Cryptography Course Work
Introduction to Cryptography
Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and γράφειν, graphein, "writing", or -λογία, -logia, "study", respectively) is the practice and study of hiding information. The science of cryptography, or “secret messages”, has been used for thousands of years to transmit and store information needing secrecy. Cryptography provides four main types of services related to data transmitted or stored:
1. Confidentiality: keep the data secret.
2. Integrity: keep the data unaltered.
3. Authentication: be certain where the data came from.
4. Non-repudiation: ensure that someone cannot deny sending the data.
Confidentiality is a big word meaning “secrecy” — keeping the data secret. For this one uses
encryption, a process of taking readable and meaningful data, and transforming it so that someone
who happens to intercept the data can no longer understand it. As part of the process, there has to
be a way for authorized parties to unscramble or decrypt the encrypted data.
Integrity means keeping the data in unaltered form, while authentication means knowing where the data came from and who sent it. Neither of these
services has anything to do with secrecy, though one might also want secrecy. Consider, for
example, the transfer of funds involving U.S. Federal Reserve Banks (and other banks). While
secrecy might be desirable, it is of small importance compared with being sure who is asking for
the transfer (the authentication) and being sure that the transfer is not altered (the integrity). One
important tool that helps implement these services is the digital signature. A digital signature has
much in common with an ordinary signature, except that it works better: when properly used it is
difficult to forge, and it behaves as if the signature were scrawled over the entire document, so
that any alteration to the document would alter the signature. In contrast, ordinary signatures are
notoriously easy to forge and are affixed to just one small portion of a document.
The final service, non-repudiation, prevents someone from claiming that they had not sent a
document that was authenticated as coming from them. For example, the person might claim that
their private key had been stolen. This service is important but difficult to implement.
Cryptographic techniques can be broadly divided into three types: (i) private-key (symmetric-key) cryptography, (ii) cryptographic hash functions, and (iii) public-key (asymmetric-key) cryptography. Before we investigate these techniques in detail, it is worth becoming familiar with the commonly used terminology.
Until modern times cryptography referred almost exclusively to encryption, which is the process
of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext).
Decryption is the reverse, in other words, moving from the unintelligible ciphertext back to
plaintext. A cipher (or cypher) is a pair of algorithms that create the encryption and the reversing
decryption. The detailed operation of a cipher is controlled both by the algorithm and in each
instance by a key. This is a secret parameter (ideally known only to the communicants) for a
specific message exchange context. Keys are important, as ciphers without variable keys can be
trivially broken with only the knowledge of the cipher used and are therefore useless (or even
counter-productive) for most purposes. Historically, ciphers were often used directly for
encryption or decryption without additional procedures such as authentication or integrity checks.
In colloquial use, the term "code" is often used to mean any method of encryption or concealment
of meaning. However, in cryptography, code has a more specific meaning. It means the
replacement of a unit of plaintext (i.e., a meaningful word or phrase) with a code word (for
example, wallaby replaces attack at dawn). Codes are no longer used in serious cryptography—
except incidentally for such things as unit designations (e.g., Bronco Flight or Operation
Overlord)—since properly chosen ciphers are both more practical and more secure than even the
best codes and also are better adapted to computers.
Cryptanalysis is the term used for the study of methods for obtaining the meaning of encrypted
information without access to the key normally required to do so; i.e., it is the study of how to
crack encryption algorithms or their implementations.
The study of characteristics of languages that have some application in cryptography (or cryptology), e.g. frequency data, letter combinations, universal patterns, etc., is called cryptolinguistics.
As mentioned earlier there are two alternatives for encryption in symmetric cryptography. The
differences between these two classes of primitives are summarized in the following table.
The main point to remember is that stream ciphers can encrypt a message of any size, and there is no need to know the size in advance (encryption on the fly). Moreover, a stream cipher encrypts and decrypts data with the same algorithm (encryption = decryption). A block cipher may require two different algorithms for encryption and decryption, depending on the encryption mode. For an n-bit block cipher, when the message size is not a multiple of the block size n, we also need to choose a padding algorithm. However, a block cipher is stateless (the ciphertext is not a function of time), while a stream cipher has an internal state. The counter mode (CTR) of encryption allows one to transform a block cipher into a synchronous additive stream cipher. The output feedback mode (OFB) is also similar to a stream cipher.
Additive synchronous stream ciphers are the most common design used in practice. They generate a keystream which is combined with the plaintext using the exclusive-or (XOR) operation to obtain the ciphertext. There is no error propagation in this model.
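The additive construction can be sketched in a few lines of Python. This is a toy illustration only: the keystream generator here is improvised from SHA-256 run in counter fashion, not RC4 or any standardized stream cipher, and the key and nonce values are placeholders.

```python
import hashlib

def keystream(key, nonce, length):
    # toy keystream generator: SHA-256 over key || nonce || counter
    # (illustration only, not a vetted stream cipher design)
    out = b''
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, 'big')).digest()
        counter += 1
    return out[:length]

def xor_stream(key, nonce, data):
    # encryption and decryption are the same operation: XOR with the keystream
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

ct = xor_stream(b'k' * 16, b'n' * 8, b'attack at dawn')
pt = xor_stream(b'k' * 16, b'n' * 8, ct)    # the same function decrypts
assert pt == b'attack at dawn'
```

Note that flipping one ciphertext bit flips exactly the corresponding plaintext bit, which is the "no error propagation" property mentioned above.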
The majority of those ciphers are now considered insecure and fully broken by the community. From a scientific point of view, it is interesting to observe that the success of a stream cipher design depends on its efficiency and code size rather than on its security: RC4 is efficient and very easy to program, and DVD-CSS has the same characteristics; both ciphers suffer from serious flaws. The European project NESSIE and, more recently, eSTREAM have provided several good candidates for stream ciphers. SNOW 2.0 is the only stream cipher that emerged from the NESSIE project. The eSTREAM project finally identified 7 candidates (the eSTREAM portfolio): HC-128, Rabbit, Salsa20/12, and SOSEMANUK in the software profile, and Grain v1, MICKEY 2.0, and Trivium in the hardware profile.
A block cipher is an encryption function for fixed-size blocks. The current generation of block ciphers has a block size of 128 bits: these ciphers encrypt a 128-bit plaintext and produce a 128-bit ciphertext. To encrypt we need a secret key, which is also a string of bits; common key sizes are 128 and 256 bits. If the message is longer than the block size, we need to use a block cipher mode of operation. In the next subsections we describe a few block ciphers and how they work, starting with DES, followed by AES, Serpent, and Twofish.
2.3.1 DES
DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key (although the effective key
strength is only 56 bits, as explained below). It takes a 64-bit block of plaintext as input and
outputs a 64-bit block of ciphertext. Since it always operates on blocks of equal size and it uses
both permutations and substitutions in the algorithm, DES is both a block cipher and a product
cipher.
DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the ciphertext. The number of rounds matters for security: as the number of rounds increases, the effort required by the best known cryptanalytic shortcut attacks (those faster than brute-force key search) grows rapidly, so more rounds make the cipher considerably harder to break.
Key Scheduling
Although the input key for DES is 64 bits long, the actual key used by DES is only 56
bits in length. The least significant (right-most) bit in each byte is a parity bit, and should
be set so that there are always an odd number of 1s in every byte. These parity bits are
ignored, so only the seven most significant bits of each byte are used, resulting in a key length of
56 bits.
The first step is to pass the 64-bit key through a permutation called Permuted Choice 1, or PC-1
for short. The table for this is given below. Note that in all subsequent descriptions of bit
numbers, 1 is the left-most bit in the number, and n is the rightmost bit.
For example, we can use the PC-1 table to figure out how bit 30 of the original 64-bit key
transforms to a bit in the new 56-bit key. Find the number 30 in the table, and notice that it
belongs to the column labeled 5 and the row labeled 36. Add up the value of the row and column
to find the new position of the bit within the key. For bit 30, 36 + 5 = 41, so bit 30 becomes bit 41
of the new 56-bit key. Note that bits 8, 16, 24, 32, 40, 48, 56 and 64 of the original key are not in
the table. These are the unused parity bits that are discarded when the final 56-bit key is created.
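The mapping described above can be checked in code. The sketch below uses the standard published DES PC-1 table (copied here since the table itself did not survive in this text) and reproduces the worked example: key bit 30 ends up as bit 41 of the 56-bit key.

```python
# Standard DES PC-1 table (a published constant from the DES specification);
# entry i says which bit of the 64-bit key becomes bit i of the 56-bit key
# (1-indexed, bit 1 being the left-most bit, as in the text).
PC1 = [57, 49, 41, 33, 25, 17, 9,  1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]

def permute(bits, table):
    # bits: list of 64 ints; bits[0] is bit 1 (the left-most bit)
    return [bits[t - 1] for t in table]

# Worked example from the text: set only bit 30 of the 64-bit key ...
key_bits = [1 if i == 30 else 0 for i in range(1, 65)]
out = permute(key_bits, PC1)
assert out[41 - 1] == 1     # ... and it becomes bit 41 of the 56-bit key
assert sum(out) == 1        # parity bits 8, 16, ..., 64 are simply dropped
```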
Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit subkeys,
called K[1]-K[16], which are used in the 16 rounds of DES for encryption and decryption. The
procedure for generating the subkeys - known as key scheduling - is fairly simple.
Modes of Operation
2.3.2 AES
AES stands for Advanced Encryption Standard. The Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the U.S. government. AES is a symmetric-key encryption technique that replaces the previously common Data Encryption Standard (DES). It was the result of a worldwide call for submissions of encryption algorithms issued by the US Government's National Institute of Standards and Technology (NIST) in 1997 and completed in 2000. Five algorithms were selected for the second round, from which Rijndael was chosen as the final standard. Taken together, Rijndael's combination of security, performance, efficiency, ease of implementation, and flexibility made it an appropriate selection for the Advanced Encryption Standard. It was developed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen, and submitted to the AES selection process under the name "Rijndael". AES is an iterated, symmetric-key block cipher that can use keys of 128, 192, or 256 bits, and encrypts and decrypts data in blocks of 128 bits (16 bytes). Unlike public-key ciphers, which use a pair of keys, symmetric-key ciphers use the same key to encrypt and decrypt data.
The Advanced Encryption Standard algorithm uses three key sizes: a 128-, 192-, or 256-bit
encryption key. Each encryption key size causes the algorithm to behave slightly differently, so
the increasing key sizes not only offer a larger number of bits with which you can scramble the
data, but also increase the complexity of the cipher algorithm.
The Advanced Encryption Standard (AES) is the successor to the older Data Encryption Standard
(DES). DES was approved as a Federal standard in 1977 and remained viable until 1998 when a
combination of advances in hardware, software, and cryptanalysis theory allowed a DES-
encrypted message to be decrypted in 56 hours.
The algorithm consists of four stages that make up a round which is iterated 10 times for a 128-
bit length key, 12 times for a 192-bit key, and 14 times for a 256-bit key. The first stage
"SubBytes" transformation is a non-linear byte substitution for each byte of the block. The second
stage "ShiftRows" transformation cyclically shifts (permutes) the bytes within the block. The
third stage "MixColumns" transformation groups 4 bytes together, forming 4-term polynomials, and multiplies them by a fixed polynomial modulo x^4 + 1. The fourth stage "AddRoundKey" transformation XORs the round key with the block of data.
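As a small illustration, the ShiftRows stage can be written directly from its description. This is a sketch assuming the state is held as a 4x4 byte array in row-major order (the AES specification stores the state column-wise, but the row rotation itself is identical):

```python
def shift_rows(state):
    # state: 4 rows of 4 bytes; row r is rotated left by r positions
    return [row[r:] + row[:r] for r, row in enumerate(state)]

state = [[0, 1, 2, 3],
         [4, 5, 6, 7],
         [8, 9, 10, 11],
         [12, 13, 14, 15]]
shifted = shift_rows(state)
assert shifted[0] == [0, 1, 2, 3]       # row 0 is unchanged
assert shifted[1] == [5, 6, 7, 4]       # row 1 rotated left by one
assert shifted[2] == [10, 11, 8, 9]     # row 2 rotated left by two
assert shifted[3] == [15, 12, 13, 14]   # row 3 rotated left by three
```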
In most ciphers, the iterated transform (or round) usually has a Feistel Structure. Typically in this
structure, some of the bits of the intermediate state are transposed unchanged to another position
(permutation). AES does not have a Feistel structure but is composed of three distinct invertible transforms based on the Wide Trail Strategy design method.
The Wide Trail Strategy design method provides resistance against linear and differential cryptanalysis. In the Wide Trail Strategy, every layer has its own function:
• The linear mixing layer: guarantees high diffusion over multiple rounds
• The non-linear layer: parallel application of S-boxes that have the optimum worst-case
non-linearity properties.
• The key addition layer: a simple XOR of the round key to the intermediate state
2.3.3 Serpent
Serpent was another finalist in the AES competition. It was in many ways the opposite of AES (Rijndael): AES emphasizes elegance and speed, whereas Serpent is designed for security above all. The best attack known to date covers only 10 of its 32 rounds. The two main disadvantages of Serpent are: (a) it is very slow, about one third the speed of AES; (b) it is difficult to implement, as the S-boxes need to be converted into Boolean formulas suitable for the underlying CPU.
Serpent consists of 32 rounds. Each round consists of XORing in a 128-bit round key, applying a linear mixing function to the 128 bits, and then applying 32 four-bit S-boxes in parallel. In each round the 32 S-boxes are identical, but there are 8 different S-boxes that are used in turn from round to round.
A straightforward implementation would be extremely slow, as each round consists of 32 S-boxes and there are 32 rounds, giving 32 × 32 = 1024 S-box lookups. A solution to this is to express the S-boxes as Boolean formulas: each of the four output bits is written as a Boolean formula of the four input bits, and the CPU evaluates these formulas directly using AND, OR, and XOR instructions. The trick is that a 32-bit CPU can evaluate 32 S-boxes in parallel. This style of implementation is called a "bitslice implementation". The mixing phase is relatively easy to compute in a bitslice implementation.
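The bitslice idea can be demonstrated with a toy Boolean formula (this is not one of Serpent's real S-box formulas, just an arbitrary example): each input nibble occupies one bit position across four 32-bit "bit planes", so one word-wide evaluation of the formula computes the same output bit for 32 inputs at once.

```python
MASK = 0xFFFFFFFF

def toy_bit(x0, x1, x2, x3):
    # toy output-bit formula (NOT a real Serpent S-box): b = x0 ^ (x1 & x2) ^ x3
    return (x0 ^ (x1 & x2) ^ x3) & MASK

# Pack 32 four-bit inputs into four 32-bit bit planes:
# plane j holds bit j of every input, one input per bit position.
inputs = [(i * 7 + 3) % 16 for i in range(32)]
planes = [0, 0, 0, 0]
for pos, v in enumerate(inputs):
    for j in range(4):
        planes[j] |= ((v >> j) & 1) << pos

# One formula evaluation computes the output bit for all 32 inputs at once.
sliced = toy_bit(*planes)

# Check against evaluating the formula one nibble at a time.
for pos, v in enumerate(inputs):
    x0, x1, x2, x3 = [(v >> j) & 1 for j in range(4)]
    assert ((sliced >> pos) & 1) == (x0 ^ (x1 & x2) ^ x3)
```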
2.3.4 TWOFISH
Twofish is a 128-bit block cipher, meaning that data is encrypted and decrypted in 128-
bit chunks. The key length can vary, but for the purposes of the AES it is defined to be
either 128, 192, or 256 bits. This block size and variable key length is standard among all
AES candidates and was one of the major design requirements specified by NIST. The official
Twofish algorithm uses 16 rounds, or iterations of the main algorithm, to ensure maximum
security. Twofish can be implemented with fewer rounds, but there is no compelling reason to do so: Twofish is already a very fast algorithm, and attacks have been discovered against the 5-round version. More than 16 rounds can also be used, but it has been found that the gain in security diminishes rapidly after 16 rounds, until the trade-off in speed is no longer worth the slightly better security.
Private Encryptor's implementation of Twofish uses a 256 bit key and the full 16 rounds. We
decided to use the largest possible key size to ensure that the user always enjoys the best possible
security. Our design philosophy is that security always comes before speed. If a shorter key is
provided by the user, Private Encryptor pads the key in a special, seemingly random, way to
make it 256 bits long. The designers of Twofish deliberately added two 1-bit rotations to the cipher. These rotations make the encryption and decryption algorithms different and also slow down software implementations.
Twofish uses the same Feistel structure as DES. It splits the 128-bit plaintext into four 32-bit values, and most operations are on 32-bit values. The Feistel structure of Twofish consists of a round function F, and the round function consists of two g functions. Each g function consists of four S-boxes followed by a linear mixing function that is very similar to the AES mixing function. The contents of the S-boxes depend on the key; an algorithm calculates the S-box tables from the key material.
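The Feistel structure shared by DES and Twofish can be sketched generically. This is a toy: the F function below is a truncated SHA-256 standing in for the real round functions, and the block is split into two 8-byte halves for simplicity (DES uses 32-bit halves, Twofish four 32-bit values); the point is only that decryption reuses F with the round keys reversed, so F itself never needs to be inverted.

```python
import hashlib

def F(half, round_key):
    # toy F function: truncated SHA-256 of half-block and key (illustrative)
    return hashlib.sha256(half + round_key).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_encrypt(block, round_keys):
    L, R = block[:8], block[8:]
    for k in round_keys:
        L, R = R, xor(L, F(R, k))   # XOR F(source) into target, then swap
    return L + R

def feistel_decrypt(block, round_keys):
    L, R = block[:8], block[8:]
    for k in reversed(round_keys):  # undo the rounds in reverse order
        L, R = xor(R, F(L, k)), L
    return L + R

keys = [bytes([i]) * 4 for i in range(16)]   # 16 rounds, toy round keys
pt = b'sixteen byte msg'
ct = feistel_encrypt(pt, keys)
assert feistel_decrypt(ct, keys) == pt
```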
Appendix:
A Feistel network is a general method of transforming any function (usually called the F function) into a permutation. It was invented by Horst Feistel [FNS75] in his design of Lucifer [Fei73], and popularized by DES [NBS77]. It is the basis of most block ciphers published since then, including FEAL [SM88], GOST [GOST89], Khufu and Khafre [Mer91], LOKI [BPS90, BKPS93], CAST-128 [Ada97a], Blowfish [Sch94], and RC5 [Riv95]. The fundamental building block of a Feistel network is the F function: a key-dependent mapping of an input string onto an output string. An F function is always non-linear and possibly non-surjective [1]:
F : {0,1}^(n/2) × {0,1}^N -> {0,1}^(n/2)
where n is the block size of the Feistel network, and F is a function taking n/2 bits of the block and N bits of a key as input, and producing an output of length n/2 bits. In each round, the "source block" is the input to F, and the output of F is XORed with the "target block", after which these two blocks swap places for the next round. The idea here is to take an F function, which may be a weak encryption algorithm when taken by itself, and repeatedly iterate it to create a strong encryption algorithm. Two rounds of a Feistel network are called a "cycle" [SK96]. In one cycle, every bit of the text block has been modified once. [2]
[1] A non-surjective F function is one in which not all outputs in the output space can occur.
[2] The notion of a cycle allows Feistel networks to be compared with unbalanced Feistel networks [SK96, ZMI90] such as MacGuffin [BS95] (cryptanalyzed in [RP95a]) and Bear/Lion [AB96b], and with SP-networks (also called uniform transformation structures [Fei73]) such as IDEA, SAFER, and Shark [RDP+96] (see also [YTH96]). Thus, 8-cycle (8-round) IDEA is comparable to 8-cycle (16-round) DES and 8-cycle (32-round) Skipjack.
Twofish is a 16-round Feistel network with a bijective F function.
3.2 S-boxes
An S-box is a table-driven non-linear substitution
operation used in most block ciphers. S-boxes vary in both input size and output size, and can be created either randomly or algorithmically. S-boxes were first used in Lucifer, then DES, and afterwards in most encryption algorithms. Twofish uses four different, bijective, key-dependent, 8-by-8-bit S-boxes. These S-boxes are built using two fixed 8-by-8-bit permutations and key material.
3.3 MDS Matrices
A maximum distance separable (MDS) code over a field is a linear mapping from a field elements to b field elements, producing a composite vector of a+b elements, with the property that the minimum number of non-zero elements in any non-zero vector is at least b + 1 [MS77]. Put another way, the "distance" (i.e., the number of elements that differ) between any two distinct vectors produced by the MDS mapping is at least b + 1. It can easily be shown that no mapping can have a larger minimum distance between two distinct vectors, hence the term maximum distance separable. MDS mappings can be represented by an MDS matrix consisting of a × b elements. Reed-Solomon (RS) error-correcting codes are known to be MDS. A necessary and sufficient condition for an a × b matrix to be MDS is that all possible square submatrices, obtained by discarding rows or columns, are non-singular. Serge Vaudenay first proposed MDS matrices as a cipher design element [Vau95]. Shark [RDP+96] and Square [DKR97] use MDS matrices (see also [YMT97]), although we first saw the construction used in the unpublished cipher Manta [Fer96]. Twofish uses a single 4-by-4 MDS matrix over GF(2^8).
3. Hash Function
Amongst all cryptographic primitives, hash functions are the most versatile. We can use a hash
function for encryption, authentication, and even for a digital signature scheme.
A hash function is a function that takes a message of any length as input and transforms it into a fixed-length output called a hash value, a message digest, a checksum, or a digital fingerprint. A hash function is a function f : D -> R, where the domain D = {0,1}*, which means that the elements of the domain are binary strings of variable length, and the range R = {0,1}^n for some n >= 1, which means that the elements of the range are binary strings of fixed length. So f is a function which takes as input a message M of any size and produces a fixed-length hash result h of size n. A hash function f is referred to as a compression function when its domain D is finite, in other words, when the function f takes as input a fixed-length message and produces a shorter fixed-length output. A cryptographic hash function H is a hash function with additional security properties:
1. H should accept a block of data of any size as input.
2. H should produce a fixed-length output no matter what the length of the input is.
3. H should behave like a random function while being deterministic and efficiently reproducible: it accepts an input of any length and outputs a fixed-length string that looks random, yet whenever the same input is given, H always produces the same output.
4. Given a message M, it is easy to compute its corresponding digest h, meaning that h can be computed in time linear in the length of the input message; this makes hardware and software implementations cheap and practical.
5. Given a message digest h, it is computationally difficult to find M such that H(M) = h. This is
called the one-way or pre-image resistance property. It simply means that one should not be
capable of recovering the original message from its hash value.
6. Given a message M1, it is computationally infeasible to find another message M2 ≠ M1 with H(M1) = H(M2). This is called the weak collision resistance or second preimage resistance property.
7. It is computationally infeasible to find any pair of distinct messages (M1, M2) such that H(M1) = H(M2). This is referred to as the strong collision resistance property.
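Properties 1-4 are easy to observe with an off-the-shelf cryptographic hash such as SHA-256 from Python's standard hashlib module:

```python
import hashlib

# Properties 1 and 2: inputs of any size, fixed 256-bit (64 hex digit) output
for msg in [b'', b'attack at dawn', b'x' * 100_000]:
    assert len(hashlib.sha256(msg).hexdigest()) == 64

# Property 3: deterministic -- the same input always gives the same digest ...
assert hashlib.sha256(b'abc').digest() == hashlib.sha256(b'abc').digest()

# ... yet random-looking: a one-character change gives an unrelated digest
d1 = hashlib.sha256(b'attack at dawn').digest()
d2 = hashlib.sha256(b'attack at dawm').digest()
assert d1 != d2
```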
File Integrity Verification: This is of huge use when we download executables or source code from a website. Normally such websites provide a checksum beside the download link. What is normally done is to pass the downloaded file through a hash function and check whether there is any difference between its hash value and the checksum documented on the webpage.
Password Hashing: This technique is used in the Unix operating system as well as in most contemporary web services. The idea is to store the hash value of a password instead of the plaintext. If a person gains access to the password file, he will only see the corresponding hash values of the plaintext passwords.
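A minimal sketch of this idea with Python's hashlib. Note that the per-user salt and iteration count are additions of modern practice, beyond the bare "store the hash" scheme described above, and the function names here are illustrative:

```python
import hashlib, hmac, os

def hash_password(password, salt=None, iterations=100_000):
    # store (salt, derived_key) in the password file, never the plaintext
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return salt, dk

def verify_password(password, salt, stored_dk, iterations=100_000):
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return hmac.compare_digest(dk, stored_dk)   # constant-time comparison

salt, dk = hash_password('hunter2')
assert verify_password('hunter2', salt, dk)
assert not verify_password('hunter3', salt, dk)
```

The iterated hash (PBKDF2 here) deliberately slows down brute-force guessing, and the salt ensures that identical passwords do not produce identical entries in the file.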
Key Derivation: This is the process of deriving various keys from a shared secret password or passphrase to secure a communication session. For example, two people can agree on a secret key and pass that key to a key derivation function to produce separate keys for encryption and authentication. This guarantees that an attacker who learns your authentication key will not have access to your encryption key.
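A simplified sketch of this idea, using HMAC with distinct labels as a stand-in for a full key derivation function such as HKDF (the labels and names here are illustrative):

```python
import hashlib, hmac

def derive_key(shared_secret, label):
    # derive independent keys from one secret by mixing in a distinct label
    # (simplified stand-in for a real KDF such as HKDF)
    return hmac.new(shared_secret, label, hashlib.sha256).digest()

secret = b'shared secret passphrase'
enc_key = derive_key(secret, b'encryption')
auth_key = derive_key(secret, b'authentication')
assert enc_key != auth_key   # learning one key reveals nothing about the other
```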
Trusted Digital Timestamp: This technique is implemented in order to vouch for the time and date of a digital document. There are third-party Time Stamping Authorities (TSA) who process requests for digital time stamping. The exchange works in the following way:
• The requesting entity calculates the hash of the document she/he wishes to have time-stamped and sends the resulting hash value as a request to the Time Stamping Authority.
• The Time Stamping Authority appends a timestamp to the received hash value and calculates the hash of this concatenation. This final hash is digitally signed using the TSA's private key. Both the signature (the signed hash generated by the TSA) and the timestamp are sent as a response to the requesting entity.
• Upon receipt of the response, the requesting entity should verify that the timestamp received matches the timestamp requested. To verify this, the requesting entity decrypts the signed hash using the TSA's public key; let's call it TSA_HASH. Next, the requesting entity concatenates the received timestamp to the exact same hash of the original document and calculates the hash of the result of this concatenation; let's call it OD_HASH. If TSA_HASH equals OD_HASH then everything is all right: the timestamp is correct and was issued by the right Time Stamping Authority. The requesting entity may store all the data in a safe location.
If TSA_HASH is not equal to OD_HASH (and provided that the original document has not been modified since we sent the request), then one of the following hypotheses holds true:
• The timestamp was altered along the way.
• We have received the wrong timestamp from the right TSA.
• We have received the wrong signature from the right TSA.
• The response was simply not issued by the right TSA.
In any case, the TSA should immediately be notified of the situation.
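The exchange above can be sketched as follows. This is a deliberate simplification: HMAC with a secret key stands in for the TSA's public-key digital signature, and the key, document, and timestamp values are all illustrative placeholders.

```python
import hashlib, hmac

TSA_KEY = b'tsa-private-key'   # stand-in: a real TSA uses a public-key signature

def tsa_sign(doc_hash, timestamp):
    # the TSA appends the timestamp to the hash and signs the concatenation
    return hmac.new(TSA_KEY, doc_hash + timestamp, hashlib.sha256).digest()

def verify(document, timestamp, signature):
    # recompute OD_HASH on our side and compare it with the TSA's signed hash
    doc_hash = hashlib.sha256(document).digest()
    expected = tsa_sign(doc_hash, timestamp)
    return hmac.compare_digest(expected, signature)

doc = b'contract text'
ts = b'2024-01-01T00:00:00Z'
sig = tsa_sign(hashlib.sha256(doc).digest(), ts)
assert verify(doc, ts, sig)                       # TSA_HASH == OD_HASH
assert not verify(doc + b' tampered', ts, sig)    # any change breaks the match
```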
RootKit Detection: A rootkit is a program or a set of programs that a hacker installs on the victim's computer in order to cover the tracks of other malicious programs which attempt to corrupt an operating system. A rootkit will hide its presence on a compromised system. It will replace or alter several legitimate system programs (such as "ls", "find", "locate", "top", "kill", and "netstat" on a UNIX system) with others which are specially designed to prevent the rootkit's detection and removal. This means that once a rootkit is installed on a system, none of the programs on that system can be trusted to give precise information or to act as expected.
One detection method relies on the use of cryptographic hash functions and is called hash-based detection. With this method, a fingerprint or message digest of the filesystem (or part of it) is generated at regular intervals, before and after any legitimate action which adds or removes files in the system. This fingerprint is later compared with the current state of the filesystem to find out whether any unauthorized change has been made.
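A minimal sketch of hash-based detection: fingerprint each file with SHA-256, then compare a later fingerprint against the baseline (the file names and contents below simulate a system binary being replaced).

```python
import hashlib, os, tempfile

def fingerprint(paths):
    # map each file path to the SHA-256 digest of its contents
    fp = {}
    for path in paths:
        with open(path, 'rb') as f:
            fp[path] = hashlib.sha256(f.read()).hexdigest()
    return fp

def changed_files(baseline, current):
    # files whose digest differs from (or is missing in) the baseline
    return [p for p in baseline if current.get(p) != baseline[p]]

# simulate a rootkit replacing a system binary between two fingerprints
with tempfile.TemporaryDirectory() as d:
    binary = os.path.join(d, 'ls')
    with open(binary, 'wb') as f:
        f.write(b'legitimate binary')
    baseline = fingerprint([binary])
    with open(binary, 'wb') as f:
        f.write(b'trojaned binary')
    assert changed_files(baseline, fingerprint([binary])) == [binary]
```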
SHA-256, SHA-384, SHA-512: Recently, NIST published a draft standard containing three new hash functions [75]. These have 256-, 384-, and 512-bit outputs respectively. They are designed to be used with the 128-, 192-, and 256-bit key sizes of AES. Their structure is very similar to SHA-1. These hash functions are very new. We cannot recommend them, but we don't have much choice: if we want more security than SHA-1 can give, we need a hash function with a larger result. None of the published designs for larger hash functions has received a lot of public analysis; at least the SHA family has been vetted by the NSA, who seems to generally know what it is doing. SHA-256 is much slower than SHA-1. For long messages, computing a hash with SHA-256 takes about as much time as encrypting the message with AES or Twofish, or maybe a little bit more. This is not necessarily bad. Because we feel that hashing is a more difficult problem than encryption, we are not surprised that a hash function would be slower than an encryption function. We are, instead, surprised at the speed of SHA-1 and MD5. But then, relatively little research has been done on attacking these fast hash functions; certainly nowhere near the amount of work that has gone into attacking block ciphers. SHA-384 is relatively useless: to compute it, you do all the work required for SHA-512 and then throw away some of the bits. We don't need a separate function for that, and we recommend sticking with SHA-256 and SHA-512.
(i) Length Extensions: Our greatest peeve about all these hash functions is that they have a length extension bug that leads to real problems and that could easily have been avoided. Here is the problem: a message m is split into blocks m1, ..., mk and hashed to a value h(m). Let's now choose a message m' that splits into the blocks m1, ..., mk, m(k+1). Because the first k blocks of m' are identical to the k blocks of message m, the hash value h(m) is merely the intermediate hash value after k blocks in the computation of h(m'). We get h(m') = h'(h(m), m(k+1)). When using MD5 or any hash from the SHA family, you have to choose m' carefully to include the padding and length field, but this is not a problem, as the method of constructing these fields is known. The length extension problem exists because there is no special processing at the end of the hash function computation. The result is that h(m) provides direct information about the intermediate state after the first k blocks of m'. This is certainly a surprising property for a function we want to think of as a random mapping. In fact, this property immediately disqualifies all of the mentioned hash functions, according to our security definition. All a distinguisher has to do is to construct a few suitable pairs (m, m') and check for this relationship. You certainly wouldn't find this relationship in an ideal hash function, so this is a valid attack. The attack itself takes only a few hash computations, so it is very quick. How could this property be harmful? Imagine a system where Alice sends a message to Bob and wants to authenticate it by sending h(X || m), where X is a secret known only to Bob and Alice, and m is the message. If h were an ideal hash function, this would make a decent authentication system. But with length extensions, Eve can now append text to the message m, and update the authentication code to match the new message. An authentication system which allows Eve to modify the message is useless.
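The extension can be reproduced with a toy Merkle-Damgård iteration. This sketch is simplified: it adds no padding or length field, so the extension works directly, whereas against real MD5/SHA the attacker must also account for the known padding.

```python
import hashlib

BLOCK = 32

def toy_md_hash(message, state=b'\x00' * BLOCK):
    # toy iterated hash: chain SHA-256 as the compression function h'
    # (no padding or length field, unlike the real MD5/SHA constructions)
    for i in range(0, len(message), BLOCK):
        block = message[i:i + BLOCK].ljust(BLOCK, b'\x00')
        state = hashlib.sha256(state + block).digest()
    return state

m = b'A' * BLOCK       # the blocks m1, ..., mk (here k = 1); may be unknown
extra = b'B' * BLOCK   # the appended block m(k+1), chosen by the attacker

h_m = toy_md_hash(m)                      # all the attacker is given
forged = toy_md_hash(extra, state=h_m)    # compute h'(h(m), m(k+1))
assert forged == toy_md_hash(m + extra)   # equals h(m || extra): extension works
```

The attacker never needed m itself: h(m) alone was enough to continue the iteration, which is exactly why h(X || m) fails as an authentication scheme.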
(ii) Partial Message Collision: A second problem is inherent in the iterative structure of most hash functions. We'll explain the problem with a specific distinguisher. The first step of any distinguisher is to specify the setting in which it will differentiate between the hash function and the ideal hash function. Sometimes this setting can be very simple: given the hash function, find a collision. Here we use a slightly more complicated setting. Suppose we have a system that authenticates a message m with h(m || X), where X is the authentication key. The attacker can choose the message m, but the system will only authenticate a single message. For a perfect hash function of size n, we expect that this construction has a security level of n bits: the attacker cannot do any better than to choose an m, get the system to authenticate it as h(m || X), and then search for X by exhaustive search. The attacker can do much better with an iterative hash function. She finds two strings m and m' that lead to a collision when hashed by h. This can be done using the birthday attack in only about 2^(n/2) steps. She then gets the system to authenticate m, and replaces the message with m'. Remember that h is computed iteratively, so once there is a collision and the rest of the hash inputs are the same, the hash value stays the same too. Because hashing m and m' leads to the same value, h(m || X) = h(m' || X) for every X.
This is a typical example of a distinguisher. The distinguisher sets its own "game" (a setting in which it attempts an attack), and then attacks the system. The object is still to distinguish between the hash function and the ideal hash function, but that is easy to do here: if the attack succeeds, it is the iterative hash function; if the attack fails, it is the ideal hash function.
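The 2^(n/2) birthday bound is easy to verify experimentally on a deliberately truncated hash (24 bits here, so a collision is expected after roughly 2^12 ≈ 4096 trials; the message format is arbitrary):

```python
import hashlib

def h24(x):
    # truncated hash: first 3 bytes (24 bits) of SHA-256, small enough to attack
    return hashlib.sha256(x).digest()[:3]

seen = {}
i = 0
while True:
    msg = b'message-%d' % i
    d = h24(msg)
    if d in seen:                 # birthday collision found
        m1, m2 = seen[d], msg
        break
    seen[d] = msg
    i += 1

assert m1 != m2 and h24(m1) == h24(m2)
# i is on the order of 2^(24/2) = 4096, far below the 2^24 of brute force
```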
In a basic secure conversation using public-key cryptography, the sender encrypts the message
using the receiver's public key. Remember that this key is known to everyone. The encrypted
message is sent to the receiving end, who will decrypt the message with his private key. Only the
receiver can decrypt the message because no one else has the private key. Also, notice how the
encryption algorithm is the same at both ends: what is encrypted with one key is decrypted with
the other key using the same algorithm.
Public-key systems have a clear advantage over symmetric algorithms: there is no need to agree
on a common key for both the sender and the receiver. As seen in the previous example, if
someone wants to receive an encrypted message, the sender only needs to know the receiver's
public key (which the receiver will provide; publishing the public key in no way compromises the
secure transmission). As long as the receiver keeps the private key secret, no one but the receiver
will be able to decrypt the messages encrypted with the corresponding public key. This is due to
the fact that, in public-key systems, it is relatively easy to compute the public key from the
private key, but very hard to compute the private key from the public key (which is the one
everyone knows). In fact, some algorithms need several months (and even years) of constant
computation to obtain the private key from the public key.
Figure. Public key generation
Another important advantage is that, unlike symmetric algorithms, public-key systems can
guarantee integrity and authentication, not only privacy. The basic communication seen above
only guarantees privacy. We will shortly see how integrity and authentication fit into public-key
systems. The main disadvantage of public-key systems is that they are not as fast as symmetric
algorithms.
To create a digital signature, the sender generates a message digest of the message and encrypts
it with his private key. The digital signature is attached to the message, and sent to the receiver.
The receiver then does the following:
1. Using the sender's public key, decrypts the digital signature to obtain the message digest
generated by the sender.
2. Uses the same message digest algorithm used by the sender to generate a message digest
of the received message.
3. Compares both message digests (the one sent by the sender as a digital signature, and the
one generated by the receiver). If they are not exactly the same, the message has been
tampered with by a third party. We can be sure that the digital signature was sent by the
sender (and not by a malicious user) because only the sender's public key can decrypt the
digital signature (which was encrypted by the sender's private key; remember that what
one key encrypts, the other one decrypts, and vice versa). If decrypting using the public
key renders a faulty message digest, this means that either the message or the message
digest are not exactly what the sender sent.
Using public-key cryptography in this manner ensures integrity, because we have a way of
knowing if the message we received is exactly what was sent by the sender. However, notice how
the above example guarantees only integrity. The message itself is sent unencrypted. This is not
necessarily a bad thing: in some cases we might not be interested in keeping the data private, we
simply want to make sure it isn't tampered with. To add privacy to this conversation, we would
simply need to encrypt the message as explained in the first diagram.
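The sign-and-verify steps above can be sketched with textbook RSA over tiny, insecure numbers. The key values here (p = 61, q = 53, e = 17) are illustrative assumptions, and the digest is reduced mod n only to keep the toy self-contained; real schemes pad the digest rather than hashing alone.

```python
import hashlib

# Hypothetical small RSA key pair, for illustration only (not secure).
p, q = 61, 53
n = p * q                 # 3233
phi = (p - 1) * (q - 1)   # 3120
e = 17
d = pow(e, -1, phi)       # 2753 (modular inverse; Python 3.8+)

def digest(msg: bytes) -> int:
    # Reduce SHA-256 mod n so the digest fits; a toy stand-in for padding.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes) -> int:
    # "Encrypt" the digest with the private key.
    return pow(digest(msg), d, n)

def verify(msg: bytes, sig: int) -> bool:
    # Recover the digest with the public key and compare.
    return pow(sig, e, n) == digest(msg)

msg = b"transfer $100 to Alice"
sig = sign(msg)
assert verify(msg, sig)                       # untampered message passes
assert not verify(b"transfer $999", sig)      # altered message fails
```

Any change to the message changes its digest, so the comparison in step 3 fails exactly as the text describes.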
The above example does guarantee, to a certain extent, the authenticity of the sender, since only
the sender's public key can decrypt the digital signature (which was encrypted with the sender's
private key). However, the only thing this guarantees is that whoever sent the message has the private key
corresponding to the public key we used to decrypt the digital signature. Although this public key
might have been advertised as belonging to the sender, how can we be absolutely certain? Maybe
the sender isn't really who he claims to be, but just someone impersonating the sender.
Some security scenarios might consider that the 'weak authentication' shown in the previous
example is sufficient. However, other scenarios might require that there is absolutely no doubt
about a user's identity. This is achieved with digital certificates, which are explained in the next
section.
RSA Algorithm
The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Adleman, who invented it in
1977. The basic technique was first discovered in 1973 by Clifford Cocks of CESG (part of the
British GCHQ), but this remained secret until 1997. The patent taken out by RSA Labs has expired.
The RSA algorithm can be used for both public key encryption and digital signatures. Its security
is based on the difficulty of factoring large integers.
1. Generate two large random primes, p and q, of approximately equal size such that
their product n = pq is of the required bit length, e.g. 1024 bits.
2. Compute n = pq and phi = (p-1)(q-1).
3. Choose an integer e, 1 < e < phi, such that gcd(e, phi) = 1.
4. Compute the secret exponent d, 1 < d < phi, such that ed ≡ 1 (mod phi).
5. The public key is (n, e) and the private key is (n, d). Keep all the values d, p, q
and phi secret.
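The five steps above can be traced with tiny illustrative primes. This is purely a sketch; real keys use primes hundreds of digits long, and the values p = 11, q = 17, e = 3 are assumptions chosen for readability.

```python
# Step 1: two small primes (real keys use ~512-bit primes or larger).
p, q = 11, 17
# Step 2: modulus and phi.
n = p * q                  # 187
phi = (p - 1) * (q - 1)    # 160
# Step 3: choose e with gcd(e, phi) = 1.
e = 3                      # gcd(3, 160) = 1
# Step 4: secret exponent d with e*d = 1 (mod phi).
d = pow(e, -1, phi)        # 107, since 3*107 = 321 = 2*160 + 1
# Step 5: public key (n, e) = (187, 3); private key (n, d) = (187, 107).

m = 42                     # a message representative, m < n
c = pow(m, e, n)           # encrypt with the public key
assert pow(c, d, n) == m   # decrypt with the private key
```

The round trip works for any m below n because e*d = 1 (mod phi), so (m^e)^d = m (mod n).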
Encryption: represent the plaintext as an integer m with 0 < m < n and compute the ciphertext c = m^e mod n.
Decryption: compute m = c^d mod n.
Digital signing: compute the signature s = m^d mod n over the message representative m; verification recovers m = s^e mod n.
1. To generate the primes p and q, generate a random number of bit length b/2 where b is
the required bit length of n; set the low bit (this ensures the number is odd) and set the
two highest bits (this ensures that the high bit of n is also set); check if prime (use the
Rabin-Miller test); if not, increment the number by two and check again until you find a
prime. This is p. Repeat for q starting with a random integer of length b - b/2. If p < q, swap
p and q (this only matters if you intend using the CRT form of the private key). In the
extremely unlikely event that p = q, check your random number generator. Alternatively,
instead of incrementing by 2, just generate another random number each time.
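The generation procedure in step 1 might be sketched as follows. The bit lengths and witness-round count are illustrative choices, and this toy size is far below what real keys require.

```python
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    # Rabin-Miller probabilistic primality test.
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:       # write n-1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False    # a is a witness that n is composite
    return True

def gen_prime(bits: int) -> int:
    # Random candidate with the low bit set (odd) and the two highest
    # bits set (so the product n reaches the required length), then
    # increment by 2 until a probable prime is found.
    cand = random.getrandbits(bits) | 1 | (0b11 << (bits - 2))
    while not is_probable_prime(cand):
        cand += 2
    return cand

b = 64                                  # toy size for the modulus n
p, q = gen_prime(b // 2), gen_prime(b - b // 2)
if p < q:
    p, q = q, p                         # matters only for the CRT form
n = p * q
assert n.bit_length() >= b              # the top bits kept n long enough
```

Setting the two highest bits of each candidate is what guarantees the product reaches the full bit length.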
There are stricter rules in [12] to produce strong primes and other restrictions on p and q
to minimise the possibility of known techniques being used against the algorithm. There
is much argument about this topic. It is probably better just to use a longer key length.
2. In practice, common choices for e are 3, 17 and 65537 (2^16 + 1). These are Fermat primes,
sometimes referred to as F0, F2 and F4 respectively (Fx = 2^(2^x) + 1). They are chosen
because they make the modular exponentiation operation faster. Also, having chosen e, it
is simpler to test whether gcd(e, p-1)=1 and gcd(e, q-1)=1 while generating and testing
the primes in step 1. Values of p or q that fail this test can be rejected there and then.
(Even better: if e is prime and greater than 2 then you can do the less-expensive test (p
mod e)!=1 instead of gcd(p-1,e)==1.)
3. To compute the value for d, use the Extended Euclidean Algorithm to calculate d = e^-1
mod phi, also written d = (1/e) mod phi. This is known as modular inversion. Note that
this is not integer division. The modular inverse d is defined as the integer value such that
ed ≡ 1 (mod phi). It exists only if e and phi have no common factors.
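A minimal sketch of the Extended Euclidean computation of d. The values phi = 3120 and e = 17 are assumed illustrative inputs (they correspond to the small textbook primes p = 61, q = 53).

```python
def egcd(a: int, b: int):
    # Returns (g, x, y) with a*x + b*y = g = gcd(a, b).
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e: int, phi: int) -> int:
    # Modular inversion: find d with e*d = 1 (mod phi).
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi share a factor; no inverse exists")
    return x % phi

phi = 3120          # (p-1)(q-1) for p = 61, q = 53
e = 17
d = modinv(e, phi)
assert (e * d) % phi == 1
```

Note that this is integer arithmetic throughout; no division of real numbers is involved.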
4. When representing the plaintext octets as the representative integer m, it is usual to add
random padding characters to make the size of the integer m large and less susceptible to
certain types of attack. If m = 0 or 1 or n-1 there is no security as the ciphertext has the
same value. For more details on how to represent the plaintext octets as a suitable
representative integer m, see [8] below. It is important to make sure that m < n otherwise
the algorithm will fail. This is usually done by making sure the first octet of m is equal to
0x00.
5. Decryption and signing are identical as far as the mathematics is concerned, as both use
the private key. Similarly, encryption and verification both use the same mathematical
operation with the public key. That is, mathematically, for m < n,
m = (m^e)^d mod n = (m^d)^e mod n.
Summary of RSA
Key length
When we talk about the key length of an RSA key, we are referring to the length of the modulus,
n, in bits. The minimum recommended key length for a secure RSA transmission is currently
1024 bits. A key length of 512 bits is now no longer considered secure, although cracking it is
still not a trivial task for the likes of you and me. The longer your information is needed to be
kept secure, the longer the key you should use. Keep up to date with the latest recommendations
in the security journals.
There is one small area of confusion in defining the key length. One convention is that the key
length is the position of the most significant bit in n that has value '1', where the least significant
bit is at position 1. Equivalently, key length = ceiling(log2(n+1)). The other convention,
sometimes used, is that the key length is the number of bytes needed to store n multiplied by
eight, i.e. 8 x ceiling(log256(n+1)).
The key used in the RSA Example paper [6] illustrates the difference. In hex form the modulus is
0A 66 79 1D C6 98 81 68 DE 7A B7 74 19 BB 7F B0
C0 01 C6 27 10 27 00 75 14 29 42 E1 9A 8D 8C 51
D0 53 B3 E3 78 2A 1D E5 DC 5A F4 EB E9 94 68 17
01 14 A1 DF E6 7C DC 9A 9A F5 5D 65 56 20 BB AB
The most significant byte 0x0A in binary is 00001010'B. The most significant bit is at position
508, so its key length is 508 bits. On the other hand, this value needs 64 bytes to store it, so the
key length could also be referred to by some as 64 x 8 = 512 bits. We prefer the former method.
You can get into difficulties with the X9.31 method for signatures if you use the latter
convention.
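Both conventions can be checked directly against the hex modulus above with a few lines of Python:

```python
# Hex modulus from the RSA Example paper [6], as printed above.
hex_n = """
0A 66 79 1D C6 98 81 68 DE 7A B7 74 19 BB 7F B0
C0 01 C6 27 10 27 00 75 14 29 42 E1 9A 8D 8C 51
D0 53 B3 E3 78 2A 1D E5 DC 5A F4 EB E9 94 68 17
01 14 A1 DF E6 7C DC 9A 9A F5 5D 65 56 20 BB AB
"""
octets = bytes.fromhex("".join(hex_n.split()))
n = int.from_bytes(octets, "big")

assert n.bit_length() == 508   # first convention: position of the top 1 bit
assert len(octets) * 8 == 512  # second convention: storage bytes times 8
```

The top byte 0x0A contributes only four significant bits, which is why the two conventions disagree here.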
The following table is taken from NIST's Recommendation for Key Management [13]. It shows
the recommended comparable key sizes for symmetric block ciphers (AES and Triple DES) and
the RSA algorithm, that is, the RSA key length you would need to use to have comparable security.
Symmetric key algorithm   Comparable RSA key length   Comparable hash function   Bits of security
2TDEA*                    1024                        SHA-1                      80
3TDEA                     2048                        SHA-224                    112
AES-128                   3072                        SHA-256                    128
AES-192                   7680                        SHA-384                    192
AES-256                   15360                       SHA-512                    256
* 2TDEA is 2-key triple DES – see [10].
Note just how huge (and impractical) an RSA key needs to be for comparable security with AES-
192 or AES-256 (although these two algorithms have had some weaknesses exposed recently
[11]; AES-128 is unaffected).
The above table is a few years old now and may be out of date. Existing cryptographic algorithms
only get weaker as attacks get better.
Key generation is only carried out occasionally and so computational efficiency is less of an
issue.
The calculation a = b^e mod n is known as modular exponentiation, and one efficient method to
carry this out on a computer is the binary left-to-right method. To solve y = x^e mod n, let e be
represented in base 2 as
e = e(k-1)e(k-2)...e(1)e(0)
where e(k-1) is the most significant non-zero bit and e(0) the least.
set y = x
for bit j = k - 2 downto 0
begin
y = y * y mod n /* square */
if e(j) == 1 then
y = y * x mod n /* multiply */
end
return y
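The pseudocode above translates directly into Python; a small sketch, checked against the built-in pow:

```python
def mod_exp(x: int, e: int, n: int) -> int:
    # Binary left-to-right square-and-multiply, following the pseudocode.
    assert e >= 1
    bits = bin(e)[2:]            # e(k-1)...e(0), most significant bit first
    y = x % n                    # the leading 1 bit gives y = x
    for bit in bits[1:]:         # bits j = k-2 down to 0
        y = (y * y) % n          # square
        if bit == "1":
            y = (y * x) % n      # multiply
    return y

assert mod_exp(2, 10, 1000) == 24                      # 1024 mod 1000
assert mod_exp(123, 4567, 891) == pow(123, 4567, 891)  # matches built-in
```

Each loop iteration always squares, and multiplies only when the exponent bit is 1, which is why exponents with few set bits are faster.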
The time to carry out modular exponentiation increases with the number of bits set to one in the
exponent e. For encryption, an appropriate choice of e can reduce the computational effort
required to carry out the computation of c = m^e mod n. Popular choices like 3, 17 and 65537 are
all primes with only two bits set: 3 = 11'B, 17 = 10001'B, 65537 = 0x10001.
The bits in the decryption exponent d, however, will not be so convenient and so decryption using
the standard method of modular exponentiation will take longer than encryption. Don't make the
mistake of trying to contrive a small value for d; it is not secure.
An alternative method of representing the private key uses the Chinese Remainder Theorem
(CRT). See the page given in reference [9]. The private key is represented as a quintuple (p, q,
dP, dQ, and qInv), where p and q are prime factors of n, dP and dQ are known as the CRT
exponents, and qInv is the CRT coefficient. The CRT method of decryption is about four times
faster overall than calculating m = c^d mod n. For more details, see [8]. The extra values for the
private key are:
dP = (1/e) mod (p-1)
dQ = (1/e) mod (q-1)
qInv = (1/q) mod p
where the (1/e) and (1/q) notation means the modular inverse. These values are pre-computed and saved
along with p and q as the private key. To compute the message m given c, do the following:
m1 = c^dP mod p
m2 = c^dQ mod q
h = qInv * (m1 - m2) mod p
m = m2 + h * q
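The CRT procedure can be sketched with the same small illustrative primes used earlier (p = 61, q = 53, e = 17 are assumed toy values). Note that Python's % operator always returns a non-negative result, which sidesteps the m1 < m2 issue some large-integer packages have.

```python
p, q = 61, 53                       # toy primes, p > q
n, e = p * q, 17
d = pow(e, -1, (p - 1) * (q - 1))

# Pre-computed CRT values stored with the private key:
dP = d % (p - 1)                    # equals (1/e) mod (p-1)
dQ = d % (q - 1)                    # equals (1/e) mod (q-1)
qInv = pow(q, -1, p)                # (1/q) mod p

def decrypt_crt(c: int) -> int:
    m1 = pow(c, dP, p)              # short exponent mod p
    m2 = pow(c, dQ, q)              # short exponent mod q
    h = (qInv * (m1 - m2)) % p      # % normalizes a negative difference
    return m2 + h * q

m = 1234
c = pow(m, e, n)
assert decrypt_crt(c) == pow(c, d, n) == m
```

The exponents dP and dQ are roughly half the length of d, and the moduli are half the length of n, which is where the speedup comes from.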
Even though there are more steps in this procedure, the modular exponentiation to be carried out
uses much shorter exponents and so it is less expensive overall.
[2008-09-02] Chris Becke has pointed out that most large integer packages will fail when
computing h if m1 < m2. This can be easily fixed by computing h = qInv * (m1 + p - m2) mod p
instead; with p > q, as arranged in step 1, m1 + p - m2 is always positive.
Michael Rabin discovered what we can call a version of RSA, although it is more properly
regarded as a public key cryptosystem in its own right. During its early history, this system was
considered of theoretical, but not practical interest because of a ``fatal flaw'' (a quote from Donald
Knuth) that made it vulnerable to a chosen plaintext attack. However, there is a way around the
flaw, making this system a real competitor to RSA.
In the integers mod n, using both addition and multiplication mod n, if n is not a prime, then not
every non-zero element has a multiplicative inverse. But also of interest here are elements that
have a square root. The square root of an element a is an element b such that (b*b) % n =
a. Some elements have several square roots, and some have none. In fact, number theorists have
been interested in these matters for hundreds of years; they even have a special term for a number
that has a square root: a quadratic residue. Thus this theory is not something new invented just
for cryptography.
In elementary algebra, one learns that positive numbers have two square roots: one positive and
one negative. In the same way, for the integers modulo a prime, non-zero numbers that are
squares each have two square roots. For example, if n = 11, then in Z11: 1^2 = 1, 2^2 = 4,
3^2 = 9, 4^2 = 5, 5^2 = 3, 6^2 = 3, 7^2 = 5, 8^2 = 9, 9^2 = 4, and 10^2 = 1. The following
little table shows those numbers that have square roots.
Numbers mod 11
Square Square Roots
1 1, 10
3 5, 6
4 2, 9
5 4, 7
9 3, 8
Notice that 1, 4, and 9 have their ``ordinary'' square roots of 1, 2, and 3, as well as an extra
square root in each case, while 3 and 5 each also have two square roots, and 2, 6, 7, 8, and 10
each have no square roots at all.
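The table can be reproduced with a short loop over the non-zero residues mod 11:

```python
n = 11
roots = {}
for b in range(1, n):
    # Record b as a square root of b*b mod n.
    roots.setdefault((b * b) % n, []).append(b)

# Exactly the table above: each quadratic residue has two roots.
assert roots == {1: [1, 10], 4: [2, 9], 9: [3, 8], 5: [4, 7], 3: [5, 6]}
```

The five residues 1, 3, 4, 5, 9 each collect two roots, and the remaining residues 2, 6, 7, 8, 10 never appear as squares.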
Rabin's system uses n = p*q, where p and q are primes, just as with the RSA cryptosystem. It
turns out that the formulas are particularly simple in case p % 4 = 3 and q % 4 = 3 (which
is true of roughly half of all primes), so the rest of this chapter makes that assumption
about the primes used. The simplest such case has p = 3 and q = 7. In this case the table of
square roots is the following:
Square   Square Roots
1        1, 8, 13, 20
4        2, 5, 16, 19
7        7, 14
9        3, 18
15       6, 15
16       4, 10, 11, 17
18       9, 12
Here the ``normal'' situation is for a square to have four different square roots. However, certain
squares and square roots have either p or q as a divisor. In each such case the square has only
two square roots (the squares 7, 9, 15, and 18 in the table above). Of course, all the numbers not
appearing in the left column don't have a square root. It may look as if there are a lot of these
special entries, but in fact there are (p+q)/2 - 1 = O(p+q) squares with p or q as a factor, while
there are (p*q + p + q - 3)/4 = O(p*q) squares altogether. An actual Rabin instance will use very
large primes, so that only a vanishingly small number of squares have the divisibility property,
and the chances of this happening at random can be ignored.
Each user chooses two primes p and q, each equal to 3 modulo 4, and forms the product n = p*q.
Given a ciphertext c, there are simple formulas for the four square roots, using:
a and b satisfying a*p + b*q = 1, found with the extended GCD algorithm and computed
once when the keys are generated;
r = c^((p+1)/4) mod p;
s = c^((q+1)/4) mod q;
x = (a*p*s + b*q*r) mod n;
y = (a*p*s - b*q*r) mod n.
Now the four square roots are m1 = x, m2 = -x, m3 = y, and m4 = -y. In case m and hence c
have p or q as a divisor, the formulas will only yield two square roots, each also with p or q as a
factor. For the large primes used in an instance of Rabin, there is a vanishingly small chance of
this happening. (Picture the chances that a 512-bit random prime number happens to divide
evenly into a message!)
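The root-extraction formulas, and the factoring attack described below, can be sketched with the tiny instance p = 7, q = 11 (the same values used later in the worked example; a real instance uses huge primes).

```python
from math import gcd

p, q = 7, 11           # both are 3 mod 4; tiny values for illustration
n = p * q              # 77

# a*p + b*q = 1 via the extended GCD, computed once at key generation.
# For p = 7, q = 11: (-3)*7 + 2*11 = 1.
a, b = -3, 2
assert a * p + b * q == 1

def rabin_roots(c: int):
    # The four square roots of c mod n, using the special-case formulas.
    r = pow(c, (p + 1) // 4, p)
    s = pow(c, (q + 1) // 4, q)
    x = (a * p * s + b * q * r) % n
    y = (a * p * s - b * q * r) % n
    return sorted({x, (-x) % n, y, (-y) % n})

m = 45
c = pow(m, 2, n)                   # encrypt: c = 23
roots = rabin_roots(c)
assert m in roots and len(roots) == 4

# Chosen-ciphertext attack: a root other than m or -m reveals a factor.
other = [t for t in roots if t not in (m, (-m) % n)][0]
assert gcd(abs(other - m), n) in (p, q)
```

The last two lines are exactly the equivalence argument in the text: any decryption machine that returns a "different" root hands the attacker a factor of n.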
The complexity of Rabin's system (the difficulty of breaking it) is exactly equivalent to factoring
the number n. Suppose one has a Rabin encryption/decryption machine that hides the two primes
inside it. If one can factor n, then the system is broken immediately, since the above formulas
allow the roots to be calculated. Thus in this case one could construct the Rabin machine. On the
other hand, if one has access to a Rabin machine, then take any message m, calculate c = m^2
mod n, and submit c to the Rabin machine. If the machine returns all four roots, then m and -m
give no additional information, but either of the other two roots minus m will have one of p or q
as a factor. (Take the GCD of it with n.)
The same proof that breaking Rabin is equivalent to factoring n provides what has been called a
``fatal flaw'' in Rabin's system. The above argument is just a chosen ciphertext attack. It is not
wise to allow an opponent to mount such an attack, but one would also not want a cryptosystem
vulnerable to the attack, which is the case with Rabin's system. (However, see the next section.)
In order to distinguish the true message from the other three square roots returned, it is necessary
to put redundant information into the message, so that it can be identified except for an event of
vanishingly small probability. One option is replicating the last 64 bits of any message. Or one
could use 0s as the last 64 bits. In these or similar cases, the Rabin machine would be
programmed to return only messages with the proper redundancy, and if 2^-64 is not a small
enough margin of error, then just choose more than 64 redundant bits. The attack described above
then no longer works, because the Rabin machine will only return a decrypted message (a square
root) with the proper redundancy. Thus the Rabin machine returns at most one square root, and
possibly none if someone is trying to cheat. (The probability of having two square roots with the
given redundancy is again vanishingly small.) Breaking the new system is no longer formally
equivalent to factoring n, but it is hard to imagine any cryptanalysis that wouldn't also factor n.
Hugh Williams gave another variation of Rabin's cryptosystem that avoids the ``fatal
flaw'' in a mathematically more elegant way.
A Simple Example
Here is an example with tiny values for the primes. Of course a real example would use primes in
the range from 512 to 1024 bits long, just as in the case of RSA.
Suppose one uses 3-bit messages whose bits are then replicated to give 6 bits, up to the number
63. Messages must be less than n = 77, so this system of redundancy will work. Start
with data bits 101'B, or 5 decimal. The replication gives 101101'B, or 45 decimal. Then c = m^2
mod 77 = 23. Continuing the calculations, r = 23^2 mod 7 = 4, and s = 23^3 mod 11 = 1.
Finally, x = ((-3)*7*1 + 2*11*4) mod 77 = 67 and y = ((-3)*7*1 - 2*11*4) mod 77 = 45. These
are two of the four square roots, and the remaining two are -x mod 77 = 10 and -y mod 77 = 32.
In binary, the four square roots are 67 = 1000011'B, 45 = 101101'B, 10 = 001010'B, and
32 = 100000'B. Only 45 has the required redundancy, so this is the only number that this
modified Rabin machine will return.
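The worked example can be verified step by step, including the redundancy check that picks out the one valid root:

```python
n = 77

def redundant_encode(data: int) -> int:
    # Replicate the 3 data bits to make a 6-bit message: 101 -> 101101.
    return (data << 3) | data

m = redundant_encode(0b101)         # 45
c = (m * m) % n
assert c == 23

r = pow(c, 2, 7)                    # c^((7+1)/4) mod 7
s = pow(c, 3, 11)                   # c^((11+1)/4) mod 11
assert (r, s) == (4, 1)

x = ((-3) * 7 * s + 2 * 11 * r) % n
y = ((-3) * 7 * s - 2 * 11 * r) % n
roots = sorted({x, y, (-x) % n, (-y) % n})
assert roots == [10, 32, 45, 67]

# Only 45 = 101101'B has its top three bits equal to its bottom three:
valid = [t for t in roots if (t >> 3) == (t & 0b111)]
assert valid == [45]
```

The filter in the last step is the "Rabin machine programmed to return only messages with the proper redundancy".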
Reference:
1. Eli Biham, Orr Dunkelman, and Nathan Keller, "The Rectangle Attack – Rectangling the
Serpent". In Advances in Cryptology – Eurocrypt 2001, Birgit Pfitzmann, editor, volume 2045 of
LNCS, pages 340-357, Springer-Verlag, 2001.
3. NIST, Secure Hash Standard, April 17, 1995. FIPS PUB 180-1, available from
www.itl.nist.gov/fipspubs/
4. NIST, Data Encryption Standard ( DES), 1999, DRAFT FIPS PUB 46-3, available from
http://csrc.ncsl.nist.gov/fips/
5. www.csrc.nist.gov/encryption/shs/dfips-180-2.pdf.
6. http://www.di-mgt.com.au/rsa_alg.html#KALI93
7.
8. http://www.di-mgt.com.au/rsa_alg.html#pkcs1schemes
9. http://www.di-mgt.com.au/crt.html
10. http://www.cryptosys.net/3des.html
11. http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
12. http://www.di-mgt.com.au/rsa_alg.html#x931
13. http://www.di-mgt.com.au/rsa_alg.html#NIST-80057
14. http://www.di-mgt.com.au/rsa_alg.html#note4