My brief introduction to cryptography
David Thomson, dthomson@math.carleton.ca
Carleton University
September 7, 2013

Outline
1 The general framework
2 Historical ciphers
    Pre-20th century
    World War I
3 Modern block ciphers
    DES/AES
4 A little number theory
    Mathematics!!!
    Hard problems
5 Intro to public-key
    Diffie-Hellman(-Merkle)
    RSA
6 Conclusions

A simple game
Alice and Bob want to exchange information without Eve finding out the message.

Some assumptions
Encryption and decryption should be easy for Alice and Bob but should be impossible for Eve.
A common theme that we will find is that security and practicality are almost always trade-offs.
The inherent assumption is that the opponent will discover the nature of the system. In other words, the inner workings of the cryptosystem are public.
The only secret is the shared key.

A pretty picture
[figure]

Greek transposition cipher
A long strip of paper was wrapped around a staff and the message written.
When unwrapped, it appears as a random jumble of letters.
The diameter of the staff is the secret key.

Caesar cipher
Introduced by Julius Caesar.
Shift letters 3 to the right (mod 26): A → D, B → E, ..., X → A, Y → B, Z → C.
Example. Decode PDWK UXOHV!

Some other examples
Substitution ciphers. Any permutation of letters. Easy to break by simple frequency analysis.
Leonardo da Vinci. Trained himself to write in mirror-image. Simple to read but mirrors were expensive.

What's the problem?

Product cipher: ADFGVX
Cipher created by the Germans in World War I.
26 letters and 10 numbers can be expressed as a 6 × 6 grid.

      A  D  F  G  V  X
  A   K  Z  W  R  I  F
  D   9  B  6  C  L  5
  F   Q  7  5  P  G  X
  G   E  V  Y  3  A  N
  V   8  0  D  H  O  2
  X   U  4  1  S  T  M

Grid is public knowledge!
Secret key is a word with no repeated letters. Our secret key is DANIEL.
Two-step process: Encode the word, then shuffle.

ADFGVX cont'd
Let's encode the word: HELLOS
Each letter is encoded by its row-column index in the grid:
VG GA DV DV VV XG

ADFGVX cont'd: Retrieving the ciphertext
Encoded message: VG GA DV DV VV XG
Number the letters of the secret key lexicographically.
In the rows beneath, write out the encoded message, wrapping at the end of the row.

  D  A  N  I  E  L
  2  1  6  4  3  5
  V  G  G  A  D  V
  D  V  V  V  X  G

The ciphertext is given by reading down the columns in numerical order:
Ciphertext: GV VD DX AV VG GV

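Added example (not from the original slides): the two ADFGVX steps above in Python, with a matching decryption that also handles messages that do not fill the last row. The function names are illustrative; the grid and key are the ones on the slides.

```python
# ADFGVX as worked on the slides: encode each symbol by row/column label,
# then shuffle with a columnar transposition under the secret key.
LABELS = "ADFGVX"
# Grid rows exactly as printed on the slide. The printed grid lists 5 twice and
# has no J, so only symbols with a unique cell can be used safely.
GRID = ["KZWRIF", "9B6CL5", "Q75PGX", "EVY3AN", "80DHO2", "U41STM"]

def column_order(key):
    """Column indices in reading order: alphabetical by key letter."""
    return sorted(range(len(key)), key=lambda i: key[i])

def encrypt(plaintext, key):
    cell = {}
    for r, row in enumerate(GRID):
        for c, ch in enumerate(row):
            cell.setdefault(ch, LABELS[r] + LABELS[c])  # first cell wins
    stream = "".join(cell[ch] for ch in plaintext)
    # Writing row by row under the key puts stream[i::len(key)] in column i.
    cols = [stream[i::len(key)] for i in range(len(key))]
    return "".join(cols[i] for i in column_order(key))

def decrypt(ciphertext, key):
    text = ciphertext.replace(" ", "")
    k = len(key)
    full, extra = divmod(len(text), k)
    cols, pos = [""] * k, 0
    for i in column_order(key):
        n = full + (1 if i < extra else 0)  # leftmost columns hold the leftovers
        cols[i] = text[pos:pos + n]
        pos += n
    stream = "".join(cols[i % k][i // k] for i in range(len(text)))
    return "".join(GRID[LABELS.index(a)][LABELS.index(b)]
                   for a, b in zip(stream[::2], stream[1::2]))

if __name__ == "__main__":
    ct = encrypt("HELLOS", "DANIEL")
    print(ct, decrypt(ct, "DANIEL"))
```
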
Data Encryption Standard
DES is the first commercial-grade modern algorithm for cryptography.
DES is a block cipher that combines permutations and substitutions.
Introduced in the mid-1970s by IBM.
The United States National Security Agency tweaked the original DES design (S-boxes) to make it more secure.
DES is now considered to be insecure, owing largely to a key size of only 56 bits. (Wikipedia)
distributed.net collaborated to publicly break a DES key in 22 hours and 15 minutes.
This can be done on a home computer (sitting in the corner for a long time), today.

More DES
"We sent the S-boxes off to Washington. They came back and were all different."
I don't want to cite Wikipedia twice in 2 slides but they really have a good read on the history (with citations!!) of DES and the NSA.
Params: Key-size of 56 bits and block size of 64 bits.
Breaks the block into half-blocks, and the key into subkeys.
Runs each half-block and sub-key through 16 rounds of the following system.

[figure]

Greatest common divisors
If $p$ and $q$ are two integers, we call the greatest common divisor $d = \gcd(p, q)$ the greatest integer such that $d$ divides $p$ and $d$ divides $q$.
If $d = 1$ we call $p$ and $q$ relatively prime.
By the Extended Euclidean Algorithm we can compute integers $a$ and $b$ such that $d = ap + bq$.

Just a little theorem
Definition. Let $G$ be a group and let $|G| = n$; we call $n$ the order of $G$.
Theorem. (Lagrange - mid 18th century) Suppose $a \in G$, then $a^n = 1_G$.
Theorem. (Euler - early-mid 18th century) Suppose $a$ is an integer relatively prime to $n$. Then $a^{\varphi(n)} \equiv 1 \pmod{n}$.
Fermat's Little Theorem - early 17th century. If $p$ is a prime number then for any integer $a$ we have $a^p \equiv a \pmod{p}$.

What remains in China...
Chinese Remainder Theorem. Suppose $n_1, n_2, \ldots, n_k$ are positive integers with $\gcd(n_i, n_j) = 1$, $1 \le i < j \le k$. For any given $a_1, a_2, \ldots, a_k$ there exists an integer $x$ such that
$$x \equiv a_1 \pmod{n_1}, \quad x \equiv a_2 \pmod{n_2}, \quad \ldots, \quad x \equiv a_k \pmod{n_k}$$
and all such solutions $x$ are congruent $\pmod{n_1 n_2 \cdots n_k}$.
Thus $x \equiv y \pmod{n_i}$ for all $1 \le i \le k$ if and only if $x \equiv y \pmod{n_1 n_2 \cdots n_k}$.

Finite fields
Let $p$ be a prime, then $\mathbb{Z}_p$, the set of integers (mod $p$), forms a field with respect to addition and multiplication (mod $p$).
If $F$ is a finite field, then $F$ has order $q = p^n$ and we can view $F$ as the vector space $\mathbb{Z}_p^n$.
So, we can model binary words of length $n$ in the vector space $\mathbb{Z}_2^n$...

Hard problems - Integer factorization
The integer factorization problem is: given an integer $n$, determine its prime factorization, i.e., write $n = p_1^{e_1} \cdots p_k^{e_k}$ where the $p_i$ are distinct primes and $e_i > 1$.
Much harder than primality testing! The AKS primality test shows that primality testing is in P.
Algorithms split into general purpose (for all types of integers) and special purpose (for integers of prescribed form).
The best general-purpose factoring algorithm is the number field sieve developed by Lenstra and Lenstra in the early 90s.
Number field sieve runs in sub-exponential time ($O(n^{1/3} \log(n)^{2/3})$).

Easy problems - Continuous logarithms
Given $y \in \mathbb{R}$, it is easy to find $x$ such that $y = e^x$ (i.e., $x = \ln(y)$).
When $|x| < 1$, $\log(1/(1 - x)) = 1 + x + x^2/2 + x^3/3 + \cdots$.
The logarithm of a real number is simple to compute.

Hard problems - Discrete logarithms
Problem. In a cyclic group $G$ with generator $g$, if $y$ is an element of $G$, find $x$ such that $y = g^x$.
The integer $1 \le x \le q - 1$ is the discrete logarithm of $y$, denoted $\mathrm{DLOG}_g(y)$.
The discrete logarithm
    follows the same arithmetic rules as the continuous,
    can be implemented in any finite cyclic group, commonly taken to be the multiplicative group of a finite field.
Quantum computers reduce the run time of calculating the discrete logarithm (polynomial time somewhat greater than $O(\log(N)^3)$).

Diffie-Hellman Key Exchange Protocol
Diffie-Hellman is not a cryptosystem!!! Diffie-Hellman is a key-exchange protocol.
Developed in 1976 by researchers at Stanford. Paper was written by Diffie and Hellman, but the concept was developed by Merkle.
Based on the difficulty of the discrete-logarithm problem.
Controversy!!! The British services took credit for developing key-exchange in 1972. This was not made public until 1997.
Who do you think is actually the founder?

Diffie-Hellman: The mystery explained
Public information: a prime power $q$ and a generator $g$ such that $\mathbb{F}_q^* = \langle g \rangle$.

  Alice                    Bob
  Secret key $a$           Secret key $b$
  Compute $g^a$            Compute $g^b$
  Receive $g^b$            Receive $g^a$
  Compute $(g^b)^a$        Compute $(g^a)^b$

Public key is $g^{ab}$

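Added example (not from the original slides): the exchange above run over a toy group, together with the discrete-logarithm search from the earlier slide, which only succeeds because the group is tiny. The parameters q = 467 (a prime, so a special case of the slide's prime power) and g = 2 are constructed for illustration, as are the function names.

```python
import secrets

# Constructed toy parameters; deployed groups are thousands of bits long.
Q, G = 467, 2

def is_generator(g, q):
    """True if the powers of g cover all q-1 nonzero residues mod the prime q."""
    seen, value = set(), 1
    for _ in range(q - 1):
        seen.add(value)
        value = value * g % q
    return len(seen) == q - 1

def keypair(q=Q, g=G):
    """Pick a secret exponent and compute the value sent over the wire."""
    secret = secrets.randbelow(q - 2) + 1          # 1 <= secret <= q-2
    return secret, pow(g, secret, q)

def shared(their_value, my_secret, q=Q):
    """(g^b)^a for Alice, (g^a)^b for Bob."""
    return pow(their_value, my_secret, q)

def dlog_by_search(y, q=Q, g=G):
    """Find x with g^x = y by trying every exponent: about q steps of work."""
    value = 1
    for x in range(q - 1):
        if value == y:
            return x
        value = value * g % q
    raise ValueError("y is not a power of g")

def demo():
    a, A = keypair()                               # Alice sends A = g^a
    b, B = keypair()                               # Bob sends B = g^b
    k_alice, k_bob = shared(B, a), shared(A, b)
    # Eve sees only Q, G, A and B. In a 9-bit group the search is instant,
    # which is why the size of q carries the security of the protocol.
    k_eve = shared(B, dlog_by_search(A))
    return k_alice, k_bob, k_eve

if __name__ == "__main__":
    print(is_generator(G, Q), demo())
```
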
What is RSA??
Reference: Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone, U of Waterloo, http://www.cacr.math.uwaterloo.ca/hac/
RSA stands for Rivest, Shamir and Adleman, originally submitted as a patent.
Security of RSA is based on the difficulty of integer factorization.
Can also be used for digital signatures (but that's another talk).

RSA Key Generation
1 Pick two large primes $p$ and $q$, roughly the same size, at random.
2 Compute $n = pq$ and $\varphi = (p - 1)(q - 1)$.
3 Select a random integer $e$ such that $\gcd(e, \varphi) = 1$.
4 Use Extended Euclidean Algorithm to find $d$, $1 < d < \varphi$, such that $ed \equiv 1 \pmod{\varphi}$.
5 The public key is the pair $(n, e)$; the secret key is $d$.

RSA Encryption/Decryption
Encrypt: Bob does the following:
1 Receive the public key $(n, e)$ from Alice.
2 Represent the message $m$ in the interval $[0, n - 1]$.
3 Compute $c = m^e \pmod{n}$.
4 Send $c$ to Alice.
Decrypt: Alice does:
1 Compute $m = c^d \pmod{n}$.

Some concluding remarks
Public-key cryptography depends on being able to solve a hard problem in reasonable time.
RSA depends on the hardness of integer factorization, whereas elliptic curve cryptography depends on finding the order of a point on an elliptic curve over a finite field.
1024-bit RSA keys have similar security to 320-bit elliptic curve keys.
Your bank probably uses 1024-bit RSA.
Lenstra et al. in 2007 factored a 1039-bit number.
Factoring an RSA 768-bit number takes approximately 2000 years of computing power.