
WHAT IS A STREAM CIPHER?

Topics:
- Rotor based system
- Shift register based system
- Design considerations for stream ciphers
- Cryptanalysis of stream ciphers
- Combined encryption and encoding
- Block ciphers
- DES and variants
- Modes of use of DES
- Public key systems
- Knapsack system
- RSK
- Diffie-Hellman exchange
- Authentication
- Digital signatures
- Elliptic curve systems

What is a stream cipher?

Cryptosystems are divided between those that are secret-key or symmetric, and those that are public-key or asymmetric. With the latter, the sender uses publicly known information to send a message to the receiver. The receiver then uses secret information to recover the message. In secret-key cryptography, the sender and receiver have previously agreed on some private information that they use for both encryption and decryption. This information must be kept secret from potential eavesdroppers.

There is a further division of symmetric cryptosystems into block ciphers and stream ciphers. The distinction between block and stream ciphers is perhaps best summarized by the following quotation:

"Block ciphers operate with a fixed transformation on large blocks of plaintext data; stream ciphers operate with a time-varying transformation on individual plaintext digits."

ROTOR BASED SYSTEM (SUNNY, 11121)

Shift register based systems (SURBHI, 11122)

Definition
- A linear feedback shift register (LFSR) is a shift register whose input bit is a linear function of its previous state.
- A shift register is a device whose identifying function is to shift its contents into adjacent positions within the register or, in the case of the position on the end, out of the register.

Description: The feedback function in an LFSR has several names: XOR, odd parity, sum modulo 2. Whatever the name, the function is simple: 1) add the selected bit values; 2) if the sum is odd, the output of the function is one, otherwise the output is zero.

[Figure: a 4-bit Fibonacci LFSR with its state diagram; an XOR gate computes the feedback bit that is shifted into the register.]

Feedback function: The most commonly used linear function of single bits is XOR. Thus, an LFSR is most often a shift register whose input bit is driven by the exclusive-or (XOR) of some bits of the overall shift register value. The initial value of the LFSR is called the seed.

Applications:
- as counters
- in cryptography
- in digital broadcasting and communications
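An added example (not code from the slides) that builds the Fibonacci LFSR defined above, measures its period for two tap choices, and uses its output as a key-stream; the 4-bit register, seed and taps are my choices for illustration:

```python
# Added example, not from the slides: a Fibonacci LFSR built from the definition above,
# with a period check and a stream-cipher use of its key-stream.
from typing import List, Tuple

def lfsr_step(state: int, taps: Tuple[int, ...], nbits: int) -> Tuple[int, int]:
    """Clock the register once.

    Cells are numbered 1..nbits from left to right; cell j is bit (nbits - j) of
    `state`. The rightmost cell (bit 0) is the output, and the feedback (XOR =
    odd parity = sum mod 2 of the tapped cells) enters at the left.
    Returns (output_bit, new_state)."""
    feedback = 0
    for cell in taps:
        feedback ^= (state >> (nbits - cell)) & 1
    out = state & 1
    new_state = (state >> 1) | (feedback << (nbits - 1))
    return out, new_state

def keystream(seed: int, taps: Tuple[int, ...], nbits: int, length: int) -> List[int]:
    """The first `length` output bits for a given seed (the initial value of the LFSR)."""
    bits, state = [], seed
    for _ in range(length):
        out, state = lfsr_step(state, taps, nbits)
        bits.append(out)
    return bits

def period(seed: int, taps: Tuple[int, ...], nbits: int) -> int:
    """Clocks until the register returns to `seed`. At most 2^nbits - 1 for a
    non-zero seed; the all-zero state is a fixed point (period 1)."""
    state = seed
    for clocks in range(1, 2 ** nbits + 1):
        _, state = lfsr_step(state, taps, nbits)
        if state == seed:
            return clocks
    raise RuntimeError("unreachable: every state lies on a cycle")

def stream_xor(data: bytes, seed: int, taps: Tuple[int, ...], nbits: int) -> bytes:
    """Stream-cipher use: XOR each data bit with one key-stream bit. The same call
    with the same seed recovers the data, which is also why key-stream reuse is fatal."""
    ks = keystream(seed, taps, nbits, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for j in range(8):
            k = (k << 1) | ks[8 * i + j]
        out.append(byte ^ k)
    return bytes(out)

if __name__ == "__main__":
    # The 4-bit LFSR of the figure: taps at cells 4 and 3 (x^4 + x^3 + 1, primitive)
    # are maximal, period 15; taps at cells 4 and 2 (x^4 + x^2 + 1) give only period 6.
    print("period, taps (4,3):", period(0b1001, (4, 3), 4))
    print("period, taps (4,2):", period(0b1001, (4, 2), 4))
    print("key-stream:", keystream(0b1001, (4, 3), 4, 15))
```

A 4-bit register is only a teaching size: its 15-bit period is exactly the "long period" requirement from the design considerations, scaled down to something you can trace by hand.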

DESIGN CONSIDERATION FOR STREAM CIPHER (presented by SUSHANT, 11123, final year)

CRYPTANALYSIS OF STREAM CIPHER (SWEETY MITTAL, 11124)

Some design considerations are:
- long period with no repetitions
- statistically random
- depends on a large enough key
- large linear complexity
- correlation immunity
- confusion
- diffusion
- use of highly non-linear Boolean functions

The key-stream must eventually repeat, and key-stream re-use makes the scheme vulnerable to cryptanalysis: for almost every key K, the generated key-stream must have a very long period. The key-stream should be indistinguishable from a random sequence, to hide plaintext statistics.

WHY STUDY CRYPTANALYSIS?

- Information security is a big topic: crypto, access control, protocols, software
- Real-world information security problems abound
- Cryptography is the part of information security that works best
  - Using crypto correctly is important
  - The more we make other parts of security behave like crypto, the better
- Study of cryptanalysis gives insight into all aspects of crypto
- Gain insight into the attacker's mindset: black hat versus white hat mentality
- Cryptanalysis is more fun than cryptography
  - Cryptographers are boring; cryptanalysts are cool
  - But cryptanalysis is hard

Preliminaries
- Cryptosystem: a mechanism for providing a secure means of information exchange.
- Cryptographer: a person who designs a cryptosystem.
- Cryptanalyst: one who tries to attack the cryptosystem.
- Message/plaintext; ciphertext/cipher; key.
- Encryption: the process of transforming the message into cipher.
- Decryption: recovering the actual message from the cipher.
- A cryptosystem is specified by its encryption and decryption procedures.

Classical Cryptography
- Caesar cipher: plaintext (P) and cipher (C) are strings over the English alphabet and the key (K) denotes the number of shifts.
- Substitution cipher: here P and C are over the same alphabet and K is a permutation of the 26 symbols.

Cryptanalysis
- ciphertext only
- known plaintext
- chosen plaintext

Caesar cipher: the key-space is too small. Substitution cipher: frequency attack.

Stream Cipher
- Plaintext (P): binary bit string
- Key-string (K): pseudo-random binary string
- Ciphertext (C): bitwise XOR (addition modulo 2) of P and K

e.g.
P: 011 001 001 000 100 010
K: 001 010 001 101 110 101
C: 010 011 000 101 010 111

Here Pr[P=0] = 2/3 and Pr[P=1] = 1/3; Pr[P=0|C=0] = Pr[P=0|C=1] = 2/3 and Pr[P=1|C=0] = Pr[P=1|C=1] = 1/3. This gives Pr[P] = Pr[P|C]: the ciphertext reveals nothing about the plaintext.

PRACTICAL IMPLEMENTATION

Good Guys and Bad Guys

- Alice and Bob are the good guys
- Trudy is the bad guy; Trudy is our generic intruder
- Alice and Bob want to communicate securely, typically over a network
- Alice or Bob might also want to store their data securely
- Trudy wants to read Alice and Bob's secrets
- Or Trudy might have other devious plans: cause confusion, denial of service, etc.

CIA
- Confidentiality, Integrity and Availability
- Confidentiality: prevent unauthorized reading of information
- Integrity: prevent unauthorized writing of information
- Availability: data is available in a timely manner when needed
- Availability is a new security concern, due to denial of service (DoS) threats

Crypto
- Cryptology: the art and science of making and breaking secret codes
- Cryptography: making secret codes
- Cryptanalysis: breaking secret codes
- Crypto: all of the above (and more)

How to Speak Crypto

- A cipher or cryptosystem is used to encrypt the plaintext
- The result of encryption is ciphertext
- We decrypt ciphertext to recover plaintext
- A key is used to configure a cryptosystem
- A symmetric key cryptosystem uses the same key to encrypt as to decrypt
- A public key cryptosystem uses a public key to encrypt and a private key to decrypt
  - The private key can be used to sign and the public key to verify the signature (more on this later)

Crypto
- Underlying assumption: the system is completely known to Trudy; only the key is secret
- Also known as Kerckhoffs's Principle: crypto algorithms are not secret
- Why do we make this assumption?
  - Experience has shown that secret algorithms are often weak when exposed
  - Secret algorithms never remain secret
  - Better to find weaknesses beforehand

Crypto as a Black Box

[Figure: plaintext P_i goes into encrypt (with the key) and comes out as ciphertext C_i; C_i goes into decrypt (with the key) and comes out as plaintext P_i.]

Note: P_i is the ith unit of plaintext and C_i is the corresponding ciphertext. A unit may be a bit, a letter, a block of bits, etc.

Who Knows What?

[Figure: the same black box. Alice holds the key and encrypts P_i to C_i; Bob holds the key and decrypts C_i to P_i; Trudy sits between them and sees C_i.]

- Trudy knows the ciphertext
- Trudy knows the cipher and how it works
- Trudy might know a little more
- Trudy does not know the key

Taxonomy of Cryptography
- Symmetric key: same key for encryption as for decryption; stream ciphers and block ciphers
- Public key: two keys, one for encryption (public) and one for decryption (private); digital signatures, with nothing comparable in symmetric key crypto
- Hash algorithms

Cryptanalysis
- This course focuses on cryptanalysis
- Trudy wants to recover the key or the plaintext
- Trudy is not bound by any rules: for example, Trudy might attack the implementation, not the algorithm itself, or use side channel information, etc.

Exhaustive Key Search

- How can Trudy attack a cipher? She can simply try all possible keys and test each to see if it is correct: exhaustive key search
- To prevent an exhaustive key search, a cryptosystem must have a large keyspace: there must be too many keys for Trudy to try them all in any reasonable amount of time

Beyond Exhaustive Search

- A large keyspace is necessary for security, but a large keyspace is not sufficient
- Shortcut attacks might exist; we will see many examples of shortcut attacks
- In cryptography we can (almost) never prove that no shortcut attack exists
- This makes cryptography interesting

Taxonomy of Cryptanalysis
- Ciphertext only: always an option
- Known plaintext: possible in many cases
- Chosen plaintext: "lunchtime attack"; protocols might encrypt chosen text
- Adaptively chosen plaintext
- Related key
- Forward search (public key crypto only)
- "Rubber hose", bribery, etc., etc., etc.

Definition of Secure
- A cryptosystem is secure if the best known attack is to try all possible keys
- A cryptosystem is insecure if any shortcut attack is known
- By this definition, an insecure system might be harder to break than a secure system!
- Why do we define secure this way? The size of the keyspace is the advertised level of security; if an attack requires less work, then that is false advertising
- A cipher must be secure (by our definition) and have a large keyspace, too big for an exhaustive key search

Theoretical Cryptanalysis
- Suppose that a cipher has a 100-bit key; then the keyspace is of size 2^100
- On average, for exhaustive search Trudy tests 2^100/2 = 2^99 keys
- Suppose Trudy can test 2^30 keys/second; then she can find the key in about 37.4 trillion years
- Suppose there is a shortcut attack with work equal to testing about 2^80 keys
- If Trudy can test 2^30 per second, then she finds the key in 36 million years: better than 37 trillion, but not practical

Applied Cryptanalysis
- In this class, we focus on attacks that produce plaintext; we are not interested in attacks that just show a theoretical weakness in a cipher
- We call this applied cryptanalysis
- Why applied cryptanalysis? Because it's a lot more fun, and it's a good place to start

Applied Cryptanalysis: Overview

- Classic (pen and paper) ciphers: transposition, substitution, etc.; the same principles appear in later sections
- World War II ciphers: Enigma, Purple, Sigaba
- Stream ciphers: shift registers, correlation attack, ORYX, RC4, PKZIP
- Block ciphers: Hellman's TMTO, CMEA, Akelarre, FEAL
- Hash functions: Nostradamus attack, MD4, MD5
- Public key crypto: Knapsack, Diffie-Hellman, Arithmetica, RSA, Rabin, NTRU, ElGamal; factoring, discrete log, timing, glitching

COMBINED ENCODING & ENCRYPTION (TRIPTI JAIN, 11125)

ENCODING
- Encoding is the process of transforming source information into a specialised format so that it can be consumed by different types of systems and transmitted efficiently. The reverse of this process is decoding.
- The goal is not to keep information secret, but rather to ensure that it is able to be properly consumed.
- Uses a scheme that is publicly available
- Does not require a key
- Decoding requires only the algorithm that was used to encode
- Examples: ASCII, Unicode, URL encoding, Base64

ENCRYPTION
- Encryption is the process of obscuring information to make it unreadable without special knowledge, sometimes referred to as scrambling.
- The goal is to ensure the data cannot be consumed by anyone other than the intended recipient(s).
- The transformation uses a key which is kept secret, in conjunction with the plaintext and the algorithm.
- Examples: AES, Blowfish, RSA

A symmetric encryption scheme has five ingredients:
1. Plaintext: the original intelligible message
2. Encryption algorithm: performs various substitutions and transformations on the plaintext
3. Secret key: another input to the encryption algorithm, independent of the plaintext and the algorithm
4. Ciphertext: the scrambled message produced as output; depends on the plaintext and the secret key
5. Decryption algorithm: essentially the encryption algorithm run in reverse

Figure 2.1. Simplified Model of Conventional Encryption

COMBINED ENCODING AND ENCRYPTION

The problem of joint encryption and encoding for error correction can be formulated either as:
1. an encoding problem followed by encryption, or
2. encryption followed by encoding.

Encoding followed by encryption

- Earlier, McEliece used this approach and designed a public key cryptosystem based on algebraic coding theory.
- More recently, Rao and Nam introduced a private key algebraic-coded cryptosystem using only small distance (d < 6) codes.
- This scheme results in a very strong cryptosystem with high information rate and low overhead.

Encryption followed by encoding

- Considering this approach, Kak described a method based on D-sequences.
- He used the scheme for secure and error-free transmission of the keys in the Diffie-Hellman system.
- In broadband communication, a technique of error-free transmission for stream ciphers is introduced.
- The capability of error correction depends upon the introduction of redundancy into the sequence.
- Breaking the encryption into blocks, then introducing the redundancy bits for error correction, increases the complexity of the encryption sequence from 2^n to 2^(mn).

S-DES (Simplified Data Encryption Standard)

- Takes an 8-bit block of plaintext and a 10-bit key and produces an 8-bit block of ciphertext
- Decryption takes the 8-bit block of ciphertext and the same 10-bit key and produces the original 8-bit block of plaintext
- Five functions to encrypt:
  - IP: an initial permutation
  - f_K: a complex 2-input function
  - SW: a simple permutation that swaps the two halves
  - f_K: the complex 2-input function again (with the second round key)
  - IP^-1: the inverse of the initial permutation

S-DES Scheme

[Figure: Encryption: 8-bit plaintext → IP → f_K (K1) → SW → f_K (K2) → IP^-1 → 8-bit ciphertext. Decryption: 8-bit ciphertext → IP → f_K (K2) → SW → f_K (K1) → IP^-1 → 8-bit plaintext. Key generation: 10-bit key → P10 → shift → P8 gives K1; a further shift → P8 gives K2.]

Key Generation

[Figure: 10-bit key → P10 → two 5-bit halves → LS-1 on each half → P8 → K1 (8 bits); the LS-1 halves → LS-2 on each half → P8 → K2 (8 bits).]

P10 Permutation
input:  k1 k2 k3 k4 k5 k6 k7 k8 k9 k10
output: k3 k5 k2 k7 k4 k10 k1 k9 k8 k6

P8 Permutation (permute 10 bits into 8)
input:  k1 k2 k3 k4 k5 k6 k7 k8 k9 k10
output: k6 k3 k7 k4 k8 k5 k10 k9

LS-1: left circular shift by 1 of each 5-bit group
input:  k3 k5 k2 k7 k4 | k10 k1 k9 k8 k6
output: k5 k2 k7 k4 k3 | k1 k9 k8 k6 k10

LS-2: left circular shift by 2 of each 5-bit group
input:  k3 k5 k2 k7 k4 | k10 k1 k9 k8 k6
output: k2 k7 k4 k3 k5 | k9 k8 k6 k10 k1

Encryption Detail

[Figure: after IP, f_K with K1: E/P expands the 4-bit right half to 8 bits, XOR with the round key, S0 and S1 each map 4 bits to 2 bits, P4 permutes the 4-bit result, which is XORed into the left half; then SW, f_K again with K2, and IP^-1.]

Initial Permutation (IP) and Inverse Permutation (IP^-1)

Initial Permutation
input:  k1 k2 k3 k4 k5 k6 k7 k8
output: k2 k6 k3 k1 k4 k8 k5 k7

Inverse Permutation
input:  k1 k2 k3 k4 k5 k6 k7 k8
output: k4 k1 k3 k5 k7 k2 k8 k6

Expansion/Permutation (E/P): expand 4 bits into 8 and permute them
input:  k1 k2 k3 k4
output: k4 k1 k2 k3 k2 k3 k4 k1

Substitution Boxes (row = outer two input bits, column = inner two input bits)

S0:
row 0: 1 0 3 2
row 1: 3 2 1 0
row 2: 0 2 1 3
row 3: 3 1 3 2

S1:
row 0: 0 1 2 3
row 1: 2 0 1 3
row 2: 3 0 1 0
row 3: 2 1 0 3
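An added example (not code from the slides) that implements S-DES exactly from the tables above: P10, P8, the LS shifts, IP, IP^-1, E/P, S0 and S1. The only table the slides do not give is P4; the value (2 4 3 1) used here is the one from the standard S-DES definition and is marked as such in the code.

```python
# Added example, not from the slides: S-DES as defined by the tables above.
# All permutation tables are 1-based positions, bit 1 being the leftmost bit.
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)          # not on the slides: taken from the standard S-DES definition
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(value: int, table, in_bits: int) -> int:
    """Apply a 1-based permutation/expansion table to an in_bits-wide value."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (in_bits - pos)) & 1)
    return out

def rotl5(half: int, n: int) -> int:
    """Left circular shift of a 5-bit group by n (LS-1 and LS-2 on the slides)."""
    return ((half << n) | (half >> (5 - n))) & 0x1F

def key_schedule(key10: int):
    """K1 = P8(LS-1(P10(key))); K2 = P8(LS-2(LS-1(P10(key)))), as in the key-generation figure."""
    p = permute(key10, P10, 10)
    left, right = rotl5(p >> 5, 1), rotl5(p & 0x1F, 1)
    k1 = permute((left << 5) | right, P8, 10)
    left, right = rotl5(left, 2), rotl5(right, 2)
    k2 = permute((left << 5) | right, P8, 10)
    return k1, k2

def sbox(box, nibble: int) -> int:
    """Row is selected by the outer bits (b1 b4), column by the inner bits (b2 b3)."""
    row = (((nibble >> 3) & 1) << 1) | (nibble & 1)
    col = (nibble >> 1) & 3
    return box[row][col]

def f_k(block8: int, subkey: int) -> int:
    """The 2-input function f_K: E/P, XOR with the round key, S0/S1, P4, XOR into the left half."""
    left, right = block8 >> 4, block8 & 0xF
    t = permute(right, EP, 4) ^ subkey
    s = (sbox(S0, t >> 4) << 2) | sbox(S1, t & 0xF)
    return ((left ^ permute(s, P4, 4)) << 4) | right

def swap(block8: int) -> int:
    """SW: exchange the two 4-bit halves."""
    return ((block8 & 0xF) << 4) | (block8 >> 4)

def encrypt(plain8: int, key10: int) -> int:
    """IP^-1( f_K2( SW( f_K1( IP(plaintext) ) ) ) )"""
    k1, k2 = key_schedule(key10)
    return permute(f_k(swap(f_k(permute(plain8, IP, 8), k1)), k2), IP_INV, 8)

def decrypt(cipher8: int, key10: int) -> int:
    """Same structure with the round keys in the opposite order."""
    k1, k2 = key_schedule(key10)
    return permute(f_k(swap(f_k(permute(cipher8, IP, 8), k2)), k1), IP_INV, 8)

if __name__ == "__main__":
    key = 0b1010000010
    print("K1, K2 =", [format(k, "08b") for k in key_schedule(key)])
    c = encrypt(0b11010111, key)
    print("ciphertext =", format(c, "08b"), "plaintext back =", format(decrypt(c, key), "08b"))
```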

MODERN BLOCK CIPHERS (TUSHAR, 11126)

Symmetric Cipher Model

[Figure: plaintext message → encryption algorithm (secret key) → transmitted ciphertext → decryption algorithm (same secret key) → plaintext message. The secret key is known to sender and receiver.]

Monoalphabetic Substitution Cipher

Shuffle the letters and map each plaintext letter to a different random ciphertext letter:
Plain letters:  abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
What does a key look like?

Playfair Key Matrix

Use a 5 x 5 matrix. Fill in the letters of the key (without duplicates). Fill the rest of the matrix with the other letters. E.g., key = MONARCHY:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Vigenère Cipher
The simplest polyalphabetic substitution cipher. Consider the set of all Caesar ciphers: { C_a, C_b, C_c, ..., C_z }. Key: e.g. "security". Encrypt each letter using C_s, C_e, C_c, C_u, C_r, C_i, C_t, C_y in turn, repeating from the start after C_y. Decryption simply works in reverse.
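An added example (not code from the slides) covering the three classical ciphers above: the monoalphabetic substitution with the slides' own alphabet, the Vigenère cipher with key "security", and the Playfair matrix built from MONARCHY, extended with the usual Playfair digraph rules (same row, same column, rectangle), which the slides do not show and which are added here:

```python
# Added example, not from the slides: monoalphabetic, Vigenère and Playfair.
import string

ALPHA = string.ascii_lowercase

def mono_encrypt(plaintext: str, cipher_alphabet: str) -> str:
    """Monoalphabetic substitution: the i-th plaintext letter maps to cipher_alphabet[i]."""
    table = {p: c for p, c in zip(ALPHA, cipher_alphabet.upper())}
    return "".join(table[ch] for ch in plaintext.lower() if ch in table)

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Letter j is enciphered with the Caesar cipher C_{key[j mod len(key)]}."""
    out = []
    for j, ch in enumerate(text.lower()):
        k = ALPHA.index(key[j % len(key)].lower())
        shift = -k if decrypt else k
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26])
    return "".join(out)

def playfair_matrix(key: str):
    """5x5 key matrix: key letters without duplicates, then the rest of the alphabet; I and J share a cell."""
    seen, cells = set(), []
    for ch in (key + ALPHA).upper():
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]

def playfair_encrypt(plaintext: str, key: str) -> str:
    """Standard Playfair rules (added here, not on the slides): a repeated letter in a
    pair is split with X, an odd tail is padded with X; same row -> take the letter to
    the right, same column -> the letter below, otherwise the opposite rectangle corner."""
    m = playfair_matrix(key)
    pos = {ch: (r, c) for r, row in enumerate(m) for c, ch in enumerate(row)}
    letters = [("I" if ch == "J" else ch) for ch in plaintext.upper() if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            b, i = "X", i + 1
        else:
            i += 2
        pairs.append((a, b))
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:
            out.append(m[ra][(ca + 1) % 5] + m[rb][(cb + 1) % 5])
        elif ca == cb:
            out.append(m[(ra + 1) % 5][ca] + m[(rb + 1) % 5][cb])
        else:
            out.append(m[ra][cb] + m[rb][ca])
    return "".join(out)

if __name__ == "__main__":
    print(mono_encrypt("ifwewishtoreplaceletters", "DKVQFIBJWPESCXHTMYAUOLRGZN"))
    print(vigenere("attack", "security"), vigenere(vigenere("attack", "security"), "security", True))
    print(playfair_matrix("MONARCHY"))
    print(playfair_encrypt("balloon", "MONARCHY"))
```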

Basic idea of modern block ciphers

From classical ciphers, we learn two techniques that may improve security:
- encrypt multiple letters at a time
- use multiple ciphertext alphabets (polyalphabetic ciphers)

Combining these two techniques:
- encrypt eight (or more) letters at a time: called a block cipher
- and use an extremely large number of ciphertext alphabets: these will be called modes of operation

Block Ciphers
In general, a block cipher replaces a block of N plaintext bits with a block of N ciphertext bits (e.g., N = 64 or 128). A block cipher is a monoalphabetic cipher: each block may be viewed as a gigantic character, and the alphabet consists of 2^N gigantic characters. Each particular cipher is a one-to-one mapping from the plaintext alphabet to the ciphertext alphabet. There are 2^N! such mappings. A secret key indicates which mapping to use.

Ideal Block Cipher

- An ideal block cipher would allow us to use any of these 2^N! mappings. The key space would be extremely large.
- But this would require a key of log2(2^N!) bits. If N = 64, log2(2^N!) ≈ N × 2^N ≈ 10^21 bits ≈ 10^11 GB. Infeasible!

Practical Block Ciphers

- Modern block ciphers use a key of K bits to specify a random subset of 2^K mappings. If K ≈ N, 2^K is much smaller than 2^N!, but is still very large.
- If the selection of the 2^K mappings is random, the resulting cipher will be a good approximation of the ideal block cipher. Horst Feistel, in the 1970s, proposed a method to achieve this.

The Feistel Cipher Structure

- Input: a data block and a key
- Partition the data block into two halves L and R
- Go through a number of rounds. In each round, R does not change, and L goes through an operation that depends on R and a round key derived from the key.

The Feistel Cipher Structure

[Figure: round i. Inputs L_{i-1} and R_{i-1}; R_{i-1} is fed through f with round key k_i and XORed with L_{i-1}; the halves are then swapped, giving L_i and R_i. The round is the composition of J_i (the XOR step) and Q (the swap).]

Mathematical Description of Round i

- Let L_{i-1} and R_{i-1} be the input of round i, and L_i and R_i the output.
- We have L_i := R_{i-1}, R_i := L_{i-1} ⊕ F(R_{i-1}, K_i).
- Or, (L_i, R_i) := Q ∘ J_i (L_{i-1}, R_{i-1}), where J_i : (x, y) ↦ (x ⊕ F(y, k_i), y) and Q : (x, y) ↦ (y, x).
- Note that J_i^-1 = J_i and Q^-1 = Q.

Feistel Cipher
- Goes through a number of rounds, say 16 rounds.
- A Feistel cipher encrypts a plaintext block m as: c := E_k(m) := Q ∘ Q ∘ J_16 ∘ ... ∘ Q ∘ J_2 ∘ Q ∘ J_1 (m)
- The decryption will be: D_k(c) = J_1^-1 ∘ Q^-1 ∘ J_2^-1 ∘ ... ∘ Q^-1 ∘ J_16^-1 ∘ Q^-1 ∘ Q^-1 (c) = Q ∘ Q ∘ J_1 ∘ Q ∘ J_2 ∘ ... ∘ Q ∘ J_16 (c)
- The decryption algorithm is the same as the encryption algorithm, but uses the round keys in the reverse order.
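An added example (not code from the slides) that writes a toy 16-round Feistel cipher literally as the composition Q ∘ J_i above and decrypts by running the same function with the round keys reversed. The 16-bit block size, the round function F and the key schedule are my own illustrative choices with no cryptographic strength:

```python
# Added example, not from the slides: a toy Feistel cipher as the composition Q∘J_i.
ROUNDS = 16
MASK8 = 0xFF

def F(y: int, k: int) -> int:
    """Toy round function on an 8-bit half (assumption: illustration only, not secure)."""
    t = (y ^ k) & MASK8
    t = (t * 0x9D + 0x3B) & MASK8          # byte multiply-add for some mixing
    return ((t << 3) | (t >> 5)) & MASK8    # rotate left by 3

def J(x: int, y: int, k: int):
    """J_i: (x, y) -> (x XOR F(y, k_i), y). It is its own inverse."""
    return x ^ F(y, k), y

def Q(x: int, y: int):
    """Q: (x, y) -> (y, x). It is its own inverse."""
    return y, x

def round_keys(key: int):
    """Toy key schedule: 16 round keys derived from a 32-bit key (assumption: illustration only)."""
    return [((key >> (2 * i)) ^ (key >> (i + 5)) ^ (i * 0x1F)) & MASK8 for i in range(ROUNDS)]

def feistel(block: int, keys) -> int:
    """Q ∘ Q ∘ J_16 ∘ Q ∘ ... ∘ Q ∘ J_1: swap after every round, then the extra Q undoes the last swap."""
    L, R = block >> 8, block & MASK8
    for k in keys:
        L, R = Q(*J(L, R, k))
    L, R = Q(L, R)
    return (L << 8) | R

def encrypt(block: int, key: int) -> int:
    return feistel(block, round_keys(key))

def decrypt(block: int, key: int) -> int:
    """The same algorithm with the round keys in reverse order, exactly as the slide states."""
    return feistel(block, round_keys(key)[::-1])

if __name__ == "__main__":
    key, m = 0xDEADBEEF, 0x1234
    c = encrypt(m, key)
    print(f"m={m:04x} c={c:04x} decrypt(c)={decrypt(c, key):04x}")
```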

DES AND VARIANTS (UMESH, 11127)

DES
DES is the archetypal block cipher: an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into a ciphertext bit string of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt.

Description
The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is never quoted as such. Every 8th bit of the selected key is discarded, that is, positions 8, 16, 24, 32, 40, 48, 56 and 64 are removed from the 64-bit key, leaving behind only the 56-bit key.

Like other block ciphers, DES by itself is not a secure means of encryption but must instead be used in a mode of operation. FIPS-81 specifies several modes for use with DES. Further comments on the usage of DES are contained in FIPS.

MODES OF USE OF DES (UTKARSH, 11128)

DES: Data Encryption Standard

- Most widely used block cipher in the world
- Adopted in 1977 by NBS (now NIST) as FIPS PUB 46
- Encrypts 64-bit data using a 56-bit key
- Has widespread use
- There has been considerable controversy over its security

DES (Contd.)
- Block cipher: 64 bits at a time
- Initial permutation rearranges the 64 bits (no cryptographic effect)
- Encoding is in 16 rounds

[Figure: plaintext → initial permutation → round 1 → round 2 → ... → round 16 → inverse initial permutation → ciphertext]

DES MODES
- ECB, Electronic CodeBook mode: encrypt each 64-bit block independently. An attacker could build a codebook.
- CBC, Cipher Block Chaining mode: encryption C_i = E_K(P_i ⊕ C_{i-1}); decryption P_i = C_{i-1} ⊕ D_K(C_i).
- CFB, OFB (Cipher FeedBack, Output FeedBack): allow byte-wise encryption.

Electronic Code Book (ECB) Mode

[Figure: plaintext blocks 1 to 5 each go through E(block) independently, giving ciphertext blocks 1 to 5. Pad the last block, if necessary.]

Cipher Block Chaining (CBC) Mode

[Figure: a random block is XORed with plaintext block 1 before E(block); each later plaintext block is XORed with the previous ciphertext block before E(block), giving ciphertext blocks 2 to 5. Pad the last block, if necessary.]

The random block, called the IV, can be sent in plaintext. It is not a secret; it just prevents a codebook. Often it is a timestamp.

Cipher Feedback (CFB) Mode

[Figure: 1 unit is 1/N of a block. A shift register (1 block wide) holds the last ciphertext units C_{i-6} ... C_{i-1}; it is encrypted with E(register), and the leftmost unit of the encrypted register is XORed with the next unit of plaintext to give the next unit of ciphertext.]

After each unit, shift the input register and insert the most recently generated unit of ciphertext.

Output Feedback (OFB) Mode

[Figure: 1 unit is 1/N of a block. A shift register (1 block wide) is encrypted with E(register), and the leftmost unit of the encrypted register is XORed with the next unit of plaintext to give the next unit of ciphertext.]

After each unit, shift the input register and insert the leftmost unit of the encrypted register.
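An added example (not code from the slides) implementing the four modes above over a toy block cipher, so the codebook leak of ECB and the feedback rules of CFB/OFB can be observed directly. The block cipher is a keyed random permutation of 16-bit blocks, an assumption made only so the example runs offline; a real deployment uses DES or AES from a library:

```python
# Added example, not from the slides: ECB, CBC, CFB and OFB over a toy 16-bit block cipher.
import random

BLOCK = 2  # bytes per block (16-bit toy cipher)

def make_cipher(key: int):
    """Return (E, D): a keyed permutation of all 65536 block values and its inverse (the 'codebook')."""
    table = list(range(1 << 16))
    random.Random(key).shuffle(table)   # deterministic for a given key; illustration only
    inv = [0] * len(table)
    for i, v in enumerate(table):
        inv[v] = i
    E = lambda b: table[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    D = lambda b: inv[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    return E, D

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):
    assert len(data) % BLOCK == 0, "caller pads the last block"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(E, pt: bytes) -> bytes:
    """Each block independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(E(p) for p in blocks(pt))

def cbc_encrypt(E, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(xor(p, prev))           # C_i = E_K(P_i XOR C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(D, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(prev, D(c)))      # P_i = C_{i-1} XOR D_K(C_i)
        prev = c
    return b"".join(out)

def cfb_encrypt(E, iv: bytes, pt: bytes) -> bytes:
    """1-byte units: encrypt the register, XOR its leftmost byte with the next plaintext
    byte, then shift the new ciphertext byte into the register."""
    reg, out = iv, []
    for byte in pt:
        c = E(reg)[0] ^ byte
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

def cfb_decrypt(E, iv: bytes, ct: bytes) -> bytes:
    """Only E is needed: the register is rebuilt from the ciphertext bytes."""
    reg, out = iv, []
    for c in ct:
        out.append(E(reg)[0] ^ c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

def ofb_crypt(E, iv: bytes, data: bytes) -> bytes:
    """The register is fed the leftmost byte of the encrypted register, not the ciphertext,
    so the key stream does not depend on the data and the same call decrypts."""
    reg, out = iv, []
    for byte in data:
        k = E(reg)[0]
        out.append(k ^ byte)
        reg = reg[1:] + bytes([k])
    return bytes(out)

def repeated_blocks(ct: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier one: what a codebook attacker sees."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

if __name__ == "__main__":
    E, D = make_cipher(42)
    pt, iv = b"AB" * 6, b"\x13\x37"
    print("ECB repeats:", repeated_blocks(ecb_encrypt(E, pt)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(E, iv, pt)))
    print("CFB round trip:", cfb_decrypt(E, iv, cfb_encrypt(E, iv, b"hello world")))
```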

PUBLIC KEY SYSTEM (VANDANA, 11129)

In a public key system, each user has a publicly known encryption key (public key) and a private key known only to that user. Messages are encrypted using the receiver's public key; when the receiver gets a message, they decrypt it using their private key. Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman.

Asymmetric encryption

The key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys: a public encryption key and a private decryption key. The publicly available encrypting key is widely distributed, while the private decrypting key is known only to the recipient. Messages are encrypted with the recipient's public key and can be decrypted only with the corresponding private key.

Symmetric encryption
In contrast, symmetric-key algorithms, variations of which have been used for thousands of years, use a single secret key which must be shared and kept private by both sender and receiver for both encryption and decryption. To use a symmetric encryption scheme, the sender and receiver must securely share a key in advance.

Branches
The two main branches of public key cryptography are:
- public key encryption
- digital signatures

KNAPSACK SYSTEM (VANDANA, 11130)

RSK (VIKAS, 11131)

What is RSK?
RSK is a process developed by NMI Info Security Solutions to quantify the risk to your information systems. The RSK program evaluates thousands of risk factors that affect your information systems, including the computers in your information system, the network applications running on those computers, security holes associated with those network applications and configuration errors.

The output of the RSK program is a number called an RSK measurement. An RSK measurement is a number that is easy to communicate and easy to understand. High numbers mean a higher risk to your information systems.

How RSK Helps You Manage Risk and Save Money

- RSK allows you to perform risk assessments more frequently.
- RSK makes the results of risk assessments easily accessible to all audiences.
- RSK allows you to track your risk management progress and to compare your risk levels with other organizations in your industry.
- RSK allows you to prioritize and determine the cost effectiveness of remedial actions.

RSK allows you to perform risk assessments more frequently.


Full risk assessments can cost tens or hundreds of thousands of dollars. RSK allows you to perform lightweight differential risk assessments that are a fraction of the cost of full risk assessments. By performing more frequent risk assessments, you increase your chance of catching a serious problem before someone else does.

RSK makes the results of risk assessments easily accessible to all audiences.
In addition to a traditional text report (possibly hundreds of pages long) outlining the technical and policy issues to be addressed, RSK provides a quick and easy-to-understand interpretation of the risk to your organization's information security. This allows senior executives to access the information they need to make decisions about risk management strategies.

RSK allows you to prioritize and determine the cost effectiveness of remedial actions.
Very few organizations have the time, money, or human resources to implement every recommendation of a risk assessment. Some recommendations may be very costly to implement, and the degree they reduce risk may not be obvious using traditional risk assessment techniques. By attaching a consistent numeric value to each risk factor, RSK allows risk managers to prioritize remedial actions that result in the greatest reduction of risk at the lowest cost.

DIFFIE-HELLMAN EXCHANGE (YOGESH, 11132)

Diffie-Hellman Exchange [DH 76]


[Figure: Alice sends g^x to Bob; Bob sends g^y to Alice.]

Both parties compute the secret key K = g^(xy) = (g^x)^y = (g^y)^x.

Assumes authenticated channels (+ DDH assumption); open to man-in-the-middle in a realistic unauthenticated setting.

Authenticated Diffie-Hellman
- Bind the key to identities via PKs (or other means)
- Non-trivial: innumerable proposals, many broken
  - NOT that a good protocol must be complex or inefficient, only that it is incredibly easy to design them wrong
  - No need to compromise for weak protocols anymore
- What does it mean for a KE protocol to be secure? What are the attacker's capabilities?
  - Many works/approaches: much beyond preventing obvious impersonation and key recovery attacks (known-key attacks, ephemeral vs static, UKS, PFS, KCI, ...)

HMQV: A secure MQV variant

- As in MQV: basic DH (X = g^x, Y = g^y), PKs: A = g^a, B = g^b
- Both compute g^((x+da)(y+eb)), as (Y·B^e)^(x+da) on Alice's side and (X·A^d)^(y+eb) on Bob's side, with d = H(X, "Bob"), e = H(Y, "Alice") (here H outputs |q|/2 bits)
- Session key K = H(g^((x+da)(y+eb)))
- Differences with MQV: the definition of d, e binds the ids and randomizes the representation; hashing the shared value is an integral (and essential) part of the protocol (OW, RO)
- HMQV = Hashed MQV (note: 2.5 exponentiations)
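An added example (not code from the slides) that carries out the plain DH exchange and the HMQV computation above for both parties and checks that they agree. The toy group (p = 2039, q = 1019, g = 4 generating the order-q subgroup), the SHA-256-based H, the identity strings and the secret exponents are my assumptions for illustration; real use needs a standard-size group:

```python
# Added example, not from the slides: DH and HMQV in a toy prime-order group.
import hashlib

P, Q, G = 2039, 1019, 4          # p = 2q + 1 (safe prime); g = 4 has order q (assumed toy parameters)

def H_bits(nbits: int, *parts) -> int:
    """H truncated to nbits; the slides use |q|/2 bits for d and e. Inputs are joined unambiguously."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << nbits)

def dh_exchange(x: int, y: int):
    """Unauthenticated DH: Alice sends X = g^x, Bob sends Y = g^y. Returns (Alice's K, Bob's K)."""
    X, Y = pow(G, x, P), pow(G, y, P)
    return pow(Y, x, P), pow(X, y, P)   # K = (g^y)^x = (g^x)^y = g^(xy)

def hmqv_side(my_static: int, my_eph: int, peer_static_pub: int, peer_eph_pub: int,
              my_id: str, peer_id: str, initiator: bool) -> int:
    """One party's HMQV computation. The initiator is 'Alice' with A = g^a, X = g^x and
    computes (Y * B^e)^(x + d*a); the responder is 'Bob' and computes (X * A^d)^(y + e*b),
    where d = H(X, "Bob") and e = H(Y, "Alice"). Returns the session key K = H(shared value)."""
    l = Q.bit_length() // 2             # |q|/2 bits
    my_eph_pub = pow(G, my_eph, P)
    if initiator:
        X, Y = my_eph_pub, peer_eph_pub
        d, e = H_bits(l, X, peer_id), H_bits(l, Y, my_id)
        mine, theirs = d, e             # Alice's exponent uses d, Bob's public key is raised to e
    else:
        X, Y = peer_eph_pub, my_eph_pub
        d, e = H_bits(l, X, my_id), H_bits(l, Y, peer_id)
        mine, theirs = e, d             # Bob's exponent uses e, Alice's public key is raised to d
    exponent = (my_eph + mine * my_static) % Q
    base = (peer_eph_pub * pow(peer_static_pub, theirs, P)) % P
    sigma = pow(base, exponent, P)      # sigma is my name for g^((x+da)(y+eb))
    return H_bits(256, "HMQV-key", sigma)

def run_hmqv(a: int, b: int, x: int, y: int):
    """Both sides of one HMQV run with static keys a, b and ephemerals x, y (two and a half
    exponentiations each, as the slide notes). Returns (Alice's K, Bob's K)."""
    A, B = pow(G, a, P), pow(G, b, P)
    X, Y = pow(G, x, P), pow(G, y, P)
    k_alice = hmqv_side(a, x, B, Y, "Alice", "Bob", initiator=True)
    k_bob = hmqv_side(b, y, A, X, "Bob", "Alice", initiator=False)
    return k_alice, k_bob

if __name__ == "__main__":
    print("DH:  ", dh_exchange(789, 321))
    print("HMQV:", run_hmqv(123, 456, 789, 321))
```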



HMQV Analysis
- In the KE model of Canetti and Krawczyk [CK01]
- The attacker may access private keys, session keys and session-state information (exposed session)
- Any unexposed session is secure (its key is indistinguishable from random)
- In addition: extensions to capture PFS, KCI
- [CK01] prove that secure KE in this model gives secure communications (secure channels)
- Note: the protocol must specify what resides in state and what in protected memory (such as private keys)

AUTHENTICATION (RAHUL, 11133)

DIGITAL SIGNATURE (VIKAS, 11640)

Objectives
- To define a digital signature
- To define the security services provided by a digital signature
- To define attacks on digital signatures
- To discuss some digital signature schemes, including RSA, ElGamal, Schnorr, DSS, and elliptic curve
- To describe some applications of digital signatures

1 COMPARISON

Let us begin by looking at the differences between conventional signatures and digital signatures.

Topics discussed in this section:
1.1 Inclusion
1.2 Verification Method
1.3 Relationship
1.4 Duplicity

1.1 Inclusion

A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document.

1.2 Verification Method

For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

1.3 Relationship

For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message.

1.4 Duplicity

For a conventional signature, a copy of the signed document can be distinguished from the original one on file. For a digital signature, there is no such distinction unless there is a factor of time on the document.

2 PROCESS

Figure 13.1 shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, it is rejected.

Topics discussed in this section:
2.1 Need for Keys
2.2 Signing the Digest

Figure 13.1 Digital signature process

2.1 Need for Keys

Figure 13.2 Adding key to the digital signature process

Note: A digital signature needs a public-key system. The signer signs with her private key; the verifier verifies with the signer's public key.

Note: A cryptosystem uses the private and public keys of the receiver; a digital signature uses the private and public keys of the sender.

2.2 Signing the Digest

Figure 13.3 Signing the digest

3 SERVICES

We discussed several security services in Chapter 1, including message confidentiality, message authentication, message integrity, and nonrepudiation. A digital signature can directly provide the last three; for message confidentiality we still need encryption/decryption.

Topics discussed in this section:
3.1 Message Authentication
3.2 Message Integrity
3.3 Nonrepudiation
3.4 Confidentiality

3.1 Message Authentication

A secure digital signature scheme, like a secure conventional signature, can provide message authentication.

Note: A digital signature provides message authentication.

3.2 Message Integrity

The integrity of the message is preserved even if we sign the whole message, because we cannot get the same signature if the message is changed.

Note: A digital signature provides message integrity.

3.3 Nonrepudiation

Figure 13.4 Using a trusted center for nonrepudiation

Note: Nonrepudiation can be provided using a trusted party.

3.4 Confidentiality

Figure 13.5 Adding confidentiality to a digital signature scheme

Note: A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.

4 ATTACKS ON DIGITAL SIGNATURE

This section describes some attacks on digital signatures and defines the types of forgery.

Topics discussed in this section:
4.1 Attack Types
4.2 Forgery Types

4.1 Attack Types
- Key-Only Attack
- Known-Message Attack
- Chosen-Message Attack

4.2 Forgery Types
- Existential Forgery
- Selective Forgery

5 DIGITAL SIGNATURE SCHEMES

Several digital signature schemes have evolved during the last few decades. Some of them have been implemented.

Topics discussed in this section:
5.1 RSA Digital Signature Scheme
5.2 ElGamal Digital Signature Scheme
5.3 Schnorr Digital Signature Scheme
5.4 Digital Signature Standard (DSS)
5.5 Elliptic Curve Digital Signature Scheme

5.1 RSA Digital Signature Scheme

Figure 13.6 General idea behind the RSA digital signature scheme

13.133

5.1 Continued

Key Generation Key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA Note In the RSA digital signature scheme, d is private; e and n are public.

13.134

5.1 Continued

Signing and Verifying

Figure 13.7 RSA digital signature scheme

13.135

5.1 Continued

Example 13.1 As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = 784319. The value of φ(n) is 782544. Now she chooses e = 313 and calculates d = 160009. At this point key generation is complete. Now imagine that Alice wants to send a message with the value of M = 19070 to Bob. She uses her private exponent, 160009, to sign the message:

Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates

Bob accepts the message because he has verified Alice's signature.



5.1 Continued

RSA Signature on the Message Digest


Figure 13.8 The RSA signature on the message digest


5.1 Continued

Note When the digest is signed instead of the message itself, the susceptibility of the RSA digital signature scheme depends on the strength of the hash algorithm.
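The signing and verification of Example 13.1 and of Figure 13.8 (signature on the digest), worked through as an added example that is not code from the page or the textbook. It uses the page's p, q, e and M and recomputes d from e and φ(n); for the digest variant it assumes SHA-256 reduced modulo n as a stand-in for the hash algorithm the page leaves unspecified (a deployed system uses a padding scheme such as RSASSA-PSS, not a bare reduction). It also shows why the Note above matters: bare RSA accepts the pair M = 1, S = 1 with no private key at all, which is the existential forgery of Section 4.2, whereas the same pair is rejected once the digest is what gets signed.

```python
import hashlib

# Parameters from Example 13.1 on the page (toy sizes, not secure in practice).
p, q = 823, 953
n = p * q                       # 784319
phi = (p - 1) * (q - 1)         # 782544
e = 313
d = pow(e, -1, phi)             # 160009, Alice's private exponent


def rsa_sign(m: int, d: int, n: int) -> int:
    """S = M^d mod n: only the holder of d can produce S."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, d, n)


def rsa_verify(m: int, s: int, e: int, n: int) -> bool:
    """Accept iff S^e mod n recovers M; anyone holding (e, n) can check."""
    return 0 <= m < n and 0 <= s < n and pow(s, e, n) == m


def digest_mod_n(message: bytes, n: int) -> int:
    """Hash-then-sign (assumed construction): SHA-256 of the message reduced into Z_n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(message: bytes, d: int, n: int) -> int:
    return rsa_sign(digest_mod_n(message, n), d, n)


def verify_digest(message: bytes, s: int, e: int, n: int) -> bool:
    return rsa_verify(digest_mod_n(message, n), s, e, n)


def trivial_pair_accepted_bare() -> bool:
    """Existential forgery against bare RSA: M = 1, S = 1 verifies for any key."""
    return rsa_verify(1, 1, e, n)


def trivial_pair_accepted_digest(message: bytes = b"constructed sample") -> bool:
    """The same S = 1 is rejected when the digest is signed (unless h(M) mod n == 1)."""
    return verify_digest(message, 1, e, n)


if __name__ == "__main__":
    M = 19070
    S = rsa_sign(M, d, n)
    print(f"d = {d}, S = {S}, valid = {rsa_verify(M, S, e, n)}")
    print("altered message accepted?", rsa_verify(M + 1, S, e, n))
    print("bare RSA accepts (1, 1)?", trivial_pair_accepted_bare())
    print("digest RSA accepts (M, 1)?", trivial_pair_accepted_digest())
```

The modulus here is only 20 bits, so every value is easy to print and check by hand; the arithmetic is unchanged at 2048 bits.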


5.2 ElGamal Digital Signature Scheme

Figure 13.9 General idea behind the ElGamal digital signature scheme


5.2 Continued

Key Generation
The key generation procedure here is exactly the same as the one used in the ElGamal cryptosystem.

Note In the ElGamal digital signature scheme, (e1, e2, p) is Alice's public key; d is her private key.


5.2 Continued

Verifying and Signing


Figure 13.10 ElGamal digital signature scheme


5.1 Continued

Example 13.2 Here is a trivial example. Alice chooses p = 3119, e1 = 2, d = 127 and calculates e2 = 2^127 mod 3119 = 1702. She also chooses r to be 307. She announces e1, e2, and p publicly; she keeps d secret. The following shows how Alice can sign a message.

Alice sends M, S1, and S2 to Bob. Bob uses the public key to calculate V1 and V2.


5.1 Continued

Example 13.3 Now imagine that Alice wants to send another message, M = 3000, to Ted. She chooses a new r, 107. Alice sends M, S1, and S2 to Ted. Ted uses the public keys to calculate V1 and V2.
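Examples 13.2 and 13.3 carried through in code, as an added example (not the page's or textbook's code). It uses the page's p, e1, d and the two values of r; the page does not state the message of Example 13.2, so M = 320 is assumed for it, and M = 3000 is taken from Example 13.3. Signing follows Figure 13.10: S1 = e1^r mod p and S2 = (M − d·S1)·r^(−1) mod (p − 1); Bob accepts when V1 = e1^M mod p equals V2 = e2^S1 · S1^S2 mod p. The check that r is invertible modulo p − 1 and the range check on S1 are standard guards the page's figure does not spell out.

```python
from math import gcd
from typing import Tuple

# Parameters from Example 13.2 on the page (toy sizes, not secure in practice).
p, e1, d = 3119, 2, 127
e2 = pow(e1, d, p)              # 1702, as the page states


def elgamal_sign(m: int, d: int, r: int, p: int, e1: int) -> Tuple[int, int]:
    """Return (S1, S2). r must be fresh for every message and invertible mod p-1."""
    if not 1 <= r < p - 1 or gcd(r, p - 1) != 1:
        raise ValueError("r must lie in [1, p-2] with gcd(r, p-1) = 1")
    s1 = pow(e1, r, p)
    s2 = (m - d * s1) * pow(r, -1, p - 1) % (p - 1)
    return s1, s2


def elgamal_verify(m: int, s1: int, s2: int, p: int, e1: int, e2: int) -> bool:
    """V1 = e1^M mod p must equal V2 = e2^S1 * S1^S2 mod p."""
    if not 0 < s1 < p:          # reject out-of-range S1 before doing any arithmetic
        return False
    v1 = pow(e1, m, p)
    v2 = pow(e2, s1, p) * pow(s1, s2, p) % p
    return v1 == v2


if __name__ == "__main__":
    # Example 13.2: message value assumed (the page omits it), r = 307 from the page.
    M, r = 320, 307
    S1, S2 = elgamal_sign(M, d, r, p, e1)
    print(f"e2 = {e2}, S1 = {S1}, S2 = {S2}, valid = {elgamal_verify(M, S1, S2, p, e1, e2)}")
    # Example 13.3: a second message to Ted with a new r = 107.
    T1, T2 = elgamal_sign(3000, d, 107, p, e1)
    print(f"S1 = {T1}, S2 = {T2}, valid = {elgamal_verify(3000, T1, T2, p, e1, e2)}")
    print("altered message accepted?", elgamal_verify(3001, T1, T2, p, e1, e2))
```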


5.3 Schnorr Digital Signature Scheme

Figure 13.11 General idea behind the Schnorr digital signature scheme


5.3 Continued

Key Generation
1) Alice selects a prime p, which is usually 1024 bits in length.
2) Alice selects another prime q.
3) Alice chooses e1 to be the qth root of 1 modulo p.
4) Alice chooses an integer, d, as her private key.
5) Alice calculates e2 = e1^d mod p.
6) Alice's public key is (e1, e2, p, q); her private key is (d).

Note In the Schnorr digital signature scheme, Alice's public key is (e1, e2, p, q); her private key is (d).

5.3 Continued

Signing and Verifying


Figure 13.12 Schnorr digital signature scheme


5.3 Continued

Signing
1. Alice chooses a random number r.
2. Alice calculates S1 = h(M | e1^r mod p).
3. Alice calculates S2 = r + d × S1 mod q.
4. Alice sends M, S1, and S2.

Verifying Message
1. Bob calculates V = h(M | e1^S2 × e2^(−S1) mod p).
2. If S1 is congruent to V modulo p, the message is accepted.

5.1 Continued

Example 13.4 Here is a trivial example. Suppose we choose q = 103 and p = 2267. Note that p = 22 × q + 1. We choose e0 = 2, which is a primitive root in Z_2267*. Then (p − 1)/q = 22, so we have e1 = 2^22 mod 2267 = 354. We choose d = 30, so e2 = 354^30 mod 2267 = 1206. Alice's private key is now (d); her public key is (e1, e2, p, q). Alice wants to send a message M. She chooses r = 11 and calculates e1^r = 354^11 mod 2267 = 630. Assume that the message is 1000 and concatenation means 1000630. Also assume that the hash of this value gives the digest h(1000630) = 200. This means S1 = 200. Alice calculates S2 = r + d × S1 mod q = 11 + 1026 × 200 mod 103 = 35. Alice sends the message M = 1000, S1 = 200, and S2 = 35. The verification is left as an exercise.
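The Schnorr scheme of Figure 13.12 with the parameters of Example 13.4, as an added example (not code from the page or the textbook). It recomputes e1 = 2^22 mod 2267 = 354, e2 = 354^30 mod 2267 = 1206 and e1^r = 630 for r = 11, and carries out the verification the page leaves as an exercise: e1^S2 · e2^(−S1) collapses to e1^r because e2 = e1^d, so hashing M | e1^r again must reproduce S1. The page assumes h(1000630) = 200 without naming a hash; this code assumes SHA-256 of the concatenated decimal string, reduced modulo q, so its S1 differs from 200. Note also that the example's arithmetic multiplies S1 by 1026 where the scheme multiplies by d = 30; the code follows the scheme, so its S2 for r = 11 is not 35.

```python
import hashlib
from typing import Tuple

# Parameters from Example 13.4 on the page (toy sizes, not secure in practice).
q, p = 103, 2267                  # p = 22*q + 1
e0 = 2                            # a primitive root of Z_2267*
e1 = pow(e0, (p - 1) // q, p)     # 354: a q-th root of 1 modulo p, so e1 has order q
d = 30                            # Alice's private key
e2 = pow(e1, d, p)                # 1206


def h(m: int, x: int, q: int) -> int:
    """Assumed hash: SHA-256 of the decimal concatenation M | x, reduced mod q."""
    data = f"{m}{x}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def schnorr_sign(m: int, d: int, r: int, p: int, q: int, e1: int) -> Tuple[int, int]:
    """S1 = h(M | e1^r mod p), S2 = r + d*S1 mod q."""
    if not 1 <= r < q:
        raise ValueError("r must lie in [1, q-1]")
    s1 = h(m, pow(e1, r, p), q)
    s2 = (r + d * s1) % q
    return s1, s2


def schnorr_verify(m: int, s1: int, s2: int, p: int, q: int, e1: int, e2: int) -> bool:
    """Recover e1^r as e1^S2 * e2^(-S1) = e1^(r + d*S1 - d*S1), then re-hash."""
    if not (0 <= s1 < q and 0 <= s2 < q):
        return False
    x = pow(e1, s2, p) * pow(pow(e2, s1, p), -1, p) % p
    return h(m, x, q) == s1


if __name__ == "__main__":
    M, r = 1000, 11
    print("e1 =", e1, "e2 =", e2, "e1^r =", pow(e1, r, p))
    S1, S2 = schnorr_sign(M, d, r, p, q, e1)
    print(f"S1 = {S1}, S2 = {S2}, valid = {schnorr_verify(M, S1, S2, p, q, e1, e2)}")
    print("altered message accepted?", schnorr_verify(M + 1, S1, S2, p, q, e1, e2))
```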


5.4 Digital Signature Standard (DSS)

Figure 13.13 General idea behind DSS scheme


5.4 Continued

Key Generation
1) Alice chooses primes p and q.
2) Alice uses <Zp*, ×> and <Zq*, ×>.
3) Alice creates e1 to be the qth root of 1 modulo p.
4) Alice chooses d and calculates e2 = e1^d.
5) Alice's public key is (e1, e2, p, q); her private key is (d).


5.4 Continued

Verifying and Signing


Figure 13.14 DSS scheme


5.1 Continued

Example 13.5 Alice chooses q = 101 and p = 8081. Alice selects e0 = 3 and calculates e1 = e0^((p − 1)/q) mod p = 6968. Alice chooses d = 61 as the private key and calculates e2 = e1^d mod p = 2038. Now Alice can send a message to Bob. Assume that h(M) = 5000 and Alice chooses r = 61:

Alice sends M, S1, and S2 to Bob. Bob uses the public keys to calculate V.
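The DSS computation of Figure 13.14 with the numbers of Example 13.5, as an added example (not code from the page or the textbook). Signing is S1 = (e1^r mod p) mod q and S2 = (h(M) + d·S1)·r^(−1) mod q; verification computes V = [(e1^(h(M)·S2^(−1)) · e2^(S1·S2^(−1))) mod p] mod q and accepts when V = S1, which works because the exponent h(M)·S2^(−1) + d·S1·S2^(−1) reduces to r modulo q. The page gives h(M) = 5000 directly; the `h_bytes` helper that maps a byte string to Z_q via SHA-256 is an assumption added so the code also runs on real messages, and the zero checks on S1 and S2 are the standard degenerate-signature guards.

```python
import hashlib
from typing import Tuple

# Parameters from Example 13.5 on the page (toy sizes, not secure in practice).
q, p = 101, 8081                   # p = 80*q + 1
e0 = 3
e1 = pow(e0, (p - 1) // q, p)      # 6968, an element of order q
d = 61                             # Alice's private key
e2 = pow(e1, d, p)                 # 2038 per the page


def h_bytes(message: bytes, q: int) -> int:
    """Assumed digest for byte strings: SHA-256 reduced into Z_q."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def dss_sign(hm: int, d: int, r: int, p: int, q: int, e1: int) -> Tuple[int, int]:
    """S1 = (e1^r mod p) mod q, S2 = (h(M) + d*S1) * r^-1 mod q."""
    if not 1 <= r < q:
        raise ValueError("r must lie in [1, q-1]")
    s1 = pow(e1, r, p) % q
    s2 = (hm + d * s1) * pow(r, -1, q) % q
    if s1 == 0 or s2 == 0:
        raise ValueError("degenerate signature; choose a fresh r")
    return s1, s2


def dss_verify(hm: int, s1: int, s2: int, p: int, q: int, e1: int, e2: int) -> bool:
    """V = [(e1^(h(M)*S2^-1) * e2^(S1*S2^-1)) mod p] mod q must equal S1."""
    if not (0 < s1 < q and 0 < s2 < q):
        return False
    w = pow(s2, -1, q)
    u1 = hm * w % q                  # exponent on e1
    u2 = s1 * w % q                  # exponent on e2 = e1^d
    v = pow(e1, u1, p) * pow(e2, u2, p) % p % q
    return v == s1


if __name__ == "__main__":
    hm, r = 5000, 61                 # h(M) and r as given on the page
    S1, S2 = dss_sign(hm, d, r, p, q, e1)
    print(f"e1 = {e1}, e2 = {e2}, S1 = {S1}, S2 = {S2}")
    print("valid:", dss_verify(hm, S1, S2, p, q, e1, e2))
    print("altered digest accepted?", dss_verify(hm + 1, S1, S2, p, q, e1, e2))
    msg = b"constructed sample message"
    T1, T2 = dss_sign(h_bytes(msg, q), d, 17, p, q, e1)
    print("byte-string message valid:", dss_verify(h_bytes(msg, q), T1, T2, p, q, e1, e2))
```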


5.4 Continued

DSS Versus RSA Computation of DSS signatures is faster than computation of RSA signatures when using the same p.

DSS Versus ElGamal DSS signatures are smaller than ElGamal signatures because q is smaller than p.


5.5 Elliptic Curve Digital Signature Scheme

Figure 13.15 General idea behind the ECDSS scheme


5.5 Continued

Key Generation
Key generation follows these steps:
1) Alice chooses an elliptic curve Ep(a, b).
2) Alice chooses another prime q.
3) Alice chooses the private key d.
4) Alice chooses e1(…, …), a point on the curve.
5) Alice calculates e2(…, …) = d × e1(…, …).
6) Alice's public key is (a, b, p, q, e1, e2); her private key is d.

5.5 Continued

Signing and Verifying


Figure 13.16 The ECDSS scheme


6 VARIATIONS AND APPLICATIONS

This section briefly discusses variations and applications for digital signatures.

Topics discussed in this section:

6.1 Variations
6.2 Applications


6.1 Variations

Time Stamped Signatures
Sometimes a signed document needs to be time stamped to prevent it from being replayed by an adversary. This is called a time-stamped digital signature scheme.

Blind Signatures
Sometimes we have a document that we want to get signed without revealing the contents of the document to the signer.


ELLIPTIC CURVED BASED SYSTEM

VINAY

11641

Outline of the Talk

Introduction to Elliptic Curves
Elliptic Curve Cryptosystems (ECC)
Security in Elliptic Curve System
Advantages of Elliptic Curve System

Introduction to Elliptic Curves

INTRODUCTION
The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The security of public-key cryptography depends on the difficulty of solving the hard problems defined in complexity theory.

BACKGROUND OF PUBLIC KEY CRYPTOSYSTEM
Cryptosystems based on the following mathematical problems are considered secure and efficient:
Integer Factorization Problem (IFP): examples are RSA and Rabin-Williams.
Discrete Logarithm Problem (DLP): the U.S. Government's DSA, Diffie-Hellman and the MQV key agreement scheme, etc.

Continued
None of these problems has been proven intractable, but they are believed to be intractable. Since 1985, ECC has received intense scrutiny from cryptographers, mathematicians, and computer scientists around the world. On the one hand, the fact that no significant weaknesses have been found has led to high confidence in the security of ECC. ECC has become more attractive than RSA and DSA.

For elliptic-curve-based protocols, it is assumed that finding the discrete logarithm of an elliptic curve element is infeasible. The size of the elliptic curve determines the difficulty of the problem. Over the past few years elliptic curve cryptography has been gaining popularity and is being standardized around the world by agencies such as ANSI, IEEE and ISO. The U.S. National Security Agency has endorsed ECC technology by including it in its Suite B set of recommended algorithms and allows its use for protecting information classified up to top secret with 384-bit keys.

Elliptic Curve
An elliptic curve is the set of solutions of an equation of the form y^2 = x^3 + ax + b, where the coefficients a and b are elements of the field and 4a^3 + 27b^2 ≠ 0. Each choice of a and b gives a different elliptic curve. An equation of this kind can be studied over various mathematical structures, such as a ring or a field. One interesting property of the set of solutions of an elliptic curve is that it forms a group, which enables us to do cryptography. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key with the generator point G on the curve.

Graphical Representation
[Figure: an elliptic curve plotted against the x and y axes.] Curves of this nature are called ELLIPTIC CURVES.

Elliptic curves in Cryptography


Elliptic Curve (EC) systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz and Victor Miller. The discrete logarithm problem on elliptic curve groups is believed to be more difficult than the corresponding problem in (the multiplicative group of nonzero elements of) the underlying finite field.

Elliptic Curve on a finite set of Integers


Consider y^2 = x^3 + 2x + 3 (mod 5):
x = 0: y^2 = 3, no solution (mod 5)
x = 1: y^2 = 6 = 1, y = 1, 4 (mod 5)
x = 2: y^2 = 15 = 0, y = 0 (mod 5)
x = 3: y^2 = 36 = 1, y = 1, 4 (mod 5)
x = 4: y^2 = 75 = 0, y = 0 (mod 5)

Then the points on the elliptic curve are (1,1), (1,4), (2,0), (3,1), (3,4), (4,0) and the point at infinity.
Using finite fields we can form an elliptic curve group, where we also have a DLP which is harder to solve.

Definition of Elliptic curves


An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with a rational point (which may be a point at infinity). The field K is usually taken to be the complex numbers, reals, rationals, algebraic extensions of rationals, p-adic numbers, or a finite field.

General form of an EC
An elliptic curve is a plane curve defined by an equation of the form

y^2 = x^3 + ax + b

Examples

The Abelian Group

Given two points P, Q in E(Fp), there is a third point, denoted by P + Q, on E(Fp), and the following relations hold for all P, Q, R in E(Fp):
P + Q = Q + P (commutativity)
(P + Q) + R = P + (Q + R) (associativity)
P + O = O + P = P (existence of an identity element)
there exists (−P) such that P + (−P) = (−P) + P = O (existence of inverses)

Elliptic Curve Picture

[Figure: the curve E: y^2 = x^3 − x + 1 with points P1, P2 and P3 marked.]

If P1 and P2 are on E, we can define P3 = P1 + P2 as shown in the picture. Addition is all we need.

Public-Key Cryptosystems

Authentication: only A can generate the encrypted message.

Secrecy: only B can decrypt the message.

Public-Key Cryptography

What Is Elliptic Curve Cryptography (ECC)?


Elliptic curve cryptography [ECC] is a public-key cryptosystem just like RSA, Rabin, and ElGamal. Every user has a public and a private key.
The public key is used for encryption/signature verification. The private key is used for decryption/signature generation.

Elliptic curves are used as an extension to other current cryptosystems:
Elliptic Curve Diffie-Hellman Key Exchange
Elliptic Curve Digital Signature Algorithm

Using Elliptic Curves In Cryptography


The central part of any cryptosystem involving elliptic curves is the elliptic group. All public-key cryptosystems have some underlying mathematical operation:
RSA has exponentiation (raising the message or ciphertext to the public or private values).
ECC has point multiplication (repeated addition of two points).

Generic Procedures of ECC


Both parties agree to some publicly known data items:
The elliptic curve equation: the values of a and b, and the prime p
The elliptic group computed from the elliptic curve equation
A base point, B, taken from the elliptic group (similar to the generator used in current cryptosystems)
Each user generates their public/private key pair:
Private Key = an integer, x, selected from the interval [1, p−1]
Public Key = the product, Q, of the private key and the base point (Q = x*B)
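The pieces the talk has described so far, put together as an added example that is not code from the talk: enumerating the points of y^2 = x^3 + 2x + 3 (mod 5), the chord-and-tangent group law with O as identity, point multiplication as repeated addition, and the key generation Q = x*B above. One check a practitioner should run first is the talk's own condition 4a^3 + 27b^2 ≠ 0: for the mod-5 curve it gives 275 ≡ 0 (mod 5), so that curve is singular and its points do not form a proper elliptic curve group, even though the point list matches the talk. The group law is therefore exercised on y^2 = x^3 + 2x + 2 (mod 17), a constructed nonsingular curve with 19 points, with base point B = (5, 1). The private key range is taken as [1, n−1] with n the order of B (the usual choice) rather than the [1, p−1] the slide states; the private keys 7 and 11 are constructed values, and the last lines show the Elliptic Curve Diffie-Hellman agreement mentioned earlier in the talk.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional, Tuple, List

Point = Optional[Tuple[int, int]]     # None stands for O, the point at infinity


@dataclass(frozen=True)
class Curve:
    """y^2 = x^3 + a*x + b over the prime field F_p."""
    p: int
    a: int
    b: int

    def nonsingular(self) -> bool:
        # The talk's condition 4a^3 + 27b^2 != 0, evaluated in F_p.
        return (4 * self.a ** 3 + 27 * self.b ** 2) % self.p != 0

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def points(self) -> List[Tuple[int, int]]:
        """All affine points by brute force; fine for toy primes."""
        return [(x, y) for x, y in product(range(self.p), repeat=2) if self.contains((x, y))]


def add(c: Curve, P: Point, Q: Point) -> Point:
    """Chord-and-tangent group law on E(F_p)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                          # P + (-P) = O; also doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p             # chord slope
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def mul(c: Curve, k: int, P: Point) -> Point:
    """Point multiplication k*P by double-and-add (repeated addition)."""
    if k < 0:
        raise ValueError("k must be non-negative")
    R: Point = None
    while k:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R


def order(c: Curve, P: Point) -> int:
    """Smallest n > 0 with n*P = O."""
    n, R = 1, P
    while R is not None:
        R, n = add(c, R, P), n + 1
    return n


def keygen(c: Curve, B: Point, x: int) -> Point:
    """Public key Q = x*B for a private integer x in [1, n-1], n = order of B."""
    if not 1 <= x < order(c, B):
        raise ValueError("private key out of range")
    return mul(c, x, B)


PAGE_CURVE = Curve(p=5, a=2, b=3)      # the talk's y^2 = x^3 + 2x + 3 (mod 5)
DEMO_CURVE = Curve(p=17, a=2, b=2)     # constructed nonsingular curve, 19 points
DEMO_BASE: Point = (5, 1)              # constructed base point B

if __name__ == "__main__":
    print("page curve points:", PAGE_CURVE.points())
    print("page curve nonsingular?", PAGE_CURVE.nonsingular())   # False: 275 = 0 (mod 5)
    print("demo curve #E =", len(DEMO_CURVE.points()) + 1, "order(B) =", order(DEMO_CURVE, DEMO_BASE))
    xa, xb = 7, 11                                                 # constructed private keys
    Qa, Qb = keygen(DEMO_CURVE, DEMO_BASE, xa), keygen(DEMO_CURVE, DEMO_BASE, xb)
    # ECDH: each side multiplies the other's public point by its own private key.
    print("shared point:", mul(DEMO_CURVE, xa, Qb), mul(DEMO_CURVE, xb, Qa))
```

The `points` and `order` helpers are brute force and only make sense for toy primes; their purpose is to let the group axioms and the key sizes be checked by hand, not to scale.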

Why use ECC?


How do we analyze cryptosystems?
How difficult is the underlying problem that it is based upon?
RSA: Integer Factorization
DH: Discrete Logarithms
ECC: Elliptic Curve Discrete Logarithm Problem

How do we measure difficulty?


We examine the algorithms used to solve these problems

Security of ECC
To protect a 128-bit AES key it would take a:
RSA key size of 3072 bits
ECC key size of 256 bits

How do we strengthen RSA?


Increase the key length

Impractical?

ADVANTAGES OF ECC
The Advantages of Elliptic Curve Cryptography
The biggest advantage of elliptic curve cryptography is the drastic reduction in overhead associated with it. Take this side-by-side comparison of required key sizes to achieve different levels of security for an RSA modulus n and an elliptic curve system with a security parameter n.

Applications of ECC
Many devices are small and have limited storage and computational power. Where can we apply ECC?
Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but which lacks the power, storage and computational capacity necessary for our current cryptosystems

Benefits of ECC
Same benefits as the other cryptosystems: confidentiality, integrity, authentication and non-repudiation, but with:
Shorter key lengths
Encryption, decryption and signature verification speed-ups
Storage and bandwidth savings

THANK YOU
