ECE 646 – Lecture 1 CRYPTOLOGY

CRYPTOGRAPHY CRYPTANALYSIS Basic Concepts of

Cryptography from Greek cryptos - hidden, secret logos - word graphos - writing

2 1 2

Basic Vocabulary Cryptosystem (Cipher)

encryption decryption message ciphertext N bits message (cryptogram, message (plaintext, encrypted (plaintext, clear message) message) clear message) cryptographic key M C M K bits Sender Receiver M bits

ciphertext

3 4 3 4

1 Definition of a cryptosystem (cipher) Substitution Cipher

encryption function EK(M) a b c d e f g h i j k l m n o p q r s t u v w x y z Key = family of encryption f q i s h n c v j t y a u w d r e x l b m z o g k p functions message space key space ciphertext space TO BE OR NOT TO BE encryption M K key K C BD QH DX WDB BD QH decryption family of decryption TO BE OR NOT TO BE functions

26 decryption function DK(C) Number of keys = 26! ≈ 4 ∙ 10 K Î K M Î M DK(EK(M)) = M 5 6 5 6

Unpublished vs. published algorithm? Kerckhoffs’s principle Unpublished algorithm Published algorithm 1. The only reliable way of The security of a cipher MUST NOT depend 1. Cryptanalysis must include assessing cipher security recovering the algorithm on anything that cannot be easily changed 2. Prevents backdoors hidden by designers 2. Smaller number of users, 3. Large number of implementations smaller motivation to break = low cost + high performance 4. No need for anti-reverse- 3. Unavailable for other engineering protection Auguste Kerckhoffs, 1883, countries 5. Software implementations Dutch Linguist and 6. Domestic and international Cryptographer standardization

7 8 7 8

2 Fundamental Tenet of Cryptography Breaking ciphers used in GSM, 1999 (1)

GSM - protocols for second-generation (2G) digital cellular networks used by mobile devices such as mobile phones and tablets. If lots of smart people have failed to solve • Developed in late 1980’s and early 1990’s a problem, then it probably will not be • Over 100 million GSM subscribers by 1998 solved anytime soon. Initially, two voice encryption algorithms: A5/1 – for use in Europe and U.S.A. A5/2 – for use in other countries. Goal: encrypt voice between a cell phone and a base station

9 10 9 10

Breaking ciphers used in GSM (2) Breaking ciphers used in GSM (3) Published attacks Both voice encryption algorithms A5/2 • never published August 1999, Ian Goldberg and David Wagner, U.C. Berkeley • designed and analyzed by the secretive "SAGE" group Number of operations in the attack ~ 216 (part of ETSI – European Telecommunications Standard Institute) A5/1 • A5/1 believed to be based on the modified French May 1999, Jovan Golic naval cipher Number of operations in the attack ~ 240 Both algorithms reverse-engineered by December 1999, Alex Biryukov and Adi Shamir Marc Briceno (Smartcard Developer Association) Less than 1 second on a single PC with 128 MB RAM published by the Berkeley crypto group and two 73 GB hard disks. A5/1 in May 1999, Based on the analysis of the A5/1 output A5/2 in August 1999 during the first two minutes of the conversation. 11 12 11 12

3 Breaking ciphers used in GSM (4) Breaking ciphers used in GSM (5) Recent Attacks Recent Attacks A5/2 A5/3 German computer engineer Karsten Nohl published a 2 TB Crypto conference, August 15-19, 2010 rainbow table which enables deriving a session key for any particular conversation with minimal hardware support. An attack against Kasumi announced by Israeli researchers Orr Dunkelman, Nathan Keller, Adi Shamir. A5/3 Complexity:

Published in 2003, based on the Japanese cipher Kasumi. 226 bytes of encrypted data, 230 bytes of memory, 232 operations:

single PC, 96-bit key in a few minutes 128-bit key in less then two hours 13 14 13 14

Breaking ciphers used in GSM (5) Breaking ciphers used in GSM (5) Recent Attacks Recent Attacks A5/3 A5/3 Crypto conference, August 15-19, 2010 Crypto conference, August 15-19, 2010 An attack against Kasumi announced by Israeli researchers An attack against Kasumi announced by Israeli researchers Orr Dunkelman, Nathan Keller, Adi Shamir. Orr Dunkelman, Nathan Keller, Adi Shamir. Complexity: Complexity:

226 bytes of encrypted data, 230 bytes of memory, 226 bytes of encrypted data, 230 bytes of memory, 232 operations: 232 operations:

single PC, 96-bit key in a few minutes single PC, 96-bit key in a few minutes 128-bit key in less then two hours 128-bit key in less then two hours 15 16 15 16

4 Breaking ciphers used in GSM (6) Mifare Classics Recent Attacks Secret algorithm Crypto-1 developed by NXP Semiconductors, A5/3 used, among the others, in the public transport system cards in 2010 attack is a related-key attack – attacker must be able London (Oyster card), Boston (CharlieCard), Perth (SmartRider), to observe the results of encryptions using keys that have Seoul (T-money), Busan (Mybi), and in Netherlands (OV-Chipkaart) easily broken after successful reverse engineering of the chip. a known relationship. It is not clear that the Kasumi A total of about 1 billion cards all over the world. algorithm (A5/3) is used by the protocol in a way that would allow this attack to succeed.

Interestingly, the Kasumi algorithm is closely based on a Mitsubishi algorithm known as MISTY1. MISTY1 is not vulnerable to the 2010 attack…

17 18 17 18

Attacks against Mifare Classics Crypto-1 Dec 2007-Apr 2008 • Proprietary encryption algorithm developed by Ø In 2007, Karsten Nohl and Henryk Plötz reverse engineered NXP Semiconductors MIFARE Classic • The security relies on the secrecy of Crypto-1 algorithm, Ø In 2009, researcher Flavio D. Garcia discovered card only • Pseudo random number generator attack that does not require a valid reader • 48-bit LFSR and two non-linear filter generators Ø In 2009, Nicolas T. Courtois form University College of London discovered an attack that can break Crypto-1 in just 1 second

19 20 19 20

5 SmarTrip SmarTrip Ø The Washington Metropolitan Area Transit Authority • MiFare Plus X (WMATA) SmartTrip card, 1999, the first contactless Ø NXP semiconductors, compatible with MiFare Classic 1K and 4K smartcard for transit in the U.S. Ø SmarTrip card uses MIFARE Plus X version based on 128-bit AES

21 22 21 22

Features required from today’s ciphers

PERFORMANCE STRENGTH • software Types of Cryptosystems (1) • hardware

Block vs. stream ciphers FUNCTIONALITY • easy key distribution • digital signatures

23 24 23 24

6 Block vs. stream ciphers Typical stream cipher

M1, M2, …, Mn m1, m2, …, mn Sender Receiver initialization initialization key vector (seed) key vector (seed) Internal state - IS Block K K Stream cipher Pseudorandom Pseudorandom cipher Keystream Keystream Generator Generator

C1, C2, …, Cn c1, c2, …, cn ki keystream ki keystream

Ci=fK(Mi) ci = fK(mi, ISi) ISi+1=gK(mi, ISi) m c c Every block of ciphertext i i i mi Every block of ciphertext is a function of the current block plaintext ciphertext ciphertext plaintext is a function of only one of plaintext and the current internal state corresponding block of plaintext of the cipher 25 26 25 26

Classification of cryptosystems Terminology Types of Cryptosystems (2) secret-key public-key symmetric asymmetric

Secret-key vs. public-key ciphers symmetric-key

27 28 27 28

7 Secret-key (Symmetric) Cryptosystems Key Distribution Problem

key of Alice and Bob - KAB key of Alice and Bob - KAB

Network

Encryption Decryption Alice Bob Users Keys N · (N-1) N - Users Keys 100 5,000 2 1000 500,000 29 30 29 30

Features of Secret-Key Ciphers Major operations of secret-key ciphers (1) S-box Software Hardware PERFORMANCE C ROM STRENGTH • software S-box n x m n-bit address • hardware WORD S[1<

FUNCTIONALITY ASM m-bit output • easy key distribution m • digital signatures S DW 23H, 34H, direct logic 56H y ….. x1 1 ...

... y x2 2 Primary Application: Bulk data encryption ym xn 31 32 31 32

8 Major operations of secret-key ciphers (2) Major operations of secret-key ciphers (3) Variable Rotation Permutation Software Hardware Software Hardware Mux-based rotation A<<<0 A<<<16 x x x x n x1 2 3 n-1 n C C . . . C = (A << B) | (A >> (32-B)); B[4] complex B[3] P sequence of B[2] instructions B[1] . . . A <<< B <<, |, & B[0] n 32 y1 y2 y3 yn-1 yn A<<

Major operations of secret-key ciphers (4) Public-Key (Asymmetric) Cryptosystems Addition/subtraction Software Hardware A B Public key of Bob - KB Private/Secret key of Bob - kB w w C n n unsigned long A, B, C;

ADD C = A+B;

n ASM n Network C ADD Adder/subtractor Encryption Decryption C=A+B mod 2w Alice Bob w=32, 16

35 36 35 36

9 One-way function Trap-door one-way function X f(X) Y Whitfield Diffie and Martin Hellman “New directions in cryptography,” 1976 f-1(Y) PUBLIC KEY EXAMPLE: f: Y=f(X) = AX mod P X f(X) Y where P and A are constants, P is a large prime, A is an integer smaller than P f-1(Y) Number of bits of P Average number of multiplications necessary to compute f f -1 1000 1500 1030 PRIVATE KEY 37 38 37 38

Key Distribution Digital Signature Alice Bob Alice Bob message message signature signature

Bob’s Bob’s Bob’s Alice’s Alice’s Alice’s public private public private public public key key key key key key

ciphertext ciphertext message message message signature signature Intruder Judge Bob’s Alice’s Alice’s public Intruder public public key key key

ciphertext 39 message message 40 39 40

10 Features of Public-Key Ciphers Basic Operations of RSA Encryption L < k e public key exponent PERFORMANCE STRENGTH • software C = M mod N • hardware ciphertext plaintext public key modulus k-bits Best attack: Building blocks: k-bits k-bits Solving the underlying Complex arithmetic operations on large math problem, such as Decryption L=k factoring of large integers private key integers: FUNCTIONALITY d exponent • easy key distribution Given N=P∙Q, M = C mod N find P and Q. • digital signatures plaintext ciphertext private key modulus k-bits k-bits Primary Applications: Exchange of keys for secret-key ciphers k-bits Digital signatures 41 42 41 42

Basic Operations of Basic Operations of Elliptic Curve Cryptography (1) Elliptic Curve Cryptography (2)

2 3 Y = X + X mod 23 Scalar Multiplication

Y 25 Points fullfiling the equation of the curve

20 Q = k . P = P + P + P + ------+ P P=(6,19) Addition + special point J 15 P=(3,13) A k- times Q=(7,12) (point at infinity) point number point 10 D 2P=P+P=(7,11) such that: (scalar) Doubling R=P+Q=(13,7) PPP+=+=JJ 5

0 0 5 10 15 20 X

43 44 43 44

11 To be Ideal or not Ideal? Basic Operations of Effect of Quantum Computers on Two importantLattice lines of research:-Based randomCryptographylattices and ideal lattices Secret-Key Algorithms • Major impact on implementation (theory not that much) • Security for random lattices is better understoodCiphers Based on 1996: Grover’s Algorithm, (idealCiphers lattices Based are more on structured) Unstructured (Random) Structured (Ideal) reduces the time of the exhaustive-key search for secret key ciphers Random LatticesLattices Ideal LatticesLattices

k k/2 • Operations on large matrices • Operations on polynomials with 256 or from 2 to 2 operations, for a k-bit key, (e.g., 532x840) 512 coefficients 128 64 e.g., from 2 to 2 operations, for a 128-bit key or • Mostly matrix-vector multiplication modulo � 2 • Mostly polynomial multiplication modulo 256 128 from 2 to 2 operations, for a 256-bit key • Large public keys (e.g., 532x840 matrix) � 2 • Public keys are one (or two) polynomials with 256 or 512 coefficients assuming a sufficiently powerful and reliable quantum computer available

Easy Countermeasure: Double the size of a key

45 46 45 46

Effect of Quantum Computers on Public-Key Algorithms 1994: Shor’s Algorithm breaks major public key cryptosystems based on

factoring: RSA Evaluating the security of discrete logarithm problem (DLP): DSA, Diffie-Hellman secret-key ciphers Elliptic Curve DLP: Elliptic Curve Cryptosystems

independently of the key size assuming a sufficiently powerful and reliable quantum computer available No known countermeasures New algorithms and standards required 47 48 47 48

12 Classification of attacks (1) Classification of attacks (2) Ciphertext-only attack Known plaintext attack Given: ciphertext Given: ciphertext guessed fragment of the plaintext Looked for: Looked for: remaining plaintext plaintext or key or key Example: Example: successive exhaustive key search cipher Frequency analysis of letters in the ciphertext keys (brute-force ) attack (effective only for the simplest historical ciphers)

49 50 49 50

Classification of attacks (3) Classification of attacks (4) Chosen plaintext attack Chosen ciphertext attack Given: Capability to encipher Given: an arbitrarily chosen Encryption module Capability to decipher key an arbitrarily chosen Encryption module fragment of the plaintext key fragment of the ciphertext Looked for: key Looked for: key * Example: Mi Mi i=1..N

Differential cryptanalysis Encryption module key

* Ci Ci 51 52 51 52

13 Attacks Against Public-Key Ciphers (1)

Public key of Bob - KB Private/Secret key of Bob - kB Evaluating the security of public-key ciphers

53 54 53 54

Attacks Against Public-Key Ciphers (2)

Set of likely messages directed to Bob

Public key of Bob - KB cipher Implementing Cryptography

Comparison vs. known ciphertext

55 56 55 56

14 Software or hardware? Basic hardware implementations of cryptography SOFTWARE HARDWARE

security of data • VLSI chip (ASIC, FPGA) during transmission speed • smart card random key • cryptographic card low cost generation access control • stand-alone cryptographic device to keys flexibility (new cryptoalgorithms, tamper resistance protection against new attacks) (viruses, internal attacks)

57 58 57 58

Why are cryptographic chips needed? Why are cryptographic chips needed? • hardware accelerators for Virtual Private Networks (VPNs) • hardware accelerators for web servers IPSec (Secure Internet Protocol) – cryptographic protocol SSL (Secure Sockets Layer)/TLS (Transport Layer Security) used to support VPNs (Virtual Private Networks), i.e., secure – cryptographic protocols used by the majority of today’s web servers communication between remote Local Area Networks (LANs) to protect credit card numbers and other sensitive information using Internet for on-line transactions, such as buying a book on amazon.com IPSec optional in IP ver. 4, required in IP ver. 6 SSL 2.0 => SSL 3.0 => TLS 1.0 => TLS 1.1 => TLS 1.2 => TLS 1.3 Acceleration can be provided using: - secure gateways

59 60 59 60

15 Virtual Private Network Why are cryptographic chips needed? Remote user • hardware accelerators for wireless gateways Security Security Host . gateway gateway Host. IEEE 802.11 – most popular wireless protocol including . . strong encryption and authentication . Internet . . .

Wireless Cryptographic end points Host Host gateway

• local networks may belong to the same or different organizations • security gateways may come from different vendors 61 62 61 62

Why are cryptographic chips needed? Evolution of cryptography and cryptanalysis 1920 1940 1970 1980 1990 2000 2010 2020 Pairing- PQC cryptography DES RSA ECC based Lightweight • secure storage mathematics algebra statistics number theory • secure supply chain communication engineering rotor enciphering integrated software operating specialized • secure satellite communications machines devices circuits packages systems instructions physics quantum cryptography • bitcoin mining cryptanalysis mathematics statistics permutation number theory algebra theory engineering cryptologic mainframes supercomputers computer specialized GPUs bombs networks hardware ASICs physics 63 quantum computing 64 63 64

16 Progress in Implementations Jefferson disk, 1795 of Cryptography

65 66 65 66

First Rotor Machines

Enigma

Hebern Machine, 1917-1918 Hagelin Machine, 1925-1940’s

67 68 67 68

17 Cryptographic chips and boards

Progress in Implementations of Cryptoanalysis

69 70 69 70

British Cryptologic Bomb Used to Break Enigma Colossus: First Mainframe

71 72 71 72

18 Supercomputer Cray COPACOBANA Ruhr University, Bochum, University of Kiel, Germany, 2006

Cost: € 8980

120 Spartan 3 FPGAs Clock frequency 100 MHz Computer Museum, Mountain View, CA 73 74 73 74

CAIRN 3 – Specialized Machine to Break RSA Quantum Computers

2007 • Substantial investments by: Google, IBM, Intel, Microsoft, Alcatel-Lucent, NTT, as well as governments of multiple countries

• November 2017: IBM’s 50-qubit processor • January 2018: Intel’s 49-qubit processor, “Tangle-Lake” Japan Tetsuya Izu and Jun Kogure • March 2018: Google’s 72-qubit processor “Bristlecone” and Takeshi Shimoyama (Fujitsu) • October 2019: IBM announces the biggest yet quantum computer based on a 53-qubit CHES 2007 – September 2007 processor 75 Photos: https://www.technologyreview.com 76 75 76

19 Quantum Computers Quantum Computers

Most powerful quantum processors based on superconducting circuits operating in the temperature close to absolute 0 (~0.01 K)

Photo: https://www.technologyreview.com 77 Photos: https://www.technologyreview.com 78 77 78

20