

New Cryptographic Algorithms and current trends · 2006. 10. 12.

1. INTRODUCTION

Cryptography is a fundamental building block for building information systems, and as we enter the so-called "information age" of global networks, ubiquitous computing devices, and electronic commerce, we can expect that cryptography will become more and more important with time. The main goal of cryptography is to adequately address the following four areas in both theory and practice:

1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.

2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.

3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).

4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

* e-mail: [email protected]

Cryptography has a long and fascinating history [1]. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies. The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel [2] at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world. The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published "New Directions in Cryptography" [3]. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman [4] discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by El Gamal [5] in 1985. These are also based on the discrete logarithm problem. One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard [6], a mechanism based on the El Gamal public key scheme.

Assignment for the postgraduate course: "Value-Added Networks, EDI and Electronic Commerce Applications"

Apostolos Psyllos (ΨΥΛΛΟΣ Απόστολος), Ph.D. candidate *

School of Electrical and Computer Engineering, NTUA (ΕΜΠ)

Cryptographic Algorithms and current trends


The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society. The purpose of this work is to give an up-to-date survey of algorithms of interest in cryptographic practice, and to refer to the institutions involved in the creation of cryptographic products.

2. CRYPTOGRAPHY BASICS

In cryptographic terminology, the message is called plaintext or cleartext. Encoding the contents of the message in such a way as to hide its contents from outsiders is called encryption. The encrypted message is called ciphertext. The process of retrieving the plaintext from the ciphertext is called decryption. Encryption and decryption usually make use of a key, and the coding method is such that decryption can be performed only by knowing the proper key. There are two classes of key-based encryption algorithms, symmetric (or secret-key) and asymmetric (or public-key) algorithms. The difference is that symmetric algorithms use the same key for encryption and decryption (or the decryption key is easily derived from the encryption key), whereas asymmetric algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key. Symmetric algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt a single bit of plaintext at a time, whereas block ciphers take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a single unit. Asymmetric ciphers (also called public-key algorithms) permit the encryption key to be public (it can even be published to a web site), allowing anyone to encrypt with the key, whereas only the proper recipient (who knows the decryption key) can decrypt the message. The encryption key is also called the public key and the decryption key the private key. The security provided by these ciphers is based on keeping the private key secret.

3. CRYPTOGRAPHY ALGORITHMS

3.1 SYMMETRIC KEY ALGORITHMS

I. BLOCK CIPHERS

Symmetric (secret key) encryption schemes use the same key for encryption and decryption and usually have predefined key lengths. They provide high security and high performance, but suffer from the key exchange problem: a group of n entities needs to exchange n*(n−1)/2 different keys over secure channels.

The current state of the art in symmetric encryption is surely given by the five finalists of the AES selection process. In the AES competition, the winner, Rijndael, got 86 votes at the last AES conference, while Serpent got 59 votes, Twofish 31 votes, RC6 23 votes and MARS 13 votes (Nechvatal et al. [7]). We will focus on the winner of the AES selection process, namely Rijndael, as representative of this group.

TABLE 1. Encryption and decryption performance

Cipher      32bit [C]   32bit [JAVA]   64bit [C and Assembly]   8bit [C and Assembly]
MARS        ++          ++             ++                       ++
RC6         +++         +++            ++                       ++
RIJNDAEL    ++          ++             +++                      +++
SERPENT     +           +              +                        +
TWOFISH     ++          +              +++                      ++

TABLE 2. Key setup performance

Cipher      32bit [C]   32bit [JAVA]   64bit [C and Assembly]   8bit [C and Assembly]
MARS        ++          ++             +                        ++
RC6         ++          ++             ++                       +
RIJNDAEL    +++         +++            +++                      +++
SERPENT     +           ++             ++                       +
TWOFISH     +           +              +                        ++

NIST [24] has defined five modes of operation for AES and other FIPS-approved ciphers [8]: CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack), and CTR (Counter). The CBC mode is well defined and well understood for symmetric ciphers, and it is currently required for all other ESP ciphers.

ECB

The simplest of the encryption modes is the electronic codebook (ECB) mode, in which the message is split into blocks and each is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks; thus, it does not hide data patterns well. In some senses it doesn't provide message confidentiality at all, and it is not recommended for cryptographic protocols.

CBC

In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks up to that point. Also, to make each message unique, an initialization vector is used in the first block.

CFB

The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. The operation is very similar; in particular, CFB decryption is almost identical to CBC decryption performed in reverse.

OFB

The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even if applied before encryption. Because of the symmetry of the XOR operation, encryption and decryption are exactly the same.

CTR

Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function which produces a sequence which is guaranteed not to repeat for a long time, although an actual counter is the simplest and most popular. CTR mode has very similar characteristics to OFB, but also allows a random access property for decryption and is provably secure if the block cipher is strong. CTR mode is also known as Segmented Integer Counter (SIC) mode.
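The following is an added example, not code from the paper, that makes the behaviour of ECB, CBC and CTR described above concrete. Since no real block cipher is available here, it assumes a stand-in 128-bit block cipher (a small SHA-256-based Feistel network, labelled as such in the code; it is not AES) and plugs it into each mode. Running it shows the ECB pattern leak (three identical plaintext blocks give three identical ciphertext blocks, CBC gives none), the CBC round trip with an IV, CTR random access by starting the counter at a later block, and the stream-mode property that a flipped ciphertext bit flips exactly the same plaintext bit, which is why CTR and OFB need a separate integrity check such as a MAC. The key, IV, nonce and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, the AES block size


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    """Stand-in 128-bit block cipher (NOT AES): a 4-round Feistel network with
    SHA-256 as the keyed round function. Only the mode logic matters here;
    a real block cipher would take its place."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor_bytes(left, f)
    return left + right


def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + left).digest()[:8]
        left, right = xor_bytes(right, f), left
    return left + right


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    # Each block is encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pt))


def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for b in blocks(pt):
        prev = toy_block_encrypt(key, xor_bytes(b, prev))  # chain the previous ciphertext block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor_bytes(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key, nonce, data, first_block=0):
    """CTR: keystream block i = E_K(nonce || i). The same call encrypts and
    decrypts, and first_block gives random access to any position."""
    out = []
    for i, b in enumerate(blocks(data), start=first_block):
        keystream = toy_block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(xor_bytes(b, keystream))
    return b"".join(out)


def duplicate_blocks(ct):
    """Number of ciphertext blocks that repeat an earlier block (pattern leakage)."""
    bl = blocks(ct)
    return len(bl) - len(set(bl))


# Constructed sample values.
KEY = b"0123456789abcdef"      # 128-bit key
IV = bytes(range(16))          # a real CBC IV must be unpredictable, this one is fixed for the demo
NONCE = b"\x00" * 8            # 64-bit CTR nonce; must never be reused with the same key
PT = b"ATTACK AT DAWN!!" * 3   # three identical 16-byte plaintext blocks


def demo():
    ecb_ct = ecb_encrypt(KEY, PT)
    cbc_ct = cbc_encrypt(KEY, IV, PT)
    ctr_ct = ctr_crypt(KEY, NONCE, PT)
    # CTR random access: decrypt only the third block by starting the counter at 2.
    third = ctr_crypt(KEY, NONCE, ctr_ct[32:48], first_block=2)
    # Malleability of stream modes: one flipped ciphertext bit flips the same plaintext bit.
    tampered = bytearray(ctr_ct)
    tampered[0] ^= 0x01
    flipped = ctr_crypt(KEY, NONCE, bytes(tampered))
    return {
        "ecb_duplicates": duplicate_blocks(ecb_ct),
        "cbc_duplicates": duplicate_blocks(cbc_ct),
        "cbc_roundtrip": cbc_decrypt(KEY, IV, cbc_ct) == PT,
        "ctr_third_block": third == PT[32:48],
        "ctr_bitflip_localised": flipped[0] == PT[0] ^ 0x01 and flipped[1:] == PT[1:],
    }


if __name__ == "__main__":
    print(demo())
```

The Feistel stand-in is only there so the modes have something to drive; the mode functions themselves are written exactly as the text describes and would work unchanged over any 16-byte block cipher.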

A. RIJNDAEL

Rijndael is a block cipher adopted as an encryption standard by the US government. It is expected to be used worldwide and analysed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). AES was adopted by the National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardization process (the AES selection process).

The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael", a combination of the names of the inventors.

Strictly speaking, AES is not precisely Rijndael (although in practice they are used interchangeably) as Rijndael supports a larger range of block and key sizes; AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. The key is expanded using Rijndael's key schedule. Most of AES calculations are done in a special finite field.

AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). For encryption, each round of AES, except the last round, consists of four stages:

- AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.

- SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.

- ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.

- MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column using a linear transformation.

The final round replaces the MixColumns stage with another instance of AddRoundKey.

FIGURE 1. Rijndael Add Round Key operation

In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation. For each round, a subkey is derived from the main key using the key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.


FIGURE 2. Rijndael Sub Bytes operation

In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S: b_{ij} = S(a_{ij}). This operation provides the non-linearity in the cipher. The S-box used is derived from the inverse function over GF(2^8), known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation. The S-box is also chosen to avoid any fixed points (and so is a derangement), and also any opposite fixed points. The construction of the S-box is described in detail in the literature on the Rijndael S-box.

FIGURE 3. Rijndael Shift Rows operation

In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. In this way, each column of the output state of the ShiftRows step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets.)

FIGURE 4. Rijndael Mix Columns operation

In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x). The four bytes of each column of the state are combined using an invertible linear transformation. This function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion, which refers to the property that redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext. Each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with the fixed polynomial c(x) = 3x^3 + x^2 + x + 2. The MixColumns step can also be viewed as a matrix multiplication in Rijndael's finite field.
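As an added example (not code from the paper), the four round transformations described above, assembled into a complete AES-128 block encryption. The S-box is not hard-coded but generated the way the text describes, as the GF(2^8) inverse followed by the affine transformation, and MixColumns is written as the multiplication by c(x) = 3x^3 + x^2 + x + 2 column by column. The state is held as 16 bytes in column-major order (index 4*column + row), which is the layout FIPS PUB 197 uses and which makes AddRoundKey a plain byte-wise XOR with the 16-byte round key. The only external fact the code relies on is the FIPS PUB 197 Appendix C.1 test vector used to check the result; it is a straightforward reference implementation, not constant-time, and not for production use.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) as a^254; 0 is mapped to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def build_sbox():
    """S-box = affine transformation of the field inverse: s = x ^ rot(x,1) ^ ... ^ rot(x,4) ^ 0x63."""
    box = []
    for a in range(256):
        x = gf_inv(a)
        s = x
        for i in range(1, 5):
            s ^= ((x << i) | (x >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = build_sbox()


def expand_key(key):
    """AES-128 key schedule: 44 words, returned as 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)               # round constants 01,02,04,...,36
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def add_round_key(state, round_key):
    return [b ^ k for b, k in zip(state, round_key)]


def sub_bytes(state):
    return [SBOX[b] for b in state]


def shift_rows(state):
    # Row r is rotated left by r positions; byte (row r, col c) lives at index 4*c + r.
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(state):
    # Multiply each column by c(x) = 3x^3 + x^2 + x + 2 modulo x^4 + 1.
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def aes128_encrypt_block(key, block):
    """Ten rounds: initial AddRoundKey, nine full rounds, one final round without MixColumns."""
    round_keys = expand_key(key)
    state = add_round_key(list(block), round_keys[0])
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_keys[rnd])
    state = add_round_key(shift_rows(sub_bytes(state)), round_keys[10])
    return bytes(state)


if __name__ == "__main__":
    # FIPS PUB 197 Appendix C.1 vector: key 000102..0f, plaintext 00112233..ff.
    ct = aes128_encrypt_block(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff"))
    print(ct.hex())  # expected 69c4e0d86a7b0430d8cdb78070b4c55a
```

Checking the generated table against the two S-box properties mentioned above (no fixed points, no opposite fixed points) is a one-line loop over SBOX and is included in the checks for this example.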

On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by converting the SubBytes, ShiftRows and MixColumns transformations into tables. One then has four 256-entry 32-bit tables, which utilizes a total of four kilobytes (4096 bytes) of memory, a kilobyte for each table. A round can now be done with 16 table lookups and twelve 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the AddRoundKey step. If the resulting four-kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit table by the use of circular rotates.

SECURITY

As of 2006, the only successful attacks against AES have been side channel attacks. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced [9] that AES may be used for classified information:

"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."

This marks the first time that the public has had access to a cipher approved by NSA for TOP SECRET information. It is interesting to note that many public products use 128-bit secret keys by default; it is possible that NSA suspects a fundamental weakness in keys this short, or they may simply prefer a safety margin for top secret documents (which may require security decades into the future).

The most common way to attack block ciphers is to try various attacks on versions of the cipher with a reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. As of 2006, the best known attacks are on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.


Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks might be found and that, if so, the cipher could be broken. In this sense, a cryptographic "break" is anything faster than an exhaustive search, so an attack against 128-bit key AES requiring 'only' 2^120 operations would be considered a break even though it would be, now, quite unfeasible. In practical application, any break of AES which is only this 'good' would be irrelevant. For the moment, such concerns can be ignored. The largest publicly-known brute-force attack has been against a 64-bit RC5 key by distributed.net (finishing in 2002; Moore's Law implies that this is roughly equivalent to an attack on a 66-bit key today).

Another concern is the mathematical structure of AES. Unlike most other block ciphers, AES has a very neat mathematical description [10]. This has not yet led to any attacks, but some researchers are worried that future attacks may find a way to exploit this structure.

In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, showing a potential weakness in the AES algorithm. Several cryptography experts have found problems in the underlying mathematics of the proposed attack, suggesting that the authors may have made a mistake in their estimates. Whether this line of attack can be made to work against AES remains an open question. For the moment, the XSL attack against AES appears speculative; it is unlikely that anyone could carry out the current attack in practice.

PERFORMANCE

According to Aoki and Lipmaa [11], Rijndael-128 is able to encrypt a 128-bit block within 237 cycles on a 450 MHz Pentium II. This leads to a throughput of 243 Mbit/s. Lipmaa [12] claims to have a Rijndael library which nearly reaches 1.5 Gbit/s on a 3.06 GHz Pentium IV. Hodjat and Verbauwhede [13] report on a Rijndael hardware implementation which reaches a throughput of up to 21.54 Gbit/s. Following Schneier et al. [14], Rijndael encrypts 20% slower for 192-bit keys and 40% slower for 256-bit keys. According to Lenstra [15], a 128-bit symmetric cipher is supposed to be secure against mathematical attacks until at least 2090 (192-bit until 2186, 256-bit until 2282). The estimates from ECRYPT [16] are done much more carefully. They estimate 128-bit keys to be secure until 2035. The 256-bit keys are supposed to be secure within the "foreseeable future", which explicitly includes quantum computers. Buchmann [17] reports on the Vernam one-time pad, which is mathematically proven unbreakable, but its heavy requirements regarding the keys make it unusable in normal practice.

B. CAMELLIA

The cipher was developed jointly by Mitsubishi and NTT in 2000 [18] , and has similar design elements to earlier block ciphers (E2 and MISTY1) from these companies.

Camellia has a block size of 128 bits, and can use 128-bit, 192-bit or 256-bit keys, the same interface as the Advanced Encryption Standard. It is a Feistel cipher with either 18 rounds (if the key is 128 bits) or 24 rounds (if the key is 192 or 256 bits). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. The cipher also uses input and output key whitening. We will focus on the use of the Camellia block cipher algorithm in Cipher Block Chaining Mode, with an explicit Initialization Vector, as a confidentiality mechanism within the context of the IPsec Encapsulating Security Payload (ESP). Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project [16] and was included in the list of cryptographic techniques for Japanese e-Government systems selected by the Japan CRYPTREC (Cryptography Research and Evaluation Committees) [CRYPTREC]. Camellia has been submitted to several other standardization bodies, such as ISO (ISO/IEC 18033) and the IETF S/MIME Mail Security Working Group [19]. Camellia supports a 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the same interface specifications as the Advanced Encryption Standard (AES) [20]. Camellia is a symmetric cipher with a Feistel structure. Camellia was developed jointly by NTT and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic experts. Camellia is suitable for implementation in software and hardware, offering encryption speed in software and hardware implementations that is comparable to AES. Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations must support this key size. Implementations may also support key sizes of 192 bits and 256 bits.

Camellia uses a different number of rounds for each of the defined key sizes. When a 128-bit key is used, implementations must use 18 rounds. When a 192-bit key is used, implementations must use 24 rounds. When a 256-bit key is used, implementations must use 24 rounds. At the time of writing this document, there are no known weak keys for Camellia.

SECURITY

Implementations are encouraged to use the largest key sizes they can, taking into account performance considerations for their particular hardware and software configuration. Note that encryption necessarily affects both sides of a secure channel, so such consideration must take into account not only the client side, but also the server.


However, a key size of 128 bits is considered secure for the foreseeable future. No security problem has been found in Camellia [CRYPTREC][16]. Although patented, Camellia is available under a royalty-free license [1].

PERFORMANCE

Performance figures for Camellia are available at the Camellia web site [18]. This web site also includes a performance comparison with the AES cipher and other AES finalists. The NESSIE project [NESSIE] has reported the performance of optimized implementations independently. As an opportunity to publish the Camellia open source codes, NTT offers the codes to open source communities such as OpenSSL and Linux, and works so that Camellia will become standard-equipped at an early date. In addition, NTT plans to establish a support system for industrial enterprises and corporations that develop products incorporating Camellia, to enrich the Camellia-equipped product lines. In order for Camellia to be more widely used, NTT actively advances the development of Camellia-equipped products and services, such as security products employing SSL/TLS. In addition, NTT continues to pursue research and development in order to contribute to achieving a securely advanced information society.

II. STREAM CIPHERS

A. RABBIT

Rabbit is a high-speed stream cipher first presented in February 2003 at the 10th FSE workshop by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner. In May 2005, it was submitted to the eSTREAM.

Cryptico has patented the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses.

The internal state of the stream cipher consists of 513 bits. 512 bits are divided between eight 32-bit state variables x_{j,i} and eight 32-bit counter variables c_{j,i}, where x_{j,i} is the state variable of subsystem j at iteration i, and c_{j,i} denotes the corresponding counter variable. There is one counter carry bit, φ_{7,i}, which needs to be stored between iterations. This counter carry bit is initialized to zero. The eight state variables and the eight counters are derived from the key at initialization. The algorithm is initialized by expanding the 128-bit key into both the eight state variables and the eight counters such that there is a one-to-one correspondence between the key and the initial state variables, x_{j,0}, and the initial counters, c_{j,0}. The key, K[127..0], is divided into eight subkeys: k0 = K[15..0], k1 = K[31..16], ..., k7 = K[127..112]. The state and counter variables are initialized from the subkeys as follows:

The system is iterated four times, according to the next-state function defined below, to diminish correlations between bits in the key and bits in the internal state variables. Finally, the counter values are re-initialized according to c_{j,4} = c_{j,4} XOR x_{(j+4 mod 8),4} to prevent recovery of the key by inversion of the counter system. The core of the Rabbit algorithm is the iteration of the system defined by the following equations:

x_{0,i+1} = g_{0,i} + (g_{7,i} <<< 16) + (g_{6,i} <<< 16)
x_{1,i+1} = g_{1,i} + (g_{0,i} <<< 8) + g_{7,i}
x_{2,i+1} = g_{2,i} + (g_{1,i} <<< 16) + (g_{0,i} <<< 16)
x_{3,i+1} = g_{3,i} + (g_{2,i} <<< 8) + g_{1,i}
x_{4,i+1} = g_{4,i} + (g_{3,i} <<< 16) + (g_{2,i} <<< 16)
x_{5,i+1} = g_{5,i} + (g_{4,i} <<< 8) + g_{3,i}
x_{6,i+1} = g_{6,i} + (g_{5,i} <<< 16) + (g_{4,i} <<< 16)
x_{7,i+1} = g_{7,i} + (g_{6,i} <<< 8) + g_{5,i}
g_{j,i} = ((x_{j,i} + c_{j,i})^2 XOR ((x_{j,i} + c_{j,i})^2 >> 32)) mod 2^32

where all additions are modulo 2^32. This coupled system is schematically illustrated in Fig. 5. Before an iteration the counters are incremented as described below.

FIGURE 5. Graphical representation of RABBIT


SECURITY

As of March 2006, no cryptographic weaknesses are known.

PERFORMANCE

Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3 and of 9.7 cycles per byte on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.

The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher.

3.2 PUBLIC KEY ALGORITHMS

A. RIVEST, SHAMIR & ADLEMAN (RSA)

RSA involves two keys, a public key and a private key (a key here is a number later used in the encryption formula). The public key can be known to everyone and is used to encrypt messages. These messages can only be decrypted with the private key. In other words, anybody can encrypt a message, but only the holder of the private key can actually decrypt the message and read it. Intuitive example: Bob wants to send Alice a secret message that only she can read. To do this, Alice sends Bob a box with an open padlock, for which only Alice has the key. Bob receives the box, writes the message in plain English, puts it in the box and locks it with Alice's padlock (now Bob can no longer read the message). Bob sends the box to Alice and she opens it with her key. In this example, the box with the padlock is Alice's public key, and the key to the padlock is her private key.

Key generation

Suppose Alice and Bob are communicating over an insecure (open) channel, and Alice wants Bob to send her a private (or secure) message. Using RSA, Alice will take the following steps to generate a public key and a private key:

1. Choose two large prime numbers p and q, with p ≠ q, randomly and independently of each other.

2. Compute $n = p \cdot q$.

3. Compute the totient function $\varphi(n) = (p-1)(q-1)$.

4. Choose an integer e with $1 < e < \varphi(n)$ which is coprime to $\varphi(n)$.

5. Compute d such that $d e \equiv 1 \pmod{\varphi(n)}$.

• The prime numbers can be probabilistically tested for primality.

• A popular choice for the public exponent is $e = 2^{16} + 1 = 65537$. Some applications choose smaller values such as e = 3, 5 or 35 instead, to make implementations on small devices (e.g. smart cards) easier, i.e. encryption and signature verification are faster. Choosing small public exponents may, however, lead to greater security risks.

• Steps 4 and 5 can be performed with the extended Euclidean algorithm.

• Step 3 was changed in PKCS#1 v2.0 to $\lambda = \mathrm{lcm}(p-1, q-1)$ instead of $\varphi = (p-1)(q-1)$.

The public key consists of

• n, the modulus, and

• e, the public exponent (sometimes called the encryption exponent).

The private key consists of

• n, the modulus, which is public and appears in the public key, and

• d, the private exponent (sometimes called the decryption exponent), which must be kept secret.

For reasons of efficiency a different form of the private key (including CRT parameters) is sometimes stored:

• p and q, the primes from the key generation,

• d mod (p-1) and d mod (q-1) (often known as dmp1 and dmq1),

• $q^{-1} \bmod p$ (often known as iqmp).

This form allows faster decryption and signing using the Chinese Remainder Theorem (CRT): two exponentiations modulo the half-size primes replace one exponentiation modulo n. All of its parts must be kept secret. Storing the CRT parameters does not by itself weaken the key, but an implementation that uses them without checking its own result is exposed to fault attacks, in particular on smart cards, which would most benefit from the efficiency win. (Start with $y = x^e \bmod n$ and let the card decrypt it: it computes $y^d \bmod p$ and $y^d \bmod q$ and combines the two results into a value $z$. Now induce an error in one of the two computations. The faulty $z$ is still correct modulo one prime but wrong modulo the other, so $\gcd(z - x, n)$ reveals $p$ or $q$.) The standard countermeasure is to verify $z^e \equiv y \pmod n$ before releasing $z$.

Alice transmits the public key to Bob, and keeps the private key secret. p and q are sensitive since they are the factors of n and allow computation of d given e. If p and q are not stored in the CRT form of the private key, they are securely deleted along with the other intermediate values from the key generation.

1) Encrypting messages

Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n, using some previously agreed-upon reversible protocol known as a padding scheme.

Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext c corresponding to m:

$$c = m^e \bmod n$$

This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.

2) Decrypting messages

Alice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure:

$$m = c^d \bmod n$$

Given m, she can recover the original message M. The decryption procedure works because

$$c^d \equiv (m^e)^d \equiv m^{ed} \pmod n.$$

Now, since $ed \equiv 1 \pmod{p-1}$ and $ed \equiv 1 \pmod{q-1}$, Fermat's little theorem yields

$$m^{ed} \equiv m \pmod p \quad\text{and}\quad m^{ed} \equiv m \pmod q.$$

Since p and q are distinct prime numbers, applying the Chinese remainder theorem to these two congruences yields $m^{ed} \equiv m \pmod{pq}$. Thus, $c^d \equiv m \pmod n$.
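The key-generation steps, the encryption and decryption formulas, the CRT form of the private key and the fault attack sketched above, worked through in Python as an added example; this is not code from the original paper or from PKCS#1, and it is textbook RSA without a padding scheme, so it is for illustration only. Primality is checked with the probabilistic Miller-Rabin test, d is computed with the extended Euclidean algorithm modulo λ = lcm(p-1, q-1) as PKCS#1 v2.0 prescribes, and a one-bit fault in the mod-q half of a CRT decryption is simulated to show that gcd(z - m, n) yields p. The function names are this example's own; the key size, seed and message in the `__main__` lines are constructed for the example, and the seed exists only to make the run reproducible (a real key generator must draw from a cryptographic random source).

```python
"""Textbook RSA: key generation, encryption/decryption, CRT decryption and the
fault attack on unchecked CRT decryption (Boneh-DeMillo-Lipton / Bellcore attack)."""
import math
import random


def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin: probabilistic, as the notes on key generation allow."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:                   # write n-1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # a is a witness that n is composite
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(cand, rng):
            return cand


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def modinv(a, m):
    g, s, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: operands are not coprime")
    return s % m


def generate_keypair(bits=512, e=65537, seed=None):
    """Steps 1-5 above, with lambda(n) = lcm(p-1, q-1) in place of phi(n)."""
    rng = random.Random(seed)           # seedable only so the example is reproducible
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        if p != q and math.gcd(e, lam) == 1:
            break
    d = modinv(e, lam)                  # d*e = 1 (mod lambda)
    n = p * q
    crt = {"p": p, "q": q, "dmp1": d % (p - 1), "dmq1": d % (q - 1), "iqmp": modinv(q, p)}
    return (n, e), (n, d), crt


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("m must be an integer below n (apply a padding scheme first)")
    return pow(m, e, n)                 # exponentiation by squaring


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def decrypt_crt(crt, c, inject_fault=False):
    """CRT decryption from (p, q, dmp1, dmq1, iqmp): two half-size exponentiations.
    inject_fault simulates a glitch corrupting the mod-q half of the computation."""
    p, q = crt["p"], crt["q"]
    mp = pow(c, crt["dmp1"], p)
    mq = pow(c, crt["dmq1"], q)
    if inject_fault:
        mq ^= 1                         # a single flipped bit is enough
    h = (crt["iqmp"] * (mp - mq)) % p   # Garner recombination
    return mq + h * q                   # correct mod p even when mq is wrong


def decrypt_crt_checked(crt, pub, c, inject_fault=False):
    """Countermeasure: re-encrypt with the public key and compare before releasing z."""
    z = decrypt_crt(crt, c, inject_fault)
    if pow(z, pub[1], pub[0]) != c:
        raise RuntimeError("fault detected, result withheld")
    return z


def fault_is_caught(crt, pub, c):
    try:
        decrypt_crt_checked(crt, pub, c, inject_fault=True)
    except RuntimeError:
        return True
    return False


def factor_from_fault(n, m, z):
    """The attack above: z = m (mod p) but z != m (mod q), so gcd(z - m, n) = p."""
    return math.gcd(z - m, n)


if __name__ == "__main__":
    pub, priv, crt = generate_keypair(256, seed=7)          # toy size, constructed sample
    c = encrypt(pub, 0xDEADBEEF)
    z = decrypt_crt(crt, c, inject_fault=True)
    print(factor_from_fault(pub[0], 0xDEADBEEF, z) == crt["p"])   # True
```

The fault lands in the mod-q exponentiation, so Garner's recombination still returns a value that agrees with m modulo p; the attacker does not need to know which half was faulted, since gcd returns whichever prime the faulty result is still correct for. Note that this is exactly why the check in `decrypt_crt_checked` must run before the result leaves the device.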

PERFORMANCE

RSA is much slower than DES and other symmetric cryptosystems. In practice, Bob typically encrypts a secret message with a symmetric algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits both the RSA-encrypted symmetric key and the symmetrically-encrypted message to Alice.

This procedure raises additional security issues. For instance, it is of utmost importance to use a strong random number generator for the symmetric key, because otherwise Eve (an eavesdropper wanting to see what was sent) could bypass RSA by guessing the symmetric key.

SECURITY

Public key algorithms rest on complex mathematics and need very long keys. Because of this, public key cryptography is very much slower than secret key cryptography: its operations take several orders of magnitude longer than those of Rijndael, so public key encryption is normally only used in hybrid encryption systems. There the entities use the public key system to exchange a secret key, and this exchanged key is then used to encrypt the actual message with a symmetric encryption system. Unlike symmetric systems, the encryption performance of asymmetric systems may differ significantly from their decryption performance. The first public key encryption system invented, RSA [26], is still the most used one. It is based on the factorization problem. According to Lenstra [22], RSA currently needs a modulus size somewhere between 2790 and 3390 bits to meet the security of 128-bit Rijndael encryption. Rijndael-192 security is reached by a modulus size somewhere between 7160 and 8200 bits, and Rijndael-256 security implies an RSA modulus between 14200 and 15800 bits. ECRYPT [16] estimates that RSA keys of 3072, 7680 and 15360 bits offer security equivalent to Rijndael-128, -192 and -256 respectively; see TABLE 3. The most prominent alternative to RSA is elliptic curve cryptography (ECC). It is based on the discrete logarithm problem in the group of points of an elliptic curve and is faster than RSA because it gets by with much shorter keys. According to the tables of Lenstra and Verheul [25], the security of 1024-bit RSA is met by an ECC key between 138 and 147 bits; ECRYPT [16] estimates that a 160-bit ECC key provides RSA-1024 security. All widely used public key cryptosystems are broken by efficient algorithms for sufficiently large quantum computers, and there is some research on quantum-safe public key cryptosystems to meet this threat.

TABLE 3. Key length comparison for the same security

4. HASH FUNCTIONS- DIGITAL SIGNATURES

Hash functions take a block of data as input and produce a hash or message digest as output. The usual intent is that the hash can act as a signature for the original data without revealing its contents. Therefore it is important that the hash function be irreversible: not only should it be nearly impossible to retrieve the original data, it must also be infeasible to construct a data block that matches some given hash value. Randomness, however, has no place in a hash function, which should be completely deterministic: given the exact same input twice, the hash function should always produce the same output. Even a single bit changed in the input, though, should produce a different hash value. The hash value should be small enough to be manageable in further manipulations, yet large enough to prevent an attacker from randomly finding a block of data that produces the same hash. In cryptography, a cryptographic hash function is a hash function with certain additional security properties that make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. A hash function takes a string (or message) of any length as input and produces a fixed-length string as output, sometimes termed a message digest or a digital fingerprint.

FIGURE 6. Hash Function Properties

A typical use of a cryptographic hash would be as follows: Alice poses to Bob a tough math problem and claims she has solved it. Bob would like to try it himself, but would yet like to be sure that Alice is not bluffing. Therefore, Alice writes down her solution, appends a random nonce, computes its hash and tells Bob the hash value (whilst keeping the solution secret). This way, when Bob comes up with the solution himself a few days later, Alice can verify his solution but still be able to prove that she had the solution earlier.

In actual practice, Alice and Bob will often be computer programs, and the secret would be something less easily spoofed than a claimed puzzle solution. The above application is called a commitment scheme. Another important application of secure hashes is verification of message integrity. Whether any changes have been made to a message (or a file) can be determined, for example, by comparing message digests calculated before and after transmission (or any other event); see Tripwire, a system using this property as a defense against malware and malfeasance. A message digest can also serve as a means of reliably identifying a file. A related application is password verification. Passwords are usually not stored in clear text, for obvious reasons, but instead in digest form. To authenticate a user, the password presented by the user is hashed and compared with the stored hash.

Hashes are also used to identify files on peer-to-peer filesharing networks. For example, in an ed2k link the hash is combined with the file size, providing sufficient information for locating file sources, downloading the file and verifying its contents. Magnet links are another example. Such file hashes are often the top hash of a hash list or a hash tree which allows for additional benefits.

For both security and performance reasons, most digital signature algorithms specify that only the digest of the message be "signed", not the entire message. Hash functions can also be used in the generation of pseudorandom bits.

The most widely used hash functions (and their modifications) are:

• MD5 of R. Rivest (RFC 1321)

• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 of NIST (FIPS PUB 180-1 and 180-2)

• RIPEMD, RIPEMD-128, RIPEMD-160 of H. Dobbertin, A. Bosselaers, B. Preneel

• WHIRLPOOL-0, WHIRLPOOL-T, WHIRLPOOL of P. Barreto, V. Rijmen (NESSIE project, ISO/IEC 10118-3:2004)

TABLE 4. Hash functions performance [27]


SHA-1, MD5, and RIPEMD-160 are among the most commonly used message digest algorithms as of 2005. In August 2004, researchers found weaknesses in a number of hash functions, including MD5, SHA-0 and RIPEMD. This has called into question the long-term security of the later algorithms derived from them, in particular SHA-1 (a strengthened version of SHA-0) and RIPEMD-128 and RIPEMD-160 (both strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD is widely used, since both were replaced by their strengthened versions.

A. SHA-0,SHA-1

SHA-0 and SHA-1 produce a 160-bit digest from a message of less than $2^{64}$ bits, and are based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.

The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by US government standards agency NIST (National Institute of Standards and Technology). This version is now often referred to as "SHA-0". It was withdrawn by the NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as "SHA-1".

SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function. This was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. The compression function takes as input a 160-bit state and a 512-bit data block and outputs a new 160-bit state. The hash function works by repeatedly calling this compression function with successive 512-bit data blocks and each time updating the state accordingly. The 80-step round transformation at the heart of the compression function is a permutation of the 160-bit state for any fixed data block (this is exactly what SHACAL-1, described below, uses as a block cipher): given the data block on which it acted and the output of the steps, one can compute the state that went in by running the steps backwards. It is the final addition of the input state to the result of the steps (the Davies-Meyer feed-forward) that makes the compression function as a whole hard to invert.

Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA's assertion that the change increased the security. In February 2005, an attack on SHA-1 was reported, finding collisions in about $2^{69}$ hashing operations, rather than the $2^{80}$ expected for a 160-bit hash function. In August 2005, another attack on SHA-1 was reported, finding collisions in $2^{63}$ operations.

B. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.

MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found in the design of MD5; while it was not a clearly fatal weakness, cryptographers began to recommend using other algorithms, such as SHA-1 (recent claims suggest that SHA-1 has been broken, however). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable.

MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into 512-bit blocks; the message is padded so that its length is a multiple of 512. The padding works as follows: first a single 1 bit is appended to the end of the message. This is followed by as many zero bits as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining 64 bits are filled with a 64-bit integer representing the length in bits of the original message.

The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. There are four possible functions F, a different one being used in each round; each is built from the bitwise XOR, AND, OR and NOT operations.

C. WHIRLPOOL

WHIRLPOOL is a cryptographic hash function designed by Vincent Rijmen and Paulo S. L. M. Barreto. The hash has been recommended by the NESSIE project. It has also been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard.

WHIRLPOOL is a hash designed after the Square block cipher. WHIRLPOOL is a Miyaguchi-Preneel construction based on a substantially modified Advanced Encryption Standard (AES). Given a message of less than $2^{256}$ bits in length, it returns a 512-bit message digest.

The authors have declared that "WHIRLPOOL is not (and will never be) patented. It may be used free of charge for any purpose. The reference implementations are in the public domain."

D. RIPEMD

RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) is a 160-bit message digest algorithm (and cryptographic hash function) developed in Europe by Hans Dobbertin, Antoon Bosselaers and Bart Preneel, and first published in 1996. It is an improved version of RIPEMD, which in turn was based upon the design principles used in MD4, and is similar in performance to the more popular SHA-1.

There also exist 128, 256 and 320-bit versions of this algorithm, called RIPEMD-128, RIPEMD-256, and RIPEMD-320, respectively. The 128-bit version was intended only as a drop-in replacement for the original RIPEMD, which was also 128-bit, and which had been found to have questionable security. The 256 and 320-bit versions diminish only the chance of accidental collision, and don't have higher levels of security as compared to, respectively, RIPEMD-128 and RIPEMD-160.

RIPEMD-160 was designed in the open academic community, in contrast to the NSA-designed algorithm, SHA-1. On the other hand, RIPEMD-160 is a less popular and correspondingly less well-studied design. RIPEMD-160 is not constrained by any patents.

E. SHACAL

SHACAL-1 and SHACAL-2 are block ciphers based on cryptographic hash functions from the SHA family. They were designed by Helena Handschuh and David Naccache, both cryptographers from the smart card manufacturer Gemplus. SHACAL-1 is a 160-bit block cipher based on SHA-1 and supports keys from 128 bits to 512 bits. SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256.

SHACAL turns the SHA-1 compression function into a block cipher by using the state input as the data block and using the data input as the key input. In other words SHACAL views the SHA-1 compression function as 160-bit block cipher with a 512-bit key. Keys shorter than 512 bits are supported by padding them with zero up to 512. SHACAL is not intended to be used with keys shorter than 128 bit.
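SHA-1 written out from its step function, with the same 80 steps used as the SHACAL-1 block cipher, as an added Python example serving three passages above: the description of the SHA-1 compression function (section A), the padding rule given for MD5 (section B; SHA-1 uses the same rule except that it writes the length big-endian), and the SHACAL construction just described. It is not code from the paper or from the SHACAL designers. It shows that the steps alone form an invertible keyed permutation (`shacal1_decrypt` undoes `shacal1_encrypt` once the data block, i.e. the key, is known), that SHA-1's compression function is that permutation plus the input state, and that the only difference from SHA-0 is one rotation in the message schedule. The function names are this example's own; the state and key in the `__main__` lines are constructed for the example.

```python
"""SHA-1 from its step function, and the step function as the SHACAL-1 block cipher:
state in as the plaintext, 512-bit data block in as the key, no feed-forward."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # one constant per 20 steps


def rotl(v, r):
    return ((v << r) | (v >> (32 - r))) & MASK32


def f(i, b, c, d):
    """Step-dependent boolean function: choose, parity, majority, parity."""
    if i < 20:
        return (b & c) | (~b & MASK32 & d)
    if 40 <= i < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def message_schedule(block, sha0=False):
    """Expands 16 big-endian words to 80. The one-bit rotation here is the only
    difference between SHA-0 and SHA-1."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        t = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]
        w.append(t if sha0 else rotl(t, 1))
    return w


def _expand_key(key):
    if len(key) > 64:
        raise ValueError("SHACAL-1 keys are at most 512 bits")
    return message_schedule(key.ljust(64, b"\x00"))      # short keys are zero-padded


def shacal1_encrypt(state, key):
    """80 SHA-1 steps on a 160-bit state (five words) under a 512-bit key."""
    w = _expand_key(key)
    a, b, c, d, e = state
    for i in range(80):
        t = (rotl(a, 5) + f(i, b, c, d) + e + K[i // 20] + w[i]) & MASK32
        a, b, c, d, e = t, a, rotl(b, 30), c, d
    return a, b, c, d, e


def shacal1_decrypt(state, key):
    """Every step is invertible once the key is known, so run them backwards."""
    w = _expand_key(key)
    a, b, c, d, e = state
    for i in reversed(range(80)):
        pa, pb, pc, pd = b, rotl(c, 2), d, e           # rotl 2 undoes rotl 30
        pe = (a - rotl(pa, 5) - f(i, pb, pc, pd) - K[i // 20] - w[i]) & MASK32
        a, b, c, d, e = pa, pb, pc, pd, pe
    return a, b, c, d, e


def sha1_compress(state, block):
    """Davies-Meyer: permutation output plus input state. This addition, not the
    steps themselves, is what makes the compression function one-way."""
    out = shacal1_encrypt(state, block)
    return tuple((s + o) & MASK32 for s, o in zip(state, out))


def sha1_pad(msg):
    """Append a 1 bit, zeros up to 64 bits short of a block boundary, then the
    64-bit message length in bits (big-endian here; MD5 writes it little-endian)."""
    bitlen = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bitlen)


def sha1(msg):
    """Merkle-Damgard iteration of the compression function over the padded message."""
    state = SHA1_IV
    padded = sha1_pad(msg)
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state).hex()


def matches_hashlib(msg):
    return sha1(msg) == hashlib.sha1(msg).hexdigest()


if __name__ == "__main__":
    print(sha1(b"abc"))                                   # a9993e364706816aba3e25717850c26c9cd0d89d
    st, key = (1, 2, 3, 4, 5), bytes(range(64))           # constructed sample state and key
    print(shacal1_decrypt(shacal1_encrypt(st, key), key) == st)   # True
```

Passing `sha0=True` to `message_schedule` turns the permutation into the SHA-0 round function; nothing else in the code changes, which is the whole of the 1995 revision.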

In 2003, SHACAL-2 was selected by the NESSIE project as one of their 17 recommended algorithms.

SECURITY OF HASH FUNCTIONS

To attack a hash function, an intruder who has seen a message and its digest tries to substitute a message of his own that produces the same output of the hash function; finding such a message for a given digest is a second-preimage attack. Finding any two messages with the same digest is a collision, and this is the easier of the two tasks: for an n-bit digest a generic collision search costs about $2^{n/2}$ operations (the birthday bound), against $2^n$ for a preimage. Both are supposed to be infeasible for a secure hash function. The cost of finding collisions for the most popular hash algorithms is given in TABLE 5.

TABLE 5. Security of hash functions (collisions)

5. CRYPTOGRAPHY INSTITUTIONS – PROJECTS

EUROPE

• ECRYPT (Network of Excellence in Cryptology), contract number IST-2002-507932 [13]

• eSTREAM (2004-2008) is a project to identify new stream ciphers that might become suitable for widespread adoption, organised by the EU ECRYPT network. It was set up as a result of the failure of all six stream ciphers submitted to the NESSIE project. The call for primitives was first issued in November 2004. The project is due to complete in January 2008. The project is divided into separate phases and the project goal is to find algorithms suitable for different application profiles.

• eBATS (2004-2008), contract number IST-2002-507932

• NESSIE (New European Schemes for Signatures, Integrity, and Encryption), contract number IST-1999-12324 (2000-2004). NESSIE selected 17 algorithms out of 44, including the 39 proposed encryption algorithms. [23]

USA

• NIST - National Institute of Standards and Technology [24]

• FIPS - Federal Information Processing Standards [20]

• NSA - The National Security Agency / Central Security Service is America's cryptology organization. It coordinates, directs, and performs highly specialized activities to protect U.S. government information systems and produce foreign signals intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the government.

JAPAN

• CRYPTREC - Cryptography Research and Evaluation Committees (2000-2005). CRYPTREC was organized to investigate and evaluate cryptographic techniques suitable for the Japanese electronic government in terms of security, implementation, and other characteristics from the viewpoints of various objective specialists. Out of the total of 66 submissions, including the 52 proposed encryption algorithms, 31 encryption algorithms were selected.

INTERNATIONAL

IACR The International Association for Cryptologic Research (IACR) is a non-profit scientific organization whose purpose is to further research in cryptology and related fields.

CDT The Center for Democracy and Technology works to promote democratic values and constitutional liberties in the digital age. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.

EPIC It is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC publishes an award-winning e-mail and online newsletter on civil liberties in the information age – the EPIC Alert.

6. REFERENCES

[1] D. Kahn, Codebreakers: The Story of Secret Writing, Macmillan, 1967.

[2] H. Feistel, "Cryptographic coding for data bank privacy," IBM Corp. Res. Rep. RC 2827, Mar. 1970.

[3] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Trans. Inform. Theory IT-22 (6), pp. 644-654, 1976.

[4] R. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM 21 (2), pp. 120-126, Feb. 1978.

[5] T. El Gamal, "A public key cryptosystem and signature scheme based on discrete logarithms," IEEE Trans. Inform. Theory 31, pp. 469-472, 1985.

[6] National Institute of Standards and Technology, NIST FIPS PUB 186, Digital Signature Standard, U.S. Department of Commerce, May 1994.

[7] J. Nechvatal, E. Barker, L. Bassham, W. Burr, M. Dworkin, J. Foti and E. Roback, "Report on the Development of the Advanced Encryption Standard (AES)," Journal of Research of the National Institute of Standards and Technology, Volume 106, pp. 511-576, 2000.

[8] M. Dworkin, "Recommendation for Block Cipher Modes of Operation - Methods and Techniques," NIST Special Publication 800-38A, December 2001.

[9] CNSS Policy No. 15, Fact Sheet No. 1, National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, June 2003.

[10] N. Ferguson, R. Schroeppel, D. Whiting, "A simple algebraic representation of Rijndael," Selected Areas in Cryptography, Proc. SAC 2001, Lecture Notes in Computer Science 2259, pp. 103-111, Springer Verlag, 2001.

[11] K. Aoki and H. Lipmaa, "Fast Implementations of AES Candidates," Third Advanced Encryption Standard Candidate Conference, pp. 106-120, 2000.

[12] H. Lipmaa, Fast Implementations of AES and IDEA for Pentium 3 and 4, October 2005, http://home.cyber.ee/helger/implementations

[13] A. Hodjat, I. Verbauwhede, "A 21.54 Gbit/s fully pipelined AES processor on FPGA," Field-Programmable Custom Computing Machines 2004 (FCCM'04), 12th Annual IEEE Symposium, pp. 308-309.

[14] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall and N. Ferguson, "Performance Comparison of the AES Submissions," Proc. Second AES Candidate Conference, NIST, pp. 15-34, 1999.

[15] A. Lenstra, Key Length, contribution to "The Handbook of Information Security," 2004, http://cm.bell-labs.com/who/akl/key_lengths.pdf

[16] ECRYPT Yearly Report on Algorithms and Keysizes 2005, http://www.ecrypt.eu.org/documents/D.SPA.16-1.0.pdf

[17] J. Buchmann, Einführung in die Kryptographie, Springer, 2001, ISBN 3-540-41283-2; also available in English, ISBN 0-387-21156-X.

[18] K. Aoki et al., "Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis," Selected Areas in Cryptography 2000, pp. 39-56.

[19] M. Matsui, J. Nakajima, and S. Moriai, "A Description of the Camellia Encryption Algorithm," RFC 3713, April 2004.

[20] NIST, FIPS PUB 197, "Advanced Encryption Standard (AES)," November 2001, http://csrc.nist.gov/publications/fips/fips197/fips-197

[21] S. Frankel, R. Glenn, and S. Kelly, "The AES-CBC Cipher Algorithm and Its Use With IPsec," RFC 3602, September 2003.

[22] A. Lenstra, Unbelievable Security, 2001, http://www.win.tue.nl/~klenstra/aes_match.pdf

[23] The NESSIE project (New European Schemes for Signatures, Integrity and Encryption), http://www.cosic.esat.kuleuven.ac.be/nessie/

[24] NIST Computer Security Division, http://csrc.nist.gov/

[25] A. Lenstra and E. Verheul, "Selecting Cryptographic Key Sizes," 2001, http://citeseer.ist.psu.edu/287428.html

[26] RSA Security, PKCS #1: RSA Cryptography Standard, http://www.rsasecurity.com/rsalabs/node.asp?id=2125

[27] I. Mironov, Microsoft Research, Silicon Valley Campus, November 14, 2005.

[IACR] http://www.iacr.org/

[CDT] http://www.cdt.org/crypto/

[EPIC] http://www.epic.org/epic/about.html

[NSA] www.nsa.gov

[CRYPTREC] Information-technology Promotion Agency (IPA), Japan, http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html