06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 29 September, 2009 Handout 0 General Information

Staff Dr Volker Sorge Teaching Assistant Office: 207 Ms Katrina Samperi Tel: 43746 Office: 117 Email: [email protected] Tel: 43707 Office hours: Tuesdays, 3–4pm Email: [email protected] URL: www.cs.bham.ac.uk/∼vxs URL: www.cs.bham.ac.uk/∼kxs401

Lectures Tuesdays, 2pm–3pm, Watson LTC (Building R15 on the Campus Map) Friday, 11am–12pm, Gisbert Kapp LT1 (Building G8 on the Campus Map)

Exercises Friday, 3pm–4pm, Sport & Exercise Science LT3, (Building Y14 on the Campus Map) There will be no exercise class in the first week of term!

Handouts ... will be provided (normally) on a weekly basis. Sources for all handouts (in PS and PDF format) will be kept on the webpage. Spare copies are kept in the School Library. The handouts will come in three parts: General lecture notes, Mathematical topics, and a Glossary. The latter two are intended for looking things up when going through the lecture notes.

Assessment ... is in two parts: Exam: 80% of your course mark will be determined by a 1.5-hour examination in May (or early June). Continuous Assessment:20% of the mark is determined by continuous assessment. Most handouts will contain an exercise section together with a deadline for handing in the solutions (usually every week). Each exercise is worth a certain number of points. The total number of points throughout the term will add up to 120% of marks. However, maximally 100% of marks can be counted for he assessment mark, and every mark above 100% will be capped at 100%. Homework must be handed in through one of the departmental pigeon holes on the Ground Floor (next to the General Office) by the given deadline. Late submissions will not be accepted because I will provide model answers to all exercises. Exercises are of a style similar to those appearing in the May examination and they will be discussed in the exercise classes. However, I will throw in the occasional programming exercise. Programming exercises can be done in a programming language of your choice, provided that it is available under Linux on the School computers. Solutions to programming exercises consist of the (commented) code, brief instructions how to run it, and solutions to the questions posed in the exercises. Instructions how exactly to hand in programming exercises will be given later.

1 Policy on plagiarism: As preparation for the May exam I recommend that you attempt the exercises individually, but you may still find it helpful to discuss the assignments with others. In any case, work submitted must be formulated by yourself. If I find evidence of plagiarism then I will award zero marks, irrespective of whether you copied from others or whether your work was copied by others. More serious cases will be dealt with according to the School’s policy on plagiarism, a copy of which is kept at http: //www.cs.bham.ac.uk/resources/studentinfo/plagiarism.htm

Anonymous marking and Data Protection Act: We are required to mark anonymously wherever possible. There is no reason why I should not follow this rule for the exercises in this course. Please note, however, that this means that you always have to write your registration number on your submitted work. Since lecturing staff are not allowed to see lists which contain both name and registration number of students I cannot infer your registration number from your name. Scripts which do not contain the registration number will have to be ignored. Scripts with both registration number and name can not be returned!

Resits There is one resit opportunity for this course in September 2008 for students that are eligible. Please consult http://www.cs.bham.ac.uk/internal/modules/resit.html for eligibility cri- teria.

Textbooks It is not necessary for you to buy a textbook for this course as the handouts should be sufficiently detailed for revision and self-study. Some students, however, do like to see the material explained by another au- thor and this can help to understand the more difficult parts. You can examine some of these textbooks in the Central Library and the School Library.

Texts accompanying the lecture: Fergueson, Schneier: Practical Cryptography. John Wiley & Sons, 2003. Schneier: Applied Cryptography. John Wiley & Sons, 1996. Second edition. Menezes, Oorschot, Vanstone: Handbook of Applied Cryptography, CRC Press, 1996. http://www.cacr.math.uwaterloo.ca/hac/ Smart: Cryptography: An Introduction. McGraw Hill, 2003. [The book is no longer in print, but you can download a newer edition at: http://www.cs.bris.ac.uk/∼nigel/Crypto Book/book.ps]

A book on programming: Hook: Beginning Cryptography with Java. John Wiley & Sons, 2005.

Some more advanced, mathematical material: Catalano, Cramer, Damgard, diCrescenzo, Pointcheval, Takagi: Contemporary Cryptology. Springer, 2005.

Web page There is additional information about the syllabus and textbooks on the web page at http://www.cs.bham.ac.uk/∼vxs/teaching/crypt/

2 Tentative Syllabus • Overview on Historical Ciphers

• Symmetric Ciphers

– Block Ciphers ∗ DES (Feistel) ∗ AES (RIJNDAEL) ∗ Cryptomeria, AACS – Stream Ciphers ∗ Pseudo-random generators/functions ∗ LFSR ∗ RC4, CSS – Key Exchange and Management ∗ Diffie-Hellman-Merkle, Needham-Schroeder – Cryptographic Hash Functions ∗ Merkle-Damg˚ard ∗ MD4, MD5, SHA-1 – Message Authetication Codes

• Asymmetric Ciphers

– Public Key Cryptography – ElGamal, Cramer Shoup – Diffie-Hellman, RSA

• Digital Signatures

– Schnorr Signatures, DSA

• Certificates

– VeriSign, PGP

• Commitment Schemes, Zero Knowledge Proofs

• Quantum Cryptography (A guest lecture by Iain Styles)

Some of the Mathematical topics we will touch on:

• Permutations

• Modular Arithmetic and Residue Classes

• Finite Fields

• Matrix Arithmetic

• Discrete Logarithm and Subgroups

• Arithmetic Modulo a Composite ;

3 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 29 September, 2009 Handout 1 Summary of this handout: Overview of historical cryptographic techniques — Definition of some im- portant cryptographic concepts — Math: Permutations and Residue Classes

I. Historical Overview

1. Secret Writing Communicating secretly in writing is probably as old as writing itself. Already the Egyptians are known to have included secret hieroglyphs in their writing. In ancient times secret writing has mainly been used for religious purposes and mysticism. In the classical antiquity are the first accounts of secret writing being used for military purposes by the ancient Greeks. From there on the ability to secretly pass messages was a major factor for military and diplomatic communication. It is therefore little surprising that many of the techniques for secret communication known today have been developed by government agencies and often only made known to the public long after their invention. Since the ancient Greeks many methods of exchanging secret messages have been developed (and successfully broken). This handout gives an overview over some of the historical techniques and also introduces some basic and simple mathematical concepts used. The Science of Secret Writing can be roughly divided into the following branches:

Steganography Code Secret Writing Substitution Cryptography Cipher Transposition

2. Hiding Messages The best form of sending a secret message is by concealing that a message has been sent. The study of how to effectively hide messages such that only the intended receiver can find them is called Steganog- raphy. Traditionally secret messages used to be hidden physically, for instance by using invisible ink, or within unobtrusive communications. Nowadays there are many more ways of sending concealed mes- sages, for instance by hiding them in unsuspicious file formats, such as pictures or sound files, or in propaganda videos. In this course we will be not concerned with techniques to hide messages but only with hiding the information contained in a message. 3. Scrambling Messages In many situations it is obvious that messages are sent. For instance, it is clear that during a phone conversation some information is communicated, thus “hiding the message” is essentially impossible. To guard against interception or eavesdropping, messages can be scrambled in a way that they only make sense to the receiver but not to an uninitiated eavesdropper. The scientific study of scrambling messages is the mathematical discipline of Cryptography. In this handout I will give a short overview over some historical cryptographic techniques and their underlying mathematics. 4. Cryptography can be divided into two main branches: Transposition techniques encrypt messages by permuting the components of a message within itself.

Substitution techniques encrypt messages by replacing the components of a message. There are two main branches for substitution techniques:

4 Codes are algorithms that substitute entire words or phrases of a message, i.e. they work on a level of meaning. Ciphers are algorithms that substitute the single letters or characters of a message, i.e. they work on a level of individual letters, small groups of letters, or individual bits.

5. Some basic definitions Let’s first define some more concepts that will be useful throughout the lecture.

Encrypt The process of scrambling a message.

Decrypt The process of unscrambling a message.

Encode The process of encrypting a message with respect to some code.

Decode The process of decrypting a message with respect to some code.

Encipher The process of encrypting a message with respect to some cipher.

Decipher The process of decrypting a message with respect to some cipher.

Plaintext A message before it is encrypted.

Codetext An encoded message. Since we will concentrate on ciphers in this lecture we will rarely use this term.

Ciphertext An enciphered message.

Cryptography The science of keeping messages secure.

Cryptographer A practitioner of cryptography.

Cryptanalysis The science of breaking ciphertexts. While we will mainly concentrate on cryptography in this course I will also discuss some cryptanalytic techniques.

Cryptanalyst A practitioner of cryptanalysis.

Cryptology The branch of mathematics encompassing both cryptography and cryptanalysis

Cryptologist A practitioner of cryptology.

6. Sending Secret Messages We can describe the process of sending encrypted messages with the following schematic view:

Plaintext Encryption Cipher-/Codetext Decryption Orig. Plaintext

From a practical point of view, codes are relatively useless as they require far too much overhead to be effective. In theory, one would have to design an entire dictionary of code words before commencing communication. Obviously, this makes it not only difficult to work with a code, but also insecure as a code book can not easily be hidden or memorised, as well as very costly to change a code. While codes have a certain usefulness for ad hoc communication, they are not relevant for the type of efficient cryptography we are interested in. With ciphers on the other hand one only has to know how to encipher and decipher the basic set of symbols, for example the 26 letters of the alphabet. Therefore, ciphers are far easier to apply, to keep secret and to change in order to guarantee prolonged secure communication. In this lecture we will therefore discuss cryptographic methods based on ciphers and will start with a look at some of the classical ciphers.

5 I.1 Transposition Ciphers The basic idea of a transposition cipher is to scramble a message by transposing the single letters of a message in a particular order that is only known to the sender and receiver. Transposition ciphers are the oldest form of enciphering messages. They can be traced back to the ancient Egyptians where they were mainly used for religious purposes. The order of hieroglyphs of single words would be changed probably for mystical purposes. Similarly the Jewish mystics used temurah to rearrange words and sentences to find hidden meanings in the Bible. 7. Rail Fence Cipher The first known military use of a transposition cipher was by the Spartans. They invented the rail fence cipher to send messages between troops. We write the plain text message in columns of a particular height and then compose the ciphertext from the resulting rows. To decipher we divide the length of the overall message by the height of the columns and break the ciphertext into rows whose length corresponds to the quotient. Writing the rows again one upon the other, we can read off the original plaintext. Example: We take the plaintext: When shall we three meet again in thunder lightning or in rain We then write it as a rail fence of height 5: WHEEAINIIIN HATMGNDGNNE ELHEATEHGRU NLREIHRTOAK SWETNULNRIE

Observe that the original message had 51 characters. In order to complete the rail fence I added four nonsense characters. These characters are meaningless and can be discarded after deciphering. We call meaningless characters added to the ciphertext nulls. Reading off row by row gives the following ciphertext: WHEEAINIIINHATMGNDGNNEELHEAREHGRUNLREIHRTOAKSWETNUL NRIE In order to decrypt the message the receiver, who knows the height of the rail fence, divides the length of the message by the height and thus gets the length of the single rows. In our case we get 55/5 = 11: WHEEAINIIINHATMGNDGNNEELHEAREHGRUNLREIHRTOAKSWETNULNRIE Adding nulls is not strictly necessary, we could have just combined the rows of different lengths and nevertheless could have decrypted the message without problems. In fact not adding nulls can make the work for a cryptanalyst more difficult. But in either case the rail fence cipher is very easy to break as we only have to test all possible divisors up to half the length of the text. 8. Permutation Cipher We can obtain a more elaborate cipher by transposing the characters in the plaintext in a less regular fashion using permutations. Suppose we take a permutation s ∈ Sn, we then divide the plaintext into chunks of length n and permute the letters in each chunk according to our chosen s, which results in the −1 ciphertext. To decipher the text we simply take the inverse of s, s ∈ Sn and apply it to the ciphertext divided into chunks of length n. 123456 Example: We take s = = (1 2 3)(5 6) ∈ S as permutation. 231465 6 We divide our plaintext from above into chunks of length 6. WHENSHALLWETHREEMEETAGAININTHUNDERLIGHTNINGORINRAINEUK Applying the permutation yields EWHNHSLALWTEEHREEMAETGIANNITUHENDRILTGHNNIRGOIRNNAIEKU and thus the ciphertext EWHNHSLALWTEEHREEMAETGIANNITUHENDRILTGHNNIRGOIRNNAIEKU In order to decrypt the message we use the inverse of s, which is (1 3 2)(5 6).

6 I.2 Substitution Ciphers A substitution cipher is a method to replace units of the plaintext with parts of the ciphertext. Substitution ciphers are nearly as old as transposition ciphers. One of the earliest examples is the Atbash, used in Jewish mysticism, a cipher that substitutes the first letter of the Hebrew alphabet with the last, the second letter with the one before last, and so on. For simplicity, we will for now assume that the units of our plaintext are always the 26 letters of the alphabet only, without spaces, punctuation, etc. 9. Shift Cipher and Caesar’s Cipher The oldest form of substitution ciphers is the shift cipher. Its idea is to shift every letter in the message by a set number of places in the alphabet. For example a shift cipher with a shift of 1 simply replaces every letter by its successor and Z by A. More mathematically, if we enumerate all letters of the alphabet from 0 to 25 then we can express the shift cipher as an operation in modular arithmetic as c ≡ p + s(mod 26), where p is the plaintext letter, s is the shift, and c is the enciphered letter. Decryption can be performed similarly with the reverse operation: p ≡ c − s(mod 26). Julius Caesar used this Cipher with a fixed shift of s = 3, which is nowadays known as Caesar Cipher. Since there are only 26 possible shift ciphers they make for very weak security. 10. Using Keys Obviously all the ciphers we have encountered so far are relatively easy to break. In fact their security hinges on the fact that a potential cryptanalyst does not know the method of encryption, i.e. the particular rail fence or shift, etc. Once broken the encryption method has to be changed. An invention that avoided having to come up constantly with new encryption techniques, was the intro- duction of keys into cryptography. A key is some auxiliary information that is used to vary the encryption procedure and its knowledge is crucial to successfully decrypt a message. The advantage of using a key is, that even if the algorithm for encryption is known, a cryptanalyst can nevertheless not decrypt the message without knowing the key. One additional complication is that sender and intended receiver have to agree on a common, secret key and have to exchange this key at some point before the actual communication. The secret communication would then look something like this.

Key Key Encryption Ciphertext Decryption Plaintext Plaintext

11. Monoalphabetic Substitution Ciphers Instead of just shifting the letters of the alphabet we can define a substitution by explicitly assigning each plaintext letter a corresponding cipher letter. In other words we define a substitution by giving a mapping from a plaintext-alphabet (i.e., the normal 26 letters) to a cipher-alphabet. This mapping could be arbitrary, giving us 26! ≈ 286 different ways of encrypting a message. However, in order to make it easier to memorise the cipher-alphabet one generally constructs it by:

1. choosing a keyword,

2. removing all duplicate letters from the keyword

3. start the cipher-alphabet with the letters from duplicate-free keyword

4. at the end of the codeword continue with the next unused letter of the alphabet that follows the last letter in the codeword

5. continue filling in letters in alphabetical order leaving out those letters already used; if necessary, start from the beginning of the alphabet again similar to a shift cipher

7 Example: Taking my own name as keyword, I can construct the following substitution cipher: Plaintext-alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher-alphabet: VOLKERSGHIJMNPQTUWXYZABCDF A monoalphabetic substitution cipher can be expressed as a single permutation on the letters of the alphabet or the first 26 integers. I.e. the cipher is essentially equivalent to some permutation s ∈ S26. In our example we get:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 = 22 23 24 25 5 26 8 9 10 11 4 3 12 13 2 14 15 6 7 16 17 1 18 19 20 21   (1 22)(2 23 18 6 26 21 17 15)(3 24 19 7 8 9 10 11 4 25 20 16 14 13 12)(5) ∈ S26 We now want to encrypt the message Attack at dawn. Plaintext: ATTACKATDAWN Ciphertext: VYYVLJVYKVBP One weakness of the chosen key is that the letter E encoded by itself. While this does not have much effect in the message above, if we consider the Ciphertext: BENEEYVYYGWEE it is quite obvious that the plaintext means We meet at three. 12. Breaking Monoalphabetic Substitution Ciphers Apart from the obvious weakness when letters are replaced by themselves, monoalphabetic ciphers suffer from the problem that the encryption does not disguise the structure of the text or words. This fact was first exploited by an Arab Theologian al-Kind¯ıin the ninth century. He discovered a technique known as frequency analysis, at statistical method to analyse texts with respect to the frequency of occurrences of the different letters of the alphabet. Each language has a characteristic distribution of occurrences of the letters. For instance for the English an approximate table is: Letter Percentage Letter Percentage Letter Percentage Letter Percentage Letter Percentage a 8.2 f 2.2 k 0.8 p 1.9 u 2.8 b 1.5 g 2.0 l 4.0 q 0.1 v 1.0 c 2.8 h 6.1 m 2.4 r 6.0 w 2.4 d 4.3 i 7.0 n 6.7 s 6.3 x 0.2 e 12.7 j 0.2 o 7.5 t 9.1 y 2.0 z 0.1 Cryptanalysis can exploit this fact by compiling the occurrence percentages of the letters in the ciphertext and then comparing them with the frequency table. One then starts to guess the decryption of the letters, first by inserting those with the most frequent occurrence, i.e., e,a,t, and so on. 13. Homophonic Substitution Ciphers One way of tricking frequency analysis was by introducing nulls or null ciphers and giving frequently occurring letters more than one possible encryption. I.e. we can give each letter in the alphabet a number of different symbols they can be encoded with that would balance their actual frequency of occurrence, for instance we give E seven counterparts in the cipher-alphabet, but Z only one. This means, of course, that the cipher-alphabet now has to contain more symbols than the plaintext-alphabet. While this makes frequency analysis more difficult, it does not make it impossible. 14. Vigenere` Cipher An answer to attacks by frequency analysis was the use of several cipher-alphabets, so called polyal- phabetic substitution ciphers. The idea is that during the encryption one changes cipher-alphabets in a certain order thereby encoding the same letter according to different ciphers and thus hiding their fre- quency. One polyalphabetic cipher that was considered unbreakable for a very long time is the Vigenere` Cipher (which was already invented in the 16th century by the Italian Belaso but later reinvented and attributed to Vigen`ere). It’s idea is based on 26 cipher-alphabets that represent all possible shift ciphers. They are compiled in a square (see below). A keyword is then used to decide which particular alphabet is used to encipher a particular letter. Each letter in the keyword defines a different cipher-alphabet, depending on its place in the alphabet, e.g. the letter A defines the first cipher-alphabet, B the second and so on. We can easily

8 read off the cipher-alphabet determined by the letters of the keyword by looking at the first letter of the cipher-alphabet in the Vigen´ere square. Example: If we use the keyword MACBETH then M determines the 13th alphabet. Using the keyword we encipher our message by writing the keyword over the message as often as necessary and then for each letter reading of the corresponding cipher in the square. Thus W is enciphered with row 13 into I, H with row 1 into H, etc. Key: MACBETHMACBETHMACBETHMACBETHMACBETHMACBETHMACBETHMA Plain: WHENSHALLWETHREEMEETAGAININTHUNDERLIGHTNINGORINRAIN Cipher: IHGOWAHXLYFXAYQEOFIMHSAKOMGATUPEIKSUGJVRBUSOTJRKHUN

Plain ABCDEFGHIJKLMNOPQRSTUVWXYZ Shift 1 ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 2 BCDEFGHIJKLMNOPQRSTUVWXYZA 1 3 CDEFGHIJKLMNOPQRSTUVWXYZAB 2 4 DEFGHIJKLMNOPQRSTUVWXYZABC 3 5 EFGHIJKLMNOPQRSTUVWXYZABCD 4 6 FGHIJKLMNOPQRSTUVWXYZABCDE 5 7 GHIJKLMNOPQRSTUVWXYZABCDEF 6 8 HIJKLMNOPQRSTUVWXYZABCDEFG 7 9 IJKLMNOPQRSTUVWXYZABCDEFGH 8 10 JKLMNOPQRSTUVWXYZABCDEFGHI 9 11 KLMNOPQRSTUVWXYZABCDEFGHIJ 10 12 LMNOPQRSTUVWXYZABCDEFGHIJK 11 13 MNOPQRSTUVWXYZABCDEFGHIJKL 12 14 NOPQRSTUVWXYZABCDEFGHIJKLM 13 15 OPQRSTUVWXYZABCDEFGHIJKLMN 14 16 PQRSTUVWXYZABCDEFGHIJKLMNO 15 17 QRSTUVWXYZABCDEFGHIJKLMNOP 16 18 RSTUVWXYZABCDEFGHIJKLMNOPQ 17 19 STUVWXYZABCDEFGHIJKLMNOPQR 18 20 TUVWXYZABCDEFGHIJKLMNOPQRS 19 21 UVWXYZABCDEFGHIJKLMNOPQRST 20 22 VWXYZABCDEFGHIJKLMNOPQRSTU 21 23 WXYZABCDEFGHIJKLMNOPQRSTUV 22 24 XYZABCDEFGHIJKLMNOPQRSTUVW 23 25 YZABCDEFGHIJKLMNOPQRSTUVWX 24 26 ZABCDEFGHIJKLMNOPQRSTUVWXY 25

We can regard the Vigen`ere cipher also algebraically in modular arithmetic. If we again enumerate the letters A–Z with the numbers 0–25, we can directly compute the numerical value of the letter in the ciphertext from the value of the plaintext letter plus the shift determined by the numerical value of the respective letter in the keyword. The right-most column of the above Vigen`ere square gives all the shift th values explicitly. Formally we can compute the i letter of the ciphertext ci as

ci ≡ pi + si(mod 26),

th th where pi represents the i plaintext letter and si the i letter in the repeated key. Similarly we can express decryption as pi ≡ ci − si(mod 26). Example: When enciphering W (which corrsponds to letter number 22) wrt. the key M (number 12), we get 22 + 12 ≡ 8(mod 26), which corresponds to I. For an abbreviated version of our example text (When shall we three meet again) we get the following equations in Z26: Key: 1202 1 419712 0 21 419 7120 214197120 2 1 Plain: 22 7 4 13 18 7 0 11 11 22 4 19 7 17 4 4 12 4 4 19 0 6 0 8 13 Cipher: 8 7 6 14 22 0 7 23 11 24 5 23 0 24 16 4 14 5 8 12 7 18 0 10 14

9 15. Breaking Vigenere` The Vigen`ere cipher is similar to the homophonic substitution ciphers in that both can encipher the same letter in different ways. The advantage of the Vigen`ere cipher is, however, that it can also encipher different letters into the same letter and therefore does not need a larger cipher-alphabet. This fact makes it also invulnerable to straight-forward frequency analysis. The Vigen`ere cipher was nevertheless broken by Friedrich Kasiski in 1863 (but very likely already by Charles Babbage in 1854). The idea is to first find out the length of the keyword. This is done by determining all repeated sequences of letters of length at least four in the ciphertext. Then we count for each such sequence after how many letters it is repeated. Comparing these numbers we usually narrow down the possible key length to only one or two candidates. Once the (likely) length of the key is determined we can use ordinary frequency analysis separately on all the letters of the message encrypted with the same cipher-alphabet. 16. Rotor Machines At the beginning of the twentieth century encryption was mechanised. Particularly successful were so called rotor machines of which Enigma and Lorenz, two machines used by the Germans during WWII, are examples. The Enigma was originally a commercial encryption machine that was later adopted by the military. The basic machine comprises the following main elements: A keyboard with letters from A to Z, a plug board, three rotors and a reflector. In a first step, the letters from the keyboard are substituted using the plug board with a substitution cipher. In the next step, the electric signal passes the three rotors, each of which applies a fixed substitution to the letters. If these rotors were static, this step would yield nothing than a substitution cipher again. However, after encrypting one letter, the rightmost rotor advances one step. After one full turn the middle rotor advances as well, and after one full turn of the middle rotor the leftmost rotor advances as well. Thus each letter is treated with a different substitution. After passing the three rotors the signal enters the reflector. It reflects the signal, applying one more permutations, then passing all three rotors in opposite direction, passing the plug board one more time, and then reaching the lamps. The reflector was invented to simplify decryption: The same setting can be used to decrypt the message. Thus the key for the Enigma consisted of the order and setting of the three rotors and the plug board configuration. The Enigma was successfully broken during the second world war at Bletchley Park exploiting weak- nesses such as that with the reflector, a letter is never encrypted to the same letter, as the three rotors perform a substitution and the reflector cannot ”reflect” the signal back the same path through the rotors, as no electric circuit would be established then. Breaking the Enigma and Lorenz ciphers also initiated the development of modern day computers. 17. One Time Pad One of the weaknesses why Enigma could be successfully broken, was that keys were reused. For example, the day key had to be used in all communications of a particular day in order to establish the message key and therefore the first six letters of all intercepted messages where encrypted with the same key. However, already during the first world war a absolute secure way of encrypting messages was developed. It depends on three factors: Firstly, the key has to be as long as the message to encrypt. Secondly, there should be no repetition or obvious pattern in the key,i.e., it should be a random combination of letters. And thirdly, the key should never be reused. The cipher is called the One Time Pad and while this guarantees security it is impractical in most sit- uations. Not only is the key size and distribution a major problem and moreover it is very difficult to produce proper random keys in the necessary quantity. This is a problem we will get back to later in this term. Nevertheless, One Time Pads have been employed, for instance, to encrypt the telephone line between Washington and Moscow during the cold war.

10 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 29 September, 2009

Exercise Sheet 1

Submit via the correct pigeon hole before 9 October, 11am.

1. Encrypt the following Winston Churchill quote with a rail fence cipher of height 8 (ignore spaces and punctuation):

However beautiful the strategy, you should occasionally look at the results.

4

2. The following text is enciphered with a monoalphabetic substitution cipher. Decrypt it using fre- quency analysis. What was the keyword? YLTMJNOEBRMIPSNPNSVENMLRXTHRJJTMUJNPPCITRIRMIVLT YLEVTGMEOLVEUVRJGEMOARBGYRSIURMIVLTSTIQWTTM'U ``NHH YEVL LTS LTRI!'' STKTKATS YLRV VLT INSKNWUT UREI. (I’ve retained spaces and punctuation to make it easier!) 6

3. Carry out the following computations on residue classes:

(a) [7]11 + [8]11 (c) [7]11 ∗ [8]11

(b) [6]12 − [11]12 (d) [6]12 ∗ [11]12 1+1+1+1

4. (a) Carry out the following muliplication on permutations: (1 6)(4 3 2) ∗ (2 1)(5 4) (b) Compute the inverse of the following permutation: (1 2 5 4)(3 8 6) (c) Apply the permutation (1 2 7)(5 4)(6 3) to the list of letters ABCDEFG . 1+1+1

5. Let a, b, n ∈ Z with a ≡ b(mod n). Show that for every m ∈ Z,m ≥ 1 the following holds:

am ≡ bm(mod n)

5

11 11 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 9 October, 2009

Solutions for Exercise Sheet 1

1. The rail fence looks like this:

HETEOSLE OAHGUIOR WUEYLOOE ETSYDNKS VITOOAAU EFRUCLTL RUASCLTT BLTHAYHS

The resulting ciphertext is therefore: HETEOSLEOAHGUIORWUEYLOOEETSYDNKSVITOOAAUEFRUCLTLRUASCLTTBLTHAYHS

2. We first count the occurrences of every single characters and compile a table of percentages: A 2 1.50 F 0 0.00 K 3 2.26 P 4 3.01 U 6 4.51 B 2 1.50 G 3 2.26 L 11 8.27 Q 1 0.75 V 9 6.77 C 1 0.75 H 3 2.26 M 9 6.77 R 12 9.02 W 2 1.50 D 0 0.00 I 10 7.52 N 8 6.02 S 8 6.02 X 1 0.75 E 8 6.02 J 5 3.76 O 3 2.26 T 17 12.78 Y 5 3.76 Z 0 0.00 We first observe that the letter T has the highest frequency in the ciphertext. We therefore map it to the letter E in the plaintext. The set of next most frequent letters is {R,L,I,M,V}, which conveniently all appear in the three letter words RMI and VLT. VLT can be mapped to the and R as the letter with the next highest frequence can then be mapped to a. Some further testing should eventually yield the proper translation and the resulting plaintext is then:

When logic and proportion Have fallen sloppy dead And the White Knight is talking backwards And the Red Queen’s “off with her head!” Remember what the dormouse said.

We can therefore identify the following cipher-alphabet. Plaintext-alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher-alphabet: RABITHOLEFGJKMNPQSUVWXYZCD The keyword is therefore RABBIT HOLE.

3. (a) [7]11 + [8]11 = [4]11 (c) [7]11 ∗ [8]11 = [1]11

(b) [6]12 − [11]12 = [7]12 (d) [6]12 ∗ [11]12 = [6]12 4. (a) (1 6 2 5 4 3) (b) (1 4 5 2)(3 6 8)

(c) GAFEDCB

a 5. Conjecture: Let a, b, n ∈ Z with a ≡ b(mod n). Then for every m ∈ Z,m ≥ 1:

am ≡ bm(mod n)

There are two ways to show this:

(a) Firstly, we can exploit the binomial formula

m m − (x + y)m = xm iyi. (1) i i X=0   Proof. With a ≡ b(mod n) follows that there exists a k ∈ Z such that a = kn + b. Using equation (1) we get

m m − am = (kn + b)m = (kn)m ibi = i i X=0   m m − m = (kn)mb0 + . . . + (kn)1bm 1 + (kn)0bm (2) 0 m − 1 m       Clearly in (2) only the last summand does not contain the factor n. Therefore we can sim- plify (2) to − (kn)m + . . . + mknbm 1 + bm ≡ bm(mod n).

(b) Secondly, we can proof the conjecture with an induction on m.

Proof. We have that a ≡ b(mod n) and therefore there exists a k ∈ Z such that a = kn + b. Base case m = 1: a ≡ b(mod n) holds by assumption. Induction hypotheses: We assume that for all 1 ≤ r ≤ m − 1 holds:

ar ≡ br(mod n)

Step case m − 1 7→ m: We then have

− − am = a am 1 = (kn + b)am 1 − − = kn am 1 + b am 1 (3)

Here the first summand in (3) contains the factor n and therefore vanishes modulo n. On the second factor we can apply our induction hypothesis am−1 ≡ bm−1(mod n). Therefore we can simplify (3) to

− − − kn am 1 + b am 1 ≡ b bm 1 = bm(mod n).

b 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 29 September, 2009

Mathematics 1 – Permutations

The concept of a permutation expresses the idea that discreet, distinguishable objects may be arranged in various different orders. Consider, for instance, the integers from one to three, and all possible lists of the numbers without repetition. There are altogether six: (1, 2, 3) (1, 3, 2) (2, 1, 3) (2, 3, 1) (3, 1, 2) (3, 2, 1). A permutation describes the rearrangement of the elements of an ordered list into a one-to- one correspondence of itself. For example, we can describe how we get (3, 1, 2) from (1, 2, 3) by a 1 2 3 permutation s = , which essentially describes that 1 moves to the place where 2 was, 2 to 2 3 1 the place of 3, and3 back to the place of 1. As abbreviation we use a linear notation, so called cycles. For example we can write s as (1 2 3), which expresses 1 7→ 2, 2 7→ 3, 3 7→ 1. The notation is cyclic in the sense, that (1 2 3) = (2 3 1) = (3 1 2). We normally start with the smallest element of the list. 123456 As another example consider t = = (1 2 3)(5 6). Observe that we omit the 231465 elements of the permutation that are not changed, e.g. 4, when denoting the cycles. Observe also that the cycles of a permutation are always disjoint and duplicate free. We denote the identity permutation, i.e. the permutation that does not change the order of the list at all, by (1). The set of all possible permutations of a list of size n is denoted by Sn and is of size n!. We call Sn the symmetric group of order n. In our above examples we had s ∈ S3 and t ∈ S6; S3 contains 6 elements and S6 has 720 elements. Applying Permutations We can use permutations to express rearranging lists of other discreet objects. We simply enumerate the positions of the list and rearrange the objects according to their positions. For instance we can permute the list of letters A B C D according to s = (1 2 4) ∈ S4 to get D A C B, i.e., the letter at position 1 is moved to position 2, which in turn is moved to position 4, etc. Conversely we can express the rearranging of any list of discreet objects as a permutation. If we have three mugs, a blue, a yellow, and a white one, that have originally the order B Y W and are rearranged to Y W B, then we first enumerate the single positions in the list. That is, B is at position 1, Y at 2, and W at 3. Then rearrangement corresponds to B being moved from position 1 to position 3, W from 3 to 2, and Y from 2 to 1. This can be easily expressed as the cycle (1 3 2). Multiplying Permutations Permutations are one-to-one mappings between lists of objects. We can therefore define an operation between two permutations by composing the mappings. We will call the operation multiplication be- tween permutations, but observe that it has nothing to do with multiplication on numbers (or vectors or matrices)! Instead the result of multiplying two permutations s ∗ t is determined by the result of applying first s and then t. For example, take s,t ∈ S3 with s = (1 2 3), t = (1 2). s ∗ t is then determined by 1 7→ 2 7→ 1, 2 7→ 3 7→ 3 (as there is no mapping specified for 3 in t and therefore it remains identical), 3 7→ 1 7→ 2. In other words 1 is mapped onto itself, 2 onto 3, and 3 onto 2, which results in the cycle (2 3). We can also determine this again by the more extensive matrix notation from above. Starting with the two separate permutations we can combine them into one matrix with three rows where the second row corresponds to the application of s and the third row to the application of t. I have shaded the columns below that represent the mapping for 1 by s and t. Obviously we can again collapse the three row form into the first and last row only and read off the result of multiplying s with t.

1 2 3 1 2 3 1 2 3 1 2 3 s ∗ t = ∗ = 2 3 1 = = (2 3)∈S 2 3 1 2 1 3   1 3 2 3     1 3 2     i Let’s have another look at an example from S6:

123456 s ∗ t = (1 2 3)(5 6) ∗ (1 4)(3 5) = 231465 = (1 2 5 6 3 4) ∈ S   6 254163   Observe that, in this example, permutation t leaves 2 and 6 unchanged. Note that multiplication on permutations is generally not commutative, i.e. the order does matter! For example, (1 4)(3 5) ∗ (1 2 3)(5 6) = (1 4 2 3 6 5). Inverses The inverse of a permutation s is that permutation that undoes the operation of s and results in the original ordered list. That is, applying first s and then its inverse to a list returns the original list, or, in other words, multiplying s and its inverse gives the identity permutation. We denote the inverse of s by s−1, and say that s ∗ s−1 = (1) For instance the inverse of s = (1 2 3) is s−1 = (1 3 2). We can verify this by multiplying the two together:

1 2 3 − 1 2 3 1 2 3 1 2 3 s ∗ s 1 = ∗ = 2 3 1 = = (1)∈S , 2 3 1 3 1 2   1 2 3 3     1 2 3    −1  For the example from S6, s = (1 2 3)(5 6) the inverse is s = (1 3 2)(5 6). Observe that a permutation that only transposes two numbers, e.g. (1 2), is its own inverse. The same holds for a permutation that only consists of cycles of length 2. While multiplication of permutations is generally not commutative, it is easy to see that

− − s ∗ s 1 = s 1 ∗ s = (1)

.

ii 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 29 September, 2009 Mathematics 2 – Modular Arithmetic and Residue Classes Modulo Operation Modular arithmetic defines standard arithmetic operations, i.e. +, −, ∗, on finite sets of integers. We first define a modulo operation mod on the set of integers Z as follows: we say for that two numbers a, b ∈ Z are congruent modulo some n ∈ Z if a − b is divisible by n. For example, if we have n = 5, a = 6, and b = 1 then 5 divides 6 − 1 and we say 6 modulo 5 is congruent 1 and write 6 ≡ 1(mod 5). We call 1 the remainder or residue. Observe that the modulo operation is related to division with remainder but not the same! Indeed for positive integers it is very similar: For example, if we divide 6 by 5 we have a remainder of 1. Likewise if we divide 17 by 6 we have a remainder of 5 or 17 mod 6 ≡ 5. More systematically we can then write down for the modulo 5 operation as: 0 ≡ 0(mod 5) 1 ≡ 1(mod 5) 2 ≡ 2(mod 5) 3 ≡ 3(mod 5) 4 ≡ 4(mod 5) 5 ≡ 0(mod 5) 6 ≡ 1(mod 5) 7 ≡ 2(mod 5) 8 ≡ 3(mod 5) 9 ≡ 4(mod 5) 10 ≡ 0(mod 5) · · · etc. However, while we can say that 11 ≡ 6(mod5), the remainder of 11 divided by 5 is still 1. The difference becomes even more apparent when we move to negative integers. While −6 divided by 5 has −1 as remainder, with respect to the modulo operation we can also express −6 ≡ 4(mod 5). Thus we can write a prequel to the above table: · · · −10 ≡ 0(mod 5) −9 ≡ 1(mod 5) −8 ≡ 2(mod 5) −7 ≡ 3(mod 5) −6 ≡ 4(mod 5) −5 ≡ 0(mod 5) −4 ≡ 1(mod 5) −3 ≡ 2(mod 5) −2 ≡ 3(mod 5) −1 ≡ 4(mod 5) 0 ≡ 0(mod 5) · · · see above Residue Classes Suppose that we now want to solve congruence equations, i.e. we are interested in the question for which x holds x ≡ 1(mod 5). Then obviously there is more than one correct answer and we can obtain them by repeatedly adding 5 to or subtracting 5 from 1. Thus x can be equal to ..., −9, −4, 1, 6, 11,.... All these values are equally valid and we can thus say they are equivalent with respect to the (mod 5) operation. It is easy to see that the (mod 5) operation partitions the integers into exactly 5 sets of numbers, or five different equivalence classes. (One can easily show that every modulo operation forms an equivalence relation, i.e., is reflexive, symmetric, and transitive.) We call these equivalence classes residue classes modulo 5 and introduce a shorthand notation by denoting a residue class by its smallest positive integer representant and the modulo factor as subscript. For example we write [0]5 for the residue class 0 modulo 5, which is the set of all integers that are congruent to 0 under the modulo 5 operation.

We can now write down the set of all residue classes modulo 5 as Z5 = {[0]5, [1]5, [2]5, [3]5, [4]5}. Sim- ilarly we can denote the residue class for the modulo 6 operation Z6 = {[0]6, [1]6, [2]6, [3]6, [4]6, [5]6} Observe that [1]5 and [1]6 are different objects, since the sets they represent are not equal, i.e. [1]5 = {..., −9, −4, 1, 6, 11,...}= 6 {..., −11, −5, 1, 7, 13,...} = [1]6! In general we will denote the set of all residue classes modulo some n by Zn={[0]n, [1]n,..., [n − 1]n}. In case it is clear from the context we will sometimes write only the integer representant for a residue class in question, i.e. we write 0 instead of [0]n. Arithmetic on Residue Classes We can now define arithmetic operations on residue classes via the underlying modulo operation. For example when we want to add [3]5 and [4]5 we compute (3 + 4) = 7 ≡ 2(mod 5) and thus get [3]5 + [4]5 = [2]5. Similarly we can define multiplication [3]5 ∗ [4]5 = [2]5 as (3 ∗ 4) = 12 ≡ 2(mod 5). Generally we define addition (subtraction) and multiplication for residue classes as [a]n + [b]n = [c]n if (a + b) ≡ c(mod n) [a]n ∗ [b]n = [c]n if (a ∗ b) ≡ c(mod n) Observe that these operations are only defined wrt. to residue classes modulo the same factor n. Never mix residue classes of unequal modulo operator!

iii 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 9 October, 2009 Handout 2 Summary of this handout: Symmetric Ciphers Overview — Block Ciphers — Feistel Ciphers — DES

II. Symmetric Ciphers

18. Symmetric Ciphers In a symmetric cipher the same key is used to both encrypt and decrypt a message. Therefore, both sender and receiver have to have knowledge of that key for encryption and decryption. Sometimes the keys are not exactly the same, but only trivially related. For instance, in the permutation cipher we can view the permutation as the encryption key and its inverse permutation as its trivially related decryption key. Symmetric ciphers are the classic variant of cryptographic algorithms, as opposed to asymmetric ciphers, in which both sender and receiver use different keys. We will learn about asymmetric ciphers later. Symmetric ciphers can be divided into two main types: Block Cipher A symmetric key cipher, which operates on fixed-length groups of bits, named blocks. Stream Cipher A symmetric cipher that encrypts plaintext continuously. Digits are enciphered one at a time and the transformation of successive digits varies during the encryption.

19. Problems with Symmetric Ciphers There are a number of obvious problems with symmetric ciphers. Since all parties involved in the communication have to use the same key there need to be secure ways of distributing the key and keeping it secret. To guarantee continuous secure communication keys have to be changed often and therefore new, non-trivial keys have to be generated. All these problems are known as key management problems and we will touch on them at the end of this section. Another drawback is that symmetric-key algorithms can not be used to authenticate the sender of a message. This is a problem we will get back to towards the end of this term. Before we have a closer look at block ciphers we will first define some terminology that we will use throughout the course. 20. The Players We will name our three main players in the game of cryptology:

Alice The sender of an encrypted message. Bob The intended receiver of an encrypted message. Bob is assumed to have the key to decrypt it. Eve The eavesdropper who tries to intercept and to cryptanalyse messages passed between Bob and Alice.

These three names are used throughout the literature to illustrate cryptographic algorithms and proto- cols. They are invariably supplemented by other players to mark additional participants in multi-party communication (names with ‘C’ and ‘D’) or additional attackers, arbitrators, trusted third parties, etc.

Eve Key Key Encryption Decryption Alice Bob

12 21. Mathematical Notation For a more abstract depiction of the encryption and decryption process, let • M be the plaintext, • K be the secret key, • E be the encryption function, • D be the decryption function, • C be the ciphertext. We can then simplify the above diagram. K K

M E C D M The encryption function E can be seen either as a binary function taking two arguments K and M or as a generic function which is customised by the key K. We will generally adopt that latter view both for E and D and express encryption and decryption as:

EK(M)= C DK (C)= M The communication is performed under the constant thread that Eve is listening in! We have to assume that Eve is familiar with the particular cryptographic algorithm used by Alice and Bob, i.e., with the generic functions E and D. Thus the security of the communication depends on the cryptographic strength of the customised system EK and DK, such that it is impossible for Eve to (1) find the key K and to (2) find a function f such that f(C)= M.

II.1 Block Ciphers We will first have a look at the basic building blocks for many modern block ciphers and then inspect two algorithms (DES and Rijndael) in detail.

II.1.1 Feistel Ciphers The Feistel cipher is a basic block cipher, which was developed by Horst Feistel at IBM. Its particular structure forms the bases of many modern block ciphers. The first Feistel cipher patented was the Lucifer Cipher in 1971. A Feistel cipher is a product cipher in that it applies the same basic encryption scheme iteratively for several rounds. It works on a block of bits of a set size and applies in each iteration a so called round function, i.e. an encryption function parameterised by a round key. Round keys are often derived from a general key and therefore called sub-keys. They are invoked in the encryption scheme by some function called a Feistel function. Each round of encryption works then as follows:

(i) Split the input in half.

(ii) Apply the Feistel function parameterised by the key to the right half.

(iii) Compute the xor of the result with the left half.

(iv) Swap the old left and new right half, unless we are in the last round, where we do not swap.

In the following we will denote the xor operation on two bit blocks by ⊕. Example: Consider the following xor operation on two four-bit blocks: 1010⊕1100 = 0110. Observe that this operation corresponds to a bit-wise addition modulo 2 and that it is self-inverse. Example: 1010⊕1100 = 0110 and 0110⊕1100 = 1010.

13 22. Feistel Cipher Encryption Algorithm We can formally define the encryption algorithm for an r-round Feistel cipher working on a plaintext M, with respect to a Feistel function F and round keys K0,...,Kr−1 as

1. Split the plaintext block into two equal pieces, M = (L0, R0)

2. For each round i = 0, 1,...,r − 1, compute Li+1 = Ri

Ri+1 = Li⊕F (Ki, Ri)

3. Then the ciphertext is C = (Rr,Lr). [Observe that this means we do not swap in the last round!] Step 2 of the algorithm (except for the last round where there is no swap) is graphically shown below:

Li Ri

Ki

⊕ F

Li+1 Ri+1 The interesting property of the Feistel Cipher is that regardless of choice of the particular Feistel function F , the round function can be inverted. In fact the decryption algorithm works exactly as encryption, just with a reversed order of keys:

1. Split the ciphertext block into two equal pieces, C = (Rr,Lr) [Observe that we start with the ciphertext coming from the encryption, i.e. R and L are reversed!]

2. For each round i = r, r − 1,..., 1, compute Ri−1 = Li

Li−1 = Ri⊕F (Ki−1,Li)

3. This results in the plaintext M = (L0, R0). [Again, no swap in the last round!] ere is an overview of the entire algorithm. For the decryption note that left and right hand sides of the ciphertext are swapped in from the beginning, i.e., except for the last round, the Ri parts are on the left and the Li parts on the right. Observe in particular the last round of en-/decryption: Source: Wikipedia

Ciphers can now be built from the basic Feistel cipher design (1) by specifying the generation of round keys, (2) by fixing the number of rounds, and (3) by defining the Feistel function F . 23. Some Feistel Ciphers are for instance Lucifer, Blowfish, Twofish, RC5, FEAL, DES, 3DES

14 II.1.2 DES The Data Encryption Standard (DES) was one of the most widely applied block ciphers. It was designed by IBM in collaboration with the NSA and adopted as an official Federal Information Processing Stan- dard (FIPS) for the United States in 1976 (FIPS PUB 46-3). There were rumours about backdoors the NSA had built into it, but until now no evidence was found for this. DES has a fairly small key size and is therefore considered too weak today. Indeed the world record for breaking DES encryption is currently 10 hours. Nevertheless, we will study it here since it provides the basis for several variants of DES that still provide good security. Some examples of variants are Triple-DES (TDES), DES-X, or ICE. 24. Overview of the DES Algorithm DES is a slightly modified Feistel cipher, in that it adds an initial permutation of the plaintext and a final permutation of the ciphertext to 16 rounds of Feistel encryption. The overview of the DES procedure is therefore: Plaintext Block

Initial Permutation IP

L0 R0

Li Ri

Ki

⊕ F

Li+1 Ri+1

R16 L16

Final Permutation IP −1

Ciphertext Block The design parameters of the DES cipher are:

• Block length n is 64 bits.

• Number of rounds r is 16.

• Key lengths is 56 bits.

• Round keys length is 48 bits for each sub-key K0,...,K15. The sub-keys are derived from the 56 bit key with a special key schedule. The most important part of DES is of course its specialist Feistel Function F . 25. The DES Feistel Function The Feistel function consists of four stage procedure: 1. Expansion Permutation: Expand the 32-bit message half block to a 48-bit block by doubling 16 bits and permuting them. [Observe that this permutation is different from the initial permutation IP !]

2. Round Key Addition: Compute the xor of the resulting 48-bit block with the round-key Ki.

15 3. S-Box: Split the 48-bit into eight 6-bit blocks. Each of those is then given as input to eight Substitution Boxes (S-Boxes), which substitute the 6-bit blocks by 4-bit blocks.

4. P-Box: The eight 4-bit output blocks from the S-Boxes are combined to a 32-bit block and per- muted in the Permutation Box (P-Box) to result in the final output of the function F .

The following is an overview of the DES Feistel function: Source: Wikipedia

26. Operations of DES Before we examine DES step-by-step, there are three new operations we have to get familiar with:

1. Cyclic shifts on bit strings blocks.

2. Permutations in DES

3. S-Box substitutions.

1. Cyclic left shifts The idea of a cyclic left shift on a bit block is to move the bits of a block left by a constant number of positions and to add every bit that would have “fallen out” of the block on the left side on the right of the block. We denote the cyclic left shift operation by ‘≪’. More formally we can define ≪ as: Suppose B is a block of n bits, B = b1b2 ...bn and 0 ≤ k ≤ n then B ≪ k = bk+1bk+2 ...bnb1 ...bk. Example: Let B = 01101001 and k = 3 then B ≪ k = 01101001 ≪ 3 = 01001011. Similarly we can define cyclic right shifts ≫. 2. Permutations Permutations in DES are not necessarily permutations in the strictly mathematical sense as they might drop or duplicate bits. Moreover, they use a particular notation one has to get familiar with. Instead of using, for example, a cycle notation, DES permutations are denoted in a form that specifies the output order of the input bits. For example, the permutation 4123 means that

• the fourth input bit becomes the first output bit,

• the first input bit becomes the second output bit,

• the second input bit becomes the third output bit, and

• the third input bit becomes the fourth output bit.

16 Example: Suppose we apply 4123 to the bit block 0101 we then get the result 1010. As mentioned before DES permutations are not necessarily one-to-one mappings. The can duplicate bits or they can drop bits or they can do both at the same time. Most importantly, the size of a bit block before a permutation is applied is not necessarily equal to the size of the resulting bit block. (This is also the reason why the standard mathematical notation is not appropriate for DES “permutations”). Example: Suppose we apply

• 4123 to the bit block 010101 we still get the result 1010. Notice that bits 5 and 6 have been dropped.

• 412314 to the bit block 0101 we get 101001. Notice that bits 1 and 4 have been duplicated.

• 412314 to the bit block 010101 we still get 101001. Notice that bits 5 and 6 have been dropped, bits 1 and 4 have been duplicated, and that we therefore get an output block of the same length as the input block.

3. S-Box Substitutions An S-Box substitution is essentially a table look-up. In DES S-Box substitutions work on 6 bit input blocks, yielding 4 bit output blocks. The basic idea is to use the input block to compute the row and column of the S-Box to look-up the output block. In detail this works as follows: First the outer bits of the 6 bit input are stripped of and joined. This results in a two bit number, which as the row number for the table look-up, while the four inner bits, i.e. bits 2, 3, 4, 5, are used as column number. The entry in the corresponding S-Box cell is then the resulting substitution. As an example S-Box we first have a look at the table below (which corresponds DES’s S-box S5) in bit notation:

Middle 4 bits of input S5 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 00 0010 1100 0100 0001 0111 1100 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001 01 1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1100 0011 1001 1000 0110

Outer bits 10 0100 0010 0001 1011 1100 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110 11 1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1100 0100 0101 0011

Example: Suppose we feed 101100 into S-Box S5. We first take bits 1 and 6 and get 10 as row number. This leaves the inner bits 0110 as column number. The correct substitution is then 0111. To preserve space S-Boxes are generally given in integer notation. For example the S-Box S5 from above can also be written as:

S5 2 12 4 1 7 1011 6 8 5 3 1513014 9 1411 2 12 4 7 13 1 5 0 1510 3 9 8 6 4 2 1 111013 7 8 15 9 12 5 6 3 0 14 11 8 12 7 1 14 2 13 6 15 0 9 104 5 3 Observe that we have also omitted to enumerate rows and columns as they are implicit. Note, however, that similar to the binary representation of the S-Box we enumerate rows from 0 to 3 and columns from 0 to 15, i.e., column 0 consists of entries 2, 14, 4, 11 and row 0 consists of 2, 12, 3, 1,..., 9. We can now perform S-Box substitutions of 6 bit integers from 0 to 63 by 4 bit integers 0 to 15. Example: Suppose we feed 47 into S5 we first translate 47 into its binary representation 101111. We then compute the row and column for our look-up, which corresponds to 11 and 0111, i.e. row 3 and column 7. Thus the result of our substitution is 13. 27. Steps of DES We now examine the single steps of DES. 1. The Initial Permutation IP is given in the following table. It permutes the 64 bits of the input, i.e. the plaintext. IP is given in a form that specifies the output order of the 64 input bits, e.g., the 58 in the first position means that the first bit of the output is the 58th bit of the input.

17 IP : 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

After the application of IP the resulting 64 bit are split into the initial left and right half L0 and R0. R0 is then passed on into the Feistel function, starting with the expansion permutation E. 2. The Expansion Permutation E is, strictly speaking, not a permutation in the mathematical sense, since it does not only permute bits but also duplicates them (thus it is not a one-to-one mapping). The table below specifies E in the same notation as IP above. E moves all bits and duplicates half of them. For example, input bit 1 is mapped to output bit 2 and output bit 48, whereas input bit 2 is only mapped to output bit 3.

E : 321 2 3 4 5 −→ S1 456789 −→ S2 8 9 10 11 12 13 −→ S3 12 13 14 15 16 17 −→ S4 16 17 18 19 20 21 −→ S5 20 21 22 23 24 25 −→ S6 24 25 26 27 28 29 −→ S7 28 29 30 31 32 1 −→ S8

We can observe that every row in E overlaps in two (input) bits with the row directly above and directly below it. This has the effect that one bit of input affects two substitutions performed in the S-Boxes, which means that only a small change in the plaintext produces a large difference in the ciphertext. Each row in the output of E corresponds to an input into the indicated S-boxes. However, before the substitutions are performed in step 4, the 48-bit round key Ki is xor-ed with the result of E.

3. Xor-ing the round key Ki At this point we have to take a closer look at how the round keys are com- puted from the original 56-bit key. The function to determine the sub-keys is called a key schedule. The key K is actually given as a 64-bit key, where each 8th bit is a parity bit. In a first step the parity bits are stripped and the remaining 56-bits are permuted with respect to the permutation PC-1 below.

PC-1 : 57 49 41 33 25 17 9 PC-2 : 14 17 11 24 1 5 1 58 50 42 34 26 18 3 28 15 6 21 10 10 2 59 51 43 35 27 23 19 12 4 26 8 19 11 3 60 52 44 36 16 7 27 20 13 2 63 55 47 39 31 23 15 41 52 31 37 47 55 7 62 54 46 38 30 22 30 40 51 45 33 48 14 6 61 53 45 37 29 44 49 39 56 34 53 21 13 5 28 20 12 4 46 42 50 36 29 32

The result of PC-1 is divided into a 28-bit left half C0 and a 28-bit right half D0. Now for each round we compute

Ci = Ci−1 ≪ pi

Di = Di−1 ≪ pi

1 if i = 1, 2, 9, 16 where x ≪ p means the cyclic shift on x to the left by p positions with p = i i i 2 otherwise For example 10101101 ≪ 2 = 10110110.  Ci and Di are then joined together again and permuted with PC-2 above. Observe, that PC-2 is again not a permutation in the strict sense since it drops some of the input bits, for instance bit 9 and 18 and thereby produces the final 48 bit round key.

18 4. S-Boxes Once the round key has been xor-ed to the output of the expansion permutation each 6 bit row is fed into an S-Box to be substituted. DES uses eight different S-Boxes, which are given below in decimal notation:

S1 14 4 13 1 2 1511 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 1211 9 5 3 8 4 1 14 8 13 6 2 111512 9 7 3 10 5 0 1512 8 2 4 9 1 7 5 11 3 1410 0 6 13

S2 15 1 8 14 6 11 3 4 9 7 2 1312 0 5 10 3 13 4 7 15 2 8 1412 0 1 10 6 9 11 5 0 14 7 1110 4 13 1 5 8 12 6 9 3 2 15 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

S3 10 0 9 14 6 3 15 5 1 1312 7 11 4 2 8 13 7 0 9 3 4 6 10 2 8 5 14121115 1 13 6 4 9 8 15 3 0 11 1 2 12 5 1014 7 1 1013 0 6 9 8 7 4 1514 3 11 5 2 12

S4 7 1314 3 0 6 9 10 1 2 8 5 1112 4 15 13 8 11 5 6 15 0 3 4 7 2 12 1 1014 9 10 6 9 0 1211 7 1315 1 3 14 5 2 8 4 3 15 0 6 10 1 13 8 9 4 5 1112 7 2 14

S5 2 12 4 1 7 1011 6 8 5 3 1513 0 14 9 1411 2 12 4 7 13 1 5 0 1510 3 9 8 6 4 2 1 111013 7 8 15 9 12 5 6 3 0 14 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S6 12 1 1015 9 2 6 8 0 13 3 4 14 7 5 11 1015 4 2 7 12 9 5 6 1 1314 0 11 3 8 9 1415 5 2 8 12 3 7 0 4 10 1 1311 6 4 3 2 12 9 5 15101114 1 7 6 0 8 13

S7 4 11 2 1415 0 8 13 3 12 9 7 5 10 6 1 13 0 11 7 4 9 1 1014 3 5 12 2 15 8 6 1 4 111312 3 7 141015 6 8 0 5 9 2 6 1113 8 1 4 10 7 9 5 0 1514 2 3 12

S8 13 2 8 4 6 1511 1 10 9 3 14 5 0 12 7 1 1513 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 1214 2 0 6 101315 3 5 8 2 1 14 7 4 10 8 131512 9 0 3 5 6 11

The S-Box substitution is the important part that provides security of DES. In fact, the composition of the S-Boxes is crucial and even only small changes to the substitution schemes can reduce the security of DES drastically. The correct eight S-Boxes are given on the next page. The output of the eight S-Box substitution are eight 4-bit numbers, which are passed on to the P-Box. 5. P-Box The P-Box takes the eight 4-bit pieces and combines them using the following permutation scheme. P : 16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

This results again in 32 bits, which are xor-ed with the 32 bits of the original left half of the input text. Unless we are in the last round of the algorithm the new right half and the original left half are swapped and concatenated.

19 − 6. Final Permutation IP 1 Once steps 2–5 have been iterated for 16 rounds the resulting 64 bits are again permuted with respect to the inverse of the initial permutation: − IP 1 : 40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25 28. An Example Round Let’s have a look at an example round of the DES cipher. We take a very simple message and a nearly trivial key: M = 0000000000000000000000000000000100000000000000000000000000000001 and K = 1000000000000000000000000000000010000000000000000000000000000000 The first round key is the computed as follows: PC-1(K)= PC-1(1000000000000000000000000000000010000000000000000000000000000000) = 00010001000000000000000000000000000000000000000000000000 C1 = C0 ≪ 1 = 0001000100000000000000000000 ≪ 1 = 0010001000000000000000000000 D1 = D0 ≪ 1 = 0000000000000000000000000000 ≪ 1 = 0000000000000000000000000000 PC-2(C1kD1)= PC-2(00100010000000000000000000000000000000000000000000000000) = 000000100000000000010000000000000000000000000000

The following is the first round of DES (observe that we start with round 1 as opposed to round 0 in the usual Feistel ciphers): Round 1: L1 = 00000000000000000000000000000001 R1 = 00000000000000000000000000000001 Apply E: 100000000000000000000000000000000000000000000010 Xor K1: 000000100000000000010000000000000000000000000000⊕ 100000000000000000000000000000000000000000000010 = 100000k100000k000000k010000k000000k000000k000000k000010 S-Box S1: 0100 S-Box S2: 0000 S-Box S3: 1010 S-Box S4: 0001 S-Box S5: 0010 S-Box S6: 1100 S-Box S7: 0100 S-Box S8: 0010 P-Box: 10010000000100101000000110001100 Xor L1: 10010000000100101000000110001100⊕00000000000000000000000000000001 = 10010000000100101000000110001101 R1kL1 = 00000000000000000000000000000001k10010000000100101000000110001101

The remaining 15 rounds are left as an exercise. The final resulting ciphertext is:

1010010101001001101011110101011101010110111010110010100010000111 We can observe the avalanche effect, i.e., a small change of the plaintext triggers a big change in the ciphertext, already after the first round. Suppose we change the message ever so slightly to M = 0000000000000000000000000000000100000000000000000000000000000000 and retain the key as K = 1000000000000000000000000000000010000000000000000000000000000000 Then result after the first round is R1kL1 = 00000000000000000000000000000000k10011000100100001000101110101101 which is already (at least the right half) significantly different from the first round result of the previous encryption. This is even more apparent when comparing the final result of the encryption:

1011110101001011010000110011101010010000001101111000011011110100 with the previous one above. It is obvious that despite having chosen fairly trivial messages and triv- ial keys, the difference of only one bit in the original message leads to significant a difference in the ciphertexts, which makes it not obvious that the original plaintexts are actually very similar.

20 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 9 October, 2009

Exercise Sheet 2

Submit via the correct pigeon hole before 16 October, 11am.

6. Compute the following bit-wise operations:

(a) (100100111011 ≪ 5)⊕(111011010001 ≪ 4) (b) ((100100111011 ≫ 3)⊕111011010001) ≪ 4 1+1

7. Perform the following S-Box substitutions:

(a) 001011 in S7

(b) 37 in S8 1+1

8. (a) Let (2 3 1 6 5 4) ∈ S6. Apply the permutation to the list of letters ABCDEF . (b) Let 231654 be a DES-style permutation. Apply it to the list of letters ABCDEF . 1+1

9. Assume a simplified, DES algorithm that takes an 8-bit plaintext input M and a 6-bit key K. Its components are defined as follows:

• initial permutation IP = (1 4 7 6)(2 8 5 3). • a Feistel function F where – Expansion permutation E has the schema 312341 .

– The only S-Box is S6 from the normal DES Feistel function. – P-Box has the permutation schema 3241 .

• a key schedule defined simply via shifts without additional permutations as: C0kD0 = K, Ki = Ci+1kDi+1, i = 0, 1, 2,... where Ci and Di are both of 3-bit length and computed by

Ci = ((Ci−1 ≪ 2)⊕Ci−1) ≪ 1

Di = ((Di−1 ≪ 1)⊕Di−1) ≪ 2

Let M = 01011100 and K = 011010.

(a) Compute the sub-keys K0, K1, K2 for the first three rounds. (b) Encrypt M with three iterations of F . Take the resulting ciphertext and decrypt it. Note carefully all the intermediate results of the single steps of the procedure. 3+17

21 33 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 16 October, 2009

Solutions for Exercise Sheet 2

6. (a) (100100111011≪5)⊕(111011010001≪4) = 011101110010⊕110100011110 = 101001101100 (b) ((100100111011≫3)⊕111011010001)≪4 = (011100100111⊕111011010001)≪4= 100111110110≪4 = 111101101001

7. (a) 001011 in S7 is 1001 (b) 37 corresponds to 100101 and is substituted in S8 to 1110 or 14.

8. (a) CDBEFA

(b) BCAFED

9. (a) The keys are K0 = 101011, K1 = 110110, and K2 = 011101. − (b) First we note that IP 1 = (1 6 7 4)(2 3 5 8). Encryption: M = 01011100 IP (M) = 10100011 Round 0: L0 = 1010 R0 = 0011 Apply E: 100110 Xor K0: 101011⊕100110 = 001101 S-Box S6: 1001 P-Box: 0011 Xor L0: 0011⊕1010 = 1001 Round 1: L1 = 0011 R1 = 1001 Apply E: 010011 Xor K1: 110110⊕010011 = 100101 S-Box S6: 0010 P-Box: 1000 Xor L1: 1000⊕0011 = 1011 Round 2: L2 = 1001 R2 = 1011 Apply E: 110111 Xor K2: 011101⊕110111 = 101010 S-Box S6: 1000 P-Box: 0001 Xor L2: 0001⊕1001 = 1000 C′ = 10001011 − C = IP 1(C′) = 01010101

c Decryption: C = 01010101 IP (C) = 10001011 Round 2: L2 = 1000 R2 = 1011 Apply E: 110111 Xor K2: 011101⊕110111 = 101010 S-Box S6: 1000 P-Box: 0001 Xor L2: 0001⊕1000 = 1001 Round 1: L1 = 1011 R1 = 1001 Apply E: 010011 Xor K1: 110110⊕010011 = 100101 S-Box S6: 0010 P-Box: 1000 Xor L1: 1000⊕1011 = 0011 Round 0: L0 = 1001 R0 = 0011 Apply E: 100110 Xor K0: 101011⊕100110 = 001101 S-Box S6: 1001 P-Box: 0011 Xor L0: 0011⊕1001 = 1010 M ′ = 10100011 − M = IP 1(M ′) = 01011100

d 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 16 October, 2009 Handout 3 Summary of this handout: Block Ciphers continued — AES (Rijndael) — AACS — Finite Fields — Revision: Matrix Arithmetic

II.1.3 AES (Rijndael) The advanced encryption standard (AES) is the successor of the outdated DES. It was developed by the two Belgian cryptographers Joan Daemen and Vincent Rijmen. It was originally named Rijndael, but renamed to AES when it was adopted as official US standard in November 2001. Rijndael is a block cipher, however, it does not rely on the basic design of the Feistel cipher. In particular is has distinct encryption and decryption algorithms. But similar to DES, it is round based and relies on a combination of substitutions, permutations and key addition. AES is motivated by arithmetic operations in the field F28 , and its implementation in hardware and software is compact and fast. Rijndael is parameterisable in that it can work with:

• block sizes of 128, 192, and 256 bits,

• key sizes of 128, 192, and 256 bits, and

• 10, 12, or 14 rounds of encryption.

Rijndael performs encryption, decryption and computes the key schedule using arithmetic in F28 with 8 4 3 8 4 respect to the irreducible polynomial p(x) = x + x + x + x + 1. That is, F28 = F2[x]/(x + x + x3 + x + 1). 29. Operation of AES We will discuss the basic operations of Rijndael for the case of 128 bit block and key size and 10 rounds of encryption. Rijndael arranges both message and key in 4 × 4 matrices of 8-bit elements, i.e., each element is exactly one byte and each column and each row contain 32-bit words. If m = m0km1k . . . km15 is the message, then Rijndael initialises the so called state matrix A as follows:

m0 m4 m8 m12 a0,0 a0,1 a0,2 a0,3 m1 m5 m9 m13 a1,0 a1,1 a1,2 a1,3   −→ A =   m2 m6 m10 m14 a2,0 a2,1 a2,2 a2,3 m m m m  a a a a   3 7 11 15  3,0 3,1 3,2 3,3     Each round applies the following manipulations to the state matrix:

1. a substitution operation on every single byte SubBytes,

2. a byte permutation ShiftRows,

3. a column manipulation MixColumns,

4. and an xor of the state with the round key AddRoundKey.

An exception is the last round, where the MixColumns operation is skipped. For each of these operations, except for AddRoundKey, we need corresponding inverse operations for the decryption. Here is an overview of the encryption and decryption algorithms:

22 EK(M) DK(C)

A := M A := C A := AddRoundKey(A, K0) A := AddRoundKey(A, K10) for i = 1 to 9 do A := InverseShiftRows(A) A := SubBytes(A) A := InverseSubBytes(A) A := ShiftRows(A) for i = 9 downto 1 do A := MixColumns(A) A := AddRoundKey(A, Ki) A := AddRoundKey(A, Ki) A := InverseMixColumns(A) end A := InverseShiftRows(A) A := SubBytes(A) A := InverseSubBytes(A) A := ShiftRows(A) end A := AddRoundKey(A, K10) A := AddRoundKey(A, K0) C := A M := A Here are the single operations in detail. 1. SubBytes: This operation is similar to the S-Box substitution of DES. Each byte ai,j of the state is substituted by the output of a single S-Box. This S-Box corresponds to an algebraic operation in Rijndael’s finite field F28 . Each byte ai,j = [z7,...,z0] is considered as a polynomial in F28 . Its substitution is then computed in two steps:

−1 1. First we compute the multiplicative inverse of ai,j in F28 to get ai,j = [x7,...,x0]. (The zero element is mapped to [0,..., 0].)

2. We then compute a new bit vector bi,j = [y7,...,y0] with the following transformation in F2 (observe that the vector addition is the same as an xor ⊕):

y0 10001111 x0 0 y1 11000111 x1 1         y2 11100011 x2 1 y  11110001 x  0  3 =   ·  3 +   y  11111000 x  0  4    4   y  01111100 x  0  5    5   y  00111110 x  1  6    6   y  00011111 x  1  7    7           The substitution can be schematically displayed as: Source: Wikipedia

For the decryption algorithm we can define an inverse operation InverseSubBytes by first reversing the transformation:

23 x0 00100101 y0 0 x1 10010010 y1 1         x2 01001001 y2 1 x3 10100100 y3 0   =     +   x  01010010 y  0  4    4   x  00101001 y  0  5    5   x  10010100 y  1  6    6   x  01001010 y  1  7    7           and then computing the multiplicative inverse of [x7,...,x0] in F28 . 2. ShiftRows: This operation performs a cyclic shift on the state matrix by shifting each row separately. This ensures that the columns of the state matrix interact over several rounds of encryption. The lower three rows are shifted by one, two, and three positions, respectively: Source: Wikipedia

For the decryption the InverseShiftRows does the reverse shift. 3. MixColumns: This operation ensure interaction of the rows of the state matrix by mixing each column separately. For this it performs the following matrix multiplication for each column i = 1, 2, 3, 4 over F28 , where the entries of the matrix are hexadecimal representations of polynomials of degree 7 (e.g. 0x03 corresponds to x + 1.)

b0,i 0x02 0x03 0x01 0x01 a0,i b1,i 0x01 0x02 0x03 0x01 a1,i   =   ·   b2,i 0x01 0x01 0x02 0x03 a2,i b  0x03 0x01 0x01 0x02 a   3,i    3,i       4 This operation actually corresponds to a polynomial multiplication in F28 [x]/(x + 1), the ring of poly- 4 nomials whose coefficient are in F28 , i.e., they are polynomials themselves. Observe that x + 1 is not 4 irreducible in F28 and therefore F28 [x]/(x + 1) is indeed a ring not a field.

3 2 3 2 4 a(x) · c(x) = (a3x + a2x + a1x + a0) · (0x03x + 0x01x + 0x01x + 0x02)(mod x + 1)

We can picture MixColumns as Source: Wikipedia

24 − The inverse operation InverseMixColumns is then simply the multiplication with c(x) 1, which has an 4 inverse in the ring F28 [x]/(x + 1). 4. AddRoundKey: As mentioned earlier, the key size of AES is 128 bits. All the round keys K0,...,K10 derived from the key K are also 128 bits and can therefore be expressed as a 4 × 4 matrix:

k0,0 k0,1 k0,2 k0,3 k1,0 k1,1 k1,2 k1,3 Ki =   k2,0 k2,1 k2,2 k2,3 k k k k   3,0 3,1 3,2 3,3   Adding the round key is simply the xor-ing of the state matrix and the round key matrix byte by byte: A⊕Ki. The inverse of this operation is obviously the same and we do not need a special operation for the decryption. Source: Wikipedia

30. Key Schedule of AES The round keys K0,...,K10 are derived from the key K. Since K is 128 bits we can divide it into 4 words of 32 bits each: K = W0kW1kW2kW3, which also corresponds to round key K0. All subse- quent round keys Ki = W4ikW4i+1kW4i+2kW4i+3 are then computed using an 8 bit left rotation, an S-Box substitution with the SubBytes function, and a scrambling sequence, which is started with a round constant RCi that is computed in F28 by

i 8 4 3 RCi = x (mod x + x + x + x + 1).

The algorithm then looks like this:

KeySchedule(K)

W0kW1kW2kW3 := K for i := 1 to 10 do T := W4i−1 ≪ 8 T := SubBytes(T ) T := T ⊕RCi W4i := W4i−4⊕T W4i+1 := W4i−3⊕W4i W4i+2 := W4i−2⊕W4i+1 W4i+3 := W4i−1⊕W4i+2 end

25 II.1.4 AACS — Advanced Access Content System The Advanced Access Content System (AACS) is a Digital Rights Management system for HD-DVD and Blu-Ray Discs developed by a consortium that includes Disney, Intel, Microsoft, Matsushita (Panasonic), Warner Brothers, IBM, Toshiba, and Sony. The general idea of Digital Rights Management (DRM) is to restrict access control to electronic media and playback devices to retain full control by the copyright owner. We first give a brief overview of AACS and then dicuss some of the issues arising from AACS and DRM in general. 31. Overview AACS uses encryption, hash functions, and watermarking schemes based on AES. Exact specifications for parts of the technology are published by the AACS licensing authority at http:// www.aacsla.com. Below is a schematic overview of the mechanism of AACS. The content of a disc is encrypted with AES using a collection of title keys. The encrypted content, together with the encrypted title keys, a media key block (MKB), and the unique disc ID are all stored on the disc. An AACS encrypted disc can only be accessed with a fully licensed player. Each licensed player gets a unique set of device keys as well as a unique Host Private Key. The latter makes it possible that par- ticular playback devices or programmes can be indi- vidually revoked. The device keys are used to compute a key from the MKB. The host private key is needed to retrieve the disc ID. Both values are then processed by an AES- based one-way function, AES-G. (One-way func- tions are functions easy to compute, but infeasible

to invert. We will discuss one-way functions in more Source: arstechnica.com detail later in the lecture.) The result of AES-G is then used to decrypt the title keys, which in turn are used to finally decrypt the content. 32. Security Issues Here are some of the security requirements for AACS implementations to ensure DRM requirements:

• The content should “not be present on any User-Accessible Bus in analog or unencrypted, com- pressed form”, because users could possibly record or redirect that content. • Implementations must use “encryption, execution of a portion of the implementation in ring zero or supervisor mode (i.e., in kernel mode), and/or embodiment in a secure physical implementation,” to keep encryption keys secret at all times. • They must also use “techniques of obfuscation clearly designed to effectively disguise and hamper attempts to discover the approaches used”.

Thus, video content must travel through the system encrypted and must only interact with authorized components over authorized pathways. For example in Windows Vista AACS is implemented via the Protected Video Path (PVP), which stops DRM-restricted content from playing while unsigned software is running in order to prevent the unsigned software from accessing the content. Additionally, PVP can encrypt information during transmission to the monitor or the graphics card, which makes it more difficult to make unauthorized recordings. In other word, you cannot watch a video, while running your own programmes.

26 33. Legal and Ethical Issues It is obvious that to fully comply with the DRM requirement specification, AACS has to be deeply embedded into an operating system. This essentially rules out any open source implementation of the AACS as the algorithms to decrypt keys would be easily accessible and therefore security would be compromised. But even if only proprietary implementations are licensed and allowed, any Operating System can (at least theoretically) be emulated by a virtual machine. But running an AACS compliant software player on the VR would give access to the unsecured data streams. This has indeed already been done: In December 2006 the first software was announced and subsequently published that enables to backup AACS encrypted content. In order to keep the software legal, it cannot actually be used on its own, but an appropriate key must be supplied manually. Since extracting a key without license would be illegal, 128 bit keys were quickly made available throughout the Internet. The AACS licensing agency tried to put a stop to this by suing websites publishing keys as well as by revoking keys (in particular for Windows based software like WinDVD). However, the more they sued, the more keys were published, etc. The issue remains unsolved to date, in particular since much is a legal grey area. Some of the issues of DRM highlighted by this controversy are:

• The AACS licensing agency argued that publishing the keys is illegal since they would fall under their software patent. However, is it possible to patent single 128-bit numbers? And if so, in which form? Only the hexadecimal representation, or all other representations as well, i.e. decimal, binary, octal, sum of two or several values, etc.? AACS can be used with millions of keys. Are they all patented? Can I be sued if I use one, publish one, etc.

• Under the laws of many countries making one backup of media content is legal. AACS however effectively prevents this.

• AACS protected media can only be played on specially licensed devises, not necessarily on the playback devise of my choice. In other words, although I own the content of the disc (not the Copyright!) I can not play it the way I want to. As a comparison: If I buy a bottle of Coke, I am not allowed to reproduce its content, as it is a patented formula. However, no-one can force me to only drink it out of a particular licensed glass.

• The DRM requirements of AACS can only be realised when fully embedded into the operating system. In order not to compromise security (and thus violate the licensing terms) information on the embedding cannot be made public or even given to competitors. However, this amounts essentially to a similar controversy that has led to anti-trust law suits, by companies like Netscape, RealPlayer etc, against Microsoft.

These are just some issues. There are plenty more. . .

27 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 16 October, 2009

Exercise Sheet 3

Submit via the correct pigeon hole before 23 October, 11pm.

10. Carry out the following polynomial divisions 3+3

(a) (20 x5 + 22 x4 + 6 x3 + 5 x2 + 4 x + 2)/(5 x2 + 3 x) over Z 7 6 4 3 2 (b) x + x + x + x + x + 1/x + 1 over F2[x]

8 4 3 11. Compute the following bit operations in Rijndael’s finite field F28 , i.e., modulo x +x +x +x+1: (a) 0x55 ⊗ 0x91 (b) 0xC1 ⊗ 0x17 Give the result again in hexadecimal format. 5+5

12. Perform the following matrix multiplications 3+8 1 00 11 0 0xA 0x5 0xD 4 (a) 01 01 ·   in F2. (b) · in F2[x]/(x +x+1)   1 0xC 0x3 0x9 11 11     1       13. Consider the following algebraic structure (A, ◦), given by its multiplication table. 4+5+4

◦ 12345 1 12345 2 24153 3 35421 4 41532 5 53214

Observe that the elements of A are neither integers nor residue classes!

(a) Determine which of the group properties hold for A. (b) The so-called Latin square property on an algebraic structure G is defined as follows: For each a, b ∈ G there exist x,y ∈ G, such that (a ◦ x)= b and (y ◦ a)= b. Show that A has the Latin square property. (c) Show for an arbitrary closed algebraic structure G: If G is both associative and has the Latin square property, then G is a group.

28 55 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 23 October, 2009 Solutions for Exercise Sheet 3 10. (a) (20 x5 + 22 x4 + 6 x3 + 5 x2 + 4 x + 2) ≡ (x + 2)(mod (5 x2 + 3 x)), since we have: 20 x5 +22 x4 +6 x3 +5 x2 +4 x +2 /5 x2 + 3 x = 4 x3 + 2 x2 + 1 −20 x5 −12 x4 10 x4 +6 x3 +5 x2 +4 x +2 −10 x4 −6 x3 5 x2 +4 x +2 −5 x2 −3 x x +2 Hence the remainder is: x + 2 (b) x7 + x6 + x4 + x3 + x + 1 ≡ x2 + 1(mod x + 1), since we have: x7 +x6 +x4 +x3 +x +1 / x2 +1= x5 + x4 + x3 x7 +x5 x6 +x5 +x4 +x3 +x +1 x6 +x4 x5 +x3 +x +1 x5 +x3 x +1 Hence the remainder is: x + 1.

11. We first translate the hexadecimal numbers via bit vectors into polynomials over F2[x], then mul- tiply the two resulting polynomials and finally perform the polynomial division with the Rijndael polynomial compute the remainder and hence the resultant of the modulo operation. I have not explicitly carried out the polynomial divisions this time. 5 5 ⊗ 9 1 (a) Translate: 010 1 0 1 01 ⊗ 100 1 0001 x6 +x4 +x2 +1 · x7 +x4 +1 Multiply: (x6 + x4 + x2 + 1) · (x7 + x4 +1) = x13 + x11 + x10 + x9 + x8 + x7 + x2 + 1 Divide: x13 + x11 + x10 + x9 + x8 + x7 + x2 + 1 ≡ x6 + x4 +1(mod x8 + x4 + x3 + x + 1) Result: 0x51 C 1 ⊗ 1 7 (b) Translate: 1 1 000001 ⊗ 00010 1 1 1 x7 +x6 +1 · x4 +x2 +x +1 Multiply: (x7 + x6 + 1) · (x4 + x2 + x +1) = x11 + x10 + x9 + x6 + x4 + x2 + x + 1 Divide: x11+x10+x9+x6+x4+x2+x+1 ≡ x7+x6+x4+x2+1( mod x8+x4+x3+x+1) Result: 0xD5 1 0 01 1 1 + 1 0 0 12. (a) 0 10 1 ·   = 1 = 1   1     1 11 1 1+1+1 1 1         0xA 0x5 0xD 1010 0101 1101 x3 + x x2 + 1 x3 + x2 + 1 (b) · = · = · = 0xC 0x3 0x9 1100 0011 1001 x3 + x2 x + 1 x3 + 1             x3 + x x3 + x2 + 1 + x2 + 1 x3 + 1 x6 + x3 + x4 + x + x2 + 1 = = x3 + x2 x3 + x2 + 1 + (x + 1) x3 + 1 x6 + x2 + x + 1 



   0 0x0
=

x3 + x + 1 0xB     e 13. (a) Closure: A is clearly closed under the operation ◦. Identity Element: A has 1 as identity element, which is obvious from the first column and row of the multiplication table. Associativity: A is not associative. Taking, for example, 2 ∈ A we have

(2 ◦ 2) ◦ 2 = 4 ◦ 2 = 1 and 2 ◦ (2 ◦ 2) = 2 ◦ 4 = 5.

[Also it is not a necessary group property, we can also observe that A is not commutative, as, for example, 4 ◦ 2 6= 2 ◦ 4.] Inverses: Not all elements of A have a unique inverse element, as we, for example, get for 2 ∈ A: 2 ◦ 3 = 1 and 4 ◦ 2 = 1. [Observe that here the uniqueness postulated in the group axioms is indeed important, as every element has a left and right inverse.] (b) We essentially test for every combination of a, b ∈ G if there are appropriate x,y ∈ G: b b a = 1 12345 a = 2 12345 etc. x 12345 x 31524 y 12345 y 41523 (c) Let G be an arbitrary closed algebraic structure. If G is both associative and has the Latin square property, then G is a group. Proof. We have to show (1) that there exists a unique identity e ∈ G and (2) that every element in G has an inverse wrt. e. (1) Since ax = b is solvable for all a, b ∈ G, there exists a x′ ∈ G, such that ax′ = a. This right identity is indeed unique as we have bx′ = (ya)x′ = y(ax′) = ya = b. (Here we are using associativity!) Analogously with ya = b we have a unique left identity y′ with y′a = a. We can also show that both left and right identity are indeed the same as we get x′ = y′x′ = y′ = e. (2) With the Latin square property we have elements x∗,y∗ ∈ G such that ax∗ = e und y∗a = e. Furthermore x∗ = ex∗ = y∗ax∗ = y∗e = y∗ shows the uniqueness of these inverses.

f 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 16 October, 2009 Mathematics 3 – Finite Fields Finite fields are an important algebraic concepts used in more advanced cryptographic techniques. This section will introduce the very basics, as far as we need them in this lecture. For a more in-depth introduction, see for instance: Lidl & Niederreiter, Introduction to finite fields and their applications, Cambridge University Press, 1994. We first define some basic algebraic notions characterising sets together with binary operations. Definition 1 (Group) Let G be a set and ◦ be a binary operation defined on G, i.e., ◦ : G × G → G. We say (G, ◦) is a group if ◦ (i) is closed: that is for each a, b ∈ G we have a ◦ b ∈ G. (ii) is associative: that is for each a, b, c ∈ G we have (a ◦ b) ◦ c = a ◦ (b ◦ c). (iii) has an identity element: that is there exists e ∈ G s.t. for each a ∈ G we have a ◦ e = e ◦ a = a. − − − (iv) every element has an inverse: that is for every a ∈ G there is a 1 ∈ G with a◦a 1 = a 1 ◦a = e. We call (G, ◦) a commutative group if in addition ◦ (v) is commutative: that is for each a, b ∈ G we have a ◦ b = b ◦ a. Example: An easy example are the integers with addition (Z, +). They form a commutative group, since they are clearly closed and associative, the identity element is 0 and each element a ∈ Z has an inverse, namely −a ∈ Z. On the contrary the integers with times (Z, ·) are not a group! Although they are closed under ·, times is associative, and 1 ∈ Z is an identity element, not every element has an inverse. For example 2 ∈ Z 1 would have 2 as inverse, which is not an integer! However, the relationship between + and · gives rise to the following definition: Definition 2 (Ring) Let R be a set with two binary operations + and ·, then (R, +, ·) is a ring if • (R, +) is a commutative group, • (R, ·) is closed, associative and has an identity. • + and · are (i) left distributive: that is for each a, b, c ∈ Z we have a · (b + c) = (a · b) + (a · c), (ii) right distributive: that is for each a, b, c ∈ Z we have (b + c) · a = (b · a) + (c · a). Example: (Z, +, ·) is a ring, since we can easily verify the distributivity laws. If the multiplication has inverses as well, we can extend our ring definition to the following: Definition 3 (Field) Let F be a set with two binary operations + and ·. Let F ∗ be the set that contains all elements of F except the identity for +, i.e. we let F ∗ = F \ {0}, where 0 is the identity for +. Then (F, +, ·) is a field if • (F, +) is a commutative group, • (F ∗, ·) is a commutative group, • + and · are left and right distributive. Example: The rational numbers with addition and multiplication form a field: (Q, +, ·). Both operations are obviously closed, associative and commutative. For addition 0 is the identity and for every a ∈ Q the additive inverse is −a ∈ Q∗. Then Q∗ = Q \ {0}, 1 is the identity for multiplication and every a ∈ Q∗ 1 ∗ has a multiplicative inverse, namely a ∈ Q .

iv Some Finite Examples In the following we want to restrict ourselves to finite sets. We have already seen some examples of finite sets in Mathematics 1 + 2. For example, the set of all permutations of n elements forms non- commutative(!) group, the symmetric group Sn. Other finite sets are the sets of residue classes modulo some n, Zn, for which we now want to check what structure they form. For finite sets one can use a very easy technique to verify the properties of a particular operation, by simply writing down the entire operation in the form of a multiplication table. For example we can use the following multiplication tables (Z2, +): (Z2, ·): (Z3, +): (Z3, ·): + [0]2 [1]2 · [0]2 [1]2 + [0]3 [1]3 [2]3 · [0]3 [1]3 [2]3 [0]2 [0]2 [1]2 [0]2 [0]2 [0]2 [0]3 [0]3 [1]3 [2]3 [0]3 [0]3 [0]3 [0]3 [1]2 [1]2 [0]2 [1]2 [0]2 [1]2 [1]3 [1]3 [2]3 [0]3 [1]3 [0]3 [1]3 [2]3 [2]3 [2]3 [0]3 [1]3 [2]3 [0]3 [2]3 [1]3 to determine that (Z2, +) and (Z3, +) are commutative groups. Obviously (Z2, ·) and (Z3, ·) are not groups, since neither [0]2 nor [0]3 have a multiplicative inverse. However, if we get rid of the 0 element ∗ ∗ in both tables, it is easy to see that we get commutative groups for Z2 and Z3:

· [1]3 [2]3 ∗ · [1]2 ∗ (Z2, ·): (Z3, ·): [1]3 [1]3 [2]3 [1]2 [1]2 [2]3 [2]3 [1]3 Since one can also easily check that both distributivity laws hold, we can thus conclude that both (Z2, +, ·) and (Z3, +, ·) are fields. The natural next question is: Do all residue class sets form a field together with addition and multiplica- tion? Let’s have a look at Z4:

+ [0]4 [1]4 [2]4 [3]4 · [1]4 [2]4 [3]4 [0]4 [0]4 [1]4 [2]4 [3]4 ∗ [1]4 [1]4 [2]4 [3]4 (Z4, +): [1]4 [1]4 [2]4 [3]4 [0]4 (Z4, ·): [2]4 [2]4 [0]4 [2]4 [2]4 [2]4 [3]4 [0]4 [1]4 [3]4 [3]4 [2]4 [1]4 [3]4 [3]4 [0]4 [1]4 [2]4

∗ We can see, while (Z4, +) is a commutative group, (Z4, ·) is not a group: It is not even closed, as ∗ [2]4 · [2]4 = [0]4 and [0]4 is not an element of Z4, and there is also no inverse element for [2]4. Thus (Z4, +, ·) is a ring ([1]4 is the neutral element for ·), but not a field. Indeed one can show the following two theorems:

Theorem 4 (Zn, +, ·) is a ring for every n ≥ 2.

Theorem 5 (Zp, +, ·) is a field if and only if p is a prime number.

Definition 6 (Finite Field) Let (F, +, ·) be a field. If F is a finite set with p elements, we call (F, +, ·) a finite field or order p and denote it by Fp.

Example: We can now write F2 = (Z2, +, ·), F3 = (Z3, +, ·), etc. In general we have for every prime number p: Fp = (Zp, +, ·). So far we know that for every prime number p there exists a finite field of that order. In addition one can easily show that this is (up to isomorphism) the only finite field of that order. That is, every finite field of prime order has the structure of Zp. Our next question is, are these the only finite fields, or are there any others, i.e. of an order that is not a prime number. In order to answer this question, we have to make a little detour via the theory of polynomials.

v Polynomials I assume that everyone is familiar with polynomials. The following is just to recall some important concepts. While we can define polynomials essentially over any ring, we will restrict ourselves, for now, to polynomials over the integers Z. n 2 Definition 7 (Polynomial) We call an expression of the form anx +. . .+a2x +a1x+a0 a polynomial in the variable x over Z, if all ai ∈ Z, i = 0,...,n and all exponents 0,...,n are non-negative integers. We denote the set of all polynomials in one variable over Z as Z[x]. i We call a summand aix of a polynomial a monomial of degree i with coefficient ai. We say a polynomial p ∈ Z[x] is of degree n if its greatest non-zero monomial is of degree n. We generally write deg(p)= n. Example: p(x)= x4 + 3x3 + 2x2 − 10 is a polynomial of degree 4. n 2 Definition 8 (Polynomial Arithmetic) Let p(x),q(x) ∈ Z[x] be p(x)= anx + . . . + a2x + a1x + a0 n 2 and q(x)= bnx + . . . + b2x + b1x + b0. We define addition + and multiplication · as component-wise operations as: n 2 (i) p(x)+ q(x) = (an + bn)x + . . . + (a2 + b2)x + (a1 + b1)x + (a0 + b0) (n+m) (n+(m−1)) n (ii) p(x) ∗ q(x) = (an ∗ bm)x +(an ∗ bm−1)x + . . . +(an ∗ b0)x . . m m−1 + (a0 ∗ bm)x +(a0 ∗ bm−1)x + . . . +(a0 ∗ b0) Example: Let p(x)= x4 + 3x3 + 2x2 − 10 and q(x) = 2x3 − 9x2 + 2x − 3. Then we have p(x)+ q(x) = x4 + 5x3 − 7x2 + 2x − 13 p(x) · q(x) = 2x7 − 3x6 − 21x5 − 15x4 − 25x3 + 84x2 − 20x + 30. Recall that (Z, +, ·) forms a ring. Similarly we can show that (Z[x], +, ·) forms a ring with the addition and multiplication over polynomials. We now observe some more parallels between Z and Z[x]: Z Z[x]

Division with Remainder Divide 323 by 7 Divide x3 + 4x2 + 6x − 1 by x2 + 2x + 1 323 / 7 = 46 x3 +4x2 +6x −1 /x2 + 2x +1= x + 2 −28 −x3 −2x2 − x 43 2x2 +5x −1 − 42 −2x2 −4x −2 1 x −3 In general for every a, b ∈ Z In general for every p(x),q(x) ∈ Z[x] with deg(p) ≥ deg(q) we find with a ≥ b we find s, r ∈ Z s(x), r(x) ∈ Z[x] with deg(s) < deg(p) and deg(r) < deg(q) such that with |s| < |a| and |r| < |b| k · p(x)= s(x) · q(x)+ r(x), with k ∈ Z. such that a = s · b + r. Observe that k guarantees integer division for the coefficients (e.g. x2 +1 is not divisible by 2x + 1 in Z, but 4x2 + 4 is). Such a k always exists!

Modular Arithmetic Recall: 323 ≡ 1(mod 7). Similarly we can write x3 + 4x2 + 6x − 1 ≡ x − 3(mod x2 + 2x + 1) The modulo operation divides Given a polynomial p(x) ∈ Z[x], the modulo p(x) operation induces Z into a finite number of residue classes on Z[x]. We denote the set of all residue classes modulo residue classes, e.g., for mod n: p(x) by Z[x]/p(x). It contains one residue class for each polynomial in Zn = {0, 1,...,n − 1} Z[x] of degree less then p(x). These are, however, infinitely many!.

Irreducibility p ∈ Z is prime if it is only di- p(x) ∈ Z[x] is called irreducible if it is only divisible by p(x) and the 0 2 visible by 1 and p. trivial polynomial a0x = a0 ∈ Z. E.g., x + 1 is irreducible in Z[x].

vi Polynomials over Finite Fields As mentioned earlier we can construct polynomials over arbitrary rings and therefore also fields. We will now look at the residue class construction for polynomials over finite fields. While the following could be done with any finite field of the form Fp, where p is a prime number, we will restrict ourselves to the finite field F2, in which we are most interested in. Recall that F2 = (Z2, +, ·), i.e. contains only the elements 0 and 1. We will from now on omit the residue class notation and write 0 and 1 instead of [0]2 and [1]2, respectively! We now define the polynomial ring over F2 as F2[x]. We first have a look at the general polynomial arithmetic in F2[x], which works modulo 2, that is we only have 0 and 1 as coefficients and the addition and multiplication of coefficient is performed modulo 2. We observe this with an example: 2 3 2 Example: Let x + x + 1 and x + x + x be polynomials over F2[x] then we have: (x2 + x + 1) + (x3 + x2 + x)= x3 + 2x2 + 2x +1 = x3 + 1 (x2 + x + 1) · (x3 + x2 + x)= x5 + 2 ∗ x4 + 3 ∗ x3 + 2 ∗ x2 + x = x5 + x3 + x

This also means that we do not need negative coefficients, as x + 1= − x + 1=x − 1= − x − 1 in F2[x]. 4 Modular Arithmetic Let p(x)= x + x + 1 ∈ F2[x]. Then we have (x2 + x + 1) · (x3 + x2 + x)= x5 + x3 + x ≡ x3 + x2(mod x4 + x + 1) To verify this we look at the following polynomial division: x5 +x3 +x /x4 + x +1= x x5 +x2 +x x3 +x2

In a next step we can now define the residue classes for F2[x]/p(x). For simplification we take p(x) to 2 be polynomial of degree 2 first. Thus let p(x)= x + 1 ∈ F2[x]/p(x). We then get four residue classes 2 modulo x + 1, represented by [0], [1], [x], [x + 1], i.e., all polynomials in F2[x] with degree less than 2. We can then construct the following tables for + and ·: 2 2 (F2[x]/(x + 1), +): (F2[x]/(x + 1), ·): + [0] [1] [x] [x + 1] · [0] [1] [x] [x + 1] [0] [0] [1] [x] [x + 1] [0] [0] [0] [0] [0] [1] [1] [0] [x + 1] [x] [1] [0] [1] [x] [x + 1] [x] [x] [x + 1] [0] [1] [x] [0] [x] [1] [x + 1] [x + 1] [x + 1] [x] [1] [0] [x + 1] [0] [x + 1] [x + 1] [0] We can see that, even when we delete the [0] lines in the multiplication table, the group axioms will not hold for ‘·’, as [x + 1] does not have an inverse element. This can be explained by the fact that x2 + 1 is 2 not an irreducible polynomial in F2[x], since it can be factorised into x +1=(x + 1)(x + 1). We recall 2 that for those Zn where n was a prime number we could construct a finite field. If we replace x + 1 by an irreducible polynomial we should therefore also get a finite field. Let’s try instead the polynomial 2 p(x)= x + x + 1, which is indeed irreducible over F2[x]. 2 2 (F2[x]/(x + x + 1), +): (F2[x]/(x + x + 1), ·): + [0] [1] [x] [x + 1] · [0] [1] [x] [x + 1] [0] [0] [1] [x] [x + 1] [0] [0] [0] [0] [0] [1] [1] [0] [x + 1] [x] [1] [0] [1] [x] [x + 1] [x] [x] [x + 1] [0] [1] [x] [0] [x] [x + 1] [1] [x + 1] [x + 1] [x] [1] [0] [x + 1] [0] [x + 1] [1] [x] 2 2 ∗ The two tables demonstrate that both (F2[x]/(x + x + 1), +) and ((F2[x]/(x + x + 1)) , ·) form 2 ∗ 2 commutative groups. [Recall that (F2[x]/(x + x + 1)) = F2[x]/(x + x + 1) \ {[0]}.] We can also 2 ∗ show that the two distributivity laws hold and that therefore ((F2[x]/(x + x + 1)) , +, ·) is a finite field of order 4. This construction demonstrates that for every irreducible polynomial p(x) ∈ F2[x] of degree n, F2[x]/p(x) yields a finite field of order 2n, independent of the concrete choice of p(x). The more general result is:

Theorem 9 For every prime p and every positive integer n there exists one finite field of order Fpn .

vii Finite Fields as Binary Operations What does all this have to do with computer science? Recall that we restricted ourselves to polynomials in p(x) ∈ F2[x]. This means each monomial in p(x) has as coefficient either 1 or 0, i.e. the coefficients are binary. We can therefore straightforwardly translate polynomials of degree d into bit strings of length d + 1 by just taking the coefficients of each monomial. Example: Consider the translation of a polynomial of degree 7 into 8 bits:

x7 +x6 +x4 +x3 +1 1 101 1001

We now can use the operations on the finite field F2n to define operations on bit strings of length n + 1. 3 For brevity we will take our examples from F8 = F2[x]/p(x) with p(x) = x + x + 1 as irreducible polynomial. We first observe that addition on F2n is the same as the xor operation ⊕ on bits. (x2 + x + 1) + (x2 +1) = x Example: 111 ⊕ 101 = 010 While addition does not give us a new operation, we can use multiplication on F8 to define a new bitwise ∗ operation ⊗. First here is the multiplication table for F8: ∗ 2 2 2 2 (F8, ·) [1] [x] [x +1] [x ] [x +1] [x + x] [x + x + 1] [1] [1] [x] [x +1] [x2] [x2 +1] [x2 + x] [x2 + x + 1] [x] [x] [x2] [x2 + x] [x +1] [1] [x2 + x +1] [x2 + 1] [x + 1] [x +1] [x2 + x] [x2 +1] [x2 + x +1] [x2] [1] [x] [x2] [x2] [x +1] [x2 + x +1] [x2 + x] [x] [x2 + 1] [1] [x2 + 1] [x2 +1] [1] [x2] [x] [x2 + x +1] [x +1] [x2 + x] [x2 + x] [x2 + x] [x2 + x +1] [1] [x2 +1] [x +1] [x] [x2] [x2 + x + 1] [x2 + x +1] [x2 +1] [x] [1] [x2 + x] [x2] [x + 1]

The operation b1 ⊗ b2 on 3-bit strings b1, b2 is then defined taking the two polynomials corresponding to b1 and b2, respectively, multiplying them according to the above multiplication table and transforming the result again into a 3-bit string. (x2 + x + 1) · (x2 + 1) ≡ x2 + x (mod x3 + x + 1) Example: 111 ⊗ 101 = 110 Observe that the choice of irreducible polynomial really matters in the definition of ⊗. For instance, if our choice of irreducible polynomial were x3 + x2 + 1 then the example would look like this: (x2 + x + 1) · (x2 + 1) ≡ 1 (mod x3 + x2 + 1) Example: 111 ⊗ 101 = 001 Finally we consider another two, more complex examples, where again the choice of irreducible polyno- mial matters: Example:

(x6 + 1) · (x4 + 1) ≡ x5 + x4 + x3 + x2 +1 (mod x8 + x4 + x3 + x + 1) 01000001 ⊗ 00010001 = 00111101

(x6 + 1) · (x4 + 1) ≡ x5 + x2 +1 (mod x8 + x4 + x3 + x2 + 1) 01000001 ⊗ 00010001 = 00100101 Observe that the bit strings are of length 8, which is a multiple of 4. We can therefore express the above multiplications in terms of hexadecimal numbers, indicated by prefix 0x: 0x41 ⊗ 0x11 = 0x3D and 0x41 ⊗ 0x11 = 0x25

viii 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 16 October, 2009

Mathematics 4 – Matrix Arithmetic

I assume that everyone is familiar with matrices and basic operations on them. This handout should serve as a reminder. Recall that a matrix is a rectangular array of elements. Abstractly a m × n matrix can be displayed as:

a1,1 · · · a1,n . . A =  . · .  a · · · a  m,1 m,n   We will refer to a particular element in the i’s row and j’s column as A[i, j]= ai,j. 1 2 3 1 2 7 Example: A =   is a 4 × 3 matrix. The element a2,3 is 7. 4 9 2 6 0 5   The matrix R =123456789 is a 1 × 9 matrix, or 9-element row vector.   Matrix Addition Given m×n matrices A and B, their sum A+B is the m×n matrix computed by adding corresponding elements (i.e. (A + B)[i, j]= A[i, j]+ B[i, j]). 1 3 0 0 1+0 3+0 1 3 Example: 1 0 + 7 5 = 1+7 0+5 = 8 5         1 2 2 1 1+2 2+1 3 3         Matrix Multiplication Multiplication of two matrices is well-defined only if the number of columns of the left matrix is the same as the number of rows of the right matrix. If A is an m × n matrix and B is an n × p matrix, then their matrix product AB is the m × p matrix (m rows, p columns) given by:

(AB)[i, j]= A[i, 1]B[1, j]+ A[i, 2]B[2, j]+ ... + A[i, n]B[n, j] for each pair i and j.

3 1 1 0 2 (1 · 3 + 0 · 2 + 2 · 1) (1 · 1 + 0 · 1 + 2 · 0) 5 1 Example: · 2 1 = = −1 3 1   (−1 · 3 + 3 · 2 + 1 · 1) (−1 · 1 + 3 · 1 + 1 · 0) 4 2   1 0       Matrix Multiplication over F2 So far we have implicitly assumed that our matrices are defined over the integers. However, we can likewise define matrices with elements from F2. Addition and multiplication are then similarly defined as above with the exception that the operations on the single components are performed modulo 2. 1 0 1 1 0 1 Example: Addition: + = 1 1 0 1 1 0       1 10 11 1+1+1 1 0 Example: Multiplication: 11 01 ·   = 1 + 1 = 0   1     01 01 1 1 1         Similarly, we can define matrices and matrix arithmetic over other fields, in particular over all finite fields of the form F2n .

ix 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 27 October, 2009 Handout 4 Summary of this handout: Block Ciphers continued — Modes of Operation — Cryptomeria

II.1.5 Modes for Block Ciphers In practical use block ciphers are used to encode messages many times longer than the block size of a particular cipher. There are several different ways of applying block ciphers in order to encrypt long messages, which are called Modes of Operation There are five major modes of operation that we will have a closer look at. In the following, let (E, D) be a block cipher with block length n, where E is the encryption and D is the decryption algorithm of the cipher. 34. ECB The Electronic Codebook mode (ECB) corresponds to the “na¨ıve” use of a block cipher. The message M is split into a sequence M1,...,Mt of blocks of the length n that is handled by E. If necessary, the last block is padded, i.e. it is filled up with bits that do not obscure the message, such that its original length can be recovered. The simplest padding is achieved by adding null bits. Each block Mi is then with the same key K. Thus we obtain Ci := EK(Mi) with resulting ciphertexts C1,...,Ct. Encryption and decryption works therefore as follows: Source: Wikipedia Source: Wikipedia

Since every block is encrypted independently the advantage of ECB is that if one block Ci gets corrupted due to unreliable channels, then only one block is affected while all other blocks can still be decrypted. However, the main weakness of ECB is that identical blocks Mi are encrypted to the same ciphertext Ci, which makes the cipher vulnerable. Moreover, there is no protection against deletion or insertion of blocks. Thus Bob has no way of knowing if the message from Alice is complete or that Eve has not inserted something.

29 35. CBC The Cipher Block Chaining mode (CBC) overcomes the problem of unwanted insertion and deletion by adding information on the context of the message. Again, the message M is split into a sequence M1,...,Mt of blocks of length n. Encryption is then performed by the following operations:

C1 = EK(M1⊕IV )

Ci = EK(Mi⊕Ci−1), for i> 1

Note that to start off CBC encryption we need an initial value (or initialisation vector) IV to be passed to the encryption function. The initial value is used to ensure that two encryptions of the same plaintext yield different ciphertexts. IV does not have to be kept secret and is usually transmitted as plaintext together with the ciphertext message. Encryption is shown below: Source: Wikipedia

Decryption is achieved by “xor-ing out” the previous ciphertext from the decrypted message:

M1 = DK (C1)⊕IV

Mi = DK (Ci)⊕Ci−1 for i> 1 Source: Wikipedia

Since each Ci is xor-ed with the next block of the plaintext, a one-bit error in the ciphertext gives not only a one-block error in the corresponding message block but also a one-bit error in the next decrypted plaintext block.

30 36. CFB The Cipher Feedback mode (CFB) uses again an initial value IV to kick off encryption. It encrypts IV with EK and then xor-s the first plaintext block with the result. This yields the first ciphertext block, which is used in the next round of encryption, where it is passed to EK again and the next plaintext block is xor-ed to the result. Encryption thus works as follows:

C1 = EK(IV )⊕M1

Ci = EK(Ci−1)⊕Mi Source: Wikipedia

Observe that the plaintext messages are never actually encrypted directly with EK. This has two effects. Firstly the length of plaintext message blocks does not necessarily have to be the same as the block length n of the cipher. Instead it is allowable to have any plaintext message block length 1 ≤ j ≤ n, since only IV and the resulting ciphertext blocks have to have block size n. Obviously only the relevant j bits have to be sent and the value of j then needs to be known for decryption. Secondly during decryption we only need to reproduce that part of the cipher that has to be “xor-ed out” from the received ciphertext, which can be done with initial value IV and the right encryption function EK alone, i.e., we do not need DK . Decryption works than as follows:

M1 = EK(IV )⊕C1

Mi = EK(Ci−1)⊕Ci Source: Wikipedia

In CFB a one-bit error in the ciphertext causes a one-bit error in the corresponding plaintext block and a block-error in the next decrypted plaintext block, i.e., the opposite of what happens in the CBC mode.

31 37. OFB The Output Feedback mode (OFB) is very similar to CFB with the exception that the result of EK is passed on directly into the encryption of the next block. Thus the encryption depends essentially on the initialisation vector IV only:

O1 = EK (IV ), C1 = O1⊕M1

Oi = EK (Oi−1), Ci = Oi⊕Mi Source: Wikipedia

Decryption again only needs the encryption function EK and the initial value IV :

O1 = EK (IV ), M1 = O1⊕C1

Oi = EK (Oi−1), Mi = Oi⊕Ci Source: Wikipedia

Similar to CFB, OFB mode can work on smaller plaintext block sizes. Since it does not propagate the context by carrying over ciphertexts it has the advantage that a one-bit error in the ciphertext gives only a one-bit error in the decrypted ciphertext. Nevertheless it is immune to deletion or insertion attacks since decryption of plaintext is only successful if performed in sync with the Oi values.

32 38. CTR The Counter mode (CTR) is an even simpler variant of OFB. It generates each block of ciphertext by encrypting successive values of a counter and xor-ing it with the plaintext blocks. The counter can be any simple function that produces a sequence that is guaranteed not to repeat for a long time. However, using an actual counter is the simplest and most popular choice. In the graph below we use a counter together with a Nonce combined for example by xor or concatenation. This results in a non-trivial counter. The expression Nonce stands for “a number that is only used once” and is similar to the initial value IV used in the previous block modes. Encryption can therefore be implemented easily as:

Ci = EK (Counti)⊕Mi Source: Wikipedia

And similarly decryption is implemented as:

Mi = EK (Counti)⊕Ci Source: Wikipedia

CTR has similar properties to OFB in that a one-bit error in a ciphertext block also only results in a one- bit error in the decrypted ciphertext. Moreover, each round of encryption and decryption is independent of the previous round and therefore parallelisation can be used for both types of algorithms. Finally, while it is impossible to recover decryption for CFB if blocks have been lost during message transmission and it is relatively difficult to do for OFB, in CTR error recovery on missing blocks, i.e. decrypting successfully the received part of the message is fairly easy.

Observe that the CFB, OFB, and CTR modes of operation turn a block cipher effectively into a stream cipher since we essentially have an encryption method that on the one hand keeps track of states and on the other hand is independent of the actual plaintext message to transmit. We will have a close look at stream ciphers, nonces and their creation later on in this term.

33 II.1.6 Cryptomeria Cryptomeria (or C2) is a Feistel Cipher derived from DES that is used as an content protection mechanism for some modern multimedia DVDs and was developed by a consortium of IBM, Intel, Matsushita and Toshiba. It has a block size of 64 bit, a key size of 56 bit, and uses 10 rounds of encryption. Its structure and implementation is publicly available, with the exception of a proprietary secret constant, which is essentially an S-Box substitution, that is used in the Feistel function and the key schedule. Here is an overview of the Feistel function. Observe, that the topmost operation is an actual arithmetic plus that adds the two 32 bit numbers of the half block and the round key together. Source: Answers.com

The key schedule for Cryptomeria works as follows: The round key is produced by taking the third 8 bit block of the key K, xor-ing it with the round number, and substituting it in the secret S-Box. The result is then shifted (not cyclically!) 4 bits left and added (again arithmetically) to the right 32 bits of the key. This yields the round key. For the next round the key K is then shifted cyclically left by 9 bits, i.e. K ≪ 9. DVD content encryption is done in four layers of encryption using Cryptomeria in a Cipher Block Chain- ing mode. Copy protection is achieved essentially by the following means:

1. A Media Key Block (MKB) is stored as a file on the disc and contains a very large number of keys. Each licensed DVD player has assigned to it a set of unique device keys that allow it to obtain the Media Key from the MKB and decrypt the audio content. This makes it possible to revoke hacked devices (i.e. a player that has been purpose built or manipulated to crack the cipher).

2. Each medium has a unique media ID given as a bar code in the so called Burst Cutting Area around the disc hub. This ID is used for decryption and prevents bit-wise copying as a different DVD will have a different ID number.

34 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 27 October, 2009

Exercise Sheet 4

Submit via the correct pigeon hole before 30 October, 11am.

14. We define a Feistel cipher that has the following parameters:

• 8-bit plaintext input M, • 4-bit key K, • 2 rounds of encryption,

• Key schedule: K0 = K, Ki = Ki−1 ≪ 1, i = 1, 2,...,

• Feistel function: Ri⊕Ki⊕(Ki ≪ 2).

Encipher the 24 bit plaintext 00110101 10101101 00110111 with key K = 1001 using

(a) the Cipher Block Chaining mode (CBC) with initial value IV = 10101010 (b) the Cipher Feedback mode (CFB) with initial value IV = 10101010

15+15

35 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 27 October, 2009

Programming Exercise 1

Implement the exercises in a programming language of your choice. The only requirement is that the program should be runnable on the Linux machines in the department. Include sufficient explicit output into your program so I can convince myself that the encryption actually works. Submit the source of your program with included comments how to run it and your student ID number by 13 November, 11am via Moodle (https://moodle.cs.bham.ac.uk/). Also include a file that contains the requested answers (not the full verbose output!) in ASCII format.

15. Programming Exercise. Consider the following miniature version of Rijndael: Block size and key size is 12 bits and both state and key matrix are 2 × 2 matrices with 3 bit entries. Arithmetic 3 operations are performed in F23 with respect to the irreducible polynomial p(x)= x + x + 1. We customise the encryption operations as follows:

SubBytes In the first step take the inverse of the input in F23 and then perform the transformation with the inverse matrix of the matrix used in SubBytes:

y0 1 0 0 x0 1 y = 1 1 0 · x + 0  1    1   y2 0 1 1 x2 1         ShiftRows Cyclically shift the lower row one left. MixColumns Perform the transformation for i = 0, 1:

b 0x03 0x07 a 0,i = · 0,i b 0x04 0x03 a  1,i    1,i While the AddRoundKey function stays the same, for the key schedule perform each operation with a byte lengths of 3 bits, i.e., each Wi is of lengths 3 bits. Replace the rotation operation by i 3 T := W4i−1 ≪ 2 and compute the round constant as RCi = x (mod x + x + 1). For encryption perform 6 rounds of the above algorithm and apply your program to the following messages and keys:

(a) M = 011111010010, K = 001100100001 (b) M = 001010101101, K = 001101100011 (c) M = 101011110010, K = 000100110000 (d) M = 011011001100, K = 001110100111 (e) M = 011101101111, K = 001101101100 (f) M = 000010001001, K = 001100100001 (g) M = 110100010110, K = 001101100011 (h) M = 110101101011, K = 000100110000 (i) M = 011101100100, K = 001110100111 (j) M = 110101100001, K = 001101101100

[For debugging purposes I will provide a set of plaintext/key pairs with the resulting ciphertexts soon.] 100

36 77 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 30 October, 2009

Solutions for Exercise Sheet 4

14. (a) We encipher the message M1kM2kM3 = 00110101 10101101 00110111 with CBC: IV ⊕M1 = 10101010⊕00110101 = 10011111 Round 0: L0 = 1001 R0 = 1111 R0⊕K0⊕(K0 ≪ 2) = 1111⊕1001⊕0110 = 0000   L0⊕0000 = 1001⊕0000 = 1001 EK(10011111) :   Round 1: L1 = 1111 R1 = 1001  R1⊕K1⊕(K1 ≪ 2) = 1001⊕0011⊕1100 = 0110  L1⊕0110 = 1111⊕0110 = 1001  C1 = 10011001   C1⊕M2 = 10011001⊕10101101 = 00110100 Round 0: L0 = 0011 R0 = 0100 R ⊕K ⊕(K ≪ 2) = 0100⊕1001⊕0110 = 1011  0 0 0  L0⊕1011 = 0011⊕1011 = 1000 EK(00110100) :   Round 1: L1 = 0100 R1 = 1000  R1⊕K1⊕(K1 ≪ 2) = 1000⊕0011⊕1100 = 0111  L1⊕0111 = 0100⊕0111 = 0011  C2 = 00111000   C2⊕M3 = 00111000⊕00110111 = 00001111 Round 0: L0 = 0000 R0 = 1111 R ⊕K ⊕(K ≪ 2) = 1111⊕1001⊕0110 = 0000  0 0 0  L0⊕0000 = 0000⊕0000 = 0000 EK(00001111) :   Round 1: L1 = 1111 R1 = 0000  R1⊕K1⊕(K1 ≪ 2) = 0000⊕0011⊕1100 = 1111  L1⊕1111 = 1111⊕1111 = 0000  C3 = 00000000   C1kC2kC3 = 10011001 00111000 00000000

g (b) We encipher the message M1kM2kM3 = 00110101 10101101 00110111 with CFB: IV = 10101010 Round 0: L0 = 1010 R0 = 1010 R ⊕K ⊕(K ≪ 2) = 1010⊕1001⊕0110 = 0101  0 0 0  L0⊕0101 = 1010⊕0101 = 1111 EK(10101010) :   Round 1: L1 = 1010 R1 = 1111  R1⊕K1⊕(K1 ≪ 2) = 1111⊕0011⊕1100 = 0000  L1⊕0000 = 1010⊕0000 = 1010  EK(IV ) = 10101111  C1 = 10101111⊕M1 = 10101111⊕00110101 = 10011010 Round 0: L0 = 1001 R0 = 1010 R0⊕K0⊕(K0 ≪ 2) = 1010⊕1001⊕0110 = 0101   L0⊕0101 = 1001⊕0101 = 1100 EK(10011010) :   Round 1: L1 = 1010 R1 = 1100  R1⊕K1⊕(K1 ≪ 2) = 1100⊕0011⊕1100 = 0011  L1⊕0011 = 1010⊕0011 = 1001  EK(C1) = 10011100  C2 = 10011100⊕M2 = 10101010⊕10101101 = 00110001 Round 0: L0 = 0011 R0 = 0001 R0⊕K0⊕(K0 ≪ 2) = 0001⊕1001⊕0110 = 1110   L0⊕1110 = 0011⊕1110 = 1101 EK(00110001) :   Round 1: L1 = 0001 R1 = 1101  R1⊕K1⊕(K1 ≪ 2) = 1101⊕0011⊕1100 = 0010  L1⊕0010 = 0001⊕0010 = 0011  EK(C2) = 00111101  C3 = 00111101⊕M3 = 00111101⊕00110111 = 00001010

C1kC2kC3 = 10011010 00110001 00001010

h 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 30 October, 2009 Handout 5 Summary of this handout: Stream Ciphers — RC4 — Linear Feedback Shift Registers — CSS — A5/1

II.2 Stream Ciphers A stream cipher is a symmetric cipher that encrypts the plaintext units one at a time and that varies the transformation of successive units during the encryption. In practise, the units are typically single bits or bytes. In contrast to a block cipher, which encrypts one block and then starts over again, a stream cipher encrypts plaintext streams continuously and therefore needs to maintain an internal state in order to avoid obvious duplication of encryptions. The main difference between stream ciphers and block ciphers is that stream ciphers have to maintain an internal state, while block ciphers do not. Recall that we have already seen how block ciphers avoid duplication and can also be transformed into stream ciphers via modes of operation. Basic stream ciphers are similar to the OFB and CTR modes for block ciphers in that they produce a continuous keystream, which is used to encipher the plaintext. However, modern stream ciphers are computationally far more efficient and easier to implement in both hard- and software than block ciphers and are therefore preferred in applications where speed really matters, such as in real-time audio and video encryption. Before we look at the technical details how stream ciphers work, we recall the One Time Pad, which we have briefly discussed in Handout 1. The One Time Pad is essentially an unbreakable cipher that depends on the fact that the key

1. is as long as the message, and

2. is a truly random sequence of letters that cannot be guessed.

Both points are reasons, why the One Time Pad is unpractical, since one has to constantly exchange new keys and getting true randomness in practise is difficult to achieve. 39. Pseudo-random Generators One idea to overcome this problem is to not use keys that are fully random but keys that only look random. A relatively short string which is truly random is used to compute a larger string which, while of course not being truly random, is as good as being random. This large string is called a pseudo-random string, and it can be used to replace the random key in the One Time Pad. Algorithms that produce pseudo-random strings are called pseudo-random generators (PRG). The short string that initialises a pseudo-random generator is called a seed and takes the place of the secret key for stream ciphers. In overview a stream cipher works like this:

Plaintext ⊕ Ciphertext Key/Seed Pseudo-random Generator Keystream

40. Getting True Randomness The seed for a pseudo-random generator, and keys for symmetric encryption schemes in general, should be as random as possible. One uses for example physical random number generators to get good random- ness. There are some physical sources that are supposed to produce good randomness, but the resulting bits may have a certain bias or some correlation. One usually circumvents this by taking the xor of bits obtained from different such sources. Typical physical sources of randomness include:

• Thermal noise in various electric circuits,

37 • Radioactive decay, • Atmospheric noise. In practise more easily available are events in computer hardware such as • measurement of times between user key-strokes, and • time needed to access different sectors on the hard-disk drive (the air turbulence caused by the spinning disk is supposed to be random). 41. Properties of Pseudo-random Generators One of the most important improper usages of stream ciphers is to re-use the seed and therefore the keystream twice, i.e., to encrypt several messages with the same key. Assume Eve intercepts two en- cryptions C1 = K⊕M1 and C2 = K⊕M2 for two messages M1, M2 with the same key K then she can simply compute the xor of C1 and C2 yielding:

C1⊕C2 = (M1⊕K)⊕(M2⊕K)= M1⊕M2 Thus re-using the key leaks the xor of the actual plaintexts. Assuming that both messages contain ordi- nary text, Eve can use frequency analysis to recover the plaintexts M1 and M2 from M1⊕M2. Thus one has to be careful not to re-use a key when using stream ciphers. There are mainly two methods to realise this: • One might use successive parts of the output stream to encrypt successive messages. This requires synchronisation of the senders and the receivers streams by some means, usually by transmitting its position along with the encrypted message. This has disadvantages if the order of messages is changed in the transmission line or by the protocol. • One might create a new seed for each message that needs to be encrypted. Then one additionally transmits the seed along with the message. Of course, the seed has to be transmitted secretly somehow. This can be done by combining the stream cipher with a block cipher and to transmit the seed enciphered with the block cipher before the actual ciphertext encrypted with the stream cipher. As a consequence it is important that stream ciphers appear random — which can be checked with sta- tistical methods — and have a long period, i.e. can produce a large number of bits before the same keystream is produced again. Generally determining more of the sequence from a part should be compu- tationally infeasible. Ideally, even if one knows the first one billion bits of the keystream sequence, the probability of guessing the next bit correctly should be no better than one half. We now have a look at several pseudo-random generators.

II.2.1 RC4 RC4 is a stream-cipher invented by Ron Rivest in 1987 for RSA Security, which also holds the trademark for it. The source code was originally not released to the public because it was a trade secret, but was posted to a newsgroup some time ago; thus people referred to this version as alleged RC4. Today it is known that alleged RC4 indeed equals RC4. While RC4 does not hold up to most randomness tests, it is considered secure from a practical point of view if one takes certain precautions. It works on bytes instead of bits and can therefore be very efficiently implemented. It is used in many protocols such as SSL/TLS and 802.11b WEP. RC4 consists of two phases: an initialisation phase, which can also be understood as a key schedule, and a keystream generation phase. Its main data structure is an array S of 256 bytes. The array is initialised to the identity before any output is generated, i.e., the first cell is initialised with 0, the second with 1 and so on. Then the cells are permuted using a swap operation that depends on the current state and the chosen key K. The key K can be of variable size between 5 and 16 bytes. This keylength is a constant that is exploited during the initialisation algorithm. In pseudo code, the RC4 initialisation phase works as follows:

38 for i := 0 to 255 do S[i] := i end j := 0 for i := 0 to 255 do j := (j + S[i]+K[i mod keylength]) mod 256 swap(S[i],S[j]) end

After initialisation has been completed, the following procedure computes the pseudo-random sequence. For each output byte, new values of the variables i, j are calculated, the corresponding cells are swapped, and the content of a third cell is output. The algorithm looks as follows: i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(S[i],S[j]) output S[(S[i]+S[j]) mod 256] end In the while loop the first line makes sure every array element is used once after 256 iterations; the second line makes the output depend non-linearly on the array; the third line makes sure the array is evolved and modified as the iteration continues; and the fourth line makes sure the output sequence reveals little about the internal state of the array. The generated keystream is then xor-ed with the plaintext byte by byte. Here is a graphical depiction of RC4. Observe that the K here stands for the generated keystream byte and not for the initial key. Source: Wikipedia

Nevertheless we can see that the first output byte depends on the content of 3 cells, only. This property can be used to launch attacks against the cipher, so one usually discards the first 256 bytes of output generated by this algorithm to prevent these attacks.

II.2.2 LFSR Linear Feedback Shift Registers (LFSR) is a pseudo-random generator that is used as a building block for many modern stream ciphers. They can be very efficiently implemented in both hardware and software and constitute a very fast way to produce keystreams. They consist of a shift register, which is a group of single bit cells that shift by one cell at every clock cycle together with a linear function f, called the feedback function, that determines the new incoming bit for the shift register. The function f generally uses some of the bits in the shift register to determine the new input bit. For instance below we have a 4 bit shift register, and the feedback function uses bit 1 and 4 to compute the new input.

39 The process of taking certain bits, but not all bits from a shift register is referred to as tapping. Thus the feedback function f above taps the bits 1 and 4. The sequence of bits tapped from a shift register by a feedback function is also referred to as the tapping sequence. Since normally the feedback function f is a simple xor of the tapped bits, the behaviour of an LFSR is determined by the tapping sequence together with the initial content of the shift register, which serves as seed for the PRG, and thereby as the key for the cipher. As an example take the following 16 bit LFSR with tapping sequence [11, 13, 14, 16]: Source: Wikipedia

42. Properties of LFSRs The main property one is interested in for an LFSR is of course the length of its period, i.e. how long it takes before the same keystream is reproduced. Since during the construction of the LFSR we can only choose the tapping sequence, as the seeds are random, we have to examine the effect of particular tapping sequences on the set of all possible initial states. This is done mathematically via computations in F2. I will only sketch this process here: Let L be a LFSR, then we define

1. the state vector of L for the shift register s with n cells as s = [s1,s2,...,sn], where sn is the highest bit, i.e., the next output bit. s1 is the lowest bit, the one that will be filled with the result of the feedback function in the next step.

n 2. the connection polynomial c(x) ∈ F2[x] as follows: c(x)= cnx + . . . + c1x + 1, where ci is 1 if the ith cell in s is tapped or 0 if it is not tapped. For instance the connection polynomial for the above 16 bit LFSR is x16 + x14 + x13 + x11 + 1. Observe that the trailing 1 does not correspond to a cell in the shift register as we start counting the registers from 1 (i.e., x1) rather then from 0 (i.e., x0).

c1 c2 · · · cn−1 cn 1 0 · · · 0 0   3. a matrix M = 0 1 · · · 0 0  . . . . .   ......     0 · · · 0 1 0      We can now easily express the transitions of the state vector s for L by s = M · s and observe the be- haviour of L given different seeds for s. The properties of L depend strongly on the algebraic properties of the connection polynomial c(x) and reasoning about the security of L or how it could be attacked is done via examining c(x). We will not go into any detail and only have a brief look at two examples how to generate sequences of states. Example: Let L be a 4 bit register with connection polynomial c(x) = x3 + x + 1. Thus we get 1 01 0 1 00 0 M =   We denote the single states s of L by their corresponding integer value and recall 0 10 0 0 01 0     40 that the highest bit is right and the lowest left, e.g., s = [1, 0, 0, 0] is 1 and s = [0, 0, 0, 1] is 8. Observe that for state 0 we will always get the 0 state as a result. We get then the following sequences of states: 1 11 15

3 7 14 8 0 9 4 10 13

12 2 5 6

The sequence can be easily computed using all 16 possible values for s. In the example for s = 8 we get 10 10 0 1 · 0 + 0 · 0 + 1 · 0 + 0 · 1 0 10 00 0 1 · 0 + 0 · 0 + 0 · 0 + 0 · 1 0 M · s =   ·   =   =   01 00 0 0 · 0 + 1 · 0 + 0 · 0 + 0 · 1 0 00 10 1 0 · 0 + 0 · 0 + 1 · 0 + 0 · 1 0                 Example: Let L be a 4 bit register with connection polynomial c(x) = x4 + x + 1. Thus we get 1 00 1 1 00 0 M =   and the following sequences of states: 0 10 0 0 01 0     1 3 7 15 14 13 10 5 0 8 4 2 9 12 6 11

43. Combining multiple LFSRs While LFSR are easy to build they are very insecure in practise. Even for large shift registers with good security properties, there are fairly efficient algorithms to compute the connection polynomial from a sufficiently long keystream. Thus in practise stream ciphers are built by combining multiple LFSRs in a non-linear fashion (i.e., with functions other than simple xor). The picture below illustrates how the output keystreams of n LFSRs are combined with a function F to produce the eventual keystream K. As an example for a non-linear function F consider F (x1,x2,x3) = x1 · x2⊕x1 · x3, where the xi are output bits of three different LFSRs and · is bit-wise and or multiplication in F2. We will discuss two examples of stream ciphers using multiple LFSRs below. Source: Wikipedia

Normally LFSRs are clocked regularly, i.e., for each bit of output they perform one shift. One way of introducing non-linearity is to make shifts dependent on the output of a second LFSR. Or, when combining several LFSRs, to express the clock of a each LFSR as a function in selected bits of the other LFSRs. We will discuss this in more detail for the A5/1 stream cipher.

41 II.2.3 CSS The content scrambling system (CSS) was the old proprietary standard to encrypt multimedia DVDs for copy protection. It is a stream cipher with a 40 bit key and two combined LFSRs and combines these with a fairly complex authentication and key extraction protocols. DVD players contain a CSS decryption module that performs key extraction and unscrambling. In a first step the DVD and the player authenticate each other and check their regional compatibility. (There are 8 different regions for DVDs and players in the world. DVDs released in each region will typically only play on players sold in that region. I.e., a DVD released in the UK “Region 2” would not play on a player sold in the US “Region 1”.) Each player has roughly 400 Player Keys that are used to extract a Disk Key from the DVD, which is in turn used to extract a title key for each individual track. The title key is then used to extract for each single sector a 5 byte sector key, which is stored in bytes 80–84 of a DVD sector. The 40 bits of the sector key are used as seed for the two LFSRs to start the actual decryption process. Each sector key is of the form K0kK1kK2kK3kK4, where each Ki has 8 bits. The pseudo random generator consists of:

15 • a 17 bit LFSR with connection polynomial x + x + 1 and seed 1kK0kK1,

23 20 19 11 • a 25 bit LFSR with connection polynomial x + x + x + x and seed 1kK2kK3kK4, • a combination function that adds every 8 bits of output from the LFSR modulo 256 while observing the carry bit from the previous addition.

seed 8 bits 1kK0kK1 17 bit LFSR add modulo 256 Keystream

1kK2kK3kK4 25 bit LFSR 8 bits 44. Security and Legal Issues In 1999 CSS was successfully re-engineered and is effectively insecure. Copies of the deCSS libraries started appearing on the Internet and Open Source solutions to playback CSS encrypted DVDs where created. However, the CSS licensing agency obtained court injunctions against both people developing deCSS tools as well as web sites distributing the code. Eventually in 2003 the California Supreme Court threw out the last law suit on grounds that deCSS falls under “freedom of speech”. According to the court’s decision it is not legal to offer binary tools to enable illegal copying of protected content, however, it is perfectly legal to develop alternative means to decrypt CSS for legal purposes, such as the replay of legally purchased DVD content, as well as offering source code for others to read and to work on. In 2003 the European Parliament passed the European Directive on Copyright and Related Rights Regu- lations in which the development, provision, and possession of tools, “the sole intended purpose of which is to facilitate the unauthorised removal or circumven- tion of the technical device” is prohibited. As this definition is fairly vague, different member states implemented the directive differ- ently in their respective national legislation. Some went so far as to even outlaw the discussion of how such tools could be built, as they are part of the development process. In the UK legislation the concept “fair dealing” prevents these extremities as working with protected content “for the purposes . . . of research for a non-commercial purpose. . . the purpose of criticism or review . . . does not infringe any copyright in the work provided it is accompanied by a sufficient acknowledgement” Some of the issues debated how digital copyright differs from normal copyright are:

42 Fair Use goes further than just fair dealing. It allows the use of copyright protected material also in commercial context for a number of purposes, such as criticism, parody and in education.

Lifetime of Copyrights is normally limited in order to protect the copyright owner and enable them to earn proceeds for a finite time before their intellectual property will become public domain. An effective, enforceable digital content protection makes copyright effectively infinite.

Liability Issues The focus on who commits a copyright infringement shifts from the actual perpetrators (i.e. the person that illegally copies content) to the tool-maker (i.e. the person providing software to unscramble content). For other copyrighted material, this is not the case: For example a pho- tocopier can easily be abused to mass-copy a copyrighted book. However, no-one would sue the manufacturer of the photocopier. DeCSS is a library that can of course be used for ripping DVDs illegally, but also for playing back legally purchased content.

45. Illegal Primes Since any data on a computer is essentially only a string of binary numbers, it can be represented as a single number. Therefore, any program can simply be published as a single number as well. The C implementation of DeCSS for the Linux operation system was probably the first program to be published as a single, executable decimal number in 2001. Interestingly enough, it turned out that the number representing the program was a prime number. Since it was argued at the time that DeCSS was an illegal means to copyright infringement, DeCSS was the first known instance of a number, whose possession was deemed illegal by some, or simply an illegal prime number. Illegal primes are special instances of illegal numbers that represent some secret which is illegal to possess or distribute. These not only include implementations such as DeCSS but also software product keys, etc. As already mentioned for the AACS controversy, the question is, is it possible to patent a number and enforce that patent by stopping others from using and, in particular, publishing such a number as it might infringe a patent or copyright. Since I can represent any number in different bases (binary, octal, decimal, hexadecimal,. . . ) as well as a combination of other numbers using mathematical operations, would that imply that all representations are illegal? In the particular case of AACS, it can be used with millions of keys. Are all those illegal numbers and can one be prevented from using these numbers? Thinking this through further, illegal numbers have even more implications: One can mathematically show that you can produce an infinite number of primes that represent the “compressed” version of a program. (I put compressed in quotation marks since clearly some of the compressed programs are larger than the uncompressed ones.) This would mean that there is a potentially infinite number of numbers illegal.

II.2.4 A5/1 A5/1 is a stream cipher used in GSM mobile phone communication. It was developed in 1987 in Europe and, while it was initially kept secret, it became public knowledge through leaks and reverse engineering. It is a stream cipher built from three LFSRs with irregular clock cycle, that use a 64 bit secret key (actually only 54 bits are relevant as 10 bits are fixed to 0) and 22 bit publicly available frame number for initialisation. In detail the pseudo random generator consists of:

• a 19 bit LFSR with connection polynomial x19 + x5 + x2 + x + 1 and clock bit 9,

• a 22 bit LFSR with connection polynomial x22 + x + 1 and clock bit 11,

• a 23 bit LFSR with connection polynomial x23 + x15 + x2 + x + 1 and clock bit 11, The output of the LFSRs is simply xor-ed together to compute the keystream. The idea of the clock bits is that a shift register is only shifted if its clock bit is the same as the majority of the three clock bits of the three LFSRs taken together. For example if two clock bits are 0 and one is

43 1 than only those two registers with clock bits 0 will be shifted. Thus in each cycle either two or three registers are shifted. The following graphic illustrates A5/1. Observe that the registers are enumerated starting with 0, thus the clock bits are labelled 8 and 10. Source: Wikipedia

The shift registers are initialised by xor-ing the 64 bit key and the 22 bit frame number step-wise into the originally empty register. This takes 86 cycles. The next 100 cycles are then computed and discarded. Afterwards communication can begin. Call transmission is consists of sequences of bursts, one burst is sent every 4.615 milliseconds and contains 114 bits of information. For each burst A5/1 produces a 114 bit key stream which is xor-ed with the 114 bits before the digital signal is transformed into an audio signal.

44 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 30 October, 2009

Exercise Sheet 5

Submit via the correct pigeon hole before 6 November, 11am.

16. Consider a simplified version of RC4 working with an 8 byte array and 2 byte key. I.e., all the (modulo 256) operations are to be replaced by (modulo 8) operations and the keylength is 2. Given key K[0] = 4 and K[1] = 5 initialise the array S and compute 4 bytes of the output keystream. 12

9 5 2 17. Let L0 be a 10 bit LFSR with connection polynomial c(x) = x + x + x + x + 1 and seed s = [0, 1, 0, 1, 1, 1, 0, 0, 1, 0] and let L1 be a 8 bit LFSR with connection polynomial c(x) = 7 4 x + x + x + 1 and seed s = [1, 0, 0, 1, 0, 1, 1, 0]. Let x0 and x1 be the output bits of L0 and L1, respectively, we construct the keystream by the function (x0 · x1)⊕x0, where ‘·’ is the bit-wise and.

(a) Compute 10 bits of the keystream.

(b) Now let the last bits of LFSR L0 and L1 be the clock bits c0 and c1, respectively. Combine the clock bits by c0⊕c1 and only shift Li if i = c0⊕c1. Compute 10 bits of the keystream.

7+5

18. Take a 4 bit LFSR L with connection polynomial c(x) = x3 + x2 + 1. Compute the possible sequences of states for L. 8

45 99 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 6 November, 2009 Solutions for Exercise Sheet 5

15. We first initialise the array S and compute the key schedule: S := [0, 1, 2, 3, 4, 5, 6, 7] i = 0 : j := (j + S[0] + K[(0mod2)])mod8=(0+0+4)mod8=4 Swap(S[0],S[4]) → S = [4, 1, 2, 3, 0, 5, 6, 7] i = 1 : j := (j + S[1] + K[(1mod2)])mod8=(4+1+5)mod8=2 Swap(S[1],S[2]) → S = [4, 2, 1, 3, 0, 5, 6, 7] i = 2 : j := (j + S[2] + K[(2mod2)])mod8=(2+1+4)mod8=7 Swap(S[2],S[7]) → S = [4, 2, 7, 3, 0, 5, 6, 1] i = 3 : j := (j + S[3] + K[(3mod2)])mod8=(7+3+5)mod8=7 Swap(S[3],S[7]) → S = [4, 2, 7, 1, 0, 5, 6, 3] i = 4 : j := (j + S[4] + K[(4mod2)])mod8=(7+0+4)mod8=3 Swap(S[4],S[3]) → S = [4, 2, 7, 0, 1, 5, 6, 3] i = 5 : j := (j + S[5] + K[(5mod2)])mod8=(3+5+5)mod8=5 Swap(S[5],S[5]) → S = [4, 2, 7, 0, 1, 5, 6, 3] i = 6 : j := (j + S[6] + K[(6mod2)])mod8=(5+6+4)mod8=7 Swap(S[6],S[7]) → S = [4, 2, 7, 0, 1, 5, 3, 6] i = 7 : j := (j + S[7] + K[(7mod2)])mod8=(7+6+5)mod8=2 Swap(S[7],S[2]) → S = [4, 2, 6, 0, 1, 5, 3, 7] Then we compute 4 rounds of keystream output: Round 1 : j := (j + S[1])mod8=(0+2)mod8=2 Swap(S[1],S[2]) → S = [4, 6, 2, 0, 1, 5, 3, 7] Output: S[(S[1] + S[2]) mod 8] = S[(6 + 2) mod 8] = 4 Round 2 : j := (j + S[2])mod8=(2+2)mod8=4 Swap(S[2],S[4]) → S = [4, 6, 1, 0, 2, 5, 3, 7] Output: S[(S[2] + S[4]) mod 8] = S[(1 + 2) mod 8] = 0 Round 3 : j := (j + S[3])mod8=(4+0)mod8=4 Swap(S[3],S[4]) → S = [4, 6, 1, 2, 0, 5, 3, 7] Output: S[(S[3] + S[4]) mod 8] = S[(2 + 0) mod 8] = 1 Round 4 : j := (j + S[4])mod8=(4+0)mod8=4 Swap(S[4],S[4]) → S = [4, 6, 1, 2, 0, 5, 3, 7] Output: S[(S[4] + S[4]) mod 8] = S[(0 + 0) mod 8] = 4

16. (a) We first construct the keystream for L1, since we can reuse the one of L0 from the previous exercise. Again the tapped bits are framed. Register Content Keystream Feedback 1 0 0 1 0 1 1 0 −→ 0 1 1 1 0 0 1 0 1 1 −→ 1 0 0 1 1 0 0 1 0 1 −→ 1 0 0 0 1 1 0 0 1 0 −→ 0 0 0 0 0 1 1 0 0 1 −→ 1 1 1 0 0 0 1 1 0 0 −→ 0 1 1 1 0 0 0 1 1 0 −→ 0 0 0 1 1 0 0 0 1 1 −→ 1 1 1 0 1 1 0 0 0 1 −→ 1 0 0 1 0 1 1 0 0 0 −→ 0 1

x0 0100111010 The combined keystream is then: x1 0110100110 (x0 · x1)⊕x0 0000011000

i [Obviously that is not a very good non-linear function!] (b) Clock bits are doubly framed. Register Content c0 −→Keystream Feedback 0 1 0 1 1 1 0 0 1 0 −→ 0 1 1 0 1 0 1 1 1 0 0 1 −→ 1 0 1 0 1 0 1 1 1 0 0 1 −→ 1 0 0 1 0 1 0 1 1 1 0 0 −→ 0 1 0 1 0 1 0 1 1 1 0 0 −→ 0 1 0 1 0 1 0 1 1 1 0 0 −→ 0 1 1 0 1 0 1 0 1 1 1 0 −→ 0 1 1 1 0 1 0 1 0 1 1 1 −→ 1 1 1 1 0 1 0 1 0 1 1 1 −→ 1 1 1 1 1 0 1 0 1 0 1 1 −→ 1 0

Register Content c1 −→Keystream Feedback 1 0 0 1 0 1 1 0 −→ 0 1 1 0 0 1 0 1 1 0 −→ 0 1 1 1 0 0 1 0 1 1 −→ 1 0 1 1 0 0 1 0 1 1 −→ 1 0 0 1 1 0 0 1 0 1 −→ 1 0 0 0 1 1 0 0 1 0 −→ 0 0 0 0 1 1 0 0 1 0 −→ 0 0 0 0 1 1 0 0 1 0 −→ 0 0 0 0 0 1 1 0 0 1 −→ 1 1 0 0 0 1 1 0 0 1 −→ 1 1

x0 0110000111 The combined keystream is then: x1 0011100011 (x0 · x1)⊕x0 0100000100

0 11 0 1 00 0 17. We get the connection matrix   and the following sequence of states: 0 10 0 0 01 0     0 1 2 5 11 7 14 12 9

8 10 13 3 15 6 4

Here are two example computations for the sequence 1 → 2 → 5:

01 10 1 0 01 10 0 1 10 00 0 1 10 00 1 0   ·   =     ·   =   01 00 0 0 01 00 0 1 00 10 0 0 00 10 0 0                        

j 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 6 November, 2009 Handout 6 Summary of this handout: Cryptographic Hash Functions — Merkle-Damgard˚ — MD4 — MD5 — SHA-1 — Message Authentication Codes — HMAC — CBC-MAC — PMAC As we have seen in the previous handout, when designing key exchange protocols, it is difficult to defend against replay attacks or malicious modification of content. While the use of nonces and timestamps can prevent some of these attacks, this is far from perfect. In particular, they cannot guarantee that the message has not been tampered with. In this handout we will look at some cryptographic techniques that aim to guarantee the authenticity of messages: Cryptographic hash functions and message authentication codes (MACs for short).

II.3 Cryptographic Hash Functions Cryptographic hash functions provide a tool to test the integrity of messages. A cryptographic hash function takes an arbitrarily long message as input and produces, a generally much shorter, fixed length string, called hash value (or simply hash) or fingerprint, as output. Hash functions are used in principle in the following way: Suppose Alice wants to give Bob some means to check if he has received her message intact. She does this by taking a hash function to compute the fingerprint for here message and sends it alongside the (possibly encrypted) message. Upon receiving the message Bob can now use the same hash function as Alice to compute a second hash for the decrypted plaintext and compare his value with the one provided by Alice. Are the values the same, then the message is intact. If the values differ, then Bob knows that the message has been mutilated during transmission. In addition, Alice also wants to avoid that Eve can infer the message from the hash value (e.g., if the message was sent encrypted) or that Mallory can generate and send Bob a different message that has the same hash value as Alice’s original message. In summary, a cryptographic hash function h should have the following properties: 1. The input can be of any length. 2. The output has a fixed length. 3. For any message or string x, h(x) is easy to compute. 4. h is one-way, i.e., it is hard to invert, in the sense that for any y it is computationally infeasible to find an x such that y = h(x) 5. h is collision-free, i.e., for any x it is computationally infeasible to find an x′ such as h(x)= h(x′). 46. One-way Functions A one-way function is one that is easy to compute but hard to invert. Or, in other words, given the output of the function it is difficult to find any input which yields this output. Good candidate one-way functions should be computable in polynomial time, but the best known algorithm to compute their inverse should take at least exponential time. Functions of this nature are, for instance, the prime-factorisation of large integers (multiplication is obviously easy, the factorisation is not) and the discrete logarithm problem. We will learn about these at a later point in the term. But to get an impression what the concept means, we consider a simple example from modular arith- metic. Suppose we know the value c a number is congruent to modulo some n. We are then faced with the problem to find the x such that x ≡ c(mod n) holds. While it is computationally still easy to compute the inverse, i.e., the possible candidate values for x, it is not necessarily easy to deter- mine what the original value of x was. For example, it is easy to compute 17 ≡ 2(mod 3). How- ever, finding the original value for x in x ≡ 2(mod3) is not that straightforward as x can be in {..., −4, −1, 2, 5, 8, 11, 14, 17, 20,...}.

46 47. The Birthday Paradox Obviously no cryptographic hash function can be completely collision free. But we want at least that computing x′ with h(x′) = h(x) should be only possible in exponential time, even when given x and h(x). It is therefore important to know to what extend a function is “collision free”. This is done by reasoning how probable it is that two different values have the same footprint and how related those values can be. While we do not go into the probability theoretical details here, we observe a little example that illustrates how difficult it is to find good, collision free functions.

The birthday paradox states that given a group of 23 (or more) randomly chosen people, the probability is more than 50% that at least two of them will have the same birthday. For 60 or more people, the prob- ability is greater than 99%. Obviously it cannot be 100% unless there are at least 366 people. The full distribution is given on the right. Source: Wikipedia 48. Cryptographic Hash Functions vs. Hash (Table) Functions Cryptographic Hash Functions should not be confused with hash functions used to implement a hash table data structure! The latter are used to map a data object to a value that assigns it a particular place in a hash table for easy storage and retrieval. There is a certain similarity between cryptographic hash functions and hash table functions in that both map long bit strings to small values. However, in general hash table functions are easy to invert and, while a minimum of collisions is desirable, they do not have negative effects as there exist different strategies to deal with them in hash tables.

II.3.1 Merkle-Damgard˚ Construction We will first look at a general methodology to construct hash functions and then discuss some particular examples of hash functions. The Merkle-Damg˚ard construction is a method to extend a fixed size compression function to an arbitrary size compression function. The compression function can either be specially designed for hashing or be built from a block cipher. The Merkle-Damg˚ard approach is to break the input into blocks, and process them one at a time with the compression function, each time combining a block of the input with the output of the previous round. Source: Wikipedia

If the length of the original message is not a multiple of the block size of the compression function f, we apply padding to extend the message length. However, simply padding with 0 bits is a potential security risk, since consider two bit strings of the form 0110 and 011000. If f works with blocks of size 8 then padding both bit strings with 0 would yield the same message and therefore the same result for f. To avoid this, one pads the message with a bit representation of the length of the message, which leads to different hashes in our example and leads to additional security for Bob as he can now also check for the right message length. This method is called Merkle-Damgard˚ strengthening. To harden the hash further the last result is then often fed through a finalisation function g. The finalisa- tion function can have several purposes such as compressing a bigger internal state (the last result) into a smaller output hash size or to guarantee a better mixing and avalanche effect on the bits in the hash sum. The finalisation function is often built by using the compression function.

47 Finally the whole procedure is kicked off by an initialisation value IV (similar to stream ciphers or some modes of operations for block ciphers), which is generally publicly available. The algorithm corresponds to the following operations, where Hi are intermediate hash values.

H1 = f(IV,x1)

Hi = f(Hi−1,xi), i = 2,...,l

H(x) = g(Hl) Source: Wikipedia

II.3.2 Example Hash Functions We have a look at a family of hash functions called the Message Digest algorithms or MD for short and its successors Secure Hash Algorithms or SHA. The algorithms not only vary in block size and number of layers of compression functions but also in speed and security. Generally one can say that the more secure a hash functions is the more time is needed to compute it. Here are some basic facts about some algorithms in the MD/SHA family:

MD4 128-bits hash length, hashes roughly 270 MB per second. Collisions can be found in a matter of seconds. MD5 128-bits hash length, hashes roughly 216 MB per second. Collisions can be found in less than an hour on an ordinary PC. SHA-1 160-bits hash length, hashes roughly 68 MB per second. Has been theoretically broken and a new, not brute-force attack has been published in 2005. However, it is still infeasible in practise.

SHA-256 256-bits hash length, hashes roughly 44.5 MB per second. Still considered secure.

49. Basic Structure of the MD and SHA Algorithms All MD and SHA algorithms are essentially round based, where in each round a different non-linear logical function is used for hashing. Each round in turn is broken down into a number of steps that iter- atively apply the non-linear function of that round. Additionally, depending on round and step, different constants and/or parts of the message block are used during the hashing. The strengthening method is similar to all algorithms. First a 1 bit is appended to signal the end of the message. Then 0 bits are added to pad to a multiple of the block length. Finally the number of bits of the message is added as a separate final block. 50. MD4 We first look at the MD4 algorithm, from which many algorithms in the MD and SHA family are derived. Variants of MD4 are still used in Peer-to-Peer networks to provide unique file identifiers, for instance in the ED2K URI scheme of eMule. MD4 has 3 rounds of 16 steps for hashing message blocks of 512 bit length. Its final hash is 128-bits. I will not go into the gory details of the algorithm but rather present an overview. Throughout its computations MD4 maintains the 128 bit hash state as four chunks of 32 bit words (A,B,C,D). (A,B,C,D) is initialised with a fixed initialisation vector IV and, after hashing one block, is passed as initialisation to the hash function applied to the next block. The message is partitioned into 512 bit blocks, which in turn are broken down into 16 chunks of 32 bits each, M0,...,M15. Each message chunk is used for hashing once in each round, however, the order in which messages are used depends on the round.

48 The three non-linear function F,G,H for rounds 1, 2, 3, respectively, take three 32 bit variables as input and produce a 32 bit output each. In detail the functions are:

F (X,Y,Z) = (X ∧ Y ) ∨ (¬X ∧ Z) G(X,Y,Z) = (X ∧ Z) ∨ (Y ∧¬Z) H(X,Y,Z) = X ⊕ Y ⊕ Z

After the three rounds have been executed the four 32 bit chunks of the initial hash values are added to the resulting hash values and the concatenation of the result is returned as hash. Here is an overview of the algorithm and its first round: (H1,H2,H3,H4) := (A,B,C,D) Round 1 for i := 0 to 15 do t := A + F (B,C,D)+ Mi + K1 (A,B,C,D) := (D,t ≪ si,B,C) end Round 2 for i := 16 to 31 do t := A + G(B,C,D)+ Mz(i) + K2 (A,B,C,D) := (D,t ≪ si,B,C) end Round 3 for i := 32 to 47 do t := A + H(B,C,D)+ Mz(i) + K3 (A,B,C,D) := (D,t ≪ si,B,C)

end Source: Wikipedia (A,B,C,D) := (H1 + A, H2 + B,H3 + C,H4 + D)

Observe that in MD4 several elements vary from round to round or from step to step of the algorithm:

• K1, K2, K3 are three constants of a known, fixed value.

• The operants si of the left rotations vary from step to step. They are odd numbers between 3 and 19.

• z(i) is a function mapping a step value to a value between 0 and 15 in order to select a message. Observe that in the first round z is the identity mapping.

Finally, the addition is on 32 bit numbers or modulo 232. 51. MD5 MD5 is an extension of MD4. It has the same basic parameters, i.e. it works on works on 512 bit message blocks and produces 128 bit hashes. It also uses the same initialisation vector as MD4. But while MD4 operates in 3 rounds, MD5 performs 4 rounds of 16 steps. Rounds one to three are the same as those in MD4, including the constants and rotation operants. Round 4 is of a similar structure as the other rounds, however, it employs a different non-linear function, namely I(X,Y,Z)= Y ⊕ (X ∨¬Z).

Round 4 for i := 48 to 63 do t := A + I(B,C,D)+ Mz(i) + K4 (A,B,C,D) := (D,t ≪ si,B,C) end

49 MD5 is widely used to ensure file integrity for software downloads, in particular for software distribution packages on UNIX systems. It is also used for password storage. The following is an example of MD5 hashes for two simple texts that vary in one letter only (the quotation marks are NOT part of the string and thus do not affect the hash value). We can see the avalanche effect, i.e. how much a small change in the input affects the output hash. MD5(“School of Computer Science”) = 0x27E6E3664889DF33AC499909E886BE19 MD5(“School Of Computer Science”) = 0x1AF64C0CDC566FCFE2101EF221D62B43 52. SHA-1 While MD5 strengthened MD4 by adding one more round of hashing with a new non-linear function, SHA-1 extends the hash size by one more 32 bit block to 160 bit. Although SHA-1 uses 4 rounds of 20 steps each, it can nevertheless be seen as an extension of MD4 since it reuses the MD4’s non-linear functions, F in round 1, G in round 3, and H in rounds 2 and 4. It also reuses the constants and initial value IV of MD4, but extends it by one more 32 bit block. On the other hand SHA-1 has a different approach to using the message blocks. Instead of reusing the same message blocks throughout all steps of the algorithm and only permuting the order of their use, SHA-1 uses the initially 16 blocks of 32 bits to compute another 64 different blocks with the following scheme: for j := 16 to 79 do Xj := ((Xj−3 ⊕ Xj−8 ⊕ Xj−14 ⊕ Xj−16) ≪ 1) end SHA-1 also works with slightly changed permutations and rotations in the actual functions. For example the first round of the algorithm looks like this: Source: Wikipedia

SHA-1 is employed in many applications, such as TSL, SSL, SSH, or BitTorrent. Here is our example text as an SHA-1 hash: SHA-1(“School of Computer Science”) = 0xC413EE5FA5A7F89B30FD576852A76DC5320F142B SHA-1(“School Of Computer Science”) = 0x2202ED5DBE2A59D7F07EB1888D0F99B453F1F757 53. SHA-2 Since SHA-1 will be fully broken in a matter of time, the new generation are the SHA-2 algorithms, which are named after their hash length, e.g., SHA-256, SHA-384, SHA-512. They increase the security by introducing more different bitwise operations as well as working with longer block sizes.

II.3.3 Building Hashes from Block Ciphers We can also construct hash functions from block ciphers. We will have a brief look at three of these schemes, all of which use a constant public initial value IV to kick off hashing. In addition some of

50 the schemes employ a function to compute keys from message blocks. In the following let E be the encryption function of an n-bit block cipher. And let g be a function that maps n-bit inputs to keys.

Davies-Meyer Matyas-Meyer-Oseas Miyaguchi-Preneel

H0 = IV H0 = IV H0 = IV − Hi = Emi (Hi−1) ⊕ Hi−1 Hi = Eg(Hi−1)(mi) ⊕ mi Hi = Eg(Hi−1)(mi) ⊕ Hi 1 ⊕ mi Source: Wikipedia Source: Wikipedia Source: Wikipedia 54. Example An example of a hash function built from a block cipher is Whirlpool. It is based on a modified version of the AES block cipher and computes a 512-bit hash from 2256 bits input. It hashes roughly 12.1 MB per second.

II.4 Message Authentication Codes (MAC) A message together with its fingerprint computed by a cryptographic hash function, ensures that data has not been tampered with during transmission if Bob can successfully recompute the same hash value Alice has attached to her message. However, using a hash function in this way requires the hash value itself to be protected in some way, as otherwise the hash itself could be tampered with. To avoid this problem one can use a form of keyed hash function called a message authentication code, or MAC. This is a symmetric key algorithm where both Alice and Bob need to share a key. Alice can then protect the integrity of her message by sending the keyed MAC that only Bob can reproduce from the message. For a message M and a key K we denote the MAC value by MACK (M). The message from Alice to Bob is then of the form MkMACK (M) We do not assume that the message M is encrypted. In fact, if Alice and Bob want to keep the message secret as well, they can send a MAC for the ciphertext C rather than the message:

CkMACK(C)

′ Note that the MAC key K can be different from the encryption key K used in EK′ = C. There are various ways to build MACs from hash functions or from block ciphers. We will have a look at three of them.

II.4.1 HMAC HMAC is a method to build MACs from a hash function. Let h be the hash function that operates on block length n, where the length of key K is less or equal to n. We also have two publicly known padding constants P1 and P2 both of length n. An HMAC is then computed by:

HMACK (M)= h (K ⊕ P1)kh (K ⊕ P2)kM , !   This method looks awfully complicated. However, just concatenating the key and the message and then applying the hash function to it can be easily broken if the hash function is known and the message is sent plaintext.

51 II.4.2 CBC-MAC CBC-MAC is a method to build a MAC from a block cipher using the Code Book Chaining mode of operation. It produces an m-bit MAC from an n-bit block cipher, where m ≤ n by

1. padding M to be divisible into n-bit blocks, 2. encrypt M with the block cipher in CBC mode with initial value 0, 3. take the final block as MAC.

Schematically the CBC-MAC method works as follows: Source: Wikipedia

II.4.3 PMAC The problem with CBC-MAC is that it needs to encrypt the entire message with a computationally expensive block cipher before we obtain the MAC both when sending the MAC and when verifying it. While this is very secure, it is also rather slow. The PMAC method addresses this problem by introducing parallelisation. PMAC makes use of the following components:

• The message M = M1kM2k . . . kMr−1kMr partitioned into r blocks of size n. • Two keys K and L • A special efficient function P that takes K and the block number 1 ≤ i ≤ r and computes K ⊗ xi in a finite field of order 2n. Here n is the block size of the block cipher and K is viewed as a polynomial of order at most n.

• We compute bi := E(K, Mi ⊕ P (K, i)) for i = 1,...,r.

• Finally we compute PMAC = E(L, b1 ⊕ . . . ⊕ br). In overview PMAC looks like this:

M1 M2 . . . Mr−1 Mr

P (K, 1) ⊕ P (K, 2) ⊕ P (K, r − 1) ⊕ P (K, r) ⊕

K E K E K E K E

⊕

L E result One can show for PMAC that the MAC function is as secure as the underlying block cipher used. 55. Other MACs Various other approaches of constructing MACs for arbitrary length messages from block ciphers or hashes include UMAC, OMAC, CMAC.

52 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 6 November, 2009

Exercise Sheet 6

Submit via the correct pigeon hole before 20 November, 12pm.

19. Consider the MD5 functions:

F (X,Y,Z) = (X ∧ Y ) ∨ (¬X ∧ Z) G(X,Y,Z) = (X ∧ Z) ∨ (Y ∧¬Z) H(X,Y,Z) = X ⊕ Y ⊕ Z I(X,Y,Z) = Y ⊕ (X ∨¬Z)

Apply each function to the following arguments:

(a) X := 1010, Y := 1011, Z := 1110, (b) X := 0011, Y := 0101, Z := 0001,

8

20. Perform hashing with an adapted SHA1-like hash function:

(X0, X1, X2, X3) := (M0, M1, M2, M3) for i := 4 to 7 do Xi := (Xi−1⊕Xi−4) ≪ 1 end (H1,H2,H3,H4) := (A,B,C,D) for i := 0 to 7 do t := A + F (B,C,D)+ Xi (A,B,C,D) := (D,t ≪ i,B,C) end (A,B,C,D) := (H1 + A, H2 + B,H3 + C,H4 + D)

Assume that we compute a 16 bit hash, i.e., A,B,C,D are 4 bit words, F takes three 4 bit argu- ments and the message blocks are 16 bits partitoned into 4 bit chunks. Consequently the Xi, i = 0,..., 7 are 4 bit words. Addition is modulo 24. Initially let (A,B,C,D) = (0x2, 0x5, 0x9, 0xD). Compute the 16 bit hash for the 32 bit message given as hexadecimal number 0xFAB1756E. 24

53 1111 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 20 November, 2009

Solutions for Exercise Sheet 6

F (1010, 1011, 1110) G(1010, 1011, 1110) X 1010 X 1010 Y 1011 Y 1011 Z 1110 Z 1110 18. (a) X ∧ Y 1010 X ∧ Z 1010 ¬X 0101 ¬Z 0001 ¬X ∧ Z 0100 Y ∧¬Z 0001 (X ∧ Y ) ∨ (¬X ∧ Z) 1110 (X ∧ Z) ∨ (Y ∧¬Z) 1011 I(1010, 1011, 1110) H(1010, 1011, 1110) X 1010 X 1010 Y 1011 Y 1011 Z 1110 Z 1110 ¬Z 0001 X⊕Y ⊕Z 1111 X ∨¬Z 1011 Y ⊕(X ∨¬Z) 0000 F (0011, 0101, 0001) G(0011, 0101, 0001) X 0011 X 0011 Y 0101 Y 0101 Z 0001 Z 0001 (b) X ∧ Y 0001 X ∧ Z 0001 ¬X 1100 ¬Z 1110 ¬X ∧ Z 0000 Y ∧¬Z 0100 (X ∧ Y ) ∨ (¬X ∧ Z) 0001 (X ∧ Z) ∨ (Y ∧¬Z) 0101 I(0011, 0101, 0001) H(0011, 0101, 0001) X 0011 X 0011 Y 0101 Y 0101 Z 0001 Z 0001 ¬Z 1110 X⊕Y ⊕Z 0111 X ∨¬Z 1111 Y ⊕(X ∨¬Z) 1010

19. M0|M1|M2|M3|M4|M5|M6|M7 := 0xF |0xA|0xB|0x1|0x7|0x5|0x6|0xE (A,B,C,D) := (0x2, 0x5, 0x9, 0xD) Block 1: (X0, X1, X2, X3):=(M0, M1, M2, M3) = (0xF, 0xA, 0xB, 0x1) X4 := (X3⊕X0) ≪ 1 = (0x1⊕0xF ) ≪ 1 = 0xD X5 := (X4⊕X1) ≪ 1 = (0xD⊕0xA) ≪ 1 = 0xE X6 := (X5⊕X2) ≪ 1 = (0xE⊕0xB) ≪ 1 = 0xA X7 := (X6⊕X3) ≪ 1 = (0xA⊕0x1) ≪ 1 = 0x7 (H1,H2,H3,H4) = (0x2, 0x5, 0x9, 0xD)

k Step 0: Step 4: F (0101, 1001, 1101) F (0111, 0010, 0001) X 0101 X 0111 Y 1001 Y 0010 Z 1101 Z 0001 X ∧ Y 0001 X ∧ Y 0010 ¬X 1010 ¬X 1000 ¬X ∧ Z 1000 ¬X ∧ Z 0000 (X ∧ Y ) ∨ (¬X ∧ Z) 1001 (X ∧ Y ) ∨ (¬X ∧ Z) 0010 t := A + F (B,C,D)+ X0 = 0x2 + 0x9 + 0xF = 0xA t := A + F (B,C,D)+ X4 = 0xA + 0x2 + 0xD = 0x9 (A,B,C,D):=(D,t≪0,B,C):=(0xD, 0xA, 0x5, 0x9) (A,B,C,D):=(D,t≪4,B,C):=(0x1, 0x9, 0x7, 0x2) Step 1: Step 5: F (1010, 0101, 1001) F (1001, 0111, 0010) X 1010 X 1001 Y 0101 Y 0111 Z 1001 Z 0010 X ∧ Y 0000 X ∧ Y 0001 ¬X 0101 ¬X 0110 ¬X ∧ Z 0001 ¬X ∧ Z 0010 (X ∧ Y ) ∨ (¬X ∧ Z) 0001 (X ∧ Y ) ∨ (¬X ∧ Z) 0011 t := A + F (B,C,D)+ X1 = 0xD + 0x1 + 0xA = 0x8 t := A + F (B,C,D)+ X5 = 0x1 + 0x3 + 0xE = 0x2 (A,B,C,D):=(D,t≪1,B,C):=(0x9, 0x1, 0xA, 0x5) (A,B,C,D):=(D,t≪5,B,C):=(0x2, 0x4, 0x9, 0x7) Step 2: Step 6: F (0001, 1010, 0101) F (0100, 1001, 0111) X 0001 X 0100 Y 1010 Y 1001 Z 0101 Z 0111 X ∧ Y 0000 X ∧ Y 0000 ¬X 1110 ¬X 1011 ¬X ∧ Z 0100 ¬X ∧ Z 0011 (X ∧ Y ) ∨ (¬X ∧ Z) 0100 (X ∧ Y ) ∨ (¬X ∧ Z) 0011 t := A + F (B,C,D)+ X2 = 0x9 + 0x4 + 0xB = 0x8 t := A + F (B,C,D)+ X6 = 0x2 + 0x3 + 0xA = 0xF (A,B,C,D):=(D,t≪2,B,C):=(0x5, 0x2, 0x1, 0xA) (A,B,C,D):=(D,t≪6,B,C):=(0x7, 0xF, 0x4, 0x9) Step 3: Step 7: F (0010, 0001, 1010) F (1111, 0100, 1001) X 0010 X 1111 Y 0001 Y 0100 Z 1010 Z 1001 X ∧ Y 0000 X ∧ Y 0100 ¬X 1101 ¬X 0000 ¬X ∧ Z 1000 ¬X ∧ Z 0000 (X ∧ Y ) ∨ (¬X ∧ Z) 1000 (X ∧ Y ) ∨ (¬X ∧ Z) 0100 t := A + F (B,C,D)+ X3 = 0x5 + 0x8 + 0x1 = 0xE t := A + F (B,C,D)+ X7 = 0x7 + 0x4 + 0x7 = 0x2 (A,B,C,D):=(D,t≪3,B,C):=(0xA, 0x7, 0x2, 0x1) (A,B,C,D):=(D,t≪7,B,C):=(0x9, 0x1, 0xF, 0x4)

(A,B,C,D) := (A+H1,B+H2,C +H3, D+H4) := (0x9+0x2, 0x1+0x5, 0xF +0x9, 0x4+ 0xD) := (0xB, 0x6, 0x8, 0x1) Block 2: (X0, X1, X2, X3):=(M4, M5, M6, M7) = (0x7, 0x5, 0x6, 0xE) X4 := (X3⊕X0) ≪ 1 = (0xE⊕0x7) ≪ 1 = 0x3 X5 := (X4⊕X1) ≪ 1 = (0x3⊕0x5) ≪ 1 = 0xC X6 := (X5⊕X2) ≪ 1 = (0xC⊕0x6) ≪ 1 = 0x5 X7 := (X6⊕X3) ≪ 1 = (0x5⊕0xE) ≪ 1 = 0x7 (H1,H2,H3,H4) = (0xB, 0x6, 0x8, 0x1)

l Step 0: Step 4: F (0110, 1000, 0001) F (0011, 0001, 0000) X 0110 X 0011 Y 1000 Y 0001 Z 0001 Z 0000 X ∧ Y 0000 X ∧ Y 0001 ¬X 1001 ¬X 1100 ¬X ∧ Z 0001 ¬X ∧ Z 0000 (X ∧ Y ) ∨ (¬X ∧ Z) 0001 (X ∧ Y ) ∨ (¬X ∧ Z) 0001 t := A + F (B,C,D)+ X0 = 0xB + 0x1 + 0x7 = 0x3 t := A + F (B,C,D)+ X4 = 0x3 + 0x1 + 0x3 = 0x7 (A,B,C,D):=(D,t≪0,B,C):=(0x1, 0x3, 0x6, 0x8) (A,B,C,D):=(D,t≪4,B,C):=(0x0, 0x7, 0x3, 0x1) Step 1: Step 5: F (0011, 0110, 1000) F (0111, 0011, 0001) X 0011 X 0111 Y 0110 Y 0011 Z 1000 Z 0001 X ∧ Y 0010 X ∧ Y 0011 ¬X 1100 ¬X 1000 ¬X ∧ Z 1000 ¬X ∧ Z 0000 (X ∧ Y ) ∨ (¬X ∧ Z) 1010 (X ∧ Y ) ∨ (¬X ∧ Z) 0011 t := A + F (B,C,D)+ X1 = 0x1 + 0xA + 0x5 = 0x0 t := A + F (B,C,D)+ X5 = 0x0 + 0x3 + 0xC = 0xF (A,B,C,D):=(D,t≪1,B,C):=(0x8, 0x0, 0x3, 0x6) (A,B,C,D):=(D,t≪5,B,C):=(0x1, 0xF, 0x7, 0x3) Step 2: Step 6: F (0000, 0011, 0110) F (1111, 0111, 0011) X 0000 X 1111 Y 0011 Y 0111 Z 0110 Z 0011 X ∧ Y 0000 X ∧ Y 0111 ¬X 1111 ¬X 0000 ¬X ∧ Z 0110 ¬X ∧ Z 0000 (X ∧ Y ) ∨ (¬X ∧ Z) 0110 (X ∧ Y ) ∨ (¬X ∧ Z) 0111 t := A + F (B,C,D)+ X2 = 0x8 + 0x6 + 0x6 = 0x4 t := A + F (B,C,D)+ X6 = 0x1 + 0x7 + 0x5 = 0xD (A,B,C,D):=(D,t≪2,B,C):=(0x6, 0x1, 0x0, 0x3) (A,B,C,D):=(D,t≪6,B,C):=(0x3, 0x7, 0xF, 0x7) Step 3: Step 7: F (0001, 0000, 0011) F (0111, 1111, 0111) X 0001 X 0111 Y 0000 Y 1111 Z 0011 Z 0111 X ∧ Y 0000 X ∧ Y 0111 ¬X 1110 ¬X 1000 ¬X ∧ Z 0010 ¬X ∧ Z 0000 (X ∧ Y ) ∨ (¬X ∧ Z) 0010 (X ∧ Y ) ∨ (¬X ∧ Z) 0111 t := A + F (B,C,D)+ X3 = 0x6 + 0x2 + 0xE = 0x6 t := A + F (B,C,D)+ X7 = 0x3 + 0x7 + 0x7 = 0x1 (A,B,C,D):=(D,t≪3,B,C):=(0x3, 0x3, 0x1, 0x0) (A,B,C,D):=(D,t≪7,B,C):=(0x7, 0x8, 0x7, 0xF )

(A,B,C,D) := (A+H1,B+H2,C+H3, D+H4) := (0x7+0xB, 0x8+0x6, 0x7+0x8, 0xF + 0x1) := (0x2, 0xE, 0xF, 0x0) The final hashvalue is 0x2EF 0

m 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 10 November, 2009 Handout 7 Summary of this handout: Key Exchange Protocols — Wide-Mouth Frog — Needham-Schroeder — Kerberos — Otway-Rees — Some Cryptanalysis Techniques — Overview on Passive and Active Attacks

II.5 Key Exchange Protocols For the symmetric ciphers discussed so far we have assumed that both sender and receiver are familiar with the key used for encryption and decryption. In practise, however, exchanging and maintaining keys is a major issue. In particular, in the situation where many users want to communicate over an insecure network (e.g., the Internet), it is important that shared keys are exchanged in a manner that is private and integrity-assured. Moreover, we need to be able to establish ad hoc communications between participants unknown to each other. This is achieved by means of key exchange protocols Some of the important aspects for key maintenance are:

Key Lifetime The longer a key is used the more vulnerable the communication. Keys therefore have to be renewed frequently and old keys have to be properly destroyed.

Key Security Keys should never be reused and should be chosen as randomly as possible in order to increase security. Key reuse is theoretically not a problem. Suppose we take Rijndael in its eas- iest form, i.e., with keylength of 128 bits, then even if we would have used one new key every nanosecond since the beginning of the universe (which is assumed to be 234 years old), we still would have 286 keys left. Although we can assume that the security of a cipher does not depend on the particular choice of key, i.e., all keys lead to an equally secure cipher, it is nevertheless important that the key is random and can therefore not be easily guessed. [See point 39 below.]

Key Distribution The most vulnerable part of key management is the actual exchange of keys. The main idea of symmetric key exchange protocols is that one uses a trusted third party. Both Alice and Bob only share a permanent key only with this trusted third party, which then produces session keys that are distributed to Alice and Bob and used for their subsequent communication. We will discuss some of the key exchange protocols in this handout.

56. Aside: Non-linear Keyspaces Most ciphers are designed such that they provide full security no matter what the secret key is. However, occasionally one might want to design a cipher that behaves differently, in that it is secure only for some keys in the space of all possible keys, while it is deliberately defined to be weak for other keys. Such keyspaces are called non-linear. If a user is unaware which keys make the cipher secure and which leave it weak, the cipher designer can use this knowledge as a back door. The NSA is known to have defined ciphers that had non-linear keyspaces. 57. New People Involved We need some new players in our game of Cryptography:

Trent A trusted third party that is often central to symmetric key exchange. For example, this can be an authentication server or an Internet service provider.

Mallory A malicious attacker, who can modify messages, substitute her own messages, replay old mes- sages, and so on. Unlike defending against Eve, who can only eavesdrop, securing a system against Mallory is much harder.

54 58. Notation Recall, that the main idea of the symmetric key exchange protocols is that both Alice and Bob only share a permanent key with Trent and get a unique session key issued by Trent for communication. In order to establish this session key, however, we will need additional information that is to be exchanged. Here is an overview of the concepts we will use for defining the protocols: A Alice’s name. B Bob’s name. T Trent’s name. EA Encryption with a key Trent shares with Alice. EB Encryption with a key Trent shares with Bob. K The session key produced by Trent for communication between Bob and Alice. EK Encryption with the session key K. I An index number. SA,SB,ST A timestamp issued by Alice, Bob, or Trent, respectively. L The lifetime of timestamps. NA, NB A nonce chosen by Alice or Bob, respectively. M An additional nonce. In addition, we have to denote the direction of message passing. We will for instance write A → B when a message is sent from Alice to Bob or T → A if Trent sends a message to Alice. For the definition of protocols we will employ the notation we have used so far during the handouts. Since our notation varies somewhat from the notation for cryptographic protocols used in many textbooks and research papers here is a brief comparison. If we write

A −→ B : SAkAkEK(BkNAkM)

which means that Alice sends Bob the concatenation of a timestamp, Alice’s name, and Bob’s name, a nonce and the plaintext encrypted with Alice’s and Bob’s shared key. One can express this in security protocol notation as A −→ B : SA, A, {B, NA, M}K

where {M}K means everything inside the curly brackets is encrypted with key K.

II.5.1 Wide-Mouth Frog Wide-mouth frog is a very simple protocol that transfers a key K from Alice to Bob via Trent, using only two messages. It uses timestamps to synchronise clocks between the parties involved, which makes it often difficult to implement. In addition the protocol relies on Alice to choose the session key K and then transports this key over to Bob. This implies that Bob trusts Alice to be competent in making secure keys and keeping them secret. This is a very strong assumption and the main reason that this protocol is not used much in real life. However, it is very simple and gives a good example of how protocols are described.

Trent

1:AkEA(SAkKkB) 2:EB(ST kKkA)

Alice Bob

55 First Alice sends her name together with an encrypted timestamp and session key to Trent.

A −→ T : AkEA(SAkKkB)

On obtaining the first message Trent decrypts the last part and checks that the timestamp is recent. This decrypted message tells Trent he should forward the key to Bob. If the timestamp is verified to be recent, Trent encrypts the key along with his timestamp and passes this encryption to Bob.

T −→ B : EB(ST kKkA)

On obtaining this message Bob decrypts it and checks if the timestamp is recent, then he can recover both the key K and the name of Alice, i.e., the person who wants to send data to him using this key. Observe that the concept of “recent” is left open for interpretation!

II.5.2 Needham-Schroeder In Needham-Schroeder Alice initiates the communication directly with Bob, but first obtains the rele- vant information and session key K from Trent. During the key exchange nonces are used to ensure authenticity of messages:

Trent

1:AkBkNA

2:EA(NAkKkBkEB(KkA))

3:EB(KkA)

4:EK(NB) Alice Bob 5:EK(NB − 1)

First Alice sends a message to Trent identifying herself and Bob, telling Trent she wants to communicate with Bob: A −→ T : AkBkNA Trent generates K and sends back to Alice two copies of the key. One decipherable by Alice and one encrypted with EB for Alice to forward to Bob. Since Alice may be requesting keys for several different people, the nonce NA assures Alice that the message is fresh and that Trent is replying to that particular message and the inclusion of Bob’s name tells Alice who she is to share this key with:

T −→ A : EA(NAkKkBkEB(KkA))

Alice forwards the key to Bob who can decrypt it with the key he shares with Trent, thus authenticating the data: A −→ B : EB(KkA) Bob needs to check that the third message was not a replay. So he needs to know if Alice is still alive, hence, in the fourth message he encrypts a nonce back to Alice:

B −→ A : EK(NB)

Alice performs a simple operation on the nonce, re-encrypts it and sends it back verifying that she is still alive and that she holds the key: A −→ B : EK(NB − 1)

56 Since Alice and Bob have their secret session key generated by Trent neither needs to trust the other to produce secure keys. They of course trust Trent to generate secure keys since everyone trusts Trent. In some applications this last assumption is not valid and more involved algorithms, such as public key algorithms, are required. We will get to public key cryptography later in this lecture. The main problem with the NeedhamSchroeder protocol is that Bob does not know that the key he shares with Alice is fresh, a weakness which can be exploited for an attack as we will see later. This weakness has been avoided in the Kerberos protocol.

II.5.3 Kerberos Kerberos is a variant of Needham-Schroeder that uses timestamps of a limited lifetime instead of nonces. It was developed 1987 at MIT and is now widely used in many applications such as Secure Shell or Windows 2000. Kerberos works with a network of clients and servers (i.e., Trents). Clients log into the server to obtain a session key for EA and can then initiate communications or obtain secure access to resources.

Trent

1:AkB

2:EA(ST kLkKkBkEB(ST kLkKkA))

3:EB(ST kLkKkA)kEK(AkSA)

Alice 4:EK(SA + 1) Bob

If Alice wishes to communicate with Bob (or access the resource Bob), she asks Trent to initiate com- munication with Bob: A −→ T : AkB

If Trent allows this access then a ticket is created consisting of the session key K, a timestamp ST together with its lifetime L. Alice gets two versions of this ticket: one encrypted with its own key and one encrypted with Bob’s key used to authenticate subsequent communication with Bob:

T −→ A : EA(ST kLkKkBkEB(ST kLkKkA))

Then Alice wants to verify that the ticket is valid and that Bob is alive. Hence, she sends an encrypted timestamp SA to Bob: A −→ B : EB(ST kLkKkA)kEK(AkSA)

Bob sends back the encryption of SA + 1, after checking that the timestamp SA is recent, thus proving he knows the key and is alive: B −→ A : EK(SA + 1) We can observe that all authentication messages are marked with the names of the respective communica- tion partner, either A or B. This enables the parties involved to initiate or reply to several communication requests from different parties without confusion. The security of Kerberos relies heavily on timestamps and lifetime L as reliable indicators of the fresh- ness of a communication.

57 II.5.4 Otway-Rees As opposed to all protocols discussed so far, in the Otway-Rees protocol communication is initiated by Alice via contacting Bob who then gets the session key from Trent. The protocol itself uses nonces to flag that encrypted messages are recent similar to Needham-Schroeder. In addition a nonce M is used to flag that the current set of communications are linked.

Trent

3:MkEA(NAkK)kEB(NBkK)

2:MkAkBkEA(MkAkBkNA)kEB(MkAkBkNB )

1:MkAkBkEA(MkAkBkNA)

Alice 4:MkEA(NAkK) Bob

Alice initiates the communication by sending Bob the general message nonce M, her name, Bob’s name and another copy of this message together with a specific nonce NA encrypted with EA:

A −→ B : MkAkBkEA(MkAkBkNA)

Bob then adds its own encryption of the message with its own nonce NB and sends it for authentication to Trent: B −→ T : MkAkBkEA(MkAkBkNA)kEB(MkAkBkNB ) Trent can compare the plaintext message with the encrypted parts from Alice and Bob. If they match he returns the session key K together with the nonces NA and NB encrypted by Alice’s and Bob’s key respectively: T −→ B : MkEA(NAkK)kEB(NBkK) Now Bob gets the session key and initiates the actual communication by passing the session key to Alice.

B −→ A : MkEA(NAkK)

Observe that the nonce NA has never been decrypted by Bob and therefore receiving it back guarantees Alice the authenticity of the communication. However, Bob does not know whether the original nonce was fresh or a replay. The Otway-Rees protocol has several drawbacks, which we will discuss at the end of this handout.

II.6 Example: WPA2 As an example of a technology that brings many of the components of symmetric cryptography we have seen so far together, we consider the WPA2 or 802.11i standard to ensure privacy in wireless networks. WPA2 supersedes the previous standards WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access), which are considered insecure for wireless network communication. Both WEP and WPA are based on the RC4 stream cipher. WEP has a 64 or 128 bit encryption mode corresponding to an 8 or 16 byte RC4 key that is computed by concatenating a 40 or 104 bit WEP key with a 24 bit initialisation vector (IV). For each transmitted package a new RC4 stream is computed using the same WEP key and an unprotected potentially, but not necessarily, new IV. Moreover, WEP only implements a weak checksum check to guarantee message integrity. To counter WEP’s weaknesses, in particular against replay attacks and packet injections, WPA aimed at strengthening WEP mainly by

58 1. using a 48 bit IV, 2. replacing the simple key concatenation by a Temporal Key Integrity Protocol (TKIP) that imple- ments a mixing function to combine key and IV to get derived keys, 3. a sequence counter for packets, 4. as well as a non-linear message integrity check. However, it retained the RC4 stream cipher which meant it was backward compatible for old hardware. But mainly due to the insecurity of RC4 both WEP and WPA can be broken in a matter of minutes. The address all the security problems with WEP and WPA, their successor WPA2 works with keys and IVs of length 128 bits and uses 1. AES in Counter Mode (CTR) for encryption, 2. CBC-MAC based on AES to guarantee message integrity, 3. a unique 48 bit packet number (PN), 4. Extensible Authentication Protocol (EAP) for client authentication. We have a look at the simplified EAP, where a client connects to a network via an access point (AP) and is authorised by the Authentication Server:

Auth Server

8:Unblock (if successful) 7:Challenge Reply 4:Challenge 3:Send Identity

0:Establish Link 1:Request Identity 2:Send Identity Client 5:Challenge AP 6:Challenge Reply In addition WPA2 has four-way handshake protocols to derive temporary keys for communication be- tween client and AP as well as for multicasting. It also has hand-off protocols to handle the transition between different access points. The actual packets that are transmitted have the following composition (called the CCMP packet format): MAC PN0 Res Res Ext Key PN2...PN5 Data Payload MIC Header PN1 IV ID 16bit 8bit 5bit 1bit 2bit 32bit 64bit MAC Header here stands for Medium Access Control address, which is unique to every ethernet device. MIC is the actual message integrity code computed from Data plus MAC Header using CBC-MAC. PN0–PN5 are the 6 bytes of the package number PN. Res are reserved areas (for possible future extensions,e.g., to other variants of AES). Ext IV indicates whether PN2–PN5 are present. Key ID stores the index of the key, within the default key table, which holds different keys for pairwise or group communication.

59 III. Cryptanalysis

We give a brief overview on different cryptanalysis attacks on ciphers and protocols. Attacks can be roughly divided into passive or active attacks. Passive attacks are considered to be just eavesdropping on transmitted information. Active attacks on the other hand rely on actively modifying data, disrupting communication or forcefully accessing data. Therefore, detecting a passive attack is more difficult than an active attack, requiring prevention by defencive means. Active attacks on the other hand, become often apparent by their disruptive nature. So to defend against an active attack is to detect them where possible and recover. In the game of cryptography the passive attacks are carried out by Eve a (not necessarily harmless) eavesdropper, whereas active attacks are carried out by Mallory, a malicious attacker.

III.1 Different Forms of Passive Attacks Passive attacks are classified by the information available to Eve into:

Ciphertext-only Attack Eve has access only to a collection of ciphertexts or codetexts.

Known-plaintext Attack Eve has a set of ciphertexts to which she knows the corresponding plaintext.

Chosen-plaintext Attack Eve can obtain the ciphertexts corresponding to arbitrary plaintexts of her choice.

Chosen-ciphertext Attack Eve can obtain the plaintexts corresponding to arbitrary ciphertexts of her choice.

Adaptive chosen-plaintext Attack Similar to chosen-plaintext attack but Eve can choose subsequent plaintexts based on information learnt from previous encryptions.

Adaptive chosen-ciphertext Attack Similar to chosen-ciphertext attack but Eve can choose subsequent ciphertexts based on information learnt from previous encryptions.

Related-key Attack Similar to a chosen-plaintext attack, except that Eve can obtain ciphertexts en- crypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in one bit.

Having obtained the information, Eve now has to analyse the data. There are essentially two major analytical techniques for passive attacks:

Linear Cryptanalysis is the approximation of the action of a cipher by some function. Linear crypt- analysis is generally performed with a known plaintext attack, but there are variants for some of the other attacks above.

Differential Cryptanalysis is the study of how differences in an input can affect the resulting difference at the output. While differential cryptanalysis is usually a chosen plaintext attack, there are extensions that would allow for instance also known plaintext or even ciphertext-only attacks. For example, one can successfully cryptanalyse DES using around 247 chosen plaintexts.

There are various other analytical techniques that do not only use the actual texts for an attack. For instance, for certain block ciphers one can measure the CPU cycles used for en-/decryption and thereby deduce keys. Those types of attacks are generally referred to as side-channel attacks.

60 III.2 Different Forms of Active Attacks There are many forms of active attacks. We will only mention a few important ones here: Insertion Attack Data is modified by inserting parts into the ciphertext. Deletion Attack Data is modified by deleting parts of the ciphertext. We have briefly discussed inser- tion and deletion attacks for the ECB mode of operation for block ciphers. Substitution Attack Data is modified by substituting parts of the ciphertext. These attacks are partic- ular effective on stream ciphers, if one knows the plaintext for a sequence of intercepted bits. One can then xor out this plaintext and substitute it by xor-ing in malicious content. Replay Attack Mallory repeats or delays a valid data transmission maliciously or fraudulently. Replay attacks are often part of masquerading attacks. For example, suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity (possibly encrypted). Mallory eavesdrops the conversation and keeps the password. After the interchange is over, Mallory connects to Bob posing as Alice; when asked for a proof of identity, Mallory sends Alice’s password read from the last session, which Bob must accept. Masquerading Attack An attack in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Masquerading attacks are also known as spoofing attacks. Some examples of masquerading attacks are:

Man-in-the-Middle Attack Mallory spoofs Alice into believing she’s Bob, and spoofs Bob into believing she’s Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort. It is often abbreviated with MITM. Phishing A legitimate web page such as a bank’s site is reproduced in ”look and feel” on another server under Mallory’s control. The intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords. IP Spoofing A computer poses as another computer by illegitimately assuming its IP address. This attack is often used to gain access to a closed LAN or to pose as some trusted server. MAC Spoofing Similar to IP Spoofing only with respect to the Medium Access Code, e.g. of a wireless ethernet card.

Denial of Service Attack This is an attempt to make a computer resource unavailable to its intended users. It is often abbreviated with DoS. Let’s have a look at a few attacks on the key exchange protocols from above: 59. Attacks on Needham-Schroeder The protocol is vulnerable to a replay attack. If Mallory records one run of this protocol, then subse- quently learns the value K used, she can then replay the message EB(KkA) to Bob, who will accept it, being unable to tell that the key is not fresh. Hence Bob thinks he is communicating with Alice instead of Mallory. This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. There is also a public key variant of Needham-Schroeder, which is vulnerable to man-in-the-middle attack. We will discuss this later. 60. Attacks on Otway-Rees One problem with the Otway-Rees protocol is that Mallory can arrange for Alice and Bob to end up with different keys: After Alice and Bob execute the first three messages, Bob has received the key K. Mallory then intercepts the fourth message. She resends message 2, which results in Trent generating a new key K′, subsequently sent to Bob. Mallory intercepts this message too, but sends to Alice the part of it that Bob would have sent to Alice. So now Alice has finally received the expected fourth message, but with K′ instead of K. Otway-Rees is also vulnerable to replay attacks, since although Trent tells Bob that Alice used a nonce, Bob doesn’t know if this was a replay of an old message.

61 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 10 November, 2009

Programming Exercise 2

Implement the exercises in a programming language of your choice. The only requirement is that the program should be runnable on the Linux machines in the department. Include sufficient explicit output into your program so I can convince myself that the encryption actually works. Submit the source of your program with included comments how to run it and your student ID number by 11 December, 12pm via Moodle (https://moodle.cs.bham.ac.uk/). Also include a file that contains the requested answers (not the full verbose output!) in ASCII format.

21. Programming Exercise. Consider the following SHA-like hash function that uses the ternary bit-wise functions F and G from MD4:

(X0, X1, X2, X3, X4) := (M0, M1, M2, M3, M4) for i := 5 to 20 do Xi := (Xi−1⊕Xi−4⊕Xi−5) ≪ 1 end (H1,H2,H3,H4,H5) := (A,B,C,D,E) Round 1 for i := 0 to 9 do t := (A ≪ 1) + F (B,C,D)+ Xi + E (A,B,C,D,E) := (t ≪ i, A, B ≪ 3,C,D) end Round 2 for i := 10 to 19 do t := (A ≪ 3) + G(B,C,D)+ Xi + E (A,B,C,D,E) := (t ≪ i, A, B ≪ 1,C,D) end (A,B,C,D,E) := (H1 + A, H2 + B,H3 + C,H4 + D,H5 + E)

Assume that we compute a 20 bit hash, i.e., A,B,C,D,E are 4 bit words, F, G take three 4 bit arguments and the message blocks are 20 bits partitoned into 4 bit chunks. Consequently the 4 Xi, i = 0,..., 20 are 4 bit words. Addition is modulo 2 . If necessary, message padding is done by simply adding 0x0 blocks. Initially let (A,B,C,D,E) = (0x2, 0x5, 0x9, 0xB, 0xE).

(a) Implement the above hash function and compute the 20 bit hashes for the following messages given as hexadecimal numbers: i. 0xFAB17E668145A9BCC783BFEE70013522734 ii. 0xFAB17E668145A9BCC783BFEE70013521912 iii. 0xEAB17E668145A9BCC783BFEE70013521558 iv. 0x24A7B9FD294AFE569BB23197FFEAB67D v. 0x24A7B9FD294222569BB23197FFEAB11192110D vi. 0x348F305182AEFD986C458AB394BB4399AFBD23C vii. 0x0123456789ABCDEFFEDCBA98765432107DB91A9F viii. 0x00112233445566778899AABBCCDD ix. 0xFFEEDDCCBBAA998877665544332211001098 x. 0x5555555555555555555555555555555555555555

62 (b) Implement a brute force attack on the hash function that tries to find a collision by systemat- ically searching the message space. Assume that messages are at least 40 bits in length. Give collisions for the following messages: i. 0xABCDEF1234 ii. 0xFAB17E6681 iii. 0xFAB17E6682 iv. 0xEAB17E6681 (c) The Birthday-Attack on hash functions exploits the birthday paradox by searching for a col- lision employing randomised generation of messages. Implement a Birthday Attack for the above hash function, assuming that messages are 40 bits in length. Do not forget to count and output the number of steps your program needs to find a collision.

Please comment the code for parts 21b and 21c well as I will not be able to test all of the imple- mentations extensively. [For debugging purposes I will provide a set of messages and their fingerprints soon.] 40+20+20

63 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 17 November, 2009 Handout 8 Summary of this handout: Asymmetric Cryptography — Public Key Cryptography — Diffie-Hellman Key Exchange — ElGamal — Cramer-Shoup — Discrete Logarithms — Subgroups

IV. Asymmetric Ciphers and Public Key Cryptography

So far we have been talking about symmetric key cryptography only, where all the communicating parties need to be in possession of the same key in order to encrypt and decrypt messages. As we have seen, one major problem of symmetric ciphers is key distribution as well as key management. These problems can be overcome by using asymmetric ciphers. The idea of asymmetric cryptography algorithms is that Alice encrypts a message with one key and Bob can encrypt it with a different key without having any knowledge of Alice’s key. and ideally Alice and Bob should be able to communicate without ever exchanging keys first. This can be achieved by means of public key cryptography, where each participant has two keys: a private key and a public key, and can use someone’s public key to encrypt a message and only the person with the right private key can decrypt it. Since the majority of asymmetric ciphers are public key ciphers both expressions have become synonymous by now.

61. An Analogy We first have a look at a well known analogy about sending secret messages, in order to illustrate the basic idea of asymmetric ciphers. Suppose Alice and Bob do not trust the postal service and want to send a message secretly by using a box and padlocks. With a symmetric key system, Alice first puts the secret message in a box, and then locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice’s key to open the box, and reads the message. Bob can then use the same padlock to send his secret reply. Obviously Alice and Bob have to exchange at some point the keys to the padlock. And they can not do this via the postal service as this would comprise their secret.

Alice Bob

To see that an exchange of key is not mandatory to exchange the secret message securely picture the following scenario of an asymmetric key system. Alice puts her secret message in a box, padlocks it and sends it to Bob. When the box arrives, Bob adds his own padlock and sends the box back to Alice. When Alice receives the box, it is now secured by two padlocks. She removes her own padlock, leaving just Bob’s padlock to secure the box. Finally she sends the box back to Bob. Bob can now open the box to retrieve the message. At no point was the secrecy of the message compromised nor was it necessary to exchange keys.

Alice Bob

64 Finally in an public key system the exchange of messages is even easier. Again Bob and Alice have separate padlocks. Firstly, Alice asks Bob to send his open padlock to her through regular mail, keeping its key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice’s open padlock to lock the box before sending it back to her. Again no keys had to be exchanged. However, it is crucial now that nobody is able to forge a copy of Bob’s key given Bob’s padlock alone.

Alice Bob

62. A Formal View Let us put the two last cases in the the above analogy into our formal cipher notation. The operations of padlocks and keys correspond to the operations of a cipher. I.e., closing the padlock is encryption and opening the padlock is decryption. We first consider the general asymmetric case with the two padlocks. We have two ciphers (EA, DA) and (EB, DB), where A, B are Alice’s and Bob’s keys, respectively. We get the following chain of messages:

EA(M) → EB(EA(M)) → DA(EB(EA(M))) = EB(M) → DB(EB(M)) = M

The crucial point here is the equation DA(EB(EA(M))) = EB(M). This will only hold if we have encryption functions EB and EA that commute (or if DA and EB commute). We know from our sym- metric ciphers, that this property does in general not hold. So in order to make the asymmetric scenario work, one has to carefully design the encryption functions. Now consider the public key scenario. Let B be the key Bob sends to Alice (open padlock in our analogy). We will call B a public key. Let B be the key he keeps secret (the actual key for the padlock in our analogy). We will call B Bob’s privateb key. Then Bob makes B public and, upon receiving a message encrypted withbB decrypts it with B: b b B → EBb(M) → DB(EBb(M))

Obviously it is important for the designb of the encryption function that it can be inverted with a different key. Again this is in general not possible with the symmetric ciphers we have seen so far. Moreover, it is crucial that there is no way for Eve to infer B from B, even though she knows the basic working of the encryption and decryption scheme. This is a complication that we did not have for symmetricb ciphers. In a symmetric cipher we could use essentially any key (we preferred randomly generated ones of course) and en-/decryption would work. In a public key cipher, however, the right choice of public and private key are crucial and can not be left to chance, but have to be done systematically using a generation algorithm. Hence public key ciphers consist of three important components:

• A key generator G.

• An encryption function E.

• A decryption function D.

63. Trapdoor One-way Functions When designing functions for public key ciphers it is important that they are easy to compute given the public key but that they are invertible alone when one has knowledge of the private key. In particular the inversion should be independent from the public key.

65 We have already discussed one-way functions in point 44 in handout 7. A one-way function is a function that is easy to compute but hard to invert. We have seen their uses as hash-functions, where inversion was not only not wanted, but also in general impossible to compute. (Recall that hash functions compress arbitrary length messages to a fixed length hash value.) Thus simple one-way functions are not useful for encryption, since their decryption is nearly always impossible to compute. However, there are certain types of one-way function that are hard to invert unless some secret information, a so called trapdoor, is known. This type of function is called trapdoor one-way function or trapdoor permutation. Here are some possible candidate functions:

∗ ∗ x Discrete Logarithm Problem: Let g be a generator in Zp. For h ∈ Zp find x ∈ N such that g ≡ h(mod p). [gx can be computed efficiently.]

∗ x y ∗ Diffie-Hellman Problem: Let g be a generator in Zp. Given a = g and b = g , find c ∈ Zp such that c = gxy. [Again the exponentiations can be computed efficiently.]

Integer Factorisation: Let n be a large integer number. Find the prime factors of n. [Multiplying primes together is easy.] 64. A Historical Note It was a long upheld paradigm that cryptography was only possible symmetrically, i.e. with some prior exchange of a key. However, in 1976 Whitfield Diffie and Martin Hellman from Stanford published a first asymmetric key cryptosystem. It was a method of public key agreement, which came to be known as Diffie-Hellman key exchange, and was the first published practical method for establishing a shared secret key over an unprotected communications channel without using a prior shared secret. The work was influenced by Ralph Merkle’s work on public key distribution, whose technique became known as Merkle’s Puzzles, and was published in 1978. Inspired by this work, Rivest, Shamir and Adleman from MIT, invented in 1977 the first public key cipher. The authors published their work in 1978, and the algorithm appropriately came to be known as RSA. In 1997 GCHQ in the UK publicly announced that they were aware of public key cryptography several years before Diffie and Hellman published their paper. Indeed the first invention of asymmetric key algorithms was by James H. Ellis, Clifford Cocks, and Malcolm Williamson at GCHQ in the early 1970s; they invented both the Diffie-Hellman key exchange, as well as a special case of RSA. We will follow the historical order and first have a look at the Diffie-Hellman key exchange protocol before having a look at some public key ciphers.

IV.1 Diffie-Hellman Key Exchange The Diffie-Hellman key exchange was invented by Wittfield Diffie and Martin Hellman in 1976. Using this protocol it is possible for Alice and Bob to agree on a secret value in the presence of Eve observing their entire communication. It is an asymmetric algorithm since there is no need for a trusted third party Trent or for the exchange of any secret information anytime before the exchange. The main idea of the protocol is to agree on a key given as an integer by using discrete exponentiation. Thus its security is based on the hardness of the discrete logarithm problem. The algorithm was originally ∗ ∗ proposed for Zp for a large prime p but is today usually used in subgroups Gq of Zp. The protocol has essentially 5 steps, where the first is a public initialisation:

∗ ∗ 1. Alice and Bob agree (publicly) on a prime number p (i.e., on Zp) and on an element g ∈ Zp that generates the the finite group Gq. 2. Alice picks a random positive integer a and sends ga to Bob.

3. Bob picks a random positive integer b and sends gb to Alice.

4. Alice computes the key K = (gb)a = gba.

5. Bob computes the key K = (ga)b = gab.

66 Observe that in steps 4 and 5 we exploit the commutativity of discrete exponentiation, similar to our padlock example. Eve knows g and p. She also can observer ga and gb. However, due to discrete exponentiation being a one-way function, she cannot infer the key K = gab Here is an overview of the protocol: Source: Wikipedia

Example:

1. Alice and Bob agree to use a prime number p = 23 and base g = 5.

2. Alice chooses a secret integer a = 6, then sends Bob (ga mod p): 56 = 15625 ≡ 8(mod 23).

3. Bob chooses a secret integer b = 15, then sends Alice (gb mod p): 515 = 30517578125 ≡ 19(mod 23).

4. Alice computes (gb mod p)a mod p: 196 = 47045881 ≡ 2(mod 23).

5. Bob computes (ga mod p)b mod p: 815 = 35184372088832 ≡ 2(mod 23).

After the Diffie-Hellman key exchange both Alice and Bob have agreed on the key 2. In the above example I have given the full integers of the exponentiations only as an illustration. When we solve the problem we of course do NOT carry out the exponentiations explicitly. Instead, we construct the subgroup generated by the given generator and simply count the elements until we have the result of the exponentiation in question. Here is an example for 815: ∗ The subgroup for generated by 8 in Z23 is

{80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 810} = {1, 8, 18, 6, 2, 16, 13, 12, 4, 9, 3}

Starting from 81 = 8 we can now simply count the next 15 elements. At 810 we restart from the beginning, i.e, with 80 = 811 = 1. The 15th generated element is then 2.

IV.2 ElGamal The ElGamal algorithm is an asymmetric key encryption algorithm for public key cryptography which is based on the same principles as Diffie-Hellman key agreement, i.e., it uses discrete exponentiation and its security therefore relies on the hardness of the discrete logarithm problem. It was invented by Taher Elgamal in 1984 and is, for instance, used in the GNU implementation of the PGP protocol. Similar ∗ to Diffie-Hellman ElGamal can be defined over any cyclic group Gq as subgroups of Zp. However, in concrete implementations one generally takes p to be a prime number of around 1024 bits and q to be of around 160 bits such that q divides p − 1. ElGamal then consists of three components: the key generator G, the encryption algorithm E, and the decryption algorithm D. The key generator G generates a key for Alice as follows: ∗ • Generate primes p and q as well as an element g ∈ Zp that generates the subgroup Gq.

67 • Choose a random x from {0,...,q − 1}.

• Compute h = gx.

• Publish the public key K = (Gq,q,g,h).

• Retain the private key Kb = x.

To encrypt a message M to Alice using her public key K = (Gq,q,g,h), Bob uses the following encryption algorithm E: b • M is considered to be an element of G

y y • Choose a random y from {0,...,q − 1}, then calculate c1 = g and c2 = M · h .

• The ciphertext is then C = (c1, c2).

Bob now sends the ciphertext C = (c1, c2) to Alice who can decrypt the message with the following decryption algorithm D using her secret key K = x:

−x −x −1 x th • Compute M = c2 · c1 , where c1 = (c1 ) is the x exponent of the inverse of c1 in Gq. Here is a quick verification that the decryption algorithm really produces the original message:

x y −xy xy −xy c2 · c1 = M · h · g = M · g · g = M

Notice, that we assume the message M to be an element of Gq. Should the message however be to large it is split into several pieces and each piece is encrypted independently. Example: As a very simple example we take p = 11, q = 5, and g = 3. The group generated by g is then G5 = {1, 3, 9, 5, 4}. We assume also that Bob wants to send the message 10. Key generation algorithm G:

• Choose random x = 2.

• h = gx = 32 = 9.

• Public key K = ({1, 3, 9, 5, 4}, 5, 3, 9).

• Private key Kb = 2. Encryption algorithm E:

• Choose random y = 4.

y 4 • Set c1 = g = 3 = 4.

y 4 • Set c2 = M · h = 10 · 9 = 6

• Ciphertext is C = (c1, c2) = (4, 6) Decryption algorithm D:

−2 −1 −1 −2 • Compute M = c2 · c1 . Since c1 = 4 = 3 we have c1 = 9 and M = 6 · 9 = 10.

68 IV.3 Cramer-Shoup The ElGamal public key algorithm is vulnerable to chosen-ciphertext attacks, i.e., attacks where the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Choosing the ciphertexts carefully and adapting them can lead to information about the key used. The Cramer-Shoup algorithm avoids this by using a cryptographic hash function H. Cramer-Shoup public key encryption was developed in 1998 and is for example used in IBM’s ACE package. Similar to ElGamal its security is based on the hardness of the discrete logarithm problem. The key generator G works as follows: ∗ • Generate primes p and q, and the subgroup Gq of Zp. Choose randomly two generators g1 and g2 of Gq.

• Choose six random values (x1,x2,y1,y2, z1, z2) from {0,...,q − 1}.

x1 x2 y1 y2 z1 z2 • Compute c = g1 g2 , d = g1 g2 , and h = g1 g2 .

• Publish the public key K = (Gq,q,g1, g2, c, d, h).

• Retain the private key Kb = (x1,x2,y1,y2, z1, z2).

The encryption algorithm E encrypts a message M under public key K = (Gq,q,g1, g2, c, d, h) as follows: b • M is considered to be an element of Gq

• Choose a random k from {0,...,q − 1} then calculate:

k k – u1 = g1 , u2 = g2 – e = hk · M

– α = H(u1, u2, e), where H is the hash function – v = ck · dkα

• Ciphertext is C = (u1, u2, e, v).

The decryption algorithm D decrypts a ciphertext C = (u1, u2, e, v) with the secret key K = (x1,x2,y1,y2, z1, z2) as follows:

x1 x2 y1 y2 α • Compute α = H(u1, u2, e) and verify that u1 · u2 · (u1 · u2 ) = v. If this test fails, further decryption is aborted and the output is rejected.

z1 z2 −1 • Otherwise, compute the plaintext as M = e · (u1 u2 ) . Observe that H will only produce the right result if the same value of k was used in all three variables. But neither k nor x1,x2,y1,y2 are known to the cryptanalyst. Here is a quick verification that the decryption algorithm really produces the original message:

z1 z2 kz1 kz2 k −k u1 u2 = g1 g2 = h , and M = e · h

As for ElGamal a given message might not fit into Gq. It is then split into several blocks and each block is encrypted independently.

69 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 17 November, 2009

Exercise Sheet 8

Submit via the correct pigeon hole before 27 November, 11am.

∗ ∗ 22. Consider Z11. Compute all the subgroups generated by an element of Z11. 10 ∗ 23. Compute the following discrete exponentiations in Z11: (a) 413 (b) 33 (c) 512 (d) 10−10 1+1+1+1

∗ 24. Compute the following inverses in Z11: (a) 9−1 (b) 3−1 (c) 8−1 1+1+1 25. Consider the Diffie-Hellman key exchange protocol. Give the single steps of the protocol for the following values:

(a) p = 11, g = 3, a = 17, b = 13 (b) p = 11, g = 7, a = 5, b = 11 (c) p = 11, g = 8, a = 9, b = 19

3+3+3

26. Consider the ElGamal public key cipher. We fix the values for p = q = 11 and g = 7, i.e. G11 = h7i. Compute the single steps of key generation, encryption, and decryption for the following values:

(a) x = 6, y = 10, and M = 9 (b) x = 4, y = 8, and M = 10 (c) x = 3, y = 3, and M = 3

4+4+4

27. Let G be a group and H, K be subgroups of G. Then H ∪ K is a subgroup if and only if H ⊆ K or K ⊆ H. 5

70 1414 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 27 November, 2009

Solutions for Exercise Sheet 8

20.

h1i = {1} h6i = {6, 3, 7, 9, 10, 5, 8, 4, 2, 1} h2i = {2, 4, 8, 5, 10, 9, 7, 3, 6, 1} h7i = {7, 5, 2, 3, 10, 4, 6, 9, 8, 1} h3i = {3, 9, 5, 4, 1} h8i = {8, 9, 6, 4, 10, 3, 2, 5, 7, 1} h4i = {4, 5, 9, 3, 1} h9i = {9, 4, 3, 5, 1} h5i = {5, 3, 4, 9, 1} h10i = {10, 1}

21. (a) 413 ≡ 9(mod 11) (b) 33 ≡ 5(mod 11) (c) 512 ≡ 3(mod 11) (d) 10−10 = (10−1)10 = 1010 ≡ 1(mod 11)

22. (a) 9−1 ≡ 5(mod 11) (b) 3−1 ≡ 4(mod 11) (c) 8−1 ≡ 7(mod 11)

23. (a) 7−1 ≡ 8(mod 11) (b) 6−1 ≡ 2(mod 11) (c) 4−1 ≡ 3(mod 11)

24. (a) 1. Prime number p = 11 and generator g = 3. We first compute the subgroup generated by g. h3i = {3, 9, 5, 4, 1} 2. Alice’s secret key is a = 17. A → B : ga = 317 ≡ 9(mod 11) 3. Bob’s secret key is b = 13. B → A : gb = 313 ≡ 5(mod 11) 4. Alice computes key K as (gb)a = 517 ≡ 3(mod 11) 5. Bob computes key K as (ga)b = 913 ≡ 3(mod 11) Thus the agreed key is K = 3. (b) 1. Prime number p = 11 and generator g = 7. We first compute the subgroup generated by g. h7i = {7, 5, 2, 3, 10, 4, 6, 9, 8, 1} 2. Alice’s secret key is a = 5. A → B : ga = 75 ≡ 10(mod 11) 3. Bob’s secret key is b = 11. B → A : gb = 711 ≡ 7(mod 11) 4. Alice computes key K as (gb)a = 75 ≡ 10(mod 11) 5. Bob computes key K as (ga)b = 1011 ≡ 10(mod 11) Thus the agreed key is K = 10. (c) 1. Prime number p = 11 and generator g = 8. We first compute the subgroup generated by g. h8i = {8, 9, 6, 4, 10, 3, 2, 5, 7, 1} 2. Alice’s secret key is a = 9. A → B : ga = 89 ≡ 7(mod 11) 3. Bob’s secret key is b = 19. B → A : gb = 819 ≡ 7(mod 11) 4. Alice computes key K as (gb)a = 79 ≡ 8(mod 11) 5. Bob computes key K as (ga)b = 719 ≡ 8(mod 11) Thus the agreed key is K = 8. (This key would be very easy for Eve to analyse, as both ga and gb are the same!)

26. Let G be a group and H, K be subgroups of G. Then H ∪ K is a subgroup if and only if H ⊆ K or K ⊆ H.

Proof. We need to show both directions of the equivalence.

n (i) Assume that H ∪ K is a subgroup and neither is contained in the other. Then there exist elements h ∈ H with h 6∈ K and k ∈ K with k 6∈ H. Since both h, k ∈ H ∪ K and H ∪ K is a subgroup, it follows that the element hk ∈ H ∪ K. Then we have two cases to consider: • Case hk ∈ H: Then with h ∈ H, we get k ∈ H, which is a contradiction. • Case hk ∈ K: Then with k ∈ K, we get h ∈ K, which is also a contradiction. Thus our assumption was false, and either H is contained in K or vice versa. (ii) The reverse direction is trivial. If H ⊆ K or K ⊆ H we have either H ∪ K = K or H ∪ K = H. Since both H and K are subgroups, so is H ∪ K.

o 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 17 November, 2009

Mathematics 5 – Discrete Logarithm and Subgroups

In this handout we look at some basic group theory that is necessary to understand some of the public key ciphers. We first recall a few facts from previous mathematics handouts:

• Recall that Zn was the set of all residue classes modulo a positive integer n. I.e., Zn = {0, 1,...,n− 1} where we omit the special notations for residue classes. (Mathematics 2)

• Recall that we could define arithmetic on Zn, i.e., addition, subtraction, and multiplication via their corresponding operations on Z modulo n. (Mathematics 2) ∗ • Recall that for a prime p, Zp was a finite field. That meant in particular, that (Zp, ·) was a group, ∗ where Zp = {1,...,p − 1}. (Mathematics 3) ∗ −1 −1 −1 • Recall that every element x ∈ Zp has an inverse element x such that x · x = x · x = 1. (Mathematics 3) ∗ For the remainder of this handout we restrict ourselves to (Zp, ·), where p is a prime number. ∗ Inverses in Zp ∗ ∗ We first have a brief look at inverse elements in Zp. We take the concrete example of Z5 = {1, 2, 3, 4} ∗ and write down its multiplication table. We can then easily read of the inverses for each element of Z5: −1 ∗ 1 = 1 Z 1 234 5 −1 1 1 234 2 = 3 − 2 2 413 3 1 = 2 − 3 3 142 4 1 = 4 4 4 321 Multiplying with an inverse can be viewed as division modulo p. Discrete Exponentiation ∗ We have now defined all simple arithmetic functions on Zp. As a next step we will define discrete ∗ exponentiation as an iterated multiplication. Let n be a non-negative integer, i.e. n ∈ N, and let g ∈ Zp, we can then define gn iteratively via multiplication as

n ∗ g = g · . . . · g ∈ Zp this is equivalent to the modulo computation in Z: g · . . . · g modp n n ∗ together with| the{z obvious} rules for exponents, i.e. let n,m ∈ N and g ∈ Zp then | {z } 1. g0 = 1

2. gn · gm = g(n+m)

3. (gn)m = gnm

∗ 3 Example: For 3 ∈ Z5 we get 3 = 3 · 3 · 3 = 4 · 3 = 2, which we can also express as a modulo computation in Z: 33 = 27 ≡ 2(mod 5) ∗ We can also define the exponent for inverse elements such that for a g ∈ Zp and n ∈ N we have − g−n = (g−1)n = (gn) 1 with gn · g−n = 1. ∗ −3 3 −1 −1 −3 −1 3 −1 3 Example: For 3 ∈ Z5 we get 3 = (3 ) = 2 = 3 or 3 = (3 ) = (2 ) = 3. ∗ Discrete exponentiation gives rise to more efficient way of computing the inverse of an element in Zp using the following theorem:

∗ p−1 Theorem 10 (Fermat’s Little Theorem) For any g ∈ Zp we have g ≡ 1 (mod p)

x We can use this fact to compute the inverse of g simply as gp−2. Example: The inverse of 3 modulo 5 by 35−2 = 27 ≡ 2(mod 5). ∗ x Finally define the discrete logarithm for g, h ∈ Zp as that x ∈ N such that g ≡ h(mod p). The discrete logarithm problem is then the problem of finding a solution to the modulo equation gx ≡ h(mod p). This is a computationally hard problem.

Generated Subgroups We can now use the discrete exponentiation operation to introduce the concept of generated groups and subgroups. We start with the following important fact:

∗ ∗ 0 2 3 p−2 Theorem 11 For every prime p there exists some g ∈ Zp such that Zp = {1= g ,g,g , g ,...,g }. ∗ An element g with this property is called a generator of Zp.

∗ ∗ In other words, if g is a generator of Zp, then for every h ∈ Zp there exists some i ∈ {0,...,p − 2}, such that h = gi. ∗ 2 3 4 5 6 ∗ Example: The element 3 is a generator of Z7 since {1, 3, 3 , 3 , 3 , 3 , 3 } = {1, 3, 2, 6, 4, 5} = Z7 . ∗ ∗ However, not every element of Z7 is a generator. The number 2, for example, is not a generator of Z7 , 2 3 4 5 6 ∗ since we we have {1, 2, 2 , 2 , 2 , 2 , 2 } = {1, 2, 4}= 6 Z7. ∗ ∗ ∗ While 2 ∈ Z7 does not generate Z7, the set it generates is a subgroup in Z7. More formally we define a subgroup as follows:

Definition 12 Let G be a group. A subset S ⊆ G a subgroup, if S is a group with the operation of G.

We note that every subgroup of G shares unit element and inverses with G. That is, for a ∈ S its inverse a−1 ∈ S is the same as a−1 ∈ G. ∗ Every element g ∈ Zp generate a subgroup. We call the size of the subgroup the g generates the order of ∗ ∗ g and we denote a subgroup generated by g with hgi. If g is a generator of Zp we have hgi = Zp. ∗ Example: Generate all subgroups of Z5: h1i = {1}, h2i = {2, 4, 3, 1}, h3i = {3, 4, 2, 1}, h4i = {4, 1} We conclude with the following important theorem of Lagrange:

∗ Theorem 13 (Lagrange) For all g ∈ Zp we have that the order of g divides p − 1. This fact is frequently exploited in public key ciphers, where computations are performed in a subgroup ∗ ∗ Gq of Zp, where q is a prime number and q divides p − 1, the order of Zp.

Computing Discrete Exponentiation with Subgroups Finally I present a method that exploits generated subgroups in order to compute results for discrete exponentiations with large exponents, avoiding the actual modulo calculation, which might involve very large integers. ∗ 16 Assume we have Z7 and want to compute the exponent 3 (which is 43046721 mod 7 and not really ∗ feasible to compute by hand). We compute the subgroup generated by 3. Since 3 is a generator of Z7, this will be the entire group. However, for our purpose it is important, that we denote the elements of the group in the order they are actually generated:

h3i = {30, 31, 32, 33, 34, 35} = {1, 3, 2, 6, 4, 5}

We can now compute 316 by simply counting the elements in the set. We start with 31 = 3 and the next 16 elements by cyclically restarting at 30 whenever we have reached 35. I.e., we get:

31, 32, 33, 34, 35, 36 = 30, 37 = 31, 38 = 32,..., 315 = 33, 316 = 34 and hence get 316 = 4.

xi 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 27 November, 2009 Handout 9 Summary of this handout: RSA — Generating Prime Numbers — Arithmetic Modulo a Composite

IV.4 RSA RSA was the first public key cipher, invented by Ronald Rivest, Adi Shamir and Leonard Adleman in 1978 and it is probably the most widely used public key cipher today. Its security is based on the difficulty of factoring large integers, a problem that has been studied for more than 2000 years. RSA has properties similar to the Diffie-Hellman key exchange since it is also based on discrete expo- nentiation. However, instead of using a one-way function as Diffie-Hellman (gx (mod p) can be easily computed but not inverted), it uses a trap-door one way function: Given the public information e and n, it is easy to compute M e (mod n) for a message M. This is still infeasible to invert, but given as additional information the factorisation of n, it is easy to invert the function. Thus the factorisation of n is the trapdoor, often called RSA trapdoor function. 65. Key Generation As usual the RSA cipher consists of three algorithms (G, E, D) for key generation, encryption and decryption. The key generator G works as follows:

• Choose two large random prime numbers p and q.

• Compute n = p · q.

• Compute ϕ(n) = (p − 1) · (q − 1).

• Choose an integer e > 1 such that gcd(e, ϕ(n)) = 1.

• Compute a d such that d · e ≡ 1(mod ϕ(n)).

• Publish the public key K = (e, n).

• Retain the private key Kb = d. 66. Encryption The encryption algorithm E takes the public key K = (e, n) to encrypt the message M. This time we assume that M is a number with M

M e ≡ C(mod n).

67. Decryption Given the ciphertext C, Alice can now use her secret K = d to recover the original message M by computing Cd ≡ M(mod n). 68. Correctness The obvious next question is of course, why does that work? Let’s have a look: First we note that Cd ≡ (M e)d ≡ M ed (mod n). We now want to show that we have M ed ≡ M(mod n)

71 We know that ed ≡ 1(mod (p − 1)(q − 1)). We therefore have ed − k(p − 1)(q − 1) = 1 for some k ∈ Z and hence get:

− − − − − − M ed = M 1+k(p 1)(q 1) = M · M k(p 1)(q 1) = M · (M (p 1)(q 1))k ≡ M(mod n), where the last step follows

1. either from Euler’s theorem, i.e., M ϕ(n) = M (p−1)(q−1) ≡ 1(modn) for M,n ∈ Z when gcd(M,n) = 1,

2. or using the Chinese Remainder Theorem: Given that 0 ≤ M

And what does all this have to do with factorisation? Only if we know ϕ(n) we can then efficiently decrypt the message. However, Eve could only learn ϕ(n) if she was able to factorise n into p and q. For large enough primes this is, however, infeasible. Nevertheless there need to be some precautions for the choice of parameters of RSA as we will see later. Example: Here is a very simple example of RSA encryption. The key generation G consists of the steps:

• We choose p = 7 and q = 11.

• We compute n = p · q = 77.

• And also ϕ(n) = (p − 1)(q − 1) = 6 · 10 = 60.

• We now need an exponent e such that gcd(e, 60) = 1. We pick e = 43, for which it is easy to see that gcd(43, 60) = 1 as 43 is a prime number.

• To obtain the secret key we have to compute d using the extended Euclidean algorithm. This results in d = 7 since 43 · 7 = 301 ≡ 1(mod 60).

• We now publish the public key K = (43, 77).

• We retain the secret key K = 7.b Suppose we now want to transmit the message M = 14. We then encrypt it by computing

M e ≡ C(mod n) as 1443 ≡ 49(mod 77).

To decrypt the ciphertext C = 49 we compute

Cd ≡ M(mod n) as 497 ≡ 14(mod 77).

Note that not all elements are invertible elements in Z77 and we can therefore not always generate sub- groups. However, we can still using counting for computing the discrete exponentiations. For example

h14i = {141 = 14, 142 = 42, 143 = 49, 144 = 70, 145 = 56, 146 = 14,...} = {14, 42, 49, 70, 56}

72 IV.4.1 Attacks on RSA There are many attacks on RSA, most of them challenging its structure with sophisticated mathematical tools. Discussing these attacks would go beyond the scope of this lecture. However, we can easily demonstrate that RSA is already vulnerable to a chosen-ciphertext attack, i.e., an attack in which Eve can obtain decrypted plaintexts for ciphertexts of her choice. e Suppose RSA is used as defined above, that is, messages are encrypted with EKb (M) = M (mod n) d and decrypted with DK (C) = C (mod n). Suppose also Eve has intercepted a ciphertext C that she wants to decrypt. She then starts a chosen ciphertext attack by:

• Choose C1 ∈ Zn arbitrary and ask for its decryption, yielding a message M1.

−1 • Let C2 := C · C1 and ask for its decryption, yielding a message M2.

d d d d −d d ed • Compute M1 · M2 = C1 · C2 = C1 · C · C1 = 1 · C = M = M. Eve can do even better and break the message with only one chosen ciphertext. Again we assume she has intercepted the ciphertext C.

e • Choose M1 ∈ Zn arbitrary and let C1 := M1 (mod n).

• Let C2 := C · C1 and ask for its decryption, yielding a message M2.

d d −d d −1 e d −1 ed • Compute M1 ·M2 = M1 ·C2 = M1 ·C ·C1 = M1 ·C ·M1 = M1 ·(M ) ·M1 = M = M.

IV.4.2 Using RSA in Practice While brute force attacks on RSA are still computationally infeasible, many attacks become possible if only a tiny bit of information is leaked or if the RSA parameters have not been chosen carefully. Here are a number of criteria that should be met in order to operate RSA securely:

• Choose e such that both e and d are large numbers.

• Never leak even a small number of bits of p,q, and d.

• Never encrypt small messages (corresponding to small numbers in Zn.) as they are easy to attack. But despite all these precautions the main problem with RSA is that it has too much mathematical struc- ture and is therefore vulnerable. Recall that for symmetric ciphers we always required a cipher to act as randomly as possible, i.e., there should be no obvious connection between the plaintext and the cipher- text and small changes in the plaintext should lead to big changes in the ciphertext. Ideally, the same plaintext should also be enciphered differently at different times (for block ciphers we have achieved this for example with different modes of operation). For the RSA and most public ciphers this is however not the case. 69. Encryption Schemes One way to overcome the mathematical regularity of many public key ciphers is by using so called Encryption Schemes. They aim at

1. adding randomness to the encryption, and

2. preventing attacks of the form presented above.

There are several general encryption schemes for public key ciphers as well as specialist schemes for RSA known as PKCS standards. They pre-process the messages before applying the RSA function in order to achieve the above goals. This can be done, for example, by adding random bit strings to a message or applying hash functions, in order to vary the resulting ciphertext.

73 70. Combining Asymmetric and Symmetric Ciphers Another problem with RSA and other public key ciphers is that they are computationally very expensive. For efficiency and also security reasons they are therefore often used in combination with symmetric ciphers, e.g., block or stream ciphers, which can be much more efficiently computed. For example, Alice can use RSA to communicate with Bob using a symmetric cipher without having to exchange keys first. Here is a simple scenario: Let K be a randomly generated key for a symmetric cipher (E, D). Alice can then encrypt the message M with key K in the chosen symmetric cipher and then use RSA to encrypt the message K and send it as the prefix of the ciphertext to Bob: ERSA(K)kEK (M)

IV.5 Computing Large Prime Numbers One necessary prerequisite for all the public key ciphers we have seen so far is the ability to generate large prime numbers. Unfortunately, this is not a straight forward task. Due to the nature of prime numbers, it is not possible to use a composite approach, i.e., starting with small primes and deriving larger prime numbers from them. The opposite approach is to pick a number and then test whether or not it is prime. Obviously this problem is as hard as factoring numbers in general, since we have to find — or rather reconfirm — the single prime factor of the picked number. The problem is therefore computationally infeasible. Moreover, there are not many number theoretic guidelines on which numbers should be picked, apart from that the number should be odd. This leaves probabilistic test algorithms as the only computationally feasible approach. A probabilistic test algorithm picks a number and tests whether or not it is prime to a certain extend only, until it is very likely that the picked number is actually a prime number. However, there always remains a certain small probability that the generated number is not a prime number. We will have a look at two such algorithms.

IV.5.1 Fermat’s Test The algorithm is based on Fermat’s little theorem. Recall that this states for a given prime p and 1 ≤ a

for i := 0 to k − 1 do Pick a ∈ {2,...,n − 1} if an−1 6≡ 1 (mod n) then return (“n is a composite”) end return(”n is probably prime”)

Obviously the larger we pick k the likelier it is that n is a prime. In fact, probability that n is a composite 1 k after k tests is ( 2 ) . While Fermat’s primality test is not perfect, it is nevertheless used in practice, for instance in the Pretty Good Privacy (PGP) implementations.

IV.5.2 Miller-Rabin Test The main problem with Fermat’s primality test is that there are numbers n, so-called Carmichael num- bers, for which we have an−1 ≡ 1(mod n) for all 1 ≤ a

74 for i := 0 to k − 1 do Pick a ∈ {1,...,n − 1} if an−1 6≡ 1 (mod n) then for j := 0 to r − 1 do j if a(2 ·s) 6≡ −1 (mod n) then return (“n is a composite”) end end end return(”n is probably prime”)

The Miller-Rabin algorithm gives us some higher probability of not mistaking a Carmichael number for a prime. In addition it also computes a “highly probable prime” (i.e., a number for which we can be fairly sure that it is indeed a prime) more quickly, since the probability that n is a composite after k tests is 1 k ( 4 ) . In practice it is sufficient to test with a value k = 20. Observe that the bound for k is independent of the actual size of n.

75 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 27 November, 2009

Exercise Sheet 9

Submit via the correct pigeon hole before 4 December, 11am.

Please hand in Exercise 26 from Exercise Sheet 8 together with the answers for this week.

28. Perform RSA secret key generation, encryption, and decryption for the following parameters:

(a) p = 11, q = 13, e = 41, M = 55 (b) p = 7, q = 13, e = 35, M = 19

5+5

29. Solve the following simultaneous congruences:

x ≡ 11(mod 31) x ≡ 14(mod 35)

Show some of your workings. 5+5

30. Carry out the extended Euclidean algorithm for the following pairs of values:

(a) a = 78, b = 27 (b) a = 276, b = 338

5

31. Consider the following small version of RSA: Messages are grouped into blocks of three characters and converted into base 26 integers, using A = 0, B = 1,..., Z = 25. For example, ABC is converted into 0 · 262 + 1 · 261 + 2 · 260 = 28. The maximum value of a block would be ZZZ : 263 − 1 = 17575. Using an RSA with parameters p = 127, q = 139, e = 17, decrypt the message UDENGSKNMDBCCBIJMG. Hint: You need to use a scientific calculator with arbitrary precision integers for this. For example, kcalc in Linux is a good choice. 15

76 1616 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 5 December, 2009

Solutions for Exercise Sheet 9

26. There is a mistake in the formulation of the exercise. Obviously with p = 11 we cannot have q = 11. Since we have g = 7 we get q = 10, which is not a prime number and therefore strictly speaking not a legal parameter for Elgamal. However, for the sake of the exercise, we ignore this here and accept q = 10.

(a) Key generation algorithm G: Encryption algorithm E: Decryption algorithm D: −6 −6 • Choose x = 6 • Choose y = 10 • Compute M = c2 · c1 =9 · 1 y 10 −6 −1 6 6 • h = gx = 76 ≡ 4(mod 11) • c1 = g =7 ≡ 1(mod 11) 1 = (1 ) =1 ≡ 1(mod 11) y 10 • Public Key K = • c2 = M · h = 9 · 4 ≡ M =9 · 1 ≡ 9(mod 11) 9(mod 11) = • Ciphertext is C = (c1,c2)=(1, 9) ({7, 5, 2, 3, 10,b4, 6, 9, 8, 1}, 10, 7, 4) • Private Key K = 6

(b) Key generation algorithm G: Encryption algorithm E: Decryption algorithm D: −4 −4 • Choose x =4 • Choose y =8 • Compute M = c2 · c1 =6 · 9 x 4 y 8 −4 −1 4 4 • h = g =7 ≡ 3(mod 11) • c1 = g =7 ≡ 9(mod 11) 9 = (9 ) =5 ≡ 9(mod 11) y 8 • Public Key K = • c2 = M · h = 10 · 3 ≡ M =6 · 9 ≡ 10(mod 11) = 6(mod 11) ({7, 5, 2, 3, 10b, 4, 6, 9, 8, 1}, 10, 7, 3) • Ciphertext is C = (c1,c2)=(9, 6) • Private Key K =4

(c) Key generation algorithm G: Encryption algorithm E: Decryption algorithm D: −3 −3 • Choose x =3 • Choose y =3 • Compute M = c2 · c1 =2 · 2 x 3 y 3 −3 −1 3 3 • h = g =7 ≡ 2(mod 11) • c1 = g =7 ≡ 2(mod 11) 2 = (2 ) =6 ≡ 7(mod 11) y 3 • Public Key K = • c2 = M · h =3 · 2 ≡ 2(mod 11) M =2 · 7 ≡ 3(mod 11) = • Ciphertext is C = (c1,c2)=(2, 2) ({7, 5, 2, 3, 10b, 4, 6, 9, 8, 1}, 10, 7, 2) • Private Key K =3

28. (a) • Choose two prime numbers p = 11 and q = 13. • Compute n = p · q = 11 · 13 = 143. • Compute ϕ(143) = (p − 1) · (q − 1) = 10 · 12 = 120. • Choose e = 41 with gcd(41, 120) = 1. • Then d = 41 as d · e = 41 · 41 ≡ 1(mod 120). • Publish the public key K = (41, 143). • Retain the private key K = 41. Encrypt plaintext M = 55: Mb e = 5541 ≡ 22(mod 143). Thus we get ciphertext C = 22. Decrypt ciphertext C = 22: Cd = 2241 ≡ 55(mod 143). Thus we get plaintext M = 55.

(b) • Choose two prime numbers p = 7 and q = 13. • Compute n = p · q = 7 · 13 = 91. • Compute ϕ(91) = (p − 1) · (q − 1) = 6 · 12 = 72. • Choose e = 35 with gcd(35, 72) = 1. • Then d = 35 as d · e = 35 · 35 ≡ 1(mod 72). • Publish the public key K = (35, 91).

b p • Retain the private key K = 35. Encrypt plaintext M = 19: M e = 1935 ≡ 24(mod 91). Thus we get ciphertext C = 24. Decrypt ciphertext C = 24: Cd = 2435 ≡ 19(mod 91). Thus we get plaintext M = 19.

29. From the congruences we get: m = 31,n = 35, a = 11, b = 14 Since gcd(31, 35) = 1 we first compute u, v ∈ Z such that 31u + 35v = 1 with the extended Euclidean Algorithm with m = 31 and n = 35:

m n (xm,ym) (xn,yn) 31 35 (1, 0) (0, 1) 31 35 − 1 · 31=4 (1, 0) (0, 1) − 1 · (1, 0)=(−1, 1) 31 − 7 · 4=34 (1, 0) − 7 · (−1, 1) = (8, −7) (−1, 1) 3 4 − 1 · 3=1 (8, −7) (−1, 1) − 1 · (8, −7)=(−9, 8) 3 − 3 · 1=01 (8, −7) − 3 · (−9, 8) = (35, −31) (−9, 8) xna + ynn = −9 · 31 + 8 · 35 = 1, thus u = −9 and v = 8. Consequently, we get umb + vna = −9 · 31 · 14 + 8 · 35 · 11 ≡−826 = 259(mod 1085). Thus the solution of the two congruences is:

259 ≡ 11(mod 31) 259 ≡ 14(mod 35)

a b (xa,ya) (xb,yb) 78 27 (1, 0) (0, 1) 30. (a) 78 − 2 · 27=2427 (1, 0) − 2 · (0, 1) = (1, −2) (0, 1) 24 27 − 1 · 24=3 (1, −2) (0, 1) − 1 · (1, −2)=(−1, 3) 24 − 8 · 3=0 3 (1, −2) − 8 · (−1, 3) = (9, −26) (−1, 3) xba + ybb = −1 · 78 + 3 · 27 = 3

a b (xa,ya) (xb,yb) 276 338 (1, 0) (0, 1) 276 338 − 1 · 276 = 62 (1, 0) (0, 1) − 1 · (1, 0)=(−1, 1) − · − · − − − (b) 276 4 62 = 28 62 (1, 0) 4 ( 1, 1) = (5, 4) ( 1, 1) 28 62 − 2 · 28 = 6 (5, −4) (−1, 1) − 2 · (5, −4)=(−11, 9) 28 − 4 · 6=4 6 (5, −4) − 4 · (−11, 9) = (49, −40) (−11, 9) 4 6 − 1 · 4 = 2 (49, −40) (−11, 9) − 1 · (49, −40) = (−60, 49) 4 − 2 · 2=0 2 (49, −40) − 2 · (−60, 49) = (169, −138) (−60, 49) xba + ybb = −60 · 276 + 49 · 338 = 2 31. We first perform the key generation algorithm:

• Choose two prime numbers p = 127 and q = 139. • Compute n = p · q = 127 · 139 = 17653. • Compute ϕ(17653) = (p − 1) · (q − 1) = 126 · 138 = 17388. • Choose e = 17 with gcd(17, 17388) = 1. • Then d = 6137 as d · e = 6137 · 17 ≡ 1(mod 17388). • Publish the public key K = (17, 17653). • Retain the private key K = 6137. b We then decrypt the message UDENGSKNMDBCCBIJMG: Block UDE is converted into 13602. Decrypt ciphertext C = 13602: Cd = 136026137 ≡ 13306(mod 17653). Thus we get plaintext M = 13306. Integer 13306 is converted into block TRU. Block NGS is converted into 8962. Decrypt ciphertext C = 8962: Cd = 89626137 ≡ 12686(mod 17653). Thus we get plaintext

q M = 12686. Integer 12686 is converted into block STY. Block KNM is converted into 7110. Decrypt ciphertext C = 7110: Cd = 71106137 ≡ 10001(mod 17653). Thus we get plaintext M = 10001. Integer 10001 is converted into block OUR. Block DBC is converted into 2056. Decrypt ciphertext C = 2056: Cd = 20566137 ≡ 8218(mod 17653). Thus we get plaintext M = 8218. Integer 8218 is converted into block MEC. Block CBI is converted into 1386. Decrypt ciphertext C = 1386: Cd = 13866137 ≡ 4745(mod 17653). Thus we get plaintext M = 4745. Integer 4745 is converted into block HAN. Block JMG is converted into 6402. Decrypt ciphertext C = 6402: Cd = 64026137 ≡ 5483(mod 17653). Thus we get plaintext M = 5483. Integer 5483 is converted into block ICX. The result is therefore: TRUSTYOURMECHANICX or simply “Trust your mechanic” if we assume that the final X is padding.

r 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 27 November, 2009

Mathematics 6 – Arithmetic Modulo a Composite

So far our algorithms have worked in Zp with p is prime, for which we knew that it was a field and ∗ therefore, in particular, that (Zp, ·) is a group. In the following we are moving into Zn where n is a composite, i.e., not a prime number. We will be especially interested in the case where n = p · q, with p,q prime numbers. We recall that for n we have Zn = {0, 1, 2,...,n − 1} and that the arithmetic operations (i.e. addition, subtraction, multiplication, and exponentiation) are defined modulo n as usual. But we also recall that ∗ while (Zn, +, ·) is a ring, it is in general not a field and therefore the multiplicative part (Zn, ·) is not a group. Nevertheless, Zn has some very interesting properties that are exploited for the RSA public key cipher, which we shall explore in this handout.

Multiplicative Inverses in Zn ∗ ∗ We already know that (Zn, ·) is not a group and, therefore, that not all elements of Zn have inverses ∗ with respect to ·. Nevertheless we can find some elements in Zn that have multiplicative inverses, that is, −1 elements x ∈ Zn for which an element y ∈ Zn exists, such that x · y ≡ 1(mod n). We then write x instead of y provided that the inverse exists. Example: Let n = 2 · 3 = 6 we can easily check that 1 ∈ Z6 and 5 ∈ Z6 have inverses, since 1 ∗ 1 ≡ 1(mod 6) and 5 ∗ 5 ≡ 1(mod 6), and that no other element in Z6 has an inverse. In the example it is trivial to see that 1 has in inverse in every Zn. However, our next question is, can we somehow characterise the other elements that have inverses in Zn. In order to do that we need to define the concept of greatest common divisor.

Definition 14 (Greatest Common Divisor) Let a, b ∈ Z with a 6= 0 and b 6= 0. The greatest common divisor for a and b, written gcd(a, b), is the largest positive integer that divides both numbers without remainder.

Example: Let a = 8 and b = 12, then we get gcd(a, b) = 4. Having the gcd available, we can now characterise the elements in Zn that are invertible with respect to multiplication:

Theorem 15 (Inverse) Let x ∈ Zn. x has an inverse in Zn if and only if gcd(x,n) = 1.

In order to be able to decide whether or not an element in Zn has an inverse, we need a way to compute the gcd. This is done with Euclidean Algorithm, which has been around for more than two millennia.

Euclidean Algorithm Given two integers a, b we can compute gcd(a, b) by means of one of the two algorithms below. The left one is the classical Euclidean algorithm, whereas the right one is a more efficient variant, that uses modular arithmetic: while a 6= b do if a > b then while b 6= 0 do a := a − b c := b else b := a mod b b := b − a a := c end end end return a return a

xii Example: Let a = 90 and b = 126, we compute gcd(a, b) as follows: a b a b 90 126 90 126 90 126 − 90 = 36 126 90 mod 126 = 90 90 − 36 = 54 36 90 126 mod 90 = 36 54 − 36 = 18 36 36 90 mod 36 = 18 18 36 − 18 = 18 18 36 mod 18 = 0 gcd(90, 126) = 18 gcd(90, 126) = 18

Extended Euclidean Algorithm Using the Euclidean algorithm we can determine if a has an inverse modulo n by testing whether gcd(a, n) = 1. But we still do not know how to determine the inverse when it exists. To do this we use a variant of Euclid’s gcd algorithm, called the extended Euclidean algorithm. It relies on the fact that for every two integers a and b with gcd(a, b)= r there exist x,y ∈ Z such that x · a + y · b = r. Example: For a = 8 and b = 12 we had gcd(a, b) = 4. With x = −1 and y = 1 we get −1·8+1·12 = 4. Here is schematic overview of the algorithm:

1. We start with integers a and b, together with two corresponding (x,y) pairs (xa,ya) and (xb,yb), that are initialised as (xa,ya) = (1, 0) and and (xb,yb) = (0, 1). 2. Divide the larger of the two numbers a and b by the smaller using integer division. Call this quotient q.

3. Subtract q times the smaller from the larger number.

4. Subtract q times the vector corresponding to the smaller number from the vector corresponding to the larger number.

5. Repeat steps 2 through 4 until one of the numbers equals zero. The vector that corresponds to the number that is not zero, contains the two desired numbers x,y.

Here is the corresponding algorithm in pseudo-code for given a, b ∈ Z. Observe that “div” is integer division and that addition and operation on (xa,ya) and (xb,yb) are to be considered component-wise.

(xa,ya) = (1, 0) (xb,yb) = (0, 1) while a 6= 0 and b 6= 0 do if a > b then q := a div b a := a − q · b (xa,ya) := (xa,ya) − q · (xb,yb) else q := b div a b := b − q · a (xb,yb) := (xb,yb) − q · (xa,ya) end end if a = 0 then return b, xb,yb else return a, xa,ya end

xiii Example: And finally, here is an example of the algorithm applied to a = 53 and b = 30: a b (xa,ya) (xb,yb) 53 30 (1, 0) (0, 1) 53 − 1 · 30=2330 (1, 0) − 1 · (0, 1) = (1, −1) (0, 1) 23 30 − 1 · 23=7 (1, −1) (0, 1) − 1 · (1, −1)=(−1, 2) 23 − 3 · 7=2 7 (1, −1) − 3 · (−1, 2) = (4, −7) (−1, 2) 2 7 − 3 · 2=1 (4, −7) (−1, 2) − 3 · (4, −7)=(−13, 23) 2 − 2 · 1=0 1 (4, −7) − 2 · (−13, 23) = (30, −53) (−13, 23)

The final result is therefore xba + ybb = r, which is −13 · 53 + 23 · 30 = −689 + 690 = 1. We can now solve our original problem of determining the inverse of a modulo n, when such an inverse exists. We first apply the extended Euclidean algorithm to a and n so as to compute r,x,y such that

r = gcd(a, n)= xa + yn.

We can solve the equation ax ≡ 1(mod n), since we have r = xa+yn ≡ xa(mod n). Hence, we have a solution x = a−1 , precisely when r = 1. Observe that in many cases the inverse will be actually a negative number, that we might need to convert into the corresponding positive number modulo n. Example: From the previous example of the extended Euclidean algorithm we can see that 23 is the inverse of 30 modulo 53, i.e., we have 30 · 23 ≡ 1(mod 53)

Euler’s Totient Function We now know how to check whether or not an element of Zn has a multiplicative inverse and also how to compute that inverse. We now investigate how many elements in Zn are invertible. The number theoretic ∗ tool to count the invertible elements in Zn is called Euler’s Totient function and is traditionally denoted by ϕ(n). (ϕ is the small Greek letter “phi”.) The function ϕ(n) turns out to be easily computable, provided that the factorisation of n is known. Given all the prime factors of n and their multiplicity there exists a single formula to compute the value of ϕ(n). But since the general formula is rather complicated we restrict ourselves to the two special cases that are of interest to us: ∗ 1. For a prime p we already know that ϕ(p)= p − 1 or, in other words, that Zp has p − 1 elements. 2. For positive integers p,q with gcd(p,q) = 1 we have ϕ(pq) = (p − 1)(q − 1) or, in other words, ∗ that Zpq has (p − 1)(q − 1) invertible elements. Finally, we finish with the following theorem, important for the correctness of the RSA cipher: Theorem 16 (Euler) Let n ∈ N and a ∈ Z, with gcd(a, n) = 1, then we have aϕ(n) ≡ 1(mod n). Counting Exponents Recall from Mathematics 5 how we can use generated subgroups to compute discrete exponentiation. ∗ But since Zpq is not a multiplicative group, its elements also do not necessarily generate subgroups. In particular all non-invertible elements, i.e. multiples of p and q do not generate subgroups! Nevertheless we can compute discrete exponentiations using a slightly more general counting technique: ∗ Let n = pq, where p and q are prime numbers, then each element g ∈ Zn generates a multiplicative ∗ 1 2 ∗ subset of Zn (which is generally not a group!) by taking S = {g , g ,...}. Since Zn is finite this set has to be finite and thus the sequence of exponentiations will eventually cycle, i.e., gn ∈ {g1, g2,...,gn−1}. ∗ For example take 14 ∈ Z77 h14i = {141 = 14, 142 = 42, 143 = 49, 144 = 70, 145 = 56, 146 = 14,...} = {14, 42, 49, 70, 56}

Thus we can compute 1443 ≡ 49(mod 77). [Observe that in general we have no guarantee that the cycle will “restart” at the first element g1. How- ever, if n is of the form pq this will always be the case. For more general n the “restart” has to be taken ∗ into account when counting exponents. For instance, for 2 ∈ Z60 we have h2i = {2, 4, 8, 16, 32, 4,...} and thus 28 ≡ 16(mod 60).]

xiv Chinese Remainder Theorem The Chinese Remainder Theorem was first published by the Chinese mathematician Sun Tzu around the third centry BC, but is probably a lot older. It is a statement about simultaneously solving congruence equations with different modulo factors. Here is the statement:

Let m,n ∈ Z with gcd(m,n) = 1. Then for any given a, b ∈ Z there exists and x ∈ Z such that

x ≡ a(mod m) and x ≡ b(mod n)

Moreover, every solution x is congruent modulo m·n. Or in other words the solution x ∈ Zmn is unique.

To elaborate the last point: If we have two solutions x1,x2 such that x1 ≡ a(mod m) and x1 ≡ b(mod n) as well as x2 ≡ a(mod m) and x2 ≡ b(mod n), then we know that x1 = x2 +knm for some k ∈ Z. This is actually quite easy to see: Solutions for the first congruence have to be multiples of m apart, i.e. with x a solution to x ≡ a(mod m), so is x + lm for every l ∈ Z. And, to satisfy the second congruence they have to be multiples of n apart. Since m,n have no common factor (recall gcd(n,m) = 1) they can only coincide when they are multiples of mn apart. The Chinese Remainder Theorem can easily be generalised to systems of simultaneous congruences. However, for our purposes it is enough to consider pairs. Particularly useful is the following alternative formulation:

Let m,n ∈ Z with gcd(m,n) = 1. Then for every pair a, b ∈ Z such that a ≡ b(mod m) and a ≡ b(mod n) we have a ≡ b(mod mn).

Finally, we can also give the following efficient algorithm to compute the solution guaranteed by the Chinese Remainder Theorem, using the extended Euclidean algorithm:

Let n 6= m with gcd(n,m) = 1 and let a, b ∈ Z. Then compute u, v ∈ Z with um + vn = 1 using the extended Euclidean algorithm and compute x as umb + vna ≡ x(mod nm).

Example: Let m = 4,n = 5, a = 3, b = 4 then we can compute u = 4 and v = −3 with the extended Euclidean algorithm. This yields 4 · 4 · 4 + (−3) · 5 · 3 = 64 − 45 ≡ 19(mod 20). This means that 19 is a solution the single congruence relations, i.e., 19 ≡ 3(mod 4) and 19 ≡ 4(mod 5), and so is every integer of the form 19 + 20k, k ∈ Z and only those integers.

xv 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 4 December, 2009 Handout 10 Summary of this handout: Digital Signatures — Attack on Diffie-Hellman — Schnorr Signatures — DSA — RSA Signatures — Lamport Signatures

IV.6 Digital Signatures We have already seen earlier that one major concern of Cryptography is to guarantee authenticity of communication. In handout 7 we have discussed the necessity to use message authentication codes (MAC) for secure key exchange in symmetric cryptography, to verify the authenticity of a message sender. While MACs ensure to a certain extend the integrity of the parties participating in a protocol, they can not be used to uniquely identify a sender of a message or to uniquely associate a message with a particular sender. Since there are always several parties who can potentially produce a MAC, as the symmetric key is known to more than one individual, it is in particular always possible for an individual to repudiate the authorship of a message. Traditionally, authorship of a document is assumed by signing it. A signature is generally taken to be a unique form of identification. Only one person can sign the document, but everyone can check and verify who has signed the document. In addition signatures should be difficult to forge. With public key cryptography we now have the means available to do the equivalent for electronic mes- sages: We have a secret key that is only known to one individual, which can be used to sign a message. We have a public key that can be used to verify a signature. In addition we need some means to ensure that signatures can not be produced by an attacker. The idea of digital signatures is to provide a secure mechanism for unique signature and public verifica- tion. Similar to public key ciphers they consist of three components:

• A key generator G.

• A signature function S.

• A verification function V .

Digital signatures are used in various contexts and applications in practice, e.g., in electronic payment systems and for issuing certificates. They might be of higher importance than encryption in the future as ensuring integrity in electronic communication is of more practical importance, for instance in e- commerce, than fully encrypted communication. We further motivate the need for digital signatures by first looking at a man-in-the-middle attack on the Diffie-Hellman key exchange. 71. Attacking Diffie-Hellman Suppose Alice wants to agree a key with Bob using the Diffie-Hellman key exchange. Suppose also that Mallory can intercept all communication between Alice and Bob as well as send messages to both. She can then stage the following attack:

• Alice uses her secret key a to initiate communication, sending ga.

• Mallory intercepts ga and, posing as Bob, replies gm to Alice using a key m.

• Alice now believes she has agreed the key gma with Bob.

• In the next stage Mallory sends Bob a message gn, using a new key n and posing as Alice.

• Bob uses his secret key b to reply gb.

77 • Mallory intercepts gb and has now agreed the key gnb with Bob.

• Mallory can now intercept every message from Alice to Bob, decrypt it with gma, and encrypt it with gnb, before sending it on to Bob. Similarly she can intercept the communication in the other direction. Alice and Bob have no knowledge of Mallory and also no means of detecting the attack. Here’s a schematic overview of the attack: Alice Mallory Bob a −→ ga Alice thinks she is sending to Bob. gm ←− m Alice thinks she gets a reply from Bob. gma gma Alice believes she has agreed a key with Bob. n −→ gn Bob thinks he is contacted by Alice. gb ←− b Bob believes he is replying to Alice. gnb gnb Bob believes he has agreed a key with Alice. gma ←→ gma, gnb ←→ gnb Mallory reads and passes on all messages. In order to prevent this attack both Alice and Bob need some way of uniquely authenticating the message to verify who they are talking to. This can be achieved by using digital signatures. 72. Principle of Signatures Digital signatures are almost always used together with cryptographic hash functions. Generally, given a hash function h and a message M, one computes the signature by applying the signature function S to h(M) and attaches the signature to the message, i.e., we send

MkS(h(M)).

To verify the signature one then computes again the hash value h(M) and uses it together with the signature in the verification function V . It is important that it is hard to find a collision for a hash functions used in a digital signature. I.e., it should be infeasible to find two messages that hash to the same value. Otherwise it is easy to swap the message M for a forgery M ′, while the signature stays the same and can be successfully verified. In general, one can derive a digital signature scheme from every public key cipher. We will look at three particular examples of signatures: Schnorr Signature A digital signature derived from ElGamal, whose security is based on discrete log- arithms.

Digital Signature Algorithm A digital signature using SHA hash functions, whose security is based on discrete logarithm.

RSA Signatures A digital signature derived from RSA, whose security is based on factorising numbers. We will also look at a general digital signature scheme called Lamport Signatures that is considered particularly secure as it uses signatures exactly once.

IV.6.1 Schnorr Signatures Schnorr signatures have been developed in 1989 by Claus-Peter Schnorr and are based on the principles of the ElGamal cipher. In fact they are a variant of the class of ElGamal signatures, that are rarely used by themselves. The basic parameters are therefore similar to those of ElGamal and its security is based on the hardness of the discrete logarithm problem. In particular, Schnorr signatures are based on :

∗ • a 1024 bit prime p that fixes Zp, ∗ • a 360 bit prime q, such that q divides p − 1 and q is the order of a subgroup Gq of Zp, • a cryptographic hash function h.

The single functions then work as follows: We start with the key generation G.

78 ∗ • Generate primes p and q as well as an element g ∈ Zp that generates the subgroup Gq. • Choose a random x from {1,...,q − 1}.

• Compute y = gx. (Observe that this corresponds to h in ElGamal; but here h is our hash function!)

• Publish the public key K = (p,q,g,y).

• Retain the private key Kb = (p,q,g,x). The signature function S signs a message M using the private key K = (p,q,g,x) as follows:

• Choose a random r from {1,...,q − 1}.

• Compute s = h(Mkgr).

• Compute t = (r + x · s) mod q.

• Attach the signature (s,t) to the message.

Given the message M, the signature (s,t), and the public key K = (p,q,g,y) we can now verify the authenticity of the message using the verification function V : b • Accept the signature if h(Mk|gty−s)= s.

• Otherwise reject the signature.

We quickly convince ourselves why the verification works:

− h(Mk|gty s) = s − h(Mk|gr+xsy s) = h(Mkgr) − h(Mk|gr+xsg xs) = h(Mkgr) h(Mk|gr) = h(Mkgr)

Example: Here is a small example for Schnorr signatures where we simply assume the value of the hash function h. Key generation G: Signature function S

• q = 101, p = 607, and g = 601. • r = 65.

• x = 3. • Let s = h(mk60165) = 93.

• y = 6013 ≡ 391(mod 607). • Then t = 65 + 3 · 93 ≡ 41(mod 101).

• Public key K = (607, 101, 601, 391). • Signature (93, 41).

• Private key Kb = (607, 101, 601, 3).

IV.6.2 Digital Signature Algorithm The Digital Signature Algorithm (DSA) was developed in 1990 and has been adopted as a standard by the US FIPS. Similar to Schnorr signatures its security is based on the hardness of the discrete logarithm problem. In its modern form it uses the following basic parameters:

∗ • a 1024 bit prime p that fixes Zp, ∗ • a 160 bit prime q, such that q divides p − 1 and q is the order of a subgroup Gq of Zp,

79 • the cryptographic hash function SHA-1. Here are the details of the signature. First the key generation G: • Generate primes p and q such that p = z · q + 1, with z ∈ Z. • Choose g such that j · z ≡ g(mod p), where 1

IV.6.3 RSA Signatures The following signature is based on the RSA trapdoor function. Thus its security depends on the hardness of factoring large integers. The key generation for RSA signatures works exactly as for the public key cipher. • Choose two large random prime numbers p and q. • Compute n = p · q. • Compute ϕ(n) = (p − 1) · (q − 1). • Choose an integer e > 1 such that gcd(e, ϕ(n)) = 1. • Compute a d such that d · e ≡ 1(mod ϕ(n)). • Publish the public key K = (e, n). • Retain the private key K = d. b We assume the message M to be a number in {1,...,n − 1}. Let h be a cryptographic hash function, then we compute the signature by s = h(M)d mod n. Given the public key K = (e, n) we can verify the signature s by comparing h(M) with se mod n. b One can also define naive RSA signatures without using a hash function. However, they are as vulnerable to attacks as RSA itself and should therefore be avoided.

80 IV.6.4 Lamport Signatures Lamport signatures are a generic method to construct digital signatures using arbitrary one way functions, such as cryptographic hash functions. They derive their strength from the fact that signatures are used only once. Lamport signatures are believed to be secure even under Quantum Cryptanalysis. However, their drawback is that they grow with the size of the messages they sign. We first assume a one-way function f that takes a random key K′ and a bit as input and returns one bit as output. We also assume that we want to sign a message of length n. Key generation G works as follows:

• Generate a key K′.

• Randomly choose yi,j ∈ {0, 1} for 1 ≤ i ≤ n and j ∈ {0, 1}. ′ • Compute all zi,j = f(K ,yi,j) for 1 ≤ i ≤ n and j ∈ {0, 1}.

′ • Publish the public key K = (K , (zi,j)), i.e. 2n values zi,j.

• Retain the private key Kb = ((yi,j)), i.e. 2n values yi,j.

Given a message M = M1k .b . . kMn, where each Mi ∈ {0, 1}, 1 ≤ i ≤ n. we compute the signature by

(s1,...,sn) = (y1,M1 ,...,yn,Mn ).

Given the signature (s1,...,sn) and the public key K we can verify the signature by comparing

′ f(K ,yi,Mi ) with zi,Mb i for all 1 ≤ i ≤ n. If only one of the bits does not match the signature we reject it. Obviously the length of the signature is the same length as the message, which makes it rather impractical. But in theory, each signature is new and random and has therefore similar security properties as the one-time pad.

Field Trip to Bletchley Park, Wednesday 3rdof March, 2010: We will leave at 10 am sharp(!) from the roundabout between University station and building B1. See the Blue Zone on the campus map. We will be back before 6pm.

Next week, Friday 11th of December at 2pm, Iain Styles will give a guest lecture on “Quantum Cryptography”. There will be no lecture at 11am!

81 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 8 December, 2009 Handout 11 Summary of this handout: Certificates — VeriSign — PGP — Commitment Schemes — Mental Coin Flipping — Mental Poker — Zero Knowledge Proofs

IV.7 Digital Certificates For the public key ciphers as well as the digital signature algorithms discussed so far, we have only been concerned with the question how public keys can be generated, but not looked at the question how a public key can be published securely. We have simply assumed that Alice’s public key, once published, is available somewhere for Bob to encrypt messages and to check Alice’s signatures. However, Bob can never be absolutely certain that the public key he picks up has really been issued by Alice and not by some imposter. If a public key does not belong to the person that, for instance, claims has signed a message, Bob can be tricked into accepting and verifying signatures that are actually send by Mallory posing as Alice. It is therefore important that public keys can be reliably associated with a particular party. This goal can be achieved by digital certificates. We note that in a symmetric key system, we do not have to certify which key belongs to which partici- pating party, as we assume that the key distribution is secure and that keys are only in the hands of the parties legitimately participating in the communication. Only if the key distribution mechanism fails or a key is compromised we have to renew and redistribute the common symmetric key to all parties involved, which should lead again to a closed and secure system. In this section we will have a brief look at how digital certificates can be build and how the process of certification can be handled. 73. Certification Authorities Similar to symmetric key distribution, for certification one relies on a trusted third party, a so called certification authority (CA), which is known to every user. The role of the authority is to correctly check the identity of every person that is willing to create a key pair for a public key cryptosystem, and then issue a certificate. 74. Issuing Certificates A certificate consists of a digital signature over the user’s name and additional unique identification information, the issuer’s identification, a serial number, an expiration date, the user’s public key, as well as additional technical information and various optional extensions. The signature is created using the secret signing key of the CA. Ideally, every user knows the corresponding public key of the CA so that the validity of every certificate can be locally tested by everybody. This is generally achieved by pre-distributing the certification authority’s own certificate to all participants. Certificates of important CAs are usually included immediately in web browsers and in other relevant software. The resulting infrastructure is often called a public-key infrastructure (PKI). Note that the CA itself is an off-line entity in the sense that it only takes action when issuing a certificate, but it does not participate in the actual distribution and verification of the certificate in the future. Note further that this constitutes an important advantage over key distribution centres for symmetric keys, as these centres have to be online all the time. 75. Using Certificates In a first step Alice has to obtain or purchase a certificate from a CA. She creates a key pair and presents her public key to the CA together with her proof of identity. The latter is generally done by non-electronic means (e.g., official documents of an organisation, a passport). If the CA can successfully verify Alice’s identity, the CA issues a certificate on her public key and identity, and hands this certificate over to Alice. When Bob wants to send Alice a message that is encrypted with the certified public key he has to go through the following steps:

82 1. Bob requests Alice to send him her certificate. 2. When receiving Alice’s certificate, Bob verifies the validity of the certificate’s signature with re- spect to the public key of the CA (recall that we assumed so far that the public key of the CA is known to everybody) and also checks that the certificate is indeed associated with Alice. 3. If this verification succeeds, Bob retrieves the public key of Alice from the certificate, encrypts the desired message using this key, and sends the ciphertext to Alice. 76. Multiple Certification Authorities So far we have assumed that we have a single CA in a PKI. However, this is not necessarily the case and one has to interact with certificates issued by multiple CAs. There are several ways to combine CAs:

Hierarchical CAs Several CAs are certified by a single root CA.

Root-CA CertCA1 CertCA2

CA1 CA2

CertAlice CertBob Alice Bob

Cross-Certification Several CAs are linked by exchanging certificates directly with each other.

CertCA2

CA1 CA2

CertAlice CertCA1 CertBob Alice Bob

Web of Trust A decentralised public key infrastructure, in which certification is achieved by authenti- cation via several already known and trusted others. The Pretty Good Privacy programme (see below) implements the web of trust. 77. Revoking Certificates Eventually it may happen that a secret key gets compromised. We then need a mechanism to invalidate the corresponding certificates; one says that these certificates are revoked. Such a revocation can be seen as a statement, signed by the CA, that certain explicitly specified certificates should be considered invalid. The statement needs to be signed, as otherwise an attacker could easily revoke any certificate, resulting in a denial-of-service attack. There are several ways of revoking certificates; from simply publishing lists of invalid certificates to more efficient and complicated protocols. We will not go into details of revocation. Instead with have a quick look at two certification methods used today.

IV.7.1 VeriSign VeriSign is a company founded in 1995 by RSA Security. It is a certification authority using RSA public key cipher and DSA signature algorithm to issue certificates. VeriSign currently has more than 3,000,000 certificates in operation. VeriSign is essentially a single central authority, that uses three classes of digital certificates:

• Class 1 for individuals, intended for email; • Class 2 for organisations, for which proof of identity is required; and • Class 3 for servers and software signing, for which independent verification and checking of iden- tity and authority is done by the issuing CA.

83 IV.7.2 PGP Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authenti- cation. The first PGP version, was designed and implemented by Phil Zimmermann, and made freely available in 1991. Already with its first implementation PGP has incorporated the Web of Trust cer- tification method. And, although modern implementations of PGP also provide alternative certification methods, the Web of Trust is still central to the PGP idea. Here is a quick sketch how it works in practice: Each user typically trusts several other users, say friends or colleagues. These in turn trust other users, and so on. Now one can hope (and in practice this seems to work pretty well) that if Bob can identify one or even multiple paths between Alice and himself, the public key of Alice can be trusted. Suppose Bob wants to verify Alice’s certificate but does not trust her. However, there exists a third party, say Carol that Bob knows and trusts and Carol in turn knows and trusts Alice. Carol can then certify Alice’s public key for Bob by signing it with her own secret key. Since Bob already trusts Carol he can use her public key to verify the certificate thus obtaining Alice’s public key. To counter the case that one party in such a path is corrupted, one requires to have at least two (or better even multiple) different paths to establish trust in a user’s public key. For example Bob could trust Dave who in turn trusts Eric who in turn trusts Alice. This would lead to another chain of certificates. The web of trust relies on a similar principle as the Internet, i.e. multiple path routing. It therefore, im- plements a very sturdy method of certification that is fairly immune to failure of a certification authority. Its obvious drawback is that one “has to make friends” first before being able to certify the public keys of others. 78. Socio-ethical motivations for PGP Zimmermann’s development of PGP was mainly motivated by polit- ical considerations and his concerns of a working democratic society in the age of digital communication. He was particularly worried about how to retain privacy of personal communication in the face of an in- creasingly controlling government. Previously, when intending to spy on its citizens, governments had to expend a considerable effort to intercept communication while running a relatively high risk that the interference was detected. In the age of electronic communication however, interception, copying, and scanning of email etc. can not only be done very easily but also in arbitrary large numbers. Moreover, it can be carried out without leaving obvious traces. Zimmermann viewed this as the biggest thread to the freedom of speech and therefore democracy as a whole. And he argued that only by making powerful encryption available to every citizen one could prevent the vision of an Orwellian state.

IV.8 Commitment Schemes A commitment scheme is a method of sending secret information such that it cannot be altered at a later stage; neither by the sender nor the receiver. Commitment schemes are particularly important for electronic contract signing, e-voting, and online games. In general, commitment schemes consist of a commit phase and an open phase. The idea is that in the commit phase Alice commits to a value such that it cannot be changed later, while still keeping the value hidden. In the open phase the value is shown to Bob. Commitment schemes should be binding, i.e., Alice cannot change the value after the commit phase, and concealing, i.e., Bob cannot guess the value before the open phase. 79. Guaranteeing Commitment There are various ways of cryptographically guaranteeing commitment. We give two examples, one using hash functions and one employing public key ciphers.

Hash Function Assume Alice wants to commit to some information. She can then use a hash function to compute the hash value for the information and send it to Bob. Once the information is released Bob can compute the hash value himself and verify Alice’s commitment. Alice can also not (at least not realistically) alter her commitment without altering the hash value.

84 Public Key Cipher Assume again Alice wants to commit to some information. She can then generate a public/private key pair, encrypt the information with the public key and only publish the private key once the information needs to be verified by Bob.

80. Building Commitment Schemes Commitment schemes are a core building block for larger cryptographic protocols. I will not look at the full technical details but rather give an intuition by explaining two “mental games”.

IV.8.1 Mental Coin Flipping The most basic of commitment scheme’s in Cryptography is bit commitment, where Alice and Bob want to reach a binary decision via a single bit. This comparable with Alice and Bob trying to flip a coin, without actually physically meeting and flipping a coin. First they decide which one of the two will make the call. We assume this is Bob who calls — instead of heads or tails — either 0 or 1. Next they somehow have to flip the coin. Since we assume that neither Alice nor Bob trust the other, we cannot leave the coin toss to either one alone. They could involve Trent to simulate the coin toss, but we also assume that neither Alice nor Bob would trust him. Thus we have to come up with a way to flip the coin that is acceptable to both. In fact, we can simulate flipping the coin by using xor. Both Alice and Bob choose a bit 0 or 1, announce their choices, and the xor of the two 1 bits gives the result of the coin flip. The probability for both 0 or 1 is 2 each, i.e., exactly the probability distribution of a regular coin flip. However, we still have to prevent either party from cheating. Since Bob has already announced his call, if one of the players learns about the other’s choice of bit before they announce theirs, they can adjust their choice to win. E.g., if Bob has called 0 and learns that Alice has chosen 1, he would choose 1 himself and win. One way to prevent cheating is that both players announce their chosen bits simultaneously. However, in reality this is nearly impossible to achieve. We therefore use a commitment scheme to make the play work: One player, say Alice, commits secretly to a value. That is, she chooses either 0 or 1 before the game and cannot change the value anymore. Bob then calls the coin toss, i.e., announces publicly 0 or 1. Bob then also announces publicly his choice of bit to be xor-ed with Alice’s choice. (Observe that Bob’s choice is independent from his previous call.) Finally, Alice’s bit is revealed and xor-ed to Bob’s resulting in the final coin flip. While this approach is certainly concealing, Bob has no real guarantee that it is actually binding. So how can we ensure that Alice does not change the value she has committed to without involving a trusted third party? In order to ensure that Alice cannot change the value of her commitment anymore, she has to publish it while still keeping it secret. While this sounds contradictory it can be quite easily achieved using an arbitrary cipher:

1. Alice commits to b = 0 or b = 1, encrypts the value using a secret key K and publishes EK(b).

2. Bob calls the coin toss, i.e., announces publicly 0 or 1.

3. Bob then also announces publicly his choice of bit c = 0 or c = 1.

4. Alice publishes the key K.

5. Both Alice and Bob can now compute DK (EK(b))⊕c to see who has won.

Obviously it is not strictly necessary for Bob to contribute to the actual coin flipping anymore. Thus here is an even simpler version of mental coin flipping that uses a cryptographic hash function:

1. Alice flips a coin and commits to the value using, for example, a hash function and publishes the hash value. 2. Bob then makes his call (i.e., either 0 or 1). 3. Alice then publishes the outcome of the original flip, which Bob can verify using the hash function.

85 In practice one generally does not use the bits directly, as this would be too easy for Bob to break, in particular if the hash function has been previously agreed on. Instead Alice uses a nonce to which she adds the bit she commits to before hashing and then publishes both nonce and bit for Bob to verify.

IV.8.2 Mental Poker Now suppose Alice and Bob want to play poker without physically playing cards. We play a simplified game that consists of

1. shuffling the cards, 2. distributing five cards each, 3. calling the cards to see who has won.

[Parts of the following was taken directly from Wikipedia.org.] In the following we use a cipher for encryption and decryption. It is not important which particular cipher we use, but it is important that encryption and decryption commute. Shuffling: 1. Alice and Bob agree on a deck of cards (e.g., a set of numbers representing cards). 2. Alice picks an encryption key A and uses this to encrypt each card of the deck. 3. Alice shuffles the cards. 4. Alice passes the encrypted and shuffled deck to Bob. With the encryption in place, Bob cannot know which card is which. 5. Bob picks an encryption key B and uses it to encrypt each card of the encrypted and shuffled deck. 6. Bob shuffles the deck. 7. Bob passes the double encrypted and shuffled deck back to Alice. 8. Alice decrypts each card using her key A. This still leaves Bob’s encryption in place and she cannot know which card is which.

9. Alice picks one encryption key for each card (A1, A2, etc.) and encrypts them individually. 10. Alice passes the deck to Bob. 11. Bob decrypts each card using his key B. This still leaves Alice’s individual encryption in place though so he cannot know which card is which.

12. Bob picks one encryption key for each card (B1, B2, etc) and encrypts them individually. 13. Bob passes the deck back to Alice. 14. Alice publishes the deck for everyone playing.

The deck is now shuffled and the order is fixed such that it cannot be changed by either player without letting the other player know. Next we distribute cards. Dealing: 1. Alice gets cards 1 to 5. This information is published. 2. Bob gets cards 6 to 10. This information is published.

3. Alice requests keys B1 to B5 from Bob in order to see her cards.

4. Bob requests keys A6 to A10 from Alice in order to see his cards. The information on who drew which cards needs to be published in order for the players to be able check that an opponent is requesting keys for the correct cards, and does not cheat by requesting a key for a card s/he does not own. Now Bob can see his cards, but still not Alice’s and vice versa. Next we could have a round of betting and then see who has won. Calling:

86 1. Alice gives keys A1 to A5 to Bob. Bob can now decrypt Alice’s cards.

2. Bob gives keys B6 to B10 to Alice. Alice can now decrypt Bob’s cards. 3. The player with the better cards wins.

We can expand the play to an arbitrary number of players by extending the single steps of the protocol, i.e., shuffling, dealing, and calling. We can also extend the game to several rounds of betting by including a protocol for exchanging cards.

IV.9 Zero Knowledge Proofs In commitment schemes one commits to a value and reveals it at a later stage of the protocol for others to verify it. In zero knowledge proofs the object is now to never reveal a secret and only to convince others that one actually knows the secret. Zero knowledge proofs are a two party protocol, where one party is the prover and the other is the ver- ifier, often called Peggy and Victor. In general one uses hard, computationally infeasible, mathematical problems as secret and demonstrate the knowledge of the solution to the verifier. Since one never re- leases the actual secret, Victor can never be 100% certain that Peggy actually knows it. However, the idea is to gain a certain level of confidence such that it is very unlikely that Peggy can answer correctly without knowing the actual secret. I will not go into any mathematical detail on zero knowledge proofs but instead give their intuition with the well-known cave story. In this story, Peggy has uncovered the secret word used to open a magic door in a cave. The cave is shaped like a circle, with the entrance in one side and the magic door blocking the opposite side. Victor says he’ll pay her for the secret, but not until he’s sure that she really knows it. Peggy says she’ll tell him the secret, but not until she receives the money. They devise a scheme by which Peggy can prove that she knows the word without telling it to Victor. First, Victor waits outside the cave as Peggy goes in. We label the left and right paths from the entrance A and B. She randomly takes either path A or B. Then, Victor enters the cave and shouts the name of the path he wants her to use to return, either A or B, chosen at random. Providing she really does know the magic word, this is easy: she opens the door, if necessary, and returns along the desired path. Note that Victor does not know which path she has gone down. However, suppose she does not know the word. Then, she can only return by the named path if Victor gives the name of the same path that she entered by. Since Victor chooses A or B at random, she has at most a 50% chance of guessing correctly. If they repeat this trick many times, say 20 times in a row, her chance of successfully anticipating all of Victor’s requests becomes vanishingly small, and Victor is convinced that she knows the secret. You may ask, why not just make Peggy take a known path that will force her through the door, and make Victor wait at the entrance? Certainly, that will prove that Peggy knows the secret word, but it also allows the possibility of eavesdropping. By randomising the initial path that Peggy takes and preventing Victor from knowing it, it reduces the chances that Victor can follow Peggy and learn not just that she knows the secret word, but what the secret word actually is. This part of the exchange is important for keeping the amount of information revealed to a minimum. This example as well as the illustrations below has been taken directly from the Wikipedia. Source: Wikipedia

87 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 8 December, 2009

Exercise Sheet 11

This exercise sheet is unassessed!

32. Extend the mental poker protocol presented in the handout by one round in which each player can exchange 0 to 3 cards.

33. Which parts of the mental poker protocol presented in the handout have to be extended to accom- modate a third player Carol?

88 1919 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 14 December, 2009

Solutions for Exercise Sheet 11

32. When designing a protocol for the exchange of cards, there are two important points that we have to take into account:

(I) When a player exchanges a card from his hand, this card needs to be properly discarded. In particular, it should not be possible for the exchanging player to access a discarded card again in order to revoke an earlier decision. (II) No keys that have been already been used in the protocol can be reused. In particular, any key that has been made public to let players see their cards cannot be reused.

The card exchange protocol then looks like this:

1. Alice publishes the cards she wants to exchange. Note that each card is still encrypted with a key Ai that only Alice knows.

2. Bob encrypts the published cards using a new keys BRound1 . Now neither Bob nor Alice can access the cards. 3. Alice replaces the discarded cards with the next cards on the deck.

4. Bob gives the corresponding Bi keys to Alice so she can see the newly drawn cards. The same four steps of the protocol are repeated for each player, in our case just Bob.

5. Bob publishes the cards he wants to exchange. Note that each card is still encrypted with a key Bi that only Bob knows.

6. Alice encrypts the published cards using a new keys ARound1 . Now neither Alice nor Bob can access the cards. 7. Bob replaces the discarded cards with the next cards on the deck.

8. Alice gives the corresponding Ai keys to Bob so she can see the newly drawn cards. After the game is over, both Alice and Bob can verify that no-one has cheated by decrypting all cards and comparing them to the original deck. Note, in order to protect the strategies of different players (i.e., how they exchange cards, when they bluff, etc.) during a game of poker, it is often desirable that the order of the cards is again randomised before the integrity of the deck is verified. This can be done by Alice and Bob (1) encrypting all the cards with new keys A′ and B′ again, (2) removing all the keys that have been used during the game by publishing them, (3) shuffling the deck, (4) before removing the keys A′ and B′ by publishing them.

33. Here is the extended protocol of three players: Shuffling: 1. Alice, Bob, and Carol agree on a deck of cards (e.g., a set of numbers representing cards). 2. Alice picks an encryption key A and uses this to encrypt each card of the deck. 3. Alice shuffles the cards. 4. Alice passes the encrypted and shuffled deck to Bob. 5. Bob picks an encryption key B and uses it to encrypt each card of the encrypted and shuffled deck. 6. Bob shuffles the deck. 7. Bob passes the double encrypted and shuffled deck to Carol.

s 8. Carol picks an encryption key C and uses it to encrypt each card of the encrypted and shuffled deck. 9. Carol shuffles the deck. 10. Carol passes the double encrypted and shuffled deck back to Alice. 11. Alice decrypts each card using her key A.

12. Alice picks one encryption key for each card (A1, A2, etc.) and encrypts them individually. 13. Alice passes the deck to Bob. 14. Bob decrypts each card using his key B.

15. Bob picks one encryption key for each card (B1, B2, etc) and encrypts them individually. 16. Bob passes the deck to Carol. 17. Carol decrypts each card using his key C.

18. Carol picks one encryption key for each card (C1, C2, etc) and encrypts them individually. 19. Carol passes the deck back to Alice. 20. Alice publishes the deck for everyone playing.

Dealing: 1. Alice gets cards 1 to 5. This information is published. 2. Bob gets cards 6 to 10. This information is published. 3. Carol gets cards 11 to 15. This information is published.

4. Alice requests keys B1 to B5 from Bob and C1 to C5 from Carol in order to see her cards. 5. Bob requests keys A6 to A10 from Alice and C6 to C10 from Carol in order to see his cards. 6. Carol requests keys A11 to A15 from Alice and B11 to B15 from Bob in order to see her cards.

Calling: 1. Alice gives keys A1 to A5 to Bob and Carol. Bob gives keys B1 to B5 to Carol and Carol gives Bob keys C1 to C5 in return. Both can now decrypt Alice’s cards.

2. Bob gives keys B6 to B10 to Alice and Carol. Alice gives keys A6 to A10 to Carol and Carol gives Alice keys C6 to C10 in return. Both can now decrypt Bob’s cards.

3. Carol gives keys C10 to C15 to Alice and Bob. Alice gives keys A11 to A15 to Bob and Bob gives Alice keys B11 to B15 in return. Both can now decrypt Carol’s cards. 4. The player with the better cards wins.

t 06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 11 December, 2009 Handout 12 Review Suggestions There will be revisions lectures in the week 27 April – 1 May 2009. In general you should be able to

1. answer some knowledge questions on the topics of the module,

2. work with some of the algorithms we have discussed in the module,

3. apply some of the maths presented in the module.

There will be choice in the exam. Here is a more detailed (non-exhaustive!) list of topics you should review for the final exam.

Historic Ciphers and Overview • Basic concepts (e.g. substitution, transposition, code, cipher,decrypt, encrypt, etc.) • Basic divisions of ciphers (symmetric, asymmetric, block, stream etc.) • Apply permutation, shift, mono-alphabetic ciphers • Apply Vigen´ere cipher • NO CRYPTANALYSIS OF HISTORIC CIPHERS!

Block Ciphers • Basic scheme of block ciphers and some examples • Functioning of Feistel Ciphers • Apply a simple Feistel Cipher when given the function F • Schematic overview and components of DES (DON’T LEARN THE DETAILS BY HEART!) • Apply S-Box and P-Box substitutions, when given S-Boxes or P-Boxes (AGAIN, DON’TLEARN S-BOXESOR P-BOXES BY HEART!) • Schematic overview and components of Rijndael (DON’T MEMORISE THE DETAILS OF THE OP- ERATIONS!) • Functioning of some modes of operation

Stream Ciphers • Basic scheme of stream ciphers and some examples • Idea of Pseudo-random Generators • Basic idea of RC4 (DON’T LEARN IT BY HEART!) • Functioning of LFSRs and their combination • Apply LFSR when given a connection polynomial

89 Key Exchange Protocols • Basic principles of symmetric key exchange • Be familiar with the main components of key exchange protocols and their major differences • Analyse protocols for weaknesses

Hash Functions and MACs • Basic principles of Hash functions and some examples • Idea of one-way functions • Merkle-Damg˚ard construction • Apply Hash functions, when given their algorithm (DONOTLEARN MD4, SHA-1, ETC. BY HEART!) • Basic idea of MACs • Basic scheme of HMAC, CBC-MAC, PMAC (DO NOT LEARN ALL THE DETAILED FORMULAS BY HEART!)

Public Key Ciphers • Basic scheme of asymmetric cryptography and public key ciphers • Components of public key ciphers • Role of one-way functions and trapdoor one-way functions plus some examples • Apply Diffie-Hellman key exchange (YOU REALLY NEED TO KNOW THIS ONE!) • Apply ElGamal when given the details • Know RSA and apply it (YOU ALSO NEED TO KNOW RSA!)

Digital Signatures • Basic scheme and components of a digital signature • Examples of different signature algorithms (NOT IN DETAIL!) • Apply a signature algorithm when given its details • Explain the idea of Lamport signatures

Cryptanalysis • Difference between active and passive attacks • Some examples of active and passive attacks • Wireless protocols: What’s the difference between WEP, WPA, WPA-2? Basic working, weak- nesses, possible attacks.

Certificates& Commitment Schemes • Basic idea of certificates • Basic idea of commitment schemes

90 Legal & Ethical Issues • AACS controversies • Motivations of PGP

Mathematics • Permutations

– Application, multiplication, and computing inverses

• Modular Arithmetic

– Addition, subtraction, and multiplication modulo

• Finite Fields

– Polynomial Division in Z

– Polynomial division in F2[x]

– Arithmetic in F2[x]/p(x) – Translate between binary numbers, hexadecimal numbers, and polynomials

• Discrete Logarithm and Subgroups

– Generate subgroups ∗ – Compute inverses in Zp – Discrete exponentiation

• Arithmetic Modulo a Composite ∗ – Compute inverses in Zn – Euclidean algorithm – Extended Euclidean algorithm

91