- polyalphabetic encipherment - xor as a cipher -...

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Post on 24-May-2020

Page 1: - Polyalphabetic encipherment - XOR as a cipher - …homepage.smc.edu/morgan_david/linux/a05ss-ExerciseBackg...monoalphabetic cipher *the substitution mapping, unlike that of Caesar

Real scripts – backgrounder 3
- Polyalphabetic encipherment
- XOR as a cipher
- RSA algorithm

David Morgan

XOR as a cipher

Bit element encipherment

• elements are 0 and 1
• use modulo-2 arithmetic

Example:

message stream:        1 0 0 0 1 1 0 1 1 1 0 0
key stream:            1 1 1 0 0 1 1 0 1 1 1 0
resulting ciphertext:  0 1 1 0 1 0 1 1 0 0 1 0

XOR - frequent appearances

XOR is often the operation when the data is binary

http://en.wikipedia.org/wiki/XOR_cipher

Binary XOR operation

XORing with 1:
1 XOR 1 is 0
0 XOR 1 is 1

XORing with 0:
1 XOR 0 is 1
0 XOR 0 is 0

• XORing a bit with 1 inverts it
• XORing a bit with 0 leaves it alone

XOR is mod2 addition

XORing with 1:        adding 1 mod2:
1 XOR 1 is 0          1 + 1 = 10 → 0
0 XOR 1 is 1          0 + 1 = 1

XORing with 0:        adding 0 mod2:
1 XOR 0 is 1          1 + 0 = 1
0 XOR 0 is 0          0 + 0 = 0

same thing

XOR twice with same bit leaves input as is

• by inverting twice (if XORing with 1)
  – changes it, changes it back, or
• by inverting never (if XORing with 0)

XORing twice with 1:
1 XOR 1 is 0, then 0 XOR 1 is 1
0 XOR 1 is 1, then 1 XOR 1 is 0

XORing twice with 0:
1 XOR 0 is 1, then 1 XOR 0 is 1
0 XOR 0 is 0, then 0 XOR 0 is 0

or: ( A XOR B ) XOR B = A

double XOR = alteration & restoration

input:         11000000 10101000 00000100 00000001
XOR with:      10111110 01001010 10111001 00001101
result:        01111110 11100010 10111101 00001100

above result:  01111110 11100010 10111101 00001100
again with:    10111110 01001010 10111001 00001101
above input:   11000000 10101000 00000100 00000001

XOR becomes a symmetric stream cipher

plaintext:   11000000 10101000 00000100 00000001
key:         10111110 01001010 10111001 00001101
ciphertext:  01111110 11100010 10111101 00001100

ciphertext:  01111110 11100010 10111101 00001100
same key:    10111110 01001010 10111001 00001101
plaintext:   11000000 10101000 00000100 00000001

XOR operation

• XORing key with plaintext yields ciphertext (that’s called encryption)
• XORing key with ciphertext yields plaintext (that’s called decryption)

and also

• XORing plaintext and ciphertext yields key

If key is random, so is ciphertext

plaintextA:  11000000 10101000 00000100 00000001
keyA:        10111110 01001010 10111001 00001101
ciphertext:  01111110 11100010 10111101 00001100

plaintextB:  01010110 11101010 00100001 01101001
keyB:        00101000 00001000 10011100 01100101
ciphertext:  01111110 11100010 10111101 00001100

The (single) ciphertext shown is representative of both plaintexts, given the corresponding key. A key can be constructed to convert any plaintext to this same ciphertext. The attacker must ask which key was actually used in order to arrive at the actual plaintext. If the key is produced randomly, he has no basis to choose any particular key, and therefore none to choose the actual one.

For unbreakability

• keystream must be as long as the plaintext
• keystream elements must be random
• same keystream must never be re-used
  – possession of 2 ciphertexts from same keystream facilitates recovering it
• same keystream must be shared by encryptor and decryptor
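The two preceding slides, worked through in code as an added example (not part of the original slides). It uses the slides' own 4-byte values to show that a key exists for any candidate plaintext, then shows what keystream re-use gives away; the function names and the two 12-byte messages are constructed for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR (addition mod 2) of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("keystream must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))

def bits(s: str) -> bytes:
    """Parse the slides' '11000000 10101000 ...' notation into bytes."""
    return bytes(int(octet, 2) for octet in s.split())

# Values copied from the slides.
PLAINTEXT_A = bits("11000000 10101000 00000100 00000001")
KEY_A       = bits("10111110 01001010 10111001 00001101")
PLAINTEXT_B = bits("01010110 11101010 00100001 01101001")
CIPHERTEXT  = bits("01111110 11100010 10111101 00001100")

# Constructed sample messages (hypothetical, equal length).
MSG1 = b"MEET AT NOON"
MSG2 = b"MEET AT DUSK"

def key_explaining(candidate: bytes, ciphertext: bytes) -> bytes:
    """The key under which `candidate` would encrypt to `ciphertext`.

    One exists for every candidate, so the ciphertext alone favours none."""
    return xor_bytes(candidate, ciphertext)

def reuse_one_keystream(p1: bytes, p2: bytes):
    """Encrypt two messages under ONE random keystream (the misuse case)."""
    keystream = secrets.token_bytes(len(p1))
    return xor_bytes(p1, keystream), xor_bytes(p2, keystream), keystream

def what_reuse_reveals(c1: bytes, c2: bytes, known_p1: bytes):
    """What a holder of both ciphertexts learns, with and without p1."""
    p1_xor_p2 = xor_bytes(c1, c2)         # keystream cancels: no key needed
    keystream = xor_bytes(c1, known_p1)   # plaintext XOR ciphertext = key
    p2 = xor_bytes(c2, keystream)         # second message falls out
    return p1_xor_p2, keystream, p2

if __name__ == "__main__":
    print("keyB rebuilt:", key_explaining(PLAINTEXT_B, CIPHERTEXT).hex())
    c1, c2, _ = reuse_one_keystream(MSG1, MSG2)
    diff, _, recovered = what_reuse_reveals(c1, c2, MSG1)
    print("c1 XOR c2   :", diff.hex())    # zero bytes where messages agree
    print("recovered p2:", recovered)
```
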

One-time pad

• this technique is called “one-time pad” (sometimes one-time tape or one-time key)
  – random keystreams were written on paper pads
  – each sheet to be used, torn off, and destroyed
  – paper tapes were used later
• it is the only unbreakable cipher
• unless misused
  – Soviet codes broken due to pad/keystream re-use (Venona project)

http://users.telenet.be/d.rijmenants/en/onetimepad.htm

XOR based one-time pad

• XOR needs a random stream producer
• rc4 is (nearly) that

rc4 – a stream cipher

rc4 serves as a keystream machine, an endless font of utility data

"RC4 generates a pseudorandom stream of bits (a keystream). As with any stream cipher, these can be used for encryption by combining it with the plaintext"
http://en.wikipedia.org/wiki/Rc4

How to achieve keystream sharing

• physically secure hand delivery
• rc4 keystream reproducible on demand with a given key
  – don’t share the keystream, share the key that produces it
  – shifts (and reduces) the keystream distribution problem to a key distribution problem
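Sharing the key instead of the keystream, as an added example (not part of the original slides): both sides run the standard RC4 key schedule and generator on the same short key and obtain the same keystream. The function names and the sample key and message are chosen for illustration.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return the first `length` keystream bytes RC4 produces for `key`."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: permute 0..255 under control of the key.
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) % 256
        state[i], state[j] = state[j], state[i]
    # Pseudo-random generation algorithm: one keystream byte per step.
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) % 256])
    return bytes(out)

def rc4_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 keystream; the same call encrypts and decrypts."""
    keystream = rc4_keystream(key, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))

if __name__ == "__main__":
    shared_key = b"Key"          # constructed sample key: the only shared secret
    message = b"Plaintext"       # constructed sample message
    # Sender: derives the keystream locally and XORs it with the message.
    ciphertext = rc4_xor(shared_key, message)
    # Receiver: derives the identical keystream from the same key.
    recovered = rc4_xor(shared_key, ciphertext)
    print(ciphertext.hex(), recovered)
```

Because the keystream is a pure function of the key, sending two messages under the same RC4 key is keystream re-use. RC4 output also has known statistical biases, which is one reason it is only "(nearly)" a random stream producer.
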

Polyalphabetic encipherment

Demo – trying to thwart frequency analysis

• plain text exhibits letter frequency patterns
• monoalphabetic substitution preserves patterns
• polyalphabetic substitution destroys them

Occurrence of English letters

Occurrence of letters: Gettysburg address

http://www.mtholyoke.edu/courses/quenell/s2002/crypto/js/count.html

Occurrence of letters: Gettysburg address thru (monoalphabetic) Caesar cipher

Letters changed but statistical pattern preserved

Occurrence of letters: Gettysburg address thru differently sequenced* monoalphabetic cipher

*the substitution mapping, unlike that of Caesar cipher, doesn’t preserve the letters in the same sequence as that of the alphabet. They’re all there, but in reassigned positions.

This mapping was: bdfhjlnprtvxzacegikmoqsuwy

e became j, t became m, etc. (seen in both the mapping and the chart)

Polyalphabetic* ciphering
Vigenere table, mod26 arithmetic helper

  | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
--+----------------------------------------------------
A | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B | B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C | C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D | D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E | E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F | F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G | G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H | H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I | I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J | J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K | K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L | L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M | M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N | N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O | O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P | P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q | Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R | R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S | S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T | T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U | U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V | V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W | W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X | X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y | Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z | Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

*use many alphabets--different ones for determining what to substitute for each letter in the plaintext. Without resequencing letters, there are 25 other alphabets readily available.

How many alphabets exist, altogether, if we do allow resequencing?

26*25*24*… = 26! = 4.03 x 10^26

encrypt - take plaintext letter in the column header, key letter in row header. Ciphertext letter at intersection.

decrypt - take key letter in the row header, find ciphertext letter in that row. Plaintext letter at that column's header.

Occurrence of letters: Gettysburg address thru polyalphabetic ciphers

Letters changed and statistical pattern destroyed

Each time you remap a letter:
– shift mapping alphabet fwd 1 letter, or
– shift mapping alphabet back 1 letter, or
– randomly generate a whole new one
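The Vigenere table lookup and the frequency comparison from the slides above, as an added example (not part of the original slides). The table is implemented as mod-26 addition, the "shift fwd 1 letter each time" scheme is a Vigenere key of A..Z, and the sample text is the opening of the Gettysburg address; function names are chosen for illustration.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Sample input: opening of the Gettysburg address (public domain).
SAMPLE = (
    "Four score and seven years ago our fathers brought forth on this "
    "continent, a new nation, conceived in Liberty, and dedicated to the "
    "proposition that all men are created equal. Now we are engaged in a "
    "great civil war, testing whether that nation, or any nation so "
    "conceived and so dedicated, can long endure."
)

def letters(text: str) -> str:
    """Keep A-Z only, upper-cased, as the table has no other symbols."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Table lookup: column = plaintext letter, row = key letter.

    The intersection is (plaintext + key) mod 26; decryption subtracts."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(letters(text)):
        shift = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * shift) % 26])
    return "".join(out)

def caesar(text: str, shift: int) -> str:
    """Monoalphabetic: the same table row for every letter."""
    return vigenere(text, ALPHABET[shift % 26])

def progressive(text: str) -> str:
    """Polyalphabetic: shift the mapping alphabet fwd 1 letter each time."""
    return vigenere(text, ALPHABET)

def profile(text: str) -> list:
    """Letter counts sorted high to low: the shape of the frequency chart."""
    return sorted(Counter(letters(text)).values(), reverse=True)

def index_of_coincidence(text: str) -> float:
    """Chance that two letters drawn from the text are equal.

    About 0.067 for English, about 0.038 for uniformly random letters."""
    counts = Counter(letters(text))
    n = sum(counts.values())
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))

if __name__ == "__main__":
    for name, text in [("plaintext", SAMPLE),
                       ("caesar +3", caesar(SAMPLE, 3)),
                       ("progressive", progressive(SAMPLE))]:
        print(f"{name:12s} IC={index_of_coincidence(text):.4f} "
              f"top counts={profile(text)[:5]}")
```
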

RSA

Several algorithms with “public-key properties”

• RSA        Rivest, Shamir, Adleman; MIT
• ElGamal    Taher ElGamal, Netscape
• DSA        NSA, NIST

RSA key generation steps

1. choose 2 primes                              call them p, q
2. multiply them                                call product n
3. multiply their “predecessors” (p-1,q-1)      call product φ
4. pick some integer                            call it e
   – between 1 and φ (exclusive)
   – sharing no prime factor with φ
5. find the integer (there’s only one) that     call it d
   – times e divided by φ leaves 1

then your keys are:
   – public: e together with n (e is for “encryption”)
   – private: d together with n (d is for “decryption”)

Encrypting with public key {e,n}
( c = m^e mod n )

1. choose a cleartext message                   call it m
   – in the form of a number less than n
2. raise it to power e
3. divide that by n                             call remainder c

then your ciphertext result is c

Decrypting with private key {d,n}
( m = c^d mod n )

1. take ciphertext c
2. raise it to power d
3. divide that by n                             call remainder r

then your recovered result is r
   – r is identically the original cleartext message m

How will we do keygen step 4?

1. choose 2 primes                              easy
2. multiply them                                easy
3. multiply their “predecessors” (p-1,q-1)      easy
4. pick some integer e                          not easy
   – between 1 and φ (exclusive)
   – sharing no prime factor with φ
5. find the integer d (there’s only one) that   not easy
   – times e divided by φ leaves 1

then your keys are:
   – public: e together with n (e is for “encryption”)
   – private: d together with n (d is for “decryption”)

Numbers sans common prime factor

• numbers whose gcd* is 1 will do
• find x such that gcd(x, φ)=1
• how do we find gcd of 2 numbers
  – Euclid’s algorithm

*greatest common divisor

How will we do keygen step 5?

1. choose 2 primes                              easy
2. multiply them                                easy
3. multiply their “predecessors” (p-1,q-1)      easy
4. pick some integer e                          not easy
   – between 1 and φ (exclusive)
   – sharing no prime factor with φ
5. find the integer d (there’s only one) that   not easy
   – times e divided by φ leaves 1

then your keys are:
   – public: e together with n (e is for “encryption”)
   – private: d together with n (d is for “decryption”)

Successively test candidates

• multiply each integer, from 1, by e
• divide by φ
• check if remainder is 1
• keep going till you find the one that is

RSA key generation example

1. choose 2 primes                              p=5 q=11
2. multiply them                                n=55
3. multiply their “predecessors” (p-1,q-1)      φ=40
4. pick some integer                            e=3
   – between 1 and φ (exclusive)
   – sharing no prime factor with φ
5. find the integer (there’s only one) that     d=27
   – times e divided by φ leaves 1

then your keys are:
   – public: e together with n                  3, 55
   – private: d together with n                 27, 55

Encrypting with public key {e,n}
( c = m^e mod n )

e = 3
n = 55

1. choose a cleartext message                   m=7
   – in the form of a number less than n
2. raise it to power e                          7^3 = 343
3. divide that by n                             343 = 55x6+13

then your ciphertext result is c                c=13

Decrypting with private key {d,n}
( m = c^d mod n )

d = 27
n = 55

1. take ciphertext c                            13
2. raise it to power d                          13^27 = 1192533292512492016559195008117
3. divide that by n                             1192533292512492016559195008117 = 55 x 2497646399408352339319763167 + 7

then your recovered result is r                 r=7
   – r is identically the original cleartext message m

How to encrypt messages?

• RSA doesn’t encrypt “messages”
• only individual numbers
• but all digital data is numeric
• so split arbitrary data into “small-enough” bit blocks, then treat them individually
• how?
  – any way it can be done, doesn’t matter in theory
  – up to you

Blocking data - possibility 1

• RED APPLE = 826968326580807669
• use 3-decimal-digit blocks
• separately encrypt: 826 968 326 580 807 669
• be prepared for maximum ~ 999
• minimum φ 1000, eg p=31 q=37

Blocking data - possibility 2

• ABC = 01000001 01000010 01000011
• use 12-bit blocksize
• separately encrypt: 010000010100 001001000011
• be prepared for maximum – 4096
• minimum φ 4097, eg p=67 q=71
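The key generation steps, the p=5 q=11 example and "blocking possibility 1" carried through in code, as an added example (not part of the original slides). Step 4 uses Euclid's algorithm and takes the smallest valid e, step 5 tests candidates successively as the slides describe; function names are chosen for illustration, and the text encoding assumes every character has a two-digit decimal code, as in RED APPLE.

```python
def gcd(a: int, b: int) -> int:
    """Euclid's algorithm."""
    while b:
        a, b = b, a % b
    return a

def keygen(p: int, q: int):
    """Steps 1-5 from the slides; p and q must be distinct primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    # Step 4: smallest e between 1 and phi sharing no prime factor with phi.
    e = next(x for x in range(2, phi) if gcd(x, phi) == 1)
    # Step 5: successively test candidates until (d * e) mod phi leaves 1.
    d = next(x for x in range(1, phi) if (x * e) % phi == 1)
    return (e, n), (d, n)

def encrypt(m: int, public_key) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message number must be less than n")
    return pow(m, e, n)            # c = m^e mod n

def decrypt(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)            # m = c^d mod n

def to_blocks(text: str, width: int = 3) -> list:
    """'RED APPLE' -> '826968326580807669' -> [826, 968, 326, ...]."""
    if any(not 10 <= ord(ch) <= 99 for ch in text):
        raise ValueError("this toy encoding needs two-digit character codes")
    digits = "".join(str(ord(ch)) for ch in text)
    if len(digits) % width:
        raise ValueError("digit string does not split into whole blocks")
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]

def from_blocks(blocks, width: int = 3) -> str:
    """Inverse of to_blocks: re-pad each block, then read 2-digit codes."""
    digits = "".join(f"{b:0{width}d}" for b in blocks)
    return "".join(chr(int(digits[i:i + 2])) for i in range(0, len(digits), 2))

def encrypt_text(text: str, public_key) -> list:
    return [encrypt(b, public_key) for b in to_blocks(text)]

def decrypt_text(cipher_blocks, private_key) -> str:
    return from_blocks([decrypt(c, private_key) for c in cipher_blocks])

if __name__ == "__main__":
    public, private = keygen(5, 11)
    print("slide example:", public, private, encrypt(7, public))
    public, private = keygen(31, 37)     # n = 1147 covers blocks up to 999
    cipher = encrypt_text("RED APPLE", public)
    print("cipher blocks:", cipher)
    print("recovered    :", decrypt_text(cipher, private))
```

Each block encrypts deterministically, so equal plaintext blocks always give equal ciphertext blocks, the same pattern-preserving behaviour the earlier slides show for monoalphabetic substitution. Deployed RSA encryption adds randomized padding (for example OAEP) before exponentiation for that reason.
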

Some considerations

• RSA “key size” – refers to n
• p and q should be about equal length
• but not extremely close (eg avoid successive primes)
• larger key, slower operation
  – double n → pubkey ops 2x slower, privkey 4x
  – e can stay fixed while n rises, but d up proportionately
• practical keylengths, 1024 or 2048 bits
• RSA and DES per-keylength security comparisons apples and oranges

http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/how-large-a-key-should-be-used.htm

Info sources - RSA

• RSA and “A Miniature RSA Example”
  http://www.informit.com/articles/article.aspx?p=102212&seqNum=4
• “Exploring RSA Encryption,” Linux Journal
  http://www.linuxjournal.com/article/6695