
IT325, Winter 2012

Topic 1: Intro to symmetric ciphers

Reference: Chapter 1 of text by Christof Paar and Jan Pelzl

Contents

Symmetric cryptography
Substitution Cipher
Attacks against the Substitution Cipher
Modular arithmetic
Shift (or Caesar) Cipher and Affine Cipher

Chapter 1 of Understanding Cryptography by Christof Paar and Jan Pelzl

 Symmetric Cryptography
Alternative names: private-key, single-key or secret-key cryptography.
[Figure: Alice (good) and Bob (good) connected by an unsecure channel (e.g. Internet), with Oscar (bad guy) on the channel.]

Problem:
1) Alice and Bob would like to communicate via an unsecure channel (e.g., WLAN or Internet).
2) A malicious third party Oscar (the bad guy) has channel access but should not be able to understand the communication.


 Symmetric Cryptography
Solution: Encryption with a symmetric cipher. Oscar obtains only the ciphertext y, which looks like random bits.

[Figure: Alice applies encryption e( ) and sends y over the unsecure channel (e.g. Internet), where Oscar sees y; Bob applies decryption d( ). A key generator supplies K to both sides over a secure channel.]

x is the plaintext
y is the ciphertext
K is the key
The set of all keys $\{K_1, K_2, \ldots, K_n\}$ is the key space

 Symmetric Cryptography
Encryption equation: $y = e_K(x)$
Decryption equation: $x = d_K(y)$

Encryption and decryption are inverse operations if the same key K is used on both sides: $d_K(y) = d_K(e_K(x)) = x$

Important: The key must be transmitted via a secure channel between Alice and Bob. The secure channel can be realized, for example, by manual means. However, the system is only secure if an attacker does not learn the key K!
The problem of secure communication is reduced to secure transmission and storage of the key K.


 Common mistake
A system looks secure if its details are kept secret from the adversary

Historic example: Enigma
Secret encryption machine
Allies obtained the machine
Decryption by reverse engineering


 Kerckhoffs' Principle
Cryptography does not rely on secret tricks! On the contrary, we assume that the adversary knows exactly which methods are used.

A cryptosystem should be secure even if the attacker (Oscar) knows all details about the system, with the exception of the secret key.


 Cryptanalysis: Attacking Cryptosystems

Classical Attacks
  Mathematical Analysis
  Brute-Force Attack

Implementation Attack: Try to extract the key through reverse engineering or power measurement, e.g., for a banking smart card.

Social Engineering: E.g., trick a user into giving up her password



 Brute-Force Attack (or Exhaustive Key Search) against Symmetric Ciphers



Treats the cipher as a black box
Requires (at least) 1 plaintext-ciphertext pair $(x_0, y_0)$
Check all possible keys until the condition is fulfilled: $d_K(y_0) = x_0$

How many keys do we need?

| Key length in bits | Key space | Security lifetime (assuming brute-force as best possible attack) |
|---|---|---|
| 64 | $2^{64}$ | Short term (few days or less) |
| 128 | $2^{128}$ | Long-term (several decades in the absence of quantum computers) |
| 256 | $2^{256}$ | Long-term (also resistant against quantum computers; note that QC do not exist at the moment and might never exist) |

Important: An adversary only needs to succeed with one attack. Thus, a large key space does not help if other attacks (e.g., social engineering) are possible.

 Substitution Cipher
Great tool for understanding brute-force vs. analytical attacks
Encrypts letters rather than bits (like all ciphers until after WW II)
Idea: replace each plaintext letter by a fixed other letter.

Plaintext → Ciphertext
A → k
B → d
C → w
....

for instance, ABBA would be encrypted as kddk

Example (ciphertext):
iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb hcc hwwhbsqvqbre hwq vhlq

How secure is the Substitution Cipher? Let's look at attacks.


 Attacks against the Substitution Cipher


1. Attack: Exhaustive Key Search (Brute-Force Attack)
Simply try every possible substitution table until an intelligible plaintext appears (note that each substitution table is a key).

How many substitution tables (= keys) are there?

$26 \times 25 \times \cdots \times 3 \times 2 \times 1 = 26! \approx 2^{88}$

Searching through $2^{88}$ keys is completely infeasible with today's computers! (cf. earlier table on key lengths)

Q: Can we now conclude that the substitution cipher is secure since a brute-force attack is not feasible?

A: No! We have to protect against all possible attacks


 Attacks against the Substitution Cipher


2. Attack: Letter frequency analysis

Letters have very different frequencies in the English language.
Moreover: the frequency of plaintext letters is preserved in the ciphertext.
For instance, e is the most common letter in English; almost 13% of all letters in a typical English text are e. The next most common one is t with about 9%.
[Figure: Letter frequencies in English. Vertical axis: frequency in % (0 to 14); horizontal axis: letters, in the order E T A O I N S H R D L C U M W F G Y P B V K J X Q Z.]

 Breaking the Substitution Cipher with Letter Frequency Attack


Let's return to our example and identify the most frequent letter:
iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb hcc hwwhbsqvqbre hwq vhlq

We replace the ciphertext letter q by E and obtain:

iE ifcc vEEr fb rdE vfllcE na rdE cfjwhwz hr bnnb hcc hwwhbsEvEbre hwE vhlE

By further guessing based on the frequency of the remaining letters we obtain the plaintext:
WE WILL MEET IN THE MIDDLE OF THE LIBRARY AT NOON ALL ARRANGEMENTS ARE MADE
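
The letter count behind this step, as an added Python example that is not part of the original slides. It uses the slide's ciphertext and plaintext; the function names are chosen here for illustration. It also shows why "further guessing" is needed: matching letters purely by frequency rank gets q right but most other letters wrong on a text this short.

```python
from collections import Counter

# Ciphertext and plaintext exactly as they appear on the slides.
CIPHERTEXT = ("iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb "
              "hcc hwwhbsqvqbre hwq vhlq")
PLAINTEXT = ("WE WILL MEET IN THE MIDDLE OF THE LIBRARY AT NOON "
             "ALL ARRANGEMENTS ARE MADE")
# Letter order of the slide's frequency chart, most common first.
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"


def letter_counts(text):
    """(letter, count) pairs for alphabetic characters, most frequent first."""
    return Counter(c for c in text.lower() if c.isalpha()).most_common()


def rank_guess(ciphertext):
    """Naive first guess: i-th most frequent ciphertext letter -> i-th English letter."""
    ranked = [letter for letter, _ in letter_counts(ciphertext)]
    return dict(zip(ranked, ENGLISH_ORDER))


def key_from_pair(ciphertext, plaintext):
    """Part of the substitution table exposed by a matching ciphertext/plaintext pair."""
    key = {}
    for c, p in zip(ciphertext, plaintext):
        if c.isalpha() and key.setdefault(c, p) != p:
            raise ValueError(f"{c!r} maps to two plaintext letters")
    return key


def decrypt(ciphertext, key):
    """Apply a (possibly partial) table; unmapped letters stay as ciphertext."""
    return "".join(key.get(c, c) for c in ciphertext)


if __name__ == "__main__":
    counts = letter_counts(CIPHERTEXT)
    total = sum(n for _, n in counts)
    for letter, n in counts[:5]:
        print(f"{letter}: {n:2d} ({100 * n / total:.1f}%)")
    print(decrypt(CIPHERTEXT, {"q": "E"}))          # the slide's first step
    true_key = key_from_pair(CIPHERTEXT, PLAINTEXT)
    guess = rank_guess(CIPHERTEXT)
    wrong = sorted(c for c in true_key if guess[c] != true_key[c])
    print("rank-only guess is wrong for:", " ".join(wrong))
    print(decrypt(CIPHERTEXT, true_key))
```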


 Breaking the Substitution Cipher with Letter Frequency Attack


In practice, not only frequencies of individual letters can be used for an attack, but also the frequency of letter pairs (e.g., the pair th is very common in English), letter triples, etc.

See Problem 1.1 in the text for a longer ciphertext you can try to break!

Important lesson: Even though the substitution cipher has a sufficiently large key space of approx. $2^{88}$, it can easily be defeated with analytical methods.


 Short Introduction to Modular Arithmetic


Generally speaking, most cryptosystems are based on sets of numbers that are

1. discrete (sets with integers are particularly useful)
2. finite (i.e., we only compute with finitely many numbers)

Why do we need to study modular arithmetic?

Extremely important for asymmetric cryptography (RSA, elliptic curves etc.)
Basic symmetric ciphers can be elegantly described with modular arithmetic


 Short Introduction to Modular Arithmetic


Definition: Modulus Operation
Let a, r, m be integers and m > 0. We write

$a \equiv r \bmod m$

if (r - a) is divisible by m.

m is called the modulus
r is called the remainder

Examples for modular reduction:

Let a = 12 and m = 9: $12 \equiv 3 \bmod 9$
Let a = 34 and m = 9: $34 \equiv 7 \bmod 9$
Let a = -7 and m = 9: $-7 \equiv 2 \bmod 9$


 Properties of Modular Arithmetic (1)

The remainder r is not unique

Example:

$12 \equiv 3 \bmod 9$: 3 is a valid remainder since 9 divides (3 - 12)
$12 \equiv 21 \bmod 9$: 21 is a valid remainder since 9 divides (21 - 12)
$12 \equiv -6 \bmod 9$: -6 is a valid remainder since 9 divides (-6 - 12)

The set of remainders forms an equivalence class

Example:

{..., -24, -15, -6, 3, 12, 21, 30, ...}


 Properties of Modular Arithmetic (2)


Which remainder do we choose?
By convention, we usually agree on the smallest positive integer r as remainder. This integer can be computed as

$a = q \cdot m + r$, where $0 \le r \le m - 1$

(q is the quotient, r is the remainder)

Example: a = 12 and m = 9

$12 = 1 \times 9 + 3 \Rightarrow r = 3$

Remark: Algorithmically we are free to choose any other valid remainder to compute our crypto functions.


 Properties of Modular Arithmetic (3)


We want to compute $3^8 \bmod 7$ (exponentiation is important in public-key crypto).
Approach 1: Exponentiation followed by modular reduction
$3^8 = 6561 \equiv 2 \bmod 7$
Approach 2: Exponentiation with intermediate modular reduction
$3^8 = 3^4 \cdot 3^4 = 81 \times 81$
$3^8 = 81 \times 81 \equiv 4 \times 4 \bmod 7$
$4 \times 4 = 16 \equiv 2 \bmod 7$

Note that we can perform all these multiplications without a pocket calculator, whereas mentally computing $3^8 = 6561$ is a bit challenging for most of us.

General rule: For most algorithms it is advantageous to reduce intermediate results as soon as possible.
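
The general rule carried through for arbitrary exponents, as an added Python example that is not from the original slides. It goes beyond the slide's single case by using square-and-multiply, and it records the largest intermediate value so the two approaches can be compared; the function names are chosen here for illustration.

```python
def modexp(base, exponent, modulus):
    """Square-and-multiply with reduction after every multiplication.

    Returns (result, peak), where peak is the largest value that ever had
    to be held before a reduction step.
    """
    if modulus <= 0 or exponent < 0:
        raise ValueError("need modulus > 0 and exponent >= 0")
    result, square, peak = 1 % modulus, base % modulus, 0
    while exponent:
        if exponent & 1:                 # this bit of the exponent is set
            product = result * square
            peak = max(peak, product)
            result = product % modulus
        exponent >>= 1
        if exponent:                     # more bits left: square again
            product = square * square
            peak = max(peak, product)
            square = product % modulus
    return result, peak


def naive(base, exponent, modulus):
    """Approach 1: full exponentiation, one reduction at the very end."""
    power = base ** exponent
    return power % modulus, power


if __name__ == "__main__":
    print(naive(3, 8, 7))     # (2, 6561)
    print(modexp(3, 8, 7))    # (2, 16)
    # Constructed larger case: a million-bit-sized power, tiny intermediates.
    print(modexp(3, 2 ** 20, 7))
```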


 Shift (or Caesar) Cipher (1)



Ancient cipher, allegedly used by Julius Caesar
Replaces each plaintext letter by another one: take the letter that follows after k positions in the alphabet

0 corresponds to A, 1 corresponds to B, etc:

| A | B | C | D | E | F | G | H | I | J | K | L | M |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |

| N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 |

Example for k = 7

Plaintext = ATTACK = 0, 19, 19, 0, 2, 10
Ciphertext = haahjr = 7, 0, 0, 7, 9, 17
Note that the letters wrap around at the end of the alphabet


 Shift (or Caesar) Cipher (2)

Mathematical formulation

Let $k, x, y \in \{0, 1, \ldots, 25\}$

Encryption: $y = e_k(x) \equiv x + k \bmod 26$
Decryption: $x = d_k(y) \equiv y - k \bmod 26$

Q: Is the shift cipher secure?
A: No! Several attacks are possible, including:

Exhaustive key search (the key space has only 26 keys!)
Letter frequency analysis, similar to the attack against the substitution cipher
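
The shift cipher and the exhaustive key search from the brute-force slide (check every key until $d_K(y_0) = x_0$), as an added Python example that is not from the original slides. It uses the slide's pair ATTACK / haahjr and keeps the slides' convention of uppercase plaintext and lowercase ciphertext; the function names are chosen here for illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def _shift(text, k):
    """Move every letter k positions, wrapping mod 26; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_encrypt(plaintext, k):
    """y = x + k mod 26, returned in lowercase like the slides' ciphertext."""
    return _shift(plaintext, k).lower()


def shift_decrypt(ciphertext, k):
    """x = y - k mod 26, returned in uppercase like the slides' plaintext."""
    return _shift(ciphertext, -k)


def exhaustive_key_search(x0, y0):
    """Known pair (x0, y0): every key K in the key space with d_K(y0) == x0."""
    return [k for k in range(26) if shift_decrypt(y0, k) == x0.upper()]


def all_decryptions(ciphertext):
    """No known plaintext: the whole key space still fits on one screen."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    y = shift_encrypt("ATTACK", 7)
    print(y)                                       # haahjr
    print(exhaustive_key_search("ATTACK", y))      # [7]
    for k, candidate in all_decryptions(y).items():
        print(f"{k:2d} {candidate}")
```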


 Affine Cipher (1)



Extension to the shift cipher: the key is both multiplied with and added to the plaintext
Key consists of two parts: k = (a, b) or a=; b=
Let $x, y, a, b \in \{0, 1, \ldots, 25\}$

Encryption: $y = e_k(x) \equiv a x + b \bmod 26$
Decryption: $x = d_k(y) \equiv (y - b)(1/a) \bmod 26$

The solution to $ax \equiv 1 \bmod m$ is called the multiplicative inverse of a, denoted as $a^{-1}$

Multiplying by $a^{-1}$ corresponds to dividing by a, so we can write $b/a \bmod m$ when we mean $b a^{-1} \bmod m$.

Ex: The inverse of 7 mod 9 is 4 since $7 \times 4 = 28 \equiv 1 \bmod 9$
So, $5 / 7 \equiv 5 \times 4 = 20 \equiv 2 \bmod 9$


 The Inverse Theorem

The following theorem tells us which numbers have inverses modulo m.

Theorem: A number a has a multiplicative inverse if and only if $\gcd(m, a) = 1$. We say that a is coprime or relatively prime to m.

Practice Problem: Which of the numbers 0, 1, 2, 3, 4, 5, 6, 7, 8 have inverses mod 9?

The elements 0, 3, and 6 do not have inverses since they are not coprime to 9. Students use trial and error to find the inverses of the other elements 1, 2, 4, 5, 7, and 8.

The trial-and-error approach is inefficient when m is large. The Euclidean algorithm for computing the inverse is more efficient (to be done later).


 Proof of Inverse Theorem

To prove $a^{-1}$ exists iff $\gcd(m, a) = 1$, we show the following:
i. $a^{-1}$ exists $\Rightarrow \gcd(m, a) = 1$
ii. $\gcd(m, a) = 1 \Rightarrow a^{-1}$ exists
Students to do proof of (i)


 Proof of Inverse Theorem, contd:


To prove $\gcd(m, a) = 1 \Rightarrow a^{-1}$ exists
We show the following:
A. $\exists$ integers s, t such that $ms + at = \gcd(m, a)$
Hence, $\gcd(a, m) = 1 \Rightarrow \exists$ integers s, t such that $ms + at = 1$
B. $\exists$ integers s, t such that $ms + at = 1 \Rightarrow a^{-1}$ exists


 Proof of Inverse Theorem, contd:


Proof of ii A:
$\exists$ s, t such that $ms + at = \gcd(m, a)$
Let x be any integer of the form Sm + Ta for integers S and T
Let g be the smallest non-negative integer of this form (want to show g = gcd(m, a))
Then $x = Cg + r$, $0 \le r < g$


 Proof of Inverse Theorem, contd:


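Proof of ii A:
$\exists$ s, t such that $ms + at = \gcd(m, a)$
$x = Cg + r$, $0 \le r < g$
where $r = Sm + Ta - Cg = Sm + Ta - C(Sm + Ta) = Sm + Ta$ (each Sm + Ta stands for some integer combination of m and a, with its own S and T), so r is again of this form
Hence $r = 0$ (as g was the smallest such non-negative integer and r < g)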


 Proof of Inverse Theorem, contd:


Proof of ii A:
$\exists$ s, t such that $ms + at = \gcd(m, a)$
$x = Cg + r$; $r = 0$
Hence g divides all integers of the form Sm + Ta; in particular, g divides a (S = 0) and m (T = 0)
Further, as g itself is of the form Sm + Ta, all common factors of m and a divide g
Hence g = gcd(m, a)
Hence $\exists$ s, t such that $ms + at = \gcd(m, a)$


 Proof of Inverse Theorem, contd:


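Proof of ii B:
$\exists$ s, t such that $ms + at = 1 \Rightarrow a^{-1}$ exists
$\exists$ s, t such that $ms + at = 1 \Rightarrow at \equiv 1 \bmod m \Rightarrow a^{-1} \equiv t \bmod m$
A and B imply ii. $\gcd(m, a) = 1 \Rightarrow a^{-1}$ exists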


 Properties of Affine Cipher



What is the size of the key space?
Recall key k = (a, b)
Since the inverse of a is needed for decryption, we can only use values for a for which $\gcd(a, 26) = 1$.
There are 12 values for a that fulfill this condition
Hence the key space of the affine cipher is 12 × 26 = 312

Again, several attacks are possible, including:

Exhaustive key search and letter frequency analysis, similar to the attack against the substitution cipher
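
The Inverse Theorem, its proof and the affine cipher tied together, as an added Python example that is not from the original slides. The extended Euclidean algorithm produces the s and t of statement A, the inverse is t mod m as in statement B, and the affine cipher refuses any a without an inverse. The key (9, 13) and all function names are constructed here for illustration.

```python
from math import gcd


def ext_gcd(m, a):
    """Extended Euclid: (g, s, t) with m*s + a*t == g == gcd(m, a)."""
    old_r, r, old_s, s, old_t, t = m, a, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def inverse(a, m):
    """a^-1 mod m, or None if gcd(m, a) != 1 (no inverse exists)."""
    g, _, t = ext_gcd(m, a % m)
    return t % m if g == 1 else None


def affine_encrypt(plaintext, a, b):
    """y = a*x + b mod 26; rejects keys that could not be decrypted."""
    if inverse(a, 26) is None:
        raise ValueError(f"a={a} is not coprime to 26")
    return "".join(chr((a * (ord(c) - 65) + b) % 26 + 97) if "A" <= c <= "Z" else c
                   for c in plaintext.upper())


def affine_decrypt(ciphertext, a, b):
    """x = (y - b) * a^-1 mod 26."""
    a_inv = inverse(a, 26)
    if a_inv is None:
        raise ValueError(f"a={a} is not coprime to 26")
    return "".join(chr(a_inv * (ord(c) - 97 - b) % 26 + 65) if "a" <= c <= "z" else c
                   for c in ciphertext.lower())


def key_space():
    """All usable keys (a, b): a coprime to 26, b arbitrary."""
    return [(a, b) for a in range(26) if gcd(a, 26) == 1 for b in range(26)]


if __name__ == "__main__":
    print({a: inverse(a, 9) for a in range(9)})   # the practice problem mod 9
    print(5 * inverse(7, 9) % 9)                  # the slide's 5 / 7 mod 9
    y = affine_encrypt("ATTACK", 9, 13)           # key (9, 13) is constructed
    print(y, affine_decrypt(y, 9, 13), len(key_space()))
```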


 Lessons Learned
Never ever develop your own crypto algorithm unless you have a team of experienced cryptanalysts checking your design.

A large key space by itself is no guarantee for a cipher being secure; the cipher might still be vulnerable against analytical attacks.

Attackers always look for the weakest point of a cryptosystem.


 Credits
A large fraction of the slides are adapted from Paar-Pelzl's.
Proof of Inverse Theorem is from the lecture notes of Poorvi Vora.
