Some Stuff About Crypto - UCT Algorithm Circle

Adrian Frith

Laboratory of Foundational Aspects of Computer Science
Department of Mathematics and Applied Mathematics

University of Cape Town

This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 South Africa License.

6 October 2011

Adrian Frith (University of Cape Town) Some Stuff About Crypto 6 October 2011 1 / 31

What is cryptography?

Literally “hidden writing” — hiding information from an adversary.

“The practice and study of techniques for secure communication in the presence of hostile third parties.”

Traditionally about encryption, i.e. confidentiality; now encompasses authentication and integrity.

A note about names

“Cryptography” versus “cryptanalysis” — making versus breaking

The distinction is not very useful

Some encryption terminology

The plaintext is the message to be protected.

Encryption converts the plaintext to a ciphertext, using a key.

Decryption is the reverse.

Encryption algorithm + decryption algorithm = cipher.

(Don’t say “code”!)

A cryptosystem consists of a cipher plus keys, procedures, etc.

Substitution ciphers

Consistently map alphabet to alphabet

Caesar cipher: alphabetic shift with rotation. E.g. “attack at dawn”, with a shift of 5, becomes “fyyfhp fy ifbs”.

Hebrew atbash: reverse the alphabet

Generic substitution cipher: some permutation of the alphabet

Vulnerable to frequency analysis: different characters appear with different frequencies.

In English: E T A O I N S H R D L U ...

Variations on the theme

Homophony: map a smaller alphabet into a larger alphabet to disguise frequency

Nomenclator: combine a cipher with a codebook

State of the art from 1400s to 1700s

“Great Cipher” of France — unbroken for 150 years

The Babington Plot

The Voynich Manuscript

Polyalphabetic substitution

“Many alphabets”

Cycle through different mappings from plaintext alphabet to ciphertext alphabet

“Le chiffre indéchiffrable” - but it wasn’t!

Broken by Charles Babbage in the 1850s

Use of repetitions + frequency analysis

The Vigenère square

World War I — the Zimmermann telegram

World War II — Enigma

[Figure: Enigma (diagram not recoverable from the extracted text)]

Modern cryptography

Arises out of World War II work — tied closely to the development of the computer

Claude Shannon — information theory

Cold War — government secrecy

DES 1977 — first public crypto standard

The problem of key distribution

Asymmetric encryption

Diffie-Hellman key exchange (1976) — see later

Asymmetric cryptosystems — RSA (1978) and others

Crypto politics — publication in the open literature

The structure of modern crypto

Symmetric ciphers
  ◮ Block ciphers
  ◮ Stream ciphers

Asymmetric ciphers

Hash functions

Diffie-Hellman key exchange

The aim: Alice and Bob want to derive a shared secret key by exchanging information over a public channel. (A diversion into modular arithmetic, if necessary.)

1 Alice chooses a prime p and a generator g and sends them to Bob.

2 Alice generates a random natural x_a and Bob generates a random natural x_b.

3 Alice calculates y_a = g^{x_a} mod p and Bob calculates y_b = g^{x_b} mod p.

4 Alice sends y_a to Bob and Bob sends y_b to Alice.

5 Alice calculates y_b^{x_a} mod p and Bob calculates y_a^{x_b} mod p.

6 y_b^{x_a} ≡ g^{x_b x_a} ≡ g^{x_a x_b} ≡ y_a^{x_b} (mod p)!
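
A runnable version of the six steps above, added here as an example and not part of the slides. The toy parameters p = 23, g = 5 are constructed (real deployments use much larger primes), and the generator check is an assumed extra step that step 1 leaves implicit.

```python
import secrets

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out

def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def dh_public(p, g, x):
    """Step 3: y = g^x mod p, the value that crosses the public channel."""
    return pow(g, x, p)

def dh_shared(p, their_y, my_x):
    """Step 5: raise the peer's public value to one's own secret exponent."""
    return pow(their_y, my_x, p)

def dh_exchange(p, g, xa=None, xb=None):
    """Run the whole exchange; secrets are drawn at random unless supplied.
    Returns (y_a, y_b, Alice's key, Bob's key); the two keys agree by step 6."""
    if not is_generator(g, p):
        raise ValueError("g is not a generator of Z_p^*")
    xa = secrets.randbelow(p - 2) + 1 if xa is None else xa   # 1 <= x <= p-2
    xb = secrets.randbelow(p - 2) + 1 if xb is None else xb
    ya, yb = dh_public(p, g, xa), dh_public(p, g, xb)
    return ya, yb, dh_shared(p, yb, xa), dh_shared(p, ya, xb)

if __name__ == "__main__":
    # constructed toy parameters; with x_a = 6 and x_b = 15 both sides derive 2
    print(dh_exchange(23, 5, xa=6, xb=15))
```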

RSA encryption

Rivest, Shamir, Adleman at MIT in 1978

Previously discovered by Cocks at GCHQ in 1973

One of the earliest, still the most used

RSA key generation

1 Choose two primes p and q.

2 Compute the modulus n = pq.

3 Compute ϕ(n) = (p − 1)(q − 1). (Size of the multiplicative group of integers mod n.)

4 Choose e such that 1 < e < ϕ(n) and e and ϕ(n) are relatively prime.

5 Calculate d = e^{−1} mod ϕ(n). (Extended Euclidean algorithm.)

6 The public key is (n, e) and the private key is (n, d).

RSA encryption and decryption

Alice publishes her public key (n, e) and secures her private key (n, d).

To encrypt a message m, Bob calculates c = m^e mod n.

To decrypt, Alice calculates c^d mod n.

Why does this work? c^d ≡ m^{ed} mod n.

Remember ed ≡ 1 mod ϕ(n). Euler’s theorem says a^{ϕ(n)} ≡ 1 mod n. So ed = 1 + kϕ(n) for some k, and m^{ed} = m · (m^{ϕ(n)})^k ≡ m mod n. (Euler’s theorem needs gcd(m, n) = 1; the remaining case is checked mod p and mod q separately.)

Some computation shortcuts

Square-and-multiply for exponentiation a^b mod n:

1 Let b_t b_{t−1} b_{t−2} ... b_2 b_1 b_0 be the binary expansion of b.

2 Let z := 1.

3 Let y := a.

4 For i in 0 to t:
  1 If b_i = 1 then let z := z·y mod n.
  2 Let y := y·y mod n.

5 Return z.

Optimize decryption with Chinese remainder theorem

Cryptographic Hash Functions
A Very Brief Summary

Definition
A hash function maps bitstrings of arbitrary length (“messages”) to bitstrings of a fixed length n (“hashes”).

A cryptographically secure hash function is:

first-preimage resistant: given an n-bit string, it is infeasible to find a message that hashes to that string.

second-preimage resistant: given a message, it is infeasible to find a different message with the same hash.

collision resistant: it is infeasible to find a pair of messages which share a hash.

Iterated Hash Functions
a.k.a. the Merkle-Damgård Construction

Definition
A compression function maps bitstrings of length m to bitstrings of length n, where m > n.

We construct a hash function F from a compression function f as follows:

1 Divide message M into l blocks of length m − n.

2 Let h_0 be some fixed n-bit initialization vector.

3 For i in 1 to l: let h_i = f(h_{i−1} || m_i).

4 The final hash F(M) = h_l.

Iterated Hash Functions

[Figure: the chain h_0 →(m_1)→ f → h_1 →(m_2)→ f → h_2 → ··· → h_{l−2} →(m_{l−1})→ f → h_{l−1} →(m_l)→ f → h_l]

With some caveats, this is the basis for MD5, SHA-1, SHA-2, etc.

The Long Message Attack

In hashing a 2^R-block message, 2^R intermediate hash values will be produced: h_1 through h_{2^R}.

Find a message block m* that hashes to one of these values, i.e. f(h_0 || m*) = h_i for some i in 1 through 2^R.

Then F(M) = F(m* || m_{i+1} || m_{i+2} || ··· || m_{2^R−1} || m_{2^R}).

[Figure: h_0 → ··· → h_{i−1} →(m_i)→ h_i →(m_{i+1})→ h_{i+1} → ··· → h_{2^R}, with the single block m* taking h_0 directly to h_i]

The Long Message Attack
Finding the Linking Block

Calculate h′ = f(h_0 || m′) for a random block m′.

h′ has 2^n possible values: therefore a 2^R / 2^n probability that it matches one of the intermediate values.

Geometric distribution with p = 2^{R−n} says we must test on average 2^{n−R} random blocks before finding one that matches.

Better than brute force 2^n.

Merkle-Damgård Strengthening
Avoiding the Long Message Attack

Simple fix: append a final block to the message, containing a binary representation of the message’s length.

This can be worked around by using an “expandable message”.
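
An added example, not part of the slides, tying together the construction, the long message attack and the strengthening above: a toy Merkle-Damgård hash whose compression function is SHA-256 truncated to a 16-bit chaining value (a constructed choice so the search finishes in milliseconds), the attack run against it, and the length block that stops the shorter forgery from hashing to the same value.

```python
import hashlib
import secrets

N_BYTES = 2        # constructed toy width: n = 16 bits (real hashes use 160 bits or more)
BLOCK = 4          # message block length m - n, in bytes (constructed)
IV = bytes(N_BYTES)

def f(h, m):
    """Toy compression function: (n + block) bytes -> n bytes, SHA-256 truncated."""
    return hashlib.sha256(h + m).digest()[:N_BYTES]

def md_hash(blocks, strengthen=False):
    """Slide 22: h_i = f(h_{i-1} || m_i); returns (F(M), [h_1, ..., h_l]).
    With strengthen=True the slide-26 fix is applied: a final block encoding
    the message length (here, the block count) is hashed in after the data."""
    h, states = IV, []
    for m in blocks:
        h = f(h, m)
        states.append(h)
    if strengthen:
        h = f(h, len(blocks).to_bytes(BLOCK, "big"))
    return h, states

def long_message_attack(blocks):
    """Slides 24-25: find m* with f(h_0 || m*) = h_i for some i >= 2, so that
    M' = m* || m_{i+1} || ... || m_l has the same unstrengthened hash as M
    while being shorter.  Returns (M', number of candidate blocks tried)."""
    _, states = md_hash(blocks)
    # states[i] is h_{i+1}; h_1 is skipped so that M' is strictly shorter than M
    targets = {h: i for i, h in enumerate(states) if i >= 1}
    tries = 0
    while True:
        tries += 1
        m_star = secrets.token_bytes(BLOCK)
        i = targets.get(f(IV, m_star))
        if i is not None:
            return [m_star] + blocks[i + 1:], tries

if __name__ == "__main__":
    # constructed 2^R = 256 block message; expect about 2^(n-R) = 256 tries (slide 25)
    msg = [j.to_bytes(BLOCK, "big") for j in range(256)]
    forged, tries = long_message_attack(msg)
    print(len(forged), tries, md_hash(forged)[0] == md_hash(msg)[0])
```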

Expandable Messages

Definition
An expandable message is a set of messages of different lengths, all of which have the same hash value when the Merkle-Damgård strengthening is not applied.

Definition
An (a, b)-expandable message is an expandable message containing messages of every length from a to b inclusive.

Fixed-Point Expandable Messages

A fixed point is a pair (h, m) such that f(h || m) = h.
To create an expandable message:

1 Generate 2^{n/2} random fixed points: (h_1, m_1) through (h_{2^{n/2}}, m_{2^{n/2}}).

2 Generate 2^{n/2} random blocks: m′_1 through m′_{2^{n/2}}.

3 Find a match where the hash of one of the random blocks is the same as the hash value in the fixed point: h_i = f(h_0 || m′_j). Better than 1/2 probability that such a match exists.

We can create a message of any length l by appending l − 1 copies of m_i after m′_j.

This is a (1, ∞)-expandable message.

Generic Expandable Messages
The Method of Kelsey and Schneier

Method for constructing a (R, R + 2^R − 1)-expandable message for any iterated hash function.
Based on a method for creating a 1-block message and a k-block message that hash from the same intermediate value to the same intermediate value:

1 Generate 2^{n/2} 1-block messages.

2 Generate 2^{n/2} k-block messages.

3 Check for a collision; one will exist with better than 1/2 probability.

To create the expandable message, let i iterate from 1 to R and:

1 Find a 1-block message m_i and a (2^{i−1} + 1)-block message m′_i such that f(h_{i−1} || m_i) = f(h_{i−1} || m′_i).

2 Let h_i = f(h_{i−1} || m_i).

continues...

Generic Expandable Messages
Constructing a k-block Message

A k-block message (where R ≤ k ≤ R + 2^R − 1) can be constructed as follows:

1 Let M be the empty message.

2 Let d = k − R. Then 0 ≤ d ≤ 2^R − 1.

3 Let s_1 s_2 ··· s_R be the binary representation of d with least significant bit first.

4 Let i iterate from 1 to R:
  ◮ If s_i = 0, append m_i to M.
  ◮ If s_i = 1, append m′_i to M.

5 Return M.

The final hash value h_R is always the same. This gives us an (R, R + 2^R − 1)-expandable message.

Using the Expandable Message

Consider a message M of 2^R + R blocks.

1 Create an (R, R + 2^R − 1)-expandable message. Let h_e be the hash value shared by all the messages in the expandable message.

2 Use the basic long message attack to find a single block m_link that hashes from h_e to one of the intermediate values from h_{R+1} through h_{2^R+R}. Call this intermediate value h_j.

3 Use the expandable message to create a (j − 1)-block message m* that hashes to h_e.

4 Return the message M′ = m* || m_link || m_{j+1} || m_{j+2} || ··· || m_{2^R+R}.

Bouillaguet and Fouque prove that this is the optimal generic second-preimage attack on a Merkle-Damgård hash function.
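
An added example that is not from the slides or from Kelsey and Schneier's paper: the generic expandable message of the two previous slides and the second-preimage procedure of this one, run against a constructed 16-bit toy compression function (SHA-256 truncated) so the birthday searches finish instantly. Because the forged message has exactly as many blocks as the original, the length block of Merkle-Damgård strengthening changes nothing here, which is the point of the construction.

```python
import hashlib
import secrets

N_BYTES, BLOCK = 2, 4          # constructed toy: n = 16-bit chaining value, 4-byte blocks
IV = bytes(N_BYTES)

def f(h, m):                   # toy compression function: SHA-256 truncated to n bits
    return hashlib.sha256(h + m).digest()[:N_BYTES]

def chain(h, blocks):          # iterate f over blocks, starting from chaining value h
    for m in blocks:
        h = f(h, m)
    return h

def collide(h, k):
    """Slide 29: a 1-block and a k-block message taking h to the same value."""
    prefix = [secrets.token_bytes(BLOCK) for _ in range(k - 1)]
    hp = chain(h, prefix)      # k-block candidates share k-1 blocks; only the last varies
    seen = {}                  # f(h || m) -> m for the 1-block candidates
    while True:                # birthday search, about 2^(n/2) candidates of each kind
        m1, mk = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
        seen[f(h, m1)] = m1
        t = f(hp, mk)
        if t in seen:
            return [seen[t]], prefix + [mk], t

def expandable_message(R):     # (R, R + 2^R - 1)-expandable message starting from IV
    h, pairs = IV, []
    for i in range(1, R + 1):
        one, many, h = collide(h, 2 ** (i - 1) + 1)
        pairs.append((one, many))
    return pairs, h            # h is h_e, shared by every expansion

def expand(pairs, k):
    """Slide 30: the k-block member, selected by the bits of d = k - R, LSB first."""
    R, d = len(pairs), k - len(pairs)
    assert 0 <= d < 2 ** R, "k outside the expandable range"
    out = []
    for i, (one, many) in enumerate(pairs):
        out += many if (d >> i) & 1 else one
    return out

def second_preimage(blocks, R):
    """Slide 31: same-length second preimage of a (2^R + R)-block message."""
    pairs, he = expandable_message(R)
    h, targets = IV, {}
    for j, m in enumerate(blocks, start=1):
        h = f(h, m)
        if j > R:              # h_{R+1} .. h_{2^R+R} are the reachable targets
            targets.setdefault(h, j)
    while True:                # linking-block search of slide 25, started from h_e
        link = secrets.token_bytes(BLOCK)
        j = targets.get(f(he, link))
        if j is not None:      # m* || m_link || m_{j+1} || ... has the same length as M
            return expand(pairs, j - 1) + [link] + blocks[j:]
```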
