Cryptography: Past, Present, and Future Report
advertisement
Cryptography: Past, Present, and Future Group Three Ahmed Abdalla, Troy Brant, Gabe Campbell, Chansereyratana Lim, Saudamini Zarapkar CS4235 – Information Security Georgia Institute of Technology Table Of Contents 1. Introduction.......................................................................................................2 2. A Brief History of Cryptography ................................................................2 2.1 Early Cryptography ........................................................................................... 3 2.2 Entering the Modern Era ................................................................................... 5 3. Symmetric Encryption ...................................................................................6 3.1 The Serpent Algorithm ..................................................................................... 7 3.2 The TwoFish Algorithm ................................................................................... 9 4. Asymmetric Cryptography............................................................................11 4.1 4.2 4.3 4.4 The RSA Algorithm .......................................................................................... 12 The Elgamal Algorithm .................................................................................... 13 The Future of Asymmetric Cryptography ......................................................... 15 Problems with Asymmetric Cryptography ....................................................... 16 5. Politics in Cryptography ................................................................................17 5.1 5.2 5.3 5.4 The National Security Agency .......................................................................... 17 Challenges to Government Control Over Cryptography .................................. 17 Government Control Over Exporting Cryptography ........................................ 19 Current Political Status ..................................................................................... 20 6. Quantum Cryptography .................................................................................21 6.1 6.2 6.3 6.4 The Effect of Quantum Computing on Current Encryption Algorithms .......... 23 The BB84 Algorithm ........................................................................................ 23 Using Entanglement for Quantum Key Distribution ........................................ 25 Challenges and the Future ................................................................................. 25 7. Conclusion ........................................................................................................26 Appendix A ............................................................................................. 31 Appendix B ............................................................................................. 32 1 Abstract In this paper we describe the history and evolution of cryptography starting from the beginning of the 20th century and continuing into the current day. Specifically, the following five topics are addressed: the cryptography used from 1900 until the end of World War II, the history of the politics involved with government control over cryptography, the history and current status of asymmetric cryptography, the history and current status of symmetric cryptography, and the future of the field of cryptography using quantum physics. By analyzing these areas, we hope to provide a more complete picture of where the field has been and where it is headed. 1. Introduction Cryptography is a subject that has been studied and applied since ancient Roman times, and research into better encryption methods continues to this day. Cryptography is the art of encoding and decoding messages so that messages can be securely transmitted from a sender to a receiver without fear of an outside party intercepting and reading or altering the message's contents. The purpose of this paper is to describe the history and evolution of cryptography starting from the beginning of the 20th century and continuing into the present day. Specifically, the following five topics will be addressed: the cryptography used from 1900 until the end of World War II, the history of the politics involved with government control over cryptography, the history and current status of asymmetric cryptography, the history and current status of symmetric cryptography, and the future of the field of cryptography using quantum physics. 2. A Brief History of Cryptography The history of cryptography goes back thousands of years. Until recently, this history has consisted of the classical components of cryptography – ciphers written with pen on paper or other simple mechanical services. The turn of the 20th century however, brought about several advances in this subject. The invention of electromagnetic machines such as the German 2 Enigma provided a much more efficient method of encrypting messages, and subsequently led to the introduction of cryptography into the emerging field of computing. “The fundamental objective of cryptography is to enable two people, usually referred to as Alice and Bob, to communicate over an insecure channel in such a way that an opponent, Oscar, cannot understand what is being said” (Zotos). A cipher is an algorithm for performing encryption (and in the reverse, decryption); it is in effect a series of well-defined steps that can be followed as a procedure. The original information is usually known as plaintext and the encrypted messages are known as cipher text. 2.1 Early Cryptography One of the oldest cipher styles is the substitution cipher, whose first examples are dated back thousands of years. Substitution is a method of encrypting by which units of plaintext are substituted with cipher text according to a regular system. An example of this is the Atbash cipher, which dates from 500 BC (Kartalopoulos). This cipher is based on the Hebrew alphabet, and is regulated where the first letter is substituted by the last letter, the second letter by the second to last letter and so on. Because it is a monoalphabetic cipher and can have only one possible key, this cipher is relatively weak; however this was not a viable concern during its time as literacy was not common. These types of ciphers were used frequently in religious texts and writings, and it was probably this use that developed the method of frequency analysis to analyze the messages (Kartalopoulos). Frequency analysis is where one examines the frequency of substituted letters, from which they can estimate certain letters which appear repeatedly in the plaintext language. Frequency analysis was a huge advance in cryptanalysis; however, around 1467 there 3 was a big development in cryptography – the polyalphabetic cipher. Based on substitution, it used multiple substitution alphabets. The Vigenère cipher (see table in Appendix A) is probably the best-known example of this cipher, though it is a simplified special case. The Enigma machine, used in WWII, is more complex but still fundamentally a polyalphabetic substitution cipher. The cipher was invented by Leon Battista Alberti in 1467. Alberti would use a common Caesar cipher to encrypt his messages, but whenever he wanted he would switch alphabet keys, indicating his switch by capitalizing the first letter of the new alphabet. He also created a decoder apparatus, quite similar to the Vigenere table, called an encryption disk which he would use to decrypt the messages. The polyalphabetic method was not readily adopted however, until the 18th and 19th centuries. “From before 1400 until about 1750 only one kind of encryption method was widely used” – substitution (Reeds). When Thomas Jefferson adopted the Vigenere cipher as part of his encryption methods, he was thought to be an innovator, despite its 300 year existence. It was in the nineteenth century that the Vigenere table came into regular use. The multiple alphabet possibilities for each letter and the relative security provided if both A and B knew the key made the cipher a popular and at one time almost impenetrable. A huge breakthrough for cryptanalysis came in the mid-1800s with Charles Babbage and his study in the field. The strength in the Vigenere and other polyalphabetic ciphers was its ability to foil frequency analysis. The critical weakness in the cipher that Babbage (and the man who published the studies, Friedrich Kasiski) found was the short and repetitive nature of the key (Reeds). If a cryptanalyst could discover the key’s length, they could apply the fundamentals of frequency analysis and decrypt the cipher text using that method. The test took advantage of the fact that certain common words like "the" could be encrypted using the same key letters, leading to repeated groups in the cipher text. For example, assuming the key is ABCD, certain 4 sequences, such as CRYPTO (ciphered into CSASTP) are repeated because the key placement is the exact same (Reeds). Thus one can tabulate the frequency of these sequences and substitute corresponding letters to decrypt the cipher. This test of Babbage’s went on to assist several British military campaigns. 2.2 Entering the Modern Era An important era for the promotion and proliferation of cryptography was WWII, when rapid intelligence needed to be sent by secret methods on all sides of the fronts. The Germans had their famous Enigma machine, a cipher machine consisting of rotors, a plug board and a keyboard. The machine worked with any combination rotors, where a specific rotor revolved a certain amount with each keystroke, thus changing the current flow through the machine and therefore the encryption of the letter (see Appendix B-1) (Hinsley). British and American forces had their own electronic encryption machines, called the TypeX and SIGABA respectively. The reason the Enigma machine gained so much notoriety was the fact that the Allies were able to decrypt many of its messages. This was accomplished by obtaining an Enigma machine in a diplomatic bag and using this to create their own decryption machine, which they codenamed ULTRA. This intelligence was a significant aid to the Allied war effort, and some critics say that the intelligence gained by ULTRA concluded the war a full two years early (Hinsley). The world wars also brought about the common use of the one time pad (OTP) algorithm. OTP is an encryption algorithm where the plaintext is combined with a random key that is as long as the plaintext so each character is used only once. If the key is truly random, never reused, and kept secret, the OTP can be proven to be unbreakable. It was invented around 1917, with one of the contributors being Gilbert Vernam, an AT&T Bell Labs engineer (Hinsley). 5 Claude Shannon, a fellow engineer at Bell Labs, later proved that the OTP was unbreakable. Shannon would also prove to be the father of modern mathematically based cryptology. His work on the theory of communication and his other studies in information theory provided a sound basis for theoretical cryptology and cryptanalysis. With the advent of his work, the end of WWII and the beginning of the Cold War, cryptography slipped away from the public sector and began to become strictly a governmental instrument. Major advances in cryptography wouldn’t be seen until the mid-1970s with the advent of the Data Encryption Standard. 3. Symmetric Encryption With the invention of calculators and computers in the middle of the twentieth century, older codes were becoming more and more easy to break. In 1975 IBM submitted the DES encryption algorithm to the government in order to create a standard method of encryption between government and the private sector. After being reviewed by the NSA, it was accepted as the first standard encryption algorithm for the US government. DES uses 64 bit keys, but the last 8 bits of the key do not affect the implementation. These are only used as “check digits”, giving an effective key length of 56 bits. Soon after its release, it was proven to be insecure because of the shortness of its key and the increasing power of computer. Later, double DES and triple DES were proposed. Double DES used two keys and was intended to give an affective key length of double DES’; however, this did not improve the security of the algorithm. Triple DES, on the other hand, uses two keys in three steps. This algorithm has better security than both DES and double DES, but its effective key length is only doubled in length. Worrying that this algorithm could be broken easily with more powerful computers, the National Institute of Standards and Technology (NIST) called for new algorithms to be submitted and chosen as a 6 new standard. In response to the call of the NIST's encryption contest many cryptographers submitted their versions of encryption algorithms. Only one of them (Rijndeal) was selected and considered to be the new encryption standard, Advanced Encryption Standard (AES). However, many popular algorithms did not win the contest and are still widely used. Two of these algorithms, Serpent and TwoFish, are investigated in further detail below. The Rijndeal algorithm was chosen to become the Advanced Encryption Standard. This algorithm is different from DES in both key length and algorithm complexity. AES uses a repeating cycle of 9, 11, or 13 steps requiring 128, 192, and 256 bits keys respectively. Each cycle (or round), it executes four steps: Byte Substitution, Shift row, Mix Column, and Add subkey. Rijndeal was chosen over other algorithm because of its speed in both software and hardware and its effectiveness in encrypting data. 3.1 The Serpent Algorithm After the AES selection process, Serpent was only second to the Rijndael algorithm. It was designed by Ross Anderson, Eli Biham and Lars Knudsen. This algorithm met every requirement that the NIST imposed. However, Serpent ran slower than Rijndael. Similar to the Rijndael algorithm, Serpent uses a block size of 128 bits encrypting a 128-bit plaintext block P to a 128-bit ciphertext C in 32 rounds under the control of 33 128-bit subkeys, K0, …K32. Its key length vary from 128 to 256 bits long. If the key is shorter than 256 bits, a “1" is appended to the end of most significant bit, followed by as many “0" bits as required to make up 256 bits. The algorithm consists of three phases. First phase is the initial phase where eight S-boxes are generated (Appendix B-2). The second phase is where the plain text is transformed to semi-finish 7 ciphertext, which is then transformed to ciphertext in the third phase. Inspired by the “Rivest Cipher 4” (RC4) algorithm, the S-box is generated using a 32 x 16 matrix. The matrix was initialized with the 32 rows of the DES S-boxes and transformed by wrapping the entries in the rth array depending on the value of the entries in the (r+1)st array and on an initial string representing a key. If the resulting array has the desired (differential and linear) properties, save the array as a Serpent S-box. This procedure is repeated until eight Sboxes have been generated. Then, the algorithm runs three operations thirty-two rounds: Bit-wise XOR with the 128-bit Round Key Kr, Substitution via thirty-two copies of one of eight S-boxes, Data mixing via a Linear Transformation. (Anderson) These operations are performed in each of the thirty-two rounds with the exception of the last round. In the last round, the Linear Transformation is replaced with a bit-wise XOR with a final 128-bit key. This algorithm can be described in equation form: - B0 = IP(P); B0 is the input to the first round, IP is initial permutation - Bi+1 = Ri(Bi); Bi+1 is the out put of round Bi Ri(Y) = L(Si(Y XOR Ki)), where i = 0,..,30 and Ri(Y) = L(Si(Y XOR K32)), i = 31 Sj is the application of S-box, Sj mod 8 32 times in parallel, j = 0,…,7 L is linear transformation. - C = FP( B32); C is the ciphertext, FP is the final permutation, which is the inverse of the initial permutation. When Serpent was proposed to the National Institute of Standards and Technology, the probability of the best successful attack is not higher than 2-120. Nonetheless, in 2002, Courtois and Pieprzyk observed that Serpent could be expressed as a system of quadratic equations. So, in 8 their experiment, “Cryptanalysis of Block Ciphers with Overdefined Systems of Equations,” they concluded that “Serpent for key lengths [of] 192 and 256 bits” can be broken by using eXtended Sparse Linearization algorithm (XSL) with one or two know plaintext. However, the process still takes about 2200 attacks (Courtoi). In terms of hardware implementation, Elbirt and Paar evaluated Serpent and concluded that this algorithm can be implemented to run fast “with the register-rich architecture of the chosen Xilinx XCV1000 FPGA.” This implementation could perform encryption at the rate of more than 4Gbit/s (Elbirt). 3.2 The TwoFish Algorithm The third place finalist in the NIST contest was the Twofish algorithm. This algorithm was designed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. It is similar to the AES standard and Serpent. It uses a block size of 128 bits and has a key size of up to 256 bits. Twofish works as follows: The plaintext is split into four 32-bit words. In the initial step, called the "input whitening" step, these words are XORred with four words of the key. This is followed by sixteen rounds of encryption. In each round, the two words on the left are used as inputs to the g function (one of them is rotated by 8 bits first). The g function consists of four byte-wide key-dependent S-boxes, followed by a linear mixing step based on a Maximum Distance Separable (MDS) matrix. The results of the two g functions are combined using a Pseudo-Hadamard Transform (PHT). PHT is defined as a’ = a + b mod 232, and b’ = a + 2b mod 232, where a and b are given two inputs. Then, the two keywords are added. These two results are then XORed into the words on the right (one of which is rotated left by 1 bit first, the other is 9 rotated right afterwards). The left and right halves are then swapped for the next round. After all the rounds are executed, the swap of the last operation is reversed, and the four words are XORed with four more keywords to produce the ciphertext. (see in Figured 2 for graphical display of the algorithm). In mathematical terms, the algorithm works as follows: the 16 bytes plain text, p0,…, p15 are split into 4 words P0, .., P3 of 32 bits each using little-endian conversion. (Eq. 1) Then, these words are XORed with four words of the expanded key. (Eq. 2) They are used as input to the next round. The third word is XORed with the first output work of from left and rotated right by one bit. Conversely, the fourth word is rotated one bit to the left and then XORed with the second output of the left. This process is repeated 16 times. The final outputs are swapped in the final round to undo the swap in the initial step and then XORed with four more words of the expanded key. (Eq. 3) The ciphertexts are then written as 16 bytes c0, …, c15 using the same little-endian conversion as used for plaintext. (Eq. 4) When this algorithm was submitted to the contest, there was no attack more efficient than brute force. The most efficient attack against Twofish with a 128-bit key had a complexity of 2128, the most efficient attack against Twofish with a 192-bit key had a complexity of 2192, 10 256-bit key has a complexity of 2256. After this, there have been many attempts to find the best way to break this algorithm; however, no one has found a way to break it faster than brute force. In 2001, Stefan Lucks attacked Twofish using several methods such as Key Finding and Distinguisher attacks. He discovered that the Key Finding attack was only two to four time faster than an exhaustive search brute force, and the Distinguisher attack had the probability of success of only 25% , with 232 to 2127 chosen plaintexts. Moreover, these attacks only break one-half of Twofish cipher texts because of its one-bit rotation. (Schneier) No matter how good or widely used Serpent and Twofish are; they still suffer from key distribution/exchange problems and key management disadvantages (Lucks). Finally, it is only a matter of time before these algorithms can be easily broken using more powerful computer and technique (Courtoi). 4. Asymmetric Cryptography The idea of asymmetric (or public key) cryptography was first published in 1976 by Whitfield Diffie and Martin Hellman in their paper "New Directions in Cryptography" (Menezie, 2). In this document Diffie and Hellman approached the issue of cryptographic algorithms and their necessity of secure channels of communication. While this proposed the theory behind asymmetric cryptographic algorithms, it did not provide a method of implementation. It was not until Rivest, Shamir, and Adlement created the RSA algorithm in 1978 that an algorithm was created that could make use of the technique proposed by Diffie and Hellman in 1976. The RSA algorithm is based upon the difficulty of factoring large numbers. In 1984 the Elgamal algorithm was proposed which included the functionality to perform the Diffie-Hellman (DH) key exchange (as described in their paper), and was based on the discrete logarithm problem, 11 considered a more sound mathematical problem than prime factorization (Menezie, 6). This section will focus primarily on the two main public key algorithms and their implementations. 4.1 The RSA Algorithm In their paper Diffie and Hellman focused on the issue of key exchange and secure channels in contemporary (symmetric) cryptosystems. They defined public key cryptosystems as a system with two separate keys such that computing one from the other is "computationally infeasible", allowing one of the keys to be published and the other to be kept secret. This separation of keys allows the public key to be transported across insecure channels without worry. The next advantage of public key encryption discussed is the ability to sign documents, giving the ability to authenticate senders. Prior to the publishing of this paper, the authenticity of the sender could not be determined by the receiver, making it difficult at times to ensure the validity of messages (DH, 1-2). As mentioned, the Diffie-Hellman paper proposed the method for asymmetric (public key) cryptosystems using computationally secure algorithms, but did not propose a solution. In their 1978 paper "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Rivest, Shamir, and Adleman discussed in detail the "trap door one-way permutation" function originally proposed by Diffie and Hellman and their idea of digital signatures. A "trap door oneway permutation" is a function which takes a message and can easily encrypt it with one key, creating an encrypted message that is computationally difficult to decrypt without the second key (RSA, 1-2). The method used to create the one-way permutation in RSA, in general terms, is based on the computational difficulty to factor large numbers. Mathematically an encryption this may be 12 demonstrated with the equation: C = Me( mod N ) (Eq. 5) where C is the cipher text, Me indicates multiplication by the plaintext e and mod N indicates the modulus operation with N=PQ where P and Q are the public and private keys, very large prime numbers. Because of the use of N in the modulus operation, it is assumed that N will be computationally difficult to find, therefore making this algorithm dependent on the difficulty of factoring large numbers (N). 4.2 The Elgamal Algorithm In 1985, Taher Elgamal proposed a new method of public key encryption using discrete logarithms instead of prime factoring. His paper, "A public key cryptosystem and a signature scheme based on discrete logarithms", discusses a new method for public key cryptosystems and their use for digital signatures. This is considered a more mathematically correct method of encryption (Ellis, 3). The Elgamal algorithm differed in its implementation from RSA in that it uses discrete logarithms for the basis of its trapdoor. Mathematically an encryption can be described with the equation: C = ek mod p (Eq. 6) where C is the cipher text, ek is the plaintext raised to the exponent of k a secret session key that can be computed by the two private keys of the sender and recipient, and mod p is the modulus operator using the sender's private key p. Due to the exponent k, cryptanalysis of the algorithm becomes a logarithmic function which is computationally difficult for large values of k. Because of the method with which this algorithm implements the keys, the cipher text is twice as long as 13 the original plain text (Elgamal, 1). While RSA was originally used for almost all public key cryptography, Elgamal has replaced it in a few applications. In PGP, Elgamal replaced RSA as the implementation after version 5. This was due to the fact that Elgamal was a better subset of the Diffie-Hellman key exchange, was considered more mathematically sound, and had a better implementation of digital signatures (Odlyzko 95, 4). RSA remains the algorithm used in ssl and many PKI implementations. Each algorithm has their own benefits and drawbacks: Drawbacks of using Diffie-Hillman/Elgamal over RSA include: ● Message expansion: DH/Elgamal creates ciphertext that's longer than the message. This is not generally a problem as it is used to transfer session keys. ● Signature Strength: DH/Elgamal uses smaller keys, which may not be large enough to guarantee security for a sufficient period of time. ● Computational Intensity: DH/Elgamal require more processes to compute than RSA. ● Need for 'good' randomness: DH/Elgamal requires a random value which must be unique and unpredictable for each message. If an attacker recovers k or if two messages are encrypted with k, the private key may be obtained. Benefits of DH/Elgamal over RSA include: ● No patent/copyright issues: DH/Elgamal are free and open source algorithms, whereas RSA Labs must license RSA for use in the US and Canada. ● RSA is forgeable: A malicious user could generate fake data that is easily factorable. This is difficult to check without access to the private key. ● RSA key generation requires a lot of computation; it is not good for use in systems 14 require ephemeral keys. ● RSA offers less security per key bit than DH/Elgamal ● DH/Elgamal seems to be based on better mathematical theory. ● DH/Elgamal uses evanescent keys: An eavesdropper can not find the contents of a DH/Elgamal message once the session key is destroyed. In RSA the private key decrypts all messages. In 1994, the Elgamal algorithm was agreed upon for use in the Digital Signature Standard and was designated Digital Signature Algorithm for use in the US government. This was decided upon as because this algorithm generates a signature based upon message size instead of depending on the size of the key, a problem with RSA keys (FIPS186). Elgamal also replaced RSA keys in version 5 of Pretty Good Privacy (PGP) and all versions of GNU Privacy Guard (GPG), effectively replacing RSA for use in encrypted emails. The RSA algorithm remains the algorithm for SSL connections and public key infrastructures, as these require fewer key generations and is computationally less intensive (Simpson). 4.3 Future of Asymmetric Cryptography Public key infrastructures (PKI) and systems are being deployed more and more rapidly in corporate environments and government agencies. Due to the current level of encryption that public key encryption provides and the rate at which new technologies are implemented, public key encryption should be able to weather the upcoming years with increases in key length, however as quantum computing becomes more and more of a reality, these technologies will most likely become obsolete. Until that time, companies should be able to deploy public key infrastructures to protect their networks, data, and emails without worry (RK 2). 15 A future implementation of public key cryptography will be an algorithm utilizing elliptic curves, another problem in number theory. The use of elliptic curves were first proposed in 1985 independently by V.S. Miller and N. Kobilitz. They offer a few advantages over DiffieHellman/Elgamal, and RSA keys in that the require smaller keys for the same level of security and are faster to compute than both RSA and DH base systems (Simpson). Space has been included in the OpenPGP standard for the use of elliptic curves in public key algorithms (RFC2440). 4.4 Problems With Asymmetric Cryptography So far neither of the public key algorithms have been proven secure. The level of security is dependent on how much computing power the cryptanalyst has, how much time he takes to break the cipher text, and the length of the key used. A key length of 512 bits, once considered secure for a number of years, can now be cracked in a matter of months (or less). with increases in computational power and the advent and implementation of quantum computing, public key cryptosystems will become outdated (Ellis, 2). According to Ronald Rivest and Burt Kaliski in their paper "RSA Problem", an attacker could theoretically create algorithms and/or methods of key generation that would severely decrease the ability of RSA to work properly or allow decryption of a message using only a cipher text and a public key (RK, 3). This along with papers like those of Odlyzko question the validity of discrete logarithms and the security of prime factorization in the near future, and their abilities to keep current data secure, a valid concern in cryptography (Odlyzko). 16 5. Politics in Cryptography The history of the politics of cryptography started shortly after World War II and continues to this day. After World War II, the government realized the importance of cryptographic methods and put in place laws that give the government strict control over all issues dealing with cryptography. However, with the coming of the Information Age and widespread use of computers, there has been considerable tension between the government and public developers of cryptographic algorithms. In particular, the export of cryptographic algorithms and programs has been regulated fiercely by the government. The history of politics and cryptography in the United States and the current legislation regarding cryptography will be addressed in detail. 5.1 The National Security Agency The most important government agency involved in the cryptographic political struggle is the highly secretive National Security Agency. The creation of the National Security Agency was authorized by President Harry Truman in June of 1952 and was officially established by the National Security Council Intelligence Directive 9 on December 29, 1952 (“Records of the NSA”). The NSA is under the Department of Defense, and it was created in order perform signal processing and code-breaking for ensuring the security of the United States (“National Security Agency”). The agency is inherently involved with cryptography because it has to decode any encoded messages it intercepts while monitoring communications. From World War II to the 1970s, most of the research and development in the field of cryptography in the United States was done exclusively by the NSA. As the Information Age approached and computer use became more mainstream, tensions 17 between the government and the private and academic sectors began to arise. Private companies needed cryptography to securely transfer sensitive information, and academics were trying to pursue research in cryptography. But the NSA didn’t want any cryptographic techniques to be developed that they could not break since it would interfere with their ability to monitor communications. 5.2 Challenges to Government Control over Cryptography The first publicized controversy came in the 1970s with the advent of the Data Encryption Standard (DES) encryption algorithm. The National Bureau of Standards identified a need for a government-wide standard for encrypting unclassified, sensitive material. The National Bureau of Standards opened a competition to the public for anyone or any group who could design an acceptably secure cryptographic algorithm. The winning algorithm was one developed by IBM, and it was sent to the NSA for validation. Controversy ensued after the algorithm was returned with two major alterations. First, the substitution boxes, or so-called “sboxes”, in the algorithm had been changed, and second, the key size used in the algorithm had been reduced from 128 bits to 56 bits. There was speculation that the NSA had added a trap-door into the DES algorithm that would allow them to decode any message that was encoded using DES. An investigation was opened in the case, and the United States Select Committee on Intelligence found that the NSA had been free from any wrongdoing and that the changes made were made independently by IBM with feedback from the NSA used only as recommendations ("NSRP: Cryptography"). In 1989, the Khufu and Khafre block ciphers were created by current Georgia Tech professor Ralph Merkle while he then worked at Xerox. Xerox sent a request to the NSA to 18 publish the paper Merkle had written about his research into the two encryption algorithms, and the NSA denied the request to publish the paper. However, when the paper was being reviewed, a copy was passed to John Gilmore, who made the paper publicly available on the sci.crypt newsgroup. Because Gilmore published it using legal methods, the government took no legal action against Gilmore (Gilmore). This situation is evidence of how difficult it is for the NSA to enforce restrictions on the spread of information in a networked world. In 1991, Senate bill 266 was proposed that would require trap-doors to be added to networking equipment used in the private sector so that the government could monitor business communications (“S.266”). Phil Zimmerman, the eventual creator of Pretty Good Privacy (PGP), believed that the government was close to outlawing secure communications between private citizens. He wrote the PGP software and released it publicly on the Internet before Congress could create legislation that mandated trap-doors for the government be inserted in private encryption systems. The government opened a criminal investigation into Zimmerman for releasing the PGP software to the public without the government’s permission. The government argued that the technology would weaken the government’s ability to protect national security because rouge countries and terrorists could use the strong encryption to make their communications unreadable. Zimmerman argued that developing and releasing the software was freedom of speech and protected under the First Amendment. Eventually, in 1996, the government dropped its case against Zimmerman under strong pressure from free speech advocates and civil rights organizations. (Bender) This was a victory for a computing industry that was trying to generate more secure forms of communication in networks and for web applications such as banking websites that needed highly secure channels of communication. 19 5.3 Government Control Over Exporting Cryptography In addition to limiting the development and disclosure of cryptographic algorithms through the NSA, the government has also labeled cryptographic materials and ideas as “munitions” that have restrictive export laws (“United States Munitions List”). Cryptography exports are handled jointly by the Department of Commerce and the Department of State. Because cryptography is considered a type of munitions, then the State Department determines if cryptographic materials are fit for export on a case-by-case basis. If the State Department defers jurisdiction over a cryptographic export, then the Bureau of Industry and Security in the Commerce Department determines whether or not cryptographic materials can be exported. In the past, the government would not allow encryption with a key size larger than 40 bits to be exported. (“US Crypto. Export/Import Laws”) Today, encryption that uses any key size can be exported after a technical review from the Department of Commerce. ("Admin. Implements Updated Encrypt. Export Policy") In 1994, Phil Karn filed a lawsuit against the State Department to challenge defining encryption as a type of munitions. The State Department had ruled that the book Applied Cryptography by Bruce Schneier was exportable and protected by the First Amendment under freedom of speech, even though it contained complete source code for several encryption algorithms. But a floppy disk that came with the book and contained the exact same source code that was in the book was ruled a type of munitions and couldn’t be exported. In year 2000, The Department of Commerce’s Bureau of Export Administration relaxed the export laws to allow publicly available encryption source code to be freely exportable. Karn then dropped the case because under the new laws, the floppy disk with public encryption source code was not considered a type of munitions. ("Detailed History of Applied Crypto. Case") 20 5.4 Current Political Status Today, there are much fewer limitations on developing and releasing cryptographic materials than there were in the past. In the year 2000, the Department of Commerce’s Bureau of Export Administration relaxed the restrictions on exporting cryptography. Publicly available encryption source code is now freely exportable. Any cryptographic algorithms developed by an individual or company are also exportable, but they still require export licenses from the government. Export of cryptography to rogue countries or terrorist organizations is still strictly prohibited. ("Admin. Implements Updated Encrypt. Export Policy") The struggle between the government and everyone else developing cryptography still continues to this day. For a large part of the last 50 years, the NSA had a monopoly on cryptography development and strictly limited public access and research into cryptographic algorithms. The government labeled cryptography as a type of munitions, and thus enforced strict laws governing the export of cryptography. Starting in the 1990s, the control the government had over cryptography began to break down as the Internet allowed for the near instantaneous spread of information with millions of people around the world. Today, the government has relaxed the restraints over the distribution of cryptography, and publishing a paper on cryptography or starting an open source project to create a new encryption algorithm are much easier to do than they were in the past. 6. Quantum Cryptography With the development of quantum computing, fundamental changes must be made in the way quantum cryptography is looked at. To understand these changes and why they must take 21 place, one must first look at the physics principles behind both quantum computing and quantum cryptography. Three quantum mechanical phenomena that are used uniquely in both of these are the uncertainty principle, superposition, and entanglement. As this paper is more focused on the cryptographic side of the issue, it will not go into full detail on these, merely providing a basic overview. The uncertainty principle dictates that there are certain related quantum states of which the measurement of one property will disturb the other, the classic example being that of momentum and position. Any measurement made attempting to determine the position of a particle will introduce some amount of uncertainty into the momentum. The more precise one measurement is, the more uncertainty is introduced to the other. This principle will become a key factor in the detection of eavesdroppers in quantum cryptography. Superposition refers to the fact that a particle exists as a superposition of multiple quantum states. Only when this quantity is observed does the wave function describing the particle collapse into only one of the states. Quantum computing can utilize this property to carry out certain complex computations very quickly. While a traditional bit is in either the zero or one state, a quantum bit, or qubit, can utilize superposition to exist in both states simultaneously, allowing for previously complex calculations to be performed very quickly as many possible solutions to problems can be analyzed at once. Entanglement is the quantum mechanical phenomena in which the quantum states of two or more particles are linked, even when they become spatially separated. For example, after two particles are created that are entangled, both particles would have a probability of having a certain spin. When the measurement is made on the first particle, thereby forcing it into a single state, its entangled particle then always will measured to have the opposite spin. 22 6.1 The Effect of Quantum Computing on Current Encryption Algorithms As described previously in this paper, the RSA algorithm is dependent on the fact that it is a computationally complex and intense process to determine the prime factors of a number. However, with quantum computers utilizing superposition, Shor's algorithm can theoretically 3 factor a number, N, in O(log(N) ) time, effectively breaking the encryption algorithm (Hey). Even the previously mentioned Elgamal algorithm, which claimed to have a more secure method of encryption falls under the unique abilities of quantum computers, as Shor's algorithm is also able to more quickly solve the problem of discrete logarithms, upon which the encryption algorithm is founded. Also, while not as significantly advantageous, a quantum computing method known as Grover's quantum searching algorithm has been shown to dramatically decrease the amount of time needed to brute force a DES key, although this can be solved by some degree by doubling the key length (Hey). The main result of the possible failing of the RSA and DES algorithms is the need for new methods of key exchange and authentication. This is where quantum cryptography comes in to play. 6.2 The BB84 Algorithm One of the oldest and most thoroughly investigated quantum cryptography methods was proposed by C.H. Bennett and G. Brassard in 1984 and come to be known as the BB84 algorithm. This algorithm is largely based off the uncertainty principle and the fact that any eavesdropper intercepting and measuring the quantum states of particles being exchanged will also alter those states. Photons used here can be polarized either horizontally and vertically or diagonally (45° and 135°) each corresponding to a 0 or 1 respectively. The algorithm would 23 work as follows: 1. The sender, Alice, chooses a random bit string and a random sequence of polarizations 2. She then sends the other user (Bob) a train of photons each representing one bit of the string. 3. Bob randomly chooses to measure each arriving photon rectilinearly or diagonally. 4. Bob tells Alice the polarizations he used for measurement via a public channel. 5. Alice tells Bob which measurements were correct. 6. Bob and Alice choose a certain number of bits to compare to check for tampering (Bennett) At this point Alice and Bob have successfully exchanged a key without fear of eavesdropping by the third party Eve. Because of the uncertainty principle, attempting to measure in one polarization will effectively randomize the other. Because the polarizations being sent out are random, and any incorrect reading effectively destroys the information, any attempt at eavesdropping will not only be unsuccessful, with at best half the key being correctly found, but Bob and Alice would no longer have the same key due to the lost information, making the eavesdropper's presence known to both parties (Bennett). The disadvantage to the BB84 method being that it while is secure when only one photon is sent for each bit, current lasers can often send multiple photons, allowing Eve to intercept one without the other parties knowing. Therefor “true on-demand single photon sources are desired in order to make QKD efficient and unconditionally secure (Curcic). Similarly, there is a “lack of high quality single-photon detectors,” (Kincade), meaning sending a single photon may not always be possible on either end of the line. Of course BB84 is by no means the only QKD method to exist. One other method that highlights an alternative technique is shown below. 24 6.3 Using Entanglement for QKD In 1991 A. K. Ekert proposed a method of QKD that instead relied on the principle of entanglement, with some similarities to the BB84 algorithm. First, an entangled pair of polarized photons are generated by a trusted source. This can be a third party or even Alice. One photon of the pair is sent to Alice, the other to Bob. Each measures the polarization using a certain basis (rectilinear or diagonal, just as in BB84), and they announce to each other the bases used to measure each photon. If the same basis was used for a pair of entangled photons and they were entangled, then the resulting measurements will be correlated due to “spooky action” (Poppe). Also just as before, should Eve try and read the photons in transit, she would only be able to guess the polarization correctly half the time, destroying the information the other half. Entanglement also provides additional security in that there are tests which can be performed to check for entanglement, thereby preventing Eve from creating her own photons to send to Bob (Poppe). Because it is single photons that are linked, the problem of generating multiple photons per pulse and allowing Eve to intercept them as stated earlier is eliminated. While there is an added security benefit in using entangled pairs, the overall cost of equipment for generating single photons is significantly lower, making the small security trade-off worth it from a commercial perspective (Kincade). 6.4 Challenges and the Future Quantum cryptography is still an emerging technology and has many hurdles to overcome before it becomes widely usable. To start with, the entry cost in establishing a QKD 25 system is quite high. Dedicated fiber must be established between sites wishing to exchange keys, and the equipment needed for photon generation and measurement can be quite expensive. However, the technology has been steadily improving. While the first actual quantum key exchange was over a distance of only 30cm, current experiments have been carried out over over 150km (Curcic) The future of the technology appears to be very bright. The logic behind the algorithms has by now been thoroughly proven as completely secure (Chau) and even gone as far as to be put into test implementations. New algorithms using other quantum techniques are consistently being published, such as implementation in wireless LANs (Nguyen), and as more progress is made in the field of quantum physics, so will more exploits become available for secure cryptography. 7. Conclusion This paper discussed the technical history and details of cryptography and cryptographic systems. Section 2 detailed the history of cryptography before the advent and proliferation of computers and general computing with a focus on the beginning of the twentieth century. Section 3 approached the use of symmetric cryptography in computing, systems that require a single key to encrypt and decrypt data. Section 4 explained the two main asymmetric cryptographic algorithms, their uses, and touched on the future of public key technology. Section 5 gave historic accounts of the differences between the government and public entities over the publishing and exportation of cryptographic software and information. Section 5 introduced the subject of quantum cryptography and the future of quantum computing on cryptography and cryptosystems. It would seem that cryptographic algorithms and applications 26 are secured for the time being against modern cryptanalyst attacks, however as they are all only computationally secure, their life span is limited. Cryptography as a field has a bright future, with new research and development prompting new algorithms and methods. Quantum computing, perhaps the next, largest step in computing, also provides the newest hopes for cryptography, creating the potential for new cryptographic methods an algorithms, obsolescing modern applications and algorithms at the same time. By looking at modern and past methods cryptographers can look to the future with experience, creating better, more efficient algorithms without recreating the mistakes of the past. 27 References Hinsley, Harry. "The Enigma of Ultra." History Today 43 (1993). EBSCOHost. Georgia Tech Library, Metz. 16 July 2006. Keyword: Cryptography. Kartalopoulos, Stamatios V. "A Primer on Cryptography in Communications." IEEE Communications Magazine (2006): 146-151. EBSCOHost. Georgia Tech Library, Metz. 16 July 2006. Keyword: Cryptography. Reeds, Jim. "Review of "the Code Book: the Evolution of Secrecy From Mary Queen of Scots to Quantum Cryptography" by Simon Singh. Anchor Books." Rev. of The Code Book, by Simon Singh. ACM SIGACT News June 2001: 6-11. Zotos, Kostas, and Andreas Litke. Cryptography and Encryption. Dept. of Applied Informatics, University of Macedonia. 16 July 2006 <http://arxiv.org/ftp/math/papers/0510/0510057.pdf>. R. Anderson, E. Biham, and L. Knudsen, “Serpent: A Proposal for the Advanced Encryption Standard,” First Advanced Encryption Standard (AES) Conference, Ventura, CA, 1998. Nicolas Courtois, Josef Pieprzyk, "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". The Association for Computer Machinery. Lecture Notes In Computer Science; Vol. 2501. pg. 267 – 287. 2002. AJ Elbirt, C. Paar. “An FPGA Implementation and Performance Evaluation of the Serpent Block Cipher.” The Association for Computer Machinery. International Symposium on Field Programmable Gate Arrays. Pg 33-40. 2000. http://portal.acm.org/citation.cfm?id=329176&coll=portal&dl=ACM B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson. “Twofish: A 128-Bit Block Cipher.” Stefan Lucks. “The Saturation Attack - A Bait for Twofish”. The Association for Computer Machinery. Lecture Notes In Computer Science; Vol. 2355. pg. 1 – 15. 2001. P. K. Mohapatra. “Public Key Cryptography.” The Association for Computer Machinery. http://www.acm.org/crossroads/xrds7-1/crypto.html "New Directions in Cryptography." Diffie, Whitfield and Hellman, Martin. IEEE Transactions on Information Theory Vol. IT-22. 6 Nov. 1976. "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms." Elgamal, Taher. IEEE Transactions on Information Theory Vol. IT-31. 4 July 1985. "The Handbook of Applied Cryptography." A. Menezes, P. van Oorschot, S. Vanstone. CRC 28 Press, 1996. "The History of Non-Secret Encryption." J. H. Ellis. Cryptologia. July 1999. "DIGITAL SIGNATURE STANDARD (DSS)", NIST Federal Information ProcessingStandards Publication 186-1, Dec 1998. J.Callas, L.Donnerhacke, H.Finney, R.Thayer, "OpenPGP Message Format", RFC 2440, Nov 1998. "PGP DH vs. RSA FAQ." Simpson, Sam. 1999 <http://www.scramdisk.clara.net/pgpfaq.html> A.M.Odlyzko, "The Future of Integer Factorization", RSA CryptoBytes, Volume 1, Number 2, Summer 1995. A.M.Odlyzko, "Discrete logarithms: The past and future", 5th July 1999. "Records of the National Security Agency/Central Security Service." The National Archives. 17 July 2006 <http://www.archives.gov/research/guide-fedrecords/groups/457.html#457.1>. "National Security Agency." University of San Diego. Dept. of History, U. of San Diego. 18 July 2006 <http://history.sandiego.edu/gen/20th/nsa.html>. "NSRP: Cryptography." U. of Texas. School of Information, U. of Texas. 18 July 2006 <http://www.gslis.utexas.edu/~netsec/crypto.html>. Gilmore, John. "Merkle's "a Software Encryption Function" Now Published and Available." sci.crypt. 13 July 1989. 18 July 2006 <http://groups.google.com/group/sci.crypt/msg/e86ff3c3089f97c8>. "S.266." Library of Congress. 1991. 18 July 2006 <http://thomas.loc.gov/cgibin/query/z?c102:S.266.IS:>. Bender, Adam. Carnegie Mellon. Carnegie Mellon. 18 July 2006 <http://www.andrew.cmu.edu/user/abender/pgp/history.html>. United States. Department of State. The United States Munitions List. 18 July 2006 <https://www.demil.osd.mil/documents/app1_97.pdf>. "6.4 United States Cryptography Export/Import Laws." RSA Security. 18 July 2006 <http://www.rsasecurity.com/rsalabs/node.asp?id=2327>. "Detailed History of Applied Cryptography Case." Qualcomm. 24 Feb. 1999. 18 July 2006 <http://people.qualcomm.com/karn/export/history.html>. 29 "Administration Implements Updated Encryption Export Policy." Center for Democracy and Technology. 12 Jan. 2000. Department of Commerce. 18 July 2006 <http://www.cdt.org/crypto/admin/000112commercefactsheet.shtml>. K. Kincade, “Bob and Alice Beef Up Security” Laser Focus World, v 42, n 5, May 2006, 10913 A. Poppe, A. Fedrizzi, H. Hübel, R. Ursin, A. Zeilinger, “Entangled State Quantum Key Distribution and Teleportation”, 31st European Conference on Optical Communication, 2005, pt. 5, 61 vol.5 C. Bennet, and G. Brassard, G. “Quantum cryptography: Public key distribution and coin tossing”, IEEE International Conference on Computers, Systems, and Signal Processing, IEEE Press, LOS ALAMITOS, 1984. T. Curcic et. al. “Quantum Networks: From Quantum Cryptography to Quantum Architecture” Computer Communication Review, v 34, n 5, October, 2004, p 3-8 T. Nguyen, M. Sfaxi, S. Ghernouti, “Integration of Quantum Cryptography in 802.11 Networks” Proceedings. The First International Conference on Availability, Reliability and Security, 2006, 8 pp. H. Chau, “Unconditionally Secure Key Distribution in Higher Dimensions by Depolarization” IEEE Transactions on Information Theory, v 51, n 4, April, 2005, p 1451-1468 T. Hey, “Quantum Computing: An Introduction” Computing & Control Engineering Journal, v. 10 , issue 3, June 1999, pp: 105 - 112 T. Nguyen, “Integration of Quantum Cryptography in 802.11 Networks” Availability, Reliability and Security, 2006. ARES 2006. The First International Conference on, 20-22 April 2006, 8 pp. 30 Appendix A: A Vigenere Table 31 Appendix B-1: Serpent Algorithm Diagram 32 Appendix B-2: Twofish 33
