caesar cipher - myweb.scu.edu.twmyweb.scu.edu.tw/~wchuang/cipher.pdf · chapter introduction to...
TRANSCRIPT
Chapter Introduction to Cryptography1 Caesar Cipher2 Affine Cipher3 Vigenere Cipher4 Autokey Cipher5 Hill Cipher6 Verman’s Telegraph Cipher7 Exponential Cipher8 RSA Cipher9 Knapsack Cipher10 ElGamal Cipher
June 8, 2017 1 / 44
..
Hello
.
(Plaintext)
.
§♯♯♣♯
.
(Ciphertext)
.
Hello
.
(Plaintext)
.
Enciphering
.
Deciphering
.Key
June 8, 2017 2 / 44
Caesar Cipher (Shift cipher)
Plaintext: A B C D . . .X Y ZCiphertext: D E F G . . .A B C
A B C D E F G H I J K L M00 01 02 03 04 05 06 07 08 09 10 11 12N O P Q R S T U V W X Y Z13 14 15 16 17 18 19 20 21 22 23 24 25
C = P + 3 (mod 26)P = C − 3 (mod 26)
.Example..
......
Plaintext: GOOD = 06 14 14 03C=P+3 (mod 26)Ciphertext: 09 17 17 06 = JRRH
June 8, 2017 3 / 44
Problem of Caesar Cipher
.Example..
......
Decipher
”FKHQBLBDQJ”by Caesar Cipher.
June 8, 2017 4 / 44
Affine Cipher
C = aP + b (mod 26)P = a−1(C − b) (mod 26), gcd(a, 26) = 1
.Remark:..
......
♯{(a, b) ∈ Z26 × Z26 | gcd(a, 26) = 1} = 12× 26 = 312
aφ(26) = a12 = 1(mod 26)a−1 = a11(mod 26)P = a11(C − 3)(mod 26)
.Example..
......
Plaintext: GOOD = 06 14 14 03a=5, b=7 C=5P+7 (mod 26)Ciphertext: 11 25 25 22 = LZZW
June 8, 2017 5 / 44
Problem of Affine Cipher
.Example..
......
Decipher
”RTUEDWJ”by Affine Cipher using C ≡ 9P + 9(mod 26).
June 8, 2017 6 / 44
Vigenere Cipher
Keyword : READY= 17 04 00 03 24 (no repeated).Example..
......
Plaintext: ATTACK AT ONCE00 19 19 00 02 10 00 19 14 13 02 04
Key +) 17 04 00 03 24 17 04 00 03 24 17 0417 23 19 03 00 01 04 19 17 11 19 08
Ciphertext: RXTDAB ET RLTI
.Vigenere Cipher..
......
Keyword: b1, b2, . . . , bn, where 0 ≤ bi ≤ 25
Ci ≡ Pi + bi(mod 26), 1 ≤ i ≤ nPi ≡ Ci − bi(mod 26), 1 ≤ i ≤ n
June 8, 2017 7 / 44
Problem of Vigenere Cipher
.Example..
......
Decipher
”XIGOGIPLZ”by Vigenere Cipher using the Key ”MATH”.
June 8, 2017 8 / 44
Autokey Cipher (Modifying Vigenere Cipher)
Keyword = seed +Plaintext.Example..
......
Plaintext: ONE IF BY DAWNseed = KKeyword K ONE IF BY DAWN
14 13 04 08 05 01 24 03 00 22 13Key +) 10 14 13 04 08 05 01 24 03 00 22
24 01 17 12 13 06 25 01 03 22 09Ciphertext: YBR MN GZ BDWJ
Enciphering:={
C1 ≡ P1 + S(mod 26)Ck ≡ Pk + Pk−1(mod 26) 2 ≤ k ≤ n
Deciphering:={
P1 ≡ C1 − S(mod 26)Pk ≡ Ck − Pk−1(mod 26) 2 ≤ k ≤ n
June 8, 2017 9 / 44
Hill Cipher
Divid the plaintext into blocks of n letters.For n = 2, P1,P2 ⇒ C1,C2 by{
C1 ≡ aP1 + bP2(mod 26)C2 ≡ cP1 + dP2(mod 26) gcd(ad − bc, 26) = 1
.Example..
......
{C1 ≡ 2P1 + 3P2(mod 26)C2 ≡ 5P1 + 8P2(mod 26)
Plaintext: BUY NOW ≡ BU YN OW ≡ 01 20 24 13 14 22Ciphertext: 10 09 09 16 16 12 ≡ KJJQQMFor (C1,C2)=(10,09),{
P1 ≡ 8C1 − 3C2(mod 26) ≡ 8(10)− 3(09) ≡ 01P2 ≡ −5C1 + 2C2(mod 26) ≡ −5(10) + 2(09) ≡ 20
Decipher to BU.
June 8, 2017 10 / 44
Problem of Hill Cipher
.Example..
......
The ciphertext
”ZZ”has been enciphered by Hill cipher{
C1 ≡ 5P1 + 2P2(mod 26)C2 ≡ 3P1 + 7P2(mod 26)
Given the plaintext.
June 8, 2017 11 / 44
Verman’s Telegraph Cipher (Nonalphabetic Cpher)
Baudot code:
A = 11000 B = 10011 C = 01110 D = 10010 E = 10000F = 10110 G = 01011 H = 00101 I = 01100 J = 11010K = 11110 L = 01001 M = 00111 N = 00110 O = 00011P = 01101 Q = 11101 R = 01010 S = 10100 T = 00001U = 11100 V = 01111 W = 11001 X = 10111 Y = 10101Z = 10001
.Example..
......
Plaintext=YES 10101 10000 10100Keyword(any) +) 10101 01010 10101Ciphertext 00000 11010 00001
Enciphering:= C ≡ P + K (mod 2)Deciphering:= P ≡ C + K = P + K + K ≡ P (mod 2)
June 8, 2017 12 / 44
Problem of Verman Cipher
.Example..
......
Decipher
”10010 01001 10011 11010 00000”by Verman’s Telegraph Cipher using Keyword
”1010101010101010101010101”
.
June 8, 2017 13 / 44
Exponential Cipher
1 p is a prime, k exponent with gcd (k, p-1)=1.
2 Encode: A B C . . . X Y Z00 01 02 . . . 23 24 25
3 Group the plaintext in blocks of m letters, where2525 . . . 25︸ ︷︷ ︸
m times< p < 2525 . . . 25︸ ︷︷ ︸
m+1 timesp = 4283, m = 2 by 2525 < 4283 < 252525.p = 670417, m = 3 by 252525 < 670417 < 25252525.
4 Encode a block B using
C ≡ Bk (mod p), 0 ≤ C < p
Remark: it cannot covert to letters.5 Let d be inverse of k modulo p-1. (i.e.dk ≡ 1 (mod p − 1)).
dk = 1 + r(p − 1)
Cd = Bdk = B1+r(p−1) = B(Bp−1)r ≡ B1r = B (mod p)
June 8, 2017 14 / 44
Encipher of Exponential Cipher
.Example..
......
p=2621, p − 1 = 2620 = 22 ∗ 5 ∗ 131. take k=11m=2, since 2525 < 2621 < 252525
Plaintext= DE EP YO GU RT0304 0415 2414 0620 1719
(0304)11 ≡ 0065 (mod 2621)
(0415)11 ≡ 0415 (mod 2621)
(2414)11 ≡ 1323 (mod 2621)
(0620)11 ≡ 1567 (mod 2621)
(1719)11 ≡ 0150 (mod 2621)
ciphertext= 0065 0415 1323 1567 0150
June 8, 2017 15 / 44
Decipher of Exponential Cipher
.Example..
......
p=2621, k=11, where gcd(2620,11)=1
By extended Euclidean algorithm,
a q y2620 − 119111 238 52 5 11 2 0
1=(-5)(2620)+1191*111191 ∗ 11 ≡ 1 (mod 2620)
decode C = 0065
(0065)1191 ≡ 0304 (mod 2621)
0304 = DE
June 8, 2017 16 / 44
Problem of Exponential Cipher
.Example..
......
The ciphertext from an exponential cipher with key (p, k) = (41, 27) is
”13 25 37”Find the plaintext.
June 8, 2017 17 / 44
RSA Cipher(generlization of exponential cipher)
1 n=p*q, p and q are large prime number, n is a key2 Find an exponent k with gcd(k, ϕ(n))=1.
3 Encode: A B C . . . X Y Z00 01 02 . . . 23 24 25
4 Group the plaintext in blocks of m letters, where2525 . . . 25︸ ︷︷ ︸
m times< n < 2525 . . . 25︸ ︷︷ ︸
m+1 times5 Encode a block B using
C ≡ Bk (mod n)
6 Decode: Let d be inverse of k modulo ϕ(n). (i.e.dk ≡ 1 (mod ϕ(n))).dk = 1 + rϕ(n)
Cd = Bdk = B1+rϕ(n) = B(Bϕ(n))r ≡ B1r = B (mod n)
June 8, 2017 18 / 44
Encipher of RSA Cipher.Example..
......
n=p*q=37*73=2701, ϕ(n) = 36 ∗ 72 = 2592
k=47, gcd(47,2592)=1m=2, since 2525 < 2701 < 252525
Plaintext= NO WAY TODAYB= NO WA YT OD AY
1314 2200 2419 1403 0024(1314)47 ≡ 1241 (mod 2701)
(2200)47 ≡ 1993 (mod 2701)
(2419)47 ≡ 1044 (mod 2701)
(1403)47 ≡ 2081 (mod 2701)
(0024)47 ≡ 0873 (mod 2701)
ciphertext = 1241 1993 1044 2081 0873
June 8, 2017 19 / 44
Decipher of RSA Cipher.Example..
......
n=2701, k=47, where gcd(47,ϕ(n))=1 and ϕ(n) = 2592
By extended Euclidean algorithm,
a q y2592 − 110347 55 207 6 35 1 22 2 11 2 0
1=(-20)*2592+1103*471103 ∗ 47 ≡ 1 (mod 2592)
decode C = 1241
(1241)1103 ≡ 1314 (mod 2701)
1314 = NO
June 8, 2017 20 / 44
Problem of RSA Cipher
.Example..
......
The ciphertext from a RSA cipher with key (n, k) = (35, 5) is
”09 20 16 09 12”Find the plaintext. (Note: 2573 = 31× 83)
June 8, 2017 21 / 44
Knapsack cryposystem
.Knapsack Problem..
......
Given a set of positive integers a1, a2, . . . , an and an integer S, the problemasks that which of those integers add together to S? i.e. solve the equation
S = a1x1 + a2x2 + · · ·+ anxn, xi = 0 or 1
.Example..
......
For (a1, a2, a3, a4, a5) = (2, 7, 8, 11, 12) and S = 21,
21 = 2 + 7 + 12 = 2 + 8 + 11
For system 21 = 2x1 + 7x2 + 8x3 + 11x4 + 12x5 with solutionsx1 = x2 = x5 = 1, x3 = x4 = 0 or x1 = x3 = x4 = 1, x2 = x5 = 0
June 8, 2017 22 / 44
Knapsack cryposystem
.Example..
......
For ai = 2i−1 and S < 2n, the system
S = a1x1 + a2x2 + · · ·+ anxn
with solution: Binary expansion of S
.Definition..
......A sequence a1, a2, . . . , an is superincreasing if ai > a1 + a2 + · · ·+ ai−1 fori = 2, 3, . . . , n
Rremark: Above example is superincresing by
2i > 1 + 2 + 22 + . . . 2i−1 = 2i − 1
June 8, 2017 23 / 44
Knapsack cryposystem
.Example..
......
Solve the superincreasing Knapsack problem
28 = 3x1 + 5x2 + 11x3 + 20x4 + 41x5
Solution:1 41 > 28 ⇒ x5 = 0
2 20 < 28 and 3 + 5 + 11 < 20 < 28 ⇒ x4 = 1
8 = 3x1 + 5x2 + 11x3
3 11 > 8 ⇒ x3 = 08 = 3x1 + 5x2
4 x1 = 1 and x2 = 1
June 8, 2017 24 / 44
In grneral, for superincreasing Knapsack problem
S = a1x1 + a2x2 + · · ·+ anxn
xn =
{1 if S ≥ an0 if S < an
xj =
{1 if S −
∑ni=j+1 xiai ≥ aj
0 if S −∑n
i=j+1 xiai < aj j = n − 1, n − 2, . . . , 1
1 When S ≥ an, let xn = 0
n∑i=1
aixi =n−1∑i=1
aixi ≤n−1∑i=1
ai < an ≤ S ” ⇒⇐ ”
2 When S −∑n
i=j+1 xiai ≥ aj, let xj = 0
n∑i=1
aixi ≤j−1∑i=1
ai +n∑
i=j+1
aixi < aj +n∑
i=j+1
ai ≤ S ” ⇒⇐ ”
June 8, 2017 25 / 44
Knapsack Cipher
1 take a superincreasing sequence a1, a2, . . . , an
2 take m s.t. m > 2an
3 take integer a s.t. gcd(a,m)=1 with inverse a.4 aai ≡ bi (mod m), 1 ≤ i ≤ n ⇒ 0 < bi < m
If bi = 0 i.e. aai ≡ 0 (mod m) ⇒ m|aai⇒ m|ai since gcd(a,m)=1 ” ⇒⇐ ” since m > 2an > ai
5 Enciphering: Covert the plaintext into binary sequence M using binaryequivalent of letter
A B C . . . X Y Z(0) (1) (2) . . . (23) (24) (25)
00000 00001 00010 . . . 10111 11000 11001Split M into blocks of n digits
6 For block x1x2 . . . xn, we obtain a cipertext by
S = b1x1 + b2x2 + · · ·+ bnxn
June 8, 2017 26 / 44
Deciphering:S′ ≡ aS (mod m), 0 ≤ S′ < mS′ ≡ ab1x1 + ab2x2 + · · ·+ abnxn (mod m)
≡ aaa1x1 + aaa2x2 + · · ·+ aaanxn (mod m)≡ a1x1 + a2x2 + · · ·+ anxn (mod m)
Since 0 ≤ S′ < m and0 ≤ a1x1 + a2x2 + · · ·+ anxn ≤ a1 + a2 + · · ·+ an < 2an < mwe have
′S = a1x1 + a2x2 + · · ·+ anxn
Since a1, a2, . . . , an is superincreasing , it is solvable.
June 8, 2017 27 / 44
Knapsack Cipher.Example..
......
secret key: superincresing seq 3, 5, 11, 20, 41m=85, a=44 gcd(a,m)=1public key bi ≡ aai (mod m)47, 50, 59, 30, 19Plaintext HELP USM= 00111 00100 01011 01111 10100 10010108=47*0+50*0+59*1+30*1+19*159=47*0+50*0+59*1+30*0+19*099=47*0+50*1+59*0+30*1+19*1158=47*0+50*1+59*1+30*1+19*1106=47*1+50*0+59*1+30*0+19*077=47*1+50*0+59*0+30*1+19*0Ciphertext: 108, 59, 99, 158, 106, 77
June 8, 2017 28 / 44
Knapsack Cipher
Deciphering: 44 = 29 i.e. solution of 44x ≡ 1 (mod 85)
108 ∗ 29(mod85) = 72 = 3x1 + 5x2 + 11x3 + 20x4 + 41x5with solution x1 = x2 = 0 and x3 = x4 = x5 = 1First block is 00111 ⇔ H59 ∗ 29(mod85) = 11 = 3x1 + 5x2 + 11x3 + 20x4 + 41x5with solution x1 = x2 = x4 = x5 = 0 and x3 = 1Second block is 00100 ⇔ E99 ∗ 29(mod85) = 66 = 3x1 + 5x2 + 11x3 + 20x4 + 41x5with solution x1 = x3 = 0 and x2 = x4 = x5 = 1Second block is 01011 ⇔ L
...
June 8, 2017 29 / 44
Knapsack Cipher.Example..
......
secret key: superincresing seq 3, 5, 11, 20, 41, 83, 179, 344, 690,1042m=2618, a=929 gcd(a,m)=1
By extended Euclidean algorithm,
a q y2618 − 31929 2 11760 1 9169 4 284 2 11 84 0
1 = (−11) ∗ 2618 + 31 ∗ 929 ≡ 31 ∗ 929 (mod 2618)
a = 929−1 = 31
public key: bi ≡ aai (mod m)169, 2027, 2365, 254, 1437, 1185, 1357, 180, 2218, 1976
June 8, 2017 30 / 44
.Example..
......
Plaintext NOT NOWM= 0110101110, 1001101101, 01110101109584=169*0+2027*1+2365*1+254*0+1437*1
+1185*0+1357*1+180*1+2218*1+1976*05373=169*1+2027*0+2365*0+254*1+1437*1
+1185*0+1357*1+180*1+2218*0+1976*18229=169*0+2027*1+2365*1+254*1+1437*0
+1185*1+1357*0+180*1+2218*1+1976*0Ciphertext: 9584, 5373, 8229Deciphering: 929−1 = 31 i.e. solution of 929x ≡ 1 (mod 2618)9584 ∗ 31 = 1270 (mod 2618)1270 = 3x1 + 5x2 + 11x3 + 20x4 + 41x5 + 83x6
+179x7 + 344x8 + 690x9 + 1042x10with solution 0110101110 ⇔ NO
June 8, 2017 31 / 44
Problem of Knapsack Cipher
.Example..
......
The ciphertext from a Knapsack cipher using the superincreasing sequence2, 3, 7, 13, 27, modulus m = 60, and multiplier a = 7 is
”49 63 61 49 23”Find the plaintext.
June 8, 2017 32 / 44
ElGamal Cipher
1 Selecting a prime p and a primitive root r of p.2 A integer k, 2 ≤ k ≤ p − 2,
a ≡ rk(mod p); 0 ≤ a ≤ p − 1
3 (p, r, a) is public key4 k private key.
.Example..
......
Take p = 113 with primitive root r = 3. Choose k = 37
337 = 24 = a (mod 113)
(113, 3, 24) is public key37 private key.
June 8, 2017 33 / 44
ElGamal Cipher
1 Encode: The message is first converted to its numerical M byA B C . . . X Y Z00 01 02 . . . 23 24 25
2 If M ≥ p, then M is split into blocks, each block containing the same(even) number of digits.
3 If B is first block, B =⇒ (C1,C2), where
C1 ≡ r j(mod p)
C2 ≡ Ba j(mod p)
2 ≤ j ≤ p − 2; For security, the choice of j can be changed from blockto block.
June 8, 2017 34 / 44
ElGamal CipherDecode:
P = C2Cp−1−k1 (mod p)
by
P ≡ C2Cp−1−k1 ≡ (Ba j)(r j)p−1−k
≡ B(r k) j(r j(p−1)−jk)≡ B(r p−1) j
≡ B (mod p).Example..
......
Deliver the messageSELL NOW
to a person who has secret key k = 15 and public key
(p, r, a) = (43, 3, 22)
, where 22 ≡ 315 (mod 43)
June 8, 2017 35 / 44
ElGamal Cipher
Encode:M = 18041111131422 with Blocks 18 04 11 11 13 14 22
Select an interger j, 2 ≤ j ≤ 41, take j = 23 by
C1 ≡ r j ≡ 3 23 ≡ 34(mod 43)
C2 ≡ Ba j ≡ 18 · (22) 23 = 17(mod 43)
ciphertext is of the form
(34, 17), (34, 42), (34, 08), (34, 08), (34, 29), (34, 18), (34, 16)
andM′ = 17420808291816
June 8, 2017 36 / 44
ElGamal Cipher
Decode:(C1,C2) = (34, 17) =⇒ B = 18 by
P ≡ C2Cp−1−k1 ≡ 17 · (34)43−1−15
≡ 17 · (34)27≡ 18 (mod 43)
B= 18 04 11 11 13 14 22S E L L N O W
.Remark..
......
Encode In last block B = 22, take j = 31,
C1 ≡ r j ≡ 3 31 ≡ 33(mod 43)
C2 ≡ Ba j ≡ 18 · (22) 31 = 35(mod 43)
Decode P ≡ C2Cp−1−k1 ≡ 35 · (33)27 ≡ 22 (mod 43)
June 8, 2017 37 / 44
Problem of ElGamal Cipher
.Example..
......
The ciphertext from ElGamal cipher with Public key (p, r, a) =(2017, 5, 303) and Private key k = 1999 is
C1 1318 1318 1318 1318 1318 1318 1318 1318C2 536 1381 1967 1699 904 854 1967 1063
Find the plaintext.
June 8, 2017 38 / 44
Digital Signature of ElGamal Cipher
.Digital Signature(數位簽章)..
......
Digital Signature 的使用情境大概如下:假設 A 要傳訊息給 B,但是 B 要如何確認訊息真的是由 A 發送的呢?此時只要 A 在發送前, 利用自己的 private key 將訊息製作簽章碼,再傳給 B,B 再利用 A 的簽章碼進行驗証。如果訊息驗証通過,就可以確定訊息是由 A 所發出;即使訊息在傳送過程中被 C 所攔截,再使用 A 的 public key 還原成原本的訊息,還是沒辦法偽裝成 A 所發送的訊息 (因為這需要 A的 private key)。因此,Digital Signature 在實際應用上是很有意義的,因為這項技術代表了授權機制可以很容易建立起來。
June 8, 2017 39 / 44
Digital Signature of ElGamal Cipher
June 8, 2017 40 / 44
Digital Signature of ElGamal Cipher.Sender use public key (p, r, a) and private key k..
......
1 Selecting a integer j, 1 ≤ j ≤ p − 1 such that (j, p − 1) = 1
2 Take First block B of message M, computes
c ≡ r j (mod p); 0 ≤ c ≤ p − 1
a solution d of linear congruence
jd + kc ≡ B (mod p − 1); 0 ≤ d ≤ p − 2
3 The pair (c, d) is the digital signature appended to the message
.The recipient use the public key (p, r, a) to confirm the signature by..
......
1 V1 ≡ accd (mod p) and V2 ≡ rB (mod p)2 If V1 = V2, then the signature is accepted, otherwise it is
un-accepted. Why?
June 8, 2017 41 / 44
Digital Signature of ElGamal Cipher
若 message M 與附加簽章碼 (c,d) 是 Sender 送出來的, 則 V1 = V2
V1 ≡ accd ≡ (rk)c(rj)d
≡ rkc+jd = rB+s(r−1)
≡ rBrs(r−1)
≡ rB ≡ V2 (mod p)若 message M 與附加簽章碼 (c,d) 被第三者攔截, 並送出假訊息 M’with first block B’ ,B = B′, 與附加簽章碼 (c,d), 則 V1 = V2
V1 ≡ accd ≡ (rk)c(rj)d
≡ rkc+jd = rB+s(r−1)
≡ rBrs(r−1) ≡ rB
≡ rB′ ≡ V2 (mod p)
June 8, 2017 42 / 44
Problem of ElGamal Cipher
.Example..
......
1 Deliver the message SELL NOW; first block B = 18 to a person whohas secret key k = 15 and public key (p, r, a) = (43, 3, 22), where22 ≡ 315 (mod 43)
2 Take j = 25 such that (j, 42) = 1
3 c ≡ rj ≡ 325 ≡ 5 (mod 43)
4 jd + kc ≡ 25d + 15 · 5 ≡ B = 18 (mod 42) with solution d = 33
5 The digital signature (c, d) = (5, 33)
6 Recipient Check: V1 ≡ accd ≡ 225533 ≡ 35 (mod 43)
7 V2 ≡ rB ≡ 318 ≡ 35 (mod 43)
8 V1 = V2 Then the message come from Deliver.
June 8, 2017 43 / 44
Mod[2017, 54] PowerMod[2017, 34, 54]PowerMod[34,−1, 2017] GCD[2017, 1820]PrimitiveRoot[2017] PrimitiveRootList[2017]JacobiSymbol[45, 2017] (45/2017) Divisor[15]DivisorSigma[15] σ(15) Length[Divisors[15]] τ(15)MoebiusMu[15] µ(15) EulerPhi[15] ϕ(15)
��END��
June 8, 2017 44 / 44