
Introduction Security Attacks

The document summarizes cryptography concepts including classical encryption models, adversary goals and attack types, security principles, and encryption schemes. It describes the goal of adversaries as recovering plaintexts from ciphertexts or encryption keys. It outlines ciphertext-only, known-plaintext, chosen-plaintext, and related-key attack models. It also summarizes the security goals of authentication, confidentiality, integrity, and non-repudiation. Symmetric and asymmetric key encryption schemes are introduced along with block ciphers, DES, and potential attacks like exhaustive key search and algebraic attacks.

Uploaded by

Sushil Azad

CRYPTOGRAPHY- Unit-1 - Review

Classical model of Encryption:

[Figure: plaintext m → E (encryption key K) → ciphertext $E_K(m)$ → D (decryption key K’) → $D_{K'}(E_K(m)) = m$; an adversary eavesdrops on the ciphertext]

▪ Goal of the adversary:

o to systematically recover plaintexts from ciphertexts

o to deduce the (decryption) key K’

▪ Kerckhoffs's principle:

o we must assume that the adversary knows all details of E and D

o security of the system should be based on the protection of the decryption key

Security is about how to prevent attacks, or -- if prevention is not possible -- how to detect attacks and recover from them.

▪ an attack is a deliberate attempt to compromise a system; it usually exploits weaknesses in the system’s design, implementation, operation, or management

▪ attacks can be

– passive

• attempts to learn or make use of information from the system but does not
affect system resources

• examples: eavesdropping message contents, traffic analysis

• difficult to detect, should be prevented

– active

• attempts to alter system resources or affect their operation


• examples: masquerade (spoofing), replay, modification (substitution,
insertion, destruction), denial of service

• difficult to prevent, should be detected

The adversary's attack models can be summarized as follows:

Ciphertext-only attack: the adversary can only observe ciphertexts produced by the same
encryption key

Known-plaintext attack: the adversary can obtain corresponding plaintext-ciphertext pairs produced
with the same encryption key

(Adaptive) Chosen-plaintext attack: the adversary can choose plaintexts and obtain the
corresponding ciphertexts

(Adaptive) Chosen-ciphertext attack: the adversary can choose ciphertexts and obtain the
corresponding plaintexts

Related-key attack: the adversary can obtain ciphertexts, or plaintext-ciphertext pairs that are
produced with different encryption keys that are related in a known way to a specific encryption key

The main security services are:

▪ Authentication

o aims to detect masquerade

o provides assurance that a communicating entity is the one that it claims to be

▪ Access control

o aims to prevent unauthorized access to resources

▪ Confidentiality

o aims to protect data from unauthorized disclosure

o usually based on encryption

▪ Integrity

o aims to detect modification and replay

o provides assurance that data received are exactly as sent by the sender

▪ Non-repudiation

o provides protection against denial by one entity involved in a communication of having participated in all or part of the communication

o two basic types: non-repudiation of origin and non-repudiation of delivery

There are a number of security mechanisms, such as:

▪ Encryption: symmetric key, asymmetric (public) key
▪ Digital signature
▪ Access control schemes: access control lists, capabilities, security labels, ...
▪ Data integrity mechanisms: message authentication codes, sequence numbering, time stamping, cryptographic chaining
▪ Authentication protocols: passwords, cryptographic challenge-response protocols, biometrics
▪ traffic padding, route control,

An encryption scheme is secure in a given adversary model if it is computationally infeasible for the
adversary to determine the target decryption key under the assumptions of the given model. For
many encryption schemes used in practice, no proof of security exists. These schemes are used,
nevertheless, because they are efficient and they resist all known attacks. Some encryption schemes
are provably secure; however, these schemes are often inefficient.

The basic encryption schemes are:

▪ symmetric-key encryption

– it is easy to compute K’ from K (and vice versa)

– usually K’ = K

– two main types:

• stream ciphers – operate on individual characters of the plaintext

• block ciphers – process the plaintext in larger blocks of characters

▪ asymmetric-key encryption

– it is hard (computationally infeasible) to compute K’ from K

– K can be made public (public-key cryptography)

Block Ciphers

An n-bit block cipher is a function $E: \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$, such that for each $K \in \{0,1\}^k$, $E(x, K) = E_K(x)$ is an invertible mapping from $\{0,1\}^n$ to $\{0,1\}^n$.

[Figure: block cipher E with an n-bit input, a k-bit key, and an n-bit output]

Design Criteria:

▪ Completeness

o each bit of the output block should depend on each bit of the input block and on each bit of the key

▪ Avalanche effect

o changing one bit in the input block should change approximately half of the bits in the output block

o similarly, changing one key bit should result in the change of approximately half of the bits in the output block

▪ Statistical independence

o input and output should appear to be statistically independent

DES (Data Encryption Standard)

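[Figure: DES structure. The 64-bit input X passes through the Initial Permutation and is split into two 32-bit halves; each round applies F with a 48-bit round key (K1, K2, K3, …, K16) supplied by the Key Scheduler from the 56-bit key K; the inverse Initial Permutation produces the 64-bit output Y.]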

(input size: 64, output size: 64, key size: 56, 16 rounds, Feistel structure)

Round Function, F

[Figure: round function F: eight groups of six "+" operations feeding S1 S2 S3 S4 S5 S6 S7 S8, followed by P]

(Si – substitution box (S-box), P – permutation box (P-box))

Key Scheduler:

[Figure: key scheduler. The 56-bit key passes through Permuted Choice 1 and is split into two 28-bit halves; for each round both halves go through left shift(s), and Permuted Choice 2 outputs the 48-bit round key (K1, K2, …).]

(each key bit is used in around 14 out of 16 rounds)

Two possible attacks are:

a. Exhaustive key search attack

Given a small number of plaintext-ciphertext pairs encrypted under a key K, K can be recovered by exhaustive key search with $2^{k-1}$ processing complexity (expected number of operations).

1. Input: (X, Y), (X’, Y’), …
2. Progress through the entire key space, and for each candidate key K’, do the following:
   i. Decrypt Y with K’
   ii. if the result is not X, then throw away K’
   iii. if the result is X, then check the other pairs (X’, Y’), …
   iv. if K’ does not work for at least one pair, then throw away K’ and take another key
   v. if K’ worked for all pairs (X, Y), (X’, Y’), …, then output K’ as the target key
3. On average, the target key is found after searching half of the key space

- if the plaintexts are known to contain redundancy, then ciphertext-only exhaustive key search is possible with a relatively small number of ciphertexts

⇒ in practice, key size should be at least 128 bits

b. Algebraic attack:
Having a large key size is only a necessary condition for the security of a block cipher
– a block cipher can be broken due to the weaknesses in its internal (algebraic) structure, even if it uses large keys

Example:

– naïve exhaustive key search against DES: $2^{55}$
– attack using the complementation property of DES: $2^{54}$
  $Y = \mathrm{DES}_K(X)$ implies $Y^* = \mathrm{DES}_{K^*}(X^*)$, where $X^*$ denotes the bitwise complement of X
– differential cryptanalysis of DES: $2^{47}$
– linear cryptanalysis of DES: $2^{43}$
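The search procedure from item (a), as an added example (not code from the original notes). It runs against a toy 16-bit Feistel cipher whose key schedule and round function are hypothetical, chosen so the whole key space can be walked, and it shows why steps iii and iv exist: a single pair may not single out the key.

```python
# Toy 16-bit Feistel cipher with a 16-bit key, constructed for this example (NOT secure).
def _round_keys(key):
    # Hypothetical key schedule: four overlapping 8-bit windows of the rotated key.
    return [((key >> (4 * r)) | (key << (16 - 4 * r))) & 0xFF for r in range(4)]

def _f(half, k):
    # Hypothetical round function; a Feistel round function need not be invertible.
    return ((half ^ k) * 197 + ((half + k) >> 2) + 91) & 0xFF

def _feistel(block, keys):
    left, right = block >> 8, block & 0xFF
    for k in keys:
        left, right = right, left ^ _f(right, k)
    return (right << 8) | left          # final swap: decryption is the same network

def encrypt(x, key):
    return _feistel(x, _round_keys(key))

def decrypt(y, key):
    return _feistel(y, _round_keys(key)[::-1])   # same rounds, reversed key order

def exhaustive_search(pairs, key_bits=16):
    """Return every candidate key K' that is consistent with all (X, Y) pairs."""
    (x, y), rest = pairs[0], pairs[1:]
    survivors = []
    for cand in range(1 << key_bits):            # step 2: walk the key space
        if decrypt(y, cand) != x:                # steps i-ii: discard on mismatch
            continue
        if all(decrypt(y2, cand) == x2 for x2, y2 in rest):   # steps iii-iv
            survivors.append(cand)               # step v: consistent with all pairs
    return survivors

if __name__ == "__main__":
    secret = 0xBEEF                              # constructed sample key
    pairs = [(x, encrypt(x, secret)) for x in (0x0000, 0x1234, 0xCAFE)]
    print("survivors with 1 pair :", len(exhaustive_search(pairs[:1])))
    print("survivors with 3 pairs:", [hex(k) for k in exhaustive_search(pairs)])
```

Each additional key bit doubles the number of loop iterations, which is the reasoning behind the 128-bit recommendation above.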

Stream ciphers

While block ciphers simultaneously encrypt groups of characters, stream ciphers encrypt individual characters. They may be better suited for real-time applications. Stream ciphers are usually faster than block ciphers in hardware (but not necessarily in software). They have limited or no error propagation. They may be advantageous when transmission errors are probable.

The distinction between stream ciphers and block ciphers is not definitive.
– stream ciphers can be built out of block ciphers using CFB, OFB, or CTR modes
– a block cipher in ECB or CBC mode can be viewed as a stream cipher that operates on large characters

▪ Vernam cipher
– $c_i = p_i \oplus k_i$ for i = 1, 2, …, where $p_i$ are the plaintext digits, $k_i$ are the key stream digits, $c_i$ are the ciphertext digits, and ⊕ is the bitwise XOR operation
▪ one-time pad
– a Vernam cipher where the key stream digits are generated independently and uniformly at random
– the one-time pad is unconditionally secure [Shannon, 1949]
• I(P; C) = H(P) - H(P|C) = 0
– a necessary condition for a symmetric key cipher to be unconditionally secure is that H(K) ≥ H(P) [Shannon, 1949]
• practically, the key must have as many bits as the compressed plaintext
• impractical because of key management problems

Examples of Hard Problems

▪ factoring problem
– given a positive integer n, find its prime factors
• true complexity is unknown
• it is believed that it does not belong to P
▪ discrete logarithm problem
– given a prime p, a generator g of $\mathbb{Z}_p^*$, and an element y in $\mathbb{Z}_p^*$, find the integer x, $0 \le x \le p-2$, such that $g^x \bmod p = y$
• true complexity is unknown
• it is believed that it does not belong to P
▪ Diffie-Hellman problem
– given a prime p, a generator g of $\mathbb{Z}_p^*$, and elements $g^x \bmod p$ and $g^y \bmod p$, find $g^{xy} \bmod p$
• true complexity is unknown
• it is believed that it does not belong to P

RSA Algorithm:
▪ Key generation
– select p, q large primes (about 500 bits each)
– $n = pq$, $\phi(n) = (p-1)(q-1)$
– select e such that $1 < e < \phi(n)$ and $\gcd(e, \phi(n)) = 1$
– compute d such that $ed \bmod \phi(n) = 1$ (this is easy if $\phi(n)$ is known)
– the public key is (e, n)
– the private key is d
▪ Encryption
– represent the message as an integer m in [0, n-1]
– compute $c = m^e \bmod n$
▪ Decryption
– compute $m = c^d \bmod n$

Factoring Problem:

▪ the problem of computing d from (e, n) is computationally equivalent to the problem of factoring n
– if one can factor n, then one can easily compute d
– if one can compute d, then one can efficiently factor n
▪ the problem of computing m from c and (e, n) (called the RSA problem) is believed to be computationally equivalent to factoring
– if one can factor n, then one can easily compute m from c and (e, n)
– there’s no formal proof for the other direction
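The direction "if one can compute d, then one can efficiently factor n", worked through as an added example (not from the original notes). The key is a constructed toy key, and the method shown is the standard probabilistic search for a nontrivial square root of 1 modulo n, which the notes do not spell out.

```python
import math
import random

# Constructed toy key (far too small to be secure): two known Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # ed mod phi(n) = 1

def factor_from_d(n, e, d, rng=None):
    """Recover the prime factors of n = pq from a full key pair (e, d)."""
    rng = rng or random.Random(0)        # fixed seed only to make the demo repeatable
    k = e * d - 1                        # multiple of phi(n), so g^k = 1 (mod n)
    t, r = 0, k
    while r % 2 == 0:                    # write k = 2^t * r with r odd
        r //= 2
        t += 1
    while True:                          # each random g succeeds with probability >= 1/2
        g = rng.randrange(2, n - 1)
        if math.gcd(g, n) != 1:          # g already shares a factor with n
            p = math.gcd(g, n)
            return sorted((p, n // p))
        x = pow(g, r, n)
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                # x is a nontrivial square root of 1, so n divides (x-1)(x+1)
                p = math.gcd(x - 1, n)
                return sorted((p, n // p))
            x = y

if __name__ == "__main__":
    print(factor_from_d(N, E, D) == [P, Q])
```

The practical consequence is that an exposed d compromises the modulus itself, so the whole key pair has to be replaced, not just the exponents.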
SALTING
▪ Let us assume that the adversary observes a ciphertext, $c = E_K(m)$
▪ Let the set of possible plaintexts be M
▪ If M is small, then the adversary can try to encrypt every message in M with the publicly known key K until she finds the message m that maps into c
▪ The usual way to prevent this attack is to randomize the encryption
– Some random bytes are added to the plaintext message before encryption through the application of the PKCS #1 formatting rules
– When the message is decrypted, the recipient can recognize and discard these random bytes
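The guessing problem and its fix, as an added example (not from the original notes). It uses a constructed toy RSA key, textbook encryption as defined in the RSA section, and the PKCS #1 v1.5 encryption-block layout (00 02 PS 00 M) as the randomization; the candidate set and messages are constructed sample data.

```python
import secrets

# Constructed toy key (far too small to be secure): two known Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # ed mod phi(n) = 1
K = (N.bit_length() + 7) // 8           # modulus length in bytes (19 here)

def encrypt_textbook(m: bytes) -> int:
    """Deterministic c = m^e mod n: the same m always gives the same c."""
    return pow(int.from_bytes(m, "big"), E, N)

def pad(m: bytes) -> bytes:
    """PKCS #1 v1.5 encryption block: 00 02 PS 00 M, PS = random nonzero bytes."""
    ps_len = K - 3 - len(m)
    if ps_len < 8:                       # the format requires at least 8 bytes of PS
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + m

def encrypt_padded(m: bytes) -> int:
    return pow(int.from_bytes(pad(m), "big"), E, N)

def decrypt_padded(c: int) -> bytes:
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)            # first zero byte after PS marks the message
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]                  # recipient discards the random bytes

def guess_plaintext(c: int, candidates):
    """The check described above: encrypt each candidate with the public key."""
    for m in candidates:
        if encrypt_textbook(m) == c:
            return m
    return None

if __name__ == "__main__":
    msgs = [b"YES", b"NO", b"BUY", b"SELL"]       # constructed small message space
    print(guess_plaintext(encrypt_textbook(b"SELL"), msgs))   # recovered
    print(guess_plaintext(encrypt_padded(b"SELL"), msgs))     # no match
```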
