exercise in the previous class


Upload: amory

Post on 23-Feb-2016



TRANSCRIPT

Page 1: exercise in the previous class

give proof for the discussion in p.19

see http://apal.naist.jp/~kaji/lecture/

Page 2: chapter 4: cryptography

Page 3: what we do, and what we do not do in this class

cryptography is discussed in many contexts: management, politics, history, philosophy

In this class, we focus on the technical aspects of cryptography.

Page 4: terminology

plaintexts: make sense by themselves
ciphertexts: make no sense by themselves
encryption E: c = E(p)
decryption D: p = D(c)
cryptography = a pair of E and D such that D(E(p)) = p

there are many variations of and confusions in the words: crypto / cipher, text / data, cryptography / encryption

Figure: p → E → c → D → p

Page 5: three types of cryptography

key-less cryptography: E(p) (resp. D(c)) is solely determined by p (resp. c); there is no key, so the algorithms themselves must be kept secret; security relies on the "gap of wisdom" between the recipients and everyone else (example: "O, draconian devil" is an anagram of "Leonardo da Vinci")

common-key cryptography: E and D must use the same key

public-key cryptography: E and D use different keys which are in a special relation

Page 6: class plan

today: common-key cryptography; widely known algorithms; key agreement protocol

next: public-key cryptography; RSA; related algorithms

June 4 (MON): exercise
June 5 (TUE): test

Page 7: common-key cryptography

also called symmetric-key cryptography, classic cryptography, ...
E (resp. D) takes two inputs: a key and a plaintext (resp. a ciphertext)

E(k, p): the ciphertext of p encrypted with the key k
D(k, c): the plaintext of c decrypted with the key k

D(k, E(k, p)) = p, but D(k', E(k, p)) ≠ p if k' ≠ k

Figure: p → E (key k1) → c → D (key k2) → p if k1 = k2, or ? (garbage) if k1 ≠ k2

Page 8: substitution cipher

substitution cipher:
encrypt: replace each character in the plaintext with a different character
decrypt: do the inverse replacement of the encryption
key: the table of the character replacement

plaintext | ciphertext
A | E
B | K
C | A
... | ...
Y | Z
Z | G

the number of possible keys = 26! for the English alphabet... too many to try even for today's computers

but the statistics of the plaintexts can be observed in the ciphertexts

Page 9: frequency attack

in a naive substitution cipher, a plaintext character is always replaced with the same ciphertext character
in many kinds of data there is a bias in the frequencies of characters

in English, characters such as "e", "t", "a" and "s" occur frequently
the characters which occur frequently in a ciphertext are therefore the replacements of those frequent characters

A.C. Doyle, 1903, The Adventure of the Dancing Men

Page 10: sketch of the frequency attack

Figure: letter frequencies of typical English text ("information as a concept has many meanings; the concept of information is ..."; "theory in modern english is a concept which originally derives from classical greek"), e.g. a 8.4%, b 1.5%, c 2.7%, d 3.8%, are compared with the letter frequencies of a ciphertext of unknown plaintext ("zpunim gt oncuitutqvgwp gw hantaubz spgapnigqgthvvmcuigluw einoh"), e.g. 8.6%, 1.4%, 2.8%, 3.8%; ciphertext letters are matched to plaintext letters (a, b, c, d, ...) whose frequencies agree.
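The substitution cipher of pages 8 to 10 and the frequency attack sketched against it, as an added Python example that is not part of the slides. The sample plaintext, the English letter order and the random key are constructed for the example; the attack pairs the k-th most frequent ciphertext letter with the k-th most frequent English letter, which only pins down the most frequent letters (e, t, ...) and leaves the rest to be finished by hand with digrams and word patterns, exactly as Holmes does with the dancing men.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Approximate order of English letters, most frequent first (assumption for the example).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

# Constructed sample plaintext (not from the slides), long enough to show the letter bias.
SAMPLE_PLAINTEXT = (
    "the enemy sent three letters to the general before the meeting, but every "
    "letter reached the tent after the men had left the field. never trust a "
    "letter that arrives late; the message inside it has been seen by someone else."
)


def make_key(seed=None):
    """The key is the replacement table: a random permutation of the 26 letters (one of 26! keys)."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return dict(zip(ALPHABET, letters))


def invert(table):
    """Decryption table: the inverse replacement."""
    return {c: p for p, c in table.items()}


def substitute(text, table):
    """Replace each letter via the table; spaces and punctuation pass through unchanged."""
    return "".join(table.get(ch, ch) for ch in text.lower())


def encrypt(plaintext, key):
    return substitute(plaintext, key)


def decrypt(ciphertext, key):
    return substitute(ciphertext, invert(key))


def letter_frequencies(text):
    """Relative frequency of each letter: the statistic a naive substitution cipher preserves."""
    counts = Counter(ch for ch in text.lower() if ch in ALPHABET)
    total = sum(counts.values()) or 1
    return {c: counts[c] / total for c in ALPHABET}


def frequency_attack(ciphertext, reference_order=ENGLISH_ORDER):
    """Sketch of the attack: the k-th most frequent ciphertext letter is guessed to be the
    replacement of the k-th most frequent English letter. Returns a guessed decryption table."""
    freqs = letter_frequencies(ciphertext)
    cipher_order = sorted(ALPHABET, key=lambda c: (-freqs[c], c))
    return dict(zip(cipher_order, reference_order))


def attack_accuracy(guess, key):
    """Fraction of the 26 ciphertext letters the guessed table maps back correctly."""
    true_decrypt = invert(key)
    return sum(guess[c] == true_decrypt[c] for c in ALPHABET) / 26


if __name__ == "__main__":
    key = make_key(seed=2016)
    ct = encrypt(SAMPLE_PLAINTEXT, key)
    guess = frequency_attack(ct)
    print(ct)
    print("guessed decryption:", substitute(ct, guess))
    print("letters recovered: %.0f%%" % (100 * attack_accuracy(guess, key)))
```

The guessed decryption of the sample is only partly readable, but "e" and "t" land in the right places, and that is enough of a foothold for the manual rest of the attack.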

Page 11: many improvements

The vulnerability of the substitution cipher was well known to cryptographers from early days...

many improvements were considered:
one-to-many substitution
substitution of N-grams or words
use of multiple substitution tables
dynamically changing the substitution table → Enigma

Page 12: Enigma

used by the German military in World War II
the substitution is determined by "rotor wheels"
the rotor wheels rotate as each character is processed

Figure: rotor wiring sketch (A, B, C, D)

Enigma showed that machine power >> human power

Page 13: DES (Data Encryption Standard)

DES (Data Encryption Standard)
developed in the US in the 70's to protect sensitive (unclassified) data
not "first-class" cryptography: "good security with reasonable cost"
insecure nowadays, but it played an important role in cryptology

1973 NBS solicited encryption algorithms
1974 IBM submitted a candidate
1977 published as a federal standard
1997 NIST (formerly NBS) solicited the newer AES

Page 14: encryption of DES

Figure: DES encryption. The 64-bit plaintext goes through the initial permutation IP and is split into two 32-bit halves (L0, R0); 16 rounds follow, each applying f with a 48-bit round key (the round keys RK1, ..., RK16 are derived from the 56-bit key); (L16, R16) then goes through IP^-1 to give the 64-bit ciphertext.

Page 15: Feistel structure

Figure: one Feistel round maps (Li, Ri) to (Li+1, Ri+1) using f and the round key RKi+1.

each round of DES has the Feistel structure

the Feistel structure is easy to invert if RKi+1 is provided correctly: the inversion can be done with the same Feistel mechanism (with left and right exchanged)

Page 16: decryption of DES

Figure: DES decryption. The ciphertext goes through IP, the same 16 rounds with the round keys applied in reverse order (RK16, RK15, ..., RK1), and IP^-1; the output is the plaintext.

inside this box is the same as the encryption one: one circuit is used for both encryption and decryption
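The Feistel structure of pages 14 to 16 in Python, as an added example that is not part of the slides: one `feistel` function is the shared circuit, encryption feeds it RK1..RK16 and decryption feeds it the same keys in reverse order. The round function and key schedule are hash-based stand-ins (assumptions for the example, not DES's f or key schedule) and IP/IP^-1 are omitted, so this is not DES; it only demonstrates why the same circuit decrypts, and why a wrong key gives garbage as on page 7.

```python
import hashlib

HALF = 4          # 32-bit halves: the block is 64 bits, as in DES
ROUNDS = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f(right: bytes, round_key: bytes) -> bytes:
    """Round function f(R, RK). DES builds f from expansion, S-boxes and a permutation; this
    stand-in (an assumption of the example) only needs to be a fixed function of (R, RK).
    f is not invertible and need not be: the Feistel structure never inverts f."""
    return hashlib.sha256(round_key + right).digest()[:HALF]


def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    """RK1..RK16 derived from the key (DES uses a shift-and-permute schedule; a hash stands in here)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(1, rounds + 1)]


def feistel(block: bytes, keys: list) -> bytes:
    """The one shared 'circuit': rounds (L_{i+1}, R_{i+1}) = (R_i, L_i xor f(R_i, RK_{i+1})),
    followed by the final swap of the halves (DES likewise omits the swap after round 16)."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be %d bytes" % (2 * HALF))
    left, right = block[:HALF], block[HALF:]
    for rk in keys:
        left, right = right, xor(left, f(right, rk))
    return right + left


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return feistel(plaintext, round_keys(key))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Same circuit, round keys fed in reverse order (RK16 first), exactly as on the slide."""
    return feistel(ciphertext, list(reversed(round_keys(key))))


if __name__ == "__main__":
    key, wrong_key = b"k" * 8, b"x" * 8
    pt = bytes(range(8))
    ct = encrypt(key, pt)
    print("ciphertext:", ct.hex())
    print("D(k, E(k, p)) == p:", decrypt(key, ct) == pt)
    print("D(k', E(k, p)) == p:", decrypt(wrong_key, ct) == pt)
```

Why the reversed key order undoes the rounds: feeding (R16, L16) back in with RK16 recomputes f(R15, RK16) from the half that was never changed, and XORing it away restores L15; by induction every round is peeled off until (L0, R0) is back.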

Page 17: security of DES

theoretical attacks:
differential cryptanalysis by Biham & Shamir (1990); it turned out that this attack had already been investigated at the design phase of DES...
linear cryptanalysis by Matsui (1993): the first time DES was actually broken

exhaustive attacks:
22 hours with 100K computers connected by network (1999)
9 days with an FPGA-based parallel machine (2006)

DES is not secure anymore!

Page 18: rumor about DES

rumor, or urban legend: "the NSA must have put a back door into DES"

NSA: National Security Agency, an intelligence agency of the US; some of its activities are not revealed; involvement in the Echelon system

evidence?
the key length was shortened from the IBM proposal
some substitution tables in DES were replaced by the NSA
the NSA did know about differential cryptanalysis

there is no way to verify what is true and what is not true...

Page 19: AES and others

DES is no longer secure, and there is no way to deny the bad rumor

newer and stronger cryptography is needed

1997 NIST solicited the Advanced Encryption Standard (AES): 15 candidate algorithms from 12 countries
1999 5 candidates passed the screening
2000 Rijndael, from Belgium, was selected as the winner
2001 published as a federal standard

There are many other algorithms: Blowfish, IDEA, Camellia...

Page 20: key agreement

Any common-key cryptography faces one serious problem: how can we share a key with a person at a remote place?

the sender and the receiver must have the same key
the key must not be known to anyone else

solutions...
use an expensive but secure communication channel: secret agent, registered mail, pigeon, etc.
utilize a mathematical trick: key agreement protocol

Page 21: key agreement protocol

We consider a protocol between two users A and B:
the communication channel is not secure
an attacker C can wiretap the communication, but does not modify data in the channel

after the protocol execution...
A and B know a certain piece of information in common
C does not know the information

Page 22: Diffie-Hellman protocol

Diffie-Hellman protocol:
proposed by Diffie & Hellman in 1976
makes use of the property that it is difficult to solve the discrete logarithm problem

preliminaries:
F_q = {0, ..., q – 1} with q a big prime number
g, a generator of F_q (any nonzero a ∈ F_q can be written as a = g^x mod q)
discrete logarithm problem (DLP): "given q, g and a, determine x with a = g^x mod q"

Page 23: example

F_7 = {0, 1, 2, ..., 6}; g = 3 is a generator of F_7

1 = 3^6 mod 7, 2 = 3^2 mod 7, 3 = 3^1 mod 7, 4 = 3^4 mod 7, 5 = 3^5 mod 7, 6 = 3^3 mod 7

the answer x of the DLP for each a:
a | 1 | 2 | 3 | 4 | 5 | 6
x = log_3 a | 6 | 2 | 1 | 4 | 5 | 3

no efficient algorithm is known today... for a tiny q the table can be found by exhaustive search as above, but nobody can solve the problem if q is large (a few thousand bits), since the best known algorithms are far out of reach at that size

Page 24: the protocol

step 1: A and B agree on the prime q and the generator g (in public)
step 2a: A chooses a random x, and sends mA = g^x mod q to B
step 2b: B chooses a random y, and sends mB = g^y mod q to A
step 3a: A computes (mB)^x mod q = g^xy mod q
step 3b: B computes (mA)^y mod q = g^xy mod q

Figure: A (secret x) ← determine q & g → B (secret y); A sends mA = g^x mod q, B sends mB = g^y mod q; both end with g^xy mod q

Page 25: example

q = 197, g = 3
A chooses x = 51 and sends mA = 3^51 mod 197 = 71
B chooses y = 55 and sends mB = 3^55 mod 197 = 38
A computes 38^51 mod 197 = 122; B computes 71^55 mod 197 = 122

How can we compute 38^51 mod 197?
38^51 mod 197 = (38^32 mod 197)(38^16 mod 197)(38^2 mod 197)(38^1 mod 197) mod 197, since 51 = 32 + 16 + 2 + 1
38^2n mod 197 = (38^n mod 197)^2 mod 197, so 38^1, 38^2, 38^4, 38^8, 38^16, 38^32 mod 197 are obtained by repeated squaring
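The protocol of pages 22 to 25 run end to end in Python, as an added example that is not part of the slides: square-and-multiply exactly as described above (repeated squaring plus the binary expansion of the exponent), the exchange with the slide's numbers (q = 197, g = 3, x = 51, y = 55), the generator check and DLP table of page 23 by exhaustive search, and what a wiretapper can do with the values on the wire. The function names are the example's own; `eavesdrop` succeeds only because q is tiny, which is the point of page 23's remark about large q.

```python
def repeated_squares(base, modulus, count):
    """[base^1, base^2, base^4, ..., base^(2^(count-1))] mod modulus, each the square of the previous."""
    out, value = [], base % modulus
    for _ in range(count):
        out.append(value)
        value = value * value % modulus
    return out


def square_and_multiply(base, exponent, modulus):
    """base^exponent mod modulus: multiply together the repeated squares selected by the
    binary digits of the exponent (51 = 32 + 16 + 2 + 1 selects 38^32, 38^16, 38^2, 38^1)."""
    result, square = 1, base % modulus
    while exponent:
        if exponent & 1:
            result = result * square % modulus
        square = square * square % modulus
        exponent >>= 1
    return result


def is_generator(g, q):
    """g generates F_q^* iff g^1 .. g^(q-1) hit every nonzero element (exhaustive; small q only)."""
    return len({square_and_multiply(g, x, q) for x in range(1, q)}) == q - 1


def brute_force_dlp(g, a, q):
    """Solve a = g^x mod q by exhaustive search; smallest x >= 1, or None if a is not a power of g."""
    value = 1
    for x in range(1, q):
        value = value * g % q
        if value == a % q:
            return x
    return None


def diffie_hellman(q, g, x, y):
    """Steps 2 and 3 of the protocol. Returns (mA, mB, key computed by A, key computed by B)."""
    mA = square_and_multiply(g, x, q)
    mB = square_and_multiply(g, y, q)
    return mA, mB, square_and_multiply(mB, x, q), square_and_multiply(mA, y, q)


def eavesdrop(q, g, mA, mB):
    """C knows q, g, mA, mB (page 26). Recovering x needs the DLP; feasible here only because q = 197."""
    x = brute_force_dlp(g, mA, q)
    return x, square_and_multiply(mB, x, q)


if __name__ == "__main__":
    print("powers of 38:", repeated_squares(38, 197, 6))
    print("exchange:", diffie_hellman(197, 3, 51, 55))
    print("F_7, g=3 DLP table:", {a: brute_force_dlp(3, a, 7) for a in range(1, 7)})
    print("wiretapper on q=197:", eavesdrop(197, 3, 71, 38))
```

Python's built-in `pow(base, exponent, modulus)` does the same square-and-multiply; it is written out here only to match the slide's derivation.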

Page 26: security

Is the protocol secure?

Figure: the same exchange as on page 24, with C wiretapping the channel

C finds q, g, mA and mB
C cannot know x and y unless he/she solves the DLP
C cannot know the value of the shared g^xy mod q

Page 27: another security issue

What happens if the attacker does more than wiretapping?
C communicates with A pretending to be B
C communicates with B pretending to be A

A and B communicate with C, each believing that he/she is communicating with the valid counterpart: man-in-the-middle attack
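The attack of page 27 against the page 24 protocol, as an added Python example that is not part of the slides, with the passive wiretapper of page 21 beside it for contrast. `Party` and the two channel functions are the example's own names; the parameters are the slide's q = 197 and g = 3. The attacker solves no DLP: it simply substitutes its own g^z for both messages, and each honest side derives a key that C shares.

```python
Q, G = 197, 3   # public parameters from the slide's example


class Party:
    """A protocol participant: keeps a secret exponent, sends g^secret, derives the key from what it receives."""

    def __init__(self, name, secret, q=Q, g=G):
        self.name, self.secret, self.q, self.g = name, secret, q, g
        self.key = None

    def message(self):
        return pow(self.g, self.secret, self.q)

    def receive(self, m):
        # The party has no way to tell who really sent m: the protocol carries no authentication.
        self.key = pow(m, self.secret, self.q)


def passive_channel(alice, bob):
    """Page 21 model: C only wiretaps. A and B end with the same key; C sees only mA and mB."""
    mA, mB = alice.message(), bob.message()
    bob.receive(mA)
    alice.receive(mB)
    return {"A": alice.key, "B": bob.key, "seen_by_C": (mA, mB)}


def man_in_the_middle(alice, bob, carol):
    """Page 27 model: C replaces each message with its own g^z, running one exchange with A
    (pretending to be B) and another with B (pretending to be A)."""
    mA, mB = alice.message(), bob.message()
    mC = carol.message()
    bob.receive(mC)      # B believes mC came from A
    alice.receive(mC)    # A believes mC came from B
    return {
        "A": alice.key,
        "B": bob.key,
        "C_with_A": pow(mA, carol.secret, carol.q),
        "C_with_B": pow(mB, carol.secret, carol.q),
    }


if __name__ == "__main__":
    print("passive:", passive_channel(Party("A", 51), Party("B", 55)))
    print("active: ", man_in_the_middle(Party("A", 51), Party("B", 55), Party("C", 7)))
```

After the active run A and B hold different keys, each known to C, so C can decrypt everything A sends, read it, and re-encrypt it for B without either side noticing. The fix is outside this chapter: the exchanged values need to be authenticated (for example signed) so that C's substitution is detected.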

Page 28: summary

classification of cryptography: key-less, common-key and public-key

common-key cryptography: substitution cipher; DES

key-agreement protocol

Page 29: exercise

Decrypt the following ciphertext.

qiw aufmlyn gcmwz yz c mcxae yoqweocqyaocu wpwoq jwcqkeyog zkmmwe cod vyoqwe zlaeqz, yo viyni qiakzcodz aj cqiuwqwz lceqynylcqw yo c pceywqf aj namlwqyqyaoz. qiw aufmlyn gcmwz icpw namw qa hw ewgcedwd cz qiw vaeud'z jaewmazq zlaeqz namlwqyqyao viwew maew qico qva ikodewd ocqyaoz lceqynylcqw. qiw gcmwz cew nkeewoquf iwud wpwef qva fwcez, vyqi zkmmwe cod vyoqwe aufmlyn gcmwz cuqweocqyog, cuqiakgi qiwf annke wpwef jake fwcez vyqiyo qiwye ewzlwnqypw zwczaocu gcmwz.

Page 30: about the test

June 4 (Mon), 9:20AM, exercise

June 5 (Tue), 9:20AM, this room
you can bring books, notes and copies of the slides
you can bring a calculator and/or a PC
the PC must be disconnected from the network: download all needed material before the test starts

(the same in Japanese on the slide: books, notes, handouts, calculator, PC ... anything may be brought in; the communication functions of the PC etc. may not be used; download the materials you need beforehand)