action to transform a plaintext into a ciphertext or the opposite
SV 2007 Basic Crypto EPFL-SSC 8 / 528
Key Words — ii
Cryptography
(originally) the science of secret codes, enabling the confidentiality of communication through an insecure channel
Cipher
secret code, enabling the expression of a public code by a secret one by making the related information confidential
Cryptographic system, cryptosystem
set of cryptographic algorithms which include ciphers and other cryptographic algorithms
Cryptosystem
→ mostly used for “public key cryptosystem”; “secret key cryptographic systems” are rather called “ciphers”
Key Words — i
Confidentiality, secrecy
assurance that a given information cannot be accessed by unauthorized parties
Privacy ≠ secrecy (but sometimes synonym)
ability for a person to control how his personal information spreads in a community
Code
a system of symbols which represent information
Coding theory
science of code transformation which enables to send information through a communication channel in a reliable way (→ dummy adversary)
Encode, Decode
action to transform an information into a codeword, or to recover the information from a codeword
1 Chapter 1: Prehistory of Cryptography
Terminology
Cryptography Prehistory
A Science of Malice in Communication Technologies
how to abuse an information security system?
how to model malicious adversaries?
how to reduce adversaries' success to well known complexity problems?
for the bad guy: how to break a system? (Any dirty math allowed)
for the good guy: how to formally prove security? (Rigorous analysis when possible)
Applications
entered in mass product markets quite recently
used for authentication and encryption (bank cards, wireless telephone, e-commerce, pay-TV)
used for access control (car lock systems, ski lifts)
used for payment (prepaid phone cards, e-cash)
used for logistic & supply chains (RFID)
Defining Cryptography
cryptography vs coding theory
cryptography faces malicious adversaries (not random noise)
secrecy theory?
cryptography and secrecy
Cryptography has now a wider sense: the science of information protection against unauthorized parties by preventing unauthorized alteration or use. Cryptographic algorithms are the mathematical algorithms which enforce the protection.
Wide: quick switch between theory, application, business, politics
Romantic: hackers, spies, ...
Fun: solving puzzles...
Probabilities of Occurrence in English
letter  probability   letter  probability   letter  probability
A       0.082         J       0.002         S       0.063
B       0.015         K       0.008         T       0.091
C       0.028         L       0.040         U       0.028
D       0.043         M       0.024         V       0.010
E       0.127         N       0.067         W       0.023
F       0.022         O       0.075         X       0.001
G       0.020         P       0.019         Y       0.020
H       0.061         Q       0.001         Z       0.001
I       0.070         R       0.060
Simple Substitutions
Caesar Cipher:
a b c d e f g h i k l m n o p q r s t v x
D E F G H I K L M N O P Q R S T V X A B C
caesar −→ FDHXDV
ROT13:
a b c d e f g h i j k l m n o p q r s t u v w x y z
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
rot −→ EBG
Transpositions
Spartan scytales:
this is a dummy message
[figure: the plaintext is written along the strip wound around the scytale (in rows) and read off once unwound (in columns)]
TSMSH MSIAYAS G DMEIUE
Secret Writing
Hieroglyphs!
Vigenère Cipher
Plaintext: this is a dummy message
Key: ABC
  this is a dummy message
+ ABCA BC A BCABC ABCABCA
= TIKS JU A EWMNA MFUSBIE
Ciphertext: TIKSJUAEWMNAMFUSBIE
e.g. y + C = A.
Step I: Frequency Analysis
letter  frequency   letter  frequency   letter  frequency
A       0           J       11          S       3
B       1           K       1           T       2
C       15          L       0           U       5
D       13          M       16          V       5
E       7           N       9           W       8
F       11          O       0           X       6
G       1           P       1           Y       10
H       4           Q       4           Z       20
I       5           R       10
30 most common bigrams:
TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI and OF.
12 most common trigrams (in decreasing order):
THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR and DTH.
Application to the Vigenère Cipher
With the example TIKSJUAEWMNAMFUSBIE, if we guess that the key is of length 3, we can write
T I K
S J U
A E W
M N A
M F U
S B I
E
so we can compute the index of coincidence of TSAMMSE, IJENFB and KUWAUI.
Index of Coincidence
\[ \mathrm{Index}(x_1, \ldots, x_n) = \Pr_{I,J}[x_I = x_J \mid I < J] = \sum_{c \in Z} \frac{n_c (n_c - 1)}{n (n - 1)} \]
where I, J ∈ {1, ..., n} are independent uniformly distributed
Proposition
For any permutation σ over Z, we have
\[ \mathrm{Index}(\sigma(x_1), \ldots, \sigma(x_n)) = \mathrm{Index}(x_1, \ldots, x_n) \]
Index(English text) → 0.065 when n → +∞
Index(Random string) → 0.038 when n → +∞
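Added example, not from the original slides: Vigenère encryption of the slide's message, the column split for a key-length guess of 3, and the index of coincidence with its permutation invariance, in Python. The function names are ours.

```python
# Added example, not from the original slides: Vigenere encryption and the
# index of coincidence, reproducing the slides' key-length guess on
# TIKSJUAEWMNAMFUSBIE. The function names here are ours.
from collections import Counter
from itertools import cycle

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift every letter of text by the matching key letter (A = 0, B = 1, ...).

    Non-letters are dropped, as the slide does with the spaces of
    'this is a dummy message'; the key only advances on letters.
    """
    out = []
    keystream = cycle(key.upper())
    for ch in text.upper():
        if ch not in ALPHABET:
            continue
        shift = ALPHABET.index(next(keystream))
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def index_of_coincidence(s: str) -> float:
    """Index(x_1, ..., x_n) = sum over letters c of n_c (n_c - 1) / (n (n - 1))."""
    n = len(s)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(s).values()) / (n * (n - 1))


def split_columns(ciphertext: str, key_length: int) -> list:
    """Column i holds the letters encrypted under key letter i, i.e. one Caesar shift."""
    return [ciphertext[i::key_length] for i in range(key_length)]


def column_indices(ciphertext: str, key_length: int) -> list:
    """Index of coincidence of each column. By the proposition on the slide a
    Caesar shift leaves the index unchanged, so on a long text the columns of
    the right key-length guess look like English (~0.065), not random (~0.038)."""
    return [index_of_coincidence(col) for col in split_columns(ciphertext, key_length)]


def main():
    ciphertext = vigenere("this is a dummy message", "ABC")
    print(ciphertext)                        # TIKSJUAEWMNAMFUSBIE
    print(split_columns(ciphertext, 3))      # ['TSAMMSE', 'IJENFB', 'KUWAUI']
    for guess in (2, 3, 4):
        print(guess, [round(v, 3) for v in column_indices(ciphertext, guess)])
    # the 19-letter toy message is far too short for the 0.065 / 0.038 limits
    # to separate guesses; on a real-length ciphertext the right one stands out


if __name__ == "__main__":
    main()
```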
Is this Significant?
In a truly random sequence of 294 characters with alphabet of 26 letters there are n = 292 trigrams t_1, ..., t_n out from 1/p = 26^3 = 17576 possibilities; every possible trigram abc has a number of occurrences
\[ n_{abc} = \sum_{i=1}^{n} 1_{t_i = abc} \]
\[ \Pr[n_{abc} = t] = \binom{n}{t} p^t (1-p)^{n-t} \approx \frac{\lambda^t}{t!} e^{-\lambda} \quad \text{with } \lambda = n \times p \]
since
\[ e^{\lambda} = \sum_{i=0}^{t-1} \frac{\lambda^i}{i!} + \int_0^{\lambda} \frac{(\lambda - x)^{t-1}}{(t-1)!} e^{x} \, dx \]
we have
\[ \Pr[n_{abc} \ge t] \approx 1 - e^{-\lambda} \sum_{i=0}^{t-1} \frac{\lambda^i}{i!} \le e^{-\lambda} \int_0^{\lambda} \frac{(\lambda - x)^{t-1}}{(t-1)!} e^{x} \, dx \le \frac{\lambda^t}{t!} \]
with t = 5 we have
\[ \Pr[\max_{\alpha\beta\gamma} n_{\alpha\beta\gamma} \ge t] \le 26^3 \Pr[n_{abc} \ge t] \le 10^{-6} \]
Kasiski Test
C H R E E VOAHMA E R A T B I A X XWT NX B EEOPHBSBQMQEQ E RBWR V X UO A KXAOS X X WE A HBWG J MMQMNKGRF VGXWTRZXW I A KL X F P S K AUTEMN D C M G TS XMX B TU I ADNGMGPSR E L XN J EL XV R V P R T U L HDN QW T WD TYG B P HX T F AL J HASVB F XNGL L CHRZ BW E L E KMS J I K N B HWR J G NMG J SG LXFEYPHAG NRB I EQJ TA MR V L C RREMN D G L X R R I MGN SNRWCHRQHAEY E V TAQ E BB IP E E WE V KAKOEWA D R EMXM T B HHCHRTKDNVRZ C HRC L QOHPWQ A I I WXNRMGWO I I F KE E
CHR occurs at 1, 166, 236, 276, 286.
The Enigma Cipher (Mathematically) — i
We define permutations over the 26-character alphabet.
Reflexion. π is a fixed involution with no fixed points.
Rotors. S is a set of five permutations over the alphabet. ρ is the circular rotation over the alphabet by one position. ρ^i thus denotes the circular rotation over the alphabet by i positions. α_i denotes ρ^{−i} ∘ α ∘ ρ^i.
Wire connection. σ is a configurable involution with 6 fixed points.
Enigma Building Blocks
given a permutation σ over Z = {A, B, ..., Z}, a fixed point is an element x ∈ Z such that σ(x) = x
an involution over Z is a permutation σ of Z such that σ(σ(x)) = x for all x. Examples: reflector, plug board
a rotor is defined by a set of permutations σ_0, ..., σ_25 over Z; the rotor in position i implements permutation σ_i such that σ_i = ρ^{−i} ∘ σ_0 ∘ ρ^i where ρ(A) = B, ρ(B) = C, ..., ρ(Z) = A
The Enigma Circuit
[figure: the Enigma circuit: Kbd → Plug → Rotor → Rotor → Rotor → Reflector, then back through the rotors and the plug board to the Lamp]
Enigma
Vernam Cipher
we use a uniformly distributed random key K (a bitstring)
every message X requires a new K of same size (one-time pad)
Encrypting X with K: compute X ⊕ K
Decrypting Y with K: compute Y ⊕ K
⊕ | 0 1
0 | 0 1
1 | 1 0
  (X) 10010
⊕ (K) 00111
= (Y) 10101
⊕ (K) 00111
= (X) 10010
The Laws of Modern Cryptography
The n^2 Problem: in a network of n users, there is a number of potential pairs of users within the order of magnitude of n^2
The Kerckhoffs Principle: security should not rely on the secrecy of the cryptosystem itself
The Moore Law: the speed of CPUs doubles every 18 months
The Murphy Law: if there is a single security hole, the exposure of a cryptosystem will make sure that someone will ultimately find it
A Turing Machine
The Enigma Cipher (Mathematically) — ii
Secret key:
σ
an ordered choice α, β, γ ∈ S of pairwise different permutations
a number a
Plaintext: x = x_1, ..., x_m
Ciphertext: y = y_1, ..., y_m
Encryption:
\[ y_i = \sigma^{-1} \circ \alpha_{i_1}^{-1} \circ \beta_{i_2}^{-1} \circ \gamma_{i_3}^{-1} \circ \pi \circ \gamma_{i_3} \circ \beta_{i_2} \circ \alpha_{i_1} \circ \sigma(x_i) \]
where i_3 i_2 i_1 are the last three digits of the basis 26 numeration of i + a.
A Note on the Vernam Cipher
If used in an appropriate way, this cipher is perfectly secure
It is pretty expensive (true randomness is expensive, key exchange is expensive)
We cannot achieve perfect security at a lower cost (Shannon Theory)
Using the Same Key Twice
[figure]
Y1 ⊕ K = X1
Y2 ⊕ K = X2
Y1 ⊕ Y2 = X1 ⊕ X2
Example
[figure: image ⊕ image = image]
Visual Cryptography
Pixel coding
0 −→
1 −→
Pixel XOR
0⊕0 −→ ≈
0⊕1 −→ =
1⊕0 −→ =
1⊕1 −→ ≈
2 Chapter 2: Conventional Cryptography
Symmetric Encryption Model
The DES Block Cipher
Modes of Operations
Other Block Ciphers
Stream Ciphers
The AES Block Cipher
Brute Force Attacks
Chapter Content
DES: Feistel Scheme, S-boxes
Modes of operation: ECB, CBC, OFB, CFB, CTR, UNIX passwords
Classical designs: IDEA, SAFER-K64, AES
⋆Case study: FOX, CS-CIPHER
Stream ciphers: RC4, A5/1, E0
Brute force attacks: exhaustive search, tradeoffs, meet-in-the-middle
2 Chapter 2: Conventional Cryptography
Conclusion
a lot of pedestrian cryptography in the prehistory
now a need for standard solutions
perfect security requires an unreasonable cost
we must trade security against cost
Stream Ciphers vs Block Ciphers
stream cipher:
small granularity (encrypt bits or bytes)
based on the Vernam cipher, requires a nonce (number to be used only once)
very high speed rate, very cheap on hardware
low confidence on security
block cipher:
large granularity (encrypt blocks of 64 or 128 bits), require padding techniques for messages with arbitrary length
high rate, nice for software implementation, can be adapted to various platforms (8-bit, 32-bit, or 64-bit microprocessors)
well established security
Two Categories of Symmetric Encryption
stream ciphers: RC4, GSM–A5/1, Bluetooth–E0, CSS, ...
block ciphers: DES, 3DES, IDEA, BLOWFISH, RC5, AES, KASUMI, SAFER, CS-Cipher, FOX, ...
Symmetric Encryption
[figure: a key generator delivers the same key (CONFIDENTIAL) to both ends; Message X → Encrypt → Y → Decrypt → Message X, with the adversary observing the channel]
Feistel Scheme
transform functions over {0,1}^{n/2} into permutations over {0,1}^n
inverse permutations have the same structure
alternate round functions and half swaps
final half swap omitted
DES^{−1}
[figure: DES^{−1}: IP, then the Feistel scheme with round keys K16, K15, ..., K1 from the reversed key schedule of K, then IP^{−1}]
DES
[figure: DES: IP, then the Feistel scheme with round keys K1, K2, ..., K16 from the key schedule of K, then IP^{−1}]
DES: the Data Encryption Standard
US Standard from NBS (now NIST), branch of the Department of Commerce in 1977
secret design by IBM based on a call for proposal
based on LUCIFER by Horst Feistel (from IBM)
design influenced by the NSA
rationales of the design published by Don Coppersmith in 1994
Chabloz         President     78’964.31
Zufferey        Manager       23’321.16
Neuenschwander  Consultant    34’445.22
Schneider       Affirmative   38’206.51
Cotti           Audiovisual   21’489.15
C(3) for Neuenschwander = C(3) for Schneider
ECB Mode
[figure: ECB mode: each block is encrypted independently, y_i = C(x_i)]
UNIX Passwords
[figure: UNIX password hashing: a 12-bit salt taken from the clock modifies DES; the 56-bit password W keys the modified DES, iterated from the zero block; the result is stored in /etc/passwd]
OFB Mode
[figure: OFB mode: the block cipher C is iterated starting from IV, producing a keystream; y_i = x_i ⊕ (i-th keystream block)]
Note on the CBC Mode
Three possibilities for dealing with IV
Using a (non secret) constant IV
Using a secret IV which is part of the key
Using a random IV which is sent in clear with the ciphertext
CBC Decryption
[figure: CBC decryption: x_i = C^{−1}(y_i) ⊕ y_{i−1}, with y_0 = IV]
CBC Mode
[figure: CBC mode: y_i = C(x_i ⊕ y_{i−1}), with y_0 = IV]
Note on the CTR Mode
t_i must be new for every block!
Example 1: t_i = msg counter || blk counter
Example 2: t_i = t_1 + (i − 1) where t_1 is the last t_n plus 1
Example 3: t_i = t_1 + (i − 1) where t_1 is a (unique) nonce
CTR also transforms a block cipher into a stream cipher
CTR Mode
[figure: CTR mode: y_i = x_i ⊕ C(t_i) for counter blocks t_1, t_2, t_3, ..., t_n]
CFB Mode
[figure: CFB mode: y_i = x_i ⊕ C(y_{i−1}), with y_0 = IV]
Note on the OFB Mode
IV must be new for every plaintext!
Use a random one which is sent in clear...
... or use a counter-based IV
This is not only a property of the OFB mode: property of stream ciphers
OFB actually transforms a block cipher into a stream cipher
In SSL/TLS:
key is used only once
first 256 output bytes are dropped
state is kept from one message to the other
In WEP:
key is the concatenation of a 3-byte nonce (sent in clear) and a 5-byte key
RC4 Key Schedule
j ← 0
for i = 0 to 255 do
  S[i] ← i
end for
for i = 0 to 255 do
  j ← j + S[i] + K[i mod ℓ]
  swap S[i] and S[j]
end for
i ← 0
j ← 0
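Added example, not the slides' code: the RC4 key schedule above followed by the standard RC4 output generation (not shown on the slide), so that the drop-256 convention from the SSL/TLS note and keystream reuse can be exercised. Function names are ours; the test vectors are the well-known "Key"/"Plaintext" and "Wiki"/"pedia" pairs.

```python
# Added example, not the slides' code: RC4 key schedule (as on the slide) plus
# the standard RC4 keystream generator, with an optional drop of the first
# output bytes as done in SSL/TLS. Function names are ours.


def rc4_key_schedule(key: bytes) -> list:
    """Initialise S = identity, then 256 key-driven swaps (arithmetic mod 256)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Standard RC4 generator; the first `drop` bytes are discarded, as in SSL/TLS."""
    S = rc4_key_schedule(key)
    i = j = 0
    out = bytearray()
    for _ in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Vernam-style: XOR the data with the keystream (encryption == decryption)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))


def xor_of_plaintexts(key: bytes, x1: bytes, x2: bytes) -> bytes:
    """With the same key (no fresh nonce) used twice, y1 XOR y2 = x1 XOR x2:
    the keystream cancels, which is why the slides require a nonce used only once."""
    y1 = rc4_crypt(key, x1)
    y2 = rc4_crypt(key, x2)
    return bytes(a ^ b for a, b in zip(y1, y2))


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())         # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", b"Plaintext", drop=256).hex())  # different keystream
```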
A5/1 Key Schedule
set all registers to zero
for i = 0 to 63 do
  R1[0] ← R1[0] ⊕ KC[i]
  R2[0] ← R2[0] ⊕ KC[i]
  R3[0] ← R3[0] ⊕ KC[i]
  clock all registers
end for
for i = 0 to 21 do
  R1[0] ← R1[0] ⊕ Count[i]
  R2[0] ← R2[0] ⊕ Count[i]
  R3[0] ← R3[0] ⊕ Count[i]
  clock all registers
end for
for i = 0 to 99 do
  clock the A5/1 automaton
end for
A5/1 in Key Schedule
[figure: A5/1 in key schedule mode: the three LFSRs driven by CLK1, CLK2, CLK3, with the key/counter bit XORed into the first cell of each register]
A5/1 Automaton
[figure: A5/1 automaton: three LFSRs whose clocking bits t1, t2, t3 control CLK1, CLK2, CLK3]
CLK_i = CLK if t_i = majority(t_1, t_2, t_3), 0 otherwise
Linear Feedback Shift Register (LFSR)
at time t, R_i = x_{t+i}
when CLK = 1, load R_i with R_{i+1}
[figure: a 10-cell register R_0, ..., R_9 holding x_t, ..., x_{t+9}; the XOR of the tapped cells is fed back as x_{t+10}, and x_t is output]
connection polynomial: a_d x^d + ··· + a_1 x + a_0 (example: x^10 + x^5 + x^2 + x + 1)
recursion: a_d x_{t+d} ⊕ ··· ⊕ a_1 x_{t+1} ⊕ a_0 x_t = 0 for any t
so, if a_d = 1, we have x_{t+d} = a_{d−1} x_{t+d−1} ⊕ ··· ⊕ a_0 x_t for any t (linear recursion)
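Added example, not from the slides: a bit-level LFSR built from its connection polynomial exactly as the recursion above states, run on the slide's example x^10 + x^5 + x^2 + x + 1, plus the majority clocking rule of the A5/1 automaton slide. Class and function names are ours; the three-register demo uses constructed toy polynomials, not A5/1's actual registers.

```python
# Added example, not from the slides: LFSR from a connection polynomial
# (a_d x_{t+d} XOR ... XOR a_0 x_t = 0) and A5/1-style majority clocking.
# Names are ours; the toy registers in the test are constructed, not A5/1's.


class LFSR:
    def __init__(self, degrees, state):
        """degrees: exponents j with a_j = 1 (the top one is d, a_d = 1);
        state: [x_t, ..., x_{t+d-1}], i.e. R_i = x_{t+i} as on the slide."""
        self.d = max(degrees)
        self.taps = sorted(set(degrees) - {self.d})   # j < d with a_j = 1
        if len(state) != self.d:
            raise ValueError(f"state must hold {self.d} bits")
        self.r = [b & 1 for b in state]

    def clock(self) -> int:
        """Output x_t, shift (R_i <- R_{i+1}) and load R_{d-1} with
        x_{t+d} = XOR over j < d of a_j x_{t+j}."""
        feedback = 0
        for j in self.taps:
            feedback ^= self.r[j]
        out = self.r[0]
        self.r = self.r[1:] + [feedback]
        return out

    def output(self, n: int) -> list:
        return [self.clock() for _ in range(n)]


def satisfies_recursion(bits: list, degrees) -> bool:
    """Check a_d x_{t+d} XOR ... XOR a_0 x_t = 0 on every window of the sequence."""
    d = max(degrees)
    for t in range(len(bits) - d):
        acc = 0
        for j in degrees:          # includes j = d itself
            acc ^= bits[t + j]
        if acc:
            return False
    return True


def period(degrees, state) -> int:
    """Clocks until the register state first returns. With a_0 = 1 the state
    map is a bijection, so every state lies on a cycle and this terminates."""
    if 0 not in degrees:
        raise ValueError("period() needs a_0 = 1")
    reg = LFSR(degrees, state)
    start = list(reg.r)
    n = 0
    while True:
        reg.clock()
        n += 1
        if reg.r == start:
            return n


def majority(a: int, b: int, c: int) -> int:
    return (a & b) | (a & c) | (b & c)


def majority_clock(regs: list, clock_bits: list) -> list:
    """Rule from the slide: register i is clocked iff its clocking bit t_i
    equals majority(t_1, t_2, t_3). Returns which registers were clocked."""
    t = [reg.r[cb] for reg, cb in zip(regs, clock_bits)]
    m = majority(*t)
    clocked = []
    for reg, ti in zip(regs, t):
        if ti == m:
            reg.clock()
        clocked.append(ti == m)
    return clocked


SLIDE_POLY = {10, 5, 2, 1, 0}   # x^10 + x^5 + x^2 + x + 1

if __name__ == "__main__":
    seq = LFSR(SLIDE_POLY, [1] + [0] * 9).output(40)
    print("".join(map(str, seq)), satisfies_recursion(seq, SLIDE_POLY))
    print("period of x^4 + x + 1:", period({4, 1, 0}, [1, 0, 0, 0]))
```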
we replace every 2 by 0 in polynomials; hence 3 = 2 + 1 is replaced by 0 + 1 = 1, 4 is replaced by 0, ... → monomial coefficients are binary
we replace every x^8 by x^4 + x^3 + x + 1 in polynomials; hence x^9 = x^8 × x is replaced by x^5 + x^4 + x^2 + x, ... → polynomials have degree at most 7
AddRoundKey
AddRoundKey(s, k)
for i = 0 to 3 do
  for j = 0 to 3 do
    s_{i,j} ← s_{i,j} ⊕ k_{i,j}
  end for
end for
s0,0 s0,1 s0,2 s0,3       s0,0⊕k0,0 s0,1⊕k0,1 s0,2⊕k0,2 s0,3⊕k0,3
s1,0 s1,1 s1,2 s1,3   →   s1,0⊕k1,0 s1,1⊕k1,1 s1,2⊕k1,2 s1,3⊕k1,3
s2,0 s2,1 s2,2 s2,3       s2,0⊕k2,0 s2,1⊕k2,1 s2,2⊕k2,2 s2,3⊕k2,3
s3,0 s3,1 s3,2 s3,3       s3,0⊕k3,0 s3,1⊕k3,1 s3,2⊕k3,2 s3,3⊕k3,3
ShiftRows
ShiftRows(s)
replace [s1,0, s1,1, s1,2, s1,3] by [s1,1, s1,2, s1,3, s1,0]
replace [s2,0, s2,1, s2,2, s2,3] by [s2,2, s2,3, s2,0, s2,1]
replace [s3,0, s3,1, s3,2, s3,3] by [s3,3, s3,0, s3,1, s3,2]
s0,0 s0,1 s0,2 s0,3       s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3   →   s1,1 s1,2 s1,3 s1,0
s2,0 s2,1 s2,2 s2,3       s2,2 s2,3 s2,0 s2,1
s3,0 s3,1 s3,2 s3,3       s3,3 s3,0 s3,1 s3,2
SubBytes
SubBytes(s)
for i = 0 to 3 do
  for j = 0 to 3 do
    s_{i,j} ← S-box(s_{i,j})
  end for
end for
A byte a = a_7 ... a_1 a_0 represents an element of the finite field GF(2^8) as a polynomial a_0 + a_1·x + ... + a_7·x^7 modulo x^8 + x^4 + x^3 + x + 1 and modulo 2
byte  bit string  polynomial
0x00  00000000    0
0x01  00000001    1
0x02  00000010    x
0x03  00000011    x + 1
0x1b  00011011    x^4 + x^3 + x + 1
Addition: a simple XOR
Multiplication by 0x01 : nothing
Multiplication by 0x02 : shift and XOR with 0x1b if carry
Multiplication by 0x03 : XOR of multiplications by 0x01 and 0x02
For any k, we can ask the safe whether the secret key is equal to k
[figure: the attack sends a key k to the safe and gets a yes/no answer]
Key Expansion
KeyExpansion(key, Nk)
for i = 0 to Nk − 1 do
  w_i ← key_i
end for
for i = Nk to 4(Nr + 1) − 1 do
  t ← w_{i−1}
  if i mod Nk = 0 then
    replace [t1, t2, t3, t4] by [t2, t3, t4, t1] in t
    apply S-box to the four bytes of t
    XOR x^{i/Nk − 1} (in GF) onto the first byte of t
  else if Nk = 8 and i mod Nk = 4 then
    apply S-box to the four bytes of t
  end if
  w_i ← w_{i−Nk} ⊕ t
end for
Key Expansion
we consider W as a sequence of 4(Nr + 1) = 44 (resp. 52, 60) rows (32-bit words) w
we consider the key as a sequence of Nk = 4 (resp. 6, 8) rows
the w_i are iteratively loaded:
the first w_i are loaded with the key
w_i is loaded with w_{i−Nk} ⊕ w_{i−1}
every Nk iterations, the w_i is modified before the XOR
for Nk = 8, we add an extra modification
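Added example, not the slides' own code, serving both the SubBytes/GF(2^8) slide and the KeyExpansion pseudocode above: byte arithmetic modulo x^8 + x^4 + x^3 + x + 1 (the 0x02 and 0x03 multiplications), the AES S-box derived from the field inverse, and KeyExpansion for Nk = 4, 6, 8, checked against the FIPS-197 Appendix A key-schedule values. Helper names are ours.

```python
# Added example, not the slides' own code: AES arithmetic in GF(2^8), the
# S-box built from it (FIPS-197 section 5.1.1), and KeyExpansion exactly as
# in the pseudocode above. Helper names are ours.

AES_POLY = 0x1B  # x^4 + x^3 + x + 1: what x^8 is replaced by once it appears


def xtime(a: int) -> int:
    """Multiplication by 0x02: shift left and XOR with 0x1b if a carry came out."""
    a <<= 1
    if a & 0x100:
        a ^= 0x100 | AES_POLY
    return a


def gf_mul(a: int, b: int) -> int:
    """General product in GF(2^8) by repeated doubling (0x03 * a = a ^ xtime(a))."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """a^254 = a^-1 in GF(2^8), and 0 for a = 0 as AES requires."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def make_sbox() -> list:
    """S-box(a) = affine transform of gf_inv(a)."""
    def rotl8(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    table = []
    for a in range(256):
        s = gf_inv(a)
        table.append(s ^ rotl8(s, 1) ^ rotl8(s, 2) ^ rotl8(s, 3) ^ rotl8(s, 4) ^ 0x63)
    return table


SBOX = make_sbox()


def key_expansion(key: bytes) -> list:
    """Return the 4(Nr+1) words w_i (each a list of 4 bytes) for Nk = 4, 6 or 8."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01                               # x^(i/Nk - 1), starting at x^0
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = t[1:] + t[:1]                 # [t1,t2,t3,t4] -> [t2,t3,t4,t1]
            t = [SBOX[b] for b in t]          # S-box on the four bytes
            t[0] ^= rcon                      # XOR x^(i/Nk-1) onto the first byte
            rcon = xtime(rcon)
        elif nk == 8 and i % nk == 4:
            t = [SBOX[b] for b in t]          # the extra modification for Nk = 8
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w


def word_hex(word: list) -> str:
    return "".join(f"{b:02x}" for b in word)


if __name__ == "__main__":
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1
    words = key_expansion(fips_key)
    print(len(words), word_hex(words[4]), word_hex(words[43]))  # 44 a0fafe17 b6630ca6
```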
Exhaustive Search Algorithm
Input: an oracle O, a set of possible keys K = {k_1, ..., k_N}
Oracle interface: input is an element of K, output is Boolean
pick a random permutation σ of {1, ..., N}
for all i = 1 to N do
  if O(k_{σ(i)}) then
    yield k_{σ(i)} and stop
  end if
end for
search failed
Key Recovery Game with a Stop Test Oracle (Online)
Adversary                                    Challenger
                                             pick a random K
try k_1      ---- query k_1 ---->
             <------- no --------            k_1 ≠ K
try k_2      ---- query k_2 ---->
             <------- no --------            k_2 ≠ K
...
             ---- query k ------>
             <------ yes --------            k = K
Using a Stop Test Oracle
We use an oracle which tells whether the key we are looking for is equal to the queried k
[figure: the attack sends a key k to the oracle and gets a yes/no answer]
(on-line attacks) access trial
(off-line attacks) we obtained a witness W(K) for the key K
Guessing a Key using Some Significant Information (Offline Attack)
For any k, we can check whether k is consistent with the information we have
[figure: the attack sends a key k to a consistency check and gets a yes/no answer]
Examples of Witness Functions
useful witnesses for exhaustive search:
known plaintext attack: we get some random (x, C_K(x)) pair
ciphertext only attack with redundant plaintexts: we get C_K(x) for a random redundant x
other witnesses which can be used for precomputation:
chosen plaintext attack: we can get C_K(x) for some chosen x
leakage of C_K(x) for a fixed message x for application (e.g. UNIX passwords) reasons
Online and Offline UNIX Passwords Recovery
online
try to connect using a guess for the password until it works
can be thwarted by audit tools
offline
get a witness from /etc/passwd and look for a guess which is consistent with the witness
may be precomputed or not
Key Recovery Game with a Witness (Offline)
Adversary                                    Challenger
                                             pick a random K
             <------ W(K) -------
...
             ---- query k ------>            win if k = K
Complexity Analysis
number of iterations:
worst case: N
average case: (N + 1)/2
NB: we can decrease the average complexity if we know the a priori distribution
Complexity Analysis
Precomputation time D
Memory complexity D
Time complexity T
Probability of success 1 − (1 − D/N)^T ≈ 1 − e^{−DT/N}
This is quite interesting when D ≈ T ≈ √N...
Extension: Multi-Target Dictionary Attack
Input: a deterministic witness function W for keys
Preprocessing
for D different candidates K do
  compute W(K)
  insert (W(K), K) in a dictionary
end for
output the dictionary
Attack
Attack input: T many witnesses y_i = W(K_i), a dictionary
for i = 1 to T do
  look at y_i in the dictionary
  for all (y_i, K) in the dictionary do
    yield i, K
  end for
end for
Complexity Analysis
Precomputation time D
Memory complexity D
Time complexity ≈ 1
Probability of success (with randomly selected dictionary keys) D/N
Dictionary Attack
Input: a deterministic witness function W for keys
Preprocessing
for D different candidates K do
  compute W(K)
  insert (W(K), K) in a dictionary
end for
output the dictionary
Attack
Attack input: a witness y = W(K), a dictionary
look at y in the dictionary
for all (y, K) in the dictionary do
  yield K
end for
Double DES
[figure: X → DES with key K1 → Z → DES with key K2 → Y]
K = (K1, K2)
this does not work
Security of Passwords with less than 48 Bits of Entropy
An 8 i.u.d. random characters password in {a, ..., z, A, ..., Z, 0, ..., 9} has less than 48 bits of entropy
classical conventional cryptography may require about 300 cycles on a P4 2GHz to check a guess (= 2^{22.6} guesses per second) −→ 256d to find a password with a PC
time-memory tradeoffs cracked a (36-bit entropy) password within a few seconds (complexity N^{2/3} + precomputation N) −→ 1h to find a password (+ a year of precomputation)
special purpose hardwares cracked 56-bit keys within a day −→ 5min to find a password
distributed.net cracked 64-bit keys within 1757 days in 2002 −→ 40min to find a password
Generic attack against hash functions: Birthday paradox
⋆Analysis of hash functions: dedicated attack against MD4
Message Authentication Codes: CBC-MAC, HMAC
⋆Pseudorandom generator: congruential generator
3 Chapter 3: Dedicated Conventional Cryptographic Primitives
Confidentiality
[figure: a key generator delivers the same key (CONFIDENTIAL) to both ends; Message → Encrypt → Decrypt → Message, with the adversary observing the channel]
Confidentiality vs Integrity and Authentication
Non-authenticated but confidential: the adversary cannot read a sent message, but she can insert a message so that the receiver can receive an X of her choice
Non-integer but authenticated and confidential: the adversary cannot insert a message of her choice but can modify a sent message so that the receiver will receive some X′ related to X by some known relation even though the adversary does not learn X and X′
Example: the adversary can replace X by X ⊕ ∆ for a ∆ of her choice even though she cannot get any information about X → malleability
Authenticated, integer and confidential: the adversary cannot get any information nor modify a sent message. She can still, in principle, replay them, or remove them.
Authentication vs Integrity
Non-integer but authenticated: the adversary cannot insert a message of her choice but can modify a sent message X → malleability
Integer and authenticated: the adversary cannot insert nor modify sent messages but can still, in principle, replay them or remove them
We will assume that authentication implicitly includes integrity
Authentication and Integrity
Peer integrity: we make sure that the peer cannot be corrupted
Peer authentication: we make sure whom we are talking to
Message authentication: we make sure about who sent the message
Message integrity: we make sure that the received message is equal to the sent one
4 different notions
In this chapter we concentrate on message authentication and message integrity (Peer authentication will be addressed in Chapter 5)
A Swiss Army Knife Cryptographic Primitive
Domain extender: hash bitstrings of arbitrary length into bitstrings of fixed length. Application: instead of specifying digital signature algorithms on a set of bitstrings with arbitrary length, we specify them with bitstrings of fixed length and use the hash-and-sign paradigm.
Commitment: “uniquely” characterizes a bitstring without revealing information on it. Application: commitment which is binding and hiding.
Pseudorandom generator: generate bitstrings from seeds which are unpredictable. Application: generation of cryptographic keys from a seed.
Collision attack: find x and x′ such that x ≠ x′ and h(x) = h(x′).
First preimage attack: given y find x such that y = h(x).
Second preimage attack: given x find x′ such that x ≠ x′ and h(x) = h(x′).
Security Properties for Hash Functions
Collision resistance: hash function h for which it is hard to find x and x′ such that h(x) = h(x′) and x ≠ x′.
→ digital fingerprint of the bitstring
One-wayness: hash function h for which given y it is hard to find even one x such that y = h(x).
→ witness for a password
Pseudo-randomness: hash function h such that for any given f and g_i = h(f^i(x)) for i = 0, ..., n−1 with a random (unknown) x such that f^i(x) is not cycling, it is hard to predict h(f^n(x)).
→ pseudo-random generation
Encryption to Hashing
On-line hashing:
the message is padded following the Merkle–Damgård scheme;
each block is processed using an encryption function C in a feedback mode according to the Davies–Meyer scheme.
[figure: 128-bit initial value → C ← 512-bit message block, output added back (+) → C ← next 512-bit block → ... → C ← pad → 128-bit digest]
Cryptographic Hashing
[figure: message → MD5 → 128-bit digest]
“Message Digest” (MD) devised by Ronald Rivest
“Secure Hash Algorithm” (SHA) standardized by NIST
MD4 in 1990 (128-bit digest)
MD5 in 1991 (128-bit digest) published as RFC 1321 in 1992
SHA in 1993 (160-bit digest) (now obsolete)
SHA-1 in 1995 (160-bit digest)
SHA256, SHA384, SHA512 in 2002 (256-, 384-, and 512-bit digest)
Scenarios for Threat Models
Substitution in the integrity check process → second preimage attack
Substitution in a commitment scheme → collision attack
Information retrieval in a commitment scheme → first preimage attack
Application Example: Playing Dice
Alice                                          Bob
pick x ∈ {1, ..., 6}    ---- commit(x) ---->
                        <------- y ---------   pick y ∈ {1, ..., 6}
                        ------ open ------->   verify
z = 1 + ((x + y) mod 6)                        z = 1 + ((x + y) mod 6)
output: z                                      output: z
Proof of Merkle–Damgård Theorem - Case 2
[figure: two Merkle–Damgård chains started from IV: X = X_1, ..., X_m with its pad, and X′ = X′_1, ..., X′_n with its pad′, X ≠ X′ of different lengths, ending on the same digest]
C′(H_m, X_m) = C′(H′_n, X′_n)
Proof of Merkle–Damgård Theorem - Case 1
[figure: two Merkle–Damgård chains started from IV: X = X_1, ..., X_n and X′ = X′_1, ..., X′_n with the same pad, X ≠ X′ of the same length, ending on the same digest]
C′(H_i, X_i) = C′(H′_i, X′_i)
where i is the last index such that H_i ≠ H′_i or X_i ≠ X′_i
Merkle–Damgård Theorem
Theorem (Merkle–Damgård 1989)
We construct a cryptographic hash function h from a compression function C′ by using the Merkle–Damgård scheme. If the compression function C′ is collision-resistant, then the hash function h is collision-resistant as well.
Proof.
Case 1: messages of same length
Case 2: messages of different length
Merkle–Damgård’s Extension
pad = 1 0 . . . 0 length (64 bits)
[figure: 128-bit initial value → C′ ← 512-bit message block → C′ ← next 512-bit block → ... → C′ ← pad → 128-bit digest]
Implementation of MD5 Compression
Input: an initial hash a, b, c, d, a message block x_0, ..., x_15
Output: a hash a, b, c, d
for i = 1 to 4 do
  for j = 0 to 15 do
    t ← ROTL_{α_{i,j}}(a + f_i(b, c, d) + x_{σ_i(j)} + k_{i,j}) + b
    a ← d
    d ← c
    c ← b
    b ← t
  end for
end for
a ← a + a_initial
b ← b + b_initial
c ← c + c_initial
d ← d + d_initial
The B^j_i Boxes
[figure: box B^j_i takes the message word x and the registers (a, b, c, d) and outputs the updated (a, b, c, d)]
ROTL_{α_{i,j}}(a + f_i(b, c, d) + x + k_{i,j}) + b
f_i are bit-wise boolean functions:
f1(b,c,d) = if b then c else d
f2(b,c,d) = if d then b else c
f3(b,c,d) = b XOR c XOR d
f4(b,c,d) = c XOR (b AND (NOT d))
The MD5 Encryption Function [RFC1321]
For i = 1 to 4:
[figure: the registers A, B, C, D pass through the boxes B^0_i, B^1_i, ..., B^15_i in sequence; each box receives the message word of the BLOCK selected by σ_i]
Davies–Meyer Scheme
[figure: Davies–Meyer scheme: the sixteen 32-bit words of the message block key the encryption function C applied to the chaining value (A, B, C, D); each 32-bit output is added (+) to the corresponding input word]
+ is addition modulo 2^32.
From MD5 to MD4
like MD5 (128 bits, 4 registers, basic key schedule)
new round function
(A, B, C, D) ← (D, ROTL_{α_{i,j}}(A + f_i(B, C, D) + x_{σ_i(j)} + k_i), B, C)
3 rounds, other functions
f1(b,c,d) = if b then c else d
f2(b,c,d) = majority(b,c,d)
f3(b,c,d) = b XOR c XOR d
From SHA-1 to SHA
SHA-1 followed SHA
linear expansion in the key schedule: for i = 16, . . . ,79
Input: a cryptographic hash function h onto a domain of size N, an input x
Output: x′ such that x ≠ x′ and h(x) = h(x′)
compute h(x)
pick a random ordering of all inputs x_1, x_2, ...
for all i such that x_i ≠ x do
  compute h(x_i)
  if h(x_i) = h(x) then
    yield x′ = x_i and stop
  end if
end for
search failed
Input: an initial hash a, b, c, d, a message block x_0, ..., x_15
Output: a hash a, b, c, d
for i = 1 to 3 do
  for j = 0 to 15 do
    t ← ROTL_{α_{i,j}}(a + f_i(b, c, d) + x_{σ_i(j)} + k_i)
    a ← d
    d ← c
    c ← b
    b ← t
  end for
end for
a ← a + a_initial
b ← b + b_initial
c ← c + c_initial
d ← d + d_initial
Collision Search II
Input: a cryptographic hash function h onto a domain of size N
Output: a pair (x, x′) such that x ≠ x′ and h(x) = h(x′)
repeat
  pick a (new) random x
  compute y = h(x)
  insert (y, x) in the hash table
until there is already another (y, x′) pair in the hash table
yield (x, x′)
Collision Search I
Input: a cryptographic hash function h onto a domain of size N
Output: a pair (x, x′) such that x ≠ x′ and h(x) = h(x′)
for θ√N many different x do
  compute y = h(x)
  if there is a (y, x′) pair in the hash table then
    yield (x, x′) and stop
  end if
  insert (y, x) in the hash table
end for
search failed
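Added example, not from the slides: Collision Search I and II run against a constructed toy hash (SHA-256 truncated to 24 bits, so N = 2^24) to show that a collision costs about √N evaluations, which is why digest size matters. The names truncated_hash, collision_search_i and collision_search_ii are ours.

```python
# Added example, not from the slides: the two collision searches above on a
# constructed 24-bit hash, illustrating the birthday bound. Names are ours.
import hashlib
import math
import random


def truncated_hash(x: bytes, nbits: int = 24) -> int:
    """Constructed toy hash: the top nbits of SHA-256(x); domain size N = 2^nbits."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - nbits)


def collision_search_i(h, N: int, theta: float = 3.0, seed: int = 0):
    """Search I: hash theta*sqrt(N) fresh inputs, stop at the first repeated digest;
    returns (x, x') or None when the bounded search fails."""
    rng = random.Random(seed)
    table = {}
    for _ in range(int(theta * math.isqrt(N))):
        x = rng.getrandbits(64).to_bytes(8, "big")
        y = h(x)
        if y in table and table[y] != x:
            return table[y], x
        table[y] = x
    return None  # search failed


def collision_search_ii(h, seed: int = 0):
    """Search II: keep drawing inputs until the table already holds the digest;
    returns (x, x', number of hash evaluations)."""
    rng = random.Random(seed)
    table = {}
    queries = 0
    while True:
        x = rng.getrandbits(64).to_bytes(8, "big")
        queries += 1
        y = h(x)
        if y in table and table[y] != x:
            return table[y], x, queries
        table[y] = x


def expected_queries(N: int) -> float:
    """Birthday paradox: about sqrt(pi N / 2) draws before two digests coincide."""
    return math.sqrt(math.pi * N / 2)


if __name__ == "__main__":
    N = 1 << 24
    x, x2, q = collision_search_ii(truncated_hash)
    print(f"collision after {q} queries (expected about {expected_queries(N):.0f})")
    print(x.hex(), x2.hex(), hex(truncated_hash(x)), hex(truncated_hash(x2)))
```

With a 24-bit digest a collision appears after a few thousand hashes; the same code against the full 256-bit SHA-256 would need about 2^128 evaluations.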
Computing the MAC of t bytes for a message m with a key K using a Merkle–Damgård hash function with block size B bytes, digest size L bytes. (t = L by default.) E.g. H = SHA-1, B = 64, L = 20.
1 If K has more than B bytes, we first replace K by H(K). (Having a key of such a long size does not increase the security.)
2 We append zero bytes to the right of K until it has exactly B bytes.
3 We compute H(K ⊕ opad || H(K ⊕ ipad || X)) where ipad and opad are two fixed bitstrings of B bytes. The ipad consists of B bytes equal to 0x36 in hexadecimal. The opad consists of B bytes equal to 0x5c in hexadecimal.
4 We truncate the result to its t leftmost bytes. We obtain HMAC_K(X).
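Added example, not the slides' code: HMAC assembled from the four steps above on top of hashlib (H = SHA-1 gives B = 64, L = 20), checked against the RFC 2202 test vectors and against Python's own hmac module. hmac_from_steps and agrees_with_stdlib are our names.

```python
# Added example, not the slides' code: HMAC built from the four steps on the
# slide, for any Merkle-Damgard hash hashlib provides. Names are ours.
import hashlib
import hmac as stdlib_hmac


def hmac_from_steps(key: bytes, message: bytes, hash_name: str = "sha1", t: int = None) -> bytes:
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    B = hashlib.new(hash_name).block_size    # 64 for SHA-1/SHA-256, 128 for SHA-512
    L = hashlib.new(hash_name).digest_size
    if t is None:
        t = L
    if not 1 <= t <= L:
        raise ValueError("truncation length must be between 1 and L bytes")
    # step 1: a key longer than B bytes is first hashed (a long key adds no security)
    if len(key) > B:
        key = H(key)
    # step 2: pad the key on the right with zero bytes to exactly B bytes
    key = key.ljust(B, b"\x00")
    # step 3: H(K xor opad || H(K xor ipad || X)), ipad = 0x36..., opad = 0x5c...
    k_ipad = bytes(k ^ 0x36 for k in key)
    k_opad = bytes(k ^ 0x5C for k in key)
    inner = H(k_ipad + message)
    outer = H(k_opad + inner)
    # step 4: keep the t leftmost bytes
    return outer[:t]


def agrees_with_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against the standard library; compare_digest is constant-time,
    which is what a verifier should use so that timing does not leak the tag."""
    ours = hmac_from_steps(key, message, hash_name)
    ref = stdlib_hmac.new(key, message, hash_name).digest()
    return stdlib_hmac.compare_digest(ours, ref)


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-SHA1
    print(hmac_from_steps(b"\x0b" * 20, b"Hi There").hex())
    print(agrees_with_stdlib(b"\xaa" * 200, b"long key, sha512 has B = 128", "sha512"))
```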
Strong Adversarial Model
[Figure: the adversary sends messages X_i to a MAC oracle and receives the tags c_i, then outputs a pair (X, c)]
the adversary can request the authentication of several messages
the goal of the adversary is to output a valid (X, c) pair
the output X must not have been requested to the oracle
Weak Adversarial Model
[Figure: the adversary obtains pairs (X_i, c_i) from the MAC, then outputs a pair (X, c)]
the adversary can request the authentication of several messages
the goal of the adversary is to output a valid (X, c) pair
the output X must not have been requested to the oracle
CBCMAC (A Bad MAC)
[Figure: CBC chaining of the message blocks x_1, x_2, x_3, ..., x_n: each block is XORed with the previous C_K output and encrypted with C_K; the last C_K output is the MAC]
Security Proof by Simulation
If we have an adversary for the big MAC, we construct an adversary for the small MAC by simulation:
[Figure: the simulator, who knows K1, forwards each query X_i of the big-MAC adversary as H(K1||X_i) to the small-MAC oracle, returns the answer c_i to the adversary, and turns the final output (X, c) into (H(K1||X), c)]
If H(K1||X) ≠ H(K1||X_i) for all i, then we have a message forgery. Otherwise we have a collision!
Security of (Ideal) HMAC
Theorem (Bellare-Canetti-Krawczyk 1996)
Let H be a hash function which hashes onto ℓ bits following the Merkle-Damgård scheme. We consider keys K1, K2 in {0,1}^ℓ. We assume that
H is collision resistant;
X ↦ H(K2||X) is a secure MAC function over the space {0,1}^ℓ of messages with a fixed length ℓ.
The following algorithm is a secure MAC function over the space of messages with arbitrary length.
X ↦ MAC_{K1,K2}(X) = H(K2||H(K1||X))
Provided that we cannot distinguish HMAC from this MAC, then HMAC is a secure MAC as well.
First submit many messages until we get two messages X1 and X2 such that MAC(X1) = MAC(X2) by using the birthday paradox.
X1            MAC(X1) = c
X2            MAC(X2) = c
B = random
X3 = X1||B    MAC(X3) = c'
X4 = X2||B    MAC(X4) = c'
EMAC (Encrypted MAC) (A Better CBCMAC Variant)
[Figure: CBCMAC of x_1, x_2, x_3, ..., x_n under key K1 as above, then the last value is encrypted once more with C_{K2}; the result is the MAC]
A MAC Forgery
X1 = random          MAC(X1) = c
X2 = random          MAC(X2) = c'
X3 = X1||B           MAC(X3) = C_K(c ⊕ B)
X4 = X2||B'          MAC(X4) = C_K(c' ⊕ B')
B' = B ⊕ c ⊕ c'      MAC(X4) = MAC(X3)
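The CBCMAC, EMAC and forgery slides above, as an added example that is not from the slides: it checks that the relation B' = B ⊕ c ⊕ c' makes two different two-block messages share a raw CBCMAC tag, and that the same relation, computed from the tags an observer actually sees, no longer holds once the final block is re-encrypted under K2 (EMAC). The block cipher C_K is replaced by a SHA-256-based keyed function, an assumption made here because only the forward direction is needed.

```python
import hashlib
import os

BLOCK = 16


def C(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher C_K (assumption of this example:
    a keyed pseudorandom function built from SHA-256, not AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbcmac(key: bytes, msg: bytes) -> bytes:
    """Raw CBCMAC over whole blocks, as drawn on the slide."""
    assert len(msg) > 0 and len(msg) % BLOCK == 0
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = C(key, xor(state, msg[i:i + BLOCK]))
    return state


def emac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """EMAC: CBCMAC under K1, then one more encryption under K2."""
    return C(k2, cbcmac(k1, msg))


def forgery_relation_holds(k1: bytes, k2: bytes):
    """Builds X3 = X1||B and X4 = X2||B' with B' = B xor c xor c', where
    c, c' are the tags of X1, X2. Returns (same tag under CBCMAC,
    same tag under EMAC)."""
    x1, x2, b = os.urandom(BLOCK), os.urandom(BLOCK), os.urandom(BLOCK)
    # raw CBCMAC: the tags are the chaining values, so the relation works
    c, cp = cbcmac(k1, x1), cbcmac(k1, x2)
    x3, x4 = x1 + b, x2 + xor(xor(b, c), cp)
    same_cbcmac = cbcmac(k1, x3) == cbcmac(k1, x4)
    # EMAC: only C_{K2}(c) and C_{K2}(c') are visible, the chaining values
    # are hidden, so the relation built from the visible tags fails
    e, ep = emac(k1, k2, x1), emac(k1, k2, x2)
    x4_emac = x2 + xor(xor(b, e), ep)
    same_emac = emac(k1, k2, x3) == emac(k1, k2, x4_emac)
    return same_cbcmac, same_emac


if __name__ == "__main__":
    print(forgery_relation_holds(os.urandom(16), os.urandom(16)))
```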
CCM (Counter with CBC-MAC)
Roughly speaking:
1: let T = CBCMAC(message)
2: encrypt T||message in CTR mode
More precisely, the CCM mode is defined by
a block cipher which accepts 16-byte blocks
an even parameter M between 4 and 16 (size of the CBCMAC in bytes)
a parameter L between 2 and 8 (size of the length field in bytes)
Authenticated Modes of Operation
[Figure: a key generator gives the same key to both sides over a confidential, authenticated and integer channel; the sender runs Enc/MAC on the message and a nonce, the receiver runs Dec/Check with the same nonce and outputs the message and an "ok?" verdict; the adversary sits on the channel in between]
OMAC1
Cst1 = 0x00···02
Cst2 = 0x00···04
if the message length is not a multiple of the block length, pad it with a bit 1 and as many bits 0 as required to reach this length
if x_n was not padded, take Cst = Cst1, otherwise take Cst = Cst2
L = C_K(0) (encryption of the zero block)
H_L(Cst1) is L shifted to the left by one bit, XORed with the carry constant if any, and H_L(Cst2) = H_{H_L(Cst1)}(Cst1)
actually, H_L(x) = L × x using GF arithmetic with carry constant 0x000000000000001b for 64-bit blocks and 0x00000000000000000000000000000087 for 128-bit blocks
The server keeps a database of (realm-value, userid, password) triplets
realm-value: one "part" of the HTTP server corresponding to an authentication method
userid: the identification string of a user
password: the password
Upon a URI request to a server, the server sends a challenge
WWW-Authenticate: basic realm="〈realm-value〉"
The client must send credentials
Authorization: basic 〈basic-credentials〉
where basic-credentials = base64(〈userid〉:〈password〉)
If the (realm-value, userid, password) triplet is correct, the server treats the URI request. Otherwise it sends the message HTTP/1.0 401 Unauthorized and sends the challenge again.
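The challenge and credential check described above, as an added example that is not from the slides: it builds the WWW-Authenticate challenge, decodes the Authorization header into (userid, password) and looks the triplet up in a constructed database (the realm, user and password values are sample data, not from the slides).

```python
import base64
import hmac

# constructed sample database of (realm-value, userid) -> password
CREDENTIALS = {
    ("WallyWorld", "Aladdin"): "open sesame",
}


def challenge(realm: str) -> str:
    """The WWW-Authenticate header the server sends with a 401."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm


def parse_basic_credentials(header_value: str):
    """Turn 'Basic <base64(userid:password)>' into (userid, password);
    returns None for anything that is not well-formed."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # the userid cannot contain ':' but the password may, so split once only
    if ":" not in decoded:
        return None
    userid, password = decoded.split(":", 1)
    return userid, password


def authorize(realm: str, header_value: str) -> bool:
    """True iff the (realm-value, userid, password) triplet is in the database."""
    creds = parse_basic_credentials(header_value)
    if creds is None:
        return False
    userid, password = creds
    expected = CREDENTIALS.get((realm, userid))
    if expected is None:
        return False
    # constant-time comparison of the submitted password
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def handle_request(realm: str, authorization=None):
    """Status line the server answers with; a 401 carries the challenge again."""
    if authorization is not None and authorize(realm, authorization):
        return "HTTP/1.0 200 OK"
    return "HTTP/1.0 401 Unauthorized\r\n" + challenge(realm)


if __name__ == "__main__":
    print(handle_request("WallyWorld"))
    print(handle_request("WallyWorld", "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```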
Password Authentication Protocols
Client                                             Server
                      request  ---------------->
                               <----------------   c
r = MAC_password(c)   response r  ------------->   check r = MAC_password(c)
Passive vs Active Adversary
passive adversary: only listens to communications and tries to get credentials to later pass access control
active adversary: can interfere with client or server communications, e.g. man-in-the-middle
Pros and Cons
Pros
the server does not keep the password (only a digest)
Cons
does not work through a channel without confidentiality protection: the password can be compromised
Pros and Cons
Pros
the server does not keep the secret
resistance to passive adversary
Cons
used with a single server (or securely synchronized ones)
potential implementation problems (beware about sending i from Server to Client)
not ergonomic: users dislike it
vulnerable to man-in-the-middle attacks
S/Key - OTP [RFC 2289]
Client                                              Server
choose w             w  ------------------------>   pick s at random
store p_1, ..., p_N  <------- s, p_1, ..., p_N      p_i ← H^{N+1−i}(w, s)
i ← 1                                               i ← 1, p ← p_0
...
                     request  ------------------>
                              <------------------   i, s
y ← p_i              y  ------------------------>   check H(y) = p
...                                                 p ← y, i ← i + 1
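The S/Key exchange above as an added example that is not from the slides: the server builds the chain p_i = H^{N+1−i}(w, s), keeps only p_0 and checks H(y) = p at each round, and the client refuses a challenge whose counter i is not the one it expects, which is the "beware about sending i" caveat of the Cons slide. It assumes H^k(w, s) means k iterations of SHA-256 starting from s||w.

```python
import hashlib
import hmac


def f(x: bytes) -> bytes:
    """The one-way function iterated along the chain (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def build_chain(w: bytes, s: bytes, N: int):
    """p_i = H^{N+1-i}(w, s) for i = 0..N, read here as N+1-i iterations of
    f starting from s||w (an assumption of this example)."""
    p = [None] * (N + 1)
    cur = s + w
    for i in range(N, -1, -1):
        cur = f(cur)
        p[i] = cur
    return p


class Server:
    def __init__(self, w: bytes, s: bytes, N: int):
        chain = build_chain(w, s, N)
        self.s, self.N = s, N
        self.p, self.i = chain[0], 1          # p <- p_0, i <- 1
        self.list_for_client = chain[1:]      # p_1 .. p_N, handed to the client once

    def challenge(self):
        return self.i, self.s

    def verify(self, y: bytes) -> bool:
        if self.i > self.N:                   # chain exhausted: re-initialisation needed
            return False
        if not hmac.compare_digest(f(y), self.p):   # check H(y) = p
            return False
        self.p, self.i = y, self.i + 1        # p <- y, i <- i + 1
        return True


class Client:
    def __init__(self, passwords):
        self.passwords = passwords            # p_1 .. p_N
        self.i = 1

    def respond(self, i: int, s: bytes) -> bytes:
        # a forged challenge with a larger i would disclose p_i, from which
        # every earlier p_j (j < i) follows by hashing: refuse it
        if i != self.i:
            raise ValueError("unexpected counter in challenge")
        y = self.passwords[i - 1]             # y <- p_i
        self.i += 1
        return y


def run_protocol(w: bytes, s: bytes, N: int):
    """N-1 authentications, a replay of p_1, then the last authentication.
    Returns (all N-1 accepted, replay rejected, last one accepted)."""
    srv = Server(w, s, N)
    cli = Client(srv.list_for_client)
    ok = all(srv.verify(cli.respond(*srv.challenge())) for _ in range(N - 1))
    replay_rejected = not srv.verify(srv.list_for_client[0])
    last_ok = srv.verify(cli.respond(*srv.challenge()))
    return ok, replay_rejected, last_ok


if __name__ == "__main__":
    print(run_protocol(b"correct horse", b"seed42", 5))
```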
CHAP Access Control in PPP [RFC1334]
CHAP packets are encapsulated in PPP Data Link Layer frames. A CHAP packet consists of
Code (1 byte), Identifier (1 byte), Length (2 bytes), Data
where Code is 1, 2, 3 or 4, Identifier is between 0 and 255, and Length is between 0 and 65535. The Identifier bytes are used to identify different simultaneous PPP sessions.
the PPP server sends a CHAP packet with code 1 (challenge)
the peer sends back a CHAP packet with code 2 (response)
Data_i = [ValueSize (1 byte), Value_i, Name]
Value_2 = H(Identifier, secret, Value_1).
the server sends a CHAP packet with code 3 (success) or 4 (failure)
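The CHAP packet format and the challenge-response check (the MAC_password(c) pattern of the Password Authentication Protocols slide), as an added example that is not from the slides. It assumes MD5 over Identifier||secret||Value_1 for H, as RFC 1334 specifies, and constructed peer names and secrets.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_packet(code: int, identifier: int, data: bytes) -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Data; Length covers the whole packet."""
    assert code in (CHALLENGE, RESPONSE, SUCCESS, FAILURE)
    assert 0 <= identifier <= 255
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_packet(pkt: bytes):
    if len(pkt) < 4:
        raise ValueError("short CHAP packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match the packet")
    return code, identifier, pkt[4:]


def build_value_data(value: bytes, name: bytes) -> bytes:
    """Data_i = [ValueSize (1 byte), Value_i, Name]."""
    assert len(value) <= 255
    return bytes([len(value)]) + value + name


def parse_value_data(data: bytes):
    if not data or len(data) < 1 + data[0]:
        raise ValueError("truncated Value field")
    size = data[0]
    return data[1:1 + size], data[1 + size:]


def H(identifier: int, secret: bytes, value: bytes) -> bytes:
    """Value_2 = H(Identifier, secret, Value_1); MD5 as in RFC 1334 CHAP."""
    return hashlib.md5(bytes([identifier]) + secret + value).digest()


class ChapServer:
    def __init__(self, secrets: dict, name: bytes = b"ppp-server"):
        self.secrets = secrets       # peer Name -> shared secret (constructed)
        self.name = name
        self.pending = {}            # Identifier -> outstanding Value_1

    def challenge(self, identifier: int) -> bytes:
        value1 = os.urandom(16)
        self.pending[identifier] = value1
        return build_packet(CHALLENGE, identifier, build_value_data(value1, self.name))

    def check(self, pkt: bytes) -> bytes:
        code, identifier, data = parse_packet(pkt)
        value1 = self.pending.pop(identifier, None)   # each challenge is usable once
        if code != RESPONSE or value1 is None:
            return build_packet(FAILURE, identifier, b"")
        value2, peer = parse_value_data(data)
        secret = self.secrets.get(peer)
        if secret is None or not hmac.compare_digest(value2, H(identifier, secret, value1)):
            return build_packet(FAILURE, identifier, b"")
        return build_packet(SUCCESS, identifier, b"")


def chap_respond(pkt: bytes, secret: bytes, name: bytes) -> bytes:
    """Peer side: answer a code-1 packet with a code-2 packet."""
    code, identifier, data = parse_packet(pkt)
    if code != CHALLENGE:
        raise ValueError("not a challenge")
    value1, _server_name = parse_value_data(data)
    return build_packet(RESPONSE, identifier,
                        build_value_data(H(identifier, secret, value1), name))


if __name__ == "__main__":
    server = ChapServer({b"alice": b"s3cret"})
    reply = server.check(chap_respond(server.challenge(7), b"s3cret", b"alice"))
    print("code", parse_packet(reply)[0])
```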
Pros and Cons
Pros
resistance to passive adversary
Cons
the server must keep the password and strongly protect the database
vulnerable to man-in-the-middle attacks
GSM Protocol
[Figure: columns SIM, Telephone, Radio, Network, Operator. The operator picks a Random value and sends it as the Challenge; the SIM computes the Response with A3 from its Key and the challenge, and a Temporary key with A8; the operator computes the same with its copy of the Key and compares the responses; plaintext between telephone and network is encrypted on the radio link with A5 under the Temporary key]
GSM Slang
GSM: Global System for Mobile telecommunications
MS: Mobile Station
SIM: Subscriber Identity Module (part of MS)
HLR: Home Location Register
VLR: Visitor Location Register
IMSI: International Mobile Subscriber Identity (stored in SIM)
Ki: subscriber Integrity Key (securely stored in SIM)
GSM Authentication
principle 1: authentication of mobile system
principle 2: privacy protection in the wireless link
challenge-response protocol based on Ki
encryption key for a limited period of time (derived from Ki)
identity IMSI replaced by a pseudonym TMSI as soon as possible
Ki never leaves the security module (SIM card) or home security database (HLR)
5 Chapter 5: Security Protocols with Conventional Cryptography
Access Control
Architectures based on Symmetric Cryptography
Bluetooth Security
mode 1: non-secure
mode 2: service level enforced security
mode 3: link level enforced security
Bluetooth History
10th Century: Viking King Harald Blåtand (Harold Bluetooth) tried to unify Denmark, Norway, and Sweden
1994: Ericsson initiated a study to investigate the feasibility
May 20, 1998: Bluetooth announced, controlled by the Special Interest Group (SIG) formed by
Ericsson, IBM, Intel, Nokia, and Toshiba
July 1999: Bluetooth 1.0 Specification Release
November 2004: Bluetooth 2.0 Specification Release
nearly 2000 members in SIG
The Bluetooth Project
short-range wireless technology
designed to transmit voice and data
for a variety of mobile devices (computing, communicating, ...)
bring together various markets
1 Mbit/sec up to 10 meters over the 2.4 GHz radio frequency
Given a group (G, ·), an element g generates a subgroup
〈g〉 = {..., g^{−2}, g^{−1}, g^0, g^1, g^2, ...}
If 〈g〉 is finite, of cardinality n, then g^n = 1 and
〈g〉 = {g^0, g^1, ..., g^{n−1}}
Proof. Let m be the smallest integer s.t. there exists i s.t. 0 ≤ i < m and g^i = g^m. Since g^{i−1} = g^{m−1} we must have i − 1 < 0 hence i = 0 and g^j = g^{j mod m} and
〈g〉 = {g^0, g^1, ..., g^{m−1}}
so n = m.
The mapping ϕ : Z_n → 〈g〉 defined by ϕ(a) = g^a is a group isomorphism. Namely, ϕ(a + b) = ϕ(a) · ϕ(b) for any a, b ∈ Z_n
Cerebral Z_n
nZ is a subgroup of Z (with law +), which is commutative (group generated by n)
we can do the quotient Z/nZ of Z by nZ
congruence modulo nZ is written
a ≡ b (mod n) ⟺ a − b ∈ nZ ⟺ a mod n = b mod n
note that (a + nZ) + (b + nZ) = (a ⊞ b) + nZ
an exhaustive list of equivalence classes is
0 + nZ, 1 + nZ, 2 + nZ, ..., (n − 1) + nZ
we simply write a instead of a + nZ
Pedestrian Z_n
Euclidean division in Z: for any a ∈ Z and any n > 0 there exists a unique (q, r) ∈ Z^2 such that a = qn + r and 0 ≤ r < n
we write q = ⌊a/n⌋ and r = a mod n
Z_n = {0, 1, ..., n − 1}
addition in Z_n: a ⊞ b = (a + b) mod n
useful lemma: (a + (b mod n)) mod n = (a + b) mod n
closure: comes from x mod n ∈ Z_n for any x ∈ Z
associativity: comes from the lemma
neutral element: 0
invertibility: comes from the lemma, (−a) mod n
Functional vs Family Notations
                   functional notations         family notations
function domain    D                            index set I
function range     R                            set S
finite domain      f : {1, ..., n} → R          (x_1, ..., x_n)
infinite domain    f : D → R                    (x_i)_{i∈I}
input              x ∈ D                        i ∈ I
image              f(x) ∈ R                     x_i ∈ S
set                                             S^I, S^n
Addition in Elliptic Curves
E_{a,b} = {O} ∪ {(x, y); y^2 = x^3 + ax + b}
Given P = (x_P, y_P), we define −P = (x_P, −y_P) and −O = O.
Given P = (x_P, y_P) and Q = (x_Q, y_Q), if Q = −P, we define P + Q = O.
Given P = (x_P, y_P) and Q = (x_Q, y_Q), if Q ≠ −P, we let
λ = (y_Q − y_P) / (x_Q − x_P)    if x_P ≠ x_Q
λ = (3x_P^2 + a) / (2y_P)        if x_P = x_Q
x_R = λ^2 − x_P − x_Q
y_R = (x_P − x_R)λ − y_P
R = (x_R, y_R) and P + Q = R.
In addition, P + O = O + P = P and O + O = O.
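The addition law above implemented over Z_p, as an added example that is not from the slides: the two λ cases, the Q = −P case and the point at infinity, plus a double-and-add scalar multiplication and an order computation built only on that addition. The curve y^2 = x^3 + 2x + 3 over Z_97 and the point (3, 6) are constructed toy values.

```python
# O (the point at infinity) is represented by None; affine points by (x, y).
O = None


def ec_add(P, Q, a: int, p: int):
    """P + Q on E_{a,b} over Z_p following the slide's formulas (b is not
    needed for addition itself)."""
    if P is O:
        return Q
    if Q is O:
        return P
    xP, yP = P
    xQ, yQ = Q
    if xP == xQ and (yP + yQ) % p == 0:          # Q = -P (includes y_P = 0 doubling)
        return O
    if xP != xQ:
        lam = (yQ - yP) * pow(xQ - xP, -1, p) % p
    else:                                         # P = Q: tangent slope
        lam = (3 * xP * xP + a) * pow(2 * yP, -1, p) % p
    xR = (lam * lam - xP - xQ) % p
    yR = ((xP - xR) * lam - yP) % p
    return (xR, yR)


def ec_neg(P, p: int):
    return O if P is O else (P[0], (-P[1]) % p)


def on_curve(P, a: int, b: int, p: int) -> bool:
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_mul(k: int, P, a: int, p: int):
    """k*P by double-and-add, using nothing but ec_add."""
    R = O
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a, p)
        if bit == "1":
            R = ec_add(R, P, a, p)
    return R


def point_order(P, a: int, p: int) -> int:
    """Smallest m > 0 with m*P = O (walks the cycle; fine for toy sizes)."""
    m, R = 1, P
    while R is not O:
        R = ec_add(R, P, a, p)
        m += 1
    return m


if __name__ == "__main__":
    a, b, p = 2, 3, 97            # constructed toy curve y^2 = x^3 + 2x + 3 over Z_97
    P = (3, 6)
    print(on_curve(P, a, b, p), ec_add(P, P, a, p), point_order(P, a, p))
```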
Elliptic Curves
[Figure: the chord through P and Q meets the curve in a third point, whose reflection is P + Q]
Example
Z_15 has order 15
We have 〈5〉 = {0, 5, 10}. This is a subgroup of order 3. 5 has order 3 in Z_15
We have 〈2〉 = {0, 2, 4, 6, 8, 10, 12, 14, 1, 3, 5, 7, 9, 11, 13}. 2 has order 15 in Z_15
2 is a generator
Finite Groups
Definition
If (G, ·) is a group and if G is a finite set, then the cardinality of G is called the group order. If g generates a subgroup of order m, then m is called the order of g.
Property: the order of g is the smallest i > 0 s.t. g^i = 1.
Theorem (Lagrange)
The order of any element is a factor of the order of the group.
Consequence: if G has prime order, all elements (except 1) are generators
Ring Units
Let (R, +, ·) be a ring. (Example: R = Z_n.)
We let R^* denote the set of invertible elements: the group of units
a, b ∈ R are equivalent if a = ub for some unit u
Example: Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}
Ring Constructions
Product rings: given (R_1, +_1, ×_1) and (R_2, +_2, ×_2), consider R = R_1 × R_2 and (a_1, a_2) · (b_1, b_2) = (a_1 ×_1 b_1, a_2 ×_2 b_2)
Power rings: given (R, +, ·) and A, consider R^A and (a_i)_{i∈A} × (b_i)_{i∈A} = (a_i · b_i)_{i∈A}
Ideals: given (R, +, ·), and given a subgroup I of R s.t. ∀a ∈ I ∀b ∈ R  ab, ba ∈ I
Quotient rings: given (R, +, ·) and an ideal I, consider the group R/I of representatives of the congruence modulo I with the law induced by ·
Definition, examples
Definition
A ring is an Abelian group (R, +) together with a mapping from R × R to R which maps (a, b) to an element denoted ab and such that
1-4. [group] R with + is a group
5. [Abelian] for any a, b, we have a + b = b + a
6. [closure] for any a, b ∈ R, we have ab ∈ R
7. [associativity] for any a, b, c, we have (ab)c = a(bc)
8. [neutral element] there exists an element 1 s.t. for any a, a1 = 1a = a
9. [distributivity] for any a, b, c, we have a(b + c) = ab + ac and (a + b)c = ac + bc
Examples: Z with + and ×; Z[X] with + and ×; Z_n with the addition and multiplication modulo n
Input: a and b, two integers of at most ℓ bits
Output: c, an integer of at most ℓ + 1 bits representing a + b
Complexity: O(ℓ)
1: r ← 0
2: for i = 0 to ℓ − 1 do
3:   d ← a_i + b_i + r
4:   set c_i and r to bits such that d = 2r + c_i
5: end for
6: c_ℓ ← r
Addition with Big Numbers (in Decimal)
     1 1   1
     8 427 403
+   12 951 842
=   21 379 245
Input: two integers a and b of ℓ digits
Output: one integer c = a + b
1: r ← 0
2: for i = 0 to ℓ − 1 do
3:   d ← a_i + b_i + r
4:   write d = 10r + c_i with c_i < 10
5: end for
6: c_ℓ ← r
Input: a and b, two integers of at most ℓ bits
Output: d = gcd(a, b)
Complexity: O(ℓ^2)
1: x ← a, y ← b
2: while y > 0 do
3:   make a Euclidean division x = qy + r
4:   do simultaneously x ← y and y ← x − qy
5: end while
6: d ← x
Euler Totient Function
ϕ(n) is the order of Z_n^*
Theorem
Given an integer n, we have the following results.
For all x ∈ Z_n we have x ∈ Z_n^* ⟺ gcd(x, n) = 1.
Z_n is a field ⟺ Z_n^* = Z_n \ {0} ⟺ ϕ(n) = n − 1 ⟺ n is prime
For all x ∈ Z_n^* we have x^{ϕ(n)} ≡ 1 (mod n).
For all x ∈ Z_n^*, if e is such that gcd(e, ϕ(n)) = 1, we let d = e^{−1} mod ϕ(n). Then, x^d mod n is the only e-th root of x modulo n
Arithmetics with Big Numbers
addition (O(ℓ)): x, y ↦ x + y and x, y, n ↦ (x + y) mod n
multiplication (O(ℓ^2)): x, y ↦ x × y and x, y, n ↦ (x × y) mod n
Euclidean division (O(ℓ^2)): x, n ↦ x mod n
→ Arithmetics in Z_n
fast exponential (O(ℓ^3)): x, e, n ↦ x^e mod n
Euclid Algorithm (O(ℓ^2)): x, y ↦ a, b s.t. ax + by = gcd(x, y)
inversion in Z_n (O(ℓ^2)): x, n ↦ y s.t. xy mod n = 1 (when feasible)
Modular Inversion
Theorem
x ∈ Z_n is invertible if and only if gcd(x, n) = 1.
Proof.
⟹ if gcd(x, n) = d > 1 then d divides (x · y) mod n for any y so (x · y) mod n ≠ 1 and x is non invertible.
⟸ if gcd(x, n) = 1, the Extended Euclid algorithm finds the inverse of x.
Example
We run the algorithm with a = 22 and b = 35. We obtain the following sequence of vectors.
For all x ∈ Z_n^*, if e is such that gcd(e, ϕ(n)) = 1, we let d = e^{−1} mod ϕ(n). Then, x^d mod n is the only e-th root of x modulo n
Proof. We have e · d = 1 + k · ϕ(n) for some k hence x ≡ y^e ⟹ x^d ≡ y^{1 + k·ϕ(n)} ≡ y and y ≡ x^d ⟹ y^e ≡ x^{1 + k·ϕ(n)} ≡ x.
Proof — iii
For all x ∈ Z_n^* we have x^{ϕ(n)} ≡ 1 (mod n).
Proof. Due to the Lagrange Theorem, the order k of x divides the order ϕ(n) of Z_n^*. Let ϕ(n) = k · r. We have x^{ϕ(n)} ≡ x^{k·r} ≡ (x^k)^r ≡ 1^r ≡ 1.
Proof — ii
Z_n is a field ⟺ Z_n^* = Z_n \ {0} ⟺ ϕ(n) = n − 1
Proof. By definition, Z_n is a field ⟺ Z_n^* = Z_n \ {0}. Since #Z_n^* = ϕ(n), Z_n^* ⊆ Z_n \ {0}, and #(Z_n \ {0}) = n − 1 we deduce Z_n^* = Z_n \ {0} ⟺ ϕ(n) = n − 1.
Proof — i
For all x ∈ Z_n we have x ∈ Z_n^* ⟺ gcd(x, n) = 1.
Proof.
⟹: if y = gcd(x, n) > 1, then y divides (x · z) mod n for any z so this cannot be equal to 1.
⟸: if gcd(x, n) = 1, then the extended Euclid algorithm outputs the inverse of x modulo n.
Application 2: Correctness of RSA
let N = pq be the product of two different prime numbers p and q
for any x ∈ Z such that x mod p ≠ 0 we have (x^e mod N)^d mod N ≡ x (mod p) (comes from p − 1 divides ϕ(N) thus ed mod (p − 1) = 1)
this also holds when x mod p = 0
similarly: for any x ∈ Z we have (x^e mod N)^d mod N ≡ x (mod q)
from CRT (Application 1): for any x ∈ Z we have (x^e mod N)^d mod N ≡ x (mod N)
for any x ∈ Z_N we have (x^e mod N)^d mod N = x
Application 1: Equality Modulo Composite Numbers
Theorem
For any a, b, m, n ∈ Z such that gcd(m, n) = 1, then
a ≡ b (mod m) and a ≡ b (mod n)  ⟹  a ≡ b (mod mn).
Indeed, f(a mod (mn)) = f(b mod (mn)) hence a mod (mn) = b mod (mn)
Chinese Remainder Theorem
Theorem
(Chinese Remainder Theorem) Let m and n be two integers such that gcd(m, n) = 1. We have
f : Z_mn → Z_m × Z_n defined by f(x) = (x mod m, x mod n) is a ring isomorphism
ϕ(mn) = ϕ(m)ϕ(n)
f^{−1}(a, b) ≡ an(n^{−1} mod m) + bm(m^{−1} mod n) (mod mn)
Example: (m = 5, n = 7, mn = 35)
f^{−1}(3, 4) = (3 × 7 × (7^{−1} mod 5) + 4 × 5 × (5^{−1} mod 7)) mod 35 = ··· = 18
Application: ϕ(pq) = (p − 1)(q − 1) when p and q are two different primes
Application: RSA Cryptosystem
[Figure: the generator outputs the secret key (d, N) and the public key (e, N), the latter sent over an authenticated and integer channel; Encrypt maps the message x to the ciphertext x^e mod N; Decrypt maps y to the message y^d mod N; the adversary sees the ciphertext]
N = pq, ϕ(N) = (p − 1)(q − 1)
1 = gcd(e, ϕ(N)), d = e^{−1} mod ϕ(N)
Proof of CRT — iii
Fact 3: Z_mn^* and Z_m^* × Z_n^* are isomorphic (thus ϕ(mn) = ϕ(m)ϕ(n))
if x ∈ Z_mn^* then x is invertible modulo m and modulo n thus f(x) is in Z_m^* × Z_n^*
conversely, if f(x) is in Z_m^* × Z_n^*, f(x) × f(y) = (1, 1) in Z_m × Z_n for some y thus x × y = f^{−1}(1, 1) = 1 in Z_mn: x is in Z_mn^*
f maps Z_mn^* onto Z_m^* × Z_n^* and is injective: it is thus an isomorphism between the two groups
Proof of CRT — ii
Fact 2: f is an isomorphism
f(x) = (0, 0) implies m and n divide x; since gcd(m, n) = 1, mn divides x, thus x mod (mn) = 0
f is injective: for all x, y ∈ Z_mn, if f(x) = f(y) then f(x − y) = (0, 0) thus (x − y) mod (mn) = 0 hence x = y
f is an isomorphism: Z_mn and Z_m × Z_n have the same cardinality and f is injective thus f is a bijection; since f is further a homomorphism, f is an isomorphism
Proof of CRT — i
Fact 1: f is a ring homomorphism from Z_mn to Z_m × Z_n
f(x +_{Z_mn} y) = f(x) +_{Z_m × Z_n} f(y), indeed:
((x + y) mod (mn)) mod m = ((x mod m) + (y mod m)) mod m
((x + y) mod (mn)) mod n = ((x mod n) + (y mod n)) mod n
f(x ×_{Z_mn} y) = f(x) ×_{Z_m × Z_n} f(y) (same)
Application 3: Exponentiation Acceleration
log_2 p ≈ log_2 q ≈ ℓ/2
[Figure: a^d mod pq is obtained from a^{d mod (p−1)} mod p and a^{d mod (q−1)} mod q combined by the CRT; cost 2 × O((ℓ/2)^3) instead of O(ℓ^3)]
Fields
Definition
A field is a commutative ring (K, +, ×) such that
1-9. [ring] K is a ring with + and ×
10. [commutativity] for any a, b, we have ab = ba
11. [invertibility] for any a ≠ 0 there exists b = a^{−1} s.t. ab = ba = 1
for pairwise different prime numbers p_1, ..., p_r
Proof of CRT — iv
Fact 4: f(an(n^{−1} mod m) + bm(m^{−1} mod n)) = (a, b)
an(n^{−1} mod m) + bm(m^{−1} mod n) ≡ a (mod m)
an(n^{−1} mod m) + bm(m^{−1} mod n) ≡ b (mod n)
thus f of the left hand side is (a, b)
Cerebral GF(p^k)
p: a prime number.
Z_p[x] is a Euclidean ring.
Select a monic irreducible polynomial P(x) of degree k in Z_p[x].
P(x) spans an ideal (P(x)) with no non-trivial sub-ideal.
Let GF(p^k) = Z_p[x]/(P(x)) be the quotient of the ring Z_p[x] by the ideal (P(x)).
We obtain a field which inherits the addition and multiplication from the ring structure of Z_p[x].
Example
In order to construct GF(2^3):
consider the ring Z_2[x] of polynomials
take the monic irreducible polynomial P(x) = x^3 + x + 1 of degree 3
construct
GF(2^3) = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
Example: (x + 1) + (x^2 + 1) = x^2 + x in GF(2^3).
Example: (x + 1) × (x^2 + 1) = x^3 + x^2 + x + 1 = x^2 in GF(2^3).
Pedestrian GF(p^k)
p: a prime number.
Euclidean division in Z_p[x]: for any polynomials A(x) and P(x) such that P ≠ 0, there exist polynomials R(x) and B(x) such that A(x) = R(x) + P(x) · B(x) and deg(R) < deg(P). We call R(x) = A(x) mod P(x) the remainder of A(x) modulo P(x).
Select a monic (i.e. with leading coefficient 1) irreducible (i.e. which cannot be expressed as a product of polynomials with smaller degree) polynomial P(x) of degree k in Z_p[x].
Let GF(p^k) be the set of all polynomials in Z_p[x] of degree at most k − 1.
Addition: regular polynomial addition modulo p.
Multiplication: regular multiplication in Z_p[x] reduced modulo P(x).
We can prove this constructs a field.
Properties
p: a prime number.
Z_p^* = {1, ..., p − 1}, ϕ(p) = p − 1.
(Little Fermat Theorem) for any x ∈ Z_p^*, we have x^{p−1} ≡ 1 (mod p)
Z_p^* is a cyclic group with ϕ(p − 1) generators: there exist (ϕ(p − 1) many) numbers g such that
Z_p^* = {g^0, g^1, g^2 mod p, ..., g^{p−2} mod p}
GF(2^8) Arithmetics in AES
A byte a = a_7 ... a_1 a_0 represents an element of the finite field GF(2^8) as a polynomial a_0 + a_1·x + ... + a_7·x^7 modulo x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + 1 and modulo 2
The cardinality of any finite field is a prime power p^k.
For any prime power p^k, there exists a finite field of cardinality p^k. p is called the characteristic of the field.
Two finite fields of the same cardinality are isomorphic, so the finite field of cardinality p^k is essentially unique. We denote it GF(p^k) as the Galois field of cardinality p^k.
GF(p^k) is isomorphic to a subfield of GF(p^{k×ℓ}).
GF(p^k) can be defined as the quotient of the ring of polynomials with coefficients in Z_p by a principal ideal spanned by an irreducible polynomial of degree k: Z_p[x]/(P(x)).
Chapter Content
Primality: Fermat test, Miller-Rabin test
⋆ Primality: Carmichael numbers, Solovay-Strassen test
other arithmetic problems: square roots, e-th roots, exponentiation
Most Important Finite Fields
Z_p for a large prime p: represented by regular integers
GF(2^k): represented by bitstrings of length k
                  Z_p                          GF(2^k)
representation    integers from 0 to p − 1     polynomials of degree at most k − 1 with binary coefficients (k-bit strings); requires the choice of an irreducible polynomial of degree k
addition          addition modulo p            bitwise XOR
multiplication    multiplication modulo p      ad-hoc algorithms; multiplication by 0x2: shift to the left and XOR to a constant if carry
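GF(2^k) arithmetic on k-bit strings as described in the table above, the Pedestrian GF(p^k) slide and the OMAC1 slide, as an added example that is not from the slides: addition is XOR, multiplication is shift-and-XOR with reduction modulo the chosen polynomial, and "multiplication by 0x2" is the shift-left-and-XOR-a-constant step that OMAC1 uses with 0x1b (64-bit blocks) and 0x87 (128-bit blocks). The GF(2^3) values are the slides' own examples.

```python
import random


def gf2k_add(a: int, b: int) -> int:
    """Addition of two elements given as k-bit integers: bitwise XOR."""
    return a ^ b


def gf2k_mul(a: int, b: int, k: int, poly: int) -> int:
    """Multiply a and b in GF(2^k); bit i of an operand is the coefficient of
    x^i, poly is the reduction polynomial including its x^k term, e.g.
    x^3 + x + 1 -> 0b1011. Schoolbook shift-and-XOR multiplication."""
    assert 0 <= a < (1 << k) and 0 <= b < (1 << k)
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1                     # multiply a by x
        if a >> k:                  # coefficient of x^k appeared: reduce modulo poly
            a ^= poly
    return result


def times_x_with_carry(L: int, bits: int, carry_constant: int) -> int:
    """OMAC1's H_L(Cst1) = L * x on a block of `bits` bits: shift left by one
    bit and XOR the carry constant if a bit fell out."""
    carry = L >> (bits - 1)
    L = (L << 1) & ((1 << bits) - 1)
    return L ^ carry_constant if carry else L


def omac_doubling_matches_field(bits: int, carry_constant: int,
                                trials: int = 50, seed: int = 1) -> bool:
    """Checks the OMAC1 slide's claim that the shift-and-XOR rule is the
    field multiplication by x (and its double is multiplication by x^2) in
    GF(2^bits) with modulus x^bits + (carry_constant as a polynomial)."""
    poly = (1 << bits) | carry_constant
    rng = random.Random(seed)
    for _ in range(trials):
        L = rng.getrandbits(bits)
        dbl = times_x_with_carry(L, bits, carry_constant)
        if dbl != gf2k_mul(L, 0b10, bits, poly):
            return False
        if times_x_with_carry(dbl, bits, carry_constant) != gf2k_mul(L, 0b100, bits, poly):
            return False
    return True


if __name__ == "__main__":
    P3 = 0b1011                      # x^3 + x + 1, the slide's GF(2^3) modulus
    print(bin(gf2k_add(0b011, 0b101)), bin(gf2k_mul(0b011, 0b101, 3, P3)))
    print(omac_doubling_matches_field(64, 0x1b), omac_doubling_matches_field(128, 0x87))
```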
Fermat Test
Parameter: k, an integer
Input: n, an integer of ℓ bits
Output: notification of non-primality or pseudo-primality
Complexity: O(kℓ^3)
1: repeat
2:   pick a random b such that 0 < b < n
3:   x ← b^{n−1} mod n
4:   if x ≠ 1 then
5:     output "composite" and stop
6:   end if
7: until k iterations are made
8: output "pseudo-prime" and stop
Fermat Test
Theorem (Little Fermat Theorem)
If n is prime, for any b ∈ {1, ..., n − 1}, b^{n−1} mod n = 1.
[Flowchart: pick b at random; is b^{n−1} mod n = 1? if no, n composite; if yes, repeat for t iterations, then end: n prime]
Trial Division Algorithm
Input: an integer n
Output: a list of prime numbers whose product is n
Complexity: O(√n) arithmetic operations
1: b ← ⌊√n⌋, x ← n, i ← 2
2: while x > 1 and i ≤ b do
3:   while i divides x do
4:     print i
5:     x ← x/i
6:     b ← ⌊√x⌋
7:   end while
8:   i ← i + 1
9: end while
10: if x > 1 then print x
7 Chapter 7: Algorithmic Number Theory
Primality Tests
Factoring and Discrete Logarithm Problems
Computing Orders in Groups
Square Roots in Finite Fields
Lemma
Let p be a prime number. If x^2 mod p = 1 then x mod p = 1 or x mod p = p − 1.
we have (x − 1)(x + 1) mod p = 0 and p prime thus either p divides x − 1 or p divides x + 1
if p divides x − 1 we have x mod p = 1
if p divides x + 1 we have x mod p = p − 1
Carmichael Numbers: the 561 Case
Example: n = 561 = 3 · 11 · 17 is such that for all b s.t. gcd(b, n) = 1, we have b^{n−1} ≡ 1 (mod n).
Proof. We notice that n − 1 = 560 = 2^4 · 5 · 7 which is a multiple of 3 − 1, 11 − 1, and 17 − 1. Therefore, if b is prime with 3, we have b^{n−1} ≡ 1 (mod 3) and the same for 11 and 17. Hence, from the Chinese Remainder Theorem we obtain that if b is prime with n we have b^{n−1} ≡ 1 (mod n).
Carmichael Numbers
Definition
We call Carmichael number any integer n which is a product of (at least 2) pairwise different prime numbers p such that p − 1 is a factor of n − 1.
Theorem
An integer n is a Carmichael number if and only if it is composite and for any b s.t. gcd(b, n) = 1, we have b^{n−1} ≡ 1 (mod n).
Example: n = 561 = 3 · 11 · 17 is such that for all b s.t. gcd(b, n) = 1, we have b^{n−1} ≡ 1 (mod n).
Significance of Fermat Test
False Negative: Pr[output composite | n prime] = 0
False Positive: there exist pathologic numbers n which are not prime such that Pr[output pseudoprime | n] is high.
Carmichael Numbers n are composite such that for any b such that gcd(b, n) = 1 we have b^{n−1} mod n = 1. Hence
Pr[output pseudoprime | n] = (ϕ(n) / (n − 1))^k.
Prime Number Generation
Theorem (Prime Number Theorem)
Let p(N) denote the number of prime numbers in {2, 3, ..., N}. We have p(N) ∼ N / log N when N increases toward the infinity.
→ the probability that a random ℓ-bit number is prime is ≈ 1 / (ℓ log 2)
Example: a 512-bit random integer is prime with probability ≈ 1/355
→ generating a random ℓ-bit prime number takes O(ℓ^4)
[Flowchart: pick p at random; is it prime? if no, pick again; if yes, p found]
Bounding Errors in the Miller-Rabin Test
Theorem (Miller-Rabin)
If more than a quarter of b ∈ Z_n^* pass the Miller-Rabin test, then all b ∈ Z_n^* do so.
Consequence: the probability that a composite number passes the Miller-Rabin test with k iterations and outputs "pseudo-prime" is less than 4^{−k}.
The Miller-Rabin Primality Test
Parameter: k, an integer
Input: n, an integer of ℓ bits
Output: notification of non-primality or pseudo-primality
Complexity: O(kℓ^3)
1: if n = 2 then
2:   output "prime" and stop
3: end if
4: if n is even then
5:   output "composite" and stop
6: end if
7: write n = 2^s t + 1 with t odd
8: repeat
9:   pick b ∈ {1, ..., n − 1}
10:  x ← b^t mod n, i ← 0
11:  if x ≠ 1 then
12:    while x ≠ n − 1 do
13:      x ← x^2 mod n, i ← i + 1
14:      if i = s or x = 1 then
15:        output "composite" and stop
16:      end if
17:    end while
18:  end if
19: until k iterations are made
20: output "pseudo-prime" and stop
The Miller-Rabin Test
We write n − 1 = 2^s t
If n is prime, we have
b^{n−1} mod n = (···((b^t)^2)^2···)^2 mod n = 1
If n is prime, +1 and −1 are the only possible square roots of 1
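The Trial Division, Fermat Test, Miller-Rabin and Prime Number Generation slides above carried out in code, as an added example that is not from the slides: the Fermat test accepts the Carmichael number 561 for every b coprime with it (the fraction ϕ(n)/(n − 1) of the Significance slide), while Miller-Rabin rejects it because a square root of 1 other than ±1 shows up; the prime generator loops the Miller-Rabin test over random ℓ-bit odd numbers.

```python
import random
from math import gcd


def trial_division(n: int):
    """Prime factors of n with multiplicity, O(sqrt n) operations."""
    factors, x, i = [], n, 2
    while x > 1 and i * i <= x:
        while x % i == 0:
            factors.append(i)
            x //= i
        i += 1
    if x > 1:
        factors.append(x)
    return factors


def fermat_test(n: int, k: int, rng=random) -> str:
    """The Fermat test slide: 'composite' or 'pseudo-prime'."""
    for _ in range(k):
        b = rng.randrange(1, n)
        if pow(b, n - 1, n) != 1:
            return "composite"
    return "pseudo-prime"


def miller_rabin(n: int, k: int, rng=random) -> str:
    """The Miller-Rabin slide, step by step."""
    if n == 2:
        return "prime"
    if n < 2 or n % 2 == 0:
        return "composite"
    s, t = 0, n - 1
    while t % 2 == 0:                   # write n - 1 = 2^s t with t odd
        s, t = s + 1, t // 2
    for _ in range(k):
        b = rng.randrange(1, n)
        x, i = pow(b, t, n), 0
        if x != 1:
            while x != n - 1:
                x, i = x * x % n, i + 1
                # i = s: b^{n-1} != 1 (Fermat fails); x = 1: the previous
                # value was a square root of 1 other than +1 or -1
                if i == s or x == 1:
                    return "composite"
    return "pseudo-prime"


def fermat_liar_fraction(n: int) -> float:
    """Fraction of b in {1..n-1} with b^{n-1} mod n = 1; for a Carmichael
    number this is phi(n)/(n-1), the per-iteration false positive rate."""
    liars = sum(1 for b in range(1, n) if pow(b, n - 1, n) == 1)
    return liars / (n - 1)


def random_prime(bits: int, k: int = 20, rng=random) -> int:
    """Pick random odd numbers with the top bit set until Miller-Rabin accepts one."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(p, k, rng) == "pseudo-prime":
            return p


if __name__ == "__main__":
    print(trial_division(561), fermat_liar_fraction(561), miller_rabin(561, 20))
    print(random_prime(64, rng=random.Random(7)))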
factored in 2007 by an equivalent of 100 years of computation on a PC 2.2 GHz (Opteron).
Computing Element Orders in Z_n^* ⟹ Knowing λ(n)
Input: an element order oracle in Z_n^*
Output: λ(n)
1: λ ← 1
2: repeat
3:   pick a random x in Z_n^*
4:   compute the order u of x
5:   λ ← lcm(λ, u)
6: until λ has not changed for a while
Fact. With the same notations: for all i, Pr[β_i < α_i] ≤ 1/p_i
Thus, the number of iterations is likely to be very small
Factoring λ(n) ⟹ Computing Element Orders in Z_n^*
Input: factorization λ(n) = p_1^{α_1} ··· p_r^{α_r}, x ∈ Z_n^*
Output: the order u of x
Complexity: O(r) exponentials
1: u ← 1
2: for i = 1 to r do
3:   y ← x^{λ(n)/p_i^{α_i}} mod n
4:   while y ≠ 1 do
5:     y ← y^{p_i} mod n
6:     u ← u × p_i
7:   end while
8: end for
Fact. If the order of x is p_1^{β_1} ··· p_r^{β_r} then, for all i,
β_i ≤ α_i
x^{λ(n) p_i^{β_i − α_i}} mod n = 1
x^{λ(n) p_i^{β_i − α_i − 1}} mod n ≠ 1
Computing Element Orders in Z_n^*
knowledge of the factorization of λ(n)
⟹ ability to compute element orders in Z_n^*
⟹ knowledge of λ(n)
⟺ knowledge of the factorization of n
Consequence: computing orders in Z_n^* is likely to be hard from n only
Orders in Z_n^* (Reminder)
Z_n^* is of order ϕ(n) (example: Z_35^* is of order 24)
x^{ϕ(n)} mod n = 1 for all x ∈ Z_n^*
{i; ∀x x^i mod n = 1} can be written λ(n)Z where λ(n) is the exponent of Z_n^*
λ(n) is the smallest integer i for which x^i mod n = 1 for all x ∈ Z_n^* (example: λ(35) = 12)
λ(n) divides ϕ(n)
for x ∈ Z_n^*, {i; x^i mod n = 1} can be written order(x)Z
the order of x is the smallest integer i for which x^i mod n = 1 (example: order(6) = 2 in Z_35^*)
for any x ∈ Z_n^*, order(x) divides λ(n)
the lcm of order(x) for all x ∈ Z_n^* is λ(n)
for n = p_1^{α_1} × ··· × p_r^{α_r} with pairwise different prime numbers p_1, ..., p_r, we have
ϕ(n) = (p_1 − 1)p_1^{α_1 − 1} × ··· × (p_r − 1)p_r^{α_r − 1}
λ(n) = lcm((p_1 − 1)p_1^{α_1 − 1}, ..., (p_r − 1)p_r^{α_r − 1})
Checking a Generator of a Group with Known Order Factorization
Input: a prime number p, p − 1 = p_1^{α_1} × ··· × p_r^{α_r}, g ∈ Z_p^*
Output: say if g generates Z_p^*
Complexity: O(r) exponentials
1: for i = 1 to r do
2:   y ← g^{(p−1)/p_i} mod p
3:   if y = 1 then
4:     abort: g is not a generator
5:   end if
6: end for
7: g is a generator
Knowing λ(n) ⟺ Factoring n
⟹: previous slide
⟸: λ(p_1^{α_1} ··· p_r^{α_r}) is computed by
lcm((p_1 − 1)p_1^{α_1 − 1}, ..., (p_r − 1)p_r^{α_r − 1})
NB: knowing a multiple of λ(n) ⟺ Factoring n (same proof)
example: knowing ϕ(n) ⟺ Factoring n
Conclusion: computing ϕ(n) is hard, computing orders in Z_n^* is hard
Factorization using λ(n)
[Figure: starting from x^t mod n, square (SQ) repeatedly, at most s times, while the value is ≠ 1; when a 1 appears, ask whether the previous value is ≡ −1]
Knowing λ(n) ⟹ Factoring n
Input: λ(n) (n odd)
Output: a non trivial factor of n
1: write λ(n) = 2^s t with t odd
2: repeat
3:   pick a random x in Z_n^*
4:   x ← x^t mod n
5:   y ← ⊥
6:   while x ≠ 1 do
7:     y ← x
8:     x ← x^2 mod n
9:   end while
10: until y ≠ ⊥ and y ≢ −1 (mod n)
11: output gcd(y − 1, n)
Fact. For x ∈ Z_n, if x^2 mod n = 1, x ≠ 1, x ≠ n − 1 then 1 < gcd(n, x − 1) < n which is a non-trivial factor of n:
n divides (x − 1)(x + 1)
if gcd(n, x − 1) = n then n divides x − 1 thus x = 1 which is wrong
if gcd(n, x − 1) = 1 then n divides x + 1 thus x = n − 1 which is wrong
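The chain of reductions on the last slides, as an added example that is not from the slides: λ(n) from the factorization of n, element orders from the factorization of λ(n), λ(n) recovered from an order oracle by lcm, the generator check for Z_p^*, and the non-trivial factor of n obtained from λ(n) through a square root of 1 other than ±1. The values n = 35, λ(35) = 12 and order(6) = 2 are the slides' own examples; the element-order oracle used to recover λ(n) is a brute-force search, an assumption valid only for toy sizes.

```python
import random
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def carmichael_lambda(factors: dict) -> int:
    """lambda(n) = lcm((p_i - 1) p_i^{alpha_i - 1}) for n = prod p_i^{alpha_i}."""
    lam = 1
    for p, alpha in factors.items():
        lam = lcm(lam, (p - 1) * p ** (alpha - 1))
    return lam


def element_order(x: int, n: int, lam_factors: dict) -> int:
    """Order of x in Z_n^* given lambda(n) = prod p^alpha (slide algorithm)."""
    lam = 1
    for p, alpha in lam_factors.items():
        lam *= p ** alpha
    u = 1
    for p, alpha in lam_factors.items():
        y = pow(x, lam // p ** alpha, n)
        while y != 1:
            y = pow(y, p, n)
            u *= p
    return u


def order_brute(x: int, n: int) -> int:
    """Element order oracle for toy n (assumption: n small enough to walk)."""
    i, y = 1, x % n
    while y != 1:
        y, i = y * x % n, i + 1
    return i


def lambda_from_orders(n: int, order_oracle, rng=random, patience: int = 20) -> int:
    """lambda(n) as the lcm of random element orders, stopping once it has
    not changed for `patience` consecutive draws."""
    lam, unchanged = 1, 0
    while unchanged < patience:
        x = rng.randrange(1, n)
        if gcd(x, n) != 1:
            continue
        new = lcm(lam, order_oracle(x, n))
        unchanged = unchanged + 1 if new == lam else 0
        lam = new
    return lam


def is_generator(g: int, p: int, pm1_factors: dict) -> bool:
    """g generates Z_p^* iff g^{(p-1)/p_i} != 1 for every prime p_i of p - 1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in pm1_factors)


def factor_with_lambda(n: int, lam: int, rng=random) -> int:
    """Knowing lambda(n) => Factoring n (n odd composite): a non-trivial factor."""
    s, t = 0, lam
    while t % 2 == 0:
        s, t = s + 1, t // 2
    while True:
        x = rng.randrange(2, n - 1)
        if gcd(x, n) != 1:
            return gcd(x, n)            # shortcut not on the slide: x already shares a factor
        x, y = pow(x, t, n), None
        while x != 1:                   # ends within s squarings since x^lambda = 1
            y, x = x, x * x % n
        if y is not None and y != n - 1:
            return gcd(y - 1, n)        # y^2 = 1 with y != +-1: the Fact on the slide


if __name__ == "__main__":
    print(carmichael_lambda({5: 1, 7: 1}), element_order(6, 35, {2: 2, 3: 1}))
    print(lambda_from_orders(35, order_brute), factor_with_lambda(35, 12))
```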
Confidentiality using an Authenticated Channel
Key Exchange Protocol
[Figure: ProtoAlice and ProtoBob run the key exchange over an authenticated and integer channel and each obtain the Key; the message is then sent through Enc/MAC and received through Dec/Check with an "ok?" verdict; the adversary sits on the channel]
Confidentiality using an Authenticated Channel
Public Key Cryptosystem
[Figure: the generator outputs a Secret Key and a Public Key, the latter sent over an authenticated and integer channel; the message goes through Enc and Dec; the adversary sits on the channel]
Trapdoor Permutation
we use an encryption Enc that is easy to compute in one way
...but hard in the other (to compute Dec)
...except using a trapdoor Ks
Diffie-Hellman
“New directions in cryptography” (1976)
The idea of “trapdoor permutation” (no instance)
Building a public-key cryptosystem from it
Building a digital signature scheme from it
Key agreement protocol
If we Lack Authentication: Man-in-the-Middle Attack
Alice                         Eve                                   Bob
pick x, X ← g^x    --X-->     pick x', X' ← g^{x'}     --X'-->
                   <--Y'--    pick y', Y' ← g^{y'}     <--Y--      pick y, Y ← g^y
K1 ← (Y')^x                   K1 ← X^{y'}, K2 ← Y^{x'}             K2 ← (X')^y
(K1 = g^{xy'})                                                     (K2 = g^{x'y})
Passive vs Active Adversaries
passive adversary: just listens to communications and tries to decrypt communications (e.g. by recovering the key). The Diffie-Hellman protocol resists passive adversaries
active adversary: can interfere with communication (modify messages, insert messages, replay messages). The Diffie-Hellman protocol requires authenticated messages
The Diffie-Hellman Key Agreement Protocol
Assume a group (subgroup of Z_p^*, elliptic curves, ...) generated by some g
Alice                                           Bob
pick x at random, X ← g^x    --X-->
                             <--Y--             pick y at random, Y ← g^y
K ← Y^x                                         K ← X^y
(K = g^{xy})
communications must be authenticated and integer!
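The Diffie-Hellman exchange above and the man-in-the-middle table from the slide before it, as an added example that is not from the slides: both honest parties land on g^{xy}, while with Eve substituting X' and Y' Alice holds g^{xy'}, Bob holds g^{x'y}, and each of these is shared with Eve rather than with the other party, which is what "communications must be authenticated" guards against. The group is a constructed toy one: the order-509 subgroup of Z_1019^* (1019 = 2·509 + 1) generated by g = 4; each party also rejects a received value outside that subgroup.

```python
import random

# Constructed toy group: 1019 is a safe prime, 4 = 2^2 generates the
# subgroup of prime order Q = 509 in Z_1019^*. Not a real-world size.
P, Q, G = 1019, 509, 4


class Party:
    def __init__(self, rng=random, x=None):
        self.x = rng.randrange(1, Q) if x is None else x   # secret exponent
        self.X = pow(G, self.x, P)                           # X <- g^x

    def derive(self, peer_value: int) -> int:
        """K <- Y^x, after checking Y is a non-trivial element of <g>."""
        if not 1 < peer_value < P or pow(peer_value, Q, P) != 1:
            raise ValueError("received value is not in the subgroup")
        return pow(peer_value, self.x, P)


def honest_exchange(rng=random, x=None, y=None):
    """Alice and Bob exchange X and Y directly; returns (K_Alice, K_Bob)."""
    alice, bob = Party(rng, x), Party(rng, y)
    return alice.derive(bob.X), bob.derive(alice.X)


def man_in_the_middle(rng=random, x=None, y=None, xp=None, yp=None):
    """Eve replaces X by X' = g^{x'} towards Bob and Y by Y' = g^{y'} towards
    Alice; returns (K_Alice, K_Bob, Eve's K1, Eve's K2)."""
    alice, bob = Party(rng, x), Party(rng, y)
    eve_x, eve_y = Party(rng, xp), Party(rng, yp)   # Eve's x' and y'
    k_alice = alice.derive(eve_y.X)                 # (Y')^x = g^{x y'}
    k_bob = bob.derive(eve_x.X)                     # (X')^y = g^{x' y}
    k1 = eve_y.derive(alice.X)                      # X^{y'}
    k2 = eve_x.derive(bob.X)                        # Y^{x'}
    return k_alice, k_bob, k1, k2


if __name__ == "__main__":
    print(honest_exchange(random.Random(1)))
    print(man_in_the_middle(random.Random(2)))
```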
Security for Key Exchange Protocol
Secrecy: by looking at the communication protocol, it is impossible to guess the exchanged key
Security Models
[Figure: adversary power on one axis (chosen plaintext, then chosen ciphertext), objective on the other (key recovery, then decryption); the security model gets stronger and the attack weaker from top-left (strong objectives, low capabilities) to bottom-right (weak objectives, high capabilities)]
Threat Models
Key recovery: an adversary can recover the secret key
Decryption: an adversary can decrypt a random ciphertext
Adversary model: can encrypt chosen plaintexts (passive), can access a decryption oracle, ...

Public Key Cryptosystem
[Diagram: Generator → Secret Key (to Dec) and Public Key (to Enc, over an AUTHENTICATED, INTEGER channel); Message → Enc → channel (observed by the Adversary) → Dec → Message]

Static versus Ephemeral Diffie-Hellman
Ephemeral DH: it provides forward secrecy
“if long-term secret keys are compromised at time t, this does not compromise a DH session key at time t′ < t”
Static DH: X and Y are used like public keys

Plain RSA
[Diagram: Generator → Secret key (d, N) for Decrypt and Public key (e, N) for Encrypt (public key sent over an AUTHENTICATED, INTEGER channel); Message x → Encrypt: y = x^e mod N → Ciphertext y (seen by the Adversary) → Decrypt: x = y^d mod N → Message]
N = pq, ϕ(N) = (p−1)(q−1)
1 = gcd(e, ϕ(N)), d = e^{−1} mod ϕ(N)

Plain RSA Cryptosystem
Public parameter: an integer s.
Set up: find two random different prime numbers p and q of s/2 bits. Set N = pq. Pick a random e until gcd(e, (p−1)(q−1)) = 1. (Sometimes we pick a special e like e = 17 or e = 2^16 + 1.) Set d = e^{−1} mod ((p−1)(q−1)).
Message: an element x ∈ Z∗N.
Public key: Kp = (e, N).
Secret key: Ks = (d, N).
Encryption: y = x^e mod N.
Decryption: x = y^d mod N.

RSA
Rivest-Shamir-Adleman (1978)

Chapter 9: Public Key Cryptography (Diffie-Hellman, RSA, Other Public Key Cryptosystems)

RSA Engineering
Relevance of the mathematical model
Implementation issues (from plain RSA to real life standards)
Side channel attacks
RSA Security
Key recovery is equivalent to factoring N
Decryption is the RSA problem (not known to be equivalent to factoring)

RSA Complexity
RSA with a modulus of ℓ bits and a random e:
Generator: O(ℓ^4) (prime number generation)
Encryption: O(ℓ^3)
Decryption: O(ℓ^3)
RSA with a modulus of ℓ bits and a constant e (e.g. e = 2^16 + 1):
Generator: O(ℓ^4) (prime number generation)
Encryption: O(ℓ^2)
Decryption: O(ℓ^3)

RSA Completeness
Theorem (Euler)
Let p, q be two different primes and N = p × q. For any x ∈ {0, ..., N−1} we have x^{ϕ(N)+1} mod N = x.
Consequence: RSA decryption works! Proof: from CRT...

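The plain RSA cryptosystem of the earlier slide and the Euler theorem of this one, as an added example (not from the lecture): key generation with p and q of s/2 bits, encryption, decryption, and a brute-force check of x^{ϕ(N)+1} ≡ x (mod N) over every x of a small constructed modulus. Miller-Rabin with Python's random module is used for prime generation; a production key generator would use a vetted library and a cryptographic random source.

```python
import math
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic; enough for a teaching example)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random odd candidate of exactly `bits` bits until one passes the test."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def rsa_keygen(s, e=2**16 + 1):
    """Set up of the slide: p, q of s/2 bits, N = pq, gcd(e, phi) = 1, d = e^-1 mod phi.
    Returns (public key, secret key, (p, q))."""
    while True:
        p, q = random_prime(s // 2), random_prime(s // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q), (p, q)

def rsa_encrypt(public_key, x):
    """y = x^e mod N."""
    e, N = public_key
    return pow(x, e, N)

def rsa_decrypt(secret_key, y):
    """x = y^d mod N."""
    d, N = secret_key
    return pow(y, d, N)

def euler_holds_for_all(p, q):
    """Check x^(phi(N)+1) mod N == x for every x in {0, ..., N-1} (small p, q only).
    Note that the theorem covers x that are not coprime to N as well."""
    N, phi = p * q, (p - 1) * (q - 1)
    return all(pow(x, phi + 1, N) == x for x in range(N))

if __name__ == "__main__":
    pk, sk, _ = rsa_keygen(64)            # toy size; real keys are 2048 bits and more
    print("round trip:", rsa_decrypt(sk, rsa_encrypt(pk, 1234567)) == 1234567)
    print("Euler holds for N = 61 * 53:", euler_holds_for_all(61, 53))
```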
Power Analysis Attack
Computing x = y^d mod N is performed by a device with external power supply by using the square-and-multiply algorithm.
The power usage tells what kind of operation is performed
Cryptoprocessors have faster square than multiply algorithms
The power usage tells when a square and when a multiply is performed
The attacker deduces d

Attack on Low Exponents
Attack on low e: Coppersmith algorithm to find roots less than N^{1/e} of a polynomial of degree e.
Example: decryption attack when e = 3 and we know 2/3 of the plaintext bits (e.g. RSA.Enc(pattern||x) with 1024-bit modulus when x is a 256-bit symmetric key and pattern is a constant pattern).
Example: (e = 3) decryption of two messages which differ in a window of 1/9 of the full length (e.g. RSA.Enc(x||counter) and RSA.Enc(x||counter′) with 1024-bit modulus when the counter is encoded on 32 bits).
Attack on low d: Wiener key recovery attack for d < N^{1/4} (e.g. N of 1024 bits and d of less than 256 bits).

Example with e = 3
[Diagram: the sender broadcasts x as y1 to modulus N1, y2 to N2 and y3 to N3, all with e = 3]
Broadcast plaintext x to 3 receivers using e = 3:
Let yi = x^3 mod Ni
We have CRT(y1, y2, y3) = x^3 mod (N1 N2 N3) = x^3
So we can compute x^3, then extract a cubic root and get x

Broadcast Encryption with Low Exponent
Sending the same message x to at least e participants with the same encryption exponent e and different moduli N1, ..., Nn.
The ith participant receives yi = x^e mod Ni
The attacker intercepts e values y1, ..., ye
The attacker computes y = x^e mod N where N = N1 × ... × Ne by CRT
We have y = x^e (since x < every Ni, x^e < N)
The attacker deduces x = e-th root of y

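The broadcast scenario of this slide and the e = 3 example before it, as an added example (not part of the lecture): three constructed toy moduli N1, N2, N3, the CRT recombination and the exact integer cube root. The last function is the practitioner's takeaway: as soon as each receiver gets a differently randomised plaintext (what RSA-OAEP, on a later slide, provides), the recombined value is no longer a perfect cube and the same procedure recovers nothing.

```python
def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli: the unique
    y in [0, M) with y = r_i mod m_i for all i, and M = product of the m_i."""
    M = 1
    for m in moduli:
        M *= m
    y = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        y += r * Mi * pow(Mi, -1, m)
    return y % M, M

def integer_root(y, e):
    """Exact integer e-th root of y, or None when y is not a perfect e-th power."""
    lo, hi = 0, 1 << (y.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** e < y:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == y else None

def recover_broadcast_plaintext(ciphertexts, moduli, e):
    """The slide's procedure: y = x^e mod (N1...Ne) by CRT; since x < every Ni,
    x^e < N1...Ne, so y equals x^e over the integers and an e-th root gives x.
    Returns None when the recombined value is not a perfect e-th power."""
    y, _ = crt(ciphertexts, moduli)
    return integer_root(y, e)

# Constructed toy moduli: products of primes that are 2 mod 3, so e = 3 is a
# valid exponent for each of them. Real moduli are 2048 bits and more.
N1, N2, N3 = 53 * 59, 71 * 83, 89 * 101
E = 3

def broadcast(x_per_receiver):
    """Each receiver i gets x_i^E mod N_i. The vulnerable case is the same x_i
    for all receivers; randomised padding makes the x_i differ."""
    return [pow(x, E, N) for x, N in zip(x_per_receiver, (N1, N2, N3))]

if __name__ == "__main__":
    x = 2024
    print("same plaintext to all:", recover_broadcast_plaintext(broadcast([x, x, x]), [N1, N2, N3], E))
    print("distinct plaintexts:  ", recover_broadcast_plaintext(broadcast([x, x + 1, x + 2]), [N1, N2, N3], E))
```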
Other Side Channel Attacks
Simple fault analysis
Differential fault analysis
Timing attack
Electromagnetic fields
Noisy machines
Cache attacks
Branch prediction algorithm
...
DFA
[Diagram, correct run: y = x^e mod N → y^d mod p and y^d mod q → CRT → y^d mod N = x]
[Diagram, faulty run: y = x^e mod N → y^d mod p and a random value in place of y^d mod q → CRT → x′ ≡ x (mod p) only]

Differential Fault Attack
Computing x = y^d mod N is performed by a device using CRT acceleration.
The attacker picks x and sends y = x^e mod N to the device
The attacker aggressively (but mildly) stresses the device
The device eventually makes errors
An error may occur during the CRT acceleration
The device computes x′ and outputs it
The attacker computes gcd(x − x′, N)

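The fault scenario of this slide and the DFA diagram before it, as an added example (not part of the lecture): CRT-accelerated RSA decryption on the classic toy key p = 61, q = 53, e = 17, d = 2753 (constructed), a simulated fault in the mod-q half, the gcd(x − x′, N) computation that recovers p from the faulty output, and the countermeasure a device should implement: re-encrypt the result with the public exponent and withhold it when the check fails.

```python
import math
import random

def rsa_decrypt_crt(y, d, p, q, fault_xq=None):
    """x = y^d mod N computed the fast way: two half-size exponentiations mod p
    and mod q, then Garner recombination. If fault_xq is given it replaces the
    mod-q half, simulating a device that computed that half wrongly."""
    dp, dq = d % (p - 1), d % (q - 1)
    xp = pow(y, dp, p)
    xq = pow(y, dq, q) if fault_xq is None else fault_xq % q
    h = (xp - xq) * pow(q, -1, p) % p      # Garner: x = xq + q * h, and x = xp (mod p)
    return xq + q * h

def factor_from_faulty_output(x, x_faulty, N):
    """gcd(x - x', N): x and x' agree mod p but not mod q, so the gcd is p."""
    return math.gcd(x - x_faulty, N)

def rsa_decrypt_crt_checked(y, e, d, p, q, fault_xq=None):
    """Countermeasure: verify x^e == y (mod N) before releasing x. A faulty x'
    fails the check and is never output, so there is nothing to take a gcd with.
    The cost is one exponentiation with the small public exponent."""
    N = p * q
    x = rsa_decrypt_crt(y, d, p, q, fault_xq)
    if pow(x, e, N) != y % N:
        raise RuntimeError("fault detected in CRT decryption; result withheld")
    return x

if __name__ == "__main__":
    p, q, e, d = 61, 53, 17, 2753          # constructed toy key, N = 3233
    x = 65
    y = pow(x, e, p * q)
    x_ok = rsa_decrypt_crt(y, d, p, q)
    # a random wrong half; with probability 1/q it happens to be right and the gcd is N
    x_bad = rsa_decrypt_crt(y, d, p, q, fault_xq=random.randrange(q))
    print("correct:", x_ok, "faulty:", x_bad,
          "gcd(x - x', N) =", factor_from_faulty_output(x_ok, x_bad, p * q))
    try:
        rsa_decrypt_crt_checked(y, e, d, p, q, fault_xq=0)
    except RuntimeError as err:
        print("checked variant:", err)
```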
SPA
[Diagram: power trace over time showing the operation sequence SQ MUL (bit 1), SQ MUL (bit 1), SQ (bit 0), SQ (bit 0), SQ ...]
secret key is 1100... (from right to left or left to right)

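The trace of this slide and the power analysis slide earlier, as an added example (not from the lecture): a square-and-multiply exponentiation instrumented to record the SQ/MUL sequence a power trace exposes, the decoding of that sequence back into exponent bits (the slide's 1100...), and a Montgomery ladder whose operation sequence is identical for every exponent. The ladder is a simulation of the operation pattern only; a real implementation also has to address timing, memory access and the other channels listed on the following slides.

```python
def square_and_multiply_traced(y, d, N):
    """Left-to-right square-and-multiply for y^d mod N. Returns the result and the
    operation sequence: one SQ per exponent bit, plus a MUL after the SQ of each 1 bit."""
    trace, acc = [], 1
    for bit in bin(d)[2:]:
        acc = acc * acc % N
        trace.append("SQ")
        if bit == "1":
            acc = acc * y % N
            trace.append("MUL")
    return acc, trace

def bits_from_trace(trace):
    """What the attacker of the slide does: 'SQ MUL' means a 1 bit, a lone 'SQ' a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == "MUL":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)

def montgomery_ladder_traced(y, d, N):
    """Montgomery ladder for y^d mod N: every bit costs exactly one MUL and one SQ,
    so the SQ/MUL sequence no longer depends on d (invariant: r1 = r0 * y)."""
    r0, r1, trace = 1, y % N, []
    for bit in bin(d)[2:]:
        if bit == "0":
            r1 = r0 * r1 % N
            r0 = r0 * r0 % N
        else:
            r0 = r0 * r1 % N
            r1 = r1 * r1 % N
        trace += ["MUL", "SQ"]
    return r0, trace

if __name__ == "__main__":
    _, t = square_and_multiply_traced(5, 0b1100, 1000003)
    print("square-and-multiply trace:", " ".join(t), "-> bits", bits_from_trace(t))
    _, t1 = montgomery_ladder_traced(5, 0b1100, 1000003)
    _, t2 = montgomery_ladder_traced(5, 0b1011, 1000003)
    print("ladder traces identical for different exponents:", t1 == t2)
```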
RSA-OAEP Encryption
[Diagram: message M is formatted as DB = H(L) || 0···0 || 01 || M; a random seed is expanded with MGF and XORed onto DB to give maskedDB; maskedDB is expanded with MGF and XORed onto the seed to give maskedSeed; the block 00 || maskedSeed || maskedDB goes through Enc to give the ciphertext]

Yet Another Side Channel Attack
Bleichenbacher’s attack against PKCS#1v1.5:
Attacker intercepts y = x^e mod N and aims at recovering x
Attacker plays with the server by sending fake ciphertexts y′ of the form y′ = s^e y mod N
Most of the time, y′ does not decrypt well and the server issues an error message.
If the server accepts, then (y′)^d mod N starts with 00 02, hence 2 × 256^{k−2} ≤ s x mod N < 3 × 256^{k−2}
By using this oracle 1 000 000 times, Attacker can reconstruct x

PKCS#1v1.5 Encryption
[Diagram: message M is formatted as 00 || 02 || PS (random) || 00 || M, then Enc gives the ciphertext]

PKCS#1v1.5
(Modulus of k bytes, message M of at most k−11 bytes.)
Encryption:
1. generate a pseudorandom string PS of non-zero bytes so that M||PS is of k−3 bytes
2. construct the string 00||02||PS||00||M of k bytes
3. convert it into an integer
4. perform the plain RSA encryption
5. convert the result into a string of k bytes
Decryption:
1. convert the ciphertext into an integer, reject it if it is greater than the modulus
2. perform the plain RSA decryption and obtain another integer
3. convert back the integer into a byte string
4. check that the string has the 00||02||PS||00||M format for some byte strings PS and M where PS has no zero bytes
5. output M

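The encryption and decryption steps of this slide and the PKCS#1v1.5 block diagram before it, as an added example (not part of the lecture): byte-level padding, plain RSA on the integer, and the decryption-side format check, with a constructed toy key built from two known Mersenne primes (2^61 − 1 and 2^89 − 1, a 150-bit modulus far below real sizes). The decoder returns one and the same failure value for every way the check can fail; the Bleichenbacher slide above shows what goes wrong when a server reveals which check failed, so a real implementation must also run the check in constant time and must not distinguish format errors from other decryption errors.

```python
import secrets

# Constructed toy key from two known Mersenne primes (not a real-world size).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 2**16 + 1
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8             # modulus length in bytes: 19

def pkcs1_v15_pad(msg, k):
    """Steps 1-2: 00 || 02 || PS || 00 || M with PS random non-zero bytes, k bytes in all.
    PKCS#1 requires PS to be at least 8 bytes, hence the k-11 limit on M of the slide."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    ps = bytearray()
    while len(ps) < k - 3 - len(msg):
        b = secrets.token_bytes(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg

def rsa_encrypt_pkcs1_v15(msg, e=E, n=N):
    """Steps 3-5: string -> integer, plain RSA, integer -> k-byte string."""
    k = (n.bit_length() + 7) // 8
    x = int.from_bytes(pkcs1_v15_pad(msg, k), "big")
    return pow(x, e, n).to_bytes(k, "big")

def rsa_decrypt_pkcs1_v15(ct, d=D, n=N):
    """Decryption steps 1-5. Returns M, or None on any failure: wrong length, integer
    not below the modulus, or a block that is not 00 || 02 || PS || 00 || M with PS
    free of zero bytes and at least 8 bytes long."""
    k = (n.bit_length() + 7) // 8
    y = int.from_bytes(ct, "big")
    if len(ct) != k or y >= n:
        return None
    em = pow(y, d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)                # the first zero after the 02 byte ends PS
    ok = em[0] == 0 and em[1] == 2 and sep != -1 and sep >= 10
    return em[sep + 1:] if ok else None

if __name__ == "__main__":
    ct = rsa_encrypt_pkcs1_v15(b"key:1234")
    print("ciphertext bytes:", len(ct), "decrypts to:", rsa_decrypt_pkcs1_v15(ct))
```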
Diffie-Hellman Cryptography
[Diagram: Diffie-Hellman (the trapdoor permutation was a problem to instantiate) → RSA and ElGamal]
RSA, trapdoor permutation: operation in Z∗n which can be inverted with the factorization of n
ElGamal, probabilistic encryption: encryption returns g^r along with symEnc_{y^r}(message) for y^r = DH(g, g^r, y)

Chapter 9: Public Key Cryptography (Diffie-Hellman, RSA, Other Public Key Cryptosystems)

Mask Generation Function in RSA-OAEP
The PKCS specifications further suggest a mask generation function MGF1 which is based on a hash function. The MGF1_ℓ(x) string simply consists of the ℓ leading bytes of
⋆ Attacks on ElGamal signatures: existential forgery, Bleichenbacher attack
⋆ Provable security: interactive proofs, random oracle model

Chapter 10: Digital Signatures

Application: Certificates
[Diagram: Client and Server talk over an insecure channel; the Authority holds the signature key pair and its public key Kp reaches the Client over an AUTHENTICATED channel; the Server's public key κ reaches the Authority over an AUTHENTICATED channel and comes back as a certificate]
certificate = signature_Ks(“I certify that public key κ belongs to S”)

Digital Signature
[Diagram: Generator → Secret Key (to Sign) and Public Key (to Verify, over an AUTHENTICATED, INTEGER channel); Message → Sign → channel (Adversary) → Verify → ok? / Message]

Authentication Channel
[Diagram: Generator → the same Key to MAC and to Check, over a CONFIDENTIAL, AUTHENTICATED, INTEGER channel; Message → MAC → channel (Adversary) → Check → ok? / Message]

Asymmetric Encryption
[Diagram: Generator → Secret Key (to Decrypt) and Public Key (to Encrypt, over an AUTHENTICATED, INTEGER channel); Message → Encrypt → channel (Adversary) → Decrypt → Message]

Encryption to Signature
[Diagram: the signer hashes the message X and applies Decrypt with the secret key d to the digest to get σ, then sends (X, σ); the verifier applies Encrypt with the public key to σ, hashes X and compares the two values → ok?; keys come from a Generator, the public key over an AUTHENTICATED, INTEGER channel; the Adversary sees (X, σ)]

Chapter 10: Digital Signatures (Digital Signature Schemes, RSA Signature, ElGamal Signature Family)

Security Models
adversary power: passive (low capabilities) ... chosen message (high capabilities)
objective: total break (strong objective) ... universal forgery ... existential forgery (weak objective)
security model: weaker (strong objective, low capabilities) → stronger (weak objective, high capabilities)
attack: stronger ← weaker

Threat Models
Total break: an adversary can recover the secret key
Universal forgery: an adversary can forge the signature of any or a random message
Existential forgery: an adversary can forge a valid message-signature pair
Adversary model: can intercept signatures (passive), can access a signing oracle, ...

Plain RSA Signature
Set up: find two random different prime numbers p and q of s/2 bits. Set N = pq. Pick a random e until gcd(e, (p−1)(q−1)) = 1. (Sometimes we pick a special e like e = 3 or e = 17.) Set d = e^{−1} mod ((p−1)(q−1)).
Secret key: Ks = (d, N).
Public key: Kp = (e, N).
Message: an element y ∈ Z∗N.
Signature generation: x = y^d mod N.
Extraction: y = x^e mod N.
(Signature with message recovery)

Encryption to Signature with Message Recovery
[Diagram: Generator → Secret Key (to Sign) and Public Key (over an AUTHENTICATED, INTEGER channel); Message X → Sign, i.e. Decrypt → σ → channel (Adversary) → Encrypt → Message X]

Signature with Message Recovery
[Diagram: Generator → Secret Key (to Sign) and Public Key (to Extract, over an AUTHENTICATED, INTEGER channel); Message X → Sign → Signature σ → channel (Adversary) → Extract → ok? and Message X]

Hash-and-Sign Paradigm
[Diagram: the signer hashes the message X and signs the digest with the secret key d to get σ, then sends (X, σ); the verifier hashes X and runs Verify on the digest and σ with the public key → ok?; keys come from a Generator, the public key over an AUTHENTICATED, INTEGER channel; the Adversary sees (X, σ)]

Signature Extraction
1. apply the extraction scheme, obtain a byte string
2. check that the string is of length k and that the rightmost hexadecimal digit is 6
3. perform a message recovery: we remove the leading bit 1, we replace the rightmost two bytes yH yR xH xR by yH yR π^{−1}(yH) xH, obtain ..., x_2, x_1, take z as the smallest index such that x_{2z} ⊕ S(x_{2z−1}) ≠ 0 (reject if it does not exist) and r equal to this value (and check that r ≤ 8), extract x_{2z}, x_{2z−2}, ..., x_2, remove the r − 1 leftmost bits (reject if they are not equal to zero). We must obtain a message m.
4. Check that the formatting scheme on m leads to the value obtained after opening the signature. (Check the redundancy.)

ISO/IEC 9796 Signature Generation
(signature of a d-bit message m into a k-bit signature, e.g. d ≤ 512 and k = 1024)
1. pad m with r−1 leading zero bits (at most seven) so that the total length can be cut into a sequence of z bytes m_z, m_{z−1}, ..., m_1
2. repeat the sequence and take the t = 32 rightmost bytes (t such that 16t ≥ k−1)
3. insert S(x) to the left of each of the t bytes x, and XOR r onto the zth rightmost redundancy byte S(m_z), where S(xH xL) = π(xH) π(xL) (shadow function), xH xL represents the two hexadecimal digits of x, and π is defined by
π: 0 1 2 3 4 5 6 7 8 9 A B C D E F
 ↦ E 3 5 8 9 4 2 F 0 D B 6 7 A C 1
4. take the k−1 rightmost bits, pad a bit 1 to the left, and replace the rightmost byte x = xH xL by xL 6
5. sign the formatted string (for instance) by using the plain RSA

ISO/IEC 9796
[Diagram: message → Format → Sign → signature; signature → Extract → Unformat → message]
format is invertible
signature with message recovery

Plain RSA Signature
[Diagram: Generator → Secret key (d, N) for Sign and Public key (e, N) for Extract (over an AUTHENTICATED, INTEGER channel); Message x → Sign: x^d mod N → Signature y (seen by the Adversary) → Extract: y^e mod N]
N = pq, ϕ(N) = (p−1)(q−1)
1 = gcd(e, ϕ(N)), d = e^{−1} mod ϕ(N)

PKCS#1v1.5 Signature
[Diagram: message → H → digest encoded into D; the block 00 || 01 || FF···FF || 00 || D goes through Sign to give the signature]

Signature Verification
1. convert the signature into an integer. Reject it if it is greater than the modulus.
2. perform the plain RSA verification and obtain another integer.
3. convert back the integer into a byte string.
4. check that the string has the 00||01||FF...FF||00||D format for a byte string D.
5. decode the data D and obtain the message digest and the hash algorithm. Check that the hash algorithm is acceptable.
6. hash the message and check the message digest.

PKCS#1v1.5
We are given a modulus N of k bytes.
1. hash the message (for instance with MD5) and get a message digest.
2. encode the message digest and the identifier of the hash algorithm into a string D.
3. pad it with a zero byte to the left, then with many FF bytes in order to reach a length of k−2 bytes, then with a 01 byte. We obtain k−1 bytes.
4. This byte string 00||01||FF···FF||00||D is converted into an integer.
5. compute the plain RSA signature.
6. convert the result into a string of k bytes.

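The signature generation steps of this slide and the verification steps of the slide before it, as an added example (not from the lecture): the 00 || 01 || FF···FF || 00 || D encoding with D the DigestInfo of SHA-256 (the slide mentions MD5; SHA-256 is used here and its DigestInfo prefix is the one given in PKCS#1), plain RSA signing, and a verifier that rebuilds the whole expected encoding and compares it with the extracted block instead of parsing that block field by field. The toy key uses the known Mersenne primes 2^521 − 1 and 2^127 − 1 (constructed, not a real key).

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256 as listed in PKCS#1 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key from two known Mersenne primes (not a real-world key).
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 2**16 + 1
D = pow(E, -1, (P - 1) * (Q - 1))

def modulus_bytes(n):
    """k, the modulus length in bytes."""
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15_encode(msg, k):
    """Steps 1-3: D = DigestInfo || H(msg); 00 || 01 || FF...FF || 00 || D of exactly k bytes."""
    d = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    ps_len = k - 3 - len(d)
    if ps_len < 8:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + d

def rsa_sign_pkcs1_v15(msg, d=D, n=N):
    """Steps 4-6: encoding -> integer -> plain RSA signature -> k-byte string."""
    k = modulus_bytes(n)
    x = int.from_bytes(emsa_pkcs1_v15_encode(msg, k), "big")
    return pow(x, d, n).to_bytes(k, "big")

def rsa_verify_pkcs1_v15(msg, sig, e=E, n=N):
    """Verification steps 1-6. Instead of parsing the block (steps 4-5), the expected
    encoding is recomputed and compared in full; this also pins the hash algorithm
    to the one the verifier accepts (step 5's 'acceptable' check)."""
    k = modulus_bytes(n)
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, k))

if __name__ == "__main__":
    msg = b"PAY 1'000'000.-CHF"
    sig = rsa_sign_pkcs1_v15(msg)
    print("signature bytes:", len(sig), "verifies:", rsa_verify_pkcs1_v15(msg, sig))
    print("other message verifies:", rsa_verify_pkcs1_v15(b"PAY 2'000'000.-CHF", sig))
```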
Example “PAY 1’000’000.-CHF”
P A Y 1 ’ 0 0 0 ’ 0 0 0 . - C H F
50 40 59 20 31 27 30 30 30 27 30 30 30 2e 2d 43 48 46
1. m = 5040 5920312730303027 3030302e2d434846, z = 18
2. 3127303030273030 302e2d434846 | 5040 5920312730303027 3030302e2d434846

ElGamal Signature
Public parameters: a large prime number p, a generator g of Z∗p.
Set up: generate a random x ∈ Zp−1 and compute y = g^x mod p.
Secret key: Ks = x.
Public key: Kp = y.
Message digest: h = H(M) ∈ Zp−1.
Signature generation: pick a random k ∈ Z∗p−1, compute r = g^k mod p and s = (h − xr)/k mod (p−1); the signature is σ = (r, s).
Verification: check that y^r r^s ≡ g^h (mod p) and 0 ≤ r < p.

Chapter 10: Digital Signatures (Digital Signature Schemes, RSA Signature, ElGamal Signature Family)

RSA-PSS Verification
[Diagram: signature → Extract → block maskedDB || H || bc (with the "OR 80" step of the diagram); H is expanded with MGF and XORed onto maskedDB to recover 0···01 || salt; H(0···00 || H(M) || salt) is recomputed from the message and the recovered salt and compared (=) with H]

RSA-PSS
[Diagram: message → H(M); a random salt is chosen; H = H(0···00 || H(M) || salt); the block 0···01 || salt is XORed with MGF(H) to give maskedDB; the block maskedDB || H || bc (with the "OR 80" step of the diagram) goes through Sign to give the signature]

Drawbacks of ElGamal Signatures
signatures are pretty long
security issues related to subgroups
lack of security proof for arbitrary public parameter
Security if we Miss the Inequality Check
If we do not check that 0 ≤ r < p, we have a universal forgery attack:
pick r_{p−1}, s ∈ Z∗p−1 at random
set r_p = g^{h(M)/s} y^{−r_{p−1}/s} mod p
pick r such that r mod p = r_p and r mod (p−1) = r_{p−1} using the Chinese Remainder Theorem
issue (r, s) as a signature for M

Security
key recovery is equivalent to the discrete logarithm problem
existential forgery is hard on average over the random choice of the public parameters in the random oracle model provided that the discrete logarithm is hard

ElGamal Signature
[Diagram: Generator: p prime, g generator of Z∗p, y = g^x mod p; Secret key x (to Sign), Public key y (to Verify, over an AUTHENTICATED, INTEGER channel); Sign: k ∈ Z∗p−1, r = g^k mod p, s = (H(M) − xr)/k mod (p−1), send (M, r, s); the Adversary sees (M, r, s); Verify: 0 ≤ r < p and y^r r^s ≡ g^{H(M)} (mod p) → ok? / Message M]

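The ElGamal signature scheme of this diagram and of the specification slide earlier, as an added example (not part of the lecture): constructed toy parameters p = 2039 with g a generator of the whole group Z∗p, signing with s = (h − xr) k^{−1} mod (p − 1), and a verifier that performs the 0 ≤ r < p check first. The slide on the missing inequality check explains why that test matters; this verifier also rejects s outside (0, p − 1) and the signer retries when s = 0, two precautions that are standard practice but not stated on the slides. SHA-256 reduced mod p − 1 stands in for the slides' H.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (not a real-world size): p = 2q + 1 prime, so a
# generator of Z_p^* is any g with g^2 != 1 and g^q != 1 (mod p).
P = 2039
Q = (P - 1) // 2                      # 1019, prime

def find_generator(p, q):
    """Smallest generator of Z_p^* for p = 2q + 1."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")

G = find_generator(P, Q)

def digest(msg, p=P):
    """h = H(M) in Z_{p-1}: SHA-256 reduced mod p-1 (stand-in for the slides' H)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (p - 1)

def keygen(p=P, g=G):
    """Secret x in Z_{p-1}, public y = g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def sign(msg, x, p=P, g=G, k=None):
    """r = g^k mod p, s = (h - x r) k^{-1} mod (p-1). k must be coprime to p-1 and
    must never be reused; the k parameter exists only to make tests reproducible."""
    h = digest(msg, p)
    while True:
        if k is None:
            k = secrets.randbelow(p - 2) + 1
        if math.gcd(k, p - 1) == 1:
            r = pow(g, k, p)
            s = (h - x * r) * pow(k, -1, p - 1) % (p - 1)
            if s != 0:                         # s = 0 would reveal x; retry with a new k
                return r, s
        k = None

def verify(msg, sig, y, p=P, g=G):
    """Check 0 <= r < p first (the slide's inequality), then y^r r^s == g^h (mod p)."""
    r, s = sig
    if not 0 <= r < p:
        return False
    if not 0 < s < p - 1:                      # extra range check, not on the slide
        return False
    h = digest(msg, p)
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, h, p)

if __name__ == "__main__":
    x, y = keygen()
    sig = sign(b"hello", x)
    print("valid signature accepted:", verify(b"hello", sig, y))
    print("r + p (would pass without the range check) rejected:",
          not verify(b"hello", (sig[0] + P, sig[1]), y))
```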
Schnorr Signature
[Diagram: Generator: q prime, p = aq + 1 prime, g = random^a mod p > 1, y = g^x mod p; Secret key x (to Sign), Public key y (to Verify, over an AUTHENTICATED, INTEGER channel); Sign: k ∈ Z∗q, r = g^k mod p, e = H(M|r), s = ex + k mod q, send (M, e, s); the Adversary sees (M, e, s); Verify: compare e and H(M | g^s y^{−e} mod p) → ok? / Message M]

Generating the Public Parameters
pick a prime number q
take a random p = aq + 1 until it is prime
take a random number in Z∗p, raise it to the power a modulo p, and get g
if g = 1, try again (otherwise, it must be of order q in Z∗p)

Schnorr Signature
Public parameters: pick a not-too-large prime number q, a large prime number p = aq + 1, and g, a generator of Z∗p raised to the power a (an element of order q).
Set up: pick x ∈ Zq and compute y = g^x mod p.
Secret key: Ks = x.
Public key: Kp = y.
Signature generation: pick a random k ∈ Z∗q, compute r = g^k mod p, e = H(M|r), and s = ex + k mod q; the signature is σ = (e, s).
Verification: check that e = H(M | g^s y^{−e} mod p).

The ElGamal Dynasty
1984 ElGamal signatures
1989 Schnorr signatures
1995 DSA: US signatures
1995 Nyberg-Rueppel signatures
1997 Pointcheval-Vaudenay signatures
1998 KCDSA: Korean signatures
1998 ECDSA
...
Benefits from the DSA
US standard
signatures are shorter
no proper subgroup (only {1} and the group itself)
BUT
security results are weaker
DSA Signature
[Diagram: Generator: q prime, p = aq + 1 prime, g = random^a mod p > 1, y = g^x mod p; Secret key x (to Sign), Public key y (to Verify, over an AUTHENTICATED, INTEGER channel); Sign: k ∈ Z∗q, r = (g^k mod p) mod q, s = (H(M) + xr)/k mod q, send (M, r, s); the Adversary sees (M, r, s); Verify: compare r and (g^{H(M)/s} y^{r/s} mod p) mod q → ok? / Message M]

DSA Signature (DSS)
Public parameters: pick a 160-bit prime number q, a large prime number p = aq + 1, and g, a generator of Z∗p raised to the power a (an element of order q).
Set up: pick x ∈ Zq and compute y = g^x mod p.
Secret key: Ks = x.
Public key: Kp = y.
Signature generation: pick a random k ∈ Z∗q, compute r = (g^k mod p) mod q, and s = (H(M) + xr)/k mod q; the signature is σ = (r, s).
Verification: check that r = (g^{H(M)/s mod q} y^{r/s mod q} mod p) mod q.

Benefits from the Schnorr Signature
signatures are shorter
no proper subgroup (only {1} and the group itself)
some form of provable security (related to interactive proofs)
Conclusion
Two families of signature schemes
RSA: with message recovery, based on the RSA problem
ElGamal: with domain parameters, based on the discrete logarithm
Sensitive security

Benefits from the Pointcheval-Vaudenay Signature
ISO/IEC standard
signatures are shorter
no proper subgroup (only {1} and the group itself)
stronger security proof
Pointcheval-Vaudenay Signature
[Diagram: Generator: q prime, p = aq + 1 prime, g = random^a mod p > 1, y = g^x mod p; Secret key x (to Sign), Public key y (to Verify, over an AUTHENTICATED, INTEGER channel); Sign: k ∈ Z∗q, r = (g^k mod p) mod q, s = (H(r||M) + xr)/k mod q, send (M, r, s); the Adversary sees (M, r, s); Verify: compare r and (g^{H(r||M)/s} y^{r/s} mod p) mod q → ok? / Message M]

Pointcheval-Vaudenay Signature
Public parameters: pick a 160-bit prime number q, a large prime number p = aq + 1, and g, a generator of Z∗p raised to the power a (an element of order q).
Set up: pick x ∈ Zq and compute y = g^x mod p.
Secret key: Ks = x.
Public key: Kp = y.
Signature generation: pick a random k ∈ Z∗q, compute r = (g^k mod p) mod q, and s = (H(r||M) + xr)/k mod q; the signature is σ = (r, s).
Verification: check that r = (g^{H(r||M)/s mod q} y^{r/s mod q} mod p) mod q.

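The Schnorr, DSA and Pointcheval-Vaudenay schemes of the last slides share their public parameters, so one added example (not from the lecture) covers all three: the procedure of the "Generating the Public Parameters" slide at constructed toy sizes, Schnorr signing and verification, and DSA signing and verification with a switch that replaces H(M) by H(r||M), which is the only difference between DSA and Pointcheval-Vaudenay on these slides. The hash is SHA-256 over length-prefixed parts, an assumption standing in for the slides' H, and trial division is used for primality at these toy sizes.

```python
import hashlib
import secrets

def is_prime(n):
    """Trial division: fine for the toy sizes of this example only."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def gen_params(q_bits=16, a_bits=16):
    """The slide's procedure: prime q; random p = aq + 1 until prime; g = h^a mod p
    for random h in Z_p^*, retried while g = 1. The result g has order q."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_prime(q):
            break
    while True:
        a = secrets.randbits(a_bits) + 2
        p = a * q + 1
        if is_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, a, p)
        if g != 1:
            return p, q, g

def hash_int(*parts):
    """H(.) as an integer: SHA-256 over length-prefixed parts (bytes or ints),
    so that H(M|r) and H(r||M) are unambiguous concatenations."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(max(1, (part.bit_length() + 7) // 8), "big")
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def keygen(params):
    """Secret x in Z_q, public y = g^x mod p."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def schnorr_sign(msg, x, params, k=None):
    """r = g^k mod p, e = H(M|r) mod q, s = e x + k mod q; signature (e, s).
    The k parameter is for reproducible tests only; k must be fresh and secret."""
    p, q, g = params
    if k is None:
        k = secrets.randbelow(q - 1) + 1
    r = pow(g, k, p)
    e = hash_int(msg, r) % q
    return e, (e * x + k) % q

def schnorr_verify(msg, sig, y, params):
    """Recover r = g^s y^{-e} mod p and check e = H(M|r) mod q."""
    p, q, g = params
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    r = pow(g, s, p) * pow(y, q - e, p) % p      # y has order q, so y^{q-e} = y^{-e}
    return hash_int(msg, r) % q == e

def dsa_sign(msg, x, params, k=None, bind_r=False):
    """DSA: r = (g^k mod p) mod q, s = (h + x r) k^{-1} mod q with h = H(M).
    bind_r=True gives Pointcheval-Vaudenay, where h = H(r||M) instead."""
    p, q, g = params
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        k = None                                  # any retry uses a fresh random k
        r = pow(g, kk, p) % q
        h = hash_int(r, msg) if bind_r else hash_int(msg)
        s = (h + x * r) * pow(kk, -1, q) % q
        if r != 0 and s != 0:
            return r, s

def dsa_verify(msg, sig, y, params, bind_r=False):
    """Check r = (g^{h/s} y^{r/s} mod p) mod q, with the same h as in signing."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    h = hash_int(r, msg) if bind_r else hash_int(msg)
    w = pow(s, -1, q)
    return pow(g, h * w % q, p) * pow(y, r * w % q, p) % p % q == r

if __name__ == "__main__":
    params = gen_params()
    x, y = keygen(params)
    print("Schnorr:", schnorr_verify(b"msg", schnorr_sign(b"msg", x, params), y, params))
    print("DSA:    ", dsa_verify(b"msg", dsa_sign(b"msg", x, params), y, params))
    print("PV:     ", dsa_verify(b"msg", dsa_sign(b"msg", x, params, bind_r=True), y, params, bind_r=True))
```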
Chapter Content
Security setup: certificates
Remote access: SSH
Secure Internet transactions: SSL
Security for individuals: PGP

Chapter 12: From Cryptography to Communication Security
Key establishment: set up A/I/C key material for message security
Sequentiality: whenever a participant has seen a message sequence starting with X1, ..., Xt, with Xt coming in, then the other participant has seen a message sequence whose first t messages are X1, ..., Xt
Termination fairness: making sure that the last message on both ends is the same one

Security Property of Communication Channels
[Diagram: Message X → channel (Adversary) → X]
Confidentiality, Authentication, Integrity
Freshness: the received X was not received before
Liveliness: a sent message X is eventually delivered
Timeliness: (> liveliness) time of delivery is upper bounded

Chapter 12: From Cryptography to Communication Security (Setting up a Secure Communication Channel, SSH: Secure Shell, SSL: Secure Socket Layer, PGP: Pretty Good Privacy, Other Examples)

... with A+I Channel: Key Agreement Protocol
[Diagram: ProtoAlice and ProtoBob run a key agreement over an AUTHENTICATED, INTEGER channel and each obtain Key; Message → Enc/MAC → channel (Adversary) → Dec/Check → ok? / Message]

Setting up a Secure Channel with A+I+C Channel
[Diagram: Generator → Key to both ends over a CONFIDENTIAL, AUTHENTICATED, INTEGER channel; Message → Enc/MAC → channel (Adversary) → Dec/Check → ok? / Message]

Achieving Authentication
[Diagram: Generator → Key to both ends over a CONFIDENTIAL, AUTHENTICATED, INTEGER channel; Message → MAC → channel (Adversary) → Check → ok? / Message]

Achieving Confidentiality
[Diagram: Generator → Key to both ends over a CONFIDENTIAL channel; Message → Encrypt → channel (Adversary) → Decrypt → Message]

Client-Server Solution based on a Third Party
[Diagram: Client and Server talk over an insecure channel; the Authority's public key K_p^CA reaches the Client over an AUTHENTICATED channel; the Server's public key K_p reaches the Authority over an AUTHENTICATED channel and comes back as a certificate]

Summary
we set up an initial authenticated communication channel
we exchange a master symmetric key using public key cryptography
we derive several symmetric keys
we use conventional cryptography to set up secure channels

Approaches to Build an Initial Authenticated Channel
[Diagram: CA Secret Key (to Sign) and CA Public Key (to Verify, over an AUTHENTICATED, INTEGER channel); Public Key → Sign → Certificate → channel (Adversary) → Verify → ok? / Public Key]

Critical Secure Channels
[Diagram: the Authority distributes its public key K_p^CA to Client 1, Client 2 and Client 3; Server 1, Server 2 and Server 3 each hold their own public key K_p^1, K_p^2, K_p^3]

Connection
Client sends a connection request to Server
Client and Server run a key exchange protocol in which Server is authenticated
Server sends its public key together with a certificate (if available)
(First connection only) Client checks the certificate or requests the user to authenticate the public key by other means. Client stores the public key in a local database (typically, .ssh/known_hosts).
(Other connections only) Client checks the public key against the local database.
They set up a secure channel
Client is authenticated by an application (e.g. a password)

Principles
principle: to implement secure (i.e. confidential and authenticated) communication channels in a client-server session
original philosophy: to be user-friendly (ssh had to be used exactly like rlogin), ready to use without any complicated installation, and to be deployed easily
drawback: the security level is not so high, but still higher than what was used before
SSH2 uses public key infrastructures in order to authenticate the server. This is typically heavy stuff, but the user can easily bypass it: he just has to click “OK” any time there is a security warning.

Chapter 12: From Cryptography to Communication Security (Setting up a Secure Communication Channel, SSH: Secure Shell, SSL: Secure Socket Layer, PGP: Pretty Good Privacy, Other Examples)

SSH2 key exchange, message flow:
Client → Server: version V_C, initial message I_C
Server → Client: version V_S, initial message I_S
Client: pick x, e = g^x mod p; Client → Server: e
Server: pick y, f = g^y mod p, K = e^y mod p, H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), s = Sig(H); Server → Client: K_S, f, s
Client: K = f^x mod p, check K_S, H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), Ver_{K_S}(s, H)
I_C and I_S: negotiation of algorithms
K_S: public key of the server
for diffie-hellman-group1-sha1 key exchange: p = 2^1024 − 2^960 − 1 + 2^64 × ⌊2^894 π + 129093⌋, g = 2, q = (p−1)/2

SSH2 Key Exchange and Authentication
DSA for server authentication
Diffie-Hellman key exchange for setting up a symmetric session key
(previous versions were entirely based on RSA)
Both DSA and Diffie-Hellman are based on some generator g which generates a subgroup of Z∗p of prime order q

Critical Assumptions
public key authentication in the first connection is secure (otherwise Server can be impersonated)
the local database has integrity protection (otherwise the Server public key can be replaced by another one)

Requirements
strong bidirectional authentication
confidentiality of communications
integrity of communication
the client part need not be strongly secure

Example of Critical Application

Chapter 12: From Cryptography to Communication Security (Setting up a Secure Communication Channel, SSH: Secure Shell, SSL: Secure Socket Layer, PGP: Pretty Good Privacy, Other Examples)

Secure Channel
The choice of the symmetric algorithms is negotiated between Client and Server
Several encryption schemes are proposed: triple DES, AES, RC4, IDEA, ...
The MAC algorithm is typically HMAC based on SHA-1 or MD5

Session State
Session identifier
Peer certificate (if any)
Cipher suite choice: algorithm for authentication and key exchange during handshake; Cipher Spec: symmetric algorithms (encryption and MAC)
Master secret (a 48-byte symmetric key)
nonces (from the client and the server)
sequence numbers (one for each communication direction)
compression algorithm (if any)

TLS Record Protocols
Handshake Protocol (for initiating a session)
Change Cipher Spec Protocol (for setting up cryptographic algorithms)
Alert Protocol (for managing warnings and fatal errors)
Application Data Protocol

Common Use Principle
client-server communications, random client, corporate server
trusted third party: certificate authority (CA)
A+I secure channel with CA to be used only once
authentication of server based on public key
authentication of client (if needed) based on password
interoperable cipher suites
History
First version by Netscape in 1994
Microsoft version PCT in 1995
SSLv3 by Netscape in 1995
IETF version TLS/1.0 in 1997 [RFC2246]
IETF version TLS/1.1 in 2005 (draft)
Goal: secure any communication (e.g. HTTP) based on TCP/IP

Original TLS Cipher Suites — ii
CipherSuite | Key Exchange | Cipher | Hash
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | DHE_DSS | DES40 | SHA-1
TLS_DHE_DSS_WITH_DES_CBC_SHA | DHE_DSS | DES | SHA-1
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | DHE_DSS | 3DES_EDE | SHA-1
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | DHE_RSA | DES40 | SHA-1
TLS_DHE_RSA_WITH_DES_CBC_SHA | DHE_RSA | DES | SHA-1
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | DHE_RSA | 3DES_EDE | SHA-1
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 | DH_anon | RC4_40 | MD5
TLS_DH_anon_WITH_RC4_128_MD5 | DH_anon | RC4_128 | MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | DH_anon | DES40 | SHA-1
TLS_DH_anon_WITH_DES_CBC_SHA | DH_anon | DES | SHA-1
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | DH_anon | 3DES_EDE | SHA-1

Original TLS Cipher Suites — i
CipherSuite | Key Exchange | Cipher | Hash
TLS_NULL_WITH_NULL_NULL | NULL | NULL | NULL
TLS_RSA_WITH_NULL_MD5 | RSA | NULL | MD5
TLS_RSA_WITH_NULL_SHA | RSA | NULL | SHA-1
TLS_RSA_EXPORT_WITH_RC4_40_MD5 | RSA | RC4_40 | MD5
TLS_RSA_WITH_RC4_128_MD5 | RSA | RC4_128 | MD5
TLS_RSA_WITH_RC4_128_SHA | RSA | RC4_128 | SHA-1
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | RSA | RC2_40 | MD5
TLS_RSA_WITH_IDEA_CBC_SHA | RSA | IDEA | SHA-1
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | RSA | DES40 | SHA-1
TLS_RSA_WITH_DES_CBC_SHA | RSA | DES | SHA-1
TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | 3DES_EDE | SHA-1
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | DH_DSS | DES40 | SHA-1
TLS_DH_DSS_WITH_DES_CBC_SHA | DH_DSS | DES | SHA-1
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | DH_DSS | 3DES_EDE | SHA-1
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | DH_RSA | DES40 | SHA-1
TLS_DH_RSA_WITH_DES_CBC_SHA | DH_RSA | DES | SHA-1
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | DH_RSA | 3DES_EDE | SHA-1

MAC in Record Protocol
More precisely, the MAC of a fragment is computed as the HMAC with key MAC_write_secret on
handshake is the concatenation of all handshake messages; MAC_C and MAC_S are of 12 bytes; key_block is the concatenation of the four private keys and the two initial vectors.
Client → Server, ClientKeyExchange: ENC(pre_master_secret); the Server decrypts it and obtains pre_master_secret
RSA encryption is PKCS#1v1.5
the RSA public key must be authenticated

Using Stream Ciphers
The RC4 stream cipher is used as a key-stream generator with one-time pad. The internal state of the generator is kept in the connection state so that the RC4 automaton continuously generates keystreams in order to encrypt the fragments sequence.

Using Block Ciphers in CBC Mode
[Diagram: Text → MAC → PAD → CBC encryption; on reception CBC decryption → VER (padding and MAC verification) → Text, with two distinct failure outcomes: "bad record mac" and "decryption failed"]
[Example residue: the plaintext "SECRET ACCESS" cut into blocks (bloc 1, bloc 2, bloc 3) with padding bytes at the end]

Secure Channel in SSL/TLS (Using CBC Encryption)
[Diagram: sender: MAC(MAC key, seq num, fragment) is appended to the fragment, then Enc with the Enc key and IV; channel (Adversary); receiver: Dec with the Enc key and IV, then MAC(MAC key, seq num, fragment) is recomputed and compared (=) with the received MAC]

Chapter 12: From Cryptography to Communication Security (Setting up a Secure Communication Channel, SSH: Secure Shell, SSL: Secure Socket Layer, PGP: Pretty Good Privacy, Other Examples)

Users manage their public key ring themselves (extracting, adding, changing keys, annotating, ...)
When a user is given a public key from another one, he can insert it in his key ring. At the same time, he qualifies how much he trusts that the key is valid. For instance,
if the key was given hand to hand, he can fairly trust that the key is valid
if the key was taken from a web site through an insecure connection, he may give a low confidence in the validity
if the public key is certified by a third party, the user puts a trust qualification accordingly
a web of trust of users defines trust paths for public keys

Key Management
symmetric keys can be prompted to the user. They are usually derived from a pass phrase which is freely chosen by the user, by using a hash function.
Asymmetric keys are stored in key ring databases.
Asymmetric secret keys are encrypted by a symmetric one.
extensive usage of checksums and cryptographic digests so that bad pass phrases or modified files are easily detected
asymmetric key pair generation by providing enough randomness (e.g. using an “entropy collector” with key strokes on the keyboard)

Main Conclusion
La crypto c’est rigolo!
SV, 1995
(Crypto is fun!)
Conclusion
SSH increases IP security for remote connections
SSL is a key for WWW security
PGP is a nice tool for small ad-hoc communities
they all put together all cryptographic ingredients quite nicely
they are permanently improved to fix mistakes and use the state-of-the-art cryptography

Bluetooth
secure network between devices within short distances
light weight cryptography
initial authenticated channel by human interaction with devices
key exchange based on a PIN and E21, E22 (low security)
derivation of a single 128-bit long-term link key
secure channel based on E0, E1, E3
several missing security properties: packet authentication, detection of packet loss, privacy, ...

Chapter 12: From Cryptography to Communication Security (Setting up a Secure Communication Channel, SSH: Secure Shell, SSL: Secure Socket Layer, PGP: Pretty Good Privacy, Other Examples)