Cryptology for Smarties

© 2006 Peter Škvarenina


7/28/2019 Cryptology for Smarties

http://slidepdf.com/reader/full/cryptology-for-smarties 1/101


I would like to thank Martin Stanek for his excellent cryptology lectures at the Faculty of Mathematics, Physics and Computer Science of the Comenius University, for his willingness to allow the use of translations of some parts of his lectures within this book and for his encouraging and helpful comments during the preparation of this book.

Futurama series characters used in this book are © Matt Groening.

All graphics in this book are either the work of the author or were obtained from the Internet and are believed to come from public domain sources.


Table of Contents

Cryptology basics................................................................................................................................6

Encryption and decryption...............................................................................................................6

Cryptanalysis characters.................................................................................................................. 7

A little about the history of cryptology.............................................................................................8

4000 BCE - Egypt, Menet-Khufu - Khnumhotep II tomb inscriptions........................................... 8

500 BCE - Greece, Sparta - Scythale, transposition cipher............................................................. 8

100 BCE - Substitution cipher.........................................................................................................9

1466 CE - Polyalphabetic cipher, Vigenère square......................................................................... 9

1914-1918 CE - One-time pad, Vernam cipher.............................................................................10

1976 CE - Public key cryptography...............................................................................................11

1984 CE - Quantum cryptography.................................................................................................12

Basic ciphers......................................................................................................................................13

Simple substitution cipher............................................................................................................. 13

Permutation cipher.........................................................................................................................15

Vernam cipher (one-time pad).......................................................................................16

Vigenère cipher..............................................................................................................16

Types of attacks............................................................................................................................. 20

Symmetric cryptography................................................................................................................. 21

Block and stream ciphers...............................................................................................................21

Modes of operation........................................................................................................................ 21

ECB (Electronic Code Book)....................................................................................................22

CBC (Cipher Block Chaining).................................................................................................. 22

OFB (Output Feedback)............................................................................................................23

CFB (Cipher Feedback)............................................................................................................ 23

Iterated ciphers...............................................................................................................................24

Cipher standards............................................................................................................ 24

Feistel ciphers........................................................................................................... 25

DEA / DES (Data Encryption Algorithm / Standard)...............................................................25

Multiple encryption...................................................................................................................27

2TDES.......................................................................................................................................27

“Meet in the Middle” attack................................................................................................. 27

Triple DES (TDES / TDEA / 3TDES / 3DES)......................................................................... 27

AES (Advanced Encryption Standard / Rijndael).....................................................................28

IDEA (International Data Encryption Algorithm).................................................................... 30

Blowfish....................................................................................................................................31

Asymmetric cryptography...............................................................................................................33

Basics of asymmetric (public key) cryptography.......................................................... 33

Hybrid encryption..........................................................................................................33

Asymmetric protocols....................................................................................................................34

RSA...........................................................................................................................................34

Correctness of RSA..............................................................................................................35

Security of RSA....................................................................................................................38

Elgamal .......................................................................................................................... 39

Correctness of Elgamal........................................................................................................ 39

Rabin ................................................................................................................................40

Security of Rabin..................................................................................................................40

Diffie-Hellman key exchange (DH)..........................................................................................41


“Man in the Middle” attack..................................................................................................41

Other asymmetric cryptosystems.......................................................................... 42

Merkle-Hellman................................................................................................................... 42

Paillier.................................................................................................................................. 42

Cryptographic hash functions.........................................................................................................43

Use of cryptographic hash function...............................................................................................43

Commitment scheme.................................................................................................43

Message integrity...................................................................................................... 43

Cryptographic hash function properties and weaknesses.............................................................. 43

One-way function......................................................................................................................44

Weakly collision-free hash function (second preimage resistance)..........................................44

Strongly collision-free hash function (collision resistance)......................................................44

Birthday attack..........................................................................................................................44

Probability computation....................................................................................................... 44

The attack............................................................................................................................. 45

Replay attack.............................................................................................................................45

Construction of cryptographic hash functions...............................................................................46

Constructions from block ciphers............................................................................. 46

Iterated hash functions..........................................................................................46

Merkle-Damgård construction.........................................................................................47

Construction of compression function................................................................................. 47

Davies-Meyer scheme..................................................................................................... 47

Matyas-Meyer-Oseas scheme..........................................................................................47

Miyaguchi-Preneel...........................................................................................................48

Contemporary cryptographic hash functions.................................................................................48

Message Digest Algorithm 5 - MD5.........................................................................................48

Secure Hash Algorithm - SHA..................................................................................................51

Whirlpool.................................................................................................................................. 54

Message Authentication Code (MAC).......................................................................................... 55

CBC-MAC................................................................................................................................ 56

HMAC.......................................................................................................................................56

Preserving confidentiality with MAC....................................................................................... 56

Digital signatures.............................................................................................................................. 58

Electronic signatures......................................................................................................................58

Reasons to use digital signatures................................................................................................... 58

Public key digital signatures.......................................................................................................... 59

Relation to common law................................................................................................................60

Digital signature schemes.............................................................................................................. 61

Elgamal scheme........................................................................................................ 61

Digital Signature Standard (DSS)............................................................................. 61

RSA scheme......................................................................................................................... 62

Digital Signature Algorithm (DSA)..................................................................................... 62

Blind signatures............................................................................................................................. 64

RSA blind signature scheme..................................................................................................... 64

Public key infrastructure (PKI)...................................................................................................... 65

Certificates and certification authorities........................................................................................65

Benefits of public key infrastructure............................................................................................. 65

Planning a public key infrastructure.............................................................................................. 66

Structure of a public key infrastructure......................................................................................... 67

Trust models.................................................................................................................................. 67


Cross-certification..........................................................................................................................67

X.509 Public Key Infrastructure Standard.....................................................................................68

Cryptographic protocols..................................................................................................................69

Diffie-Hellman key-exchange protocol......................................................................................... 70

Modified Diffie-Hellman key-exchange protocol using certification authorities......................... 71

Station to Station protocol............................................................................................................. 71

Interlock protocol...........................................................................................71

Otway-Rees protocol..................................................................................................... 72

 Needham-Schroeder protocol........................................................................................................ 73

 Needham-Schroeder public-key protocol......................................................................................74

Yahalom protocol.......................................................................................................................... 75

Denning-Sacco protocol................................................................................................................ 75

Wide Mouth Frog protocol............................................................................................................ 76

Modified Wide Mouth Frog protocol............................................................................................ 77

Kerberos protocol.......................................................................................................................... 77

Agora protocol............................................................................................................................... 78

Cryptographic protocol construction security advice...................................................79

Quantum cryptography................................................................................................... 80

Quantum theory basics...................................................................................................80

Quantum cryptography principles................................................................................................. 81

Polarized photons......................................................................................................................81

Entangled photons.....................................................................................................................81

Classical cryptography versus quantum cryptography.................................................................. 82

Privacy amplification................................................................................................................ 82

 No deniability............................................................................................................................82

Attacks...................................................................................................................................... 82

Quantum key distribution (QKD)..................................................................................................83

BB84 quantum coding scheme................................................................................................. 83

Algorithm............................................................................................................................. 84

Example without eavesdropping.......................................................................................... 85

Example with eavesdropping............................................................................................... 85

B92 quantum coding scheme.................................................................................................... 87

Einstein-Podolsky-Rosen (EPR) protocol.................................................................87

Practical implementations..............................................................................................................89

Elliptic curve cryptography.............................................................................................................90

Cryptographic schemes..................................................................................................................91

Trusted Computing.......................................................................................................................... 92

Trust............................................................................................................................................... 92

Concepts of trusted computing...................................................................................... 92

Controversy....................................................................................................................93

Owner override.............................................................................................................................. 94

Secure bootstrap.............................................................................................................................95

Hardware boot process verification............................................................................................... 97

Virtualization technologies in trusted computing..........................................................................98

Digital Rights Management........................................................................................................... 99

Literature........................................................................................................................................ 101


Cryptology basics

Cryptology is the scientific field concerned with mathematical and physical techniques for securing information during communication. In its early years, cryptology concerned itself mainly with the construction of methods of privacy preservation, i.e. ciphers. As technology developed, the scope of the field widened substantially and now includes other security requirements, such as integrity, authorship verification, authentication protocols, digital signatures, electronic elections etc.

Cryptology is basically divided into two parts:

 – cryptography – the art of cipher (algorithm, protocol) construction

 – cryptanalysis – the art of cipher breaking and attack prevention

Encryption and decryption

The objective of encryption is to transform input data into a form unrecognizable to a potential attacker, who is then unable to reconstruct the original data. It is also required that authorized recipients are able to reconstruct the original data from the encrypted form. Input data in their original form are called the plaintext. The transformation process is called encryption and is realized by an encryption algorithm (function), the cipher. The result of the encryption is called the ciphertext. The encryption algorithm may also be parametrized by another input, the encryption key, which is independent of the plaintext.

The inverse transformation (ciphertext to plaintext) is called decryption and is realized by a decryption algorithm (also parametrized by the key).

Formal notation

Let P, C, K be finite sets:

P – set of all plaintexts

C – set of all ciphertexts

K – set of encryption keys

We say that the function E: P × K → C is an encryption function iff there exists a function D: C × K → P such that the following holds:

∀ k ∈ K, ∀ p ∈ P : D(E(p, k), k) = p

The tuple (E, D) then forms an encryption system.

In other words, E is an encryption function only if a correct decryption function D exists.

[Figure: the plaintext and the key enter the encryption algorithm, which produces the ciphertext]


Cryptanalysis characters

As a part of cryptanalysis culture, roles of participants in the secured communication have been

given unique names that quickly blended with the rest of the used jargon.

These names were chosen by Ron Rivest for the 1978 Communications of the ACM 

article presenting the RSA cryptosystem.

Alice – wants to send a message to Bob

Bob – receiver of Alice's messages

Eve – eavesdropper , only listens to Alice – Bob communication

Mallory – malicious attacker, listens to and modifies communication between Alice and Bob

Oscar – opponent , same as Mallory

[Figure: Alice, Bob, Eve, Mallory and Oscar]


A little about the history of cryptology

4000 BCE

Egypt, town of Menet-Khufu; hieroglyphic inscriptions on the tomb of the nobleman Khnumhotep II, written with a number of unusual symbols to confuse or obscure the meaning of the inscriptions.

500 BCE

Σπάρτη (Sparta), Ἑλλάς (Greece); the first cryptographic device, called σκυτάλη (scythale).

A wooden cylinder; both the sender and the receiver of a message owned a scythale of the same diameter. To prepare an encrypted message, a narrow strip of parchment was wound around the scythale and the message was written in rows, with subsequent characters in consecutive columns. The unwound strip then displayed a sequence of meaningless letters, suitable for transport. To decipher the message, the strip had to be re-wound onto a scythale of the same diameter.

Let's demonstrate the functionality of the scythale on a message sent by a Spartan outpost about the leader of Athens, Pericles:

Plaintext: PERICLE ENTERED SPARTA

Scythale:

Ciphertext: PCNEAELTDRREESTIERPA

This is the first known occurrence of a transposition cipher in history. The letters remain the same, but their order is shuffled.

[Figure: the strip wound around the scythale; reading down the columns gives PCNEAELTDRREESTIERPA]
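The scythale as code, added here as an example and not part of the book: the book's ciphertext PCNEAELTDRREESTIERPA is what you get by writing the 20 letters in rows of four (one row per turn of the strip, spaces dropped) and reading the strip column by column, so `width=4` below reproduces it. The `width` parameter stands in for the diameter of the rod; the decrypt routine also handles a message whose length is not a multiple of the width, which the book's example does not show. The frequency check at the end illustrates the book's remark that the letters stay the same and only their order changes.

```python
from collections import Counter


def _letters(text: str) -> str:
    """Keep only letters, upper-cased; spaces are dropped as in the book's example."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def scythale_encrypt(plaintext: str, width: int) -> str:
    """Write the message in rows of `width` letters (one row per turn of the strip)
    and read the unwound strip column by column."""
    letters = _letters(plaintext)
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[c] for c in range(width) for row in rows if c < len(row))


def scythale_decrypt(ciphertext: str, width: int) -> str:
    """Re-wind the strip: split the ciphertext back into columns (the first
    len % width columns are one letter longer when the last row is short)
    and read row by row."""
    n = len(ciphertext)
    full, extra = divmod(n, width)
    columns, pos = [], 0
    for c in range(width):
        length = full + (1 if c < extra else 0)
        columns.append(ciphertext[pos:pos + length])
        pos += length
    row_count = full + (1 if extra else 0)
    return "".join(col[r] for r in range(row_count) for col in columns if r < len(col))


def same_letter_counts(plaintext: str, ciphertext: str) -> bool:
    """A transposition only reorders letters, so the plaintext's letter frequencies
    survive unchanged in the ciphertext. That is the fingerprint a cryptanalyst
    uses to tell a transposition from a substitution."""
    return Counter(_letters(plaintext)) == Counter(ciphertext)


if __name__ == "__main__":
    msg = "PERICLE ENTERED SPARTA"
    ct = scythale_encrypt(msg, 4)
    print(ct)                           # PCNEAELTDRREESTIERPA
    print(scythale_decrypt(ct, 4))      # PERICLEENTEREDSPARTA
    print(same_letter_counts(msg, ct))  # True
```

The secret is only the width (the rod's diameter), so anyone can try every small width in turn; the unchanged letter frequencies are what reveal that a transposition, rather than a substitution, was used.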


100 BCE

Gaivs Ivlivs Caesar, first appearance of a substitution cipher. Messages were encoded by substituting each letter in the text with the one three positions to the right: A became D, etc.

Plaintext alphabet  A B C D E F G H I K L M N O P Q R S T V X Y Z

Ciphertext alphabet D E F G H I K L M N O P Q R S T V X Y Z A B C

Decipher alphabet   X Y Z A B C D E F G H I K L M N O P Q R S T V

Let's demonstrate the usage of Caesar's shift:

Plaintext: VENI VIDI ET OCCVLOS MEOS CREDERE NON POTVI

Ciphertext: ZHQMZMGMHYRFFZORXPHRXFVHGHVHQRQSRYZM
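Caesar's shift over the 23-letter Latin alphabet of the table above, as an added example (not code from the book), together with a check of the (E, D) definition from "Encryption and decryption": for every key k in K and plaintext p in P, D(E(p, k), k) = p. The table rows are produced by rotating the alphabet, so the "decipher alphabet" is simply the rotation by −3. Spaces are dropped, which is how the book's ciphertext comes out as one unbroken string. The names `LATIN`, `KEY_SPACE` and the function names are my own.

```python
# Caesar's 23-letter Latin alphabet as given in the book's table (no J, U, W).
LATIN = "ABCDEFGHIKLMNOPQRSTVXYZ"


def shifted_alphabet(shift: int, alphabet: str = LATIN) -> str:
    """The row of the substitution table obtained by rotating the alphabet.
    shift=3 gives the ciphertext alphabet, shift=-3 the decipher alphabet."""
    shift %= len(alphabet)
    return alphabet[shift:] + alphabet[:shift]


def caesar_encrypt(plaintext: str, key: int, alphabet: str = LATIN) -> str:
    """E(p, k): replace each letter by the one `key` positions to the right.
    Characters outside the alphabet (spaces) are dropped, as in the book."""
    table = str.maketrans(alphabet, shifted_alphabet(key, alphabet))
    letters = "".join(ch for ch in plaintext.upper() if ch in alphabet)
    return letters.translate(table)


def caesar_decrypt(ciphertext: str, key: int, alphabet: str = LATIN) -> str:
    """D(c, k): apply the decipher alphabet, i.e. the rotation by -key."""
    table = str.maketrans(alphabet, shifted_alphabet(-key, alphabet))
    return ciphertext.translate(table)


def is_encryption_system(E, D, plaintexts, keys) -> bool:
    """The book's definition: (E, D) is an encryption system iff
    D(E(p, k), k) == p for every key k in K and plaintext p in P."""
    return all(D(E(p, k), k) == p for k in keys for p in plaintexts)


# K for Caesar over this alphabet: the 23 possible rotations (key 0 is the identity).
KEY_SPACE = range(len(LATIN))


if __name__ == "__main__":
    pt = "VENI VIDI ET OCCVLOS MEOS CREDERE NON POTVI"
    ct = caesar_encrypt(pt, 3)
    print(ct)                    # ZHQMZMGMHYRFFZORXPHRXFVHGHVHQRQSRYZM
    print(caesar_decrypt(ct, 3))  # VENIVIDIETOCCVLOSMEOSCREDERENONPOTVI
    print(is_encryption_system(caesar_encrypt, caesar_decrypt, ["VENIVIDI", "SPQR"], KEY_SPACE))
```

The check only confirms that decryption inverts encryption, which is all the formal definition asks. It says nothing about security: K has 23 elements here, so every key can be tried by hand, and since each plaintext letter always maps to the same ciphertext letter, the letter frequencies of the language show through as well.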

1466 CE

Leon Battista Alberti, invention of polyalphabetic ciphers, followed in 1586 by Blaise de Vigenère with his Vigenère square, at the time considered “Le Chiffre Indéchiffrable”.

Polyalphabetic ciphers transform a plaintext character into different ciphertext characters according to its position in the plaintext, using an encryption key.

The Vigenère square is a 26×26 table whose rows are consecutive Caesar shifts of the alphabet. Thus the first row contains the original alphabet, the second row the original alphabet shifted by 1, the third row the alphabet shifted by 2, etc.

The plaintext is encrypted using a different row (Caesar shift) for each character. The row is determined by the encryption key. The encryption key is extended to the length of the message by repeating it (we can represent this by spelling out the keyword above the plaintext message). Each character of the plaintext is then encrypted as the character that lies in the Vigenère square at the intersection of the column headed by the plaintext character and the row headed by the matching encryption key character.

Example:

We would like to encrypt the plaintext message 'MEETING STARTS AT EIGHT' using the encryption key 'RADS'.

Repeating encryption key  RADSRADSRADSRADSRADS

Plaintext                 MEETINGSTARTSATEIGHT

Ciphertext                DEHLZNJKKAULJAWWZGKL

Although considered an uncrackable cipher for over 150 years, in 1854 Charles Babbage introduced a statistical method that successfully broke the Vigenère cipher. The method was later (1863) formalized by a major in the Prussian army, Friedrich Kasiski, and is now known as the Kasiski test.


The principle of the Kasiski test lies in the observation that the same group of plaintext characters encrypts into the same group of ciphertext characters whenever the two occurrences are shifted by a multiple of the length of the keyword. Therefore, it is essential to find all repeating groups of characters in the ciphertext. Fundamentally, the weakness is the repetition of the key.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

Vigenère square
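The Vigenère square and the Kasiski observation in one added example (my code, not the book's): encryption looks up the row headed by the key letter and the column headed by the plaintext letter, exactly as described in the 1466 section, and reproduces the book's 'MEETING STARTS AT EIGHT' / 'RADS' ciphertext. For the Kasiski part the sample plaintext is constructed so that the group THEMEETING recurs 28 positions later, a multiple of the key length 4; the repeated trigrams in the ciphertext are therefore all 28 apart, and the divisors of the greatest common divisor of those distances are the candidate key lengths. The function names and the sample text are my own.

```python
from functools import reduce
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text: str) -> str:
    """Upper-case and keep letters only (spaces are dropped, as in the book)."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def square_row(shift: int) -> str:
    """Row `shift` of the Vigenère square: the alphabet Caesar-shifted by `shift`."""
    return ALPHABET[shift:] + ALPHABET[:shift]


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Key letter selects the row, plaintext letter selects the column."""
    p, k = _letters(plaintext), _letters(key)
    out = []
    for i, ch in enumerate(p):
        row = square_row(ALPHABET.index(k[i % len(k)]))  # key repeats under the text
        out.append(row[ALPHABET.index(ch)])
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Find the ciphertext letter in the key letter's row; its column is the plaintext."""
    k = _letters(key)
    out = []
    for i, ch in enumerate(ciphertext):
        row = square_row(ALPHABET.index(k[i % len(k)]))
        out.append(ALPHABET[row.index(ch)])
    return "".join(out)


def kasiski_distances(ciphertext: str, n: int = 3) -> list[int]:
    """Distances between consecutive occurrences of every repeated n-gram.
    Identical plaintext groups encrypt identically when their positions differ
    by a multiple of the key length, so the key length divides these distances
    (chance repeats excepted)."""
    positions: dict[str, list[int]] = {}
    for i in range(len(ciphertext) - n + 1):
        positions.setdefault(ciphertext[i:i + n], []).append(i)
    return sorted(b - a for pos in positions.values() for a, b in zip(pos, pos[1:]))


def key_length_candidates(distances: list[int]) -> list[int]:
    """Divisors (>= 2) of the gcd of all distances; the true key length is among them."""
    g = reduce(gcd, distances, 0)
    return [d for d in range(2, g + 1) if g % d == 0]


if __name__ == "__main__":
    print(vigenere_encrypt("MEETING STARTS AT EIGHT", "RADS"))  # DEHLZNJKKAULJAWWZGKL
    # Constructed sample: THEMEETING recurs 28 letters later (28 = 7 * key length).
    sample = "THE MEETING STARTS AT EIGHT AND SO THE MEETING ENDS AT NINE"
    ct = vigenere_encrypt(sample, "RADS")
    print(ct)                                         # KHHEVEWAEGVLRRWKRTHAXHWSEDVGKHHEVEWAEGHFUSDLEIQW
    print(kasiski_distances(ct))                      # [28, 28, 28, 28, 28, 28, 28, 28]
    print(key_length_candidates(kasiski_distances(ct)))  # [2, 4, 7, 14, 28]
```

On real text some repeats occur by chance and pull the gcd down, which is why the test is followed by frequency analysis of each column; the point the book makes still stands: the leak comes entirely from the key repeating, and a key as long as the message (the one-time pad of the next section) leaves nothing for the test to find.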

1914-1918 CE (World War I)

Joseph Mauborgne, a major in the US Army, the first randomized cipher, the one-time pad. The first and to date only cipher system that has the property of perfect secrecy, i.e. the ciphertext gives absolutely no additional information about the plaintext (proved by Claude Shannon).

A variation of the Vigenère cipher; it employs randomized keys. The randomness of the key is carried into the ciphertext, which makes it impossible to find repetitive patterns in the ciphertext. The a priori probability of a plaintext message is the same as the a posteriori probability of that plaintext message given the corresponding ciphertext; in fact, all plaintexts are equally probable. This is a strong notion of cryptanalytic difficulty.


1917 CE

Gilbert Sandford Vernam, co-inventor of the one-time pad (U.S. Patent 1310719), also called the Vernam cipher or XOR cipher.

The plaintext is XORed with a randomly generated stream of data of the same length to produce the ciphertext.

The problem of securely transporting the plaintext turns into the problem of securely transporting a key of the same length, i.e. it yields a recurrent problem.

Contemporary usage includes a wide range of applications. The Vernam cipher is now part of RC4, the Rivest Cipher 4 (ARCFOUR), heavily used in Wi-Fi (WEP and WPA) and SSL.
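The Vernam cipher as an added example (my code, not the book's). `xor_bits` works on bit strings written out as text so that the book's 25-bit figure can be reproduced directly; `vernam` does the same on bytes with a pad drawn from the operating system's random generator, and because XOR is its own inverse one function serves for both encryption and decryption. `pad_reuse_leak` shows why the pad is "one-time": when the same pad covers two messages the key cancels out of the XOR of the two ciphertexts, so the perfect-secrecy argument of the previous section no longer holds. Function names and sample messages are my own.

```python
import os


def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings given as text ('0'/'1'), as in the book's figure."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be bit strings of equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """A fresh pad: `length` bytes from the OS CSPRNG. Perfect secrecy needs the
    pad to be truly random, at least as long as the message, and used only once."""
    return os.urandom(length)


def vernam(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt: c = p XOR k and p = c XOR k, so one function does both."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer obtains when one pad encrypts two messages:
    c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2. The pad cancels and the
    two plaintexts are left related to each other, with no key involved."""
    return bytes(x ^ y for x, y in zip(c1, c2))


if __name__ == "__main__":
    # The bit strings from the book's figure (plaintext, random key, ciphertext).
    print(xor_bits("1001010010111010110101011", "1100101001011101110101101"))  # 0101111011100111000000110
    message = b"MEET AT EIGHT"            # constructed sample message
    pad = new_pad(len(message))
    ciphertext = vernam(message, pad)
    print(vernam(ciphertext, pad) == message)  # True
    other = b"ENDS AT NINE!"             # same length, encrypted under the same pad (the mistake)
    leak = pad_reuse_leak(ciphertext, vernam(other, pad))
    print(leak == bytes(x ^ y for x, y in zip(message, other)))  # True: the pad is gone
```

The length check is the "recurrent problem" the book names: a pad that is too short cannot be stretched, it must be replaced by a new one transported securely, which is exactly the key-distribution problem that public key cryptography and quantum key distribution later address.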

1976 CE

Whitfield Diffie, Martin Hellman, dawn of public key cryptography (asymmetric cryptography). A participant has two keys – a private and a public key. The public key is usually distributed to anyone willing to send an encrypted message and “locks” the message, whilst the private key “unlocks” it. The sender encrypts the message using the receiver's public key; the receiver then uses its private key to decipher the encoded message. Originally, Diffie & Hellman utilized the discrete logarithm problem.

Telephone directory encoding example:

Let's take the telephone directory of a large city (e.g. 2^512 inhabitants). This directory is usually sorted by name. Assume that Alice wants to send a secure message to Bob. She therefore replaces every character of her message with the telephone number of a randomly chosen name from the telephone directory that begins with the character being encoded. Bob is somehow the only person in the world who also possesses the inverted telephone directory, i.e. he owns a telephone directory that is sorted by telephone numbers. When Alice's message arrives, Bob simply looks up the telephone numbers in the inverted list and notes the first character of each name. But Eve is not able to decipher the message, as the number of people in the city is too large for a search through the normal telephone directory to be feasible.

[Figure: Vernam cipher]

Plaintext    1001010010111010110101011

Random key   1100101001011101110101101  (XOR)

Ciphertext   0101111011100111000000110


1984 CE 

Charles Bennet , Gilles Brassard , Quantum Cryptography using polarized photons. Instead of 

using NP-Complete problems as in the public key cryptography, quantum cryptography relies on physical properties of subatomic particles.

Quantum cryptography provides a means to securely transport an encryption/decryption key between Alice and Bob. Alice and Bob can then use the one-time pad (Vernam's cipher), which guarantees perfect secrecy, for the rest of the communication.

Therefore, quantum cryptography solves the “Catch XXII” of classical (mathematically based) cryptography.

Catch XXII: Before Alice and Bob can communicate in secret, they must first communicate in secret.

Catch XXII(a): Even if Alice and Bob somehow succeed in communicating their key over a secure communication channel, there is simply no classical cryptographic mechanism guaranteeing with total certainty that their key was transmitted securely, i.e., that their “secure” communication channel is free of Eve's unauthorized intrusion.

Polarized light scheme

The scheme uses pulses of polarized light, with one photon per pulse. Consider two types of polarization, linear and circular. Linear polarization can be vertical or horizontal, and circular polarization can be left-handed or right-handed. Any type of polarization of a single photon can encode one bit of information, for example vertical polarization for "0" and horizontal polarization for "1", or left-handed polarization for "0" and right-handed polarization for "1". In order to generate a random key, Alice must send either horizontal or vertical polarization with equal probability. To keep Eve from successfully eavesdropping, Alice also randomly uses the alternative circular polarizations, choosing at random between left-handed and right-handed photons. The security of this scheme is based on the fact that Eve does not know whether any given pulse codes for 0 or 1 using the linear or the circular polarization. If Eve tries to measure the state and guesses wrongly, she will disturb it, and Alice and Bob can monitor for such disturbances to test for possible eavesdropping and even estimate what fraction of the transmitted key Eve might have obtained.

Bob does not know which polarizations were used for any given pulse coding either. (Alice could tell him, but since it has to be kept secret from Eve, they would need a cryptographically secure communication channel to do this, and if they had one they wouldn't need this scheme.) However, he can guess, and half the time he will get it right. Once the photons are safely received, so that Eve cannot use the information, Alice can tell him which guesses were right and which wrong.
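The polarized-light scheme above as a simulation, added here as an example that is not from the book: photons are modelled abstractly with the two bases, an optional intercept-resend Eve is added, and the error rate of the disclosed sample shows how Alice and Bob detect her. The function names, the pulse counts and the "twice the error rate" estimate are this example's own assumptions.

```python
"""Simulation of the polarized-light key exchange described above.

Added example, not the book's code. Photons are modelled abstractly:
basis 0 = linear, basis 1 = circular; a photon measured in the basis it was
sent in yields its bit, measured in the other basis it yields a random bit.
"""
import random

LINEAR, CIRCULAR = 0, 1


def random_bits(rng, n):
    return [rng.getrandbits(1) for _ in range(n)]


def measure(bit, sent_basis, measure_basis, rng):
    """Read one photon; a wrong-basis measurement disturbs the state."""
    if sent_basis == measure_basis:
        return bit
    return rng.getrandbits(1)


def exchange(n_pulses, rng, eve_intercepts=False):
    """Send n_pulses photons and return Alice's and Bob's sifted bits."""
    alice_bits = random_bits(rng, n_pulses)
    alice_bases = random_bits(rng, n_pulses)  # linear or circular, equal odds
    bob_bases = random_bits(rng, n_pulses)    # Bob can only guess
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve_intercepts:
            # Intercept-resend: Eve measures in a random basis and resends a
            # photon carrying her result, in the basis she used.
            eve_basis = rng.getrandbits(1)
            bit, basis = measure(bit, basis, eve_basis, rng), eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))
    # Sifting: Alice announces which of Bob's basis guesses were right (about
    # half); only those positions are kept. The bit values stay secret.
    keep = [i for i in range(n_pulses) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def check_for_eavesdropping(alice_key, bob_key, sample_size, rng):
    """Disclose and compare a random sample of the sifted bits.

    Returns (error rate, estimated fraction of the key Eve knows, the
    undisclosed remainder of the key). Without Eve the error rate is 0. An
    intercept-resend Eve guesses the basis right half the time (and then knows
    the bit); each wrong guess flips Bob's bit with probability 1/2, so she
    knows roughly twice the observed error rate of the key (assumption of
    this example: Eve intercepts every pulse the same way).
    """
    positions = set(rng.sample(range(len(alice_key)), sample_size))
    errors = sum(1 for i in positions if alice_key[i] != bob_key[i])
    error_rate = errors / sample_size
    eve_fraction = min(1.0, 2 * error_rate)
    remaining = [b for i, b in enumerate(alice_key) if i not in positions]
    return error_rate, eve_fraction, remaining


if __name__ == "__main__":
    for eve in (False, True):
        rng = random.Random(2006)
        alice, bob = exchange(2000, rng, eve_intercepts=eve)
        err, frac, key = check_for_eavesdropping(alice, bob, 300, rng)
        print(f"Eve intercepting: {eve}  sifted: {len(alice)}  "
              f"error rate: {err:.3f}  fraction known to Eve: ~{frac:.2f}  "
              f"key bits kept: {len(key)}")
```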

Figure: telephone directory example
Alice's public key (the directory, sorted by name; only a few entries shown): Bender, Charles 913; Brainiac, Mark 017; Henin, Paulette 524; Irving, John 245; O'Reily, Jim 175
Plaintext: Hi Bob...  Ciphertext: 524 245 017 175 913
Bob's private key (the inverted directory, sorted by number): 017 Brainiac, Mark; 175 O'Reily, Jim; 245 Irving, John; 524 Henin, Paulette; 913 Bender, Charles

Basic ciphers

Simple substitution cipher

The cipher first introduced by Caesar and in later centuries extended and developed is now known as the substitution cipher.

The simple substitution cipher encodes messages by changing the order of characters in the alphabet of the ciphertext. Both the plaintext and the ciphertext use the same set of characters (referred to as an alphabet), but the order of the ciphertext alphabet is a permutation of the order of the plaintext alphabet. If we assume that the typical English alphabet consists of 26 characters, the total number of possible ciphertext alphabets is 26! (cca 4E24), and their number is too large for an exhaustive search attack to be practical.

Formally, we can express the simple substitution cipher as follows:

Let A (or P) be the plaintext alphabet and C the ciphertext alphabet (the same as A), and let K be the set of all keys, i.e. the set of all bijections from A to A (therefore k(A) is one particular permutation of A using the key k from K). Then the encryption and decryption functions are defined as

$E_k(p) = k(p)$

$D_k(c) = k^{-1}(c)$

$p \in P,\ c \in C,\ k \in K$

Both the encryption and decryption keys are applied character by character, and the corresponding cipher- or plaintext is obtained at the end of a single pass.

The following table demonstrates the encryption function k as the mapping from the plaintext alphabet to the ciphertext alphabet.

p     A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
k(p)  E Q R D I P K A F L W S B G C T Y Z J M X U H V O N

Plaintext:  REPETITIO EST MATER STVDIORVM
Ciphertext: ZITIMFMFCIJMBEMIZJMUDFCZUB

Breaking the cipher

Imagine we received this ciphertext:

AIZEGKMAIFGJXZEGRIQZCWIZFGRCSRAIJMIZMCSIEZGMAEMMAIMIBTCZEZORCUIZGCMIPCZMAIBCMCZR
ORSIAEDQIIGFJJXIDMAIZXJJFEGEJWIDMAIQZCWIZGCMMCBEFSFMAIHCXSDRCSSIRMFMAFBJISPMAFJA
IDFDFBBIDFEMISOEGDSEMIMAEMEPMIZGCCGBCUIDFGMCGXBQIZMHISUIRAIZZOAEOIJAIJTIGMTEZMCP
MAIGFKAMHCZWFGKREZIPXSSOHFMAAFJCGIMFBITEDJTZITEZFGKERCDIDBIJJEKIMAEMGCRCBTXMIZHC
XSDQZIEWRCDIQZIEWFGKAIWGIHFJQEJIDCGTEMMIZGJEGDZITIMFMFCGJACHIUIZJCTAFJMFREMIDMAI
RCBTXMIZXJIDMCRZERWMAIRCDIXJFGKECGIMFBITEDPCZIERAHCZDCPEJACZMBIJJEKISIEUIJGCTEMM
IZGJEGDGCZITIMFMFCGJ

How do we decipher this message? If we look at the simple substitution cipher, we can easily see that some statistical characteristics of the text remain unchanged in the ciphertext. One of them is the frequency characteristic. Even though the characters morph into different characters in the ciphertext, the distribution of characters remains the same (as we substitute character for character). Therefore, it is possible to compare the distribution of ciphertext characters to the character distribution of a “typical” text in English. Let's look at these distributions:


As we can see, these distributions look very familiar. Let's say that our initial guess will be that E morphed into I, T into M, O into C and A into E. Also, we see that the ciphertext characters V, Y, L and N have zero occurrences; therefore we assume that they correspond to the characters J, X, Q, Z in English.

Our ciphertext will now be changed into:

AeZaGKtAeFGJXZaGReQZoWeZFGRoSRAeJteZtoSeaZGtAattAeteBToZaZORoUeZGotePoZtAeBotoZR

ORSeAaDQeeGFJJXeDtAeZXJJFaGaJWeDtAeQZoWeZGottoBaFSFtAeHoXSDRoSSeRtFtAFBJeSPtAFJA

eDFDFBBeDFateSOaGDSatetAataPteZGooGBoUeDFGtoGXBQeZtHeSUeRAeZZOAaOeJAeJTeGtTaZtoP

tAeGFKAtHoZWFGKRaZePXSSOHFtAAFJoGetFBeTaDJTZeTaZFGKaRoDeDBeJJaKetAatGoRoBTXteZHo

XSDQZeaWRoDeQZeaWFGKAeWGeHFJQaJeDoGTatteZGJaGDZeTetFtFoGJAoHeUeZJoTAFJtFRateDtAe

RoBTXteZXJeDtoRZaRWtAeRoDeXJFGKaoGetFBeTaDPoZeaRAHoZDoPaJAoZtBeJJaKeSeaUeJGoTatt

eZGJaGDGoZeTetFtFoGJ

After close examination, we can see that some strings in the text repeat. For example, we can see TatteZGJ twice, ZeTetFtFoGJ twice, etc. Searching through a dictionary, we can guess the plaintext form of TatteZGJ as patterns. By substituting T with p, Z with r, G with n and J with s, we can try to decipher the second repeating string, ZeTetFtFoGJ, as repetFtFons. Therefore, we can guess that F represents i in the plaintext, obtaining repetitions as the plaintext. We should also check whether the suggested substitution matches the distribution. This is the case here. Therefore we get:

AeranKtAeinsXranReQroWerinRoSRAestertoSearntAattAeteBporarORoUernotePortAeBotorR

ORSeAaDQeenissXeDtAerXssianasWeDtAeQroWernottoBaiSitAeHoXSDRoSSeRtitAiBseSPtAisA

eDiDiBBeDiateSOanDSatetAataPternoonBoUeDintonXBQertHeSUeRAerrOAaOesAespentpartoP

tAeniKAtHorWinKRarePXSSOHitAAisonetiBepaDspreparinKaRoDeDBessaKetAatnoRoBpXterHo

XSDQreaWRoDeQreaWinKAeWneHisQaseDonpatternsanDrepetitionsAoHeUersopAistiRateDtAe

RoBpXterXseDtoRraRWtAeRoDeXsinKaonetiBepaDPoreaRAHorDoPasAortBessaKeSeaUesnopatt

ernsanDnorepetitions

Further guesses, obtained by looking into the partially deciphered text, reveal that P probably means f in the plaintext (aPternoon), K means g (preparinK), A means h (spent part oP tAe), D is d (patterns anD repetitions), B is m (one tiBe paD), R is c (sopAistiRateD), H is w (Por eaRA HorD oP sAort BessaKe):

herangtheinsXranceQroWerincoSchestertoSearnthatthetemporarOcoUernoteforthemotorc

OcSehadQeenissXedtherXssianasWedtheQroWernottomaiSithewoXSdcoSSectithimseSfthish

edidimmediateSOandSatethatafternoonmoUedintonXmQertweSUecherrOhaOeshespentpartof

thenightworWingcarefXSSOwithhisonetimepadspreparingacodedmessagethatnocompXterwo

XSdQreaWcodeQreaWingheWnewisQasedonpatternsandrepetitionshoweUersophisticatedthe

compXterXsedtocracWthecodeXsingaonetimepadforeachwordofashortmessageSeaUesnopatt

ernsandnorepetitions

Figure: character frequency distributions (frequency per character). Ciphertext characters in descending order of frequency: I M C E Z G A J F D R S T B X H W K Q P O U V Y L N (V, Y, L and N do not occur). Typical English text in descending order of frequency: E T A O I N S H R D L C U M W F G Y P B V K J X Q Z.

The final guesses are now trivial, as they can be easily obtained from the context. We get O representing y (temporarO), U is v (coUer note), X is u (insXrance), S is l (message SeaUes no patterns), W is k (Xsed to cracW the code) and finally Q is b. By applying the rest of the substitutions, we obtain the plaintext:

He rang the insurance broker in Colchester, to learn that the temporary cover

note for the motorcycle had been issued. The Russian asked the broker not to

 mail it; he would collect it himself.

This he did immediately, and late that afternoon moved into number twelve

Cherryhayes. He spent part of the night working carefully with his one-time

 pads, preparing a coded message that no computer would break. Codebreaking, he

knew, is based on patterns and repetitions, however sophisticated the computer

used to crack the code. Using a one time pad for each word of a short message

leaves no patterns and no repetitions.

The plaintext is an excerpt from Frederick Forsyth's book “The Fourth Protocol”.

Our example was straightforward; in reality, the progress of the deciphering will be hindered by incorrect guesses that require backtracking. Nevertheless, this process can be almost entirely automated using language dictionaries.
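The substitution cipher and the frequency-analysis steps walked through above, as an added example that is not the book's code: it uses the page's key table and ciphertext, reproduces the Latin example, ranks the ciphertext letters by frequency, applies the partial guesses in the same upper/lowercase notation and finds the repeated strings. The helper names are this example's own.

```python
"""Simple substitution cipher and the frequency-analysis steps used above.

Added example, not the book's code. KEY is the substitution table from the
page (A->E, B->Q, C->R, ...), and CIPHERTEXT is the message broken above,
joined into one string.
"""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
KEY = "EQRDIPKAFLWSBGCTYZJMXUHVON"

CIPHERTEXT = (
    "AIZEGKMAIFGJXZEGRIQZCWIZFGRCSRAIJMIZMCSIEZGMAEMMAIMIBTCZEZORCUIZGCMIPCZMAIBCMCZR"
    "ORSIAEDQIIGFJJXIDMAIZXJJFEGEJWIDMAIQZCWIZGCMMCBEFSFMAIHCXSDRCSSIRMFMAFBJISPMAFJA"
    "IDFDFBBIDFEMISOEGDSEMIMAEMEPMIZGCCGBCUIDFGMCGXBQIZMHISUIRAIZZOAEOIJAIJTIGMTEZMCP"
    "MAIGFKAMHCZWFGKREZIPXSSOHFMAAFJCGIMFBITEDJTZITEZFGKERCDIDBIJJEKIMAEMGCRCBTXMIZHC"
    "XSDQZIEWRCDIQZIEWFGKAIWGIHFJQEJIDCGTEMMIZGJEGDZITIMFMFCGJACHIUIZJCTAFJMFREMIDMAI"
    "RCBTXMIZXJIDMCRZERWMAIRCDIXJFGKECGIMFBITEDPCZIERAHCZDCPEJACZMBIJJEKISIEUIJGCTEMM"
    "IZGJEGDGCZITIMFMFCGJ"
)


def encrypt(plaintext, key=KEY):
    """E_k(p) = k(p), character by character; non-letters are dropped."""
    table = dict(zip(ALPHABET, key))
    return "".join(table[ch] for ch in plaintext.upper() if ch in table)


def decrypt(ciphertext, key=KEY):
    """D_k(c) = k^-1(c); the plaintext is returned in lowercase."""
    inverse = {c: p for p, c in zip(ALPHABET, key)}
    return "".join(inverse[ch] for ch in ciphertext.upper() if ch in inverse).lower()


def frequency_order(text):
    """All 26 letters ordered by descending frequency in text (ties
    alphabetically); letters that never occur come last."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    return sorted(ALPHABET, key=lambda ch: (-counts[ch], ch))


def partial_decrypt(ciphertext, guesses):
    """Apply a partial key guess (ciphertext letter -> lowercase plaintext
    letter); unguessed letters stay as uppercase ciphertext, as above."""
    return "".join(guesses.get(ch, ch) for ch in ciphertext)


def repeated_substrings(text, length):
    """Substrings of the given length occurring more than once: the
    repetitions the worked example spots next (TatteZGJ, ZeTetFtFoGJ)."""
    counts = Counter(text[i:i + length] for i in range(len(text) - length + 1))
    return {s for s, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(encrypt("REPETITIO EST MATER STVDIORVM"))
    print("".join(frequency_order(CIPHERTEXT)))
    step1 = partial_decrypt(CIPHERTEXT, {"I": "e", "M": "t", "C": "o", "E": "a"})
    print(step1[:80])
    print(sorted(s for s in repeated_substrings(step1, 8) if not s.islower()))
    print(decrypt(CIPHERTEXT)[:60])
```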

Permutation cipher

This cipher uses a different approach, transposition, first introduced by the Spartans with their famous scythale. Complementary to the approach of the simple substitution cipher, the permutation cipher divides the plaintext into partitions of the same size, and the characters in each partition are positionally shuffled, using the same shuffling pattern in each partition. If the plaintext does not fill the last partition, that (or the first) partition can be extended using padding. Both the plaintext and the ciphertext alphabet remain the same. The term transposition denotes one swap of positions, always affecting two characters. Each permutation can be decomposed into a set of transpositions, hence the name of the principle behind the permutation cipher.

Formally, let m ≥ 1 (the length of the partition). Let A be the alphabet of the plaintext language. Then P = C = A^m, i.e. m-tuples of characters of the alphabet A. The set of keys K is the set of permutations of the set {1, 2, ..., m}. The encryption and decryption functions are defined as follows:

$E((p_1, p_2, \dots, p_m), k) = (p_{k(1)}, p_{k(2)}, \dots, p_{k(m)})$

$D((c_1, c_2, \dots, c_m), k) = (c_{k^{-1}(1)}, c_{k^{-1}(2)}, \dots, c_{k^{-1}(m)})$

Example:

Let's use a permutation of the set {1, 2, 3, 4} as the key, e.g. {3, 1, 4, 2}; i.e. the first character will shuffle to the second position, the second character to the last position, the third character to the first position and the last character to the third position.

Plaintext: USE TRANSPOSITION
Partitioned plaintext: USET RANS POSI TION
Ciphertext: EUTS NRSA SPIO OTNI

Weaknesses

As the cipher operates on blocks whose length matches the length of the key, the length of the whole ciphertext is divisible by the length of the key. This allows us to narrow down the possible lengths of the key. For each possible key size, the possible permutations are tried to find the permutation which yields the highest number of bigrams and trigrams that are frequent in the underlying language of the plaintext.
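The permutation cipher above, as an added example that is not the book's code: it implements E and D with the page's key {3, 1, 4, 2} (using the inverse permutation for decryption), pads the last partition with 'X' as an assumption of this example, and lists the key lengths that the divisibility weakness leaves open.

```python
"""Permutation (transposition) cipher from the section above.

Added example, not the book's code. The key k is a permutation of {1, ..., m}
written as a tuple; position j of a ciphertext block holds p_k(j), and
decryption uses the inverse permutation. Padding with 'X' is this example's
own choice.
"""


def inverse_permutation(key):
    """k^-1 as a tuple: inv[k(j)] = j (1-based positions, as in the text)."""
    inv = [0] * len(key)
    for j, kj in enumerate(key, start=1):
        inv[kj - 1] = j
    return tuple(inv)


def encrypt(plaintext, key, pad="X"):
    """E((p_1 .. p_m), k) = (p_k(1), ..., p_k(m)) applied to every partition."""
    m = len(key)
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    text += pad * (-len(text) % m)  # fill the last partition
    return "".join(text[i + kj - 1] for i in range(0, len(text), m) for kj in key)


def decrypt(ciphertext, key):
    """D((c_1 .. c_m), k) = (c_k^-1(1), ..., c_k^-1(m)) applied to every partition."""
    m = len(key)
    if len(ciphertext) % m:
        raise ValueError("ciphertext length is not a multiple of the key length")
    inv = inverse_permutation(key)
    return "".join(ciphertext[i + ij - 1] for i in range(0, len(ciphertext), m) for ij in inv)


def candidate_key_lengths(ciphertext_length):
    """Weakness from the text: the key length divides the ciphertext length,
    so only its divisors greater than 1 need to be tried."""
    return [m for m in range(2, ciphertext_length + 1) if ciphertext_length % m == 0]


if __name__ == "__main__":
    key = (3, 1, 4, 2)
    c = encrypt("USE TRANSPOSITION", key)
    print(c, decrypt(c, key), candidate_key_lengths(len(c)))
```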


Vernam cipher (one-time pad)

Suppose that we want to encrypt a plaintext of length m ≥ 1 whose alphabet A consists of 0 and 1, i.e. A = {0, 1}. The length of the plaintext, ciphertext and key is m, so $P = C = K = \{0, 1\}^m$. Encryption is performed by adding the key to the plaintext bit by bit modulo 2 (XOR operation):

$E_k(p) = p \oplus k = (p_1 \oplus k_1, \dots, p_m \oplus k_m)$

To decipher the ciphertext, we can utilize the fact that for each x ∈ {0, 1} it holds that x ⊕ x = 0. Therefore, it is sufficient to add the key to the ciphertext once more to obtain the plaintext:

$D_k(c) = c \oplus k = (p \oplus k) \oplus k = p$

The Vernam cipher provides us with perfect secrecy, i.e. the attacker is not able to obtain the plaintext from the ciphertext regardless of the computing power the attacker possesses, when the following conditions are satisfied:

1. Keys are chosen from the set K randomly, independently and with the same probability.

2. To encrypt a new plaintext, a new key from K is always chosen.

Weaknesses

Assume that we use the same key k to encrypt two plaintexts $p_1$ and $p_2$. Then by summing both ciphertexts we can eliminate the effect of the key k and obtain

$(p_1 \oplus k) \oplus (p_2 \oplus k) = p_1 \oplus p_2$

From the sum of two plaintexts, if they are redundant (which is the normal case for a natural language), it is possible to obtain both plaintexts.

Another annoyance when using the Vernam cipher is the fact that we have exchanged the secure transport of information for the secure transport of an encryption key of the same size as the information. But in cases when the required bits are generated in advance in sufficient amount, this does not necessarily cause significant security problems.
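The Vernam cipher on the bit strings of the figure above, together with the key-reuse weakness just described, as an added example that is not the book's code; the second plaintext is constructed for the demonstration and the function names are this example's own.

```python
"""Vernam cipher (one-time pad) on bit strings, and why a pad must not be reused.

Added example, not the book's code. The 25-bit plaintext and key are the
values from the figure above; the second plaintext is constructed for the
key-reuse demonstration.
"""
import secrets


def xor_bits(a, b):
    """Bit-by-bit addition modulo 2 of two equal-length '0'/'1' strings."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("operands must be bit strings of equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def fresh_key(nbits):
    """Condition 1: a key drawn uniformly at random, here from a CSPRNG."""
    return format(secrets.randbits(nbits), f"0{nbits}b")


def encrypt(plaintext, key):
    """E_k(p) = p xor k"""
    return xor_bits(plaintext, key)


def decrypt(ciphertext, key):
    """D_k(c) = c xor k = (p xor k) xor k = p"""
    return xor_bits(ciphertext, key)


def key_reuse_leak(c1, c2):
    """Violating condition 2: (p1 xor k) xor (p2 xor k) = p1 xor p2, so the
    key cancels and an observer sees the sum of the two plaintexts."""
    return xor_bits(c1, c2)


def recover_second_plaintext(c1, c2, p1):
    """Once p1 is known or guessed, the leak gives p2 outright."""
    return xor_bits(key_reuse_leak(c1, c2), p1)


if __name__ == "__main__":
    P1 = "1001010010111010110101011"  # plaintext from the figure
    K = "1100101001011101110101101"   # random key from the figure
    C1 = encrypt(P1, K)
    print(C1, decrypt(C1, K) == P1)
    P2 = "1111000011110000111100001"  # constructed second message
    C2 = encrypt(P2, K)                # same key reused: forbidden by condition 2
    print(key_reuse_leak(C1, C2) == xor_bits(P1, P2),
          recover_second_plaintext(C1, C2, P1) == P2)
    print(fresh_key(25))
```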

Vigenère cipher

A polyalphabetic substitution cipher, where the same plaintext character can be encrypted into various ciphertext characters, depending on its position in the plaintext. Let n ≥ 1 be the length of the key, and let the plaintext alphabet A have m characters. Each character is numbered by a number from 0 .. m − 1 (e.g. according to the alphabet order). Each key is an n-tuple of numbers from 0 .. m − 1. Then the encryption and decryption functions are:

$E((p_1, p_2, \dots, p_n), k) = ((p_1 + k_1) \bmod m, \dots, (p_n + k_n) \bmod m)$

$D((c_1, c_2, \dots, c_n), k) = ((c_1 - k_1) \bmod m, \dots, (c_n - k_n) \bmod m)$

Longer text is encrypted in blocks of n characters, using padding if required.

Example:

Key         H  S  I  V  H  S  I  V  H  S  I  V
            7 18  8 21  7 18  8 21  7 18  8 21
Plaintext   P  O  P  O  C  A  T  E  P  E  T  L
           15 14 15 14  2  0 19  4 15  4 19 11
Ciphertext  W  G  X  J  J  S  B  Z  W  W  B  G
           22  6 23  9  9 18  1 25 22 22  1  6

Breaking the cipher

Cryptanalysis of the Vigenère cipher proceeds in two steps:

1. Determination of the size of the key (the value of n)

2. Determination of the key $(k_1, k_2, \dots, k_n)$

First phase

To determine the size of the key, we can use the procedure invented by William Frederick Friedman in 1920, the index of coincidence $I_c$. The index of coincidence of a t-character text $x = (x_1, x_2, \dots, x_t)$ (denoted as $I_c(x)$) is the probability that two randomly chosen characters from x are equal. Assume that $f_1, f_2, \dots, f_m$ are the numbers of occurrences of the characters in x. Then the index of coincidence can be computed as follows:

$I_c(x) = \frac{\sum_{i=1}^{m} f_i^2}{t^2} = \frac{\sum_{i=1}^{m} f_i (f_i - 1)}{t (t - 1)}$

If x is a natural language text, we expect that $I_c \approx \sum_{i=1}^{m} p_i^2$, where $p_i$ is the probability of occurrence of the i-th character in the corresponding language. The longer the text x is, the closer the index of coincidence should be to the theoretical value. For English, the theoretical value can be computed from the letter frequencies (in percent) as:

$(12{,}70^2 + 9{,}06^2 + \dots + 0{,}10^2 + 0{,}07^2) / 100^2 = 0{,}0655$

(the values were obtained from the frequency tables of the English language)

If the text x were filled with random characters, we would expect $I_c(x) = 26 \cdot (1/26)^2 = 0{,}0385$.

Interestingly, the index of coincidence remains invariant under any simple substitution; this is what we exploit against a polyalphabetic substitution (such as the Vigenère cipher).

The key lengths n = 1, 2, ... will be tested. For the correct length of the key, the characters of the text x at the positions i, n + i, 2n + i, ... (1 ≤ i ≤ n) are encrypted using the same $k_i$. Therefore, the ciphertext can be partitioned into n partitions:

$k_1$: $x_1, x_{n+1}, x_{2n+1}, \dots$

$k_2$: $x_2, x_{n+2}, x_{2n+2}, \dots$

...

$k_n$: $x_n, x_{2n}, x_{3n}, \dots$

where each partition is obtained from the plaintext using a simple substitution. Therefore, we expect that each partition has an index of coincidence close to the index of coincidence of the language and distant from that of random text. If the text x is split into partitions of a size that mismatches the size of the key, these partitions will be obtained as combinations of two or more simple substitutions; therefore their index of coincidence will move closer to that of random text. Also, multiples of the length of the key should be closer to the index of coincidence of natural language. Computing the average index of coincidence of the partitions for each possible length of key and comparing them to the index of coincidence of natural language and of random text should yield the correct length of the key.

Second phase

Now the task is to obtain the key, whose length is known. To successfully obtain the components of the key $k = (k_1, k_2, \dots, k_n)$, we first determine the relative distances of $k_1$ to each component of the key, i.e. $k_2 - k_1, \dots, k_n - k_1$. To determine these distances, we use the mutual index of coincidence $MI_c(x, y)$ of two strings x and y. The mutual index of coincidence is the probability that a randomly chosen character from x is equal to a randomly chosen character from y. If we denote the numbers of occurrences of the individual characters in x as $f_1, f_2, \dots, f_m$ and similarly for y as $f'_1, f'_2, \dots, f'_m$, then the mutual index of coincidence can be obtained from:

$MI_c(x, y) = \sum_{i=1}^{m} \frac{f_i \cdot f'_i}{t \cdot t'}$, where $t = |x|$ and $t' = |y|$

The mutual index of coincidence of two strings x and y does not change when the same simple substitution is applied to both strings. We expect that natural language strings have a mutual index of coincidence approximately equal to the index of coincidence of the language.

Determination of the relative distance $k_i - k_1$ (i = 2, ..., n) proceeds by shifting the characters of the partition of $k_i$ by δ = 0, 1, ..., m − 1 and examining the mutual index of coincidence with the partition of the component $k_1$. If $k_i - k_1 = δ$, the index is approximately equal to the index of coincidence of the natural language. Otherwise, the index is closer to the index for randomly distributed characters.

The only thing left is to determine the value of $k_1$. This can be done by evaluating all possibilities (their number is the number of characters in the alphabet). By substituting each particular $k_1$ and decrypting the ciphertext, only one text will be meaningful. This determines the correct value of $k_1$.

Example

Imagine we received the following ciphertext (the letters are organized in quintuples for better readability):

VIYNZ HWZLV EHDGA ZKDGA PJAGS DOUYS PYAJH ICQZF VIJON LZUUB JOJZZ LSWHL SHSOA

OCQZD HBPOU NHKNP APARV DWPLV EKWYR UCSTP UZKTK VBBUY OWOGJ LFXOJ DWPNL OOZSH

KSDOZ TONQH AOJKH YZUSL LHETN VTPNL QCETA PBPKS SWCKU JSYUT TWPZL LKDKU ZWNGU

AVKTF WZQSI OOZHL LBYUT WZWOU PBCZO HHQTS PYAGS SHDKV AVAXZ OSDGK UCJOJ LZEZA

SSWIY VBUSA VRAYJ YWXKO PGFUI OSSGZ QIOZA OSYNH PFIGU VTPNL QWYUY AVAIV VFZOU

HHKXV MWJZL SZEML UQACO FQKAS KVATV AVWBL HUNUB WCBOU PHEGS ZHDGA TOZKB WOONV

YHSUY KWJZO LAOKS CSONV DOXUB ARNGD SSZLV ETNUT OWOKU KCBZO LHWHS LGQVY LAANL

HRKLP UHARS PUATJ LHWXN LHETN ZWNGU AVKTF WFALL YFAJU VHPUI LYJUD UOOZO LGDOA

VTSNP ASDGS SOJJK YCLVL KHDKT HHPKY VTPNL HQNUU FA

First phase

We compute the indexes of coincidence for various lengths of the key, obtaining the following table:

n  I_c      n  I_c      n   I_c      n   I_c      n   I_c
1  0,0470   5  0,0645   9   0,0453   13  0,0489   17  0,0425
2  0,0466   6  0,0454   10  0,0647   14  0,0461   18  0,0443
3  0,0456   7  0,0484   11  0,0468   15  0,0586   19  0,0491
4  0,0454   8  0,0458   12  0,0435   16  0,0451   20  0,0629

As explained above, for the key of the correct length we expect to obtain a value closer to 0,0655, whereas for a mismatched size of the key we expect a value closer to 0,0385.

As we clearly see, multiples of 5 are much closer to the expected value than any other length; thus we have found that the length of the key is 5.

Now we can proceed to identify the individual components of the key.


Second phase

We proceed with the computation of the mutual indexes of coincidence for each key difference. The following table summarizes the results for the differences of key components for the various character shifts (the values closest to the expected one are marked with *):

δ   k2-k1    k3-k1    k4-k1    k5-k1
0   0,0457   0,0448   0,0383   0,0622*
1   0,0338   0,0338   0,0276   0,0303
2   0,0319   0,0386   0,0375   0,0324
3   0,0480   0,0393   0,0459   0,0398
4   0,0419   0,0483   0,0374   0,0441
5   0,0283   0,0437   0,0330   0,0368
6   0,0337   0,0345   0,0417   0,0387
7   0,0646*  0,0352   0,0351   0,0425
8   0,0366   0,0399   0,0315   0,0325
9   0,0307   0,0375   0,0372   0,0382
10  0,0364   0,0341   0,0425   0,0398
11  0,0503   0,0467   0,0403   0,0452
12  0,0404   0,0309   0,0319   0,0282
13  0,0355   0,0311   0,0346   0,0391
14  0,0414   0,0402   0,0474   0,0350
15  0,0396   0,0605*  0,0349   0,0432
16  0,0284   0,0353   0,0322   0,0386
17  0,0334   0,0285   0,0341   0,0310
18  0,0443   0,0398   0,0463   0,0357
19  0,0403   0,0424   0,0334   0,0388
20  0,0323   0,0393   0,0338   0,0368
21  0,0318   0,0351   0,0521   0,0336
22  0,0547   0,0360   0,0394   0,0430
23  0,0355   0,0299   0,0265   0,0382
24  0,0349   0,0359   0,0385   0,0358
25  0,0352   0,0394   0,0675*  0,0412

By inspecting the table, we can see the marked values that are closest to the value we expected. Therefore, we obtained these relative components of the key k: (0, 7, 15, 25, 0). The only missing fact is now the value of $k_1$; the other values can be obtained by shifting this value by the relative distance. Thus, we can explore all $k_1$ values, apply the corresponding component shifts and see which of the 26 texts makes sense. The following fragment of the “decrypted” ciphertext demonstrates this process:

...

F ...WMSAYLRQCCYZCJRUGRFMSRUYLRGLE...

G ...XNTBZMSRDDZADKSVHSGNTSVZMSHMF...

H ...YOUCANTSEEABELTWITHOUTWANTING... 

I ...ZPVDBOUTFFBCFMUXJUIPVUXBOUJOH...

J ...AQWECPVUGGCDGNVYKVJQWVYCPVKPI...

...

As we can see, the only meaningful value of $k_1$ is H; therefore our key is HOWGH.

Finally, we get the plaintext (punctuation marks were added for better readability):

'Ouch,' said Fox, 'that's what I've always liked about you, Nigel. You can't

see a belt without wanting to hit below it.'

Fox was known in London for his acerbic wit. He had made his mark at an early

 meeting of the Joint Intelligence Committee when Sir Anthony Plumb had been

complaining that unlike all the others he had no nice little acronym to describe

his job. He was just the Chairman of the JIC, or the Coordinator of

Intelligence. Why could he not have a group of initials that made up a short word in themselves?

'How about,' drawled Fox from his end of the table, 'Supreme Head of

Intelligence Targeting?'

Sir Anthony preferred not to be known as the SHIT of Whitehall and dropped the

 matter of the acronym.

Again, this is an excerpt from Frederick Forsyth's book “The Fourth Protocol”.
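The Vigenère cipher and the two-phase attack above, as one added example serving both the cipher definition (the POPOCATEPETL example) and the worked cryptanalysis; it is not the book's code. It runs on the page's ciphertext; the English letter-frequency table is a standard one, and choosing the key length by a threshold and $k_1$ by a frequency score are this example's own choices where the text works by inspection.

```python
"""Vigenère cipher and the index-of-coincidence attack worked above.

Added example, not the book's code. CIPHERTEXT is the page's example; ENGLISH
is a standard letter-frequency table (percent, A..Z) of the kind the text's
value 0,0655 comes from. The key-length threshold and the k_1 scoring are this
example's own choices.
"""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
M = len(ALPHABET)
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77,
           4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98,
           2.36, 0.15, 1.97, 0.07]
LANGUAGE_IC = sum((p / 100) ** 2 for p in ENGLISH)  # about 0,0655
RANDOM_IC = 1 / M                                   # 26 * (1/26)^2 = 0,0385
CIPHERTEXT = "".join("""
VIYNZ HWZLV EHDGA ZKDGA PJAGS DOUYS PYAJH ICQZF VIJON LZUUB JOJZZ LSWHL SHSOA
OCQZD HBPOU NHKNP APARV DWPLV EKWYR UCSTP UZKTK VBBUY OWOGJ LFXOJ DWPNL OOZSH
KSDOZ TONQH AOJKH YZUSL LHETN VTPNL QCETA PBPKS SWCKU JSYUT TWPZL LKDKU ZWNGU
AVKTF WZQSI OOZHL LBYUT WZWOU PBCZO HHQTS PYAGS SHDKV AVAXZ OSDGK UCJOJ LZEZA
SSWIY VBUSA VRAYJ YWXKO PGFUI OSSGZ QIOZA OSYNH PFIGU VTPNL QWYUY AVAIV VFZOU
HHKXV MWJZL SZEML UQACO FQKAS KVATV AVWBL HUNUB WCBOU PHEGS ZHDGA TOZKB WOONV
YHSUY KWJZO LAOKS CSONV DOXUB ARNGD SSZLV ETNUT OWOKU KCBZO LHWHS LGQVY LAANL
HRKLP UHARS PUATJ LHWXN LHETN ZWNGU AVKTF WFALL YFAJU VHPUI LYJUD UOOZO LGDOA
VTSNP ASDGS SOJJK YCLVL KHDKT HHPKY VTPNL HQNUU FA
""".split())


def vigenere_encrypt(plaintext, key):
    """E: c_i = (p_i + k_(i mod n)) mod m, on letters only."""
    k = [ALPHABET.index(ch) for ch in key.upper()]
    p = [ALPHABET.index(ch) for ch in plaintext.upper() if ch in ALPHABET]
    return "".join(ALPHABET[(x + k[i % len(k)]) % M] for i, x in enumerate(p))


def vigenere_decrypt(ciphertext, key):
    """D: p_i = (c_i - k_(i mod n)) mod m."""
    k = [ALPHABET.index(ch) for ch in key.upper()]
    c = [ALPHABET.index(ch) for ch in ciphertext.upper() if ch in ALPHABET]
    return "".join(ALPHABET[(x - k[i % len(k)]) % M] for i, x in enumerate(c))


def index_of_coincidence(text):
    """I_c(x) = sum f_i (f_i - 1) / (t (t - 1))."""
    t, f = len(text), Counter(text)
    return sum(n * (n - 1) for n in f.values()) / (t * (t - 1))


def partitions(text, n):
    """Partition i holds the characters encrypted with the same k_i."""
    return [text[i::n] for i in range(n)]


def find_key_length(text, max_len=20):
    """First phase: the smallest n whose partitions have an average I_c
    closer to the language value than to random text."""
    threshold = (LANGUAGE_IC + RANDOM_IC) / 2
    for n in range(1, max_len + 1):
        avg = sum(index_of_coincidence(p) for p in partitions(text, n)) / n
        if avg >= threshold:
            return n
    return None


def mutual_ic(x, y):
    """MI_c(x, y) = sum f_i f'_i / (t t')."""
    fx, fy = Counter(x), Counter(y)
    return sum(fx[c] * fy[c] for c in ALPHABET) / (len(x) * len(y))


def shift(text, delta):
    return "".join(ALPHABET[(ALPHABET.index(c) - delta) % M] for c in text)


def relative_shifts(text, n):
    """Second phase, step 1: k_i - k_1 is the delta that, shifted back out of
    partition i, makes it share partition 1's substitution."""
    parts = partitions(text, n)
    return [max(range(M), key=lambda d: mutual_ic(parts[0], shift(parts[i], d)))
            if i else 0 for i in range(n)]


def english_score(text):
    """Mutual index of coincidence of text with the English table."""
    f = Counter(text)
    return sum(f[c] * ENGLISH[i] / 100 for i, c in enumerate(ALPHABET)) / len(text)


def recover_key(text, n=None):
    """Second phase, step 2: try all 26 values of k_1, keep the most English."""
    n = n or find_key_length(text)
    deltas = relative_shifts(text, n)
    scored = []
    for k1 in range(M):
        key = "".join(ALPHABET[(k1 + d) % M] for d in deltas)
        scored.append((english_score(vigenere_decrypt(text, key)), key))
    return max(scored)[1]


if __name__ == "__main__":
    print(vigenere_encrypt("POPOCATEPETL", "HSIV"))
    key = recover_key(CIPHERTEXT)
    print(key, vigenere_decrypt(CIPHERTEXT, key)[:40])
```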

Types of attacks

We recognize the following types of cryptanalysis attacks (ordered by ascending severity):

1. COA – Ciphertext only attack. The attacker possesses a list of ciphertexts $E_k(p_1), \dots, E_k(p_n)$ but does not know the corresponding plaintexts. The attacker usually tries to obtain k, determine some plaintext or create $E_k(p_i)$ for a given plaintext $p_i$.

2. KPA – Known plaintext attack. The attacker possesses a list of pairs of plaintexts and the corresponding ciphertexts, $(p_1, E_k(p_1)), \dots, (p_n, E_k(p_n))$. The attacker has the same goals as for COA.

3. CPA – Chosen plaintext attack. The attacker has the option to choose a few plaintexts for which he can obtain the corresponding ciphertexts under the same key k. The goals of the attack are the same as in the previous cases.

4. CCA – Chosen ciphertext attack. The attacker has the option to choose a few ciphertexts for which he can obtain the corresponding plaintexts under the same key k. Again, the goals are the same as in all prior cases.

For CPA and CCA we can also consider their adaptive variants, where the attacker repeats the selection of texts after analysing the data obtained so far. Modern cryptographic systems are expected to be resistant to such attacks.

Kerckhoffs' principle

The security of a cryptosystem shall not be based on keeping the algorithm secret but solely on keeping the key secret. In other words, assume your opponent knows the cryptosystem being used.

As we saw, the Scythale and Caesar's shift directly violate Kerckhoffs' principle, as the knowledge of the cryptosystem is sufficient to decipher the message.

Contemporary cryptography

Symmetric cryptography

Block and stream ciphers

Contemporary symmetric cryptosystems usually utilize keys of fixed length (e.g. 256 bits) which can be used to encrypt substantially longer plaintexts. Aside from the secure transport of the short key, there arises the problem of the transfer of confidential information of virtually any length. According to the way the cipher achieves this goal, symmetric ciphers can be basically divided into two categories: block and stream ciphers.

Block ciphers

Block ciphers encrypt the plaintext by splitting it into blocks of fixed length. They process each block separately, and the resulting encrypted blocks are concatenated sequentially to form the ciphertext.

Stream ciphers

Stream ciphers imitate the Vernam cipher using a shorter key. The key is used to initialize a deterministic finite state machine (DFSM) that produces a stream of bits. This stream is then used as the key for the Vernam cipher: the stream of bits is added modulo 2 (XOR) to the bits of the plaintext. The receiver of the ciphertext uses the same key to initialize its DFSM, generates the same stream of bits and adds it to the ciphertext, obtaining the plaintext.

Modes of operation

The basic cipher transformation of a block can be combined in multiple modes in the case of a longer plaintext. Each mode has its weak and strong sides, and which mode is chosen generally depends on the situation or environment. The following paragraphs depict a few of the most used modes. Plaintext blocks will be referred to as $P_i$ and ciphertext blocks as $C_i$.

Figure: block cipher: each plaintext block is encrypted by E under the key k, and the ciphertext blocks are concatenated.

Figure: stream cipher: the sender's and the receiver's DFSM are initialized with the same key; the generated stream is added to the plaintext by the sender and to the ciphertext by the receiver.

ECB (Electronic Code Book)

ECB represents the straightforward use of a block cipher. Plaintext blocks are encrypted independently using the same key. Encryption and decryption can thus be expressed as follows:

$C_i = E_k(P_i)$

$P_i = D_k(C_i)$

Properties

The same blocks of plaintext are encrypted into the same blocks of ciphertext; this allows the attacker to search for repetitions. The attacker can remove blocks or change their order without being caught (assuming no other integrity mechanism is present). An error in decrypting one block does not affect any subsequent blocks.

CBC (Cipher Block Chaining)

CBC solves some of the security problems plaguing ECB mode by linking the encryption of a block of the plaintext with the ciphertext of the previous block:

$C_i = E_k(P_i \oplus C_{i-1}) \quad \forall i \ge 1$

$P_i = C_{i-1} \oplus D_k(C_i) \quad \forall i \ge 1$

The value of $C_0$ is not available at the beginning. CBC mode therefore uses an initialization vector IV (a string of bits of the same length as the block).

Properties

The same plaintexts encrypted using the same key lead to different ciphertexts, assuming the initialization vectors are different. The ciphertext block $C_i$ depends on the value of the plaintext block $P_i$ as well as on the values of all prior plaintext blocks $P_1, \dots, P_{i-1}$. This ensures that a change in the order of the ciphertext blocks will affect decryption. A change of a bit in the ciphertext affects two blocks of plaintext: if the change occurred in the block $C_i$, the plaintext block $P_i$ will be affected as a whole, whereas the block $P_{i+1}$ will be affected only at the position of the changed bit.

CBC also offers the property of “self-synchronization”, where the loss of one ciphertext block leads to the wrong decryption of the subsequent block, but further consecutive blocks are not affected.

Figure: ECB mode (each $P_i$ is encrypted independently by $E_k$ into $C_i$) and CBC mode ($P_i$ is XORed with $C_{i-1}$, starting from the IV, before $E_k$).

The initialization vector does not need to be kept secret; it is usually generated randomly and sent as the first block of the ciphertext. The only important thing is to preserve the integrity of the IV, because a change of the bits of the IV will propagate into the corresponding positions of the plaintext block $P_1$.

OFB (Output Feedback)

OFB uses the block cipher as a synchronous stream cipher. It can therefore be used as a recipe for transforming a block cipher into a stream cipher. The encryption transformation is used only within the generator of the stream of blocks that are XORed with the blocks of the plaintext. The internal state of the generator during the i-th step will be denoted as $R_i$, and its length matches the length of the block. A remarkable fact is that in OFB mode the existence of the decryption function does not play any role.

$C_i = P_i \oplus R_i, \quad R_i = E_k(R_{i-1}) \quad \forall i \ge 1$

$P_i = C_i \oplus R_i, \quad R_i = E_k(R_{i-1}) \quad \forall i \ge 1$

Similarly to CBC, an initialization vector is used to initialize the generator of the stream of blocks, and it can be transmitted in the open along with the ciphertext.

Properties

As we have seen in CBC mode, encryption of the same plaintext with the same key using a different IV leads to different ciphertexts. The stream of generated blocks is independent of the plaintext; therefore it is necessary to use a different IV whenever we want to communicate with the same key, because otherwise the attacker, by adding two ciphertexts, receives the sum of two plaintexts, and as mentioned for the Vernam cipher, this could lead to the revelation of both plaintexts.

A change (inversion) of bits in the ciphertext is carried over as a change of the corresponding bits in the plaintext. This allows the attacker to influence the plaintext in the desired way without knowing it. If the attacker knows the plaintext, then she is able to compute the stream of blocks $R_i$ and construct the ciphertext for a plaintext of her choice.

Loss of any part of a ciphertext block means that the rest of the ciphertext is affected by this loss.

The main requirement during the construction of a stream cipher is to guarantee an appropriate length of the period of the generated stream.

CFB (Cipher Feedback)

CFB mode transforms block cipher into stream cipher in the similar fashion as OFB. Contrary, CFB

constructs self-synchronizing stream cipher with the feedback from ciphertext. Block of plaintext is

encrypted by adding ciphertext of the previous plaintext block. Again, CFB does not employ use of 

the decryption function.

C i= P i ⊕ E k C i−1 ∀ i≥1

 P i=C i ⊕ E k C i−1 ∀ i≥1

Again, the computation is initialized using an initialization vector $IV$ in place of $C_0$. The initialization vector is generated similarly to the previous modes.

(diagram: CFB mode, showing $E_k$, $P_i$, $C_i$ and $IV$)

 Properties

As with CBC and OFB, encryption of the same plaintext with the same key using different initialization vectors yields different ciphertexts. The initialization vector does not need to be kept secret. Use of the same $IV$ and key allows an attacker to obtain the sum of the first blocks of the plaintexts.

Similarly to CBC, ciphertext block $C_i$ depends on the value of plaintext $P_i$ as well as on the values of all prior plaintext blocks $P_1, \dots, P_{i-1}$. A change in the order of ciphertext blocks influences decryption. Correct decryption of a block requires the correct previous block. Again, a change of a bit in the ciphertext affects two blocks of plaintext – if the change occurred in block $C_i$, plaintext block $P_i$ will be affected as a whole whereas block $P_{i+1}$ will be affected only at the position of the changed bit. As with CBC, CFB has the property of "self-synchronization".
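The OFB and CFB modes described in this and the previous section, as an added example that is not part of the original book. It uses a constructed stand-in for the block cipher $E_k$ (a truncated keyed SHA-256, which is not a real cipher and is not even invertible); that is enough because neither mode ever calls $D_k$. The key, IVs and plaintexts are constructed sample values. `ofb_iv_reuse_leak` shows the XOR-of-plaintexts leak that reusing an IV under one key produces, and `cfb_bit_error_pattern` shows, block by block, what a single flipped ciphertext bit does to the decrypted plaintext.

```python
import hashlib

BLOCK = 8  # block length in bytes (toy size chosen for the example)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_k.

    Constructed for this example: a truncated SHA-256 of key||block.  It is not
    a real block cipher and is not even invertible, which is the point: OFB and
    CFB only ever evaluate E_k, so no D_k is needed to run either mode.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example handles whole blocks only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: R_i = E_k(R_{i-1}) with R_0 = IV, C_i = P_i xor R_i.

    The keystream does not depend on the data, so the same function both
    encrypts and decrypts."""
    r, out = iv, []
    for block in split_blocks(data):
        r = block_encrypt(key, r)          # keystream block R_i
        out.append(xor(block, r))
    return b"".join(out)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB: C_i = P_i xor E_k(C_{i-1}) with C_0 = IV."""
    prev, out = iv, []
    for block in split_blocks(plaintext):
        c = xor(block, block_encrypt(key, prev))
        out.append(c)
        prev = c                            # feedback comes from the ciphertext
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB: P_i = C_i xor E_k(C_{i-1}); again only E_k is evaluated."""
    prev, out = iv, []
    for block in split_blocks(ciphertext):
        out.append(xor(block, block_encrypt(key, prev)))
        prev = block
    return b"".join(out)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


# Constructed sample inputs (two 8-byte blocks each).
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
IV2 = bytes(range(1, BLOCK + 1))
P1 = b"ATTACK AT DAWN!!"
P2 = b"RETREAT AT DUSK!"


def ofb_iv_reuse_leak() -> bytes:
    """Same key AND same IV for two messages: C_1 xor C_2 equals P_1 xor P_2,
    the leak the OFB properties warn about (a fresh IV per message avoids it)."""
    return xor(ofb(KEY, IV, P1), ofb(KEY, IV, P2))


def cfb_bit_error_pattern() -> tuple:
    """Flip bit 0 of the first ciphertext byte and decrypt.  Returns, block by
    block, P xor P' so the caller can see which blocks changed and how."""
    c = cfb_encrypt(KEY, IV, P1)
    p_bad = cfb_decrypt(KEY, IV, flip_bit(c, 0, 0))
    return tuple(split_blocks(xor(P1, p_bad)))
```

Running the two demonstration functions: the XOR of the two OFB ciphertexts equals `P1 xor P2` exactly, and for CFB the block whose ciphertext was altered decrypts with only that one bit changed, while the following block (whose keystream is $E_k$ of the altered block) is garbled throughout.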

Iterated ciphers

The largest group of block ciphers is formed by the iterated ciphers. The idea of iterated ciphers consists in the definition of a basic transformation (round) that is then applied multiple times.

Subsequent rounds usually employ subkeys of the encryption key – in the first round subkey $k_1$, in the second $k_2$, etc. Subkeys are streams of bits deterministically derived from the encryption key. The process of deriving subkeys is called key scheduling.

Cipher standards

Modern block ciphers are realized electronically as hardware modules or as software; therefore it is safe to assume that the alphabet used is binary. We can formally express a block cipher as follows:

Let $V_n = \{0,1\}^n$ be the set of $n$-bit vectors. A block cipher is a pair of mappings $E: V_n \times K \to V_n$ and $D: V_n \times K \to V_n$ such that the following holds:

$$\forall k \in K\ \forall p \in V_n: D_k(E_k(p)) = p,$$

(diagram: OFB/CFB mode labels $E_k$, $P_i$, $C_i$, $IV$)

(diagram: iterated cipher – plaintext enters round 1 with subkey $k_1$, passes through rounds $2, \dots, r$ with subkeys $k_2, \dots, k_r$, each applying the round transformation $F$, and leaves as ciphertext)

where $K$ is a finite set of keys. The number $n$ is called the block length. Keys are drawn from $K$ independently and uniformly. If $K = V_l$, we say that the effective key length is $l$ bits. During cipher construction, two opposing requirements arise – the security of the key (usually, the larger the set $K$ is, the more secure the key is) and the performance of the cipher (the smaller the set $K$ is, the faster the cipher runs and the less space it occupies).

Feistel ciphers

Feistel ciphers are a class of iterated block ciphers in which the encryption algorithm has the same structure as the decryption algorithm. A Feistel cipher splits the text into two halves; the first (left) will be denoted as $L_0$ and the second (right) as $R_0$. In each round the values $L_i$, $R_i$ are computed from the previous values according to the formulas:

$$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus f(k_i, R_{i-1}), \qquad 1 \le i < r,$$

where $f$ is a transformation affected by the subkey $k_i$. The output after $r$ rounds is the tuple $(L_r, R_r)$, where in the last round no swap of the halves is performed:

$$L_r = L_{r-1} \oplus f(k_r, R_{r-1}), \qquad R_r = R_{r-1}.$$

To decrypt a Feistel cipher, it is sufficient to use the same scheme; only the order of the subkeys has to be reversed. The cryptographic properties of the algorithm are determined by the properties of the Feistel function $f$.

 Feistel network 

The following ciphers are based on (generalized) Feistel network: Blowfish, Camellia, CAST-128,

CAST-256, DES, FEAL, KASUMI, LOKI97, Lucifer, MacGuffin, MAGENTA, MISTY1, RC2,

RC5, RC6, Skipjack, TEA, TripleDES, Twofish, XTEA.

DEA / DES (Data Encryption Algorithm / Standard)

DEA originates from the Feistel family of ciphers and employs the Feistel network using its own Feistel function and key scheduling. In 1976, it was selected in the USA as the Federal Information


Processing Standard (FIPS), and the DEA has been known as DES ever since. DEA was originally designed by a team at IBM in 1972-3. DEA was suspected of having been tampered with by the NSA and of containing backdoors in the form of mysterious substitution boxes. On the other hand, DES was the first spark that ignited the popularization of cryptanalysis amongst technically minded people in the USA.

Nowadays, DES is outdated due to its small, 56-bit key, which allows successful attacks in less than 24 hours. However, originating from the IBM Lucifer cipher, DES provides the ground for more secure derived ciphers such as Triple DES, G-DES, DES-X, LOKI89, ICE, etc.

The DEA uses a Feistel network consisting of 16 stages. The DEA block has a size of 64 bits. The key also has a size of 64 bits; however, the effective size is only 56 bits, as 8 bits are used only for parity checking during key scheduling and thereafter discarded.

Structure of the DEA Feistel f-function

The $f$-function operates on half a block (32 bits) at a time and consists of four stages:

1. Expansion - the 32-bit half-block is expanded to 48 bits using the expansion permutation by duplicating some of the bits.

2. Key mixing - the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys are derived from the main key using the key schedule.

3. Substitution - after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the substitution (S-) boxes. Each S-box replaces its 6 input bits with 4 output bits according to a non-linear transformation obtained from a hardwired lookup table. Without substitution the cipher would be linear, and trivially breakable.

4. Permutation - the 32-bit output from the S-boxes is rearranged according to a fixed permutation (P-box).

Key scheduling

Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 - the remaining 8 bits are either discarded or used as parity check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by Permuted Choice 2 - 24 bits from the left half, and 24 from the right. The rotations (denoted by [<<<] in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys.

The key schedule for decryption is similar - it must generate the keys in the reverse order. Rotations are then to the right.

(diagram: DES Feistel function – 32-bit half block → Expansion → 48 bits, XOR with the 48-bit subkey, Substitution Boxes 1-8 → 32 bits, Permutation → 32-bit Feistel output)

(diagram: DES key schedule – 64-bit input key → Permuted choice 1 → 56 bits, split into two 28-bit halves, each rotated <<< per round, Permuted choice 2 → 48-bit subkey 1, subkey 2, ..., with the rotated 56 bits carried on to the next round)

Breaking the DES

There are various known attacks on the DES:

1. Brute force – the attack is performed by trying every possible key. The length of the key determines the number of possible keys. It is assumed that the NSA possessed enough power to break DES in the mid '70s. Still, the time complexity is $2^{56}$ iterations.

2. Differential cryptanalysis – DES was designed to withstand this form of attack; however, DC is capable of breaking the DES using $2^{47}$ chosen plaintexts.

3. Linear cryptanalysis – the basic version of the attack requires $2^{43}$ known plaintexts; however, refined versions are capable of breaking DES using $2^{39}$ known plaintexts.

Multiple encryption

This metamethod is based on the fact that multiple encryption passes enhance the security of the cipher by simulating an enlargement of the key. Let us use $X_k$ to denote a cipher transformation (either encryption or decryption) using the key $k$. Then we can concatenate transformations and get double encryption:

$$c = X''_{k_2}(X'_{k_1}(p))$$

or triple encryption:

$$c = X'''_{k_3}(X''_{k_2}(X'_{k_1}(p)))$$

2TDES

Basically, it is a concatenation of two DES encryptions. We can use 3 modes of operation, denoted as EE, ED and DE, according to the cipher transformations used. For example, this is EE mode:

$$c = E_{k_2}(E_{k_1}(p))$$

2TDES is prone to the following type of attack:

"Meet in the Middle" attack (MIM)

The MIM attack is an attack against multiple encryption using the same encryption algorithm that is capable of reducing the time complexity of the brute force attack at the price of expanded space complexity. The attack will be demonstrated on the 2TDES cipher in EE mode. Our ciphertext $c$ will be $c = E_{k_2}(E_{k_1}(p))$. Let the size of the keys $k_1$ and $k_2$ be $l$ bits. We have $n$ tuples of plain- and ciphertext $\langle p_i, c_i \rangle$, $i = 1..n$, encrypted using the same key. A brute force attack tries each tuple of keys $k_1$ and $k_2$ and tests the correctness of the choice by evaluating whether $c_i = E_{k_2}(E_{k_1}(p_i))$, $\forall i = 1..n$. The time complexity is in the average case $O(2^{2l})$, the space complexity is $O(1)$.

The MIM attack can lower the time complexity by enlarging the space complexity. For the tuple $\langle p_1, c_1 \rangle$ we first compute $D_{k_2}(c_1)$ for every possible key $k_2$. The computed tuples $\langle D_{k_2}(c_1), k_2 \rangle$ are stored in a hash table indexed by the first component. Then we encrypt the plaintext $p_1$ using each key $k_1$ and test whether the value $E_{k_1}(p_1)$ is stored in the hash table. If we find a match, it means that we have found keys $k_1$ and $k_2$ such that $E_{k_2}(E_{k_1}(p_1)) = c_1$. There can be more tuples of keys like this; we have to test them first on the remaining tuples of plain- and ciphertexts. The time complexity of the attack is then $O(2^l)$ and the space complexity $O(2^l)$.

As a result, 2TDES can be broken in the same time as the DES.
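The Feistel network from the "Feistel ciphers" section and the meet-in-the-middle argument just given, as one added example that is not part of the original book. The cipher is a constructed toy: 32-bit blocks, four rounds, a round function $f$ built from truncated SHA-256 and a key of only $l = 10$ bits, so that the $2^l$ table and the $2^l$ search finish instantly; the secret keys and plaintext/ciphertext pairs are constructed as well. The checks confirm that decryption is the same network with the subkeys reversed, and that the attack recovers $(k_1, k_2)$ from the known pairs with about $2 \cdot 2^l$ cipher evaluations instead of $2^{2l}$, which is why doubling a cipher does not double its effective key length.

```python
import hashlib

HALF_BITS = 16                 # 16-bit halves, 32-bit block (toy size, constructed)
MASK = (1 << HALF_BITS) - 1
ROUNDS = 4                     # r
KEY_BITS = 10                  # l: kept tiny so the search below finishes instantly


def f(subkey: int, right: int) -> int:
    """Feistel function f(k_i, R_{i-1}).  It need not be invertible; here it is a
    truncated SHA-256 of the subkey and the right half (constructed, not a real
    cipher's round function)."""
    data = subkey.to_bytes(4, "big") + right.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def key_schedule(key: int) -> list:
    """Subkeys k_1..k_r derived deterministically from the key (toy schedule)."""
    return [f(key, MASK - i) for i in range(ROUNDS)]


def feistel(block: int, subkeys: list) -> int:
    """One pass through the network with the subkeys in the given order.
    Rounds 1..r-1: L_i = R_{i-1}, R_i = L_{i-1} xor f(k_i, R_{i-1}).
    Round r:       L_r = L_{r-1} xor f(k_r, R_{r-1}), R_r = R_{r-1} (no swap)."""
    left, right = block >> HALF_BITS, block & MASK
    for k in subkeys[:-1]:
        left, right = right, left ^ f(k, right)
    left ^= f(subkeys[-1], right)
    return (left << HALF_BITS) | right


def encrypt(key: int, p: int) -> int:
    return feistel(p, key_schedule(key))


def decrypt(key: int, c: int) -> int:
    return feistel(c, key_schedule(key)[::-1])   # same network, reversed subkeys


def double_encrypt(k1: int, k2: int, p: int) -> int:
    """EE mode of double encryption: c = E_{k2}(E_{k1}(p))."""
    return encrypt(k2, encrypt(k1, p))


def meet_in_the_middle(pairs: list) -> tuple:
    """Recover (k1, k2) from known <p_i, c_i> pairs with about 2 * 2^l cipher
    evaluations instead of 2^(2l).  Returns ((k1, k2), evaluations)."""
    p1, c1 = pairs[0]
    table = {}                                  # D_{k2}(c_1) -> [k2, ...]
    for k2 in range(1 << KEY_BITS):
        table.setdefault(decrypt(k2, c1), []).append(k2)
    evaluations = 1 << KEY_BITS
    for k1 in range(1 << KEY_BITS):
        evaluations += 1
        for k2 in table.get(encrypt(k1, p1), []):
            # a hit on the first pair is only a candidate; confirm on the rest
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return (k1, k2), evaluations
    return None, evaluations


# Constructed sample: two secret keys and two known plaintext/ciphertext pairs.
SECRET_K1, SECRET_K2 = 0x2A7, 0x155
PAIRS = [(p, double_encrypt(SECRET_K1, SECRET_K2, p))
         for p in (0xDEADBEEF, 0x01234567)]
```

The table holds $2^l$ entries, which is the space the text charges for the attack; the second known pair is what rules out chance collisions on the first one.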

Triple DES (TDES / TDEA / 3TDES / 3DES)

Triple DES effectively triples the length of the DES key, obtaining a size of 168 bits (3 × 56 bits). Triple DES operates in multiple modes, similarly to 2TDES.


A very popular mode is EDE:

$$c = E_{k_3}(D_{k_2}(E_{k_1}(p)))$$

Decryption applies the inverse transformations:

$$p = D_{k_1}(E_{k_2}(D_{k_3}(c)))$$

Very often we can observe the choice $k_1 = k_3$. Another advantage of EDE mode is its backwards compatibility – when we use $k_1 = k_2 = k_3$, we obtain the original DES.

The best known attack (2005) on 3TDES requires around $2^{32}$ known plaintexts, $2^{113}$ steps, $2^{90}$ single DES encryptions and $2^{88}$ memory cells. Triple DES is now being widely replaced by AES.

AES (Advanced Encryption Standard / Rijndael)

This cipher was introduced by Vincent Rijmen and Joan Daemen, and because of its qualities (fast, low memory requirements, safer) it won the NIST competition held in 1997-2000 to select a replacement for DES; as a result, it is now being deployed on a large scale.

The NIST competition included the following cryptosystems (the finalists are in bold):

CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent and Twofish.

Rijndael is an iterated substitution-permutation network block cipher that uses a block size of 128 bits. The key length can be 128, 192 or 256 bits and the corresponding numbers of rounds are 10, 12 and 14. Internally, the block of processed plain- or ciphertext is represented as a two-dimensional 4 × 4 array of bytes. Bytes are aligned in the array (known as the state of the algorithm) as follows:

$$\begin{vmatrix} 0 & 4 & 8 & 12 \\ 1 & 5 & 9 & 13 \\ 2 & 6 & 10 & 14 \\ 3 & 7 & 11 & 15 \end{vmatrix}$$

Similarly to other iterated ciphers, Rijndael also uses key scheduling to construct subkeys from the original encryption key.

Encryption

Rijndael transforms plaintext blocks using four operations:

1. SubBytes – substitution of bytes. Each byte of the state of the algorithm is replaced by a new byte according to the defined substitution $S: \{0,1\}^8 \to \{0,1\}^8$. $S$ is a bijection and, among other functions, it ensures that the encryption is non-linear.

2. ShiftRows – cyclic shift of the rows of the state of the algorithm. Each row is shifted to the left by a different number of bytes (the first row does not change, subsequent rows are shifted by an increasing number of bytes):

$$\begin{vmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\ s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\ s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3} \end{vmatrix} \to \begin{vmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,1} & s_{1,2} & s_{1,3} & s_{1,0} \\ s_{2,2} & s_{2,3} & s_{2,0} & s_{2,1} \\ s_{3,3} & s_{3,0} & s_{3,1} & s_{3,2} \end{vmatrix}$$

3. MixColumns – transformation of the columns of the state of the algorithm. Each column (consisting of bytes $s_{0,c}, \dots, s_{3,c}$) is replaced by a new column according to the following formula:

$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix}$$

In this matrix multiplication the components of both matrices are interpreted as elements of the finite field $GF(2^8)$ generated by the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$. Addition is realized as a simple byte XOR.

4. AddRoundKey – addition of a subkey of 16-byte length (128 bits) to the state of the algorithm. The addition is performed as an XOR of the corresponding bytes of the subkey and the state of the algorithm.

Each round consists of the same sequence of these operations, except at the beginning (where an extra AddRoundKey operation is inserted before the first round) and in the last round (where the MixColumns operation is omitted). Schematically, we can express the sequence of encryption and decryption operations in this diagram:

(diagram: encryption – plaintext → AddRoundKey → [SubBytes → ShiftRows → MixColumns → AddRoundKey] repeated for r - 1 rounds → SubBytes → ShiftRows → AddRoundKey (last round) → ciphertext; decryption – ciphertext → AddRoundKey → [InvShiftRows → InvSubBytes → AddRoundKey → InvMixColumns] repeated for r - 1 rounds → InvShiftRows → InvSubBytes → AddRoundKey (last round) → plaintext)

Decryption

The transformation of the ciphertext during decryption uses the inverse transformations to those used in the encryption, with the only exception being the operation AddRoundKey (XOR of the same subkey as in the encryption removes the subkey from the ciphertext). Therefore, we use the following operations:

1. InvSubBytes – substitution of the bytes of the state of the algorithm; the inverse function (permutation) $S^{-1}$ is used.

2. InvShiftRows – cyclic shift of the rows of the state of the algorithm to the right (as opposed to encryption). The first row remains the same, the rest are shifted by one, two and three bytes.

3. InvMixColumns – transformation of the columns of the state of the algorithm using the inverse matrix to the matrix used during encryption.

Key scheduling

Key scheduling has to take into account the variable length of the key and the different number of rounds. A word in the Rijndael algorithm denotes a sequence of 4 bytes. Words are the basic units of the key-scheduling algorithm. The algorithm creates a sufficiently large array of words $w$, and the subkeys are extracted consecutively during the algorithm run.

Let $k$ denote the number of words in the key – for keys of size 128, 192 and 256 bits the value of $k$ is 4, 6 and 8. The beginning of the array $w$ is filled with the encryption key. Further words in $w$ are computed as the XOR of the words $w[i - 1]$ and $w[i - k]$. In case the actual position of the word ($i$) is divisible by $k$, a transformation of $w[i - 1]$ is executed first. The transformation consists of a cyclic shift of the bytes to the right followed by substitution of each byte in the word using the SubBytes function $S$. Finally, a predefined constant is also added to this word.
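AES-128 assembled from the four operations and the key schedule described above, as an added example that is not part of the original book. The S-box is computed from its definition (multiplicative inverse in $GF(2^8)$ followed by the affine transform) instead of being pasted as a table; the key schedule follows $w[i] = w[i-1] \oplus w[i-k]$ with $k = 4$ only (AES-256 adds an extra SubWord step that this 128-bit-only code omits), with RotWord implemented as the one-byte cyclic shift specified in FIPS-197. The key and block used in the check are the FIPS-197 Appendix C example values, not secrets.

```python
def xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8); the '02' and '03' of MixColumns use it."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result


def _build_sbox() -> list:
    """S(x) = affine transform of the multiplicative inverse of x (0 -> 0x63).
    Computing it here avoids pasting the 256-entry table."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s, rot = inv, inv
        for _ in range(4):
            rot = ((rot << 1) | (rot >> 7)) & 0xFF
            s ^= rot
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def key_expansion(key: bytes) -> list:
    """AES-128 key schedule: k = 4 words, 10 rounds, 44 words w[i].
    w[i] = w[i-1] xor w[i-k]; when i is divisible by k, w[i-1] first gets
    RotWord (one-byte cyclic shift), SubWord (S on each byte) and the round
    constant RCON added to its first byte."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]             # RotWord
            temp = [SBOX[b] for b in temp]         # SubWord
            temp[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w


def round_key(w: list, r: int) -> list:
    """16 bytes of subkey r, column-major like the state (byte i -> s[i%4][i//4])."""
    return [b for word in w[4 * r:4 * r + 4] for b in word]


def sub_bytes(s: list) -> list:
    return [SBOX[b] for b in s]


def shift_rows(s: list) -> list:
    """Row r is rotated left by r bytes: s'[r][c] = s[r][(c + r) % 4]."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s: list) -> list:
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
                a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
                gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]
    return out


def add_round_key(s: list, k: list) -> list:
    return [a ^ b for a, b in zip(s, k)]


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Initial AddRoundKey, 9 full rounds, final round without MixColumns."""
    w = key_expansion(key)
    s = add_round_key(list(block), round_key(w, 0))
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), round_key(w, r))
    s = add_round_key(shift_rows(sub_bytes(s)), round_key(w, 10))
    return bytes(s)
```

The state is kept as a flat 16-byte list indexed by row + 4·column, which is exactly the byte layout of the state matrix shown earlier, so input and output need no transposition.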

Security

The only known successful attack to date (2006) is a side channel attack (any attack based on information gained from the physical implementation of a cryptosystem rather than theoretical weaknesses in the algorithms). Side channel attacks do not attack the underlying cipher, but attack implementations of the cipher on systems which inadvertently leak data.

In April 2005, D.J. Bernstein announced a cache timing attack that was used to break a custom server that used OpenSSL's AES encryption. The custom server was designed to give out as much timing information as possible, and the attack required over 200 million chosen plaintexts.

In October 2005, Adi Shamir presented a paper demonstrating several cache timing attacks against AES. One attack was able to obtain an entire AES key after only 800 writes, in 65 milliseconds. These attacks require the attacker to be able to run programs on the same system that is performing AES encryptions.

AES is recognized as the first public cipher that was approved by the NSA for Top Secret information.

IDEA (International Data Encryption Algorithm)

Designed at ETH Zürich in 1991, IDEA is a block cipher used in PGP 2.0 and remains an option in OpenPGP.

IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (rounds) and an output transformation (the half-round). The processes for encryption and decryption are similar. IDEA derives much of its security from interleaving operations from different groups – modular addition and multiplication, and bitwise XOR – which are algebraically "incompatible" in some sense. All of these operations deal with 16-bit quantities:

1. Bitwise eXclusive OR

2. Addition modulo $2^{16}$

3. Multiplication modulo $2^{16} + 1$, where the all-zero word (0000H) is interpreted as $2^{16}$

The following diagram demonstrates the round of the IDEA algorithm:


 IDEA network round 
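The three 16-bit group operations of IDEA listed above, as an added example that is not part of the original book. It implements the multiplication modulo $2^{16} + 1$ with the all-zero-word convention, the inverses that the decryption key schedule needs (additive inverse modulo $2^{16}$, multiplicative inverse modulo $2^{16} + 1$), and a small check that multiplication does not distribute over XOR, which is the sense in which the operations are "incompatible". All sample operands are constructed.

```python
MOD_ADD = 1 << 16          # addition is modulo 2^16
MOD_MUL = (1 << 16) + 1    # multiplication is modulo 2^16 + 1 (65537, a prime)


def idea_xor(a: int, b: int) -> int:
    return a ^ b


def idea_add(a: int, b: int) -> int:
    return (a + b) % MOD_ADD


def idea_mul(a: int, b: int) -> int:
    """Multiplication modulo 2^16 + 1 on 16-bit words.  The word 0x0000 cannot
    be a residue of the multiplicative group, so it is read as 2^16 on input
    and the residue 2^16 is written back as 0x0000 on output."""
    x = a if a else MOD_ADD
    y = b if b else MOD_ADD
    r = (x * y) % MOD_MUL
    return 0 if r == MOD_ADD else r


def idea_mul_inverse(a: int) -> int:
    """Inverse used by the decryption key schedule; Fermat: x^(p-2) = x^-1 mod p."""
    x = a if a else MOD_ADD
    r = pow(x, MOD_MUL - 2, MOD_MUL)
    return 0 if r == MOD_ADD else r


def idea_add_inverse(a: int) -> int:
    return (-a) % MOD_ADD


def distributes_over_xor(a: int, b: int, c: int) -> bool:
    """Does a * (b xor c) == (a * b) xor (a * c)?  Generally not: the three
    operations come from different groups, which is what the text calls
    algebraically 'incompatible'."""
    return idea_mul(a, idea_xor(b, c)) == idea_xor(idea_mul(a, b), idea_mul(a, c))
```

Because $2^{16} + 1$ is prime, every one of the $2^{16}$ non-zero residues has an inverse, and mapping the residue $2^{16}$ onto the otherwise unused word 0x0000 is what makes the multiplication a bijection on 16-bit words.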

Security

The designers analyzed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune under certain assumptions. No successful linear or algebraic weaknesses have been reported. Some classes of weak keys have been found, although their cardinality is practically irrelevant. As of 2004, the best attack which applies to all keys can break IDEA reduced to 5 rounds (the full IDEA cipher uses 8.5 rounds).

The problem that hindered the wide adoption of IDEA is the US patents, which expire in 2011.

Blowfish

Blowfish is an iterated block cipher based on a Feistel network, designed by Bruce Schneier. Blowfish has been adopted by many products, as its availability is granted by its public domain status.

Notable features of the design include key-dependent S-boxes and a highly complex key schedule.

Blowfish operates over blocks of 64 bits and uses keys of 32-448 bits in length. It is a 16-round Feistel cipher and uses large key-dependent S-boxes.

The diagram to the left shows the action of Blowfish. Each line represents 32 bits. The algorithm keeps two subkey arrays: the 18-entry P-array and four 256-entry S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. One entry of the P-array is used every round, and after the final round, each half of the data block is XORed with one of the two remaining unused P-entries.

(diagram: IDEA round – inputs $P_1, \dots, P_4$, subkeys $k_1, \dots, k_6$, outputs $C_1, \dots, C_4$)

(diagram: Feistel network – $L_0$, $R_0$, round function $f$ applied in each of the $r$ rounds, outputs $L_r$, $R_r$)

(diagram: Blowfish – P-entries $P_1$, $P_2$, ..., $P_{16}$ used in the rounds (14 rounds elided in the drawing), with $P_{17}$ and $P_{18}$ XORed into the two halves after the final round)

Feistel function

The function splits the 32-bit input into four eight-bit quarters, and uses the quarters as input to the S-boxes. The outputs are added modulo $2^{32}$ and XORed to produce the final 32-bit output.

Key scheduling

Blowfish's key schedule starts by initializing the P-array and S-boxes with values derived from the hexadecimal digits of π, which contain no obvious pattern. The secret key is then XORed with the P-entries in order (cycling the key if necessary). A 64-bit all-zero block is then encrypted with the algorithm as it stands. The resultant ciphertext replaces $P_1$ and $P_2$. The ciphertext is then encrypted again with the new subkeys, and $P_3$ and $P_4$ are replaced by the new ciphertext. This continues, replacing the entire P-array and all the S-box entries. In all, the Blowfish encryption algorithm will run 521 times to generate all the subkeys – about 4 KB of data is processed.

Security

As of 2006, there is no known effective attack on Blowfish. Still, its 64-bit block size is a drawback for large files, as encrypting more than $2^{32}$ blocks would leak information about the plaintext due to the birthday attack.

Practical usage

Blowfish is one of the fastest block ciphers in widespread use, except when changing keys. Each new key requires preprocessing equivalent to encrypting about 4 kB of text (very slow). This prevents its use in certain memory-constrained applications. The password-hashing method used in OpenBSD uses an algorithm derived from Blowfish that makes use of the slow key schedule; the idea is that the extra computational effort required gives protection against dictionary attacks.

In some implementations, Blowfish has a relatively large memory footprint of just over 4 kB. This is not a problem even for older, smaller desktop and laptop computers, but it does prevent use in the smallest embedded systems such as early smartcards.

Blowfish is not subject to any patents and is therefore freely available for anyone to use. This has contributed to its popularity in cryptographic software.

(diagram: Blowfish Feistel function – the 32-bit input split into four 8-bit quarters feeding S-Box 1 to S-Box 4, whose 32-bit outputs are combined into the 32-bit output)

Asymmetric cryptography

Basics of asymmetric (public key) cryptography

The beginning of asymmetric (public key) cryptography officially dates back to the year 1976, when Whitfield Diffie and Martin Hellman published their key-exchange algorithm. Unofficially, though, there are rumors that the NSA used public key cryptography already in the late '60s of the 20th century as part of the security mechanism embedded into the PAL (Permissive Action Link) of nuclear missiles.

The first applications were constructions of asymmetric cryptosystems and key-exchange protocols. Nowadays, asymmetric cryptography provides the base for various systems, such as digital signatures, electronic money or electronic elections.

Formally, we can express an asymmetric system this way:

An asymmetric cryptosystem is a pair of functions – public and private. Both of these functions are constructed (chosen) by the user. The public function is made public by the user and is available to anyone. The private function is an unpublished property of the user. The public function serves encryption purposes whilst the private function serves decryption purposes. Therefore, encryption can be executed by anyone; decryption only by the owner of the private function. Sometimes, the asymmetric system is presented as a class of functions parametrized by keys. Then we talk about a public and a private key.

Let us denote the set of all plaintexts as $P$, the set of ciphertexts as $C$, and let $R$ denote the set $\{0, 1\}^*$. Let $E: P \times R \to C$ be the public function and $D: C \to P$ the private function. The meaning of the set $R$ in the encryption function $E$ consists in facilitating a random choice during encryption. In that case, the plaintext is encrypted into one of several potential ciphertexts. Some cryptosystems do not use randomization (RSA); in some it is an essential component of encryption (Elgamal). Systems that use randomized encryption are called randomized.

An asymmetric system must satisfy the following properties to be usable:

1. Correctness – deciphering the ciphertext leads to the original plaintext:

$$\forall m \in P\ \forall r \in R: D(E(m, r)) = m$$

2. Realizability – the functions $E$ and $D$ are algorithmically effectively realizable. Moreover, their construction by the user is also effective. "Effective" usually means with deterministic (probabilistic) polynomial time complexity.

3. Security – from the knowledge of $E$ it is practically impossible to determine a function $D^*$ such that $D^*$ is effectively realizable and for a considerable amount of $c \in C$: $D^*(c) = D(c)$. The inverse function therefore cannot be easily determined only from the knowledge of $E$.

Hybrid encryption

Contemporary asymmetric cryptosystems are substantially slower than symmetric cryptosystems in both encryption and decryption. As speed is one of the most substantial requirements demanded of a cryptosystem, this represents a major drawback of asymmetric cryptography. To avoid this obstacle, the concept of hybrid encryption was introduced, which combines the strengths of both asymmetric (better security and key management) and symmetric systems (faster operation).

A hybrid system uses a symmetric system to encrypt the transmitted data using a randomly generated key. The asymmetric system is used to encrypt this key using the public function of the recipient. After receiving the


ciphertext, the receiver first deciphers the key using her private function and then deciphers the data using the obtained key.

Let $E_A$, $D_A$ denote the public and private function of user $A$, who is also the recipient of a message $m$. $E$ and $D$ are the encryption and decryption algorithms of some symmetric system. Hybrid encryption consists of the following steps:

Choose a random symmetric key $k$. The following tuple will be sent to recipient $A$:

$$\langle E_A(k, r), E_k(m) \rangle$$

where $r$ is randomly chosen from $R$ (it represents the random part of the asymmetric encryption).

User $A$ then deciphers the symmetric key: $D_A(E_A(k, r)) = k$

and subsequently also the message: $D_k(E_k(m)) = m$

The security of hybrid encryption depends on the security of both the asymmetric and the symmetric system used – a compromise of either of them causes a compromise of the whole hybrid system.

Asymmetric protocols

In electronic space we would like to construct objects and procedures common in the real world, such as signatures, money, elections etc. Most of their real-world properties cannot be transferred directly into electronic space; therefore we need to create their electronic equivalents and ensure their usability, amongst other means, also by cryptography. Solutions using exclusively symmetric cryptography either do not exist or are very inefficient. Usable constructions are therefore based on asymmetric cryptography and other cryptographic primitives, such as one-way functions, cryptographic hash functions or secret sharing schemes.

RSA

RSA is one of the best known and most used asymmetric cryptography protocols. It was published in 1978 by Ronald Rivest, Adi Shamir and Leonard Adleman from MIT, and its name is composed of the first letters of its authors' surnames. Its cryptographic strength is based on the problem of factorization.

Initialization

Initialization is the process of creating the respective RSA instance – the private and public key.

1. Two different "sufficiently large" prime numbers $p$ and $q$ are chosen. Let $n = p \cdot q$.

2. A natural number $e$ is chosen that satisfies $1 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$, where $\varphi(n) = (p-1)(q-1)$ is the Euler function and $\gcd$ denotes the greatest common divisor (highest common factor) of its arguments. Therefore, $e$ does not divide $\varphi(n)$.

3. A number $d$ is computed that satisfies $e \cdot d \equiv 1 \pmod{\varphi(n)}$.

What "sufficiently large" prime numbers are depends on the efficiency of contemporary factorization methods (factorization extracts the prime factors of a number) and on the degree of security we require from our system. Nowadays, 512-bit prime numbers are considered to be safe (after multiplication we get at least a 1024-bit modulus).

The public key is then the pair $\langle e, n \rangle$. The private key is the value of $d$. Parameter $d$ is also called the private exponent and parameter $e$ the public exponent. Prime numbers $p$ and $q$ are not required for the use of


RSA, and we can dispose of them after initialization. It is however important not to let $p$ and $q$ fall into the hands of potential attackers.

Both plaintext and ciphertext utilize the space $\mathbb{Z}_n = \{0, 1, \dots, n-1\}$. The essential parts of the RSA cryptosystem can finally be expressed:

encryption: $E(m) = m^e \bmod n$

decryption: $D(c) = c^d \bmod n$

During the computation of the decrypting transformation it is required to know the value of $n$ besides the value of the private key $d$. But $n$ is already a part of the public key.

RSA can be used as a typical block cipher; the block has the size of the number of bits of $n$.
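The RSA initialization steps 1-3 and the two transformations $E(m) = m^e \bmod n$, $D(c) = c^d \bmod n$, as an added example that is not part of the original book. It is the textbook (unpadded, deterministic) primitive exactly as the page defines it; deployed RSA wraps a padding scheme around it. Primes are found with a Miller-Rabin test, $d$ is obtained with Python's built-in modular inverse, and the checks include a plaintext that is a multiple of $p$ (the $\gcd(m, n) \ne 1$ case of the correctness proof that follows). The seed exists only so the example is reproducible; real keys must come from a cryptographically secure random source.

```python
import math
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (uses the global RNG)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(prime_bits: int = 512, seed=None) -> tuple:
    """Steps 1-3 of the initialization.  Returns ((e, n), (d, n), (p, q)).
    The seed only makes the example reproducible; real keys must come from a
    cryptographically secure generator."""
    rng = random.Random(seed)
    p = random_prime(prime_bits, rng)
    q = random_prime(prime_bits, rng)
    while q == p:
        q = random_prime(prime_bits, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537                                  # common public exponent
    while math.gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)                        # e*d = 1 mod phi(n)  (Python 3.8+)
    return (e, n), (d, n), (p, q)


def rsa_encrypt(public: tuple, m: int) -> int:
    e, n = public
    assert 0 <= m < n, "plaintext must lie in Z_n"
    return pow(m, e, n)


def rsa_decrypt(private: tuple, c: int) -> int:
    d, n = private
    return pow(c, d, n)
```

`rsa_keygen` returns $n$ together with $d$ because, as the text notes, decryption needs the modulus as well as the private exponent; $p$ and $q$ are returned only so the checks can verify $\varphi(n)$ and build the multiple-of-$p$ plaintext.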

Correctness of RSA

In this section we will show the mathematical correctness of RSA – that after decryption of the ciphertext we get the original plaintext again.

Theorem (Correctness of RSA)

For each RSA instance it holds that $\forall m \in \mathbb{Z}_n: D(E(m)) = m$.

Proof: Let $e$ and $d$ be the public and private exponent in an instance of the RSA system with $n = p \cdot q$. We need to show that $(m^e \bmod n)^d \bmod n = m$ for all $m \in \mathbb{Z}_n$.

A special case is $m = 0$. Then $E(m) = D(m) = 0$.

For $m \in \mathbb{Z}_n \setminus \{0\}$ we will consider two cases: $\gcd(n, m) = 1$ and $\gcd(n, m) \ne 1$. We know that $e \cdot d \equiv 1 \pmod{\varphi(n)}$. Thus $\exists k \in \mathbb{N}: ed = 1 + k\varphi(n)$.

1. $\gcd(n, m) = 1$. Let us compute:

$$D(E(m)) = (m^e \bmod n)^d \bmod n = m^{ed} \bmod n = m^{1 + k\varphi(n)} \bmod n = m \cdot (m^{\varphi(n)})^k \bmod n = m \bmod n = m.$$

The penultimate equality is a consequence of Euler's theorem.

2. $\gcd(n, m) \ne 1$. Then either $p \mid m$ or $q \mid m$ (but not both at the same time, because $0 < m < n$). Without loss of generality we assume that $m = l \cdot p^s$, where $s \ge 1$ and $\gcd(n, l) = 1$, $s, l \in \mathbb{N}$. Then

$$D(E(m)) = m^{ed} \bmod n = (l p^s)^{1 + k\varphi(n)} \bmod n = l \cdot (p^{1 + k\varphi(n)})^s \bmod n \qquad (1)$$

(the factor $l^{1 + k\varphi(n)}$ reduces to $l$ by Euler's theorem, since $\gcd(n, l) = 1$). According to Fermat's little theorem (Euler's theorem), $p^{q-1} \equiv 1 \pmod q$. Therefore

$$p^{(q-1)(p-1)} \equiv 1 \pmod q$$
$$p^{k\varphi(n)} = 1 + aq, \qquad a \in \mathbb{Z}$$
$$p^{k\varphi(n) + 1} = p + apq = p + an$$
$$p^{k\varphi(n) + 1} \equiv p \pmod n$$

After substituting into (1) we get:

$$D(E(m)) = l p^s \bmod n = m. \qquad \text{QED}$$

To fully justify the last step, we first need to take a look at some number theory.


Extended Euclidean algorithm:

The algorithm computes for a given pair of natural numbers $a$, $b$ their greatest common divisor (denoted as $\gcd(a, b)$) and integers $u$, $v$ such that $ub + va = \gcd(a, b)$. Without loss of generality we assume that $a \ge b$.

Procedure:

    s[0] = a; s[1] = b; u[0] = 0; u[1] = 1; v[0] = 1; v[1] = 0;
    n = 1;
    while s[n] > 0
        n = n + 1;
        q[n] = s[n-2] / s[n-1];          // integer division
        s[n] = s[n-2] - q[n] * s[n-1];
        u[n] = q[n] * u[n-1] + u[n-2];
        v[n] = q[n] * v[n-1] + v[n-2];
    end
    u = (-1)^n * u[n-1];
    v = (-1)^(n-1) * v[n-1];             // sign of v is (-1)^(n-1), see the proof of (**) below
    gcd(a, b) = s[n-1];
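The procedure above carried out in Python, as an added example that is not part of the original book. It keeps the page's sequences $s$, $q$, $u$, $v$ literally, applies the final signs from the identity $(-1)^{k+1} u_k b + (-1)^k v_k a = s_k$, and then uses the result for the purpose Auxiliary 2 describes: computing a multiplicative inverse modulo $b$, here the RSA private exponent $d$ from $e$ and $\varphi(n)$. The sample inputs (including the small RSA instance $p = 61$, $q = 53$, $e = 17$) are constructed.

```python
def extended_euclid(a: int, b: int) -> tuple:
    """The page's procedure, kept literally as the sequences s, q, u, v.
    Returns (gcd(a, b), u, v) with u*b + v*a == gcd(a, b); requires a >= b >= 0."""
    assert a >= b >= 0
    s, u, v, q = [a, b], [0, 1], [1, 0], [None, None]
    n = 1
    while s[n] > 0:
        n += 1
        q.append(s[n - 2] // s[n - 1])              # integer division
        s.append(s[n - 2] - q[n] * s[n - 1])
        u.append(q[n] * u[n - 1] + u[n - 2])
        v.append(q[n] * v[n - 1] + v[n - 2])
    # From the identity (-1)^(k+1) u_k b + (-1)^k v_k a = s_k at k = n - 1:
    sign = (-1) ** n
    return s[n - 1], sign * u[n - 1], -sign * v[n - 1]


def mod_inverse(a: int, m: int) -> int:
    """a^-1 mod m via the identity above (Auxiliary 2); needs gcd(a, m) == 1."""
    g, u, _ = extended_euclid(m, a % m)     # u*(a mod m) + v*m == g
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return u % m


def rsa_private_exponent(e: int, p: int, q: int) -> int:
    """Step 3 of RSA initialization: d with e*d = 1 (mod phi(n))."""
    return mod_inverse(e, (p - 1) * (q - 1))
```

Note the sign pattern: $u$ carries $(-1)^n$ and $v$ carries $(-1)^{n-1}$; with both set to $(-1)^n$ the identity fails already for $a = 5$, $b = 3$, which is why the procedure above states the exponent of $v$ as $n - 1$.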

In the following auxiliary statement the correctness of the extended Euclidean algorithm will be proven.

Auxiliary 1: Let $a$, $b$ be natural numbers, where $a \ge b$. Then

$$\gcd(a, b) = s_{n-1} \qquad (*)$$
$$ub + va = \gcd(a, b) \qquad (**)$$

Proof: Property (*) (corresponding to the classical Euclidean algorithm) is obtained from this fact:

$$\gcd(a, b) = \gcd(b, a \bmod b) = \gcd(b, s_2) = \gcd(s_2, b \bmod s_2) = \gcd(s_2, s_3) = \dots = \gcd(s_{n-2}, s_{n-1}) = s_{n-1}$$

Now property (**) will be proven. First, using mathematical induction we show that $\forall k \in \{0, \dots, n\}: (-1)^{k+1} u_k b + (-1)^k v_k a = s_k$:

1. $k = 0$: $(-1)^1 u_0 b + (-1)^0 v_0 a = a = s_0$; $k = 1$: $(-1)^2 u_1 b + (-1)^1 v_1 a = b = s_1$.

2. Assume that the identity holds for $k - 1$ and $k - 2$. We show its validity for $k$:

$$(-1)^{k+1} u_k b + (-1)^k v_k a = (-1)^{k+1}(q_k u_{k-1} + u_{k-2}) b + (-1)^k (q_k v_{k-1} + v_{k-2}) a =$$
$$= -q_k \left[ (-1)^k u_{k-1} b + (-1)^{k-1} v_{k-1} a \right] + (-1)^{k+1} u_{k-2} b + (-1)^k v_{k-2} a =$$
$$= -q_k s_{k-1} + (-1)^{k-1} u_{k-2} b + (-1)^{k-2} v_{k-2} a =$$
$$= -q_k s_{k-1} + s_{k-2} = s_k$$

From the proven identity and using property (*) we obtain:

$$\underbrace{(-1)^n u_{n-1}}_{u}\, b + \underbrace{(-1)^{n-1} v_{n-1}}_{v}\, a = s_{n-1} = \gcd(a, b). \qquad \text{QED}$$

Auxiliary 2: Let a ≠ b be two coprime integers, i.e. gcd(a, b) = 1. Then $\exists\, u, v \in \mathbb{Z}: va + ub = 1$.

Proof: This follows directly from the extended Euclidean algorithm (Auxiliary 1 with gcd(a, b) = 1).

Let a ≠ b be two coprime natural numbers. Then according to Auxiliary 1 there exist integers u, v such that va + ub = 1. Thus va = 1 + b(-u), which means $va \equiv 1 \pmod b$.

The extended Euclidean algorithm therefore proves the existence of the inverse of a with respect to multiplication modulo b, and it provides a recipe for computing this inverse (in our case v). Every number of the form v + bt, t ∈ Z, is an inverse as well, so the inverse is unique modulo b. If gcd(a, b) > 1, no such inverse exists.

Euler's theorem

At first, some auxiliary statements will be provided.

Auxiliary 3: Let $n \in \mathbb{N}$ and $a, b, k \in \mathbb{Z}$. If $ka \equiv kb \pmod n$ and $\gcd(k, n) = 1$, then $a \equiv b \pmod n$.

Proof: If a = b, the statement holds trivially. Without loss of generality we can assume a > b. Then there exists $l \in \mathbb{N}$ such that $k(a - b) = ln$. (***)

Because gcd(k, n) = 1, according to Auxiliary 2 there exist $u, v \in \mathbb{Z}$ with $ku + nv = 1$. Multiplying (***) by u and substituting ku = 1 - nv:

$$ku(a - b) = lnu$$

$$(1 - nv)(a - b) = lnu$$

$$a - b = n\,(lu + v(a - b))$$

Therefore n divides a - b, i.e. $a \equiv b \pmod n$.

Definition: For an arbitrary natural number n, let the symbol $\mathbb{Z}_n^*$ denote the set of all numbers between 0 and n that are coprime with n:

$$\mathbb{Z}_n^* = \{\, a \mid a \in \{1, \ldots, n-1\} \wedge \gcd(a, n) = 1 \,\}$$

Additionally, the symbol $\varphi(n)$ denotes the cardinality of the set $\mathbb{Z}_n^*$: $\varphi(n) = |\mathbb{Z}_n^*|$. The function $\varphi$ is called Euler's function (Euler's totient).

Remark: If p is a prime number, then $\mathbb{Z}_p^* = \{1, \ldots, p-1\}$ and $\varphi(p) = p - 1$. If n = p · q is a product of two distinct prime numbers, then $\varphi(n) = (p-1)(q-1)$.

Auxiliary 4: Let $\mathbb{Z}_n^* = \{r_1, \ldots, r_{\varphi(n)}\}$ be all natural numbers smaller than n and coprime with n. Let a be an integer with gcd(a, n) = 1. Then $\{ar_1 \bmod n, \ldots, ar_{\varphi(n)} \bmod n\} = \mathbb{Z}_n^*$.

Proof: We need to show that the numbers $ar_1 \bmod n, \ldots, ar_{\varphi(n)} \bmod n$ are mutually different and coprime with n. Clearly $0 \le ar_i \bmod n < n$, and the value 0 is excluded by point 2 below.

1. Let $i, j \in \{1, \ldots, \varphi(n)\}$ be indexes such that $ar_i \bmod n = ar_j \bmod n$. Because gcd(a, n) = 1, according to Auxiliary 3 we have $r_i \equiv r_j \pmod n$. Since $r_i, r_j < n$, this means $r_i = r_j$ and thus i = j. Therefore the sequence $ar_1 \bmod n, \ldots, ar_{\varphi(n)} \bmod n$ consists of mutually different numbers.

2. For all $i \in \{1, \ldots, \varphi(n)\}$: $\gcd(r_i, n) = 1$. Similarly, gcd(a, n) = 1. Therefore also $\gcd(ar_i \bmod n, n) = \gcd(ar_i, n) = 1$.

So we have $\varphi(n)$ distinct elements of $\mathbb{Z}_n^*$, a set with exactly $\varphi(n)$ elements; hence the two sets are equal.

Euler's theorem: Let $n \in \mathbb{N}$, $a \in \mathbb{Z}$ and gcd(a, n) = 1. Then $a^{\varphi(n)} \equiv 1 \pmod n$.

Proof: Let $\mathbb{Z}_n^* = \{r_1, \ldots, r_{\varphi(n)}\}$. Then the following relation holds:

$$\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$$

Recall that the first congruence is a consequence of Auxiliary 4 (both products run over the same set, only in a different order). Because $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i, n\right) = 1$, Auxiliary 3 allows us to cancel the product and we get:

$$a^{\varphi(n)} \equiv 1 \pmod n \qquad \text{QED}$$

Corollary (Fermat's little theorem): Let p be a prime number and let $a \in \mathbb{Z}$ be such that $p \nmid a$ (p does not divide a). Then $a^{p-1} \equiv 1 \pmod p$.

Proof: $\varphi(p) = p - 1$.

Security of RSA

The security of RSA depends on the problem of factorization, i.e. on the problem of decomposing the value n into the product of two primes p and q. If n were easily factorizable, anybody could compute $\varphi(n) = (p-1)(q-1)$ and obtain d from e in the same way as we do in the initialization step. Therefore, if we are able to factor n, we are able to break RSA. The opposite direction, whether breaking RSA (recovering m from c, e and n) is as hard as factoring n, is an open problem.

Factorization of n using the knowledge of φ(n)

Anybody knowing the value of $\varphi(n)$ is capable of finding the prime factors p and q by solving the system of two equations

$$p \cdot q = n$$

$$(p - 1)(q - 1) = \varphi(n)$$

From the second equation $p + q = n - \varphi(n) + 1$, so p and q are the two roots of the quadratic $x^2 - (n - \varphi(n) + 1)\,x + n = 0$.

Factorization of n using the knowledge of e and d

It is also possible to factor n using the knowledge of one exponent pair e and d. It is therefore strongly advised not to share the modulus n among several users: the knowledge of one pair (e, d) leads to an efficient factorization of n, after which the private exponents of all other users of that modulus can be computed, so the communication between those users cannot be considered secure.
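Both factorization methods from the two paragraphs above, as an added Python example (not the book's code). factor_from_phi solves the quadratic from the φ(n) paragraph; factor_from_ed uses the standard argument that e·d - 1 is a multiple of φ(n), so a random a raised to e·d - 1 gives 1 modulo n, and halving the exponent step by step finds a non-trivial square root of 1 with probability at least 1/2 per trial. recover_other_users_key shows the consequence for a shared modulus. The small key (p = 61, q = 53, e = 17, d = 2753, second user e = 7) is a constructed example.

```python
import math
import random


def factor_from_phi(n, phi):
    """Recover p, q from n = p*q and phi = (p-1)(q-1).

    p + q = n - phi + 1, so p and q are the roots of x^2 - (p+q)x + n.
    """
    s = n - phi + 1                    # p + q
    disc = s * s - 4 * n               # (p - q)^2
    if disc < 0:
        raise ValueError("phi is not the totient of n")
    r = math.isqrt(disc)
    p, q = (s + r) // 2, (s - r) // 2
    if r * r != disc or p * q != n:
        raise ValueError("phi is not the totient of n")
    return p, q


def factor_from_ed(n, e, d, seed=1):
    """Factor n from one exponent pair (e, d) (Las Vegas algorithm).

    e*d - 1 is a multiple of phi(n), so a^(e*d-1) = 1 (mod n) for every a
    coprime to n. Write e*d - 1 = 2^t * r with r odd. For a random a the
    sequence a^r, a^(2r), a^(4r), ... ends in 1; the value x just before
    the first 1 is a square root of 1 modulo n. With probability >= 1/2 it
    is neither 1 nor -1, and then gcd(x - 1, n) is a proper factor because
    (x - 1)(x + 1) = 0 (mod n) while neither factor is divisible by n.
    """
    rng = random.Random(seed)
    k = e * d - 1
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    r = k
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g != 1:                      # lucky: a shares a factor with n
            return max(g, n // g), min(g, n // g)
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue                    # this a yields only trivial roots
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                  # x is a non-trivial root of 1
                g = math.gcd(x - 1, n)
                return max(g, n // g), min(g, n // g)
            if y == n - 1:
                break                   # trivial root: try another a
            x = y


def recover_other_users_key(n, e1, d1, e2):
    """Two users share n: from user 1's pair (e1, d1), user 2's d2 follows."""
    p, q = factor_from_ed(n, e1, d1)
    phi = (p - 1) * (q - 1)
    return pow(e2, -1, phi)
```

For n = 3233 the second user's private exponent comes out as 1783 = 7^-1 mod 3120, without that user ever being involved.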

Special factorization algorithms

If the primes p and q have a special structure, special factorization algorithms apply. One algorithm (Fermat's method) exploits the case when p and q are close, i.e. |p - q| is not large enough; another one (Pollard's p - 1 method) factors n when p - 1 or q - 1 has no large prime factor.

Small message space

The attacker intercepts a ciphertext and, using her knowledge of the public exponent e and the modulus n, generates the possible messages and encrypts each of them. If one of the encrypted candidates matches the intercepted ciphertext, she has found the exact plaintext. This can reasonably be done only when the message space is small, i.e. the number of possible plaintexts is low; textbook RSA is deterministic, so a ciphertext can always be checked against a guessed plaintext.

Attack on the small public exponent e

The advantage of a small public exponent e lies in the speed of encryption and of signature verification, and in smaller storage requirements. These advantages are, however, accompanied by security risks, especially when the same message is sent to several recipients (each with a different modulus) or when messages that are polynomially related to each other are sent.
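Both message-side attacks, as an added Python example (not the book's code): small_space_attack does the trial encryption of the “Small message space” paragraph, and hastad_broadcast carries out the same-message case of the small-exponent attack (Håstad's broadcast attack): with e = 3 and three recipients with pairwise coprime moduli, the Chinese remainder theorem yields m³ as an integer, and an exact cube root recovers m. The moduli built from the small primes 53, 59, 71, 83, 89, 101 and the messages are constructed test data.

```python
import math


def int_root(x, k):
    """Largest r with r**k <= x (binary search; exact for big integers)."""
    if x < 0:
        raise ValueError("non-negative x expected")
    lo, hi = 0, 1
    while hi ** k <= x:
        hi *= 2
    while lo < hi - 1:
        mid = (lo + hi) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid
    return lo


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    big_n = math.prod(moduli)
    x = 0
    for c, n in zip(residues, moduli):
        n_i = big_n // n
        x += c * n_i * pow(n_i, -1, n)
    return x % big_n, big_n


def small_space_attack(c, e, n, candidates):
    """Trial encryption: textbook RSA is deterministic, so every guess m
    can be checked by comparing m^e mod n with the intercepted c."""
    for m in candidates:
        if pow(m, e, n) == c:
            return m
    return None


def hastad_broadcast(ciphertexts, moduli, e=3):
    """Recover m from m^e mod n_i for e pairwise coprime moduli n_i.

    Since m < n_i for every i, m^e < n_1 * ... * n_e, so the CRT solution
    is m^e itself over the integers and an exact e-th root gives m.
    """
    if len(ciphertexts) != e or len(moduli) != e:
        raise ValueError("need exactly e ciphertexts under e distinct moduli")
    x, _ = crt(ciphertexts, moduli)
    m = int_root(x, e)
    if m ** e != x:
        raise ValueError("CRT value is not an exact e-th power: attack failed")
    return m
```

Both attacks are defeated by randomized padding (OAEP): the encrypted value is then different for every recipient and for every encryption of the same message, so neither trial encryption nor the CRT step applies.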

Attack on the short private exponent d

Similarly to the previous case, a small private exponent d allows faster decryption and lowers storage requirements. However, there is a known attack that recovers d from the public values e and n whenever $d < n^{0.292}$ and $e < n^{1.875}$. The second relation is usually satisfied in practice.

Elgamal

This cryptosystem was published in 1984 by Taher Elgamal, later chief scientist at Netscape Communications, where he drove the development of SSL. It is based on the problem of the discrete logarithm.

Discrete logarithm: Let $(G, \cdot)$ be a finite group and $b, y \in G$. A discrete logarithm of y to the base b is any $x \in \mathbb{N}$ such that $b^x = y$. The discrete logarithm problem denotes the problem of finding a discrete logarithm for given values of b and y. For cyclic groups a stronger statement can be formulated: let $(G, \cdot)$ be a finite cyclic group of order $n \in \mathbb{N}$ and $g \in G$ its generator. For a given $y \in G$ compute $x \in \mathbb{Z}_n$ such that $g^x = y$.

Initialization

Choose a large prime number p and $g \in \mathbb{Z}_p^*$ (it does not necessarily have to be a generator, but the order of g determines the size of the key space, so in practice an element of large order is used). The values of p and g can be shared by the users. Next, choose a random $x \in_R \{2, 3, \ldots, p-2\}$ and compute $y = g^x \bmod p$. The public key is then the triple (y, p, g) and the private key is the value x.

Encryption

The plaintext space is the set $\mathbb{Z}_p^*$; larger texts are split into blocks of the required size. Let $m \in \mathbb{Z}_p^*$ be the plaintext (message) we intend to encrypt:

1. We choose a random $k \in_R \{1, 2, \ldots, p-2\}$, fresh for every message.

2. The ciphertext is the pair $\langle r, s \rangle$, where $r = g^k \bmod p$ and $s = y^k \cdot m \bmod p$ (y is part of the public key).

The value k must never be reused: if two messages m, m' are encrypted with the same k, then r = r' and $s / s' \equiv m / m' \pmod p$, so knowing one plaintext reveals the other.

Decryption

The user with the knowledge of the private key x can decipher the message:

$$m = (r^x)^{-1} \cdot s \bmod p$$

Correctness of Elgamal

We have an instance of the Elgamal system with parameters p, g, y, x; $m \in \mathbb{Z}_p^*$ is a message and $\langle r, s \rangle$ its encrypted form. Then

$$(r^x)^{-1} \cdot s \bmod p = (g^{kx})^{-1} \cdot y^k \cdot m \bmod p = g^{-kx} \cdot g^{xk} \cdot m \bmod p = m \bmod p = m$$

The Elgamal cryptosystem is used for example in OpenPGP implementations such as GnuPG, and the Elgamal signature scheme inspired the design of the Digital Signature Algorithm (DSA).
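The initialization, encryption and decryption steps above, as an added Python example (not the book's code), together with the k-reuse leak mentioned under Encryption. The parameters are an assumption made for the example: p = 2^31 - 1 is prime and g = 7 is taken to be a generator modulo p, which keeps the numbers readable; a real deployment uses a prime of at least 2048 bits. The messages and seeds in demo are constructed values.

```python
import random

P = 2 ** 31 - 1   # Mersenne prime; toy-sized parameter assumed for the example
G = 7             # assumed generator of Z_P^*


def elgamal_keygen(p=P, g=G, rng=random):
    """Private x in {2, ..., p-2}, public y = g^x mod p; public key (y, p, g)."""
    x = rng.randrange(2, p - 1)
    return (pow(g, x, p), p, g), x


def elgamal_encrypt(pub, m, rng=random):
    """Ciphertext <r, s> = <g^k, y^k * m> for a fresh random k in {1, ..., p-2}."""
    y, p, g = pub
    if not 1 <= m < p:
        raise ValueError("message must lie in Z_p^*")
    k = rng.randrange(1, p - 1)
    return pow(g, k, p), pow(y, k, p) * m % p


def elgamal_decrypt(priv_x, pub, ct):
    """m = (r^x)^(-1) * s mod p, exactly as in the correctness proof."""
    _, p, _ = pub
    r, s = ct
    return pow(pow(r, priv_x, p), -1, p) * s % p


def k_reuse_leak(pub, ct1, m1, ct2):
    """If two ciphertexts share r (same k), m2 = m1 * s2 / s1 mod p: no key needed."""
    _, p, _ = pub
    (r1, s1), (r2, s2) = ct1, ct2
    if r1 != r2:
        raise ValueError("different k values: no leak from this pair")
    return m1 * s2 * pow(s1, -1, p) % p


def demo(seed=7):
    """Round trip, then the k-reuse leak; returns (round_trip_ok, leak_ok)."""
    rng = random.Random(seed)
    pub, x = elgamal_keygen(rng=rng)
    m1, m2 = 123456789, 987654321
    ok = elgamal_decrypt(x, pub, elgamal_encrypt(pub, m1, rng)) == m1
    # A broken RNG that restarts from the same seed repeats k for both messages.
    ct1 = elgamal_encrypt(pub, m1, random.Random(1))
    ct2 = elgamal_encrypt(pub, m2, random.Random(1))
    return ok, k_reuse_leak(pub, ct1, m1, ct2) == m2
```

The leak needs only the public key and one known plaintext; it is the same failure mode that breaks DSA signatures when the per-signature nonce repeats.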

Rabin

Michael Oser Rabin published in 1979 the first asymmetric cryptosystem whose security was mathematically proven to be equivalent to a hard problem. Its strength is based on the problem of factorization and mathematically it is based on quadratic residues.

Quadratic residue: A number $a \in \mathbb{Z}_n^*$, i.e. $a \in \{1, \ldots, n-1\}$ coprime with n, is called a quadratic residue modulo n (denoted $QR_n$) if there exists $b \in \mathbb{Z}_n$ such that $b^2 \equiv a \pmod n$. If no such b exists, we call a a quadratic non-residue modulo n (denoted $QNR_n$).

Initialization

Choose two large prime numbers p, q, p ≠ q. To simplify the computation of square roots modulo p and q, the primes are usually chosen to satisfy $p \equiv q \equiv 3 \pmod 4$; this is not necessary for the scheme itself, but the root formulas below rely on it. Let n = p · q; then n is the public key and p, q are the private key.

Encryption

The ciphertext is simply the square of the message, i.e. $\forall m \in \mathbb{Z}_n: c = E(m) = m^2 \bmod n$.

Decryption

Due to the nature of quadratic residues, one ciphertext can be obtained from four plaintexts. If gcd(m, n) = 1, then E(m) is a $QR_n$. Because n is a product of two primes, each $QR_n$ (denoted c) has exactly four square roots. We leave aside the possibility gcd(m, n) ≠ 1 (very improbable for large p and q; such an m would in fact reveal a factor of n). The four square roots are computed by determining both square roots modulo p and modulo q. With $p \equiv q \equiv 3 \pmod 4$ we obtain:

$$r_{1,2} = \pm\, c^{(p+1)/4} \bmod p$$

$$r_{3,4} = \pm\, c^{(q+1)/4} \bmod q$$

The square roots of c modulo n are obtained by their linear combination according to the Chinese remainder theorem:

$$M_1 = (a r_1 + b r_3) \bmod n, \qquad M_2 = (a r_1 + b r_4) \bmod n,$$

$$M_3 = (a r_2 + b r_3) \bmod n, \qquad M_4 = (a r_2 + b r_4) \bmod n,$$

where $a = q \cdot (q^{-1} \bmod p)$ and $b = p \cdot (p^{-1} \bmod q)$.

To identify the correct plaintext, we have to either specify the format of the message or use additional techniques, such as padding.

Security of Rabin

The great advantage of the Rabin cryptosystem is that it has been proven that recovering plaintexts from Rabin ciphertexts is as hard as factoring the public key n, whereas for RSA such an equivalence is not known. In this sense the Rabin system rests on a firmer foundation than RSA and will remain secure until a general efficient solution of the factorization problem is discovered. (This assumes that the plaintext was not given a specific structure that eases picking the right root, which weakens the equivalence.)

The problem of factorization is still considered infeasible for large n (although for quantum computers Shor's algorithm computes factors in polynomial time) and thus prevents any eavesdropper nowadays from breaking the system.

The proof of equivalence has a flip side: the Rabin system is prone to a chosen ciphertext attack. An attacker who can obtain decryptions of ciphertexts of her choice picks a random r, submits $r^2 \bmod n$ and receives one of the four roots; with probability 1/2 that root differs from ±r, and then gcd(root - r, n) is a prime factor of n.
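Rabin decryption with the four CRT-combined roots, and the chosen-ciphertext attack from the paragraph above, as an added Python example (not the book's code). It assumes p ≡ q ≡ 3 (mod 4) so that the root formulas apply; the primes 1019 and 1031 and the message 424242 are constructed test values, far too small for real use. The decryption oracle in the attack returns a single root, as a real decryptor would, so each query succeeds with probability 1/2.

```python
import math
import random


def rabin_keygen(p, q):
    """Public key n = p*q; private key (p, q) with p = q = 3 (mod 4)."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("need distinct primes congruent to 3 mod 4")
    return p * q, (p, q)


def rabin_encrypt(n, m):
    """c = m^2 mod n."""
    return m * m % n


def rabin_decrypt(priv, c):
    """All four square roots of c modulo n = p*q via CRT (M_1..M_4 in the text)."""
    p, q = priv
    n = p * q
    rp = pow(c, (p + 1) // 4, p)      # +-rp are the roots mod p (p = 3 mod 4)
    rq = pow(c, (q + 1) // 4, q)      # +-rq are the roots mod q
    a = q * pow(q, -1, p)             # a = 1 mod p, a = 0 mod q
    b = p * pow(p, -1, q)             # b = 0 mod p, b = 1 mod q
    roots = {(sp * a * rp + sq * b * rq) % n for sp in (1, -1) for sq in (1, -1)}
    return sorted(roots)


def rabin_cca_factor(n, decrypt_oracle, seed=0):
    """Factor n given an oracle that returns one square root of a chosen c.

    For random r, the oracle's root x of r^2 satisfies (x - r)(x + r) = 0 mod n.
    If x is not +-r, n divides the product but neither factor, so gcd(x - r, n)
    is p or q. Returns (factors, number of oracle queries used).
    """
    rng = random.Random(seed)
    queries = 0
    while True:
        r = rng.randrange(2, n)
        g = math.gcd(r, n)
        if g != 1:
            return sorted((g, n // g)), queries
        queries += 1
        x = decrypt_oracle(r * r % n)
        if x not in (r, n - r):
            g = math.gcd(x - r, n)
            return sorted((g, n // g)), queries


def demo():
    """Round trip, then the attack against a single-root oracle (constructed values)."""
    n, priv = rabin_keygen(1019, 1031)
    m = 424242
    roots = rabin_decrypt(priv, rabin_encrypt(n, m))
    oracle_rng = random.Random(42)

    def oracle(c):                    # a decryptor handing back one of the roots
        return oracle_rng.choice(rabin_decrypt(priv, c))

    factors, queries = rabin_cca_factor(n, oracle)
    return m in roots, len(roots), factors, queries
```

The attack works against any decryptor that returns a root the attacker did not choose; a redundancy-checked message format (so that the decryptor refuses random-looking ciphertexts) is what closes it in practice.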

Diffie-Hellman key exchange (DH)

This is the first published asymmetric protocol, presented by Whitfield Diffie and Martin Hellman in 1976. It is based on the problem of the discrete logarithm. It later emerged that the same idea had been discovered a few years earlier within GCHQ (Government Communications Headquarters), the British signals intelligence agency, by Malcolm J. Williamson, but was kept classified.

The goal of DH is to allow two parties A, B to jointly establish a shared secret key K for secure communication. The protocol assumes that the values p and g are shared by all potential parties of the protocol. The value p is a sufficiently large prime and $g \in \mathbb{Z}_p^*$ can be (but does not need to be) a generator of the group $(\mathbb{Z}_p^*, \cdot)$; an element of small order would, however, leave only a few possible keys, so in practice g generates a large subgroup.

Protocol:

1. A → B: X; where $X = g^x \bmod p$ and $x \in_R \mathbb{Z}_p^*$ is chosen by A randomly

2. B → A: Y; where $Y = g^y \bmod p$ and $y \in_R \mathbb{Z}_p^*$ is chosen by B randomly

3. A computes $K = Y^x \bmod p$

4. B computes $K = X^y \bmod p$

It can easily be shown that both A and B compute the same key:

$$Y^x \bmod p = g^{xy} \bmod p = X^y \bmod p$$

“Man in the Middle” attack

The DH protocol is prone to an attack in which an active attacker M (Mallory) sits in the communication channel between A (Alice) and B (Bob). Mallory intercepts the first message and, instead of the value X, sends Bob the value $U = g^u \bmod p$, where u is chosen randomly (just as Alice chooses x). Similarly, she intercepts the message Y and instead sends Alice the value $V = g^v \bmod p$. The attack therefore advances as follows:

1. A → M(B): $X = g^x \bmod p$

2. M(A) → B: $U = g^u \bmod p$

3. B → M(A): $Y = g^y \bmod p$

4. M(B) → A: $V = g^v \bmod p$

5. A computes $K_1 = V^x \bmod p$

6. B computes $K_2 = U^y \bmod p$

The notation A → M(B) means that Alice sends a message to Bob, but it is intercepted by Mallory. The notation M(A) → B means that Mallory sends a message to Bob in the name of Alice.

The important fact for Mallory is that neither Alice nor Bob can detect her presence in the protocol (nothing in the exchange authenticates the other party), and she is able to compute both keys $K_1$ and $K_2$:

$$K_1 = X^v \bmod p = g^{xv} \bmod p$$

$$K_2 = Y^u \bmod p = g^{yu} \bmod p$$

From then on she decrypts every message from Alice with $K_1$, re-encrypts it with $K_2$ for Bob, and vice versa.
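The DH exchange and the man-in-the-middle run above, as an added Python example (not the book's code), with both honest parties and Mallory computing their keys from exactly the messages listed in steps 1 to 6, plus the small-order caveat from the protocol description. The parameters p = 2^31 - 1 and g = 7 are an assumption made to keep the example readable (toy-sized, and g assumed to be a generator); a real exchange uses a 2048-bit or larger prime or an elliptic-curve group, and authenticates X and Y, since the protocol as written has nothing that stops Mallory.

```python
import random

P = 2 ** 31 - 1   # toy-sized Mersenne prime, assumed for the example
G = 7             # assumed generator of Z_P^*


def dh_public(secret, p=P, g=G):
    return pow(g, secret, p)


def dh_shared(peer_public, secret, p=P):
    return pow(peer_public, secret, p)


def honest_exchange(seed=1, p=P, g=G):
    """Steps 1-4 of the protocol; returns Alice's and Bob's keys (they agree)."""
    rng = random.Random(seed)
    x = rng.randrange(1, p)           # A's secret, x in Z_p^*
    y = rng.randrange(1, p)           # B's secret
    X = dh_public(x, p, g)            # 1. A -> B: X
    Y = dh_public(y, p, g)            # 2. B -> A: Y
    return dh_shared(Y, x, p), dh_shared(X, y, p)   # 3. Y^x and 4. X^y


def mitm_exchange(seed=1, p=P, g=G):
    """Steps 1-6 with Mallory in the channel; returns everyone's view of the keys."""
    rng = random.Random(seed)
    x, y = rng.randrange(1, p), rng.randrange(1, p)   # Alice's and Bob's secrets
    u, v = rng.randrange(1, p), rng.randrange(1, p)   # Mallory's secrets
    X = dh_public(x, p, g)            # 1. A -> M(B): X   (Mallory intercepts)
    U = dh_public(u, p, g)            # 2. M(A) -> B: U   (Bob takes it for X)
    Y = dh_public(y, p, g)            # 3. B -> M(A): Y   (Mallory intercepts)
    V = dh_public(v, p, g)            # 4. M(B) -> A: V   (Alice takes it for Y)
    return {
        "alice_K1": dh_shared(V, x, p),       # 5. Alice: V^x
        "bob_K2": dh_shared(U, y, p),         # 6. Bob:   U^y
        "mallory_K1": dh_shared(X, v, p),     # Mallory: X^v = g^(xv) = Alice's key
        "mallory_K2": dh_shared(Y, u, p),     # Mallory: Y^u = g^(yu) = Bob's key
    }


def keys_with_order_two_generator(trials=50, seed=3, p=P):
    """Caveat from the text: if g has small order the key space is tiny.
    g = p - 1 has order 2, so every shared key is 1 or p - 1 whatever x, y are."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        x, y = rng.randrange(1, p), rng.randrange(1, p)
        seen.add(pow(pow(p - 1, x, p), y, p))
    return seen
```

Mallory's two keys equal the victims' keys exactly; a transcript check, a signature on X and Y, or a pre-shared secret mixed into the key derivation is what turns this into an authenticated exchange.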

Other asymmetric cryptosystems

Merkle-Hellman

This cryptosystem from the year 1978 is based on the KNAPSACK problem (in its subset-sum variant), which is NP-complete. Its ideas are very elegant and much simpler than RSA, but it was broken by Adi Shamir. The subset sum problem can be formulated as follows:

Given a list of numbers and a third number, which is the sum of a subset of these numbers, determine the subset.

This problem is NP-complete, although some instances are easily solvable (for instance a superincreasing sequence, where each element is larger than the sum of all previous ones, can be solved greedily). Merkle-Hellman transforms an easy instance into a hard-looking one and back. Adi Shamir successfully attacked the process of converting the easy instance into the difficult one.

Paillier

The Paillier cryptosystem is a probabilistic asymmetric cryptosystem, invented by Pascal Paillier in 1999. The problem of deciding n-th residuosity modulo $n^2$ is believed to be computationally difficult. This is known as the Decisional Composite Residuosity (DCR) assumption, upon which this cryptosystem is based.

The scheme is an additively homomorphic cryptosystem: given only the public key and the encryptions of $m_1$ and $m_2$, one can compute an encryption of $m_1 + m_2$.

It has found use in electronic voting and electronic cash, although some attacks are possible (in particular, the homomorphism itself means that ciphertexts can be altered meaningfully unless their integrity is protected by other means).
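Paillier's scheme with its additive homomorphism, as an added Python example (not the book's code), showing concretely what “computing the encryption of m1 + m2 from the encryptions of m1 and m2” means. It uses the standard simplification g = n + 1 (so that the decryption constant μ is λ^-1 mod n) and the constructed toy primes 1019 and 1031; it assumes gcd(n, (p - 1)(q - 1)) = 1, which holds for these values and for equal-length primes in general.

```python
import math
import random


def paillier_keygen(p, q):
    """Public key (n, g) with g = n + 1; private key (lambda, mu)."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("p and q must give gcd(n, phi(n)) = 1")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    n2 = n * n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)        # L(g^lambda mod n^2)^-1 mod n
    return (n, g), (lam, mu)


def paillier_encrypt(pub, m, rng=random):
    """c = g^m * r^n mod n^2 for a fresh random r coprime to n (probabilistic)."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("message must lie in Z_n")
    n2 = n * n
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def paillier_decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (pow(c, lam, n2) - 1) // n * mu % n


def paillier_add(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 is an encryption of m1 + m2 mod n."""
    n, _ = pub
    return c1 * c2 % (n * n)


def paillier_scale(pub, c, k):
    """E(m)^k mod n^2 is an encryption of k * m mod n (the same homomorphism)."""
    n, _ = pub
    return pow(c, k, n * n)


def demo(seed=11):
    """Tally two constructed ballots without decrypting them individually."""
    rng = random.Random(seed)
    pub, priv = paillier_keygen(1019, 1031)
    m1, m2 = 1234, 4321
    c1, c2 = paillier_encrypt(pub, m1, rng), paillier_encrypt(pub, m2, rng)
    total = paillier_decrypt(pub, priv, paillier_add(pub, c1, c2))
    scaled = paillier_decrypt(pub, priv, paillier_scale(pub, c1, 3))
    return paillier_decrypt(pub, priv, c1) == m1, total, scaled, c1 != c2
```

paillier_scale is the attack surface mentioned above: whoever can modify a ciphertext in transit can multiply the vote or amount inside it without knowing the key, so the ciphertexts have to be authenticated.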


Cryptographic hash functions

A cryptographic hash function produces a digest (fingerprint) of an electronic document, usually much shorter than the original document. A hash function is a mapping h : X → Y, where Y is a finite set and X may but need not be finite. A value x ∈ X is called a document or message; the value h(x) is called the digest. The value h(x) can be used as a substitute for the original document x.

Use of cryptographic hash functions

The range of uses of cryptographic hash functions includes integrity checks, authentication, digital signature schemes, cryptographic protocols, etc.

Commitment scheme

A typical use of a cryptographic hash is the following: Alice poses to Bob a difficult math problem and claims she has solved it. Bob would of course like to try it himself, but would also like to be sure that Alice is not bluffing. Therefore Alice writes down her solution, appends a random value (nonce), computes the hash and tells Bob the hash value (without revealing the solution). When Bob finds the solution himself later, Alice reveals the nonce; Bob appends it to his solution, computes the hash value and verifies whether his solution equals Alice's by comparing the two digests. The nonce is what keeps the commitment hiding: without it, Bob could simply hash candidate solutions and compare.

In practice, Alice and Bob are computer programs and the committed secret is information more important than the mere solution of a puzzle.

Message integrity

A cryptographic hash function also serves the purpose of ensuring that the original message arrives intact, untainted, as the sender intended. The hash digest provides a way to verify whether the message was modified by simply comparing the digest computed by the receiver after transmission with the digest value provided by the sender over a secure channel. (Over an insecure channel the digest itself could be replaced along with the message; a keyed construction or a signature is then needed.)

This principle can also be extended to identify files modified by malware, viruses or other sorts of malfeasance.

Another typical example of the use of cryptographic hash functions is password verification. Passwords are typically not stored in their plain form; rather their hash digest is preserved. To authenticate a user, the typed password is digested and compared to the stored digest. To provide even stronger security, the plain password is concatenated with a random value, the salt, before hashing, so that equal passwords do not produce equal digests and precomputed tables of digests are useless.

Cryptographic hash function properties and weaknesses

To measure the security of cryptographic hash functions, it is necessary to define some properties of hash functions that allow us to analyze the security of a particular implementation.

[Figure: Alice commits to her solution by sending Bob its hash; Bob solves the problem himself, computes the hash and compares the two digests.]

One-way function

A hash function h : X → Y is one-way if for a given y ∈ Y it is not effectively possible to find x ∈ X such that h(x) = y.

This property is also called preimage resistance; it means that from the digest alone it is not possible to reconstruct the original document or a substitute for it.

Weakly collision-free hash function (second preimage resistance)

A hash function h : X → Y is weakly collision-free if for a given x ∈ X it is not effectively possible to find x' ∈ X \ {x} such that h(x) = h(x').

This means that for a given document we are unable to find another one with the same hash digest.

Strongly collision-free hash function (collision resistance)

A hash function h : X → Y is strongly collision-free if it is not effectively possible to find x, x' ∈ X such that x ≠ x' and h(x) = h(x').

This means that we cannot effectively find any two documents with the same digest. A collision could lead to substitution of a document with a tampered or fake document carrying the same digest; e.g. two different contracts with the same digest, one of which is signed, could lead to undesired results. Collision resistance is the strongest of the three properties and the first to fall in practice, since the attacker controls both documents.

Birthday attack

This type of attack is inspired by the following problem, known as the birthday paradox:

How many people in a room are enough to have at least 50% probability that there are at least two people who share a birthday?

It can be shown that 23 people are sufficient. This is a somewhat surprising fact if we compare it with how many people must be present to have at least 50% probability that one of them has a birthday on a chosen day: 253 people are required. It can further be shown that for 60 people the probability of a shared birthday exceeds 99%.

Put into perspective, the second question is an analogy to guessing the key of some symmetric cryptographic method (or to finding a preimage of a given digest), whereas the first question is an analogy to finding collisions of hash functions. The outcome is that finding a digest collision between two messages is much easier than finding the key; therefore the size of the hash digest ought to be larger than the size of the symmetric key. Usually the digest size is chosen to be double the bits of the symmetric key.

Intuitively, it is helpful to realize that there are many possible unordered pairs of people who could share a birthday. For 23 people there are $\binom{23}{2} = 253$ possible pairs, which indicates why the paradox occurs. Alternatively, the paradox can be analyzed by thinking about the chances of no two people having matching birthdays: the second person cannot share the birthday of the first, the third that of the first two, the fourth that of the first three, etc. By adding more persons, it becomes more likely that some of them share a birthday. The paradox therefore pertains to the question whether any of the 23 persons shares a birthday with any other person, not with one in particular.

Probability computation

Assuming that all 365 possibilities are equally likely, the probability can be computed as follows. First, the probability $\bar p(n)$ that all n birthdays are different is expressed:

$$\bar p(n) = 1 \cdot \left(1 - \frac{1}{365}\right) \cdot \left(1 - \frac{2}{365}\right) \cdots \left(1 - \frac{n-1}{365}\right), \qquad n \le 365.$$

This is obtained from the fact that the second person cannot have the same birthday as the first one, leaving 364 of 365 free days, the third person cannot share a birthday with the first two persons, leaving 363 free days, etc. The resulting probability of the birthday paradox, i.e. that there are at least two persons sharing a birthday, is the complement of the probability $\bar p(n)$ that no persons share a birthday:

$$p(n) = 1 - \bar p(n) = 1 - \left(1 - \frac{1}{365}\right) \cdot \left(1 - \frac{2}{365}\right) \cdots \left(1 - \frac{n-1}{365}\right), \qquad n \le 365.$$

To approximate the probability, the Taylor series expansion $1 - x \approx e^{-x}$ (valid for small x) can be used:

$$\bar p(n) \approx 1 \cdot e^{-\frac{1}{365}} \cdot e^{-\frac{2}{365}} \cdots e^{-\frac{n-1}{365}} = e^{-\frac{1 + 2 + \ldots + (n-1)}{365}} = e^{-\frac{n(n-1)}{2 \cdot 365}} \approx e^{-\frac{n^2}{2 \cdot 365}}$$

$$p(n) = 1 - \bar p(n) \approx 1 - e^{-\frac{n^2}{2 \cdot 365}}$$

The attack

A birthday attack is a type of cryptographic attack that exploits the principles of the birthday paradox, making use of a space-time tradeoff: the attacker stores the digests seen so far and looks each new one up in that table.

Let H denote the cardinality of the set of all hash values, e.g. for a 64-bit hash output $H = 2^{64}$. It is expected that the hash function distributes all values evenly, i.e. that it is balanced. Then, by substituting H for the number of days in the approximation formula for the birthday paradox, the following formula for the probability that a collision is found after n attempts amongst H possible values is obtained:

$$p(n) \approx 1 - e^{-\frac{n^2}{2H}}$$

By inverting this expression, the following formula is obtained:

$$n(p) \approx \sqrt{2H \ln \frac{1}{1 - p}}$$

The formula can be used to compute the number of tries needed to achieve a desired probability, in our case 50%:

$$n_{1/2} \approx \sqrt{2 \ln 2} \cdot \sqrt{H} \approx 1.1774 \cdot \sqrt{H}$$

For a 64-bit hash function the number of all hash values is $H \approx 1.8 \cdot 10^{19}$, but to generate a collision it is sufficient to try “only” $n_{1/2} \approx 5.1 \cdot 10^9$ attempts for a 50% probability of success. If the hash function is not balanced, the number of required attempts decreases.

This is the main reason why hash functions typically have double the number of bits compared to their symmetric cipher counterparts: a b-bit digest offers only about b/2 bits of collision resistance.
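The exact and approximate probabilities, the inverted formula and an actual birthday search, as an added Python example (not the book's code). birthday_collision finds two distinct inputs whose SHA-256 digests agree on their first bits by storing every digest seen (the space-time tradeoff); truncating to 32 bits is an assumption that keeps the run to a fraction of a second, with an expected number of attempts of about 1.18 · 2^16 ≈ 77 000. The "msg-" input prefix is constructed.

```python
import hashlib
import math


def p_collision_exact(n, H=365):
    """Probability that n values drawn uniformly from H collide (1 - p_bar(n))."""
    p_bar = 1.0
    for i in range(n):
        p_bar *= (H - i) / H
    return 1.0 - p_bar


def p_collision_approx(n, H=365):
    """The Taylor approximation 1 - exp(-n^2 / (2H))."""
    return 1.0 - math.exp(-n * n / (2.0 * H))


def attempts_for_probability(p, H):
    """n(p) = sqrt(2H ln(1 / (1 - p))): the inverse of the approximation."""
    return math.sqrt(2.0 * H * math.log(1.0 / (1.0 - p)))


def n_half(H):
    """Attempts for a 50% collision chance: about 1.1774 * sqrt(H)."""
    return attempts_for_probability(0.5, H)


def attempts_for_target(p, H):
    """The other question in the text: draws until a chosen value appears with
    probability p, i.e. 1 - (1 - 1/H)^n >= p. This grows like H, not sqrt(H)."""
    return math.log(1.0 - p) / math.log(1.0 - 1.0 / H)


def truncated_sha256(data, bits):
    """The first `bits` bits of SHA-256 (bits must be a multiple of 8)."""
    return hashlib.sha256(data).digest()[: bits // 8]


def birthday_collision(bits=32, prefix=b"msg-"):
    """Find distinct inputs with equal `bits`-bit truncated SHA-256.

    Returns (input_1, input_2, attempts). Every digest is stored in a table
    and each new one is looked up, so memory grows with the attempts.
    """
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        d = truncated_sha256(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
        i += 1
```

Doubling the truncation to 64 bits would raise the expected work to about 5 · 10^9 digests and the table to tens of gigabytes, which is why 64-bit digests are considered broken against collision attacks while 128-bit preimage search on the same function is still out of reach.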

Replay attack

During an authentication process, computing the hash of the password alone and sending it through the communication channel represents a security risk, as Mallory in the middle can eavesdrop the hash of the password and reuse it next time on behalf of Alice; the hash is then nothing more than a password equivalent. The scheme below depicts this weakness:

[Figure: Alice sends h(password) to Trent; Mallory records it and replays it in a later session.]

Therefore it is vital to randomize the digesting process. This can be accomplished by appending a random string to the password and hashing them together each time the authentication process runs. This random string is called a nonce (number used once); it plays a role similar to a salt, but whereas a salt is stored with the password hash, a nonce is fresh for every run of the protocol. The authentication protocol then consists of Trent generating the nonce, passing it to Alice, Alice computing the hash of the password with the nonce and sending it to Trent, and Trent verifying the hash, as the following scheme shows:

[Figure: challenge-response login: Alice asks to authenticate, Trent sends a nonce, Alice returns the hash of password and nonce, Trent accepts.]

Notice that even if Mallory eavesdrops in the middle, she is not able to reuse the password hash next time, as Trent generates a different nonce for each session. During authentication the nonce is transferred unencrypted and, for the purpose of verification, the nonce is prepended to the hash of the password concatenated with the nonce. Trent is then immediately able to detect whether the password hash is fresh by simply extracting the unencrypted nonce from the message and comparing it to the nonce value stored in his system for that particular session, and by computing the digest of the password concatenated with that nonce to verify Alice's input. Alice's output is thus computed as:

$$\text{output}(password, nonce) = nonce \,\|\, h(password \,\|\, nonce)$$

where h is a cryptographic hash function and || denotes concatenation. Note that Trent must hold the password itself (or an equivalent secret) to recompute the digest. This challenge-response process is related to, but distinct from, key strengthening (key stretching), which iterates the hash many times to slow down password guessing.
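The hash commitment from the “Commitment scheme” section and the nonce-based challenge-response login above, as an added Python example (not the book's code). It uses SHA-256 from the standard library, length-prefixes the fields before hashing so that the boundary between password and nonce is unambiguous, and compares digests in constant time. The Verifier class, the user name and the password are constructed for the example; as in the text, Trent holds the password itself.

```python
import hashlib
import hmac
import os
import struct


def encode(*parts):
    """Length-prefix every field: without this, (password, nonce) pairs that
    share the same concatenation would hash identically."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def h(data):
    return hashlib.sha256(data).digest()


# --- commitment: commit = h(solution || nonce); later reveal solution and nonce

def commit(solution, nonce=None):
    """Return (commitment, nonce). A fresh 128-bit nonce makes the commitment
    hiding: Bob cannot test candidate solutions against it."""
    nonce = os.urandom(16) if nonce is None else nonce
    return h(encode(solution, nonce)), nonce


def verify_commitment(commitment, solution, nonce):
    return hmac.compare_digest(commitment, h(encode(solution, nonce)))


# --- challenge-response login: output = nonce || h(password || nonce)

def respond(password, nonce):
    """Alice's output for the nonce she received."""
    return nonce + h(encode(password, nonce))


class Verifier:
    """Trent: hands out one nonce per session and accepts it only once."""

    NONCE_LEN = 16

    def __init__(self, passwords):
        self._passwords = dict(passwords)   # Trent must know the password itself
        self._pending = {}                  # user -> nonce of the open session

    def challenge(self, user):
        nonce = os.urandom(self.NONCE_LEN)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self._pending.pop(user, None)   # one attempt per challenge
        password = self._passwords.get(user)
        if nonce is None or password is None:
            return False
        sent_nonce, digest = response[:self.NONCE_LEN], response[self.NONCE_LEN:]
        fresh = hmac.compare_digest(sent_nonce, nonce)   # nonce in the message is ours
        correct = hmac.compare_digest(digest, h(encode(password, nonce)))
        return fresh and correct


def replay_demo():
    """A recorded response is useless in the next session (constructed data)."""
    trent = Verifier({b"alice": b"correct horse battery staple"})
    nonce1 = trent.challenge(b"alice")
    recorded = respond(b"correct horse battery staple", nonce1)   # Mallory records this
    first = trent.verify(b"alice", recorded)
    trent.challenge(b"alice")                                       # new session, new nonce
    replayed = trent.verify(b"alice", recorded)                     # Mallory replays
    return first, replayed
```

The same structure protects against replay only as long as nonces are unpredictable and never reused; a counter that Mallory can guess would let her precompute responses once she has seen one valid one for that password.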

Construction of cryptographic hash functions

Hash functions can be based on various principles: NP-hard problems, modified block ciphers, or dedicated designs.

Constructions from block ciphers

When constructing a hash function from a block cipher, the input message is divided into blocks corresponding to the block size of the cipher or the length of its key. If m is a message, $m_1 m_2 \ldots m_k$ its division into blocks and E a symmetric cipher, there exist secure schemes provided the cipher has the desired properties.

Iterated hash functions

Iterated hash functions process input data in blocks of fixed length. The input therefore must be padded accordingly and divided into blocks $m_1 m_2 \ldots m_k$.

The blocks of input are processed with the “compression” function f and a temporary digest (chaining value) is computed:

$$H_0 = IV$$

$$H_i = f(m_i, H_{i-1}), \qquad i = 1, \ldots, k$$

where IV is a constant initialization vector for the given hash function. The output is the value $H_k$ or $g(H_k)$, where g is an output function.


Constructing a hash function as an iterated hash function is the most common approach amongst contemporary hash functions. One of the reasons is that if the compression function used has suitable properties, these can be proved for the iterated hash function as well (using a suitable construction).

Merkle-Damgård construction

This construction extends a collision-free compression function $f: \{0,1\}^{n+r+1} \to \{0,1\}^n$, $r \ge 1$, into a function $h: \{0,1\}^* \to \{0,1\}^n$ that is also collision-free. Most of the popular contemporary hash functions follow this construction.

1. Let x be the input of size l bits. Let x be partitioned into blocks $x_1 x_2 \ldots x_t$ of length r bits (the last block padded with zeros if necessary).

2. Let $x_{t+1}$ be an additional block containing the binary representation of l.

3. The hash value $h(x) = H_{t+1}$ is computed as:

$$H_1 = f(0^{n+1} \| x_1), \qquad H_i = f(H_{i-1} \| 1 \| x_i), \quad i = 2, \ldots, t+1$$

Additionally, the resulting value can be processed by an output function g that ensures additional properties of the resulting hash are satisfied. These properties are often compression of the internal state to an output consisting of fewer bits, mixing of bits, or the avalanche effect (a small change in the input causes a big change in the output).

Construction of compression function

The compression function is the core of a cryptographic hash function. During construction, the input message m is divided into blocks $m_1 m_2 \ldots m_k$. Contemporary compression functions are usually constructed according to various known schemes, in which $E_K(\cdot)$ denotes encryption with a block cipher under the key K.

Davies-Meyer scheme

$$H_i = E_{m_i}(H_{i-1}) \oplus H_{i-1}, \qquad i = 1, \ldots, k,$$

where the final digest is the value $H_k$ and $H_0$ is a fixed initialization vector. The message block is used as the cipher key and the chaining value as the plaintext.

Matyas-Meyer-Oseas scheme

$$H_i = E_{g(H_{i-1})}(m_i) \oplus m_i, \qquad i = 1, \ldots, k,$$

where g is a converting/padding function that maps the chaining value to a key of the right size.

[Figures: the Davies-Meyer and Matyas-Meyer-Oseas compression functions, and the iterated construction IV → f(x_1) → f(x_2) → ... → f(x_t) → g → H.]

Miyaguchi-Preneel

$$H_i = E_{g(H_{i-1})}(m_i) \oplus H_{i-1} \oplus m_i, \qquad i = 1, \ldots, k$$

This is an extended version of the previous scheme.

Of course, the block length of the cipher, which determines the length of the chaining value and thus of the digest, must be large enough to prevent birthday-type attacks.

Contemporary cryptographic hash functions

The following table shows some of the contemporary cryptographic hash functions:

    Hash algorithm    Hash sum size (bits)    Internal state size (bits)    Block size (bytes)
    HAVAL             128-256
    MD2               128                     512                           16
    MD4               128                     128                           64
    MD5               128                     128                           64
    RIPEMD-128        128                     128                           64
    RIPEMD-160        160                     160                           64
    SHA-0             160
    SHA-1             160                     160                           64
    SHA-224           224                     256                           64
    SHA-256           256                     256                           64
    SHA-384           384                     512                           128
    SHA-512           512                     512                           128
    Snefru            128-256
    Tiger-128         128                     192                           64
    Tiger-160         160                     192                           64
    Tiger / Tiger2    192                     192                           64
    WHIRLPOOL         512                     512                           64

Message Digest Algorithm 5 - MD5

MD5 is an iterated hash function, designed by Ronald Rivest in 1991 as a successor to MD4 and published as the Internet standard RFC 1321 in 1992, which ensured its widespread occurrence in many contemporary applications and standards. Its main use has been as a means to check the integrity of files.

Algorithm background

MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken into 512-bit blocks and padded accordingly. The padding works as follows: first a single 1 bit is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message to 64 bits fewer than a multiple of 512. The remaining 64 bits are filled with a 64-bit integer representing the length of the original message in bits.

The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages (rounds); each round is composed of 16 similar operations based on a non-linear function F, modular addition and left rotation. There are four possible functions F, a different one being used in each round:

$$F(X, Y, Z) = (X \wedge Y) \vee (\neg X \wedge Z)$$

$$G(X, Y, Z) = (X \wedge Z) \vee (Y \wedge \neg Z)$$

$$H(X, Y, Z) = X \oplus Y \oplus Z$$

$$I(X, Y, Z) = Y \oplus (X \vee \neg Z)$$

MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. $M_i$ denotes a 32-bit block of the message input and $K_i$ denotes a 32-bit constant, different for each operation. ⊞ denotes addition modulo $2^{32}$ and <<<s denotes left rotation by s places.

[Figure: one MD5 operation: the state words A, B, C, D are updated using F, M_i, K_i, ⊞ and <<<s.]

Pseudocode

The following pseudocode demonstrates the MD5 algorithm.

    // Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating
    // Define r (per-operation rotation amounts) and k (per-operation constants)
    var int[64] r, k
    r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}
    r[16..31] := {5,  9, 14, 20, 5,  9, 14, 20, 5,  9, 14, 20, 5,  9, 14, 20}
    r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}
    r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}

    // Use the binary integer part of the sines of integers as constants:
    for i from 0 to 63
        k[i] := floor(abs(sin(i + 1)) × 2^32)

    // Initialize variables:
    var int h0 := 0x67452301
    var int h1 := 0xEFCDAB89
    var int h2 := 0x98BADCFE
    var int h3 := 0x10325476

    // Pre-processing:
    append "1" bit to message
    append "0" bits until message length in bits ≡ 448 (mod 512)
    append bit length of the original message as a 64-bit little-endian integer to message

    // Process the message in successive 512-bit chunks:
    for each 512-bit chunk of message
        break chunk into sixteen 32-bit little-endian words w(i), 0 ≤ i ≤ 15

        // Initialize hash value for this chunk:
        var int a := h0
        var int b := h1
        var int c := h2
        var int d := h3

        // Main loop:
        for i from 0 to 63
            if 0 ≤ i ≤ 15 then
                f := (b and c) or ((not b) and d)
                g := i
            else if 16 ≤ i ≤ 31
                f := (d and b) or ((not d) and c)
                g := (5×i + 1) mod 16
            else if 32 ≤ i ≤ 47
                f := b xor c xor d
                g := (3×i + 5) mod 16
            else if 48 ≤ i ≤ 63
                f := c xor (b or (not d))
                g := (7×i) mod 16

            temp := d
            d := c
            c := b
            b := ((a + f + k(i) + w(g)) rotate left r(i)) + b
            a := temp

        // Add this chunk's hash to the result so far:
        h0 := h0 + a
        h1 := h1 + b
        h2 := h2 + c
        h3 := h3 + d

    var int digest := h0 append h1 append h2 append h3   // (each word expressed as little-endian)
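The pseudocode above as a runnable Python implementation, added here (it is not the book's code) and checked against the standard library. Because MD5 is a Merkle-Damgård iterated hash whose digest is simply the final chaining value, anyone who knows MD5(secret || m) and the length of secret || m can continue hashing from that state: length_extension forges MD5(secret || m || padding || extra) without the secret, which is why a bare hash of a secret-prefixed message must not be used as a message authentication code. The secret and the messages in forgery_demo are constructed values.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
# per-operation rotation amounts r[i] and sine-derived constants k[i] from the pseudocode
_R = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK32


def md5_padding(message_len):
    """Padding for a message of message_len bytes: a 1 bit, zeros up to
    448 mod 512 bits, then the bit length as a 64-bit little-endian integer."""
    pad = b"\x80" + b"\x00" * ((55 - message_len) % 64)
    return pad + struct.pack("<Q", (message_len * 8) & 0xFFFFFFFFFFFFFFFF)


def _compress(state, block):
    """One 512-bit block: the 64 operations, then the chaining-value feed-forward."""
    a, b, c, d = state
    w = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f &= MASK32
        new_b = (b + _rotl((a + f + _K[i] + w[g]) & MASK32, _R[i])) & MASK32
        a, b, c, d = d, new_b, b, c
    return tuple((s + x) & MASK32 for s, x in zip(state, (a, b, c, d)))


def md5(message, state=_IV, prefix_len=0):
    """MD5 of message. state/prefix_len let hashing resume from a known
    chaining value after prefix_len already-hashed bytes (used by the attack)."""
    data = message + md5_padding(prefix_len + len(message))
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def length_extension(known_digest, known_len, extra):
    """Given MD5(secret || m) and len(secret || m), forge the digest of
    secret || m || glue || extra without the secret. Returns (suffix, digest),
    where suffix = glue || extra is what gets appended to the original message."""
    glue = md5_padding(known_len)                 # the padding the victim applied
    state = struct.unpack("<4I", known_digest)    # the digest is the chaining value
    forged = md5(extra, state=state, prefix_len=known_len + len(glue))
    return glue + extra, forged


def matches_hashlib(message):
    return md5(message) == hashlib.md5(message).digest()


def forgery_demo():
    """Constructed values: the attacker never sees `secret`."""
    secret, m, extra = b"s3cret-key", b"amount=10&to=bob", b"&to=mallory"
    tag = md5(secret + m)                          # what the victim published
    suffix, forged = length_extension(tag, len(secret) + len(m), extra)
    return forged == hashlib.md5(secret + m + suffix).digest()
```

The forgery only needs the length of the secret, which an attacker can guess by trying a handful of values; HMAC, which hashes twice with the key mixed in differently each time, is the standard way to get a MAC out of a Merkle-Damgård hash without this weakness.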

Applications

Digests produced by MD5 are heavily utilized when downloading software, to check that the downloaded file was not modified. A trusted party provides the MD5 digest of the file; after the download its MD5 digest is computed and compared. If the “trusted party” is the same server that provides the file, the digest loses its security meaning and only detects accidental corruption: an attacker who can replace the file can replace the published digest as well.

MD5 has also often served the purpose of protecting stored passwords. Of course, salting and key strengthening (iterating the hash) must be applied.

Security

MD5 has been considered broken since Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu demonstrated collisions in 2004; in 2006 Vlastimil Klíma proposed a method based on their work, called tunneling, that finds a collision within about one minute on an ordinary PC. Further use of MD5 wherever collision resistance matters (signatures, certificates) is not secure and is strongly deprecated.

Secure Hash Algorithm - SHA

SHA is a family of iterated hash functions. The first function, SHA (today called SHA-0), was published in 1993. Two years later SHA-1 was published. Later the SHA-2 family was issued with a modified design; it consists of the SHA-224, SHA-256, SHA-384 and SHA-512 functions.

The original specification of the algorithm (SHA-0) was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by NIST. It was withdrawn by the NSA shortly after publication and superseded by the revised version (SHA-1), published in 1995 in FIPS PUB 180-1. This corrected a flaw in the original algorithm which reduced its cryptographic security.

SHA-0 and SHA-1 produce a 160-bit digest; the maximal size of a message is limited to $2^{64} - 1$ bits. The algorithm is based on principles similar to those used in MD5.

In 2001, NIST published additional hash functions in the SHA family, each with longer digests, collectively known as SHA-2 (draft FIPS PUB 180-2). In February 2004 a change notice was published for FIPS PUB 180-2, specifying an additional variant (SHA-224), defined to match the key length of two-key Triple DES.

SHA-256 and SHA-512 are cryptographic hash functions computed with 32- and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds (64 and 80). SHA-224 and SHA-384 are simply truncated versions of the first two, computed with different initial values.

 Algorithm

Compression function of SHA-1

[Figure: one iteration of the SHA-1 compression function, with state words A, B, C, D, E, the function F, rotations <<<5 and <<<30, and the inputs W_t and K_t]

The diagram depicts one iteration within the SHA-1 compression function:
A, B, C, D and E are the 32-bit words of the state;
F is a nonlinear function that varies from round to round;
<<<n denotes a left bit rotation by n places, where n varies for each operation;
the boxed plus denotes addition modulo $2^{32}$;
$K_t$ is a round constant.

In the following paragraphs, SHA-256 is described as a representative of modern cryptographic hash functions.

SHA-256 is defined for messages shorter than $2^{64}$ bits, processed in blocks of 512 bits (64 bytes). All computations in the algorithm are performed on 32-bit words. The opening input transformation is a padding that aligns the message size to a multiple of 512 bits: a single 1 bit is appended behind the message, the last 64 bits of the padded message are reserved for the binary representation of the length of the original message, and between the 1 bit and the length field the corresponding number of 0 bits is inserted.

The intermediate result of the computation will further be denoted $H^{(i)}$. It is 256 bits long and is divided into 8 words $H_0^{(i)}, \ldots, H_7^{(i)}$. The value $H^{(0)}$ is defined as a constant initialization vector.

From each input block, divided into 16 words (denoted $m_0, \ldots, m_{15}$), the sequence of 64 words $W_0, \ldots, W_{63}$ is computed:

$$W_t = \begin{cases} m_t & 0 \le t \le 15 \\ G_1(W_{t-2}) + W_{t-7} + G_0(W_{t-15}) + W_{t-16} & 16 \le t \le 63 \end{cases}$$

Addition is interpreted modulo $2^{32}$ and the functions $G_0$, $G_1$ are defined as follows ($RR_k$ is a cyclic rotation to the right by k bits and $SR_k$ is a shift to the right by k bits):

$$G_0(x) = RR_7(x) \oplus RR_{18}(x) \oplus SR_3(x)$$
$$G_1(x) = RR_{17}(x) \oplus RR_{19}(x) \oplus SR_{10}(x)$$

Subsequently, the words $W_t$ are processed in a loop. Before the loop, the temporary variables a, b, c, d, e, f, g, h are declared and initialized as follows:

$$a = H_0^{(i-1)},\ b = H_1^{(i-1)},\ c = H_2^{(i-1)},\ d = H_3^{(i-1)},$$
$$e = H_4^{(i-1)},\ f = H_5^{(i-1)},\ g = H_6^{(i-1)},\ h = H_7^{(i-1)}$$

In the loop for t = 0, ..., 63, the temporary variables are modified according to the following assignments (performed simultaneously, i.e. every right-hand side uses the values from the previous step):

$$a = T_1 + T_2,\ b = a,\ c = b,\ d = c,$$
$$e = d + T_1,\ f = e,\ g = f,\ h = g$$

where $T_1$ and $T_2$ are computed by the following equations:

$$T_1 = h + F_1(e) + Ch(e, f, g) + K_t + W_t$$
$$T_2 = F_0(a) + Maj(a, b, c)$$
$$F_0(x) = RR_6(x) \oplus RR_{11}(x) \oplus RR_{25}(x)$$
$$F_1(x) = RR_2(x) \oplus RR_{13}(x) \oplus RR_{22}(x)$$
$$Ch(x, y, z) = (x \land y) \oplus (\lnot x \land z)$$
$$Maj(x, y, z) = (x \land y) \oplus (x \land z) \oplus (y \land z)$$

where the functions $F_0$, $F_1$, $Ch$ and $Maj$ are logic functions evaluated bit by bit and $K_t$ are algorithm constants.

The final value of $H^{(i)}$ is obtained by executing the following assignments, after which the updated values a, ..., h form the words $H_0^{(i)}, \ldots, H_7^{(i)}$:

$$a = a + H_0^{(i-1)},\ b = b + H_1^{(i-1)},\ c = c + H_2^{(i-1)},\ d = d + H_3^{(i-1)},$$
$$e = e + H_4^{(i-1)},\ f = f + H_5^{(i-1)},\ g = g + H_6^{(i-1)},\ h = h + H_7^{(i-1)}$$

The message digest is given by the value of $H^{(i)}$ after processing the last block of the padded message.
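The SHA-256 description above carried through as a working implementation in Python. This is an added example, not code from the book. It derives the round constants $K_t$ and the initialization vector $H^{(0)}$ the way FIPS 180-2 defines them (the first 32 fractional bits of the cube roots of the first 64 primes and of the square roots of the first 8 primes, computed here with the decimal module so that no floating-point rounding can flip a bit) instead of pasting them in, and keeps the message schedule, the $T_1$/$T_2$ step and the final addition recognisable. One caveat a practitioner should know: the standard pairs the rotations (6, 11, 25) with e in $T_1$ and (2, 13, 22) with a in $T_2$; the text's labels $F_0$ and $F_1$ attach these rotation amounts the other way round, so an implementation taken literally from the equations above would not produce standard SHA-256 digests. The example follows the standard and is checked against hashlib.

```python
import hashlib
import struct
from decimal import Decimal, getcontext

MASK32 = 0xFFFFFFFF
getcontext().prec = 60  # far more digits than the 32 fractional bits we keep


def first_primes(count):
    """The first `count` primes by trial division (enough for 64 values)."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def frac_bits(x, nbits=32):
    """First `nbits` bits of the fractional part of a positive Decimal x."""
    return int((x - int(x)) * (1 << nbits))


PRIMES = first_primes(64)
# K_t: fractional parts of the cube roots of the first 64 primes.
K = [frac_bits(Decimal(p) ** (Decimal(1) / Decimal(3))) for p in PRIMES]
# H^(0): fractional parts of the square roots of the first 8 primes.
H_INIT = [frac_bits(Decimal(p).sqrt()) for p in PRIMES[:8]]


def rotr(x, k):
    """RR_k: cyclic rotation of a 32-bit word to the right by k bits."""
    return ((x >> k) | (x << (32 - k))) & MASK32


def sha256(message):
    """Return the SHA-256 digest of `message` (bytes) as a hex string."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", len(message) * 8)   # big-endian length in bits
    h = list(H_INIT)
    for offset in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[offset:offset + 64]))   # m_0 .. m_15
        for t in range(16, 64):
            g0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
            g1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
            w.append((g1 + w[t - 7] + g0 + w[t - 16]) & MASK32)
        a, b, c, d, e, f, g, hh = h
        for t in range(64):
            # FIPS 180-2: rotations (6, 11, 25) act on e in T1, (2, 13, 22) on a in T2.
            sigma1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
            ch = (e & f) ^ (~e & g)
            t1 = (hh + sigma1 + ch + K[t] + w[t]) & MASK32
            sigma0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            t2 = (sigma0 + maj) & MASK32
            # All eight assignments use the values from before this step.
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK32, c, b, a, (t1 + t2) & MASK32
        # H^(i) = H^(i-1) + (a, ..., h), word by word modulo 2^32.
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8I", *h).hex()


def matches_hashlib(message):
    """Cross-check against the standard library for the same input."""
    return sha256(message) == hashlib.sha256(message).hexdigest()
```

Deriving the constants rather than copying them is a habit worth keeping: a single mistyped hex digit in a 64-entry table produces a function that looks like SHA-256, passes no test vector, and is not detected by anything except a comparison with a reference implementation.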

Variants

The following table lists all variants of SHA:

Hash algorithm   Hash sum size (bits)   Internal state size (bits)   Block size (bytes)
SHA-0            160
SHA-1            160                    160                          64
SHA-224          224                    256                          64
SHA-256          256                    256                          64
SHA-384          384                    512                          128
SHA-512          512                    512                          128

The internal state is the "internal hash sum" after each compression of a data block. The SHA functions also keep some additional variables internally, such as the length of the data compressed so far, since that is needed for the length padding at the end.

 Security

Both early members, SHA-0 and SHA-1, are prone to certain identified attacks. SHA-2 seems to be resistant to them at this time, but as SHA-2 is similar to SHA-1, work on a new and better hashing standard is under way.

In early 2005, Rijmen and Oswald published an attack on a reduced version of SHA-1 (53 out of 80 rounds) which finds collisions with a complexity of fewer than $2^{80}$ operations.

In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu was announced. The attack can find collisions in the full version of SHA-1, requiring fewer than $2^{69}$ operations (a brute-force search would require $2^{80}$). The analysis was built on the original differential attack on SHA-0, the near-collision attack on SHA-0, the multi-block collision techniques, as well as the message modification techniques used in the collision search attack on MD5.

On 17 August 2005, an improvement on the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao, lowering the complexity required for finding a collision in SHA-1 to $2^{63}$.

In academic cryptography, any attack that has less computational complexity than the expected time needed for brute force is considered a break. This does not, however, necessarily mean that the attack can be practically exploited. It has been speculated that finding a collision for SHA-1 is within reach of a massive distributed Internet search.

 Applications

SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are the required secure hash algorithms for 

use in U.S. Federal applications, including use by other cryptographic algorithms and protocols, for 

the protection of sensitive unclassified information. FIPS PUB 180-1 also encouraged adoption and

use of SHA-1 by private and commercial organizations.

A prime motivation for the publication of the Secure Hash Algorithm was the Digital Signature

Standard (DSS), in which it is incorporated.

The most commonly used function in the family, SHA-1, is employed in a large variety of popular security applications and protocols, including TLS, SSL, PGP, SSH, S/MIME and IPSec. SHA-1 is considered to be the successor to MD5, an earlier, widely used hash function.

The SHA hash functions have been used as the basis for the SHACAL block ciphers.

The copy prevention system of Microsoft's Xbox game console relies on the security of SHA-1.

SHA-1 hashing has also been employed by many file sharing applications to link multiple sources for the same file that may not have the same name, as well as to avoid matching non-identical sources that may have the same name.

Whirlpool

Whirlpool is a cryptographic hash function based on ideas similar to those used in the AES symmetric cryptosystem, introduced by Vincent Rijmen and Paulo S. L. M. Barreto. Whirlpool operates on messages less than $2^{256}$ bits in length and produces a 512-bit digest. Whirlpool is standardized under ISO/IEC 10118-3:2004; the final version evolved from the predecessors called Whirlpool-0 and Whirlpool-T. The cipher is named after the Whirlpool galaxy M51 (NGC 5194) in Canes Venatici.

Whirlpool uses Merkle-Damgård strengthening and the Miyaguchi-Preneel hashing scheme with a dedicated 512-bit block cipher called W. The bit string to be hashed is padded with a single 1 bit, then with a sequence of 0 bits, and finally with the original length (in the form of a 256-bit integer value), so that the length after padding is a multiple of 512 bits. The resulting message string is divided into a sequence of 512-bit blocks $m_1, m_2, \ldots, m_t$, which is then used to generate a sequence of intermediate hash values $H_0, H_1, H_2, \ldots, H_t$. By definition, $H_0$ is a string of 512 zero bits. To compute $H_i$, W encrypts $m_i$ using $H_{i-1}$ as the key and XORs the resulting ciphertext with both $H_{i-1}$ and $m_i$, as specified by the Miyaguchi-Preneel scheme. The final message digest is $H_t$.

 Block cipher

The 512-bit block cipher W is very similar to the AES algorithm, Rijndael. The main differences are summarized in the following table:

Property                        AES / Rijndael                                     W / Whirlpool
Block size (bits)               128, 160, 192, 224, 256                            512
Number of rounds                10-14                                              10
Key schedule                    dedicated a priori algorithm                       round function itself
GF(2^8) reduction polynomial    x^8 + x^4 + x^3 + x + 1 (0x11B)                    x^8 + x^4 + x^3 + x^2 + 1 (0x11D)
Substitution (S)-box origin     mapping u → u^-1 over GF(2^8), affine transform    recursive structure
Round constants origin          polynomials x^i over GF(2^8)                       successive entries of S-box
Diffusion layer                 left-multiplication by the 4×4 circulant           right-multiplication by the 8×8 circulant
                                MDS matrix cir(2, 3, 1, 1)                         MDS matrix cir(1, 1, 4, 1, 8, 5, 2, 9)

 Differences between Whirlpool's W block cipher and AES (Rijndael)

The S-box of W, which in the original submission was generated entirely at random (i.e. lacked any internal structure), has been replaced by a recursive structure: the new 8×8 substitution box is composed of smaller 4×4 "mini-boxes" (the exponential E-box, its inverse, and the pseudo-randomly generated R-box).

[Figure: one Miyaguchi-Preneel compression step: W keyed with $H_{i-1}$ encrypts $m_i$; the result is combined into $H_i$]

u        0 1 2 3 4 5 6 7 8 9 A B C D E F
E(u)     1 B 9 C D 6 F 3 E 8 7 4 A 2 5 0
E^-1(u)  F 0 D 7 B E 5 A 9 2 C 1 3 4 8 6
R(u)     7 C B D E 4 9 F 6 3 8 A 2 5 1 0

W's S-box mini-boxes
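The page tabulates the three mini-boxes but not how they are wired together. The Python below is an added example, not code from the book or from the Whirlpool authors; the composition it implements (E on the high nibble and E^-1 on the low nibble, R applied to the XOR of the two results and mixed back into both halves, then E and E^-1 once more) is the one in the Whirlpool specification's figure, so it goes beyond the text on this page. The first eight entries it produces (0x18, 0x23, 0xC6, 0xE8, 0x87, 0xB8, 0x01, 0x4F) are those of the published Whirlpool S-box, and the example also checks the two properties a reviewer would want: the E^-1 table on the page really is the inverse of E, and the 8-bit box built from them is a permutation.

```python
# Mini-boxes as tabulated on the page (4-bit values, index u = 0x0 .. 0xF).
E = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3, 0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]
E_INV_PAGE = [0xF, 0x0, 0xD, 0x7, 0xB, 0xE, 0x5, 0xA, 0x9, 0x2, 0xC, 0x1, 0x3, 0x4, 0x8, 0x6]
R = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]


def invert(box):
    """Inverse of a 4-bit permutation; lets E^-1 be recomputed and compared with the page's table."""
    inv = [0] * 16
    for u, v in enumerate(box):
        inv[v] = u
    return inv


E_INV = invert(E)


def w_sbox(u):
    """Whirlpool S-box entry for the byte u, built from the mini-boxes.

    Layer 1: high nibble through E, low nibble through E^-1.
    Layer 2: the XOR of both halves goes through R and is XORed back into each half.
    Layer 3: E and E^-1 again on the mixed halves.
    """
    hi, lo = E[u >> 4], E_INV[u & 0xF]
    r = R[hi ^ lo]
    hi, lo = E[hi ^ r], E_INV[lo ^ r]
    return (hi << 4) | lo


S_BOX = [w_sbox(u) for u in range(256)]


def is_permutation(table):
    """An S-box must be a bijection on bytes, otherwise the round function has no inverse."""
    return sorted(table) == list(range(256))


def sbox_row(row):
    """The 16 entries S(row*16 .. row*16 + 15), handy for comparing with a printed table."""
    return S_BOX[row * 16:(row + 1) * 16]
```

The recursive structure is what lets a 256-entry box be specified by three 16-entry tables and still be audited: each mini-box can be checked by hand, and the composition is a few lines rather than a page of hexadecimal.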

Assume we take as the hash result the value of any n-bit substring of the full Whirlpool output. The design of Whirlpool sets the following security goals:

• The expected workload of generating a collision is of the order of $2^{n/2}$ executions of Whirlpool.

• Given an n-bit value, the expected workload of finding a message that hashes to that value is of the order of $2^n$ executions of Whirlpool.

• Given a message and its n-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of $2^n$ executions of Whirlpool.

• It is infeasible to detect systematic correlations between any linear combination of input bits and any linear combination of bits of the hash result, or to predict which bits of the hash result will change value when certain input bits are flipped (this means resistance against linear and differential attacks).

These claims result from the considerable safety margin taken with respect to all known attacks. The authors also claim that Whirlpool does not contain any deliberately introduced trapdoors.

Message Authentication Code (MAC)

For situations in communication where there is no requirement to preserve the secrecy of the transmitted data, but their integrity and authenticity are important, the Message Authentication Code provides a means to fulfill these goals.

Roughly said, a MAC is a cryptographic hash function with a key. Besides the original message, the message digest also depends on a secret key known only to the communicating parties. The MAC is transmitted alongside the message. To create a correct MAC, knowledge of the key is required.

Most common are constructions of MACs from symmetric block ciphers and from cryptographic hash functions. MACs based on symmetric block ciphers are usually slower.

Elementary constructions from cryptographic hash functions, where the key is simply concatenated with the message and the digest is computed from the modified message, have security weaknesses. If the hash function used is iterated and the key is prepended before the message m, then it is possible to compute the MAC also for an arbitrary message that begins with m without knowledge of the key (or even of m itself), as the subsequent iterations do not depend on the key. If the hash function used is iterated and the key is appended after the message, then the MACs of messages that collide under the hash function are equal.

[Figure: structure of the W S-box: a layer of E and E^-1 mini-boxes, the R mini-box, and a second layer of E and E^-1 mini-boxes]

The following is a list of some contemporary methods for obtaining a MAC:

• CBC-MAC

• HMAC

• UMAC

• Data Authentication Code

• Poly1305-AES

CBC-MAC

[Figure: CBC-MAC chain: IV and $m_1$ into $E_k$ giving $H_1$, then $m_2$ giving $H_2$, $m_3$ giving $H_3$, ...]

CBC-MAC is a construction of a MAC from a block cipher. The idea is to use the CBC mode of the block cipher, where the last block of ciphertext becomes the resulting MAC. To enhance the security of the scheme, this block is then post-processed.

Let $m = m_1 m_2 \ldots m_t$ be a message divided into blocks whose length corresponds to the block length of the cipher used. Computation of the MAC M proceeds as follows:

1. $H_0 = IV$, where IV is an initialization vector

2. $H_i = E_k(H_{i-1} \oplus m_i)$, $i = 1, \ldots, t$

3. $M = E_k(D_{k'}(H_t))$

The construction uses two symmetric keys, k and k'. The last block of the message is processed using triple encryption in EDE mode. It is necessary to have $k \ne k'$; in practice k' can be derived from k, e.g. $k' = E_k(k)$, $k' = \bar{k}$ (the bitwise negation of k), etc. If the keys are equal, the last step of the algorithm cancels out ($E_k(D_k(H_t)) = H_t$) and the scheme can be compromised.
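The three steps above as runnable Python, an added example that is not code from the book. The standard library has no block cipher, so a small Feistel cipher built from a keyed hash stands in for $E_k$/$D_k$; it is a constructed stand-in for illustration, not a cipher to deploy. The CBC chain, the EDE post-processing $M = E_k(D_{k'}(H_t))$, the derivation $k' = E_k(k)$ and the check that with $k = k'$ the final step really reduces to the bare last CBC block all follow the text.

```python
import hashlib

BLOCK = 16   # block and key length in bytes of the constructed cipher below


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, round_index, half):
    # Constructed round function: a keyed hash of one half, truncated to half a block.
    return hashlib.sha256(key + bytes([round_index]) + half).digest()[:BLOCK // 2]


def toy_encrypt(key, block):
    """Constructed 8-round Feistel cipher standing in for a real block cipher (E_k)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(8):
        left, right = right, _xor(left, _round_function(key, i, right))
    return right + left


def toy_decrypt(key, block):
    """Inverse of toy_encrypt (D_k): the same rounds in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(8)):
        left, right = right, _xor(left, _round_function(key, i, right))
    return right + left


def cbc_chain(key, message, iv=bytes(BLOCK)):
    """H_t: the last CBC ciphertext block, with H_i = E_k(H_{i-1} xor m_i) and H_0 = IV."""
    if len(message) % BLOCK:
        raise ValueError("message must already be divided into full blocks")
    h = iv
    for offset in range(0, len(message), BLOCK):
        h = toy_encrypt(key, _xor(h, message[offset:offset + BLOCK]))
    return h


def cbc_mac(key, key2, message, iv=bytes(BLOCK)):
    """M = E_k(D_k'(H_t)): the EDE post-processing of the last block."""
    return toy_encrypt(key, toy_decrypt(key2, cbc_chain(key, message, iv)))


def derive_second_key(key):
    """k' = E_k(k), one of the derivations the text mentions (key length equals the block length here)."""
    return toy_encrypt(key, key)


def last_step_is_noop(key, message):
    """With k = k' the EDE step cancels and the MAC is just H_t, the case the text warns about."""
    return cbc_mac(key, key, message) == cbc_chain(key, message)
```

The message is assumed to be a whole number of blocks, as in the text; a real deployment also needs a padding rule and, for variable-length messages, a length prefix or a derived-key variant (CMAC), because plain CBC-MAC is only secure for fixed-length messages.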

HMAC

HMAC is the best known and most widely used construction of a MAC from a cryptographic hash function. Its main advantage lies in the fact that if the hash function used satisfies certain assumptions, the resulting construction is provably secure.

Computation of HMAC is given by the following formula:

$$HMAC_k(x) = H\big((k \oplus opad) \,\|\, H((k \oplus ipad) \,\|\, x)\big),$$

where k is the key, x is the message, opad and ipad are strings of sufficient length and $\|$ denotes concatenation. Despite the double use of the cryptographic hash function, the computation of HMAC has essentially the same complexity as the computation of a message digest, because the outer use of H computes a digest of a short string.

The HMAC construction is an Internet standard, RFC 2104, and is implemented and employed in various standards such as IPSec, SSL and TLS. In this standard, the values of opad and ipad for the MD5 and SHA-1 algorithms are chosen as the byte 0x5C and the byte 0x36, respectively, each repeated 64 times.
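The formula above as an added Python example (not code from the book), written against the RFC 2104 rules the text summarizes: the key is hashed if longer than a block, zero-padded to the block size, XORed with the repeated 0x36 (ipad) and 0x5C (opad) bytes, and the outer hash covers only one short block. The result is compared with Python's hmac module, and verify_tag shows the receiver side with a constant-time comparison.

```python
import hashlib
import hmac

IPAD_BYTE, OPAD_BYTE = 0x36, 0x5C   # as fixed in RFC 2104


def hmac_from_scratch(key, message, hash_name="sha256"):
    """HMAC_k(x) = H((k xor opad) || H((k xor ipad) || x)), following RFC 2104."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:                        # keys longer than a block are hashed first
        key = h(key)
    key = key.ljust(block_size, b"\x00")             # then zero-padded to the block size
    k_ipad = bytes(b ^ IPAD_BYTE for b in key)
    k_opad = bytes(b ^ OPAD_BYTE for b in key)
    inner = h(k_ipad + message)                      # the digest over the (long) message
    return h(k_opad + inner)                         # the outer hash covers one short block


def verify_tag(key, message, tag, hash_name="sha256"):
    """Receiver side: recompute and compare in constant time, so a byte-by-byte
    mismatch does not leak through timing."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


def matches_stdlib(key, message, hash_name="sha256"):
    """Cross-check against the standard library's HMAC for the same inputs."""
    return hmac_from_scratch(key, message, hash_name) == hmac.new(key, message, hash_name).digest()
```

The assertions use the published test vectors: the first two are from RFC 2104 (HMAC-MD5), the third from RFC 4231 (HMAC-SHA-256); a 100-byte key exercises the hash-the-key branch, which is the part most often omitted in home-grown implementations.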

Preserving confidentiality with MAC

An interesting use of MACs to preserve confidentiality was introduced by Ronald Rivest in 1998. Encryption need not be the only way to preserve confidentiality. Valid information can be hidden amongst plenty of misleading messages, where a valid MAC is computed only for the “real” information; in the other case, random data are used in place of the MAC.

 Example

Alice and Bob communicate and share a common secret key k for the MAC. The message sent in step i is denoted $m_i$ and the MAC of a message x is denoted $H_k(x)$. The original message transfer, divided into five packets, could be arranged for example like this:

1. A → B: (1, “Hi Bob,”, $H_k(1 \| m_1)$)

2. A → B: (2, “we will meet”, $H_k(2 \| m_2)$)

3. A → B: (3, “tomorrow at 5 p.m.”, $H_k(3 \| m_3)$)

4. A → B: (4, “at the main square,”, $H_k(4 \| m_4)$)

5. A → B: (5, “Alice”, $H_k(5 \| m_5)$)

Packets are numbered and the MAC is part of each packet. Adding “misleading” packets with the same packet numbers but random numbers instead of the MAC, the communication could look for example like this:

1. A → B: (1, “Hi Bob,”, $H_k(1 \| m_1)$)

1'. A → B: (1, “Hi Mallory,”, ...)

2'. A → B: (2, “concert starts”, ...)

2. A → B: (2, “we will meet”, $H_k(2 \| m_2)$)

3. A → B: (3, “tomorrow at 5 p.m.”, $H_k(3 \| m_3)$)

3'. A → B: (3, “today afternoon”, ...)

4. A → B: (4, “at the main square,”, $H_k(4 \| m_4)$)

4'. A → B: (4, “at the railway station”, ...)

5. A → B: (5, “Alice”, $H_k(5 \| m_5)$)

5'. A → B: (5, “Oscar”, ...)

Bob is easily able to identify the correct information thanks to his knowledge of the key k, whereas Eve does not know k, which leaves her with many combinations of the given information, each meaningful, without any clue which ones are right. In this example, 32 more or less meaningful messages can be constructed from the packets.
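The exchange above as an added Python example (not code from the book), with the five real packets and the five chaff packets from the text. The shared key is a constructed sample value, the MAC is HMAC-SHA-256 over the sequence number and the packet text (the $H_k(i \| m_i)$ of the text), chaff packets carry random bytes where the MAC would be, and winnow is Bob's side: keep whatever verifies, in sequence order. readings_without_key counts the 2^5 = 32 readings an observer without k is left with.

```python
import hashlib
import hmac
import os

KEY = b"constructed shared key for Alice and Bob"   # constructed sample secret

# The five real packets from the page and the chaff Alice mixes in.
REAL = ["Hi Bob,", "we will meet", "tomorrow at 5 p.m.", "at the main square,", "Alice"]
CHAFF = ["Hi Mallory,", "concert starts", "today afternoon", "at the railway station", "Oscar"]


def tag(key, seq, text):
    """H_k(i || m_i): the MAC binds the sequence number to the packet text."""
    return hmac.new(key, str(seq).encode() + b"||" + text.encode(), hashlib.sha256).digest()


def build_stream(key, real, chaff):
    """Alice's transmission: each real packet is accompanied by a chaff packet with the
    same sequence number but random bytes in place of the MAC."""
    packets = []
    for seq, (text, decoy) in enumerate(zip(real, chaff), start=1):
        packets.append((seq, text, tag(key, seq, text)))
        packets.append((seq, decoy, os.urandom(32)))
    return packets


def winnow(key, packets):
    """Bob's side: keep only the packets whose MAC verifies, ordered by sequence number."""
    accepted = {}
    for seq, text, mac in packets:
        if hmac.compare_digest(mac, tag(key, seq, text)):
            accepted[seq] = text
    return [accepted[s] for s in sorted(accepted)]


def readings_without_key(packets):
    """Without k every numbered slot offers two candidates, so 2^slots readings look plausible."""
    return 2 ** len({seq for seq, _, _ in packets})
```

Two details matter for the scheme to hold: the sequence number must be inside the MAC (otherwise a verified packet could be moved to another slot), and the random bytes in the chaff must be indistinguishable from real tags, which is why a full-length random string is used rather than, say, zeros.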


Digital signatures

Electronic signatures

Historically, digital signatures evolved from what is now known as the electronic signature. A century ago, people used Morse code over the telegraph to accept contracts electronically. In the 1980s, fax machines began to spread around the globe and companies started to use them to transfer high-priority paper documents. These papers often carried a real physical signature, but only images of it were electronically transferred to the recipient. Contemporary electronic signatures can be found in e-mail agreements, personal identification numbers (PINs) in ATM machines, signing on a digital pen pad at the checkout counter or POS, accepting the user agreement through clickwrap when installing software, signing electronic documents online, etc.

An electronic signature can be defined as an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record (US Electronic Signatures in Global and National Commerce Act, 2000). In common law, the term also denotes several mechanisms for identification of the originator of an electronic message, such as cable and Telex addresses and fax transmission of handwritten signatures on a paper document.

Digital signatures are a subset of electronic signatures, usually meaning those electronic signatures that employ cryptography. Sometimes the term widens its scope to encompass a broader range of means, such as message authentication codes, file integrity hashes and digital pen pad devices.

A public-key digital signature is an encryption scheme for the authentication of users that sign digital information, through the binding of public keys to users using asymmetric cryptography. Generally, two methods are provided, one for signing and the other for verification. The output of the signing process is called a digital signature.

A digital signature tries to mimic a real-world signature, while taking into account specific properties of the electronic world, such as the ease of copying information. Therefore, a digital signature does not only depend on the identity of the signer (private key), but also on the document that is being signed (document digest). Otherwise, it would be extremely easy to attach an arbitrary signature to any document.

Reasons to use digital signatures

The following properties should be provided and assured by the use of digital signatures:

 Authenticity

After successful verification, the verifier should be assured that the document was signed by the provider of the digital signature. Of course, absolute assurance is not feasible, as the cryptosystem could be broken, but nevertheless the verifier should at least be confident.

 Integrity

Both the sender and the receiver of a signed document shall be confident that the message has not been modified during transmission. Unfortunately, even if encryption makes it impossible for a third party to read a message, it does not necessarily mean that it also prevents the third party from making useful modifications to the original message. For example, the homomorphism attack can be used against schemes not using cryptographic hash functions to alter the message while preserving a correct digital signature.


 Non-repudiation

The signing user shall not be able to repudiate (deny the association with) the message. The recipient of a message may insist that the sender attach a signature in order to prevent any later repudiation. The recipient may show the message to a third party to prove its origin. Compromise of the private key brings the threat of repudiation of all digitally signed documents.

Public key digital signatures

Public key digital signature schemes rely on asymmetric cryptography, using the private key for signing and the public key for verification.

A general public key digital signature scheme consists of three parts (algorithms):

• Key generation algorithm (similar to an asymmetric cryptosystem)

• Signing algorithm (private key encryption)

• Verification algorithm (public key decryption)

 How it works

Alice wants to send Bob a message and be able to prove that it came from her. Alice sends the message to Bob and attaches a digital signature. This digital signature is generated by applying the private key owned by Alice to the hash digest of the transmitted document. The signature is then transmitted in the form of a string of characters (binary data). On reception, Bob can check whether the message is from Alice by running the verification on the message and its signature. The verification algorithm uses Alice's public key to recover the hash digest from the signature. By computing the hash digest of the received message and comparing its value to the digest recovered from the digital signature, he can decide whether Alice is the originator of the message. If those values match, Bob can be confident that Alice originated the message. Conversely, if the two values do not match, either the signature was generated with a different private key or the document was changed during transmission.

[Figure: signing and verification. Signing: compute the hash digest of the document, encrypt the digest with the private key of the sender and attach it to obtain the digitally signed document. Verification: compute the hash digest of the received document, decrypt the signature with the public key of the sender, and compare the two digests (=?).]

Relation to common law

A legal issue that often arises in the legislative process of e-commerce promotion is the validity of electronic contracts and other electronic documents. The following section takes a mild look into some legal aspects of digital signatures relating to their use as a validation mechanism.

Validity of an agreement and status of its binding

The question is whether an agreement is valid and binding if it is made by e-mail or at a web site. Legislation in many countries often relies upon the prerequisite that each contract must be “in writing” or must be “signed”. Another problem arises with the implementation of e-government: records or forms required to be filed with the government must be signed or filed “in writing”. How to define these legal terms in regard to the Internet is approached in different ways.

To a limited extent, these issues can be resolved relatively simply by a minimalistic law providing

that "a signature, contract or other record may not be denied legal effect, validity or enforceability

solely because it is in electronic form."

The United Nations Commission on International Trade Law (UNCITRAL) adopted a minimalistic model law on electronic commerce in 1996.

Legislation based on the UNCITRAL model has been adopted in several countries including the USA (US Electronic Signatures in Global and National Commerce Act ["E-SIGN"], Public Law 106-229 [2000]), Australia, France, Hong Kong, Ireland etc.

The European Union has taken a different approach in its Electronic Signatures Directive (1999). The directive relates to a core area of contract law, the one concerned with form requirements (the need for a written record and the requirement of a signature). The directive provides the grounds to assess whether an electronic record that matches the capabilities of a hand-written signature complies with the signature requirement. It was further complemented by the Electronic Commerce Directive, which provided the grounds to assess whether the electronic format complies with the writing requirement.

There may be, however, a need for exceptions to the general acceptability of electronic documents in cases of particularly momentous matters, such as wills, divorces or child adoption. Also, the use of electronic means must be voluntary and mutually acceptable to the parties. For example, by posting required information only online, businesses could avoid consumer protection responsibilities, and this is not a desired situation.

The minimalist approach does not resolve some very important questions, such as authentication, integrity and non-repudiation.

These issues can be solved using modern cryptographic methods. In practice, these techniques require the existence of trusted parties (certification authorities) that can be trusted and that certify the other, lesser entities using encryption.

A very difficult question is who should be the certifying authority: is the government trustworthy enough to play that role? Is it better to leave it to the marketplace with the hope that trustworthy private certificate authorities develop? Should the government license certificate authorities? Should private industry accredit such authorities, pursuant to standards developed by private industry?

In recent years, it became clear that the government cannot initiate the creation of a certificate authority system at will: the problems are primarily technological and related to markets rather than to law.


Digital signature schemes

Elgamal scheme

This scheme is based upon the Elgamal asymmetric cryptosystem. The process is divided into two parts, initialization and signing, similarly to the original asymmetric cryptosystem.

Initialization

A large prime number p and $g \in \mathbb{Z}_p^*$ are chosen, where g can, but does not need to, be a generator of the group $(\mathbb{Z}_p^*, \cdot)$. The values of p and g can be shared amongst multiple users. Further, a random value $x \in_R \{2, 3, \ldots, p-2\}$ is chosen and $y = g^x \bmod p$ is computed. The public key (y, p, g) then serves for the verification of a signature. The private key is the value x and is used in the signing process.

Signing

Let m be the document to be signed and H a cryptographic hash function with output in $\mathbb{Z}_p^*$. Then the signing process advances in the following steps:

1. Choose a random $k \in_R \{1, 2, \ldots, p-2\}$ such that $\gcd(k, p-1) = 1$.

2. Compute $r = g^k \bmod p$.

3. Compute s such that the following equation holds:

$$H(m) = (x r + k s) \bmod (p-1)$$

4. The digital signature of the message m is the pair $\langle r, s \rangle$.

The value of s can be obtained during signing from the expression:

$$s = (H(m) - x r)\, k^{-1} \bmod (p-1)$$

This equation shows why it is necessary to choose k in the first step such that it is coprime with p - 1: in that case the inverse of k modulo p - 1 exists.

Verification

Anybody with knowledge of the public key (y, p, g) and the message m can verify the correctness of the digital signature $\langle r, s \rangle$. The signature is correct if and only if:

$$y^r \cdot r^s \equiv g^{H(m)} \pmod p \quad \land \quad 1 \le r < p$$

Correctness follows from the following expression (the last congruence is a consequence of Fermat's little theorem):

$$y^r \cdot r^s \equiv g^{xr} \cdot g^{ks} \equiv g^{xr + ks} \equiv g^{H(m)} \pmod p$$
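The Elgamal initialization, signing and verification steps above as an added Python example (not code from the book). The prime p is the Mersenne prime $2^{61} - 1$, a constructed toy parameter chosen because its primality is well known, not a size to use in practice; g = 3 is an arbitrary element of $\mathbb{Z}_p^*$ (the text notes g need not be a generator, and the correctness argument does not require it); H is SHA-256 reduced modulo p, an assumption standing in for "a hash function with output in $\mathbb{Z}_p^*$". The signer loops until k is coprime with p - 1, which is exactly the condition the text derives from the need for $k^{-1} \bmod (p-1)$, and the verifier checks the range $1 \le r < p$ before the congruence.

```python
import hashlib
import math
import random

# Constructed toy parameters: 2^61 - 1 is prime but far too small for real use.
P = (1 << 61) - 1
G = 3            # any element of Z_p^*; it need not generate the whole group
RNG = random.SystemRandom()


def H(m):
    """Hash with output in Z_p: SHA-256 of the document, reduced modulo p (assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % P


def keygen():
    """Private key x in {2, ..., p-2}; y = g^x mod p is the public part of (y, p, g)."""
    x = RNG.randrange(2, P - 1)
    return pow(G, x, P), x


def sign(m, x):
    """Return <r, s> with r = g^k mod p and s = (H(m) - x r) k^-1 mod (p - 1)."""
    while True:
        k = RNG.randrange(1, P - 1)
        if math.gcd(k, P - 1) == 1:          # k must be invertible modulo p - 1
            break
    r = pow(G, k, P)
    s = ((H(m) - x * r) * pow(k, -1, P - 1)) % (P - 1)
    return r, s


def verify(m, signature, y):
    """Accept iff y^r * r^s == g^H(m) (mod p) and 1 <= r < p."""
    r, s = signature
    if not 1 <= r < P:
        return False
    return (pow(y, r, P) * pow(r, s, P)) % P == pow(G, H(m), P)
```

The range check on r is not decoration: without it the verifier would accept values of r outside $\mathbb{Z}_p^*$ that satisfy the congruence trivially, which is why the text states both conditions. The modular inverse uses pow(k, -1, P - 1), available from Python 3.8.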

Digital Signature Standard (DSS)

The Digital Signature Standard comprises the RSA scheme, the Digital Signature Algorithm (DSA) and ECDSA (DSA operating on elliptic curves). It was originally introduced by NIST in 1991 and adopted in 1993 as FIPS 186, further developed in 1996 as FIPS 186-1 and in 2000 as FIPS 186-2.


RSA scheme

This scheme closely follows asymmetric cipher RSA. As a signing algorithm, the decryption

function of RSA is used, whereas for verification, the RSA encryption function is used. Similarly

to the RSA, user has at first initialize the instance, obtaining a private key d and public key tuple of 

 public exponent e and the value of n. Having the original document m and a cryptographic hash

function H with output in ℤn , user can proceed with the document signing and verifying:

Signing: s= H md mod n

Verification: Signature of the document m is correct if and only if   H m= semod n .

Correctness

Correctness implies from the fact, that encrypting and decrypting functions are mutually inverse in

the RSA cryptosystem:

 semod n= H med 

mod n= H m

Security weaknesses

Small message digest space

Traditionally, the bit length of a module n in RSA (e.g. 1024-bit) is often larger than the bit length

of a hash digest (e.g. 256 bits). This could lead to weakness related to the fact that space of potential

texts for RSA is vastly reduced. To avoid potential security problems, before signing

transformation, the value of  H (m) should be padded – filled with random bits up to the size of 

module n. During verification, these aditional bits are ignored.

 RSA homomorphism attack 

The RSA scheme can be compromised if no hash function is used. Direct use of the decryption transformation (for signing) and the encryption transformation (for verification) allows the construction of a third correctly signed document from two other correctly signed documents. This is possible due to the homomorphic (multiplicative) structure of RSA:

$(m_1^d \cdot m_2^d) \bmod n = (m_1 m_2)^d \bmod n$

If $\langle m_1, m_1^d \bmod n \rangle$ and $\langle m_2, m_2^d \bmod n \rangle$ are pairs of documents along with their digital signatures, then a new correctly signed document can be constructed without any knowledge of the private key:

$\langle m_1 m_2 \bmod n,\ m_1^d m_2^d \bmod n \rangle$

Of course, the new document will most probably be meaningless.

Use of a hash function typically solves this problem, as $H$ usually does not have the multiplicative homomorphic property, i.e. in general $H(m_1 m_2) \neq H(m_1) H(m_2)$.

Random message forgery

Another type of attack is based on the idea that the attacker chooses a random signature $s \in \mathbb{Z}_n$ and computes $m = s^e \bmod n$. If RSA does not use a cryptographic hash function, then $s$ is a correct signature of the document $m$. Otherwise the attack is not possible, due to the one-way property of cryptographic hash functions.

Digital Signature Algorithm (DSA)

DSA is an Elgamal-type algorithm. The standard specifies the use of SHA-1 as the hash function $H$.


Initialization

At the beginning, the parameters $p$, $q$ and $g$ are chosen. They can be shared among multiple users.

$p$ – a randomly chosen 1024-bit prime number.

$q$ – a 160-bit prime number such that $q \mid p-1$.

$g$ – computed as $g = h^{(p-1)/q} \bmod p$, where $h \in_R \{2, 3, \ldots, p-2\}$ and $h^{(p-1)/q} \bmod p \neq 1$.

At first the value of $q$ is chosen and then an appropriate value of $p$ is sought. The choice of $g$ guarantees that $g$ has order $q$ in the group $(\mathbb{Z}_p^*, \cdot)$. By Fermat's little theorem $g^q = h^{\frac{p-1}{q} \cdot q} = h^{p-1} = 1$, therefore the order of $g$ satisfies $\mathrm{ord}(g) \le q$. If $g^k = 1$, then also $g^{2k} = 1$, $g^{3k} = 1$, etc. This implies that $\mathrm{ord}(g) \mid q$. Because $g > 1$ and $q$ is a prime number, $\mathrm{ord}(g) = q$. Therefore $g$ is a generator of a group of order $q$.

The user chooses a private key $x \in_R \mathbb{Z}_q^*$ and computes the value $y = g^x \bmod p$. The public key is then the quadruple $(y, p, q, g)$.

Signing

The signing process proceeds in the following steps:

1. Choose a random $k \in_R \{1, 2, \ldots, q-1\}$

2. Compute $r = (g^k \bmod p) \bmod q$

3. Compute $s = k^{-1}(H(m) + xr) \bmod q$

4. The digital signature of the message $m$ is the pair $\langle r, s \rangle$.

If $r = 0$ or $s = 0$ is obtained during the signing process, a new $k$ shall be generated.

Verification

Assume that the signed document is $m$, its digital signature is $\langle r, s \rangle$ and $(y, p, q, g)$ is the public key of the signing user. The signature can then be verified.

At first it is necessary to check whether both $r$ and $s$ belong to $\mathbb{Z}_q^*$. Then the following parameters are computed:

$u = H(m) \cdot s^{-1} \bmod q \qquad v = r \cdot s^{-1} \bmod q$

The digital signature is correct if and only if $(g^u \cdot y^v \bmod p) \bmod q = r$.

Correctness

If $\langle r, s \rangle$ is a digital signature of the document $m$, the following holds:

$(g^u \cdot y^v \bmod p) \bmod q = (g^{H(m) s^{-1}} \cdot g^{xrs^{-1}} \bmod p) \bmod q = (g^{s^{-1}(H(m) + xr)} \bmod p) \bmod q = (g^k \bmod p) \bmod q = r$

Example

Initialization

Let's choose $q = 7$; then a suitable $p$ would be 43, as $q \mid (p-1)$, i.e. $7 \mid 42$. Also let's choose a random $h < p-1$, $h = 5$. Then $g = h^{(p-1)/q} = 5^6 = 15625$. The private key $x$ is chosen by the signing user, e.g. $x = 4$. Afterwards, $y = g^x \bmod p = 15625^4 \bmod 43 = 16^4 \bmod 43 = 4$. The public key is then the quadruple $(4, 43, 7, 15625)$.

Signing 

Assume that the cryptographic hash digest of a document $m$ is $H(m) = 735$. At first a random $k < q$ is chosen, e.g. $k = 2$. Then $r = (g^k \bmod p) \bmod q = (15625^2 \bmod 43) \bmod 7 = (16^2 \bmod 43) \bmod 7 = (256 \bmod 43) \bmod 7 = 41 \bmod 7 = 6$ and $s = k^{-1}(H(m) + xr) \bmod q = 2^{-1}(735 + 4 \cdot 6) \bmod 7 = 4 \cdot 759 \bmod 7 = 3036 \bmod 7 = 5$. Therefore the signature of the document $m$ is the tuple $\langle r, s \rangle = \langle 6, 5 \rangle$.

Verification

At first, computing the parameters $u$ and $v$ yields the following values:

$u = H(m) \cdot s^{-1} \bmod q = 735 \cdot 3 \bmod 7 = 0$

$v = r \cdot s^{-1} \bmod q = 6 \cdot 3 \bmod 7 = 4$

Then the verification can proceed:

$(g^u \cdot y^v \bmod p) \bmod q = (15625^0 \cdot 4^4 \bmod 43) \bmod 7 = (256 \bmod 43) \bmod 7 = 41 \bmod 7 = 6 = r$.
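The worked example above carried out in code, as an added example that is not the book's own code: parameter check, signing and verification with the page's values $p = 43$, $q = 7$, $h = 5$, $x = 4$, $H(m) = 735$, $k = 2$. Here $g$ is reduced modulo $p$ ($5^6 \bmod 43 = 16$, congruent to the book's 15625), and the function names (`make_g`, `public_key`, `sign`, `sign_random_k`, `verify`) and the random-$k$ signer with its retry on $r = 0$ or $s = 0$ are additions of this example.

```python
"""Toy DSA with the book's example parameters (p = 43, q = 7, h = 5, x = 4, k = 2).

Added example, not the book's code. Tiny parameters illustrate the arithmetic only;
real DSA uses the parameter sizes from the text (or larger) and a SHA hash.
"""
import secrets


def make_g(p: int, q: int, h: int) -> int:
    """g = h^((p-1)/q) mod p; rejects an h that yields g = 1, so g has order q."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h^((p-1)/q) = 1, choose another h")
    return g


def public_key(p: int, q: int, g: int, x: int) -> int:
    """y = g^x mod p for a private key x in Z_q^*."""
    if not 0 < x < q:
        raise ValueError("private key must lie in Z_q^*")
    return pow(g, x, p)


def sign(p: int, q: int, g: int, x: int, hm: int, k: int):
    """Signing steps 1-4 for a given k; returns None if r = 0 or s = 0 (pick a new k)."""
    if not 0 < k < q:
        raise ValueError("k must lie in {1, ..., q-1}")
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hm + x * r)) % q
    if r == 0 or s == 0:
        return None
    return r, s


def sign_random_k(p: int, q: int, g: int, x: int, hm: int):
    """Signing as a signer would do it: fresh random k per signature, retry on zero."""
    while True:
        sig = sign(p, q, g, x, hm, 1 + secrets.randbelow(q - 1))
        if sig is not None:
            return sig


def verify(p: int, q: int, g: int, y: int, hm: int, sig) -> bool:
    """Range-check r and s first, then test (g^u * y^v mod p) mod q == r."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):          # r and s must be in Z_q^*
        return False
    w = pow(s, -1, q)
    u = (hm * w) % q
    v = (r * w) % q
    return (pow(g, u, p) * pow(y, v, p)) % p % q == r


if __name__ == "__main__":
    p, q, h, x, hm, k = 43, 7, 5, 4, 735, 2
    g = make_g(p, q, h)                        # 16, the book's 15625 reduced mod 43
    y = public_key(p, q, g, x)                 # 4
    sig = sign(p, q, g, x, hm, k)              # (6, 5)
    print("signature:", sig, "valid:", verify(p, q, g, y, hm, sig))
```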

Blind signatures

A blind signature disguises (blinds) the content of a message before signing. The resulting signature can be publicly verified against the original, unblinded message, similarly to the verification of a digital signature. Blind signatures are employed in privacy-related protocols where the signer and the message author are different parties, such as electronic election systems, digital cash schemes, electronic notary, etc.

A real-world analogy to a blind signature is the physical act of enclosing a message in an envelope that is then sealed and signed by a signing agent. Thus the signer does not view the message content, but a third party can later verify the signature and know that it is valid.

Blind signatures can also be used to provide unlinkability, which prevents the signer from linking

the blinded message it signs to a later un-blinded version that it may be called upon to verify. In this

case, the signer's response is first "un-blinded" prior to verification in such a way that the signature

remains valid for the un-blinded message. This can be useful in anonymous schemes.

RSA blind signature scheme

Let $S$ be the signing party, $(e, n)$ its public key and $d$ its private key. Let $A$ denote the party wishing to obtain the signature of a document $m$. The signing process can be described in the following steps:

1. $A \to S$: $r = H(m) \cdot x^e \bmod n$, $x \in_R \mathbb{Z}_n^*$

2. $S \to A$: $s = r^d \bmod n$; $S$ signs the message and sends $A$ the signature

3. $A$ computes the digital signature of $m$ from the signature received from $S$:

$s \cdot x^{-1} \bmod n = (r^d \bmod n) \cdot x^{-1} \bmod n = H(m)^d \cdot x^{ed} \cdot x^{-1} \bmod n = H(m)^d \bmod n$

Because $x$ is chosen randomly by $A$ in the first step, $S$ is unable to learn the document that $A$ actually wants to sign.
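The RSA signature scheme and the blind signature protocol above, as an added example that is not the book's code: a constructed toy key pair ($n = 61 \cdot 53 = 3233$, $e = 17$, $d = 2753$) stands in for a real one, and SHA-256 reduced modulo $n$ is assumed as the hash $H$ with output in $\mathbb{Z}_n$; the function names are this example's own.

```python
"""RSA signatures over H(m) and the RSA blind signature protocol from the text.

Added example, not the book's code. The key pair is a constructed toy one
(n = 61 * 53 = 3233, e = 17, d = 2753); SHA-256 reduced modulo n stands in for
"H with output in Z_n". Toy sizes show the arithmetic and give no security.
"""
import hashlib
import math
import secrets

N, E, D = 3233, 17, 2753      # constructed toy key: e * d = 1 (mod phi(n)), phi(n) = 60 * 52


def H(m: bytes, n: int = N) -> int:
    """Hash into Z_n: SHA-256 digest read as an integer, reduced mod n (assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n


def sign(m: bytes, d: int = D, n: int = N) -> int:
    """Signing is the RSA 'decryption' of the digest: s = H(m)^d mod n."""
    return pow(H(m, n), d, n)


def verify(m: bytes, s: int, e: int = E, n: int = N) -> bool:
    """Verification is the RSA 'encryption' of the signature: H(m) == s^e mod n."""
    if not 0 <= s < n:
        return False
    return pow(s, e, n) == H(m, n)


# --- blind signature: A obtains S's signature on m without S learning m ---

def blind(m: bytes, e: int = E, n: int = N):
    """Step 1 (A -> S): choose x in Z_n^* and send r = H(m) * x^e mod n; A keeps x."""
    while True:
        x = 2 + secrets.randbelow(n - 2)           # candidate in {2, ..., n-1}
        if math.gcd(x, n) == 1:                    # x must be invertible mod n
            break
    return (H(m, n) * pow(x, e, n)) % n, x


def blind_sign(r: int, d: int = D, n: int = N) -> int:
    """Step 2 (S -> A): S signs the blinded value r; it never sees m or H(m)."""
    return pow(r, d, n)


def unblind(s_blind: int, x: int, n: int = N) -> int:
    """Step 3 (A): s = s_blind * x^{-1} mod n, which equals H(m)^d mod n."""
    return (s_blind * pow(x, -1, n)) % n


def blind_signature_roundtrip(m: bytes):
    """Run steps 1-3; returns (s, s verifies against m, s equals the direct signature)."""
    r, x = blind(m)
    s = unblind(blind_sign(r), x)
    return s, verify(m, s), s == sign(m)
```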


Public key infrastructure (PKI)

Public key cryptography provides a viable solution to security-related problems such as authentication, integrity, non-repudiation and confidentiality. Implementation of public key cryptography within a given framework is, however, a very difficult task. The underlying infrastructure must be well designed and planned to suit all business requirements and to pass all desired security measures.

A public key infrastructure (PKI) is a foundation on which other application, system and network security components are built. A PKI is an essential component of an overall security strategy that must work in concert with other security mechanisms, business practices and risk management efforts.

Certificates and certification authorities

PKI is essentially an arrangement that provides examination and verification of user identities by a trusted third party. It also allows binding of public keys to users, usually utilizing a centralized authority coordinated with other authorities at distributed locations. The public keys are typically held in certificates.

Certificates are employed to bind a communication party with their public key. This binding is carried out by a trusted third-party authority, the certification authority. The certificate of a user, denoted $C(U)$, is the tuple $(ID(U), y_U)$ digitally signed by the certification authority (CA). Therefore a certificate has the form

$C(U) = (ID(U),\ y_U,\ \mathrm{signature}_{CA}(ID(U), y_U))$,

where $ID(U)$ is the identification of the subject and of the certificate (such as name, address, validity of the certificate, certification authority identification, etc.) and $y_U$ is the public key of $U$. It is assumed that each communication party knows the public key of the certification authority and is capable of verifying the certificates signed by that authority.

Benefits of public key infrastructure

The increasingly significant presence of Internet and e-commerce technologies provides many opportunities, but also poses severe security and integrity issues. To enable sustained growth and thriving e-commerce, all business parties (customers, vendors, suppliers, regulatory agencies, stakeholders, etc.) must be assured that trusted business relationships are maintained.

Typical real-world face-to-face transactions do not require additional security precautions; these, however, became necessary when transactions started to be initiated electronically. For example, e-shops are typically unwilling to ship goods or perform services until a payment has been accepted by their bank. The customer shall also not be allowed to repudiate a valid contract. Both the seller and the customer should be able to verify each other's identity: the customer needs assurance that he is purchasing from a legitimate entity and not from a cracker site designed to collect credit card numbers; for the seller this typically means that the bank transaction from the customer occurred.

Therefore there must be a mechanism (infrastructure) that ensures trusted relationships are established and maintained. Various implementations of PKI can then be used to ensure that confidentiality, authentication, integrity and non-repudiation are provided.


PKI enables the basic security services for various applications:

• communication and transport security in SSL, IPsec, HTTPS

• email security in S/MIME and PGP

• value exchange in SET

• B2B in Identrus

Key benefits offered by PKI to e-commerce are:

• reduction of transaction processing expenses

• reduction and compartmentalization of risk 

• enhancements of efficiency and performance of systems and networks

• reduction of complexity of security systems with binary symmetrical methods

Additionally, many other solutions rely on the fundamentals of public key cryptography, such as symmetric key management, voting, anonymous value exchange, transit ticketing, identification (passports and driver licences), notarization (contracts, mail), software distribution, etc.

PKI is, however, not an authentication, authorization, auditing, privacy or integrity mechanism by itself; rather it is an enabling infrastructure that supports a variety of business and technical needs. PKI only allows for the identification of entities. PKI does not infer trust by itself, but depends on the establishment of a reliable trusted base. Therefore the basis of trust must be established elsewhere (on a personal, business, etc. level) before it can be accepted by the PKI.

Trust 

The issue of trust often arises when designing a PKI. The complexity of the underlying PKI depends on the amount of risk the organization is willing to endure during a transaction. If transactions of high value or with significant legal consequences occur in the organization, then a tight set of tests should be performed to authenticate the customer or entity. Conversely, if the risk during a transaction is low, a simple set of tests should suffice. In high-risk scenarios it may be intended that part of the entity authentication occurs offline. This implies that the original entity authentication problem is not solved by PKI; rather it must be addressed in each unique business environment.

This problem is magnified when an organization moves from a local to an international environment. The problem of authenticating documents issued by other governments or foreign organizations arises. How does the organization determine whether it should trust the credentials presented? What mechanisms does it use to make that determination? How did the original authority that issued the credentials determine the identity of the requestor? Is the originating authority trustworthy? These are fundamental issues a PKI must consider.

Planning a public key infrastructure

Besides the standard set of problems that arise from the confidentiality, authentication, integrity and non-repudiation requirements, the following should also be considered when creating business requirements:

• careful planning

• interoperability

• determination of a PKI system and vendor

• performance and capacity


Structure of a public key infrastructure

PKI framework

The framework consists of security and operational policies, security services and interoperability protocols supporting the use of public-key cryptography for the management of keys and certificates. The generation, distribution and management of keys are done using Certification Authorities (CA), Registration Authorities (RA) and directory services. All together they establish a chain of trust. The main purpose of a framework is to support the secured exchange of data, credentials and value (money, etc.) in various insecure environments, such as the Internet.

To provide risk management control, a hierarchy of trust must be established using PKI. In the

insecure environments, such as Internet, mutually unknown entities do not have sufficient trust to

 perform business transactions. The implementation of a PKI using a certification authority

establishes this trust hierarchy.

Mutually unknown entities individually establish a trust relationship with a CA. The CA performs authentication according to the rules noted in its Certificate Practices Statement (CPS) and then issues each individual a digital certificate. The CA then vouches for the identity of the entities. Unknown entities can then use their certificates to establish trust between them, because they trust the CA and have access to the public key of the CA, and thus can verify the certificates of other entities. This establishment of a trust hierarchy scales well in heterogeneous networks and therefore provides one of the major benefits of PKI.

Trust models

An implementation of PKI requires careful analysis of the mutual trust relationships of the participating entities. This analysis later leads to the establishment of trust, subsequently enforced by the PKI.

Hierarchical model

This is the most typical representation of PKI. Rather than having one single CA, there are multiple CAs with a limited range of functionality or extent. For example, there is one international CA that serves all international entities, then subsequent national CAs that serve entities at the national level, then regional entities, etc. The main advantage of this model is its scalability, whereas the main drawback is the higher cost of maintaining such a hierarchy. Compartmentalization of risk can be established, where the compromise of one CA does not affect all issued certificates.

Distributed (web of trust) model

A distributed web of trust does not incorporate a CA. No trusted third party actually vouches for the identity or integrity of any entity. This trust model does not scale well into the Internet-based e-commerce world, because each end entity must alone determine the acceptable level of trust for other entities. This model is used in Pretty Good Privacy (PGP).

Direct (peer-to-peer) model

Direct models are used with symmetric key-based systems. Again, there is no trusted third party. Each end entity establishes trust with each other entity directly. The main drawbacks are limited scalability into the Internet e-commerce world and the large number of required operations.

Cross-certification

Instead of using one global CA, cross-certification allows users to choose among multiple CAs according to their needs. Cross-certification is basically done so that one CA certifies another CA. A relying entity can then validate the public key certificate of an end entity whose signing CA's public key it does not know, by trusting a cross-certificate signed by its own CA.

Cross-certification therefore allows PKI deployments to be both scalable and extensible.


X.509 Public Key Infrastructure Standard

X.509 is an ITU-T (International Telecommunication Union Telecommunication Standardization Sector) standard for PKI and specifies standard formats for public key certificates and a certification path validation algorithm. X.509 was introduced in 1998 and was closely associated with the X.500 electronic directory services standard (DAP etc.). It assumed a strict hierarchical system of CAs. Later, version 3 introduced support for other topologies, such as bridges, meshes and peer-to-peer webs of trust. Nowadays the term X.509 certificate refers to the IETF's (Internet Engineering Task Force) PKIX certificate and CRL profile of the X.509 v3 certificate standard, specified in RFC 3280 and referred to as PKIX (Public Key Infrastructure X.509).

Certificates

CA issues a certificate binding a public key to a particular distinguished name in the X.500 tradition

or to an alternate name such as an e-mail address or a DNS-entry.

Trusted root certificates can be distributed to all employees so that they can use the PKI system. Browsers usually come with some root certificates preinstalled; essentially, the browser vendors determine which CAs are trusted third parties. X.509 also includes standards for certificate revocation list (CRL) implementations. The Online Certificate Status Protocol (OCSP) is approved by the IETF for checking a certificate's validity.

Structure of a certificate includes information such as version, serial number, algorithm ID, issuer,

validity (not before, not after), subject, subject public key info (algorithm, public key), issuer 

unique identifier, subject unique identifier, extensions, certificate signature algorithm and certificate

signature.

Certificates can be recognized via extensions of their filenames; commonly used extensions are .cer,

.der, .pem, .p7b, .p7c, .pfx and .p12.

If certificates use MD5 function, there is a possibility of obtaining two X.509 certificates that

contain identical signatures and differ only in the public keys, clearly demonstrated by Lenstra,

Wang and de Weger in 2005.

There are many protocols and standards that support X.509, such as TLS/SSL, S/MIME, IPsec, SSH, smartcards, HTTPS, EAP, LDAP, Trusted Computing Group TNC, TPM, NGSCB, etc.

Why does X.509 do otherwise straightforward things in such a weird way?

“[The] standards have been written by little green monsters from outer space in order to confuse

normal human beings and prepare them for the big invasion” — comp.std.internat


Cryptographic protocols

To successfully initiate a communication, the communicating parties have to execute a sequence of steps to agree upon the communication details. These steps are denoted as a cryptographic protocol, and have to serve the communication goals of the participants and satisfy their security needs. The goals of cryptographic protocols vary: they can be constructed to provide key management, authentication, electronic cash, electronic elections, etc. Protocols use and create a framework for the use of basic cryptographic primitives, such as encryption, cryptographic hash functions, digital signatures and secret sharing schemes.

The most important part of cryptographic protocols concerns key management.

Attacks on the cryptographic protocols

Basically, attacks can be divided into two groups: active and passive. Passive attacks consist only of eavesdropping, whereas active attacks give the freedom to modify the protocol run in any possible way. We assume that the attacker is a legitimate participant of the communication.

Shortly, there are three main types of attacks:

• Replay attack – reuse of older messages in the current run of the protocol by repeating them. To counter these attacks, additional cryptographic primitives such as nonces and timestamps are used.

• Man in the middle – the attacker acts as an invisible participant of the communication. To counter this threat, digital signatures, MACs or similar mechanisms shall be applied.

• Exploitation of the weaknesses of the cryptographic primitives used – this includes all security-related problems of encryption, hashing, signing, etc.

Notation

Usually, the final forms of protocols employ participants such as Alice, Bob, Dave, the trusted third party Trent, and their analysis employs attackers such as Eve, Mallory and Oscar.

[Figure: the protocol characters Alice, Bob, Dave, Eve, Trent, Oscar and Mallory]

Protocols will be described in steps; the notation "3. $A \to B : M$" means that in the third step Alice sends Bob a message $M$. On the other hand, "1. $A \to M(B) : S$" means that in the first step of the protocol Alice sends the message $S$ to Bob, but this message is intercepted by Mallory disguised as Bob. Similarly, "1. $M(B) \to A : S$" means that Mallory acting as Bob sends the message $S$ to Alice. The notation $\{M\}_{K_{AB}}$ means that the message $M$ is encrypted using a symmetric cipher with the key $K_{AB}$ shared by Alice and Bob. Conversely, $\{M\}_{K_A}$ means that the message $M$ is encrypted by an asymmetric cipher using the public key $K_A$ of Alice. Finally, $\{M\}_{K_A^{-1}}$ means that the message $M$ is digitally signed with the private key $K_A^{-1}$ of Alice.

Diffie-Hellman key-exchange protocol

This protocol was demonstrated in the asymmetric cryptography chapter, nevertheless, it is vital to

mention it also in this chapter.

Goal: To achieve an agreement between two users about their communication key (key exchange).

Protocol:

1. $A \to B : X = g^x \bmod p$, $x \in_R \mathbb{Z}_p^*$ ($x$ is chosen by Alice randomly) ($A$ sends to $B$)

2. $B \to A : Y = g^y \bmod p$, $y \in_R \mathbb{Z}_p^*$

3. $A$ computes $K = Y^x \bmod p$

4. $B$ computes $K = X^y \bmod p$

It can easily be shown that both Alice and Bob compute the same key:

$Y^x \bmod p = g^{xy} \bmod p = X^y \bmod p$

“Man in the Middle” attack 

As a reminder, the DH protocol is prone to a type of attack where an active attacker $M$ (Mallory) sits in the communication channel between Alice and Bob. The attack then proceeds as follows:

1. $A \to M(B) : X = g^x \bmod p$

2. $M(A) \to B : U = g^u \bmod p$

3. $B \to M(A) : Y = g^y \bmod p$

4. $M(B) \to A : V = g^v \bmod p$

5. $A$ computes $K_1 = V^x \bmod p$

6. $B$ computes $K_2 = U^y \bmod p$

The notation $A \to M(B)$ means that Alice sends a message to Bob, but it is intercepted by Mallory. The notation $M(A) \to B$ means that Mallory sends a message to Bob in the name of Alice.

The important fact for Mallory is that neither Alice nor Bob can reveal her presence in the protocol, and she is able to compute both keys $K_1$ and $K_2$:

$K_1 = X^v \bmod p = g^{xv} \bmod p$

$K_2 = Y^u \bmod p = g^{yu} \bmod p$

[Figure: Mallory $M$ positioned between $A$ and $B$, sharing $K_1$ with $A$ and $K_2$ with $B$]

Modified Diffie-Hellman key-exchange protocol using certification authorities

One of the possibilities to prevent a man-in-the-middle attack lies in the use of certification authorities. To recap, certificates have the following form:

$C(U) = (ID(U),\ y_U,\ \mathrm{signature}_{CA}(ID(U), y_U))$,

where $ID(U)$ is the identification of the subject and of the certificate (such as name, address, validity of the certificate, certification authority identification, etc.) and $y_U$ is the public key of $U$.

Using certificates, it is possible to modify the DH protocol to be resistant to a man-in-the-middle attack. Assume that each participant $U$ has a public key $y_U = g^{x_U} \bmod p$, $x_U \in \mathbb{Z}_p^*$. DH can then proceed by a simple exchange and verification of certificates and subsequent computation of the key $K$.

Protocol:

1. $A \to B : C_A = [ID_A, y_A, \mathrm{signature}_{CA}(ID_A, y_A)]$, $y_A = g^{x_A} \bmod p$, $x_A \in_R \mathbb{Z}_p^*$

2. $B \to A : C_B = [ID_B, y_B, \mathrm{signature}_{CA}(ID_B, y_B)]$, $y_B = g^{x_B} \bmod p$, $x_B \in_R \mathbb{Z}_p^*$

3. $A$ computes $K = y_B^{x_A} = g^{x_A x_B} \bmod p$

4. $B$ computes $K = y_A^{x_B} = g^{x_A x_B} \bmod p$

The man in the middle is not able to construct correct certificates for her "fictional" public keys that would bind them to the identity of the participants. The major drawback of this modification lies in the fact that the key $K$ is always the same for a given pair of participants (until one of their certificates changes).

Station to Station protocol

This protocol solves the problem of the modified DH protocol: participants are able to obtain a different key $K$ for each instance of the protocol.

Protocol:

1. $A \to B : X = g^x \bmod p$, $x \in_R \mathbb{Z}_p^*$

2. $B \to A : [Y,\ E_K(\mathrm{signature}_B(X, Y)),\ C_B]$, $Y = g^y \bmod p$, $y \in_R \mathbb{Z}_p^*$, $K = X^y \bmod p$

3. $A$ computes $K = Y^x \bmod p$, $A$ deciphers $\mathrm{signature}_B(X, Y)$, $A$ verifies the certificate $C(B)$, $A$ extracts the public key $y_B$ from $C(B)$ and verifies $\mathrm{signature}_B(X, Y)$. If successful, the key $K$ is safe.

4. $A \to B : [E_K(\mathrm{signature}_A(X, Y)),\ C_A]$

5. $B$ verifies $C(A)$, deciphers and verifies $\mathrm{signature}_A(X, Y)$

The man in the middle falls short, as she is not able to forge digital signatures.

Interlock protocol

Goal: Detection of a man-in-the-middle attack

To detect a man in the middle, the special Interlock protocol was developed. Assume that the participants Alice and Bob encrypt their communication using a key $K$, agreed upon using the DH protocol. This means that an attacker could deliver fictional keys $K_1$ to Alice and $K_2$ to Bob. As the attacker is not able to guarantee the equality of the keys $K_1$ and $K_2$, unless she is capable of solving the Diffie-Hellman problem, which has complexity equivalent to breaking the Elgamal cryptosystem, the Interlock protocol focuses on this characteristic. Assume that Alice and Bob have prepared messages $m_A$ and $m_B$.

Protocol:

1. $A \to B : c_{A1}$, where $c_A = E_K(m_A)$, $c_A = c_{A1} \oplus c_{A2}$ ($c_A$ is partitioned into two halves, $E_K$ is an encryption function with the key $K$)

2. $B \to A : c_{B1}$, where $c_B = E_K(m_B)$, $c_B = c_{B1} \oplus c_{B2}$

3. $A \to B : c_{A2}$

4. $B \to A : c_{B2}$; $B$ is now able to obtain $c_A$ and decipher the message $m_A$

5. $A$ is now able to obtain $c_B$ and decipher the message $m_B$

The man in the middle is forced to choose her own messages $m'_A$ or $m'_B$, as the first half is useless without the second half. Since $K_1 \neq K_2$, it is not possible to forward unchanged parts of the messages: after deciphering with a different key $K$ they turn into meaningless messages. Unfortunately, even the Interlock protocol has its weakness. The attacker needs to deceive only one participant; she can first run the whole communication with Alice using an imaginary message $m'_B$, obtaining the message $m_A$, and then repeat the whole process with Bob. The importance of the Interlock protocol lies in the fact that the attacker is forced to actively interfere with the communication, increasing the chance of her being uncovered.

The Interlock protocol can be helpful in the case of hybrid encryption over an insecure channel, when two parties first exchange their public keys, then exchange a symmetric key and use a symmetric cryptosystem for further communication. An attacker is able to intercept the asymmetric cryptosystem, exchanging the public keys for her own public key and gaining access to the communication. The Interlock protocol prevents this from happening.

Otway-Rees protocol

Goal: Distribution of the key $K_{AB}$ to the participants Alice and Bob with authentication of Alice, using the trusted third party Trent.

The communication key $K_{AB}$ is generated by the trusted third party Trent; authentication of Bob is completed after the first use of the key $K_{AB}$. Alice and Bob share the keys $K_{AT}$ and $K_{BT}$ respectively with Trent for their own communication. To ensure the freshness of transferred messages, nonces $N_A$ and $N_B$ are generated by Alice and Bob. The protocol uses a random identifier $M$ to prevent replay attacks using messages from older instances of the communication. This identifier is chosen by Alice.

Protocol:

1. $A \to B : M, A, B, \{N_A, M, A, B\}_{K_{AT}}$

2. $B \to T : M, A, B, \{N_A, M, A, B\}_{K_{AT}}, \{N_B, M, A, B\}_{K_{BT}}$

3. $T \to B : M, \{N_A, K_{AB}\}_{K_{AT}}, \{N_B, K_{AB}\}_{K_{BT}}$

4. $B \to A : M, \{N_A, K_{AB}\}_{K_{AT}}$

Assume that Trent in the second step does not verify that the identities match in both the plaintext and the ciphertext, but only in the ciphertext. Then Oscar can proceed as follows:

Replay attack:

1. $A \to B : M, A, B, \{N_A, M, A, B\}_{K_{AT}}$

2. $B \to O(T) : M, A, B, \{N_A, M, A, B\}_{K_{AT}}, \{N_B, M, A, B\}_{K_{BT}}$

$O \to T : M, A, O, \{N_A, M, A, B\}_{K_{AT}}, \{N_O, M, A, O\}_{K_{OT}}$

3. $T \to O : M, \{N_A, K_{AB}\}_{K_{AT}}, \{N_O, K_{AB}\}_{K_{OT}}$

4. $O(B) \to A : M, \{N_A, K_{AB}\}_{K_{AT}}$

After intercepting the message in the second step, the attacker sends Trent his own message, acting as a regular communication participant. The response then allows Oscar to obtain the key $K_{AB}$ along with the message he needs to send to Alice while acting as Bob.

Needham-Schroeder protocol

Goal: Mutual authentication of Alice and Bob using the trusted third party Trent, along with distribution of a key $K_{AB}$.

Assume that both Alice and Bob share communication keys with Trent, $K_{AT}$ and $K_{BT}$. The key $K_{AB}$ is provided by Trent. Alice and Bob use nonces $N_A$ and $N_B$, generated by them as sufficiently long strings of bits.

Protocol:

1. $A \to T : A, B, N_A$

2. $T \to A : \{N_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BT}}\}_{K_{AT}}$

3. $A \to B : \{K_{AB}, A\}_{K_{BT}}$

4. $B \to A : \{N_B\}_{K_{AB}}$

5. $A \to B : \{N_B - 1\}_{K_{AB}}$

The weakness of the Needham-Schroeder protocol lies in insufficient assurance of the freshness of the message sent in the third step. Assume that Mallory eavesdrops on the communication between Alice and Bob. Assume that later the key $K_{AB}$ is compromised, either revealed by Alice or Bob or obtained by cryptanalysis. Mallory is then able to force Bob to use the old key again, acting in the name of Alice by replaying a message from an old instance of the protocol.

Attack:

3'. $M(A) \to B : \{K_{AB}, A\}_{K_{BT}}$

4'. $B \to M(A) : \{N_B'\}_{K_{AB}}$

5'. $M(A) \to B : \{N_B' - 1\}_{K_{AB}}$

The problem is that from Bob's point of view, the message in the third step carries nothing that guarantees its freshness. One possible workaround can be summarized in the following steps:

Attack-resistant protocol:

1. $A \to B : A, B, N_A$

2. $B \to T : A, B, N_A, N_B$

3. $T \to A : \{N_A, B, K_{AB}, \{N_B, A, K_{AB}\}_{K_{BT}}\}_{K_{AT}}$

4. $A \to B : \{N_B, A, K_{AB}\}_{K_{BT}}$

Bob sends his nonce to Trent at the beginning of the protocol. Trent then incorporates this nonce into the message to Alice, who in turn passes $\{N_B, A, K_{AB}\}_{K_{BT}}$ to Bob, assuring him that the message is fresh.
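The attack-resistant protocol above run end to end, as an added example that is not the book's code: Bob's nonce check when he opens the step-4 ticket is what rejects a replayed old ticket. The notation $\{X\}_K$ is realised with a constructed toy authenticated encryption (SHA-256 keystream plus HMAC-SHA256 tag) and the long-term keys $K_{AT}$, $K_{BT}$ are generated at random; both are assumptions made only so the exchange runs offline.

```python
"""Needham-Schroeder (symmetric) with the freshness fix: N_B travels inside the ticket.

Added example, not the book's code. {X}_K is a constructed toy encrypt-then-MAC
(SHA-256 keystream, HMAC-SHA256 tag), NOT a real cipher; it exists only so the
protocol logic runs offline. Identities are the strings "A" (Alice) and "B" (Bob).
"""
import hashlib
import hmac
import json
import os
import secrets


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, fields: list) -> bytes:
    """{fields}_key: JSON-encode, XOR with a keystream, append an HMAC tag."""
    pt = json.dumps(fields).encode()
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt(key: bytes, blob: bytes) -> list:
    """Inverse of encrypt; raises ValueError on a bad tag (wrong key or tampering)."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))


# Constructed long-term keys shared with Trent (the book's K_AT and K_BT).
KEYS = {"A": os.urandom(32), "B": os.urandom(32)}


def bob_step2(n_a: str):
    """2. B -> T : A, B, N_A, N_B.  Bob remembers N_B so he can check the step-4 ticket."""
    n_b = secrets.token_hex(16)
    return ("A", "B", n_a, n_b), {"expected_n_b": n_b}


def trent_step3(a: str, b: str, n_a: str, n_b: str) -> bytes:
    """3. T -> A : {N_A, B, K_AB, {N_B, A, K_AB}_{K_BT}}_{K_AT}."""
    k_ab = secrets.token_hex(16)
    ticket = encrypt(KEYS[b], [n_b, a, k_ab])          # inner part, only Bob can open it
    return encrypt(KEYS[a], [n_a, b, k_ab, ticket.hex()])


def alice_step4(n_a: str, reply: bytes):
    """Alice checks her nonce and the peer name, keeps K_AB and forwards the ticket."""
    n_a_back, b, k_ab, ticket_hex = decrypt(KEYS["A"], reply)
    if n_a_back != n_a or b != "B":
        raise ValueError("Trent's reply is not fresh or not about B")
    return k_ab, bytes.fromhex(ticket_hex)             # 4. A -> B : {N_B, A, K_AB}_{K_BT}


def bob_accept(state: dict, ticket: bytes):
    """Bob accepts the ticket only if it carries the N_B he issued in this run."""
    n_b, a, k_ab = decrypt(KEYS["B"], ticket)
    if state["expected_n_b"] is None or n_b != state["expected_n_b"]:
        raise ValueError("stale ticket: N_B does not belong to this run (replay)")
    state["expected_n_b"] = None                       # a nonce is consumed exactly once
    return a, k_ab


def run():
    """One honest run; returns Alice's key, Bob's key and the ticket that was used."""
    n_a = secrets.token_hex(16)                        # 1. A -> B : A, B, N_A
    request, state = bob_step2(n_a)
    reply = trent_step3(*request)
    k_alice, ticket = alice_step4(n_a, reply)
    _, k_bob = bob_accept(state, ticket)
    return k_alice, k_bob, ticket


def replay_is_rejected(old_ticket: bytes) -> bool:
    """An old ticket replayed into a fresh run must fail Bob's nonce check."""
    _, fresh_state = bob_step2(secrets.token_hex(16))
    try:
        bob_accept(fresh_state, old_ticket)
    except ValueError:
        return True
    return False
```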

Needham-Schroeder public-key protocol

Goal: Mutual authentication of the participants with key agreement for secure communication.

This protocol does not rely on a trusted third party; however, it assumes that the participants know each other's public keys, $K_A$ and $K_B$. The protocol expects the nonces $N_A$ and $N_B$ to be provided by the participants.

Protocol:

1. $A \to B : \{N_A, A\}_{K_B}$

2. $B \to A : \{N_A, N_B\}_{K_A}$

3. $A \to B : \{N_B\}_{K_B}$

Oracle replay attack:

Despite the simplicity of the protocol, it took 17 years to find an effective attack. Mallory exploits the fact that Alice initiates a communication with her, and immediately begins to communicate with Bob in parallel:

1. $A \to M : \{N_A, A\}_{K_M}$

1'. $M(A) \to B : \{N_A, A\}_{K_B}$

2. $B \to M(A) : \{N_A, N_B\}_{K_A}$

2'. $M \to A : \{N_A, N_B\}_{K_A}$

3. $A \to M : \{N_B\}_{K_M}$

3'. $M(A) \to B : \{N_B\}_{K_B}$

Both instances of the protocol are successfully completed, where Mallory used Alice as an oracle to initiate and perform the steps of the protocol with Bob. At the end, Bob is convinced that he communicates with Alice, whereas Mallory has both nonces $N_A$ and $N_B$ at her full disposal and can therefore construct the key for further communication. Prevention can be achieved by breaking the symmetry, for example this way:

Protocol:

1. $A \to B : \{N_A, A\}_{K_B}$

2. $B \to A : \{N_A, N_B, B\}_{K_A}$

3. $A \to B : \{N_B\}_{K_B}$


Yahalom protocol

Goal: Mutual authentication of participants and distribution of a key for secure communication, provided by Trent.

The protocol assumes that both Alice and Bob provide nonces N_A and N_B and share communication keys with Trent, K_AT and K_BT respectively. Protocol:

1. A → B : A, N_A

2. B → T : B, {A, N_A, N_B}_{K_BT}

3. T → A : {B, K_AB, N_A, N_B}_{K_AT}, {A, K_AB}_{K_BT}

4. A → B : {A, K_AB}_{K_BT}, {N_B}_{K_AB}

At the beginning, Alice wants to communicate with Bob. She sends him her identifier together with a nonce. Bob prepares a request for a key for Trent: he adds his own nonce to the message from Alice and encrypts it using the key he shares with Trent. The trusted party Trent deciphers the message and prepares a response to Alice. This message consists of two parts, one intended for Alice, the other for Bob. Both parts contain K_AB for further communication. The message to Alice also contains her nonce, to convince Alice about the origin and freshness of the communication (only Alice and Trent know the key K_AT). Alice deciphers her part, extracts Bob's nonce and sends Bob his part of the message together with his nonce encrypted using their new shared key K_AB. Bob deciphers the first part of the message and verifies the identifier of Alice. He uses the obtained key K_AB to decrypt the second part of the message and recover his nonce. Because the nonce N_B is sent exclusively in encrypted form, it is known only to Alice, Bob and Trent. Its presence in the fourth step of the protocol shows that Alice believes in the freshness of the key K_AB. That, together with the fact that the first part of the message comes from Trent, convinces Bob that K_AB is a suitable key for the subsequent communication with Alice.

Alice is convinced about the identity of Bob via Trent after the third step of the protocol. Bob is convinced about the identity of Alice after a successful fourth step.

Some alterations of Yahalom protocol are prone to attacks.

Denning-Sacco protocol

Goal: Authentication of Alice using certificates provided by the trusted third party Trent, and distribution of a key K_AB for further secure communication.

Let C_A and C_B be the certificates of the public keys of Alice and Bob respectively (in fact, these are "just" public keys signed by Trent). Alice generates a key K and a timestamp T_A. The notation {{K, T_A}_{K_A^{-1}}}_{K_B} means that the message K, T_A is digitally signed by Alice and subsequently encrypted for Bob using his public key.

 Protocol:

1. A → T : A, B

2. T → A : C_A, C_B

3. A → B : C_A, C_B, {{K, T_A}_{K_A^{-1}}}_{K_B}


Attack:

Mallory can exploit the situation when Alice wants to communicate with her to obtain a disguise for communication with Bob. It took 12 years to find this attack.

1.  A → T : A, M

2.  T → A : C_A, C_M

3.  A → M : C_A, C_M, {{K, T_A}_{K_A^{-1}}}_{K_M}

3'. M(A) → B : C_A, C_B, {{K, T_A}_{K_A^{-1}}}_{K_B}

After receiving the message in the third step of the protocol, Mallory deciphers it, obtains the key K, and verifies the timestamp and the digital signature of Alice. She then encrypts the signed key and timestamp using the public key of Bob and immediately sends it as the third step of the protocol. As the timestamp T_A is still fresh, Bob does not suspect that he is being manipulated; he accepts the message, the authentication of Alice and the key K. The attacker obtains the certificate C_A from Trent.

To avoid this type of attack, it is sufficient to add the identifiers of the participants into the signed message in the third step of the protocol:

3. A → B : C_A, C_B, {{A, B, K, T_A}_{K_A^{-1}}}_{K_B}

Wide Mouth Frog protocol

Goal: Distribution of a key K_AB between the participants Bob and Alice using the trusted third party Trent, and authentication of Alice.

The protocol uses timestamps T_A (Alice's) and T_T (Trent's) to ensure the freshness of transmitted messages. Encryption of the communication is achieved using the keys K_AT and K_BT. Protocol:

1. A → T : A, {T_A, B, K_AB}_{K_AT}

2. T → B : {T_T, A, K_AB}_{K_BT}

Replay attack:

Assume that Alice begins the protocol with the intention to communicate securely with Bob. Mallory intercepts the message to Bob in the second step and passes it on to Bob:

1. A → T : A, {T_A, B, K_AB}_{K_AT}

2. T → M(B) : {T_T, A, K_AB}_{K_BT}

   M(T) → B : {T_T, A, K_AB}_{K_BT}

The intercepted message has the same structure as the message in the first step; therefore it can be used to initiate a fake instance of the protocol:

1'. M(B) → T : B, {T_T, A, K_AB}_{K_BT}

2'. T → M(A) : {T'_T, B, K_AB}_{K_AT}

The received message again has a suitable structure; therefore it can be used for a new instance:

1''. M(A) → T : A, {T'_T, B, K_AB}_{K_AT}


2''. T → M(B) : {T_T^(2), A, K_AB}_{K_BT}

Using this process, Mallory keeps the timestamps always fresh and meanwhile works on compromising the key K_AB. After obtaining the key K_AB, Mallory uses the last intercepted message to start a new protocol run and forces Bob to use K_AB as a suitable key for communication:

1(k). M(A) → T : A, {T_T^(k-1), B, K_AB}_{K_AT}

2(k). T → B : {T_T^(k), A, K_AB}_{K_BT}

Prevention of this attack breaks the symmetry, as demonstrated in the following modification.

Modified Wide Mouth Frog protocol

Goal: Distribution of a key K_AB between the participants Bob and Alice using the trusted third party Trent, and authentication of Alice.

Protocol:

1. A → T : A, {T_A, B, K_AB}_{K_AT}

2. T → B : {T_T, A, B, K_AB}_{K_BT}

3. T → B : {T_B, A, B}_{K_AB} (optional)

Bob is convinced about the identity of Alice via Trent because, first, Trent verified the correctness and freshness of the message in the first step (otherwise he would not have advanced to the next step) and, second, the key K_BT is known only to Trent and Bob and the message from Trent is fresh.

Alice is convinced about the identity of Bob after she receives a message encrypted using the key K_AB.

Kerberos protocol

Goal: Authenticate the participants of the communication using a trusted third party in a networked (client-server) environment.

The name Kerberos originates in Greek mythology, where Cerberus is the monstrous three-headed dog guarding Hades. Kerberos prevents eavesdropping and replay attacks and ensures the integrity of the data. It utilizes symmetric cryptography and a trusted third party. It was introduced by MIT and is now in its fifth incarnation, Kerberos V, RFC 4120 (2005). There are various implementations, such as KTH-KRB and Heimdal. Microsoft has used Kerberos as its default authentication protocol since the introduction of Windows 2000.

The protocol is based on the Needham-Schroeder protocol.

Protocol:

1. A → T : A, B

2. T → A : {T_T, L, K_AB, B, {T_T, L, K_AB, A}_{K_BS}}_{K_AS}

3. A → B : {T_T, L, K_AB, A}_{K_BS}, {A, T_A}_{K_AB}

4. B → A : {T_A + 1}_{K_AB}


L is lifespan data, similar to a timestamp.

Basically, the client authenticates itself to the Authentication Server, then demonstrates to the Ticket Granting Server that it is authorized to receive a ticket for a service (and receives it), and then demonstrates to the Service Server that it has been approved to receive the service.

Drawbacks

As Kerberos requires the continuous availability of a central server, it introduces a single point of failure into the protocol. Kerberos also requires the clocks of the involved hosts to be synchronized. The tickets have an availability period and, if the host clock is not synchronized with the clock of the Kerberos server, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. Finally, password changing is not standardized and differs between server implementations.

Agora protocol

A minimal distributed protocol for electronic commerce introduced by Gabber in 1996.

Goal: Enable simple payments for information stored on web pages.

The protocol utilizes certificates and digital signatures to ensure the authenticity of sent messages. Let Alice be a customer and Bob a merchant selling goods over the internet. The symbols C_A and C_B denote the certificates of their public keys; assume that the certificates are provided by a trusted third party. Let M be a request to obtain the price, N a counter of requests and P the price of the information.

Protocol:

1. A → B : A, M

2. B → A : {C_B, N, P}_{K_B^{-1}}

3. A → B : {C_A, N, P}_{K_A^{-1}}

In the second and third step, the messages are signed by the participants using their private keys, but are not encrypted.

Protocol interaction attack

It is possible to construct a special protocol that violates the security of the Agora protocol. This protocol will serve the purpose of verifying age, as a "safety barrier" to prevent access to some web pages. Assume that the certificate contains the birth date, or that the certificate is issued only to persons of the required age. A participant proves her age by knowing her private key, i.e. by her ability to sign a random request R:

1. A → B : A

2. B → A : R

3. A → B : {C_A, R}_{K_A^{-1}}

If the length of the random request R is equal to the sum of the lengths of N and P, the attacker Mallory proceeds in the following steps:

1.  A → M(D) : A

1'. M(A) → B : A, M

2.  B → M(A) : {C_B, N, P}_{K_B^{-1}}

2'. M(D) → A : R   (R = N, P)

3.  A → M(D) : {C_A, R}_{K_A^{-1}}

3'. M(A) → B : {C_A, N, P}_{K_A^{-1}}

Mallory uses the concatenation of N, P as the random request in the age verification protocol. The subsequent response of Alice is then immediately usable as the response that validates the purchase in the Agora protocol. Dave (D) can be an arbitrary participant.

Cryptographic protocol construction security advice

Many attacks can be prevented by following a few pieces of security advice related to the construction of cryptographic protocols. Some of the problems can be avoided by specific implementation details, such as remembering old keys or verifying the diversity of the nonces used, but these significantly increase the complexity of the protocol implementation. Similarly, a check for parallel runs prevents the attacks exploiting multiple protocol runs, but decreases the performance of the system.

Therefore, the aim of cryptographic protocol construction is to create a protocol whose security properties are guaranteed by its own construction and sequence of steps, together with precisely formulated prerequisites.

Some of the advice is formulated in the following list.

1. Explicitness – the meaning of a message shall depend only on the message alone. A message is supposed to contain all the information required for its interpretation, including the identity of the participants. Examples of failures include the Denning-Sacco protocol and the Needham-Schroeder public-key protocol.

2. Assumptions – for each message that causes any action, all required assumptions shall be provided.

3. Use of ciphers – it must be clearly stated which purpose the encryption of the text serves. Among the common purposes, encryption can be used to provide confidentiality, authenticity, mutual binding of messages, randomness, etc.

4. Signing and encryption – a digital signature does not guarantee that the sender knows the plaintext. It is vital to first sign the plaintext and then encrypt the whole message. On the other hand, even this does not guarantee security, as the Denning-Sacco protocol proves.

5. Nonces – for each nonce it is mandatory to state its goal and expected properties. The Otway-Rees protocol is an example of a security risk regarding this advice.

6. Security of predictable information – predictable information (counters) used to ensure the freshness of transferred messages must be secured in the protocol.

7. Timestamps – if timestamps are used to preserve freshness, it is mandatory to synchronize local clocks. In addition, the system of time administration becomes a critical component of the security system.

8. Freshness vs usage – the actual use of an entity (e.g. a key for encryption) is not the same as the freshness of the entity.

9. Exactness (unicity) – a protocol message shall be exactly decipherable: a participant is able to determine the pertinence of a message to the protocol, the protocol run and the order of the message within the protocol.

10. Trust – it is mandatory to formulate and justify all assumptions about the trust the protocol expects.

11. Use of private keys – if possible, it is better to avoid using a private key for various purposes, such as both signing and decryption. For example, with RSA it is possible to obtain the private key from the process of decrypting and publishing the decrypted messages.

12. Assume nothing – do not assume anything that is not stated in the protocol definition.


Quantum cryptography

Quantum cryptography revolutionized the approach to solving cryptographic problems by relying on the properties of subatomic particles rather than on clever mathematical ideas. Quantum cryptography utilizes principles of quantum mechanics and the physics of information to achieve secure communication. Eavesdropping can then be viewed as a measurement on the physical object that carries the information. It is then possible to detect an eavesdropping attempt, using quantum phenomena such as quantum superposition or quantum entanglement. According to the laws of quantum mechanics, a measurement on the quantum carrier of information disturbs it and leaves traces of tampering.

Quantum theory basics

"I think I can suggest that nobody understands quantum mechanics." Richard P. Feynman

Uncertainty principle

Introduced in 1927 by Werner Heisenberg, the uncertainty principle states that one cannot measure with arbitrary precision the values of certain conjugate quantities, which are pairs of observables of a single elementary particle. These pairs include position and momentum. It is, however, possible to obtain a positive lower bound for the product of the uncertainties of measurements of the conjugate quantities.

Entanglement of particles

Quantum entanglement is a "strange" phenomenon of quantum mechanics whose effect is that the quantum states of two or more objects have to be described with reference to each other, even if they are spatially separated. This inevitably leads to correlations between observable physical properties of the system; e.g. it is possible to prepare two electrons in a joint quantum state where the first electron is observed to be spin-up whereas the second is observed to be spin-down. Still, it is not possible to predict which set of measurements will be observed for each system, although the measurement of the first system instantaneously influences the other system entangled with it.

Quantum entanglement is closely related to the new technologies of quantum cryptography, quantum computing in general, and also to quantum teleportation. Quantum entanglement, however, brings some philosophical problems, as the correlations predicted by quantum mechanics and observed in experiments reject the principle of local realism, which states that information about the state of a system should only be mediated by interactions in its immediate surroundings.

Quantum computing

Quantum computers are still a dream yet to come true; however, some applications are already known, with serious implications for current cryptography standards. For example, a quantum computer is theoretically able to solve the factorization problem (the basis of the RSA cryptosystem) in polynomial time, using a probabilistic algorithm invented by Peter Shor that computes the factors in O((log n)^3) time and O(log n) space, where n is the product of two prime numbers.

Qubit

A qubit (qbit), an acronym for quantum bit, is a unit of quantum information, first introduced by Brian W. Schumacher, who found a way for a quantum state to represent information (Schumacher compression). Quantum information is described by a state vector in a two-level quantum mechanical system, formally equivalent to a two-dimensional vector space over the complex numbers. A qubit differs from a classical bit in that, while a qubit, like a bit, has only two possible values, 0 or 1, at a given time it can be 0, 1, or a superposition of both. 0 and 1 are called the base states.

Formally, the 0 and 1 states are usually presented in Dirac (bra-ket) form, ∣0⟩ (ket 0) and ∣1⟩ (ket 1). A pure qubit state is their linear superposition, ∣ψ⟩ = α∣0⟩ + β∣1⟩, where α and β are complex probability amplitudes and |α|² + |β|² = 1. A qubit can be simultaneously in all available states; however, any attempt to measure the state causes the qubit to collapse into one of the two base states. The base state is obtained according to probability: there is a probability |α|² of obtaining 0 and a probability |β|² of obtaining 1.

Another important property of qubits lies in entanglement; the maximally entangled quantum state of two qubits, called a Bell state, can be described as

∣Φ⁺⟩ = (1/√2) (∣0⟩_A ⊗ ∣0⟩_B + ∣1⟩_A ⊗ ∣1⟩_B) = (1/√2) (∣00⟩ + ∣11⟩),

where ⊗ denotes the tensor product. Even if Alice possesses one qubit and Bob the other, as those qubits were entangled and are now spatially separated, they still exhibit perfect correlations.

Quantum cryptography principles

Polarized photons

In 1984, Charles H. Bennett and Gilles Brassard proposed the first method of implementing a cryptographic scheme employing quantum theory. The scheme, known as BB84, uses pulses of polarized light, one photon per pulse. The scheme uses two types of polarization, rectilinear and diagonal (or circular). Rectilinear can be either vertical or horizontal; diagonal (circular) can be left-handed or right-handed. Using either type of polarization, a bit can be encoded, e.g. vertical and left-handed polarizations as 1, horizontal and right-handed as 0. To generate a random key, Alice must send the polarizations with equal probability. To mislead Eve, Alice has to choose between the alternative rectilinear and circular polarizations.

Entangled photons

In 1991, Arthur Ekert proposed a scheme that uses entangled pairs of photons. These

 photons are prepared by either  Alice, Bob or any other source different from them, such

as Eve. The photons are distributed so that both  Alice and Bob each receive one photon

from each pair.

The scheme is based on three properties of entanglement.

The first property exploits the fact that it is possible to make entangled states that are perfectly correlated. That means that if Alice and Bob both test whether their particles have vertical or horizontal polarization, they will always get opposite answers. Similarly, the same opposite results are obtained if they measure any other pair of complementary orthogonal polarizations. Their individual results are, however, completely random, as they cannot predict whether they will obtain vertical or horizontal polarization.

The second property is often called quantum non-locality, and causes the correlation between the measurements of Alice and Bob. These correlations are not perfect; however, there is more than a 50% probability that Alice can correctly deduce Bob's measurements from her own measurements and vice versa. These correlations are even stronger than any model based on classical physics or ordinary intuition would predict.

The third property is related to eavesdropping: any attempt at eavesdropping by Eve weakens these correlations, and Alice and Bob can detect the changes in the correlations.

Classical cryptography versus quantum cryptography

As classical cryptography is based on difficult mathematical problems, whereas quantum cryptography is based upon properties of subatomic particles, there are some fundamental differences in the outcomes of these two types of cryptography.

Privacy amplification

Quantum cryptography protocols allow Alice and Bob to generate and share random keys that are very similar (under perfect conditions identical), but there will be an error rate. They allow Alice and Bob to estimate the level of eavesdropping. It is possible to estimate the maximum amount of information Eve can have about their shared key. Eve, however, should be prevented from obtaining even some parts of the key, when they would result in obtaining a critical part of a message. Another disturbing fact is that channel noise cannot be distinguished from eavesdropping; therefore it must be regarded as an attempt to eavesdrop.

Privacy amplification is a "cryptographic" version of error correction. It allows Alice and Bob to start with similar shared random keys about which Eve has some information and then shorten these keys into keys which are identical and about which Eve has no information whatsoever.

Privacy amplification can be used in both the Bennett-Brassard and Ekert schemes, although Ekert's entanglement-based cryptography allows privacy amplification to be performed directly at the quantum level. Besides being more efficient, this also brings the possibility of transmitting quantum cryptography over arbitrarily long distances using quantum repeater stations.

No deniability

Bennett and Brassard's scheme has a deniability limitation. Even though this scheme can be used to create one-time pad keys and achieve perfect security, it may affect the one-time pad's deniability property, i.e. that Alice may encrypt a message with one key but, after sending the ciphertext, pretend that the message was a different one, encrypted with a different key.

The reason lies in possible eavesdropping: an Eve who listens to a small portion of the key exchange (and therefore probably disturbs a few bits, but not enough to invalidate the protocol) will know what happened in a limited number of the exchanged bits. If Alice and Bob have to reveal what was sent and the key used, Alice and Bob must change the key, and therefore must alter the records which were used to obtain it, in order to deny the message. But there is a non-zero probability that Eve has successfully listened to the parts of their records they changed, and therefore knows that the key they are pretending to have used is not correct.

The problem is closely related to the impossibility of bit commitment (the Age problem) using quantum protocols.

Attacks

"Man in the middle" attacks, as known from classical cryptography, cannot occur in quantum cryptography due to the observer effect. If Mallory tries to intercept the stream of photons, she will alter them with some probability. She then cannot re-emit the photons correctly to Bob, as her measurement destroyed the information about the photon's state and entanglement.

The entangled photon scheme is virtually impossible to hijack, because creating three entangled photons would decrease the strength of each photon and this could be easily detected. Mallory cannot use a man-in-the-middle attack, as she would have to measure an entangled photon, disrupt the other photon and then re-emit both photons. The laws of quantum physics disallow this.

However, there are different versions of man-in-the-middle attacks still applicable in quantum cryptography. For example, if Eve pretends to be Alice to Bob and vice versa, she can perform quantum cryptography negotiations with both sides simultaneously, using two keys. This attack fails if both sides can verify each other's identity.

A denial of service (DoS) attack can be easily performed by cutting a dedicated fibre optic line or by attempting to tap it.

A random number generator attack can be performed if the equipment used to generate the keys can be tampered with.

Polarization schemes are also susceptible to an attack proposed by Adi Shamir. Mallory can send a large pulse of light back to Alice in between the transmitted photons. Alice's equipment inevitably reflects some of Mallory's light back. This light is polarized, as Alice's equipment was in some polarization state; Mallory therefore can try to measure the photons and extract the state of Alice's polarizer.

Quantum key distribution (QKD)

Quantum cryptography can solve the problem the one-time pad faced when used with classical cryptography: the requirement to safely transmit a key of the same length as the message prior to the encryption of the message. Quantum cryptography can be used to exchange or distribute shared secret keys between the participants in a communication, forcing a potential eavesdropper to become an active participant in the communication and increasing the chances of detecting any unwanted activity. The quantum channel can be used to exchange or distribute keys, whereas the transmission itself can be done using a one-time pad, achieving perfect secrecy. Keys can be changed on the fly, at any moment, making successful eavesdropping even harder.

BB84 quantum coding scheme

The BB84 quantum coding scheme was the first proposed quantum encoding of classical information in such a way that the receiver (legitimate or illegitimate) cannot recover it with 100% reliability. It is the basic tool most quantum protocols are based upon.

The BB84 coding scheme makes a correspondence between classical bits and quantum states. Each classical bit corresponds to a superposition of two equally probable non-orthogonal quantum states. One representation looks like this:

[Figure: the four BB84 states ∣0⟩+, ∣1⟩+, ∣0⟩x and ∣1⟩x, with the diagonal states rotated by 45° from the rectilinear ones.]

We denote by ∣0⟩+ and ∣1⟩+ the states related to the rectilinear basis, whereas the states for the diagonal basis will be denoted ∣0⟩x and ∣1⟩x. In some literature, a circular basis is used instead of the diagonal one.

Information to be sent over the quantum channel is encoded by the transmission of photons in certain polarization states. The direction of the polarization encodes a classical bit. The BB84 coding scheme has two base states representing the classical 0, which is encoded either by a photon with horizontal polarization or by a photon with polarization at 45° from the horizontal direction. The remaining orthogonal states, i.e. vertical and 135° polarization, encode the classical 1.

The laws of quantum mechanics state that it is impossible to distinguish with certainty between two non-orthogonal quantum states. In order to distinguish these states, a quantum measurement must be performed, providing a classical output that tries to identify the received state. The obliviousness of the transmitted information provides the cryptographic properties needed in quantum cryptography.

The following measurements will be used in the description of the BB84 coding scheme below:

– denotes a measurement in the rectilinear basis, the von Neumann measurement allowing one to distinguish between the ∣0⟩+ and ∣1⟩+ states.

– denotes a measurement in the diagonal basis, the von Neumann measurement allowing one to distinguish between the ∣0⟩x and ∣1⟩x states.

Algorithm

Alice wants to send a secret key to Bob. She therefore generates a random key of n bits, {a_i}, and also a vector containing the decisions which type of polarization (rectilinear or diagonal) to use, {b_i}. She then encodes these two vectors as a string of n qubits:

∣ψ⟩ = ⊗_{i=1}^{n} ∣a_i b_i⟩,

where each qubit can be in one of these four states (depending on a_i b_i):

∣00⟩ = ∣0⟩+

∣10⟩ = ∣1⟩+

∣01⟩ = ∣0⟩x = (1/√2) ∣0⟩+ + (1/√2) ∣1⟩+

∣11⟩ = ∣1⟩x = (1/√2) ∣1⟩+ − (1/√2) ∣0⟩+

The qubits are now in states that are not mutually orthogonal; thus it is not possible to distinguish them with certainty without prior knowledge of b_i.

Alice thereafter sends ∣ψ⟩ to Bob over a public quantum channel. Bob receives a state ∣ψ'⟩, which is ∣ψ⟩ altered by an operation representing both noise and eavesdropping by Eve. After Bob receives the string of qubits, all three parties, Alice, Bob and Eve, have their own states. Only Alice knows the polarization sequence {b_i}, making it almost impossible for both Bob and Eve to distinguish the states of the qubits. Eve, however, cannot be in possession of a copy of the qubits sent to Bob (the no-cloning theorem of quantum mechanics) unless she has tried to measure them. Her measurements could cause, with increasing probability, disturbances of the qubits; each qubit is disturbed with a probability of 50% if she guesses the wrong basis.

On the other side, Bob generates a string of random bits {b'_i} of the same length as {b_i}, which he uses as his guesses for the type of polarization used for a given a'_i he received from Alice (Eve). He then measures these values and obtains the values a''_i. Bob afterwards announces through a public channel that he received all of Alice's qubits. Next, Bob and Alice communicate through a public channel and find out which polarizations were guessed right and which were wrong (b_i ≠ b'_i). Both Alice and Bob then remove all qubits that were measured by Bob with the wrong polarization.

Finally, an eavesdropping check is performed. Out of the remaining k qubits a_i, Alice randomly chooses half of them and discloses her choice over the public channel. Both Alice and Bob announce these bits publicly and check whether all of them match (a_i = a''_i). If this is the case, they then proceed with information reconciliation and privacy amplification techniques to create some number of shared secret keys. Otherwise, they have found possible eavesdropping (or noise), as Eve possibly guessed the wrong polarization type at a position where Bob used the correct measurement, disrupting the qubit at the j-th place and causing Bob's measurement to fail: a_i ≠ a'_i ≠ a''_i. If there are more than a certain number of misses, they start the protocol over.
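The algorithm above as an added simulation (this is not the book's code). The quantum behaviour is reduced to the two rules the text relies on: a measurement in the preparing basis returns the bit undisturbed, a measurement in the wrong basis returns a random bit and collapses the photon into the measuring basis. Eve, when present, does the intercept-and-measure described in the text and resends what she measured; the optional detector loss stands in for the 0.5 failure probability used in the worked examples that follow. All names, the seeded RNG and the sample sizes are constructed here.

```python
"""BB84 key sifting and eavesdropping check, simulated classically."""
import random

BASES = "+x"   # rectilinear and diagonal bases, as in the text


def measure(photon, basis, rng):
    """Measure `photon` = (bit, preparing basis) in `basis`.
    Returns (observed bit, photon after the measurement)."""
    bit, prep_basis = photon
    if basis == prep_basis:
        return bit, photon              # right basis: deterministic, undisturbed
    out = rng.randrange(2)              # wrong basis: 50/50 outcome ...
    return out, (out, basis)            # ... and the state collapses into `basis`


def bb84(n, seed, eve=False, loss=0.0):
    """One BB84 run over n photons with a seeded RNG (constructed, reproducible).
    Returns sifting statistics, the eavesdropping-check result and the key
    bits that survive the check on each side."""
    rng = random.Random(seed)
    a = [rng.randrange(2) for _ in range(n)]          # Alice's key bits {a_i}
    b = [rng.choice(BASES) for _ in range(n)]          # Alice's bases {b_i}
    photons = [(a[i], b[i]) for i in range(n)]

    if eve:  # intercept-and-resend with a guessed basis per photon
        photons = [measure(p, rng.choice(BASES), rng)[1] for p in photons]

    b_bob = [rng.choice(BASES) for _ in range(n)]      # Bob's guesses {b'_i}
    a_bob = []                                         # Bob's readings {a''_i}
    for i, p in enumerate(photons):
        if rng.random() < loss:
            a_bob.append(None)                         # detector saw nothing
        else:
            a_bob.append(measure(p, b_bob[i], rng)[0])

    # Public discussion of bases: keep detected positions where b_i == b'_i.
    kept = [i for i in range(n) if a_bob[i] is not None and b[i] == b_bob[i]]

    # Eavesdropping check: Alice picks half of the kept positions at random,
    # both reveal those bits; the remaining positions become key material.
    check = set(rng.sample(kept, len(kept) // 2))
    errors = sum(1 for i in check if a[i] != a_bob[i])
    key_pos = [i for i in kept if i not in check]
    return {
        "sifted": len(kept),
        "check_bits": len(check),
        "errors": errors,
        "alice_key": [a[i] for i in key_pos],
        "bob_key": [a_bob[i] for i in key_pos],
    }


def eavesdropper_detected(result, max_error_rate=0.0):
    """Abort rule from the text: mismatches above the tolerated (noise) rate
    mean a possible eavesdropper and the run is discarded."""
    if result["check_bits"] == 0:
        return True                                    # nothing to check: distrust the run
    return result["errors"] / result["check_bits"] > max_error_rate


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(16, seed=2006, eve=eve, loss=0.5)     # the worked examples' size
        print(f"eve={eve}: sifted={r['sifted']} check={r['check_bits']} "
              f"errors={r['errors']} detected={eavesdropper_detected(r)}")
```

With a few thousand photons the intercept-and-resend attack shows up as roughly a 25% mismatch on the checked bits (Eve picks the wrong basis half the time and then Bob's correct-basis reading is random half of those times), which is the disturbance the text describes.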


Example without eavesdropping

Alice sends Bob a stream of 16 photons, representing the string "1100011101010011" of qubits:

Bob randomly chooses the type of measurement (rectilinear or diagonal) for each photon Alice sent:

Bob's equipment used to measure the photons has a 0.5 probability of failing to detect a photon at all. Therefore Bob will receive these results during his measurement:

Empty circles represent a failure to detect a photon at all; measurements in squares are incorrect (Bob, of course, is not aware of that).

Bob then uses a public channel and tells Alice which types of measurements he made for the received photons, but does not tell her the detected values:

Alice then tells Bob which measurements were of the correct type:

The probability that Bob makes the same type of measurement as Alice did is just one half, and his equipment also has a one-half probability of detecting no photon at all. As a result, only about one quarter of the sent photons can be expected to be correctly received. From the stream of 16 photons in this example, only 4 are expected to be received correctly on Bob's side. In fact, in this example Bob retrieved 6 photons correctly. These photons and the qubits they represent can be used to construct a secret key used by Alice and Bob in their communication using symmetric cryptography on an insecure channel, e.g. the Vernam cipher.

To review the steps of this example:

Alice sends:

Bob measures:

Bob reads:

Bob sends:

Alice tells:

Example with eavesdropping

Alice sends Bob a stream of 16 photons, representing the string "0010001110110000" of qubits:

Eve randomly chooses the type of measurement (rectilinear or diagonal) for each photon Alice sent:


Eve's equipment also has a 0.5 probability of failing to detect a photon at all. Eve obtains these results during her measurement:

A measurement in a diamond is an incorrect guess by Eve; the resulting photon is sent on to Bob.

Bob randomly chooses the type of measurement (rectilinear or diagonal) for each photon Alice (in fact Eve) sent:

Again, Bob obtains these results during his measurement, as his equipment may fail during the measurement:

Bob then uses a public channel and tells Alice which types of measurement he made for his successful measurements:

Alice then tells Bob which measurements were of the correct type:

There were 8 usable qubits retrieved at the end.

Both Bob and Alice want to know whether anyone has been eavesdropping. They decide to compare 50% of these shared qubits, agreeing on a random subset of them so that Eve cannot predict which qubits will be checked and therefore cannot tamper with them.

Alice refines her earlier answer to reveal half of the shared qubits:

Bob tells Alice what his corresponding qubits are:

One of the three qubits was wrong: the qubit in a diamond. Therefore Alice and Bob conclude that Eve was listening to their communication.

To review the steps of this example:

Alice sends:

Eve measures:

Eve reads:

Bob measures:

Bob reads:


 Bob tells:

 Alice tells:

 Alice tells:

 Bob tells:
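The two examples above as an added simulation (this is not code from the book): Alice sends random qubits, Bob and optionally an intercept-resend Eve measure in random bases with detectors that miss a photon half the time, the bases are sifted over the public channel, and half of the sifted key is sacrificed to look for mismatches. The 0.5 detector failure probability and the 50% check follow the text; the seed and the number of photons are assumptions of the example.

```python
import random
from dataclasses import dataclass

RECT, DIAG = "+", "x"          # rectilinear and diagonal measurement types
BASES = (RECT, DIAG)


@dataclass(frozen=True)
class Photon:
    bit: int        # classical bit the polarization encodes
    basis: str      # basis the sender prepared it in


def measure(photon: Photon, basis: str, rng: random.Random) -> int:
    """Measure `photon` in `basis`.  Correct basis: the encoded bit comes out exactly.
    Wrong basis: the outcome is a uniformly random bit, and the photon collapses to
    that outcome, which is how an eavesdropper who guessed wrong leaves a trace."""
    return photon.bit if photon.basis == basis else rng.randrange(2)


def transmit(n: int, rng: random.Random, eve: bool = False, p_fail: float = 0.5):
    """Alice sends n photons; Bob, and optionally an intercept-resend Eve, measure them
    in random bases.  Each detector misses a photon with probability p_fail (0.5 in
    the book's examples); a missed photon shows up as None on Bob's side."""
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = Photon(bit, a_basis)
        if eve:
            if rng.random() < p_fail:            # Eve's detector saw nothing: photon lost
                bob_bits.append(None)
                continue
            e_basis = rng.choice(BASES)
            photon = Photon(measure(photon, e_basis, rng), e_basis)   # resent as Eve saw it
        if rng.random() < p_fail:                # Bob's detector saw nothing
            bob_bits.append(None)
            continue
        bob_bits.append(measure(photon, b_basis, rng))
    return alice_bits, alice_bases, bob_bits, bob_bases


def sift(alice_bits, alice_bases, bob_bits, bob_bases):
    """Public discussion: Bob announces the basis of every photon he detected (not the
    value), Alice answers which bases were correct; both keep only those positions."""
    keep = [i for i, b in enumerate(bob_bits)
            if b is not None and bob_bases[i] == alice_bases[i]]
    return keep, [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def check_eavesdropping(alice_key, bob_key, rng: random.Random, fraction: float = 0.5):
    """Compare a random `fraction` of the sifted key in public.  Returns
    (mismatches, compared, remaining_key); a mismatch means noise or Eve, and the
    compared bits are dropped because they are now public."""
    order = list(range(len(alice_key)))
    rng.shuffle(order)
    sample = set(order[: int(len(order) * fraction)])
    mismatches = sum(alice_key[i] != bob_key[i] for i in sample)
    remaining = [alice_key[i] for i in range(len(alice_key)) if i not in sample]
    return mismatches, len(sample), remaining


def run(n: int, seed: int, eve: bool) -> dict:
    """Whole protocol with a fixed seed; reports the sifted fraction and the error
    rate seen on the checked subset (0 without Eve, about 1/4 with her)."""
    rng = random.Random(seed)
    keep, a_key, b_key = sift(*transmit(n, rng, eve))
    mismatches, compared, _ = check_eavesdropping(a_key, b_key, rng)
    return {"sifted": len(keep) / n,
            "error_rate": mismatches / compared if compared else 0.0}


if __name__ == "__main__":
    print("no Eve:", run(4000, 1, eve=False))
    print("Eve:   ", run(4000, 1, eve=True))
```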

B92 quantum coding scheme

The B92 quantum coding scheme, introduced by Charles H. Bennett in 1992, is similar to BB84 but uses only 2 of the 4 BB84 qubit states. It encodes classical bits in two non-orthogonal BB84 states. No measurement can distinguish two non-orthogonal quantum states, so it is impossible to identify a given bit with certainty, and any attempt to learn the bit modifies the state in an observable way. In contrast to BB84, B92 lets Bob know whenever he has received the bit sent, without further discussion with Alice. The B92 scheme is easier to implement, as it uses only 2 states; however, its security appears to be substantially reduced compared to BB84 in some situations, often being totally insecure.

To send a bit ai, Alice prepares a photon in the following state:

These states correspond to the states ∣0⟩+ and ∣0⟩x of BB84. Bob then chooses a basis for a measurement and performs it. According to the outcome, the received bit ai' is set to be:

In the B92 coding scheme, the classical bit 0 is encoded by a photon with horizontal polarization and the classical bit 1 by a photon with a polarization angle of 45°. If the outcome of the transmission is ∣1⟩+ or ∣1⟩x, then Bob can immediately identify the bit sent by Alice; otherwise it is a transmission error (if the received state was ∣1⟩+, then ai was 0; if Bob received ∣1⟩x, then the bit ai was 1).

Einstein-Podolsky-Rosen (EPR) protocol

Arthur Ekert introduced in 1991 a protocol based on the famous paper of Einstein, Podolsky and Rosen, “Can Quantum-Mechanical Description of Physical Reality Be Considered Complete?” (1935), which uses quantum entanglement as its core principle.

The EPR quantum protocol is a 3-state protocol that uses Bell's inequality to detect the presence of Eve in the system as a hidden variable. The three basic polarization states are chosen as follows:


$$|\Omega_0\rangle = \frac{1}{\sqrt{2}}\left( |0\rangle_1 \left|\tfrac{3\pi}{6}\right\rangle_2 - \left|\tfrac{3\pi}{6}\right\rangle_1 |0\rangle_2 \right)$$

$$|\Omega_1\rangle = \frac{1}{\sqrt{2}}\left( \left|\tfrac{\pi}{6}\right\rangle_1 \left|\tfrac{4\pi}{6}\right\rangle_2 - \left|\tfrac{4\pi}{6}\right\rangle_1 \left|\tfrac{\pi}{6}\right\rangle_2 \right)$$

$$|\Omega_2\rangle = \frac{1}{\sqrt{2}}\left( \left|\tfrac{2\pi}{6}\right\rangle_1 \left|\tfrac{5\pi}{6}\right\rangle_2 - \left|\tfrac{5\pi}{6}\right\rangle_1 \left|\tfrac{2\pi}{6}\right\rangle_2 \right)$$

For each of these linear polarization states, the mutually non-orthogonal alphabets $A_0$, $A_1$ and $A_2$ can be constructed, mapping the states to classical bits:

$$A_0: \; |0\rangle = 0,\ \left|\tfrac{3\pi}{6}\right\rangle = 1 \qquad A_1: \; \left|\tfrac{\pi}{6}\right\rangle = 0,\ \left|\tfrac{4\pi}{6}\right\rangle = 1 \qquad A_2: \; \left|\tfrac{2\pi}{6}\right\rangle = 0,\ \left|\tfrac{5\pi}{6}\right\rangle = 1$$

For each of these alphabets, corresponding measurement operators $M_0$, $M_1$ and $M_2$ are constructed:

$$M_0: \; |0\rangle\langle 0| \qquad M_1: \; \left|\tfrac{\pi}{6}\right\rangle\left\langle\tfrac{\pi}{6}\right| \qquad M_2: \; \left|\tfrac{2\pi}{6}\right\rangle\left\langle\tfrac{2\pi}{6}\right|$$

For each bit ai, a state $|\Omega_i\rangle$ is chosen with equal probability from among the three states. Then an EPR pair is created in the selected state $|\Omega_i\rangle$. One photon of the pair is sent to Alice, the other to Bob. Alice and Bob independently choose at random the type of measurement Mi and measure their respective photons accordingly. Alice records her bit; Bob records the complement of his bit.

Next, Alice and Bob communicate through a public channel about their chosen measurement types to determine the bits with the same measurement type. They then construct two sequences: the raw key, consisting of those bits for which the same measurement type was used, and the rejected key, consisting of those bits for which the types mismatched.

The rejected key is used to detect the presence of Eve: if Bell's inequality is satisfied, then Eve's presence is detected; otherwise it is not.

For the EPR protocol, Bell's inequality can be written as follows.

Let $P(\neq \mid i, j)$ denote the probability that two corresponding bits of the rejected key do not match, given that the measurement operators chosen by Alice and Bob are $M_i$ and $M_j$ or $M_j$ and $M_i$. Let $P(= \mid i, j) = 1 - P(\neq \mid i, j)$.

Let $\Delta(i, j) = P(\neq \mid i, j) - P(= \mid i, j)$ and $\beta = 1 + \Delta(1, 2) - \left|\Delta(0, 1) - \Delta(0, 2)\right|$.

Then Bell's inequality reduces to:

$$\beta \geq 0$$

For quantum mechanics (no hidden variables):

$$\beta = -\frac{1}{2}$$

That is a clear violation of Bell's inequality.
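A worked version of the Bell test above, added here and not taken from the book: it computes β from the quantum prediction for the singlet states (after Bob's complement, the two recorded bits agree with probability cos² of the angle difference), enumerates every deterministic local hidden-variable strategy to show β ≥ 0 for all of them, and estimates β from a simulated rejected key. The cos² rule, the seeds and the sample sizes are assumptions of this example.

```python
import math
import random
from itertools import product

ANGLES = (0.0, math.pi / 6, 2 * math.pi / 6)    # polarizations behind M0, M1, M2
REJECTED_PAIRS = ((0, 1), (0, 2), (1, 2))       # operator pairs that feed the rejected key


def p_equal_quantum(i: int, j: int) -> float:
    """Probability that Alice's bit and Bob's complemented bit agree when the pair is
    measured with M_i and M_j.  For the singlet states above the raw outcomes are
    perfectly anticorrelated at equal angles and agree with probability sin^2 of the
    angle difference, so after Bob's complement they agree with probability cos^2
    (assumption of this example, stated for the states given in the text)."""
    return math.cos(ANGLES[i] - ANGLES[j]) ** 2


def beta(p_equal) -> float:
    """beta = 1 + Delta(1,2) - |Delta(0,1) - Delta(0,2)| with
    Delta(i,j) = P(!= | i,j) - P(= | i,j), as defined in the text."""
    delta = {(i, j): (1 - p_equal(i, j)) - p_equal(i, j) for i, j in REJECTED_PAIRS}
    return 1 + delta[(1, 2)] - abs(delta[(0, 1)] - delta[(0, 2)])


def beta_quantum() -> float:
    """Quantum prediction: -1/2, the violation of beta >= 0 the text mentions."""
    return beta(p_equal_quantum)


def lhv_betas() -> list:
    """beta for every deterministic local hidden-variable strategy: each pair carries
    preset outcomes (a0, a1, a2), one per operator, and Bob's complemented bit equals
    Alice's preset for the same operator (the equal-angle anticorrelation).  beta is
    concave in mixtures of these strategies, so their minimum bounds every LHV model."""
    betas = []
    for preset in product((0, 1), repeat=3):
        betas.append(beta(lambda i, j, a=preset: 1.0 if a[i] == a[j] else 0.0))
    return betas


def simulate(n: int, seed: int, quantum: bool) -> float:
    """Run the protocol on n pairs: Alice and Bob pick M_i independently; equal choices
    go to the raw key, unequal ones to the rejected key, from which beta is estimated."""
    rng = random.Random(seed)
    mismatch = {pair: 0 for pair in REJECTED_PAIRS}
    count = {pair: 0 for pair in REJECTED_PAIRS}
    for _ in range(n):
        i, j = rng.randrange(3), rng.randrange(3)
        if quantum:
            a_bit = rng.randrange(2)
            b_bit = a_bit if rng.random() < p_equal_quantum(i, j) else 1 - a_bit
        else:                                       # hidden variables: preset per pair
            preset = [rng.randrange(2) for _ in range(3)]
            a_bit, b_bit = preset[i], preset[j]
        if i == j:
            continue                                # raw key bit, not part of the test
        pair = (min(i, j), max(i, j))
        count[pair] += 1
        mismatch[pair] += int(a_bit != b_bit)

    def p_equal_observed(i, j):
        return 1 - mismatch[(i, j)] / count[(i, j)]

    return beta(p_equal_observed)
```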


Practical implementations

Navajo

The first known commercial system for QKD, named Navajo, was introduced in 2003 by MagiQ Technologies Inc. MagiQ's system uses a fibre-optic link that updates its encryption key, encoded as qubits, every second. Its communication link, the Quantum Private Network (QPN), consists of two black boxes connected by a 30 km optical link that implement the BB84 quantum coding scheme.

The following figure shows the basic layout of Navajo:

A more detailed view of the quantum key distribution system is depicted below:

Clavis

Clavis is an ancient Latin word for key. Switzerland-based ID Quantique introduced another QKD system, id 3000 Clavis, in 2005. This system is capable of transferring secure key qubits over distances of up to 100 km with a minimal transfer rate of 1500 bits/s. It employs two quantum protocols, BB84 and SARG. Conventional channel cryptography is based on the Triple DES and AES standards. Its architecture resembles that of Navajo.


Elliptic curve cryptography

Elliptic Curve Cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over a finite field. This approach was introduced in 1985 by Neal Koblitz and Victor S. Miller.

An elliptic curve is a plane curve defined by an equation of the form

y² = x³ + ax + b

The set of points on an elliptic curve forms an abelian group (with the point at infinity as the identity element). If the coordinates x and y are chosen from a large finite field, the solutions form a finite abelian group. The discrete logarithm problem in such elliptic curve groups is believed to be harder than the corresponding problem in the underlying finite field. As a result, keys in elliptic curve cryptography can be chosen much shorter while still attaining a comparable level of security.

No mathematical proof of difficulty had been published for ECC as of 2006. The NSA has endorsed ECC by including it in its Suite B of recommended algorithms.

Figure: elliptic curve y² = x³ + x over F23, with its points plotted for x, y = 0, 1, …, 22.

Cryptographic schemes

The discrete logarithm problem carried over to an elliptic curve is called the elliptic curve discrete logarithm problem (ECDLP). The hardness of several problems related to the discrete logarithm in a subgroup of E(Fq), the group of points of an elliptic curve E over a finite field Fq, allows the cryptographic use of elliptic curves. Most elliptic curve cryptographic schemes are derived from discrete logarithm schemes and are therefore modifications of existing modular arithmetic schemes:

 –  Elliptic Curve Diffie-Hellman (ECDH) key agreement scheme based on the Diffie-Hellman key

agreement scheme

 –  Elliptic Curve Digital Signature Algorithm (ECDSA) based on the Digital Signature Algorithm

(DSA)

 – ECMQV key agreement scheme based on the MQV key agreement scheme

The famous Elgamal encryption scheme, however, cannot easily be ported to the elliptic curve domain. The scheme was never standardized and cannot be used directly over an elliptic curve. The reason is that, while it is easy to convert an arbitrary message to an integer modulo p, it is not easy to convert an arbitrary bitstring to a point on a curve (for a given x it is not always possible to find a y such that the point lies on the curve). Elgamal is also vulnerable to chosen ciphertext attacks (CCA). Therefore a modification of the Elgamal scheme, called the Elliptic Curve Integrated Encryption Scheme (ECIES), was introduced.
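Arithmetic on the curve y² = x³ + x over F23 from the figure above, as an added example (not the book's code): the group law, double-and-add scalar multiplication, enumeration of the points, the x values that have no curve point (the obstacle to a direct Elgamal port just described), and an ECDH exchange on this toy group. The generator and the scalars are constructed values.

```python
from typing import Optional, Tuple

P, A, B = 23, 1, 0                    # y^2 = x^3 + A*x + B over F_P; the curve of the figure
Point = Optional[Tuple[int, int]]     # None is the point at infinity O (the group identity)


def is_on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1: Point, p2: Point) -> Point:
    """Group law on E(F_P): chord for distinct points, tangent for doubling,
    O as identity, (x, -y) as the inverse of (x, y)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                              # p2 == -p1 (also doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt: Point) -> Point:
    """Scalar multiplication k*pt by double-and-add; k*pt = O when k is the group order."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def all_points() -> list:
    """Every point of E(F_P), O included: the finite abelian group the text describes."""
    return [None] + [(x, y) for x in range(P) for y in range(P) if is_on_curve((x, y))]


def x_without_point() -> list:
    """x values for which no y satisfies the curve equation: the reason an arbitrary
    bitstring cannot simply be read as the x coordinate of a curve point."""
    return [x for x in range(P) if not any(is_on_curve((x, y)) for y in range(P))]


def ecdh(generator: Point, a: int, b: int) -> Tuple[Point, Point, Point]:
    """ECDH: Alice publishes a*G, Bob publishes b*G; both sides derive a*(b*G) = b*(a*G).
    The third value is (a*b)*G, shown only to check the group law."""
    alice_pub, bob_pub = mul(a, generator), mul(b, generator)
    return mul(a, bob_pub), mul(b, alice_pub), mul(a * b, generator)


if __name__ == "__main__":
    print(len(all_points()), "points;", "no point above x =", x_without_point())
    print("ECDH shared point:", ecdh((1, 5), 7, 11)[0])
```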

It is accepted that ECDLP-based cryptography will replace cryptography based on integer factorization (RSA) and finite field cryptography (DSA). In 2005, the NSA announced its Suite B of recommended algorithms, which uses ECC exclusively for digital signature generation and key exchange.


Trusted Computing

Today, we are in the midst of a quiet cryptographic revolution that would affect each computer user 

all around the world. Rapidly increased number of virus attacks, trojan horses, denial of service

attacks, spyware, online piracy and other security related problems prompted commercial vendors

to join their efforts and propose a technology that would help to solve these difficult problems.The Trusted Computing Group (TCG), formerly known as Trusted 

Computing Platform Alliance (TCPA) is an initiative of vendors to

implement trusted computing . Trusted computing is a term that covers the

use of trusted systems, systems which user has no choice but to trust .

The main purpose of TCG was to develop a hardware device, a Trusted Platform Module (TPM)

that enables trusted computing features. Basically, it is an integrated circuit that provides some

cryptographic features, such as random number generator, RSA cryptosystem, cryptographic hash

storage, etc. It is expected, that by 2010 all notebooks and desktop PCs will include a TPM in their 

motherboards. Another objective of TCG is to release a Trusted Network Connect  (TNC)

architecture to enable network operators to provide endpoint integrity at every network connection,

thus enabling interoperability among multi-vendor network endpoints.

Trust

In the field of security, the term trusted system denotes a system which has to be trusted for the security of a larger system to hold. A trusted system is therefore a system that can break the user's security policy, i.e. a system you are forced to trust because you have no choice. Trusted does not mean that the system is trustworthy. For example, a hard drive controller must be trusted by its users to work as expected in every case. A secure web site must also be trusted to be secure, as the user cannot verify this alone. Trust is always a kind of compromise or weakness: undesirable, yet inevitable.

The term trust causes the main controversy, as the TCG defines technical trust as “an entity can be trusted if it always behaves in the expected manner for the intended purpose”. The controversy comes from the fact that, rather than defining a trustworthy system, this leads to a system the user is forced to trust.

Another concern is that the concept of the TPM cannot always be used to its full extent, as there are cases when it is not possible to examine all hardware components, which presents a security risk to overall platform integrity and data.

Another problem is the pace of advances in cryptography, which quickly make hardware implementations of algorithms obsolete.

While trusted computing increases security on the one hand, it also makes it possible to force users into mandatory digital rights management, to harm privacy and to impose other restrictions on users. Trusting networked computers to authorities could lead to censorship. As a result, a new concept of secure computing was introduced, in which anonymity is the main concern.

Concepts of trusted computing

Trusted computing encompasses five key technology concepts of a trusted system:

1. Endorsement Key

2. Secure Input and Output

3. Memory curtaining, protected execution

4. Sealed storage

5. Remote attestation


Endorsement key

The endorsement key is a 2,048-bit RSA public and private key pair, created at manufacture time, stored in the chip and impossible to change. The private key is stored in the chip; the public key is disclosed to other modules for attestation and for encryption of information sent to the chip.

This key makes secure transactions possible. Each TPM is required to sign a random number to prove its identity; this makes it impossible for a software TPM emulator to start a secure transaction with a trusted entity. The TPM is designed to prevent extraction of this key by hardware analysis.

Secure Input and Output

A protected path must be established between the computer user and the software. Secure I/O uses checksums to identify any potential tampering with the information exchanged. Secure I/O is, however, not resistant to hardware based attacks, such as keylogger devices.

Memory curtaining, protected execution

Memory curtaining isolates sensitive areas of memory (e.g. areas containing cryptographic keys). Using virtualization techniques, even the OS does not have access to this part of the memory.

Sealed storage

Another form of protection can be achieved by encrypting data with a key derived from the software and hardware being used. Effectively, this means that the data can be read only by the same combination of software and hardware. As a result, only unmodified software can work with the data, and any attempt to modify the original program leads to a cryptographic failure when reading the data.

Remote attestation

Remote attestation allows changes to the computer to be detected by the user and by a remote administrator. As a result, it is possible to detect a compromised computer and exclude it from the secure network or from making important decisions. The hardware generates a certificate of the software currently running that can be shown to a remote party to provide assurance that the computer has not been tampered with. Remote attestation usually uses public key cryptography.

Controversy

The main controversy behind Trusted Computing can be attributed to the fact that TC can be used in a way that data are controlled by their creators rather than by the user of the computer where they are stored. This could lead to remote censorship.

Another issue is vendor lock-in, where a vendor can force users to use only its software, as the output of the software will be encrypted with private keys only the vendor has access to. Whoever controls the TC infrastructure will acquire a huge amount of power, and as history shows, this always leads to abuses.

Control of the received information

Users cannot control the information they receive, due to remote attestation. For example, buying Digital Rights Management (DRM)–enabled music online could allow the music industry to impose inappropriate restrictions on the user, such as preventing the user from playing a song more than a specified amount of time without additional payment. Remote attestation can be used to send music only to conforming music players, sealed storage can prevent the user from playing the music with a different player, and memory curtaining can prevent the user from making a copy of the music.


Inability to change software

Whereas trusted computing can prevent some forms of malicious behavior, it also prevents competition between software products through the use of sealed storage and remote attestation. For example, internet browsers often identify themselves as another browser to enable features on web pages that require the presence of a given browser. Remote attestation would reject these browsers as inappropriate.

Control of the data

Users no longer control their data. Sealed storage could prevent the data from being moved to a new computer. If the TPM is outdated, it could be impossible to transfer files from the older computer to a new one.

Loss of Internet anonymity

A TC-enabled computer is able to uniquely identify its owner through remote attestation. As a consequence, researchers devised direct anonymous attestation to cope with this problem.

Censorship

Trusted computing brings new possibilities for censorship. For example, a newspaper could require that its readers read articles only with a trusted application. This could lead to situations where the application forces the user to read only the latest version of an article, with no possibility to store the content of the previous, uncensored version. It effectively enables the author of the article to deny access to older versions of the article; as a consequence, history could be rewritten by changing or deleting articles.

Web censorship could be implemented with a trusted browser that denies the user access to web sites the author of the browser deems inappropriate.

Impracticality of trusted computing

As hardware is not free of errors, the potential for failure still exists, and this could lead to disastrous results if trusted computing principles are tightly implemented. A user might be irrevocably prevented from accessing her information in the case of a hardware failure, as sealed storage prevents the information from being read using a different computer.

Owner override

A solution to at least some of the problems trusted computing now faces lies in owner override, where the owner can disable parts of trusted computing.

Trusted computing protects programs against everything, even the owner. Owner override is a suggested fix to this problem; however, it was rejected by the TCG. While still impractical, as it requires non-automatic effort from the user, it at least enables the use of different software in lieu of the required one by the action of the owner and manual certification of the owner's presence. Instead of preventing the software change, remote attestation would indicate when the software was changed without the owner's permission.

The problem with owner override lies in the fact that it defeats the trust of other computers, since remote attestation is not enforced centrally. The fundamental premise behind trusted computing is that the owner cannot be trusted, and owner override allows the user to waive the rules or restrictions on her own computer.


Secure bootstrap

The cornerstone of trusted computing is a secured boot process. It is extremely important to provide a secure initialization of the computer, as any malicious modification of the initialization procedure could lead to a permanent compromise of the system. Therefore, the TCG has put great emphasis on the resolution of this problem and adopted the AEGIS boot mechanism as its official standard.

AEGIS

AEGIS, developed at the University of Pennsylvania by William A. Arbaugh, Angelos D. Keromytis, David J. Farber and Jonathan M. Smith, provides a way to implement a secured boot process based on a public key infrastructure, digital signatures and cryptographic hash functions. AEGIS was designed with the following assumptions in mind:

1. The CPU, motherboard and a portion of the system BIOS are not compromised.

2. A cryptographic certificate authority infrastructure exists to bind an identity to a public key, although no limits are placed on the type of infrastructure.

3. A trusted repository exists for recovery purposes. This repository may be a host on a network that is reachable through a secure communications protocol, or it may be a trusted ROM card located on the protected host.

The existence of a trusted repository makes it possible to prevent some forms of Denial of Service (DoS) attacks, as failing components can be substituted by their counterparts from the trusted repository.

The goals of AEGIS can be summarized as follows:

1. Allow the AEGIS client and the trusted repository to mutually authenticate their identities

with limited or no prior contact (mobility between domains).

2. Prevent man in the middle attacks.

3. Prevent replay attacks.

4. Mitigate certain classes of denial of service attacks.

5. Allow the participating parties to agree upon a shared secret in a secure manner in order to

optimize future message authentication.

6. Keep It Simple and Secure: Complexity breeds design and implementation vulnerabilities.

Guaranteed secure boot process

AEGIS relies on two rules of the boot mechanism:

1. No code is executed unless it is explicitly trusted or verified prior to execution.

2. When an integrity failure is detected, a process can recover a suitable replacement module.

AEGIS divides the boot process into levels. The lowest level is Level 0. Level 0 contains the small section of trusted software, digital signatures, public key certificates and recovery code. The integrity of this level is assumed to be valid; however, an initial checksum test to identify PROM failures is performed. The first level contains the remainder of the usual BIOS code, and the CMOS. The second level contains all of the expansion cards and their associated ROMs, if any. The third level contains the operating system boot sector; this is resident on the bootable device and is responsible for loading the operating system kernel. The fourth level contains the operating system, and the fifth and final level contains user level programs and any network hosts.

The transition between levels in a traditional boot process is accomplished with a jump or a call instruction without any attempt at verifying the integrity of the next level. AEGIS, on the other hand, uses public key cryptography and cryptographic hashes to protect the transition from each


lower level to the next higher one, and its recovery process ensures the integrity of the next level in the event of failures. Before passing control to a higher level, the certificate for the new level is obtained and verified. If the verification is successful, the control

The pseudo code for the action taken at each level, L, before the transition to level L+1 is shown below:

int IntegrityValid(Level L)
{
    Certificate c = LookupCert(L);        /* component signature certificate for level L */
    int result;

    if (result = VerifyCertChain(c))      /* chain up to the trusted authority verifies */
        return DSAVerify(SHA1(L), c);     /* check the DSA signature over the level's hash */
    else
        return result;                    /* chain verification failed: report the failure */
}

if (IntegrityValid(L+1))
{
    ControlTransition(L+1);               /* next level verified: transfer control to it */
}
else
{
    RecoveryTransition(L+1);              /* fetch a trusted replacement and retry */
}

The boot process can be seen in a nutshell in the following figure:

AEGIS does not utilize the X.509 PKI standard; rather, it employs more suitable concepts from the SDSI/SPKI 2.0 standard. X.509 is not suitable because of its large certificates and because of ambiguity in the parsing of compliant certificates caused by its use of the Basic Encoding Rules (BER).

Figure: the AEGIS boot process. Levels 0 to 5 cover Initiate POST, AEGIS ROM, BIOS Section 1, BIOS Section 2, Expansion ROMs, Boot Block, Operating System and User Programs / Network Host; control transitions lead from each level to the next, recovery transitions handle integrity failures.

SDSI/SPKI provides for the notion of a capability. In a capability-based model, the certificate carries the authorizations of the holder, eliminating the need for an identity infrastructure and access control lists. AEGIS uses two capabilities, SERVER and CLIENT.

AEGIS also uses three types of certificates. The first is an authorization certificate. This certificate, signed by a trusted third party or certificate authority, grants the private key holder the capability to generate the second type of certificate, an authentication certificate. The authentication certificate demonstrates that the client or server actually holds the private key corresponding to the public key identified in the authentication certificate. A nonce field is used along with a corresponding nonce in the server authentication certificate to ensure that the authentication protocol is Fail Stop, detecting and preventing active attacks such as man-in-the-middle. The third type of certificate, the component signature certificate, is either embedded in a component or stored in a table. It is used in the AEGIS boot process.

AEGIS employs a modification of the Station-to-Station protocol and a SHA-1 MAC to communicate with a trusted repository through IPSEC and using DHCP. AEGIS acts as the client and the trusted repository as the server. The server and client have to agree on a trusted third party and obtain its public key before any further communication. Subsequent messages are then authenticated by the use of SHA1 HMAC.

Hardware boot process verification

A secure bootstrap mechanism is not sufficient to provide trustworthy computing, as the peripherals can be used to perform an attack (due to the CPU-centric approach of AEGIS and similar solutions). Therefore, the TCG advocates using a secure hardware device to verify the boot sequence and to authenticate this verification. This can even be used by a remote administrator to verify whether the system at least started from a trustworthy state. Currently, the Trusted Platform Module (TPM) provides this kind of functionality. The TPM enables a remote observer to verify the integrity of a running operating system, and this in turn enables further security guarantees found in complex systems, such as Microsoft's NGSCB.

The TPM can be used to verify the integrity of a computing system. It employs cryptographic hash functions to measure data. The TPM contains 16 Platform Configuration Registers (PCRs) that hold hash digests of programs and firmware. It extends a measurement into a PCR by hashing together the current value of the PCR and the hash of the data and storing the result in the PCR. To measure into a PCR, the TPM measures the data and extends it into the PCR. All code must be measured before control is transferred to it.

During a computer reset, control is given to the Core Root of Trust for Measurement (CRTM), a small and immutable piece of code. The CRTM measures all executable firmware connected to the motherboard, such as the BIOS, into PCR0. The CRTM in turn transfers control to the BIOS, which measures the hardware configuration into PCR1 and the option ROMs into PCR2 prior to the execution of these ROMs. Each of these ROMs must measure its configuration and data into PCR3. Thereafter, the Initial Program Loader (IPL/MBR) is measured by the BIOS into PCR4 before control is transferred to it. The IPL measures its configuration and data into PCR5. PCR6 is used during power state transitions (sleep, suspend, etc.), and PCR7 is reserved.

Figure: PCR assignment. PCR0: BIOS; PCR1: hardware configuration; PCR2: option ROMs; PCR3: option ROM configuration; PCR4: boot loader; PCR5: boot loader configuration; PCR6 and PCR7: reserved; PCR8 to PCR15: operating system (kernel, devices, applications).

The remaining eight PCRs can be used to measure the kernel, device drivers, applications, etc. in a similar way. At this point, the bootstrap code, operating system and some applications have been loaded. A remote observer can verify which bootstrap code or operating system has been loaded by asking the TPM to sign a message with each PCR; this operation is called attestation. After successful attestation, the remote observer can trust the system.
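The measurement chain and the attestation step described above, as an added example (not the book's code and not any TPM vendor's): the extend operation, the CRTM, BIOS, option ROM and IPL measurements into PCR0 to PCR5, and the remote observer's check of a quote against known-good values. The firmware images and the attestation key are constructed placeholders, and an HMAC stands in for the signature a real TPM would produce.

```python
import hashlib
import hmac
import os

PCR_COUNT = 16
PCR_SIZE = hashlib.sha1().digest_size   # 20 bytes: the PCRs hold SHA-1 digests


def extend(pcr: bytes, digest: bytes) -> bytes:
    """The extend operation from the text: PCR := SHA1(PCR || digest).
    It is one-way and order-dependent, so a PCR value commits to the whole
    sequence of measurements made into it, not just the last one."""
    return hashlib.sha1(pcr + digest).digest()


class TPM:
    """Minimal model of the TPM features the text relies on (constructed here)."""

    def __init__(self, attestation_key: bytes):
        self.pcrs = [bytes(PCR_SIZE)] * PCR_COUNT   # all registers zero after reset
        self._key = attestation_key                 # stand-in for the asymmetric attestation key

    def measure(self, index: int, data: bytes) -> bytes:
        """Measure `data` into PCR[index]: hash it, then extend the register."""
        self.pcrs[index] = extend(self.pcrs[index], hashlib.sha1(data).digest())
        return self.pcrs[index]

    def quote(self, nonce: bytes, indices):
        """Attestation: report the selected PCRs, authenticated together with the
        verifier's nonce.  A real TPM signs this with a key certified through the
        endorsement key; an HMAC stands in so the example runs offline."""
        values = [self.pcrs[i] for i in indices]
        tag = hmac.new(self._key, nonce + b"".join(values), "sha256").digest()
        return values, tag


def boot(tpm: TPM, fw: dict) -> list:
    """The measurement chain from the text, in the order it happens at reset:
    CRTM measures the BIOS into PCR0; the BIOS measures the hardware configuration
    into PCR1 and each option ROM into PCR2; the ROMs measure their configuration into
    PCR3; the BIOS measures the IPL/MBR into PCR4; the IPL measures its configuration
    into PCR5.  Each item is measured before control is transferred to it."""
    tpm.measure(0, fw["bios"])
    tpm.measure(1, fw["hw_config"])
    for rom in fw["option_roms"]:
        tpm.measure(2, rom)
    tpm.measure(3, fw["rom_config"])
    tpm.measure(4, fw["ipl"])
    tpm.measure(5, fw["ipl_config"])
    return list(tpm.pcrs[:6])


def verify_quote(key: bytes, nonce: bytes, indices, values, tag, golden) -> bool:
    """The remote observer's check: the tag must be valid for the nonce it just sent
    (an old quote cannot be replayed) and every reported PCR must equal the known-good
    value recorded from a reference boot."""
    expected = hmac.new(key, nonce + b"".join(values), "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return False
    return all(values[k] == golden[i] for k, i in enumerate(indices))


# Constructed stand-ins for the firmware images measured during boot.
FIRMWARE = {
    "bios": b"BIOS v1.00 (constructed image)",
    "hw_config": b"CMOS: boot order = HDD, CD",
    "option_roms": [b"NIC option ROM (constructed)", b"SCSI option ROM (constructed)"],
    "rom_config": b"SCSI: disk 2 marked untrusted",
    "ipl": b"MBR boot loader (constructed)",
    "ipl_config": b"root=/dev/sda1",
}


def attestation_demo(key: bytes = b"attestation-key-placeholder") -> tuple:
    """Returns (unmodified_ok, tampered_ok, replayed_ok): only the first is True."""
    indices = range(6)
    golden = boot(TPM(key), FIRMWARE)      # reference values kept by the administrator

    good = TPM(key)
    boot(good, FIRMWARE)
    nonce = os.urandom(16)
    unmodified_ok = verify_quote(key, nonce, indices, *good.quote(nonce, indices), golden)

    bad = TPM(key)                         # same platform, BIOS image changed
    boot(bad, dict(FIRMWARE, bios=FIRMWARE["bios"] + b" + one extra byte"))
    nonce2 = os.urandom(16)
    tampered_ok = verify_quote(key, nonce2, indices, *bad.quote(nonce2, indices), golden)

    # A quote recorded for the old nonce presented in answer to a fresh challenge.
    nonce3 = os.urandom(16)
    replayed_ok = verify_quote(key, nonce3, indices, *good.quote(nonce, indices), golden)
    return unmodified_ok, tampered_ok, replayed_ok
```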

Security problems

The weakness of this approach lies in the possibility of tampered hardware. As the most practical attacks seem to be changes of firmware (such as DVD players with region-free firmware, an X-BOX hacked to become a cheap computer, etc.), it is natural to look for solutions that suppress the negative effects of malicious firmware changes. Untrustworthy devices therefore have to be handled by restricting their possible negative effects. One such solution is called sandboxing, which usually means that these devices have restricted access to some resources and are excluded from services that require trust. Sandboxing is now usually done by relying on virtualization techniques.

The following figure demonstrates the functionality of the hardware boot verification:

After the reset, the CRTM measures the BIOS into PCR[0] before transferring control to it. The BIOS recursively measures the devices on the PCI bus and the PCI-X bus. The IDE controller and the Gigabit Ethernet controller do not support firmware measurements; as a result, they cannot be trusted and their DMA must be sandboxed. The SCSI controller reports that one of its disks cannot be trusted with unencrypted or unauthenticated sensitive data. The USB controller reports that the camera cannot be trusted; however, the USB controller itself can still use DMA.

Virtualization technologies in trusted computing

With the emergence of hardware virtualization platforms, such as Intel Vanderpool and AMD Pacifica, new possibilities were uncovered for trusted computing. Virtual machines enable containment of attacks and scoping of trust (sandboxing), and this, together with the core of trust provided by the trusted hardware, enables remote verification and local fallback security in case the software is compromised. There are, however, technological challenges that result from the combination of these two technologies:

1. providing an infrastructure with a set of services implementing scalable security for virtual machines

2. hardening the virtualization software with the goal of providing a degree of isolation among virtual machines that is as close as possible to the isolation among physical machines

3. leveraging Trusted Computing technology (e.g. for attesting to the integrity of the virtualization layer) while providing a choice of acceptable policies to the users (e.g. satisfying privacy concerns).


[Figure: hardware boot verification; components shown: CRTM, PCR0, BIOS, PCR1, PCI, PCI-X, USB, IDE, Camera, GLAN, SCSI, Disk 1, Disk 2]


Virtualization, however, does not solve all security problems; on its own it even introduces new ones.

Basically, the architecture of a trusted system that utilizes virtualization can be described by the following diagram:

The hardware platform shall allow the use of virtualization technology; processors since Intel (Core) and AMD (AM2) pass this requirement. The hardware platform shall support Trusted Platform Modules (TPM), which must be supported by all peripherals of the system. On top of the hardware platform lies a tiny layer of TC- and virtualization-enabled BIOS that provides a secure bootstrap mechanism and starts the main virtualization operating system. This system controls the hardware, provides virtualization of hardware devices and sandboxes the user operating systems (Windows, Linux, etc.), which run in separate virtual machines.

Digital Rights Management

One of the most controversial topics of Trusted Computing is Digital Rights Management (DRM). On the one hand, it is strongly demanded by content providers, as the Internet represents a threat to their profits; on the other hand, it puts too many restrictions on the users and buyers of digital content.

DRM is any of several technologies used by publishers to control access to digital data (such as software, music, movies) and hardware, handling usage restrictions associated with a specific instance of a digital work.

Protected Video Path – Output Protection Management (PVP-OPM)

PVP-OPM is a form of DRM implemented in the Windows Vista operating system. Microsoft states that the PC's video outputs have the required protection or that they are turned off in case no such protection is available.

Windows Vista provides process isolation to prevent users from copying DRM content. If an unverified kernel-mode component is loaded, Vista stops playing DRM content instead.

The Protected Environment (PE) in which DRM content is played contains the media components that play DRM content; therefore there is no need to hand out unprotected content data, and it is sufficient to provide only basic playback controls (Play, Stop, Pause...) to the user. Content can therefore be processed without making it available to unapproved software; the PE assures that no untrusted application (one not certified by Microsoft) will have access to unprotected content. The PE is based on the Intel LaGrande or AMD Presidio technology.

[Figure: architecture of a trusted system using virtualization; layers shown: Hardware platform (Intel LaGrande, AMD Presidio) with TPM; Virtualization Technology BIOS (EFI); Virtualization Platform (Intel Vanderpool, AMD Pacifica); Main Virtualization Operating System; Virtual Machines running Operating Systems with TC Applications, Legacy Applications and Management Apps]

From the hardware point of view, the digital outputs of the PC must be under control so that unrestricted content output cannot be transferred over an unencrypted line. Therefore, digital outputs such as Digital Visual Interface (DVI) or High-Definition Multimedia Interface (HDMI) will have High-bandwidth Digital Content Protection (HDCP) enabled to prevent the recording of digital content.

HDCP is a form of DRM developed by Intel to control the transfer of video and audio streams through digital outputs.

The main target of HDCP is to prevent the transmission of non-encrypted high definition content. To achieve that goal, three systems were developed:

1. an authentication process prevents non-genuine devices from receiving high definition content

2. encryption of the actual data sent over the DVI or HDMI interface prevents eavesdropping and man-in-the-middle attacks

3. key revocation procedures ensure that devices that violate the license agreement can easily be blocked from high definition content.

Each HDCP capable device model has a unique set of keys; there are 40 keys, each 56 bits long. These keys are confidential, and failure to keep them secret may be seen as a violation of the license agreement. For each set of keys a special value called a Key Selection Vector (KSV) is created. Each KSV has exactly 20 bits set to 0 and 20 bits set to 1.

During the authentication process, both parties exchange their KSVs. Then each device adds (discarding any overflow, i.e. modulo 2^56) its own secret keys according to the KSV received from the other device: if a particular bit in the vector is set to 1, the corresponding secret key is included in the addition, otherwise it is ignored. Keys and KSVs are generated in such a way that both devices get the same 56-bit number as a result. That number is later used in the encryption process.
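As an added example, not from the book or from the HDCP specification, the following Python models the KSV-based key agreement just described, including the KSV validity check and the transmitter's revocation check. It assumes the commonly described construction of the central authority's secret as a symmetric 40x40 matrix of 56-bit values (the real key generation is confidential); all keys and KSVs are constructed at random.

```python
import random

MOD = 1 << 56        # keys are 56 bits; additions discard overflow (mod 2^56)
NKEYS = 40           # each device model holds 40 secret keys
KSV_ONES = 20        # a KSV is 40 bits with exactly 20 of them set


def ksv_is_valid(ksv: int) -> bool:
    """Reject a malformed KSV before using it to select keys."""
    return 0 <= ksv < (1 << NKEYS) and bin(ksv).count("1") == KSV_ONES


def random_ksv(rng: random.Random) -> int:
    return sum(1 << b for b in rng.sample(range(NKEYS), KSV_ONES))


def make_authority_secret(rng: random.Random):
    """Assumed construction: a symmetric 40x40 matrix of 56-bit values."""
    s = [[0] * NKEYS for _ in range(NKEYS)]
    for i in range(NKEYS):
        for j in range(i, NKEYS):
            s[i][j] = s[j][i] = rng.getrandbits(56)
    return s


def issue_device_keys(secret, ksv: int):
    """Key i of a device = sum of row i of the secret over the device's KSV bits."""
    return [sum(secret[i][j] for j in range(NKEYS) if ksv >> j & 1) % MOD
            for i in range(NKEYS)]


def shared_value(own_keys, peer_ksv: int) -> int:
    """Add own secret keys selected by the peer's KSV bits, mod 2^56."""
    if not ksv_is_valid(peer_ksv):
        raise ValueError("malformed KSV")
    return sum(own_keys[i] for i in range(NKEYS) if peer_ksv >> i & 1) % MOD


def authenticate(tx, rx, revoked: set):
    """Transmitter refuses a revoked receiver; otherwise both sides derive
    the same 56-bit value (returned), from which the stream cipher is keyed."""
    (tx_ksv, tx_keys), (rx_ksv, rx_keys) = tx, rx
    if rx_ksv in revoked:
        return None
    value_tx = shared_value(tx_keys, rx_ksv)  # transmitter side
    value_rx = shared_value(rx_keys, tx_ksv)  # receiver side
    return value_tx if value_tx == value_rx else None


def demo(seed: int = 7):
    rng = random.Random(seed)
    secret = make_authority_secret(rng)
    tx_ksv, rx_ksv = random_ksv(rng), random_ksv(rng)
    tx = (tx_ksv, issue_device_keys(secret, tx_ksv))
    rx = (rx_ksv, issue_device_keys(secret, rx_ksv))
    return authenticate(tx, rx, set()), authenticate(tx, rx, {rx_ksv})
```

Both sides agree because the value is ksv_rx * S * ksv_tx and S is symmetric; the same linearity is what makes the scheme fragile, as the Weaknesses section below explains.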

Encryption is done by a stream cipher. Each decoded pixel is encrypted by applying an XOR operation with a 24-bit number produced by a generator. The HDCP specifications ensure constant updating of keys (after each encoded frame).

If some particular model is considered compromised, its KSV is put into revocation lists, which are distributed e.g. on newly produced disks with HD content. Each revocation list is signed with a digital signature using the DSA algorithm; this is supposed to prevent malicious users from revoking legitimate devices. During the authentication process, if the receiver's KSV is found by the transmitter in the revocation list, the transmitter considers the receiver to be compromised and refuses to send HD data to it.

Weaknesses

It turned out that HDCP is not a well-thought-out mechanism, as it allows a broad range of attacks. The HDCP linear key exchange is a fundamental weakness. It is possible to eavesdrop on any data, clone any device with only its public key, avoid any blacklist of devices, create new device key selection vectors and usurp the authority completely.

HDCP is therefore considered to be broken, even if its occurrence in modern hardware is still rare.

The most well-known attack on HDCP is the conspiracy attack, where a number of devices are compromised and the information gathered is used to reproduce the private key of the central authority.
