
Introduction to Cryptography
Marios Choudary

What is cryptography?
Greek:
crypto: hide, make secret (RO: a ascunde)
grapho: to write (RO: a scrie)

In older cryptographic systems:
the art of secret writing

In modern cryptography:
the science of secret writing

What is cryptography?
Cryptography, cryptology, cryptanalysis
Some consider cryptology = cryptography + cryptanalysis
Cryptanalysis: the art/science of analysing (often breaking) the security of cryptographic systems
Modern cryptographic algorithms often have strong cryptanalysis performed on them

Examples

APPLICATIONS OF CRYPTOGRAPHY

Secure communication

no eavesdropping
no tampering

Dan Boneh

Crypto core
Secret key establishment:
(figure: Alice and Bob end up "talking to Bob" / "talking to Alice" over a channel on which an attacker may sit in between)

Secure communication:
(figure: messages m1, m2 exchanged under the established key)
confidentiality and integrity


Protected files on disk

(figure: Alice writes File 1 and File 2 to disk and reads them back later)

No eavesdropping
No tampering

Analogous to secure communication:
Alice today sends a message to Alice tomorrow

Example: EMV online authorisation

K: symmetric key shared by the card and the issuer
D = {Amount, Country, Date, UN, ...}

REQ = {UN, ATC, IAD, ...}, AUTH_REQ = MAC_K(D, ATC, IAD)

RESP = {OK/BAD}, AUTH_RESP = MAC_K(RESP, AUTH_REQ, ...)

But crypto can do much more

Fancier applications:
Digital signatures (figure: Alice attaches a signature to her message; Bob verifies it)
Anonymous communication (figure: Bob asks "Who did I just talk to?")
Digital cash (bitcoin)
E-voting, etc.

Things to remember
Cryptography is:
A tremendous tool
The basis for many security mechanisms
Cryptography is not:
The solution to all security problems
Reliable unless implemented and used properly
Something you should try to invent yourself
many many examples of broken ad-hoc designs

See The Codebreakers by David Kahn

HISTORICAL EXAMPLES

Atbash: cryptography from the history of Israel
Jeremiah 25:17-26: "I took the cup from the Lord's hand and gave it to drink to all the nations to whom the Lord sent me: [...] and the king of Sheshach shall drink after them."
Sheshach (Hebrew: Sheshakh) = Babylon with its letters swapped: the first with the last, the second with the second-to-last, etc.

Shift cipher: key k

More popular: Caesar cipher (no key)

Similar to the Caesar cipher, but we shift by an arbitrary number k (the key, or K):

Enc(k, m) = m + k mod 26

Dec(k, c) = c - k mod 26

Examples (all badly broken)

Substitution cipher

The size of the key space in the substitution cipher (26 letters)?
k := a permutation of the 26 letters

Key size: 26! ≈ 2^88, i.e. about 88 bits

Statistical properties of plain text

English letter frequency
(bar chart: frequency in percent on the y-axis, letters ordered E, T, A, O, I, N, S, H, R, D, L, U, C, M, W, F, G, Y, P, B, V, K, J, Z, X, Q)

The most common letters in English:
E, T, A, O, I, N, S, H, R, D, L, U, C, M, W, F, G, Y, P, B, V, K, J, . . .
The most common digrams in English:
TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, . . .
The most common trigrams in English:
THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, . . .
English text is highly redundant: very roughly 1 bit/letter entropy.
Monoalphabetic substitution ciphers allow simple ciphertext-only attacks based on
digram or trigram statistics (for messages of at least a few hundred characters).

3. Rotor Machines (1870-1943)

Early example: the Hebern machine (single rotor)
(figure: the key is a rotor wired as a permutation of A, B, C, ..., X, Y, Z; after each keypress the rotor turns one position, so the substitution K, S, T, ..., R, N, E becomes E, K, S, T, ..., R, N, then N, E, K, S, T, ..., R)

Rotor Machines (cont.)

Most famous: the Enigma (3-5 rotors)

# keys = 26^4 ≈ 2^18 (actually 2^36 due to the plugboard)

Bletchley Park

Britain's codebreaking centre during WW II

Alan Turing and other mathematicians break the first versions of Enigma

Bombe: computer specialised in breaking such encryptions

Colossus: first semi-programmable electronic computer

Great help against Germany and Japan - a very important factor in determining the end of the war

https://www.bletchleypark.org.uk/

MODERN CRYPTOGRAPHY

What is a secure cipher?

Attacker's abilities: CT-only attack (for now)

Possible security requirements:
attempt #1: attacker cannot recover the secret key
attempt #2: attacker cannot recover all of the plaintext
Shannon's idea:
CT should reveal no info about PT


A rigorous science
Approach to modern cryptography
The three steps in cryptography:

Precisely specify the threat model

Propose a construction

Prove that breaking the construction under the threat model will solve an underlying hard problem

Symmetric vs asymmetric cryptography

Symmetric cryptography
All parties have the same private key
E.g. stream ciphers (Salsa20), block ciphers (AES)
Used for bulk encryption

Asymmetric cryptography
Uses private AND public keys
Users can publish their public keys without affecting the security of their private keys
Used for key exchange and authentication

STREAM CIPHERS

One time pad (Vernam, 1917)

msg: 0 1 1 0 1 1 1
key: 1 0 1 1 0 1 0
CT:  1 1 0 1 1 0 1   (CT = msg XOR key)

Lemma: OTP has perfect secrecy.
Proof:
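Proof sketch (added here; the original slide leaves the proof blank):
Fix any message m and ciphertext c in {0,1}^n, and pick the key k uniformly from {0,1}^n.
Pr[ E(k, m) = c ] = Pr[ m XOR k = c ] = Pr[ k = m XOR c ] = 1 / 2^n
The right-hand side does not depend on m, so the ciphertext has the same distribution for every message: CT reveals no information about PT, which is exactly Shannon's requirement from the earlier slide.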

The bad news

Stream ciphers: making OTP practical

idea: replace the random key by a pseudorandom key

Weak PRGs (do not use for crypto)

glibc random():
r[i] <- ( r[i-3] + r[i-31] ) % 2^32
output r[i] >> 1
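An added example (not from the slides) of why the recurrence above is unusable for keys: a toy generator that follows the slide's update rule from a constructed 31-word state (glibc's real seeding is not modelled), and a predictor that, from the last 31 outputs alone, narrows the next output down to two candidates.

```python
MASK32 = (1 << 32) - 1
MASK31 = (1 << 31) - 1

def weak_prg(state, n: int) -> list:
    # Follows the slide's rule: r[i] = (r[i-3] + r[i-31]) mod 2^32, output r[i] >> 1.
    # `state` is a constructed list of 31 initial words; glibc's actual seeding is not modelled.
    r = list(state)
    if len(r) != 31:
        raise ValueError("need exactly 31 words of initial state")
    out = []
    for _ in range(n):
        r.append((r[-3] + r[-31]) & MASK32)
        out.append(r[-1] >> 1)
    return out

def predict_next(outputs) -> set:
    # Each output drops one low bit of its r[i]. Write r[i-3] = 2*o[i-3] + b and
    # r[i-31] = 2*o[i-31] + b', with b, b' unknown bits. Then
    #   o[i] = ((r[i-3] + r[i-31]) mod 2^32) >> 1 = (o[i-3] + o[i-31] + (b + b') // 2) mod 2^31,
    # so the next output is one of just two values; nothing beyond 31 past outputs is needed.
    base = (outputs[-3] + outputs[-31]) & MASK31
    return {base, (base + 1) & MASK31}

def prediction_hits(state, n: int) -> tuple:
    # count how often the two-candidate prediction contains the real next output
    outs = weak_prg(state, n)
    hits = sum(outs[i] in predict_next(outs[:i]) for i in range(31, n))
    return hits, n - 31

# For anything security-relevant use the OS CSPRNG instead, e.g. secrets.token_bytes(32).
```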

Attack 1: two-time pad is insecure!!
Never use a one-time pad (or generated stream) more than once
Never use a stream cipher key more than once!!

C1 = m1 XOR PRG(k)
C2 = m2 XOR PRG(k)

Eavesdropper does:
C1 XOR C2 = m1 XOR m2

Enough redundancy in English and ASCII encoding that:
m1 XOR m2 -> m1, m2

Real world examples

802.11b WEP:
ciphertext = ( m || CRC(m) ) XOR PRG( IV || k ), sent together with IV

Length of IV: 24 bits
Repeated IV after 2^24 ≈ 16M frames
On some 802.11 cards: IV resets to 0 after power cycle

Attack 2: no integrity (OTP is malleable)

(figure: "From: Bob" --enc(k)--> ciphertext; the attacker XORs a chosen difference into the ciphertext; --dec(k)--> "From: Eve")

Modifications to ciphertext are undetected and have predictable impact on the plaintext
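An added example (not from the slides) of the bit-flip above and of the defender's fix: a stream/OTP ciphertext is altered so that it decrypts to "From: Eve", and an encrypt-then-MAC tag (HMAC-SHA256 over the ciphertext, with its own key) rejects the altered ciphertext before it is ever decrypted. Keys are generated at random inside the demo.

```python
import hashlib
import hmac
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def flip_plaintext(ct: bytes, old: bytes, new: bytes, at: int) -> bytes:
    # OTP/stream ciphers are malleable: XORing (old XOR new) into the ciphertext at offset `at`
    # turns the decrypted `old` into `new`, with no knowledge of the key
    delta = xor(old, new)
    return ct[:at] + xor(ct[at:at + len(delta)], delta) + ct[at + len(delta):]

def mac_tag(mac_key: bytes, ct: bytes) -> bytes:
    # encrypt-then-MAC: the tag covers the ciphertext, so any change is caught before decryption
    return hmac.new(mac_key, ct, hashlib.sha256).digest()

def decrypt_checked(keystream: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    if not hmac.compare_digest(mac_tag(mac_key, ct), tag):   # constant-time comparison
        return None                                           # reject, never decrypt
    return xor(ct, keystream)

def demo() -> dict:
    msg = b"From: Bob"
    keystream = os.urandom(len(msg))     # the one-time pad for this message
    mac_key = os.urandom(32)             # separate key for the MAC
    ct = xor(msg, keystream)
    tag = mac_tag(mac_key, ct)
    tampered = flip_plaintext(ct, b"Bob", b"Eve", 6)   # "From: " is 6 bytes long
    return {
        "unprotected_decrypt": xor(tampered, keystream),                    # b"From: Eve"
        "mac_checked": decrypt_checked(keystream, mac_key, tampered, tag),  # None: rejected
        "original_ok": decrypt_checked(keystream, mac_key, ct, tag),        # b"From: Bob"
    }
```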

Modern stream ciphers: eStream

PRG: {0,1}^s x R -> {0,1}^n

Nonce: a non-repeating value for a given key.

E(k, m; r) = m XOR PRG(k; r)
The pair (k, r) is never used more than once.

Performance: AMD Opteron, 2.2 GHz (Linux), Crypto++ 5.6.0 [Wei Dai]

PRG                    Speed (MB/sec)
RC4                    126
Salsa20/12 (eStream)   643
Sosemanuk (eStream)    727

BLOCK CIPHERS

Block ciphers: crypto work horse
(figure: PT block of n bits -> E, D under a k-bit key -> CT block of n bits)

Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits

Block ciphers built by iteration
(figure: key k -> key expansion -> k1, k2, k3, ..., kn; m -> R(k1, .) -> R(k2, .) -> R(k3, .) -> ... -> R(kn, .) -> c)

R(k, m) is called a round function

for 3DES (n = 48), for AES-128 (n = 10)

The Data Encryption Standard (DES)
DES history
Early 1970s: Horst Feistel designs Lucifer at IBM
  key-len = 128 bits ; block-len = 128 bits
1973: NBS asks for block cipher proposals.
  IBM submits a variant of Lucifer.
1976: NBS adopts DES as a federal standard
  key-len = 56 bits ; block-len = 64 bits
1997: DES broken by exhaustive search
2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce

DES: core idea - Feistel Network
Given functions f1, ..., fd: {0,1}^n -> {0,1}^n
Goal: build an invertible function F: {0,1}^2n -> {0,1}^2n

(figure: input (L0, R0), two halves of n bits each; rounds f1, f2, ..., fd; intermediate states (L1, R1), (L2, R2), ..., (L_{d-1}, R_{d-1}); output (Ld, Rd))

In symbols:
L_i = R_{i-1},  R_i = L_{i-1} XOR f_i(R_{i-1})

The S-boxes
S_i: {0,1}^6 -> {0,1}^4

DES challenge
msg = "The unknown message is: XXXX"
CT  =  c1  c2  c3  c4

Goal: find k in {0,1}^56 s.t. DES(k, mi) = ci for i = 1, 2, 3
1997: Internet search -- 3 months
1998: EFF machine (deep crack) -- 3 days ($250K)
1999: combined search -- 22 hours
2006: COPACOBANA (120 FPGAs) -- 7 days ($10K)

=> 56-bit ciphers should not be used!! (128-bit key => 2^72 days)

Other issues: relatively short block size (64-bit):
bad for modes such as CTR (discussed in next lecture)

Strengthening DES against exhaustive search
Method 1: Triple-DES
Let E: K x M -> M be a block cipher
Define 3E: K^3 x M -> M as
3E( (k1,k2,k3), m ) =

For 3DES: key-size = 3 x 56 = 168 bits. 3x slower than DES.
(simple attack in time ≈ 2^118)

Attacks on the implementation
We'll talk in detail in ~2 lectures
1. Side channel attacks:
Measure the time to do enc/dec, measure the power for enc/dec (smartcard)
[Kocher, Jaffe, Jun, 1998]

2. Fault attacks:
Computing errors in the last round expose the secret key k

=> do not even implement crypto primitives yourself

AES history
The AES process
1997: NIST publishes request for proposal
1998: 15 submissions. Five claimed attacks.
1999: NIST chooses 5 finalists (Rijndael, Serpent, Twofish, RC6, MARS)
2000: NIST chooses Rijndael as AES (designed in Belgium)

Key sizes: 128, 192, 256 bits. Block size: 128 bits

AES is a Subs-Perm network (not Feistel)
(figure: input XOR k1 -> substitution layer S1 ... S8 -> permutation layer -> XOR k2 -> ... -> XOR kn -> output; decryption runs the inversion of each layer)

MODES OF OPERATION

Incorrect use of a PRP
ECB: do NOT use
Electronic Code Book (ECB):
PT: m1 m2
CT: c1 c2

Problem:
if m1 = m2 then c1 = c2

In pictures (courtesy B. Preneel)

Construction 1: CBC with random IV
Good construction 1: CBC

Let (E,D) be a PRP. E_CBC(k, m): choose a random IV in X and do:
(figure: c[0] = E(k, IV XOR m[0]), c[i] = E(k, m[i] XOR c[i-1]) for i = 1..3; ciphertext = IV || c[0] || c[1] || c[2] || c[3])

Construction 2: rand ctr-mode
Good construction 2: CTR
Let F: K x {0,1}^n -> {0,1}^n be a secure PRF.

E(k, m): choose a random IV in {0,1}^n and do:
(figure: c[0] = m[0] XOR F(k, IV), c[1] = m[1] XOR F(k, IV+1), ..., c[L] = m[L] XOR F(k, IV+L); ciphertext = IV || c[0] || c[1] || ... || c[L])

note: parallelizable (unlike CBC)
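An added example (not the course's code) covering the Feistel network, ECB, CBC with random IV and randomized CTR from the slides above: a toy 128-bit Feistel PRP whose round functions are truncated SHA-256 outputs (constructed, not DES), then the three modes built on it. Messages are assumed to be whole 16-byte blocks (no padding shown).

```python
import hashlib, os
HALF = 8                 # n = 64-bit halves, so the block is 2n = 128 bits
BLOCK = 2 * HALF

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(k_i: bytes, right: bytes) -> bytes:
    # f_i: {0,1}^n -> {0,1}^n need not be invertible; a truncated hash is enough (toy, not DES)
    return hashlib.sha256(k_i + right).digest()[:HALF]

def feistel(key: bytes, block: bytes, decrypt: bool = False, rounds: int = 8) -> bytes:
    # key expansion k_1..k_d (constructed); decryption = same rounds with keys in reverse order
    ks = [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]
    if decrypt:
        ks.reverse()
    L, R = block[:HALF], block[HALF:]
    for k_i in ks:       # L_i = R_{i-1},  R_i = L_{i-1} XOR f_i(R_{i-1})
        L, R = R, xor(L, round_fn(k_i, R))
    return R + L         # final swap makes the same loop its own inverse

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key: bytes, msg: bytes) -> bytes:
    # ECB: identical plaintext blocks give identical ciphertext blocks (m1 = m2 => c1 = c2)
    return b"".join(feistel(key, m) for m in blocks(msg))

def cbc_encrypt(key: bytes, msg: bytes, iv: bytes = b"") -> bytes:
    iv = iv or os.urandom(BLOCK)     # fresh random IV for every message
    out, prev = [iv], iv
    for m in blocks(msg):            # c[i] = E(k, m[i] XOR c[i-1]), chained from the IV
        prev = feistel(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    cs = blocks(ct)                  # cs[0] is the IV
    return b"".join(xor(feistel(key, c, decrypt=True), p) for p, c in zip(cs, cs[1:]))

def ctr(key: bytes, msg: bytes, iv: bytes = b"") -> bytes:
    # randomized counter mode: c[i] = m[i] XOR F(k, IV + i); parallel, and only E is needed
    iv = iv or os.urandom(BLOCK)
    start = int.from_bytes(iv, "big")
    out = [xor(m, feistel(key, ((start + i) % (1 << 128)).to_bytes(BLOCK, "big")))
           for i, m in enumerate(blocks(msg))]
    return iv + b"".join(out)

def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    return ctr(key, ct[BLOCK:], iv=ct[:BLOCK])[BLOCK:]   # same operation, IV taken from ct
```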

Plain-text bitmap: (image)

DES-ECB encrypted: (image)

Plain-text bitmap: (image)

DES-CBC encrypted: (image)

Useful resources

Course material:
Stanford course (Dan Boneh): https://www.coursera.org/learn/crypto/
Cambridge course (Markus Kuhn): http://www.cl.cam.ac.uk/teaching/1516/Security
Own material (slides)

Textbooks:
Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography, CRC Press 2008 (1st Ed.), 2015 (2nd Ed.)
Christof Paar, Jan Pelzl

Other useful resources

Conferences

IEEE Security & Privacy

Usenix Security

Crypto, Eurocrypt, Asiacrypt

ACM CCS, ESORICS

CHES, CARDIS

https://eprint.iacr.org/

https://scholar.google.co.uk/