CS 591

Monday, August 23
Initial topic: A Survey of Basic
Cryptography
Peter Gemmell
277-6509 office
280-2557 cellular
gemmell@cs.unm.edu
 What is cryptology?

• Generalized methods to hide (encrypt) and

authenticate information

• Generalized methods to expose and substitute

information

(malicious adversary -- not like that in error-correcting codes)

 An Important Distinction

Encryption = maintainng information secret/confidential

Authentication = proving and maintaining information integrity

(sometimes also availability)
 Cryptographic work can be at
different levels
-- algorithms/primitives: e.g. encryption algorithms,
signature algorithms, hash algorithms

-- protocols between more than 1 party: e.g. threshold

sharing

-- systems: e.g. electronic cash systems, smartcard systems

-- “Attacks” - on all the above

 Some applications of
cryptography
• network, operating systems security
• private internet, telephone communications
• electronic payments
• database security
• software protection
• pay television
• confidential, authentic military communications
 Open system design
vs
closed system design

Open design: the algorithm, protocol, or system design

may be public information. The only secret will be the
private or symmetric key(s)

Closed design: as much information as possible is kept

secret
 Types of Security

-- unconditional or “information theoretic”: the security

is provable free of assumptions

-- reducible or “provable”: one can prove that the security

is as valid as some common unproven assumption

-- ad hoc: the security seems good

 Types of algorithms
Symmetric (encryption)
Alice Bob

k k

sender receiver
encryption decryption
M ciphertext ciphertext M
Enck Deck
 Types of algorithms
Symmetric (authentication)
Alice Bob

k k

sender receiver
authentication verification

M M, Authk(M) M,Authk(M) “OK”

Authk Verifyk
 Types of algorithms
Public Key (assymmetric encryption)
Alice Bob

pubkey privkey

sender receiver
encryption decryption
M ciphertext ciphertext M
Encpubkey Decprivkey
 Types of algorithms
Public Key (assymmetric authentication)
Alice Bob

privkey pubkey

sender receiver
authentication verification

M M, Signprivkey(M) M, Signprivkey(M) “OK”

Signprivkey Verifypubkey
 Digital Signatures
A public key technique to authenticate information in
a non-repudiable way

may be legally binding

Recipient knows:
a) that the message is that of the supposed sender
b) can prove (a) to a third party
Why Public Key is so important
It lessens the number of keys needed in a general purpose
virtual private network (VPN)

Less reliance on a “trusted center” for system availability

and secrecy (e.g. electronic cash)

Non-repudiation
 Math Background
Modular (clock) Arithmetic

A mod N = remainder of A divided by N

B A mod N if B mod N = A mod N

A mod N + B mod N A + B mod N

A mod N * B mod N A*B mod N

 Encryption Algorithms
Historical and Toy

Caesar Cipher: {a, b, c … z} {1, 2, 3, … 26}

Enc(X) = Enc(x1 … xN)

= x1 + 3 mod 26 … xN + 3 mod 26 = C1 … CN

E.G. Enc(“Security”) = Enc(19,5,3,21,18,9,20,25)

= 22,8,6,24,21,12,23,2 = “Vhfxulyb”
Generalizations of Caesar Cipher
(all weak security)

Shift: Enck(x) = x+k mod 26

Affine: Enck1,k2(x) = k1 *x + k2 mod 26

Substitution: Encperm(x) = perm(x)

 Other Historial Ciphers
-- WWII American use of Navajo

-- WWII German Enigma machine

-- WWII Japanese Purple Machine

D. Kahn. The Codebreakers. Macmillan Co., New York, 1967.

 Unconditionally Secure Cipher
One-time pad
key = random* bits = 1100010011100100011…
message = bits = 1110011001100110001…

cipher text = XOR

of key, message = 0010001010000010010...

Problems: number of random bits = length of all messages

being encrypted (not reusable), random bits must be known
to both sender and recipient.
Data Encryption Standard (DES)
(symmetric key)
Enck(M) =
wild permutation, XOR’s of M, S-boxes, and k
16 “rounds,” 64-bit block input and output
not clean and concise (like RSA and one-time pad)

Standard for encryption of unclassified data since 1977

56 bits (40 bits in exported versions) yield valid

concerns about vulnerability to “exhaustive key search”
 Extensions to DES
that may give a longer effective key

Tripe-DES: ciphertext =
EncDESk1(EncDESk2(EncDESk3( plaintext)))
EncDESk1(DecDESk1 xor k2(EncDESk2( plaintext)))

DESX: ciphertext = k1 xor EncDESk1(message xor k3)

RC5 by Ron Rivest of RSA
(symmetric encryption algorithm)

Rotations, XOR’s, modular additions

With variable key lengths and being more

succinct than DES, it is faster and may
inspire more confidence
 RSA
(public key encryption*)

• Public key: (N,e)

• Private key: (p,q,d): p,q large primes;
e d
N = pq; d : (m ) = m mod N

*RSA encryption can be modified easily to work as the

RSA signature function
 RSA
(public key encryption, continued)

• Express message M as a number between

1 and N *
• Compute EncRSAN,e(M) = Me mod N
e d
• Compute DecRSA p,q,d(M e
) = (M ) = M mod N
• Assumed hard:
factoring,
discrete logs modulo N
 Hash functions
H

• compress length of message

1M bits (any number) 128 or 160 bits
• “collision-free”
for any x one can not compute y = x, H(x) = H(y)
• “random-like” behavior

E.G. SHA-1, MD5, MD2

 Authentication
unconditionally secure
Alice Bob

a,b a,b

sender receiver
authentication verification

M M, aM+b M, aM+b “OK”

a,b can be used only once

 Authentication
Keyed hash function (symmetric)
Alice Bob

k k

sender receiver
authentication verification

M M, H(k,M,k) M, H(k,M,k) “OK”

H(K XOR opad, H(K XOR ipad, text))

 Efficiency Considerations and
the need for symmetric session
keys
public key algorithms tend to be slow.

E.G. RSA decrypts at the order of 10k bits/second

DES encrypts/decrypts at the order of 1Mbit/second
 Key Exchange:
Establishing a (symmetric)
Session Key k
Alice Bob
pubkeyBob pubkeyAlice
privkeyAlice privkeyBob

k
 Impersonation Attack

Alice

pubkeyFakeBob “I’m Bob” pubkeyAlice

privkeyAlice privkeyFakeBob

important information
Certification Authority (CA)
“Bob”
“Bob” CA

PubkeyBob
misc info
misc info CA
signature

certificate binds a name to a public key

Open Network
Virtual Private Networks (VPN)
 VPN software/hardware
Application layer: SSL, Shttp, S/WAN, PCT

IP Layer: Netlock, competitors

 Electronic Payment Systems
“credit card,” “debit card” style

Visa, bank, or other

“You have received payment”

Internet payer Internet payee

 Sample Payment Protocols

• iKP of IBM
• SEPP: IBM, Netscape,GTE,CyberCash, and MasterCard
• VISA’s design
• First Virtual
• Secure Courier, STT
 Electronic Payment Systems
Chaum-style untraceable Cash

The Bank/Mint

Ecash
withdrawer/payer
The Bank/Mint

SN =
12345
BankSig
SN=
12345
ECash
Payee/Depositor

SN =
BankSig BankSig 12345
BankSig
 Electronic Payment Systems
Trustee-traceable Cash
Trustee 1

Trustee 2
The Bank/Mint

Ecash
Withdrawer/Payer
The Bank/Mint

SN =
12345
BankSig
SN=
12345
ECash
Payee/Depositor

SN =
BankSig BankSig 12345
BankSig
 Key Escrow, e.g. Clipper
Trustee 1
escrow
key1
ECash User
escrow Trustee 2
key2

escrow Trustee L
keyL
The Threshold Paradigm is one of
Distributed Trust

Secret Information
 Threshold Sharing

Dealer shares a secret S to L

shareholders. Some may be
untrustworthy.
Threshold Sharing protects:

- Secrecy: no k-1 shareholders can

learn the secret

- Integrity: no L-k shareholders

can destroy the secret
Fortezza, Capstone, and Skipjack

Skipjack: a classified NSA-designed

symmetric encryption algorithm

Capstone: suite of crypto functions for govt-related use

bulk data encryption algorithm: Skipjack
digital signature algorithm: DSA
key exchange protocol: not published
hash function: SHA

Fortezza: a tamper-resistant PCMCIA card, implementing

Capstone algorithms
 Man-in-the-Middle Attack
Alice Bob

“I’m Bob” “I’m Alice”

 Crypto Information Resources

• RSA FAQ (http://www.rsa.com/rsalabs/newfaq/)

• Handbook of Applied Cryptography Alfred J. Menezes,
Paul C. van Oorschot and Scott A. Vanstone
(http://www.dms.auburn.edu/hac/)
• B. Schneier, Applied Cryptography: Protocols,
Algorithms, and Source Code in C,
John Wiley & Sons, New York, 2nd Edition
• D.R. Stinson. Cryptography - Theory and Practice.
CRC Press, Boca Raton, 1995
http://bibd.unl.edu/~stinson/CTAP.html
• D. Kahn. The Codebreakers. Macmillan Co., New
York, 1967
 Homework
1. Decipher this Caesar Text: “Wklv lv d whvw”

2. Decipher this shift Text:

“Bqrairaijibnabiqjmibqraiwxbiknnwijibnabibqraivnaajpniexcumi
qjdniknnwimroon nwb”
hint: including a space character, there are 27 letters.

3. What is a CAPI and why is it important?

4. What is FIPS140 and why is it important?

e.c. What are Alice and Bob’s real names?

 Block Ciphers

• Iterated
• Key Schedule
• Feistel -- e.g. DES
 Modes of DES Encryption
DES is a block cipher, encryptions of the
same block repeated might yield the same
cipher text

• Electronic Code Book (ECB)

• Cipher Block Chaining (CBC)
• Cipher Feedback Mode (CFM)
• Output Feedback Mode (OFM)
Electronic Code Book mode
(ECB)

M1-64 M65-128

DES k DES k

C1-64 C65-128
Cipher Block Chaining mode
(CBC)
M65-128

M1-64 XOR

DES k DES k

C1-64 C65-128
Attacks -- characterized by
needs of the attacker

• Known Plaintext
• Chosen Plaintext
• Chosen Ciphertext

Also -- number of plaintext, ciphertext pairs

 The birthday paradox

Any random set of 23 people probably shares

a birthday
 A birthday attack

If hash function H maps into message digests of length 60 bits,

then an adversary can find a collision using only 230 inputs
 Meet in the middle attack
on symmetric encryption functions
(known plain text attack)
key k = k1,k2

Enck(M) = Enck1(Enck2(M))

Known Plain text P, Cipher text C = Enck(P)

 Meet in the middle technique

k2 = 000..0 k1 = 000..0

P Enck2(P) = Deck1(C) C

k2 = 11….1
k1 = 11….1
 Homework 2
• Why do people not advocate “double DES” ?
• Why do people not use error correcting codes for
encryption?
• Why do people not use error correcting codes for
authentication?
Using CBC DES for authentication
(symmetric)
M1-64 M65-128 Mlast block

XOR XOR

DES k DES k DES k

Authk(M)
 RSA
(public key signatures)

• Public key: (N,e)

• Private key: (p,q,d): p,q large primes;
e d
N = pq; d : (x ) = x mod N
 RSA
(public key signatures, continued)

• Hash message M to a number H(M)

• Compute SignRSAp,q,d(M) = H(M)d mod N
• VerifyRSAN,e(M, SignRSA(M)) = “OK” iff
SignRSA(M)e = H(M) mod N
The Digital Signature Algorithm
DSA/DSS
set-up
Public verification key
• p prime
• q prime (160 bits), q divides p-1
• g generator
• y = gx mod p
Private signing key
• x random number between 1 and q
 The Digital Signature
Algorithm
signing
M: message to be signedprocess
H: hash function such as SHA or MD5 or MD2
k: a random one-time signing key

r =(gk mod p) mod q

s = k-1(H(M) + xr) mod q

Sigx(M) = (r,s)
 The Digital Signature
Algorithm
signature verification
Given: M, (r,s)
process

compute
u1 = s-1 H(M) mod q
u2 = s-1 r mod q
v = (gu1 yu2 mod p) mod q
accept v=r
 Primality Testing
For security and general fault-tolerant reasons,
need to know if p is really prime (divisible only by
1 and p)

Probabilistic:
Miller-Rabin
Solovay-Strassen
…
100% guaranteed:
Atkins
…
 Strong primes p
• p+1 has a large prime factor
• p-1 has a large prime factor r
• r-1 has a large prime factor

foils factoring, discrete log, RSA attacks

 Elliptic Curve Algorithms
public key encryption/authentication
Issue: the public and private keys and signatures of
assymmetric encryption encryption and signatures are
too big and slow

Solution?: Instead of operating on the numbers

1 … N or 1 … p, operate on eliptic curve elements:

(x,y) such that y2 = x3 + ax + b (mod p)

 Factoring Techniques

• Try all primes <= squareroot(p)

• Pollard’s rho method
• Elliptic curve methods
• Quadratic sieve
• Number field sieve
• ….

discrete logs: index calculus ...

Best current algorithms can factor, take discrete logs

of roughly 400 bits.
 Pseudo-random number
generators
Problems:
• getting many truly random bits is slow
• getting many shared truly random bits is more awkward
• getting “good randomness” is important for many crypto
algorithms

Solution:
• theory: pseudo-random strings that are “polynomial time
indistinguishable” from truly random strings
• practice: use DES, hash functions generate bits from a
random seed (FIPS 186)
 Stream Ciphers
(example -- binary cipher)
key: k
input: M1M2 M3 M4…
key stream: k1 k2 k3 k4…

cipher stream: C1 C2C3 C4…

Ci = ki xor Mi
key stream ki depends on k and possibly M1M2 ... Mi-1
 Zero-knowledge proofs
(crypto tools)

Prover Verifier

(Interactive proofs)
 Zero knowledge proofs are
simulateable
(conversation distributions are indistinguishable)

Prover Verifier
conversation 1

Simulator Verifier
conversation 2
 Complexity Theory

P: problems that can be solved in polynomial time,

I.e. problems that can be solved “efficiently”
NP: broad set of problems that includes P
NP-complete: the hardest problems in NP, they appear
to have no efficient solution
Factoring, discrete log are in NP, not known to be NP-
complete or in P
 Quantum Computation
Radically new machine design can factor, compute discrete
logarithms, and compute other things it is believed
conventional machines can not.

Can a quantum machine be built?

 More Notation
One-way function: a function that is easy to compute in
one direction, but hard to invert, e.g. a hash function

Trap-door one-way function: a function that is easy to

compute in one direction, but hard to invert … unless one
knows the key, e.g. the RSA encryption function
 Some security partners for crypto
(Crypto can not solve all security problems)

• Secure operating system/network security

• Tamper-resistant hardware
-- e.g. prevent adversary from learning keys of
his own smart card.
-- e.g. detect tampering in smartcard
• Proper personal management of passwords
-- e.g. non-dictionary words
-- sufficiently many characters
-- not written down
-- limitted number of tries
-- one-time passwords
 3rd Homework
• What is wrong with making RSA more efficient by
letting one prime be smaller -- say of only 30 bits.
• How many bits should an RSA/DSA modulus / DES key
have … -- for personal email?
-- for business email?
-- for military/classified data?
-- for a CA’s signature key?
• How could one authenticate a small message … say of 50
bits using a symmetric one-time key?
• Which is a better way for Alice to send Bob an
authenticated and encrypted message M?:
-- EncpubkeyBob(M, SignprivkeyAlice(M))
-- EncpubkeyBob(M),SignprivkeyAlice(EncpubkeyBob(M))
 Extra questions

• What about the case y = (-1)x mod p ? Isn’t it easy

to find a value x that maps to y? Doesn’t this put a damper
on the idea that discrete log is hard?
• What sort of a function is f(x,y) = gxhy mod p? ( …
assuming g and h are generators of Zp)
• What is PGP?
• What are Montgomery Multiplication, Brickell-McCurley
fast modular exponentation?
• What is a group? … a field?
• What is a knapsack system?