Some Stuff About Crypto
Adrian Frith
Laboratory of Foundational Aspects of Computer Science, Department of Mathematics and Applied Mathematics, University of Cape Town
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 South Africa License.
6 October 2011
Adrian Frith (University of Cape Town) Some Stuff About Crypto 6 October 2011 1 / 31
What is cryptography?
- Literally "hidden writing": hiding information from an adversary.
- The practice and study of techniques for secure communication in the presence of hostile third parties.
- Traditionally about encryption, i.e. confidentiality; now also encompasses authentication and integrity.
A note about names
- Cryptography versus cryptanalysis: making versus breaking.
- The distinction is not very useful.
Some encryption terminology
- The plaintext is the message to be protected.
- Encryption converts the plaintext to a ciphertext, using a key. Decryption is the reverse.
- Encryption algorithm + decryption algorithm = cipher. (Don't say "code"!)
- A cryptosystem consists of a cipher plus keys, procedures, etc.
Substitution ciphers
- Consistently map alphabet to alphabet.
- Caesar cipher: alphabetic shift with rotation. E.g. "attack at dawn", with a shift of 5, becomes "fyyfhp fy ifbs".
- Hebrew atbash: reverse the alphabet.
- Generic substitution cipher: some permutation of the alphabet.
- Vulnerable to frequency analysis: different characters appear with different frequencies. In English: E T A O I N S H R D L U ...
Variations on the theme
- Homophony: map a smaller alphabet into a larger one to disguise letter frequencies.
- Nomenclator: combine a cipher with a codebook.
- State of the art from the 1400s to the 1700s.
- The Great Cipher of France: unbroken for 150 years.
The Babington Plot
The Voynich Manuscript
Polyalphabetic substitution
- Many alphabets: cycle through different mappings from the plaintext alphabet to the ciphertext alphabet.
- "Le chiffre indéchiffrable" - but it wasn't! Broken by Charles Babbage in the 1850s, using repetitions + frequency analysis.
The Vigenère square
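The two attacks the slides mention, as an added example that is not part of the original deck: the Caesar shift from slide 5 with its frequency-analysis recovery, and the Vigenère cipher of slides 9 and 10 broken column by column. Babbage's trick of locating repeated fragments to find the key length is swapped here for the index of coincidence, which does the same job on short texts more robustly; the English letter-frequency table is the standard one, and the sample plaintext is a constructed input (the opening of Pride and Prejudice, lower-cased and stripped of punctuation).

```python
# Added example (not from the slides): Caesar and Vigenère ciphers, and the
# frequency-analysis attacks the slides describe. Key-length recovery uses the
# index of coincidence in place of Babbage's repeated-fragment method.
from string import ascii_lowercase as ALPHA

# Relative letter frequencies of English text, in percent (standard table).
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.8, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.1, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 1.0, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.07,
}

# Constructed sample input (public-domain text, lower-cased, no punctuation).
SAMPLE_PLAINTEXT = (
    "it is a truth universally acknowledged that a single man in possession of "
    "a good fortune must be in want of a wife however little known the feelings "
    "or views of such a man may be on his first entering a neighbourhood this "
    "truth is so well fixed in the minds of the surrounding families that he is "
    "considered the rightful property of some one or other of their daughters "
    "my dear mr bennet said his lady to him one day have you heard that "
    "netherfield park is let at last mr bennet replied that he had not but it "
    "is returned she for mrs long has just been here and she told me all about "
    "it mr bennet made no answer do you not want to know who has taken it cried "
    "his wife impatiently you want to tell me and i have no objection to hearing it"
)

def caesar(text, shift):
    """Shift every letter by `shift` places (mod 26); other characters pass through."""
    return ''.join(ALPHA[(ALPHA.index(ch) + shift) % 26] if ch in ALPHA else ch
                   for ch in text.lower())

def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: letter number i is Caesar-shifted by key[i mod len(key)]."""
    shifts = [ALPHA.index(k) for k in key.lower()]
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHA:
            s = shifts[i % len(shifts)]
            out.append(ALPHA[(ALPHA.index(ch) + (-s if decrypt else s)) % 26])
            i += 1
        else:
            out.append(ch)
    return ''.join(out)

def chi_squared(letters):
    """How far the observed letter counts are from English frequencies (lower is more English)."""
    n = len(letters)
    return sum((letters.count(ch) - ENGLISH_FREQ[ch] * n / 100) ** 2
               / (ENGLISH_FREQ[ch] * n / 100) for ch in ALPHA)

def recover_shift(ciphertext):
    """Frequency analysis of a Caesar cipher: the shift whose decryption looks most English."""
    letters = ''.join(c for c in ciphertext.lower() if c in ALPHA)
    return min(range(26), key=lambda s: chi_squared(caesar(letters, -s)))

def index_of_coincidence(letters):
    """Probability that two letters drawn from `letters` are equal: ~0.066 for English, ~0.038 for random."""
    n = len(letters)
    if n < 2:
        return 0.0
    return sum(letters.count(c) * (letters.count(c) - 1) for c in ALPHA) / (n * (n - 1))

def recover_period(ciphertext, max_period=20, threshold=0.055):
    """Smallest key length whose columns each look like monoalphabetic English."""
    letters = [c for c in ciphertext.lower() if c in ALPHA]
    for p in range(1, max_period + 1):
        avg = sum(index_of_coincidence(letters[i::p]) for i in range(p)) / p
        if avg >= threshold:
            return p
    return None

def break_vigenere(ciphertext):
    """Key length via index of coincidence, then each column is a Caesar cipher."""
    period = recover_period(ciphertext)
    letters = ''.join(c for c in ciphertext.lower() if c in ALPHA)
    return ''.join(ALPHA[recover_shift(letters[i::period])] for i in range(period))
```

The threshold of 0.055 sits between the index of coincidence of English (about 0.066) and that of a mixture of several shifted alphabets (about 0.04), which is why the smallest period clearing it is the key length rather than a multiple of it.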
World War I: the Zimmermann telegram
World War II: Enigma
[figure: Enigma]
Modern cryptography
- Arises out of World War II work; tied closely to the development of the computer.
- Claude Shannon: information theory.
- Cold War: government secrecy.
- DES (1977): the first public crypto standard.
- The problem of key distribution.
Asymmetric encryption
- Diffie-Hellman key exchange (1976): see later.
- Asymmetric cryptosystems: RSA (1978) and others.
- Crypto politics: publication in the open literature.
The structure of modern crypto
- Symmetric ciphers
  - Block ciphers
  - Stream ciphers
- Asymmetric ciphers
- Hash functions
Diffie-Hellman key exchange
The aim: Alice and Bob want to derive a shared secret key by exchanging information over a public channel. (A diversion into modular arithmetic, if necessary.)
1. Alice chooses a prime p and a generator g and sends them to Bob.
2. Alice generates a random natural $x_a$ and Bob generates a random natural $x_b$.
3. Alice calculates $y_a = g^{x_a} \bmod p$ and Bob calculates $y_b = g^{x_b} \bmod p$.
4. Alice sends $y_a$ to Bob and Bob sends $y_b$ to Alice.
5. Alice calculates $y_b^{x_a} \bmod p$ and Bob calculates $y_a^{x_b} \bmod p$.
6. $y_b^{x_a} \equiv g^{x_b x_a} = g^{x_a x_b} \equiv y_a^{x_b} \pmod p$!
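The six steps above written out for both parties, as an added example that is not part of the original deck. The parameters are a constructed toy choice (p = 2^31 - 1, a Mersenne prime, with g = 7, a generator mod p); the `is_valid_public_value` check is the usual receiver-side guard against the trivial values 0, 1 and p - 1, which the slide does not mention.

```python
# Added example (not from the slides): the Diffie-Hellman exchange of slide 16
# with both parties' steps written out, plus the check a receiving side should
# apply to the public value it gets before using it.
import secrets

# Constructed toy parameters for illustration only: p = 2^31 - 1 (a Mersenne
# prime) with g = 7, a generator mod p. Real deployments use a standardised group
# of 2048 bits or more rather than parameters chosen ad hoc by one party.
P = 2 ** 31 - 1
G = 7

def is_valid_public_value(y, p):
    """y in {0, 1, p-1} would force the shared secret into {0, 1, p-1}; reject them."""
    return 1 < y < p - 1

def keypair(p, g, x=None):
    """Steps 2-3: a random private exponent x and the public value y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1          # x in [1, p-2]
    return x, pow(g, x, p)

def shared_secret(their_y, my_x, p):
    """Step 5: the other side's public value raised to our private exponent."""
    if not is_valid_public_value(their_y, p):
        raise ValueError("public value outside the group")
    return pow(their_y, my_x, p)

def run_exchange(p=P, g=G, x_a=None, x_b=None):
    """Whole protocol; returns the two sides' results, which step 6 says are equal."""
    x_a, y_a = keypair(p, g, x_a)                 # Alice
    x_b, y_b = keypair(p, g, x_b)                 # Bob
    # Step 4: only y_a and y_b cross the public channel; x_a and x_b never do.
    return shared_secret(y_b, x_a, p), shared_secret(y_a, x_b, p)

if __name__ == "__main__":
    k_a, k_b = run_exchange()
    print("shared secret agrees:", k_a == k_b)
```

An eavesdropper sees p, g, y_a and y_b and is left with the discrete logarithm problem; note that nothing in these steps tells Alice that y_b really came from Bob, which is why deployed protocols wrap the exchange in authentication.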
RSA encryption
- Rivest, Shamir and Adleman at MIT in 1978.
- Previously discovered by Cocks at GCHQ in 1973.
- One of the earliest; still the most used.
RSA key generation
1. Choose two primes p and q.
2. Compute the modulus n = pq.
3. Compute $\varphi(n) = (p-1)(q-1)$. (Size of the multiplicative group of integers mod n.)
4. Choose e such that $1 < e < \varphi(n)$ and e and $\varphi(n)$ are relatively prime.
5. Calculate $d = e^{-1} \bmod \varphi(n)$. (Extended Euclidean algorithm.)
6. The public key is (n, e) and the private key is (n, d).
RSA encryption and decryption
- Alice publishes her public key (n, e) and secures her private key (n, d).
- To encrypt a message m, Bob calculates $c = m^e \bmod n$.
- To decrypt, Alice calculates $c^d \bmod n$.
- Why does this work? $c^d \equiv m^{ed} \pmod n$. Remember $ed \equiv 1 \pmod{\varphi(n)}$. Euler's theorem says $a^{\varphi(n)} \equiv 1 \pmod n$.
Some computation shortcuts
Square-and-multiply for exponentiation $a^b \bmod n$:
1. Let $b_t b_{t-1} b_{t-2} \ldots b_2 b_1 b_0$ be the binary expansion of b.
2. Let z := 1.
3. Let y := a.
4. For i in 0 to t:
   1. If $b_i = 1$ then let z := zy mod n.
   2. Let y := yy mod n.
5. Return z.
Optimize decryption with the Chinese remainder theorem.
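Slides 18 to 20 carried through in code, as an added example that is not part of the original deck: key generation with the extended Euclidean algorithm, encryption and decryption, the square-and-multiply loop in the exact bit order the slide gives, and CRT decryption recombined with Garner's formula. The primes p = 61, q = 53 and e = 17 are the usual textbook toy values, constructed here for illustration; real keys use large random primes and a padding scheme, never raw RSA on an integer.

```python
# Added example (not from the slides): RSA key generation, encryption and
# decryption as on slides 18-20, with the square-and-multiply loop written
# exactly as the slide orders it and CRT decryption via Garner's formula.
# Toy primes p = 61, q = 53 (constructed for illustration).

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """a^{-1} mod m (slide 18, step 5)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return x % m

def square_and_multiply(a, b, n):
    """a^b mod n, scanning the bits of b from least significant upwards (slide 20)."""
    z, y = 1, a % n
    while b:
        if b & 1:                # b_i = 1: fold the current power into the result
            z = z * y % n
        y = y * y % n            # y becomes a^(2^(i+1)) for the next bit
        b >>= 1
    return z

def keygen(p, q, e=17):
    """Slide 18: returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or egcd(e, phi)[0] != 1:
        raise ValueError("e must lie in (1, phi(n)) and be coprime to phi(n)")
    return (n, e), (n, modinv(e, phi))

def encrypt(public, m):
    n, e = public
    return square_and_multiply(m, e, n)

def decrypt(private, c):
    n, d = private
    return square_and_multiply(c, d, n)

def decrypt_crt(p, q, d, c):
    """Two half-size exponentiations instead of one full-size one; recombine with Garner."""
    dp, dq = d % (p - 1), d % (q - 1)
    q_inv = modinv(q, p)
    m1 = square_and_multiply(c, dp, p)
    m2 = square_and_multiply(c, dq, q)
    h = q_inv * (m1 - m2) % p
    return m2 + h * q

if __name__ == "__main__":
    public, private = keygen(61, 53)
    c = encrypt(public, 65)
    print(public, private, c, decrypt(private, c), decrypt_crt(61, 53, private[1], c))
```

`decrypt_crt` needs p and q, which is why private keys in practice store the factors alongside d: the CRT form is roughly four times faster than a single exponentiation mod n.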
Cryptographic Hash Functions: A Very Brief Summary
Definition: A hash function maps bitstrings of arbitrary length ("messages") to bitstrings of a fixed length n ("hashes").
A cryptographically secure hash function is:
- first-preimage resistant: given an n-bit string, it is infeasible to find a message that hashes to that string;
- second-preimage resistant: given a message, it is infeasible to find a different message with the same hash;
- collision resistant: it is infeasible to find a pair of messages which share a hash.
Iterated Hash Functions, a.k.a. the Merkle-Damgård Construction
Definition: A compression function maps bitstrings of length m to bitstrings of length n, where m > n.
We construct a hash function F from a compression function f as follows:
1. Divide the message M into l blocks of length m - n.
2. Let $h_0$ be some fixed n-bit initialization vector.
3. For i in 1 to l: let $h_i = f(h_{i-1} \| m_i)$.
4. The final hash is $F(M) = h_l$.
Iterated Hash Functions
[figure: the chain $h_0 \to h_1 \to h_2 \to \cdots \to h_{l-2} \to h_{l-1} \to h_l$, each step $h_i = f(h_{i-1} \| m_i)$ consuming block $m_i$]
With some caveats, this is the basis for MD5, SHA-1, SHA-2, etc.
The Long Message Attack
- In hashing a $2^R$-block message, $2^R$ intermediate hash values will be produced: $h_1$ through $h_{2^R}$.
- Find a message block $m'$ that hashes to one of these values, i.e. $f(h_0 \| m') = h_i$ for some i in 1 through $2^R$.
- Then $F(M) = F(m' \| m_{i+1} \| m_{i+2} \| \cdots \| m_{2^R-1} \| m_{2^R})$.
[figure: $m'$ takes $h_0$ directly to $h_i$, which the original message reaches via $m_1 \ldots m_i$; both then continue through $m_{i+1} \ldots$ to $h_{2^R}$]
The Long Message Attack: Finding the Linking Block
- Calculate $h = f(h_0 \| m')$ for a random block $m'$.
- h has $2^n$ possible values: therefore a $2^R / 2^n$ probability that it matches one of the intermediate values.
- A geometric distribution with $p = 2^{R-n}$ says we must test on average $2^{n-R}$ random blocks before finding one that matches.
- Better than brute force ($2^n$).
Merkle-Damgård Strengthening: Avoiding the Long Message Attack
- Simple fix: append a final block to the message, containing a binary representation of the message's length.
- This can be worked around by using an expandable message.
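Slides 22 to 26 at toy scale, as an added example that is not part of the original deck: a Merkle-Damgård hash built from a constructed 16-bit compression function (the first two bytes of SHA-256 of h || m, so n = 16 and blocks are 16 bits), the long-message attack run against a 2^8-block message, and the length block of slide 26 making the forgery hash differently. The linking block is required to land on h_2 or later: matching h_1 would only be a single-block collision of f, producing a forgery of the same length that no length block can distinguish.

```python
# Added example (not from the slides): a toy Merkle-Damgård hash built from a
# 16-bit compression function, the long-message attack of slides 24-25 run
# against it, and the strengthening of slide 26 defeating that attack.
# Constructed compression function: f(h || m) = first two bytes of SHA-256(h || m).
import hashlib
import random

N_BYTES = 2              # n = 16 bits of chaining value
BLOCK = 2                # m - n = 16 bits per message block
IV = b'\x00' * N_BYTES   # h_0

def f(h, m):
    """Toy compression function: 32-bit input -> 16-bit output."""
    return hashlib.sha256(h + m).digest()[:N_BYTES]

def blocks(message):
    """Split a block-aligned message into its 2-byte blocks m_1 ... m_l."""
    assert len(message) % BLOCK == 0, "constructed messages are block-aligned"
    return [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]

def md_hash(message, iv=IV):
    """Plain construction of slide 22: h_i = f(h_{i-1} || m_i); return h_l."""
    h = iv
    for m in blocks(message):
        h = f(h, m)
    return h

def md_hash_strengthened(message):
    """Slide 26: append a block encoding the message length (in blocks) before hashing."""
    length_block = len(blocks(message)).to_bytes(BLOCK, 'big')
    return md_hash(message + length_block)

def intermediate_values(message, iv=IV):
    """h_1 ... h_l, as produced while hashing."""
    h, out = iv, []
    for m in blocks(message):
        h = f(h, m)
        out.append(h)
    return out

def long_message_attack(message, rng):
    """Find m' with f(h_0 || m') = h_i for some i >= 2 and splice it in front of m_{i+1} ...
    Expected cost about 2^n / 2^R trials (slide 25) instead of 2^n."""
    targets = {}
    for i, h in enumerate(intermediate_values(message), start=1):
        if i >= 2:                       # i = 1 would give a same-length forgery
            targets.setdefault(h, i)
    trials = 0
    while True:
        trials += 1
        m_prime = rng.randbytes(BLOCK)   # random candidate linking block
        i = targets.get(f(IV, m_prime))
        if i is not None:
            return m_prime + b''.join(blocks(message)[i:]), trials

def demo(R=8, seed=1):
    """Attack a 2^R-block constructed message; report what plain and strengthened hashing see."""
    rng = random.Random(seed)
    message = rng.randbytes(BLOCK << R)
    forged, trials = long_message_attack(message, rng)
    return {
        'same_plain_hash': md_hash(forged) == md_hash(message),
        'same_strengthened_hash': md_hash_strengthened(forged) == md_hash_strengthened(message),
        'forged_blocks': len(blocks(forged)),
        'trials': trials,
    }

if __name__ == "__main__":
    print(demo())
```

With R = 8 and n = 16 the search needs about 2^8 = 256 candidate blocks rather than 2^16, which is the slide's 2^(n-R) figure; the strengthened hashes differ because the forgery is shorter, so its final length block is not the original's.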
Expandable Messages
Definition: An expandable message is a set of messages of different lengths, all of which have the same hash value when Merkle-Damgård strengthening is not applied.
Definition: An (a, b)-expandable message is an expandable message containing messages of every length from a to b inclusive.
Fixed-Point Expandable Messages
A fixed point is a pair (h, m) such that $f(h \| m) = h$.
To create an expandable message:
1. Generate $2^{n/2}$ random fixed points: $(h_1, m_1)$ through $(h_{2^{n/2}}, m_{2^{n/2}})$.
2. Generate $2^{n/2}$ random blocks: $m'_1$ through $m'_{2^{n/2}}$.
3. Find a match where the hash of one of the random blocks equals the hash value in one of the fixed points: $h_i = f(h_0 \| m'_j)$.
Better than 1/2 probability that such a match exists.
We can create a message of any length l by appending l - 1 copies of $m_i$ after $m'_j$. This is a $(1, \infty)$-expandable message.
Generic Expandable Messages: The Method of Kelsey and Schneier
A method for constructing an $(R, R + 2^R - 1)$-expandable message for any iterated hash function.
Based on a method for creating a 1-block message and a k-block message that hash from the same intermediate value to the same intermediate value:
1. Generate $2^{n/2}$ 1-block messages.
2. Generate $2^{n/2}$ k-block messages.
3. Check for a collision; one will exist with better than 1/2 probability.
To create the expandable message, let i iterate from 1 to R and:
1. Find a 1-block message $m_i$ and a $(2^{i-1} + 1)$-block message $m'_i$ such that $f(h_{i-1} \| m_i) = f(h_{i-1} \| m'_i)$.
2. Let $h_i = f(h_{i-1} \| m_i)$.
continues...
Generic Expandable Messages: Constructing a k-block Message
A k-block message (where $R \le k \le R + 2^R - 1$) can be constructed as follows:
1. Let M be the empty message.
2. Let d = k - R. Then $0 \le d \le 2^R - 1$.
3. Let $s_1 s_2 \ldots s_R$ be the binary representation of d, least significant bit first.
4. Let i iterate from 1 to R: if $s_i = 0$, append $m_i$ to M; if $s_i = 1$, append $m'_i$ to M.
5. Return M.
The final hash value $h_R$ is always the same. This gives us an $(R, R + 2^R - 1)$-expandable message.
Using the Expandable Message
Consider a message M of $2^R + R$ blocks.
1. Create an $(R, R + 2^R - 1)$-expandable message. Let $h_e$ be the hash value shared by all the messages in the expandable message.
2. Use the basic long message attack to find a single block $m_{\mathrm{link}}$ that hashes from $h_e$ to one of the intermediate values $h_{R+1}$ through $h_{2^R + R}$. Call this intermediate value $h_j$.
3. Use the expandable message to create a (j - 1)-block message $m'$ that hashes to $h_e$.
4. Return the message $M' = m' \| m_{\mathrm{link}} \| m_{j+1} \| m_{j+2} \| \cdots \| m_{2^R + R}$.
Bouillaguet and Fouque prove that this is the optimal generic second-preimage attack on a Merkle-Damgård hash function.
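Slides 29 to 31 carried through at toy scale, as an added example that is not part of the original deck: the Kelsey-Schneier pairs (m_i, m'_i), the k-block member selected by the bits of d = k - R, and the full second-preimage construction against a strengthened hash. The compression function is the same constructed toy as before (n = 16, f(h || m) = first two bytes of SHA-256(h || m)); because the forgery has exactly the original's 2^R + R blocks, the length block of slide 26 is identical for both and no longer separates them.

```python
# Added example (not from the slides): the Kelsey-Schneier expandable message of
# slides 29-30 and the second-preimage attack of slide 31, run against a toy
# 16-bit Merkle-Damgård hash *with* strengthening. Constructed compression
# function: f(h || m) = first two bytes of SHA-256(h || m); blocks are 2 bytes.
import hashlib
import random

N_BYTES, BLOCK = 2, 2
IV = b'\x00' * N_BYTES

def f(h, m):
    return hashlib.sha256(h + m).digest()[:N_BYTES]

def md_chain(h, message):
    """Iterate f over the blocks of `message`, starting from chaining value h."""
    for i in range(0, len(message), BLOCK):
        h = f(h, message[i:i + BLOCK])
    return h

def md_hash_strengthened(message):
    """Slide 26: hash the message followed by a block holding its length in blocks."""
    return md_chain(IV, message + (len(message) // BLOCK).to_bytes(BLOCK, 'big'))

def find_pair(h, k, rng, batch=1 << (8 * N_BYTES // 2)):
    """Slide 29: a 1-block and a k-block message taking h to the same value.
    2^(n/2) of each collide with probability > 1/2, so retry until they do."""
    while True:
        short = {md_chain(h, m): m for m in (rng.randbytes(BLOCK) for _ in range(batch))}
        for _ in range(batch):
            long_msg = rng.randbytes(k * BLOCK)
            h_out = md_chain(h, long_msg)
            if h_out in short:
                return short[h_out], long_msg, h_out

def build_expandable(R, rng):
    """(R, R + 2^R - 1)-expandable message: the pairs (m_i, m'_i) and the common hash h_R."""
    h, pairs = IV, []
    for i in range(1, R + 1):
        m_i, m_prime_i, h = find_pair(h, (1 << (i - 1)) + 1, rng)   # m'_i has 2^(i-1)+1 blocks
        pairs.append((m_i, m_prime_i))
    return pairs, h

def expand_to(pairs, k):
    """Slide 30: the k-block member, choosing m_i or m'_i by the bits of d = k - R."""
    R = len(pairs)
    d = k - R
    assert 0 <= d <= (1 << R) - 1, "k outside [R, R + 2^R - 1]"
    out = b''
    for i, (m_i, m_prime_i) in enumerate(pairs):
        out += m_prime_i if (d >> i) & 1 else m_i      # s_{i+1}: bit i of d, LSB first
    return out

def second_preimage(message, R, rng):
    """Slide 31 against the strengthened hash; `message` has 2^R + R blocks."""
    pairs, h_e = build_expandable(R, rng)
    blocks = [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]
    targets, h = {}, IV                                # h_{R+1} .. h_{2^R+R}
    for j, m in enumerate(blocks, start=1):
        h = f(h, m)
        if j >= R + 1:
            targets.setdefault(h, j)
    while True:                                        # long-message step, from h_e
        m_link = rng.randbytes(BLOCK)
        j = targets.get(f(h_e, m_link))
        if j is not None:
            break
    prefix = expand_to(pairs, j - 1)                   # j-1 blocks, hashes to h_e
    return prefix + m_link + b''.join(blocks[j:])

def demo(R=8, seed=7):
    """Returns (forgery differs, same length, same strengthened hash) for a constructed message."""
    rng = random.Random(seed)
    message = rng.randbytes(((1 << R) + R) * BLOCK)
    forged = second_preimage(message, R, rng)
    return (forged != message,
            len(forged) == len(message),
            md_hash_strengthened(forged) == md_hash_strengthened(message))

if __name__ == "__main__":
    print(demo())
```

The cost is dominated by the R collision searches (about 2^(n/2) work each, for the 1-block side) plus the 2^(n-R) linking search, which is the bound the Bouillaguet-Fouque result refers to; designs such as wide-pipe hashes raise n for the chaining value precisely to push 2^(n-R) out of reach.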