Content Cryptography and Security - epfl - home Chapter 1: Prehistory of Cryptography Terminology Cryptography Prehistory SV 2007 Basic Crypto EPFL-SSC 19 / 528 Basic Security Properties

Apr 11, 2018

Download

Documents

hoangduong
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript

Chapter Content

Foundations: history, vocabulary, transpositions, substitutions

Basic ciphers: simple substitution, Vigenere, Vernam

Modern settings: digital communications, Kerckhoffs principles

⋆The Shannon Theory of secrecy: entropy, encryption model, perfect secrecy

SV 2007 Basic Crypto EPFL-SSC 4 / 528

1 Chapter 1: Prehistory of Cryptography


Content

Part 1
1. Prehistory of cryptography
2. Conventional cryptography
3. Dedicated conventional cryptographic primitives
4. Conventional security analysis (adv)
5. Security protocols with conventional cryptography

Part 2
6. Algorithmic algebra
7. Algorithmic number theory
8. Elements of complexity theory (adv)
9. Public key cryptography
10. Digital signatures
11. Cryptographic protocols (adv)
12. From cryptography to communication security

Cryptography and Security
Basic Cryptography

Serge Vaudenay

ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE

http://lasecwww.epfl.ch/


Key Words — iii

Cleartext
information encoded by using a public code

Plaintext ≠ cleartext!
input of an encryption algorithm

Ciphertext, cryptogram
information encoded by a cryptographic system

Encryption, encipherment, decryption, decipherment
action to transform a plaintext into a ciphertext or the opposite

Key Words — ii

Cryptography
(originally) the science of secret codes, enabling the confidentiality of communication through an insecure channel

Cipher
secret code, enabling the expression of a public code by a secret one by making the related information confidential

Cryptographic system, cryptosystem
set of cryptographic algorithms which include ciphers and other cryptographic algorithms

Cryptosystem
→ mostly used for “public key cryptosystem”; “secret key cryptographic systems” are rather called “ciphers”

Key Words — i

Confidentiality, secrecy
assurance that a given piece of information cannot be accessed by unauthorized parties

Privacy ≠ secrecy (but sometimes synonym)
ability for a person to control how his personal information spreads in a community

Code
a system of symbols which represent information

Coding theory
science of code transformation which enables sending information through a communication channel in a reliable way (→ dummy adversary)

Encode, Decode
action to transform a piece of information into a codeword, or to recover the information from a codeword

1 Chapter 1: Prehistory of Cryptography
Terminology
Cryptography Prehistory


A Science of Malice in Communication Technologies

how to abuse an information security system?

how to model malicious adversaries?

how to reduce adversaries' success to well known complexity problems?

for the bad guy: how to break a system? (Any dirty math allowed)

for the good guy: how to formally prove security? (Rigorous analysis when possible)

Applications

entered in mass product markets quite recently

used for authentication and encryption (bank cards, wireless telephone, e-commerce, pay-TV)

used for access control (car lock systems, ski lifts)

used for payment (prepaid phone cards, e-cash)

used for logistics & supply chains (RFID)

Defining Cryptography

cryptography vs coding theory
cryptography faces malicious adversaries (not random noise)

secrecy theory?

cryptography and secrecy
Cryptography now has a wider sense: the science of information protection against unauthorized parties, by preventing unauthorized alteration or use. Cryptographic algorithms are the mathematical algorithms which enforce the protection.

adversity theory?
Reductionism: modeling malice + proving security under reasonable assumptions

Key Words — iv

Cryptanalysis, cryptographic analysis, cryptoanalysis
theory of security analysis of cryptographic systems

To cryptanalyze a cryptosystem ≠ to break it
to prove or disprove the security provided by a cryptosystem

To break a cryptosystem
to prove the insecurity of a cryptosystem

Cryptology ≠ cryptography
science of cryptography and cryptanalysis (sometimes also steganography)

Steganography ≠ cryptography
science of information hiding


1 Chapter 1: Prehistory of Cryptography
Terminology
Cryptography Prehistory

Basic Security Properties

Confidentiality
the information should not leak to any unexpected party

Integrity
the information must be protected against any malicious modification

Authentication
the information should make clear who its author is

The Fundamental Trilogy

[Diagram: a message X is sent from the sender to the receiver over a channel observed by an adversary]

Confidentiality (C): only the legitimate receiver can get X

Authentication + Integrity (A+I): only the legitimate sender can insert X and the received message must be equal to X

Crypto is Fun!

Multidisciplinary: physics, electronics, software, math, logic, ...

Exposed: lots of attention from the media

Wide: quick switch between theory, application, business, politics

Romantic: hackers, spies, ...

Fun: solving puzzles...


Probabilities of Occurrence in English

letter probability   letter probability   letter probability
A      0.082         J      0.002         S      0.063
B      0.015         K      0.008         T      0.091
C      0.028         L      0.040         U      0.028
D      0.043         M      0.024         V      0.010
E      0.127         N      0.067         W      0.023
F      0.022         O      0.075         X      0.001
G      0.020         P      0.019         Y      0.020
H      0.061         Q      0.001         Z      0.001
I      0.070         R      0.060

Simple Substitutions

Caesar Cipher:

a b c d e f g h i k l m n o p q r s t v x
D E F G H I K L M N O P Q R S T V X A B C

caesar −→ FDHXDV

ROT13:

a b c d e f g h i j k l m n o p q r s t u v w x y z
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

rot −→ EBG

Transpositions

Spartan scytales:

this is a dummy message

written row by row along the staff:

t h i s i
s a d u m
m y m e s
s a g e

read column by column once unrolled:

TSMSH AYAID MGSUE EIMS

Secret Writing

Hieroglyphs!



Vigenère Cipher

Plaintext: this is a dummy message

Key: ABC

  this is a dummy message
+ ABCA BC A BCABC ABCABCA
= TIKS JU A EWMNA MFUSBIE

Ciphertext: TIKSJUAEWMNAMFUSBIE

e.g. y + C = A.

Step I: Frequency Analysis

letter frequency   letter frequency   letter frequency
A       0          J      11          S       3
B       1          K       1          T       2
C      15          L       0          U       5
D      13          M      16          V       5
E       7          N       9          W       8
F      11          O       0          X       6
G       1          P       1          Y      10
H       4          Q       4          Z      20
I       5          R      10

A Simple Substitution Cipher

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

Rough Frequencies in English

1 most frequent: E

2 very frequent: T A O I N S H R

3 frequent: D L

4 rare: C U M W F G Y P B

5 very rare: V K J X Q Z

30 most common digrams (in decreasing order):
TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI and OF.

12 most common trigrams (in decreasing order):
THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR and DTH.


Application to the Vigenère Cipher

With the example TIKSJUAEWMNAMFUSBIE, if we guess that the key is of length 3, we can write

T I K
S J U
A E W
M N A
M F U
S B I
E

so we can compute the index of coincidence of TSAMMSE, IJENFB and KUWAUI.

Index of Coincidence

$\mathrm{Index}(x_1, \ldots, x_n) = \Pr_{I,J}[x_I = x_J \mid I < J] = \sum_{c \in Z} \frac{n_c (n_c - 1)}{n (n - 1)}$

where $I, J \in \{1, \ldots, n\}$ are independent uniformly distributed

Proposition

For any permutation σ over Z, we have

$\mathrm{Index}(\sigma(x_1), \ldots, \sigma(x_n)) = \mathrm{Index}(x_1, \ldots, x_n)$

Index(English text) → 0.065 when n → +∞

Index(Random string) → 0.038 when n → +∞

Is this Significant?

In a truly random sequence of 294 characters with an alphabet of 26 letters, there are $n = 292$ trigrams $t_1, \ldots, t_n$ out of $1/p = 26^3 = 17576$ possibilities; every possible trigram $abc$ has a number of occurrences $n_{abc} = \sum_{i=1}^{n} 1_{t_i = abc}$

$\Pr[n_{abc} = t] = \binom{n}{t} p^t (1 - p)^{n - t} \approx \frac{\lambda^t}{t!} e^{-\lambda}$ with $\lambda = n \times p$

since

$e^{\lambda} = \sum_{i=0}^{t-1} \frac{\lambda^i}{i!} + \int_0^{\lambda} \frac{(\lambda - x)^{t-1}}{(t-1)!} e^{x} \, dx$

we have

$\Pr[n_{abc} \geq t] \approx 1 - e^{-\lambda} \sum_{i=0}^{t-1} \frac{\lambda^i}{i!} \leq e^{-\lambda} \int_0^{\lambda} \frac{(\lambda - x)^{t-1}}{(t-1)!} e^{x} \, dx \leq \frac{\lambda^t}{t!}$

with $t = 5$ we have $\Pr[\max_{\alpha\beta\gamma} n_{\alpha\beta\gamma} \geq t] \leq 26^3 \Pr[n_{abc} \geq t] \leq 10^{-6}$

Kasiski Test

CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBW
RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK
LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX
VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR
ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT
AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI
PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP
WQAIIWXNRMGWOIIFKEE

CHR occurs at 1, 166, 236, 276, 286.

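As an added example (not from the slides), the Vigenère cipher, the index of coincidence, the Kasiski test and the trigram bound of the preceding slides in Python. The function names are mine; KASISKI_CT is the ciphertext of the Kasiski Test slide with the extraction's stray spaces removed, and "this is a dummy message" with key ABC is the slides' own example.

```python
"""Vigenère cipher, index of coincidence and Kasiski test, following the slides."""
from collections import Counter
from functools import reduce
from math import factorial, gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def letters_only(text):
    """Upper-case and drop everything but letters ('this is a dummy message' -> 'THISIS...')."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Shift the i-th letter by the (i mod len(key))-th key letter, e.g. y + C = A."""
    text, key = letters_only(text), letters_only(key)
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def index_of_coincidence(text):
    """Index(x_1..x_n) = sum_c n_c (n_c - 1) / (n (n - 1)); unchanged by any substitution."""
    text = letters_only(text)
    n = len(text)
    if n < 2:
        return 0.0
    return sum(nc * (nc - 1) for nc in Counter(text).values()) / (n * (n - 1))


def columns(text, key_len):
    """The key_len sub-strings encrypted under one key letter each (TSAMMSE, IJENFB, KUWAUI)."""
    text = letters_only(text)
    return [text[i::key_len] for i in range(key_len)]


def repeated_ngrams(text, size=3):
    """Kasiski: 0-based positions of every n-gram that occurs more than once."""
    text = letters_only(text)
    where = {}
    for i in range(len(text) - size + 1):
        where.setdefault(text[i:i + size], []).append(i)
    return {g: p for g, p in where.items() if len(p) > 1}


def gap_gcd(positions):
    """gcd of the distances from the first occurrence: a multiple of the key length."""
    return reduce(gcd, (p - positions[0] for p in positions[1:]), 0)


def trigram_bound(n, t, alphabet_size=26):
    """Slide bound: Pr[max n_abc >= t] <= 26^3 * lambda^t / t!  with lambda = n / 26^3."""
    lam = n / alphabet_size ** 3
    return alphabet_size ** 3 * lam ** t / factorial(t)


# Ciphertext of the Kasiski Test slide (the extraction's stray spaces removed).
KASISKI_CT = (
    "CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBW"
    "RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK"
    "LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX"
    "VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR"
    "ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT"
    "AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI"
    "PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP"
    "WQAIIWXNRMGWOIIFKEE"
)

if __name__ == "__main__":
    ct = vigenere("this is a dummy message", "ABC")
    print(ct)                                            # TIKSJUAEWMNAMFUSBIE
    for col in columns(ct, 3):
        print(col, round(index_of_coincidence(col), 3))
    chr_positions = repeated_ngrams(KASISKI_CT)["CHR"]
    print("CHR at", [p + 1 for p in chr_positions], "gap gcd", gap_gcd(chr_positions))
    print("P[some trigram appears 5 times among 292 random ones] <=", trigram_bound(292, 5))
```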

The Enigma Cipher (Mathematically) — i

We define permutations over the 26-character alphabet.

Reflexion. π is a fixed involution with no fixed points.

Rotors. S is a set of five permutations over the alphabet. ρ is the circular rotation over the alphabet by one position. ρ^i thus denotes the circular rotation over the alphabet by i positions. α_i denotes ρ^{−i} ∘ α ∘ ρ^i.

Wire connection. σ is a configurable involution with 6 fixed points.

Enigma Building Blocks

given a permutation σ over Z = {A, B, …, Z}, a fixed point is an element x ∈ Z such that σ(x) = x

an involution over Z is a permutation σ of Z such that σ(σ(x)) = x for all x. Examples: reflector, plug board

a rotor is defined by a set of permutations σ_0, …, σ_25 over Z; the rotor in position i implements permutation σ_i such that σ_i = ρ^{−i} ∘ σ_0 ∘ ρ^i where ρ(A) = B, ρ(B) = C, …, ρ(Z) = A

The Enigma Circuit

[Diagram: Kbd → Plug → Rotor → Rotor → Rotor → Reflector, then back through the three rotors and the plug to the Lamp; the example traces a current path through contacts labelled A, E, C, B, F, D]

Enigma



Vernam Cipher

we use a uniformly distributed random key K (a bitstring)

every message X requires a new K of the same size (one-time pad)

Encrypting X with K: compute X ⊕ K

Decrypting Y with K: compute Y ⊕ K

⊕ | 0 1
0 | 0 1
1 | 1 0

  (X) 10010
⊕ (K) 00111
= (Y) 10101

  (Y) 10101
⊕ (K) 00111
= (X) 10010

The Laws of Modern Cryptography

The n² Problem:
in a network of n users, there is a number of potential pairs of users within the order of magnitude of n²

The Kerckhoffs Principle:
security should not rely on the secrecy of the cryptosystem itself

The Moore Law:
the speed of CPUs doubles every 18 months

The Murphy Law:
if there is a single security hole, the exposure of a cryptosystem will make sure that someone will ultimately find it

A Turing Machine


The Enigma Cipher (Mathematically) — ii

Secret key:
σ
an ordered choice α, β, γ ∈ S of pairwise different permutations
a number a

Plaintext: $x = x_1, \ldots, x_m$

Ciphertext: $y = y_1, \ldots, y_m$

Encryption:

$y_i = \sigma^{-1} \circ \alpha_{i_1}^{-1} \circ \beta_{i_2}^{-1} \circ \gamma_{i_3}^{-1} \circ \pi \circ \gamma_{i_3} \circ \beta_{i_2} \circ \alpha_{i_1} \circ \sigma(x_i)$

where $i_3 i_2 i_1$ are the last three digits of the base-26 numeration of $i + a$.

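As an added example (not from the slides), the mathematical Enigma of the two Enigma slides in Python. The reflector π, the rotor set S and the plug board σ are constructed here (not the historical wiring), the stepping follows the slides' base-26 rule for i + a rather than the real machine's notches, and the function names are mine.

```python
"""The slides' mathematical Enigma: y_i = σ⁻¹∘α_{i1}⁻¹∘β_{i2}⁻¹∘γ_{i3}⁻¹∘π∘γ_{i3}∘β_{i2}∘α_{i1}∘σ(x_i)."""
import random

N = 26   # the alphabet Z = {A, ..., Z}, letters as 0..25


def compose(f, g):
    """(f ∘ g)(x) = f(g(x)); a permutation is a list mapping letter index -> image index."""
    return [f[g[x]] for x in range(N)]


def inverse(p):
    inv = [0] * N
    for x, y in enumerate(p):
        inv[y] = x
    return inv


def is_involution(p):
    return all(p[p[x]] == x for x in range(N))


def fixed_points(p):
    return [x for x in range(N) if p[x] == x]


def rho(i):
    """ρ^i, the circular rotation by i positions (ρ(A) = B); negative i gives ρ^{-i}."""
    return [(x + i) % N for x in range(N)]


def in_position(alpha, i):
    """α_i = ρ^{-i} ∘ α ∘ ρ^i: the rotor α turned to position i."""
    return compose(rho(-i), compose(alpha, rho(i)))


def involution_from_pairs(pairs):
    """Swap each listed pair of letters, leave the others fixed (plug board / reflector)."""
    p = list(range(N))
    for a, b in pairs:
        p[ord(a) - 65], p[ord(b) - 65] = ord(b) - 65, ord(a) - 65
    return p


# Constructed components, not the historical wiring: π pairs each letter with the one 13
# places on (no fixed point); S holds five seeded random rotors; σ swaps 10 pairs (6 fixed).
PI = involution_from_pairs([(chr(65 + k), chr(65 + k + 13)) for k in range(13)])
_rng = random.Random(2007)
S = []
for _ in range(5):
    rotor = list(range(N))
    _rng.shuffle(rotor)
    S.append(rotor)
SIGMA = involution_from_pairs([("A", "M"), ("B", "Q"), ("C", "X"), ("D", "T"), ("E", "Z"),
                               ("F", "W"), ("G", "U"), ("H", "Y"), ("I", "V"), ("J", "S")])


def enigma(text, sigma, alpha, beta, gamma, a, pi=PI):
    """Encrypt text under the key (σ, α, β, γ, a); the same call decrypts, because each
    per-letter map σ⁻¹τ⁻¹πτσ is an involution (π is one)."""
    assert is_involution(pi) and not fixed_points(pi)
    assert is_involution(sigma) and len(fixed_points(sigma)) == 6
    assert alpha != beta and beta != gamma and alpha != gamma   # pairwise different rotors
    sigma_inv = inverse(sigma)
    out = []
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    for i, ch in enumerate(letters, start=1):        # the slides index x_1, ..., x_m from 1
        n = i + a
        i1, i2, i3 = n % N, (n // N) % N, (n // (N * N)) % N   # last three base-26 digits
        tau = compose(in_position(gamma, i3),
                      compose(in_position(beta, i2), in_position(alpha, i1)))
        step = compose(sigma_inv, compose(inverse(tau), compose(pi, compose(tau, sigma))))
        out.append(chr(65 + step[ord(ch) - 65]))
    return "".join(out)


if __name__ == "__main__":
    key = (SIGMA, S[0], S[1], S[2], 17)
    ct = enigma("ATTACK AT DAWN", *key)
    print(ct, enigma(ct, *key))    # the second value is ATTACKATDAWN again
```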

A Note on the Vernam Cipher

If used in an appropriate way, this cipher is perfectly secure

It is pretty expensive (true randomness is expensive, key exchange is expensive)

We cannot achieve perfect security at a lower cost (Shannon Theory)

Using the Same Key Twice

[Diagram: Y_1 = X_1 ⊕ K and Y_2 = X_2 ⊕ K, so Y_1 ⊕ Y_2 = X_1 ⊕ X_2]

Example

[Image: two visual cryptography shares combined (=) into the revealed picture]

Visual Cryptography

Pixel coding (the subpixel patterns are images on the slide)

0 −→ [pattern]

1 −→ [pattern]

Pixel XOR

0 ⊕ 0 −→ ≈

0 ⊕ 1 −→ =

1 ⊕ 0 −→ =

1 ⊕ 1 −→ ≈


2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks

Chapter Content

DES: Feistel Scheme, S-boxes

Modes of operation: ECB, CBC, OFB, CFB, CTR, UNIX passwords

Classical designs: IDEA, SAFER-K64, AES

⋆Case study: FOX, CS-CIPHER

Stream ciphers: RC4, A5/1, E0

Brute force attacks: exhaustive search, tradeoffs, meet-in-the-middle


2 Chapter 2: Conventional Cryptography


Conclusion

a lot of pedestrian cryptography in the prehistory

now a need for standard solutions

perfect security requires an unreasonable cost

we must trade security against cost



2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks

Stream Ciphers vs Block Ciphers

stream cipher:
small granularity (encrypt bits or bytes)
based on the Vernam cipher, requires a nonce (number to be used only once)
very high speed rate, very cheap on hardware
low confidence on security

block cipher:
large granularity (encrypt blocks of 64 or 128 bits), require padding techniques for messages with arbitrary length
high rate, nice for software implementation, can be adapted to various platforms (8-bit, 32-bit, or 64-bit microprocessors)
well established security

Two Categories of Symmetric Encryption

stream ciphers      block ciphers
RC4                 DES
GSM–A5/1            3DES
Bluetooth–E0        IDEA
CSS                 BLOWFISH
...                 RC5
                    AES
                    KASUMI
                    SAFER
                    CS-Cipher
                    FOX
                    ...

Symmetric Encryption

[Diagram: a Generator supplies the same CONFIDENTIAL Key to both ends; Message X → Encrypt → Y, Y crosses a channel observed by the Adversary, Y → Decrypt → Message X]


Feistel Scheme

transforms functions over {0,1}^{n/2} into permutations over {0,1}^n

inverse permutations have the same structure

alternate round functions and half swaps

final half swap omitted

DES^{−1}

[Diagram: Y → IP → Feistel with round keys K_16, K_15, …, K_1 from schedule′(K) → IP^{−1} → X]

DES

[Diagram: X → IP → Feistel with round keys K_1, K_2, …, K_16 from schedule(K) → IP^{−1} → Y]

DES: the Data Encryption Standard

US Standard from NBS (now NIST), branch of the Department of Commerce, in 1977

secret design by IBM based on a call for proposals

based on LUCIFER by Horst Feistel (from IBM)

design influenced by the NSA

rationales of the design published by Don Coppersmith in 1994

dedicated to hardware implementation

block cipher with 64-bit blocks

key of 56 effective bits


S3

      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0    10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
1    13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
2    13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
3     1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

Example: S3(111000) = 0101:

1 1100 0 = 56
inner bits 1100 = 12 (column)
outer bits 10 = 2 (row)
entry 0101 = 5

DES Round Function

[Diagram: the 48 round-key bits are XORed in (48 ⊕ gates) and the result goes through the eight S-boxes S1, S2, …, S8]

(Inverse) Feistel Scheme

Ψ^{−1}(F_K1, F_K2, F_K3) = Ψ(F_K3, F_K2, F_K1)

[Diagram: the same three-round network with the round functions applied in the order F_K3, F_K2, F_K1]

(Direct) Feistel Scheme

Ψ(F_K1, F_K2, F_K3)

[Diagram: three rounds; in each, the right half enters F_Ki and the output is XORed into the left half, with a half swap between rounds and none after the last]


Password Access Control: Using Salt

[Diagram: Enrolment: Password and Salt → Hash → Record. Control: Password and the stored Salt → Hash → compared (=?) with the Record]

Password Access Control: Attempts

login: U

password: W

Scheme #1: store U and DES_W(0) in /etc/passwd
but: DES is pretty fast, which makes exhaustive search easy

Scheme #2: store U and DES^n_W(0) in /etc/passwd
but: many optimized off-the-shelf implementations of DES which can be used for exhaustive search

Scheme #3: store U and f^n_W(0) in /etc/passwd where f is transformed from DES
but: precomputed inverse tables could be used to crack arbitrary entries in /etc/passwd

Scheme #4: store U, f^n_W(0) and salt c_k in /etc/passwd where f is transformed from DES by using c_k

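As an added example (not from the slides), schemes #3 and #4 of the preceding slide in Python: HMAC-SHA256 keyed with the password stands in for the DES-derived f (an assumption, since the standard library has no DES), the iteration count, the 16-bit salt and the word list are constructed, and the function names are mine.

```python
"""Schemes #3 and #4 of the slide: an iterated one-way function without and with a salt."""
import hashlib
import hmac
import os

ROUNDS = 25   # the number n of iterations; a constructed choice, the slide leaves n open


def f_n(password, salt=b"", rounds=ROUNDS):
    """Stand-in for f^n_W(0): iterate a keyed one-way function n times from the block 0.

    HMAC-SHA256 keyed with the password replaces the DES-derived f of the slide (the
    standard library has no DES); the salt perturbs f the way c_k does in scheme #4.
    """
    state = bytes(8)                         # the 64-bit block "0" the chain starts from
    for _ in range(rounds):
        state = hmac.new(password, salt + state, hashlib.sha256).digest()[:8]
    return state.hex()


def enrol(user, password, salted=True):
    """Produce the /etc/passwd-style record (U, salt, f^n_W(0)); scheme #3 has no salt."""
    salt = os.urandom(2) if salted else b""  # 12-bit salt on the slide, 16 bits here
    return {"user": user, "salt": salt, "hash": f_n(password, salt)}


def check_login(record, password):
    """Control side: recompute f^n_W(0) with the stored salt and compare with the record."""
    return hmac.compare_digest(record["hash"], f_n(password, record["salt"]))


def precomputed_table(wordlist):
    """The weakness of scheme #3: one table of f^n_W(0) over a word list, built once."""
    return {f_n(w): w for w in wordlist}


def crack_with_table(records, table):
    """Invert stored hashes by table look-up only; returns {user: password} for the hits."""
    return {r["user"]: table[r["hash"]] for r in records if r["hash"] in table}


WORDLIST = [b"letmein", b"password", b"epfl2007", b"qwerty"]   # constructed sample

if __name__ == "__main__":
    unsalted = [enrol("alice", b"password", salted=False), enrol("bob", b"epfl2007", salted=False)]
    salted = [enrol("alice", b"password"), enrol("bob", b"epfl2007")]
    table = precomputed_table(WORDLIST)
    print(crack_with_table(unsalted, table))   # both entries fall to the single table
    print(crack_with_table(salted, table))     # {}: the table does not know the salts
    print(check_login(salted[0], b"password"), check_login(salted[0], b"Password"))
```

With a salt the table would have to be rebuilt per salt value, which is exactly the per-entry work scheme #4 is meant to impose.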
UNIX Password Access Protocols

User                                         Workstation
        ←−−−−−−−−−−− login? −−−−−−−−−−−−
type U
        −−−−−−−−−−−−−− U −−−−−−−−−−−−−→
        ←−−−−−−−−−− password? −−−−−−−−−
type W
        −−−−−−−−−−−−−− W −−−−−−−−−−−−−→
                                             check (U, W) using a database, retrieve information from the database (home directory...)

DES Key Schedule

schedule(K)
1: K −PC1→ (C, D)
2: for i = 1 to 16 do
3:   C ← ROL_{r_i}(C)
4:   D ← ROL_{r_i}(D)
5:   K_i ← PC2(C, D)
6: end for

C, D: two 28-bit registers

i    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
r_i  1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1


Note on the ECB Mode

Information leakage for blocks with low entropy

Chabloz          President      78'964.31
Zufferey         Manager        23'321.16
Neuenschwander   Consultant     34'445.22
Schneider        Affirmative    38'206.51
Cotti            Audiovisual    21'489.15

C(3) for Neuenschwander = C(3) for Schneider

ECB Mode

[Diagram: y_i = C(x_i) for each block x_1, x_2, x_3, …, x_n independently]

2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks

UNIX Passwords

[Diagram: the block 0 is passed through an iterated, salt-modified DES (≈DES → ≈DES → ··· → ≈DES) keyed with W (56 bits); the salt (12 bits) is taken from the clock; the result is stored in /etc/passwd]


OFB Mode

[Diagram: starting from IV, C is applied repeatedly to produce a key stream; y_i = x_i ⊕ (i-th output of the C chain)]

Note on the CBC Mode

Three possibilities for dealing with IV

Using a (non secret) constant IV

Using a secret IV which is part of the key

Using a random IV which is sent in clear with the ciphertext


CBC Decryption

[Diagram: x_i = C^{−1}(y_i) ⊕ y_{i−1} with y_0 = IV]

CBC Mode

[Diagram: y_i = C(x_i ⊕ y_{i−1}) with y_0 = IV]


Note on the CTR Mode

t_i must be new for every block!

Example 1: t_i = msg counter || blk counter

Example 2: t_i = t_1 + (i − 1) where t_1 is the last t_n plus 1

Example 3: t_i = t_1 + (i − 1) where t_1 is a (unique) nonce

CTR also transforms a block cipher into a stream cipher

CTR Mode

[Diagram: y_i = x_i ⊕ C(t_i) with the counter blocks t_1, t_2, t_3, …, t_n]

CFB Mode

[Diagram: y_i = x_i ⊕ C(y_{i−1}) with y_0 = IV]

Note on the OFB Mode

IV must be new for every plaintext!

Use a random one which is sent in clear...

... or use a counter-based IV

This is not only a property of the OFB mode: property of stream ciphers

OFB actually transforms a block cipher into a stream cipher

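As an added example (not from the slides), the Feistel scheme of the (Direct)/(Inverse) Feistel slides with the ECB, CBC and CTR modes of the preceding slides built on top of it, in Python. The round function and the key schedule are keyed hashes (constructed stand-ins, not DES's), the records sharing an 8-byte block are constructed after the ECB leakage slide, and the function names are mine.

```python
"""Feistel scheme Ψ(F_K1, …, F_Kr) with inverse Ψ(F_Kr, …, F_K1), then ECB, CBC and CTR on it."""
import hashlib
import hmac

BLOCK = 8              # 64-bit blocks as in DES, IDEA, SAFER
HALF = BLOCK // 2


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(subkey, half):
    """F_Ki : {0,1}^{n/2} -> {0,1}^{n/2}; a keyed hash stands in for a real F (constructed)."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:HALF]


def feistel(subkeys, block):
    """Alternate round functions and half swaps, the final half swap omitted (as on the slide)."""
    left, right = block[:HALF], block[HALF:]
    for i, k in enumerate(subkeys):
        left = xor(left, round_function(k, right))
        if i < len(subkeys) - 1:
            left, right = right, left
    return left + right


def schedule(key, rounds=16):
    """K -> K_1, …, K_16 (a constructed schedule, not DES's PC1/PC2 rotations)."""
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest()[:HALF] for i in range(rounds)]


class Cipher:
    """C = Ψ(F_K1, …, F_K16) and C⁻¹ = Ψ(F_K16, …, F_K1)."""

    def __init__(self, key):
        self.keys = schedule(key)

    def enc(self, block):
        return feistel(self.keys, block)

    def dec(self, block):
        return feistel(self.keys[::-1], block)


def blocks(data):
    """Split into x_1, …, x_n; padding for arbitrary lengths is left out here."""
    assert len(data) % BLOCK == 0, "pad to a multiple of the block size first"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(c, data):
    """y_i = C(x_i): equal plaintext blocks give equal ciphertext blocks (the leakage)."""
    return b"".join(c.enc(x) for x in blocks(data))


def ecb_decrypt(c, data):
    return b"".join(c.dec(y) for y in blocks(data))


def cbc_encrypt(c, data, iv):
    """y_i = C(x_i ⊕ y_{i-1}) with y_0 = IV."""
    out, prev = [], iv
    for x in blocks(data):
        prev = c.enc(xor(x, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(c, data, iv):
    """x_i = C⁻¹(y_i) ⊕ y_{i-1} with y_0 = IV."""
    out, prev = [], iv
    for y in blocks(data):
        out.append(xor(c.dec(y), prev))
        prev = y
    return b"".join(out)


def ctr(c, data, t1):
    """y_i = x_i ⊕ C(t_i) with t_i = t_1 + (i - 1); encryption and decryption are the same call."""
    out = []
    for i, x in enumerate(blocks(data)):
        t_i = ((t1 + i) % 2 ** 64).to_bytes(BLOCK, "big")
        out.append(xor(x, c.enc(t_i)))
    return b"".join(out)


# Constructed records: two of them share the 8-byte block b"Consulta", like the slide's table.
RECORDS = b"Neuensch" + b"Consulta" + b"Schneide" + b"Consulta"

if __name__ == "__main__":
    c = Cipher(b"constructed key")
    iv = bytes(range(8))
    ecb, cbc = ecb_encrypt(c, RECORDS), cbc_encrypt(c, RECORDS, iv)
    print(blocks(ecb)[1] == blocks(ecb)[3])   # True: ECB leaks that the two records match
    print(blocks(cbc)[1] == blocks(cbc)[3])   # False: CBC chaining hides it
    print(cbc_decrypt(c, cbc, iv) == RECORDS, ctr(c, ctr(c, RECORDS, 7), 7) == RECORDS)
```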

Generalized Feistel Scheme

[Diagram: three rounds with round functions F_K1, G_K2, F_K3; between the rounds the halves are recombined (+) and permuted by π and σ]

Block Ciphers Characteristics

cipher      release  block    key          # rounds  comment
DES         1977     64       56           16        secretly developed
3DES        1985     64       112,168      48        pragmatic solution
IDEA        1990     64       128          8.5
SAFER K-64  1993     64       64           6
BLOWFISH    1994     64       0–448        16
RC5         1996     2–256    0–255        0–255     64/128/12 recommended
CS-Cipher   1998     64       0–128        8
AES         2001     128      128,192,256  10,12,14  dependent parameters
KASUMI      2002     64       128          8         dedicated
FOX         2003     64,128   0–256        12–255

Classical Skeletons

Feistel schemes... and extensions
DES, 3DES, BLOWFISH, KASUMI

Lai-Massey scheme
IDEA, FOX

Substitution-permutation network
SAFER, CS-Cipher, AES

2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks


IDEA Groups

G = {0,1}^16 and a ⊙ b = a ⊕ b (microprocessor XOR on 16-bit words)

G = {0, 1, …, 2^16 − 1} and a ⊙ b = a + b mod 2^16 (microprocessor addition on 16-bit words)

G = {0, 1, …, 2^16 − 1} and a ⊙ b = a · b ... (next slide) (based on microprocessor multiplication on 16-bit words)

Reminders on Z_n

r = a mod n is the remainder of a divided by n in the Euclidean division: it is such that 0 ≤ r < n and r = a − q × n for some integer q

a ≡ b (mod n) means that a − b is a multiple of n, or equivalently that a mod n = b mod n

(a + (b mod n)) mod n = (a + b) mod n

Z_n = {0, 1, …, n − 1} is a group for a ⊙ b = (a + b) mod n

we also have (a × (b mod n)) mod n = (a × b) mod n

Abelian Group Laws

Definition

An Abelian group is a set G together with a mapping from G × G to G which maps (a, b) to an element denoted a ⊙ b and such that

1. [closure] for any a, b ∈ G, we have a ⊙ b ∈ G
2. [associativity] for any a, b, c, we have (a ⊙ b) ⊙ c = a ⊙ (b ⊙ c)
3. [neutral element] there exists an element e s.t. for any a, a ⊙ e = e ⊙ a = a
4. [invertibility] for any a there exists b s.t. a ⊙ b = b ⊙ a = e
5. [commutativity] for any a, b ∈ G, we have a ⊙ b = b ⊙ a

IDEA: The Lai-Massey Scheme

Designed at ETH-Zurich in 1992 by J. Massey and X. Lai

Patented by Ascom (IPR management outsourced to MediaCrypt)

well known to be used in PGP

part of the PhD Thesis of Xuejia Lai

dedicated to software on 16-bit microprocessors

alternate scheme to DES

block cipher with 64-bit blocks

128-bit key



IDEA from High Level

[Diagram: the input goes through round, round, …, round∗ (the final half-round); the key schedule derives subkey_1, subkey_2, …, subkey_8 from key (enc), one per round]

Computation of IDEA Multiplication (Nonzero Cases)

Let $a \times b = c_H \times 2^{16} + c_L$ and carry = 1 if $c_L < c_H$ and 0 otherwise

if $a \neq 0$ and $b \neq 0$

$a \cdot b = \big((a \times b) \bmod (2^{16} + 1)\big) \bmod 2^{16}$

$= \big((c_H \times 2^{16} + c_L) \bmod (2^{16} + 1)\big) \bmod 2^{16}$

$= \big((c_L - c_H) \bmod (2^{16} + 1)\big) \bmod 2^{16}$

$= \big(c_L - c_H + \mathrm{carry} \times (2^{16} + 1)\big) \bmod 2^{16}$

$= (c_L - c_H + \mathrm{carry}) \bmod 2^{16}$

Computation of IDEA Multiplication (Zero Cases)

for a = b = 0 we directly check this is correct

if a = 0 and b ≠ 0 (for b = 0 and a ≠ 0 we just exchange a and b)

$0 \cdot b = \big(2^{16} \times b \bmod (2^{16} + 1)\big) \bmod 2^{16}$

$= \big(-b \bmod (2^{16} + 1)\big) \bmod 2^{16}$

$= \big(2^{16} + 1 - b\big) \bmod 2^{16}$

$= (1 - b) \bmod 2^{16}$

$= (2 + \mathrm{NOT}(b)) \bmod 2^{16}$

IDEA Multiplication

$a \cdot b = \big((\bar a \times \bar b) \bmod (2^{16} + 1)\big) \bmod 2^{16}$

$\bar x = \begin{cases} x & \text{if } x \neq 0 \\ 2^{16} & \text{if } x = 0 \end{cases}$

$a \cdot b = (2 + \mathrm{NOT}(a + b)) \bmod 2^{16}$ if $a = 0$ or $b = 0$

$a \cdot b = (c_L - c_H + \mathrm{carry}) \bmod 2^{16}$ otherwise

where $a \times b = c_H \times 2^{16} + c_L$ and carry = 1 if $c_L < c_H$ and 0 otherwise

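As an added example (not from the slides), the IDEA multiplication as defined on the slide above, beside the microprocessor formulas derived on the two preceding slides, in Python; the sample words and the function names are mine.

```python
"""IDEA multiplication on 16-bit words: the definition and the microprocessor formulas of the slides."""
MOD = 2 ** 16 + 1      # 65537 is prime, so Z_65537^* is a group of order 2^16
MASK = 0xFFFF


def lift(x):
    """x̄: the word 0 stands for 2^16, every other word for itself."""
    return 2 ** 16 if x == 0 else x


def idea_mul_ref(a, b):
    """Definition: a · b = ((ā × b̄) mod (2^16 + 1)) mod 2^16."""
    return (lift(a) * lift(b) % MOD) % 2 ** 16


def idea_mul(a, b):
    """Same result without any modular reduction, from the two halves of the 32-bit product."""
    if a == 0 or b == 0:
        # zero case of the slide: (2 + NOT(a + b)) mod 2^16, NOT taken on a 16-bit word
        return (2 + ((a + b) ^ MASK)) & MASK
    c = a * b                                   # fits in 32 bits
    c_h, c_l = c >> 16, c & MASK                # a × b = c_H × 2^16 + c_L
    carry = 1 if c_l < c_h else 0
    return (c_l - c_h + carry) & MASK           # & MASK is the mod 2^16, also on a negative value


def idea_mul_inv(a):
    """Inverse for ·: ā^(2^16 - 1) in Z_65537^* (Fermat), folded back to a 16-bit word."""
    return pow(lift(a), MOD - 2, MOD) % 2 ** 16


def agrees_on(samples):
    """True when the fast formula matches the definition on every pair of sample words."""
    return all(idea_mul(a, b) == idea_mul_ref(a, b) for a in samples for b in samples)


SAMPLES = [0, 1, 2, 3, 255, 256, 257, 4242, 32767, 32768, 40000, 65535]

if __name__ == "__main__":
    print(agrees_on(SAMPLES))                      # True
    print(idea_mul(256, 256), idea_mul(0, 5))      # 0 (the word for 2^16), 65532
    print(all(idea_mul(a, idea_mul_inv(a)) == 1 for a in SAMPLES))   # True
```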

The MA Structure in IDEA

[Diagram: the multiplication-addition box: two inputs and two subkeys, multiplications (·) and additions (+) alternating on the two paths, two outputs]

One IDEA Decryption Round

[Diagram: the encryption round with the inverse operations (/ − − /) applied to the four input words with their subkeys, the MA box with its two subkeys, the XORs and the swap of the two middle words]

One IDEA Round

[Diagram: the four 16-bit input words are combined with four subkeys (· + + ·), two XORs feed the MA box with its two subkeys, the MA outputs are XORed back into the four words, and the two middle words are swapped]

IDEA Decryption from High Level

[Diagram: i-round, i-round, …, i-round∗; the key schedule derives subkey_8, subkey_7, …, subkey_1 from key (dec), used in reverse order]


SAFER Pseudo-Hadamard Transform

2-PHT: (x, y) ↦ (u, v)
u = 2x + y mod 256, v = x + y mod 256

2-PHT^{−1}: (u, v) ↦ (x, y)
x = u − v mod 256, y = 2v − u mod 256

SAFER Substitution Boxes

E(x) = (45^x mod 257) mod 256

L(x) = E^{−1}(x)

Z_256 is a group isomorphic to Z*_257

...indeed, 257 is a prime number, so Z*_257 is a cyclic group of order 256...

45 generates Z*_257

...indeed, 45^128 mod 257 ≠ 1 so 45 is of order 256...

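As an added example (not from the slides), the SAFER S-boxes E and L and the 2-PHT of the two preceding slides in Python, checking the generator and isomorphism claims; the function names are mine.

```python
"""SAFER K-64 building blocks from the slides: the E/L S-boxes over Z_257^* and the 2-PHT."""
P = 257        # prime, so Z_257^* is a cyclic group of order 256
GEN = 45       # the generator used by SAFER


def is_generator(g, p=P):
    """For p = 257 the group order is 2^8, so g generates iff g^128 mod 257 != 1."""
    return pow(g, (p - 1) // 2, p) != 1


def exp_table(g=GEN):
    """E(x) = (g^x mod 257) mod 256 for x in 0..255 (the value 256 becomes 0, closing the gap)."""
    return [pow(g, x, P) % 256 for x in range(256)]


def log_table(g=GEN):
    """L = E^{-1}, built by inverting the exponential table."""
    table = [0] * 256
    for x, y in enumerate(exp_table(g)):
        table[y] = x
    return table


def is_permutation(table):
    return sorted(table) == list(range(256))


def isomorphism_holds(x, y, g=GEN):
    """Z_256 ≅ Z_257^*: g^(x + y mod 256) = g^x · g^y in Z_257^* (0 in the E table means 256)."""
    lift = lambda v: 256 if v == 0 else v
    e = exp_table(g)
    return lift(e[(x + y) % 256]) == (lift(e[x]) * lift(e[y])) % P


def pht(x, y):
    """2-PHT: u = 2x + y mod 256, v = x + y mod 256."""
    return (2 * x + y) % 256, (x + y) % 256


def pht_inv(u, v):
    """2-PHT^{-1}: x = u - v mod 256, y = 2v - u mod 256."""
    return (u - v) % 256, (2 * v - u) % 256


if __name__ == "__main__":
    E, L = exp_table(), log_table()
    print(is_generator(45), is_permutation(E), all(L[E[x]] == x for x in range(256)))
    print(E[0], E[128], pht(200, 77), pht_inv(*pht(200, 77)))   # 1 0 (221, 21) (200, 77)
```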
SAFER K−64

[Diagram: one round: the eight bytes are mixed with a round key (⊕ + + ⊕ ⊕ + + ⊕), pass through the S-boxes E L L E E L L E, are mixed with a second round key (+ ⊕ ⊕ + + ⊕ ⊕ +), then go through three layers of 2-PHT boxes with a fixed byte permutation between the layers]

SAFER K−64

Designed at ETH-Zurich in 1993 by James Massey

Property of Cylink

dedicated to software on 8-bit microprocessors

substitution-permutation network

block cipher with 64-bit blocks

64-bit key


RC4 (Alleged)

[Diagram: Key → key schedule → registers i and j and the permutation S[0], S[1], …, S[255]; the automaton then repeats the following step for each output byte]

1: i ← i + 1
2: j ← j + S[i]
3: swap S[i] and S[j]
4: output S[S[i] + S[j]]

RC4

Designed at MIT in 1987 by Ronald Rivest

Trade secret of RSA Security Inc.

illegally disclosed in 1994

well known to be used in SSL

dedicated to software on 8-bit microprocessors

stream cipher with byte streams

key length from 40 to 256

Stream Ciphers from a High Level

[Diagram: key and nonce → key schedule → init. state → automaton → key stream; ciphertext stream = plaintext stream ⊕ key stream]

2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks

SV 2007 Basic Crypto EPFL-SSC 97 / 528


A5/1 from a High Level

(Figure:) KC (64 bits), Count → key schedule → automaton → 114-bit key stream

ciphertext frame = plaintext frame ⊕ key stream (114 bits)

SV 2007 Basic Crypto EPFL-SSC 104 / 528

GSM A5/1

Designed at ETSI by the SAGE group

Trade secret of the GSM consortium

reverse engineered

dedicated to lightweight hardware

stream cipher on bit streams

64-bit key and 22-bit counter

SV 2007 Basic Crypto EPFL-SSC 103 / 528

RC4 in Security Protocols

In SSL/TLS:
    key is used only once
    first 256 output bytes are dropped
    state is kept from one message to the other

In WEP:
    key is the concatenation of a 3-byte nonce (sent in clear) and a 5-byte key

SV 2007 Basic Crypto EPFL-SSC 102 / 528

RC4 Key Schedule

1: j ← 0
2: for i = 0 to 255 do
3:     S[i] ← i
4: end for
5: for i = 0 to 255 do
6:     j ← j + S[i] + K[i mod ℓ]
7:     swap S[i] and S[j]
8: end for
9: i ← 0
10: j ← 0

(ℓ is the key length in bytes; additions are modulo 256)

SV 2007 Basic Crypto EPFL-SSC 101 / 528
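As an added example (not code from the slides), the key schedule and the output automaton of the two RC4 slides in working form, with the "drop the first output bytes" step from the SSL/TLS note; the test vectors are the widely published ones ("Key"/"Plaintext"), not values from the slides:

```python
# Added example, not from the slides: the RC4 key schedule and output automaton
# exactly as written on the two RC4 slides, plus the "drop the first output
# bytes" step from the SSL/TLS deployment note. Test vectors are the widely
# published ones ("Key"/"Plaintext" etc.), not values from the slides.

def rc4_key_schedule(key: bytes) -> list:
    """KSA: S starts as the identity permutation and is scrambled by the key
    (index arithmetic modulo 256; len(key) is the key length l in bytes)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """PRGA: return n key-stream bytes after discarding the first `drop`
    (drop=256 mirrors the SSL/TLS practice on the slide above)."""
    S = rc4_key_schedule(key)
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xff])
    return bytes(out[drop:])

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encryption and decryption are the same XOR with the key stream."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))

def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Why the slide insists the key is used only once: two ciphertexts under
    the same key stream XOR to the XOR of the plaintexts, no key involved."""
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", rc4_crypt(b"Key", b"Plaintext")))
```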


A5/1 Key Schedule

1: set all registers to zero
2: for i = 0 to 63 do
3:     R1[0] ← R1[0] ⊕ KC[i]
4:     R2[0] ← R2[0] ⊕ KC[i]
5:     R3[0] ← R3[0] ⊕ KC[i]
6:     clock all registers
7: end for
8: for i = 0 to 21 do
9:     R1[0] ← R1[0] ⊕ Count[i]
10:    R2[0] ← R2[0] ⊕ Count[i]
11:    R3[0] ← R3[0] ⊕ Count[i]
12:    clock all registers
13: end for
14: for i = 0 to 99 do
15:    clock the A5/1 automaton
16: end for

SV 2007 Basic Crypto EPFL-SSC 108 / 528

A5/1 in Key Schedule

(Figure: the three LFSRs with their feedback ⊕ taps, clocked by CLK1, CLK2, CLK3; during the key schedule all three clocks run together and the key or counter bit is ⊕-ed into each register.)

SV 2007 Basic Crypto EPFL-SSC 107 / 528

A5/1 Automaton

(Figure: the same three LFSRs clocked by CLK1, CLK2, CLK3, each with a clocking bit t1, t2, t3; the output bit is the ⊕ of the three register outputs.)

CLK_i = CLK if t_i = majority(t1, t2, t3), 0 otherwise

SV 2007 Basic Crypto EPFL-SSC 106 / 528

Linear Feedback Shift Register (LFSR)

at time t, R_i = x_{t+i}

when CLK = 1, load R_i with R_{i+1}

(Figure: a chain of registers R_0 = x_t, R_1 = x_{t+1}, R_2 = x_{t+2}, . . . , R_9 = x_{t+9}; the output is x_t and the new value x_{t+10} is the ⊕ of the tapped registers.)

connection polynomial: a_d x^d + · · · + a_1 x + a_0 (example: x^10 + x^5 + x^2 + x + 1)

recursion: a_d x_{t+d} ⊕ · · · ⊕ a_1 x_{t+1} ⊕ a_0 x_t = 0 for any t
so, if a_d = 1, we have x_{t+d} = a_{d−1} x_{t+d−1} ⊕ · · · ⊕ a_0 x_t for any t (linear recursion)

maximal period ⟺ primitive polynomial ⟹ irreducible polynomial

SV 2007 Basic Crypto EPFL-SSC 105 / 528
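As an added example (not code from the slides), an LFSR driven by its connection polynomial, the period test behind "maximal period ⟺ primitive polynomial", and an A5/1-style stop/go generator that loads the registers as the key-schedule slide describes and clocks them with the majority rule; the register sizes, taps and clocking-bit positions are constructed for the demonstration and are not the real A5/1 parameters:

```python
# Added example, not from the slides: a Fibonacci LFSR described by its
# connection polynomial (bit i of `poly` is a_i, with a_d = 1), the period of
# its output sequence, and an A5/1-style stop/go generator using the majority
# clocking rule from the automaton slide. The three register sizes, taps and
# clocking-bit positions below are constructed and NOT the GSM specification.

def poly(*exps) -> int:
    """Connection polynomial from its monomial degrees, e.g. poly(10, 5, 2, 1, 0)."""
    p = 0
    for e in exps:
        p |= 1 << e
    return p

def lfsr_step(state: int, p: int, d: int):
    """One clock: state bit i holds R_i = x_{t+i}. Output R_0 = x_t, shift every
    R_i <- R_{i+1}, and load R_{d-1} with x_{t+d} = a_{d-1}x_{t+d-1} ^ ... ^ a_0 x_t."""
    out = state & 1
    fb = 0
    for i in range(d):
        if (p >> i) & 1:
            fb ^= (state >> i) & 1
    return out, (state >> 1) | (fb << (d - 1))

def lfsr_period(p: int, d: int, seed: int = 1) -> int:
    """Clocks until the (nonzero) state returns to `seed`. For an irreducible
    polynomial this divides 2^d - 1; it equals 2^d - 1 iff the polynomial is
    primitive (the slide's 'maximal period' criterion)."""
    state, n = seed, 0
    while True:
        _, state = lfsr_step(state, p, d)
        n += 1
        if state == seed:
            return n

def majority(t1: int, t2: int, t3: int) -> int:
    return (t1 & t2) | (t1 & t3) | (t2 & t3)

class StopGoGenerator:
    """Three LFSRs; register i is clocked only when its clocking bit t_i agrees
    with majority(t1, t2, t3). The key-stream bit is the XOR of the outputs."""

    def __init__(self, regs):
        # regs: list of [state, poly, length, clocking_bit_index]
        self.regs = [list(r) for r in regs]

    def clock_all(self):
        for r in self.regs:
            _, r[0] = lfsr_step(r[0], r[1], r[2])

    def clock_majority(self) -> int:
        bits = [(r[0] >> r[3]) & 1 for r in self.regs]
        m = majority(*bits)
        out = 0
        for r, t in zip(self.regs, bits):
            if t == m:
                _, r[0] = lfsr_step(r[0], r[1], r[2])
            out ^= r[0] & 1
        return out

# Constructed parameters (poly, length, clocking bit) of A5/1-like sizes.
REGS = [(poly(19, 5, 2, 1, 0), 19, 8),
        (poly(22, 1, 0), 22, 10),
        (poly(23, 5, 0), 23, 10)]

def keystream(key: int, count: int, n: int = 114) -> list:
    """Loading as on the key-schedule slide: XOR the 64 key bits, then the 22
    counter bits, into R[0] of every register with all registers clocked;
    then 100 majority clocks; then n output bits."""
    gen = StopGoGenerator([[0, p, d, cb] for p, d, cb in REGS])
    for i in range(64):
        for r in gen.regs:
            r[0] ^= (key >> i) & 1
        gen.clock_all()
    for i in range(22):
        for r in gen.regs:
            r[0] ^= (count >> i) & 1
        gen.clock_all()
    for _ in range(100):
        gen.clock_majority()
    return [gen.clock_majority() for _ in range(n)]

if __name__ == "__main__":
    print("period of x^10 + x^3 + 1:", lfsr_period(poly(10, 3, 0), 10))
    print("period of x^10 + x^5 + x^2 + x + 1:", lfsr_period(poly(10, 5, 2, 1, 0), 10))
    print(keystream(0x1234567890ABCDEF, 0x2B4)[:16])
```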


E0 Key Schedule

BD_ADDR: the logical 48-bit address of the master

CLK: the 26-bit clock value of the master

Kc: the encryption key, whose length is an integral number of bytes between 1 and 16

linearly expand Kc into a 128-bit key

enter the expanded key, BD_ADDR, and CLK in the first level automaton

clock it, get 128 bits which are put in the second level automaton

SV 2007 Basic Crypto EPFL-SSC 112 / 528

One-Level E0

(Figure: four LFSRs of 25, 31, 33 and 39 bits produce the bits x^1_t, x^2_t, x^3_t, x^4_t, which are summed (+) into y^0_t, y^1_t, y^2_t; the sum is combined (+) with the 2-bit state s^0_{t+1}, s^1_{t+1}, which passes through z^{−1} delays holding c^0_t, c^1_t and c^0_{t−1}, c^1_{t−1} and is fed back through ⊕ gates to give c^0_{t+1}, c^1_{t+1}; the key-stream bit z_t is the ⊕ of the four LFSR outputs and c^0_t.)

SV 2007 Basic Crypto EPFL-SSC 111 / 528

E0 from a High Level

(Figure:) Kc, BD_ADDR, CLK → E0 level 1 → 128 bits → E0 level 2 → 2745 bits of key stream

ciphertext frame = plaintext frame ⊕ key stream

Frames are limited to 2745 bits

Clock-based resynchronization using an additional E0 level

SV 2007 Basic Crypto EPFL-SSC 110 / 528

Bluetooth E0

Designed by the Special Interest Group (SIG)

Bluetooth standard

default encryption scheme

dedicated to lightweight hardware

stream cipher on bit streams

key of up to 128 bits and 26-bit clock

SV 2007 Basic Crypto EPFL-SSC 109 / 528


One Non-Terminal Round of Rijndael

(Figure:) state → SubBytes → ShiftRows → MixColumns → AddRoundKey (with the round key) → state

SV 2007 Basic Crypto EPFL-SSC 116 / 528

Rijndael Skeleton

128-bit block −→ 4×4 square matrix of bytes

Nr = 10, 12 or 14 rounds depending on the key size of 128, 192 or 256 bits

AES encryption (s, W)
1: AddRoundKey (s, W_0)
2: for r = 1 to Nr−1 do
3:     SubBytes (s)
4:     ShiftRows (s)
5:     MixColumns (s)
6:     AddRoundKey (s, W_r)
7: end for
8: SubBytes (s)
9: ShiftRows (s)
10: AddRoundKey (s, W_Nr)

SV 2007 Basic Crypto EPFL-SSC 115 / 528

AES: the Advanced Encryption Standard

US Standard from NIST, a branch of the Department of Commerce, in 2001

public process based on a call for proposals

standard version of Rijndael

Rijndael was designed by Joan Daemen and Vincent Rijmen in Belgium

dedicated to software on 8-bit microprocessors

block cipher with 128-bit blocks

key of length 128, 192, or 256 bits

SV 2007 Basic Crypto EPFL-SSC 114 / 528

2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks

SV 2007 Basic Crypto EPFL-SSC 113 / 528


Introduction to GF Arithmetics in Rijndael

we use the following representation rule

    byte    bit string          polynomial
    B       b7 · · · b2 b1 b0   b7.x^7 + · · · + b2.x^2 + b1.x + b0

we replace every 2 by 0 in polynomials
hence 3 = 2 + 1 is replaced by 0 + 1 = 1, 4 is replaced by 0, ...
→ monomial coefficients are binary

we replace every x^8 by x^4 + x^3 + x + 1 in polynomials
hence x^9 = x^8 × x is replaced by x^5 + x^4 + x^2 + x, ...
→ polynomials have degree at most 7

SV 2007 Basic Crypto EPFL-SSC 120 / 528

AddRoundKey

AddRoundKey (s, k)
1: for i = 0 to 3 do
2:     for j = 0 to 3 do
3:         s_{i,j} ← s_{i,j} ⊕ k_{i,j}
4:     end for
5: end for

(Figure:)

    s0,0 s0,1 s0,2 s0,3          s0,0⊕k0,0 s0,1⊕k0,1 s0,2⊕k0,2 s0,3⊕k0,3
    s1,0 s1,1 s1,2 s1,3    →     s1,0⊕k1,0 s1,1⊕k1,1 s1,2⊕k1,2 s1,3⊕k1,3
    s2,0 s2,1 s2,2 s2,3          s2,0⊕k2,0 s2,1⊕k2,1 s2,2⊕k2,2 s2,3⊕k2,3
    s3,0 s3,1 s3,2 s3,3          s3,0⊕k3,0 s3,1⊕k3,1 s3,2⊕k3,2 s3,3⊕k3,3

SV 2007 Basic Crypto EPFL-SSC 119 / 528

ShiftRows

ShiftRows (s)
1: replace [s1,0, s1,1, s1,2, s1,3] by [s1,1, s1,2, s1,3, s1,0]
2: replace [s2,0, s2,1, s2,2, s2,3] by [s2,2, s2,3, s2,0, s2,1]
3: replace [s3,0, s3,1, s3,2, s3,3] by [s3,3, s3,0, s3,1, s3,2]

(Figure:)

    s0,0 s0,1 s0,2 s0,3          s0,0 s0,1 s0,2 s0,3
    s1,0 s1,1 s1,2 s1,3    →     s1,1 s1,2 s1,3 s1,0
    s2,0 s2,1 s2,2 s2,3          s2,2 s2,3 s2,0 s2,1
    s3,0 s3,1 s3,2 s3,3          s3,3 s3,0 s3,1 s3,2

SV 2007 Basic Crypto EPFL-SSC 118 / 528

SubBytes

SubBytes (s)
1: for i = 0 to 3 do
2:     for j = 0 to 3 do
3:         s_{i,j} ← S-box(s_{i,j})
4:     end for
5: end for

(Figure:)

    s0,0 s0,1 s0,2 s0,3          S(s0,0) S(s0,1) S(s0,2) S(s0,3)
    s1,0 s1,1 s1,2 s1,3    →     S(s1,0) S(s1,1) S(s1,2) S(s1,3)
    s2,0 s2,1 s2,2 s2,3          S(s2,0) S(s2,1) S(s2,2) S(s2,3)
    s3,0 s3,1 s3,2 s3,3          S(s3,0) S(s3,1) S(s3,2) S(s3,3)

SV 2007 Basic Crypto EPFL-SSC 117 / 528


MixColumns

(Figure:) columns s_{·,0} s_{·,1} s_{·,2} s_{·,3}  →  M × s_{·,0}, M × s_{·,1}, M × s_{·,2}, M × s_{·,3}

SV 2007 Basic Crypto EPFL-SSC 124 / 528

MixColumns

MixColumns (s)
1: for i = 0 to 3 do
2:     let v be the 4-dimensional vector with coordinates s_{0,i}, s_{1,i}, s_{2,i}, s_{3,i}
3:     replace s_{0,i}, s_{1,i}, s_{2,i}, s_{3,i} by the coordinates of M × v
4: end for

        0x02 0x03 0x01 0x01
M =     0x01 0x02 0x03 0x01
        0x01 0x01 0x02 0x03
        0x03 0x01 0x01 0x02

SV 2007 Basic Crypto EPFL-SSC 123 / 528

GF Arithmetics

A byte a = a7 . . . a1 a0 represents an element of the finite field GF(2^8) as a polynomial a0 + a1.x + . . . + a7.x^7 modulo x^8 + x^4 + x^3 + x + 1 and modulo 2

    byte    bit string    polynomial
    0x00    00000000      0
    0x01    00000001      1
    0x02    00000010      x
    0x03    00000011      x + 1
    0x1b    00011011      x^4 + x^3 + x + 1

Addition: a simple XOR

Multiplication by 0x01: nothing

Multiplication by 0x02: shift and XOR with 0x1b if carry

Multiplication by 0x03: XOR of multiplications by 0x01 and 0x02

SV 2007 Basic Crypto EPFL-SSC 122 / 528

Examples

0x5c + 0x2a = 0x76

    byte      bit string    polynomial
    0x5c      01011100      x^6 + x^4 + x^3 + x^2
  + 0x2a      00101010      x^5 + x^3 + x
                          = x^6 + x^5 + x^4 + 2.x^3 + x^2 + x
  = 0x76      01110110      x^6 + x^5 + x^4 + x^2 + x

0x9e × 0x02 = 0x27

    byte      bit string    polynomial
    0x9e      10011110      x^7 + x^4 + x^3 + x^2 + x
  × 0x02      00000010      x
                          = x^8 + x^5 + x^4 + x^3 + x^2
                          = x^5 + 2.x^4 + 2.x^3 + x^2 + x + 1
  = 0x27      00100111      x^5 + x^2 + x + 1

SV 2007 Basic Crypto EPFL-SSC 121 / 528


Trying to Open a Safe (Online Attack)

For any k, we can ask the safe whether the secret key is equal to k

(Figure:) attack --(k)--> safe (holding the key) --(yes/no)--> attack

SV 2007 Basic Crypto EPFL-SSC 128 / 528

2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks

SV 2007 Basic Crypto EPFL-SSC 127 / 528

Key Expansion

KeyExpansion (key, Nk)
1: for i = 0 to Nk−1 do
2:     w_i ← key_i
3: end for
4: for i = Nk to 4(Nr + 1)−1 do
5:     t ← w_{i−1}
6:     if i mod Nk = 0 then
7:         replace [t1, t2, t3, t4] by [t2, t3, t4, t1] in t
8:         apply S-box to the four bytes of t
9:         XOR x^{i/Nk−1} (in GF) onto the first byte of t
10:    else if Nk = 8 and i mod Nk = 4 then
11:        apply S-box to the four bytes of t
12:    end if
13:    w_i ← w_{i−Nk} ⊕ t
14: end for

SV 2007 Basic Crypto EPFL-SSC 126 / 528

Key Expansion

we consider W as a sequence of 4(Nr + 1) = 44 (resp. 52, 60) rows (32-bit words) w

we consider the key as a sequence of Nk = 4 (resp. 6, 8) rows

the w_i are iteratively loaded:
    the first w_i are loaded with the key
    w_i is loaded with w_{i−Nk} ⊕ w_{i−1}

every Nk iterations, the w_i is modified before the XOR
for Nk = 8, we add an extra modification

SV 2007 Basic Crypto EPFL-SSC 125 / 528
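As an added example (not code from the slides), the GF(2^8) arithmetic, the four round operations and KeyExpansion of the preceding slides assembled into a complete AES-128 encryption; the S-box is computed from the GF(2^8) inverse and the Rijndael affine map rather than typed in, and the check value is the FIPS-197 Appendix C.1 vector:

```python
# Added example, not from the slides: a compact AES-128 encryption assembled from
# the pieces described above (GF(2^8) arithmetic, SubBytes, ShiftRows,
# MixColumns, AddRoundKey and KeyExpansion). The S-box is derived from the
# GF(2^8) inverse and the Rijndael affine map rather than typed in; the test
# vector is the FIPS-197 Appendix C.1 one.

def xtime(a: int) -> int:
    """Multiplication by 0x02: shift, then XOR with 0x1b if a carry left bit 7."""
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a

def gf_mul(a: int, b: int) -> int:
    """Product in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (0 maps to 0, which the S-box needs)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def _rotl8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xff

def _sbox_entry(x: int) -> int:
    v = gf_inv(x)   # inversion, then the affine map over GF(2) with constant 0x63
    return v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]   # the matrix M

def key_expansion(key: bytes, nk: int = 4, nr: int = 10) -> list:
    """KeyExpansion from the slide: w_i = w_{i-nk} ^ t, where every nk words
    t is rotated, S-boxed and XORed with x^(i/nk - 1) on its first byte."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1                                   # x^0, multiplied by x each time
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk == 8 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][k] ^ t[k] for k in range(4)])
    return w

def add_round_key(s, w, r):
    for i in range(4):
        for j in range(4):
            s[i][j] ^= w[4 * r + j][i]          # word j of round key r is column j

def sub_bytes(s):
    for i in range(4):
        for j in range(4):
            s[i][j] = SBOX[s[i][j]]

def shift_rows(s):
    for i in range(1, 4):
        s[i] = s[i][i:] + s[i][:i]              # row i rotated left by i

def mix_columns(s):
    for j in range(4):
        col = [s[i][j] for i in range(4)]
        for i in range(4):
            s[i][j] = 0
            for k in range(4):
                s[i][j] ^= gf_mul(MIX[i][k], col[k])

def aes128_encrypt(key: bytes, block: bytes) -> bytes:
    """The Rijndael skeleton: AddRoundKey, nr-1 full rounds, a final round
    without MixColumns. State s[i][j] holds byte i + 4j of the block."""
    nr = 10
    w = key_expansion(key, 4, nr)
    s = [[block[i + 4 * j] for j in range(4)] for i in range(4)]
    add_round_key(s, w, 0)
    for r in range(1, nr):
        sub_bytes(s)
        shift_rows(s)
        mix_columns(s)
        add_round_key(s, w, r)
    sub_bytes(s)
    shift_rows(s)
    add_round_key(s, w, nr)
    return bytes(s[i][j] for j in range(4) for i in range(4))

if __name__ == "__main__":
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt(key, pt).hex())   # 69c4e0d86a7b0430d8cdb78070b4c55a
```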


Exhaustive Search Algorithm

Input: an oracle O, a set of possible keys K = {k1, . . . , kN}
Oracle interface: input is an element of K, output is Boolean

1: pick a random permutation σ of {1, . . . , N}
2: for all i = 1 to N do
3:     if O(k_σ(i)) then
4:         yield k_σ(i) and stop
5:     end if
6: end for
7: search failed

SV 2007 Basic Crypto EPFL-SSC 132 / 528

Key Recovery Game with a Stop Test Oracle (Online)

Adversary                                  Challenger
                                           pick a random K
try k1      -- query k1 -->
            <-- no --                      k1 ≠ K
try k2      -- query k2 -->
            <-- no --                      k2 ≠ K
...
            -- query k -->
            <-- yes --                     k = K

SV 2007 Basic Crypto EPFL-SSC 131 / 528

Using a Stop Test Oracle

We use an oracle which tells whether the key we are looking for is equal to the queried k

(Figure:) attack --(k)--> oracle (holding the key) --(yes/no)--> attack

(on-line attacks) access trial

(off-line attacks) we obtained a witness W(K) for the key K

SV 2007 Basic Crypto EPFL-SSC 130 / 528

Guessing a Key using Some Significant Information (Offline Attack)

For any k, we can check whether k is consistent with the information we have

(Figure:) attack --(k)--> consistent? --(yes/no)--> attack

SV 2007 Basic Crypto EPFL-SSC 129 / 528


Examples of Witness Functions

useful witnesses for exhaustive search:
    known plaintext attack: we get some random (x, C_K(x)) pair
    ciphertext only attack with redundant plaintexts: we get C_K(x) for a random redundant x

other witnesses which can be used for precomputation:
    chosen plaintext attack: we can get C_K(x) for some chosen x
    leakage of C_K(x) for a fixed message x for application (e.g. UNIX passwords) reasons

SV 2007 Basic Crypto EPFL-SSC 136 / 528

Online and Offline UNIX Passwords Recovery

online: try to connect using a guess for the password until it works
    can be thwarted by audit tools

offline: get a witness from /etc/passwd and look for a guess which is consistent with the witness
    may be precomputed or not

SV 2007 Basic Crypto EPFL-SSC 135 / 528

Key Recovery Game with a Witness (Offline)

Adversary                                  Challenger
                                           pick a random K
            <-- W(K) --
...
            -- query k -->                 win if k = K

SV 2007 Basic Crypto EPFL-SSC 134 / 528

Complexity Analysis

number of iterations:
    worst case      N
    average case    (N + 1) / 2

NB: we can decrease the average complexity if we know the a priori distribution

SV 2007 Basic Crypto EPFL-SSC 133 / 528


Complexity Analysis

Precomputation time       D
Memory complexity         D
Time complexity           T
Probability of success    1 − (1 − D/N)^T ≈ 1 − e^{−DT/N}

This is quite interesting when D ≈ T ≈ √N...

SV 2007 Basic Crypto EPFL-SSC 140 / 528

Extension: Multi-Target Dictionary Attack

Input: a deterministic witness function W for keys

Preprocessing
1: for D different candidates K do
2:     compute W(K)
3:     insert (W(K), K) in a dictionary
4: end for
5: output the dictionary

Attack
Attack input: T many witnesses y_i = W(K_i), a dictionary
6: for i = 1 to T do
7:     look at y_i in the dictionary
8:     for all (y_i, K) in the dictionary do
9:         yield i, K
10:    end for
11: end for

SV 2007 Basic Crypto EPFL-SSC 139 / 528

Complexity Analysis

Precomputation time       D
Memory complexity         D
Time complexity           ≈ 1
Probability of success    D/N (with randomly selected dictionary keys)

SV 2007 Basic Crypto EPFL-SSC 138 / 528

Dictionary Attack

Input: a deterministic witness function W for keys

Preprocessing
1: for D different candidates K do
2:     compute W(K)
3:     insert (W(K), K) in a dictionary
4: end for
5: output the dictionary

Attack
Attack input: a witness y = W(K), a dictionary
6: look at y in the dictionary
7: for all (y, K) in the dictionary do
8:     yield K
9: end for

SV 2007 Basic Crypto EPFL-SSC 137 / 528
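As an added example (not code from the slides), the exhaustive search, the dictionary attack and its multi-target extension from the slides above, run on a toy key space so that the complexity figures can be checked; the witness W(K) is assumed to be a SHA-256 digest of the key, and N = 2^12 and D = 2^6 are constructed sizes:

```python
# Added example, not from the slides: the exhaustive search, dictionary and
# multi-target dictionary attacks of the preceding slides run against a toy
# key space, together with the complexity figures they are meant to illustrate.
# The witness W(K) is assumed to be a SHA-256 digest of the key; the key space
# size N = 2^12 and the dictionary size D = 2^6 are constructed choices.
import hashlib
import random

N = 1 << 12          # keys are the integers 0 .. N-1
D = 1 << 6

def witness(k: int) -> bytes:
    """Deterministic witness W(K) (assumption: SHA-256 of the key bytes)."""
    return hashlib.sha256(k.to_bytes(4, "big")).digest()

def exhaustive_search(oracle, keys, seed: int = 0):
    """Slide algorithm: query the stop-test oracle on the keys in random order.
    Returns (key or None, number of oracle queries)."""
    order = list(keys)
    random.Random(seed).shuffle(order)
    for n, k in enumerate(order, start=1):
        if oracle(k):
            return k, n
    return None, len(order)

def average_queries(n_keys: int) -> float:
    """Exact mean of the iteration count over all possible secret keys for one
    fixed ordering: (1 + 2 + ... + N) / N = (N + 1) / 2, as on the slide."""
    return sum(range(1, n_keys + 1)) / n_keys

def build_dictionary(candidates) -> dict:
    """Preprocessing: map W(K) -> K for D candidates."""
    return {witness(k): k for k in candidates}

def dictionary_attack(y: bytes, dictionary: dict):
    """Single target: one lookup."""
    return dictionary.get(y)

def multi_target_dictionary_attack(ys, dictionary: dict) -> dict:
    """T witnesses share one precomputed dictionary; returns the (i, K) hits."""
    return {i: dictionary[y] for i, y in enumerate(ys) if y in dictionary}

def success_probability(d: int, n: int, t: int = 1) -> float:
    """P[some target among T is covered by a random D-entry dictionary]
    = 1 - (1 - D/N)^T; for T = 1 this is the slide's D/N."""
    return 1 - (1 - d / n) ** t

if __name__ == "__main__":
    rng = random.Random(1)
    secret = rng.randrange(N)
    k, queries = exhaustive_search(lambda g: g == secret, range(N))
    print("exhaustive search found", k, "after", queries, "queries;",
          "expected average", average_queries(N))
    dictionary = build_dictionary(rng.sample(range(N), D))
    targets = [rng.randrange(N) for _ in range(64)]
    hits = multi_target_dictionary_attack([witness(t) for t in targets], dictionary)
    print(len(hits), "of 64 targets recovered; expected about",
          round(64 * success_probability(D, N), 1))
```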


Double DES

(Figure:) X → DES (key K1) → Z → DES (key K2) → Y

K = (K1, K2)

this does not work

SV 2007 Basic Crypto EPFL-SSC 144 / 528

Security of Passwords with less than 48 Bits of Entropy

A password of 8 i.u.d. random characters in {a, . . . , z, A, . . . , Z, 0, . . . , 9} has less than 48 bits of entropy

classical conventional cryptography may require about 300 cycles on a P4 2GHz to check a guess (= 2^22.6 guesses per second)
−→ 256 d to find a password with a PC

time-memory tradeoffs cracked a (36-bit entropy) password within a few seconds (complexity N^{2/3} + precomputation N)
−→ 1 h to find a password (+ a year of precomputation)

special purpose hardware cracked 56-bit keys within a day
−→ 5 min to find a password

distributed.net cracked 64-bit keys within 1757 days in 2002
−→ 40 min to find a password

SV 2007 Basic Crypto EPFL-SSC 143 / 528

Application to DES

    strategy             preprocessing    memory    time
    exhaustive search    0                1         2^56
    dictionary attack    2^56             2^56      1
    tradeoffs            2^56             2^37      2^37

→ the key of DES is too short!
→ we need some way to enlarge the key

SV 2007 Basic Crypto EPFL-SSC 142 / 528

Summary of Single-Target Brute Force Attacks

    strategy             preprocessing    memory     time       success proba.
    exhaustive search    0                1          N          1
    dictionary attack    N                N          1          1
    tradeoffs            N                N^{2/3}    N^{2/3}    constant
    exhaustive search    0                1          D          D/N
    dictionary attack    D                D          1          D/N

SV 2007 Basic Crypto EPFL-SSC 141 / 528


Conclusion

block ciphers + modes of operation, and stream ciphers

many proposals, little rationale

governmental and industrial interest: trade secrets, patents, regulation

security goal: make sure that no better attacks than generic ones exist

SV 2007 Basic Crypto EPFL-SSC 148 / 528

Two-Key Triple DES

(Figure:) X → DES (key K1) → DES^{−1} (key K2) → DES (key K1) → Y

K = (K1, K2)

SV 2007 Basic Crypto EPFL-SSC 147 / 528

Complexity Analysis

Memory complexity         #K′ (2^56 for double DES)
Time complexity           #K′ + #K′′ (2^57 for double DES)
Probability of success    1

SV 2007 Basic Crypto EPFL-SSC 146 / 528

Meet-in-the-Middle Attack

Input: two encryption schemes C′ and C′′ with two corresponding sets of possible keys K′ and K′′, an (x, y) pair with y = C′′_{K2}(C′_{K1}(x))
1: for all k1 ∈ K′ do
2:     compute z = C′_{k1}(x)
3:     insert (z, k1) in a hash table (indexed with the first entry)
4: end for
5: for all k2 ∈ K′′ do
6:     compute z = C′′^{−1}_{k2}(y)
7:     for all (z, k1) in the hash table do
8:         yield (k1, k2) as a possible key
9:     end for
10: end for

SV 2007 Basic Crypto EPFL-SSC 145 / 528
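As an added example (not code from the slides), the meet-in-the-middle algorithm above run against double encryption; DES is replaced by a constructed 32-bit toy cipher with 16-bit keys, so the whole attack runs in a second while keeping the #K′ + #K′′ cost structure, and extra (x, y) pairs are used to discard the false candidates a single pair leaves:

```python
# Added example, not from the slides: the meet-in-the-middle algorithm above run
# against double encryption with a constructed 32-bit toy block cipher with
# 16-bit keys (not DES). One (x, y) pair costs about 2 * 2^16 cipher calls
# instead of the 2^32 of exhaustive search over (k1, k2); extra pairs weed out
# the false candidates a single pair leaves behind.

MASK32 = 0xffffffff
MULT = 0x9e3779b1                     # odd, so invertible modulo 2^32
MULT_INV = pow(MULT, -1, 1 << 32)

def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32

def _rotr32(v: int, n: int) -> int:
    return ((v >> n) | (v << (32 - n))) & MASK32

def _round_keys(k: int) -> list:
    kk = ((k << 16) | k) & MASK32     # 16-bit key expanded to 32 bits
    keys = []
    for _ in range(4):
        keys.append(kk)
        kk = _rotl32(kk, 5)
    return keys

def toy_encrypt(k: int, x: int) -> int:
    """Constructed toy cipher: four rounds of XOR key, multiply, rotate."""
    for kk in _round_keys(k):
        x = _rotl32(((x ^ kk) * MULT) & MASK32, 7)
    return x

def toy_decrypt(k: int, y: int) -> int:
    """Undo the rounds in reverse order (multiply by the inverse constant)."""
    for kk in reversed(_round_keys(k)):
        y = ((_rotr32(y, 7) * MULT_INV) & MASK32) ^ kk
    return y

def double_encrypt(k1: int, k2: int, x: int) -> int:
    """y = C''_{k2}(C'_{k1}(x)) with C' = C'' = the toy cipher."""
    return toy_encrypt(k2, toy_encrypt(k1, x))

def meet_in_the_middle(pairs, keyspace=range(1 << 16)) -> list:
    """Slide algorithm: table z = C'_{k1}(x) for every k1, then for every k2
    look up z = C''^{-1}_{k2}(y). Candidates are kept only if they also map
    the remaining pairs correctly."""
    x0, y0 = pairs[0]
    table = {}
    for k1 in keyspace:
        table.setdefault(toy_encrypt(k1, x0), []).append(k1)
    found = []
    for k2 in keyspace:
        z = toy_decrypt(k2, y0)
        for k1 in table.get(z, ()):
            if all(double_encrypt(k1, k2, x) == y for x, y in pairs[1:]):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xbeef                 # constructed secret key pair
    xs = [0x01234567, 0x89abcdef]
    pairs = [(x, double_encrypt(k1, k2, x)) for x in xs]
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```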


The Cryptographic Trilogy

(Figure:) Message X → (channel, observed and possibly altered by the Adversary) → X

Confidentiality (C): only the legitimate receiver can get X

Authentication + Integrity (A+I): only the legitimate sender can insert X and the received message must be equal to X

SV 2007 Basic Crypto EPFL-SSC 152 / 528

3 Chapter 3: Dedicated Conventional Cryptographic Primitives
The Cryptographic Trilogy
Cryptographic Hash Functions
Brute Force Attacks
Authentication Codes
Pseudorandom Generators
Summary

SV 2007 Basic Crypto EPFL-SSC 151 / 528

Chapter Content

Hash functions: MD5, SHA, SHA-1

Generic attack against hash functions: Birthday paradox

⋆Analysis of hash functions: dedicated attack against MD4

Message Authentication Codes: CBC-MAC, HMAC

⋆Pseudorandom generator: congruential generator

SV 2007 Basic Crypto EPFL-SSC 150 / 528

3 Chapter 3: Dedicated Conventional Cryptographic Primitives

SV 2007 Basic Crypto EPFL-SSC 149 / 528


Confidentiality

(Figure:) a Generator delivers the Key to both ends; Message → Encrypt → (CONFIDENTIAL channel, observed by the Adversary) → Decrypt → Message

SV 2007 Basic Crypto EPFL-SSC 156 / 528

Confidentiality vs Integrity and Authentication

Non-authenticated but confidential: the adversary cannot read a sent message, but she can insert a message so that the receiver can receive an X of her choice

Non-integer but authenticated and confidential: the adversary cannot insert a message of her choice but can modify a sent message so that the receiver will receive some X′ related to X by some known relation, even though the adversary does not learn X and X′

Example: the adversary can replace X by X ⊕ ∆ for a ∆ of her choice even though she cannot get any information about X
→ malleability

Authenticated, integer and confidential: the adversary cannot get any information nor modify a sent message. She can still, in principle, replay them, or remove them.

SV 2007 Basic Crypto EPFL-SSC 155 / 528

Authentication vs Integrity

Non-integer but authenticated: the adversary cannot insert a message of her choice but can modify a sent message X
→ malleability

Integer and authenticated: the adversary cannot insert nor modify sent messages but can still, in principle, replay them or remove them

We will assume that authentication implicitly includes integrity

SV 2007 Basic Crypto EPFL-SSC 154 / 528

Authentication and Integrity

Peer integrity: we make sure that the peer cannot be corrupted

Peer authentication: we make sure whom we are talking to

Message authentication: we make sure about who sent the message

Message integrity: we make sure that the received message is equal to the sent one

4 different notions

In this chapter we concentrate on message authentication and message integrity
(Peer authentication will be addressed in Chapter 5)

SV 2007 Basic Crypto EPFL-SSC 153 / 528


A Swiss Army Knife Cryptographic Primitive

Domain extender: hash bitstrings of arbitrary length into bitstrings of fixed length.
    Application: instead of specifying digital signature algorithms on the set of bitstrings of arbitrary length, we specify them on bitstrings of fixed length and use the hash-and-sign paradigm.

Commitment: “uniquely” characterizes a bitstring without revealing information on it.
    Application: commitment which is binding and hiding.

Pseudorandom generator: generate bitstrings from seeds which are unpredictable.
    Application: generation of cryptographic keys from a seed.

SV 2007 Basic Crypto EPFL-SSC 160 / 528

3 Chapter 3: Dedicated Conventional Cryptographic Primitives
The Cryptographic Trilogy
Cryptographic Hash Functions
Brute Force Attacks
Authentication Codes
Pseudorandom Generators
Summary

SV 2007 Basic Crypto EPFL-SSC 159 / 528

Authenticity

(Figure:) a Generator delivers the Key to both ends over a CONFIDENTIAL channel; Message X → MAC → (X, c) → (AUTHENTICATED, INTEGER channel, observed by the Adversary) → (X, c) → Check → ok? → Message X

SV 2007 Basic Crypto EPFL-SSC 158 / 528

Integrity

(Figure:) Message → Hash → Digest, sent over an INTEGER channel; the received Message → Hash → Compare with the Digest → ok?; the Adversary observes the message channel

SV 2007 Basic Crypto EPFL-SSC 157 / 528


Using Commitment

(Figure:) x → Commit → c (sent), the Key being kept by the committer; (delay); Key → Open → x

SV 2007 Basic Crypto EPFL-SSC 164 / 528

Commitment Scheme

commit:   pick r at random, c = h(x || r)
          -- c -->                      store c
          <---------- ... ---------->
open:     -- x, r -->                   check h(x || r) = c

SV 2007 Basic Crypto EPFL-SSC 163 / 528

Threat Models for Hash Functions

Collision attack: find x and x′ such that x ≠ x′ and h(x) = h(x′).

First preimage attack: given y find x such that y = h(x).

Second preimage attack: given x find x′ such that x ≠ x′ and h(x) = h(x′).

SV 2007 Basic Crypto EPFL-SSC 162 / 528

Security Properties for Hash Functions

Collision resistance: hash function h for which it is hard to find x and x′ such that h(x) = h(x′) and x ≠ x′.
→ digital fingerprint of the bitstring

One-wayness: hash function h for which, given y, it is hard to find even one x such that y = h(x).
→ witness for a password

Pseudo-randomness: hash function h such that for any given f and g_i = h(f^i(x)) for i = 0, . . . , n−1, with a random (unknown) x such that f^i(x) is not cycling, it is hard to predict h(f^n(x)).
→ pseudo-random generation

SV 2007 Basic Crypto EPFL-SSC 161 / 528


Encryption to Hashing

On-line hashing:

the message is padded following the Merkle–Damgård scheme;

each block is processed using an encryption function C in a feedback mode according to the Davies–Meyer scheme.

(Figure: the 128-bit initial value enters the first C block; each 512-bit message block, and finally the padded last block, keys one C block whose output is added (+) to its input chaining value; the final 128-bit value is the digest.)

SV 2007 Basic Crypto EPFL-SSC 168 / 528

Cryptographic Hashing

(Figure:) message → MD5 → 128 bits

“Message Digest” (MD) devised by Ronald Rivest

“Secure Hash Algorithm” (SHA) standardized by NIST

MD4 in 1990 (128-bit digest)

MD5 in 1991 (128-bit digest), published as RFC 1321 in 1992

SHA in 1993 (160-bit digest) (now obsolete)

SHA-1 in 1995 (160-bit digest)

SHA256, SHA384, SHA512 in 2002 (256-, 384-, and 512-bit digest)

SV 2007 Basic Crypto EPFL-SSC 167 / 528

Scenarios for Threat Models

Substitution in the integrity check process → second preimage attack

Substitution in a commitment scheme → collision attack

Information retrieval in a commitment scheme → first preimage attack

SV 2007 Basic Crypto EPFL-SSC 166 / 528

Application Example: Playing Dice

Alice                                          Bob
pick x ∈ {1, . . . , 6}    -- commit(x) -->
                           <-- y --            pick y ∈ {1, . . . , 6}
                           -- open -->         verify
z = 1 + ((x + y) mod 6)                        z = 1 + ((x + y) mod 6)
output: z                                      output: z

SV 2007 Basic Crypto EPFL-SSC 165 / 528
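As an added example (not code from the slides), the commitment c = h(x || r) of the commitment slide and the dice protocol built on it, with checks for the binding and hiding properties the threat-model slides refer to; SHA-256 stands in for h (an assumption, the slides do not fix the hash function) and x is encoded on one byte:

```python
# Added example, not from the slides: the hash-based commitment c = h(x || r)
# from the commitment slide and the dice protocol built on it. SHA-256 stands
# in for h (an assumption; the slides do not fix the hash function), and x is
# encoded on one byte.
import hashlib
import os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def commit(x: int, r: bytes = None):
    """Alice: pick r at random (16 bytes here), send c = h(x || r); keep r."""
    r = os.urandom(16) if r is None else r
    return h(bytes([x]) + r), r

def open_commitment(c: bytes, x: int, r: bytes) -> bool:
    """Bob: accept the opening (x, r) iff h(x || r) equals the stored c."""
    return h(bytes([x]) + r) == c

def play_dice(x: int, y: int, r: bytes = None):
    """Alice commits to x, Bob answers y, Alice opens, both output
    z = 1 + ((x + y) mod 6). Returns None if a check fails."""
    if not (1 <= x <= 6 and 1 <= y <= 6):
        return None
    c, r = commit(x, r)                    # Alice -> Bob: commit(x)
    stored = c                             # Bob stores c, then picks y
    if not open_commitment(stored, x, r):  # Alice -> Bob: open; Bob verifies
        return None
    return 1 + ((x + y) % 6)

def cheating_alice_succeeds(x: int, x_new: int, r: bytes) -> bool:
    """Binding: after seeing y, can Alice open her commitment to x as x_new
    with the same r? Only by a second preimage of h(x || r), so this is False."""
    c, r = commit(x, r)
    return open_commitment(c, x_new, r)

def recover_without_nonce(c_no_nonce: bytes):
    """Hiding needs r: with c = h(x) alone, the six possible x make the first
    preimage search trivial, so Bob would learn x before choosing y."""
    for x in range(1, 7):
        if h(bytes([x])) == c_no_nonce:
            return x
    return None

if __name__ == "__main__":
    print("z =", play_dice(3, 5))
    print("x recovered from unsalted commitment:", recover_without_nonce(h(bytes([5]))))
```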


Proof of Merkle–Damgård Theorem - Case 2

(Figure: two Merkle–Damgård chains starting from IV, one over the blocks X1, . . . , Xm of X ending with pad, the other over X′1, . . . , X′n of X′ ending with pad′, with X ≠ X′ of different lengths and the same final digest.)

C′(H_m, X_m) = C′(H′_n, X′_n)

(the padded last blocks X_m and X′_n contain the two different lengths, so (H_m, X_m) ≠ (H′_n, X′_n) and this is a collision on C′)

SV 2007 Basic Crypto EPFL-SSC 172 / 528

Proof of Merkle–Damgård Theorem - Case 1

(Figure: two chains of the same length n, over X1, . . . , Xn and X′1, . . . , X′n, both ending with pad, with X ≠ X′ and the same final digest.)

C′(H_i, X_i) = C′(H′_i, X′_i)

where i is the last index such that H_i ≠ H′_i or X_i ≠ X′_i

SV 2007 Basic Crypto EPFL-SSC 171 / 528

Merkle–Damgård Theorem

Theorem (Merkle–Damgård 1989)

We construct a cryptographic hash function h from a compression function C′ by using the Merkle–Damgård scheme. If the compression function C′ is collision-resistant, then the hash function h is collision-resistant as well.

Proof.
Case 1: messages of same length
Case 2: messages of different length

SV 2007 Basic Crypto EPFL-SSC 170 / 528

Merkle–Damgård’s Extension

pad = 1 || 0 . . . 0 || length (64 bits)

(Figure: the 128-bit initial value enters the first C′ block; each 512-bit message block, and finally the padded last block, is compressed by C′ together with the previous chaining value; the final 128-bit value is the digest.)

SV 2007 Basic Crypto EPFL-SSC 169 / 528


Implementation of MD5 Compression

Input: an initial hash a, b, c, d, a message block x0, . . . , x15
Output: a hash a, b, c, d
1: for i = 1 to 4 do
2:     for j = 0 to 15 do
3:         t ← ROTL_{α_{i,j}}(a + f_i(b, c, d) + x_{σ_i(j)} + k_{i,j}) + b
4:         a ← d
5:         d ← c
6:         c ← b
7:         b ← t
8:     end for
9: end for
10: a ← a + a_initial
11: b ← b + b_initial
12: c ← c + c_initial
13: d ← d + d_initial

SV 2007 Basic Crypto EPFL-SSC 176 / 528

The B^i_j Boxes

(Figure: box B^i_j takes the message word x and the registers a, b, c, d and outputs the updated registers.)

ROTL_{α_{i,j}}(a + f_i(b, c, d) + x + k_{i,j}) + b

f_i are bit-wise boolean functions:

f1(b, c, d) = if b then c else d

f2(b, c, d) = if d then b else c

f3(b, c, d) = b XOR c XOR d

f4(b, c, d) = c XOR (b AND (NOT d))

SV 2007 Basic Crypto EPFL-SSC 175 / 528

The MD5 Encryption Function [RFC1321]

For i = 1 to 4:

(Figure: the registers A, B, C, D pass through the sixteen boxes B^i_0, B^i_1, . . . , B^i_15 in sequence; the sixteen 32-bit words of the message BLOCK are fed to the boxes in the order given by σ_i.)

SV 2007 Basic Crypto EPFL-SSC 174 / 528

Davies–Meyer Scheme

(Figure: the block cipher C is keyed by the sixteen 32-bit words of the message block and encrypts the chaining value A, B, C, D; its four 32-bit outputs are added (+) to A, B, C, D to give the new chaining value.)

+ is addition modulo 2^32.

SV 2007 Basic Crypto EPFL-SSC 173 / 528
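As an added example (not code from the slides), MD5 written from the compression loop of the "Implementation of MD5 Compression" slide with the Merkle–Damgård padding, checked against hashlib; the rotation amounts α, word orders σ and constants k are those of RFC 1321, and the code uses the RFC 1321 definition of f4, c XOR (b OR NOT d):

```python
# Added example, not from the slides: MD5 written from the compression loop on
# the "Implementation of MD5 Compression" slide plus Merkle–Damgård padding.
# The rotation amounts alpha, the word orders sigma and the constants k are
# those of RFC 1321; the output is checked against hashlib. Note that RFC 1321
# defines f4 as c XOR (b OR NOT d), which is what the code uses.
import hashlib
import math
import struct

MASK = 0xffffffff
ALPHA = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
         + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
F = [lambda b, c, d: (b & c) | (~b & d),          # f1: if b then c else d
     lambda b, c, d: (d & b) | (~d & c),          # f2: if d then b else c
     lambda b, c, d: b ^ c ^ d,                   # f3
     lambda b, c, d: (c ^ (b | ~d)) & MASK]       # f4 (RFC 1321 form)

def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK

def _sigma(i: int, j: int) -> int:
    """Message-word order per round: j, 5j+1, 3j+5, 7j (mod 16)."""
    return (j, (5 * j + 1) % 16, (3 * j + 5) % 16, (7 * j) % 16)[i]

def md5_compress(h: list, block: bytes) -> list:
    """One Davies–Meyer step: 64 box applications, then add the initial hash."""
    a, b, c, d = h
    x = struct.unpack("<16I", block)
    for i in range(4):
        for j in range(16):
            t = (a + F[i](b, c, d) + x[_sigma(i, j)] + K[16 * i + j]) & MASK
            t = (_rotl(t, ALPHA[16 * i + j]) + b) & MASK
            a, d, c, b = d, c, b, t
    return [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]

def md_pad(msg: bytes, byteorder: str) -> bytes:
    """Merkle–Damgård strengthening: a 1 bit, zeros up to 56 mod 64 bytes, and
    the 64-bit message length in bits (little-endian for MD5)."""
    length = (8 * len(msg)).to_bytes(8, byteorder)
    return msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + length

def md5(msg: bytes) -> bytes:
    h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
    data = md_pad(msg, "little")
    for off in range(0, len(data), 64):
        h = md5_compress(h, data[off:off + 64])
    return struct.pack("<4I", *h)

def matches_hashlib(msg: bytes) -> bool:
    return md5(msg) == hashlib.md5(msg).digest()

if __name__ == "__main__":
    print(md5(b"abc").hex())   # 900150983cd24fb0d6963f7d28e17f72
```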


From MD5 to MD4

like MD5 (128 bits, 4 registers, basic key schedule)

new round function

(Figure:) A, B, C, D → D, ROTL_{α_{i,j}}(A + f_i(B, C, D) + x_{σ_i(j)} + k_i), B, C

3 rounds, other functions

f1(b, c, d) = if b then c else d

f2(b, c, d) = majority(b, c, d)

f3(b, c, d) = b XOR c XOR d

SV 2007 Basic Crypto EPFL-SSC 180 / 528

From SHA-1 to SHA

SHA-1 followed SHA

linear expansion in the key schedule: for i = 16, . . . , 79
x_i = (x_{i−3} XOR x_{i−8} XOR x_{i−14} XOR x_{i−16})

no justification

reverse-engineered by Chabaud and Joux

SV 2007 Basic Crypto EPFL-SSC 179 / 528

Implementation of SHA-1 Compression

Input: an initial hash a, b, c, d, e, a message block x0, . . . , x15
Output: a hash a, b, c, d, e
1: for i = 16 to 79 do
2:     x_i ← ROTL_1(x_{i−3} XOR x_{i−8} XOR x_{i−14} XOR x_{i−16})
3: end for
4: for i = 1 to 4 do
5:     for j = 0 to 19 do
6:         t ← ROTL_5(a) + f_i(b, c, d) + e + x_{20(i−1)+j} + k_i
7:         e ← d
8:         d ← c
9:         c ← ROTL_30(b)
10:        b ← a
11:        a ← t
12:    end for
13: end for
14: a ← a + a_initial
15: b ← b + b_initial
16: c ← c + c_initial
17: d ← d + d_initial
18: e ← e + e_initial

SV 2007 Basic Crypto EPFL-SSC 178 / 528

From MD5 to SHA-1 [FIPS 180–2]

128 to 160 bits (5 registers)

linear expansion in the key schedule: for i = 16, . . . , 79
x_i = ROTL(x_{i−3} XOR x_{i−8} XOR x_{i−14} XOR x_{i−16})

new round function

(Figure:) A, B, C, D, E → ROTL_5(A) + f_i(B, C, D) + E + x_{20(i−1)+j} + k_i, A, ROTL_30(B), C, D

f1(b, c, d) = if b then c else d

f2(b, c, d) = b XOR c XOR d

f3(b, c, d) = majority(b, c, d)

f4(b, c, d) = b XOR c XOR d

SV 2007 Basic Crypto EPFL-SSC 177 / 528
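As an added example (not code from the slides), SHA-1 written from the "Implementation of SHA-1 Compression" slide with the big-endian Merkle–Damgård padding of FIPS 180-2 and checked against hashlib; the constants k_i are the FIPS ones, and a flag drops the ROTL_1 of the expansion to show the single difference from the original SHA that the "From SHA-1 to SHA" slide describes (that variant is not checked against a reference here):

```python
# Added example, not from the slides: SHA-1 from the "Implementation of SHA-1
# Compression" slide with the big-endian Merkle–Damgård padding of FIPS 180-2,
# checked against hashlib. The constants k_i are the FIPS ones. With
# rotate_expansion=False the ROTL_1 of the expansion is dropped, which is the
# difference between SHA-1 and the original SHA on the slide above.
import hashlib
import struct

MASK = 0xffffffff
K = [0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6]
F = [lambda b, c, d: (b & c) | (~b & d),            # f1: if b then c else d
     lambda b, c, d: b ^ c ^ d,                     # f2
     lambda b, c, d: (b & c) | (b & d) | (c & d),   # f3: majority
     lambda b, c, d: b ^ c ^ d]                     # f4

def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK

def sha1_compress(h: list, block: bytes, rotate_expansion: bool = True) -> list:
    x = list(struct.unpack(">16I", block))
    for i in range(16, 80):                          # linear expansion
        w = x[i - 3] ^ x[i - 8] ^ x[i - 14] ^ x[i - 16]
        x.append(_rotl(w, 1) if rotate_expansion else w)
    a, b, c, d, e = h
    for i in range(4):
        for j in range(20):
            t = (_rotl(a, 5) + F[i](b, c, d) + e + x[20 * i + j] + K[i]) & MASK
            a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return [(u + v) & MASK for u, v in zip(h, (a, b, c, d, e))]

def md_pad_be(msg: bytes) -> bytes:
    """Merkle–Damgård strengthening with a big-endian 64-bit bit length."""
    length = (8 * len(msg)).to_bytes(8, "big")
    return msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + length

def sha1(msg: bytes, rotate_expansion: bool = True) -> bytes:
    h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0]
    data = md_pad_be(msg)
    for off in range(0, len(data), 64):
        h = sha1_compress(h, data[off:off + 64], rotate_expansion)
    return struct.pack(">5I", *h)

def matches_hashlib(msg: bytes) -> bool:
    return sha1(msg) == hashlib.sha1(msg).digest()

if __name__ == "__main__":
    print(sha1(b"abc").hex())   # a9993e364706816aba3e25717850c26c9cd0d89d
```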


Birthday Paradox

Theorem

If we pick independent random numbers in {1, 2, . . . , N} with uniform distribution, θ√N times, we get at least one number twice with probability

    1 − N! / (N^{θ√N} (N − θ√N)!)  −→ (N → +∞)  1 − e^{−θ²/2}.

For N = 365, we obtain the following figures.

    θ√N           10     15     20     25     30     35     40
    θ             0.52   0.79   1.05   1.31   1.57   1.83   2.09
    probability   12%    25%    41%    57%    71%    81%    89%

SV 2007 Basic Crypto EPFL-SSC 184 / 528

Second Preimage Attack

Input: a cryptographic hash function h onto a domain of size N, an input x
Output: x′ such that x ≠ x′ and h(x) = h(x′)
1: compute h(x)
2: pick a random ordering of all inputs x1, x2, . . .
3: for all i such that x_i ≠ x do
4:     compute h(x_i)
5:     if h(x_i) = h(x) then
6:         yield x′ = x_i and stop
7:     end if
8: end for
9: search failed

SV 2007 Basic Crypto EPFL-SSC 183 / 528

3 Chapter 3: Dedicated Conventional Cryptographic Primitives
The Cryptographic Trilogy
Cryptographic Hash Functions
Brute Force Attacks
Authentication Codes
Pseudorandom Generators
Summary

SV 2007 Basic Crypto EPFL-SSC 182 / 528

Implementation of MD4 Compression

Input: an initial hash a, b, c, d, a message block x0, . . . , x15
Output: a hash a, b, c, d
1: for i = 1 to 3 do
2:     for j = 0 to 15 do
3:         t ← ROTL_{α_{i,j}}(a + f_i(b, c, d) + x_{σ_i(j)} + k_i)
4:         a ← d
5:         d ← c
6:         c ← b
7:         b ← t
8:     end for
9: end for
10: a ← a + a_initial
11: b ← b + b_initial
12: c ← c + c_initial
13: d ← d + d_initial

SV 2007 Basic Crypto EPFL-SSC 181 / 528


Collision Search II

Input: a cryptographic hash function h onto a domain of size N
Output: a pair (x, x′) such that x ≠ x′ and h(x) = h(x′)
1: repeat
2:     pick a (new) random x
3:     compute y = h(x)
4:     insert (y, x) in the hash table
5: until there is already another (y, x′) pair in the hash table
6: yield (x, x′)

SV 2007 Basic Crypto EPFL-SSC 188 / 528

Collision Search I

Input: a cryptographic hash function h onto a domain of size N
Output: a pair (x, x′) such that x ≠ x′ and h(x) = h(x′)
1: for θ√N many different x do
2:     compute y = h(x)
3:     if there is a (y, x′) pair in the hash table then
4:         yield (x, x′) and stop
5:     end if
6:     insert (y, x) in the hash table
7: end for
8: search failed

SV 2007 Basic Crypto EPFL-SSC 187 / 528
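As an added example (not code from the slides), the birthday probability of the theorem and its limit 1 − e^{−θ²/2}, reproducing the N = 365 table, together with both collision-search algorithms run on a small hash; h is assumed to be SHA-256 truncated to n bits (so N = 2^n) and the "random" inputs are distinct 8-byte counters:

```python
# Added example, not from the slides: the birthday probability of the theorem,
# its limit 1 - e^(-theta^2/2), and the two collision-search algorithms run on
# a small hash. The hash h is assumed to be SHA-256 truncated to n bits (so
# N = 2^n) and the "random" inputs are distinct counters encoded on 8 bytes.
import hashlib
import math

def birthday_probability(N: int, k: int) -> float:
    """Exact P[at least one repeat] among k uniform picks from N values:
    1 - N! / (N^k (N - k)!), evaluated as a running product."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (N - i) / N
    return 1 - p_distinct

def birthday_limit(theta: float) -> float:
    """Limit of the theorem for k = theta * sqrt(N) as N -> infinity."""
    return 1 - math.exp(-theta ** 2 / 2)

def truncated_hash(x: bytes, n_bits: int) -> int:
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - n_bits)

def collision_search_i(n_bits: int, theta: float):
    """Collision search I: theta*sqrt(N) inputs, stop at the first repeat
    (returns (x, x')), or None when the search fails."""
    tries = int(theta * math.sqrt(1 << n_bits))
    table = {}
    for i in range(tries):
        x = i.to_bytes(8, "big")
        y = truncated_hash(x, n_bits)
        if y in table:
            return table[y], x
        table[y] = x
    return None

def collision_search_ii(n_bits: int, start: int = 0):
    """Collision search II: draw new inputs until the table already holds y.
    Returns (x, x', number of inputs hashed); expected about sqrt(pi N / 2)."""
    table = {}
    i = start
    while True:
        x = i.to_bytes(8, "big")
        y = truncated_hash(x, n_bits)
        if y in table:
            return table[y], x, len(table) + 1
        table[y] = x
        i += 1

if __name__ == "__main__":
    for k in (10, 15, 20, 25, 30, 35, 40):
        print(k, round(100 * birthday_probability(365, k)), "%")
    x, x2, tries = collision_search_ii(24)
    print("24-bit collision after", tries, "hashes; expected about",
          round(math.sqrt(math.pi * 2 ** 24 / 2)))
```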

Birthday Paradox - Proof — ii

We now use log(1 − ε) = −ε − ε²/2 + o(ε²)

    1 − p ∼ exp[ −θ√N + (−N + θ√N) log(1 − θ/√N) ]
          ∼ exp[ −θ²/2 + o(1) ]
          −→ e^{−θ²/2}

SV 2007 Basic Crypto EPFL-SSC 186 / 528

Birthday Paradox - Proof — i

Proof. We use the Stirling Approximation

$$n! \underset{n\to+\infty}{\sim} \sqrt{2\pi n}\, e^{-n} n^n$$

We have

$$1 - p = \frac{N!}{N^{\theta\sqrt{N}}\,\left(N - \theta\sqrt{N}\right)!} \sim \left(1 - \frac{\theta}{\sqrt{N}}\right)^{-N+\theta\sqrt{N}} e^{-\theta\sqrt{N}} = \exp\left[-\theta\sqrt{N} + \left(-N + \theta\sqrt{N}\right)\log\left(1 - \frac{\theta}{\sqrt{N}}\right)\right]$$

SV 2007 Basic Crypto EPFL-SSC 185 / 528


Authentication Channel

[Figure: authentication channel. A key generator delivers the key to both ends over a confidential and authenticated channel. Sender: Message X → MAC → (X, c). Receiver: (X, c) → Check → ok? → Message X. The adversary sits on the channel carrying (X, c).]

SV 2007 Basic Crypto EPFL-SSC 192 / 528

3 Chapter 3: Dedicated Conventional Cryptographic Primitives
The Cryptographic Trilogy
Cryptographic Hash Functions
Brute Force Attacks
Authentication Codes
Pseudorandom Generators
Summary

SV 2007 Basic Crypto EPFL-SSC 191 / 528

Summary of Generic Attacks

if we hash onto n bits (N = 2^n)

attack           | complexity
preimage attack  | 2^n
collision attack | 2^{n/2}

SV 2007 Basic Crypto EPFL-SSC 190 / 528

Collision Search Complexity

strategy            | memory      | time        | success proba.
collision search I  | θ√N         | θ√N         | 1 − e^{−θ²/2}
collision search II | √(π/2) × √N | √(π/2) × √N | 1

SV 2007 Basic Crypto EPFL-SSC 189 / 528


HMAC [RFC 2104]

[Figure: HMAC. The key is padded with zeros (key||0···0) and XORed with ipad; the result is prepended to the message and hashed with H. The digest is prepended to key ⊕ opad and hashed again with H; the output is truncated (trunc) to give the MAC.]

SV 2007 Basic Crypto EPFL-SSC 196 / 528

Hashing to Authentication: HMAC [RFC 2104]

Computing the MAC of t bytes for a message X with a key K using a Merkle-Damgård hash function with block size B bytes and digest size L bytes (t = L by default). E.g. H = SHA-1, B = 64, L = 20.

1 If K has more than B bytes, we first replace K by H(K). (Having a key of such a long size does not increase the security.)

2 We append zero bytes to the right of K until it has exactly B bytes.

3 We compute H((K ⊕ opad) || H((K ⊕ ipad) || X))

where ipad and opad are two fixed bitstrings of B bytes. The ipad consists of B bytes equal to 0x36 in hexadecimal. The opad consists of B bytes equal to 0x5c in hexadecimal.

4 We truncate the result to its t leftmost bytes. We obtain HMAC_K(X).

SV 2007 Basic Crypto EPFL-SSC 195 / 528
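The four steps above written out on top of hashlib, with B and L read from the hash object (B = 64, L = 20 for SHA-1 as on the slide). This is an added example, not code from the lecture notes; the key/message pairs used for checking are the RFC 2202 vectors plus constructed inputs, and hmac_verify's constant-time comparison is a practitioner's addition, not part of the RFC 2104 description.

```python
"""HMAC exactly as the four steps of RFC 2104 on the slide, on top of hashlib.

Added example, not part of the original lecture notes.
"""
import hashlib
import hmac as stdlib_hmac

IPAD_BYTE = 0x36   # ipad = B bytes of 0x36
OPAD_BYTE = 0x5C   # opad = B bytes of 0x5c


def hmac_rfc2104(key, message, hash_name="sha1", t=None):
    """Return HMAC_K(X) truncated to its t leftmost bytes (t = L by default)."""
    probe = hashlib.new(hash_name)
    B, L = probe.block_size, probe.digest_size   # block size / digest size in bytes

    def H(data):
        return hashlib.new(hash_name, data).digest()

    if t is None:
        t = L
    if not 1 <= t <= L:
        raise ValueError("t must be between 1 and the digest size L")

    # step 1: a key longer than B bytes is replaced by H(K)
    if len(key) > B:
        key = H(key)
    # step 2: zero bytes are appended on the right until K has exactly B bytes
    key = key + bytes(B - len(key))
    # step 3: H((K xor opad) || H((K xor ipad) || X))
    k_ipad = bytes(k ^ IPAD_BYTE for k in key)
    k_opad = bytes(k ^ OPAD_BYTE for k in key)
    inner = H(k_ipad + message)
    outer = H(k_opad + inner)
    # step 4: keep the t leftmost bytes
    return outer[:t]


def hmac_verify(key, message, tag, hash_name="sha1"):
    """Check a (possibly truncated) tag; compare_digest avoids a timing leak."""
    try:
        expected = hmac_rfc2104(key, message, hash_name, t=len(tag))
    except ValueError:                       # tag longer than the digest
        return False
    return stdlib_hmac.compare_digest(expected, tag)


def matches_stdlib(key, message, hash_name="sha1"):
    """Cross-check against Python's hmac module, which implements the same RFC."""
    reference = stdlib_hmac.new(key, message, hash_name).digest()
    return hmac_rfc2104(key, message, hash_name) == reference
```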

Strong Adversarial Model

[Figure: strong adversarial model. The adversary submits messages Xi of its choice to the MAC oracle and receives the tags ci; it finally outputs (X, c).]

the adversary can request the authentication of several messages

the goal of the adversary is to output a valid (X ,c) pair

the output X must not have been requested to the oracle

SV 2007 Basic Crypto EPFL-SSC 194 / 528

Weak Adversarial Model

[Figure: weak adversarial model. The adversary obtains pairs (Xi, ci) produced by the MAC and finally outputs (X, c).]

the adversary can request the authentication of several messages

the goal of the adversary is to output a valid (X ,c) pair

the output X must not have been requested to the oracle

SV 2007 Basic Crypto EPFL-SSC 193 / 528


CBCMAC - (A Bad MAC)

[Figure: CBCMAC. Blocks x1, x2, x3, ..., xn are chained: each block is XORed with the previous output and encrypted with C_K; the last output is the MAC.]

SV 2007 Basic Crypto EPFL-SSC 200 / 528

Security Proof by Simulation

If we have an adversary for the big MAC, we construct an adversary for the small MAC by simulation:

[Figure: simulation. The simulator picks K1. Each query Xi from the big-MAC adversary is forwarded as H(K1||Xi) to the small-MAC oracle, whose answer ci is passed back to the adversary; the adversary's final (X, c) is output as (H(K1||X), c).]

If H(K1||X) ≠ H(K1||Xi) for all i, then we have a message forgery. Otherwise we have a collision!

SV 2007 Basic Crypto EPFL-SSC 199 / 528

Security of (Ideal) HMAC

Theorem (Bellare-Canetti-Krawczyk 1996)

Let H be a hash function which hashes onto ℓ bits following the Merkle-Damgård scheme. We consider keys K1, K2 in {0,1}^ℓ. We assume that

H is collision resistant;

X ↦ H(K2||X) is a secure MAC function over the space {0,1}^ℓ of messages with a fixed length ℓ.

The following algorithm is a secure MAC function over the space of messages with arbitrary length.

X ↦ MAC_{K1,K2}(X) = H(K2||H(K1||X))

Provided that we cannot distinguish HMAC from this MAC, HMAC is a secure MAC as well.

SV 2007 Basic Crypto EPFL-SSC 198 / 528

Examples

     | algo         | hash | B  | L  | t
TLS  | MD5          | MD5  | 64 | 16 | 16
TLS  | SHA          | SHA1 | 64 | 20 | 20
SSH  | hmac-md5     | MD5  | 64 | 16 | 16
SSH  | hmac-md5-96  | MD5  | 64 | 16 | 12
SSH  | hmac-sha1    | SHA1 | 64 | 20 | 20
SSH  | hmac-sha1-96 | SHA1 | 64 | 20 | 12

SV 2007 Basic Crypto EPFL-SSC 197 / 528


ISO/IEC 9797 - (An Even Better CBCMAC Variant)

[Figure: ISO/IEC 9797. Blocks x1, x2, x3, ..., xn are chained through C_K1 as in CBCMAC; the final output is encrypted with C_K2 and truncated (trunc) to give the MAC.]

SV 2007 Basic Crypto EPFL-SSC 204 / 528

Birthday Attack on EMAC

First submit many messages until we get two messages X1 and X2 such that MAC(X1) = MAC(X2) by using the birthday paradox.

X1          MAC(X1) = c
X2          MAC(X2) = c
B = random
X3 = X1||B  MAC(X3) = c′
X4 = X2||B  MAC(X4) = c′

SV 2007 Basic Crypto EPFL-SSC 203 / 528

EMAC (Encrypted MAC) - (A Better CBCMAC Variant)

[Figure: EMAC. Blocks x1, x2, x3, ..., xn are chained through C_K1 as in CBCMAC; the final output is encrypted once more with C_K2 to give the MAC.]

SV 2007 Basic Crypto EPFL-SSC 202 / 528

A MAC Forgery

X1 = random       MAC(X1) = c
X2 = random       MAC(X2) = c′
X3 = X1||B        MAC(X3) = C_K(c ⊕ B)
X4 = X2||B′       MAC(X4) = C_K(c′ ⊕ B′)
B′ = B ⊕ c ⊕ c′   MAC(X4) = MAC(X3)

SV 2007 Basic Crypto EPFL-SSC 201 / 528


CCM (Counter with CBC-MAC)

Roughly speaking:

1: let T = CBCMAC(message)
2: encrypt T||message in CTR mode

More precisely, the CCM mode is defined by

a block cipher which accepts 16-byte blocks

an even parameter M between 4 and 16 (size of the CBCMAC in bytes)

a parameter L between 2 and 8 (size of the length field in bytes)

SV 2007 Basic Crypto EPFL-SSC 208 / 528

Authenticated Modes of Operation

[Figure: authenticated mode of operation. A key generator delivers the key to both ends over a confidential and authenticated channel. The sender applies Enc/MAC to the message and a nonce; the receiver applies Dec/Check with the same nonce and outputs the message if the check is ok. The adversary sits on the channel.]

SV 2007 Basic Crypto EPFL-SSC 207 / 528

OMAC1

Cst1 = 0x00···02

Cst2 = 0x00···04

if the message length is not a multiple of the block length, pad it with a bit 1 and as many bits 0 as required to reach this length

if xn was not padded, take Cst = Cst1, otherwise take Cst = Cst2

L = C_K(0) (encryption of the zero block)

H_L(Cst1) is L shifted to the left by one bit, XOR the carry constant if any, and H_L(Cst2) = H_{H_L(Cst1)}(Cst1)

actually, H_L(x) = L × x using GF(2^n) arithmetic with carry constant 0x000000000000001b for 64-bit blocks and 0x00000000000000000000000000000087 for 128-bit blocks

SV 2007 Basic Crypto EPFL-SSC 206 / 528
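The subkey rule above (H_L as a shift with carry constant, and H_L(x) = L × x in general) together with the padding/Cst choice for the last block, as an added example that is not code from the lecture notes. No block cipher is run: L = C_K(0) is taken as an input, and the 128-bit value used for checking is the AES-CMAC L of RFC 4493; the message in the last-block demonstration is constructed.

```python
"""OMAC1 subkeys H_L(Cst) = L x Cst in GF(2^n) and the last-block rule of the slide.

Added example, not part of the original lecture notes. L is an input here
(the encryption of the zero block is not computed).
"""
CARRY_CONSTANT = {64: 0x1B, 128: 0x87}   # as given on the slide
CST1 = 0x02
CST2 = 0x04


def gf_double(v, n):
    """v x 0x02: shift left by one bit, XOR the carry constant if a bit fell off."""
    mask = (1 << n) - 1
    carried = (v >> (n - 1)) & 1
    return ((v << 1) & mask) ^ (CARRY_CONSTANT[n] if carried else 0)


def gf_mul(L, x, n):
    """H_L(x) = L x x in GF(2^n), shift-and-add over the bits of x."""
    result = 0
    while x:
        if x & 1:
            result ^= L
        x >>= 1
        L = gf_double(L, n)
    return result


def omac1_subkeys(L):
    """Return (H_L(Cst1), H_L(Cst2)) for a block of len(L) bytes."""
    n = 8 * len(L)
    l_int = int.from_bytes(L, "big")
    k1 = gf_mul(l_int, CST1, n)
    k2 = gf_mul(l_int, CST2, n)     # equals H_{H_L(Cst1)}(Cst1) = gf_double(k1, n)
    return k1.to_bytes(len(L), "big"), k2.to_bytes(len(L), "big")


def omac1_last_block(message, L):
    """Last block fed to C_K: padded (1 then 0s) if needed, XOR H_L(Cst).

    Cst1 is used when the last block was not padded, Cst2 otherwise; the
    empty message is padded to a full block and therefore uses Cst2.
    """
    blen = len(L)
    k1, k2 = omac1_subkeys(L)
    r = len(message) % blen
    if message and r == 0:
        last, cst_key = message[-blen:], k1
    else:
        last = message[len(message) - r:] + b"\x80" + bytes(blen - r - 1)
        cst_key = k2
    return bytes(a ^ b for a, b in zip(last, cst_key))
```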

OMAC (One-key CBC-MAC) - (Best CBCMAC Variant)

[Figure: OMAC. Blocks x1, x2, x3, ..., xn are chained through C_K as in CBCMAC; H_L(Cst) is XORed into the last block before the final encryption, and the output is truncated (trunc) to give the MAC.]

SV 2007 Basic Crypto EPFL-SSC 205 / 528


3 Chapter 3: Dedicated Conventional Cryptographic Primitives
The Cryptographic Trilogy
Cryptographic Hash Functions
Brute Force Attacks
Authentication Codes
Pseudorandom Generators
Summary

SV 2007 Basic Crypto EPFL-SSC 212 / 528

Processing with an Extra Data

If we wish to send X together with some protocol data a which also needs to be authenticated (e.g. a sequence number, an IP address, ...)

add a special bit in byte1 which tells that a is used

if a is between 1 and 65279 bytes, encode it on two bytes, make length(a)||a||pad′ where pad′ consists of enough zero bytes to reach the block boundary

insert it between B0 and B1 before the CBCMAC computation

SV 2007 Basic Crypto EPFL-SSC 211 / 528

CCM Processing

pad X with enough zero bytes to reach the block boundary

split X||pad as B1||···||Bn

make B0 = byte1||N||length(X) where byte1 encodes M and L

compute the CBCMAC of B0||B1||···||Bn, truncate it to M bytes, and get T

make Ai = byte2||N||i where byte2 encodes L

encrypt T||X by

Y = (T||X) ⊕ (trunc_M(C_K(A0)) || trunc(C_K(A1)||···||C_K(An)))

SV 2007 Basic Crypto EPFL-SSC 210 / 528
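The block formatting of the two slides above (B0, the encoded extra data a, the counter blocks Ai), as an added example that is not code from the lecture notes. The slide only says that byte1 encodes M, L and the "a is used" bit; the exact bit layout used here is the one of RFC 3610 (byte1 = 0 | Adata | M′ | L′ with M′ = (M − 2)/2 and L′ = L − 1, byte2 = L′, nonce of 15 − L bytes), and the values checked are RFC 3610 packet vector 1, which need no key since no cipher is run.

```python
"""CCM block formatting: B0, the extra-data encoding and the counter blocks Ai.

Added example, not part of the original lecture notes. Only the blocks that
feed CBCMAC and CTR are built; the block cipher itself is not run.
"""
BLOCK = 16


def _check_params(M, L, nonce):
    if M % 2 or not 4 <= M <= 16:
        raise ValueError("M must be even and between 4 and 16")
    if not 2 <= L <= 8:
        raise ValueError("L must be between 2 and 8")
    if len(nonce) != 15 - L:
        raise ValueError("nonce must have 15 - L bytes")


def ccm_b0(nonce, msg_len, M, L, has_adata):
    """B0 = byte1 || N || length(X); byte1 encodes M, L and the 'a is used' bit."""
    _check_params(M, L, nonce)
    if msg_len >= 1 << (8 * L):
        raise ValueError("message too long for an L-byte length field")
    byte1 = (int(has_adata) << 6) | (((M - 2) // 2) << 3) | (L - 1)
    return bytes([byte1]) + nonce + msg_len.to_bytes(L, "big")


def ccm_encode_adata(a):
    """length(a) || a || pad' for 1 <= len(a) <= 65279 (the two-byte form on the slide)."""
    if not 1 <= len(a) <= 0xFEFF:
        raise ValueError("only the two-byte length encoding is handled here")
    enc = len(a).to_bytes(2, "big") + a
    return enc + bytes(-len(enc) % BLOCK)   # zero bytes up to the block boundary


def ccm_counter_block(nonce, i, L):
    """Ai = byte2 || N || i with byte2 = L - 1 (A0 masks T, A1.. encrypt X)."""
    if not 2 <= L <= 8 or len(nonce) != 15 - L:
        raise ValueError("inconsistent L / nonce length")
    return bytes([L - 1]) + nonce + i.to_bytes(L, "big")


def ccm_mac_input(nonce, message, adata, M, L):
    """B0 || [encoded a] || B1 || ... || Bn: the exact input to the CBCMAC."""
    blocks = ccm_b0(nonce, len(message), M, L, bool(adata))
    if adata:
        blocks += ccm_encode_adata(adata)   # inserted between B0 and B1
    blocks += message + bytes(-len(message) % BLOCK)
    return blocks
```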

CCM

[Figure: CCM. The message, its padding and the nonce form the head and body fed to CBC-MAC under the key; the tag is truncated and, together with the message, XORed with the CTR keystream derived from the nonce under the same key.]

SV 2007 Basic Crypto EPFL-SSC 209 / 528


3 Chapter 3: Dedicated Conventional Cryptographic Primitives
The Cryptographic Trilogy
Cryptographic Hash Functions
Brute Force Attacks
Authentication Codes
Pseudorandom Generators
Summary

SV 2007 Basic Crypto EPFL-SSC 216 / 528

A Few Examples

stream ciphers: RC4, A5/1, ...

block ciphers with OFB or CTR mode of operation

finite automaton with an internal state (clock, key, Seed):

J = Enc(time)

r = Enc(J ⊕ Seed)

and the seed is replaced by

NextSeed = Enc(J ⊕ r)

SV 2007 Basic Crypto EPFL-SSC 215 / 528

Famous Failure Cases

The early version of SSL (Wagner): there was not enough effective entropy used in the generation of the session secret key

DSA (Bleichenbacher): the 160-bit random number was reduced modulo a 160-bit prime number q so that the final distribution was biased

SV 2007 Basic Crypto EPFL-SSC 214 / 528

Adversarial Model

[Figure: the generator outputs r1, ..., rd to the adversary, who must output r_{d+1}.]

the goal of the adversary is to predict the next generation (e.g. by finding an internal state)

SV 2007 Basic Crypto EPFL-SSC 213 / 528


Conclusion

New cryptographic problems: message integrity, commitment, message authentication, unpredictability

Dedicated cryptographic primitives

Dedicated constructions based on combinatorics

Well identified generic attacks

SV 2007 Basic Crypto EPFL-SSC 220 / 528

Dedicated Primitives and Reductions

[Figure: reductions between dedicated primitives. Block ciphers give hash functions (DM + MD schemes), stream ciphers (OFB, CTR modes) and MACs (CBCMAC); hash functions give MACs (HMAC); WC MAC is a further MAC construction.]

SV 2007 Basic Crypto EPFL-SSC 219 / 528

Generic Attacks

primitive     | attack          | complexity  | parameter n
encryption    | key recovery    | Θ(2^n)      | key length
hash function | preimage attack | Θ(2^n)      | hash length
hash function | collision       | Θ(2^{n/2})  | hash length
MAC           | key recovery    | Θ(2^n)      | key length

SV 2007 Basic Crypto EPFL-SSC 218 / 528

Conventional Primitives

goal                  | primitive
confidentiality       | encryption
integrity, commitment | hash function
authentication        | MAC
unpredictability      | pseudorandom generator

SV 2007 Basic Crypto EPFL-SSC 217 / 528


5 Chapter 5: Security Protocols with Conventional Cryptography

SV 2007 Basic Crypto EPFL-SSC 224 / 528

Conclusion of Chapters 2–4

Conventional cryptographic primitives are efficient

Conventional cryptographic primitives are robust

Conventional cryptographic primitives are weird

Conventional cryptanalysis is well advanced

SV 2007 Basic Crypto EPFL-SSC 223 / 528

Chapter Content

⋆Attack methods: differential cryptanalysis, linear cryptanalysis

⋆Security analysis: nonlinearity, Markov ciphers

⋆Security strengthening: indistinguishability, dedicated construction, decorrelation

SV 2007 Basic Crypto EPFL-SSC 222 / 528

4 Chapter 4: Conventional Security Analysis

SV 2007 Basic Crypto EPFL-SSC 221 / 528


Basic Access Control in HTTP [RFC2617]

The server keeps a database of (realm-value,userid,password) triplets

realm-value: one “part” of the HTTP server corresponding to anauthentication method

userid: the identification string of a user

password: the password

Upon a URI request to a server, the server sends a challenge

WWW-Authenticate: basic realm="⟨realm-value⟩"

The client must send credentials

Authorization: basic ⟨basic-credentials⟩

where basic-credentials = base64(⟨userid⟩:⟨password⟩). If the (realm-value, userid, password) triplet is correct, the server treats the URI request. Otherwise it sends the message HTTP/1.0 401 Unauthorized and sends the challenge again.

SV 2007 Basic Crypto EPFL-SSC 228 / 528

Password Authentication Protocols

Client → Server: request C to S
Client ← Server: credential?
Client → Server: login, password        Server: check

Example: UNIX password → (login, salt, OW(password, salt)) is stored in a database.

SV 2007 Basic Crypto EPFL-SSC 227 / 528

5 Chapter 5: Security Protocols with Conventional Cryptography
Access Control
Architectures based on Symmetric Cryptography

SV 2007 Basic Crypto EPFL-SSC 226 / 528

Chapter Content

Password access control: UNIX passwords, basic HTTP, PAP

Challenge-response protocols: digest HTTP, CHAP

One-time passwords: Lamport scheme, S/Key

Key distribution: Needham-Schroeder, Kerberos, Merkle puzzles

Authentication chains: Merkle signature scheme, timestamps

Case study: GSM network, Bluetooth network

SV 2007 Basic Crypto EPFL-SSC 225 / 528


Challenge/Response Protocols

[Figure: challenge/response. The server picks a random challenge and sends it to the client; both sides compute a MAC of the challenge under the password; the client returns the response and the server compares it (=?) with its own value.]

SV 2007 Basic Crypto EPFL-SSC 232 / 528

Challenge/Response Protocols

Client → Server: request C to S
Client ← Server: challenge c             Server: pick c at random
Client: r = MAC_password(c)
Client → Server: response r              Server: check r = MAC_password(c)

SV 2007 Basic Crypto EPFL-SSC 231 / 528

Passive vs Active Adversary

passive adversary: only listens to communications and tries to get credentials in order to pass access control later

active adversary: can interfere with client or server communications, e.g. man-in-the-middle

SV 2007 Basic Crypto EPFL-SSC 230 / 528

Pros and Cons

Pros

the server does not keep the password (only a digest)

Cons

does not work through a channel without confidentiality protection: the password can be compromised

SV 2007 Basic Crypto EPFL-SSC 229 / 528


Pros and Cons

Pros

the server does not keep the secret

resistance to passive adversary

Cons

used with a single server (or securely synchronized ones)

potential implementation problems (beware about sending i from Server to Client)

not ergonomic: users dislike it

vulnerable to man-in-the-middle attacks

SV 2007 Basic Crypto EPFL-SSC 236 / 528

S/Key - OTP [RFC 2289]

Client Server

Client                      Server
choose w
            ── w ──→        pick s at random
                            p_i ← H^{N+1−i}(w, s)
store p1, ..., pN
       ←── s, p1, ..., pN ──
i ← 1                       i ← 1, p ← p0
...
         ── request ──→
         ←── i, s ──
y ← p_i
            ── y ──→        check H(y) = p
...                         p ← y, i ← i + 1

SV 2007 Basic Crypto EPFL-SSC 235 / 528
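The S/Key exchange above with both sides implemented, as an added example that is not code from the lecture notes. H is modelled as SHA-256 (real S/Key folds an MD4/MD5 digest to 64 bits; that folding is omitted here, an assumption), the pass-phrase w and seed s are constructed, and the client-side check on i illustrates the "beware about sending i from Server to Client" caveat of the previous slide.

```python
"""S/Key one-time passwords: chain p_i = H^{N+1-i}(w, s), server check H(y) = p.

Added example, not part of the original lecture notes.
"""
import hashlib


def H(x):
    return hashlib.sha256(x).digest()


def skey_chain(w, s, N):
    """Return [p_0, ..., p_N] with p_i = H^{N+1-i}(w||s).

    p_N = H(w||s) is used first, p_0 = H^{N+1}(w||s) is the server's initial p.
    """
    values = [H(w + s)]                  # H^1
    for _ in range(N):
        values.append(H(values[-1]))     # H^2 ... H^{N+1}
    values.reverse()                     # values[i] = H^{N+1-i}
    return values


class SkeyServer:
    """Keeps only the seed s, the current check value p and the counter i."""

    def __init__(self, s, p0, N):
        self.s, self.p, self.i, self.N = s, p0, 1, N

    def challenge(self):
        return self.i, self.s

    def verify(self, y):
        if self.i > self.N:              # chain exhausted: re-initialisation needed
            return False
        if H(y) != self.p:               # wrong OTP, or replay of an older one
            return False
        self.p, self.i = y, self.i + 1   # accept: y becomes the next check value
        return True


class SkeyClient:
    """Stores p_1..p_N (or could recompute them from w and s)."""

    def __init__(self, w, s, N):
        self.s = s
        self.passwords = skey_chain(w, s, N)
        self.last_i = 0

    def respond(self, i, s):
        # a server (or a man-in-the-middle) must not be able to make the client
        # reveal a p_i for a counter that is lower than one already used
        if s != self.s or i <= self.last_i or i >= len(self.passwords):
            raise ValueError("unexpected seed or counter")
        self.last_i = i
        return self.passwords[i]
```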

CHAP Access Control in PPP [RFC1334]

CHAP packets are encapsulated in PPP Data Link Layer frames. A CHAP packet consists of

Code (1 byte), Identifier (1 byte), Length (2 bytes), Data

where Code is 1, 2, 3 or 4, Identifier is between 0 and 255, and Length is between 0 and 65535. The Identifier bytes are used to identify different simultaneous PPP sessions.

the PPP server sends a CHAP packet with code 1 (challenge)

the peer sends back a CHAP packet with code 2 (response)

Data_i = [ValueSize (1 byte), Value_i, Name]

Value_2 = H(Identifier, secret, Value_1).

the server sends a CHAP packet with code 3 (success) or 4 (failure)

SV 2007 Basic Crypto EPFL-SSC 234 / 528

Pros and Cons

Pros

resistance to passive adversary

Cons

the server must keep the password and strongly protect the database

vulnerable to man-in-the-middle attacks

SV 2007 Basic Crypto EPFL-SSC 233 / 528


GSM Protocol

[Figure: GSM protocol between SIM, Telephone, Radio Network and Operator. The operator draws a Random value and sends it as Challenge to the telephone and on to the SIM; the SIM computes the Response with A3 from its Key and a Temporary key with A8; the operator runs A3 and A8 on the same Key and compares the Response. The Temporary key feeds A5 on both sides, which turns Plaintext into Ciphertext on the radio link.]

SV 2007 Basic Crypto EPFL-SSC 240 / 528

GSM Slang

GSM: Global System for Mobile telecommunications

MS: Mobile Station

SIM: Subscriber Identity Module (part of MS)

HLR: Home Location Register

VLR: Visitor Location Register

IMSI: International Mobile Subscriber Identity (stored in SIM)

Ki: subscriber Integrity Key (securely stored in SIM)

SV 2007 Basic Crypto EPFL-SSC 239 / 528

GSM Authentication

principle 1: authentication of mobile system

principle 2: privacy protection in the wireless link

challenge-response protocol based on Ki

encryption key for a limited period of time (derived from Ki)

identity IMSI replaced by a pseudonym TMSI as soon as possible

Ki never leaves the security module (SIM card) or the home security database (HLR)

SV 2007 Basic Crypto EPFL-SSC 238 / 528

5 Chapter 5: Security Protocols with Conventional Cryptography
Access Control
Architectures based on Symmetric Cryptography

SV 2007 Basic Crypto EPFL-SSC 237 / 528


Bluetooth Security

mode 1: non-secure

mode 2: service level enforced security

mode 3: link level enforced security

SV 2007 Basic Crypto EPFL-SSC 244 / 528

Bluetooth History

10th Century: Viking King Harald Blatand (Harold Bluetooth) tried to unify Denmark, Norway, and Sweden

1994: Ericsson initiated a study to investigate the feasibility

May 20, 1998: Bluetooth announced, controlled by the Special Interest Group (SIG) formed by Ericsson, IBM, Intel, Nokia, and Toshiba

July 1999: Bluetooth 1.0 Specification Release

November 2004: Bluetooth 2.0 Specification Release

nearly 2000 members in SIG

SV 2007 Basic Crypto EPFL-SSC 243 / 528

The Bluetooth Project

short-range wireless technology

designed to transmit voice and data

for a variety of mobile devices (computing, communicating, ...)

bring together various markets

1 Mbit/sec up to 10 meters over the 2.4-GHz radio frequency

robustness, low complexity, low power, low cost

SV 2007 Basic Crypto EPFL-SSC 242 / 528

GSM Authentication

A3/8(Ki, RAND) = (SRES, KC)

SIM (Ki)   |   MS   |  (wireless)  |   VLR   |  (secure)  |   HLR (Ki)

SIM → MS: IMSI;  MS → VLR: IMSI;  VLR → HLR: IMSI
HLR → VLR: n × (RAND, SRES, KC)   (VLR stores them)
VLR → MS: RAND;  MS → SIM: RAND
SIM → MS: SRES, KC;  MS → VLR: SRES   (VLR checks)
VLR → MS: C_KC(TMSI)
...
MS → VLR: TMSI
VLR → MS: RAND;  MS → SIM: RAND
SIM → MS: SRES, KC;  MS → VLR: SRES   (VLR checks)

SV 2007 Basic Crypto EPFL-SSC 241 / 528


Typical Secure Communication Problem

[Figure: Device A and Device B communicate over a radio link; each has a SECURE channel to the Human User.]

secure channel for a PIN only

security based on an ephemeral PIN

SV 2007 Basic Crypto EPFL-SSC 248 / 528

Privacy in Bluetooth

[Figure: session flow: set discoverable mode → pairing protocol → set non-discoverable mode → connect to paired device → secure session → end session. The discoverable phase is marked unsafe; the whole flow is under user monitoring.]

SV 2007 Basic Crypto EPFL-SSC 247 / 528

Discovery and Connection Protocols

Discovery protocol:

Device → Target: who's there?
Device ← Target: I'm ADDR

Connection protocol:

Device → Target: connect to ADDR
Device ← Target: yes/no

SV 2007 Basic Crypto EPFL-SSC 246 / 528

Security from an Outside View

(for security level 3)

discoverable vs non-discoverable (privacy)

                 | non connectable | connectable
non discoverable | off             | cruise mode
discoverable     | —               | setup mode

[Figure: interface seen from outside: set mode; pairing protocol (pairing based on a PIN code introduced by a human operator); list of paired devices (database of paired devices).]

SV 2007 Basic Crypto EPFL-SSC 245 / 528


Pairing Protocol

Master A                              Slave B
user inputs PIN code
pick IN_RAND       ── IN_RAND ──→     user inputs PIN code
Kinit = E22(PIN, IN_RAND)             Kinit = E22(PIN, IN_RAND)
pick LK_RANDA                         pick LK_RANDB
CA = LK_RANDA ⊕ Kinit                 CB = LK_RANDB ⊕ Kinit
                   ── CA ──→
                   ←── CB ──
LK_RANDB = CB ⊕ Kinit                 LK_RANDA = CA ⊕ Kinit
compute K                             compute K

K = E21(LK_RANDA, BD_ADDRA) ⊕ E21(LK_RANDB, BD_ADDRB)

SV 2007 Basic Crypto EPFL-SSC 252 / 528

Device Pairing

[Figure: device pairing. The Operator enters the same PIN on Device 1 and Device 2; the devices exchange request, ..., run the pairing protocol, and both end with the link key Klink.]

SV 2007 Basic Crypto EPFL-SSC 251 / 528

Key Management from an Inside View

pairing generates an ephemeral key Kinit (discarded after pairing)

pairing leads to a long-term 128-bit link key K

(dummy devices have a fixed Kunit which can be forced to become the link key)

link key used to authenticate devices and to derive an encryption key Kc

effective length of the encryption key from 8 to 128 bits (for regulation purposes)

SV 2007 Basic Crypto EPFL-SSC 250 / 528

... with a Dummy Device

[Figure: Device A and a Dummy device communicate over a radio link; Device A has a SECURE channel to the Human User, the dummy device's SECURE channel is reduced to its factory settings.]

limited keyboard and screen (button and LED only)

manufactured PIN and semi-permanent unit key

SV 2007 Basic Crypto EPFL-SSC 249 / 528


Peer Authentication

Master A                                   Slave B
pick AU_RANDB     ── AU_RANDB ──→
check SRESB       ←── SRESB ──             compute SRESB
                  ←── AU_RANDA ──          pick AU_RANDA
compute SRESA     ── SRESA ──→             check SRESA

SRES_d = E1(K, AU_RAND_d, BD_ADDR_d)

SV 2007 Basic Crypto EPFL-SSC 256 / 528

Dummy Devices: Unit Key is Shared with Many Devices

[Figure: a Dummy device holds a single Kunit, which is shared with Device 1 and Device 2.]

SV 2007 Basic Crypto EPFL-SSC 255 / 528

... with a Dummy Device

Master A                              Slave B
user inputs PIN code
pick IN_RAND       ── IN_RAND ──→     user inputs PIN code (or not)
Kinit = E22(PIN, IN_RAND)             Kinit = E22(PIN, IN_RAND)
                   ←── CB ──          CB = Kunit ⊕ Kinit
K = CB ⊕ Kinit                        K = Kunit

the link key is forced to be the unit key

→ problem if the dummy device is (or has been) paired with multiple devices

SV 2007 Basic Crypto EPFL-SSC 254 / 528

Pairing with a Dummy Device

[Figure: pairing with a dummy device. The Operator enters the PIN on the Device; the Dummy's PIN and Kunit were set at the Factory. The devices exchange request, ..., run the pairing protocol, and end with Kunit as the link key.]

SV 2007 Basic Crypto EPFL-SSC 253 / 528


Server-Aided Authentication (Bad One)

AS                 Client                 Server
Client → AS: request IC to IS
AS: pick K
AS → Client: C_KC(K), C_KS(K)
Client → Server: C_KS(K), IC

Problem: there is no authentication: an attacker can replace IC or IS

SV 2007 Basic Crypto EPFL-SSC 260 / 528

Server-Aided Authentication

Hypotheses:

there is an online (trusted) authentication server (AS)

AS shares KC with client IC

AS shares KS with server IS

Goal: to help IC and IS to share a session key K (and to help careless users to get privacy)

SV 2007 Basic Crypto EPFL-SSC 259 / 528

Sniffing + Offline Attack

Assumption: pairing not made in a private environment (channel not confidential) and guessable PIN (lazy operator)

1 sniff the pairing protocol, get IN RAND,CA,CB

2 −→ can compute Klink from PIN

3 sniff a peer-authentication protocol, get rand,F(rand,Klink)

4 −→ can check a guess on Klink

5 run an offline exhaustive search on PIN

SV 2007 Basic Crypto EPFL-SSC 258 / 528

Underlying Hypothesis

pairing is made in a bunker (equipped with a Faraday cage)

Confidentiality seems necessary during the pairing protocol. Otherwise one can derive dramatic sniffing attacks (Jakobsson-Wetzel 2001)

SV 2007 Basic Crypto EPFL-SSC 257 / 528


Basic Kerberos Protocol

AS                 Client                 Server
Client: pick N
Client → AS: request IC to IS, N
AS: pick K
AS → Client: C_KC(K, IS, N, T, L), C_KS(K, IC, T, L)
Client → Server: C_KS(K, IC, T, L), C_K(IC, T)
Client ← Server: C_K(T + 1)

T: clock value; L: validity period

SV 2007 Basic Crypto EPFL-SSC 264 / 528

Needham-Schroeder Authentication

AS                 Client                 Server
Client: pick N1
Client → AS: request IC to IS, N1
AS: pick K
AS → Client: C_KC(K, IS, N1, C_KS(K, IC))
Client → Server: C_KS(K, IC)
Server: pick N2
Client ← Server: C_K(N2)
Client → Server: C_K(N2 + 1)

Problem: replay attack by impersonating C after K gets compromised

SV 2007 Basic Crypto EPFL-SSC 263 / 528

Server-Aided Authentication (Still Bad One)

AS                 Client                 Server
Client → AS: request IC to IS
AS: pick K
AS → Client: C_KC(K, IS), C_KS(K, IC)
Client → Server: C_KS(K, IC)

Problem: replay attack by impersonating AS after K gets compromised

SV 2007 Basic Crypto EPFL-SSC 262 / 528

Attack

AS                 Adv.                   Server
Adv. → AS: request IA to IS
AS: pick K
AS → Adv.: C_KA(K), C_KS(K)
Adv. → Server: C_KS(K), IC

Server thinks he is talking to IC

SV 2007 Basic Crypto EPFL-SSC 261 / 528


Chapter Content

Group theory: isomorphism, construction

Zn ring: Euclid algorithm, exponentiation, Chinese Remainder Theorem

Finite fields: generators, construction

⋆Quadratic residue

Elliptic curves

SV 2007 Basic Crypto EPFL-SSC 268 / 528

6 Chapter 6: Algorithmic Algebra

SV 2007 Basic Crypto EPFL-SSC 267 / 528

Conclusion

Lightweight networks based on conventional cryptography only (GSM, Bluetooth, ...)

Although limited, we can make many protocols with only conventional cryptography

Assembling cryptographic primitives in a protocol is not trivial

SV 2007 Basic Crypto EPFL-SSC 266 / 528

Kerberos

C → AS:  request C to TGS, options, N0
C ← AS:  C_KC(K0, time, N0, I_TGS), grant = C_KTGS(flags, K0, IC, time)        (AS picks K0)
C → TGS: IS, options, grant, N, C_K0(IC, time)
C ← TGS: C_K0(K, time, N, IS, T, L), ticket = C_KS(flags, K, IC, T, L)        (TGS picks K)
C → S:   ticket, C_K(IC, T)
C ← S:   C_K(T + 1)

SV 2007 Basic Crypto EPFL-SSC 265 / 528


Group Constructions

Subgroups: given (G, .), and given H ⊆ G which is nonempty and stable by . and inversion, consider (H, .)

Product groups: given (G1, ×1) and (G2, ×2), consider G = G1 × G2 and (a1, a2).(b1, b2) = (a1 ×1 b1, a2 ×2 b2)

Power groups: given (G, .) and I, consider G^I and (a_i)_{i∈I} × (b_i)_{i∈I} = (a_i.b_i)_{i∈I}

Quotient groups: given (G, .) commutative and a subgroup H, consider the set G/H of representatives of the congruence modulo H with the law induced by .

SV 2007 Basic Crypto EPFL-SSC 272 / 528

Additive vs Multiplicative Notations

                | additive notations | multiplicative notations
group           | (G, +)             | (G, ×)
operation       | a + b              | a.b
neutral element | 0                  | 1
inverse         | −a                 | a^{−1}
exponential     | n.a                | a^n

SV 2007 Basic Crypto EPFL-SSC 271 / 528

Definition, Examples

Definition

A group is a set G together with a mapping from G × G to G which maps (a, b) to an element denoted ab and such that

1. [closure] for any a, b ∈ G, we have ab ∈ G

2. [associativity] for any a, b, c, we have (ab)c = a(bc)

3. [neutral element] there exists an element e s.t. for any a, ae = ea = a

4. [invertibility] for any a there exists b s.t. ab = ba = e

Z with +

S_A with ∘

Z_n with the addition modulo n

SV 2007 Basic Crypto EPFL-SSC 270 / 528

6 Chapter 6: Algorithmic Algebra
Groups
Rings
The Zn Ring
Finite Fields

SV 2007 Basic Crypto EPFL-SSC 269 / 528


Generators

Given a group (G, .), an element g generates a subgroup

⟨g⟩ = {..., g^{−2}, g^{−1}, g^0, g^1, g^2, ...}

If ⟨g⟩ is finite, of cardinality n, then g^n = 1 and

⟨g⟩ = {g^0, g^1, ..., g^{n−1}}

Proof. Let m be the smallest integer s.t. there exists i s.t. 0 ≤ i < m and g^i = g^m. Since g^{i−1} = g^{m−1} we must have i − 1 < 0, hence i = 0 and g^j = g^{j mod m}, and

⟨g⟩ = {g^0, g^1, ..., g^{m−1}}

so n = m.

The mapping ϕ : Z_n → ⟨g⟩ defined by ϕ(a) = g^a is a group isomorphism. Namely, ϕ(a + b) = ϕ(a) · ϕ(b) for any a, b ∈ Z_n

SV 2007 Basic Crypto EPFL-SSC 276 / 528

Cerebral Z n

nZ is a subgroup of Z (with law +), which is commutative (the group generated by n)

we can do the quotient Z/nZ of Z by nZ

congruence modulo nZ is written

a ≡ b (mod n) ⟺ a − b ∈ nZ ⟺ a mod n = b mod n

note that (a + nZ) + (b + nZ) = (a ⊞ b) + nZ

an exhaustive list of equivalence classes is

0 + nZ, 1 + nZ, 2 + nZ, ..., (n−1) + nZ

we simply write a instead of a + nZ

SV 2007 Basic Crypto EPFL-SSC 275 / 528

Pedestrian Z n

Euclidean division in Z: for any a ∈ Z and any n > 0 there exists a unique (q, r) ∈ Z² such that a = qn + r and 0 ≤ r < n; we write q = ⌊a/n⌋ and r = a mod n

Z_n = {0, 1, ..., n−1}

addition in Z_n: a ⊞ b = (a + b) mod n

useful lemma: (a + (b mod n)) mod n = (a + b) mod n

closure: comes from x mod n ∈ Z_n for any x ∈ Z

associativity: comes from the lemma

neutral element: 0

invertibility: comes from the lemma, (−a) mod n

SV 2007 Basic Crypto EPFL-SSC 274 / 528

Functional vs Family Notations

                | functional notations      | family notations
                | function domain D         | index set I
                | function range R          | set S
finite domain   | f : {1, ..., n} → R       | (x1, ..., xn)
infinite domain | f : D → R                 | (x_i)_{i∈I}
input           | x ∈ D                     | i ∈ I
image           | f(x) ∈ R                  | x_i ∈ S
set             |                           | S^I, S^n

SV 2007 Basic Crypto EPFL-SSC 273 / 528


Addition in Elliptic Curves

E_{a,b} = {O} ∪ {(x, y); y² = x³ + ax + b}

Given P = (xP, yP), we define −P = (xP, −yP) and −O = O.

Given P = (xP, yP) and Q = (xQ, yQ), if Q = −P, we define P + Q = O.

Given P = (xP, yP) and Q = (xQ, yQ), if Q ≠ −P, we let

$$\lambda = \begin{cases} \dfrac{y_Q - y_P}{x_Q - x_P} & \text{if } x_P \neq x_Q \\[2ex] \dfrac{3x_P^2 + a}{2y_P} & \text{if } x_P = x_Q \end{cases}$$

$$x_R = \lambda^2 - x_P - x_Q, \qquad y_R = (x_P - x_R)\lambda - y_P$$

R = (xR, yR) and P + Q = R.

In addition, P + O = O + P = P and O + O = O.

SV 2007 Basic Crypto EPFL-SSC 280 / 528
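The addition law above carried out over a prime field, as an added example that is not code from the lecture notes. The curve y² = x³ + 2x + 3 over F_97 and the point P = (3, 6) are constructed for the demonstration; the test for Q = −P is made before the tangent formula so that the case y_P =0 (vertical tangent) never divides by zero.

```python
"""Chord-and-tangent addition on E_{a,b}: y^2 = x^3 + ax + b over F_p.

Added example, not part of the original lecture notes. Points are (x, y)
tuples; O (the point at infinity) is represented by None.
"""
O = None


class Curve:
    def __init__(self, p, a, b):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        """-P = (x_P, -y_P), -O = O."""
        if P is O:
            return O
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P, Q):
        p = self.p
        if P is O:                     # O + P = P
            return Q
        if Q is O:                     # P + O = P
            return P
        if Q == self.neg(P):           # P + (-P) = O (also covers y_P = 0 doubling)
            return O
        xP, yP = P
        xQ, yQ = Q
        if xP != xQ:                   # chord through P and Q
            lam = (yQ - yP) * pow(xQ - xP, -1, p) % p
        else:                          # tangent at P (here P == Q)
            lam = (3 * xP * xP + self.a) * pow(2 * yP, -1, p) % p
        xR = (lam * lam - xP - xQ) % p
        yR = ((xP - xR) * lam - yP) % p
        return (xR, yR)

    def mul(self, k, P):
        """k.P for k >= 0 by double-and-add, using only add()."""
        R = O
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def order_of(self, P):
        """Smallest m > 0 with m.P = O, by repeated addition."""
        m, R = 1, P
        while R is not O:
            R = self.add(R, P)
            m += 1
        return m


if __name__ == "__main__":
    E = Curve(97, 2, 3)
    P = (3, 6)
    print("2P =", E.add(P, P), "order of P =", E.order_of(P))
```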

Elliptic Curves

[Figure: chord-and-tangent construction of P + Q on an elliptic curve, with the points P, Q and P + Q marked.]

SV 2007 Basic Crypto EPFL-SSC 279 / 528

Example

Z15 has order 15

We have ⟨5⟩ = {0, 5, 10}. This is a subgroup of order 3: 5 has order 3 in Z15

We have ⟨2⟩ = {0, 2, 4, 6, 8, 10, 12, 14, 1, 3, 5, 7, 9, 11, 13}: 2 has order 15 in Z15

2 is a generator

SV 2007 Basic Crypto EPFL-SSC 278 / 528

Finite Groups

Definition

If (G, .) is a group and if G is a finite set, then the cardinality of G is called the group order. If g generates a subgroup of order m, then m is called the order of g.

Property: the order of g is the smallest i > 0 s.t. g^i = 1.

Theorem (Lagrange)

The order of any element is a factor of the order of the group.

Consequence: if G has prime order, all elements (except 1) are generators

SV 2007 Basic Crypto EPFL-SSC 277 / 528


Ring Units

Let (R, +, .) be a ring. (Example: R = Zn.)

We let R* denote the set of invertible elements: the group of units.

a, b ∈ R are equivalent if a = ub for some unit u.

Example: Z*_15 = {1, 2, 4, 7, 8, 11, 13, 14}

SV 2007 Basic Crypto EPFL-SSC 284 / 528

Ring Constructions

Product rings: given (R1, +1, ×1) and (R2, +2, ×2), consider R = R1 × R2 and (a1, a2).(b1, b2) = (a1 ×1 b1, a2 ×2 b2)

Power rings: given (R, +, .) and A, consider R^A and (a_i)_{i∈A} × (b_i)_{i∈A} = (a_i.b_i)_{i∈A}

Ideals: given (R, +, .), and given a subgroup I of R s.t. ∀a ∈ I ∀b ∈ R: ab, ba ∈ I

Quotient rings: given (R, +, .) and an ideal I, consider the group R/I of representatives of the congruence modulo I with the law induced by .

SV 2007 Basic Crypto EPFL-SSC 283 / 528

Definition, examples

Definition

A ring is an Abelian group (R, +) together with a mapping from R × R to R which maps (a, b) to an element denoted ab and such that

  1-4. [group] R with + is a group
  5. [Abelian] for any a, b, we have a + b = b + a
  6. [closure] for any a, b ∈ R, we have ab ∈ R
  7. [associativity] for any a, b, c, we have (ab)c = a(bc)
  8. [neutral element] there exists an element 1 s.t. for any a, a1 = 1a = a
  9. [distributivity] for any a, b, c, we have a(b + c) = ab + ac and (a + b)c = ac + bc

Examples:
  Z with + and ×
  Z[X] with + and ×
  Zn with the addition and multiplication modulo n

SV 2007 Basic Crypto EPFL-SSC 282 / 528

Chapter 6: Algorithmic Algebra
  Groups
  Rings
  The Zn Ring
  Finite Fields

SV 2007 Basic Crypto EPFL-SSC 281 / 528


Addition in Binary

1 + 1 = 10

Example (carries written above the operands):

  carries:      1       1
        1 001 001
  +    10 011 000
  =    11 100 001

Input: a and b, two integers of at most ℓ bits
Output: c, an integer of at most ℓ + 1 bits representing a + b
Complexity: O(ℓ)

  r ← 0
  for i = 0 to ℓ − 1 do
    d ← a_i + b_i + r
    set c_i and r to bits such that d = 2r + c_i
  end for
  c_ℓ ← r

SV 2007 Basic Crypto EPFL-SSC 288 / 528

Addition with Big Numbers (in Decimal)

  carries:   1   1 1
        8 427 403
  +    12 951 842
  =    21 379 245

Input: two integers a and b of ℓ digits
Output: one integer c = a + b

  r ← 0
  for i = 0 to ℓ − 1 do
    d ← a_i + b_i + r
    write d = 10r + c_i with c_i < 10
  end for
  c_ℓ ← r

SV 2007 Basic Crypto EPFL-SSC 287 / 528

Chapter 6: Algorithmic Algebra
  Groups
  Rings
  The Zn Ring
  Finite Fields

SV 2007 Basic Crypto EPFL-SSC 286 / 528

Irreducibility and Primes

Let us consider the ring (R, +, .) = Z.

a, b ∈ R are equivalent if a = ±b.

If a ∈ R is such that for all b, c ∈ R, a = bc ⇒ b = ±1 or c = ±1, then a is said to be irreducible.

We define the primes as the positive irreducible integers.

There is a Euclidean division in Z: for any a, b with b > 0, there exist q, r s.t. a = qb + r and 0 ≤ r < b.

In Euclidean rings, elements are uniquely factored into a product of primes and a unit (up to any permutation of the product).

SV 2007 Basic Crypto EPFL-SSC 285 / 528


Multiplication From Right to Left

Input: a and b, two integers of at most ℓ bits
Output: c = a × b
Complexity: O(ℓ²)

  x ← 0
  y ← a
  for i = 0 to ℓ − 1 do
    if b_i = 1 then
      x ← x + y
    end if
    y ← y + y
  end for
  c ← x

SV 2007 Basic Crypto EPFL-SSC 292 / 528

Multiplication

12 × 100101 = 444

Partial products (binary, hexadecimal, decimal):

            1 1 0 0         0x00c (12)
  ×     1 0 0 1 0 1         0x025 (37)
  ----------------------------------------
            1 1 0 0         0x00c (12)     b_0 = 1
  +       0 0 0 0           0x000 (0)      b_1 = 0
  +     1 1 0 0             0x030 (48)     b_2 = 1
  +   0 0 0 0               0x000 (0)      b_3 = 0
  + 0 0 0 0                 0x000 (0)      b_4 = 0
  + 1 1 0 0                 0x180 (384)    b_5 = 1
  ----------------------------------------
  = 1 1 0 1 1 1 1 0 0       0x1bc (444)

Right to left: y doubles at each step, x accumulates the y for which b_i = 1.

  i   b_i   y = 12·2^i   x
  0   1     12           12
  1   0     24           12
  2   1     48           60
  3   0     96           60
  4   0     192          60
  5   1     384          444

SV 2007 Basic Crypto EPFL-SSC 291 / 528

Addition in Zn

Input: an integer n of ℓ bits, two integers a and b less than n
Output: c, an integer which represents a + b mod n
Complexity: O(ℓ)

  add a and b in c
  compare c and n
  if c ≥ n then
    subtract n from c
  end if

SV 2007 Basic Crypto EPFL-SSC 290 / 528

Addition (Binary/Hexadecimal/Decimal)

      1 0 1 0 1 0 0     0x54 (84)
  +  1 0 0 1 0 0 1 0    0x92 (146)
  =  1 1 1 0 0 1 1 0    0xe6 (230)

SV 2007 Basic Crypto EPFL-SSC 289 / 528


Multiplication in Zn From Left to Right

Input: an integer n of ℓ bits, a, b ∈ Zn
Output: c = a × b mod n
Complexity: O(ℓ²)

  x ← 0
  for i = ℓ − 1 down to 0 do
    x ← x + x mod n
    if b_i = 1 then
      x ← x + a mod n
    end if
  end for
  c ← x

SV 2007 Basic Crypto EPFL-SSC 296 / 528

Multiplication From Left to Right

Input: a and b, two integers of at most ℓ bits
Output: c = a × b
Complexity: O(ℓ²)

  x ← 0
  for i = ℓ − 1 down to 0 do
    x ← x + x
    if b_i = 1 then
      x ← x + a
    end if
  end for
  c ← x

SV 2007 Basic Crypto EPFL-SSC 295 / 528

From Left to Right

12 × 100101 = 444

Running value x, scanning the bits of 100101 from the left (DB = double, + = add 12):

  x = 0
  bit 1:  DB → 0,    + → 12      (12 × 1)
  bit 0:  DB → 24                (12 × 10)
  bit 0:  DB → 48                (12 × 100)
  bit 1:  DB → 96,   + → 108     (12 × 1001)
  bit 0:  DB → 216               (12 × 10010)
  bit 1:  DB → 432,  + → 444     (12 × 100101)

Sequence of values: 0 0 12 24 48 96 108 216 432 444

SV 2007 Basic Crypto EPFL-SSC 294 / 528

Multiplication in Zn From Right to Left

Input: an integer n of ℓ bits, a, b ∈ Zn less than n
Output: c = a × b mod n
Complexity: O(ℓ²)

  x ← 0
  y ← a
  for i = 0 to ℓ − 1 do
    if b_i = 1 then
      x ← x + y mod n
    end if
    y ← y + y mod n
  end for
  c ← x

SV 2007 Basic Crypto EPFL-SSC 293 / 528


Alternate Presentation

26^100101 mod 77 = 5

Right to left: y runs through the successive squares 26^(2^i) mod 77 (SQ), x accumulates the y for which e_i = 1 (×):

  i   e_i   y = 26^(2^i) mod 77   x
  -   -     -                     1
  0   1     26                    26
  1   0     60                    26
  2   1     58                    45
  3   0     53                    45
  4   0     37                    45
  5   1     60                    5

SV 2007 Basic Crypto EPFL-SSC 300 / 528

Modular Exponentiation

0x1a (26) to the power 100101 = 0x25 (37), mod 0x4d (77)

  bit       square chain              factor
  e_0 = 1   26                        × 0x1a (26)   26^1 = 26
  e_1 = 0   26² mod 77 = 60           × 0x01 (1)    60^0 = 1
  e_2 = 1   60² mod 77 = 58           × 0x3a (58)   58^1 = 58
  e_3 = 0   58² mod 77 = 53           × 0x01 (1)    53^0 = 1
  e_4 = 0   53² mod 77 = 37           × 0x01 (1)    37^0 = 1
  e_5 = 1   37² mod 77 = 60           × 0x3c (60)   60^1 = 60
  product                             = 0x05 (5)

SV 2007 Basic Crypto EPFL-SSC 299 / 528

Generalization: Exponential

if we can compute a group law ab in O(T) then we can compute a^n for n ∈ N in O(T log n)

if we can compute a group law a + b in O(T) then we can compute n.a for n ∈ N in O(T log n)

SV 2007 Basic Crypto EPFL-SSC 298 / 528

Example

12 × 100101 mod 77 = 59

Running value x, scanning the bits of 100101 from the left (DB = double mod 77, + = add 12 mod 77):

  x = 0
  bit 1:  DB → 0,                 + → 12      (12 × 1)
  bit 0:  DB → 24                             (12 × 10)
  bit 0:  DB → 48                             (12 × 100)
  bit 1:  DB → 96 mod 77 = 19,    + → 31      (12 × 1001)
  bit 0:  DB → 62                             (12 × 10010)
  bit 1:  DB → 124 mod 77 = 47,   + → 59      (12 × 100101)

Sequence of values: 0 0 12 24 48 19 31 62 47 59

SV 2007 Basic Crypto EPFL-SSC 297 / 528


Euclidean Division

we can just adapt the algorithm we have learnt at school (not trivial to implement!)

for any a ∈ Z and n > 0 there exists a unique pair (q, r) ∈ Z² such that a = qn + r and 0 ≤ r < n

  q = ⌊a/n⌋ and r = a mod n

algorithm runs in O(ℓ²)

SV 2007 Basic Crypto EPFL-SSC 304 / 528

Example

26^100101 mod 77 = 5

Running value x, scanning the bits of 100101 from the left (SQ = square mod 77, × = multiply by 26 mod 77):

  x = 1
  bit 1:  SQ → 1,    × → 26      (26 = 26^1)
  bit 0:  SQ → 60                (26² = 26^10)
  bit 0:  SQ → 58                (26^(2²) = 26^100)
  bit 1:  SQ → 53,   × → 69      (26^(2³+1) = 26^1001)
  bit 0:  SQ → 64                (26^(2⁴+2) = 26^10010)
  bit 1:  SQ → 15,   × → 5       (26^(2⁵+2²+1) = 26^100101)

Sequence of values: 1 1 26 60 58 53 69 64 15 5

SV 2007 Basic Crypto EPFL-SSC 303 / 528

Exponentiation From Left to Right

Input: a and n, two integers of at most ℓ bits, an integer e
Output: x = a^e mod n
Complexity: O(ℓ² log e)

  x ← 1
  for i = log e − 1 down to 0 do
    x ← x × x mod n
    if e_i = 1 then
      x ← x × a mod n
    end if
  end for

SV 2007 Basic Crypto EPFL-SSC 302 / 528

Exponentiation From Right to Left

Input: a and n, two integers of at most ℓ bits, an integer e
Output: x = a^e mod n
Complexity: O(ℓ² log e)

  x ← 1
  y ← a
  for i = 0 to log e − 1 do
    if e_i = 1 then
      x ← x × y mod n
    end if
    y ← y × y mod n
  end for

SV 2007 Basic Crypto EPFL-SSC 301 / 528
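The "Generalization: Exponential" slide says the double-and-add multiplication and the square-and-multiply exponentiation are one algorithm for two group laws. As an added example (not code from the course slides), the left-to-right and right-to-left scans are written once for an arbitrary group law and then instantiated on (Zn, +) to get a × b mod n and on (Zn, ×) to get a^e mod n, reproducing the slides' chains 12 × 100101 mod 77 = 59 and 26^100101 mod 77 = 5. All function names are this example's own; the values 12, 37 (= 100101 in binary), 26 and 77 are the slides' worked numbers.

```python
# Added example (not from the course slides): the two scanning orders of
# the slides, written for any group law `op` with neutral element
# `identity`, then specialised to modular multiplication and modular
# exponentiation.  The slides' "n.a" and "a^n" are the same loop with
# op = addition or op = multiplication.

def power_ltr(op, identity, a, n):
    """Left-to-right: scan n from its most significant bit; apply op(x, x)
    (DB or SQ) every step and op(x, a) when the bit is 1."""
    x = identity
    for bit in bin(n)[2:]:
        x = op(x, x)
        if bit == "1":
            x = op(x, a)
    return x


def power_rtl(op, identity, a, n):
    """Right-to-left: scan n from its least significant bit; y runs through
    a, a^2, a^4, ... and is folded into x when the bit is 1."""
    x, y = identity, a
    while n > 0:
        if n & 1:
            x = op(x, y)
        y = op(y, y)
        n >>= 1
    return x


def trace_ltr(op, identity, a, n):
    """Same as power_ltr but return every intermediate value: the slides'
    'sequence of values' line."""
    x = identity
    chain = [x]
    for bit in bin(n)[2:]:
        x = op(x, x)
        chain.append(x)
        if bit == "1":
            x = op(x, a)
            chain.append(x)
    return chain


def mulmod(a, b, n):
    """a x b mod n using only modular additions (double-and-add)."""
    return power_ltr(lambda u, v: (u + v) % n, 0, a % n, b)


def powmod(a, e, n):
    """a^e mod n by square-and-multiply: O(log e) modular multiplications."""
    return power_rtl(lambda u, v: (u * v) % n, 1, a % n, e)


if __name__ == "__main__":
    print(trace_ltr(lambda u, v: (u + v) % 77, 0, 12, 0b100101))   # ... 59
    print(trace_ltr(lambda u, v: (u * v) % 77, 1, 26, 0b100101))   # ... 5
```

The sequence of operations (square or double, then conditionally multiply or add) depends only on the bits of the exponent, which is why a naive implementation of either scan leaks the exponent through timing or power consumption; constant-time variants perform the same work on every bit.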


Extended Euclid Algorithm

Input: a and b, two integers of at most ℓ bits
Output: d, u, v such that d = au + bv = gcd(a, b)
Complexity: O(ℓ²)

  (vectors x = (x1, x2, x3) and y = (y1, y2, y3))
  x ← (a, 1, 0), y ← (b, 0, 1)
  while y1 > 0 do
    make a Euclidean division x1 = q·y1 + r
    do simultaneously x ← y and y ← x − q·y
  end while
  (d, u, v) ← x

Invariant: x, y ∈ {(α, β, γ); α = a·β + b·γ}

SV 2007 Basic Crypto EPFL-SSC 308 / 528

Why does it Work?

a divisor of x and y is a divisor of x − qy for all q

x = (x − qy) − (−q)y

d divides x and y ⇐⇒ d divides y and x − qy

gcd(x, y) = gcd(y, x − qy)

gcd(x, 0) = x

conclusion: the algorithm terminates with gcd(a, b)

to be discussed: running time (complexity)

SV 2007 Basic Crypto EPFL-SSC 307 / 528

Example

We run the algorithm with a = 22 and b = 35. We obtain the following sequence.

  iteration   x    y    q
  0           22   35   0
  1           35   22   1
  2           22   13   1
  3           13   9    1
  4           9    4    2
  5           4    1    4
  6           1    0

Thus gcd(22, 35) = 1.

SV 2007 Basic Crypto EPFL-SSC 306 / 528

Euclid Algorithm

Input: a and b, two integers of at most ℓ bits
Output: d = gcd(a, b)
Complexity: O(ℓ²)

  x ← a, y ← b
  while y > 0 do
    make a Euclidean division x = qy + r
    do simultaneously x ← y and y ← x − qy
  end while
  d ← x

SV 2007 Basic Crypto EPFL-SSC 305 / 528


Euler Totient Function

ϕ(n) is the order of Z*_n

Theorem

Given an integer n, we have the following results.

For all x ∈ Zn we have x ∈ Z*_n ⇐⇒ gcd(x, n) = 1.

Zn is a field ⇐⇒ Z*_n = Zn \ {0} ⇐⇒ ϕ(n) = n − 1 ⇐⇒ n is prime

For all x ∈ Z*_n we have x^ϕ(n) ≡ 1 (mod n).

For all x ∈ Z*_n, if e is such that gcd(e, ϕ(n)) = 1, we let d = e^{−1} mod ϕ(n). Then, x^d mod n is the only e-th root of x modulo n.

SV 2007 Basic Crypto EPFL-SSC 312 / 528

Arithmetics with Big Numbers

addition (O(ℓ)): x, y ↦ x + y and x, y, n ↦ (x + y) mod n

multiplication (O(ℓ²)): x, y ↦ x × y and x, y, n ↦ (x × y) mod n

Euclidean division (O(ℓ²)): x, n ↦ x mod n

→ Arithmetics in Zn

fast exponential (O(ℓ³)): x, e, n ↦ x^e mod n

Euclid Algorithm (O(ℓ²)): x, y ↦ a, b s.t. ax + by = gcd(x, y)

inversion in Zn (O(ℓ²)): x, n ↦ y s.t. xy mod n = 1 (when feasible)

SV 2007 Basic Crypto EPFL-SSC 311 / 528

Modular Inversion

Theorem

x ∈ Zn is invertible if and only if gcd(x, n) = 1.

Proof.
=⇒ if gcd(x, n) = d > 1 then d divides (x · y) mod n for any y, so (x · y) mod n ≠ 1 and x is non-invertible.
⇐= if gcd(x, n) = 1, the Extended Euclid algorithm finds the inverse of x.

SV 2007 Basic Crypto EPFL-SSC 310 / 528

Example

We run the algorithm with a = 22 and b = 35. We obtain the following sequence of vectors.

  iteration   x               y               q
  0           (22, 1, 0)      (35, 0, 1)      0
  1           (35, 0, 1)      (22, 1, 0)      1
  2           (22, 1, 0)      (13, −1, 1)     1
  3           (13, −1, 1)     (9, 2, −1)      1
  4           (9, 2, −1)      (4, −3, 2)      2
  5           (4, −3, 2)      (1, 8, −5)      4
  6           (1, 8, −5)      (0, −35, 22)

Thus 1 = 22 × 8 − 35 × 5.

Application: inversion of 22 modulo 35

SV 2007 Basic Crypto EPFL-SSC 309 / 528
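The vector form of the Extended Euclid algorithm and its use for inversion modulo n, as an added example (this code is not from the course slides): each vector (α, β, γ) keeps the invariant α = a·β + b·γ of the slide, so the last non-zero vector is (gcd(a, b), u, v). The example run with a = 22, b = 35 is the slides' own; the trace function reproduces its table, and inverse_mod returns None instead of an inverse when gcd(x, n) ≠ 1, which is the "when feasible" caveat of the arithmetic summary. All function names are this example's own.

```python
# Added example (not from the course slides): Extended Euclid in the
# vector form of the slide, the table of the worked example, and modular
# inversion built on it.

def extended_euclid(a, b):
    """Return (d, u, v) with d = gcd(a, b) = a*u + b*v, for a, b >= 0."""
    x = (a, 1, 0)            # invariant: x[0] == a*x[1] + b*x[2]
    y = (b, 0, 1)            # invariant: y[0] == a*y[1] + b*y[2]
    while y[0] > 0:
        q = x[0] // y[0]     # Euclidean division x1 = q*y1 + r
        # simultaneously x <- y and y <- x - q*y (component-wise)
        x, y = y, (x[0] - q * y[0], x[1] - q * y[1], x[2] - q * y[2])
    return x


def extended_euclid_trace(a, b):
    """Same computation, returning the rows (iteration, x, y, q) of the
    slide's table; q is None on the final row, as on the slide."""
    rows = []
    x, y = (a, 1, 0), (b, 0, 1)
    i = 0
    while y[0] > 0:
        q = x[0] // y[0]
        rows.append((i, x, y, q))
        x, y = y, tuple(xi - q * yi for xi, yi in zip(x, y))
        i += 1
    rows.append((i, x, y, None))
    return rows


def inverse_mod(x, n):
    """y with x*y mod n == 1, or None when gcd(x, n) != 1 (x not invertible)."""
    d, u, _ = extended_euclid(x % n, n)
    if d != 1:
        return None
    return u % n


if __name__ == "__main__":
    for row in extended_euclid_trace(22, 35):
        print(*row)
    print("22^-1 mod 35 =", inverse_mod(22, 35))   # 8
```

The gcd check in inverse_mod is the practical point: code that computes e^{-1} mod ϕ(N) for RSA key generation must reject an e with gcd(e, ϕ(N)) ≠ 1 rather than silently returning a meaningless u mod n.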


Proof — iv

For all x ∈ Z*_n, if e is such that gcd(e, ϕ(n)) = 1, we let d = e^{−1} mod ϕ(n). Then, x^d mod n is the only e-th root of x modulo n.

Proof. We have e · d = 1 + k · ϕ(n) for some k, hence x ≡ y^e =⇒ x^d ≡ y^{1 + k·ϕ(n)} ≡ y and y ≡ x^d =⇒ y^e ≡ x^{1 + k·ϕ(n)} ≡ x.

SV 2007 Basic Crypto EPFL-SSC 316 / 528

Proof — iii

For all x ∈ Z*_n we have x^ϕ(n) ≡ 1 (mod n).

Proof. Due to the Lagrange Theorem, the order k of x divides the order ϕ(n) of Z*_n. Let ϕ(n) = k · r. We have x^ϕ(n) ≡ x^{k·r} ≡ (x^k)^r ≡ 1^r ≡ 1.

SV 2007 Basic Crypto EPFL-SSC 315 / 528

Proof — ii

Zn is a field ⇐⇒ Z*_n = Zn \ {0} ⇐⇒ ϕ(n) = n − 1

Proof. By definition, Zn is a field ⇐⇒ Z*_n = Zn \ {0}. Since #Z*_n = ϕ(n), Z*_n ⊆ Zn \ {0}, and #(Zn \ {0}) = n − 1, we deduce Z*_n = Zn \ {0} ⇐⇒ ϕ(n) = n − 1.

SV 2007 Basic Crypto EPFL-SSC 314 / 528

Proof — i

For all x ∈ Zn we have x ∈ Z*_n ⇐⇒ gcd(x, n) = 1.

Proof.
=⇒: if y = gcd(x, n) > 1, then y divides (x · z) mod n for any z, so this cannot be equal to 1.
⇐=: if gcd(x, n) = 1, then the extended Euclid algorithm outputs the inverse of x modulo n.

SV 2007 Basic Crypto EPFL-SSC 313 / 528


Application 2: Correctness of RSA

let N = pq be the product of two different prime numbers p and q

for any x ∈ Z such that x mod p ≠ 0 we have (x^e mod N)^d mod N ≡ x (mod p)
(comes from: p − 1 divides ϕ(N), thus ed mod (p − 1) = 1)

this also holds when x mod p = 0

similarly: for any x ∈ Z we have (x^e mod N)^d mod N ≡ x (mod q)

from CRT (Application 1): for any x ∈ Z we have (x^e mod N)^d mod N ≡ x (mod N)

for any x ∈ Z_N we have (x^e mod N)^d mod N = x

SV 2007 Basic Crypto EPFL-SSC 320 / 528

Application 1: Equality Modulo Composite Numbers

Theorem

For any a, b, m, n ∈ Z such that gcd(m, n) = 1, then

  a ≡ b (mod m)  and  a ≡ b (mod n)  =⇒  a ≡ b (mod mn).

Indeed, f(a mod (mn)) = f(b mod (mn)), hence a mod (mn) = b mod (mn).

SV 2007 Basic Crypto EPFL-SSC 319 / 528

Chinese Remainder Theorem

Theorem

(Chinese Remainder Theorem) Let m and n be two integers such that gcd(m, n) = 1. We have

  f : Zmn → Zm × Zn defined by f(x) = (x mod m, x mod n) is a ring isomorphism

  ϕ(mn) = ϕ(m)ϕ(n)

  f^{−1}(a, b) ≡ an(n^{−1} mod m) + bm(m^{−1} mod n) (mod mn)

Example: (m = 5, n = 7, mn = 35)

  f^{−1}(3, 4) = (3 × 7 × (7^{−1} mod 5) + 4 × 5 × (5^{−1} mod 7)) mod 35 = ··· = 18

Application: ϕ(pq) = (p − 1)(q − 1) when p and q are two different primes

SV 2007 Basic Crypto EPFL-SSC 318 / 528

Application: RSA Cryptosystem

[Figure: the Generator outputs the secret key (d, N) and the public key (e, N); the public key is delivered as an AUTHENTICATED INTEGER. Encrypt: message x ↦ ciphertext y = x^e mod N. Decrypt: y ↦ message y^d mod N. The Adversary observes the ciphertext.]

  N = pq
  ϕ(N) = (p − 1)(q − 1)
  1 = gcd(e, ϕ(N))
  d = e^{−1} mod ϕ(N)

SV 2007 Basic Crypto EPFL-SSC 317 / 528


Proof of CRT — iii

Fact 3: Z*_mn and Z*_m × Z*_n are isomorphic (thus ϕ(mn) = ϕ(m)ϕ(n))

if x ∈ Z*_mn then x is invertible modulo m and modulo n, thus f(x) is in Z*_m × Z*_n

conversely, if f(x) is in Z*_m × Z*_n, f(x) × f(y) = (1, 1) in Zm × Zn for some y, thus x × y = f^{−1}(1, 1) = 1 in Zmn: x is in Z*_mn

f maps Z*_mn onto Z*_m × Z*_n and is injective: it is thus an isomorphism between the two groups

SV 2007 Basic Crypto EPFL-SSC 324 / 528

Proof of CRT — ii

Fact 2: f is an isomorphism

f(x) = (0, 0) implies m and n divide x; since gcd(m, n) = 1, mn divides x; thus x mod (mn) = 0

f is injective: for all x, y ∈ Zmn, if f(x) = f(y) then f(x − y) = (0, 0), thus (x − y) mod (mn) = 0, hence x = y

f is an isomorphism: Zmn and Zm × Zn have the same cardinality and f is injective, thus f is a bijection; since f is further a homomorphism, f is an isomorphism

SV 2007 Basic Crypto EPFL-SSC 323 / 528

Proof of CRT — i

Fact 1: f is a ring homomorphism from Zmn to Zm × Zn

f(x +_{Zmn} y) = f(x) +_{Zm×Zn} f(y), indeed:

  ((x + y) mod (mn)) mod m = ((x mod m) + (y mod m)) mod m

  ((x + y) mod (mn)) mod n = ((x mod n) + (y mod n)) mod n

f(x ×_{Zmn} y) = f(x) ×_{Zm×Zn} f(y) (same)

SV 2007 Basic Crypto EPFL-SSC 322 / 528

Application 3: Exponentiation Acceleration

log2 p ≈ log2 q ≈ ℓ/2

  a^{d mod (p−1)} mod p  ─┐
                          ├─ CRT → a^d mod pq
  a^{d mod (q−1)} mod q  ─┘

cost: 2 × O((ℓ/2)³) instead of O(ℓ³)

SV 2007 Basic Crypto EPFL-SSC 321 / 528
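The CRT reconstruction formula of the theorem slide and its use in Application 3, as an added example (this code is not from the course slides): crt_combine implements f^{−1}(a, b) = an(n^{−1} mod m) + bm(m^{−1} mod n) mod mn and reproduces f^{−1}(3, 4) = 18 for m = 5, n = 7; rsa_decrypt_crt then does the two half-size exponentiations with exponents reduced modulo p − 1 and q − 1 and recombines them. The RSA key (p = 61, q = 53, e = 17) is a constructed toy key, not one from the slides; modular inverses use Python's pow(x, -1, m) (3.8+). All function names are this example's own.

```python
# Added example (not from the course slides): CRT reconstruction as on the
# "Chinese Remainder Theorem" slide, and CRT-accelerated RSA decryption
# (Application 3) checked against the plain y^d mod N.

def crt_combine(a, b, m, n):
    """Unique x in Z_mn with x = a (mod m) and x = b (mod n); needs gcd(m, n) = 1."""
    x = a * n * pow(n, -1, m) + b * m * pow(m, -1, n)
    return x % (m * n)


def crt_split(x, m, n):
    """The ring isomorphism f : Z_mn -> Z_m x Z_n of the slide."""
    return (x % m, x % n)


def rsa_keygen(p, q, e):
    """N = pq, phi(N) = (p-1)(q-1), d = e^{-1} mod phi(N); p != q prime assumed."""
    N = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # ValueError unless gcd(e, phi) == 1
    return (e, N), (d, N)


def rsa_encrypt(x, pub):
    e, N = pub
    return pow(x, e, N)


def rsa_decrypt_plain(y, priv):
    """One full-size exponentiation y^d mod N."""
    d, N = priv
    return pow(y, d, N)


def rsa_decrypt_crt(y, d, p, q):
    """Two half-size exponentiations (exponents reduced mod p-1 and q-1 by
    Little Fermat), then CRT to get y^d mod pq."""
    xp = pow(y % p, d % (p - 1), p)
    xq = pow(y % q, d % (q - 1), q)
    return crt_combine(xp, xq, p, q)


if __name__ == "__main__":
    print(crt_combine(3, 4, 5, 7))                 # 18, as on the slide
    pub, priv = rsa_keygen(61, 53, 17)             # constructed toy key
    y = rsa_encrypt(65, pub)
    print(y, rsa_decrypt_plain(y, priv), rsa_decrypt_crt(y, priv[0], 61, 53))
```

A practical caveat that follows from the last function: an implementation that returns the CRT result without checking it (for instance by re-encrypting it) is exposed to the classic fault attack on RSA-CRT, where a single wrong half reveals a factor of N; real libraries therefore verify before release.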


Fields

Definition

A field is a commutative ring (K, +, ×) such that

  1-9. [ring] K is a ring with + and ×
  10. [commutativity] for any a, b, we have ab = ba
  11. [invertibility] for any a ≠ 0 there exists b = a^{−1} s.t. ab = ba = 1

Examples: Q, R, C

Zp for a prime number p

SV 2007 Basic Crypto EPFL-SSC 328 / 528

Chapter 6: Algorithmic Algebra
  Groups
  Rings
  The Zn Ring
  Finite Fields

SV 2007 Basic Crypto EPFL-SSC 327 / 528

Computation of Euler Totient Function

ϕ(p) = p − 1 for p prime

ϕ(mn) = ϕ(m) × ϕ(n) when gcd(m, n) = 1

ϕ(p^a) = (p − 1)p^{a−1} for p prime

  ϕ(p_1^{a_1} × ··· × p_r^{a_r}) = (p_1 − 1)p_1^{a_1−1} × ··· × (p_r − 1)p_r^{a_r−1}
                                 = p_1^{a_1} × ··· × p_r^{a_r} × ((p_1 − 1) × ··· × (p_r − 1)) / (p_1 × ··· × p_r)

for pairwise different prime numbers p_1, …, p_r

SV 2007 Basic Crypto EPFL-SSC 326 / 528

Proof of CRT — iv

Fact 4: f(an(n^{−1} mod m) + bm(m^{−1} mod n)) = (a, b)

  an(n^{−1} mod m) + bm(m^{−1} mod n) ≡ a (mod m)

  an(n^{−1} mod m) + bm(m^{−1} mod n) ≡ b (mod n)

thus f of the left hand side is (a, b)

SV 2007 Basic Crypto EPFL-SSC 325 / 528


Cerebral GF(p^k)

p: a prime number.

Zp[x] is a Euclidean ring.

Select a monic irreducible polynomial P(x) of degree k in Zp[x].

P(x) spans an ideal (P(x)) with no non-trivial sub-ideal.

Let GF(p^k) = Zp[x]/(P(x)) be the quotient of the ring Zp[x] by the ideal (P(x)).

We obtain a field which inherits the addition and multiplication from the ring structure of Zp[x].

SV 2007 Basic Crypto EPFL-SSC 332 / 528

Example

In order to construct GF(2³):

  consider the ring Z2[x] of polynomials

  take the monic irreducible polynomial P(x) = x³ + x + 1 of degree 3

  construct GF(2³) = {0, 1, x, x + 1, x², x² + 1, x² + x, x² + x + 1}

Example: (x + 1) + (x² + 1) = x² + x in GF(2³).
Example: (x + 1) × (x² + 1) = x³ + x² + x + 1 = x² in GF(2³).

SV 2007 Basic Crypto EPFL-SSC 331 / 528

Pedestrian GF(p^k)

p: a prime number.

Euclidean division in Zp[x]: for any polynomials A(x) and P(x) such that P ≠ 0, there exist polynomials R(x) and B(x) such that A(x) = R(x) + P(x) · B(x) and deg(R) < deg(P). We call R(x) = A(x) mod P(x) the remainder of A(x) modulo P(x).

Select a monic (i.e. with leading coefficient 1) irreducible (i.e. which cannot be expressed as a product of polynomials of smaller degree) polynomial P(x) of degree k in Zp[x].

Let GF(p^k) be the set of all polynomials in Zp[x] of degree at most k − 1.

Addition: regular polynomial addition modulo p.

Multiplication: regular multiplication in Zp[x] reduced modulo P(x).

We can prove this constructs a field.

SV 2007 Basic Crypto EPFL-SSC 330 / 528

Properties

p: a prime number.

Z*_p = {1, …, p − 1}, ϕ(p) = p − 1.

(Little Fermat Theorem) for any x ∈ Z*_p, we have x^{p−1} ≡ 1 (mod p)

Z*_p is a cyclic group with ϕ(p − 1) generators: there exist (ϕ(p − 1) many) numbers g such that

  Z*_p = {g^0, g^1, g^2 mod p, …, g^{p−2} mod p}

SV 2007 Basic Crypto EPFL-SSC 329 / 528


GF(2⁸) Arithmetics in AES

A byte a = a7 … a1 a0 represents an element of the finite field GF(2⁸) as a polynomial a0 + a1.x + … + a7.x⁷ modulo x⁸ + x⁷ + x⁶ + x⁵ + x⁴ + x³ + 1 and modulo 2

  byte   polynomial
  0x00   0
  0x01   1
  0x02   x
  0x03   x + 1
  0xf9   x⁷ + x⁶ + x⁵ + x⁴ + x³ + 1

Addition: bitwise XOR
Multiplication by 0x02: shift and XOR with 0xf9 if carry

SV 2007 Basic Crypto EPFL-SSC 336 / 528

GF(4)

GF(4) = {c0, c1, c2, c3}

  +    c0  c1  c2  c3
  c0   c0  c1  c2  c3
  c1   c1  c0  c3  c2
  c2   c2  c3  c0  c1
  c3   c3  c2  c1  c0

  ×    c0  c1  c2  c3
  c0   c0  c0  c0  c0
  c1   c0  c1  c2  c3
  c2   c0  c2  c3  c1
  c3   c0  c3  c1  c2

(GF(4), +) ≈ (Z2 × Z2, +)    (GF(4)*, ×) ≈ (Z3, +)

P(x) = x² + x + 1 irreducible in Z2[x], GF(4) = Z2[x]/(P(x))

c0 = (0)   c1 = (1)   c2 = (x)   c3 = (x + 1)

SV 2007 Basic Crypto EPFL-SSC 335 / 528

GF(5)

GF(5) = {0, 1, 2, 3, 4}

  +   0  1  2  3  4
  0   0  1  2  3  4
  1   1  2  3  4  0
  2   2  3  4  0  1
  3   3  4  0  1  2
  4   4  0  1  2  3

  ×   0  1  2  3  4
  0   0  0  0  0  0
  1   0  1  2  3  4
  2   0  2  4  1  3
  3   0  3  1  4  2
  4   0  4  3  2  1

(GF(5), +) ≈ (Z5, +)    (GF(5)*, ×) ≈ (Z4, +)

SV 2007 Basic Crypto EPFL-SSC 334 / 528

Galois Fields

Theorem

We have the following results.

The c 

cardinality of any finite field is a prime power p^k.

For any prime power p^k, there exists a finite field of cardinality p^k. p is called the characteristic of the field.

Two finite fields of the same cardinality are isomorphic, so the finite field of cardinality p^k is essentially unique. We denote it GF(p^k), the Galois field of cardinality p^k.

GF(p^k) is isomorphic to a subfield of GF(p^{k×ℓ}).

GF(p^k) can be defined as the quotient of the ring of polynomials with coefficients in Zp by a principal ideal spanned by an irreducible polynomial of degree k: Zp[x]/(P(x)).

SV 2007 Basic Crypto EPFL-SSC 333 / 528


Chapter Content

Primality: Fermat test, Miller-Rabin test

⋆Primality: Carmichael numbers, Solovay-Strassen test

⋆Factorization: rho method, p−1 method, elliptic curve method

Group orders: computation

⋆Discrete logarithm: baby-steps giant-steps, Pohlig-Hellman

SV 2007 Basic Crypto EPFL-SSC 340 / 528

Chapter 7: Algorithmic Number Theory

SV 2007 Basic Crypto EPFL-SSC 339 / 528

Conclusion

finite fields: Zp, GF(2^k)

rings: Zn, polynomials

integer arithmetics: gcd, Euler totient function, Chinese Remainder Theorem

groups: Zn, group of units of rings, elliptic curves

algorithmic arithmetics: addition, multiplication, inversion, exponentiation

other arithmetic problems: square roots, e-th roots

SV 2007 Basic Crypto EPFL-SSC 338 / 528

Most Important Finite Fields

Zp for a large prime p: represented by regular integers

GF(2^k): represented by bitstrings of length k

                    Zp                            GF(2^k)
  representation    integers from 0 to p − 1      polynomials of degree at most k − 1 with binary coefficients (k-bit strings); requires the choice of an irreducible polynomial of degree k
  addition          addition modulo p             bitwise XOR
  multiplication    multiplication modulo p       ad-hoc algorithms; multiplication by 0x2: shift to the left and XOR with a constant if carry

SV 2007 Basic Crypto EPFL-SSC 337 / 528
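The "pedestrian" GF(2^k) of the preceding slides in code, as an added example (not code from the course slides or from any AES implementation): elements are k-bit integers, addition is XOR, multiplication by x is "shift, and XOR the reduction constant if a bit falls out", and a general product is double-and-add over that. The GF(2³) and GF(4) checks reuse the slides' own examples (P(x) = x³ + x + 1, P(x) = x² + x + 1). For the AES field the block uses the polynomial of FIPS-197, x⁸ + x⁴ + x³ + x + 1 (0x11b, reduction constant 0x1b), together with the standard's worked product {57} · {83} = {c1}; the choice of irreducible polynomial is a parameter, so any other modulus can be passed in. All function names are this example's own.

```python
# Added example (not from the course slides): arithmetic in GF(2^k) with
# elements stored as k-bit integers (bit i = coefficient of x^i).  `poly`
# is the monic irreducible P(x) of degree k, as an integer with bit k set.
# The AES modulus below is the FIPS-197 one, x^8 + x^4 + x^3 + x + 1.

AES_POLY = 0x11B


def gf_add(a, b):
    """Polynomial addition modulo 2 is bitwise XOR (and so is subtraction)."""
    return a ^ b


def gf_mul_x(a, poly):
    """a * x mod P(x): shift left; if degree k appeared, subtract P(x) once."""
    k = poly.bit_length() - 1
    a <<= 1
    if (a >> k) & 1:
        a ^= poly               # clears bit k and folds in the low k bits of P
    return a


def gf_mul(a, b, poly):
    """a * b mod P(x), scanning the bits of b (right-to-left multiplication)."""
    result = 0
    while b:
        if b & 1:
            result ^= a         # add the current multiple of a
        a = gf_mul_x(a, poly)   # a <- a * x
        b >>= 1
    return result


def gf_pow(a, e, poly):
    """Square-and-multiply in the field."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return result


def gf_inv(a, poly):
    """a^(-1) = a^(2^k - 2): the multiplicative group has order 2^k - 1 (a != 0)."""
    k = poly.bit_length() - 1
    return gf_pow(a, (1 << k) - 2, poly)


def gf_mul_table(poly):
    """Whole multiplication table of a small field, to compare with the slides."""
    n = 1 << (poly.bit_length() - 1)
    return [[gf_mul(i, j, poly) for j in range(n)] for i in range(n)]


if __name__ == "__main__":
    print(bin(gf_mul(0b011, 0b101, 0b1011)))       # (x+1)(x^2+1) = x^2 in GF(2^3)
    for row in gf_mul_table(0b111):                 # GF(4) table of the slide
        print(row)
    print(hex(gf_mul(0x57, 0x83, AES_POLY)))        # 0xc1 (FIPS-197 example)
```

Byte-indexed multiplication like gf_mul_x is what the AES MixColumns step needs; the conditional XOR on the carried-out bit is the data-dependent branch that table-free constant-time implementations replace with a mask.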


Fermat Test

Parameter: k, an integer
Input: n, an integer of ℓ bits
Output: notification of non-primality or pseudo-primality
Complexity: O(kℓ³)

  repeat
    pick a random b such that 0 < b < n
    x ← b^{n−1} mod n
    if x ≠ 1 then
      output "composite" and stop
    end if
  until k iterations are made
  output "pseudo-prime" and stop

SV 2007 Basic Crypto EPFL-SSC 344 / 528

Fermat Test

Theorem (Little Fermat Theorem)

If n is prime, for any b ∈ {1, …, n − 1}, b^{n−1} mod n = 1.

[Flowchart: pick b at random; is b^{n−1} mod n = 1? no → n composite; yes → repeat, t iterations; end → n prime]

SV 2007 Basic Crypto EPFL-SSC 343 / 528

Trial Division Algorithm

Input: an integer n
Output: a list of prime numbers whose product is n
Complexity: O(√n) arithmetic operations

  b ← ⌊√n⌋, x ← n, i ← 2
  while x > 1 and i ≤ b do
    while i divides x do
      print i
      x ← x/i
      b ← ⌊√x⌋
    end while
    i ← i + 1
  end while
  if x > 1 then print x

SV 2007 Basic Crypto EPFL-SSC 342 / 528

Chapter 7: Algorithmic Number Theory
  Primality Tests
  Factoring and Discrete Logarithm Problems
  Computing Orders in Groups

SV 2007 Basic Crypto EPFL-SSC 341 / 528


Square Roots in Finite Fields

Lemma

Let p be a prime number. If x² mod p = 1 then x mod p = 1 or x mod p = p − 1.

we have (x − 1)(x + 1) mod p = 0 and p prime, thus either p divides x − 1 or p divides x + 1

if p divides x − 1 we have x mod p = 1

if p divides x + 1 we have x mod p = p − 1

SV 2007 Basic Crypto EPFL-SSC 348 / 528

Carmichael Numbers: the 561 Case

Example: n = 561 = 3 · 11 · 17 is such that for all b s.t. gcd(b, n) = 1, we have b^{n−1} ≡ 1 (mod n).

Proof. We notice that n − 1 = 560 = 2⁴ · 5 · 7, which is a multiple of 3 − 1, 11 − 1, and 17 − 1. Therefore, if b is prime with 3, we have b^{n−1} ≡ 1 (mod 3), and the same for 11 and 17. Hence, from the Chinese Remainder Theorem we obtain that if b is prime with n we have b^{n−1} ≡ 1 (mod n).

SV 2007 Basic Crypto EPFL-SSC 347 / 528

Carmichael Numbers

Definition

We call Carmichael number any integer n which is a product of (at least 2) pairwise different prime numbers p such that p − 1 is a factor of n − 1.

Theorem

An integer n is a Carmichael number if and only if it is composite and for any b s.t. gcd(b, n) = 1, we have b^{n−1} ≡ 1 (mod n).

Example: n = 561 = 3 · 11 · 17 is such that for all b s.t. gcd(b, n) = 1, we have b^{n−1} ≡ 1 (mod n).

SV 2007 Basic Crypto EPFL-SSC 346 / 528

Significance of Fermat Test

False Negative: Pr[output composite | n prime] = 0

False Positive: there exist pathologic numbers n which are not prime such that Pr[output pseudoprime | n] is high. Carmichael Numbers n are composite such that for any b such that gcd(b, n) = 1 we have b^{n−1} mod n = 1. Hence

  Pr[output pseudoprime | n] = (ϕ(n) / (n − 1))^k.

SV 2007 Basic Crypto EPFL-SSC 345 / 528
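Trial division, the totient formula ϕ(n) = ∏(p_i − 1)p_i^{α_i−1} of the "Computation of Euler Totient Function" slide, and the Carmichael criterion "p − 1 divides n − 1 for every prime factor" of the slides above, as one added example (this code is not from the course slides). It reproduces ϕ(35) = 24, ϕ(15) = 8 (the eight units of Z*_15 listed earlier) and ϕ(561) = 320, the numerator of the Fermat-test false-positive probability (ϕ(n)/(n − 1))^k. Trial division costs O(√n) operations, so this is for small n only; all function names are this example's own.

```python
# Added example (not from the course slides): factoring by trial division,
# Euler's totient from the factorization, a brute-force cross-check
# counting the units of Z_n, and the Carmichael-number test.
from math import gcd, isqrt


def trial_division(n):
    """Prime factors of n >= 2 in increasing order, with multiplicity."""
    factors = []
    x, i = n, 2
    while x > 1 and i <= isqrt(x):   # b = floor(sqrt(x)) is recomputed as x shrinks
        while x % i == 0:            # strip every copy of i (i is prime when reached)
            factors.append(i)
            x //= i
        i += 1
    if x > 1:                        # what is left has no divisor <= sqrt: it is prime
        factors.append(x)
    return factors


def factorization(n):
    """Factorization as a list of (p_i, alpha_i) pairs, primes increasing."""
    pairs = []
    for p in trial_division(n):
        if pairs and pairs[-1][0] == p:
            pairs[-1] = (p, pairs[-1][1] + 1)
        else:
            pairs.append((p, 1))
    return pairs


def euler_phi(n):
    """phi(n) = prod (p_i - 1) p_i^(alpha_i - 1)  (slide formula)."""
    result = 1
    for p, alpha in factorization(n):
        result *= (p - 1) * p ** (alpha - 1)
    return result


def euler_phi_by_counting(n):
    """phi(n) as the order of Z_n^*, #{x in [1, n) : gcd(x, n) = 1}; cross-check only."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)


def is_carmichael(n):
    """Composite, square-free (alpha_i = 1), and p - 1 | n - 1 for every prime factor p."""
    pairs = factorization(n)
    if len(pairs) < 2 or any(alpha > 1 for _, alpha in pairs):
        return False
    return all((n - 1) % (p - 1) == 0 for p, _ in pairs)


if __name__ == "__main__":
    print(trial_division(561), euler_phi(561), is_carmichael(561))   # [3, 11, 17] 320 True
    print(euler_phi(35), euler_phi(35) / 34)   # 24 and the per-round Fermat false-positive rate
```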


Prime Number Generation

Theorem (Prime Number Theorem)

Let p(N) denote the number of prime numbers in {2, 3, …, N}. We have p(N) ∼ N / log N when N increases toward infinity.

→ the probability that a random ℓ-bit number is prime is ≈ 1 / (ℓ log 2)

Example: a 512-bit random integer is prime with probability ≈ 1/355

→ generating a random ℓ-bit prime number takes O(ℓ⁴)

[Flowchart: pick p at random; is it prime? no → pick again; yes → p found]

SV 2007 Basic Crypto EPFL-SSC 352 / 528

Bounding Errors in the Miller-Rabin Test

Theorem (Miller-Rabin)

If more than a quarter of b ∈ Z*_n pass the Miller-Rabin test, then all b ∈ Z*_n do so.

Consequence: the probability that a composite number passes the Miller-Rabin test with k iterations and outputs "pseudo-prime" is less than 4^{−k}.

SV 2007 Basic Crypto EPFL-SSC 351 / 528

The Miller-Rabin Primality Test

Parameter: k, an integer
Input: n, an integer of ℓ bits
Output: notification of non-primality or pseudo-primality
Complexity: O(kℓ³)

  if n = 2 then
    output "prime" and stop
  end if
  if n is even then
    output "composite" and stop
  end if
  write n = 2^s t + 1 with t odd
  repeat
    pick b ∈ {1, …, n − 1}
    x ← b^t mod n, i ← 0
    if x ≠ 1 then
      while x ≠ n − 1 do
        x ← x² mod n, i ← i + 1
        if i = s or x = 1 then
          output "composite" and stop
        end if
      end while
    end if
  until k iterations are made
  output "pseudo-prime" and stop

SV 2007 Basic Crypto EPFL-SSC 350 / 528

The Miller-Rabin Test

We write n − 1 = 2^s t

If n is prime, we have

  b^{n−1} mod n = (···((b^t)²)²···)² mod n = 1      (s squarings)

If n is prime, +1 and −1 are the only possible square roots of 1

[Figure: the chain b^t mod n → SQ → SQ → ··· → SQ → 1, at most s squarings; each value before the final 1 is ≠ 1, and the question asked at the last one is: is it ≡ −1?]

SV 2007 Basic Crypto EPFL-SSC 349 / 528


Record using the Number Field Sieve Algorithm

Complexity: e^{O((log n)^{1/3} (log log n)^{2/3})}

RSA200 = 27997833911221327870829467638722601621070446786955428537560009929326128400107609345671052955360856061822351910951365788637105954482006576775098580557613579098734950144178863178946295187237869221823983

= 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349 × 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467

factored in 2005 by an equivalent of 55 years of computation on a 2.2GHz PC.

SV 2007 Basic Crypto EPFL-SSC 356 / 528

Factoring Problem

Factoring Problem

Parameters: Gen, a pseudorandom generator

Instance: n, an integer produced by Gen

Problem: factor n

Examples:

Gen generates an RSA public key

Gen generates Mersenne numbers

SV 2007 Basic Crypto EPFL-SSC 355 / 528

Chapter 7: Algorithmic Number Theory
  Primality Tests
  Factoring and Discrete Logarithm Problems
  Computing Orders in Groups

SV 2007 Basic Crypto EPFL-SSC 354 / 528

Implementation

Input: ℓ
Output: a random prime number between 2^{ℓ−1} and 2^ℓ
Complexity: O(ℓ⁴) arithmetic operations

  repeat
    pick a random number n of ℓ bits
  until a primality test with k iterations accepts n as a prime number
  output n

With k = log2 ℓ − log2 ε, the probability that this algorithm outputs a composite number is less than ε.

SV 2007 Basic Crypto EPFL-SSC 353 / 528
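The Fermat test, the Miller-Rabin test and the prime generator of the preceding slides, as one added example (this code is not from the course slides). The Miller-Rabin loop follows the slide step by step (n − 1 = 2^s t, then at most s squarings, "composite" when 1 is reached without passing through −1 or when the s squarings are exhausted), and fermat_liars shows why the Fermat test alone is not enough: for the Carmichael number 561 every one of the ϕ(561) = 320 bases coprime to 561 fools it. The random source is passed in explicitly so runs are reproducible; a key generator must draw its candidates and bases from a cryptographic RNG (the secrets module or os.urandom), not from random as here. All function names are this example's own.

```python
# Added example (not from the course slides): Fermat test, Miller-Rabin
# test and random prime generation as on the slides, with an injectable
# random source (random.Random here; use a CSPRNG for real keys).
import random
from math import gcd


def seeded(seed):
    """A deterministic random source for reproducible runs and tests."""
    return random.Random(seed)


def fermat_test(n, k, rng=random):
    """'composite' or 'pseudo-prime' after k random bases b with 0 < b < n."""
    if n < 4:
        return "pseudo-prime" if n in (2, 3) else "composite"
    for _ in range(k):
        b = rng.randrange(1, n)
        if pow(b, n - 1, n) != 1:
            return "composite"
    return "pseudo-prime"


def miller_rabin(n, k, rng=random):
    """Slide algorithm: write n - 1 = 2^s t with t odd; b^t, then square."""
    if n == 2:
        return "prime"
    if n < 2 or n % 2 == 0:
        return "composite"
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(k):
        b = rng.randrange(1, n)
        x = pow(b, t, n)
        i = 0
        if x != 1:
            while x != n - 1:
                x = x * x % n
                i += 1
                # 1 reached without passing through -1 (a non-trivial square
                # root of 1), or s squarings exhausted: n cannot be prime
                if i == s or x == 1:
                    return "composite"
    return "pseudo-prime"


def fermat_liars(n):
    """Bases coprime to n for which b^(n-1) = 1 mod n: all of Z_n^* when n is Carmichael."""
    return [b for b in range(1, n) if gcd(b, n) == 1 and pow(b, n - 1, n) == 1]


def random_prime(bits, k, rng=random):
    """Repeat: pick a random `bits`-bit odd number until Miller-Rabin accepts it."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force the top bit and oddness
        if miller_rabin(n, k, rng) == "pseudo-prime":
            return n


if __name__ == "__main__":
    rng = seeded(1)
    print(len(fermat_liars(561)), miller_rabin(561, 20, rng))   # 320 composite
    print(random_prime(64, 20, rng))
```

Forcing the top bit keeps the candidate in [2^{ℓ−1}, 2^ℓ) as the slide's output specification requires; forcing oddness simply skips the candidates the test would reject at its first line.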


Chapter 7: Algorithmic Number Theory
  Primality Tests
  Factoring and Discrete Logarithm Problems
  Computing Orders in Groups

SV 2007 Basic Crypto EPFL-SSC 360 / 528

The Discrete Logarithm Problem

Discrete Logarithm Problem

Parameters: G, a group, g ∈ G and n, the order of g

Instance: y , power of g

Problem: find x such that y = gx

SV 2007 Basic Crypto EPFL-SSC 359 / 528

Factorization Tomorrow

Factorization of n with complexity O((log n)² log log n log log log n) by using Shor's algorithm

It only works on a quantum computer (if one exists)

SV 2007 Basic Crypto EPFL-SSC 358 / 528

Record using the Number Field Sieve Algorithm

2^1039 − 1 = 5080711 × (306 digits)

= 5080711 × 55853666619936291260749204658315944968646527018488637648010052346319853288374753 × 20758181946442382764570481370359469516293970800739520988120838703792729090324679382343143884144834882534053344769112223028158327696525376091410189105241993899334109711624358962065972167481161749004803659735573409253205425523689

factored in 2007 by an equivalent of 100 years of computation on a 2.2GHz PC (Opteron).

SV 2007 Basic Crypto EPFL-SSC 357 / 528


Computing Element Orders in Z*_n =⇒ Knowing λ(n)

Input: an element order oracle in Z*_n
Output: λ(n)

  λ ← 1
  repeat
    pick a random x in Z*_n
    compute the order u of x
    λ ← lcm(λ, u)
  until λ has not changed for a while

Fact. With the same notations: for all i, Pr[β_i < α_i] ≤ 1/p_i

Thus, the number of iterations is likely to be very small.

SV 2007 Basic Crypto EPFL-SSC 364 / 528

Factoring λ(n) =⇒ Computing Element Orders in Z*_n

Input: factorization λ(n) = p_1^{α_1} ··· p_r^{α_r}, x ∈ Z*_n
Output: the order u of x
Complexity: O(r) exponentials

  u ← 1
  for i = 1 to r do
    y ← x^{λ(n) / p_i^{α_i}} mod n
    while y ≠ 1 do
      y ← y^{p_i} mod n
      u ← u × p_i
    end while
  end for

Fact. If the order of x is p_1^{β_1} ··· p_r^{β_r} then, for all i,

  β_i ≤ α_i

  x^{λ(n) · p_i^{β_i − α_i}} mod n = 1

  x^{λ(n) · p_i^{β_i − α_i − 1}} mod n ≠ 1

SV 2007 Basic Crypto EPFL-SSC 363 / 528

Computing Element Orders in Z*_n

knowledge of the factorization of λ(n)
  =⇒ ability to compute element orders in Z*_n
  =⇒ knowledge of λ(n)
  ⇐⇒ knowledge of the factorization of n

Consequence: computing orders in Z*_n is likely to be hard from n only

SV 2007 Basic Crypto EPFL-SSC 362 / 528

Orders in Z*_n (Reminder)

Z*_n is of order ϕ(n) (example: Z*_35 is of order 24)

x^ϕ(n) mod n = 1 for all x ∈ Z*_n

{i; ∀x x^i mod n = 1} can be written λ(n)Z where λ(n) is the exponent of Z*_n

λ(n) is the smallest integer i > 0 for which x^i mod n = 1 for all x ∈ Z*_n (example: λ(35) = 12)

λ(n) divides ϕ(n)

for x ∈ Z*_n, {i; x^i mod n = 1} can be written order(x)Z

the order of x is the smallest integer i > 0 for which x^i mod n = 1 (example: order(6) = 2 in Z*_35)

for any x ∈ Z*_n, order(x) divides λ(n)

the lcm of order(x) for all x ∈ Z*_n is λ(n)

for n = p_1^{α_1} × ··· × p_r^{α_r} with pairwise different prime numbers p_1, …, p_r, we have

  ϕ(n) = (p_1 − 1)p_1^{α_1−1} × ··· × (p_r − 1)p_r^{α_r−1}

  λ(n) = lcm((p_1 − 1)p_1^{α_1−1}, ···, (p_r − 1)p_r^{α_r−1})

SV 2007 Basic Crypto EPFL-SSC 361 / 528


Checking a Generator of a Group with Known Order Factorization

Input: a prime number p, p−1 = p_1^{α_1} × ⋯ × p_r^{α_r}, g ∈ Z*_p
Output: say if g generates Z*_p
Complexity: O(r) exponentials

1: for i = 1 to r do
2:   y ← g^{(p−1)/p_i} mod p
3:   if y = 1 then
4:     abort: g is not a generator
5:   end if
6: end for
7: g is a generator

SV 2007 Basic Crypto EPFL-SSC 368 / 528

Knowing λ(n) ⇔ Factoring n

⇒: previous slide

⇐: λ(p_1^{α_1} ⋯ p_r^{α_r}) is computed by lcm((p_1−1)p_1^{α_1−1}, …, (p_r−1)p_r^{α_r−1})

NB: knowing a multiple of λ(n) ⇔ Factoring n (same proof)

example: knowing ϕ(n) ⇔ Factoring n

Conclusion: computing ϕ(n) is hard, computing orders in Z*_n is hard

SV 2007 Basic Crypto EPFL-SSC 367 / 528

Factorization using λ(n)

[Figure: starting from x^t mod n, the value is squared (SQ) while it is ≠ 1, at most s times, until it reaches 1; the value just before 1 is then tested: is it ≡ −1?]

SV 2007 Basic Crypto EPFL-SSC 366 / 528

Knowing λ(n) ⇒ Factoring n

Input: λ(n) (n odd)
Output: a non trivial factor of n

1: write λ(n) = 2^s t with t odd
2: repeat
3:   pick a random x in Z*_n
4:   x ← x^t mod n
5:   y ← ⊥
6:   while x ≠ 1 do
7:     y ← x
8:     x ← x^2 mod n
9:   end while
10: until y ≠ ⊥ and y ≢ −1 (mod n)
11: output gcd(y−1, n)

Fact. For x ∈ Z_n, if x^2 mod n = 1, x ≠ 1, x ≠ n−1 then 1 < gcd(n, x−1) < n, which is a non-trivial factor of n:

n divides (x−1)(x+1)

if gcd(n, x−1) = n then n divides x−1, thus x = 1, which is wrong

if gcd(n, x−1) = 1 then n divides x+1, thus x = n−1, which is wrong
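The three algorithms above (element order from the factorization of λ(n), λ(n) as an lcm of orders, and a factor of n from λ(n)) in Python, as an added example that is not part of the lecture slides; the function names and the toy moduli 35 and 101·103 are the example's own.

```python
import math
import random


def element_order(n, x, lam_factors):
    """Order of x in Z*_n from the factorization of lambda(n), given as
    {p_i: alpha_i} (the 'Factoring lambda(n) => element orders' algorithm)."""
    lam = math.prod(p ** a for p, a in lam_factors.items())
    u = 1
    for p, a in lam_factors.items():
        y = pow(x, lam // p ** a, n)      # strip every prime power except p_i^alpha_i
        while y != 1:                     # each loop adds one factor p_i to the order
            y = pow(y, p, n)
            u *= p
    return u


def lambda_from_orders(orders):
    """lambda(n) as the lcm of the orders of sampled elements: an order
    oracle plus a few random elements is enough in practice."""
    lam = 1
    for u in orders:
        lam = math.lcm(lam, u)
    return lam


def factor_from_lambda(n, lam, seed=None):
    """Non-trivial factor of an odd composite n from lambda(n): a square
    root of 1 other than +-1 splits n.  seed only makes the run repeatable."""
    rng = random.Random(seed)
    s, t = 0, lam
    while t % 2 == 0:
        s, t = s + 1, t // 2              # lambda(n) = 2^s * t with t odd
    while True:
        x = rng.randrange(2, n - 1)
        g = math.gcd(x, n)
        if g != 1:                        # x not in Z*_n: already a factor (not on the slide)
            return g
        x = pow(x, t, n)
        y = None
        while x != 1:                     # at most s squarings reach 1
            y = x
            x = x * x % n
        if y is not None and y != n - 1:  # y^2 = 1 (mod n) with y != +-1
            return math.gcd(y - 1, n)
```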

SV 2007 Basic Crypto EPFL-SSC 365 / 528


Chapter Content

⋆Formal computation: languages, automata, Turing machines

⋆Ability frontiers: computability, decidability

⋆Complexity reduction: intractability, NP-completeness, oracles

SV 2007 Basic Crypto EPFL-SSC 372 / 528

8 Chapter 8: Elements of Complexity Theory

SV 2007 Basic Crypto EPFL-SSC 371 / 528

Conclusion

primality testing is easy

generating large primes is feasible

picking generators is feasible

SV 2007 Basic Crypto EPFL-SSC 370 / 528

Picking a Generator in a Cyclic Group with Known Order

Input: a prime number p, a bound B
Output: a generator g of Z*_p

1: find the list p_1, …, p_r of all prime factors of p−1 which are less than B
2: repeat
3:   pick a random g in Z*_p
4:   b ← true
5:   for i = 1 to r do
6:     y ← g^{(p−1)/p_i} mod p
7:     if y = 1 then
8:       b ← false
9:     end if
10:  end for
11: until b

The output number is a generator, except with a probability less than 1/B

SV 2007 Basic Crypto EPFL-SSC 369 / 528


9 Chapter 9: Public Key Cryptography

Diffie-Hellman
RSA
Other Public Key Cryptosystems

SV 2007 Basic Crypto EPFL-SSC 376 / 528

Chapter Content

Diffie-Hellman: asymmetric cryptography, the DH key agreement protocol

⋆Knapsack problems: NP-completeness, the Merkle-Hellman cryptosystem

RSA: the cryptosystem, attacks against particular implementations

ElGamal Encryption

SV 2007 Basic Crypto EPFL-SSC 375 / 528

9 Chapter 9: Public Key Cryptography

SV 2007 Basic Crypto EPFL-SSC 374 / 528

Conclusion of Chapters 6–8

Useful algebraic structures: groups, rings, fields

Algebraic engineering: efficient arithmetic computations

Making primes is easy

SV 2007 Basic Crypto EPFL-SSC 373 / 528


Confidentiality using an Authenticated Channel: Key Exchange Protocol

[Figure: Alice and Bob each run the key exchange protocol over an AUTHENTICATED and INTEGER channel and both obtain the same Key; Alice's Message passes through Enc/MAC, Bob's side runs Dec/Check and outputs "ok?" and the Message; the Adversary sits on the channel in between.]

SV 2007 Basic Crypto EPFL-SSC 380 / 528

Confidentiality using an Authenticated Channel: Public Key Cryptosystem

[Figure: a Generator outputs a Secret Key (kept by the receiver) and a Public Key, which reaches the sender over an AUTHENTICATED and INTEGER channel; the Message goes through Enc, over the channel watched by the Adversary, then through Dec back to the Message.]

SV 2007 Basic Crypto EPFL-SSC 379 / 528

Trapdoor Permutation

we use an encryption Enc that is easy to compute in one way

...but hard in the other (to compute Dec)

...except using a trapdoor Ks

SV 2007 Basic Crypto EPFL-SSC 378 / 528

Diffie-Hellman

“New directions in cryptography” (1976)

The idea of “trapdoor permutation” (no instance)

Building a public-key cryptosystem from it

Building a digital signature scheme from it

Key agreement protocol

SV 2007 Basic Crypto EPFL-SSC 377 / 528


If we Lack Authentication: Man-in-the-Middle Attack

Alice                          Eve                               Bob
pick x, X ← g^x    ──X──→    pick x′, X′ ← g^{x′}    ──X′──→
                   ←──Y′──   pick y′, Y′ ← g^{y′}    ←──Y──    pick y, Y ← g^y
K_1 ← (Y′)^x                 K_1 ← X^{y′}, K_2 ← Y^{x′}        K_2 ← (X′)^y
(K_1 = g^{xy′})                                                (K_2 = g^{x′y})

SV 2007 Basic Crypto EPFL-SSC 384 / 528

Passive vs Active Adversaries

passive adversary: just listens to communications and tries to decrypt communications (e.g. by recovering the key). The Diffie-Hellman protocol resists passive adversaries

active adversary: can interfere with communication (modify messages, insert messages, replay messages). The Diffie-Hellman protocol requires authenticated messages

SV 2007 Basic Crypto EPFL-SSC 383 / 528

The Diffie-Hellman Key Agreement Protocol

Assume a group (subgroup of Z*_p, elliptic curves, ...) generated by some g

Alice                                    Bob
pick x at random, X ← g^x    ──X──→
                             ←──Y──    pick y at random, Y ← g^y
K ← Y^x                                K ← X^y
(K = g^{xy})

communications must be authenticated and integer (integrity-protected)!
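The exchange above, the man-in-the-middle run against it, and one way to get the "authenticated and integer" channel (a MAC over the transmitted value under a pre-shared authentication key), as an added example that is not part of the lecture slides; the group p = 2^31 − 1, g = 7 is a toy choice of this example, and all function names are its own.

```python
import hashlib
import hmac
import random

# Toy group (NOT a secure size): p = 2^31 - 1 is prime and 7 is a primitive root mod p.
P = 2147483647
G = 7


def dh_keygen(rng):
    x = rng.randrange(1, P - 1)           # secret exponent
    return x, pow(G, x, P)                # (x, X = g^x)


def dh_shared(secret, peer_value):
    return pow(peer_value, secret, P)     # Y^x on Alice's side, X^y on Bob's


def honest_exchange(seed=0):
    rng = random.Random(seed)
    x, X = dh_keygen(rng)
    y, Y = dh_keygen(rng)
    return dh_shared(x, Y), dh_shared(y, X)   # both equal g^{xy}


def mitm_exchange(seed=0):
    """Unauthenticated channel: Eve replaces X by X' and Y by Y'."""
    rng = random.Random(seed)
    x, X = dh_keygen(rng)                 # Alice
    y, Y = dh_keygen(rng)                 # Bob
    xp, Xp = dh_keygen(rng)               # Eve's x', X'
    yp, Yp = dh_keygen(rng)               # Eve's y', Y'
    k_alice = dh_shared(x, Yp)            # Alice computes (Y')^x
    k_bob = dh_shared(y, Xp)              # Bob computes (X')^y
    k1_eve = dh_shared(yp, X)             # X^{y'} = g^{x y'} = k_alice
    k2_eve = dh_shared(xp, Y)             # Y^{x'} = g^{x' y} = k_bob
    return k_alice, k_bob, k1_eve, k2_eve


def auth_tag(auth_key, value):
    """MAC on a transmitted group element under a pre-shared authentication key
    (the example's way of authenticating the channel; values fit in 4 bytes here)."""
    return hmac.new(auth_key, value.to_bytes(4, "big"), hashlib.sha256).digest()


def authenticated_exchange(auth_key, seed=0, eve_substitutes=False):
    """Alice's X travels with its tag (Y would need the same treatment).
    Returns (k_alice, k_bob), or None when Bob rejects what he received."""
    rng = random.Random(seed)
    x, X = dh_keygen(rng)
    y, Y = dh_keygen(rng)
    tag_X = auth_tag(auth_key, X)                                  # sent along with X
    received_X = dh_keygen(rng)[1] if eve_substitutes else X       # Eve can swap X, not re-tag it
    if not hmac.compare_digest(auth_tag(auth_key, received_X), tag_X):
        return None                                                # Bob aborts
    return dh_shared(x, Y), dh_shared(y, received_X)
```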

SV 2007 Basic Crypto EPFL-SSC 382 / 528

Security for Key Exchange Protocol

Secrecy: by looking at the communication protocol, it is impossible to guess the exchanged key

SV 2007 Basic Crypto EPFL-SSC 381 / 528


Security Models

                   chosen plaintext     chosen ciphertext     (adversary power)
key recovery       weaker
decryption                              stronger

weaker  ──security model──▶ stronger
stronger ◀────attack────── weaker

strong objectives and low capabilities on the left, weak objectives and high capabilities on the right

SV 2007 Basic Crypto EPFL-SSC 388 / 528

Threat Models

Key recovery: an adversary can recover the secret key

Decryption: an adversary can decrypt a random ciphertext

Adversary model: can encrypt chosen plaintexts (passive), can access a decryption oracle, ...

SV 2007 Basic Crypto EPFL-SSC 387 / 528

Public Key Cryptosystem

[Figure: a Generator outputs a Secret Key and a Public Key, the public key being sent over an AUTHENTICATED and INTEGER channel; the Message goes through Enc, over the channel watched by the Adversary, then through Dec back to the Message.]

SV 2007 Basic Crypto EPFL-SSC 386 / 528

Static versus Ephemeral Diffie-Hellman

Ephemeral DH: it provides forward secrecy

"if long-term secret keys are compromised at time t, this does not compromise a DH session key at time t′ < t"

Static DH: X and Y are used like public keys

SV 2007 Basic Crypto EPFL-SSC 385 / 528


Plain RSA

[Figure: a Generator outputs the Secret key (d, N) and the Public key (e, N), the public key being sent over an AUTHENTICATED and INTEGER channel; Message x → Encrypt → Ciphertext y = x^e mod N → Decrypt → Message y^d mod N, the Adversary watching the channel.]

N = pq,  ϕ(N) = (p−1)(q−1)
1 = gcd(e, ϕ(N)),  d = e^{−1} mod ϕ(N)

SV 2007 Basic Crypto EPFL-SSC 392 / 528

Plain RSA Cryptosystem

Public parameter: an integer s.

Set up: find two random different prime numbers p and q of size s/2 bits. Set N = pq. Pick a random e until gcd(e, (p−1)(q−1)) = 1. (Sometimes we pick a special e like e = 17 or e = 2^16 + 1.) Set d = e^{−1} mod ((p−1)(q−1)).

Message: an element x ∈ Z∗N .

Public key: Kp = (e,N).

Secret key: Ks = (d,N).

Encryption: y = xe mod N.

Decryption: x = yd mod N.

SV 2007 Basic Crypto EPFL-SSC 391 / 528

RSA

Rivest-Shamir-Adleman (1978)

SV 2007 Basic Crypto EPFL-SSC 390 / 528

9 Chapter 9: Public Key Cryptography

Diffie-Hellman
RSA
Other Public Key Cryptosystems

SV 2007 Basic Crypto EPFL-SSC 389 / 528


RSA Engineering

Relevance of the mathematical model

Implementation issues (from plain RSA to real life standards)

Side channel attacks

SV 2007 Basic Crypto EPFL-SSC 396 / 528

RSA Security

Key recovery is equivalent to factoring N

Decryption is the RSA problem (not known to be equivalent to factoring)

SV 2007 Basic Crypto EPFL-SSC 395 / 528

RSA Complexity

RSA with a modulus of ℓ bits and a random e.

Generator: O(ℓ^4) (prime numbers generation)

Encryption: O(ℓ^3)

Decryption: O(ℓ^3)

RSA with a modulus of ℓ bits and a constant e (e.g. e = 2^16 + 1).

Generator: O(ℓ^4) (prime numbers generation)

Encryption: O(ℓ^2)

Decryption: O(ℓ^3)

SV 2007 Basic Crypto EPFL-SSC 394 / 528

RSA Completeness

Theorem (Euler)

Let p, q be two different primes and N = p × q. For any x ∈ {0, …, N−1} we have x^{ϕ(N)+1} mod N = x.

Consequence: RSA decryption works!
Proof: from CRT...

SV 2007 Basic Crypto EPFL-SSC 393 / 528


Power Analysis Attack

Computing x = y^d mod N is performed by a device with external power supply by using the square-and-multiply algorithm.

The power usage tells what kind of operation is performed

Cryptoprocessors have faster square than multiply algorithms

The power usage tells when a square and a multiply is performed

The attacker deduces d

SV 2007 Basic Crypto EPFL-SSC 400 / 528

Attack on Low Exponents

Attack on low e: Coppersmith algorithm to find roots less than N1e

of a polynomial of degree e.Example: decryption attack when e = 3 and we know 2

3 of theplaintext bits (e.g. RSA.Enc(pattern||x) with 1024-bit moduluswhen x is a 256-bit symmetric key and pattern is a constantpattern).Example: (e = 3) decryption of two messages who differ in awindow of 1

9 of the full length (e.g. RSA.Enc(x ||counter) andRSA.Enc(x ||counter′) with 1024-bit modulus when the counter isencoded on 32 bits).

Attack on low d : Wiener key recovery attack for d < 4√

N (e.g. Nof 1024 bits and d of less than 256 bits).

SV 2007 Basic Crypto EPFL-SSC 399 / 528

Example with e = 3

[Figure: the same x is sent as y_1 under (N_1, 3), y_2 under (N_2, 3) and y_3 under (N_3, 3).]

Broadcast plaintext x to 3 receivers using e = 3:

Let y_i = x^3 mod N_i

We have CRT(y_1, y_2, y_3) = x^3 mod (N_1 N_2 N_3) = x^3

So we can compute x^3, then extract a cubic root and get x

SV 2007 Basic Crypto EPFL-SSC 398 / 528

Broadcast Encryption with Low Exponent

Sending the same message x to at least e participants with the same encryption exponent e and different moduli N_1, …, N_n.

The i-th participant receives y_i = x^e mod N_i

The attacker intercepts e values y_1, …, y_e

The attacker computes y = x^e mod N where N = N_1 × … × N_e by CRT

We have y = x^e

The attacker deduces x = y^{1/e}
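The CRT recombination and integer root of the two slides above, as an added example that is not part of the lecture slides, together with the reason randomized padding defeats it: with a different pad per receiver the e plaintexts differ and the recombined value is no longer a perfect e-th power. The three moduli are products of primes chosen for this example (toy sizes), and every function name is the example's own.

```python
import random
from math import prod

E = 3
# Constructed toy moduli: pairwise coprime products of primes (NOT secure sizes).
MODULI = [1000003 * 1000033, (2**31 - 1) * (2**61 - 1), (2**89 - 1) * (2**107 - 1)]


def crt(residues, moduli):
    """Chinese Remainder Theorem: the y mod prod(moduli) with y = r_i (mod N_i)."""
    N = prod(moduli)
    y = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        y += r * Ni * pow(Ni, -1, n)
    return y % N


def iroot(y, e):
    """Integer e-th root: the smallest r with r**e >= y (binary search)."""
    lo, hi = 0, 1 << (y.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** e < y:
            lo = mid + 1
        else:
            hi = mid
    return lo


def encrypt_all(x, moduli, e=E):
    """Plain RSA broadcast of the same x under every modulus."""
    return [pow(x, e, n) for n in moduli]


def broadcast_recover(ciphertexts, moduli, e=E):
    """From e ciphertexts of the same x: CRT gives x^e over the integers
    (x < every N_i, so x^e < prod N_i) and an integer root returns x.
    Returns None when the recombined value is not a perfect e-th power."""
    y = crt(ciphertexts[:e], moduli[:e])
    x = iroot(y, e)
    return x if x ** e == y else None


def encrypt_all_padded(x, moduli, e=E, pad_bits=8, seed=None):
    """Mitigation: a distinct random pad per receiver (constructed here with a
    seeded RNG) makes the e plaintexts different, so the CRT trick fails."""
    pads = random.Random(seed).sample(range(1 << pad_bits), len(moduli))
    return [pow((x << pad_bits) | pad, e, n) for pad, n in zip(pads, moduli)]
```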

SV 2007 Basic Crypto EPFL-SSC 397 / 528


Other Side Channel Attacks

Simple fault analysis

Differential fault analysis

Timing attack

Electromagnetic fields

Noisy machines

Cache attacks

Branch prediction algorithm

...

SV 2007 Basic Crypto EPFL-SSC 404 / 528

DFA

[Figure: correct CRT decryption: from y = x^e mod N, the device computes y^d mod q and y^d mod p and combines them by CRT into y^d mod N = x. Faulty decryption: the "mod q" half is replaced by a random value while y^d mod p is still correct, so the CRT outputs an x′ with x′ ≡ x (mod p) only.]

SV 2007 Basic Crypto EPFL-SSC 403 / 528

Differential Fault Attack

Computing x = y^d mod N is performed by a device using CRT acceleration.

The attacker picks x and sends y = x^e mod N to the device

The attacker aggressively (but mildly) stresses the device

The device eventually makes errors

Error may occur during the CRT acceleration

The device computes x′ and outputs it

The attacker computes gcd(x − x′, N)
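A CRT-accelerated RSA decryption with a simulated fault in the "mod q" half, the gcd computed from the faulty output, and the standard countermeasure (re-encrypt the result and refuse to output it when it does not match), as an added example that is not part of the lecture slides. The key (two six-digit primes, e = 2^16 + 1) is a constructed toy key and the function names are the example's own.

```python
from math import gcd

# Constructed toy RSA key (NOT a secure size): P and Q are primes, E = 2^16 + 1.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def encrypt(x):
    return pow(x, E, N)


def crt_decrypt(y, inject_fault=False):
    """y^d mod N with CRT acceleration: two half-size exponentiations, then
    Garner recombination.  inject_fault=True simulates a glitch in the 'mod q'
    half (any wrong value mod q gives the same effect)."""
    xp = pow(y, D % (P - 1), P)
    xq = pow(y, D % (Q - 1), Q)
    if inject_fault:
        xq = (xq + 1) % Q                 # constructed fault
    h = (xp - xq) * pow(Q, -1, P) % P
    return xq + Q * h                     # == xp (mod P) and == xq (mod Q)


def fault_leaks_factor(x):
    """What the slide's attacker computes from the correct x and a faulty x'."""
    x_faulty = crt_decrypt(encrypt(x), inject_fault=True)
    return gcd(x - x_faulty, N)           # == P, since x - x' = 0 only mod P


def checked_decrypt(y, inject_fault=False):
    """Countermeasure: verify x^e == y before releasing x, so a faulty x'
    never leaves the device."""
    x = crt_decrypt(y, inject_fault)
    return x if pow(x, E, N) == y else None
```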

SV 2007 Basic Crypto EPFL-SSC 402 / 528

SPA

[Figure: power trace over time; the sequence of operations read off the trace is SQ MUL, SQ MUL, SQ, SQ, SQ, i.e. key bits 1, 1, 0, 0, ...]

secret key is 1100... (from right to left or left to right)

SV 2007 Basic Crypto EPFL-SSC 401 / 528


RSA-OAEP Encryption

[Figure: the message M is formatted as DB = H(L) || 0⋯01 || M; a random seed is expanded by MGF and XORed onto DB (maskedDB); maskedDB is expanded by MGF and XORed onto the seed (maskedSeed); the block 00 || maskedSeed || maskedDB goes through Enc to give the ciphertext.]

SV 2007 Basic Crypto EPFL-SSC 408 / 528

Yet Another Side Channel Attack

Bleichenbacher's attack against PKCS#1v1.5:

Attacker intercepts y = x^e mod N and aims at recovering x

Attacker plays with the server by sending fake ciphertexts y′ of the form y′ = s^e y mod N. Most of the time, y′ does not decrypt well and the server issues an error message.

If the server accepts, then (y′)^d mod N starts with 00 02, hence 2 × 256^{k−2} ≤ sx mod N < 3 × 256^{k−2}

By using this oracle 1 000 000 times, the attacker can reconstruct x

SV 2007 Basic Crypto EPFL-SSC 407 / 528

PKCS#1v1.5 Encryption

[Figure: the message M is padded as 00 || 02 || PS || 00 || M with PS random, and the block goes through Enc to give the ciphertext.]

SV 2007 Basic Crypto EPFL-SSC 406 / 528

PKCS#1v1.5

(Modulus of k bytes, message M of at most k−11 bytes.)

Encryption:

1. generate a pseudorandom string PS of non-zero bytes so that M||PS is of k−3 bytes
2. construct the string 00||02||PS||00||M of k bytes
3. convert it into an integer
4. perform the plain RSA encryption
5. convert the result into a string of k bytes

Decryption:

1. convert the ciphertext into an integer, reject it if it is greater than the modulus
2. perform the plain RSA decryption and obtain another integer
3. convert back the integer into a byte string
4. check that the string has the 00||02||PS||00||M format for some byte strings PS and M where PS has no zero bytes
5. output M
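The PKCS#1v1.5 encryption and decryption steps above in Python, as an added example that is not part of the lecture slides. The key is built from two Mersenne primes purely so that the modulus is large enough for the format (a constructed key, not a realistic one); the decryptor returns the same result for every failure, since slide 407 shows what a decryptor that reveals the failure reason gives away; the function names are the example's own.

```python
import secrets

# Constructed toy key: Mersenne primes give a 1128-bit modulus without a prime
# search; e = 2^16 + 1 is coprime to (P-1)(Q-1).  NOT a real-world key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length k in bytes (141 here)


def pkcs1_v15_encrypt(m, rng=secrets.token_bytes):
    """Encryption steps 1-5: 00 || 02 || PS || 00 || M, PS random with no zero byte."""
    if len(m) > K - 11:
        raise ValueError("message longer than k-11 bytes")
    ps = b""
    while len(ps) < K - 3 - len(m):
        b = rng(1)
        if b != b"\x00":                # PS must not contain a zero byte
            ps += b
    em = b"\x00\x02" + ps + b"\x00" + m
    assert len(em) == K
    y = pow(int.from_bytes(em, "big"), E, N)
    return y.to_bytes(K, "big")


def pkcs1_v15_decrypt(c):
    """Decryption steps 1-5.  Every failure yields the same None, whatever the
    reason: distinguishing them is the oracle of Bleichenbacher's attack."""
    if len(c) != K:
        return None
    y = int.from_bytes(c, "big")
    if y >= N:                          # step 1: reject if not below the modulus
        return None
    em = pow(y, D, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x02":           # step 4: block type check
        return None
    sep = em.find(b"\x00", 2)           # first zero byte ends PS
    if sep < 0 or sep - 2 < 8:          # PKCS#1 requires PS to be at least 8 bytes
        return None
    return em[sep + 1:]                 # step 5: M
```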

SV 2007 Basic Crypto EPFL-SSC 405 / 528


Diffie-Hellman Cryptography

[Figure: from Diffie-Hellman, one arrow labelled "problem to instantiate" leads to RSA and another leads to ElGamal.]

trapdoor permutation: operation in Z*_n which can be inverted with the factorization of n

probabilistic encryption: encryption returns g^r along with symEnc_{y^r}(message) for y^r = DH(g, g^r, y)

SV 2007 Basic Crypto EPFL-SSC 412 / 528

9 Chapter 9: Public Key Cryptography

Diffie-Hellman
RSA
Other Public Key Cryptosystems

SV 2007 Basic Crypto EPFL-SSC 411 / 528

Mask Generation Function in RSA-OAEP

The PKCS specifications further suggest a mask generation function MGF1 which is based on a hash function. The MGF1_ℓ(x) string simply consists of the ℓ leading bytes of

H(x||00000000) || H(x||00000001) || H(x||00000002) || ⋯

in which x is concatenated to a four-byte counter.
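MGF1 as defined above, used inside an RSA-OAEP encryption and decryption that follow the two OAEP figures (slides 408 and 409), as an added example that is not part of the lecture slides. SHA-256 as H, the empty label L, and the Mersenne-prime toy key are this example's choices, and the function names are its own.

```python
import hashlib
import secrets

# Constructed toy key (Mersenne primes, NOT a real-world key), e = 2^16 + 1.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # k bytes
HASH = hashlib.sha256
HLEN = HASH().digest_size


def mgf1(seed, length, hash_fn=HASH):
    """Leading `length` bytes of H(seed||00000000) || H(seed||00000001) || ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, label=b"", rng=secrets.token_bytes):
    """DB = H(L) || 00..00 || 01 || M, masked by MGF(seed); seed masked by MGF(maskedDB)."""
    if len(m) > K - 2 * HLEN - 2:
        raise ValueError("message too long")
    db = HASH(label).digest() + b"\x00" * (K - len(m) - 2 * HLEN - 2) + b"\x01" + m
    seed = rng(HLEN)
    masked_db = xor(db, mgf1(seed, K - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, label=b""):
    """Undo the two masks in reverse order; any inconsistency gives the same None."""
    if len(em) != K or em[0] != 0:
        return None
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, K - HLEN - 1))
    if db[:HLEN] != HASH(label).digest():
        return None
    i = db.find(b"\x01", HLEN)
    if i < 0 or any(db[HLEN:i]):         # padding must be 00...00 then 01
        return None
    return db[i + 1:]


def rsa_oaep_encrypt(m, label=b""):
    em = oaep_encode(m, label)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def rsa_oaep_decrypt(c, label=b""):
    y = int.from_bytes(c, "big")
    if len(c) != K or y >= N:
        return None
    return oaep_decode(pow(y, D, N).to_bytes(K, "big"), label)
```

Because the seed is fresh each time, two encryptions of the same message give different ciphertexts, which is the non-deterministic encryption of slide 416.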

SV 2007 Basic Crypto EPFL-SSC 410 / 528

RSA-OAEP Decryption

[Figure: the ciphertext goes through Dec to the block 00 || maskedSeed || maskedDB; the seed is recovered as maskedSeed ⊕ MGF(maskedDB), then H(L) || 0⋯01 || M as maskedDB ⊕ MGF(seed), and M is the message.]

SV 2007 Basic Crypto EPFL-SSC 409 / 528


Non-Deterministic Encryption

[Figure: Encrypt takes the message m and some randomness R and may output any one of the ciphertexts c_1, c_2, c_3; Decrypt maps each of them back to m.]

SV 2007 Basic Crypto EPFL-SSC 416 / 528

Generating a Generator

We consider Z*_p with an odd prime p and we let p−1 = ∏_{i=1}^{r} p_i^{α_i} with pairwise different primes p_i

g is a generator of Z*_p iff g^{(p−1)/p_i} mod p ≠ 1 for i = 1, …, r

given a random g ∈_U Z*_p, all g^{(p−1)/p_i} mod p are independent

Pr_{g ∈_U Z*_p}[g^{(p−1)/p_i} mod p = 1] = 1/p_i

assuming that p_i ≤ B for i ≤ s and p_i > B for i > s, then

Pr_{g ∈_U Z*_p}[g generator | g^{(p−1)/p_i} mod p ≠ 1; i = 1, …, s] = ∏_{i=s+1}^{r} (1 − 1/p_i)

we can just simply work with an incomplete factorization p−1 = q ∏_{i=1}^{s} p_i^{α_i} which includes all small factors p_i

→ Pr[not generator | passed] ≤ 1/B

SV 2007 Basic Crypto EPFL-SSC 415 / 528

Plain ElGamal Encryption

[Figure: a Generator outputs the Secret key x and the Public key y = g^x mod p, the public key being sent over an AUTHENTICATED and INTEGER channel; Message m → Encrypt → Ciphertext (g^r, m y^r) → Decrypt (u, v) → Message v u^{−x}, the Adversary watching the channel.]

SV 2007 Basic Crypto EPFL-SSC 414 / 528

ElGamal Cryptosystem

Public parameter: a large prime p, a generator g of Z*_p.

Set up: generate a random x ∈ Z_{p−1}, and compute y = g^x mod p.

Message: an element m ∈ Z*_p.

Public key: K_p = y.

Secret key: K_s = x.

Encryption: pick a random r ∈ Z_{p−1}, compute u = g^r mod p, and v = m y^r mod p. The ciphertext is (u, v).

Decryption: Extract the u and v parts of the ciphertext and compute m = v u^{−x} mod p.
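The generator test of slides 368/369 and 415 followed by the ElGamal cryptosystem above, as an added example that is not part of the lecture slides: the public parameter g is picked with the known factorization of p−1, then a key is generated and a message encrypted twice and decrypted. The toy prime p = 2^31 − 1 (with p−1 = 2 · 3^2 · 7 · 11 · 31 · 151 · 331) and the function names are the example's own.

```python
import random

# Toy parameters (NOT a secure size): p = 2^31 - 1 is prime and the prime
# factors of p - 1 are known, so the generator test is exact.
P = 2147483647
P_MINUS_1_PRIMES = [2, 3, 7, 11, 31, 151, 331]


def is_generator(g, p=P, primes=P_MINUS_1_PRIMES):
    """g generates Z*_p iff g^((p-1)/p_i) mod p != 1 for every prime p_i | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in primes)


def pick_generator(rng, p=P, primes=P_MINUS_1_PRIMES):
    """Sample until the test passes.  With the complete factorization the output
    is a generator for sure; with only the primes below a bound B it is one
    except with probability less than 1/B."""
    while True:
        g = rng.randrange(2, p - 1)
        if is_generator(g, p, primes):
            return g


def elgamal_keygen(g, rng, p=P):
    x = rng.randrange(1, p - 1)           # secret key x in Z_{p-1}
    return x, pow(g, x, p)                # (x, y = g^x mod p)


def elgamal_encrypt(g, y, m, rng, p=P):
    r = rng.randrange(1, p - 1)           # fresh randomness for every ciphertext
    u = pow(g, r, p)
    v = m * pow(y, r, p) % p
    return u, v


def elgamal_decrypt(x, ciphertext, p=P):
    u, v = ciphertext
    return v * pow(pow(u, x, p), -1, p) % p   # m = v * u^{-x}


def demo(seed=0, m=0xC0FFEE):
    """Returns (g, m decrypted from c1, m decrypted from c2, c1 != c2)."""
    rng = random.Random(seed)
    g = pick_generator(rng)
    x, y = elgamal_keygen(g, rng)
    c1 = elgamal_encrypt(g, y, m, rng)
    c2 = elgamal_encrypt(g, y, m, rng)
    return g, elgamal_decrypt(x, c1), elgamal_decrypt(x, c2), c1 != c2
```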

SV 2007 Basic Crypto EPFL-SSC 413 / 528


Conclusion

High complexity overhead

Two families: factorization and discrete logarithm

Big trouble to go beyond textbook cryptosystems

Problem with side channels

Sensitive security

SV 2007 Basic Crypto EPFL-SSC 420 / 528

Other Public-Key Cryptosystems

ECC

HECC

Paillier cryptosystem

NTRU

lattice-based cryptosystem

McEliece cryptosystem

TCHo

...

SV 2007 Basic Crypto EPFL-SSC 419 / 528

Comparison with RSA

Complexity of Gen is much lower

Problem: encryption is length-increasing

Can be easily adapted to other groups (e.g. elliptic curves)

SV 2007 Basic Crypto EPFL-SSC 418 / 528

ElGamal Encryption Complexity

Domain parameter selection: O (ℓ4) (prime numbers generation)

Generator: O (ℓ3)

Encryption: O (ℓ3)

Decryption: O (ℓ3)

SV 2007 Basic Crypto EPFL-SSC 417 / 528


Symmetric Encryption

[Figure: a Generator delivers the same Key to both ends over a CONFIDENTIAL channel; Message → Encrypt → channel watched by the Adversary → Decrypt → Message.]

SV 2007 Basic Crypto EPFL-SSC 424 / 528

10 Chapter 10: Digital Signatures

Digital Signature Schemes
RSA Signature
ElGamal Signature Family

SV 2007 Basic Crypto EPFL-SSC 423 / 528

Chapter Content

RSA signature: PKCS, ISO/IEC 9796

ElGamal signature family: ElGamal, Schnorr, DSS, ECDSA

⋆Attacks on ElGamal signatures: existential forgery, Bleichenbacher attack

⋆Provable security: interactive proofs, random oracle model

SV 2007 Basic Crypto EPFL-SSC 422 / 528

10 Chapter 10: Digital Signatures

SV 2007 Basic Crypto EPFL-SSC 421 / 528


Application: Certificates

[Figure: a Client and a Server talk over an insecure channel; an Authority with key pair (K_p, K_s) is linked to both by AUTHENTICATED channels; the Server's public key κ reaches the Client together with its certificate.]

certificate = signature_{K_s}("I certify that public key κ belongs to S")

SV 2007 Basic Crypto EPFL-SSC 428 / 528

Digital Signature

[Figure: a Generator outputs a Secret Key (signer) and a Public Key (verifier), the public key being sent over an AUTHENTICATED and INTEGER channel; Message → Sign → channel watched by the Adversary → Verify → "ok?" and the Message.]

SV 2007 Basic Crypto EPFL-SSC 427 / 528

Authentication Channel

[Figure: a Generator delivers the same Key to both ends over a CONFIDENTIAL channel; Message → MAC → AUTHENTICATED and INTEGER channel watched by the Adversary → Check → "ok?" and the Message.]

SV 2007 Basic Crypto EPFL-SSC 426 / 528

Asymmetric Encryption

[Figure: a Generator outputs a Secret Key (receiver) and a Public Key (sender), the public key being sent over an AUTHENTICATED and INTEGER channel; Message → Encrypt → channel watched by the Adversary → Decrypt → Message.]

SV 2007 Basic Crypto EPFL-SSC 425 / 528


Encryption to Signature

[Figure: the signer hashes the Message X, applies Decrypt with the secret key d to the digest to obtain σ, and sends (X, σ); the verifier applies Encrypt with the public key to σ, hashes X, and Compares the two values (ok?). The keys come from a Generator, the public key travelling over an AUTHENTICATED and INTEGER channel; the Adversary watches the message channel.]

SV 2007 Basic Crypto EPFL-SSC 432 / 528

10 Chapter 10: Digital Signatures

Digital Signature Schemes
RSA Signature
ElGamal Signature Family

SV 2007 Basic Crypto EPFL-SSC 431 / 528

Security Models

                       passive       chosen message     (adversary power)
total break            weaker
universal forgery
existential forgery                  stronger

weaker  ──security model──▶ stronger
stronger ◀────attack────── weaker

strong objectives and low capabilities on the left, weak objectives and high capabilities on the right

SV 2007 Basic Crypto EPFL-SSC 430 / 528

Threat Models

Total break: an adversary can recover the secret key

Universal forgery: an adversary can forge the signature of any or a random message

Existential forgery: an adversary can forge a valid message-signature pair

Adversary model: can intercept signatures (passive), can access a signing oracle, ...

SV 2007 Basic Crypto EPFL-SSC 429 / 528


Plain RSA Signature

Set up: find two random different prime numbers p and q of size s/2 bits. Set N = pq. Pick a random e until gcd(e, (p−1)(q−1)) = 1. (Sometimes we pick a special e like e = 3 or e = 17.) Set d = e^{−1} mod ((p−1)(q−1)).

Secret key: Ks = (d,N).

Public key: Kp = (e,N).

Message: an element y ∈ Z∗N .

Signature generation: x = yd mod N.

Extraction: y = xe mod N.

(Signature with message recovery)

SV 2007 Basic Crypto EPFL-SSC 436 / 528

Encryption to Signature with Message Recovery

[Figure: a Generator outputs the Secret Key (signer) and the Public Key (verifier) over an AUTHENTICATED and INTEGER channel; the Message X goes through Sign (= Decrypt) to σ; σ goes through Encrypt and gives back the Message X; the Adversary watches the channel.]

SV 2007 Basic Crypto EPFL-SSC 435 / 528

Signature with Message Recovery

[Figure: a Generator outputs the Secret Key (signer) and the Public Key (verifier) over an AUTHENTICATED and INTEGER channel; the Message X goes through Sign to the Signature σ; σ goes through Extract, which outputs "ok?" and the Message X; the Adversary watches the channel.]

SV 2007 Basic Crypto EPFL-SSC 434 / 528

Hash-and-Sign Paradigm

[Figure: the signer hashes the Message X and Signs the digest with the secret key d to obtain σ, sending (X, σ); the verifier hashes X and runs Verify on the digest and σ with the public key (ok?). The keys come from a Generator, the public key travelling over an AUTHENTICATED and INTEGER channel; the Adversary watches the message channel.]


Signature Extraction

1. apply the extraction scheme, obtain a byte string

2. check that the string is of length k and that the rightmost hexadecimal digit is 6

3. perform a message recovery: we remove the leading bit 1, we replace the rightmost two bytes y_H y_R x_H x_R by y_H y_R π^{−1}(y_H) x_H, obtain …, x_2, x_1, take z as the smallest index such that x_{2z} ⊕ S(x_{2z−1}) ≠ 0 (reject if it does not exist) and r equal to this value (and check that r ≤ 8), extract x_{2z}, x_{2z−2}, …, x_2, remove the r−1 leftmost bits (reject if they are not equal to zero). We must obtain a message m.

4. Check that the formatting scheme on m leads to the value obtained after opening the signature. (Check the redundancy.)

SV 2007 Basic Crypto EPFL-SSC 440 / 528

ISO/IEC 9796 Signature Generation

(signature of a d-bit message m into a k-bit signature, e.g. d ≤ 512 and k = 1024)

1. pad m with r−1 leading zero bits (at most seven) so that the total length can be cut into a sequence of z bytes m_z, m_{z−1}, …, m_1

2. repeat the sequence and take the t = 32 rightmost bytes (t s.t. 16t ≥ k−1)

3. insert S(x) to the left of each of the t bytes x, and XOR r onto the z-th rightmost redundancy byte S(m_z), where S(x_H x_L) = π(x_H) π(x_L) (shadow function), x_H x_L represents the two hex. digits of x and π is defined by

   x    : 0 1 2 3 4 5 6 7 8 9 A B C D E F
   π(x) : E 3 5 8 9 4 2 F 0 D B 6 7 A C 1

4. take the k−1 rightmost bits, pad a bit 1 to the left, and replace the rightmost byte x = x_H x_L by x_L 6

5. sign the formatted string (for instance) by using the plain RSA

SV 2007 Basic Crypto EPFL-SSC 439 / 528

ISO/IEC 9796

[Figure: signing: message → Format → Sign → signature; extraction: signature → Extract → Unformat → message.]

format is invertible

signature with message recovery

Plain RSA Signature

[Figure: a Generator outputs the Secret key (d, N) and the Public key (e, N), the public key being sent over an AUTHENTICATED and INTEGER channel; Message x → Sign → Signature x^d mod N → Extract → y^e mod N, the Adversary watching the channel.]

N = pq,  ϕ(N) = (p−1)(q−1)
1 = gcd(e, ϕ(N)),  d = e^{−1} mod ϕ(N)

SV 2007 Basic Crypto EPFL-SSC 437 / 528


PKCS#1v1.5 Signature

[Figure: the message is hashed with H, the encoded digest D is padded as 00 01 FF⋯FF 00 D, and the block goes through Sign to give the signature.]

SV 2007 Basic Crypto EPFL-SSC 444 / 528

Signature Verification

1. convert the signature into an integer. Reject it if it is greater than the modulus.

2. perform the plain RSA verification and obtain another integer.

3. convert back the integer into a byte string.

4. check that the string has the 00||01||FF…FF||00||D format for a byte string D.

5. decode the data D and obtain the message digest and the hash algorithm. Check that the hash algorithm is acceptable.

6. hash the message and check the message digest.

SV 2007 Basic Crypto EPFL-SSC 443 / 528

PKCS#1v1.5

We are given a modulus N of k bytes.

1. hash the message (for instance with MD5) and get a message digest.

2. encode the message digest and the identifier of the hash algorithm into a string D.

3. pad it with a zero byte to the left, then with many FF bytes in order to reach a length of k−2 bytes, then with a 01 byte. We obtain k−1 bytes.

4. This byte string 00||01||FF⋯FF||00||D is converted into an integer.

5. compute the plain RSA signature.

6. convert the result into a string of k bytes.

SV 2007 Basic Crypto EPFL-SSC 442 / 528

Example "PAY 1'000'000.-CHF"

P A Y 1 ' 0 0 0 ' 0 0 0 . - C H F
504059203127303030273030302e2d434846

1. m = 5040 5920312730303027 3030302e2d434846, z = 18

2. 3127303030273030 302e2d434846|5040 5920312730303027 3030302e2d434846

3. 83315f278e308e30 8e305f278e308e30 8e305c2e5a2d9843 904892464e509e40
   4d595e2083315f27 8e308e308e305f27 8e308e308e305c2e 5a2d984390489246
   ...
   83315f278e308e30 8e305f278e308e30 8e305c2e5a2d9843 904892464f509e40
   4d595e2083315f27 8e308e308e305f27 8e308e308e305c2e 5a2d984390489246

4. 83315f278e308e30 8e305f278e308e30 8e305c2e5a2d9843 904892464f509e40
   4d595e2083315f27 8e308e308e305f27 8e308e308e305c2e 5a2d984390489266

5. feed the plain RSA signature scheme...

SV 2007 Basic Crypto EPFL-SSC 441 / 528


ElGamal Signature

Public parameters: a large prime number p, a generator g of Z*_p.

Set up: generate a random x ∈ Z_{p−1} and compute y = g^x mod p.

Secret key: K_s = x.

Public key: K_p = y.

Message digest: h = H(M) ∈ Z_{p−1}.

Signature generation: pick a random k ∈ Z*_{p−1}, compute r = g^k mod p and s = (h − xr)/k mod (p−1), the signature is σ = (r, s).

Verification: check that y^r r^s ≡ g^h (mod p) and 0 ≤ r < p.

SV 2007 Basic Crypto EPFL-SSC 448 / 528

10 Chapter 10: Digital Signatures

Digital Signature Schemes
RSA Signature
ElGamal Signature Family

SV 2007 Basic Crypto EPFL-SSC 447 / 528

RSA-PSS Verification

[Figure: Extract the block maskedDB || H || bc from the signature (after the "OR 80" step on its leading bits), unmask DB = maskedDB ⊕ MGF(H), read the salt from DB = 0⋯01 || salt, recompute H(0⋯00 || H(M) || salt) from the message and compare it with H.]

SV 2007 Basic Crypto EPFL-SSC 446 / 528

RSA-PSS

[Figure: the message is hashed to H(M); H = H(0⋯00 || H(M) || salt) with a random salt; DB = 0⋯01 || salt is masked with MGF(H) to maskedDB; the block maskedDB || H || bc (with the "OR 80" step on its leading bits) goes through Sign to give the signature.]


Drawbacks of ElGamal Signatures

signatures are pretty long

security issues related to subgroups

lack of security proof for arbitrary public parameter

SV 2007 Basic Crypto EPFL-SSC 452 / 528

Security if we Miss the Inequality Check

If we do not check that 0 ≤ r < p, we have a universal forgery attack:

pick r_{p−1}, s ∈ Z*_{p−1} at random

set r_p = g^{h(M)/s} y^{−r_{p−1}/s} mod p

pick r such that r mod p = r_p and r mod (p−1) = r_{p−1} using the Chinese Remainder Theorem

issue (r, s) as a signature for M
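ElGamal signatures (slide 448) with a verifier that can be run with or without the 0 ≤ r < p check, and the forgery above built with the CRT, as an added example that is not part of the lecture slides: it shows that the forged pair passes only when the inequality check is missing. The toy group p = 2^31 − 1, g = 7, SHA-256 reduced mod p−1 as H, and all function names are the example's own.

```python
import hashlib
import random
from math import gcd

P = 2147483647                            # toy prime 2^31 - 1 (NOT a secure size)
G = 7                                     # a generator of Z*_P


def H(msg):
    """Message digest as an element of Z_{p-1} (SHA-256 reduced, this example's H)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1)


def keygen(rng):
    x = rng.randrange(1, P - 1)
    return x, pow(G, x, P)


def sign(x, msg, rng):
    h = H(msg)
    while True:
        k = rng.randrange(1, P - 1)
        if gcd(k, P - 1) == 1:             # k must be invertible mod p-1
            break
    r = pow(G, k, P)
    s = (h - x * r) * pow(k, -1, P - 1) % (P - 1)
    return r, s


def verify(y, msg, sig, check_range=True):
    """y^r r^s == g^H(M) (mod p); check_range=False drops the 0 <= r < p test."""
    r, s = sig
    if check_range and not 0 <= r < P:
        return False
    return pow(y, r, P) * pow(r, s, P) % P == pow(G, H(msg), P)


def forge_without_range_check(y, msg, rng):
    """The slide's universal forgery: r_p makes the equation hold mod p, r_{p-1}
    fixes the exponents mod p-1, and the CRT glues them into one r (>= p)."""
    h = H(msg)
    while True:
        r_pm1, s = rng.randrange(1, P - 1), rng.randrange(1, P - 1)
        if gcd(r_pm1, P - 1) == 1 and gcd(s, P - 1) == 1:
            break
    s_inv = pow(s, -1, P - 1)
    r_p = pow(G, h * s_inv % (P - 1), P) * pow(y, -r_pm1 * s_inv % (P - 1), P) % P
    # r = r_p (mod P) and r = r_pm1 (mod P-1); gcd(P, P-1) = 1
    r = r_p + P * ((r_pm1 - r_p) * pow(P, -1, P - 1) % (P - 1))
    return r, s


def demo(seed=0, msg=b"PAY 100 CHF"):
    """Returns (legit signature verifies, forgery passes without the check,
    forgery passes with the check)."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    legit = sign(x, msg, rng)
    forged = forge_without_range_check(y, msg, rng)
    return (verify(y, msg, legit),
            verify(y, msg, forged, check_range=False),
            verify(y, msg, forged))
```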

SV 2007 Basic Crypto EPFL-SSC 451 / 528

Security

key recovery is equivalent to the discrete logarithm problem

existential forgery is hard on average over the random choice ofthe public parameters in the random oracle model provided thatthe discrete logarithm is hard

SV 2007 Basic Crypto EPFL-SSC 450 / 528

ElGamal Signature

[Figure: p prime, g generator of Z*_p; a Generator outputs the Secret key x and the Public key y = g^x mod p, the public key being sent over an AUTHENTICATED and INTEGER channel. Sign: k ∈ Z*_{p−1}, r = g^k mod p, s = (H(M) − xr)/k mod (p−1), send (M, r, s). Verify: 0 ≤ r < p and y^r r^s ≡ g^{H(M)} (mod p), output "ok?" and the Message M; the Adversary watches the channel.]

SV 2007 Basic Crypto EPFL-SSC 449 / 528


Schnorr Signature

[Figure: q prime, p = aq+1 prime, g = random^a mod p > 1; a Generator outputs the Secret key x and the Public key y = g^x mod p, the public key being sent over an AUTHENTICATED and INTEGER channel. Sign: k ∈ Z*_q, r = g^k mod p, e = H(M|r), s = ex + k mod q, send (M, e, s). Verify: compare e and H(M | g^s y^{−e} mod p), output "ok?" and the Message M; the Adversary watches the channel.]

SV 2007 Basic Crypto EPFL-SSC 456 / 528

Generating the Public Parameters

pick a prime number q

take a random p = aq + 1 until it is prime

take a random number in Z∗p, raise it to the power a modulo p,and get g

if g = 1, try again (otherwise, it must be of order q in Z∗p)

SV 2007 Basic Crypto EPFL-SSC 455 / 528

Schnorr Signature

Public parameters: pick a not-too-large prime number q, a large prime number p = aq + 1, and g, a generator of Z*_p raised to the power a (an element of order q).

Set up: pick x ∈ Z_q and compute y = g^x mod p.

Secret key: K_s = x.

Public key: K_p = y.

Signature generation: pick a random k ∈ Z*_q, compute r = g^k mod p, e = H(M|r), and s = ex + k mod q, the signature is σ = (e, s).

Verification: check that e = H(M | g^s y^{−e} mod p).

SV 2007 Basic Crypto EPFL-SSC 454 / 528

The ElGamal Dynasty

1984 ElGamal signatures

1989 Schnorr signatures

1995 DSA: US signatures

1995 Nyberg-Rueppel signatures

1997 Pointcheval-Vaudenay signatures

1998 KCDSA: Korean signatures

1998 ECDSA

...

SV 2007 Basic Crypto EPFL-SSC 453 / 528


Benefits from the DSA

US standard

signatures are shorter

no proper subgroup (only {1} and the group itself)

BUT

security results are weaker

SV 2007 Basic Crypto EPFL-SSC 460 / 528

DSA Signature

[Figure: q prime, p = aq+1 prime, g = random^a mod p > 1; a Generator outputs the Secret key x and the Public key y = g^x mod p, the public key being sent over an AUTHENTICATED and INTEGER channel. Sign: k ∈ Z*_q, r = (g^k mod p) mod q, s = (H(M) + xr)/k mod q, send (M, r, s). Verify: compare r and (g^{H(M)/s} y^{r/s} mod p) mod q, output "ok?" and the Message M; the Adversary watches the channel.]

SV 2007 Basic Crypto EPFL-SSC 459 / 528

DSA Signature (DSS)

Public parameters: pick a 160-bit prime number q, a large prime number p = aq + 1, and g, a generator of Z*_p raised to the power a (an element of order q).

Set up: pick x ∈ Z_q and compute y = g^x mod p.

Secret key: K_s = x.

Public key: K_p = y.

Signature generation: pick a random k ∈ Z*_q, compute r = (g^k mod p) mod q, and s = (H(M) + xr)/k mod q, the signature is σ = (r, s).

Verification: check that r = (g^{H(M)/s mod q} y^{r/s mod q} mod p) mod q.

SV 2007 Basic Crypto EPFL-SSC 458 / 528

Benefits from the Schnorr Signature

signatures are shorter

no proper subgroup (only {1} and the group itself)

some form of provable security (related to interactive proofs)

SV 2007 Basic Crypto EPFL-SSC 457 / 528


Conclusion

Two families of signature schemes

RSA: with message recovery, based on the RSA problem

ElGamal: with domain parameters, based on the discrete logarithm

Sensitive security

SV 2007 Basic Crypto EPFL-SSC 464 / 528

Benefits from the Pointcheval-Vaudenay Signature

ISO/IEC standard

signatures are shorter

no proper subgroup (only {1} and the group itself)

stronger security proof

SV 2007 Basic Crypto EPFL-SSC 463 / 528

Pointcheval-Vaudenay Signature

[Figure: Pointcheval-Vaudenay signature. The generator outputs the secret key x and the public key y = g^x mod p; y reaches the verifier over an authenticated, integrity-protected channel. Sign: pick k ∈ Z∗q, r = (g^k mod p) mod q, s = (H(r||M) + xr)/k mod q, send (M, r, s). Verify: compare r with (g^(H(r||M)/s) · y^(r/s) mod p) mod q. Parameters: q prime, p = aq + 1 prime, g = random^a mod p, g > 1. The adversary sits on the channel carrying (M, r, s).]

SV 2007 Basic Crypto EPFL-SSC 462 / 528

Pointcheval-Vaudenay Signature

Public parameters: pick a 160-bit prime number q, a large prime number p = aq + 1, and g, a generator of Z∗p raised to the power a (an element of order q).

Set up: pick x ∈ Zq and compute y = g^x mod p.

Secret key: Ks = x.

Public key: Kp = y.

Signature generation: pick a random k ∈ Z∗q, compute r = (g^k mod p) mod q and s = (H(r||M) + xr)/k mod q; the signature is σ = (r, s).

Verification: check that r = (g^(H(r||M)/s mod q) · y^(r/s mod q) mod p) mod q.

SV 2007 Basic Crypto EPFL-SSC 461 / 528
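The Schnorr, DSA and Pointcheval-Vaudenay schemes above all live on the parameters of slide 455, so one added example covers the three of them. This is illustrative code written for this page, not the course's own; it assumes SHA-256 reduced mod q as the hash H, toy parameter sizes, and Python's `pow(k, -1, q)` for the modular inverse.

```python
# Added example, not the course's code: Schnorr / DSA / Pointcheval-Vaudenay
# over an order-q subgroup of Z_p^* (slides 455, 454, 458, 461).  SHA-256
# reduced mod q stands in for H; sizes are toy-sized so the demo runs fast.
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with 'rounds' random bases, after a little trial division."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def gen_params(qbits=160, pbits=512):
    """Slide 455: prime q, prime p = a*q + 1, then g = h^a mod p with g != 1."""
    q, abits = random_prime(qbits), pbits - qbits
    while True:
        a = (secrets.randbits(abits) | (1 << (abits - 1))) & ~1   # even a, so p is odd
        p = a * q + 1
        if is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, a, p)   # random h in Z_p^*, raised to a
        if g != 1:                 # g^q = h^(p-1) = 1 and q is prime, so ord(g) = q
            return p, q, g

def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)         # secret key x, public key y = g^x mod p

def _h(q, *parts):
    """H(...) as an integer mod q (SHA-256 of the concatenated parts)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % q

def _be(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

# Schnorr (slide 454): sigma = (e, s), e = H(M||r), s = e*x + k mod q
def schnorr_sign(params, x, msg):
    p, q, g = params
    k = secrets.randbelow(q - 1) + 1
    e = _h(q, msg, _be(pow(g, k, p)))
    return e, (e * x + k) % q

def schnorr_verify(params, y, msg, sig):
    p, q, g = params
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    r = pow(g, s, p) * pow(y, (-e) % q, p) % p    # g^s * y^(-e) = g^k
    return e == _h(q, msg, _be(r))

# DSA (slide 458) hashes M alone; Pointcheval-Vaudenay (slide 461) hashes r||M.
def _dsa_like_sign(params, x, msg, bind_r):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        hm = _h(q, _be(r), msg) if bind_r else _h(q, msg)
        s = (hm + x * r) * pow(k, -1, q) % q
        if r != 0 and s != 0:      # degenerate values: retry with a fresh k
            return r, s

def _dsa_like_verify(params, y, msg, sig, bind_r):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    hm = _h(q, _be(r), msg) if bind_r else _h(q, msg)
    w = pow(s, -1, q)
    v = pow(g, hm * w % q, p) * pow(y, r * w % q, p) % p   # g^(H/s) * y^(r/s) mod p
    return v % q == r

def dsa_sign(params, x, msg): return _dsa_like_sign(params, x, msg, False)
def dsa_verify(params, y, msg, sig): return _dsa_like_verify(params, y, msg, sig, False)
def pv_sign(params, x, msg): return _dsa_like_sign(params, x, msg, True)
def pv_verify(params, y, msg, sig): return _dsa_like_verify(params, y, msg, sig, True)
```

The range checks on (r, s) and (e, s) in the verifiers are not decoration: DSA verification with r = 0 or s = 0 would otherwise accept forgeries, which is why the signer retries on those values and the verifier rejects them.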


Chapter Content

Security setup: certificates

Remote access: SSH

Secure Internet transactions: SSL

Security for individuals: PGP

SV 2007 Basic Crypto EPFL-SSC 468 / 528

12 Chapter 12: From Cryptography to Communication Security

SV 2007 Basic Crypto EPFL-SSC 467 / 528

Chapter Content

⋆Zero-knowledge: Fiat-Shamir, Feige-Fiat-Shamir

⋆Secret sharing: threshold scheme, perfect schemes

⋆Special purpose signatures: undeniable signatures

SV 2007 Basic Crypto EPFL-SSC 466 / 528

11 Chapter 11: Cryptographic Protocols

SV 2007 Basic Crypto EPFL-SSC 465 / 528


Virtual Channels by Combination of Channels

[Figure: a message X is transformed into Y, carried over a channel on which the adversary sits, and transformed back into X on the other side; the combination relies on stated assumptions about the underlying channels.]

SV 2007 Basic Crypto EPFL-SSC 472 / 528

From Packet Security to Session Security

[Figure: a two-way sequence of packets exchanged over a channel on which the adversary sits.]

Key establishment: set up A/I/C key material for message security

Sequentiality: whenever a participant has seen a message sequence starting with X1, . . . , Xt, Xt coming in, then the other participant has seen a message sequence whose first t messages are X1, . . . , Xt

Termination fairness: making sure that the last message on both ends is the same one

SV 2007 Basic Crypto EPFL-SSC 471 / 528

Security Property of Communication Channels

[Figure: a message X sent over a channel on which the adversary sits, received as X on the other side.]

Confidentiality, Authentication, Integrity

Freshness: the received X was not received before

Liveness: a sent message X is eventually delivered

Timeliness: (> liveness) time of delivery is upper bounded

SV 2007 Basic Crypto EPFL-SSC 470 / 528

12 Chapter 12: From Cryptography to Communication Security

Setting up a Secure Communication Channel

SSH: Secure Shell

SSL: Secure Socket Layer

PGP: Pretty Good Privacy

Other Examples

SV 2007 Basic Crypto EPFL-SSC 469 / 528


... with A+I Channel: Key Agreement Protocol

[Figure: Alice and Bob run a key agreement protocol over an authenticated, integrity-protected channel and each obtain the key; messages are then protected with Enc/MAC and checked with Dec/Check over a channel on which the adversary sits.]

SV 2007 Basic Crypto EPFL-SSC 476 / 528

Setting up a Secure Channel with A+I+C Channel

[Figure: a generator delivers the same key to both parties over a confidential, authenticated, integrity-protected channel; messages are then protected with Enc/MAC and checked with Dec/Check over a channel on which the adversary sits.]

SV 2007 Basic Crypto EPFL-SSC 475 / 528

Achieving Authentication

[Figure: a generator delivers the same key to both parties over a confidential, authenticated, integrity-protected channel; the sender appends a MAC to the message and the receiver checks it over a channel on which the adversary sits.]

SV 2007 Basic Crypto EPFL-SSC 474 / 528

Achieving Confidentiality

[Figure: a generator delivers the same key to both parties over a confidential channel; the sender encrypts the message and the receiver decrypts it over a channel on which the adversary sits.]

SV 2007 Basic Crypto EPFL-SSC 473 / 528


Client-Server Solution based on a Third Party

[Figure: Client and Server talk over an insecure channel. Each has an authenticated channel with the Authority: the Client obtains the Authority's public key K_CA,p, the Server obtains a certificate on its own public key Kp.]

SV 2007 Basic Crypto EPFL-SSC 480 / 528

Summary

we set up an initial authenticated communication channel

we exchange a master symmetric key using public key cryptography

we derive several symmetric keys

we use conventional cryptography to set up secure channels

SV 2007 Basic Crypto EPFL-SSC 479 / 528

Approaches to Build an Initial Authenticated Channel

using a trusted authority

by user full monitoring

ad-hoc solutions

SV 2007 Basic Crypto EPFL-SSC 478 / 528

Key Transmission using PKC

[Figure: a generator outputs a secret key and a public key; the public key reaches the sender over an authenticated, integrity-protected channel; the sender encrypts the symmetric key under the public key and the receiver decrypts it with the secret key, over a channel on which the adversary sits.]

SV 2007 Basic Crypto EPFL-SSC 477 / 528


An X.509 Certificate Example: Overall Structure

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 674866 (0xa4c32)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town,
                O=Thawte Consulting cc, OU=Certification Services Division,
                CN=Thawte Server CA/[email protected]
        Validity
            Not Before: Jun  2 13:10:11 2003 GMT
            Not After : Jun 11 10:21:15 2005 GMT
        ...
        X509v3 extensions:
            X509v3 Extended Key Usage: TLS Web Server Authentication
            X509v3 Basic Constraints: critical CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        8d:7b:78:60:88:c4:13:4e:94:0d:bc:3b:1b:1c:b6:c9:bc:b1:
        0b:ed:7d:eb:6f:08:3a:ba:6d:21:36:93:38:36:66:7b:a7:bc:
        c0:3f:c4:e0:cf:b4:02:58:be:a6:b9:1d:45:a2:c4:58:38:07:
        e4:63:1a:d9:b9:8d:27:7c:93:67:31:82:6f:a3:3c:86:0c:e0:
        10:71:de:f2:e9:74:af:ac:76:b4:5b:8e:48:57:9d:8f:12:f6:
        72:63:8a:79:b4:74:e0:ba:ca:ac:1a:36:b4:16:38:c1:c5:d2:
        73:ed:e8:64:b0:ae:9e:e2:36:d7:0c:77:92:cc:c7:c0:e0:8a:
        54:24

SV 2007 Basic Crypto EPFL-SSC 484 / 528

Key Exchange Using Certificates

[Figure: the Authority holds K_CA,p and issues a certificate on the Server's public key Kp. The Client, holding K_CA,p, sends a request; the Server answers with its certificate; the Client verifies it, picks a symmetric key K and sends Enc_Kp(K); both ends now hold K (the Client also holds Kp).]

SV 2007 Basic Crypto EPFL-SSC 483 / 528

Public-Key Certificate

[Figure: a generator outputs the CA secret key and the CA public key; the CA public key reaches the verifier over an authenticated, integrity-protected channel. The CA signs a public key to produce a certificate; the verifier checks the certificate and, if it is ok, accepts the public key. The adversary sits on the channel carrying the certificate.]

SV 2007 Basic Crypto EPFL-SSC 482 / 528

Critical Secure Channels

[Figure: the Authority distributes its public key K_CA,p to Client 1, Client 2 and Client 3 over critical secure channels; Server 1, Server 2 and Server 3 each get their own public key K_1p, K_2p, K_3p certified by the Authority over equally critical channels.]

SV 2007 Basic Crypto EPFL-SSC 481 / 528


Connection

Client sends a connection request to Server

Client and Server run a key exchange protocol in which Server is authenticated

Server sends its public key together with a certificate (if available)

(First connection only) Client checks the certificate or asks the user to authenticate the public key by other means. Client stores the public key in a local database (typically .ssh/known_hosts).

(Other connections only) Client checks the public key against the local database.

They set up a secure channel

Client is authenticated by an application (e.g. a password)

SV 2007 Basic Crypto EPFL-SSC 488 / 528

Principles

principle: to implement secure (i.e. confidential and authenticated) communication channels in a client-server session

original philosophy: to be user-friendly (ssh had to be used exactly like rlogin), ready to use without any complicated installation, and easy to deploy

drawback: the security level is not so high, but still higher than what was used before

SSH2 uses public key infrastructures in order to authenticate the server. This is typically heavy stuff, but the user can easily bypass it: he just has to click "OK" whenever there is a security warning.

SV 2007 Basic Crypto EPFL-SSC 487 / 528


An X.509 Certificate Example: Subject

        Subject: C=CH, ST=Bern, L=Bern,
                 O=Switch - Teleinformatikdienste fuer Lehre und Forschung,
                 CN=nic.switch.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d0:0e:b7:16:bf:86:59:c3:97:e6:02:33:59:90:
                    65:29:b0:69:73:64:83:03:1b:df:62:a8:4d:c0:4f:
                    3c:d9:12:6b:8c:57:95:e1:57:e8:48:a6:7f:dd:15:
                    8b:9d:ad:93:dc:78:af:06:1a:ce:0f:7b:cc:c4:6f:
                    a0:06:26:40:73:04:d3:da:7b:20:c1:15:37:8c:2f:
                    58:c4:d4:c1:4b:18:84:5c:54:f1:b1:a0:44:3c:e2:
                    0e:8a:a2:63:48:6b:34:c7:10:9d:a1:23:56:77:f5:
                    4e:3d:38:9a:70:5e:03:02:30:45:ee:81:e4:94:96:
                    47:18:9e:47:37:bb:18:f6:87
                Exponent: 65537 (0x10001)

SV 2007 Basic Crypto EPFL-SSC 485 / 528


Key Derivation

Client and Server derive six keys from K and H:

Initial value IV from the client to the server: string = A

Initial value IV from the server to the client: string = B

Encryption key from the client to the server: string = C

Encryption key from the server to the client: string = D

Authentication key from the client to the server: string = E

Authentication key from the server to the client: string = F

A key consists of the leading bits of a sequence k1, k2, . . . generated by

k1 = H(K || H || string || session_id)

k_(i+1) = H(K || H || k1 || · · · || k_i)

SV 2007 Basic Crypto EPFL-SSC 492 / 528

Semi-Authenticated Key Exchange in SSH

Client Server

Client                                                  Server

version V_C, initial message I_C   --- V_C, I_C --->
                                   <--- V_S, I_S ---   version V_S, initial message I_S
pick x, e = g^x mod p              ------ e ------->
                                                        pick y, f = g^y mod p, K = e^y mod p
                                                        H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K)
                                   <-- K_S, f, s ---   s = Sig(H)
K = f^x mod p, check K_S
H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K)
Ver_K_S(s, H)

I_C and I_S: negotiation of algorithms

K_S: public key of the server

for diffie-hellman-group1-sha1 key exchange: p = 2^1024 − 2^960 − 1 + 2^64 · ⌊2^894 π + 129093⌋, g = 2, q = (p − 1)/2

SV 2007 Basic Crypto EPFL-SSC 491 / 528
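A worked example, added here and not part of the lecture, of the exchange hash H from the slide above and the A..F key derivation from the slide before it. It follows the RFC 4253 encodings the slides leave implicit (length-prefixed strings, K as an mpint). The Diffie-Hellman group, version strings and host-key blob are constructed for the demo; the real diffie-hellman-group1-sha1 prime is not used.

```python
# Added example, not the lecture's code: the SSH2 exchange hash H of slide
# 491 and the A..F key derivation of slide 492, with the RFC 4253 encodings
# the slides leave implicit (length-prefixed strings, K as an mpint).  The
# Diffie-Hellman group, version strings and host-key blob are constructed;
# the real diffie-hellman-group1-sha1 prime is not used here.
import hashlib
import secrets


def ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n):
    """Big-endian two's complement: a leading 0x00 is added when the top bit is set."""
    raw = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def exchange_hash(vc, vs, ic, is_, ks, e, f, k):
    """H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K)."""
    data = (ssh_string(vc) + ssh_string(vs) + ssh_string(ic) + ssh_string(is_)
            + ssh_string(ks) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(k))
    return hashlib.sha1(data).digest()


def derive_key(k, h, letter, session_id, length):
    """k1 = hash(K||H||letter||session_id), k(i+1) = hash(K||H||k1||...||ki); keep the leading bytes."""
    prefix = ssh_mpint(k) + h
    chunks = [hashlib.sha1(prefix + letter + session_id).digest()]
    while sum(len(c) for c in chunks) < length:
        chunks.append(hashlib.sha1(prefix + b"".join(chunks)).digest())
    return b"".join(chunks)[:length]


def derive_all(k, h, session_id, enc_len=32, iv_len=16, mac_len=20):
    """The six keys of slide 492: IVs (A, B), encryption keys (C, D), MAC keys (E, F)."""
    spec = [("iv_c2s", b"A", iv_len), ("iv_s2c", b"B", iv_len),
            ("enc_c2s", b"C", enc_len), ("enc_s2c", b"D", enc_len),
            ("mac_c2s", b"E", mac_len), ("mac_s2c", b"F", mac_len)]
    return {name: derive_key(k, h, letter, session_id, n) for name, letter, n in spec}


def demo():
    """One exchange in a toy group (p = 2^127 - 1, g = 3), then key derivation."""
    p, g = 2**127 - 1, 3
    x, y = secrets.randbelow(p - 2) + 2, secrets.randbelow(p - 2) + 2
    e, f = pow(g, x, p), pow(g, y, p)          # client sends e, server answers f
    k = pow(f, x, p)
    assert k == pow(e, y, p)                   # both sides agree on K
    h = exchange_hash(b"SSH-2.0-client", b"SSH-2.0-server", b"KEXINIT-C", b"KEXINIT-S",
                      b"constructed host key blob", e, f, k)
    # slide 491: the server signs H with its host key; slide 492: on the
    # first exchange the session_id is H itself
    return derive_all(k, h, h)
```

Because H commits to both version strings, both KEXINIT messages and the server host key, an adversary who tampers with algorithm negotiation ends up with a different H on the two sides, and the server's signature on H no longer verifies.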

SSH2 Key Exchange and Authentication

DSA for server authentication

Diffie-Hellman key exchange for setting up a symmetric sessionkey

(previous versions were entirely based on RSA)

Both DSA and Diffie-Hellman are based on some generator g which generates a subgroup of Z∗p of prime order q

SV 2007 Basic Crypto EPFL-SSC 490 / 528

Critical Assumptions

public key authentication in the first connection is secure (otherwise Server can be impersonated)

the local database has integrity protection (otherwise the Server public key can be replaced by another one)

SV 2007 Basic Crypto EPFL-SSC 489 / 528
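An added example (written for this page, not OpenSSH code) of the trust-on-first-use logic behind the Connection slide and the two critical assumptions above: a known_hosts database, hashed host entries in OpenSSH's `|1|salt|hmac` format, and the first-connection versus later-connection decision. The key blobs are constructed, not real server keys.

```python
# Added example, not OpenSSH's code: trust-on-first-use host key checking
# against a known_hosts database (slides 488 and 489).  Hashed host fields
# use OpenSSH's "|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))" form.
# The key blobs below are constructed for the demo, not real server keys.
import base64
import hashlib
import hmac
import secrets

KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
OTHER_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32, 64))).decode()


def hash_hostname(hostname, salt):
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field, hostname):
    """Plain fields may list several names; hashed fields are recomputed with their salt."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(field, hash_hostname(hostname, base64.b64decode(salt_b64)))
    return hostname in field.split(",")


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint, what the user is asked to confirm on first contact."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts, hostname, key_type, key_b64):
    """'new' (first connection: ask the user), 'ok' (matches the stored key) or 'MISMATCH'."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if host_matches(parts[0], hostname) and parts[1] == key_type:
            return "ok" if parts[2] == key_b64 else "MISMATCH"
    return "new"


def add_host_key(known_hosts, hostname, key_type, key_b64, hashed=True):
    """Append an entry; to be called only after the user has verified the fingerprint."""
    field = hash_hostname(hostname, secrets.token_bytes(20)) if hashed else hostname
    return known_hosts + "%s %s %s\n" % (field, key_type, key_b64)


def connect(known_hosts, hostname, key_type, key_b64):
    """The client's decision on slide 488; 'MISMATCH' must abort, never be clicked through."""
    verdict = check_host_key(known_hosts, hostname, key_type, key_b64)
    if verdict == "new":
        # the user is shown fingerprint(key_b64) and confirms it by other means
        known_hosts = add_host_key(known_hosts, hostname, key_type, key_b64)
    return verdict, known_hosts
```

The two assumptions on the slide map directly onto this code: the `new` branch is only as good as the user's out-of-band check of the fingerprint, and the `ok` branch is only as good as the integrity of the file the database is read from.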


Requirements

strong bidirectional authentication

confidentiality of communications

integrity of communication

the client side need not be strongly secure

SV 2007 Basic Crypto EPFL-SSC 496 / 528

Example of Critical Application

SV 2007 Basic Crypto EPFL-SSC 495 / 528


Secure Channel

The choice of the symmetric algorithms is negotiated between Client and Server

Several encryption schemes are proposed: triple DES, AES, RC4, IDEA, ...

The MAC algorithm is typically HMAC based on SHA-1 or MD5

SV 2007 Basic Crypto EPFL-SSC 493 / 528


Session State

Session identifier

Peer certificate (if any)

Cipher suite choice: algorithm for authentication and key exchange during the handshake; Cipher Spec: symmetric algorithms (encryption and MAC)

Master secret (a 48-byte symmetric key)

nonces (from the client and the server)

sequence numbers (one for each communication direction)

compression algorithm (if any)

SV 2007 Basic Crypto EPFL-SSC 500 / 528

TLS Record Protocols

Handshake Protocol (for initiating a session)

Change Cipher Spec Protocol (for setting up cryptographic algorithms)

Alert Protocol (for managing warnings and fatal errors)

Application Data Protocol

SV 2007 Basic Crypto EPFL-SSC 499 / 528

Common Use Principle

client-server communications, random client, corporate server

trusted third party: certificate authority (CA)

A+I secure channel with CA to be used only once

authentication of server based on public key

authentication of client (if needed) based on password

interoperable cipher suites

SV 2007 Basic Crypto EPFL-SSC 498 / 528

History

First version by Netscape in 1994

Microsoft version PCT in 1995

SSLv3 by Netscape in 1995

IETF version TLS/1.0 in 1997 [RFC2246]

IETF version TLS/1.1 in 2006 [RFC4346] (a draft in 2005)

Goal: secure any communication (e.g. HTTP) based on TCP/IP

SV 2007 Basic Crypto EPFL-SSC 497 / 528


Key Derivation

[Figure: nonceC (32B), nonceS (32B) and the pre_master_secret feed a PRF that outputs the master secret (48B); a second PRF call on the master secret and the nonces outputs, in order, Aut. C→S, Aut. S→C, Enc. C→S, Enc. S→C, IV C→S, IV S→C.]

pre_master_secret is 48B for RSA key exchange, or the obtained Diffie-Hellman key for DH_RSA, DH_DSS, DHE_RSA, DHE_DSS, and DH_anon

SV 2007 Basic Crypto EPFL-SSC 504 / 528

A Typical TLS Session

Client Server

Client                                                      Server

ClientHello: accepted cipher suites, nonce_C   ----------->
                                               <-----------  ServerHello: cipher suite, certificate, nonce_S (select cipher suite)
pick pre_master_secret
ClientKeyExchange: ENC(pre_master_secret)      ----------->  decrypt
(key derivation)                                             (key derivation)
MAC_C                                          ----------->  check
check                                          <-----------  MAC_S
(open tunnel)
                                               <-----------  [authentication?]
[login, password]                              ----------->  check

SV 2007 Basic Crypto EPFL-SSC 503 / 528

Original TLS Cipher Suites — ii

CipherSuite                              Key Exchange   Cipher     Hash
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA    DHE_DSS        DES40      SHA-1
TLS_DHE_DSS_WITH_DES_CBC_SHA             DHE_DSS        DES        SHA-1
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA        DHE_DSS        3DES_EDE   SHA-1
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA    DHE_RSA        DES40      SHA-1
TLS_DHE_RSA_WITH_DES_CBC_SHA             DHE_RSA        DES        SHA-1
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        DHE_RSA        3DES_EDE   SHA-1
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5       DH_anon        RC4_40     MD5
TLS_DH_anon_WITH_RC4_128_MD5             DH_anon        RC4_128    MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA    DH_anon        DES40      SHA-1
TLS_DH_anon_WITH_DES_CBC_SHA             DH_anon        DES        SHA-1
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA        DH_anon        3DES_EDE   SHA-1

SV 2007 Basic Crypto EPFL-SSC 502 / 528

Original TLS Cipher Suites — i

CipherSuite                              Key Exchange   Cipher     Hash
TLS_NULL_WITH_NULL_NULL                  NULL           NULL       NULL
TLS_RSA_WITH_NULL_MD5                    RSA            NULL       MD5
TLS_RSA_WITH_NULL_SHA                    RSA            NULL       SHA-1
TLS_RSA_EXPORT_WITH_RC4_40_MD5           RSA            RC4_40     MD5
TLS_RSA_WITH_RC4_128_MD5                 RSA            RC4_128    MD5
TLS_RSA_WITH_RC4_128_SHA                 RSA            RC4_128    SHA-1
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5       RSA            RC2_40     MD5
TLS_RSA_WITH_IDEA_CBC_SHA                RSA            IDEA       SHA-1
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA        RSA            DES40      SHA-1
TLS_RSA_WITH_DES_CBC_SHA                 RSA            DES        SHA-1
TLS_RSA_WITH_3DES_EDE_CBC_SHA            RSA            3DES_EDE   SHA-1
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA     DH_DSS         DES40      SHA-1
TLS_DH_DSS_WITH_DES_CBC_SHA              DH_DSS         DES        SHA-1
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA         DH_DSS         3DES_EDE   SHA-1
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA     DH_RSA         DES40      SHA-1
TLS_DH_RSA_WITH_DES_CBC_SHA              DH_RSA         DES        SHA-1
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA         DH_RSA         3DES_EDE   SHA-1

SV 2007 Basic Crypto EPFL-SSC 501 / 528


MAC in Record Protocol

More precisely, the MAC of a fragment is computed as the HMAC with key MAC_write_secret on

seq_num || TLSCompressed.type || TLSCompressed.version || TLSCompressed.length || TLSCompressed.fragment

MAC_write_secret is the MAC key of the sender

seq_num is the sequence number of the fragment

TLSCompressed.fragment is the compressed fragment

TLSCompressed.length is its actual length

TLSCompressed.type and TLSCompressed.version identify the content type (handshake, change cipher spec, alert, or application data) and the TLS protocol version in use

SV 2007 Basic Crypto EPFL-SSC 508 / 528

Application Data Record Protocol

split the application data into fragments of at most 2^14 bytes and send the fragments separately

(optional) compress the fragment

append a MAC to the fragment. The MAC is computed on a sequence number, the compression and TLS version materials, and the compressed fragment.

encrypt all this

send this after a record header (type, version, length)

SV 2007 Basic Crypto EPFL-SSC 507 / 528

PRF

Given a secret S, a seed, and a string label we define a sequence

a_0 = seed

a_i = HMAC_hash(S, a_(i−1))

r_i = HMAC_hash(S, a_i || seed)

P_hash(S, seed) = r_1 || r_2 || r_3 || . . .

PRF(secret, label, seed) = P_MD5(S1, label || seed) ⊕ P_SHA1(S2, label || seed)

where S1 and S2 are the two halves of secret. (If secret has an odd length, its middle byte is both the last byte of S1 and the first byte of S2.)

SV 2007 Basic Crypto EPFL-SSC 506 / 528

Using PRF

We define

h_handshake = MD5(handshake) || SHA1(handshake)

MAC_C = PRF(master_secret, "client finished", h_handshake)

MAC_S = PRF(master_secret, "server finished", h_handshake)

master_secret = PRF(pre_master_secret, "master secret", nonceC || nonceS)

key_block = PRF(master_secret, "key expansion", nonceS || nonceC)

handshake is the concatenation of all handshake messages; MAC_C and MAC_S are 12 bytes long; key_block is the concatenation of the four secret keys (two MAC keys, two encryption keys) and the two initial vectors.

SV 2007 Basic Crypto EPFL-SSC 505 / 528
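The PRF of the previous slide and its three uses above (master secret, key block, Finished MACs), as one added example that is not the course's code. Inputs are constructed; the key-block split assumes the sizes of TLS_RSA_WITH_3DES_EDE_CBC_SHA (20-byte HMAC-SHA1 keys, 24-byte 3DES keys, 8-byte IVs).

```python
# Added example, not the lecture's code: the TLS 1.0/1.1 PRF of slide 506
# and its uses on slides 504 and 505.  Inputs are constructed; the key-block
# split assumes TLS_RSA_WITH_3DES_EDE_CBC_SHA sizes (20-byte MAC keys,
# 24-byte 3DES keys, 8-byte IVs).
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash: a0 = seed, ai = HMAC(S, a(i-1)), ri = HMAC(S, ai || seed), output r1 || r2 || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """PRF = P_MD5(S1, label||seed) XOR P_SHA1(S2, label||seed); odd lengths share the middle byte."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    x = p_hash("md5", s1, label + seed, length)
    y = p_hash("sha1", s2, label + seed, length)
    return bytes(a ^ b for a, b in zip(x, y))


def master_secret(pre_master, nonce_c, nonce_s):
    return prf(pre_master, b"master secret", nonce_c + nonce_s, 48)


def key_block(master, nonce_c, nonce_s, mac_len=20, key_len=24, iv_len=8):
    """Slide 504 order: Aut. C->S, Aut. S->C, Enc. C->S, Enc. S->C, IV C->S, IV S->C."""
    names = ["mac_c2s", "mac_s2c", "enc_c2s", "enc_s2c", "iv_c2s", "iv_s2c"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    block = prf(master, b"key expansion", nonce_s + nonce_c, sum(sizes))   # server nonce first here
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name], pos = block[pos:pos + size], pos + size
    return keys


def finished_mac(master, handshake, client):
    """MAC_C / MAC_S of slide 505: 12 bytes of PRF over MD5(handshake) || SHA1(handshake)."""
    h = hashlib.md5(handshake).digest() + hashlib.sha1(handshake).digest()
    return prf(master, b"client finished" if client else b"server finished", h, 12)
```

Note the nonce order: the master secret uses nonceC || nonceS while key expansion uses nonceS || nonceC, exactly as on the slide; swapping them yields a key block the peer cannot reproduce.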


RSA Key Exchange

Client Server

Client                                                      Server

ClientHello: accepted cipher suites, nonce_C   ----------->
                                               <-----------  ServerHello: TLS_RSA_cipher_hash, certificate, nonce_S
pick pre_master_secret
ClientKeyExchange: ENC(pre_master_secret)      ----------->  decrypt

RSA encryption is PKCS#1v1.5

the RSA public key must be authenticated

SV 2007 Basic Crypto EPFL-SSC 512 / 528

Using Stream Ciphers

The RC4 stream cipher is used as a key-stream generator withone-time pad. The internal state of the generator is kept in theconnection state so that the RC4 automaton continuously generateskeystreams in order to encrypt the fragments sequence.

SV 2007 Basic Crypto EPFL-SSC 511 / 528

Using Block Ciphers in CBC Mode

[Figure: sender: Text → MAC → PAD → CBC; receiver: DEC → VER → Text, with two possible failure alerts, bad_record_mac (from VER) and decryption_failed (from DEC). Example with 8-byte blocks: block 1 = "SECRET A", block 2 = "CCESS" followed by the first MAC bytes, block 3 = the remaining MAC bytes followed by the padding bytes 2 2 2.]

SV 2007 Basic Crypto EPFL-SSC 510 / 528

Secure Channel in SSL/TLS (Using CBC Encryption)

[Figure: the sender computes the MAC of the fragment with the MAC key and seq_num, encrypts fragment || MAC with the encryption key and IV, and sends the result over a channel on which the adversary sits; the receiver decrypts with the IV and encryption key, recomputes the MAC of the fragment with the MAC key and seq_num, and compares it with the received one.]

SV 2007 Basic Crypto EPFL-SSC 509 / 528
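An added example, not the lecture's code, of the record protection on the four slides above: MAC over the sequence number and header, TLS 1.0 padding, CBC encryption, and a receiver that raises the two alerts the figure shows. It assumes a toy 8-byte Feistel cipher built from SHA-256 in place of 3DES, constructed keys, and the TLS 1.0 rule that the next record's IV is the previous record's last ciphertext block.

```python
# Added example, not the lecture's code: TLS 1.0 record protection as on
# slides 507-510 (MAC over seq_num||type||version||length||fragment, then
# padding, then CBC), with the receiver distinguishing a padding failure
# (decryption_failed) from a MAC failure (bad_record_mac).  A toy 8-byte
# Feistel cipher built from SHA-256 stands in for 3DES so everything runs
# with the standard library; it is NOT a secure cipher.
import hashlib
import hmac
import struct

BLOCK, MAC_LEN = 8, 20   # 3DES block size, HMAC-SHA1 output size


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_cipher(key, block, decrypt=False):
    """8 Feistel rounds with F = SHA-256(key || round || half)[:4]; halves swapped at the end."""
    l, r = block[:4], block[4:]
    for i in (range(7, -1, -1) if decrypt else range(8)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_cipher(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(toy_block_cipher(key, blk, decrypt=True), prev))
        prev = blk
    return b"".join(out)


def record_mac(mac_key, seq_num, ctype, version, fragment):
    """Slide 508: HMAC(MAC_write_secret, seq_num || type || version || length || fragment)."""
    header = struct.pack(">QBHH", seq_num, ctype, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def protect(state, seq_num, ctype, version, fragment):
    """Sender: fragment || MAC || padding, CBC-encrypted, behind a (type, version, length) header."""
    body = fragment + record_mac(state["mac"], seq_num, ctype, version, fragment)
    pad_len = BLOCK - (len(body) + 1) % BLOCK
    body += bytes([pad_len]) * (pad_len + 1)     # pad_len bytes of value pad_len, then pad_len
    ct = cbc_encrypt(state["enc"], state["iv"], body)
    state["iv"] = ct[-BLOCK:]                    # TLS 1.0: the next record chains on the last block
    return struct.pack(">BHH", ctype, version, len(ct)) + ct


def unprotect(state, seq_num, record):
    """Receiver: ('ok', fragment), or the name of the alert the failure would raise."""
    ctype, version, length = struct.unpack(">BHH", record[:5])
    ct = record[5:5 + length]
    if length == 0 or length % BLOCK:
        return "decryption_failed", b""
    plain = cbc_decrypt(state["enc"], state["iv"], ct)
    state["iv"] = ct[-BLOCK:]
    pad_len = plain[-1]
    if pad_len + 1 + MAC_LEN > len(plain) or plain[-pad_len - 1:] != bytes([pad_len]) * (pad_len + 1):
        return "decryption_failed", b""          # TLS 1.0 alert for malformed padding
    body = plain[:len(plain) - pad_len - 1]
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, record_mac(state["mac"], seq_num, ctype, version, fragment)):
        return "bad_record_mac", b""
    return "ok", fragment


def fresh_state():
    """Constructed keys standing in for the key-block output of slide 504."""
    return {"mac": b"M" * MAC_LEN, "enc": b"K" * 24, "iv": b"\x00" * BLOCK}
```

A replayed record fails because seq_num is inside the MAC; a flipped byte that lands on the padding block raises decryption_failed while one that lands on the fragment raises bad_record_mac. That the receiver reports these two cases differently is exactly what TLS 1.1 (RFC 4346) removed, reporting both as bad_record_mac and replacing the chained IV with an explicit per-record IV.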


DH anon Key Exchange

Client Server

Client                                                      Server

ClientHello: accepted cipher suites, nonce_C   ----------->
                                               <-----------  ServerHello: TLS_DH_anon_cipher_hash, nonce_S
                                               <-----------  ServerKeyExchange: p, g, g^x mod p (select p, g, pick x)
pick y
ClientKeyExchange: g^y mod p                   ----------->

pre_master_secret = g^(xy) mod p

Diffie-Hellman protocol is not authenticated!

SV 2007 Basic Crypto EPFL-SSC 515 / 528

DHE sig Key Exchange

Client Server

Client                                                      Server

ClientHello: accepted cipher suites, nonce_C   ----------->
                                               <-----------  ServerHello: TLS_DHE_sig_cipher_hash, certificate, nonce_S
                                               <-----------  ServerKeyExchange: p, g, g^x mod p, sig(hash(p, g, g^x mod p)) (select p, g, pick x)
pick y
ClientKeyExchange: g^y mod p                   ----------->

pre_master_secret = g^(xy) mod p

the sig public key must be authenticated in the certificate

gy mod p is not authenticated!

SV 2007 Basic Crypto EPFL-SSC 514 / 528

DH sig Key Exchange

Client Server

Client                                                      Server

ClientHello: accepted cipher suites, nonce_C   ----------->
                                               <-----------  ServerHello: TLS_DH_sig_cipher_hash, certificate, nonce_S
pick y
ClientKeyExchange: g^y mod p                   ----------->

pre_master_secret = g^(xy) mod p

the certificate is signed using the sig algorithm

the certificate includes p, g, g^x mod p

this is fixed Diffie-Hellman, where the parameters are chosen by the server and the server uses a fixed x

SV 2007 Basic Crypto EPFL-SSC 513 / 528


Example

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PGP makes cryptographic messages readable for human beings.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBA4c1/LSQdhvwJ58RAjzEAKCXHnwQHNGbX2Bzjo3AMZHABWTW5wCgkxVL
rq22vPs5vlR6RZOf1zEDSF4=
=cVzf
-----END PGP SIGNATURE-----

gpg: Signature made Sun 25 Jul 2004 12:11:01 PM CEST using DSA key ID 1BF0279F
gpg: Good signature from "Serge Vaudenay <serge.vaudenay@epfl.ch>"

SV 2007 Basic Crypto EPFL-SSC 520 / 528

ASCII Armor Format

protection of unreadable files (ciphertexts, signatures, hashed values, or even cryptographic keys) by encoding them into a readable form

(transparency and education) users can see the crypto in function(signature structure, PGP version)

Radix-64 code (also called base64 in the MIME standard)

SV 2007 Basic Crypto EPFL-SSC 519 / 528
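An added example (not from the lecture) that undoes the armor of the signature shown two slides up: it strips the armor lines, checks the Radix-64 CRC-24 trailer (the `=cVzf` line), and reads the OpenPGP v3 signature packet header, recovering the creation time and the key ID that gpg prints. The armor text is the slide's, with the blank line after the Version header restored; the CRC and packet layout follow RFC 4880, and the DSA values themselves are not verified.

```python
# Added example, not the lecture's code: dearmoring the signature of slide
# 520 and parsing its OpenPGP v3 signature packet (RFC 4880).  The armor
# text is the slide's; the blank line after "Version:" lost in extraction
# is restored.  Only the packet header is read; the DSA values are not checked.
import base64
import datetime

ARMORED_SIGNATURE = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBA4c1/LSQdhvwJ58RAjzEAKCXHnwQHNGbX2Bzjo3AMZHABWTW5wCgkxVL
rq22vPs5vlR6RZOf1zEDSF4=
=cVzf
-----END PGP SIGNATURE-----
"""
PUBKEY_ALGS = {1: "RSA", 17: "DSA"}
HASH_ALGS = {1: "MD5", 2: "SHA1"}


def crc24(data):
    """OpenPGP CRC-24 (RFC 4880 section 6.1): init 0xB704CE, polynomial 0x864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Return (block type, armor headers, decoded payload, whether the '=' CRC line matches)."""
    lines = text.strip().splitlines()
    block_type = lines[0][len("-----BEGIN "):-len("-----")]
    headers, i = {}, 1
    while lines[i].strip():                     # armor headers run until the blank line
        key, value = lines[i].split(": ", 1)
        headers[key] = value
        i += 1
    body, crc_line = [], None
    for line in lines[i + 1:]:
        if line.startswith("-----END "):
            break
        if line.startswith("="):                # the Radix-64 CRC-24 trailer
            crc_line = line[1:]
        else:
            body.append(line.strip())
    payload = base64.b64decode("".join(body))
    crc_ok = crc_line is not None and base64.b64decode(crc_line) == crc24(payload).to_bytes(3, "big")
    return block_type, headers, payload, crc_ok


def parse_v3_signature(packet):
    """Old-format packet header (tag 2, one-byte length), then the v3 signature fields."""
    tag_byte = packet[0]
    if (tag_byte & 0xC0) != 0x80 or (tag_byte & 0x03) != 0:
        raise ValueError("expected an old-format packet with a one-byte length")
    tag, length = (tag_byte >> 2) & 0x0F, packet[1]
    body = packet[2:2 + length]
    if tag != 2 or body[0] != 3 or body[1] != 5:
        raise ValueError("expected a version 3 signature packet")
    created = int.from_bytes(body[3:7], "big")
    return {
        "tag": tag,
        "length": length,
        "sig_type": body[2],                    # 0x01: canonical text document
        "created": datetime.datetime.fromtimestamp(created, datetime.timezone.utc),
        "key_id": body[7:15].hex().upper(),     # gpg prints the low 32 bits: 1BF0279F
        "pubkey_alg": PUBKEY_ALGS.get(body[15], body[15]),
        "hash_alg": HASH_ALGS.get(body[16], body[16]),
        "hash_left16": body[17:19].hex(),
        "r_bits": int.from_bytes(body[19:21], "big"),   # bit length of the first DSA MPI
    }
```

The first bytes of the decoded payload are 88 3f 03 05 01 41 03 87 35: packet tag 2 with a 63-byte body, version 3, signature type 1, and the creation time 0x41038735, which is 10:11:01 UTC on 25 July 2004, the 12:11:01 CEST that gpg prints. This is what the slide means by users being able to see the crypto in function.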

Security for Individuals

easy to set up without any corporate help

certificates do not rely on any authority

no use of any public parameter

anyone can freely generate their own key and choose their cryptographic algorithm

encrypt, decrypt, hash, sign, or verify digital files (archives or emails)

popular algorithms in PGP are IDEA symmetric encryption, RSA encryption or signature, and the MD5 hash function

SV 2007 Basic Crypto EPFL-SSC 518 / 528

History

Unlike SSL, which is dedicated to on-line communication, PGP focuses on off-line communication: signature and encryption of emails, archives, ...

PGP was first designed by Phil Zimmermann in the nineties, in conflict with US law at the time.

The GNU version of PGP is called GPG, for GnuPG.

SV 2007 Basic Crypto EPFL-SSC 517 / 528


Security Weak Points

PGP may not be very well used (need for education): choosing pass phrases, managing keys, caring about key ring integrity...

key infrastructure heavily relies on trust (no authority)

key revocation is ad-hoc based (no central service)

SV 2007 Basic Crypto EPFL-SSC 524 / 528

Example of Key Ring

vaudenay@lasecpc7:~> gpg --list-public-keys
/home/vaudenay/.gnupg/pubring.gpg
---------------------------------
pub   1024D/1BF0279F 2004-07-25 Serge Vaudenay <serge.vaudenay@epfl.ch>
sub   1024g/9D26BE8B 2004-07-25

pub   1024D/8EB9124A 2004-07-25 Student <[email protected]>
sub   1024g/ECCAE364 2004-07-25

pub   1536R/27295F6B 2004-07-25 Colleague <colleague@epfl.ch>

D=DSA, g=ElGamal, R=RSA

SV 2007 Basic Crypto EPFL-SSC 523 / 528

Public Key Management

Users manage their public key ring themselves (extracting, adding, changing keys, annotating, ...)

When a user is given a public key by another one, he can insert it in his key ring. At the same time, he qualifies how much he trusts that the key is valid. For instance,

if the key was given hand to hand, he can fairly trust that the key is valid

if the key was taken from a web site through an insecure connection, he may give a low confidence in its validity

if the public key is certified by a third party, the user puts a trust qualification accordingly

a web of trust of users defines trust paths for public keys

SV 2007 Basic Crypto EPFL-SSC 522 / 528

Key Management

symmetric keys can be prompted from the user. They are usually derived, using a hash function, from a pass phrase freely chosen by the user.

Asymmetric keys are stored in key ring databases.

Asymmetric secret keys are encrypted by a symmetric one.

extensive usage of checksums and cryptographic digests so that bad pass phrases or modified files are easily detected

asymmetric key pair generation by providing enough randomness (e.g. using an "entropy collector" fed with key strokes on the keyboard)

SV 2007 Basic Crypto EPFL-SSC 521 / 528


Main Conclusion

La crypto c’est rigolo!

SV, 1995

(Crypto is fun!)

SV 2007 Basic Crypto EPFL-SSC 528 / 528

Conclusion

SSH increases IP security for remote connections

SSL is a key for WWW security

PGP is a nice tool for small ad-hoc communities

they all combine the cryptographic ingredients quite nicely

they are permanently improved to fix mistakes and use state-of-the-art cryptography

SV 2007 Basic Crypto EPFL-SSC 527 / 528

Bluetooth

secure network between devices within short distances

lightweight cryptography

initial authenticated channel by human interaction with the devices

key exchange based on a PIN and E21, E22 (low security)

derivation of a single 128-bit long-term link key

secure channel based on E0, E1, E3

several missing security properties: packet authentication, detection of packet loss, privacy, ...

SV 2007 Basic Crypto EPFL-SSC 526 / 528
