Classic Cryptosystems Key Points Modulo Operation Ring Division
3/1/2014
Ring
RingRing ZZmm is:is: ––SetSet of integers: ZZ ={={00,,11,,22,…,m,…,m--11}} Classic Cryptosystems mm ––TwoTwo operation: “+” and “ ××”” →→ ≡≡ ∈∈ “+” a + b c mod m (c ZZmm)) ×× →→ ×× ≡≡ ∈∈ ““ ” a b d mod m (d ZZmm)) Example:
–– m = 77, Z, Z 77={={00,,11,,22,,33,,44,,55,,66}} 6 + 5 = 11 mod 7 = 44 6 ×× 5 = 30 mod 7 = 22
6262//٤٤ ١١
Key Points Ring Z mm Properties & Operations Field: set of elements with + & * IdentityIdentity:: additive ‘00’‘ ’ , multiplicative ‘11’’‘ Modular Arithmetic: reduces all a+a+00=a=a , a ××11=a=a mod m numbers to fixed set [[00…n…n--11]] InverseInverse:: additive ‘--a’,‘ a’, multiplicative ‘a --11’’ GCD: largest positive integer dividing a+(a+(--a)=a)=00 mod m, a ×× aa--11 ==11 mod m Finite Field: finite number of elements Multiplicative inverse exist if gcd (a,m) = 11 n Order Finite Field: power of a prime PP Ring Addition and Multiplication is: where n = integer ClosedClosed,, Commutative,Commutative , Associative Finite Field: of order p can be defined using normal arithmetic mod p
6262//٥٥ 6262//٢٢
Modulo Operation Division on Ring ZZmm Q:Q: What is 12 mod 99?? Ring Division: 44//1515 mod 2626?????? A:A: 12 mod 9 ≡≡33 44//1515 mod 26 = 4 ×× 1515 --11 mod 2626 Let a,r,m ∈∈ ΖΖ 1515 --11 mod 2626exist if gcd(1515,,2626)=)=11gcd( 1515 --11 mod 26 = 7 ((Ζ = set of all integers ) and m >00..>m ÏÏ 44//1515 mod 26 = 44××7 mod 26 = 28 mod 2626==22 We write r ≡ a mod m if m ––rr divides aa.. Note that the modulo operation can be applied mm is called the modulus. whenever we want: rr is called the remainder. (a + b) mod m = [(a mod m)+ (b mod m)] mod m q · a = m --rr 0 ≤ r< m (a ×× b) mod m = [(a mod m) ×× (b mod m)] mod m
6262//٦٦ 6262//٣٣
1 3/1/2014
Exponentiation in ZZ mm Substitution Ring Exponentiation: 338 mod 7 =???=??? 338 mod 7 = 6561 mod 77 6561 mod 7 = 2 →→ 65616561=(=(937937 ××77)+)+22 A => 0 Or = 3388 = 3344××3344= 3322××3322××3322××3322 NUCLEAR B => 1 8 2 ×× 2 ×× 2 C => 2 33 mod 7 = [(33[(= mod 77)) ((33 mod 77)) ((33 mod 77)) Key ××((332 mod 77)])] mod 77 D => 3 E => 4 338 mod 7 = (2(= 2 ×× 2 ×× 2 ×× 22)) mod 7 = 16 mod 77==22 Encryption .. Note that ring ΖΖmm (modulo arithmetic) is of .. central importance to modern publicpublic--keykey cryptography. In practice,the order of the .. integers involved in PKC are in the range of[of[22160160 , 13 20 2 11 4 0 17 X => 23 2210241024 ]. Perhaps even larger Y => 24 Z => 25 6262// ١٠١٠ 6262//٧٧
Advance Substitution Classic Cryptography (Random) Key
Substitution A => D F => I K => N P => S U => G B => A G => J L => O Q => F V => Y Transposition C => T H => U M => P R => K W => Q Enigma Machine D => X I => L N => Z S => V X => E ShiftShift E => H J => R O => M T => W Y => B Z => C Affine Vigenere Block (Hill) Vernam (one time pad) NUCLEAR Encryption ??????? Stream
6262// ١١١١ 6262//٨٨
Substitution Transposition (Permutation)
Substitution reserves places A => B But NUCLEAR B => C Transposition reserves content C => D D => E Key E => F Encryption ...... NUCLEAR Encryption LUCNARE OVDMFBS X => Y Y => Z Z => A 6262// ١٢١٢ 6262//٩٩
2 3/1/2014
Breaking a Transposition (Permutation) Monoalphabetic Substitution
X ydis pq yjc xzpvpyw ya icqdepzc ayjceq xq COMPUTER ENGINEER A tact is the ability to describe others as
yjcw qcc yjcuqcvrcq. Encryption Cipher text they see themselves. COM PUT Xzexjxu Vpsdavs CPEEIE.OURNNR.MT GE . ER Abraham Lincoln ENG I NE Character Frequency: c-10, y-8, q-7, x-6, j-5, p-5, v-4, d-3 ER a-3, e-3, z-3, s-2, u-2, w-2, i-1, r-1 6262// Alphabet frequency: e t a o i n s r h l d c u m f p g w y b v k x j q z١٦١٦ 6262// ١٣١٣
Security Enigma Machine GermanyGermany--WorldWorld War 11 Encryption: Keys are typed in normally Machine output: Cipher text -- encrypted message typed on paper Decryption: Normal typing cipher text ––MachineMachine output: Plain text on paper Keys: Mechanical rotors
6262// ١٧١٧ 6262// ١٤١٤
Wheel Cipher
6262// ١٨١٨ 6262// ١٥١٥
3 3/1/2014
Shift Cipher Analysis Affine Cipher Algorithm: Alphabet letters are substituted by numbers: Encryption: Ek(x) = y = α· x + β mod 26. Key: k = (α, β) where α, β ∈ Ζ Key Space??? AA BB CC DD EE FF GG HH II JJ KK LL MM 26 Key space = 26 . 26 = 676 Possibilities are they all possible? 00 11 22 33 44 55 66 77 88 99 1010 1111 1212 NN OO PP QQ RR SS TT UU VV WW XX YY ZZ Example: 1313 1414 1515 1616 1717 1818 1919 2020 2121 2222 2323 2424 2525 k = (α, β) = (13, 4) INPUT = (8, 13, 15, 20, 19) RingRing:: ZZ x = plaintext k = key Y = (4, 17, 17, 4, 17) = ERRER 2626 ALTER = (0, 11, 19, 4, 17) –– EE (x) = x + k mod 26 ((EncryptionEncryption)) kk Y = (4, 17, 17, 4, 17) = ERRER –– DD (x) = x ––kk mod 26 ((DecryptionDecryption)) kk No one-to-one map within plaintext and ciphertext. What went wrong? 6262// ٢٢٢٢ -1 6262// ١٩١٩ Caser Cipher: k = 33 Decryption: D k(x) = x = α · y +γ
Affine Cipher Analysis Caesar Shift Key Space: β can be any number in Ζ26 ⇒ 26 possibilities -1 Since α has to exist, only selected integers in Ζ26 are useful .e.g. gcd( α, 26) = 1. Ï {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25} Therefore, the key space has 12 · 26 = 312 candidates. Attack types: PLAINTEXT a b c de f gh i j k lm 1. Ciphertext only: exhaustive search or frequency analysis 2. Known plaintext: two letters in the plaintext and corresponding ciphertext letters CIPHERTEXT D E F GH I JK L M N OP would be sufficient to find the key. n o p qr s tu v w x yz PLAINTEXT Example : plaintext: IF=(8, 5) and ciphertext PQ=(15, 16) CIPHERTEXT Q R S TU V WX Y Z A BC – 8 · α + β ≡ 15 mod 26 – 5 · α + β ≡ 16 mod 26 → α = 17 and β = 9 What happens if we have only one letter of known plaintext?
3. Chosen plaintext: Chose A and B as the plaintext. The first character of the Hello There → khoor wkhuh ciphertext will be equal to 0·α + β = β and the second will be α + β. 4. Chosen ciphertext : Chose A and B as the ciphertext. 6262// ٢٣٢٣ 6262// ٢٠٢٠
Shift Cipher Example Vigenere Cipher Assume: key k = 17 Vigenere Cipher encrypts mm Plaintext: X = A T T A C K = (0, 19, 19, 0, 2, 10). Ciphertext: Y = (0+17 mod 26, 19+17 mod 26,…) alphabetic characters at a time Y = (17, 10, 10, 17, 19, 1) = R K K R T B
Attacks on Shift Cipher each plaintext element is equivalent 1. Exhaustive Search: to mm alphabetic characters – Try all possible keys. |K|= 26. – Nowadays, for moderate security, |K| ≥280 , – recommended security |K| ≥2100 . key KK is a keyword that associate 2. Letter frequency analysis (Same plaintext maps to same ciphertext) with an alphabetic string of length mm
6262// ٢٤٢٤ 6262// ٢١٢١
4 3/1/2014
Example Block ciphers Substitution ciphers: changing one letter in the plaintext changes mm = 55;; KK = (22,(= , 88,, 1515,, 77,, 2020).). exactly one letter in the ciphertext. P = 44,,55,,22,,88,,1111,,22,,1414,,2020,,11,,22,,44,,55,,1616 This greatly facilitates finding the key using frequency analysis. Block ciphers: prevents this by encrypting a block of letters simultaneously. Encryption: Many of the modern (symmetric) cryptosystems are block ciphers. 44 55 22 88 1111 22 1414 2020 11 22 33 44 55 1616 DES operates on 64 bits of blocks 22 88 1515 77 2020 22 88 1515 77 2020 22 88 1515 77 AES uses blocks of 128 bits (192 and 256 are also possible). 66 1313 1717 1515 3131 44 2222 99 88 2222 55 1212 2020 2323 Example: Hill Cipher (1929)
The key is an n × n matrix whose entries are integers in Ζ26 .
6262// ٢٨٢٨ 6262// ٢٥٢٥
Vigenere Cipher Secrecy Block cipher: Hill cipher number of possible keywords of length mm ÏÏ 2626 mm Encryption: vector-matrix multiplication if mm = 55,, then the keyspace has size exceeding 11..11 ×× 1010 77. 321 This is already large enough to preclude Example: Let n=3, key matrix ‘M’ be M = 654 exhaustive key search by hand (but not by 8911 computer). assume the plaintext is ABC=(0,1,2) having keyword length mm, an alphabetic 321 character can be mapped to one of mm possible )2,1,0( × 654 ≡ = )22,23,0(26mod)22,23,26( ⇒ AXW (ciphertext ) alphabetic characters (assuming that the keyword contains mm distinct characters). 8911 Such a cryptosystem is called polyalphabetic . Decryption: 1522 In general, cryptanalysis is more difficult for 22 15 = polyalphabetic than for monoalphabetic inverse ‘N’ of key matrix M is needed: N 24176 cryptosystems. )22,23,0( × 24176 ≡ = )2,1,0(26mod)574,677,468( ⇒ ABC ( plain11315 − text ) 6262// ٢٩٢٩ 1315 1 6262// ٢٦٢٦
Vigenere Cipher Attack Hill Cipher If we change one letter in the plaintext, all the letters of observe two identical segments in the ciphertext will be affected. Ciphertext each of length at least Example: three, then there is a good chance Let the plaintext be ABB instead of ABC then the ciphertext is that they do correspond to identical 321 segments of plaintext. )1,1,0( × 654 ≡ mod)14,14,15( = )14,14,15(26 ⇒ POO (ciphertext ) 8911
6262// ٣٠٣٠ 6262// ٢٧٢٧
5 3/1/2014
Another Example One-Time Pad (Vernam Cipher) Vernam in 1918, proposed the one-time Use Key: pad, which is a provably secure 1246 cryptosystem. M = 101613 151720 Messages are represented as a binary string (a sequence of 0’s and 1’s using a coding mechanism such as ASCII coding.) Decryption Key: The key is a truly random sequence of 0’s and 1’s of the same length as the message. 1058 N = 21821 The encryption is done by adding the key to 81221 the message modulo 2, bit by bit as ⊕ 6262// ٣٤٣٤ .(exclusive OR, (XOR 6262// ٣١٣١
Hill Cipher Attack OneOne--timetime pad
Ciphertext: SecretSecret--keykey encryption scheme (symmetric) ––Hill Cipher is more difficult to break ––EncryptEncrypt plaintext by XOR with sequence of bits with a ciphertextciphertext--onlyonly attack. ––DecryptDecrypt ciphertext by XOR with same bit sequence Scheme for pad of length nn Plaintext + Ciphertext: ––SetSet P of plaintexts: all n--bitnall bit sequences 1.1.Opponent has determined the value of mm ––SetSet C of ciphertexts: all n--bitnall bit sequences 2.2.Compute the key ––SetSet K of keys: all n--bitnall bit sequences ––EncryptionEncryption and decryption functions encrypt(key, text) = key ⊕⊕ text (bit(bit--byby--bit)bit) decrypt(key, text) = key ⊕⊕ text (bit(bit--byby--bit)bit)
6262// ٣٥٣٥ 6262// ٣٢٣٢
Properties of Good Unconditional Secure
Cryptosystems 01111 01000 01101 01001
Diffusion: one character change in the plaintext should effect as many ciphertext ⊕ characters as possible.
Confusion: The key should not relate to the 01101 01010 01111 01011 ciphertext in a simple way.
Shannon (1949) 00010 00010 00010 00010 6262// ٣٦٣٦ ???Cipher 6262// ٣٣٣٣
6 3/1/2014
True random number generation Why One-Time Pad is secure? (RNG) The security depends on the randomness of the key Requires a naturally occurring source of randomness It is hard to define randomness (randomness exists in the nature) In cryptographic context, we seek two fundamental properties Hardware based random number generators (RNG) in a binary random key sequence: exploit the randomness which occurs in some physical phenomena – Unpredictability – Elapsed time between emission of particles during radioactive decay probability of a certain bit being 1 or 0 is exactly equal to ½. – Thermal noise from a semiconductor diode or resistor – Frequency instability of a free running oscillator – The amount which a metal insulator semiconductor capacitor is charged – Unbiased (Equal Distribution ) during a fixed period of time. numbers of 1’s and 0’s are expected to be equal The first two are subject to observation and manipulation by adversaries.
6262// ٤٠٤٠ 6262// ٣٧٣٧
Evaluation of oneone--timetime pad Software base RNG Advantages 1. The system clock 2. Elapsed time between keystrokes or mouse movement ––EasyEasy to compute encrypt, decrypt fromfrom key, 3. Content of input/output buffer texttext 4. User input ––AsAs hard to break as possible 5. OS values such as system load and network statistics. This is an informationinformation--theoreticallytheoretically secure cipher Given ciphertext, all possible plaintexts are equally All of them are subject to observation and manipulation. likely, assuming that key is chosen randomly Individually these sources are very “weak”. Disadvantage The randomness can be increased by combining the outputs of ––KeyKey is as long as the plaintext these sources using a complex mixing function (e.g. hashing the concatenation of the output bits). How does sender get key to receiver securely?
Idea for stream cipher: use pseudopseudo--randomrandom generatorsgenerators for key... Still, not quite secure! 6262// ٤١٤١ 6262// ٣٨٣٨
Pseudorandom number generation Randomness & Pseudo-randomness A pseudorandom number generator (PRNG) is a deterministic algorithm, which, given a truly random binary sequence of length Randomness: Closely related to k (random seed ), outputs a binary sequence of length l >> k which unpredictability “appears” to be random. Pseudo-randomness : PR sequences appears The output of a PRNG is not random. However, it is impractical random to a computationally bounded (improbable) for a anyone (adversary) to distinguish a pseudorandom sequence from a truly random sequence of the adversary same length. Cryptosystems need random unpredictable numbers for No practical test to check if a sequence is truly random. One-time pad Thus, we can’t define exactly what the pseudo randomness. Secret key for DES, AES, etc. Golomb’s postulates was one of the first attempt to establish necessary conditions for a periodic sequence to look random. It Primes p, q for RSA has only historical importance nowadays. Private key for ECC However, more recent attempts may not offer a more thorough
6262// ٤٢٤٢ .6262 conditions// Challenges used in challenge based identification systems٣٩٣٩
7 3/1/2014
Statistical Tests for Pseudo-randomness Binary Stream 1. Frequency test (mono bit test): • Stream ciphers are often described in terms of # of 1s and 0s must be approximately the same 2. Poker test binary alphabets A sequence is divided into k non-overlapping segments of length m. • the encryption and decryption operation are This test determines if the segments of length m each appear just addition modulo 2 approximately the same number of times. ⊕ 3. Runs Test • exclusive-or operation: XOR ‘ ’ Determines if the # of runs of various lengths is similar to those of truly random sequences • implemented very efficiently in hardware 4. Long run test The long run test is passed if there are no runs of length 34 or more.
62/ ٤٦ 6262// ٤٣٤٣
Basic Idea
Basic Idea comes from One-Time-Pad and Vigenere Cipher Stream Ciphers ⊕ • Encryption : ci = m i zi i = 1,2,3,4…..
– mi : plain-text bits – ki : key (key-stream) bits – ci : cipher-text bits
⊕ • Decryption : mi = c i zi i = 1,2,3,4…..
62/ ٤٧ 62/ ٤٤
Basic Idea Stream Cipher
• Block ciphers: y = y 1 y2 y3 = E K(x 1) E K(x 2) E K(x 3) • Drawback :
• Stream cipher: y = y 1 y2 y3 = E z1(x 1)E z2(x 2)E z3(x 3) – Key-stream should be as long as plain-text. – Key distribution & Management difficult. • Stream cipher Key: zi = f (K, x 1 , x 2) • block cipher can be a special case of a stream • Solution : cipher where the key-stream is constant – Stream Ciphers (in which key-stream is generated in pseudo-random fashion from relatively short secret key .)
62/ ٤٨ 62/ ٤٥
8 3/1/2014
LFSR Stream ciphers Connection Polynomial Generation • Randomness : –CCCClosely related to unpredictability . • Pseudo-randomness : – PR sequences appears random to a computationally bounded adversary.
– Stream Ciphers can be modeled as Finite- state machine.
62/ ٥٢ 62/ ٤٩
LFSR Linear Feedback Shift Register (LFSR) Example: C(x) = x 3 + x 2 + 1 • Well-suited for hardware implementation 100 010 • Very low implementation costs • Produce sequences: 001 101 – having large periods – having good statistical properties – readily analyzed using algebraic techniques 011 110 • But, the output sequences of LFSRs are easily predictable. 111 3 62/ ٥٣ Compare with: C(x) = x + x + 1 62/ ٥٠
Linear Feedback Shift Register (LFSR) LFSR Example
when initial state is (0001) LSFR Output: 100011110101100 100011110101100 …
⊕ ⊕ sj=(c 1.Stage L-1) (c 1.Stage L-2)…. (c L-1.Stage 1) (c L.Stage 0) Connection Polynomial: C(x)= 2 3 L 1+c1 x + c2 x + c3 x + …… + cL x • What is Connection Polynomial? If C(x) is chosen carefully the output of LFSR can have • C(x) = x 4 + x + 1 L maximum period of 2 -1 • Compare with: C(x) = x 4 + x 3 + x 2 + 1 62/ ٥٤ 62/ ٥١
9 3/1/2014
LFSR Geffe Generator Example Study
• LFSR have good statistical properties. • LFSR#1: 1+x+x4. Initial key1: 1000 3 • However, they may be predictable • LFSR#2: 1+x+x . Initial key2: 110 • LFSR#3: 1+x2+x5. Initial key3: 10101
Caveat/Warning: • Key sequence 1 (x1): 100011110101100 • Mathematical proofs of security of such • Key sequence 2 (x2): 010011101001110 generators are not known. • Key sequence 3 (x3): 101011101100011 • Output sequence ( z): 101011100101101 • They are deemed to be computationally secure after having withstood sufficient public • Exhaustive search: 15 ×7×31= 3255 scrutiny and inspection.
62/ ٥٨ 62/ ٥٥
Nonlinear Combination Generator Correlation Attack Combiner function must be • If we have n LFSRs, the key space of the non-linear • Balanced combination generator is the product of their non- • highly nonlinear repetitive shortest sequence terms. • carefully selected Ï no dependence between any Exhaustive search = Brute force attack: 15 ×7×31= 3255 trial subset of LFSR sequences and the output sequence
• However, if there is correlation between the output LFSR 1 sequence and each input sequence then the effective Nonlinear Output LFSR 2 key length can be reduced to the summation of their Combination sequence Function non-repetitive shortest sequence terms. LFSR 3 Input Correlation attack: 15+7+31 = 53 trial sequence 62/ ٥٩ 62/ ٥٦
Example: Geffe generator Correlation Attack ⊕ ⊕ F( x1,x2,x3)= x1x2 x2x3 x3 x1 x2 x3 F • The method requires a sufficiently long output • inspect the truth table of the 0 0 0 0 sequence. combiner function to gain more insight about the security of Geffe 0 0 1 1 • Input sequences of the same length will be generator. 0 1 0 0 compared against the output sequence. 0 1 1 0 • The combiner function is balanced • And the input sequence that has a matching 1 0 0 0 correlation to the predefined one to the output • However, the correlation of z to 1 0 1 1 sequence will be taken. – x1 is P( z= x 1) = ¾ 1 1 0 1 – x2 is P( z= x 2) = ½
– x3 is P( z= x 3) = ¾ 1 1 1 1 62/ ٦٠ 62/ ٥٧
10 3/1/2014
Synchronous Stream Ciphers • Key-stream is independent of plain and cipher-text. • Both sender &receiver must be synchronized. • Resynchronization can be needed. • Active attacks can easily be detected. (insertion, deletion, replay) • No Error Propagation.
62/ ٦١
Self-Synchronizing (Asynchronous) Stream Ciphers • key stream generated as function of fixed number of previous ciphertext bits • Active attacks cannot be detected. • At most t bits later than synchronization is lost, it resynchronizes itself • Limited error propagation (up to t bits).
62/ ٦٢
SEAL (just an idea)
• SEAL (Software-optimized Encryption Algorithm) is a binary additive stream cipher (proposed 1993) • specifically designed for efficient software implementation for 32-bit processors • it has not yet received much scrutiny from the cryptographic community
62/ ٦٣
11