
Part 9, Basic Cryptography

Part 9, Basic Cryptography. Introduction. A cryptosystem is a tuple (M, K, C, E, D) where M is the set of plaintexts, K the set of keys, C the set of ciphertexts, E: M × K → C is an enciphering function and D: C × K → M is a deciphering function. The Caesar cipher.


Presentation Transcript


  1. Part 9, Basic Cryptography

  2. Introduction A cryptosystem is a tuple (M, K, C, E, D) where M is the set of plaintexts, K the set of keys, C the set of ciphertexts, E: M × K → C is an enciphering function and D: C × K → M is a deciphering function, with D_k(E_k(m)) = m for every m ∈ M and k ∈ K.

  3. The Caesar cipher M = C is the set of sequences of Roman letters (each letter identified with an element of Z26: A = 0, …, Z = 25). K is the set of integers 0, 1, …, 25. E is the enciphering function E_k, k ∈ K: E_k(m) = m + k (mod 26), applied letter by letter. D is the deciphering function D_k, k ∈ K: D_k(c) = c - k (mod 26).

  4. Example If the key is k = 3, then “HELLO” → “KHOOR”, since each letter is shifted three places forward: H → I → J → K, E → F → G → H, L → M → N → O, L → M → N → O, O → P → Q → R.

  5. Cryptanalysis The goal of the cryptographer is to protect the privacy of plaintexts by enciphering them. The goal of the cryptanalyst (attacker) is to recover the plaintext, or the key, from ciphertext. Attacks on cryptosystems, in increasing order of the adversary's power:
• Ciphertext-only attack: the adversary has access only to ciphertexts, and must find the plaintext that corresponds to a ciphertext.
• Known-plaintext attack: the adversary has access to some matched plaintext/ciphertext pairs, as well as ciphertexts, and must find the plaintext of some new ciphertext.
• Chosen-plaintext attack: the adversary may ask for specific plaintexts of its choice to be enciphered, as well as having access to ciphertexts, and must find the plaintext that corresponds to a new ciphertext.

  6. Kerckhoffs’ assumption The adversary knows all details of the enciphering function except the secret key. Security must therefore rest on the key alone, not on keeping the algorithm secret.

  7. The transposition cipher A transposition cipher rearranges the characters of the plaintext; the key is a permutation p of the character positions. The letters themselves are not changed. So E_p(x) = p(x) and D_p(y) = p^-1(y). Example: rail-fence cipher. Let the plaintext be “HELLO WORLD” (spaces dropped). Write it in two rows, taking alternate letters: HLOOL over ELWRD. The ciphertext is read off row by row: “HLOOLELWRD”.

  8. Anagramming Attacking a transposition cipher requires rearranging the letters of the ciphertext back into their original order. Anagramming uses tables of n-gram frequencies to identify common n-grams. For example, for the ciphertext “HLOOLELWRD” the digram “HE” occurs with frequency 0.0305 in English (see the textbook's table). Of the other possible digrams beginning with “H”, “HO” is the next highest. This suggests that “E” follows “H” in the plaintext. And so on, until a consistent permutation is found.

  9. The substitution cipher A substitution cipher changes the characters of the plaintext to produce the ciphertext, leaving their positions unchanged. Caesar’s cipher is an example. Again the key for this cipher can be found by frequency analysis: each plaintext letter is always replaced by the same ciphertext letter, so the letter-frequency profile of the language is merely permuted, not hidden.

  10. Difference between transposition and substitution ciphers Given the plaintext wedo noth avea quiz today and the ciphertext yadot ziuq aeva hton odew, what is the cipher used? • A transposition cipher • A substitution cipher Why? (Hint: compare the multiset of letters in the plaintext with that of the ciphertext.)

  11. Block ciphers The transposition and substitution ciphers are block ciphers: successive plaintext elements (blocks) are encrypted using the same key. We now consider some other block ciphers. The Affine Cipher is a special case of the substitution cipher with E_k(x) = ax + b mod 26 and D_k(y) = a^-1 (y - b) = a^-1 y - a^-1 b mod 26, where a, b, x, y ∈ Z26 and a is invertible in Z26, i.e. gcd(a, 26) = 1. There are 12 such values of a, so the keyspace has 12 × 26 = 312 keys; the Caesar cipher is the case a = 1.
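As an added example (not part of the original slides), the affine cipher of slide 11 in Python, with the Caesar cipher as the special case a = 1, together with the ciphertext-only attack that the later cryptanalysis slides describe for substitution-type ciphers: all 312 keys are tried and the candidate plaintext whose letter counts lie closest to the English frequency profile is kept. The sample message and the rounded frequency table are constructed for this example.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Relative frequency of each letter in English text (percent, A..Z), rounded
# from standard published tables; only the relative sizes matter here.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def letters_only(text: str) -> str:
    """Upper-case the text and drop everything that is not a Roman letter."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def affine_encrypt(plaintext: str, a: int, b: int) -> str:
    """E_k(x) = a*x + b mod 26, letter by letter. a = 1 gives the Caesar cipher."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be invertible in Z26 (gcd(a, 26) = 1)")
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % 26]
                   for ch in letters_only(plaintext))


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    """D_k(y) = a^-1 * (y - b) mod 26; pow(a, -1, 26) is a's inverse in Z26 (Python 3.8+)."""
    a_inv = pow(a, -1, 26)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % 26]
                   for ch in ciphertext)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and the English profile.
    Low values mean the text looks like English."""
    n = len(text)
    score = 0.0
    for i, letter in enumerate(ALPHABET):
        expected = ENGLISH_FREQ[i] * n / 100.0
        observed = text.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def break_affine(ciphertext: str):
    """Ciphertext-only attack: exhaust the 312 keys and rank by chi-squared.
    Returns (a, b, plaintext) for the best-scoring key."""
    best = None
    for a in range(1, 26):
        if gcd(a, 26) != 1:
            continue
        for b in range(26):
            candidate = affine_decrypt(ciphertext, a, b)
            score = chi_squared(candidate)
            if best is None or score < best[0]:
                best = (score, a, b, candidate)
    return best[1], best[2], best[3]


# Constructed sample message for the demonstration (about 170 letters).
SAMPLE = ("The goal of the cryptanalyst is to recover the plaintext from the "
          "ciphertext without the key, and for a substitution cipher the letter "
          "frequencies of the language are enough to do this when the message "
          "is long enough")

if __name__ == "__main__":
    ct = affine_encrypt(SAMPLE, 5, 8)
    a, b, pt = break_affine(ct)
    print(ct)
    print(f"recovered key a={a}, b={b}: {pt}")
```

The attack needs no knowledge of the key beyond Kerckhoffs' assumption that the cipher is affine; a few dozen letters of ciphertext are usually enough, because a wrong key almost always sends some frequent plaintext letter onto a rare one such as J, Q, X or Z, which the chi-squared score punishes heavily.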

  12. Block ciphers The Vigenère Cipher is polyalphabetic. Let m > 1 and M = C = K = (Z26)^m = Z26 × Z26 × … × Z26 (m factors). For a key k = (k1, …, km): e_K(x1, …, xm) = (x1 + k1, …, xm + km) and d_K(y1, …, ym) = (y1 - k1, …, ym - km), where all operations are in Z26.

  13. Block ciphers The Hill Cipher is also polyalphabetic. Let m > 1 and M = C = (Z26)^m; K is the set of all m × m matrices over Z26 that are invertible modulo 26 (those whose determinant is invertible in Z26, i.e. coprime to 26). For a key K in K: e_K(x) = xK and d_K(y) = yK^-1, with x and y row vectors and all operations in Z26.

  14. Stream Ciphers The ciphers considered so far are block ciphers. Another type of cryptosystem is the stream cipher.

  15. Stream Ciphers • A synchronous stream cipher is a tuple (M, C, K, L, E, D) with a function g such that: • M, C, K, E, D are as before. L is the keystream alphabet. g is the keystream generator: it takes as input a key K and outputs an infinite string z1, z2, … called the keystream, where each zi is in L. • For each z in L there is an encryption rule e_z in E and a decryption rule d_z in D such that d_z(e_z(x)) = x for all plaintexts x in M.

  16. Stream Ciphers The Linear Feedback Shift Register, or LFSR. The keystream is computed as follows. Let • (c0, c1, …, c_{m-1}) be system parameters (the feedback coefficients, each 0 or 1), and • (k1, k2, …, km) be the initial key vector (the register contents). At each time unit the register is updated as follows: • k1 is output as the next keystream bit; • k2, …, km are each shifted one place to the left; • the “new” value of km is computed by k_{m+1} = Σ_{j=0}^{m-1} c_j k_{j+1} (mod 2). In general k_{i+m} = Σ_{j=0}^{m-1} c_j k_{i+j} (mod 2), so the whole keystream is determined by the m-bit initial state and the m coefficients.

  17. Stream Ciphers Let x1, x2, … be the plaintext (a binary string). Then the ciphertext is y1, y2, … where y_i = x_i + k_i for i = 1, 2, … and the sum is bitwise XOR (addition mod 2). Decryption is the same operation: x_i = y_i + k_i.

  18. Cryptanalysis Attacks on Cryptosystems • Ciphertext-only attack: the adversary has access to a string of ciphertexts y1, y2, … • Known-plaintext attack: the adversary has access to a string of plaintexts x1, x2, … and the corresponding string of ciphertexts y1, y2, …

  19. Attacks on Cryptosystems • Chosen-plaintext attack: the adversary can choose a string of plaintexts x1, x2, … and obtain the corresponding string of ciphertexts y1, y2, … • Chosen-ciphertext attack: the adversary can choose a string of ciphertexts y1, y2, … and obtain the corresponding string of plaintexts x1, x2, …

  20. Attacks on Cryptosystems In all these attacks the adversary is then given a new ciphertext (one not among those already seen or chosen) and must find the corresponding plaintext, or, equivalently, the key.

  21. Cryptanalysis Cryptanalysis of the transposition and substitution ciphers: ciphertext-only attack, using the statistical properties of the language. Cryptanalysis of the affine and Vigenère ciphers: ciphertext-only attack, again using the statistical properties of the language (for Vigenère, first determine the key length m, then treat each of the m interleaved letter sequences as a shift cipher).

  22. Cryptanalysis Cryptanalysis of the Hill cipher: known-plaintext attack (m plaintext/ciphertext block pairs whose plaintext matrix X is invertible mod 26 give K = X^-1 Y). Cryptanalysis of the LFSR stream cipher: known-plaintext attack (2m consecutive keystream bits z_i = x_i ⊕ y_i determine the m coefficients c_j by solving an m × m linear system over Z2).
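As an added example (not from the slides), the LFSR keystream generator of slides 16 and 17 and the known-plaintext attack of slide 22 in Python. The attacker is assumed to know the register length m and 2m consecutive plaintext/ciphertext bits; XOR-ing those gives 2m keystream bits, and each of the last m is a linear combination of the m before it, so the coefficients c_0, …, c_{m-1} follow from Gaussian elimination over Z2 and the whole keystream can then be regenerated. The taps, initial state and message bits are constructed for the example.

```python
def lfsr_keystream(coeffs, state, n):
    """Slide 16: state (k1..km); output k1, shift left, new km = sum c_j k_{j+1} mod 2."""
    m = len(coeffs)
    if len(state) != m:
        raise ValueError("state must have one bit per coefficient")
    regs = list(state)
    out = []
    for _ in range(n):
        out.append(regs[0])
        new_bit = 0
        for j in range(m):
            new_bit ^= coeffs[j] & regs[j]
        regs = regs[1:] + [new_bit]
    return out


def stream_xor(bits, keystream):
    """Slide 17: y_i = x_i XOR k_i; the same function decrypts."""
    return [x ^ z for x, z in zip(bits, keystream)]


def solve_gf2(rows, rhs):
    """Gauss-Jordan elimination over Z2 for A*c = rhs (A is m x m with 0/1 entries)."""
    m = len(rows)
    aug = [list(row) + [b] for row, b in zip(rows, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("singular system: use a different keystream window")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def recover_lfsr(plain_bits, cipher_bits, m):
    """Known-plaintext attack: returns (coeffs, initial_state) from 2m known bits.
    For i = 0..m-1 the keystream satisfies z[m+i] = sum_j c_j * z[i+j] (mod 2)."""
    z = stream_xor(plain_bits[:2 * m], cipher_bits[:2 * m])
    if len(z) < 2 * m:
        raise ValueError("need at least 2m known plaintext bits")
    rows = [z[i:i + m] for i in range(m)]
    rhs = [z[m + i] for i in range(m)]
    coeffs = solve_gf2(rows, rhs)
    return coeffs, z[:m]


# Constructed parameters: taps of x^4 + x + 1 (k_{i+4} = k_i + k_{i+1}), a
# non-zero start state, and a 40-bit message ("Hello" in ASCII).
COEFFS = [1, 1, 0, 0]
STATE = [1, 0, 0, 0]
MESSAGE = [int(b) for b in "0100100001100101011011000110110001101111"]


def demo():
    """Encrypt, then let an attacker who knows the first 8 plaintext bits recover everything."""
    ks = lfsr_keystream(COEFFS, STATE, len(MESSAGE))
    ct = stream_xor(MESSAGE, ks)
    coeffs, state = recover_lfsr(MESSAGE[:8], ct[:8], 4)
    recovered = stream_xor(ct, lfsr_keystream(coeffs, state, len(ct)))
    return coeffs, state, recovered


if __name__ == "__main__":
    print(demo())
```

With these taps the register runs through all 15 non-zero states before repeating, the longest period a 4-bit LFSR can have, and still eight known bits are enough to break it: linearity, not period length, is the weakness. If the chosen window gives a singular system (it can, for an unlucky stretch of keystream), slide the window and try again.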

  23. One-time pad This is a variant of the Vigenère cipher over the binary alphabet. The key string is chosen as a uniformly random bit string at least as long as the bit string message (plaintext), and is used for one message only. This cipher has perfect secrecy (defined later). Very costly: the key is as long as the plaintext, must be delivered securely in advance, and can never be reused.

  24. One-time pad Suppose the key is the bit string k = (k1, …, km) and the plaintext is the bit string (x1, …, xm). Then e_k(x1, …, xm) = (x1 XOR k1, …, xm XOR km) and d_k(y1, …, ym) = (y1 XOR k1, …, ym XOR km). Note that (x XOR ki) XOR ki = x for all bits x, ki, so decryption undoes encryption.

  25. Security • Computational security: computationally hard to break; the best known attack requires super-polynomial computation (in the length of the key or ciphertext). • Provable security: security is reduced to a well-studied problem thought to be hard, e.g. factorization. • Unconditional security: no bound on computation; the cipher cannot be broken even with infinite computing power and space. The only way to break it is by “lucky” guessing.

  26. Some Probability Theory • The random variables X, Y are independent if Pr[X = x, Y = y] = Pr[X = x] · Pr[Y = y] for all values x of X and y of Y. • In general, Pr[X = x, Y = y] = Pr[X = x | Y = y] · Pr[Y = y] = Pr[Y = y | X = x] · Pr[X = x].

  27. Some Probability Theory • Bayes’ Law: Pr[x | y] = Pr[y | x] · Pr[x] / Pr[y] for all x, y with Pr[y] > 0. • Corollary: X, Y are independent random variables (r.v.) if and only if Pr[x | y] = Pr[x] for all x, y.

  28. Perfect secrecy A cryptosystem has perfect secrecy if Pr[x | y] = Pr[x] for all x in M and y in C (with Pr[y] > 0). That is, knowledge of the ciphertext y offers the adversary no advantage in determining the plaintext x: there is no advantage in eavesdropping.
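As an added example (not part of the slides), the definition of perfect secrecy checked by enumeration in Python, using the probability rules of slides 26 to 28: for a given plaintext distribution and key distribution the code tabulates Pr[x, y] (plaintext and key independent), derives Pr[y], then Pr[x | y] by Bayes' law, and tests Pr[x | y] = Pr[x] for every plaintext and every ciphertext that can occur. The two-bit one-time pad of slides 23 and 24 passes; a constructed "pad" that XORs one key bit onto both message bits does not. The skewed plaintext distribution is constructed for the example.

```python
from fractions import Fraction
from itertools import product


def posterior(plaintext_dist, key_dist, encrypt):
    """Return (Pr[y], Pr[x|y]) as dicts. Pr[x, y] = sum of Pr[x]*Pr[k] over the
    keys k with encrypt(x, k) = y; then Bayes' law gives Pr[x|y] = Pr[x, y] / Pr[y]."""
    joint = {}
    for x, px in plaintext_dist.items():
        for k, pk in key_dist.items():
            y = encrypt(x, k)
            joint[(x, y)] = joint.get((x, y), Fraction(0)) + px * pk
    prob_y = {}
    for (x, y), p in joint.items():
        prob_y[y] = prob_y.get(y, Fraction(0)) + p
    cond = {(x, y): p / prob_y[y] for (x, y), p in joint.items()}
    return prob_y, cond


def has_perfect_secrecy(plaintext_dist, key_dist, encrypt):
    """Slide 28: Pr[x|y] = Pr[x] for every x in M and every y with Pr[y] > 0.
    A pair (x, y) that can never occur has Pr[x|y] = 0, which also breaks the condition."""
    prob_y, cond = posterior(plaintext_dist, key_dist, encrypt)
    return all(cond.get((x, y), Fraction(0)) == plaintext_dist[x]
               for x in plaintext_dist for y in prob_y)


BITS2 = list(product((0, 1), repeat=2))

# Constructed, deliberately skewed plaintext distribution over two-bit messages.
PLAINTEXTS = {(0, 0): Fraction(1, 2), (0, 1): Fraction(1, 4),
              (1, 0): Fraction(3, 20), (1, 1): Fraction(1, 10)}

# One-time pad: uniformly random two-bit key, y = x XOR k bitwise (slide 24).
OTP_KEYS = {k: Fraction(1, 4) for k in BITS2}


def otp(x, k):
    return (x[0] ^ k[0], x[1] ^ k[1])


# Broken variant: a single random key bit XOR-ed onto both message bits.
REUSED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 2)}


def reused_pad(x, k):
    return (x[0] ^ k, x[1] ^ k)


if __name__ == "__main__":
    print("one-time pad perfect:", has_perfect_secrecy(PLAINTEXTS, OTP_KEYS, otp))
    print("reused bit perfect:  ", has_perfect_secrecy(PLAINTEXTS, REUSED_KEYS, reused_pad))
    print(posterior(PLAINTEXTS, REUSED_KEYS, reused_pad)[1][((0, 0), (0, 0))])
```

Exact fractions are used so that the equality test is meaningful. For the reused pad, seeing y = 00 raises the adversary's belief that x = 00 from 1/2 to 5/6, because only two plaintexts (00 and 11) can produce that ciphertext at all; for the one-time pad every ciphertext is equally likely whatever the plaintext, so the posterior equals the prior.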

  29. DES DES is a Feistel cipher. Block length 64 bits. Key length 56 bits (the key is written as 64 bits, of which 8 are parity bits). Ciphertext length 64 bits.

  30. DES It has a round function g for which g((L_{i-1}, R_{i-1}), K_i) = (L_i, R_i), where L_i = R_{i-1} and R_i = L_{i-1} XOR f(R_{i-1}, K_i). Here f is the DES inner function and K_i the 48-bit subkey of round i. DES runs 16 such rounds; because each round is invertible for any f (recover R_{i-1} = L_i and L_{i-1} = R_i XOR f(L_i, K_i)), decryption uses the same rounds with the subkeys in reverse order.

  31. DES round encryption

  32. DES inner function

  33. DES computation path

  34. Attacks on DES • Brute force over the 2^56 keys. • Linear cryptanalysis: a known-plaintext attack. • Differential cryptanalysis: a chosen-plaintext attack; modify plaintext bits and observe the change in the ciphertext. Neither analytic attack gives a dramatic improvement on brute force in practice: both need on the order of 2^43 to 2^47 plaintext/ciphertext pairs.

  35. Countering Attacks • A large keyspace combats brute-force attack. • Triple DES (say in EDE mode, with 2 or 3 keys). • Use AES.

  36. AES Block length 128 bits. Key lengths 128 (or 192 or 256) bits. AES is an iterated cipher with Nr = 10 (or 12 or 14) rounds, for the three key lengths respectively. In each round we have: • subkey mixing (AddRoundKey) • a substitution (SubBytes, a byte-wise S-box) • a permutation and diffusion step (ShiftRows and MixColumns; the final round omits MixColumns).

  37. Modes of operation Four basic modes of operation are available for block ciphers: • Electronic codebook mode: ECB • Cipher block chaining mode: CBC • Cipher feedback mode: CFB • Output feedback mode: OFB

  38. Electronic Codebook mode, ECB Each plaintext block xi is encrypted independently with the same key K: yi = e_K(xi). So, the naïve use of a block cipher: equal plaintext blocks give equal ciphertext blocks, which leaks the structure of the message.

  39. Figure: ECB (Electronic Code Book). Plaintext blocks x1, x2, x3, x4 are each enciphered with DES under the same key to give y1, y2, y3, y4.

  40. Cipher Block Chaining, CBC Each ciphertext block y_{i-1} is XOR-ed with the next plaintext block xi before encryption, giving the next ciphertext block yi = e_K(y_{i-1} XOR xi). The chain is initialized with an initialization vector y0 = IV, of length the block size. Decryption is xi = d_K(yi) XOR y_{i-1}.

  41. Figure: Cipher Block Chaining, CBC. IV is XOR-ed with x1 before DES; each later xi is XOR-ed with the previous ciphertext block before DES, giving y1, y2, y3, y4.

  42. Cipher and Output feedback modes (CFB & OFB) CFB: y0 = IV and recursively zi = e_K(y_{i-1}) and yi = xi XOR zi. OFB: z0 = IV and recursively zi = e_K(z_{i-1}) and yi = xi XOR zi. In both modes the block cipher is used only in the encrypting direction, as a keystream generator, and decryption recomputes zi and XORs it off. In CFB the keystream depends on the previous ciphertext block; in OFB it depends only on the key and IV, so an IV must never be reused with the same key (two messages would share a keystream).
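As an added example (not the slides' own code), a toy 16-bit Feistel cipher with the round structure of slide 30 and, on top of it, the four modes of operation of slides 38 to 44. The S-box, key schedule and rotation in the round function are invented for this example and give no real security; they only make the round function non-linear. What the code shows is structural: any round function f yields an invertible cipher, decryption runs the rounds with the subkeys reversed, ECB maps equal plaintext blocks to equal ciphertext blocks, and the chained modes do not.

```python
# 4-bit S-box (row 0 of DES S-box S1) used as a fixed nibble permutation.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
ROUNDS = 4
MASK8 = 0xFF


def f(r, k):
    """Round function on an 8-bit half: key mix, nibble substitution, rotate left by 3."""
    v = (r ^ k) & MASK8
    v = (SBOX[v >> 4] << 4) | SBOX[v & 0xF]
    return ((v << 3) | (v >> 5)) & MASK8


def subkeys(key32):
    """Toy key schedule: the four bytes of a 32-bit key, one per round."""
    return [(key32 >> (8 * i)) & MASK8 for i in range(ROUNDS)]


def encrypt_block(x, key32):
    """Slide 30: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i), for each round."""
    L, R = x >> 8, x & MASK8
    for K in subkeys(key32):
        L, R = R, L ^ f(R, K)
    return (L << 8) | R


def decrypt_block(y, key32):
    """Same rounds, subkeys reversed: R_{i-1} = L_i, L_{i-1} = R_i XOR f(L_i, K_i)."""
    L, R = y >> 8, y & MASK8
    for K in reversed(subkeys(key32)):
        L, R = R ^ f(L, K), L
    return (L << 8) | R


def ecb_encrypt(blocks, key):
    return [encrypt_block(x, key) for x in blocks]


def ecb_decrypt(blocks, key):
    return [decrypt_block(y, key) for y in blocks]


def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv                           # y_0 = IV
    for x in blocks:
        prev = encrypt_block(x ^ prev, key)      # y_i = e_K(x_i XOR y_{i-1})
        out.append(prev)
    return out


def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for y in blocks:
        out.append(decrypt_block(y, key) ^ prev)  # x_i = d_K(y_i) XOR y_{i-1}
        prev = y
    return out


def cfb_encrypt(blocks, key, iv):
    out, prev = [], iv                           # y_0 = IV
    for x in blocks:
        prev = x ^ encrypt_block(prev, key)      # z_i = e_K(y_{i-1}); y_i = x_i XOR z_i
        out.append(prev)
    return out


def cfb_decrypt(blocks, key, iv):
    out, prev = [], iv
    for y in blocks:
        out.append(y ^ encrypt_block(prev, key))  # only e_K is ever needed
        prev = y
    return out


def ofb_keystream(n, key, iv):
    z, out = iv, []                              # z_0 = IV, z_i = e_K(z_{i-1})
    for _ in range(n):
        z = encrypt_block(z, key)
        out.append(z)
    return out


def ofb_encrypt(blocks, key, iv):
    return [x ^ z for x, z in zip(blocks, ofb_keystream(len(blocks), key, iv))]


ofb_decrypt = ofb_encrypt   # XOR with the same keystream undoes encryption

# Constructed inputs: three identical blocks followed by a different one.
KEY, IV = 0x1A2B3C4D, 0x0F0F
BLOCKS = [0x4142, 0x4142, 0x4142, 0x4344]

if __name__ == "__main__":
    print("ECB:", [hex(b) for b in ecb_encrypt(BLOCKS, KEY)])       # repeated blocks visible
    print("CBC:", [hex(b) for b in cbc_encrypt(BLOCKS, KEY, IV)])   # no repetition
```

Note that CFB and OFB decryption never call decrypt_block: like the LFSR stream cipher earlier, they turn the block cipher into a keystream generator. In CBC a corrupted ciphertext block garbles its own plaintext and flips the corresponding bits of the next one, while in OFB it flips only the bits directly under it.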

  43. Figure: CFB mode. IV is enciphered with e_K and XOR-ed with x1 to give y1; y1 is then enciphered with e_K and XOR-ed with x2 to give y2.

  44. Figure: OFB mode. IV is enciphered with e_K repeatedly to produce the keystream blocks; each is XOR-ed with x1, x2 to give y1, y2.

  45. Public Key Cryptography Alice and Bob want to agree on a private (shared) key by communicating over a public channel.

  46. Public Key Cryptography Alice → Bob: g^a mod p. Bob → Alice: g^b mod p. The public values are p, g, g^a mod p and g^b mod p, where p is a prime and g is a generator of Z_p^* (the multiplicative group modulo p). The private values are a, which only Alice knows, and b, which only Bob knows (exponents in Z_{p-1}). The output is a shared key g^ab mod p = (g^b)^a = (g^a)^b mod p, which only Alice and Bob can compute: an eavesdropper sees g^a and g^b but not a or b, and recovering an exponent from g^a is the discrete logarithm problem, believed to be hard for large p.

  47. The RSA cryptosystem Let n = pq, where p and q are distinct primes. Let M = C = Z_n, and let e, d be such that ed ≡ 1 mod φ(n), where φ(n) = (p - 1)(q - 1). Define e_K(x) = x^e mod n and d_K(y) = y^d mod n, where x, y ∈ Z_n. Public key = (n, e); private key = (n, d). The factors p, q and φ(n) must also be kept secret, since any of them yields d from e.

  48. Check We have ed ≡ 1 mod φ(n), so ed = 1 + tφ(n) for some integer t. Therefore d_K(e_K(m)) = (m^e)^d = m^ed = m^(tφ(n)+1) = (m^φ(n))^t · m = 1^t · m = m mod n, using Euler's theorem m^φ(n) ≡ 1 mod n, which holds when gcd(m, n) = 1. (For the rare m that share a factor with n the identity m^ed ≡ m mod n still holds; it follows by checking it modulo p and modulo q separately and combining with the Chinese remainder theorem.)

  49. Example p = 101, q = 113, n = 11413. φ(n) = 100 × 112 = 11200 = 2^6 × 5^2 × 7. For encryption use e = 3533 (gcd(3533, 11200) = 1). Then d = e^-1 mod 11200 = 6597. Bob publishes n = 11413, e = 3533. Suppose Alice wants to encrypt 9726. She computes 9726^3533 mod 11413 = 5761. To decrypt it Bob computes 5761^6597 mod 11413 = 9726.

  50. Example: how to find d from e Use the Extended Euclidean Algorithm (EEA). EEA takes as input two positive integers a, b and outputs three integers s, t, d with d = gcd(a, b) and sa + tb = d. In our case take a = e and b = φ(n); since gcd(e, φ(n)) = 1 this gives se + tφ(n) = 1, i.e. se ≡ 1 mod φ(n). So d = s mod φ(n) (s itself may come out negative and must be reduced).
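As an added example (not the slides' code), slides 46 to 50 in Python: the extended Euclidean algorithm, RSA key generation that derives d from e with it, and the Diffie-Hellman exchange of slide 46 including a check that g really generates Z_p^*. The RSA numbers are those of slide 49; the Diffie-Hellman parameters p = 23, g = 5 and the exponents are constructed for the example and are far too small for real use.

```python
def extended_gcd(a, b):
    """Slide 50: returns (d, s, t) with d = gcd(a, b) and s*a + t*b = d."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(e, phi):
    """d with e*d = 1 mod phi. The s from the EEA may be negative, so reduce it."""
    d, s, _ = extended_gcd(e, phi)
    if d != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return s % phi


def rsa_keypair(p, q, e):
    """Slide 47: n = pq, phi(n) = (p-1)(q-1), public (n, e), private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, mod_inverse(e, phi))


def rsa_encrypt(x, public):
    n, e = public
    return pow(x, e, n)          # e_K(x) = x^e mod n


def rsa_decrypt(y, private):
    n, d = private
    return pow(y, d, n)          # d_K(y) = y^d mod n


def prime_factors(n):
    """Trial division; adequate for the small p - 1 used in this example."""
    factors, k = set(), 2
    while k * k <= n:
        while n % k == 0:
            factors.add(k)
            n //= k
        k += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q dividing p - 1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def diffie_hellman(p, g, a, b):
    """Slide 46: Alice publishes g^a, Bob publishes g^b; both derive g^(ab) mod p.
    Returns (g^a mod p, g^b mod p, shared key)."""
    if not is_generator(g, p):
        raise ValueError("g must generate Z_p^*")
    A, B = pow(g, a, p), pow(g, b, p)
    k_alice, k_bob = pow(B, a, p), pow(A, b, p)
    assert k_alice == k_bob    # (g^b)^a = (g^a)^b
    return A, B, k_alice


if __name__ == "__main__":
    public, private = rsa_keypair(101, 113, 3533)   # slide 49's numbers
    print(public, private)
    print(rsa_encrypt(9726, public), rsa_decrypt(5761, private))
    print(diffie_hellman(23, 5, 6, 15))
```

Slide 49's factorization of φ(n) = 2^6 × 5^2 × 7 is exactly what a real key generator checks e against: any e coprime to 11200, i.e. odd and divisible by neither 5 nor 7, has an inverse, and mod_inverse raises an error otherwise. The generator test in is_generator is the same "check every prime factor of p - 1" routine that a Diffie-Hellman parameter validator runs.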
