Channel Coding and Cryptography Part II: Introduction to Cryptography Prof. Dr.-Ing. habil. Andreas Ahrens Communications Signal Processing Group, University of Technology, Business and Design Email: andreas.ahrens@hs-wismar.de Andreas Ahrens 113

Further Reading and Information
Menezes, A.; van Oorschot, P.; Vanstone, S.: Handbook of Applied Cryptography. London, New York: CRC Press, 1996.
Tilborg, H. v.: Encyclopedia of Cryptography and Security. Berlin: Springer, 2005.
Paar, C.; Pelzl, J.: Understanding Cryptography, A Textbook for Students and Practitioners. Heidelberg: Springer, 2010.

Classification of the Field of Cryptology (1)
[Figure: Cryptography divides into Symmetric Ciphers (Block Ciphers and Stream Ciphers) and Asymmetric Ciphers.]
The majority of today's protocols are hybrid schemes, i.e., they use both symmetric ciphers (e.g., for encryption and message authentication) and asymmetric ciphers (e.g., for key exchange and digital signature).

Classification of the Field of Cryptology (2)
Symmetric Algorithms: two parties have an encryption and decryption method for which they share a secret key.
Asymmetric (or Public-Key) Algorithms: consist of a secret key (as in symmetric cryptography) as well as a public key.
Hybrid Schemes: use both symmetric ciphers (e.g., for encryption and message authentication) and asymmetric ciphers (e.g., for key exchange and digital signature).

Symmetric Cryptography
Alternative names: private-key, single-key or secret-key cryptography.
[Figure: Alice (good) sends x to Bob (good) over an unsecure channel (e.g. Internet); Oscar (bad guy) has access to the channel and reads x.]
Problem Statement:
1) Alice and Bob would like to communicate via an unsecure channel (e.g., WLAN or Internet).
2) A malicious third party Oscar (the bad guy) has channel access but should not be able to understand the communication.

Symmetric Cryptography (to be cont.)
Solution: Encryption with a symmetric cipher. Oscar obtains only the ciphertext y, which looks like random bits.
Syntax: x is the plaintext, y is the ciphertext, K is called the key.
[Figure: Alice (good) encrypts x with e( ) under the key K and sends y over the unsecure channel (e.g. Internet); Bob (good) decrypts y with d( ) under the same key K and recovers x; Oscar (bad guy) sees only y. A key generator delivers K to Alice and Bob over a secure channel.]

Symmetric Cryptography (to be cont.)
Encryption equation: $y = e_K(x)$
Decryption equation: $x = d_K(y)$
Encryption and decryption are inverse operations if the same key K is used on both sides: $d_K(y) = d_K(e_K(x)) = x$
The key must be transmitted via a secure channel between Alice and Bob. The secure channel can be realized, e.g., by manually installing the key for the Wi-Fi Protected Access (WPA) protocol.
However, the system is only secure if an attacker does not learn the key K! The problem of secure communication is reduced to secure transmission and storage of the key K.

Substitution Cipher (1)
Historical cipher.
Idea: replace each plaintext letter by a fixed other letter.
Plaintext -> Ciphertext
A -> K
B -> D
C -> W
Example: ABBA would be encrypted as KDDK.
How secure is the Substitution Cipher? Let's have a look at how often the letters appear in the alphabet (Letter Frequency Analysis).

Substitution Cipher (2)
Letter Frequency Analysis:
Letters have very different frequencies in the English language.
The frequency of plaintext letters is preserved in the ciphertext.
For example: e is the most common letter in English; almost 13% of all letters in a typical English text are e.
In practice: not only frequencies of individual letters can be used for an attack, but also the frequency of letter pairs (e.g., th is very common in English).

Cryptanalysis
Attacks against cryptographic systems: bribing, blackmailing etc. can be used to obtain a secret key.
Kerckhoffs' Principle is paramount in modern cryptography: A cryptosystem should be secure even if the attacker (Oscar) knows all details about the system, with the exception of the secret key.
The system should be secure when the attacker knows the encryption and decryption algorithms.

Short Introduction to Modular Arithmetic
Why do we need to study modular arithmetic?
Important for asymmetric cryptography (RSA, elliptic curves, etc.).
Most cryptosystems are based on sets of numbers that are
- discrete (sets with integers are particularly useful)
- finite (i.e., we only compute with finitely many numbers)
It is crucial to have an operation which keeps the numbers within limits, i.e., after addition and multiplication they should never leave the set.
Let's have a look!

Short Introduction to Modular Arithmetic (to be cont.)
Modulo Operation
Let a, r, m be integers and m > 0. We write $a \equiv r \bmod m$ if (r-a) is divisible by m, or if m divides a-r.
m is called the modulus and r is called the remainder.
It is always possible to write $a = q \cdot m + r$ for $0 \le r < m$ with the quotient q and the remainder r.
Examples:
Let a = 11 and m = 9: $11 \equiv 2 \bmod 9$ ($11 = 1 \cdot 9 + 2$)
Let a = 19 and m = 9: $19 \equiv 1 \bmod 9$ ($19 = 2 \cdot 9 + 1$)

Short Introduction to Modular Arithmetic (to be cont.)
How do we perform modular division?
First, note that rather than performing a division, we prefer to multiply by the inverse. The inverse $a^{-1}$ of a number a is defined such that: $a \cdot a^{-1} \equiv 1 \bmod m$
The inverse of 7 mod 9 is 4 since $7 \times 4 \equiv 28 \equiv 1 \bmod 9$.
How is the inverse computed?
The multiplicative inverse of a number a mod m exists if and only if: gcd(a, m) = 1 (gcd, greatest common divisor)
(note that in the example above gcd(7, 9) = 1, so that the inverse of 7 exists modulo 9)

Short Introduction to Modular Arithmetic (to be cont.)
Modular Arithmetic
There is the neutral element 0 with respect to addition, i.e., for all a: $a + 0 \equiv a \bmod m$
For all a, there is always an additive inverse element -a such that $a + (-a) \equiv 0 \bmod m$
There is the neutral element 1 with respect to multiplication, i.e., for all a: $a \times 1 \equiv a \bmod m$
The multiplicative inverse $a^{-1}$ is defined such that $a \times a^{-1} \equiv 1 \bmod m$

Shift Cipher
Replaces each plaintext letter by another one.
Replacement rule: take the letter that follows after k positions in the alphabet.
Needs a mapping from letters to numbers:
A  B  C  D  E  F  G  H  I  J  K  L  M
0  1  2  3  4  5  6  7  8  9  10 11 12
N  O  P  Q  R  S  T  U  V  W  X  Y  Z
13 14 15 16 17 18 19 20 21 22 23 24 25
Example for k = 7:
Plaintext = ATTACK = 0, 19, 19, 0, 2, 10
Ciphertext = HAAHJR = 7, 0, 0, 7, 9, 17
Note that the letters wrap around at the end of the alphabet, which can mathematically be expressed as reduction modulo 26, e.g., $19 + 7 = 26 \equiv 0 \bmod 26$

Shift Cipher (to be cont.)
Mathematical description of the cipher
Let $k, x, y \in \{0, 1, \dots, 25\}$
Encryption: $y = e_k(x) \equiv x + k \bmod 26$
Decryption: $x = d_k(y) \equiv y - k \bmod 26$
How secure is the shift cipher?
- Exhaustive key search (the key space has only 26 keys!)
- Letter frequency analysis, similar to the attack against the substitution cipher

Affine Cipher
Extension of the shift cipher: rather than just adding the key to the plaintext, we also multiply by the key.
Key consists of two parts: k = (a, b)
Let $k, x, y \in \{0, 1, \dots, 25\}$
Encryption: $y = e_k(x) \equiv a \cdot x + b \bmod 26$
Decryption: $x = d_k(y) \equiv a^{-1} \cdot (y - b) \bmod 26$
Since the inverse of a is needed for decryption, we can only use values of a for which gcd(a, 26) = 1. There are 12 values for a that fulfill this condition: $a \in \{1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25\}$
Again, several attacks are possible, including exhaustive key search and letter frequency analysis, similar to the attack against the substitution cipher.

Affine Cipher (to be cont.)
Example: Let the key be k = (a, b) = (9, 13)
Plaintext = ATTACK = 0, 19, 19, 0, 2, 10
Ciphertext = NCCNFZ = 13, 2, 2, 13, 5, 25
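
The affine cipher, the modular inverse and the exhaustive key search from the slides above, as an added Python example that is not part of the original lecture material. The function names and the known-word check in `exhaustive_search` are assumptions made for illustration; input is assumed to be upper-case A-Z only. The shift cipher is the special case a = 1.

```python
from math import gcd

M = 26  # alphabet size; A=0 ... Z=25 as in the slides

def mod_inverse(a, m):
    """Multiplicative inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:  # gcd(a, m) != 1, so no inverse exists
        raise ValueError(f"{a} has no inverse modulo {m}")
    return t0 % m

def affine_encrypt(text, a, b):
    """y = a*x + b mod 26 for every letter (text: upper-case A-Z only)."""
    if gcd(a, M) != 1:
        raise ValueError("a must satisfy gcd(a, 26) = 1")
    return "".join(chr((a * (ord(c) - 65) + b) % M + 65) for c in text)

def affine_decrypt(text, a, b):
    """x = a^-1 * (y - b) mod 26 for every letter."""
    a_inv = mod_inverse(a, M)
    return "".join(chr(a_inv * (ord(c) - 65 - b) % M + 65) for c in text)

def key_space():
    """Every valid affine key (a, b): 12 choices for a times 26 for b."""
    return [(a, b) for a in range(M) if gcd(a, M) == 1 for b in range(M)]

def exhaustive_search(ciphertext, known_word):
    """Try every key; keep those whose decryption contains known_word."""
    return [k for k in key_space()
            if known_word in affine_decrypt(ciphertext, *k)]
```

The whole key space is small enough to enumerate instantly, which is why neither cipher offers any protection.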

Short Introduction to Modular Arithmetic (to be cont.)
Modular Reduction
Example: We want to compute $3^7 \bmod 7$ (note that exponentiation is extremely important in public-key cryptography).
1. Approach: Exponentiation followed by modular reduction
Example: $3^7 = 2187 \equiv 3 \bmod 7$
The intermediate result is 2187 even though we know that the final result can't be larger than 6.

Short Introduction to Modular Arithmetic (to be cont.)
2. Approach: Exponentiation with intermediate modular reduction
Example: $3^7 = 3^3 \cdot 3^4 = 27 \times 81$
At this point we reduce the intermediate results 27 modulo 7 and 81 modulo 7:
$3^7 = 3^3 \cdot 3^4 = 27 \times 81 \equiv 6 \times 4 \bmod 7$
$6 \times 4 = 24 \equiv 3 \bmod 7$
We can perform all these multiplications without a pocket calculator, whereas mentally computing $3^7 = 2187$ is a bit challenging for most of us.
For most algorithms it is advantageous to reduce intermediate results as soon as possible.

RSA Cryptosystem
Martin Hellman and Whitfield Diffie published their landmark public-key paper in 1976.
Asymmetric RSA cryptosystem (Ronald Rivest, Adi Shamir and Leonard Adleman, 1977).
Up to now, RSA is the most widely used asymmetric cryptosystem.
RSA is mainly used for two applications:
- Transport of (i.e., symmetric) keys
- Digital signatures

RSA Cryptosystem (to be cont.)
RSA operations are done over the integer ring $\mathbb{Z}_n$ (i.e., arithmetic modulo n), where $n = p \cdot q$, with p, q being large primes.
Encryption and decryption are simply exponentiations in the ring.
Encryption and Decryption
Given the public key $k_{pub} = (n, e)$ and the private key $k_{pr} = d$ we write ($x, y \in \mathbb{Z}_n$):
$y = e_{k_{pub}}(x) \equiv x^e \bmod n$
$x = d_{k_{pr}}(y) \equiv y^d \bmod n$
We call $e_{k_{pub}}()$ the encryption and $d_{k_{pr}}()$ the decryption operation.
In practice x, y, n and d are very long integer numbers (≥ 1024 bits).
The security of the scheme relies on the fact that it is hard to derive the private exponent d given the public key (n, e).

RSA Cryptosystem (to be cont.)
Key Generation
Like all asymmetric schemes, RSA has a set-up phase during which the private and public keys are computed.
Algorithm: RSA Key Generation
Output: public key $k_{pub} = (n, e)$ and private key $k_{pr} = d$
1. Choose two large primes p, q
2. Compute $n = p \cdot q$
3. Compute $\Phi(n) = (p-1) \cdot (q-1)$
4. Select the public exponent $e \in \{1, 2, \dots, \Phi(n)-1\}$ such that $\gcd(e, \Phi(n)) = 1$
5. Compute the private key d such that $d \cdot e \equiv 1 \bmod \Phi(n)$
6. Result: public key $k_{pub} = (n, e)$ and private key $k_{pr} = d$
Remarks:
- Choosing two large, distinct primes p, q (in Step 1) is non-trivial.
- $\gcd(e, \Phi(n)) = 1$ ensures that e has an inverse and, thus, that there is always a private key d.

RSA Cryptosystem (to be cont.)
Example
Alice: Message x = 4
Bob:
1. Choose p = 3 and q = 11
2. Compute $n = p \cdot q = 33$
3. $\Phi(n) = (3-1) \cdot (11-1) = 20$
4. Choose e = 3
5. $d \equiv e^{-1} \equiv 7 \bmod 20$
Bob -> Alice: $k_{pub} = (n, e) = (33, 3)$
Alice: $y = x^e \equiv 4^3 \equiv 31 \bmod 33$
Alice -> Bob: y = 31
Bob: $y^d = 31^7 \equiv 4 = x \bmod 33$
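
RSA key generation, encryption and decryption as on the slides above, combined with the "reduce intermediate results as soon as possible" rule from the modular-reduction slides, as an added Python example that is not part of the original lecture material. The function names and the optional `trace` list are assumptions for illustration; p and q are assumed to be prime, and this is textbook RSA with toy parameters and no padding.

```python
from math import gcd

def modexp(base, exponent, modulus, trace=None):
    """Square-and-multiply with a reduction after every multiplication.

    If `trace` is a list, every unreduced intermediate product is appended
    to it, so the caller can see how large the numbers actually get.
    """
    result, base = 1, base % modulus
    while exponent:
        if exponent & 1:                      # current exponent bit is 1
            product = result * base
            result = product % modulus
            if trace is not None:
                trace.append(product)
        exponent >>= 1
        if exponent:                          # square for the next bit
            square = base * base
            base = square % modulus
            if trace is not None:
                trace.append(square)
    return result

def rsa_keygen(p, q, e):
    """Steps 2-6 of the key generation above; p, q are assumed prime."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 0 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must lie in {1, ..., phi-1} with gcd(e, phi) = 1")
    d = pow(e, -1, phi)                       # d * e = 1 mod phi (Python 3.8+)
    return (n, e), d

def rsa_encrypt(x, k_pub):
    n, e = k_pub
    if not 0 <= x < n:
        raise ValueError("plaintext must be an element of Z_n")
    return modexp(x, e, n)

def rsa_decrypt(y, n, d):
    return modexp(y, d, n)
```

With a modulus m, no intermediate product passed to `trace` can exceed (m-1)^2, whereas exponentiating first produces a number that grows with the exponent.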