My brief introduction to cryptography

David Thomson [email protected]

Carleton University

September 7, 2013

David Thomson [email protected] (Carleton University)My brief introduction to cryptography September 7, 2013 1 / 28

Outline

1 The general framework

2 Historical ciphers
    Pre-20th century
    World War I

3 “Modern” block ciphers
    DES/AES

4 A little number theory
    Mathematics!!!
    Hard problems

5 Intro to public-key
    Diffie-Hellman(-Merkle)
    RSA

6 Conclusions


A simple game

Alice and Bob want to exchange information without Eve finding out the message.


Some assumptions

Encryption and decryption should be easy for Alice and Bob but should be “impossible” for Eve.

A common theme that we will find is that security and practicality are almost always trade-offs.

The inherent assumption is that the opponent will discover the nature of the system. In other words, the inner workings of the cryptosystem are public.

The only secret is the shared key.


A pretty picture


Greek transposition cipher

A long strip of paper was wrapped around a staff and the message written. When unwrapped, it appears as a random jumble of letters.

The diameter of the staff is the secret key.


Caesar cipher

Introduced by Julius Caesar.

Shift letters 3 to the right (mod 26):

A → D, B → E, ..., X → A, Y → B, Z → C.

Example. Decode PDWK UXOHV!
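
The shift cipher above as code, in an added example that is not from the original slides. It goes beyond the fixed shift of 3: it tries all 26 keys and ranks each candidate by how many of its letters are among the most common in English, which is the idea behind frequency analysis. The function names and the `COMMON` letter set are choices made for this example.

```python
# Added example (not from the slides): Caesar shift plus an exhaustive key search.
COMMON = set("ETAOINSHRDLU")  # the twelve most frequent English letters


def caesar_shift(text, k):
    """Shift each letter k places to the right (mod 26); leave other characters."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(text, k=3):
    return caesar_shift(text, k)


def caesar_decrypt(text, k=3):
    return caesar_shift(text, -k)


def english_score(text):
    """Fraction of letters that belong to the common-letter set."""
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    return sum(c in COMMON for c in letters) / len(letters) if letters else 0.0


def break_caesar(ciphertext):
    """Decrypt under every key and return the (key, plaintext) that scores best."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    return max(candidates, key=lambda kp: english_score(kp[1]))


if __name__ == "__main__":
    # The ciphertext from the slide's exercise.
    print(break_caesar("PDWK UXOHV!"))
```

With only 26 keys the search is instant, so the secrecy of the shift adds essentially nothing.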


Some other examples

Substitution ciphers. Any permutation of letters. Easy to break by simple frequency analysis.

Leonardo da Vinci. Trained himself to write in mirror-image. Simple to read but mirrors were expensive.


What’s the problem?


Product cipher: ADFGVX

Cipher created by the Germans in World War I.
26 letters and 10 numbers can be expressed as a 6 × 6 grid.

      A  D  F  G  V  X
  A   K  Z  W  R  I  F
  D   9  B  6  C  L  5
  F   Q  7  5  P  G  X
  G   E  V  Y  3  A  N
  V   8  0  D  H  O  2
  X   U  4  1  S  T  M

- Grid is public knowledge!
- Secret key is a word with no repeated letters. Our secret key is DANIEL.
- Two-step process: Encode the word, then shuffle.


ADFGVX cont’d

      A  D  F  G  V  X
  A   K  Z  W  R  I  F
  D   9  B  6  C  L  5
  F   Q  7  5  P  G  X
  G   E  V  Y  3  A  N
  V   8  0  D  H  O  2
  X   U  4  1  S  T  M

Let’s encode the word: HELLOS
Each letter encoded by row-column index

VG GA DV DV VV XG


ADFGVX cont’d: Retrieving the ciphertext

Encoded message: VG GA DV DV VV XG

Number the letters of the secret key lexicographically. In the rows beneath, write out the encoded message, wrapping at the end of the row.

  D  A  N  I  E  L
  2  1  6  4  3  5
  V  G  G  A  D  V
  D  V  V  V  X  G

The ciphertext is given by reading down the columns in numerical order:

Ciphertext: GV VD DX AV VG GV
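
Both ADFGVX steps and their inverse, using the grid and the key DANIEL from the slides, as an added example that is not from the original slides. The function names are made up here, and the decryption also handles messages that do not fill the last row, a case the slides do not show.

```python
# Added example (not from the slides): ADFGVX substitution + columnar transposition.
LABELS = "ADFGVX"
# Grid rows exactly as printed on the slide. As printed, '5' appears twice
# (cells DX and FF) and 'J' does not appear.
GRID = ["KZWRIF", "9B6CL5", "Q75PGX", "EVY3AN", "80DHO2", "U41STM"]

# symbol -> row-column pair; setdefault keeps the first cell of a repeated symbol.
ENCODE = {}
for r, row in enumerate(GRID):
    for c, sym in enumerate(row):
        ENCODE.setdefault(sym, LABELS[r] + LABELS[c])
# row-column pair -> symbol (unambiguous in this direction).
DECODE = {LABELS[r] + LABELS[c]: sym
          for r, row in enumerate(GRID) for c, sym in enumerate(row)}


def column_order(key):
    """Indices of the key's columns in reading order (alphabetical rank)."""
    if len(set(key)) != len(key):
        raise ValueError("key must have no repeated letters")
    return sorted(range(len(key)), key=lambda i: key[i])


def substitute(plaintext):
    """Step 1: replace each grid symbol by its row-column pair (others are dropped)."""
    return "".join(ENCODE[ch] for ch in plaintext.upper() if ch in ENCODE)


def encrypt(plaintext, key):
    """Step 2: write the pairs in rows under the key, read columns by rank."""
    stream = substitute(plaintext)
    return "".join(stream[i::len(key)] for i in column_order(key))


def decrypt(ciphertext, key):
    n, k = len(ciphertext), len(key)
    full, extra = divmod(n, k)  # the first `extra` columns hold one more letter
    columns, pos = [""] * k, 0
    for i in column_order(key):
        height = full + (1 if i < extra else 0)
        columns[i] = ciphertext[pos:pos + height]
        pos += height
    # Read the rebuilt table row by row, then undo the grid substitution.
    stream = "".join(columns[i % k][i // k] for i in range(n))
    return "".join(DECODE[stream[i:i + 2]] for i in range(0, n, 2))


if __name__ == "__main__":
    print(substitute("HELLOS"), encrypt("HELLOS", "DANIEL"))
```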


Data Encryption Standard

DES is the first commercial-grade modern algorithm for cryptography.

DES is a block cipher that combines permutations and substitutions.

Introduced in the mid-1970s by IBM. The United States National Security Agency “tweaked” the original DES design (S-boxes) to make it “more secure”.

DES is now considered to be insecure, owing largely to a key size of only 56 bits.

(Wikipedia) distributed.net collaborated to publicly break a DES key in 22 hours and 15 minutes. This can be done on a home computer (sitting in the corner for a long time), today.


More DES

“We sent the S-boxes off to Washington. They came back and were all different.”

I don’t want to cite Wikipedia twice in 2 slides but they really have a good read on the history (with citations!!) of DES and the NSA.

Params: Key-size of 56 bits and block size of 64 bits.

Breaks the block into half-blocks, and the key into subkeys. Runs each half-block and sub-key through 16 rounds of the following system.


Greatest common divisors

If p and q are two integers, we call the greatest common divisor d = gcd(p, q) the greatest integer such that d divides p and d divides q.

If d = 1 we call p and q relatively prime.

By the Extended Euclidean Algorithm we can compute integers a and b such that

d = ap + bq.


Just a little theorem

Definition. Let $G$ be a group and let $|G| = n$, we call $n$ the order of $G$.

Theorem. (Lagrange - mid 18th century) Suppose $a \in G$, then $a^n = 1_G$.

Theorem. (Euler - early-mid 18th century) Suppose $a$ is an integer relatively prime to $n$. Then $a^{\varphi(n)} \equiv 1 \pmod{n}$.

Fermat’s Little Theorem - early 17th century. If $p$ is a prime number then for any integer $a$ we have $a^p \equiv a \pmod{p}$.


What remains in China...

Chinese Remainder Theorem. Suppose $n_1, n_2, \ldots, n_k$ are positive integers with $\gcd(n_i, n_j) = 1$, $1 \le i < j \le k$. For any given $a_1, a_2, \ldots, a_k$ there exists an integer $x$ such that

$x \equiv a_1 \pmod{n_1}$

$x \equiv a_2 \pmod{n_2}$

$\cdots$

$x \equiv a_k \pmod{n_k}$

and all such solutions $x$ are congruent $\pmod{n_1 n_2 \cdots n_k}$.

Thus $x \equiv y \pmod{n_i}$ for all $1 \le i \le k$ if and only if $x \equiv y \pmod{n_1 n_2 \cdots n_k}$.


Finite fields

Let $p$ be a prime, then $\mathbb{Z}_p$, the set of integers (mod $p$), forms a field with respect to addition and multiplication (mod $p$).

If $F$ is a finite field, then $F$ has order $q = p^n$ and we can view $F$ as the vector space $\mathbb{Z}_p^n$.

So, we can model binary words of length $n$ in the vector space $\mathbb{Z}_2^n$ . . .


Hard problems - Integer factorization

The integer factorization problem is: given an integer $n$, determine its prime factorization, i.e., write $n = p_1^{e_1} \cdots p_k^{e_k}$ where the $p_i$ are distinct primes and $e_i > 1$.

Much harder than primality testing! The AKS primality test shows that primality testing is in P.

Algorithms split into general purpose (for all types of integers) and special purpose (for integers of prescribed form).

The best general-purpose factoring algorithm is the number field sieve developed by Lenstra and Lenstra in the early 90s.

Number field sieve runs in sub-exponential time ($\approx O(n^{1/3} \log(n)^{2/3})$).


Easy problems - Continuous logarithms

Given $y \in \mathbb{R}$, it is easy to find $x$ such that $y = e^x$ (i.e., $x = \ln(y)$). When $|x| < 1$,

$\log(1/(1 - x)) = 1 + x + x^2/2 + x^3/3 + \cdots$.

The logarithm of a real number is simple to compute.


Hard problems - Discrete logarithms

Problem. In a cyclic group $G$ with generator $g$, if $y$ is an element of $G$, find $x$ such that $y = g^x$.

The integer $1 \le x \le q - 1$ is the discrete logarithm of $y$, denoted $\mathrm{DLOG}_g(y)$.

The discrete logarithm follows the same arithmetic rules as the continuous,

can be implemented in any finite cyclic group, commonly taken to be the multiplicative group of a finite field

quantum computers reduce the run time of calculating the discrete logarithm (polynomial time somewhat greater than $O(\log(N)^3)$).


Diffie Hellman Key Exchange Protocol

Diffie-Hellman is not a cryptosystem!!!

Diffie-Hellman is a key-exchange protocol.

Developed in 1976 by researchers at Stanford. Paper was written by Diffie and Hellman, but the concept was developed by Merkle.

Based on the difficulty of the discrete-logarithm problem.

Controversy!!! The British services took credit for developing key-exchange in 1972. This was not made public until 1997. Who do you think is actually the founder?


Diffie-Hellman: The mystery explained

Public information: a prime power $q$ and a generator $g$ such that $\mathbb{F}_q^* = \langle g \rangle$.

  Alice                 Bob
  Secret key $a$        Secret key $b$
  Compute $g^a$         Compute $g^b$
  Receive $g^b$         Receive $g^a$
  Compute $(g^b)^a$     Compute $(g^a)^b$

Public key is $g^{ab}$
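
The exchange in the table above, together with the discrete-logarithm problem it rests on, as an added example that is not from the original slides. It assumes q is prime (the simplest prime power) and uses the toy values q = 23, g = 5; all function names are made up for this example.

```python
# Added example (not from the slides): Diffie-Hellman in F_q^* for a toy prime q.
import secrets

Q, G = 23, 5  # constructed toy parameters


def prime_factors(n):
    """Distinct prime factors by trial division (fine for toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g, q):
    """True if <g> is all of F_q^*: g^((q-1)/r) != 1 for every prime r dividing q-1."""
    if g % q == 0:
        return False
    return all(pow(g, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def keypair(g, q):
    """Pick a secret exponent in [1, q-2] and the value g^secret that is sent."""
    secret = secrets.randbelow(q - 2) + 1
    return secret, pow(g, secret, q)


def agree(own_secret, received, q):
    """(g^b)^a for Alice, (g^a)^b for Bob: both arrive at g^(ab)."""
    return pow(received, own_secret, q)


def dlog_exhaustive(g, y, q):
    """Eve's problem: find x in [1, q-1] with g^x = y by trying every x."""
    value = 1
    for x in range(1, q):
        value = value * g % q
        if value == y:
            return x
    raise ValueError("y is not a power of g")


if __name__ == "__main__":
    a, ga = keypair(G, Q)
    b, gb = keypair(G, Q)
    print(agree(a, gb, Q) == agree(b, ga, Q), dlog_exhaustive(G, ga, Q) == a)
```

The exhaustive search takes up to q − 1 multiplications, so it succeeds here only because the group is tiny.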


What is RSA??

Reference: Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone, U of Waterloo, http://www.cacr.math.uwaterloo.ca/hac/

RSA stands for Rivest, Shamir and Adleman, originally submitted as a patent.

Security of RSA is based on the difficulty of integer factorization.

Can also be used for digital signatures (but that’s another talk).


RSA Key Generation

1 Pick two large primes p and q, roughly the same size, at random.

2 Compute n = pq and φ = (p − 1)(q − 1).

3 Select a random integer e such that gcd(e, φ) = 1.

4 Use Extended Euclidean Algorithm to find d, 1 < d < φ, such that ed ≡ 1 (mod φ).

5 The public key is the pair (n, e); the secret key is d .


RSA Encryption/Decryption

Encrypt. Bob does the following:
1 Receive the public key (n, e) from Alice.
2 Represent the message m in the interval [0, n − 1].
3 Compute $c = m^e \pmod{n}$.
4 Send c to Alice.

Decrypt. Alice does:
1 Compute $m = c^d \pmod{n}$.


Some concluding remarks

Public-key cryptography depends on being able to solve a “hard” problem in “reasonable” time.

RSA depends on the “hardness” of integer factorization, where elliptic curve cryptography depends on finding the “order” of a point on an “elliptic curve” over a finite field.

1024-bit RSA keys have similar security to 320-bit elliptic curve keys.

Your bank probably uses 1024-bit RSA.

Lenstra et al. in 2007 factored a 1039-bit number.

Factoring an RSA 768-bit number takes approximately 2000 years of computing power.
