faryal crypto book

1. HANDBOOK ofAPPLIEDCRYPTOGRAPHYAlfred J. MenezesPaul C. van OorschotScott A. Vanstone

2. Forewordby R.L. RivestAs we draw near to closing out the twentieth century, we see quite clearly that theinformation-processing and telecommunications revolutions now underway willcontinue vigorously into the twenty-first. We interact and transact by directing flocksof digital packets towards each other through cyberspace, carrying love notes, digitalcash, and secret corporate documents. Our personal and economic lives rely more andmore on our ability to let such ethereal carrier pigeons mediate at a distance what weused to do with face-to-face meetings, paper documents, and a firm handshake.Unfortunately, the technical wizardry enabling remote collaborations is founded onbroadcasting everything as sequences of zeros and ones that ones own dog wouldntrecognize. What is to distinguish a digital dollar when it is as easily reproducible as thespoken word? How do we converse privately when every syllable is bounced off asatellite and smeared over an entire continent? How should a bank know that it really isBill Gates requesting from his laptop in Fiji a transfer of $10,000,000,000 to anotherbank? Fortunately, the magical mathematics of cryptography can help. Cryptographyprovides techniques for keeping information secret, for determining that informationhas not been tampered with, and for determining who authored pieces of information.Cryptography is fascinating because of the close ties it forges between theory andpractice, and because todays practical applications of cryptography are pervasive andcritical components of our information-based society. Information-protection protocolsdesigned on theoretical foundations one year appear in products and standardsdocuments the next. Conversely, new theoretical developments sometimes mean thatlast years proposal has a previously unsuspected weakness. While the theory isadvancing vigorously, there are as yet few true guarantees; the security of manyproposals depends on unproven (if plausible) assumptions. The theoretical work refinesand improves the practice, while the practice challenges and inspires the theoreticalwork. When a system is "broken," our knowledge improves, and next years system isimproved to repair the defect. (One is reminded of the long and intriguing battlebetween the designers of bank vaults and their opponents.)Cryptography is also fascinating because of its game-like adversarial nature. A goodcryptographer rapidly changes sides back and forth in his or her thinking, from attackerto defender and back. Just as in a game of chess, sequences of moves and counter-moves must be considered until the current situation is understood. Unlike chessplayers, cryptographers must also consider all the ways an adversary might try to gainby breaking the rules or violating expectations. (Does it matter if she measures howlong I am computing? Does it matter if her "random" number isnt one?)The current volume is a major contribution to the field of cryptography. It is a rigorousencyclopedia of known techniques, with an emphasis on those that are both (believed tobe) secure and practically useful. It presents in a coherent manner most of the importantcryptographic tools one needs to implement secure cryptographic systems, and explainsmany of the cryptographic principles and protocols of existing systems. The topicscovered range from low-level considerations such as random-number generation andefficient modular exponentiation algorithms and medium-level items such as public-key signature techniques, to higher-level topics such as zero-knowledge protocols. This 3. books excellent organization and style allow it to serve well as both a self-containedtutorial and an indispensable desk reference.In documenting the state of a fast-moving field, the authors have done incredibly wellat providing error-free comprehensive content that is up-to-date. Indeed, many of thechapters, such as those on hash functions or key-establishment protocols, break newground in both their content and their unified presentations. In the trade-off betweencomprehensive coverage and exhaustive treatment of individual items, the authors havechosen to write simply and directly, and thus efficiently, allowing each element to beexplained together with their important details, caveats, and comparisons.While motivated by practical applications, the authors have clearly written a book thatwill be of as much interest to researchers and students as it is to practitioners, byincluding ample discussion of the underlying mathematics and associated theoreticalconsiderations. The essential mathematical techniques and requisite notions arepresented crisply and clearly, with illustrative examples. The insightful historical notesand extensive bibliography make this book a superb stepping-stone to the literature. (Iwas very pleasantly surprised to find an appendix with complete programs for theCRYPTO and EUROCRYPT conferences!)It is a pleasure to have been asked to provide the foreword for this book. I am happy tocongratulate the authors on their accomplishment, and to inform the reader that he/sheis looking at a landmark in the development of the field.Ronald L. RivestWebster Professor of Electrical Engineering and Computer ScienceMassachusetts Institute of TechnologyJune 1996 4. PrefaceThis book is intended as a reference for professional cryptographers, presenting thetechniques and algorithms of greatest interest to the current practitioner, along with the sup-portingmotivation and background material. It also provides a comprehensive source fromwhich to learn cryptography, serving both students and instructors. In addition, the rigor-ous treatment, breadth, and extensive bibliographic material should make it an importantreference for research professionals.Our goal was to assimilate the existing cryptographic knowledge of industrial interestinto one consistent, self-contained volume accessible to engineers in practice, to computerscientists and mathematicians in academia, and to motivated non-specialists with a strongdesire to learn cryptography. Such a task is beyond the scope of each of the following: re-search papers, which by nature focus on narrow topics using very specialized (and oftennon-standard) terminology; survey papers, which typically address, at most, a small num-ber of major topics at a high level; and (regretably also) most books, due to the fact thatmany book authors lack either practical experience or familiarity with the research litera-ture or both. Our intent was to provide a detailed presentation of those areas of cryptogra-phy which we have found to be of greatest practical utilityin our own industrialexperience,while maintaining a sufciently formal approach to be suitable both as a trustworthy refer-ence for those whose primary interest is further research, and to provide a solid foundationfor students and others rst learning the subject.Throughout each chapter, we emphasize the relationship between various aspects ofcryptography. Background sections commence most chapters, providing a framework andperspective for the techniques which follow. Computer source code (e.g. C code) for algo-rithms has been intentionallyomitted, in favor of algorithms specied in sufcient detail toallow direct implementationwithoutconsultingsecondary references. We believe this styleof presentation allows a better understanding of how algorithms actually work, while at thesame time avoiding low-level implementation-specic constructs (which some readers willinvariably be unfamiliar with) of various currently-popular programming languages.The presentation also strongly delineates what has been established as fact (by math-ematical arguments) from what is simply current conjecture. To avoid obscuring the veryapplied nature of the subject, rigorousproofs of correctness are in most cases omitted; how-ever, references given in the Notes section at the end of each chapter indicate the originalor recommended sources for these results. The trailing Notes sections also provide infor-mation (quite detailed in places) on various additionaltechniques not addressed in the maintext, and provide a survey of research activities and theoretical results; references again in-dicate where readers may pursue particular aspects in greater depth. Needless to say, manyresults, and indeed some entire research areas, have been given far less attention than theywarrant, or have been omitted entirely due to lack of space; we apologize in advance forsuch major omissions, and hope that the most signicant of these are brought to our atten-tion.To provide an integrated treatment of cryptography spanning foundational motivationthrough concrete implementation, it is useful to consider a hierarchy of thought rangingfrom conceptual ideas and end-user services, down to the tools necessary to complete ac-tual implementations. Table 1 depicts the hierarchical structure around which this book isorganized. Corresponding to this, Figure 1 illustrates how these hierarchical levels mapxxiii 5. xxiv PrefaceInformation Security ObjectivesCondentialityData integrityAuthentication (entity and data origin)Non-repudiationCryptographic functionsEncryption Chapters 6, 7, 8Message authentication and data integrity techniques Chapter 9Identication/entity authentication techniques Chapter 10Digital signatures Chapter 11Cryptographic building blocksStream ciphers Chapter 6Block ciphers (symmetric-key) Chapter 7Public-key encryption Chapter 8One-way hash functions (unkeyed) Chapter 9Message authentication codes Chapter 9Signature schemes (public-key, symmetric-key) Chapter 11UtilitiesPublic-key parameter generation Chapter 4Pseudorandom bit generation Chapter 5Efcient algorithms for discrete arithmetic Chapter 14FoundationsIntroduction to cryptography Chapter 1Mathematical background Chapter 2Complexity and analysis of underlying problems Chapter 3Infrastructure techniques and commercial aspectsKey establishment protocols Chapter 12Key installation and key management Chapter 13Cryptographic patents Chapter 15Cryptographic standards Chapter 15Table 1: Hierarchical levels of applied cryptography.onto the various chapters, and their inter-dependence.Table 2 lists the chapters of the book, along with the primary author(s) of each whoshould be contacted by readers with comments on specic chapters. Each chapter was writ-ten to provide a self-contained treatment of one major topic. Collectively, however, thechapters have been designed and carefully integrated to be entirely complementary withrespect to denitions, terminology, and notation. Furthermore, there is essentially no du-plication of material across chapters; instead, appropriate cross-chapter references are pro-vided where relevant.While it is not intended that this book be read linearly from front to back, the materialhas been arranged so that doing so has some merit. Two primary goals motivated by thehandbook nature of this project were to allow easy access to stand-alone results, and to al-low results and algorithms to be easily referenced (e.g., for discussion or subsequent cross-reference). To facilitate the ease of accessing and referencing results, items have been cate-gorizedand numbered to a large extent, withthe followingclasses of items jointlynumberedconsecutively in each chapter: Denitions, Examples, Facts, Notes, Remarks, Algorithms,Protocols, and Mechanisms. In more traditional treatments, Facts are usually identied aspropositions,lemmas, or theorems. We use numbered Notes for additionaltechnical points, 6. Preface xxvauthenticationdataintegrityconfidentialitydataintegritytechniquesmessageauthenticationidentificationChapter9Chapter9Chapters6,7,8encryptionChapter9hashfunctionsChapter9signaturesChapter11(symmetric-key)numberrandomChapter5generationChapter4non-repudiationChapter10Chapter11signaturesdigitalhashfunctionsChapter13keymanagement(keyed)(unkeyed)streamciphersChapter8(public-key)Chapter7blockciphers(symmetric-key)signaturesChapter11(public-key)Chapter3public-keyparameterspublic-keysecurityfoundationsestablishmentofsecretkeysChapter12Chapter6encryptionChapter14implementationefficientpatentsandstandardsChapter15Chapter2backgroundmathChapter1introductionFigure 1: Roadmap of the book. 7. xxvi PrefaceChapter Primary AuthorAJM PVO SAV1. Overview of Cryptography * * *2. Mathematical Background *3. Number-Theoretic Reference Problems *4. Public-Key Parameters * *5. Pseudorandom Bits and Sequences *6. Stream Ciphers *7. Block Ciphers *8. Public-Key Encryption *9. Hash Functions and Data Integrity *10. Identication and Entity Authentication *11. Digital Signatures *12. Key Establishment Protocols *13. Key Management Techniques *14. Efcient Implementation *15. Patents and Standards * Overall organization * *Table 2: Primary authors of each chapter.while numbered Remarks identify non-technical (often non-rigorous) comments, observa-tions, and opinions. Algorithms, Protocols and Mechanisms refer to techniques involvinga series of steps. Examples, Notes, and Remarks generally begin with parenthetical sum-mary titles to allow faster access, by indicating the nature of the content so that the entireitem itself need not be read in order to determine this. The use of a large number of smallsubsections is also intended to enhance the handbook nature and accessibility to results.Regarding the partitioning of subject areas into chapters, we have used what we call afunctionalorganization(based on functionsof interest to end-users). For example, all itemsrelated toentityauthenticationare addressed inone chapter. An alternativewouldhave beenwhat may be called an academic organization, under which perhaps, all protocols based onzero-knowledge concepts (including both a subset of entity authentication protocols andsignature schemes) might be covered in one chapter. We believe that a functional organi-zation is more convenient to the practitioner, who is more likely to be interested in optionsavailable for an entity authentication protocol (Chapter 10) or a signature scheme (Chapter11), than to be seeking a zero-knowledge protocol with unspecied end-purpose.In the front matter, a top-level Table of Contents (giving chapter numbers and titlesonly) is provided, as well as a detailed Table of Contents (down to the level of subsections,e.g., x5.1.1). This is followed by a List of Figures, and a List of Tables. At the start of eachchapter, a brief Table of Contents(specifyingsection number and titlesonly, e.g., x5.1, x5.2)is also given for convenience.Atthe end of the book, we have includeda listofpapers presented at each of the Crypto,Eurocrypt, Asiacrypt/Auscrypt and Fast Software Encryption conferences to date, as wellas a list of all papers published in the Journal of Cryptology up to Volume 9. These arein addition to the References section, each entry of which is cited at least once in the bodyof the handbook. Almost all of these references have been veried for correctness in theirexact titles, volume and page numbers, etc. Finally, an extensive Index prepared by theauthors is included. The Index begins with a List of Symbols.Our intention was not to introduce a collection of new techniques and protocols, but 8. Preface xxviirather to selectively present techniques from those currently available in the public domain.Such a consolidation of the literature is necessary from time to time. The fact that manygood books in this eld include essentially no more than what is covered here in Chapters7, 8 and 11 (indeed, these might serve as an introductorycourse along with Chapter 1) illus-trates that the eld has grown tremendously in the past 15 years. The mathematical foun-dation presented in Chapters 2 and 3 is hard to nd in one volume, and missing from mostcryptography texts. The material in Chapter 4 on generation of public-key parameters, andin Chapter 14 on efcient implementations, while well-known to a small body of specialistsand available in the scattered literature, has previously not been available in general texts.The material in Chapters 5 and 6 on pseudorandom number generation and stream ciphersis also often absent (many texts focus entirely on block ciphers), or approached only froma theoretical viewpoint. Hash functions (Chapter 9) and identication protocols (Chapter10) have only recently been studied in depth as specialized topics on their own, and alongwith Chapter 12 on key establishment protocols, it is hard to nd consolidated treatmentsof these now-mainstream topics. Key management techniques as presented in Chapter 13have traditionallynot been given much attention by cryptographers, but are of great impor-tance in practice. A focused treatment of cryptographic patents and a concise summary ofcryptographic standards, as presented in Chapter 15, are also long overdue.In most cases (with some historical exceptions), where algorithms are known to be in-secure, we have chosen to leave out specication of their details, because most such tech-niques are of little practical interest. Essentially all of the algorithms included have beenveried for correctness by independent implementation, conrming the test vectors speci-ed.AcknowledgementsThis project would not have been possible without the tremendous efforts put forth by ourpeers who have taken the time to read endless drafts and provide us with technical correc-tions, constructive feedback, and countless suggestions. In particular, the advice of our Ad-visoryEditors has been invaluable, and itis impossibleto attributeindividualcredit for theirmany suggestions throughout this book. Among our Advisory Editors, we would particu-larly like to thank:Mihir Bellare Don Coppersmith Dorothy Denning Walter FumyBurt Kaliski Peter Landrock Arjen Lenstra Ueli MaurerChris Mitchell Tatsuaki Okamoto Bart Preneel Ron RivestGus Simmons Miles Smid Jacques Stern Mike WienerYacov YacobiIn addition, we gratefully acknowledge the exceptionally large number of additional indi-viduals who have helped improve the quality of this volume, by providing highly appreci-ated feedback and guidance on various matters. These individuals include:Carlisle Adams Rich Ankney Tom BersonSimon Blackburn Ian Blake Antoon BosselaersColin Boyd Jorgen Brandt Mike BurmesterEd Dawson Peter de Rooij Yvo DesmedtWhit Dife Hans Dobbertin Carl EllisonLuis Encinas Warwick Ford Amparo FusterShuhong Gao Will Gilbert Marc GiraultJovan Golic Dieter Gollmann Li Gong 9. xxviii PrefaceCarrie Grant Blake Greenlee Helen GustafsonDarrel Hankerson Anwar Hasan Don JohnsonMike Just Andy Klapper Lars KnudsenNeal Koblitz C etin Koc Judy KoellerEvangelos Kranakis David Kravitz Hugo KrawczykXuejia Lai Charles Lam Alan LingS. Mike Matyas Willi Meier Peter MontgomeryMike Mosca Tim Moses Serge MisterVolker Mueller David Naccache James NechvatalKaisa Nyberg Andrew Odlyzko Richard OuterbridgeWalter Penzhorn Birgit Ptzmann Kevin PhelpsLeon Pintsov Fred Piper Carl PomeranceMatt Robshaw Peter Rodney Phil RogawayRainer Rueppel Mahmoud Salmasizadeh Roger SchlayJeff Shallit Jon Sorenson Doug StinsonAndrea Vanstone Serge Vaudenay Klaus VedderJerry Veeh Fausto Vitini Lisa YinRobert ZuccheratoWe apologize to those whose names have inadvertentlyescaped this list. Special thanks aredue to Carrie Grant, Darrel Hankerson, Judy Koeller, Charles Lam, and Andrea Vanstone.Their hard work contributed greatly to the quality of this book, and it was truly a pleasureworking with them. Thanks also to the folks at CRC Press, including Tia Atchison, GaryBennett, Susie Carlisle, Nora Konopka, Mary Kugler, Amy Morrell, Tim Pletscher, BobStern, and Wayne Yuhasz. The second author would like to thank his colleagues past andpresent at Nortel Secure Networks (Bell-NorthernResearch), many of whom are mentionedabove, for their contributions on this project, and in particular Brian OHiggins for his en-couragement and support; all views expressed, however, are entirely that of the author. Thethird author would also like to acknowledge the support of the Natural Sciences and Engi-neering Research Council.Any errors that remain are, of course, entirelyour own. We wouldbe grateful if readerswhospot errors, missing references or credits, orincorrectlyattributedresults wouldcontactus with details. It is our hope that this volume facilitates further advancement of the eld,and that we have helped play a small part in this.Alfred J. MenezesPaul C. van OorschotScott A. VanstoneAugust, 1996 10. Table of ContentsList of Tables xvList of Figures xixForeword by R.L. Rivest xxiPreface xxiii1 Overview of Cryptography 11.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 11.2 Information security and cryptography : : : : : : : : : : : : : : : : : : 21.3 Background on functions : : : : : : : : : : : : : : : : : : : : : : : : : 61.3.1 Functions (1-1, one-way, trapdoor one-way) : : : : : : : : : : : : 61.3.2 Permutations : : : : : : : : : : : : : : : : : : : : : : : : : : : : 101.3.3 Involutions : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 101.4 Basic terminology and concepts : : : : : : : : : : : : : : : : : : : : : : 111.5 Symmetric-key encryption : : : : : : : : : : : : : : : : : : : : : : : : 151.5.1 Overview of block ciphers and stream ciphers : : : : : : : : : : : 151.5.2 Substitution ciphers and transposition ciphers : : : : : : : : : : : 171.5.3 Composition of ciphers : : : : : : : : : : : : : : : : : : : : : : 191.5.4 Stream ciphers : : : : : : : : : : : : : : : : : : : : : : : : : : : 201.5.5 The key space : : : : : : : : : : : : : : : : : : : : : : : : : : : 211.6 Digital signatures : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 221.7 Authentication and identication : : : : : : : : : : : : : : : : : : : : : 241.7.1 Identication : : : : : : : : : : : : : : : : : : : : : : : : : : : : 241.7.2 Data origin authentication : : : : : : : : : : : : : : : : : : : : : 251.8 Public-key cryptography : : : : : : : : : : : : : : : : : : : : : : : : : 251.8.1 Public-key encryption : : : : : : : : : : : : : : : : : : : : : : : 251.8.2 The necessity of authentication in public-key systems : : : : : : : 271.8.3 Digital signatures from reversible public-key encryption : : : : : : 281.8.4 Symmetric-key vs. public-key cryptography : : : : : : : : : : : : 311.9 Hash functions : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 331.10 Protocols and mechanisms : : : : : : : : : : : : : : : : : : : : : : : : : 331.11 Key establishment, management, and certication : : : : : : : : : : : : : 351.11.1 Key management through symmetric-key techniques : : : : : : : 361.11.2 Key management through public-key techniques : : : : : : : : : : 371.11.3 Trusted third parties and public-key certicates : : : : : : : : : : 391.12 Pseudorandom numbers and sequences : : : : : : : : : : : : : : : : : : 391.13 Classes of attacks and security models : : : : : : : : : : : : : : : : : : 411.13.1 Attacks on encryption schemes : : : : : : : : : : : : : : : : : : 411.13.2 Attacks on protocols : : : : : : : : : : : : : : : : : : : : : : : : 421.13.3 Models for evaluating security : : : : : : : : : : : : : : : : : : : 421.13.4 Perspective for computational security : : : : : : : : : : : : : : : 441.14 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 45v 11. vi Table of Contents2 Mathematical Background 492.1 Probability theory : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 502.1.1 Basic denitions : : : : : : : : : : : : : : : : : : : : : : : : : : 502.1.2 Conditional probability : : : : : : : : : : : : : : : : : : : : : : 512.1.3 Random variables : : : : : : : : : : : : : : : : : : : : : : : : : 512.1.4 Binomial distribution : : : : : : : : : : : : : : : : : : : : : : : 522.1.5 Birthday attacks : : : : : : : : : : : : : : : : : : : : : : : : : : 532.1.6 Random mappings : : : : : : : : : : : : : : : : : : : : : : : : : 542.2 Information theory : : : : : : : : : : : : : : : : : : : : : : : : : : : : 562.2.1 Entropy : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 562.2.2 Mutual information : : : : : : : : : : : : : : : : : : : : : : : : 572.3 Complexity theory : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 572.3.1 Basic denitions : : : : : : : : : : : : : : : : : : : : : : : : : : 572.3.2 Asymptotic notation : : : : : : : : : : : : : : : : : : : : : : : : 582.3.3 Complexity classes : : : : : : : : : : : : : : : : : : : : : : : : : 592.3.4 Randomized algorithms : : : : : : : : : : : : : : : : : : : : : : 622.4 Number theory : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 632.4.1 The integers : : : : : : : : : : : : : : : : : : : : : : : : : : : : 632.4.2 Algorithms in Z : : : : : : : : : : : : : : : : : : : : : : : : : : 662.4.3 The integers modulo n : : : : : : : : : : : : : : : : : : : : : : : 672.4.4 Algorithms in Zn : : : : : : : : : : : : : : : : : : : : : : : : : 712.4.5 The Legendre and Jacobi symbols : : : : : : : : : : : : : : : : : 722.4.6 Blum integers : : : : : : : : : : : : : : : : : : : : : : : : : : : 742.5 Abstract algebra : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 752.5.1 Groups : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 752.5.2 Rings : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 762.5.3 Fields : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 772.5.4 Polynomial rings : : : : : : : : : : : : : : : : : : : : : : : : : : 782.5.5 Vector spaces : : : : : : : : : : : : : : : : : : : : : : : : : : : 792.6 Finite elds : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 802.6.1 Basic properties : : : : : : : : : : : : : : : : : : : : : : : : : : 802.6.2 The Euclidean algorithm for polynomials : : : : : : : : : : : : : 812.6.3 Arithmetic of polynomials : : : : : : : : : : : : : : : : : : : : : 832.7 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 853 Number-Theoretic Reference Problems 873.1 Introduction and overview : : : : : : : : : : : : : : : : : : : : : : : : : 873.2 The integer factorization problem : : : : : : : : : : : : : : : : : : : : : 893.2.1 Trial division : : : : : : : : : : : : : : : : : : : : : : : : : : : : 903.2.2 Pollards rho factoring algorithm : : : : : : : : : : : : : : : : : : 913.2.3 Pollards p ;1 factoring algorithm : : : : : : : : : : : : : : : : 923.2.4 Elliptic curve factoring : : : : : : : : : : : : : : : : : : : : : : : 943.2.5 Random square factoring methods : : : : : : : : : : : : : : : : : 943.2.6 Quadratic sieve factoring : : : : : : : : : : : : : : : : : : : : : : 953.2.7 Number eld sieve factoring : : : : : : : : : : : : : : : : : : : : 983.3 The RSA problem : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 983.4 The quadratic residuosity problem : : : : : : : : : : : : : : : : : : : : : 993.5 Computing square roots in Zn : : : : : : : : : : : : : : : : : : : : : : : 993.5.1 Case (i): n prime : : : : : : : : : : : : : : : : : : : : : : : : : : 1003.5.2 Case (ii): n composite : : : : : : : : : : : : : : : : : : : : : : : 101 12. Table of Contents vii3.6 The discrete logarithm problem : : : : : : : : : : : : : : : : : : : : : : 1033.6.1 Exhaustive search : : : : : : : : : : : : : : : : : : : : : : : : : 1043.6.2 Baby-step giant-step algorithm : : : : : : : : : : : : : : : : : : : 1043.6.3 Pollards rho algorithm for logarithms : : : : : : : : : : : : : : : 1063.6.4 Pohlig-Hellman algorithm : : : : : : : : : : : : : : : : : : : : : 1073.6.5 Index-calculus algorithm : : : : : : : : : : : : : : : : : : : : : : 1093.6.6 Discrete logarithm problem in subgroups of Zp : : : : : : : : : : 1133.7 The Dife-Hellman problem : : : : : : : : : : : : : : : : : : : : : : : 1133.8 Composite moduli : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1143.9 Computing individual bits : : : : : : : : : : : : : : : : : : : : : : : : : 1143.9.1 The discrete logarithm problem in Zp individual bits : : : : : : 1163.9.2 The RSA problem individual bits : : : : : : : : : : : : : : : : 1163.9.3 The Rabin problem individual bits : : : : : : : : : : : : : : : 1173.10 The subset sum problem : : : : : : : : : : : : : : : : : : : : : : : : : : 1173.10.1 The L3-lattice basis reduction algorithm : : : : : : : : : : : : : : 1183.10.2 Solving subset sum problems of low density : : : : : : : : : : : : 1203.10.3 Simultaneous diophantine approximation : : : : : : : : : : : : : 1213.11 Factoring polynomials over nite elds : : : : : : : : : : : : : : : : : : 1223.11.1 Square-free factorization : : : : : : : : : : : : : : : : : : : : : : 1233.11.2 Berlekamps Q-matrix algorithm : : : : : : : : : : : : : : : : : : 1243.12 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 1254 Public-Key Parameters 1334.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1334.1.1 Generating large prime numbers naively : : : : : : : : : : : : : : 1344.1.2 Distribution of prime numbers : : : : : : : : : : : : : : : : : : : 1344.2 Probabilistic primality tests : : : : : : : : : : : : : : : : : : : : : : : : 1354.2.1 Fermats test : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1364.2.2 Solovay-Strassen test : : : : : : : : : : : : : : : : : : : : : : : 1374.2.3 Miller-Rabin test : : : : : : : : : : : : : : : : : : : : : : : : : : 1384.2.4 Comparison: Fermat, Solovay-Strassen, and Miller-Rabin : : : : : 1404.3 (True) Primality tests : : : : : : : : : : : : : : : : : : : : : : : : : : : 1424.3.1 Testing Mersenne numbers : : : : : : : : : : : : : : : : : : : : : 1424.3.2 Primality testing using the factorization of n ; 1 : : : : : : : : : 1434.3.3 Jacobi sum test : : : : : : : : : : : : : : : : : : : : : : : : : : : 1444.3.4 Tests using elliptic curves : : : : : : : : : : : : : : : : : : : : : 1454.4 Prime number generation : : : : : : : : : : : : : : : : : : : : : : : : : 1454.4.1 Random search for probable primes : : : : : : : : : : : : : : : : 1454.4.2 Strong primes : : : : : : : : : : : : : : : : : : : : : : : : : : : 1494.4.3 NIST method for generating DSA primes : : : : : : : : : : : : : 1504.4.4 Constructive techniques for provable primes : : : : : : : : : : : : 1524.5 Irreducible polynomials over Zp : : : : : : : : : : : : : : : : : : : : : : 1544.5.1 Irreducible polynomials : : : : : : : : : : : : : : : : : : : : : : 1544.5.2 Irreducible trinomials : : : : : : : : : : : : : : : : : : : : : : : 1574.5.3 Primitive polynomials : : : : : : : : : : : : : : : : : : : : : : : 1574.6 Generators and elements of high order : : : : : : : : : : : : : : : : : : 1604.6.1 Selecting a prime p and generator of Zp : : : : : : : : : : : : : : 1644.7 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 165 13. viii Table of Contents5 Pseudorandom Bits and Sequences 1695.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1695.1.1 Background and Classication : : : : : : : : : : : : : : : : : : : 1705.2 Random bit generation : : : : : : : : : : : : : : : : : : : : : : : : : : 1715.3 Pseudorandom bit generation : : : : : : : : : : : : : : : : : : : : : : : 1735.3.1 ANSI X9.17 generator : : : : : : : : : : : : : : : : : : : : : : : 1735.3.2 FIPS 186 generator : : : : : : : : : : : : : : : : : : : : : : : : : 1745.4 Statistical tests : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1755.4.1 The normal and chi-square distributions : : : : : : : : : : : : : : 1765.4.2 Hypothesis testing : : : : : : : : : : : : : : : : : : : : : : : : : 1795.4.3 Golombs randomness postulates : : : : : : : : : : : : : : : : : : 1805.4.4 Five basic tests : : : : : : : : : : : : : : : : : : : : : : : : : : : 1815.4.5 Maurers universal statistical test : : : : : : : : : : : : : : : : : 1835.5 Cryptographically secure pseudorandom bit generation : : : : : : : : : : 1855.5.1 RSA pseudorandom bit generator : : : : : : : : : : : : : : : : : 1855.5.2 Blum-Blum-Shub pseudorandom bit generator : : : : : : : : : : : 1865.6 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 1876 Stream Ciphers 1916.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1916.1.1 Classication : : : : : : : : : : : : : : : : : : : : : : : : : : : 1926.2 Feedback shift registers : : : : : : : : : : : : : : : : : : : : : : : : : : 1956.2.1 Linear feedback shift registers : : : : : : : : : : : : : : : : : : : 1956.2.2 Linear complexity : : : : : : : : : : : : : : : : : : : : : : : : : 1986.2.3 Berlekamp-Massey algorithm : : : : : : : : : : : : : : : : : : : 2006.2.4 Nonlinear feedback shift registers : : : : : : : : : : : : : : : : : 2026.3 Stream ciphers based on LFSRs : : : : : : : : : : : : : : : : : : : : : : 2036.3.1 Nonlinear combination generators : : : : : : : : : : : : : : : : : 2056.3.2 Nonlinear lter generators : : : : : : : : : : : : : : : : : : : : : 2086.3.3 Clock-controlled generators : : : : : : : : : : : : : : : : : : : : 2096.4 Other stream ciphers : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2126.4.1 SEAL : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2136.5 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 2167 Block Ciphers 2237.1 Introduction and overview : : : : : : : : : : : : : : : : : : : : : : : : : 2237.2 Background and general concepts : : : : : : : : : : : : : : : : : : : : : 2247.2.1 Introduction to block ciphers : : : : : : : : : : : : : : : : : : : : 2247.2.2 Modes of operation : : : : : : : : : : : : : : : : : : : : : : : : 2287.2.3 Exhaustive key search and multiple encryption : : : : : : : : : : 2337.3 Classical ciphers and historical development : : : : : : : : : : : : : : : 2377.3.1 Transposition ciphers (background) : : : : : : : : : : : : : : : : 2387.3.2 Substitution ciphers (background) : : : : : : : : : : : : : : : : : 2387.3.3 Polyalphabetic substitutions and Vigen`ere ciphers (historical) : : : 2417.3.4 Polyalphabetic cipher machines and rotors (historical) : : : : : : : 2427.3.5 Cryptanalysis of classical ciphers (historical) : : : : : : : : : : : 2457.4 DES : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2507.4.1 Product ciphers and Feistel ciphers : : : : : : : : : : : : : : : : : 2507.4.2 DES algorithm : : : : : : : : : : : : : : : : : : : : : : : : : : : 2527.4.3 DES properties and strength : : : : : : : : : : : : : : : : : : : : 256 14. Table of Contents ix7.5 FEAL : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2597.6 IDEA : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2637.7 SAFER, RC5, and other block ciphers : : : : : : : : : : : : : : : : : : : 2667.7.1 SAFER : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2667.7.2 RC5 : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2697.7.3 Other block ciphers : : : : : : : : : : : : : : : : : : : : : : : : 2707.8 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 2718 Public-Key Encryption 2838.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2838.1.1 Basic principles : : : : : : : : : : : : : : : : : : : : : : : : : : 2848.2 RSA public-key encryption : : : : : : : : : : : : : : : : : : : : : : : : 2858.2.1 Description : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2868.2.2 Security of RSA : : : : : : : : : : : : : : : : : : : : : : : : : : 2878.2.3 RSA encryption in practice : : : : : : : : : : : : : : : : : : : : 2908.3 Rabin public-key encryption : : : : : : : : : : : : : : : : : : : : : : : : 2928.4 ElGamal public-key encryption : : : : : : : : : : : : : : : : : : : : : : 2948.4.1 Basic ElGamal encryption : : : : : : : : : : : : : : : : : : : : : 2948.4.2 Generalized ElGamal encryption : : : : : : : : : : : : : : : : : : 2978.5 McEliece public-key encryption : : : : : : : : : : : : : : : : : : : : : : 2988.6 Knapsack public-key encryption : : : : : : : : : : : : : : : : : : : : : : 3008.6.1 Merkle-Hellman knapsack encryption : : : : : : : : : : : : : : : 3008.6.2 Chor-Rivest knapsack encryption : : : : : : : : : : : : : : : : : 3028.7 Probabilistic public-key encryption : : : : : : : : : : : : : : : : : : : : 3068.7.1 Goldwasser-Micali probabilistic encryption : : : : : : : : : : : : 3078.7.2 Blum-Goldwasser probabilistic encryption : : : : : : : : : : : : : 3088.7.3 Plaintext-aware encryption : : : : : : : : : : : : : : : : : : : : : 3118.8 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 3129 Hash Functions and Data Integrity 3219.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 3219.2 Classication and framework : : : : : : : : : : : : : : : : : : : : : : : 3229.2.1 General classication : : : : : : : : : : : : : : : : : : : : : : : 3229.2.2 Basic properties and denitions : : : : : : : : : : : : : : : : : : 3239.2.3 Hash properties required for specic applications : : : : : : : : : 3279.2.4 One-way functions and compression functions : : : : : : : : : : : 3279.2.5 Relationships between properties : : : : : : : : : : : : : : : : : 3299.2.6 Other hash function properties and applications : : : : : : : : : : 3309.3 Basic constructions and general results : : : : : : : : : : : : : : : : : : 3329.3.1 General model for iterated hash functions : : : : : : : : : : : : : 3329.3.2 General constructions and extensions : : : : : : : : : : : : : : : 3339.3.3 Formatting and initialization details : : : : : : : : : : : : : : : : 3349.3.4 Security objectives and basic attacks : : : : : : : : : : : : : : : : 3359.3.5 Bitsizes required for practical security : : : : : : : : : : : : : : : 3379.4 Unkeyed hash functions (MDCs) : : : : : : : : : : : : : : : : : : : : : 3389.4.1 Hash functions based on block ciphers : : : : : : : : : : : : : : : 3389.4.2 Customized hash functions based on MD4 : : : : : : : : : : : : : 3439.4.3 Hash functions based on modular arithmetic : : : : : : : : : : : : 3519.5 Keyed hash functions (MACs) : : : : : : : : : : : : : : : : : : : : : : 3529.5.1 MACs based on block ciphers : : : : : : : : : : : : : : : : : : : 353 15. x Table of Contents9.5.2 Constructing MACs from MDCs : : : : : : : : : : : : : : : : : : 3549.5.3 Customized MACs : : : : : : : : : : : : : : : : : : : : : : : : : 3569.5.4 MACs for stream ciphers : : : : : : : : : : : : : : : : : : : : : 3589.6 Data integrity and message authentication : : : : : : : : : : : : : : : : : 3599.6.1 Background and denitions : : : : : : : : : : : : : : : : : : : : 3599.6.2 Non-malicious vs. malicious threats to data integrity : : : : : : : : 3629.6.3 Data integrity using a MAC alone : : : : : : : : : : : : : : : : : 3649.6.4 Data integrity using an MDC and an authentic channel : : : : : : 3649.6.5 Data integrity combined with encryption : : : : : : : : : : : : : : 3649.7 Advanced attacks on hash functions : : : : : : : : : : : : : : : : : : : : 3689.7.1 Birthday attacks : : : : : : : : : : : : : : : : : : : : : : : : : : 3699.7.2 Pseudo-collisions and compression function attacks : : : : : : : : 3719.7.3 Chaining attacks : : : : : : : : : : : : : : : : : : : : : : : : : : 3739.7.4 Attacks based on properties of underlying cipher : : : : : : : : : 3759.8 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 37610 Identication and Entity Authentication 38510.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 38510.1.1 Identication objectives and applications : : : : : : : : : : : : : 38610.1.2 Properties of identication protocols : : : : : : : : : : : : : : : : 38710.2 Passwords (weak authentication) : : : : : : : : : : : : : : : : : : : : : 38810.2.1 Fixed password schemes: techniques : : : : : : : : : : : : : : : 38910.2.2 Fixed password schemes: attacks : : : : : : : : : : : : : : : : : 39110.2.3 Case study UNIX passwords : : : : : : : : : : : : : : : : : : : 39310.2.4 PINs and passkeys : : : : : : : : : : : : : : : : : : : : : : : : : 39410.2.5 One-time passwords (towards strong authentication) : : : : : : : : 39510.3 Challenge-response identication (strong authentication) : : : : : : : : : 39710.3.1 Background on time-variant parameters : : : : : : : : : : : : : : 39710.3.2 Challenge-response by symmetric-key techniques : : : : : : : : : 40010.3.3 Challenge-response by public-key techniques : : : : : : : : : : : 40310.4 Customized and zero-knowledge identication protocols : : : : : : : : : 40510.4.1 Overview of zero-knowledge concepts : : : : : : : : : : : : : : : 40510.4.2 Feige-Fiat-Shamir identication protocol : : : : : : : : : : : : : 41010.4.3 GQ identication protocol : : : : : : : : : : : : : : : : : : : : : 41210.4.4 Schnorr identication protocol : : : : : : : : : : : : : : : : : : : 41410.4.5 Comparison: Fiat-Shamir, GQ, and Schnorr : : : : : : : : : : : : 41610.5 Attacks on identication protocols : : : : : : : : : : : : : : : : : : : : 41710.6 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 42011 Digital Signatures 42511.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 42511.2 A framework for digital signature mechanisms : : : : : : : : : : : : : : 42611.2.1 Basic denitions : : : : : : : : : : : : : : : : : : : : : : : : : : 42611.2.2 Digital signature schemes with appendix : : : : : : : : : : : : : : 42811.2.3 Digital signature schemes with message recovery : : : : : : : : : 43011.2.4 Types of attacks on signature schemes : : : : : : : : : : : : : : : 43211.3 RSA and related signature schemes : : : : : : : : : : : : : : : : : : : : 43311.3.1 The RSA signature scheme : : : : : : : : : : : : : : : : : : : : 43311.3.2 Possible attacks on RSA signatures : : : : : : : : : : : : : : : : 43411.3.3 RSA signatures in practice : : : : : : : : : : : : : : : : : : : : : 435 16. Table of Contents xi11.3.4 The Rabin public-key signature scheme : : : : : : : : : : : : : : 43811.3.5 ISO/IEC 9796 formatting : : : : : : : : : : : : : : : : : : : : : 44211.3.6 PKCS #1 formatting : : : : : : : : : : : : : : : : : : : : : : : : 44511.4 Fiat-Shamir signature schemes : : : : : : : : : : : : : : : : : : : : : : 44711.4.1 Feige-Fiat-Shamir signature scheme : : : : : : : : : : : : : : : : 44711.4.2 GQ signature scheme : : : : : : : : : : : : : : : : : : : : : : : 45011.5 The DSA and related signature schemes : : : : : : : : : : : : : : : : : : 45111.5.1 The Digital Signature Algorithm (DSA) : : : : : : : : : : : : : : 45211.5.2 The ElGamal signature scheme : : : : : : : : : : : : : : : : : : 45411.5.3 The Schnorr signature scheme : : : : : : : : : : : : : : : : : : : 45911.5.4 The ElGamal signature scheme with message recovery : : : : : : 46011.6 One-time digital signatures : : : : : : : : : : : : : : : : : : : : : : : : 46211.6.1 The Rabin one-time signature scheme : : : : : : : : : : : : : : : 46211.6.2 The Merkle one-time signature scheme : : : : : : : : : : : : : : 46411.6.3 Authentication trees and one-time signatures : : : : : : : : : : : : 46611.6.4 The GMR one-time signature scheme : : : : : : : : : : : : : : : 46811.7 Other signature schemes : : : : : : : : : : : : : : : : : : : : : : : : : : 47111.7.1 Arbitrated digital signatures : : : : : : : : : : : : : : : : : : : : 47211.7.2 ESIGN : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 47311.8 Signatures with additional functionality : : : : : : : : : : : : : : : : : : 47411.8.1 Blind signature schemes : : : : : : : : : : : : : : : : : : : : : : 47511.8.2 Undeniable signature schemes : : : : : : : : : : : : : : : : : : : 47611.8.3 Fail-stop signature schemes : : : : : : : : : : : : : : : : : : : : 47811.9 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 48112 Key Establishment Protocols 48912.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 48912.2 Classication and framework : : : : : : : : : : : : : : : : : : : : : : : 49012.2.1 General classication and fundamental concepts : : : : : : : : : : 49012.2.2 Objectives and properties : : : : : : : : : : : : : : : : : : : : : 49312.2.3 Assumptions and adversaries in key establishment protocols : : : : 49512.3 Key transport based on symmetric encryption : : : : : : : : : : : : : : : 49712.3.1 Symmetric key transport and derivation without a server : : : : : 49712.3.2 Kerberos and related server-based protocols : : : : : : : : : : : : 50012.4 Key agreement based on symmetric techniques : : : : : : : : : : : : : : 50512.5 Key transport based on public-key encryption : : : : : : : : : : : : : : : 50612.5.1 Key transport using PK encryption without signatures : : : : : : : 50712.5.2 Protocols combining PK encryption and signatures : : : : : : : : 50912.5.3 Hybrid key transport protocols using PK encryption : : : : : : : : 51212.6 Key agreement based on asymmetric techniques : : : : : : : : : : : : : 51512.6.1 Dife-Hellman and related key agreement protocols : : : : : : : : 51512.6.2 Implicitly-certied public keys : : : : : : : : : : : : : : : : : : : 52012.6.3 Dife-Hellman protocols using implicitly-certied keys : : : : : : 52212.7 Secret sharing : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 52412.7.1 Simple shared control schemes : : : : : : : : : : : : : : : : : : : 52412.7.2 Threshold schemes : : : : : : : : : : : : : : : : : : : : : : : : : 52512.7.3 Generalized secret sharing : : : : : : : : : : : : : : : : : : : : : 52612.8 Conference keying : : : : : : : : : : : : : : : : : : : : : : : : : : : : 52812.9 Analysis of key establishment protocols : : : : : : : : : : : : : : : : : : 53012.9.1 Attack strategies and classic protocol aws : : : : : : : : : : : : 530 17. xii Table of Contents12.9.2 Analysis objectives and methods : : : : : : : : : : : : : : : : : : 53212.10 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 53413 Key Management Techniques 54313.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 54313.2 Background and basic concepts : : : : : : : : : : : : : : : : : : : : : : 54413.2.1 Classifying keys by algorithm type and intended use : : : : : : : : 54413.2.2 Key management objectives, threats, and policy : : : : : : : : : : 54513.2.3 Simple key establishment models : : : : : : : : : : : : : : : : : 54613.2.4 Roles of third parties : : : : : : : : : : : : : : : : : : : : : : : : 54713.2.5 Tradeoffs among key establishment protocols : : : : : : : : : : : 55013.3 Techniques for distributing condential keys : : : : : : : : : : : : : : : 55113.3.1 Key layering and cryptoperiods : : : : : : : : : : : : : : : : : : 55113.3.2 Key translation centers and symmetric-key certicates : : : : : : : 55313.4 Techniques for distributing public keys : : : : : : : : : : : : : : : : : : 55513.4.1 Authentication trees : : : : : : : : : : : : : : : : : : : : : : : : 55613.4.2 Public-key certicates : : : : : : : : : : : : : : : : : : : : : : : 55913.4.3 Identity-based systems : : : : : : : : : : : : : : : : : : : : : : : 56113.4.4 Implicitly-certied public keys : : : : : : : : : : : : : : : : : : : 56213.4.5 Comparison of techniques for distributing public keys : : : : : : : 56313.5 Techniques for controlling key usage : : : : : : : : : : : : : : : : : : : 56713.5.1 Key separation and constraints on key usage : : : : : : : : : : : : 56713.5.2 Techniques for controlling use of symmetric keys : : : : : : : : : 56813.6 Key management involving multiple domains : : : : : : : : : : : : : : : 57013.6.1 Trust between two domains : : : : : : : : : : : : : : : : : : : : 57013.6.2 Trust models involving multiple certication authorities : : : : : : 57213.6.3 Certicate distribution and revocation : : : : : : : : : : : : : : : 57613.7 Key life cycle issues : : : : : : : : : : : : : : : : : : : : : : : : : : : : 57713.7.1 Lifetime protection requirements : : : : : : : : : : : : : : : : : : 57813.7.2 Key management life cycle : : : : : : : : : : : : : : : : : : : : 57813.8 Advanced trusted third party services : : : : : : : : : : : : : : : : : : : 58113.8.1 Trusted timestamping service : : : : : : : : : : : : : : : : : : : 58113.8.2 Non-repudiation and notarization of digital signatures : : : : : : : 58213.8.3 Key escrow : : : : : : : : : : : : : : : : : : : : : : : : : : : : 58413.9 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 58614 Efcient Implementation 59114.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 59114.2 Multiple-precision integer arithmetic : : : : : : : : : : : : : : : : : : : 59214.2.1 Radix representation : : : : : : : : : : : : : : : : : : : : : : : : 59214.2.2 Addition and subtraction : : : : : : : : : : : : : : : : : : : : : : 59414.2.3 Multiplication : : : : : : : : : : : : : : : : : : : : : : : : : : : 59514.2.4 Squaring : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 59614.2.5 Division : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 59814.3 Multiple-precision modular arithmetic : : : : : : : : : : : : : : : : : : : 59914.3.1 Classical modular multiplication : : : : : : : : : : : : : : : : : : 60014.3.2 Montgomery reduction : : : : : : : : : : : : : : : : : : : : : : : 60014.3.3 Barrett reduction : : : : : : : : : : : : : : : : : : : : : : : : : : 60314.3.4 Reduction methods for moduli of special form : : : : : : : : : : : 60514.4 Greatest common divisor algorithms : : : : : : : : : : : : : : : : : : : 606 18. Table of Contents xiii14.4.1 Binary gcd algorithm : : : : : : : : : : : : : : : : : : : : : : : : 60614.4.2 Lehmers gcd algorithm : : : : : : : : : : : : : : : : : : : : : : 60714.4.3 Binary extended gcd algorithm : : : : : : : : : : : : : : : : : : : 60814.5 Chinese remainder theorem for integers : : : : : : : : : : : : : : : : : : 61014.5.1 Residue number systems : : : : : : : : : : : : : : : : : : : : : : 61114.5.2 Garners algorithm : : : : : : : : : : : : : : : : : : : : : : : : : 61214.6 Exponentiation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 61314.6.1 Techniques for general exponentiation : : : : : : : : : : : : : : : 61414.6.2 Fixed-exponent exponentiation algorithms : : : : : : : : : : : : : 62014.6.3 Fixed-base exponentiation algorithms : : : : : : : : : : : : : : : 62314.7 Exponent recoding : : : : : : : : : : : : : : : : : : : : : : : : : : : : 62714.7.1 Signed-digit representation : : : : : : : : : : : : : : : : : : : : : 62714.7.2 String-replacement representation : : : : : : : : : : : : : : : : : 62814.8 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 63015 Patents and Standards 63515.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 63515.2 Patents on cryptographic techniques : : : : : : : : : : : : : : : : : : : : 63515.2.1 Five fundamental patents : : : : : : : : : : : : : : : : : : : : : : 63615.2.2 Ten prominent patents : : : : : : : : : : : : : : : : : : : : : : : 63815.2.3 Ten selected patents : : : : : : : : : : : : : : : : : : : : : : : : 64115.2.4 Ordering and acquiring patents : : : : : : : : : : : : : : : : : : : 64515.3 Cryptographic standards : : : : : : : : : : : : : : : : : : : : : : : : : : 64515.3.1 International standards cryptographic techniques : : : : : : : : : 64515.3.2 Banking security standards (ANSI, ISO) : : : : : : : : : : : : : : 64815.3.3 International security architectures and frameworks : : : : : : : : 65315.3.4 U.S. government standards (FIPS) : : : : : : : : : : : : : : : : : 65415.3.5 Internet standards and RFCs : : : : : : : : : : : : : : : : : : : : 65515.3.6 De facto standards : : : : : : : : : : : : : : : : : : : : : : : : : 65615.3.7 Ordering and acquiring standards : : : : : : : : : : : : : : : : : 65615.4 Notes and further references : : : : : : : : : : : : : : : : : : : : : : : : 657A Bibliography of Papers from Selected Cryptographic Forums 663A.1 Asiacrypt/Auscrypt Proceedings : : : : : : : : : : : : : : : : : : : : : : 663A.2 Crypto Proceedings : : : : : : : : : : : : : : : : : : : : : : : : : : : : 667A.3 Eurocrypt Proceedings : : : : : : : : : : : : : : : : : : : : : : : : : : 684A.4 Fast Software Encryption Proceedings : : : : : : : : : : : : : : : : : : 698A.5 Journal of Cryptology papers : : : : : : : : : : : : : : : : : : : : : : : 700References 703Index 755 19. Chapter 1Overview of CryptographyContents in Brief1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Information security and cryptography . . . . . . . . . . . . . . 21.3 Background on functions . . . . . . . . . . . . . . . . . . . . . . 61.4 Basic terminology and concepts . . . . . . . . . . . . . . . . . . . 111.5 Symmetric-key encryption . . . . . . . . . . . . . . . . . . . . . 151.6 Digital signatures . . . . . . . . . . . . . . . . . . . . . . . . . . 221.7 Authentication and identication . . . . . . . . . . . . . . . . . . 241.8 Public-key cryptography . . . . . . . . . . . . . . . . . . . . . . 251.9 Hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 331.10 Protocols and mechanisms . . . . . . . . . . . . . . . . . . . . . 331.11 Key establishment, management, and certication . . . . . . . . . 351.12 Pseudorandom numbers and sequences . . . . . . . . . . . . . . 391.13 Classes of attacks and security models . . . . . . . . . . . . . . . 411.14 Notes and further references . . . . . . . . . . . . . . . . . . . . 451.1 IntroductionCryptography has a long and fascinating history. The most complete non-technical accountof the subject is Kahns The Codebreakers. This book traces cryptography from its initialand limited use by the Egyptians some 4000 years ago, to the twentieth century where itplayed a crucial role in the outcome of both world wars. Completed in 1963, Kahns bookcovers those aspects of the history which were most signicant (up to that time) to the devel-opment of the subject. The predominant practitioners of the art were those associated withthe military, the diplomatic service and government in general. Cryptography was used asa tool to protect national secrets and strategies.The proliferation of computers and communications systems in the 1960s brought withit a demand from the private sector for means to protect information in digital form and toprovide security services. Beginning with the work of Feistel at IBM in the early 1970s andculminating in 1977 with the adoption as a U.S. Federal Information Processing Standardfor encrypting unclassied information, DES, the Data Encryption Standard, is the mostwell-known cryptographic mechanism in history. It remains the standard means for secur-ing electronic commerce for many nancial institutions around the world.The most strikingdevelopmentin the historyof cryptographycame in 1976when Difeand Hellman published New Directions in Cryptography. This paper introduced the revolu-tionary concept of public-key cryptography and also provided a new and ingenious method1 20. 2 Ch. 1 Overview of Cryptographyfor key exchange, the security of which is based on the intractability of the discrete loga-rithm problem. Although the authors had no practical realization of a public-key encryp-tion scheme at the time, the idea was clear and it generated extensive interest and activityin the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the rstpractical public-key encryption and signature scheme, now referred to as RSA. The RSAscheme is based on another hard mathematical problem, the intractability of factoring largeintegers. This application of a hard mathematical problem to cryptography revitalized ef-forts to nd more efcient methods to factor. The 1980s saw major advances in this areabut none which rendered the RSA system insecure. Another class of powerful and practicalpublic-key schemes was found by ElGamal in 1985. These are also based on the discretelogarithm problem.One of the most signicant contributions provided by public-key cryptography is thedigital signature. In 1991 the rst international standard for digital signatures (ISO/IEC9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Govern-ment adopted the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.The search for new public-key schemes, improvements to existing cryptographic mec-hanisms, and proofs of security continues at a rapid pace. Various standards and infrastruc-tures involving cryptography are being put in place. Security products are being developedto address the security needs of an information intensive society.The purpose of this book is to give an up-to-date treatise of the principles, techniques,and algorithms of interest in cryptographic practice. Emphasis has been placed on thoseaspects which are most practical and applied. The reader will be made aware of the basicissues and pointed to specic related research in the literature where more indepth discus-sions can be found. Due to the volume of material which is covered, most results will bestated without proofs. This also serves the purpose of not obscuring the very applied natureof the subject. This book is intended for both implementers and researchers. It describesalgorithms, systems, and their interactions.Chapter 1 is a tutorial on the many and various aspects of cryptography. It does notattempt to convey all of the details and subtleties inherent to the subject. Its purpose is tointroducethe basic issues and principlesand to pointthe reader to appropriatechapters in thebook for more comprehensive treatments. Specic techniques are avoided in this chapter.1.2 Information security and cryptographyThe concept of information will be taken to be an understood quantity. To introduce cryp-tography, an understanding of issues related to information security in general is necessary.Information security manifests itself in many ways according to the situation and require-ment. Regardless of who is involved, to one degree or another, all parties to a transactionmust have condence that certain objectives associated with informationsecurity have beenmet. Some of these objectives are listed in Table 1.1.Over the centuries, an elaborate set of protocols and mechanisms has been created todeal with information security issues when the information is conveyed by physical doc-uments. Often the objectives of information security cannot solely be achieved throughmathematical algorithms and protocols alone, but require procedural techniques and abid-ance of laws to achieve the desired result. For example, privacy of letters is provided bysealed envelopes delivered by an accepted mail service. The physical security of the en-velope is, for practical necessity, limited and so laws are enacted which make it a criminal 21. 1.2 Information security and cryptography 3privacyor condentialitykeeping information secret from all but those who are autho-rized to see it.data integrity ensuring information has not been altered by unauthorized orunknown means.entity authenticationor identicationcorroboration of the identity of an entity (e.g., a person, acomputer terminal, a credit card, etc.).messageauthenticationcorroborating the source of information; also known as dataorigin authentication.signature a means to bind information to an entity.authorization conveyance, to another entity, of ofcial sanction to do or besomething.validation a means to provide timeliness of authorization to use or ma-nipulate information or resources.access control restricting access to resources to privileged entities.certication endorsement of information by a trusted entity.timestamping recording the time of creation or existence of information.witnessing verifying the creation or existence of information by an entityother than the creator.receipt acknowledgement that information has been received.conrmation acknowledgement that services have been provided.ownership a means to provide an entity with the legal right to use ortransfer a resource to others.anonymity concealing the identity of an entity involved in some process.non-repudiation preventing the denial of previous commitments or actions.revocation retraction of certication or authorization.Table 1.1: Some information security objectives.offense to open mail for which one is not authorized. It is sometimes the case that securityis achieved not through the information itself but through the physical document recordingit. For example, paper currency requires special inks and material to prevent counterfeiting.Conceptually, the way information is recorded has not changed dramatically over time.Whereas information was typically stored and transmitted on paper, much of it now re-sides on magnetic media and is transmitted via telecommunications systems, some wire-less. What has changed dramatically is the ability to copy and alter information. One canmake thousands of identical copies of a piece of information stored electronically and eachis indistinguishable from the original. With information on paper, this is much more dif-cult. What is needed then for a society where information is mostly stored and transmittedin electronic form is a means to ensure information security which is independent of thephysical medium recording or conveying it and such that the objectives of information se-curity rely solely on digital information itself.One of the fundamental tools used in information security is the signature. It is a build-ing block for many other services such as non-repudiation, data origin authentication, iden-tication, and witnessing, to mention a few. Having learned the basics in writing, an indi-vidual is taught how to produce a handwritten signature for the purpose of identication.At contract age the signature evolves to take on a very integral part of the persons identity.This signature is intended to be unique to the individual and serve as a means to identify,authorize, and validate. With electronic information the concept of a signature needs to be 22. 4 Ch. 1 Overview of Cryptographyredressed; it cannot simply be something unique to the signer and independent of the in-formation signed. Electronic replication of it is so simple that appending a signature to adocument not signed by the originator of the signature is almost a triviality.Analogues of the paper protocols currently in use are required. Hopefully these newelectronic based protocols are at least as good as those they replace. There is a unique op-portunity for society to introduce new and more efcient ways of ensuring information se-curity. Much can be learned from the evolution of the paper based system, mimicking thoseaspects which have served us well and removing the inefciencies.Achieving information security in an electronic society requires a vast array of techni-cal and legal skills. There is, however, no guarantee that all of the information security ob-jectives deemed necessary can be adequately met. The technical means is provided throughcryptography.1.1 Denition Cryptography is the study of mathematical techniques related to aspects of in-formation security such as condentiality, data integrity, entity authentication, and data ori-gin authentication.Cryptography is not the only means of providing information security, but rather one set oftechniques.Cryptographic goalsOf all the information security objectives listed in Table 1.1, the following four form aframeworkuponwhich the others will be derived: (1) privacyor condentiality(1.5, 1.8);(2) data integrity (1.9); (3) authentication (1.7); and (4) non-repudiation (1.6).1. Condentiality is a service used to keep the content of information from all but thoseauthorized to have it. Secrecy is a term synonymous with condentiality and privacy.There are numerous approaches to providing condentiality, ranging from physicalprotection to mathematical algorithms which render data unintelligible.2. Data integrity is a service which addresses the unauthorized alteration of data. Toassure data integrity, one must have the ability to detect data manipulation by unau-thorized parties. Data manipulation includes such things as insertion, deletion, andsubstitution.3. Authenticationis a service related to identication. This function applies to both enti-ties andinformationitself. Two parties enteringinto a communicationshouldidentifyeach other. Informationdelivered over a channel should be authenticated as to origin,date of origin, data content, time sent, etc. For these reasons this aspect of cryptog-raphy is usually subdivided into two major classes: entity authentication and dataorigin authentication. Data origin authentication implicitly provides data integrity(for if a message is modied, the source has changed).4. Non-repudiationis a service which preventsan entity fromdenyingpreviouscommit-ments or actions. When disputes arise due to an entity denying that certain actionswere taken, a means to resolve the situation is necessary. For example, one entitymay authorize the purchase of property by another entity and later deny such autho-rization was granted. A procedure involving a trusted third party is needed to resolvethe dispute.A fundamental goal of cryptography is to adequately address these four areas in boththeory and practice. Cryptography is about the prevention and detection of cheating andother malicious activities.This book describes a number of basic cryptographic tools (primitives) used to provideinformation security. Examples of primitives include encryption schemes (1.5 and 1.8), 23. 1.2 Information security and cryptography 5hash functions (1.9), and digital signature schemes (1.6). Figure 1.1 provides a schematiclisting of the primitives considered and how they relate. Many of these will be briey intro-duced in this chapter, with detailed discussion left to later chapters. These primitives shouldSymmetric-keyciphersPrimitivesUnkeyedArbitrary lengthhash functionshash functions (MACs)Arbitrary lengthciphersBlockStreamciphersPseudorandomsequencesRandom sequencesPublic-keyPrimitivesPublic-keyciphersIdentication primitivesSignaturesIdentication primitivesPrimitivesSecurity Symmetric-keyPrimitivesOne-way permutationsSignaturesFigure 1.1: A taxonomy of cryptographic primitives.be evaluated with respect to various criteria such as:1. level of security. This is usually difcult to quantify. Often it is given in terms of thenumber of operations required (using the best methods currently known) to defeat theintended objective. Typically the level of security is dened by an upper bound onthe amount of work necessary to defeat the objective. This is sometimes called thework factor (see 1.13.4).2. functionality. Primitives will need to be combined to meet various information se-curity objectives. Which primitives are most effective for a given objective will bedetermined by the basic properties of the primitives.3. methods of operation. Primitives, when applied in various ways and with various in-puts, will typically exhibit different characteristics; thus, one primitive could provide 24. 6 Ch. 1 Overview of Cryptographyvery different functionality depending on its mode of operation or usage.4. performance. This refers to the efciency of a primitive in a particular mode of op-eration. (For example, an encryption algorithm may be rated by the number of bitsper second which it can encrypt.)5. ease of implementation. This refers to the difculty of realizing the primitive in apractical instantiation. This might include the complexity of implementing the prim-itive in either a software or hardware environment.The relative importance of various criteria is very much dependent on the applicationand resources available. For example, in an environmentwhere computing power is limitedone may have to trade off a very high level of security for better performance of the systemas a whole.Cryptography, over the ages, has been an art practised by many who have devised adhoc techniques to meet some of the information security requirements. The last twentyyears have been a period of transition as the discipline moved from an art to a science. Thereare now several international scientic conferences devoted exclusively to cryptographyand also an international scientic organization, the International Association for Crypto-logic Research (IACR), aimed at fostering research in the area.This book is about cryptography: the theory, the practice, and the standards.1.3 Background on functionsWhile this book is not a treatise on abstract mathematics, a familiarity with basic mathe-matical concepts will prove to be useful. One concept which is absolutely fundamental tocryptography is that of a function in the mathematical sense. A function is alternately re-ferred to as a mapping or a transformation.1.3.1 Functions (1-1, one-way, trapdoor one-way)A set consists of distinct objects which are called elements of the set. For example, a set Xmight consist of the elements a, b, c, and this is denoted X = {a, b, c}.1.2 Denition A function is dened by two sets X and Y and a rule f which assigns to eachelement in X precisely one element in Y . The set X is called the domain of the functionand Y the codomain. If x is an element of X (usually written x X) the image of x is theelement in Y which the rule f associates with x; the image y of x is denoted by y = f(x).Standard notation for a function f from set X to set Y is f : X Y . If y Y , then apreimage of y is an element x X for which f(x) = y. The set of all elements in Y whichhave at least one preimage is called the image of f, denoted Im(f).1.3 Example (function) Consider the sets X = {a, b, c}, Y = {1, 2, 3, 4}, and the rule ffrom X to Y dened as f(a) = 2, f(b) = 4, f(c) = 1. Figure 1.2 shows a schematic ofthe sets X, Y and the function f. The preimage of the element 2 is a. The image of f is{1, 2, 4}.Thinking of a function in terms of the schematic (sometimes called a functional dia-gram) given in Figure 1.2, each element in the domain X has precisely one arrowed lineoriginating from it. Each element in the codomain Y can have any number of arrowed linesincident to it (including zero lines). 25. 1.3 Background on functions 7134cba2fYXFigure 1.2: A function f from a set X of three elements to a set Y of four elements.Often only the domain X and the rule f are given and the codomain is assumed to bethe image of f. This point is illustrated with two examples.1.4 Example (function) Take X = {1, 2, 3, . . . , 10} and let f be the rule that for each x X,f(x) = rx, where rx is the remainder when x2is divided by 11. Explicitly thenf(1) = 1 f(2) = 4 f(3) = 9 f(4) = 5 f(5) = 3f(6) = 3 f(7) = 5 f(8) = 9 f(9) = 4 f(10) = 1.The image of f is the set Y = {1, 3, 4, 5, 9}.1.5 Example (function) Take X = {1, 2, 3, . . . , 1050} and let f be the rule f(x) = rx, whererx is the remainder when x2is divided by 1050+ 1 for all x X. Here it is not feasibleto write down f explicitly as in Example 1.4, but nonetheless the function is completelyspecied by the domain and the mathematical description of the rule f.(i) 1-1 functions1.6 Denition A function (or transformation) is 1 1 (one-to-one) if each element in thecodomain Y is the image of at most one element in the domain X.1.7 Denition A function (or transformation) is onto if each element in the codomain Y isthe image of at least one element in the domain. Equivalently, a function f : X Y isonto if Im(f) = Y .1.8 Denition If a function f : X Y is 11 and Im(f) = Y , then f is called a bijection.1.9 Fact If f : X Y is 1 1 then f : X Im(f) is a bijection. In particular, iff : X Y is 1 1, and X and Y are nite sets of the same size, then f is a bijection.In terms of the schematic representation, if f is a bijection, then each element in Yhas exactly one arrowed line incident with it. The functions described in Examples 1.3 and1.4 are not bijections. In Example 1.3 the element 3 is not the image of any element in thedomain. In Example 1.4 each element in the codomain has two preimages.1.10 Denition If f is a bijection from X to Y then it is a simple matter to dene a bijection gfrom Y to X as follows: for each y Y dene g(y) = x where x X and f(x) = y. Thisfunction g obtained from f is called the inverse function of f and is denoted by g = f 1. 26. 8 Ch. 1 Overview of Cryptographybcde234512345bcde1a afX YgXYFigure 1.3: A bijection f and its inverse g = f1.1.11 Example (inverse function) Let X = {a, b, c, d, e}, and Y = {1, 2, 3, 4, 5}, and considerthe rule f given by the arrowed edges in Figure 1.3. f is a bijection and its inverse g isformedsimply byreversingthe arrows on the edges. The domainof g is Y and the codomainis X.Note that if f is a bijection, then so is f1. In cryptography bijections are used asthe tool for encrypting messages and the inverse transformations are used to decrypt. Thiswill be made clearer in 1.4 when some basic terminology is introduced. Notice that if thetransformations were not bijections then it would not be possible to always decrypt to aunique message.(ii) One-way functionsThere are certain types of functions which play signicant roles in cryptography. At theexpense of rigor, an intuitive denition of a one-way function is given.1.12 Denition A function f from a set X to a set Y is called a one-way function if f(x) iseasy to compute for all x X but for essentially all elements y Im(f) it is com-putationally infeasible to nd any x X such that f(x) = y.1.13 Note (clarication of terms in Denition 1.12)(i) A rigorous denition of the terms easy and computationally infeasible is neces-sary but would detract from the simple idea that is being conveyed. For the purposeof this chapter, the intuitive meaning will sufce.(ii) The phrase for essentially all elements in Y refers to the fact that there are a fewvalues y Y for which it is easy to nd an x X such that y = f(x). For example,one may compute y = f(x) for a small number of x values and then for these, theinverse is known by table look-up. An alternate way to describe this property of aone-way function is the following: for a random y Im(f) it is computationallyinfeasible to nd any x X such that f(x) = y.The concept of a one-way function is illustrated through the following examples.1.14 Example (one-way function) Take X = {1, 2, 3, . . . , 16} and dene f(x) = rx for allx X where rx is the remainder when 3xis divided by 17. Explicitly,x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16f(x) 3 9 10 13 5 15 11 16 14 8 7 4 12 2 6 1Given a number between 1 and 16, it is relatively easy to nd the image of it under f. How-ever, given a number such as 7, without having the table in front of you, it is harder to nd 27. 1.3 Background on functions 9x given that f(x) = 7. Of course, if the number you are given is 3 then it is clear that x = 1is what you need; but for most of the elements in the codomain it is not that easy.One must keep in mind that this is an example which uses very small numbers; theimportant point here is that there is a difference in the amount of work to compute f(x)and the amount of work to nd x given f(x). Even for very large numbers, f(x) can becomputed efciently using the repeated square-and-multiply algorithm (Algorithm 2.143),whereas the process of nding x from f(x) is much harder.1.15 Example (one-way function) A prime number is a positive integer greater than 1 whoseonly positive integer divisors are 1 and itself. Select primes p = 48611, q = 53993, formn = pq = 2624653723, and let X = {1, 2, 3, . . . , n 1}. Dene a function f on Xby f(x) = rx for each x X, where rx is the remainder when x3is divided by n. Forinstance, f(2489991) = 1981394214 since 24899913= 5881949859 n + 1981394214.Computingf(x) is a relatively simple thing to do, but to reverse the procedureis much moredifcult; that is, given a remainder to nd the value x which was originally cubed (raisedto the third power). This procedure is referred to as the computation of a modular cube rootwith modulus n. If the factors of n are unknown and large, this is a difcult problem; how-ever, if the factors p and q of n are known then there is an efcient algorithm for computingmodular cube roots. (See 8.2.2(i) for details.)Example 1.15 leads one to consider another type of function which will prove to befundamental in later developments.(iii) Trapdoor one-way functions1.16 Denition A trapdoor one-way function is a one-way function f : X Y with theadditional property that given some extra information (called the trapdoor information) itbecomes feasible to nd for any given y Im(f), an x X such that f(x) = y.Example 1.15 illustrates the concept of a trapdoor one-way function. With the addi-tional information of the factors of n = 2624653723 (namely, p = 48611 and q = 53993,each of which is ve decimal digits long) it becomes much easier to invert the function.The factors of 2624653723 are large enough that nding them by hand computation wouldbe difcult. Of course, any reasonable computer program could nd the factors relativelyquickly. If, on the other hand, one selects p and q to be very large distinct prime numbers(each having about 100 decimal digits) then, by todays standards, it is a difcult problem,even with the most powerful computers, to deduce p and q simply from n. This is the well-known integer factorization problem (see 3.2) and a source of many trapdoor one-wayfunctions.It remains to be rigorously established whether there actually are any (true) one-wayfunctions. That is to say, no one has yet denitively proved the existence of such func-tions under reasonable (and rigorous) denitions of easy and computationally infeasi-ble. Since the existence of one-way functions is still unknown, the existence of trapdoorone-way functions is also unknown. However, there are a number of good candidates forone-way and trapdoor one-way functions. Many of these are discussed in this book, withemphasis given to those which are practical.One-way and trapdoor one-way functions are the basis for public-key cryptography(discussed in 1.8). The importance of these concepts will become clearer when their appli-cation to cryptographic techniques is considered. It will be worthwhile to keep the abstractconcepts of this section in mind as concrete methods are presented. 28. 10 Ch. 1 Overview of Cryptography1.3.2 PermutationsPermutations are functions which are often used in various cryptographic constructs.1.17 Denition Let S be a nite set of elements. A permutation p on S is a bijection (Deni-tion 1.8) from S to itself (i.e., p: S S).1.18 Example (permutation) Let S = {1, 2, 3, 4, 5}. A permutation p: S S is dened asfollows:p(1) = 3, p(2) = 5, p(3) = 4, p(4) = 2, p(5) = 1.A permutation can be described in various ways. It can be displayed as above or as an array:p =1 2 3 4 53 5 4 2 1, (1.1)where the top row in the array is the domain and the bottom row is the image under themapping p. Of course, other representations are possible.Since permutations are bijections, they have inverses. If a permutation is written as anarray (see 1.1), its inverse is easily found by interchangingthe rows in the array and reorder-ing the elements in the new top row if desired (the bottom row would have to be reorderedcorrespondingly). The inverse of p in Example 1.18 is p1=1 2 3 4 55 4 1 3 2.1.19 Example (permutation) Let X be the set of integers {0, 1, 2, . . . , pq 1} where p and qare distinct large primes (for example, p and q are each about 100 decimal digits long), andsuppose that neither p1 nor q1 is divisible by 3. Then the function p(x) = rx, where rxis the remainder when x3is divided by pq, can be shown to be a permutation. Determiningthe inverse permutation is computationally infeasible by todays standards unless p and qare known (cf. Example 1.15).1.3.3 InvolutionsAnother type of function which will be referred to in 1.5.3 is an involution. Involutionshave the property that they are their own inverses.1.20 Denition Let S be a nite set and let f be a bijection from S to S (i.e., f : S S).The function f is called an involution if f = f1. An equivalent way of stating this isf(f(x)) = x for all x S.1.21 Example (involution) Figure 1.4 is an example of an involution. In the diagram of aninvolution, note that if j is the image of i then i is the image of j. 29. 1.4 Basic terminology and concepts 111234523451S SFigure 1.4: An involution on a set S of 5 elements.1.4 Basic terminology and conceptsThe scientic study of any discipline must be built upon rigorous denitions arising fromfundamental concepts. What follows is a list of terms and basic concepts used throughoutthis book. Where appropriate, rigor has been sacriced (here in Chapter 1) for the sake ofclarity.Encryption domains and codomains A denotes a nite set called the alphabet of denition. For example, A = {0, 1}, thebinary alphabet, is a frequently used alphabet of denition. Note that any alphabetcan be encodedin terms of the binary alphabet. For example, since there are 32 binarystrings of length ve, each letter of the English alphabet can be assigned a uniquebinary string of length ve. M denotes a set called the message space. M consists of strings of symbols froman alphabet of denition. An element of M is called a plaintext message or simplya plaintext. For example, M may consist of binary strings, English text, computercode, etc. C denotes a set called the ciphertext space. C consists of strings of symbols from analphabet of denition, which may differ from the alphabet of denition for M. Anelement of C is called a ciphertext.Encryption and decryption transformations K denotes a set called the key space. An element of K is called a key. Each element e K uniquely determines a bijection from M to C, denoted by Ee.Ee is called an encryption function or an encryption transformation. Note that Eemust be a bijection if the process is to be reversed and a unique plaintext messagerecovered for each distinct ciphertext.1 For each d K, Dd denotes a bijection from C to M (i.e., Dd : C M). Dd iscalled a decryption function or decryption transformation. The process of applying the transformation Ee to a message m M is usually re-ferred to as encrypting m or the encryption of m. The process of applying the transformation Dd to a ciphertext c is usually referred toas decrypting c or the decryption of c.1More generality is obtained if Ee is simply dened as a 1 1 transformation from M to C. That is to say,Ee is a bijection from M to Im(Ee) where Im(Ee) is a subset of C. 30. 12 Ch. 1 Overview of Cryptography An encryption scheme consists of a set {Ee : e K} of encryption transformationsand a corresponding set {Dd : d K} of decryption transformations with the prop-erty that for each e K there is a unique key d K such that Dd = E1e ; that is,Dd(Ee(m)) = m for all m M. An encryption scheme is sometimes referred toas a cipher. The keys e and d in the preceding denition are referred to as a key pair and some-times denoted by (e, d). Note that e and d could be the same. To construct an encryption scheme requires one to select a message space M, a ci-phertext space C, a key space K, a set of encryption transformations {Ee : e K},and a corresponding set of decryption transformations {Dd : d K}.Achieving condentialityAn encryption scheme may be used as follows for the purpose of achieving condentiality.Two parties Alice and Bob rst secretly choose or secretly exchange a key pair (e, d). At asubsequent point in time, if Alice wishes to send a message m M to Bob, she computesc = Ee(m) and transmits this to Bob. Upon receiving c, Bob computes Dd(c) = m andhence recovers the original message m.The question arises as to why keys are necessary. (Why not just choose one encryptionfunction and its corresponding decryption function?) Having transformations which arevery similar but characterized by keys means that if some particular encryption/decryptiontransformation is revealed then one does not have to redesign the entire scheme but simplychange the key. It is sound cryptographic practice to change the key (encryption/decryptiontransformation) frequently. As a physical analogue, consider an ordinary resettable combi-nation lock. The structure of the lock is available to anyone who wishes to purchase one butthe combination is chosen and set by the owner. If the owner suspects that the combinationhas been revealed he can easily reset it without replacing the physical mechanism.1.22 Example (encryption scheme) Let M = {m1, m2, m3} and C = {c1, c2, c3}. Thereare precisely 3! = 6 bijections from M to C. The key space K = {1, 2, 3, 4, 5, 6} hassix elements in it, each specifying one of the transformations. Figure 1.5 illustrates the sixencryption functions which are denoted by Ei, 1 i 6. Alice and Bob agree on a trans-E1m1m2m3c1c2E2m1m2m3m1m2m3E3E4m1m2m3m1m2m3E5m1m2m3E6c1c2c1c2c2c1c1c2c1c2c3 c3 c3c3 c3 c3Figure 1.5: Schematic of a simple encryption scheme.formation, say E1. To encrypt the message m1, Alice computes E1(m1) = c3 and sendsc3 to Bob. Bob decrypts c3 by reversing the arrows on the diagram for E1 and observingthat c3 points to m1. 31. 1.4 Basic terminology and concepts 13When M is a small set, the functional diagram is a simple visual means to describe themapping. In cryptography, the set M is typically of astronomical proportions and, as such,the visual description is infeasible. What is required, in these cases, is some other simplemeans to describe the encryption and decryption transformations, such as mathematical al-gorithms.Figure 1.6 provides a simple model of a two-party communication using encryption.mcmDd(c) = mEe(m) = cplaintextsourceAlice BobUNSECURED CHANNELAdversarydecryptionencryptiondestinationFigure 1.6: Schematic of a two-party communication using encryption.Communication participantsReferring to Figure 1.6, the following terminology is dened. An entity or party is someone or something which sends, receives, or manipulatesinformation. Alice and Bob are entities in Example 1.22. An entity may be a person,a computer terminal, etc. A sender is an entity in a two-partycommunicationwhich is the legitimate transmitterof information. In Figure 1.6, the sender is Alice. A receiver is an entity in a two-party communication which is the intended recipientof information. In Figure 1.6, the receiver is Bob. An adversary is an entity in a two-party communication which is neither the sendernor receiver, and which tries to defeat the informationsecurity service being providedbetween the sender and receiver. Various other names are synonymous with adver-sary such as enemy, attacker, opponent,tapper, eavesdropper,intruder, and interloper.An adversary will often attempt to play the role of either the legitimate sender or thelegitimate receiver.Channels A channel is a means of conveying information from one entity to another. A physically secure channel or secure channel is one which is not physically acces-sible to the adversary. An unsecured channel is one from which parties other than those for which the in-formation is intended can reorder, delete, insert, or read. A secured channelis one from which an adversarydoes not have the ability to reorder,delete, insert, or read. 32. 14 Ch. 1 Overview of CryptographyOne should note the subtle difference between a physically secure channel and a se-cured channel a secured channel may be secured by physical or cryptographic techniques,the latter being the topic of this book. Certain channels are assumed to be physically secure.These include trusted couriers, personal contact between communicatingparties, and a ded-icated communication link, to name a few.SecurityA fundamental premise in cryptography is that the sets M, C, K, {Ee : e K}, {Dd : d K} are public knowledge. When two parties wish to communicate securely using an en-cryption scheme, the only thing that they keep secret is the particular key pair (e, d) whichthey are using, and which they must select. One can gain additional security by keeping theclass of encryption and decryption transformations secret but one should not base the secu-rity of the entire scheme on this approach. History has shown that maintaining the secrecyof the transformations is very difcult indeed.1.23 Denition An encryption scheme is said to be breakable if a third party, without priorknowledge of the key pair (e, d), can systematically recover plaintext from correspondingciphertext within some appropriate time frame.An appropriate time frame will be a function of the useful lifespan of the data beingprotected. For example, an instruction to buy a certain stock may only need to be kept secretfor a few minutes whereas state secrets may need to remain condential indenitely.An encryption scheme can be broken by trying all possible keys to see which one thecommunicating parties are using (assuming that the class of encryption functions is publicknowledge). This is called an exhaustive search of the key space. It follows then that thenumberof keys (i.e., the size of the key space) should be large enoughto make this approachcomputationallyinfeasible. It is the objectiveof a designerof an encryptionscheme that thisbe the best approach to break the system.Frequently cited in the literature are Kerckhoffs desiderata, a set of requirements forcipher systems. They are given here essentially as Kerckhoffs originally stated them:1. the system should be, if not theoretically unbreakable, unbreakable in practice;2. compromise of the system details should not inconvenience the correspondents;3. the key should be rememberable without notes and easily changed;4. the cryptogram should be transmissible by telegraph;5. the encryption apparatus should be portable and operable by a single person; and6. the system should be easy, requiring neither the knowledge of a long list of rules normental strain.This list of requirementswas articulatedin 1883and, forthe most part, remains useful today.Point 2 allows that the class of encryption transformations being used be publicly knownand that the security of the system should reside only in th