
Late Classical Cryptosystems

From 1900 up to the mid-1970s∗

Jim Royer

Introduction to Cryptography

September 6, 2018

∗ The DES block cipher was announced in 1975, the RSA cryptosystem was first published in 1977, and modern cryptography began to take shape.

Crypto Late Classical Cryptosystems

Cryptosystems from 1900 to 1975

Many important and storied examples. See:

http://users.telenet.be/d.rijmenants/

We’ll talk about just one in detail: the one-time pad. (View the remaining cryptosystems as possible paper topics.)

But we need to mention the system that everyone knows about:


Enigma

In WWII, used by the Germans, broken by the British.

An example of a rotor machine:

  • key = plug board settings + init rotor positions
  • number of keys = (init rotor settings) × (rotor orderings) × (init p-board settings)
    = 26^3 × 6 × 100391791500 > 10^15

Weaknesses:

  • keys lasted an entire day
  • weather reports started with a standard opening
  • the 1st letter of a message ≈ a subst. cipher; hence, an easy freq. analysis


Part of the National Cryptological Museum’s Enigma Collection


The One-Time Pad (or the Vernam Cipher, circa 1917)

Observe: (a ⊕ b) ⊕ b = a ⊕ (b ⊕ b) = a ⊕ 0 = a.

Exclusive-Or

    ⊕ | 0  1
    --+-----
    0 | 0  1
    1 | 1  0

One-time pad

Given a plaintext p and key r, bit-strings with len(r) = len(p):

    encrypt_k(p) = p ⊕ k.
    decrypt_k(c) = c ⊕ k.

Example

       00101001  (plaintext)
    ⊕  10101100  (key)
       10000101  (ciphertext)
    ⊕  10101100  (key)
       00101001  (plaintext)


One-Time Pad, Properties

Provided that keys are uniformly randomly chosen for each message, cracking a one-time pad is impossible!

That is:

  • given a particular ciphertext c of length n,
  • given a particular plaintext p of length n,

Prob[c came from p] = 2^(−n). (We’ll prove this shortly.)

The price for this:

The keys are very big. The keys can be used only once!

To analyze this we need a bit more probability theory.


Probability, 1

Terminology

S, a sample space = the possible outcomes of an experiment. In the following, 0 < |S| < ∞. (Recall: |S| = # of elms. of S.)

A probability distribution is a p: S → [0, 1] (an assignment of a probability to each element of S) so that ∑x∈S p(x) = 1.

Example 1.

  • A uniform distribution on S is p(x) = 1/|S|. E.g., p(heads) = p(tails) = 1/2.
  • Loaded die (a nonuniform distr.): p(1) = p(2) = 0.1, p(3) = p(4) = p(5) = p(6) = 0.2.
    (For the engineering details, see: http://www.straightdope.com/columns/read/2878/how-do-you-load-a-pair-of-dice.)


Probability, 2

For the moment, fix a probability distribution, p, on S.

Terminology. X: S → R, a random variable. Maps an outcome (an element of S) to a result (an element of R).

Example 2. Roll two 6-sided dice and take the sum of the rolls.

    S = { (m, n) : m, n ∈ { 1, . . . , 6 } }
    X(m, n) = m + n.

Terminology. The probability that X takes on value x:

    pX = pX(x) = p(X = x) = Prob[s ∈ S | X(s) = x]

Image from http://en.wikipedia.org/wiki/Dice.

Example 3 (Assuming a uniform distr.).


Probability, 3

Terminology. p(X = x, Y = y) (abbreviated pS(x, y)) = the probability that (X takes on value x) & (Y takes on value y).

Example 4.

    p(Die = 4, coin = heads) = 1/12.
    p(Die = an odd number, Die = a prime) = 1/3.


Probability, 4

Terminology: The probability that X = x given that Y = y:

    p(X = x | Y = y) = p(X = x, Y = y) / p(Y = y)   (assuming p(Y = y) ≠ 0).

Example 5.

    p(coin = heads | die = 4) = 1/2.
    p(die is prime | die is odd) = 2/3.

Fact: p(X = x, Y = y) = p(X = x | Y = y) · p(Y = y) = p(Y = y | X = x) · p(X = x).

Bayes Theorem. If p(Y = y) > 0, then

    p(X = x | Y = y) = p(X = x) · p(Y = y | X = x) / p(Y = y).

Abbreviation: pX(x|y) = p(X = x | Y = y).


Probabilities for a Simple-Minded Cipher, I

The Cipher

  • Plaintexts P = { a, b, c, d }.
  • Ciphertexts C = { U, V, W, X }.
  • Keys K = { k1, k2, k3 }.

Encryption function e·(·):

    e·(·)   a   b   c   d
    k1      W   X   V   U
    k2      W   U   X   V
    k3      X   W   U   V

Basic Probabilities

pP(m) = prob. the plaintext is m.

    m       a      b      c      d
    pP(m)   0.25   0.3    0.15   0.3

pK(k) = prob. the key is k.

    k       k1     k2     k3
    pK(k)   0.25   0.5    0.25

We assume that plaintexts and keys are picked independently.


Probabilities for a Simple-Minded Cipher, II


Computed Probabilities

pC(c) = prob. the ciphertext is c.

    pC(U) = pK(k1) · pP(d) + pK(k2) · pP(b) + pK(k3) · pP(c) = 0.2625.

Similarly, ...

    pC(V) = 0.2625.
    pC(W) = 0.2625.
    pC(X) = 0.2125.


Probabilities for a Simple-Minded Cipher, III


Computed Probabilities

p(C = c|P = m) = prob. the ciphertext is c given that the plaintext is m
               = ∑{ pK(k) : c = ek(m) }

    p(C = ·|P = ·)   a      b      c      d
    U                0      0.5    0.25   0.25
    V                0      0      0.25   0.75
    W                0.75   0.25   0      0
    X                0.25   0.25   0.5    0


Probabilities for a Simple-Minded Cipher, IV


Computed Probabilities (The one we really care about)

p(P = m|C = c) = prob. the plaintext is m given that the ciphertext is c
               = pP(m) · p(C = c|P = m) / pC(c)   (Using Bayes Theorem)

    p(P = ·|C = ·)   U       V       W       X
    a                0       0       0.714   0.294
    b                0.571   0       0.286   0.352
    c                0.143   0.143   0       0.352
    d                0.286   0.857   0       0


Checking Details

  1. Verify the calculation that pC(V) = 0.2625.
  2. Verify the calculation that p(C = W|P = a) = 0.75.
  3. Verify the calculation that p(P = d|C = V) = 0.857.


  1. Verify the calculation that pC(V) = 0.2625.

     pC(V) = pK(k1) · pP(c) + pK(k2) · pP(d) + pK(k3) · pP(d) = 0.25 · 0.15 + 0.5 · 0.3 + 0.25 · 0.3 = 0.2625

  2. Verify the calculation that p(C = W|P = a) = 0.75.

     p(C = W|P = a) = pK(k1) + pK(k2) = 0.25 + 0.5 = 0.75

  3. Verify the calculation that p(P = d|C = V) = 0.857.

     p(P = d|C = V) = pP(d) · p(C = V|P = d) / pC(V) = 0.3 · 0.75 / 0.2625 ≈ 0.857


Probabilities for a Simple-Minded Cipher, V

    e·(·)   a   b   c   d
    k1      W   X   V   U
    k2      W   U   X   V
    k3      X   W   U   V

    p(P = ·|C = ·)   U       V       W       X
    a                0       0       0.714   0.294
    b                0.571   0       0.286   0.352
    c                0.143   0.143   0       0.352
    d                0.286   0.857   0       0

The ciphertext is very informative. (Which is not what one wants.)

  • If the cipher text is U, the plaintext can’t be a, and b is more likely than c and d.
  • If the cipher text is V, the plaintext can’t be a or b, and d is much more likely than c.
  • Etc.

These are bad properties for a cipher. We want the cipher text to be as uninformative as possible.


Perfect Secrecy

Definition 6. A cryptosystem has perfect secrecy when, for all m and all c:

    p(P = m|C = c) = p(P = m).

Interpretation: Knowing what the ciphertext, c, is fails to tell you anything new about how likely a particular plaintext, p, is.

Theorem 7 (Shannon). Suppose S = (P, C, K, ek(·), dk(·)) is a cryptosystem with |P| = |C| = |K|. Then, S has perfect security iff both

  (i) pK(k) = 1/|K| &
  (ii) for each m and c: |{ k : ek(m) = c }| = 1.


Proof of The Perfect Security Theorem (⇐-direction)

Suppose: (i) pK(k) = 1/|K| and (ii) |{ k : ek(m) = c }| = 1, ∀m, c.

By (i): pC(c) = ∑k pK(k) · pP(dk(c)) = (1/|K|) ∑k pP(dk(c)).

By (ii): ∑k pP(dk(c)) = ∑m p(P = m) = 1. So, pC(c) = 1/|K|.

Let k_{m,c} be the unique k such that c = ek(m). (Uniqueness by (ii).) So: p(C = c|P = m) = pK(k_{m,c}) = 1/|K|.

So by Bayes Theorem

    p(P = m|C = c) = p(P = m) · p(C = c|P = m) / pC(c) = pP(m) · (1/|K|) / (1/|K|) = pP(m). QED
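The Bayes computation from the Simple-Minded Cipher slides and the perfect-secrecy test of Definition 6, as an added Python example that is not part of the original slides. It uses exact fractions; the function names and the 2-bit one-time pad with a non-uniform plaintext distribution are constructed for this illustration.

```python
from fractions import Fraction as F
from itertools import product

def posterior(enc, p_plain, p_key):
    """Return (pC, post) with post[(m, c)] = p(P = m | C = c), by Bayes' Theorem.
    enc[(k, m)] is e_k(m); plaintexts and keys are picked independently."""
    p_c, joint = {}, {}
    for (k, m), c in enc.items():
        w = p_key[k] * p_plain[m]                    # p(K = k) * p(P = m)
        p_c[c] = p_c.get(c, 0) + w                   # accumulates pC(c)
        joint[(m, c)] = joint.get((m, c), 0) + w     # accumulates p(P = m, C = c)
    post = {(m, c): joint.get((m, c), 0) / p_c[c] for m in p_plain for c in p_c}
    return p_c, post

def perfectly_secret(enc, p_plain, p_key):
    """Definition 6: p(P = m | C = c) == p(P = m) for all m and all c."""
    _, post = posterior(enc, p_plain, p_key)
    return all(post[(m, c)] == p_plain[m] for (m, c) in post)

# The slides' simple-minded cipher: tables e.(.), pP and pK.
P_PLAIN = {"a": F(25, 100), "b": F(30, 100), "c": F(15, 100), "d": F(30, 100)}
P_KEY = {"k1": F(1, 4), "k2": F(1, 2), "k3": F(1, 4)}
ROWS = {"k1": "WXVU", "k2": "WUXV", "k3": "XWUV"}
SIMPLE = {(k, m): row[i] for k, row in ROWS.items() for i, m in enumerate("abcd")}

# Constructed for this example: a 2-bit one-time pad with uniform keys and the
# same (non-uniform) plaintext probabilities assigned to the messages 0..3.
OTP_PLAIN = dict(zip(range(4), P_PLAIN.values()))
OTP_KEY = {k: F(1, 4) for k in range(4)}
OTP = {(k, m): m ^ k for k, m in product(range(4), repeat=2)}

if __name__ == "__main__":
    p_c, post = posterior(SIMPLE, P_PLAIN, P_KEY)
    for c in "UVWX":
        row = [round(float(post[(m, c)]), 3) for m in "abcd"]
        print(c, "pC =", float(p_c[c]), "p(P = a..d | C) =", row)
    print("simple-minded cipher:", perfectly_secret(SIMPLE, P_PLAIN, P_KEY))
    print("2-bit one-time pad:  ", perfectly_secret(OTP, OTP_PLAIN, OTP_KEY))
```

The one-time pad passes even though its plaintexts are far from uniform, because conditions (i) and (ii) of Theorem 7 constrain only the keys.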


Random and Pseudo-Random Bits

For various reasons (that we’ll come back to) using long random bit strings as keys is a pain.

Pseudo-random generators are randomness amplifiers:

    01001 (random bits) → PRG → 10111 ...01 (a long string of pseudo-random bits)

Why pseudo? Some PRGs are more pseudo than others.

Linear congruential generators

  • Parameters: a, b, m
  • Seed: x_0
  • x_{n+1} =def (a · x_n + b) mod m
  • NOT cryptographically strong!!!


Random and Pseudo-Random Bits, Continued

Definition 8. A one-way function f : A → B is (roughly) a function that is easy to compute, but hard to invert. (Formalizing “easy” and “hard” takes some work.)

A PRG based on one-way functions

  • Suppose f is a one-way function.
  • Pick s, a seed.
  • x_j = f(s + j), where j = 1, 2, . . . , and b_j = x_j mod 2.

There are functions believed to be one-way based on AES, SHA-2, SHA-256, ...

Other PRGs are based on number theory. (later!)


Linear Feedback Shift Register Sequences

Example: The following has a period of 31.

    seed: x1x2x3x4x5 = 01000
    rule: x_{n+5} = (x_n + x_{n+2}) mod 2
    so:   x = 0100001001011001111100011011101010000100 . . .

The general form:

    seed: x1x2x3 . . . xm.
    rule: x_{n+m} = (∑_{i=0}^{m−1} c_i · x_{n+i}) mod 2.

A LFSRS-pad

  • Encryption: p ⊕ x = c. Decryption: c ⊕ x = p.
  • low security
  • very fast
  • can have long periods with very little initial info

LFSRS are used in some hotel swipe-card door locks.
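The slide's shift register in Python, as an added example that is not part of the original slides. It reproduces the 40 bits shown, checks the period, and shows why the LFSRS-pad is rated "low security": with the rule public, the first m known plaintext bits reveal the seed and therefore the whole pad. The function names and the sample message are constructed for this illustration.

```python
def step(state, coeffs):
    """Shift the m-bit register once: append sum(c_i * x_{n+i}) mod 2, drop x_n."""
    return state[1:] + [sum(c & x for c, x in zip(coeffs, state)) % 2]

def keystream(seed, coeffs, n):
    """First n bits x_1 .. x_n of the LFSR sequence."""
    state, out = list(seed), []
    for _ in range(n):
        out.append(state[0])
        state = step(state, coeffs)
    return out

def period(seed, coeffs):
    """Steps until the register returns to the seed, or None if it never does."""
    state = list(seed)
    for n in range(1, 2 ** len(seed) + 1):   # at most 2^m distinct states
        state = step(state, coeffs)
        if state == list(seed):
            return n
    return None

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def recover_plaintext(cipher, known_prefix, coeffs):
    """c XOR p on the first m positions is the seed; the rule regenerates the pad."""
    m = len(coeffs)
    seed = xor(cipher[:m], known_prefix[:m])
    return xor(cipher, keystream(seed, coeffs, len(cipher)))

# The slide's register: x_{n+5} = (x_n + x_{n+2}) mod 2, seed 01000.
COEFFS = [1, 0, 1, 0, 0]          # c_0 .. c_4
SEED = [0, 1, 0, 0, 0]            # x_1 .. x_5
SLIDE_BITS = "0100001001011001111100011011101010000100"

if __name__ == "__main__":
    bits = "".join(map(str, keystream(SEED, COEFFS, 40)))
    print("matches slide:", bits == SLIDE_BITS, "period:", period(SEED, COEFFS))
    plain = [int(b) for b in "1100101011110000101001"]   # constructed message
    cipher = xor(plain, keystream(SEED, COEFFS, len(plain)))
    print("recovered from 5 known bits:",
          recover_plaintext(cipher, plain[:5], COEFFS) == plain)
```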
