Classical Public Cryptography Cryptographic Checksums

Cryptography CS3SR3/SE3RA3

Ryszard Janicki

Acknowledgments: Material based on Computer Security: Art and Science by Matt Bishop (Chapter 9)

Cryptography and Cryptosystems

Cryptography ≡ Secret Writing in Greek

Definition: A cryptosystem is a 5-tuple (E, D, M, K, C), where: M is the set of plaintexts, K is the set of keys,

E = {Ek | k ∈ K}, where each Ek : M → C, is the set of enciphering functions,

D = {Dk | k ∈ K}, where each Dk : C → M, is the set of deciphering functions.

Caesar

Example: Idea: letters are shifted and key = shift. If k = 3 then A → D, B → E, ..., Z → C, and HELLO → KHOOR.

M = all sequences in Roman letters = {A, B, C, ..., Z}∗, K = {i | 0 ≤ i ≤ 25}, or K = {i | 1 ≤ i ≤ 26},

E = {Ek | k ∈ K}, where for each m ∈ M, Ek (m) = mk , and mk is derived from m by shifting each letter by k,

D = {Dk | k ∈ K}, where for each c ∈ C, Dk (c) = ck , and ck is derived from c by shifting back each letter by k,

C = M.

Goals and Adversaries

The goal of cryptography is to keep enciphered information secret. An adversary wants to break a ciphertext. The adversary knows D and E. Three types of attacks:

1. Ciphertext only - Adversary has only the ciphertext. Goal: the plaintext and, if possible, the key.
2. Known Plaintext - Adversary has the ciphertext and the plaintext that was enciphered. Goal: the key.
3. Chosen Plaintext - Adversary may ask that specific plaintexts be enciphered, and is given the corresponding ciphertexts. Goal: the key.

A good cryptosystem protects against all three types of attacks.

Classical Cryptosystems

Definition: Classical cryptosystems (also called single-key or symmetric cryptosystems) are cryptosystems that use the same key for encipherment and decipherment. In these systems, for all Ek ∈ C and k ∈ K, there is a Dk ∈ D such that Dk = Ek^−1.

Example The Caesar cipher discussed earlier had a key of 3, so the enciphering function was E3. To decipher KHOOR, we used the same key in decipherment function D3. Hence, the Caesar cipher is a classical cipher.

There are two basic types of classical ciphers: transposition ciphers, and substitution ciphers.

Transposition Ciphers

Definition: A transposition cipher rearranges the characters in the plaintext to form the ciphertext. The letters are not changed.

Example (Rail-Fence Cipher): The rail-fence cipher is composed by writing the plaintext in two rows, proceeding down, then across, and reading the ciphertext across.

1 2 3 4 5 6 7 8  =⇒  1 3 5 7  =⇒  1 3 5 7 2 4 6 8
                     2 4 6 8

For example:

HELLOWORLD  =⇒  HLOOL  =⇒  HLOOLELWRD
                ELWRD


Example (Rail-Fence Cipher. Version 2):

1 2 3 4 5 6 7 8 9  =⇒  1 4 7  =⇒  1 4 7 2 5 8 3 6 9
                       2 5 8
                       3 6 9

For example:

HELLO WORLD  =⇒  HLWL  =⇒  HLWLEOODL R
                 EOOD
                 L R

Mathematically, the key to a transposition cipher is a permutation function. Permutations do not change the frequency of plaintext characters, which provides a means of attack.

Example: For instance, because HE has frequency 3.05% in English, one may assume that in HLOOLELWRD, E should follow H, so one may try:

HE
LL
OW
OR
LD

Reading the letters across and down produces HELLOWORLD.

Substitution Ciphers

Definition: A substitution cipher changes characters in the plaintext to produce the ciphertext.

Example: Consider the Caesar cipher with the key k = 3 or D, i.e. A → D, B → E, ..., X → A, Y → B, Z → C. HELLOWORLD → KHOORZRUOG

A Caesar cipher is susceptible to a statistical ciphertext-only attack.

Example: Ciphertext: KHOORZRUOG (length is 10 characters). Numbering of letters: A → 0, B → 1, ..., Z → 25.

STATISTICAL ATTACK: Frequencies of letters in KHOORZRUOG:

letter   G    H    K    O    R    U    Z
c        6    7    10   14   17   20   25
f (c)    0.1  0.1  0.1  0.3  0.2  0.1  0.1

Correlation with average English text:

Φ(i) = Σ_{c=0}^{25} f (c) p(c − i),

where p(x) are character frequencies in English (see Table 9-1 on page 11).

Character Frequencies in English

• p(0) = p(a) = 0.080, p(1) = p(b) = 0.015,..., p(25) = p(z) = 0.002


Example (continuation): Ciphertext: KHOORZRUOG. Numbering of letters: A → 0, B → 1, ..., Z → 25.

STATISTICAL ATTACK: For KHOORZRUOG, we have

Φ(i) = 0.1p(6 − i) + 0.1p(7 − i) + 0.1p(10 − i) + 0.3p(14 − i) + 0.2p(17 − i) + 0.1p(20 − i) + 0.1p(25 − i)

We are looking for the largest Φ(i), i = 0, ..., 25.

Values of Φ(i) for KHOORZRUOG in English

Φ(6) = 0.0660 =⇒ KHOORZRUOG → EBIILTLOIA,
Φ(10) = 0.0635 =⇒ KHOORZRUOG → AXEEHPHKEW,
Φ(3) = 0.0575 =⇒ KHOORZRUOG → HELLOWORLD,
Φ(14) = 0.0535 =⇒ KHOORZRUOG → WTAADLDGAS,
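The correlation attack above can be reproduced with a short script. This is an added example, not part of the original slides: the full frequency table ENGLISH is an assumption (the slides give only p(a), p(b) and p(z)) that reproduces the four Φ(i) values listed, and the function names are illustrative.

```python
from collections import Counter

# Assumed English letter frequencies p(0)..p(25) for a..z. Only p(a)=0.080,
# p(b)=0.015 and p(z)=0.002 appear on the slides; the rest is an assumption.
ENGLISH = [0.080, 0.015, 0.030, 0.040, 0.130, 0.020, 0.015, 0.060, 0.065,
           0.005, 0.005, 0.035, 0.030, 0.070, 0.080, 0.020, 0.002, 0.065,
           0.060, 0.090, 0.030, 0.010, 0.015, 0.005, 0.020, 0.002]


def letter_frequencies(ciphertext):
    """Return {letter index: relative frequency f(c)} for the letters A..Z."""
    letters = [ord(ch) - ord("A") for ch in ciphertext.upper() if "A" <= ch <= "Z"]
    if not letters:
        raise ValueError("ciphertext contains no letters")
    return {c: n / len(letters) for c, n in Counter(letters).items()}


def correlation(ciphertext, i):
    """Phi(i) = sum over c of f(c) * p(c - i), indices taken mod 26."""
    freqs = letter_frequencies(ciphertext)
    return sum(f * ENGLISH[(c - i) % 26] for c, f in freqs.items())


def shift_back(ciphertext, i):
    """Undo a Caesar shift of i on an upper-case message."""
    return "".join(chr((ord(ch) - ord("A") - i) % 26 + ord("A"))
                   for ch in ciphertext.upper())


def ranked_keys(ciphertext, top=4):
    """Return the `top` candidate keys as (key, Phi(key), trial plaintext)."""
    scored = sorted(((correlation(ciphertext, i), i) for i in range(26)),
                    reverse=True)
    return [(i, phi, shift_back(ciphertext, i)) for phi, i in scored[:top]]


if __name__ == "__main__":
    # The real key (3) is only the third-best score: with ten letters the
    # statistics narrow the search, and the analyst still reads the candidates.
    for key, phi, text in ranked_keys("KHOORZRUOG"):
        print(f"Phi({key}) = {phi:.4f}  ->  {text}")
```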

Vigenère Cipher

Invented by Blaise de Vigenère in 1586.

Definition: The Vigenère cipher chooses a sequence of keys, represented by a string. The key letters are applied to successive plaintext characters, and when the end of the key is reached, the key starts over. The length of the key is called the period of the cipher.

In other words, like the Caesar cipher, but we use a phrase. Figure 9-3 on page 15 shows a tableau to implement this cipher efficiently. Because this requires several different key letters, this type of cipher is called polyalphabetic.


Example Letters enumeration: A → 0,..., G → 6,..., I → 8,..., V → 21,..., Z → 25. Message: THE BOY HAS THE BALL Key: VIG or 21-8-6. We encipher using Caesar cipher for each letter:

Plaintext  THEBOYHASTHEBALL
Keys       VIGVIGVIGVIGVIGV
Ciphertext OPKWWECIYOPKWIRG,

since (T + V ) mod 26 = O, (H + I ) mod 26 = P, (E + G) mod 26 = K, etc.


Breaking is not easy but possible (Friedrich Kasiski in 1863). Breaking is based on the observation that repetitions occur when characters of the key appear over the same characters in the ciphertext.

Example:

Plaintext  THEBOYHASTHEBALL
Keys       VIGVIGVIGVIGVIGV
Ciphertext OPKWWECIYOPKWIRG

The string OPK appears twice. The ciphertext repetitions are nine characters apart. Hence 9 is a multiple of the period, i.e. the period must be either 3 or 9. We can then use some statistical analysis to break the cipher, however it is not easy.

7. A noted computer security expert has said that without integrity, no system can provide confidentiality.

a. Do you agree? Justify your answer.

b. Can a system provide integrity without confidentiality? Again, justify your answer.

8. A cryptographer once claimed that security mechanisms other than cryptography were unnecessary because cryptography could provide any desired level of confidentiality and integrity. Ignoring availability, either justify or refute the cryptographer's claim.

9. Given the security levels TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B and C, specify what type of access (read, write, both, or neither) is allowed in each of the following situations. Assume that discretionary access controls allow anyone access unless otherwise specified.

a. Paul, cleared for (TOP SECRET, {A, C}), wants to access a document classified (SECRET, {B, C}).

b. Anna, cleared for (CONFIDENTIAL, {C}), wants to access a document classified (CONFIDENTIAL, {B}).

c. Jesse, cleared for (SECRET, {C}), wants to access a document classified (CONFIDENTIAL, {C}).

d. Sammi, cleared for (TOP SECRET, {A, C}), wants to access a document classified (CONFIDENTIAL, {A}).

e. Robin, who has no clearances (and so works at the UNCLASSIFIED level), wants to access a document classified (CONFIDENTIAL, {B}).

10. Give an example that demonstrates that the integrity level of subjects decreases in Biba’s low-water-mark policy. Under what conditions will the integrity level remain unchanged?

11. Decipher the following ciphertext, which was enciphered using the Caesar cipher: TEBKFKQEBZLROPBLCERJXKBSBKQP

Example (Vigenère Cipher)

12. Exercise 8 from page 242 of Bishop’s textbook. See below: The following message was enciphered with a Vigenère cipher. Find the key and decipher it:

SOLUTION: We begin by looking for repetitions in the ciphertext. IYO appears twice 25 spaces apart. KRG also appears twice, 20 spaces apart. LVF is also repeated 55 spaces apart. This leads us to the likelihood that the key is a common divisor of these, so (as a first guess) we take the key length to be 5. This means we should try breaking the message into 5 sequences:

TSMVM MPPCW CZUGX HPECP RFAUE IOBQW PPIMS
FXIPC TSQPK SZNUL OPACR DDPKT SLVFW ELTKR
GHIZS FNIDF ARMUE NOSKR GDIPH WSGVL EDMCM
SMWKP IYOJS TLVFA HPBJI RAQIW HLDGA IYOUX

Counting characters in each column (alphabet) yields:

Column  #1  #2  #3  #4  #5
A        1   1   2   0   2
B        0   0   2   0   0
C        1   0   0   4   1
D        1   3   1   1   0
E        2   0   1   0   2
F        2   1   0   2   1
G        2   0   1   2   0
H        3   1   0   0   1
I        3   0   5   1   1
J        0   0   0   2   0
K        0   0   0   4   1
L        0   4   0   0   2
M        1   1   3   1   2
N        1   1   1   0   0
O        1   2   2   0   0
P        0   4   2   3   2
Q        0   0   2   1   0
R        2   1   0   0   2
S        3   3   1   0   3
T        3   0   1   0   1
U        0   0   1   4   0
V        0   0   2   2   0
W        1   0   1   0   4
X        0   1   0   0   2
Y        0   2   0   0   0
Z        0   2   0   1   0

Example: Observe that the highest frequency character in column 3 ('i') seems to correspond to the letter 'a' due to the gap following it, according to the frequencies of characters on the right side of page 219 of the textbook and page 11 of these Lecture Notes. We decrypt the 3rd character, and then every 5th, according to this, and from the Vigenère tableau we guess that the 3rd character in the key is 'i'.

TSeVM MPhCW CZmGX HPwCP RFsUE IOtQW PPaMS
FXaPC TSiPK SZfUL OPsCR DDhKT SLnFW ELlKR
GHaZS FNaDF AReUE NOkKR GDaPH WSyVL EDeCM
SMoKP IYgJS TLnFA HPtJI RAiIW HLvGA IYgUX

Next we guess that column 1 does not appear shifted since the frequencies are about the same as the standard, so the first character could be 'a'.

tSeVM mPhCW cZmGX hPwCP rFsUE iOtQW pPaMS
fXaPC tSiPK sZfUL oPsCR dDhKT sLnFW eLlKR
gHaZS fNaDF aReUE nOkKR gDaPH wSyVL eDeCM
sMoKP iYgJS tLnFA hPtJI rAiIW hLvGA iYgUX

The first word may be 'the' and the frequencies of the second column fit in the right places, so assume S maps to h in the 2nd column, making the first three letters of the key: 'ali'.

theVM mehCW comGX hewCP rusUE idtQW peaMS
fmaPC thiPK sofUL oesCR dshKT sanFW ealKR
gwaZS fcaDF ageUE ndkKR gsaPH whyVL eseCM
sboKP ingJS tanFA hetJI rpiIW havGA ingUX

Now we can look for parts of words to give us a clue. 'com' could be 'come', 'thi' could be 'this', or 'hav' could be 'have'. Since the first and third of these examples use the same mapping but the second uses a different one, we first try the letter 'C' as the key for column 4 since that maps 'G' to 'e'.

thetM mehaW comeX hewaP russE idtoW peakS
fmanC thinK sofsL oesaR dshiT sandW ealiR
gwaxS fcabF agesE ndkiR gsanH whytL eseaM
sboiP inghS tandA hethI rpigW haveA ingsX

Now we can begin to read parts of the text. The second group of characters seems to be 'has'. To map the plain text s to cipher text w, we would have had to use the key letter 'e', which makes sense as we now have a full keyword: 'Alice' and we can now decrypt the full text:

theti mehas comet hewal russa idtos peako
fmany thing sofsh oesan dship sands ealin
gwaxo fcabb agesa ndkin gsand whyth eseai
sboil ingho tandw hethe rpigs havew ingst

with punctuation: The time has come the walrus said to speak of many things of shoes and ships and sealing wax of cabbages and kings and why the sea is boiling hot and whether pigs have wingst.
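The mechanical parts of the solution above (finding repeated trigrams, taking the common divisor of their distances, counting letters per column, and deciphering once the keyword is known) are shown below as an added example that is not part of the original slides. The ciphertext is copied from the 5-letter groups in the solution; the function names are illustrative.

```python
from collections import Counter
from functools import reduce
from math import gcd

# Ciphertext of the exercise, copied from the 5-letter groups shown above.
GROUPS = ("TSMVM MPPCW CZUGX HPECP RFAUE IOBQW PPIMS FXIPC TSQPK SZNUL "
          "OPACR DDPKT SLVFW ELTKR GHIZS FNIDF ARMUE NOSKR GDIPH WSGVL "
          "EDMCM SMWKP IYOJS TLVFA HPBJI RAQIW HLDGA IYOUX")
CIPHERTEXT = GROUPS.replace(" ", "")


def repeated_ngrams(text, n=3):
    """Map every n-gram that occurs more than once to the gaps between hits."""
    positions = {}
    for i in range(len(text) - n + 1):
        positions.setdefault(text[i:i + n], []).append(i)
    return {gram: [b - a for a, b in zip(pos, pos[1:])]
            for gram, pos in positions.items() if len(pos) > 1}


def likely_period(repeats):
    """Kasiski estimate: greatest common divisor of all repetition distances.

    A single coincidental repetition would drag the gcd down, so on longer
    texts the distances should be inspected before trusting this value.
    """
    distances = [d for gaps in repeats.values() for d in gaps]
    if not distances:
        raise ValueError("no repeated n-grams, period cannot be estimated")
    return reduce(gcd, distances)


def column_counts(text, period):
    """Letter counts of each of the `period` interleaved Caesar alphabets."""
    return [Counter(text[col::period]) for col in range(period)]


def vigenere_decrypt(text, key):
    """Subtract the repeating key letter by letter (upper-case ciphertext)."""
    key = key.upper()
    return "".join(
        chr((ord(ch) - ord(key[i % len(key)])) % 26 + ord("a"))
        for i, ch in enumerate(text))


if __name__ == "__main__":
    repeats = repeated_ngrams(CIPHERTEXT)
    print("repeated trigrams:", repeats)
    period = likely_period(repeats)
    print("estimated period:", period)
    for number, counts in enumerate(column_counts(CIPHERTEXT, period), 1):
        print(f"column #{number} most common:", counts.most_common(3))
    # Keyword as derived in the solution above.
    print(vigenere_decrypt(CIPHERTEXT, "ALICE"))
```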

One-Time Pad

A Vigenère cipher with a random key at least as long as the message. Proven unbreakable. Why? Look at ciphertext DXQR. Equally likely to correspond to plaintext DOIT (Key AJIY) and to DONT (key AJDY) and any other 4 letters. Warning: keys must be random, or you can attack the cipher by trying to regenerate the key. Approximations, such as using pseudo-random number generators to generate keys, are not random.

Hybrid Ciphers

We can (and often do) use more than one technique, for example use both transposition ciphers and substitution ciphers. We will show later how Vigenère cipher (substitution cipher) composed with rail-fence (transposition cipher) can be used to encrypt passwords.

Public Key Cryptography

Two keys:
PRIVATE KEY known only to individual
PUBLIC KEY available to anyone

A has private key kA and public key KA, while B has private key kB and public key KB. A message sent by A and encrypted using kA and KB practically can only be decrypted when B uses kB and KA. How is it possible? The private key k and the public key K are not random. The public key K is a function of the private key k, i.e. K = f (k) for some function f (hence KA = f (kA) and KB = f (kB)). The function f must have the property that for any K, finding f^−1(K) is practically impossible.


Conditions:

1. It must be computationally easy to encipher or decipher a message given the appropriate key.
2. It must be computationally infeasible to derive the private key from the public key.
3. It must be computationally infeasible to determine the private key from a chosen plaintext attack.

Diffie-Hellman Scheme

First proposed by James Ellis in 1970, but classified until 1997. Reinvented by W. Diffie and M. Hellman in 1976. It is based on the Discrete Logarithm Problem.

Definition (Discrete Logarithm Problem): Find k such that n = g^k mod p for given natural numbers n, g and a prime number p.

The Discrete Logarithm Problem is infeasible for big p.


Algorithm (Diffie-Hellman Protocol)

Shared Knowledge: p and g, where g ≠ 0, 1, p − 1.

Each user chooses a private key ka and computes a public key Ka = g^ka mod p. If A and B want to communicate, each enciphers the other's public key with their own private key, using the formulas:

SA,B = KB^kA mod p (used by A), and
SB,A = KA^kB mod p (used by B).

The protocol is based on the following theorem:

Theorem: SA,B = SB,A

The key SA,B = SB,A is used for communication between A and B.


The Diffie-Hellman Protocol is a symmetric protocol.

Example

Let p = 53, g = 17 and kA = 5, kB = 7. Hence

KA = g^kA mod p = 17^5 mod 53 = 40
KB = g^kB mod p = 17^7 mod 53 = 6

Now we have:

SA,B = KB^kA mod p = 6^5 mod 53 = 38
SB,A = KA^kB mod p = 40^7 mod 53 = 38

The prime number p must be large, hundreds or even thousands of bits!!!
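The exchange above, with the slide's numbers, is reproduced below as an added example (not part of the original slides), together with an exhaustive search that recovers kA from KA in this toy group to show why p must be large. The function names and the range check on the peer's public key are assumptions of this example.

```python
def check_params(p, g):
    """Enforce the slide's condition on the shared values: g != 0, 1, p - 1."""
    if g % p in (0, 1, p - 1):
        raise ValueError("g must not be 0, 1 or p - 1 (mod p)")


def public_key(p, g, private):
    """K = g^k mod p."""
    check_params(p, g)
    return pow(g, private, p)


def shared_secret(p, their_public, my_private):
    """S = K_other^k_mine mod p.

    Assumption of this example: values 0, 1 and p - 1 are refused as a peer
    public key, because they would force the secret into {0, 1, p - 1}.
    """
    if not 1 < their_public < p - 1:
        raise ValueError("degenerate public key")
    return pow(their_public, my_private, p)


def discrete_log_exhaustive(p, g, target):
    """Find k with g^k mod p == target by trying k = 1, 2, ...

    The loop runs at most p - 1 times, which is instant for p = 53 and
    hopeless for a prime of hundreds or thousands of bits.
    """
    value = 1
    for k in range(1, p):
        value = (value * g) % p
        if value == target:
            return k
    raise ValueError("target is not a power of g modulo p")


if __name__ == "__main__":
    p, g, k_a, k_b = 53, 17, 5, 7          # values from the slide
    K_a, K_b = public_key(p, g, k_a), public_key(p, g, k_b)
    print("public keys:", K_a, K_b)
    print("A computes:", shared_secret(p, K_b, k_a))
    print("B computes:", shared_secret(p, K_a, k_b))
    print("kA recovered from KA alone:", discrete_log_exhaustive(p, g, K_a))
```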

RSA Protocol

Invented by R. Rivest, A. Shamir and L. Adleman in 1978. It is based on the properties of the totient function Φ(n).

Definition: A number k is relatively prime to a number n if k has no factors in common with n.

Definition: The totient function Φ(n) is the number of positive integers less than n and relatively prime to n.

Example Φ(10) = 4, as 1, 3, 7, 9 are relatively prime to 10. Φ(21) = 12, as 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21.


Theorem If p and q are two distinct primes, then Φ(pq) = (p − 1)(q − 1).

Algorithm (RSA Protocol)

Choose two large prime numbers p and q.
Compute n = pq. Then Φ(n) = (p − 1)(q − 1).
Choose e < n such that e is relatively prime to Φ(n).
Compute d such that ed mod Φ(n) = 1.
PUBLIC KEY: (e, n)
PRIVATE KEY: d
ENCIPHER: c = m^e mod n (uses PUBLIC KEY (e, n))
DECIPHER: m = c^d mod n (uses PRIVATE KEY d)

Actual RSA primes p and q should be at least 512 bits long, giving a modulus, i.e. n = pq, of at least 1024 bits.

Example (Confidentiality)

p = 7, q = 11, n = pq = 77, Φ(n) = (p − 1)(q − 1) = 60. A chooses e = 17 (e < n and e must be relatively prime to Φ(n)), making d = 53 (ed mod Φ(n) = 1, and here 17 · 53 mod 60 = 1). B wants to send A the secret message HELLO. We assume each character in the plaintext is represented by a number between 00 (A) and 25 (Z); 26 representing blank. Hence HELLO ≡ 07 04 11 11 14.

ENCIPHER: c = m^e mod n (uses PUBLIC KEY (e, n))

07^17 mod 77 = 28
04^17 mod 77 = 16
11^17 mod 77 = 44
11^17 mod 77 = 44
14^17 mod 77 = 42

B sends 28 16 44 44 42


Example (Confidentiality - Continuation)

B sends 28 16 44 44 42. A receives 28 16 44 44 42. A uses private key: d = 53.

DECIPHER: m = c^d mod n (uses PRIVATE KEY d)

28^53 mod 77 = 07 → H
16^53 mod 77 = 04 → E
44^53 mod 77 = 11 → L
44^53 mod 77 = 11 → L
42^53 mod 77 = 14 → O

No one else could read it, as only A knows her private key and that is needed for decryption. However, A cannot be sure if it was B who sent it!

Example (Confidentiality & Authentication)

p = 7, q = 11, n = pq = 77, Φ(n) = (p − 1)(q − 1) = 60. A chooses e = 17, making d = 53. B chooses e = 37, making d = 13. A wants to send B the secret message HELLO in confidence and authenticated.

ENCIPHER: c = (m^dA mod n)^eB mod n (it uses PUBLIC KEY (eB, n) and PRIVATE KEY dA).

HELLO ≡ 07 04 11 11 14

(07^53 mod 77)^37 mod 77 = 07
(04^53 mod 77)^37 mod 77 = 37
(11^53 mod 77)^37 mod 77 = 44
(11^53 mod 77)^37 mod 77 = 44
(14^53 mod 77)^37 mod 77 = 14

B receives 07 37 44 44 14


Example (Confidentiality & Authentication - Continuation)

B receives 07 37 44 44 14

DECIPHER: m = (c^dB mod n)^eA mod n (it uses PUBLIC KEY (eA, n) and PRIVATE KEY dB).

(07^13 mod 77)^17 mod 77 = 07 → H
(37^13 mod 77)^17 mod 77 = 04 → E
(44^13 mod 77)^17 mod 77 = 11 → L
(44^13 mod 77)^17 mod 77 = 11 → L
(14^13 mod 77)^17 mod 77 = 14 → O

Cryptographic Checksums - Motivation

Alice wants to send Bob a message of n bits, and she wants Bob to be able to verify that the message he receives is the same one that was sent. Alice applies a checksum function to generate a much smaller set of k bits (called the checksum or message digest) from the original n bits. Alice then sends Bob both the message and the checksum. When Bob gets the message, he recomputes the checksum and compares it with the one Alice sent. If they match, Bob assumes that the message has not been changed. Every transmission of data is subject to some errors. The longer the message, the greater the probability of error. Hence a k-long checksum is more reliable than an n-long message.

Cryptographic Checksums

Example (Parity Bit): The parity bit is a single-bit checksum.

Odd Parity: the sum of the 1-bits in the character or number representation and the parity bit is odd.

In ASCII: A → 0111101, hence p0111101 = 00111101, where p is the parity bit (and p = 0 in this case). The message 00111101 means A and a confirmation that the message has arrived unchanged.


Definition (Cryptographic Checksum Function): A cryptographic checksum function (or strong hash function) h : A → B is a function that has the following properties.

1. For any x ∈ A, h(x) is easy to compute.
2. For any y ∈ B, it is computationally infeasible to find x ∈ A such that h(x) = y.
3. Given any x ∈ A, it is computationally infeasible to find another x′ ∈ A such that x ≠ x′ and h(x′) = h(x).

Checksums are mainly used to detect transmission errors. However they can also indicate attacks during transmissions.
