Cryptographic Concepts

1
Cryptographic Concepts
CS 99j

• John C. Mitchell
• Stanford University

2
Basic Concepts

• Encryption scheme
• functions to encrypt, decrypt data
• key generation algorithm
• Secret vs. public key
• Public key publishing key does not reveal key-1
• Secret key more efficient can have key key-1
• Hash function
• map text to short hash key ideally, no
  collisions
• Signature scheme
• functions to sign data and confirm signature

3
Cryptosystem

• A cryptosystem consists of five parts
• A set P of plaintexts
• A set C of ciphertexts
• A set K of keys
• A pair of functions
• encrypt K ? P ? C
• decrypt K ? C ? P
• such that for every key k?K and plaintext p?P
• decrypt(k, encrypt(k, p)) p
• Good defn for now, but doesnt include key
  generation or prob encryption.

4
Primitive example shift cipher

• Shift letters using mod 26 arithmetic
• Set P of plaintexts a, b, c, , x, y, z
• Set C of ciphertexts a, b, c, , x, y, z
• Set K of keys 1, 2, 3, , 25
• Encryption and decryption functions
• encrypt(key, letter) letter key
  (mod 26)
• decrypt(key, letter) letter - key
  (mod 26)
• Example
• encrypt(3, stanford) vwdqirug

5
Evaluation of shift cipher

• Advantages
• Easy to encrypt, decrypt
• Ciphertext does look garbled
• Disadvantages
• Not very good for long sequences of English words
• Few keys -- only 26 possibilities
• Regular pattern
• encrypt(key,x) is same for all
• occurrences of letter x
• can use letter-frequency tables, etc

Brutus the cat from Rachel Levengood,
www.yerf.com/leverach/
6
Letter frequency in English

• Five frequency groups Beker and Piper
• E has probability
  0.12
• TAOINSHR have probability 0.06 - 0.09
• DL have probability 0.04
• CUMWFGYPB have probability 0.015 - 0.028
• VKJXQZ have probability lt 0.01
• Possible to break letter-to-letter substitution
  ciphers.

7
One-time pad

• Secret-key encryption scheme (symmetric)
• Encrypt plaintext by xor with sequence of bits
• Decrypt ciphertext by xor with same bit sequence
• Scheme for pad of length n
• Set P of plaintexts all n-bit sequences
• Set C of ciphertexts all n-bit sequences
• Set K of keys all n-bit sequences
• Encryption and decryption functions
• encrypt(key, text) key ? text
  (bit-by-bit)
• decrypt(key, text) key ? text
  (bit-by-bit)

8
Example one-time pad
Plaintext
Key
Ciphertext
Key
Plaintext
Ciphertext
?

?

9
Evaluation of one-time pad

• Advantages
• Easy to compute encrypt, decrypt from key, text
• As hard to break as possible
• This is an information-theoretically secure
  cipher
• Given ciphertext, all possible plaintexts are
  equally likely, assuming that key is chosen
  randomly
• Disadvantage
• Key is as long as the plaintext
• How does sender get key to receiver securely?
• Idea can be combined with pseudo-random
  generators ...

10
What is a secure cryptosystem?

• Idea
• If an enemy intercepts your ciphertext, cannot
  recover plaintext
• Issues in making this precise
• What else might your enemy know?
• The kind of encryption function you are using
• Some plaintext-ciphertext pairs from last year
• Some information about how you choose keys
• What do we mean by cannot recover plaintext ?
• Ciphertext contains no information about
  plaintext
• No efficient computation could make a reasonable
  guess

11
Information-theoretic security

• Remember conditional probability...
• Random variables X, Y,
• Conditional probability P(XxYy)
• Probability that X takes value x, given that Yy

2
1
P(even red) 2/3
3
P(even) 1/2
4
5
6
12
Information-theoretic security

• Cryptosystem is info-theoretically secure if
• P(Plaintextp Ciphertextc)
  P(Plaintextp)

• Ciphertext gives no info about plaintext
• Prob(1 is for Land) Prob(1 is for Sea)
• assuming that all keys are equally likely

13
In practice ...

• Information-theoretic security is possible
• Shift cipher, one-time pad are info-secure
• But often not practical
• Keys would be long
• No public-key system
• Therefore
• Cryptosystems in use are either
• Just found to be hard to crack, or
• Based on computational notion of security

14
Example cryptosystems

• Feistel constructions
• Iterate a scrambling function
• Example DES,
• Complexity-based cryptography
• Multiplication, exponentiation are one-way
  functions
• Examples RSA, El Gamal, elliptic curve systems,
  ...

15
Feistel networks

• Many block algorithms are Feistel networks
• Examples
• DES, Lucifer, FREAL, Khufu, Khafre, LOKI, GOST,
  CAST, Blowfish,
• Standard form for
• Iterating a function f on parts of a message
• Producing invertible transformation

16
Feistel network
Divide n-bit input in half and repeat

• Scheme requires
• Function f(Ri-1 ,Ki)
• Computation for Ki
• e.g., permutation of key K
• Advantage
• Systematic calculation
• Easy if f is table, etc.
• Invertible if Ki known
• Get Ri-1 from Li
• Compute f(R i-1 ,Ki)
• Compute Li-1 by ?

f
K i
?
17
Data Encryption Standard

• Developed at IBM, widely used
• Feistel structure
• Permute input bits
• Repeat application of a S-box function
• Apply inverse permutation to produce output
• Appears to work well in practice
• Efficient to encrypt, decrypt
• Not provably secure

18
Review Complexity Classes
hard

• Answer in polynomial space may need
  exhaustive search
• If yes, can guess and check in polynomial time
• Answer in polynomial time, with high probability
• Answer in polynomial time compute answer directly

PSpace
NP
BPP
P
easy
19
One-way functions

• A function f is one-way if it is
• Easy to compute f(x), given x
• Hard to compute x, given f(x), for most x
• Examples (we believe)
• f(x) divide bits x y_at_z and multiply f(x)yz
• f(x) 3x mod p, where p is prime
• f(x) x3 mod pq, where p,q are primes with
  pq

20
One-way trapdoor

• A function f is one-way trapdoor if
• Easy to compute f(x), given x
• Hard to compute x, given f(x), for most x
• Extra trapdoor information makes it easy to
  compute x from f(x)
• Example (we believe)
• f(x) x3 mod pq, where p,q are primes with
  pq
• Compute cube root using (p-1)(q-1)

21
Public-key Cryptosystem

• Trapdoor function to encrypt and decrypt
• encrypt(key, message)
• decrypt(key -1, encrypt(key, message)) message
• Resists attack
• Cannot compute m from encrypt(key, m) and key
• 
  (without key-1)

key pair
22
Example RSA

• Arithmetic modulo pq
• Generate secret primes p, q
• Generate secret numbers a, b with xab ? x mod pq
• Public encryption key ?n, a?
• Encrypt(?n, a?, x) xa mod n
• Private decryption key ?n, b?
• Decrypt(?n, b?, y) yb mod n
• Main properties
• This works
• Cannot compute b from n,a
• Apparently, need to factor n pq

n
23
Group theory for RSA

• Group G ?G, ?, e, ( )-1?
• Set of elements with
• associative multiplication ?
• identity e with e?x x?e x
• inverse ( )-1 with x?x-1 x-1 ?x e
• Cyclic group
• Group G ?G, ?, e, ( )-1? with
• G g0, g1 , g2 , ... , gk g0
• element g is called a generator of G
• number of distinct elements if called the order
  of group

24
Number theory for RSA

• Group Zn of integers relatively prime to n
• multiplication mod n is associative operation
• 1 is identity
• x-1 computed by Euclidean algorithm for gcd
• order of group is ?(n) kltn gcd(k,n) 1
  
• What if x not relatively prime to n?
• Can have zero divisors, no multiplicative inverse
• If y divides x and n, then yix, yjn and
  therefore xj yij ? 0 mod n
• Only numbers relatively prime to n form group

25
RSA Encryption

• Let p, q be two distinct primes and let npq
• Encryption, decryption based on group Zn
• For npq product of primes, ?(n) (p-1)(q-1)
• Proof (p-1)(q-1) pq - p - q 1
• Key pair ?a, b? with ab ? 1 mod ?(n)
• Encrypt(x) xa mod n
• Decrypt(y) yb mod n
• Since ab ? 1 mod ?(n), have xab ? x mod n
• Proof if gcd(x,n) 1, then by general group
  theory, otherwise use Chinese remainder theorem.

26
How well does this work?

• Can generate modulus, keys fairly efficiently
• Efficient rand algorithms for generating primes
  p,q
• May fail, but with low probability
• Given primes p,q easy to compute npq and ?(n)
• Choose a randomly with gcd(a, ?(n))1
• Compute b a-1 mod ?(n) by Euclidean algorithm
• Public key n, a does not reveal b
• This is not proven, but believed
• But if n can be factored, all is lost ...

27
Message integrity

• Theoretically, a weak point
• encrypt(km) (km)e ke me
• encrypt(k)encrypt(m)
• This leads to chosen ciphertext form of attack
• If someone will decrypt new messages, then can
  trick them into decrypting m by asking for
  decrypt(ke m)
• Implementations reflect this problem
• The PKCS1 RSA encryption is intended
  primarily to provide confidentiality. It is not
  intended to provide integrity. RSA Lab.
  Bulletin

28
Digital Signatures

• Public-key encryption
• Alice publishes encryption key
• Anyone can send encrypted message
• Only Alice can decrypt messages with this key
• Digital signature scheme
• Alice publishes key for verifying signatures
• Anyone can check a message signed by Alice
• Only Alice can send signed messages

29
Properties of signatures

• Functions to sign and verify
• Sign(Key-1, message)
• Verify(Key, x, m)
• Resists forgery
• Cannot compute Sign(Key-1, m) from m and Key
• Resists existential forgery
• given Key, cannot produce Sign(Key-1,
  m)
• for any random or otherwise arbitrary m
• Look for where this is used!

true if x Sign(Key-1, m) false otherwise
30
RSA Signature Scheme

• Publish decryption instead of encryption key
• Alice publishes decryption key
• Anyone can decrypt a message encrypted by Alice
• Only Alice can send encrypt messages
• In more detail,
• Alice generates primes p, q and key pair ?a, b?
• Sign(x) xa mod n
• Verify(y) yb mod n
• Since ab ? 1 mod ?(n), have xab ? x mod n

31
One-way hash functions

• Length-reducing function h
• Map arbitrary strings to strings of fixed length
• One way
• Given y, hard to find x with h(x)y
• Given m, hard to find m with h(m) h(m)
• Collision resistant
• Hard to find any distinct m, m with h(m)h(m)

32
Applications of one-way hash

• Password files (one
  way)
• Digital signatures
  (collision resistant)
• Sign hash of message instead of entire message
• Data integrity
• Compute and store hash of some data
• Check later by recomputing hash and comparing
• Keyed hash fctns for message authentication

33
Summary

• Encryption scheme
• encrypt(key, plaintext) decrypt(key
  ciphertext)
• Secret vs. public key
• Public key publishing key does not reveal key
• Secret key more efficient can have key key
• Hash function
• map long text to short hash key ideally, no
  collisions
• Signature scheme
• private key and public key provide
  authentication

-1
-1
-1
-1
34
(No Transcript)
35
(No Transcript)
36
Extra slides

• Not used in WICS course

37
Dans info on crypto history

• Substitution cipher
• 1400s Arabs did careful analysis of words in
  Koran
• 1500s realized that with letter-frequency
  information, could break substitution ciphers
• Vigenere cipher
• Permutation cipher
• Rotor machines

38
Security objectives

• Secrecy
• Info not revealed
• Authentication
• Know identity of individual or site
• Data integrity
• Msg not altered
• Message Authentication
• Know source of msg

• Receipt
• Know msg received
• Access control
• Revocation
• Anonymity
• Non-repudiation

39
Properties of DES

• Not a simple mathematical function
• Difficult to analyze
• All operations are linear except S-boxes
• Security depends on magic S-box functions
• These were designed secretly by NSA
• No S-box is a linear function
• Changing one input bit changes two output bits
• Efficient to compute
• Combination of bit operations and table lookup
• Differential cryptanalysis of DES
• Can break 8-round DES, but not 16-round DES (yet)

40
Complexity-based Cryptography

• Some computational problems provably hard
• Undecidability of halting problem
• Presburger arithmetic is non-elementary
• Commutative semi-groups require exponential space
• Some problems are believed intractable
• NP-complete optimization problems
• Traveling salesman as hard as any problem in NP
• No known polynomial time algorithm, in spite of
  effort
• Factoring is not believed to be poly-time
• Not NP-complete, but many years of effort
• Still, useful to relate crypto to standard
  problems

41
Easy and hard (more precisely)

• For any finite f, can build a table and invert f
• Measure hardness using classes of functions
• Want this to be hard as a function of choice of
  f
• A class fa Df ? Rf a?A is one-way if
• Efficient algorithm for fa (x), given a, x
• No efficient alg computes x, given a, fa (x)
• where we assume Df , Rf finite and measure
  running time as a function of a

42
Group theory for RSA

• Group G ?G, ?, e, ( )-1?
• Set of elements with
• associative multiplication ?
• identity e with e?x x?e x
• inverse ( )-1 with x?x-1 x-1 ?x e
• Cyclic group
• Group G ?G, ?, e, ( )-1? with
• G g0, g1 , g2 , ... , gk g0
• element g is called a generator of G
• number of distinct elements if called the order
  of group

43
Number theory for RSA

• Group Zn of integers relatively prime to n
• multiplication mod n is associative operation
• 1 is identity
• x-1 computed by Euclidean algorithm for gcd
• order of group is ?(n) kltn gcd(k,n) 1
  
• What if x not relatively prime to n?
• Can have zero divisors, no multiplicative inverse
• If y divides x and n, then yix, yjn and
  therefore xj yij ? 0 mod n
• Only numbers relatively prime to n form group

44
RSA Encryption

• Let p, q be two distinct primes and let npq
• Encryption, decryption based on group Zn
• For npq product of primes, ?(n) (p-1)(q-1)
• Proof (p-1)(q-1) pq - p - q 1
• Key pair ?a, b? with ab ? 1 mod ?(n)
• Encrypt(x) xa mod n
• Decrypt(y) yb mod n
• Since ab ? 1 mod ?(n), have xab ? x mod n
• Proof if gcd(x,n) 1, then by general group
  theory, otherwise use Chinese remainder theorem.

45
How well does this work?

• Can generate modulus, keys fairly efficiently
• Efficient rand algorithms for generating primes
  p,q
• May fail, but with low probability
• Given primes p,q easy to compute npq and ?(n)
• Choose a randomly with gcd(a, ?(n))1
• Compute b a-1 mod ?(n) by Euclidean algorithm
• Public key n, a does not reveal b
• This is not proven, but believed
• But if n can be factored, all is lost ...

46
Message integrity

• Theoretically, a weak point
• encrypt(km) (km)e ke me
• encrypt(k)encrypt(m)
• This leads to chosen ciphertext form of attack
• If someone will decrypt new messages, then can
  trick them into decrypting m by asking for
  decrypt(ke m)
• Implementations reflect this problem
• The PKCS1 RSA encryption is intended
  primarily to provide confidentiality. It is not
  intended to provide integrity. RSA Lab.
  Bulletin

47
Iterated hash functions

• Repeat use of block cipher (like DES, )
• Pad input to some multiple of block length
• Iterate a length-reducing function f
• f 22k -gt 2k reduces bits by 2
• Repeat h0 some seed
• hi1 f(hi, xi)
• Some final function g
• completes calculation

x
48
General Basis for Cryptography

• Cyclic group with one-way properties
• multiplication, inverse easy to compute
• discrete log ? a, an ? ? n not in O(log2 G)
• Note randomized algorithm in O(sqrt G)
• Examples
• Integers modulo prime p
• Elliptic curve groups
• Important complexity depends on group
  presentation

49
Public-Key Cryptography ElGamal

• Public encryption key ? g, ga ?
• Private decryption key a
• Encryption function
• Choose random b ? 2, G-1
• Send encrypt(msg) ? gb , gab ? msg ?
• Decryption
• Compute g-ab ((gb)a) -1
• Decrypt g-ab ? gab ? msg
• This is classical algorithm better security with
  hash(gab) ? msg