
Cryptography: Mathematical Foundations, Algorithms, and Protocols

Klaus Köhler, Munich University of Applied Sciences (Fachhochschule München), Jan/Feb 2002

E-Mail: [email protected]
Home Page: http://www.cs.fhm.de/~koehler
PGP key fingerprint: 8F 2A 16 D9 6A BF 2B F6 77 C2 39 82 1F D3 69 F4
X.509 Certificate: http://www.trustcenter.de/cgi-bin/Search.cgi

Contents

• Requirements of IT-Security
• Overview of Symmetric and Asymmetric Ciphers
• Classical Ciphers
• Stream Ciphers
• Block Ciphers
• Asymmetric Ciphers
• Random Number Generators
• Prime Number Generators
• Hash Functions
with mathematical foundations interspersed

Not contained: Information Theory, Cryptanalysis

Traditional Mail vs. E-mail

Figure: an order letter from K. Köhler (FHM, Munich, 2002-1-26) to Crypto&Co., Random Road 13 (Order: 1 Cryptoboard 4711, € 249,-; 1 Card Reader 4712, € 49,-; signed K. Köhler). The elements of the analogy shown are: Sender, Letter Box, Secure Transport, Time Stamp, Signature.

Traditional Mail: security measures bound to the physical medium.

E-mail: security measures bound to the message. Confidentiality, Privacy, Secrecy are provided by a One Way Trapdoor Function (with key).

Goals of Cryptography

• Privacy, Secrecy, Confidentiality: Only the intended receiver shall be able to read the data. (Analogy: envelope)
• Integrity: The receiver can check whether the transmitted data have been modified. (Analogy: untampered envelope)
• Authenticity: The receiver can check that the data were generated by the sender. (Analogy: known handwriting, style, voice)
• Liability (Non-repudiation): The receiver can prove that the data came from the sender. (Analogy: signature)

Goals of IT-Security (Jerome Saltzer and Michael Schroeder)

• Privacy. A socially defined ability of an individual or organization to determine whether, when, and to whom personal or organizational information is to be released.

• Security. Techniques that control who may use or modify the computer or the information within it.

• Protection. The security techniques that control the access of executing programs to stored information.

• Integrity. Techniques that control the reliability of information storage and computing service despite accidental failure of individual components and programs.

• Reliability. A system is reliable if failures do not seriously impair its satisfactory operation.

Symmetric Encryption Model

Figure: Alice (source, sender) encrypts the plaintext X with key K into the ciphertext Y; Bob (drain, receiver) decrypts Y with the same key K; a key generator supplies K to both sides. The opponent observes Y and applies cryptanalysis to obtain X or K.

passive cryptanalyst Eve: eavesdropper
active cryptanalyst Mallet: malicious attacker
ciphertext-only attack: determine plaintext or key from ciphertext
known plaintext attack: determine key from plaintext/ciphertext pair
chosen plaintext attack: determine key from chosen plain/ciphertext pairs

Key Distribution in Symmetric Systems

Key Distribution Problem: An authentic shared secret key must be exchanged prior to usage ⇒ spontaneous communication impossible. n(n-1) keys for n participants, most of which are never used ⇒ only suited for small groups.

Solution: Active trust center (key distribution center)

Figure: the trusted party Trent keeps a directory of names and keys (Alice: 4711, Bob: \8%ö, ...). Trent sends E_KAlice(Ksession) to Alice (sender) and E_KBob(Ksession) to Bob (receiver); Alice then sends E_Ksession(msg) to Bob.

Only one key for each participant exchanged with Trent. Problem: Key directory must be secret and authentic.

Symmetric Encryption with Key Distribution

Figure: the symmetric encryption model (Alice as source/sender, Bob as drain/receiver, plaintext X, ciphertext Y), where the key generator now issues a session key to both sides and a TrustCenter certifies it.

Asymmetric Encryption Model

Figure: in the symmetric system Alice and Bob use the same key K for encryption X → Y and decryption Y → X. In the asymmetric system Alice encrypts with K and Bob decrypts with a different key K': K = PubKey(Bob), K' = PrivKey(Bob).

K = public key of receiver, K' = private (secret) key of receiver. K' cannot be determined from K (within a limited time span). K must be authentic, i.e. belong to the receiver.

Key Distribution in Asymmetric Systems

Key Distribution Problem: Sender has to know the public key of the receiver. Receiver's public key must be authentic.

Solution: Passive trust center (like telephone book)

Only one public key for each participant sent to Trent. Problem: Public directory must be authentic.

Figure: the public directory Trent lists names and public keys (Alice: 4711, Bob: \8%ö, ...). Alice obtains the authentic KBob = \8%ö (notification) and sends cipher = E_KBob(msg); Bob, holding the private key K'Bob, recovers msg = D_K'Bob(cipher).

Authentication in Symmetric Systems

Prerequisite: Sender and receiver share a secret key K

Message redundant: like encryption. Alice sends cipher = E_K(msg); Bob computes D_K(cipher) and checks: is the result sensible?

Message not redundant, e.g. compressed file: insert redundancy. Alice sends (msg, cipher); Bob checks msg = D_K(cipher)?

Problems:
1. Alice and Bob must trust each other, as both can generate the same messages ⇒ no proof of origin, no non-repudiation, no liability
2. Twice as much data transferred

Solutions:
1. Complicated protocol involving a trusted arbiter
2. Replace cipher with sighash = E_K(H(msg)) using a hash function H that compresses msg to a short, fixed length fingerprint H(msg). Alice sends (msg, sighash); Bob checks H(msg) = D_K(sighash)?
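The two points of this slide, that a keyed fingerprint detects modification but gives no proof of origin because Bob holds the same key, can be checked in a few lines. The following is an added example, not code from the lecture; it realises sighash = E_K(H(msg)) with a keyed hash (HMAC-SHA-256, the "keyed hash function" building block of a later slide) instead of a block cipher applied to the fingerprint, and the key and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample secret shared by Alice and Bob (assumed exchanged in advance).
SHARED_KEY = b"constructed-shared-secret-key"


def sighash(key: bytes, msg: bytes) -> bytes:
    """sighash = E_K(H(msg)): the fingerprint H(msg) bound to the shared key K.
    Realised here as a keyed hash (HMAC-SHA-256), i.e. the 'keyed hash function'
    building block, instead of a block cipher applied to the fingerprint."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Bob's check H(msg) = D_K(sighash)?  With a keyed hash this becomes a
    constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(sighash(key, msg), tag)


def demo() -> dict:
    msg = b"Order: 1 Cryptoboard 4711, EUR 249"
    tag = sighash(SHARED_KEY, msg)
    tampered = msg.replace(b"1 Cryptoboard", b"9 Cryptoboard")
    # Bob holds the same K as Alice, so he can tag any message himself: a
    # valid tag proves "made by someone holding K", not "made by Alice".
    bobs_message = b"Order: 100 Cryptoboards, free of charge"
    bobs_tag = sighash(SHARED_KEY, bobs_message)
    return {
        "genuine_accepted": verify(SHARED_KEY, msg, tag),
        "tampered_accepted": verify(SHARED_KEY, tampered, tag),
        "bob_can_forge": verify(SHARED_KEY, bobs_message, bobs_tag),
        "tag_bytes": len(tag),   # fixed 32-byte fingerprint instead of a second copy of msg
    }


if __name__ == "__main__":
    print(demo())
```

The fixed-length tag answers problem 2 of the slide (no doubling of the transferred data); problem 1 remains, which is exactly what the `bob_can_forge` result shows and why the next slide moves to asymmetric signatures.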

Authentication in Asymmetric Systems

With trusted party (authentic public directory), e.g. S/MIME, X.509

Digital Signature:
message redundant: Alice sends sigmsg = D_K'Alice(msg); Bob computes msg = E_KAlice(sigmsg) and checks: is the result sensible?
not redundant: Alice sends (msg, sighash) with sighash = D_K'Alice(H(msg)); Bob checks H(msg) = E_KAlice(sighash)?

Proof of origin established since only Alice could create sigmsg or sighash.

Figure: the public directory Trent lists names and public keys (Alice: 4711, Bob: \8%ö, ...); Bob obtains the authentic KAlice = 4711; Alice holds the private key K'Alice.

Without trusted party, e.g. Pretty Good Privacy (pgp): the trusted third party Trent is replaced by a web of trust = closed group of people who sign the public keys of friends.

Confidentiality and Digital Signature

Figure: the asymmetric encryption model (Alice as source/sender, Bob as drain/receiver, plaintext X, ciphertext Y, opponent with cryptanalysis, TrustCenter certifying the public key) used in two ways:
Confidentiality: K = PubKey(Bob), K' = PrivKey(Bob)
Digital Signature: K = PrivKey(Alice), K' = PubKey(Alice)

Signature flow in the figure: the plaintext X is hashed to the fingerprint H(X); the fingerprint is transformed with the private key into the digital signature. The receiver transforms the signature back into a fingerprint with the public key, recomputes H(X) from the received plaintext and compares the two hashes (Hash =? Hash), giving OK: yes / no.

Combination of Confidentiality and Authentication in Asymmetric Systems

With trusted party (authentic public directory)

not redundant: Alice sends (cipher, sighash) with cipher = E_KBob(msg) and sighash = D_K'Alice(H(msg)); Bob computes msg = D_K'Bob(cipher) and checks H(msg) = E_KAlice(sighash)?

redundant msg: Alice sends ciphsigmsg = E_KBob(D_K'Alice(msg)); Bob computes msg = E_KAlice(D_K'Bob(ciphsigmsg)) and checks: is the result sensible?

Figure: Alice holds the private key K'Alice, Bob the private key K'Bob; KAlice = 4711 and KBob = \8%ö are authentic, taken from the public directory Trent (Alice: 4711, Bob: \8%ö, ...).

Combination of Symmetric and Asymmetric Systems

Hashing is even faster than symmetric encryption ⇒ apply hash functions before digitally signing a message.

Symmetric crypto systems
• are about 1000 times faster than asymmetric ones
• suffer from key distribution problems
• are less suited for authentication, in particular digital signatures

⇒ Use symmetric systems for bulk data encryption with session keys.
⇒ Use asymmetric systems for key distribution (e.g. session key agreement or encryption) and for digital signatures.

Cryptographic Building Blocks

• Symmetric Ciphers (bulk data encryption)
  – Block ciphers
  – Stream ciphers
• Asymmetric Ciphers
  – encryption of small quantities, e.g. symmetric keys (confidentiality)
  – digital signatures
• Random Generators
  – Key generation (asymmetric, symmetric)
  – Authentication, e.g. challenges and nonces
• Prime Number Generators (for asymmetric ciphers)
• Hash Functions
  – fixed, e.g. MD5, SHA-1, RIPE-MD
  – keyed (often a combination of block and stream ciphers)

Classical Ciphers, Taxonomy

Transposition: Permutation of character positions (Skytala)

Substitution: Replacement of syntactic units (characters, blocks)
  Monographic: Replacement of single characters
    Monoalphabetic (simple substitution): Deterministic replacement; affine ciphers with the special cases additive and multiplicative
    Homophone: Probabilistic replacement
    Polyalphabetic: Position determines substitution (Vigenère Cipher)
    Stream Cipher: Position (and state) determines substitution (Vernam Cipher)
  Polygraphic Substitution: Replacement of character sequences (Hill Cipher)
    Block Cipher: Deterministic replacement of (fixed length) blocks

Figure: taxonomy tree with the two branches Transposition and Substitution; Substitution splits into monographic (monoalphabetic with affine, additive, multiplicative; homophone; polyalphabetic leading to the stream cipher) and polygraphic (leading to the block cipher).

Transposition Ciphers

Skytala:
• wind parchment tape around a roll
• write plaintext in a row and read it column by column, i.e. unwind tape
• key k = |rows| = diameter

Example (reconstructed from the slide's matrix): plaintext THE SKYTALA OF SPARTA written in k = 6 rows of three letters

T H E
S K Y
T A L
A O F
S P A
R T A

read column by column gives the ciphertext TSTASR HKAOPT EYLFAA.

Transposition Cipher = block cipher E_K: X^m → X^m, E_K(a_0 ... a_{m-1}) = a_π(0) ... a_π(m-1)
Plaintext = ciphertext alphabet = X (block size m = matrix size = whole text)
Permutation π ∈ S_m of the positions {0,...,m-1}

• Positions of letters changed ⇒ ciphertext contains the same letters with the same frequencies
• Bigrams, e.g. "th", are separated by k letters ⇒ distance = key

Diffusion = breaking local dependencies

Additive Substitution Ciphers

Caesar Cipher:
• Replace each letter by the letter k=3 positions away in the alphabet: A→D, B→E, ..., W→Z, X→A, Y→B, Z→C
• Example: SECRET → VHFUHW

Additive Cipher E_k: X → X, E_k(a) = (a + k) mod n (with encoding A→0, B→1, ...)
Plaintext = ciphertext alphabet = X = {0,...,n-1}
Key k ∈ Z_n = {0,...,n-1} ⇒ small key space enables brute force attack

Properties
• Replace letters (not positions) ⇒ plaintext letters appear with the same frequencies as their substitutes in the ciphertext; plaintext pairs (bigrams), triples, etc. appear with the same frequencies as their corresponding substitutes in the ciphertext
• Example (ciphertext frequencies): H: 2, U: 1, ... ⇒ probably E→H ⇒ k=3

Multiplicative Substitution Ciphers

Multiplicative Cipher E_k: X → X, E_k(a) = a·k mod n
Plaintext = ciphertext alphabet = X = {0,...,n-1}
Not all keys k ∈ {0,...,n-1} are valid, since E_k must be invertible (injective)

Example: X = {0,...,25}, n=26, k=13
• A→0: E_k(0) = 0·13 mod 26 = 0 → A
• C→2: E_k(2) = 2·13 mod 26 = 0 → A ⇒ not injective ⇒ decryption impossible

Proposition:
E_k: X → X, E_k(a) = a·k mod n is invertible ⇔ n and k are relatively prime, i.e. gcd(n,k) = 1
The inverse key k^-1 mod n can be determined by the extended Euclidean algorithm.

Example: n=26
• encryption k = 9: SECRET → 18 4 2 17 4 19 → 6 10 18 23 10 15 → GKSXKP
• decryption k^-1 = 3 since 9·3 mod 26 = 1
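The three classical ciphers of the last slides (Skytala transposition, additive and multiplicative substitution) in working form, as an added example that is not part of the lecture. It reproduces the slide's own values (THE SKYTALA OF SPARTA with 6 rows, SECRET → VHFUHW for k=3, SECRET → GKSXKP for k=9 with k^-1 = 3) and makes the two security observations checkable: a transposition keeps the letter multiset, a monoalphabetic substitution keeps the frequency profile, and a multiplicative key with gcd(k,26) ≠ 1 is refused because E_k would not be injective. The X filler for an incomplete last row is an assumption of this example, and Python's pow(k, -1, n) is used for the modular inverse that the slide attributes to the extended Euclidean algorithm.

```python
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHABET)            # n = 26, X = {0,...,25} via A->0, B->1, ...


def letters(text: str) -> str:
    """Keep only letters of the alphabet (blanks and punctuation dropped)."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def skytale_encrypt(plaintext: str, rows: int) -> str:
    """Transposition: write the text row by row into `rows` rows, then read it
    column by column (unwinding the tape). Key k = number of rows."""
    text = letters(plaintext)
    cols = -(-len(text) // rows)                  # ceiling division
    text = text.ljust(rows * cols, "X")           # filler for an incomplete last row (assumption)
    grid = [text[r * cols:(r + 1) * cols] for r in range(rows)]
    return "".join(grid[r][c] for c in range(cols) for r in range(rows))


def skytale_decrypt(ciphertext: str, rows: int) -> str:
    """Inverse transposition: column c occupies ciphertext[c*rows:(c+1)*rows]."""
    cols = len(ciphertext) // rows
    grid = [[""] * cols for _ in range(rows)]
    for c in range(cols):
        for r in range(rows):
            grid[r][c] = ciphertext[c * rows + r]
    return "".join("".join(row) for row in grid)


def additive_encrypt(plaintext: str, k: int) -> str:
    """E_k(a) = (a + k) mod n; k = 3 is the Caesar cipher."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % N] for ch in letters(plaintext))


def additive_decrypt(ciphertext: str, k: int) -> str:
    return additive_encrypt(ciphertext, -k)       # D_k(a) = (a - k) mod n


def multiplicative_encrypt(plaintext: str, k: int) -> str:
    """E_k(a) = a*k mod n, valid only if gcd(k, n) = 1 (otherwise not injective)."""
    if gcd(k, N) != 1:
        raise ValueError(f"k={k}: gcd(k,{N}) != 1, so E_k is not invertible")
    return "".join(ALPHABET[(ALPHABET.index(ch) * k) % N] for ch in letters(plaintext))


def multiplicative_decrypt(ciphertext: str, k: int) -> str:
    k_inv = pow(k, -1, N)                         # k^-1 mod n (Python >= 3.8, extended Euclid inside)
    return multiplicative_encrypt(ciphertext, k_inv)


def same_letter_multiset(a: str, b: str) -> bool:
    """A transposition changes positions only: same letters, same counts."""
    return Counter(letters(a)) == Counter(letters(b))


def frequency_profile(text: str) -> list:
    """Sorted frequency counts, independent of which letters carry them;
    a monoalphabetic substitution leaves this profile unchanged."""
    return sorted(Counter(letters(text)).values(), reverse=True)
```

Both frequency checks are the reason these ciphers only illustrate the concepts of diffusion and confusion: the ciphertext statistics are the plaintext statistics in disguise.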

Excursion: Modular Arithmetic

Z_n = {0,1,...,n-1} with addition a + b := (a+b) mod n is a commutative group, i.e. the following axioms hold for all a,b,c ∈ Z_n
– a+b ∈ Z_n (closed)
– (a+b)+c = a+(b+c) (associative)
– a+b = b+a (commutative)
– 0+a = a (neutral element)
– (n-a)+a = 0 (inverse element: n-a is inverse to a)

Z_n = {0,1,...,n-1} with multiplication a · b := (a·b) mod n is a commutative semigroup with neutral element, i.e. the following axioms hold for all a,b,c ∈ Z_n
– a · b ∈ Z_n (closed)
– (a · b) · c = a · (b · c) (associative)
– a · b = b · a (commutative)
– 1 · a = a (neutral element)

The inverse element need not exist, e.g. 2 ∈ Z_26 is not invertible, but 9 is: 9^-1 = 3 because 9 · 3 = 27 mod 26 = 1 = neutral element.

Excursion: Modular Arithmetic, cont.

Definition: a, b are called relatively prime, if gcd(a,b) = 1.

Euclidean Algorithm (for determining the greatest common divisor)
• Idea: gcd(a,b) = gcd(b,a-b) and hence gcd(a,b) = gcd(b,a mod b); apply this transformation iteratively until b=0, obtaining gcd(a,0) = a
• Example: gcd(26,9) = gcd(9,26 mod 9) = gcd(9,8) = gcd(8,9 mod 8) = gcd(8,1) = gcd(1,8 mod 1) = gcd(1,0) = 1

    int gcd(int a, int b) {        // Euclidean Algorithm for integers
        int g = a, q = b, r;
        while (q != 0) {           // Invariant: gcd(a,b) = gcd(g,q) && q != 0; Variant: |q|
            r = g % q;             // gcd(a,b) = gcd(g,q) = gcd(q,g%q) = gcd(q,r)
            g = q;                 // |r| < |q| = |g|
            q = r;                 // gcd(a,b) = gcd(g,q), |q| < |q_old|
        }                          // q = 0 and gcd(a,b) = gcd(g,q)
                                   // i.e. gcd(a,b) = gcd(g,0) = g
        return g;
    }

Excursion: Modular Arithmetic, cont.

Proposition: gcd(a,b) can be expressed as a linear combination of a and b:
∀ a,b ∈ Z ∃ a',b' ∈ Z such that gcd(a,b) = a'·a + b'·b

Extended Euclidean Algorithm (for determining the linear coefficients)
• Idea: Start the Euclidean Algorithm with a = g = 1·a + 0·b, b = q = 0·a + 1·b and apply the Euclidean transformations of g and q to the corresponding coefficients as well.
• Example: gcd(9,26)

Excursion: Extended Euclidean Algorithm

    int gcdExt(int a, int b, int& ga, int& gb) {
        int g, q, qa, qb, d, r, ra, rb;       // auxiliary variables
        g = a; ga = 1; gb = 0;                // g = ga * a + gb * b
        q = b; qa = 0; qb = 1;                // q = qa * a + qb * b
        while (q != 0) {                      // Variant: |q|
                                              // Invariant: g = ga * a + gb * b
                                              //            q = qa * a + qb * b
                                              //            q != 0 and gcd(a,b) = gcd(g,q)
            d = g / q; r = g % q;             // r = remainder of division of g by q = g - d * q
                                              // gcd(a,b) = gcd(g,q) = gcd(q,g%q) = gcd(q,r)
            ra = ga - d * qa; rb = gb - d * qb;   // r = ra * a + rb * b
            g = q; ga = qa; gb = qb;          // g = ga * a + gb * b
            q = r;                            // gcd(a,b) = gcd(g,q)
            qa = ra; qb = rb;                 // q = qa * a + qb * b
        }                                     // q = 0 and gcd(a,b) = gcd(g,q), g = ga * a + gb * b
                                              // i.e. gcd(a,b) = gcd(g,0) = g = ga * a + gb * b
        return g;
    }

Excursion: Modular Arithmetic, cont.

Corollary 1
• a ∈ Z_n := {0,1,...,n-1} with multiplication modulo n is invertible ⇔ a and n are relatively prime, i.e. gcd(a,n) = 1
• a^-1 can be determined by the extended Euclidean algorithm

Corollary 2
Z_n* := {a ∈ Z_n | a invertible} = {a ∈ Z_n | gcd(a,n)=1} with multiplication modulo n is a group.
Z_n* = Z_n\{0} = {1,...,n-1} ⇔ n is prime.

Euler's Totient Function
• For n ∈ N Euler's phi-function φ(n) counts the natural numbers i < n relatively prime to n: φ(n) = |{i | 0 < i < n, gcd(i,n) = 1}|
  φ(n) gives the number of invertible elements of Z_n: φ(n) = |Z_n*|
• n = p prime ⇒ φ(p) = p-1
• n = p^2, p prime ⇒ φ(p^2) = p(p-1)
• n = pq, p,q prime, p≠q ⇒ φ(pq) = (p-1)(q-1)
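The extended Euclidean algorithm of the previous slides, carried through to the two corollaries, as an added example (not code from the lecture). It follows the same loop invariants as the lecture's gcdExt (g = ga·a + gb·b and q = qa·a + qb·b in every iteration), derives the modular inverse from the Bezout coefficient, and checks Corollary 2 and the totient formulas by brute force for small n; the helper names are this example's own.

```python
from math import gcd


def gcd_ext(a: int, b: int) -> tuple:
    """Extended Euclidean algorithm: returns (g, ga, gb) with
    g = gcd(a, b) = ga*a + gb*b, keeping the invariants of the lecture's gcdExt."""
    g, ga, gb = a, 1, 0                 # g = 1*a + 0*b
    q, qa, qb = b, 0, 1                 # q = 0*a + 1*b
    while q != 0:
        d, r = divmod(g, q)             # g = d*q + r
        ra, rb = ga - d * qa, gb - d * qb   # hence r = ra*a + rb*b
        g, ga, gb = q, qa, qb
        q, qa, qb = r, ra, rb
    return g, ga, gb


def mod_inverse(a: int, n: int) -> int:
    """Corollary 1: a is invertible mod n iff gcd(a, n) = 1, and then the Bezout
    coefficient ga is the inverse, because ga*a + gb*n = 1 means ga*a = 1 (mod n)."""
    g, ga, _ = gcd_ext(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {g})")
    return ga % n


def phi(n: int) -> int:
    """Euler's totient by its definition: count 0 < i < n with gcd(i, n) = 1."""
    return sum(1 for i in range(1, n) if gcd(i, n) == 1)


def units(n: int) -> list:
    """Z_n* = {a in Z_n | gcd(a, n) = 1}, the invertible residues."""
    return [a for a in range(n) if gcd(a, n) == 1]


def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def check_corollaries(n: int) -> bool:
    """|Z_n*| = phi(n); every unit times its inverse is 1 mod n; and
    Z_n* = {1,...,n-1} holds exactly when n is prime (Corollary 2)."""
    u = units(n)
    inverses_ok = all(a * mod_inverse(a, n) % n == 1 for a in u)
    return len(u) == phi(n) and inverses_ok and ((u == list(range(1, n))) == is_prime(n))
```

Running gcd_ext(9, 26) reproduces the slide's example gcd(9,26): the result (1, 3, -1) says 3·9 + (-1)·26 = 1, so 3 is the inverse of 9 modulo 26, the decryption key of the multiplicative cipher example.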

Excursion: Rings and Fields

Z is a commutative ring, i.e. the following axioms hold for all a,b,c ∈ Z
– Z is a commutative group with respect to addition
– Z is a commutative semigroup with respect to multiplication
– (a+b) · c = a·c + b·c (distributive)

Z_n = {0,1,...,n-1} with modular addition and multiplication is a commutative ring, too.

Z is a Euclidean ring, i.e. division is almost possible: ∀ a,b ∈ Z, a ≠ 0 ∃ q,r ∈ Z so that b = q · a + r and r = 0 or |r| < |a|
Z_n is not Euclidean.

• For primes p, Z_p is a Galois field, i.e.
  Z_p is a commutative ring with respect to addition and multiplication
  Z_p* = Z_p\{0} = {1,...,p-1} is a group with respect to multiplication
  (If n = p·q is not prime, p ≠ 1 and q ≠ 1 are not invertible, since p·q = n = 0 ∈ Z_n)

Z is not a field, since the only multiplicatively invertible elements of Z are 1 and -1.

Excursion: Rings and Fields, cont.

Definition of substructures: U < S
A subset U of an algebraic structure (group / ring / field) S is called a substructure (subgroup / subring / subfield) if it is a group / ring / field with respect to the operations of the superstructure S.

Examples of substructures
• Subgroup: 2Z < Z with respect to addition
  The multiplicative group Z_5* = {1,2,3,4} has the subgroups {1}, {1,4}, Z_5*.
• Subring: 2Z < Z with respect to addition and multiplication
  The ring Z_6 = {0,1,2,3,4,5} has the proper subrings {0}, {0,3}, {0,2,4}.
• Subfield: < with respect to addition and multiplication (the two fields of this example were lost in the transcript)

Order of structures: |U| divides |S|
• The number of elements of an algebraic structure S is called its order |S|.
• The order of a substructure U of a finite algebraic structure S is a divisor of the order of S: |U| | |S|

Excursion: Rings and Fields, cont.

Construction of finite fields (Galois fields)
The field Z_p was constructed from the Euclidean ring Z, addition + and multiplication · being defined modulo a prime p.

Theorem
Let R be a Euclidean ring and p ∈ R a prime element (p is not invertible and has no proper divisors). Then R with addition + and multiplication · modulo p is a field R/p·R. (Abbreviation: Z_p := Z/p·Z)

Proof parallels the proof of Z_p being a field.

Corollary
• Let F be a field and p(x) a prime (irreducible) polynomial of the polynomial ring F[x]. Then F[x]/p(x)·F[x] is a field. In particular Z_q[x]/p(x)·Z_q[x] is a field, if q is prime in Z and p(x) is prime in Z_q[x].

Proof: Polynomial division in F[x] yields a residue of smaller degree. Hence, F[x] is Euclidean. Inverse elements are determined by the extended Euclidean algorithm.

Excursion: Rings and Fields, cont.

Example
• q = 2 is prime and p(x) = x^3 + x^2 + 1 ∈ Z_2[x] is irreducible. Therefore, Z_2[x]/p(x)·Z_2[x] is a field.
• Elements can be reduced modulo p(x) ⇒ 8 polynomials of degree < 3: 0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1
• Powers of x: x, x^2, x^3 = x^2 + 1, x^4 = x^2+x+1, x^5 = x+1, x^6 = x^2+x, x^7 = 1
  The multiplicative group of Z_q[x]/p(x)·Z_q[x] is generated by x.

Excursion: Rings and Fields, cont.

Theorem
1 The only finite fields (up to isomorphism) are Z_q and Z_q[x]/p(x)·Z_q[x], where q is prime in Z and p(x) is prime in Z_q[x].
2 The multiplicative group of a finite field is cyclic, i.e. generated by a primitive element.
3 The prime field Z_q is a subfield of Z_q[x]/p(x)·Z_q[x].
4 Z_q[x]/p(x)·Z_q[x] is a vector space over its prime field Z_q.
5 Z_q[x]/p(x)·Z_q[x] has q^n, n = degree(p(x)), elements: |Z_q[x]/p(x)·Z_q[x]| = q^n.
6 For every prime q and every degree n there exist irreducible polynomials p(x) in Z_q[x].
7 For every prime power q^n there is exactly one field with q^n elements (up to isomorphism).

Proof: For 1, 2, and 6 see any algebra book. The other proofs are left as exercises.

Stream Ciphers

• Properties
  – Encryption unit = bit, character, or block
  – Encryption of one unit can influence the following unit
• Simplest Model: independent encryption
  – Vernam Cipher = One-time Pad
    • Encryption unit = 1 bit
    • Substitution = XOR with running key k_i
    • Unbreakable (absolutely secure) for a real random generator
    • Key length ≥ plaintext length
    • Secret key transmitted in advance

Figure: a Running Key Generator, driven by a trigger, emits the key unit k_i; the substitution E_i maps the plaintext X to the ciphertext Y.

Stream Ciphers, cont.

• Practically Used Model (RC4, OFB Mode of Block Ciphers)
  – Pseudo-random Generator
• General Model (CBC, CFB Modes of Block Ciphers)
  – Substitution depends on Key, Position, and previous encryption

Figure: in the practically used model the key K and a trigger drive a state S with a transition function; the state yields the key unit k_i for the substitution E_i of plaintext X into ciphertext Y. In the general model the transition of the state additionally depends on the previous encryption.

Symmetric Block Ciphers

Design Principles
• Desirable properties:
  – confusion: hide statistical particularities; goal: equally distributed cipher text (for each key)
  – diffusion: break up local dependencies; goal: completeness (every ciphertext bit depends on each plaintext bit)
  – avalanche effect: 1 bit change in plaintext swaps half of the ciphertext bits
  – non-linearity: no ciphertext bit is linearly dependent on the plaintext
• Block length: big ⇒ equal distribution, but long delay, more waste
• Key length: big ⇒ more security, but big effort (time and space)
• Encryption/Decryption similarity:
  – (almost) same algorithm for encryption and decryption

Symmetric Block Ciphers, cont.

Efficiency
• lookup table: efficient (time) but too big (space)
• pure calculation: inefficient (time) but small (space)
⇒ compromise: combine efficient building blocks that operate on smaller partial blocks

Building blocks
• (involutary) permutations of positions (transpositions) (diffusion)
• (involutary) substitutions (confusion)
• (incompatible) group operations

Resulting cipher: (cascaded) product cipher with several rounds (IDEA)

Figure: a Key-Schedule Algorithm derives the round keys KS1, KS2, ..., KSr from K. The input x passes an initial permutation IP and then r rounds of keyed substitutions IS_KS1(x), IS_KS2(y1), ..., IS_KSr(y_{r-1}), interleaved with the group operations KG1, KG2, ..., KGr, KGr+1, and a final permutation IP to yield the output y.

Advanced Encryption Standard (AES)

History
• 1997: National Institute of Standards and Technology (NIST) called for a successor of DES. The proposed AES algorithms should be
  – unclassified,
  – publicly disclosed,
  – available royalty-free, worldwide.
  The algorithm must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.
• 1998: NIST announced a group of fifteen AES candidate algorithms
• 1999: NIST selected five algorithms after in-depth analysis conducted by the global cryptographic community on the candidate algorithms: MARS (IBM), RC6 (RSA), Twofish (Counterpane), Rijndael, Serpent
• 2000: NIST proposed Rijndael for the AES
• 2001: approval of the Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard

Rijndael (V. Rijmen, J. Daemen, University of Leuven)

Features
• Key length Nk and block length Nb: 32·N bits, N = 4,...,8 (128, 160, 192, 224, 256), independently chosen
• Block represented as state S = 4×Nb-byte matrix
• r = max(Nb,Nk)+6 rounds
• Rounds transform state S through
  – ByteSub: parallel byte operations: confusion by non-linear substitution
  – ShiftRow: parallel row operations: diffusion through linear operation
  – MixColumn: parallel column operations: diffusion through linear operation
  – AddRoundKey: matrix operation (XOR with key): dependency on the key

Figure: the Key-Schedule Algorithm derives the round keys K0, K1, ..., Kr-1, Kr from K. The input x is XORed with K0; each round applies ByteSub, ShiftRow, MixColumn and the XOR with its round key; the last round (ByteSub, ShiftRow, XOR with Kr) omits MixColumn and yields y.

Rijndael, cont.

E/D-Similarity: same algorithm for decryption, only modified round keys

Figure: decryption first appears as the inverse operations in reverse order (y XOR Kr, inv. SR, inv. BS, XOR Kr-1, inv. MC, ..., XOR K0 gives x). Since XOR with a round key Ki after inv. MC is the same mapping as inv. MC after XOR with M^-1(Ki) (M^-1 = inverse MixColumn applied to the key), and inv. BS and inv. SR may be swapped, the sequence can be rearranged into the encryption structure: rounds of inv. BS, inv. SR, inv. MC and XOR with round keys Kr, M^-1(Kr-1), ..., M^-1(K1), K0 produced by a Reverse Key-Schedule Algorithm.

• MixColumn and AddRoundKey almost commute
• ByteSub and ShiftRow commute

Basic Rijndael Operations

AddRoundKey
• XOR of state S and round key Ki

ShiftRow
• row 1 fixed
• rows 2-4 cyclic shift by 1 to 4 positions depending on the block length Nb

ByteSub
• combination of
  – affine mapping of the vector space GF(2^8) over its prime field GF(2) = Z_2
  – inverse mapping in the field GF(2^8)

MixColumn
• linear transformation of the vector space GF(2^8)^4 induced by a polynomial multiplication

Rijndael Key Scheduling

Purpose: derive round keys from the cipher key

• r+1 keys K_0, ..., K_r for r rounds necessary: (r+1) · Nb 32-bit words

• cipher key is expanded to an "expanded key" of that size (or more)

[Figure: Key-Schedule Algorithm derives K_0, K_1, ..., K_r-1, K_r from the cipher key K and feeds them into the round sequence ByteSub, ShiftRow, MixColumn, ..., ByteSub, ShiftRow, MixColumn, ByteSub, ShiftRow, from x to y]

• recursion formula (for Nk ≤ 6, slightly different for Nk > 6):

  – W_i = W_(i-Nk) ⊕ W_(i-1) if Nk is no divisor of i

  – W_i = W_(i-Nk) ⊕ BS(SR(W_(i-1))) ⊕ RC[i/Nk] if Nk is a divisor of i

  BS = ByteSub, SR = ShiftRow by 1 byte, RC[j] = (x^(j-1), 00_16, 00_16, 00_16) with x^(j-1) in GF(2^8), i.e. calculated modulo p(x) = x^8 + x^4 + x^3 + x + 1

• round keys are taken from the expanded key in the order of rounds

  W_0 W_1 ... W_(Nk-1) | W_Nk W_(Nk+1) ... W_(2Nk-1) | W_2Nk ... W_(n-1)
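As an added example (not code from the slides or from the Rijndael authors), the following Python reproduces the GF(2^8) arithmetic behind the "Basic Rijndael Operations" slide (ByteSub as field inverse followed by the affine map, MixColumn as the polynomial multiplication on one column) and the key-schedule recursion above for Nk = 4 and r = 10, i.e. AES-128. The function names are this example's own; the check values are the FIPS-197 Appendix A.1 cipher key and the MixColumn column from the FIPS-197 examples. ShiftRow on the state and the full round function are not included.

```python
# Added example: Rijndael building blocks in GF(2^8) and the AES-128 key expansion.
# Names (gf_mul, byte_sub, mix_column, key_expansion, round_key) are this example's own.

AES_POLY = 0x11B  # p(x) = x^8 + x^4 + x^3 + x + 1, the field's reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo p(x) (shift-and-add)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY & 0xFF      # reduce x^8 -> x^4 + x^3 + x + 1
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8): a^254 = a^-1 (group order 255); 0 maps to 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def byte_sub(a: int) -> int:
    """ByteSub: inverse in GF(2^8), then the affine map over GF(2) (x XOR its 4 rotations XOR 0x63)."""
    x = gf_inv(a)
    s = 0x63
    for i in range(5):
        s ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return s


def mix_column(col):
    """MixColumn on one 4-byte column: multiply by 03·x^3 + 01·x^2 + 01·x + 02 modulo x^4 + 1."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


def key_expansion(key: bytes, nk: int = 4, rounds: int = 10):
    """Return the (rounds+1)*Nb words W_i of the expanded key for Nb = 4."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rc = 1                                        # x^0 in GF(2^8)
    for i in range(nk, 4 * (rounds + 1)):
        t = list(words[i - 1])
        if i % nk == 0:
            t = t[1:] + t[:1]                     # SR: ShiftRow by one byte
            t = [byte_sub(b) for b in t]          # BS: ByteSub on every byte
            t[0] ^= rc                            # RC[i/Nk] = (x^(i/Nk - 1), 00, 00, 00)
            rc = gf_mul(rc, 2)                    # next power of x
        elif nk > 6 and i % nk == 4:
            t = [byte_sub(b) for b in t]          # the "slightly different" Nk > 6 case
        words.append([words[i - nk][j] ^ t[j] for j in range(4)])
    return words


def round_key(words, r: int) -> bytes:
    """Round key K_r = words 4r .. 4r+3 of the expanded key (Nb = 4)."""
    return bytes(b for w in words[4 * r:4 * r + 4] for b in w)


if __name__ == "__main__":
    W = key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    for r in range(11):
        print(f"K_{r:<2} = {round_key(W, r).hex()}")
```

Running the module prints the eleven round keys; K_1 should start with a0fafe17 and K_10 should be d014f9a8c9ee2589e13f0cc8b6630ca6, the values in FIPS-197.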

Block Cipher Modes of Operation

Problem: Plaintext usually longer than block size
→ Cut plaintext into slices (blocks) and pad the last incomplete block
→ Electronic Codebook (ECB) (no stream cipher)

Independent encryption of each block with the same key
→ Codebook attack (passive): Identical blocks are encrypted identically
→ Replay attack (active): Insert/delete/replace blocks by preceding ones

Combine block ciphers with stream ciphers
→ Stream Cipher Modes (CBC, CFB, OFB): Stream cipher with a block as encryption unit

[Figure: stream-cipher view of a block cipher mode: key K, state S_i with a transition function, block cipher E_i as the encryption step, plaintext X to ciphertext Y]

Block Cipher Modes of Operation

Assessment Criteria
1 Propagation of transmission errors (change bits)
2 Synchronisation errors (delete or insert bits)
3 Code expansion
4 Effective key size
5 Cryptanalysis, security
6 Application areas
7 Effective encryption rate (compared with ECB)

Electronic Codebook (ECB)

Assessment
1 Propagation of transmission errors (change bits): whole block corrupted, succeeding blocks unchanged
2 Synchronisation errors (delete or insert bits): all succeeding blocks corrupted
3 Code expansion: last block expansion due to padding can be avoided (ciphertext stealing)
4 Effective key size: = key size
5 Cryptanalysis, security: poor security, codebook analysis for redundant plaintexts (e.g. English)
6 Application areas: random access of single blocks, e.g. data bases
7 Effective encryption rate (compared with ECB): 1

Cipher Block Chaining (CBC)

Construction
• XOR of plaintext block with preceding ciphertext block
• Initialisation vector IV needed for first encryption
• IV not secret, but randomly chosen to hide patterns at the beginning of the plaintext
• IV transmitted as first block

Encryption: y_i = E_K(x_i ⊕ y_(i-1))
Decryption: x_i = D_K(y_i) ⊕ y_(i-1)

[Figure: encryption and decryption, each with a register holding the preceding ciphertext block y_(i-1) and the key K]

Cipher Block Chaining (CBC), cont.

Assessment
1 Propagation of transmission errors (change bits): block and next block corrupted, succeeding blocks unchanged
2 Synchronisation errors (delete or insert bits): all succeeding blocks corrupted
3 Code expansion: last block expansion due to padding can be avoided (ciphertext stealing)
4 Effective key size: = key size
5 Cryptanalysis, security: plaintext patterns hidden, no codebook analysis, no statistical analysis
6 Application areas: encryption of long texts (archives) when random access is not essential; cope with synchronisation errors through transmission protocols
7 Effective encryption rate (compared with ECB): 1

Output Feedback (OFB)

Construction
• Block cipher as Running Key Generator (RKG) for a stream cipher
• Initialisation vector IV needed for RKG initialisation
• IV not secret, but randomly chosen to generate different random streams for the same key
• Part (m bits) or whole (n bits) of the state register (block) used for encryption
• Average period: 2^n - 1 for m = n and 2^(n/2) for m < n

[Figure: shift register s_i of n bits encrypted as E_K(s_i); m of the n output bits form the running key k_i, which is fed back into the shift register and XORed with x_i to give y_i]

Encryption = Decryption

Output Feedback (OFB), cont.

Assessment
1 Propagation of transmission errors (change bits): no error propagation at all
2 Synchronisation errors (delete or insert bits): all succeeding blocks corrupted
3 Code expansion: none
4 Effective key size: = key size
5 Cryptanalysis, security: plaintext patterns hidden, no codebook analysis, no statistical analysis; short period 2^(n/2) sometimes insufficient; no error propagation → active manipulations may remain undetected
6 Application areas: online transactions without delay or error propagation; cope with manipulation problems through error detecting protocols
7 Effective encryption rate (compared with ECB): m/n if only m bits out of n (= block length) are used for encryption

Cipher Feedback (CFB)

Construction
• Feed back the ciphertext instead of the random stream of OFB
• Initialisation vector IV needed
• IV not secret, but randomly chosen to generate different random streams for the same key
• Part or whole of the state register (block) used for encryption

[Figure: encryption and decryption: shift register s_i encrypted as E_K(s_i), m of the n output bits form the running key k_i; on both sides the ciphertext y_i is shifted into the register]

Cipher Feedback (CFB), cont.

Evaluation
1 Propagation of transmission errors (change bits): affected block and n/m-1 succeeding blocks (of length m) corrupted
2 Synchronisation errors (delete or insert bits): erroneous blocks as long as the shift register is corrupted; completely self-synchronising for m=1
3 Code expansion: none
4 Effective key size: = key size
5 Cryptanalysis, security: plaintext patterns hidden, no codebook analysis, no statistical analysis; error propagation → active manipulations can be detected
6 Application areas: online transactions without delay but with detection of manipulations
7 Effective encryption rate (compared with ECB): m/n if only m bits out of n (= block length) are used for encryption
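The four modes of the preceding slides (ECB, CBC, OFB, CFB, all with full-block feedback, m = n) as an added Python example that is not part of the lecture. The 64-bit Feistel cipher, the key, the IV and the plaintext are constructed placeholders standing in for DES or Rijndael so that the code runs offline; the toy cipher is not secure and only provides an invertible block function. corrupted_blocks carries out assessment criterion 1 by flipping one ciphertext bit and reporting which plaintext blocks change, and distinct_ciphertext_blocks shows the ECB codebook leakage for repeated plaintext blocks.

```python
# Added example: ECB, CBC, OFB and CFB over a constructed toy block cipher.
# Everything here (toy_encrypt_block, the KEY/IV/PLAINTEXT values) is an assumption of
# this example, not material from the lecture.
import hashlib

BLOCK = 8  # n = 64 bit block length of the toy cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: hash of key, round number and right half (constructed).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):          # undo the rounds in reverse order
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "padding of the last block is the caller's job"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: every block independently with the same key
def ecb_encrypt(key, pt): return b"".join(toy_encrypt_block(key, b) for b in _blocks(pt))
def ecb_decrypt(key, ct): return b"".join(toy_decrypt_block(key, b) for b in _blocks(ct))


# CBC: y_i = E_K(x_i xor y_(i-1)), y_0 = IV
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for x in _blocks(pt):
        prev = toy_encrypt_block(key, _xor(x, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for y in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, y), prev))
        prev = y
    return b"".join(out)


# OFB: running key k_i = E_K(s_(i-1)) is fed back; encryption = decryption
def ofb_crypt(key, iv, data):
    out, s = [], iv
    for x in _blocks(data):
        s = toy_encrypt_block(key, s)
        out.append(_xor(x, s))
    return b"".join(out)


# CFB: k_i = E_K(y_(i-1)); the ciphertext block is what gets fed back
def cfb_encrypt(key, iv, pt):
    out, s = [], iv
    for x in _blocks(pt):
        s = _xor(x, toy_encrypt_block(key, s))
        out.append(s)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, s = [], iv
    for y in _blocks(ct):
        out.append(_xor(y, toy_encrypt_block(key, s)))
        s = y
    return b"".join(out)


MODES = {
    "ECB": (lambda k, iv, d: ecb_encrypt(k, d), lambda k, iv, d: ecb_decrypt(k, d)),
    "CBC": (cbc_encrypt, cbc_decrypt),
    "OFB": (ofb_crypt, ofb_crypt),
    "CFB": (cfb_encrypt, cfb_decrypt),
}

KEY = b"toy-key!"                  # constructed sample key
IV = bytes(range(BLOCK))           # constructed, non-secret IV
PLAINTEXT = b"BLOCK-00" * 6        # six identical plaintext blocks (constructed)


def corrupted_blocks(mode: str, flip_block: int = 2) -> list:
    """Criterion 1: flip one ciphertext bit in block flip_block, decrypt, and list the
    indices of plaintext blocks that no longer match the original."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(KEY, IV, PLAINTEXT))
    ct[flip_block * BLOCK] ^= 0x01
    pt = dec(KEY, IV, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(_blocks(pt), _blocks(PLAINTEXT))) if a != b]


def distinct_ciphertext_blocks(mode: str) -> int:
    """Codebook leakage: how many distinct ciphertext blocks six equal plaintext blocks give."""
    enc, _ = MODES[mode]
    return len(set(_blocks(enc(KEY, IV, PLAINTEXT))))
```

With m = n the outcome matches the assessment slides: ECB and OFB confine the error to the corrupted block, CBC and CFB also garble the following block, and only ECB maps the six equal plaintext blocks to one repeated ciphertext block.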

Asymmetric Ciphers

[Figure: Alice (source, sender) encrypts plaintext X with key K to ciphertext Y; Bob (drain, receiver) decrypts Y with key K'; both keys come from a key generator]

Encryption E_K(X) is a one-way function with trapdoor K': neither the inverse key K' nor the plaintext X can be derived from K and the ciphertext Y = E_K(X) (with limited resources)

Practically used one-way trapdoor functions:

Diffie-Hellman-Pohlig one-way trapdoor function
f: Z_p* → Z_p*, y = f(x) = a^x mod p, with large prime number p, fixed a
Inverse function: x = f^-1(y) = log_a(y) mod p (discrete logarithm)

RSA one-way trapdoor function
f: Z_n → Z_n, y = f(x) = x^e mod n, with n = p·q, p, q prime, gcd(e, φ(n)) = 1
Inverse function: x = f^-1(y) = y^d mod n, e·d ≡ 1 mod φ(n) (factoring n)

Diffie-Hellman one-way function

f: Z_p* → Z_p*, y = f(k) = a^k mod p, with large prime number p, fixed a

• Fast computation with Square-and-Multiply algorithm

• Idea: k = (b_(n-1), ..., b_1, b_0)_2 = b_(n-1)·2^(n-1) + ... + b_1·2 + b_0 (binary representation)

  a^k = a^(b_(n-1)·2^(n-1)) · ... · a^(b_1·2) · a^(b_0) = (a^(2^(n-1)))^b_(n-1) · ... · (a^2)^b_1 · a^b_0

• Algorithm: Iteratively apply the formula

  a^k = (a^2)^(k div 2) for k even
  a^k = a · a^(k-1) for k odd

• Example:

  a^13 = a·a^12 = a·(a^2)^6 = a·((a^2)^2)^3 = a·a_1^3 with a_1 := (a^2)^2
       = a·a_1·a_1^2 = a·a_1·(a_1^2)^1 = a·a_1·a_2^1 with a_2 := a_1^2
       = a·a_1·a_2·a_2^0

  z := 1; z := z·a; z := z·a_1; z := z·a_2

Square-and-Multiply

    /** Square-and-multiply algorithm for integral power calculation a^k, k>=0 */
    long power(long a, int k) {          // a and z from any multiplicative group
        long z = 1;                      // power = z * a^k
        while (k > 0) {                  // Variant: k
            // Invariant: power = z * a^k
            if (k % 2 == 0) {            // k is even
                k /= 2; a *= a;          // power = z * a^k
            } else {                     // k is odd
                k--; z *= a;             // power = z * a^k
            }
        }
        return z;                        // k = 0 ==> power = z * a^k = z
    }

• Time complexity: O(log(k)) for worst case and best case
  k even (bit = 0): 1 mult = square (a *= a), 1 shift (k /= 2), k → ½k
  k odd (bit = 1): 1 mult (z *= a), 1 bit and (k--), → k even
  loop: 1 step for each bit = 1 + 1 step for each bit: max 2·log2(k) steps

• Space complexity: O(1) = constant, independent of k

Diffie-Hellman Public Key-Distribution System

• Establish a shared secret (e.g. a symmetric key) using insecure communication channels
• Solve the key distribution problem for symmetric keys
• No Public Key Cryptosystem!

[Figure: Alice, Bob and the trust center Trent holding y_A = g^(x_A) and y_B = g^(x_B): 1. Alice fetches y_B; 2. K = y_B^(x_A), Y = E_K(M); 3. Alice sends Y; 4. Bob fetches y_A; 5. K = y_A^(x_B), M = D_K(Y)]

Protocol:
• Agree upon a common large prime p and a primitive element g of Z_p*
• Each member A chooses a private random number x_A and sends y_A = g^(x_A) as public information to a (passive) trust center
• From the public key y_B = g^(x_B) of the partner B calculate the shared secret K := y_B^(x_A) = (g^(x_B))^(x_A) = (g^(x_A))^(x_B) = y_A^(x_B)

ElGamal Crypto System

• Based on Diffie-Hellman
• Different algorithms for encryption and digital signatures
• Encryption for confidentiality is an asynchronous variant of Diffie-Hellman. Digital signatures are somewhat more complicated.

Encryption Protocol: As in the Diffie-Hellman protocol, except that the receiver need not consult the trust center because the sender sends his "public key" g^(x_A) along with his encrypted message E_K(M) = K·M.

[Figure, Diffie-Hellman: Trent holds y_A = g^(x_A) and y_B = g^(x_B); 1. Alice fetches y_B; 2. K = y_B^(x_A), Y = E_K(M); 3. Alice sends Y; 4. Bob fetches y_A; 5. K = y_A^(x_B), M = D_K(Y)]

[Figure, ElGamal: Trent holds y_B = g^(x_B); 1. Alice fetches y_B; 2. K = y_B^(x_A), Y = E_K(M) = K·M; 3. Alice sends y_A | Y; 4. Bob: K = y_A^(x_B), M = D_K(Y) = Y · y_A^(-x_B)]
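An added Python example, not from the lecture, that ties the last three slides together: square-and-multiply with the products reduced modulo p (the power() routine of the Square-and-Multiply slide, written for Z_p*), the Diffie-Hellman exchange with the slide's names x_A, y_A, x_B, y_B, K, and the ElGamal encryption step Y = K·M with its decryption Y·y_A^(-x_B). The prime P = 2^127 - 1 and the base G = 3 are constructed demo parameters, far below the sizes needed in practice and chosen without regard to the subgroup order; the role of the trust center is played by simply handing the public values over.

```python
# Added example: modular square-and-multiply, Diffie-Hellman and ElGamal encryption.
# P and G are constructed demo parameters (assumption of this example), not values
# from the lecture.
import secrets


def mod_pow(a: int, k: int, p: int) -> int:
    """a^k mod p by square-and-multiply; the loop mirrors power() on the slide,
    with every product reduced mod p so the intermediate values stay small."""
    z = 1
    a %= p
    while k > 0:                     # invariant: result = z * a^k mod p
        if k % 2 == 0:
            k //= 2
            a = a * a % p
        else:
            k -= 1
            z = z * a % p
    return z


P = 2**127 - 1      # constructed: a Mersenne prime, far too small for real use
G = 3               # constructed base


def dh_keypair(x=None):
    """Private x_A (random unless given) and public y_A = g^(x_A) mod p."""
    x = secrets.randbelow(P - 2) + 1 if x is None else x
    return x, mod_pow(G, x, P)


def dh_shared(x_own: int, y_peer: int) -> int:
    """K = y_peer^(x_own) mod p; both sides arrive at the same K."""
    return mod_pow(y_peer, x_own, P)


def elgamal_encrypt(y_b: int, m: int, x_a=None):
    """Sender: fresh x_A, K = y_B^(x_A), Y = K*M mod p; ships (y_A, Y) as on the slide."""
    if not 0 < m < P:
        raise ValueError("message must be encoded as a number in 1..p-1")
    x_a, y_a = dh_keypair(x_a)
    k = dh_shared(x_a, y_b)
    return y_a, k * m % P


def elgamal_decrypt(x_b: int, y_a: int, y: int) -> int:
    """Receiver: K = y_A^(x_B); M = Y * K^-1 = Y * y_A^(-x_B) = Y * y_A^(p-1-x_B) mod p,
    using y_A^(p-1) = 1 (Fermat) to turn the negative exponent into a positive one."""
    k_inv = mod_pow(y_a, P - 1 - x_b, P)
    return y * k_inv % P


if __name__ == "__main__":
    x_a, y_a = dh_keypair()
    x_b, y_b = dh_keypair()
    print("shared secrets equal:", dh_shared(x_a, y_b) == dh_shared(x_b, y_a))
    y_a2, Y = elgamal_encrypt(y_b, 123456789)
    print("ElGamal round trip:", elgamal_decrypt(x_b, y_a2, Y))
```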

Digital Signature Algorithm (DSA)

• Based on ElGamal signatures
• More efficient than ElGamal signatures because
  – operations are performed in a smaller group (time complexity)
  – only 2·160 bit for digital signature (space complexity)
• Hash function SHA-1 used (160 bit)
• No legal or patent restrictions
• Used in pgp (version 6 and beyond)

Elliptic Curve Cryptography (ECC)

• Based on ElGamal
• ElGamal uses only the multiplicative group Z_p*
  – any group will do if multiplication is fast (and therefore raising to the n-th power, too) and the inverse operation (logarithm) is hard
• ECC needs smaller keys (160 bit) than RSA (1024 bit)
• ECC best suited for smart cards

Elliptic Curves are points P = (x, y) ∈ Z_p × Z_p with

  y^2 = x^3 + ax + b, 4a^3 + 27b^2 ≠ 0 mod p (with suitable a, b ∈ Z_p)

multiplication defined by P_3 = P_1 ∘ P_2 = (x_3, y_3) with

  x_3 = r^2 - x_1 - x_2
  y_3 = r·(x_1 - x_3) - y_1

  r = (y_2 - y_1) / (x_2 - x_1) for P_1 ≠ P_2
  r = (3x_1^2 + a) / (2y_1) for P_1 = P_2

neutral element (not representable as a point), inverse element P^-1 = (x, p-y) of P = (x, y).
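The group law above as an added Python example (not from the lecture): the slide's formulas for r, x_3 and y_3 over Z_p, the neutral element represented by None, repeated application by double-and-add (square-and-multiply written for the group operation), and a Diffie-Hellman exchange on the curve. The slide writes the operation multiplicatively as P_1 ∘ P_2; the code calls it add and writes k·P, the additive convention usual for curves. The curve y^2 = x^3 + 2x + 2 over Z_17 with base point G = (5, 1) is a constructed textbook example and far too small for any real use.

```python
# Added example: elliptic-curve group law over Z_p and EC Diffie-Hellman on a toy curve.
# Curve parameters and base point are constructed (assumption), not from the lecture.

INF = None   # the neutral element, not representable as a point


def inv_mod(a: int, p: int) -> int:
    """Inverse in Z_p for prime p (Fermat): a^(p-2)."""
    return pow(a % p, p - 2, p)


def is_curve(a: int, b: int, p: int) -> bool:
    """Non-singularity condition 4a^3 + 27b^2 != 0 mod p from the slide."""
    return (4 * a**3 + 27 * b**2) % p != 0


def on_curve(P, a: int, b: int, p: int) -> bool:
    if P is INF:
        return True
    x, y = P
    return (y * y - (x**3 + a * x + b)) % p == 0


def neg(P, p: int):
    """Inverse element (x, p - y)."""
    return INF if P is INF else (P[0], (-P[1]) % p)


def add(P1, P2, a: int, p: int):
    """Group operation P_3 = P_1 o P_2 with the slide's formulas for r, x_3, y_3."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # P_2 is the inverse of P_1
    if P1 != P2:
        r = (y2 - y1) * inv_mod(x2 - x1, p) % p      # chord
    else:
        r = (3 * x1 * x1 + a) * inv_mod(2 * y1, p) % p   # tangent
    x3 = (r * r - x1 - x2) % p
    y3 = (r * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k: int, P, a: int, p: int):
    """k*P by double-and-add: the square-and-multiply loop, written additively."""
    R = INF
    while k > 0:                    # invariant: result = R + k*P
        if k % 2 == 1:
            R = add(R, P, a, p)
            k -= 1
        else:
            P = add(P, P, a, p)
            k //= 2
    return R


# constructed toy curve y^2 = x^3 + 2x + 2 over Z_17, base point G of order 19
A, B, P_MOD = 2, 2, 17
G = (5, 1)


def point_order(P) -> int:
    """Smallest n with n*P = neutral element (brute force, fine for the toy curve)."""
    n, Q = 1, P
    while Q is not INF:
        Q = add(Q, P, A, P_MOD)
        n += 1
    return n


def ec_dh(x_a: int, x_b: int):
    """Both parties' shared points: x_A*(x_B*G) and x_B*(x_A*G)."""
    y_a = scalar_mult(x_a, G, A, P_MOD)
    y_b = scalar_mult(x_b, G, A, P_MOD)
    return scalar_mult(x_a, y_b, A, P_MOD), scalar_mult(x_b, y_a, A, P_MOD)
```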

RSA Public Key Cryptosystem

• Confidentiality
• Authenticity including digital signatures

Key generation for messages encoded as natural numbers M < m = 2^l

Each member:
• Secretly choose two large primes p and q and calculate n := p·q > m (public)
• Choose e < φ(n) = (p-1)·(q-1), so that gcd(e, φ(n)) = 1, e.g. e = 3 or e = 2^16 + 1
• Determine d < φ(n), so that e·d ≡ 1 mod φ(n) (extended Euclidean algorithm)
• (n, e) is the public key, d is the private key

Encrypt message M: E_e(M) = M^e mod n, e = receiver's public key

Decrypt message C = E_e(M): D_d(C) = C^d mod n, d = receiver's private key

Sign message M: D_d(M) = M^d mod n, d = sender's private key

Verify message C = D_d(M): E_e(C) = C^e mod n, e = sender's public key
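Key generation with the extended Euclidean algorithm and the four operations of the slide as an added Python example (not from the lecture). The primes p = 61 and q = 53 are constructed toy values so that every intermediate number can be checked by hand; the slide's textbook RSA without message padding is reproduced as stated, and is not what a deployment would use.

```python
# Added example: RSA key generation, encryption, decryption, signing and verification
# exactly as listed on the slide. The toy primes are an assumption of this example.


def ext_gcd(a: int, b: int):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def rsa_keygen(p: int, q: int, e: int = 17):
    """Public key (n, e) and private key d with e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, u, _ = ext_gcd(e, phi)
    if g != 1:
        raise ValueError("e must satisfy gcd(e, phi(n)) = 1")
    d = u % phi                    # u may be negative; reduce into 0..phi-1
    return (n, e), d


def rsa_encrypt(pub, m: int) -> int:
    """E_e(M) = M^e mod n with the receiver's public key."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be a number below n")
    return pow(m, e, n)


def rsa_decrypt(d: int, n: int, c: int) -> int:
    """D_d(C) = C^d mod n with the receiver's private key."""
    return pow(c, d, n)


def rsa_sign(d: int, n: int, m: int) -> int:
    """D_d(M) = M^d mod n with the sender's private key."""
    return pow(m, d, n)


def rsa_verify(pub, m: int, s: int) -> bool:
    """E_e(S) = S^e mod n must give back M."""
    n, e = pub
    return pow(s, e, n) == m


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)        # n = 3233, phi = 3120, d = 2753
    c = rsa_encrypt(pub, 65)
    print(pub, d, c, rsa_decrypt(d, pub[0], c))
```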

Security of RSA

Known-Plaintext Attack = Chosen-Plaintext Attack
• Determination of the private key d from plaintext M = C^d mod n and ciphertext C = E_e(M) is a discrete logarithm problem.

Ciphertext-only Attacks
• Message-dependent attacks:
  – Deriving M from e, n and C = E_e(M) = M^e mod n is tantamount to determining the e-th root modulo n. This problem is equivalent to factoring n.
  – Deriving d from e, n and C = E_e(M) = M^e mod n seems to be just as hard as the message-independent attack.
• Message-independent attack: Deriving d from e and n is assumed to be equivalent to factoring n.

Factoring a large composite number n = p·q is a classical hard problem. Best (known) algorithms have time complexity

  O( e^( (1.92 + o(1)) · (ln n)^(1/3) · (ln ln n)^(2/3) ) )

Security of RSA and Diffie-Hellman

Assumed security of RSA with respect to key length

[Table of key lengths not contained in the transcript]

Random Number Generators

• Use
  – Key generation (asymmetric, symmetric)
  – Authentication, e.g. challenge and response
  – Nonces in key distribution schemes to prevent replay attacks

• Requirements
  – Randomness:
    • Uniform distribution of the values in the sequence (single numbers and subsequences of any length)
    • Independence of the sequence values of each other
  – Unpredictability of successive members of the sequence

Types of Random Number Generators

• Physical noise generators (stochastic)
  – ionising radiation events
  – leaky capacitors

• Pseudorandom Number Generators (deterministic)
  – linear congruential method (easy to break)
    s_i = c·s_(i-1) + d mod p, p prime
  – linear feedback shift registers (good statistics, easy to break)
    s_j = -c_1·s_(j-1) - c_2·s_(j-2) - ... - c_l·s_(j-l) mod p
  – nonlinear feedback shift registers (still insecure): filters, stop-and-go generators

• Cryptographical Random Number Generators
  – block cipher based (good statistics, secure, complex)
  – based on public key cryptography (equally secure)

Linear Congruential Method

s_i = c·s_(i-1) + d mod p, p prime

• c = 1: s_i = s_(i-1) + d mod p → linear sequence, predictable

• d = 0: s_i = c·s_(i-1) mod p, s_0 ≠ 0,
  c primitive, i.e. <c> := {1, c, c^2, c^3, ..., c^(p-2)} = Z_p* = {1, 2, ..., p-1}
  → {s_0, s_1 = c·s_0, s_2 = c^2·s_0, ..., s_(p-2) = c^(p-2)·s_0} = <c>·s_0 = Z_p*

Examples:
  p = 2^3 - 1 = 7, c = 2: <c> = {1, 2, 4} not primitive
  c = 5: <c> = {1, 5, 4, 6, 2, 3} primitive (1 of φ(φ(p)) = 2)
  s_0 = 2: <c>·s_0 = {2, 3, 1, 5, 4, 6} = Z_7* "random"
  p = 2^31 - 1 is prime, c = 7^5 is primitive: used in IBM 360

Linear Feedback Shift Registers

s_j = -c_1·s_(j-1) - c_2·s_(j-2) - ... - c_l·s_(j-l) mod p, p prime

• maximum period p^l - 1 ⇔ c(x) primitive, i.e. the multiplicative group of the Galois field Z_p[x]/c(x)Z_p[x] is generated by the coset of x

• Example: p = 2, c(x) = x^3 + x^2 + 1 is irreducible and primitive:
  <x> = {x, x^2, x^3 = x^2 + 1, x^4 = x^2 + x + 1, x^5 = x + 1, x^6 = x^2 + x, x^7 = 1},
  generated sequence with period 2^3 - 1 = 7: 1011100...

• can be broken, if a subsequence of 2·l elements is known

[Figure: shift register with cells s_(j-1), s_(j-2), ..., s_(j-l+1), s_(j-l), taps -c_1, -c_2, ..., -c_(l-1), -c_l summed into the new element s_j; output sequence s_0, s_1, ...]
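The two "easy to break" generators of the last two slides as an added Python example (not from the lecture). It checks whether a multiplier c is primitive modulo p by the prime factors of p-1, reproduces the slide's sequences for p = 7 and for c(x) over Z_2, and makes the last bullet concrete: given 2·l consecutive outputs of an LFSR with unknown coefficients, the l equations s_j = -(c_1·s_(j-1) + ... + c_l·s_(j-l)) are solved modulo p and the generator is reproduced, which is why such generators must not supply keys or nonces. The coefficient indexing of the recurrence follows the slide; the recurrence that produces 1011100 from the seed 1, 0, 1 is taken to be c = (0, 1, 1) over Z_2, an assumption about how the slide's c(x) maps onto the taps.

```python
# Added example: LCG primitivity check, LFSR generation and LFSR coefficient recovery
# from 2l outputs by linear algebra mod p. All sample values are constructed.


def prime_factors(n: int) -> set:
    """Trial division; adequate for the small p - 1 values used here (assumption)."""
    f, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            f.add(d)
            n //= d
        d += 1
    if n > 1:
        f.add(n)
    return f


def is_primitive(c: int, p: int) -> bool:
    """c generates Z_p* iff c^((p-1)/q) != 1 mod p for every prime q dividing p - 1."""
    return all(pow(c, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def lcg(c: int, d: int, p: int, s0: int, count: int) -> list:
    """s_i = c*s_(i-1) + d mod p, starting at s_0."""
    seq, s = [], s0
    for _ in range(count):
        seq.append(s)
        s = (c * s + d) % p
    return seq


def lfsr(coeffs: list, seed: list, p: int, count: int) -> list:
    """s_j = -(c_1 s_(j-1) + ... + c_l s_(j-l)) mod p with seed (s_0, ..., s_(l-1))."""
    s, l = list(seed), len(coeffs)
    while len(s) < count:
        s.append((-sum(coeffs[k] * s[-1 - k] for k in range(l))) % p)
    return s[:count]


def solve_mod_p(M: list, b: list, p: int) -> list:
    """Gauss-Jordan elimination over Z_p for a square, nonsingular M (p prime)."""
    n = len(M)
    A = [row[:] + [b[i]] for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] % p)   # StopIteration if singular
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], p - 2, p)
        A[col] = [v * inv % p for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % p for x, y in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]


def recover_lfsr(outputs: list, l: int, p: int) -> list:
    """From 2l known outputs build the l equations c_1 s_(j-1) + ... + c_l s_(j-l) = -s_j
    for j = l .. 2l-1 and solve for (c_1, ..., c_l)."""
    M = [[outputs[j - 1 - k] for k in range(l)] for j in range(l, 2 * l)]
    b = [(-outputs[j]) % p for j in range(l, 2 * l)]
    return solve_mod_p(M, b, p)


if __name__ == "__main__":
    print("5 primitive mod 7:", is_primitive(5, 7), " 2 primitive mod 7:", is_primitive(2, 7))
    print("LCG p=7, c=5, s0=2:", lcg(5, 0, 7, 2, 7))
    bits = lfsr([0, 1, 1], [1, 0, 1], 2, 14)
    print("LFSR over Z_2:", "".join(map(str, bits)), " recovered:", recover_lfsr(bits[:6], 3, 2))
```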

Cryptographic Random Number Generators

• Cyclic Encryption / Counter Encryption
  [Figure: counter c, incremented by 1 per step, encrypted under the key: s_i = E_k(c)]

• Output Feedback
  [Figure: shift register of n bits encrypted with E_K under the key; m of the n output bits are fed back into the register and form the output]

Cryptographic Random Number Generators

• ANSI X9.17 Pseudorandom Number Generator
  [Figure: three triple-DES (EDE) encryptions under one key: Date/Time_i is encrypted, the result is combined with Seed_i and encrypted to give the output s_i, and combined with s_i and encrypted to give Seed_(i+1)]

Prime Number Generators

Prime number tests
• deterministic: assure primality, but time consuming, e.g. factoring
• probabilistic: assure primality with a given probability (almost 1)

Algorithm (probabilistic):
  repeat n times (certainty 1 - 2^-n):
    test with a random witness
    if p is definitely not prime: return false
  return true (p may be prime)

• p prime: a single test (witness) never fails (never signals "not prime")
• p composite: a witness signals "not prime" with probability > 0.5

Prime density
• n/ln(n) prime numbers < n → P(n is prime) ≈ 1/ln(n) for a randomly chosen n
• only few tries necessary to catch a prime

Algorithm:
  repeat
    choose a random number p of appropriate size
    test if p is prime
  until p is prime

Prime Number Tests

Lehmann
• p prime ⇒ Z_p is a field ⇒ φ(p) = |Z_p*| = p-1 ⇒ a^(p-1) mod p = 1 for a ≠ 0
• p composite ⇒ a^(p-1) mod p need not be 1 for a ≠ 0, but P(a | a^(p-1) mod p ≠ 1) ≥ 0.5 for p composite
• Algorithm: choose a random number a < p; return a^(p-1) mod p == 1

Rabin-Miller
• p odd prime ⇒ p-1 can easily be decomposed: p-1 = 2^b·m (m odd)
• 1 = a^(p-1) mod p = (a^m)^(2^b) = (···((a^m)^2)···)^2 mod p
• (a^m)^(2^i) mod p = 1 ⇒ p may be prime
• Use Lehmann's test, but avoid calculating a^(p-1) if already (a^m)^(2^i) mod p = 1
• Algorithm:
    choose a random number a < p
    z = a^m; i = 0
    while z ≠ 1 and i < b (invariant: a^(p-1) = z^(2^(b-i))):
      z = z^2; i = i+1
    z ≠ 1? yes → p is not prime; no → p may be prime
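As an added Python example (not from the lecture): the test the slide calls Lehmann's, which checks a^(p-1) mod p = 1, the Rabin-Miller test, and the random-candidate loop of the "Prime Number Generators" slide. The Rabin-Miller function here is the standard form: besides the slide's check that the square chain (a^m)^(2^i) ends at 1, it also demands that the chain pass through p-1 before reaching 1. The Carmichael number 561 shows the difference: every witness coprime to it satisfies a^560 mod 561 = 1, so the endpoint check alone cannot reject it, while the chain for a = 2 reaches 1 from 67 rather than from 560 and exposes it as composite. Witness lists can be passed explicitly to make a run reproducible; the bound 4^-rounds for random witnesses is the standard error estimate, not a value from the slide.

```python
# Added example: Lehmann (Fermat) test, Rabin-Miller test and random prime generation.
# Sample numbers (561, 2^31 - 1) are constructed check values.
import math
import secrets


def lehmann_test(p: int, a: int) -> bool:
    """Witness a says "p may be prime" iff a^(p-1) mod p == 1 (the slide's Lehmann test)."""
    return pow(a, p - 1, p) == 1


def rabin_miller_witness(p: int, a: int) -> bool:
    """True if witness a is consistent with p being prime ("p may be prime")."""
    b, m = 0, p - 1
    while m % 2 == 0:                 # p - 1 = 2^b * m with m odd
        b += 1
        m //= 2
    z = pow(a, m, p)                  # z = a^m
    if z == 1 or z == p - 1:
        return True
    for _ in range(b - 1):            # invariant: a^(p-1) = z^(2^(b-i))
        z = z * z % p
        if z == p - 1:                # chain passes through -1: fine for a prime
            return True
        if z == 1:                    # 1 reached via a nontrivial square root: composite
            return False
    return False                      # a^(p-1) != 1: Fermat already fails


def is_probable_prime(p: int, rounds: int = 20, witnesses=None) -> bool:
    """Repeat the witness test; with random witnesses the error is at most 4^-rounds."""
    if p < 2:
        return False
    if p in (2, 3):
        return True
    if p % 2 == 0:
        return False
    if witnesses is None:
        witnesses = [secrets.randbelow(p - 3) + 2 for _ in range(rounds)]
    return all(rabin_miller_witness(p, a) for a in witnesses)


def random_prime(bits: int):
    """The slide's loop: draw odd candidates of the given size until one passes.
    Returns (prime, number of candidates tried)."""
    tries = 0
    while True:
        tries += 1
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit and low bit set
        if is_probable_prime(cand):
            return cand, tries


def expected_tries(bits: int) -> float:
    """Density estimate from the slide: about ln(2^bits) candidates, halved for odd ones."""
    return math.log(2 ** bits) / 2


if __name__ == "__main__":
    print("561 passes Lehmann with a=2:", lehmann_test(561, 2))
    print("561 passes Rabin-Miller with a=2:", is_probable_prime(561, witnesses=[2]))
    p, tries = random_prime(64)
    print(f"64-bit prime {p} after {tries} tries (expected about {expected_tries(64):.1f})")
```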

Hash Functions

Requirements
• Compression: map an arbitrary-length input m on a fixed-length output h = H(m) that should depend on every input bit (typical length: 128 or 160 bit)
• Equal distribution of the hash values
• Avalanche effect: One bit change in the message swaps half of the hash value bits (on average).
• One-way: Given m, it is easy to compute h = H(m). Given h, it is hard to compute an m' such that H(m') = h
• Collision-resistant (stronger requirement than one-way): It is hard to find two random messages m and m' such that H(m) = H(m').

Examples: MD5 (128 bit), SHA-1 (160 bit)

Hash Functions, cont.

Compression principle
• Cut message M into fixed-length blocks M_i
• Apply a one-way function h_(i+1) = f(M_i, h_i) with an initial value h_0 that contains the message length (MD strengthening) n times. The last h_i is the hash value of the entire message.

[Figure: one-way function f with inputs M_i and h_i and output h_(i+1)]

Hypothesis (not proved): The (iterated) variable-length hash function is secure if the fixed-length one-way function f is secure

One-way function: several rounds with non-linear operations
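An added Python example (not from the lecture) for the two hash slides: it measures the avalanche effect of MD5 and SHA-1 from the requirements slide by flipping single input bits and counting changed output bits, and it builds the iterated compression principle above as a toy chain h_(i+1) = f(M_i, h_i) with h_0 derived from the message length, as the slide describes. The compression function f (SHA-256 over the chaining value and the block), the 8-byte block length and the padding rule are constructed stand-ins, not the internals of MD5 or SHA-1.

```python
# Added example: avalanche measurement for MD5/SHA-1 and a toy iterated hash.
# f, BLOCK and the padding rule are assumptions of this example.
import hashlib


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, message: bytes, bit: int = 0) -> int:
    """Number of output bits that change when input bit `bit` is flipped."""
    flipped = bytearray(message)
    flipped[bit // 8] ^= 1 << (bit % 8)
    h1 = hashlib.new(algorithm, message).digest()
    h2 = hashlib.new(algorithm, bytes(flipped)).digest()
    return hamming_distance(h1, h2)


def avalanche_fraction(algorithm: str, message: bytes) -> float:
    """Average fraction of output bits changed, over every single-bit flip of the input;
    the slide's requirement is a value close to 1/2."""
    nbits = 8 * len(message)
    outbits = 8 * hashlib.new(algorithm).digest_size
    return sum(avalanche(algorithm, message, b) for b in range(nbits)) / (nbits * outbits)


BLOCK = 8   # constructed block length M_i for the toy chain


def f(block: bytes, h: bytes) -> bytes:
    """Constructed fixed-length one-way function f(M_i, h_i) -> h_(i+1)."""
    return hashlib.sha256(h + block).digest()


def md_hash(message: bytes) -> bytes:
    """Iterated hash: h_0 encodes the message length (MD strengthening as on the slide),
    then h_(i+1) = f(M_i, h_i) over the padded blocks; the last h_i is the hash."""
    h = hashlib.sha256(len(message).to_bytes(8, "big")).digest()
    padded = message + b"\x80" + b"\x00" * ((-len(message) - 1) % BLOCK)   # 1-bit then zeros
    for i in range(0, len(padded), BLOCK):
        h = f(padded[i:i + BLOCK], h)
    return h


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"
    for alg in ("md5", "sha1"):
        print(alg, "bits changed by one flip:", avalanche(alg, msg),
              " average fraction:", round(avalanche_fraction(alg, msg), 3))
    print("toy hash:", md_hash(msg).hex())
```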

Message Authentication Code (MAC)

• Key-dependent one-way hash function, often in combination with symmetric encryption
• Message Authentication
  – Authentication of files between users
  – Proof that a file has not been changed, for example by a virus

Example
[Figure: blocks 1, 2, 3, ..., k of the message chained through DES under the key K; the output of the last DES operation is the MAC]