Introduction to Cryptography Part I

Presentation is based on the book
„Understanding Cryptography – A Textbook for
Students and Practitioners“
by Christof Paar and Jan Pelzl
www.crypto-textbook.com
Part I – Introduction to Cryptography
These slides were prepared by Christof Paar, Jan Pelzl and Maksim Djackov

2/36 Understanding Cryptography by Christof Paar and Jan Pelzl
Some legal stuff: Terms of Use
• The slides can used free of charge. All copyrights for the slides remain with
Christof Paar and Jan Pelzl.
• The title of the accompanying book “Understanding Cryptography” by
Springer and the author’s names must remain on each slide.
• If the slides are modified, appropriate credits to the book authors and the
book title must remain within the slides.
• It is not permitted to reproduce parts or all of the slides in printed form
whatsoever without written consent by the authors.

Part I

Content of this Chapter
• Overview on the field of cryptology
• Basics of symmetric cryptography
• One-Time Pad (OTP)
• Substitution Cipher
• Shift (or Caesar) Cipher and Affine Cipher
• Enigma Machine
• DES Block Cipher
• AES Block Cipher

 Further Reading and Information
Addition to Understanding Cryptography .
• A.Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography.
CRC Press, October 1996.
• H.v.Tilborg (ed.), Encyclopedia of Cryptography and Security, Springer, 2005
History of Cryptography (great bedtime reading)
• S. Singh, The Code Book: The Science of Secrecy from Ancient Egypt to
Quantum Cryptography, Anchor, 2000.
• D. Kahn, The Codebreakers: The Comprehensive History of Secret
Communication from Ancient Times to the Internet. 2nd edition, Scribner, 1996.
Software (excellent demonstration of many ancient and modern ciphers)
• Cryptool, http://www.cryptool.de

 Classification of the Field of Cryptology
Cryptology
Cryptography Cryptanalysis
Symmetric Ciphers Asymmetric Ciphers Protocols
Block Ciphers Stream Ciphers

 Some Basic Facts
• Ancient Crypto: Early signs of encryption in Eqypt in ca. 2000 B.C.
Letter-based encryption schemes (e.g., Caesar cipher) popular ever since.
• Symmetric ciphers: All encryption schemes from ancient times until 1976 were
symmetric ones.
• Asymmetric ciphers: In 1976 public-key (or asymmetric) cryptography was openly
proposed by Diffie, Hellman and Merkle.
• Hybrid Schemes: The majority of today‘s protocols are hybrid schemes, i.e., the
use both
• symmteric ciphers (e.g., for encryption and message authentication) and
• asymmetric ciphers (e.g., for key exchange and digital signature).

• Enigma Machine

 Symmetric Cryptography
• Alternative names: private-key, single-key or secret-key cryptography.
Alice
(good)
Bob
(good)
Oscar
(bad guy)
x x
Unsecure
channel
(e.g. Internet)
• Problem Statement:
1) Alice and Bob would like to communicate via an unsecure channel (e.g.,
WLAN or Internet).
2) A malicious third party Oscar (the bad guy) has channel access but should
not be able to understand the communication.

Alice
(good)
Bob
(good)
Oscar
(bad guy)
Encryption
e( )
Key Generator
Decryption
d( )
Secure Channel
K
x y
K
x
Unsecure
channel
(e.g. Internet)
• x is the. plaintext
• y is the ciphertext
• K is the key
• Set of all keys {K1, K2, ...,Kn} is the key space
Solution: Encryption with symmetric cipher.
 Oscar obtains only ciphertext y, that looks
like random bits
y

• Encryption equation y = eK(x)
• Decryption equation x = dK(y)
• Important: The key must be transmitted via a secure channel between Alice and Bob.
• The secure channel can be realized, e.g., by manually installing the key for the Wi-Fi
Protected Access (WPA) protocol or a human courier.
• However, the system is only secure if an attacker does not learn the key K!
 The problem of secure communication is reduced to secure transmission and
storage of the key K.
• Encryption and decryption are inverse operations if the same key K is used on both
sides:
dK(y) = dK(eK(x)) = x

• Treats the cipher as a black box
• Requires (at least) 1 plaintext-ciphertext pair (x0, y0)
• Check all possible keys until condition is fulfilled:
dK(y0) = x0
• How many keys to we need ?
 Brute-Force Attack (or Exhaustive Key Search) against Symmetric Ciphers
Key length
in bit
Key space Security life time
(assuming brute-force as best possible attack)
64 264 Short term (few days or less)
128 2128 Long-term (several decades in the absence of
quantum computers)
256 2256 Long-term (also resistant against quantum
computers – note that QC do not exist at the
moment and might never exist)
?
Important: An adversary only needs to succeed with one attack. Thus, a long key space
does not help if other attacks (e.g., social engineering) are possible..

• Enigma Machine

 One-Time Pad (OTP)
Unconditionally secure cryptosystem:
• A cryptosystem is unconditionally secure if it cannot be broken even with
infinite computational resources
One-Time Pad
• A cryptosystem developed by Mauborgne that is based on Vernam’s stream
cipher:
• Properties:
Let the plaintext, ciphertext and key consist of individual bits
xi, yi, ki  {0,1}.
Encryption: eki
(xi) = xi  ki.
Decryption: dki
(yi) = yi  ki
OTP is unconditionally secure if and only if the key ki. is used once!

 One-Time Pad (OTP)
Unconditionally secure cryptosystem:
y0 = x0  k0
y1 = x1  k1
:
Every equation is a linear equation with two unknowns
 for every yi are xi = 0 and xi = 1 equiprobable!
This is true iff k0, k1, ... are independent, i.e., all ki have to be
generated truly random
 It can be shown that this systems can provably not be solved.
Disadvantage: For almost all applications the OTP is impractical
since the key must be as long as the message! (Imagine you
have to encrypt a 1GByte email attachment.)

• Enigma Machine

 Substitution Cipher
• Historical cipher
• Great tool for understanding brute-force vs. analytical attacks
• Encrypts letters rather than bits (like all ciphers until after WW II)
Idea: replace each plaintext letter by a fixed other letter.
Plaintext Ciphertext
A  k
B  d
C  w
....
for instance, ABBA would be encrypted as kddk
• Example (ciphertext):
iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb hcc
hwwhbsqvqbre hwq vhlq
• How secure is the Substitution Cipher? Let‘s look at the attacks…

 Attacks against the Substitution Cipher
1. Attack: Exhaustive Key Search (Brute-Force Attack)
• Simply try every possible subsititution table until an intelligent plaintext appears
(note that each substitution table is a key)..
• How many substitution tables (= keys) are there?
26 x 25 x … x 3 x 2 x 1 = 26!  288
Search through 288 keys is completely infeasible with today‘s computers!
(cf. earlier table on key lengths)
• Q: Can we now conclude that the substitution cipher is secure since a brute-
forece attack is not feasible?
• A: No! We have to protect against all possible attacks…

 2. Attack: Letter Frequency Analysis (Brute-Force Attack)
• Letters have very different frequencies in the English language
• Moreover: the frequency of plaintext letters is preserved in the ciphertext.
• For instanc, „e“ is the most common letter in English; almost 13% of all letters in a
typical English text are „e“.
• The next most common one is „t“ with about 9%.
E T A O I N S H R D L C U M W F G Y P B V K J X Q Z
0.0000
2.0000
4.0000
6.0000
8.0000
10.0000
12.0000
14.0000
Letter frequencies in English
Letters
Frequencyin%

 Breaking the Substitution Cipher with Letter Frequency Attack
• Let‘s retun to our example and identify the most frequent letter:
iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb hcc
hwwhbsqvqbre hwq vhlq
• We replace the ciphertext letter q by E and obtain:
iE ifcc vEEr fb rdE vfllcE na rdE cfjwhwz hr bnnb hcc
hwwhbsEvEbre hwE vhlE
• By further guessing based on the frequency of the remaining letters we obtain the
plaintext:
WE WILL MEET IN THE MIDDLE OF THE LIBRARY AT NOON ALL
ARRANGEMENTS ARE MADE

 Breaking the Substitution Cipher with Letter Frequency Attack
• In practice, not only frequencies of individual letters can be used for an attack,
but also the frequency of letter pairs (i.e., „th“ is very common in English), letter
triples, etc.
• cf. Problem 1.1 in Understanding Cryptography for a longer ciphertext you can
try to break!
Important lesson: Even though the substitution cipher has a sufficiently large key
space of appr. 288, it can easily be defeated with analytical methods. This is an
excellent example that an encryption scheme must withstand all types of
attacks.

• Enigma Machine

 Shift (or Caesar) Cipher (1)
• Ancient cipher, allegedly used by Julius Caesar
• Replaces each plaintext letter by another one.
• Replacement rule is very simple: Take letter that follows after k positions in the alphabet
Needs mapping from letters → numbers:
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
• Example for k = 7
Plaintext = ATTACK = 0, 19, 19, 0, 2, 10
Ciphertext = haahr = 7, 0, 0, 7, 17
Note that the letters ”wrap around” at the end of the alphabet, which can be
mathematically be expressed as reduction modulo 26, e.g., 19 + 7 = 26 ≡ 0 mod 26

 Shift (or Caesar) Cipher (2)
• Elegant mathematical description of the cipher.
• Q; Is the shift cipher secure?
• A: No! several attacks are possible, including:
• Exhaustive key search (key space is only 26!)
• Letter frequency analysis, similar to attack against substitution cipher
Let k, x, y ε {0,1, …, 25}
• Encryption: y = ek(x) ≡ x + k mod 26
• Decryption: x = dk(x) ≡ y - k mod 26

 Affine Cipher (1)
• Extension of the shift cipher: rather than just adding the key to the plaintext, we also
multiply by the key
• We use for this a key consisting of two parts: k = (a, b)
• Since the inverse of a is needed for inversion, we can only use values for a for which:
gcd(a, 26) = 1
There are 12 values for a that fulfill this condition.
• From this follows that the key space is only 12 x 26 = 312 (cf. Sec 1.4 in Understanding
Cryptography)
• Again, several attacks are possible, including:
• Exhaustive key search and letter frequency analysis, similar to the attack against
the substitution cipher
Let k, x, y ε {0,1, …, 25}
• Encryption: y = ek(x) ≡ a x + b mod 26
• Decryption: x = dk(x) ≡ a-1( y – b) mod 26

• Enigma Machine

 Enigma Machine (Image Source: wikipedia.com)

• Enigma Machine

 DES Block Cipher
• Data Encryption Standard (DES) encrypts blocks of size 64 bit
• Developed by IBM based on the cipher Lucifer under influence of the National
Security Agency (NSA), the design criteria for DES have not been published
• Most popular block cipher for most of the last 30 years
• Nowadays considered insecure due to the small key length of 56 bit
• But: 3DES yields very secure cipher, still widely used today
• Replaced by the Advanced Encryption Standard (AES) in 2000

 Block Cipher Primitives: Confusion and Diffusion
• Claude Shannon: There are two primitive operations with which strong encryption
algorithms can be built:
1. Confusion: An encryption operation where the relationship between key and cipher
text is obscured
Today, a common element for achieving confusion is substitution, which is found
in both AES and DES.
2. Diffusion: An encryption operation where the influence of one plaintext symbol is
spread over many cipher text symbols with the goal of hiding statistical properties of
the plaintext
A simple diffusion element is the bit permutation, which is frequently used within
DES
• Both operations by themselves cannot provide security. The idea is to
concatenate confusion and diffusion elements to build so called product ciphers.

 Product Ciphers
• Most of today‘s block ciphers are product ciphers as they consist
of rounds which are applied repeatedly to the data
• Can reach excellent diffusion: changing of one bit of plaintext
results on average in the change of half the output bits
• Example:

• Enigma Machine

 AES (Advanced Encryption Standard)
• AES is the most widely used symmetric cipher today
• The algorithm for AES was chosen by the US National Institute of Standards and
Technology (NIST) in a multi-year selection process
• The requirements for all AES candidate submissions were:
• Block cipher with 128-bit block size
• Three supported key lengths: 128, 192 and 256 bit
• Security relative to other submitted algorithms
• Efficiency in software and hardware
• 5 finalists announced in August, 1999:
• Mars – IBM Corporation
• RC6 – RSA Laboratories
• Rijndael – J. Daemen & V. Rijmen
• Serpent – Eli Biham et al.
• Twofish – B. Schneier et al.
• In October 2000, Rijndael was chosen as the AES

 AES (Advanced Encryption Standard)
There were found NO analytical attacks on
AES that reduce its key space effectively (at
the time of this writing)

 Lessons Learned
• Never ever develop your own crypto algorithm unless you have a team of experienced
cryptanalysts checking your design.
• Do not use unproven crypto algorithms or unproven protocols.
• Attackers always look for the weakest point of a cryptosystem. For instance, a large key
space by itself is no guarantee for a cipher being secure; the cipher might still be vulnerable
against analytical attacks.
• Key lengths for symmetric algorithms in order to thwart exhaustive key-search attacks:
• 64 bit: insecure except for data with extremely short-term value
• 128 bit: long-term security of several decades, unless quantum computers become
available (quantum computers do not exist and perhaps never will)
• 256 bit: as above, but probably secure against attacks by quantum computers.
• Modular arithmetic is a tool for expressing historical encryption schemes, such as the affine
cipher, in a mathematically elegant way.

Introduction to Cryptography Part I

More Related Content

Introduction to Cryptography Part I