Homework 2

1
Homework 2

• Description
• Implement both the DES and RSA algorithm. You can
  choose any programming language to implement
  these algorithms. State clearly the assumptions
  that made you decide about the details of your
  implementation and about your programming
  language. Compare your implementation against
  existing ones, changing it or suggesting what you
  would change if you had more time.
• What I am looking for are
• 1.      How well you analyze your implementation
  against existing research or implementations
• 2.      How well you cross reference your
  decisions with existing research papers
• 3.      What is your current performance and
  storage requirements and how you could improve if
  you had more time
• 4.      Any other detail or facts that made you
  take decisions that you think are cool.
• This project can be done in groups of two.
  However, I expect more from group than individual
  projects.

2
Mid Term

• Date February 26th 2001
• Time 305 pm 425 pm
• Subject Anything that was covered in class until
  now.
• Two parts
• Closed Book 75 points in 6 questions
• Open Book 35 points in 2 questions

3
Introduction

• A few concepts
• Cryptography
• Cryptanalysis
• Steganography
• Plaintext
• Ciphertext

4
Concepts

• Plaintext the original message
• Ciphertext the transformed message
• Encryption transformation of plaintext into
  ciphertext
• Decryption transformation of plaintext into
  ciphertext
• Key some critical information used for
  encryption and decryption, only known to the
  sender and/or receiver

5
Attacks

• Interruption
• r attacks
• Interception
• Snnifers, traffic analisys
• Modification
• Man in the middle
• Fabrications
• Replay

6
Some historical data

• Gilbert Vernan introduces a very simple system
  that uses an xor operation in 1918
• Joseph Mauborgne extends Vernans algorythm to
  suggest the perfect cipher one-time pad
• DES is standardized in 1977.
• Diffie and Hellman, and Merkle, introduces
  public-key cryptography in 1976.
• RSA algorithm is published in 1978 (NSA wants to
  classify the work)
• Reading The Codebreakers from David Kahan

7
Cryptographic Algorithms

• Symmetric algorithm
• Encryption and decryption is performed using a
  unique key
• Both Alice and Bob agree in a secret key
• The key may have an expiration date for
  containment of damage.
• Key agreement/distribution is a problem

8
Classical Cryptography

• Symmetric algorithms
• The classical algorithms use
• Substitution Letters/words are substituted by
  another letters/words
• Transposition Letters are arranged in different
  order
• The substitution or transposition may be
• Monoalphabetic one substitution/transposition
• Polyalphabetic multiple substitution/transpositio
  n

9
Caesar Cipher

• Monoalphabetic substitution
• abcdefghijklmnopqrstuvwxyz
• defghijklmnopqrstuvwxyzabc
• Ek(m) C (m k) mod 26
• Dk(C) m (C k) mod 26
• On Caesar cipher k 3
• Ex. E3( I CAME I SAW I CONQUERED)
• L FDPH L VDZ L FRQTXHUHG

10
Cryptanalysis

• Search space for the key is small 26
  possibilities
• Brute force attack!
• How do you recognize a correct plaintext?
• Frequency analysis
• Letter E gt T gt R gt N gt I gt O gt A gt S
• Digraphs TH gt HE gt IN gt ER gt RE gt ON gt AN gt EN
• Trigraph THE gt AND gt TIO gt ATI gt FOR gt THA ? TER
  gt RES

11
Cryptanalysis

• Character frequency is dependent on the language
• Highly effective for monoalphabetic substitutions
• Important to have enough ciphertext to work on

12
More complex

• Make the key 26 characters long
• Key
• Plain ABCDEFGHIJKLMNOPQRSTUVWXYZ
• Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
• Encryption
• Plaintext IFWEWISHTOREPLACELETTERS
• Ciphertext WIRFRWAJUHYFTSDVFSFUUFYA
• Search space very large.
• Is it safe?

13
General Monoalphabetic

• A particular instance of the algorithm just
  described
• Key is smaller
• Write key without repeated letters followed by
  remaining letters.
• Ex.
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• ANDREBCFGHIJKLMOPQSTUVWXYZ

14
General Monoalphabetic

• Better
• ANDRE
• BCFGH
• IJKLM
• OPQST
• UVWXY
• Z
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• ABIOUZNCJPVDFKQWRGLSXEHMTY

15
Simple Substitution

• Use books or dictionary to map numbers to letters
• This can even be used to map whole words
• Code and codebooks
• Use additional symbols

16
Polyalphabetic substitution

• Change same letter by different letters depending
  on its position on plaintext
• This flattens the frequency distribution
• Cryptanalysis is harder
• This has the same effect that of having several
  Caesar cipher that are position dependent

17
Vigenere

• Uses i keys from a Caesar cipher
• For each letter in position j uses the key such
  as
• j mod i 0
• In order to make it easier, repeat a keyword as
  many times as necessary.
• Ex
• Plaintext THISPROCESSCANALSOBEEXPRESSED
• Keyword CIPHERCIPHERCIPHERCIPHERCIPHE
• Plaintext VPXZTIQKTZWTCVPSWFDMTETIGAHLH

18
Kasiski

• Great idea
• Certain sequence of letters appears many times in
  a text
• A ciphertext that uses Vigenere will have the
  sequence of letters (encrypted) showing in many
  places
• So
• Record distances between repetitive sequences of
  letters greater than 3 letters
• Good candidate for the number of alphabets (key
  size) is the gcd of the recorded distances
• Plaintext TOBEORNOTTOBE
• Key NOWNOWNOWNOWN
• Ciphertext GCXRCNACPGCXR

19
Friedmans IC

• Using this you get Friedmans method
• Guess that the key size is m
• Divide the ciphertext in m subtexts
• Calculate Ic for each of these subtexts, if your
  guess is right than for each subtext Ic will be
  approximately 0.065, if your guess is wrong, than
  you get approximately 0.038

20
Simple Transposition Ciphers

• Reverse cipher
• Plain SIMPLE CIPHER
• Cipher REHP ICEL PMIS
• Rail Fence
• Plain S M L C P E
• I P E I H R
• Cipher SMLC PEIP EIHR
• Geometric Figure

21
Row Transposition Cipher

• Write the message in rows
• Pad the end of the message
• Plain A VERY SIMPLE MESSAGE
• Key 2413
• AVER Cipher EARV IYMS EPML SEAS XGXE
• YSIM
• PLEM
• ESSA
• GEXX

22
Block (columnar) Transposition

• Write plaintext in rows again
• This time reads a whole column as specified by
  the key
• Key 2 4 1 3
• AVER Cipher EIES XAYP EGRM MAXV
• YSIM SLSE
• PLEM
• ESSA
• GEXX

23
Entropy

• Entropy is a measure of uncertainty
• The entropy is a metric for the question
• What is the information gained by an event that
  takes place with probability p(X)?
• Which is the same as
• How easily we can guess the outcome of an event
  before it takes place?
• The entropy of X is denoted by H(X)

24
Entropy

• In a natural language, HL is measured in bits per
  letter
• The excess of characters (information) carried by
  a natural language is called redundancy and given
  by RL1- HL/logP
• For English,
• Using these values,

25
Product Ciphers

• Classical crypto is based on substitution and
  transposition
• Two substitution is equal to one (or no)
  substitution
• Two transposition is equal to one (or no)
  transposition
• So, lets use substitution and transposition for
  our cipher! Why I did not think about this
  before???

26
Block Ciphers

• The plaintext is divided in blocks
• Each block is encrypted independently
• Some times the plaintext blocks suffer a
  transformation. Why?
• Shannon again,
• C E Shannon, "Communication Theory of Secrecy
  Systems", Bell System Technical Journal, Vol 28,
  Oct 1949, pp 656-715
• C E Shannon, "Prediction and Entropy of printed
  English", Bell System Technical Journal, Vol 30,
  Jan 1951, pp 50-64

27
Block Ciphers

• Substitution-Permutation Ciphers
• Product cipher
• S-P networks is the basis of modern symmetric
  cryptography
• Substitution box (S-Box)
• We have an input as a n bits word
• The output will be a n bit word that the input
  has been substituted for.

28
Substitution-Permutation Networks

• In order to have a practical implementation
• define inverses for each of S P-boxes, but this
  doubles the code/hardware needed, or
• define a structure that is easy to reverse, so
  can use basically the same code or hardware for
  both encryption and decryption

29
Feistel

• Feistel, from IBM, designed a practical schema in
  early 70s that uses S-P boxes
• The schema tries to maximize confusion-diffusion
  and too make the system easy to reverse
• The idea is to built a system from basic blocks
• The input to each basic block is divide in left
  part and right part

30
Feistel

• Only the right part is used together with a
  subkey in each basic block (a round)

31
Data Encryption Standard (DES)

• Financial companies found the need for a
  cryptographic algorithm that would have the
  blessing of the US government (NSA)
• First call for candidates in May 73, followed by
  a new call in August 74
• Not very many submissions (Why?)
• IBM submitted Lucifer
• NSA worked with IBM in redesigning the algorithm

32
DES

• The standard is public, the design criteria is
  classified
• One of the biggest controversies is the key size
  (56 bits)
• W Diffie, M Hellman "Exhaustive Cryptanalysis of
  the NBS Data Encryption Standard" IEEE Computer
  10(6), June 1977, pp74-84
• M Hellman "DES will be totally insecure within
  ten years" IEEE Spectrum 16(7), Jul 1979, pp
  31-41
• Another controversy is there a back door?

33
DES

• DES has proven a well designed code
• 56 bits has been proven inadequate
• EFF built a cracker for around 200,000
• Increase the key to 112 bits?
• The best way known to cryptanalyze DES is (after
  brute force) the differential analysis
• NSA new this from the design??

34
DES

• Uses Feistel principle
• Many similarities with Lucifer
• Improves on the S-Boxes

35
DES

• It operates in 64 bits blocks with 56 bits keys
• Uses 16 rounds, each round computed by a function
  f

36
DES

• A round can be described as
• Li Ri-1
• The key generation is performed
• An initial permutation PC1 which selects 56 bits
  and divide them in two halves
• In each round
• Select 24 bits from each half using a permutation
  function PC2
• Rotate left each half by one or two position

37
DES

• Properties of DES (per NSA)
• All rows of all the S-boxes are permutations of
  0, 1, , 15
• S-Boxes are not affine transformations of their
  input
• Change in an input bit changes at least two
  output bits of the S-box
• For any x and any S-box S, S(x), S(x ?001100)
  differs by at least two bits

38
DES Modes of Operation

• Block modes
• Electronic Codebook Book (ECB)
• Message is broken into independent blocks of 64
  bits
• Cipher Block Chaining (CBC)
• Message is broken in independent blocks of 64
  bits, but next input depends of previous output
• CiPi?Ci-1, with C-1IV

39
DES Modes of Operation

• Stream Modes
• Cipher FeedBack (CFB)
• The message is xored with the feedback of
  encrypting the previous block
• CiPi?Ek(Ci-1), with C-1IV
• Output feedback
• The feedback is independent of the message
• CiPi?Ek(Oi-1), with O-1IV

40
DES Weak Keys

• with many block ciphers there are some keys that
  should be avoided, because of reduced cipher
  complexity
• these keys are such that the same sub-key is
  generated in more than one round
• Weak Keys
• The same sub-key is generated for every round
• DES has 4 weak keys

41
Cryptanalysis of DES

• If you can choose the plaintext
• Brute Force try all 256 possible keys
• No memory necessary
• The encryption with all keys may be too slow
• Build a dictionary
• Each plaintext may result in 264 different
  ciphertext, but there is only 256 possible values
• Encrypt the known plaintext with all possible
  keys
• You have a look up table
• Very effective if you can inject plaintext and
  want to find many different keys

42
Cryptanalysis of DES

• Linear cryptanalisis
• Find bit locations ?s on plain, ?s on
  ciphertext and ?s on key such that
• has a probability higher than .5
• Use many different plaintext and analyze the left
  hand side. Infer the right hand side.

43
Cryptanalysis of DES

• Differential cryptanalysis
• First suggested by Murphy for the cryptanalysis
  of FEAL-4
• Assume that we label each left and right part of
  any block in the 16 rounds of DES as xi, starting
  from x0 and x1.
• Assume that we have two known plaintext x and x,
  and we know ?x x?x
• DES in each round produces xi1 xi-1 ?F(xi,Ki)

44
Cryptanalysis of DES

• Differential analysis
• Using that, we have
• ? xi1 ? xi-1 ?F(xi,Ki) ?F(xi,Ki)
• If F(xi,Ki) ?F(xi,Ki) is a function of ? xi with
  high probability, then
• Knowing ? xi-1 and ? xi then we know ? xi1
• Test this hypotheses for different ? x and start
  getting information about Ki
• This can break DES with 247 chosen plaintext

45
IDEA

• name changed to IDEA in 1992
• encrypts 64-bit blocks using a 128-bit key
• based on mixing operations from different
  (incompatible) algebraic groups (XOR, Addition
  mod 2(16) , Multiplication mod 2(16) 1)
• all operations are on 16-bit sub-blocks, with no
  permutations used, hence its very efficient in
  s/w
• IDEA is patented in Europe US, however
  non-commercial use is freely permitted
• used in the public domain PGP secure email system
  (with agreement from the patent holders)

46
DESX

• This algorithm, designed by Ron Rivest in 1984,
  compete with 3DES to provide protection against
  brute force attacks
• One goal of DESX is to overcome the slowness of 3
  DES (three time slower than DES)
• DESX use three keys k, k1, and k2
• DESXk,k1,k2k2?DESk(k1?x)

47
AES

• Second AES conference in March 1999
• Selected five candidates
• MARS
• RC6
• Rijndael
• Serpent
• Twofish.
• In October 200 Rijndael is selected by NIST as
  proposed AES

48
Public Key Cryptography

• Symmetric Key Algorithms
• Key agreement and change
• Trust on all parties that have the key
• Trust in the security level
• Trust in not misusing keys
• Public-key cryptography involves the use of two
  keys
• a public-key, which may be known by anybody, and
  can be used to encrypt messages, and verify
  signatures
• a private-key, known only to the recipient, used
  to decrypt messages, and sign (create) signatures

49
Public Key Cryptography

• Public-key is easily computed from the private
  key and other information about the cipher (a
  polynomial time (P-time) problem)
• Knowing the public-key and public description of
  the cipher, it is still computationally
  infeasible to compute the private key (an NP-time
  problem)
• The public-key may be distributed to anyone
  wishing to communicate securely with its owner
  (although secure distribution of the public-key
  is a non-trivial problem - the key distribution
  problem)

50
RSA

• Based on exponentiation in a finite (Galois)
  field over integers modulo a prime
• exponentiation takes O((log n)3) operations
• Security relies on the difficulty of calculating
  factors of large numbers
• factorization takes O(e log n log log n)
  operations
• (same as for discrete logarithms)
• Main patent expired in 2000

51
RSA

• Key-Generation by each user consists of
• Selecting two large primes at random (100
  digit), p, q
• Calculating the system modulus Rpq p, q primes
  
• selecting at random the encryption key e (usually
  3),
• e lt R, gcd(e, ?(R)) 1
• solving the congruence to find the decryption key
  d,
• ed 1 mod ?(R) 0 ? d ? R
• publishing the public encryption key K1e,R
• securing the private decryption key K2d,p,q

52
RSA

• Encryption of a message M to obtain ciphertext C
  is
• C Me mod R
• Decryption of a ciphertext C to recover the
  message M is
• M Cd Me.d M1n?(R) M mod R
• Note we still would need to prove that this
  holds for g.c.d.(M, R) ? 1

53
RSA

• Most (all!!) computers can't directly handle
  numbers larger than 32-bits (64-bits on the very
  newest)
• Need to use multiple precision arithmetic
  libraries to handle numbers this large
• Multi-Precision Arithmetic
• Involves libraries of functions that work on
  multiword (multiple precision) numbers
• Classic references are in Knuth vol 2 -
  "Seminumerical Algorithms"
• multiplication digit by digit

54
RSA

• Primality Testing and RSA
• The first stage of key-generation for RSA
  involves finding two large primes p, q
• Because of the size of numbers used, must find
  primes by trial and error
• Modern primality tests utilize properties of
  primes eg
• an-1 1 mod n where GCD(a,n)1
• all primes numbers 'n' will satisfy this equation
  
• some composite numbers will also satisfy the
  equation, and are called pseudo-primes.