
exercise in the previous class

give proof for the discussion in p.19

1) see http://apal.naist.jp/~kaji/lecture/

chapter 4: cryptography

what we do, and what we do not in this class

Cryptography is discussed in many contexts: management, politics, history, philosophy.

In this class, we focus on the technical aspects of cryptography.

terminology

- plaintexts p (平文, ひらぶん): make sense by themselves
- ciphertexts c (暗号文): make no sense by themselves
- encryption E (暗号化): c = E(p)
- decryption D (復号): p = D(c)
- cryptography (暗号) = a pair of E and D such that D(E(p)) = p

Many variations and confusions on the words: crypto vs. cipher, text vs. data, cryptography vs. encryption.

Figure: p --E--> c = E(p) --D--> D(c) = p

three types of cryptography

- key-less cryptography: E(p) (resp. D(c)) is solely determined by p (resp. c). No key ... the algorithms themselves must be kept secret. Security relies on the "gap of wisdom" of the recipients (e.g. the anagram "O, draconian devil" = "Leonardo da Vinci").
- common-key cryptography: E and D must use the same key
- public-key cryptography: E and D use different keys which are in a special relation

class plan

- today: common-key cryptography (widely known algorithms, key agreement protocol)
- next: public-key cryptography (RSA, related algorithms)
- June 4 (MON): exercise
- June 5 (TUE): test

common-key cryptography

Also called symmetric-key cryptography, classic cryptography, ...
E (resp. D) takes two inputs: a key and a plaintext (resp. ciphertext).

- E(k, p): the ciphertext of p encrypted with the key k
- D(k, c): the plaintext of c decrypted with the key k

D(k, E(k, p)) = p, but D(k', E(k, p)) ≠ p if k' ≠ k

Figure: p --E(k1)--> c --D(k2)--> p if k1 = k2, ? if k1 ≠ k2

substitution cipher

substitution cipher (換字暗号):
- encrypt: replace characters in the plaintext by different characters
- decrypt: do the inverse replacement of the encryption
- key: the table of the character replacement

plaintext  ciphertext
A          E
B          K
C          A
...        ...
Y          Z
Z          G

The number of possible keys = 26! for the English alphabet ... too many even for today's computers.

But the statistics of the plaintext can be observed in the ciphertext.

frequency attack

In a naive substitution cipher ...
- a character is always replaced by the same character
- in many kinds of data, there is a bias in the frequencies of characters

In English ...
- characters such as "e", "t", "a", and "s" occur frequently
- the characters which occur frequently in a ciphertext are (likely) the replacements of the above four frequent characters

(cf. A.C. Doyle, 1903, The Adventure of the Dancing Men)

sketch of the frequency attack

typical English text (plaintext): "information as a concept has many meanings / the concept of information theory in modern english is a concept which originally derives from classical greek"

ciphertext of an unknown text: "zpunim gt oncuitutqvgwp gw hantaubz spgapnigqgthvvmcuigluw einoh xac"

letter  frequency in typical plaintext  frequency observed in the ciphertext
a       8.4%                            8.6%
b       1.5%                            1.4%
c       2.7%                            2.8%
d       3.8%                            3.8%

The ciphertext letters with frequencies 8.6%, 1.4%, 2.8% and 3.8% are guessed to be the replacements of a, b, c and d.
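The substitution cipher and the frequency-attack sketch above, as an added worked example that is not part of the lecture: a Python implementation in which the key is the explicit replacement table, together with the letter count that the attack starts from. The key string, the sample plaintext and the English letter-order constant are constructed for this example.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase


def make_key(table):
    """Key = the character replacement table, given as the 26 ciphertext letters
    that replace a, b, c, ..., z (hence 26! possible keys)."""
    table = table.lower()
    if sorted(table) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 letters")
    return dict(zip(ALPHABET, table))


def encrypt(key, plaintext):
    """E(k, p): replace every letter by key[letter]; other characters pass through."""
    return "".join(key.get(ch, ch) for ch in plaintext.lower())


def decrypt(key, ciphertext):
    """D(k, c): the inverse replacement, so that D(k, E(k, p)) = p."""
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext)


def letter_frequencies(text):
    """Relative frequency of each letter in text, most frequent first."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    counts = Counter(letters)
    return {ch: n / len(letters) for ch, n in counts.most_common()}


# Approximate order of English letters by frequency (e, t, a, ... as on the slide);
# a constructed constant for this example.
ENGLISH_BY_FREQUENCY = "etaoinshrdlu"


def frequency_guess(ciphertext, n=4):
    """Sketch of the frequency attack: because a naive substitution always maps a
    letter to the same letter, the n most frequent ciphertext letters are guessed
    to be the replacements of the n most frequent English letters."""
    ranked = list(letter_frequencies(ciphertext))
    return dict(zip(ranked[:n], ENGLISH_BY_FREQUENCY[:n]))


# Constructed sample key and plaintext for the demonstration.
SAMPLE_KEY = make_key("qwertyuiopasdfghjklzxcvbnm")
SAMPLE_PLAINTEXT = ("these three sentences were written here to see the effect "
                    "of letter frequencies on a simple substitution cipher")

if __name__ == "__main__":
    c = encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    print("ciphertext:", c)
    print("decrypted :", decrypt(SAMPLE_KEY, c))
    wrong = make_key("zyxwvutsrqponmlkjihgfedcba")
    print("wrong key :", decrypt(wrong, c))
    print("frequency guess:", frequency_guess(c))
```

With the sample key, "e" is replaced by "t" and "t" by "z"; since "e" and "t" are the two most frequent letters of the sample plaintext, `frequency_guess` recovers exactly those two entries of the table, which is the starting point of the attack on the slide.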

many improvements

The vulnerability (脆弱性) of the substitution cipher was well-known to cryptographers from early days ...

Many improvements were considered:
- one-to-many substitution
- substitution of N-grams or words
- use of multiple substitution tables
- dynamically changing the substitution table → Enigma

Enigma

- used by the German military in World War II
- the substitution is determined by "rotor wheels"
- the rotor wheels rotate as each character is processed

Figure: rotor wheels A, B, C, D (diagram omitted)

Enigma showed that machine power >> human power.

DES (Data Encryption Standard)

- developed in the US in the 70's to secure classified data
- not the "first-class" cryptography: "good security with reasonable cost"
- insecure nowadays, but played an important role in cryptology

- 1973 NBS solicited (公募する) encryption algorithms
- 1974 IBM submitted a candidate
- 1977 published as a federal standard
- 1997 NIST (formerly NBS) solicited the newer AES

encryption of DES

Figure: DES encryption (# of bits written on the edges)
- 64-bit plaintext → initial permutation IP → (L0, R0), 32 bits each
- round i+1 (i = 0, ..., 15): (Li, Ri) and the round key RKi+1 enter f → (Li+1, Ri+1)
- 16 rounds with round keys RK1, RK2, ..., RK16 (48 bits each), derived from the 56-bit key
- (L16, R16) → IP^-1 → 64-bit ciphertext

Feistel structure

Each round of DES has the Feistel structure.

Figure: one Feistel round: (Li, Ri) and RKi+1 enter f, and (Li+1, Ri+1) come out.
(In DES, Li+1 = Ri and Ri+1 = Li XOR f(Ri, RKi+1).)

The Feistel structure is easy to invert if RKi+1 is provided correctly: the inversion can be done with the same Feistel mechanism (with left and right exchanged).

decryption of DES

Figure: DES decryption, the same diagram as the encryption
- 64-bit ciphertext → IP → (L0, R0)
- 16 Feistel rounds with the round keys in reverse order: RK16, RK15, ..., RK1
- (L16, R16) → IP^-1 → 64-bit plaintext

Inside this box is the same as the encryption: one circuit is used for both encryption and decryption.
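An added example (not from the lecture) of the Feistel structure and the decryption slide above: a toy 32-bit Feistel network in Python whose round function is a truncated SHA-256 (an assumption for this example; DES uses its own f built from expansion, S-boxes and permutations). It shows that one circuit decrypts when the round keys are supplied in reverse order, and that a single round is inverted by the same mechanism with left and right exchanged. The round keys are constructed values.

```python
import hashlib

HALF_BITS = 16                     # toy block of 32 bits = two 16-bit halves
HALF_MASK = (1 << HALF_BITS) - 1   # (DES uses 64-bit blocks with 32-bit halves)


def round_function(right, round_key):
    """Toy f(Ri, RKi+1): the first 16 bits of SHA-256(Ri || RKi+1), an assumption for
    this example. The Feistel structure does not need f to be invertible."""
    data = right.to_bytes(2, "big") + round_key.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def feistel_round(left, right, round_key):
    """One round: Li+1 = Ri, Ri+1 = Li XOR f(Ri, RKi+1)."""
    return right, left ^ round_function(right, round_key)


def invert_round(left_next, right_next, round_key):
    """Invert one round with the same mechanism, left and right exchanged:
    feeding (Ri+1, Li+1) into the round gives back (Ri, Li)."""
    r, l = feistel_round(right_next, left_next, round_key)
    return l, r


def feistel_circuit(block, round_keys):
    """The single circuit shared by encryption and decryption: split the block,
    run one round per key in the given order, then swap the halves."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rk in round_keys:
        left, right = feistel_round(left, right, rk)
    return (right << HALF_BITS) | left   # final swap, as in DES


def encrypt(block, round_keys):
    """Encryption: rounds with RK1, RK2, ..., RKn."""
    return feistel_circuit(block, round_keys)


def decrypt(block, round_keys):
    """Decryption: the same circuit with the round keys in reverse order RKn, ..., RK1."""
    return feistel_circuit(block, list(reversed(round_keys)))


# Constructed 16-bit round keys (DES derives its 48-bit round keys from the 56-bit key).
ROUND_KEYS = [0x1234, 0xABCD, 0x5A5A, 0x0F0F, 0xC3C3, 0x7777]

if __name__ == "__main__":
    p = 0xDEADBEEF
    c = encrypt(p, ROUND_KEYS)
    print(f"plaintext  {p:08x}")
    print(f"ciphertext {c:08x}")
    print(f"decrypted  {decrypt(c, ROUND_KEYS):08x}")
    wrong_keys = [k ^ 1 for k in ROUND_KEYS]
    print(f"wrong keys {decrypt(c, wrong_keys):08x}")
```

Why reversing the key order is enough: after the final swap the ciphertext is (Rn, Ln); one round with RKn turns it into (Rn-1, Ln-1) because the XOR with f(Rn-1, RKn) cancels out, and so on down to (R0, L0), which the last swap turns back into (L0, R0).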

security of DES

theoretical attacks
- differential analysis by Biham & Shamir (1990): this kind of attack had been investigated at the design phase of DES ...
- linear analysis by Matsui (1993): succeeded in breaking DES for the first time

exhaustive attacks
- 22 hours, 100K computers connected by a network (1999)
- 9 days, FPGA-based parallel machine (2006)

DES is not secure anymore!

rumor of DES

rumor, or urban legend: "NSA must have put a back-door in DES"

NSA: National Security Agency
- intelligence agency of the US
- some activities not revealed
- commitment to the Echelon system

evidence?
- the key length was shortened from the IBM proposal
- some substitution tables in DES were replaced by NSA
- NSA did know the differential analysis

There is no way to verify what is true and what is not true ...

AES and others

- DES is no more secure
- there is no way to deny the bad rumor
→ newer and stronger cryptography is needed

- 1997 NIST solicited the Advanced Encryption Standard (AES): 15 candidate algorithms from 12 countries
- 1999 5 candidates passed the screening
- 2000 Rijndael, from Belgium, was selected as the winner
- 2001 published as a federal standard

There are many other algorithms: Blowfish, IDEA, Camellia, ...

key agreement

Any common-key cryptography faces one serious problem: how can we share a key with a person at a remote place?
- the sender and the receiver must have the same key
- the key must not be known to anyone else

solutions ...
- use an expensive but secure communication channel: secret agent, registered mail, pigeon, etc.
- utilize a mathematical trick → key agreement protocol

key agreement protocol

We consider a protocol between two users A and B:
- the communication channel is not secure
- an attacker C can wiretap (盗聴する) the communication, but does not modify data in the channel

After the protocol execution ...
- A and B know a certain piece of information in common
- C does not know the information

Diffie-Hellman protocol

The Diffie-Hellman protocol
- was proposed by Diffie & Hellman in 1976
- makes use of the property that it is difficult to solve the discrete logarithm problem

preliminary
- Fq = {0, ..., q - 1} with q a big prime number
- g, a generator of Fq (any nonzero a ∈ Fq is written as a = g^x mod q)
- discrete logarithm problem (DLP): "given q, g and a, determine x with a = g^x mod q"

example

F7 = {0, 1, 2, ..., 6}; g = 3 is a generator of F7

1 = 3^6 mod 7, 2 = 3^2 mod 7, 3 = 3^1 mod 7, 4 = 3^4 mod 7, 5 = 3^5 mod 7, 6 = 3^3 mod 7

a (given)  x (the answer of the DLP)
1          log3 1 = 6
2          log3 2 = 2
3          log3 3 = 1
4          log3 4 = 4
5          log3 5 = 5
6          log3 6 = 3

No smart algorithm is known today ... the only means to solve the problem is exhaustive search ... nobody can solve the problem if q is large (> thousands of bits).

the protocol

- step 1: A and B agree on the prime q and the generator g (in public)
- step 2a: A chooses a random x, and sends mA = g^x mod q to B
- step 2b: B chooses a random y, and sends mB = g^y mod q to A
- step 3a: A computes (mB)^x mod q = g^xy mod q
- step 3b: B computes (mA)^y mod q = g^xy mod q

Figure: message flow
  A                                   B
  determine q & g (public)  <------>  determine q & g
  choose x                            choose y
  mA = g^x mod q   ---------------->
                   <----------------  mB = g^y mod q
  g^xy mod q                          g^xy mod q

example

q = 197, g = 3
- A chooses x = 51 and sends mA = 71 = 3^51 mod 197
- B chooses y = 55 and sends mB = 38 = 3^55 mod 197
- shared value: 122 = 38^51 mod 197 = 71^55 mod 197

How can we compute 38^51 mod 197? Since 51 = 32 + 16 + 2 + 1,
  38^51 mod 197 = (38^32 mod 197)(38^16 mod 197)(38^2 mod 197)(38^1 mod 197) mod 197
and 38^(2n) mod 197 = (38^n mod 197)^2 mod 197, so 38^1, 38^2, 38^4, 38^8, 38^16, 38^32 mod 197 are obtained by repeated squaring.
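An added example (not from the lecture) covering the DLP example in F7, the protocol steps and the computation of 38^51 mod 197 above: square-and-multiply modular exponentiation, exhaustive-search DLP, and the Diffie-Hellman exchange with the slide's numbers q = 197, g = 3, x = 51, y = 55. Function names are mine; the wiretapper function only illustrates why q must be large, since its search is hopeless for a q of thousands of bits.

```python
def mod_exp(base, exponent, modulus):
    """b^e mod q by square-and-multiply, using b^(2n) mod q = (b^n mod q)^2 mod q.
    The exponent is scanned from its lowest bit; b^(2^i) mod q is obtained by
    repeated squaring and multiplied in whenever bit i of e is 1
    (e.g. 51 = 32 + 16 + 2 + 1)."""
    result = 1
    base %= modulus
    while exponent > 0:
        if exponent & 1:
            result = (result * base) % modulus
        base = (base * base) % modulus
        exponent >>= 1
    return result


def is_generator(q, g):
    """g generates F_q if g^1, ..., g^(q-1) mod q cover every nonzero element."""
    return len({mod_exp(g, x, q) for x in range(1, q)}) == q - 1


def dlog_exhaustive(q, g, a):
    """DLP 'given q, g, a, determine x with a = g^x mod q' by exhaustive search,
    the only known means; the length of this loop is why q needs thousands of bits."""
    value = 1
    for x in range(1, q):
        value = (value * g) % q
        if value == a:
            return x
    return None


def diffie_hellman(q, g, x, y):
    """Steps 2 and 3 of the protocol. A keeps x, B keeps y; only mA and mB cross
    the channel. Returns (mA, mB, value computed by A, value computed by B)."""
    m_a = mod_exp(g, x, q)         # step 2a: A -> B
    m_b = mod_exp(g, y, q)         # step 2b: B -> A
    key_a = mod_exp(m_b, x, q)     # step 3a: (mB)^x = g^xy
    key_b = mod_exp(m_a, y, q)     # step 3b: (mA)^y = g^xy
    return m_a, m_b, key_a, key_b


def wiretapper_recovers(q, g, m_a, m_b):
    """What the wiretapper C, knowing q, g, mA and mB, must do to reach the shared
    value: solve the DLP for x, then compute (mB)^x. Feasible here only because
    q = 197 is tiny."""
    x = dlog_exhaustive(q, g, m_a)
    return None if x is None else mod_exp(m_b, x, q)


if __name__ == "__main__":
    # slide example: F_7 with g = 3
    print({a: dlog_exhaustive(7, 3, a) for a in range(1, 7)})
    # slide example: q = 197, g = 3, x = 51, y = 55
    print(diffie_hellman(197, 3, 51, 55))
    print(wiretapper_recovers(197, 3, 71, 38))
```

`diffie_hellman(197, 3, 51, 55)` returns (71, 38, 122, 122): the two messages of the slide and the same value g^xy mod 197 at both ends, each side using only its own secret and the other side's message.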

security

Is the protocol secure?

Figure: the message flow of the protocol, with C wiretapping q, g, mA and mB from the channel.

C finds q, g, mA and mB.
- C cannot know x and y unless he/she solves the DLP
- C cannot know the value of the shared g^xy mod q

another security

What happens if the attacker does more than wiretapping?
- C communicates with A, pretending to be B
- C communicates with B, pretending to be A

A and B communicate with C, each believing that he/she is communicating with the legitimate counterpart: man-in-the-middle attack (中間一致攻撃).

summary

- classification of cryptography: key-less, common-key and public-key
- common-key cryptography: substitution cipher, DES
- key-agreement protocol

exercise

Decrypt the following ciphertext.

qiw aufmlyn gcmwz yz c mcxae yoqweocqyaocu wpwoq jwcqkeyog zkmmwe cod vyoqwe zlaeqz, yo viyni qiakzcodz aj cqiuwqwz lceqynylcqw yo c pceywqf aj namlwqyqyaoz. qiw aufmlyn gcmwz icpw namw qa hw ewgcedwd cz qiw vaeud'z jaewmazq zlaeqz namlwqyqyao viwew maew qico qva ikodewd ocqyaoz lceqynylcqw. qiw gcmwz cew nkeewoquf iwud wpwef qva fwcez, vyqi zkmmwe cod vyoqwe aufmlyn gcmwz cuqweocqyog, cuqiakgi qiwf annke wpwef jake fwcez vyqiyo qiwye ewzlwnqypw zwczaocu gcmwz.


about test

- June 4 (Mon), 9:20AM, exercise
- June 5 (Tue), 9:20AM, this room
  - you can bring books, notes and copies of slides
  - you can bring a calculator and/or a PC
  - the PC must be disconnected from the network: download all needed material before the test starts

(Books, notes, handouts, calculators, PCs ... anything may be brought in. The communication functions of PCs etc. may not be used. Download all needed materials in advance.)