1. Classical Cryptography
Some Simple Cryptosystems
• Shift Cipher
• Substitution Cipher
• Affine Cipher
• Vigenère Cipher
• Hill Cipher
• Permutation Cipher
• Stream Cipher
Modular Arithmetic, Number Theory, and Groups
Cryptanalysis
The RSA Cryptosystem
1 Classical Cryptography
Definition 1.1: A cryptosystem is a five-tuple (P, C, H, E, D), where the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. H, the keyspace, is a finite set of possible keys
4. For each $K \in H$, there is an encryption rule $e_K \in E$, $e_K: P \to C$, and a corresponding decryption rule $d_K \in D$, $d_K: C \to P$, such that $d_K(e_K(x)) = x$ for every plaintext $x \in P$.
[Figure: Alice's encrypter maps plaintext x to ciphertext y, which travels over a channel observed by Oscar to Bob's decrypter, which recovers x. The key K is produced by a key source and delivered to both parties over a secure channel.]
2 Modular Arithmetic
Definition 1.2: Suppose a and b are integers and m is a positive integer. Then we write $a \equiv b \pmod m$ if m divides $b - a$.
• $a \equiv b \pmod m$ if and only if $a - b = km$ for some integer k
• $\mathbb{Z}_m$: the set of equivalence (residue) classes of the integers under congruence mod m
• Canonical form: $\mathbb{Z}_m = \{0, 1, 2, \dots, m-1\}$; we use the non-negative remainder as the standard representative of each class (so $-1 \equiv m - 1 \pmod m$).
• $(\mathbb{Z}_m, +, 0)$ is a group:
  . + is closed
  . Associative: (a + b) + c = a + (b + c)
  . Commutative: a + b = b + a (abelian group)
  . 0 is the identity for +: a + 0 = 0 + a = a
  . Additive inverse: (−a) + a = a + (−a) = 0
3 Modular Arithmetic
• $(\mathbb{Z}_m, +, \times, 0, 1)$ is a ring:
  . + and × are closed
  . + and × are associative and commutative (commutative ring)
  . × distributes over +: a × (b + c) = a × b + a × c
  . 0 is the identity for + and 1 for ×
  . Additive inverse
• $(\mathbb{Z}_p, +, \times, 0, 1)$ is a field (when p is a prime number):
  . + and × are closed
  . + and × are associative and commutative
  . × distributes over +
  . 0 is the identity for + and 1 for ×
  . Additive inverse, and a multiplicative inverse for every non-zero element
4 Shift Cipher
Cryptosystem 1.1: (Shift Cipher) Let $P = C = H = \mathbb{Z}_{26}$. For $0 \le K \le 25$, define $e_K(x) = (x + K) \bmod 26$ and $d_K(y) = (y - K) \bmod 26$ ($x, y \in \mathbb{Z}_{26}$).
Correspondence between letters and elements of $\mathbb{Z}_{26}$:
A  B  C  D  E  F  G  H  I  J  K  L  M  N
0  1  2  3  4  5  6  7  8  9  10 11 12 13
O  P  Q  R  S  T  U  V  W  X  Y  Z
14 15 16 17 18 19 20 21 22 23 24 25
Example 1.1: K=11 and the plaintext is wewillmeetatmidnight. Then the ciphertext is HPHTWWXPPELEXTOYTRSE.
Requirements on a cryptosystem:
1. $e_K$ and $d_K$ should be efficiently computable
2. An opponent, upon seeing a ciphertext string y, should be unable to determine the key K that was used, or the plaintext string x.
3. The process of attempting to compute the key K is called cryptanalysis.
5 Substitution Cipher
Cryptosystem 1.2: (Substitution Cipher) Let $P = C = \mathbb{Z}_{26}$ and let H consist of all permutations of $\mathbb{Z}_{26}$. For each permutation $\pi \in H$, define $e_\pi(x) = \pi(x)$ and $d_\pi(y) = \pi^{-1}(y)$, where $\pi^{-1}$ is the inverse permutation of $\pi$ and $x, y \in \mathbb{Z}_{26}$. (Letters correspond to elements of $\mathbb{Z}_{26}$ as in the table on the previous slide.)
A permutation $\pi$ can be, for example:
x     a b c d e f g h i j k l m n o p q r s t u v w x y z
π(x)  X N Y A H P O G Z Q W B T S F L R C V M U E K J D I
6 Congruence Equations
• Consider the congruence equation $ax \equiv b \pmod m$, $a, b \in \mathbb{Z}_m$
• $5x \equiv 8 \pmod{12}$: x = 4, a unique solution in $\mathbb{Z}_{12}$ (gcd(5, 12) = 1)
• $3x \equiv 8 \pmod{12}$: no solution (gcd(3, 12) = 3 does not divide 8)
• $3x \equiv 9 \pmod{12}$: x can be 3, 7, or 11, multiple solutions in $\mathbb{Z}_{12}$ (gcd(3, 12) = 3 divides 9)
Theorem 1.1: $ax \equiv b \pmod m$ has a unique solution $x \in \mathbb{Z}_m$ for every $b \in \mathbb{Z}_m$ iff gcd(a, m) = 1.
Definition 1.3: Suppose $a \ge 1$ and $m \ge 2$ are integers. If gcd(a, m) = 1, then we say that a and m are relatively prime.
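The three congruences above and Theorem 1.1, worked in code. This is an added Python example, not code from the slides: it implements the general case d = gcd(a, m), of which the slide's three congruences are the instances d = 1, d not dividing b, and d dividing b, and cross-checks the result against exhaustive search. It assumes Python 3.8 or later for the three-argument pow(a, -1, m) modular inverse.

```python
from math import gcd


def solve_linear_congruence(a: int, b: int, m: int) -> list[int]:
    """Return every x in Z_m with a*x = b (mod m), in increasing order.

    Let d = gcd(a, m). The congruence is solvable iff d divides b, and then
    it has exactly d solutions: the unique solution x0 of
    (a/d) * x = (b/d) (mod m/d), and x0 + k*(m/d) for k = 1, ..., d-1.
    For d = 1 this is Theorem 1.1 (one solution for every b).
    """
    if m <= 0:
        raise ValueError("modulus must be positive")
    a, b = a % m, b % m
    d = gcd(a, m)
    if b % d != 0:
        return []                        # e.g. 3x = 8 (mod 12)
    a_red, b_red, m_red = a // d, b // d, m // d
    if m_red == 1:                       # a = 0 (mod m): every x works when b = 0
        return list(range(m))
    # gcd(a_red, m_red) = 1, so a_red is invertible in Z_{m_red} (Python >= 3.8)
    x0 = (b_red * pow(a_red, -1, m_red)) % m_red
    return [x0 + k * m_red for k in range(d)]


def solve_by_brute_force(a: int, b: int, m: int) -> list[int]:
    """Independent check: try every x in Z_m (fine for small m)."""
    return [x for x in range(m) if (a * x - b) % m == 0]


def uniquely_solvable_for_all_b(a: int, m: int) -> bool:
    """Theorem 1.1 as a predicate: a unique solution for every b iff gcd(a, m) = 1."""
    return gcd(a % m, m) == 1
```

The gcd test is the whole story: when d = gcd(a, m) > 1 the map x ↦ ax is not injective on Z_m, so it either misses b entirely or hits it d times.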
7 Multiplicative Inverses
Definition 1.4: Suppose $a \in \mathbb{Z}_m$. The multiplicative inverse of a modulo m is an element $b \in \mathbb{Z}_m$ such that $ab \equiv ba \equiv 1 \pmod m$.
1. If the multiplicative inverse of a exists, it is unique. It is denoted by $a^{-1}$.
2. If b is the inverse of a, then a is the inverse of b.
3. $a \in \mathbb{Z}_m$ has a multiplicative inverse in $\mathbb{Z}_m$ if and only if gcd(a, m) = 1.
* Multiplicative group: $\mathbb{Z}_m^* = \{a \in \mathbb{Z}_m : \gcd(a, m) = 1\}$
* Euler phi function: $\phi(m) = |\mathbb{Z}_m^*|$
Theorem 1.2: If $m = \prod_{i=1}^{n} p_i^{e_i}$ for distinct primes $p_i$ and exponents $e_i \ge 1$, then
$$\phi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right).$$
* $\mathbb{Z}_{26}^* = \{1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25\}$, so $\phi(26) = 12$
* Inverses in $\mathbb{Z}_{26}^*$:
a     1 3 5  7  9 11 15 17 19 21 23 25
a^-1  1 9 21 15 3 19 7  23 11 5  17 25
* If p is a prime, then $\mathbb{Z}_p^* = \{1, 2, \dots, p-1\}$. Note: $(\mathbb{Z}_p, +, \times, 0, 1)$ is a field.
8 Affine Cipher
Cryptosystem 1.3: (Affine Cipher) Let $P = C = \mathbb{Z}_{26}$ and $H = \mathbb{Z}_{26}^* \times \mathbb{Z}_{26}$. For each $K = (a, b) \in H$, define
$e_K(x) = (ax + b) \bmod 26$ ($x \in \mathbb{Z}_{26}$) and $d_K(y) = a^{-1}(y - b) \bmod 26$ ($y \in \mathbb{Z}_{26}$).
(The requirement $a \in \mathbb{Z}_{26}^*$, i.e. gcd(a, 26) = 1, is exactly what makes $e_K$ injective and $a^{-1}$ exist; by Theorem 1.1 there are 12 choices for a, so the keyspace has 12 × 26 = 312 keys.)
Example 1.3: Suppose that K = (a, b) = (7, 3).
$e_K(x) = ?$  $d_K(y) = ?$  $d_K(e_K(x)) = ?$  Encrypt the plaintext hot.
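Cryptosystems 1.1 to 1.3, with Examples 1.1 and 1.3, as an added Python example (not code from the slides). The helpers to_numbers and to_letters implement the letter table above; the substitution key is the permutation tabulated on the substitution-cipher slide; the affine functions reject any a outside $\mathbb{Z}_{26}^*$, which is the check an implementation must make or encryption silently becomes non-injective. shift_brute_force is included because it is the whole cryptanalysis of the shift cipher: with 26 keys, requirement 2 above cannot hold.

```python
import string
from math import gcd

ALPHABET = string.ascii_uppercase      # A=0, ..., Z=25, as in the table above


def to_numbers(text: str) -> list[int]:
    """Letters -> elements of Z_26; case is ignored and non-letters are dropped."""
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def to_letters(values) -> str:
    return "".join(ALPHABET[v % 26] for v in values)


# Cryptosystem 1.1 (Shift Cipher): e_K(x) = x + K, d_K(y) = y - K in Z_26
def shift_encrypt(plaintext: str, k: int) -> str:
    return to_letters((x + k) % 26 for x in to_numbers(plaintext))


def shift_decrypt(ciphertext: str, k: int) -> str:
    return to_letters((y - k) % 26 for y in to_numbers(ciphertext)).lower()


def shift_brute_force(ciphertext: str) -> dict[int, str]:
    """Only 26 keys exist, so a ciphertext-only attacker simply tries them all."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


# Cryptosystem 1.2 (Substitution Cipher): the key is a permutation pi of Z_26,
# given as the 26-letter string pi(a) pi(b) ... pi(z).
def substitution_encrypt(plaintext: str, pi: str) -> str:
    if sorted(pi.upper()) != list(ALPHABET):
        raise ValueError("key must be a permutation of the alphabet")
    return "".join(pi.upper()[x] for x in to_numbers(plaintext))


def substitution_decrypt(ciphertext: str, pi: str) -> str:
    pi_inv = {pi.upper()[x]: x for x in range(26)}      # pi^{-1} as a lookup table
    return to_letters(pi_inv[ch] for ch in ciphertext.upper() if ch in ALPHABET).lower()


# Cryptosystem 1.3 (Affine Cipher): e_K(x) = a*x + b, d_K(y) = a^{-1}(y - b) in Z_26
def affine_encrypt(plaintext: str, a: int, b: int) -> str:
    if gcd(a, 26) != 1:
        raise ValueError(f"a = {a} is not in Z_26^*, so e_K would not be injective")
    return to_letters((a * x + b) % 26 for x in to_numbers(plaintext))


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    a_inv = pow(a, -1, 26)              # raises ValueError if gcd(a, 26) != 1
    return to_letters(a_inv * (y - b) % 26 for y in to_numbers(ciphertext)).lower()


EXAMPLE_PI = "XNYAHPOGZQWBTSFLRCVMUEKJDI"   # the permutation tabulated on the slide
```

For Example 1.3, affine_encrypt("hot", 7, 3) evaluates $7x + 3 \bmod 26$ letter by letter, and affine_decrypt uses $7^{-1} = 15$ from the inverse table above.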
9 Vigenère Cipher
Cryptosystem 1.4: (Vigenère Cipher) Let m be a positive integer. Let $P = C = H = (\mathbb{Z}_{26})^m$. For a key $K = (k_1, k_2, \dots, k_m) \in H$, define
$e_K(x_1, x_2, \dots, x_m) = (x_1 + k_1, x_2 + k_2, \dots, x_m + k_m)$ and
$d_K(y_1, y_2, \dots, y_m) = (y_1 - k_1, y_2 - k_2, \dots, y_m - k_m)$,
where all operations are performed in $\mathbb{Z}_{26}$.
Example 1.4: Suppose that m = 6 and the key is CIPHER, i.e., K = (2, 8, 15, 7, 4, 17). Encrypt the plaintext thiscryptosystemisnotsecure.
Polyalphabetic cryptosystem: the key of the system contains multiple alphabetic characters, so the same plaintext letter can map to different ciphertext letters depending on its position.
10 Linear Transformations and Matrices
$$y_1 = (11x_1 + 3x_2) \bmod 26, \qquad y_2 = (8x_1 + 7x_2) \bmod 26,$$
i.e.
$$(y_1, y_2) = (x_1, x_2)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} \bmod 26.$$
If $A = (a_{i,j})$ and $B = (b_{i,j})$ are two $l \times m$ matrices, then the sum A + B is defined as $(a_{i,j} + b_{i,j})$.
If $A = (a_{i,j})$ is an $l \times m$ matrix and $B = (b_{i,j})$ is an $m \times n$ matrix, then the product $AB = (c_{i,j})$ is an $l \times n$ matrix defined by the formula
$$c_{i,j} = \sum_{k=1}^{m} a_{i,k} b_{k,j}.$$
$(\mathbb{Z}_{26})^{n \times n}$: all $n \times n$ matrices over $\mathbb{Z}_{26}$.
$I_n$: the $n \times n$ identity matrix. For any $A \in (\mathbb{Z}_{26})^{n \times n}$, $I_n A = A I_n = A$.
$0_n$: the $n \times n$ zero matrix. For any $A \in (\mathbb{Z}_{26})^{n \times n}$, $0_n + A = A + 0_n = A$.
$((\mathbb{Z}_{26})^{n \times n}, 0_n, I_n, +, \times)$ is a ring (not a commutative one for $n \ge 2$).
11 The Inverse of a Matrix
Definition: Suppose $A \in (\mathbb{Z}_{26})^{n \times n}$. The inverse of A over $(\mathbb{Z}_{26})^{n \times n}$ is a matrix $B \in (\mathbb{Z}_{26})^{n \times n}$ such that $AB = BA = I_n$.
1. If the inverse of A exists, it is unique. It is denoted by $A^{-1}$.
2. If B is the inverse of A, then A is the inverse of B.
Definition 1.5: Suppose $A = (a_{i,j})$ is an $m \times m$ matrix. For $1 \le i \le m$, $1 \le j \le m$, define $A_{i,j}$ to be the $(m-1) \times (m-1)$ matrix obtained from A by deleting the i-th row and the j-th column.
The determinant of A, denoted det A, is the value $a_{1,1}$ if m = 1. If m > 1, det A is computed recursively from the formula
$$\det A = \sum_{j=1}^{m} (-1)^{i+j} a_{i,j} \det A_{i,j},$$
where i is fixed and $1 \le i \le m$ (the result does not depend on which row i is chosen).
$\det A = a_{1,1}a_{2,2} - a_{1,2}a_{2,1}$ if m = 2.
$\det A = a_{1,1}a_{2,2}a_{3,3} + a_{2,1}a_{3,2}a_{1,3} + a_{3,1}a_{1,2}a_{2,3} - a_{1,3}a_{2,2}a_{3,1} - a_{1,2}a_{2,1}a_{3,3} - a_{1,1}a_{2,3}a_{3,2}$ if m = 3.
12 The Inverse of a Matrix
Properties: 1. $\det I_n = 1$. 2. $\det(AB) = \det A \cdot \det B$.
Theorem 1.3: Suppose $A = (a_{i,j})$ is an $m \times m$ matrix over $\mathbb{Z}_n$ such that det A is invertible in $\mathbb{Z}_n$. Then $A^{-1} = (\det A)^{-1} A^*$, where $A^*$ is the adjoint matrix of A, that is $A^* = (a^*_{i,j})$ with $a^*_{i,j} = (-1)^{i+j} \det A_{j,i}$. For m = 2:
$$A = \begin{pmatrix} a_{1,1} & a_{1,2} \\ a_{2,1} & a_{2,2} \end{pmatrix}, \qquad A^{-1} = (\det A)^{-1} \begin{pmatrix} a_{2,2} & -a_{1,2} \\ -a_{2,1} & a_{1,1} \end{pmatrix}.$$
(Over $\mathbb{Z}_n$ the condition is that det A be a unit, gcd(det A, n) = 1, not merely that det A be non-zero; over $\mathbb{Z}_{26}$ an even determinant, or 13, gives a singular matrix.)
Example 1.5: $A = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}$, $A^{-1} = ?$
Example 1.6: $A = \begin{pmatrix} 10 & 5 & 12 \\ 3 & 14 & 21 \\ 8 & 9 & 11 \end{pmatrix}$, $A^{-1} = ?$
13 Hill Cipher
Cryptosystem 1.5: (Hill Cipher) Let $m \ge 2$ be an integer. Let $P = C = (\mathbb{Z}_{26})^m$ and $H = GL(m, \mathbb{Z}_{26})$. For a key K, define $e_K(x) = xK$ and $d_K(y) = yK^{-1}$, where $GL(m, \mathbb{Z}_{26}) = \{A \in (\mathbb{Z}_{26})^{m \times m} : A \text{ is invertible}\}$, plaintext and ciphertext blocks are row vectors, and all operations are performed in $\mathbb{Z}_{26}$.
Example 1.5: Suppose the key is $K = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}$. We want to encrypt the plaintext july.
Since $\det K = 77 - 24 = 53 \equiv 1 \pmod{26}$, $K^{-1} = \begin{pmatrix} 7 & 18 \\ 23 & 11 \end{pmatrix}$.
july = (9, 20), (11, 24):
$(9, 20)K = (9, 20)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} = (99 + 60, 72 + 140) \bmod 26 = (3, 4) = DE$
$(11, 24)K = (11, 24)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} = (121 + 72, 88 + 168) \bmod 26 = (11, 22) = LW$
The ciphertext is DELW.
14 Permutation Cipher
Cryptosystem 1.6: (Permutation Cipher) Let m be a positive integer. Let $P = C = (\mathbb{Z}_{26})^m$ and let H consist of all permutations of $\{1, \dots, m\}$. For a key $\pi$, define
$e_\pi(x_1, x_2, \dots, x_m) = (x_{\pi(1)}, x_{\pi(2)}, \dots, x_{\pi(m)})$ and
$d_\pi(y_1, y_2, \dots, y_m) = (y_{\pi^{-1}(1)}, y_{\pi^{-1}(2)}, \dots, y_{\pi^{-1}(m)})$,
where $\pi^{-1}$ is the inverse permutation of $\pi$. (The permutation cipher is the special case of the Hill cipher whose key is a permutation matrix.)
Example 1.7: Suppose m = 6 and the key is the following permutation $\pi$:
x     1 2 3 4 5 6
π(x)  3 5 1 6 4 2
$\pi^{-1} = ?$  Encrypt the following plaintext: shesellsseashellsbytheseashore
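Example 1.7 worked as an added Python example (not code from the slides). The key is a dict {i: π(i)} using the slide's 1-based indices; decryption is the same block operation applied with $\pi^{-1}$, exactly as $d_\pi$ is defined above. Text whose length is not a multiple of m is rejected rather than silently padded, since the cryptosystem as defined has no padding rule.

```python
def inverse_permutation(pi: dict[int, int]) -> dict[int, int]:
    """pi^{-1}: swap keys and values; valid because pi is a bijection on {1, ..., m}."""
    m = len(pi)
    if sorted(pi) != list(range(1, m + 1)) or sorted(pi.values()) != list(range(1, m + 1)):
        raise ValueError("key must be a permutation of {1, ..., m}")
    return {v: k for k, v in pi.items()}


def _apply_blockwise(text: str, pi: dict[int, int]) -> str:
    """(y_1, ..., y_m) = (x_{pi(1)}, ..., x_{pi(m)}) on every block of m letters."""
    m = len(pi)
    letters = [ch for ch in text.lower() if ch.isalpha()]
    if len(letters) % m:
        raise ValueError(f"text length must be a multiple of m = {m} (no padding rule is defined)")
    out = []
    for start in range(0, len(letters), m):
        block = letters[start:start + m]
        out.extend(block[pi[i] - 1] for i in range(1, m + 1))   # slide indices are 1-based
    return "".join(out)


def permutation_encrypt(plaintext: str, pi: dict[int, int]) -> str:
    return _apply_blockwise(plaintext, pi).upper()


def permutation_decrypt(ciphertext: str, pi: dict[int, int]) -> str:
    # d_pi is e_pi with the inverse permutation: x_i = y_{pi^{-1}(i)}
    return _apply_blockwise(ciphertext, inverse_permutation(pi))


EXAMPLE_KEY = {1: 3, 2: 5, 3: 1, 4: 6, 5: 4, 6: 2}   # Example 1.7
```

Note that a permutation cipher leaves letter frequencies unchanged (it only moves letters), so the frequency analysis used later against the affine cipher still identifies the language and the block length m, even though single-letter guesses no longer recover the key directly.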
15 Stream Cipher
Block cipher: plaintext $x = x_1 x_2 \dots$ and a key K give $y = y_1 y_2 \dots = e_K(x_1) e_K(x_2) \dots$ (every block is encrypted with the same key).
Stream cipher: plaintext $x = x_1 x_2 \dots$ and a key K give a keystream $z = z_1 z_2 \dots$, and $y = y_1 y_2 \dots = e_{z_1}(x_1) e_{z_2}(x_2) \dots$ (each symbol is encrypted with its own keystream element).
Definition 1.6: A synchronous stream cipher is a tuple (P, C, H, L, E, D), together with a function g, such that the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. H, the keyspace, is a finite set of possible keys
4. L is a finite set called the keystream alphabet
5. g is the keystream generator: g takes a key K as input and generates an infinite string $z_1 z_2 \dots$ called the keystream, where $z_i \in L$ for all $i \ge 1$
6. For each $z \in L$, there is an encryption rule $e_z \in E$, $e_z: P \to C$, and a corresponding decryption rule $d_z \in D$, $d_z: C \to P$, such that $d_z(e_z(x)) = x$ for every $x \in P$
16 Stream Cipher (Cont.)
The Vigenère cipher defined as a synchronous stream cipher
• Let $P = C = L = \mathbb{Z}_{26}$ and $H = (\mathbb{Z}_{26})^m$.
• For $K = (k_1, k_2, \dots, k_m)$, define
$$z_i = \begin{cases} k_{i \bmod m} & \text{if } i \bmod m \ne 0 \\ k_m & \text{if } i \bmod m = 0 \end{cases}$$
This generates the keystream $k_1 k_2 \dots k_m \, k_1 k_2 \dots k_m \, k_1 k_2 \dots k_m \dots$
• For $z \in L$ define $e_z(x) = (x + z) \bmod 26$ and $d_z(y) = (y - z) \bmod 26$.
A stream cipher is a periodic stream cipher with period d if $z_{i+d} = z_i$ for all $i \ge 1$. The Vigenère cipher is thus a periodic stream cipher with period m.
17 Stream Cipher (Cont.)
Generating the keystream using a linear recurrence of degree m:
$$(z_1, \dots, z_m) = (k_1, \dots, k_m) \quad\text{and}\quad z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2 \quad\text{for all } i \ge 1,$$
where $c_0, \dots, c_{m-1} \in \mathbb{Z}_2$ are constants and $c_0 \ne 0$.
Encryption: $y_i = (x_i + z_i) \bmod 2$, and decryption: $x_i = (y_i - z_i) \bmod 2 = (y_i + z_i) \bmod 2$ (in $\mathbb{Z}_2$ addition and subtraction coincide, so both directions are an XOR with the keystream).
Example 1.8: m = 4, $z_{i+4} = (z_i + z_{i+1}) \bmod 2$, $K = (k_1, k_2, k_3, k_4) = (1, 0, 0, 0)$. The keystream $z_1 z_2 z_3 \dots = ?$ And the period d = ?
[Figure: a Linear Feedback Shift Register (LFSR) with four stages $k_1 k_2 k_3 k_4$; the feedback (+) is the XOR of the tapped stages, i.e. the linear recurrence above.]
18 Non-Synchronous Stream Cipher
A non-synchronous stream cipher is a stream cipher in which each keystream element $z_i$ depends on previous plaintext or ciphertext elements ($x_1 \dots x_{i-1}$ and/or $y_1 \dots y_{i-1}$) as well as the key K.
Cryptosystem 1.7: (Autokey Cipher) Let $P = C = H = L = \mathbb{Z}_{26}$. Let $z_1 = K$, and define $z_i = x_{i-1}$ for all $i \ge 2$. For $0 \le z \le 25$, define $e_z(x) = (x + z) \bmod 26$ and $d_z(y) = (y - z) \bmod 26$ ($x, y \in \mathbb{Z}_{26}$).
Example 1.9: K = 8 and the plaintext is rendezvous.
The keystream $z_1 z_2 z_3 \dots = ?$ The ciphertext $y_1 y_2 \dots = ?$
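One added Python example (not code from the slides) for the whole stream-cipher part: Cryptosystem 1.4 as the keystream generator of the previous slides (Example 1.4), the degree-m linear recurrence of Example 1.8 together with its period, and the autokey cipher of Example 1.9. It also drives the binary cipher with the LFSR of Example 1.14 from the cryptanalysis slides further on (recurrence $z_{i+5} = z_i + z_{i+3}$, initial state 11010) over that example's plaintext. Function names are my own; to_numbers and to_letters implement the letter table from the shift-cipher slide.

```python
from itertools import islice
from typing import Iterable, Iterator

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_numbers(text: str) -> list[int]:
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def to_letters(values: Iterable[int]) -> str:
    return "".join(ALPHABET[v % 26] for v in values)


def vigenere_keystream(key: list[int]) -> Iterator[int]:
    """z_i = k_{i mod m}, with z_i = k_m when i mod m = 0: period m."""
    m, i = len(key), 1
    while True:
        r = i % m
        yield key[m - 1] if r == 0 else key[r - 1]
        i += 1


def lfsr_keystream(init: list[int], coeffs: list[int]) -> Iterator[int]:
    """z_{i+m} = sum_j c_j z_{i+j} mod 2 from the initial state (z_1, ..., z_m) = K."""
    if len(coeffs) != len(init) or coeffs[0] == 0:
        raise ValueError("need m coefficients with c_0 != 0")
    state = list(init)
    while True:
        yield state[0]
        feedback = sum(c * z for c, z in zip(coeffs, state)) % 2
        state = state[1:] + [feedback]


def lfsr_bits(init: list[int], coeffs: list[int], count: int) -> list[int]:
    return list(islice(lfsr_keystream(init, coeffs), count))


def lfsr_period(init: list[int], coeffs: list[int]) -> int:
    """Least d with z_{i+d} = z_i for all i (at most 2^m - 1); 0 for the all-zero state."""
    m = len(init)
    if not any(init):
        return 0
    gen = lfsr_keystream(init, coeffs)
    first = list(islice(gen, m))
    window = list(first)
    for d in range(1, 2 ** m):
        window = window[1:] + [next(gen)]   # window = (z_{d+1}, ..., z_{d+m})
        if window == first:                 # the register state has recurred
            return d
    raise RuntimeError("unreachable: c_0 != 0 makes the state update a permutation")


def stream_encrypt(plaintext: str, keystream: Iterator[int]) -> str:
    """Synchronous stream cipher over Z_26: y_i = (x_i + z_i) mod 26."""
    return to_letters(x + z for x, z in zip(to_numbers(plaintext), keystream))


def stream_decrypt(ciphertext: str, keystream: Iterator[int]) -> str:
    return to_letters(y - z for y, z in zip(to_numbers(ciphertext), keystream)).lower()


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    return stream_encrypt(plaintext, vigenere_keystream(to_numbers(keyword)))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    return stream_decrypt(ciphertext, vigenere_keystream(to_numbers(keyword)))


def lfsr_xor(bits: str, init: list[int], coeffs: list[int]) -> str:
    """Binary stream cipher y_i = (x_i + z_i) mod 2; XOR is its own inverse, so this also decrypts."""
    return "".join(str(int(b) ^ z) for b, z in zip(bits, lfsr_keystream(init, coeffs)))


def autokey_encrypt(plaintext: str, k: int) -> tuple[str, list[int]]:
    """Cryptosystem 1.7: z_1 = K, z_i = x_{i-1}. Returns (ciphertext, keystream)."""
    z, out, stream = k, [], []
    for x in to_numbers(plaintext):
        stream.append(z)
        out.append((x + z) % 26)
        z = x
    return to_letters(out), stream


def autokey_decrypt(ciphertext: str, k: int) -> str:
    z, out = k, []
    for y in to_numbers(ciphertext):
        x = (y - z) % 26
        out.append(x)
        z = x                       # the receiver regenerates z_i = x_{i-1} as it decrypts
    return to_letters(out).lower()
```

The period matters operationally: a keystream of period d means the ciphertext is really d interleaved shift ciphers, which is what the Kasiski and index-of-coincidence attacks on Vigenère exploit, and an LFSR of degree m can never do better than period $2^m - 1$.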
19 Cryptanalysis
Cryptanalysis: the process of attempting to compute the key K, given a string of ciphertext y.
Kerckhoffs' principle: the opponent knows the cryptosystem being used; security must rest on the secrecy of the key alone.
Common types of attack models:
• Ciphertext-only attack: the opponent possesses a string of ciphertext, y.
• Known-plaintext attack: the opponent possesses a string of plaintext, x, and the corresponding ciphertext, y.
• Chosen-plaintext attack: the opponent can use the encryption machine (obtain the ciphertext for plaintexts of their choice).
• Chosen-ciphertext attack: the opponent can use the decryption machine (obtain the plaintext for ciphertexts of their choice).
20 Cryptanalysis of the Affine Cipher
Statistical properties of the English language:
• Relative frequencies of the 26 letters (E is by far the most common, followed by T, A, O, I, N, S, H, R)
• Common sequences of two or three consecutive letters (digrams and trigrams)
Example 1.10: Ciphertext obtained from an Affine Cipher. Letter counts: R: 8 occurrences, D: 7 occurrences, E, H, K: 5 occurrences each.
Guess that the most frequent ciphertext letter R is the image of e, and try candidates for t. Each guess gives two linear equations in the unknown key (a, b); subtracting them gives $15a \equiv y_t - 17 \pmod{26}$, and since $15^{-1} = 7$ in $\mathbb{Z}_{26}$ the solution (a, b) is unique. A candidate is rejected if $a \notin \mathbb{Z}_{26}^*$, i.e. if gcd(a, 26) ≠ 1.
First guess: e → R, t → D: $e_K(4) = 17$, $e_K(19) = 3$, so $4a + b \equiv 17$, $19a + b \equiv 3$, giving a = 6, b = 19. Rejected: 6 is not invertible mod 26.
Second guess: e → R, t → E: $4a + b \equiv 17$, $19a + b \equiv 4$, giving a = 13, b = 17. Rejected: 13 is not invertible mod 26.
Third guess: e → R, t → H: $4a + b \equiv 17$, $19a + b \equiv 7$, giving a = 8, b = 11. Rejected: 8 is not invertible mod 26.
Fourth guess: e → R, t → K: $4a + b \equiv 17$, $19a + b \equiv 10$, giving a = 3, b = 5. gcd(3, 26) = 1, so K = (3, 5) is a valid key; decrypt with $d_K(y) = 3^{-1}(y - 5) = 9y + 7 \bmod 26$ and check that the result reads as English.
21 Cryptanalysis of the Hill Cipher
Known-plaintext attack on the Hill Cipher (the block length m is also known):
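Example 1.10 as an added Python example (not code from the slides). The slide gives only the letter counts of its ciphertext, not the ciphertext itself, so solve_affine_key is exercised on the four guesses exactly as listed above; the complete ciphertext-only attack (count letters, map e to the most frequent one, try t against the next few, solve the two congruences, reject non-invertible a, decrypt) then runs over a constructed English sentence that I encrypted with K = (3, 5). That sentence is my own sample input, not the slide's text.

```python
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def num(ch: str) -> int:
    return ALPHABET.index(ch.upper())


def affine_encrypt(plaintext: str, a: int, b: int) -> str:
    return "".join(ALPHABET[(a * num(c) + b) % 26] for c in plaintext if c.isalpha())


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    a_inv = pow(a, -1, 26)
    return "".join(ALPHABET[a_inv * (num(c) - b) % 26] for c in ciphertext if c.isalpha()).lower()


def solve_affine_key(p1: str, c1: str, p2: str, c2: str):
    """Solve a*x1 + b = y1, a*x2 + b = y2 (mod 26) for the key (a, b).

    Subtracting gives a*(x1 - x2) = y1 - y2. For the slide's guesses x1 - x2 =
    4 - 19 = -15 = 11 (mod 26), a unit, so a is determined uniquely.
    Returns None when the guess is not a valid affine key (a not in Z_26^*).
    """
    x1, y1, x2, y2 = num(p1), num(c1), num(p2), num(c2)
    dx = (x1 - x2) % 26
    if gcd(dx, 26) != 1:
        raise ValueError("the two plaintext letters must differ by a unit mod 26")
    a = (y1 - y2) * pow(dx, -1, 26) % 26
    b = (y1 - a * x1) % 26
    return (a, b) if gcd(a, 26) == 1 else None


def letter_counts(ciphertext: str) -> list[tuple[str, int]]:
    """Most common ciphertext letters first (the slide's 'R: 8, D: 7, ...')."""
    return Counter(c for c in ciphertext.upper() if c.isalpha()).most_common()


def break_affine(ciphertext: str, tries: int = 5) -> list[tuple[tuple[int, int], str]]:
    """Ciphertext-only attack: e -> most frequent letter, t -> each of the next
    `tries` letters; keep the valid keys and decrypt with each of them."""
    ranked = [letter for letter, _ in letter_counts(ciphertext)]
    results = []
    for candidate in ranked[1:1 + tries]:
        key = solve_affine_key("e", ranked[0], "t", candidate)
        if key is not None:
            results.append((key, affine_decrypt(ciphertext, *key)))
    return results


# Constructed sample (not the slide's ciphertext): an English sentence in which
# e is the most frequent letter (15) and t the second (14), encrypted with K = (3, 5).
SAMPLE_PLAINTEXT = "meet me at the tent at ten tonight we need to see the letters then"
SAMPLE_CIPHERTEXT = affine_encrypt(SAMPLE_PLAINTEXT, 3, 5)
```

The human step the slide leaves implicit is the last one: several guesses can yield a valid (a, b), so each candidate decryption has to be read and the one that is English kept. The keyspace has only 312 keys, so an implementation can just as well try all of them and score the output by letter frequencies.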
Plaintext blocks $x_1 \dots x_m \,/\, x_{m+1} \dots x_{2m} \,/\, x_{2m+1} \dots$ encrypt to ciphertext blocks $y_1 \dots y_m \,/\, y_{m+1} \dots y_{2m} \,/\, y_{2m+1} \dots$. Take m plaintext blocks $a_1, \dots, a_m$ (row vectors of length m) with $e_K(a_i) = b_i$. Then
$$\begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix} K, \qquad\text{so}\qquad K = \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix}^{-1} \begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix},$$
provided the matrix of plaintext blocks is invertible over $\mathbb{Z}_{26}$ (otherwise choose different blocks).
Example 1.13: m = 2, plaintext friday = 5 17 / 8 3 / 0 24, ciphertext PQCFKU = 15 16 / 2 5 / 10 20, so $e_K(5, 17) = (15, 16)$, $e_K(8, 3) = (2, 5)$, $e_K(0, 24) = (10, 20)$.
$$\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix} K
\quad\Rightarrow\quad
K = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix}^{-1} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 9 & 1 \\ 2 & 15 \end{pmatrix} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix}.$$
Check with the third block: $(0, 24)K = (192, 72) \bmod 26 = (10, 20) = KU$.
22 Cryptanalysis of the LFSR Cipher
Known-plaintext attack: from $y_i = (x_i + z_i) \bmod 2$ the opponent recovers keystream bits $z_i = (y_i - x_i) \bmod 2 = (y_i + x_i) \bmod 2$. With 2m consecutive keystream bits, the recurrence $z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2$ gives m linear equations in the m unknowns $c_0, \dots, c_{m-1}$:
$$(z_{m+1}, z_{m+2}, \dots, z_{2m}) = (c_0, c_1, \dots, c_{m-1})\begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix},$$
so, if the matrix is invertible over $\mathbb{Z}_2$,
$$(c_0, c_1, \dots, c_{m-1}) = (z_{m+1}, z_{m+2}, \dots, z_{2m})\begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix}^{-1}.$$
Example 1.14: m = 5, plaintext 101101011110010, ciphertext 011001111111000, so the keystream is 110100100001010 (bitwise XOR).
$$(c_0, c_1, \dots, c_4) = (0, 1, 0, 0, 0)\begin{pmatrix} 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 \end{pmatrix}^{-1} = (0, 1, 0, 0, 0)\begin{pmatrix} 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 0 \end{pmatrix} = (1, 0, 0, 1, 0).$$
The recurrence is therefore $z_{i+5} = (z_i + z_{i+3}) \bmod 2$. Check: $z_6 = z_1 + z_4 = 0$, $z_7 = z_2 + z_5 = 1$, $z_8 = z_3 + z_6 = 0$, and so on, reproducing the recovered keystream.
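Added Python example (not code from the slides) covering Theorem 1.3 and Examples 1.5 and 1.6 (matrix inverses over $\mathbb{Z}_{26}$), Cryptosystem 1.5 (Hill encryption and decryption of july), and the two known-plaintext attacks of Examples 1.13 and 1.14. One inverse_mod routine serves both attacks because the Hill attack is the same linear-algebra step over $\mathbb{Z}_{26}$ that the LFSR attack performs over $\mathbb{Z}_2$. The cofactor expansion is exponential in the dimension, which is adequate for the textbook sizes here; that choice, and all function names, are mine.

```python
from math import gcd

Matrix = list[list[int]]
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def mat_mul(A: Matrix, B: Matrix, m: int = 26) -> Matrix:
    """c_{i,j} = sum_k a_{i,k} b_{k,j}, reduced mod m."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % m
             for j in range(len(B[0]))] for i in range(len(A))]


def minor(A: Matrix, i: int, j: int) -> Matrix:
    """A_{i,j}: delete row i and column j (0-based here)."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(A) if r != i]


def det(A: Matrix, m: int = 26) -> int:
    """Definition 1.5, expanding along the first row."""
    if len(A) == 1:
        return A[0][0] % m
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j), m) for j in range(len(A))) % m


def inverse_mod(A: Matrix, m: int = 26) -> Matrix:
    """Theorem 1.3: A^{-1} = (det A)^{-1} A*, a*_{i,j} = (-1)^{i+j} det A_{j,i}.
    Works over any Z_m (m = 2 for the LFSR attack); fails iff gcd(det A, m) != 1."""
    n, d = len(A), det(A, m)
    if gcd(d, m) != 1:
        raise ValueError(f"det A = {d} is not a unit mod {m}; A is not invertible")
    d_inv = pow(d, -1, m)
    adjoint = [[(-1) ** (i + j) * det(minor(A, j, i), m) for j in range(n)] for i in range(n)]
    return [[d_inv * adjoint[i][j] % m for j in range(n)] for i in range(n)]


def to_numbers(text: str) -> list[int]:
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def to_letters(values) -> str:
    return "".join(ALPHABET[v % 26] for v in values)


# Cryptosystem 1.5 (Hill Cipher): row-vector blocks, e_K(x) = xK, d_K(y) = yK^{-1}
def hill_encrypt(plaintext: str, K: Matrix) -> str:
    m, x = len(K), to_numbers(plaintext)
    if len(x) % m:
        raise ValueError(f"plaintext length must be a multiple of m = {m}")
    return to_letters(v for s in range(0, len(x), m) for v in mat_mul([x[s:s + m]], K)[0])


def hill_decrypt(ciphertext: str, K: Matrix) -> str:
    return hill_encrypt(ciphertext, inverse_mod(K)).lower()


def hill_recover_key(plaintext: str, ciphertext: str, m: int) -> Matrix:
    """Known-plaintext attack (Example 1.13): K = X^{-1} Y from the first m block pairs."""
    x, y = to_numbers(plaintext)[:m * m], to_numbers(ciphertext)[:m * m]
    X = [x[s:s + m] for s in range(0, m * m, m)]
    Y = [y[s:s + m] for s in range(0, m * m, m)]
    return mat_mul(inverse_mod(X), Y)      # raises if X is singular: choose other blocks


def lfsr_recover_coeffs(plaintext_bits: str, ciphertext_bits: str, m: int) -> list[int]:
    """Known-plaintext attack on the LFSR cipher (Example 1.14): z = x XOR y, then
    (c_0, ..., c_{m-1}) = (z_{m+1}, ..., z_{2m}) M^{-1} over Z_2 with M_{i,j} = z_{i+j-1}."""
    z = [int(a) ^ int(b) for a, b in zip(plaintext_bits, ciphertext_bits)]
    if len(z) < 2 * m:
        raise ValueError("need at least 2m keystream bits")
    M = [[z[i + j] for j in range(m)] for i in range(m)]
    return mat_mul([z[m:2 * m]], inverse_mod(M, 2), 2)[0]
```

Both attacks need only 2m known symbols (m² letters for Hill) and no search at all, which is the practical lesson: a cipher that is linear in its key falls to a handful of known plaintext regardless of key length.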
The Euclidean Algorithm (to compute $\gcd(r_0, r_1)$ for $r_0 > r_1 > 0$):
$r_0 = q_1 r_1 + r_2$, $0 < r_2 < r_1$
$r_1 = q_2 r_2 + r_3$, $0 < r_3 < r_2$
…
$r_{m-2} = q_{m-1} r_{m-1} + r_m$, $0 < r_m < r_{m-1}$
$r_{m-1} = q_m r_m + 0$
$\gcd(r_0, r_1) = \gcd(r_1, r_2) = \dots = \gcd(r_{m-2}, r_{m-1}) = \gcd(r_{m-1}, r_m) = r_m$, so $\gcd(r_0, r_1) = r_m$.
The Extended Euclidean Algorithm (to find the inverse of $r_1 \in \mathbb{Z}_n$, with $n = r_0$):
1. Perform the Euclidean Algorithm for $r_0$ and $r_1$. Record the quotients $q_1, q_2, \dots, q_m$.
2. Compute $s_0, \dots, s_m$ and $t_0, \dots, t_m$ recursively as follows:
$s_0 = 1$, $t_0 = 0$
$s_1 = 0$, $t_1 = 1$
$s_j = s_{j-2} - q_{j-1} s_{j-1}$ and $t_j = t_{j-2} - q_{j-1} t_{j-1}$ for $2 \le j \le m$
3. $r_1^{-1} = t_m \bmod r_0$ (valid when $r_m = 1$).
24 More Number Theory (Cont.)
Theorem 5.1: $r_j = s_j r_0 + t_j r_1$ for $0 \le j \le m$.
Corollary 5.2: If $\gcd(r_0, r_1) = 1$, then $r_1^{-1} = t_m \bmod r_0$.
Example 5.1: Compute $28^{-1}$ in $\mathbb{Z}_{75}$ and $17^{-1}$ in $\mathbb{Z}_{523}$.
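The Euclidean and extended Euclidean algorithms as written on the slides, Theorem 5.1 and Example 5.1, as an added Python example (not code from the slides). euclid_table keeps every row $(r_j, s_j, t_j)$ so that Theorem 5.1 can be checked row by row rather than only at the end; the function names are mine.

```python
def euclid_table(r0: int, r1: int) -> list[tuple[int, int, int]]:
    """Extended Euclidean algorithm, step for step as on the slide.

    Returns [(r_j, s_j, t_j) for j = 0, ..., m]. By Theorem 5.1 every row
    satisfies r_j = s_j*r0 + t_j*r1, and the last row has r_m = gcd(r0, r1).
    """
    if r0 <= 0 or r1 <= 0:
        raise ValueError("arguments must be positive integers")
    rows = [(r0, 1, 0), (r1, 0, 1)]            # (r_0, s_0, t_0), (r_1, s_1, t_1)
    while rows[-1][0] != 0:
        (r_prev, s_prev, t_prev), (r_cur, s_cur, t_cur) = rows[-2], rows[-1]
        q = r_prev // r_cur                     # q_{j-1} = floor(r_{j-2} / r_{j-1})
        # r_j = r_{j-2} - q_{j-1} r_{j-1}, and the same recurrence for s_j and t_j
        rows.append((r_prev - q * r_cur, s_prev - q * s_cur, t_prev - q * t_cur))
    return rows[:-1]                            # drop the final remainder 0


def extended_gcd(r0: int, r1: int) -> tuple[int, int, int]:
    """(gcd, s_m, t_m) with s_m*r0 + t_m*r1 = gcd(r0, r1)."""
    return euclid_table(r0, r1)[-1]


def mod_inverse(a: int, n: int) -> int:
    """a^{-1} in Z_n by Corollary 5.2: t_m mod n, provided gcd(n, a) = 1."""
    a = a % n
    if a == 0:
        raise ValueError("0 has no inverse")
    g, _, t = extended_gcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n


def theorem_5_1_holds(r0: int, r1: int) -> bool:
    return all(r == s * r0 + t * r1 for r, s, t in euclid_table(r0, r1))
```

For Example 5.1, euclid_table(75, 28) produces the quotients 2, 1, 2, 9 and ends in the row (1, 3, −8), so $28^{-1} \equiv -8 \equiv 67 \pmod{75}$. The same routine is what a constant-time implementation must not use as-is: the number of iterations depends on the inputs, which leaks through timing when the inputs are secret (RSA private-key generation, for instance).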
25 Other Useful Facts
Group: A group is a nonempty set G equipped with an operation • such that the following axioms are satisfied:
1. $(a \bullet b) \bullet c = a \bullet (b \bullet c)$ for all $a, b, c \in G$
2. There is an identity element $e \in G$ such that $a \bullet e = e \bullet a = a$ for all $a \in G$
3. For every $a \in G$ there is an inverse $a^{-1} \in G$ such that $a \bullet a^{-1} = a^{-1} \bullet a = e$
Order of an element in a group: for $a \in G$, the smallest positive integer m such that $a^m = e$ is called the order of a and is denoted by o(a). If there is no positive integer m such that $a^m = e$, we say that $o(a) = \infty$.
Theorem 5.4 (Lagrange): Let G be a finite group with |G| = n. Then for every $a \in G$, o(a) divides n. In particular, $a^{|G|} = e$.
Corollary 5.5: If $b \in \mathbb{Z}_n^*$, then $b^{\phi(n)} \equiv 1 \pmod n$.
Corollary 5.6 (Fermat): Let p be a prime and $b \in \mathbb{Z}_p$. Then $b^p \equiv b \pmod p$.
26 Other Useful Facts (Cont.)
Cyclic group: Let G be a group and $\alpha \in G$. If every element of G is of the form $\alpha^n$ ($n \in \mathbb{Z}$), we say that G is a cyclic group generated by $\alpha$. In this case we write $G = \langle \alpha \rangle$, and $\alpha$ is called a generating element (generator) of G.
Theorem 5.7: If p is prime, then $(\mathbb{Z}_p^*, \bullet)$ is a cyclic group.
A primitive element modulo p: a generating element of $\mathbb{Z}_p^*$.
Fact: Let $\alpha$ be a primitive element modulo p. Then
1. the order of $\beta = \alpha^i$ ($0 \le i \le p-2$) is $(p-1)/\gcd(p-1, i)$;
2. $\beta = \alpha^i$ ($0 \le i \le p-2$) is a primitive element modulo p iff $\gcd(p-1, i) = 1$;
3. the number of primitive elements modulo p is $\phi(p-1)$.
Example 5.4: Find the primitive elements modulo 13.
Theorem 5.8: Suppose p > 2 is prime and $\alpha \in \mathbb{Z}_p^*$. Then $\alpha$ is a primitive element modulo p iff $\alpha^{(p-1)/q} \not\equiv 1 \pmod p$ for all primes q such that $q \mid (p-1)$.
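Theorem 1.2, the order facts above, Example 5.4 and Theorem 5.8 as an added Python example (not code from the slides). prime_factors uses trial division, which is adequate for the textbook sizes here; that choice is an assumption of the example, not part of the theorems, which only need the factorization of p − 1 from somewhere.

```python
from math import gcd


def prime_factors(n: int) -> list[int]:
    """Distinct prime factors of n by trial division (adequate for small n)."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            factors.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        factors.append(n)
    return factors


def euler_phi(m: int) -> int:
    """Theorem 1.2: phi(m) = product of (p^e - p^(e-1)) over the prime powers p^e dividing m exactly."""
    result, rest = 1, m
    for p in prime_factors(m):
        e = 0
        while rest % p == 0:
            rest //= p
            e += 1
        result *= p ** e - p ** (e - 1)
    return result


def order_mod(a: int, p: int) -> int:
    """o(a) in Z_p^*: the least k >= 1 with a^k = 1 (mod p); by Lagrange it divides p - 1."""
    if a % p == 0:
        raise ValueError("0 is not in Z_p^*")
    k, x = 1, a % p
    while x != 1:
        x = x * a % p
        k += 1
    return k


def is_primitive(alpha: int, p: int) -> bool:
    """Theorem 5.8: alpha generates Z_p^* iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    if alpha % p == 0:
        return False
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def primitive_elements(p: int) -> list[int]:
    """Example 5.4 for general p: every primitive element in Z_p^* (there are phi(p-1) of them)."""
    return [a for a in range(1, p) if is_primitive(a, p)]


def order_of_power(p: int, i: int) -> int:
    """Fact 1: if alpha is primitive modulo p, then o(alpha^i) = (p-1)/gcd(p-1, i)."""
    return (p - 1) // gcd(p - 1, i)
```

Theorem 5.8 is the test that matters in practice: it needs only the prime factors of p − 1 and a few modular exponentiations, whereas order_mod walks up to p − 1 steps and is only usable for toy p.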
27 The RSA Cryptosystem
Cryptosystem 5.1: (RSA Cryptosystem) Let n = pq, where p and q are distinct primes. Let $P = C = \mathbb{Z}_n$, and define $H = \{(n, p, q, a, b) : ab \equiv 1 \pmod{\phi(n)}\}$, where $\phi(n) = (p-1)(q-1)$. For K = (n, p, q, a, b), define
$e_K(x) = x^b \bmod n$ and $d_K(y) = y^a \bmod n$ ($x, y \in \mathbb{Z}_n$).
The values n and b comprise the public key, and the values p, q, and a form the private key.
We need to verify $d_K(e_K(x)) = x$, i.e. $(x^b)^a \equiv x \pmod n$; this follows from $ab \equiv 1 \pmod{\phi(n)}$ and Corollary 5.5 when $\gcd(x, n) = 1$, and a separate argument modulo p and modulo q covers the remaining x.
Example 5.5:
1. Bob picks p = 101 and q = 113. Then n = 11413 and $\phi(n) = 100 \cdot 112 = 11200$.
2. Bob chooses b = 3533. Then $a = b^{-1} \bmod \phi(n) = 6597$.
3. Alice encrypts the plaintext 9726 using the public key (n, b): $9726^{3533} \bmod 11413 = 5761$.
4. Bob decrypts the ciphertext using the private key (p, q, a): $5761^{6597} \bmod 11413 = 9726$.
28 Implementing RSA
Represent c in binary notation:
$$c = \sum_{i=0}^{l-1} c_i 2^i = c_{l-1} 2^{l-1} + c_{l-2} 2^{l-2} + \dots + c_1 2^1 + c_0 2^0.$$
The following algorithm computes $x^c$ in $\mathbb{Z}_n$ very efficiently: l squarings and at most l multiplications, instead of c − 1 multiplications.
Algorithm 5.5: Square-And-Multiply(x, c, n)
    z ← 1
    for i ← l − 1 downto 0 do
        z ← z² mod n
        if $c_i$ = 1 then z ← (z · x) mod n
    return z
Example 5.5 (Cont.): Recall n = 11413, b = 3533, and plaintext = 9726. Compute $9726^{3533} \bmod 11413$.
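Cryptosystem 5.1, Algorithm 5.5 and Example 5.5 as an added Python example (not code from the slides). This is textbook RSA on integers in $\mathbb{Z}_n$ exactly as defined above: there is no padding, so encryption is deterministic and multiplicatively malleable, which is why deployed RSA wraps the message in a padding scheme such as OAEP before exponentiation. The example is for following the slides, not for protecting data; the modular inverse of b uses Python's pow(b, -1, phi).

```python
def square_and_multiply(x: int, c: int, n: int) -> int:
    """Algorithm 5.5: x^c mod n, scanning the bits c_{l-1}, ..., c_0 of c."""
    if c < 0 or n <= 0:
        raise ValueError("exponent must be non-negative and modulus positive")
    z = 1
    for bit in bin(c)[2:]:                 # most significant bit first
        z = z * z % n                      # z <- z^2 mod n
        if bit == "1":
            z = z * x % n                  # z <- z * x mod n
    return z


def operation_count(c: int) -> tuple[int, int]:
    """(squarings, multiplications) Algorithm 5.5 performs: l, and the number of 1-bits of c."""
    bits = bin(c)[2:]
    return len(bits), bits.count("1")


def rsa_keygen(p: int, q: int, b: int) -> tuple[tuple[int, int], tuple[int, int, int]]:
    """Cryptosystem 5.1: public key (n, b), private key (p, q, a) with ab = 1 (mod phi(n))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    a = pow(b, -1, phi)                    # raises ValueError unless gcd(b, phi(n)) = 1
    return (n, b), (p, q, a)


def rsa_encrypt(x: int, public_key: tuple[int, int]) -> int:
    n, b = public_key
    if not 0 <= x < n:
        raise ValueError("plaintext must be an element of Z_n")
    return square_and_multiply(x, b, n)


def rsa_decrypt(y: int, private_key: tuple[int, int, int]) -> int:
    p, q, a = private_key
    return square_and_multiply(y, a, p * q)
```

For b = 3533 = 110111001101 in binary, operation_count reports 12 squarings and 8 multiplications, against 3532 multiplications for the naive method. The branch on each bit is also the textbook example of a timing and power side channel: implementations that handle secret exponents use a fixed sequence of operations (for instance a Montgomery ladder) instead of this loop.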