Professional Documents
Culture Documents
CRYPTOGRAPHY CRYPTANALYSIS
Private Key
Public Key
(Secret Key)
• substitution ciphers
– monoalphabetic ciphers
– polyalphabetic ciphers
• transposition (permutation) ciphers
• product ciphers
– using both
• substitution, and
• transposition
Classical Cryptography
• Monoalphabetic Ciphers
Once a key is chosen, each alphabetic
character of a plaintext is mapped onto
a unique alphabetic character of a
ciphertext.
– The Shift Cipher (Caesar Cipher)
– The Substitution Cipher
– The Affine Cipher
Classical Cryptography
• Polyalphabetic Ciphers
Each alphabetic character of a plaintext
can be mapped onto m alphabetic
characters of a ciphertext. Usually m is
related to the encryption key.
– The Vigenère Cipher
– The Hill Cipher
– The Permutation Cipher
Benefits of
Cryptography
• Offers individual privacy and confidentiality.
• In some circumstances also authentication
and non-repudiation (e.g. legal ‘signatures’)
• Especially important in explicitly
Authorization .
4 types of cryptanalysis
• depending on what a cryptanalyst has to
work with, attacks can be classified into
– ciphertext only attack
– known plaintext attack
– chosen plaintext attack
– chosen ciphertext attack (most severe)
4 types of attacks (2)
• ciphertext only attack
– the only data available is a target ciphertext
K=3
The Caesar cipher (cnt’d)
K=3
Caesar Cipher
• The Caesar cipher is still useful as a way to prevent
people from unintentionally reading something.
– ROT-13
– By decrypting, the user agrees that they want to
view the content.
• Fundamental problem: key length is shorter than the
message.
Let P = C = K = Z26.
xP, yC, KK, define
y =eK(x) = x + K (mod 26)
and
X=dK(y) = y - K (mod 26).
An example
10 11 01 01 11 10 00 11 01
Message: A B C D E F G H I J K L M
Ciphertext: J P I O T M F W Q C D Y B
Message: N O P Q R S T U V W X Y Z
Ciphertext: Z A E S H V R L G N K U X
Message: A B C D E F G H I J K L M
Ciphertext: H A L E K N W B F O R D I
Message: N O P Q R S T U V W X Y Z
Ciphertext: G T U S Y M C V Q P Z J X
Substitution Cipher
• For each letter, substitute some other
letter(randomly)
– A key determines what the substitution is
– E.g., 4, 8, 1, 26,...
• 1st letter in the alphabet will be represented by the 4 th letter
• AD
• 2nd letter will be represented by the 8th
• BH
• 3rd letter will be represented by the 1 st
• CA
• 4th letter will be represented by the 26th
• DZ
Substitution cipher—formal definition
• Let P = C = Z26 , K, consists of all possible permutations of the
26 symbols 0,1, …, 25 ( or a,b,…,z). For each permutation
K, , define
e(x) = (x)
and
d(y) = -1(y)
Alice E
D Bob
key
Message Message
(cleartext,plaintext) (cleartext, plaintext)
Problems with private key ciphers
• In order for Alice & Bob to be able to
communicate securely using a private key
cipher, such as DES, they have to have a
shared key in the first place.
– Question:
What if they have never met before ?
• Alice needs to keep 100 different keys if
she wishes to communicate with 100
different people
A question
• Consider a group of n people, each wishing to
communicate securely with all other members
in the group, by using a private key cipher,
say DES.
E Network D
Secret Key
Alice
Bob
Main differences with DES
• The public encryption key is different from
the secret decryption key.
• Infeasible for an attacker to find out the
secret decryption key from the public
encryption key.
• no need for Alice & Bob to distribute a shared
secret key beforehand !
• only one pair of public and secret keys is
required for each user !
Realising public key ciphers
The most famous system that implements •
Diffie & Hellman’s ideas on public key
ciphers is due to
Ronald Rivest –
Adi Shamir –
Leonard Adleman –
This concrete public key cryptosystem is •
.called RSA
Prime & composite
Prime and composite numbers •
a prime number is an integer that can divided –
only by 1 and itself
13, 11, 7, 5, 3, 2, E.g. •
...... ,103101,
all other integers are composite –
12, 10, 9, 8, 6, 4, E.g. •
800164386535523743960876432,
Modular operations
”remainder“ •
1 = 1 (mod 7),)mod 5( 3 = 13 –
32 = 4 (mod 7),)mod 5( 0 = 20 –
modular exponentiation •
32 = 0 (mod 3) ,)mod 3( 1 = 22 –
102 = 8 (mod 92) ,)mod 5( 4 = 22 –
311 = 7 (mod 10) ,)mod 10( 6 = 46 –
RSA Public Key Cryptosystem
Public Key Directory (Yellow/White Pages)
Bob: (e, n)
public key:
e &n
Plain Text Cipher Text Cipher Text Plain Text
c= m=
Network
m e mod n c d mod n
Bob
RSA (1)
• Bob:
– chooses 2 large primes (each at least 100 digits):
p, q
multiplies p and q: n = p*q
– finds out two numbers e & d such that
e * d = 1 (mod (p-1)(q-1))
– public key (published in the phone book)
• 2 numbers: (e, n)
• encryption alg: modular exponentiation
– secret key: d
RSA (2)
• Alice has a message m to be sent to Bob:
– finds out Bob’s public encryption key
(e, n)
– calculates
c = me (mod n)
– sends the ciphertext c to Bob
RSA (3)
• Bob:
– receives the ciphertext c from Alice
– uses his matching secret decryption key d to
calculate
m = cd (mod n)
RSA --- 1st small example (1)
:Bob •
p=5, q=11chooses 2 primes: –
n = p*q = 55multiplies p and q:
finds out two numbers e=3 & d=27 which satisfy –
3 * 27 = 1 (mod 40)
Bob’s public key –
(3, 55)numbers: 2 •
modular exponentiationencryption alg: •
27 secret key: –
RSA --- 1st small example (2)
Alice has a message m=13 to be sent to •
:Bob
finds out Bob’s public encryption key –
(3, 55)
calculates –
c = me (mod n)
= 133 (mod 55)
= 2197 (mod 55)
= 52
sends the ciphertext c=52 to Bob –
RSA --- 1st small example (3)
:Bob •
receives the ciphertext c=52 from Alice –
uses his matching secret decryption key 27 to –
calculate
m = 5227 (mod 55)
= 13 (Alice’s message)
RSA --- 2nd small example (1)
:Bob •
p=101, q=113chooses 2 primes: –
n = p*q = 11413multiplies p and q:
finds out two numbers e=3533 & d=6597 which –
satisfy
3533 * 6597 = 1 (mod 11200)
Bob’s public key –
(3533, 11413)numbers: 2 •
modular exponentiationencryption alg: •
6597 secret key: –
RSA --- 2nd small example (2)
Alice has a message m=9726 to be sent to •
:Bob
finds out Bob’s public encryption key –
(3533, 11413)
calculates –
c = me (mod n)
= 97263533 (mod 11413)
= 5761
sends the ciphertext c=5761 to Bob –
RSA --- 2nd small example (3)
:Bob •
receives the ciphertext c=5761 from Alice –
uses his matching secret decryption key 6597 –
to calculate
m = cd (mod n)
= 57616597 (mod 11413)
= 9726 (Alice’s message)
Remarks on RSA
The message m has to be an integer •
.between in the range [1, n]
To encrypt long messages we can use •
modes of operation as for private key
ciphers, or a hybrid cryptosystem (see
.later)
Why RSA is Secure
• Attack Scenario:
– Marvin wants to read Alice’s private message (m)
intended to be read only by Bob.
– However, Alice used RSA to encrypt m using Bob’s
public key (e, n), into the ciphertext c = me (mod n).
– Marvin is a determined attacker and managed to
intercept the ciphertext c on its way from Alice’s to
Bob’s computer.
– Marvin also looked up Bob’s public key (e,n) to help
him in his attack.
Why RSA is Secure
• Marvin now has (c,e,n) and wants to find out m.
• How can Marvin proceed to find m?
– Approach 1: If Marvin could also find out Bob’s secret key
d, he could decrypt c into m in the same way as Bob does.
• Suppose Bob guards his secret key d very well, what can Marvin
do then?
– Approach 2: Marvin knows that c = me (mod n). He knows
that m is a number between 0 and n-1. So he could use
exhaustive search through all n possible messages m.
• But if n is large this takes a long time!
• Exercise: If m is known to be one of X possible messages, how
long does this attack take? (Assume it takes time T to encrypt m
into c)
Why RSA is Secure
• Marvin’s Attack options (cont):
– Approach 3: Marvin can try to compute Bob’s secret
key d from (e,n) and then use Approach 1.
• Remember that e * d = 1 ( mod (p-1)(q-1) )
• Marvin found in a ‘Number Theory’ book a very fast
algorithm called EUCLID to solve the following problem:
Given two numbers (r,s), the algorithm outputs a number x
such that
r * x = 1 (mod s).
• Exercise: Explain how Marvin can use algorithm EUCLID to
find Bob’s secret key d very quickly from (e,n) once he
manages to ‘factorize’ n = p*q into the prime factors p and q.
Why RSA is Secure
• Approach 3 is the most efficient known method Marvin
can use to attack RSA!
M (k ) 2
1.923|n|1 / 3 k 1 / 3 (log 2 ( k |n| / 1.44 )) 2 / 3 (log 2 (|n| / 1.44 )) 2 / 3
Assuming it takes T = 1 day to factorize |n| of length 155
:decimal digits, it would take
M(2)*T = 222 days = 20,000 years to factor n of length |n| =
2*155 = 310 digits
M(3)*T = 239 days = 2 billion (!!) years to factor n of length |n| =
…3*155 = 465 digits
Why RSA is Secure
Therefore, when both p and q in RSA are of at •
.least 155 digits, the product n=p*q is 310 digits