Cryptography and Security of Digital Devices
Exercise book
Alessandro Barenghi, Gerardo Pelosi
April 6, 2017 - Rev 1.4.1

Contents

1 Historical Ciphers and Basic Principles 5
  1.1 Substitution Ciphers 5
    1.1.1 Distinguishing ciphers 5
    1.1.2 Breaking Vigenère 6
    1.1.3 Breaking Playfair 8
    1.1.4 Breaking Nihilist 10
  1.2 Permutation Ciphers 11
    1.2.1 A simple permutation cipher 11
    1.2.2 Matrix Based Permutation Cipher 11
  1.3 Composition of historical ciphers 12
    1.3.1 Double Substitution 12
    1.3.2 Double Vigenère 12
    1.3.3 Double Permutation 13
    1.3.4 Mixing Substitutions and Permutations 14
  1.4 Enigma 15
  1.5 Principles of Information Theory 18
    1.5.1 Computing the entropy of random variables 18
2 Block Ciphers 21
  2.1 Data Encryption Standard 21
    2.1.1 DES-V and DES-W 21
    2.1.2 DES-A 22
    2.1.3 DES Collision attacks 23
    2.1.4 DES Block Widening 24
  2.2 Modes of Operation 25
    2.2.1 Error Recovery in CBC and ECB 25
    2.2.2 CBC Malleability 25
    2.2.3 CTR With Repeated IV 26
    2.2.4 Faulty Disk Encryption 27
    2.2.5 Altering messages with CBC and CTR 28
  2.3 Block Cipher Cryptanalysis 28
    2.3.1 S-Box Design 28
    2.3.2 Linear and Differential Cryptanalysis - (I) 29
    2.3.3 Linear and Differential Cryptanalysis - (II) 32
    2.3.4 Linear and Differential Cryptanalysis - (III) 34
3 Stream Ciphers 37
  3.1 Linear Feedback Registers 37
    3.1.1 LFSR (I) 37
    3.1.2 LFSR (II) 38
    3.1.3 LFSR (III) 39
4 Cryptographic Hashes 41
    4.0.1 Hashes with multiplicative groups 41
  4.1 Collisions 41
    4.1.1 Saving on digest size 41
    4.1.2 Strengthening MD5 42
    4.1.3 Keyed and strengthened SHA-31337 42
    4.1.4 Triple Collisions 43
  4.2 Length extension attacks 43
    4.2.1 The Gambling House 43
5 Finite Fields 45
  5.1 Prime Fields 45
    5.1.1 Quick Computations over F_p^* 45
  5.2 Polynomial Rings 45
    5.2.1 Irreducible and Primitive polynomials 45
    5.2.2 Irreducible and Primitive polynomials - 2 46
    5.2.3 Zech Logarithm 46
6 Public-Key Cryptosystems 49
  6.1 RSA Cryptosystem 49
    6.1.1 Computing RSA 49
    6.1.2 Computing RSA - 2 49
    6.1.3 Mental Poker 50
    6.1.4 Factoring n with collateral information 51
  6.2 Diffie-Hellman Cryptosystem 53
    6.2.1 Prime Field Choice 53
    6.2.2 Breaking DSS-DSA 53
  6.3 Elliptic Curve Cryptosystems 54
    6.3.1 Elliptic Curve Characterization - (I) 54
    6.3.2 Elliptic Curve Characterization - (II) 55
    6.3.3 Faulty RNG and ECDSA 56
7 Fast Arithmetics, Discrete Logs and Factoring 57
  7.1 Montgomery Multiplication 57
    7.1.1 Montgomery Multiplication in radix-4 58
  7.2 Factoring 59
    7.2.1 Pollard's P − 1 59
    7.2.2 Fermat's Method 59
    7.2.3 Pollard Rho 60
  7.3 Discrete Logarithms 60
    7.3.1 Pohlig-Hellman method - ex1 60
    7.3.2 Pohlig-Hellman method - ex2 61
8 Protocols 63
  8.1 TLS 63
    8.1.1 Ciphersuite choices 63
    8.1.2 SSLv3 IV Flaw 64
  8.2 Custom Protocols Analysis 65
    8.2.1 (Un)Safe communication with symmetric key only 65
    8.2.2 Secure Password Storage 65
    8.2.3 Time-To-Memory tradeoff for bruteforcing - (I) 66
  8.3 Commitment schemes 67
    8.3.1 Washing Dishes 67
9 Side Channel Attacks 69
  9.1 Passive Side Channel Attacks 69
    9.1.1 Simple and Differential Power Analysis 69
  9.2 Fault Attacks 70
    9.2.1 Faulty RSA-CRT signatures 70
A Useful notions for fast approximations 71
B Summary of linear algebra: Determinant and Matrix Inversion 73

Chapter 1
Historical Ciphers and Basic Principles

Cryptanalyzing historical ciphers shows clearly what happens when cryptographic schemes predating Kerckhoffs's principle are scrutinized with full knowledge of their structure. More in detail, we will break a couple of ciphers employing a ciphertext-only attack: the weakest possible condition for an attacker, and in some cases despite the fact that the cipher keyspace is not negligible.
1.1 Substitution Ciphers

1.1.1 Distinguishing ciphers

Examining the frequency of the single letters in an encrypted plaintext yields the results depicted in Figure 1.1. From the results of the frequency analysis, what can you infer on the following points?

[Figure 1.1: Letter frequencies of a large English text (the actual letter is employed as the x-axis label), and of the ciphertext.]

1. Which is the plaintext language?
2. Is the employed cipher a substitution cipher of some kind?
3. Does the employed cipher include a permutation?

Solution:

1. The letter frequencies match perfectly the ones of plain English: it is quite likely that the plaintext is expressed in it.
2. The match between the two histograms suggests a monoalphabetic substitution to be the technique in use.
3. It is not possible to infer whether or not the cipher includes a permutation from a single-letter frequency analysis, as permutations leave this quantity unaltered.

1.1.2 Breaking Vigenère

The polyalphabetic substitution cipher known as the Vigenère cipher was invented by Giovan Battista Bellaso back in 1553, and later misattributed to Vigenère. The scheme exploits a keyword to define a set of shift ciphers which are applied to the plaintext depending on the plaintext letter position. This is done by mapping each letter of the alphabet to a shift amount, and applying the circular shifts to the plaintext in the same order as the key letters. The shifts are repeated as many times as needed to map the whole plaintext into ciphertext. As a simple running example, given HAL as plaintext and BBB as the key, the resulting shift amounts are 1-1-1, thus yielding IBM as ciphertext.

The main advantage of the Vigenère cipher is a flattening effect on the frequency histogram of the ciphertext letters, as can be seen in Figure 1.2. The flattening effect becomes more and more evident as the length of the cipher key grows.

[Figure 1.2: Letter frequencies of different encrypted texts computed on a ≈450k-character ciphertext: monoalphabetic substitution, Vigenère with a 6-letter key, Vigenère with a 30-letter key, One-Time Pad.]

The Vigenère cipher can be broken by observing that the ciphertext characters sharing the same position modulo the key length are actually shifted by the same amount. This in turn leads to the possibility of finding out the key length via Kasiski examination, i.e. looking for repeated patterns in the ciphertext and computing the greatest common divisor of their distances. This.
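As an added example, not code from the exercise book, the following Python encrypts with the Vigenère cipher as described above and applies Kasiski examination to a constructed sample; it also checks the property the attack rests on, namely that ciphertext positions sharing the same index modulo the key length carry the same shift, so the letter histogram of such a column is the plaintext column's histogram rotated. The sample plaintext and the key ABC are constructed for the illustration.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def clean(text: str) -> str:
    """Keep only the 26 uppercase letters, as the exercise book's ciphers do."""
    return "".join(c for c in text.upper() if c in ALPHA)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift letter i by the key letter at position i mod len(key) (HAL, BBB -> IBM)."""
    key, sign = clean(key), -1 if decrypt else 1
    return "".join(ALPHA[(ALPHA.index(c) + sign * ALPHA.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(clean(text)))


def columns(text: str, key_len: int) -> list[str]:
    """Group the characters sharing the same position modulo the key length."""
    return [text[i::key_len] for i in range(key_len)]


def histogram(text: str) -> list[int]:
    """Letter counts in alphabetical order (the data behind Figures 1.1 and 1.2)."""
    return [text.count(c) for c in ALPHA]


def kasiski_distances(ciphertext: str, n: int = 3) -> list[int]:
    """Distances between consecutive occurrences of every repeated n-gram."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return [b - a for pos in positions.values() for a, b in zip(pos, pos[1:])]


def kasiski_key_length(ciphertext: str, n: int = 3) -> int:
    """GCD of all repeat distances. The true key length divides every genuine
    distance, so with few repeats the GCD may be a multiple of it, while a chance
    repeat can shrink it: treat the result as a candidate to confirm by decryption."""
    return reduce(gcd, kasiski_distances(ciphertext, n), 0)


# Constructed sample: THE recurs at positions 0, 9 and 21, all multiples of the key length 3.
SAMPLE_PT = "THEQUICKXTHEBROWNZFOXTHELAZYD"
SAMPLE_KEY = "ABC"  # shifts 0, 1, 2

if __name__ == "__main__":
    ct = vigenere(SAMPLE_PT, SAMPLE_KEY)
    print(ct, kasiski_distances(ct), kasiski_key_length(ct))
```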