Professional Documents
Culture Documents
Applied Cryptography
Note: This course covers the following areas: Practical aspects of cryptography. Pseudo random num-
ber generation, symmetric cryptography (stream and block ciphers), modes of operation, hash functions,
message and entity authentication protocols, zero knowledge, pitfalls deploying public-key encryption and
digital signatures, key distribution, secret-sharing.
These notes were understood, compiled, and typed by Matthew Tucciarone. Please acknowledge the fact
that there may be errors or typos in these notes either done by the professor during the lecture or by the
note taker.
CONTENTS Applied Cryptography
Contents
1 Introduction 6
1.1 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Hash Functions 7
2.1 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Cryptographic Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Aside 1: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4 Aside 2: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.5 Pre-image Resistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.6 Collision Resistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.7 Pre-image Resistance (Contd) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.8 Collision Resistance (Contd) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.9 Second Pre-Image Resistance (WCR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.10 Examples of where to use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.10.1 Password Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.10.2 Torrenting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.10.3 Signed Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.10.4 Hash Tree (Merkle Tree) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.11 Example Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.12 Addressing Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.13 Random Output (RO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.14 Non-Malleability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.15 Internals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.16 Markle-Damgard Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.16.1 Question 1: Input to f1 on first pass instance other than m1 ? . . . . . . . . . . . . . 12
2.16.2 Question 2: Padding? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.16.3 Padding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.17 Length Extension Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.18 Sponge Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.19 Internals of the Compression Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4 Extractors 16
4.1 Example of an Extractor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2 Von Neumman Extractor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
6 One-Time Pad 19
6.1 Drawbacks of OTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2 of 59
CONTENTS Applied Cryptography
7 Stream Ciphers 21
7.1 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
7.2 RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
7.2.1 Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
7.2.2 Key Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
8 Block Ciphers 23
8.1 Common Block Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
8.1.1 AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
8.2 Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
8.2.1 Electronic Codebook (ECB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
8.2.2 Cipher-Block Chaining (CBC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
8.2.3 Counter Mode (CTR/CM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
9 Security Definitions 26
9.1 One-Time Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
9.1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
9.1.2 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
9.2 Semantic Security (CPA-Secure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
9.3 CCA-Secure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.3.1 Plaintext Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
12 Number Theory 32
12.1 Algebraic Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
12.2 Integers mod p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
12.3 Exponentiation mod p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
12.4 Subgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
12.5 Integers mod p Continued . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
12.5.1 Inverses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
12.5.2 Exponents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
12.5.3 Inverse is an Exponent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
12.6 Quadratic Residue Continued . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3 of 59
CONTENTS Applied Cryptography
16 Digital Signatures 45
16.1 Signature vs MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
16.2 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
16.2.1 Public Key Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
16.2.2 ZKPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
16.3 Schnorr Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
16.3.1 Sign Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
16.3.2 Schnorr-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
16.3.3 Schnorr Variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
17 Building CCA-Secure 47
17.1 Naive Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
17.2 STS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
18 RSA Setting 49
18.1 Textbook:" RSA Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
18.1.1 Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
18.1.2 RSA Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
18.1.3 RSA Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
18.1.4 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
18.1.5 RSA Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
18.2 Strengthening RSA Encryption/Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4 of 59
CONTENTS Applied Cryptography
21 HTTPS Protocol 55
21.1 Handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
21.2 Change CipherSpec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
21.3 Application Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
21.4 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
21.4.1 Padding Oracle (Lucky 13) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
21.4.2 BEAST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
21.5 HTTPS - Real World Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
21.5.1 Issues in HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
21.5.2 Usability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
22 Bitcoin 57
22.1 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
22.2 Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
5 of 59
Applied Cryptography
1 Introduction
Info Security
1) Confidentiality (C)
2) Integrity (I)
3) Availability (A)
Cryptography helps in the areas of Confidentiality and Integrity.
Confidentiality Confidentiality consists of two concepts:
Definition 1.1 (Encryption). The idea of locking a message in a safe with a key.
Definition 1.2 (Modern). The idea of minimal disclosure, e.g. a digital drivers license
1.1 Integrity
Integrity consists of the following concepts:
Definition 1.3 (Unmodified). This is relative: Identify precious state (authentication).
6 of 59
Applied Cryptography
2 Hash Functions
In a Hash table we have the following functions:
sleep"
sleek"
dry"
2.1 Properties
Pre-image resistant (PR)
Collision resistant (CR)
Second-pre-image resistant / weak collision resistant (WCR)
Random Output
Non-Malleability
{0, 1} {0, 1}d , |{0, 1}d | = 2d
y = H
|{z} ( x
|{z} )
|{z}
image/output {0, 1} d hash function pre-image, input {0, 1}
2.3 Aside 1:
First pass
x
|{z} y
Hash / other primitive
2.4 Aside 2:
Deals with Computational Infeasability (the idea that things can be done but over a lifetime).
240 feasible
280 infeasible with no safety margin
2128 infeasible
According to NIST standards, they suggest all functions at 2112 .
7 of 59
2.5 Pre-image Resistance Applied Cryptography
n2 d
X n d
E (# collisions) = Pr [h(xi ) = h(xj )] = 2 2 = n2 2(d+1) n2 2d
2 2
ij
Let n n
d/2
, E (#collisions) > 1
Were going to review our definitions thus far and improve on them:
E (# of pre-images) = f (n)
1 = f (n)
n
1=
2d
n = 2d
d is the output of the hash in bits and the output space is 2d . n represents the amount of work. In order
for this to be secure, we want n = 2128 and thus d = 128.
8 of 59
2.8 Collision Resistance (Contd) Applied Cryptography
Where y = h(x) and |y| = 2n . Is h0 collision resistant? Its clear that as long as were feeding it x values
that are unique, well get unique x values out. If we put in a value that is not equal to n, then well get the
hash of x and prepend to 1. By definition, H(x) is collision resistant. Because this is so, any output that
falls in the otherwise category is collision resistant. Then the only hope is to find a collision between the
two cases. Since y 0 = h0 (x), |y 1 | = 2n+1 .
Corollary 2.1 (About Collisions). A naive approach takes a lot of memory but finding collision doesnt
have to take that long, so were gonna look at Floyds cycle-finding algorithm. Its not faster but its as
exhaustive as the naive approach. It stills has a run time of (2 /d ):
2
x gets hashed into h(x) and then gets hashed once more into h(h(x) arbitrarily long. Because the possible
values of x are limited (2d ), we know the chain cant go on forever. Eventually, well hit a number weve
seen before. We also know that it cant terminate. Given these two properties, we find the chain of values
eventually creates a cycle. There is a tail and a cycle for these and theres a high probability well end up in
the tail. At the value intersecting the tail and the start of the cycle, we have found a collision. The length
of the tail (O(2 /2 )) is roughly the same size as the cycle (2 /d ).
d 2
9 of 59
2.10 Examples of where to use Applied Cryptography
2.10.2 Torrenting
Let us assume Alice connects to The Pirate Bay (TBP) and she wants a movie. TBP sends her h(movie)
and then over time TBP sends her pieces (m1 , m2 , m3 , m4 ). Let us assume Eve sends m4 that is actually
a virus. How does Alice know that m4 isnt a valid movie file? She has to trust TBP. What property among
the three properties will ensure she wont get a virus? Weak collision resistance. Were given movie and if
Eve finds m0 h(m0 ) = h(movie). We must rely on WCR since CR is not dependent. What about PR?
That doesnt have any bearing on this scenario, so obviously not needed.
10 of 59
2.11 Example Hash Functions Applied Cryptography
Given hash H which is secure and has output of d bits, construct hash H 0 which has output (d + 1)-bits
and is CR but not PR. Recall that:
(
0 0||x |x| = d
H (x) =
1||H(x) otherwise
This is trivially not PR because youre just concatenating a 0 with the input x in the first case. For CR, there
are two cases:
1. Let y = H 0 (x) = 0. If you get the same output, then it implies you get the same input.
2. Let y = 1 . . . z. This means that y = 1||H(x) and y = 1||H(x0 ). If x = x0 then by definition H is
CR and thus H 0 is also CR.
All of this above is to purely summarize that CR does not imply PR.
11 of 59
2.13 Random Output (RO) Applied Cryptography
2.14 Non-Malleability
This is something that you would think would hold, but sometime it doesnt. Given y, it is infeasible to
produce y 0 such that y 0 = H(f (x)). For example, y 0 = h(x + 1) or y 0 = h(2x). It turns out that most
hash functions are true except ones like y = h(x||m). These examples are called Length Extension
attacks.
2.15 Internals
Note that x can be any size. This makes it hard to define functions that work for all sizes. Youve got
a message m that is split into different blocks of fixed length. The first block would be the compression
function which is similar to a hash that it has CR and PR, however it takes a fixed input and maps
it to a fixed output ({0, 1}2d {0, 1}d . With a general function we have an arbitrary length and were
compressing it to a known length d. So how do we get a fixed length output? We need a way to accumulate
the values produced from each block which should produce us a single block.
There are two common structures we will look at, and the first is:
12 of 59
2.17 Length Extension Attacks Applied Cryptography
2.16.3 Padding
We have m which breaks up into blocks m1 and m2 . For the padding of m2 , we can reserve a set of bits
which is a fixed length. What we put in is the length of m. In practice {0, 1} {0, 1}d where is very
high, such as 2 /2 . Between m2 and the padding, we can fill in with 100000... or 01111... with as many as
d
13 of 59
Applied Cryptography
3.1 Security
A PRG is secure (CS-PRG) if:
(1) Infeasible (something such as (2112 )) to distinguish the output y from a truly random bitstream of
the same length (|y|), if you dont know x. We expect the input size to be greater than 112 bits, such
as having |x| = 128 bits (|x| 112).
Example 3.2. Assume |y| > |x|, e.g. |y| = 2|x| where |y| = 256 and |x| = 128. Then theres less
randomness in y than 256 truly (uniformly) random bits. True randomness give equal probability to every
output where as PRGs would not.
Lemma 3.1 (Security Definition). It is infeasible to predict the next" bit if you dont know x.
Say Alice does P RG(seed) = b1 , b2 , b3 and Alice sends each bit to Bob (who doesnt know what the seed
is). Then even if he looks at every bit, it should be infeasible for him to predict the next bit.
Assume you know x (seed), then you can predict the next bit which is a consequence of the PRG being
deterministic. This would make it feasible to predict the next bit. If you know the seed then you can break
the lemma above and thus break the first infeasible rule of security (1).
Lemma 3.2. Infeasible to recover the seed (x) given output (y).
3.2 Internals
We will be looking at this a bit later, but well be talking about stream ciphers which make use of PRGs.
Well also be talking about Block ciphers. Once we know that, there is a way of converting that into a PRG
using a mode of operation. In practice, people who want PRGs can either rip them out of stream ciphers
or convert them from Block ciphers.
14 of 59
3.3 Examples Applied Cryptography
3.3 Examples
Linear Feedback Shift Registers (LFSRs): No longer secure. Mersenne Twister.
Cellular Automata: Insecure.
A5/1, A5/2 (stream ciphers): Insecure (mobile such as 3G). Monte Carlo sim.
RC4 (stream ciphers): Secure, but low security margin.
Counter Mode" (block cipher): Secure if block cipher is secure. Eg. AES.
15 of 59
Applied Cryptography
4 Extractors
We have the following function which has 1 input, and technically there is a non-secret key (i) but we dont
care in this course: y = Exti (x). The input x is of size {0, 1} with y being of size {0, 1}d . If x has
min-entropy greater than d (typically H0 (x) > 2d), then it is infeasible to distinguish y from a d-bit true
random bitstring. This means that we can shrink" our input x and put it into a size of d for the output y.
How are they used? We have the following function y = P RG(Ext(x)), where y = {0, 1} and x has a
lot of semi-random bits, and Ext(x) is 128-bits in size. As long as there is enough randomness, then itll
crunch down inputs and sanitize" the randomness into pure randomness of 128-bits.
Where the weighted average is pi and the measure of information is the log. The 2 is the output in bits.
Say we flip our bias coin 20 times and we have the output x = HHHT HHHT HHHH . . .. Then we
know Entropy = 20(0.97). We also know that the min-entropy of this coin is 0.736, where we will define
min-entropy later.
We use any x (H0 (x) > 2d) and always return d-bits.
Shannons average case is defined to be pi (log2 pi ).
P
16 of 59
4.2 Von Neumman Extractor Applied Cryptography
17 of 59
Applied Cryptography
18 of 59
Applied Cryptography
6 One-Time Pad
We have a message m of length l and a key that is made of l truly random bits:
Enc m= 0 1 1 0 0 1 0
b= 1 0 0 0 0 1 0
Enck (m) : Dec c= 1 1 1 0 0 0 0
k= 1 0 0 0 0 1 0
m= 0 1 1 0 0 1 0
Theorem 6.1. If k is truly random, then it is not merely infeasible (eg. requiring 2112 work) for Eve to
decrypt it is actually impossible.
Proof. We have Alice sends c to Bob and Eve is in her own closed world and does not get c (Scenario1).
In another scenario, Alice sends c to Bob and Eve manages to see the value c (Scenario2). If you cant
distinguish between these two worlds, then this encryption scheme is secure (ie. whether or not she sees
c doesnt mean anything). Denote Pr (m) that Eve guesses the message m in S1 and let Pr (m|C) be the
?
probability that she guesses m given c in S2. Pr (m) = Pr (m|C). What does Pr (m) mean? We cant say
what that is until we know the kind of messages sent to Bob. Assume its an election and shes sending
Bob the name of a candidate. Assume Alice is willing to vote 60% towards one more person. Things we
know about m would be thing such as:
Liberal 60%
m = Cons 10%
N DP 20%
We know that |m| = l and in general that every 2l bitstring is equally probable, but not in this case. Let
us look at the following which makes use of Bayes Theorem:
?
Pr (m) = Pr (m|C)
? Pr (C|m)Pr (m)
=
Pr (C)
?
Pr (C|m) = Pr (C)
19 of 59
6.1 Drawbacks of OTP Applied Cryptography
Once m is fixed, each unique k gives a unique c st. Pr (C|m) = Pr (k), where Pr (k) is truly random.
Therefore, Pr (C|m) = 1/2e .
P (C):
We know that |m| = |k| = |c| = e. Say that m = m0 and we let m0 is Pr (C|m) = 1/2k . m1 would be
Pr (C|m) = 1/2k and the same goes until mi . Thus we would have:
1 1
Pr (m0 ) ( e
) Pr (m1 ) ( e ) + . . .
2 2
1
= P r(m0 ) + Pr (m1 ) + . . .)
2e
1 1
= e (1) = e
2 2
The above states:
For any m, the probability of c given m is 1/2e
4. Malleable: Given c but not m, we can construct Enc(m m0 ), where m0 is anything you want (this
can disappear with a better encryption function or addition of a MAC)
5. Leaks l, where l is the length of the message
20 of 59
Applied Cryptography
7 Stream Ciphers
The OTP consists of: m l = c, where m = {0, 1}n and k = {0, 1}n . In general, l is a security sensitive
length. A Stream Cipher looks like : m P RG(k) = c where n is much larger than l and k = {0, 1}l and
P RG(k) = {0, 1}n (the keystream). We can assume l = 112 bits or 128 bits. The only difference between
OTP and SC is that k has the property of being impossible to distinguish from true randomness compared
to P RG(k) which has the property of being infeasible to distinguish from randomness.
Once more we have Alice sending c to Bob where c = m P RG(k) and Eve sees c and wants to know m.
She can solve m = c P RG(K) but unfortunately she doesnt know P RG(k). Now assume she knows
part of m. She knows the whole value of c and now she has a message m and knows the first part of the
message and not the last. If she s the first part of c and first part of m then she can obtain y which is
the output of P RG(k). Recall from P RG that its secure in that you cant predict the next bit. Youve got
y but theres no way of finding k. This means the last part of y and m are still unknown.
7.1 Properties
1. Solves the big key problem of OTP
2. Keystream can be independently (pre-) computed: Then it is as fast as you can , which is fast.
3. Cannot reuse keystream, its malleable which leaks |m| = n
Dont forget that Eve knows c, may know parts of m, and we can assume she knows specifications.
Recall that we have a key {0, 1}e and put it into a PRG we get back an output {0, 1}n and XOR that with
a message {0, 1}n and receive a cyphertext of {0, 1}n . Its possible that l is greater smaller than n. We
have two common stream ciphers:
A block cipher that is encased in counter mode
a PRG that is encased in a stream cipher (RC4, ie. Rons Code 4)
7.2 RC4
Think of it as an array consisting of bytes in order (00, 01, . . . , F F ) with no duplicates. You pass a key k
into a Key Schedule along with the sort array of Bytes and somehow, it outputs a shuffle that is dependent
on the key of the arrays; A3, 81, . . . , 03 (shuffled array). We then take our first byte A3 and put it into a
Generation function that outputs a reshuffled array (D7, E2, . . . 96). You can then take out A3 from this
reshuffled array. The grabbing of this element is a pseudo-random selection.
7.2.1 Generator
The input to this function is this array and were going to define two pointers, i, and j, and point them
both from the first element (i = 0, j = 0). The algorithm can be found below:
21 of 59
7.2 RC4 Applied Cryptography
22 of 59
Applied Cryptography
8 Block Ciphers
We have the following formula: c = Enck (m) where c is the cipher text, c {0, 1}B , the key is {0, 1}l (l
can be 128 or 256) and m {0, 1}B . We also have m = Deck (c) where k is the same key. Alice knows k
and m and has c = Enck (m) and she passes along c to Bob. Bob knows k and c and has m = Deck (c).
Our B in the formulas are considered to be a block of a message, (eg. B = 128 bits). Note that in
Stream Ciphers we were encrypting our message bit-by-bit. In Block Ciphers, we have m = 011100 and
c = 101101 and we can see that every bit in c is dependent on every bit in m. That is, the first 1 in c
depends on the 0, 1, 1, 1, . . . in m. What would happen if we had a block that was too large? We would
need a way of chaining.
Recall in hash functions we had a fixed input and a compression function that we wanted to accept any size
input (arbitrary length). We saw that we could chain" these compression functions (ie. Markle-Damgard
and Sponge). In Block Ciphers, we would chain a Block cipher based off a mode of operation which
would give us Block ciphers once more. Some examples of a Block cipher would be DES, AES and for
modes of operation we have ECB, CBC, CM, GCM, and many more. For the output Block ciphers, we would
have something such as AES-CBC-128 which describes the specifics (AES with CBC mode of operation in 128
bits). To help with our knowledge of Block ciphers, there is something called Pseudo-random Permutations
(PRP). The input and output space are the same (input is all possible messages, with 2b same as output),
however the mapping between the two spaces depend on the key. Thus if we use a different key between
the spaces, we receive a different mapping. There are cases for this:
1. You cannot have two messages have the same output since you cannot decrypt.
2. You cannot have a message that goes to two outputs either (block cipher is deterministic)
8.1.1 AES
Lets first consider AES-128 (128 bit key). AES-192/256 work the same way with the exception of having some
extra rounds. In AES-128, you can take your key and put it into a Key Schedule (function) and it will output
23 of 59
8.2 Modes of Operation Applied Cryptography
SubBytes |{z}
m |{z} Shf tRows |{z}
M ixColumns |{z}
AddSubkey
128bit 128bit 128bit 128bit
The input to AddSubkey is the mangled m with the subkey 1. The output of this is then the new m for
the next round. This happens ten times for each key and at each round level there is an output of 128 bits.
The output is then the ciphertext. Note that in the last round we omit M ixColumns.
SubBytes uses a thing called S-Box (Substitution-Box) which is a lookup table. The mappings are
random-ish and this S-Box is the same for everyone (public). This has the property of confusion".
ShftRows mixes up the bytes in each rows, or shuffling. Do nothing with the first row, shift the
second row to the left once, third row to the left twice, and last row to the left three times. This has
the property of diffusion" (dependency between bytes). Combines parts of stage with other parts.
MixColumns takes a column and runs it through a matrix. This has the property of diffusion".
Combines parts of stage with other parts.
AddSubKey is just taking the key and with the state, giving you state.
Recall that in order to decrypt, every function in the rounds must be reversible (since in order to get
the message back, we go through these rounds backwards), with exception of AddSubKey, which only
becomes reversible given a subkey. The KeySchedule function consists of many different rounds and ways
of getting the subkeys.
2. Improves security.
Recall in ECB we had three blocks; m1 , m2 , m2 (where m3 may need padding). We can assume that for
this course itll be zero padding. m1 and k would be the input for Enc which then gives us c, and the
same applies for each c.
24 of 59
8.2 Modes of Operation Applied Cryptography
m1
Encrypt IV1 Enck (m1 , IV2 ), IV1
25 of 59
Applied Cryptography
9 Security Definitions
Definition 9.1 (One-time security). Defined as the lowest level.
Definition 9.2 (Semantic Security). Defined as the medium level, where it is secure against chosen
plaintext attacks (CPA-Secure).
Definition 9.3 (CCA Secure). Defined as the highest level, where it is secure against chosen ciphertext
attacks (CCA-Secure).
26 of 59
9.2 Semantic Security (CPA-Secure) Applied Cryptography
We say that an encryption is one-time secure (OTS) if the adversarys success rate is less than | 21 + |,
where is negl(l). An example of negl would be something that decreases exponentially. Whats the
probability the adversary guesses right? Naive: Pr (correct) = 21 . We can define an advantage, Adv =
|1/2 Pr (correct)|. We can then say a crypto-system is secure if any adversaries advantage is negligible
(really small): negl(l) poly(l)
1
, where l is the key length. Thus negligible is an upper bound. This makes
it a very strong security definition. We would say that the adversary is polynomial-bounded (PPT-bounded
for probabilistic poly time).
An example of this would be: Pr (guess a random key) = 1
2l
= 1
exp(l) (AES = 1
2128 ).
9.1.2 Example
Lets look at an example where encryption clearly fails and we can look at how it fails in the game. An
adversary can decrypt the last bit: m0 = 0000 . . . 0 and m0 = 0000 . . . 1 where the numbers in front are
invariant. The adversary can get back cb (last bit 0? If so, m0 . Otherwise, m1 .
Another example is where we use the same scheme, except 1% of the time the adversary can decrypt the
last bit. Thus, Pr (success) = (0.01) 1 + (0.99)( 21 ) = 12 + 200
1
. 200
1
is not dependent on l. This means
its actually equal to 2 + (1) (O(1) > /poly(x)), which makes this equation larger than 1 + . Thus, this
1 1
is insecure.
27 of 59
9.3 CCA-Secure Applied Cryptography
9.3 CCA-Secure
Were gonna have a modified oracle blackbox which will now have access to a decryption function as well
as an encryption functiin (whereas before it could only encrypt). Were going to change the game we
mentioned above a little bit:
1. Adversary chooses any message and receives encryption, or any ciphertext and receives decryption
2. Adversary chooses m0 , m1
3. Oracle encrypts one at random: cb
4. Adversary chooses any message and receives encryption, or any ciphertext (except cb ) and receives
decryption
5. Adversary guesses
Due to these added tweaks, CBC (c.f. CCR) is not CCA-Secure. We would have an attack as follows:
2) Adversary chooses: m0 = ABCD where A is a block and m1 = W XY Z
3) Get back cb =
4) Create c0b where c0b has blocks that are duplicated from cb but we flip the last bit. We then ask for
the decryption. We would then get back ABC where the last block is complete random and wed
also have W XY and that last square is just garbage. Thus, succeed.
From the above game, whats missing in order to succeed with CCA-Secureness?
28 of 59
Applied Cryptography
10.1.2 Attempt 2
We would have ha = H(m||k), mi, which is just the reverse of the above. We could have H(m||k||k 0 )
which would give us m||k, but that cannot be computed. Thus, its secure against Length-Extension attacks.
We have an m that leads to a collision m0 , where H(m) = H(m0 ). If we used Merkle-Damgard, we would
have H(m||k) = H(m0 ||k). Thus we dont use because the hash needs to be collision resistant. That is, if
H becomes insecure to collision-resistance (easiest property to break) than MAC is not secure.
Recall Markle-Damgard: We have 2 blocks, where m and IV goes into a compression function which
outputs an x; H(m) = x. The output of x can go into another compression function with a key k
that is 1 block and that outputs a. Collision m0 is given by H(m) = H(m0 ), where H(m0 ) = x. If
we had the same setup and used m0 , we would get the output x which is then fed into the second
compression function and k which outputs a, since this is a deterministic process. If H(m) = H(m0 )
then a = M ACk (m) = M ACk (m0 ) = H(m||k) = H(m0 ||k).
10.1.3 Attempt 3
Were given ha = H(k||H(k||m)), mi. The inner H(k||m) value is part of attempt 1. Length-extension
because value is inside a hash, protected by pre-image resistance. The adversary can get y = H(m) =
H(m0 ) which is collision.
29 of 59
10.2 Block Cipher-Based CBC-MAC Applied Cryptography
11.1 MAC-then-Encrypt
We can perform a = M ACkmac (m) and then perform c = Enckenc (m||a). This is in special cases secure.
The problem with this is that sometimes the Encryption function is malleable.
11.2 Encrypt-then-MAC
This was described above, where c = Enckenc (m, IV ) and a = M ACkmac (c, IV ). In general, this is
secure.
Note: Enc was CBC, and MAC was CBC-MAC (last block are same except using different IVs). In special
cases, same key can be used (If we used Enc with CTR and MAC with CBC-MAC, we obtain CCM proven
you can use the same key).
Unless if you know better, you should always use AE. If in a flux and AE is not available, then perform
Encrypt-then-MAC. Should MAC the IV as well (you can never MAC too much information). Weve talked
about the following modes of operation thus far:
30 of 59
11.3 Other AE Modes Applied Cryptography
Note that we have Hashes which are used in MACS, PRNGs are used in Streams, and Symmetric
Encryption is used in MACs and AEs.
Hashes are named PR functions and Streams are PR permutations.
Different Key: Asymmetric Encryption (ElGamal CPA, Cramer-Sharp CCA, RSA OTS, RSA+OAEP
CCA), Signature (DSA, RSA Signature)
Note that in symmetric key primatives (with exclusion of MACs) is considered to be a low-level application,
ie. logical operations, whereas Asymmetric key primatives (such as key exchange, Encryption, signature) is
considered to be low-level in mathematical equations.
31 of 59
Applied Cryptography
12 Number Theory
12.1 Algebraic Structures
Algebraic structures consists of the following:
A set of elements (real numbers, integers, coordinates, polynomials, etc.)
A set of operations (addition, multiplication, exponentiation, etc.)
2. (a b) c = a (b c) (Associativity)
3. e S st. a e = a (Identity)
4. a S b S st. a b = e (Inverse)
5. a, b, a b = b a (Commutativity)
We can have a structure which consists of 2 operations, such as + (abelian group) and (monoid). In
our case, multiplication would be the abelian group and exponentiation as the monoid. There are other
structures such as Finite Fields and Lattices that are important in the field of Cryptography, however we
will not be looking them.
If we define a cryptosystem generically in terms of algebraic structures, the details of what set/operation(s)
we use can be swapped out. In this course, well be looking at integers mod p (prime) and multiplication
(exponentiation). There exists a faster algebraic structure which makes use of an elliptic curve (coordinates)
and an operation called the Point-Doubling (point multiplication). This structure is used in the real world,
whereas the system well be looking at in this course which is easier to understand.
Zp = {1, 2, . . . , p 1}
Note that p
= 0 mod p (congruency)
We see that Zp is an abelian group with multiplication exception 0, however Zp is generally an
abelian group.
32 of 59
12.3 Exponentiation mod p Applied Cryptography
Order of a set is the number of elements in it, e.g. ord(Zp ) = p 1 (abelian group). Note that for
setting 1 cryptography, the order of the set must be a prime number.
The order (t) of an element a divides the order of the set (p 1). For example, in mod 11, we
have a Z11 , a|p 1.
In general, if ord(a) = p 1, then a is a primitive root. That is, it generates every element in Zp .
For example, a = 2 in Z11 , ord(2) = 10 which makes 2 a primitive root. 2 generates, that is the the
integers that result from a being exponentiated by any value
33 of 59
12.4 Subgroups Applied Cryptography
12.4 Subgroups
The set generated by any element a is a group (e.g. closed under multiplication, with inverses, etc.). That
is, a (or g) is a generator of some group and the primitive root is the generator of Zp .
Example 12.2. Let g = 3. The generators are {1, 3, 9, 5, 4}.
Corollary 12.1. For all g with same ord(g), the generated set is the same.
Definition 12.1 (Quadratic Residue). a st. b2 = a, a is a quadratic residue. Note that half of Zp has
two roots and that half of Zp has zero.
Definition 12.2 (Safe Prime). A safe prime p is a prime st. p = 2q + 1 where q is also a prime. In
this course, q will always be multiplied by 2, however in the real world it can be a different factor. Given
a Zp , we have ord(a)|p 1 = {p 1, q, 2, 1} where p = 2q + 1 and p 1 = 2q. We say that p 1 is
the primitive root and that we use Gq for the q in the set mentioned earlier.
Recall we mentioned Settings:
1. Integers mod p where p = 2q + 1 for prime p and q - known as the Discrete Log Setting
2. Integers mod n where n = pq for prime p and q - known as the RSA Setting
3. Elliptic Curves (may cover this at the end of the course)
12.5.1 Inverses
For mod p, every element in Zp is invertible.
Definition 12.3 (Invertible). a is invertible if b st. a b = 1, where b = a1
12.5.2 Exponents
Reduced mod ord(Zp ) = 22 where Zp = [1, 22]. We have g a g b = g a+b mod p
eg. g = 1, g 1 = 1 and
thus if we had g = 2, g 1 = 12 or g = 3, g 1 = 8.
34 of 59
12.6 Quadratic Residue Continued Applied Cryptography
g 1
= g 1 mod p
= g ord(ZP )1
= g p2
With p = 23, then the inverse of g is g 21 = g 1 where we know that ord(Zp ) = p 1.
Example 12.4. Let g = 2, ord(2) = 11, set= {1, 2, 4, 8, 16, 9, 18, 13, 3, 6, 12}. Let this group be called
Gq . ord(Gq ) = q where q is prime.
If p = 2q + 1, groups of order q|p 1 q|2q is always a generator for Gq
Exponents reduced mod ord(Gq ) = mod q
We have that exponents (g a ) are in Zq = {0, 1, 2, . . . , q 1} where g Gq and Gq is a subset of
Zp
If we had g a g b = g (a+b mod q) = g (a+b mod p)
where g a Gq Note that if g a
/ Gq then g a g b 6=
g (a+b mod q) = g (a+b mod p) .
We know that g = 2 generates Gq . Lets look at g = 4. This has ord(q) therefore g = 4 generates Gq .
We can also see that g = 3 generates Gq . Were getting a pattern here. Notice that every number in the
set {1, 2, 4, 8, 16, 9, 18, 13, 3, 16, 12} all generate Gq . Therefore, anything in Gq is a generator of Gq with
exception of g = 1.
35 of 59
Applied Cryptography
3. Alice randomly picks a number a st. a Zq r [0, q]. She then computes g a mod p and obtains
ya = g a mod p
4. Alice sends {p, q, g} to Bob and ya = g a mod p
1. Bob picks b r Zq . He also has yb = g b mod p and sends yb to Alice. Note that Alice cannot get b
from {g, yb } due to the DLP
2. Alice then gets k = yb a = (g b )a = g ab
{p, q, g}
g
ya = g a
yb = g b
Note that it is infeasible to compute g ab . Note that she doesnt know {a, b}. This leads to the Computational
Diffie-Hellman Problem (CDHP).
36 of 59
13.1 Decisional Diffie-Hellman (DDH) Assumption Applied Cryptography
Note that H(a) H(b) 6= H(a||b). Alice has a and sends a to Bob. Bob has a b and sends b to
a b
Alice. Alice does b which leads to ab and Bob takes a and gets ab from it. The CDH states that
a b 6= ab . DDH says given a , b , we cannot tell ab from r .
13.2 Blinding in Gq
Alice has a message m Gq where G is the group, with q elements in the group. Note that G is closed
under multiplication.
Aside: m0 [0, q 1] and m12 mod p = m, m Gq .
We can then say that m r mod p, where r is a random element of Gq , hides m. This is like an OTP. We
can say c = m r where for every possible value of r, there is a different value of m st. c is the same. r
is effectively a OTP (for true randomness). This makes it computationally blinded (pseudo-random).
Bob chooses b and sends b to Alice. Mallory intercepts and instead creates b0 and sends |b0 | to
Alice.
Alice then performs |b0 |a = |ab0 | = k1
37 of 59
13.4 Example Applied Cryptography
13.4 Example
Alice has the following parameters:
Safe prime p = 23 and thus q = p1
2 = 11
Generator of Gq :
1. Pick a random number gi and then ask if giq = 1 mod p. Note that gi1 6= 1 and gi2 6= 1.
2. Pick random gi and set g = gi2 mod p. If g = 3 then p, q, g = 23, 11, 3.
3. Alice chooses a random number a Zq = [0, q 1] = 19 = 8 mod 11. Then yA = g a
mod p = 319 mod 23 = 6. Note that Eve needs to find x within 6 = 3x mod 23 but thats
the DLP.
4. Bob sets b = 4 and generates yB = g b mod p = 12 mod 23. Thus Eve would have 12 = 3x
mod 23 to figure out.
5. Alice computes the secret key by doing k = yBa
= g ba = g ab . Bob performs k = yA
b
= (g a )b =
g . If we plug in numbers, Alice gets 12 mod 23 and Bob gets 6 mod 23. They both
ab 8 4
38 of 59
Applied Cryptography
14.1.3 Encryption
c = Ency (m, r) where m Gq . r is a random factor (similar to an IV). Thus c = {c1 , c2 } = {g r , m y r }
where r r Zq and m Gq . Note that if you encrypt a message twice then because r is a random factor
then the output will not be the same. Thus ElGamal is CPA-Secure. Also note it is homomorphic just like
the DH.
14.1.4 Decryption
my r
We have m = Decx (c) = c2 cx r r x
1 = (m y )(g ) = (my r )(g rx )1 = (my r )(y r )1 = yr = m.
39 of 59
14.2 ElGamal Continued Applied Cryptography
14.4 Properties
Multiplicatively Homomorphic: Enc(m1 ) = g r1 , m1 y r1 and Enc(m2 ) = g r2 , m2 y r2 where
Enc(m1 , m2 ) = g r1 g r2 , m1 m1 y r1 y r2 = g r1 +r2 , m1 m2 y r1 +r2 = Enc(m1 m2 , r1 + r2 )
Even with decryption key, cannot recover r
Randomized: Enc(m1 ) 6= Enc(m1 ) where LSH is g r1 , m1 y r2 and RHS is g r2 , m1 y r2 , however
r1 6= r2 and g r1 6= g r2 .
Every ciphertext hc1 , c2 i where c1 , c2 Gq will decrypt to something
40 of 59
14.6 ElGamal non CCA-Security Applied Cryptography
and x is the secret key, whom sends it to Alice and thus Alice knows y, g, p. Alice sends m1 , m2 and then
the Oracle chooses a b [1, 2] and sends Alice cb . Alice then sends a bunch of messages again and the
Oracle sends some ciphertext. What is cb ? cb = g r , mb y r . Alice tries to guess whether b = 1 or b = 2.
Whats the probability that her guess is correct?
There are two proofing techniques:
1. Game Hopping (Hybrid Arguments)
2. Simulation
Proof. Were using the Game Hopping proof for this. Were making a Game 1 where we change some things:
Oracle gives Alice y, g, p. Alice sends some messages and the Oracle sends some cipertext. Then Alice sends
m1 , m2 . The Oracle picks a b [1, 2]. This is where its different. The oracle does g r , g R = cR
where R is a random number. The Oracle then sends cr to Alice and then the two exchange messages and
ciphertext. Alice now guesses if b = 1 or b = 2? Whats the probability that Alice will guess correctly?
Lets look at the difference between Game 0 and Game 1 and the different of the probabilities. Thus we
can say:
|Pr (win G0) Pr (win G1)|
What does Alice know in G0?
p, g, y, g r , my r = p, y, g x , g r , mg xr
What does Alice know in G1?
p, g, y, g r , g R = p, g, g x , g r , g R
Recall the Decisional Diffie-Hellman: g, g a , g b where g ab is indistinguishable to g R . It turns out that
in both of the above games, you cant distinguish the things she knows in Game 0 and Game 1 cant be
distinguished from each other. Thus we can say:
41 of 59
Applied Cryptography
Step 2:
c = 0 If Pe did 1a then its okay.
c = 1 If Pe did 1a then hes caught.
c = 0 If Pe did 1b then hes caught.
c = 1 If Pe did 1b then its okay.
Heres what Pe will do: He chooses d Zq and put that in a box, d (which is okay). He will then
?
do A = x d = d x and sends. The Verifier will know take d and go d = A x =
dx x = dx+x = d .
42 of 59
15.2 3-move (Sigma) Protocol Applied Cryptography
Challenge:
Must be unpredictable before Alice completes the first step above (the commit).
c {0, 1}. Note that c can be any integer. Note that Pr (Alice cheats) = 12 .
c {0, 1}t where Pr (Alice cheats) = 21t . On a side note, when you extend the challenge to t-bits,
it is no longer technically zero-knowledge (not going to be seen in the course).
43 of 59
15.3 Fiat-Shamir Heuristic Applied Cryptography
Note:
b before c relies on pre-image resistance
c needs to be unpredictable. We need to assume the output of the hash is random (Random Oracle
Assumption).
c needs to be large st. faked hb, c, di values do not, by coincidence, have c = H(b).
You should actually do c = H(b, {p, g, y})
Thus the above removes Bob from the protocol and at the end we would output {{p, g, y}, {b, c, d}}. She
can give anyone this transcript and then everyone can verify it by the following:
?
1. g d = y c b
?
2. c = H(b)
?
3. In one step we can just do c = H(g d g c )
44 of 59
Applied Cryptography
16 Digital Signatures
Alice has a public key, y, and a secret key x. Alice signs a message m as:
s = Sigx (m, r)
Note this has nothing to do with encryption and just integrity. Bob, or anyone, can verify hm, si. This
would be T rue/F alse = V erif yy (m, s).
16.2 Construction
There are two ways to do this:
1. Built from public key decryption
16.2.2 ZKPs
Shnoor alongside Fiat-Shamir proves that a transcript was generated by the person who knows x st. y = g x
mod p. We can let x be the sk and y be the pk.
45 of 59
16.3 Schnorr Signature Applied Cryptography
16.3.2 Schnorr-Security
DLP (Schnorr-ZKP)
Pre-Image Resistance (Hash)
Random Oracle
Collision Resistance (Hash) (Find m0 st. H(s1 ||m0 ) = H(s1 ||m))
46 of 59
Applied Cryptography
17 Building CCA-Secure
Were going to look at CCA-Secure public key encryption. Recall ElGamal is CPA-Secure (reduction to DDH
assumption), but not CCA.
hc1 , c2 , s1 , s2 , s3 i
Recall Diffie-Hellman:
Key Exchange protocol
Passive adversary (eavesdrops, secure)
Active adversary (changes values, insecure due to MITMA)
Station-to-Station (STS): Diffie-Hellman with signed values.
17.2 STS
In this scenario, we have:
Public knowledge of {p, q, g}.
Alice has a [1, g], pkA , and yA = g a mod p. She sends to Bob yA .
Bob chooses b [1, q], pkB and then yB = g b mod p. Bob then sends to Alice yB , SEnck (SigskB (yB , yA )) =
cB . Bob also performs k = yAb
mod p = g ab .
Alice then does k = yB
a
mod p = g ab . Alice then sends back a confirmation by sending SEnck (SigskA (yA , yB )) =
cA .
Alice then performs SDeck (cB ) = Sig which she can verify with pkB and Bob can also perform
SDeck (cA ) = Sig which he can verify with pkA .
How does Alice and Bob learn each others public keys? Recall in Symmetric keys, we have (n2 ) keys
where n is the number of people. In Public key, we have O(n) keys. There is also a concept called
Certificates:
47 of 59
17.2 STS Applied Cryptography
48 of 59
Applied Cryptography
18 RSA Setting
We will work in mod N where N = pq where p, q are large safe primes.
Elements of Zn :
inverses; invertible iff. gcd(a, n) = 1 where a is an element (coprime to n)
Not invertible: p, 2p, 3p, . . . , (q 1)p, q, 2q, 3q, . . . , (p 1)q. Everything else is invertible: Zn
Elements of Zp :
All elements except 0 had inverses: Zp
Lets look at the differences of the order of an element:
Zn :
ord(a)|(p 1)(q 1) = ord(a)|2
p 2
q
p = 2
p + 1, q = 2
q+1
Therefore we have {1, 2, 4, p, q, pq, (p 1)(q 1)}
In general, ord(a) = (n)
Zp :
ord(a)|p 1 = ord(a)|2q which is {1, 2, q, p 1}
Recall that (n) is Eulers function which represents all the numbers coprime to n (and less than n). Note
that (p) = p 1 and (n) = (p 1)(q 1) where n = pq. This means that |Zn | = (p 1)(q 1).
Example 18.1. Find x given g and y:
y = xg mod n easy to find if y Zn
y = gx mod n easy to find if y Zn
y = gx mod n Discrete Log, still hard
y=x g
mod n Discrete Roots (trying to find x = g
y), hard, aka. RSA Problem
Example 18.2. Given n, find p and q: Factoring (hard for large n where |n| 2048, NIST of 2112 ) and p
and q are generally the same length (number of bits).
49 of 59
18.1 Textbook:" RSA Encryption Applied Cryptography
18.1.4 Properties
1. Not randomized, we encrypt the same message and get the same ciphertext. Not CPA-Secure (thus
not CCA-Secure)
2. Multiplicatively Homomorphic:
Note that the RSA Signatures are also deterministic. It doesnt achieve the highest level of security (for
signatures):
?
Given m, s we have: m0 = m 2e and s0 = 2s. Thus (s0 )e = m0 which is (2s)e = 2e se = 2e mde = 2e m.
Example 18.3. Given valid Signature hm, si, compute forgery as m0 = m 2e mod n and s0 2s mod n.
?
V erif y(s0 , m0 ) = (s0 )e mod n = m0 mod n. We then have (2s)e mod n = m2e mod n and then
2e (md )e = m2e and thus 2e m = 2e m.
The above example shows that what we have is not strong enough. Thus, we need to do improvements.
50 of 59
18.2 Strengthening RSA Encryption/Signature Applied Cryptography
RSA-OAEP : CCA
Signatures weve seen so far:
Textbook RSA : Not Secure
RSA-PSS : Secure
DSA (DSS) : Secure
Schnorr : Secure
Key Establishment Protocols weve seen so far:
51 of 59
Applied Cryptography
Get Googles public key = pkG : Both a signing and encryption key
k = KeyEstablishment(pkG ), where k is a shared secret key (master secret)
kEnc , kM AC = P RG(k)
EnckE (m||M ACkm ||pad)
52 of 59
Applied Cryptography
20.3 Syntax
xxx _W IT H_ yyy
T LS_ |{z}
|{z}
Step 1 Step 4
xxx:
DHE_DSS (DSS=DSA
=Schnorr)
DHE_RSA(signature used in DH)
RSA: RSA Encryption
ECDHE
yyy:
AES256_CBC_SHA256 (AES could be 3DES, 256 could be 128, CBC could be GCM, and SHA256 could
also be MD5, SHA1, or SHA374)
RC4128_SHA256
20.4 Certificates
How do we know what the servers key is? Browsers come with a list of certificates" (known as Root
Certificates) for companies called certificate authorities" (CAs). CAs are trusted by the browser to correctly
bind public keys to domain names.
53 of 59
20.4 Certificates Applied Cryptography
Note that collision resistance matters since if we have two messages that hash to the same thing then the
signature will be the same for the two messages.
54 of 59
Applied Cryptography
21 HTTPS Protocol
1. Handshake - establish keys
2. Change CipherSpec - check of handshake
21.1 Handshake
Alice (user) sends ClientHello to the Server containing m1 = {TLS1.2, supported ciphersuites,
nonce} where TLS1.2 is the highest version client supports, the supported ciphersuites would be
something such as TLS_DHE_DDS_WITH_AES_128_CBC_SHA256, and the nonce is a random value
The Server replies with ServerHello to the User containing m2 = { TLS1.0, ciphersuite, nonce
} where TLS1.0 is the highest version in common with the client, the ciphersuite is the highest
prioritized ciphersuite, and the nonce.
The Server sends a Certificate Chain m3
The Server sends k = KeyExchange(P Kserver ) where it can be done using DHE with Signature
or RSA transport, called m4
Alice sends m6 which is ClientF inish.EnckE (H(m1 m5 ), M ACkm (H(m1 m5 ))), the encryp-
tion forces Server to decrypt which checks that kE is correct. The M AC is not generally negotiated
(all MACs are still secure) and MACs were not subjected to export laws
Server sends ChangeCipherSpec where the server checks the MAC
55 of 59
21.4 Attacks Applied Cryptography
21.4 Attacks
21.4.1 Padding Oracle (Lucky 13)
Applies to CBC mode
Exploits the fact that, implemented, CBC mode is not CCA-Secure (even with a MAC)
Problem is with the padding: not inside the MAC
Lesson: better in general to Encrypt-Then-MAC (c = Enc(m||p)||M AC(E))
Adversary sees a Record (Client -> Server) We have a message m that is encrypted and e which
is also encrypted. e consists of m, M AC(m), P AD. e can look like a bunch of stuff with 7C, 03, 03, 03
where the length of the padding is repeated. Say we flip the last byte (flip a bit) in m. This means the last
part of e is flipped, the 03 part. When we decrypt m, the whole block will be ruined.
In TLS, decryption failures are due to bad padding and bad MACS could be distinguished (fixed).
Figure out the padding: Let us look at a new message where the last bit is x and we with y. If we
look at the encrypted message e where the last bit is w, we can see the following:
If y = 0, then its the same
21.4.2 BEAST
Exploits the fact that CBC mode was not CPA-Secure (as implemented) but this was fixed in TLS1.1
and 1.2 using techniques.
Adversary sees a Record (Client -> Server) Let c1 = Enc(m1 IV ) and ci = Enc(mi ci1 ), i >
1. The message that is being transmitted consists of an HTTP header and a cookie (first block) and a
GET/PUT block as the last block. Well assume we know or we can choose some of the information in the
HTTP header.
1. Position your cookie st. only the first byte is in c1 . Let c1 be the first block that consists of the HTTP
and now we have the first byte of the cookie in c1 . c1 = Enc(HTTP Header || ?? IV0 )
56 of 59
21.5 HTTPS - Real World Concerns Applied Cryptography
6. Browser will do Enck (m0 IV 0 ) = Enck ( HTTP with the cookie byte IV0 ) = G
21.5.2 Usability
Less than 40% looked at the security cues for HTTPS (lock, https://)
Ignore warnings?
22 Bitcoin
One bitcoin (BTC) is worth 135$ USD. A year ago it was worth 5USD.
Bitcoin is a digital currency: Not a digitalization of another currency. They are P2P currencies with
no centralized authority
Questions:
57 of 59
22.1 Security Applied Cryptography
22.1 Security
How do you ensure no counterfeiting?
How do you transfer money? The person who owns it should only be able to transfer it
The ultimate answer is Cryptography
Accounts have a public kye (for signing, eg. ECDSA) and is owned by a person who knows a secret key.
5. Not anonymous but it is pseudonymous (no one knows necessarily the link between pka and Alice
and same person can have as many keys as they want)
22.2 Transaction
From: pka
To: pkb
Amount: 1BTC
Signska (m)
The above is broadcast to the P2P network. For validation, you check Sigska is associated with the sender
and then the amount is available.
This a linked list of blocks which consist of a hash tree of transactions. Each block consists of { hash(trans),
hash(previous block), creator, and tweak/nonce }
58 of 59
end page