Cryptography
Klaus Sutner
Carnegie Mellon University
www.cs.cmu.edu/~sutner
cryptography 1
Battleplan
Cryptography
Goal: send a message in a special secret form, so that only authorized recipients can
understand the message.
[Figure: the parties Ann, Bob and Charlie]
Need
Coding function translates message or plaintext into incomprehensible cipher text (or coded
message or cryptogram).
More realistically: cannot decode in his lifetime, nor before the heat death of the universe.
Using Keys
Usually coding and decoding involves an additional special parameter, called a key:
where
decode(code(x, K), K) = x.
Key spaces are usually finite, but so large that exhaustive search is impossible.
Permutation Codes
A simple but highly vulnerable system: pick a permutation π of the alphabet, and replace
each character c by π(c). Easy to decode: just use π^−1 instead of π.
For ASCII letters (uppercase only) the key space has size 26! ≈ 4 · 10^26.
Problem: when coding English text, letters are far from evenly distributed. E.g., the vowel
“e” is the most frequent letter, thus π(e) is the most frequent letter in cipher text.
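As an added example (not code from the slides), the following Python implements the permutation code over the 26 uppercase letters and shows the frequency leak: the key π permutes letters but not their counts, so the most frequent cipher letter is exactly π(most frequent plaintext letter). The sample plaintext and the seed are constructed here.

```python
# Added example (not from the slides): a permutation code over the 26 uppercase
# letters, and the letter-frequency count that makes it easy to break.
import random
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def random_permutation(seed=None):
    """The key pi: one of the 26! permutations of the alphabet."""
    rng = random.Random(seed)
    letters = list(ALPHABET)
    rng.shuffle(letters)
    return dict(zip(ALPHABET, letters))


def invert(pi):
    """pi^-1, needed for decoding."""
    return {c: p for p, c in pi.items()}


def code(text, pi):
    """Replace each uppercase letter c by pi(c); other characters pass through."""
    return "".join(pi.get(c, c) for c in text)


def decode(cipher, pi):
    return code(cipher, invert(pi))


def letter_counts(text):
    return Counter(c for c in text if c in ALPHABET)


def most_frequent_letter(text):
    return letter_counts(text).most_common(1)[0][0]


# Constructed sample plaintext, uppercase only as on the slide.
SAMPLE = ("THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG WHILE EVERY OTHER "
          "LETTER IN THIS SENTENCE IS THERE TO MAKE THE LETTER E DOMINATE")


def frequency_leak(seed=1):
    """The key hides which letter is which, but not how often each occurs:
    the most frequent cipher letter is pi(most frequent plaintext letter)."""
    pi = random_permutation(seed)
    cipher = code(SAMPLE, pi)
    assert decode(cipher, pi) == SAMPLE
    return most_frequent_letter(cipher) == pi[most_frequent_letter(SAMPLE)]


if __name__ == "__main__":
    pi = random_permutation(1)
    print(code(SAMPLE, pi))
    print("frequency leak confirmed:", frequency_leak(1))
```

The 26! key space is irrelevant here: the attack never enumerates keys, it reads the counts off the cipher text.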
Note that we can always think of the message space as consisting simply of all binary
sequences of length n, for some suitable, fixed n: write message in blocks of n/8 ASCII
characters.
Now let K be a random binary sequence of length n. Code by bit-wise xor between
message and key:
code(x, K) = x ⊕ K
Note: decoding function exactly the same.
code(x, K) ⊕ x = K
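The one-time pad as an added example (not code from the slides): bit-wise xor of message and key over bytes, with the same function used for decoding, and the identity code(x, K) ⊕ x = K shown directly. The sample messages are constructed; the key comes from the operating system's random source.

```python
# Added example (not from the slides): the one-time pad over byte strings.
import secrets


def otp_code(message: bytes, key: bytes) -> bytes:
    """code(x, K) = x xor K; the key must be at least as long as the message."""
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


# Decoding is exactly the same function: (x xor K) xor K = x.
otp_decode = otp_code


def new_key(n: int) -> bytes:
    """A fresh random key of n bytes (8n random bits)."""
    return secrets.token_bytes(n)


def key_from_known_plaintext(message: bytes, cipher: bytes) -> bytes:
    """code(x, K) xor x = K: whoever knows one plaintext learns the key used for it."""
    return otp_code(cipher, message)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two cryptograms under the same key: c1 xor c2 = x1 xor x2, the key cancels.
    This is why the pad must be used once."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    x = b"MEET AT NOON"
    k = new_key(len(x))
    c = otp_code(x, k)
    print(c.hex(), otp_decode(c, k))
    print(key_from_known_plaintext(x, c) == k)
```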
A secure channel for the key is now as important as the insecure one, and very expensive. Supposedly was used at the
American Embassy in Moscow.
• Quantum Physics
Potentially unassailable way of getting one-time pads: send a pair of entangled photons
to both A and B, measure to obtain 1 bit per photon. For bizarre reasons, A and B will
measure the same bit, despite the fact that
Computational Hardness
To get better codes, one can use the fact that some computations take enormous resources
(time and/or space) to carry out. Specifically, one would like the computation
decode(z, ???) = x
Computational Hardness
Note, though, that computational hardness is usually established by showing that some
specific, well-designed instances are difficult to deal with.
That leaves the possibility wide open that many other instances may be easy to solve.
Ironically, it is much easier to show that some problems are so hard that they cannot be
solved at all, regardless of computational resources.
In 1976 Whit Diffie and Martin Hellman seized on this apparent difficulty to propose a
cryptographic scheme that promises
Diffie/Hellman
Apparently Charlie cannot determine c without a huge search, so we only need to make F
large enough to foil his efforts.
Splitting Things
In fact, over C any non-constant real polynomial can be decomposed into linear factors.
Adjoining one root of g(x) = x^3 + x + 1 (previous example) already produces the splitting
field of f.
Comes down to computing x = log_g x_0 and y = log_g y_0, but computing in Z_m, not the
reals.
Discrete Logarithms
Behaves just like a logarithm (at least for m prime and g a generator):
• Apparently, discrete logarithms are very hard to compute efficiently. Of course, brute
force works fine: can check all possible values for 0 ≤ b < ϕ(m) < m.
• Note, though, that there is an algorithm for a Quantum Computer that would allow one
to calculate discrete logs efficiently.
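An added example (not code from the slides) of the two points above: the brute-force discrete logarithm in Z_m that checks every exponent, and a check that for m prime and g a generator it behaves like a logarithm, log_g(x_0 y_0) = log_g x_0 + log_g y_0 (mod m − 1). The modulus and generator used in the usage are constructed small values.

```python
# Added example (not from the slides): brute-force discrete logs in Z_m.


def brute_force_dlog(g, x, m):
    """Smallest b >= 0 with g^b = x (mod m), trying every exponent below m.
    Cost is O(m) multiplications, which is exactly what makes it useless for large m."""
    acc = 1
    x %= m
    for b in range(m):
        if acc == x:
            return b
        acc = acc * g % m
    return None  # x is not a power of g


def is_generator(g, p):
    """g generates Z_p^* iff its powers hit every nonzero residue mod p."""
    seen = set()
    acc = 1
    for _ in range(p - 1):
        seen.add(acc)
        acc = acc * g % p
    return len(seen) == p - 1


def check_log_law(g, p, x0, y0):
    """log_g(x0 * y0) = log_g x0 + log_g y0 (mod p - 1): exponents add, like a real log."""
    lx = brute_force_dlog(g, x0, p)
    ly = brute_force_dlog(g, y0, p)
    lxy = brute_force_dlog(g, x0 * y0 % p, p)
    return (lx + ly) % (p - 1) == lxy


if __name__ == "__main__":
    p, g = 23, 5  # constructed: 5 is a generator of Z_23^*
    print(is_generator(g, p), brute_force_dlog(g, 8, p), check_log_law(g, p, 8, 3))
```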
An Insane Idea:
How about publishing (part of) the key, so that the secrecy problem vanishes?
• Disaster!!!
• Ann selects two large primes p and q, and let n = pq. Our messages will be numbers
x, 0 ≤ x < n.
• Select a number e such that gcd(e, ϕ(n)) = 1:
e is the encryption key.
• Ann publishes n and e (but NOT p and q).
• Solve the equation e · d = 1 (mod ϕ(n)):
d is the decryption key.
Note that Bob can really do this: he knows ϕ(n) = (p − 1)(q − 1), and the multiplicative
inverse d can be found using the EEA.
Ann can look up n and e on the web, and use them to send messages to Bob, over
completely insecure channels.
Really???
Since one could search all possible keys in principle, this comes down to
Tiny Example
• p = 7919
• q = 8017
• n = 63486623
• m = ϕ(n) = 63470688
• e = 43812599
• d = 24746663
Can check
1 = e · 24746663 − m · 17082147
12345678 is coded as
63007762 = 12345678^43812599 mod 63486623
Algorithmic Requirements
The brute force approach is to perform b − 1 multiplications, and taking mods each time
to keep the number of bits down to k.
Repeated Squaring
// compute a^b; in practice every product is reduced mod m, see below
z = 1;
while (b > 0) {
    if (b % 2 == 1)     // b is odd: the current bit of b is set
        z = z * a;
    a = a * a;          // square
    b = b / 2;          // drop the lowest bit of b
}
return z;
Note that b is chopped in half at each step, so the loop cannot execute more than O (log b)
times.
Hence, fast exponentiation is O(k^3) using repeated squaring: we never need to deal with
more than k digits since we are computing modulo m.
Primality testing is relatively easy if one allows probabilistic algorithms: the answer may
be wrong, with a very small probability. E.g., the probability of a machine error may be
much larger.
There are lots of primes: the density of primes around n is approximately 1/ log n. Hence
we can search by brute force starting at n.
Can use a prime to get the encoding number e, or we could generate numbers at random
until we find one coprime to ϕ(n).
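The whole key setup and coding step, as one added example that is not code from the slides: the extended Euclidean algorithm for d, repeated squaring with a reduction mod m after every product, a probabilistic primality test (Miller–Rabin is the choice here; the slide does not name one), the brute-force search for the next prime, and the random search for an e coprime to ϕ(n). The tiny example's values p = 7919, q = 8017, e = 43812599 are the slide's; the seeds are constructed.

```python
# Added example (not from the slides): RSA setup with the slide's tiny parameters.
import random


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(e, m):
    """d with e*d = 1 (mod m); exists only if gcd(e, m) = 1."""
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e is not coprime to m")
    return s % m


def modpow(a, b, m):
    """Repeated squaring: O(log b) loop iterations, each operand kept below m."""
    z, a = 1, a % m
    while b > 0:
        if b & 1:            # b is odd
            z = z * a % m
        a = a * a % m
        b >>= 1              # b = b / 2
    return z


def is_probable_prime(n, rounds=20, seed=None):
    """Miller-Rabin: a composite survives one round with probability at most 1/4,
    so after 20 rounds the error probability is below 4^-20."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(seed)
    for _ in range(rounds):
        x = modpow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Brute force upward from n; density ~ 1/log n means only O(log n) tries."""
    while not is_probable_prime(n):
        n += 1
    return n


def random_coprime_e(phi, seed=None):
    """Draw random e until gcd(e, phi) = 1."""
    rng = random.Random(seed)
    while True:
        e = rng.randrange(3, phi)
        if egcd(e, phi)[0] == 1:
            return e


def rsa_keys(p, q, e):
    """Public key (n, e), private key (n, d) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, modinv(e, phi))


def encrypt(x, pub):
    n, e = pub
    return modpow(x, e, n)


def decrypt(y, priv):
    n, d = priv
    return modpow(y, d, n)


if __name__ == "__main__":
    pub, priv = rsa_keys(7919, 8017, 43812599)  # slide's tiny example
    print(priv[1], encrypt(12345678, pub), decrypt(encrypt(12345678, pub), priv))
```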
Safety
Euler’s totient function is easy to compute if one knows p and q . Thus, the whole problem
comes down to factoring n = pq .
p + q = n − m + 1 and pq = n,
• Luckily, factoring seems to be extremely hard, even if n is just the product of two
primes. Brute force is O(√n), no really significant improvements are known.
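The two directions of the equivalence above, as an added example (not code from the slides): given n = pq and m = ϕ(n), p and q are the two roots of t^2 − (n − m + 1)t + n, so knowing ϕ(n) is the same as knowing the factors; and the O(√n) brute-force factoring for comparison. The values used are the slide's tiny example.

```python
# Added example (not from the slides): phi(n) and factoring n = pq are equivalent.
from math import isqrt


def factor_from_totient(n, m):
    """Given n = p*q and m = phi(n) = (p-1)(q-1): p + q = n - m + 1 and p*q = n,
    so p, q are the roots of t^2 - (n - m + 1) t + n = 0."""
    s = n - m + 1              # p + q
    disc = s * s - 4 * n       # (p + q)^2 - 4pq = (p - q)^2
    r = isqrt(disc)
    if disc < 0 or r * r != disc:
        raise ValueError("n and m are not consistent with n = pq, m = (p-1)(q-1)")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("n and m are not consistent with n = pq, m = (p-1)(q-1)")
    return p, q


def totient_from_factors(p, q):
    """The easy direction: phi(pq) = (p-1)(q-1)."""
    return (p - 1) * (q - 1)


def trial_division(n):
    """Brute-force factoring: O(sqrt n) trial divisions."""
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return d, n // d
    return None  # n is prime


if __name__ == "__main__":
    print(factor_from_totient(63486623, 63470688))  # slide's tiny example
    print(trial_division(63486623))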
Caveat Emptor
But note: No proof is currently known that factoring is really hard. It might turn out that
there is a fast algorithm for factoring.
Most likely not a real problem, Quantum Computers probably will never happen, and
Classical Computers are probably too feeble.
More on Safety
Note that a one-bit change in the message usually changes the cryptogram completely.
But that’s also a problem: if the channel produces a one-bit error, we cannot decode any
more.
Also, if C knows most of the message, there is a problem: since C knows the coding
function, a brute force search for the missing part may produce results.
Typical example: a form letter from a bank, with just the PIN different between two letters.
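Both observations as an added example (not code from the slides), using the slide's tiny key: the bit-flip effect on the cryptogram, and the form-letter problem, which arises because the coding function is deterministic, so each candidate PIN has exactly one cryptogram that can be compared against the observed one. The last two functions show the standard remedy in a toy form, appending random bits before coding (a hypothetical scheme for illustration, not a standardized padding).

```python
# Added example (not from the slides): avalanche and the cost of deterministic coding.
import secrets

# Slide's tiny example key.
N, E, D = 63486623, 43812599, 24746663


def hamming_distance(a, b):
    """Number of bit positions in which the integers a and b differ."""
    return bin(a ^ b).count("1")


def avalanche(x, pub=(N, E)):
    """A one-bit change in the message changes the cryptogram in many bits."""
    n, e = pub
    return hamming_distance(pow(x, e, n), pow(x ^ 1, e, n))


def matching_candidates(observed, candidates, pub=(N, E)):
    """Because code(x) = x^e mod n is fixed, anyone who knows the rest of the letter
    can tell which candidate x produced the observed cryptogram."""
    n, e = pub
    return [x for x in candidates if pow(x, e, n) == observed]


def code_with_random_pad(x, pub=(N, E), pad_bits=8):
    """Toy randomized padding (hypothetical, not OAEP): code (x || r) for fresh random r.
    The same x now gives a different cryptogram each time; requires (x << pad_bits) < n."""
    n, e = pub
    r = secrets.randbits(pad_bits)
    padded = (x << pad_bits) | r
    if padded >= n:
        raise ValueError("message too large for this modulus with this padding")
    return pow(padded, e, n)


def decode_random_pad(y, priv=(N, D), pad_bits=8):
    n, d = priv
    return pow(y, d, n) >> pad_bits


if __name__ == "__main__":
    pin = 1234  # constructed 4-digit PIN
    print("bits changed by flipping one message bit:", avalanche(pin))
    print(matching_candidates(pow(pin, E, N), range(10000)))
    print(decode_random_pad(code_with_random_pad(pin)))
```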
Correctness
Zn → Zp × Zq
That’s enough because of isomorphism, but it’s easier because we are dealing with primes.
Proof.
Case 1: p divides x.
Then
y^d = (x^e)^d = 0^d = 0 = x (mod p).
Note that the isomorphism here is crucial: we cannot use FLT directly in Z∗pq .