communication security & cryptography - … of shift cipher ciphertext only exhaustive key...

Computational Thinking Communication Security & Cryptography

Communication Security & Cryptography

Cetin Kaya Kochttp://koclab.cs.ucsb.edu/teaching/cs192

[email protected]

Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 1 / 44

http://koclab.cs.ucsb.edu/teaching/cs192

[email protected]

http://koclab.cs.ucsb.edu


Secure Communication over an Insecure Channel

Sender Receiver

Adversary

M




Secret-Key Cryptography

Sender Receiver

Adversary

C

C=EKe(M) M=DKd(C)

secure

channel Kd

Encryption and decryption functions: E (·) & D(·)Encryption and decryption keys: Ke & Kd

Plaintext and ciphertext: M & C




Secret-Key Cryptography

C = EKe (M) and M = DKd(C )

Either E (·) = D(·) and Ke 6= Kd

Kd is easily deduced from Ke

Ke is easily deduced from Kd

Or E (·) 6= D(·) and Ke = Kd

D(·) is easily deduced from E (·)E (·) is easily deduced from D(·)




First Example: Shift Cipher

Input/output: {a, b, . . . , z} with encoding {0, 1, . . . , 25}

a b c d e f g h i j k l m n o

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14

p q r s t u v w x y z

15 16 17 18 19 20 21 22 23 24 25

Encryption function: Ek(x) = x + k (mod 26)Decryption function: Dk(y) = y − k (mod 26)

The encryption or decryption key: k ∈ {0, 1, 2, . . . , 25}Key space size: 26 (or 25, if you do not count k = 0)

Caesar cipher: Shift cipher with a constant encryption key k = 3




Shift Cipher

For k = 15, hello is encrypted as wtaad sinceE15(h) = E15(7) = 7 + 15 = 22 (mod 26) → w

E15(e) = E15(4) = 4 + 15 = 19 (mod 26) → t

E15(l) = E15(11) = 11 + 15 = 26 = 0 (mod 26) → a

E15(o) = E15(14) = 14 + 15 = 29 = 3 (mod 26) → d

For k = 12, eqqw is decrypted as seek sinceD12(e) = D12(4) = 4− 12 = −8 = 18 (mod 26) → s

D12(q) = D12(16) = 16− 12 = 4 (mod 26) → e

D12(w) = D12(22) = 22− 12 = 10 (mod 26) → k




Cryptanalysis of Shift Cipher

Ciphertext only

Exhaustive key search: a paragraph of ciphertext(in order to avoid ambiguity)Frequency analysis: a paragraph of ciphertext(in order to get statistically reliable frequency count)

Known plaintext: a single plaintext/ciphertext pair




Exhaustive Key Search

Given an encrypted text: vnnc vn jc ljsn jc oxda yv

Decrypt the text with all possible keys:k=1−→ ummb um ib kirm ib nwcz xuk=2−→ tlla tl ha jhql ha mvby wt

· · ·k=8−→ nffu nf bu dbkf bu gpvs qnk=9−→ meet me at caje at four pm

A short encrypted text may have several “meaningful” decryptions:

vnnck=9−→ meet

vnnck=25−→ wood

For a sufficiently long encrypted text, there will not be ambiguity




Frequency Analysis

The most frequently occurring ciphertext is the encryption of themost frequently occurring plaintext

In English: that would be the letter e, followed up by letters t and a

Letter frequencies (percentages) in Englisha b c d e f g h i j

8.2 1.5 2.8 4.3 12.7 2.2 2.0 6.1 7.0 0.2

k l m n o p q r s t0.8 4.0 2.4 6.7 7.5 1.9 0.1 6.0 6.3 9.1

u v w x y z

2.8 1.0 2.3 0.1 2.0 0.1

Compute the ciphertext letter frequencies, and find the mostfrequently occurring the letter: this must be the ciptertext for theletter e




Occurrences of Letter e

Frequency: 54435 ≈ 12.4%




Occurrences of Letter a

Frequency: 23435 ≈ 5.3%




Unusual Texts

The novel “Gadsby” by E. V. Wright is written asa lipogram∗; it has 50,000 words in it without asingle occurrence of the letter e

“A Void”, translated from the original French “LaDisparition” (The Disappearance), is a 300-pagelipogrammatic novel, written in 1969 by GeorgesPerec, entirely without using the letter e (exceptfor the author’s name)

However, the probability of occurrence for such texts is very low

∗ A lipogram (leipogrammatos: leaving out a letter) is a kind of constrained

writing or word game consisting of writing paragraphs in which a particular letter

or group of letters is avoided




Frequency Analysis

Given the short ciphertext: tbxqebo fp dobxq ebob

Frequency analysis finds the most frequently occurring letter as b

The letter b (most probably) is the ciphertext for the letter e

Ek(e) = b

Ek(4) = 4 + k = 1 (mod 26)

k = 1− 4 = − 3 = 23 (mod 26)

Indeed, if we decrypt the encrypted text using the key k = 23, weobtain:tbxqebo fp dobxq ebob

k=23−→ weather is great here




Known Plaintext Scenario

Given a (any) single plaintext/ciphertext pair (x , y), we have

Ek(x) = x + k = y (mod 26)

k = y − x (mod 26)

Consider the encrypted message:zrrg zr ng bhe frperg ybpngvba

and the plaintext/ciphertext pair: m → z

Ek(m) = z

Ek(12) = 12 + k = 25 (mod 26)

k = 25− 12 = 13 (mod 26)

We find the key as k = 13; indeed this key decrypts the messagek=13−→ meet me at our secret location




Second Example: Hill Algebra

Encoding: {a, b, . . . , z} −→ {0, 1, . . . , 25}Select a d × d matrix A of integers and find its inverse A−1 mod 26

For example, for d = 2

A =

[3 32 5

]and A−1 =

[15 1720 9

]Verify:[

3 32 5

] [15 1720 9

]=

[105 78130 79

]=

[1 00 1

](mod 26)




Hill Cipher

Encryption function: c = E (m) = Am (mod 26)

Decryption function: m = D(c) = A−1 c (mod 26)

m and c are d × 1 vectors of plaintext and ciphertext letter encodings

Encryption key Ke : ADecryption key Kd : A−1 (mod 26)

A and A−1 are d × d matrices such that det(A) 6= 0 (mod 26) andA−1 is the inverse of A mod 26




Hill Cipher Example

The plaintext: "help"

u1 =

["h"

"e"

]=

[74

]; u2 =

["l"

"p"

]=

[1115

]Encryption: v1 = A u1 and v2 = A u2[

3 32 5

] [74

]=

[3334

]=

[78

]=

["h"

"i"

][

3 32 5

] [1115

]=

[7897

]=

[0

19

]=

["a"

"t"

]The ciphertext: "hiat"




Hill Cipher

To decrypt the ciphertext: "hiat", we need the vectors v1 and v2

Decryption: u1 = A−1 v1 and u2 = A−1 v2[15 1720 9

] [78

]=

[241212

]=

[74

]=

["h"

"e"

][

15 1720 9

] [0

19

]=

[323171

]=

[1115

]=

["l"

"p"

]The plaintext: "help"

The d-dimensional Hill cipher is poly-alphabetic on single letters,however, mono-alphabetic on words of length d




Key Space Size for Hill Space

It was suggested by Overbey, Traves, and Wojdylo in Cryptologia,29(1), Jan 2005, that the number of d × d matrices invertible modulom is ∏

i

(p(ni−1)d2

i

d−1∏k=0

(pdi − pki )

)such that m =

∏pnii

When m = 26 = 21 · 131, we simplify this as

d−1∏k=0

(2d−2k)(13d−13k) = 26d2

(1−1/2) · · · (1−1/2d)(1−1/13) · · · (1−1/13d)




Key Space Size for Hill Cipher

We enumerate and find the number of keys for as follows:

d Number of Keys Power of 10

2 157,248 105.2

3 1,750,755,202,560 1012.2

4 13,621,827,326,505,327,820,800 1022.1

5 72,803,944,226,174,990,390,435,243,910,758,400 1034.9

Exhaustive key search is probably not feasible for 4-dimensional Hillciphers (requires significant resources), and definitely not feasible for5-dimensional (and beyond) Hill ciphers




Frequency Analysis of the Hill Cipher

Frequency analysis is not applicable for single letters — a plaintextletter is encrypted to different ciphertext letter depending on whetherit is the first or second letter and what the other letter is

For example, for our example 2-dimensional Hill cipher, theencryption of x is as follows:"xy" → "lk" implies "x" → "l"

"xz" → "op" implies "x" → "o"

"zx" → "oj" implies "x" → "j"

However, digrams (2-letter words) are always encrypted to the sameciphertext bigrams for a 2-dimensional cipher"xyabcd" → "lkdfpt"

"abxycd" → "dflkpt"

"abcdxy" → "dfptlk"




Digram Frequencies in English




Frequency Analysis of the Hill Cipher

We can apply frequency attack to a d-dimensional Hill cipher if wehave “useful” (distinguishable) d-gram frequencies

As expected the digram "th" appears in English more often — somestudies have shown that the frequency of diagram "th" is about3.15%

Similarly the frequency of "the" is higher than most other trigrams,followed up by "and", "for" — however, these frequencies are toolow and too close to one another

As expected, as the word size increases the frequencies becomeindistinguishable from one another — we loose those useful frequencyvalues such as 12.7% for the single letter "e"




Secret-Key versus Public-Key Cryptography

Secret-Key Cryptography:

Requires establishment of a secure channel for key exchangeTwo parties cannot start communication if they never metSecure communication of n parties requires n(n − 1)/2 keysKeys are “shared”, rather than “owned” (secret vs private)

Public-Key Cryptography:

No need for a secure channelMay require establishment of a public-key directoryTwo parties can start communication even if they never metSecure communication of n parties requires n keysKeys are “owned’, rather than “shared”Ability to “sign” digital data (secret vs private)




Diffie-Hellman Key Exchange Method

Martin Hellman (1945): American cryptologist and co-inventor ofpublic key cryptography in cooperation with Whitfield Diffie andRalph Merkle at Stanford

Bailey Whitfield Diffie (1944) is an American cryptographer andco-inventor of public key cryptography

Diffie and Hellman’s paper “New Directions in Cryptography” waspublished IEEE Tran. Information Theory in Nov 1976

It introduced a radically new method of distributing cryptographickeys, that went far toward solving one of the fundamental problems ofcryptography, key distribution

It has become known as Diffie-Hellman key exchange.





A and B agree on a prime p and a primitive element g of Z∗p

This is accomplished in public: p and g are known to the adversary

A selects a ∈ Z∗p , computes s = ga (mod p), and sends s to B

B selects b ∈ Z∗p , computes r = gb (mod p), and sends r to A

A computes K = ra (mod p)

B computes K = sb (mod p)

K = ra = (gb)a = gab (mod p)

K = sb = (ga)b = gab (mod p)





User A

a

ga

(gb

)a

K = gab

User B

b

gb

(ga

)b

K = gab

Adversary

p & g

ga

gb




Discrete Logarithm Problem

The adversary knows the group: p and g

The adversary also sees (obtains copies of) s = ga and r = gb

The discrete logarithm problem (DLP):the computation of x ∈ Z∗

p in

y = g x (mod p)

given p, g , and y

Example: Given p = 23 and g = 5, find x such that

10 = 5x (mod 23)

Answer: x = 3




Discrete Logarithm Problem

Given p = 158(2800 + 25) + 1 =

1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359

and g = 3, find x ∈ Z∗p such that

2 = 3x (mod p)

Answer: ?

How difficult is it to find x?





The Diffie-Hellman algorithm allows two parties to agree on a key thatis known only to them, except that the adversary can solve the DLP

Once the secret key (shared key) is established, the parties can use asecret-key cryptographic algorithm to encrypt and decrypt

However, we still have the problem of establishing n(n − 1)/2 keysbetween n parties, and other difficulties of the secret-keycryptography also remain

But, we no longer need a (secret-key type) secure channel — theDiffie-Hellman algorithm gave us a secure channel, whose securitydepends on computational difficulty of the DLP

The Diffie-Hellman algorithm is not a public-key encryption method




Public-Key Cryptography

The functions C (·) and D(·) are inverses of one another

C = EKe (M) and M = DKd(C )

Encryption and decryption processes are asymmetric:

Ke 6= Kd

Ke is public, known to everyone

Kd is private, known only to the user

Ke may be easily deduced from Kd

However, Kd is NOT easily deduced from Ke





User2 User0

Adversary

C2

C3=EKe(M3)

M1=DKd(C1)

User1

User3

PK Directory

User0 Ke

C1

C3

C1=EKe(M1)

C2=EKe(M2)

M2=DKd(C2)

M3=DKd(C3)





The User publishes his/her own public key: Ke

Anyone can obtain the public key Ke and can encrypt a message M,and send the ciphertext to the User

C = EKe (M)

The private key is known only to the User: Kd

Only the User can decrypt the ciphertext to get the message

M = DKd(C )

The adversary may be able to block the ciphertext, but cannot decrypt





A public-key cryptographic algorithm is based on a function y = f (x)such thatGiven x , computing y is EASY: y = f (x)Given y , computing x is HARD: x = f −1(y)

x

easy

−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−

hard

y = f (x)

Such functions are called one-way

In order to decide what is hard: Theory of complexity could help




Well-Known One-Way Functions

Discrete Logarithm:Given p, g , and x , computing y in y = g x (mod p) is EASYGiven p, g , y , computing x in y = g x (mod p) is HARD

Factoring:Given p and q, computing n in n = p · q is EASYGiven n, computing p or q in n = p · q is HARD

Discrete Square Root:Given x and y , computing y in y = x2 (mod n) is EASYGiven y and n, computing x in y = x2 (mod n) is HARD

Discrete eth Root:Given x , n and e, computing y in y = xe (mod n) is EASYGiven y , n and e, computing x in y = xe (mod n) is HARD




One-Way Functions for PKC

However, a one-way function is difficult for anyone to invert

What we need: a function easy to invert for the legitimate receiver ofthe encrypted message, but for everyone else: hard

Such functions are called one-way trapdoor functions

In order to build a public-key encryption algorithm, we need aone-way trapdoor function

Once that is understood (in around 1975-1976), researchers lookedfor such special functions which are either based on the knownone-way functions or some other constructions




Rivest-Shamir-Adleman Algorithm

Invented by three young faculty members at MIT: Ronald Rivest(CS), Adi Shamir (Math), and Leonard Adleman (Math) in theSummer and Fall of 1976:“Ron and Adi would come up with ideas, and Len would try to shootthem down. Len was consistently successful; late one night, though,Ron came up with an algorithm that Len couldnt crack.”

Following the ideas of building a public-key encryption method usingtrapdoor one-way functions of Merkle and Hellman

It is based on the one-way functions factoring and discrete eth root

The paper was published in 1977 (Comm. of ACM)

The method was patented by MIT in 1983, which ended in 2000





The User generates two large, approximately same size randomprimes: p and q

The modulus n is the product of these two primes: n = pq

Euler’s totient function of n is given by φ(n) = (p − 1)(q − 1)

The User selects a number 1 < e < φ(n) such that

gcd(e, φ(n)) = 1

and computes d with

d = e−1 (mod φ(n))

using the extended Euclidean algorithm





e is the public exponent and d is the private exponent

The public key: The modulus n and the public exponent e

The private key: The private exponent d , the primes p and q, andφ(n) = (p − 1)(q − 1)

Encryption and decryption are performed by computing

C = Me (mod n)

M = Cd (mod n)

where M,C are the plaintext and ciphertext such that

0 ≤ M,C < n




Example RSA

The primes p = 11 and q = 13, the modulus n = 11 · 13 = 143

φ(n) = φ(143) = (p − 1)(q − 1) = 10 · 12 = 120

Find e such that gcd(e, φ(n)) = φ(e, 120) = 1

Since 120 = 23 · 3 · 5, we select e = 7

d = e−1 (mod φ(n)) which gives d = 7−1 (mod 120) as d = 103

Encryption C = Me (mod n) gives C = 87 (mod 143) as C = 57Decryption D = Cd (mod n) gives M = 57103 (mod 143) as M = 8

Encryption C = Me (mod n) gives C = 117 (mod 143) as C = 132Decryption D = Cd (mod n) gives M = 132103 (mod 143) asM = 11




Security of RSA

The public key (e, n) is publishedThe private key parameters p, q, φ(n), d are kept by the user

Breaking RSA:one or several or all instances → Computing M, given C and (e, n)all instances → Computing d , given (e, n)

Taking discrete eth Root → Computing MCompute eth Root of Me (mod n) and obtain M

Factoring n ⇒ Computing dFactor n = pq, compute d = e−1 mod (p − 1)(q − 1)

Computing φ(n) ⇒ Computing dCompute d = e−1 mod φ(n)




Knowing φ(n) ⇒ Factoring n

We know n = pq, we can also write:

n − φ(n) + 1 = pq − (p − 1)(q − 1) + 1 = p + q

Thus we have pq and p + q, and we can write a quadratic equationwhose roots are p and q

x2 − (p + q)x + pq = x2 − (n − φ(n) + 1) + n = 0

The roots of the equations are

1

2(n − φ(n) + 1±

√(n − φ(n) + 1)2 − 4n )

Example: For n = 143 and φ(n) = 120, we writep, q = (1/2)(143− 120 + 1±

√(143− 120 + 1)2 − 4 · 143) = 11, 13




Knowing d ⇒ (Probabilistically) Factoring n

Given d , we can write

d · e = 1 + Kφ(n)

since they are inverses of one another mod φ(n)

Since d · e − 1 is a multiple of φ(n), for gcd(a, n) = 1 we can write

ade−1 = (aφ(n))K = 1 (mod n)

If there is a universal exponent b such that ab = 1 (mod n) for all awith gcd(a, n), then there is exists a probabilistic method for factoringn

This probabilistic factorization algorithm is based on the Miller-Rabinprimality test




Breaking RSA?⇒ Factoring

Factoring n indeed breaks the RSA encryption algorithm

However, does “Breaking RSA” mean that we can factor n ?

There is no general proof for such a claim — a lack of progress

A related result: Breaking the low-exponent RSA is not as hard asfactoring integers

Strong evidence: An RSA breaker cannot be used for factoringintegers



communication security & cryptography - … of shift cipher ciphertext only exhaustive key...

Documents