  Python for, 104
dependence
  dependent events, 28
  versus independent events, 28
  probability, measuring, 27–32
dice roll, probability, 27–28
differential cryptanalysis
  advantages of, 210–211
  boomerang attack, 220–222
  characteristic, 213–214
  characteristics in, 196
  Data Encryption Standard (DES), 207–210
  defined, 195
  differential-linear cryptanalysis, 211–212
  differentials in, 196
  Easy1 cipher, 197–198, 201–202, 205
  fast encipherment algorithm (FEAL), 207
  Feistel structures, 206–207
  higher-order differentials, 214–215
  impossible differentials, 217–219
  interpolation attack, 222–223
  key derivative, 202–203
  probability, 196, 210
  in Python, 203–206
  related-key attack, 223–226
  s-box differentials, 197–201
  second-order differentials, 214–215
  truncated differentials, 216–217
Diffie-Hellman Protocol
  as discrete logarithm, 81
  elements of, 51–52
  with elliptical curve, 59
  on finite field, 81
digital signatures, cryptographic hash algorithm, 138–139
digraph, columnar transposition ciphers, breaking, 18–20
discrete logarithm(s), 51–52, 81–86
  baby-step giant-step algorithm, 82–83
  brute force method, 82
  compared to continuous logarithm, 51
  defined, 81
  Diffie-Hellman Key Exchange Protocol, 51–52, 59, 81
  elements of, 51
  index calculus method, 86
  Pollard’s λ logarithm for, 83–85
  Pollard’s rho (ρ) method for, 83–85
distinguished endpoint method, 156
divisibility, prime numbers, 39
double columnar transpositions
  breaking
    method of, 21–22
  elements of, 10

E
Easy1 cipher
  differential cryptanalysis, 197–198, 201–202, 205
  linear cryptanalysis, 175–179
  operation of, 102
  in Python, 102–106, 116–117
  substitution-permutation networks, 101–102
electronic codebook (ECB), 129–131
  weaknesses of, 130–131
El Gamal public key encryption, 81
elliptical curve factorization method (ECM), 77–78
  analysis of, 78
  factoring example, 77–78
elliptic curve(s), 52–59
  defined, 52
  Diffie-Hellman Key Exchange Protocol applied to, 59
  infinity, point at, 53–55
  operations, performing, 58
  points, adding, 53–57
  tangent to curve, 55
  Weierstrass form, 53
elliptic curve cryptography, 57–59
  advantages of, 52
  information, representing as points on curve, 57–58
encryption algorithms
  blowfish, 121
  cipher block chaining (CBC), 131
  Data Encryption Standard (DES), 110
  Feistel structures, 107–108
  Rijndael algorithm, 123–127
  Skipjack, 134–135
Euclidean algorithm, 46–48
  defined, 47
  extended Euclidean algorithm, 48
  inverse of finite field, finding, 46–48
Euler totient theorem, 42–43
exponential factoring, 68–70
  brute force, 68–70
  discrete logarithms, 81–86
  elliptical curve factorization method (ECM), 77–78
  Fermat’s difference of squares, 70–72
  Pollard’s p − 1 method, 75–76
  Pollard’s rho (ρ) method, 72–75
  forms factorization, 76–77
  subexponential factoring, 78–81
exponential time algorithms, defined, 63, 68
extended Euclidean algorithm
  elements of, 48
  with RSA algorithm, 50

F
factorial, of number, defined, 27
factoring-based cryptography, 49–51
  RSA algorithm, 49–51
factorization
  elements of, 61–62
  elliptical curve factorization method (ECM), 77–78
  factoring problem, in cryptography, 49
  exponential factoring methods, 67–78
  index calculus method, 86
  and RSA algorithm, 62
  speed, meaning of, 67–68
  subexponential factoring methods, 78–81
  See also individual methods
fast encipherment algorithm (FEAL), 114–119
  differential cryptanalysis, 207
  encryption structure, 115
  key-generating function, 116–117
  key schedule, 119
  multiplexing/demultiplexing, 117–118
  round function, 117–118
  S-function, 114–116
FEAL. See fast encipherment algorithm (FEAL)
Feistel, Horst, 106, 109
Feistel structures, 106–109
  decryption algorithm, 109
  differential cryptanalysis, 206–207
  encryption algorithm, 107–108
  operation of, 107–109
  round function, 106–109
  slide attacks, 160
  unbalanced, 107
Fermat’s difference of squares, 70–72
  analysis of, 72
  factoring with, 70–72
Fermat’s little theorem, and Pollard’s p − 1 method, 75–76
finite fields
  defined, 45
  as Galois fields, 45
  inverses, Euclidean algorithm, 46–48
flipping, and XOR operator, 94
floor function, continued fraction factorization, 79
fraction(s), continued fractions, 79
frequency analysis
  frequency distribution table, producing, 11–13
  monoalphabetic ciphers, breaking, 11–12
functions
  algebraic, 44
  in Python, 67

G
Galois fields, finite fields as, 45
general number field sieve, factoring by, 80–81
German Enigma machine, 217
glue operator, 94
GOST cipher, related-key attack, 224
greatest common divisor (GCD), 39
group(s)
  abelian group, 45
  commutative group, 45

H
hash algorithms
  checksums, 139
  collision attack, 37
  cryptographic hashes, 37–38
  cyclic redundancy checks (CRC), 139–140
  multi-hash security, 163
  preimage attack, 37
  Secure Hash Algorithm 1 (SHA-1), 141–143
hash functions
  cryptanalysis of, 162–163
  cryptographic hash functions, 138–139
  elements of, 138
  multi-hash security, 163
Hellman time-space trade-off, 153–154
Heys, Howard, 168
higher-order differentials, 214–215

I
identity elements, 44–45
impossible differentials, 217–219
independent events
  birthday paradox, 32
  versus dependent events, 28
index calculus method, discrete logarithm, computing, 86
index of coincidence
  monoalphabetic ciphers, breaking, 12–15
  polyalphabetic ciphers, breaking, 16
infinity, point at, elliptic curves, 53–54
integers, defined, 38–39
interpolation
  defined, 222
  interpolating polynomial, 222–223
  Lagrange interpolating polynomial, 223
interpolation attack, 222–223
inverse elements, 44–45
irrational numbers, defined, 39
iterative characteristic, 200, 207

K
Kasiski, Friedrich, 16
key(s)
  defined, 4
  differential cryptanalysis, 202–203
  split keys, 91
key exchange algorithms
  Diffie-Hellman Key Exchange Protocol, 51–52, 59
  weaknesses of, 51–52
key-generating function, fast encipherment algorithm (FEAL), 116–117
keying, 4–6
  keyed alphabets, 4–5
  algorithm, 110
  klingon, 6
  ROT13, 5–6
key ratio, 213
key recovery, linear cryptanalysis, 179–181
key schedule
  blowfish, 120–121
  Data Encryption Standard (DES), 111
  defined, 101, 107
  fast encipherment algorithm (FEAL), 119
  substitution-permutation networks, 101
key space
  in brute-force attack, 150
  defined, 18
  in polyalphabetic ciphers, 18
keystream
  cipher feedback mode (CFM), 133
  output feedback (OFB) mode, 133
Klingon, ROT13 of text, 6
known-plaintext attacks, 149, 159–160
  brute-force attack, 150–151
  See also linear cryptanalysis

L
Lagrange interpolating polynomial, 223
least significant bit order, 92
least significant byte, 92
linear algorithms
  defined, 63
  running time, 63–64
linear binary equations, operation of, 168
linear congruential random number generator, 144–145
linear cryptanalysis, 167–192
  bias, 169, 175–178
  Data Encryption Standard (DES), 181–184
  defined, 168
  differential-linear cryptanalysis, 211–212
  Easy1 cipher, 175–179
  key recovery, 179–181
  linear binary equations in, 168
  linear expressions for, finding, 185–187
  Matsui’s Algorithm 1, 169–170, 184
  Matsui’s Algorithm 2, 170–171, 184
  multiple linear approximations, 184–185
  piling-up lemma, 174–175
  principle of maximum likelihood in, 169
  in Python, 187–192
  S-boxes, linear expressions, finding, 171–178
linear expressions
  finding, 185–187
  Matsui linear expression search, 186–187
  for S-boxes, finding, 171–178
logarithm(s)
  asymmetric, 91
  discrete, 81–86
  symmetric, 91
loops, Python for, 66

M
mathematics
  algebra, 43–48
  discrete logarithm-based cryptography, 51–52
  elliptic curves, 52–59
  factoring-based cryptography, 49–51
  number theory, 38–43
  probability, 25–38
Matsui, Mitsuru, 167
Matsui linear expression search, 186–187
Matsui’s Algorithm 1, 169–170, 184
Matsui’s Algorithm 2, 170–171, 184
MD5
  operation of, 140–141
  round function, 141–142
meet-in-the-middle attack
  boomerang attack, 220–222
  elements of, 151–152
message digests
  elements of, 137
  MD5, 140–141
method of two kangaroos, discrete logarithm, computing, 85–86
Microsoft LAN Manager, hash, 158
miss-in-the-middle attack, 217–218
MixColumns operation, Rijndael encryption algorithm, 123, 125–126
modulus, congruence, 40–41
monoalphabetic ciphers, 2–4
  breaking
    frequency analysis, 11–12
    index of coincidence, 12–15
  strengthening
    monophones, 15
    polyphones, 15
  substitution ciphers
    nulls, 15
  types of
    block ciphers, 2
    Caesar cipher, 2–3
    substitution ciphers, 1
monophones, 15
most significant bit order, 92
most significant byte, 92
multi-hash security, 163
multiple linear approximations, linear cryptanalysis, 184–185
multiplexing
  fast encipherment algorithm (FEAL), 117–118
  Python code for, 104
multi-table approach, 155–156

N
NAND operator, 94
NOR operator, 94
nulls, monoalphabetic ciphers, strengthening, 15
number theory, 38–43
  complex numbers, 39
  defined, 38
  integers, 38–39
  prime numbers, 39
  rational and irrational numbers, 39
  real numbers, 39

O
Okrand, Marc, 6
one-time pad, 145–146
  problems of, 146
one-way hashes, 38
operations
  algebraic, 43–44
  on binary data, 93–95
  gearing toward elliptical curve, 58
  groups, 45
  ring, 45
  well-defined, 45
OR operator, 93
output feedback (OFB) mode, 133
  keystream, 133

P
padding, block ciphers, 132–133
parity, 168
password hash, Microsoft LAN Manager, 158
P-boxes, 98–101
  DES round function, 111–112
  graphical example of, 99
  in Python, 102–103
  specifying, 98–99
permutations, 26–27
  binomial coefficient, 27
  P-boxes, 98–101
  permutation ciphers, 9
  permuted choices, 27
  and Skipjack, 136–138
  substitution-permutation networks, 100–106
piling-up lemma, linear cryptanalysis, 174–175
points
  addition of, 53–57
  point at infinity, 53–55
poker game, probability, illustration of, 28–32
Pollard, John M., 75
Pollard’s λ logarithm
  analysis of, 86
  for discrete logarithms, 83–85
  method of two kangaroos, 85–86
Pollard’s (ρ) method, 72–75
  analysis of, 72, 85
  for discrete logarithms, 83–85
  factoring with, 72–73
  in Python, 73–74
Pollard’s p − 1 method, 75–76
  analysis of, 75–76
  factoring by, 75–76
  and Fermat’s little theorem, 75–76
polyalphabetic ciphers, 7–8
  breaking
    ciphertext, repetitions, 16–18
    index of coincidence, 16
    keyspace in, 18
  types of, Vigenère tableau, 7–8
polynomial-time algorithms, defined, 63
polyphones, 15
pre-compute, brute force methods, 82
pre-image attacks, 37, 162
prime numbers
  Brute force factoring, 68–70
  divisibility of, 39
  elliptical curve factorization method (ECM), 77–78
  Pollard’s p − 1 factoring, 75–76
principle of maximum likelihood, in linear cryptanalysis, 169
print statement, Python, 66
probability, 25–38
  birthday paradox, 32–36
  coin flip, 26
  and cryptanalysis, 31–32
  cryptographic hashes, 37–38
  defined, 25–26
  dependence, 27–32
  dice roll, 27–28
  differential cryptanalysis, 196, 210
  permutations, 26–27
  poker game, example, 28–32
probable plaintext attack, 149–150
product ciphers
  defined, 96
  example of, 96
programming language
  algorithms, writing, 64–65
  inventing, 64
  Python, 65–67
pseudocode, algorithms, writing, 64–65
pseudorandom number generator, 143
Python, 65–67
  advantages to use, 95
  assignments in, 65
  coding/output, example of, 65
  conditionals in, 67
  differential cryptanalysis in, 203–206
  Easy1 cipher in, 102–106, 116–117
  factorial function, example of, 66
  functions in, 67
  integers, size of, 103
  and large-precision numbers, 67
  linear cryptanalysis in, 187–192
  for loops, 66
  multiplexing/demultiplexing, 104
  P-boxes in, 102–103
  Pollard’s (ρ) method in, 73–74
  print statement, 66
  S-boxes in, 102–104
  substitution-permutation networks, 102–106
  while loop, 67
  XOR operator, 104

quadratic residues, continued fraction factorization, 79–80
quadratic sieve, factoring by, 80

R
rainbow tables, 156–157
  advantages of, 157
  rainbow chain, 157
Randomized DES (RDES), 213–214
random number generators, 143–145
  bias, reducing, 144
  cryptanalysis of, 163–165
  linear congruential random number generator, 144–145
  pseudorandom number generator, 143
  random number, defined, 143
rational numbers, defined, 39
Rcon, Rijndael encryption algorithm, 128–129
real numbers, 39
reduced set of residues (RSR), 41
  Euler totient, 42
reduced square form, 76
related-key attack, 223–226
  on 3DES, 225–226
  on GOST cipher, 224
residue class
  complete set of residues (CSR), 41
  quadratic residues, 79–80
  reduced set of residues (RSR), 41
right pair, plaintext, 200
right quartet, 221
Rijmen, Vincent, 123
Rijndael decryption algorithm, 127–128
Rijndael encryption algorithm
  AddRoundKey operation, 123, 127
  inverse operations, constructing, 127–178
  MixColumns operation, 123, 125–126
  Rcon, 128–129
  RotWord, 128
  S-boxes, 123–125
  ShiftRows operation, 123, 125
  specifying, 123–124
  state, 123–124
  SubBytes operation, 123–125
  SubWord, 128
ring, algebraic operations, 45
Rivest, Ronald, 38, 49, 156
ROT13, 5–6
  of Klingon text, 6
RotWord, Rijndael encryption algorithm, 128
round function
  blowfish, 121–122
  Data Encryption Standard (DES), 110–112
  fast encipherment algorithm (FEAL), 117–118
  Feistel structures, 106–109
  issues related to, 109
  MD5, 141–142
  round key as input, 106
round key, 106, 111
RSA algorithm, 49–51
  breaking, 62
  cryptography with, 50–51
  factoring, 62
  operation of, 49–50
running time
  Brute force algorithms, 69–70
  order (Big-Oh), 63–64

S
S-boxes, 96–98
  advantages of, 98
  Blowfish, 120–121
  characteristics, combining, 200–201
  DES round function, 111–112
S-boxes, (continued)
  differential cryptanalysis, 197–201
  linear expressions for, finding, 171–178
  in Python, 102–104
  Rijndael encryption algorithm, 123–125
  and size, 97
Schneier, Bruce, 120, 158
second-order differentials, 214–215
Secure Hash Algorithm 1 (SHA-1), 140–141
self-similarity, and slide attacks, 161
S-function, fast encipherment algorithm (FEAL), 114–116
Shamir, Adi, 49
shift registers, operation of, 100
ShiftRows operation, Rijndael encryption algorithm, 123, 125
sieving methods
  general number field sieve, 80–81
  quadratic sieve, 80
signed hash, 139
size
  and S-boxes, 97
  specifying, 97
Skipjack, 134–136
  decryption algorithms, 136
  encryption algorithm, 134–135
  miss-in-the-middle attack, 217–218
  and permutations, 136–138
  Rules A and B, 135–136
  shift registers, 100
slide attacks, 158–162
  chosen-plaintext attack, 158, 160
  complementation slide attack, 161–162
  elements of, 159
  on Feistel ciphers, 160
  known-plaintext attack, 159–160
  and self-similarity, 161
  slide pair, 159
  sliding with a twist, 161
  with a twist, 161
sliding window technique, columnar transposition ciphers, breaking, 19–21
square forms factorization, 76–77
  analysis of, 77
  equivalence in, 76
  reduced square form, 76
  representation in, 76
  square form, defined, 76
state, Rijndael encryption algorithm, 123–124
storage complexity, algorithmic analysis for, 63
stream cipher, 133
SubBytes operation, Rijndael encryption algorithm, 123–125
subexponential algorithms, defined, 63
subexponential factoring, 78–81
  continued fraction factorization, 79–80
  sieving methods, 80–81
substitution ciphers, 1
  S-boxes, 96–98
substitution-permutation networks, 100–106
  defined, 100
  Easy1 cipher, 101–102
  key schedule, 101
  in Python, 102–106
SubWord, Rijndael encryption algorithm, 128
superpolynomial-time algorithms, defined, 63
symmetric logarithms, defined, 91

T
tangent, to elliptical curve, 55
3DES
  meet-in-the-middle attack, preventing, 152
  operation of, 112–113
  related-key attack on, 225–226
time-space trade-offs
  distinguished endpoint method, 156
  Hellman time-space trade-off, 153–154
  meet-in-the-middle attack, 151–152
  multi-table approach, 155–156
  problems of, 155
  success of method, 154
transposition ciphers, 9–10
  columnar ciphers, 9–10
  double columnar transpositions, 10
trigraph, columnar transposition ciphers, breaking
truncated differentials, 216–217

V
Vigenère tableau, 7–8

W
Weierstrass form, 53
while loop, Python, 67
whitening, DESX, 113
words, and bits, 92
wrong pair, plaintext, 200

X
XOR operator, 93, 102, 104
  binary XOR long division, 125–126
  checksum, 139
  in Python, 104

Y
Y2K problem, 40
Yamagishi, Atsuhiro, 167