biomedical securityliacs.leidenuniv.nl/~bakkerem2/ibs/02_algorithms_and... · 2017. 9. 15. ·...
TRANSCRIPT
-
9/15/2017
1
Biomedical SecurityErwin M. Bakker
Overview
Cryptography: Algorithms
Cryptography: Protocols
Pretty Good Privacy (PGP) / B. Schneier Workshop
Biomedical Security
Biomedical Application Security (guest lecture by Dr. Erik van der Kouwe
Student Presentations
Student Presentations
Grading: Class participation, assignments, technical paper (4 pages), and presentation(s)
-
9/15/2017
2
Cryptography: Sharing Secrets
CAESAR a substitution cipher
Secret Key: 3
Plain Text: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher Text: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
https://www.theregister.co.uk/2006/04/19/mafia_don_clueless_crypto/
Mafia boss Bernardo Provenzano's cipher: ‘A’ -> 4, ‘B’ -> 5, etc.
In April 2006, Provenzano was captured in Sicily partly because
messages encrypted using his cipher, were broken.
DWWDFFKL E3(HELP) = KHOSD3(KHOS) = HELP D3 = E26-k
Cryptography: Sharing Secrets
Alice Bob
Eve
C = EK (‘HELLO BOB’)
Secret key K
DK (C) = ‘HELLO BOB’
Secret key K
Crypto-text C
Crypto-Analyst Eve
• Crypto-text only
• Known Plaintext
• Chosen Plaintext
K?
-
9/15/2017
3
Enigma
Encryption as a product of permutations:
P the plug-board transformation
U the reflector
L, M, and R the three rotors
Then encryption is E = PRMLUL-1M-1R-1P-1
After each key press the rotors turn i positions changing the
transformation: R becomes CiRC-i, where C is the cyclic permutation
(A->B, B-> C, etc. …)
the military Enigma has
158,962,555,217,826,360,000 settings
http://enigmamuseum.com/replica/https://en.wikipedia.org/wiki/Enigma_machine
ONE-TIME PAD
A crypto system with perfect secrecy
Plaintext: 01000110101110100110
Key: 11010100001100010010
Crypto-text: 10010010100010110100
Uses XOR for both encryption and decryption.
-
9/15/2017
4
Classical Symmetric or Two-way Crypto
Systems
A shared secret key K used for both encryption as well as decryption.
Plaintext P
Crypto-text C
C = EK(P)
P = E-1K(C)=DK(C)
Classical Symmetric Crypto System:
Data Encryption Standard (DES)
March 17, 1975 published by the National Bureau of Standards (NBS)
NSA reduced key-size from the original 128-bit to 56-bit
At the time NSA studied it and said it was secure to use as a standard SKCS.
Next government standard was classified: Skipjack
Block cipher encrypting data in 64-bit blocks
Key length 56-bits
16 rounds: in each round a substitution followed by a permutation
-
9/15/2017
5
IBM’s Cipher LUCIFER
designed by H. Feistel and
D. Coppersmith in 1973 used
Feistel Networks for encryption
and decryption.
LUCIFER is one of the first
commercial block ciphers
on which DES is based.
-
9/15/2017
6
Encryption in DES
12Classical Symmetric Crypto System:
International Data Encryption Algorithm (IDEA)
IDEA is a Block Cipher designed by X. Lai and J. Massey in 1990. Revised in 1991 to withstand differential cryptanalysis.
Block Length
64-bit Data Blocks Is considered safe against statistical attacks. Cipher Feedback Mode enhances cryptographic strength.
128-bit Key
Safe against brute-force attacks.
Good Confusion
By using three operations: XOR, Addition mod 216, Multiplication mod 216+1 (compare with DES: XOR, small S-Boxes)
Good Diffusion
Every plaintext bit and every key-bit influences every ciphertextbit.
-
9/15/2017
7
13 Symmetric Cryptosystem: BLOWFISH
Blowfish is a symmetric block cipher
designed by Bruce Schneier in 1993.
Block Length
64-bit data blocks encrypted in 64-bit ciphertext Blocks.
Key Length
32- 448 bits (1 to 14 32-bit key-blocks).
Variable Security
Key generates 18 32-bit subkeys, and 4 8x32 bit S-boxes.
The algorithm itself is used for this.
Fast, simple, and compact
On a 32-bit processor: 18 clock cycles per encrypted bye.
Uses less than 5K of memory (was too big for smart-cards).
14
-
9/15/2017
8
15 Rivest Cipher 5 (RC5)
RC5 is a block-cipher by R. Rivest in 1994.
Efficient Hard and Software Implementations
Simple structure, simple operations, low memory requirements, fast and simple implementations.
Variable Word Length:
w = 16, 32,or 64 Length of the plaintext blocks is 2w
Variable Key-Length
b = 0,..,255 bytes
Variable Security
Depending on the parameters, number of rounds: r = 0,..255
Data-Dependent Rotations
Circular Bit Shifts. RC5-w/r/b = RC5-32/12/16 considered to have “Nominal” Security. Incorporated in the products BSAFE, JSAFE, and S/MAIL of RSA Data Security, Inc.
16
Rivest Cipher 5 (RC5) Modes
Block Cipher Mode
Cipher Block Chaining Mode
RC5-CBC-Pad
RC5-CTS Ciphertext Stealing
Mode: CBC style.
-
9/15/2017
9
17 CAST-128
A symmetric encryption cipher by
C. Adams and S. Tavares in 1997.
Uses four primitive operations
addition and substraction mod 232, XOR, left circular rotations.
Uses fixed non-linear S-boxes, also for sub-key generation.
A function F is used with good confusion, diffusion, and
avalanche properties.
its strength is based on the S-boxes. F differs per round.
increase of strength of CAST-128 using more rounds is not (yet) demonstrated.
64-bits data blocks
40- 128-bits key
CAST-128 is used in PGP.
18 Rivest Cipher 2 (RC2)
A symmetric encryption cipher by
R. Rivest in 1997.
Designed for 16-bit microprocessors
Uses 6 primitive operations
addition and subtraction mod 232, XOR, COMPL, AND, and Left
Circular Rotation.
No Feistel Structure.
18 rounds: 16 mixing rounds, and 2 mashing rounds.
64-bits data blocks
8 - 1024-bits key
RC2 is used in S/MIME with 40-, 64-, and 128-bits keys.
-
9/15/2017
10
19 Characteristics of Advanced Symmetric Block
Ciphers
Variable Key Length Blowfish, RC5, CAST-128, and RC2
Mixed Operators
Data-Dependent Rotation An alternative to S-boxes. No dependence
on sub-keys. RC5.
Key-Dependent Rotation CAST-128
Key-Dependent S-Boxes Blowfish
Lengthy Key Schedule Algorithm Against brute-force attacks. Blowfish
Variable F to complicate cryptanalysis. CAST-128
20 Advanced Symmetric Block Ciphers
Variable Plaintext/Ciphertext Block Length
For convenience and cryptographic strength (longer blocks
is better) RC5
Variable Number of Rounds
More rounds increase cryptographic strength. Trade-off
between execution time and security. RC5
Operation on Both Data Halves in Each Round
AES, IDEA, Blowfish, and RC5
-
9/15/2017
11
Advanced Encryption Standard (AES)
Block-size: 128
Key-sizes: 128, 192, 256
NIST Specification 2001
Origin: a subset of 3 out of the Rijndael Cipher by V. Rijmen and J. Daemen
(NIST paper 2003)
Substitution-permutation network
From the cipher key the keys per round are derived.
Each round
has a non-linear substitution step implemented using a lookup table
Followed by transposition using cyclic shifts
And a mixing step on the columns of the internal state matrix.
The round ends with an add key operation.
Public Key Crypto Systems
Idea by Diffie and Hellman [1976]
Encryption method made public.
Decryption method kept secret.
Closely related to the idea of cryptographic one-way functions:
f(x)xeasy
intractable
But there exists a trapdoor that makes it easy to calculate x given f(x).
Note: No known cryptographic one-way functions. Only likely to be intractable!
-
9/15/2017
12
Public Key Crypto System: RSA
Key Generation
Select p, q, both primes.
Calculate n = p * q
Calculate φ(n) = (p-1)(q-1)
Select integer e, such that gcd(φ(n) ,e) =1, and 1< e< φ(n)
Calculate d, such that d = e-1 mod φ(n)
Public key is (e, n)
Secret key is (d, n)
Encryption of plaintext M < n
C = Me mod n
Decryption of ciphertext/crypto-text C
M = Cd mod n
Public Key Crypto System: RSA Example
Key Generation
p= 5, q = 11
=> n = p x q = 5x11 = 55 and φ(n) = (p-1)(q-1) = 4x10 = 40
e = 7, is such that gcd(φ(n) ,e) = gcd(40,7) = 1 and clearly 1< 7 < φ(n)
then d = 23 = e-1 mod φ(n) as 7x23 mod 24 = 161 mod 40 ≡ 1
Public key is (7, 55)
Secret key is (23, 55)
Encryption of plaintext M = 3 < n = 55
C = Me mod n = 27 mod 55 = 128 mod 55 = 18 mod 55 ≡ 18
Decryption of ciphertext/crypto-text C
now Cd mod n = 1823 mod 55 = 223x346mod 55 = 4x18x18x18x36mod 55 =
32 x 312mod 55 = 32x263mod 55 = 2x18x133mod 55 = 79092 mod 55 =
1438x55 +2 mod 55 = 2 mod 55 ≡ 2 = M
-
9/15/2017
13
RSA Chosen Ciphertext Attack
Note for RSA: Ee(M1)xEe(M2) = Ee(M1xM2)
Assume (e,n) is the public keys and (d,n) the private key.
Assume C ≡ Me mod n is intercepted.
Chosen Ciphertext attack:
Compute X ≡ (C x 2e) mod n
Submit X as a chosen ciphertext and receive back Y ≡ Xd mod n
X ≡ (C x 2e) mod n = (C mod n) x (2e mod n) = (Me mod n) x (2e mod n) = (2M)e mod n
Thus Y ≡ Xd mod n = (2M)ed mod n = 2M mod n
Unsafe Modes of RSA
Unsafe primes, etc.
D. Boneh et al. Why Textbook ElGamal and RSA Encryption Are Insecure, T.
Okamoto (Ed.): ASIACRYPT2000, LNCS 1976, pp. 30–43, 2000:
without proper preprocessing of the plaintexts, both E lGamal and RSA encryption are fundamentally insecure.
when these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext.
Conclusion: Preprocessing messages prior to encryption is an essential
part of both systems.
Optimal Asymmetric Encryption Padding (OAEP)
Introduced by Bellare and Rogaway in 1994.
-
9/15/2017
14
Safe Mode of
RSA
Optimal Asymmetric Encryption Padding (OAEP)
Introduced by Bellare and Rogaway in 1994.
Note:
We can randomly pad the plaintext prior to
encryption,
Then for this adapted version of RSA:
ξe(M1)x ξ e(M2) ≠ ξ e(M1xM2), but this is not enough.
OAEP is a solution:
• P is a set of optional parameters.
• MGF is jus another hash function.
• EM is finally encoded using RSA.
Diffie-Hellman Key Exchange Algorithm Global and Public
Prime q, and α < q a primitive root of q,
i.e., α generates the multiplicative group of integers mod q
Alice Key Generation
Select private 𝑋𝐴 < 𝑞
Calculate public 𝑌𝐴 = α𝑋𝐴𝑚𝑜𝑑 𝑞
Bob Key Generation
Select private 𝑋𝐵 < 𝑞
Calculate public 𝑌𝐵 = α𝑋𝐵𝑚𝑜𝑑 𝑞
Generation of the Exchanged Secret Key by Alice
𝐾 = 𝑌𝐵𝑋𝐴𝑚𝑜𝑑 𝑞
Generation of the Exchanged Secret Key by Bob
𝐾 = 𝑌𝐴𝑋𝐵𝑚𝑜𝑑 𝑞
-
9/15/2017
15
Diffie-Hellman Key-Exchange Example α generates the multiplicative group of integers mod q
For example:
If α = 2, q = 7, then α is no generator of ℤ7∗ ={1, 2, 3, 4, 5, 6} as
{20 mod 7, 21 mod 7, 22 mod 7, 23 mod 7, 24 mod 7, 25 mod 7} = {1, 2, 4, 1, 2, 4,1} ≠ ℤ7∗
If α = 3, q = 7, then
{30 mod 7, 31 mod 7, 32 mod 7, 33 mod 7, 34 mod 7, 35 mod} = {1, 3, 2, 6, 4, 5} = ℤ7∗
Note: Assuming the generalized Riemann hypothesis, the least primitive root αp = O(log
6 p) (Shoup,1990, 1992).
Alice Key Generation:
Select private 𝑋𝐴 < 𝑞
Calculate public 𝑌𝐴 = α𝑋𝐴𝑚𝑜𝑑 𝑞
From 𝑌𝐴 it should be difficult to calculate 𝑋𝐴.
Calculating 𝑋𝐴 can be done taking the discrete log of 𝑌𝐴 to the base α modulo q
Diffie-Hellman Key Exchange
Complexity of Discrete Log
Calculating 𝑋𝐴 by taking the discrete log of 𝑌𝐴 to the base α modulo q is assumed to be intractable.
Shor, Peter (1997). "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer". SIAM Journal on Computing. 26 (5): 1484–1509.
Adrian, David et al. (October 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice“:
Logjam a flaw in TLS that lets man-in-the middle downgrade connections to ‘export-grade’-DH
Precomputations of a week for a 512-bit group => calculate discrete log for that group in ~ 1 minute.
They found that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites.
WeakDH.org: use a 2048-bit Diffie-Hellman group
-
9/15/2017
16
Digital Signatures
Alice Bob
Message M and signature S = DAlice (M)Checks with public EAliceif EAlice(S) = EAlice(DAlice(M)) = M
(M,S)
Using a public key crypto system.
Public Key Crypto System ElGamal
Public Key
p a prime
g < p
𝑦 = 𝑔𝑥𝑚𝑜𝑑 𝑝
Private Key
x < p
Encryption of message M
random k, with gcd(k,p-1)=1
𝐶 = 𝑎, 𝑏 , 𝑤ℎ𝑒𝑟𝑒 𝑎 = 𝑔𝑘𝑚𝑜𝑑 𝑝 a𝑛𝑑 𝑏 = 𝑦𝑘𝑀 𝑚𝑜𝑑 𝑝
Decryption
𝑀 = 𝑏/𝑎𝑥mod p
-
9/15/2017
17
ElGamal Signatures
Public Key
p a prime
g < p
𝑦 = 𝑔𝑥𝑚𝑜𝑑 𝑝
Private Key
x < p
Signing of message M
random k, with gcd(k,p-1)=1
Signature S = 𝑎, 𝑏 , 𝑤ℎ𝑒𝑟𝑒
𝑎 = 𝑔𝑘𝑚𝑜𝑑 𝑝 a𝑛𝑑 𝑏 𝑠𝑢𝑐ℎ 𝑡ℎ𝑎𝑡 𝑀 = (𝑥𝑎 + 𝑘𝑏) 𝑚𝑜𝑑 𝑝-1
Verification
Accept as valid if 𝑦𝑎𝑎𝑏 𝑚𝑜𝑑 𝑝 = 𝑔𝑀𝑚𝑜𝑑 𝑝
34 Cryptographic Hash Functions
An hash function H has the following properties:
H can be applied to data of any size.
H produces fixed length output.
H(x) is easy to compute for any given x.
One-way
for any given hash-code h, it is computationally infeasible to find x such
that H(x) = h.
Weak collision resistance
for any given x, it is computationally infeasible to find y (not equal to x)
such that H(y) = H(x).
Strong collision resistance
it is computationally infeasible to find any pair (x,y) such that H(x) = H(y).
-
9/15/2017
18
35 Cryptographic Hash FunctionsAn hash function H has the following properties:
H can be applied to data of any size.
H produces fixed length output.
H(x) is easy to compute for any given x.
One-way
for any given hash-code h, it is computationally infeasible to find x such that H(x) = h.
Weak collision resistance
for any given x, it is computationally infeasible to find y (not equal to x) such that H(y) = H(x).
Strong collision resistance
it is computationally infeasible to find any pair (x,y) such that H(x) = H(y).
Could you use DES to implement a Cryptographic Hash Function?
Secure Hash Algorithm (SHA) Developed by NSA in 1993. Based on MD4.
In 20002 a revised version by NIST. In 2005 SHA-1 started to be phased out by NIST. By
2010 SHA-256, SHA-384, and SHA-512.
Around 2005 an attach were 2 different message could be found using 269 operations
yielding the same SHA-1 hash! (280 operations were expected to be necessary)
-
9/15/2017
19
Secure Hash Algorithm
(SHA)
Basic Cryptographic Protocols
-
9/15/2017
20
Authentication: Passwords
Password file protected by:
One-way encryption: only encrypted passwords are stored
Access control: password files only accessed only by a few accounts
Passwords cracked by:
Trying default passwords, all short passwords.
Dictionary attacks, license plates, etc.
User’s information: pets, names, children names, etc.
Trojan Horse to bypass access restrictions
Line tap between user and system.
Authentication:
Passwords
Salt:
• No duplicate password visible
• 12-bit salt makes it 4096x more difficult
to guess password
• Prevents a hardware implementation
of crypt
Crypt
• Password -> 56-bit key
• 64-bit block of 0’s as input
• DES modified with the 12-bit salt
• 12 passes output is input for next pass
-
9/15/2017
21
Message Authentication Requirements
Disclosure
Release of message contents to any person or process not possessing the appropriate cryptographic key
Traffic analysis
Discovery of the pattern of traffic between parties
Masquerade
Insertion of messages into the network from a fraudulent source
Content modification
Changes to the contents of a message, including insertion, deletion, transposition, and modification
Sequence modification
Any modification to a sequence of messages between parties, including insertion, deletion, and reordering
Timing modification
Delay or replay of messages
Source repudiation
Denial of transmission of message by source
Destination repudiation
Denial of receipt of message by destination
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved. From Stallings Cryptography and Network Security 2017
Message Authentication Functions
Two levels of functionality: Hash function
A function that maps a message of any length into a fixed-length hash value which serves as the authenticator
Message encryption
The ciphertext of the entire message serves as its authenticator
Message authentication code (MAC)
A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
Lower level
•There must be some sort of function that produces an authenticator
Higher-level
•Uses the lower-level function as a primitive in an authentication protocol that enables a receiver to verify the authenticity of a message
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved. From Stallings Cryptography and Network Security 2017
-
9/15/2017
22
Authentication:
Authenticated Secure Communication
Man in the middle Attack
Or Actually: Eve the Man in the Middle
Alice Bob
Eve
S = Signature(M) = Ed (‘HELLO BOB’)
Message M
Receive M and S
Check that S is from Alice
M, S
…?
-
9/15/2017
23
Man-in-the-Middle-Attack-Attack
https://www.bleepingcomputer.com/news/security/google-chrome-will-
soon-warn-you-of-software-that-performs-mitm-attacks/
Number TheoryBasic Definitions and Algorithms
https://www.bleepingcomputer.com/news/security/google-chrome-will-soon-warn-you-of-software-that-performs-mitm-attacks/
-
9/15/2017
24
47 Public-Key Cryptography Fast Exponentiation
Calculate ab mod n = 7560 mod 561
a = 7, b = 560 = 1000110000, n = 561
I bi c d ->7560
9 1 1 7 71
8 0 2 49 72
7 0 4 157 74
6 0 8 526 78
5 1 17 160 716+1
4 1 35 241 732+2+1
3 0 70 298 764+4+2
2 0 140 166 7128+8+4
1 0 280 67 7256+16+8
0 0 560 1 7512+32+16
resultExponent
48
Number Theory
Definition (Divisors):
b 0 divides a, if a = mb for some m.
Notation: b|a
Example: divisors of 24 are
1, 2, 3, 4, 6, 8, 12, and 24
The following relations hold:
if a|1, then a = ±1
if a|b and b|a, then a = ±b
any b 0 divides 0
if b|g and b|h, then b|(mg+nh) for arbitrary integers m and n
-
9/15/2017
25
49
Number Theory
Definition (Prime Numbers):
An integer p>1 is a prime number if its only divisors are ±1 and ±p.
Theorem: Any positive integer a>1 can be factored in a unique way as:
a = p1a1.p2
a2…ptat,
where p1 > p2 >…> pt are prime,
and ai >0
Example: 91 = 7 x 13,
11011 = 7 x 112 x 13
0 each where,or pP
aaPa p
50
Number Theory
Definition1 (GCD):
The positive integer c is said to be the greatest common divisor of a and b if:
1) c|a and c|b
2) if d|a and d|b, then d|c
Notation: c = gcd(a,b)
Definition2 (GCD):
gcd(a,b) = max[k, such that k|a and k|b]
Example: 192 = 22 x 31 x 42
18 = 21 x 32
gcd(18,192) = 21 x 31 x 40 = 6
-
9/15/2017
26
51
Number Theory
Definition1 (Relative Prime):
The integers a and b are said to be relatively prime if gcd(a,b) = 1.
Example:
192 and 18 are not relatively prime:
192 = 22 x 31 x 42
18 = 21 x 32
gcd(18,192) = 21 x 31 x 40 = 6
74 and 75 are relatively prime:
74 = 2 x 37
75 = 3 x 52
gcd(74,75) = 1
52
Number Theory: Modular Arithmetic
Given any positive integer n and any integer a we can write:
a = qn + r, where 0 r < n, q = a/n
r is called the residue (mod n)
Definition: If a is an integer and n is a positive integer we define a mod n to be the remainder when a is divided by n.
Thus, a = a/n x n + (a mod n)
Definition: Two integers are said to be congruent modulo n if
(a mod n) = (b mod n)
Notation: a b mod n
-
9/15/2017
27
53
Number Theory: Modular Arithmetic
Examples: 73 4 mod 23 as
73 = 3 x 23 + 4, hence
4 = 73 mod 23, and clearly
4 = 4 mod 23
21 -9 mod 10 as
1 = 21 mod 10 and
1 = -9 mod 10
Properties (Check):
a b mod n if n|(a-b)
(a mod n) = (b mod n) implies a b mod n
a b mod n implies b a mod n
a b mod n and b c mod n implies a c mod n
54
Number Theory: Modular Arithmetic
The mod n operator maps all integers into the set of integers Zn = 0,1,…,(n-1), the set of all residues modulo n.
The following properties hold for modular arithmetic within Zn:
(w +x) mod n = (x + w) mod n
((w+x)+y) mod n = (w+(x+y)) mod n
(0+w) mod n = w mod n
w Zn z Zn such that w + z 0 mod n
(w x) mod n = (x w) mod n
((wx)y) mod n = (w(xy)) mod n
(1 w) mod n = w mod n
(w(x+y)) mod n = ((wx)+(wy)) mod n
-
9/15/2017
28
55
Number Theory: Modular Arithmetic
Z8: 0 1 2 3 4 5 6 7
6: 0 6 12 18 24 30 36 42
mod 8: 0 6 4 2 0 6 4 2
Z8: 0 1 2 3 4 5 6 7
5: 0 5 10 15 20 25 30 35
mod 8: 0 5 2 7 4 1 6 3
Note: gcd(6,8) = 2, and gcd(5,8) = 1
Notation: Zp*= 1,2,…,(p-1)
Theorem: Let p prime, then for each w Zp* there exists a
z such that w z 1 mod p,
z is equal to the multiplicative inverse w-1 of w
56
Number Theory: Euler Totient Function
Definition: The Euler’s totient function (n) of n is equal to the
number of positive integers
-
9/15/2017
29
57
Number Theory: Euler’s Totient Function
Fermat’s Theorem (1640): For every prime p and any integer a, the following holds:
ap-1 1 mod p.
Euler’s Theorem (~1740): For any positive integer n, and any integer a relative prime to n, the following holds:
a(n) 1 mod n
Corollary: Let p,q be prime, and n = pq, m an integer such that gcd(m,n)=1, then
m(p-1)(q-1) 1 mod n
Examples:
26 = 64 = 63 + 1 1 mod 7
4(5-1)(7-1) = 424 = (48)3mod 35 163mod 35 4096 mod 35 1 mod 35
58
Number Theory: Testing for Primality
[Miller’75, Rabin’80]
Procedure Witness(a,n) n is to be tested for primality, a is some integer less than n.
if (not an-1 1 mod n) or
(x: x2 1 mod n and x1)
then return TRUE {n is no prime}
else return FALSE {n may be prime}
If n is no prime the probability that Witness
returns FALSE is
-
9/15/2017
30
59
Number Theory: Number of Primes
Definition: (n) is equal to the number of primes p that satisfy 2pn.
Theorem (The Prime Number Theorem, conjectured by Legendre,
Gauss, Dirichlet, Chebyshev, and Riemann; proven by
Hadamard and de la Vallee Poussin in 1896).
(n)~ n/ln(n)
Thus there are about
10100/ln(10100)-1099/ln(1099) =
0.039x1099 100-digit primes
There are 4.5x1099 100-digit odd numbers.
That is, about 1 of every 115 100-digit odd numbers is prime.
60
Number Theory: Euclid’s Algorithm
Finding the Greatest Common Divisor
Theorem: For any integer a0, and any integer b>0: gcd(a,b) = gcd(b,a mod
b)
Proof: Let d = gcd(a,b) => d|a and d|b => a = kb + a mod b for some integer
k => (a mod b) = a -kb => d|(a mod b) (as d|a and d|kb). Thus d is a
common divisor of b and (a mod b).
Conversely, if d = gcd(b, a mod b), then d|kb and thus also d|(kb + a mod b)
=> d|a. Thus d is also a common divisor of a and b.
qed
Example (Calculation of GCD):
gcd(12,18) = gcd(18,6) = gcd(6,0) = 6
gcd(10,11) = gcd(11,1) = gcd(1,0) = 1
-
9/15/2017
31
61
Number Theory: Euclid’s Extended Algorithm
Finding the Multiplicative Inverse
If gcd(d,n) = 1, then (d-1 mod n) exists.
I.e., dd-1 = 1 mod n.
Complexity: The multiplicative inverse can be found in O(log2n)
time.
62
Number Theory: Discrete Logarithm
Definition: Let Zn*={1,2,…,(n-1)}, and g in Zn
*. Then any integer x such that:
gx = y mod n
is called a discrete logarithm of y to base g.
Example:
Z7* 1 2 3 4 5 6
31 32 33 34 35 36
g=3 3 2 6 4 5 1
Z7* 1 2 3 4 5 6
log3 6 2 1 4 5 3
N.B. g=3 is a generator of Z7*
Definition: If for g in Zp* {g1,…,g(p-1)} = Zp
* holds, then g is a generator of Zp*.
-
9/15/2017
32
63
Number Theory: Complexity of PRIMES, Discrete Log, FACTORIZE, etc.
Finding Primes (PRIMES is in P, AKS-Algorithm, August 2002)
After 1/115 tries success. Each try fastexp and some tests are executed => O(log n) time.
Finding Safe Primes
It is unknown whether there exist infinitely many safe primes.
Calculating the Discrete Logarithm
If the prime factors of (p-1) are small there exist efficient algorithms, otherwise roughly the same complexity as factorising.
Factorising n (b-bits)
Peter Shor(1994): O(b3) and O(b) space on a quantum computer.
Kleinjung et al. (2010) used general number field sieve GNFS- approach,
O(𝑒3 64
9𝑏(log 𝑏)2
time, for the factorization of a 768-bit RSA modulus n.
Calculating Euler’s Phi Function of n
It is unknown if this can be done without factorising n.
Finding the multiplicative inverse mod n
O(log2n)
Assignment Set 1
-
9/15/2017
33
Set 1 Assignment 1
Note that if the hardware of the Military Enigma would not have been known
you have to take the number of configurations for all rotors and the switch-
board into account.
In practice our key-space size is determined by:
- 5 possible known rotors out of which 3 were selected: 53
= 60 possibilities
- Initial rotor settings (3), (known) reflector was fixed: 263 = 17576
- Notch settings, rotation after each key-stroke: 262 = 676
- Switchboard configuration defined using 10 cables: 150,738,274,937,250
- Key-space size is: 107,458,687,327,250,619,360,000 = 1.07 X 1023
DES Key-space size: 72,057,594,037,927,936 = 7.2x1016
From: http://ciphermachines.com/enigma.html#key
Assignment 2: Differential Cryptanalysis
Idea by Biham and Shamir
A chosen plaintext attack: attacker nows (many) plaintext-cryptotext pairs.
Differential because the difference (through XOR) of 2 plaintexts and their corresponding 2 ciphertexts are taken.
The distribution of these differences give information on key-bits.
After the distributions let you determine several bits with high probability you use brute force on the rest of the key-space ( key-space 247) as the NSA/IBM was aware of this attack in 1974 about 10 years before this was rediscovered.
M.Matsui (1993/1994) Linear Cryptanalysis of DES
8 rounds of DES-algorithm for 211 known plaintexts
16 rounds of DES for 243 known plaintexts
Use this data to find the key (exhaustive search may still be more effective…)
-
9/15/2017
34
Set 1 Assignment 3
DES Key-Space size is 256~7.2 𝑥 1016
Titan X performance 11 TFLOPS is 1.1x1013 FLOPS
One 64-bit block DES encryption needs FDES FLOPS
Time to do a known plaintext attack: FDESx7.2 𝑥 1016/ 1.1x1013 = FDESx6.5x10
3sec
… note …
Set 1 Assignment 4
ONE-TIME PAD used twice with same key
P1: 0100011010 P2: 1110100110
Key: 1101010000 Key: 1101010000
C1: 1001001010 C2: 0011110110
C1: 1001001010 P1: 0100011010
C2: 0011110110 P2: 1110100110
C1⨂C2: 1010111100 P1⊗P2: 1010111100
Note: 8-bits often asci-codes