Download - Practical Aspects of Modern Cryptography
![Page 1: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/1.jpg)
Practical Aspects of Modern Cryptography
Josh Benaloh & Brian LaMacchia
![Page 2: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/2.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Public-Key History
• 1976 New Directions in CryptograhyWhit Diffie and Marty Hellman• One-Way functions
• Diffie-Hellman Key Exchange
• 1978 RSA paperRon Rivest, Adi Shamir, and Len Adleman• RSA Encryption System
• RSA Digital Signature Mechanism
![Page 3: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/3.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
The Fundamental Equation
Z=YZ=YXX mod Nmod N
![Page 4: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/4.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Diffie-Hellman
Z=YZ=YXX mod Nmod NWhen X is unknown, the problem is
known as the discrete logarithm and is generally believed to be hard to solve.
![Page 5: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/5.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange
Alice• Randomly select a
large integer a and send A = Ya mod N.
• Compute the key K = Ba mod N.
Bob• Randomly select a
large integer b and send B = Yb mod N.
• Compute the key K = Ab mod N.
Ba = Yba = Yab = Ab
![Page 6: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/6.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange
What does Eve see?
Y, Ya , Yb
… but the exchanged key is Yab.
Belief: Given Y, Ya , Yb it is difficult to compute Yab .
Contrast with discrete logarithm assumption: Given Y, Yx it is difficult to compute x .
![Page 7: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/7.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
One-Way Trap-Door Functions
Z=Z=YYXX mod Nmod NRecall that this equation is solvable for Y
if the factorization of N is known, but is believed to be hard otherwise.
![Page 8: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/8.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
RSA Public-Key Cryptosystem
Alice• Select two large
random primes P & Q.• Publish the product
N=PQ.• Use knowledge of P &
Q to compute Y.
Anyone• To send message Y to
Alice, compute Z=YX mod N.
• Send Z and X to Alice.
![Page 9: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/9.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Some RSA Details
When N=PQ is the product of distinct primes,
YX mod N = Y whenever
X mod (P-1)(Q-1) = 1 and 0 YN.
![Page 10: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/10.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Some RSA Details
When N=PQ is the product of distinct primes,
YX mod N = Y whenever
X mod (P-1)(Q-1) = 1 and 0 YN.
Alice can easily select integers E and D such that E•D mod (P-1)(Q-1) = 1.
![Page 11: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/11.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Some RSA Details
Encryption: E(Y) = YE mod N.
Decryption: D(Y) = YD mod N.
D(E(Y))
= (YE mod N)D mod N
= YED mod N
= Y
![Page 12: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/12.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
RSA Signatures
An additional property
D(E(Y)) = YED mod N = Y
E(D(Y)) = YDE mod N = Y
Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = YD mod N.
This D(Y) serves as Alice’s signature on Y.
![Page 13: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/13.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Remaining RSA Basics
• Why is YX mod PQ = Y whenever
X mod (P-1)(Q-1) = 1, 0 YPQ,
and P and Q are distinct primes?
• How can Alice can select integers E and D such that E•D mod (P-1)(Q-1) = 1?
![Page 14: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/14.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Modular Arithmetic
• To compute (A+B) mod N,compute (A+B) and take the result mod N.
• To compute (A-B) mod N,compute (A-B) and take the result mod N.
• To compute (A×B) mod N,compute (A×B) and take the result mod N.
• To compute (A÷B) mod N, …
![Page 15: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/15.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Modular Division
What is the value of (1÷2) mod 7?
We need a solution to 2x mod 7 = 1.
Try x = 4.
What is the value of (7÷5) mod 11?
We need a solution to 5x mod 11 = 7.
Try x = 8.
![Page 16: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/16.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Modular Division
Is modular division always well-defined?
(1÷3) mod 6 = ?
3x mod 6 = 1 has no solution!
Fact
(A÷B) mod N always has a solution when gcd(B,N) = 1.
![Page 17: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/17.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Greatest Common Divisors
gcd(A , B) = gcd(B , A - B)
gcd(21,12) = gcd(12,9) = gcd(9,3)
= gcd(6,3) = gcd(3,3) = gcd(0,3) = 3
gcd(A , B) = gcd(B , A mod B)
gcd(21,12) = gcd(12,9) = gcd(9,3)
= gcd(0,3) = 3
![Page 18: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/18.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B).
When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such that
AX + BY = gcd(A,B) = 1.
Compute (C÷A) mod B as C×(1÷A) mod B.
![Page 19: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/19.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
Given A,B > 0, set x1=1, x2=0, y1=0, y2=1, a1=A, b1=B, i=1.
Repeat while bi>0: {i = i + 1;
q = ai-1 div bi-1; bi = ai-1-qbi-1; ai = bi-1;
xi+1=xi-1-qxi; yi+1=yi-1-qyi}.
Axi + Byi = ai = gcd(A,B).
![Page 20: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/20.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Remaining RSA Basics
• Why is YX mod PQ = Y whenever
X mod (P-1)(Q-1) = 1, 0 YPQ,
and P and Q are distinct primes?
• How can Alice can select integers E and D such that E•D mod (P-1)(Q-1) = 1?
![Page 21: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/21.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Fermat’s Little Theorem
If p is prime,
then x p-1 mod p = 1 for all 0 < x < p.
Equivalently …
If p is prime,
then x p mod p = x mod p for all integers x.
![Page 22: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/22.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
The Binomial Theorem
(x + y) p = x p + ( )x p-1y + … + ( )xy p-1 + y p
If p is prime, then ( ) mod p = 0 for 0 < i < p.
Thus, (x + y) p mod p = (x p + y p) mod p.
p1
Proof of Fermat’s Little Theorem
pp-1
pi
![Page 23: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/23.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
By induction on x…
Basis
If x = 0, then x p mod p = 0 = x mod p.
If x = 1, then x p mod p = 1 = x mod p.
![Page 24: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/24.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
Inductive Step
Assume that x p mod p = x mod p.
Then (x + 1) p mod p = (x p + 1p) mod p
= (x + 1) mod p.
Hence, x p mod p = x mod p for integers x ≥ 0.
Also true for negative x, since (-x) p = (-1) px p.
![Page 25: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/25.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Proof of RSA
We have shown …
YP mod P = Y whenever 0 ≤ Y < P
and P is prime!
You will show …
YK(P-1)(Q-1)+1 mod PQ = Y when 0 ≤ Y < PQ
P and Q are distinct primes and K ≥ 0.
![Page 26: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/26.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Authentication
How can I use RSA to authenticate someone’s identity?
If Alice’s public key EA, just pick a random message m and send EA(m).
If m comes back, I must be talking to Alice.
![Page 27: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/27.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Authentication
Should Alice be happy with this method of authentication?
Bob sends Alice the authentication string y = “I owe Bob $1,000,000 - signed Alice.”
Alice dutifully authenticates herself by decrypting (putting her signature on) y.
![Page 28: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/28.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Authentication
What if Alice only returns authentication queries when the decryption has a certain format?
![Page 29: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/29.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
RSA Cautions
Is it reasonable to sign/decrypt something given to you by someone else?
Note that RSA is multiplicative. Can this property be used/abused?
![Page 30: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/30.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
RSA Cautions
D(Y1) • D(Y2) = D(Y1 • Y2)
Thus, if I’ve decrypted (or signed) Y1 and Y2, I’ve also decrypted (or signed) Y1 • Y2.
![Page 31: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/31.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
The Hastad Attack
Given
E1(x) = x3 mod n1
E2(x) = x3 mod n2
E3(x) = x3 mod n3
one can easily compute x.
![Page 32: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/32.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
The Bleichenbacher Attack
PKCS#1 Message Format:
00 01 XX XX ... XX 00 YY YY ... YY
randomnon-zero
bytes
message
![Page 33: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/33.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
“Man-in-the-Middle” Attacks
Alice Bob
Alice Eve Bob
![Page 34: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/34.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
The Practical Side
• RSA can be used to encrypt any data.
• Public-key (asymmetric) cryptography is very inefficient when compared to traditional private-key (symmetric) cryptography.
![Page 35: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/35.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
The Practical Side
For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key.
The private session key is used to encrypt and authenticate any subsequent data.
Digital signatures are only used to sign a digest of the message.
![Page 36: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/36.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Symmetric Ciphers
Private-key (symmetric) ciphers are usually divided into two classes.
• Block ciphers
• Stream ciphers
![Page 37: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/37.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Symmetric Ciphers
Private-key (symmetric) ciphers are usually divided into two classes.
• Block ciphers
• Stream ciphers
![Page 38: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/38.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Block Ciphers
BlockCipher
Plaintext Data Ciphertext
Key
![Page 39: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/39.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Block Ciphers
BlockCipher
Plaintext Data Ciphertext
Key
Currently usually 8 bytes.Soon 16-32 bytes.
![Page 40: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/40.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Block Cipher Modes
Electronic Code Book (ECB) Encryption:
BlockCipher
BlockCipher
BlockCipher
BlockCipher
Plaintext
Ciphertext
![Page 41: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/41.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Block Cipher Modes
Electronic Code Book (ECB) Decryption:
InverseCipher
InverseCipher
InverseCipher
InverseCipher
Plaintext
Ciphertext
![Page 42: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/42.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Block Cipher Modes
Electronic Code Book (ECB) Encryption:
BlockCipher
BlockCipher
BlockCipher
BlockCipher
Plaintext
Ciphertext
![Page 43: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/43.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Block Cipher Modes
Cipher Block Chaining (CBC) Encryption:
BlockCipher
BlockCipher
BlockCipher
BlockCipher
Plaintext
Ciphertext
IV
![Page 44: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/44.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Block Cipher Modes
Cipher Block Chaining (CBC) Decryption:
InverseCipher
InverseCipher
InverseCipher
InverseCipher
Plaintext
Ciphertext
IV
![Page 45: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/45.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Block Cipher Modes
Cipher Block Chaining (CBC) Encryption:
BlockCipher
BlockCipher
BlockCipher
BlockCipher
Plaintext
Ciphertext
IV
![Page 46: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/46.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
How to Build a Block Cipher
BlockCipher
Plaintext
Ciphertext
Key
![Page 47: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/47.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Feistel Ciphers
Ugly
![Page 48: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/48.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Feistel Ciphers
Ugly
![Page 49: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/49.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Feistel Ciphers
Ugly
![Page 50: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/50.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Ugly
Feistel Ciphers
![Page 51: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/51.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Feistel Ciphers
Ugly
Ugly
![Page 52: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/52.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Feistel Ciphers
• Typically, most Feistel ciphers are iterated for about 16 rounds.
• Different “sub-keys” are used for each round.
• Even a weak round function can yield a strong Feistel cipher if iterated sufficiently.
![Page 53: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/53.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Data Encryption Standard (DES)
BlockCipher
64-bit Plaintext
64-bit Ciphertext
56-bit Key
![Page 54: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/54.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Data Encryption Standard (DES)
64-bit Plaintext
64-bit Ciphertext
56-bit Key 16 FeistelRounds
![Page 55: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/55.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Data Encryption Standard (DES)
64-bit Plaintext
64-bit Ciphertext
56-bit Key 16 FeistelRounds
![Page 56: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/56.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
DES Round
Ugly
![Page 57: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/57.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Simplified DES Round Function
Sub-key
4-bit substitutions
32-bit permutation
Ugly32 bits
![Page 58: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/58.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Actual DES Round Function
Sub-key
6/4-bit substitutions
32-bit permutation
Ugly32 bits
48 bits
![Page 59: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/59.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Symmetric Ciphers
Private-key (symmetric) ciphers are usually divided into two classes.
• Block ciphers
• Stream ciphers
![Page 60: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/60.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Stream Ciphers
• Use the key as a seed to a pseudo-random number-generator.
• Take the stream of output bits from the PRNG and XOR it with the plaintext to form the ciphertext.
![Page 61: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/61.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Stream Cipher Encryption
Plaintext:
PRNG(seed):
Ciphertext:
![Page 62: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/62.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Stream Cipher Decryption
Plaintext:
PRNG(seed):
Ciphertext:
![Page 63: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/63.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A PRNG: Alleged RC4
Initialization
S[0..255] = 0,1,…,255
K[0..255] = Key,Key,Key,…
for i = 0 to 255
j = (j + S[i] + K[i]) mod 256
swap S[i] and S[j]
![Page 64: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/64.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A PRNG: Alleged RC4
Iteration
i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap S[i] and S[j]
t = (S[i] + S[j]) mod 256
Output S[t]
![Page 65: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/65.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Stream Cipher Integrity
• It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way.
Bob to Bob’s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice.
![Page 66: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/66.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Stream Cipher Integrity
• It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way.
Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice.
![Page 67: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/67.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Stream Cipher Integrity
• It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way.
Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice.
• This can be protected against by the careful addition of appropriate redundancy.
![Page 68: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/68.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
One-Way Hash Functions
The idea of a check sum is great, but it is designed to prevent accidental changes in a message.
For cryptographic integrity, we need an integrity check that is resilient against a smart and determined adversary.
![Page 69: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/69.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
One-Way Hash Functions
Generally, a one-way hash function is a function H : {0,1}* {0,1}k (typically k is 128 or 160) such that given an input value x, one cannot find a value x x such H(x) = H(x ).
![Page 70: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/70.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
One-Way Hash Functions
There are many measures for one-way hashes.
• Non-invertability: given y, it’s difficult to find any x such that H(x) = y.
• Collision-intractability: one cannot find a pair of values x x such that H(x) = H(x ).
![Page 71: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/71.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
One-Way Hash Functions
• When using a stream cipher, a hash of the message can be appended to ensure integrity. [Message Authentication Code]
• When forming a digital signature, the signature need only be applied to a hash of the message. [Message Digest]
![Page 72: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/72.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
CompressionFunction
160-bit Output
512-bit Input(IV)
![Page 73: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/73.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
160-bit 512-bit
One of 80 rounds
![Page 74: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/74.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
160-bit 512-bit
One of 80 rounds
No Change
![Page 75: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/75.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
160-bit 512-bit
One of 80 rounds
Rotate 30 bits
![Page 76: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/76.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
160-bit 512-bit
One of 80 rounds
No Change
![Page 77: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/77.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
160-bit 512-bit
One of 80 rounds
No Change
![Page 78: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/78.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
160-bit 512-bit
One of 80 rounds
?
![Page 79: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/79.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
What’s in the final 32-bit transform?
• Take the rightmost word.
• Add in the leftmost word rotated 5 bits.
• Add in a round-dependent function f of the middle three words.
![Page 80: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/80.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
160-bit 512-bit
One of 80 rounds
f
![Page 81: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/81.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
Depending on the round, the “non-linear” function f is one of the following.
f(X,Y,Z) = (XY) ((X)Z)
f(X,Y,Z) = (XY) (XZ) (YZ)
f(X,Y,Z) = X Y Z
![Page 82: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/82.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
What’s in the final 32-bit transform?
• Take the rightmost word.
• Add in the leftmost word rotated 5 bits.
• Add in a round-dependent function f of the middle three words.
![Page 83: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/83.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
What’s in the final 32-bit transform?
• Take the rightmost word.
• Add in the leftmost word rotated 5 bits.
• Add in a round-dependent function f of the middle three words.
• Add in a round-dependent constant.
![Page 84: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/84.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
What’s in the final 32-bit transform?
• Take the rightmost word.
• Add in the leftmost word rotated 5 bits.
• Add in a round-dependent function f of the middle three words.
• Add in a round-dependent constant.
• Add in a portion of the 512-bit message.
![Page 85: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/85.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
A Cryptographic Hash: SHA-1
160-bit 512-bit
One of 80 rounds
![Page 86: Practical Aspects of Modern Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081506/56814982550346895db6ccf8/html5/thumbnails/86.jpg)
January 15, 2002Practical Aspects of Modern Cryptography
Cryptographic Tools
One-Way Trapdoor Functions
Public-Key Encryption Schemes
One-Way Functions
One-Way Hash Functions
Pseudo-Random Number-Generators
Secret-Key Encryption Schemes
Digital Signature Schemes