Excursus 01

Cryptography slides, Elia Course

Transcript of Excursus 01

  • The art of secret writing

    A.A. 2010/2011 1

    Cryptography Part I

    Principles and Methods

    michele elia

    Politecnico di Torino

  • The art of secret writing

    A.A. 2010/2011 2

    Introduction

    A complex telecommunications system connects any place, at any time, in any condition.

    Tele- or e- are roots for so many activities that were unthinkable a few years ago:

    - Tele-working e-work

    - Tele-teaching e-teaching

    e-learning

    - Tele-economy e-commerce

    In the lovely Global village of Marshall McLuhan, the print revolution has been

    surpassed and squeezed out by the e-revolution.

  • The art of secret writing

    A.A. 2010/2011 3

    Two remarks

    1) The expansion of telecommunication

    systems has been accelerated and

    dominated by the advent of the digital, and

    the conversion to full digital is practically

    complete.

    A historic milestone year will be 2012, when

    analog TV will be switched off in the EU.

  • The art of secret writing

    Two remarks

    2) Electric signals are ubiquitous in the world; they travel unprotected, though

    conveying vital information for

    the army,

    the trading,

    the economy,

    the social life (bureaucracy, health system)

    the production systems.

    A.A. 2010/2011 4

  • The art of secret writing

    A.A. 2010/2011 5

    In this digital world security is of fundamental importance dealing

    with information, specifically for:

    - Transmission of Information

    - Transformation of Information

    - Use of Information

    in each case SECURITY is

    UNAVOIDABLE.

  • The art of secret writing

    A.A. 2010/2011 6

    A list of applications includes:

    Telephone: the oldest e-communication system

    (together with the telegraph) requires

    confidentiality

    e-mail: the e-communication counterpart of

    the traditional paper mail requires

    confidentiality and signature

    Commerce on-line: a form of selling developed

    with the Internet, needs

    confidentiality, authentication and signature

  • The art of secret writing

    A.A. 2010/2011 7

    A list of applications (Continuation)

    Tele-working: the new economy tends to move

    the work instead of the workers, and needs

    confidentiality and authentication

    Access control: distributed access to databases

    and computing resources needs

    confidentiality, authentication and signature

    E-books and E-libraries, a reality today, need

    confidentiality, authentication and signature

    Medical records: patient status, medical data and

    therapy information need

    confidentiality and authentication

  • The art of secret writing

    A.A. 2010/2011 8

    A list of applications (Continuation)

    Public and private databases with people's personal and biographical data, and other sensitive data, need

    confidentiality

    Wireless systems: cell phones, burglar alarms, car

    locks need

    authentication and/or confidentiality and signature

    Teaching: use of Internet and its facilities is changing

    the traditional teaching paradigm.

    E-teaching and E-learning will be the usual way to

    distribute knowledge, and may need

    authentication and signature

  • The art of secret writing

    A.A. 2010/2011 9

    Information protection

    What to protect: Existence of message

    Content of message

    Message

    Why to protect: Confidentiality

    Authenticity

    Integrity - Availability

    Tracking

    How to protect: CRYPTOGRAPHY

    STEGANOGRAPHY

  • The art of secret writing

    A.A. 2010/2011 10

    Information security is achieved through:

    Principles: Objectives, Axioms

    Methods: Algorithms, Mathematical tools

    Means: Protocols, Technology

  • The art of secret writing

    A.A. 2010/2011 11

    The transformation principle typical of any enciphering

    scheme was known to Julius Caesar 2000 years ago

    The Caesar cipher consisted in

    a shift of three positions so that

    plaintext A was encrypted as

    ciphertext D

  • The art of secret writing

    A.A. 2010/2011 12

    The transformation principle typical of any enciphering

    scheme was known to Julius Caesar 2000 years ago

    Encryption is described in mathematical terms:

    letters are encoded using numbers

    A --> 0 , B --> 1 , ... , Z --> 26

    shift is the secret KEY 3

    encryption is the addition operation modulo 26

    A --> 0+3=3 --> D

  • The art of secret writing

    A.A. 2010/2011 13

    In this method, using modern mathematical notations,

    two fundamental operations are evident: encoding and transformations

    Encoding: each letter is converted into a number of Z26, the set of remainders modulo 26

    Transformation: the number 3, the secret key, is added

    modulo 26 to change each code plain number into a cipher number

    Inverse transformation: the number 3 is subtracted

    modulo 26 to change each cipher number into a code

    plain number

    Decoding: each plain number is converted back into a letter

  • The art of secret writing

    A.A. 2010/2011 14

    the Caesar cipher

    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

    A B C D E F G H I J K L M N O P Q R S T U V X Y W Z

    D E F G H I J K L M N O P Q R S T U V X Y W Z A B C

    A SHIFT of t positions of a letter is equivalent to the operation

    of summing t modulo 26 to the letter code number

  • The art of secret writing

    A.A. 2010/2011 15

    Example

    text B R I X E N

    1 17 8 23 4 13

    encryption +

    key 3 3 3 3 3 3

    =

    4 20 11 0 7 16

    cipher E U L A H Q

  • The art of secret writing

    A.A. 2010/2011 16

    The example shows a technique known as a simple substitution cipher,

    although the mathematical description contains all the ingredients for

    perfect enciphering as defined by Shannon

    [Figure: adder (+) with inputs m and k and output e, applied to the message symbols m1, m2, m3, m4, ..., mi]

    e = m + k mod N

    m = e - k mod N

  • The art of secret writing

    A.A. 2010/2011 17

    The theoretical paradigm was provided by Claude Elwood Shannon in

    his paper

    Communication Theory and Secrecy Systems,

    BSTJ, vol. 28, 1949, p.656-715,

    where enciphering is viewed as a noisy transmission process

    Mutual information is used to define perfect encryption

    [Figure: channel with input S (text), output U (cipher), and noise given by the KEY]

  • The art of secret writing

    A.A. 2010/2011 18

    S: source alphabet U: cipher alphabet K: key alphabet

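    Joint probability distribution: $p\{s,u,k\}$, $s \in S$, $u \in U$, $k \in K$

    $$I(S,U|K) = \sum_{s \in S,\, u \in U,\, k \in K} p\{s,u,k\} \ln \frac{p\{s,u|k\}}{p\{s|k\}\, p\{u|k\}}$$

    $$H(U|K) = \sum_{s \in S,\, k \in K} p\{s,k\} \ln \frac{1}{p\{s|k\}}$$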

  • The art of secret writing

    A.A. 2010/2011 19

    Mutual Information Properties

    I(S,U|K) = H(S|K)-H(S|U,K) = I(U,S|K)

    I(U,S|K) = H(U|K)-H(U|S,K)

    I(S,U|K) = H(S|K)+H(U|K) - H(SU|K)

  • The art of secret writing

    A.A. 2010/2011 20

    Encryption and Mutual Information

    Encryption transformation

    u=s+k=f(s,k)

    I(S,U) = H(U) - H(U|S) = H(U)-H(K)

    I(S,U|K) = H(U|K) - H(U|S,K) = H(U|K)

    Since u=f(s,k) implies

    H(U|S) = H(K)

    H(U|S,K) = 0

  • The art of secret writing

    A.A. 2010/2011 21

    Shannon's Conditions for Perfect Encryption:

    I(S,U) = 0

    I(S,U|K) = H(S)

    I(S,U) = H(U)-H(K) --> H(U) = H(K)

    I(S,U|K) = H(U|K) --> H(U|K) = H(S)

    H(K) = H(U) and H(U|K) = H(S)

  • The art of secret writing

    A.A. 2010/2011 22

    H(K) = H(U)

    The key length must be equal to message length

    - This condition is satisfied by the Caesar cipher

    if message length is one symbol.

    - Looking at the whole transmission balance,

    perfect encryption is achieved only with

    net transmission rate equal to .

    - Practical limits impose a short key length.

    Shannon perfect encryption is impossible

    in real life.
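The conditions above can be checked numerically. The following is an added example, not part of the original slides: it builds the joint distribution for u = s + k mod 26 and computes I(S,U), H(U) and H(K) in bits, first for a one-symbol message and then for a two-symbol message enciphered with the same single key symbol. The source distributions and all function names are constructed for the illustration.

```python
from collections import defaultdict
from math import log2

N = 26  # symbols are elements of Z_26

def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} table."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def joint(p_msg, p_key):
    """p{s,u,k} for u = s + k mod N with S and K independent.
    A message s is a tuple of symbols; one key symbol k is added to every position."""
    table = {}
    for s, ps in p_msg.items():
        for k, pk in p_key.items():
            u = tuple((x + k) % N for x in s)
            table[(s, u, k)] = ps * pk
    return table

def marginal(table, *axes):
    """Sum the joint table down to the chosen coordinates (0=S, 1=U, 2=K)."""
    out = defaultdict(float)
    for outcome, p in table.items():
        out[tuple(outcome[a] for a in axes)] += p
    return out

def report(p_msg, p_key):
    """Return H(S), H(K), H(U) and I(S,U) = H(S) + H(U) - H(S,U), all in bits."""
    t = joint(p_msg, p_key)
    h_s, h_k, h_u = (entropy(marginal(t, a)) for a in (0, 2, 1))
    i_su = h_s + h_u - entropy(marginal(t, 0, 1))
    return {"H(S)": h_s, "H(K)": h_k, "H(U)": h_u, "I(S,U)": i_su}

UNIFORM_KEY = {k: 1 / N for k in range(N)}        # one key symbol, equally likely
ONE_SYMBOL = {(0,): 0.5, (4,): 0.3, (19,): 0.2}   # constructed skewed source: A, E, T
TWO_SYMBOLS = {(0, 0): 0.5, (0, 1): 0.5}          # constructed source: "AA" or "AB"

if __name__ == "__main__":
    for name, src in (("1 symbol", ONE_SYMBOL), ("2 symbols", TWO_SYMBOLS)):
        print(name, {k: round(v, 4) for k, v in report(src, UNIFORM_KEY).items()})
```

With one symbol, H(U) = H(K) and the cipher carries no information about the text; with two symbols under one key symbol, H(U) exceeds H(K) by exactly the one bit that the cipher then leaks.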

  • The art of secret writing

    A.A. 2010/2011 23

    H(K) = H(U)

    The key used to encrypt is the same used to

    decrypt. This paradigm is usually called

    Symmetric cryptographic scheme

    (Symmetric cryptography)

    The same name denotes the practical schemes

    based on mechanisms that generate

    long keys from short keys

    that is, mechanisms that generate streams

    of the same length of the message.

  • The art of secret writing

    A.A. 2010/2011 24

    Shannon Communication Channel with private key

    Perfect Secrecy: Net transmission rate 1/2

    [Figure: block diagram labelled S (text), K (key), U (cipher), Public channel, Secret channel, K (key), R (text)]

  • The art of secret writing

    A.A. 2010/2011 25

    Binary alphabets

    If entropy is measured in bits and binary symbols are

    equally probable, then entropy is numerically the length

    of a binary string

    Key length Lk is of finite size

    Message length LM increases with time.

    The difference

    D = H(U) - H(K) = LM - Lk grows unbounded as LM increases.

  • The art of secret writing

    A.A. 2010/2011 26

    Confidentiality achieved with secret keys enciphering

    guarantees message authenticity

    In summary, symmetric cryptographic schemes achieve

    a) confidentiality: the content of a

    message is disclosed only to the

    intended recipient

    b) authenticity: the message has been

    originated only by the intended sender

  • The art of secret writing

    A.A. 2010/2011 27

    The first modern book on cryptography was a Manuale published in 1378

    by Gabriele de Lavinde da Parma working for the anti-pope Clement VII.

    In 1466, Leon Battista Alberti published

    De Componendis Cyfris, in which he

    described the first cipher disk and

    conceived the notion of polyalphabeticity.

  • The art of secret writing

    A.A. 2010/2011 28

    Message

    If a number a divides the difference

    of the numbers b and c, b and c

    are said to be congruent relative to a

    Encrypted Message

    F3BISADTLGP3PGTGAOVQ

    ZZZAGAE4I3CRBIOCGOR1

    DOZBVIXZBADCNEVBQIXC

    LOPM3ZAGX3LIBE4L1LS4

    G

    Leon Battista Alberti formula (encrypting machine) A.D. 1466

  • The art of secret writing

    A.A. 2010/2011 29

    Polyalphabetic ciphers, better known as Vigenère ciphers, were described in

    Traité des Chiffres (1586) by Blaise de Vigenère.

    In 1863, the cryptanalysis of Vigenère ciphers

    appeared in

    Die Geheimschriften und die Dechiffrir-Kunst

    by Friedrich W. Kasiski.

    In 1930

    Manuale di Crittografia

    was published by General Luigi Sacco

  • The art of secret writing

    A.A. 2010/2011 30

    Vigenère TABLE

    ABCDEFGHIJKLMNOPQRSTUVXYWZ

    LMNOPQRSTUVXYWZABCDEFGHIJK

    IJKLMNOPQRSTUVXYWZABCDEFGH

    DEFGHIJKLMNOPQRSTUVXYWZABC

    IJKLMNOPQRSTUVXYWZABCDEFGH

    ABCDEFGHIJKLMNOPQRSTUVXYWZ

    Secret key: LIDIA = 11 8 3 8 0
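The four steps (encoding, transformation, inverse transformation, decoding) and the Vigenère key above can be run as one additive cipher over Z26. This is an added example, not part of the original slides; it goes slightly beyond the Caesar case by accepting either a single shift or a key word. It uses the standard A to Z order with A = 0 and Z = 25, which is the numbering of the BRIXEN example (X = 23); the function names are chosen for the illustration.

```python
from itertools import cycle
import string

ALPHABET = string.ascii_uppercase   # standard order: A=0, B=1, ..., Z=25
N = len(ALPHABET)                   # N = 26

def encode(text):
    """Encoding: each letter becomes a number of Z_26 (ValueError on non-letters)."""
    return [ALPHABET.index(c) for c in text.upper()]

def decode(numbers):
    """Decoding: each number is converted back into a letter."""
    return "".join(ALPHABET[n % N] for n in numbers)

def keystream(key):
    """A Caesar key is one shift; a Vigenère key is a word repeated periodically."""
    return cycle([key % N] if isinstance(key, int) else encode(key))

def encrypt(plaintext, key):
    """Transformation: e = m + k mod N, symbol by symbol."""
    return decode((m + k) % N for m, k in zip(encode(plaintext), keystream(key)))

def decrypt(ciphertext, key):
    """Inverse transformation: m = e - k mod N."""
    return decode((e - k) % N for e, k in zip(encode(ciphertext), keystream(key)))

if __name__ == "__main__":
    print(encode("BRIXEN"), encrypt("BRIXEN", 3))       # Caesar, shift 3
    print(encode("LIDIA"), encrypt("BRIXEN", "LIDIA"))  # Vigenère, key LIDIA
    print(decrypt(encrypt("BRIXEN", "LIDIA"), "LIDIA"))
```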

  • The art of secret writing

    A.A. 2010/2011 31

    Leon Battista Alberti with his cipher disk conceived the idea of an

    encrypting machine whose modern electrical prototypes appeared in

    1891 Etienne Bazeries: adopted by the French army

    1917 Gilbert Vernam: first binary encrypting machine realizing perfect enciphering

    1918 Arthur Scherbius: ENIGMA adopted by the German army (in 1926)

    1920 Boris Hagelin: Crypto-Hagelin adopted by the US army

  • The art of secret writing

    A.A. 2010/2011 32

    Arthur Scherbius ENIGMA - 1918

  • The art of secret writing

    A.A. 2010/2011 33

    The design target of encrypting machines is

    to provide mechanisms (stream ciphers) that produce

    enciphering sequences

    k(1), k(2), ..., k(n), ...

    starting from a short sequence K0 called the secret key.

    A typical enciphering rule, referred to as Caesar enciphering,

    is simple

    e(n) = m(n) + k(n)

    Symbols are taken from a finite domain where a binary composition rule + is defined.

  • The art of secret writing

    A.A. 2010/2011 34

    The mathematics behind these systems includes modular

    arithmetic (ring), finite fields, and groups.

    Stream generators are described using

    the notion of

    FINITE STATE MACHINE

  • The art of secret writing

    A.A. 2010/2011 35

    Finite State Machine

    A Finite state machine is a mathematical object

    described by a 6-tuple {S, I, O, f, g, s0} where

    S is a finite set of states, possibly represented

    by binary vectors (0,1,0, ..., 0, 0)

    I is a finite input alphabet, possibly binary

    O is an output alphabet, possibly binary

    f is a mapping from S × I into S

    g is a mapping from S × I into O

    s0 the initial state is an element of S

  • The art of secret writing

    A.A. 2010/2011 36

    Given an input sequence

    I(1), I(2), ..., I(n)

    Machine evolution is a sequence of states

    s(1), s(2), ..., s(n) with s(1) = s0, and

    s(n+1) = f(s(n), I(n) )

    The generated stream is a sequence

    k(1), k(2), ..., k(n), where

    k(n) = f(s(n), I(n) )

    The machine evolution is said to be autonomous

    if the input sequence is missing.

  • The art of secret writing

    A.A. 2010/2011 37

    Stream Ciphers are Finite State Machines

    Properties of generated streams for Caesar-like enciphering

    Avoid store and replay attack

    Avoid error propagation

    Hard to cryptanalyze

    Good mask properties

  • The art of secret writing

    A.A. 2010/2011 38

    Cryptographic properties of a stream cipher

    Period of generated sequence:

    should be long and computable to avoid store

    and replay attack

    Entropy of generated sequence:

    should be maximum, it must appear a truly

    random sequence (fair coin tossing sequence)

    Cryptanalysis:

    a plain text attack should be hard, that is the

    initial state s0 must be difficult to compute

    knowing any piece of generated sequence

  • The art of secret writing

    A.A. 2010/2011 39

    Stream ciphers

    Periodic generators:

    a classic solution consists of Linear Feedback

    Shift Registers and their non-linear variants

    Output function:

    is a non-linear logic function

    Encryption:

    commonly is a sum of bits (the logical XOR

    operation)

  • The art of secret writing

    A.A. 2010/2011 40

    LFSR

    A LFSR is characterized by a generator

    polynomial g(x) which defines the positions

    of the feedback taps

    The degree of g(x) is the LFSR length

    The state is the content of the register

  • The art of secret writing

    A.A. 2010/2011 41

    Generator polynomials of degree n

    $g(x) = 1 + g_1 x + g_2 x^2 + \cdots + g_{n-1} x^{n-1} + x^n$

    Irreducible polynomials are factors of $x^m - 1$

    where the smallest m is a divisor of $2^n - 1$

    Primitive polynomials have $m = 2^n - 1$

  • The art of secret writing

    A.A. 2010/2011 42

    LFSR: Linear feedback shift register

    [Figure: Fibonacci and Galois LFSR configurations, each with cells X0, X1, X2, ..., Xn-1 and adders (+)]

  • The art of secret writing

    A.A. 2010/2011 43

    LFSR: Linear feedback shift register

    Tridiagonal

    LFSR of length 5.

    [Figure: tridiagonal LFSR with cells X0, X1, X2, X3, X4 and adders (+)]

    Transition matrix:

    0 1 0 0 0
    1 1 1 0 0
    0 1 1 1 0
    0 0 1 1 1
    0 0 0 1 1

  • The art of secret writing

    A.A. 2010/2011 44

    Properties of

    the set C of primitive LFSR sequences

    C is a group of order $2^n$

    C is the dual code of a Hamming $(2^n-1,\ 2^n-1-n,\ 3)$ code, that is, a $(2^n-1,\ n,\ 2^{n-1})$ code

    Every sequence has the same number of 1s, $2^{n-1}$

    Cyclic autocorrelation function of every sequence is a two-value function: its value is $2^n-1$ at shift 0 and -1 for every nonzero shift.

    Runs of 0s and 1s are given in the following Table

  • The art of secret writing

    A.A. 2010/2011 45

    Properties of

    a primitive LFSR sequence

    $2^{m-j-2}$ runs of length j of either 1s or

    0s, for 0 < j < m-1

    1 run of length m of 1s

    0 runs of length m-1 of 1s

    1 run of length m-1 of 0s

    0 runs of length m of 0s
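The period, balance, autocorrelation and run properties listed on the last slides can be verified on a small register. This is an added example, not part of the original slides: an autonomous Fibonacci LFSR of length 5 written as a finite state machine with next-state map `step` and output map `stream`. The generator polynomial g(x) = 1 + x^2 + x^5 and the seed are assumptions chosen for the illustration, as are the function names.

```python
from collections import Counter
from itertools import groupby

N = 5                      # register length = degree of g(x)
TAPS = [0, 2]              # g(x) = 1 + x^2 + x^5, a primitive polynomial (assumed choice)
SEED = [1, 0, 0, 0, 0]     # initial state s0, any non-zero vector (assumed choice)

def step(state):
    """Next-state map: shift left and feed back the XOR of the tapped cells."""
    fb = 0
    for i in TAPS:
        fb ^= state[i]
    return state[1:] + [fb]

def stream(state, nbits):
    """Output map: emit cell X0 of each successive state."""
    out = []
    for _ in range(nbits):
        out.append(state[0])
        state = step(state)
    return out

def period(state):
    """Number of steps until the register returns to its starting state."""
    cur, steps = step(state), 1
    while cur != state:
        cur, steps = step(cur), steps + 1
    return steps

def autocorrelation(seq, tau):
    """Cyclic autocorrelation with bits mapped to +1/-1: agreements minus disagreements."""
    n = len(seq)
    return sum(1 if seq[t] == seq[(t + tau) % n] else -1 for t in range(n))

def cyclic_runs(seq):
    """Counter of (bit, run length) over one period, wrapping around the end."""
    i = next(i for i in range(len(seq)) if seq[i] != seq[i - 1])
    rotated = seq[i:] + seq[:i]
    return Counter((bit, len(list(grp))) for bit, grp in groupby(rotated))

def xor_encrypt(bits, state):
    """Stream encryption e(n) = m(n) XOR k(n); applying it twice decrypts."""
    return [m ^ k for m, k in zip(bits, stream(state, len(bits)))]

if __name__ == "__main__":
    seq = stream(SEED, period(SEED))
    print("period:", len(seq), "ones:", sum(seq))
    print("autocorrelation:", [autocorrelation(seq, t) for t in range(4)])
    print("runs:", sorted(cyclic_runs(seq).items()))
```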

  • The art of secret writing

    A.A. 2010/2011 46

    Computational complexity

    The aim of computational complexity is to

    give a measure of the difficulty of solving

    a problem.

    An axiomatic theory yielding a measure of

    complexity comparable to the measure of

    information, unfortunately, is still missing.

    In cryptography, practical measures of

    complexity have been developed and are

    used in place of theoretical definitions.

  • The art of secret writing

    A.A. 2010/2011 47

    Computational complexity

    Practical measures of complexity:

    - Number of binary operations of algebraic

    nature (e.g. product of two numbers)

    - Number of comparisons in searching an

    object among a set of objects (e.g. searching

    a name in a directory)

    - Size of a memory for storing data (e.g.

    number of bytes required to store the personal

    data in the registry of a town)

  • The art of secret writing

    A.A. 2010/2011 48

    Computational complexity

    Let X and Y be two finite sets.

    Let f be a mapping from X into Y.

    Let x and y be two variables taking their

    values in X and Y, respectively

    Definition.

    The size of a variable z, taking its values in a

    set Z, is the minimum number of bits

    necessary to represent any value in Z.

  • The art of secret writing

    A.A. 2010/2011 49

    Computational complexity

    The size of every x in X is n=log2(| X |)

    n is the number of bits necessary to represent

    the value of any element in X.

    The complexity cx(f ) of a function f is

    expressed in terms of n.

    If cx(f ) is exactly computable, then it is written

    as a function g(n) of n.

    If only the order of magnitude of cx(f ) can be computed, then it is written as O(g(n)).

  • The art of secret writing

    A.A. 2010/2011 50

    One-way functions

    Definition

    An invertible mapping f from a finite set X into a

    finite set Y is said to be one-way if

    i) the value y=f(x) is easy to compute

    for every x in X

    ii) the inverse value $x = f^{-1}(y)$ is difficult to compute for almost every y in Y

  • The art of secret writing

    A.A. 2010/2011 51

    One-way functions - complexity

    Many one-way functions are realized as

    homomorphisms between groups.

    If f is a homomorphism between

    a group X and

    the additive group of remainders modulo M,

    the complexity of f , in general, is upper

    bounded by $O(|X|^{1/2})$, which is known as Shanks' bound