COMP 4109 Applied Cryptography

Transcription

1 COMP 4109 Applied Cryptography Cryptosystems (P,C,K,E,D) 1. P is the finite set of possible plaintexts 2. C is a finite set of possible ciphertexts 3. K is the keyspace, a finite set of possible keys 4. For each 1. There exists an encryption rule and; 2. A corresponding decryption rule 5. and 6. Secured Communications Cipher rules previously agreed upon. A and B agree on a random key over a secure channel. A wants to send to B A encrypts each of and computes and the encrypted message is Y is sent over the unsecured channel. B receives Y B applies to each of in order to obtain The encryption function must be 1-to-1 such that: The Shift Cipher Suppose a and b are integers, and m is a positive integer. We write if The phrase is called a congruence where a is congruent to b modulo m. This cipher uses an offset for encrypting a message. It has a small key space due to the size of m value chosen, such as the size of the alphabet that the P is written in. Suppose and where and where. 1 P a g e

2 Abelian Group Suppose the binary operation * is defined for elements of the set G. Then G is a group with respect to * provided: 1. G is closed under *, for each 2. * is commutative such that 3. * is associative such that 4. G has an identity element e. There is an e in G such that 5. G contains inverses. A field has two operations A group has a single operation Substitution Cipher o K =26! * Repetition of values since each letter is merely substituted is the inverse permutation to. Vulnerability: measurement of the frequencies of most occurring characters Example: plaintext=shesellsseashellsbytheseashore Break plaintext into groups of m. shesel lsseas hellsb ythese ashore Arrange each group of six letters according to the permutation ELSEHS SSLASE LBHSEL HEYSTE HEARSO The ciphertext could be decrypted using the inverse function Affine Cipher Uses a shift-rotate or rotate-shift When then the cipher is a simple Shift-Cipher 2 P a g e

3 Example Substitute: Vigenère Cipher This cipher uses different values for the same character, but is exploitable when trying to determine the size of m. A key space of size m is chosen and the plaintext is broken up into chunks of size m and plaintext letters are switched to cipher text., and the size of m can be figured out. However, there are non-unique mappings such that the same character is can be mapped to a different character For a key The same character can be mapped to different values. Example Suppose and the keyword is CIPHER. This has the numerical equivalent Vulnerability Cryptanalysis Kasiski Test 2 Identical segments of plaintext will be encrypted to the same ciphertext whenever their occurrence in plaintext is positions apart such that. Scan the ciphertext to seach for pairs of identical segments of and record the distances between string positions of the 2 segments. Several distances will be obtained that satisfy the GCD between all of them,. There may be instances such that two string may occur as the splits between different m blocks where x may be the end of the last block, and ab the beginning of the new block, mimicking the xab string, but it s really not what you re looking for. 3 P a g e

4 Hill Cipher This cryptosystem uses invertible matrices in order to encrypt and decrypt a message. If, K= the set of all invertible matrices. Let, define, and. Example: Stream Ciphers (P,C,K,L,E,D) Generates a keystream and use it to encrypt a plaintext string according to the encryption rule: where each character of ciphertext is encrypted with a character from the keystream alphabet. 1. L is the keystream alphabet 2. g is the keystream generator that takes K as an input, and generates the infinite string called the keystream alphabet. Example: Let and Let for, and Let m = 4 Depends on a combination of some previous 2 keys. The keystream, z, is independent of plaintext. Synchronous keystreams Asynchronous keystreams depend upon plaintext. 4 P a g e

5 Cryptanalysis Can an attacker determine k between 2 parties? Assume the attacker knows which cryptosystem is being used. Ciphertext Only Attacks Attacker can only see Known Plaintext Attacks posess plaintext and corresponding ciphertext Chosen Plaintext Attacks Attacker has temporary access to encryption machinery, and has the ability to choose and generate. Chosen Ciphertext Attacks Attacker has temporary access to encryption machinery, and can choose and obtain. Consider Affine Ciphers Suppose an attacker has obtained the ciphertext of 57 characters long. Using an english alphabet, plot the frequencies of each letter. The are determined as follows: R=8 D=7 E,H,K = 5 F,S,V = 4 From this data, we hypothesize that R is an encryption of E, and D is an encryption of T since they are the two most commonly used language. Numerically, it is expressed as, and. Cryptanalysis of the Vigenère Cipher For a key, To Find m? Use the Kasiski test to determine the key length, m. An observation is made that two identical segments of plaintext will be encrypted to the same ciphertext, each of length of at least 3, a good chance exists such that they correspond to identical segments of plaintext. 1. Search the ciphertext for pairs of idential segments of at least 3 2. Record the distances between the starting positions of the 2 segments a. Segment distances denoted by b. Assume 3. is a string of n alphabetic characters a. Suppose x is a string of text where the probabilities for each letter are denoted by: We would expect the probability of two random elements of the alphabet are equal is: 5 P a g e

6 Denote the frequencies of occurrences for each letter as. We can choose 2 elements of x in ways, and for each there are ways of choosing both elements to be i. Suppose substrings denoted by has been constructed as ciphertext using the Vigenère Cipher, with m, we can write the ciphertext out in columns: If this matrix is constructed, and m is the keyword length, then each value roughly equal to If m is not the correct keyword length, the substrings of more random and even less meaningful. should be will look Cryptanalysis of the Hill Cipher Succumbs easily to a plaintext attack. Plaintext Attack The attacker knows m pairs of, and also knows that If X is invertible, then they can easily determine K by. If X is not invertible, then the attacker would keep trying until they acquire an invertible matrix, X. Chapter 2 : Shannon s Theory Computational Security: How much computational effor is needed to break the system. Provable Security: A given computational security is secure if a given integer cannot be factored. Unconditional Security: No bounds are required. Elementary Probability Theory Let X be a discrete random variable where the probability that a random variable X takes on the value x is denoted by, or if the random variable is fixed. Joint Probability Conditional Probability Indepenent Random Variables 6 P a g e

7 Bayes Theorem If Perfect Secrecy (P,C,K,E,D) Assume there is a probability distribution on P. Let X be the Random Variable with the above probability distribution Let be chosen with the help of some probability distribution is known We can assume that k and X are independent random variables. For a key, For all, we have: Example ENC a b Perfect Secrecy The attacker can not get any information about the plaintext by observing the ciphertext. Computational Security, has a perfect secrecy if Suppose that 26 keys in the shift cipher are used with equal probability =, then for any plaintext probability distribution, the shift cipher has perfect secrecy. That is, each character is shifted by a random key. 7 P a g e

8 Recall that, and for,, so let s compute the probability distribution on C with then Theroem 2.4 Suppose is Computationally Secure where then perfect secrecy exists if and only if are used with equal probability. Proof:, but from assumption No two distinctly different keys can map a plaintext character to the same ciphertect character. Let and the plaintext, and fix a ciphertext element and set, using Bayes Theorem: One-Time Pad Let, for, define and Each key can only be used once Easy to attack due to the use of XOR New keys need to be generated and communicated over a secure channel. 2.7 Product Ciphers Assume that (endomorphic). Let and A key, will be a pair and, 8 P a g e

9 Prove Multiplicative Cipher Let and let For define: Let M be a multiplicative cipher where, and, Let S be a shift cipher. Key in affine cipher is equivalent to key in. 3.1 Block Ciphers Product block cipher which is iterated, i. Round function Key Schedule Encryption of plaintext will go through rounds denoted by Nr. Key Schedule Keys:, and random key: 6. Round Function: Encryption Decryption 3.3 Substitution-Permutation Networks (SPN) This is a special type of iterated cipher with small changes that include breaking the blocks up into m blocks of l size, where lm is the block length of the cipher. It uses two components, and where s is the substitution function using S-Boxes, and p is a permutation. 9 P a g e

10 Given an lm-bit binary string represented by, where x is the concatenation of m substrings, each l-bits long, denoted as. For : The SPN will go through Nr rounds, and on each iteration will perform m substitutions using followed by a permutation. Before each substitution, the round key bits are used via XOR operation. 7. is the input to the S-Boxes in round r. 8. is the ouput of the S-Boxes in round r. 9. is obtained from by applying 10. is constructed from by XOR ing the roung with the key ; round key mixing 11. In the last round, is not applied, allowing the encryption algorithm to be used for decryption as well. 12. The very last operations in SPN are XOR s with subkeys, a process called whitening. 1. Prevent an attacker from beginning to carry out an encryption or decryption even if the key is not known. Algorithm 3.1: return y; 10 P a g e

11 is defined to be 16 consecutive bits starting at is the first S-Box is the result of is the application of is the application of is the 2 nd round of using an S-Box is the result of after 4 rounds of substitution, permuation and XOR The decryption function is merely the inverse of the encryption function There are always a fixed number of rounds, in the example above, there are 5, The substitution and permutation functions must be invertible S-Boxes must have a fixed size, in this case 4-bits with 4 S-Boxes Linear Cryptanalysis It is possible to find a probabilistic linear relationship between a subset of plaintext bits and a subset of state bits immediately preceding the substitutions performed in the last round. Have a look at all possible keys. 1. Feed a plaintext X into some key and look for a relationship to Y with said key. Suppose are 0-1 Independent Random Variables. Let be real number such that for all i. Suppose that, and the independence of and implies that: And for the XOR conditions: Definition of Bias which is a probability distribution of a random variable which could take on the values of 0 and 1, where the bias of is: Let denote the bias of the random variable Consider an S-Box with an m-tuple S-Box with input which is a random bit string. is a 0-1 random variable with bias 11 P a g e

12 is the ciphertext output o is a random variable that is dependent on! To compute the bias of The Random Variables defined by an S-Box If we analyze the random variable: Bias: We can compute the bias for all possible combinations of s and y s. There are a total of 256 possible random variables of this form. In compact form, this can be written as: Where,, and we treat each of the binary vectors and as a hexadecimal digit for input and output. Have a look at the individual S-Boxes 1. Random Variable has a bias 2. - Random Variable has a bias 3. - Random Variable has a bias 4. - Random Variable has a bias Assuming that are independent random variables, then the bias of input bits(x), output bits(y) and key bits.. We need to express the XOR of in terms of Computing the XOR of the above on the right sides, we see that some V s cancel out: Input bits, Intermediate bits, 12 P a g e

13 It is best to think about the key bits as fixed, and we want to figure out the values : 1. and 2. There are possibilities for these bit sequences We construct plaintext-ciphertext pairs, and for each pair obtain the value for and, then compute the value, and maintain counters indexed by the possible 256 bit sequences (keys). At the end of the counting process, we expect that most counters will have a value close to, but the entry with the correct subkey should have a value that converges upon. If the bias is, you will need about pairs. Data Encryption Standard (DES) Uses a Feistel Cipher Each stage is divided into halves 1. Round function: 16 rounds of Feistel Cipher with block length of 64 bits Keys are 56-bits long 64 bits includes parity bits. Cipher text y will be 64-bits long, Prior to beginning the 16 rounds, an initial permutation is applied to the plaintext: After the 16 rounds of encryption, an inverse permutation is applied to the bitstring, yielding the cipher text y: Each and are 32 bits in length, so the function bit strings that are chosen from K,. consists of substitution (s-boxes) followed by a permutation. is implemented as follows: A is expanded to a 48-bit string by an expansion function. E(A) consists of a permutation of 32 bits of A and some bits are repeated. Evaluate which is 48 bits 8 S-Boxes are used, each box maps 6 bits to 4 bits Compute for j=1,,8 Let which is a 32-bit string Permute 32 bits of C with a permutation P. Choose a 56-bit key and determine 13 P a g e

14 An example of a DES S-Box: Each S-box is a matrix, rows numbered 0,1,2,3 and columns 0,,15. Given works as the stored reference location in the S-Box determine the row number determine the column number And note that: Fermat s Little Theorem For any integer a, will be evenly divisible by p: If p is prime, and a is an integer coprime to p, then will be evenly divisible by p: 4. Hash Functions Message = x, hash of message = h(x)=y, which is known. 1. If a user receives x and computes f(x) AND f(x) = h(x) then the message has data integrity 2. Otherwise the message has been changed since h(x) was computed 3. Collisions may also occur Keyed Hash Functions Message authentication Hash Family(x,y,K,H) Alice and Bob know K x - plaintext Alice sends a pair y - ciphertext is hash function k on x. K keyspace, An unkeyed hash function has only 1 key such that Let h be an unkeyed hash function. A hash function is desirable if it is difficult to solve. There are 3 ways that must be made difficult in order to make such a hash function desirable: is known and is known. Given a message digest y, can x be determined such that is known and is known Given a message x, if such that and is known Find such that 14 P a g e

15 If ; how many possible functions from X to Y? Consider an ideal hash function then the only way to determine for x is to evaluate an ideal function from the set of all possible functions from x to y. Let be chosen randomly. Let and the value of h is known for each element of. Then Find-Preimage(h, y, Q) Find-Preimage2(h, x, Q) Choose any for each do choose if for each do return(x) if return(fail); return( return(fail); Proof: Let y be fixed, and Let, and all s are all independent events: To find Collision Find-Collision(h,Q) Example Choose Say 80-bit keys are used then for each do Using a birthday attack, if for some return ; else return(fail); end for Proof Let where, and Let be the event that: By Induction the probability of finding no collisions: 15 P a g e

16 With the above estimate, the probability of finding no collisions is approximately: The probability of finding at least one collision: But if we want this probability to exceed then Consider a 40-bit digest, then y is expressed as 40 bits as well. For, choosing a subset of x of sufficent size should warrant a collision to. In this mentioned case,. To ensure that you get a collision, it s best to user a very large subset of about 128 bits, 256 bits, or eve 512 bits. This increases your chances of obtaining a collision. When designing a good hash function, it is important to make it very difficult to find a collision between different hash functions. 4.3 Iterated Hash Functions These are used on very long strings that could be of infinite length, which are broken up into blocks using a compression function. Suppose a long finite string exists with a function to break it up into blocks: Preprocessing Given an input string x where, construct a string where for. Processing Let IV be the initiation vector of length m. Postprocessing Output: 16 P a g e

17 Merkle-Dangard Construction A particular method of constructing a hash function from a compression function. Collision resistance due to compression function being collision resistant. Compress: Iterated hash function: Claim: If compress: is collision resistant then constructed by the the Merkle- Damgard construction is collision resistant. Proof: Suppose we can find in polynomial time. where Let x and be padded with d and 0 s. Let g values be computed by the algorithm as: Case 1: If and we have: since, but their compression values are the same. 4.4 Message Authentication Codes (MACs) Keyed Hash Functions Placement of a key in the initialization vector is insufficient (IV key) An attacker can request up to Q valid MAC s for well-known messages o Attacker can generate pairs of such that because the attacker knows which creates an authentication problem. The attacker can generate a message without knowing the actual key! is a forgery 17 P a g e

18 Cipher Block Chaining CBC-MAC(x,k) On a very long string, encrypt each block from the output of the previous block IV = 0; and return when complete. Birthday Collision Attack The attacker can request MACs for a large # of messages. Let,, Choose q distinct bit strings of length t: Choose q random bit strings of length t: o Define 1. The attacker requests MAC s for each 2. Due to birthday problem, 3. Define for The attacker can compute the MAC of w without knowledge of key k. key. The request. without RSA 1., where p and q are primes: 2. and 3. Bob-Public =, Bob-Private = are private keys of Bob. 1. Bob selects 2 distinct large prime numbers p and q. Computes and. 2. Bob selects an odd integer b that will be his private key such that. 3. Bob publishes the public key, where. 4. Alice wants to send the message to Bob. using Bob s public key. 5. When bob receives y, he applies using his private key a. Example 1. p = 23, q = 41, n = 943, Public:, a= Alice sends 5. Bob computes mod 943=35. Prove that. 18 P a g e

19 Requirements: Easy to generate p,q,a,b Easy to generate ciphertext Easy to decrypt Computationally infeasible to decrypt without knowing a Proof of correctness: 1. If ; Fermat 2. If ; Euler 3. Let p,q be 2 numbers where If To prove then Note that ; If If : x is a multiple of p. In both cases, Proof of if and p is prime then Let. Multiply them all by a and take mod p =. No two values in Modular Exponentiation n = pq where p and q are large primes of 1024 bits each. The number of primes. The probability that p is prime is:. If 1024 odd numbers with generator numbers with greater values of c, we get a greater chance of finding a large prime. Let n be a number, is n prime? If n is not prime then and If its factors are 512 bits long then or q We can find if n is prime by exploring numbers using the Miller-Rabin Method. Let be an odd number then is even, or or for. Let 19 P a g e

20 . If p s prime and then and since. Let p be a prime number greater than 2. is odd. Let then either: Miller-Rabin Test 1. Find where 2. Select a random number. 3. If then return n may be prime. 4. For to do If return n is prime; Else return n is composite; Given an odd number n, what is the probability that a randomly chosen returns inconclusive provided that the number is composite is. test RSA: Why factoring is hard? Is factoring hard? How fast can factoring work? Sieve of Erastothenes: Iteratively divide by prime numbers from lower order By testing numbers up to 2048 bits, we can deduce factors of n. Pollard-P Heuristic While TRUE do Example n = 1387 i = i+1; = d = if and print(d); if i = k y = k = 2k; This loop does not stop, and runs forever. We only need to maintain, k, so the memory requirement is very low. When, then i is some power of 2. If d is printed, it is a nontrivial factor of n. This algorithm does not go through all possible values of because there exists a cycle that it will loop through. If n is composite, this procedure typically finds its factors. 20 P a g e

21 We can mathematically describe how long it takes before a cycle is observed by focusing on the line in the algorithm which produces random numbers in the range When, The value is from the birthday attack, and it will takes us steps to discover the cycle. Let p be an non-trivial factor of n where steps. Continuing Example:. Due to the birthday attack, we will get a collision in Let p be a non-trivial factor of n,,,, Let be the sequence corresponding to n. Let be the sequence such that We have that, and remember that, so we have that We know that there is a collision in values in steps. Since then there exists a collision in steps, or a cycle appears after that many steps. Complexity : Standard Sieve Method: Pollard-P: where number of bits needed to represent n. In the large cycle of n, there exists a cycle within the factorizations in n that can be solved in the number of steps in complexity above. Discrete Log 1: If then. If, then satisfies (1) What is the least positive integer m for which (1) holds. This value of m is called order of a, or the value to the power of a is equal to 1. It is the length of period generated by a,. is the least value of m, and m exists such that. Example 21 P a g e

22 After we know the exponentiation finally equals 1, we will see that the numbers will continue to cycle from this point on. The length of these sequences always divide which has elements. Important ones are whose length is,. These values for a are called primitive roots. Any of these values can generate the whole set. Not all n s have primitive roots. Where a is a primitive root of p., where, so for what value of i which will satisfy the condition. The i value is called the discreet log problem. The discreet log problem: Given b, a, p, finding i is hard. Example: finding b is easy. ; p = 19. But given a, i, p then Diffie Helman key exchange algorithm: Public elements: Remember that given, finding the exponent is difficult. Alice: Selects a random positive integer, and computes where is private and is public. Bob selects a random integer and computes where is private and Alice computes the key. Bob computes the key. Claim : Example q = 353 Alice chooses, computes Missed example, see textbook Susceptible to man-in-the-middle attack. 1. Oscar generates two random private keys 2. Alice transmits to Bob 3. Oscar intercepts, and transmits to Bob. 22 P a g e

23 4. Bob receives computes. 5. Bob transmits to Alice 6. Oscar intercepts and computes. 7. Oscar transmits to Alice. 8. Alice receives and computes Bob and Alice are not aware that they have been duped by Oscar who has tricked them into sharing a secret key, but Oscar has shared two different keys. One with Alice ( and another with Bob. ElGammal 1984 Public Elements Alice: Selects a random integer and computes where is private. Bob: encrypts a message M as follows:, otherwise chop into those sized blocks. Bob chooses a random digit k,. Computes one time key, and encrypts M as a pair where: Alice recovers M as follows: Key K is recovered by computing: computing: and the message M is recovered by If you know the inverse of K, you can recover the message. Example Elliptic Curve Encryption Abelian Groups o Associative o o o Inverse exsits o 23 P a g e

24 Consider a cubic equation Plot which is symmetric about the x-axis. Let and add a point at. Fix parameters. We will define a group on elements of The group operator is denoted as a +. We need to make sure that the point is on the curve. The operator is defined as follows: Point at is the identity For a point its negative is the image below the x-axis, which is the negation of the y coordinate. Application of the + operator of two point are defined as follows: If then where R is the point where the line through P and Q intersects. If P is a tangent to this line then R=P, and if Q is tangent to this line, then R=Q. The line intersects one of the points, and is tangent to the other, if. If then. Algebraically, we need to compute the slope of the line passing through P and Q, Let s say that R is the intersection of the line through P,Q with the curve. Defined elliptic curve Defined the element of infinity We need to show that is on the curve using the elliptic curve equation. It can be shown that points on with the + operator form an abelian group. We will restrict ourselves to mod p or in in software or hardware respectively. Example With we get, so. Rules for the + are still the same: P a g e

25 3. If One can show that points in with + forms an abelian group. Similarily, it also holds for. Multiplication is Hard, unlike in the discrete log problem before. Let where k is some constant. Multiplication is repeated addition. It is easy given k,p to compute Q. The hard part is given Q,P We need to find Hard Problem: Easy Problem: Example Assume,, which are both points on the curve. Given P, Q, determine k where : Key Exchange 1. Choose parameters P, a, b and define. 2. Pick a point such that the smallest value of n satisfies, which is very large. 3. Alice selects where is Alice s private key. where is public. 4. Bob selects where is Bob s private key. where is public. 5. Alice Generates key 6. Bob Generates key Claim: : - the key is an x-coordinate of. 25 P a g e

26 Example How Encryption/Decryption is done in Elliptic Curve Cryptography 1. Encode the plain text message, m to be sent as a point on. 2. Choose such that and is large (n is order of G). 3. Each user A chooses a private key and generates which is public. Suppose Alice wants to send a message m to Bob, Alice chooses a random integer k and computes where is the public key of Bob, and m is the message. On receiving C, Bob needs to figure out m. Bob uses his private key and multiplies where is the 1 st parameter and subtracts this value from the 2 nd are all points on the elliptic curve. It is equal to m since. Alice has included a clue, the 1 st coordinate, so that anybody who knows can find out m. Example Alice wants to send, so Alice chooses. The public key of Bob is. Alice s cipher text: How to compute In general, SBR is in non-adjacent format (NAF) if no two consecutive values are non-zeros. Example. If we look at the binary representation of an arbitrary number, the number of 0 s should be equal to the number of 1 s, but in SBR-NAT, the number of 0 s is 66%. Signed Binary Representation: Non-Adjacent Form: no two consecutive bits are non-zero. Compute cp, assume that c is in SBR-NAF Q = 0; for i = (l-1) down to 0: Q = 2Q; If If Return Q; 26 P a g e

27 The standard efficiency is due to the doubling, the efficiency of SBR-NAF is due to the fact that 66% of the bits are zeros. Digital Signatures Message authentication used to verify that a message was sent from a particular entity. Bit pattern that is dependent on the message o Prevents impersonation Uses information from the sender Easy to compute the signature Easy to verify Computationally infeasible to tamper with. Should be short El-Gammal Dss Alice: generates public/private keys as follows: Random. Private Key:, public key: To sign a message M, Alice does the following:, where H is the hash function Choose a random integer k where, and the. Compute. Compute as well using the Extended Euclidean Algorithm. Compute Signature Any user Bob, can verify the signature by computing: Signature is valid if. Public Elements p : a prime number, l-bits long, and a multiple of P a g e

28 where h is any integer in. The global public elements. For a user, the private key is x where. The public key of this user. For each message, the user chooses a random key k, where, Signing:,, and the signature becomes. Verification: Suppose verifier received Verifier Computes: Test: Is? If yes, then the signature is verified. 28 P a g e