Outline - Information Security Group 3: Cryptography Dusko Pavlovic Channel security Information Areas of inf. sec. Trojan horse Noninterference Encryption Cryptanalysis Modes Generating

Security 3:Cryptography

Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Principles of Security — Part 3:Information Security and Cryptography

Dusko Pavlovic

OxfordMichaelmas Term 2008


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Outline

Information, channel security, noninterference

Encryption and decryption

Cryptanalysis and notions of secrecy

Cyphers and modes of operation

Key establishment

What did we learn?


Dusko Pavlovic

Channel securityInformationAreas of inf. sec.Trojan horseNoninterference

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Outline

Information, channel security, noninterferenceConcepts of information and of information securityAreas of information securityCovert channels and Trojan horseSecurity models and noninterference




Key establishment

What did we learn?


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Recall from Lecture 1

Information security! secrecy: "bad information flows don’t happen"! authenticity: "good information flows do happen"

In network computation! all information flow constraints are security properties


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

We could also say

Information security! confidentiality: "bad information flows don’t . . . "! integrity: "good information flows do. . . "

Although not synonymous! secrecy, confidentiality and privacy! authenticity and integrity

are used interchanteably


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Security speak(overheard at a security conference)

Speaker: Isn’t it terrifying that on the Internet we haveno privacy?

Charlie: You mean confidentiality. Get your termsstraight.

Radia: Why do security types insist on inventingtheir own language?

Mike: It’s a denial-of-service attack.Charlie: You mean chosen cyphertext attack. . .


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Variants(a possible assignment of meanings)

Bad information flows! secret information: disclosure prevented

! e.g., by cryptography! private information: disclosure when authorized

! information privately owned! confidential information: disclosure restricted

! penalized when detected


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Bad information flows about resources! secret funds: it is secret that they exist

! secret ceremony, secret lover. . .! private funds: access is restricted

! private ceremony, private resort. . .! confidential report: some details confidential

! content can be disclosed, but not the source


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Good information flows! authenticity of a painting, of a letter, of testimony

! the source of the message is who it says it is! integrity of evidence, of a person

! the content of the message not been altered,tampered with, compromised


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

What is information?


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Before a coin flip, the outcome is unknown.

0 1


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Before a coin flip, the outcome is unknown.

0 1

A coin flip yields exactly 1 bit of information.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Before two coin flips, the outcome is even more unknown.

00 01 11 11

Two coin flips give exactly 2 bits of information.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Rolling a fair 4-sided die gives the same amount ofinformation like flipping 2 fair coins.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Let’s get formal (but don’t take it too seriously yet).


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Let’s get formal (but don’t take it too seriously yet).DefinitionA source is a finite or countable set X given with aprobability distribution.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Let’s get formal (but don’t take it too seriously yet).DefinitionA source is a finite or countable set X given with aprobability distribution.A probability distribution over X is a just functionProbX : X !" [0, 1] such that

!

x#XProb(x) = 1


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Examples! coin, two coins, dice. . .

! What will be the outcome?


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons



! What will be the outcome?! language

! What will be the next word that I’ll say?


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons



! What will be the outcome?! language

! What will be the next word that I’ll say?! any observable parameter

! Who will be the next US president?


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

What is information?DefinitionInformation is the average length of the binary wordsneeded to express the outcome of sampling a source X.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

What is information?DefinitionInformation is the average length of the binary wordsneeded to express the outcome of sampling a source X.It is denoted H(X).


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

What is information?DefinitionInformation is the average length of the binary wordsneeded to express the outcome of sampling a source X.It is denoted H(X).

Examples! H(coin) = 1! H(2 coins) = H(4-sided die) = 2! Biased coins and dice give less information.! If the outcome of an experiment X is certain,then H(X) = 0.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Areas of information security

Just like! information is a special kind of a resource,! a message is a special kind of information sample

resource securityinformation security

cryptography


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Information gathering

Information can be acquired by! observing accesses to resources! receiving messages


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Information gathering

Information can be acquired by! observing accesses to resources! receiving messages

Accordingly, we subdivide information security into:! observation security, or channels security, and! message security, or cryptography.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Observing confidential information

! Information flows through channels.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Observing confidential information

! Information flows through channels.

! Confidential information leaks throughcovert channels.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Trojan horse

is a covert channel installed through social engineering

Figure: A channel is concealed in a resource


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Trojan horse

is a covert channel installed through social engineering

Figure: A channel is concealed in a resource.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

State machines

DefinitionA state machine is a map (pair of maps)

Q $ I %nx ,ev&!" Q $O

where Q, I,O are finite sets, representing

! Q — states! I — input alphabet! O — output alphabet

! Q $ I nx!" Q — next state

! Q $ I ev!" O — output eval.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

State machines

DefinitionA state machine is a map (pair of maps)

Q $ I %nx ,ev&!" Q $O

where Q, I,O are finite sets, representing

! Q — states! I — input alphabet! O — output alphabet

! Q $ I nx!" Q — next state

! Q $ I ev!" O — output eval.

NotationA state machine is denoted by the name of its state set Q.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Running state machines

Inputs and outputsThe inputs and the outputs of state machines are listsfrom I and O.For any set X , the set of lists

X ' ="%x1, x2, . . . , xn& # Xn | n # N

#

is generated from the empty list by prepending

1 %&!" X '

X $ X ' @!" X '


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Inputs and outputsThe inputs and the outputs of state machines are listsfrom I and O.For any set X , the set of lists in it

X ' ="%x1, x2, . . . , xn& # Xn | n # N

#

can be generated from the empty list by prepending

1 %&!" X '

X $ X ' @!" X '$

x , %y1, y2 . . . , yn&%(" %x , y1, y2 . . . , yn&


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


Input-output mapsAt any state q, the state machine Q induces a map

I' Evq!" O'

where

Evq%& = %&Evq(x@ys) = evq(x) @ Evnxq(x)(ys)

for x # I and ys # I'


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Multi level machines

DefinitionA multi level machine is a map

Q $ I %nx ,ev&!" Q $O

where Q, I,O are finite sets, representing! Q — states! I =

&!#L I! — disjoint union of input alphabets

! O — output alphabet


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Hi-Lo machines

DefinitionA Hi-Lo machine is a map

Q $ I %nx ,ev&!" Q $O

where Q, I,O are finite sets, representing! Q — states! I = IH + IL — disjoint union input alphabets! O — output alphabet


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Hi-Lo machines

RemarkA Hi-Lo-machine is just a multi level machine with just twolevels L = {L < H}.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Hi-Lo machines

NotationThe restriction (or purge) (!)L : I' !" I'L is defined

%&L = %&

(x@ys)L =

'(()((*x@ysL if x # ILysL otherwise


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Hi-Lo machines

NotationThe restriction (or purge) (!)L : I' !" I'L is defined

%&L = %&

(x@ys)L =

'(()((*x@ysL if x # ILysL otherwise

The outputs of Lo’s actions are:

EvqL %& = %&

EvqL (x@ys) =

'(()((*evq(x) @ Evnx

q(x)L (ys) if x # IL

Evnxq(x)

L (ys) otherwise


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Covert channels and Trojans

DefinitionWe say that the Hi-Lo machine Q has a covert channel ifit has a state q such that! xsL = ysL, but! EvqL (xs) ! EvqL (ys)

holds for some input lists xs, ys # I'.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


DefinitionWe say that the Hi-Lo machine Q has a covert channel ifit has a state q such that! xsL = ysL, but! EvqL (xs) ! EvqL (ys)

holds for some input lists xs, ys # I'.The subject Hi in a Hi-Lo machine with a covert channelis often called a Trojan (horse).


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


HomeworkSpecify a simple Hi-Lo machine with a covert channel.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Noninterference(Goguen-Meseguer)

DefinitionWe say that the Hi-Lo machine Q satisfies thenoninterference requirement if it has no covert channels,i.e.

xsL = ysL =) EvqL (xs) = EvqL (ys)

holds for all states q and all inputs xs, ys # I'.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


RemarkThe no-write-down condition! prevents Hi from sending to Lo! any publicly visible signals (messages).


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons


RemarkThe no-write-down condition! prevents Hi from sending to Lo! any publicly visible signals (messages).

The noninterference condition! prevents Hi from sending to Lo! any secret signals.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Generalized noninterference(McCullough, McLean)

DefinitionWe say that the Hi-Lo machine Q satisfies thegeneralized noninterference requirement if

*xs zs # I'+ys # I'. xsL = ysL , ysH = zsH, EvqL (xs) = EvqL (ys)

holds for all states q.


Dusko Pavlovic


Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Generalized noninterference(McCullough, McLean)

HomeworkProve that generalized noninterference andnoniterference are equivalent for deterministic machines

RemarkGeneralized noninterference is also applicable tonondeterministic machines.


Dusko Pavlovic

Channel security

EncryptionCryptosystemsExamples of simplecrypto systemsRefresher in arithmeticRSA AssumptionCoding vs encryption

Cryptanalysis

Modes

Generating keys

Lessons

Outline


Encryption and decryptionCryptosystemsExamples of simple crypto systemsCoding vs encryption



Key establishment

What did we learn?


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Simple crypto system

Definition

Given the types! M of plaintexts! C of cyphertexts! K of keys


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


Definition

. . . a simple crypto-system is a triple of algorithms:! key generation %KE,KD& : K $K ,! encryption E : K $M !" C, and! decryption D : K $ C !"M,


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


Definition

. . . that together provide! unique decryption:

D(KD,E(KE,m)) = m

! trapdoor encryption:

*A : C !"M.+*m. A(E(KE,m)) = m

,

=)+*c. A(c) = D(KD, c)

,


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Using a cryptosystem Security 3:Cryptography

Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

What where do the plaintexts come from?

Remarks! The spaceM may be

! monoalphabetic: it consists of symbols! M = !

! polyalphabetic: it consists of blocks of symbols! M = !N


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons





! A plaintext is a string fromM.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons





! A plaintext is a string fromM.! A well-formed message is a meaningful plaintext:a word, a sentence, a paragraph.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons





! A plaintext is a string fromM.! A well-formed message is a meaningful plaintext:a word, a sentence, a paragraph.

! Not every plaintext is a well-formed message.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

What shall we study?

! Cryptography: science of crypto systems! Cryptology: designing crypto systems

! to encrypt plaintexts as cyphertexts! so that only those with a key can decrypt them

! Cryptanalysis: breaking crypto systems! to extract the plaintexts without a key! or even better, to extract the key


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Examples

Encode letters as numbersa b c c e f g h i j k l m0 1 2 3 4 5 6 7 8 9 10 11 12n o p q r s t u v w x y z13 14 15 16 17 18 19 20 21 22 23 24 25


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 1.1: Shift cypher(monoalphabetic: Cæsar k = 3, ROT13 k = 13. . . )

! M = C = Z26 = {0, 1, 2, 3, . . . , 25}! K = Z26! KE = KD = k! E(k ,m) = m + k mod 26! D(k , c) = c ! k mod 26


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 1.1: Shift cypher(monoalphabetic: Cæsar k = 3, ROT13 k = 13. . . )

E.g., the key k = 5 gives

tx: i t i s v e r y c o l d"m 8 19 8 18 21 4 17 24 2 14 11 3k 5 5 5 5 5 5 5 5 5 5 5 5"c 13 24 13 23 0 9 22 3 7 19 16 8CY: N Y N X A J W D H T Q I

wherea b c d e f g h i j k l m0 1 2 3 4 5 6 7 8 9 10 11 12n o p q r s t u v w x y z13 14 15 16 17 18 19 20 21 22 23 24 25


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 1.2: Shift cypher(polyalphabetic)

! M = C = ZN26! K = ZN26! KE = KD = "k = %k1, k2, . . . , kN &! E("k , "m) = "m + "k mod 26! D("k , "c) = "c ! "k mod 26


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


E.g., the block length N = 6 and the keywordkd="monkey" give

tx: i t i s v e r y c o l d"m 8 19 8 18 21 4 17 24 2 14 11 3kd: m o n k e y m o n k e y"k 12 14 13 10 4 24 12 14 13 10 4 24"c 20 7 21 2 25 2 3 12 15 24 15 1CY: U H V C Z B C M P Y P B

wherea b c c e f g h i j k l m0 1 2 3 4 5 6 7 8 9 10 11 12n o p q r s t u v w x y z13 14 15 16 17 18 19 20 21 22 23 24 25


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


TerminologyA polyalphabetic shift cypher where! each key K # ZN26 is used to encrypt! a single message "m # ZN26

is called a one-time-pad. It is! perfectly secure, but it reduces! the task to transfer an N-character message to! the task to transfer an N-character key.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


FactA polyalphabetic shift cypher where! a key K # ZN26 is used to encrypt! more than one "m1, "m2 . . . # ZN26

is insecure.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


FactA polyalphabetic shift cypher where! a key K # ZN26 is used to encrypt! more than one "m1, "m2 . . . # ZN26

is insecure.We shall prove this.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


Terminology vs historyPolyalphabetic shift cyphers are often called Vigenère’scyphers.This is a sad confusion. Vigenère had nothing to do withpolyalphabetic shift cyphers.He designed the first auto-keying cypher.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 1.3: Affine cypher(polyalphabetic)

! M = C = ZN26,

! K =+Z'26,N$ ZN26

! KE = KD =$"a, "k%

! E("a, "k , "m) = "a ' "m + "k mod 26! D("a, "k , "c) = 1

"a ' ("c ! "k) mod 26where

"a ' "m = %a1m1,a2m2, . . . ,anmN &1"a

=

- 1a1,1a2, . . . ,

1aN

.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 1.4: Substitition cypher(monoalphabetic)

! M = C = ! = {a, b, c, . . . , z},! K = S(!) = the permutations of !! KE = KD = #

! E(#,m) = #(m)

! D(#, c) = #!1(c)


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 1.5: Substitition cypher(polyalphabetic)

! M = C = !N ,! K = S(!), the permutations of !! KE = KD = #

! E(#, "m) =/#(m1),#(m2), . . .#(mn)

0

! D(#, "c) =$#!1(c1),#!1(c2), . . .#!1(cn)

%

where N = {1, 2, . . . , n}


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 2: Transposition cypher

! M = C = NN ,! K = S(N) = the permutations of the block positions! KE = KD = #

! E(#, "m) =$m#(1),m#(2), . . .m#(n)

%

! D(#, "c) =$m#!1(1),m#!1(2), . . .m#!1(n)

%


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

! M = C = Zn, where n = pq, p, q prime! K = Z$(n), where $(n) = #

1k < n | gcd(n, k) = 12

! KE = e! KD = e!1 mod $(n)! E(e,m) = me mod n! D(d , c) = cd mod n


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

! M = C = Zn, where n = pq, p, q prime! K = Z$(n), where $(n) = #

1k < n | gcd(n, k) = 12

! KE = e " public key! KD = e!1 mod $(n) " private key! E(e,m) = me mod n! D(d , c) = cd mod n


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

Idea of public key cryptography! KE is publicly announced

! eveyone can encrypt! KD is kept secret

! only those who have it can decrypt


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

Idea of public key cryptography! KE is publicly announced

! eveyone can encrypt! KD is kept secret

! only those who have it can decrypt

It is important that KD cannot be derived from KE.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

History of public key cryptography! Whit Diffie and Marty Hellman proposedcomputational hardness as a new foundation forcryptography in 1976.

! Ron Rivest, Adi Shamir and Len Adleman (RSA)implemented that idea using exponentiation in 1978.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA



! The RSA patent became a base of a very profitablecompany.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA



! The RSA patent became a base of a very profitablecompany. All involved became rich and famous.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

History of public key cryptography! In December 1997, the British GovernmentCommunications Headquarters (GCHQ) releasedfive papers.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA


! James Ellis’ paper "The possibility of non-secretencryption" proposed computational hardness as afoundation for cryptography.

! Clifford Cocks’ paper "A note on non-secretencryption" implemented that idea usingexponentiation.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA


! James Ellis’ paper "The possibility of non-secretencryption" proposed computational hardness as afoundation for cryptography. " 1970

! Clifford Cocks’ paper "A note on non-secretencryption" implemented that idea usingexponentiation." 1973


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

History of public key cryptography! James Ellis retired in 1986 and died in November1997.

! Clifford Cocks became the Chief Mathematician atGCHQ in 2007.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

History of public key cryptography! James Ellis retired in 1986 and died in November1997.

! Clifford Cocks became the Chief Mathematician atGCHQ in 2007.

! Public key cryptography was critical in arm treatycontrol as of 1986, but was not deployed earlier.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

! Take p = 11 and q = 17.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

! Take p = 11 and q = 17. Hence! n = pq = 187,


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

! Take p = 11 and q = 17. Hence! n = pq = 187, and! $(n) = (11 ! 1)(17 ! 1) = 160


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA


! Take KE = e = 3


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA


! Take KE = e = 3! Then KD = d = 3!1 = 107 mod 160


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA


! Take KE = e = 3! Then KD = d = 3!1 = 107 mod 160! E(3, p) = J because

! E(3, 15) = 153 = 3375 = 9 mod 187


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA


! Take KE = e = 3! Then KD = d = 3!1 = 107 mod 160! E(3, p) = J because

! E(3, 15) = 153 = 3375 = 9 mod 187! D(107, J) = p because

! D(107, 9) = 9107 = 15 mod 187


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

HomeworkProve that Euler’s totient function

$ : N !" N

n (!" #1k < n | gcd(n, k) = 12

has the following properties:! $(pk) = (p ! 1)pk!1 if p is prime! $(mn) = $(m) · $(n) if gcd(m, n) = 1

Derive a general formula to compute $(n).


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

. . . is a crypto system because! unique decryption holds by

ed = 1 mod $(n) =) (me)d = m mod n


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

. . . is a crypto system because! unique decryption holds by

ed = 1 mod $(n) =) (me)d = m mod n

! trapdoor encryption holds since for every A

*m.A(me) = m mod n =) *c.A(c) = cd mod n

where ed = 1 mod $(n)


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Example 3: RSA

To prove that the RSA satisfies these requirements,we need some basic arithmetic.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Refresher in arithmetic

DefinitionLet (G, ·, 1) be a finite group and g # G. We define

ord(G) = #G (the number of elements)ord(g) = #%g& = min{! | g! = 1}

Theorem (Lagrange)For every g # G holds ord(g) | ord(G).


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


DefinitionThe multiplicative group of invertible elements of Zn is

Z'n = {x # Zn | +y . xy = 1 mod n}

Lemmak # Zn is invertible iff it is mutually prime with n, i.e.

k # Z'n -) gcd(n, k) = 1

Hence ord(Z'n) = #1k < n | gcd(n, k) = 12 = $(n).


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


Corollary (Euler)For every invertible k # Z'n holds

k$(n) = 1 mod n


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


Corollary (Euler)For every invertible k # Z'n holds

k$(n) = 1 mod n

Proof.By the Theorem, ord(k) | ord(Z'n).By the Lemma, ord(Z'n) = $(n). !


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

RSA unique decryption

ConclusionHence the unique decryption property of RSA

ed = 1 mod $(n) -) +!. ed = 1+ !$(n)=) med = m1+!$(n) = m mod n


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

RSA Assumption

RSA Problem! input:

! n = pq # N where p and q are prime! c # Z'n, i.e. gcd(c, n) = 1! e # Z$(n), i.e. gcd(e, p ! 1) = gcd(e, q ! 1) = 1

! output:! m = e.c mod n, i.e. me = c mod n


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

RSA Assumption

RSA Problem! input:

! n = pq # N where p and q are prime! c # Z'n, i.e. gcd(c, n) = 1! e # Z$(n), i.e. gcd(e, p ! 1) = gcd(e, q ! 1) = 1

! output:! m = e.c mod n, i.e. me = c mod n

RSA AssumptionThere is no feasible algorithm solving the RSA Problem.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

RSA trapdoor encryption

ConclusionHence the trapdoor encryption property of RSA

*m.A(me) = m mod n =) *c.A(c) = cd mod n

where ed = 1 mod $(n)


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


RemarkRSA problem can be solved by finding d = e!1 mod $(n)i.e. by finding d , ! such that de + !$(n) = 1.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


RemarkRSA problem can be solved by finding d = e!1 mod $(n)i.e. by finding d , ! such that de + !$(n) = 1.But computing $(n) requires factoring n.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


RemarkRSA problem can be solved by finding d = e!1 mod $(n)i.e. by finding d , ! such that de + !$(n) = 1.But computing $(n) requires factoring n.It is believed that factoring is not feasible:if n has only large factors, they are hard to find.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Coding

DefinitionA coding scheme is an injective function f : X !" G,where! X is a source, and! G / !' is a language (or code).


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Examples of coding

! Morse code:! source: characters! code: strings of dots and dashes

! telegraphic codes:

source CODEanswer my question! LYOUI

are you trying to weasel out? BYOXOyou are a skunk! BMULD

not clearly coded, please repeat AYYLU

! English, Chinese. . . :! source: meaningful phrases! code: orthography


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons

Coding vs encryption

TerminologyThe elements % # G 0 !' are called codewords.Codewords are used as well-formed messages.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons



RemarkWe usually takeM = !.Any string of plaintexts "m # !' can be a message. (E.g.,meaningful words and meaningless strings.)


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons



RemarkWe usually takeM = !.Any string of plaintexts "m # !' can be a message. (E.g.,meaningful words and meaningless strings.)Not every message is a codeword.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons



RemarkWe usually takeM = !.Any string of plaintexts "m # !' can be a message. (E.g.,meaningful words and meaningless strings.)Not every message is a codeword.Those that are are said to be well-formed.


Dusko Pavlovic

Channel security


Cryptanalysis

Modes

Generating keys

Lessons


UpshotThe difference between! decryption C D

!"M! decodingM' 1& G

will play an important role in cryptanalysis.


Dusko Pavlovic

Channel security

Encryption

CryptanalysisCryptanalysisGuessingElements of probabilityProbabilistic encryptionSecrecy proofs

Modes

Generating keys

Lessons

Outline



Cryptanalysis and notions of secrecyCryptanalysisGuessingProbabilistic encryptionSecrecy proofs


Key establishment

What did we learn?


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Cryptanalytic attacksSymmetric key attacksWhen KE = KD = K, the attacks are! cyphertext only (COA):

E(K,m1), . . . ,E(K,m!) 2 K

! known plaintext (KPA), chosen plaintext (CPA):

m1, . . . ,m!,E(K,m1), . . . ,E(K,m!) 2 K

! chosen cyphertext (CCA):

c1, . . . , c!,D(K, c1), . . . ,D(K, c!) 2 K


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Cryptanalytic attacksAsymmetric key attacksWhen KE is publicly known! cyphertext only (COA):

KE,E(KE,m1), . . . ,E(KE,m!) 2 KD

! known plaintext (KPA), chosen plaintext (CPA):

KE,m1, . . . ,m!,E(KE,m1), . . . ,E(KE,m!) 2 KD

! chosen cyphertext (CCA):

KE, c1, . . . , c!,D(KD, c1), . . . ,D(KD, c!) 2 KD

! adaptive chosen cyphertext (CCA2): . . . (later!)


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

COA on monoalphabetic shift cypher

! M = C = Z26! K = Z26! KE = KD = k! E(k ,m) = m + k mod 26! D(k , c) = c ! k mod 26


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


! M = C = Z26! K = Z26! KE = KD = k! E(k ,m) = m + k mod 26! D(k , c) = c ! k mod 26

IdeaSince there are just #K = 26 possible keys, simply tryone after the other.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


CY: N Y N X A J W D H T Q I"c 13 24 13 23 0 9 22 3 7 19 16 8k1 1 1 1 1 1 1 1 1 1 1 1 1"m1 12 23 12 22 25 8 21 2 6 18 15 7tx1: m x m w z i v c g s p h


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


CY: N Y N X A J W D H T Q I"c 13 24 13 23 0 9 22 3 7 19 16 8

k2 2 2 2 2 2 2 2 2 2 2 2 2"m2 11 22 11 21 24 7 20 1 5 17 14 6tx2: l w l v y h u b f r o g


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


CY: N Y N X A J W D H T Q I"c 13 24 13 23 0 9 22 3 7 19 16 8

k5 5 5 5 5 5 5 5 5 5 5 5 5"m5 8 19 8 18 21 4 17 24 2 14 11 3tx5: i t i s v e r y c o l d


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

COA on substitution cypher


! E(#,m) = #(m)

! D(#, c) = #!1(c)


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons



! E(#,m) = #(m)

! D(#, c) = #!1(c)

FactSince #K = 26! 3 4 · 1026, enumerating the keys andsearching for a well-formed plaintext will not help.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


IdeaAlign the letter frequencies of plaintext (e.g. English). . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


IdeaAlign the letter frequencies of plaintext (e.g. English). . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Idea. . . with the letter frequencies of the cyphertext

Q W D S E O G B K M A Z C P J L F U X R I Y V T H N


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Summary! the messages are drawn from a source X and codedalong f : X !" G 0M'

! the frequency distribution ProbX : X !" [0, 1] inducesthe frequency distribution ProbM :M !" [0, 1]

ProbM+"m,

= ProbX+f !1("m

,

! the frequency distribution ProbC : C !" [0, 1] can beextracted if there is enough cyphertext


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


The patterns

M C

[0, 1]

ProbProb


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


The patterns are aligned to reconstruct

M C

[0, 1]

E

D

ProbProb


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

KPA on the one-time-pad

! M = C = K = ZN26! E("k , "m) = "m + "k! D("k , "c) = "c ! "k


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

KPA on the one-time-pad

! M = C = K = ZN26! E("k , "m) = "m + "k! D("k , "c) = "c ! "k

AttackGiven "m and E("k , "m) = "m + "k the cryptanalyst derives

"k = E("k , "m) ! "m


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Can we prove that there are no attacks? Security 3:Cryptography

Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Can we prove that there are no attacks?

PropositionIf all keys are equally likely, then the one-time-pad issecure, in the sense that the cyphertext provides noinformation about the plaintext.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Can we prove that there are no attacks?

We need tools for such proofs!


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

Attack scenario: KPA, CPAThe cryptanalyst knows which crypto system is used.He wants to derive the key from the known or chosenplaintext, and its encryptions

m1, . . . ,m!,E(K,m1), . . . ,E(K,m!) 2 K


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

Attack scenario: KPA, CPAThe cryptanalyst knows which crypto system is used.He wants to derive the key from the known or chosenplaintext, and its encryptions

m1, . . . ,m!,E(K,m1), . . . ,E(K,m!) 2 K

In some cases, he! may not know the plaintext, but! can recognize well-formed messages.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

TerminologyA random variable is a function X : X !" V where! X is a source and! V is a set, representing values.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

TerminologyA random variable is a function X : X !" V where! X is a source and! V is a set, representing values.

NotationWe write

Prob(X = v) = Prob{x #X | X (x) = v}=

!

X(x)=vProb(x)


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

Guessing processGiven a probability distribution over the key space K , aguessing attack is a random variable G : K' !" N, where

G(k1, k2, . . . , kn) = i

means that ki = KD.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

Guessing processGiven a probability distribution over the key space K , aguessing attack is a random variable G : K' !" N, where

G(k1, k2, . . . , kn) = i

means that ki = KD.

RemarkThe intuition is that we are given some cyphertext "c, andwe test whether D(ki , "c) is a well-formed message for oneki after the other.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

ExerciseSuppose that there are ! = #K keys, and that they are allequally likely. What is the probability that! G = 1, i.e. the key is guessed at once,! G = n, i.e. the key is guessed after exactly n tries.! G 4 n, i.e. the key is guessed in at most n tries.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

Solution! Since there are ! = #K equally likely keys,

! the probability that the right key is drawn at once isProb(G = 1) = p1 = 1

! ;


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing



! ;! the probability that the right key is not drawn at onceis q1 = Prob(G ! 1) = 1 ! p1 = !!1

! .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing




! . In this case, wedraw again, from ! ! 1 untested keys.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing




! . In this case, wedraw again, from ! ! 1 untested keys. This time,

! the probability that the right key is drawn immediatelyis now p2 = 1

!!1 , and thusProb(G = 2) = q1 · p2 = !!1

!· 1!!1 = 1

!;


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing




! . In this case, wedraw again, from ! ! 1 untested keys. This time,

! the probability that the right key is drawn immediatelyis now p2 = 1

!!1 , and thusProb(G = 2) = q1 · p2 = !!1

!· 1!!1 = 1

!;

! whereas the probability that the right key is still notdrawn is q2 = !!2

!!1 . . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

In general, with pi = 1!!i+1 and qi = !!i

!!i+1, the probabilitythat a particular key is drawn in the n-th draw is

Prob(G = n) = q1 · q2 · · · qn!1 · pn

=! ! 1!·! ! 2! ! 1 · · ·

! ! n + 1! ! n + 2 ·

1! ! n + 1

=1!


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Guessing

In general, with pi = 1!!i+1 and qi = !!i

!!i+1, the probabilitythat a particular key is drawn in the n-th draw is

Prob(G = n) = q1 · q2 · · · qn!1 · pn

=! ! 1!·! ! 2! ! 1 · · ·

! ! n + 1! ! n + 2 ·

1! ! n + 1

=1!

The probability that a particular key is drawn in at most ntries is

Prob(G 4 n) =n!

i=1Prob(G = i) =

n!


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Elements of probability

NotationGiven a source X and events ', (, % . . . 0 X, we write

3'4

=!

x#'Prob(x)

3' 2 (4 =

3' 5 (

4

3'4


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


RemarkTraditionally, our

3' 2 (4 is written Prob (( | '),

and called conditional probability.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons




and called conditional probability.While the traditional notations need to be respected,cryptography puts conditional probability to heavy use,and abuse.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons




and called conditional probability.While the traditional notations need to be respected,cryptography puts conditional probability to heavy use,and abuse.3' 2 (4 tells how likely it is to guess ( from '.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Homework3' 2 ¬(4 = 1 !

3' 2 (4

3(4=3'4·3' 2 (4+ 3¬'4 · 3¬' 2 (4

3' 2 ( 6 %4 = 3' 2 (4+ 3' 2 %4 ! 3' 2 ( 5 %4


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Homework3' 2 ¬(4 = 1 !

3' 2 (4

3(4=3'4·3' 2 (4+ 3¬'4 · 3¬' 2 (4

3' 2 ( 6 %4 = 3' 2 (4+ 3' 2 %4 ! 3' 2 ( 5 %4

Moreover3' 5 (

4=3'4·3(4-)

3' 2 (4 = 3(4

-)3( 2 '4 = 3'4


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Bayes theorem

3( 2 '4 =

3'43' 2 (4

3'43' 2 (4+ 3¬'43¬' 2 (4


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Proposition

3( 2 '4 =

3% 2 '4

73' 2 (4 · 3( 2 %4 =

3' 2 %4 · 3% 2 (4


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


PropositionSince

3' 2 ( 5 %4 =

3' 2 (4 · 3' 5 ( 2 %4

it follows that3' 2 (4 · 3' 5 ( 2 %4 4 3

' 2 %4

with the equality when3' 5 % 2 (4 = 1, so that3

' 2 %4 = 3' 2 ( 5 %4.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Problem with simple crypto systems

Leaking partial informationThe trapdoor encryption condition

*m.A(E(KE,m)) = m =) *c.A(c) = D(KD, c)

only talks about total decryptions.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Leaking partial informationThe trapdoor encryption condition

*m.A(E(KE,m)) = m =) *c.A(c) = D(KD, c)

only talks about total decryptions.A simple crypto system can leak partial information.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Two kinds of leaksThe attacker may observe traffic and build! a partial map A : C)M

! e.g., by recognizingE(K, "yes"),E(K, "no"),E(K, "buy") . . .

! a map A : C !" "M, extracting partial information! e.g., by comparing E(K,m0),E(K,m1). . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Example: Reusing one-time-pad

PropositionIf the same one-time-pad key is used to encrypt morethan one block, then a CPA attacker can extract partialinformation.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


PropositionIf the same one-time-pad key is used to encrypt morethan one block, then a CPA attacker can extract partialinformation.E.g., the attacker can form two messages such that, ifshe is given the encryption of one of them, then she cantell which one. (This is one bit of information extracted.)


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


ProofThe CPA attacker forms two messages in the form:

"m0 = "m@"m "m1 = "m@"!

where "x@"y is concatenation and "! ! "m are of length N.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


ProofThe CPA attacker forms two messages in the form:

"m0 = "m@"m "m1 = "m@"!

where "x@"y is concatenation and "! ! "m are of length N.Encrypting with the key "k of length N gives

E("k , "m0) = "c@"c E("k , "m1) = "c@"d

where "c = "m + "k and "d = "m + "!.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Probabilistic crypto systemDefinitionGiven the types! M of plaintexts! C of cyphertexts! K of keys! R of random seeds


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Probabilistic crypto systemDefinition. . . a probabilistic crypto-system is a triple of algorithms:! key generation %KE,KD& : R !" K $K ,! encryption E : R $K $M !" C, and! decryption D : K $ C !"M,

When confusion seems unlikely, we abbreviate! K(r) to K and! E(r , k ,m) to E(k ,m) and even E(m).


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Probabilistic crypto systemDefinition. . . that together provide! unique decryption:

D(KD,E(KE,m)) = m

! secrecy (Shannon: unconditional, "perfect security"):

3c#E(K,m) 2 m#M4 = 3m#M4 (IT-SEC)


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


D(KD,E(KE,m)) = m

! secrecy:3c#E(K,m) 2 m#A(c)

4=3m#A(0)

4(COM-SEC)

for every feasible probabilistic algorithm A : C !"M,(i.e. A : R $K $ C !"M)


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


D(KD,E(KE,m)) = m

! secrecy:

3m0,m1#M, c#E(K,mb) 2 b# {0, 1}

4=

3m0,m1#M 2 b# {0, 1}

4=12 (IT-IND)


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


D(KD,E(KE,m)) = m

! secrecy:

3m0,m1#M, c#E(mb) 2 b#A(m0,m1, c)

44

3m0,m1#M 2 b#A(m0,m1, 0)

4412 (COM-IND)

for any feasible probabilistic A :M $M $ C !" {0, 1}(with KE and the seed implicit)


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


D(KD,E(KE,m)) = m

! secrecy (Goldwasser-Micali: "semantic security")3m0,m1#A0, c#E(mb) 2

b#A1(m0,m1, c)44

12 (IND-CPA)

for any probabilistic algorithm A = %A0,A1&. . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


D(KD,E(KE,m)) = m

! secrecy (under chosen cyphertext attack):5c0#A0, m#D(c0),m0,m1#A1(c0,m), c#E(mb)

2b#A2(c0,m, m0,m1, c)

64

12 (IND-CCA)

for any probabilistic algorithm A = %A0,A1,A2&. . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


D(KD,E(KE,m)) = m

! secrecy (under adaptive chosen cyphertext attack):7888888889

c0#A0, m#D(c0),m0,m1#A1(c0,m), c#E(mb)c1#A2(c0,m,m0,m1), :m # D(c1 ! c)

2

b#A3(c0,m,m0,m1, c, c1, :m)

;<<<<<= 4

12 (IND-CCA2)

for any probabilistic algorithm A = %A0,A1,A2,A3&. . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Taxonomy of secrecy properties

IND-CCA2

IT-SEC

COM-SECIT-IND

COM-IND

IND-CPA

IND-CCAIND-CCA1


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Example: El Gamal

Fix a finite field F and g # F'.

M = R = F KE(a) = ga

C = F' $ F KD(a) = aK = F' $ F' E(r , k ,m) =

$gr , kr ·m

%

D+k , %c1, c2&

,=c2ck1


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Example: El Gamal

Fix a finite field F and g # F'.

M = R = F KE(a) = ga

C = F' $ F KD(a) = aK = F' $ F' E(r , k ,m) =

$gr , kr ·m

%

D+k , %c1, c2&

,=c2ck1

Unique decryption

D (KD(a),E(r ,KE(a),m)) = D (a,E(r , ga,m))

= D+a,$gr , (ga)r ·m

%,

=gar ·m(gr )a

= m


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Unconditional security of one-time-pad

PropositionIf all keys are equally likely, then the one-time-pad isunconditionally secure, i.e. it satisfies (IT-SEC).


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


PropositionIf all keys are equally likely, then the one-time-pad isunconditionally secure, i.e. it satisfies (IT-SEC).

Proof3c#C 2 m#M4 = 3m#M4 follows from3m#M 2 c#C4 = 3c#C4 because

3c#C 2 m#M4 =

3m#M

4·3m#M 2 c#C43c#C4

. . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Proof (continued)

On one hand, for all messagesm and cyphertexts c holds3m#M 2 c#C4 =

3k = c !m#K

4=

126N


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Proof (continued)

On the other hand, we have3c # C

4=

!

m+k=c

3m #M

4·3k # K

4

=!

m#M

3m #M

4·3c !m#K

4

=126N

!

m#M

3m #M

4

=126N


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Security of El Gamal

Computational Diffie-Hellman Assumption (CDH)There is no feasible probabilistic algorithm CDH : F2 !" Fsuch that for all a, b # F holds with a high probability

CDH(ga, gb) = gab


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


Computational Diffie-Hellman Assumption (CDH)There is no feasible probabilistic algorithm CDH : F2 !" Fsuch that for all a, b # F holds with a high probability

CDH(ga, gb) = gab

Decision Diffie-Hellman Assumption (DDH)There is no feasible prob. algorithm DDH : F3 !" {0, 1}such that for all a, b # F holds with a probability > 1

2

DDH(x , y , z) =

'(()((*1 if +uv . x = gu , y = gv , z = guv

0 otherwise


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


PropositionEl Gamal satisfies (IND-CPA) if and only if (DDH) holds.El Gamal does not safisty (IND-CCA).


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Security of El GamalRecall the definitions:. . .! unique decryption:

D(KD,E(KE,m)) = m

! secrecy (Goldwasser-Micali: "semantic security")3m0,m1#A0, c#E(mb) 2

b#A1(m0,m1, c)44

12 (IND-CPA)

for any probabilistic algorithm A = %A0,A1&. . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Security of El GamalRecall the definitions:. . .! unique decryption:

D(KD,E(KE,m)) = m

! secrecy (under chosen cyphertext attack):5c0#A0, m#D(c0),m0,m1#A1(c0,m), c#E(mb)

2b#A2(c0,m, m0,m1, c)

64

12 (IND-CCA)

for any probabilistic algorithm A = %A0,A1,A2&. . .


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Security of El GamalProof of (DDH))(IND-CPA)Suppose ¬(IND-CPA).


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Security of El GamalProof of (DDH))(IND-CPA)Suppose ¬(IND-CPA).This means that there is a feasible probabilistic algorithmA = %A0,A1& which! generates m0,m1#A0(k), and then! guesses b#A1(k ,m0,m1, cb) with a probability > 1

2! where cb = E(s, k ,mb) for b# {0, 1}.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Security of El GamalProof of (DDH))(IND-CPA)Suppose ¬(IND-CPA).This means that there is a feasible probabilistic algorithmA = %A0,A1& which! generates m0,m1#A0(k), and then! guesses b#A1(k ,m0,m1, cb) with a probability > 1

2! where cb = E(s, k ,mb) for b# {0, 1}.

We construct the algorithm DDH : F3 !" {0, 1} to decidewhether a triple %x , y , z& is in the form /gu , gv , guv0 forsome u, v # F.


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons

Security of El GamalProof (continued)If the private key KD = u, then El Gamal encrypts

E(v , gu ,m) = %gv , guv ·m&


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


E(v , gu ,m) = %gv , guv ·m&

This means that

DDH(x , y , z) = 1 -) *m.E(x ,m) = %y , z ·m&


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


E(v , gu ,m) = %gv , guv ·m&

This means that

DDH(x , y , z) = 1 -) *m.E(x ,m) = %y , z ·m&

But ¬(IND-CPA) says that A = %A0,A1& can decide theright-hand side, so that m0,m1#A0(x) gives

DDH(x , y , z) =

'((((()(((((*

1 if A1 (x ,m0,m1, %y , z ·m0&) = 0and A1 (x ,m0,m1, %y , z ·m1&) = 1

0 otherwise


Dusko Pavlovic

Channel security

Encryption


Modes

Generating keys

Lessons


HomeworkComplete the proof of the Proposition, showing that! (IND-CPA))(DDH)! (IND-CCA) does not hold.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

ModesModes of operationCompositecryptosystems

Generating keys

Lessons

Outline




Cyphers and modes of operationModes of operationComposite cryptosystems

Key establishment

What did we learn?


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis


Generating keys

Lessons

Modes of operationECBCCB(Ramzan)


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis


Generating keys

Lessons

Composite cryptosystemsShannon’s group algebra.We mix and compose! substitution cyphers and! transposition cyphers

In diagrams, substitutions are boxes; but transpositionsare knots of threads.Feistel cyphers are a standardized form to perform asimple transposition: they split the output in two sets ofstrings, and send them to different places.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis


Generating keys

Lessons

Algebra of dataflowThere is a whole algebra of transpositions. Transpositionsare the terms of an algebra where each variable must beused exactly once. (Pitts-Gabbay: names, variables,nonces.)The Feistel cypher and the modes of operation are veryspecial terms in this algebra.DES and AES.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys"Satan’s computer"DHKANSPK

Lessons

Outline





Key establishment"Programming Satan’s computer"Diffie-Hellman Key AgreementNeedham-Schroeder Public Key Protocol

What did we learn?


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Key establishment

Where do the keys come from?


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Key establishment

! Traditionally, keys sent through a secure channel! messenger, direct handover, physical protection


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Key establishment

! Traditionally, keys sent through a secure channel! messenger, direct handover, physical protection

! In cyberspace, there are no secure channels! only you and me and cryptography


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Key establishment in cyberspace

What is cyberspace?


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons


What is cyberspace?! space of costless communication

! instantaneous message delivery! any two nodes are neighbors: no notion of distance


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons




! end-to-end architecture (TCP, UDP)! simple network links! smart network nodes ("ends")


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons




! end-to-end architecture (TCP, UDP)! simple network links! smart network nodes ("ends")

! "Satan’s computer" (Ross Anderson)! network controlled by the adversaries: Eve, Satan! security only through crypto at the "ends"


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons


Generate your own public key! El Gamal: Alice generates K =

/ga, a0! she picks KD = a! computes KE = ga and! sends KE to Bob


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons


Generate your own public key! El Gamal: Alice generates K =

/ga, a0! she picks KD = a! computes KE = ga and! sends KE to Bob

! RSA: Alice generates K =$%n, e&, d&

%

! she picks large primes p and q and sets n = pq! picks e # Z'

(p!1)(q!1)! computes KD = d = e!1 mod (p ! 1)(q ! 1)! sends KE = %n, e& to Bob


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons


ProblemEve can impersonate Alice! Eve can generate KE and KD,! send KD to Bob! and say "Hi, Alice here, this is my key".

! Bob encrypts his messages to Alice by KE! Eve decrypts them by KD.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Two party key agreementDiffie-Hellman Key Agreement Protocol (DHKA)A B

*x

*y

A to B:gx

B to A:gy

kAB=(gy)x kAB=(gx)y


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Two party key agreementDiffie-Hellman Key Agreement Protocol (DHKA)A B

*x

*y

A to B:gx

B to A:gy

kAB=vx kXB=uy

X to B:u

B to X :v


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Two party key agreementAttack on DHKAA M B

*x

*y

A to B:gx

B to A:gy

B to A:g:y

A to B:g:x*:x

*:y

kAB=gx:y kAB=g:xygx:y g:xy


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Bootstrapping key agreementNeedham-Schroeder Public Key Protocol (NSPK)A B

*x

*y

A to B:EB(x ,A)

B to A:EA(x ,y)

A to B:EB(y)


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Bootstrapping key agreementAttack on NSPKA M B

*x

*y

A to M:EM (x ,A)

B to A:EA(x ,y)

M to A:EA(x ,y)

A to M:EM (y)

A to B:EB(y)

A to B:EB(x ,A)


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons


*x

*y

A to M:EM (x ,A)

B to X :EX (x ,y)

M to X :EX (x ,y)

A to M:EM (y)

X to B:EB(y)

X to B:EB(x ,X )

X to M:zDM (z)x ,X=


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons


*x

*y

A to M:EM (x ,A)

B to X :EX (x ,y)

M to X :w

A to M:EM (y)

A to B:EB(y)

X to B:EB(x ,X )

X to M:zDM (z)x ,X=

B to X :w


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Bootstrapping key agreementHistory of NSPK! NSPK was proposed by in a seminal paper in 1978.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Bootstrapping key agreementHistory of NSPK! NSPK was proposed by in a seminal paper in 1978.! It was often used and studied.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Bootstrapping key agreementHistory of NSPK! NSPK was proposed by in a seminal paper in 1978.! It was often used and studied.! In 1996, Gavin Lowe found the attack

! using the FDR (Failure Divergence Refinement)checker

! as a part of his project work at Comlab


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes


Lessons

Bootstrapping key agreementHistory of NSPK! NSPK was proposed by in a seminal paper in 1978.! It was often used and studied.! In 1996, Gavin Lowe found the attack

! using the FDR (Failure Divergence Refinement)checker

! as a part of his project work at Comlab! Later he built Casper.! More at practicals!


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Outline





Key establishment

What did we learn?


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Lessons about the bad information flows

! information leaks through interference of resources! covert channels are hard to eliminate! formal models help prevent Trojan intrusions


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons



! secrecy is achieved in complicated ways! some of the "purest" maths became the most applied! public key crypto needed a public science of crypto


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons



! secrecy is achieved in complicated ways! some of the "purest" maths became the most applied! public key crypto needed a public science of crypto

! but cryptanalysis is also hard! encryptions are not broken every day! most security failures arise from protocol failures


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Lessons about computation


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons


! The simple insights that! some computations are hard to invert

! e.g., getting p or q from pq, or a from ga and g! some informations are hard to guess

! if the source is large and unbiased


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons




! if the source is large and unbiased! point to the important lesson that

! complexity and! randomness

are powerful computational resources.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons




! if the source is large and unbiased! point to the important lesson that

! complexity and! randomness

are powerful computational resources.! The negative can be used as the positive.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

. . . are used to push good information flows

! The absence of bad information flows

! is a fulcrum to move the good information flows.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

. . . are used to push good information flows

! The absence of bad information flows! "If noone can forge Alice’s signature. . .

! is a fulcrum to move the good information flows.! . . . then this message must be from Alice :)))"


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons

Guiding principles for the next part


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons


! Every secret must be authenticated! to prevent impersonation.! Most protocol failures are authentication failures .


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons



! Every authentication must be based on a secret! (in cyberspace).! The chicken and the egg.


Dusko Pavlovic

Channel security

Encryption

Cryptanalysis

Modes

Generating keys

Lessons



! Every authentication must be based on a secret! (in cyberspace).! The chicken and the egg.

! Security is always bootstrapped! secrecy and authenticity are based on each other! new secrets are derived from old secrets

Documents

Outline - Information Security Group 3: Cryptography Dusko Pavlovic Channel security Information Areas of inf. sec. Trojan horse Noninterference Encryption Cryptanalysis Modes Generating