Cryptographic Concepts

About This Presentation

Title:

Cryptographic Concepts

Description:

map text to short hash key; ideally, no collisions. Signature scheme ... Ciphertext does look garbled. Disadvantages. Not very good for long sequences of English words ... – PowerPoint PPT presentation

Number of Views:63

Avg rating:3.0/5.0

Slides: 50

Provided by: johncmi4

Learn more at: http://theory.stanford.edu

Category:

more less

Transcript and Presenter's Notes

Title: Cryptographic Concepts

1
Cryptographic Concepts
CS 99j

John C. Mitchell
Stanford University

2
Basic Concepts

Encryption scheme
functions to encrypt, decrypt data
key generation algorithm
Secret vs. public key
Public key publishing key does not reveal key-1
Secret key more efficient can have key key-1
Hash function
map text to short hash key ideally, no
collisions
Signature scheme
functions to sign data and confirm signature

3
Cryptosystem

A cryptosystem consists of five parts
A set P of plaintexts
A set C of ciphertexts
A set K of keys
A pair of functions
encrypt K ? P ? C
decrypt K ? C ? P
such that for every key k?K and plaintext p?P
decrypt(k, encrypt(k, p)) p
Good defn for now, but doesnt include key
generation or prob encryption.

4
Primitive example shift cipher

Shift letters using mod 26 arithmetic
Set P of plaintexts a, b, c, , x, y, z
Set C of ciphertexts a, b, c, , x, y, z
Set K of keys 1, 2, 3, , 25
Encryption and decryption functions
encrypt(key, letter) letter key
(mod 26)
decrypt(key, letter) letter - key
(mod 26)
Example
encrypt(3, stanford) vwdqirug

5
Evaluation of shift cipher

Advantages
Easy to encrypt, decrypt
Ciphertext does look garbled
Disadvantages
Not very good for long sequences of English words
Few keys -- only 26 possibilities
Regular pattern
encrypt(key,x) is same for all
occurrences of letter x
can use letter-frequency tables, etc

Brutus the cat from Rachel Levengood,
www.yerf.com/leverach/
6
Letter frequency in English

Five frequency groups Beker and Piper
E has probability
0.12
TAOINSHR have probability 0.06 - 0.09
DL have probability 0.04
CUMWFGYPB have probability 0.015 - 0.028
VKJXQZ have probability lt 0.01
Possible to break letter-to-letter substitution
ciphers.

7
One-time pad

Secret-key encryption scheme (symmetric)
Encrypt plaintext by xor with sequence of bits
Decrypt ciphertext by xor with same bit sequence
Scheme for pad of length n
Set P of plaintexts all n-bit sequences
Set C of ciphertexts all n-bit sequences
Set K of keys all n-bit sequences
Encryption and decryption functions
encrypt(key, text) key ? text
(bit-by-bit)
decrypt(key, text) key ? text
(bit-by-bit)

8
Example one-time pad
Plaintext
Key
Ciphertext
Key
Plaintext
Ciphertext
?

?

9
Evaluation of one-time pad

Advantages
Easy to compute encrypt, decrypt from key, text
As hard to break as possible
This is an information-theoretically secure
cipher
Given ciphertext, all possible plaintexts are
equally likely, assuming that key is chosen
randomly
Disadvantage
Key is as long as the plaintext
How does sender get key to receiver securely?
Idea can be combined with pseudo-random
generators ...

10
What is a secure cryptosystem?

Idea
If an enemy intercepts your ciphertext, cannot
recover plaintext
Issues in making this precise
What else might your enemy know?
The kind of encryption function you are using
Some plaintext-ciphertext pairs from last year
Some information about how you choose keys
What do we mean by cannot recover plaintext ?
Ciphertext contains no information about
plaintext
No efficient computation could make a reasonable
guess

11
Information-theoretic security

Remember conditional probability...
Random variables X, Y,
Conditional probability P(XxYy)
Probability that X takes value x, given that Yy

2
1
P(even red) 2/3
3
P(even) 1/2
4
5
6
12
Information-theoretic security

Cryptosystem is info-theoretically secure if
P(Plaintextp Ciphertextc)
P(Plaintextp)

Ciphertext gives no info about plaintext
Prob(1 is for Land) Prob(1 is for Sea)
assuming that all keys are equally likely

13
In practice ...

Information-theoretic security is possible
Shift cipher, one-time pad are info-secure
But often not practical
Keys would be long
No public-key system
Therefore
Cryptosystems in use are either
Just found to be hard to crack, or
Based on computational notion of security

14
Example cryptosystems

Feistel constructions
Iterate a scrambling function
Example DES,
Complexity-based cryptography
Multiplication, exponentiation are one-way
functions
Examples RSA, El Gamal, elliptic curve systems,
...

15
Feistel networks

Many block algorithms are Feistel networks
Examples
DES, Lucifer, FREAL, Khufu, Khafre, LOKI, GOST,
CAST, Blowfish,
Standard form for
Iterating a function f on parts of a message
Producing invertible transformation

16
Feistel network
Divide n-bit input in half and repeat

Scheme requires
Function f(Ri-1 ,Ki)
Computation for Ki
e.g., permutation of key K
Advantage
Systematic calculation
Easy if f is table, etc.
Invertible if Ki known
Get Ri-1 from Li
Compute f(R i-1 ,Ki)
Compute Li-1 by ?

f
K i
?
17
Data Encryption Standard

Developed at IBM, widely used
Feistel structure
Permute input bits
Repeat application of a S-box function
Apply inverse permutation to produce output
Appears to work well in practice
Efficient to encrypt, decrypt
Not provably secure

18
Review Complexity Classes
hard

Answer in polynomial space may need
exhaustive search
If yes, can guess and check in polynomial time
Answer in polynomial time, with high probability
Answer in polynomial time compute answer directly

PSpace
NP
BPP
P
easy
19
One-way functions

A function f is one-way if it is
Easy to compute f(x), given x
Hard to compute x, given f(x), for most x
Examples (we believe)
f(x) divide bits x y_at_z and multiply f(x)yz
f(x) 3x mod p, where p is prime
f(x) x3 mod pq, where p,q are primes with
pq

20
One-way trapdoor

A function f is one-way trapdoor if
Easy to compute f(x), given x
Hard to compute x, given f(x), for most x
Extra trapdoor information makes it easy to
compute x from f(x)
Example (we believe)
f(x) x3 mod pq, where p,q are primes with
pq
Compute cube root using (p-1)(q-1)

21
Public-key Cryptosystem

Trapdoor function to encrypt and decrypt
encrypt(key, message)
decrypt(key -1, encrypt(key, message)) message
Resists attack
Cannot compute m from encrypt(key, m) and key
(without key-1)

key pair
22
Example RSA

Arithmetic modulo pq
Generate secret primes p, q
Generate secret numbers a, b with xab ? x mod pq
Public encryption key ?n, a?
Encrypt(?n, a?, x) xa mod n
Private decryption key ?n, b?
Decrypt(?n, b?, y) yb mod n
Main properties
This works
Cannot compute b from n,a
Apparently, need to factor n pq

n
23
Group theory for RSA

Group G ?G, ?, e, ( )-1?
Set of elements with
associative multiplication ?
identity e with e?x x?e x
inverse ( )-1 with x?x-1 x-1 ?x e
Cyclic group
Group G ?G, ?, e, ( )-1? with
G g0, g1 , g2 , ... , gk g0
element g is called a generator of G
number of distinct elements if called the order
of group

24
Number theory for RSA

Group Zn of integers relatively prime to n
multiplication mod n is associative operation
1 is identity
x-1 computed by Euclidean algorithm for gcd
order of group is ?(n) kltn gcd(k,n) 1
What if x not relatively prime to n?
Can have zero divisors, no multiplicative inverse
If y divides x and n, then yix, yjn and
therefore xj yij ? 0 mod n
Only numbers relatively prime to n form group

25
RSA Encryption

Let p, q be two distinct primes and let npq
Encryption, decryption based on group Zn
For npq product of primes, ?(n) (p-1)(q-1)
Proof (p-1)(q-1) pq - p - q 1
Key pair ?a, b? with ab ? 1 mod ?(n)
Encrypt(x) xa mod n
Decrypt(y) yb mod n
Since ab ? 1 mod ?(n), have xab ? x mod n
Proof if gcd(x,n) 1, then by general group
theory, otherwise use Chinese remainder theorem.

26
How well does this work?

Can generate modulus, keys fairly efficiently
Efficient rand algorithms for generating primes
p,q
May fail, but with low probability
Given primes p,q easy to compute npq and ?(n)
Choose a randomly with gcd(a, ?(n))1
Compute b a-1 mod ?(n) by Euclidean algorithm
Public key n, a does not reveal b
This is not proven, but believed
But if n can be factored, all is lost ...

27
Message integrity

Theoretically, a weak point
encrypt(km) (km)e ke me
encrypt(k)encrypt(m)
This leads to chosen ciphertext form of attack
If someone will decrypt new messages, then can
trick them into decrypting m by asking for
decrypt(ke m)
Implementations reflect this problem
The PKCS1 RSA encryption is intended
primarily to provide confidentiality. It is not
intended to provide integrity. RSA Lab.
Bulletin

28
Digital Signatures

Public-key encryption
Alice publishes encryption key
Anyone can send encrypted message
Only Alice can decrypt messages with this key
Digital signature scheme
Alice publishes key for verifying signatures
Anyone can check a message signed by Alice
Only Alice can send signed messages

29
Properties of signatures

Functions to sign and verify
Sign(Key-1, message)
Verify(Key, x, m)
Resists forgery
Cannot compute Sign(Key-1, m) from m and Key
Resists existential forgery
given Key, cannot produce Sign(Key-1,
m)
for any random or otherwise arbitrary m
Look for where this is used!

true if x Sign(Key-1, m) false otherwise
30
RSA Signature Scheme

Publish decryption instead of encryption key
Alice publishes decryption key
Anyone can decrypt a message encrypted by Alice
Only Alice can send encrypt messages
In more detail,
Alice generates primes p, q and key pair ?a, b?
Sign(x) xa mod n
Verify(y) yb mod n
Since ab ? 1 mod ?(n), have xab ? x mod n

31
One-way hash functions

Length-reducing function h
Map arbitrary strings to strings of fixed length
One way
Given y, hard to find x with h(x)y
Given m, hard to find m with h(m) h(m)
Collision resistant
Hard to find any distinct m, m with h(m)h(m)

32
Applications of one-way hash

Password files (one
way)
Digital signatures
(collision resistant)
Sign hash of message instead of entire message
Data integrity
Compute and store hash of some data
Check later by recomputing hash and comparing
Keyed hash fctns for message authentication

33
Summary

Encryption scheme
encrypt(key, plaintext) decrypt(key
ciphertext)
Secret vs. public key
Public key publishing key does not reveal key
Secret key more efficient can have key key
Hash function
map long text to short hash key ideally, no
collisions
Signature scheme
private key and public key provide
authentication

-1
-1
-1
-1
34
(No Transcript)
35
(No Transcript)
36
Extra slides

Not used in WICS course

37
Dans info on crypto history

Substitution cipher
1400s Arabs did careful analysis of words in
Koran
1500s realized that with letter-frequency
information, could break substitution ciphers
Vigenere cipher
Permutation cipher
Rotor machines

38
Security objectives

Secrecy
Info not revealed
Authentication
Know identity of individual or site
Data integrity
Msg not altered
Message Authentication
Know source of msg

Receipt
Know msg received
Access control
Revocation
Anonymity
Non-repudiation

39
Properties of DES

Not a simple mathematical function
Difficult to analyze
All operations are linear except S-boxes
Security depends on magic S-box functions
These were designed secretly by NSA
No S-box is a linear function
Changing one input bit changes two output bits
Efficient to compute
Combination of bit operations and table lookup
Differential cryptanalysis of DES
Can break 8-round DES, but not 16-round DES (yet)

40
Complexity-based Cryptography

Some computational problems provably hard
Undecidability of halting problem
Presburger arithmetic is non-elementary
Commutative semi-groups require exponential space
Some problems are believed intractable
NP-complete optimization problems
Traveling salesman as hard as any problem in NP
No known polynomial time algorithm, in spite of
effort
Factoring is not believed to be poly-time
Not NP-complete, but many years of effort
Still, useful to relate crypto to standard
problems

41
Easy and hard (more precisely)

For any finite f, can build a table and invert f
Measure hardness using classes of functions
Want this to be hard as a function of choice of
f
A class fa Df ? Rf a?A is one-way if
Efficient algorithm for fa (x), given a, x
No efficient alg computes x, given a, fa (x)
where we assume Df , Rf finite and measure
running time as a function of a

42
Group theory for RSA

Group G ?G, ?, e, ( )-1?
Set of elements with
associative multiplication ?
identity e with e?x x?e x
inverse ( )-1 with x?x-1 x-1 ?x e
Cyclic group
Group G ?G, ?, e, ( )-1? with
G g0, g1 , g2 , ... , gk g0
element g is called a generator of G
number of distinct elements if called the order
of group

43
Number theory for RSA

Group Zn of integers relatively prime to n
multiplication mod n is associative operation
1 is identity
x-1 computed by Euclidean algorithm for gcd
order of group is ?(n) kltn gcd(k,n) 1
What if x not relatively prime to n?
Can have zero divisors, no multiplicative inverse
If y divides x and n, then yix, yjn and
therefore xj yij ? 0 mod n
Only numbers relatively prime to n form group

44
RSA Encryption

Let p, q be two distinct primes and let npq
Encryption, decryption based on group Zn
For npq product of primes, ?(n) (p-1)(q-1)
Proof (p-1)(q-1) pq - p - q 1
Key pair ?a, b? with ab ? 1 mod ?(n)
Encrypt(x) xa mod n
Decrypt(y) yb mod n
Since ab ? 1 mod ?(n), have xab ? x mod n
Proof if gcd(x,n) 1, then by general group
theory, otherwise use Chinese remainder theorem.

45
How well does this work?

Can generate modulus, keys fairly efficiently
Efficient rand algorithms for generating primes
p,q
May fail, but with low probability
Given primes p,q easy to compute npq and ?(n)
Choose a randomly with gcd(a, ?(n))1
Compute b a-1 mod ?(n) by Euclidean algorithm
Public key n, a does not reveal b
This is not proven, but believed
But if n can be factored, all is lost ...

46
Message integrity

Theoretically, a weak point
encrypt(km) (km)e ke me
encrypt(k)encrypt(m)
This leads to chosen ciphertext form of attack
If someone will decrypt new messages, then can
trick them into decrypting m by asking for
decrypt(ke m)
Implementations reflect this problem
The PKCS1 RSA encryption is intended
primarily to provide confidentiality. It is not
intended to provide integrity. RSA Lab.
Bulletin

47
Iterated hash functions