exercise in the previous class - PowerPoint PPT Presentation
Presentation Transcript
exercise in the previous class
  • give proof for the discussion in p.19

see http://apal.naist.jp/~kaji/lecture/

what we do, and what we do not in this class

cryptography is discussed in many contexts:

    • management
    • politics
    • history
    • philosophy
  • In this class, we focus on the technical aspects of cryptography.
terminology

encryption: E takes a plaintext p and produces the ciphertext c = E(p)

decryption: D takes a ciphertext c and recovers D(c)

plaintexts: make sense by themselves

ciphertexts: make no sense by themselves

  • cryptography = pair of E and D such that D(E(p)) = p
  • many variations and confusions on the words: crypto and cipher, text and data, cryptography and encryption are often used interchangeably

three types of cryptography
  • key-less cryptography
    • E(p) (resp. D(c)) is solely determined by p (resp. c).
    • no key ... the algorithms themselves must be kept secret
    • security relies on the “gap of wisdom” between the intended recipient and everyone else
    • “O, draconian devil” → “Leonardo da Vinci” (an anagram)
  • common-key cryptography
    • E and D must use the same key
  • public-key cryptography
    • E and D use different keys which are in a special relation
class plan
  • today: common-key cryptography
    • widely known algorithms
    • key agreement protocol
  • next: public-key cryptography
    • RSA
    • related algorithms

June 4 (MON): exercise

June 5 (TUE): test

common-key cryptography

also called symmetric-key cryptography, classic cryptography, ...

  • E (resp. D) takes two inputs: a key and a plaintext (resp. ciphertext)
    • E(k, p): the ciphertext of p encrypted with the key k
    • D(k, c): the plaintext of c decrypted with the key k
  • D(k, E(k, p)) = p, but D(k', E(k, p)) ≠ p if k' ≠ k

(figure: p is encrypted by E under key k1 to give c; D under key k2 returns p if k1 = k2, and something unrelated (“?”) if k1 ≠ k2)

substitution cipher

substitution cipher:

  • encrypt: replace characters in the plaintext by different characters
  • decrypt: apply the inverse replacement
  • key: the table of the character replacement

    plaintext:  A B C ... Y Z
    ciphertext: E K A ... Z G

  • the number of possible keys = 26! for the English alphabet

... too many to try even for today's computers (26! ≈ 4 × 10^26, about 88 bits)

  • but the statistics of the plaintext can be observed in the ciphertext
frequency attack

in a naive substitution cipher...

  • a given plaintext character is always replaced by the same ciphertext character
  • in much real data there is a bias in the frequencies of characters

in English...

  • characters such as “e”, “t”, “a”, and “s” occur frequently
  • so the characters which occur most frequently in a ciphertext are (probably) the replacements of these frequent characters

A.C. Doyle, 1903, The Adventure of the Dancing Men (Sherlock Holmes breaks a substitution cipher this way)

sketch of the frequency attack

  typical English texts (e.g. “information as a concept has many meanings the concept of information is”)
  letter frequencies in typical English: a 8.4%, b 1.5%, c 2.7%, d 3.8%

  ciphertext of an unknown text: zpunim gt oncuit utqvgwp gw h antaubz spgap nigqgthvvm cuigluw eino
  letter frequencies observed in the (long) ciphertext: h 8.6%, x 1.4%, a 2.8%, c 3.8%

  matching the frequencies suggests h → a, x → b, a → c, c → d

  (the unknown plaintext is “theory in modern english is a concept which originally derives from classical greek”)
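The substitution cipher and the frequency attack sketched above, as an added Python example that is not code from the slides: E and D are table lookups keyed by a permutation of the alphabet, and the attack ranks ciphertext letters by frequency and pairs them with a reference English frequency order. The sample plaintext, the seed, the reference order ENGLISH_ORDER and all function names are my own constructions.

```python
import random
from collections import Counter
from string import ascii_lowercase

# Assumed reference order of English letters, most frequent first
# (the slide only names e, t, a, s as the frequent ones).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"


def make_key(seed):
    """A substitution key is a permutation of the alphabet: the table maps each
    plaintext letter to its replacement (seeded so the example is repeatable)."""
    letters = list(ascii_lowercase)
    random.Random(seed).shuffle(letters)
    return dict(zip(ascii_lowercase, letters))


def encrypt(key, plaintext):
    """E(k, p): replace every letter by key[letter]; non-letters pass through."""
    return "".join(key.get(ch, ch) for ch in plaintext.lower())


def decrypt(key, ciphertext):
    """D(k, c): apply the inverse table."""
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext)


def letter_frequencies(text):
    """Relative frequency (percent) of each letter, most frequent first."""
    counts = Counter(ch for ch in text if ch in ascii_lowercase)
    total = sum(counts.values())
    return [(ch, 100.0 * n / total) for ch, n in counts.most_common()]


def frequency_attack(ciphertext, reference_order=ENGLISH_ORDER):
    """Guess a (partial) decryption table: the most frequent ciphertext letter is
    taken to be the replacement of the most frequent reference letter, and so on."""
    ranked = [ch for ch, _ in letter_frequencies(ciphertext)]
    return dict(zip(ranked, reference_order))


def score_guess(key, guess):
    """Number of ciphertext letters the guess decrypts correctly (key = true table)."""
    inverse = {c: p for p, c in key.items()}
    return sum(1 for c, p in guess.items() if inverse.get(c) == p)


# Constructed sample plaintext; 'e' is deliberately its most frequent letter.
SAMPLE = ("the secret message never reaches the enemy because every letter "
          "of the text keeps the same replacement")


def demo(seed=2012):
    """Encrypt SAMPLE under a seeded key and run the attack on the ciphertext."""
    key = make_key(seed)
    ct = encrypt(key, SAMPLE)
    return key, ct, frequency_attack(ct)


if __name__ == "__main__":
    key, ct, guess = demo()
    print("ciphertext:", ct)
    for ch, pct in letter_frequencies(ct)[:4]:
        print(f"{ch}: {pct:.1f}% -> guessed plaintext letter {guess[ch]!r}")
    print("correctly guessed letters:", score_guess(key, guess))
```

The top-ranked ciphertext letter is always recovered here because 'e' dominates the sample; lower-ranked letters in a short text are frequently mis-assigned, which is why a real attack refines the guess with digram statistics and trial decryption.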

many improvements

The vulnerability of the substitution cipher was well-known to cryptographers from early days...

many improvements were considered...

  • one-to-many substitution (homophones)
  • substitution of N-grams or words
  • use of multiple substitution tables
  • dynamically changing the substitution table

⇒ Enigma

Enigma
  • used by the German military in World War II
  • the substitution is determined by “rotor wheels”
  • the rotor wheels rotate as each character is processed, so the substitution table changes with every character

Enigma showed that machine power >> human power

DES (Data Encryption Standard)

  • developed in the US in the 70's to protect sensitive (unclassified) government and commercial data
  • not the “first-class” cryptography
    • “good security with reasonable cost”
  • insecure nowadays, but played an important role in cryptology

1973 NBS solicited encryption algorithms

1974 IBM submitted a candidate

1977 published as a federal standard

1997 NIST (formerly NBS) solicited the newer AES

encryption of DES

(figure: the DES encryption data path)

  • the 64-bit plaintext goes through the initial permutation IP, 16 rounds, and the inverse permutation IP^-1 to give the 64-bit ciphertext
  • after IP the block is split into a left half L0 and a right half R0 (32 bits each); round i (i = 1 ... 16) turns (L_{i-1}, R_{i-1}) into (L_i, R_i) using the round function f and the round key RK_i
  • the 56-bit key is expanded into 16 round keys RK1 ... RK16 of 48 bits each

Feistel structure
  • each round of DES has the Feistel structure:

    L_{i+1} = R_i
    R_{i+1} = L_i ⊕ f(R_i, RK_{i+1})

  • the Feistel structure is easy to invert if RK_{i+1} is provided correctly, even though f itself need not be invertible:

    R_i = L_{i+1}
    L_i = R_{i+1} ⊕ f(L_{i+1}, RK_{i+1})

  • the inversion can be done with the same Feistel mechanism (with left and right exchanged)

decryption of DES

(figure: the same data path as encryption, read with the ciphertext as input and the round keys applied in the reverse order RK16, RK15, ..., RK1)

  • IP, the 16 rounds of f, and IP^-1 are exactly as in encryption; only the order of the round keys is reversed

inside this box is the same as the encryption

⇒ one circuit is used for both encryption and decryption

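A toy Feistel network, added here as an illustration and not the DES implementation or code from the slides: the round function and key schedule are made-up stand-ins (no S-boxes, no DES permutations, a 64-bit key instead of 56), chosen only so the structural point is visible. The same feistel() routine decrypts when it is fed the round keys in reverse order, because each round is undone by L_i = R_{i+1} ⊕ f(L_{i+1}, RK_{i+1}), R_i = L_{i+1}, whatever f is.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(right, round_key):
    """f(R, RK): a toy 32-bit mixing function (assumed stand-in, NOT the DES f).
    Like DES's f it is not required to be invertible; only the Feistel wrapper is."""
    x = (right + round_key) & MASK32
    x ^= ((x << 7) | (x >> 25)) & MASK32      # rotate-xor
    x = (x * 0x9E3779B1) & MASK32             # multiply by an odd constant
    x ^= x >> 16
    return x


def round_keys(key, rounds=16):
    """Toy key schedule (assumed, not DES's): round key i is the low 32 bits of
    the 64-bit key rotated left by 3*i bits."""
    keys = []
    for i in range(rounds):
        rotated = ((key << (3 * i)) | (key >> (64 - 3 * i))) & MASK64
        keys.append(rotated & MASK32)
    return keys


def feistel(block, keys):
    """Run the rounds L_{i+1} = R_i, R_{i+1} = L_i XOR f(R_i, RK_{i+1}) for the
    given round keys, then swap the halves back (as DES does after round 16),
    so that running the same function with reversed keys is the inverse."""
    left, right = block >> 32, block & MASK32
    for rk in keys:
        left, right = right, left ^ round_function(right, rk)
    return (right << 32) | left


def encrypt(block, key):
    """Encryption: round keys RK1 ... RK16 in order."""
    return feistel(block, round_keys(key))


def decrypt(block, key):
    """Decryption: the identical circuit, round keys RK16 ... RK1."""
    return feistel(block, round_keys(key)[::-1])


if __name__ == "__main__":
    p, k = 0x0123456789ABCDEF, 0x133457799BBCDFF1   # constructed sample block and key
    c = encrypt(p, k)
    print(f"plaintext  {p:016x}")
    print(f"ciphertext {c:016x}")
    print(f"decrypted  {decrypt(c, k):016x}")
    print(f"wrong key  {decrypt(c, k ^ 1):016x}")
```

Because the inverse never needs f to be invertible, DES can use a compressing, non-bijective f (expansion, S-boxes, permutation) and still decrypt with the encryption hardware; the only thing the decryptor must get right is the order of the round keys.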
security of DES
  • theoretical attacks
    • differential cryptanalysis by Biham & Shamir (1990)
      • already investigated at the design phase of DES, so DES resists it fairly well
    • linear cryptanalysis by Matsui (1993)
      • the first attack to break DES experimentally faster than exhaustive search
  • exhaustive attacks
    • 22 hours, about 100K computers connected by network (1999)
    • 9 days, FPGA-based parallel machine (2006)

DES is not secure anymore!

rumor of DES

rumor, or urban legend: “the NSA must have planted a back door in DES”

NSA: National Security Agency

  • intelligence agency of the US
  • some of its activities are not revealed
  • involvement in the Echelon system

evidence?

  • the key length was shortened from the IBM proposal
  • some substitution tables (S-boxes) in DES were replaced by the NSA
  • the NSA already knew differential cryptanalysis

there is no way to verify what is true and what is not true...

AES and others
  • DES is no longer secure
  • there is no way to deny the bad rumor

⇒ newer and stronger cryptography is needed

1997 NIST solicited the Advanced Encryption Standard (AES)

15 candidate algorithms from 12 countries

1999 5 candidates passed the screening

2000 Rijndael, from Belgium, was selected as the winner

2001 published as a federal standard

There are many other algorithms: Blowfish, IDEA, Camellia...

key agreement

Any common-key cryptography faces one serious problem:

How can we share a key with a person at a remote place?

  • the sender and the receiver must have the same key
  • the key must not be known to anyone else

solution...

  • use an expensive but secure communication channel
    • secret agent, registered mail, pigeon, etc...
  • utilize a mathematical trick ⇒ key agreement protocol
key agreement protocol

We consider a protocol between two users A and B:

  • the communication channel is not secure
    • an attacker C can wiretap the communication, but does not modify data in the channel
  • after the protocol execution...
    • A and B know a certain piece of information in common
    • C does not know the information
Diffie-Hellman protocol

The Diffie-Hellman protocol

  • was proposed by Diffie & Hellman in 1976
  • makes use of the property that it is difficult to solve the discrete logarithm problem

preliminary

    • F_q = {0, ..., q - 1} with q a big prime number
    • g, a generator of F_q (any nonzero a ∈ F_q can be written as a = g^x mod q for some x)
    • discrete logarithm problem (DLP): “given q, g and a, determine x with a = g^x mod q”

example
  • F_7 = {0, 1, 2, ..., 6}
  • g = 3 is a generator of F_7

    powers of 3 mod 7:
      3^1 mod 7 = 3, 3^2 mod 7 = 2, 3^3 mod 7 = 6, 3^4 mod 7 = 4, 3^5 mod 7 = 5, 3^6 mod 7 = 1

    the answers of the DLP:
      log_3 1 = 6, log_3 2 = 2, log_3 3 = 1, log_3 4 = 4, log_3 5 = 5, log_3 6 = 3

no efficient algorithm for the DLP is known today

... for such a small q the problem is solved by exhaustive search, as in the table above

... but for a large q (a couple of thousand bits) even the best known algorithms are far beyond anyone's reach

the protocol

step 1: A and B agree on the prime q and the generator g (in public)

step 2a: A chooses a random x, and sends mA = g^x mod q to B

step 2b: B chooses a random y, and sends mB = g^y mod q to A

step 3a: A computes (mB)^x mod q = g^xy mod q

step 3b: B computes (mA)^y mod q = g^xy mod q

(figure: A and B determine q and g; A keeps x and sends mA = g^x mod q; B keeps y and sends mB = g^y mod q; both end up with g^xy mod q)

example

How can we compute 38^51 mod 197?

  • 51 = 32 + 16 + 2 + 1, so
    38^51 mod 197 = (38^32 mod 197) (38^16 mod 197) (38^2 mod 197) (38^1 mod 197) mod 197
  • 38^2n mod 197 = (38^n mod 197)^2 mod 197, so 38^1, 38^2, 38^4, 38^8, 38^16, 38^32 mod 197 are obtained by repeated squaring, and no intermediate value ever exceeds 197^2

with q = 197, g = 3:

  • A chooses x = 51 and sends mA = 3^51 mod 197 = 71
  • B chooses y = 55 and sends mB = 3^55 mod 197 = 38
  • A computes (mB)^x = 38^51 mod 197 = 122
  • B computes (mA)^y = 71^55 mod 197 = 122
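The Diffie-Hellman exchange with the slide's numbers (q = 197, g = 3, x = 51, y = 55), as an added Python example that is not code from the slides: modexp() is the square-and-multiply method of the example above, is_generator() checks the generator property, dlog_bruteforce() is the exhaustive search that works only for tiny q (it reproduces the F_7 table), and eavesdropper() plays C, who succeeds here precisely because 197 is tiny. The function names are my own.

```python
def modexp(base, exp, mod):
    """Square-and-multiply: base^exp mod mod, walking the binary expansion of exp
    (bit i set => multiply in base^(2^i), which is obtained by repeated squaring)."""
    result = 1
    base %= mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def is_generator(g, q):
    """g generates F_q^* iff g^1 ... g^(q-1) hit every nonzero residue (q assumed prime).
    Only feasible for small q; it is here to check the slide's choice g = 3."""
    return len({modexp(g, x, q) for x in range(1, q)}) == q - 1


def dlog_bruteforce(q, g, a):
    """Solve a = g^x mod q by exhaustive search over x = 1 ... q-1.
    Returns None if a is not in the group generated by g."""
    for x in range(1, q):
        if modexp(g, x, q) == a:
            return x
    return None


def diffie_hellman(q, g, x, y):
    """Run the protocol with A's secret x and B's secret y.
    Returns (mA, mB, keyA, keyB); keyA == keyB == g^(xy) mod q."""
    mA = modexp(g, x, q)       # step 2a: A -> B
    mB = modexp(g, y, q)       # step 2b: B -> A
    keyA = modexp(mB, x, q)    # step 3a: A computes (mB)^x
    keyB = modexp(mA, y, q)    # step 3b: B computes (mA)^y
    return mA, mB, keyA, keyB


def eavesdropper(q, g, mA, mB):
    """C sees only q, g, mA, mB. Recovering the key means solving the DLP for x;
    with a tiny q exhaustive search does it, with a large q it does not terminate."""
    x = dlog_bruteforce(q, g, mA)
    return None if x is None else modexp(mB, x, q)


def demo():
    """The slide's run: q = 197, g = 3, x = 51, y = 55, plus what C recovers."""
    q, g = 197, 3
    mA, mB, keyA, keyB = diffie_hellman(q, g, 51, 55)
    return mA, mB, keyA, keyB, eavesdropper(q, g, mA, mB)


if __name__ == "__main__":
    print("38^51 mod 197 =", modexp(38, 51, 197))
    print("3 generates F_7:", is_generator(3, 7))
    print("DLP table in F_7 (log_3 of 1..6):", [dlog_bruteforce(7, 3, a) for a in range(1, 7)])
    mA, mB, keyA, keyB, stolen = demo()
    print(f"mA={mA} mB={mB} keyA={keyA} keyB={keyB}; C recovers {stolen} because q is tiny")
```

dlog_bruteforce() does q - 1 modular exponentiations in the worst case; for a 2048-bit q that is about 2^2048 steps, which is the whole point of the protocol. In practice q, g and the exponent sizes come from standardised groups rather than being chosen ad hoc.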

security

Is the protocol secure?

(figure: the same exchange; C sees q, g, mA = g^x mod q and mB = g^y mod q on the channel, while x stays with A and y with B)

  • C learns q, g, mA and mB
  • C cannot know x and y unless he/she solves the DLP
  • C cannot know the value of the shared g^xy mod q (computing g^xy from g^x and g^y without x or y is believed to be as hard as the DLP, though this is not proven)

another security

What happens if the attacker does more than wiretapping?

  • C communicates with A pretending to be B
  • C communicates with B pretending to be A

A and B each communicate with C, believing that they are communicating with the legitimate partner; C ends up sharing one key with A and another with B, and can read and re-encrypt everything passing between them.

⇒ man-in-the-middle attack (the plain protocol gives A no way to check that mB really came from B)

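The man-in-the-middle attack described above as an added Python example (not from the slides): C replaces both public values with its own g^z mod q, so A and B each agree a key with C rather than with each other, and C can relay messages between them unnoticed. The secrets 51, 55 and 7, the toy multiplicative "cipher" used in relay() and the function names are my choices; pow(b, e, q) is Python's built-in modular exponentiation.

```python
def public_value(q, g, secret):
    """g^secret mod q, the value a party puts on the channel."""
    return pow(g, secret, q)


def honest_exchange(q, g, x, y):
    """No attacker: A computes (g^y)^x, B computes (g^x)^y, both get g^(xy) mod q."""
    return pow(public_value(q, g, y), x, q), pow(public_value(q, g, x), y, q)


def mitm_exchange(q, g, x, y, z):
    """C intercepts mA and mB and forwards its own mC = g^z mod q to both sides.
    Returns the keys each party ends up holding and the transcript on the wire."""
    mA = public_value(q, g, x)      # A -> (meant for B, intercepted by C)
    mB = public_value(q, g, y)      # B -> (meant for A, intercepted by C)
    mC = public_value(q, g, z)      # C -> A pretending to be B, C -> B pretending to be A
    keys = {
        "A": pow(mC, x, q),          # A: (mC)^x, believes mC is B's value
        "B": pow(mC, y, q),          # B: (mC)^y, believes mC is A's value
        "C_with_A": pow(mA, z, q),   # C: (mA)^z, equals A's key
        "C_with_B": pow(mB, z, q),   # C: (mB)^z, equals B's key
    }
    transcript = [("A->C", mA), ("C->B", mC), ("B->C", mB), ("C->A", mC)]
    return keys, transcript


def relay(keys, q, message):
    """C reads A's message and re-encrypts it for B. The 'cipher' is a stand-in
    (c = m * key mod q, undone with the modular inverse), not a real E(k, p);
    the point is that C holds the right key on each side."""
    from_a = message * keys["A"] % q                        # A encrypts under its key
    read_by_c = from_a * pow(keys["C_with_A"], -1, q) % q   # C decrypts with the same key
    to_b = read_by_c * keys["C_with_B"] % q                 # C re-encrypts for B
    seen_by_b = to_b * pow(keys["B"], -1, q) % q            # B decrypts and sees the message
    return read_by_c, seen_by_b


if __name__ == "__main__":
    q, g = 197, 3
    print("honest keys:", honest_exchange(q, g, 51, 55))
    keys, transcript = mitm_exchange(q, g, 51, 55, 7)
    print("on the wire:", transcript)
    print("keys held:", keys)
    print("C reads / B receives:", relay(keys, q, 42))
```

Neither A nor B can detect this from the values they see: every message is a legitimate-looking element of F_q. Defending against it needs something the slide's model does not provide, namely a way to authenticate mA and mB (a signature, a pre-shared secret, or a certificate), which is the job of the public-key tools in the next class.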
summary
  • classification of cryptography
    • key-less, common-key and public-key
  • common-key cryptography
    • substitution cipher
    • DES
  • key-agreement protocol
exercise

Decrypt the following ciphertext.

qiwaufmlyngcmwzyz c mcxaeyoqweocqyaocuwpwoqjwcqkeyogzkmmwe cod vyoqwezlaeqz, yoviyniqiakzcodzajcqiuwqwzlceqynylcqwyo c pceywqfajnamlwqyqyaoz. qiwaufmlyngcmwzicpwnamwqahwewgcedwdczqiwvaeud'zjaewmazqzlaeqznamlwqyqyaoviwewmaewqicoqvaikodewdocqyaozlceqynylcqw. qiwgcmwzcewnkeewoqufiwudwpwefqvafwcez, vyqizkmmwe cod vyoqweaufmlyngcmwzcuqweocqyog, cuqiakgiqiwfannkewpwefjakefwcezvyqiyoqiwyeewzlwnqypwzwczaocugcmwz.

about test
  • June 4 (Mon), 9:20AM, exercise
  • June 5 (Tue), 9:20AM, test, in this room
    • you can bring books, notes and copies of slides
    • you can bring a calculator and/or PC
    • the PC must be disconnected from the network: download all needed material before the test starts
    • books, notes, handouts, calculators, PCs ... anything may be brought in
    • the communication functions of PCs etc. may not be used

download the necessary material in advance