INF3510 Information Security
University of Oslo, Spring 2014

Lecture 5: Cryptography
University of Oslo, spring 2014
Leif Nilsen

Outline
• What is cryptography?
• Brief crypto history
• Security issues
• Symmetric cryptography
  – Stream ciphers
  – Block ciphers
  – Hash functions
• Asymmetric cryptography
  – Factoring based mechanisms
  – Discrete logarithms
  – Digital signatures

L05 Cryptography, INF3510 - UiO 2014
Want to learn more? Look up UNIK 4220.

What is cryptology?

Secure communication over insecure channels
(Figure: Alice and Bob communicate while Oscar listens on the channel; the two tools are symmetric crypto and asymmetric crypto.)
- Confidentiality
- Integrity
- Authenticity
- Non-repudiation

Terminology
• Cryptography is the science of secret writing with the goal of hiding the meaning of a message.
• Cryptanalysis is the science, and sometimes art, of breaking cryptosystems.
• Cryptology covers both cryptography and cryptanalysis (figure).

Taxonomy of cryptographic primitives (figure)

When is cryptography used?
• Some example situations:
  – Historically, the military and spy agencies were the main users of cryptology
    • Situation: transmitting messages over insecure channels
  – Now, it is used in many other areas, especially in electronic information processing and communications technologies:
    • Banking: your financial transactions, such as EFTPOS
    • Communications: your mobile phone conversations
    • Info stored in databases: hospitals, universities, etc.
• Cryptography can be used to protect information in storage or during transmission.
Model of symmetric cryptosystem (figure)

Terminology
• Encryption: plaintext (clear text) M is converted into a ciphertext C under the control of a key k.
  – We write C = E(M, k).
• Decryption with key k recovers the plaintext M from the ciphertext C.
  – We write M = D(C, k).
• Symmetric ciphers: the same secret key is used for both encryption and decryption.
• Asymmetric ciphers: a pair of private and public keys, where it is computationally infeasible to derive the private decryption key from the corresponding public encryption key.
Caesar cipher
Example: Caesar cipher
P = {abcdefghijklmnopqrstuvwxyz}
C = {DEFGHIJKLMNOPQRSTUVWXYZABC}
Plaintext:  kryptologi er et spennende fag   (Norwegian: "cryptology is an exciting subject")
Ciphertext: NUBSWRORJL HU HT VSHQQHQGH IDJ
Note: the Caesar cipher in this form does not include a variable key, but is an instance of a "shift cipher" using key K = 3.

Numerical encoding of the alphabet
Using this encoding, many classical cryptosystems can be expressed as algebraic functions over Z26 (English alphabet) or Z29 (Norwegian alphabet).

   a  b  c  d  e  f  g  h  i  j  k  l  m  n  o
   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14

   p  q  r  s  t  u  v  w  x  y  z  æ  ø  å
  15 16 17 18 19 20 21 22 23 24 25 26 27 28

Shift cipher
Let P = C = Z29. For 0 ≤ K ≤ 28, we define
  E(x, K) = x + K (mod 29)   and   D(y, K) = y − K (mod 29)      (x, y ∈ Z29)
Question: What is the size of the key space?

Puzzle: ct = LAHYCXPAJYQHRBWNNMNMOXABNLDANLXVVDWRLJCRXWB
Find the plaintext! (The puzzle is in the 26-letter English alphabet, so the search below runs over Z26.)
Exhaustive search (Mathematica; decrypt[ct, 1, i] is a helper defined in the lecture material that shifts ct back by i positions, not a built-in):

    For[i = 0, i < 26, i++,
      Print["Key = ", i, " Plain = ", decrypt[ct, 1, i]]]
Key = 0   Plain = LAHYCXPAJYQHRBWNNMNMOXABNLDANLXVVDWRLJCRXWB
Key = 1   Plain = KZGXBWOZIXPGQAVMMLMLNWZAMKCZMKWUUCVQKIBQWVA
Key = 2   Plain = JYFWAVNYHWOFPZULLKLKMVYZLJBYLJVTTBUPJHAPVUZ
Key = 3   Plain = IXEVZUMXGVNEOYTKKJKJLUXYKIAXKIUSSATOIGZOUTY
Key = 4   Plain = HWDUYTLWFUMDNXSJJIJIKTWXJHZWJHTRRZSNHFYNTSX
Key = 5   Plain = GVCTXSKVETLCMWRIIHIHJSVWIGYVIGSQQYRMGEXMSRW
Key = 6   Plain = FUBSWRJUDSKBLVQHHGHGIRUVHFXUHFRPPXQLFDWLRQV
Key = 7   Plain = ETARVQITCRJAKUPGGFGFHQTUGEWTGEQOOWPKECVKQPU
Key = 8   Plain = DSZQUPHSBQIZJTOFFEFEGPSTFDVSFDPNNVOJDBUJPOT
Key = 9   Plain = CRYPTOGRAPHYISNEEDEDFORSECURECOMMUNICATIONS
Key = 10  Plain = BQXOSNFQZOGXHRMDDCDCENQRDBTQDBNLLTMHBZSHNMR
Key = 11  Plain = APWNRMEPYNFWGQLCCBCBDMPQCASPCAMKKSLGAYRGMLQ
Key = 12  Plain = ZOVMQLDOXMEVFPKBBABACLOPBZROBZLJJRKFZXQFLKP
…
Only key 9 yields readable text: CRYPTOGRAPHY IS NEEDED FOR SECURE COMMUNICATIONS.
Substitution cipher - example
Key space: 29! = 8841761993739701954543616000000 ≈ 2^103

  a b c d e f g h i j k l m n o
  U D M I P Y Æ K O X S N Å F A

  p q r s t u v w x y z æ ø å
  E R T Z B Ø C Q G W H L V J

Plaintext:  fermats siste teorem   (Norwegian: "Fermat's last theorem")
Ciphertext: YPTÅUBZZOZBPBPATPÅ
What is the size of the key space?

Letter frequencies → statistical attacks
• Encryption must hide statistical patterns in the data
• Achieved with a series of primitive functions

Letter frequencies in English (figure)

Lessons learned
• A cipher with a small key space can easily be attacked by exhaustive search
• A large key space is necessary for a secure cipher, but it is by itself not sufficient
• Monoalphabetic substitution ciphers can easily be broken (the letter frequencies of the plaintext survive into the ciphertext)
Vigenère (1523-1596)

Vigenère table (tabula recta): row number i holds the alphabet shifted by i positions.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

Key:        kryptokry
Plaintext:  OLAOGKARI
Ciphertext: ycydzykig
(The key letters k, r, y, p, t, o, … select the row of the table used for the successive plaintext letters.)
Polyalphabetic, but completely insecure.
Enigma
• German WW II crypto machine
• Many different variants
• Analysed by Polish and English mathematicians

Operating principles (figure)
1 - Battery
2 - Keyboard
3 - Stecker board (plugboard)
4 - Entry ring
5 - Rotors (L M R)
6 - Reflector
7 - Conductor
8 - Connector
9 - Lamp

Enigma key list (figure)

Enigma encryption example
Message: "Ich bin sicher, daß unser Führer eine lose Schraube hat"   (German: "I am sure that our Führer has a screw loose")

Enigma Simulator For Windows. ©1995-1999 Geoff Sullivan. Norway build 002, Thu Mar 06 15:46:40 2008
Rotor Order:   B V I III
Ringstellung:  T E K [20 05 11]
Steckers:      (none listed)
Message Key:   A A A [01 01 01]
Plaintext:  ICHBI NSICH ERDAS SUNSE RFUHR EREIN ELOSE SCHRA UBEHA T
Ciphertext: OVKWR IZXJE OXFNR YPBJZ DBVCG SWLFR TGHPF KEOQL KKRLQ I

Practical complexity for attacking Enigma
Cryptanalytical assumptions during WW II:
• 3 out of 5 rotors with known wiring
• 10 stecker couplings
• Known reflector
N = 150738274937250 · 60 · 17576 · 676 = 107458687327250619360000 (77 bits)

Attacking ENIGMA
Position:    1 2 3 4 5 6 7
Ciphertext:  J T G E F P G
Crib:        R O M M E L F
(Figure: the menu graph built from the ciphertext/crib letter pairs above.)
Cryptanalysis: Attacking Cryptosystems
• Classical attacks
  • Mathematical analysis
  • Brute-force attack
• Implementation attack: try to extract the key through reverse engineering or power measurement, e.g., for a banking smart card.
• Social engineering: e.g., trick a user into giving up her password.

Brute-Force Attack (or Exhaustive Key Search)
• Treats the cipher as a black box
• Requires (at least) one plaintext-ciphertext pair (x0, y0)
• Check all possible keys K until the condition is fulfilled: d_K(y0) = x0
• How many keys do we need to try?

Kerckhoffs' principles
• The system should be, if not theoretically unbreakable, unbreakable in practice.
• The design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondents (Kerckhoffs' principle).
• The key should be rememberable without notes and should be easily changeable.
• The cryptograms should be transmittable by telegraph.
• The apparatus or documents should be portable and operable by a single person.
• The system should be easy, neither requiring knowledge of a long list of rules nor involving mental strain.

Attack models:
• Known ciphertext
• Known plaintext
• Chosen plaintext (adaptive)
• Chosen ciphertext (adaptive)

What are the goals of the attacker?
– Find the secret plaintext or part of the plaintext
– Find the encryption key
– Distinguish the encryptions of two different plaintexts
How clever is the attacker?

Do secure ciphers exist?
• What is a secure cipher?
  – Perfect security
  – Computational security
  – Provable security
A perfectly secure cryptosystem
(Figure: a binary random source produces key bits k_i; each plaintext bit p_i is XORed with k_i to give the ciphertext bit c_i.)
Vernam one-time pad (1918); Frank Miller (1882)
  c_i = p_i ⊕ k_i
  p_i = c_i ⊕ k_i = p_i ⊕ k_i ⊕ k_i = p_i
Note: a ⊕ b = a + b (mod 2)
Offers perfect security assuming the key is perfectly random, of the same length as the message, and only used once. Proved by Claude E. Shannon in 1949.

Claude Shannon (1916 – 2001), The Father of Information Theory – MIT / Bell Labs
• Information theory
  – Defined the "binary digit" (bit) as the unit of information
  – Definition of "entropy" as a measure of the amount of information
• Cryptography
  – Model of a secrecy system
  – Definition of perfect secrecy
  – Designed S-P networks, i.e. a series of substitution & permutation functions

ETCRRM
• Electronic Teleprinter Cryptographic Regenerative Repeater Mixer (ETCRRM)
• Invented by the Norwegian Army Signal Corps in 1950
• Bjørn Rørholt, Kåre Mesingseth
• Produced by STK
• Used for the "Hot-line" between Moscow and Washington
• About 2000 devices produced

White House Crypto Room, 1960s: producing key tape for the one-time pad (figure)

Venona
• US attack on encrypted Soviet Union traffic, made possible by re-use of one-time pads
• 1943-1980
• Ca. 3000 messages decrypted
• http://www.nsa.gov/about/_files/cryptologic_heritage/publications/coldwar/venona_story.pdf
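The one-time pad equations from the Vernam slide, and the failure Venona exploited, as an added worked example (editor-supplied code, not from the lecture). Encrypting two messages with the same pad lets anyone XOR the two ciphertexts: the pad cancels and what remains is p1 ⊕ p2, from which a guessed word in one message ("crib dragging") reads out the other message at that position. The two messages and the crib are constructed for the demo.

```python
"""Vernam one-time pad: c_i = p_i XOR k_i, and what goes wrong when a pad is reused."""
import secrets


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings (a XOR b = a + b mod 2, bit by bit)."""
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length):
    """A fresh, uniformly random pad from the OS CSPRNG. It must never be used twice."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, key):
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext, key):
    # p = c XOR k = (p XOR k) XOR k = p
    return xor_bytes(ciphertext, key)


def two_time_pad_leak(c1, c2):
    """Two ciphertexts under the same pad: c1 XOR c2 = p1 XOR p2. The key has cancelled out."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2, crib):
    """Slide a guessed plaintext fragment (crib) along p1 XOR p2. Where the guess is right,
    the XOR reveals what the *other* message says at that offset."""
    results = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[off:off + len(crib)]
        results.append((off, xor_bytes(window, crib)))
    return results


# Constructed sample messages of equal length, so one pad "fits" both.
MSG1 = b"ATTACK AT DAWN ON THE EASTERN BRIDGE"
MSG2 = b"RETREAT TO THE HARBOUR BEFORE NIGHT "


def demo_reuse(pad=None):
    """Encrypt both messages with the same pad and recover MSG2's opening from a crib in MSG1."""
    pad = otp_keygen(len(MSG1)) if pad is None else pad
    c1 = otp_encrypt(MSG1, pad)
    c2 = otp_encrypt(MSG2, pad)
    assert otp_decrypt(c1, pad) == MSG1                # the pad itself works as advertised
    leaked = two_time_pad_leak(c1, c2)                 # == MSG1 XOR MSG2, whatever the pad was
    hits = dict(crib_drag(leaked, b"ATTACK"))          # analyst guesses a word from one message
    return leaked, hits[0]                             # at offset 0 this reads MSG2[0:6]


if __name__ == "__main__":
    leaked, other = demo_reuse()
    print(leaked.hex(), other)
```

With a fresh pad per message the ciphertexts are independent of each other and of the plaintexts; the moment a pad is reused, the second ciphertext is a known-plaintext oracle on the first. This is also why stream ciphers, which emulate a pad from a short key, must never reuse a key/IV pair.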
Symmetric encryption
Is it possible to design secure and practical crypto?

Stream cipher vs. block cipher
(Figure. Block cipher: plaintext blocks of n bits are transformed under the key into ciphertext blocks of n bits. Stream cipher: a keystream generator expands the key into a keystream, which is XORed with the plaintext stream to give the ciphertext stream.)

Symmetric stream cipher
(Figure: on both the sender's and the receiver's side, the key and the MI (message indicator) feed a pseudorandom generator; the resulting keystream is XORed with the plaintext to produce the ciphertext, and XORed with the ciphertext again to recover the plaintext.)
LFSR
Using n flip-flops we may generate a binary sequence of period 2^n − 1.
(Figure: a linear feedback shift register with n stages holding s_{i−1}, …, s_{i−n}, feedback coefficients c_1, …, c_n and a mod-2 sum feeding the new bit s_i; the last stage is the output.)
Note: the stream cipher is stateful.

LFSR - properties
• Easy to implement in HW, offers fast clocking
• The output sequence is completely determined by the initial state and the feedback coefficients
• Using the "correct" feedback, a register of length n may generate a sequence with period 2^n − 1
• The sequence will have good statistical properties
• Knowing 2n consecutive bits of the keystream will reveal the initial state and the feedback
• The linearity means that a single LFSR is completely useless as a stream cipher, but LFSRs may be a useful building block for the design of a strong stream cipher
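An LFSR with the recurrence from the figure, plus the attack the last two bullets allude to, as an added worked example (editor-supplied code, not from the lecture). The Berlekamp-Massey algorithm takes 2n consecutive output bits and returns the shortest register, its feedback coefficients and thereby its initial state, after which the attacker can generate the rest of the keystream himself. The 4-stage register with taps x^4 + x + 1 is a constructed example; that polynomial is primitive, so the period is the maximal 2^4 − 1 = 15.

```python
"""A linear feedback shift register and the Berlekamp-Massey attack on it."""


class LFSR:
    """s_i = c_1*s_{i-1} XOR c_2*s_{i-2} XOR ... XOR c_n*s_{i-n}, all arithmetic mod 2.
    taps[j-1] is the coefficient c_j; state holds the n most recent bits, oldest first."""

    def __init__(self, taps, state):
        if len(taps) != len(state):
            raise ValueError("need one feedback coefficient per register stage")
        self.taps = list(taps)
        self.state = list(state)

    def step(self):
        n = len(self.state)
        new_bit = 0
        for j in range(1, n + 1):
            new_bit ^= self.taps[j - 1] & self.state[n - j]   # c_j * s_{i-j}
        out = self.state.pop(0)        # the oldest bit leaves the register and is the output
        self.state.append(new_bit)
        return out

    def bits(self, count):
        return [self.step() for _ in range(count)]


def period(taps, state):
    """Clocks until the register is back in its initial state; at most 2^n - 1."""
    reg = LFSR(taps, state)
    for t in range(1, 2 ** len(state) + 1):
        reg.step()
        if reg.state == list(state):
            return t
    return None


def berlekamp_massey(s):
    """Shortest LFSR (length L, coefficients c_1..c_L) generating the bit sequence s.
    Given 2n bits from a length-n register it recovers the feedback exactly."""
    n = len(s)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            for j in range(n - i + m):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[1:L + 1]


def attack(observed):
    """From observed keystream bits recover (length, taps, initial state)."""
    L, taps = berlekamp_massey(observed)
    return L, taps, observed[:L]       # the first L output bits are the initial register contents


# Constructed example: n = 4 with s_i = s_{i-3} XOR s_{i-4}, i.e. x^4 + x + 1 (primitive).
TAPS = [0, 0, 1, 1]
SEED = [1, 0, 0, 0]


def demo():
    stream = LFSR(TAPS, SEED).bits(30)
    L, taps, state = attack(stream[:8])            # 2n = 8 observed bits suffice
    predicted = LFSR(taps, state).bits(30)         # attacker regenerates the whole keystream
    return period(TAPS, SEED), L, taps, predicted == stream


if __name__ == "__main__":
    print(demo())
```

Berlekamp-Massey is the reason the "linear complexity" of a keystream is a standard design target: any sequence of linear complexity L is fully determined by 2L bits, so a practical stream cipher combines LFSRs through nonlinear functions, irregular clocking or both, so that the overall linear complexity is astronomically large.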
Symmetric block cipher
• The algorithm represents a family of permutations of the message space
• Normally designed by iterating a less secure round function
• May be applied in different operational modes
• Must be computationally infeasible to derive K based on knowledge of P and C
(Figure: plaintext block P_i and key K enter the crypto algorithm, which outputs ciphertext block C_i.)

Block cipher and random permutations
• Given block size m = 64 and key length l = 56 bits
• Number of different DES permutations is 2^56 = 72057594037927936
• Number of possible permutations of 2^64 elements is 2^64! = ?? (a number with more than 10^20 decimal digits)
(Figure: the DES permutations as a vanishingly small subset of all permutations.)

Iterated block cipher design
Algorithm:
  w_0 ← x
  w_1 ← g(w_0, K_1)
  w_2 ← g(w_1, K_2)
  …
  w_{Nr−1} ← g(w_{Nr−2}, K_{Nr−1})
  w_{Nr} ← g(w_{Nr−1}, K_{Nr})
  y ← w_{Nr}
NB! For a fixed K, g must be injective in order to decrypt y.
(Figure: x → g(·, K_1) → w_1 → g(·, K_2) → … → g(·, K_{Nr}) → w_{Nr} = y, with the round keys K_1, …, K_{Nr} derived from K.)

Substitution-Permutation network (SPN)
Round function g: the state w_{i−1} passes through the S-boxes S1 … S5 (substitution, giving confusion), then a permutation (giving diffusion), then the key mix ⊕ K_i, which yields the new state w_i.
Data Encryption Standard
• Published in 1977 by the US National Bureau of Standards for use in unclassified government applications, with a 15 year life time.
• 16-round Feistel cipher with 64-bit data blocks and 56-bit keys.
• 56-bit keys were controversial in 1977; today, exhaustive search on 56-bit keys is very feasible.
• Controversial because of classified design criteria; however, no loophole was ever found.

DES architecture
DES(P):
  (L_0, R_0) = IP(P)
  FOR i = 1 TO 16:
    L_i = R_{i−1}
    R_i = L_{i−1} ⊕ f(R_{i−1}, K_i)
  C = IP^{−1}(R_16, L_16)
64-bit data block, 56-bit key (2^56 = 72.057.594.037.927.936 keys)
(Figure: P (64 bits) → IP → (L_0, R_0) → 16 rounds of f with round keys K_1 … K_16 → (R_16, L_16) → IP^{−1} → C (64 bits).)

EFF DES-cracker
• Dedicated ASIC with 24 DES search engines
• 27 PCBs housing 1800 circuits
• Can test 92 billion keys per second
• Cost 250 000 $
• DES key found July 1998 after 56 hours of search
• Combined effort of the DES Cracker and 100,000 PCs could test 245 billion keys per second and found the key after 22 hours
Copacobana
COPACOBANA, the Cost-Optimized Parallel COde Breaker, is an FPGA-based machine which is optimized for running cryptanalytical algorithms. COPACOBANA is suitable for parallel computation problems which have low communication requirements. DES cracking is such a parallelizable problem: an exhaustive key search of the Data Encryption Standard (DES) takes no longer than a week on average with COPACOBANA. Other ciphers can be attacked too, and COPACOBANA can also be used for parallel computing problems outside cryptography. (And yes, we know, Rio de Janeiro's famous beach is spelled slightly differently, Copacabana ;)

DES status
• DES is the "work horse" which over 30 years has inspired cryptographic research and development
• "Outdated by now"!
• Single DES cannot be considered a secure block cipher
• Use 3DES (ANSI X9.52) or DESX
(Figure. 3DES: C = E_{K3}(D_{K2}(E_{K1}(P))), encrypt-decrypt-encrypt with three keys. DESX: C = K2 ⊕ E_K(P ⊕ K1), single DES with a pre-whitening key K1 and a post-whitening key K2.)

Advanced Encryption Standard
• Public competition to replace DES, because 56-bit keys and 64-bit data blocks were no longer adequate.
• Rijndael nominated as the new Advanced Encryption Standard (AES) in 2001 [FIPS-197].
• Rijndael (pronounced "Rhine-doll"), designed by Vincent Rijmen and Joan Daemen.
• 128-bit block size (note the error in Harris p. 809)
• 128-bit, 192-bit, and 256-bit key sizes.
• Rijndael is not a Feistel cipher.
Rijndael, the selected AES cipher
Designed by Vincent Rijmen and Joan Daemen from Belgium.
Vincent Rijmen works at K.U.Leuven. Joan Daemen works at STMicroelectronics, Belgium.

Rijndael round function
(Figure: the 16-byte state a_0 … a_15, laid out as a 4×4 array, goes through the S-box (byte substitution), row shift, column mix and key mix (⊕ round key) to give the end state.)

Rijndael encryption
1. Key mix (round key K_0)
2. Nr − 1 rounds containing:
   a) Byte substitution
   b) Row shift
   c) Column mix
   d) Key mix (round key K_i)
3. Last round containing:
   a) Byte substitution
   b) Row shift
   c) Key mix (round key K_Nr)

  Key size   Rounds (Nr)
  128        10
  192        12
  256        14
Using encryption for real
• With a block cipher, encrypting an n-bit block M with a key k gives a ciphertext block C = E(M, k).
• Given a well designed block cipher, observing C would tell an adversary nothing about M or k.
• What happens if the adversary observes traffic over a longer period of time?
  – The adversary can detect if the same message has been sent before; if there are only two likely messages, "buy" and "sell", it may be possible to guess the plaintext without breaking the cipher.

Block Ciphers: Modes of Operation
• Block ciphers can be used in different modes in order to provide different security services.
• Common modes include:
  – Electronic Code Book (ECB)
  – Cipher Block Chaining (CBC)
  – Output Feedback (OFB)
  – Cipher Feedback (CFB)
  – Counter Mode (CTR)
  – Galois Counter Mode (GCM) {authenticated encryption}

Electronic Code Book
• ECB mode encryption
  – Simplest mode of operation
  – Plaintext data is divided into blocks M1, M2, …, Mn
  – Each block is then processed separately
    • Plaintext block and key are used as inputs to the encryption algorithm
(Figure, ECB mode: C_i = Encrypt_K(M_i) and M_i = Decrypt_K(C_i) for each block independently.)

• ECB mode issues
  – Problem: for a given key, the same plaintext block always encrypts to the same ciphertext block.
    • This may allow an attacker to construct a code book of known plaintext/ciphertext blocks.
    • The attacker could use this codebook to insert, delete, reorder or replay data blocks within the data stream without detection.
  – Other modes of operation can prevent this by not encrypting blocks independently
    • For example, using the output of one block encryption as input to the next (chaining)
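The Feistel structure from the DES architecture slide and the ECB-versus-chaining point from this slide, as one added worked example (editor-supplied code, not from the lecture). The block cipher is a 4-round Feistel network whose round function is a keyed hash; it is a stand-in for DES or AES so the example runs with the standard library only, and the mode logic (ECB, CBC, PKCS#7 padding) is exactly what a real implementation does. The two order records, the message, the key and the fixed IV in the test are constructed for the demo.

```python
"""A Feistel block cipher built from a keyed hash, used to show what ECB leaks and CBC does not.
The cipher stands in for AES or DES: the mode logic below does not depend on the primitive."""
import hashlib
import hmac
import os

BLOCK = 16      # 16-byte blocks like AES; the Feistel network works on two 8-byte halves


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key, i, right):
    """f(R_{i-1}, K_i): a PRF of the round number and the right half, 8 bytes of output.
    The round key K_i is implicit in (key, i); a real cipher has a key schedule here."""
    return hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]


def block_encrypt(key, block, rounds=4):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)  -- the structure on the DES slide."""
    L, R = block[:8], block[8:]
    for i in range(rounds):
        L, R = R, xor(L, round_function(key, i, R))
    return R + L          # final swap, so decryption is the same network with the keys reversed


def block_decrypt(key, block, rounds=4):
    L, R = block[8:], block[:8]
    for i in reversed(range(rounds)):
        L, R = xor(R, round_function(key, i, L)), L
    return L + R


def pad(data):
    """PKCS#7: append n bytes of value n, 1 <= n <= BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """Each block encrypted on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in blocks(pad(data)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(ct)))


def cbc_encrypt(key, data, iv):
    """C_i = E_K(M_i XOR C_{i-1}), C_0 = IV: the previous ciphertext block chains into the next."""
    out, prev = [], iv
    for b in blocks(pad(data)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, ct):
    iv, body = ct[:BLOCK], ct[BLOCK:]
    out, prev = [], iv
    for b in blocks(body):
        out.append(xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier one: > 0 is the ECB fingerprint."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


# Constructed sample: two 16-byte order records, each sent twice.
RECORDS = [b"BUY  ACME 000100", b"SELL ACME 000100"]
MESSAGE = RECORDS[0] + RECORDS[1] + RECORDS[0] + RECORDS[1]


def demo(key=b"constructed demo key", iv=None):
    iv = os.urandom(BLOCK) if iv is None else iv
    ecb, cbc = ecb_encrypt(key, MESSAGE), cbc_encrypt(key, MESSAGE, iv)
    # Codebook attack: swap the first two ECB blocks. No key is needed and decryption
    # succeeds without complaint, so the receiver now processes SELL before BUY.
    tampered = ecb[BLOCK:2 * BLOCK] + ecb[:BLOCK] + ecb[2 * BLOCK:]
    return {
        "ecb_repeats": repeated_blocks(ecb),
        "cbc_repeats": repeated_blocks(cbc),
        "roundtrip": ecb_decrypt(key, ecb) == MESSAGE and cbc_decrypt(key, cbc) == MESSAGE,
        "reordered": ecb_decrypt(key, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Two things to notice. The repeated-block count on the ECB ciphertext is visible to anyone on the wire, which is the "buy"/"sell" problem of the previous slide. And CBC hides the repetition but still accepts the reordered or truncated ciphertext: detecting tampering is the job of a MAC or an authenticated mode such as GCM, not of a confidentiality mode.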
Use a secure mode!
(Figure: the same image shown as plaintext, as ciphertext using ECB mode, and as ciphertext using a secure mode.)

Cipher Block Chaining Mode
(Figure: M1, M2, …, MN are chained; each plaintext block is XORed with the previous ciphertext block before encryption, giving C1, C2, …, CN.)

CTR Counter Mode (figure)

Block cipher: Applications
• Block ciphers are often used for providing confidentiality services
• They are used for applications involving processing large volumes of data, where time delays are not critical.
  – Examples:
    • Computer files
    • Databases
    • Email messages
• Block ciphers can also be used to provide integrity services, i.e. for message authentication
Integrity Check Functions

Hash functions
(Figure: a hash function maps a message to a hash value.)

Applications of hash functions
• Protection of passwords
• Comparing files
• Authentication of SW distributions
• Bitcoin
• Generation of Message Authentication Codes (MAC)
• Digital signatures
• Pseudo-random number generation / mask generation functions
• Key derivation

Hash functions (message digest functions)
Requirements for a one-way hash function h:
1. Ease of computation: given x, it is easy to compute h(x).
2. Compression: h maps inputs x of arbitrary bit length to outputs h(x) of a fixed bit length n.
3. One-way: given a value y, it is computationally infeasible to find an input x so that h(x) = y.
4. Collision resistance: it is computationally infeasible to find x and x', where x ≠ x', with h(x) = h(x') (note: two variants of this property).
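Requirements 3 and 4 are statements about work factor, and the numbers behind them can be seen directly by shrinking the output: as an added worked example (editor-supplied code, not from the lecture), SHA-256 is truncated to n bits, a birthday search finds a collision in about 2^(n/2) evaluations, while inverting the same function costs about 2^n. The truncation is the toy here, not a weakness of SHA-256; the input strings are constructed for the demo.

```python
"""Why digest length matters: a collision on an n-bit hash costs about 2^(n/2) work and a
pre-image about 2^n. Shown on SHA-256 truncated to n bits (a toy hash, not a flaw in SHA-256)."""
import hashlib


def truncated_hash(data, n_bits):
    """h(x): the first n_bits of SHA-256(x) as an integer. Keeps properties 1-2 of the slide,
    but the small output space lets brute force defeat properties 3-4."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits, prefix=b"msg-"):
    """Birthday attack: hash distinct inputs until two share a digest.
    Expected work ~1.25 * 2^(n_bits/2) calls; returns (x, x', h, calls)."""
    seen = {}
    calls = 0
    i = 0
    while True:
        x = prefix + str(i).encode()
        h = truncated_hash(x, n_bits)
        calls += 1
        if h in seen:
            return seen[h], x, h, calls
        seen[h] = x
        i += 1


def find_preimage(target, n_bits, prefix=b"msg-", limit=None):
    """Brute-force inversion of h: ~2^n_bits calls expected, the square of the collision cost."""
    i = 0
    while limit is None or i < limit:
        x = prefix + str(i).encode()
        if truncated_hash(x, n_bits) == target:
            return x, i + 1
        i += 1
    return None, i


def demo(n_bits=32):
    """Find a collision on an n_bits-bit hash and report the work against the 2^(n/2) bound."""
    x1, x2, h, calls = find_collision(n_bits)
    return {
        "x1": x1, "x2": x2, "hash": h,
        "same_hash": truncated_hash(x1, n_bits) == truncated_hash(x2, n_bits),
        "distinct": x1 != x2,
        "calls": calls,
        "birthday_bound": 2 ** (n_bits // 2),
    }


if __name__ == "__main__":
    print(demo(32))
```

Scaling the arithmetic up is the whole design rule for digest sizes: a 128-bit digest (MD5) offers at most 2^64 collision work even if the function were flawless, which is why 256-bit digests are the floor for new designs, and why a hash used only for pre-image resistance (password storage, commitments) can tolerate a shorter output than one used for signatures, where collisions are the threat.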
Properties of hash functions
(Figure, the three properties drawn as diagrams.)
• Ease of computation: x → h(x)
• Pre-image resistance: given h(x), find an input ? with h(?) = h(x)
• Weak collision resistance (2nd pre-image resistance): given x and h(x), find x' ≠ x with h(x') = h(x)
• Strong collision resistance: find any pair ?, ?' with h(?) = h(?')

Frequently used hash functions
• MD5: 128-bit digest. Broken. Often used in Internet protocols but no longer recommended.
• SHA-1 (Secure Hash Algorithm): 160-bit digest. Potential attacks exist. Designed to operate with the US Digital Signature Standard (DSA).
• SHA-256, SHA-384, SHA-512: 256-, 384- and 512-bit digests. Still secure. Replacement for SHA-1.
• RIPEMD-160: 160-bit digest. Still secure. Hash function frequently used by European cryptographic service providers.
• NIST competition for a new secure hash algorithm; announcement of the winner expected in 2012.

And the winner is?
• NIST announced Keccak as the winner of the SHA-3 Cryptographic Hash Algorithm Competition on October 2, 2012, which ended the five-year competition.
• Keccak was designed by a team of cryptographers from Belgium and Italy; they are:
  – Guido Bertoni (Italy) of STMicroelectronics,
  – Joan Daemen (Belgium) of STMicroelectronics,
  – Michaël Peeters (Belgium) of NXP Semiconductors, and
  – Gilles Van Assche (Belgium) of STMicroelectronics.

Keccak and sponge functions (figure)
MAC and MAC algorithms
• MAC means two things:
  1. The computed message authentication code h(M, k)
  2. The general name for algorithms used to compute a MAC
• In practice, the MAC algorithm is e.g.
  – HMAC (Hash-based MAC algorithm)
  – CBC-MAC (CBC-based MAC algorithm)
  – CMAC (Cipher-based MAC algorithm)
• MAC algorithms, a.k.a. keyed hash functions, support data origin authentication services.

Practical message integrity with MAC
(Figure: Alice computes the MAC h(M, K) with the shared secret key K and sends it together with the message M. Bob receives M' and the MAC, computes h(M', K) with the same shared secret key and verifies that h(M, K) = h(M', K).)

HMAC
• Define: ipad = 3636…36 (512 bits), opad = 5C5C…5C (512 bits)
• HMAC_K(x) = SHA-1((K ⊕ opad) || SHA-1((K ⊕ ipad) || x))
(Figure: K ⊕ ipad is prepended to x and hashed with SHA-1; K ⊕ opad is prepended to that digest and the result is hashed again with SHA-1.)

CBC-MAC
• CBC-MAC(x, K)
  • set x = x_1 || x_2 || … || x_n
  • IV ← 00…0
  • y_0 ← IV
  • for i ← 1 to n
    • do y_i ← e_K(y_{i−1} ⊕ x_i)
  • return (y_n)
(Figure: x_1, x_2, …, x_n chained through e_K; the last output y_n is the MAC.)
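The HMAC definition and the CBC-MAC pseudocode from the two slides above, as an added worked example (editor-supplied code, not from the lecture). The HMAC is written out exactly as the formula says and checked against Python's hmac module; the verification step is Bob's comparison from the MAC figure, done in constant time. For CBC-MAC the block cipher e_K is stood in by a keyed hash truncated to one block, since CBC-MAC only ever encrypts (in practice AES would be used), and the example ends with the forgery that shows why CBC-MAC is safe only for messages of one fixed length, which is the defect CMAC was designed to remove. Keys and messages are constructed for the demo.

```python
"""HMAC exactly as on the slide, checked against Python's hmac module; CBC-MAC as on the slide,
and the forgery that shows why CBC-MAC is only safe for fixed-length messages."""
import hashlib
import hmac

SHA1_BLOCK = 64     # SHA-1 block size in bytes = 512 bits, the length of ipad and opad


def hmac_sha1(key, x):
    """HMAC_K(x) = SHA-1((K XOR opad) || SHA-1((K XOR ipad) || x))."""
    if len(key) > SHA1_BLOCK:
        key = hashlib.sha1(key).digest()          # RFC 2104: longer keys are hashed first
    key = key.ljust(SHA1_BLOCK, b"\x00")          # and shorter keys are zero-padded to 512 bits
    ipad = bytes([0x36]) * SHA1_BLOCK
    opad = bytes([0x5C]) * SHA1_BLOCK
    k_ipad = bytes(a ^ b for a, b in zip(key, ipad))
    k_opad = bytes(a ^ b for a, b in zip(key, opad))
    inner = hashlib.sha1(k_ipad + x).digest()
    return hashlib.sha1(k_opad + inner).digest()


def verify(key, message, tag):
    """Bob's check h(M', K) = received MAC, compared in constant time (no timing side channel)."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


# --- CBC-MAC -------------------------------------------------------------------------------
BLOCK = 16


def e_K(key, block):
    """Stand-in for the block cipher e_K: a PRF (HMAC-SHA256 truncated to one block).
    CBC-MAC never decrypts, so no inverse is needed; AES would be used in practice."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key, x):
    """y_0 = IV = 0...0;  y_i = e_K(y_{i-1} XOR x_i);  MAC = y_n.  x must be whole blocks."""
    if len(x) % BLOCK:
        raise ValueError("CBC-MAC input must be a multiple of the block size")
    y = bytes(BLOCK)
    for i in range(0, len(x), BLOCK):
        y = e_K(key, xor(y, x[i:i + BLOCK]))
    return y


def cbc_mac_forgery(key, x1, x2):
    """The attacker has seen t1 = MAC(x1) and t2 = MAC(x2) for two one-block messages.
    Then MAC(x1 || (x2 XOR t1)) = e_K(t1 XOR x2 XOR t1) = e_K(x2) = t2, so t2 is a valid
    tag for a two-block message that the key holder never authenticated. The key is not used
    to build the forgery; it is only used here to obtain the two legitimate tags."""
    t1, t2 = cbc_mac(key, x1), cbc_mac(key, x2)
    forged_message = x1 + xor(x2, t1)
    return forged_message, t2


if __name__ == "__main__":
    k = b"constructed shared secret"
    tag = hmac_sha1(k, b"transfer 100 to account 42")
    print(tag.hex(), verify(k, b"transfer 100 to account 42", tag))
    m, t = cbc_mac_forgery(b"constructed cbc key", b"A" * 16, b"B" * 16)
    print(cbc_mac(b"constructed cbc key", m) == t)
```

The nested construction matters: a plain SHA-1(K || x) would let an attacker extend x without the key (length extension), which is what the outer hash prevents. For the block-cipher side, the forgery above is why a MAC for variable-length data needs either a length prefix, a distinct last-block key (CMAC), or a different mode altogether.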
Hash functions and message authentication
• A shared secret key is used with a MAC
• When used during message transmission, this provides message authentication:
  – A correct MAC value confirms that the sender of the message is in possession of the shared secret key
  – Hence, much like a password, it confirms the authenticity of the message sender to the receiver.
• Indeed, message integrity is meaningless without knowing who sent the message.

Public-Key Cryptography
Symmetric cryptosystem
(Figure: Alice's encryptor and Bob's decryptor use the same key from a key source, delivered over a secure channel; Oscar observes the insecure channel.)

Symmetric key distribution
• Shared key between each pair
• In a network of n users, each participant needs n − 1 keys.
• Total number of exchanged keys: (n − 1) + (n − 2) + … + 2 + 1 = n(n − 1)/2
• Grows quadratically, which is problematic.
• Is there a better way?
(Figure: network of 5 nodes, i.e. 10 pairwise keys.)

Asymmetric cryptosystem
(Figure: Bob's key source produces the key pair; the public encryption key e_k reaches Alice's encryptor over an authentic channel, the private decryption key d_k stays with Bob's decryptor; Oscar observes the channel.)

Public key inventors?
• Marty Hellman and Whit Diffie, Stanford 1976
• R. Rivest, A. Shamir and L. Adleman, MIT 1978
• James Ellis, CESG 1970
• C. Cocks, M. Williamson, CESG 1973-1974

Asymmetric crypto
Public key cryptography was born in May 1975, the child of two problems and a misunderstanding!
• Key distribution!
• Digital signing!
• Trap-door one-way functions
One-way functions
Modular power function: given n = pq, where p and q are prime numbers. There are no efficient algorithms to find p and q. Choose a positive integer b and define f: Z_n → Z_n, f(x) = x^b mod n.
Modular exponentiation: given a prime p, a generator g and a modular power a = g^x (mod p). There are no efficient algorithms to find x. f: Z_p → Z_p, f(x) = g^x mod p.

Public Key Encryption
• Proposed in the open literature by Diffie & Hellman in 1976.
• Each party has a public encryption key and a private decryption key.
• Reduces the total number of exchanged keys to n.
• Computing the private key from the public key should be computationally infeasible.
• The public key need not be kept secret, but it is not necessarily known to everyone.
• There can be applications where even access to public keys is restricted.

Ralph Merkle, Martin Hellman and Whitfield Diffie
• Merkle invented (1974) and published (1978) Merkle's puzzles, a key exchange protocol which was impractical
• Diffie & Hellman invented (influenced by Merkle) a practical key exchange algorithm using discrete exponentiation.
• D&H defined public-key encryption (equivalent to non-secret encryption)
• Defined the digital signature
• Published 1976 in "New directions in cryptography"

Merkle, Hellman and Diffie (photo)
Diffie-Hellman key agreement (key exchange) (provides no authentication)
(Figure.)
  Alice picks a random integer a and sends g^a mod p.
  Bob picks a random integer b and sends g^b mod p.
  Alice computes the shared secret (g^b)^a = g^ab mod p.
  Bob computes the same secret (g^a)^b = g^ab mod p.
It is computationally infeasible for an eavesdropper to compute the discrete logarithm, i.e. a from g^a or b from g^b.

Example
• Z11 using g = 2:
  – 2^1 = 2 (mod 11)     2^6 = 9 (mod 11)
  – 2^2 = 4 (mod 11)     2^7 = 7 (mod 11)
  – 2^3 = 8 (mod 11)     2^8 = 3 (mod 11)
  – 2^4 = 5 (mod 11)     2^9 = 6 (mod 11)
  – 2^5 = 10 (mod 11)    2^10 = 1 (mod 11)
• log_2 5 = 4
• log_2 7 = 7
• log_2 1 = 10 (≡ 0 mod 10)
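The exchange, the discrete-logarithm table for Z11 with g = 2, and the "provides no authentication" caveat, as an added worked example (editor-supplied code, not from the lecture). Besides the brute-force logarithm that fills in the slide's table, it implements baby-step giant-step, which solves the discrete logarithm in about √p steps instead of p; that is the generic attack any choice of p must withstand, and the reason p is chosen with thousands of bits. The 7-digit prime 1000003 used in the test is a constructed example small enough to run in milliseconds.

```python
"""Diffie-Hellman over Z_p: the exchange, the discrete logarithm it rests on, and the
man-in-the-middle that is possible because the exchange itself authenticates nobody."""
import math
import secrets


def dh_keypair(p, g):
    """Private exponent x, public value g^x mod p (Alice's a and g^a, Bob's b and g^b)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(their_public, my_private, p):
    """(g^b)^a = g^ab = (g^a)^b (mod p)."""
    return pow(their_public, my_private, p)


def dlog_bruteforce(g, a, p):
    """Smallest x with g^x = a (mod p) by walking x = 0, 1, 2, ...: O(p) multiplications."""
    value = 1
    for x in range(p):
        if value == a % p:
            return x
        value = value * g % p
    return None


def dlog_bsgs(g, a, p):
    """Baby-step giant-step: O(sqrt(p)) time and memory. Write x = i*m + j, m = ceil(sqrt(p)).
    Baby steps tabulate g^j for j < m; giant steps compute a * g^(-i*m) until it hits the table."""
    m = math.isqrt(p - 1) + 1
    baby = {}
    value = 1
    for j in range(m):
        baby.setdefault(value, j)
        value = value * g % p
    giant_factor = pow(g, (p - 1 - m) % (p - 1), p)   # g^(-m) mod p by Fermat, p prime
    y = a % p
    for i in range(m + 1):
        if y in baby:
            return i * m + baby[y]
        y = y * giant_factor % p
    return None


def exchange(p, g):
    """One honest run: both sides end up with the same secret."""
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    return dh_shared(B, a, p) == dh_shared(A, b, p)


def man_in_the_middle(p, g):
    """Oscar replaces g^a and g^b in transit with his own value O = g^o. Alice and Bob each
    compute a secret shared with Oscar, who can decrypt, read and re-encrypt all traffic."""
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    o, O = dh_keypair(p, g)
    k_alice = dh_shared(O, a, p)        # Alice believes O came from Bob
    k_bob = dh_shared(O, b, p)          # Bob believes O came from Alice
    return k_alice == dh_shared(A, o, p) and k_bob == dh_shared(B, o, p)


if __name__ == "__main__":
    print([pow(2, k, 11) for k in range(1, 11)])          # the table on the slide
    print(dlog_bruteforce(2, 5, 11), dlog_bsgs(2, 7, 11))  # 4 and 7
    print(exchange(1000003, 2), man_in_the_middle(1000003, 2))
```

The square-root attack is why a 2048-bit p, not a 2048-bit exponent, is the headline parameter, and the man-in-the-middle function is the whole argument for binding the exchanged values to identities (certificates, signed DH values, or a pre-shared key) before trusting the resulting secret, which is what IKE and TLS add on top of the bare exchange.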
Exa
mpl
e (2
)p
= 30
1966
2633
4536
6522
6674
6444
1118
5277
1272
0472
1722
0445
4398
0521
8819
8428
0643
9806
9801
6315
3421
2777
7985
323
7655
7869
1594
7633
9074
5786
2442
4721
4461
6346
7145
9842
3225
8260
7797
6000
9055
4994
6633
5561
6968
8641
7869
5339
600
4062
3713
9959
9729
5449
7740
0404
5416
7331
3622
5768
2517
1747
5634
6384
0240
9117
9117
2271
5606
9618
7007
6297
223
4159
1375
2658
3857
9703
6214
2317
2371
4806
8590
9595
2889
1803
8021
1902
8293
8283
6838
6437
2233
0258
2405
9867
6263
586
9477
2029
5337
6952
8178
6665
6787
9514
9819
9927
2674
6898
8598
6300
0921
2473
0492
5995
4102
1908
2086
7272
7813
714
8522
5720
1484
4749
0835
2209
0193
1907
4690
7275
6065
2162
4184
1443
5225
6368
9274
9339
8678
0895
5031
0568
7892
8755
875
5227
0014
1844
8833
5635
1776
8339
6400
3g
= 17
2148
4410
2945
4272
0413
6512
1778
8953
8496
3798
8183
4679
8765
9847
4115
7149
6616
1705
0730
2662
8129
2988
3501
017
4348
2503
0800
6877
8341
0370
2727
2697
2149
9966
7683
2329
0540
2169
9277
0986
7285
3850
8742
3829
4159
5672
2486
2481
799
4917
9397
4944
7675
0553
7478
6840
9726
5404
4030
5778
4600
0645
0549
5042
4877
6668
6098
6820
1521
0988
7355
2043
631
7965
3945
0984
9072
4068
9054
1468
1792
6365
1065
2507
9461
0243
4852
1662
7272
1706
6350
1147
4226
2899
4581
7893
3908
279
9157
8201
4086
4919
6984
7648
6330
2981
0524
7140
9215
8468
7117
6739
1090
4986
6118
6091
1795
4454
5125
7320
9668
379
5760
4205
6062
0966
2832
5900
2319
1009
0325
3019
1133
3152
1813
9480
3908
6102
1493
7044
6134
1174
0650
8009
8933
4729
586
0512
4234
7771
0566
9101
0439
0324
2905
8Fi
nn a
når
ga(m
od p
) =
Solution
a = [value; digits omitted]
It is easy to compute g^a (mod p) {0.016 s}, but it is computationally infeasible to compute the exponent a from g^a.
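As an added example (not from the lecture slides), the one-way property described above on the slides' toy group p = 11, g = 2: exponentiation is one call, recovering the exponent is a search over the group. The brute-force search and the exchange function are written for this example; the random exponents come from Python's standard `secrets` module.

```python
# Added example, not from the lecture slides: the one-way property behind
# Diffie-Hellman, on the slides' toy group p = 11 with generator g = 2.
# Computing g^a (mod p) is a single pow() call; recovering a means searching
# the group, which is what becomes infeasible for a prime of hundreds of digits.
import secrets

def discrete_log(g, h, p):
    """Brute force: the smallest a >= 0 with g^a = h (mod p), or None."""
    value = 1
    for a in range(p - 1):
        if value == h:
            return a
        value = value * g % p
    return None

def dh_exchange(p, g, a=None, b=None):
    """One Diffie-Hellman run.  Alice and Bob each pick a private exponent
    (random from secrets unless given), exchange g^a and g^b, and both derive
    the same shared secret g^(ab).  Returns (Alice's secret, Bob's secret)."""
    a = secrets.randbelow(p - 2) + 1 if a is None else a   # 1 <= a <= p-2
    b = secrets.randbelow(p - 2) + 1 if b is None else b
    A = pow(g, a, p)       # sent to Bob; an observer learns p, g and A
    B = pow(g, b, p)       # sent to Alice; an observer learns B
    return pow(B, a, p), pow(A, b, p)
```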
Diffie-Hellman Applications
• IPSec (IP Security)
  – IKE (Internet Key Exchange) is part of the IPSec protocol suite
  – IKE is based on Diffie-Hellman Key Agreement
• SSL/TLS
  – Several variations of the SSL/TLS protocol, including
    • Fixed Diffie-Hellman
    • Ephemeral Diffie-Hellman
    • Anonymous Diffie-Hellman
Ron Rivest, Adi Shamir and Len Adleman
• Read about public-key cryptography in the 1976 article by Diffie & Hellman: "New directions in cryptography"
• Intrigued, they worked on finding a practical algorithm
• Spent several months in 1976 to re-invent the method for non-secret/public-key encryption discovered by Clifford Cocks 3 years earlier
• Named the RSA algorithm
RSA parameters (textbook version)
• Bob generates two large prime numbers p and q and computes n = p·q.
• He then computes a public encryption exponent e such that gcd(e, (p-1)(q-1)) = 1 and computes the corresponding decryption exponent d by solving:
  d·e ≡ 1 (mod (p-1)(q-1))
• Bob's public key is the pair PB = (e, n) and the corresponding private and secret key is SB = (d, n).
Encryption: C = M^e (mod n)
Decryption: M = C^d (mod n)
RSA toy example
• Set p = 157, q = 223. Then n = p·q = 157·223 = 35011 and (p-1)(q-1) = 156·222 = 34632
• Set encryption exponent: e = 14213 {gcd(34632, 14213) = 1}
• Public key: (14213, 35011)
• Compute: d = e^-1 = 14213^-1 (mod 34632) = 31613
• Private key: (31613, 35011)
• Encryption:
  • Plaintext M = 19726, then C = 19726^14213 (mod 35011) = 32986
• Decryption:
  • Ciphertext C = 32986, then M = 32986^31613 (mod 35011) = 19726
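As an added example (not from the lecture slides), the textbook RSA parameter generation of the previous slide and this toy example carried through in code; the function names are chosen for this example, the numbers are the slides' own.

```python
# Added example, not from the lecture slides: textbook RSA carried through with
# the slide's toy parameters p = 157, q = 223, e = 14213, M = 19726.  Toy sizes
# only: there is no padding and a 16-bit n is factored instantly, so this
# illustrates the arithmetic of the two slides above, not a usable cipher.
from math import gcd

def keygen(p, q, e):
    """Return the public key (e, n) and the private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # solves d*e = 1 (mod (p-1)(q-1))
    return (e, n), (d, n)

def encrypt(m, pub):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer below n")
    return pow(m, e, n)        # C = M^e (mod n), square-and-multiply

def decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)        # M = C^d (mod n)

def toy_example():
    """The slide's numbers: returns (public key, private key, C, recovered M)."""
    pub, priv = keygen(157, 223, 14213)
    c = encrypt(19726, pub)
    return pub, priv, c, decrypt(c, priv)

if __name__ == "__main__":
    pub, priv, c, m = toy_example()
    print("public key", pub, "private key", priv, "C =", c, "M =", m)
```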
Factoring record – December 2009
• Find the product of
• p = [large prime; digits omitted]
• and
• q = [large prime; digits omitted]?
4604
3666
7995
9042
8244
6337
9962
7952
6322
7915
8164
3430
8764
26•
7603
2283
8157
3966
6511
2792
3337
3417
1433
9681
0270
0927
9873
6308
917?
Answer: n = [product; digits omitted]
Computation time ca. 0.0000003 s on a fast laptop!
RSA-768: the largest RSA modulus that has been factored (12/12-2009). Up to 2007 there was $50 000 in prize money for this factorisation!
Computational effort?
• Factoring using the NFS algorithm (Number Field Sieve)
• 6 months using 80 cores to find a suitable polynomial
• Sieving from August 2007 to April 2009 (1500 AMD64-years)
• 192 796 550 × 192 795 550 matrix (105 GB)
• 119 days on 8 different clusters
• Corresponds to 2000 years of processing on one single 2.2 GHz AMD Opteron core (ca. 2^67 instructions)
Asymmetric Ciphers: Examples of Cryptosystems
• RSA: best known asymmetric algorithm.
  – RSA = Rivest, Shamir, and Adleman (published 1977)
  – Historical Note: U.K. cryptographer Clifford Cocks invented the same algorithm in 1973, but didn't publish.
• ElGamal Cryptosystem
  – Based on the difficulty of solving the discrete log problem.
• Elliptic Curve Cryptography
  – Based on the difficulty of solving the EC discrete log problem.
  – Provides the same level of security with smaller key sizes.
Spring 2014 UNIK 4250 Security in Distributed Systems 93
Elliptic curves
• Let p > 3 be a prime. An elliptic curve y^2 = x^3 + ax + b over GF(p) = Zp consists of all solutions (x, y) ∈ Zp × Zp to the equation
  y^2 ≡ x^3 + ax + b (mod p)
• where a, b ∈ Zp are constants such that 4a^3 + 27b^2 ≠ 0 (mod p), together with a special point O which is denoted the point at infinity.
Elliptic curve over R
(Figure: plot of the curve y^2 = x^3 – 4x over the reals. Remember O, the point at infinity.)
Point addition
(Figure: geometric construction of the sum x + y of two points x and y on the curve.)
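As an added example (not from the lecture slides), the curve definition and the point addition of the last three slides as arithmetic over GF(p) rather than the real-number picture: the slides' curve y^2 = x^3 – 4x, taken here over the constructed prime p = 97 with the constructed base point (5, 28), including the non-singularity check 4a^3 + 27b^2 ≠ 0 and the handling of O.

```python
# Added example, not from the lecture slides: point addition on the slides'
# curve y^2 = x^3 - 4x, taken over GF(97) instead of the reals.  The prime 97
# and the base point (5, 28) are constructed for this example.
P_MOD = 97
A, B = -4 % P_MOD, 0
O = None  # the point at infinity: identity element of the group

def check_curve(a, b, p):
    """Reject singular curves: 4a^3 + 27b^2 must be non-zero mod p."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")

def on_curve(pt, a=A, b=B, p=P_MOD):
    """True when pt is O or satisfies y^2 = x^3 + ax + b (mod p)."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def add(pt1, pt2, a=A, p=P_MOD):
    """Chord-and-tangent group law: P + O = P and P + (-P) = O,
    where -P is the mirror image (x, -y)."""
    if pt1 is O:
        return pt2
    if pt2 is O:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                       # vertical line
    if pt1 == pt2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)          # chord slope
    lam %= p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mult(k, pt, a=A, p=P_MOD):
    """k*P by double-and-add over the bits of k (the EC analogue of g^a)."""
    result = O
    for bit in bin(k)[2:]:
        result = add(result, result, a, p)
        if bit == "1":
            result = add(result, pt, a, p)
    return result

check_curve(A, B, P_MOD)   # y^2 = x^3 - 4x is non-singular mod 97
```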
Asymmetric Encryption: Basic encryption operation
• In practice, large messages are not encrypted directly with asymmetric algorithms. Hybrid systems are used, where only the symmetric session key is encrypted with the asymmetric algorithm.
(Figure: Alice takes Bob's public key from her public keyring and computes the ciphertext C = E(M, Kpub) from plaintext M in the encryption operation; Bob uses his private key in the decryption operation to recover the plaintext, M = D(C, Kpriv).)
Hybrid Cryptosystems
• Symmetric ciphers are faster than asymmetric ciphers (because they are less computationally expensive), but ...
• Asymmetric ciphers simplify key distribution, therefore ...
• a combination of both symmetric and asymmetric ciphers can be used – a hybrid system:
  – The asymmetric cipher is used to distribute a randomly chosen symmetric key.
  – The symmetric cipher is used for encrypting bulk data.
Confidentiality Services: Hybrid Cryptosystems
(Figure: Alice chooses a random symmetric key K and encrypts the plaintext M with it, C = E(M, K); she encrypts K with Bob's public key from her public keyring and sends the encrypted K together with C. Bob recovers K with his private key and then decrypts, M = D(C, K).)
Digital Signatures
Digital Signature Mechanisms
• A MAC cannot be used as evidence that should be verified by a third party.
• Digital signatures are used for non-repudiation, data origin authentication and data integrity services, and in some authentication exchange mechanisms.
• Digital signature mechanisms have three components:
  – key generation
  – signing procedure (private)
  – verification procedure (public)
• Algorithms
  – RSA
  – DSA and ECDSA
Practical digital signature based on hash value
(Figure: Alice computes the hash h(M) of plaintext M and signs the hashed message with her private key, Sig = D(h(M), Kpriv). Bob receives the plaintext M' and the digital signature Sig, takes Alice's public key from his public keyring, recovers the hash from Sig as h(M) = E(Sig, Kpub), computes the hash h(M') of the received plaintext and verifies that h(M) = h(M').)
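As an added example (not from the lecture slides), the hash-then-sign procedure of the figure with the slides' toy RSA key (14213, 35011) / (31613, 35011): the private operation on h(M), the public operation that recovers it, and the comparison against h(M'). SHA-256, the reduction of the digest mod n (forced by the 16-bit toy modulus) and the sample messages are assumptions made for this example.

```python
# Added example, not from the lecture slides: hash-then-sign as in the figure,
# Sig = D(h(M), Kpriv) and h(M) = E(Sig, Kpub), with the slides' toy RSA key.
# Because n has only 16 bits the SHA-256 digest is reduced mod n here; a real
# scheme signs a padded digest under a 2048-bit or larger modulus.
import hashlib

PUB = (14213, 35011)    # (e, n) from the RSA toy example
PRIV = (31613, 35011)   # (d, n) from the RSA toy example

def h(message: bytes, n: int) -> int:
    """Hash the message and map the digest into Z_n (toy-size reduction)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, priv=PRIV) -> int:
    """Alice: private operation on the hash, Sig = h(M)^d (mod n)."""
    d, n = priv
    return pow(h(message, n), d, n)

def verify(message: bytes, sig: int, pub=PUB) -> bool:
    """Bob: recover h(M) = Sig^e (mod n) and compare with h(M')."""
    e, n = pub
    recovered = pow(sig, e, n)
    return recovered == h(message, n)

if __name__ == "__main__":
    m = b"Alice owes Bob 10 NOK"         # constructed sample message
    s = sign(m)
    print("valid:", verify(m, s))
    print("tampered:", verify(b"Alice owes Bob 100 NOK", s))
```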
Digital Signatures
• To get an authentication service that links a document to A's name (identity) and not just a verification key, we require a procedure for B to get an authentic copy of A's public key.
• Only then do we have a service that proves the authenticity of documents 'signed by A'.
• This can be provided by a PKI (Public Key Infrastructure)
• Yet even such a service does not provide non-repudiation at the level of persons.
Difference between MACs & Dig. Sig.
• MACs and digital signatures are both authentication mechanisms.
• MAC: the verifier needs the secret that was used to compute the MAC; thus a MAC is unsuitable as evidence with a third party.
  – The third party does not have the secret.
  – The third party cannot distinguish between the parties knowing the secret.
• Digital signatures can be validated by third parties, and can in theory thereby support both non-repudiation and authentication.
Key length comparison: Symmetric and Asymmetric ciphers offering comparable security

AES Key Size   RSA Key Size   Elliptic curve Key Size
-              1024           163
128            3072           256
192            7680           384
256            15360          512
Another look at key lengths
End of lecture