Title: James L. Massey
Slide 1: Edison Lecture, University of Notre Dame, 11 April 2002
What Can Cryptography Do and What Should It Be Allowed To Do?
James L. Massey, Prof.-em. ETH Zürich, Adjunct Prof., Lund Univ.
Trondhjemsgade 3, 2TH, DK-2100 Copenhagen East
JamesMassey_at_compuserve.com
Slide 2: Cryptology (hidden word)
Cryptography (code making): the good guys
Cryptanalysis (code breaking): the bad guys
Slide 3: Goals of Cryptography
Privacy: determines who can read the message
- Prevent eavesdropping
- Prevent tracing
Authenticity: determines who can write the message
- Prevent forgery
- Prevent alteration
Slide 4: A privacy scheme: The Caesar Cipher
plaintext   C A E S A R
ciphertext  F D H V D U
plaintext   M A S S E Y
ciphertext  P D V V H B
[Figure: arithmetic on a CIRCLE (modulo 26 arithmetic). The 26 points 0, 1, 2, ..., 25 are placed clockwise around a circle and labelled A, B, C, ..., X, Y, Z, so that A = 0, B = 1, C = 2, ..., X = 23, Y = 24, Z = 25.]
Encrypt: add 3 (move clockwise 3 places)
Decrypt: subtract 3 (move counterclockwise 3 places)
SECRET KEY = 3
Slide 5: Today we use a SMALLER CIRCLE!
[Figure: arithmetic on this CIRCLE (modulo 2 arithmetic). The circle has only the two points 0 and 1.]
Encrypt: add (move clockwise)
Decrypt: subtract (move counterclockwise)
... and a LONGER SECRET KEY!
plaintext   1 0 0 1 1 1 0 1
secret key  0 1 1 0 0 1 1 1
ciphertext  1 1 1 1 1 0 1 0
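The two "circle" ciphers of slides 4 and 5, written out as code so that the add-to-encrypt, subtract-to-decrypt symmetry can be checked against the slides' own values. This is an added example and not code from the lecture; the function names and the 26-letter alphabet table are my choices. The last function goes one step beyond the slides: it enumerates all 26 Caesar keys, which is the whole reason the one-letter key of slide 4 gives no protection and the long key of slide 5 is needed.

```python
from typing import List, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # the 26-point circle, A = 0 ... Z = 25


def caesar(text: str, key: int, decrypt: bool = False) -> str:
    """Move each letter `key` places clockwise (encrypt) or counterclockwise
    (decrypt) around the circle; the arithmetic is modulo 26."""
    shift = -key if decrypt else key
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)          # leave spaces and punctuation as they are
    return "".join(out)


def xor_bits(bits: List[int], key: List[int]) -> List[int]:
    """The 2-point circle: adding and subtracting are the same move, so one
    function both encrypts and decrypts. The key must cover every bit."""
    if len(key) < len(bits):
        raise ValueError("key is shorter than the text")
    return [b ^ k for b, k in zip(bits, key)]


def caesar_key_space(ciphertext: str) -> List[Tuple[int, str]]:
    """Every possible decryption of a Caesar ciphertext. Only 26 candidates
    exist, so the secret key of slide 4 can be found by trying them all."""
    return [(k, caesar(ciphertext, k, decrypt=True)) for k in range(26)]
```

Running caesar("CAESAR", 3) gives the slide's "FDHVDU", and xor_bits on the slide's plaintext and key bits gives its ciphertext row; applying xor_bits again with the same key returns the plaintext, which is the "smaller circle" point of slide 5.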
Slide 6: Caesar isn't the only one who likes to make codes!
Slide 7: Vernam's 1926 Cipher (One-Time Pad): Impossible to break in a ciphertext-only attack!
[Figure: a Binary Plaintext Source emits the message M. A Modulo 2 adder combines M with the one-time secret key K to form the ciphertext E. At the Destination, E is added modulo 2 to the same K to recover M. K comes from a Source of Random Bits and is delivered to the Destination over a Secure Channel. The Enemy Cryptanalyst sees only E.]
The ciphertext E that the enemy cryptanalyst sees is completely random, independently of the statistics of the plaintext message M. This simple proof of unbreakability was given by Shannon in 1949!
Slide 8: Shannon's 1949 Proposition on Key Length
To be unbreakable against a ciphertext-only attack, the number of different secret keys must be at least as great as the number of different messages (where "message" here means the total amount of plaintext encrypted with the key).
Proof: In order to be unbreakable, $P_{E|M}(e|m) = P_E(e) \neq 0$ for every $e$ and every $m$. To be able to decrypt, the number of possible ciphertexts $e$ must be at least as great as the number of different messages $m$. But all the keys from a fixed $m$ to different $e$'s must be different. Hence the number of keys is at least the number of possible ciphertexts, which is at least the number of messages.
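Slides 7 and 8 can be checked by exhaustive computation on a toy message space. The following added example (mine, not from the lecture) takes 2-bit messages with a deliberately skewed, constructed probability distribution and computes $P_E(e)$ and $P_{E|M}(e|m)$ exactly, with a uniformly chosen key. With a full 2-bit one-time pad (4 keys for 4 messages) the ciphertext is uniform and Shannon's condition holds; with a 1-bit key stretched to cover 2 bits (2 keys for 4 messages) some ciphertext $e$ has $P_{E|M}(e|m) = 0$ while $P_E(e) \neq 0$, which is exactly the violation the proof on slide 8 rules out.

```python
from fractions import Fraction
from itertools import product


def all_bitstrings(n):
    """Every n-bit string, as a tuple of 0/1."""
    return [tuple(bits) for bits in product((0, 1), repeat=n)]


def xor(a, b):
    """Modulo 2 addition, bit by bit (the Vernam operation)."""
    return tuple(x ^ y for x, y in zip(a, b))


def ciphertext_distribution(msg_dist, keys, encrypt):
    """Exact P_E(e) and P_{E|M}(e|m) when the key is uniform over `keys`.
    msg_dist maps message -> probability (as Fractions)."""
    p_key = Fraction(1, len(keys))
    p_e = {}
    p_e_given_m = {m: {} for m in msg_dist}
    for m, p_m in msg_dist.items():
        for k in keys:
            e = encrypt(m, k)
            p_e[e] = p_e.get(e, 0) + p_m * p_key
            p_e_given_m[m][e] = p_e_given_m[m].get(e, 0) + p_key
    return p_e, p_e_given_m


def is_perfectly_secret(msg_dist, keys, encrypt):
    """Shannon's condition: P_{E|M}(e|m) == P_E(e) for every m and every e."""
    p_e, p_e_given_m = ciphertext_distribution(msg_dist, keys, encrypt)
    return all(p_e_given_m[m].get(e, 0) == p_e[e]
               for m in msg_dist for e in p_e)


# Constructed, deliberately skewed statistics for the 2-bit message source.
MSG_DIST = {
    (0, 0): Fraction(1, 2),
    (0, 1): Fraction(1, 4),
    (1, 0): Fraction(1, 8),
    (1, 1): Fraction(1, 8),
}


def one_time_pad_is_secret():
    """4 keys for 4 messages: Shannon's bound is met."""
    return is_perfectly_secret(MSG_DIST, all_bitstrings(2), xor)


def short_key_is_secret():
    """2 keys for 4 messages (a 1-bit key reused for both bits): bound violated."""
    def stretch(m, k):
        return xor(m, (k[0], k[0]))
    return is_perfectly_secret(MSG_DIST, all_bitstrings(1), stretch)


def one_time_pad_ciphertext_is_uniform():
    """What the enemy sees: E is uniform on all 4 values, whatever MSG_DIST says."""
    p_e, _ = ciphertext_distribution(MSG_DIST, all_bitstrings(2), xor)
    return len(p_e) == 4 and all(p == Fraction(1, 4) for p in p_e.values())
```

Fractions are used instead of floats so that the equality test in is_perfectly_secret is exact; the same functions accept any finite message space and key list, so other small ciphers can be checked the same way.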
Slide 9: Shannon's bound implies that practical ciphers
will have to depend on computational security,
i.e., on the difficulty of breaking rather than
the impossibility. The problem of good cipher
design is essentially one of finding difficult
problems, subject to certain other conditions.
This is a rather unusual situation, since one is
ordinarily seeking the simple and easily soluble
problems in a field. How can we ever be sure
that a system which is not ideal and therefore
has a unique solution for sufficiently large N
will require a large amount of work to break with
every method of analysis. ... We may construct
our cipher in such a way that breaking it is
equivalent to (or requires at some point in the
process) the solution of some problem known to be
laborious.
Slide 10: Who has a need to use secret-key ciphers?
- Government
- The military
- The general public
- Medical institutions
- Banks and industry
- Criminals, esp. drug dealers
- Terrorists
Slide 11: In 1991, my doctoral student, Xuejia Lai, and I
designed a new cipher, which we later named
the International Data Encryption Algorithm
(IDEA) that used a key of 128 bits (the plaintext
and ciphertext were each 64 bits). We published
the details of this cipher publicly. We made this
cipher as strong as we knew how! It has been
widely used and is included in the software
package Pretty Good Privacy (PGP) that is
available both as freeware and in a commercial
version. I also designed a publicly available
cipher, the Secure and Fast Encryption Routine
(SAFER) for Cylink Corp., a Calif. Company of
which I own 0.15.
Slide 12: Round Structure of IDEA (Lai & Massey, 1991)
[Figure: the four 16-bit input words X1, X2, X3, X4 enter round 1, where they are combined with the six round subkeys Z1(1), Z2(1), Z3(1), Z4(1), Z5(1), Z6(1) using multiplication modulo 2^16 + 1 and addition modulo 2^16; the two middle words are swapped at the end of the round (skip swap in round 8). After 7 more rounds, the output transformation with subkeys Z1(9), Z2(9), Z3(9), Z4(9) yields the output words Y1, Y2, Y3, Y4.]
Slide 13: B. Preneel et al. (18 others), "Update on the selection of algorithms for further investigation during the second round," Project NESSIE, Version 1.0, March 11, 2002.
1.3 IDEA: "IDEA has been widely studied for a decade and no security flaws have been found. With the exception of a rather slow key schedule, its performance is acceptable on most desktop platforms. Therefore it has been selected."
2.10 Safer128: "No security flaws have been found, and its performance is relatively good. Its design has many interesting properties. Therefore it has been selected."
(Have I been aiding terrorists?)
Slide 14: How can we ensure that cryptography is used only for legitimate purposes?
Can we fence off cryptographic methods so they
cannot be used by criminals and terrorists, but
can be used by honest people for honorable
purposes?
But walls are hard to make and keep in good
repair!
"Something there is that doesn't love a wall, / That wants it down."
Robert Frost, The Mending Wall
Slide 15: Schemes to fence off criminals and terrorists that have been used or considered
- Prohibit encryption, except for . . .
- Allow only weak encryption, except for . . .
- Regulate sale of encryption chips
- Require escrowing of keys
Will any of these schemes work and, if so, should
they be used?
Slide 16: In my opinion, none of these schemes can achieve
the desired end because the genie is already out
of the bottle!
Besides IDEA and SAFER and numerous other
publicly described strong ciphers, the U. S.
government has recently made publicly available a
very strong cipher RIJNDAEL with a 256 bit secret
key. These ciphers all permit software
encryption on a home PC at megabits/sec rates so
there is no need to use hardware encryption chips
unless one needs to communicate secretly at rates
of hundreds of megabits per second or higher.
RIJNDAEL was chosen by the U. S. National
Institute of Science and Technology (NIST) as the
winner of the Advanced Encryption Standard (AES)
competition.
Slide 17: "Before I built a wall I'd ask to know / What I was walling in or walling out, / And to whom I was like to give offense."
Robert Frost, The Mending Wall
NIST reasoned, correctly in my opinion, that the
U.S. had much more to lose from attacks on its
information infrastructure, which strong
cryptography could be used to prevent, than from
any tactical advantage that criminals and
terrorists might derive from using such
cryptography in their operations. The main
effect of such strictures would be to discourage
the legitimate use of cryptography. Why are
there those who still lobby for these schemes?
Slide 18: "There where it is we do not need the wall: / He is all pine and I am apple orchard. / My apple trees will never get across / And eat the cones under his pines, I tell him. / He only says, 'Good fences make good neighbors.'"
Robert Frost, The Mending Wall
It's what our grandfathers did! There is a real
cult of paranoia about cryptography among people
(active and retired) in the intelligence
community, in the military, and in various law
enforcement agencies.
Reminder: I own 0.15 of Cylink Corp., a Calif. company whose business is cryptography.
Slide 19: Challenge/Response Authentication via a secret-key Cipher
[Figure: Alice and Bob share a secret key. Alice sends X to Bob; Bob returns Y.]
Alice: "Show me you know how to encrypt this randomly chosen plaintext X."
Bob: "No problem. Here's the ciphertext Y."
Alice: "Hi, Bob! I'm sure it's you because you knew the key."
This is how SAFER (which lost out in the AES competition) is used for entity authentication in Bluetooth.
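The exchange of slide 19 with both sides written out, as an added example that is not part of the lecture. Neither SAFER nor IDEA is in the Python standard library, so HMAC-SHA256 under the shared key K stands in for "encrypt this plaintext X"; the class and function names are my own. The example also shows the two checks a careful verifier adds: a constant-time comparison of Y, and a fresh X for every run, so that a recorded Y from an earlier session is worthless, which is why the slide insists the plaintext be randomly chosen.

```python
import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 16


def respond(key: bytes, challenge: bytes) -> bytes:
    """Bob's side: compute Y from X under the shared key K.
    Stand-in: HMAC-SHA256 plays the role of the SAFER/IDEA encryption
    on the slide (neither cipher is in the standard library)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """Alice's side: issue a fresh random X, then check the returned Y."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None          # the X we are waiting on, if any

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(CHALLENGE_BYTES)   # fresh X
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:     # no outstanding challenge
            return False
        expected = respond(self.key, self.pending)
        self.pending = None          # each X accepts at most one Y
        # constant-time comparison: do not leak how many bytes matched
        return hmac.compare_digest(expected, response)


def run_protocol(alice_key: bytes, bob_key: bytes) -> bool:
    """The full exchange; True only if Bob holds the same key as Alice."""
    alice = Verifier(alice_key)
    x = alice.challenge()            # Alice -> Bob: X
    y = respond(bob_key, x)          # Bob -> Alice: Y
    return alice.verify(y)


def replayed_response_is_rejected(key: bytes) -> bool:
    """Why X must be fresh: a recorded Y fails against a new X."""
    alice = Verifier(key)
    y_old = respond(key, alice.challenge())
    if not alice.verify(y_old):
        raise RuntimeError("a genuine response should verify")
    alice.challenge()                # new session, new X
    return not alice.verify(y_old)
```

run_protocol with matching keys returns True and with a wrong key on Bob's side returns False; the verifier never tells the other side which bytes of Y were wrong.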
Slide 20: Just about everybody thinks that authentication is a good idea and its use should be encouraged!
The reason:
There is no way that criminals and terrorists can
use authentication schemes to advance their evil
ends.
Slide 21: Or is there a way?
[Figure: Alice sends M, her "plans for terrorist attack", to Bob in place of the randomly chosen plaintext X that Alice pretended to be sending to Bob. Whoever inspects X says "Looks OK to me!"]
The authorities don't even know that an encrypted message was sent.
This is an example of an oblivious transfer, which is always possible in protocols (such as most authentication protocols) where random numbers are required.
Slide 22: Public-Key Cryptography (Diffie & Hellman, 1976)
- A trapdoor one-way permutation is a family of permutations (i.e., invertible functions from a set to itself) indexed by a parameter z (the trapdoor) such that
  - if you know z you can easily find fast algorithms E_z and D_z that compute the permutation f_z(.) and its inverse g_z(.), respectively, but
  - if you don't know z then, for virtually all y in the range of f_z(.), it is infeasibly difficult when given y to find the x such that y = f_z(x), even if you know the fast algorithm E_z for computing f_z(.).
E_z is the public key. D_z is the private key.
Slide 23: The mechanical analogy of a Trapdoor One-Way Permutation
[Figure: a lock with its two keys, E_z and D_z.]
A lock with two very different keys: the key E_z is for LOCKING and the key D_z is for UNLOCKING. Public-key cryptography is thus sometimes called two-key cryptography or asymmetric cryptography.
Slide 24: As was noted by Diffie and Hellman in 1976, with a Trapdoor One-Way Permutation one can build a computationally secure public-key cryptosystem.
[Figure: a Trusted Public Directory lists (A, E_zA), (B, E_zB), etc. Alice encrypts by looking up Bob's entry E_zB and computing y = f_zB(x); y crosses the PUBLIC CHANNEL; Bob decrypts by computing x = g_zB(y).]
Something new! Trusted information instead of secrets.
Slide 25: The real novelty of public-key cryptography: Public (or true) Signatures
[Figure: the Trusted Public Directory lists (A, E_zA). Alice signs by applying g_zA to the message "It's all over between us, Bob", producing "isidjekdjkvjmdjhjncnx"; Bob verifies by applying f_zA to it, which returns "It's all over ...".]
Bob, and anyone else who sees the message, can be sure that it was written by Alice.
Slide 26: Public-key cryptography tends to be slow
(kilobits/sec) because the permutations that it
uses are rather difficult to compute--typically
one does arithmetic modulo an integer n of about
a thousand bits or so. Public-key cryptosystems
for this reason are usually used only for
distributing secret keys. Everyone recognizes the
great value for legitimate users of public
signatures, but authorities have tried to enforce
the use of only weak public-key cryptosystems
(say a modulus of about 500 bits) on the grounds
that the authentication system could also be used
for encryption. In my opinion, this does not
make sense.
Slide 27: Shamir's Protocol
[Figure: Bob's Lock (he has the only key to it), labelled B, and Alice's Lock (she has the only key to it), labelled A.]
Alice wants to send a private message to Bob, but Alice and Bob are connected only by a dependable but curious postman. Can she do it?
Slide 28: [Figure: the exchange between ALICE and BOB using the two locks.]
Slide 29: No-See (Blind) Signatures (Chaum)
ALICE: "Here's 10,010 for you, Bob. Please sign the paper hidden in this envelope with your 10,000 signature."
BOB, the banker: "I can't see what I'm signing, but I promise to give 10,000 to whoever brings this back."
(Many months later)
CAROL: "What will you give me for this piece of paper, Bob?"
BOB: "10,000, just like I promised to whoever gave that to you. I wonder who that was?"
Slide 30: In Shamir's three-pass protocol, the locks must commute!
But $(M^A)^B = M^{AB} = M^{BA} = (M^B)^A$.
The power-function cipher commutes!
Encryption: $E = M^R$, where the multiplication is modulo a prime $p$, where $M \in \{0, 1, \ldots, p-1\}$, and where $0 < R < p-1$ and $\gcd(R, p-1) = 1$.
Decryption: $M = E^{R'}$, where $0 < R' < p-1$ and $R R' \equiv 1 \pmod{p-1}$.
(This follows from Fermat's little theorem, which asserts that, if $M \neq 0$, then $M^{p-1} \equiv 1 \pmod{p}$.)
Slide 31: [Figure: Chaum's blind signature realized with the power-function cipher.]
ALICE, Redundancy Insertion: a Source of random bits supplies U, and Alice forms M = (U, U).
ALICE, Blinding Operation: Alice computes $M^{R_a}$ and sends it to Bob.
BOB, Signature Insertion: Bob computes $(M^{R_a})^{R_b}$ and returns it.
ALICE, Deblinding Operation: Alice removes $R_a$, leaving $M^{R_b}$, which passes to Carol.
CAROL presents $M^{R_b}$. Signature Removal: $M^{R_b}$ is turned back into M = (U, U). Redundancy and First-time Check: M must have the form (U, U) and must not have been presented before.
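The power-function cipher of slide 30 is the one helper behind both Shamir's three-pass protocol (slides 27, 28 and 30) and the blind-signature flow of slides 29 and 31, so the following added example (mine, not the lecture's) implements it once and runs both protocols on it. Assumptions not on the slides: the public modulus is the prime $2^{127}-1$ (a constructed choice; any large prime works), U is a 60-bit value so that M = (U, U) fits below $p$, and the Signature Removal and the Redundancy and First-time Check of slide 31 are done by Bob the banker when Carol presents the note, since whoever holds $R_b'$ can compute $R_b$ and so must be the signer. Class and function names are my own. The redeem step shows both checks a bank needs: a note that is not of the form (U, U) is refused, and a genuine note is refused the second time it is presented.

```python
from math import gcd
import secrets

# Public modulus: the Mersenne prime 2^127 - 1 (constructed choice for this example).
P = 2**127 - 1
HALF_BITS = 60   # size of U in the redundancy rule M = (U, U); 2 * 60 < 127 bits


def make_exponent(p=P):
    """Draw R with 0 < R < p-1 and gcd(R, p-1) = 1, and R' = R^-1 mod (p-1)."""
    while True:
        r = secrets.randbelow(p - 2) + 1          # 1 .. p-2
        if gcd(r, p - 1) == 1:
            return r, pow(r, -1, p - 1)


def lock(m, r, p=P):
    """Power-function encryption E = M^R mod p; M must be nonzero mod p."""
    if not 0 < m < p:
        raise ValueError("M must lie in 1 .. p-1 for Fermat's theorem to apply")
    return pow(m, r, p)


def unlock(e, r_inv, p=P):
    """Power-function decryption M = E^R' mod p."""
    return pow(e, r_inv, p)


def commutes(m, p=P):
    """Slide 30: (M^A)^B == (M^B)^A for two independently chosen locks."""
    a, _ = make_exponent(p)
    b, _ = make_exponent(p)
    return lock(lock(m, a, p), b, p) == lock(lock(m, b, p), a, p)


def three_pass(m, p=P):
    """Shamir's protocol. Returns Bob's recovered M and what the postman saw."""
    a, a_inv = make_exponent(p)                 # Alice's lock and key
    b, b_inv = make_exponent(p)                 # Bob's lock and key
    pass1 = lock(m, a, p)                       # Alice -> Bob: M^A
    pass2 = lock(pass1, b, p)                   # Bob -> Alice: (M^A)^B
    pass3 = unlock(pass2, a_inv, p)             # Alice -> Bob: M^B
    return unlock(pass3, b_inv, p), (pass1, pass2, pass3)


def insert_redundancy(u):
    """M = (U, U): the random half-block U written twice."""
    if not 0 < u < 2**HALF_BITS:
        raise ValueError("U out of range")
    return (u << HALF_BITS) | u


def has_redundancy(m):
    """Does M have the form (U, U)?"""
    mask = 2**HALF_BITS - 1
    return m < 2**(2 * HALF_BITS) and (m >> HALF_BITS) == (m & mask)


class Banker:
    """Bob: holds the signing exponent Rb and its inverse; remembers spent notes."""

    def __init__(self, p=P):
        self.p = p
        self.rb, self.rb_inv = make_exponent(p)
        self.spent = set()

    def sign_blind(self, blinded):
        """Signature Insertion: (M^Ra)^Rb, computed without ever seeing M."""
        return pow(blinded, self.rb, self.p)

    def redeem(self, note):
        """Signature Removal, then the Redundancy and First-time Check."""
        m = pow(note, self.rb_inv, self.p)
        if not has_redundancy(m) or m in self.spent:
            return False
        self.spent.add(m)
        return True


def obtain_blind_signature(bank, u):
    """Alice's side: redundancy insertion, blinding, deblinding. Returns M^Rb."""
    ra, ra_inv = make_exponent(bank.p)
    m = insert_redundancy(u)
    blinded = lock(m, ra, bank.p)                    # M^Ra goes to Bob
    signed_blinded = bank.sign_blind(blinded)        # (M^Ra)^Rb comes back
    return unlock(signed_blinded, ra_inv, bank.p)    # M^Rb, the signed note
```

Deblinding works because $R_a R_a' \equiv 1 \pmod{p-1}$ and $M^{p-1} \equiv 1 \pmod p$, so $(M^{R_a R_b})^{R_a'} = M^{R_b}$; the same Fermat argument is what lets Bob strip $R_b$ at redemption. Because Bob only ever sees $M^{R_a}$, he cannot link the note Carol presents to the blinded value Alice sent him.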
Slide 32: Should cryptography be allowed to be used for this or similar kinds of identity concealment?
Probably not for large financial transactions
where there is a clear public need for regulation
of activity.
"Before I built a wall I'd ask to know / What I was walling in or walling out, / And to whom I was like to give offense."
Robert Frost, The Mending Wall
But what about opponents of a repressive
political regime that brooks no open opposition?
I am not going to try to call this one!
Slide 33: For further reading
C. E. Shannon, "Communication Theory of Secrecy Systems," Bell System Tech. J., vol. 28, pp. 656-715, Oct. 1949.
W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Trans. Info. Th., vol. IT-22, pp. 644-654, Nov. 1976.
R. L. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Comm. ACM, vol. 21, pp. 120-126, Feb. 1978.
A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.