Modern Cryptology – Test formulae sheet
Based on a paper written by Guy Shaked in 2011. Translated to English by Dekel Santo in 2014.

DES Encryption
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$, $L_i = R_{i-1}$
F-function: input (32 bits) → E (48 bits) $\oplus$ subkey (48 bits) → S-boxes → P → output (32 bits)
Complementary property: if $C = E_K(M)$, then $\bar{C} = E_{\bar{K}}(\bar{M})$.
Attack: request the pairs $C_1 = E_K(M)$, $C_2 = E_K(\bar{M})$ and try non-complementary $K'$ values: if $E_{K'}(M) = C_1$ then possibly $K = K'$, and if $E_{K'}(M) = C_2$ then possibly $K = \bar{K'}$.

Block Ciphers – Modes of operation
- ECB – Each block is encrypted separately: $C_i = E_K(M_i)$, $M_i = D_K(C_i)$
- CBC – Before encryption, each block is XOR'd with the encryption of the previous block: $C_i = E_K(M_i \oplus C_{i-1})$, $M_i = D_K(C_i) \oplus C_{i-1}$
- OFB – Compute a pseudo-random string that is XOR'd with the plaintext: $v_i = E_K(v_{i-1})$, $C_i = M_i \oplus v_i$, $M_i = C_i \oplus v_i$
- CFB – $C_i = M_i \oplus E_K(C_{i-1})$, $M_i = C_i \oplus E_K(C_{i-1})$

Perfect Cipher
A cipher is called perfect if for every $M, C$: $P(M \mid C) = P(M)$.
Equivalent definitions:
- $\forall M, C:\ P(C) = P(C \mid M)$
- $\forall M, C:\ P(C \mid M) = \sum_{K \,:\, E_K(M) = C} P(K)$
Therefore a cipher is perfect iff for all $C$ the above sum is independent of $M$. A perfect cipher always satisfies $|K| \ge |M|$.

Unicity distance
$n = \frac{\text{key length in bits}}{D} = \frac{H(K)}{H(C) - H(M)}$
The unicity distance is the length of $M, C$ (relative to $K$) that allows certain identification of the key $K$ given $M, C$. $H$ is the mean entropy of one letter in a given representation. $D$ is the redundancy of the representation, defined as $D \triangleq H(C) - H(M)$. In English about 1.5 bits are needed per letter, so in ASCII representation, for example, $D_{ASCII} = 8 - 1.5$.

Birthday paradox
To find a collision with probability greater than one half in a function with a range of size $n$, it is enough to draw $1.17\sqrt{n}$ different inputs.
(Also works when drawing from 2 different sets.)

Groups
A group $\{G, \circ\}$ satisfies:
- Closure – $\alpha, \beta \in G \Rightarrow \alpha \circ \beta \in G$
- Identity element – $e \in G$ such that $\forall \alpha \in G$: $e \circ \alpha = \alpha \circ e = \alpha$
- Inverse element – $\alpha \in G \Rightarrow \alpha^{-1} \in G$, $\alpha\alpha^{-1} = \alpha^{-1}\alpha = e$
- Associativity – $\alpha, \beta, \gamma \in G \Rightarrow \alpha \circ (\beta \circ \gamma) = (\alpha \circ \beta) \circ \gamma$
Properties: $G' \subseteq G$ is a subgroup iff $G' \ne \emptyset$ (and then $e \in G'$) and closure holds on $G'$. An element's order divides the group's order. If $a^s = e$ then $order(a, G) \mid s$.

Euler Function
$\varphi(n) = |\mathbb{Z}_n^*| = |\{a \in \mathbb{Z}_n \mid \gcd(a, n) = 1\}|$
For $n = \prod_i p_i^{e_i}$: $\varphi(n) = \prod_i p_i^{e_i - 1}(p_i - 1) = n \cdot \prod_i \left(1 - \frac{1}{p_i}\right)$
With $p, q$ primes and $a, k, m, n$ integers, the following hold:
- $\varphi(p) = p - 1$
- $\varphi(p^k) = (p - 1)p^{k-1} = p^k - p^{k-1}$
- $\varphi(pq) = (p - 1)(q - 1)$
- $\gcd(m, n) = 1 \Rightarrow \varphi(mn) = \varphi(m)\varphi(n)$
- $\sum_{d \mid n} \varphi(d) = n$
- $a^p \equiv a \pmod p$ (Fermat's little theorem)
- $\gcd(a, n) = 1 \Rightarrow a^{\varphi(n)} \equiv 1 \pmod n$

Chinese Remainder Theorem
$\mathbb{Z}_{pq}^* \cong \mathbb{Z}_p^* \times \mathbb{Z}_q^*$, and the transition between the groups can be done easily. Alternatively: there exists a homomorphism $h: \mathbb{Z}_{pq}^* \to \mathbb{Z}_p^* \times \mathbb{Z}_q^*$, defined by $h(u) = (u \bmod p,\ u \bmod q)$.
Algorithm (for the transition from the right-hand side to the left): calculate $a, b$ such that
$a \equiv 1 \pmod p$, $a \equiv 0 \pmod q$, $b \equiv 0 \pmod p$, $b \equiv 1 \pmod q$
by $a = q \cdot (q^{-1} \bmod p)$, $b = p \cdot (p^{-1} \bmod q)$. Then $(s, t) \to a \cdot s + b \cdot t$.

Groups of the form $\mathbb{Z}_n^*$
An element $a$ has an inverse in $\mathbb{Z}_n^*$ iff $\gcd(a, n) = 1$. $order(a, \mathbb{Z}_n^*) \mid \varphi(n)$, and if $n$ is prime then $order(a, \mathbb{Z}_n^*) \mid (n - 1)$. When $p$ is prime and $d \mid (p - 1)$, the number of elements of order $d$ in $\mathbb{Z}_p^*$ is $\varphi(d)$. In particular, the number of generators is $\varphi(\varphi(p)) = \varphi(p - 1)$.
Wilson's Theorem – $1 \cdot 2 \cdot 3 \cdots (p - 1) \equiv -1 \pmod p$.

Quadratic residues ($p \ne 2$)
There are $\frac{\varphi(p)}{2} = \frac{p-1}{2}$ quadratic residues in $\mathbb{Z}_p^*$.
Euler's Criterion – $a \in \mathbb{Z}_p^*$ is a quadratic residue iff $a^{\frac{p-1}{2}} \equiv 1 \pmod p$.
For $n = pq$: if $a \in \mathbb{Z}_n^*$ is a quadratic residue, then it has 4 square roots. Therefore there are exactly $\frac{\varphi(n)}{4}$ quadratic residues in $\mathbb{Z}_n^*$.
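The CRT transition of the sheet in working code, as an added example that is not part of the original sheet: $h(u) = (u \bmod p, u \bmod q)$ one way and $a = q \cdot (q^{-1} \bmod p)$, $b = p \cdot (p^{-1} \bmod q)$, $(s, t) \to a s + b t$ the other way; $p = 7$, $q = 11$ and all function names are this example's own choices.

```python
# Added example (not from the sheet): the CRT transition Z*_pq <-> Z*_p x Z*_q
# exactly as the sheet states it: h(u) = (u mod p, u mod q) one way, and
# a = q*(q^-1 mod p), b = p*(p^-1 mod q), (s, t) -> a*s + b*t the other way.
# p = 7, q = 11 used at the bottom are constructed toy parameters.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def inverse(a, n):
    """a^-1 mod n; exists iff gcd(a, n) = 1, as the sheet notes."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return x % n

def crt_coefficients(p, q):
    """a = 1 (mod p), a = 0 (mod q); b = 0 (mod p), b = 1 (mod q)."""
    a = q * inverse(q, p)
    b = p * inverse(p, q)
    return a, b

def to_pair(u, p, q):
    """The homomorphism h(u) = (u mod p, u mod q)."""
    return u % p, u % q

def from_pair(s, t, p, q):
    """Transition from Z*_p x Z*_q back to Z*_pq: (s, t) -> a*s + b*t."""
    a, b = crt_coefficients(p, q)
    return (a * s + b * t) % (p * q)

def is_homomorphic(u, v, p, q):
    """h(u*v) equals the component-wise product of h(u) and h(v)."""
    us, ut = to_pair(u, p, q)
    vs, vt = to_pair(v, p, q)
    return to_pair(u * v % (p * q), p, q) == (us * vs % p, ut * vt % q)

if __name__ == "__main__":
    p, q = 7, 11
    print(crt_coefficients(p, q))    # (22, 56): 22 = 1 (mod 7), 56 = 1 (mod 11)
    print(from_pair(3, 5, p, q))     # 38, since 38 = 3 (mod 7) and 38 = 5 (mod 11)
```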
Calculating a root modulo $p$
$p = 4k + 3$: $\sqrt{a} = a^{\frac{p+1}{4}}$
$p = 4k + 1$ – probabilistic algorithm:
- Randomly select $b$ which is a quadratic non-residue.
- Initialize $0 \to t$, $2k \to r$.
- While $r$ is even:
  - $r/2 \to r$, $t/2 \to t$
  - If $a^r b^t \equiv -1$ then $t + 2k \to t$
- Return $a^{\frac{r+1}{2}} \cdot b^{\frac{t}{2}}$.

Legendre's symbol
$\left(\frac{a}{p}\right) \triangleq \begin{cases} +1 & a \text{ is a quadratic residue mod } p \\ -1 & a \text{ is a quadratic non-residue mod } p \end{cases}$
According to Euler: $\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \pmod p$
Every $a$ satisfies $\left(\frac{a^2}{p}\right) = \left(\frac{1}{p}\right) = 1$
$\left(\frac{-1}{p}\right) = \begin{cases} 1 & p = 4k + 1 \\ -1 & p = 4k + 3 \end{cases}$
$\left(\frac{2}{p}\right) = (-1)^{\frac{p^2-1}{8}}$
$\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$
If $p, q$ are odd primes: $\left(\frac{p}{q}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}} \left(\frac{q}{p}\right)$

Jacobi's symbol
$n = p_1 \cdot p_2 \cdots p_k$ odd, $a$ coprime to $n$. Jacobi's symbol is defined as $\left(\frac{a}{n}\right) \triangleq \left(\frac{a}{p_1}\right)\left(\frac{a}{p_2}\right) \cdots \left(\frac{a}{p_k}\right)$.
$a$ is a quadratic residue modulo $n$ iff $\left(\frac{a}{p_i}\right) = 1$ for every $i$. Therefore, if $\left(\frac{a}{n}\right) = -1$ we know for certain that $a$ is a quadratic non-residue. However, $\left(\frac{a}{n}\right) = 1$ does not guarantee that $a$ is a quadratic residue.
$a^2$ is a quadratic residue for all $a$. In particular, $\left(\frac{a^2}{n}\right) = \left(\frac{1}{n}\right) = 1$.
$\left(\frac{-1}{n}\right) = (-1)^{\frac{n-1}{2}}$
$\left(\frac{2}{n}\right) = (-1)^{\frac{n^2-1}{8}}$
$\left(\frac{a}{mn}\right) = \left(\frac{a}{m}\right)\left(\frac{a}{n}\right)$
$\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$
If $m, n$ are coprime and odd: $\left(\frac{m}{n}\right) = (-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}} \left(\frac{n}{m}\right)$
An efficient computation requires $O(\log^2 n)$ modular operations.

Number Theory
- $a, b$ coprime $\Leftrightarrow \exists x, y:\ ax + by = 1$
- $a, b$ coprime and $a \mid bc \Rightarrow a \mid c$
- $d \mid a,\ d \mid b \Rightarrow d \mid (\alpha a + \beta b)\ \ \forall \alpha, \beta \in \mathbb{Z}$
- $\gcd(a, b) = \min\{ax + by > 0 \mid x, y \in \mathbb{Z}\}$
- $lcm(a, b) = \min\{m > 0 \mid a \mid m,\ b \mid m\}$
- $d \mid a,\ d \mid b \Rightarrow d \mid \gcd(a, b)$
- $\gcd(ka, kb) = |k| \cdot \gcd(a, b)$
The Euclidean Algorithm finds the gcd and can be used to find a modular inverse. Complexity $O(\log n)$. $a$ has an inverse modulo $n \Leftrightarrow \gcd(a, n) = 1$.

RSA Encryption
$p, q$ large primes, $n = pq$. $e$ coprime to $\varphi(n)$, $d = e^{-1} \pmod{\varphi(n)}$. $(n, e)$ public key, $d$ secret.
Encryption: $C \leftarrow M^e \pmod n$. Decryption: $M \leftarrow C^d \pmod n$.
Properties: Multiplication property – $E(M_1 \cdot M_2) = E(M_1) \cdot E(M_2)$. Encryption preserves Jacobi's symbol: $\left(\frac{M}{n}\right) = \left(\frac{M^e}{n}\right)$.
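The Jacobi symbol rules and the two square-root algorithms above, as one added example that is not part of the original sheet: `jacobi` applies $\left(\frac{2}{n}\right)$, multiplicativity and reciprocity; `sqrt_mod_prime` uses $a^{(p+1)/4}$ for $p = 4k+3$ and the sheet's probabilistic loop for $p = 4k+1$. Function names and the `rng` argument are this example's own choices.

```python
# Added example (not from the sheet): the Jacobi symbol computed from the rules
# above ((2/n), multiplicativity, reciprocity) and the sheet's square-root
# algorithms for p = 4k+3 and p = 4k+1.
import random

def jacobi(a, n):
    """(a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # (2/n) = (-1)^((n^2-1)/8): -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sqrt_mod_prime(a, p, rng=random):
    """A square root of a modulo the odd prime p, or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:   # Euler's criterion
        return None
    if p % 4 == 3:                     # p = 4k+3: sqrt(a) = a^((p+1)/4)
        return pow(a, (p + 1) // 4, p)
    b = rng.randrange(2, p)            # p = 4k+1: random quadratic non-residue b
    while jacobi(b, p) != -1:
        b = rng.randrange(2, p)
    k = (p - 1) // 4
    t, r = 0, 2 * k                    # invariant: a^r * b^t = 1 (mod p)
    while r % 2 == 0:
        r //= 2
        t //= 2                        # now a^r * b^t = +-1 (mod p)
        if pow(a, r, p) * pow(b, t, p) % p == p - 1:
            t += 2 * k                 # b^(2k) = -1 restores the invariant
    return pow(a, (r + 1) // 2, p) * pow(b, t // 2, p) % p

if __name__ == "__main__":
    print(jacobi(2, 15))               # 1, although 2 is a non-residue mod 3 and mod 5
    print(sqrt_mod_prime(10, 13))      # 6 or 7: both square to 10 mod 13
```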
Hardcore bits – lsb, half.
A non-trivial square root of 1 ($\alpha^2 = 1$, $\alpha \ne \pm 1$) allows factorization. Calculating modular square roots allows factorization: if $a^2 \equiv b^2 \pmod n$, then $\gcd(a - b, n)$ and $\frac{n}{\gcd(a - b, n)}$ are the prime factors.

RSA Signatures
Signing process – $S = D_A(M) = M^{d_A}$
Verification process – $M \stackrel{?}{=} E_A(S) = S^{e_A}$

Zero Knowledge Proofs
Perfect – the simulator's output has a distribution identical to a "real" output.
Computational – the distribution of the simulator's output and the distribution of a real prover's output are (computationally) indistinguishable, i.e. there may be a negligible difference between them.
If bit-commitment is used in a ZK protocol, perfect binding must be assured because the prover is computationally unlimited. Therefore the secrecy is computational, and the protocol will be computational ZK rather than perfect.
Computational zero-knowledge example: Graph 3-Colorability.

Differential Cryptanalysis
An $n$-round characteristic is $\Omega = (\Omega_P, \Omega_\Lambda, \Omega_T)$ such that:
- $\Omega_P$ – $m$ bits, input difference (before encryption)
- $\Omega_T$ – $m$ bits, output difference (after encryption)
- $\Omega_\Lambda = (\Lambda_1, \Lambda_2, \dots, \Lambda_n)$ – the intermediate rounds, each $\Lambda_i = (\Lambda_i^I, \Lambda_i^O)$ (round input and output difference, $m/2$ bits each)
and the following hold:
- $\Lambda_1^I$ = right half of $\Omega_P$
- $\Lambda_2^I = \Lambda_1^O \oplus$ (left half of $\Omega_P$)
- $\Lambda_n^I$ = right half of $\Omega_T$
- $\Lambda_{n-1}^I = \Lambda_n^O \oplus$ (left half of $\Omega_T$)
- For every $2 \le i \le n - 1$: $\Lambda_i^O = \Lambda_{i-1}^I \oplus \Lambda_{i+1}^I$
A correct pair with respect to a characteristic $\Omega$ and a key $K$ is a pair of inputs whose difference is $\Omega_P$ and whose differences in all the intermediate rounds match the characteristic.
The probability of a characteristic is the probability that a pair of inputs matching $\Omega_P$ is a correct pair (taken over all the keys).
A differential is the set of all characteristics with identical $\Omega_P$, $\Omega_T$ and the same number of rounds. The probability of a differential is the sum of its characteristics' probabilities.
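A checker for the structural equations of a characteristic, as an added example that is not part of the original sheet: given $\Omega_P$ and the round output differences $\Lambda_i^O$, it derives the forced $\Lambda_i^I$ and verifies the two $\Omega_T$ conditions. It assumes $m = 64$ (DES) and uses the sheet's iterative characteristic $\psi = 19\,60\,00\,00_x$ as its test input; all names are this example's own.

```python
# Added example (not from the sheet): a checker for the structural equations of
# an n-round characteristic as defined above. Only the round output differences
# Lambda_i^O are supplied; the round inputs Lambda_i^I are forced by Omega_P, and
# the two Omega_T conditions are then verified. Block size m = 64 (DES) is assumed.
M = 64
HALF_MASK = (1 << (M // 2)) - 1

def halves(diff):
    """Split an m-bit difference into its (left, right) m/2-bit halves."""
    return diff >> (M // 2), diff & HALF_MASK

def round_inputs(omega_p, lambda_out):
    """Lambda_1^I = R(Omega_P); Lambda_2^I = Lambda_1^O xor L(Omega_P);
    Lambda_{i+1}^I = Lambda_i^O xor Lambda_{i-1}^I for 2 <= i <= n-1."""
    n = len(lambda_out)
    if n < 2:
        raise ValueError("a characteristic needs at least two rounds")
    left, right = halves(omega_p)
    lam_in = [right, lambda_out[0] ^ left]
    for i in range(1, n - 1):                 # zero-based index i is round i+1
        lam_in.append(lambda_out[i] ^ lam_in[i - 1])
    return lam_in

def is_consistent(omega_p, lambda_out, omega_t):
    """True iff Lambda_n^I = R(Omega_T) and Lambda_{n-1}^I = Lambda_n^O xor L(Omega_T)."""
    lam_in = round_inputs(omega_p, lambda_out)
    left_t, right_t = halves(omega_t)
    return lam_in[-1] == right_t and lam_in[-2] == lambda_out[-1] ^ left_t

# The sheet's iterative characteristic: psi = 19 60 00 00_x, Omega_P = (psi, 0),
# both round output differences 0, Omega_T = (0, psi).
PSI = 0x19600000
OMEGA_P = PSI << (M // 2)
OMEGA_T = PSI

def iterative_characteristic_ok(rounds=2):
    """Compose the two-round characteristic with itself (rounds must be even)."""
    return is_consistent(OMEGA_P, [0] * rounds, OMEGA_T)

if __name__ == "__main__":
    print(iterative_characteristic_ok(2), iterative_characteristic_ok(16))   # True True
```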
The iterative characteristic $\Omega_P = (19\,60\,00\,00_x,\ 00\,00\,00\,00)$, also written $\Omega_P = (\psi, 0)$, is a two-round characteristic with probability $\frac{1}{234}$. $\Omega_T = (0, \psi)$, so that it can be composed with itself. Concatenating the characteristic to 16–17 rounds yields a characteristic with probability $2^{-62}$, $2^{-63}$ respectively.
Note: in order to get the same output of F, two inputs must differ in at least 3 S-boxes.
A 0R attack requires $2 \cdot p^{-1}$ pairs of inputs ($p$ – the characteristic's probability), from which 2 correct pairs will remain.

Secret Sharing
A secret sharing scheme: $n$ parties, each receiving a share. Cooperation of pre-defined groups allows reconstructing the secret. Any group that was not pre-defined cannot gain any information about the secret.
$(t, n)$-Threshold Scheme – a group can reconstruct the secret only if its size is at least $t$.

Hash Function
Merkle–Damgård padding: given a message $M$, $M$ is padded so that its length is a multiple of the block size. The message length is included in the padding.
Merkle–Damgård construction: $h_i = H(h_{i-1}, m_i)$, where $h_0 = IV$ and $h(m_1, \dots, m_k) = h_k$.

Mutual Commitment
Perfect binding: the committer sends $g^r \bmod p$ ($r$ odd/even according to $b$). The committer cannot cheat (reveal another value), but the receiver can calculate $b$.
Perfect hiding: the committer sends $g^r h^b \bmod p$ ($g, h$ generators of a group of elements of order $q \mid p - 1$). The receiver cannot calculate $b$, but the committer can reveal different $r, b$ values.
Common coin (bit) toss: each party commits to one bit and sends the commitment; afterwards the bits are revealed and the coin is $b = b_A \oplus b_B$.
$OT$: B learns a bit with probability $\frac{1}{2}$; A does not know whether B has learned the bit.
$OT_1^2$: B learns one of two secrets of his choice; A does not know which secret B has learned.
Implementations: bit commitment, non-interactive zero-knowledge proofs.
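The two commitment flavours and the coin toss above, as an added example that is not part of the original sheet. It uses constructed toy parameters: $p = 23$, $q = 11$ ($q \mid p - 1$), $g_0 = 5$ a generator of all of $\mathbb{Z}_{23}^*$ for the binding scheme, and $g = 4$, $h = 9$ generators of the order-11 subgroup for the hiding scheme; `X = 8` is $\log_g h$, the trapdoor that makes the committer's equivocation concrete.

```python
# Added example (not from the sheet): the two bit-commitment flavours above and the
# coin toss built on them, with constructed toy parameters (p = 23, q = 11 | p-1).
P, Q = 23, 11
G0 = 5           # generator of Z*_23: g0^r is a quadratic residue iff r is even
G, H = 4, 9      # both have order 11 in Z*_23 (the quadratic-residue subgroup)
X = 8            # log_g h, i.e. h = g^X; normally unknown to everyone (discrete log)

def commit_binding(b, r):
    """Perfectly binding: send g0^r mod p, with r's parity equal to b.
    r is unique mod p-1 = 22, so its parity, and hence b, cannot be changed."""
    if r % 2 != b:
        raise ValueError("r must be odd for b = 1 and even for b = 0")
    return pow(G0, r, P)

def receiver_reads_bit(c):
    """The receiver recovers b via Euler's criterion: c is a residue iff r is even."""
    return 0 if pow(c, (P - 1) // 2, P) == 1 else 1

def commit_hiding(b, r):
    """Perfectly hiding: send g^r h^b mod p; r uniform mod q makes c independent of b."""
    return pow(G, r, P) * pow(H, b, P) % P

def open_hiding(c, b, r):
    """Receiver's check of a revealed (b, r)."""
    return commit_hiding(b, r) == c

def equivocate(r, b, new_b, x=X):
    """With the trapdoor x = log_g h, find r' so that (new_b, r') opens the same c:
    g^r h^b = g^(r + x b) = g^(r' + x new_b)  =>  r' = r + x (b - new_b) mod q."""
    return (r + x * (b - new_b)) % Q

def coin_toss(b_a, r_a, b_b, r_b):
    """Both parties commit (hiding scheme) and exchange commitments, then reveal;
    the coin is b_A xor b_B. Returns None if either opening fails to verify."""
    c_a, c_b = commit_hiding(b_a, r_a), commit_hiding(b_b, r_b)
    if not (open_hiding(c_a, b_a, r_a) and open_hiding(c_b, b_b, r_b)):
        return None
    return b_a ^ b_b

if __name__ == "__main__":
    c = commit_hiding(1, 5)                  # 16
    print(receiver_reads_bit(commit_binding(1, 7)))          # 1: binding leaks b
    print(open_hiding(c, 1, 5), open_hiding(c, 0, equivocate(5, 1, 0)))  # True True
```

The last line shows the sheet's point that the hiding scheme binds only computationally: both openings verify, but producing the second one needed $\log_g h$.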