Posted 30-Mar-2021

Page 1: Chapter15

1. Classical Cryptography

Some Simple Cryptosystems
• Shift Cipher
• Substitution Cipher
• Affine Cipher
• Vigenère Cipher
• Hill Cipher
• Permutation Cipher
• Stream Cipher

Modular Arithmetic, Number Theory, and Groups
Cryptanalysis
The RSA Cryptosystem

Page 2

Classical Cryptography

Definition 1.1: A cryptosystem is a five-tuple (P, C, H, E, D), where the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. H, the keyspace, is a finite set of possible keys
4. For each K ∈ H, there is an encryption rule eK ∈ E, eK: P → C, and a corresponding decryption rule dK ∈ D, dK: C → P, such that dK(eK(x)) = x for every plaintext x ∈ P.

[Figure: Alice → encrypter → ciphertext y (observed by Oscar on the open channel) → decrypter → Bob. The key K is delivered from the key source to encrypter and decrypter over a secure channel.]

Page 3

Modular Arithmetic

Definition 1.2: Suppose a and b are integers, and m is a positive integer. Then we write a ≡ b (mod m) if m divides b − a.

• a ≡ b (mod m) if and only if a − b = km for some integer k
• Zm: the set of equivalence classes of the integers under congruence mod m
• Canonical form Zm = {0, 1, 2, …, m−1}: we use the non-negative remainder as the standard representative.
• −1 ≡ m − 1 (mod m)
• (Zm, +, 0) is a group:
  + is closed
  Associative: (a + b) + c = a + (b + c)
  Commutative: a + b = b + a (abelian group)
  0 is the identity for +: a + 0 = 0 + a = a
  Additive inverse: (−a) + a = a + (−a) = 0

Page 4

Modular Arithmetic

• (Zm, +, ×, 0, 1) is a ring:
  +, × are closed
  +, × are associative and commutative (commutative ring)
  × distributes over +: a × (b + c) = a × b + a × c
  0 is the identity for + and 1 for ×
  Every element has an additive inverse

• (Zp, +, ×, 0, 1) is a field (when p is a prime number):
  +, × are closed
  +, × are associative and commutative
  × distributes over +
  0 is the identity for + and 1 for ×
  Every element has an additive inverse, and every nonzero element has a multiplicative inverse

Page 5

Shift Cipher

Cryptosystem 1.1: (Shift Cipher) Let P = C = H = Z26. For 0 ≤ K ≤ 25, define
eK(x) = (x + K) mod 26 (x ∈ Z26) and dK(y) = (y − K) mod 26 (y ∈ Z26)

Letters are identified with elements of Z26:
A  B  C  D  E  F  G  H  I  J  K  L  M  N
0  1  2  3  4  5  6  7  8  9  10 11 12 13
O  P  Q  R  S  T  U  V  W  X  Y  Z
14 15 16 17 18 19 20 21 22 23 24 25

Example 1.1: K = 11 and the plaintext is wewillmeetatmidnight. Then the ciphertext is HPHTWWXPPELEXTOYTRSE.

1. eK and dK should be efficiently computable.
2. An opponent, upon seeing a ciphertext string y, should be unable to determine the key K that was used, or the plaintext string x.
3. The process of attempting to compute the key K is called cryptanalysis.

Page 6

Substitution Cipher

Cryptosystem 1.2: (Substitution Cipher) Let P = C = Z26 and let H consist of all permutations on Z26. For each permutation π ∈ H, define
eπ(x) = π(x) and dπ(y) = π⁻¹(y)
where π⁻¹ is the inverse permutation to π and x, y ∈ Z26.

(Letters are identified with elements of Z26 as in the table on the previous slide.)

A permutation π can be, for example:
x:    a b c d e f g h i j k l m n o p q r s t u v w x y z
π(x): X N Y A H P O G Z Q W B T S F L R C V M U E K J D I
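The shift and substitution ciphers above, as an added worked example (not code from the slides): both are implemented over the Z26 letter table, the substitution key is the slide's example permutation π, and the last function carries out the ciphertext-only attack that condition 2 on the previous slide rules out for a good cryptosystem. The shift cipher has only 26 keys, so an opponent decrypts under every key and picks the candidate that reads as English; the substitution cipher's 26! keys defeat that exhaustive search but, as later slides show, not frequency analysis. Function names and the example strings other than those on the slides are my own.

```python
import math
import string

ALPHABET = string.ascii_lowercase  # a=0, ..., z=25 (the Z26 table on the slide)


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift cipher e_K(x) = (x + K) mod 26; ciphertext in upper case as on the slide."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + key) % 26] for ch in plaintext.lower()).upper()


def shift_decrypt(ciphertext: str, key: int) -> str:
    """d_K(y) = (y - K) mod 26."""
    return "".join(ALPHABET[(ALPHABET.index(ch) - key) % 26] for ch in ciphertext.lower())


def invert_permutation(pi: dict) -> dict:
    """pi^-1 for a permutation of Z26 given as a dict plaintext letter -> ciphertext letter."""
    inv = {v: k for k, v in pi.items()}
    if len(inv) != 26 or set(inv) != set(ALPHABET):
        raise ValueError("key is not a permutation of Z26")
    return inv


def substitution_encrypt(plaintext: str, pi: dict) -> str:
    """e_pi(x) = pi(x), letter by letter."""
    return "".join(pi[ch] for ch in plaintext.lower()).upper()


def substitution_decrypt(ciphertext: str, pi: dict) -> str:
    """d_pi(y) = pi^-1(y)."""
    inv = invert_permutation(pi)
    return "".join(inv[ch] for ch in ciphertext.lower())


def shift_brute_force(ciphertext: str) -> list:
    """Ciphertext-only attack on the shift cipher: the keyspace has 26 keys, so the
    opponent decrypts under each one; index k of the result is the candidate for key k."""
    return [shift_decrypt(ciphertext, k) for k in range(26)]


def keyspace_sizes() -> tuple:
    """|H| for the shift cipher and for the substitution cipher (26 versus 26!)."""
    return 26, math.factorial(26)


# The slide's example permutation, x -> pi(x), stored in lower case for lookup.
SLIDE_PI = dict(zip(ALPHABET, "XNYAHPOGZQWBTSFLRCVMUEKJDI".lower()))

if __name__ == "__main__":
    ct = shift_encrypt("wewillmeetatmidnight", 11)
    print(ct)
    for k, candidate in enumerate(shift_brute_force(ct)):
        print(k, candidate)
    print(substitution_encrypt("wewillmeetatmidnight", SLIDE_PI), keyspace_sizes())
```

Running the brute force prints all 26 candidates; only the row for key 11 is readable English, which is the whole attack. The substitution cipher's key table must be a bijection, which invert_permutation checks before decrypting.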

Page 7

Congruence Equations

• Consider the congruence equation ax ≡ b (mod m), a, b ∈ Zm
• 5x ≡ 8 (mod 12): x = 4, a unique solution in Z12 (gcd(5, 12) = 1)
• 3x ≡ 8 (mod 12): no solution (gcd(3, 12) = 3 does not divide 8)
• 3x ≡ 9 (mod 12): x can be 3, 7, or 11, multiple solutions in Z12 (gcd(3, 12) = 3 divides 9)

Theorem 1.1: ax ≡ b (mod m) has a unique solution in Zm for every b in Zm iff gcd(a, m) = 1.

Definition 1.3: Suppose a ≥ 1 and m ≥ 2 are integers. If gcd(a, m) = 1, then we say that a and m are relatively prime.

Page 8

Multiplicative Inverses

Definition 1.4: Suppose a ∈ Zm. The multiplicative inverse of a modulo m is an element b ∈ Zm such that ab ≡ ba ≡ 1 (mod m).

1. If the multiplicative inverse of a exists, it is unique. It is denoted by a⁻¹.
2. If b is the inverse of a, then a is the inverse of b.
3. a ∈ Zm has a multiplicative inverse in Zm if and only if gcd(a, m) = 1.

Multiplicative group Z*m = {a ∈ Zm : gcd(a, m) = 1}

Euler phi function: φ(m) = |Z*m|

Theorem 1.2: If $m = \prod_{i=1}^{n} p_i^{e_i}$ is the factorization of m into distinct primes $p_i$ with $e_i \ge 1$, then
$$\phi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right).$$

Z*26 = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}, so φ(26) = 12
The inverses, in the same order: {1, 9, 21, 15, 3, 19, 7, 23, 11, 5, 17, 25}

If p is a prime, then Z*p = {1, 2, …, p−1}. Note: (Zp, +, ×, 0, 1) is a field.
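The congruence equations, multiplicative inverses and Euler phi function of the last two slides, and the ring/field distinction from page 4, as an added worked example (not code from the slides). solve_linear_congruence handles all three cases of ax ≡ b (mod m) at once: with d = gcd(a, m) there is no solution unless d | b, and otherwise exactly d solutions, of which Theorem 1.1 is the case d = 1. euler_phi implements the Theorem 1.2 product formula and is checked against |Z*m|. The trial-division factoring is mine and only suitable for slide-sized m; it needs Python 3.8+ for pow(a, -1, m).

```python
from math import gcd


def solve_linear_congruence(a: int, b: int, m: int) -> list:
    """All x in Z_m with a*x = b (mod m).
    With d = gcd(a, m): no solution unless d | b, otherwise exactly d solutions
    spaced m/d apart (Theorem 1.1 is the case d = 1)."""
    d = gcd(a, m)
    if b % d != 0:
        return []
    a1, b1, m1 = a // d, b // d, m // d
    x0 = (b1 * pow(a1, -1, m1)) % m1   # gcd(a1, m1) = 1, so the inverse exists
    return [x0 + k * m1 for k in range(d)]


def units(m: int) -> list:
    """Z*_m = {a in Z_m : gcd(a, m) = 1}."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def inverses(m: int) -> dict:
    """a -> a^-1 mod m for every a in Z*_m (the unique solution of a*x = 1)."""
    return {a: solve_linear_congruence(a, 1, m)[0] for a in units(m)}


def factorize(m: int) -> dict:
    """Prime factorization m = prod p_i^{e_i} by trial division (toy sizes only)."""
    factors, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def euler_phi(m: int) -> int:
    """Theorem 1.2: phi(m) = prod (p_i^{e_i} - p_i^{e_i - 1})."""
    result = 1
    for p, e in factorize(m).items():
        result *= p ** e - p ** (e - 1)
    return result


def is_field(m: int) -> bool:
    """(Z_m, +, x) is a field iff every nonzero element is a unit, i.e. |Z*_m| = m - 1,
    which happens exactly when m is prime (page 4)."""
    return m >= 2 and len(units(m)) == m - 1


if __name__ == "__main__":
    print(solve_linear_congruence(5, 8, 12))    # the slide's unique solution
    print(solve_linear_congruence(3, 8, 12))    # no solution
    print(solve_linear_congruence(3, 9, 12))    # three solutions
    print(units(26), euler_phi(26))
    print(inverses(26))
    print(is_field(26), is_field(29))
```

The comparison euler_phi(m) == len(units(m)) is a cheap self-check of the factorization formula against the definition φ(m) = |Z*m| for any m you care to try.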

Page 9

Affine Cipher

Cryptosystem 1.3: (Affine Cipher) Let P = C = Z26 and H = Z*26 × Z26. For each K = (a, b) ∈ H, define
eK(x) = (ax + b) mod 26 (x ∈ Z26) and
dK(y) = a⁻¹(y − b) mod 26 (y ∈ Z26).

Example 1.3: Suppose that K = (a, b) = (7, 3).
eK(x) = ? dK(y) = ? dK(eK(x)) = ?
Encrypt the plaintext hot.
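The affine cipher of Cryptosystem 1.3 as an added worked example (not code from the slides), answering Example 1.3 and showing why the key must be drawn from Z*26 × Z26: for a with gcd(a, 26) > 1 the map x → ax + b is not injective, so two plaintext letters share a ciphertext letter and no dK can exist. decryption_rule rewrites dK(y) = a⁻¹(y − b) as a′y + b′ mod 26, the form the slide asks for. Names are mine; Python 3.8+ is assumed for pow(a, -1, 26).

```python
from math import gcd

A2I = {chr(ord("a") + i): i for i in range(26)}   # a=0 ... z=25
I2A = {i: ch for ch, i in A2I.items()}


def affine_key(a: int, b: int) -> tuple:
    """Validate K = (a, b) in Z*_26 x Z_26: a must be a unit mod 26, or e_K is not injective."""
    if gcd(a, 26) != 1:
        raise ValueError(f"a = {a} is not in Z*_26 (gcd(a, 26) = {gcd(a, 26)})")
    return a % 26, b % 26


def affine_encrypt(plaintext: str, key: tuple) -> str:
    """e_K(x) = (a x + b) mod 26."""
    a, b = affine_key(*key)
    return "".join(I2A[(a * A2I[ch] + b) % 26] for ch in plaintext.lower()).upper()


def affine_decrypt(ciphertext: str, key: tuple) -> str:
    """d_K(y) = a^-1 (y - b) mod 26."""
    a, b = affine_key(*key)
    a_inv = pow(a, -1, 26)
    return "".join(I2A[(a_inv * (A2I[ch] - b)) % 26] for ch in ciphertext.lower())


def decryption_rule(key: tuple) -> tuple:
    """Return (a', b') with d_K(y) = a' y + b' mod 26, i.e. a' = a^-1 and b' = -a^-1 b."""
    a, b = affine_key(*key)
    a_inv = pow(a, -1, 26)
    return a_inv, (-a_inv * b) % 26


def keyspace_size() -> int:
    """|H| = |Z*_26| * |Z_26| = phi(26) * 26."""
    return sum(1 for a in range(26) if gcd(a, 26) == 1) * 26


def collisions_for_bad_a(a: int) -> list:
    """Why a must be a unit: for gcd(a, 26) > 1 list pairs (x1, x2, y) with x1 != x2
    but a*x1 = a*x2 = y (mod 26); such a key cannot be decrypted."""
    seen, clashes = {}, []
    for x in range(26):
        y = (a * x) % 26
        if y in seen:
            clashes.append((seen[y], x, y))
        seen.setdefault(y, x)
    return clashes


if __name__ == "__main__":
    K = (7, 3)
    ct = affine_encrypt("hot", K)
    print(ct, affine_decrypt(ct, K), decryption_rule(K), keyspace_size())
    print(collisions_for_bad_a(6)[:3])
```

For K = (7, 3) the decryption rule comes out as dK(y) = 15y + 7 mod 26, since 7⁻¹ = 15 and −15·3 ≡ 7; the keyspace has 12·26 = 312 keys, small enough that exhaustive search alone breaks this cipher.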

Page 10

Vigenère Cipher

Cryptosystem 1.4: (Vigenère Cipher) Let m be a positive integer. Let P = C = H = (Z26)^m. For a key K = (k1, k2, …, km) ∈ H, define
eK(x1, x2, …, xm) = (x1 + k1, x2 + k2, …, xm + km) and
dK(y1, y2, …, ym) = (y1 − k1, y2 − k2, …, ym − km)
where all operations are performed in Z26.

Example 1.4: Suppose that m = 6 and the key is CIPHER, i.e., K = (2, 8, 15, 7, 4, 17). Encrypt the plaintext thiscryptosystemisnotsecure.

Polyalphabetic cryptosystem: the key of the system contains multiple alphabetic characters, so the same plaintext letter can be mapped to different ciphertext letters depending on its position.

Page 11

Linear Transformation and Matrix

$$y_1 = (11x_1 + 3x_2) \bmod 26,\qquad y_2 = (8x_1 + 7x_2) \bmod 26$$
$$(y_1, y_2) = (x_1, x_2)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} \bmod 26$$

If A = (a_{i,j}) and B = (b_{i,j}) are two l × m matrices, then the sum A + B is defined as (a_{i,j} + b_{i,j}).

If A = (a_{i,j}) is an l × m matrix and B = (b_{i,j}) is an m × n matrix, then the product AB = (c_{i,j}) is an l × n matrix defined by the formula
$$c_{i,j} = \sum_{k=1}^{m} a_{i,k}\, b_{k,j}.$$

(Z26)^{n×n}: all n × n matrices over Z26.
I_n: the n × n identity matrix. For any A ∈ (Z26)^{n×n}, I_n A = A I_n = A.
0_n: the n × n zero matrix. For any A ∈ (Z26)^{n×n}, 0_n + A = A + 0_n = A.
((Z26)^{n×n}, 0_n, I_n, +, ×) is a ring.

Page 12

The Inverse of a Matrix

Definition: Suppose A ∈ (Z26)^{n×n}. The inverse of A over (Z26)^{n×n} is a matrix B ∈ (Z26)^{n×n} such that AB = BA = I_n.
1. If the inverse of A exists, it is unique. It is denoted by A⁻¹.
2. If B is the inverse of A, then A is the inverse of B.

Definition 1.5: Suppose A = (a_{i,j}) is an m × m matrix. For 1 ≤ i ≤ m, 1 ≤ j ≤ m, define A_{i,j} to be the matrix obtained from A by deleting the ith row and the jth column.

The determinant of A, denoted det A, is the value of a_{1,1} if m = 1. If m > 1, det A is computed recursively by expansion along any fixed row i (1 ≤ i ≤ m):
$$\det A = \sum_{j=1}^{m} (-1)^{i+j}\, a_{i,j}\, \det A_{i,j}.$$

det A = a11 a22 − a12 a21 if m = 2
det A = a11 a22 a33 + a21 a32 a13 + a31 a12 a23 − a13 a22 a31 − a12 a21 a33 − a11 a23 a32 if m = 3

Page 13

The Inverse of a Matrix

Properties: 1. det I_n = 1. 2. det(AB) = det A · det B.

Theorem 1.3: Suppose A = (a_{i,j}) is an m × m matrix over Zn such that det A is invertible in Zn. Then A⁻¹ = (det A)⁻¹ A*, where A* is the adjoint matrix of A. That is, A* = (a*_{i,j}) with a*_{i,j} = (−1)^{i+j} det A_{j,i}.

For m = 2:
$$A = \begin{pmatrix} a_{1,1} & a_{1,2} \\ a_{2,1} & a_{2,2} \end{pmatrix},\qquad
A^{-1} = (\det A)^{-1}\begin{pmatrix} a_{2,2} & -a_{1,2} \\ -a_{2,1} & a_{1,1} \end{pmatrix}$$

Example 1.5: $A = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}$ over Z26. A⁻¹ = ?

Example 1.6: $A = \begin{pmatrix} 10 & 5 & 12 \\ 3 & 14 & 21 \\ 8 & 9 & 11 \end{pmatrix}$ over Z26. A⁻¹ = ?

Page 14

Hill Cipher

Cryptosystem 1.5: (Hill Cipher) Let m ≥ 2 be an integer. Let P = C = (Z26)^m and H = GL(m, Z26). For a key K, define
eK(x) = xK and dK(y) = yK⁻¹
where GL(m, Z26) = {A ∈ (Z26)^{m×m} : A is invertible} and all operations are performed in Z26.

Example 1.5: Suppose the key is
$$K = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix},\qquad K^{-1} = \begin{pmatrix} 7 & 18 \\ 23 & 11 \end{pmatrix}.$$
We want to encrypt the plaintext july. Since july = 9 20 11 24:
$$(9, 20)K = (9, 20)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} = (3, 4) = DE$$
$$(11, 24)K = (11, 24)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} = (11, 22) = LW$$
The ciphertext is DELW.

Page 15

Permutation Cipher

Cryptosystem 1.6: (Permutation Cipher) Let m be a positive integer. Let P = C = (Z26)^m and let H consist of all permutations of {1, …, m}. For a key π, define
eπ(x1, x2, …, xm) = (x_{π(1)}, x_{π(2)}, …, x_{π(m)}) and
dπ(y1, y2, …, ym) = (y_{π⁻¹(1)}, y_{π⁻¹(2)}, …, y_{π⁻¹(m)})
where π⁻¹ is the inverse permutation to π.

Example 1.7: Suppose m = 6 and the key is the following permutation π:
x:    1 2 3 4 5 6
π(x): 3 5 1 6 4 2
π⁻¹ = ?
Encrypt the following plaintext: shesellsseashellsbytheseashore
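Cryptosystem 1.6 and Example 1.7 as an added worked example (not code from the slides). The key is the list [π(1), …, π(m)], invert_permutation builds [π⁻¹(1), …, π⁻¹(m)] by reading the table backwards, and encryption and decryption are the same block operation applied with π and π⁻¹ respectively. The slide does not say what to do with a final short block; padding with x is my assumption.

```python
def invert_permutation(pi: list) -> list:
    """pi is [pi(1), ..., pi(m)]; return [pi^-1(1), ..., pi^-1(m)]."""
    m = len(pi)
    if sorted(pi) != list(range(1, m + 1)):
        raise ValueError("key is not a permutation of {1..m}")
    inv = [0] * m
    for x, y in enumerate(pi, start=1):   # pi(x) = y  means  pi^-1(y) = x
        inv[y - 1] = x
    return inv


def permute_block(block: str, pi: list) -> str:
    """(x_1, ..., x_m) -> (x_pi(1), ..., x_pi(m))."""
    return "".join(block[p - 1] for p in pi)


def permutation_encrypt(plaintext: str, pi: list, pad: str = "x") -> str:
    """e_pi applied block by block; a short last block is padded (assumption, not on the slide)."""
    m = len(pi)
    text = plaintext.lower()
    text += pad * (-len(text) % m)
    return "".join(permute_block(text[i:i + m], pi) for i in range(0, len(text), m)).upper()


def permutation_decrypt(ciphertext: str, pi: list) -> str:
    """d_pi = the same block operation with pi^-1."""
    inv = invert_permutation(pi)
    m = len(pi)
    text = ciphertext.lower()
    return "".join(permute_block(text[i:i + m], inv) for i in range(0, len(text), m))


if __name__ == "__main__":
    PI = [3, 5, 1, 6, 4, 2]   # the slide's key: pi(1)=3, pi(2)=5, pi(3)=1, pi(4)=6, pi(5)=4, pi(6)=2
    print(invert_permutation(PI))
    ct = permutation_encrypt("shesellsseashellsbytheseashore", PI)
    print(ct, permutation_decrypt(ct, PI))
```

Note that the permutation cipher never changes which letters occur, only their positions, so single-letter frequencies of the ciphertext equal those of the plaintext; that is what makes it recognisable in a ciphertext-only setting.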

Page 16

Stream Cipher

Definition 1.6: A synchronous stream cipher is a tuple (P, C, H, L, E, D), together with a function g, such that the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. H, the keyspace, is a finite set of possible keys
4. L is a finite set called the keystream alphabet
5. g is the keystream generator. g takes a key K as input and generates an infinite string z1 z2 … called the keystream, where zi ∈ L for all i ≥ 1.
6. For each z ∈ L, there is an encryption rule ez ∈ E, ez: P → C, and a corresponding decryption rule dz ∈ D, dz: C → P, such that dz(ez(x)) = x for all x ∈ P.

Block cipher: x = x1 x2 … and a key K give y = y1 y2 … = eK(x1) eK(x2) …
Stream cipher: x = x1 x2 … and a key K give a keystream z = z1 z2 …, and
$$y = y_1 y_2 \ldots = e_{z_1}(x_1)\, e_{z_2}(x_2) \ldots$$

Page 17

Stream Cipher (Cont.)

The Vigenère cipher defined as a synchronous stream cipher:
• Let P = C = L = Z26, H = (Z26)^m.
• For K = (k1, k2, …, km), define
$$z_i = \begin{cases} k_{i \bmod m} & \text{if } i \bmod m \neq 0 \\ k_m & \text{if } i \bmod m = 0 \end{cases}$$
This generates the keystream k1 k2 … km k1 k2 … km k1 k2 … km …
• For z ∈ L define
ez(x) = (x + z) mod 26 and dz(y) = (y − z) mod 26

A stream cipher is a periodic stream cipher with period d if zi+d = zi for all i ≥ 1.

Page 18

Stream Cipher (Cont.)

Linear Feedback Shift Register (LFSR): generating the keystream using a linear recurrence of degree m:
$$z_{i+m} = \sum_{j=0}^{m-1} c_j\, z_{i+j} \bmod 2$$
for all i ≥ 1, where c0, …, c_{m−1} ∈ Z2 are constants and c0 ≠ 0, and
$$(z_1, \ldots, z_m) = (k_1, \ldots, k_m).$$
Encryption: yi = (xi + zi) mod 2 and Decryption: xi = (yi − zi) mod 2

Example 1.8: m = 4, z_{i+4} = (z_i + z_{i+1}) mod 2, K = (k1, k2, k3, k4) = (1, 0, 0, 0). The keystream z1 z2 z3 … = ? And the period d = ?

[Figure: a 4-stage shift register initialised with k1 k2 k3 k4; the output is the first stage, and the sum (+) of the tapped stages is fed back into the last stage.]

Page 19

Non-Synchronous Stream Cipher

A non-synchronous stream cipher is a stream cipher in which each keystream element zi depends on previous plaintext or ciphertext elements (x1 … x_{i−1} and/or y1 … y_{i−1}) as well as the key K.

Cryptosystem 1.7: (Autokey Cipher) Let P = C = H = L = Z26. Let z1 = K, and define zi = x_{i−1} for all i ≥ 2. For 0 ≤ z ≤ 25, define
ez(x) = (x + z) mod 26 and dz(y) = (y − z) mod 26 (x, y ∈ Z26)

Example 1.9: K = 8 and the plaintext is rendezvous. The keystream z1 z2 z3 … = ? The ciphertext y1 y2 … = ?
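The stream-cipher slides (pages 16 to 19) as one added worked example (not code from the slides). Keystream generators are Python iterators: periodic_keystream is the Vigenère cipher of page 17 (so it also answers Example 1.4 with key CIPHER), lfsr_keystream is the Z2 recurrence of page 18 with the taps c0, …, c_{m−1} and keystream_period finds d for Example 1.8, and autokey_encrypt/decrypt are the non-synchronous Cryptosystem 1.7 where the receiver rebuilds zi from the plaintext it has already recovered, which is why a single corrupted ciphertext symbol derails everything after it. Names and the helper keystream_prefix are mine.

```python
from typing import Iterator

A2I = {chr(ord("a") + i): i for i in range(26)}
I2A = {i: ch for ch, i in A2I.items()}


def periodic_keystream(key: list) -> Iterator[int]:
    """Vigenere as a synchronous stream cipher: z_i = k_(i mod m), with k_m when i mod m = 0."""
    while True:
        yield from key


def lfsr_keystream(init: list, taps: list) -> Iterator[int]:
    """LFSR over Z_2: (z_1..z_m) = init and z_{i+m} = sum_j c_j z_{i+j} mod 2, c = taps."""
    state = list(init)
    while True:
        yield state[0]
        new = sum(c * z for c, z in zip(taps, state)) % 2
        state = state[1:] + [new]


def keystream_prefix(gen: Iterator[int], n: int) -> list:
    return [next(gen) for _ in range(n)]


def keystream_period(gen: Iterator[int], max_len: int) -> int:
    """Smallest d with z_{i+d} = z_i over the first max_len symbols (0 if none is found)."""
    z = keystream_prefix(gen, max_len)
    for d in range(1, max_len):
        if all(z[i + d] == z[i] for i in range(max_len - d)):
            return d
    return 0


def stream_encrypt_z26(plaintext: str, keystream: Iterator[int]) -> str:
    """e_z(x) = (x + z) mod 26 symbol by symbol, z taken from a synchronous keystream."""
    return "".join(I2A[(A2I[ch] + z) % 26] for ch, z in zip(plaintext.lower(), keystream)).upper()


def stream_decrypt_z26(ciphertext: str, keystream: Iterator[int]) -> str:
    """d_z(y) = (y - z) mod 26 with the same keystream regenerated from the key."""
    return "".join(I2A[(A2I[ch] - z) % 26] for ch, z in zip(ciphertext.lower(), keystream))


def autokey_encrypt(plaintext: str, K: int) -> tuple:
    """Non-synchronous: z_1 = K, z_i = x_{i-1}. Returns (keystream, ciphertext)."""
    z, zs, out = K, [], []
    for ch in plaintext.lower():
        x = A2I[ch]
        zs.append(z)
        out.append(I2A[(x + z) % 26])
        z = x                      # the next keystream element is this plaintext symbol
    return zs, "".join(out).upper()


def autokey_decrypt(ciphertext: str, K: int) -> str:
    """The receiver regenerates z_i from the plaintext symbols it has already recovered."""
    z, out = K, []
    for ch in ciphertext.lower():
        x = (A2I[ch] - z) % 26
        out.append(I2A[x])
        z = x
    return "".join(out)


def lfsr_encrypt_bits(bits: list, init: list, taps: list) -> list:
    """y_i = (x_i + z_i) mod 2; over Z_2 the same call also decrypts."""
    return [(x + z) % 2 for x, z in zip(bits, lfsr_keystream(init, taps))]


if __name__ == "__main__":
    cipher_key = [A2I[c] for c in "cipher"]            # (2, 8, 15, 7, 4, 17)
    ct = stream_encrypt_z26("thiscryptosystemisnotsecure", periodic_keystream(cipher_key))
    print(ct, stream_decrypt_z26(ct, periodic_keystream(cipher_key)))
    print(keystream_prefix(lfsr_keystream([1, 0, 0, 0], [1, 1, 0, 0]), 20),
          keystream_period(lfsr_keystream([1, 0, 0, 0], [1, 1, 0, 0]), 64))
    print(autokey_encrypt("rendezvous", 8), autokey_decrypt("ZVRQHDUJIM", 8))
```

The LFSR with taps (1, 1, 0, 0) is exactly z_{i+4} = z_i + z_{i+1}; with initial state (1, 0, 0, 0) it cycles through every nonzero 4-bit state, so its period is 2⁴ − 1 = 15, the maximum for m = 4.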

Page 20

Cryptanalysis

Cryptanalysis: the process of attempting to compute the key K, given a string of ciphertext y.
Kerckhoffs' principle: the opponent knows the cryptosystem being used.

Common types of attack models
• Ciphertext-only attack: the opponent possesses a string of ciphertext, y.
• Known-plaintext attack: the opponent possesses a string of plaintext, x, and the corresponding ciphertext, y.
• Chosen-plaintext attack: the opponent can use the encryption machine (obtain the ciphertext for plaintexts of the opponent's choosing).
• Chosen-ciphertext attack: the opponent can use the decryption machine (obtain the plaintext for ciphertexts of the opponent's choosing).

Page 21

Cryptanalysis of the Affine Cipher

Statistical properties of the English language
• Relative frequencies of the 26 letters (e is the most common, followed by t)
• Common sequences of two or three consecutive letters

Example 1.10: Ciphertext obtained from an Affine Cipher
R: 8 occurrences, D: 7 occurrences, E, H, K: 5 occurrences each.
Guess that the most frequent plaintext letters e (= 4) and t (= 19) map to the most frequent ciphertext letters, solve the two linear congruences for K = (a, b), and keep a guess only if gcd(a, 26) = 1.

First guess: e → R, i.e. eK(4) = 17, so 4a + b ≡ 17; t → D, i.e. eK(19) = 3, so 19a + b ≡ 3. Subtracting: 15a ≡ −14 ≡ 12, a = 6, b = 19. gcd(6, 26) = 2, so this key is impossible.
Second guess: e → R, 4a + b ≡ 17; t → E, eK(19) = 4, 19a + b ≡ 4. Then a = 13, b = −9 ≡ 17. gcd(13, 26) = 13, impossible.
Third guess: e → R, 4a + b ≡ 17; t → H, eK(19) = 7, 19a + b ≡ 7. Then a = 8, b = 11. gcd(8, 26) = 2, impossible.
Fourth guess: e → R, 4a + b ≡ 17; t → K, eK(19) = 10, 19a + b ≡ 10. Then a = 3, b = 5. gcd(3, 26) = 1, so K = (3, 5) is a valid key; decrypting the ciphertext with it and checking that the result is English confirms the guess.
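The attack of Example 1.10 carried out end to end, as an added worked example (not code from the slides). The slide lists only the letter counts; the ciphertext itself is the one from the textbook example these slides follow (Stinson, Example 1.10), and its counts are exactly R: 8, D: 7, E/H/K: 5, which the first assertion checks. solve_affine_key solves the pair of congruences in closed form and rejects any a not in Z*26, and break_affine reproduces the slide's four guesses in order (ties among equally frequent letters are broken alphabetically, which gives D, E, H, K). Names are mine; Python 3.8+ is assumed for pow(x, -1, 26).

```python
from collections import Counter
from math import gcd

A2I = {chr(ord("a") + i): i for i in range(26)}
I2A = {i: ch for ch, i in A2I.items()}

# Ciphertext of Stinson's Example 1.10; the slide prints only its letter counts.
CIPHERTEXT = "FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH"


def letter_frequencies(ciphertext: str) -> list:
    """(letter, count) pairs, most frequent first; ties broken alphabetically."""
    counts = Counter(ciphertext.upper())
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def solve_affine_key(x1: int, y1: int, x2: int, y2: int):
    """Solve a*x1 + b = y1 and a*x2 + b = y2 (mod 26) for K = (a, b).
    Returns None if the system does not determine a or if a is not a unit mod 26."""
    d = (x1 - x2) % 26
    if gcd(d, 26) != 1:
        return None                  # x1 - x2 not invertible: a is not pinned down
    a = ((y1 - y2) * pow(d, -1, 26)) % 26
    if gcd(a, 26) != 1:
        return None                  # a = 6, 13, 8 on the slide: e_K would not be injective
    b = (y1 - a * x1) % 26
    return a, b


def affine_decrypt(ciphertext: str, key: tuple) -> str:
    """d_K(y) = a^-1 (y - b) mod 26."""
    a, b = key
    a_inv = pow(a, -1, 26)
    return "".join(I2A[(a_inv * (A2I[ch.lower()] - b)) % 26] for ch in ciphertext)


def break_affine(ciphertext: str, guesses: int = 4):
    """Pair e with the most frequent ciphertext letter and t with each of the next
    `guesses` letters in turn; return (key, plaintext, tried) for the first valid key."""
    freq = [ch for ch, _ in letter_frequencies(ciphertext)]
    e_ct = A2I[freq[0].lower()]
    tried = []
    for t_letter in freq[1:1 + guesses]:
        key = solve_affine_key(A2I["e"], e_ct, A2I["t"], A2I[t_letter.lower()])
        tried.append((freq[0], t_letter, key))
        if key is not None:
            return key, affine_decrypt(ciphertext, key), tried
    return None, "", tried


if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT)[:5])
    key, plaintext, tried = break_affine(CIPHERTEXT)
    for e_letter, t_letter, k in tried:
        print(f"e->{e_letter}, t->{t_letter}: {k}")
    print(key, plaintext)
```

In practice the "is it English" check at the end is the only step that needs judgement; everything before it is mechanical, which is why the 312-key affine cipher offers no real resistance even to a ciphertext-only attacker.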

Page 22

Cryptanalysis of the Hill Cipher

Known-plaintext attack on the Hill Cipher (m is also known). Split the known plaintext and the corresponding ciphertext into blocks of m:
x1 … xm / x_{m+1} … x_{2m} / x_{2m+1} … and y1 … ym / y_{m+1} … y_{2m} / y_{2m+1} …

Take m plaintext blocks a1, …, am (as rows) with their ciphertext blocks b1, …, bm, where bj = eK(aj) = aj K. Then
$$\begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix} K,
\qquad\text{so}\qquad
K = \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix}^{-1}\begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix},$$
provided the plaintext matrix is invertible over Z26.

Example 1.13: m = 2, plaintext friday = 5 17 / 8 3 / 0 24, ciphertext PQCFKU = 15 16 / 2 5 / 10 20.
eK(5, 17) = (15, 16), eK(8, 3) = (2, 5), eK(0, 24) = (10, 20)
$$\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix} K,
\qquad
K = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix}^{-1}\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix}
= \begin{pmatrix} 9 & 1 \\ 2 & 15 \end{pmatrix}\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix}
= \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix}$$
Check with the third block: (0, 24)K = (24 · 8, 24 · 3) = (192, 72) ≡ (10, 20) = KU.
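The matrix machinery of pages 11 to 14 and the known-plaintext attack above, as one added worked example (not code from the slides). det is the cofactor expansion of Definition 1.5, inverse is Theorem 1.3 (A⁻¹ = (det A)⁻¹ A*, refusing matrices whose determinant is not a unit mod 26), hill_encrypt/decrypt are Cryptosystem 1.5 with the key of Example 1.5, and hill_known_plaintext computes K = X⁻¹Y from the first m blocks of Example 1.13. It also answers Examples 1.5 and 1.6 (the 2 × 2 and 3 × 3 inverses). Names are mine; Python 3.8+ is assumed for pow(d, -1, n). Cofactor expansion is exponential in m, which is fine for slide-sized keys but not for anything larger.

```python
from math import gcd

MOD = 26
A2I = {chr(ord("a") + i): i for i in range(26)}
I2A = {i: ch for ch, i in A2I.items()}


def minor(A, i, j):
    """A_{i,j}: A with row i and column j deleted (0-based indices here)."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(A) if r != i]


def det(A, n=MOD) -> int:
    """Determinant by cofactor expansion along the first row (Definition 1.5), reduced mod n."""
    if len(A) == 1:
        return A[0][0] % n
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j), n) for j in range(len(A))) % n


def matmul(A, B, n=MOD):
    """c_{i,j} = sum_k a_{i,k} b_{k,j} mod n."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % n for j in range(len(B[0]))]
            for i in range(len(A))]


def inverse(A, n=MOD):
    """Theorem 1.3: A^-1 = (det A)^-1 A*, with a*_{i,j} = (-1)^{i+j} det A_{j,i}.
    Raises ValueError when det A is not a unit mod n, i.e. A is not in GL(m, Z_n)."""
    d = det(A, n)
    if gcd(d, n) != 1:
        raise ValueError(f"det A = {d} is not invertible mod {n}")
    d_inv = pow(d, -1, n)
    m = len(A)
    adj = [[((-1) ** (i + j) * det(minor(A, j, i), n)) % n for j in range(m)] for i in range(m)]
    return [[(d_inv * adj[i][j]) % n for j in range(m)] for i in range(m)]


def hill_encrypt(plaintext: str, K) -> str:
    """e_K(x) = xK block by block; the plaintext length must be a multiple of m."""
    m = len(K)
    x = [A2I[ch] for ch in plaintext.lower()]
    if len(x) % m:
        raise ValueError("plaintext length must be a multiple of m")
    out = []
    for i in range(0, len(x), m):
        out += matmul([x[i:i + m]], K)[0]
    return "".join(I2A[v] for v in out).upper()


def hill_decrypt(ciphertext: str, K) -> str:
    """d_K(y) = yK^-1."""
    return hill_encrypt(ciphertext, inverse(K)).lower()


def hill_known_plaintext(plaintext: str, ciphertext: str, m: int):
    """Known-plaintext attack: K = X^-1 Y from the first m blocks.
    Choose blocks whose plaintext matrix X is invertible mod 26, or inverse() raises."""
    X = [[A2I[c] for c in plaintext.lower()[i:i + m]] for i in range(0, m * m, m)]
    Y = [[A2I[c] for c in ciphertext.lower()[i:i + m]] for i in range(0, m * m, m)]
    return matmul(inverse(X), Y)


if __name__ == "__main__":
    K = [[11, 8], [3, 7]]
    print(inverse(K), hill_encrypt("july", K), hill_decrypt("DELW", K))
    print(inverse([[10, 5, 12], [3, 14, 21], [8, 9, 11]]))    # Example 1.6
    print(hill_known_plaintext("friday", "PQCFKU", 2))         # Example 1.13
```

The attacker needs m linearly independent plaintext blocks; when the first m blocks give a singular X, any other m blocks of the known plaintext can be used instead, so in practice a few dozen known letters are plenty.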

Page 23

Cryptanalysis of the LFSR Cipher

The keystream satisfies the linear recurrence
$$z_{i+m} = \sum_{j=0}^{m-1} c_j\, z_{i+j} \bmod 2.$$
Writing this out for i = 1, …, m gives, in matrix form,
$$(z_{m+1}, z_{m+2}, \ldots, z_{2m}) = (c_0, c_1, \ldots, c_{m-1})
\begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix},$$
so if the m × m matrix is invertible over Z2,
$$(c_0, c_1, \ldots, c_{m-1}) = (z_{m+1}, z_{m+2}, \ldots, z_{2m})
\begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix}^{-1}.$$
Known-plaintext attack: yi = (xi + zi) mod 2, so zi = (yi − xi) mod 2, and 2m consecutive keystream bits determine the recurrence (and hence the whole keystream).

Example 1.14: m = 5, plaintext 101101011110010, ciphertext 011001111111000.
The keystream (plaintext XOR ciphertext): 110100100001010
$$(0, 1, 0, 0, 0) = (c_0, c_1, c_2, c_3, c_4)
\begin{pmatrix} 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 \end{pmatrix}$$
$$(c_0, c_1, c_2, c_3, c_4) = (0, 1, 0, 0, 0)
\begin{pmatrix} 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 0 \end{pmatrix} = (1, 0, 0, 1, 0)$$
so the recurrence is z_{i+5} = (z_i + z_{i+3}) mod 2.
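The known-plaintext attack on the LFSR cipher, as an added worked example (not code from the slides): recover the keystream by XOR, build the m × m matrix of shifted keystream windows, solve the linear system over Z2 by Gauss-Jordan elimination (rather than forming the inverse explicitly), and run the recovered recurrence forward to regenerate the rest of the keystream. Example 1.14 is the test input; the singular case, where 2m bits happen not to determine the taps, returns None instead of a wrong answer. Names are mine.

```python
def recover_keystream(plaintext_bits: list, ciphertext_bits: list) -> list:
    """z_i = (y_i - x_i) mod 2, i.e. XOR, from a known plaintext/ciphertext pair."""
    return [(y - x) % 2 for x, y in zip(plaintext_bits, ciphertext_bits)]


def solve_gf2(M: list, v: list):
    """Solve c * M = v over Z_2 for the row vector c, via Gauss-Jordan on [M^T | v^T].
    Returns None if M is singular (the 2m keystream bits do not determine the taps)."""
    m = len(M)
    rows = [[M[j][i] for j in range(m)] + [v[i]] for i in range(m)]   # rows of M^T, augmented
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]


def recover_lfsr_taps(z: list, m: int):
    """From z_1..z_{2m} find (c_0..c_{m-1}) with
    (z_{m+1},..,z_{2m}) = (c_0,..,c_{m-1}) * [[z_1..z_m], [z_2..z_{m+1}], .., [z_m..z_{2m-1}]]."""
    if len(z) < 2 * m:
        raise ValueError("need at least 2m keystream bits")
    M = [z[i:i + m] for i in range(m)]
    v = z[m:2 * m]
    return solve_gf2(M, v)


def lfsr_extend(z: list, taps: list, length: int) -> list:
    """Run z_{i+m} = sum_j c_j z_{i+j} mod 2 forward from the first m bits."""
    z = list(z)
    m = len(taps)
    while len(z) < length:
        z.append(sum(c * b for c, b in zip(taps, z[-m:])) % 2)
    return z


def bits(s: str) -> list:
    return [int(ch) for ch in s]


if __name__ == "__main__":
    x = bits("101101011110010")
    y = bits("011001111111000")
    z = recover_keystream(x, y)
    taps = recover_lfsr_taps(z, 5)
    print(z, taps)                                 # taps (1, 0, 0, 1, 0): z_{i+5} = z_i + z_{i+3}
    print(lfsr_extend(z[:5], taps, len(z)) == z)   # the recurrence reproduces the whole keystream
```

Once the taps are known the attacker extends the keystream indefinitely from the first m bits, so 2m known plaintext bits compromise every later bit; this linearity is why an LFSR on its own is never used as a keystream generator.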

Page 24

More Number Theory

The Euclidean Algorithm (to compute gcd(r0, r1)):
r0 = q1 r1 + r2, 0 < r2 < r1
r1 = q2 r2 + r3, 0 < r3 < r2
…
r_{m−2} = q_{m−1} r_{m−1} + r_m, 0 < r_m < r_{m−1}
r_{m−1} = q_m r_m + 0
gcd(r0, r1) = gcd(r1, r2) = … = gcd(r_{m−2}, r_{m−1}) = gcd(r_{m−1}, r_m) = r_m

The Extended Euclidean Algorithm (to find the inverse of r1 ∈ Zn, n = r0):
1. Perform the Euclidean Algorithm for r0 and r1. Record the quotients q1, q2, …, qm.
2. Compute t0, t1, …, tm recursively as follows:
   t0 = 0, t1 = 1, tj = t_{j−2} − q_{j−1} t_{j−1}, 2 ≤ j ≤ m
   (and likewise s0 = 1, s1 = 0, sj = s_{j−2} − q_{j−1} s_{j−1}, 2 ≤ j ≤ m).
3. r1⁻¹ = tm mod r0 (when r_m = gcd(r0, r1) = 1).

Page 25

More Number Theory (Cont.)

Theorem 5.1: rj = sj r0 + tj r1, for 0 ≤ j ≤ m.
Corollary 5.2: If gcd(r0, r1) = 1, then r1⁻¹ = tm mod r0.
Example 5.1: Compute 28⁻¹ in Z75 and 17⁻¹ in Z523.
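The extended Euclidean algorithm of the last two slides as an added worked example (not code from the slides), following the slide's indexing exactly: it records the quotients q_j and the sequences s_j and t_j, returns the full trace so Theorem 5.1 (r_j = s_j r0 + t_j r1) can be checked row by row, and mod_inverse applies Corollary 5.2 to Example 5.1. Names are mine.

```python
def extended_euclid(r0: int, r1: int) -> tuple:
    """Euclidean algorithm on (r0, r1) with the slide's s_j, t_j sequences:
    s_0 = 1, s_1 = 0, t_0 = 0, t_1 = 1, s_j = s_{j-2} - q_{j-1} s_{j-1}, t_j likewise.
    Returns (gcd, s_m, t_m, trace) where trace rows are (j, r_j, q_j, s_j, t_j)."""
    if not r0 > r1 > 0:
        raise ValueError("need r0 > r1 > 0")
    r, q = [r0, r1], [None]          # q_j defined for j >= 1: r_{j-1} = q_j r_j + r_{j+1}
    s, t = [1, 0], [0, 1]
    j = 1
    while r[j] != 0:
        q.append(r[j - 1] // r[j])
        r.append(r[j - 1] % r[j])
        if r[j + 1] != 0:            # only rows up to r_m (the last nonzero remainder)
            s.append(s[j - 1] - q[j] * s[j])
            t.append(t[j - 1] - q[j] * t[j])
        j += 1
    m = j - 1
    trace = [(k, r[k], q[k], s[k], t[k]) for k in range(m + 1)]
    return r[m], s[m], t[m], trace


def mod_inverse(a: int, n: int) -> int:
    """Corollary 5.2: if gcd(n, a) = 1 then a^-1 = t_m mod n."""
    g, _, t, _ = extended_euclid(n, a % n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n


def check_theorem_5_1(r0: int, r1: int) -> bool:
    """Theorem 5.1: r_j = s_j r0 + t_j r1 for every row of the trace."""
    _, _, _, trace = extended_euclid(r0, r1)
    return all(rj == sj * r0 + tj * r1 for _, rj, _, sj, tj in trace)


if __name__ == "__main__":
    for n, a in ((75, 28), (523, 17)):
        g, s, t, trace = extended_euclid(n, a)
        for row in trace:
            print("j=%d r=%d q=%s s=%d t=%d" % row)
        print(f"gcd = {g}, {s}*{n} + {t}*{a} = {s * n + t * a}, {a}^-1 mod {n} = {mod_inverse(a, n)}")
```

For (75, 28) the trace ends at j = 4 with s_4 = 3 and t_4 = −8, i.e. 3·75 − 8·28 = 1, so 28⁻¹ ≡ −8 ≡ 67 (mod 75); for (523, 17) it ends with t_4 = −123, so 17⁻¹ ≡ 400 (mod 523).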

Page 26

Other Useful Facts

Group: A group is a nonempty set G equipped with an operation • such that the following axioms are satisfied:
1. (a•b)•c = a•(b•c) for all a, b, c ∈ G
2. There is an identity element e ∈ G such that a•e = e•a = a for all a ∈ G.
3. For every a ∈ G there is an inverse a⁻¹ ∈ G such that a•a⁻¹ = a⁻¹•a = e.

Order of an element in a group: for a ∈ G, the smallest positive integer m s.t. a^m = e is called the order of a, and is denoted by o(a). If there is no positive integer m s.t. a^m = e, we say that o(a) = ∞.

Theorem 5.4 (Lagrange): Let G be a finite group with |G| = n. Then for all a ∈ G, o(a) divides n. In particular, a^{|G|} = e.
Corollary 5.5: If b ∈ Z*n, then b^{φ(n)} ≡ 1 (mod n).
Corollary 5.6 (Fermat): Let p be a prime and b ∈ Zp. Then b^p ≡ b (mod p).

Page 27

Other Useful Facts (Cont.)

Cyclic Group: Let G be a group and α ∈ G. If all the elements of G are of the form α^n (n ∈ Z), we say that G is a cyclic group generated by α. In this case we write G = (α), and α is called a generating element.

Theorem 5.7: If p is prime, then (Z*p, •) is a cyclic group.
A primitive element modulo p: a generating element of Z*p.
Example 5.4: Find the primitive elements modulo 13.

Theorem 5.8: Suppose p > 2 is prime and α ∈ Z*p. Then α is a primitive element modulo p iff α^{(p−1)/q} ≢ 1 (mod p) for all primes q s.t. q | (p−1).

Fact: Let α be a primitive element modulo p. Then
1. the order of β = α^i (0 ≤ i ≤ p−2) is (p−1)/gcd(p−1, i).
2. β = α^i (0 ≤ i ≤ p−2) is a primitive element modulo p iff gcd(p−1, i) = 1.
3. The number of primitive elements modulo p is φ(p−1).
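Element orders, Lagrange, Fermat and primitive elements from the last two slides as one added worked example (not code from the slides). order uses Lagrange's theorem to test only the divisors of p − 1, is_primitive is the Theorem 5.8 criterion (no need to compute the full order), primitive_elements answers Example 5.4, and check_facts verifies the three numbered facts for a given prime by exhaustion. Names are mine; the trial-division factoring is only meant for small p − 1.

```python
from math import gcd


def prime_factors(n: int) -> list:
    """Distinct primes dividing n (trial division, small n only)."""
    ps, p = [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        ps.append(n)
    return ps


def order(a: int, p: int) -> int:
    """o(a) in Z*_p. By Lagrange o(a) | p-1, so only divisors of p-1 need testing."""
    if not 0 < a < p:
        raise ValueError("a must lie in Z*_p")
    return min(d for d in range(1, p) if (p - 1) % d == 0 and pow(a, d, p) == 1)


def is_primitive(alpha: int, p: int) -> bool:
    """Theorem 5.8: alpha is primitive mod p iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def primitive_elements(p: int) -> list:
    return [a for a in range(1, p) if is_primitive(a, p)]


def powers_of(alpha: int, p: int) -> list:
    """alpha^0, ..., alpha^(p-2): all of Z*_p exactly when alpha is a generator (Theorem 5.7)."""
    return [pow(alpha, i, p) for i in range(p - 1)]


def check_facts(p: int) -> bool:
    """The slide's three facts, checked for the smallest primitive element alpha:
    1. o(alpha^i) = (p-1)/gcd(p-1, i); 2. alpha^i primitive iff gcd(p-1, i) = 1;
    3. the number of primitive elements is phi(p-1)."""
    alpha = primitive_elements(p)[0]
    phi = sum(1 for i in range(1, p - 1) if gcd(i, p - 1) == 1)
    fact1 = all(order(pow(alpha, i, p), p) == (p - 1) // gcd(p - 1, i) for i in range(p - 1))
    fact2 = all(is_primitive(pow(alpha, i, p), p) == (gcd(p - 1, i) == 1) for i in range(p - 1))
    fact3 = len(primitive_elements(p)) == phi
    return fact1 and fact2 and fact3


def fermat_holds(p: int) -> bool:
    """Corollary 5.6: b^p = b (mod p) for every b in Z_p, including b = 0."""
    return all(pow(b, p, p) == b for b in range(p))


if __name__ == "__main__":
    print(primitive_elements(13), [order(a, 13) for a in range(1, 13)])
    print(powers_of(2, 13))
    print(check_facts(13), fermat_holds(13))
```

For p = 13 the primes dividing p − 1 = 12 are 2 and 3, so Theorem 5.8 needs only α⁶ and α⁴; the four elements that pass are 2, 6, 7 and 11, matching φ(12) = 4.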

Page 28

The RSA Cryptosystem

Cryptosystem 5.1: RSA Cryptosystem
Let n = pq, where p and q are primes. Let P = C = Zn, and define
K = {(n, p, q, a, b) : ab ≡ 1 (mod φ(n))}
For K = (n, p, q, a, b), define
eK(x) = x^b mod n and dK(y) = y^a mod n (x, y ∈ Zn)
The values n and b comprise the public key, and the values p, q, and a form the private key.

We need to verify dK(eK(x)) = x, i.e. (x^b)^a ≡ x (mod n).

Example 5.5:
1. Bob picks p = 101 and q = 113. Then n = 11413 and φ(n) = 100 · 112 = 11200.
2. Bob chooses b = 3533. Then a = b⁻¹ mod φ(n) = 6597.
3. Alice encrypts the plaintext 9726 using the public key n and b: 9726^3533 mod 11413 = 5761.
4. Bob decrypts the ciphertext using the private key p, q and a: 5761^6597 mod 11413 = 9726.

Page 29

Implementing RSA

Represent the exponent c in binary notation:
$$c = \sum_{i=0}^{l-1} c_i 2^i = c_{l-1} 2^{l-1} + c_{l-2} 2^{l-2} + \cdots + c_1 2 + c_0,\qquad c_i \in \{0, 1\}.$$

Algorithm 5.5: Square-And-Multiply(x, c, n)
  z ← 1
  for i ← l−1 downto 0 do
    z ← z² mod n
    if ci = 1 then z ← (z · x) mod n
  return z

This algorithm computes x^c in Zn very efficiently: at most 2l modular multiplications, where l is the bit length of c, instead of c − 1.

Example 5.5 (Cont.): Recall n = 11413, b = 3533, and plaintext = 9726. Compute 9726^3533 mod 11413.
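Cryptosystem 5.1 and Algorithm 5.5 as one added worked example (not code from the slides): square_and_multiply scans the bits of c from c_{l−1} down to c_0 exactly as on the slide, the trace version shows the intermediate z values for the slide's computation of 9726^3533 mod 11413, and rsa_keygen/encrypt/decrypt run Example 5.5 with the textbook's p, q and b. rsa_roundtrip_all checks (x^b)^a ≡ x for every x in Zn by exhaustion, which is feasible for this toy modulus and confirms the claim the slide says must be verified. Names are mine; Python 3.8+ is assumed for pow(b, -1, phi).

```python
from math import gcd


def square_and_multiply(x: int, c: int, n: int) -> int:
    """Algorithm 5.5: z = z^2 at each bit, times x when the bit is 1; at most 2l multiplications."""
    z = 1
    for bit in bin(c)[2:]:            # c_{l-1} first
        z = (z * z) % n
        if bit == "1":
            z = (z * x) % n
    return z


def square_and_multiply_trace(x: int, c: int, n: int) -> list:
    """Same computation, returning (i, c_i, z) after each iteration, for the slide's worked example."""
    bits = bin(c)[2:]
    l = len(bits)
    z, trace = 1, []
    for idx, bit in enumerate(bits):
        z = (z * z) % n
        if bit == "1":
            z = (z * x) % n
        trace.append((l - 1 - idx, int(bit), z))
    return trace


def rsa_keygen(p: int, q: int, b: int) -> tuple:
    """Public key (n, b), private key (p, q, a) with a*b = 1 (mod phi(n)), phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < b < phi or gcd(b, phi) != 1:
        raise ValueError("b must be a unit mod phi(n)")
    a = pow(b, -1, phi)
    return (n, b), (p, q, a)


def rsa_encrypt(x: int, public: tuple) -> int:
    """e_K(x) = x^b mod n."""
    n, b = public
    if not 0 <= x < n:
        raise ValueError("plaintext must lie in Z_n")
    return square_and_multiply(x, b, n)


def rsa_decrypt(y: int, private: tuple, n: int) -> int:
    """d_K(y) = y^a mod n."""
    _, _, a = private
    return square_and_multiply(y, a, n)


def rsa_roundtrip_all(public: tuple, private: tuple) -> bool:
    """(x^b)^a = x (mod n) for every x in Z_n, verified by exhaustion (toy modulus only)."""
    n, _ = public
    return all(rsa_decrypt(rsa_encrypt(x, public), private, n) == x for x in range(n))


if __name__ == "__main__":
    public, private = rsa_keygen(101, 113, 3533)
    print(public, private)
    for i, ci, z in square_and_multiply_trace(9726, 3533, 11413):
        print(f"i={i:2d} c_i={ci} z={z}")
    y = rsa_encrypt(9726, public)
    print(y, rsa_decrypt(y, private, public[0]), rsa_roundtrip_all(public, private))
```

3533 = 110111001101 in binary, so the loop runs 12 times and the last z printed is the ciphertext 5761; the exhaustive round-trip succeeds for all of Zn, including the x that are not coprime to n, because n = pq is squarefree.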