Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part 9, Basic Cryptography 1. Introduction A cryptosystem is a tuple: ( M,K,C, E,D) where M is the set of plaintexts K the set of keys C the set of ciphertexts.

Published byBernard Short Modified over 8 years ago

Similar presentations

Presentation on theme: "Part 9, Basic Cryptography 1. Introduction A cryptosystem is a tuple: ( M,K,C, E,D) where M is the set of plaintexts K the set of keys C the set of ciphertexts."— Presentation transcript:

1 Part 9, Basic Cryptography 1

2 Introduction A cryptosystem is a tuple: ( M,K,C, E,D) where M is the set of plaintexts K the set of keys C the set of ciphertexts E: M  K  C the set of enciphering functions D: C  K  M the set of deciphering functions 2

3 The Caesar cipher M = C is the set of sequences of Roman letters K : the set of integers: 0,1,…,25 E : the set of enciphering functions E k, k  K : E k (m)=m+k (mod 26) D : the set of deciphering functions D k, k  K : D k (c)= c - k (mod 26) 3

4 Example If the key is K=3, then: “HELLO”  “KHOR” Since: H  1 I  2 J  3 K E  F  G  H L  M  N  O O  P  Q  R 4

5 Cryptanalysis The goal of cryptography is to keep enciphered text secret. The goal of the adversary is to break a ciphertext. Attacks on cryptosystems:  Ciphertext only attacks: the adversary has only access to ciphertexts. The adversary must find a corresponding plaintext.  Known plaintext attacks: the adversary has access to some matched ciphertexts / plaintext pairs. The adversary must find the plaintext of some new ciphertext.  Chosen plaintext attacks: the adversary may ask that specific plaintexts are enciphered. The adversary must find the plaintext that corresponds to a new ciphertext. 5

6 Kerchoffs’ assumption The adversary knows all details of the encrypting function except the secret key 6

7 The transposition cipher A transposition cipher rearranges the characters in the plaintext; the key is a permutation  on the characters. The letters are not changed. So -- E  (x) =  (x) -- D  (y) =  -1 (y) Example: rail-fence cipher Let the ciphertext be “HELLO WORLD”: Write it in two columns as HLOOL ELWRD The ciphertext is “HLOOLELWRD” 7

8 Anagramming Attacking a transposition cipher requires a rearrangement of the letters of the ciphertext. Anagramming uses tables of n-gram frequencies to identify common n-grams. For example, for the ciphertext “HLOOLELWRD” the digram “HE” occurs with frequency 0.0305 in English (see textbook). Of the other possible digrams beginning with “H”, “HO” is the next highest. This suggest that “E” follows “H” in the plaintext. And so on. 8

9 The substitution cipher A substitution cipher changes the characters in the plaintext to produce the ciphertext. Caesar’s cipher is an example. Again the key for this cipher can be found by using a frequency analysis. 9

10 Block ciphers The Transposition and Substitution Ciphers are block ciphers: successive plaintext elements (blocks) are encrypted using the same key. We now consider some other block ciphers. The Affine Cipher, is a special case of the Substitution Cipher with -- E K (x) = ax + b mod26 -- D K (y) = a -1 y - a -1 b mod26 where a,b x,y is in Z 26, and a is invertible in Z 26. 10

11 Block ciphers The Vigenere Cipher is polyalphabetic. Let m > 1 M = C = K = ( Z 26 ) m = Z 26  Z 26  Z 26 For a key K = (k 1, …, k m ) -- e K (x 1,…, x m ) = (x 1 + k 1, …, x m + k m ) -- d K (y 1,…, y m ) = (y 1 - k 1, …, y m - k m ) where all operations are in Z 26. 11

12 Block ciphers The Hill Cipher is also polyalphabetic. Let m > 1 M = C = ( Z 26 ) m, K is the set of all m by m invertible matrices over ( Z 26 ) m For a key K -- e K (x) = xK -- d K (y)= yK -1 with all operations are in Z 26. 12

13 Stream Ciphers The ciphers considered so far are block ciphers. Another type of cryptosystem is the stream cipher. 13

14 Stream Ciphers A synchronous stream cipher is a tuple ( E,D,M,C,K, L ) with a function g such that: E, D, M, C, K, are as before. L is the keysteam alphabet g is the keystream generator: it takes as input a key K and outputs an infinite string z 1, z 2, … called the keystream, where z i are in L. For each z i are in L there is an encryption rule e z in E, and a decryption rule d z in D such that: d z (e z (x)) = x for all plaintexts x in M. 14

15 Stream Ciphers The Linear Feedback Shift Register or LFSR. The keystream is computed as follows: Let (k 1, k 2, …,k m ) be the initialized key vector at time t. At the next time unit the key vector is updated as follows: -- k 1 is tapped as the next keystream bit -- k 2, …, k m are each shifted one place to the left -- the “new” value of k m is computed by m-1 k m+1 =  c j k j+1 j=0 15

16 Stream Ciphers Let x 1, x 2, … be the plaintext (a binary string). Then the ciphertext is: y 1, y 2, … where y i,= x i + k i, for i = 1,2,… and the sum is bitwise xor. 16

17 Cryptanalysis Attacks on Cryptosystems Ciphertext only attack: the adversary has access a string of ciphertexts: y 1, y 2, … Known plaintext attack: the adversary has access a string of plaintexts x 1, x 2, … and the corresponding string of ciphertexts: y 1, y 2, … 17

18 Attacks on Cryptosystems Chosen plaintext attack: the adversary can choose a string of plaintexts x 1, x 2, … and obtain the corresponding string of ciphertexts: y 1, y 2, … Chosen ciphertext attack: the adversary can choose a string of ciphertexts: y 1, y 2, … and construct the corresponding string of plaintexts x 1, x 2, … 18

19 Attacks on Cryptosystems In all these attacks the adversary is given a new ciphertext and must find the corresponding plaintext 19

20 Cryptanalysis Cryptanalysis of the transposition cipher and substitution cipher: Ciphertext attack -- use statistical properties of the language Cryptanalysis of the affine and Vigenere cipher: Ciphertext attack -- use statistical: properties of the language Attacks on the affine and Vigenere cipher: Ciphertext attack -- use statistical: properties of the language 20

21 Cryptanalysis Cryptanalysis of the Hill cipher: Known plaintext attack Cryptanalysis of the LFSR stream cipher: Known plaintext attack 21

22 One-time pad This is a variant of the Vigenere cipher. The key string is chosen as a random bit string and is at least as long as the bit string message (plaintext) This cipher has perfect secrecy. (defined later) 22

23 One-time pad Suppose the key is the bit string K = (k 1, …, k m ) and the plaintext is the bit string (x 1, …, x m ). Then -- e K (x 1,…, x m ) = (x 1 XOR k 1, …, x m XOR k m ) -- d K (y 1,…, y m ) = (y 1 XOR k 1, …, y m XOR k m ) Note that (x XOR k) XOR k = x for all bits x, k. 23

24 Security Computational security Computationally hard to break: requires super-polynomial computations (in the length of the ciphertext) Provable security Security is reduced to a well studied problem though to be hard, e.g. factorization. Unconditional security No bound on computation: cannot be broken even with infinite power/space. Only way to break is by “lucky” guessing. 24

25 Some Probability Theory The random variables X,Y are independent if: Pr[ x,y ] = Pr[ x ]. Pr[ y ], for all x,y in X In general, Pr[ x,y ] = Pr[ x | y ]. Pr[ y ] = Pr[ y | x ]. Pr[ x ], for all x,y in X 25

26 Some Probability Theory Bayes’ Law: Pr[x|y] = Corollary: X,Y are independent random variables ( r.v. ) if and only if Pr[x|y] = Pr[x] for all x,y in X Pr[y] Pr[y|x]. Pr[x] ---------------- for all x,y in X 26

27 Perfect secrecy A cryptosystem has perfect secrecy if : Pr[x|y] = Pr[x], for all x in M and y in C. That is: knowledge of the ciphertext y, offers no advantage to the adversary to determine the plaintext x. (there is no advantage in eavesdropping) 27

28 DES DES is a Feistel cipher. Block length 64 bits (effectively 56) Key length 56 bits Ciphertext length 64 bits 28

29 DES It has a round function g for which: g([L i-1,R i-1 ]),K i ) = (L i,R i ), where L i = R i-1 and R i = L i-1 XOR f (R i-1, K i ). 29

30 DES round encryption 30

31 DES inner function 31

32 DES computation path 32

33 Attacks on DES Brute force Linear Cryptanalysis -- Known plaintext attack Differential cryptanalysis –Chosen plaintext attack –Modify plaintext bits, observe change in ciphertext No dramatic improvement on brute force 33

34 Countering Attacks Large keyspace combats brute force attack Triple DES (say EDE mode, 2 or 3 keys) Use AES 34

35 AES Block length 128 bits. Key lengths 128 (or 192 or 256). The AES is an iterated cipher with Nr=10 (or 12 or 14) In each round we have: Subkey mixing A substitution A permutation 35

36 Modes of operation Four basic modes of operation are available for block ciphers: Electronic codebook mode: ECB Cipher block chaining mode: CBC Cipher feedback mode: CFB Output feedback mode: OFB 36

37 Electronic Codebook mode, ECB Each plaintext x i is encrypted with the same key K: y i = e K (x i ). So, the naïve use of a block cipher. 37

38 ECB (Electronic code Book) x1x1 x2x2 x3x3 x4x4 y4y4 y3y3 y2y2 y1y1 DES 38

39 Cipher Block Chaining, CBC Each cipher block y i-1 is xor -ed with the next plaintext x i : y i = e K (y i-1 XOR x i ) before being encrypted to get the next plaintext y i. The chain is initialized with an initialization vector: y 0 = IV with length, the block size. 39

40 Cipher Block Chaining, CBC x1x1 ++++ IV x2x2 x3x3 x4x4 y4y4 y3y3 y2y2 y1y1 DES 40

41 Cipher and Output feedback modes (CFB & OFB) CFB z 0 = IV and recursively: z i = e K (y i-1 ) and y i = x i XOR z i OFB z 0 = IV and recursively: z i = e K (z i-1 ) and y i = x i XOR z i 41

42 CFB mode IV eKeK eKeK y1y1 + x1x1 eKeK x2x2 y2y2 + 42

43 OFB mode IV eKeK eKeK y1y1 + x1x1 x2x2 y2y2 + 43

44 Public Key Cryptography Alice Bob Alice and Bob want to exchange a private key in public. 44

45 Public Key Cryptography Alice g a mod p Bob g b mod p The private key is: g ab mod p where p is a prime and g is a generator of Z p 45

46 The RSA cryptosystem Let n = pq, where p and q are primes. Let M = C = Z n, and let a,b be such that ed = 1 mod  (n). Define e K (x) = x e mod n and d K (y) = y d mod n, where ( x,y )  Z n. Public key = ( n,e ), Private key ( n,d ). 46

47 Check We have: ed = 1 mod  (n), so ed = 1 + t  (n). Therefore, d K (e K (m)) = (m e ) d = m ed = m t  (n)+1 = (m  (n) ) t m = 1.m = m mod n 47

48 Example p = 101, q = 113, n = 11413.  ( n) = 100x112 = 11200 = 2 6 5 2 7 For encryption use e = 3533. Then d = e -1 mod11200 = 6597. Bob publishes: n = 11413, e = 3533. Suppose Alice wants to encrypt: 9726. She computes 9726 3533 mod 11413 = 5761 To decrypt it Bob computes: 5761 6597 mod 11413 = 9726 48

49 Example: how to find d from e Use the Extended Euclidean Algorithm (EEA). EEA takes as input two positive numbers a,b and outputs three numbers: s,t,d with, d = gcd(a,b) and sa+tb = d. In our case we take a = e, b =  ( n), to get: sa = 1 mod  ( n). So d = s. 49

50 Security of RSA 1.Relation to factoring. Recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible. 2.The RSA problem Given ( n,e ) and c, compute: m such that m e = c mod n 50

51 The Rabin cryptosystem Let n = pq, p,q primes with p,q 3 mod 4. Let P = C = Z n * and define K = {( n,p,q )}. For K = ( n,p,q ) define e K ( x ) = x 2 mod n d K ( y ) = a square root of y mod n The value of n is the public key, while p,q are the private key. One needs the factors p,q of n to find the square root. 51

52 The RSA digital signature scheme Let n = pq, where p and q are primes. Let P = C = Z n, and define e,d such that ed = 1 mod  (n). Define sig K ( m ) = m d mod n and ver K ( m,y ) = true y = m e mod n, where ( m,y )  Z n. Public key = ( n,e ), Private key ( n,d ). 52

53 The Digital Signature Algorithm Let p be a an L-bit prime prime, 512  L  1024 and L  0 mod 64, let q be a 160-bit prime that divides p-1 and Let   Z p * be a q -th root of 1 modulo p. Let M = Z p-1, C = Z q x Z q and K = {( x,y ): y =  x mod p }. The public key is p,q, ,y. The private key is ( p,q,  ), x. 53

54 The Digital Signature scheme Signing Let m  Z p be a message. For public key is p,g, ,y, with y =  x mod p, and secret random number k  Z p-1, define: sig K ( m,k ) = ( s,t ), where – s = (  k mod p) mod q – t = (SHA-1( m )+ xs ) k -1 mod q Verification Let – e 1 = SHA-1( m ) t -1 mod q – e 2 = st -1 mod q ver K ( m,(s,t) ) = true (  e1 y e2 mod p ) mod q = s. 54

55 Cryptographic hash functions Message can be quite long. Therefore, before digitally signing a message it is hashed. A hash function ( unkeyed ) is a mapping h: X  Y, where X is a set of possible messages Y is the set of possible message digests Message digests have fixed length (typically 160 bits, but also 256 or 516) 55

56 Properties of cryptographic hash funct ions One way or preimage resistant : given a hash function h, and a message digest y, the equation y = h(x) cannot be solved efficiently for x. Second preimage resistant : given a hash function h, a message x and the message digest y = h(x), the equation y = h(x) cannot be solved efficiently for a second preimage x’, different from x, with y = h(x’). Collision resistant : one cannot find efficiently a pair of distinct messages x, x’ for which h(x)= h(x’). 56

Download ppt "Part 9, Basic Cryptography 1. Introduction A cryptosystem is a tuple: ( M,K,C, E,D) where M is the set of plaintexts K the set of keys C the set of ciphertexts."

Similar presentations

From Crypto-Theory to Crypto-Practice 1 CHAPTER 14: From Crypto-Theory to Crypto-Practice SHIFT REGISTERS The first practical approach to ONE-TIME PAD.

From Crypto-Theory to Crypto-Practice 1 CHAPTER 14: From Crypto-Theory to Crypto-Practice SHIFT REGISTERS The first practical approach to ONE-TIME PAD.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
7. Asymmetric encryption-

7. Asymmetric encryption-
 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.

 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Classical Cryptography 1. Introduction: Some Simple Cryptosystems.

Classical Cryptography 1. Introduction: Some Simple Cryptosystems.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
EEC 688/788 Secure and Dependable Computing Lecture 4 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 4 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Similar presentations

Ads by Google