
chapter 3 : cryptography

The document provides an overview of cryptography, including its types such as symmetric and asymmetric cryptography, and their applications in ensuring confidentiality, data integrity, and authentication. It discusses key concepts like encryption, decryption, hash functions, and digital signatures, along with historical developments in cryptography. Additionally, it highlights the importance of key management and the evolution of cryptographic standards like AES and SHA.

Uploaded by

oumaima abaied

IT 360
Chapter 2
Cryptography

Overview

• What is cryptography?
• Symmetric cryptography
– Brief crypto history
– Stream cipher
– Block cipher
– Hash functions
• Asymmetric cryptography
– Asymmetric encryption in general
– Diffie-Hellman key exchange
– Digital signatures
• Post quantum cryptography

Terminology

[Diagram: Cryptology divides into Cryptography and Cryptanalysis.]

• Cryptography is the science of secret writing for the purpose of concealing the meaning of a message.
• Cryptanalysis is the science of cracking cryptography.
• Cryptology covers both cryptography and cryptanalysis.

Cryptography at a glance

[Diagram: Alice sends a message to Bob as plain text.]

Cryptography at a glance

[Diagram: Alice and Bob each hold a secret key. Alice's plain text message is encrypted with the cipher into cipher text; Bob decrypts the cipher text with the cipher back into plain text.]

What can cryptography be used for?

• Cryptography supports the following security goals:
– Confidentiality:
• Makes data unreadable by devices that do not have the correct cryptographic keys, even if they have the data.
– Data integrity:
• Devices with correct cryptographic keys can verify that data is correct and has not been altered by unauthorized persons.
– Authentication:
• Communicating entities can be assured that the identity of the other user/entity or the sender of a message is what it claims to be.
– Digital Signature and PKI (Public-Key Infrastructure):
• Strong evidence of data authenticity that can be verified by third parties.
• Scalable (to the entire Internet) secure distribution of cryptographic keys.

Cryptographic functions

• Encryption algorithms
– Symmetric ciphers: the same secret key is used for both encryption and decryption.
• Block cipher
• Stream cipher
– Asymmetric algorithms (also called “public-key cryptography”): use key pairs with a public key and a private key.
• Encryption: public key is used for encryption and private key is used for decryption.
• Digital signature: private key is used for signing and public key is used for validation.
• Hash functions

Cryptographic functions: Terminology

• Encryption: plain text M is transformed with an encryption function E to ciphertext C, controlled by encryption key k.
– Formal notation: C = E(M, k).
• Decryption: cipher text C is transformed with decryption function D to plain text M, controlled by encryption key k.
– Formal notation: M = D(C, k).
• Symmetric cipher: the same secret key is used for both encryption and decryption.
• Asymmetric cipher: key pair with a private and a public key.
– Encryption with public key and decryption with private key
– Digital signature with private key and validation of signature with public key

Cryptography | the algebraic perspective

Symmetric encryption (with secret key)

[Diagram: Alice and Bob each hold the secret key. Alice's plain text M goes through encryption E(M,k) to give cipher text C; Bob applies decryption D(C,k) to recover plain text M.]

• “Secret key” means that the key is shared in secret between all entities authorized to encrypt/decrypt.

The history of cryptography

[Timeline figure. Periods: Classic cipher (→ BC), Middle Ages cipher (A.D → 1799), Pre-WW2 cipher (1800 → 1939), WW2 cipher (1940 → 1975), Pre-2000 cipher (1976 → 2000), Post-2000 cipher (2001 →). Entries on the timeline: transposition (Scytale), substitution (Caesar cipher), poly-alphabetical substitution (Vigenère, 1566), disposable key (Vernam, 1916), substitution and transposition, complex mechanics (Enigma), information theory (Shannon), SP network, DES (Feistel), asymmetrical crypto (Diffie-Hellman), AES (Rijmen & Daemen), SHA-3, post quantum asymmetrical crypto.]

Caesar Cryptosystem

Letter frequencies → Statistical cryptanalysis

• Classical ciphers, such as the Caesar cipher, are weak because they fail to hide statistical irregularities in the cipher text.

Claude Shannon (1916 – 2001)
Father of Information Theory – MIT / Bell Labs

• Information theory
– Defined "binary digit" (bit) as the smallest unit of information
– Defined information entropy as a measure of the amount of information
• Cryptography
– Model for secrecy systems
– Defined perfect secrecy
– Principle of encryption with SP network (substitution and permutation) to erase statistical irregularities

One-Time Pad (Gilbert Vernam, 1917)

[Diagram: Alice and Bob hold the same shared secret disposable key K = k1, k2, k3, ..., ki, ... Alice encrypts message M by binary XOR addition with the key to give ciphertext C = c1, c2, c3, ..., ci, ...; Bob decrypts C by binary XOR addition with the same key to recover message M.]

• Encryption: ci = mi ⊕ ki
• Decryption: mi = ci ⊕ ki
• Bit by bit binary XOR addition:
mi = ci ⊕ ki = mi ⊕ ki ⊕ ki = mi ⊕ 0 = mi
• OTP provides perfect security by assuming that the OTP key is completely random, of the same length as the message, and is used only once.

The perfect cipher machine: One-Time-Pad

• Telex with OTP on punched tape, produced by STK on Økern
• Modern versions can use DVDs with Gbytes of random data

Does a perfect secure system exist?

Yes, a perfect encryption scheme can exist only if the secret information k is as long as the plaintext [Claude Shannon, 1943]

One-Time Pad:
• Key as long as message
• Key must be absolutely random
• Key must never be re-used
• Guarantees perfect security
• Key management very hard
• Computer generated random number sequences are (…lly) not good enough
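The one-time pad rules above, as an added Python example that is not part of the original slides. The `OneTimePad` class, the sample messages and the use of `secrets.token_bytes` as the key source are assumptions made for the illustration; the pad consumes key bytes as it goes so none is used twice, and the last part shows what the ciphertexts reveal when that rule is broken.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bit-by-bit XOR addition of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Shared key material that is consumed as it is used, never rewound."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = 0

    def apply(self, data: bytes) -> bytes:
        """c_i = m_i XOR k_i; the same operation turns c_i back into m_i."""
        end = self._used + len(data)
        if end > len(self._key):
            raise ValueError("pad exhausted: the key must be as long as the traffic")
        chunk, self._used = self._key[self._used:end], end
        return xor(data, chunk)


def demo() -> dict:
    m1 = b"PAY ALICE 100 EUR"      # constructed sample messages, same length
    m2 = b"PAY CAROL 900 EUR"
    # secrets.token_bytes stands in for a true random source (assumption).
    key = secrets.token_bytes(64)
    alice, bob = OneTimePad(key), OneTimePad(key)
    c1, c2 = alice.apply(m1), alice.apply(m2)      # fresh key bytes per message
    roundtrip = bob.apply(c1) == m1 and bob.apply(c2) == m2

    # Misuse: the same key bytes for two messages. The key cancels out,
    # c1 XOR c2 = m1 XOR m2, so the ciphertexts alone expose plaintext structure.
    k = key[:len(m1)]
    r1, r2 = xor(m1, k), xor(m2, k)
    leak = xor(r1, r2)
    return {
        "roundtrip": roundtrip,
        "reuse_equals_plaintext_xor": leak == xor(m1, m2),
        "positions_where_messages_differ": [i for i, v in enumerate(leak) if v],
    }


if __name__ == "__main__":
    print(demo())
```
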

Modern cryptography

• The assumption that the Adversary has unlimited computing resources is abandoned
• Encryption, decryption, and the Adversary are modeled by probabilistic algorithms
• The running times of the encryption, decryption, and the Adversary algorithms are measured as functions of a security parameter

The strength of a cipher

Factors that determine cipher strength:
• Key size.
– Time required for a complete search among all keys depends on size.
– Typical size for a symmetric block cipher is 256 bits.
– Attacker must try on average 2^256/2 different keys to find the right one, which would take millions of years and is therefore impractical.
– If there are N different keys, the key size will be: log2(N).
• The strength of the algorithm.
– Finding the key by cryptanalysis can exploit statistical irregularities in the cipher text.
– To prevent cryptanalysis, the bit patterns / characters in the ciphertext should have a uniform/even distribution, that is, all bit patterns / characters should be equally likely.

Block cipher
Shannon's SP network (1949)
Erases statistical irregularities

• Repeat substitution and permutation a sufficient number of times, typically 10-20 rounds.
• Substitution
– Clear text block is divided into sub-blocks
– Substitution of bits in each sub-block e.g. 0001 is substituted with 0110
– Gives "confusion", i.e. hides the connection between the plaintext block and the ciphertext block.
• Permutation
– Sub-blocks are moved around the block.
– Provides “diffusion”, i.e. that changing a single plaintext bit (or key bit) causes many ciphertext bits to change.
• The key is included in S or P or in a separate function

[Diagram: a plaintext block (typically 128 bits) passes through rounds 1 to n, each a row of substitutions (S S .... S) followed by a permutation P, producing a ciphertext block (typically 128 bits).]

AES - Advanced Encryption Standard

• DES (Data Encryption Standard) from 1977 had a 56-bit key and a 64-bit block. In the mid-1990s, DES could be cracked with full key search.
• In 1997, NIST announced an open competition to design a new block cipher to replace DES.
• The proposal called "Rijndael" (designed by Vincent Rijmen and Joan Daemen from Belgium) was considered the best, and nominated to become AES (Advanced Encryption Standard) in 2001.
• AES has key sizes of 128, 192 or 256 bits and block sizes of 128 bits.

Block cipher and stream cipher

[Diagram. Block cipher: a block of plain text (n bits) and a key go into the block cipher, which outputs a block of cipher text (n bits). Stream cipher: a key goes into a key stream generator, and the key stream is combined with the stream of plain text to give the stream of ciphertext. Sample bit strings in the figure: 011010, 110011.]

Block Cipher: Modes of Operation

• A block cipher encrypts a block of (typically) 128 bits, which is only about 16 letters.
• For encryption of more than one block, a specific mode is used.
• The encryption modes have different properties.
• Common modes are:
– Counter mode (CTR), secure
– Cipher Block Chaining (CBC), secure
– Output Feedback (OFB), secure
– Cipher Feedback (CFB), secure
– Electronic Code Book (ECB), insecure

Electronic Code Book (ECB)

• Simplest encryption mode
• The plain text is divided into blocks M1, M2, …, Mn
• Each block is encrypted separately.
– Notation encryption: C1 = E(M1,K)
– Notation decryption: M1 = D(C1,K)
– Equal plaintext blocks give equal ciphertext blocks, this is the problem!

[Diagram. Encryption: M1, M2, M3 are each encrypted with E under key K to give C1, C2, C3. Decryption: C1, C2, C3 are each decrypted with D under key K to give M1, M2, M3.]

Counter Mode (CTR)

• The plain text is divided into blocks M1, M2, …, Mn
• An incrementing counter value T is encrypted
• Each encrypted counter value is added to the plaintext block with binary XOR ⊕
– Identical plaintext blocks give different ciphertext blocks, this provides security!

[Diagram. Encryption: counter values T1, T2, T3 are each encrypted with E under key K and XORed with M1, M2, M3 to give C1, C2, C3. Decryption: the same encrypted counter values are XORed with C1, C2, C3 to give M1, M2, M3.]

Vulnerability using ECB mode

[Figure with three panels: Plain text, Ciphertext with ECB mode, Cipher text with secure mode.]

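ECB and CTR as described on the slides above, as an added Python example that is not part of the original slides. `E` and `D` are a toy 4-round Feistel cipher built from HMAC-SHA256, an assumption standing in for AES so that the code runs with the standard library only; the key, nonce and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # bytes: the 128-bit block size used on the slides
HALF = BLOCK // 2

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of the round number and a half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def E(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    """Toy block cipher (assumption, stands in for AES): balanced Feistel network."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(rounds):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def D(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    """Inverse of E: the same rounds undone in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(rounds)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("whole blocks only; no padding scheme in this demo")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(m: bytes, key: bytes) -> bytes:   # C_i = E(M_i, K)
    return b"".join(E(b, key) for b in split(m))

def ecb_decrypt(c: bytes, key: bytes) -> bytes:   # M_i = D(C_i, K)
    return b"".join(D(b, key) for b in split(c))

def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """C_i = E(T_i, K) XOR M_i. The same call decrypts; D is never needed."""
    out = []
    for i, blk in enumerate(split(data)):
        t_i = nonce + i.to_bytes(HALF, "big")  # counter block T_i
        out.append(xor(E(t_i, key), blk))
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one."""
    blks = split(ciphertext)
    return len(blks) - len(set(blks))

# Constructed sample values.
KEY = bytes(range(32))
NONCE = bytes.fromhex("a1b2c3d4e5f60718")  # must never repeat under the same key
MESSAGE = b"ACCOUNT=00000000" * 3 + b"AMOUNT=000001.00"

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(MESSAGE, KEY)))
    print("CTR repeats:", repeated_blocks(ctr_crypt(MESSAGE, KEY, NONCE)))
```

The three identical plaintext blocks show up as repeated ciphertext blocks under ECB and as unrelated blocks under CTR, which is what the three-panel figure illustrates.
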
CTR encryption and binary addition with XOR

• The plain text is divided into blocks: M1, M2, …, Mn
• Incrementing counter values with the same block size: T1, T2, …, Tn
• The counter values are encrypted and added to the plaintext blocks:
– Notation encryption: C1 = E(T1,K) ⊕ M1
– Notation decryption: M1 = E(T1,K) ⊕ C1 = E(T1,K) ⊕ E(T1,K) ⊕ M1
– The encryption function E is used for both encryption and decryption
• Binary addition with XOR ⊕
0 ⊕ 0 = 0    0 ⊕ 1 = 1
1 ⊕ 1 = 0    1 ⊕ 0 = 1
– Addition of a bit with itself always gives zero
• Example encryption and decryption: M1 = 1111, E(T1,K) = 1001
– Encryption: C1 = 1001 ⊕ 1111 = 0110
– Decryption: M1 = 1001 ⊕ 0110 = 1111

HASH FUNCTIONS AND MESSAGE AUTHENTICATION

Hash functions

Requirements for a hash function Hash:
1. Easy to calculate: Given input data x, it should be easy to calculate Hash(x).
2. Compression: Compresses arbitrarily large x to a hash value Hash(x) with fixed size n (typically 256 bits or 512 bits).
3. One way: Given hash value y, it should be practically impossible to find input data x so that Hash(x) = y.
4. Collision resistance (weak): Given input data x and associated hash value Hash(x), it should be practically impossible to find another data set x' so that Hash(x) = Hash(x') (weak collision resistance).
5. Collision resistance (strong): It should be practically impossible to find two different data sets x and x' so that Hash(x) = Hash(x') (strong collision resistance).

Properties of hash functions

[Diagram of the five properties: easy to calculate, compression to fixed size, one-way function, weak collision resistance, strong collision resistance.]

Well known hash functions

• MD5 (1991): 128-bit hash value. Easy to find collisions, due to small hash size and poor design. Should no longer be used.
• SHA-1 (Secure Hash Algorithm): 160 bit hash value. Designed by NSA in 1995. Relatively easy to find collisions. Should no longer be used, but still occurs in older applications.
• SHA-2: designed by NSA in 2001. Can generate 256, 384 and 512 bit hash value. Considered safe. Replacement for SHA-1.
• SHA-3: designed by Joan Daemen + others in 2010. Standardized in 2015. Can generate: 256, 384, and 512 bit hash value. SHA-3 has little use, because SHA-2 is still considered secure.

Applications of hash functions

• Comparison of files
• Password protection
• Integrity check
• Generation of Message Authentication Codes (MAC)
• Digital signatures
• Bitcoin and cryptocurrency
• Generation of pseudorandom numbers
• Generation of crypto keys

Message Authentication Code - MAC

• A message M with a simple hash value Hash(M) can be easily changed by an attacker.
• To prevent attacks, it is necessary to use an authenticated hash value.
• MAC (message authentication code) includes a secret key k in the hash function calculation, which provides an authenticated hash value MAC = Hash(M, k).
• To validate and authenticate a message, the recipient must have the same secret key k which was used by the sender to calculate MAC.
• A third party who does not know the key cannot validate the MAC value.

Message authentication with MAC

[Diagram. Alice and Bob hold a common secret key K. Alice calculates MAC = Hash(M, K) with the MAC function and sends message M together with MAC. Bob receives message M' with uncertain authenticity, calculates the expected MAC' = Hash(M', K), then receives and checks MAC: MAC = MAC'? No: corrupt message. Yes: authentic message.]

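The difference between Hash(M) and MAC = Hash(M, k) described above, as an added Python example that is not part of the original slides. HMAC-SHA256 is used as the keyed hash (an assumption; the slides only write Hash(M, k)), and the messages and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets


def plain_hash(message: bytes) -> bytes:
    """Hash(M): anyone can compute it, so it authenticates nothing."""
    return hashlib.sha256(message).digest()


def mac(message: bytes, key: bytes) -> bytes:
    """MAC = Hash(M, k), instantiated here with HMAC-SHA256 (assumption)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def check(expected: bytes, received: bytes) -> bool:
    # Constant-time comparison, so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, received)


def receive_plain(message: bytes, tag: bytes) -> str:
    return "authentic" if check(plain_hash(message), tag) else "corrupt"


def receive_mac(message: bytes, tag: bytes, key: bytes) -> str:
    return "authentic" if check(mac(message, key), tag) else "corrupt"


def scenario() -> dict:
    key = secrets.token_bytes(32)              # common secret key K (Alice and Bob)
    other_key = secrets.token_bytes(32)        # any key that is not K
    sent = b"pay 100 EUR to account 12345"     # constructed sample message M
    altered = b"pay 900 EUR to account 12345"  # M' after modification in transit
    return {
        # Unkeyed hash: the altered message arrives with a recomputed Hash(M').
        "plain_altered": receive_plain(altered, plain_hash(altered)),
        # MAC: the untouched message verifies.
        "mac_untouched": receive_mac(sent, mac(sent, key), key),
        # MAC: the altered message with the original MAC fails.
        "mac_altered_old_tag": receive_mac(altered, mac(sent, key), key),
        # MAC: a tag made without K (unkeyed hash, or a wrong key) fails.
        "mac_altered_hash_tag": receive_mac(altered, plain_hash(altered), key),
        "mac_altered_wrong_key": receive_mac(altered, mac(altered, other_key), key),
        # A third party without K cannot validate a genuine MAC.
        "third_party_check": receive_mac(sent, mac(sent, key), other_key),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {verdict}")
```
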
ASYMMETRICAL CRYPTOGRAPHY

• Asymmetric encryption
• Diffie-Hellman key exchange
• Digital signature

Asymmetric encryption – basic principle

[Diagram. Bob's public key (pub) is distributed via PKI; Bob keeps his private key. Alice turns plain text M into cipher text C by asymmetrical encryption, = E( , pub); Bob recovers plain text M by asymmetrical decryption, = D( , private).]

• Asymmetric encryption and decryption require heavy computation, and are not used for direct encryption as shown above.
• In practice, hybrid encryption is used which combines both an asymmetric and a symmetric algorithm.

Traditional asymmetric encryption algorithms

• RSA: best known asymmetric algorithm.
– RSA = Rivest, Shamir and Adleman (published 1977)
– History: British cryptographer Clifford Cocks invented the same algorithm in 1973, but did not publish it because it was classified.
– Eventually requires large keys (typically 2048 bits) to maintain security
• Elliptic curve cryptography
– Based on the difficulty of solving EC discrete logarithms.
– Keys are smaller (typically 256 bits) than RSA.

Hybrid encryption

• Symmetric ciphers are much faster than asymmetric ciphers (because symmetric ciphers have simple mathematical computation), but ...
• Asymmetric ciphers simplify key distribution, therefore…
• Practical to use a combination of both symmetric and asymmetric ciphers - a hybrid system:
– The asymmetric cipher is used to distribute a secret symmetric key.
– The secret symmetric key is used together with the symmetric cipher to encrypt data sets and messages.

Hybrid encryption

[Diagram. Bob's public key is distributed via PKI; Bob keeps his private key. Alice holds the secret symmetric key K and encrypts it by asymmetrical encryption, K∗ = E(K, Pub B). The encrypted secret key K∗ is sent to Bob, who recovers secret key K by asymmetrical decryption, = D(K∗, Private B). Alice encrypts plain text M by symmetrical encryption, C = E(M,K), and sends cipher text C; Bob recovers plain text M by symmetrical decryption, M = D(C,K).]

Diffie-Hellman key exchange

Alice chooses private subkey a
Bob chooses private subkey b
Alice calculates publicly [mod ]
Bob calculates publicly [mod ]
Alice sends to Bob [mod ]
[mod ] Bob sends to Alice
Alice secretly calculates = ( ) towards
Bob secretly calculates = ( ) towards
Alice and Bob have exchanged anonymous secret key

Attackers cannot find the secret subkeys a and b because calculating the discrete logarithm of large integers is difficult. Thus, attackers cannot calculate the secret key = g^ab mod p.

Diffie-Hellman key exchange

• Problem:
– Provides no authentication
– Alice and Bob cannot know who they are communicating with
– Man-in-the-middle attack possible
• Solution
– Combination with digital signature provides authenticated key exchange
• Applications:
– TLS (Transport Layer Security) and https
– IKE (Internet Key Exchange) and IPSec (IP Security)

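The exchange and its missing authentication, as an added Python example that is not part of the original slides. It uses the textbook form g^a mod p and g^b mod p for the public values, a toy group (p = 2^127 - 1, g = 3) chosen only so the code is self-contained, and an HMAC under a long-term key as a stand-in for the digital signature the slide names; all three are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption): p = 2^127 - 1 is prime, but p - 1 is smooth and p is far
# too small, so this gives no real security. Real systems use standardized groups.
P = 2**127 - 1
G = 3


def keypair():
    priv = secrets.randbelow(P - 3) + 2       # private subkey a (or b)
    return priv, pow(G, priv, P)               # public value g^a mod p


def shared_secret(priv: int, peer_pub: int) -> int:
    if not 1 < peer_pub < P - 1:               # reject 0, 1 and p-1
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)              # (g^b)^a = g^ab mod p


def session_key(secret: int) -> bytes:
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def tag(pub: int, auth_key: bytes) -> bytes:
    # Stand-in for the digital signature over the public value (assumption).
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def exchange(substituted: bool = False, authenticated: bool = False) -> str:
    a, pub_a = keypair()
    b, pub_b = keypair()
    auth_key = secrets.token_bytes(32)         # long-term authentication key
    tag_a, tag_b = tag(pub_a, auth_key), tag(pub_b, auth_key)

    seen_by_bob, seen_by_alice = pub_a, pub_b
    if substituted:                            # public values replaced on the path
        _, other = keypair()
        seen_by_bob = seen_by_alice = other

    if authenticated:
        ok = (hmac.compare_digest(tag(seen_by_bob, auth_key), tag_a) and
              hmac.compare_digest(tag(seen_by_alice, auth_key), tag_b))
        if not ok:
            return "rejected"                  # abort before deriving any key

    key_alice = session_key(shared_secret(a, seen_by_alice))
    key_bob = session_key(shared_secret(b, seen_by_bob))
    return "match" if hmac.compare_digest(key_alice, key_bob) else "mismatch"


if __name__ == "__main__":
    print(exchange(), exchange(substituted=True),
          exchange(substituted=True, authenticated=True))
```

A "mismatch" result means Alice and Bob each hold a key shared with whoever replaced the values, and nothing in the unauthenticated exchange tells them so; with authentication the substituted value is rejected before any key is derived.
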
Need for digital signature

• A MAC cannot be used as proof of data authenticity to be verified by a third party
• Digital signatures can be validated by third parties
– Provides strong (non-repudiable) data authentication
• Features for digital signature:
– Signing (using private key)
– Validation (uses public key)

Digital signature: Basic principle

[Diagram. Alice's public key (pub) is distributed via PKI; Alice keeps her private key. Alice prepares message M, calculates digital signature S by digital signing, = Sig( , private), and sends the message as digital signature S. Bob validates the signature, = Val( , pub), to calculate and receive message M.]

• Digital signing and validation require heavy calculation, and are not used for direct signing as shown above.
• In practice, hybrid signing is used which combines a hash function and digital signing.

Practical digital signing

[Diagram. Alice's public key (pub) is distributed via PKI; Alice keeps her private key. Alice calculates the hash H = Hash(M) with the hash function, calculates digital signature S by digital signing, = Sig( , private), and sends digital signature S along with message M. Bob receives message M' with uncertain authenticity and calculates the expected hash H' = Hash(M') with the hash function. He validates the signature, = Val( , pub), to calculate the hash, and checks the hash: H = H'? No: corrupt message. Yes: authentic message.]

Simple and strong data authentication

Simple authentication: MAC (Message Authentication Code). Alice and Bob hold a common secret key.
– "Authenticated with secret key, so I know Alice sent the message."
– "But you have the same key, so you could send the message to yourself."

Strong/undeniable authentication: digital signature (PKI). Alice holds Alice's private key; Bob holds Alice's public key.
– "Digitally signed with private key, so I know Alice sent the message."
– "You're right, only Alice could have signed the message."

POSTQUANTUM CRYPTOGRAPHY

Quantum computers

• Quantum computing (QC) is based on quantum "qubits" instead of binary bits
• Quantum algorithms, i.e. algorithms for quantum computers, can potentially break common asymmetric crypto-algorithms, e.g. RSA, DSA and Diffie-Hellman.

[Figure: Experimental quantum computer]

Cryptographic functions

[Diagram (T). Functions: symmetrical encryption; hash functions; asymmetrical encryption & digital signature (traditional), e.g. RSA, DSA, Diffie-Hellman. Security services: confidentiality; authenticity / integrity; digital signature; PKI / key distribution. Label: the quantum threat.]

Cryptographic functions

[Diagram (PQ). Functions: symmetrical encryption; hash functions; asymmetrical encryption & digital signature (post-quantum), e.g. lattice-based, multivariate, hash-based, code-based, elliptic curve isogeny. Security services: confidentiality; authenticity / integrity; digital signature; PKI / key distribution.]

With post quantum crypto we can keep DigSig and PKI even with quantum computers that have 1 million qubits

Standardization of post quantum crypto

• The term "post-quantum crypto" (Post-Quantum Crypto) means cryptography that cannot be broken by quantum computers.

[Timeline figure: 2016 to 2024.]

Breakdown of trad. asymmetric crypto?

[Plot: quantum computer qubit size (logarithmic scale, 0 to 10,000,000) against year (2020 to 2090), starting from 50 qubits, with regions marked "Collapse" and "No collapse" and the note "Very uncertain prediction".]

Why move to post-quantum cryptography?

A. Use post-quantum crypto because quantum computers will probably crack RSA, Diffie-Hellman and DSA sometime in the future.
B. Use post quantum crypto because you don't want your organization to end up on the front page of the newspaper, accused of being irresponsible.

END OF THE PRESENTATION

Reference

Information Security, Åvald Åslaugson Sommervoll, University of Oslo
