in cryptography
Marios Choudary
What is cryptography?
Greek:
crypto: hide, make secret (RO: a ascunde)
[grapho]: to write (RO: a scrie)
In modern cryptography:
the science of secret writing
What is cryptography?
Cryptography, cryptology, cryptanalysis
Some consider cryptology = cryptography + cryptanalysis
Cryptanalysis: the art/science of analysing (often breaking) the security of cryptographic systems
Modern cryptographic algorithms have usually had strong cryptanalysis performed on them
Examples
Secure communication:
no eavesdropping
no tampering
Dan Boneh
Crypto core
Secret key establishment: Alice and Bob end up with a shared secret key (figure: "Talking to Alice" / "Talking to Bob", with an attacker sitting on the channel between them: attacker???)
Secure communication: messages m1, m2 sent over the channel with confidentiality and integrity
(figure: Alice storing File 1 and File 2: no eavesdropping, no tampering)
Example: EMV online authorisation
key K, data D = {Amount, Country, Date, UN, ...}
But crypto can do much more
Fancier applications:
Digital signatures (figure: Alice sends a message together with her signature to Bob)
Anonymous communication (figure: Alice talks to Bob; Bob asks: Who did I just talk to?)
Digital cash (bitcoin)
E-voting, etc.
Things to remember
Cryptography is:
A tremendous tool
The basis for many security mechanisms
Cryptography is not:
The solution to all security problems
Reliable unless implemented and used properly
Something you should try to invent yourself
many many examples of broken ad-hoc designs
HISTORICAL EXAMPLES
Shift cipher:
Enc(k, m) = m + k mod 26
Dec(k, c) = c - k mod 26
Examples
Substitution cipher
Key size:
(figure: English letters in decreasing order of frequency, the basis of frequency analysis: O I N S H R D L U C M W F G Y P B V K J Z X Q)
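Added example (not part of the original slides): the shift cipher above, and the frequency-analysis attack the letter-frequency figure hints at. The only assumption is the approximate English letter-frequency table, which is constructed from standard published values.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate relative frequencies (%) of letters in English text, in the
# E T A O I N S H R D L U ... order of the frequency figure above (assumed values).
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "U": 2.8, "C": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.10, "Z": 0.07,
}

def shift_encrypt(k: int, m: str) -> str:
    """Enc(k, m) = m + k mod 26, letter by letter; non-letters pass through."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % 26] if ch in ALPHABET else ch
                   for ch in m.upper())

def shift_decrypt(k: int, c: str) -> str:
    """Dec(k, c) = c - k mod 26 (a shift by -k mod 26)."""
    return shift_encrypt(-k % 26, c)

def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and the English distribution."""
    counts = Counter(ch for ch in text if ch in ALPHABET)
    n = sum(counts.values())
    if n == 0:
        return float("inf")
    return sum((counts[ch] - n * ENGLISH_FREQ[ch] / 100) ** 2 / (n * ENGLISH_FREQ[ch] / 100)
               for ch in ALPHABET)

def break_shift(c: str) -> int:
    """Key size is only 26: try every key, keep the one whose decryption looks most like English."""
    return min(range(26), key=lambda k: chi_squared(shift_decrypt(k, c)))
```

The same statistic breaks a general substitution cipher letter by letter, which is why a 26!-sized key space does not help.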
3. Rotor machines (1870-1943)
Rotor machines
Early example: the Hebern machine (single rotor)
(figure: the rotor maps the plaintext alphabet A, B, C, ..., X, Y, Z onto the key wiring K, S, T, ..., R, N, E; after each letter the rotor steps one position, so the same wiring appears shifted: E, K, S, T, ..., R, N and then N, E, K, S, T, ..., R)
Rotor machines (cont.)
Most famous: the Enigma (3-5 rotors)
Bletchley Park
https://www.bletchleypark.org.uk/
MODERN CRYPTOGRAPHY
(for now)
A rigorous science
Approach to modern cryptography
The three steps in cryptography:
Symmetric vs asymmetric cryptography
Symmetric cryptography
All parties have the same private key
E.g. stream ciphers (Salsa20), block ciphers (AES)
Used for bulk encryption
Asymmetric cryptography
Uses private AND public keys
Users can publish their public keys without affecting the security of their private keys
Used for key exchange and authentication
STREAM CIPHERS
(figure: one-time pad, plaintext XOR key bit by bit; key: 1 0 1 1 0 1 0; CT:)
Lemma: OTP has perfect secrecy.
Proof:
Weak PRGs
glibc random():
r[i] <- (r[i-3] + r[i-31]) % 2^32
output r[i] >> 1
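Added example (not from the slides): the additive recurrence above, with a predictor showing why it is a weak PRG: after 31 consecutive outputs the next output is one of only two values, because the discarded low bit of each state word can carry at most 1 into the sum. The seeding here is a constructed stand-in, not glibc's real initialisation; only the recurrence and the output truncation follow the slide.

```python
MASK32 = (1 << 32) - 1
MOD31 = 1 << 31

class AdditiveFeedbackRandom:
    """r[i] = (r[i-3] + r[i-31]) mod 2^32, output r[i] >> 1 (as on the slide)."""

    def __init__(self, seed: int):
        # Constructed state fill (assumption): 31 words derived from the seed.
        self.r = [(seed * 0x9E3779B9 + i * 0x85EBCA6B) & MASK32 for i in range(31)]

    def next(self) -> int:
        new = (self.r[-3] + self.r[-31]) & MASK32   # r[i-3] + r[i-31] mod 2^32
        self.r.append(new)
        self.r = self.r[-31:]                        # keep the last 31 state words
        return new >> 1                              # low bit is dropped on output

def predict_next(outputs):
    """Given >= 31 consecutive outputs, the next one is s or s+1 (mod 2^31):
    r = 2*o + b, so (r[i-3] + r[i-31]) >> 1 = o[i-3] + o[i-31] + (b1 + b2) >> 1."""
    if len(outputs) < 31:
        raise ValueError("need at least 31 consecutive outputs")
    s = (outputs[-3] + outputs[-31]) % MOD31
    return (s, (s + 1) % MOD31)

def predictor_always_right(seed: int, trials: int = 200) -> bool:
    """True if every one of `trials` outputs is among the two predicted values.
    A generator with this property must never be used for keys or IVs;
    use the OS CSPRNG (secrets / os.urandom) instead."""
    g = AdditiveFeedbackRandom(seed)
    seen = [g.next() for _ in range(31)]
    for _ in range(trials):
        actual = g.next()
        if actual not in predict_next(seen):
            return False
        seen.append(actual)
    return True
```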
Attack 1: two-time pad is insecure!!
Never use a one-time pad (or generated stream) more than once
Never use a stream cipher key more than once!!
C1 <- m1 XOR PRG(k)
C2 <- m2 XOR PRG(k)
Eavesdropper does:
C1 XOR C2 -> m1 XOR m2
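Added example (not from the slides) of the two-time pad: the shared keystream cancels in C1 XOR C2, and the fix of deriving the keystream from (IV ll k) with a fresh IV per message. The keystream function is a constructed stand-in built from SHA-256 in counter mode, not a real stream cipher; the key and messages are constructed sample values.

```python
import hashlib

def keystream(key: bytes, n: int, iv: bytes = b"") -> bytes:
    """Stand-in for PRG(IV ll k): SHA-256 over (IV, key, counter). Deterministic,
    which is all this demonstration needs; not a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, m: bytes, iv: bytes = b"") -> bytes:
    return xor(m, keystream(key, len(m), iv))

KEY = b"k" * 16                         # placeholder; a real key is random and secret
M1 = b"meeting at noon, room 42"        # constructed messages of equal length
M2 = b"pay 100 EUR to account 7"

def two_time_pad_leak(key: bytes) -> bool:
    """Same key, same keystream: C1 XOR C2 = M1 XOR M2, independent of the key."""
    c1, c2 = encrypt(key, M1), encrypt(key, M2)
    return xor(c1, c2) == xor(M1, M2)

def recover_other_message(key: bytes) -> bytes:
    """What the slide's eavesdropper gets: knowing (or guessing) M1 reveals M2."""
    c1, c2 = encrypt(key, M1), encrypt(key, M2)
    return xor(xor(c1, c2), M1)

def fresh_iv_per_message(key: bytes) -> bool:
    """Fix: keystream = PRG(IV ll k) with a distinct IV per message, so the
    keystreams differ and C1 XOR C2 no longer equals M1 XOR M2."""
    c1 = encrypt(key, M1, iv=b"\x00" * 8)              # IVs are constructed here;
    c2 = encrypt(key, M2, iv=b"\x00" * 7 + b"\x01")    # in practice random per message
    return xor(c1, c2) != xor(M1, M2)
```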
(figure: stream cipher with a CRC: ciphertext = (m ll CRC(m)) XOR PRG(IV ll k), sent together with IV; a message encrypted with enc(k) as "From: Bob" is modified in transit and dec(k) yields "From: Eve" with a valid CRC: the CRC gives no integrity)
eStream
PRG: {0,1}^s x R -> {0,1}^n (seed and nonce)
Performance: AMD Opteron, 2.2 GHz (Linux), Crypto++ 5.6.0 [Wei Dai]
PRG          Speed (MB/sec)
RC4          126
Salsa20/12   643
Sosemanuk    727
BLOCK CIPHERS
Block ciphers: crypto work horse
(figure: PT block (n bits) -> E, D with key (k bits) -> CT block (n bits))
Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192 or 256 bits
Block ciphers built by iteration
(figure: key k -> key expansion -> k1, k2, k3, ..., kn; m -> R(k1, .) -> R(k2, .) -> R(k3, .) -> ... -> R(kn, .) -> c)
R(k, m) is called a round function
for 3DES (n = 48), for AES-128 (n = 10)
The Data Encryption Standard (DES)
DES history
Early 1970s: Horst Feistel designs Lucifer at IBM
key-len = 128 bits; block-len = 128 bits
1973: NBS asks for block cipher proposals.
IBM submits a variant of Lucifer.
1976: NBS adopts DES as a federal standard
key-len = 56 bits; block-len = 64 bits
1997: DES broken by exhaustive search
2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce
DES: core idea, the Feistel network
Given functions f1, ..., fd: {0,1}^n -> {0,1}^n
Goal: build an invertible function F: {0,1}^2n -> {0,1}^2n
(figure: the input is split into halves L0, R0 of n bits each; round i uses fi to produce (Li, Ri) from (Li-1, Ri-1); after d rounds the output is (Ld, Rd))
In symbols:
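Added example (not from the slides): a generic Feistel network on 64-bit blocks with 32-bit halves, showing that the construction is invertible for any round functions, including non-invertible ones; decryption is the same network with the round keys in reverse order. The round functions are keyed SHA-256 outputs, an assumption made only so the block runs offline; DES's real f uses the S-boxes described below.

```python
import hashlib

HALF = 32                      # n = 32 bits per half, 2n = 64-bit block (assumption)
HALF_MASK = (1 << HALF) - 1

def make_round_functions(key: bytes, d: int):
    """f1..fd: {0,1}^n -> {0,1}^n, each keyed by (key, round index). Not invertible."""
    def make(i):
        def f(x: int) -> int:
            h = hashlib.sha256(key + bytes([i]) + x.to_bytes(HALF // 8, "big")).digest()
            return int.from_bytes(h[:HALF // 8], "big")
        return f
    return [make(i) for i in range(d)]

def feistel_encrypt(fs, block: int) -> int:
    """Round i: L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1})."""
    L, R = block >> HALF, block & HALF_MASK
    for f in fs:
        L, R = R, L ^ f(R)
    return (L << HALF) | R

def feistel_decrypt(fs, block: int) -> int:
    """Undo the rounds in reverse: R_{i-1} = L_i is known, so
    L_{i-1} = R_i XOR f_i(L_i). f_i is only ever evaluated, never inverted."""
    L, R = block >> HALF, block & HALF_MASK
    for f in reversed(fs):
        L, R = R ^ f(L), L
    return (L << HALF) | R

def roundtrip_ok(key: bytes, rounds: int, block: int) -> bool:
    fs = make_round_functions(key, rounds)
    return feistel_decrypt(fs, feistel_encrypt(fs, block)) == block
```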
The S-boxes
Si: {0,1}^6 -> {0,1}^4
DES challenge
msg = "The unknown messages is: XXXX"
CT = c1 c2 c3 c4
Goal: find k in {0,1}^56 s.t. DES(k, mi) = ci for i = 1, 2, 3
1997: Internet search: 3 months
1998: EFF machine (deep crack): 3 days ($250K)
1999: combined search: 22 hours
2006: COPACOBANA (120 FPGAs): 7 days ($10K)
=> 56-bit ciphers should not be used!! (128-bit key => 2^72 days)
=> Other issues: relatively short block size (64-bit): bad for modes such as CTR (discussed in the next lecture)
Strengthening DES against exhaustive search
Method 1: Triple-DES
Let E: K x M -> M be a block cipher
Define 3E: K^3 x M -> M as
3E((k1, k2, k3), m) =
For 3DES: key-size = 3 x 56 = 168 bits. 3x slower than DES.
(simple attack in time ~ 2^118)
Attacks on the implementation
We'll talk about these in detail in ~2 lectures
1. Side channel attacks:
Measure the time to do enc/dec, measure the power used for enc/dec (smartcard)
[Kocher, Jaffe, Jun, 1998]
2. Fault attacks:
Computing errors in the last round expose the secret key k
=> do not even implement crypto primitives yourself
AES history
The AES process
1997: NIST publishes a request for proposals
1998: 15 submissions. Five claimed attacks.
1999: NIST chooses 5 finalists (Rijndael, Serpent, Twofish, RC6, MARS)
2000: NIST chooses Rijndael as AES (designed in Belgium)
Key sizes: 128, 192, 256 bits. Block size: 128 bits
AES is a Subs-Perm network (not Feistel)
(figure: input XOR k1 -> substitution layer (S-boxes S1, S2, ..., S8) -> permutation layer -> XOR k2 -> ... -> XOR kn -> output; each layer is invertible, so decryption is the inversion of the layers in reverse order)
MODES OF OPERATION
Incorrect use of a PRP
ECB: do NOT use
Electronic Code Book (ECB):
PT: m1 m2 -> CT: c1 c2
Problem: if m1 = m2 then c1 = c2
In pictures (courtesy B. Preneel)
Construction 1: CBC with random IV
Let (E, D) be a PRP. ECBC(k, m): choose a random IV in X and do:
(figure: c[0] = E(k, IV XOR m[0]), c[i] = E(k, c[i-1] XOR m[i]) for i = 1, 2, 3; ciphertext = IV, c[0], c[1], c[2], c[3])
Construction 2: randomized counter mode
Good construction 2: CTR
Let F: K x {0,1}^n -> {0,1}^n be a secure PRF.
E(k, m): choose a random IV in {0,1}^n and do:
(figure: c[i] = m[i] XOR F(k, IV + i) for i = 0, ..., L; ciphertext = IV, c[0], c[1], ..., c[L])
note: parallelizable (unlike CBC)
(figures: plain-text bitmap and its DES-ECB encryption, which still shows the image; plain-text bitmap and its DES-CBC encryption)
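Added example (not from the slides) of the three modes above on a repeated "bitmap" pattern, counting distinct ciphertext blocks to reproduce the ECB picture problem: ECB maps equal plaintext blocks to equal ciphertext blocks, CBC and CTR do not. The block cipher is a constructed stand-in, a keyed random permutation of 16-bit blocks, not a real PRP; the IV and pattern are constructed values.

```python
import random

BLOCK = 2                   # toy 16-bit block; real ciphers use 64- or 128-bit blocks
N = 1 << (8 * BLOCK)

def make_prp(key: int):
    """Stand-in for (E, D): a keyed random permutation of all block values and its
    inverse. Only a bijection, not a secure cipher; enough to exercise the modes."""
    table = list(range(N))
    random.Random(key).shuffle(table)
    inv = [0] * N
    for x, y in enumerate(table):
        inv[y] = x
    return table, inv

def blocks(data):  return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def b2i(b):        return int.from_bytes(b, "big")
def i2b(x):        return (x % N).to_bytes(BLOCK, "big")
def xor(a, b):     return bytes(p ^ q for p, q in zip(a, b))

def ecb_encrypt(E, m):
    # c[i] = E(k, m[i]): equal plaintext blocks give equal ciphertext blocks
    return b"".join(i2b(E[b2i(b)]) for b in blocks(m))

def cbc_encrypt(E, iv, m):
    # c[0] = E(k, IV XOR m[0]), c[i] = E(k, c[i-1] XOR m[i]); output IV || c
    out, prev = [iv], iv
    for b in blocks(m):
        prev = i2b(E[b2i(xor(prev, b))])
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(D, c):
    cs = blocks(c)                               # cs[0] is the IV
    return b"".join(xor(i2b(D[b2i(cs[i])]), cs[i - 1]) for i in range(1, len(cs)))

def ctr_encrypt(E, iv, m):
    # c[i] = m[i] XOR F(k, IV + i): blocks are independent, hence parallelizable
    return iv + b"".join(xor(b, i2b(E[(b2i(iv) + i) % N])) for i, b in enumerate(blocks(m)))

def ctr_decrypt(E, c):
    return ctr_encrypt(E, c[:BLOCK], c[BLOCK:])[BLOCK:]   # same keystream, XOR again

def distinct_blocks(c):  return len(set(blocks(c)))

PATTERN = b"\x00\xff" * 64      # constructed "bitmap": one pixel pattern repeated 64 times

def pattern_leak():
    """Distinct ciphertext blocks per mode: ECB keeps the repetition visible."""
    E, D = make_prp(key=2024)
    iv = b"\x12\x34"            # constructed; in practice random and fresh per message
    return {"ecb": distinct_blocks(ecb_encrypt(E, PATTERN)),
            "cbc": distinct_blocks(cbc_encrypt(E, iv, PATTERN)[BLOCK:]),
            "ctr": distinct_blocks(ctr_encrypt(E, iv, PATTERN)[BLOCK:])}
```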
Useful resources
Course material:
Slides
Course notes
Own material
Christof Paar, Jan Pelzl:
Other useful resources:
Conferences: Usenix Security, CHES, CARDIS
https://eprint.iacr.org/
https://scholar.google.co.uk/