# exercise in the previous class - PowerPoint PPT Presentation

exercise in the previous class
• give proof for the discussion in p.19

see http://apal.naist.jp/~kaji/lecture/

### chapter 4: cryptography

what we do, and what we do not in this class

cryptography is discussed in many contexts:

• management
• politics
• history
• philosophy
• In this class, we focus on the technical aspects of cryptography.

terminology

[figure: encryption (暗号化) maps a plaintext p through E to the ciphertext c = E(p); decryption (復号) maps c through D back to D(c) = p]

plaintexts (平文, ひらぶん): make sense by themselves

ciphertexts (暗号文): make no sense by themselves

• cryptography (暗号) = pair of E and D such that D(E(p)) = p
• many variations and confusions on the words:

crypto ↔ cipher, text ↔ data, cryptography ↔ encryption

three types of cryptography

• key-less cryptography
  • E(p) (resp. D(c)) is solely determined by p (resp. c)
  • no key ... the algorithms must be kept secret
  • security relies on the “gap of wisdom” of the recipients
  • “O, draconian devil” → “Leonardo da Vinci”
• common-key cryptography
  • E and D must use the same key
• public-key cryptography
  • E and D use different keys which are in a special relation

class plan

• today: common-key cryptography
  • widely known algorithms
  • key agreement protocol
• next: public-key cryptography
  • RSA
  • related algorithms

June 4 (MON): exercise

June 5 (TUE): test

common-key cryptography

symmetric-key ―, classic ―, ...

• E (resp. D) takes two inputs: key and plaintext (resp. ciphertext)
• E(k, p): the ciphertext of p encrypted with the key k
• D(k, c): the plaintext of c decrypted with the key k
• D(k, E(k, p)) = p, but D(k’, E(k, p)) ≠ p if k’ ≠ k

[figure: p is encrypted by E under k1 to c, and c is decrypted by D under k2; the result is p if k1 = k2 and ? (garbage) if k1 ≠ k2]

substitution cipher

substitution cipher (換字暗号):

• encrypt: replace characters in plaintexts with different characters
• decrypt: do the inverse replacement of the encoding
• key: the table of the character replacement

| plaintext  | A | B | C | ... | Y | Z |
|------------|---|---|---|-----|---|---|
| ciphertext | E | K | A | ... | Z | G |

• the number of possible keys = 26! for the English alphabet

... too many even for today’s computers

• the statistics of the plaintexts can be observed in ciphertexts
frequency attack

in a naive substitution cipher...

• a character is always replaced by the same character
• in many kinds of data, the frequencies of characters are biased

in English...

• characters such as “e”, “t”, “a”, and “s” occur frequently
• characters which occur frequently in a ciphertext = replacements of the above four frequent characters

A.C. Doyle, 1903, The Adventure of the Dancing Men

sketch of the frequency attack

[figure: letter frequencies in typical English texts (sample: “information as a concept has many meanings the concept of information is ...”) compared with those in the ciphertext of an unknown text. For the plaintext letters a, b, c, d and the ciphertext letters h, x, a, c the slide gives the two rows of percentages 8.4%, 1.5%, 2.7%, 3.8% and 8.6%, 1.4%, 2.8%, 3.8%; the near match suggests h → a, x → b, a → c, c → d]

plaintext: theory in modern english is a concept which originally derives from classical greek

ciphertext of the unknown text: zpunim gt oncuit utqvgwp gw h antaubz spgap nigqgthvvm cuigluw eino
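The substitution cipher and the first step of the frequency attack, as an added example (not code from the lecture). The replacement table is reconstructed from the 20 letters that appear in the slide's sample (t → z, h → p, e → u, ...); the six letters the sample does not use (j, k, q, u, x, z) are assigned arbitrarily here, so the table is partly constructed.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Key = substitution table (plaintext letter -> ciphertext letter).
# Letters a..z map to the string below; the 20 pairs that occur in the
# slide's sample come from it, the other 6 (j, k, q, u, x, z) are constructed.
KEY = dict(zip(ALPHABET, "hxacueqpgdfvotnbjiwzklsrmy"))
assert sorted(KEY.values()) == list(ALPHABET)   # the table must be a permutation

def substitute(text, table):
    """Apply a replacement table letter by letter; other characters pass through."""
    return "".join(table.get(ch, ch) for ch in text)

def encrypt(plaintext, key=KEY):
    return substitute(plaintext, key)

def decrypt(ciphertext, key=KEY):
    # decryption = the inverse replacement
    inverse = {c: p for p, c in key.items()}
    return substitute(ciphertext, inverse)

def letter_counts(text):
    """Letter counts of a text, most frequent first: the statistic a naive
    substitution cipher leaks, because each plaintext letter is always
    replaced by the same ciphertext letter."""
    return Counter(ch for ch in text if ch in ALPHABET).most_common()

def frequency_guess(ciphertext, frequent_plain="etas"):
    """First step of the frequency attack: pair the most frequent ciphertext
    letters with the letters the slide names as frequent in English."""
    ranked = [ch for ch, _ in letter_counts(ciphertext)]
    return dict(zip(ranked, frequent_plain))

# the slide's sample (constructed input for this example)
PLAINTEXT = "theory in modern english is a concept which originally derives from"
CIPHERTEXT = "zpunim gt oncuit utqvgwp gw h antaubz spgap nigqgthvvm cuigluw eino"

if __name__ == "__main__":
    print(encrypt(PLAINTEXT) == CIPHERTEXT, decrypt(CIPHERTEXT) == PLAINTEXT)
    print(letter_counts(CIPHERTEXT)[:4])   # [('g', 7), ('u', 6), ...]
    print(frequency_guess(CIPHERTEXT))
```

On this 57-letter sample the most frequent ciphertext letter g stands for i and u for e, so the naive "most frequent = e" guess is wrong; the attack needs enough ciphertext for the statistics to settle.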

many improvements

The vulnerability (脆弱性) of the substitution cipher was well-known to cryptographers from early days...

many improvements were considered...

• one-to-many substitution
• substitution of N-grams or words
• use of multiple substitution tables
• dynamically change the substitution table

→ Enigma

Enigma

• used by the German military in World War II
• the substitution is determined by “rotor wheels”
• the rotor wheels rotate as each character is processed

[figure: rotor wheel illustration labelled A, B, C, D]

Enigma showed that machine power >> human power

DES (Data Encryption Standard)

• developed in the US in the 1970s to secure classified data
• not the “first-class” cryptography
• “good security with reasonable cost”
• insecure nowadays, but played an important role in cryptology

1973: NBS solicited (公募する) encryption algorithms
1974: IBM submitted a candidate
1977: published as a federal standard
1997: NIST (formerly NBS) solicited the newer AES
encryption of DES

[figure: the 64-bit plaintext passes through the initial permutation IP and is split into L0 and R0 (32 bits each); 16 rounds follow, round i turning (Li-1, Ri-1) into (Li, Ri) with the function f and the 48-bit round key RKi; the round keys RK1 ... RK16 are derived from the 56-bit key; after round 16 (L16, R16) passes through IP-1 to give the 64-bit ciphertext]

Feistel structure

• each round of DES has the Feistel structure

[figure: one round takes (Li, Ri) and the round key RKi+1, applies f, and outputs (Li+1, Ri+1)]

• the Feistel structure is easy to invert if RKi+1 is provided correctly
• the inversion can be done with the same Feistel mechanism (with left and right exchanged)

[figure: the inverse round takes (Ri+1, Li+1) and RKi+1, applies the same f, and outputs (Ri, Li)]

decryption of DES

[figure: the same circuit as the encryption, with the round keys applied in the reverse order RK16, RK15, ..., RK1: the ciphertext passes through IP, the 16 rounds with f, and IP-1 to give the plaintext]

inside this box is the same as the encryption

→ one circuit is used for both encryption and decryption
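A toy Feistel network in the shape of DES (64-bit block, two 32-bit halves, 16 rounds, 48-bit round keys from a 56-bit key), added here to show the two slides' claim in running code: the structure inverts itself when the round keys are fed in reverse order, whatever f is. This is not DES and not the lecture's code; the round function and key schedule are stand-ins constructed for the example.

```python
WIDTH = 32                            # half-block width, as in DES (64-bit block)
MASK = (1 << WIDTH) - 1
KEY_BITS, ROUND_KEY_BITS = 56, 48     # DES sizes from the slide

def toy_f(right, round_key):
    """Stand-in for the DES round function f (no expansion, S-boxes or
    permutation). It need not be invertible: the Feistel structure is
    inverted without ever inverting f."""
    x = (right ^ round_key) & MASK
    x = (x * 0x9E3779B1) & MASK
    return x ^ (x >> 15)

def toy_round_keys(key56):
    """Toy key schedule: 16 round keys of 48 bits, each cut from the 56-bit
    key after rotating it by one bit (DES uses fixed tables instead)."""
    keys = []
    for _ in range(16):
        key56 = ((key56 << 1) | (key56 >> (KEY_BITS - 1))) & ((1 << KEY_BITS) - 1)
        keys.append(key56 & ((1 << ROUND_KEY_BITS) - 1))
    return keys

def feistel(block64, round_keys):
    """16 rounds of L(i+1) = R(i), R(i+1) = L(i) xor f(R(i), RK(i+1)),
    followed by one extra swap of the halves. With that swap, feeding the
    round keys in reverse order runs the rounds backwards (the slide's
    'left and right exchanged' inversion), so one function is both the
    encryption and the decryption circuit."""
    left, right = (block64 >> WIDTH) & MASK, block64 & MASK
    for rk in round_keys:
        left, right = right, left ^ toy_f(right, rk)
    return (right << WIDTH) | left

def encrypt(block64, key56):
    return feistel(block64, toy_round_keys(key56))

def decrypt(block64, key56):
    # same circuit, round keys RK16 ... RK1
    return feistel(block64, toy_round_keys(key56)[::-1])

if __name__ == "__main__":
    key, block = 0x0123456789ABCD, 0x0123456789ABCDEF   # constructed sample values
    c = encrypt(block, key)
    print(hex(c), decrypt(c, key) == block, decrypt(c, key ^ 1) == block)
```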

security of DES

• theoretical attacks
  • differential analysis by Biham & Shamir (1990)
    • investigated at the design phase of DES...
  • linear analysis by Matsui (1993)
    • succeeded in breaking DES for the first time
• exhaustive attacks
  • 22 hours, 100K computers connected by network (1999)
  • 9 days, FPGA-based parallel machine (2006)

DES is not secure anymore!

rumor of DES

rumor, or urban legend: “NSA must have planted a back-door in DES”

NSA: National Security Agency

• intelligence agency of the US
• some activities not revealed
• commitment to the Echelon system

evidence?

• the key length was shortened from the IBM proposal
• some substitution tables in DES were replaced by NSA
• NSA already knew differential analysis

there is no way to verify what is true and what is not true...

AES and others

• DES is no longer secure
• there is no way to deny the bad rumor

→ newer and stronger cryptography is needed

1997: NIST solicited the Advanced Encryption Standard (AES); 15 candidate algorithms from 12 countries
1999: 5 candidates passed the screening
2000: Rijndael, from Belgium, was selected as the winner
2001: published as a federal standard

There are many other algorithms: Blowfish, IDEA, Camellia...

key agreement

Any common-key cryptography faces one serious problem:

How can we share a key with a person at a remote place?

• the sender and the receiver must have the same key
• the key must not be known to anyone else

solution...

• use an expensive but secure communication channel
  • secret agent, registered mail, pigeon, etc...
• utilize a mathematical trick → key agreement protocol

key agreement protocol

We consider a protocol between two users A and B:

• the communication channel is not secure
• an attacker C can wiretap (盗聴する) the communication, but does not modify data in the channel
• after the protocol execution...
  • A and B know a certain piece of information in common
  • C does not know the information

Diffie-Hellman protocol

Diffie-Hellman protocol:

• was proposed by Diffie & Hellman in 1976
• makes use of the property that it is difficult to solve the discrete logarithm problem

preliminary

• Fq = {0, ..., q – 1} with q a big prime number
• g, a generator of Fq (any nonzero a ∈ Fq is written as a = g^x mod q)
• discrete logarithm problem (DLP): “given q, g and a, determine x with a = g^x mod q”

example

• F7 = {0, 1, 2, ..., 6}
• g = 3 is a generator of F7

| a = 3^x mod 7 | 1 | 2 | 3 | 4 | 5 | 6 |
|---------------|---|---|---|---|---|---|
| x = log_3 a   | 6 | 2 | 1 | 4 | 5 | 3 |

(1 = 3^6, 2 = 3^2, 3 = 3^1, 4 = 3^4, 5 = 3^5, 6 = 3^3, all mod 7)

[figure: x plotted against a for this table, both axes 0 ... 6; the points show no pattern]

no smart algorithm known today

... the only means to solve the problem is by exhaustive search

... nobody can solve the problem if q is large (> thousands of bits)

the protocol

step 1: A and B agree on the prime q and the generator g (in public)
step 2a: A chooses a random x, and sends mA = g^x mod q to B
step 2b: B chooses a random y, and sends mB = g^y mod q to A
step 3a: A computes (mB)^x mod q = g^xy mod q
step 3b: B computes (mA)^y mod q = g^xy mod q

[figure: A and B determine q and g; A holds x and sends mA = g^x mod q; B holds y and sends mB = g^y mod q; both end up with g^xy mod q]

example

How can we compute 38^51 mod 197?

• 38^51 mod 197 = (38^32 mod 197) (38^16 mod 197) (38^2 mod 197) (38^1 mod 197) mod 197
• 38^(2n) mod 197 = (38^n mod 197)^2 mod 197

[figure: the chain 38^1, 38^2, 38^4, 38^8, 38^16, 38^32 mod 197, each obtained by squaring the previous one]

q = 197, g = 3

A: x = 51, mA = 3^51 mod 197 = 71
B: y = 55, mB = 3^55 mod 197 = 38
shared value: 122 = 38^51 mod 197 = 71^55 mod 197

security

Is the protocol secure?

• C finds q, g, mA and mB
• C cannot know x and y unless he/she solves the DLP
• C cannot know the value of the shared g^xy mod q

[figure: the protocol diagram again, with C observing q, g, mA = g^x mod q and mB = g^y mod q on the channel while x stays with A and y with B]
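The square-and-multiply computation of the 38^51 mod 197 slide, the F7 logarithm table, the protocol run with the slide's numbers (q = 197, g = 3, x = 51, y = 55), and what a wiretapper C would have to do, as an added example (not the lecture's code). The exhaustive-search DLP is the only method the slides credit; it finishes instantly for q = 197 and is hopeless for a q of thousands of bits.

```python
def modpow(base, exp, mod):
    """Square-and-multiply, the method of the 38^51 mod 197 slide:
    51 = 32 + 16 + 2 + 1, so 38^51 = 38^32 * 38^16 * 38^2 * 38^1 (mod 197),
    and each 38^(2n) mod 197 is obtained by squaring 38^n mod 197."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:                    # this power of two is in the exponent
            result = result * base % mod
        base = base * base % mod       # 38^1, 38^2, 38^4, 38^8, ...
        exp >>= 1
    return result

def is_generator(g, q):
    """g generates the nonzero elements of F_q iff g^1 ... g^(q-1) are all distinct."""
    return len({modpow(g, x, q) for x in range(1, q)}) == q - 1

def discrete_log_by_search(g, a, q):
    """DLP by exhaustive search: try x = 1, 2, ... until g^x = a (mod q).
    Up to q - 1 multiplications, which is why q must be large in practice."""
    value = 1
    for x in range(1, q):
        value = value * g % q
        if value == a % q:
            return x
    return None

def diffie_hellman(q, g, x, y):
    """Steps 2 and 3 of the protocol; returns (mA, mB, A's value, B's value)."""
    mA = modpow(g, x, q)               # A sends g^x mod q
    mB = modpow(g, y, q)               # B sends g^y mod q
    return mA, mB, modpow(mB, x, q), modpow(mA, y, q)

def wiretapper_value(q, g, mA, mB):
    """All C can do with the public values: recover x by solving the DLP,
    then compute g^xy exactly as A does. Feasible only because q is tiny."""
    return modpow(mB, discrete_log_by_search(g, mA, q), q)

if __name__ == "__main__":
    print({a: discrete_log_by_search(3, a, 7) for a in range(1, 7)})   # the F7 table
    print(diffie_hellman(197, 3, 51, 55))                              # (71, 38, 122, 122)
    print(wiretapper_value(197, 3, 71, 38))
```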

another security

What happens if the attacker does more than wiretapping?

• C communicates with A pretending to be B
• C communicates with B pretending to be A

A and B each communicate with C, believing that he/she is communicating with the valid counterpart.

→ man-in-the-middle attack (中間一致攻撃)

summary

• classification of cryptography
  • key-less, common-key and public-key
• common-key cryptography
  • substitution cipher
  • DES
• key-agreement protocol

exercise

Decrypt the following ciphertext.

qiwaufmlyngcmwzyz c mcxaeyoqweocqyaocuwpwoqjwcqkeyogzkmmwe cod vyoqwezlaeqz, yoviyniqiakzcodzajcqiuwqwzlceqynylcqwyo c pceywqfajnamlwqyqyaoz. qiwaufmlyngcmwzicpwnamwqahwewgcedwdczqiwvaeud'zjaewmazqzlaeqznamlwqyqyaoviwewmaewqicoqvaikodewdocqyaozlceqynylcqw. qiwgcmwzcewnkeewoqufiwudwpwefqvafwcez, vyqizkmmwe cod vyoqweaufmlyngcmwzcuqweocqyog, cuqiakgiqiwfannkewpwefjakefwcezvyqiyoqiwyeewzlwnqypwzwczaocugcmwz.