Chapter Content
Foundations: history, vocabulary, transpositions, substitutions
Basic ciphers: simple substitution, Vigenere, Vernam
Modern settings: digital communications, Kerckhoffs principles
⋆ The Shannon Theory of secrecy: entropy, encryption model, perfect secrecy
SV 2007 Basic Crypto EPFL-SSC 4 / 528
1 Chapter 1: Prehistory of Cryptography
Content
Part 1
1. Prehistory of cryptography
2. Conventional cryptography
3. Dedicated conventional cryptographic primitives
4. Conventional security analysis (adv)
5. Security protocols with conventional cryptography
Part 2
6. Algorithmic algebra
7. Algorithmic number theory
8. Elements of complexity theory (adv)
9. Public key cryptography
10. Digital signatures
11. Cryptographic protocols (adv)
12. From cryptography to communication security
Cryptography and Security: Basic Cryptography
Serge Vaudenay
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
http://lasecwww.epfl.ch/
Key Words — iii
Cleartext
information encoded by using a public code
Plaintext ≠ cleartext!
input of an encryption algorithm
Ciphertext, cryptogram
information encoded by a cryptographic system
Encryption, encipherment, decryption, decipherment
action to transform a plaintext into a ciphertext or the opposite
Key Words — ii
Cryptography
(originally) the science of secret codes, enabling the confidentiality of communication through an insecure channel
Cipher
secret code, enabling the expression of a public code by a secret one by making the related information confidential
Cryptographic system, cryptosystem
set of cryptographic algorithms which include ciphers and other cryptographic algorithms
Cryptosystem
→ mostly used for "public key cryptosystem"; "secret key cryptographic systems" are rather called "ciphers"
Key Words — i
Confidentiality, secrecy
insurance that a given information cannot be accessed by unauthorized parties
Privacy ≠ secrecy (but sometimes synonym)
ability for a person to control how his personal information spreads in a community
Code
a system of symbols which represent information
Coding theory
science of code transformation which enables to send information through a communication channel in a reliable way (→ dummy adversary)
Encode, Decode
action to transform an information into a codeword, or to recover the information from a codeword
1 Chapter 1: Prehistory of Cryptography
Terminology
Cryptography Prehistory
A Science of Malice in Communication Technologies
how to abuse an information security system?
how to model malicious adversaries?
how to reduce adversaries' success to well known complexity problems?
for the bad guy: how to break a system? (Any dirty math allowed)
for the good guy: how to formally prove security? (Rigorous analysis when possible)
Applications
entered in mass product markets quite recently
used for authentication and encryption (bank cards, wireless telephone, e-commerce, pay-TV)
used for access control (car lock systems, ski lifts)
used for payment (prepaid phone cards, e-cash)
used for logistic & supply chains (RFID)
Defining Cryptography
cryptography vs coding theory: cryptography faces malicious adversaries (not random noise)
secrecy theory?
cryptography and secrecy: Cryptography has now a wider sense: the science of information protection against unauthorized parties by preventing unauthorized alteration or use. Cryptographic algorithms are the mathematical algorithms which enforce the protection.
adversity theory? Reductionism: modeling malice + proving security under reasonable assumptions
Key Words — iv
Cryptanalysis, cryptographic analysis, cryptoanalysis
theory of security analysis of cryptographic systems
To cryptanalyze a cryptosystem ≠ to break it
to prove or disprove the security provided by a cryptosystem
To break a cryptosystem
to prove the insecurity of a cryptosystem
Cryptology ≠ cryptography
science of cryptography and cryptanalysis (sometimes also steganography)
Steganography ≠ cryptography
science of information hiding
Basic Security Properties
Confidentiality: the information should not leak to any unexpected party
Integrity: the information must be protected against any malicious modification
Authentication: the information should make clear who the author of it is
The Fundamental Trilogy
[Figure: a Message X is sent from the sender to the receiver over a channel on which an Adversary sits]
Confidentiality (C): only the legitimate receiver can get X
Authentication + Integrity (A+I): only the legitimate sender can insert X and the received message must be equal to X
Crypto Is Fun!
Multidisciplinary: physics, electronics, software, math, logic, ...
Exposed: lots of attention by media
Wide: quick switch between theory, application, business, politics
Romantic: hackers, spies, ...
Fun: solving puzzles...
Probabilities of Occurrence in English
letter  probability    letter  probability    letter  probability
A       0.082          J       0.002          S       0.063
B       0.015          K       0.008          T       0.091
C       0.028          L       0.040          U       0.028
D       0.043          M       0.024          V       0.010
E       0.127          N       0.067          W       0.023
F       0.022          O       0.075          X       0.001
G       0.020          P       0.019          Y       0.020
H       0.061          Q       0.001          Z       0.001
I       0.070          R       0.060
Simple Substitutions
Caesar Cipher:
a b c d e f g h i k l m n o p q r s t v x
D E F G H I K L M N O P Q R S T V X A B C
caesar −→ FDHXDV
ROT13:
a b c d e f g h i j k l m n o p q r s t u v w x y z
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
rot −→ EBG
Transpositions
Spartan scytales:
this is a dummy message
[Figure: the plaintext is written around the rod in rows and read off along the rod, which permutes the letters]
TSMSH MSIAYAS G DMEIUE
Secret Writing
Hieroglyphs!
Vigenère Cipher
Plaintext: this is a dummy message
Key: ABC
  t h i s i s a d u m m y m e s s a g e
+ A B C A B C A B C A B C A B C A B C A
= T I K S J U A E W M N A M F U S B I E
Ciphertext: TIKSJUAEWMNAMFUSBIE
e.g. y + C = A.
Step I: Frequency Analysis
letter  frequency    letter  frequency    letter  frequency
A       0            J       11           S       3
B       1            K       1            T       2
C       15           L       0            U       5
D       13           M       16           V       5
E       7            N       9            W       8
F       11           O       0            X       6
G       1            P       1            Y       10
H       4            Q       4            Z       20
I       5            R       10
A Simple Substitution Cipher
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
Rough Frequencies in English
1 most frequent: E
2 very frequent: T A O I N S H R
3 frequent: D L
4 rare: C U M W F G Y P B
5 very rare: V K J X Q Z
30 most common digrams (in decreasing order):
TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI and OF.
12 most common trigrams (in decreasing order):
THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR and DTH.
Application to the Vigenère Cipher
With the example TIKSJUAEWMNAMFUSBIE, if we guess that the key is of length 3, we can write
T I K
S J U
A E W
M N A
M F U
S B I
E
so we can compute the index of coincidence of TSAMMSE, IJENFB and KUWAUI.
Index of Coincidence
$$\mathrm{Index}(x_1,\dots,x_n) = \Pr_{I,J}[x_I = x_J \mid I < J] = \sum_{c \in Z} \frac{n_c (n_c - 1)}{n (n - 1)}$$
where $I, J \in \{1, \dots, n\}$ are independent uniformly distributed and $n_c$ is the number of occurrences of the symbol $c$ among $x_1, \dots, x_n$.
Proposition
For any permutation $\sigma$ over $Z$, we have
$$\mathrm{Index}(\sigma(x_1), \dots, \sigma(x_n)) = \mathrm{Index}(x_1, \dots, x_n)$$
Index(English text) → 0.065 when $n \to +\infty$
Index(Random string) → 0.038 when $n \to +\infty$
Is this Significant?
In a truly random sequence of 294 characters over an alphabet of 26 letters, there are $n = 292$ trigrams $t_1, \dots, t_n$ out of $1/p = 26^3 = 17576$ possibilities; every possible trigram $abc$ has a number of occurrences $n_{abc} = \sum_{i=1}^{n} 1_{t_i = abc}$.
$$\Pr[n_{abc} = t] = \binom{n}{t} p^t (1-p)^{n-t} \approx \frac{\lambda^t}{t!} e^{-\lambda} \quad \text{with } \lambda = n \times p$$
Since
$$e^{\lambda} = \sum_{i=0}^{t-1} \frac{\lambda^i}{i!} + \int_0^{\lambda} \frac{(\lambda - x)^{t-1}}{(t-1)!} e^{x} \, dx$$
we have
$$\Pr[n_{abc} \ge t] \approx 1 - e^{-\lambda} \sum_{i=0}^{t-1} \frac{\lambda^i}{i!} \le e^{-\lambda} \int_0^{\lambda} \frac{(\lambda - x)^{t-1}}{(t-1)!} e^{x} \, dx \le \frac{\lambda^t}{t!}$$
With $t = 5$ we have $\Pr[\max_{\alpha\beta\gamma} n_{\alpha\beta\gamma} \ge t] \le 26^3 \Pr[n_{abc} \ge t] \le 10^{-6}$.
Kasiski Test
CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBW
RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK
LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX
VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR
ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT
AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI
PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP
WQAIIWXNRMGWOIIFKEE
CHR occurs at positions 1, 166, 236, 276, 286 (letters are counted continuously across the lines).
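As an added worked example (my code, not the slides'), the Vigenère encryption of the dummy message, the index of coincidence, the column split used to test a guessed key length, and a Kasiski search on the ciphertext above; the gcd of the distances between repeats, used here to guess the key length, is a step beyond what the slide shows.

```python
from collections import Counter
from functools import reduce
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# The Kasiski slide's ciphertext (letters only, positions counted from 1).
KASISKI_TEXT = (
    "CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBW"
    "RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK"
    "LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX"
    "VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR"
    "ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT"
    "AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI"
    "PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP"
    "WQAIIWXNRMGWOIIFKEE"
)


def letters_only(text):
    """Keep the A-Z letters of text, upper-cased; spaces and punctuation are dropped."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Add (or subtract, for decryption) the repeated key letter by letter modulo 26."""
    src, k = letters_only(text), letters_only(key)
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(src):
        shift = ALPHABET.index(k[i % len(k)])
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * shift) % 26])
    return "".join(out)


def index_of_coincidence(text):
    """Index(x1..xn) = sum_c n_c (n_c - 1) / (n (n - 1)); 0 for fewer than two letters."""
    s = letters_only(text)
    n = len(s)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(s).values()) / (n * (n - 1))


def columns(text, key_length):
    """Column j holds the letters encrypted with key letter j (TSAMMSE, IJENFB, KUWAUI on the slide)."""
    s = letters_only(text)
    return [s[j::key_length] for j in range(key_length)]


def mean_column_ic(text, key_length):
    """Average index of coincidence of the columns: near 0.065 for the right key length
    (each column is a simple shift of English), near 0.038 for a wrong one."""
    cols = columns(text, key_length)
    return sum(index_of_coincidence(c) for c in cols) / key_length


def kasiski_repeats(text, length=3):
    """Map every repeated length-gram to its 1-based start positions."""
    s = letters_only(text)
    positions = {}
    for i in range(len(s) - length + 1):
        positions.setdefault(s[i:i + length], []).append(i + 1)
    return {g: p for g, p in positions.items() if len(p) > 1}


def kasiski_key_length_guess(text, gram="CHR", length=3):
    """gcd of the distances between repeats of one gram (added step, not on the slide)."""
    pos = kasiski_repeats(text, length)[gram]
    distances = [b - a for a, b in zip(pos, pos[1:])]
    return reduce(gcd, distances)


if __name__ == "__main__":
    print(vigenere("this is a dummy message", "ABC"))      # TIKSJUAEWMNAMFUSBIE
    print(columns("TIKSJUAEWMNAMFUSBIE", 3))
    print(kasiski_repeats(KASISKI_TEXT)["CHR"])             # [1, 166, 236, 276, 286]
    for m in range(1, 7):
        print(m, round(mean_column_ic(KASISKI_TEXT, m), 3))
```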
The Enigma Cipher (Mathematically) — i
We define permutations over the 26-character alphabet.
Reflector. $\pi$ is a fixed involution with no fixed points.
Rotors. Let $S$ be a set of five permutations over the alphabet. $\rho$ is the circular rotation over the alphabet by one position; $\rho^i$ thus denotes the circular rotation over the alphabet by $i$ positions. $\alpha_i$ denotes $\rho^{-i} \circ \alpha \circ \rho^{i}$.
Wire connection. $\sigma$ is a configurable involution with 6 fixed points.
Enigma Building Blocks
given a permutation $\sigma$ over $Z = \{A, B, \dots, Z\}$, a fixed point is an element $x \in Z$ such that $\sigma(x) = x$
an involution over $Z$ is a permutation $\sigma$ of $Z$ such that $\sigma(\sigma(x)) = x$ for all $x$. Examples: reflector, plug board
a rotor is defined by a set of permutations $\sigma_0, \dots, \sigma_{25}$ over $Z$; the rotor in position $i$ implements permutation $\sigma_i$ such that $\sigma_i = \rho^{-i} \circ \sigma_0 \circ \rho^{i}$ where $\rho(A) = B$, $\rho(B) = C$, ..., $\rho(Z) = A$
The Enigma Circuit
[Figure: current flows from the keyboard (Kbd) through the plug board, the three rotors and the reflector, then back through the rotors and the plug board to a lamp; the drawing traces the wires for the letters A to F]
Enigma
[Figure: photograph of an Enigma machine]
Vernam Cipher
we use a uniformly distributed random key K (a bitstring)
every message X requires a new K of same size (one-time pad)
Encrypting X with K: compute X ⊕ K
Decrypting Y with K: compute Y ⊕ K
⊕ | 0 1
0 | 0 1
1 | 1 0
  (X) 10010
⊕ (K) 00111
= (Y) 10101
⊕ (K) 00111
= (X) 10010
The Laws of Modern Cryptography
The n² Problem: in a network of n users, there is a number of potential pairs of users within the order of magnitude of n²
The Kerckhoffs Principle: security should not rely on the secrecy of the cryptosystem itself
The Moore Law: the speed of CPUs doubles every 18 months
The Murphy Law: if there is a single security hole, the exposure of a cryptosystem will make sure that someone will ultimately find it
A Turing Machine
[Figure: picture of a Turing machine]
The Enigma Cipher (Mathematically) — ii
Secret key: $\sigma$; an ordered choice $\alpha, \beta, \gamma \in S$ of pairwise different permutations; a number $a$
Plaintext: $x = x_1, \dots, x_m$
Ciphertext: $y = y_1, \dots, y_m$
Encryption:
$$y_i = \sigma^{-1} \circ \alpha_{i_1}^{-1} \circ \beta_{i_2}^{-1} \circ \gamma_{i_3}^{-1} \circ \pi \circ \gamma_{i_3} \circ \beta_{i_2} \circ \alpha_{i_1} \circ \sigma \,(x_i)$$
where $i_3 i_2 i_1$ are the last three digits of the base-26 numeration of $i + a$.
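The permutation model of the two Enigma slides, as an added example (my code, not the lecture's): the rotor wirings, reflector and plug board pairs are constructed with a seeded shuffle and are not historical Enigma wirings; the point shown is that each position's map is a conjugate of π, so encrypting twice restores the plaintext and no letter ever maps to itself.

```python
import random

N = 26
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Constructed plug board: 10 swapped pairs, so 6 letters (U..Z) stay fixed as on the slide.
PLUGBOARD_PAIRS = [(0, 1), (2, 3), (4, 5), (6, 7), (8, 9),
                   (10, 11), (12, 13), (14, 15), (16, 17), (18, 19)]


def compose(f, g):
    """(f ∘ g)(x) = f(g(x)); permutations are lists indexed by letter number 0..25."""
    return [f[g[x]] for x in range(N)]


def inverse(p):
    inv = [0] * N
    for x, y in enumerate(p):
        inv[y] = x
    return inv


def fixed_points(p):
    return [x for x in range(N) if p[x] == x]


def is_involution(p):
    return all(p[p[x]] == x for x in range(N))


def rho_power(i):
    """ρ^i: circular rotation by i positions (ρ(A) = B, ..., ρ(Z) = A); negative i gives ρ^{-i}."""
    return [(x + i) % N for x in range(N)]


def rotor_in_position(alpha, i):
    """α_i = ρ^{-i} ∘ α ∘ ρ^i."""
    return compose(rho_power(-i), compose(alpha, rho_power(i)))


def make_rotor(seed):
    """Constructed rotor wiring: a seeded pseudo-random permutation, not a historical wiring."""
    p = list(range(N))
    random.Random(seed).shuffle(p)
    return p


def make_reflector(seed):
    """Constructed π: pair the shuffled letters two by two, an involution without fixed points."""
    letters = list(range(N))
    random.Random(seed).shuffle(letters)
    p = [0] * N
    for a, b in zip(letters[0::2], letters[1::2]):
        p[a], p[b] = b, a
    return p


def make_plugboard(pairs=PLUGBOARD_PAIRS):
    """σ: swap the given pairs, leave every other letter fixed."""
    p = list(range(N))
    for a, b in pairs:
        p[a], p[b] = b, a
    return p


def enigma(text, sigma, alpha, beta, gamma, pi, a):
    """y_i = σ^-1 ∘ α_i1^-1 ∘ β_i2^-1 ∘ γ_i3^-1 ∘ π ∘ γ_i3 ∘ β_i2 ∘ α_i1 ∘ σ (x_i),
    with i3 i2 i1 the last three base-26 digits of i + a (i counted from 1)."""
    sigma_inv = inverse(sigma)
    out = []
    for i, ch in enumerate(text, start=1):
        n = i + a
        i1, i2, i3 = n % N, (n // N) % N, (n // (N * N)) % N
        stages = [rotor_in_position(alpha, i1), rotor_in_position(beta, i2),
                  rotor_in_position(gamma, i3)]
        x = sigma[ALPHABET.index(ch)]
        for s in stages:                 # forward through the three rotors
            x = s[x]
        x = pi[x]                        # reflector
        for s in reversed(stages):       # back through the rotors, inverted
            x = inverse(s)[x]
        out.append(ALPHABET[sigma_inv[x]])
    return "".join(out)


def demo():
    """Encrypting the ciphertext again with the same settings gives the plaintext back."""
    sigma, pi = make_plugboard(), make_reflector(4)
    alpha, beta, gamma = make_rotor(1), make_rotor(2), make_rotor(3)
    plaintext = "THISISADUMMYMESSAGE"
    ciphertext = enigma(plaintext, sigma, alpha, beta, gamma, pi, a=5)
    return plaintext, ciphertext, enigma(ciphertext, sigma, alpha, beta, gamma, pi, a=5)
```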
A Note on the Vernam Cipher
If used in an appropriate way, this cipher is perfectly secure
It is pretty expensive (true randomness is expensive, key exchange is expensive)
We cannot achieve perfect security at a lower cost (Shannon Theory)
Using the Same Key Twice
[Figure: Y1 = X1 ⊕ K and Y2 = X2 ⊕ K; XORing the two ciphertexts gives Y1 ⊕ Y2 = X1 ⊕ X2, in which the key K cancels]
Example
[Figure: two ciphertext images combined with ⊕ give (=) a third image in which the superposed plaintexts show through]
Visual Cryptography
Pixel coding
[Figure: the pattern coding a pixel 0 and the pattern coding a pixel 1]
Pixel XOR
0 ⊕ 0 −→ ≈
0 ⊕ 1 −→ =
1 ⊕ 0 −→ =
1 ⊕ 1 −→ ≈
2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks
Chapter Content
DES: Feistel Scheme, S-boxes
Modes of operation: ECB, CBC, OFB, CFB, CTR, UNIX passwords
Classical designs: IDEA, SAFER-K64, AES
⋆ Case study: FOX, CS-CIPHER
Stream ciphers: RC4, A5/1, E0
Brute force attacks: exhaustive search, tradeoffs, meet-in-the-middle
2 Chapter 2: Conventional Cryptography
Conclusion
a lot of pedestrian cryptography in the prehistory
now a need for standard solutions
perfect security requires an unreasonable cost
we must trade security against cost
Stream Ciphers vs Block Ciphers
stream cipher:
small granularity (encrypt bits or bytes)
based on the Vernam cipher, requires a nonce (number to be used only once)
very high speed rate, very cheap on hardware
low confidence on security
block cipher:
large granularity (encrypt blocks of 64 or 128 bits), require padding techniques for messages with arbitrary length
high rate, nice for software implementation, can be adapted to various platforms (8-bit, 32-bit, or 64-bit microprocessors)
well established security
Two Categories of Symmetric Encryption
stream ciphers: RC4, GSM–A5/1, Bluetooth–E0, CSS, ...
block ciphers: DES, 3DES, IDEA, BLOWFISH, RC5, AES, KASUMI, SAFER, CS-Cipher, FOX, ...
Symmetric Encryption
[Figure: a Generator produces the Key, delivered confidentially to both ends; the sender encrypts Message X into Y, the receiver decrypts Y back into Message X, and an Adversary sees Y on the channel]
Feistel Scheme
transforms functions over {0,1}^{n/2} into permutations over {0,1}^n
inverse permutations have the same structure
alternate round functions and half swaps
final half swap omitted
DES^{-1}
[Figure: DES decryption: Y → IP → Feistel scheme driven by K16, K15, ..., K1 (schedule′ of K) → IP^{-1} → X]
DES
[Figure: DES encryption: X → IP → Feistel scheme driven by K1, K2, ..., K16 (schedule of K) → IP^{-1} → Y]
DES: the Data Encryption Standard
US Standard from NBS (now NIST), branch of the Department of Commerce, in 1977
secret design by IBM based on a call for proposal
based on LUCIFER by Horst Feistel (from IBM)
design influenced by the NSA
rationales of the design published by Don Coppersmith in 1994
dedicated to hardware implementation
block cipher with 64-bit blocks
key of 56 effective bits
S3
      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0:   10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
1:   13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
2:   13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
3:    1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12
Example: S3(111000) = 0101:
1 1100 0 = 56
1100 = 12 (the middle four bits select the column)
10 = 2 (the two outer bits select the row)
0101 = 5 (the entry in row 2, column 12)
DES Round Function
[Figure: the DES round function: the input is XORed (⊕) with the subkey bits and passed through the eight S-boxes S1, ..., S8]
(Inverse) Feistel Scheme
Ψ^{-1}(F_{K1}, F_{K2}, F_{K3}) = Ψ(F_{K3}, F_{K2}, F_{K1})
[Figure: three Feistel rounds with the round functions F_{K3}, F_{K2}, F_{K1} applied in that order]
(Direct) Feistel Scheme
Ψ(F_{K1}, F_{K2}, F_{K3})
[Figure: three Feistel rounds: the right half goes through F_{K1}, F_{K2}, F_{K3} in turn and is XORed (⊕) into the left half, with the halves swapped between rounds]
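An added example (my code, not the slides') of the Feistel scheme with the final half swap omitted, checking that Ψ with the keys in reverse order is the inverse, that keeping the final swap breaks this, and that the construction is a permutation; the round function is a constructed hash-based F_K, which the scheme never needs to invert.

```python
import hashlib


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key, half):
    """Constructed round function F_K: a hash of key || half, truncated to the half size.
    Any function works here; the scheme never needs to invert F."""
    return hashlib.sha256(key + half).digest()[:len(half)]


def feistel(block, keys):
    """Ψ(F_K1, ..., F_Kr): each round maps (L, R) to (R, L ⊕ F_K(R)); the final half swap is omitted."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in keys:
        left, right = right, xor(left, round_function(k, right))
    return right + left          # write the halves back in their pre-swap order


def feistel_with_final_swap(block, keys):
    """Same rounds but keeping the last swap; Ψ with reversed keys no longer inverts it."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in keys:
        left, right = right, xor(left, round_function(k, right))
    return left + right


def inverse_check(block, keys):
    """Ψ^{-1}(F_K1, F_K2, F_K3) = Ψ(F_K3, F_K2, F_K1): decrypt by reversing the key order."""
    return feistel(feistel(block, keys), keys[::-1]) == block


def is_permutation_on_2byte_blocks(keys):
    """The slide's claim on a block size small enough to enumerate: with 1-byte halves,
    all 65536 blocks map to 65536 distinct outputs."""
    images = {feistel(bytes([a, b]), keys) for a in range(256) for b in range(256)}
    return len(images) == 65536
```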
Password Access Control: Using Salt
[Figure: Enrolment: the password and a salt are hashed and the result is stored in the record. Control: the submitted password is hashed with the stored salt and compared (=?) with the record]
Password Access Control: Attempts
login: U
password: W
Scheme #1: store U and DES_W(0) in /etc/passwd
but: DES is pretty fast which makes exhaustive search easy
Scheme #2: store U and DES^n_W(0) in /etc/passwd
but: many optimized on-the-shelf implementations of DES which can be used for exhaustive search
Scheme #3: store U and f^n_W(0) in /etc/passwd where f is transformed from DES
but: precomputed inverse tables could be used to crack arbitrary entries in /etc/passwd
Scheme #4: store U, f^n_W(0) and salt c_k in /etc/passwd where f is transformed from DES by using c_k
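The four schemes side by side, as an added example (my code, not the slides'): SHA-256 from hashlib stands in for the DES-derived f, the iteration count for n, the salt is 12 bits as on the slides, and the record format user:salt:hash is a hypothetical one; the check shows why only the salted scheme stops two users with the same password from sharing a record.

```python
import hashlib
import hmac
import os

ZERO_BLOCK = bytes(8)          # the constant 0 that the slides encrypt under the password


def one_way(password, salt, rounds):
    """Stand-in for f^n_W(0) with salt: n iterations of SHA-256 over salt || password || state.
    SHA-256 replaces the DES-derived f of the slides; rounds plays the role of n."""
    state = ZERO_BLOCK
    for _ in range(rounds):
        state = hashlib.sha256(salt + password + state).digest()
    return state


def record_scheme1(user, password):
    """Scheme #1: one fast application, no salt."""
    return f"{user}:{one_way(password, b'', 1).hex()}"


def record_scheme3(user, password, rounds=1000):
    """Schemes #2/#3: iterated n times, still no salt, so equal passwords give equal records."""
    return f"{user}:{one_way(password, b'', rounds).hex()}"


def record_scheme4(user, password, rounds=1000, salt=None):
    """Scheme #4: iterated and salted; the 12-bit salt is stored in clear next to the hash."""
    if salt is None:
        salt = int.from_bytes(os.urandom(2), "big") & 0xFFF
    salt_bytes = salt.to_bytes(2, "big")
    return f"{user}:{salt:03x}:{one_way(password, salt_bytes, rounds).hex()}"


def verify_scheme4(record, user, password, rounds=1000):
    """Control step: recompute with the stored salt and compare in constant time."""
    rec_user, salt_hex, digest_hex = record.split(":")
    if rec_user != user:
        return False
    salt_bytes = int(salt_hex, 16).to_bytes(2, "big")
    expected = one_way(password, salt_bytes, rounds)
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def same_hash(rec_a, rec_b):
    """True when two records store the same hash, which a precomputed table would exploit."""
    return rec_a.split(":")[-1] == rec_b.split(":")[-1]
```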
UNIX Password Access Protocols
User                                        Workstation
         ←−−−−−−−−− login? −−−−−−−−−−
type U   −−−−−−−−−−− U −−−−−−−−−−−→
         ←−−−−−−−− password? −−−−−−−−
type W   −−−−−−−−−−− W −−−−−−−−−−−→  check (U, W) using a database, retrieve information from the database (home directory...)
DES Key Schedule
schedule(K)
1: K −PC1→ (C, D)
2: for i = 1 to 16 do
3:   C ← ROL_{r_i}(C)
4:   D ← ROL_{r_i}(D)
5:   K_i ← PC2(C, D)
6: end for
C, D: two 28-bit registers
i    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
r_i  1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1
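An added example (my code, not the slides') for the S3 slide and the key schedule slide above: the row/column lookup rule on S3 as printed, and the 16 rotations of the 28-bit registers C and D; since PC1 and PC2 are not given on the slides, the schedule returns the register pairs that PC2 would see rather than the 48-bit subkeys.

```python
S3 = [
    [10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
    [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
    [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
    [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12],
]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # r_i for i = 1..16


def sbox(table, six_bits):
    """S-box lookup: the outer bits (b1 b6) select the row, the middle four (b2..b5) the column.
    Input and output are bit strings, e.g. sbox(S3, '111000') == '0101'."""
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("expected six characters '0'/'1'")
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return format(table[row][col], "04b")


def rows_are_permutations(table):
    """Each row of the printed S-box is a permutation of 0..15 (checkable from the table itself)."""
    return all(sorted(row) == list(range(16)) for row in table)


def rol28(value, r):
    """Rotate a 28-bit register left by r positions."""
    mask = (1 << 28) - 1
    return ((value << r) | (value >> (28 - r))) & mask


def subkey_registers(c, d):
    """The (C, D) register pairs seen by PC2 in rounds 1..16 (PC1/PC2 themselves are not on the slide)."""
    out = []
    for r in SHIFTS:
        c, d = rol28(c, r), rol28(d, r)
        out.append((c, d))
    return out


def registers_return_to_start(c, d):
    """The rotations add up to 28, so after round 16 C and D are back at their initial values."""
    return subkey_registers(c, d)[-1] == (c, d)
```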
Note on the ECB Mode
Information leakage for blocks with low entropy
Chabloz         President     78'964.31
Zufferey        Manager       23'321.16
Neuenschwander  Consultant    34'445.22
Schneider       Affirmative   38'206.51
Cotti           Audiovisual   21'489.15
C(3) for Neuenschwander = C(3) for Schneider
ECB Mode
[Figure: each plaintext block x1, x2, x3, ..., xn is encrypted independently by C into y1, y2, y3, ..., yn]
UNIX Passwords
[Figure: the 56-bit password W keys a DES variant modified by the 12-bit salt (derived from the clock); the constant 0 is encrypted through it repeatedly (DES, DES, ···, DES) and the result is stored in /etc/passwd]
OFB Mode
[Figure: the IV is encrypted repeatedly by C to produce the key stream; each xi is XORed (⊕) with one output block to give yi, and the output block is fed back into C for the next one]
Note on the CBC Mode
Three possibilities for dealing with IV
Using a (non secret) constant IV
Using a secret IV which is part of the key
Using a random IV which is sent in clear with the ciphertext
CBC Decryption
[Figure: xi = C^{-1}(yi) ⊕ y_{i−1}, with y0 = IV]
CBC Mode
[Figure: yi = C(xi ⊕ y_{i−1}), with y0 = IV]
Note on the CTR Mode
ti must be new for every block!
Example 1: ti = msg counter || blk counter
Example 2: ti = t1 + (i − 1) where t1 is the last tn plus 1
Example 3: ti = t1 + (i − 1) where t1 is a (unique) nonce
CTR also transforms a block cipher into a stream cipher
CTR Mode
[Figure: yi = xi ⊕ C(ti) for the counter values t1, t2, t3, ..., tn]
CFB Mode
[Figure: yi = xi ⊕ C(y_{i−1}), with y0 = IV]
Note on the OFB Mode
IV must be new for every plaintext!
Use a random one which is sent in clear...
... or use a counter-based IV
This is not only a property of the OFB mode: property of stream ciphers
OFB actually transforms a block cipher into a stream cipher
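The ECB, CBC and CTR slides above run on constructed data, as an added example (my code, not the slides'): C is a deliberately insecure keyed affine permutation on 8-byte blocks used only so the modes can execute, and the payroll records are constructed in the spirit of the ECB slide, with fixed-width fields so that a shared title lands in the same block.

```python
BLOCK = 8
MASK = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15            # odd constant, so multiplication is invertible modulo 2^64
ODD_INV = pow(ODD, -1, 1 << 64)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_enc(key, block):
    """C: constructed keyed permutation on 8-byte blocks (an insecure affine map, for demonstration only)."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    return ((x * ODD) & MASK).to_bytes(BLOCK, "big")


def toy_dec(key, block):
    """C^{-1}."""
    y = (int.from_bytes(block, "big") * ODD_INV) & MASK
    return (y ^ int.from_bytes(key, "big")).to_bytes(BLOCK, "big")


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need a padded message (a multiple of 8 bytes)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """yi = C(xi): equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_enc(key, x) for x in blocks(data))


def cbc_encrypt(key, iv, data):
    """yi = C(xi ⊕ y_{i-1}) with y0 = IV."""
    out, prev = [], iv
    for x in blocks(data):
        prev = toy_enc(key, xor(x, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    """xi = C^{-1}(yi) ⊕ y_{i-1}."""
    out, prev = [], iv
    for y in blocks(data):
        out.append(xor(toy_dec(key, y), prev))
        prev = y
    return b"".join(out)


def ctr_crypt(key, t1, data):
    """yi = xi ⊕ C(ti) with ti = t1 + (i - 1): a stream cipher, so any length works
    and the same call decrypts."""
    out = []
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        counter = ((t1 + i // BLOCK) & MASK).to_bytes(BLOCK, "big")
        out.append(xor(chunk, toy_enc(key, counter)[:len(chunk)]))
    return b"".join(out)


def equal_block_positions(c1, c2):
    """Indices where two ciphertexts share a block: ECB leaks these, CBC with fresh chaining does not."""
    return [i for i, (a, b) in enumerate(zip(blocks(c1), blocks(c2))) if a == b]


# Constructed payroll records: 16-byte name, 8-byte title, 8-byte amount, so the title is block 2.
RECORD_A = b"Neuenschwander  " + b"Manager " + b"34445.22"
RECORD_B = b"Schneider       " + b"Manager " + b"38206.51"
KEY = b"\x01\x23\x45\x67\x89\xab\xcd\xef"     # constructed 64-bit key
IV = b"\x00" * BLOCK                           # the (non secret) constant IV option of the CBC note
```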
Generalized Feistel Scheme
[Figure: three rounds with round functions F_{K1}, G_{K2}, F_{K3}; the combination of the two halves may use ⊕, + or ∗, and permutations π and σ are applied between the rounds]
Block Ciphers Characteristics
cipher      release  block    key          # rounds  comment
DES         1977     64       56           16        secretly developed
3DES        1985     64       112,168      48        pragmatic solution
IDEA        1990     64       128          8.5
SAFER K-64  1993     64       64           6
BLOWFISH    1994     64       0–448        16
RC5         1996     2–256    0–255        0–255     64/128/12 recommended
CS-Cipher   1998     64       0–128        8
AES         2001     128      128,192,256  10,12,14  dependent parameters
KASUMI      2002     64       128          8         dedicated
FOX         2003     64,128   0–256        12–255
Classical Skeletons
Feistel schemes... and extensions: DES, 3DES, BLOWFISH, KASUMI
Lai-Massey scheme: IDEA, FOX
Substitution-permutation network: SAFER, CS-Cipher, AES
IDEA Groups
G = {0,1}^16 and a ⊙ b = a ⊕ b (microprocessor XOR on 16-bit words)
G = {0, 1, ..., 2^16 − 1} and a ⊙ b = a + b mod 2^16 (microprocessor addition on 16-bit words)
G = {0, 1, ..., 2^16 − 1} and a ⊙ b = a · b ... (next slide) (based on microprocessor multiplication on 16-bit words)
Reminders on Z_n
r = a mod n is the remainder of a divided by n in the Euclidean division: it is such that 0 ≤ r < n and r = a − q × n for some integer q
a ≡ b (mod n) means that a − b is a multiple of n, or equivalently that a mod n = b mod n
(a + (b mod n)) mod n = (a + b) mod n
Z_n = {0, 1, ..., n − 1} is a group for a ⊙ b = (a + b) mod n
we also have (a × (b mod n)) mod n = (a × b) mod n
Abelian Group Laws
Definition
An Abelian group is a set G together with a mapping from G × G to G which maps (a, b) to an element denoted a ⊙ b and such that
1. [closure] for any a, b ∈ G, we have a ⊙ b ∈ G
2. [associativity] for any a, b, c, we have (a ⊙ b) ⊙ c = a ⊙ (b ⊙ c)
3. [neutral element] there exists an element e s.t. for any a, a ⊙ e = e ⊙ a = a
4. [invertibility] for any a there exists b s.t. a ⊙ b = b ⊙ a = e
5. [commutativity] for any a, b ∈ G, we have a ⊙ b = b ⊙ a
IDEA: The Lai-Massey Scheme
Designed at ETH-Zurich in 1992 by J. Massey and X. Lai
Patented by Ascom (IPR management outsourced to MediaCrypt)
well known to be used in PGP
part of the PhD Thesis of Xuejia Lai
dedicated to software on 16-bit microprocessors
alternate scheme to DES
block cipher with 64-bit blocks
128-bit key
IDEA from High Level
[Figure: the encryption key goes through the key schedule, which produces subkey1, ..., subkey8; the block passes through the rounds and a final round∗, each fed with its subkey]
Computation of IDEA Multiplication (Nonzero Cases)
Let $a \times b = c_H \times 2^{16} + c_L$ and $\mathrm{carry} = 1$ if $c_L < c_H$ and $0$ otherwise.
If $a \ne 0$ and $b \ne 0$:
$$\begin{aligned}
a \cdot b &= \big((a \times b) \bmod (2^{16} + 1)\big) \bmod 2^{16} \\
&= \big((c_H \times 2^{16} + c_L) \bmod (2^{16} + 1)\big) \bmod 2^{16} \\
&= \big((c_L - c_H) \bmod (2^{16} + 1)\big) \bmod 2^{16} \\
&= \big(c_L - c_H + \mathrm{carry} \times (2^{16} + 1)\big) \bmod 2^{16} \\
&= (c_L - c_H + \mathrm{carry}) \bmod 2^{16}
\end{aligned}$$
Computation of IDEA Multiplication (Zero Cases)
for $a = b = 0$ we directly check this is correct
if $a = 0$ and $b \ne 0$ (for $b = 0$ and $a \ne 0$ we just exchange $a$ and $b$):
$$\begin{aligned}
0 \cdot b &= \big(2^{16} \times b \bmod (2^{16} + 1)\big) \bmod 2^{16} \\
&= \big(-b \bmod (2^{16} + 1)\big) \bmod 2^{16} \\
&= \big(2^{16} + 1 - b\big) \bmod 2^{16} \\
&= (1 - b) \bmod 2^{16} \\
&= (2 + \mathrm{NOT}(b)) \bmod 2^{16}
\end{aligned}$$
IDEA Multiplication
$$a \cdot b = \big((\bar{a} \times \bar{b}) \bmod (2^{16} + 1)\big) \bmod 2^{16} \quad \text{where } \bar{x} = \begin{cases} x & \text{if } x \ne 0 \\ 2^{16} & \text{if } x = 0 \end{cases}$$
$a \cdot b = (2 + \mathrm{NOT}(a + b)) \bmod 2^{16}$ if $a = 0$ or $b = 0$
$a \cdot b = (c_L - c_H + \mathrm{carry}) \bmod 2^{16}$ otherwise
where $a \times b = c_H \times 2^{16} + c_L$ and $\mathrm{carry} = 1$ if $c_L < c_H$ and $0$ otherwise
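An added example (my code, not the slides') implementing the low/high-half computation of the IDEA multiplication from the derivation above and checking it exhaustively against the definition; the multiplicative inverse by Fermat's theorem at the end goes beyond the slides.

```python
M16 = 1 << 16          # 2^16
P = M16 + 1            # 2^16 + 1, a prime
MASK16 = M16 - 1


def idea_mul_reference(a, b):
    """Definition: ((ā × b̄) mod (2^16 + 1)) mod 2^16, where the 16-bit value 0 stands for 2^16."""
    aa = a if a != 0 else M16
    bb = b if b != 0 else M16
    return (aa * bb % P) % M16


def idea_mul(a, b):
    """The slides' computation: no division by 2^16 + 1 at all."""
    if not (0 <= a <= MASK16 and 0 <= b <= MASK16):
        raise ValueError("operands must be 16-bit words")
    if a == 0 or b == 0:
        # zero cases: (2 + NOT(a + b)) mod 2^16, NOT taken on 16 bits
        return (2 + (~(a + b) & MASK16)) % M16
    c = a * b
    c_h, c_l = c >> 16, c & MASK16          # a × b = c_H × 2^16 + c_L
    carry = 1 if c_l < c_h else 0
    return (c_l - c_h + carry) % M16


def agrees_for_all_a(b_values):
    """Exhaustive cross-check of the two formulas over every 16-bit a, for the given b values."""
    return all(idea_mul(a, b) == idea_mul_reference(a, b)
               for b in b_values for a in range(M16))


def idea_inv(a):
    """Inverse for ·: ā^(2^16 - 1) mod (2^16 + 1) by Fermat, mapped back to 16 bits
    (added step, not on the slides)."""
    aa = a if a != 0 else M16
    return pow(aa, P - 2, P) % M16
```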
The MA Structure in IDEA
[Figure: the multiplication-addition (MA) structure: two inputs are combined with two subkeys through alternating multiplication (·) and addition (+), giving two outputs]
One IDEA Decryption Round
[Figure: the decryption round: the same structure as the encryption round with the inverse operations (/ and −) and the round's subkeys]
One IDEA Round
[Figure: the four 16-bit words are combined with four subkeys (· + + ·), the results feed the MA structure with two more subkeys, and its outputs are XORed (⊕) back into the words before the swap]
IDEA Decryption from High Level
[Figure: the decryption key goes through the key schedule, producing subkey8, ..., subkey1 in reverse order for the inverse rounds i-round, ..., i-round∗]
SAFER Pseudo-Hadamard Transform
2-PHT: (x, y) ↦ (u, v) with u = 2x + y mod 256 and v = x + y mod 256
2-PHT^{-1}: (u, v) ↦ (x, y) with x = u − v mod 256 and y = 2v − u mod 256
SAFER Substitution Boxes
$E(x) = (45^x \bmod 257) \bmod 256$
$L(x) = E^{-1}(x)$
$\mathbb{Z}_{256}$ is a group isomorphic to $\mathbb{Z}_{257}^*$
...indeed, 257 is a prime number, so $\mathbb{Z}_{257}^*$ is a cyclic group of order 256...
45 generates $\mathbb{Z}_{257}^*$
...indeed, $45^{128} \bmod 257 \ne 1$ so 45 is of order 256...
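The two SAFER slides above as an added example (my code, not the slides' or the cipher's reference code): the E and L boxes built from 45^x mod 257, the generator test of the slide, and the 2-PHT with its inverse checked on every byte pair.

```python
def exp_box(x):
    """E(x) = (45^x mod 257) mod 256."""
    return pow(45, x, 257) % 256


E = [exp_box(x) for x in range(256)]
L = [0] * 256                 # L = E^{-1}
for _x, _e in enumerate(E):
    L[_e] = _x


def generates_z257(g):
    """Z*_257 has order 256 = 2^8, so g generates it iff g^128 mod 257 ≠ 1 (the slide's test)."""
    return pow(g, 128, 257) != 1


def multiplicative_order(g):
    """Smallest k > 0 with g^k ≡ 1 (mod 257)."""
    k, v = 1, g % 257
    while v != 1:
        v = v * g % 257
        k += 1
    return k


def pht(x, y):
    """2-PHT: (x, y) -> (2x + y mod 256, x + y mod 256)."""
    return (2 * x + y) % 256, (x + y) % 256


def pht_inverse(u, v):
    """2-PHT^{-1}: (u, v) -> (u - v mod 256, 2v - u mod 256)."""
    return (u - v) % 256, (2 * v - u) % 256


def e_is_bijection():
    """E hits every byte exactly once: 45^x runs over all of Z*_257 and only 256 is folded to 0."""
    return sorted(E) == list(range(256))


def pht_round_trips():
    return all(pht_inverse(*pht(x, y)) == (x, y) for x in range(256) for y in range(256))
```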
SAFER K-64
[Figure: one SAFER K-64 round: the eight bytes are mixed with a subkey (⊕ + + ⊕ ⊕ + + ⊕), passed through the boxes E L L E E L L E, mixed with the next subkey (+ ⊕ ⊕ + + ⊕ ⊕ +), then sent through three layers of 2-PHT boxes with permutations between the layers]
SAFER K-64
Designed at ETH-Zurich in 1993 by James Massey
Property of Cylink
dedicated to software on 8-bit microprocessors
substitution-permutation network
block cipher with 64-bit blocks
64-bit key
RC4 (Alleged)
[Figure: the key goes through the key schedule into the automaton state: registers i and j and the permutation S[0], S[1], ..., S[255]; each step outputs one byte]
1: i ← i + 1
2: j ← j + S[i]
3: swap S[i] and S[j]
4: output S[S[i] + S[j]]
RC4
Designed at MIT in 1987 by Ronald Rivest
Trade secret of RSA Security Inc.
illegally disclosed in 1994
well known to be used in SSL
dedicated to software on 8-bit microprocessors
stream cipher with bytes streams
key length from 40 to 256
Stream Ciphers from a High Level
[Figure: key and nonce → key schedule → initial state → automaton → key stream; ciphertext stream = plaintext stream ⊕ key stream]
A5/1 from a High Level
[Figure: K_C and Count → key schedule → 64-bit state → automaton → 114-bit key stream; ciphertext frame = plaintext frame ⊕ key stream]
GSM A5/1
Designed at ETSI by the SAGE group
Trade secret of the GSM consortium
reverse engineered
dedicated to lightweight hardware
stream cipher with bit streams
64-bit key and 22-bit counter
RC4 in Security Protocols
In SSL/TLS:
key is used only once
first 256 output bytes are dropped
state is kept from one message to the other
In WEP:
key is the concatenation of a 3-byte nonce (sent in clear) and a 5-byte key
RC4 Key Schedule
1: j ← 0
2: for i = 0 to 255 do
3:   S[i] ← i
4: end for
5: for i = 0 to 255 do
6:   j ← j + S[i] + K[i mod ℓ]
7:   swap S[i] and S[j]
8: end for
9: i ← 0
10: j ← 0
(all additions are taken modulo 256; ℓ is the key length in bytes)
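The key schedule and automaton of the two RC4 slides, plus the "drop the first 256 bytes" rule of the SSL/TLS note and the WEP per-packet key layout, as an added example (my code, not the slides'); the values used in the test are constructed.

```python
def rc4_key_schedule(key):
    """Lines 1-10 of the slide: initialise S to the identity, then mix in the key bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 keys are 1 to 256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n, drop=0):
    """The automaton of the slide, run drop + n times; the first drop bytes are discarded
    (SSL/TLS drops 256 of them, as noted above)."""
    S = rc4_key_schedule(key)
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])


def rc4_crypt(key, data, drop=0):
    """Vernam-style XOR with the key stream; the same call encrypts and decrypts."""
    return bytes(x ^ k for x, k in zip(data, rc4_keystream(key, len(data), drop)))


def wep_packet_key(iv3, secret5):
    """WEP: per-packet key = 3-byte nonce (sent in clear) || 5-byte secret key, as on the slide."""
    if len(iv3) != 3 or len(secret5) != 5:
        raise ValueError("WEP uses a 3-byte nonce and a 5-byte key")
    return iv3 + secret5
```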
A5/1 Key Schedule
1: set all registers to zero
2: for i = 0 to 63 do
3:   R1[0] ← R1[0] ⊕ K_C[i]
4:   R2[0] ← R2[0] ⊕ K_C[i]
5:   R3[0] ← R3[0] ⊕ K_C[i]
6:   clock all registers
7: end for
8: for i = 0 to 21 do
9:   R1[0] ← R1[0] ⊕ Count[i]
10:  R2[0] ← R2[0] ⊕ Count[i]
11:  R3[0] ← R3[0] ⊕ Count[i]
12:  clock all registers
13: end for
14: for i = 0 to 99 do
15:  clock the A5/1 automaton
16: end for
A5/1 in Key Schedule
[Figure: the three LFSRs with their feedback taps (⊕); during the key schedule all three are clocked (CLK1, CLK2, CLK3) and the key or counter bit is XORed into the first cell of each register]
A5/1 Automaton
[Figure: the same three LFSRs, each with a clocking tap t1, t2, t3; the output bit is the XOR of the three register outputs]
CLK_i = CLK if t_i = majority(t1, t2, t3), 0 otherwise
Linear Feedback Shift Register (LFSR)
at time t, R_i = x_{t+i}
when CLK = 1, load R_i with R_{i+1}
[Figure: a 10-cell register R_0 (x_t), R_1 (x_{t+1}), R_2 (x_{t+2}), ..., R_9 (x_{t+9}); the new bit x_{t+10} is the XOR (⊕) of the tapped cells and x_t is the output]
connection polynomial: a_d x^d + ··· + a_1 x + a_0 (example: x^10 + x^5 + x^2 + x + 1)
recursion: a_d x_{t+d} ⊕ ··· ⊕ a_1 x_{t+1} ⊕ a_0 x_t = 0 for any t, so, if a_d = 1, we have x_{t+d} = a_{d−1} x_{t+d−1} ⊕ ··· ⊕ a_0 x_t for any t (linear recursion)
maximal period ⟺ primitive polynomial ⟹ irreducible polynomial
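An added example (my code, not the slides') of the linear recursion above: an LFSR driven by its connection polynomial, with the period measured for x^4 + x + 1 (primitive, period 15) and x^4 + x^3 + x^2 + x + 1 (irreducible but not primitive, period 5); the slide's x^10 + x^5 + x^2 + x + 1 is run the same way.

```python
def poly_from_exponents(exponents):
    """Connection polynomial as the coefficient list a_0..a_d,
    e.g. {10, 5, 2, 1, 0} for x^10 + x^5 + x^2 + x + 1."""
    d = max(exponents)
    return [1 if k in exponents else 0 for k in range(d + 1)]


def lfsr_next_bit(poly, window):
    """x_{t+d} = a_{d-1} x_{t+d-1} ⊕ ... ⊕ a_0 x_t, for window = [x_t, ..., x_{t+d-1}]."""
    d = len(poly) - 1
    bit = 0
    for k in range(d):
        bit ^= poly[k] & window[k]
    return bit


def lfsr_sequence(poly, state, n):
    """First n bits x_0, x_1, ... from the initial register content x_0..x_{d-1}."""
    d = len(poly) - 1
    if poly[d] != 1 or len(state) != d:
        raise ValueError("need a_d = 1 and exactly d initial bits")
    x = list(state)
    while len(x) < n:
        x.append(lfsr_next_bit(poly, x[-d:]))
    return x[:n]


def period(poly, state):
    """Steps until the register returns to its initial content (None for the all-zero state)."""
    d = len(poly) - 1
    if not any(state):
        return None
    window = list(state)
    for steps in range(1, 2 ** d):
        window = window[1:] + [lfsr_next_bit(poly, window)]
        if window == list(state):
            return steps
    return None


def has_maximal_period(poly):
    """Maximal period 2^d - 1 ⟺ primitive polynomial; measured from the state 100...0."""
    d = len(poly) - 1
    return period(poly, [1] + [0] * (d - 1)) == 2 ** d - 1


if __name__ == "__main__":
    slide_poly = poly_from_exponents({10, 5, 2, 1, 0})
    print("period of x^10 + x^5 + x^2 + x + 1:", period(slide_poly, [1] + [0] * 9))
```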
E0 Key Schedule
BD_ADDR: the logical 48-bit address of the master
CLK: the 26-bit clock value of the master
K_c: the encryption key whose length is an integral number of bytes between 1 and 16
linearly expand K_c into a 128-bit key
enter the expanded key, BD_ADDR, and CLK in the first level automaton
clock it, get 128 bits which are put in the second level automaton
One-Level E0
[Figure: four LFSRs of 25, 31, 33 and 39 bits output x^1_t, x^2_t, x^3_t, x^4_t; their sum (+) and a 2-bit state c_t (held in delay elements z^{-1}) feed the combiner, which produces the output bit z_t and the next state (c^0_{t+1}, c^1_{t+1}) from s_{t+1}, c_t and c_{t−1} through ⊕]
E0 from a High Level
[Figure: K_c, BD_ADDR and CLK → E0 level 1 → 128 bits → E0 level 2 → 2745-bit key stream; ciphertext frame = plaintext frame ⊕ key stream]
Frames are limited to 2745 bits
Clock-based resynchronization using an additional E0 level
Bluetooth E0
Designed by the Special Interest Group (SIG)
Bluetooth standard
default encryption scheme
dedicated to lightweight hardware
stream cipher with bit streams
key of up to 128 bits and 26-bit clock
One Non-Terminal Round of Rijndael
[Figure: the state goes through SubBytes → ShiftRows → MixColumns → AddRoundKey, the round key entering the last step]
Rijndael Skeleton
128-bit block −→ 4×4 square matrix of bytes
Nr = 10, 12 or 14 rounds depending on the key size of 128, 192 or 256 bits
AES encryption(s, W)
1: AddRoundKey(s, W_0)
2: for r = 1 to Nr − 1 do
3:   SubBytes(s)
4:   ShiftRows(s)
5:   MixColumns(s)
6:   AddRoundKey(s, W_r)
7: end for
8: SubBytes(s)
9: ShiftRows(s)
10: AddRoundKey(s, W_Nr)
AES: the Advanced Encryption Standard
US Standard from NIST, branch of the Department of Commerce, in 2001
public process based on a call for proposal
standard version of Rijndael
Rijndael was designed by Joan Daemen and Vincent Rijmen in Belgium
dedicated to software on 8-bit microprocessors
block cipher with 128-bit blocks
key of length 128, 192, or 256
Introduction to GF Arithmetics in Rijndael
we use the following representation rule
byte   bit string         polynomial
B      b7 ··· b2 b1 b0    b7.x^7 + ··· + b2.x^2 + b1.x + b0
we replace every 2 by 0 in polynomials; hence 3 = 2 + 1 is replaced by 0 + 1 = 1, 4 is replaced by 0, ... → monomial coefficients are binary
we replace every x^8 by x^4 + x^3 + x + 1 in polynomials; hence x^9 = x^8 × x is replaced by x^5 + x^4 + x^2 + x, ... → polynomials have degree at most 7
AddRoundKey
AddRoundKey(s, k)
1: for i = 0 to 3 do
2:   for j = 0 to 3 do
3:     si,j ← si,j ⊕ ki,j
4:   end for
5: end for
s0,0 s0,1 s0,2 s0,3        s0,0⊕k0,0 s0,1⊕k0,1 s0,2⊕k0,2 s0,3⊕k0,3
s1,0 s1,1 s1,2 s1,3   →    s1,0⊕k1,0 s1,1⊕k1,1 s1,2⊕k1,2 s1,3⊕k1,3
s2,0 s2,1 s2,2 s2,3        s2,0⊕k2,0 s2,1⊕k2,1 s2,2⊕k2,2 s2,3⊕k2,3
s3,0 s3,1 s3,2 s3,3        s3,0⊕k3,0 s3,1⊕k3,1 s3,2⊕k3,2 s3,3⊕k3,3
ShiftRows
ShiftRows(s)
1: replace [s1,0, s1,1, s1,2, s1,3] by [s1,1, s1,2, s1,3, s1,0]
2: replace [s2,0, s2,1, s2,2, s2,3] by [s2,2, s2,3, s2,0, s2,1]
3: replace [s3,0, s3,1, s3,2, s3,3] by [s3,3, s3,0, s3,1, s3,2]
s0,0 s0,1 s0,2 s0,3        s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3   →    s1,1 s1,2 s1,3 s1,0
s2,0 s2,1 s2,2 s2,3        s2,2 s2,3 s2,0 s2,1
s3,0 s3,1 s3,2 s3,3        s3,3 s3,0 s3,1 s3,2
SubBytes
SubBytes(s)
1: for i = 0 to 3 do
2:   for j = 0 to 3 do
3:     si,j ← S-box(si,j)
4:   end for
5: end for
s0,0 s0,1 s0,2 s0,3        S(s0,0) S(s0,1) S(s0,2) S(s0,3)
s1,0 s1,1 s1,2 s1,3   →    S(s1,0) S(s1,1) S(s1,2) S(s1,3)
s2,0 s2,1 s2,2 s2,3        S(s2,0) S(s2,1) S(s2,2) S(s2,3)
s3,0 s3,1 s3,2 s3,3        S(s3,0) S(s3,1) S(s3,2) S(s3,3)
MixColumns
[Figure: the columns s.,0 s.,1 s.,2 s.,3 are mapped to M × s.,0  M × s.,1  M × s.,2  M × s.,3]
MixColumns
MixColumns(s)
1: for i = 0 to 3 do
2:   let v be the 4-dimensional vector with coordinates s0,i, s1,i, s2,i, s3,i
3:   replace s0,i, s1,i, s2,i, s3,i by the coordinates of M × v
4: end for
M =
0x02 0x03 0x01 0x01
0x01 0x02 0x03 0x01
0x01 0x01 0x02 0x03
0x03 0x01 0x01 0x02
GF Arithmetics
A byte a = a7 ... a1 a0 represents an element of the finite field GF(2^8) as a polynomial a0 + a1.x + ... + a7.x^7 modulo x^8 + x^4 + x^3 + x + 1 and modulo 2
byte   bit string   polynomial
0x00   00000000     0
0x01   00000001     1
0x02   00000010     x
0x03   00000011     x + 1
0x1b   00011011     x^4 + x^3 + x + 1
Addition: a simple XOR
Multiplication by 0x01: nothing
Multiplication by 0x02: shift and XOR with 0x1b if carry
Multiplication by 0x03: XOR of multiplications by 0x01 and 0x02
Examples
0x5c + 0x2a = 0x76

        byte   bit string   polynomial
        0x5c   01011100     x^6 + x^4 + x^3 + x^2
      + 0x2a   00101010     x^5 + x^3 + x
      =                     x^6 + x^5 + x^4 + 2·x^3 + x^2 + x
      = 0x76   01110110     x^6 + x^5 + x^4 + x^2 + x

0x9e × 0x02 = 0x27

        byte   bit string   polynomial
        0x9e   10011110     x^7 + x^4 + x^3 + x^2 + x
      × 0x02   00000010     x
      =                     x^8 + x^5 + x^4 + x^3 + x^2
      =                     x^5 + 2·x^4 + 2·x^3 + x^2 + x + 1
      = 0x27   00100111     x^5 + x^2 + x + 1
SV 2007 Basic Crypto EPFL-SSC 121 / 528
Trying to Open a Safe (Online Attack)
For any k, we can ask the safe whether the secret key is equal to k
Figure: the attack sends a key guess k to the safe, which answers yes or no
SV 2007 Basic Crypto EPFL-SSC 128 / 528
2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks
SV 2007 Basic Crypto EPFL-SSC 127 / 528
Key Expansion
KeyExpansion (key, Nk)
1: for i = 0 to Nk − 1 do
2:   w_i ← key_i
3: end for
4: for i = Nk to 4(Nr + 1) − 1 do
5:   t ← w_{i−1}
6:   if i mod Nk = 0 then
7:     replace [t_1, t_2, t_3, t_4] by [t_2, t_3, t_4, t_1] in t
8:     apply S-box to the four bytes of t
9:     XOR x^{i/Nk − 1} (in GF) onto the first byte of t
10:  else if Nk = 8 and i mod Nk = 4 then
11:    apply S-box to the four bytes of t
12:  end if
13:  w_i ← w_{i−Nk} ⊕ t
14: end for
SV 2007 Basic Crypto EPFL-SSC 126 / 528
Key Expansion
we consider W as a sequence of 4(Nr + 1) = 44 (resp. 52, 60) rows (32-bit words) w_i
we consider the key as a sequence of Nk = 4 (resp. 6, 8) rows
the w_i are iteratively loaded:
  the first w_i are loaded with the key
  w_i is loaded with w_{i−Nk} ⊕ w_{i−1}
every Nk iterations, the w_i is modified before the XOR
for Nk = 8, we add an extra modification
SV 2007 Basic Crypto EPFL-SSC 125 / 528
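Added example in Python, not taken from the slides: the GF(2^8) arithmetic and MixColumns of the previous slides, the S-box computed from that arithmetic, and the KeyExpansion algorithm above. The key used in the known-answer check is the FIPS-197 Appendix A example key (an assumption of this example, not a value from the slides).

```python
# Added example, not part of the lecture slides: AES building blocks in Python.
# GF(2^8) arithmetic modulo x^8 + x^4 + x^3 + x + 1, the S-box derived from it,
# MixColumns on one column and the KeyExpansion algorithm of the slides.

def xtime(a):
    """Multiplication by 0x02: shift left, XOR 0x1b if a carry leaves the byte."""
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a

def gf_mul(a, b):
    """Shift-and-add multiplication of two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); AES maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def sbox_byte(a):
    """AES S-box: GF inverse followed by the affine map x ^ rotl(x,1..4) ^ 0x63."""
    x = gf_inv(a)
    s = x
    for i in range(1, 5):
        s ^= ((x << i) | (x >> (8 - i))) & 0xff
    return s ^ 0x63

SBOX = [sbox_byte(a) for a in range(256)]

# The MixColumns matrix M of the slides.
M = [[0x02, 0x03, 0x01, 0x01],
     [0x01, 0x02, 0x03, 0x01],
     [0x01, 0x01, 0x02, 0x03],
     [0x03, 0x01, 0x01, 0x02]]

def mix_column(col):
    """Replace the 4-byte column v by M x v (GF multiplication, XOR as addition)."""
    out = []
    for row in M:
        acc = 0
        for m, c in zip(row, col):
            acc ^= gf_mul(m, c)
        out.append(acc)
    return out

def key_expansion(key, nk=4, nr=10):
    """KeyExpansion(key, Nk): returns the 4(Nr+1) words w_i as lists of 4 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01                       # x^(i/Nk - 1) in GF(2^8), starting at x^0
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = t[1:] + t[:1]         # [t1,t2,t3,t4] -> [t2,t3,t4,t1]
            t = [SBOX[b] for b in t]  # S-box on the four bytes
            t[0] ^= rcon              # XOR x^(i/Nk-1) onto the first byte
            rcon = xtime(rcon)
        elif nk == 8 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w

if __name__ == "__main__":
    # The two GF examples of the slides, then the last round-key word of the
    # FIPS-197 Appendix A key (assumed known-answer value: b6 63 0c a6).
    print(hex(0x5c ^ 0x2a), hex(gf_mul(0x9e, 0x02)))
    w = key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    print([hex(b) for b in w[43]])
```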
Exhaustive Search Algorithm
Input: an oracle O, a set of possible keys K = {k_1, …, k_N}
Oracle interface: input is an element of K, output is Boolean
1: pick a random permutation σ of {1, …, N}
2: for all i = 1 to N do
3:   if O(k_{σ(i)}) then
4:     yield k_{σ(i)} and stop
5:   end if
6: end for
7: search failed
SV 2007 Basic Crypto EPFL-SSC 132 / 528
Key Recovery Game with a Stop Test Oracle (Online)
Adversary                                   Challenger
                                            pick a random K
try k_1        ── query k_1 ──────────────→
               ←──── no ──────────────────  k_1 ≠ K
try k_2        ── query k_2 ──────────────→
               ←──── no ──────────────────  k_2 ≠ K
...
               ── query k ────────────────→
               ←──── yes ─────────────────  k = K
SV 2007 Basic Crypto EPFL-SSC 131 / 528
Using a Stop Test Oracle
We use an oracle which tells whether the key we are looking for is equal to the queried k
Figure: the attack sends a key guess k to the oracle, which answers yes or no
(on-line attacks) access trial
(off-line attacks) we obtained a witness W (K ) for the key K
SV 2007 Basic Crypto EPFL-SSC 130 / 528
Guessing a Key using Some Significant Information(Offline Attack)
For any k, we can check whether k is consistent with the information we have
Figure: the attack sends a key guess k to a consistency check, which answers yes or no
SV 2007 Basic Crypto EPFL-SSC 129 / 528
Examples of Witness Functions
useful witnesses for exhaustive search:
  known plaintext attack: we get some random (x, C_K(x)) pair
  ciphertext only attack with redundant plaintexts: we get C_K(x) for a random redundant x
other witnesses which can be used for precomputation:
  chosen plaintext attack: we can get C_K(x) for some chosen x
  leakage of C_K(x) for a fixed message x for application (e.g. UNIX passwords) reasons
SV 2007 Basic Crypto EPFL-SSC 136 / 528
Online and Offline UNIX Passwords Recovery
online: try to connect using a guess for the password until it works; can be thwarted by audit tools
offline: get a witness from /etc/passwd and look for a guess which is consistent with the witness; may be precomputed or not
SV 2007 Basic Crypto EPFL-SSC 135 / 528
Key Recovery Game with a Witness (Offline)
Adversary                                   Challenger
                                            pick a random K
               ←──── W(K) ────────────────
...
               ── query k ────────────────→ win if k = K
SV 2007 Basic Crypto EPFL-SSC 134 / 528
Complexity Analysis
number of iterations
  worst case: N
  average case: (N + 1)/2
NB: we can decrease the average complexity if we know the a priori distribution
SV 2007 Basic Crypto EPFL-SSC 133 / 528
Complexity Analysis
Precomputation time D
Memory complexity D
Time complexity T
Probability of success $1 - \left(1 - \frac{D}{N}\right)^T \approx 1 - e^{-DT/N}$

This is quite interesting when $D \approx T \approx \sqrt{N}$...
SV 2007 Basic Crypto EPFL-SSC 140 / 528
Extension: Multi-Target Dictionary Attack
Input: a deterministic witness function W for keys
Preprocessing
1: for D different candidates K do
2:   compute W(K)
3:   insert (W(K), K) in a dictionary
4: end for
5: output the dictionary
Attack
Attack input: T many witnesses y_i = W(K_i), a dictionary
6: for i = 1 to T do
7:   look at y_i in the dictionary
8:   for all (y_i, K) in the dictionary do
9:     yield i, K
10:  end for
11: end for
SV 2007 Basic Crypto EPFL-SSC 139 / 528
Complexity Analysis
Precomputation time D
Memory complexity D
Time complexity ≈ 1
Probability of success (with randomly selected dictionary keys) D/N
SV 2007 Basic Crypto EPFL-SSC 138 / 528
Dictionary Attack
Input: a deterministic witness function W for keys
Preprocessing
1: for D different candidates K do
2:   compute W(K)
3:   insert (W(K), K) in a dictionary
4: end for
5: output the dictionary
Attack
Attack input: a witness y = W(K), a dictionary
6: look at y in the dictionary
7: for all (y, K) in the dictionary do
8:   yield K
9: end for
SV 2007 Basic Crypto EPFL-SSC 137 / 528
Double DES
X → DES (key K1) → Z → DES (key K2) → Y
K = (K1,K2)
this does not work
SV 2007 Basic Crypto EPFL-SSC 144 / 528
Security of Passwords with less than 48 Bits of Entropy
A password of 8 i.u.d. random characters in {a, …, z, A, …, Z, 0, …, 9} has less than 48 bits of entropy

classical conventional cryptography may require about 300 cycles on a P4 2GHz to check a guess (= 2^22.6 guesses per second)
  → 256 days to find a password with a PC
time-memory tradeoffs cracked a (36-bit entropy) password within a few seconds (complexity N^{2/3} + precomputation N)
  → 1h to find a password (+ a year of precomputation)
special-purpose hardware cracked 56-bit keys within a day
  → 5min to find a password
distributed.net cracked 64-bit keys within 1757 days in 2002
  → 40min to find a password
SV 2007 Basic Crypto EPFL-SSC 143 / 528
Application to DES
strategy            preprocessing   memory   time
exhaustive search   0               1        2^56
dictionary attack   2^56            2^56     1
tradeoffs           2^56            2^37     2^37

→ the key of DES is too short!
→ we need some way to enlarge the key
SV 2007 Basic Crypto EPFL-SSC 142 / 528
Summary of Single-Target Brute Force Attacks
strategy            preprocessing   memory    time      success proba.
exhaustive search   0               1         N         1
dictionary attack   N               N         1         1
tradeoffs           N               N^{2/3}   N^{2/3}   cte
exhaustive search   0               1         D         D/N
dictionary attack   D               D         1         D/N
SV 2007 Basic Crypto EPFL-SSC 141 / 528
Conclusion
block ciphers + modes of operation, and stream ciphers
many proposals, little rationales
governmental and industrial interest: trade secrets, patents,regulation
security goals: make sure that no better attacks than genericones exist
SV 2007 Basic Crypto EPFL-SSC 148 / 528
Two-Key Triple DES
X → DES (key K1) → DES^{-1} (key K2) → DES (key K1) → Y
K = (K1,K2)
SV 2007 Basic Crypto EPFL-SSC 147 / 528
Complexity Analysis
Memory complexity #K′ (2^56 for double DES)
Time complexity #K′ + #K″ (2^57 for double DES)
Probability of success 1
SV 2007 Basic Crypto EPFL-SSC 146 / 528
Meet-in-the-Middle Attack
Input: two encryption schemes C′ and C″ with two corresponding sets of possible keys K′ and K″, an (x, y) pair with y = C″_{K2}(C′_{K1}(x))
1: for all k1 ∈ K′ do
2:   compute z = C′_{k1}(x)
3:   insert (z, k1) in a hash table (indexed with the first entry)
4: end for
5: for all k2 ∈ K″ do
6:   compute z = C″^{-1}_{k2}(y)
7:   for all (z, k1) in the hash table do
8:     yield (k1, k2) as a possible key
9:   end for
10: end for
SV 2007 Basic Crypto EPFL-SSC 145 / 528
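Added example in Python, not from the slides: the meet-in-the-middle algorithm above run against double encryption, with a constructed 16-bit toy Feistel cipher and 16-bit keys standing in for DES (the cipher, the key sizes and the sample keys are assumptions of this example). It shows the point of the complexity slide: the 32-bit composed key falls to about 2 × 2^16 cipher calls plus a 2^16-entry table rather than 2^32.

```python
# Added example, not part of the lecture slides: meet-in-the-middle against
# double encryption, using a constructed 16-bit toy Feistel cipher with 16-bit
# keys in place of DES (no cryptographic value; only the structure matters).

CALLS = [0]   # counts toy cipher invocations, to compare with 2^32 for exhaustive search

def _round(r, sk):
    """Constructed 8-bit round function (non-linear; need not be invertible)."""
    return ((r ^ sk) * 0x9d + 0x3b) & 0xff

def _subkeys(k):
    """Four 8-bit subkeys taken from rotations of the 16-bit key."""
    return [((k << (3 * i)) | (k >> (16 - 3 * i))) & 0xff for i in range(4)]

def toy_encrypt(x, k):
    """Four Feistel rounds on a 16-bit block: (l, r) -> (r, l xor f(r, sk))."""
    CALLS[0] += 1
    l, r = x >> 8, x & 0xff
    for sk in _subkeys(k):
        l, r = r, l ^ _round(r, sk)
    return (l << 8) | r

def toy_decrypt(y, k):
    """Inverse: undo the rounds in reverse order."""
    CALLS[0] += 1
    l, r = y >> 8, y & 0xff
    for sk in reversed(_subkeys(k)):
        l, r = r ^ _round(l, sk), l
    return (l << 8) | r

def double_encrypt(x, k1, k2):
    """The double construction of the slides: Y = C''_{K2}(C'_{K1}(X)), K = (K1, K2)."""
    return toy_encrypt(toy_encrypt(x, k1), k2)

def meet_in_the_middle(pairs):
    """Algorithm of the slides on the first (x, y) pair; the remaining pairs only
    discard the roughly 2^16 false candidates that a 16-bit block lets through."""
    x, y = pairs[0]
    table = {}
    for k1 in range(1 << 16):                    # z = C'_{k1}(x), indexed by z
        table.setdefault(toy_encrypt(x, k1), []).append(k1)
    found = []
    for k2 in range(1 << 16):                    # z = C''^{-1}_{k2}(y)
        for k1 in table.get(toy_decrypt(y, k2), ()):
            if all(double_encrypt(x2, k1, k2) == y2 for x2, y2 in pairs[1:]):
                found.append((k1, k2))
    return found

def demo(k1=0x3c7a, k2=0xe105):
    """Recover a constructed key pair from three known plaintext/ciphertext pairs;
    returns the candidate list and the number of cipher calls spent."""
    CALLS[0] = 0
    plaintexts = [0x1234, 0xbeef, 0x0042]
    pairs = [(x, double_encrypt(x, k1, k2)) for x in plaintexts]
    found = meet_in_the_middle(pairs)
    return found, CALLS[0]

if __name__ == "__main__":
    keys, calls = demo()
    print(keys, "found with", calls, "cipher calls instead of about", 2 ** 32)
```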
The Cryptographic Trilogy
Figure: the message X travels from the sender to the receiver through a channel controlled by the adversary
Confidentiality (C): only the legitimate receiver can get X
Authentication + Integrity (A+I): only the legitimate sender can insert X and the received message must be equal to X
SV 2007 Basic Crypto EPFL-SSC 152 / 528
3 Chapter 3: Dedicated Conventional Cryptographic Primitives
The Cryptographic Trilogy
Cryptographic Hash Functions
Brute Force Attacks
Authentication Codes
Pseudorandom Generators
Summary
SV 2007 Basic Crypto EPFL-SSC 151 / 528
Chapter Content
Hash functions: MD5, SHA, SHA-1
Generic attack against hash functions: Birthday paradox
⋆Analysis of hash functions: dedicated attack against MD4
Message Authentication Codes: CBC-MAC, HMAC
⋆Pseudorandom generator: congruential generator
SV 2007 Basic Crypto EPFL-SSC 150 / 528
3 Chapter 3: Dedicated Conventional Cryptographic Primitives
SV 2007 Basic Crypto EPFL-SSC 149 / 528
Confidentiality
Figure: a key generator provides the key to both the Encrypt and Decrypt boxes (CONFIDENTIAL); the message passes Encrypt → channel → Decrypt, and the adversary observes the channel
SV 2007 Basic Crypto EPFL-SSC 156 / 528
Confidentiality vs Integrity and Authentication
Non-authenticated but confidential: the adversary cannot read a sent message, but she can insert a message so that the receiver can receive an X of her choice

Non-integer but authenticated and confidential: the adversary cannot insert a message of her choice but can modify a sent message so that the receiver will receive some X′ related to X by some known relation even though the adversary does not learn X and X′

Example: the adversary can replace X by X ⊕ ∆ for a ∆ of her choice even though she cannot get any information about X → malleability

Authenticated, integer and confidential: the adversary cannot get any information nor modify a sent message. She can still, in principle, replay them, or remove them.
SV 2007 Basic Crypto EPFL-SSC 155 / 528
Authentication vs Integrity
Non-integer but authenticated: the adversary cannot insert a message of her choice but can modify a sent message X → malleability

Integer and authenticated: the adversary cannot insert nor modify sent messages but can still, in principle, replay them or remove them

We will assume that authentication implicitly includes integrity
SV 2007 Basic Crypto EPFL-SSC 154 / 528
Authentication and Integrity
Peer integrity: we make sure that the peer cannot be corrupted
Peer authentication: we make sure whom we are talking to
Message authentication: we make sure about who sent the message
Message integrity: we make sure that the received message is equal to the sent one
4 different notions
In this chapter we concentrate on message authentication and message integrity (peer authentication will be addressed in Chapter 5)
SV 2007 Basic Crypto EPFL-SSC 153 / 528
A Swiss Army Knife Cryptographic Primitive
Domain extender: hash bitstrings of arbitrary length into bitstrings of fixed length.
  Application: instead of specifying digital signature algorithms on sets of bitstrings of arbitrary length, we specify them on bitstrings of fixed length and use the hash-and-sign paradigm.
Commitment: “uniquely” characterizes a bitstring without revealing information on it.
  Application: commitment which is binding and hiding.
Pseudorandom generator: generate bitstrings from seeds which are unpredictable.
  Application: generation of cryptographic keys from a seed.
SV 2007 Basic Crypto EPFL-SSC 160 / 528
Authenticity
Figure: a key generator provides the key to both parties (CONFIDENTIAL); the sender computes c = MAC(X) and sends (X, c); the receiver checks c and outputs ok? together with the message X (AUTHENTICATED, INTEGER); the adversary controls the channel
SV 2007 Basic Crypto EPFL-SSC 158 / 528
Integrity
Figure: the sender hashes the message into a digest that travels over an INTEGER channel; the receiver hashes the received message and compares the two digests (ok?); the adversary controls the message channel
SV 2007 Basic Crypto EPFL-SSC 157 / 528
Using Commitment
Figure: x → Commit → c, the key being kept by the committer; after a delay, the key and c → Open → x
SV 2007 Basic Crypto EPFL-SSC 164 / 528
Commitment Scheme
commit:   pick r at random
          c = h(x || r)          ── c ────────────────→   store c
          ←──────────────────────────────────────────→
          ...
open:     ←───────────────────
                                ── x, r ─────────────→   check h(x || r) = c
SV 2007 Basic Crypto EPFL-SSC 163 / 528
Threat Models for Hash Functions
Collision attack: find x and x′ such that x ≠ x′ and h(x) = h(x′).

First preimage attack: given y find x such that y = h(x).

Second preimage attack: given x find x′ such that x ≠ x′ and h(x) = h(x′).
SV 2007 Basic Crypto EPFL-SSC 162 / 528
Security Properties for Hash Functions
Collision resistance: hash function h for which it is hard to find x and x′ such that h(x) = h(x′) and x ≠ x′.

→ digital fingerprint of the bitstring

One-wayness: hash function h for which given y it is hard to find even one x such that y = h(x).

→ witness for a password

Pseudo-randomness: hash function h such that for any given f and g_i = h(f^i(x)) for i = 0, …, n−1 with a random (unknown) x such that f^i(x) is not cycling, it is hard to predict h(f^n(x)).
→ pseudo-random generation
SV 2007 Basic Crypto EPFL-SSC 161 / 528
Encryption to Hashing
On-line hashing:
the message is padded following the Merkle–Damgard scheme;
each block is processed using an encryption function C in a feedback mode according to the Davies–Meyer scheme.

Figure: the initial value and the successive 512-bit message blocks (the last one padded) go through C with feedback (+), yielding a 128-bit output
SV 2007 Basic Crypto EPFL-SSC 168 / 528
Cryptographic Hashing
Figure: message → MD5 → 128-bit digest
“Message Digest” (MD) devised by Ronald Rivest
“Secure Hash Algorithm” (SHA) standardized by NIST
MD4 in 1990 (128-bit digest)
MD5 in 1991 (128-bit digest) published as RFC 1321 in 1992
SHA in 1993 (160-bit digest) (now obsolete)
SHA-1 in 1995 (160-bit digest)
SHA256, SHA384, SHA512 in 2002 (256-, 384-, and 512-bit digest)
SV 2007 Basic Crypto EPFL-SSC 167 / 528
Scenarii for Threat Models
Substitution in the integrity check process→ second preimage attack
Substitution in a commitment scheme→ collision attack
Information retrieval in a commitment scheme→ first preimage attack
SV 2007 Basic Crypto EPFL-SSC 166 / 528
Application Example: Playing Dice

Alice                                              Bob
pick x ∈ {1, …, 6}    ── commit(x) ─────────────→
                      ←──── y ──────────────────   pick y ∈ {1, …, 6}
                      ── open ──────────────────→  verify
z = 1 + ((x + y) mod 6)                            z = 1 + ((x + y) mod 6)
output: z                                          output: z
SV 2007 Basic Crypto EPFL-SSC 165 / 528
Proof of Merkle–Damgård Theorem - Case 2

Figure: two Merkle–Damgård chains starting from IV, one over X = X_1 … X_m (last block followed by pad) and one over X′ = X′_1 … X′_n (last block followed by pad′), with X ≠ X′ and equal outputs (?=)

C′(H_m, X_m) = C′(H′_n, X′_n)
SV 2007 Basic Crypto EPFL-SSC 172 / 528
Proof of Merkle–Damgård Theorem - Case 1

Figure: two Merkle–Damgård chains of the same length starting from IV, over X = X_1 … X_n and X′ = X′_1 … X′_n (both followed by pad), with X ≠ X′ and equal outputs (?=)

C′(H_i, X_i) = C′(H′_i, X′_i)
where i is the last index such that H_i ≠ H′_i or X_i ≠ X′_i
SV 2007 Basic Crypto EPFL-SSC 171 / 528
Merkle–Damgård Theorem

Theorem (Merkle–Damgård 1989)

We construct a cryptographic hash function h from a compression function C′ by using the Merkle–Damgård scheme. If the compression function C′ is collision-resistant, then the hash function h is collision-resistant as well.

Proof.
Case 1: messages of same length
Case 2: messages of different length
SV 2007 Basic Crypto EPFL-SSC 170 / 528
Merkle–Damgård’s Extension

pad = 1 || 0 … 0 || length, the length field being 64 bits

Figure: the initial value and the successive 512-bit message blocks (the last one followed by pad) go through C′ in a chain, yielding a 128-bit output
SV 2007 Basic Crypto EPFL-SSC 169 / 528
Implementation of MD5 Compression
Input: an initial hash a, b, c, d, a message block x_0, …, x_15
Output: a hash a, b, c, d
1: for i = 1 to 4 do
2:   for j = 0 to 15 do
3:     t ← ROTL_{α_{i,j}}(a + f_i(b, c, d) + x_{σ_i(j)} + k_{i,j}) + b
4:     a ← d
5:     d ← c
6:     c ← b
7:     b ← t
8:   end for
9: end for
10: a ← a + a_initial
11: b ← b + b_initial
12: c ← c + c_initial
13: d ← d + d_initial
SV 2007 Basic Crypto EPFL-SSC 176 / 528
The B^j_i Boxes

Figure: box B^j_i takes the message word x and the registers a, b, c, d and outputs the updated registers a, b, c, d; the new value of b is

ROTL_{α_{i,j}}(a + f_i(b, c, d) + x + k_{i,j}) + b

f_i are bit-wise boolean functions:
f1(b,c,d) = if b then c else d
f2(b,c,d) = if d then b else c
f3(b,c,d) = b XOR c XOR d
f4(b,c,d) = c XOR (b AND (NOT d))
SV 2007 Basic Crypto EPFL-SSC 175 / 528
The MD5 Encryption Function [RFC1321]
For i = 1 to 4:
Figure: the registers A, B, C, D pass through the 16 boxes B^0_i, …, B^15_i of round i; the words of the message BLOCK are fed to the boxes in the order given by σ_i
SV 2007 Basic Crypto EPFL-SSC 174 / 528
Davies–Meyer Scheme
Figure: the compression function C takes four 32-bit registers A, B, C, D and the message block; its four 32-bit outputs are added (+) register-wise to the input registers (feed-forward)

+ is addition modulo 2^32.
SV 2007 Basic Crypto EPFL-SSC 173 / 528
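Added example in Python, not from the slides: the MD5 compression function of the slides above, with the Merkle–Damgård padding and the Davies–Meyer feed-forward, checked against hashlib. The constants k_{i,j}, the word order σ_i and the rotations α_{i,j} are those of RFC 1321, whose fourth round function is c XOR (b OR NOT d).

```python
# Added example, not part of the lecture slides: MD5 built from the slides'
# compression function, Merkle-Damgard padding and the Davies-Meyer feed-forward.
# Round constants, message schedule and rotations are those of RFC 1321.
import hashlib
import math
import struct

MASK = 0xffffffff
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]   # k_{i,j}
ALPHA = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +                    # alpha_{i,j}
         [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
F = [lambda b, c, d: (b & c) | (~b & d),          # f1: if b then c else d
     lambda b, c, d: (b & d) | (c & ~d),          # f2: if d then b else c
     lambda b, c, d: b ^ c ^ d,                   # f3: b XOR c XOR d
     lambda b, c, d: c ^ (b | ~d)]                # f4 as defined in RFC 1321
SIGMA = [lambda j: j, lambda j: (5 * j + 1) % 16,  # sigma_i: word used at step j
         lambda j: (3 * j + 5) % 16, lambda j: (7 * j) % 16]
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md5_compress(state, block):
    """The 64 B^j_i boxes on one 512-bit block, then the Davies-Meyer addition."""
    a, b, c, d = state
    x = struct.unpack("<16I", block)              # x_0 .. x_15, little-endian words
    for i in range(4):
        for j in range(16):
            t = (a + F[i](b, c, d) + x[SIGMA[i](j)] + K[16 * i + j]) & MASK
            t = (rotl(t, ALPHA[16 * i + j]) + b) & MASK
            a, d, c, b = d, c, b, t               # a<-d, d<-c, c<-b, b<-t
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))

def md5_pad(message):
    """Merkle-Damgard padding: a 1 bit, zeros up to 56 mod 64 bytes, 64-bit length."""
    zeros = (55 - len(message)) % 64
    return message + b"\x80" + b"\x00" * zeros + struct.pack("<Q", 8 * len(message))

def md5(message):
    """Chain the compression function over the padded message from the IV."""
    state = IV
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)

def matches_hashlib(message):
    """Cross-check against the standard library implementation."""
    return md5(message) == hashlib.md5(message).digest()

if __name__ == "__main__":
    print(md5(b"abc").hex())   # 900150983cd24fb0d6963f7d28e17f72
```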
From MD5 to MD4
like MD5 (128 bits, 4 registers, basic key schedule)
new round function
(A, B, C, D) ← (D, ROTL_{α_{i,j}}(A + f_i(B, C, D) + x_{σ_i(j)} + k_i), B, C)
3 rounds, other functions
f1(b,c,d) = if b then c else d
f2(b,c,d) = majority(b,c,d)
f3(b,c,d) = b XOR c XOR d
SV 2007 Basic Crypto EPFL-SSC 180 / 528
From SHA-1 to SHA
SHA-1 followed SHA
linear expansion in the key schedule: for i = 16, …, 79
x_i = (x_{i−3} XOR x_{i−8} XOR x_{i−14} XOR x_{i−16})
no justification
reverse-engineered by Chabaud and Joux
SV 2007 Basic Crypto EPFL-SSC 179 / 528
Implementation of SHA-1 Compression
Input: an initial hash a, b, c, d, e, a message block x_0, …, x_15
Output: a hash a, b, c, d, e
1: for i = 16 to 79 do
2:   x_i ← ROTL_1(x_{i−3} XOR x_{i−8} XOR x_{i−14} XOR x_{i−16})
3: end for
4: for i = 1 to 4 do
5:   for j = 0 to 19 do
6:     t ← ROTL_5(a) + f_i(b, c, d) + e + x_{20(i−1)+j} + k_i
7:     e ← d
8:     d ← c
9:     c ← ROTL_30(b)
10:    b ← a
11:    a ← t
12:  end for
13: end for
14: a ← a + a_initial
15: b ← b + b_initial
16: c ← c + c_initial
17: d ← d + d_initial
18: e ← e + e_initial
SV 2007 Basic Crypto EPFL-SSC 178 / 528
From MD5 to SHA-1 [FIPS 180–2]
128 to 160 bits (5 registers)
linear expansion in the key schedule: for i = 16, …, 79
x_i = ROTL(x_{i−3} XOR x_{i−8} XOR x_{i−14} XOR x_{i−16})

new round function
(A, B, C, D, E) ← (ROTL_5(A) + f_i(B, C, D) + E + x_{20(i−1)+j} + k_i, A, ROTL_30(B), C, D)
f1(b,c,d) = if b then c else d
f2(b,c,d) = b XOR c XOR d
f3(b,c,d) = majority(b,c,d)
f4(b,c,d) = b XOR c XOR d
SV 2007 Basic Crypto EPFL-SSC 177 / 528
Birthday Paradox
Theorem
If we pick independent random numbers in {1, 2, …, N} with uniform distribution, θ√N times, we get at least one number twice with probability

$$1 - \frac{N!}{N^{\theta\sqrt{N}}\,(N - \theta\sqrt{N})!} \xrightarrow[N \to +\infty]{} 1 - e^{-\theta^2/2}.$$

For N = 365, we obtain the following figures.

θ√N          10     15     20     25     30     35     40
θ            0.52   0.79   1.05   1.31   1.57   1.83   2.09
probability  12%    25%    41%    57%    71%    81%    89%
SV 2007 Basic Crypto EPFL-SSC 184 / 528
Second Preimage Attack
Input: a cryptographic hash function h onto a domain of size N, an input x
Output: x′ such that x ≠ x′ and h(x) = h(x′)
1: compute h(x)
2: pick a random ordering of all inputs x_1, x_2, …
3: for all i such that x_i ≠ x do
4:   compute h(x_i)
5:   if h(x_i) = h(x) then
6:     yield x′ = x_i and stop
7:   end if
8: end for
9: search failed
SV 2007 Basic Crypto EPFL-SSC 183 / 528
Implementation of MD4 Compression
Input: an initial hash a, b, c, d, a message block x_0, …, x_15
Output: a hash a, b, c, d
1: for i = 1 to 3 do
2:   for j = 0 to 15 do
3:     t ← ROTL_{α_{i,j}}(a + f_i(b, c, d) + x_{σ_i(j)} + k_i)
4:     a ← d
5:     d ← c
6:     c ← b
7:     b ← t
8:   end for
9: end for
10: a ← a + a_initial
11: b ← b + b_initial
12: c ← c + c_initial
13: d ← d + d_initial
SV 2007 Basic Crypto EPFL-SSC 181 / 528
Collision Search II
Input: a cryptographic hash function h onto a domain of size N
Output: a pair (x, x′) such that x ≠ x′ and h(x) = h(x′)
1: repeat
2:   pick a (new) random x
3:   compute y = h(x)
4:   insert (y, x) in the hash table
5: until there is already another (y, x′) pair in the hash table
6: yield (x, x′)
SV 2007 Basic Crypto EPFL-SSC 188 / 528
Collision Search I
Input: a cryptographic hash function h onto a domain of size N
Output: a pair (x, x′) such that x ≠ x′ and h(x) = h(x′)
1: for θ√N many different x do
2:   compute y = h(x)
3:   if there is a (y, x′) pair in the hash table then
4:     yield (x, x′) and stop
5:   end if
6:   insert (y, x) in the hash table
7: end for
8: search failed
SV 2007 Basic Crypto EPFL-SSC 187 / 528
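Added example in Python, not from the slides: the exact birthday probability of the theorem next to its 1 − e^{−θ²/2} limit, and Collision Search I and II run against a constructed small-domain hash h (the first nbits of SHA-256, an assumption of this example) so that the θ√N behaviour can be observed on a laptop.

```python
# Added example, not part of the lecture slides: the birthday bound and the two
# collision search algorithms on a toy hash h(x) = first nbits of SHA-256(x)
# (a constructed small domain of size N = 2^nbits, so collisions are affordable).
import hashlib
import math
import os

def birthday_probability(N, k):
    """Exact P(some value repeats) for k uniform draws from {1..N}: 1 - N!/(N^k (N-k)!)."""
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (N - i) / N
    return 1.0 - p_all_distinct

def birthday_approx(theta):
    """Limit of the theorem for k = theta * sqrt(N) draws."""
    return 1.0 - math.exp(-theta * theta / 2)

def h(x, nbits):
    """Toy hash onto nbits (domain size N = 2^nbits)."""
    digest = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return digest >> (256 - nbits)

def collision_search_1(nbits, theta=2.0):
    """Collision Search I: at most theta*sqrt(N) random inputs; may fail."""
    N = 1 << nbits
    table = {}
    for _ in range(int(theta * math.sqrt(N))):
        x = os.urandom(8)
        y = h(x, nbits)
        if y in table and table[y] != x:
            return table[y], x
        table[y] = x
    return None                                   # search failed

def collision_search_2(nbits):
    """Collision Search II: draw until a repeat; succeeds with probability 1.
    Also returns how many distinct inputs were drawn (expected ~ sqrt(pi/2) sqrt(N))."""
    table = {}
    while True:
        x = os.urandom(8)
        y = h(x, nbits)
        if y in table and table[y] != x:
            return table[y], x, len(table)
        table[y] = x

if __name__ == "__main__":
    for k in (10, 20, 30, 40):                    # the N = 365 row of the slide
        print(k, round(100 * birthday_probability(365, k)), "%")
    x, x2, draws = collision_search_2(32)
    print("collision after", draws, "draws, about", round(draws / 2 ** 16, 2), "* sqrt(N)")
```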
Birthday Paradox - Proof — ii
We now use $\log(1 - \varepsilon) = -\varepsilon - \frac{\varepsilon^2}{2} + o(\varepsilon^2)$

$$1 - p \sim \exp\left[-\theta\sqrt{N} + (-N + \theta\sqrt{N})\log\left(1 - \frac{\theta}{\sqrt{N}}\right)\right] \sim \exp\left[-\frac{\theta^2}{2} + o(1)\right] \longrightarrow e^{-\theta^2/2}$$
SV 2007 Basic Crypto EPFL-SSC 186 / 528
Birthday Paradox - Proof — i
Proof. We use the Stirling approximation

$$n! \underset{n \to +\infty}{\sim} \sqrt{2\pi n}\, e^{-n} n^n$$

We have

$$1 - p = \frac{N!}{N^{\theta\sqrt{N}}\,(N - \theta\sqrt{N})!} \sim \left(1 - \frac{\theta}{\sqrt{N}}\right)^{-N + \theta\sqrt{N}} e^{-\theta\sqrt{N}} = \exp\left[-\theta\sqrt{N} + (-N + \theta\sqrt{N})\log\left(1 - \frac{\theta}{\sqrt{N}}\right)\right]$$
SV 2007 Basic Crypto EPFL-SSC 185 / 528
Authentication Channel
Figure: a key generator provides the key to both parties (CONFIDENTIAL); the sender computes c = MAC(X) and sends (X, c); the receiver checks c and outputs ok? together with the message X (AUTHENTICATED, INTEGER); the adversary controls the channel
SV 2007 Basic Crypto EPFL-SSC 192 / 528
Summary of Generic Attacks
if we hash onto n bits (N = 2^n)

attack             complexity
preimage attack    2^n
collision attack   2^{n/2}
SV 2007 Basic Crypto EPFL-SSC 190 / 528
Collision Search Complexity
strategy               memory          time            success proba.
collision search I     θ√N             θ√N             1 − e^{−θ²/2}
collision search II    √(π/2) × √N     √(π/2) × √N     1
SV 2007 Basic Crypto EPFL-SSC 189 / 528
HMAC [RFC 2104]
Figure: HMAC: the zero-padded key (key||0···0) is XORed with ipad and prepended to the message, then hashed with H; the key XORed with opad is prepended to that digest and hashed again with H; the result is truncated (trunc) to give the MAC
SV 2007 Basic Crypto EPFL-SSC 196 / 528
Hashing to Authentication: HMAC [RFC 2104]
Computing the MAC of t bytes for a message m with a key K using a Merkle–Damgård hash function with block size B bytes, digest size L bytes. (t = L by default.) E.g. H = SHA-1, B = 64, L = 20.

1. If K has more than B bytes, we first replace K by H(K). (Having a key of such a long size does not increase the security.)
2. We append zero bytes to the right of K until it has exactly B bytes.
3. We compute H(K ⊕ opad || H(K ⊕ ipad || X)) where ipad and opad are two fixed bitstrings of B bytes. The ipad consists of B bytes equal to 0x36 in hexadecimal. The opad consists of B bytes equal to 0x5c in hexadecimal.
4. We truncate the result to its t leftmost bytes. We obtain HMAC_K(X).
SV 2007 Basic Crypto EPFL-SSC 195 / 528
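Added example in Python, not from the slides: the four HMAC steps above written out and cross-checked against the standard library, with the t = L and t = 12 truncations of the TLS and SSH table. The key and message values are constructed test inputs; the receiver-side check uses a constant-time comparison, which the slides do not discuss.

```python
# Added example, not part of the lecture slides: the four HMAC steps in Python,
# checked against the standard library. Keys and messages below are constructed.
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5c

def hmac_by_hand(K, X, hash_name="sha1", B=64, t=None):
    """HMAC_K(X) truncated to t bytes (t = L, the digest size, by default)."""
    H = lambda data: hashlib.new(hash_name, data).digest()
    if len(K) > B:                            # step 1: a key longer than a block is hashed
        K = H(K)
    K = K + b"\x00" * (B - len(K))            # step 2: zero bytes up to exactly B bytes
    inner = H(bytes(k ^ IPAD for k in K) + X)         # H(K xor ipad || X)
    mac = H(bytes(k ^ OPAD for k in K) + inner)       # step 3: H(K xor opad || inner)
    return mac if t is None else mac[:t]              # step 4: t leftmost bytes

def matches_stdlib(K, X, hash_name="sha1"):
    """Cross-check against hmac.new for the same key, message and hash."""
    return hmac.compare_digest(hmac_by_hand(K, X, hash_name),
                               hmac.new(K, X, hash_name).digest())

def verify_tag(K, X, tag, hash_name="sha1", t=None):
    """Receiver side: recompute and compare in constant time (no timing leak)."""
    return hmac.compare_digest(hmac_by_hand(K, X, hash_name, t=t), tag)

if __name__ == "__main__":
    key, msg = b"key", b"The quick brown fox jumps over the lazy dog"
    print(hmac_by_hand(key, msg, "md5").hex())          # TLS MD5 style, t = L = 16
    print(hmac_by_hand(key, msg, "sha1", t=12).hex())   # SSH hmac-sha1-96 style, t = 12
```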
Strong Adversarial Model
Figure: the adversary interacts with the MAC oracle (messages X_i, tags c_i) and finally outputs a pair (X, c)
the adversary can request the authentication of several messages
the goal of the adversary is to output a valid (X ,c) pair
the output X must not have been requested to the oracle
SV 2007 Basic Crypto EPFL-SSC 194 / 528
Weak Adversarial Model
Figure: the adversary interacts with the MAC oracle (messages X_i, tags c_i) and finally outputs a pair (X, c)
the adversary can request the authentication of several messages
the goal of the adversary is to output a valid (X ,c) pair
the output X must not have been requested to the oracle
SV 2007 Basic Crypto EPFL-SSC 193 / 528
CBCMAC - (A Bad MAC)
Figure: CBC-MAC: x_1 is encrypted with C_K; each following block x_i is XORed with the previous output and encrypted with C_K; the output after x_n is the MAC
SV 2007 Basic Crypto EPFL-SSC 200 / 528
Security Proof by Simulation
If we have an adversary for the big MAC, we construct an adversary for the small MAC by simulation:

Figure: the simulator knows K1; it relays each query X_i of the adversary as H(K1||X_i) to the small-MAC oracle, returns the answer c_i, and turns the adversary's final output (X, c) into (H(K1||X), c)

If H(K1||X) ≠ H(K1||X_i) for all i, then we have a message forgery. Otherwise we have a collision!
SV 2007 Basic Crypto EPFL-SSC 199 / 528
Security of (Ideal) HMAC
Theorem (Bellare-Canetti-Krawczyk 1996)
Let H be a hash function which hashes onto ℓ bits following the Merkle–Damgård scheme. We consider keys K1, K2 in {0,1}^ℓ. We assume that

H is collision resistant;

X ↦ H(K2||X) is a secure MAC function over the space {0,1}^ℓ of messages with a fixed length ℓ.

The following algorithm is a secure MAC function over the space of messages with arbitrary length.

X ↦ MAC_{K1,K2}(X) = H(K2 || H(K1 || X))
Provided that we cannot distinguish HMAC from this MAC, then HMACis a secure MAC as well.
SV 2007 Basic Crypto EPFL-SSC 198 / 528
Examples
      algo           hash   B    L    t
TLS   MD5            MD5    64   16   16
      SHA            SHA1   64   20   20
SSH   hmac-md5       MD5    64   16   16
      hmac-md5-96    MD5    64   16   12
      hmac-sha1      SHA1   64   20   20
      hmac-sha1-96   SHA1   64   20   12
SV 2007 Basic Crypto EPFL-SSC 197 / 528
ISO/IEC 9797 - (An Even Better CBCMAC Variant)
Figure: ISO/IEC 9797 variant: CBC chaining of x_1, …, x_n under C_{K1} as in CBC-MAC, then the final value is encrypted with C_{K2} and truncated (trunc) to give the MAC
SV 2007 Basic Crypto EPFL-SSC 204 / 528
Birthday Attack on EMAC
First submit many messages until we get two messages X1 and X2
such that MAC(X1) = MAC(X2) by using the birthday paradox.
X_1                MAC(X_1) = c
X_2                MAC(X_2) = c
B = random
X_3 = X_1 || B     MAC(X_3) = c′
X_4 = X_2 || B     MAC(X_4) = c′
SV 2007 Basic Crypto EPFL-SSC 203 / 528
EMAC (Encrypted MAC) - (A Better CBCMAC Variant)
Figure: EMAC: CBC chaining of x_1, …, x_n under C_{K1} as in CBC-MAC, then the final value is encrypted with C_{K2} to give the MAC
SV 2007 Basic Crypto EPFL-SSC 202 / 528
A MAC Forgery
X_1 = random           MAC(X_1) = c
X_2 = random           MAC(X_2) = c′
X_3 = X_1 || B         MAC(X_3) = C_K(c ⊕ B)
X_4 = X_2 || B′        MAC(X_4) = C_K(c′ ⊕ B′)
B′ = B ⊕ c ⊕ c′        MAC(X_4) = MAC(X_3)
SV 2007 Basic Crypto EPFL-SSC 201 / 528
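Added example in Python, not from the slides: the construction above reproduced on raw CBC-MAC and then tried against EMAC, with a constructed keyed-SHA-256 stand-in for the block cipher C_K (only its pseudorandom behaviour matters here; keys and messages are constructed). The defender's takeaway is the slide sequence itself: a raw CBC-MAC tag is an internal chaining value, so encrypt it once more (EMAC, OMAC) instead of emitting it.

```python
# Added example, not part of the lecture slides: the CBC-MAC forgery of the slide
# and why EMAC resists it. C_K is a constructed 16-byte PRF (keyed SHA-256 cut
# to one block); a real block cipher behaves the same for this purpose.
import hashlib
import os

BLOCK = 16

def c_k(key, block):
    """Stand-in for the block cipher C_K on one block (a PRF; not invertible)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key, msg):
    """Raw CBC-MAC over whole blocks: c_i = C_K(c_{i-1} xor x_i), MAC = c_n."""
    assert msg and len(msg) % BLOCK == 0
    c = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        c = c_k(key, xor(c, msg[i:i + BLOCK]))
    return c

def emac(k1, k2, msg):
    """EMAC: the raw CBC-MAC under K1 encrypted once more under K2."""
    return c_k(k2, cbc_mac(k1, msg))

def extension_pair(x1, c1, x2, c2, b):
    """The slide's construction: X3 = X1||B and X4 = X2||B' with B' = B xor c xor c'.
    For raw CBC-MAC, MAC(X3) = C_K(c xor B) = C_K(c' xor B') = MAC(X4)."""
    return x1 + b, x2 + xor(b, xor(c1, c2))

def demo():
    """Return (raw CBC-MAC tags collide, EMAC tags collide) for the same construction."""
    k, k1, k2 = b"K-constructed", b"K1-constructed", b"K2-constructed"
    x1, x2, b = os.urandom(2 * BLOCK), os.urandom(2 * BLOCK), os.urandom(BLOCK)
    # Raw CBC-MAC: the two known tags are the chaining values entering the last
    # block, so they can be cancelled through the last block.
    x3, x4 = extension_pair(x1, cbc_mac(k, x1), x2, cbc_mac(k, x2), b)
    raw_collides = cbc_mac(k, x3) == cbc_mac(k, x4)
    # EMAC: only C_{K2}(chaining value) is visible, not the chaining value itself,
    # so the same construction yields two unrelated tags.
    y3, y4 = extension_pair(x1, emac(k1, k2, x1), x2, emac(k1, k2, x2), b)
    emac_collides = emac(k1, k2, y3) == emac(k1, k2, y4)
    return raw_collides, emac_collides

if __name__ == "__main__":
    print(demo())   # (True, False)
```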
CCM (Counter with CBC-MAC)
Roughly speaking:
1: let T = CBCMAC(message)
2: encrypt T || message in CTR mode
More precisely, the CCM mode is defined by
a block cipher which accepts 16-Byte blocks
an even parameter M between 4 and 16 (size of the CBCMAC in bytes)
a parameter L between 2 and 8 (size of the length field in bytes)
SV 2007 Basic Crypto EPFL-SSC 208 / 528
Authenticated Modes of Operation
Figure: a key generator provides the key to both parties (CONFIDENTIAL, AUTHENTICATED, INTEGER); the message and a nonce go through Enc/MAC, the result and the nonce reach Dec/Check, which outputs ok? and the message; the adversary controls the channel
SV 2007 Basic Crypto EPFL-SSC 207 / 528
OMAC1
Cst1 = 0x00···02
Cst2 = 0x00···04
if the message length is not a multiple of the block length, pad it with a bit 1 and as many bits 0 as required to reach this length
if x_n was not padded, take Cst = Cst1, otherwise, take Cst = Cst2
L = C_K(0) (encryption of the zero block)
H_L(Cst1) is L shifted to the left by one bit, XOR the carry constant if any, and H_L(Cst2) = H_{H_L(Cst1)}(Cst1)
actually, H_L(x) = L × x using GF arithmetics with carry constant 0x000000000000001b for 64-bit blocks and 0x00000000000000000000000000000087 for 128-bit blocks
SV 2007 Basic Crypto EPFL-SSC 206 / 528
OMAC (One-key CBC-MAC) - (Best CBCMAC Variant)
Figure: OMAC: CBC chaining under C_K as in CBC-MAC, except that H_L(Cst) is XORed into the last block before its encryption; the result is truncated (trunc) to give the MAC
SV 2007 Basic Crypto EPFL-SSC 205 / 528
Processing with an Extra Data
If we wish to send X together with a protocol data a which also needs to be authenticated (e.g. a sequence number, an IP address...)

add a special bit in byte1 which tells that a is used

if a is between 1 and 65279 bytes, encode it on two bytes, make length(a) || a || pad′ where pad′ consists of enough zero bytes to reach the block boundary

insert it between B_0 and B_1 before the CBCMAC computation
SV 2007 Basic Crypto EPFL-SSC 211 / 528
CCM Processing
pad X with enough zero bytes to reach the block boundary

split X || pad as B_1 || ··· || B_n

make B_0 = byte1 || N || length(X) where byte1 encodes M and L

compute the CBCMAC of B_0 || B_1 || ··· || B_n, truncate it to M bytes, and get T

make A_i = byte2 || N || i where byte2 encodes L

encrypt T || X by

Y = (T || X) ⊕ (trunc_M(C_K(A_0)) || trunc(C_K(A_1) || ··· || C_K(A_n)))
SV 2007 Basic Crypto EPFL-SSC 210 / 528
CCM
Figure: CCM: the padded message and the nonce go through CBC-MAC, whose truncated output T forms the head; the head and the body (the message) are XORed with the CTR keystream derived from the key and the nonce
SV 2007 Basic Crypto EPFL-SSC 209 / 528
A Few Examples
stream ciphers: RC4, A5/1...
block ciphers with OFB or CTR mode of operation
finite automaton with an internal state (clock,key,Seed)
J = Enc(time)
r = Enc(J⊕Seed)
and the seed is replaced by
NextSeed = Enc(J⊕ r)
SV 2007 Basic Crypto EPFL-SSC 215 / 528
Famous Failure Cases
The early version of SSL (Wagner): there was not enough effective entropy used in the generation of the session secret key

DSA (Bleichenbacher): the 160-bit random number was reduced modulo a 160-bit prime number q so that the final distribution was biased
SV 2007 Basic Crypto EPFL-SSC 214 / 528
Adversarial Model
Figure: the adversary observes the outputs r_1, …, r_d of the generator and tries to output r_{d+1}
the goal of the adversary is to predict the next generation (e.g. by finding an internal state)
SV 2007 Basic Crypto EPFL-SSC 213 / 528
Conclusion
New cryptographic problems: message integrity, commitment, message authentication, unpredictability
Dedicated cryptographic primitives
Dedicated constructions based on combinatorics
Well identified generic attacks
SV 2007 Basic Crypto EPFL-SSC 220 / 528
Dedicated Primitives and Reductions
Figure: block ciphers yield hash functions (DM + MD schemes), stream ciphers (OFB, CTR modes) and MACs (CBCMAC); hash functions yield MACs (HMAC); stream ciphers yield WC MACs
SV 2007 Basic Crypto EPFL-SSC 219 / 528
Generic Attacks
primitive       attack            complexity   parameter n
encryption      key recovery      Θ(2^n)       key length
hash function   preimage attack   Θ(2^n)       hash length
                collision         Θ(2^{n/2})   hash length
MAC             key recovery      Θ(2^n)       key length
SV 2007 Basic Crypto EPFL-SSC 218 / 528
Conventional Primitives
goal                     primitive
confidentiality          encryption
integrity, commitment    hash function
authentication           MAC
unpredictability         pseudorandom generator
SV 2007 Basic Crypto EPFL-SSC 217 / 528
5 Chapter 5: Security Protocols with Conventional Cryptography
SV 2007 Basic Crypto EPFL-SSC 224 / 528
Conclusion of Chapters 2–4
Conventional cryptographic primitives are efficient
Conventional cryptographic primitives are robust
Conventional cryptographic primitives are weird
Conventional cryptanalysis is well advanced
SV 2007 Basic Crypto EPFL-SSC 223 / 528
Chapter Content
⋆Attack methods: differential cryptanalysis, linear cryptanalysis
⋆Security analysis: nonlinearity, Markov ciphers
⋆Security strengthening: indistinguishability, dedicated construction,decorrelation
SV 2007 Basic Crypto EPFL-SSC 222 / 528
4 Chapter 4: Conventional Security Analysis
SV 2007 Basic Crypto EPFL-SSC 221 / 528
Basic Access Control in HTTP [RFC2617]
The server keeps a database of (realm-value, userid, password) triplets
  realm-value: one “part” of the HTTP server corresponding to an authentication method
  userid: the identification string of a user
  password: the password
Upon a URI request to a server, the server sends a challenge
  WWW-Authenticate: basic realm="〈realm-value〉"
The client must send credentials
  Authorization: basic 〈basic-credentials〉
where basic-credentials = base64(〈userid〉:〈password〉)
If the (realm-value, userid, password) triplet is correct, the server treats the URI request. Otherwise it sends message HTTP/1.0 401 Unauthorized and sends the challenge again.
SV 2007 Basic Crypto EPFL-SSC 228 / 528
Password Authentication Protocols
Client                                          Server
         ── request C to S ───────────────────→
         ←──── credential? ──────────────────
         ── login, password ──────────────────→ check

Example: UNIX password → (login, salt, OW(password, salt)) is stored in a database.
SV 2007 Basic Crypto EPFL-SSC 227 / 528
5 Chapter 5: Security Protocols with Conventional Cryptography
Access Control
Architectures based on Symmetric Cryptography
SV 2007 Basic Crypto EPFL-SSC 226 / 528
Chapter Content
Password access control: UNIX passwords, basic HTTP, PAP
Challenge-response protocols: digest HTTP, CHAP
One-time passwords: Lamport scheme, S/Key
Key distribution: Needham-Schroeder, Kerberos, Merkle puzzles
Authentication chains: Merkle signature scheme, timestamps
Case study: GSM network, Bluetooth network
SV 2007 Basic Crypto EPFL-SSC 225 / 528
Challenge/Response Protocols
Figure: the client and the server share the password; the server picks a random challenge and sends it; both compute MAC(challenge) under the password; the client sends its response and the server compares (=?)
SV 2007 Basic Crypto EPFL-SSC 232 / 528
Challenge/Response Protocols
Client                                           Server
                        ── request C to S ─────→
                        ←── challenge c ───────  pick c at random
r = MAC_password(c)     ── response r ─────────→ check r = MAC_password(c)
SV 2007 Basic Crypto EPFL-SSC 231 / 528
Passive vs Active Adversary
passive adversary: only listens to communications and tries to get a credential to later pass access control

active adversary: can interfere with client or server communications, e.g. man-in-the-middle
SV 2007 Basic Crypto EPFL-SSC 230 / 528
Pros and Cons
Pros
the server does not keep the password (only a digest)
Cons
does not work through a channel without confidentiality protection: the password can be compromised
SV 2007 Basic Crypto EPFL-SSC 229 / 528
Pros and Cons
Pros
the server does not keep the secret
resistance to passive adversary
Cons
used with a single server (or securely synchronized ones)
potential implementation problems (beware of sending i from Server to Client)
not ergonomic: users dislike it
vulnerable to man-in-the-middle attacks
S/Key - OTP [RFC 2289]
Client: choose w
Client → Server: w (Server: pick s at random)
Server: p_i ← H^(N+1−i)(w, s) for i = 0, ..., N
Client ← Server: s, p_1, ..., p_N (Client: store p_1, ..., p_N)
Client: i ← 1; Server: i ← 1, p ← p_0
...
Client → Server: request
Client ← Server: i, s
Client: y ← p_i
Client → Server: y (Server: check H(y) = p, then p ← y, i ← i + 1)
...
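The S/Key exchange above, run end to end, as an added example (not the course's code and not the RFC 2289 implementation): H is instantiated as SHA-256, the chain is built exactly as p_i = H^(N+1−i)(w, s), the server keeps only (s, p, i), and the class and function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def H(data: bytes) -> bytes:
    """The one-way function H of the scheme, instantiated as SHA-256 (assumption: the slide leaves H abstract)."""
    return hashlib.sha256(data).digest()


def skey_chain(w: bytes, s: bytes, n: int) -> List[bytes]:
    """Return [p_0, ..., p_N] with p_i = H^(N+1-i)(w, s); consecutive entries satisfy H(p_i) = p_(i-1)."""
    chain: List[Optional[bytes]] = [None] * (n + 1)
    current = H(w + s)                     # H^1(w, s) = p_N
    for i in range(n, -1, -1):             # i = N, N-1, ..., 0
        chain[i] = current
        current = H(current)               # one more application for the next (smaller) index
    return chain  # type: ignore[return-value]


class SkeyServer:
    """Keeps only (s, p, i): the last accepted password p and the index i it expects next."""

    def __init__(self, w: bytes, n: int, s: Optional[bytes] = None):
        self.s = os.urandom(8) if s is None else s
        chain = skey_chain(w, self.s, n)
        self.p = chain[0]                  # p_0 = H^(N+1)(w, s)
        self.i = 1
        self.n = n
        # s and p_1..p_N are handed to the client at enrolment; the server does not keep them.
        self.enrolment: Tuple[bytes, List[bytes]] = (self.s, chain[1:])

    def challenge(self) -> Tuple[int, bytes]:
        return self.i, self.s

    def verify(self, y: Optional[bytes]) -> bool:
        """Accept y as p_i iff H(y) equals the stored p; then advance to i + 1."""
        if y is None or self.i > self.n or not hmac.compare_digest(H(y), self.p):
            return False
        self.p, self.i = y, self.i + 1
        return True


class SkeyClient:
    """Stores p_1..p_N received at enrolment and answers challenge i with p_i."""

    def __init__(self, s: bytes, passwords: List[bytes]):
        self.s = s
        self.passwords = passwords

    def respond(self, i: int, s: bytes) -> Optional[bytes]:
        if s != self.s or not 1 <= i <= len(self.passwords):
            return None
        return self.passwords[i - 1]


def run_logins(w: bytes, n: int, s: bytes, attempts: int) -> List[bool]:
    """Drive `attempts` successive logins and return the server's verdicts."""
    server = SkeyServer(w, n, s)
    client = SkeyClient(*server.enrolment)
    results = []
    for _ in range(attempts):
        i, s_out = server.challenge()
        results.append(server.verify(client.respond(i, s_out)))
    return results
```

A captured p_i is useless afterwards: the server now expects p_(i+1), which cannot be derived from p_i without inverting H. This is the "resistance to passive adversary" of the Pros and Cons slide; the chain also runs out after N logins, which is why the server rejects anything beyond index N.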
CHAP Access Control in PPP [RFC1334]
CHAP packets are encapsulated in PPP Data Link Layer frames. A CHAP packet consists of
Code (1 byte), Identifier (1 byte), Length (2 bytes), Data
where Code is 1, 2, 3 or 4, Identifier is between 0 and 255, and Length is between 0 and 65535. The Identifier bytes are used to identify different simultaneous PPP sessions.
the PPP server sends a CHAP packet with code 1 (challenge)
the peer sends back a CHAP packet with code 2 (response)
Data_i = [ValueSize (1 byte), Value_i, Name]
Value_2 = H(Identifier, secret, Value_1).
the server sends a CHAP packet with code 3 (success) or 4 (failure)
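The CHAP packet format and the generic challenge/response exchange (request, challenge c, response r = MAC_password(c), check) implemented as one added example. It is not the course's code nor a PPP implementation: H is taken as MD5 as in CHAP-MD5 (RFC 1994), the slide itself leaves H abstract, and the server name, peer names, secrets and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_packet(code: int, identifier: int, data: bytes) -> bytes:
    """CHAP packet = Code (1 byte) | Identifier (1 byte) | Length (2 bytes, whole packet) | Data."""
    if code not in (CHALLENGE, RESPONSE, SUCCESS, FAILURE) or not 0 <= identifier <= 255:
        raise ValueError("bad code or identifier")
    length = 4 + len(data)
    if length > 65535:
        raise ValueError("packet too long")
    return struct.pack("!BBH", code, identifier, length) + data


def parse_packet(raw: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (code, identifier, data), or None when the header or the length is inconsistent."""
    if len(raw) < 4:
        return None
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in (CHALLENGE, RESPONSE, SUCCESS, FAILURE) or length < 4 or length > len(raw):
        return None
    return code, identifier, raw[4:length]


def build_value_data(value: bytes, name: bytes) -> bytes:
    """Data for codes 1 and 2: ValueSize (1 byte) | Value | Name."""
    if not 1 <= len(value) <= 255:
        raise ValueError("ValueSize must be non-zero and fit in one byte")
    return bytes([len(value)]) + value + name


def parse_value_data(data: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Split Data into (Value, Name); None if ValueSize does not match the data."""
    if not data or data[0] == 0 or 1 + data[0] > len(data):
        return None
    size = data[0]
    return data[1:1 + size], data[1 + size:]


def response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value_2 = H(Identifier, secret, Value_1); H is MD5 here (CHAP-MD5), an assumption of this example."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_challenge(identifier: int, server_name: bytes, value: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Code 1 packet carrying a fresh random Value_1 (or the supplied one, for testing)."""
    value = os.urandom(16) if value is None else value
    return build_packet(CHALLENGE, identifier, build_value_data(value, server_name)), value


def peer_respond(packet: bytes, secret: bytes, peer_name: bytes) -> Optional[bytes]:
    """Code 2 packet answering a code 1 packet, reusing its Identifier."""
    parsed = parse_packet(packet)
    if parsed is None or parsed[0] != CHALLENGE:
        return None
    _, identifier, data = parsed
    split = parse_value_data(data)
    if split is None:
        return None
    challenge, _server_name = split
    value = response_value(identifier, secret, challenge)
    return build_packet(RESPONSE, identifier, build_value_data(value, peer_name))


def server_verify(packet: Optional[bytes], identifier: int, challenge: bytes, secrets: Dict[bytes, bytes]) -> bytes:
    """Check Value_2 against the peer's secret (looked up by Name); answer with code 3 or 4."""
    failure = build_packet(FAILURE, identifier, b"")
    if packet is None:
        return failure
    parsed = parse_packet(packet)
    if parsed is None or parsed[0] != RESPONSE or parsed[1] != identifier:
        return failure                  # wrong type, or a response to a different outstanding challenge
    split = parse_value_data(parsed[2])
    if split is None:
        return failure
    value, name = split
    secret = secrets.get(name)
    if secret is None:
        return failure
    expected = response_value(identifier, secret, challenge)
    return build_packet(SUCCESS, identifier, b"") if hmac.compare_digest(value, expected) else failure


def run_chap(secrets: Dict[bytes, bytes], peer_name: bytes, peer_secret: bytes, identifier: int = 7) -> int:
    """Full exchange; returns the final code (3 = success, 4 = failure)."""
    packet, challenge = server_challenge(identifier, b"srv")
    response = peer_respond(packet, peer_secret, peer_name)
    result = parse_packet(server_verify(response, identifier, challenge, secrets))
    return result[0] if result else FAILURE
```

Because Value_1 is fresh per challenge, a recorded response is worthless later (passive resistance, as in the Pros and Cons slide), but the server must hold every peer's secret in clear to recompute H, which is the Con listed there.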
Pros and Cons
Pros
resistance to passive adversary
Cons
the server must keep the password and strongly protect the database
vulnerable to man-in-the-middle attacks
GSM Protocol
Figure: columns SIM, Telephone, Radio, Network Operator. The SIM holds the Key and runs A3 (Challenge → Response) and A8 (Challenge → Temporary key); the Telephone runs A5 under the Temporary key to turn Plaintext into Ciphertext on the Radio link and back. The Network Operator holds the same Key, picks the Random challenge, runs A3 to Compare the Response, runs A8 to derive the same Temporary key, and runs A5 to recover the Plaintext from the Ciphertext.
GSM Slang
GSM: Global System for Mobile telecommunications
MS: Mobile Station
SIM: Subscriber Identity Module (part of MS)
HLR: Home Location Register
VLR: Visitor Location Register
IMSI: International Mobile Subscriber Identity (stored in SIM)
Ki: subscriber Integrity Key (securely stored in SIM)
GSM Authentication
principle 1: authentication of mobile system
principle 2: privacy protection in the wireless link
challenge-response protocol based on Ki
encryption key for a limited period of time (derived from Ki)
identity IMSI replaced by a pseudonym TMSI as soon as possible
Ki never leaves the security module (SIM card) or home security database (HLR)
5 Chapter 5: Security Protocols with Conventional Cryptography
Access Control
Architectures based on Symmetric Cryptography
Bluetooth Security
mode 1: non-secure
mode 2: service level enforced security
mode 3: link level enforced security
Bluetooth History
10th Century: Viking King Harald Blatand (Harold Bluetooth) tried to unify Denmark, Norway, and Sweden
1994: Ericsson initiated a study to investigate the feasibility
May 20, 1998: Bluetooth announced, controlled by the Special Interest Group (SIG) formed by Ericsson, IBM, Intel, Nokia, and Toshiba
July 1999: Bluetooth 1.0 Specification Release
November 2004: Bluetooth 2.0 Specification Release
nearly 2000 members in SIG
The Bluetooth Project
short-range wireless technology
designed to transmit voice and data
for a variety of mobile devices (computing, communicating, ...)
bring together various markets
1 Mbit/sec up to 10 meters over the 2.4-GHz radio frequency
robustness, low complexity, low power, low cost
GSM Authentication
A3/8(Ki, RAND) = (SRES, KC)
Parties: SIM (holds Ki), MS, VLR, HLR (holds Ki); the MS-VLR link is wireless, the VLR-HLR link is secure.
SIM → MS: IMSI
MS → VLR: IMSI
VLR → HLR: IMSI
VLR ← HLR: n × (RAND, SRES, KC) (VLR: store)
MS ← VLR: RAND
SIM ← MS: RAND
SIM → MS: SRES, KC
MS → VLR: SRES (VLR: check)
MS ← VLR: C_KC(TMSI)
...
MS → VLR: TMSI
MS ← VLR: RAND
SIM ← MS: RAND
SIM → MS: SRES, KC
MS → VLR: SRES (VLR: check)
Typical Secure Communication Problem
Figure: Device A and Device B communicate over a radio link; the Human User has a SECURE channel to each device.
secure channel for a PIN only
security based on an ephemeral PIN
Privacy in Bluetooth
Figure (device life cycle): set discoverable mode → pairing protocol → set non-discoverable mode → connect to paired device → secure session → end session
Figure annotations: one bracket marks the discoverable phase as unsafe, another marks the part of the sequence that is under user monitoring.
Discovery and Connection Protocols
Discovery protocol:
Device → Target Device: who's there?
Device ← Target Device: I'm ADDR
Connection protocol:
Device → Target Device: connect to ADDR
Device ← Target Device: yes/no
Security from an Outside View
(for security level 3)
discoverable vs non-discoverable (privacy)
                   non connectable   connectable
non discoverable   off               cruise mode
discoverable       —                 setup mode
Operations: set mode; pairing protocol (pairing based on a PIN code introduced by a human operator); database of paired devices; list of paired devices.
Pairing Protocol
Master A / Slave B
A: user inputs PIN code; B: user inputs PIN code
A: pick IN_RAND
A → B: IN_RAND
A, B: Kinit = E22(PIN, IN_RAND)
A: pick LK_RANDA; B: pick LK_RANDB
A: CA = LK_RANDA ⊕ Kinit; B: CB = LK_RANDB ⊕ Kinit
A → B: CA
A ← B: CB
A: LK_RANDB = CB ⊕ Kinit; B: LK_RANDA = CA ⊕ Kinit
A, B: compute K
K = E21(LK_RANDA, BD_ADDRA) ⊕ E21(LK_RANDB, BD_ADDRB)
Device Pairing
Figure: the Operator enters the same PIN into Device 1 and Device 2; after a request (and the rest of the exchange) the pairing protocol runs between the two devices and each ends up with the link key Klink.
Key Management from an Inside View
pairing generates an ephemeral key Kinit (discarded after pairing)
pairing leads to a long-term 128-bit link key K
(dummy devices have a fixed Kunit which can be forced to become the link key)
link key used to authenticate devices and to derive an encryption key Kc
effective length of encryption key from 8 to 128 bits (for regulation purposes)
... with a Dummy Device
Figure: Device A and a Dummy device communicate over a radio link; the Human User has a SECURE channel to each of them.
limited keyboard and screen (button and LED only)
manufactured PIN and semi-permanent unit key
Peer Authentication
Master A / Slave B
A: pick AU_RANDB
A → B: AU_RANDB (B: compute SRESB)
A ← B: SRESB (A: check SRESB)
A ← B: AU_RANDA (B: pick AU_RANDA)
A: compute SRESA
A → B: SRESA (B: check SRESA)
SRES_d = E1(K, AU_RAND_d, BD_ADDR_d)
Dummy Devices: Unit Key is Shared with Many Devices
Figure: the Dummy device holds a single unit key Kunit, and both Device 1 and Device 2 end up holding that same Kunit.
... with a Dummy Device
Master A / Slave B
A: user inputs PIN code; B: user inputs PIN code (or not)
A: pick IN_RAND
A → B: IN_RAND
A, B: Kinit = E22(PIN, IN_RAND)
A ← B: CB (B: CB = Kunit ⊕ Kinit)
A: K = CB ⊕ Kinit; B: K = Kunit
link key is forced to be the unit key
→ problem if dummy device is (or has been) paired with multiple devices
Pairing with a Dummy Device
Figure: the Factory installs the PIN and the unit key Kunit in the Dummy device; the Operator reads the PIN and enters it into the Device; after the request and the pairing protocol the Device holds Kunit as link key, as does the Dummy device.
Server-Aided Authentication (Bad One)
AS / Client / Server
AS ← Client: request IC to IS (AS: pick K)
AS → Client: C_KC(K), C_KS(K)
Client → Server: C_KS(K), IC
Problem: there is no authentication: an attacker can replace IC or IS
Server-Aided Authentication
Hypotheses:
there is an online (trusted) authentication server (AS)
AS shares KC with client IC
AS shares KS with server IS
Goal: to help IC and IS to share a session key K (and to help careless users to get privacy)
Sniffing + Offline Attack
Assumption: pairing not made in a private environment (channel not confidential) and guessable PIN (lazy operator)
1. sniff the pairing protocol, get IN_RAND, CA, CB
2. → can compute Klink from PIN
3. sniff a peer-authentication protocol, get rand, F(rand, Klink)
4. → can check a guess on Klink
5. run an offline exhaustive search on PIN
Underlying Hypothesis
pairing is made in a bunker (equipped with a Faraday cage)
Confidentiality seems necessary during the pairing protocol. Otherwise one can derive dramatic sniffing attacks (Jakobsson-Wetzel 2001)
Basic Kerberos Protocol
AS / Client / Server
AS ← Client: request IC to IS, N (Client: pick N)
AS: pick K
AS → Client: C_KC(K, IS, N, T, L), C_KS(K, IC, T, L)
Client → Server: C_KS(K, IC, T, L), C_K(IC, T)
Client ← Server: C_K(T+1)
T: clock value; L: validity period
Needham-Schroeder Authentication
AS / Client / Server
AS ← Client: request IC to IS, N1 (Client: pick N1)
AS: pick K
AS → Client: C_KC(K, IS, N1, C_KS(K, IC))
Client → Server: C_KS(K, IC)
Client ← Server: C_K(N2) (Server: pick N2)
Client → Server: C_K(N2+1)
Problem: replay attack by impersonating C after K gets compromised
Server-Aided Authentication (Still Bad One)
AS / Client / Server
AS ← Client: request IC to IS (AS: pick K)
AS → Client: C_KC(K, IS), C_KS(K, IC)
Client → Server: C_KS(K, IC)
Problem: replay attack by impersonating AS after K gets compromised
Attack
AS / Adv. / Server
AS ← Adv.: request IA to IS (AS: pick K)
AS → Adv.: C_KA(K), C_KS(K)
Adv. → Server: C_KS(K), IC
Server thinks he is talking to IC
Chapter Content
Group theory: isomorphism, construction
Zn ring: Euclid algorithm, exponentiation, Chinese Remainder Theorem
Finite fields: generators, construction
⋆Quadratic residue
Elliptic curves
6 Chapter 6: Algorithmic Algebra
Conclusion
Lightweight networks based on conventional cryptography only (GSM, Bluetooth, ...)
Although limited, we can make many protocols with only conventional cryptography
Assembling cryptographic primitives in a protocol is not trivial
Kerberos
C → AS: request C to TGS, options, N0
C ← AS: C_KC(K0, time, N0, ITGS), grant = C_KTGS(flags, K0, IC, time) (AS: pick K0)
C → TGS: IS, options, grant, N, C_K0(IC, time)
C ← TGS: C_K0(K, time, N, IS, T, L), ticket = C_KS(flags, K, IC, T, L) (TGS: pick K)
C → S: ticket, C_K(IC, T)
C ← S: C_K(T+1)
Group Constructions
Subgroups: given (G, .), and given H ⊆ G which is nonempty and stable by . and inversion, consider (H, .)
Product groups: given (G1, ×1) and (G2, ×2), consider G = G1 × G2 and (a1, a2).(b1, b2) = (a1 ×1 b1, a2 ×2 b2)
Power groups: given (G, .) and I, consider G^I and (a_i)_{i∈I} × (b_i)_{i∈I} = (a_i . b_i)_{i∈I}
Quotient groups: given (G, .) commutative and a subgroup H, consider the set G/H of representatives of the congruence modulo H with the law induced by .
Additive vs Multiplicative Notations
                  additive notations   multiplicative notations
group             (G, +)               (G, ×)
operation         a + b                a.b
neutral element   0                    1
inverse           −a                   a^−1
exponential       n.a                  a^n
Definition, Examples
Definition
A group is a set G together with a mapping from G × G to G which maps (a, b) to an element denoted ab and such that
1. [closure] for any a, b ∈ G, we have ab ∈ G
2. [associativity] for any a, b, c, we have (ab)c = a(bc)
3. [neutral element] there exists an element e s.t. for any a, ae = ea = a
4. [invertibility] for any a there exists b s.t. ab = ba = e
Examples: Z with +; S_A with ◦; Zn with the addition modulo n
6 Chapter 6: Algorithmic Algebra
Groups
Rings
The Zn Ring
Finite Fields
Generators
Given a group (G, .), an element g generates a subgroup
〈g〉 = {..., g^−2, g^−1, g^0, g^1, g^2, ...}
If 〈g〉 is finite, of cardinality n, then g^n = 1 and
〈g〉 = {g^0, g^1, ..., g^(n−1)}
Proof. Let m be the smallest integer s.t. there exists i s.t. 0 ≤ i < m and g^i = g^m. Since g^(i−1) = g^(m−1) we must have i − 1 < 0, hence i = 0 and g^j = g^(j mod m), and
〈g〉 = {g^0, g^1, ..., g^(m−1)}
so n = m.
The mapping ϕ : Zn → 〈g〉 defined by ϕ(a) = g^a is a group isomorphism. Namely, ϕ(a + b) = ϕ(a) · ϕ(b) for any a, b ∈ Zn
Cerebral Zn
nZ is a subgroup of Z (with law +), which is commutative (group generated by n)
we can do the quotient Z/nZ of Z by nZ
congruence modulo nZ is written
a ≡ b (mod n) ⇐⇒ a − b ∈ nZ ⇐⇒ a mod n = b mod n
note that (a + nZ) + (b + nZ) = (a ⊞ b) + nZ
an exhaustive list of equivalence classes is
0 + nZ, 1 + nZ, 2 + nZ, ..., (n−1) + nZ
we simply write a instead of a + nZ
Pedestrian Zn
Euclidean division in Z: for any a ∈ Z and any n > 0 there exists a unique (q, r) ∈ Z^2 such that a = qn + r and 0 ≤ r < n; we write q = ⌊a/n⌋ and r = a mod n
Zn = {0, 1, ..., n−1}
addition in Zn: a ⊞ b = (a + b) mod n
useful lemma: (a + (b mod n)) mod n = (a + b) mod n
closure: comes from x mod n ∈ Zn for any x ∈ Z
associativity: comes from the lemma
neutral element: 0
invertibility: comes from the lemma, (−a) mod n
Functional vs Family Notations
                   functional notations      family notations
function domain    D                         index set I
function range     R                         set S
finite domain      f : {1, ..., n} → R       (x_1, ..., x_n)
infinite domain    f : D → R                 (x_i)_{i∈I}
input              x ∈ D                     i ∈ I
image              f(x) ∈ R                  x_i ∈ S
set                                          S^I, S^n
Addition in Elliptic Curves
E_{a,b} = {O} ∪ {(x, y); y^2 = x^3 + ax + b}
Given P = (xP, yP), we define −P = (xP, −yP) and −O = O.
Given P = (xP, yP) and Q = (xQ, yQ), if Q = −P, we define P + Q = O.
Given P = (xP, yP) and Q = (xQ, yQ), if Q ≠ −P, we let
λ = (yQ − yP) / (xQ − xP) if xP ≠ xQ
λ = (3 xP^2 + a) / (2 yP) if xP = xQ
xR = λ^2 − xP − xQ
yR = (xP − xR) λ − yP
R = (xR, yR) and P + Q = R.
In addition, P + O = O + P = P and O + O = O.
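The addition law above, carried out over a prime field Z_p, with the double-and-add scalar multiplication that the "Generalization: Exponential" slide describes for an additive group. This is an added example, not the course's code; it assumes the constructed toy curve y^2 = x^3 + 2x + 2 over Z_17 with base point (5, 1), which is not on the slide, and the function names are this example's own.

```python
from typing import Optional, Tuple

# Constructed toy curve (assumption, not from the slide): y^2 = x^3 + 2x + 2 over Z_17.
P_MOD, A, B = 17, 2, 2
Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O
O: Point = None


def on_curve(pt: Point, p: int = P_MOD, a: int = A, b: int = B) -> bool:
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def neg(pt: Point, p: int = P_MOD) -> Point:
    """-P = (xP, -yP), -O = O."""
    if pt is O:
        return O
    x, y = pt
    return (x, (-y) % p)


def add(P: Point, Q: Point, p: int = P_MOD, a: int = A) -> Point:
    """Chord-and-tangent addition exactly as on the slide, with division done via modular inverses."""
    if P is O:
        return Q
    if Q is O:
        return P
    if Q == neg(P, p):                        # Q = -P (also covers P = -P, i.e. yP = 0)
        return O
    xP, yP = P
    xQ, yQ = Q
    if xP != xQ:
        lam = (yQ - yP) * pow(xQ - xP, -1, p) % p
    else:                                     # P = Q: tangent slope
        lam = (3 * xP * xP + a) * pow(2 * yP, -1, p) % p
    xR = (lam * lam - xP - xQ) % p
    yR = ((xP - xR) * lam - yP) % p
    return (xR, yR)


def scalar_mul(k: int, P: Point, p: int = P_MOD, a: int = A) -> Point:
    """k.P by double-and-add over the bits of k, O(log k) group operations."""
    if k < 0:
        return scalar_mul(-k, neg(P, p), p, a)
    R: Point = O
    for i in range(k.bit_length() - 1, -1, -1):
        R = add(R, R, p, a)                   # double
        if (k >> i) & 1:
            R = add(R, P, p, a)               # add
    return R


def point_order(P: Point, p: int = P_MOD, a: int = A) -> int:
    """Smallest m > 0 with m.P = O (brute force; fine for a toy curve)."""
    m, Q = 1, P
    while Q is not O:
        Q = add(Q, P, p, a)
        m += 1
    return m


def curve_order(p: int = P_MOD, a: int = A, b: int = B) -> int:
    """Number of points, O included, by enumerating all (x, y) in Z_p^2."""
    return 1 + sum(1 for x in range(p) for y in range(p) if on_curve((x, y), p, a, b))
```

On this curve the group has 19 points, a prime, so by the Lagrange consequence on the "Finite Groups" slide every point other than O generates the whole group.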
Elliptic Curves
Figure: points P, Q and their sum P + Q on an elliptic curve.
Example
Z15 has order 15
We have 〈5〉 = {0, 5, 10}. This is a subgroup of order 3. 5 has order 3 in Z15
We have 〈2〉 = {0, 2, 4, 6, 8, 10, 12, 14, 1, 3, 5, 7, 9, 11, 13}. 2 has order 15 in Z15
2 is a generator
Finite Groups
Definition
If (G, .) is a group and if G is a finite set, then the cardinality of G is called the group order. If g generates a subgroup of order m, then m is called the order of g.
Property: the order of g is the smallest i > 0 s.t. g^i = 1.
Theorem (Lagrange)
The order of any element is a factor of the order of the group.
Consequence: if G has prime order, all elements (except 1) are generators
Ring Units
Let (R, +, .) be a ring. (Example: R = Zn.)
We let R^∗ denote the set of invertible elements: the group of units
a, b ∈ R are equivalent if a = ub for some unit u
Example: Z15^∗ = {1, 2, 4, 7, 8, 11, 13, 14}
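The Z15 computations of the "Example" slide (〈5〉, 〈2〉, element orders) and of this slide (Z15^∗), together with a check of Lagrange's theorem on the group of units, as an added example. It is not the course's code; the function names are this example's own and the only inputs are small moduli constructed for the checks.

```python
from math import gcd
from typing import List


def additive_subgroup(g: int, n: int) -> List[int]:
    """<g> in (Z_n, +): 0, g, 2g, ... listed in the order generated, until it returns to 0."""
    elems = [0]
    x = g % n
    while x != 0:
        elems.append(x)
        x = (x + g) % n
    return elems


def additive_order(g: int, n: int) -> int:
    return len(additive_subgroup(g, n))


def units(n: int) -> List[int]:
    """Z_n^* = the invertible residues, i.e. those coprime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n: int) -> int:
    """Euler totient: the order of Z_n^*."""
    return len(units(n))


def multiplicative_subgroup(g: int, n: int) -> List[int]:
    """<g> in (Z_n^*, ×); requires n >= 2 and gcd(g, n) = 1 so that the powers cycle back to 1."""
    if n < 2 or gcd(g, n) != 1:
        raise ValueError("g must be a unit modulo n, n >= 2")
    elems = [1]
    x = g % n
    while x != 1:
        elems.append(x)
        x = (x * g) % n
    return elems


def multiplicative_order(g: int, n: int) -> int:
    return len(multiplicative_subgroup(g, n))


def is_generator_of_units(g: int, n: int) -> bool:
    """g generates Z_n^* iff its order equals phi(n)."""
    return n >= 2 and gcd(g, n) == 1 and multiplicative_order(g, n) == phi(n)


def lagrange_holds(n: int) -> bool:
    """Lagrange on Z_n^*: the order of every unit divides phi(n) (and so x^phi(n) = 1, Euler)."""
    order = phi(n)
    return all(order % multiplicative_order(x, n) == 0 and pow(x, order, n) == 1 for x in units(n))
```

The same brute-force enumeration is what makes these notions concrete for small n only: for cryptographic moduli the group orders are computed from the factorization (Chapter 7), never by listing elements.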
Ring Constructions
Product rings: given (R1, +1, ×1) and (R2, +2, ×2), consider R = R1 × R2 and (a1, a2).(b1, b2) = (a1 ×1 b1, a2 ×2 b2)
Power rings: given (R, +, .) and A, consider R^A and (a_i)_{i∈A} × (b_i)_{i∈A} = (a_i . b_i)_{i∈A}
Ideals: given (R, +, .), and given a subgroup I of R s.t. ∀a ∈ I ∀b ∈ R ab, ba ∈ I
Quotient rings: given (R, +, .) and an ideal I, consider the group R/I of representatives of the congruence modulo I with the law induced by .
Definition, Examples
Definition
A ring is an Abelian group (R, +) together with a mapping from R × R to R which maps (a, b) to an element denoted ab and such that
1-4. [group] R with + is a group
5. [Abelian] for any a, b, we have a + b = b + a
6. [closure] for any a, b ∈ R, we have ab ∈ R
7. [associativity] for any a, b, c, we have (ab)c = a(bc)
8. [neutral element] there exists an element 1 s.t. for any a, a1 = 1a = a
9. [distributivity] for any a, b, c, we have a(b + c) = ab + ac and (a + b)c = ac + bc
Examples: Z with + and ×; Z[X] with + and ×; Zn with the addition and multiplication modulo n
6 Chapter 6: Algorithmic Algebra
Groups
Rings
The Zn Ring
Finite Fields
Addition in Binary
1 + 1 = 10
carries:      1 1
    1 001 001
+  10 011 000
=  11 100 001
Input: a and b, two integers of at most ℓ bits
Output: c, an integer of at most ℓ + 1 bits representing a + b
Complexity: O(ℓ)
1: r ← 0
2: for i = 0 to ℓ−1 do
3:   d ← a_i + b_i + r
4:   set c_i and r to bits such that d = 2r + c_i
5: end for
6: c_ℓ ← r
Addition with Big Numbers (in Decimal)
carries:   1 1 1
    8 427 403
+  12 951 842
=  21 379 245
Input: two integers a and b of ℓ digits
Output: one integer c = a + b
1: r ← 0
2: for i = 0 to ℓ−1 do
3:   d ← a_i + b_i + r
4:   write d = 10r + c_i with c_i < 10
5: end for
6: c_ℓ ← r
6 Chapter 6: Algorithmic Algebra
Groups
Rings
The Zn Ring
Finite Fields
Irreducibility and Primes
Let us consider the ring (R, +, .) = Z.
a, b ∈ R are equivalent if a = ±b
If a ∈ R is such that for all b, c ∈ R, a = bc ⇒ b = ±1 or c = ±1, then a is said to be irreducible
We define the primes as the positive irreducible integers
There is a Euclidean division in Z: for any a, b with b > 0, there exist q, r s.t. a = qb + r and 0 ≤ r < b
In Euclidean rings, elements are uniquely factored into a product of primes and a unit (up to any permutation of the product)
Multiplication From Right to Left
Input: a and b, two integers of at most ℓ bits
Output: c = a × b
Complexity: O(ℓ^2)
1: x ← 0
2: y ← a
3: for i = 0 to ℓ−1 do
4:   if b_i = 1 then
5:     x ← x + y
6:   end if
7:   y ← y + y
8: end for
9: c ← x
Multiplication
12 × 100101 = 444
              1 1 0 0   0x00c (12)
×         1 0 0 1 0 1   0x025 (37)
              1 1 0 0   0x00c (12)
+           0 0 0 0     0x000 (0)
+         1 1 0 0       0x030 (48)
+       0 0 0 0         0x000 (0)
+     0 0 0 0           0x000 (0)
+   1 1 0 0             0x180 (384)
=   1 1 0 1 1 1 1 0 0   0x1bc (444)
Figure: the same product built right to left as a tree of doublings (DB) and additions: 12 → 24 → 48 → 96 → 192 → 384 by repeated doubling; 12 + 48 = 60; 60 + 384 = 444.
Addition in Zn
Input: an integer n of ℓ bits, two integers a and b less than n
Output: c, an integer which represents a + b mod n
Complexity: O(ℓ)
1: add a and b in c
2: compare c and n
3: if c ≥ n then
4:   subtract n from c
5: end if
Addition (Binary/Hexadecimal/Decimal)
      1 0 1 0 1 0 0   0x54 (84)
+   1 0 0 1 0 0 1 0   0x92 (146)
=   1 1 1 0 0 1 1 0   0xe6 (230)
Multiplication in Zn From Left to Right
Input: an integer n of ℓ bits, a, b ∈ Zn
Output: c = a × b mod n
Complexity: O(ℓ^2)
1: x ← 0
2: for i = ℓ−1 down to 0 do
3:   x ← x + x mod n
4:   if b_i = 1 then
5:     x ← x + a mod n
6:   end if
7: end for
8: c ← x
Multiplication From Left to Right
Input: a and b, two integers of at most ℓ bits
Output: c = a × b
Complexity: O(ℓ^2)
1: x ← 0
2: for i = ℓ−1 down to 0 do
3:   x ← x + x
4:   if b_i = 1 then
5:     x ← x + a
6:   end if
7: end for
8: c ← x
From Left to Right
12 × 100101 = 444
The bits of 100101 are read from the most significant one; DB doubles x, + adds 12:
x: 0 →(DB) 0 →(+) 12 →(DB) 24 →(DB) 48 →(DB) 96 →(+) 108 →(DB) 216 →(DB) 432 →(+) 444
Prefixes of the multiplier handled so far: 12×1, 12×10, 12×100, 12×1001, 12×10010, 12×100101
Multiplication in Zn From Right to Left
Input: an integer n of ℓ bits, a, b ∈ Zn less than n
Output: c = a × b mod n
Complexity: O(ℓ^2)
1: x ← 0
2: y ← a
3: for i = 0 to ℓ−1 do
4:   if b_i = 1 then
5:     x ← x + y mod n
6:   end if
7:   y ← y + y mod n
8: end for
9: c ← x
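The bit-level algorithms of the preceding slides (ripple-carry addition, addition in Zn by compare-and-subtract, right-to-left multiplication and left-to-right multiplication in Zn) written out on explicit bit arrays, so that the O(ℓ) and O(ℓ^2) costs are visible in the loops. This is an added example, not the course's code: integers are constructed as little-endian bit lists and the helper names are this example's own.

```python
from typing import List, Tuple

Bits = List[int]   # least significant bit first: value = sum(bits[i] * 2**i)


def to_bits(value: int, length: int) -> Bits:
    if value < 0 or value >= 1 << length:
        raise ValueError("value does not fit in the requested number of bits")
    return [(value >> i) & 1 for i in range(length)]


def from_bits(bits: Bits) -> int:
    return sum(b << i for i, b in enumerate(bits))


def _pad(a: Bits, b: Bits) -> Tuple[Bits, Bits, int]:
    length = max(len(a), len(b))
    return a + [0] * (length - len(a)), b + [0] * (length - len(b)), length


def add_bits(a: Bits, b: Bits) -> Bits:
    """Slide algorithm: ripple-carry addition; the output has ℓ+1 bits, c_ℓ being the final carry."""
    a, b, length = _pad(a, b)
    c = [0] * (length + 1)
    r = 0
    for i in range(length):
        d = a[i] + b[i] + r          # 0..3
        c[i], r = d & 1, d >> 1      # d = 2r + c_i
    c[length] = r
    return c


def compare_bits(a: Bits, b: Bits) -> int:
    """-1, 0 or 1 as a < b, a = b, a > b, scanning from the most significant bit."""
    a, b, length = _pad(a, b)
    for i in range(length - 1, -1, -1):
        if a[i] != b[i]:
            return 1 if a[i] > b[i] else -1
    return 0


def sub_bits(a: Bits, b: Bits) -> Bits:
    """a - b with borrow propagation; requires a >= b."""
    a, b, length = _pad(a, b)
    c = [0] * length
    borrow = 0
    for i in range(length):
        d = a[i] - b[i] - borrow
        c[i], borrow = d & 1, (1 if d < 0 else 0)
    if borrow:
        raise ValueError("negative result")
    return c


def add_mod_bits(a: Bits, b: Bits, n: Bits) -> Bits:
    """Addition in Zn as on the slide: add, compare with n, subtract n once if c >= n (inputs must be < n)."""
    c = add_bits(a, b)
    if compare_bits(c, n) >= 0:
        c = sub_bits(c, n)
    return c[:len(n)]                # the result is < n, so it fits in ℓ = len(n) bits


def mul_right_to_left(a: Bits, b: Bits) -> Bits:
    """x accumulates a * 2^i for every set bit b_i; y is doubled each round."""
    x, y = [0], a
    for i in range(len(b)):
        if b[i] == 1:
            x = add_bits(x, y)
        y = add_bits(y, y)
    return x


def mul_mod_left_to_right(a: Bits, b: Bits, n: Bits) -> Bits:
    """Double-and-add from the most significant bit of b, reducing modulo n at every step."""
    x = [0] * len(n)
    for i in range(len(b) - 1, -1, -1):
        x = add_mod_bits(x, x, n)
        if b[i] == 1:
            x = add_mod_bits(x, a, n)
    return x
```

Keeping every intermediate value below n is what bounds the cost at O(ℓ^2): each of the ℓ rounds does at most two ℓ-bit additions and one comparison, never a full-size product followed by a division.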
Alternate Presentation
26^100101 mod 77 = 5
Right-to-left trace; SQ squares y modulo 77, and the bits of 100101 are read from the least significant one:
y: 26 →(SQ) 60 →(SQ) 58 →(SQ) 53 →(SQ) 37 →(SQ) 60
x: 1 →(× 26, bit 1) 26 →(× 58, bit 1) 45 →(× 60, bit 1) 5
Modular Exponentiation
0x1a (26) power 100101 = 0x25 (37), mod 0x4d (77)
bit   factor           successive squares
1     26^1 = 26  0x1a (26)
0     60^0 = 1   0x01 (1)    26^2 mod 77 = 60
1     58^1 = 58  0x3a (58)   60^2 mod 77 = 58
0     53^0 = 1   0x01 (1)    58^2 mod 77 = 53
0     37^0 = 1   0x01 (1)    53^2 mod 77 = 37
1     60^1 = 60  0x3c (60)   37^2 mod 77 = 60
product of the factors modulo 77 = 0x05 (5)
Generalization: Exponential
if we can compute a group law ab in O(T) then we can compute a^n for n ∈ N in O(T log n)
if we can compute a group law a + b in O(T) then we can compute n.a for n ∈ N in O(T log n)
Example
12 × 100101 mod 77 = 59
Same left-to-right scheme, reducing modulo 77 after each step:
x: 0 →(DB) 0 →(+) 12 →(DB) 24 →(DB) 48 →(DB) 19 →(+) 31 →(DB) 62 →(DB) 47 →(+) 59
Prefixes of the multiplier handled so far: 12×1, 12×10, 12×100, 12×1001, 12×10010, 12×100101
Euclidean Division
we can just adapt the algorithm we have learnt at school (not trivial to implement!)
for any a ∈ Z and n > 0 there exists a unique pair (q, r) ∈ Z^2 such that a = qn + r and 0 ≤ r < n
q = ⌊a/n⌋ and r = a mod n
algorithm runs in O(ℓ^2)
Example
26^100101 mod 77 = 5
Left-to-right trace; SQ squares modulo 77, × multiplies by 26:
x: 1 →(SQ) 1 →(×) 26 →(SQ) 60 →(SQ) 58 →(SQ) 53 →(×) 69 →(SQ) 64 →(SQ) 15 →(×) 5
Prefixes of the exponent handled so far: 26 = 26^1, 26^2 = 26^10, 26^(2^2) = 26^100, 26^(2^3+1) = 26^1001, 26^(2^4+2) = 26^10010, 26^(2^5+2^2+1) = 26^100101
Exponentiation From Left to Right
Input: a and n, two integers of at most ℓ bits, an integer e
Output: x = a^e mod n
Complexity: O(ℓ^2 log e)
1: x ← 1
2: for i = log e − 1 down to 0 do
3:   x ← x × x mod n
4:   if e_i = 1 then
5:     x ← x × a mod n
6:   end if
7: end for
Exponentiation From Right to Left
Input: a and n, two integers of at most ℓ bits, an integer e
Output: x = a^e mod n
Complexity: O(ℓ^2 log e)
1: x ← 1
2: y ← a
3: for i = 0 to log e − 1 do
4:   if e_i = 1 then
5:     x ← x × y mod n
6:   end if
7:   y ← y × y mod n
8: end for
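Both exponentiation algorithms, plus the generic square-and-multiply of the "Generalization: Exponential" slide, which takes any group law as a parameter so that the same code yields a^n in (Zn, ×) and n.a in (Zn, +). This is an added example, not the course's code; the `trace` list reproduces the values printed on the 26^100101 mod 77 example slide, and the function names are this example's own.

```python
from typing import Callable, List, Optional, TypeVar

T = TypeVar("T")


def power(op: Callable[[T, T], T], identity: T, a: T, n: int) -> T:
    """Generic left-to-right square-and-multiply: a^n for any associative law `op`
    with neutral element `identity`, in O(log n) applications of op."""
    if n < 0:
        raise ValueError("n must be non-negative")
    x = identity
    for i in range(n.bit_length() - 1, -1, -1):
        x = op(x, x)                 # square
        if (n >> i) & 1:
            x = op(x, a)             # multiply
    return x


def modexp_left_to_right(a: int, e: int, n: int, trace: Optional[List[int]] = None) -> int:
    """a^e mod n scanning the exponent bits from the most significant one;
    `trace` receives x after every square and every multiply (as on the example slide)."""
    x = 1
    if trace is not None:
        trace.append(x)
    for i in range(e.bit_length() - 1, -1, -1):
        x = x * x % n
        if trace is not None:
            trace.append(x)
        if (e >> i) & 1:
            x = x * a % n
            if trace is not None:
                trace.append(x)
    return x


def modexp_right_to_left(a: int, e: int, n: int) -> int:
    """a^e mod n scanning the exponent bits from the least significant one; y holds a^(2^i)."""
    x, y = 1, a % n
    while e > 0:
        if e & 1:
            x = x * y % n
        y = y * y % n
        e >>= 1
    return x
```

Both variants perform the same number of squarings; the left-to-right one needs no second accumulator, which is why it is the usual textbook form, while the right-to-left one never has to know the bit length in advance.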
Extended Euclid Algorithm
Input: a and b, two integers of at most ℓ bits
Output: d, u, v such that d = au + bv = gcd(a, b)
Complexity: O(ℓ^2)
Vectors X = (x1, x2, x3) and Y = (y1, y2, y3):
1: X ← (a, 1, 0), Y ← (b, 0, 1)
2: while y1 > 0 do
3:   make a Euclidean division x1 = q y1 + r
4:   do simultaneously X ← Y and Y ← X − qY
5: end while
6: (d, u, v) ← X
Invariant: X, Y ∈ {(α, β, γ); α = a · β + b · γ}
Why does it Work?
a divisor of x and y is a divisor of x − qy for all q
x = (x − qy) − (−q)y
d divides x and y ⇐⇒ d divides y and x − qy
gcd(x, y) = gcd(y, x − qy)
gcd(x, 0) = x
conclusion: the algorithm terminates with gcd(a, b)
to be discussed: running time (complexity)
Example
We run the algorithm with a = 22 and b = 35. We obtain the following sequence.
iteration   x    y    q
0           22   35   0
1           35   22   1
2           22   13   1
3           13   9    1
4           9    4    2
5           4    1    4
6           1    0
Thus gcd(22, 35) = 1.
Euclid Algorithm
Input: a and b, two integers of at most ℓ bits
Output: d = gcd(a, b)
Complexity: O(ℓ^2)
1: x ← a, y ← b
2: while y > 0 do
3:   make a Euclidean division x = qy + r
4:   do simultaneously x ← y and y ← x − qy
5: end while
6: d ← x
Euler Totient Function
ϕ(n) is the order of Zn^∗
Theorem
Given an integer n, we have the following results.
For all x ∈ Zn we have x ∈ Zn^∗ ⇐⇒ gcd(x, n) = 1.
Zn is a field ⇐⇒ Zn^∗ = Zn \ {0} ⇐⇒ ϕ(n) = n − 1 ⇐⇒ n is prime
For all x ∈ Zn^∗ we have x^ϕ(n) ≡ 1 (mod n).
For all x ∈ Zn^∗, if e is such that gcd(e, ϕ(n)) = 1, we let d = e^−1 mod ϕ(n). Then, x^d mod n is the only e-th root of x modulo n
Arithmetics with Big Numbers
addition (O(ℓ)): x, y ↦ x + y and x, y, n ↦ (x + y) mod n
multiplication (O(ℓ^2)): x, y ↦ x × y and x, y, n ↦ (x × y) mod n
Euclidean division (O(ℓ^2)): x, n ↦ x mod n
→ Arithmetics in Zn
fast exponential (O(ℓ^3)): x, e, n ↦ x^e mod n
Euclid Algorithm (O(ℓ^2)): x, y ↦ a, b s.t. ax + by = gcd(x, y)
inversion in Zn (O(ℓ^2)): x, n ↦ y s.t. xy mod n = 1 (when feasible)
Modular Inversion
Theorem
x ∈ Zn is invertible if and only if gcd(x, n) = 1.
Proof.
⇒ if gcd(x, n) = d > 1 then d divides (x · y) mod n for any y, so (x · y) mod n ≠ 1 and x is not invertible.
⇐ if gcd(x, n) = 1, the Extended Euclid algorithm finds the inverse of x.
Example
We run the algorithm with a = 22 and b = 35. We obtain the following sequence of vectors.
iteration   X             Y              q
0           (22, 1, 0)    (35, 0, 1)     0
1           (35, 0, 1)    (22, 1, 0)     1
2           (22, 1, 0)    (13, −1, 1)    1
3           (13, −1, 1)   (9, 2, −1)     1
4           (9, 2, −1)    (4, −3, 2)     2
5           (4, −3, 2)    (1, 8, −5)     4
6           (1, 8, −5)    (0, −35, 22)
Thus 1 = 22 × 8 − 35 × 5.
Application: inversion of 22 modulo 35
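The Euclid and Extended Euclid algorithms of the preceding slides, with the vector invariant α = a·β + b·γ kept explicitly and the iteration table of the a = 22, b = 35 example reproduced by a trace. This is an added example, not the course's code; the trace format and the function names are this example's own.

```python
from typing import List, Optional, Tuple

Triple = Tuple[int, int, int]


def euclid(a: int, b: int, trace: Optional[List[Tuple[int, int, int]]] = None) -> int:
    """gcd(a, b) by repeated Euclidean division; `trace` collects (x, y, q) per iteration."""
    x, y = a, b
    while y > 0:
        q, r = divmod(x, y)            # x = q*y + r, 0 <= r < y
        if trace is not None:
            trace.append((x, y, q))
        x, y = y, r                    # r = x - q*y, as on the slide
    return x


def extended_euclid(a: int, b: int, trace: Optional[List[Tuple[Triple, Triple, int]]] = None) -> Triple:
    """Return (d, u, v) with d = gcd(a, b) = a*u + b*v.
    Invariant: every vector (alpha, beta, gamma) handled satisfies alpha = a*beta + b*gamma."""
    x: Triple = (a, 1, 0)
    y: Triple = (b, 0, 1)
    while y[0] > 0:
        q = x[0] // y[0]
        if trace is not None:
            trace.append((x, y, q))
        x, y = y, (x[0] - q * y[0], x[1] - q * y[1], x[2] - q * y[2])
    return x


def mod_inverse(x: int, n: int) -> Optional[int]:
    """Inverse of x modulo n via Extended Euclid, or None when gcd(x, n) != 1 (the theorem above)."""
    d, u, _ = extended_euclid(x % n, n)
    return u % n if d == 1 else None
```

The first coordinate of the vectors runs exactly like plain Euclid, so the cost stays O(ℓ^2); the two extra coordinates are what turn a gcd computation into the inversion routine listed at O(ℓ^2) on the "Arithmetics with Big Numbers" slide.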
Proof — iv
For all x ∈ Zn^∗, if e is such that gcd(e, ϕ(n)) = 1, we let d = e^−1 mod ϕ(n). Then, x^d mod n is the only e-th root of x modulo n.
Proof. We have e · d = 1 + k · ϕ(n) for some k, hence x ≡ y^e ⇒ x^d ≡ y^(1+k·ϕ(n)) ≡ y and y ≡ x^d ⇒ y^e ≡ x^(1+k·ϕ(n)) ≡ x.
Proof — iii
For all x ∈ Zn^∗ we have x^ϕ(n) ≡ 1 (mod n).
Proof. Due to the Lagrange Theorem, the order k of x divides the order ϕ(n) of Zn^∗. Let ϕ(n) = k · r. We have x^ϕ(n) ≡ x^(k·r) ≡ (x^k)^r ≡ 1^r ≡ 1.
Proof — ii
Zn is a field ⇐⇒ Zn^∗ = Zn \ {0} ⇐⇒ ϕ(n) = n − 1
Proof. By definition, Zn is a field ⇐⇒ Zn^∗ = Zn \ {0}. Since #Zn^∗ = ϕ(n), Zn^∗ ⊆ Zn \ {0}, and #(Zn \ {0}) = n − 1, we deduce Zn^∗ = Zn \ {0} ⇐⇒ ϕ(n) = n − 1.
Proof — i
For all x ∈ Zn we have x ∈ Zn^∗ ⇐⇒ gcd(x, n) = 1.
Proof.
⇒: if y = gcd(x, n) > 1, then y divides (x · z) mod n for any z, so this cannot be equal to 1.
⇐: if gcd(x, n) = 1, then the extended Euclid algorithm outputs the inverse of x modulo n.
Application 2: Correctness of RSA
let N = pq be the product of two different prime numbers p and q
for any x ∈ Z such that x mod p ≠ 0 we have (x^e mod N)^d mod N ≡ x (mod p) (comes from: p − 1 divides ϕ(N), thus ed mod (p−1) = 1)
this also holds when x mod p = 0
similarly: for any x ∈ Z we have (x^e mod N)^d mod N ≡ x (mod q)
from CRT (Application 1): for any x ∈ Z we have (x^e mod N)^d mod N ≡ x (mod N)
for any x ∈ ZN we have (x^e mod N)^d mod N = x
Application 1: Equality Modulo Composite Numbers
Theorem
For any a, b, m, n ∈ Z such that gcd(m, n) = 1, we have
a ≡ b (mod m) and a ≡ b (mod n) ⇒ a ≡ b (mod mn).
Indeed, f(a mod (mn)) = f(b mod (mn)), hence a mod (mn) = b mod (mn)
Chinese Remainder Theorem
Theorem
(Chinese Remainder Theorem) Let m and n be two integers such that gcd(m, n) = 1. We have
f : Zmn → Zm × Zn defined by f(x) = (x mod m, x mod n) is a ring isomorphism
ϕ(mn) = ϕ(m)ϕ(n)
f^−1(a, b) ≡ an(n^−1 mod m) + bm(m^−1 mod n) (mod mn)
Example: (m = 5, n = 7, mn = 35)
f^−1(3, 4) = (3 × 7 × (7^−1 mod 5) + 4 × 5 × (5^−1 mod 7)) mod 35 = ··· = 18
Application: ϕ(pq) = (p−1)(q−1) when p and q are two different primes
Application: RSA Cryptosystem
Figure: the Generator outputs the Secret key (d, N) to the decryptor and the Public key (e, N) to the encryptor over an AUTHENTICATED channel; Encrypt maps the Message x to the Ciphertext y = x^e mod N, Decrypt maps y back to the Message x = y^d mod N; the Adversary observes the channel carrying y.
N = pq, ϕ(N) = (p−1)(q−1)
1 = gcd(e, ϕ(N)), d = e^−1 mod ϕ(N)
Proof of CRT — iii
Fact 3: Zmn^∗ and Zm^∗ × Zn^∗ are isomorphic (thus ϕ(mn) = ϕ(m)ϕ(n))
if x ∈ Zmn^∗ then x is invertible modulo m and modulo n, thus f(x) is in Zm^∗ × Zn^∗
conversely, if f(x) is in Zm^∗ × Zn^∗, then f(x) × f(y) = (1, 1) in Zm × Zn for some y, thus x × y = f^−1(1, 1) = 1 in Zmn: x is in Zmn^∗
f maps Zmn^∗ onto Zm^∗ × Zn^∗ and is injective: it is thus an isomorphism between the two groups
Proof of CRT — ii
Fact 2: f is an isomorphism
f(x) = (0, 0) implies m and n divide x; since gcd(m, n) = 1, mn divides x; thus x mod (mn) = 0
f is injective: for all x, y ∈ Zmn, if f(x) = f(y) then f(x − y) = (0, 0), thus x − y mod (mn) = 0, hence x = y
f is an isomorphism: Zmn and Zm × Zn have the same cardinality and f is injective, thus f is a bijection; since f is further a homomorphism, f is an isomorphism
Proof of CRT — i
Fact 1: f is a ring homomorphism from Zmn to Zm × Zn
f(x +_Zmn y) = f(x) +_(Zm×Zn) f(y), indeed:
((x + y) mod (mn)) mod m = ((x mod m) + (y mod m)) mod m
((x + y) mod (mn)) mod n = ((x mod n) + (y mod n)) mod n
f(x ×_Zmn y) = f(x) ×_(Zm×Zn) f(y) (same)
Application 3: Exponentiation Acceleration
log2 p ≈ log2 q ≈ ℓ/2
instead of computing a^d mod pq directly (cost O(ℓ^3)), compute
a^(d mod (p−1)) mod p
a^(d mod (q−1)) mod q
and combine the two results by CRT into a^d mod pq
cost: 2 × O((ℓ/2)^3) instead of O(ℓ^3)
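The CRT inverse map f^−1 with the (m = 5, n = 7) example, RSA key generation and the correctness check of Application 2 over every x ∈ ZN, and the CRT-accelerated decryption of Application 3, all in one added example. It is not the course's code: the primes and exponent used in the test are small constructed values, and the function names are this example's own.

```python
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (exponent, N)


def crt_combine(a: int, b: int, m: int, n: int) -> int:
    """f^-1(a, b) = a*n*(n^-1 mod m) + b*m*(m^-1 mod n) mod mn:
    the unique x in Z_mn with x = a (mod m) and x = b (mod n)."""
    if gcd(m, n) != 1:
        raise ValueError("moduli must be coprime")
    return (a * n * pow(n, -1, m) + b * m * pow(m, -1, n)) % (m * n)


def crt_split(x: int, m: int, n: int) -> Tuple[int, int]:
    """f(x) = (x mod m, x mod n)."""
    return x % m, x % n


def rsa_keygen(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """From two distinct primes p, q and a public exponent e, return ((e, N), (d, N))."""
    if p == q:
        raise ValueError("p and q must differ")
    N = p * q
    phi = (p - 1) * (q - 1)            # phi(pq) = (p-1)(q-1), the CRT application
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    d = pow(e, -1, phi)                # d = e^-1 mod phi(N)
    return (e, N), (d, N)


def rsa_encrypt(x: int, pub: Key) -> int:
    e, N = pub
    return pow(x, e, N)


def rsa_decrypt(y: int, priv: Key) -> int:
    d, N = priv
    return pow(y, d, N)


def rsa_decrypt_crt(y: int, d: int, p: int, q: int) -> int:
    """Application 3: two half-size exponentiations with exponents reduced mod p-1 and q-1, then CRT."""
    yp = pow(y % p, d % (p - 1), p)
    yq = pow(y % q, d % (q - 1), q)
    return crt_combine(yp, yq, p, q)


def rsa_roundtrip_all(p: int, q: int, e: int) -> bool:
    """Application 2: (x^e mod N)^d mod N = x for every x in Z_N, including x = 0 mod p or mod q,
    and the CRT decryption agrees with the direct one."""
    pub, priv = rsa_keygen(p, q, e)
    N = pub[1]
    return all(
        rsa_decrypt(rsa_encrypt(x, pub), priv) == x
        and rsa_decrypt_crt(rsa_encrypt(x, pub), priv[0], p, q) == x
        for x in range(N)
    )
```

The exhaustive check is only possible because N is tiny here; for real key sizes the correctness rests on the proof above (Fermat modulo p and modulo q, then CRT), which is also exactly why CRT decryption needs p and q, i.e. why the private key material must include them and be protected accordingly.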
Fields
Definition
A field is a commutative ring (K, +, ×) such that
1-9. [ring] K is a ring with + and ×
10. [commutativity] for any a, b, we have ab = ba
11. [invertibility] for any a ≠ 0 there exists b = a^−1 s.t. ab = ba = 1
Examples: Q, R, C; Zp for a prime number p
6 Chapter 6: Algorithmic Algebra
Groups
Rings
The Zn Ring
Finite Fields
Computation of Euler Totient Function
ϕ(p) = p − 1 for p prime
ϕ(mn) = ϕ(m) × ϕ(n) when gcd(m, n) = 1
ϕ(p^a) = (p − 1) p^(a−1) for p prime
ϕ(p1^a1 × ··· × pr^ar) = (p1 − 1) p1^(a1−1) × ··· × (pr − 1) pr^(ar−1)
= p1^a1 × ··· × pr^ar × ((p1 − 1) × ··· × (pr − 1)) / (p1 × ··· × pr)
for pairwise different prime numbers p1, ..., pr
Proof of CRT — iv
Fact 4: f(an(n^−1 mod m) + bm(m^−1 mod n)) = (a, b)
an(n^−1 mod m) + bm(m^−1 mod n) ≡ a (mod m)
an(n^−1 mod m) + bm(m^−1 mod n) ≡ b (mod n)
thus f of the left hand side is (a, b)
Cerebral GF(p^k)
p: a prime number.
Zp[x] is a Euclidean ring.
Select a monic irreducible polynomial P(x) of degree k in Zp[x].
P(x) spans an ideal (P(x)) with no non-trivial sub-ideal.
Let GF(p^k) = Zp[x]/(P(x)) be the quotient of the ring Zp[x] by the ideal (P(x)).
We obtain a field which inherits the addition and multiplication from the ring structure of Zp[x].
Example
In order to construct GF(2^3):
consider the ring Z2[x] of polynomials
take the monic irreducible polynomial P(x) = x^3 + x + 1 of degree 3
construct
GF(2^3) = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
Example: (x + 1) + (x^2 + 1) = x^2 + x in GF(2^3).
Example: (x + 1) × (x^2 + 1) = x^3 + x^2 + x + 1 = x^2 in GF(2^3).
Pedestrian GF(p^k)
p: a prime number.
Euclidean division in Zp[x]: for any polynomials A(x) and P(x) such that P ≠ 0, there exist polynomials R(x) and B(x) such that A(x) = R(x) + P(x) · B(x) and deg(R) < deg(P). We call R(x) = A(x) mod P(x) the remainder of A(x) modulo P(x).
Select a monic (i.e. with leading coefficient 1) irreducible (i.e. which cannot be expressed as a product of polynomials with smaller degree) polynomial P(x) of degree k in Zp[x].
Let GF(p^k) be the set of all polynomials in Zp[x] of degree at most k − 1.
Addition: regular polynomial addition modulo p.
Multiplication: regular multiplication in Zp[x] reduced modulo P(x).
We can prove this constructs a field.
Properties
p: a prime number.
Zp^∗ = {1, ..., p − 1}, ϕ(p) = p − 1.
(Little Fermat Theorem) for any x ∈ Zp^∗, we have x^(p−1) ≡ 1 (mod p)
Zp^∗ is a cyclic group with ϕ(p − 1) generators: there exist (ϕ(p − 1) many) numbers g such that
Zp^∗ = {g^0, g^1, g^2 mod p, ..., g^(p−2) mod p}
GF(2^8) Arithmetics in AES
A byte a = a7 ... a1 a0 represents an element of the finite field GF(2^8) as a polynomial a0 + a1.x + ... + a7.x^7 modulo x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + 1 and modulo 2
byte   polynomial
0x00   0
0x01   1
0x02   x
0x03   x + 1
0xf9   x^7 + x^6 + x^5 + x^4 + x^3 + 1
Addition: bitwise XOR
Multiplication by 0x02: shift and XOR with 0xf9 if carry
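Polynomial arithmetic over Z2 modulo an irreducible P(x), as in the GF(2^3) example slide and in the byte arithmetic of this slide, written once for any degree k. This is an added example, not the course's or AES's code: polynomials are bit-packed integers (bit i is the coefficient of x^i), the reduction polynomial is passed in with its x^k term, and the function names are this example's own. The test uses x^3 + x + 1 from the example slide and, for bytes, the reduction polynomial of FIPS 197, x^8 + x^4 + x^3 + x + 1 (0x11b, low byte 0x1b); the slide above lists 0xf9 for its own modulus, and the code accepts either.

```python
from typing import List


def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^k): coefficient-wise modulo 2, i.e. bitwise XOR."""
    return a ^ b


def gf_mul(a: int, b: int, modulus: int, k: int) -> int:
    """Multiply two polynomials over Z_2 of degree < k, reducing modulo `modulus`,
    which must be the full reduction polynomial of degree exactly k (bit k set)."""
    if modulus >> k != 1 or a >> k or b >> k:
        raise ValueError("operands must have degree < k and the modulus degree exactly k")
    result = 0
    high_bit = 1 << k
    while b:
        if b & 1:
            result ^= a          # add the current multiple of a
        b >>= 1
        a <<= 1                  # multiply a by x ...
        if a & high_bit:
            a ^= modulus         # ... and reduce when the x^k term (the "carry") appears
    return result


def xtime(a: int, modulus: int, k: int) -> int:
    """Multiplication by x (byte 0x02 in GF(2^8)): shift, then XOR with the modulus if a carry came out."""
    return gf_mul(a, 0b10, modulus, k)


def gf_pow(a: int, e: int, modulus: int, k: int) -> int:
    """Square-and-multiply in GF(2^k)."""
    result = 1
    for i in range(e.bit_length() - 1, -1, -1):
        result = gf_mul(result, result, modulus, k)
        if (e >> i) & 1:
            result = gf_mul(result, a, modulus, k)
    return result


def gf_inv(a: int, modulus: int, k: int) -> int:
    """a^-1 = a^(2^k - 2) since the multiplicative group has order 2^k - 1 (Lagrange)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, (1 << k) - 2, modulus, k)


def gf_mul_table(modulus: int, k: int) -> List[List[int]]:
    """Full multiplication table, for checking small fields such as GF(4) or GF(8) by hand."""
    size = 1 << k
    return [[gf_mul(a, b, modulus, k) for b in range(size)] for a in range(size)]
```

The "shift and XOR if carry" of the slide is exactly the reduction step inside the loop; everything else in a GF(2^8) multiplication is XOR, which is why the operation is cheap in hardware and constant-time when written without table lookups.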
GF(4)
GF(4) = {c0, c1, c2, c3}
+    c0  c1  c2  c3
c0   c0  c1  c2  c3
c1   c1  c0  c3  c2
c2   c2  c3  c0  c1
c3   c3  c2  c1  c0
×    c0  c1  c2  c3
c0   c0  c0  c0  c0
c1   c0  c1  c2  c3
c2   c0  c2  c3  c1
c3   c0  c3  c1  c2
(GF(4), +) ≈ (Z2 × Z2, +)   (GF(4)^∗, ×) ≈ (Z3, +)
P(x) = x^2 + x + 1 irreducible in Z2[x], GF(4) = Z2[x]/(P(x))
c0 = (0), c1 = (1), c2 = (x), c3 = (x + 1)
GF(5)
GF(5) = {0, 1, 2, 3, 4}
+   0  1  2  3  4
0   0  1  2  3  4
1   1  2  3  4  0
2   2  3  4  0  1
3   3  4  0  1  2
4   4  0  1  2  3
×   0  1  2  3  4
0   0  0  0  0  0
1   0  1  2  3  4
2   0  2  4  1  3
3   0  3  1  4  2
4   0  4  3  2  1
(GF(5), +) ≈ (Z5, +)   (GF(5)^∗, ×) ≈ (Z4, +)
Galois Fields
Theorem
We have the following results.
The cardinality of any finite field is a prime power p^k.
For any prime power p^k, there exists a finite field of cardinality p^k. p is called the characteristic of the field.
Two finite fields of the same cardinality are isomorphic, so the finite field of cardinality p^k is essentially unique. We denote it GF(p^k), the Galois field of cardinality p^k.
GF(p^k) is isomorphic to a subfield of GF(p^(k×ℓ)).
GF(p^k) can be defined as the quotient of the ring of polynomials with coefficients in Zp by a principal ideal spanned by an irreducible polynomial of degree k: Zp[x]/(P(x)).
Chapter Content
Primality: Fermat test, Miller-Rabin test
⋆Primality: Carmichael numbers, Solovay-Strassen test
⋆Factorization: rho method, p−1 method, elliptic curve method
Group orders: computation
⋆Discrete logarithm: baby-steps giant-steps, Pohlig-Hellman
Chapter 7: Algorithmic Number Theory
Conclusion
finite fields: Zp, GF(2k)
rings: Zn, polynomials
integer arithmetics: gcd, Euler totient function, ChineseRemainder Theorem
groups: Zn, group of units of rings, elliptic curves
algorithmic arithmetic: addition, multiplication, inversion, exponentiation
other arithmetic problems: square roots, e-th roots
Most Important Finite Fields

Z_p for a large prime p: represented by regular integers
GF(2^k): represented by bit strings of length k

                 Z_p                        GF(2^k)
representation   integers from 0 to p−1     polynomials of degree at most k−1 with binary coefficients (k-bit strings); requires the choice of an irreducible polynomial of degree k
addition         addition modulo p          bitwise XOR
multiplication   multiplication modulo p    ad-hoc algorithms; multiplication by 0x2: shift to the left and XOR with a constant if carry
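As an added worked example (not code from the course), the GF(2^8) arithmetic of the AES slide and of the "multiplication by 0x2" row above, in Python: `xtime` is the shift-and-XOR step, `gf_mul` builds general multiplication from it, and `gf_inv` uses $a^{254} = a^{-1}$ in the group of the 255 non-zero elements. The check values come from FIPS 197 ({57}·{83} = {c1}); the helper names are mine.

```python
# Added example: GF(2^8) as used by AES, with the FIPS 197 polynomial x^8 + x^4 + x^3 + x + 1.
AES_POLY = 0x11B          # the reduction polynomial; its low byte 0x1B is what xtime XORs in

def xtime(a: int) -> int:
    """Multiply a field element by x (0x02): shift left, reduce if the carry (bit 7) came out."""
    a <<= 1
    if a & 0x100:
        a ^= AES_POLY
    return a & 0xFF

def gf_mul(a: int, b: int) -> int:
    """General multiplication: add up a * x^i for every set bit i of b (shift-and-add with xtime)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def gf_inv(a: int) -> int:
    """Inverse via Lagrange: the non-zero elements form a group of order 255, so a^254 = a^-1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:                      # square-and-multiply inside the field
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def poly_str(a: int) -> str:
    """Render a byte as the polynomial it encodes, e.g. 0x1b -> 'x^4 + x^3 + x + 1'."""
    names = {0: "1", 1: "x"}
    terms = [names.get(i, "x^%d" % i) for i in range(7, -1, -1) if (a >> i) & 1]
    return " + ".join(terms) if terms else "0"

def is_field_generator(g: int) -> bool:
    """True if the powers of g run through all 255 non-zero elements (0x03 is such a generator)."""
    seen, x = set(), 1
    for _ in range(255):
        seen.add(x)
        x = gf_mul(x, g)
    return len(seen) == 255

if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)), poly_str(0x1B), is_field_generator(0x03))
```

Note that using the slide's old constant 0xf9 instead of 0x1b in `xtime` silently yields a different ring; the FIPS 197 check values above are the cheapest way to catch such a mistake in an implementation.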
Fermat Test

Parameter: k, an integer
Input: n, an integer of ℓ bits
Output: notification of non-primality or pseudo-primality
Complexity: O(kℓ^3)

repeat
    pick a random b such that 0 < b < n
    x ← b^{n−1} mod n
    if x ≠ 1 then output "composite" and stop
until k iterations are made
output "pseudo-prime" and stop
Fermat Test

Theorem (Little Fermat Theorem)
If $n$ is prime, for any $b \in \{1, \ldots, n-1\}$, $b^{n-1} \bmod n = 1$.

Flowchart of the test: pick $b$ at random and check whether $b^{n-1} \bmod n = 1$; if not, $n$ is composite; if yes, repeat with a fresh $b$ for $t$ iterations, then declare $n$ prime (more precisely, pseudo-prime).
Trial Division Algorithm

Input: an integer n
Output: a list of prime numbers whose product is n
Complexity: O(√n) arithmetic operations

b ← ⌊√n⌋, x ← n, i ← 2
while x > 1 and i ≤ b do
    while i divides x do
        print i
        x ← x/i
        b ← ⌊√x⌋
    end while
    i ← i + 1
end while
if x > 1 then print x

Chapter 7: Algorithmic Number Theory
Primality Tests
Factoring and Discrete Logarithm Problems
Computing Orders in Groups
Square Roots in Finite Fields
Lemma
Let $p$ be a prime number. If $x^2 \bmod p = 1$ then $x \bmod p = 1$ or $x \bmod p = p-1$.

Proof: we have $(x-1)(x+1) \bmod p = 0$ and $p$ is prime, thus either $p$ divides $x-1$ or $p$ divides $x+1$;
if $p$ divides $x-1$ we have $x \bmod p = 1$;
if $p$ divides $x+1$ we have $x \bmod p = p-1$.
Carmichael Numbers: the 561 Case
Example: $n = 561 = 3 \cdot 11 \cdot 17$ is such that for all $b$ with $\gcd(b,n) = 1$ we have $b^{n-1} \equiv 1 \pmod n$.
Proof. We notice that $n-1 = 560 = 2^4 \cdot 5 \cdot 7$ is a multiple of $3-1$, $11-1$ and $17-1$. Therefore, if $b$ is coprime to 3, we have $b^{n-1} \equiv 1 \pmod 3$, and the same modulo 11 and modulo 17. Hence, by the Chinese Remainder Theorem, if $b$ is coprime to $n$ we have $b^{n-1} \equiv 1 \pmod n$.
Carmichael Numbers
Definition
We call a Carmichael number any integer $n$ which is a product of (at least 2) pairwise different prime numbers $p$ such that $p-1$ is a factor of $n-1$.

Theorem
An integer $n$ is a Carmichael number if and only if it is composite and for any $b$ with $\gcd(b,n) = 1$ we have $b^{n-1} \equiv 1 \pmod n$.

Example: $n = 561 = 3 \cdot 11 \cdot 17$ is such that for all $b$ with $\gcd(b,n) = 1$ we have $b^{n-1} \equiv 1 \pmod n$.
Significance of Fermat Test
False negative: $\Pr[\text{output composite} \mid n \text{ prime}] = 0$.
False positive: there exist pathological composite numbers $n$ for which $\Pr[\text{output pseudo-prime} \mid n]$ is high. Carmichael numbers $n$ are composite numbers such that $b^{n-1} \bmod n = 1$ for any $b$ with $\gcd(b,n) = 1$. Hence, for such $n$,
$\Pr[\text{output pseudo-prime} \mid n] = \left(\frac{\varphi(n)}{n-1}\right)^k$.
Prime Number Generation

Theorem (Prime Number Theorem)
Let $\pi(N)$ denote the number of prime numbers in $\{2, 3, \ldots, N\}$. We have $\pi(N) \sim \frac{N}{\log N}$ as $N$ tends to infinity.

→ the probability that a random $\ell$-bit number is prime is $\approx \frac{1}{\ell \log 2}$
Example: a 512-bit random integer is prime with probability $\approx \frac{1}{355}$
→ generating a random $\ell$-bit prime number takes $O(\ell^4)$

Flowchart: pick $p$ at random; is it prime? if no, pick again; if yes, $p$ is found.
Bounding Errors in the Miller-Rabin Test
Theorem (Miller-Rabin)
If more than a quarter of the $b \in \mathbb{Z}_n^*$ pass the Miller-Rabin test, then all $b \in \mathbb{Z}_n^*$ do so (and $n$ is prime).

Consequence: the probability that a composite number passes the Miller-Rabin test with $k$ iterations and gets the output "pseudo-prime" is less than $4^{-k}$.
The Miller-Rabin Primality Test

Parameter: k, an integer
Input: n, an integer of ℓ bits
Output: notification of non-primality or pseudo-primality
Complexity: O(kℓ^3)

if n = 2 then output "prime" and stop
if n is even then output "composite" and stop
write n = 2^s t + 1 with t odd
repeat
    pick b ∈ {1, ..., n−1}
    x ← b^t mod n, i ← 0
    if x ≠ 1 then
        while x ≠ n−1 do
            x ← x^2 mod n, i ← i + 1
            if i = s or x = 1 then output "composite" and stop
        end while
    end if
until k iterations are made
output "pseudo-prime" and stop
The Miller-Rabin Test

We write $n - 1 = 2^s t$ with $t$ odd.
If $n$ is prime, we have $b^{n-1} \bmod n = \left(\cdots\left((b^t)^2\right)^2\cdots\right)^2 \bmod n = 1$ ($s$ squarings).
If $n$ is prime, $+1$ and $-1$ are the only possible square roots of 1.

So, starting from $b^t \bmod n$ and squaring at most $s$ times, the sequence of values $\neq 1$ must end with a $-1$ just before the first 1 is reached: the test asks whether the last value before 1 is $\equiv -1$. If 1 is reached from a value other than $-1$, or is never reached, then $n$ is composite.
Record using the Number Field Sieve Algorithm

Complexity: $e^{O\left((\log n)^{1/3} (\log \log n)^{2/3}\right)}$

RSA-200 = 27997833911221327870829467638722601621070446786955428537560009929326128400107609345671052955360856061822351910951365788637105954482006576775098580557613579098734950144178863178946295187237869221823983
= 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349 × 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467

Factored in 2005 with the equivalent of 55 years of computation on a 2.2 GHz PC.
Factoring Problem
Factoring Problem
Parameters: Gen, a (pseudorandom) instance generator
Instance: n, an integer produced by Gen
Problem: factor n

Examples:
Gen generates an RSA public key
Gen generates Mersenne numbers
Implementation

Input: ℓ
Output: a random prime number between 2^{ℓ−1} and 2^ℓ
Complexity: O(ℓ^4) arithmetic operations

repeat
    pick a random number n of ℓ bits
until a primality test with k iterations accepts n as a prime number
output n

With $k = \log_2 \ell - \log_2 \varepsilon$, the probability that this algorithm outputs a composite number is less than $\varepsilon$.
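The Fermat test, the Miller-Rabin test and the prime generation loop of this section, as one added Python example (not code from the course). `fermat_liar_fraction` reproduces the $\varphi(n)/(n-1)$ figure of the "Significance of Fermat Test" slide on the Carmichael number 561. The `seed` parameter is my addition, for reproducible runs only.

```python
import random

def fermat_test(n: int, k: int = 20, seed=None) -> bool:
    """Fermat test: True = 'pseudo-prime' (no base b with b^(n-1) != 1 among k random b), False = composite."""
    if n < 4:
        return n in (2, 3)
    rng = random.Random(seed)
    for _ in range(k):
        b = rng.randrange(2, n - 1)
        if pow(b, n - 1, n) != 1:
            return False
    return True

def fermat_liar_fraction(n: int) -> float:
    """Exact fraction of bases 0 < b < n with b^(n-1) = 1 mod n (small n only): phi(n)/(n-1) for Carmichael n."""
    liars = sum(1 for b in range(1, n) if pow(b, n - 1, n) == 1)
    return liars / (n - 1)

def miller_rabin(n: int, k: int = 40, seed=None) -> bool:
    """Miller-Rabin: False = 'composite' (certain), True = 'pseudo-prime' (wrong with probability < 4^-k)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    s, t = 0, n - 1                    # n - 1 = 2^s * t with t odd
    while t % 2 == 0:
        s, t = s + 1, t // 2
    rng = random.Random(seed)
    for _ in range(k):
        b = rng.randrange(2, n - 1)
        x = pow(b, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):          # at most s squarings in total
            x = x * x % n
            if x == n - 1:
                break                   # -1 reached: this base is consistent with n prime
            if x == 1:
                return False            # non-trivial square root of 1: n is composite
        else:
            return False                # never reached -1 before b^(n-1): n is composite
    return True

def gen_prime(bits: int, k: int = 40, seed=None) -> int:
    """Random prime of exactly `bits` bits: force the top bit (size) and the low bit (odd), retry until accepted."""
    rng = random.Random(seed)
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(n, k, rng.random()):
            return n

if __name__ == "__main__":
    print(fermat_liar_fraction(561), miller_rabin(561), gen_prime(128, seed=1))
```

With $k = 40$ the false-accept bound $4^{-40}$ is far below the chance of a hardware error, which is why libraries use a fixed small iteration count; the Fermat test has no such bound on Carmichael numbers, as the 561 figure shows.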
The Discrete Logarithm Problem
Discrete Logarithm Problem
Parameters: G, a group, g ∈ G, and n, the order of g
Instance: y, a power of g
Problem: find x such that y = g^x
Factorization Tomorrow
Factorization of n with complexity $O((\log n)^2 \log \log n \log \log \log n)$ using Shor's algorithm.
It only works on a quantum computer (if one exists).
Record using the Number Field Sieve Algorithm

$2^{1039} - 1$ = 5080711 × (306 digits)
= 5080711 × 55853666619936291260749204658315944968646527018488637648010052346319853288374753 × 20758181946442382764570481370359469516293970800739520988120838703792729090324679382343143884144834882534053344769112223028158327696525376091410189105241993899334109711624358962065972167481161749004803659735573409253205425523689

Factored in 2007 with the equivalent of 100 years of computation on a 2.2 GHz PC (Opteron).
Computing Element Orders in Z_n^* ⇒ Knowing λ(n)

Input: an element order oracle in Z_n^*
Output: λ(n)

λ ← 1
repeat
    pick a random x in Z_n^*
    compute the order u of x
    λ ← lcm(λ, u)
until λ has not changed for a while

Fact. With the same notations as on the previous slide (order of x = $p_1^{\beta_1} \cdots p_r^{\beta_r}$, $\lambda(n) = p_1^{\alpha_1} \cdots p_r^{\alpha_r}$): for all i, $\Pr[\beta_i < \alpha_i] \le 1/p_i$.
Thus the number of iterations is likely to be very small.
Factoring λ(n) ⇒ Computing Element Orders in Z_n^*

Input: the factorization $\lambda(n) = p_1^{\alpha_1} \cdots p_r^{\alpha_r}$, and x ∈ Z_n^*
Output: the order u of x
Complexity: O(r) exponentiations

u ← 1
for i = 1 to r do
    y ← $x^{\lambda(n)/p_i^{\alpha_i}}$ mod n
    while y ≠ 1 do
        y ← $y^{p_i}$ mod n
        u ← u × p_i
    end while
end for

Fact. If the order of x is $p_1^{\beta_1} \cdots p_r^{\beta_r}$ then, for all i,
$\beta_i \le \alpha_i$,
$x^{\lambda(n) p_i^{\beta_i - \alpha_i}} \bmod n = 1$, and
$x^{\lambda(n) p_i^{\beta_i - \alpha_i - 1}} \bmod n \neq 1$ (when $\beta_i \ge 1$),
so the inner loop runs exactly $\beta_i$ times.
Computing Element Orders in Z_n^*

knowledge of the factorization of λ(n)
⇒ ability to compute element orders in Z_n^*
⇒ knowledge of λ(n)
⇔ knowledge of the factorization of n

Consequence: computing orders in Z_n^* is likely to be hard from n only.
Orders in Z_n^* (Reminder)

Z_n^* is of order ϕ(n) (example: Z_35^* is of order 24)
$x^{\varphi(n)} \bmod n = 1$ for all x ∈ Z_n^*
$\{i ; \forall x,\ x^i \bmod n = 1\}$ can be written λ(n)Z, where λ(n) is the exponent of Z_n^*
λ(n) is the smallest integer i > 0 for which $x^i \bmod n = 1$ for all x ∈ Z_n^* (example: λ(35) = 12)
λ(n) divides ϕ(n)
for x ∈ Z_n^*, $\{i ; x^i \bmod n = 1\}$ can be written order(x)Z
the order of x is the smallest integer i > 0 for which $x^i \bmod n = 1$ (example: order(6) = 2 in Z_35^*)
for any x ∈ Z_n^*, order(x) divides λ(n)
the lcm of order(x) over all x ∈ Z_n^* is λ(n)
for $n = p_1^{\alpha_1} \times \cdots \times p_r^{\alpha_r}$ with pairwise different prime numbers $p_1, \ldots, p_r$, we have
$\varphi(n) = (p_1 - 1) p_1^{\alpha_1 - 1} \times \cdots \times (p_r - 1) p_r^{\alpha_r - 1}$
$\lambda(n) = \mathrm{lcm}\left((p_1 - 1) p_1^{\alpha_1 - 1}, \ldots, (p_r - 1) p_r^{\alpha_r - 1}\right)$
(caveat: for the prime 2 with $\alpha \ge 3$ the term is $2^{\alpha - 2}$, not $2^{\alpha - 1}$, e.g. λ(8) = 2; this does not affect odd n)
Checking a Generator of a Group with Known Order Factorization

Input: a prime number p, $p-1 = p_1^{\alpha_1} \times \cdots \times p_r^{\alpha_r}$, g ∈ Z_p^*
Output: say whether g generates Z_p^*
Complexity: O(r) exponentiations

for i = 1 to r do
    y ← g^{(p−1)/p_i} mod p
    if y = 1 then abort: g is not a generator
end for
g is a generator
Knowing λ(n) ⇔ Factoring n

⇒: previous slide
⇐: $\lambda(p_1^{\alpha_1} \cdots p_r^{\alpha_r})$ is computed as $\mathrm{lcm}\left((p_1 - 1) p_1^{\alpha_1 - 1}, \ldots, (p_r - 1) p_r^{\alpha_r - 1}\right)$

NB: knowing a multiple of λ(n) ⇔ factoring n (same proof)
example: knowing ϕ(n) ⇔ factoring n

Conclusion: computing ϕ(n) is hard, computing orders in Z_n^* is hard (as hard as factoring n)
Factorization using λ(n)

Picture: starting from $x^t \bmod n$, square repeatedly (at most $s$ times) while the value is $\neq 1$; when 1 is reached, look at the value just before it and ask whether it is $\equiv -1$. If it is not, it is a non-trivial square root of 1.

Knowing λ(n) ⇒ Factoring n

Input: λ(n) (n odd)
Output: a non-trivial factor of n

write λ(n) = 2^s t with t odd
repeat
    pick a random x in Z_n^*
    x ← x^t mod n
    y ← ⊥
    while x ≠ 1 do
        y ← x
        x ← x^2 mod n
    end while
until y ≠ ⊥ and y ≢ −1 (mod n)
output gcd(y − 1, n)

Fact. For x ∈ Z_n, if x^2 mod n = 1, x ≠ 1 and x ≠ n−1, then 1 < gcd(n, x−1) < n, which is a non-trivial factor of n:
n divides (x−1)(x+1);
if gcd(n, x−1) = n then n divides x−1, thus x = 1, which is wrong;
if gcd(n, x−1) = 1 then n divides x+1, thus x = n−1, which is wrong.
Chapter Content

⋆Formal computation: languages, automata, Turing machines
⋆Ability frontiers: computability, decidability
⋆Complexity reduction: intractability, NP-completeness, oracles

Chapter 8: Elements of Complexity Theory

Conclusion

primality testing is easy
generating large primes is feasible
picking generators is feasible
Picking a Generator in a Cyclic Group with Known Order

Input: a prime number p, a bound B
Output: a generator g of Z_p^*

find the list p_1, ..., p_r of all prime factors of p−1 which are less than B
repeat
    pick a random g in Z_p^*
    b ← true
    for i = 1 to r do
        y ← g^{(p−1)/p_i} mod p
        if y = 1 then b ← false
    end for
until b

The output is a generator, except with probability less than 1/B.
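The order and generator algorithms of this section, gathered into one added Python example (not code from the course): `carmichael_lambda` follows the reminder slide's formula, `element_order` is the O(r)-exponentiation algorithm given the factorization of λ(n), `factor_from_lambda` is the "Knowing λ(n) ⇒ Factoring n" loop (it works with any multiple of λ(n) such as ϕ(n), as the NB says), `is_generator` is the known-order check and `pick_generator` the bounded-B variant from the last slide; the same code illustrates the probability analysis of the later "Generating a Generator" slide. Trial division is used for factoring, so inputs are toy-sized; `seed` is my addition for reproducibility.

```python
import random
from math import gcd, lcm

def factorize_small(n: int) -> dict:
    """Trial division (the slide's algorithm): returns {prime: exponent}. Fine for toy-sized n only."""
    factors, i = {}, 2
    while i * i <= n:
        while n % i == 0:
            factors[i] = factors.get(i, 0) + 1
            n //= i
        i += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def carmichael_lambda(n: int) -> int:
    """Exponent lambda(n) of Z_n^*: lcm of (p-1)p^(a-1), with 2^(a-2) for the factor 2^a when a >= 3."""
    parts = [2 ** (a - 2) if p == 2 and a >= 3 else (p - 1) * p ** (a - 1)
             for p, a in factorize_small(n).items()]
    return lcm(*parts)

def element_order(x: int, n: int, lam_factors: dict) -> int:
    """Order of x in Z_n^* given lambda(n) = prod p^a: O(r) exponentiations, one per prime p."""
    lam = 1
    for p, a in lam_factors.items():
        lam *= p ** a
    u = 1
    for p, a in lam_factors.items():
        y = pow(x, lam // p ** a, n)     # y has order p^beta; count how many times p divides it
        while y != 1:
            y = pow(y, p, n)
            u *= p
    return u

def factor_from_lambda(n: int, lam: int, seed=None) -> int:
    """Non-trivial factor of odd n (at least two distinct primes) from lambda(n) or any multiple of it."""
    rng = random.Random(seed)
    s, t = 0, lam                        # lam = 2^s * t, t odd
    while t % 2 == 0:
        s, t = s + 1, t // 2
    while True:
        x = rng.randrange(2, n - 1)
        if gcd(x, n) != 1:
            return gcd(x, n)             # lucky: x itself shares a factor with n
        x, y = pow(x, t, n), None
        while x != 1:                    # square until 1; y keeps the value just before
            y, x = x, x * x % n
        if y is not None and y != n - 1: # y is a square root of 1 other than +1/-1
            return gcd(y - 1, n)

def is_generator(g: int, p: int, prime_factors_of_p_minus_1) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)

def pick_generator(p: int, B: int, seed=None) -> int:
    """'Picking a Generator' slide: only the prime factors of p-1 below B are tested; error about 1/B."""
    small = [q for q in factorize_small(p - 1) if q < B]
    rng = random.Random(seed)
    while True:
        g = rng.randrange(2, p - 1)
        if is_generator(g, p, small):
            return g

if __name__ == "__main__":
    print(carmichael_lambda(35), element_order(6, 35, factorize_small(12)), factor_from_lambda(35, 12, 1))
```

`factor_from_lambda` loops forever on a prime power (there is no non-trivial square root of 1), which is why real code trial-divides and checks for perfect powers first.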
Chapter 9: Public Key Cryptography
Diffie-Hellman
RSA
Other Public Key Cryptosystems

Chapter Content

Diffie-Hellman: asymmetric cryptography, the DH key agreement protocol
⋆Knapsack problems: NP-completeness, the Merkle-Hellman cryptosystem
RSA: the cryptosystem, attacks against particular implementations
ElGamal Encryption
Conclusion of Chapters 6-8

Useful algebraic structures: groups, rings, fields
Algebraic engineering: efficient arithmetic computations
Making primes is easy
Confidentiality using an Authenticated Channel: Key Exchange Protocol

Diagram: Alice and Bob run a key exchange protocol over an authenticated, integrity-protected channel and both obtain the same key. Alice then sends Enc/MAC(message); Bob runs Dec/Check and outputs the message if the check says ok. The adversary sees the protocol messages and the ciphertext.

Confidentiality using an Authenticated Channel: Public Key Cryptosystem

Diagram: a generator outputs a secret key (kept by the receiver) and a public key, which reaches the sender over an authenticated, integrity-protected channel. The sender transmits Enc(message) under the public key; the receiver runs Dec with the secret key. The adversary sees the public key and the ciphertext.
Trapdoor Permutation

we use an encryption Enc that is easy to compute in one direction
...but hard in the other (to compute Dec)
...except using a trapdoor K_s

Diffie-Hellman

"New directions in cryptography" (1976)
The idea of "trapdoor permutation" (no instance given)
Building a public-key cryptosystem from it
Building a digital signature scheme from it
Key agreement protocol
If we Lack Authentication: Man-in-the-Middle Attack

Alice                       Eve                                    Bob
pick x, X ← g^x    --X-->   pick x', X' ← g^{x'}     --X'-->
                   <--Y'--  pick y', Y' ← g^{y'}     <--Y--       pick y, Y ← g^y
K1 ← (Y')^x                 K1 ← X^{y'},  K2 ← Y^{x'}              K2 ← (X')^y
(K1 = g^{x y'})                                                   (K2 = g^{x' y})

Alice and Bob end up with different keys, each of them shared with Eve, who can decrypt and re-encrypt every message in between.
Passive vs Active Adversaries

passive adversary: just listens to the communication and tries to decrypt it (e.g. by recovering the key). The Diffie-Hellman protocol resists passive adversaries.
active adversary: can interfere with the communication (modify messages, insert messages, replay messages). The Diffie-Hellman protocol requires authenticated messages.
The Diffie-Hellman Key Agreement Protocol

Assume a group (a subgroup of Z_p^*, an elliptic curve, ...) generated by some g.

Alice                               Bob
pick x at random, X ← g^x   --X-->
                            <--Y--  pick y at random, Y ← g^y
K ← Y^x                             K ← X^y
(K = g^{xy})

Communications must be authenticated and integrity-protected!
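The two exchanges above (honest run, and the man-in-the-middle run of the earlier slide), as an added Python example that is not part of the course material. The group is a constructed toy one: p = 1019 = 2·509 + 1, g = 4 generating the subgroup of prime order 509; `check_share` is the kind of validation a receiver should do on an incoming X or Y, and `seed` is my reproducibility knob.

```python
import random

# Constructed toy group (not from the course): p = 1019 = 2q + 1 with q = 509 both prime, and
# g = 4 generates the subgroup of order q. Real deployments use groups of >= 2048 bits.
P, Q, G = 1019, 509, 4

def check_share(X: int) -> None:
    """Reject shares outside the intended subgroup: 0, 1, p-1, p, and elements of the wrong order."""
    if not 1 < X < P - 1 or pow(X, Q, P) != 1:
        raise ValueError("invalid Diffie-Hellman share %d" % X)

def keypair(rng) -> tuple:
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def dh_honest(seed=None) -> tuple:
    """Alice and Bob over an authenticated channel: both derive K = g^(xy). Returns (K_Alice, K_Bob)."""
    rng = random.Random(seed)
    x, X = keypair(rng)
    y, Y = keypair(rng)
    check_share(X)
    check_share(Y)
    return pow(Y, x, P), pow(X, y, P)

def dh_mitm(seed=None) -> tuple:
    """No authentication: Eve swaps X and Y for her own X', Y'. Returns (K_Alice, K_Bob, K1, K2) where
    K1 = g^(x y') and K2 = g^(x' y) are Eve's two keys: K_Alice == K1 and K_Bob == K2."""
    rng = random.Random(seed)
    x, X = keypair(rng)                  # Alice sends X ...
    x_e, X_e = keypair(rng)              # ... Eve intercepts it and forwards X' to Bob
    y, Y = keypair(rng)                  # Bob answers Y to "Alice" ...
    y_e, Y_e = keypair(rng)              # ... Eve intercepts it and forwards Y' to Alice
    k_alice = pow(Y_e, x, P)             # Alice computes (Y')^x
    k_bob = pow(X_e, y, P)               # Bob computes (X')^y
    k1, k2 = pow(X, y_e, P), pow(Y, x_e, P)
    return k_alice, k_bob, k1, k2

if __name__ == "__main__":
    print(dh_honest(seed=1), dh_mitm(seed=1))
```

Share validation does not stop the man in the middle (Eve's shares are perfectly valid group elements); only authenticating X and Y does. It stops the separate problem of a peer sending 1 or an element of a small subgroup to force the key into a tiny set.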
Security for Key Exchange Protocol

Secrecy: by looking at the protocol communication, it is impossible to guess the exchanged key.
Security Models

                   adversary power: chosen plaintext    chosen ciphertext
key recovery       weaker
decryption                                              stronger

security model:  weaker  →  stronger
attack:          stronger ←  weaker
(strong objectives, low capabilities)  ...  (weak objectives, high capabilities)
Threat Models

Key recovery: an adversary can recover the secret key
Decryption: an adversary can decrypt a random ciphertext

Adversary model: can encrypt chosen plaintexts (passive; with a public key anyone can), can access a decryption oracle, ...
Public Key Cryptosystem

Diagram: a generator outputs the secret key and the public key; the public key is transmitted over an authenticated, integrity-protected channel; Message → Enc → Dec → Message, with the adversary observing the channel.
Static versus Ephemeral Diffie-Hellman

Ephemeral DH: fresh x and y for every session; it provides forward secrecy:
"if long-term secret keys are compromised at time t, this does not compromise a DH session key established at time t' < t"
Static DH: X and Y are reused and play the role of public keys.
Plain RSA

Diagram: the generator outputs the secret key (d, N) and the public key (e, N); the public key is transmitted over an authenticated, integrity-protected channel.
Encrypt: message x ↦ ciphertext y = x^e mod N
Decrypt: ciphertext y ↦ message y^d mod N
N = pq, ϕ(N) = (p−1)(q−1), gcd(e, ϕ(N)) = 1, d = e^{−1} mod ϕ(N)
The adversary sees the public key and the ciphertext.
Plain RSA Cryptosystem

Public parameter: an integer s (the modulus size).
Set up: find two random different prime numbers p and q of s/2 bits each. Set N = pq. Pick a random e until gcd(e, (p−1)(q−1)) = 1. (Sometimes we pick a special e like e = 17 or e = 2^16 + 1.) Set d = e^{−1} mod ((p−1)(q−1)).
Message: an element x ∈ Z_N^*.
Public key: K_p = (e, N).
Secret key: K_s = (d, N).
Encryption: y = x^e mod N.
Decryption: x = y^d mod N.
RSA

Rivest-Shamir-Adleman (1978)
RSA Engineering

Relevance of the mathematical model
Implementation issues (from plain RSA to real-life standards)
Side channel attacks

RSA Security

Key recovery is equivalent to factoring N
Decryption is the RSA problem (not known to be equivalent to factoring)
RSA Complexity

RSA with a modulus of ℓ bits and a random e:
Generator: O(ℓ^4) (prime number generation)
Encryption: O(ℓ^3)
Decryption: O(ℓ^3)

RSA with a modulus of ℓ bits and a constant e (e.g. e = 2^16 + 1):
Generator: O(ℓ^4) (prime number generation)
Encryption: O(ℓ^2)
Decryption: O(ℓ^3)
RSA Completeness

Theorem (Euler)
Let p, q be two different primes and N = p × q. For any x ∈ {0, ..., N−1} we have $x^{\varphi(N)+1} \bmod N = x$.

Consequence: RSA decryption works for every x ∈ Z_N, not only for x ∈ Z_N^*: $y^d = x^{ed} = x^{1 + k\varphi(N)} \equiv x \pmod N$.
Proof. From the CRT: the congruence holds modulo p (trivially if p divides x, by the Little Fermat Theorem otherwise) and likewise modulo q.
Power Analysis Attack

Computing x = y^d mod N is performed by a device with an external power supply, using the square-and-multiply algorithm.
The power consumption reveals what kind of operation is being performed.
Cryptoprocessors often have a dedicated squaring routine that is faster than a generic multiplication, so the two operations have different power signatures.
The power trace tells when a squaring and when a multiplication is performed.
A multiplication following a squaring means a 1 bit; the attacker deduces d.
Attack on Low Exponents

Attack on low e: Coppersmith's algorithm finds the roots smaller than $N^{1/e}$ of a polynomial of degree e modulo N.
Example: decryption attack when e = 3 and we know 2/3 of the plaintext bits (e.g. RSA.Enc(pattern || x) with a 1024-bit modulus when x is a 256-bit symmetric key and pattern is a constant).
Example: (e = 3) decryption of two messages which differ in a window of 1/9 of the full length (e.g. RSA.Enc(x || counter) and RSA.Enc(x || counter') with a 1024-bit modulus when the counter is encoded on 32 bits).

Attack on low d: Wiener's key recovery attack for $d < N^{1/4}$ (more precisely $d < \frac{1}{3} N^{1/4}$ with p and q of similar size; e.g. N of 1024 bits and d of less than 256 bits).
Example with e = 3

Broadcast of the plaintext x to 3 receivers with moduli N_1, N_2, N_3, using e = 3:
Let $y_i = x^3 \bmod N_i$.
We have $\mathrm{CRT}(y_1, y_2, y_3) = x^3 \bmod (N_1 N_2 N_3) = x^3$, since $x < \min_i N_i$ implies $x^3 < N_1 N_2 N_3$.
So we can compute $x^3$ as an integer, then extract a cube root and get x.
Broadcast Encryption with Low Exponent

Sending the same message x to at least e participants with the same encryption exponent e and different moduli N_1, ..., N_n.
The i-th participant receives $y_i = x^e \bmod N_i$.
The attacker intercepts e values $y_1, \ldots, y_e$.
The attacker computes $y = x^e \bmod N$ where $N = N_1 \times \cdots \times N_e$ by the CRT.
We have $y = x^e$ (as an integer, since $x^e < N$).
The attacker deduces $x = \sqrt[e]{y}$.
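The two low-exponent attacks of these slides in one added Python example (not code from the course): the e = 3 broadcast attack (CRT, then an exact integer cube root) and Wiener's small-d attack via the continued fraction of e/N. The moduli are constructed toys: three products of primes ≡ 2 (mod 3) for the broadcast, and a 196-bit key built from two Mersenne primes with a deliberately small d for Wiener; `small_d_key` and the other names are mine.

```python
from functools import reduce
from math import gcd, isqrt

def crt(residues, moduli) -> int:
    """Chinese Remainder Theorem for pairwise coprime moduli: the x mod prod(moduli) with x = r_i mod N_i."""
    M = reduce(lambda a, b: a * b, moduli, 1)
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)
    return x % M

def iroot(n: int, e: int) -> int:
    """floor(n^(1/e)) for big integers by Newton's iteration started above the root."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + e - 1) // e)
    while True:
        y = ((e - 1) * x + n // pow(x, e - 1)) // e
        if y >= x:
            return x
        x = y

def hastad_broadcast(ciphertexts, moduli, e: int = 3) -> int:
    """Same x sent to e receivers with exponent e: the CRT gives x^e as an integer, then take the e-th root."""
    y = crt(ciphertexts[:e], moduli[:e])           # = x^e exactly because x^e < N_1 * ... * N_e
    x = iroot(y, e)
    if pow(x, e) != y:
        raise ValueError("not a perfect e-th power: fewer than e ciphertexts or moduli not coprime")
    return x

def small_d_key(p: int, q: int, d_start: int) -> tuple:
    """Constructed RSA key with a deliberately small d (coprime to phi): returns (e, N, d)."""
    phi = (p - 1) * (q - 1)
    d = d_start | 1
    while gcd(d, phi) != 1:
        d += 2
    return pow(d, -1, phi), p * q, d

def wiener(e: int, N: int):
    """Wiener's attack: if d < N^(1/4)/3 (p, q of similar size), k/d is a convergent of e/N. Returns (d, p, q) or None."""
    h_prev, h, k_prev, k = 0, 1, 1, 0            # convergent numerators h and denominators k
    a, b = e, N
    while b:
        quotient, rem = divmod(a, b)
        h_prev, h = h, quotient * h + h_prev
        k_prev, k = k, quotient * k + k_prev
        a, b = b, rem
        num, den = h, k                          # candidate: k_rsa/d = num/den with e*d = 1 + k_rsa*phi
        if num == 0 or (e * den - 1) % num:
            continue
        phi = (e * den - 1) // num
        s = N - phi + 1                           # = p + q
        disc = s * s - 4 * N
        if disc >= 0:
            t = isqrt(disc)
            if t * t == disc and (s + t) % 2 == 0:
                p, q = (s + t) // 2, (s - t) // 2
                if p * q == N:
                    return den, p, q
    return None

if __name__ == "__main__":
    mods = [1019 * 1031, 1049 * 1061, 1091 * 1097]      # constructed toy moduli, all primes = 2 mod 3
    print(hastad_broadcast([pow(123456, 3, n) for n in mods], mods))
    e, N, d = small_d_key((1 << 89) - 1, (1 << 107) - 1, 1 << 40)
    print(wiener(e, N)[0] == d)
```

Both attacks are defeated by the standards discussed next: randomized padding makes the e broadcast plaintexts different, and key generation never picks a small d (with a fixed small e, d is automatically of full size).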
Other Side Channel Attacks

Simple fault analysis
Differential fault analysis
Timing attacks
Electromagnetic emanations
Noisy machines (acoustic emanations)
Cache attacks
Branch prediction
...
DFA

Correct run: y = x^e mod N is given to the device, which computes y^d mod p and y^d mod q, then recombines them by the CRT into y^d mod N = x.
Faulty run: the same y is given, but the computation modulo q is disturbed and returns a random value, while y^d mod p is correct. The CRT then outputs x' with x' ≡ x (mod p) but x' ≢ x (mod q).
Differential Fault Attack

Computing x = y^d mod N is performed by a device using CRT acceleration.
The attacker picks x and sends y = x^e mod N to the device.
The attacker aggressively (but mildly) stresses the device (supply voltage, clock, temperature, ...).
The device eventually makes errors.
An error may occur in one of the two CRT halves, say the one modulo q.
The device computes x' and outputs it.
The attacker computes gcd(x − x', N) = p, which factors N.
SPA

Power trace (power against time): the sequence of operations reads SQ MUL, SQ MUL, SQ, SQ, SQ, ... A squaring followed by a multiplication corresponds to a 1 bit and a lone squaring to a 0 bit.
Secret key bits: 1 1 0 0 ... (read from left to right or from right to left depending on the exponentiation algorithm).
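Plain RSA with CRT decryption, the square-and-multiply trace that SPA reads bits from, and the differential fault attack of the previous slides, in one added Python example (not code from the course). The key is a constructed toy built from two Mersenne primes (so no prime generation is needed); `fault_mod_q` simulates the glitch, `decrypt_crt_checked` is the standard re-encryption countermeasure, and `seed` is for reproducibility. All names are mine.

```python
import random
from math import gcd

# Constructed toy key (not from the course): p, q are Mersenne primes, so certainly prime; 196-bit N.
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # d = e^-1 mod phi(N)

def encrypt(x: int) -> int:
    return pow(x, E, N)

def square_and_multiply(y: int, d: int, n: int, trace=None) -> int:
    """Left-to-right binary exponentiation. `trace` collects the SQ/MUL sequence an SPA trace reveals."""
    x = 1
    for bit in bin(d)[2:]:
        x = x * x % n
        if trace is not None:
            trace.append("SQ")
        if bit == "1":
            x = x * y % n
            if trace is not None:
                trace.append("MUL")
    return x

def key_from_trace(trace) -> int:
    """SPA: each SQ starts a new exponent bit (0); a MUL right after it turns that bit into a 1."""
    bits = []
    for op in trace:
        if op == "SQ":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)

def decrypt_crt(y: int, fault_mod_q: bool = False, seed=None) -> int:
    """CRT decryption: x_p = y^d mod p, x_q = y^d mod q, recombined with Garner's formula.
    With fault_mod_q=True the mod-q half is replaced by garbage, as on a glitched device."""
    x_p = pow(y, D % (P - 1), P)
    x_q = pow(y, D % (Q - 1), Q)
    if fault_mod_q:
        x_q = random.Random(seed).randrange(1, Q)     # injected fault: wrong value modulo q
    h = (x_q - x_p) * pow(P, -1, Q) % Q
    return x_p + P * h

def decrypt_crt_checked(y: int, fault_mod_q: bool = False, seed=None):
    """Countermeasure: re-encrypt the result and output nothing unless it matches the input."""
    x = decrypt_crt(y, fault_mod_q, seed)
    return x if pow(x, E, N) == y else None

def bellcore_attack(x: int, x_faulty: int) -> int:
    """Differential fault attack: x and x' agree modulo p but not modulo q, so gcd(x - x', N) = p."""
    return gcd(x - x_faulty, N)

if __name__ == "__main__":
    x = int.from_bytes(b"attack at dawn", "big")
    y = encrypt(x)
    tr = []
    square_and_multiply(y, D, N, tr)
    print(decrypt_crt(y) == x, key_from_trace(tr) == D, bellcore_attack(x, decrypt_crt(y, True, 1)) == P)
```

Note that the attacker needs only one correct/faulty pair for the same input; the re-encryption check costs one public exponentiation and removes the leak, which is why real implementations do it (or use a constant-time exponentiation with a dummy multiply against SPA).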
RSA-OAEP Encryption

Diagram: the message M is padded into DB = H(L) || 0···0 || 01 || M (L is an optional label); a random seed is drawn; maskedDB = DB ⊕ MGF(seed); maskedSeed = seed ⊕ MGF(maskedDB); the encoded block 00 || maskedSeed || maskedDB is fed to Enc (plain RSA) to produce the ciphertext.
Yet Another Side Channel Attack

Bleichenbacher's attack against PKCS#1 v1.5:
The attacker intercepts y = x^e mod N and aims at recovering x.
The attacker plays with the server by sending fake ciphertexts y' of the form y' = s^e y mod N.
Most of the time y' does not decrypt to a well-formed block and the server issues an error message.
If the server accepts, then (y')^d mod N = sx mod N starts with 00 02, hence
$2 \times 256^{k-2} \le sx \bmod N < 3 \times 256^{k-2}$
By using this oracle about 1 000 000 times (for a 1024-bit modulus), the attacker can reconstruct x.
The side channel here is the error message (or the timing of the padding check), not the power consumption.
PKCS#1 v1.5 Encryption

Diagram: the message M is padded into the block 00 || 02 || PS || 00 || M, where PS is a random string of non-zero bytes; the block is fed to Enc (plain RSA) to produce the ciphertext.
PKCS#1 v1.5
(Modulus of k bytes, message M of at most k−11 bytes.)

Encryption:
1. generate a pseudorandom string PS of non-zero bytes so that PS || M is of k−3 bytes (hence PS has at least 8 bytes)
2. construct the string 00 || 02 || PS || 00 || M of k bytes
3. convert it into an integer
4. perform the plain RSA encryption
5. convert the result into a string of k bytes

Decryption:
1. convert the ciphertext into an integer, reject it if it is greater than the modulus
2. perform the plain RSA decryption and obtain another integer
3. convert the integer back into a byte string of k bytes
4. check that the string has the 00 || 02 || PS || 00 || M format for some byte strings PS and M where PS has no zero byte
5. output M
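PKCS#1 v1.5 padding and the full Bleichenbacher attack of the previous slide, as an added Python example (not code from the course or from any library). The key is a constructed toy (two Mersenne primes, k = 25 bytes) so that the run takes seconds; `PaddingOracle` models a server that only reveals whether the decrypted block starts with 00 02, exactly the oracle the slide describes, and the other names are mine.

```python
import random

# Constructed toy key (not from the course): Mersenne primes, 196-bit modulus, k = 25 bytes.
# The attack itself is independent of the key size; small numbers just keep the run fast.
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8             # modulus length in bytes
B = 1 << (8 * (K - 2))                    # a block starting with 00 02 is an integer in [2B, 3B)

def pkcs1_v15_pad(m: bytes, seed=None) -> int:
    """00 || 02 || PS || 00 || M with PS random non-zero bytes, PS of at least 8 bytes."""
    if len(m) > K - 11:
        raise ValueError("message too long")
    rng = random.Random(seed)
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(m)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + m, "big")

def pkcs1_v15_unpad(x: int) -> bytes:
    em = x.to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:   # 00 02 prefix, and PS (bytes 2..sep-1) at least 8 bytes
        raise ValueError("bad padding")
    return em[sep + 1:]

def encrypt(m: bytes, seed=None) -> int:
    return pow(pkcs1_v15_pad(m, seed), E, N)

def decrypt(c: int) -> bytes:
    return pkcs1_v15_unpad(pow(c, D, N))

class PaddingOracle:
    """The server of the slide: answers only whether the decrypted block starts with 00 02."""
    def __init__(self):
        self.queries = 0
    def __call__(self, c: int) -> bool:
        self.queries += 1
        return 2 * B <= pow(c, D, N) < 3 * B

def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def bleichenbacher(c: int, oracle) -> int:
    """Bleichenbacher's chosen-ciphertext attack; returns the padded plaintext integer x = c^d mod N.
    Each accepted s gives 2B <= s*x - r*N < 3B for some r, which shrinks the set M of intervals for x."""
    conforming = lambda s: oracle(c * pow(s, E, N) % N)
    M = [(2 * B, 3 * B - 1)]
    s = _ceil_div(N, 3 * B)                           # step 2a: first s >= N/(3B) that conforms
    while not conforming(s):
        s += 1
    while True:
        new_M = set()                                 # step 3: narrow every interval with this s
        for a, b in M:
            for r in range(_ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, _ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new_M.add((lo, hi))
        M = sorted(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]
        if len(M) > 1:                                # step 2b: several intervals left, linear search
            s += 1
            while not conforming(s):
                s += 1
        else:                                         # step 2c: one interval [a, b], jump in r then s
            a, b = M[0]
            r = _ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo, hi = _ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                found = next((t for t in range(lo, hi + 1) if conforming(t)), None)
                if found is not None:
                    s = found
                    break
                r += 1

if __name__ == "__main__":
    c = encrypt(b"secret", seed=2)
    oracle = PaddingOracle()
    print(pkcs1_v15_unpad(bleichenbacher(c, oracle)), oracle.queries)
```

A server that checks more of the format (PS length, the 00 separator) answers "accept" less often, which only raises the query count; the fix is to never branch on the padding result at all (pad with OAEP, or decrypt to a random value on failure so that the client sees no difference).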
Diffie-Hellman Cryptography

Diffie-Hellman posed the problem of instantiating a trapdoor permutation; two answers:
RSA: a trapdoor permutation, an operation in Z_n^* which can be inverted with the factorization of n
ElGamal: probabilistic encryption, the encryption returns g^r along with symEnc_{y^r}(message), where y^r = DH(g, g^r, y)
Mask Generation Function in RSA-OAEP

The PKCS specifications further suggest a mask generation function MGF1 based on a hash function. The string MGF1_ℓ(x) simply consists of the ℓ leading bytes of
H(x || 00000000) || H(x || 00000001) || H(x || 00000002) || ···
in which x is concatenated with a four-byte big-endian counter.
RSA-OAEP Decryption

Diagram: Dec (plain RSA) gives the block 00 || maskedSeed || maskedDB; seed = maskedSeed ⊕ MGF(maskedDB); DB = maskedDB ⊕ MGF(seed) must have the form H(L) || 0···0 || 01 || M; output the message M (reject if the leading byte is not 00, if H(L) does not match, or if the 01 separator is missing).
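MGF1 and the OAEP encoding/decoding of the two diagrams, as an added Python example (not code from the course or from a library). It follows the PKCS#1 layout with SHA-256 (my choice of hash; the slide leaves H open) and a modulus of k = 128 bytes; `_xor` and the other names are mine. The decoder deliberately reports one generic error whatever fails.

```python
import hashlib
import os

def mgf1(seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """MGF1 of the slide: leading `length` bytes of H(seed||C0) || H(seed||C1) || ... with 4-byte big-endian counters."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m: bytes, k: int, label: bytes = b"", seed: bytes = None, hash_name: str = "sha256") -> bytes:
    """EME-OAEP encoding of the RSA-OAEP diagram: 00 || maskedSeed || maskedDB, k = modulus length in bytes."""
    hlen = hashlib.new(hash_name).digest_size
    if len(m) > k - 2 * hlen - 2:
        raise ValueError("message too long")
    lhash = hashlib.new(hash_name, label).digest()
    db = lhash + b"\x00" * (k - len(m) - 2 * hlen - 2) + b"\x01" + m      # H(L) || 0...0 || 01 || M
    seed = os.urandom(hlen) if seed is None else seed
    masked_db = _xor(db, mgf1(seed, k - hlen - 1, hash_name))
    masked_seed = _xor(seed, mgf1(masked_db, hlen, hash_name))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b"", hash_name: str = "sha256") -> bytes:
    """Inverse of oaep_encode with a single generic error: the caller must not learn which check failed."""
    hlen = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * hlen + 2:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = em[0], em[1:1 + hlen], em[1 + hlen:]
    seed = _xor(masked_seed, mgf1(masked_db, hlen, hash_name))
    db = _xor(masked_db, mgf1(seed, k - hlen - 1, hash_name))
    lhash = hashlib.new(hash_name, label).digest()
    sep = db.find(b"\x01", hlen)
    bad = (y != 0) | (db[:hlen] != lhash) | (sep < 0) | (sep >= 0 and any(db[hlen:sep]))
    if bad:
        raise ValueError("decoding error")
    return db[sep + 1:]

if __name__ == "__main__":
    em = oaep_encode(b"hello", 128, seed=bytes(range(32)))
    print(em.hex(), oaep_decode(em, 128))
```

The encoded block is what plain RSA is applied to; because every bit of DB depends on the whole seed and vice versa, a single flipped ciphertext bit scrambles the entire block, which is what makes the decoding checks fail for any tampered ciphertext.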
Non-Deterministic Encryption

Diagram: Encrypt takes the message m and fresh randomness R, so the same m yields different ciphertexts c1, c2, c3; Decrypt maps each of them back to m (recovering R where needed).
Generating a Generator

We consider Z_p^* with an odd prime p and we let $p - 1 = \prod_{i=1}^r p_i^{\alpha_i}$ with pairwise different primes $p_i$.
g is a generator of Z_p^* iff $g^{(p-1)/p_i} \bmod p \neq 1$ for i = 1, ..., r.
For a random $g \in_U \mathbb{Z}_p^*$, the values $g^{(p-1)/p_i} \bmod p$ are independent and
$\Pr_{g \in_U \mathbb{Z}_p^*}\left[g^{(p-1)/p_i} \bmod p = 1\right] = \frac{1}{p_i}$
Assuming that $p_i \le B$ for $i \le s$ and $p_i > B$ for $i > s$, then
$\Pr_{g \in_U \mathbb{Z}_p^*}\left[g \text{ generator} \,\middle|\, g^{(p-1)/p_i} \bmod p \neq 1 \text{ for } i = 1, \ldots, s\right] = \prod_{i=s+1}^{r} \left(1 - \frac{1}{p_i}\right)$
So we can simply work with an incomplete factorization $p - 1 = q \prod_{i=1}^s p_i^{\alpha_i}$ which includes all small factors $p_i$ (q is the cofactor, whose prime factors are all larger than B).
→ $\Pr[\text{not generator} \mid \text{passed}] \le \sum_{i=s+1}^r \frac{1}{p_i}$, which is about $1/B$
Plain ElGamal Encryption

Diagram: the generator outputs the secret key x and the public key y = g^x mod p; the public key is transmitted over an authenticated, integrity-protected channel.
Encrypt: message m ↦ ciphertext (g^r, m y^r) for a fresh random r
Decrypt: ciphertext (u, v) ↦ message v u^{−x}
The adversary sees the public key and the ciphertext.
ElGamal Cryptosystem

Public parameters: a large prime p, a generator g of Z_p^*.
Set up: generate a random x ∈ Z_{p−1} and compute y = g^x mod p.
Message: an element m ∈ Z_p^*.
Public key: K_p = y.
Secret key: K_s = x.
Encryption: pick a random r ∈ Z_{p−1}, compute u = g^r mod p and v = m y^r mod p. The ciphertext is (u, v).
Decryption: extract the u and v parts of the ciphertext and compute m = v u^{−x} mod p.
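The ElGamal cryptosystem above as an added Python example (not code from the course), with a constructed toy group p = 1019, g = 2 (2 is a generator: its order is neither 2 nor 509). `shared_secret` exposes the Diffie-Hellman value y^r = u^x that the earlier "Diffie-Hellman Cryptography" slide points to, and `r` can be passed explicitly to show that two encryptions of one message differ; the names are mine.

```python
import random

# Constructed toy parameters (not from the course): p = 1019 is prime, p - 1 = 2 * 509, and g = 2 is a
# generator because 2^((p-1)/2) != 1 and 2^((p-1)/509) != 1 mod p. Real parameters are >= 2048 bits.
P, G = 1019, 2
assert pow(G, (P - 1) // 2, P) != 1 and pow(G, (P - 1) // 509, P) != 1

def keygen(seed=None) -> tuple:
    x = random.Random(seed).randrange(1, P - 1)          # secret x in Z_{p-1}
    return x, pow(G, x, P)                               # public y = g^x

def encrypt(m: int, y: int, r: int = None, seed=None) -> tuple:
    """(u, v) = (g^r, m * y^r) for a fresh r: the ciphertext is twice as long as the message."""
    if not 1 <= m < P:
        raise ValueError("message must be in Z_p^*")
    if r is None:
        r = random.Random(seed).randrange(1, P - 1)
    return pow(G, r, P), m * pow(y, r, P) % P

def shared_secret(u: int, x: int) -> int:
    """The Diffie-Hellman value y^r = (g^r)^x masking the message; only the holder of x can compute it."""
    return pow(u, x, P)

def decrypt(c: tuple, x: int) -> int:
    u, v = c
    return v * pow(shared_secret(u, x), -1, P) % P       # m = v * (y^r)^-1 = v * u^-x

if __name__ == "__main__":
    x, y = keygen(seed=1)
    c1, c2 = encrypt(777, y, r=5), encrypt(777, y, r=6)
    print(c1, c2, decrypt(c1, x), decrypt(c2, x))
```

Reusing r across two messages leaks their ratio (v1/v2 = m1/m2 since the mask y^r is the same), so r must be fresh and secret for every encryption, exactly like the randomness of the padding schemes.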
Conclusion

High complexity overhead
Two families: factorization and discrete logarithm
Big trouble to go beyond textbook cryptosystems
Problems with side channels
Security is sensitive (to parameters and to implementation details)
Other Public-Key Cryptosystems

ECC
HECC
Paillier cryptosystem
NTRU
lattice-based cryptosystems
McEliece cryptosystem
TCHo
...
Comparison with RSA

Complexity of Gen is much lower (one random exponent, no prime generation per key)
Problem: encryption is length-increasing (two group elements per message)
Can easily be adapted to other groups (e.g. elliptic curves)

ElGamal Encryption Complexity

Domain parameter selection: O(ℓ^4) (prime number generation)
Generator: O(ℓ^3)
Encryption: O(ℓ^3)
Decryption: O(ℓ^3)
Symmetric Encryption

Diagram: the generator outputs one key, delivered to both parties over a confidential channel; Message → Encrypt → Decrypt → Message, with the adversary observing the channel.

Chapter 10: Digital Signatures
Digital Signature Schemes
RSA Signature
ElGamal Signature Family

Chapter Content

RSA signature: PKCS, ISO/IEC 9796
ElGamal signature family: ElGamal, Schnorr, DSS, ECDSA
⋆Attacks on ElGamal signatures: existential forgery, Bleichenbacher attack
⋆Provable security: interactive proofs, random oracle model
Application: Certificates

Diagram: the client and the server talk over an insecure channel. Both hold an authenticated copy of the authority's public key K_p; the server holds its own public key κ and presents a certificate issued by the authority.
certificate = signature_{K_s}("I certify that public key κ belongs to S")

Digital Signature

Diagram: the generator outputs the secret key (signer) and the public key (verifier), the latter over an authenticated, integrity-protected channel; Message → Sign → Verify → ok? → Message, with the adversary observing (and possibly altering) the channel.

Authentication Channel

Diagram: the generator outputs one key, delivered to both parties over a confidential channel, which yields an authenticated, integrity-protected channel; Message → MAC → Check → ok? → Message, with the adversary observing the channel.

Asymmetric Encryption

Diagram: the generator outputs the secret key and the public key, the latter over an authenticated, integrity-protected channel; Message → Encrypt → Decrypt → Message, with the adversary observing the channel.
Encryption to Signature

Diagram: the signer hashes the message X and applies Decrypt with the secret key d to the digest, giving σ; the pair (X, σ) is sent. The verifier applies Encrypt with the public key to σ, hashes X and compares the two values: ok? The generator delivers the public key over an authenticated, integrity-protected channel; the adversary sees (X, σ).
Security Models

                      adversary power: passive    chosen message
total break           weaker
universal forgery
existential forgery                                stronger

security model:  weaker  →  stronger
attack:          stronger ←  weaker
(strong objectives, low capabilities)  ...  (weak objectives, high capabilities)
Threat Models

Total break: an adversary can recover the secret key
Universal forgery: an adversary can forge the signature of any (or of a random) message
Existential forgery: an adversary can forge one valid message-signature pair, for a message it does not get to choose

Adversary model: can intercept signatures (passive), can access a signing oracle, ...
Plain RSA Signature

Set up: find two random different prime numbers p and q of s/2 bits each. Set N = pq. Pick a random e until gcd(e, (p−1)(q−1)) = 1. (Sometimes we pick a special e like e = 3 or e = 17.) Set d = e^{−1} mod ((p−1)(q−1)).
Secret key: K_s = (d, N).
Public key: K_p = (e, N).
Message: an element y ∈ Z_N^*.
Signature generation: x = y^d mod N.
Extraction: y = x^e mod N.
(Signature with message recovery)
Encryption to Signature with Message Recovery

Diagram: Sign = Decrypt with the secret key, applied to the message X, gives σ; the verifier applies Encrypt with the public key to σ and recovers the message X. The public key is delivered over an authenticated, integrity-protected channel; the adversary sees σ.

Signature with Message Recovery

Diagram: Sign maps the message X to the signature σ; Extract, with the public key, maps σ to "ok?" and the recovered message X. The public key is delivered over an authenticated, integrity-protected channel; the adversary sees σ.
Hash-and-Sign Paradigm

Diagram: the signer hashes the message X and signs the digest with the secret key d, giving σ; the pair (X, σ) is sent. The verifier hashes X and runs Verify on the digest and σ with the public key: ok? The public key is delivered over an authenticated, integrity-protected channel; the adversary sees (X, σ).
Signature Extraction

1. apply the extraction scheme, obtain a byte string
2. check that the string is of length k and that the rightmost hexadecimal digit is 6
3. perform the message recovery: remove the leading bit 1, replace the rightmost two bytes y_H y_R x_H x_R by y_H y_R π^{−1}(y_H) x_H, obtain ..., x_2, x_1, take z as the smallest index such that x_{2z} ⊕ S(x_{2z−1}) ≠ 0 (reject if it does not exist) and r equal to this value (and check that r ≤ 8), extract x_{2z}, x_{2z−2}, ..., x_2, remove the r−1 leftmost bits (reject if they are not equal to zero). We must obtain a message m.
4. check that the formatting scheme applied to m leads to the value obtained after opening the signature (check the redundancy).

ISO/IEC 9796 Signature Generation
(signature of a d-bit message m into a k-bit signature, e.g. d ≤ 512 and k = 1024)

1. pad m with r−1 leading zero bits (at most seven) so that the total length can be cut into a sequence of z bytes m_z, m_{z−1}, ..., m_1
2. repeat the sequence and take the t rightmost bytes, where t is such that 16t ≥ k−1 (t = 32 for the k = 512 example on the following slides)
3. insert S(x) to the left of each of the t bytes x, and XOR r onto the z-th rightmost redundancy byte S(m_z), where S(x_H x_L) = π(x_H) π(x_L) (shadow function), x_H x_L are the two hex digits of x and π is defined by

x     0 1 2 3 4 5 6 7 8 9 A B C D E F
π(x)  E 3 5 8 9 4 2 F 0 D B 6 7 A C 1

4. take the k−1 rightmost bits, pad a bit 1 to the left, and replace the rightmost byte x = x_H x_L by x_L 6
5. sign the formatted string (for instance) by using the plain RSA signature
ISO/IEC 9796

Diagram: signing = Format (message → formatted string) then Sign; verifying = Extract (signature → formatted string) then Unformat (→ message).
The format is invertible, so this is a signature with message recovery.
Plain RSA Signature

Diagram: the generator outputs the secret key (d, N) and the public key (e, N), the latter over an authenticated, integrity-protected channel.
Sign: message x ↦ signature x^d mod N
Extract: signature y ↦ y^e mod N
N = pq, ϕ(N) = (p−1)(q−1), gcd(e, ϕ(N)) = 1, d = e^{−1} mod ϕ(N)
The adversary sees the public key and the signature.

PKCS#1 v1.5 Signature

Diagram: the message is hashed with H; the digest is wrapped into the data block D and padded into 00 || 01 || FF···FF || 00 || D; the padded block is fed to Sign (plain RSA) to produce the signature.
Signature Verification

1. convert the signature into an integer; reject it if it is greater than the modulus
2. perform the plain RSA verification (the public exponentiation) and obtain another integer
3. convert the integer back into a byte string of k bytes
4. check that the string has the 00 || 01 || FF...FF || 00 || D format for a byte string D (compare against the full expected encoding rather than parsing it leniently, otherwise forgeries with a small e become possible)
5. decode the data D and obtain the message digest and the hash algorithm; check that the hash algorithm is acceptable
6. hash the message and check the message digest
PKCS#1 v1.5

We are given a modulus N of k bytes.
1. hash the message (the slides use MD5 as the example; it is broken today, use SHA-2 or better) and get a message digest
2. encode the message digest and the identifier of the hash algorithm into a string D (a DER-encoded DigestInfo)
3. pad it with a zero byte to the left, then with as many FF bytes as needed to reach a length of k−2 bytes, then with a 01 byte; we obtain k−1 bytes
4. this byte string 00 || 01 || FF···FF || 00 || D is converted into an integer
5. compute the plain RSA signature
6. convert the result into a string of k bytes
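The PKCS#1 v1.5 signature and verification steps above, as an added Python example (not code from the course or from a library). The key is a constructed toy from two Mersenne primes (1128-bit N, large enough to hold a SHA-256 DigestInfo); SHA-256 is my choice of hash, and `verify` compares the whole recomputed encoding rather than parsing the padding, as step 4 of the verification slide recommends.

```python
import hashlib

# Constructed toy key (not from the course): Mersenne primes 2^521-1 and 2^607-1, N of 1128 bits (141 bytes).
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8

# DER prefix of DigestInfo for SHA-256: the "identifier of the hash algorithm" wrapped around the digest.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """00 || 01 || FF...FF || 00 || D with D = DigestInfo(SHA-256, H(msg)); the FF run fills up to k bytes."""
    d = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    if k < len(d) + 11:
        raise ValueError("modulus too short for this digest (need at least 8 FF bytes)")
    return b"\x00\x01" + b"\xff" * (k - len(d) - 3) + b"\x00" + d

def sign(msg: bytes) -> int:
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, K), "big"), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Recompute the whole expected encoding and compare: no lenient parsing of the FF run or of D."""
    if not 0 <= sig < N:
        return False
    em = pow(sig, E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(msg, K)

if __name__ == "__main__":
    s = sign(b"PAY 1'000'000.-CHF")
    print(verify(b"PAY 1'000'000.-CHF", s), verify(b"PAY 2'000'000.-CHF", s))
```

Because the encoding is deterministic for a given message and modulus size, the verifier never needs to parse it: recomputing and comparing closes the class of bugs where a verifier accepts a too-short FF run or ignores trailing bytes after D.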
Example “PAY 1’000’000.-CHF”
P A Y 1 ’ 0 0 0 ’ 0 0 0 . - C H F
504059203127303030273030302e2d434846
1. m = 5040 5920312730303027 3030302e2d434846, z = 18
2. 3127303030273030 302e2d434846|5040 5920312730303027 3030302e2d434846
3. 83315f278e308e30 8e305f278e308e30 8e305c2era2d9843 904892464e509e40
   4d595e2083315f27 8e308e308e305f27 8e308e308e305c2e 5a2d984390489246
   ...
   83315f278e308e30 8e305f278e308e30 8e305c2era2d9843 904892464f509e40
   4d595e2083315f27 8e308e308e305f27 8e308e308e305c2e 5a2d984390489246
4. 83315f278e308e30 8e305f278e308e30 8e305c2era2d9843 904892464f509e40
   4d595e2083315f27 8e308e308e305f27 8e308e308e305c2e 5a2d984390489266
5. feed the plain RSA signature scheme...
ElGamal Signature
Public parameters: a large prime number $p$, a generator $g$ of $\mathbb{Z}_p^*$.
Set up: generate a random $x \in \mathbb{Z}_{p-1}$ and compute $y = g^x \bmod p$.
Secret key: $K_s = x$.
Public key: $K_p = y$.
Message digest: $h = H(M) \in \mathbb{Z}_{p-1}$.
Signature generation: pick a random $k \in \mathbb{Z}_{p-1}^*$, compute $r = g^k \bmod p$ and $s = (h - xr)\,k^{-1} \bmod (p-1)$; the signature is $\sigma = (r, s)$.
Verification: check that $y^r r^s \equiv g^h \pmod p$ and $0 \le r < p$.
10 Chapter 10: Digital Signatures
Digital Signature Schemes
RSA Signature
ElGamal Signature Family
RSA-PSS Verification
[Diagram: signature → Extract → maskedDB ‖ H ‖ bc; DB = maskedDB ⊕ MGF(H) must have the form 0···01 ‖ salt; the verifier hashes the message to get H(M), computes H(0···00 ‖ H(M) ‖ salt) and compares it with H.]
RSA-PSS
[Diagram: message → H(M); H = H(0···00 ‖ H(M) ‖ salt); DB = 0···01 ‖ salt; maskedDB = DB ⊕ MGF(H); maskedDB ‖ H ‖ bc → Sign → signature.]
Drawbacks of ElGamal Signatures
signatures are pretty long
security issues related to subgroups
lack of security proof for arbitrary public parameter
Security if we Miss the Inequality Check
If we do not check that $0 \le r < p$, we have a universal forgery attack:
pick $r_{p-1}, s \in \mathbb{Z}_{p-1}^*$ at random
set $r_p = g^{h(M)\, s^{-1}}\, y^{-r_{p-1}\, s^{-1}} \bmod p$ (the inverse of $s$ being taken modulo $p-1$)
pick $r$ such that $r \bmod p = r_p$ and $r \bmod (p-1) = r_{p-1}$ using the Chinese Remainder Theorem
issue $(r, s)$ as a signature for $M$
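ElGamal signatures as defined on slide 448, together with the range check whose role slide 451 explains, as an added example (my code, not the slides'). The toy prime p = 2039, the choice of SHA-256 reduced modulo p−1 as H, and all helper names are mine; `out_of_range_r` builds the r described on slide 451 so that one can observe the verifier with the check rejecting it while the verifier without the check accepts it.

```python
import hashlib
import secrets
from math import gcd

P = 2039                       # constructed toy prime, p-1 = 2 * 1019 (far too small for real use)


def find_generator(p: int) -> int:
    """Smallest generator of Z_p^*; relies on p-1 = 2*q' with q' prime (true for 2039)."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, (p - 1) // 2, p) != 1:
            return g
    raise ValueError("no generator found")


G = find_generator(P)


def digest(m: bytes, p: int = P) -> int:
    """h = H(M) in Z_{p-1}; SHA-256 reduced modulo p-1 stands in for the slide's H."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (p - 1)


def keygen(p: int = P, g: int = G):
    x = secrets.randbelow(p - 1)                 # x in Z_{p-1}
    return x, pow(g, x, p)


def sign(m: bytes, x: int, p: int = P, g: int = G):
    while True:
        k = secrets.randbelow(p - 2) + 1         # candidate k in Z_{p-1}^*
        if gcd(k, p - 1) == 1:
            break
    r = pow(g, k, p)
    s = (digest(m, p) - x * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def verify(m: bytes, sig, y: int, p: int = P, g: int = G, check_range: bool = True) -> bool:
    """y^r r^s = g^h (mod p) plus 0 <= r < p; check_range=False is the flawed verifier of slide 451."""
    r, s = sig
    if check_range and not 0 <= r < p:
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, digest(m, p), p)


def crt(a1: int, m1: int, a2: int, m2: int) -> int:
    """The x in [0, m1*m2) with x = a1 (mod m1) and x = a2 (mod m2), for gcd(m1, m2) = 1."""
    return (a1 + m1 * ((a2 - a1) * pow(m1, -1, m2) % m2)) % (m1 * m2)


def out_of_range_r(m: bytes, y: int, s: int, r_p1: int, p: int = P, g: int = G) -> int:
    """Slide 451: r with r = r_p (mod p) and r = r_{p-1} (mod p-1), where
    r_p = g^{h/s} y^{-r_{p-1}/s} mod p and the divisions are inverses modulo p-1.
    Such an r lies in [0, p(p-1)) and is almost always >= p: the range check rejects it."""
    s_inv = pow(s, -1, p - 1)
    r_p = pow(g, digest(m, p) * s_inv % (p - 1), p) * pow(y, -r_p1 * s_inv % (p - 1), p) % p
    return crt(r_p, p, r_p1, p - 1)
```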
Security
key recovery is equivalent to the discrete logarithm problem
existential forgery is hard on average over the random choice of the public parameters in the random oracle model provided that the discrete logarithm is hard
ElGamal Signature
[Diagram: public parameters $p$ prime, $g$ a generator of $\mathbb{Z}_p^*$; a generator computes $y = g^x \bmod p$, keeps the secret key $x$ and publishes $y$ over an authenticated channel with the adversary listening. Sign: $k \in \mathbb{Z}_{p-1}^*$, $r = g^k \bmod p$, $s = (H(M) - xr)\,k^{-1} \bmod (p-1)$, send $M, r, s$. Verify: $0 \le r < p$ and $y^r r^s \equiv g^{H(M)} \pmod p$, output ok? and $M$.]
Schnorr Signature
[Diagram: public parameters $q$ prime, $p = aq + 1$ prime, $g = \text{random}^a \bmod p > 1$; a generator computes $y = g^x \bmod p$, keeps the secret key $x$ and publishes $y$ over an authenticated channel with the adversary listening. Sign: $k \in \mathbb{Z}_q^*$, $r = g^k \bmod p$, $e = H(M|r)$, $s = ex + k \bmod q$, send $M, e, s$. Verify: compare $e$ and $H(M\,|\,g^s y^{-e} \bmod p)$, output ok? and $M$.]
Generating the Public Parameters
pick a prime number q
take a random p = aq + 1 until it is prime
take a random number in $\mathbb{Z}_p^*$, raise it to the power a modulo p, and get g
if g = 1, try again (otherwise, it must be of order q in $\mathbb{Z}_p^*$)
Schnorr Signature
Public parameters: pick a not-too-large prime number $q$, a large prime number $p = aq + 1$, and $g$, a generator of $\mathbb{Z}_p^*$ raised to the power $a$ (an element of order $q$).
Set up: pick $x \in \mathbb{Z}_q$ and compute $y = g^x \bmod p$.
Secret key: $K_s = x$.
Public key: $K_p = y$.
Signature generation: pick a random $k \in \mathbb{Z}_q^*$, compute $r = g^k \bmod p$, $e = H(M|r)$, and $s = ex + k \bmod q$; the signature is $\sigma = (e, s)$.
Verification: check that $e = H(M\,|\,g^s y^{-e} \bmod p)$.
The ElGamal Dynasty
1984 ElGamal signatures
1989 Schnorr signatures
1995 DSA: US signatures
1995 Nyberg-Rueppel signatures
1997 Pointcheval-Vaudenay signatures
1998 KCDSA: Korean signatures
1998 ECDSA
...
Benefits from the DSA
US standard
signatures are shorter
no proper subgroup (only {1} and the group itself)
BUT
security results are weaker
DSA Signature
[Diagram: public parameters $q$ prime, $p = aq + 1$ prime, $g = \text{random}^a \bmod p > 1$; a generator computes $y = g^x \bmod p$, keeps the secret key $x$ and publishes $y$ over an authenticated channel with the adversary listening. Sign: $k \in \mathbb{Z}_q^*$, $r = (g^k \bmod p) \bmod q$, $s = (H(M) + xr)\,k^{-1} \bmod q$, send $M, r, s$. Verify: compare $r$ and $\left(g^{H(M)/s}\, y^{r/s} \bmod p\right) \bmod q$, output ok? and $M$.]
DSA Signature (DSS)
Public parameters: pick a 160-bit prime number $q$, a large prime number $p = aq + 1$, and $g$, a generator of $\mathbb{Z}_p^*$ raised to the power $a$ (an element of order $q$).
Set up: pick $x \in \mathbb{Z}_q$ and compute $y = g^x \bmod p$.
Secret key: $K_s = x$.
Public key: $K_p = y$.
Signature generation: pick a random $k \in \mathbb{Z}_q^*$, compute $r = (g^k \bmod p) \bmod q$ and $s = (H(M) + xr)\,k^{-1} \bmod q$; the signature is $\sigma = (r, s)$.
Verification: check that $r = \left(g^{H(M)\, s^{-1} \bmod q}\; y^{r\, s^{-1} \bmod q} \bmod p\right) \bmod q$.
Benefits from the Schnorr Signature
signatures are shorter
no proper subgroup (only {1} and the group itself)
some form of provable security (related to interactive proofs)
Conclusion
Two families of signature schemes
RSA: with message recovery, based on the RSA problem
ElGamal: with domain parameters, based on the discrete logarithm
Sensitive security
Benefits from the Pointcheval-Vaudenay Signature
ISO/IEC standard
signatures are shorter
no proper subgroup (only {1} and the group itself)
stronger security proof
Pointcheval-Vaudenay Signature
[Diagram: public parameters $q$ prime, $p = aq + 1$ prime, $g = \text{random}^a \bmod p > 1$; a generator computes $y = g^x \bmod p$, keeps the secret key $x$ and publishes $y$ over an authenticated channel with the adversary listening. Sign: $k \in \mathbb{Z}_q^*$, $r = (g^k \bmod p) \bmod q$, $s = (H(r\|M) + xr)\,k^{-1} \bmod q$, send $M, r, s$. Verify: compare $r$ and $\left(g^{H(r\|M)/s}\, y^{r/s} \bmod p\right) \bmod q$, output ok? and $M$.]
Pointcheval-Vaudenay Signature
Public parameters: pick a 160-bit prime number $q$, a large prime number $p = aq + 1$, and $g$, a generator of $\mathbb{Z}_p^*$ raised to the power $a$ (an element of order $q$).
Set up: pick $x \in \mathbb{Z}_q$ and compute $y = g^x \bmod p$.
Secret key: $K_s = x$.
Public key: $K_p = y$.
Signature generation: pick a random $k \in \mathbb{Z}_q^*$, compute $r = (g^k \bmod p) \bmod q$ and $s = (H(r\|M) + xr)\,k^{-1} \bmod q$; the signature is $\sigma = (r, s)$.
Verification: check that $r = \left(g^{H(r\|M)\, s^{-1} \bmod q}\; y^{r\, s^{-1} \bmod q} \bmod p\right) \bmod q$.
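The Schnorr (slides 454/455), DSA (slide 458) and Pointcheval-Vaudenay (slide 461) schemes all live in the same order-q subgroup, so this added example (my code, not the slides') implements the three of them over one parameter generator written after slide 455. Toy parameter sizes (a 20-bit q rather than 160 bits), trial-division primality, SHA-256 reduced modulo q as H, and plain byte concatenation for a|b are my assumptions.

```python
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Trial division: fine for the toy sizes used here, not for real parameters."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def gen_params(q_bits: int = 20, a_bits: int = 12):
    """Slide 455: prime q; random p = aq + 1 until prime; g = h^a mod p with g != 1."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_prime(q):
            break
    while True:
        a = secrets.randbits(a_bits) | 2
        p = a * q + 1
        if is_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, a, p)
        if g != 1:                 # g^q = h^(p-1) = 1, so g has order exactly q
            return p, q, g


def H(q: int, *parts: bytes) -> int:
    """SHA-256 of the concatenation, reduced mod q (the slides leave H abstract)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % q


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q)                       # x in Z_q
    return x, pow(g, x, p)


def rand_k(q: int) -> int:
    return secrets.randbelow(q - 1) + 1            # k in Z_q^*


# Schnorr (slide 454): sigma = (e, s) with e = H(M|r), s = ex + k mod q
def schnorr_sign(params, x: int, m: bytes):
    p, q, g = params
    k = rand_k(q)
    e = H(q, m, to_bytes(pow(g, k, p)))
    return e, (e * x + k) % q


def schnorr_verify(params, y: int, m: bytes, sig) -> bool:
    p, q, g = params
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    r = pow(g, s, p) * pow(y, (-e) % q, p) % p      # g^s y^-e = g^k = r
    return e == H(q, m, to_bytes(r))


# DSA (slide 458) and Pointcheval-Vaudenay (slide 461) differ only in whether
# r is hashed together with the message: H(M) versus H(r || M).
def dsa_like_sign(params, x: int, m: bytes, prefix_r: bool = False):
    p, q, g = params
    while True:
        k = rand_k(q)
        r = pow(g, k, p) % q
        h = H(q, to_bytes(r), m) if prefix_r else H(q, m)
        s = (h + x * r) * pow(k, -1, q) % q
        if r and s:                                # r = 0 or s = 0 would be unusable
            return r, s


def dsa_like_verify(params, y: int, m: bytes, sig, prefix_r: bool = False) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    h = H(q, to_bytes(r), m) if prefix_r else H(q, m)
    w = pow(s, -1, q)
    v = pow(g, h * w % q, p) * pow(y, r * w % q, p) % p
    return r == v % q
```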
Chapter Content
Security setup: certificates
Remote access: SSH
Secure Internet transactions: SSL
Security for individuals: PGP
12 Chapter 12: From Cryptography to Communication Security
Chapter Content
⋆Zero-knowledge: Fiat-Shamir, Feige-Fiat-Shamir
⋆Secret sharing: threshold scheme, perfect schemes
⋆Special purpose signatures: undeniable signatures
11 Chapter 11: Cryptographic Protocols
Virtual Channels by Combination of Channels
[Diagram: the message is transformed into X, sent through a channel whose [assumptions] are stated, received as Y, and transformed back from Y and X into the message on the other side; the adversary has access to the channel.]
From Packet Security to Session Security
[Diagram: two participants exchanging a sequence of messages in both directions, with the adversary on the channel.]
Key establishment: set up A/I/C key material for message security
Sequentiality: whenever a participant has seen a message sequence starting with X1, ..., Xt, with Xt coming in, then the other participant has seen a message sequence whose first t messages are X1, ..., Xt
Termination fairness: making sure that the last message on both ends is the same one
Security Property of Communication Channels
[Diagram: message X enters the channel and X is delivered at the other end; the adversary has access to the channel.]
Confidentiality, Authentication, Integrity
Freshness: the received X was not received before
Liveliness: a sent message X is eventually delivered
Timeliness: (> liveliness) time of delivery is upper bounded
12 Chapter 12: From Cryptography to Communication Security
Setting up a Secure Communication Channel
SSH: Secure Shell
SSL: Secure Socket Layer
PGP: Pretty Good Privacy
Other Examples
... with A+I Channel: Key Agreement Protocol
[Diagram: ProtoAlice and ProtoBob run a key agreement protocol over an authenticated channel with integrity, each side obtaining Key; message → Enc/MAC → channel (adversary) → Dec/Check → ok? → message.]
Setting up a Secure Channel with A+I+C Channel
[Diagram: a generator delivers Key to both ends through a confidential, authenticated channel with integrity; message → Enc/MAC → channel (adversary) → Dec/Check → ok? → message.]
Achieving Authentication
[Diagram: a generator delivers Key to both ends through a confidential, authenticated channel with integrity; message → MAC → channel (adversary) → Check → ok? → message.]
Achieving Confidentiality
[Diagram: a generator delivers Key to both ends through a confidential channel; message → Encrypt → channel (adversary) → Decrypt → message.]
Client-Server Solution based on a Third Party
[Diagram: Client and Server are linked by an insecure channel; the Authority, which holds $K_p^{CA}$, has an authenticated link to each of them and issues a certificate for the server's public key $K_p$.]
Summary
we set up an initial authenticated communication channel
we exchange a master symmetric key using public key cryptography
we derive several symmetric keys
we use conventional cryptography to set up secure channels
Approaches to Build an Initial Authenticated Channel
using a trusted authority
by user full monitoring
ad-hoc solutions
Key Transmission using PKC
[Diagram: a generator outputs Secret Key and Public Key; the public key reaches the sender through an authenticated channel with integrity; Key → Encrypt → channel (adversary) → Decrypt → Key.]
An X.509 Certificate Example: Overall Structure
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 674866 (0xa4c32)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/Email=server-certs@thawte.com
        Validity
            Not Before: Jun  2 13:10:11 2003 GMT
            Not After : Jun 11 10:21:15 2005 GMT
        ...
        X509v3 extensions:
            X509v3 Extended Key Usage: TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        8d:7b:78:60:88:c4:13:4e:94:0d:bc:3b:1b:1c:b6:c9:bc:b1:0b:ed:7d:eb:6f:08:3a:ba:6d:21:36:93:38:36:66:7b:a7:bc:c0:3f:c4:e0:cf:b4:02:58:be:a6:b9:1d:45:a2:c4:58:38:07:e4:63:1a:d9:b9:8d:27:7c:93:67:31:82:6f:a3:3c:86:0c:e0:10:71:de:f2:e9:74:af:ac:76:b4:5b:8e:48:57:9d:8f:12:f6:72:63:8a:79:b4:74:e0:ba:ca:ac:1a:36:b4:16:38:c1:c5:d2:73:ed:e8:64:b0:ae:9e:e2:36:d7:0c:77:92:cc:c7:c0:e0:8a:54:24
Key Exchange Using Certificates
[Diagram: the Authority gives its public key $K_p^{CA}$ to the Client and a certificate on $K_p$ to the Server. Client sends a request (...) to Server, Server answers with the certificate, Client sends $\mathrm{Enc}_{K_p}(K)$; afterwards Client holds $K, K_p$ and Server holds $K$.]
Public-Key Certificate
[Diagram: a generator outputs the CA Secret Key and the CA Public Key; the CA public key reaches the verifier through an authenticated channel with integrity; Public Key → Sign → Certificate → channel (adversary) → Certificate → Verify → ok? → Public Key.]
Critical Secure Channels
[Diagram: the Authority distributes its public key $K_p^{CA}$ to Client 1, Client 2 and Client 3, and certifies the public keys $K_p^1$, $K_p^2$, $K_p^3$ of Server 1, Server 2 and Server 3; each of these distributions is a critical secure channel.]
Connection
Client sends a connection request to Server
Client and Server run a key exchange protocol in which Server is authenticated
Server sends its public key together with a certificate (if available)
(First connection only) Client checks the certificate or requests the user to authenticate the public key by other means. Client stores the public key in a local database (typically, .ssh/known_hosts).
(Other connections only) Client checks the public key against the local database.
They set up a secure channel
Client is authenticated by an application (e.g. a password)
Principles
principle: to implement secure (i.e. confidential and authenticated) communication channels in a client-server session
original philosophy: to be user-friendly (ssh had to be used exactly like rlogin), ready to use without any complicated installation, and to be deployed easily
drawback: the security level is not so high, but still higher than what was used before
SSH2 uses public key infrastructures in order to authenticate the server. This is typically heavy stuff, but the user can easily bypass it: he just has to click “OK” anytime there is a security warning.
An X.509 Certificate Example: Subject
        Subject: C=CH, ST=Bern, L=Bern, O=Switch - Teleinformatikdienste fuer Lehre und Forschung, CN=nic.switch.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d0:0e:b7:16:bf:86:59:c3:97:e6:02:33:59:90:65:29:b0:69:73:64:83:03:1b:df:62:a8:4d:c0:4f:3c:d9:12:6b:8c:57:95:e1:57:e8:48:a6:7f:dd:15:8b:9d:ad:93:dc:78:af:06:1a:ce:0f:7b:cc:c4:6f:a0:06:26:40:73:04:d3:da:7b:20:c1:15:37:8c:2f:58:c4:d4:c1:4b:18:84:5c:54:f1:b1:a0:44:3c:e2:0e:8a:a2:63:48:6b:34:c7:10:9d:a1:23:56:77:f5:4e:3d:38:9a:70:5e:03:02:30:45:ee:81:e4:94:96:47:18:9e:47:37:bb:18:f6:87
                Exponent: 65537 (0x10001)
Key Derivation
Client and Server derive six keys from $K$ and $H$:
Initial value IV from the client to the server: string = A
Initial value IV from the server to the client: string = B
Encryption key from the client to the server: string = C
Encryption key from the server to the client: string = D
Authentication key from the client to the server: string = E
Authentication key from the server to the client: string = F
A key consists of the leading bits of a sequence $k_1, k_2, \ldots$ generated by
$k_1 = H(K \,\|\, H \,\|\, \text{string} \,\|\, \text{session\_id})$, $\quad k_{i+1} = H(K \,\|\, H \,\|\, k_1 \,\|\, \cdots \,\|\, k_i)$
Semi-Authenticated Key Exchange in SSH
Client → Server: version V_C, initial message I_C
Server → Client: version V_S, initial message I_S
Client: pick x, e = g^x mod p
Client → Server: e
Server: pick y, f = g^y mod p, K = e^y mod p, H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), s = Sig(H)
Server → Client: K_S, f, s
Client: K = f^x mod p, check K_S, H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), Ver_{K_S}(s, H)
I_C and I_S: negotiation of algorithms
K_S: public key of the server
for diffie-hellman-group1-sha1 key exchange: $p = 2^{1024} - 2^{960} - 1 + 2^{64} \cdot \lfloor 2^{894}\pi + 129093 \rfloor$, $g = 2$, $q = \frac{p-1}{2}$
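The exchange hash and the six-key derivation of slides 491 and 492, as an added example (my code, not the slides' or any SSH implementation's). It assumes a constructed toy Diffie-Hellman group (p = 2039, g = 2), takes || as raw byte concatenation exactly as the slides write it (RFC 4253 additionally length-prefixes each field and encodes K as an mpint), and leaves the server's Sig/Ver to caller-supplied functions.

```python
import hashlib
import secrets

P, G = 2039, 2      # constructed toy Diffie-Hellman group; real SSH group1 uses the 1024-bit prime above


def int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def exchange_hash(VC, VS, IC, IS, KS, e, f, K) -> bytes:
    """H = hash(VC||VS||IC||IS||KS||e||f||K); hash = SHA-1 for diffie-hellman-group1-sha1."""
    return hashlib.sha1(VC + VS + IC + IS + KS + int_bytes(e) + int_bytes(f) + int_bytes(K)).digest()


def derive_key(K: int, H: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """k1 = H(K||H||letter||session_id), k_{i+1} = H(K||H||k1||...||ki); keep the leading bytes."""
    ks = [hashlib.sha1(int_bytes(K) + H + letter + session_id).digest()]
    while sum(map(len, ks)) < length:
        ks.append(hashlib.sha1(int_bytes(K) + H + b"".join(ks)).digest())
    return b"".join(ks)[:length]


def derive_all(K: int, H: bytes, session_id: bytes,
               key_len: int = 16, iv_len: int = 16, mac_len: int = 20) -> dict:
    """The six keys of slide 492, letters A..F in the slide's order."""
    plan = {b"A": ("iv_c2s", iv_len), b"B": ("iv_s2c", iv_len),
            b"C": ("enc_c2s", key_len), b"D": ("enc_s2c", key_len),
            b"E": ("mac_c2s", mac_len), b"F": ("mac_s2c", mac_len)}
    return {name: derive_key(K, H, letter, session_id, n)
            for letter, (name, n) in plan.items()}


def run_kex(VC, VS, IC, IS, KS, sign, verify):
    """Both sides of the semi-authenticated exchange of slide 491.
    sign(H) -> s and verify(s, H) -> bool are supplied by the caller (the slide's
    Sig / Ver under the server key KS); returns (client_keys, server_keys)."""
    x = secrets.randbelow(P - 2) + 1                      # client: pick x
    e = pow(G, x, P)
    y = secrets.randbelow(P - 2) + 1                      # server: pick y
    f = pow(G, y, P)
    K_server = pow(e, y, P)
    H_server = exchange_hash(VC, VS, IC, IS, KS, e, f, K_server)
    s = sign(H_server)                                    # server sends KS, f, s
    K_client = pow(f, x, P)                               # client: K = f^x mod p
    H_client = exchange_hash(VC, VS, IC, IS, KS, e, f, K_client)
    if not verify(s, H_client):                           # Ver_KS(s, H)
        raise ValueError("server signature does not verify")
    # the session id is the exchange hash of the first key exchange
    return derive_all(K_client, H_client, H_client), derive_all(K_server, H_server, H_server)
```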
SSH2 Key Exchange and Authentication
DSA for server authentication
Diffie-Hellman key exchange for setting up a symmetric session key
(previous versions were entirely based on RSA)
Both DSA and Diffie-Hellman are based on some generator g which generates a subgroup of $\mathbb{Z}_p^*$ of prime order q
Critical Assumptions
public key authentication in the first connection is secure (otherwise Server can be impersonated)
the local database has integrity protection (otherwise the Server public key can be replaced by another one)
Requirements
strong bidirectional authentication
confidentiality of communications
integrity of communication
the client side need not be strongly secure
Example of Critical Application
Secure Channel
The choice of the symmetric algorithms is negotiated between Client and Server
Several encryption schemes are proposed: triple DES, AES, RC4, IDEA, ...
The MAC algorithm is typically HMAC based on SHA-1 or MD5
Session State
Session identifier
Peer certificate (if any)
Cipher suite choice
    Algorithm for authentication and key exchange during handshake
    Cipher Spec: symmetric algorithms (encryption and MAC)
Master secret (a 48-byte symmetric key)
nonces (from the client and the server)
sequence numbers (one for each communication direction)
compression algorithm (if any)
TLS Record Protocols
Handshake Protocol (for initiating a session)
Change Cipher Spec Protocol (for setting up cryptographic algorithms)
Alert Protocol (for managing warnings and fatal errors)
Application Data Protocol
Common Use Principle
client-server communications, random client, corporate server
trusted third party: certificate authority (CA)
A+I secure channel with CA to be used only once
authentication of server based on public key
authentication of client (if needed) based on password
interoperable cipher suites
History
First version by Netscape in 1994
Microsoft version PCT in 1995
SSLv3 by Netscape in 1995
IETF version TLS/1.0 in 1997 [RFC2246]
IETF version TLS/1.1 in 2005 (draft)
Goal: secure any communication (e.g. HTTP) based on TCP/IP
Key Derivation
[Diagram: pre_master_secret, nonce_C (32 B) and nonce_S (32 B) → PRF → master secret (48 B); master secret and the two nonces → PRF → Aut. C→S, Aut. S→C, Enc. C→S, Enc. S→C, IV C→S, IV S→C.]
pre_master_secret is 48 B for RSA key exchange or the obtained Diffie-Hellman key for DH_RSA, DH_DSS, DHE_RSA, DHE_DSS, and DH_anon
A Typical TLS Session
Client → Server: ClientHello: accepted cipher suites, nonce_C
Server: select cipher suite
Server → Client: ServerHello: cipher suite, certificate, nonce_S
Client: pick pre_master_secret
Client → Server: ClientKeyExchange: ENC(pre_master_secret)
Server: decrypt
(key derivation on both sides)
Client → Server: MAC_C
Server: check
Server → Client: MAC_S
Client: check
(open tunnel)
Server → Client: [authentication?]
Client → Server: [login, password]
Server: check
Original TLS Cipher Suites — ii
CipherSuite                              Key Exchange   Cipher     Hash
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA    DHE_DSS        DES40      SHA-1
TLS_DHE_DSS_WITH_DES_CBC_SHA             DHE_DSS        DES        SHA-1
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA        DHE_DSS        3DES_EDE   SHA-1
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA    DHE_RSA        DES40      SHA-1
TLS_DHE_RSA_WITH_DES_CBC_SHA             DHE_RSA        DES        SHA-1
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        DHE_RSA        3DES_EDE   SHA-1
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5       DH_anon        RC4_40     MD5
TLS_DH_anon_WITH_RC4_128_MD5             DH_anon        RC4_128    MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA    DH_anon        DES40      SHA-1
TLS_DH_anon_WITH_DES_CBC_SHA             DH_anon        DES        SHA-1
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA        DH_anon        3DES_EDE   SHA-1
Original TLS Cipher Suites — i
CipherSuite                              Key Exchange   Cipher     Hash
TLS_NULL_WITH_NULL_NULL                  NULL           NULL       NULL
TLS_RSA_WITH_NULL_MD5                    RSA            NULL       MD5
TLS_RSA_WITH_NULL_SHA                    RSA            NULL       SHA-1
TLS_RSA_EXPORT_WITH_RC4_40_MD5           RSA            RC4_40     MD5
TLS_RSA_WITH_RC4_128_MD5                 RSA            RC4_128    MD5
TLS_RSA_WITH_RC4_128_SHA                 RSA            RC4_128    SHA-1
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5       RSA            RC2_40     MD5
TLS_RSA_WITH_IDEA_CBC_SHA                RSA            IDEA       SHA-1
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA        RSA            DES40      SHA-1
TLS_RSA_WITH_DES_CBC_SHA                 RSA            DES        SHA-1
TLS_RSA_WITH_3DES_EDE_CBC_SHA            RSA            3DES_EDE   SHA-1
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA     DH_DSS         DES40      SHA-1
TLS_DH_DSS_WITH_DES_CBC_SHA              DH_DSS         DES        SHA-1
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA         DH_DSS         3DES_EDE   SHA-1
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA     DH_RSA         DES40      SHA-1
TLS_DH_RSA_WITH_DES_CBC_SHA              DH_RSA         DES        SHA-1
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA         DH_RSA         3DES_EDE   SHA-1
MAC in Record Protocol
More precisely, the MAC of a fragment is computed as the HMAC with key MAC_write_secret on
seq_num || TLSCompressed.type || TLSCompressed.version || TLSCompressed.length || TLSCompressed.fragment
MAC_write_secret is the MAC key of the sender
seq_num is the sequence number of the fragment
TLSCompressed.fragment is the compressed fragment
TLSCompressed.length is its actual length
TLSCompressed.type, TLSCompressed.version are some information about the TLS protocol (namely, the compression algorithm) that is being used
Application Data Record Protocol
split the application data into fragments of at most 2^14 bytes and send the fragments separately.
(optional) compress the fragment
append a MAC to the fragment. The MAC is computed on a sequence number, the compression and TLS version materials, and the compressed fragment.
encrypt all this
send this after a record header (type, version, length)
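The record-layer MAC of slides 507/508 and the receiver's check, as an added example (my code, not the slides'). The field widths (8-byte seq_num, 1-byte type, 2-byte version, 2-byte length) are the TLS 1.0 layout, which the slide does not spell out; the encryption step that follows the MAC is left out so that the role of the sequence number stays visible.

```python
import hashlib
import hmac


def record_mac(mac_key: bytes, seq_num: int, ctype: int, version: tuple, fragment: bytes) -> bytes:
    """HMAC-SHA-1 over seq_num || type || version || length || fragment (slide 508)."""
    header = (seq_num.to_bytes(8, "big") + bytes([ctype]) +
              bytes(version) + len(fragment).to_bytes(2, "big"))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


class Sender:
    """One direction of the channel: MAC key plus its own sequence number."""

    def __init__(self, mac_key: bytes, version=(3, 1)):
        self.key, self.version, self.seq = mac_key, version, 0

    def protect(self, ctype: int, fragment: bytes) -> bytes:
        """Return fragment || MAC for the current sequence number, then advance it."""
        if len(fragment) > 2 ** 14:
            raise ValueError("fragment larger than 2^14 bytes (slide 507)")
        mac = record_mac(self.key, self.seq, ctype, self.version, fragment)
        self.seq += 1
        return fragment + mac


class Receiver:
    """The matching receiving side; its sequence number advances only on success."""

    def __init__(self, mac_key: bytes, version=(3, 1)):
        self.key, self.version, self.seq = mac_key, version, 0

    def check(self, ctype: int, protected: bytes) -> bytes:
        """Return the fragment or raise bad_record_mac. A replayed or reordered record
        fails because the receiver's expected sequence number is part of the MAC input."""
        if len(protected) < 20:
            raise ValueError("bad_record_mac")
        fragment, mac = protected[:-20], protected[-20:]
        expected = record_mac(self.key, self.seq, ctype, self.version, fragment)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad_record_mac")
        self.seq += 1
        return fragment
```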
PRF
Given a secret $S$, a seed, and a string label we define a sequence
$a_0 = \text{seed}$
$a_i = \mathrm{HMAC}_{\text{hash}}(S, a_{i-1})$
$r_i = \mathrm{HMAC}_{\text{hash}}(S, a_i \,\|\, \text{seed})$
$P_{\text{hash}}(S, \text{seed}) = r_1 \,\|\, r_2 \,\|\, r_3 \,\|\, \cdots$
$\mathrm{PRF}(\text{secret}, \text{label}, \text{seed}) = P_{\text{MD5}}(S_1, \text{label} \,\|\, \text{seed}) \oplus P_{\text{SHA1}}(S_2, \text{label} \,\|\, \text{seed})$
where $S_1$ and $S_2$ are the two halves of secret. (If secret has an odd length, its middle byte is both the last byte of $S_1$ and the first byte of $S_2$.)
Using PRF
We define
$h_{\text{handshake}} = \mathrm{MD5}(\text{handshake}) \,\|\, \mathrm{SHA1}(\text{handshake})$
$\mathrm{MAC}_C = \mathrm{PRF}(\text{master\_secret}, \text{"client finished"}, h_{\text{handshake}})$
$\mathrm{MAC}_S = \mathrm{PRF}(\text{master\_secret}, \text{"server finished"}, h_{\text{handshake}})$
$\text{master\_secret} = \mathrm{PRF}(\text{pre\_master\_secret}, \text{"master secret"}, \text{nonce}_C \,\|\, \text{nonce}_S)$
$\text{key\_block} = \mathrm{PRF}(\text{master\_secret}, \text{"key expansion"}, \text{nonce}_S \,\|\, \text{nonce}_C)$
handshake is the concatenation of all handshake messages
$\mathrm{MAC}_C$ and $\mathrm{MAC}_S$ are of 12 bytes
key_block is the concatenation of the four private keys and the two initial vectors.
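The TLS 1.0 PRF of slide 506 and its four uses on slide 505, as an added example (my code, not the slides'). The helper names and the key sizes passed to `key_block` are mine; the inputs used in the checks are constructed values, not an official test vector.

```python
import hashlib
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(S, seed) = r1 || r2 || ...  with a_0 = seed, a_i = HMAC(S, a_{i-1}),
    r_i = HMAC(S, a_i || seed); only the first `length` bytes are kept."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def split_secret(secret: bytes):
    """S1 = first half, S2 = second half; for odd length the middle byte is in both."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label||seed) XOR P_SHA1(S2, label||seed)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(pre_master: bytes, nonce_c: bytes, nonce_s: bytes) -> bytes:
    return prf(pre_master, b"master secret", nonce_c + nonce_s, 48)


def key_block(master: bytes, nonce_c: bytes, nonce_s: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Four keys and two IVs, in slide 505's order; note the reversed nonce order."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = prf(master, b"key expansion", nonce_s + nonce_c, total)
    names = ["mac_c2s", "mac_s2c", "enc_c2s", "enc_s2c", "iv_c2s", "iv_s2c"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def finished_mac(master: bytes, handshake: bytes, client: bool) -> bytes:
    """MAC_C / MAC_S: 12 bytes of PRF over MD5(handshake) || SHA1(handshake)."""
    h = hashlib.md5(handshake).digest() + hashlib.sha1(handshake).digest()
    label = b"client finished" if client else b"server finished"
    return prf(master, label, h, 12)
```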
RSA Key Exchange
Client → Server: ClientHello: accepted cipher suites, nonce_C
Server → Client: ServerHello: TLS_RSA_cipher_hash, certificate, nonce_S
Client: pick pre_master_secret
Client → Server: ClientKeyExchange: ENC(pre_master_secret)
Server: decrypt
RSA encryption is PKCS#1v1.5
the RSA public key must be authenticated
Using Stream Ciphers
The RC4 stream cipher is used as a key-stream generator with one-time pad. The internal state of the generator is kept in the connection state so that the RC4 automaton continuously generates keystream in order to encrypt the sequence of fragments.
Using Block Ciphers in CBC Mode
[Diagram: sender side Text → MAC → PAD → CBC; receiver side DEC → VER → Text, with the two error cases "decryption failed" (after DEC) and "bad record mac" (after VER). Example: the text SECRET ACCESS is split into bloc 1, bloc 2 and bloc 3, the last block being completed by the MAC bytes and padding.]
Secure Channel in SSL/TLS (Using CBC Encryption)
[Diagram: the sender computes the MAC of the fragment with the MAC key and seq num, then encrypts fragment ‖ MAC with the Enc key and IV; the adversary sits on the channel; the receiver decrypts with the Enc key and IV, recomputes the MAC with the MAC key and seq num, and compares it (=) with the received one.]
DH_anon Key Exchange
Client → Server: ClientHello: accepted cipher suites, nonce_C
Server → Client: ServerHello: TLS_DH_anon_cipher_hash, nonce_S
Server: select p, g, pick x
Server → Client: ServerKeyExchange: p, g, g^x mod p
Client: pick y
Client → Server: ClientKeyExchange: g^y mod p
pre_master_secret = g^{xy} mod p
Diffie-Hellman protocol is not authenticated!
DHE_sig Key Exchange
Client → Server: ClientHello: accepted cipher suites, nonce_C
Server → Client: ServerHello: TLS_DHE_sig_cipher_hash, certificate, nonce_S
Server: select p, g, pick x
Server → Client: ServerKeyExchange: p, g, g^x mod p, sig(hash(p, g, g^x mod p))
Client: pick y
Client → Server: ClientKeyExchange: g^y mod p
pre_master_secret = g^{xy} mod p
the sig public key must be authenticated in the certificate
g^y mod p is not authenticated!
DH_sig Key Exchange
Client → Server: ClientHello: accepted cipher suites, nonce_C
Server → Client: ServerHello: TLS_DH_sig_cipher_hash, certificate, nonce_S
Client: pick y
Client → Server: ClientKeyExchange: g^y mod p
pre_master_secret = g^{xy} mod p
the certificate is signed using the sig algorithm
the certificate includes p, g, g^x mod p
this is fixed Diffie-Hellman where the parameters are chosen by the server and the server uses a fixed x
Example
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PGP makes cryptographic messages readable for human beings.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBA4c1/LSQdhvwJ58RAjzEAKCXHnwQHNGbX2Bzjo3AMZHABWTW5wCgkxVL
rq22vPs5vlR6RZOf1zEDSF4=
=cVzf
-----END PGP SIGNATURE-----

gpg: Signature made Sun 25 Jul 2004 12:11:01 PM CEST using DSA key ID 1BF0279F
gpg: Good signature from "Serge Vaudenay <serge.vaudenay@epfl.ch>"
ASCII Armor Format
protection of unreadable files (ciphertexts, signatures, hashed values, or even cryptographic keys) by encoding them into a readable form
(transparency and education) users can see the crypto in function (signature structure, PGP version)
Radix-64 code (also called base64 in the MIME standard)
Security for Individuals
easy to set up without any corporate help
certificates do not rely on any authority
no use of any public parameter
anyone can freely generate their own key and choose their cryptographic algorithm
encrypt, decrypt, hash, sign, or verify digital files (archives or emails)
popular algorithms in PGP are IDEA symmetric encryption, RSA encryption or signature, and the MD5 hash function
History
Unlike SSL which is dedicated to on-line communication, PGP focuses on off-line communication: signature and encryption of emails, archives, ...
PGP was first designed by Phil Zimmermann in the nineties against the US laws.
The GNU version of PGP is called GPG, as in GnuPG.
Security Weak Points
PGP may not be very well used (need for education): choosing pass phrases, managing keys, caring about key ring integrity...
key infrastructure heavily relies on trust (no authority)
key revocation is ad-hoc based (no central service)
Example of Key Ring
vaudenay@lasecpc7:~> gpg --list-public-keys
/home/vaudenay/.gnupg/pubring.gpg
---------------------------------
pub   1024D/1BF0279F 2004-07-25 Serge Vaudenay <serge.vaudenay@epfl.ch>
sub   1024g/9D26BE8B 2004-07-25

pub   1024D/8EB9124A 2004-07-25 Student <student@epfl.ch>
sub   1024g/ECCAE364 2004-07-25

pub   1536R/27295F6B 2004-07-25 Colleague <colleague@epfl.ch>

D=DSA, g=ElGamal, R=RSA
Public Key Management
Users manage their public key ring themselves (extracting, adding, changing keys, annotating, ...)
When a user is given a public key by another one, he can insert it in his key ring. At the same time, he qualifies how much he trusts that the key is valid. For instance,
if the key was given hand to hand, he can fairly trust that the key is valid
if the key was taken from a web site through an insecure connection, he may give a low confidence in the validity
if the public key is certified by a third party, the user puts a trust qualification accordingly
a web of trust of users defines trust paths for public keys
Key Management
symmetric keys can be prompted from the user. They are usually derived, by using a hash function, from a pass phrase which is freely chosen by the user.
Asymmetric keys are stored in key ring databases.
Asymmetric secret keys are encrypted by a symmetric one.
extensive usage of checksums and cryptographic digests so that bad pass phrases or modified files are easily detected
asymmetric key pair generation by providing enough randomness (e.g. using an “entropy collector” with key strokes on the keyboard)
Main Conclusion
La crypto c’est rigolo!
SV, 1995
(Crypto is fun!)
Conclusion
SSH increases IP security for remote connections
SSL is a key for WWW security
PGP is a nice tool for small ad-hoc communities
they all put together all cryptographic ingredients quite nicely
they are permanently improved to fix mistakes and use state-of-the-art cryptography
Bluetooth
secure network between devices within short distances
lightweight cryptography
initial authenticated channel by human interaction with devices
key exchange based on a PIN and E21, E22 (low security)
derivation of a single 128-bit long-term link key
secure channel based on E0, E1, E3
several missing security properties: packet authentication, detection of packet loss, privacy, ...
Recommended