IN2120 – Information Security

Cryptography

Nils Gruschka

University of Oslo

Outline

• What is cryptography?

• Brief crypto history

• Symmetric cryptography– Stream ciphers

– Block ciphers

– Hash functions

• Asymmetric cryptography– Encryption

– Diffie-Hellman key exchange

– Digital signatures

• Post-Quantum CryptoCryptography IN2120 2

Terminology

• Cryptography is the science of secret writing with the goal of hiding the meaning of a message.

• Cryptanalysis is the science of breaking cryptography.

• Cryptology covers both cryptography and cryptanalysis.

Cryptography IN2120 3

Cryptology

Cryptography Cryptanalysis

What can cryptography do?

• Crypto can provide the following security services:

– Confidentiality:• Makes data unreadable to entities who do not have the appropriate cryptographic

keys, even if they have the data.

– Data Integrity:• Entities with the appropriate cryptographic keys can verify that data is correct and has

not been altered, either deliberately or accidentally.

– Authentication:• Entities who communicate can be assured that the other user/entity or the sender of a

message is what it claims to be.

– Digital Signature and PKI (Public-Key Infrastructure):• Strong proof of data origin which can be verified by 3rd parties.

• Scalable (to the whole Internet) distribution of cryptographic keys.

Cryptography IN2120 4

Taxonomy of cryptographic functions

Cryptography IN2120 5

Ciphers

Symmetric

One secret key

used for both

encryption and decryption

Asymmetric

Public key used for

encryption and private

key used for decryption

Block Stream

AS

HashFunctions

Cryptographic Functions

Also called “public-key

cryptography”

Evolution of Ciphers

Cryptography IN2120 6

AD → 1799 1800 → 1939 1940 → 1975 1976 → 2000

Medieval ciphers

2001 →→ BC

Caesar cipher

Poly-alphabetic

Substitution +

Transposition

Substution

Classical ciphers

Scytale

Transposition

Vigenère1566

Pre-WW2 ciphers

Vernam1916

One-timepad

WW2 ciphers

Complex mechanics

Enigma

Shannon

SP-networksInfo-theory

Pre-2000 ciphers

DES

Feistel

Asymmetriccrypto

Post-2000 ciphers

AES

Rijmen & Daemen

Post-Quantum

Asymmetriccrypto

DiffieHellman

Terminology

• Encryption: plaintext (cleartext) M is converted into a ciphertext C under the control of a key k.– We write C = E(M, k).

• Decryption with key k recovers the plaintext M from the ciphertext C.– We write M = D(C, k).

• Symmetric ciphers: the secret key is used for both encryption and decryption.

• Asymmetric ciphers: Pair of private and public keys where it is computationally infeasible to derive the private decryption key from the corresponding public encryption key.

Cryptography IN2120 7

Symmetric cryptography (secret key)

• “Secret key” means that the key is shared “in secret” between entities who are authorized to encrypt and decrypt

Cryptography IN2120 8

Algorithm

encryption decryption

Plaintext

Ciphertext

Plaintext

Secret key Secret key

Algorithm

Alice Bob

Message Message

Strength of Ciphers

Factors for cryptographic strength:

• Key size. – Exhaustive key-search time depends on the key size.

– Typical key size for a symmetric cipher is 256 bit.

– Attacker must try 2256/2 keys on average to find the key, which would take millions of years, which is not practical.

– With N different keys, the key size is log2(N).

• Algorithm strength.– Key discovery by cryptanalysis can exploit statistical regularities in the

ciphertext.

– To prevent cryptanalysis, the bit-patterns / characters in the ciphertext should have a uniform distribution, i.e. all bit-patterns / characters should be equally probable.

Cryptography IN2120 9

Letter Frequencies → Statistical cryptanalysis

Cryptography IN2120 10

Letter frequencies in English

Caesar Cipher

Th

is P

ho

tob

y U

nkn

ow

n A

uth

or

is lic

en

se

d u

nd

er

CC

B

Y-S

A

• Historic ciphers, like the Caesar Cipher, are weak because they fail to hide statistical regularities in the ciphertext.

Claude Shannon (1916 – 2001) The Father of Information Theory – MIT / Bell Labs

• Information Theory− Defined the „binary digit“ (bit) as information unit

− Defined information „entropy“ to measureamount of information

• Cryptography− Model of secrecy systems

− Defined perfect secrecy

− Principle of S-P encryption (substitution & permutation) to hide statistical regularities

Cryptography IN2120 11

Shannon’s S-P NetworkRemoves statistical regularities in ciphertext

• “S-P Networks” (1949)

– Substitutions & Permutations

– Substitute bits e.g. 0001 with 0110

– Permute parts e.g. part-1 to part-2

– Substitution provides “confusion” i.e. complex relationship between input and output

– Permutation provide “diffusion”, i.e. a single input bit influences many output bits

– Iterated S-P functions a specific number of times

– Functions must be invertible

Cryptography IN2120 12

. . . .P

. . . .

. . . .P

...

plaintext

ciphertext

ED

S S S

S S S

S S S

AES - Advanced Encryption Standard

• DES (Data Encryption Standard) from 1977 had a 56-bit key and a 64-bit block. In the mid-1990s DES could be cracked with exhaustive key search.

• In 1997, NIST announced an open competition for a new block cipher to replace DES.

• The best proposal called “Rijndael” (designed by Vincent Rijmenand Joan Daemen from Belgium) was nominated as AES (Advanced Encryption Standard) in 2001.

• AES has key sizes of 128, 192 or 256 bitand block size of 128 bit.

Cryptography IN2120 13

Block Cipher

Cryptography IN2120 14

Ciphertext blocks

Plaintext blocks

n bits

Block cipher

Key Block Cipher

n bits

Block Ciphers: Modes of Operation

• Block ciphers can be used in different modes in order to provide specific security protection.

• Common modes include:

– Electronic Code Book (ECB)

– Cipher Block Chaining (CBC)

– Output FeedBack (OFB)

– Cipher FeedBack (CFB)

– CounTeR Mode (CTR)

Cryptography IN2120 15

Insecure

Secure

Electronic Code Book (ECB)

• Simplest mode of operation

• Plaintext data is divided into blocks M1, M2, …, Mn

• Each block is then processed separately– Plaintext block and key used as inputs to the encryption algorithm

Cryptography IN2120 16

EncryptK

M1

C1

EncryptK

M2

C2

EncryptK

Mn

Cn

DecryptK

C1

M1

DecryptK

C2

M2

DecryptK

Cn

Mn

Electronic Code Book (ECB-mode)

Cryptography IN2120 17

THIS IS A SIMPLE PLAINTEXT MESSAGE.

Encryption

X&jÜ(mA’8Dwßµ<3Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1§ü

Encryption Encryption

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Encryption

Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0

Encryption Encryption

Vulnerability of ECB-mode

Cryptography IN2120 18

CTRCounter Mode

Cryptography

One-Time-Pad (Gilbert Vernam, 1917)

• Property of bitwise XOR addition: ki ki = 0 and mi = ci ki = mi ki ki

• OTP offers perfect security assuming the OTP key is perfectly random, of same length as the message, and only used once

Cryptography IN2120 20

bitwise

XOR additionbitwise

XOR-additionPlaintext

message M

Ciphertext

k1, k2, k3 … ki …

Alice Bob

mi = ci kici = mi ki

encryption decryption

Shared secret

OTP key K

Shared secret

OTP key K

c1, c2, c3 … ci…

Message Message

k1, k2, k3 … ki …

Plaintext

message M

The perfect cipher: One-Time-Pad

• Old version used a paper tape of random data

• Modern versions can use DVDs with Gbytes of random data

Cryptography IN2120 21

Block Cipher vs. Stream Cipher

Cryptography IN2120 22

Ciphertext blocks

Plaintext blocks

n bits

Block cipher

Key Block Cipher

n bits

Key stream

generator

Key

Ciphertext streamPlaintext stream

Key stream

Stream cipher

Note that the key stream repeats itself

and is not totally random, hence a

stream cipher is not a One-Time-Pad.

INTEGRITY CHECK FUNCTIONS

Cryptography IN2120 23

Hash Functions

• Idea:– take a large dataset and …

– … calculate a small piece of data which is characteristic for the large dataset

– this is also called a “fingerprint” or “message digest”

• (Extremely simple) example:– take the last 4 digits of a credit card number

Cryptography IN2120 24

Ima

ge

So

urc

e: h

ttp

s://w

ww

.sysso

lutio

nsllc

.co

m/p

ag

e/A

dd

on

s/C

red

itC

ard

Ho

lde

rNa

me

Hash functions (message digest functions)

Requirements for a one-way hash function h:

1.Ease of computation: given x, it is easy to compute h(x).

2.Compression: h maps inputs x of arbitrary bitlength to outputs h(x)of a fixed bitlength n.

3.One-way: given a value y, it is computationally infeasible to find an input x so that h(x)=y.

4.Collision resistance: it is computationally infeasible to find x and x’, where x ≠ x’, with h(x)=h(x’) (note: two variants of this property).

Cryptography IN2120 25

Properties of hash functions

Cryptography IN2120 26

x

h(x)

Ease of

computation

h(x)

Collisions

exist but are

hard to find

x x’?

h(.)

Pre-image

resistance

Weak collision

resistance

(2nd pre-image

resistance)

h(x)

x ?

h(.)

Strong

collision

resistance

? ?

Applications of hash functions

• Comparing files

• Protection of password

• Authentication of SW distributions

• Bitcoin

• Generation of Message Authentication Codes (MAC)

• Digital signatures

• Pseudo number generation/Mask generation functions

• Key derivation

Cryptography IN2120 27

Well-known hash functions

• MD5 (1991): 128 bit digest. Relatively easy to break by finding collisions, due to short digest and poor design. Not to be used in new applications, but may be used in legacy applications.

• SHA-1 (Secure Hash Algorithm):160 bit digest. Designed by NSA in 1995 to operate with DSA (Digital Signature Standard). Attacks exist. Not recommended, but sometimes still in use.

• SHA-2 designed by NSA in 2001 provides 224, 256, 384, and 512 bit digest. Considered secure. Replacement for SHA-1.

• SHA-3: designed by Joan Daemen + others in 2010.

Standardized in 2015. Digest of: 224, 256, 384, and 512 bit.

SHA-3 has little use, because SHA-2 is considered strong.

Cryptography IN2120 28

Hash Function for Integrity Protection

Cryptography IN2120 29

h(M)

Hash

functionHash

function

Message MReceived

message M’Alice Bob

Verify h(M) = h(M’)

h(M’) hash

hash sent together

with message M

hash

Message Authentication Codes

• A message M with a simple message hash h(M) can be changed by attacker.

• In communications, we need to verify the origin of data, i.e. we need message authentication.

• MAC (message authentication code) can use hash function as h(M, k) i.e. with message M and a secret key k as input.

• To validate and authenticate a message, the receiver has to share the same secret key used to compute the MAC with the sender.

• A third party who does not know the key cannot validate the MAC.

Cryptography IN2120 30

Practical message integrity with MAC

Cryptography IN2120 31

Shared

secret

key

h(M,K)

MAC

functionMAC

function

Message MReceived

message M’Alice Bob

Verify h(M,K) = h(M ’,K)

Shared

secret key

h(M ’ ,K) MAC

MAC sent

together with

message M

MAC

?

MAC and MAC functions

• Terminology– MAC is the computed message authentication code h(M, k)

– MAC function is the algorithm used to compute a MAC

• MAC functions, a.k.a. keyed hash functions, support data origin authentication services.

• Different types of MAC functions, e.g.– HMAC (Hash-based MAC algorithm)

– CBC-MAC (CBC based MAC algorithm)

– CMAC (Cipher-based MAC algorithm)

• Modern encryption modes (e.g. AES-GCM) perform encryption and MAC calculation at the same time

Cryptography IN2120 32

PUBLIC-KEY CRYPTOGRAPHY

Problem of symmetric key distribution

• Shared key between each pair

• In network of n users, each participant needs n-1 keys.

• Number of exchanged secret keys: n(n-1)/2

= number of glasses touching at cocktail party

• Grows exponentially, which is a major problem.

• Is there a better way?

• → Public-key cryptography

Cryptography IN2120 34

Network of 5 nodes

Cocktail party

James H. Ellis (1924 – 1997)Inventor of pub-key crypto, but received little recognition

• British engineer and mathematician

• Worked at GCHQ (Government Communications Headquarters)

• Idea of non-secret encryption to solve key distribution problem

• Encrypt with non-secret information in a way which makes it impossible to decrypt without related secret information

• Never found a practical method

Cryptography IN2120 35

Clifford Cocks (1950 – )Inventor of RSA algorithm in 1973, recognized in 1998

• British mathematician and cryptographer

• Silver medal at the International Mathematical Olympiad, 1968

• Worked at GCHQ (equivalent to NSA)

• Heard from James Ellis the idea of non-secret encryption in 1973

• Spent 30 minutes in 1973 to invent a practical method

• Equivalent to the RSA algorithm

• Was classified TOP SECRET

• Result revealed in 1998

• Fellow of the British Royal Society in 2015.

Cryptography IN2120 36

Malcolm J. Williamson (1950 – 2015)Inventor of key exchange but received little recognition

• British mathematician and cryptographer

• Gold medal at the International Mathematical Olympiad, 1968

• Worked at GCHQ until 1982

• Heard from James Ellis the idea of non-secret encryption, and from Clifford Cocks the practical method.

• Intrigued, spent 1 day in 1974 to invent a method for secret key exchange without secret channel

• Equivalent to the Diffie-Hellmann key exchange algorithm

Cryptography IN2120 37

Ralph Merkle, Martin Hellman and Whitfield Diffie

• Merkle invented (1979) the Merkle Hash Tree and the Merkle Digital Signature Scheme, used e.g. in Bitcoin. Resistant to quantum computers.

• Diffie & Hellman (1976) invented a practical key exchange algorithm with discrete exponentiation.

• D&H defined public-key encryption (equiv. to non-secret encryption) (1976)

• Defined digital signature

Cryptography IN2120 38

Diffie-Hellman Key Exchange

Attackers can not recover the integers a or b because discrete logarithm of large integers is computationally difficult. Hence, attackers are unable to compute the secret key = gab mod p.

Cryptography IN2120 39

ga mod p

Alice computes the shared secret (gb)a = gab mod p

Bob computes the same shared secret (ga)b = gab mod p.

Alice picks private random integer a

gb mod p

Bob picks private random integer b

Diffie-Hellman Key Exchange

• Problem:– Provides no authentication

– Alice and Bob can not be sure with whom they are communicating

– Man-in-the-middle attack possible

• Applications:– IKE (Internet Key Exchange), part of IPSec (IP Security)

– TLS (Transport Layer Security)

Cryptography IN2120 40

Ron Rivest, Adi Shamir and Len Adleman

• Read about public-key cryptography in 1976 article by Diffie & Hellman: “New directions in cryptography”

• Intrigued, they worked on finding a practical algorithm

• Spent several months in 1976 to re-invent the method for non-secret/public-key encryption discovered by Clifford Cocks 3 years earlier

• Named RSA algorithm

• Uses a pair of keys: public key and private key

Cryptography IN2120 41

Asymmetric Encryption: Basic encryption operation

Cryptography IN2120 42

Bob’s

private key

C = E(M,Kpub(B)) M = D(C,Kpriv(B))

Alice’s

public-key

ring

Bob’s

public

key

Asymmetric

encryption

Asymmetric

decryption

Plaintext M Ciphertext C Plaintext M

Alice Bob?

Asymmetric Ciphers: Examples of Cryptosystems

• RSA: best known asymmetric algorithm.

– RSA = Rivest, Shamir, and Adleman (published 1977)

– Historical Note: U.K. cryptographer Clifford Cocks invented the same algorithm in 1973, but didn’t publish.

• ElGamal Cryptosystem

– Based on the difficulty of solving the discrete log problem.

• Elliptic Curve Cryptography

– Based on the difficulty of solving the EC discrete log problem.

– Provides same level of security with smaller key sizes.

Cryptography IN2120 43

Hybrid Cryptosystems

• Symmetric ciphers are faster than asymmetric ciphers (because they are less computationally expensive ), but ...

• Asymmetric ciphers simplify key distribution, therefore ...

• a combination of both symmetric and asymmetric ciphers can be used – a hybrid system:– The asymmetric cipher is used to distribute a randomly chosen symmetric

key.

– The symmetric cipher is used for encrypting bulk data.

Cryptography 44IN2120

Hybrid Cryptosystems

Bob’s

private key

Kpriv(B)

Plaintext M

Ciphertext C

Plaintext MC = E(M,K) M = D(C,K)

Alice’s

public-key

ring

Generate secret

symmetric key KShared secret

symmetric key K

E(K,Kpub(B))

Encrypted

key K

Asymmetric

encryption

Asymmetric

decryption

Symmetric

encryption

Symmetric

decryption

Cryptography 45IN2120

Alice Bob

Bob’s

public key Kpub(B)

DIGITAL SIGNATURES

Cryptography IN2120 46

Non-repudiation?

Cryptography IN2120 47

Alice Bob

Sharedsecret key

The MAC was made with the secret key, so I know that Alice sent the message.

But you have the same secret key, so maybe you sent the message.

Symmetric authentication

MAC

Digital Signature Mechanisms

• A MAC cannot be used as evidence to be verified by a 3rd party (details below)

• Digital signatures can be verified by 3rd party– Used for non-repudiation,

– data origin authentication and

– data integrity

• Digital signature mechanisms have three components:– key generation

– signing procedure (private)

– verification procedure (public)

48Cryptography IN2120

Digital signature: Basic operation

• In practical applications, message M is not signed directly, only a hash value h(M) is signed.

Cryptography IN2120 49

Alice’s

private key

C = E(M,Kpriv(A)) M = D(C,Kpub(A))

Alice’s

public

key

Bob’s

public-key

ring

Encryption

operation

(Signing)

Decryption

operation

(Validation)

Plaintext M C = (Signed M) Plaintext M

Alice Bob

Practical digital signature based on hash value

Cryptography IN2120 50

Alice’s private

key

Sig = E(h(M),Kpriv(A))

h(M) = D(Sig,Kpub(A))

Bob’s

public-key

ring

Sign

hashed

message

Recover

hash

from Sig

Plaintext M

Digital

Signature

Received plaintext M’

Compute hash

h(M’ )

Verify h(M) = h(M’ )Compute hash

h(M)

Alice Bob

Alice’s

public key

Non-repudiation

Cryptography IN2120 51

Alice Bob

Sharedsecret key

The MAC was made with the secret key, so I know that Alice sent the message.

But you have the same secret key, so maybe you sent the message.

Alice BobPrivate key The message was

signed by Alice, so I know that she sent the message.

You are right, only Alice could have signed the message.

Pulic key

Symmetric authentication

MAC

Non-repudiatable authentication

Digital signature

POST-QUANTUM CRYPTOGRAPHY

Cryptography IN2120 52

Cryptography IN2120 53

DN

.no, 1

Dece

mbe

r 20

17

Principle of Quantum Computing

• Quantum Computing (QC) uses quantum superpositions instead of binary bits to perform computations.

• Quantum algorithms, i.e. algorithms for quantum computers, can solve certainproblems much faster than classical computer algorithms.

Cryptography IN2120 54

ExperimentalQuantum

Computer

QC Threat to Traditional Cryptography

• Shor’s Quantum Algorithm (1994) can factor integers and compute discrete logarithms efficiently. With a powerful quantum computer (at least 1 million qubits), Shor’s algorithm would be devastating to traditional public key crypto algorithms.

• Grover’s Quantum Search Algorithm (1996) can be used to brute-force search for a k-bit secret key with an effort of only

which effectively doubles the required key sizes for ciphers.

• QC has been dismissed by most cryptographers until recent years. General purpose quantum computers do not currently exist but are predicted to be built in foreseeable future.

Cryptography IN2120 55

2/22 kk =

Cryptographic Functions and Services

Cryptography IN2120 56

Hash-functions

Symmetricencryption

Asymmetricencryption & digital signature(Traditional), e.g. RSA, ECC, Diffie-Hellman

Confidentiality

Authentcity / Integrity

Digital SignaturePKI / key distribution

ConfidentialityT

Quantum Threat

Cryptographic Functions and Services

Cryptography IN2120 57

Hash-functions

Symmetricencryption

Asymmetric encryption & digital signature (Post-Quantum), e.g., Lattice-based, Multivariate, Hash-based, Code-based, Ellipticcurve isogeny

Confidentiality

Authentcity / Integrity

Digital SignaturePKI / key distribution

ConfidentialityPQ

Thanks to PQ Crypto we can still use DigSig and PKI even withquantum computers of 1 million qubit

Collapse of traditional asymmetric crypto?

Cryptography IN2120 58

10.000.000

1.000.000

100.000

10.000

0

1000

Collapse

No collapse

2030 2040 2050 2060 2070 2080V

ery

uncert

ain

pre

dic

tion

2020 2090

?

?

?

Year

Quantum ComputerQubit size

50 qubitcomputer

Lo

ga

ritm

icsca

le

PQC already works

• Many initiatives for prototyping PQC in real applications

• Version of Chrome Browser with PQC TLS

• Disadvantage of PQC is high complexity and computation load

Cryptography IN2120 60

END OF LECTURE