Lecture 5

EE5552 Network Security and
Encryption
block 5
Dr. T.J. Owens CMath, FIMA, MIEEE
Dr T. Itagaki MIET, MIEEE, MAES
Block 5
Simple Ciphers and Classical Ciphers
and
A Complexity Measure for Security
Objectives (1)
After studying this material you should
• Understand the following concepts: additive cipher,
multiplicative cipher, modular arithmetic.
• Understand how a key can set the parameters of a
mathematical transformation.
• Understand in general terms how an adversary might attack
these ciphers.
Objectives (2)
After studying this material you should
• Be able to define the terms one-way function, one-way hash
function and one-way trapdoor function and state their
relevance to cryptography.
• Be able to outline how the complexity of a problem or
algorithm is measured.
• Know what it means for a problem to be in complexity class P.
• Understand that in modern scalable cryptosystems encryption
and decryption are in P and cryptanalysis is not.
Educational Program
Cryptool (1)
The material in this block can seem a little abstract. To visualise
the concepts it contains, an educational program about
cryptography and cryptanalysis called CrypTool is
recommended.
You can download Cryptool from
http://www.cryptool.com/
Educational Program
Cryptool (2)
Security does not depend on keeping the encoding algorithm
secret; it depends on keeping the key secret.
Caesar Cipher (1)
Plaintext:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext: DEFGHIJKLMNOPQRSTUVWXYZABC
In ASCII code wise…
Encryption:
E_n(x) = (x + n) mod 26
Decryption:
D_n(x) = (x - n) mod 26
where n is the shift (= key)
Modular arithmetic is used in RSA public key cryptography which
is used in WPA.
Caesar Cipher (2)
Caesar Cipher is a transposition/substitution cipher.
The replacement remains the same throughout the message, so
the cipher is classed as a type of monoalphabetic
substitution, as opposed to polyalphabetic substitution.
Caesar Cipher (3)
Breaking the cipher (1)
The Caesar cipher can be easily broken even in a ciphertext-only
scenario. Two situations can be considered:
1) an attacker knows (or guesses) that some sort of simple
substitution cipher has been used, but not specifically that it
is a Caesar scheme;
2) an attacker knows that a Caesar cipher is in use, but does not
know the shift value.
Caesar Cipher (4)
Breaking the cipher (2)
In the first case, the cipher can be
broken using the same techniques
as for a general simple substitution
cipher, such as frequency analysis
or pattern words. While solving, it
is likely that an attacker will quickly
notice the regularity in the
solution and deduce that a Caesar
cipher is the specific algorithm
employed.
The distribution of letters in a typical
sample of English language text
http://en.wikipedia.org/wiki/Caesar_cipher
Caesar Cipher (5)
Breaking the cipher (3)
In the second instance, breaking
the scheme is even more
straightforward. Since there are
only a limited number of possible
shifts (26 in English), they can each
be tested in turn in a brute force
attack.
A brute force approach is to match
up the frequency distribution of
the letters.
The distribution of letters in a typical
sample of English language text
http://en.wikipedia.org/wiki/Caesar_cipher
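The brute-force test of all 26 shifts, ranked by how closely each trial decryption matches the English letter distribution, as an added example (not part of the original slides). The frequency table holds approximate textbook values and SAMPLE is a constructed message.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
# Approximate English letter frequencies in percent, A..Z (textbook values).
FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.8, 4.0, 2.4,
        6.7, 7.5, 1.9, 0.10, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.15, 2.0, 0.07]

def caesar(text, n):
    """E_n(x) = (x + n) mod 26 on letters; a negative n decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def chi_squared(text):
    """Distance between the letter counts of text and the English expectation."""
    counts = Counter(c for c in text if c in ALPHABET)
    total = sum(counts.values())
    if total == 0:
        return float("inf")
    score = 0.0
    for i, letter in enumerate(ALPHABET):
        expected = total * FREQ[i] / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score

def rank_shifts(ciphertext):
    """Try every shift and return the shifts ordered from best to worst match."""
    scored = [(chi_squared(caesar(ciphertext, -n)), n) for n in range(26)]
    return [n for _, n in sorted(scored)]

# Constructed sample message, encrypted with the shift used on the slide (n = 3).
SAMPLE = ("SECURITY DOES NOT DEPEND ON KEEPING THE ENCODING ALGORITHM SECRET "
          "IT DEPENDS ON KEEPING THE KEY SECRET")

if __name__ == "__main__":
    ciphertext = caesar(SAMPLE, 3)
    best = rank_shifts(ciphertext)[0]
    print(best, caesar(ciphertext, -best))
```

With only 26 keys the ranking is cheap, and a message of under a hundred letters is already enough for the correct shift to stand out.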
Caesar Cipher (6)
For a visualisation of the Caesar cipher in CrypTool from the pull
down menu choose:
Indiv. Procedures/Visualization of Algorithms/Caesar
Caesar Cipher (7)
Frequency distribution – keyboard layout (UK, D)
http://en.wikipedia.org/wiki/Keyboard_layout
Caesar Cipher (8)
Frequency distribution – keyboard layout (UK, FR)
http://en.wikipedia.org/wiki/Keyboard_layout
Caesar Cipher (9)
Frequency distribution? – keyboard layout (UK, JP)
http://en.wikipedia.org/wiki/Keyboard_layout
Caesar Cipher (10)
Frequency distribution? – keyboard layout (D, PL)
http://ascii-table.com/img/keyboard-214.png
http://en.wikipedia.org/wiki/Keyboard_layout
Caesar Cipher (11)
Strengthening the cipher (1)
The frequency distribution of the letters is the main problem.
Applying a random number table/generator, as an
additive cipher, would help by hiding the repeats and the
frequency distribution.
c.f. Vigenère cipher
http://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
Classic military ciphers usually comply with an implementation
guide (logic-sequence/algorithm), a code (word/dictionary)
book and a random number table.
Caesar Cipher (12)
Strengthening the cipher (2)
In accordance with the implementation guide, the message
header should contain the key to the starting point (or the
initial setting) of the random number table/generator.
• To encode, the random number from the sequence would be
added to each symbol.
• To decode, the random number from the sequence would be
subtracted from each symbol.
Caesar Cipher (13)
Strengthening the cipher (3)
The cryptanalysts may be able to recognise that a random
number table/generator is in use. However, without having the same
random number table/generator with the initial setting, it
would be very difficult to decrypt, as long as the random
number table/generator is good enough.
However, the deployment of the specific code book and random
number table/generator is a logistical problem.
c.f. length of password
http://en.wikipedia.org/wiki/Enigma_machine
Caesar Cipher (14)
Strengthening the cipher (4)
interlacing
Strip Cipher
http://en.wikipedia.org/wiki/Cryptography
http://en.wikipedia.org/wiki/M-94
Other Monoalphabetic Ciphers
Multiplicative ciphers (1)
Encrypt:
(a x k) mod m
This is just multiplication modulo m.
Decrypt:
(a x k^-1) mod m
(k x k^-1) mod m
= (k^-1 x k) mod m
NOTE: Inverses mod m do not always exist.
Other Monoalphabetic Ciphers
Multiplicative ciphers (2)
Also possible ambiguity.
Key k is 2 and 6 received
Two possible messages were sent (3 and 16), since
(3 x 2) mod 26 = (16 x 2) mod 26 = 6
So this transformation is not invertible.
To avoid the problem, choose a key that does not share any
divisors with the modulus.
Such keys are coprime or relatively prime to (have no common
factors with) the modulus.
Suitable Keys for a Multiplicative Cipher (1)
Use a prime modulus, then any non-zero key can be used:
Calculation of the inverse of a key k
where
(a x k) mod m
Let Ф(m) = number of positive integers < m that are coprime
with m; if m is prime Ф(m) = m - 1.
Then we use FERMAT’S THEOREM that:
1 mod m
k^-1 mod m
Suitable Keys for a Multiplicative Cipher (2)
Suppose we want the multiplicative inverse of 3 mod 53.
Then we calculate k^-1 = k^(m-2) mod m >> 3^51 mod 53
3 x 18 = 54 = 1 mod 53 as required
So, 3^-1 mod 53 = 18 mod 53
Cryptanalysis of Multiplicative Ciphers (1)
Suppose the plaintext is a and the ciphertext is b. The
cryptanalyst must solve:
a x k = b mod m
for some k. If m is prime
k = b a^-1 mod m
If the modulus is non-prime, then the plaintext may have a
common factor with m. The cryptanalyst must solve
(pq)k = pr mod ps
which gives the equation
qk = r mod ps
Cryptanalysis of Multiplicative Ciphers (2)
By calculating
k = r q^-1 mod ps
one possible value for the key is obtained. The others are
k + s, k + 2s, k + 3s….
Cryptanalysis of Multiplicative Ciphers (3)
Example
If we know that plaintext 15 produces ciphertext 12 mod 21
Since the keys 12 and 19 are also possible, we need some further
plaintext-ciphertext pairs to determine a unique value for the key.
Nevertheless, a multiplicative cipher is not significantly harder to break than
an additive cipher.
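The multiplicative-cipher slides worked through in code, as an added example (not part of the original slides): the inverse by Fermat's theorem for a prime modulus, and key recovery from known plaintext-ciphertext pairs when the plaintext shares a factor p with the modulus. The function names are illustrative, and the second pair (2, 10) used in the comments is constructed.

```python
from math import gcd

def encrypt(a, k, m):
    """Multiplicative cipher: (a x k) mod m."""
    return (a * k) % m

def inverse_prime(k, m):
    """k^-1 mod m for a prime modulus m, computed as k^(m-2) mod m."""
    return pow(k, m - 2, m)

def usable_keys(m):
    """Keys that are coprime with m, so that encryption is invertible."""
    return [k for k in range(1, m) if gcd(k, m) == 1]

def candidate_keys(a, b, m):
    """All keys k in [0, m) with a x k = b mod m, from one known pair (a, b)."""
    p = gcd(a, m)
    if b % p:
        return []                      # pair is inconsistent with this cipher
    q, r, s = a // p, b // p, m // p   # divide the congruence through by p
    # q and s are coprime, so q has an inverse modulo s (Python 3.8+ pow).
    k0 = 0 if s == 1 else (r * pow(q, -1, s)) % s
    return [k0 + i * s for i in range(p)]   # k, k + s, k + 2s, ...

def recover_key(pairs, m):
    """Intersect the candidate sets of several known pairs."""
    keys = set(range(m))
    for a, b in pairs:
        keys &= set(candidate_keys(a, b, m))
    return sorted(keys)

if __name__ == "__main__":
    print(inverse_prime(3, 53))                    # inverse of 3 mod 53
    print(encrypt(3, 2, 26), encrypt(16, 2, 26))   # key 2 mod 26 is ambiguous
    print(candidate_keys(15, 12, 21))              # slide example: one pair
    print(recover_key([(15, 12), (2, 10)], 21))    # constructed second pair
```

A second pair whose plaintext is coprime with the modulus narrows the candidates to a single key.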
A Complexity Measure for Security (1)
Technology is notoriously hard to predict:
Where a calculator on the ENIAC is equipped with 18,000
vacuum tubes and weighs 30 tons, computers in the future
may have only 1,000 vacuum tubes and weigh only 1½ tons.
(Popular Mechanics, March 1949)
In this section we examine the theory that can give some
assurance that a cryptosystem will be secure in the future.
A Complexity Measure for Security (2)
One-way Functions:
The concept of a one-way function is fundamental to modern cryptography.
Such a function, say f(x), is a function that is easy to compute but which is
extremely difficult to invert.
Example 9.2-1 Factorisation
The question: “What is the product of 2^3, 3^1, 5^2 and 11^1?” has an easy answer,
6600
BUT the question: “What are the prime factors of 6600?” is much harder.
OR
Factorise 1323
Variants on the Idea of One-Way Function (1)
One-way Hash Functions
A hash function y = H(x) is a many-to-one function.
It takes a big number, or piece of text, or some other data and
computes from it a smaller number or bit vector.
The intention is that the probability of two distinct typical
arguments giving the same result is uniformly small.
Variants on the Idea of One-Way Function (2)
Example
In CrypTool compute a hash of the starting example text using the SHA-1
function.
From the pull down menu choose:
Indiv. Procedures/Hash/SHA-1
Write down the hash of startingexample-en
Now go to:
File/Open
and Open CrypTool-en and compute its hash using the SHA-1 function.
Write down the hash of CrypTool-en and compare it with that of
startingexample-en.
What do you observe?
Variants on the Idea of One-Way Function (3)
A one-way hash function is designed so that y = H(x) is easy to
compute but x = H^-1(y) is extremely hard to compute.
Hash functions are widely used in wireless systems to verify the
authenticity of messages.
SHA-1 is a one-way hash function.
Variants on the Idea of One-Way Function (4)
Trapdoor One-way Functions
A trapdoor one-way function is a one-way function together
with a certain piece of additional information (the “trapdoor”)
that enables easy calculation of f^-1.
For example: one of the factors of 1323 is 3^3
Cryptographic Applications
of One-way Functions (1)
Authenticating Messages
Password Protection
Stream Cipher:
A one-way hash function could be
used to create a secure stream
cipher as in the diagram.
Since the input to the one-way
function cannot be determined
from its output, the state of the
counter cannot be determined.
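An added example (not part of the original slides) that serves both the "Strengthening the cipher" slides and the stream cipher slide above: a counter is fed through a one-way hash to produce the random number sequence, the message header carries the starting point, and each number is added to a symbol to encode and subtracted to decode. The construction SHA-256(key || counter) and all names are assumptions, since the slide's diagram is not reproduced here.

```python
import hashlib
import string

ALPHABET = string.ascii_uppercase

def keystream(key: bytes, start: int):
    """Yield numbers 0..25 derived from SHA-256(key || counter)."""
    counter = start
    while True:
        block = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        for byte in block:
            if byte < 234:       # 234 = 9 x 26; drop 234..255 to avoid bias
                yield byte % 26
        counter += 1

def apply(text, key, start, sign):
    """Add (sign=+1) or subtract (sign=-1) the keystream, letter by letter."""
    ks = keystream(key, start)
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + sign * next(ks)) % 26])
        else:
            out.append(ch)
    return "".join(out)

def encode(plaintext, key, start):
    """Return (header, body); the header is the starting point, not the key."""
    return start, apply(plaintext.upper(), key, start, +1)

def decode(header, body, key):
    """Regenerate the same sequence from the header and subtract it."""
    return apply(body, key, header, -1)

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed value for the demo
    header, body = encode("MEET AT NOON, MEET AT NOON", key, start=7)
    print(header, body)                    # the repeated phrase does not repeat
    print(decode(header, body, key))
```

Reusing the same key and starting point for two messages repeats the sequence, which brings back exactly the repeats this scheme is meant to hide.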
Cryptographic Applications
of One-way Functions (2)
Block Cipher (DES)
Public Key Cryptography (RSA)
Message Authentication in a Public Key System
Asymptotic Complexity (1)
A problem with complexity n^2 will be harder to solve than a
problem with complexity 10000n for all inputs of size greater
than 10,000.
Thus we choose to ignore constant factors to get a degree of
technology independence, since changes in technology only
affect constant factors.
Asymptotic Complexity (2)
The graph below shows how some functions vary with n.
A exp(Bn) > C n^(D log(En)) > F n^(3G) > H n^(2I)
This is true regardless of the values of the constants A-I.
Comparing the asymptotic magnitude
of two functions (1)
Is
for large enough n and for all
values of a (>1) and b?
If we take logs of both sides we obtain the
equivalent condition
So there will be a member of the set of
natural numbers
n = {0, 1, 2, …} to satisfy this condition for
any a (>1) and b, so a^n is always greater
than
Comparing the asymptotic magnitude
of two functions (2)
We ignore terms that are insignificant for very large n. Thus for
example we shall not distinguish between n^4 and
n^4 + 100n^3 + 25n, since n^4 becomes arbitrarily larger than
100n^3 + 25n as n increases.
Notation for Asymptotic Complexity (1)
Domain n = {0, 1, 2, …}.
UPPER BOUND
“f(n) grows no more quickly than g(n)”.
LOWER BOUND
“f(n) grows at least as quickly as g(n)”.
TIGHT BOUND
write
and
Notation for Asymptotic Complexity (2)
Example
Consider the function
This is (1) , (n5 ) , (n log n ) , (5 10 n ) and
Recall for
we ignore constant factors like 5x and for
we ignore
because it grows more slowly than
.
It is also O(10n ) , O105 n , O(5 10 ) and
Note the 5 in
is not a constant factor.
Hence in addition (5 10 n ) and (10 n  nlogn )
n
Measuring the Complexity of a Problem
Primitive Operations
Problem solution time is measured by the number of steps, or primitive
operations that must be performed. Usually,
• They can be computed in a time that is independent of their arguments.
• They have a finite domain - they accept as input only a fixed number of
distinct values.
• They can be implemented by fixed size logic circuits.
More formally, the (time) complexity of a problem is generally stated as the
number of primitive steps required by some model of computation.
Classifying Decision Problems P (1)
Class P: functions whose complexity is no greater than
for
some constant a.
Problems in P are regarded as easy or feasible, and problems
that are not are regarded as hard or infeasible or intractable.
A problem has at least exponential time complexity if its
complexity is
and such problems are provably intractable
for large n.
Classifying Decision Problems P (2)
Example: A polynomial function and an exponential function
Compare operations required for n^10 and 1.1^n

n       n^10                 1.1^n
2       2^10 = 1024          1.1^2 = 1.21
1000    1000^10 = 10^30      1.1^1000 ≈ 2.47 × 10^41
Scalable cryptosystems (1)
A cryptosystem is scalable if it allows us to set the cryptanalyst a
harder task whenever the time spent on encryption and
decryption is increased, by using a longer key.
To achieve scalability, it must be arranged that as the
cryptosystem is scaled up, the time required for cryptanalysis
increases much faster than the time spent on encryption and
decryption.
Scalable cryptosystems (2)
A modern scalable cryptosystem is designed so that encryption and
decryption are computationally feasible but identification of the key by a
cryptanalyst is infeasible.
• A problem is considered feasible if it is in class P and infeasible if it is
not.
• It follows that cryptosystems are designed so that encryption and
decryption are in P and cryptanalysis is not.
By choosing a sufficiently large key the cryptographer can ensure that the
cryptanalyst cannot afford sufficient computer power to attack it.
A user of AES can implement it as a scalable cryptosystem by increasing its
key length; AES supports key sizes of 128, 192, and 256 bits. IEEE 802.11i
recommends the use of AES.
Homework
• http://en.wikipedia.org/wiki/Cipher
• http://en.wikipedia.org/wiki/Enigma_machine
• http://en.wikipedia.org/wiki/Enigma_(2001_film)
• http://en.wikipedia.org/wiki/Windtalkers
• http://en.wikipedia.org/wiki/Colossus_computer
• http://en.wikipedia.org/wiki/Steganography