Public-key Cryptography: Theory and Practice

Size: px

Start display at page:

Download "Public-key Cryptography: Theory and Practice"

Gervase Evans
5 years ago
Views:

1 Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques

2 Block Ciphers A block cipher f of block-size n and key-size r is a function f : Z n 2 Zr 2 Zn 2 that maps (M, K) to C = f(m, K). For each key K, the map f K : Z n 2 Zn 2 taking a plaintext message M to the ciphertext message C = f K (M) = f(m, K) should be bijective (invertible). n and r should be large enough to preclude successful exhaustive search. Each f K should be a sufficiently random permutation.

3 Block Ciphers: Examples Name n, r (Data Encryption Standard) 64, 56 FEAL (Fast Data Encipherment Algorithm) 64, 64 SAFER (Secure And Fast Encryption Routine) 64, 64 IDEA (International Data Encryption Algorithm) 64, 128 Blowfish 64, 448 The Finalists Rijndael (Rijmen and Daemen) 128, 128/192/256 Serpent (Anderson, Biham and Knudsen) 128, 128/192/256 Twofish (Schneier and others) 128, 256 RC6 (Rivest and others) 128, 128/192/256 MARS (Coppersmith and others) 128, (multiple of 32) Old standard: New standard: (adaptation of the Rijndael cipher)

4 Block Ciphers: Security Requirements Introduced by Shannon in Confusion The relation between key and ciphertext must be very complex. Changing a single key bit should affect every ciphertext bit pseudorandomly. Ideally, for a change in each key bit, each ciphertext bit should change with probability 1/2. Confusion is meant to make the guess of the key difficult. Diffusion The relation between plaintext and ciphertext must be very complex. Changing a single plaintext bit should affect every ciphertext bit pseudorandomly. Ideally, for a change in each plaintext bit, each ciphertext bit should change with probability 1/2. Diffusion is meant to dissipate plaintext redundancy.

5 Iterated Block Cipher Block Ciphers M K C K Round 1 e K 1 Round l e 1 K r Round 2 e... K 2 Key Schedule Round l 1 e 1K r 1... Key Schedule Round l e K r K 1 Round 1 e 1 C M (a) Encryption (b) Decryption

6 Substitution-Permutation Network (SPN) Block from round i 1 Substitution Box (S Box) e Permutation Box (P Box) Round key K i Block to round i+1

7 Feistel Cipher Block Ciphers Li 1 Ri 1 R i L i e K i e K i Li (a) Encryption Ri R i 1 L i 1 (b) Decryption L i = R i 1 R i 1 = L i R i = L i 1 e(r i 1, K i ) L i 1 = R i e(l i, K i )

8 (Data Encryption Standard) Proposed as a US standard in supports blocks of length n = 64 bits. supports keys K = k 1 k 2...k 64 of length r = 64 bits, but the bits k 8, k 16,...,k 64 are used as parity-check bits. So the effective key size is 56 bits. is a Feistel cipher. The number of rounds in is l = 16.

9 Key Schedule Block Ciphers Input: A key K = k 1 k 2...k 64. Output: Sixteen 48-bit round keys K 1, K 2,...,K 16. Generate 56-bit permuted key U 0 = PC1(K) = k 57 k 49 k k 12 k 4. Break U 0 in two 28-bit parts: U 0 = C 0 D 0. for i = 1, 2,..., 16, repeat the following steps: { 1 if i = 1, 2, 9, 16, Take s := 2 otherwise. Cyclically left shift C i 1 by s bits to get C i. Cyclically left shift D i 1 by s bits to get D i. Let U i := C i D i = u 1 u 2... u 56. Compute 48-bit round key K i = PC2(U i ) = u 14 u 17 u u 29 u 32.

10 Key Schedule (contd) PC1 PC

11 Encryption Block Ciphers Input: Plaintext block M = m 1 m 2...m 64 and round keys K 1, K 2,..., K 16. Output: The ciphertext block C. Apply initial permutation: V = IP(M) = m 58 m 50 m m 15 m 7. Break V in two 32-bit parts: V = L 0 R 0. For i = 1, 2,..., 16, repeat the following steps: L i := R i 1. R i := L i 1 e(r i 1, K i ). Let W = R 16 L 16 = w 1 w 2... w 64. Apply inverse of IP: C = IP 1 (W) = w 40 w 8 w w 57 w 25.

12 Encryption (contd) IP IP 1

13 Encryption (contd) Encryption primitive e(x, J) = P(S(E(X) J)), where X is a 32-bit message block, and J is a 48-bit round key. Apply 32-to-48 bit expansion: X = E(X) = x 32 x 1 x 2... x 32 x 1. XOR with the round key: Y = X J. Break Y in eight 6-bit parts: Y = Y 1 Y 2 Y 8. For j = 1, 2,...,8, do the following: Write Y j = y 1 y 2 y 3 y 4 y 5 y 6. Consider the integers µ = (y 1 y 6 ) 2 and ν = (y 2 y 3 y 4 y 5 ) 2. Let Z j = (z 1 z 2 z 3 z 4 ) 2 = S j (µ, ν). Concatenate the Z j s to the 32-bit value: Z = Z 1 Z 2 Z 8 = z 1 z 2... z 32. Apply permutation function: e(x, J) = P(Z) = z 16 z 7 z 20...z 4 z 25.

14 Encryption (contd) E P

15 Encryption: S-Boxes S S S

16 Encryption: S-Boxes (contd) S S S

17 Encryption: S-Boxes (contd) S S

18 Decryption Block Ciphers Input: Ciphertext block C = c 1 c 2...c 64 and round keys K 1, K 2,..., K 16. Output: The plaintext block M. Apply initial permutation: V = IP(C) = c 58 c 50 c c 15 c 7. Break V in two 32-bit parts: V = R 16 L 16. For i = 16, 15,..., 1, repeat the following steps: R i 1 = L i. L i 1 = R i e(l i, K i ). Let W = L 0 R 0 = w 1 w 2... w 64. Apply inverse of IP: M = IP 1 (W) = w 40 w 8 w w 57 w 25. Note: decryption is the same as encryption, with the key schedule reversed.

19 (Advanced Encryption Standard) is an adaptation of the Rijndael cipher designed by J. Daemen and V. Rijmen. Since supports short keys (56 bits) vulnerable even to brute-force search, the new standard is adopted in is a substitution-permutation cipher. is not a Feistel cipher. The block size for is n = 128 bits. Number of rounds for is l = 10, 12, or 14 for key sizes r = 128, 192, or 256 bits. key schedule: From K, generate 32-bit round keys K 0, K 1,...,K 4l+3. Four round keys are used in a round.

20 (contd) Block Ciphers State: represents a 128-bit message block as a 4 4 array of octets: µ 0 µ 1...µ 15 µ 0 µ 4 µ 8 µ 12 µ 1 µ 5 µ 9 µ 13 µ 2 µ 6 µ 10 µ 14 µ 3 µ 7 µ 11 µ 15 Each octet A = a 7 a 6...a 1 a 0 in the state is identified with the element a 7 α 7 + a 6 α a 1 α + a 0 of F 2 8 = F 2 (α), where α 8 + α 4 + α 3 + α + 1 = 0. Each column A 3 A 2 A 1 A 0 in the state is identified with the element A 3 y 3 + A 2 y 2 + A 1 y + A 0 of F 2 8[y] modulo the (reducible polynomial) y

21 Encryption Block Ciphers Generate key schedule K 0, K 1,..., K 4l+3 from the key K. Convert the plaintext block M to a state S. S = AddKey(S, K 0, K 1, K 2, K 3 ). [bitwise XOR] for i = 1, 2,...,l do the following: S = SubState(S). [non-linear, involves inverses in F 2 8] S = ShiftRows(S). [cyclic shift of octets in each row] If i l, S = MixCols(S). [operation in F 2 8[y] mod y 4 + 1] S = AddKey(S, K 4i, K 4i+1, K 4i+2, K 4i+3 ). [bitwise XOR] Convert the state S to the ciphertext block C.

22 Decryption Block Ciphers Generate key schedule K 0, K 1,..., K 4l+3 from the key K. Convert the ciphertext block C to a state S. S = AddKey(S, K 4l, K 4l+1, K 4l+2, K 4l+3 ). for i = l 1, l 2,...,1, 0 do the following: S = ShiftRows 1 (S). S = SubState 1 (S). S = AddKey(S, K 4i, K 4i+1, K 4i+2, K 4i+3 ). If i 0, S = MixCols 1 (S). Convert the state S to the plaintext block M.

23 : The AddKey Primitive Let S = (σ uv ) = σ 00 σ 01 σ 02 σ 03 σ 10 σ 20 σ 11 σ 21 σ 12 σ 22 σ 13 σ 23 be a state of. σ 30 σ 31 σ 32 σ 33 Let the four 32-bit round keys be L 0, L 1, L 2, L 3 with the octet representation L u = λ u0 λ u1 λ u2 λ u3. The u-th key L u is XORed with the u-th column of the state S.. σ 33 λ 33 S maps to AddKey(S, L 0, L 1, L 2, L 3 ) = σ 00 λ 00 σ 01 λ 10 σ 02 λ 20 σ 03 λ 30 σ 10 λ 01 σ 20 λ 02 σ 11 λ 11 σ 21 λ 12 σ 12 λ 21 σ 22 λ 22 σ 13 λ 31 σ 23 λ 32 σ 30 λ 03 σ 31 λ 13 σ 32 λ 23

24 : The SubState Primitive Let A = a 0 a 1... a 6 a 7 be an octet (an element of F 2 8). Let B = b 0 b 1... b 6 b 7 = A 1 in F 2 8 (with 0 1 = 0). Let D = d 0 d 1... d 6 d 7 = 63 = SubOctet(A) = C = c 0 c 1... c 6 c 7, where c i = b i b (i+1)rem8 b (i+2)rem8 b (i+3)rem8 b (i+4)rem8 d i. Let S = σ 00 σ 01 σ 02 σ 03 σ 10 σ 20 σ 11 σ 21 σ 12 σ 22 σ 13 σ 23 be a state. σ 30 σ 31 σ 32 σ 33 SubState(S) = σ 00 σ 01 σ 02 σ 03 σ 10 σ 11 σ 12 σ 13 σ 20 σ 21 σ 22 σ 23 σ 30 σ 31 σ 32 σ 33, where σ uv = SubOctet(σ uv).

25 : The ShiftRows Primitive Cyclically left rotate the r-th row by r bytes: σ 00 σ 01 σ 02 σ 03 σ 10 σ 20 σ 11 σ 21 σ 12 σ 22 σ 13 σ 23 maps to σ 30 σ 31 σ 32 σ 33. σ 32 σ 00 σ 01 σ 02 σ 03 σ 11 σ 22 σ 12 σ 23 σ 13 σ 20 σ 10 σ 21 σ 33 σ 30 σ 31

26 : The MixCols Primitive Let S = σ 00 σ 01 σ 02 σ 03 σ 10 σ 20 σ 11 σ 21 σ 12 σ 22 σ 13 σ 23 be a state. σ 30 σ 31 σ 32 σ 33 Each column of S is identified with an element of F 2 8[y], and is multiplied by the constant polynomial [03]y 3 + [01]y 2 + [01]y + [02] modulo y The v-th column σ 0v σ 1v σ 2v maps to σ 3v where is the multiplication of F 2 8. σ 0v σ 1v σ 2v σ 3v,

27 Inverses of Encryption Primitives AddKey is the inverse of itself. SubState 1 is the octet-by-octet inverse of SubOctet. SubOctet 1 involves an affine transformation followed by taking inverse in F 2 8. ShiftRows 1 cyclically right rotates the r-th row by r bytes. MixCols 1 multiplies each column by the polynomial [0b]y 3 + [0d]y 2 + [09]y + [0e] modulo y 4 + 1, with the coefficient arithmetic being that of F 2 8.

28 Key Schedule Block Ciphers Let t be the key size in words (t = 4, 6, 8 for r = 128, 192, 256). The respective numbers of rounds are l = 10, 12, 14. key schedule generates 4(l + 1) 32-bit keys K 0, K 1,...,K 4Nr+3 from the secret key K. Initially, K = K 0 K 1... K t 1. For i = t, t + 1,..., 4l + 3, generate K i as follows: Let K i 1 = τ 0 τ 1 τ 2 τ 3 (each τ j an octet). Let τ j = SubOctet(τ j ). If (i 0 (mod t)), then set T = (τ 1 τ 2 τ 3 τ 0 ) [α(i/t) ], else if (t > 6) and (i 4 (mod t)), then set T = τ 0 τ 1 τ 2 τ 3. Generate the 32-bit key K i = K i t T.

29 Multiple Encryption Block Ciphers K 1 K 2 m x g 1 g 2 c (a) Double encryption K 1 K 2 K 3 m x y h 1 h 2 h 3 c (b) Triple encryption

30 Modes of Operation: Encryption Break the message M = M 1 M 2... M l into blocks of bit length n n. To generate the ciphertext C = C 1 C 2... C l. ECB (Electronic Code-Book) mode: Here n = n. C i = f K (M i ). CBC (Cipher-Block Chaining) mode: Here n = n. Set C 0 = IV. C i = f K (M i C i 1 ). CFB (Cipher FeedBack) Mode: Here n n. Set k 0 = IV. C i = M i msb n (f K (k i 1 )). [Mask key and plaintext] k i = lsb n n (k i 1 ) C i. [Generate next key] OFB (Output FeedBack) Mode: Here n n. Set k 0 = IV. k i = f K (k i 1 ). [Generate next key] C i = M i msb n (k i ). [Mask plaintext block] CFB and OFB modes act like stream ciphers

31 Modes of Operation: Decryption ECB (Electronic Code-Book) mode: M i = f 1 K (C i). CBC (Cipher-Block Chaining) mode: Set C 0 = IV. M i = f 1 K (C i) C i 1. CFB (Cipher FeedBack) Mode: Set k 0 = IV. M i = C i msb n (f K (k i 1 )). [Remove mask from ciphertext] k i = lsb n n (k i 1 ) C i. [Generate next key] OFB (Output FeedBack) Mode: Set k 0 = IV. k i = f K (k i 1 ). [Generate next key] M i = C i msb n (k i ). [Remove mask from ciphertext]

32 Attacks on Block Ciphers Exhaustive key search If the key space is small, all possibilities for an unknown key can be matched against known plaintext-ciphertext pairs. Many challenges are cracked by exhaustive key search. has a small key-size (56 bits). Only two plaintext-ciphertext pairs usually suffice to determine a key uniquely. Exhaustive key search on block ciphers (like ) with key sizes 128 is infeasible. Linear and differential cryptanalysis By far the most sophisticated attacks on block ciphers. Impractical if sufficiently many rounds are used. is robust against these attacks.

33 Attacks on Block Ciphers (contd) Specific attacks on Square attack Collision attack Algebraic attacks (like XSL) Meet-in-the-middle attack Applies to multiple encryption schemes. For m stages, we get security of m/2 keys only.

34 Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Stream ciphers encrypt bit-by-bit. Plaintext stream: M = m 1 m 2...m l. Key stream: K = k 1 k 2...k l. Ciphertext stream: C = c 1 c 2... c l. Encryption: c i = m i k i. Decryption: m i = c i k i. Source of security: unpredictability in the key-stream. Vernam s one-time pad: For a truly random key stream, Pr(c i = 0) = Pr(c i = 1) = 1 2 for each i, irrespective of the probabilities of the values assumed by m i. This leads to unconditional security, that is, the knowledge of any number of plaintext-ciphertext bit pairs, does not help in decrypting a new ciphertext bit.

35 : Drawbacks Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Key stream should be as long as the message stream. Management of long key streams is difficult. It is difficult to generate truly random (and reproducible) key streams. Pseudorandom bit streams provide practical solution, but do not guarantee unconditional security. Pseudorandom bit generators are vulnerable to compromise of seeds. Repeated use of the same key stream degrades security.

36 Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Linear Feedback Shift Register (LFSR) feedback s d Dd 1 Dd 2 D2 D1 D0 d 1 s d d 1 d 2 a a s s s s 0 a a 2 1 a 0 output

37 LFSR: Example Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack D D 2 D 1 D 0 3 output Time D 3 D 2 D 1 D

38 LFSR: State Transition Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Control bits: a 0, a 1,...,a d 1. State: s = (s 0, s 1,..., s d 1 ). Each clock pulse changes the state as follows: t 0 = s 1 t 1 = s 2. t d 2 = s d 1 t d 1 a 0 s 0 + a 1 s 1 + a 2 s a d 1 s d 1 (mod 2).

39 LFSR: State Transition (contd) Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack In the matrix notation t L s (mod 2), where the transition matrix is L = a 0 a 1 a 2 a d 2 a d 1

40 LFSR (contd) Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack The output bit-stream behaves like a pseudorandom sequence. The output stream must be periodic. The period should be large. Maximum period of a non-zero bit-stream = 2 d 1. Maximum-length LFSR has the maximum period. Connection polynomial C L (x) = 1+a d 1 x + a d 2 x 2 + +a 1 x d 1 + a 0 x d F 2 [X]. L is a maximum-length LFSR if and only if C L (x) is a primitive polynomial of F 2 [x].

41 An Attack on LFSR Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack The linear relation of the feedback bit as a function of the current state in LFSRs invites attacks. Berlekamp-Massey attack Suppose that the bits m i and c i for 2d consecutive values of i (say, 1, 2,...,2d) are known to an attacker. Then k i = m i c i are also known for these values of i. Define the states S i = (k i, k i+1,...,k i+d 1 ) of the LFSR. Then, S i+1 L S i (mod 2) for i = 1, 2,...,d. Treat each S i as a column vector. Then, ( S2 S 3 S d+1 ) L ( S1 S 2 S d ) (mod 2) This reveals L, that is, the secret a 0, a 1,...,a d 1. Remedy: Introduce non-linearity to the LFSR output.

42 Nonlinear Combination Generator Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack LFSR 1 u 1 LFSR.. LFSR 2 k u u 2 k f Nonlinear function u

43 The Geffe Generator Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack LFSR LFSR 1 2 u u 1 2 k LFSR 3 u 3 f

44 Nonlinear Filter Generator Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Feedback Feedback function... Nonlinear filter function Output

45 Block Ciphers Properties Merkle s Meta Method SHA-1 Used to convert strings of any length to strings of a fixed length. Used for the generation of (short) representatives of messages. Unkeyed hash functions ensure data integrity. Keyed hash functions authenticate source of messages. Symmetric techniques are typically used for designing hash functions. A collision for a hash function H is a pair of two distinct strings x, y with H(x) = H(y). Since hash functions map an infinite domain to finite sets, collisions must exist for any hash function.

46 Properties Merkle s Meta Method SHA-1 : Desirable Properties Easy to compute First pre-image resistance (Difficult to invert): For most hash values y, it should be difficult to find a string x with H(x) = y. Second pre-image resistance: Given a string x, it should be difficult to find a different string x with H(x ) = H(x). Collision resistance: It should be difficult to find two distinct strings x, x with H(x) = H(x ).

47 Properties Merkle s Meta Method SHA-1 : Properties (contd) Collision resistance implies second pre-image resistance. Second pre-image resistance does not imply collision resistance: Let S be a finite set of size 2 and H a cryptographic hash function. Then { H 0 n+1 if x S, (x) = 1 H(x) otherwise, is second pre-image resistant but not collision resistant.

48 Properties Merkle s Meta Method SHA-1 : Properties (contd) Collision resistance does not imply first pre-image resistance: Let H be an n-bit cryptographic hash function. Then { H 0 x if x = n, (x) = 1 H(x) otherwise. is collision resistant (so second pre-image resistant), but not first pre-image resistant. First pre-image resistance does not imply second pre-image resistance: Let m be a product of two unknown big primes. Define H (x) = (1 x) 2 (mod m). H is first pre-image resistant, but not second pre-image resistant.

49 : Construction Properties Merkle s Meta Method SHA-1 Compression function: A function F : Z m 2 Zn 2, where m = n + r. Merkle-Damgård s meta method Break the input x = x 1 x 2... x l to blocks each of bit-length r. Initialize h 0 = 0 r. For i = 1, 2,..., l use compression h i = F(h i 1 x i ). Output H(x) = h l as the hash value. x1 x2 x3... xl h0 h 1 h 2 h 3 hl 1 h l F F F... F

50 Properties Merkle s Meta Method SHA-1 : Construction (contd) Properties If F is first pre-image resistant, then H is also first pre-image resistant. If F is collision resistant, then H is also collision resistant. A concrete realization Let f is a block cipher of block-size n and key-size r. Take: F(M K) = f K (M). Keyed hash function HMAC(M) = H(K P H(K Q M)), where H is an unkeyed hash function, K is a key and P, Q are short padding strings.

51 Properties Merkle s Meta Method SHA-1 Custom-Designed The SHA (Secure Hash Algorithm) family: SHA-1 (160-bit), SHA-256 (256-bit), SHA-384 (384-bit), SHA-512 (512-bit). The MD family: MD2 (128-bit), MD5 (128-bit). The RIPEMD family: RIPEMD-128 (128-bit), RIPEMD-160 (160-bit).

52 SHA-1: Message Padding Properties Merkle s Meta Method SHA-1 To compute SHA-1(M) for a message M of bit-length λ. Pad M to generate M = M 1 0 k Λ, where Λ is the 64-bit representation of λ, and k is the smallest integer 0 for which M = λ k + 64 is a multiple of 512. Break M into 512-bit blocks M (1), M (2),..., M (l). Break each M (i) = M (i) 0 M (i) 1 M (i) 15 into sixteen 32-bit words M (i) j.

53 Properties Merkle s Meta Method SHA-1 SHA-1: Iterated Hash Construction The idea is similar to the Merkle-Damgård construction. Start with the initial hash value H (0) = 0x efcdab89 98badcfe c3d2e1f0. For i = 1, 2,...,l, consume the message block M (i) to convert H (i 1) to H (i). Return H (l) as SHA-1(M). Each H (i) is a 160-bit value. Write H (i) = H (i) 0 H (i) 1 H (i) 2 H (i) is a 32-bit word. H (i) j 3 H (i) 4, where each

54 SHA-1: Compression Function Properties Merkle s Meta Method SHA-1 Compute the message schedule W j, 0 j 79: For j = 0, 1,..., 15, set W j := M (i) j. For j = 16, 17,..., 79, set W j := LR 1 (W j 3 W j 8 W j 14 W j 16 ). For j = 0, 1, 2, 3, 4, store H (i 1) j in t j. For j = 0, 1,...,79, do the following: ) Set T = (LR 5 (t 0 ) + f j (t 1, t 2, t 3 ) + t 4 + K j + W j rem t 4 = t 3, t 3 = t 2, t 2 = RR 2 (t 1 ), t 1 = t 0, t 0 = T. ( ) For j = 0, 1, 2, 3, 4, update H (i) j := t j + H (i 1) j rem 2 32.

55 Properties Merkle s Meta Method SHA-1 SHA-1: Compression Function (contd) xy xz if 0 j 19 x y z if 20 j 39 f j (x, y, z) = xy xz yz if 40 j 59 x y z if 60 j 79 0x5a if 0 j 19 0x6ed9eba1 if 20 j 39 K j = 0x8f1bbcdc if 40 j 59 0xca62c1d6 if 60 j 79 LR k and RR k mean left and right rotate by k bits.

56 Attacks on Properties Merkle s Meta Method SHA-1 The birthday attack is based on the birthday paradox. For an n-bit hash function, one needs to compute on an average 2 n/2 hash values in order to detect (with high probability) a collision for the hash function. For cryptographic applications one requires n 128 (n 160 is preferable). Algebraic attacks may make hash functions vulnerable. Some other attacks: Pseudo-collision attacks Chaining attacks Attacks on the underlying cipher Exhaustive key search for keyed hash functions Long message attacks

57 The Birthday Paradox Block Ciphers Properties Merkle s Meta Method SHA-1 Let S be a set finite size N. k elements are drawn at random from S (with replacement). The probability that all these k elements are distinct is p k = N(N 1) (N k + 1) N k = k 1 i=1 ( 1 i N p k 1/2 for k N ln N. p k for k 2 N. ) e k(k 1) 2N. Examples There is a chance of 50% that at least two of 23 (randomly chosen) persons have the same birthday. A collision of an n-bit hash function can be found with high probability from O(2 n/2 ) random hash calculations.

Symmetric Crypto Systems

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers