Cryptography BITS F463 S.K. Sahay

Transcription

1 Cryptography BITS F463 S.K. Sahay BITS-Pilani, K.K. Birla Goa Campus, Goa

2 S.K. Sahay Cryptography 1 Terminology Cryptography: science of secret writing with the goal of hiding the meaning of a message. Cryptanalysis: art and science to break the cryprtosystem. Encryption: method of transforming data (x) into an unredable format. Plaintext: message/data before encryption. Ciphertext: message/data after encryption. Decryption: method to get back the x from y.

3 S.K. Sahay Cryptography 2 Terminology Cipher/EA: set of rules/procedures that dictates how to ecnrypt/decrypt data. Key: values used in encryption/decryption. Key space: range of possible values used to construct keys. Key clustering: when two different keys generate the same y from the same x. Work factor: estimated time and resources to break a cryptosystem. No system is unbreakable.

4 S.K. Sahay Cryptography 3 Steganography Hides secret message in other message. Security through obscurity. Does not attract attention, while cryptography draw attention. Provide secrecy, while cryptography provides privacy. Can be used where crptography is not allowed. Supplements cryptography.

5 S.K. Sahay Cryptography 4 Key Ideas of Encryption Confusion Diffusion Kerchoff s principles

6 S.K. Sahay Cryptography 5 Historical Ciphers Symmetric ciphers are also referred as symmetric-key, secret-key and single key. Ancient ciphers was exclusively based on symmetric-key. Substitution ciphers: Monalphabetic ciphers Homophonic ciphers Polyalphabetic ciphers Polygram ciphers Running key ciphers Letter frequency attack

7 S.K. Sahay Cryptography 6 Historical Ciphers Transposition ciphers: Simplest: write horizontally and read vertically. key: Letters remain same, order changes. While in substitution letter changes, order remain same. Combined cipher: Two substitution/transposition cipher in sequence. Substitution and transposition are othorgonal. Hence can be combined to produce a new harder cipher.

8 S.K. Sahay Cryptography 7 Breaking an Algorithm Total Break Global Deduction Instance (local) deduction Information Deduction.

9 S.K. Sahay Cryptography 8 Cryptanalysis attack Ciphertext only attack Known plaintext attack Chosen plaintext attack Adaptive chosen plaintext attack Chosen ciphertext attack Chosen key attack Rubber hose cryptanalysis

10 S.K. Sahay Cryptography 9 Unconditional secure Security of cipher Computationally secure Degre of security: how hard to break. Peer-review. Decoding by reverse engg. Data Complexity: Breaking cost Encrypted data cost. Time Complexity: Time require to break Time the data is useful. Storage requirement: Amount of data required to break Amount of available x, y. An algorithm is said to have a security level of n bit if the best known attack requires 2 n steps.

11 S.K. Sahay Cryptography 10 Stream Cipher Synchronous stream cipher (Key-Auto-Key) State cipher Depend on the current state. Encrypted plaintext will be different at every time. Security concern: Identical key stream at both sides; Synchroniziation? k = = x = y Pattern repeatation, neglible security; Random, harder to break it. If x and y known k can be obtained. Deterministic if k not changes; k > x If y 1 and y 2 encrypted with same k.

12 S.K. Sahay Cryptography 11 Stream Cipher Asynchronous stream cipher (Ciphertext-Auto-Key) State depend on previous y. Synchroniztion is automatic. y error = continous x error, until synchronized. Protects against any insertion/deletion. General advantage of stream cipher: Compact and fast [cell phones, embedded devices, RC4 (internet traffic)] Less flops and gates.

13 S.K. Sahay Cryptography 12 Modular Arithmetic A simple way of doing arithmetic in a finite set of integers. In general a r mod n, if n divides a - r, a, r, n Z and m > 0 All modern crypto algos. are based on modular arithmetic. Holds comutative, associative, distributive laws Identities and additive inverse.

14 S.K. Sahay Cryptography 13 Modular Arithmetic: Properties a and b are congruent modula of n, if a mod n = b mod n; a b mod n; b a mod n If a b mod n; b c mod n then a c mod n If (a + c) (b + c) mod n; then b c mod n If (a c) (b c) mod n; then b c mod n If (a ± b) mod n = (a mod n ± b mod n) mod n If (a b) mod n = [(a mod n) (b mod n)] mod n If [a (b ± c)] mod n = [(a b) mod n) ± (a c) mod n)] mod n For efficiency apply modulo reduction (public-key schemes); e.g. 3 8 mod 7 = mod 7

15 S.K. Sahay Cryptography 14 Modular Arithmetic Equivalence class: one can write a = q.m + r a r = q.m a r mod n; a Z n ; 0 r < n Many valid r for a given n and a. A set of Nos. having same remainder (r) are called an equivalence class; e.g mod ; mod 7; 10 4 mod 7... forms a set (...-18,-11,-4, 3, 10, 17,...). In a modulus 7 there are more 6 equivalenc class. There are (n -1) equivalence class for given n and in a given equivalence class all members behave equivalently.

16 S.K. Sahay Cryptography 15 Group and Ring Group is a set of elements together with an operation which combines two elements of group. Group operation is closed, associative and an neutral & inverse element exists. Ring is a set of elements with two operations (+, ), a, b Z n s.t. (a + b) c mod n; (a b) d mod n; c, d Z n Operation is closed, associative, distributive and an neutral & inverse element exists for both the operators.

17 S.K. Sahay Cryptography 16 Modular Arithmetic: Application Shift/Caesar cipher: If x, y, k Z 26, then y = E k (x) (x + k) mod 26 x = D k (y) (y k) mod 26 If k = 10 and plaintext is CRYPTO = x 1, x 2, x 3, x 4, x 5, x 6 = 2, 17, 24, 15, 19, 14 then ciphertext = y 1, y 2, y 3, y 4, y 5, y 6 = 12, 1, 8, 25, 3, 24 = MBIZDY Only 25 possible keys, hence brute force attack is trivial. Also one can apply letter frequency analysis. If arbitrary substitution, then key space is 26!

18 S.K. Sahay Cryptography 17 Modular Arithmetic: Application Affine cipher: If x, y, a, b Z 26, then y = E k (x) (a.x + b) mod 26 x = D k (y) a 1.(y b) mod 26 If (a, b) = (3, 10) and plaintext is CRYPTO = x 1, x 2, x 3, x 4, x 5, x 6 = 2, 17, 24, 15, 19, 14 then ciphertext = y 1, y 2, y 3, y 4, y 5, y 6 = 16, 9, 4, 3, 15, 0 = QJEDPA = 312 possible keys. Larger than caesar cipher but still brute force attack is trivial and letter frequency analysis. Correctness.

19 S.K. Sahay Cryptography 18 Modular Arithmetic: Application Stream Cipher: If x i, y i, s i {0, 1}, then y i = E si (x i ) (x i + s i ) mod 2 x i = D si (y i ) (x i + s i ) mod 2 Encryption and decrytpion are the same function. Simple modulo 2 addition (XOR) XOR gate is invertible and perfectly balanced. If s i is true random, then it is upredictable with 50% chance. Nature of the key stream: s i sequence should appear random, hence stream cipher will not be easy to break by an attacker.

20 S.K. Sahay Cryptography 19 Perfect Stream Cipher Requirement of random number: Uniform distribution and Independence. Random number generator: TRNG, PRNG and CSRNG With a given seed s o, s i+1 = a.s i + b mod n; s i+1 = a.s 2 i + b.s i + c mod n; s i+1 = a.s 3 i + b.s2 i + c.s i + d mod n, Passes the next bit test i.e. there is no polynomial time algo. that on input of the first k bits, can predict the (k + 1) bit with probability greater than 50% DES-OFB, ANSI X9.17 PRNG, Blum-Blum Shub Generator

21 S.K. Sahay Cryptography 20 Perfect Stream Cipher OTP in substitution cipher is an addition modulo 26 and the one time character. e.g. EQNVZ = E k (X... Y) Stream cipher as a perfect cipher or OTP i.e. unconditionally secure, if the key-stream (s i ). is generated from TRNG known to only legtimante parties used only once y o (x o + s o ) mod 2 y 1 (x 1 + s 1 ) mod 2 Attacker will not able to determine x i (0/1) better than 50%, if s i is obtained from TRNG.

22 S.K. Sahay Cryptography 21 Perfect Stream Cipher: Limitation Need of TRNG. Transportation and volume (size) of the key. Key shall not be re-used. True OTP are rarely used, however gave great idea for developing secure ciphers.

23 S.K. Sahay Cryptography 22 Practical Stream Cipher OTP is unconditionally secure, but not practical. Know cipher not unconditionally secure, also don t know the best algorithm for a attack. Design with a complexity no better than an exhaustive key search. Key shall not be re-used.

24 S.K. Sahay Cryptography 23 Practical Stream Cipher: LFSR Flip-Flop Gated D-latch Shift register. Linear Feedback Shift Register. Leftmost bit is XORed with the previous operations. The sequence of s i generated by plain LFSR are cryptographically weak. Combinations of LFSR with proper feedback makes secure stream cipher. e.g. A5/1, Trivium, etc. Degree of LFSR: No. of storage element.

25 S.K. Sahay Cryptography 24 Practical Stream Cipher: LFSR LFSR of degree 3 (011). Repeats after 6th clock, hence period of length is 7. In general, of s i+3 = (s i+1 + s i ) mod 2

26 S.K. Sahay Cryptography 25 Practical Stream Cipher: LFSR Generalize LFSR i.e. of degree m m possible feedbacks; P i = 1/0 taken as closed/open switch. Output sequence depends on feedback coefficients. If initial value is s o, s 1, s 2...s m 1, then in general s i+m = m 1 j=0 s i+j.p j mod 2; s i, P j (0, 1), i = 0, 1, 2...

27 S.K. Sahay Cryptography 26 Practical Stream Cipher: LFSR Linear recurrences, repeats periodically. Length of the s i sequence depends on the feedback coefficient. Let m = 4 and 1. P 3 = 0, P 2 = 0, P 1 = 1, P o = 1; (4, 1, 0) 2. P 3 = 1, P 2 = 1, P 1 = 1, P o = 1; (4, 3, 2, 1, 0) How to obtain maximum length i.e. 2 m 1 Deterministic for a given previous state. Polynomial representation: P(x) = x m + P m 1.x m P 1.x + P o

28 S.K. Sahay Cryptography 27 Practical Stream Cipher: LFSR If polynomial is primitive output sequence will be max. length. A polynomial over GF(2) is irreducible, if it cannot be factored e.g. x 2 + x + 1 is irreducible, but x Security issue: Highly insecure cipher, however an advantage for communication system. Known plain-text attack.