
Cryptography

History & Puzzles
Substitution Ciphers
The birth of Cryptanalysis
Modern Times
DES
Diffie-Hellman key exchange
RSA
PGP
Contentious Issues

References:
Applied Cryptography, Bruce Schneier
Cracking DES, Electronic Frontier Foundation
The Code Book, Simon Singh
MS 1

Cryptography
The Basic Idea:

Two approaches:
1) Make the algorithm secret and don't use a key. Bad Idea
2) Make the algorithm public but keep the key secret. Good Idea (Bmp example)

(Diagram: plaintext + Key → algorithm → ciphertext)

MS 2

Before Computers
Substitution ciphers ruled:
Caesar (Shift by N): 26 possibilities, easy to decode

plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Key Phrase: Lots of possibilities, a bit harder to decode

plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
cipher: B U S H A N D G O R E F I J K L M P Q T V W X Y Z C

Random Mapping: 4 x 10^26 possibilities, harder to decode

plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
cipher: N D T V G K L M R E P O F I J Q U S W X B H A Y Z C

MS 3

Before Computers
Cryptanalysis:
First known publication: A Manuscript on Deciphering Cryptographic Messages By the ninth century Arab scholar:
Abu Yusuf Yaqub ibn Is-haq ibn as-Sabbah ibn omran ibn Ismail al-Kindi

Statistical frequency analysis of letters & words can easily break any mono-alphabetic substitution cipher. In English:
most common letters: E, T, A, O, I, N, S
most common two-letter words: ON, AS, TO, AT, IT
most common three-letter words: THE, AND, FOR, WAS
MS 4

Ciphertext (the slide's two columns joined into full rows):
ORITFSIMU YKFMUNM WIUNIS UEI HFKK RIMIXFMD UEI PVUENRFUA NC
UEI MPUFNM'T FMUIKKFDIMYI PDIMYFIT HIYPVTI FU YNMUPFMT XEPU
EI YPKKIS P ORNWFTFNM UEPU XNVKS LPJI FU P YRFLI CNR P
DNWIRMLIMU NCCFYFPK UN SFTYKNTI YKPTTFCFIS FMCNRLPUFNM.

Each step below adds letter guesses (cipher=plain) and shows the text decoded so far, with '-' marking letters still unknown.

U=t E=h I=e
--e---e-t ----t-- -et-e- the ---- -e-e---- the --th---t- --
the --t---'- --te----e--e --e---e- -e----e -t ---t---- -h-t
he ----e- - --------- th-t ----- ---e -t - ----e --- -
---e---e-t -------- t- -------e --------e- -------t---.

MS 5

P=a
--e---e-t ----t-- -et-e- the ---- -e-e---- the a-th---t- --
the -at---'- --te----e--e a-e---e- -e-a--e -t ---ta--- -hat
he -a--e- a --------- that ----- -a-e -t a ----e --- a
---e---e-t ------a- t- -------e --a-----e- ------at---.

F=i N=o
--e-i-e-t --i-to- -etoe- the -i-- -e-e-i-- the a-tho-it- o-
the -atio-'- i-te--i-e--e a-e--ie- -e-a--e it -o-tai-- -hat
he -a--e- a --o-i-io- that -o--- -a-e it a --i-e -o- a
-o-e---e-t o--i-ia- to -i---o-e --a--i-ie- i--o--atio-.

MS 6

C=f R=r
-re-i-e-t --i-to- -etoe- the -i-- re-e-i-- the a-thorit- of
the -atio-'- i-te--i-e--e a-e--ie- -e-a--e it -o-tai-- -hat
he -a--e- a -ro-i-io- that -o--- -a-e it a -ri-e for a
-o-er--e-t offi-ia- to -i---o-e --a--ifie- i-for-atio-.

Y=c K=l V=u A=y
-re-i-e-t cli-to- -etoe- the -ill re-e-i-- the authority of
the -atio-'- i-telli-e-ce a-e-cie- -ecau-e it co-tai-- -hat
he calle- a -ro-i-io- that -oul- -a-e it a cri-e for a
-o-er--e-t official to -i-clo-e cla--ifie- i-for-atio-.

MS 7

O=p T=s S=d M=n L=m
president clinton -etoed the -ill rene-in- the authority of
the nation's intelli-ence a-encies -ecause it contains -hat
he called a pro-ision that -ould ma-e it a crime for a
-o-ernment official to disclose classified information.

W=v H=b D=g X=w J=k
president clinton vetoed the bill renewing the authority of
the nation's intelligence agencies because it contains what
he called a provision that would make it a crime for a
government official to disclose classified information.
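The two substitution schemes from slide 3 and the frequency-analysis attack worked through on slides 5 to 8, as an added example that is not part of the original lecture. The ciphertext and the letter pairs are the slide's own; the Caesar and key-phrase alphabet builders follow the two tables shown on slide 3, and `partial_decode` reproduces the slide's dashed display so each step can be regenerated.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# The slide's ciphertext, with its two columns joined into four full rows.
CIPHERTEXT_ROWS = [
    "ORITFSIMU YKFMUNM WIUNIS UEI HFKK RIMIXFMD UEI PVUENRFUA NC",
    "UEI MPUFNM'T FMUIKKFDIMYI PDIMYFIT HIYPVTI FU YNMUPFMT XEPU",
    "EI YPKKIS P ORNWFTFNM UEPU XNVKS LPJI FU P YRFLI CNR P",
    "DNWIRMLIMU NCCFYFPK UN SFTYKNTI YKPTTFCFIS FMCNRLPUFNM.",
]

# Cipher -> plain pairs recovered step by step on slides 5 to 8.
FULL_KEY = {"U": "t", "E": "h", "I": "e", "P": "a", "F": "i", "N": "o",
            "C": "f", "R": "r", "Y": "c", "K": "l", "V": "u", "A": "y",
            "O": "p", "T": "s", "S": "d", "M": "n", "L": "m", "W": "v",
            "H": "b", "D": "g", "X": "w", "J": "k"}


def caesar_alphabet(shift):
    """Caesar (shift by N): the alphabet rotated left by `shift` places."""
    return ALPHABET[shift:] + ALPHABET[:shift]


def keyphrase_alphabet(phrase):
    """Key-phrase scheme from the slide: the phrase's letters first (repeats
    dropped), then the unused letters in order, continuing from the letter
    after the phrase's last letter and wrapping around past Z."""
    seen = []
    for ch in phrase.upper():
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    start = ALPHABET.index(seen[-1]) + 1
    rest = [c for c in ALPHABET[start:] + ALPHABET[:start] if c not in seen]
    return "".join(seen + rest)


def substitute(plaintext, cipher_alphabet):
    """Mono-alphabetic substitution: plain letter i -> cipher_alphabet[i]."""
    return plaintext.upper().translate(str.maketrans(ALPHABET, cipher_alphabet))


def letters_by_frequency(text):
    """Letters of `text` from most to least frequent (ties alphabetical).
    Against English plaintext the first few line up with E, T, A, O, I, N, S."""
    counts = Counter(c for c in text.upper() if c.isalpha())
    return [c for c, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def partial_decode(ciphertext, key):
    """The slide's display: known cipher letters become lowercase plaintext,
    unknown letters become '-', spaces and punctuation are kept."""
    return "".join(key.get(c, "-") if c.isalpha() else c for c in ciphertext)


if __name__ == "__main__":
    print(substitute("dogs", caesar_alphabet(3)))
    print(keyphrase_alphabet("BUSHANDGORE"))
    # The three most frequent cipher letters: I, F, U (= e, i, t).
    print(letters_by_frequency(" ".join(CIPHERTEXT_ROWS))[:6])
    for row in CIPHERTEXT_ROWS:
        print(partial_decode(row, {"U": "t", "E": "h", "I": "e"}))
    for row in CIPHERTEXT_ROWS:
        print(partial_decode(row, FULL_KEY))
```

On this short text the most frequent cipher letters come out I, F, U, M, N, P, which is why guessing I=e and U=t first pays off; the slide's "e, t, a" order is only a tendency, and on a 300-letter sample i edges ahead of t.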

MS 8

There are patches to try to increase the security of the mono-alphabetic substitution cipher:
- Eliminate spaces
- Use many-to-one mappings that level the frequencies
- Lots of other clever ideas
Still very weak! Clever cryptanalysts knew how to beat them all hundreds of years ago !!

Polyalphabetic substitution ciphers provided the next big step. (Worked OK until the dawn of modern computers).

Idea: Use many different substitution alphabets; different ones for different letters.

MS 9

Vigenere square (1586)

MS 10

Vigenere square

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

a B C D E F G H I J K L M N O P Q R S T U V W X Y Z A

b C D E F G H I J K L M N O P Q R S T U V W X Y Z A B

c D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

d E F G H I J K L M N O P Q R S T U V W X Y Z A B C D

e F G H I J K L M N O P Q R S T U V W X Y Z A B C D E

f G H I J K L M N O P Q R S T U V W X Y Z A B C D E F

g H I J K L M N O P Q R S T U V W X Y Z A B C D E F G

h I J K L M N O P Q R S T U V W X Y Z A B C D E F G H

i J K L M N O P Q R S T U V W X Y Z A B C D E F G H I

j K L M N O P Q R S T U V W X Y Z A B C D E F G H I J

k L M N O P Q R S T U V W X Y Z A B C D E F G H I J K

l M N O P Q R S T U V W X Y Z A B C D E F G H I J K L

m N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

n O P Q R S T U V W X Y Z A B C D E F G H I J K L M N

o P Q R S T U V W X Y Z A B C D E F G H I J K L M N O

p Q R S T U V W X Y Z A B C D E F G H I J K L M N O P

q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q

r S T U V W X Y Z A B C D E F G H I J K L M N O P Q R

s T U V W X Y Z A B C D E F G H I J K L M N O P Q R S

t U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

u V W X Y Z A B C D E F G H I J K L M N O P Q R S T U

v W X Y Z A B C D E F G H I J K L M N O P Q R S T U V

w X Y Z A B C D E F G H I J K L M N O P Q R S T U V W

x Y Z A B C D E F G H I J K L M N O P Q R S T U V W X

y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Keyword    VOTEVOTEVOTEVOTEVOTE
Plaintext  ihavethreestinkydogs
Ciphertext DVTZZHAVZSLXDBDCYCZW

Immune to frequency analysis !


MS 11

This can still be cryptanalyzed:
- it is just N monoalphabetic substitution ciphers (N is the length of the key)
- so, just solve the N monoalphabetic problems as before

Keyword    VOTEVOTEVOTEVOTEVOTE
Plaintext  ihavethreestinkydogs
Ciphertext DVTZZHAVZSLXDBDCYCZW

DZZDY VHSBC TALDZ ZVXCW   (ciphertext letters grouped by key position)

Do frequency analysis on these separately
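The Vigenere encryption from slide 11 and the split into N Caesar streams from slide 12, as an added example (not code from the lecture). The keyword, plaintext and ciphertext are the slide's; `split_by_key_position` produces the four groups the slide lists, and `stream_frequencies` gives each group's letter counts, which is the input to the per-stream frequency analysis the slide calls for.

```python
from collections import Counter


def vigenere(text, keyword, decrypt=False):
    """Vigenere cipher: letter i is shifted by the keyword letter at position
    i mod len(keyword). Encryption returns upper case, decryption lower case,
    matching the slide's presentation. Letters only, no spaces."""
    out = []
    for i, ch in enumerate(text):
        shift = ord(keyword[i % len(keyword)].upper()) - ord("A")
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch.upper()) - ord("A") + shift) % 26 + ord("A")))
    result = "".join(out)
    return result.lower() if decrypt else result


def split_by_key_position(ciphertext, key_length):
    """Every letter encrypted under the same key position belongs to one
    Caesar cipher: stream k holds ciphertext[k], ciphertext[k+N], ..."""
    return [ciphertext[k::key_length] for k in range(key_length)]


def stream_frequencies(stream):
    """Letter counts for one stream: ordinary single-alphabet frequency
    analysis is then applied to each stream on its own."""
    return dict(Counter(stream))


if __name__ == "__main__":
    c = vigenere("ihavethreestinkydogs", "VOTE")
    print(c)
    for s in split_by_key_position(c, 4):
        print(s, stream_frequencies(s))
    print(vigenere(c, "VOTE", decrypt=True))
```

Five letters per stream, as here, is far too little for frequency analysis to say anything; the attack needs a ciphertext many times longer than the key, which is what motivates the next slide's "make the key as long as the message".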

MS 12

OK, so make the key longer. Make it as long as the message !


Keyword    VOTINGISIMPORTANTFOR
Plaintext  ihavethreestinkydogs
Ciphertext DVTDRZPJMQPHAGKLWTUJ

If there are patterns in the key (for example, words), the message can still be decrypted with a bit of work.

Enigma: Repeated after 26^3 = 17,576 letters. Successfully broken by Rejewski, Turing et al. (a lot of work; protocol important)

MS 13

However:
IF the key is as long as the message AND the key is completely random THEN the encryption is perfect (can't be broken) !!!

This is called a One Time Pad

MS 14

The proof that a one time pad gives perfect security is simple: Suppose you have the ciphertext. Since all keys are equally likely, all decoded messages are equally likely !

How the message was encoded:
Keyword    ASDF
Plaintext  dogs
Ciphertext DGJX

How it should be decoded given the correct key:
Ciphertext DGJX
Keyword    ASDF
Plaintext  dogs

How it could be decoded given an equally likely key:
Ciphertext DGJX
Keyword    BGQF
Plaintext  cats

MS 15

Along come computers


Tailor made for both code making & breaking*
Represent the message as a list of numbers (bits) and operate on these with your favorite algorithm.

Simplest Case: Exclusive OR   (0 xor 0 = 0, 1 xor 0 = 1, 0 xor 1 = 1, 1 xor 1 = 0)

Plaintext   DEAD   1101 1110 1010 1101
Key         BEEF   1011 1110 1110 1111
Ciphertext  6042 = 0110 0000 0100 0010

*Computing engines were spawned from code-breaking efforts during WW-II (Turing). MS 16

This is an example of Symmetric Key Encryption

Plaintext   DEAD = 1101 1110 1010 1101
Key         BEEF = 1011 1110 1110 1111
Ciphertext  6042 = 0110 0000 0100 0010

Ciphertext  6042 = 0110 0000 0100 0010
Key         BEEF = 1011 1110 1110 1111
Plaintext   DEAD = 1101 1110 1010 1101

Real Simple: Same key to encode and decode
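The one-time-pad argument of slide 15 and the XOR example of slides 16 and 17, as an added example that is not part of the lecture. It uses the slide's own values (ASDF on "dogs" giving DGJX, BEEF on DEAD giving 6042) and shows the point of the proof in code: for any plaintext of the right length there is exactly one key that turns the ciphertext into it, so the ciphertext alone cannot prefer "dogs" over "cats". The same property holds bit-for-bit for XOR, where encrypt, decrypt and key recovery are literally the same operation.

```python
def otp_letters_encrypt(plaintext, key):
    """One-time pad over the alphabet: c = (p + k) mod 26, one key letter
    per plaintext letter (lowercase in, uppercase out, as on the slide)."""
    return "".join(chr((ord(p) - ord("a") + ord(k) - ord("A")) % 26 + ord("A"))
                   for p, k in zip(plaintext, key))


def otp_letters_decrypt(ciphertext, key):
    """p = (c - k) mod 26."""
    return "".join(chr((ord(c) - ord(k)) % 26 + ord("a"))
                   for c, k in zip(ciphertext, key))


def key_for(ciphertext, wanted_plaintext):
    """The perfect-secrecy argument: k = (c - p) mod 26 is the unique key that
    decodes `ciphertext` to `wanted_plaintext`. Every candidate plaintext has
    one, and with a uniformly random key all are equally likely."""
    return "".join(chr((ord(c) - ord("A") - (ord(p) - ord("a"))) % 26 + ord("A"))
                   for c, p in zip(ciphertext, wanted_plaintext))


def xor_hex(a, b):
    """Bitwise XOR of two equal-length hex strings (DEAD xor BEEF = 6042).
    Since x xor k xor k = x, one call encrypts, decrypts, or, given a
    plaintext/ciphertext pair, recovers the key that links them."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be as long as the message")
    return format(int(a, 16) ^ int(b, 16), "0{}X".format(len(a)))


def xor_bits(a, b):
    """The same XOR shown as the slide's groups of four bits."""
    width = 4 * len(a)
    bits = format(int(a, 16) ^ int(b, 16), "0{}b".format(width))
    return " ".join(bits[i:i + 4] for i in range(0, width, 4))


if __name__ == "__main__":
    print(otp_letters_encrypt("dogs", "ASDF"))          # DGJX
    print(otp_letters_decrypt("DGJX", "BGQF"))          # cats
    print(key_for("DGJX", "cats"), key_for("DGJX", "dogs"))
    print(xor_hex("DEAD", "BEEF"), xor_bits("DEAD", "BEEF"))
    print(xor_hex("6042", "BEEF"))                      # back to DEAD
```

Note that `xor_hex("6042", "DEAD")` returns BEEF: anyone who knows one plaintext/ciphertext pair knows that pad, which is exactly why a one-time pad must never be reused.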

MS 17

SO: Just generate a long one time pad bitstream, do the simple XOR, and we have perfect security. This has two problems:
1) It's hard to generate a long truly random bitstream.

2) Sender and receiver must both have the same one time pad (i.e. the key).

If we make the algorithm more sophisticated we can make the minimum length of a secure key much shorter.
MS 18

Suppose we have an algorithm that takes a block of plaintext and converts it into a block of ciphertext using an N bit key. Suppose that changing any single bit in the key completely changes the ciphertext.

We could only break this by trying all 2^N possible keys.

If N = 128, the time required is way beyond the age of the universe.

(Diagram: plaintext block + N bit Key → algorithm → ciphertext block)

DES (Digital Encryption Standard)
MS 19

DES

64 bit plaintext block → IP (initial permutation) → L0 (32 bits), R0 (32 bits)

Repeat 16 times, with round key Ki derived from the 56 bit key (+ is bitwise XOR):
  Li = R(i-1)
  Ri = L(i-1) + f(R(i-1), Ki)

Round 1:  L1 = R0,   R1 = L0 + f(R0, K1)
Round 16: L16 = R15, R16 = L15 + f(R15, K16)

(R16, L16) → IP^-1 → 64 bit ciphertext block

MS 20

IP (Initial Permutation):

(Diagram: 64 bit wire permutation; bit positions 8, 16, 24, 32, 40, 48, 56 marked on input and output.)
MS 21

One round (L0, R0 → L1, R1):

R0 (32 bits) → Expansion Permutation → 48 bits
48 bits XOR 48 bit subkey → 48 bits
48 bits → S-Box Substitution → 32 bits
32 bits → P-Box Permutation → 32 bits
32 bits XOR L0 → R1 (32 bits)
L1 = R0 (32 bits)

48 bit subkey Generator: K48 = g(i, K56) (The key for each round is deterministically found from the input 56 bit key).
MS 22

Expansion Permutation (32 bits in → 48 bits out):

(Diagram: wiring of the expansion; input bit positions 12, 13, 16, 17, 20, 21, 24, 25, 28, 29, 32 marked, output runs to 48.)

MS 23

X-OR with 48 bit key: 48 bits in, XOR with the 48 bit round subkey, 48 bits out.

MS 24

S-Box Substitution (48 bits in → 32 bits out):

48 bits → S-box 1, S-box 2, S-box 3, S-box 4, S-box 5, S-box 6, S-box 7, S-box 8 (6 bits in, 4 bits out each) → 32 bits

(Diagram: output bit positions 12, 13, 16, 17, 20, 21, 24, 25, 28, 29, 32 marked.)
MS 25

How an S-Box works

S-box 1: 4 rows ("pages"), selected by the outer two bits of the 6 bit input (page select); 16 columns, selected by the middle four bits. The entry is the 4 bit output.

14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
15 12  8  2  4  9  5 11  3 14 10  0  1  7  6 13
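The S-box lookup from slide 26 inside the Feistel recurrence of slide 20, as an added toy cipher that is not DES and not the lecture's code. S-box 1 and the shift schedule Ni are the slide's; everything else is assumed for illustration: 16-bit blocks with 8-bit halves, a round function that XORs an 8-bit subkey, feeds two overlapping 6-bit groups through S-box 1 (a miniature of the expansion permutation) and rotates the result as a stand-in P-box, and a key schedule that rotates two 8-bit key halves by Ni and compresses them. What it demonstrates is the property the slides rely on: decryption is the same function with the round keys in reverse order, whatever f is, and `avalanche` lets you see how far a single flipped key bit spreads.

```python
# DES S-box 1 exactly as printed on the slide: four rows ("pages") of
# sixteen 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 5, 11, 3, 14, 10, 0, 1, 7, 6, 13],
]

# Per-round shift schedule Ni from the key-schedule slide.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def sbox1(six_bits):
    """6 bits in, 4 bits out. The outer two bits select the row (page), the
    middle four bits select the column: DES's real S-box addressing."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return S1[row][col]


def round_function(right, subkey):
    """Toy f(R, K) on 8-bit halves (assumed structure, not DES itself):
    XOR with the subkey, two overlapping 6-bit groups through S-box 1,
    then a fixed rotation standing in for the P-box."""
    x = (right ^ subkey) & 0xFF
    hi = sbox1((x >> 2) & 0x3F)   # bits 7..2
    lo = sbox1(x & 0x3F)          # bits 5..0 (bits 2..5 feed both groups)
    out = (hi << 4) | lo
    return ((out << 3) | (out >> 5)) & 0xFF


def subkeys(key16):
    """Split the 16-bit key into two 8-bit halves, rotate each left by Ni
    (the rotation accumulates round by round), compress to 8 bits."""
    c, d = (key16 >> 8) & 0xFF, key16 & 0xFF
    keys = []
    for s in SHIFTS:
        c = ((c << s) | (c >> (8 - s))) & 0xFF
        d = ((d << s) | (d >> (8 - s))) & 0xFF
        keys.append((c & 0xF0) | (d & 0x0F))
    return keys


def feistel(block16, round_keys):
    """The slide's recurrence: L_i = R_(i-1), R_i = L_(i-1) XOR f(R_(i-1), K_i).
    The final swap is undone, so the same function inverts itself when the
    round keys are supplied in reverse order."""
    left, right = (block16 >> 8) & 0xFF, block16 & 0xFF
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)
    return (right << 8) | left


def encrypt(block16, key16):
    return feistel(block16, subkeys(key16))


def decrypt(block16, key16):
    return feistel(block16, list(reversed(subkeys(key16))))


def avalanche(block16, key16, key_bit):
    """Number of the 16 ciphertext bits that change when one key bit flips."""
    a = encrypt(block16, key16)
    b = encrypt(block16, key16 ^ (1 << key_bit))
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    c = encrypt(0xDEAD, 0xBEEF)
    print(hex(c), hex(decrypt(c, 0xBEEF)))
    print([avalanche(0xDEAD, 0xBEEF, b) for b in range(16)])
```

Real DES works on 64-bit blocks with 32-bit halves, 48-bit subkeys and eight different S-boxes, and its permutations are fixed tables rather than rotations; the invertibility argument is identical because it depends only on the Feistel structure, not on f.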

MS 26

P-Box Permutation (32 bits in → 32 bits out):

(Diagram: 32 bit wire permutation; bit positions 12, 13, 16, 17, 20, 21, 24, 25, 28, 29, 32 marked on input and output.)
MS 27

IP^-1 (Final Permutation):

(Diagram: inverse of the initial permutation; bit positions 8, 16, 24, 32, 40, 48, 56 marked on input and output.)

MS 28

Initial Key Permutation

(Diagram: 64 bit input key, positions 8, 16, 24, 32, 40, 48, 56, 64 marked, permuted to a 56 bit key, positions 8, 16, 24, 32, 40, 48, 56 marked.)

MS 29

Key Split & Shift & Compress

K56 (56 bits, positions 8 ... 56) → split into two halves (positions 8 16 24 32 | 40 48 56)
Each half: shift left by Ni; the shift accumulates every round
Ni = {1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1}
Shifted halves → compress (select 48 of the 56 bits) → K48
MS 30

DES Advantages:
Very Fast:
Ideally suited for implementation in hardware (bit shifts, look-ups etc).

Dedicated hardware (in 1996) could run DES at 200 Mbyte/s. Well suited for voice, video etc.

(Diagram: plaintext block + 56 bit Key → DES → ciphertext block)

MS 31

DES Security:
Not too good:
Trying all 2^56 possible keys is not that hard these days. (Thank the NSA for this.)
If you spend ~$25k you can build a DES password cracker that will succeed in a few hours.
Back in 1975 this would have cost a few billion $$. It is widely believed that the NSA did this.
Similar algorithms with longer keys are available today (IDEA).
MS 32

(Diagram: plaintext block + 56 bit Key → f → ciphertext block; EFF)

Other Issues:

With any symmetric algorithm, the key must be agreed upon by sender and receiver in a secure way. Before 1976, key exchange was by far the biggest problem in secure communications !

Then along came Diffie & Hellman


MS 33

Modular Arithmetic to the Rescue: Diffie-Hellman Key Exchange


How Alice and Bob can come up with the same key by talking on the phone without giving it away to a third party listening to the conversation:

1) They agree on a large prime number p and a small integer g. These numbers are not secret.
2) Alice picks a large random integer a, and calculates A = g^a mod p. Alice tells Bob what A is.
3) Bob picks a large random integer b, and calculates B = g^b mod p. Bob tells Alice what B is.
4) Alice computes Ka = B^a mod p.
5) Bob computes Kb = A^b mod p.

Lo and behold: Ka = Kb = g^(ab) mod p.

Someone spying on the phone cannot get the key without knowing a and b, which were never spoken. Figuring out a and b from A, B, g, and p is as hard as it is to factor numbers the same size as p, hence p should be big (hundreds of digits).

MS 34

Generating Huge Primes: Idea:

1) Pick a big random number.
2) Test to see if it's prime.
Don't do this the hard way (factoring).

There are several probabilistic methods:

Choose a possible prime p = 33209533878488951298293621905948288497515233544999
Choose a witness random number a = 7229265988
Calculate j = a^((p-1)/2) mod p   (= 1 in this case)

If j = +1 or -1 then the chance that p is not prime is no more than 50%.
Choose another a and test again. Repeat until desired confidence is reached.
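The witness test described above, as an added example (not the lecture's code). `euler_witness_passes` is exactly the slide's check, j = a^((p-1)/2) mod p equal to +1 or -1; `probably_prime` repeats it with random witnesses, and `random_probable_prime` is the slide's two-step recipe. The slide's p and a are included so j can be computed; 561 = 3·11·17 is a constructed composite chosen because witness 2 is fooled by it while witness 5 is not, which is why one passing witness means at most "50% confidence".

```python
import random

# The slide's numbers.
SLIDE_P = 33209533878488951298293621905948288497515233544999
SLIDE_A = 7229265988


def euler_witness_passes(p, a):
    """The slide's test for one witness: j = a^((p-1)/2) mod p, pass if j is
    +1 or -1 (i.e. p-1). Every prime passes for every a not divisible by p;
    a composite passes only for some witnesses ("liars")."""
    j = pow(a, (p - 1) // 2, p)
    return j == 1 or j == p - 1


def probably_prime(p, rounds=20, seed=None):
    """Repeat the witness test with independent random witnesses. Witnesses
    1 and p-1 are excluded because they pass for every odd p."""
    if p < 4:
        return p in (2, 3)
    if p % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, p - 1)
        if not euler_witness_passes(p, a):
            return False
    return True


def random_probable_prime(bits, seed=None):
    """Slide's recipe: pick a big random number (top bit set so it really has
    `bits` bits, bottom bit set so it is odd), test it, repeat until one passes."""
    rng = random.Random(seed)
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if probably_prime(candidate, seed=rng.random()):
            return candidate


def slide_witness_value():
    """j for the slide's p and a."""
    return pow(SLIDE_A, (SLIDE_P - 1) // 2, SLIDE_P)


if __name__ == "__main__":
    print(slide_witness_value())
    print(euler_witness_passes(561, 2), euler_witness_passes(561, 5))
    print(probably_prime(2 ** 127 - 1), probably_prime(561))
    print(random_probable_prime(256))
```

The check as stated on the slide omits the Jacobi-symbol comparison that the Solovay-Strassen test adds; in practice libraries use Miller-Rabin, whose witnesses are harder to fool, but the structure (random witness, repeat until the error bound is small enough) is the one the slide describes.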
MS 35

Are there enough Huge Primes?


YES!
For numbers near n the chance of a number being prime is one in ln(n).
There are about 10^150 prime numbers containing 512 bits (155 digits).
If every atom in the universe needed a billion primes every microsecond from the beginning of time until now, we would only use 10^110 primes.

MS 36

Public Key Cryptography: RSA (Rivest, Shamir, Adleman: 1977)


IDEA: Alice has a public encryption key that everyone knows, and a private decryption key that only she knows. Bob looks up her public key, encrypts his message, and sends it to her. She decrypts it with her private key.

1) Pick two large prime numbers p and q. These are secret.
2) Calculate n = pq.
3) Pick another number e such that e and (p-1)(q-1) are relatively prime.
4) The numbers n and e make up your public key. Publish them!
5) Calculate d such that ed = 1 mod (p-1)(q-1) {i.e. d = e^-1 mod (p-1)(q-1)}.
6) The number d is your private key.

Encrypt message m via c = m^e mod n
Decrypt the ciphertext c via m = c^d mod n

example
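A worked instance of the six steps, as an added example that is not part of the lecture (the slide's own example is not in the extracted text). The primes p = 61, q = 53 and e = 17 are constructed textbook values, giving n = 3233 and d = 2753; `pow(e, -1, phi)` is Python's modular inverse (3.8 or later). `encrypt_text` also shows the chunking the next slide mentions: the message is cut into blocks whose value is below n and each block is encrypted on its own.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 1 to 6: returns the public key (n, e) and the private key d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # d = e^-1 mod (p-1)(q-1)
    return (n, e), d


def rsa_encrypt(m, public_key):
    """c = m^e mod n; m must be smaller than n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("each block must be smaller than n")
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    """m = c^d mod n."""
    return pow(c, d, n)


def block_size_bytes(n):
    """Largest whole number of bytes whose value is always below n."""
    return (n.bit_length() - 1) // 8


def encrypt_text(text, public_key):
    """Cut the message into blocks smaller than n and encrypt each one."""
    n, _ = public_key
    size = block_size_bytes(n)
    data = text.encode()
    blocks = [int.from_bytes(data[i:i + size], "big")
              for i in range(0, len(data), size)]
    return [rsa_encrypt(b, public_key) for b in blocks]


def decrypt_text(blocks, d, n):
    """Decrypt each block and glue the bytes back together (the last block
    may have been shorter than the others, so its leading zero bytes go)."""
    size = block_size_bytes(n)
    plain = [rsa_decrypt(c, d, n).to_bytes(size, "big") for c in blocks]
    if plain:
        plain[-1] = plain[-1].lstrip(b"\x00")
    return b"".join(plain).decode()


if __name__ == "__main__":
    public, d = rsa_keygen(61, 53, 17)     # constructed textbook primes
    n, _ = public
    print(public, d)                        # (3233, 17) 2753
    c = rsa_encrypt(65, public)
    print(c, rsa_decrypt(c, d, n))          # 2790 65
    blocks = encrypt_text("dogs", public)
    print(blocks, decrypt_text(blocks, d, n))
```

With n = 3233 a block is a single byte, so `encrypt_text("dogs", ...)` produces four ciphertexts and identical letters give identical blocks; textbook RSA as on the slide is deterministic, and real implementations add randomized padding (OAEP) before exponentiation for exactly that reason.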
MS 37

This is what happens when you buy a book from Amazon.com

RSA Drawbacks:
RSA is slow (i.e. computationally intensive). The message must be broken into chunks ~ n in size, and each block is encrypted separately. Does not really lend itself to hardware implementation: most RSA chips (in 1996) needed ~10^6 clock cycles per 512 bit encryption.

MS 38

RSA Security:
RSA is secure because it's very hard to factor n to find p and q if n is sufficiently big. (Discrete logarithms.) Sufficiently big means ~2048 bits. Hard means that all the computers on earth could not do it in the age of the universe. Symmetric key algorithms can provide the same raw security with key-lengths between 64 and 128 bits.

MS 39

The PGP Solution


(had Phil Zimmermann in very hot water from 1992 to 1996)

PGP = Pretty Good Privacy
Use IDEA for encryption (similar to DES except 128 bit key).
Use RSA for IDEA key-exchange (RSA key-lengths up to 2048 bits supported).
Made available as freeware (www.pgp.com).
In 1993 Zimmermann was charged with illegally exporting weapons. The FBI & DOJ hounded him until 1996 when the charges were dropped.

MS 40

Today's Issues
CLIPPER & CAPSTONE
Encryption chips developed by the NSA. Uses the Escrowed Encryption Standard (EES).
Each chip has a back door that the government has a key to. They can use this key in the same sense as they can now do a phone wiretap.

Not very popular, not (yet) required by law.


(These things really piss off the encryption community; the NSA loves them)

Tempest
MS 41

Quantum Cryptography
(Kwiat @ UIUC !)
How Bob and Alice can agree on a perfectly secret one-time pad:

Suppose Alice can send binary information using polarized photons.

There are 2 distinct encoding schemes: + and x.

(Diagram: the polarizations that encode 0 and 1 in each scheme.)
MS 42

Quantum Cryptography
(Kwiat @ UIUC !)
Alice randomly switches between + and x schemes, and sends a random string of 1s and 0s to Bob. (Alice keeps track of the schemes she used and the bits she sent).

MS 43

Quantum Cryptography
(Kwiat @ UIUC !)
Bob measures these photons with his own random choice of scheme (he does not know what Alice has done). Sometimes he gets it right, sometimes he gets it wrong:

(Diagram: Alice's message bits, the schemes used, and the bits Bob measures, shown in two rows; values 0 and 1.)
MS 44

Quantum Cryptography
(Kwiat @ UIUC !)
Alice phones Bob and tells him how her schemes were chosen. Bob tells Alice which schemes he guessed right. Considering only these, they now agree on a subset of the bits sent.

(Diagram: Alice's message and Bob's measurements, keeping only the positions where the schemes matched.)
MS 45

Quantum Cryptography
(Kwiat @ UIUC !)
Someone listening on the phone only knows which schemes were used, but not what the polarization was.

Any attempt to intercept photons will alter their state, which Alice and Bob can detect by comparing some of their bits to make sure they agree (and discarding these).


One time pad !
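A simulation of the protocol on slides 42 to 46, as an added example that is not part of the lecture. It models exactly the rules the slides state: Alice picks random bits and random schemes (+ or x); Bob measures in his own random scheme and gets the right bit when the schemes match and a random bit otherwise; the phone call reveals schemes only, and the mismatched positions are dropped. The eavesdropper is the intercept-and-resend listener of slide 46, who must measure each photon in some scheme and re-emit it, so a wrong guess replaces Alice's state; Alice and Bob catch this by sacrificing a sample of their agreed bits and comparing them. The seeded random source and the sample fraction are assumptions so the run is reproducible.

```python
import random


def bb84(n_photons, rng, eavesdropper=False, sample_fraction=0.25):
    """Returns (alice_key, bob_key, error_rate). The keys are the agreed bits
    left after the comparison sample has been discarded; error_rate is the
    disagreement observed on that sample (0 when nobody touched the photons)."""
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice("+x") for _ in range(n_photons)]
    bob_bases = [rng.choice("+x") for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon_bit, photon_basis = bit, a_basis
        if eavesdropper:
            # Intercept-resend: the listener measures in a random scheme and
            # re-emits a photon in that scheme. When the guess is wrong the
            # re-emitted photon no longer carries Alice's bit.
            e_basis = rng.choice("+x")
            photon_bit = bit if e_basis == a_basis else rng.randrange(2)
            photon_basis = e_basis
        # Bob reads the bit only if his scheme matches the photon's scheme.
        bob_bits.append(photon_bit if b_basis == photon_basis else rng.randrange(2))

    # Phone call: schemes only, never bits. Keep positions where they agree.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Sacrifice a sample of the agreed bits to detect tampering; they are
    # then thrown away, so revealing them costs nothing.
    n_sample = int(len(kept) * sample_fraction)
    sample, key_positions = kept[:n_sample], kept[n_sample:]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    error_rate = errors / n_sample if n_sample else 0.0

    alice_key = [alice_bits[i] for i in key_positions]
    bob_key = [bob_bits[i] for i in key_positions]
    return alice_key, bob_key, error_rate


def run(seed, eavesdropper, n_photons=2000):
    """Reproducible run with a seeded generator (assumption for testing)."""
    return bb84(n_photons, random.Random(seed), eavesdropper)


if __name__ == "__main__":
    a, b, err = run(1, eavesdropper=False)
    print(len(a), a == b, err)            # about 750 bits, True, 0.0
    a, b, err = run(1, eavesdropper=True)
    print(len(a), a == b, err)            # error rate near 0.25
```

Without interference the sample agrees perfectly and the remaining bits are a shared random string, the one-time pad of slide 46; with an intercept-and-resend listener roughly a quarter of the sampled bits disagree, which is how the eavesdropping shows up before the key is ever used.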

MS 46
