# Exercise in the previous class give proof for the discussion in p.19 1 see

## Presentation on theme: "Exercise in the previous class give proof for the discussion in p.19 1 see"— Presentation transcript:

exercise in the previous class give proof for the discussion in p.19 1 see http://apal.naist.jp/~kaji/lecture/

chapter 4: cryptography 2

what we do, and what we do not in this class cryptography is discusses in many contexts management politics history philosophy In this class, we focus on the technical aspects of cryptography. 3

terminology 4 plaintexts( 平文，ひらぶん ); make sense by themselves encryption ( 暗号化 ) decryption ( 復号 ) cryptography ( 暗号 ) = pair of E and D such that D(E(p)) = p many variations and confusions on the words: crypto  cipher, text  data, cryptography  encryption ciphertexts ( 暗号文 ); make no sense by themselves E(p)E(p) c p D(c)D(c) E D

three types of cryptography key-less cryptography E(p) (resp. D(c)) is solely determined by p (resp. c). no key... the algorithms must be kept secret security relies on the “gap of wisdom” of the recipients “O, draconian devil”  “Leonardo da Vinci” common-key cryptography E and D must use the same key public-key cryptography E and D use different keys which are in special relation 5

class plan today: common-key cryptography widely known algorithms key agreement protocol next: public-key cryptography RSA related algorithms June 4 (MON): exercise June 5 (TUE): test 6

common-key cryptography symmetric-key ―, classic ―,... E (resp. D) takes two inputs: key and plaintext (resp. ciphertext) E(k, p): the ciphertext of p encrypted with the key k D(k, c): the plaintext of c decrypted with the key k D(k, E(k, p)) = p, but D(k’, E(k, p))  p if k’  k 7 E pc k1k1 D k2k2 p, if k 1 = k 2 ?, if k 1  k 2

substitution cipher substitution cipher ( 換字暗号 ): encrypt: replace characters in plaintexts to different characters decrypt: do the inverse replacement of encoding key: the table of the character replacement 8 plaintext ciphertext ．．． A E  B K C A Y Z Z G  the number of possible keys = 26! for English alphabet... too many even for today’s computers the statistics of the plaintexts can be observed in cipherexts

frequency attack in a naive substitution cipher... a character is always replaced to the identical character in many data, there is bias on the frequencies of characters in English... characters such as “e”, “t”, “a”, and “s” occur frequently characters which occur frequently in a ciphertext = replacements of the above four frequent characters 9 A.C. Doyle, 1903, The Adventure of the Dancing Men

sketch of the frequency attack 10 information as a concept has many meanings the concept of information is typical English texts theory in modern english is a concept which originally derives from classical greek plaintext ciphertext of unknown text zpunim gt oncuit utqvgwp gw h antaubz spgap nigqgthvvm cuigluw eino hxachxac 8.4% 1.5% 2.7% 3.8% → a → b → c → d abcdabcd 8.6% 1.4% 2.8% 3.8%

many improvements The vulnerability ( 脆弱性 ) of the substitution cipher was well-known to cryptographers from early days... many improvements were considered... one-to-many substitution substitution of N-grams or words use of multiple substitution tables dynamically change the substitution table  Enigma 11

Enigma used by German military in the World War II the substitution is determined by “rotor wheels” the rotor wheels rotate as one character is processed 12 A D B C Enigma showed that machine power >> human power

DES (Data Encryption Standard) developed in the US in 70’s to secure classified data not the “first-class” cryptography “good security with reasonable cost” insecure nowadays, but played important role in cryptology 1973NBS solicited ( 公募する ) encryption algorithms 1974IBM submitted a candidate 1977published as federal standard 1997NIST (formerly NBS) solicited newer AES 13

encryption of DES 14 L 15 R 15 plaintext key ciphertext IP f L1L1 R1R1 L0L0 R0R0 f L2L2 R2R2 f L 16 R 16 RK 1 RK 2 RK 16 IPIP -1 round 1round 2round 16 32 64 56 48 56...# of bits round keys initial permutation

f L i+1 R i+1 LiLi RiRi RK i+1 Feistel structure each round of DES has the Fesitel structure 15 f RiRi LiLi R i+1 L i+1 RK i+1 the Fesitel structure is easy to invert if RK i+1 is provided correctly the inversion can be done with the same Feistel mechanism (with left and right exchanged)

decryption of DES 16 L 15 R 15 ciphertext plaintext IP f L1L1 R1R1 L0L0 R0R0 f L2L2 R2R2 f L 16 R 16 RK 16 RK 15 RK 1 IPIP -1 key inside this box is the same as the encryption  one circuit is used for both of encryption and decryption

security of DES theoretical attacks differential analysis by Biham & Shamir (1990) investigated at the design phase of DES... linear analysis by Matsui (1993) succeeded to break DES first time exhaustive attacks 22hours, 100K computers connected by network (1999) 9days, FPGA-based parallel machine (2006) DES is not secure anymore! 17

rumor of DES rumor, or urban legend: “NSA must settle a back-door in DES” 18 NSA: National Security Agency intelligence agency of the US some activities not revealed commitment to the Echelon system evidence? the key length is shortened from the IBM proposal some substitution tables in DES is replaced by NSA NSA did know the differential analysis there is no way to verify what is true and what is not true...

AES and others DES is no more secure there is no way to deny the bad rumor  the newer and stronger cryptography is needed 1997NIST solicited Advanced Encryption Standard (AES) 15 candidate algorithms from 12 countries 19995 candidates passed the screening 2000Rijndael, from Belgium, was selected as winner 2001published as federal standard There are many other algorithms: Blowfish, IDEA, Camellia... 19

key agreement Any common-key cryptography faces to one serious problem: How can we share a key with a person at remote place? the sender and the receiver must have the same key the key must not be known to anyone else 20 solution... use an expensive but secure communication channel secret agent, registered mail, pigeon, etc... utilize mathematical trick  key agreement protocol

key agreement protocol We consider a protocol between two users A and B: the communication channel is not secure an attacker C can wiretap ( 盗聴する ) the communication, but does not modify data in the channel after the protocol execution... A and B know a certain information in common C does not know the information 21

Diffie-Hellman protocol Diffie-Hellman protocol; is proposed by Diffie & Hellman in 1976 makes use of the property that it is difficult to solve the discrete logarithm problem preliminary F q = {0,..., q – 1} with q a big prime number g, a generator of F q (any nonzero a  F q is written as a = g x mod q) discrete logarithm problem (DLP): “given q, g and a, determine x with a = g x mod q” 22

example F 7 = {0, 1, 2,..., 6} g = 3 is a generator of F 7 23 no smart algorithm known today... the only means to solve the problem is by exhaustive search... nobody can solve the problem if q is large (> thousands bits) 1 = 3 6 mod 7 2 = 3 2 mod 7 3 = 3 1 mod 7 4 = 3 4 mod 7 5 = 3 5 mod 7 6 = 3 3 mod 7 log 3 1 = 6 log 3 2 = 2 log 3 3 = 1 log 3 4 = 4 log 3 5 = 5 log 3 6 = 3 0123456 1 2 3 4 5 6 a x the answer of the DLP

the protocol step 1: A and B agree the prime q and the generator g (in public) step 2a: A chooses random x, and sends m A = g x mod q to B step 2b: B chooses random y, and sends m B = g y mod q to A step 3a: A computes (m B ) x mod q = g xy mod q step 3b: A computes (m A ) y mod q = g xy mod q 24 determine q & g x y m A = g x mod q m B = g y mod q g xy mod q

example 25 q = 197, g = 3 51 55 71 = 3 51 mod 197 38 = 3 55 mod 197 122 = 38 51 mod 197122 = 71 55 mod 197 How can we compute 38 51 mod 197? 38 51 mod 197 = (38 32 mod 197) (38 16 mod 197) (38 2 mod 197) (38 1 mod 197) mod 197 38 2n mod 197 = (38 n mod 197) 2 mod 197 38 32 38 16 38 8 38 4 38 2 38 1 mod 197

security Is the protocol secure? 26 determine q & g x y m A = g x mod q m B = g y mod q g xy mod q C finds q, g, m A and m B C cannot know x and y unless he/she solves DLP C cannot know the value of the shared g xy mod q

another security What happens if the attacker do more than wiretapping? C communicates with A pretending B C communicates with B pretending A 27 A and B communicate with C, believing that he/she is communicating with a valid opponent.  man-in-the-middle attack ( 中間一致攻撃 )

summary classification of cryptography key-less, common-key and public-key common-key cryptography substitution cipher DES key-agreement protocol 28

exercise Decrypt the following ciphertext. qiw aufmlyn gcmwz yz c mcxae yoqweocqyaocu wpwoq jwcqkeyog zkmmwe cod vyoqwe zlaeqz, yo viyni qiakzcodz aj cqiuwqwz lceqynylcqw yo c pceywqf aj namlwqyqyaoz. qiw aufmlyn gcmwz icpw namw qa hw ewgcedwd cz qiw vaeud'z jaewmazq zlaeqz namlwqyqyao viwew maew qico qva ikodewd ocqyaoz lceqynylcqw. qiw gcmwz cew nkeewoquf iwud wpwef qva fwcez, vyqi zkmmwe cod vyoqwe aufmlyn gcmwz cuqweocqyog, cuqiakgi qiwf annke wpwef jake fwcez vyqiyo qiwye ewzlwnqypw zwczaocu gcmwz. 29

about test June 4(Mon), 9:20AM, exercise June 5 (Tue), 9:20AM, this room you can bring books, notes and copies of slides you can bring a calculator and/or PC PC must be disconnected from the network: download all needed material before the test starts 本，ノート，資料，電卓， PC... なんでも持ちこみ可 PC 等の通信機能は使用不可 必要な資料類は事前にダウンロードしておくこと 30

Download ppt "Exercise in the previous class give proof for the discussion in p.19 1 see"

Similar presentations