ee578_notes

Course: ECE 578, Fall 2008
School: Uni. Worcester
APPLIED CRYPTOGRAPHY AND DATA SECURITY

Dr. Christof Paar
Cryptography and Information Security (CRIS) Group
Department of Electrical & Computer Engineering
Worcester Polytechnic Institute
Worcester, MA 01609
http://www.ece.wpi.edu/Research/crypt

Lecture Notes

Preface

These lecture notes are not meant as a replacement of a more comprehensive textbook. Rather, the notes at hand present the essentials of modern applied cryptography in compact form and should accompany the lecture in conjunction with one of the books mentioned below. The notes grew out of an introductory graduate course in cryptography which I have taught twelve times by now at Worcester Polytechnic Institute and in industry. Remarks, questions, and classroom discussions by our graduate students as well as by the staff of GTE Government Systems, MA, and Philips Research, NY, greatly helped to improve the lecture notes. I tried to present modern cryptography in a way that is accessible for engineers without any background in abstract mathematics. There is a focus on private-key and public-key algorithms, an understanding of which appears to be extremely helpful for the development of real-world applications. However, protocol-related issues such as security services, key distribution, and identification are also treated. The lecture notes work well together with an actual book. I've used Doug Stinson's excellent textbook, [Sti95], as well as Bruce Schneier's comprehensive compilation, [Sch93]. The treatment of topics in these lecture notes loosely follows the presentation in Stinson's book. For those interested in an in-depth understanding of the field, including many theoretical topics, the handbook by Alfred Menezes, Paul van Oorschot, and Scott Vanstone, [AM97], can be strongly recommended for additional reading. Another good book which is more introductory is William Stallings' recent textbook [Sta99].
I would like to express my deep gratitude to my graduate students Jorge Guajardo and Martin Rosner, who were in charge of typing the notes and of drawing all figures and tables. Their many suggestions and proof reading greatly improved the notes.

Christof Paar, May 2000

Table of Contents

1 Introduction to Cryptography and Data Security
  1.1 Literature Recommendations
  1.2 Overview
  1.3 Private-Key Cryptosystems
  1.4 Cryptanalysis
    1.4.1 Attacks against Cryptoalgorithms
  1.5 Some Number Theory
  1.6 Simple Blockciphers
    1.6.1 Shift Cipher
    1.6.2 Affine Cipher
2 Stream Ciphers
  2.1 Introduction
  2.2 One-Time Pad and Pseudo-Random Generators
  2.3 Synchronous Stream Ciphers
    2.3.1 Linear Feedback Shift Registers (LFSR)
    2.3.2 Clock Controlled Shift Registers
  2.4 Attacks
    2.4.1 Known Plaintext Attack Against LFSRs
3 Some Results From Information Theory
  3.1 Levels of Security
  3.2 Computational Security
  3.3 Cryptography and Coding
  3.4 Confusion and Diffusion
4 Data Encryption Standard (DES)
  4.1 Encryption
    4.1.1 Overview
    4.1.2 Permutations
    4.1.3 Core Iteration / f-Function
    4.1.4 Key Schedule
  4.2 Decryption
  4.3 Implementation
    4.3.1 Hardware
    4.3.2 Software
  4.4 Attacks
    4.4.1 Exhaustive Key Search
    4.4.2 Differential Cryptanalysis
    4.4.3 Linear Cryptanalysis
  4.5 DES Alternatives
5 Rijndael: The Advanced Encryption Standard
  5.1 History
    5.1.1 Basic Facts about AES
    5.1.2 Chronology of the AES Process
  5.2 Rijndael Overview
  5.3 Some Mathematics: A Very Brief Introduction to Galois Fields
  5.4 Internal Structure
    5.4.1 Byte Substitution Layer
    5.4.2 Diffusion Layer
    5.4.3 Key Addition Layer
  5.5 Decryption
6 More about Block Ciphers
  6.1 Modes of Operation
    6.1.1 Electronic Codebook Mode (ECB)
    6.1.2 Cipher Block Chaining Mode (CBC)
    6.1.3 Cipher Feedback Mode (CFB)
    6.1.4 Counter Mode
  6.2 Key Whitening
  6.3 Multiple Encryption
    6.3.1 Double Encryption
    6.3.2 Triple Encryption
7 Introduction to Public-Key Cryptography
  7.1 Principle
  7.2 One-Way Functions
  7.3 Overview of Public-Key Algorithms
  7.4 Important Public-Key Standards
  7.5 More Number Theory
    7.5.1 Euclid's Algorithm
    7.5.2 Euler's Phi Function
8 RSA
  8.1 Cryptosystem
  8.2 Computational Aspects
    8.2.1 Choosing p and q
    8.2.2 Choosing a and b
    8.2.3 Encryption / Decryption
  8.3 Attacks
    8.3.1 Brute Force
    8.3.2 Finding n
    8.3.3 Finding a directly
    8.3.4 Factorization of n
  8.4 Implementation
9 The Discrete Logarithm (DL) Problem
  9.1 Some Algebra
    9.1.1 Groups
    9.1.2 Finite Groups
  9.2 The General DL Problem
  9.3 Attacks for the DL Problem
  9.4 Diffie-Hellman Key Exchange
    9.4.1 Protocol
    9.4.2 Security
10 Elliptic Curve Cryptosystem
  10.1 Elliptic Curves
  10.2 Cryptosystems
    10.2.1 Diffie-Hellman Key Exchange
    10.2.2 Menezes-Vanstone Encryption
  10.3 Implementation
11 ElGamal Encryption Scheme
  11.1 Cryptosystem
  11.2 Computational Aspects
    11.2.1 Encryption
    11.2.2 Decryption
  11.3 Security of ElGamal
12 Digital Signatures
  12.1 Principle
  12.2 RSA Signature Scheme
  12.3 ElGamal Signature Scheme
13 Hash Functions
  13.1 Introduction
  13.2 Security Considerations
  13.3 Hash Algorithms
14 Message Authentication Codes (MACs)
  14.1 Principle
  14.2 MACs from Block Ciphers
  14.3 HMAC
15 Security Services
  15.1 Attacks Against Information Systems
  15.2 Introduction
  15.3 Privacy
  15.4 Integrity and Sender Authentication
    15.4.1 Digital Signatures
    15.4.2 MACs
    15.4.3 Integrity and Encryption
16 Key Establishment
  16.1 Introduction
  16.2 Private-Key Approaches
    16.2.1 The n² Key Distribution Problem
    16.2.2 Key Distribution Center (KDC)
  16.3 Public-Key Approaches
    16.3.1 Man-In-The-Middle Attack
    16.3.2 Certificates
    16.3.3 Diffie-Hellman Exchange with Certificates
    16.3.4 Authenticated Key Agreement
17 Case Study: The Secure Socket Layer (SSL) Protocol
  17.1 Introduction
  17.2 SSL Record Protocol
    17.2.1 Overview of the SSL Record Protocol
  17.3 SSL Handshake Protocol
    17.3.1 Core Cryptographic Components of SSL
18 Introduction to Identification Schemes
  18.1 Private-key Approach
References

Chapter 1 Introduction to Cryptography and Data Security

1.1 Literature Recommendations

Course Textbooks: [Sti95] or [Sch93].

Further Reading: the following books are excellent supplements to the course textbook:

1. [AM97]: great compilation of theoretical and practical aspects of many crypto schemes.
Unique since it includes many theoretical topics that are hard to find otherwise. Highly recommended.

2. [Sta95]: very readable treatment of algorithms and standards relevant to cryptography in networks.

1.2 Overview

Brief History of Cryptography

Private-Key: all encryption and decryption schemes dating from BC to 1976.

Figure 1.1: Overview of the field of cryptology (Cryptology divides into Cryptography and Cryptanalysis; Cryptography into Private-Key (block ciphers, stream ciphers), Public-Key, and Protocols)

Public-Key: in 1976 the first public-key scheme was introduced, the Diffie-Hellman key exchange protocol.

Hybrid Approach: in today's protocols, very often hybrid schemes are applied which use both private-key and public-key algorithms.

1.3 Private-Key Cryptosystems

Sometimes these schemes are also referred to as symmetric, single-key, or secret-key approaches.

Problem Statement: Alice and Bob want to communicate over an insecure channel (e.g., computer network, satellite link). They want to prevent Oscar (the bad guy) from listening.

Solution: Use of private-key cryptosystems (these have been around since BC) such that if Oscar reads the encrypted version $y$ of the message over the insecure channel, he will not be able to understand its content, because $x$ is what really was sent.
Figure 1.2: Private-key cryptosystem (Alice encrypts $x$ with $e_k()$ to $y$; Bob decrypts $y$ with $d_k()$ to $x$; the key $k$ from the key generator reaches both over a secure channel; Oscar observes $y$ on the insecure channel)

Some important definitions:

1a. $x$ is called the "plaintext". 1b. $\mathcal{P} = \{x_1, x_2, \ldots, x_p\}$ is the (finite) "plaintext space".

2a. $y$ is called the "ciphertext". 2b. $\mathcal{C} = \{y_1, y_2, \ldots, y_c\}$ is the (finite) "ciphertext space".

3a. $k$ is called the "key". 3b. $\mathcal{K} = \{k_1, k_2, \ldots, k_l\}$ is the (finite) "key space".

4a. There are $l$ encryption functions $e_{k_i}: \mathcal{P} \to \mathcal{C}$, or: $e_{k_i}(x) = y$.

4b. There are $l$ decryption functions $d_{k_i}: \mathcal{C} \to \mathcal{P}$, or: $d_{k_i}(y) = x$.

4c. $e_{k_1}$ and $d_{k_2}$ are inverse functions if $k_1 = k_2$: $d_{k_i}(y) = d_{k_i}(e_{k_i}(x)) = x$ for all $k_i \in \mathcal{K}$.

Example: Data Encryption Standard (DES)
$\mathcal{P} = \mathcal{C} = \{0, 1, 2, \ldots, 2^{64} - 1\}$; each $x_i$ has 64 bits: $x_i = 010 \ldots 0110$.
$\mathcal{K} = \{0, 1, 2, \ldots, 2^{56} - 1\}$; each $k_i$ has 56 bits.
Encryption $e_k$ and decryption $d_k$ will be described in Chapter 4.

1.4 Cryptanalysis

Definition: The science of recovering the plaintext $x$ from the ciphertext $y$ without the knowledge of the key (Oscar's job).

Rules of the game: The cryptanalysis rules are known as Kerckhoff's Principle:
1. Oscar knows the cryptosystem (encryption and decryption algorithms).
2. Oscar does not know the key.

1.4.1 Attacks against Cryptoalgorithms

1. Ciphertext-only attack. Oscar's knowledge: some $y_1 = e_k(x_1), y_2 = e_k(x_2), \ldots$. Oscar's goal: obtain $x_1, x_2, \ldots$ or the key $k$.

2. Known plaintext attack. Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1)), (x_2, y_2 = e_k(x_2)), \ldots$. Oscar's goal: obtain the key $k$.

3. Chosen plaintext attack. Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1)), (x_2, y_2 = e_k(x_2)), \ldots$ of which he can choose $x_1, x_2, \ldots$. Oscar's goal: obtain the key $k$.

4. Chosen ciphertext attack. Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1)), (x_2, y_2 = e_k(x_2)), \ldots$ of which he can choose $y_1, y_2, \ldots$. Oscar's goal: obtain the key $k$.

1.5 Some Number Theory

Modulo operation: Question: What is 12 mod 9? Answer: $12 \bmod 9 \equiv 3$, or $12 \equiv 3 \bmod 9$.
Definition 1.5.1 (Modulo Operation) Let $a, r, m \in \mathbb{Z}$ (where $\mathbb{Z}$ is the set of all integers) and $m > 0$. We write $a \equiv r \bmod m$ if $m$ divides $r - a$. "$m$" is called the modulus. "$r$" is called the remainder.

Some remarks on the modulo operation: How is the remainder computed? It is always possible to write $a \in \mathbb{Z}$ such that $a = q \cdot m + r$, $0 \le r < m$. Now since $a - r = q \cdot m$, $m$ divides $a - r$ and $a \equiv r \bmod m$. Note that $r \in \{0, 1, 2, \ldots, m-1\}$.

Example: $a = 42$, $m = 9$: $42 = 4 \cdot 9 + 6$, therefore $42 \equiv 6 \bmod 9$.

C programming command "%": C can return a negative value. r = 42 % 9 returns r = 6, but r = -42 % 9 returns r = -6! If the remainder is negative, add the modulus $m$: $-6 + 9 = 3 \equiv -42 \bmod 9$.

Ring:

Definition 1.5.2 The ring "$\mathbb{Z}_m$" consists of:
1. The set $\mathbb{Z}_m = \{0, 1, 2, \ldots, m-1\}$.
2. Two operations "+" and "$\cdot$" for all $a, b \in \mathbb{Z}_m$ such that: $a + b \equiv c \bmod m$, $c \in \mathbb{Z}_m$; $a \cdot b \equiv d \bmod m$, $d \in \mathbb{Z}_m$.

Example: $m = 9$, $\mathbb{Z}_9 = \{0, 1, 2, 3, 4, 5, 6, 7, 8\}$: $6 + 8 = 14 \equiv 5 \bmod 9$; $6 \cdot 8 = 48 \equiv 3 \bmod 9$.

Definition 1.5.3 Some important properties of the ring $\mathbb{Z}_m = \{0, 1, 2, \ldots, m-1\}$:
1. The additive identity is the element zero "0": $a + 0 = a \bmod m$, for any $a \in \mathbb{Z}_m$.
2. The additive inverse "$-a$" of "$a$" is such that $a + (-a) \equiv 0 \bmod m$: $-a = m - a$, for any $a \in \mathbb{Z}_m$.
3. Addition is closed: i.e., for any $a, b \in \mathbb{Z}_m$, $a + b \in \mathbb{Z}_m$.
4. Addition is commutative: i.e., for any $a, b \in \mathbb{Z}_m$, $a + b = b + a$.
5. Addition is associative: i.e., for any $a, b, c \in \mathbb{Z}_m$, $(a + b) + c = a + (b + c)$.
6. The multiplicative identity is the element one "1": $a \cdot 1 \equiv a \bmod m$, for any $a \in \mathbb{Z}_m$.
7. The multiplicative inverse "$a^{-1}$" of "$a$" is such that $a \cdot a^{-1} \equiv 1 \bmod m$. An element $a$ has a multiplicative inverse "$a^{-1}$" if and only if $\gcd(a, m) = 1$.
8. Multiplication is closed: i.e., for any $a, b \in \mathbb{Z}_m$, $ab \in \mathbb{Z}_m$.
9. Multiplication is commutative: i.e., for any $a, b \in \mathbb{Z}_m$, $ab = ba$.
10. Multiplication is associative: i.e., for any $a, b, c \in \mathbb{Z}_m$, $(ab)c = a(bc)$.

Some remarks on the ring $\mathbb{Z}_m$: Roughly speaking, a ring is a structure in which we can add, subtract, multiply, and sometimes divide.
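The following C program is an added example and not part of Paar's notes: it implements the modulo reduction of Definition 1.5.1 including the correction for C's negative "%" result, the gcd test for the existence of a multiplicative inverse in $\mathbb{Z}_m$, an inverse found by trial-and-error, and exponentiation that reduces after every multiplication. All function names are my own.

```c
#include <stdio.h>

/* Reduce any integer a into {0, ..., m-1}. C's "%" truncates toward zero,
 * so -42 % 9 == -6; as the notes say, a negative remainder is fixed by
 * adding the modulus once. */
int mod_reduce(int a, int m) {
    int r = a % m;
    if (r < 0) r += m;
    return r;
}

/* gcd by repeated remainders; only used here to decide whether a has a
 * multiplicative inverse in Z_m (property 7 of Definition 1.5.3). */
int gcd(int a, int b) {
    while (b != 0) { int t = a % b; a = b; b = t; }
    return a < 0 ? -a : a;
}

/* Additive inverse in Z_m: -a = m - a (and 0 stays 0). */
int add_inverse(int a, int m) {
    return mod_reduce(m - mod_reduce(a, m), m);
}

/* Multiplicative inverse by trial-and-error over all of Z_m, returning
 * the x with a * x == 1 (mod m), or -1 when gcd(a, m) != 1 and no x exists. */
int mod_inverse_trial(int a, int m) {
    a = mod_reduce(a, m);
    if (gcd(a, m) != 1) return -1;
    for (int x = 1; x < m; x++)
        if (mod_reduce(a * x, m) == 1) return x;
    return -1;   /* unreachable when gcd(a, m) == 1 */
}

/* b^e mod m, reducing after every multiplication so that no intermediate
 * value leaves Z_m ("apply the modulo reduction as soon as we can"). */
int mod_pow(int b, int e, int m) {
    int result = 1;
    b = mod_reduce(b, m);
    for (int i = 0; i < e; i++)
        result = mod_reduce(result * b, m);
    return result;
}

int main(void) {
    printf("42 mod 9 = %d\n", mod_reduce(42, 9));                     /* 6 */
    printf("-42 %% 9 = %d in C, reduced: %d\n", -42 % 9, mod_reduce(-42, 9)); /* -6, 3 */
    printf("6 + 8 mod 9 = %d, 6 * 8 mod 9 = %d\n", mod_reduce(6 + 8, 9), mod_reduce(6 * 8, 9));
    printf("15^-1 mod 26 = %d\n", mod_inverse_trial(15, 26));         /* 7 */
    printf("14^-1 mod 26 = %d (none)\n", mod_inverse_trial(14, 26));  /* -1 */
    printf("3^8 mod 7 = %d\n", mod_pow(3, 8, 7));                     /* 2 */
    return 0;
}
```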
Definition 1.5.4 If $\gcd(a, m) = 1$, then $a$ and $m$ are "relatively prime" and the multiplicative inverse of $a$ exists.

Example:
(i) Question: does a multiplicative inverse exist for 15 mod 26? Answer: yes, since $\gcd(15, 26) = 1$.
(ii) Question: does a multiplicative inverse exist for 14 mod 26? Answer: no, since $\gcd(14, 26) \neq 1$.

The modulo operation can be applied whenever we want:
$(a + b) \bmod m = [(a \bmod m) + (b \bmod m)] \bmod m$.
$(a \cdot b) \bmod m = [(a \bmod m) \cdot (b \bmod m)] \bmod m$.

Example: $3^8 \bmod 7 = ?$
(i) $3^8 = 3^4 \cdot 3^4 = 81 \cdot 81 \bmod 7$; $81 \bmod 7 \equiv 4$; $4 \cdot 4 = 16 \equiv 2 \bmod 7$.
(ii) $3^8 = 6561 \equiv 2 \bmod 7$, since $6561 = 937 \cdot 7 + 2$.
As we see, it is almost always of computational advantage to apply the modulo reduction as soon as we can.

The ring $\mathbb{Z}_m$, and thus integer arithmetic with the modulo operation, is of central importance to modern public-key cryptography. In practice, the integers are represented with 150 to 2048 bits.

1.6 Simple Blockciphers

Recall: Figure 1.3: Classification of private-key systems (Private-key Systems: Block ciphers, Stream ciphers)

Idea: The message string is divided into blocks (or cells) of equal length that are then encrypted and decrypted.
Input: message string $X \to X = x_1, x_2, x_3, \ldots, x_n$, where each $x_i$ is one block.
Cipher: $Y = y_1, y_2, y_3, \ldots, y_n$, with $y_i = e_k(x_i)$, where the key $k$ is fixed.

1.6.1 Shift Cipher

One of the most simple ciphers, where the letters of the alphabet are assigned a number as depicted in Table 1.1.

Table 1.1: Shift cipher table
A B C D E F G H I J K  L  M
0 1 2 3 4 5 6 7 8 9 10 11 12
N  O  P  Q  R  S  T  U  V  W  X  Y  Z
13 14 15 16 17 18 19 20 21 22 23 24 25

Definition 1.6.1 (Shift Cipher) Let $\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathbb{Z}_{26}$, $x \in \mathcal{P}$, $y \in \mathcal{C}$, $k \in \mathcal{K}$.
Encryption: $e_k(x) = x + k \bmod 26$.
Decryption: $d_k(y) = y - k \bmod 26$.

Remark: If $k = 3$ the shift cipher is given a special name: "Caesar Cipher".

Example: $k = 17$, plaintext: $X = x_1, x_2, \ldots, x_6 = $ ATTACK, i.e. $X = x_1, x_2, \ldots, x_6 = 0, 19, 19, 0, 2, 10$.
Encryption:
$y_1 = x_1 + k \bmod 26 = 0 + 17 = 17 \bmod 26 = $ R
$y_2 = y_3 = 19 + 17 = 36 \equiv 10 \bmod 26 = $ K
$y_4 = 17 = $ R
$y_5 = 2 + 17 = 19 \bmod 26 = $ T
$y_6 = 10 + 17 = 27 \equiv 1 \bmod 26 = $ B
Ciphertext: $Y = y_1, y_2, \ldots, y_6 = $ RKKRTB.

Attacks on the Shift Cipher:
1. Ciphertext-only: Try all possible keys, $|\mathcal{K}| = 26$. This is known as a "brute force attack" or "exhaustive search". Secure cryptosystems require a sufficiently large key space. The minimum requirement today is $|\mathcal{K}| \ge 2^{80}$; however, for long-term security $|\mathcal{K}| \ge 2^{100}$ is recommended.
2. The same cleartext maps to the same ciphertext, so the cipher can also easily be attacked with letter-frequency analysis.

1.6.2 Affine Cipher

This cipher is an extension of the Shift Cipher $y_i = x_i + k \bmod m$.

Definition 1.6.2 (Affine Cipher) Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$.
Encryption: $e_k(x) = a \cdot x + b \bmod 26$.
Key: $k = (a, b)$ where $a, b \in \mathbb{Z}_{26}$.
Decryption: $a \cdot x + b = y \bmod 26$, so $a \cdot x = y - b \bmod 26$ and $x = a^{-1}(y - b) \bmod 26$.
Restriction: $\gcd(a, 26) = 1$ in order for the affine cipher to work, since $a^{-1}$ does not always exist.

Question: How is $a^{-1}$ obtained? Answer: $a^{-1} \equiv a^{11} \bmod 26$ (the proof for this is in Chapter 6), or by trial-and-error for the time being.

Chapter 2 Stream Ciphers

Further Reading: [Sim92], Chapter 2

2.1 Introduction

Remember the classification: Figure 2.1: Private-key cipher classification (Private-key Systems: Block ciphers, Stream ciphers)

Block Cipher: $Y = y_1, y_2, \ldots, y_n = e_k(x_1), e_k(x_2), \ldots, e_k(x_n)$, i.e. the key does not change with every block.
Stream Cipher: $Y = y_1, y_2, \ldots, y_n = e_{z_1}(x_1), e_{z_2}(x_2), \ldots, e_{z_n}(x_n)$ with the "keystream" $= z_1, z_2, \ldots, z_n$.

Figure 2.2: Most popular encryption/decryption function ($x_i$ and $z_i$ are XORed to give $y_i$; $y_i$ and $z_i$ are XORed to give $x_i$)

Most popular en-/decryption function: modulo 2 addition. Assume $x_i, y_i, z_i \in \{0, 1\}$:
$y_i = e_{z_i}(x_i) = x_i + z_i \bmod 2$ (encryption)
$x_i = e_{z_i}(y_i) = y_i + z_i \bmod 2$ (decryption)

Remarks:
1. Developed by Vernam in 1917 for Baudot Code on teletypewriters.
2. The modulo 2 operation is equivalent to a 2-input XOR operation. Why are encryption and decryption identical operations?
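Returning to Section 1.6, the C code below is an added example (not from the notes) for the shift cipher of Definition 1.6.1 and the affine cipher of Definition 1.6.2: it encrypts and decrypts over $\mathbb{Z}_{26}$, obtains $a^{-1}$ as $a^{11} \bmod 26$, refuses keys with $\gcd(a, 26) \neq 1$, and shows the exhaustive search over the 26 shift keys against a known plaintext. Function names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Letter <-> Z_26 mapping of Table 1.1 (A = 0, ..., Z = 25). */
static int letter_to_num(char c) { return toupper((unsigned char)c) - 'A'; }
static char num_to_letter(int n) { return (char)('A' + ((n % 26) + 26) % 26); }
static int gcd(int a, int b) { while (b) { int t = a % b; a = b; b = t; } return a; }

/* Shift cipher e_k(x) = x + k mod 26; non-letters pass through unchanged.
 * out must have room for strlen(in) + 1 characters. */
void shift_encrypt(const char *in, int k, char *out) {
    size_t i;
    for (i = 0; in[i]; i++)
        out[i] = isalpha((unsigned char)in[i]) ? num_to_letter(letter_to_num(in[i]) + k) : in[i];
    out[i] = '\0';
}
/* d_k(y) = y - k mod 26 is a shift by -k. */
void shift_decrypt(const char *in, int k, char *out) { shift_encrypt(in, -k, out); }

/* a^11 mod 26 equals a^-1 whenever gcd(a, 26) = 1 (the rule quoted in 1.6.2). */
int inverse_mod26(int a) {
    int r = 1;
    for (int i = 0; i < 11; i++) r = (r * a) % 26;
    return r;
}

/* Affine cipher e_(a,b)(x) = a*x + b mod 26. Returns 0 without writing
 * anything if a has no inverse, because decryption would be impossible. */
int affine_encrypt(const char *in, int a, int b, char *out) {
    if (gcd(a, 26) != 1) return 0;
    size_t i;
    for (i = 0; in[i]; i++)
        out[i] = isalpha((unsigned char)in[i]) ? num_to_letter(a * letter_to_num(in[i]) + b) : in[i];
    out[i] = '\0';
    return 1;
}
/* x = a^-1 (y - b) mod 26; num_to_letter handles the negative products. */
int affine_decrypt(const char *in, int a, int b, char *out) {
    if (gcd(a, 26) != 1) return 0;
    int ainv = inverse_mod26(a);
    size_t i;
    for (i = 0; in[i]; i++)
        out[i] = isalpha((unsigned char)in[i]) ? num_to_letter(ainv * (letter_to_num(in[i]) - b)) : in[i];
    out[i] = '\0';
    return 1;
}

/* Exhaustive search over |K| = 26: the key whose decryption of ct yields the
 * known plaintext pt, or -1. Shows why such a small key space is hopeless. */
int shift_recover_key(const char *pt, const char *ct) {
    char buf[256];
    if (strlen(ct) >= sizeof buf) return -1;
    for (int k = 0; k < 26; k++) {
        shift_decrypt(ct, k, buf);
        if (strcmp(buf, pt) == 0) return k;
    }
    return -1;
}

int main(void) {
    char y[32], x[32];
    shift_encrypt("ATTACK", 17, y);          /* RKKRTB, as in the notes */
    shift_decrypt(y, 17, x);
    printf("shift: ATTACK -> %s -> %s, key found by search: %d\n", y, x, shift_recover_key("ATTACK", y));
    affine_encrypt("ATTACK", 15, 3, y);      /* constructed key (a, b) = (15, 3) */
    affine_decrypt(y, 15, 3, x);
    printf("affine: ATTACK -> %s -> %s, 15^-1 mod 26 = %d\n", y, x, inverse_mod26(15));
    return 0;
}
```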
Truth table of modulo 2 addition:
a b | c = a + b mod 2
0 0 | 0   (0 + 0 = 0 mod 2)
0 1 | 1   (0 + 1 = 1 mod 2)
1 0 | 1   (1 + 0 = 1 mod 2)
1 1 | 0   (1 + 1 = 0 mod 2)
Modulo 2 addition yields the same truth table as the XOR operation.

3. Encryption and decryption are the same operation, namely modulo 2 addition (or XOR). Why? We show that decryption of ciphertext bit $y_i$ yields the corresponding plaintext bit. Decryption: $y_i + z_i = (x_i + z_i) + z_i = x_i + (z_i + z_i) \equiv x_i \bmod 2$, where $(x_i + z_i)$ is the encryption. Note that $z_i + z_i \equiv 0 \bmod 2$ for $z_i = 0$ and for $z_i = 1$.

Example: Encryption of the letter 'A' by Alice. 'A' is given in ASCII code as $65_{10} = 1000001_2$. Let's assume that the first key stream bits are $(z_1, \ldots, z_7) = 0101101$.
Encryption by Alice:
plaintext $x_i$:  1000001 = 'A' (ASCII symbol)
key stream $z_i$: 0101101
ciphertext $y_i$: 1101100 = 'l' (ASCII symbol)
Decryption by Bob:
ciphertext $y_i$: 1101100 = 'l' (ASCII symbol)
key stream $z_i$: 0101101
plaintext $x_i$:  1000001 = 'A' (ASCII symbol)

2.2 One-Time Pad and Pseudo-Random Generators

Definition 2.2.1 (Unconditional Security) A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources.

Definition 2.2.2 (One-time Pad (OTP)) A cryptosystem developed by Mauborgne based on Vernam's stream cipher consisting of: $|\mathcal{P}| = |\mathcal{C}| = |\mathcal{K}|$, with $x_i, y_i, k_i \in \{0, 1\}$. Encrypt: $e_{k_i}(x_i) = x_i + k_i \bmod 2$. Decrypt: $d_{k_i}(y_i) = y_i + k_i \bmod 2$.

Theorem 2.2.1 The OTP is unconditionally secure if keys are only used once.

Remarks:
1. The OTP is the only provably secure system: $y_0 = x_0 + K_0 \bmod 2$, $y_1 = x_1 + K_1 \bmod 2$, ... Each equality is a linear equation with 2 unknowns, so for every $y_i$, $x_i = 0$ and $x_i = 1$ are equally likely. This holds only if $K_0, K_1, \ldots$ are not related to each other, i.e., the $K_i$ must be generated truly randomly.
2. OTPs are impractical for most applications.

Question: Can we "emulate" an OTP by using a short key?
Figure 2.3: Stream cipher model (Alice and Bob each feed the short initial key $k$ into a key-stream generator producing $z_i$; Alice combines $x_0, x_1, \ldots, x_n$ with $z_i$ to obtain $y_0, y_1, \ldots, y_n$, which Oscar can observe; Bob combines $y_i$ with his $z_i$ to recover $x_i$)

Classification by key-stream generator:
(a) "synchronous stream cipher": $z_i = f(k)$, a pseudo-random generator (PRG).
(b) "asynchronous stream cipher": $z_i = f(k, y_{i-1}, y_{i-2}, \ldots, y_{i-N})$, i.e. feedback of the cipher.
(c) The key issue is that Bob has to "match" the exact $z_i$ to get the correct message. In order to do this, both key-stream generators have to be synchronized.

Figure 2.4: Asynchronous stream cipher ($z_i = f(k, \ldots)$ is XORed with $x_i$ to give $y_i$; the feedback path from $y_i$ into $f()$ exists only in asynchronous stream ciphers)

It is important to note that key stream generators must not only possess good statistical properties, which is true for other pseudo-random generators as well, but they must also be cryptographically secure:

Definition 2.2.3 (Cryptographically secure pseudo-random generators) A pseudo-random generator (key stream generator) is cryptographically secure if it is unpredictable. That is, given the first $n$ output bits of the generator, it is computationally infeasible to compute the bits $n + 1, n + 2, \ldots$

2.3 Synchronous Stream Ciphers

The keystream $z_1, z_2, \ldots$ is a pseudo-random sequence which depends only on the key.

2.3.1 Linear Feedback Shift Registers (LFSR)

An LFSR consists of $m$ storage elements (flip-flops) and a feedback network. The feedback network computes the input for the "last" flip-flop as the XOR-sum of certain flip-flops in the shift register.

Example: We consider an LFSR of degree $m = 3$ with flip-flops $K_2, K_1, K_0$ and a feedback path as shown below.

Figure 2.5: Linear feedback shift register (flip-flops $K_2, K_1, K_0$ holding $Z_2, Z_1, Z_0$; the modulo 2 addition (XOR) of $Z_1$ and $Z_0$ is fed back into $K_2$; $Z_0$ is the output, producing $Z_0, Z_1, \ldots, Z_6$)

State of the register (K2 K1 K0) per clock cycle:
1 0 0
0 1 0
1 0 1
1 1 0
1 1 1
0 1 1
0 0 1
1 0 0

Mathematical description for keystream bits $z_i$ with $z_0, z_1, z_2$ as initial settings:
$z_3 = z_1 + z_0 \bmod 2$
$z_4 = z_2 + z_1 \bmod 2$
$z_5 = z_3 + z_2 \bmod 2$
...
General case: $z_{i+3} = z_{i+1} + z_i \bmod 2$, $i = 0, 1, 2, \ldots$

General expression for an LFSR (Figure 2.6):
Figure 2.6: LFSR with feedback coefficients (flip-flops $K_{m-1}, \ldots, K_1, K_0$, each with a switch $C_{m-1}, \ldots, C_1, C_0$ on its feedback tap; the output is taken from $K_0$)

$C_0, C_1, \ldots, C_{m-1}$ are the feedback coefficients. $C_i = 0$ denotes an open switch (no connection), $C_i = 1$ denotes a closed switch (connection).

$$z_{i+m} = \sum_{j=0}^{m-1} C_j z_{i+j} \bmod 2, \quad C_j \in \{0, 1\}, \quad i = 0, 1, 2, \ldots$$

The entire key consists of: $k = \{C_0, C_1, \ldots, C_{m-1}, z_0, z_1, \ldots, z_{m-1}, m\}$.

Example: $k = \{C_0 = 1, C_1 = 1, C_2 = 0, z_0 = 0, z_1 = 0, z_2 = 1, 3\}$.

Theorem 2.3.1 The maximum sequence length generated by the LFSR is $2^m - 1$.

Proof: There are only $2^m$ different states $(k_0, \ldots, k_m)$ possible. Since only the current state is known to the LFSR, after $2^m$ clock cycles a repetition must occur. The all-zero state must be excluded since it repeats itself immediately.

Remarks:
1. Only certain configurations $(C_0, \ldots, C_{m-1})$ yield maximum length LFSRs. For example: if $m = 4$ then $(C_0 = 1, C_1 = 1, C_2 = 0, C_3 = 0)$ has length $2^m - 1 = 15$, but $(C_0 = 1, C_1 = 1, C_2 = 1, C_3 = 1)$ has length 5.
2. LFSRs are sometimes specified by polynomials, such that $P(x) = x^m + C_{m-1} x^{m-1} + \ldots + C_1 x + C_0$. Maximum length LFSRs have "primitive polynomials". These polynomials can be easily obtained from the literature (Table 16.2 in [Sch93]). For example: $(C_0 = 1, C_1 = 1, C_2 = 0, C_3 = 0)$ gives $P(x) = 1 + x + x^4$.

2.3.2 Clock Controlled Shift Registers

Example: Alternating stop-and-go generator.

Figure 2.7: Stop-and-go generator example (the clock CLK drives LFSR1; its output Out1 decides whether LFSR2 or LFSR3 is clocked; Out4 = Out2 XOR Out3 $= z_i$ is the key stream)

Basic operation: When Out1 = 1 then LFSR2 is clocked, otherwise LFSR3 is clocked. Out4 serves as the keystream and is the bitwise XOR of the outputs of LFSR2 and LFSR3.

Security of the generator: All three LFSRs should have a maximum length configuration. If the sequence lengths of all LFSRs are relatively prime to each other, then the sequence length of the generator is the product of all three sequence lengths, i.e., $L = L_1 \cdot L_2 \cdot L_3$. A secure generator should have LFSRs of roughly equal lengths, and the length should be at least 128: $m_1 \approx m_2 \approx m_3 \approx 128$.
2.4 Attacks

2.4.1 Known Plaintext Attack Against LFSRs

Assumption: For a known plaintext attack, we have to assume that $m$ is known.
Idea: This attack is based on the knowledge of some plaintext and its corresponding ciphertext.
(i) Known plaintext: $x_0, x_1, \ldots, x_{2m-1}$.
(ii) Observed ciphertext: $y_0, y_1, \ldots, y_{2m-1}$.
(iii) Construct keystream bits: $z_i = x_i + y_i \bmod 2$, $i = 0, 1, \ldots, 2m-1$.
Goal: To find the feedback coefficients $C_i$.

Using the LFSR equation to find the $C_i$ coefficients:
$$z_{i+m} = \sum_{j=0}^{m-1} C_j z_{i+j} \bmod 2, \quad C_j \in \{0, 1\}$$
$i = 0$: $z_m = C_0 z_0 + C_1 z_1 + \ldots + C_{m-1} z_{m-1} \bmod 2$
$i = 1$: $z_{m+1} = C_0 z_1 + C_1 z_2 + \ldots + C_{m-1} z_m \bmod 2$
...
$i = m-1$: $z_{2m-1} = C_0 z_{m-1} + C_1 z_m + \ldots + C_{m-1} z_{2m-2} \bmod 2$ (2.1)

Note: We now have $m$ linear equations in $m$ unknowns $C_0, C_1, \ldots, C_{m-1}$. The $C_i$ coefficients are constant, making it possible to solve for them when we have $2m$ plaintext-ciphertext pairs.

Rewriting Equation (2.1) in matrix form, we get:
$$\begin{pmatrix} z_0 & \cdots & z_{m-1} \\ \vdots & & \vdots \\ z_{m-1} & \cdots & z_{2m-2} \end{pmatrix} \begin{pmatrix} C_0 \\ \vdots \\ C_{m-1} \end{pmatrix} = \begin{pmatrix} z_m \\ \vdots \\ z_{2m-1} \end{pmatrix} \bmod 2 \quad (2.2)$$

Solving the matrix equation (2.2) for the $C_i$ coefficients we get:
$$\begin{pmatrix} C_0 \\ \vdots \\ C_{m-1} \end{pmatrix} = \begin{pmatrix} z_0 & \cdots & z_{m-1} \\ \vdots & & \vdots \\ z_{m-1} & \cdots & z_{2m-2} \end{pmatrix}^{-1} \begin{pmatrix} z_m \\ \vdots \\ z_{2m-1} \end{pmatrix} \bmod 2 \quad (2.3)$$

Summary: By observing $2m$ output bits of an LFSR of degree $m$ and matching them to the known plaintext bits, the $C_i$ coefficients can be constructed exactly by solving a system of linear equations of degree $m$. LFSRs by themselves are extremely insecure! However, combinations of them such as the alternating stop-and-go generator can be secure.

Chapter 3 Some Results From Information Theory

3.1 Levels of Security

Definition 3.1.1 (Unconditional Security) A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources.

Theorem 3.1.1 The OTP is unconditionally secure if keys are only used once.
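Before moving on to computational security, here is an added C example (my code, not the notes') for the LFSR of Section 2.3.1 and the known-plaintext attack of Section 2.4.1 above: it generates the keystream from the taps $C_j$, measures the sequence length to confirm Theorem 2.3.1 and Remark 1, and recovers the taps from $2m$ keystream bits by Gaussian elimination over GF(2), the solution of Equation (2.3). It also reports the case the notes do not spell out: $2m$ bits whose matrix is singular do not determine the taps. The plaintext bits and all function names are constructed by me.

```c
#include <stdio.h>
#include <string.h>

#define MAXM 16

/* LFSR of Figure 2.6: z_{i+m} = sum_j C_j z_{i+j} mod 2.
 * Extends z[] from its m initial bits z[0..m-1] up to z[n-1]. */
void lfsr_generate(const int *C, int m, int *z, int n) {
    for (int i = 0; i + m < n; i++) {
        int s = 0;
        for (int j = 0; j < m; j++) s ^= C[j] & z[i + j];
        z[i + m] = s;
    }
}

/* Sequence length: clock the register until the initial state recurs.
 * Returns 0 for the all-zero state excluded in Theorem 2.3.1. */
int lfsr_period(const int *C, const int *init, int m) {
    int st[MAXM], nonzero = 0;
    memcpy(st, init, m * sizeof(int));
    for (int j = 0; j < m; j++) nonzero |= st[j];
    if (!nonzero) return 0;
    for (int t = 1; t <= (1 << m); t++) {
        int s = 0;
        for (int j = 0; j < m; j++) s ^= C[j] & st[j];
        memmove(st, st + 1, (m - 1) * sizeof(int));   /* shift, new bit enters at the top */
        st[m - 1] = s;
        if (memcmp(st, init, m * sizeof(int)) == 0) return t;
    }
    return -1;   /* unreachable: a repetition must occur within 2^m clocks */
}

/* Step (iii) of the attack: z_i = x_i + y_i mod 2 from plaintext and ciphertext. */
void keystream_from_pairs(const int *x, const int *y, int n, int *z) {
    for (int i = 0; i < n; i++) z[i] = x[i] ^ y[i];
}

/* Equations (2.1)-(2.3): row i of the m x m system is (z_i ... z_{i+m-1} | z_{i+m}).
 * Gauss-Jordan elimination mod 2 (XOR of rows). Returns 1 and fills C[] on
 * success, 0 when the matrix is singular and the taps are not determined. */
int lfsr_recover_taps(const int *z, int m, int *C) {
    int A[MAXM][MAXM + 1];
    for (int i = 0; i < m; i++) {
        for (int j = 0; j < m; j++) A[i][j] = z[i + j];
        A[i][m] = z[i + m];
    }
    for (int col = 0; col < m; col++) {
        int piv = -1;
        for (int r = col; r < m; r++) if (A[r][col]) { piv = r; break; }
        if (piv < 0) return 0;
        for (int j = 0; j <= m; j++) { int t = A[col][j]; A[col][j] = A[piv][j]; A[piv][j] = t; }
        for (int r = 0; r < m; r++)
            if (r != col && A[r][col])
                for (int j = 0; j <= m; j++) A[r][j] ^= A[col][j];
    }
    for (int i = 0; i < m; i++) C[i] = A[i][m];
    return 1;
}

int main(void) {
    /* The m = 4 register of Remark 1: taps (1,1,0,0), i.e. P(x) = 1 + x + x^4. */
    int C[4] = {1, 1, 0, 0}, z[16] = {0, 0, 0, 1};
    lfsr_generate(C, 4, z, 16);
    printf("sequence length = %d\n", lfsr_period(C, z, 4));        /* 15 */
    /* Constructed known plaintext; the ciphertext is its XOR with the keystream. */
    int x[8] = {1, 0, 1, 1, 0, 0, 1, 0}, y[8], zz[8], rec[4];
    for (int i = 0; i < 8; i++) y[i] = x[i] ^ z[i];
    keystream_from_pairs(x, y, 8, zz);
    if (lfsr_recover_taps(zz, 4, rec))
        printf("recovered taps: %d %d %d %d\n", rec[0], rec[1], rec[2], rec[3]);
    return 0;
}
```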
3.2 Computational Security

For all known practical cryptosystems we have:

Definition 3.2.1 (Computational Security) A system is "computationally secure" if the best possible algorithm for breaking it requires $N$ operations, where $N$ is very large and known.

Unfortunately, all known practical systems are only computationally secure with respect to known algorithms.

Definition 3.2.2 (Relative Security) A system is "relatively secure" if its security relies on a well studied, very hard problem. Example: A system S is secure as long as factoring of large integers is hard (this is believed for RSA).

3.3 Cryptography and Coding

There are three basic forms of coding in modern communication systems: source coding, channel coding, and encryption. From an information theoretical and practical point of view, the three forms of coding should be applied as follows:

Figure 3.1: Communication coding system model (Data Source, Source Coding (removes redundancy), Encryption, Channel Coding (adds redundancy), Channel (introduces errors and eavesdropping), Channel Decoding, Decryption, Source Decoding, Data Sink)

3.4 Confusion and Diffusion

According to Shannon, there are two basic approaches to encryption.
1. Confusion: an encryption operation where the relationship between cleartext and ciphertext is obscured. Some examples are: (a) Shift cipher: the main operation is substitution. (b) German Enigma (broken by Turing): the main operation is smart substitution.
2. Diffusion: encryption by spreading out the influence of one cleartext letter over many ciphertext letters. An example is: (a) permutations: changing the positioning of the cleartext.

Remarks:
1. Today, changing one bit of cleartext should result on average in the change of half the output bits. $x_1 = 001010 \to$ encr. $\to y_1 = 101110$. $x_2 = 000010 \to$ encr. $\to y_2 = 001011$.
2. Combining confusion with diffusion is a common practice for obtaining a secure scheme. The Data Encryption Standard (DES) is a good example of that.
$\ldots \rightarrow$ Diff-N $\rightarrow$ Conf-N $\rightarrow y_{out}$. Figure 3.2: Example of combining confusion with diffusion (product cipher).

Chapter 4 Data Encryption Standard (DES)

General notes: DES is by far the most popular private-key algorithm. It was published in 1975 and standardized in 1977. The standard expired in 1998.

4.1 Encryption

System parameters: block cipher; 64 input/output bits; 56 bits of key. Principle: 16 rounds of encryption.

Figure 4.1: General model of DES. $X \rightarrow$ Initial Permutation $\rightarrow$ Encryption round 1 (key $K_1$) $\rightarrow \ldots \rightarrow$ Encryption round 16 (key $K_{16}$) $\rightarrow$ Final Permutation $\rightarrow Y$. The round keys $K_1, \ldots, K_{16}$ are derived from $K$.

4.1.1 Overview

Figure 4.2: The Feistel network. The 64-bit message $X$ passes the initial permutation $IP(X)$ and is split into $L_0$ and $R_0$ (32 bits each). In round $i$ ($i = 1, \ldots, 16$) the 48-bit round key $K_i$ is derived from the 56-bit key $K$ by transform $i$, and $f(R_{i-1}, K_i)$ is XORed into $L_{i-1}$. After round 16 the halves are swapped and the final permutation is applied: $Y = DES_K(X) = IP^{-1}(R_{16}, L_{16})$.

4.1.2 Permutations

(a) Initial Permutation IP. Output bit 1 is input bit 58, output bit 2 is input bit 50, ..., output bit 64 is input bit 7:

58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7

Figure 4.3: Initial permutation

(b) Inverse Initial Permutation $IP^{-1}$ (final permutation). Note: $IP^{-1}(IP(X)) = X$.

Figure 4.4: Final permutation $Z \rightarrow IP^{-1}(Z)$

4.1.3 Core Iteration (f-Function)

General description:
$L_i = R_{i-1}$,
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$.

The core iteration is the f-function, which takes the right half of the output of the previous round and the round key as input.

Expansion E (32 → 48 bits, bit table): the 32 input bits are split into eight groups of four, and the neighbouring bit on each side of every group is duplicated:

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

S-boxes: look-up tables (LUTs) with 64 entries, each a number from $0 \ldots 15$. Input: a six-bit code selecting one entry. Output: the four-bit binary representation of the selected entry.
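Two DES components described in Sections 4.1.3 and 4.1.4 in code, as an added example that is not part of the original notes: the 6-bit-to-4-bit S-box addressing (row from the outer bits, column from the four inner bits), the nonlinearity check $S(a) \oplus S(b) \neq S(a \oplus b)$ against a deliberately linear table built here for contrast, and the key-schedule rotation counts that make $C_{16} = C_0$, $D_{16} = D_0$. The table is $S_1$ as tabulated in the notes' S-box example; the 28-bit half values passed to the schedule are arbitrary test inputs, and PC-1/PC-2 are not reproduced.

```python
"""DES S-box addressing and key-schedule rotations (Sections 4.1.3, 4.1.4)."""

# S-box S1 of DES (FIPS 46-3), rows 0..3, columns 0..15.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# A linear 6->4 table constructed for contrast: every output bit is an XOR of input bits.
LINEAR_TABLE = [[(col ^ (row << 2)) & 0xF for col in range(16)] for row in range(4)]


def sbox(table, six_bits):
    """6-bit input -> 4-bit output. MSB and LSB select the row, the four inner
    bits select the column (b = b5 b4 b3 b2 b1 b0 -> row b5 b0, column b4 b3 b2 b1)."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be 6 bits")
    row = ((six_bits >> 5) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return table[row][col]


def is_linear(table):
    """True iff S(a) xor S(b) == S(a xor b) for all 6-bit a, b (DES S-boxes are not)."""
    return all(sbox(table, a) ^ sbox(table, b) == sbox(table, a ^ b)
               for a in range(64) for b in range(64))


# Key schedule: one left rotation in rounds 1, 2, 9, 16, two in every other round.
SHIFTS = [1 if r in (1, 2, 9, 16) else 2 for r in range(1, 17)]
MASK28 = (1 << 28) - 1


def rotl28(v, n):
    """Cyclic left shift of a 28-bit half by n positions."""
    return ((v << n) | (v >> (28 - n))) & MASK28


def key_schedule_halves(c0, d0):
    """Return [(C_1, D_1), ..., (C_16, D_16)] from the 28-bit halves after PC-1.
    PC-2 (the 56 -> 48 bit selection giving K_i) is omitted here."""
    halves, c, d = [], c0 & MASK28, d0 & MASK28
    for s in SHIFTS:
        c, d = rotl28(c, s), rotl28(d, s)
        halves.append((c, d))
    return halves


if __name__ == "__main__":
    print(sbox(S1, 0b100101), is_linear(S1), is_linear(LINEAR_TABLE), sum(SHIFTS))
```

Because the sixteen rotations add up to 28, the last pair returned by `key_schedule_halves` equals its input, which is what lets decryption start from $(C_0, D_0)$ and rotate to the right (Section 4.2).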
Figure 4.5: Core function $f$ of DES. $R_{i-1}$ (32 bits) → expansion $E(R_{i-1})$ (48 bits; diffusion: spreading the influence of single bits) → XOR with $K_i$ (48 bits) → eight S-boxes $S_1, \ldots, S_8$, each with 6 input and 4 output bits, $8 \cdot 4 = 32$ bits (confusion: obscures the ciphertext/cleartext relationship; see page 75 in Stinson) → permutation $P$ (32 bits) → XOR with $L_{i-1}$ gives $R_i$.

Example: S-box $S_1$ (rows 0 to 3, columns 0 to 15):

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

Input: a six-bit vector whose MSB and LSB select the row and whose four inner bits select the column.
$b = 100101$: row $= 11_2 = 3$ (fourth row), column $= 0010_2 = 2$ (third column).
$S_1(37) = S_1(100101_2) = 8 = 1000_2$.

Remark: the S-boxes are the most crucial elements of DES because they introduce a nonlinear function into the algorithm, i.e., $S(a) \oplus S(b) \neq S(a \oplus b)$.

4.1.4 Key Schedule

Note (Figure 4.6: 64-bit DES key block): the 64-bit key consists of eight bytes of 7 key bits plus 1 parity bit $P$ each. In practice the DES key is artificially enlarged with odd parity bits. These bits are "stripped" in PC-1.

Figure 4.7: DES key scheduler. $K$ (64 bits) → PC-1 → 56 bits, split into $C_0$ and $D_0$ (28 bits each). For $i = 1, \ldots, 16$: $C_i = LS_i(C_{i-1})$, $D_i = LS_i(D_{i-1})$ and $K_i = \text{PC-2}(C_i, D_i)$ (48 bits).

The cyclic left-shift (LS) blocks have two modes of operation:
(a) for $LS_i$ with $i = 1, 2, 9, 16$ the block is shifted once;
(b) for $LS_i$ with $i \neq 1, 2, 9, 16$ the block is shifted twice.

Remark: the total number of cyclic left shifts is $4 \cdot 1 + 12 \cdot 2 = 28$. As a result, $C_0 = C_{16}$ and $D_0 = D_{16}$.

4.2 Decryption

One advantage of DES is that decryption is essentially the same as encryption. Only the key schedule is reversed. This is due to the fact that DES is based on a Feistel network.

Question: why does decryption work essentially the same as encryption?

(a) What happens in the initial stage of decryption?
$(L_0^d, R_0^d) = IP(Y) = IP(IP^{-1}(R_{16}, L_{16})) = (R_{16}, L_{16})$,
hence $L_0^d = R_{16}$ and $R_0^d = L_{16} = R_{15}$.

(b) What happens in the iterations? What are $(L_1^d, R_1^d)$?
$L_1^d = R_0^d = L_{16} = R_{15}$.
Substituting into the round equation:
$R_1^d = L_0^d \oplus f(R_0^d, k_{16}) = R_{16} \oplus f(L_{16}, k_{16})$
$\quad = L_{15} \oplus f(R_{15}, k_{16}) \oplus f(R_{15}, k_{16}) = L_{15}$.
In general $L_i^d = R_{16-i}$ and $R_i^d = L_{16-i}$, so that $L_{16}^d = R_0$ and $R_{16}^d = L_0$.

(c) What happens in the final stage?
$IP^{-1}(R_{16}^d, L_{16}^d) = IP^{-1}(L_0, R_0) = IP^{-1}(IP(X)) = X$. q.e.d.

Figure 4.8: Decryption of DES. $Y = DES(X)$ → $IP$ → $(L_0^d, R_0^d)$ → 16 rounds with round keys $K_{16}, \ldots, K_1$ → $(L_{16}^d, R_{16}^d)$ → $IP^{-1}$ → $X = DES^{-1}(Y) = DES^{-1}(DES(X))$.

Reversed key schedule. Question: given $K$, how can we easily generate $k_{16}$ first?
$k_{16} = \text{PC-2}(C_{16}, D_{16}) = \text{PC-2}(C_0, D_0) = \text{PC-2}(\text{PC-1}(K))$,
$k_{15} = \text{PC-2}(C_{15}, D_{15}) = \text{PC-2}(RS_1(C_{16}), RS_1(D_{16})) = \text{PC-2}(RS_1(C_0), RS_1(D_0))$,
i.e., the decryption schedule starts from $(C_0, D_0)$ and uses cyclic right shifts $RS_i$ with the shift amounts in reverse order.

4.3 Implementation

Note: one design criterion for DES was fast hardware implementation.

4.3.1 Hardware

Since permutations and simple table look-ups are fast in hardware, DES can be implemented very efficiently [AM97, page 362]. Fastest implementation: 9 Gbit/s as a 0.6 µm ASIC [WPR+99] with a 16-stage pipeline.

4.3.2 Software

Record: 130 Mbit/s by Biham [Bih97]. Typically: a few 10 Mbit/s.

4.4 Attacks

There have been two major points of criticism about DES from the beginning: (i) the key size is too small, (ii) the S-boxes contained secret design criteria.

Figure 4.9: Reversed key scheduler for decryption of DES. $K$ (56 bits after PC-1) → $C_0 = C_{16}$, $D_0 = D_{16}$ → PC-2 → $K_{16}$; $RS_1$ → $C_{15}, D_{15}$ → PC-2 → $K_{15}$; ...; $RS_{15}$ → $C_1, D_1$ → PC-2 → $K_1$.

4.4.1 Exhaustive Key Search

Known plaintext attack: known: $X$ and $Y$; unknown: $K$ such that $Y = DES_K(X)$.
Idea: test all $2^{56}$ possible keys: $DES_{k_i}(X) \stackrel{?}{=} Y$, $i = 0, 1, \ldots, 2^{56} - 1$.

4.4.2 Differential Cryptanalysis

Principle: proposed by Biham and Shamir in 1990. Consider differences of plaintext pairs and of the corresponding ciphertext pairs and deduce the likelihood of certain keys.
Requirements for 16-round DES: with chosen plaintext, $2^{47}$ $(X, Y)$ pairs are needed; with known plaintext, $2^{55}$ pairs; $2^{37}$ arithmetic operations. Since each $(X, Y)$ pair is 128 bits long, large storage is needed, which makes this attack highly impractical!

Remark: the DES S-boxes are optimized against differential cryptanalysis.

4.4.3 Linear Cryptanalysis

Principle: proposed by Matsui in 1993 and presented at CRYPTO '94. Find linear approximations (XOR sums of selected plaintext, ciphertext and key bits) that hold with a probability different from 1/2 and deduce the likelihood of certain key bits.
The actual attack was implemented: with $2^{43}$ known plaintexts the key was recovered in 50 days, using 12 HP RISC workstations running at 99 MHz.

Remark: the S-box design of DES is not optimized against this attack.

Table 4.1: History of full-round DES attacks

Date | Proposed / implemented attack
1977 | Diffie & Hellman estimate the cost of a key-search machine (an underestimate).
1990 | Biham & Shamir propose differential cryptanalysis, $2^{47}$ chosen plaintexts.
1993 | Mike Wiener proposes a detailed hardware design for a key-search machine: average search time 36 h at a cost of $100,000.
1993 | Matsui proposes linear cryptanalysis, $2^{43}$ known plaintexts.
Jun. 1997 | DES Challenge I broken; the distributed effort took 4.5 months.
Feb. 1998 | DES Challenge II-1 broken; the distributed effort took 39 days.
Jul. 1998 | DES Challenge II-2 broken by the key-search machine built by the Electronic Frontier Foundation (EFF): 1800 ASICs with 24 search units each, $250K, 15 days average search time; actual time 56 hours.
Jan. 1999 | DES Challenge III broken by a distributed effort combined with EFF's key-search machine; it took 22 hours and 15 minutes.

4.5 DES Alternatives

There exists a wealth of other block ciphers. A small collection of as yet unbroken ciphers:

Algorithm | Year | Inventor | Block (bits) | Key (bits) | Core operation
AES | 2000+ | ? | 128 | 128/192/256 | ?
Triple DES | | | 64 | 112 | S-box
IDEA | 90/92 | Lai, Massey | 64 | 128 | modulo arithmetic
CAST | 93 | Adams, Tavares | 64 | 64 | variable S-boxes
SAFER | 94 | Massey | 64 | 64/128 | modulo arithmetic
For further reading, consult Chapters 13 and 14 in [Sch93].

Chapter 5 Rijndael: The Advanced Encryption Standard

5.1 History

5.1.1 Basic Facts about AES

Successor to DES. The AES selection process was administered by NIST. Unlike DES, the AES selection was an open (i.e., public) process. Likely to be the dominant secret-key algorithm in the next decade.

Main AES requirements by NIST:
Block cipher with 128 I/O bits.
Three key lengths must be supported: 128/192/256 bits.
Security relative to the other submitted algorithms.
Efficient software and hardware implementations.

See http://www.nist.gov/aes for further information on AES.

5.1.2 Chronology of the AES Process

Development announced on January 2, 1997 by the National Institute of Standards and Technology (NIST).
15 candidate algorithms accepted on August 20, 1998.
5 finalists announced on August 9, 1999: Mars (IBM Corporation), RC6 (RSA Laboratories), Rijndael (J. Daemen and V. Rijmen), Serpent (Eli Biham et al.), Twofish (B. Schneier et al.).
Monday, October 2, 2000: NIST chooses Rijndael as the AES.

A lot of work went into software and hardware performance analysis of the AES candidate algorithms. Here are representative numbers:

Algorithm | Pentium Pro @ 200 MHz, Mbit/s [WWGP00] | FPGA hardware, Gbit/s [EYCP00]
MARS | 69 | -
RC6 | 105 | 2.4
Rijndael | 71 | 1.9
Serpent | 27 | 4.9
Twofish | 95 | 1.6

Table 5.1: Speeds of the AES finalists in hardware and software

5.2 Rijndael Overview

Figure 5.1: AES block and key sizes: $x$ (128 bits) → Rijndael → $y$ (128 bits), key $k$ of 128/192/256 bits.

Both the block size and the key length of Rijndael are variable. The sizes shown in Figure 5.1 are the ones required by the AES standard. The number of rounds (iterations) is a function of the key length:

Key length (bits) | 128 | 192 | 256
$n_r$ = rounds | 10 | 12 | 14

Table 5.2: Key lengths and number of rounds for Rijndael

However, Rijndael also allows block sizes of 192 and 256 bits. For those block sizes the number of rounds must be increased.
Important: Rijndael does not have a Feistel structure. Feistel networks do not encrypt an entire block per iteration (e.g., in DES $64/2 = 32$ bits are encrypted in one iteration). Rijndael encrypts all 128 bits in one iteration. As a consequence, Rijndael has a comparably small number of rounds.

Rijndael uses three different types of layers. Each layer operates on all 128 bits of a block:
1. Key Addition Layer: XORing of the subkey.
2. Byte Substitution Layer: 8-by-8 S-box substitution.
3. Diffusion Layer: provides diffusion over all 128 (or 192 or 256) block bits. It is split into two sub-layers:
(a) ShiftRow sublayer,
(b) MixColumn sublayer.

The ShiftRow and MixColumn stages form a linear diffusion layer.

Remark: the ByteSubstitution layer introduces confusion with a non-linear operation.

Figure 5.2: Rijndael encryption block diagram. $x$ → Key Addition Layer → rounds $1, \ldots, n_r - 1$: ByteSubstitution Layer, Diffusion Layer (ShiftRow sublayer, MixColumn sublayer), Key Addition Layer → round $n_r$: ByteSubstitution Layer, ShiftRow sublayer, Key Addition Layer → $y$.

5.3 Some Mathematics: A Very Brief Introduction to Galois Fields

"Galois fields" are used to perform substitution and diffusion in Rijndael.

Question: what are Galois fields?

Galois fields are fields with a finite number of elements. Roughly speaking, a field is a structure in which we can add, subtract, multiply, and compute inverses (i.e., divide). More exactly, a field is a ring in which all elements except 0 are invertible.

Fact 5.3.1 Let $p$ be a prime. $GF(p)$ is a "prime field", i.e., a Galois field with a prime number of elements. All arithmetic in $GF(p)$ is done modulo $p$.

Example: $GF(3) = \{0, 1, 2\}$

addition:
+ | 0 1 2
0 | 0 1 2
1 | 1 2 0
2 | 2 0 1

additive inverses: $-0 = 0$, $-1 = 2$, $-2 = 1$

multiplication:
· | 0 1 2
0 | 0 0 0
1 | 0 1 2
2 | 0 2 1

multiplicative inverses: $0^{-1}$ does not exist, $1^{-1} = 1$, $2^{-1} = 2$ since $2 \cdot 2 = 4 \equiv 1 \bmod 3$.

Theorem 5.3.1 For every prime power $p^m$, $p$ a prime and $m$ a positive integer, there exists a finite field with $p^m$ elements, denoted by $GF(p^m)$.

Examples:
- $GF(5)$ is a finite field.
- $GF(256) = GF(2^8)$ is a finite field.
- "$GF(12) = GF(3 \cdot 2^2)$" is NOT a finite field (in fact the notation is already incorrect, and you should pretend you never saw it).

Question: how to build "extension fields" $GF(p^m)$, $m > 1$? (See also [Sti95, Section 5.2.1].)

1. Represent the elements as polynomials with $m$ coefficients. Each coefficient is an element of $GF(p)$.
Example: $A \in GF(2^8)$: $A \rightarrow A(x) = a_7 x^7 + \ldots + a_1 x + a_0$, $a_i \in GF(2) = \{0, 1\}$.

2. Addition and subtraction in $GF(p^m)$:
$C(x) = A(x) + B(x) = \sum_{i=0}^{m-1} c_i x^i$, $c_i = a_i + b_i \bmod p$.
Example: $A, B \in GF(2^8)$,
$A(x) = x^7 + x^6 + x^4 + 1$,
$B(x) = x^4 + x^2 + 1$,
$C(x) = x^7 + x^6 + x^2$.

3. Multiplication in $GF(p^m)$: multiply the two polynomials using the polynomial multiplication rule, with the coefficient arithmetic done in $GF(p)$. The resulting polynomial will have degree up to $2m - 2$:
$A(x) \cdot B(x) = (a_{m-1} x^{m-1} + \ldots + a_0)(b_{m-1} x^{m-1} + \ldots + b_0)$,
$C'(x) = c'_{2m-2} x^{2m-2} + \ldots + c'_0$, where
$c'_0 = a_0 b_0 \bmod p$,
$c'_1 = a_0 b_1 + a_1 b_0 \bmod p$,
$\ldots$
$c'_{2m-2} = a_{m-1} b_{m-1} \bmod p$.

Question: how to reduce $C'(x)$ to a polynomial of maximum degree $m - 1$?
Answer: use modular reduction, similar to multiplication in $GF(p)$. For arithmetic in $GF(p^m)$ we need an irreducible polynomial $P(x)$ of degree $m$ with coefficients from $GF(p)$. Irreducible polynomials do not factor (except for the trivial factors involving 1) into smaller polynomials over $GF(p)$.

Example 1: $P(x) = x^4 + x + 1$ is irreducible over $GF(2)$ and can be used to construct $GF(2^4)$.
$C = A \cdot B$, i.e., $C(x) = A(x) \cdot B(x) \bmod P(x)$, with
$A(x) = x^3 + x^2 + 1$,
$B(x) = x^2 + x$,
$C'(x) = A(x) \cdot B(x) = x^5 + x^4 + x^4 + x^3 + x^2 + x = x^5 + x^3 + x^2 + x$.
Reduction: $x^4 = 1 \cdot P(x) + (x + 1)$, so $x^4 \equiv x + 1 \bmod P(x)$ and $x^5 \equiv x^2 + x \bmod P(x)$. Hence
$C(x) = C'(x) \bmod P(x) = (x^2 + x) + x^3 + x^2 + x = x^3$.

Note: in a typical computer representation the multiplication would correspond to the following unusual-looking operation on bit vectors:
$A \cdot B = C$: $1101 \cdot 0110 = 1000$.

Example 2: $x^4 + x^3 + x + 1$ is reducible, since $x^4 + x^3 + x + 1 = (x^2 + x + 1)(x^2 + 1)$.

4.
Inversion in $GF(p^m)$: the inverse $A^{-1}$ of $A \in GF(p^m)$ is defined by
$A^{-1}(x) \cdot A(x) = 1 \bmod P(x)$.
Perform the extended Euclidean algorithm with $A(x)$ and $P(x)$ as inputs:
$s(x) P(x) + t(x) A(x) = \gcd(P(x), A(x)) = 1$, so $t(x) A(x) = 1 \bmod P(x)$, i.e., $t(x) = A^{-1}(x)$.

Example: inverse of $x^2 \in GF(2^3)$ with $P(x) = x^3 + x + 1$ (in every iteration, use polynomial long division to determine $q_i$ and $r_i$ uniquely):
$x^3 + x + 1 = x \cdot x^2 + (x + 1)$, so $q_1 = x$, $r_2 = x + 1$;
$x^2 = (x + 1)(x + 1) + 1$, so $q_2 = x + 1$, $r_3 = 1$;
$x + 1 = (x + 1) \cdot 1 + 0$.
With $t_0 = 0$, $t_1 = 1$:
$t_2 = t_0 - q_1 t_1 = -q_1 = -x = x$,
$t_3 = t_1 - q_2 t_2 = 1 - (x + 1) x = 1 + x^2 + x = x^2 + x + 1$.
Hence $(x^2)^{-1} = t_3(x) = x^2 + x + 1$.
Check: $(x^2 + x + 1) \cdot x^2 = x^4 + x^3 + x^2 \equiv (x^2 + x) + (x + 1) + x^2 = 1 \bmod P(x)$, since $x^3 \equiv x + 1$ and $x^4 \equiv x^2 + x \bmod P(x)$.

Remark: in every iteration of the Euclidean algorithm you should use long division to uniquely determine $q_i$ and $r_i$; a division whose remainder has the same degree as the divisor is not a valid step.

5.4 Internal Structure

In the following we assume a block length of 128 bits. The ShiftRow sublayer works slightly differently for other block sizes.

5.4.1 Byte Substitution Layer

Splits the incoming 128 bits into $128/8 = 16$ bytes. Each byte $A$ is considered an element of $GF(2^8)$ and individually undergoes the following substitution:

1. $B = A^{-1} \in GF(2^8)$, where $P(x) = x^8 + x^4 + x^3 + x + 1$ (the byte $0$ has no inverse and is mapped to $B = 0$).

2. Apply the affine transformation
$$\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \\ c_4 \\ c_5 \\ c_6 \\ c_7 \end{pmatrix} =
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix} +
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix} \bmod 2,$$
where $(b_7 \ldots b_0)$ is the vector representation of $B(x) = A^{-1}(x)$ and the constant vector is the byte $63_{16}$.

The vector $C = (c_7 \ldots c_0)$, representing the field element $c_7 x^7 + \ldots + c_1 x + c_0$, is the result of the substitution: $C = \text{ByteSub}(A)$.

The entire substitution can be realized as a look-up in a $256 \times 8$-bit table with fixed entries.

Remark: unlike DES, Rijndael applies the same S-box to each byte.
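The $GF(2^m)$ arithmetic of Section 5.3 and the byte substitution of Section 5.4.1 in code, as an added example that is not part of the original notes (it also implements the ShiftRow and MixColumn sublayers described in Section 5.4.2, which use the same $GF(2^8)$ multiplication). Polynomials are integers whose bit $i$ is the coefficient of $x^i$; inversion uses the extended Euclidean algorithm exactly as in the worked example, and the AES S-box is computed, not tabulated. The `state` layout assumed for ShiftRow is the one in the notes: bytes $a_0 \ldots a_{15}$ fill a $4 \times 4$ array column by column.

```python
"""GF(2^m) arithmetic and the Rijndael byte substitution / diffusion layers."""

AES_POLY = 0x11B      # P(x) = x^8 + x^4 + x^3 + x + 1
MIX_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def poly_mul(a, b):
    """Unreduced multiplication of binary polynomials (coefficients in GF(2))."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Polynomial long division over GF(2): returns (q, r) with a = q*b + r, deg r < deg b."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_mul(a, b, mod=AES_POLY, m=8):
    """a * b in GF(2^m) modulo the irreducible polynomial mod (degree m)."""
    high, r = 1 << m, 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & high:          # x^m = mod - x^m, i.e. reduce immediately
            a ^= mod
    return r


def gf_inv(a, mod=AES_POLY):
    """Inverse via the extended Euclidean algorithm: s*mod + t*a = 1, so t = a^-1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, t0, t1 = mod, a, 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("gcd != 1: modulus is not irreducible")
        q, r2 = poly_divmod(r0, r1)
        r0, r1 = r1, r2
        t0, t1 = t1, t0 ^ poly_mul(q, t1)     # t_{i+1} = t_{i-1} - q_i t_i (minus is xor)
    return t1


def aes_sbox(a):
    """ByteSub: inverse in GF(2^8) (0 -> 0), then the affine map with constant 0x63."""
    b = gf_inv(a) if a else 0
    c = 0
    for i in range(8):
        bit = (b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8)) \
            ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8))
        c |= (bit & 1) << i
    return c ^ 0x63


def shift_rows(state):
    """state = [a0..a15] filled column-wise; row r is rotated left by r positions
    (the notes describe the same rotation as a right shift by 4 - r)."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            out[4 * c + r] = state[4 * ((c + r) % 4) + r]
    return out


def mix_column(col):
    """One 4-byte column times the fixed MixColumn matrix; additions are XORs."""
    out = []
    for row in MIX_MATRIX:
        v = 0
        for coef, byte in zip(row, col):
            v ^= gf_mul(coef, byte)
        out.append(v)
    return out


if __name__ == "__main__":
    print(hex(gf_inv(0b100, 0b1011)), hex(aes_sbox(0x53)), mix_column([0xDB, 0x13, 0x53, 0x45]))
```

`gf_inv(0b100, 0b1011)` reproduces the corrected $GF(2^3)$ example above ($x^2 + x + 1 = 111_2$), and the multiplication by 02 and 03 that the MixColumn remark mentions is what `gf_mul` does in the inner loop of `mix_column`.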
5.4.2 Diffusion Layer

Unlike the non-linear substitution layer, the diffusion layer performs a linear operation on input words $A, B$. That means: $\text{DIFF}(A) \oplus \text{DIFF}(B) = \text{DIFF}(A \oplus B)$.

The diffusion layer consists of two sublayers.

ShiftRow Sublayer

1. Write an input word $A$ as $128/8 = 16$ bytes and order them column by column in a square array:
Input $A = (a_0, a_1, \ldots, a_{15})$:

$a_0$ $a_4$ $a_8$ $a_{12}$
$a_1$ $a_5$ $a_9$ $a_{13}$
$a_2$ $a_6$ $a_{10}$ $a_{14}$
$a_3$ $a_7$ $a_{11}$ $a_{15}$

2. Shift the rows cyclically as follows (row 0: 0 positions; row 1: 3 positions to the right, i.e., 1 to the left; row 2: 2 positions; row 3: 1 position to the right, i.e., 3 to the left):

$a_0$ $a_4$ $a_8$ $a_{12}$
$a_5$ $a_9$ $a_{13}$ $a_1$
$a_{10}$ $a_{14}$ $a_2$ $a_6$
$a_{15}$ $a_3$ $a_7$ $a_{11}$

MixColumn Sublayer

Principle: each column of 4 bytes is individually transformed into another column.

Question: how? Each 4-byte column is considered as a vector and multiplied by a $4 \times 4$ matrix. The matrix contains constant entries. Multiplication and addition of the coefficients is done in $GF(2^8)$:
$$\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \end{pmatrix} =
\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$$

Remarks:
1. Each $c_i$, $b_i$ is an 8-bit value representing an element of $GF(2^8)$.
2. The small values $\{01, 02, 03\}$ allow a very efficient implementation of the coefficient multiplication in the matrix. In software implementations, multiplication by 02 and 03 can be done through a look-up in a 256-by-8 table.
3. The additions in the vector-matrix multiplication are XORs.

5.4.3 Key Addition Layer

Simple bitwise XOR with a 128-bit subkey.

5.5 Decryption

Unlike DES and other Feistel ciphers, all of Rijndael's layers must actually be inverted.

Figure 5.3: Rijndael decryption block diagram. $y$ → Key Addition Layer → Inv ShiftRow sublayer → Inv ByteSubstitution Layer (inverse of round $n_r$) → for the inverses of rounds $n_r - 1, \ldots, 1$: Key Addition Layer, Inv MixColumn sublayer, Inv ShiftRow sublayer, Inv ByteSubstitution Layer → Key Addition Layer → $x$.

Chapter 6 More about Block Ciphers

Further reading: Section 8.1 in [Sch93].
Note: the following modes are applicable to all block ciphers $e_k(X)$.

6.1 Modes of Operation

6.1.1 Electronic Codebook Mode (ECB)

Figure 6.1: ECB model: $X_0, X_1, X_2, \ldots \rightarrow e_k \rightarrow Y_0, Y_1, Y_2, \ldots \rightarrow e_k^{-1} \rightarrow X_0, X_1, X_2, \ldots$

General description: $Y_i = e_k(X_i)$ and $e_k^{-1}(Y_i) = e_k^{-1}(e_k(X_i)) = X_i$, where the encryption can, for instance, be DES.

Problem: this mode is susceptible to a substitution attack because identical $X_i$ are mapped to identical $Y_i$.

Example: bank transfer. Figure 6.2 (ECB example): a message of five blocks: block 1 sending bank A, block 2 sending account #, block 3 receiving bank B, block 4 receiving account #, block 5 amount $.
1. Tap the encrypted line to bank B.
2. Send $1.00 transfers to your own account at bank B repeatedly; block 4 can then be identified and recorded.
3. Replace block 4 in all messages to bank B.
4. Withdraw the money and fly to Paraguay.
Note: this attack is possible because each block is encrypted independently, i.e., it works against single-block transmission.

6.1.2 Cipher Block Chaining Mode (CBC)

Question: how does it work?
Beginning: $Y_0 = e_k(X_0 \oplus IV)$.
Encryption: $Y_i = e_k(X_i \oplus Y_{i-1})$.
Decryption: $X_0 = e_k^{-1}(Y_0) \oplus IV$, $X_i = e_k^{-1}(Y_i) \oplus Y_{i-1}$.
Check: $e_k^{-1}(Y_i) \oplus Y_{i-1} = e_k^{-1}(e_k(X_i \oplus Y_{i-1})) \oplus Y_{i-1} = X_i \oplus Y_{i-1} \oplus Y_{i-1} = X_i$. q.e.d.

Figure 6.3: CBC model ($X_i$ XORed with $Y_{i-1}$, or with $IV$ for $i = 0$, before $e_k$; the decryption side XORs after $e_k^{-1}$).

Remark: the initial vector $IV$ can be transmitted initially in cleartext.

6.1.3 Cipher Feedback Mode (CFB)

Assumption: a block cipher with $b$-bit block width and a message with block width $l$, $1 \le l \le b$.

Figure 6.4: CFB model. A $b$-bit shift register SR feeds $e_k$; the leftmost $l$ bits $z_i$ of the output $\tilde z_i$ are XORed with $X_i$ to give $Y_i$, and $Y_i$ is shifted into SR. The receiver runs the same shift register and $e_k$ (no $e_k^{-1}$ is needed).

Procedure:
1. Load the shift register with the initial value $IV$.
2. Encrypt: $\tilde z_0 = e_k(IV)$.
3. Take the leftmost $l$ bits: $\tilde z_0 \rightarrow z_0$.
4. Encrypt the data: $Y_0 = X_0 \oplus z_0$.
5. Shift the shift register by $l$ positions and load $Y_0$ into its rightmost $l$ positions.
6. Go back to step 2, substituting the shift register contents SR for $IV$.

6.1.4 Counter Mode

Notes: another mode which uses a block cipher as a pseudo-random generator. Counter mode does not rely on the previous ciphertext for encrypting the next block.
It is therefore well suited for parallel hardware implementation, with several encryption blocks working in parallel. Counter mode stems from the Security Group of the ATM Forum, where high data rates required parallelization of the encryption process.

Description of counter mode:
1. An $n$-bit initial vector $IV$ is loaded into a maximum-length LFSR. The $IV$ can be publicly known, although a secret $IV$ (i.e., the $IV$ is considered part of the private key) turns the counter mode system into a non-deterministic cipher, which makes cryptanalysis harder.
2. Encrypt the block cipher input.
3. The block cipher output is considered a pseudorandom mask which is XORed with the plaintext.
4. The LFSR is clocked once (note: all input bits of the block cipher are shifted by one position).
5. Go to step 2.

Figure 6.5: Counter mode model: LFSR ($n$ bits) $\rightarrow e_k \rightarrow$ $n$-bit mask, XORed with $X$ to give $Y$.

Note that the period of counter mode is $2^n - 1$ for a maximum-length LFSR (a binary counter would give $2^n$), which is very large for modern block ciphers, e.g., about $2^{128}$ for the AES algorithm.

6.2 Key Whitening

Figure 6.6: Whitening example: $X_i \oplus k_2 \rightarrow e_{k_1} \rightarrow \oplus\, k_3 \rightarrow Y_i$.

Encryption: $Y = e_{k_1, k_2, k_3}(X) = e_{k_1}(X \oplus k_2) \oplus k_3$.
Decryption: $X = e_{k_1}^{-1}(Y \oplus k_3) \oplus k_2$.
Popular example: DESX.

6.3 Multiple Encryption

6.3.1 Double Encryption

Figure 6.7: Double encryption and meet-in-the-middle attack: $X \rightarrow e_{k_i} \rightarrow z \rightarrow e_{k_j} \rightarrow Y$, with $e_{k_i}(X) = z_i^{(1)}$ computed from the left and $e_{k_j}^{-1}(Y) = z_j^{(2)}$ from the right.

Note: the key space of this encryption is $|K| = 2^k \cdot 2^k = 2^{2k}$. However, using the meet-in-the-middle attack, the key search is reduced significantly.

Meet-in-the-middle attack:
Input: some pairs $(x', y'), (x'', y''), \ldots$
Idea: compute $z_i^{(1)} = e_{k_i}(x')$ and $z_j^{(2)} = e_{k_j}^{-1}(y')$.
Problem: find a matching pair such that $z_i^{(1)} = z_j^{(2)}$.

Procedure:
1. Compute a look-up table of all $(z_i^{(1)}, k_i)$, $i = 1, 2, \ldots, 2^k$, and store it in memory. The number of entries in the table is $2^k$, each entry being $n$ bits wide.
2. Find a matching $z_j^{(2)} = z_i^{(1)}$:
(a) compute $z_j^{(2)} = e_{k_j}^{-1}(y')$;
(b) if $z_j^{(2)}$ is in the look-up table, i.e., if $z_i^{(1)} = z_j^{(2)}$ for the current keys $k_i$ and $k_j$, check a few other pairs $(x'', y''), (x''', y'''), \ldots$;
(c) if $k_i$ and $k_j$ give matching encryptions for all of them, stop; otherwise go back to (a) and try a different key $k_j$.

Question: how many additional pairs $(x'', y''), (x''', y'''), \ldots$ should we test?

General system: $l$ subsequent encryptions and $t$ pairs $(x', y'), (x'', y''), \ldots$

1. In the first step there are $2^{lk}$ possible key combinations for the mapping $E(x') = y'$, but only $2^n$ possible values for $x'$ and $y'$. Hence, there are $2^{lk}/2^n$ mappings $E(x') = y'$. Note that only one of these mappings is done by the correct key!

Figure 6.8: Number of mappings $x' \rightarrow y'$ under $l$-fold encryption: $2^n$ values $X$, $2^n$ values $Y$, $2^{lk}$ keys, hence $2^{lk}/2^n$ candidate keys with $E(x') = y'$.

2. We now use a candidate key from step 1 and check whether $E(x'') = y''$. There are $2^n$ possible outcomes for the mapping $E(x'')$. If a random key is used, the likelihood that $E(x'') = y''$ is $1/2^n$. If we additionally check a third pair $(x''', y''')$ under the same "random" key from step 1, the likelihood that $E(x'') = y''$ and $E(x''') = y'''$ is $1/2^{2n}$. If we check $t - 1$ additional pairs $(x'', y''), (x''', y'''), \ldots$, the likelihood that a random key fulfills all of $E(x'') = y'', E(x''') = y''', \ldots$ is $(1/2^n)^{t-1} = 2^{-(t-1)n}$.

Figure 6.9: Number of mappings $x'' \rightarrow y''$: $2^n$ possible outcomes.

3. Since there are $2^{lk}/2^n = 2^{lk - n}$ candidate keys from step 1, the likelihood that at least one of the candidate keys fulfills all of $E(x'') = y'', E(x''') = y''', \ldots$ is
$2^{lk - n} \cdot 2^{-(t-1)n} = 2^{lk - tn}$.

Example: double encryption with DES ($l = 2$, $k = 56$, $n = 64$). If we use two pairs $(x', y'), (x'', y'')$, the likelihood that an incorrect key pair $(k_i, k_j)$ is picked is $2^{lk - tn} = 2^{112 - 128} = 2^{-16}$. If we use three pairs $(x', y'), (x'', y''), (x''', y''')$, the likelihood that an incorrect key pair is picked is $2^{112 - 192} = 2^{-80}$.

Computational complexity:
Brute force attack: $2^{2k}$.
Meet-in-the-middle attack: $2^k$ encryptions $+ 2^k$ decryptions $= 2^{k+1}$ computations and $2^k$ memory locations.

6.3.2 Triple Encryption

Option 1: $Y = e_{k_1}(e_{k_2}^{-1}(e_{k_1}(X)))$; if $k_1 = k_2$ then $Y = e_{k_1}(X)$ (compatibility with single encryption).
Option 2: $Y = e_{k_3}(e_{k_2}(e_{k_1}(X)))$, where $|K| = 2^{3k}$.
Option 2 should be preferred.

Figure 6.10: Triple encryption example: $X \rightarrow e_{k_1} \rightarrow z^{(1)} \rightarrow e_{k_2} \rightarrow z^{(2)} \rightarrow e_{k_3} \rightarrow Y$.

Note: the meet-in-the-middle attack can be used in a similar way by storing the intermediate results $z_i$ in memory. The computational complexity of this approach is $2^k \cdot 2^k = 2^{2k}$.

Chapter 7 Introduction to Public-Key Cryptography

7.1 Principle

Quick review of private-key cryptography. Figure 7.1: Private-key model: $X \rightarrow e_k \rightarrow Y \rightarrow d_k \rightarrow X$, the same key $k$ on both sides.

Two properties of private-key schemes:
1. The algorithm requires the same secret key for encryption and decryption.
2. Encryption and decryption are essentially identical (symmetric) algorithms.

Analogy for private-key algorithms: private-key schemes are analogous to a safe box with a strong lock. Everyone with the key can deposit messages in it and retrieve messages.

The main problems with private-key schemes are:
1. They require secure transmission of the secret key.
2. In a network environment, each pair of users has to have a different key, resulting in too many keys: $n(n-1)/2$ key pairs for $n$ users.

New idea: make a slot in the safe box so that everyone can deposit a message, but only the receiver can open the safe and look at its content. This idea was proposed in [WD76] in 1976 by Diffie and Hellman.

Idea: split the key. Figure 7.2: Split key idea: $K$ consists of a public part (encryption) and a private part (decryption).

Protocol:
1. Alice and Bob agree on a public-key cryptosystem.
2. Bob sends Alice his public key.
3. Alice encrypts her message with Bob's public key and sends the ciphertext.
4. Bob decrypts the ciphertext using his private key.

Figure 7.3: Public-key encryption protocol. Bob generates $K = (K_{pub}, K_{pr})$ and sends $K_{pub}$ to Alice (step 2); Alice computes $Y = e_{K_{pub}}(X)$ and sends $Y$ (step 3); Bob computes $X = d_{K_{pr}}(Y)$ (step 4). Oscar sees $K_{pub}$ and $Y$.

7.2 One-Way Functions

All public-key algorithms are based on one-way functions.
Definition 7.2.1 A function $f$ is a "one-way function" if:
(a) $y = f(x)$ is easy to compute, and
(b) $x = f^{-1}(y)$ is very hard to compute.

Example: the discrete logarithm (DL) one-way function: $2^x \bmod 127 = 31$, $x = ?$

Definition 7.2.2 A trapdoor one-way function is a one-way function whose inverse is easy to compute given some side information, such as the private key.

7.3 Overview of Public-Key Algorithms

There are three families of public-key (PK) algorithms of practical relevance:
1. Integer factorization algorithms (RSA, ...)
2. Discrete logarithms (D-H, DSA, ...)
3. Elliptic curves (EC)

Generally speaking, public-key algorithms are much slower than private-key algorithms. Public-key algorithms are mainly used for key establishment and digital signatures and not for bulk data encryption.

Algorithm family | Bit length of the operands
Integer factorization (RSA) | 1024
Discrete logarithm (D-H, DSA) | 1024
Elliptic curves | 160
Block cipher | 80

Table 7.1: Bit lengths for a security level of approximately $2^{80}$ computations for a successful attack.

7.4 Important Public-Key Standards

(a) IEEE P1363: a comprehensive standard of public-key algorithms; a collection of IF, DL, and EC algorithm families, including in particular key establishment algorithms, key transport algorithms, and signature algorithms. Note: IEEE P1363 does not recommend any bit lengths or security levels.

(b) ANSI banking security standards:

ANSI | Subject
X9.30-1 | digital signature algorithm (DSA)
X9.30-2 | hashing algorithm for DSA
X9.31-1 | RSA signature algorithm
X9.31-2 | hashing algorithms for RSA
X9.42 | key management using Diffie-Hellman
X9.62 (draft) | elliptic curve digital signature algorithm (ECDSA)
X9.63 (draft) | elliptic curve key agreement and transport protocols

(c) U.S.
Government standards (FIPS):

FIPS | Subject
FIPS 180-1 | secure hash standard (SHA-1)
FIPS 186 | digital signature standard (DSA)
FIPS JJJ (draft) | entity authentication (asymmetric)

7.5 More Number Theory

7.5.1 Euclid's Algorithm

Basic form. Given $r_0$ and $r_1$, one larger than the other, compute $\gcd(r_0, r_1)$.

Example 1: $r_0 = 22$, $r_1 = 6$. $\gcd(r_0, r_1) = ?$
$22 = 3 \cdot 6 + 4$, $6 = 1 \cdot 4 + 2$, $4 = 2 \cdot 2 + 0$, hence
$\gcd(22, 6) = \gcd(6, 4) = \gcd(4, 2) = \gcd(2, 0) = 2$.

Figure 7.4: Euclid's algorithm example (the remainders $r_0 = 22$, $r_1 = 6$, $r_2 = 4$, $r_3 = 2$ shown as lengths).

Example 2: $r_0 = 973$, $r_1 = 301$.
$973 = 3 \cdot 301 + 70$,
$301 = 4 \cdot 70 + 21$,
$70 = 3 \cdot 21 + 7$,
$21 = 3 \cdot 7 + 0$.
$\gcd(973, 301) = \gcd(301, 70) = \gcd(70, 21) = \gcd(21, 7) = 7$.

Algorithm: input $r_0, r_1$.
$r_0 = q_1 r_1 + r_2$, $\gcd(r_0, r_1) = \gcd(r_1, r_2)$
$r_1 = q_2 r_2 + r_3$, $\gcd(r_1, r_2) = \gcd(r_2, r_3)$
$\ldots$
$r_{m-2} = q_{m-1} r_{m-1} + r_m$, $\gcd(r_{m-2}, r_{m-1}) = \gcd(r_{m-1}, r_m)$
$r_{m-1} = q_m r_m + 0$ (termination criterion)
$\gcd(r_0, r_1) = \gcd(r_{m-1}, r_m) = r_m$.

Extended Euclidean Algorithm

Theorem 7.5.1 Given two integers $r_0$ and $r_1$, there exist two other integers $s$ and $t$ such that $s \cdot r_0 + t \cdot r_1 = \gcd(r_0, r_1)$.

Question: how to find $s$ and $t$? Use Euclid's algorithm and express the current remainder $r_i$ in every iteration in the form $r_i = s_i r_0 + t_i r_1$. Note that in the last iteration $r_m = \gcd(r_0, r_1) = s_m r_0 + t_m r_1 = s r_0 + t r_1$.

index | Euclid's algorithm | $r_j = s_j r_0 + t_j r_1$
2 | $r_0 = q_1 r_1 + r_2$ | $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$
3 | $r_1 = q_2 r_2 + r_3$ | $r_3 = r_1 - q_2 r_2 = r_1 - q_2 (r_0 - q_1 r_1) = -q_2 r_0 + (1 + q_1 q_2) r_1 = s_3 r_0 + t_3 r_1$
$\vdots$ | |
$i$ | $r_{i-2} = q_{i-1} r_{i-1} + r_i$ | $r_i = s_i r_0 + t_i r_1$
$i+1$ | $r_{i-1} = q_i r_i + r_{i+1}$ | $r_{i+1} = s_{i+1} r_0 + t_{i+1} r_1$
$i+2$ | $r_i = q_{i+1} r_{i+1} + r_{i+2}$ | $r_{i+2} = r_i - q_{i+1} r_{i+1} = (s_i r_0 + t_i r_1) - q_{i+1} (s_{i+1} r_0 + t_{i+1} r_1) = (s_i - q_{i+1} s_{i+1}) r_0 + (t_i - q_{i+1} t_{i+1}) r_1 = s_{i+2} r_0 + t_{i+2} r_1$
$\vdots$ | |
$m$ | $r_{m-2} = q_{m-1} r_{m-1} + r_m$ | $r_m = \gcd(r_0, r_1) = s_m r_0 + t_m r_1$

Now: $s = s_m$, $t = t_m$.

Recursive formulae:
$s_0 = 1$, $t_0 = 0$; $s_1 = 0$, $t_1 = 1$;
$s_i = s_{i-2} - q_{i-1} s_{i-1}$, $t_i = t_{i-2} - q_{i-1} t_{i-1}$, $i = 2, 3, 4, \ldots$

Remarks:
(a) The extended Euclidean algorithm is commonly used to compute the inverse of an element in $Z_m$. If $\gcd(r_0, r_1) = 1$, then $t = r_1^{-1} \bmod r_0$.
(b) For fast software implementation, the "binary extended Euclidean algorithm" is more efficient [AM97] because it avoids the division required in each iteration of the extended Euclidean algorithm shown above.

7.5.2 Euler's Phi Function

Definition 7.5.1 The number of integers in $Z_m$ relatively prime to $m$ is denoted by $\Phi(m)$.

Example 1: $m = 6$, $Z_6 = \{0, 1, 2, 3, 4, 5\}$:
$\gcd(0, 6) = 6$, $\gcd(1, 6) = 1$, $\gcd(2, 6) = 2$, $\gcd(3, 6) = 3$, $\gcd(4, 6) = 2$, $\gcd(5, 6) = 1$; $\Phi(6) = 2$.

Example 2: $m = 5$, $Z_5 = \{0, 1, 2, 3, 4\}$:
$\gcd(0, 5) = 5$, $\gcd(1, 5) = 1$, $\gcd(2, 5) = 1$, $\gcd(3, 5) = 1$, $\gcd(4, 5) = 1$; $\Phi(5) = 4$.

Theorem 7.5.2 If $m = p_1^{e_1} p_2^{e_2} \cdots p_n^{e_n}$, where the $p_i$ are distinct primes and the $e_i$ are positive integers, then
$$\Phi(m) = \prod_{i=1}^{n} \left( p_i^{e_i} - p_i^{e_i - 1} \right).$$

Example: $m = 40 = 8 \cdot 5 = 2^3 \cdot 5 = p_1^{e_1} p_2^{e_2}$;
$\Phi(m) = (2^3 - 2^2)(5^1 - 5^0) = (8 - 4)(5 - 1) = 4 \cdot 4 = 16$.

Theorem 7.5.3 (Euler's Theorem) If $\gcd(a, m) = 1$, then $a^{\Phi(m)} \equiv 1 \bmod m$.

Example: $m = 6$, $a = 5$; $\Phi(6) = \Phi(3 \cdot 2) = (3 - 1)(2 - 1) = 2$; $5^{\Phi(6)} = 5^2 = 25 \equiv 1 \bmod 6$.

Chapter 8 RSA

1. The most popular public-key cryptosystem.
2. Invented by Rivest, Shamir and Adleman in 1977 at MIT.
3. Patented until 2000.

8.1 Cryptosystem

Set-up stage:
1. Choose two large primes $p$ and $q$.
2. Compute $n = p \cdot q$.
3. Compute $\Phi(n) = (p - 1)(q - 1)$.
4. Choose a random $b$, $0 < b < \Phi(n)$, with $\gcd(b, \Phi(n)) = 1$. Note that $b$ then has an inverse in $Z_{\Phi(n)}$.
5. Compute the inverse $a = b^{-1} \bmod \Phi(n)$, i.e., $a \cdot b \equiv 1 \bmod \Phi(n)$.
6. Public key: $k_{pub} = (n, b)$. Private key: $k_{pr} = (p, q, a)$.

Encryption: done using the public key, $y = e_{k_{pub}}(x) = x^b \bmod n$, where $x \in Z_n = \{0, 1, \ldots, n - 1\}$.
Decryption: done using the private key, $x = d_{k_{pr}}(y) = y^a \bmod n$.

Example: Alice sends the encrypted message $x = 4$ to Bob after Bob sends her his public key.
Alice: $x = 4$, $y = x^b \bmod n = 4^3 = 64 \equiv 31 \bmod 33$; she sends $y = 31$ to Bob.
Bob: (1) choose $p = 3$, $q = 11$; (2) $n = p \cdot q = 33$; (3) $\Phi(n) = (3 - 1)(11 - 1) = 2 \cdot 10 = 20$; (4) choose $b = 3$, $\gcd(20, 3) = 1$; (5) $a = b^{-1} = 7 \bmod 20$; (6) send $k_{pub} = (n, b) = (33, 3)$ to Alice. On receiving $y = 31$: $x = y^a \bmod n = 31^7 \equiv 4 \bmod 33$.

Why does RSA work? We have to show that $d_{k_{pr}}(y) = d_{k_{pr}}(e_{k_{pub}}(x)) = x$.
$d_{k_{pr}}(y) = (x^b)^a = x^{ab} \bmod n$. Since $a \cdot b \equiv 1 \bmod \Phi(n)$, we have $a \cdot b = 1 + t \cdot \Phi(n)$ for some integer $t$, and thus
$d_{k_{pr}}(y) = x^{1 + t \Phi(n)} = x \cdot (x^{\Phi(n)})^t \bmod n$.
If $x^{\Phi(n)} \equiv 1 \bmod n$, then $d_{k_{pr}}(y) = x \cdot 1^t = x \bmod n$.

Case 1: $\gcd(x, n) = \gcd(x, pq) = 1$. Euler's theorem gives $x^{\Phi(n)} \equiv 1 \bmod n$, q.e.d.

Case 2: $\gcd(x, n) = \gcd(x, pq) \neq 1$. Then either $x = r \cdot p$ or $x = s \cdot q$ with integers $r, s$ such that $r < q$, $s < p$. Assume $x = r \cdot p$; then $\gcd(x, q) = 1$ and Euler's theorem gives
$x^{\Phi(q)} = x^{q-1} \equiv 1 \bmod q$, hence $x^{\Phi(n)} = (x^{q-1})^{p-1} \equiv 1 \bmod q$, and $x^{t \Phi(n)} = 1 + c \cdot q$ for some integer $c$.
Therefore $x^{ab} = x \cdot x^{t \Phi(n)} = x + x \cdot c \cdot q = x + r \cdot c \cdot p \cdot q = x + r c n \equiv x \bmod n$, q.e.d.

8.2 Computational Aspects

8.2.1 Choosing $p$ and $q$

Problem: find two large primes $p, q$, each of roughly 250 bits or more.
Principle: pick a large integer and apply a primality test. In practice, a "Monte Carlo" test developed by Miller and Rabin ([Sti95], page 136) is used. Note that a primality test does NOT require factorization.

Miller-Rabin algorithm: input: $p$ (or $q$) and an arbitrary number $r$.
Output 1: the statement "$p$ is composite", which is always true.
Output 2: the statement "$p$ is prime", which is true with probability at least 0.75 (a composite passes one run with probability at most 0.25).

In practice the above algorithm is run 3 times for a 1000-bit prime and up to 12 times for a 150-bit prime ([AM97, Table 4.4, page 148]) with different parameters $r$. If the answer is always "$p$ is prime", then $p$ is a prime with very high probability:
$P(p \text{ is composite}) \le 0.25^t$, where $t$ is the number of tries.

Question: what is the likelihood that a randomly picked integer $p$ (or $q$) is prime?
Answer: $P(p \text{ is prime}) \approx 1/\ln p$.
Example: $p \approx 2^{250}$ (250 bits): $P(p \text{ is prime}) \approx 1/\ln 2^{250} \approx 1/173$.

8.2.2 Choosing $a$ and $b$

$k_{pub} = (n, b)$, condition: $\gcd(b, \Phi(n)) = 1$, where $\Phi(n) = (p - 1)(q - 1)$.
$k_{pr} = (p, q, a)$, where $a = b^{-1} \bmod \Phi(n)$.
Pick an arbitrary (large!) $b$ and compute:
1. Euclidean algorithm: $s \cdot \Phi(n) + t \cdot b = \gcd(b, \Phi(n))$.
2. Test if $\gcd(b, \Phi(n)) = 1$.
3.
Calculate $a$:
Question: What is $t \cdot b \bmod \Phi(n)$?
$t \cdot b = -s \cdot \Phi(n) + 1 \equiv 1 \bmod \Phi(n)$, hence $t = b^{-1} = a \bmod \Phi(n)$.
Remark: It is not necessary to find $s$ for the computation of $a$.

8.2.3 Encryption/Decryption

encryption: $e_{k_{pub}}(x) = x^b \bmod n = y$
decryption: $d_{k_{pr}}(y) = y^a \bmod n = x$

Question: How many multiplications are required for computing $x^8$?
Answer: $x \cdot x = x^2$ (1); $x^2 \cdot x^2 = x^4$ (2); $x^4 \cdot x^4 = x^8$ (3): three multiplications. Multiplying $x$ by itself repeatedly would need $b - 1$ multiplications, i.e. $O(n)$ for an exponent $b \approx n$.

Question: How many multiplications are required for computing $x^{13}$?
Answer: $x \cdot x = x^2$ (SQ); $x^2 \cdot x = x^3$ (MUL); $x^3 \cdot x^3 = x^6$ (SQ); $x^6 \cdot x^6 = x^{12}$ (SQ); $x^{12} \cdot x = x^{13}$ (MUL).

Square-and-multiply algorithm

First: binary representation of the exponent $B$:
$B = b_3 2^3 + b_2 2^2 + b_1 2 + b_0 = ((b_3 \cdot 2 + b_2) \cdot 2 + b_1) \cdot 2 + b_0$,
$x^B = x^{b_3 2^3 + b_2 2^2 + b_1 2 + b_0} = \left(\left(\left(x^{b_3}\right)^2 x^{b_2}\right)^2 x^{b_1}\right)^2 x^{b_0}$.

Step   operation
1      $x^{b_3}$
2      $\left(x^{b_3}\right)^2 = x^{2 b_3}$
3      $x^{2 b_3} \cdot x^{b_2} = x^{2 b_3 + b_2}$
4      $\left(x^{2 b_3 + b_2}\right)^2 = x^{4 b_3 + 2 b_2}$
5      $x^{4 b_3 + 2 b_2} \cdot x^{b_1} = x^{4 b_3 + 2 b_2 + b_1}$
6      $\left(x^{4 b_3 + 2 b_2 + b_1}\right)^2 \cdot x^{b_0} = x^{8 b_3 + 4 b_2 + 2 b_1 + b_0} = x^B$

Example: $x^{13} = x^{1101_2}$, $(b_3, b_2, b_1, b_0) = (1, 1, 0, 1)$
1  $x^{b_3} = x$
2  $(x)^2 = x^2$                                   SQ
3  $x^2 \cdot x^{b_2} = x^2 \cdot x = x^3$         MUL
4  $(x^3)^2 = x^6$                                 SQ
5  $x^6 \cdot x^{b_1} = x^6 \cdot x^0 = x^6$
6  $(x^6)^2 = x^{12}$                              SQ
7  $x^{12} \cdot x^{b_0} = x^{12} \cdot x = x^{13}$   MUL

Complexity: $\log_2 B$ squarings + (on average) $\frac{1}{2} \log_2 B$ multiplications.

Comparison for $n \approx 2^{1000}$:
Straightforward exponentiation: $\approx 2^{1000} \approx 10^{300}$ multiplications → computationally impossible.
Square-and-multiply: $\approx 1.5 \cdot \log_2 2^{1000} = 1500$ multiplications and squarings → relatively easy.

Remark: Remember to apply the modulo reduction after every multiplication and squaring operation.

Algorithm ([Sti95]): computes $x^B \bmod n$, where $B = \sum_{i=0}^{l-1} b_i 2^i$.
1. $z = 1$
2. for $i = l - 1$ downto $0$ do:
   (a) $z = z^2 \bmod n$
   (b) if $b_i = 1$ then $z = z \cdot x \bmod n$

8.3 Attacks

8.3.1 Brute Force
Given $y = x^b \bmod n$, try all possible keys $a$, $0 < a < n$, to obtain $x = y^a \bmod n$. In practice $|K| \approx 2^{500}$ → impossible.

8.3.2 Finding $\Phi(n)$
Given $(n, b, y)$, find $\Phi(n)$ and compute $a = b^{-1} \bmod \Phi(n)$. Computing $\Phi(n)$ is believed to be as difficult as factoring $n$.
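The following is an added example (not part of these lecture notes): the left-to-right square-and-multiply algorithm of Section 8.2.3, instrumented with a trace and an operation count so that the step table for $x^{13}$ and the cost claim for a 1000-bit exponent (about $\log_2 B$ squarings plus $\frac{1}{2}\log_2 B$ multiplications) can be checked rather than taken on faith. Function names are my own.

```python
# Added example (not from the notes): left-to-right square-and-multiply
# exponentiation of Section 8.2.3, with a trace and an operation count so the
# cost claims (log2 B squarings, about half as many multiplications) can be checked.


def square_and_multiply(x, B, n, trace=None):
    """Compute x^B mod n. Returns (result, squarings, multiplications).
    If `trace` is a list, (op, exponent-so-far) pairs are appended to it."""
    if B == 0:
        return 1 % n, 0, 0
    bits = bin(B)[2:]            # b_{l-1} ... b_0, leading bit is 1
    z = x % n                    # step 1: z = x^{b_{l-1}} = x
    exponent = 1
    squarings = multiplications = 0
    for bit in bits[1:]:
        z = z * z % n            # reduce after every operation (Remark)
        exponent *= 2
        squarings += 1
        if trace is not None:
            trace.append(("SQ", exponent))
        if bit == "1":
            z = z * x % n
            exponent += 1
            multiplications += 1
            if trace is not None:
                trace.append(("MUL", exponent))
    return z, squarings, multiplications


def naive_multiplications(B):
    """Cost of x*x*...*x: B - 1 multiplications (about 2^1000 for a 1000-bit B)."""
    return max(B - 1, 0)


def expected_cost(B):
    """(squarings, multiplications) predicted from the binary expansion of B:
    one squaring per bit after the first, one multiplication per further 1-bit."""
    return B.bit_length() - 1, bin(B).count("1") - 1


if __name__ == "__main__":
    steps = []
    print(square_and_multiply(5, 13, 33, steps))   # (5^13 mod 33, 3, 2)
    print(steps)   # [('SQ', 2), ('MUL', 3), ('SQ', 6), ('SQ', 12), ('MUL', 13)]
```

The trace for $B = 13$ is the SQ/MUL sequence of the step table above; for a 1000-bit exponent the count is 999 squarings plus one multiplication per further 1-bit, i.e. about 1500 operations on average.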
8.3.3 Finding $a$ directly
Given $(n, b, y)$, find $a$ directly and compute $x = y^a \bmod n$. Computing $a$ directly is believed to be as difficult as factoring $n$.

8.3.4 Factorization of $n$
Given $(n, b, y)$, find $n = p \cdot q$ and compute:
$\Phi(n) = (p - 1)(q - 1)$, $a = b^{-1} \bmod \Phi(n)$, $x = y^a \bmod n$.
→ This approach is the only attack believed to be practical.

Factoring Algorithms:
1. Quadratic Sieve (QS): speed depends on the size of $n$; record: factoring of $n$ = RSA-129 in 1994, $\log_{10} n = 129$ digits, $\log_2 n = 426$ bits.
2. Elliptic Curve: similar to QS; speed depends on the size of the smallest prime factor of $n$, i.e., on $p$ and $q$.
3. Number Field Sieve: asymptotically better than QS; record: factoring of $n$ = RSA-140, $\log_{10} n = 140$ digits, $\log_2 n = 466$ bits (February 1999, see the table below).

Algorithm            Complexity
Quadratic Sieve      $O\left(e^{(1 + o(1))\sqrt{\ln n \,\ln\ln n}}\right)$
Elliptic Curve       $O\left(e^{(1 + o(1))\sqrt{2 \ln p \,\ln\ln p}}\right)$
Number Field Sieve   $O\left(e^{(1.92 + o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}}\right)$

number    month          MIPS-years   algorithm
RSA-100   April 1991     7            quadratic sieve
RSA-110   April 1992     75           quadratic sieve
RSA-120   June 1993      830          quadratic sieve
RSA-129   April 1994     5000         quadratic sieve
RSA-130   April 1996     500          generalized number field sieve
RSA-140   February 1999  1500         generalized number field sieve
RSA-155   August 1999    8000         generalized number field sieve

8.4 Implementation
Hardware: 1024-bit decryption in less than 5 ms.
Software: 1024-bit decryption in 43 ms; 1024-bit encryption in 0.65 ms.

Hybrid systems, consisting of public-key and private-key algorithms, are what is most commonly used in practice:
1. key exchange and authentication with the (slow) public-key algorithm,
2. bulk data encryption with a fast block cipher.

Chapter 9 The Discrete Logarithm (DL) Problem

The DL is the underlying one-way function for:
1. Diffie-Hellman key exchange.
2. DSA (digital signature algorithm).
3. ElGamal encryption / digital signature scheme.
4. Elliptic curve cryptosystems.
5. ...

The DL is based on finite groups.

9.1 Some Algebra
Further Reading: [Big85].
9.1.1 Groups

Definition 9.1.1 A group is a set $G$ of elements together with a binary operation "$\circ$" such that:
1. If $a, b \in G$ then $a \circ b = c \in G$ → closure.
2. $(a \circ b) \circ c = a \circ (b \circ c)$ → associativity.
3. There exists an identity element $e \in G$: $e \circ a = a \circ e = a$ → identity.
4. For all $a \in G$ there exists an inverse element $\tilde{a}$: $a \circ \tilde{a} = e$ → inverse.

Examples:
1. $G = Z = \{\ldots, -2, -1, 0, 1, 2, \ldots\}$, $\circ$ = addition: $(Z, +)$ is a group with $e = 0$ and $\tilde{a} = -a$.
2. $G = Z$, $\circ$ = multiplication: $(Z, \cdot)$ is NOT a group since inverses $\tilde{a}$ do not exist (except for $a = \pm 1$).
3. $G = C \setminus \{0\}$ (complex numbers $u + iv$, without 0), $\circ$ = multiplication: $(C \setminus \{0\}, \cdot)$ is a group with $e = 1$ and $\tilde{a} = a^{-1} = \frac{u - iv}{u^2 + v^2}$.

Definition 9.1.2 $Z_n^*$ denotes the set of numbers $i$, $0 < i < n$, which are relatively prime to $n$.

Examples:
1. $Z_9^* = \{1, 2, 4, 5, 7, 8\}$
2. $Z_7^* = \{1, 2, 3, 4, 5, 6\}$

Multiplication table mod 9:
  ·  | 1  2  4  5  7  8
  ---+-----------------
  1  | 1  2  4  5  7  8
  2  | 2  4  8  1  5  7
  4  | 4  8  7  2  1  5
  5  | 5  1  2  7  8  4
  7  | 7  5  1  8  4  2
  8  | 8  7  5  4  2  1

Theorem 9.1.1 $Z_n^*$ forms a group under modulo $n$ multiplication. The identity element is $e = 1$.

Remark: The inverse of $a \in Z_n^*$ can be found through the extended Euclidean algorithm.

9.1.2 Finite Groups

Definition 9.1.3 A group $(G, \circ)$ is finite if it has a finite number of elements. We denote the cardinality of $G$ by $|G|$.

Examples:
1. $(Z_m, +)$: $a + b = c \bmod m$, $Z_m = \{0, 1, 2, \ldots, m - 1\}$.
   Question: What is the cardinality? → $|Z_m| = m$.
2. $(Z_p^*, \cdot)$: $a \cdot b = c \bmod p$, $p$ prime, $Z_p^* = \{1, 2, \ldots, p - 1\}$.
   Question: What is the cardinality? → $|Z_p^*| = p - 1$.

Definition 9.1.4 The order of an element $a \in (G, \circ)$ is the smallest positive integer $o$ such that $a \circ a \circ \cdots \circ a = a^o = 1$.

Example: $(Z_{11}^*, \cdot)$, $a = 3$. Question: What is the order of $a = 3$?
$a^1 = 3$
$a^2 = 3^2 = 9$
$a^3 = 3^3 = 27 \equiv 5 \bmod 11$
$a^4 = 3^4 = 3^3 \cdot 3 = 5 \cdot 3 = 15 \equiv 4 \bmod 11$
$a^5 = a^4 \cdot a = 4 \cdot 3 = 12 \equiv 1 \bmod 11$
$\mathrm{ord}(3) = 5$

Definition 9.1.5 A group $G$ which contains elements $\alpha$ with maximum order $\mathrm{ord}(\alpha) = |G|$ is said to be cyclic. Elements with maximum order are called generators or primitive elements.
Example: 2 is a primitive element in $Z_{11}^*$.
$|Z_{11}^*| = |\{1, 2, 3, 4, 5, 6, 7, 8, 9, 10\}| = 10$
$a = 2$, $a^2 = 4$, $a^3 = 8$, $a^4 = 16 \equiv 5$, $a^5 = 10$, $a^6 = 20 \equiv 9$, $a^7 = 18 \equiv 7$, $a^8 = 14 \equiv 3$, $a^9 = 6$, $a^{10} = 12 \equiv 1$, $a^{11} = 2 = a$.
$\mathrm{ord}(a = 2) = 10 = |Z_{11}^*|$, so (1) $Z_{11}^*$ is cyclic and (2) $a = 2$ is a primitive element.

Observation (important): $2^i$, $i = 1, 2, \ldots, 10$, generates all elements of $Z_{11}^*$:

  i     1  2  3  4  5   6  7  8  9  10
  2^i   2  4  8  5  10  9  7  3  6  1

Some properties of cyclic groups:
1. The number of primitive elements is $\Phi(|G|)$.
2. For every $a \in G$: $a^{|G|} = 1$.
3. For every $a \in G$: $\mathrm{ord}(a)$ divides $|G|$.

Proof (only for 2): write $a = \alpha^i$ for a primitive element $\alpha$; then $a^{|G|} = \alpha^{i |G|} = \left(\alpha^{|G|}\right)^i = 1^i = 1$.

Example: $Z_{11}^*$, $|Z_{11}^*| = 10$
1. $\Phi(10) = (2 - 1)(5 - 1) = 1 \cdot 4 = 4$ primitive elements.
2. $a = 3$: $3^{10} = (3^5)^2 = 1^2 = 1$.
3. homework ...

9.2 The General DL Problem

Given a cyclic (sub)group $(G, \circ)$ and a primitive element $\alpha$. Let $\beta = \alpha \circ \alpha \circ \cdots \circ \alpha$ ($i$ times) $= \alpha^i$ be an arbitrary element in $G$.

General DL Problem: Given $G$, $\alpha$ and $\beta = \alpha^i$, find $i = \log_\alpha \beta$.

Examples:
1. $(Z_{11}, +)$, $\alpha = 2$: $\beta = 2 + 2 + \cdots + 2$ ($i$ times) $= i \cdot 2 \bmod 11$.

  i             1  2  3  4  5   6  7  8  9  10  11
  i·2 mod 11    2  4  6  8  10  1  3  5  7  9   0

Let $i = 7$: $\beta = 7 \cdot 2 \equiv 3 \bmod 11$.
Question: given $\alpha = 2$ and $\beta = 3 = i \cdot 2$, find $i$.
Answer: $i = 2^{-1} \cdot 3 \bmod 11$; Euclid's algorithm computes $2^{-1}$ and thus $i$, so this example is NOT a one-way function.

2. $(Z_{11}^*, \cdot)$, $\alpha = 2$: $\beta = 2 \cdot 2 \cdots 2$ ($i$ times) $= 2^i \bmod 11$.
$\beta = 3 = 2^i \bmod 11$. Question: $i = \log_2 3 = \log_2 2^i = ?$ → a very hard computational problem (for large groups).

9.3 Attacks for the DL Problem

1. Brute force: check $\alpha^1 \overset{?}{=} \beta$, $\alpha^2 \overset{?}{=} \beta$, ..., $\alpha^i \overset{?}{=} \beta$.
Complexity: $O(|G|)$ steps.
Example: DL in $Z_p^*$: $p - 1$ tests; minimum security requirement: $p - 1 = |G| \geq 2^{80}$.

2. Shanks' algorithm (baby-step giant-step) and Pollard's rho method: further reading p. 165 in [Sti95].
Complexity: $O(\sqrt{|G|})$ steps for both algorithms.
Example: DL in $Z_p^*$: $\sqrt{p}$ steps; minimum security requirement: $p - 1 = |G| \geq 2^{160}$.

3. Pohlig-Hellman algorithm: let $|G| = p_1 \cdot p_2 \cdots p_l$ with $p_l$ the largest prime factor.
Complexity: $O(\sqrt{p_l})$ steps.
Example: DL in $Z_p^*$: the largest prime factor $p_l$ of $p - 1$ must be $\geq 2^{160}$ (minimum security requirement $p_l \geq 2^{160}$).

4. Index-Calculus method: further reading [AM97].
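The following is an added example (not part of these lecture notes) covering Sections 9.1 to 9.3: element orders and primitive elements in $Z_p^*$, the two DL examples of Section 9.2 (the additive one that Euclid's algorithm breaks, and the multiplicative one), and the brute-force search versus Shanks' baby-step giant-step attack. The baby-step giant-step code is the standard algorithm, which the notes only reference; function names are mine, and `pow(a, -1, p)` and `math.isqrt` are assumed (Python 3.8 or newer).

```python
# Added example (not part of the notes): element orders and primitive
# elements in Z_p^* (Section 9.1), the two DL examples of Section 9.2 and the
# brute-force vs. baby-step giant-step attacks of Section 9.3. Uses pow(a, -1, p)
# and math.isqrt, so Python >= 3.8.
from math import isqrt


def element_order(a, p):
    """Definition 9.1.4: smallest o >= 1 with a^o == 1 in Z_p^* (p prime)."""
    o, acc = 1, a % p
    while acc != 1:
        acc = acc * a % p
        o += 1
    return o


def primitive_elements(p):
    """Generators of Z_p^*: elements of order p - 1 (Definition 9.1.5)."""
    return [a for a in range(1, p) if element_order(a, p) == p - 1]


def power_table(alpha, p):
    """alpha^i for i = 1 .. p-1; for a primitive alpha this lists all of Z_p^*."""
    return [pow(alpha, i, p) for i in range(1, p)]


def additive_dlog(alpha, beta, m):
    """Example 1 of 9.2: in (Z_m, +) the 'logarithm' i with i*alpha = beta is
    just beta * alpha^{-1} mod m, so this is not a one-way function."""
    return beta * pow(alpha, -1, m) % m


def dlog_brute_force(alpha, beta, p):
    """Attack 1 of 9.3: test alpha^1, alpha^2, ... Returns (i, tests done),
    or (None, p-1) if beta is not a power of alpha."""
    acc = 1
    for i in range(1, p):
        acc = acc * alpha % p
        if acc == beta % p:
            return i, i
    return None, p - 1


def dlog_bsgs(alpha, beta, p, order=None):
    """Attack 2 of 9.3: Shanks' baby-step giant-step, O(sqrt(order)) time and
    memory. Finds i with alpha^i == beta mod p, or None if no such i exists."""
    if order is None:
        order = p - 1
    m = isqrt(order) + 1
    baby = {}
    g = 1
    for j in range(m):                 # baby steps: alpha^j for j < m
        baby.setdefault(g, j)
        g = g * alpha % p
    step = pow(alpha, -m, p)           # alpha^{-m}
    gamma = beta % p
    for i in range(m):                 # giant steps: beta * alpha^{-i m}
        if gamma in baby:
            return (i * m + baby[gamma]) % order
        gamma = gamma * step % p
    return None


if __name__ == "__main__":
    print(element_order(3, 11), primitive_elements(11))   # 5 [2, 6, 7, 8]
    print(power_table(2, 11))       # [2, 4, 8, 5, 10, 9, 7, 3, 6, 1]
    print(additive_dlog(2, 3, 11))  # 7
    print(dlog_brute_force(2, 3, 11), dlog_bsgs(2, 3, 11))  # (8, 8) 8
```

For $p = 11$ both attacks are instant; the point of the example is the cost model, which is why `dlog_brute_force` reports the number of tests it needed while `dlog_bsgs` stores and examines only about $\sqrt{p}$ values.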
Applies only to $Z_p^*$ and Galois fields $GF(2^k)$.
Complexity: $O\left(e^{(1 + o(1))\sqrt{\ln p \,\ln\ln p}}\right)$ steps.
Example: DL in $Z_p^*$: minimum security requirement $p \geq 2^{1024}$.

Remark: Index-Calculus is more powerful against the DL in Galois fields $GF(2^k)$ than against the DL in $Z_p^*$.

9.4 Diffie-Hellman Key Exchange

Remarks:
Proposed in 1976 in the Diffie-Hellman paper.
Used in many practical protocols.
Can be based on any DL problem.

9.4.1 Protocol

Set-up:
1. Find a large prime $p$.
2. Find a primitive element $\alpha$ of $Z_p^*$ or of a subgroup of $Z_p^*$.

Protocol:
Alice: pick $k_{prA} = a_A \in \{2, 3, \ldots, p - 1\}$; compute $k_{pubA} = b_A = \alpha^{a_A} \bmod p$.
Bob: pick $k_{prB} = a_B \in \{2, 3, \ldots, p - 1\}$; compute $k_{pubB} = b_B = \alpha^{a_B} \bmod p$.
Alice sends $b_A$ to Bob; Bob sends $b_B$ to Alice.
Alice: $k_{AB} = b_B^{a_A} = \alpha^{a_B a_A} \bmod p$.
Bob: $k_{AB} = b_A^{a_B} = \alpha^{a_A a_B} \bmod p$.
Session key: $k_{ses} = k_{AB} = \alpha^{a_B a_A} = \alpha^{a_A a_B} \bmod p$.

9.4.2 Security

Question: Which information does Oscar have?
Answer: $\alpha$, $p$, $b_A$, $b_B$.

Diffie-Hellman Problem: Given $b_A = \alpha^{a_A} \bmod p$, $b_B = \alpha^{a_B} \bmod p$ and $\alpha$, find $\alpha^{a_A a_B} \bmod p$.

One solution to the D-H problem:
1. Solve the DL problem: $a_A = \log_\alpha b_A \bmod p$.
2. Compute $b_B^{a_A} = \alpha^{a_B a_A} = \alpha^{a_A a_B} \bmod p$.

Choose $p \geq 2^{1024}$.

Note: There is no proof that solving the DL problem is the only way to solve the D-H problem! However, it is conjectured.

Chapter 10 Elliptic Curve Cryptosystems

Further Reading: Chapter 6 in [Kob94]; the book by Alfred Menezes [Men93].

Remarks:
Relatively new cryptosystem, suggested independently:
→ 1987 by Koblitz at the University of Washington,
→ 1986 by Miller at IBM.
Per key bit it is believed to be more secure than RSA and the DL in $Z_p^*$: it uses arithmetic with much shorter numbers (160 to 256 bits vs. 1024 to 2048 bits).
It can be used instead of D-H and other DL-based algorithms.

Drawbacks:
Not as well studied as RSA and DL-based public-key schemes.
It is conceptually more difficult.
Finding secure curves in the set-up phase is computationally expensive.

10.1 Elliptic Curves

Goal: To find another instance of the DL problem in cyclic groups.

Question: What is the equation $x^2 + y^2 = r^2$ over the reals?
Answer: It is a circle.
[Figure 10.1: $x^2 + y^2 = r^2$ over the reals]

Question: What is the equation $a \cdot x^2 + b \cdot y^2 = c$ over the reals?
Answer: It is an ellipse.

[Figure 10.2: $a \cdot x^2 + b \cdot y^2 = c$ over the reals]

Note: There are only certain points $(x, y)$ which fulfill the equation. For example the point $(x = r, y = 0)$ fulfills the equation of the circle.

Definition 10.1.1 The elliptic curve over $Z_p$, $p > 3$, is the set of all pairs $(x, y) \in Z_p$ which fulfill
$y^2 \equiv x^3 + a \cdot x + b \bmod p$,
where $a, b \in Z_p$ and $4 a^3 + 27 b^2 \neq 0 \bmod p$.

Question: How does $y^2 = x^3 + a \cdot x + b$ look over the reals?

[Figure 10.3: $y^2 = x^3 + a \cdot x + b$ over the reals, showing the points $P$, $Q$, $P + Q$ and $Q + Q = 2Q$]

Goal: Finding a cyclic group $(G, \circ)$, so that we can use the DL problem as a one-way function. We have a set of points on the curve. We "only" need a group operation on the points.

Group $G$: points on the curve, given by $(x, y)$.
Operation: $P + Q = (x_1, y_1) + (x_2, y_2) = R = (x_3, y_3)$.

Question: How do we find $R$?
Answer: First geometrically.
(a) $P \neq Q$ → draw the line through $P$ and $Q$ and mirror the third intersection point with the curve along the $x$-axis.
(b) $P = Q$ ($P + Q = 2Q$) → draw the tangent line through $Q$ and mirror the second intersection point along the $x$-axis.

Point Addition (group operation):
$x_3 = \lambda^2 - x_1 - x_2 \bmod p$
$y_3 = \lambda (x_1 - x_3) - y_1 \bmod p$
where
$\lambda = \frac{y_2 - y_1}{x_2 - x_1} \bmod p$ if $P \neq Q$,
$\lambda = \frac{3 x_1^2 + a}{2 y_1} \bmod p$ if $P = Q$.

Remarks:
If $x_1 \equiv x_2 \bmod p$ and $y_1 \equiv -y_2 \bmod p$, then $P + Q = O$, which is an abstract point at infinity.
$O$ is the neutral element of the group: $P + O = P$ for all $P$.
The additive inverse of any point $P = (x, y)$ is $-P = (x, -y)$, such that $P + (-P) = (x, y) + (x, -y) = O$.

Theorem 10.1.1 The points on an elliptic curve together with $O$ have cyclic subgroups.

Remark: Under certain conditions all points on an elliptic curve form a cyclic group, as the following example shows.

Example: Finding all points on the curve $E$: $y^2 \equiv x^3 + x + 6 \bmod 11$.
$\#E = 13$. Primitive element → $\alpha = (2, 7)$ generates all points.
$2\alpha = \alpha + \alpha = (2, 7) + (2, 7) = (x_3, y_3)$
$\lambda = \frac{3 x_1^2 + a}{2 y_1} = (3 \cdot 4 + 1) \cdot (2 \cdot 7)^{-1} = 13 \cdot 14^{-1} = 2 \cdot 3^{-1} = 2 \cdot 4 = 8 \bmod 11$
$x_3 = \lambda^2 - x_1 - x_2 = 8^2 - 2 - 2 = 60 \equiv 5 \bmod 11$
$y_3 = \lambda (x_1 - x_3) - y_1 = 8 (2 - 5) - 7 = -24 - 7 = -31 \equiv 2 \bmod 11$
$2\alpha = (2, 7) + (2, 7) = (5, 2)$
$3\alpha = 2\alpha + \alpha = \ldots$
...
$12\alpha = 11\alpha + \alpha = (2, 4)$
$13\alpha = 12\alpha + \alpha = (2, 4) + (2, 7) = (2, 4) + (2, -4) = O$
$14\alpha = 13\alpha + \alpha = O + \alpha = \alpha$
...
All 12 non-zero elements together with $O$ form a cyclic group.

   α = (2, 7)     2α = (5, 2)     3α = (8, 3)
  4α = (10, 2)    5α = (3, 6)     6α = (7, 9)
  7α = (7, 2)     8α = (3, 5)     9α = (10, 9)
 10α = (8, 8)    11α = (5, 9)    12α = (2, 4)

Table 10.1: Non-zero elements of the group over $y^2 \equiv x^3 + x + 6 \bmod 11$

Remark: In general, finding the group order $\#E$ is computationally very complex.

10.2 Cryptosystems

10.2.1 Diffie-Hellman Key Exchange

Set-up: The cryptosystem is completely analogous to D-H in $Z_p^*$.
1. Choose $E$: $y^2 \equiv x^3 + a \cdot x + b \bmod p$.
2. Choose a primitive element $\alpha = (x_\alpha, y_\alpha)$.

Protocol:
Alice: choose $k_{prA} = a_A \in \{2, 3, \ldots, \#E - 1\}$; compute $k_{pubA} = b_A = a_A \alpha = (x_A, y_A)$.
Bob: choose $k_{prB} = a_B \in \{2, 3, \ldots, \#E - 1\}$; compute $k_{pubB} = b_B = a_B \alpha = (x_B, y_B)$.
Alice sends $b_A$ to Bob; Bob sends $b_B$ to Alice.
Alice: compute $a_A b_B = a_A a_B \alpha = (x_k, y_k)$; $k_{AB} = x_k \in Z_p$.
Bob: compute $a_B b_A = a_B a_A \alpha = (x_k, y_k)$; $k_{AB} = x_k \in Z_p$.

Security (Diffie-Hellman problem for elliptic curves):
Oscar knows: $E$, $p$, $\alpha$, $b_A = a_A \alpha$, $b_B = a_B \alpha$.
Oscar wants to know: $k_{AB} = a_A a_B \alpha$.

One possible solution to the D-H problem for elliptic curves:
1. Compute the discrete logarithm: given $\alpha$ and $\alpha + \alpha + \cdots + \alpha$ ($a_A$ times) $= b_A$, find $a_A$.
2. Compute $a_A b_B = a_A a_B \alpha$.

Attacks: The only known attacks against elliptic curves are the Pohlig-Hellman scheme together with Shanks' algorithm or Pollard's rho method. $\#E$ must have one large prime factor $p_l$, on the order of $2^{160}$ to $2^{250}$.
So-called "Koblitz curves" (curves with $a, b \in \{0, 1\}$): for supersingular elliptic curves over $GF(2^n)$, the DL in the elliptic curve can be solved by solving the DL in $GF(2^{kn})$, $k \leq 6$. → Stay away from supersingular curves despite their possibly faster implementations.
Powerful index-calculus attacks are not applicable as of yet.

10.2.2 Menezes-Vanstone Encryption

Set-up:
1. Choose $E$: $y^2 \equiv x^3 + a \cdot x + b \bmod p$.
2.
Choose a primitive element $\alpha = (x_\alpha, y_\alpha)$.
3. Pick a random integer $a \in \{2, 3, \ldots, \#E - 1\}$.
4. Compute $a \alpha = \beta = (x_\beta, y_\beta)$.
5. Public Key: $k_{pub} = (E, p, \alpha, \beta)$.
6. Private Key: $k_{pr} = a$.

Encryption:
1. Pick a random $k \in \{2, 3, \ldots, \#E - 1\}$. Compute $k \beta = (c_1, c_2)$.
2. Encrypt $e_{k_{pub}}(x, k) = (Y_0, Y_1, Y_2)$ for a message $x = (x_1, x_2)$ with $x_1, x_2 \in Z_p$:
$Y_0 = k \alpha$ → point on the elliptic curve.
$Y_1 = c_1 \cdot x_1 \bmod p$ → integer.
$Y_2 = c_2 \cdot x_2 \bmod p$ → integer.

Decryption:
1. Compute $a Y_0 = (c_1, c_2)$: $a Y_0 = a k \alpha = k \beta = (c_1, c_2)$.
2. Decrypt: $d_{k_{pr}}(Y_0, Y_1, Y_2) = (Y_1 c_1^{-1} \bmod p,\; Y_2 c_2^{-1} \bmod p) = (x_1, x_2)$.

Remark: The disadvantage of this scheme is the message expansion factor:
$\frac{\text{bits}(y)}{\text{bits}(x)} = \frac{4 \lceil \log_2 p \rceil}{2 \lceil \log_2 p \rceil} = 2$.

10.3 Implementation
1. Hardware: approximately 0.2 msec for an elliptic curve point multiplication with 167 bits on an FPGA [OP00].
2. Software: one elliptic curve point multiplication $a \cdot P$ in less than 10 msec over $GF(2^{155})$. An implementation on an 8-bit smart card processor without coprocessor is available.

Chapter 11 ElGamal Encryption Scheme

11.1 Cryptosystem

Remarks:
Published in 1985.
Based on the DL problem in $Z_p^*$ or $GF(2^k)$.
Extension of the D-H key exchange for encryption.

Protocol (D-H key exchange followed by encryption with the session key):
Alice: choose private key $k_{prA} = a_A$; compute $k_{pubA} = \alpha^{a_A} \bmod p = b_A$.
Bob: choose private key $k_{prB} = a_B$; compute $k_{pubB} = \alpha^{a_B} \bmod p = b_B$.
Alice sends $b_A$ to Bob; Bob sends $b_B$ to Alice.
Alice: $k_{AB} = b_B^{a_A} = \alpha^{a_A a_B} \bmod p$; $y = x \cdot k_{AB} \bmod p$; she sends $y$ to Bob.
Bob: $k_{AB} = b_A^{a_B} = \alpha^{a_B a_A} \bmod p$; $x = y \cdot k_{AB}^{-1} \bmod p$.

ElGamal:

Set-up:
1. Choose a large prime $p$.
2. Choose a primitive element $\alpha \in Z_p^*$.
3. Choose a secret key $a \in \{2, 3, \ldots, p - 2\}$.
4. Compute $\beta = \alpha^a \bmod p$.
5. Public Key: $K_{pub} = (p, \alpha, \beta)$.
6. Private Key: $K_{pr} = a$.

Encryption:
1. Choose $k \in \{2, 3, \ldots, p - 2\}$.
2. $Y_1 = \alpha^k \bmod p$.
3. $Y_2 = x \cdot \beta^k \bmod p$.
4. Encryption: $e_{k_{pub}}(x, k) = (Y_1, Y_2)$.

Decryption:
$x = d_{k_{pr}}(Y_1, Y_2) = Y_2 \cdot (Y_1^a)^{-1} \bmod p$.

Question: How does the ElGamal scheme work?
$d_{k_{pr}}(Y_1, Y_2) = Y_2 \cdot (Y_1^a)^{-1} = x \cdot \beta^k \cdot (\alpha^{ka})^{-1}$; but $\beta = \alpha^a$, so this equals $x \cdot \alpha^{ak} \cdot \alpha^{-ak} = x$.

Remarks:
ElGamal is essentially an extension of the D-H key exchange protocol.
If the same $k$ were used twice, we would have $Y_2 = x_1 \beta^k$ and $Y_3 = x_2 \beta^k$ with the same mask $\beta^k$. Thus for every message block $x_i$ choose a new $k$!
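The following is an added example (not part of these lecture notes) serving Sections 10.1, 10.2.1 and 10.2.2: the point-addition and doubling formulas over $Z_p$, checked against the curve $y^2 \equiv x^3 + x + 6 \bmod 11$ and Table 10.1, then the elliptic-curve Diffie-Hellman exchange and Menezes-Vanstone encryption on the same toy curve. Function names, the representation of $O$ as `None`, and the zero-coordinate check in the encryption routine (a requirement the notes do not spell out: $c_1$ and $c_2$ must be invertible) are my additions; `pow(v, -1, p)` is assumed (Python 3.8 or newer).

```python
# Added example (not from the notes): elliptic-curve point addition and
# doubling of Section 10.1 over Z_p, checked against the notes' curve
# y^2 = x^3 + x + 6 mod 11, then EC Diffie-Hellman (10.2.1) and
# Menezes-Vanstone encryption (10.2.2) on the same toy curve. Needs
# pow(v, -1, p) (Python >= 3.8). The point at infinity O is represented by None.

O = None


def ec_add(P, Q, a, p):
    """P + Q on y^2 = x^3 + a x + b (mod p); b is not needed for the formulas."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:   # Q = -P (also doubling a point with y = 0)
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P, a, p):
    """Scalar multiple k*P by double-and-add (the additive square-and-multiply)."""
    R, Q = O, P
    while k > 0:
        if k & 1:
            R = ec_add(R, Q, a, p)
        Q = ec_add(Q, Q, a, p)
        k >>= 1
    return R


def ec_points(a, b, p):
    """All points of the curve including O (brute force; fine for tiny p)."""
    pts = [O]
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        pts.extend((x, y) for y in range(p) if y * y % p == rhs)
    return pts


def ec_order(P, a, p):
    """Order of P: smallest k >= 1 with k*P = O."""
    k, Q = 1, P
    while Q is not O:
        Q = ec_add(Q, P, a, p)
        k += 1
    return k


def ecdh_shared_keys(a_A, a_B, alpha, a, p):
    """Section 10.2.1: returns (Alice's k_AB, Bob's k_AB); both are x_k."""
    b_A = ec_mul(a_A, alpha, a, p)           # Alice's public key
    b_B = ec_mul(a_B, alpha, a, p)           # Bob's public key
    return ec_mul(a_A, b_B, a, p)[0], ec_mul(a_B, b_A, a, p)[0]


def mv_encrypt(k_pub, x, k):
    """Section 10.2.2. x = (x1, x2) with x1, x2 in Z_p; k is the per-message nonce.
    Added check: k*beta must have both coordinates non-zero, otherwise c1 or
    c2 has no inverse and the receiver cannot decrypt."""
    a, p, alpha, beta = k_pub
    c1, c2 = ec_mul(k, beta, a, p)
    if c1 == 0 or c2 == 0:
        raise ValueError("choose a different k: k*beta has a zero coordinate")
    Y0 = ec_mul(k, alpha, a, p)
    return Y0, c1 * x[0] % p, c2 * x[1] % p


def mv_decrypt(k_pr, k_pub, ciphertext):
    a, p, alpha, beta = k_pub
    Y0, Y1, Y2 = ciphertext
    c1, c2 = ec_mul(k_pr, Y0, a, p)        # a * (k*alpha) = k * beta
    return Y1 * pow(c1, -1, p) % p, Y2 * pow(c2, -1, p) % p


if __name__ == "__main__":
    A, B, P = 1, 6, 11
    alpha = (2, 7)
    print(len(ec_points(A, B, P)))            # 13 = #E
    print([ec_mul(i, alpha, A, P) for i in range(1, 14)])   # Table 10.1, then O
```

Usage: with $k_{pub} = (a{=}1, p{=}11, \alpha{=}(2,7), \beta{=}4\alpha)$ and $k_{pr} = 4$, `mv_encrypt(k_pub, (9, 5), 7)` yields $Y_0 = 7\alpha = (7, 2)$ and `mv_decrypt` returns $(9, 5)$ again; the 13-element group is far too small for security and serves only to make every intermediate value checkable by hand against the table.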
Message expansion factor: $\frac{\# \text{ of } y \text{ bits}}{\# \text{ of } x \text{ bits}} = \frac{2 \lceil \log_2 p \rceil}{\lceil \log_2 p \rceil} = 2$.
(Reason for a fresh $k$ per block: if $x_1$ is known, the mask $\beta^k$ can be found from $Y_2 = x_1 \beta^k$, and every other block encrypted under the same $k$ is exposed.)

11.2 Computational Aspects

11.2.1 Encryption
$Y_1 = \alpha^k \bmod p$ and $Y_2 = x \cdot \beta^k \bmod p$ → apply the square-and-multiply algorithm for the exponentiations.

11.2.2 Decryption
$x = d_{k_{pr}}(Y_1, Y_2) = Y_2 \cdot (Y_1^a)^{-1} \bmod p$.
Question: How can $(Y_1^a)^{-1}$ be computed efficiently?
Derivation: for $b \in Z_p^*$ and $e = q (p - 1) + r$, i.e. $e \equiv r \bmod (p - 1)$:
$b^e = b^{q(p-1) + r} = \left(b^{p-1}\right)^q b^r = 1^q b^r = b^r \bmod p$.
Thus $b^e \equiv b^{e \bmod (p-1)} \bmod p$, where $b \in Z_p^*$ and $e \in Z$.
The above derivation can be used for decryption:
$(Y_1^a)^{-1} = Y_1^{-a} = Y_1^{-a \bmod (p-1)} = Y_1^{p-1-a} \bmod p$.
Note: $Y_1^{p-1-a} \bmod p$ can be computed using the square-and-multiply algorithm.

11.3 Security of ElGamal
Oscar knows: $p$, $\alpha$, $\beta = \alpha^a$, $Y_1 = \alpha^k$, $Y_2 = x \beta^k$.
Oscar wants to know: $x$.
He attempts to find the secret key $a$:
1. $a = \log_\alpha \beta \bmod p$ (hard, DL problem).
2. $x = Y_2 (Y_1^a)^{-1} \bmod p$ (easy).
He attempts to find the random exponent $k$:
1. $k = \log_\alpha Y_1 \bmod p$ (hard, DL problem).
2. $Y_2 \cdot \beta^{-k} = x$ (easy).
In both cases Oscar has to solve the DL problem in the finite field $Z_p^*$ or $GF(2^k)$. He can use the index-calculus method, which forces us to implement the scheme with at least 1024 bits.

Chapter 12 Digital Signatures

Protocols use
private-key algorithms,
public-key algorithms,
digital signatures,
hash functions, and
message authentication codes
as building blocks. In practice, protocols are often the most vulnerable part of a cryptosystem.
The next two chapters deal with digital signatures, message authentication codes (MACs), and hash functions.

12.1 Principle
The idea is similar to a conventional signature: a given message $x$ gets a unique digital signature which is a function of the message and is attached to the message.

[Figure 12.1: Digital signature and message block: the message $x$ followed by the signature $f(\text{message}) = f(x)$]

[Figure 12.2: Digital signature and message domain: the message space is mapped to the signature space by $\mathrm{sig}_{K_{pr}}(x) = y$; $\mathrm{ver}_{K_{pub}}(x, y)$ = true if $y = \mathrm{sig}(x)$, false if $y \neq \mathrm{sig}(x)$]

Basic protocol:
1.
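The following is an added example (not part of these lecture notes) serving Section 9.4 and Chapter 11: both sides of a Diffie-Hellman exchange in $Z_p^*$, ElGamal encryption on top of it, decryption with the exponent $p - 1 - a$ derived in Section 11.2.2, and the nonce-reuse failure the notes warn about, shown as a function that unmasks a second ciphertext once one plaintext under the same $k$ is known. Parameters $p = 23$, $\alpha = 5$, $a = 6$ and the function names are mine; `pow(x, -1, p)` is assumed (Python 3.8 or newer).

```python
# Added example (not from the notes): Diffie-Hellman in Z_p^* (Section 9.4)
# and the ElGamal encryption built on it (Chapter 11), including the
# decryption exponent p-1-a of Section 11.2.2 and the nonce-reuse failure the
# notes warn about. pow(x, -1, p) needs Python >= 3.8.
import random


def dh_keypair(p, alpha):
    """Private exponent a and public value alpha^a mod p."""
    a = random.randrange(2, p - 1)
    return a, pow(alpha, a, p)


def dh_session_key(own_private, other_public, p):
    return pow(other_public, own_private, p)


def dh_exchange(p, alpha):
    """Both sides of Section 9.4.1; returns (Alice's key, Bob's key)."""
    a_A, b_A = dh_keypair(p, alpha)
    a_B, b_B = dh_keypair(p, alpha)
    return dh_session_key(a_A, b_B, p), dh_session_key(a_B, b_A, p)


def elgamal_keygen(p, alpha, a):
    """k_pub = (p, alpha, beta = alpha^a), k_pr = a."""
    return (p, alpha, pow(alpha, a, p)), a


def elgamal_encrypt(k_pub, x, k):
    p, alpha, beta = k_pub
    return pow(alpha, k, p), x * pow(beta, k, p) % p


def elgamal_decrypt(k_pr, k_pub, ciphertext):
    """x = Y2 * (Y1^a)^{-1}; the inverse is Y1^{p-1-a} (Section 11.2.2),
    one square-and-multiply instead of an exponentiation plus an inversion."""
    p, alpha, beta = k_pub
    Y1, Y2 = ciphertext
    return Y2 * pow(Y1, p - 1 - k_pr, p) % p


def recover_from_reused_k(k_pub, known_pair, other_ciphertext):
    """If (x1, (Y1, Y2)) is known and another message used the same k, the mask
    beta^k = Y2 * x1^{-1} unmasks the other Y2' directly (no DL needed)."""
    p, _, _ = k_pub
    x1, (Y1, Y2) = known_pair
    Y1_other, Y2_other = other_ciphertext
    if Y1_other != Y1:
        return None                       # different k: this shortcut does not apply
    mask = Y2 * pow(x1, -1, p) % p
    return Y2_other * pow(mask, -1, p) % p


if __name__ == "__main__":
    k_pub, k_pr = elgamal_keygen(23, 5, 6)       # toy parameters: p = 23, alpha = 5
    c = elgamal_encrypt(k_pub, 10, 3)
    print(c, elgamal_decrypt(k_pr, k_pub, c))    # (10, 14) 10
```

The reuse check needs no discrete logarithm at all: equal $Y_1$ values reveal the reused $k$, and one known plaintext then strips the mask from every other block, which is why the notes insist on a fresh $k$ per message block.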
Bob signs his message $x$ with his private key $k_{pr}$: $y = \mathrm{sig}_{k_{pr}}(x)$.
2. Bob sends $(y, x)$ to Alice.
3. Alice runs the verification function $\mathrm{ver}_{k_{pub}}(x, y)$ with Bob's public key.

Properties of digital signatures:
Only Bob can sign his document (with $k_{pr}$).
Everyone can verify the signature (with $k_{pub}$).
Authentication: Alice is sure that Bob signed the message.
Integrity: The message $x$ cannot be altered since that would be detected through verification.
Non-repudiation.

12.2 RSA Signature Scheme

Set-up: $k_{pr} = (p, q, a)$, $k_{pub} = (n, b)$.

General Protocol:
1. Bob computes: $y = \mathrm{sig}_{k_{pr}}(x) = e_{k_{pr}}(x) = x^a \bmod n$.
2. Bob sends $(x, y)$ to Alice.
3. Alice verifies: $\mathrm{ver}_{k_{pub}}(x, y) = d_{k_{pub}}(y) = y^b \bmod n$; if the result $= x$ → true, if $\neq x$ → false.

Question: Why does it work?
$d_{k_{pub}}(y) = d_{k_{pub}}(e_{k_{pr}}(x)) = x$.

Remark: The roles of public and private key are exchanged compared with RSA public-key encryption. This algorithm was standardized in ISO/IEC 9796.

Drawback: Oscar can generate a valid signature for a random message $x$:
1. Choose a signature $y \in Z_n$.
2. "Encrypt": $x = e_{k_{pub}}(y) = y^b \bmod n$ → the outcome $x$ cannot be controlled.
3. Send $(x, y)$ to Alice.
4. Alice verifies $\mathrm{ver}_{k_{pub}}(x, y)$: $y^b \equiv x \bmod n$ → true.

12.3 ElGamal Signature Scheme

Remarks:
The ElGamal signature scheme is different from ElGamal encryption.
The Digital Signature Algorithm (DSA) is a modification of the ElGamal signature scheme.
This scheme was published in 1985.

Set-up:
1. Choose a prime $p$.
2. Choose a primitive element $\alpha \in Z_p^*$.
3. Choose a random $a \in \{2, 3, \ldots, p - 2\}$.
4. Compute $\beta = \alpha^a \bmod p$.
Public key: $k_{pub} = (p, \alpha, \beta)$. Private key: $k_{pr} = a$.

Signing:
1. Choose a random $k \in \{0, 1, 2, \ldots, p - 2\}$ such that $\gcd(k, p - 1) = 1$.
2. Compute the signature $\mathrm{sig}_{k_{pr}}(x, k) = (\rho, \sigma)$, where
$\rho = \alpha^k \bmod p$,
$\sigma = (x - a \rho) \, k^{-1} \bmod (p - 1)$.

Public verification: $\mathrm{ver}_{k_{pub}}(x, (\rho, \sigma))$:
$\beta^\rho \rho^\sigma \equiv \alpha^x \bmod p$ → valid signature,
$\beta^\rho \rho^\sigma \not\equiv \alpha^x \bmod p$ → invalid signature.

Question: Why does this scheme work?
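The following is an added example (not part of these lecture notes): the RSA signature scheme of Section 12.2 on the toy key from Chapter 8 ($p = 3$, $q = 11$, $b = 3$, $a = 7$), and the existential forgery described under "Drawback", where Oscar picks the signature first and obtains a message he does not control. The function names and the small hit-rate experiment are mine.

```python
# Added example (not from the notes): the RSA signature scheme of Section 12.2
# with the notes' toy key (p = 3, q = 11, b = 3, a = 7), and the existential
# forgery described under "Drawback": a verifying (x, y) pair whose message
# the forger does not control.
import random


def rsa_sign(k_pr, x):
    """y = x^a mod n: the private exponent is applied, as in decryption."""
    p, q, a = k_pr
    return pow(x, a, p * q)


def rsa_verify(k_pub, x, y):
    """ver(x, y): y^b mod n must reproduce x."""
    n, b = k_pub
    return pow(y, b, n) == x % n


def forge_random_message(k_pub, y=None):
    """Oscar picks y in Z_n first and derives the message x = y^b mod n.
    (x, y) verifies, but x is whatever falls out, not a message of his choosing."""
    n, b = k_pub
    if y is None:
        y = random.randrange(2, n)
    return pow(y, b, n), y


def forgery_hits(k_pub, wanted_x, tries):
    """How often the uncontrolled forgery lands on one specific message when
    y runs over 1..tries. For n = 33 the cube map is a bijection on Z_33, so
    exactly one y in 1..32 hits; for a real n the chance per try is ~1/n."""
    hits = 0
    for y in range(1, tries + 1):
        x, _ = forge_random_message(k_pub, y)
        hits += x == wanted_x
    return hits


if __name__ == "__main__":
    k_pub, k_pr = (33, 3), (3, 11, 7)
    y = rsa_sign(k_pr, 4)
    print(y, rsa_verify(k_pub, 4, y))          # 16 True
    print(forge_random_message(k_pub, 5))      # (26, 5), and this pair verifies
```

The forgery succeeds because verification is nothing more than a public-key operation on $y$; any $y$ therefore has some message it "signs". This is the motivation for signing a hash of a formatted message rather than the raw number, the topic of the following chapter.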
$\beta^\rho \rho^\sigma = \alpha^{a \rho} \cdot \alpha^{k \cdot (x - a \rho) k^{-1} \bmod (p-1)} = \alpha^{a \rho + x - a \rho} = \alpha^x \bmod p$.

Chapter 13 Hash Functions

13.1 Introduction
The problem with digital signatures is that long messages require very long signatures. We would like for performanc...
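The following is an added example (not part of these lecture notes): the ElGamal signature scheme of Section 12.3 on the toy parameters $p = 23$, $\alpha = 5$, $a = 6$, with two additions a practitioner wants that the notes do not spell out: a range check on $\rho$ in the verifier (my own hardening, not part of the scheme as described), and the recovery of $k$ and then $a$ from two signatures that reused the same $k$, which is why $k$ must be fresh and random per signature. Function names are mine; `pow(k, -1, m)` is assumed (Python 3.8 or newer).

```python
# Added example (not from the notes): the ElGamal signature scheme of
# Section 12.3 on toy parameters p = 23, alpha = 5, a = 6, plus two checks a
# practitioner wants: the range check on rho that a verifier should add (an
# assumption of mine, not in the notes) and the recovery of k and then a from
# two signatures that reused the same k. pow(k, -1, m) needs Python >= 3.8.
from math import gcd


def elgamal_sig_keygen(p, alpha, a):
    return (p, alpha, pow(alpha, a, p)), a


def elgamal_sign(k_pub, a, x, k):
    """(rho, sigma) with rho = alpha^k, sigma = (x - a rho) k^{-1} mod (p-1)."""
    p, alpha, beta = k_pub
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    rho = pow(alpha, k, p)
    sigma = (x - a * rho) * pow(k, -1, p - 1) % (p - 1)
    return rho, sigma


def elgamal_verify(k_pub, x, signature):
    """beta^rho * rho^sigma == alpha^x (mod p). The range check on rho is an
    added hardening, not part of the notes' description."""
    p, alpha, beta = k_pub
    rho, sigma = signature
    if not 1 <= rho <= p - 1:
        return False
    return pow(beta, rho, p) * pow(rho, sigma, p) % p == pow(alpha, x, p)


def recover_private_key(k_pub, x1, sig1, x2, sig2):
    """Two signatures with the same rho (same k) leak k, and with it a:
    sigma1 - sigma2 = (x1 - x2) k^{-1} mod (p-1)  ->  k
    a = (x1 - k sigma1) rho^{-1} mod (p-1).
    Returns (k, a), or None when a needed inverse mod p-1 does not exist."""
    p, alpha, beta = k_pub
    rho1, sigma1 = sig1
    rho2, sigma2 = sig2
    if rho1 != rho2:
        return None
    m = p - 1
    d = (sigma1 - sigma2) % m
    if gcd(d, m) != 1 or gcd(rho1, m) != 1:
        return None                     # ambiguous case; left unresolved here
    k = (x1 - x2) * pow(d, -1, m) % m
    a = (x1 - k * sigma1) * pow(rho1, -1, m) % m
    if pow(alpha, a, p) != beta:
        return None
    return k, a


if __name__ == "__main__":
    k_pub, a = elgamal_sig_keygen(23, 5, 6)
    sig = elgamal_sign(k_pub, a, 10, 7)
    print(sig, elgamal_verify(k_pub, 10, sig))   # (17, 12) True
```

With $k = 7$ the signature of $x = 10$ is $(\rho, \sigma) = (17, 12)$, and signing $x = 7$ with the same $k$ gives $(17, 21)$; feeding both pairs to `recover_private_key` returns $(k, a) = (7, 6)$, the signer's secret.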

Virginia Tech - STAT - 5124
ID 904196238 904196605 904201136 904322133 904411045 904418861 904471291 904475655 904558583 904575922 904629618 904736083 905085649 905127013 905133422 905134531 905140423 905140439 905140441 905143647 905144878 905151909 905155611 905155675 9051598
Virginia Tech - STAT - 5124
STAT 5124 Linear Models Homework #3 1. Consider the model y = X + where X has full column rank and N (0, 2 V ). (a) Develop an appropriate test statistic for ,H0 : H = 0 Ha : H = 0. (b) Develop a (1 )* 100% condence region for H. 2. Consider a r