1. Classical Cryptography

Some Simple Cryptosystems
• Shift Cipher
• Substitution Cipher
• Affine Cipher
• Vigenère Cipher
• Hill Cipher
• Permutation Cipher
• Stream Cipher

Modular Arithmetic, Number Theory, and Groups
Cryptanalysis
The RSA Cryptosystem
Classical Cryptography

Definition 1.1: A cryptosystem is a five-tuple (P, C, H, E, D), where the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. H, the keyspace, is a finite set of possible keys
4. For each K ∈ H, there is an encryption rule eK ∈ E, eK: P → C, and a corresponding decryption rule dK ∈ D, dK: C → P, such that dK(eK(x)) = x for every x ∈ P.

[Figure: Alice's encrypter turns plaintext x into ciphertext y under key K; the key source delivers K to both parties over a secure channel; Bob's decrypter recovers x from y; Oscar, the opponent, sits on the channel between them.]
Modular Arithmetic

Definition 1.2: Suppose a and b are integers, and m is a positive integer. Then we write a ≡ b (mod m) if m divides b - a.
• a ≡ b (mod m) if and only if a - b = km for some integer k
• Zm: the set of equivalence classes under congruence mod m
• Canonical form Zm = {0, 1, 2, …, m-1}: we use the remainder in {0, …, m-1} as the standard representative.
• -1 ≡ m-1 (mod m)
• (Zm, +, 0) is a group:
  + is closed
  Associative: (a + b) + c = a + (b + c)
  Commutative: a + b = b + a (abelian group)
  0 is the identity for +: a + 0 = 0 + a = a
  Additive inverse: (-a) + a = a + (-a) = 0
Modular Arithmetic

• (Zm, +, ·, 0, 1) is a ring:
  + and · are closed
  + and · are associative and commutative (abelian ring)
  · distributes over +: a · (b + c) = a · b + a · c
  0 is the identity for + and 1 for ·
  Additive inverses exist
• (Zp, +, ·, 0, 1) is a field (when p is a prime number):
  + and · are closed
  + and · are associative and commutative
  · distributes over +
  0 is the identity for + and 1 for ·
  Additive inverses and multiplicative inverses (of nonzero elements) exist
Shift Cipher

Cryptosystem 1.1: (Shift Cipher) Let P = C = H = Z26. For 0 ≤ K ≤ 25, define
eK(x) = (x + K) mod 26 (x ∈ Z26) and dK(y) = (y - K) mod 26 (y ∈ Z26)

Correspondence between letters and residues modulo 26:
A  B  C  D  E  F  G  H  I  J  K  L  M  N
0  1  2  3  4  5  6  7  8  9  10 11 12 13
O  P  Q  R  S  T  U  V  W  X  Y  Z
14 15 16 17 18 19 20 21 22 23 24 25

Example 1.1: K = 11 and the plaintext is wewillmeetatmidnight. Then the ciphertext is HPHTWWXPPELEXTOYTRSE.

1. eK and dK should be efficiently computable.
2. An opponent, upon seeing a ciphertext string y, should be unable to determine the key K that was used, or the plaintext string x.
3. The process of attempting to compute the key K is called cryptanalysis.
Substitution Cipher

Cryptosystem 1.2: (Substitution Cipher) Let P = C = Z26 and let H consist of all permutations on Z26. For each permutation π ∈ H, define eπ(x) = π(x) and dπ(y) = π^-1(y), where π^-1 is the inverse permutation to π and x, y ∈ Z26.

(Letters and residues correspond as in the table for the shift cipher.)

A permutation π can be:
x:    a b c d e f g h i j k l m n o p q r s t u v w x y z
π(x): X N Y A H P O G Z Q W B T S F L R C V M U E K J D I
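Example 1.1 and the permutation table above, worked as an added Python example (not code from the slides): the shift cipher is the substitution cipher whose permutation is x ↦ (x + K) mod 26, so a single substitute() routine serves both cryptosystems, and dπ is obtained by inverting the permutation dict. All function names are this example's own.

```python
import string

ALPHABET = string.ascii_lowercase          # letter a..z <-> residue 0..25 in Z26

def shift_permutation(k):
    """Cryptosystem 1.1 as a permutation of Z26: pi(x) = (x + k) mod 26."""
    return {x: (x + k) % 26 for x in range(26)}

def permutation_from_table(images):
    """Cryptosystem 1.2: images[x] is the ciphertext letter for plaintext letter x
    (the slide's row 'X N Y A H P ...'). Rejects tables that are not bijections."""
    pi = {x: ALPHABET.index(images[x].lower()) for x in range(26)}
    if sorted(pi.values()) != list(range(26)):
        raise ValueError("table is not a permutation of Z26")
    return pi

def invert(pi):
    """pi^-1, needed for d_pi; well defined because pi is a bijection."""
    return {y: x for x, y in pi.items()}

def substitute(text, pi):
    return "".join(ALPHABET[pi[ALPHABET.index(ch)]] for ch in text.lower())

def encrypt(plaintext, pi):
    return substitute(plaintext, pi).upper()       # ciphertext in upper case, as on the slides

def decrypt(ciphertext, pi):
    return substitute(ciphertext, invert(pi))

SHIFT_11 = shift_permutation(11)                                  # Example 1.1
TABLE = permutation_from_table("XNYAHPOGZQWBTSFLRCVMUEKJDI")      # the permutation shown above

if __name__ == "__main__":
    print(encrypt("wewillmeetatmidnight", SHIFT_11))   # HPHTWWXPPELEXTOYTRSE
    print(decrypt("HPHTWWXPPELEXTOYTRSE", SHIFT_11))   # wewillmeetatmidnight
    print(encrypt("substitution", TABLE), decrypt(encrypt("substitution", TABLE), TABLE))
```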
Congruence Equations

• Consider the congruence equation ax ≡ b (mod m), a, b ∈ Zm
• 5x ≡ 8 (mod 12): x = 4, a unique solution in Z12 (gcd(5, 12) = 1)
• 3x ≡ 8 (mod 12): no solution (gcd(3, 12) = 3)
• 3x ≡ 9 (mod 12): x can be 3, 7, or 11, multiple solutions in Z12 (gcd(3, 12) = 3)

Theorem 1.1: ax ≡ b (mod m) has a unique solution in Zm for every number b in Zm iff gcd(a, m) = 1.

Definition 1.3: Suppose a ≥ 1 and m ≥ 2 are integers. If gcd(a, m) = 1, then we say that a and m are relatively prime.
Multiplicative Inverses

Definition 1.4: Suppose a ∈ Zm. The multiplicative inverse of a modulo m is an element b ∈ Zm such that ab ≡ ba ≡ 1 (mod m).
1. If the multiplicative inverse of a exists, it is unique. It is denoted by a^-1.
2. If b is the inverse of a, then a is the inverse of b.
3. a ∈ Zm has a multiplicative inverse in Zm if and only if gcd(a, m) = 1.

Multiplicative group Z*m = {a ∈ Zm : gcd(a, m) = 1}
Euler phi function: φ(m) = |Z*m|

Theorem 1.2: If $m = \prod_{i=1}^{n} p_i^{e_i}$, where the $p_i$ are distinct primes and $e_i > 0$, then
$$\phi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right).$$

Z*26 = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}
(Z*26)^-1 = {1, 9, 21, 15, 3, 19, 7, 23, 11, 5, 17, 25} (the inverses, listed in the same order)
If p is a prime, then Z*p = {1, 2, …, p-1}. Note: (Zp, +, ·, 0, 1) is a field.
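The congruence examples, Theorem 1.1, the inverse list for Z*26 and Theorem 1.2, checked in one added Python example (not from the slides). It goes slightly beyond the slides by solving ax ≡ b (mod m) for any a, b, m, which exhibits the "unique / none / gcd(a, m) many" trichotomy behind Theorem 1.1; all function names are this example's own.

```python
from math import gcd

def solve_congruence(a, b, m):
    """All x in Z_m with a*x = b (mod m), found by exhaustive search over Z_m.
    Theorem 1.1: exactly one solution for every b iff gcd(a, m) = 1; otherwise
    there are gcd(a, m) solutions when gcd(a, m) divides b and none when it does not."""
    return [x for x in range(m) if (a * x - b) % m == 0]

def units(m):
    """Z*_m = {a in Z_m : gcd(a, m) = 1}, the multiplicative group modulo m."""
    return [x for x in range(1, m) if gcd(x, m) == 1]

def inverse(a, m):
    """a^-1 mod m (Definition 1.4), or None if it does not exist."""
    sols = solve_congruence(a, 1, m)
    return sols[0] if sols else None

def phi(m):
    """Euler phi function by its definition phi(m) = |Z*_m|."""
    return len(units(m))

def phi_by_factorization(m):
    """Theorem 1.2: phi(m) = prod (p_i^e_i - p_i^(e_i - 1)) over m = prod p_i^e_i
    (trial-division factorization; fine for the small moduli on these slides)."""
    result, n, p = 1, m, 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            result *= p ** e - p ** (e - 1)
        p += 1
    if n > 1:                       # leftover prime factor with exponent 1
        result *= n - 1
    return result
```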
Affine Cipher

Cryptosystem 1.3: (Affine Cipher) Let P = C = Z26 and H = Z*26 × Z26. For each K = (a, b) ∈ H, define
eK(x) = (ax + b) mod 26 (x ∈ Z26) and
dK(y) = a^-1 (y - b) mod 26 (y ∈ Z26).

Example 1.3: Suppose that K = (a, b) = (7, 3).
eK(x) = ? dK(y) = ? dK(eK(x)) = ?
Encrypt the plaintext hot.
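Example 1.3 carried out in an added Python example (not code from the slides): the key check enforces a ∈ Z*26, since dK needs a^-1, and the 7^-1 = 15 used by dK is computed rather than looked up. Function names are this example's own.

```python
from math import gcd

def affine_key(a, b):
    """Check K = (a, b) lies in Z*26 x Z26 and precompute a^-1, which d_K needs."""
    if gcd(a, 26) != 1:
        raise ValueError(f"a = {a} is not in Z*26 (gcd(a, 26) = {gcd(a, 26)}); d_K would not exist")
    return a % 26, b % 26, pow(a, -1, 26)      # pow(a, -1, m) gives a^-1 mod m (Python >= 3.8)

def encrypt(plaintext, key):
    """e_K(x) = (a x + b) mod 26, letter by letter."""
    a, b, _ = key
    return "".join(chr(ord("A") + (a * (ord(c) - ord("a")) + b) % 26) for c in plaintext.lower())

def decrypt(ciphertext, key):
    """d_K(y) = a^-1 (y - b) mod 26."""
    _, b, a_inv = key
    return "".join(chr(ord("a") + (a_inv * (ord(c) - ord("A") - b)) % 26) for c in ciphertext.upper())

def keyspace_size():
    """|H| = |Z*26| * |Z26| = 12 * 26 = 312 keys."""
    return len([a for a in range(26) if gcd(a, 26) == 1]) * 26

# Example 1.3: e_K(x) = 7x + 3 and d_K(y) = 15(y - 3), because 7 * 15 = 105 = 1 (mod 26)
KEY = affine_key(7, 3)
```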
Vigenère Cipher

Cryptosystem 1.4: (Vigenère Cipher) Let m be a positive integer. Let P = C = H = (Z26)^m. For a key K = (k1, k2, …, km) ∈ H, define
eK(x1, x2, …, xm) = (x1 + k1, x2 + k2, …, xm + km) and
dK(y1, y2, …, ym) = (y1 - k1, y2 - k2, …, ym - km)
where all operations are performed in Z26.

Example 1.4: Suppose that m = 6 and the key is CIPHER, i.e., K = (2, 8, 15, 7, 4, 17). Encrypt the plaintext thiscryptosystemisnotsecure.

Polyalphabetic cryptosystem: the key of the system contains multiple alphabetic characters.
Linear Transformation and Matrix

The linear map (x1, x2) ↦ (y1, y2) given by
$$y_1 = (11x_1 + 8x_2) \bmod 26,\qquad y_2 = (3x_1 + 7x_2) \bmod 26$$
can be written as a vector-matrix product:
$$(y_1, y_2) = (x_1, x_2)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} \pmod{26}.$$

If A = (a_{i,j}) and B = (b_{i,j}) are two l × m matrices, then the sum A + B is defined as (a_{i,j} + b_{i,j}).
If A = (a_{i,j}) is an l × m matrix and B = (b_{i,j}) is an m × n matrix, then the product AB = (c_{i,j}) is an l × n matrix defined by the formula
$$c_{i,j} = \sum_{k=1}^{m} a_{i,k} b_{k,j} \pmod{26}.$$

(Z26)^{n×n}: all n × n matrices over Z26.
In: the n × n identity matrix. For any A ∈ (Z26)^{n×n}, In A = A In = A.
0n: the n × n zero matrix. For any A ∈ (Z26)^{n×n}, 0n + A = A + 0n = A.
((Z26)^{n×n}, 0n, In, +, ·) is a ring.
The Inverse of a Matrix

Definition: Suppose A ∈ (Z26)^{n×n}. The inverse of A over (Z26)^{n×n} is a matrix B ∈ (Z26)^{n×n} such that AB = BA = In.
1. If the inverse of A exists, it is unique. It is denoted by A^-1.
2. If B is the inverse of A, then A is the inverse of B.

Definition 1.5: Suppose A = (a_{i,j}) is an m × m matrix. For 1 ≤ i ≤ m, 1 ≤ j ≤ m, define A_{i,j} to be the matrix obtained from A by deleting the ith row and the jth column.
The determinant of A, denoted det A, is the value a_{1,1} if m = 1. If m > 1, det A is computed recursively from the formula
$$\det A = \sum_{j=1}^{m} (-1)^{i+j}\, a_{i,j} \det A_{i,j},$$
where i is any fixed row index with 1 ≤ i ≤ m.

det A = a11a22 - a12a21 if m = 2
det A = a11a22a33 + a21a32a13 + a31a12a23 - a13a22a31 - a12a21a33 - a11a23a32 if m = 3
The Inverse of a Matrix

Properties: 1. det In = 1. 2. det(AB) = det A · det B.

Theorem 1.3: Suppose A = (a_{i,j}) is an m × m matrix over Zn such that det A is invertible in Zn. Then A^-1 = (det A)^-1 A*, where A* is the adjoint matrix of A. That is, A* = (a*_{i,j}) with a*_{i,j} = (-1)^{i+j} det A_{j,i}.

For m = 2:
$$A = \begin{pmatrix} a_{1,1} & a_{1,2} \\ a_{2,1} & a_{2,2} \end{pmatrix},\qquad
A^{-1} = (\det A)^{-1}\begin{pmatrix} a_{2,2} & -a_{1,2} \\ -a_{2,1} & a_{1,1} \end{pmatrix}.$$

Example 1.5: $A = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}$ over Z26. A^-1 = ?

Example 1.6: $A = \begin{pmatrix} 10 & 5 & 12 \\ 3 & 14 & 21 \\ 8 & 9 & 11 \end{pmatrix}$ over Z26. A^-1 = ?
Hill Cipher

Cryptosystem 1.5: (Hill Cipher) Let m ≥ 2 be an integer. Let P = C = (Z26)^m and H = GL(m, Z26). For a key K, define
eK(x) = xK and dK(y) = yK^-1
where GL(m, Z26) = {A ∈ (Z26)^{m×m} : A is invertible} and all operations are performed in Z26.

Example 1.5: Suppose the key is
$$K = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix},\qquad K^{-1} = \begin{pmatrix} 7 & 18 \\ 23 & 11 \end{pmatrix}.$$
We want to encrypt the plaintext july. Since july = 9 20 11 24:
$$(9, 20)K = (9, 20)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} = (3, 4) = DE,\qquad
(11, 24)K = (11, 24)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} = (11, 22) = LW.$$
The ciphertext is DELW.
Permutation Cipher

Cryptosystem 1.6: (Permutation Cipher) Let m be a positive integer. Let P = C = (Z26)^m and let H consist of all permutations of {1, …, m}. For a key π, define
eπ(x1, x2, …, xm) = (x_{π(1)}, x_{π(2)}, …, x_{π(m)}) and
dπ(y1, y2, …, ym) = (y_{π^-1(1)}, y_{π^-1(2)}, …, y_{π^-1(m)}),
where π^-1 is the inverse permutation to π.

Example 1.7: Suppose m = 6 and the key is the following permutation π:
x:    1 2 3 4 5 6
π(x): 3 5 1 6 4 2
π^-1 = ?
Encrypt the following plaintext: shesellsseashellsbytheseashore
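Example 1.7 in an added Python example (not code from the slides): eπ reorders each block of m letters by π, and dπ is the same operation with π^-1, which is computed from π by swapping keys and values. Function names are this example's own.

```python
def inverse_permutation(pi):
    """pi is a dict {x: pi(x)} on {1, ..., m}; return pi^-1 as the same kind of dict."""
    inv = {y: x for x, y in pi.items()}
    if sorted(inv) != sorted(pi):
        raise ValueError("key is not a permutation of {1, ..., m}")
    return inv

def apply_permutation(block, pi):
    """(x_1, ..., x_m) -> (x_pi(1), ..., x_pi(m)); block is 0-indexed, pi is 1-indexed as on the slide."""
    return "".join(block[pi[j] - 1] for j in range(1, len(block) + 1))

def encrypt(plaintext, pi):
    """e_pi applied block by block; the plaintext length must be a multiple of m."""
    m = len(pi)
    text = plaintext.lower()
    if len(text) % m:
        raise ValueError(f"plaintext length {len(text)} is not a multiple of m = {m}")
    return "".join(apply_permutation(text[i:i + m], pi) for i in range(0, len(text), m)).upper()

def decrypt(ciphertext, pi):
    """d_pi: the same reordering with pi^-1, since y_j = x_pi(j) means x_k = y_pi^-1(k)."""
    return encrypt(ciphertext, inverse_permutation(pi)).lower()

PI = {1: 3, 2: 5, 3: 1, 4: 6, 5: 4, 6: 2}       # the key of Example 1.7

if __name__ == "__main__":
    print(inverse_permutation(PI))
    print(encrypt("shesellsseashellsbytheseashore", PI))
```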
Stream Cipher

Definition 1.6: A synchronous stream cipher is a tuple (P, C, H, L, E, D), together with a function g, such that the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. H, the keyspace, is a finite set of possible keys
4. L is a finite set called the keystream alphabet
5. g is the keystream generator. g takes a key K as input and generates an infinite string z1z2… called the keystream, where zi ∈ L for all i ≥ 1.
6. For each z ∈ L, there is an encryption rule ez ∈ E, ez: P → C, and a corresponding decryption rule dz ∈ D, dz: C → P, such that dz(ez(x)) = x for all x ∈ P.

Block cipher: x = x1x2… and a key K give y = y1y2… = eK(x1)eK(x2)…
Stream cipher: x = x1x2… and a key K give a keystream z = z1z2…, and
y = y1y2… = e_{z1}(x1) e_{z2}(x2) …
Stream Cipher (Cont.)

• Let P = C = L = Z26, H = (Z26)^m.
• For K = (k1, k2, …, km), define
$$z_i = \begin{cases} k_{i \bmod m} & \text{if } i \bmod m \neq 0 \\ k_m & \text{if } i \bmod m = 0 \end{cases}$$
This generates the keystream k1k2…km k1k2…km k1k2…km …
• For z ∈ L define ez(x) = (x + z) mod 26 and dz(y) = (y - z) mod 26.

This is the Vigenère cipher defined as a synchronous stream cipher.

A stream cipher is a periodic stream cipher with period d if z_{i+d} = z_i for all i ≥ 1.
Stream Cipher (Cont.)

Example 1.8: m = 4, z_{i+4} = (z_i + z_{i+1}) mod 2, K = (k1, k2, k3, k4) = (1, 0, 0, 0). The keystream z1z2z3… = ? And the period d = ?

[Figure: a 4-stage register holding k1 k2 k3 k4, with the sum (+) of two stages fed back into the register.]

Linear Feedback Shift Register (LFSR)
Generating the keystream using a linear recurrence of degree m:
$$z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2$$
for all i ≥ 1, where c0, …, c_{m-1} ∈ Z2 are constants with c0 ≠ 0, and (z1, …, zm) = (k1, …, km).

Encryption: yi = (xi +zi) mod 2 and Decryption: xi = (yi - zi) mod 2
Non-Synchronous Stream Cipher

A non-synchronous stream cipher is a stream cipher in which each keystream element zi depends on previous plaintext or ciphertext elements (x1…x_{i-1} and/or y1…y_{i-1}) as well as the key K.

Cryptosystem 1.7: (Autokey Cipher) Let P = C = H = L = Z26. Let z1 = K, and define zi = x_{i-1} for all i ≥ 2. For 0 ≤ z ≤ 25, define
ez(x) = (x + z) mod 26 and dz(y) = (y - z) mod 26 (x, y ∈ Z26).

Example 1.9: K = 8 and the plaintext is rendezvous. The keystream z1z2z3… = ? The ciphertext y1y2… = ?
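Examples 1.4 and 1.9 worked in one added Python example (not code from the slides) that follows the stream-cipher view of the preceding slides: the same e_z / d_z rules are driven either by the periodic Vigenère keystream (synchronous, independent of the plaintext) or by the autokey keystream z1 = K, zi = x_{i-1} (non-synchronous, so decryption must recover x_{i-1} before it can form zi). Function names are this example's own.

```python
def letters_to_ints(text):
    return [ord(c) - ord("a") for c in text.lower()]

def ints_to_letters(nums, upper=True):
    base = ord("A") if upper else ord("a")
    return "".join(chr(base + n % 26) for n in nums)

def vigenere_keystream(key, n):
    """Cryptosystem 1.4 as a synchronous stream cipher: z_i = k_(i mod m), period m."""
    m = len(key)
    return [key[i % m] for i in range(n)]

def stream_encrypt(plaintext, keystream):
    """y_i = e_{z_i}(x_i) with e_z(x) = (x + z) mod 26, element by element."""
    xs = letters_to_ints(plaintext)
    return ints_to_letters(x + z for x, z in zip(xs, keystream))

def stream_decrypt(ciphertext, keystream):
    """x_i = d_{z_i}(y_i) with d_z(y) = (y - z) mod 26; only valid when z is known up front."""
    ys = letters_to_ints(ciphertext)
    return ints_to_letters((y - z for y, z in zip(ys, keystream)), upper=False)

def autokey_encrypt(plaintext, K):
    """Cryptosystem 1.7: z_1 = K and z_i = x_(i-1); the keystream is built from the plaintext."""
    xs = letters_to_ints(plaintext)
    keystream = [K] + xs[:-1]
    return stream_encrypt(plaintext, keystream), keystream

def autokey_decrypt(ciphertext, K):
    """Non-synchronous: z_i is only available after x_(i-1) has been recovered,
    so decryption runs strictly left to right, one element at a time."""
    ys = letters_to_ints(ciphertext)
    xs, z = [], K
    for y in ys:
        x = (y - z) % 26
        xs.append(x)
        z = x                      # this plaintext element is the next keystream element
    return ints_to_letters(xs, upper=False)

VIG_KEY = (2, 8, 15, 7, 4, 17)     # CIPHER, the key of Example 1.4
```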
Cryptanalysis

Cryptanalysis: the process of attempting to compute the key K, given a string of ciphertext y.
Kerckhoffs' principle: the opponent knows the cryptosystem being used.

Common types of attack models:
• Ciphertext-only attack: the opponent possesses a string of ciphertext, y.
• Known-plaintext attack: the opponent possesses a string of plaintext, x, and the corresponding ciphertext, y.
• Chosen-plaintext attack: the opponent can use the encryption machine.
• Chosen-ciphertext attack: the opponent can use the decryption machine.
Cryptanalysis of the Affine Cipher

Statistical properties of the English language:
• Relative frequencies of the 26 letters
• Common sequences of two or three consecutive letters

Example 1.10: Ciphertext obtained from an Affine Cipher.
Letter counts: R: 8 occurrences, D: 7 occurrences, E, H, K: 5 occurrences each.

First guess: e → R, i.e. eK(4) = 17, so 4a + b = 17; t → D, i.e. eK(19) = 3, so 19a + b = 3. This gives a = 6, b = 19.
Second guess: e → R, i.e. eK(4) = 17, so 4a + b = 17; t → E, i.e. eK(19) = 4, so 19a + b = 4. This gives a = 13, b = 9.
Third guess: e → R, i.e. eK(4) = 17, so 4a + b = 17; t → H, i.e. eK(19) = 7, so 19a + b = 7. This gives a = 8, b = ?
Fourth guess: e → R, i.e. eK(4) = 17, so 4a + b = 17; t → K, i.e. eK(19) = 10, so 19a + b = 10. This gives a = 3, b = 5.
Cryptanalysis of the Hill Cipher

Known-plaintext attack on the Hill Cipher (m is known as well). Write the plaintext and ciphertext in blocks of m:
x1…xm / x_{m+1}…x_{2m} / x_{2m+1}… and y1…ym / y_{m+1}…y_{2m} / y_{2m+1}…
Let a1, a2, a3, … be the plaintext m-tuples and b1, b2, b3, … the corresponding ciphertext m-tuples, so that bi = eK(ai) = ai K. Stacking m of them as rows,
$$\begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix} K,
\qquad\text{hence}\qquad
K = \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix}^{-1} \begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix},$$
provided the matrix of plaintext rows is invertible over Z26.

Example 1.13: m = 2. plaintext: friday = 5 17 / 8 3 / 0 24; ciphertext: PQCFKU = 15 16 / 2 5 / 10 20.
eK(5, 17) = (15, 16), eK(8, 3) = (2, 5), eK(0, 24) = (10, 20).
$$\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix} K,
\qquad
K = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix}^{-1}\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix}
= \begin{pmatrix} 9 & 1 \\ 2 & 15 \end{pmatrix}\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix}
= \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix}.$$
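Examples 1.5 (Hill encryption and decryption with K and K^-1) and 1.13 (recovering K from two known plaintext/ciphertext blocks) in one added Python example, not code from the slides. It is restricted to m = 2, so the inverse is Theorem 1.3's closed form (det A)^-1 · adj(A); a non-invertible determinant is rejected rather than silently producing a wrong key. Function names are this example's own.

```python
from math import gcd

MOD = 26

def det2(A):
    (a, b), (c, d) = A
    return (a * d - b * c) % MOD

def inverse2(A):
    """Theorem 1.3 for m = 2: A^-1 = (det A)^-1 * adj(A), adj(A) = [[a22, -a12], [-a21, a11]]."""
    d = det2(A)
    if gcd(d, MOD) != 1:
        raise ValueError(f"det A = {d} is not invertible in Z{MOD}; A is not in GL(2, Z26)")
    d_inv = pow(d, -1, MOD)
    (a, b), (c, e) = A
    return [[(d_inv * e) % MOD, (d_inv * -b) % MOD],
            [(d_inv * -c) % MOD, (d_inv * a) % MOD]]

def matmul(X, Y):
    """Product over Z26: c_ij = sum_k x_ik y_kj mod 26, for any compatible sizes."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % MOD for j in range(len(Y[0]))]
            for i in range(len(X))]

def to_blocks(text, m):
    """Rows of m residues; each row is one plaintext (or ciphertext) vector."""
    nums = [ord(c) - ord("a") for c in text.lower()]
    return [nums[i:i + m] for i in range(0, len(nums), m)]

def from_blocks(rows, upper):
    base = ord("A") if upper else ord("a")
    return "".join(chr(base + v) for row in rows for v in row)

def encrypt(plaintext, K):
    return from_blocks(matmul(to_blocks(plaintext, 2), K), upper=True)      # y = xK, row by row

def decrypt(ciphertext, K):
    return from_blocks(matmul(to_blocks(ciphertext, 2), inverse2(K)), upper=False)   # x = yK^-1

def recover_key(plaintext, ciphertext):
    """Known-plaintext attack of Example 1.13: with X (two plaintext rows) invertible, K = X^-1 Y."""
    X = to_blocks(plaintext, 2)[:2]
    Y = to_blocks(ciphertext, 2)[:2]
    return matmul(inverse2(X), Y)
```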
Cryptanalysis of the LFSR Cipher

The keystream satisfies the linear recurrence
$$z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2,$$
so the first 2m keystream bits determine the unknown coefficients (c0, …, c_{m-1}) through a linear system over Z2:
$$(z_{m+1}, z_{m+2}, \ldots, z_{2m}) = (c_0, c_1, \ldots, c_{m-1})
\begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix},$$
and if the matrix is invertible,
$$(c_0, c_1, \ldots, c_{m-1}) = (z_{m+1}, z_{m+2}, \ldots, z_{2m})
\begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix}^{-1}.$$
Since yi = (xi + zi) mod 2, a known plaintext gives the keystream bits zi = (yi - xi) mod 2.

Example 1.14: m = 5. plaintext: 101101011110010, ciphertext: 011001111111000.
The keystream: 110100100001010
$$(0, 1, 0, 0, 0) = (c_0, c_1, c_2, c_3, c_4)
\begin{pmatrix} 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 \end{pmatrix}$$
$$(c_0, c_1, c_2, c_3, c_4) = (0, 1, 0, 0, 0)
\begin{pmatrix} 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 0 \end{pmatrix} = (1, 0, 0, 1, 0)$$
So the recurrence is z_{i+5} = (z_i + z_{i+3}) mod 2.
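Examples 1.8 (keystream and period of a degree-4 LFSR) and 1.14 (recovering the recurrence from 2m keystream bits) in one added Python example, not code from the slides. Instead of writing down the inverse matrix it solves c·M = (z_{m+1}, …, z_{2m}) by Gauss-Jordan elimination over Z2, which works for any m and fails loudly when M is singular. Function names are this example's own; the plaintext and ciphertext bits are those of Example 1.14.

```python
def lfsr_keystream(coeffs, init, n):
    """z_(i+m) = sum_j c_j z_(i+j) mod 2 with (z_1..z_m) = (k_1..k_m); return z_1..z_n."""
    z = list(init)
    m = len(coeffs)
    while len(z) < n:
        z.append(sum(c * zi for c, zi in zip(coeffs, z[-m:])) % 2)
    return z[:n]

def period(coeffs, init):
    """Smallest d with z_(i+d) = z_i for all i, i.e. the register returns to its initial state."""
    m = len(coeffs)
    z = lfsr_keystream(coeffs, init, 2 ** m + m)        # the period is at most 2^m - 1
    return next(d for d in range(1, 2 ** m) if z[d:d + m] == z[:m])

def solve_gf2(M, rhs):
    """Solve c * M = rhs over Z_2: equation j is sum_i c_i M[i][j] = rhs[j]."""
    m = len(M)
    rows = [[M[i][j] for i in range(m)] + [rhs[j]] for j in range(m)]
    for col in range(m):
        piv = next(r for r in range(col, m) if rows[r][col])     # StopIteration if M is singular
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]                        # reduced form: c_i in row i

def recover_coeffs(keystream, m):
    """Known-plaintext attack of Example 1.14: row i of M is (z_(i+1), ..., z_(i+m)), and
    (z_(m+1), ..., z_(2m)) = (c_0, ..., c_(m-1)) M."""
    z = keystream
    M = [z[i:i + m] for i in range(m)]
    return solve_gf2(M, z[m:2 * m])

def xor_bits(a, b):
    """z_i = (y_i - x_i) mod 2, i.e. plaintext XOR ciphertext."""
    return [(x + y) % 2 for x, y in zip(a, b)]

PLAIN = [int(b) for b in "101101011110010"]       # Example 1.14
CIPHER = [int(b) for b in "011001111111000"]

if __name__ == "__main__":
    z = xor_bits(PLAIN, CIPHER)
    print(z, recover_coeffs(z, 5))                  # (c0..c4) = [1, 0, 0, 1, 0]
    print(lfsr_keystream([1, 1, 0, 0], [1, 0, 0, 0], 15), period([1, 1, 0, 0], [1, 0, 0, 0]))
```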
More Number Theory

The Euclidean Algorithm (to compute gcd(r0, r1)):
r0 = q1 r1 + r2, 0 ≤ r2 < r1
r1 = q2 r2 + r3, 0 ≤ r3 < r2
…
r_{m-2} = q_{m-1} r_{m-1} + r_m, 0 ≤ r_m < r_{m-1}
r_{m-1} = q_m r_m + 0
gcd(r0, r1) = gcd(r1, r2) = … = gcd(r_{m-2}, r_{m-1}) = gcd(r_{m-1}, r_m) = r_m
So gcd(r0, r1) = r_m.

The Extended Euclidean Algorithm (to find the inverse of r1 ∈ Zn, n = r0):
1. Perform the Euclidean Algorithm for r0 and r1. Record the quotients q1, q2, …, qm.
2. Compute t0, t1, …, tm recursively as follows:
   t0 = 0, t1 = 1, tj = t_{j-2} - q_{j-1} t_{j-1}, 2 ≤ j ≤ m.
3. r1^-1 = tm (mod r0).
The sequence sj is defined in the same way:
   s0 = 1, s1 = 0, sj = s_{j-2} - q_{j-1} s_{j-1}, 2 ≤ j ≤ m.
More Number Theory (Cont.)

Theorem 5.1: rj = sj r0 + tj r1, for 0 ≤ j ≤ m.
Corollary 5.2: If gcd(r0, r1) = 1, then r1^-1 = tm mod r0.

Example 5.1: Compute 28^-1 in Z75 and 17^-1 in Z523.
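Example 5.1 worked by the Extended Euclidean Algorithm of the previous slide, as an added Python example (not code from the slides): the quotients q_j and both sequences s_j, t_j are kept so that Theorem 5.1 can be checked row by row, and Corollary 5.2 gives the inverse as t_m mod r0. Function names are this example's own.

```python
def extended_euclid(r0, r1):
    """Euclidean algorithm on (r0, r1) keeping the quotients q_j and the sequences
    s_0 = 1, s_1 = 0, t_0 = 0, t_1 = 1, s_j = s_(j-2) - q_(j-1) s_(j-1) (same for t_j).
    Returns rows (j, r_j, q_j, s_j, t_j) for j = 0..m; the last row has r_m = gcd(r0, r1)."""
    r = [r0, r1]
    q = [None]                      # q_j is the quotient in r_(j-1) = q_j r_j + r_(j+1)
    s, t = [1, 0], [0, 1]
    while r[-1] != 0:
        q.append(r[-2] // r[-1])
        r.append(r[-2] % r[-1])
        s.append(s[-2] - q[-1] * s[-1])
        t.append(t[-2] - q[-1] * t[-1])
    m = len(r) - 2                  # the loop stopped at r_(m+1) = 0; drop that entry
    return [(j, r[j], q[j], s[j], t[j]) for j in range(m + 1)]

def inverse_mod(a, n):
    """Corollary 5.2 with r0 = n, r1 = a: if gcd(n, a) = 1 then a^-1 mod n = t_m mod n."""
    rows = extended_euclid(n, a)
    _, g, _, _, t_m = rows[-1]
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return t_m % n

def check_theorem_5_1(r0, r1):
    """Theorem 5.1: r_j = s_j r0 + t_j r1 must hold in every row."""
    return all(r_j == s_j * r0 + t_j * r1 for _, r_j, _, s_j, t_j in extended_euclid(r0, r1))

if __name__ == "__main__":
    for row in extended_euclid(75, 28):
        print(row)                  # last row: (4, 1, 9, 3, -8), so 28^-1 = -8 mod 75 = 67
    print(inverse_mod(28, 75), inverse_mod(17, 523))   # 67 400
```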
Other Useful Facts

Group: A group is a nonempty set G equipped with an operation • such that the following axioms are satisfied:
1. (a•b)•c = a•(b•c) for all a, b, c ∈ G
2. There is an identity element e ∈ G such that a•e = e•a = a for all a ∈ G.
3. For every a ∈ G there is an a^-1 ∈ G such that a•a^-1 = a^-1•a = e.

Order of an element in a group: for a ∈ G, the smallest positive integer m s.t. a^m = e is called the order of a, and is denoted by o(a). If there is no positive integer m s.t. a^m = e, we say that o(a) = ∞.

Theorem 5.4 (Lagrange): Let G be a finite group with |G| = n. Then for all a ∈ G, o(a) divides n. In particular, a^{|G|} = e.

Corollary 5.5: If b ∈ Z*n, then b^{φ(n)} ≡ 1 (mod n).
Corollary 5.6 (Fermat): Let p be a prime and b ∈ Zp. Then b^p ≡ b (mod p).
Other Useful Facts (Cont.)

Cyclic Group: Let G be a group and α ∈ G. If all the elements in G are of the form α^n (n ∈ Z), we say that G is a cyclic group generated by α. In this case, we write G = ⟨α⟩ and α is called a generating element.

Theorem 5.7: If p is prime, then (Z*p, •) is a cyclic group.

A primitive element modulo p: a generating element of Z*p.

Example 5.4: Find the primitive elements modulo 13.

Theorem 5.8: Suppose p > 2 is prime and α ∈ Z*p. Then α is a primitive element modulo p iff α^{(p-1)/q} ≢ 1 (mod p) for all primes q s.t. q | (p-1).

Fact: Let α be a primitive element modulo p. Then
1. the order of β = α^i (0 ≤ i ≤ p-2) is (p-1)/gcd(p-1, i).
2. β = α^i (0 ≤ i ≤ p-2) is a primitive element modulo p iff gcd(p-1, i) = 1.
3. The number of primitive elements modulo p is φ(p-1).
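Example 5.4 and Theorem 5.8 in an added Python example (not code from the slides): is_primitive() applies the theorem's test, which needs only one exponentiation per prime divisor of p-1 instead of computing the full order, while order() computes o(β) directly so that the Fact above can be checked against it. Function names are this example's own.

```python
from math import gcd

def prime_factors(n):
    """Distinct prime divisors of n (trial division; n is small in these examples)."""
    ps, p = [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        ps.append(n)
    return ps

def is_primitive(alpha, p):
    """Theorem 5.8: alpha in Z*_p is primitive iff alpha^((p-1)/q) != 1 (mod p)
    for every prime q dividing p - 1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def order(beta, p):
    """o(beta): smallest k >= 1 with beta^k = 1 (mod p); by Lagrange it divides p - 1."""
    k, x = 1, beta % p
    while x != 1:
        x = (x * beta) % p
        k += 1
    return k

def primitive_elements(p):
    return [a for a in range(1, p) if is_primitive(a, p)]

def phi(n):
    """Euler phi by definition; the Fact says phi(p - 1) primitive elements exist."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

if __name__ == "__main__":
    print(primitive_elements(13), phi(12))            # [2, 6, 7, 11] 4
    print([order(pow(2, i, 13), 13) for i in range(12)])   # (p-1)/gcd(p-1, i) for alpha = 2
```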
The RSA Cryptosystem

Cryptosystem 5.1: RSA Cryptosystem
Let n = pq, where p and q are primes. Let P = C = Zn, and define
K = {(n, p, q, a, b) : ab ≡ 1 (mod φ(n))}.
For K = (n, p, q, a, b), define
eK(x) = x^b mod n and dK(y) = y^a mod n (x, y ∈ Zn).
The values n and b comprise the public key, and the values p, q, and a form the private key.

We need to verify dK(eK(x)) = x, i.e. (x^b)^a ≡ x (mod n).

Example 5.5:
1. Bob picks p = 101 and q = 113. Then n = 11413 and φ(n) = 11200.
2. Bob chooses b = 3533. Then a = b^-1 mod φ(n) = 6597.
3. Alice encrypts the plaintext 9726 using the public key n and b: 9726^3533 mod 11413 = 5761.
4. Bob decrypts the ciphertext using the private key p, q and a: 5761^6597 mod 11413 = 9726.
Implementing RSA

Represent c in binary notation:
$$c = \sum_{i=0}^{l-1} c_i 2^i = c_{l-1} 2^{l-1} + c_{l-2} 2^{l-2} + \cdots + c_1 2 + c_0,\qquad c_i \in \{0, 1\}.$$

The following algorithm computes x^c in Zn very efficiently.

Algorithm 5.5: Square-And-Multiply(x, c, n)
  z ← 1
  for i ← l-1 downto 0 do
    z ← z^2 mod n
    if ci = 1 then z ← (z · x) mod n
  return (z)

Example 5.5 (Cont.): Recall n = 11413, b = 3533, and plaintext = 9726. Compute 9726^3533 mod 11413.
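Algorithm 5.5 and Example 5.5 in one added Python example (not code from the slides): square_and_multiply() scans the bits of c from c_{l-1} down to c_0 exactly as the algorithm does, and the RSA key setup, encryption and decryption of Example 5.5 are built on it. Function names are this example's own.

```python
def square_and_multiply(x, c, n):
    """Algorithm 5.5: x^c mod n, processing the bits of c from c_(l-1) down to c_0."""
    z = 1
    for bit in bin(c)[2:]:           # most significant bit first
        z = (z * z) % n              # z <- z^2 mod n
        if bit == "1":
            z = (z * x) % n          # z <- z * x mod n
    return z

def multiplication_count(c):
    """Cost of Algorithm 5.5: l squarings plus one multiplication per 1-bit of c, at most 2l."""
    bits = bin(c)[2:]
    return len(bits), bits.count("1")

def rsa_keys(p, q, b):
    """Cryptosystem 5.1: n = pq, phi(n) = (p-1)(q-1), a = b^-1 mod phi(n).
    Returns the public key (n, b) and the private key (p, q, a)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    a = pow(b, -1, phi_n)            # raises ValueError if gcd(b, phi(n)) != 1
    return (n, b), (p, q, a)

def encrypt(x, public):
    n, b = public
    return square_and_multiply(x, b, n)      # e_K(x) = x^b mod n

def decrypt(y, public, private):
    n, _ = public
    _, _, a = private
    return square_and_multiply(y, a, n)      # d_K(y) = y^a mod n

if __name__ == "__main__":
    public, private = rsa_keys(101, 113, 3533)         # Example 5.5
    y = encrypt(9726, public)
    print(public, private, y, decrypt(y, public, private))   # ... 5761 9726
    print(multiplication_count(3533))                  # 12 squarings, 8 multiplications
```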