introduction to cryptography - courses to cryptography cmp s1 , ... quantum cryptography: perfect...

1

Introduction to Cryptography

Introduction to Cryptography 2CMPS 122, Spring 2004

What is cryptology?

• Greek: “krypto” = hide• Cryptology – science of hiding

⇒ cryptography + cryptanalysis + steganography• Cryptography – secret writing• Cryptanalysis – analyzing (breaking) secrets

◆ Decipher (decryption) is what we do◆ Cryptanalysis is what they do

2


Steganography

• “Covered” messages• Technical steganography

◆ Invisible ink, shaved heads, microdots• Linguistic steganography

◆ “Open code” – secret message appears innocent– “East wind rain” = war with USA– Broken dolls in WWII

◆ Hide message in low-order bits in GIF


Cryptology vs. security

• Cryptology is a branch of mathematics◆ Lots of formal representation◆ Proofs about encryption are possible

• Security is a system issue◆ Easiest way to violate security is through people!◆ Security uses cryptology and other tools

3


Terminology

Encrypt DecryptPlaintext Plaintext

Alice BobEve

Insecure Channel

C = E(P)P = D(C)E must be invertible

Ciphertext


Kerckhoff’s Principle

• Cryptography always involves two things◆ Transformation◆ Secret

• Security should depend only on the secrecy of thekey◆ Assume the enemy can get the algorithm

– Can capture machines (or people), disassemble programs, etc.– Very expensive and difficult to invent a new algorithm if the old

one might have been compromised◆ Security through obscurity isn’t

– Look at history of examples– Better to have scrutiny by open experts

• “The enemy knows the system being used.” (ClaudeShannon)

4


Alice and Bob

KE KD

C = E(KE, P) = EKE (P)P = D(KD, C) = DKD (C)KE = KD => symmetric encryptionKE ≠ KD => asymmetric encryption


Alice Bob

Ciphertext


Overview of modern cryptography

• Three basic types of algorithms◆ Symmetric (shared) key encryption◆ Asymmetric (public key) encryption◆ Secure hash functions

• For each type of algorithm, many choices◆ Symmetric key: DES, AES, Blowfish, RC5, RC6◆ Asymmetric key: RSA, El-Gamal, elliptic curve◆ Secure hash function: MD4, MD5, SHA-1, RIPEMD

• Different implementations within a type of algorithm sharemany characteristics◆ Goal, approach are similar◆ Specific implementation details may differ

• Good books on algorithms include Applied Cryptography(somewhat dated) and Practical Cryptography

5


Symmetric key encryption

• Encryption key and decryption key are identical• Strength of algorithm is usually proportional to 2key length

◆ Assumes a truly random key!• Algorithm is usually fast

◆ Around 20 cycles per byte for many algorithms◆ Upwards of 100 MB/s possible on today’s CPUs◆ Straightforward to build hardware to run the algorithm

• Decryption may be the same algorithm as encryption, but isn’t always

KS KS


Alice Bob

Ciphertext


Asymmetric key encryption

• Keys come in pairs: <KU,KR> (KU is public, KR is private)◆ Designation of which is public and which is private is arbitrary◆ Knowing one key of a pair won’t help you figure out the other one

• Encryption and decryption are typically the same algorithm◆ May be applied in either order (public or private encrypt first)◆ DKR(EKU(m)) = DKU(EKR(m)) = m

• Usually much slower than symmetric key encryption◆ Speed much less than 1 MB/s

KU KR


Alice Bob

Ciphertext

6


Secure hash functions• Variable-length input produces fixed-size output

◆ Similar to encryption, but without a key and output blocks collapsed together• Secure: “difficult” to construct fake plaintexts

◆ Weak collision resistance: difficult to find a plaintext with the same hash value as anyrandomly-chosen plaintext

◆ Strong collision resistance: difficult to find pairs of plaintexts with the same hash value• Useful because secure hash function can serve as a stand-in for the plaintext for

various other functions…

Secure hashPlaintext

Alice Bob

Hash value


Simple cipher: Substitution Cipher

• C = EK(p)• Ci = K[pi]• Key is alphabet mapping

◆ a → J, b → L, ...• Suppose attacker knows algorithm but not key, how

many keys to try?◆ Answer: 26! (26 factorial)◆ If every person on earth tried one per second, it would

take 5 billion years

7


Monoalphabetic Cipher

“XBW HGQW XS ACFPSUWG FWPGWXFCF AWWKZV CDQGJCDWA CD BHYJDDJXHGW; WUWD XBW ZWJFX PHGCSHFYCDA CF GSHFWA LV XBW KGSYCFW SIFBJGCDQ RDSOZWAQW OCXBBWZAIGSY SXBWGF.”

We know:This is English text.It uses a monoalphabetic cipher


Frequency Analysis

“XBW HGQW XS ACFPSUWG FWPGWXF CF AWWKZVCDQGJCDWA CD BHYJD DJXHGW; WUWD XBWZWJFX PHGCSHF YCDA CF GSHFWA LV XBWKGSYCFW SI FBJGCDQ RDSOZWAQW OCXBBWZAIGSY SXBWGF.”

W: 20 “Normal” English:C: 11 e 12%F: 11 t 9%G: 11 a 8%

8


Pattern Analysis

Most common trigrams in English:the = 6.4%and = 3.4%

XBe = “the”?

“XBe HGQe XS ACFPSUeG FePGeXF CFAeeKZV CDQGJCDeA CD BHYJD DJXHGe; eUeDXBe ZeJFX PHGCSHF YCDA CF GSHFeA LVXBe KGSYCFe SI FBJGCDQ RDSOZeAQeOCXBBeZA IGSY SXBeGF.”


Guessing

“the HGQe tS ACFPSUeG FePGetF CF AeeKZVCDQGJCDeA CD hHYJD DJtHGe; eUeD the ZeJFtPHGCSHF YCDA CF GSHFeA LV the KGSYCFeSI FhJGCDQ RDSOZeAQe OCthheZA IGSYStheGF.”

tS = to ➞ S = “o”

9


Guessing

“the HGQe to ACFPoUeG FePGetF CF AeeKZVCDQGJCDeA CD hHYJD DJtHGe; eUeD the ZeJFtPHGCoHF YCDA CF GoHFeA LV the KGoYCFe oIFhJGCDQ RDoOZeAQe OCthheZA IGoY otheGF.”

F appears at the end of many words ➞ likely a consonantCF is a common two-letter word ➞ C likely a vowelF = “s” and C = “i”otheGs = others ➞ G = “r”


Guessing

“the HrQe to AisPoUer sePrets is AeeKZViDQrJiDeA iD hHYJD DJtHre; eUeD the ZeJstPHrioHs YiDA is roHseA LV the KroYise oI shJriDQRDoOZeAQe OithheZA IroY others.”

sePrets = “secrets” ➞ P = “c”AiscoUer = discover ➞ A = “d”, U = “v”iD = “if” or “in”, but “D” ends two words (unlikely to be “f”)oI = “on” or “of”, (“r” already deciphered)D = “n” and I = “f”

10


Guessing

“the HrQe to discover secrets is deeKZVinQrJined in hHYJn nJtHre; even the ZeJstcHrioHs Yind is roHsed LV the KroYise ofshJrinQ RnoOZedQe OithheZd froY others.”

At this point, start completing individual words.Yind = “mind” & froY = “from” ➞ Y = “m”Kromise = “promise” ➞ K = “p”cHrioHs = “curious” ➞ H = “u”And so on…


Monoalphabetic Cipher

“The urge to discover secrets is deeply ingrainedin human nature; even the least curious mindis roused by the promise of sharing knowledgewithheld from others.”

- John Chadwick, The Decipherment of Linear B

11


Why was it so easy?

• Doesn’t hide statistical properties of plaintext◆ Common letters in plaintext will result in common

symbols in ciphertext• Doesn’t hide relationships in plaintext

◆ EE cannot match dg• English (and all natural languages) are very

redundant◆ About 1.3 bits of information per letter

– Many combinations of letters simply don’t exist or aren’t common◆ Running English thru gzip reduces size by a factor of 6

– 8 bits/letter / 1.3 bits of information per letter ≈ 6


How can we make it tougher?

• Cosmetic: use different symbols• Hide statistical properties:

◆ Encrypt “e” with 12 different symbols, “t” with 9different symbols, etc.

◆ Add nulls, remove spaces• Polyalphabetic cipher

◆ Use different substitutions• Transposition

◆ Scramble order of letters

12


Types of attacks

• Ciphertext-only — how much ciphertext is needed?• Known plaintext — often “guessed plaintext”• Chosen plaintext (get ciphertext)

◆ Not as uncommon as it sounds!• Chosen ciphertext (get plaintext)• Leave these to the professionals:

◆ Dumpster diving◆ Social engineering◆ “Rubber-hose cryptanalysis” (actually an advanced form

of social engineering)– Use threats, blackmail, torture, and bribery to get the key.


Really brief history: first 4000 years

Cryptographers

Cryptanalysts

3000BC

monoalphabetics

900

al-Kindi - frequency analysis

Alberti – first polyalphabetic cipher

1460

Vigenère

1854

Babbage breaks Vigenère;Kasiski (1863) publishes

13


Really brief history: last 100 years

Cryptographers

Cryptanalysts

1854 1918

Mauborgne – one-time pad

Mechanical ciphers - Enigma

1939

Rejewski repeatedmessage-key attack

Turing’s loop attacks,Colossus

Enigma adds rotors, stops repeated key

1945

Feistel block cipher, DES

Linear, DifferentialCryptanalysis

?

1973

Public-Key

Quantum Crypto


How does cryptology advance?

• Arms race between cryptographers and cryptanalysts◆ Often, disconnect between two (e.g., Mary Queen of Scots used

monoalphabetic cipher long after known breakable)• Multi-disciplinary field

◆ Linguists, classicists, mathematicians, computer scientists, physicists• Secrecy often means advances rediscovered and miscredited

◆ Public-key cryptography first done by British security agency, rediscoveredby Diffie & Hellman

• Dominated by needs of government: war is the great catalyst• Cryptanalysis advances led by most threatened countries:

◆ France (1800s), Poland (1930s), England/US (WWII), Israel? (Today)

14


Security vs. Pragmatics

• Trade-off between security and effort◆ one-time pad: perfect security, but requires distribution

and secrecy of long key◆ DES: short key, fast algorithm, but breakable◆ quantum cryptography: perfect security, guaranteed

secrecy of key, slow, requires expensive hardware• Don’t spend $10M to protect $1M• Don’t protect $1B with encryption that can be

broken for $1M


Unbreakable cipher: one-time pad

• Mauborgne/Vernam [1917]• XOR (⊕):

◆ 0 ⊕ 0 = 0 1 ⊕ 0 = 1◆ 0 ⊕ 1 = 1 1 ⊕ 1 = 0◆ a ⊕ a = 0◆ a ⊕ 0 = a◆ a ⊕ b ⊕ b = a

• E(P, K) = P ⊕ K• D(C, K) = C ⊕ K = (P ⊕ K) ⊕ K = P

15


Why perfectly secure?

• For any given ciphertext, all plaintexts are equallypossible.

• Ciphertext: 0100111110101◆ Key1: 1100000100110◆ Plaintext1: 1000111010011 = “CS”◆ Key2: 1100010100110◆ Plaintext2: 1000101010011 = “BS”


Perfect security => our job is done?

• Can’t reuse K◆ What if receiver has

C1 = P1 ⊕ K and C2 = P2 ⊕ KC1 ⊕ C2 = P1 ⊕ K ⊕ P2 ⊕ K

= P1 ⊕ P2• Need to generate truly random bit sequence as long

as all messages• Need to securely distribute keys

16


Vigenère

• Invented by Blaise de Vigenère, ~1550• Considered unbreakable for 300 years• Broken by Charles Babbage but kept secret to help

British in Crimean War (circa 1854)• Attack discovered independently by Friedrich

Kasiski, 1863


Key is an N-letter stringAlphabet has Z symbolsEK(P) = C where

Ci = (Pi + Ki MOD N) MOD Z

E“KEY” (“test”) = DIQDC0 = (‘t’ + ‘K’) mod 26 = ‘D’C1 = (‘e’ + ‘E’) mod 26 = ‘I’C2 = (‘s’ + ‘Y’) mod 26 = ‘Q’C3 = (‘t’ + ‘K’) mod 26 = ‘D’

Vigenère Encryption

17


Babbage’s Attack

• Use repetition to guess key length:◆ Suppose sequence XFO appears at 65, 71, 122, 176◆ Calculate distances between occurrences

– (71 – 65) = 6 = 3 * 2– (122 – 65) = 57 = 3 * 19– (176 – 122) = 54 = 3 * 18

◆ Key is probably 3 letters long• This approach isn’t foolproof

◆ XFO could correspond to different sequences at differentlocations

◆ Use lots of different trigrams (or longer!) to find the keylength


Index of coincidence

• Calculate index of coincidence by◆ Taking two strings and pairing their letters by position◆ Computing the fraction of paired letters that are the same

• For English, index of coincidence is◆ About 3.8% for randomly chosen letters (= 1/26)◆ About 6.6% for real English text◆ Reason: some letters (and sequences) are more common than others

in English• Index of coincidence is unaffected by simple substitution

ciphers (assuming both strings encrypted with the same key)!◆ Take the encrypted text and compare it with itself shifted

(horizontally) by N positions (do this for values of N from 1 –maximum key length)

◆ If N is a multiple of the key length, the index of coincidence willjump to a higher value

18


PAMP DOKW SCAO PBSJ VFSV HRGE ASEX BRQR AGMR KOPZ HBOI KIZH LFSV HRGE ASEM UHQV LGFI KWZE UMAJ AVQW LODI HGAJ YSEI HFOL PTKS BFDI ZSMV JVSS HZEQ HHOL AVAW LCRT YCVI JHEJ VFIL PQTM OOHI LLFI YBMP ZIBT VFFM TOKF LONP LHAW BDBS YHKS BOEE YSEI HFOL HGEM ZHMR A

Key length and frequency

• Once you think you know the key length◆ Slice the ciphertext◆ Use the frequency methods we looked at earlier

• Example:◆ Key length = 4◆ For first letter, H=9, L=7 & A=6 are most common => guess a, e, t◆ Keep going like this…

• Even if each position in key is fully scrambled (not just shifted), thismechanism works


Vigenère simplification

• Use binary alphabet:◆ Ci = (Pi + Ki mod N) mod 2◆ Ci = Pi ⊕ Ki mod N

• Use a key as long as P:◆ Ci = Pi ⊕ Ki

• One-time pad—perfect cipher!

19


How do you know the cipher’s good?

• “I tried really hard to break my cipher, but couldn’t. I’m agenius, so I’m sure no one else can break it either.”

• “Lots of really smart people tried to break it, and couldn’t.”• Mathematical arguments

◆ Key size (dangerous!)◆ Statistical properties of ciphertext◆ Depends on some provably (or believed) hard problem

• Invulnerability to known cryptanalysis techniques (but whatabout undiscovered techniques?)

• Show that ciphertext could match multiple reasonableplaintexts without knowing key◆ Simple monoalphabetic secure for about 10 letters of English:XBCF CF FWPHGWThis is secureSpat at troner


Real world standard

• Attacker almost certainly has details of algorithm• Attacker has access to

◆ Limited (maybe) amount of ciphertext◆ Known plaintext (sometimes)◆ Chosen plaintext (occasionally)

• Breaking a cipher means the attacker can read asecret message◆ May mean the attacker can read many secret messages if

the key is reused (think PGP…)

20


“Academic” standard

• Harsher than real-world standard (but not always)• Assume the attacker has

◆ Full details of the algorithm◆ An unlimited number of chosen plaintext/ciphertext pairs

• Assume attacker can perform a very large numberof computations◆ Up to, but not including, 2n, where n is the key size in bits

– This means that the attacker can’t mount a brute force attack, butcan get close

• Ciphers that meet this standard may be stronger thanthose designed for the “real world”◆ Example: ENIGMA (more on this later) relied upon

secrecy of the algorithm as well as the key


Showing a cipher is imperfect

• Two (easy?) ways to show a cipher is imperfect◆ Find a ciphertext that is more likely to be one message

than another◆ Show that there are more messages than keys

– Can be easy if message is longer than key…– Implies that there is some message more likely to be a given

ciphertext, even if you can’t find it• Since most ciphers have more messages than keys,

they’re imperfect◆ One-time pad is an exception!

21


Entropy & rate

• The entropy (H) of a message M is the amount ofinformation in the message◆ H(M) = log2 n where n is the number of possible meanings◆ Example:

H (month of year) = log2 12 ≈ 3.6 (need 4 bits to encode a year)

◆ Rounding up can give misleading results– Encoding three (independent months) requires log2 123 ≈ 10.8 bits– Using 4 bits per month would require 12 bits…

• Absolute rate: how much information can be encoded◆ R = log2 Z, where Z is the size of the alphabet◆ REnglish = log2 26 ≈ 4.7 bits/letter

• Actual rate of a language:r = H(M) / N, where M is an N-letter message.◆ r of months spelled out using ASCII:

r = log2 12 / (8 letters * 8 bits/letter) ≈ 0.06


r = H(M) / N1.3 = H(M)/20H(M) = 26 = log2 n n = 226 = 6.7 million (of 2×1028 possible)One out of 7×1020 randomly selected 20-letter groups

Rate of English

• rEnglish is about 1.3 bits/letter (.28 letters/letter).◆ Many letter combinations don’t occur (or don’t occur frequently) in

English (qz, xg, cfn)◆ Many words don’t occur together often (“educated car”)◆ This ratio can be derived by compressing English text and looking at

the compression ratios (8/1.3 ≈ 6)• How many meaningful 20-letter messages are there in

English?

22


Redundancy & unicity

• Redundancy (D) is defined as:◆ D = R – r

• Redundancy in English:◆ DEnglish = 4.7 – 1.3 = 3.4 bits/letter◆ Each letter is 1.3 bits of content, and 3.4 bits of redundancy. (~72%)

• English encoded as ASCII: 1 byte per letter◆ D = 8 – 1.3 = 6.7◆ 84% redundancy, 14% information

• Unicity◆ Theoretical and probabilistic measure of how much ciphertext is

needed to determine a unique plaintext◆ Does not indicate how much ciphertext is needed for cryptanalysis◆ U = H(K) / D

– Minimum amount of ciphertext needed for brute-force attack tosucceed.


Unicity Examples

• One-Time Pad◆ H(K) = infinite◆ U = H(K)/D = infinite

• Monoalphabetic Substitution◆ H(K) = log2 26! ≈ 87◆ D = 3.4 (redundancy in English)◆ U = H(K)/D ≈ 25.5

– Intuition: if you have 25 letters, probably only matches onepossible plaintext.

• Random bit stream (message)◆ D = 0◆ U = H(K)/D = infinite◆ No amount of text will be enough!

23


introduction to cryptography - courses to cryptography cmp s1 , ... quantum cryptography: perfect...

Documents