I_c(x) = Σ_{i=1}^{m} (f_i choose 2) / (t choose 2) = Σ_{i=1}^{m} f_i(f_i − 1) / (t(t − 1))
If x is a natural language text, we expect that I_c(x) ≈ Σ_{i=1}^{m} p_i², where p_i is the probability of occurrence of the i-th character in the corresponding language. The longer the text x is, the closer its index of coincidence should be to this theoretical value. For English, the theoretical value can be computed as:
0,1270² + 0,0906² + ... + 0,0010² + 0,0007² = 0,0655
(the values were obtained from the frequency tables of the English language)
If the text x were filled with uniformly random characters, we would expect I_c(x) = 26 · (1/26)² ≈ 0,0385.
It is interesting that the index of coincidence remains invariant under any simple (monoalphabetic) substitution, while a polyalphabetic substitution (such as the Vigenère cipher) pushes it toward the random value — this is exactly what makes the following test possible.
The length of the key n = 1, 2, ... will be tested. For the exact length of the key, the characters of the text x at positions i, n + i, 2n + i, ... (1 ≤ i ≤ n) are encrypted using the same k_i. Therefore, the ciphertext can be partitioned into n partitions:
k_1: x_1 x_{n+1} x_{2n+1} ...
k_2: x_2 x_{n+2} x_{2n+2} ...
...
k_n: x_n x_{2n} x_{3n} ...
where each partition is obtained from the plaintext by a simple substitution. We therefore expect each partition to have an index of coincidence close to that of the language and far from that of random text. If the text x is split into partitions of a size that does not match the key length, the partitions are combinations of two or more simple substitutions, so their indices of coincidence move closer to the random value. Multiples of the key length, on the other hand, should again be close to the index of coincidence of natural language. Computing the average index of coincidence of the partitions for each candidate key length and comparing it to the indices of natural language and of random text should yield the correct key length.
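This first phase can be sketched in a few lines of Python. This is an illustrative sketch; the function names are ours, and the reference values (about 0.0655 for English, about 0.0385 for random text) come from the discussion above:

```python
from collections import Counter

def index_of_coincidence(text):
    """I_c(x) = sum of f_i * (f_i - 1) over all characters, divided by t * (t - 1)."""
    t = len(text)
    if t < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(text).values()) / (t * (t - 1))

def average_ic_for_key_length(ciphertext, n):
    """Split the ciphertext into n partitions (positions i, n+i, 2n+i, ...)
    and return the average index of coincidence over the partitions."""
    return sum(index_of_coincidence(ciphertext[i::n]) for i in range(n)) / n
```

For the correct key length the average approaches the language value; for a mismatched length it drifts toward the random value.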
Second phase
Now the task is to obtain the key, whose length is known. To successfully obtain the components of the key k = (k_1, k_2, ..., k_n), we first determine the relative distances of k_1 to the other components of the key, i.e. k_2 − k_1, ..., k_n − k_1. To determine these distances, we use the mutual index of coincidence MI_c(x, y) of two strings x and y. The mutual index of coincidence is the probability that a randomly chosen character from x is equal to a randomly chosen character from y. If we denote the numbers of occurrences of the individual characters in x as f_1, f_2, ..., f_m, and similarly for y as f'_1, f'_2, ..., f'_m, then the mutual index of coincidence can be obtained from:

MI_c(x, y) = Σ_{i=1}^{m} f_i f'_i / (t t'),   where t = |x| and t' = |y|
The mutual index of coincidence of two strings x and y does not change when the same simple substitution is applied to both strings. We expect natural-language strings to have a mutual index of coincidence approximately equal to the index of coincidence of the language.
Determination of the relative distance k_i − k_1 (i = 2, ..., n) proceeds by shifting the characters of the partition corresponding to k_i by d = 0, 1, ..., m − 1 and examining the mutual index of coincidence with the partition of component k_1. If k_i − k_1 = d, the index is approximately equal to the index of coincidence of natural language. Otherwise, the index is closer to the index for randomly distributed characters.
The only thing left is to determine the value of k
1
. This can be done by evaluating all possibilities
(their number is the number of characters in alphabet). By substituting particular k
i
and decrypting
the ciphertext, only one text can be meaningful. This fact will determine the correct value of k
1
.
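The second phase can be sketched in the same spirit. The helper `best_shift` below is our own illustrative name; it simply tries every shift d of the i-th partition and keeps the one maximizing the mutual index of coincidence with the first partition:

```python
from collections import Counter

def mutual_ic(x, y):
    """MI_c(x, y) = sum of f_i * f'_i over the alphabet, divided by |x| * |y|."""
    fx, fy = Counter(x), Counter(y)
    return sum(fx[a] * fy[a] for a in fx.keys() | fy.keys()) / (len(x) * len(y))

def best_shift(part1, part_i, m=26):
    """Estimate k_i - k_1: the shift d that un-shifts partition i onto the
    same simple substitution as partition 1 maximizes MI_c."""
    def unshift(s, d):
        return "".join(chr((ord(c) - 65 - d) % m + 65) for c in s)
    return max(range(m), key=lambda d: mutual_ic(part1, unshift(part_i, d)))
```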
Example
Imagine we received the following ciphertext (the letters are organized in quintuples for better readability):
VIYNZ HWZLV EHDGA ZKDGA PJAGS DOUYS PYAJH ICQZF VIJON LZUUB JOJZZ LSWHL SHSOA
OCQZD HBPOU NHKNP APARV DWPLV EKWYR UCSTP UZKTK VBBUY OWOGJ LFXOJ DWPNL OOZSH
KSDOZ TONQH AOJKH YZUSL LHETN VTPNL QCETA PBPKS SWCKU JSYUT TWPZL LKDKU ZWNGU
AVKTF WZQSI OOZHL LBYUT WZWOU PBCZO HHQTS PYAGS SHDKV AVAXZ OSDGK UCJOJ LZEZA
SSWIY VBUSA VRAYJ YWXKO PGFUI OSSGZ QIOZA OSYNH PFIGU VTPNL QWYUY AVAIV VFZOU
HHKXV MWJZL SZEML UQACO FQKAS KVATV AVWBL HUNUB WCBOU PHEGS ZHDGA TOZKB WOONV
YHSUY KWJZO LAOKS CSONV DOXUB ARNGD SSZLV ETNUT OWOKU KCBZO LHWHS LGQVY LAANL
HRKLP UHARS PUATJ LHWXN LHETN ZWNGU AVKTF WFALL YFAJU VHPUI LYJUD UOOZO LGDOA
VTSNP ASDGS SOJJK YCLVL KHDKT HHPKY VTPNL HQNUU FA
First phase
We compute indexes of coincidence for various lengths of key. The following table is therefore
obtained:
 n    I_c       n    I_c       n    I_c       n    I_c       n    I_c
1 0,0470 5 0,0645 9 0,0453 13 0,0489 17 0,0425
2 0,0466 6 0,0454 10 0,0647 14 0,0461 18 0,0443
3 0,0456 7 0,0484 11 0,0468 15 0,0586 19 0,0491
4 0,0454 8 0,0458 12 0,0435 16 0,0451 20 0,0629
As explained above, for the key of the correct length we expect to obtain a value closer to 0,0655, whereas for a mismatched key length we expect a value closer to 0,0385.
As we can clearly see, multiples of 5 are much closer to the desired value than any other length; thus we conclude that the length of the key is 5.
Now we can proceed to identify the individual components of the key.
Second phase
We proceed with the computation of the mutual indices of coincidence for each key difference. The following table summarizes the results for the differences of the key components under the various character shifts d:
 d    k_2 − k_1    k_3 − k_1    k_4 − k_1    k_5 − k_1
0 0,0457 0,0448 0,0383 0,0622
1 0,0338 0,0338 0,0276 0,0303
2 0,0319 0,0386 0,0375 0,0324
3 0,0480 0,0393 0,0459 0,0398
4 0,0419 0,0483 0,0374 0,0441
5 0,0283 0,0437 0,0330 0,0368
6 0,0337 0,0345 0,0417 0,0387
7 0,0646 0,0352 0,0351 0,0425
8 0,0366 0,0399 0,0315 0,0325
9 0,0307 0,0375 0,0372 0,0382
10 0,0364 0,0341 0,0425 0,0398
11 0,0503 0,0467 0,0403 0,0452
12 0,0404 0,0309 0,0319 0,0282
13 0,0355 0,0311 0,0346 0,0391
14 0,0414 0,0402 0,0474 0,0350
15 0,0396 0,0605 0,0349 0,0432
16 0,0284 0,0353 0,0322 0,0386
17 0,0334 0,0285 0,0341 0,0310
18 0,0443 0,0398 0,0463 0,0357
19 0,0403 0,0424 0,0334 0,0388
20 0,0323 0,0393 0,0338 0,0368
21 0,0318 0,0351 0,0521 0,0336
22 0,0547 0,0360 0,0394 0,0430
23 0,0355 0,0299 0,0265 0,0382
24 0,0349 0,0359 0,0385 0,0358
25 0,0352 0,0394 0,0675 0,0412
By inspecting the table, we pick in each column the value closest to the expected one: 0,0646 at shift 7, 0,0605 at shift 15, 0,0675 at shift 25 and 0,0622 at shift 0. Therefore, we obtained the relative components of the key k: (0, 7, 15, 25, 0). The only missing fact is now the value of k_1; the other components can be obtained by shifting this value by the relative distances. Thus, we can try all possible values of k_1, apply the corresponding component shifts and see which of the 26 texts makes sense. The following fragment of the decrypted ciphertext demonstrates this process:
...
F ...WMSAYLRQCCYZCJRUGRFMSRUYLRGLE...
G ...XNTBZMSRDDZADKSVHSGNTSVZMSHMF...
H ...YOUCANTSEEABELTWITHOUTWANTING...
I ...ZPVDBOUTFFBCFMUXJUIPVUXBOUJOH...
J ...AQWECPVUGGCDGNVYKVJQWVYCPVKPI...
...
As we can see, the only meaningful value of k_1 is H, therefore our key is HOWGH.
Finally, we get the plaintext (punctuation marks were added for better readability):
'Ouch,' said Fox, 'that's what I've always liked about you, Nigel. You can't
see a belt without wanting to hit below it.'
Fox was known in London for his acerbic wit. He had made his mark at an early
meeting of the Joint Intelligence Committee when Sir Anthony Plumb had been
complaining that unlike all the others he had no nice little acronym to describe
his job. He was just the Chairman of the JIC, or the Coordinator of
Intelligence. Why could he not have a group of initials that made up a short
word in themselves?
'How about,' drawled Fox from his end of the table, 'Supreme Head of
Intelligence Targeting?'
Sir Anthony preferred not to be known as the SHIT of Whitehall and dropped the
matter of the acronym.
Again, this is an excerpt from Frederick Forsyth's book The Fourth Protocol.
Types of attacks
We recognize the following types of cryptanalysis attacks (ordered by ascending severity):
1. COA – ciphertext-only attack. The attacker possesses a list of ciphertexts E_k(p_1), ..., E_k(p_n), but does not know the corresponding plaintexts. The attacker usually tries to recover k, determine some plaintext, or create E_k(p_i) for a given plaintext p_i.
2. KPA – known-plaintext attack. The attacker possesses a list of pairs of plaintexts and corresponding ciphertexts: (p_1, E_k(p_1)), ..., (p_n, E_k(p_n)). The attacker has the same goals as in the COA.
3. CPA – chosen-plaintext attack. The attacker can choose a few plaintexts for which he obtains the corresponding ciphertexts encrypted using the same key k. The goals of the attack are the same as in the previous cases.
4. CCA – chosen-ciphertext attack. The attacker can choose a few ciphertexts for which he obtains the corresponding plaintexts decrypted using the same key k. Again, the goals are the same as in all prior cases.
For CPA and CCA we can also consider their adaptive variants, in which the attacker repeats the selection of texts after analyzing the data obtained so far. Modern cryptographic systems are expected to be resistant to such attacks.
Kerckhoffs' principle
The security of a cryptosystem shall not be based on keeping the algorithm secret but solely on keeping the key secret. In other words, assume your opponent knows the cryptosystem being used.
As we saw, the scytale and Caesar's shift directly violate Kerckhoffs' principle, as knowledge of the cryptosystem is sufficient to decipher the message.
Contemporary cryptography
Symmetric cryptography
Block and stream ciphers
Contemporary symmetric cryptosystems usually utilize keys of fixed length (e.g. 256 bits) which can be used to encrypt substantially longer plaintexts. Aside from the secure transport of the short key, there arises the problem of transferring confidential information of virtually any length. According to the way the cipher achieves this goal, symmetric ciphers can be divided into two basic categories: block and stream ciphers.
Block ciphers
Block ciphers encrypt the plaintext by splitting it into blocks of fixed length. They process each block separately; the resulting encrypted blocks are concatenated sequentially and form the ciphertext.
Stream ciphers
Stream ciphers imitate the Vernam cipher using a shorter key. The key is used to initialize a deterministic finite state machine (DFSM) that produces a stream of bits. This stream is then used as the key for a Vernam cipher: the stream of bits is added modulo 2 (XOR) to the bits of the plaintext. The receiver of the ciphertext uses the same key to initialize its own DFSM, generates the same stream of bits and adds it to the ciphertext, obtaining the plaintext.
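A minimal sketch of this construction, with a linear congruential generator standing in for the DFSM (the LCG constants are the classic glibc ones; an LCG is not cryptographically secure, so this is purely illustrative):

```python
def keystream(key, length):
    """Toy DFSM: a linear congruential generator seeded with the key,
    emitting one keystream byte per step. NOT secure -- illustration only."""
    state = key
    for _ in range(length):
        state = (1103515245 * state + 12345) % 2**31
        yield state & 0xFF

def xor_with_keystream(data, key):
    """Vernam-style transformation: XOR each byte with the keystream.
    The same call decrypts, since XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, len(data))))
```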
Modes of operation
The basic cipher transformation of a block can be combined in multiple modes when the plaintext is longer. Each mode has its weak and strong sides, and which mode is chosen generally depends on the situation or environment. The following paragraphs describe a few of the most used modes. Plaintext blocks will be referred to as P_i and ciphertext blocks as C_i.
[Figure: ECB-style use of a block cipher — each plaintext block is encrypted with E under the same key k]
[Figure: stream cipher — sender and receiver each initialize a DFSM with the shared key; the generated keystream is combined with the plaintext/ciphertext]
ECB (Electronic Code Book)
ECB represents the straightforward use of a block cipher: plaintext blocks are encrypted independently using the same key. Encryption and decryption can thus be expressed as follows:

C_i = E_k(P_i)
P_i = D_k(C_i)
Properties
The same blocks of plaintext are encrypted into the same blocks of ciphertext; this allows an attacker to search for repetitions. An attacker can also remove blocks or change their order without being caught (assuming no other integrity mechanism is present). An error in decrypting one block does not affect any subsequent blocks.
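The repetition weakness is easy to demonstrate with a toy stand-in for E_k — here a key-seeded permutation of single bytes, so one byte plays the role of one block (real ciphers use 64- or 128-bit blocks, but the ECB property is identical):

```python
import random

def make_toy_cipher(key):
    """Toy one-byte block cipher: a key-seeded random permutation of 0..255,
    standing in for (E_k, D_k). Deterministic for a given key."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    encrypt = lambda data: bytes(table[b] for b in data)    # ECB: block by block
    decrypt = lambda data: bytes(inverse[b] for b in data)
    return encrypt, decrypt
```

Encrypting b"HELLO HELLO" with any key yields a ciphertext whose two five-byte groups are identical — exactly the repetition an attacker searches for.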
CBC (Cipher Block Chaining)
CBC solves some security problems plaguing the ECB mode by linking the encryption of a plaintext block with the ciphertext of the previous block:

C_i = E_k(P_i ⊕ C_{i−1}),  i ≥ 1
P_i = C_{i−1} ⊕ D_k(C_i),  i ≥ 1

The value of C_0 is not available at the beginning. CBC mode therefore uses an initialization vector IV (a string of bits of the same length as the block) in its place.
Properties
The same plaintext encrypted with the same key leads to different ciphertexts, assuming the initialization vectors differ. Ciphertext block C_i depends on the value of plaintext block P_i as well as on the values of all prior plaintext blocks P_1, ..., P_{i−1}. This ensures that a change in the order of the ciphertext blocks will affect decryption. A change of a bit in the ciphertext affects two blocks of plaintext: if the change occurred in block C_i, plaintext block P_i will be affected as a whole, whereas block P_{i+1} will be affected only at the position of the changed bit.
CBC also offers the property of self-synchronization: the loss of one ciphertext block leads to the wrong decryption of the subsequent block, but further consecutive blocks are not affected.
[Figure: CBC mode — each plaintext block P_i is XORed with the previous ciphertext block C_{i−1} (the IV for the first block) and then encrypted with E under key k]
The initialization vector does not need to be kept secret; it is usually generated randomly and transmitted as the first block of the ciphertext. The only important thing is to preserve the integrity of the IV, because a change of the bits of the IV will propagate into the corresponding positions of plaintext block P_1.
OFB (Output Feedback)
OFB uses a block cipher as a synchronous stream cipher and can therefore serve as a recipe for transforming a block cipher into a stream cipher. The encryption transformation is used only within a generator of a stream of blocks that are XORed with the blocks of the plaintext. The internal state of the generator during the i-th step will be denoted R_i; its length matches the length of the block. A remarkable fact is that in OFB mode the existence of a decryption function plays no role.
C_i = P_i ⊕ R_i,  R_i = E_k(R_{i−1}),  i ≥ 1
P_i = C_i ⊕ R_i,  R_i = E_k(R_{i−1}),  i ≥ 1
Similarly to CBC, an initialization vector is used to initialize the generator of the stream of blocks (R_0 = IV) and can be transmitted in the open along with the ciphertext.
Properties
As in CBC mode, encryption of the same plaintext with the same key but a different IV leads to different ciphertexts. The stream of generated blocks is independent of the plaintext; it is therefore necessary to use a different IV whenever we communicate with the same key, because otherwise an attacker, by adding two ciphertexts, obtains the sum of the two plaintexts, and as mentioned for the Vernam cipher, this can lead to the revelation of both plaintexts.
A change (inversion) of bits in the ciphertext carries over as a change of the corresponding bits in the plaintext. This allows an attacker to influence the plaintext in a desired way without knowing it. If the attacker knows the plaintext, she is able to compute the stream of blocks R_i and construct a ciphertext for a plaintext of her choice.
The loss of any part of a ciphertext block means that all of the following ciphertext is affected by this loss. The main requirement in the construction of a stream cipher is to guarantee an appropriate length of the period of the generated stream.
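A sketch of OFB with an arbitrary byte permutation standing in for E_k. Note that the inverse of E is never needed, and that encryption and decryption are the same operation:

```python
def ofb_keystream(E, iv, n):
    """R_0 = IV; R_i = E_k(R_{i-1})."""
    r = iv
    for _ in range(n):
        r = E(r)
        yield r

def ofb_process(data, E, iv):
    """C_i = P_i XOR R_i; applying it to a ciphertext yields the plaintext."""
    return bytes(b ^ r for b, r in zip(data, ofb_keystream(E, iv, len(data))))
```

The malleability described above is visible directly: flipping a ciphertext bit flips exactly the same plaintext bit.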
CFB (Cipher Feedback)
CFB mode transforms a block cipher into a stream cipher in a similar fashion to OFB. In contrast to OFB, however, CFB constructs a self-synchronizing stream cipher with feedback from the ciphertext: a block of plaintext is encrypted by adding the encryption of the previous ciphertext block. Again, CFB does not employ the decryption function.
C_i = P_i ⊕ E_k(C_{i−1}),  i ≥ 1
P_i = C_i ⊕ E_k(C_{i−1}),  i ≥ 1
Again, the computation is initialized using an initialization vector IV used in place of C_0. The initialization vector is generated similarly to the previous modes.
[Figure: CFB mode — the previous ciphertext block C_{i−1} (the IV for the first block) is encrypted with E_k and XORed with P_i]
Properties
As with CBC and OFB, encryption of the same plaintext with the same key but different initialization vectors yields different ciphertexts. The initialization vector does not need to be kept secret; however, use of the same IV and key allows an attacker to obtain the sum of the first blocks of the plaintexts.
Similarly to CBC, ciphertext block C_i depends on the value of plaintext block P_i as well as on the values of all prior plaintext blocks P_1, ..., P_{i−1}. A change in the order of the ciphertext blocks influences decryption, and correct decryption of a block requires a correct previous block. Again, a change of a bit in the ciphertext affects two blocks of plaintext: if the change occurred in block C_i, plaintext block P_i is affected only at the position of the changed bit, whereas block P_{i+1} is affected as a whole (note that the roles are reversed compared to CBC).
As with CBC, CFB has the property of self-synchronization.
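A sketch of CFB under the same toy assumptions (one byte per block, an arbitrary byte permutation as E_k). The feedback now comes from the ciphertext, which is what produces the self-synchronization and the reversed error-propagation pattern:

```python
def cfb_encrypt(plaintext, E, iv):
    out, prev = [], iv
    for p in plaintext:
        c = p ^ E(prev)               # C_i = P_i XOR E_k(C_{i-1}), C_0 = IV
        out.append(c)
        prev = c
    return bytes(out)

def cfb_decrypt(ciphertext, E, iv):
    out, prev = [], iv
    for c in ciphertext:
        out.append(c ^ E(prev))       # P_i = C_i XOR E_k(C_{i-1})
        prev = c
    return bytes(out)
```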
Iterated ciphers
The largest group of block ciphers is formed by the iterated ciphers. The idea of an iterated cipher consists in the definition of a basic transformation (a round) that is then applied multiple times.
Subsequent rounds usually employ subkeys derived from the encryption key – in the first round subkey k_1, in the second k_2, etc. Subkeys are streams of bits deterministically derived from the encryption key. The process of deriving the subkeys is called key scheduling.
Cipher standards
Modern block ciphers are realized electronically as hardware modules or as software; therefore it is safe to assume that the alphabet used is binary. We can formally express a block cipher as follows:
Let V_n = {0,1}^n be the set of n-bit vectors. A block cipher is a pair of mappings E : V_n × K → V_n and D : V_n × K → V_n such that the following holds:

∀k ∈ K ∀p ∈ V_n : D_k(E_k(p)) = p,
where K is a finite set of keys. The number n is called the length of a block. Keys are retrieved from K independently and with equal probability. If K = V_l, we say that the effective length of the key is l bits. During cipher construction, two opposing requirements arise: the security of the key (usually, the larger the set K is, the more secure the key is) and the performance of the cipher (the smaller the set K is, the faster the cipher runs and the less space it occupies).
[Figure: iterated cipher — the round transformation F is applied r times; round i uses subkey k_i]
Feistel ciphers
Feistel ciphers are a class of iterated block ciphers in which the encryption algorithm has the same structure as the decryption algorithm. A Feistel cipher splits the text into two halves; the first (left) will be denoted L_0 and the second (right) R_0. In each round the values L_i, R_i are computed from the previous values according to the formulas:
L_i = R_{i−1}
R_i = L_{i−1} ⊕ f(k_i, R_{i−1}),  1 ≤ i ≤ r − 1,
where f is a transformation parameterized by the subkey k_i. The output after r rounds is the pair (L_r, R_r), where in the last round no swap of the halves is performed:

L_r = L_{r−1} ⊕ f(k_r, R_{r−1})
R_r = R_{r−1}
To decrypt a Feistel cipher, it is sufficient to use the same scheme; only the order of the used subkeys has to be reversed. The cryptographic properties of the algorithm are determined by the properties of the Feistel function f.
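The round formulas and the decrypt-with-reversed-subkeys property fit in a few lines; f is an arbitrary placeholder function and the halves are 16-bit integers here:

```python
def feistel(block, subkeys, f):
    """Generic Feistel scheme following the formulas above. Rounds 1..r-1
    swap the halves; the last round applies f without the swap. Decryption
    is the same function called with the subkeys in reverse order."""
    L, R = block
    for k in subkeys[:-1]:
        L, R = R, L ^ f(k, R)         # L_i = R_{i-1}; R_i = L_{i-1} XOR f(k_i, R_{i-1})
    return L ^ f(subkeys[-1], R), R   # L_r = L_{r-1} XOR f(k_r, R_{r-1}); R_r = R_{r-1}
```

Note that f does not need to be invertible — only repeatable — which is the main charm of the construction.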
Feistel network
The following ciphers are based on (generalized) Feistel network: Blowfish, Camellia, CAST-128,
CAST-256, DES, FEAL, KASUMI, LOKI97, Lucifer, MacGuffin, MAGENTA, MISTY1, RC2,
RC5, RC6, Skipjack, TEA, TripleDES, Twofish, XTEA.
DEA / DES (Data Encryption Algorithm / Standard)
DEA originates from the Feistel family of ciphers and employs the Feistel network with its own Feistel function and key scheduling. In 1976, it was selected in the USA as a Federal Information Processing Standard (FIPS), and DEA then became known as DES. DEA was originally designed by a team at IBM in 1972–73. DEA was suspected of having been tampered with by the NSA and of having backdoors in the form of its mysterious substitution boxes. On the other hand, DES was the first spark that ignited the popularization of cryptanalysis among technically minded people in the USA.
Nowadays, DES is outdated due to its small, 56-bit key, which allows successful attacks in less than 24 hours. However, originating from the IBM Lucifer cipher, DES provided the ground for more secure derived ciphers such as Triple DES, G-DES, DES-X, LOKI89, ICE, etc.
The DEA uses a Feistel network consisting of 16 rounds. The DEA block has a size of 64 bits. The key also has a size of 64 bits; however, the effective size is only 56 bits, as 8 bits are used only for parity checking during key scheduling and are thereafter discarded.
Structure of the DEA Feistel f-function
The f-function operates on half a block (32 bits) at a time and consists of four stages:
1. Expansion – the 32-bit half-block is expanded to 48 bits using the expansion permutation, which duplicates some of the bits.
2. Key mixing – the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys are derived from the main key using the key schedule.
3. Substitution – after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the substitution (S-) boxes. Each S-box replaces its 6 input bits with 4 output bits according to a non-linear transformation provided by a hardwired lookup table. Without the substitution, the cipher would be linear and trivially breakable.
4. Permutation – the 32-bit output from the S-boxes is rearranged according to a fixed permutation (the P-box).
Key scheduling
Initially, 56 bits of the key are selected
from the initial 64 by Permuted Choice 1 -
the remaining 8 bits are either discarded or
used as parity check bits. The 56 bits are
then divided into two 28-bit halves; each
half is thereafter treated separately. In
successive rounds, both halves are rotated
left by one or two bits (specified for each
round), and then 48 subkey bits are selected
by Permuted Choice 2 - 24 bits from the
left half, and 24 from the right. The
rotations (denoted by [<<<] in the diagram)
mean that a different set of bits is used in
each subkey; each bit is used in
approximately 14 out of the 16 subkeys.
The key schedule for decryption is similar -
it must generate the keys in the reverse
order. Rotations are then to the right.
[Figure: the DES f-function — the 32-bit half-block passes through the Expansion (to 48 bits), is XORed with the 48-bit subkey, goes through Substitution Boxes 1–8 (back to 32 bits) and finally through the Permutation to produce the 32-bit Feistel output]
[Figure: DES key schedule — the 64-bit input key is reduced by Permuted Choice 1 to 56 bits, split into two 28-bit halves which are rotated left (<<<) in each round; Permuted Choice 2 then selects the 48 bits of each subkey]
Breaking the DES
There are various known attacks on the DES:
1. Brute-force attack – performed by trying every possible key; the length of the key determines the number of possible keys. It is assumed that the NSA possessed enough power to break DES in the mid '70s. Still, the time complexity is 2^56 iterations.
2. Differential cryptanalysis – DES was designed to withstand this form of attack; however, DC is capable of breaking DES using 2^47 chosen plaintexts.
3. Linear cryptanalysis – the basic version of the attack requires 2^43 known plaintexts; however, refined versions are capable of breaking DES using 2^39 known plaintexts.
Multiple encryption
This metamethod is based on the fact that multiple encryption passes enhance the security of the cipher by simulating an enlargement of the key. Let us use X_k to denote a cipher transformation (either encryption or decryption) using the key k. Then we can compose encryption transformations and get double encryption:

c = X''_{k_2}(X'_{k_1}(p))

or triple encryption:

c = X'''_{k_3}(X''_{k_2}(X'_{k_1}(p)))
2TDES
Basically, it is a composition of two DES encryptions. We can use three modes of operation, denoted EE, ED and DE, according to the cipher transformations used. For example, this is the EE mode:

c = E_{k_2}(E_{k_1}(p))

2TDES is vulnerable to the following type of attack:
Meet in the Middle attack (MIM)
The MIM attack is an attack against multiple encryption with the same encryption algorithm; it is capable of reducing the time complexity of the brute-force attack at the price of expanded space complexity. The attack will be demonstrated on the 2TDES cipher in EE mode. Our ciphertext will be c = E_{k_2}(E_{k_1}(p)). Let the size of the keys k_1 and k_2 be l bits. We have n pairs of plain- and ciphertext (p_i, c_i), i = 1..n, encrypted using the same keys. The brute-force attack tries each pair of keys k_1 and k_2 and tests the correctness of the choice by evaluating whether c_i = E_{k_2}(E_{k_1}(p_i)) for i = 1..n. The time complexity in the average case is O(2^{2l}); the space complexity is O(1).
The MIM attack can lower the time complexity by enlarging the space complexity. For the pair (p_1, c_1) we first compute D_{k_2}(c_1) for every possible key k_2. The computed pairs (D_{k_2}(c_1), k_2) are stored in a hash table indexed by the first component. Then we encrypt the plaintext p_1 using each key k_1 and test whether the value E_{k_1}(p_1) is stored in the hash table. If we find a match, it means that we have found keys k_1 and k_2 such that E_{k_2}(E_{k_1}(p_1)) = c_1. There can be more such pairs of keys; they first have to be tested on the remaining pairs of plain- and ciphertexts. The time complexity of the attack is then O(2^l) and the space complexity is O(2^l).
As a result, 2TDES can be broken in essentially the same time as single DES.
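The attack is short enough to demonstrate end to end on a toy cipher with 8-bit keys and 8-bit blocks standing in for DES (E and D below are our own illustrative affine cipher, not DES):

```python
def E(k, p):
    """Toy invertible 8-bit 'block cipher'; 37 is invertible mod 256."""
    return ((p ^ k) * 37 + k) % 256

def D(k, c):
    return (((c - k) * 173) % 256) ^ k    # 173 = 37^(-1) mod 256

def mitm(pairs):
    """Meet in the middle on c = E_k2(E_k1(p)): tabulate D_k2(c_1) for all
    k2, probe with E_k1(p_1), confirm candidates on the remaining pairs."""
    p1, c1 = pairs[0]
    table = {}
    for k2 in range(256):
        table.setdefault(D(k2, c1), []).append(k2)
    for k1 in range(256):
        for k2 in table.get(E(k1, p1), []):
            if all(E(k2, E(k1, p)) == c for p, c in pairs[1:]):
                return k1, k2
    return None
```

Both loops run 2^l times instead of the 2^{2l} of brute force, at the cost of a 2^l-entry table — exactly the trade-off described above.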
Triple DES (TDES / TDEA / 3TDES / 3DES)
Triple DES effectively triples the length of the DES key, obtaining a size of 168 bits (3 × 56 bits). Triple DES operates in multiple modes, similarly to 2TDES.
A very popular mode is EDE:

c = E_{k_3}(D_{k_2}(E_{k_1}(p)))

Decryption applies the inverse transformations:

p = D_{k_1}(E_{k_2}(D_{k_3}(c)))
Very often we can observe the choice k_1 = k_3. Another advantage of the EDE mode is its backwards compatibility: when we use k_1 = k_2 = k_3, we obtain the original DES.
The best attack known (2005) on 3TDES requires around 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions and 2^88 memory cells. Triple DES is now being widely replaced by AES.
AES (Advanced Encryption Standard / Rijndael)
This cipher was introduced by Vincent Rijmen and Joan Daemen, and because of its qualities (fast, low memory requirements, safer), it won the NIST competition held in 1997–2000 to select a replacement for DES; as a result, it is now being deployed on a large scale.
The NIST competition included the following cryptosystems (the five finalists were MARS, RC6, Rijndael, Serpent and Twofish):
CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent and Twofish.
Rijndael is an iterated substitution–permutation network block cipher that uses a block size of 128 bits. The length of the key can be 128, 192 or 256 bits, and the corresponding numbers of rounds are 10, 12 and 14. Internally, the block of processed plain- or ciphertext is represented as a two-dimensional 4 × 4 array of bytes. The bytes are aligned in the array (known as the state of the algorithm) as follows:
0 4 8 12
1 5 9 13
2 6 10 14
3 7 11 15
Similarly to other iterated ciphers, Rijndael also uses key scheduling to construct subkeys from the
original encryption key.
Encryption
Rijndael transforms plaintext blocks using four operations:
1. SubBytes – substitution of bytes. Each byte of the state is replaced by a new byte according to a defined substitution S : {0,1}^8 → {0,1}^8. S is a bijection and, among other functions, it assures that the encryption is non-linear.
2. ShiftRows – cyclic shift of the rows of the state. Each row is shifted to the left by a different number of bytes (the first row does not change; subsequent rows are shifted by an increasing number of bytes):
before ShiftRows:
s_{0,0} s_{0,1} s_{0,2} s_{0,3}
s_{1,0} s_{1,1} s_{1,2} s_{1,3}
s_{2,0} s_{2,1} s_{2,2} s_{2,3}
s_{3,0} s_{3,1} s_{3,2} s_{3,3}
after ShiftRows:
s_{0,0} s_{0,1} s_{0,2} s_{0,3}
s_{1,1} s_{1,2} s_{1,3} s_{1,0}
s_{2,2} s_{2,3} s_{2,0} s_{2,1}
s_{3,3} s_{3,0} s_{3,1} s_{3,2}
3. MixColumns – transformation of the columns of the state. Each column (consisting of the bytes s_{0,c}, ..., s_{3,c}) is replaced by a new column according to the following formula:

( 02 03 01 01 )   ( s_{0,c} )
( 01 02 03 01 ) · ( s_{1,c} )
( 01 01 02 03 )   ( s_{2,c} )
( 03 01 01 02 )   ( s_{3,c} )

In this matrix multiplication the components of both matrices are interpreted as elements of the finite field GF(2^8) generated by the irreducible polynomial x^8 + x^4 + x^3 + x + 1. Addition is realized as a simple byte XOR.
4. AddRoundKey – addition of a subkey of 16-byte length (128 bits) to the state. The addition is performed as an XOR of the corresponding bytes of the subkey and the state.
Each round consists of the same sequence of these operations, except at the beginning (before the first round an extra AddRoundKey operation is inserted) and in the last round (the MixColumns operation is omitted). Schematically, we can express the sequences of encryption and decryption operations as follows:

encryption: plaintext → AddRoundKey → (SubBytes → ShiftRows → MixColumns → AddRoundKey) × (r − 1) → SubBytes → ShiftRows → AddRoundKey → ciphertext
decryption: ciphertext → AddRoundKey → (InvShiftRows → InvSubBytes → AddRoundKey → InvMixColumns) × (r − 1) → InvShiftRows → InvSubBytes → AddRoundKey → plaintext

Decryption
Transformation of the ciphertext during decryption uses the inverses of the transformations used in encryption, with the only exception being AddRoundKey (XOR of the same subkey as in encryption removes the subkey from the ciphertext). Therefore, we use the following operations:
1. InvSubBytes – substitution of the bytes of the state; the inverse function (permutation) S^{-1} is used.
2. InvShiftRows – cyclic shift of the rows of the state to the right (as opposed to encryption). The first row remains the same; the rest are shifted by one, two and three bytes.
3. InvMixColumns – transformation of the columns of the state using the matrix inverse to the matrix used during encryption.
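The GF(2^8) arithmetic used by MixColumns and InvMixColumns can be sketched as follows; `xtime` (multiplication by x) is the standard building block of the byte multiplication:

```python
def xtime(a):
    """Multiply by x in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8); addition in the field is XOR."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def mix_column(col):
    """Apply the circulant MixColumns matrix (02 03 01 01) to one column."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
        a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
        a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
        gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3),
    ]
```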
Key scheduling
Key scheduling has to take in account the variable length of a key and different number of rounds.
Word in the Rijndael algorithm denotes a sequence of 4 bytes. Words are basic units of the key
scheduling algorithm. Algorithm creates sufficiently large array of words w and the subkeys are
extracted consecutively during the algorithm run.
Let k denote number of words for keys of size 128, 192 and 256 bits the value of k is 4, 6 and 8.
Beginning of the array w is filled with the encryption key. Another words in w are computed as a
XOR of the words w[i 1] and w[i k]. In case that the actual position of the word (i) is divisible
by the k, transformation of the w[i 1] is executed. Transformation consists of cyclic shift of the
bytes to the right followed by substitution of each byte in a word using the SubBytes S function. At
last, the predefined constant is also added to this word.
Security
The only known successful attacks to date (2006) are side-channel attacks (attacks based on information gained from the physical implementation of a cryptosystem rather than from theoretical weaknesses in the algorithms). Side-channel attacks do not attack the underlying cipher, but rather implementations of the cipher on systems which inadvertently leak data.
In April 2005, D.J. Bernstein announced a cache-timing attack that was used to break a custom server running OpenSSL's AES encryption. The custom server was designed to give out as much timing information as possible, and the attack required over 200 million chosen plaintexts.
In October 2005, Adi Shamir presented a paper demonstrating several cache timing attacks against
AES. One attack was able to obtain an entire AES key after only 800 writes, in 65 milliseconds.
These attacks require the attacker to be able to run programs on the same system that is performing
AES encryptions.
AES is recognized as the first public cipher that was approved by NSA for Top Secret information.
IDEA (International Data Encryption Algorithm)
Designed at ETH Zürich in 1991, IDEA is a block cipher used in PGP 2.0, and it remains an option in OpenPGP.
IDEA operates on 64-bit blocks using a 128-bit key and consists of a series of eight identical transformations (rounds) and an output transformation (the half-round). The processes for encryption and decryption are similar. IDEA derives much of its security from interleaving operations from different groups – modular addition and multiplication, and bitwise XOR – which are algebraically "incompatible" in some sense. All of these operations deal with 16-bit quantities:
1. bitwise eXclusive OR (XOR)
2. addition modulo 2^16
3. multiplication modulo 2^16 + 1, where the all-zero word (0000H) is interpreted as 2^16
The following diagram demonstrates the round of IDEA algorithm:
IDEA network round
Security
The designers analyzed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune under certain assumptions. No successful linear or algebraic weaknesses have been reported. Some classes of weak keys have been found, although their cardinality makes them practically irrelevant. As of 2004, the best attack that applies to all keys can break IDEA reduced to 5 rounds (the full IDEA cipher uses 8.5 rounds).
A problem that hindered wide adoption of IDEA is its US patents, which expire in 2011.
Blowfish
Blowfish is an iterated block cipher based on a Feistel network, designed by Bruce Schneier. Blowfish has been adopted by many products, as its availability is guaranteed by its public domain status.
Notable features of the design include key-dependent S-boxes and a highly complex key schedule.
Blowfish operates on 64-bit blocks and uses keys of 32 to 448 bits in length. It is a 16-round Feistel cipher and uses large key-dependent S-boxes.
The diagram shows the action of Blowfish. Each line represents 32 bits. The algorithm keeps two subkey arrays: the 18-entry P-array and four 256-entry S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. One entry of the P-array is used in every round, and after the final round, each half of the data block is XORed with one of the two remaining unused P-entries.
(Diagram: the Blowfish Feistel network. The 64-bit block is split into halves L and R; subkeys P1 to P18 are XORed in across the 16 rounds, with the round function f applied to one half in each round.)
Feistel function
The function splits the 32-bit input into four eight-bit quarters and uses the quarters as input to the S-boxes. The outputs are combined by addition modulo 2^32 and XOR to produce the final 32-bit output.
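The round function just described can be sketched in a few lines. The S-box contents below are dummy values chosen only so the sketch runs; in real Blowfish they come from the key schedule.

```python
# Sketch of the Blowfish round function F. Assumes four S-boxes given as
# lists of 256 32-bit entries; dummy values are generated here for the demo.
S = [[(i * 0x9E3779B9 + box) & 0xFFFFFFFF for i in range(256)]
     for box in range(4)]

def F(x: int) -> int:
    """Split 32-bit x into four bytes a, b, c, d and combine the S-box
    outputs as ((S1[a] + S2[b]) XOR S3[c]) + S4[d], all modulo 2^32."""
    a = (x >> 24) & 0xFF
    b = (x >> 16) & 0xFF
    c = (x >> 8) & 0xFF
    d = x & 0xFF
    return ((((S[0][a] + S[1][b]) & 0xFFFFFFFF) ^ S[2][c]) + S[3][d]) & 0xFFFFFFFF
```

With the dummy S-boxes, F(0) combines S[0][0]=0, S[1][0]=1, S[2][0]=2 and S[3][0]=3 into ((0+1)^2)+3 = 6.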
Key scheduling
Blowfish's key schedule starts by initializing the P-array and S-boxes with values derived from the hexadecimal digits of π, which contain no obvious pattern. The secret key is then XORed with the P-entries in order (cycling the key if necessary). A 64-bit all-zero block is then encrypted with the algorithm as it stands. The resulting ciphertext replaces P1 and P2. The ciphertext is then encrypted again with the new subkeys, and P3 and P4 are replaced by the new ciphertext. This continues until the entire P-array and all the S-box entries have been replaced. In all, the Blowfish encryption algorithm runs 521 times to generate all the subkeys; about 4 KB of data is processed.
Security
As of 2006, there is no known effective attack on Blowfish. Still, its 64-bit block size is a drawback for large files, as encrypting more than 2^32 blocks under one key would leak information about the plaintext due to the birthday attack.
Practical usage
Blowfish is one of the fastest block ciphers in widespread use, except when changing keys. Each new key requires preprocessing equivalent to encrypting about 4 kB of text, which is very slow compared to other block ciphers. This prevents its use in applications where keys change frequently. The password-hashing method used in OpenBSD uses an algorithm derived from Blowfish that makes use of the slow key schedule; the idea is that the extra computational effort required gives protection against dictionary attacks.
In some implementations, Blowfish has a relatively large memory footprint of just over 4 kB. This is not a problem even for older, smaller desktop and laptop computers, but it does prevent use in the smallest embedded systems such as early smartcards.
Blowfish is not subject to any patents and is therefore freely available for anyone to use. This has
contributed to its popularity in cryptographic software.
32
8 bits 8 bits 8 bits 8 bits
S-Box
1
S-Box
2
S-Box
3
S-Box
4
output
32 bit 32 bit 32 bit 32 bit
Asymmetric cryptography
Basics of asymmetric (public key) cryptography
The beginning of asymmetric (public key) cryptography officially dates back to 1976, when Whitfield Diffie and Martin Hellman published their key-exchange algorithm. Unofficially, though, there are rumors that the NSA used public key cryptography already in the late 1960s as a part of the security mechanism embedded into the PAL (Permissive Action Link) of nuclear missiles.
The first applications were constructions of asymmetric cryptosystems and key-exchange protocols. Nowadays, asymmetric cryptography provides the basis for various systems, such as digital signatures, electronic money or electronic elections.
Formally, we can express asymmetric system this way:
An asymmetric cryptosystem is a pair of functions, public and private. Both of these functions are constructed (chosen) by the user. The public function is published by the user and is available to anyone; the private function remains an unpublished property of the user. The public function serves encryption, the private function decryption. Therefore, encryption can be performed by anyone; decryption only by the owner of the private function. Sometimes the asymmetric system is presented as a class of functions parametrized by keys; we then talk about a public and a private key.
Let us denote the set of all plaintexts as P, ciphertexts as C, and let R denote the set {0, 1}*. Let E : P × R → C be the public function and D : C → P the private function. The role of the set R in the encryption function E is to allow a random choice during encryption; the plaintext is then encrypted into one of several potential ciphertexts. Some cryptosystems do not use randomization (RSA), in others it is an essential component of encryption (Elgamal). Systems that use randomized encryption are called randomized.
An asymmetric system must satisfy the following properties to be usable:
1. Correctness: deciphering the ciphertext leads to the original plaintext:
   ∀m ∈ P ∀r ∈ R: D(E(m, r)) = m
2. Realizability: the functions E and D are algorithmically effectively realizable, and their construction by the user is also effective. Effective usually means with deterministic (probabilistic) polynomial time complexity.
3. Security: from the knowledge of E it is practically impossible to determine a function D* such that D* is effectively realizable and D*(c) = D(c) for a considerable amount of c ∈ C. The inverse function therefore cannot be easily determined from the knowledge of E alone.
Hybrid encryption
Contemporary asymmetric cryptosystems are substantially slower than symmetric cryptosystems in both encryption and decryption. As speed is one of the most substantial requirements placed on a cryptosystem, this represents a major drawback of asymmetric cryptography. To avoid this obstacle, the concept of hybrid encryption was introduced, combining the strengths of asymmetric systems (better security and key maintenance) with those of symmetric systems (faster operation).
A hybrid system uses a symmetric system to encrypt the transmitted data with a randomly generated key. The asymmetric system is used to encrypt this key with the recipient's public function. After receiving the ciphertext, the receiver first deciphers the key using her private function and then deciphers the data using the obtained key.
Let E_A, D_A denote the public and private function of user A, who is the recipient of a message m. E and D are the encryption and decryption algorithms of some symmetric system. Hybrid encryption consists of the following steps:
Choose a random symmetric key k. The following tuple is sent to recipient A:
   (E_A(k, r), E_k(m))
where r is randomly chosen from R (it represents the random part of the asymmetric encryption).
User A then deciphers the symmetric key:
   D_A(E_A(k, r)) = k
and subsequently also the message:
   D_k(E_k(m)) = m
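The steps above can be sketched with toy components. The asymmetric part below is textbook RSA with tiny demo primes and the symmetric part is a single-byte XOR standing in for a real cipher such as AES; both are illustrative assumptions, not a usable scheme.

```python
import secrets

# Toy hybrid encryption sketch (demo parameters only).
p, q = 61, 53
n = p * q                               # 3233
e, d = 17, 2753                         # e*d ≡ 1 (mod (p-1)(q-1))

def rsa_enc(m): return pow(m, e, n)     # recipient's public function E_A
def rsa_dec(c): return pow(c, d, n)     # recipient's private function D_A

def xor_cipher(data: bytes, key: int) -> bytes:
    # toy symmetric cipher E_k / D_k: XOR every byte with an 8-bit key
    return bytes(b ^ key for b in data)

# sender: random symmetric key k, transmitted as the pair (E_A(k), E_k(m))
k = secrets.randbelow(255) + 1
wrapped_key = rsa_enc(k)
ciphertext = xor_cipher(b"hello", k)

# recipient: first unwrap the key, then decipher the data
k2 = rsa_dec(wrapped_key)
plaintext = xor_cipher(ciphertext, k2)
assert plaintext == b"hello"
```

Only the short key passes through the slow asymmetric path; the bulk data goes through the fast symmetric cipher, which is exactly the point of the hybrid construction.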
The security of hybrid encryption depends on the security of both the asymmetric and the symmetric system used: a compromise of either of them compromises the whole hybrid system.
Asymmetric protocols
In the electronic space we would like to construct objects and procedures common in the real world, such as signatures, money, elections etc. Most of their real-world properties cannot be transferred directly into the electronic space, so we need to create electronic equivalents and ensure their usability, among other means, by cryptography. Solutions using exclusively symmetric cryptography either do not exist or are very ineffective. Usable constructions are therefore based on asymmetric cryptography and other cryptographic primitives, such as one-way functions, cryptographic hash functions or secret sharing schemes.
RSA
RSA is one of the best known and most widely used asymmetric cryptography protocols. It was published in 1978 by Ronald Rivest, Adi Shamir and Leonard Adleman of MIT, and its name is composed of the first letters of its authors' surnames. Its cryptographic strength is based on the problem of factorization.
Initialization
Initialization is the process of creating the private and public key of the respective RSA instance.
1. Two different sufficiently large prime numbers p and q are chosen. Let n = p·q.
2. A natural number e is chosen that satisfies 1 < e < φ(n) and gcd(e, φ(n)) = 1, where φ(n) = (p − 1)(q − 1) is the Euler function and gcd denotes the greatest common divisor (highest common factor) of its arguments. Therefore e and φ(n) are coprime.
3. A number d is computed that satisfies e·d ≡ 1 (mod φ(n)).
What counts as sufficiently large prime numbers depends on the efficiency of contemporary factorization methods (factorization extracts the prime factors of a number) and on the degree of security we require from the system. Nowadays, 512-bit prime numbers are considered safe (after multiplication we get at least a 1024-bit modulus).
The public key is then the pair (e, n). The private key is the value of d. The parameter d is also called the private exponent and e the public exponent. The primes p and q are not required for the use of RSA, and we can discard them after initialization. It is, however, important that p and q do not fall into the hands of potential attackers.
Both plaintexts and ciphertexts come from the space Z_n = {0, 1, ..., n − 1}. The essential parts of the RSA cryptosystem can finally be expressed:
   encryption: E(m) = m^e mod n
   decryption: D(c) = c^d mod n
During the decrypting transformation it is required to know the value of n besides the private key d; but n is already a part of the public key.
RSA can be used as a typical block cipher; the block size is given by the number of bits of n.
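The initialization and encryption steps can be checked with a toy instance. The primes below are far too small for real use and serve only to illustrate the arithmetic; Python's three-argument pow performs modular exponentiation and pow(e, -1, phi) computes the modular inverse.

```python
import math

# Toy RSA instance following the initialization steps above.
p, q = 1009, 2003                 # demo primes (far too small for real use)
n = p * q
phi = (p - 1) * (q - 1)           # φ(n) = (p-1)(q-1)
e = 65537                         # common public exponent
assert math.gcd(e, phi) == 1      # e must be coprime with φ(n)
d = pow(e, -1, phi)               # private exponent: e*d ≡ 1 (mod φ(n))

m = 123456                        # plaintext from Z_n
c = pow(m, e, n)                  # encryption: m^e mod n
assert pow(c, d, n) == m          # decryption c^d mod n recovers m
```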
Correctness of RSA
In this section we show the mathematical correctness of RSA: that after decryption of a ciphertext we get the original plaintext again.
Theorem (Correctness of RSA)
For each RSA instance, ∀m ∈ Z_n: D(E(m)) = m.
Proof: Let e and d be the public and private exponent in an instance of RSA with n = p·q. We need to show that (m^e mod n)^d mod n = m for all m ∈ Z_n.
A special case is m = 0; then E(m) = D(m) = 0.
For m ∈ Z_n, m ≠ 0, we consider two cases: gcd(n, m) = 1 and gcd(n, m) ≠ 1. We know that e·d ≡ 1 (mod φ(n)); thus ∃k: e·d = 1 + k·φ(n).
1. gcd(n, m) = 1. Let us compute:
   D(E(m)) = (m^e mod n)^d mod n
           = m^(e·d) mod n
           = m^(1 + k·φ(n)) mod n
           = m·(m^(φ(n)))^k mod n
           = m mod n = m.
The penultimate equality is a consequence of Euler's theorem.
2. gcd(n, m) ≠ 1. Then either p | m or q | m (but not both at the same time, because 0 < m < n). Without loss of generality assume that m = l·p^s, where s ≥ 1, gcd(n, l) = 1 and s, l ∈ N. Then
   D(E(m)) = m^(e·d) mod n = (l·p^s)^(1 + k·φ(n)) mod n = l·(p^(1 + k·φ(n)))^s mod n    (1)
(the exponent on l disappears because l^(1 + k·φ(n)) ≡ l (mod n) by case 1). According to the small Fermat theorem, p^(q−1) ≡ 1 (mod q). Therefore
   p^((q−1)(p−1)) ≡ 1 (mod q)
   p^(k·φ(n)) = 1 + a·q for some a ∈ N
   p^(k·φ(n)+1) = p + a·p·q = p + a·n
   p^(k·φ(n)+1) ≡ p (mod n)
Substituting into (1) we get:
   D(E(m)) = l·p^s mod n = m.
QED
To fully justify the steps relying on Euler's theorem, we first take a short detour into number theory.
Extended Euclidean algorithm:
The algorithm computes, for a given pair of natural numbers a, b, their greatest common divisor (denoted gcd(a, b)) and integers u, v such that u·b + v·a = gcd(a, b). Without loss of generality we assume that a ≥ b.
Procedure:
   s_0 = a; s_1 = b; u_0 = 0; u_1 = 1; v_0 = 1; v_1 = 0;
   n = 1;
   while s_n > 0
      n = n + 1;
      q_n = s_{n-2} / s_{n-1};          // integer division
      s_n = s_{n-2} − q_n · s_{n-1};
      u_n = q_n · u_{n-1} + u_{n-2};
      v_n = q_n · v_{n-1} + v_{n-2};
   end
   u = (−1)^n · u_{n-1};
   v = (−1)^(n−1) · v_{n-1};
   gcd(a, b) = s_{n-1};
In the following auxiliary statement, the correctness of the extended Euclidean algorithm is proven.
Auxiliary: Let a, b be natural numbers with a ≥ b. Then
   gcd(a, b) = s_{n-1}    (*)
   u·b + v·a = gcd(a, b)    (**)
Proof: Property (*) (which corresponds to the classical Euclidean algorithm) is obtained from the fact that:
   gcd(a, b) = gcd(b, a mod b) = gcd(b, s_2)
             = gcd(s_2, b mod s_2) = gcd(s_2, s_3)
             = ...
             = gcd(s_{n-2}, s_{n-1}) = s_{n-1}
Now property (**) will be proven. First, using mathematical induction, we show that
   ∀k ∈ {0, ..., n}: (−1)^(k+1) · u_k · b + (−1)^k · v_k · a = s_k:
1. k = 0: (−1)^1 · u_0 · b + (−1)^0 · v_0 · a = 0 + a = s_0
   k = 1: (−1)^2 · u_1 · b + (−1)^1 · v_1 · a = b − 0 = s_1
2. Assume that the identity holds up to k − 1. We show its validity for k:
   (−1)^(k+1) · u_k · b + (−1)^k · v_k · a
     = (−1)^(k+1) · (q_k · u_{k−1} + u_{k−2}) · b + (−1)^k · (q_k · v_{k−1} + v_{k−2}) · a
     = −q_k · ((−1)^k · u_{k−1} · b + (−1)^(k−1) · v_{k−1} · a) + (−1)^(k+1) · u_{k−2} · b + (−1)^k · v_{k−2} · a
     = −q_k · s_{k−1} + (−1)^(k−1) · u_{k−2} · b + (−1)^(k−2) · v_{k−2} · a
     = −q_k · s_{k−1} + s_{k−2}
     = s_k
From the proven identity (taken at k = n − 1) and using property (*) we obtain:
   (−1)^n · u_{n−1} · b + (−1)^(n−1) · v_{n−1} · a = u·b + v·a = s_{n−1} = gcd(a, b)
QED
Auxiliary: Let a ≥ b be two coprime natural numbers, i.e. gcd(a, b) = 1. Then ∃u, v: v·a + u·b = 1.
Proof: This fact is obtained directly from the extended Euclidean algorithm.
Let a ≥ b be two coprime natural numbers. Then, according to the auxiliary above, there exist two numbers u, v such that v·a + u·b = 1. Thus v·a = 1 + b·(−u), and this implies that v·a ≡ 1 (mod b).
The extended Euclidean algorithm therefore proves the existence of an inverse of a with respect to multiplication modulo b. Moreover, the algorithm provides a recipe for computing this inverse (in our case v). Additionally, every number of the form v + b·t for an integer t is also such an inverse.
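The inverse promised by the lemma can be checked numerically. Python's built-in pow(a, -1, b) runs the extended Euclidean algorithm internally and requires gcd(a, b) = 1; the values 17 and 3120 below are just a demo pair.

```python
# Modular inverse via the extended Euclidean algorithm (built into pow).
a, b = 17, 3120
v = pow(a, -1, b)          # the inverse v with v*a ≡ 1 (mod b)
assert (v * a) % b == 1

# every v + b*t is also an inverse of a modulo b
for t in (1, 2, -1):
    assert ((v + b * t) * a) % b == 1
```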
Euler's theorem
At first, some auxiliary statements will be provided.
Auxiliary: Let n, a, b, k ∈ N. If k·a ≡ k·b (mod n) and gcd(k, n) = 1, then a ≡ b (mod n).
Proof: If a = b, the auxiliary holds trivially. Without loss of generality we may assume a > b. Then there exists l such that k·(a − b) = l·n.    (***)
Because gcd(k, n) = 1, according to the previous auxiliary ∃u, v: k·u + n·v = 1. From this formula we express k and substitute into (***):
   ((1 − n·v)/u)·(a − b) = l·n
   a − b = l·n·u + n·v·(a − b)
   a − b = n·(l·u + v·(a − b))
Therefore a ≡ b (mod n).
Definition: For an arbitrary natural number n, let Z_n* = {a ∈ Z_n : gcd(a, n) = 1} and φ(n) = |Z_n*|. The function φ(n) is called the Euler function.
Remark: If p is a prime number, then Z_p* = {1, ..., p − 1}. If n = p·q is a product of two primes, then φ(n) = (p − 1)(q − 1).
Auxiliary: Let a ∈ Z_n* and Z_n* = {r_1, ..., r_φ(n)}. Then {a·r_1 mod n, ..., a·r_φ(n) mod n} = Z_n*.
Proof: We need to show that the numbers a·r_1 mod n, ..., a·r_φ(n) mod n are mutually different and coprime with n. It is easy to show that 0 < a·r_i mod n < n for i = 1, ..., φ(n).
1. Let i, j ∈ {1, ..., φ(n)} be indexes such that a·r_i mod n = a·r_j mod n. Because gcd(a, n) = 1, the previous auxiliary gives r_i ≡ r_j (mod n). By assumption r_i, r_j < n, thus r_i = r_j and hence i = j. Therefore the numbers in the sequence a·r_1 mod n, ..., a·r_φ(n) mod n are mutually different.
2. For all i ∈ {1, ..., φ(n)}: gcd(r_i, n) = 1. Similarly, gcd(a, n) = 1. Therefore also gcd(a·r_i mod n, n) = 1.
Euler's theorem: Let n, a ∈ N and gcd(a, n) = 1. Then a^φ(n) ≡ 1 (mod n).
Proof: Let Z_n* = {r_1, ..., r_φ(n)}. Then
   ∏_{i=1}^{φ(n)} r_i ≡ ∏_{i=1}^{φ(n)} a·r_i ≡ a^φ(n) · ∏_{i=1}^{φ(n)} r_i (mod n)
Recall that the first congruence is a consequence of the previous auxiliary. Because gcd(∏_{i=1}^{φ(n)} r_i, n) = 1, according to the cancellation auxiliary we get:
   a^φ(n) ≡ 1 (mod n)    QED
Corollary (small Fermat theorem): Let p be a prime number and let a be such that p ∤ a (p does not divide a). Then a^(p−1) ≡ 1 (mod p).
Proof: φ(p) = p − 1.
Security of RSA
The security of RSA depends on the problem of factorization, i.e. the problem of decomposing n into the product of the two primes p and q. If n were easily factorizable, then anybody could obtain the value of d in the same way as we do in the initialization step, from the values of e and φ(n). Therefore, if we are able to factor n, we are able to break RSA. The opposite direction, however, is an open problem (whether breaking RSA solves factorization).
Factorization of n using the knowledge of φ(n)
Anybody knowing the value of φ(n) is capable of finding the prime factors p and q by solving the system of two equations:
   p·q = n
   (p − 1)(q − 1) = φ(n)
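The system above reduces to a quadratic: since p + q = n − φ(n) + 1, the primes are the roots of x² − (p + q)·x + n = 0. A small sketch (the demo values n = 3233, φ(n) = 3120 correspond to p = 53, q = 61):

```python
import math

def factor_from_phi(n: int, phi: int):
    """Recover p, q from n = p*q and phi = (p-1)(q-1) by solving
    x^2 - (n - phi + 1)*x + n = 0."""
    s = n - phi + 1              # s = p + q
    disc = s * s - 4 * n         # discriminant = (p - q)^2
    t = math.isqrt(disc)
    return (s - t) // 2, (s + t) // 2

p, q = factor_from_phi(3233, 3120)
assert p * q == 3233
```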
Factorization of n using the knowledge of e and d
It is possible to factor n using the knowledge of e and d. It is therefore strongly advised not to share the same value of n among several users: the knowledge of one pair e, d leads to an effective factorization of n, and the communication between those users could then no longer be considered safe.
Special factorization algorithms
If primes p and q are of special structure, we can use special factorization algorithms.
One algorithm exploits the case when p and q are close (|p − q| is not large enough); another one can factor n when p − 1 (or q − 1) has no large prime factor.
Small message space
The attacker intercepts a ciphertext and, using the knowledge of the public exponent e, tries to generate possible messages and encrypt them. If one of the encrypted messages matches the intercepted ciphertext, the attacker has found the exact plaintext. This is feasible only when the message space is small, i.e. the number of possible plaintexts is low.
Attack on the small public exponent e
The advantage of a small public exponent e lies in the speed of encryption or of verification of digital signatures, and in smaller memory requirements. These advantages are however accompanied by security risks, especially when sending the same message to several recipients or sending messages that are polynomially dependent.
Attack on the short private exponent d
Similarly to the previous case, a small private exponent d allows faster decryption and lowers memory requirements; however, there is a known attack that is able to compute the private key whenever d < n^0.292 and e < n^1.875. The second relation is usually satisfied in practice.
Elgamal
This cryptosystem was published in 1984 by Taher Elgamal, later chief scientist at Netscape and inventor of SSL. It is based on the problem of the discrete logarithm.
Discrete logarithm: Let (G, ·) be a finite group and b, y ∈ G. A discrete logarithm of y to the base b is an arbitrary x such that b^x = y. The discrete logarithm problem denotes the problem of finding the discrete logarithm for given values of b and y. For cyclic groups, a stronger statement can be formulated: let (G, ·) be a finite cyclic group of order n and g ∈ G its generator. For a given y ∈ G it is necessary to compute x ∈ Z_n such that g^x = y.
Initialization
Choose a large prime number p and g ∈ Z_p* (g does not necessarily have to be a generator). The values of p and g can be shared by the users. Next, choose a random x ∈_R {2, 3, ..., p − 2} and compute y = g^x mod p. The public key is then the triple (y, p, g); the private key is the value of x.
Encryption
Plaintext space is a set
p
*
, for larger texts these can be split into the blocks of required size. Let
the m
p
*
be plaintext (message) we intend to encrypt:
1. We choose random x
R
1, 2, p1 .
2. Ciphertext is a pair
r , s
, where r=g
k
mod p and s=y
k
m mod p (y is part of public
key).
Decryption
A user with the knowledge of the private key x can decipher the message:
   m = (r^x)^(−1) · s mod p
Correctness of Elgamal
We have an instance of the Elgamal system with parameters p, g, y, x; m ∈ Z_p* is a message and (r, s) its encrypted form. Then
   (r^x)^(−1) · s mod p = (g^(k·x))^(−1) · y^k · m mod p = g^(−k·x) · g^(k·x) · m mod p = m mod p = m
The Elgamal cryptosystem is used in SSH and inspired the basis of the Digital Signature Algorithm (DSA).
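An Elgamal roundtrip can be sketched with a small demo prime (p = 467, g = 2 are illustrative values only; real deployments use primes of 2048 bits or more):

```python
import secrets

# Toy Elgamal instance.
p, g = 467, 2
x = secrets.randbelow(p - 3) + 2        # private key x in {2, ..., p-2}
y = pow(g, x, p)                        # public key component y = g^x mod p

m = 123                                 # message from Z_p*
k = secrets.randbelow(p - 2) + 1        # ephemeral k
r = pow(g, k, p)                        # r = g^k mod p
s = (pow(y, k, p) * m) % p              # s = y^k * m mod p

# decryption: m = (r^x)^(-1) * s mod p
recovered = (pow(pow(r, x, p), -1, p) * s) % p
assert recovered == m
```

Note that each encryption draws a fresh k, so the same plaintext yields different ciphertexts: Elgamal is a randomized cryptosystem in the sense defined earlier.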
Rabin
In 1979, Michael Oser Rabin published the first asymmetric cryptosystem whose security was mathematically proven. Its strength rests on the problem of factorization, and mathematically it is based on quadratic residues.
Quadratic residue: A number a ∈ Z_n* = {a ∈ {1, ..., n − 1} : gcd(a, n) = 1}, i.e. coprime with n, is called a quadratic residue modulo n and denoted a ∈ QR_n if there exists b ∈ Z_n such that b^2 ≡ a (mod n). If no such b exists, we call a a quadratic non-residue modulo n and denote a ∈ QNR_n.
Initialization
Choose two large prime numbers p, q, p ≠ q. To simplify the computation of square roots modulo p and q, the primes can be chosen to satisfy p ≡ q ≡ 3 (mod 4), but this is not necessary.
Let n = p·q; then n is the public key, and p and q form the private key.
Encryption
The ciphertext is simply the square of the message, i.e. ∀m ∈ Z_n: c = E(m) = m^2 mod n.
Decryption
Due to the nature of quadratic residues, one ciphertext can be obtained from four plaintexts.
If gcd(m, n) = 1, then E(m) ∈ QR_n. Because n is a product of two primes, each c ∈ QR_n has exactly four square roots. (We leave aside the possibility that gcd(m, n) ≠ 1, which is very improbable.) The four square roots can be computed by determining the square roots modulo p and modulo q. For p ≡ q ≡ 3 (mod 4) we obtain:
   r_{1,2} = ±c^((p+1)/4) mod p
   r_{3,4} = ±c^((q+1)/4) mod q
The square roots of c modulo n are then obtained by their linear combination according to the Chinese remainder theorem:
   M_1 = (a·r_1 + b·r_3) mod n    M_2 = (a·r_1 + b·r_4) mod n
   M_3 = (a·r_2 + b·r_3) mod n    M_4 = (a·r_2 + b·r_4) mod n,
where a = q·(q^(−1) mod p) and b = p·(p^(−1) mod q).
To identify the correct plaintext, we have to either specify the format of the message or use
additional techniques, such as padding.
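The decryption steps can be sketched with tiny demo primes p = 7, q = 11 (both ≡ 3 mod 4); the message m = 20 is an illustrative choice:

```python
# Rabin decryption sketch for p ≡ q ≡ 3 (mod 4).
p, q = 7, 11
n = p * q

m = 20                        # demo message, gcd(m, n) = 1
c = (m * m) % n               # encryption: c = m^2 mod n

# square roots of c modulo p and modulo q (valid because p, q ≡ 3 mod 4)
rp = pow(c, (p + 1) // 4, p)
rq = pow(c, (q + 1) // 4, q)

# CRT combination: a = q*(q^-1 mod p), b = p*(p^-1 mod q)
a = q * pow(q, -1, p)
b = p * pow(p, -1, q)
roots = sorted({(sp * a + sq * b) % n
                for sp in (rp, p - rp) for sq in (rq, q - rq)})

assert m in roots                             # plaintext is one of the roots
assert all((r * r) % n == c for r in roots)   # all four are square roots of c
```

All four candidates square to the same ciphertext, which is exactly why the message format or padding is needed to pick the right one.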
Security of Rabin
The great advantage of the Rabin cryptosystem is that the code can only be broken if the
codebreaker is capable of efficiently factoring the public key n.
It has been proven that decoding the Rabin cryptosystem is equivalent to the factorization problem, unlike for RSA, where no such equivalence is known. Thus the Rabin system is more secure in this sense, and will remain so until a general solution for the factorization problem is discovered. (This assumes that the plaintext was not created with a specific structure to ease decoding.)
The problem of factorization is still considered intractable (although for quantum computers there exists Shor's algorithm to compute factors) and thus prevents any eavesdropper from breaking the code today.
The Rabin system is, however, vulnerable to a chosen-ciphertext attack.
Diffie-Hellman key exchange (DH)
This is the first known asymmetric protocol, published by Whitfield Diffie and Martin Hellman in 1976. It is based on the problem of the discrete logarithm. It later emerged that it had been discovered a few years earlier within GCHQ (Government Communications Headquarters), the British signals intelligence agency, by Malcolm J. Williamson, but was kept classified.
The goal of DH is to allow two parties A and B to jointly establish a shared secret key K for secure communication. The protocol assumes values of p and g shared by all potential parties. The value p is a sufficiently large prime, and g ∈ Z_p* can be (but does not need to be) a generator of the group (Z_p*, ·).
Protocol:
1. A → B: X, where X = g^x mod p and x ∈_R Z_p* is chosen by A randomly
2. B → A: Y, where Y = g^y mod p and y ∈_R Z_p* is chosen by B randomly
3. A computes K = Y^x mod p
4. B computes K = X^y mod p
It can easily be shown that both A and B compute the same key:
   Y^x mod p = g^(x·y) mod p = X^y mod p
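The four protocol steps can be sketched directly (p = 2579, g = 2 are small demo values; real use needs a prime of 2048 bits or more):

```python
import secrets

# Toy Diffie-Hellman exchange.
p, g = 2579, 2
x = secrets.randbelow(p - 2) + 1   # Alice's secret exponent
y = secrets.randbelow(p - 2) + 1   # Bob's secret exponent

X = pow(g, x, p)                   # step 1: Alice sends X = g^x mod p
Y = pow(g, y, p)                   # step 2: Bob sends Y = g^y mod p

K_alice = pow(Y, x, p)             # step 3: Alice computes Y^x mod p
K_bob = pow(X, y, p)               # step 4: Bob computes X^y mod p
assert K_alice == K_bob            # both obtain g^(x*y) mod p
```

An eavesdropper sees only p, g, X and Y; recovering the shared key from these is the discrete logarithm problem.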
Man in the Middle attack
The DH protocol is prone to an attack in which an active attacker M (Mallory) sits in the communication channel between A (Alice) and B (Bob). Mallory intercepts the first message and, instead of the value X, sends Bob the value U = g^u mod p, where u is chosen randomly (just as Alice chooses x). Similarly, she intercepts the message Y and instead sends Alice the value V = g^v mod p. The attack therefore proceeds as follows:
1. A → M(B): X = g^x mod p
2. M(A) → B: U = g^u mod p
3. B → M(A): Y = g^y mod p
4. M(B) → A: V = g^v mod p
5. A computes K_1 = V^x mod p
6. B computes K_2 = U^y mod p
The notation A → M(B) means that Alice sends a message intended for Bob, but it is intercepted by Mallory. The notation M(A) → B means that Mallory sends a message to Bob in the name of Alice.
The important fact for Mallory is that neither Alice nor Bob can detect her presence in the protocol, and she is able to compute both keys K_1 and K_2:
   K_1 = X^v mod p = g^(x·v) mod p
   K_2 = Y^u mod p = g^(y·u) mod p
Another asymmetric cryptosystems
Merkle-Hellman
This cryptosystem from 1978 is based on the NP-complete KNAPSACK problem (more precisely, on its variant, the subset sum problem). Its ideas are very elegant, much simpler than RSA, but it was broken by Adi Shamir. The subset sum problem can be formulated as follows:
Given a list of numbers and a third number, which is the sum of a subset of these numbers, determine the subset.
This problem is NP-complete, although some instances are easily solvable. Merkle-Hellman tries to transform an easy instance into a hard one and then back. Adi Shamir successfully attacked the process of converting the easy instance into the difficult one.
Paillier
The Paillier cryptosystem is a probabilistic asymmetric cryptosystem, invented by Pascal Paillier in 1999. The problem of computing n-th residue classes is believed to be computationally difficult; this is known as the Composite Residuosity (CR) assumption, on which the cryptosystem is based.
The scheme is an additively homomorphic cryptosystem: given only the public key and the encryptions of m_1 and m_2, one can compute an encryption of m_1 + m_2.
It has found use in electronic voting and electronic cash, although some attacks are possible.
Cryptographic hash functions
A cryptographic hash function produces a digest (fingerprint) of an electronic document, usually much shorter than the original document. A hash function is a mapping h : X → Y, where Y is a finite set and X can, but does not need to, be finite. A value x ∈ X is called a document or message; the value h(x) is called its digest. The value h(x) can be used as a substitute for the original document x.
Use of cryptographic hash function
The range of use of cryptographic hash functions includes integrity checks, authentication, digital signature schemes, cryptographic protocols etc.
Commitment scheme
A typical case of use of a cryptographic hash would be as follows: Alice poses to Bob a difficult math problem and claims she has solved it. Bob would of course like to try it himself, but would also like to be sure that Alice is not bluffing. Therefore, Alice writes down her solution, appends a random word (nonce), computes its hash and tells Bob the hash value (without revealing the solution). When Bob finds the solution himself later, he can append the same nonce to his solution, compute the hash value, and verify whether his solution equals Alice's by comparing the two digests.
In practice, Alice and Bob are computer programs and the secret is information more important than the mere solution of a puzzle.
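The commitment described above can be sketched with SHA-256 (the puzzle solution and nonce length are illustrative choices):

```python
import hashlib
import secrets

# Alice commits to her solution together with a random nonce.
solution = b"x = 42"                      # hypothetical puzzle solution
nonce = secrets.token_bytes(16)           # random word appended to it
commitment = hashlib.sha256(solution + nonce).hexdigest()

# Alice sends only `commitment` to Bob. Later she reveals (solution, nonce)
# and Bob verifies that they match the earlier commitment:
assert hashlib.sha256(solution + nonce).hexdigest() == commitment
```

The nonce is what keeps Bob from simply hashing candidate solutions and comparing; without it, a small solution space would let him brute-force the commitment.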
Message integrity
A cryptographic hash function also serves to ensure that the original message arrives intact, untainted, as originally intended by the sender. The hash digest provides a way to verify whether the message was modified, by simply comparing the digest computed by the receiver after transmission with the digest value provided by the sender over a secure channel.
This principle can also be extended to detect files modified by malware/viruses or some other sorts of malfeasance.
Another typical example of the use of a cryptographic hash function is password verification. Passwords are typically not stored in plain form; rather, their hash digest is preserved. To authenticate a user, the typed password is digested and then compared to the stored digest. To provide even stronger security, the plain information is often concatenated with random data called salts or nonces.
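Salted password storage can be sketched as follows. A single SHA-256 pass is used here only to keep the sketch short; real systems should use a deliberately slow scheme such as the Blowfish-derived bcrypt mentioned earlier.

```python
import hashlib
import hmac
import os

def store(password: str):
    """Return (salt, digest) to be kept instead of the plain password."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare

salt, digest = store("correct horse")
assert verify("correct horse", salt, digest)
assert not verify("wrong guess", salt, digest)
```

Because every stored password gets its own random salt, identical passwords produce different digests and precomputed dictionary tables become useless.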
Cryptographic hash function properties and weaknesses
To measure the security of cryptographic hash functions, it is necessary to define some key properties that allow analyzing the security of a particular implementation.
(Figure: Alice shows Bob she has solved the puzzle by sending only the hash of her solution and nonce; after solving the puzzle himself, Bob computes and compares the hashes and is convinced.)
One-way function
A hash function h : X → Y is one-way if, for a given y ∈ Y, it is not effectively possible to find x ∈ X such that h(x) = y.
This property is also called preimage resistance and means that from the digest alone it is not possible to reconstruct the original document or a substitute for it.
Weakly collision-free hash function (second preimage resistance)
A hash function h : X → Y is weakly collision-free if, for a given x ∈ X, it is not effectively possible to find x' ∈ X, x' ≠ x, such that h(x) = h(x').
This means that for a given document we are unable to find another one with the same hash digest.
Strongly collision-free hash function (collision resistance)
A hash function h : X → Y is strongly collision-free if it is not effectively possible to find x, x' ∈ X such that x ≠ x' and h(x) = h(x').
This means that we cannot effectively find any two documents with the same digest. A violation could allow substituting a document with a tampered or fake document having the same digest; e.g. two different contracts with the same digest could lead to undesired results.
Birthday attack
This type of attack is inspired by the following problem, known as the birthday paradox:
How many people must be in a room to have at least a 50% probability that at least two of them share a birthday?
It can be shown that 23 people are sufficient. This is somewhat surprising if we consider how many people must be present to have at least a 50% probability that one of them has a birthday on one chosen day: 253 people are required. It can further be shown that for 60 people, the probability of the birthday paradox exceeds 99%.
Put into perspective, the second question is an analogy of guessing the key of some symmetric cipher, whereas the first question is an analogy of finding collisions of hash functions. The outcome is that finding a digest collision between two messages is much easier than finding the key; therefore the hash digest ought to be larger than the symmetric key. Usually the digest size is chosen to be double the bit length of the symmetric key.
Intuitively, it helps to realize that there are many possible unordered pairs of people that can share a common birthday. For 23 people there are (23 choose 2) = 253 possible pairs, which indicates why the paradox occurs. Alternatively, the paradox can be analyzed by considering the chance of no two people having a matching birthday: the second person cannot share the birthday of the first, the third of the first two, the fourth of the first three, etc. By adding more persons, it becomes more likely that some of them share a birthday. The paradox therefore pertains to the question whether any of the 23 persons shares a birthday with any other person, not with one person in particular.
Probability computation
Assuming that all 365 possibilities are equally likely, the probability can be computed as follows. First, the probability p̄(n) that all n birthdays are different is expressed:
   p̄(n) = 1 · (1 − 1/365) · (1 − 2/365) · ... · (1 − (n−1)/365),  n ≤ 365.
This is obtained from the fact that the second person cannot have the same birthday as the first one, leaving 364 of 365 days free; the third person cannot share a birthday with the first two persons, leaving 363 free days, etc. The resulting probability of the birthday paradox, i.e. that at least two persons share a birthday, is the complement of the probability p̄(n) that no two persons share a birthday:
   p(n) = 1 − p̄(n) = 1 − (1 − 1/365) · (1 − 2/365) · ... · (1 − (n−1)/365),  n ≤ 365
To approximate the probability, the Taylor expansion e^(−x) ≈ 1 − x can be used:
   p̄(n) ≈ e^(−1/365) · e^(−2/365) · ... · e^(−(n−1)/365) = e^(−(1+2+...+(n−1))/365) = e^(−n(n−1)/(2·365)) ≈ e^(−n²/(2·365))
   p(n) = 1 − p̄(n) ≈ 1 − e^(−n²/(2·365))
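Both the exact product and the Taylor approximation are easy to evaluate numerically:

```python
import math

def p_collision(n: int, days: int = 365) -> float:
    """Exact probability that among n people at least two share a birthday."""
    p_distinct = 1.0
    for i in range(1, n):
        p_distinct *= 1 - i / days      # i-th person avoids all earlier birthdays
    return 1 - p_distinct

assert p_collision(23) > 0.5            # 23 people already exceed 50%
assert p_collision(22) < 0.5
assert p_collision(60) > 0.99           # 60 people exceed 99%

# the Taylor approximation 1 - exp(-n^2 / (2*days)) is close for small n
approx = 1 - math.exp(-23**2 / (2 * 365))
assert abs(p_collision(23) - approx) < 0.03
```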
The attack
The birthday attack is a type of cryptographic attack that exploits the principles of the birthday paradox, making use of a space-time tradeoff.
Let H denote the cardinality of the set of all hash values, e.g. for a 64-bit hash output, H = 2^64. The hash function is expected to distribute all values evenly, i.e. to be balanced. Then, by substituting the number of days in the Taylor series formula for the birthday paradox, the following formula for the probability that after n attempts a collision is found amongst H possible values can be obtained:
p(n) ≈ 1 − e^(−n²/(2H))
By inverting this expression, the following formula is obtained:

n(p) ≈ √(2H · ln(1/(1 − p)))
The formula can be used to compute the number of tries needed to achieve the desired probability, in our case 50%:

n(1/2) ≈ 1.1774 · √H
For a 64-bit hash function, the number of all hash values is H ≈ 1.9·10^19, but to generate a collision it is sufficient to try only n(1/2) ≈ 5.1·10^9 attempts to have a 50% probability of success. If the hash function is not balanced, the number of required attempts decreases further.
This is the main reason why for hash functions we typically double the number of bits compared to their symmetric cipher counterparts.
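As a sketch (assuming a balanced hash), the inverted formula can be evaluated directly for various output sizes:

```python
import math

def birthday_bound(bits, p=0.5):
    # number of hash evaluations needed to find a collision
    # with probability p, for a balanced hash with `bits`-bit output
    H = 2 ** bits
    return math.sqrt(2 * H * math.log(1 / (1 - p)))

print(f"{birthday_bound(64):.2e}")   # ≈ 5.1e9 attempts
print(f"{birthday_bound(128):.2e}")  # ≈ 2.2e19 attempts
```

Doubling the output size from 64 to 128 bits raises the collision workload from roughly 2^32 to roughly 2^64 evaluations.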
Replay attack
During the authentication process, computing the hash of the password alone and sending it through the communication channel represents a security risk, as Mallory in the middle can eavesdrop the hash of the password and reuse it next time on behalf of Alice. This scheme depicts the weakness:
Therefore it is vital to somehow randomize the digesting process. This can be accomplished by appending a random string to the password and hashing them together each time the authentication process is run. This random string is called a nonce (number used once) or salt. The authentication protocol then consists of Trent generating the nonce and passing it to Alice, Alice computing the hash of the password with the nonce and sending it to Trent, and Trent verifying the hash, as the following scheme shows:
Notice that even if Mallory eavesdrops in the middle, she is not able to reuse the password hash next time, as Trent generates a different nonce for each session.
During authentication, the nonce is transferred unencrypted and, for the purpose of verification, it is prepended to the hash of the password concatenated with the nonce. Trent is then immediately able to detect whether the password hash is fresh by simply extracting the unencrypted nonce, comparing it to the nonce value stored within his system for that particular session, and also computing the digest of the password concatenated with that nonce to verify Alice's input. Alice's output can thus be computed as:

output(password, nonce) = nonce || h(password || nonce)

where h is a cryptographic hash function and || denotes the operation of concatenation. This process is called key strengthening.
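A minimal sketch of the nonce-based protocol, using SHA-256 as a stand-in for the unspecified hash h (the function names and the colon-separated message format are illustrative):

```python
import hashlib
import secrets

def make_nonce():
    # Trent generates a fresh random nonce for each session
    return secrets.token_hex(16)

def alice_response(password, nonce):
    # Alice sends the nonce together with h(password || nonce)
    digest = hashlib.sha256((password + nonce).encode()).hexdigest()
    return nonce + ":" + digest

def trent_verify(password, expected_nonce, response):
    nonce, digest = response.split(":")
    if nonce != expected_nonce:        # stale or replayed nonce
        return False
    expected = hashlib.sha256((password + nonce).encode()).hexdigest()
    return digest == expected

nonce = make_nonce()
resp = alice_response("secret", nonce)
print(trent_verify("secret", nonce, resp))         # True
print(trent_verify("secret", make_nonce(), resp))  # False: replay detected
```

A replayed response fails because Trent expects a different nonce in the next session.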
Construction of cryptographic hash functions
Hash functions can be based on various principles: NP-hard problems or modified block ciphers can be reused, or a dedicated hash function can be designed.
Constructions from block ciphers
When constructing a hash function from a block cipher, the input message is divided into blocks corresponding to the block size of the used cipher or the length of its key. If m is a message, its division into blocks is m_1 m_2 ... m_k, and E is a symmetric cipher, there exist secure schemes provided the cipher has the desired properties.
Iterated hash functions
Iterated hash functions process input data in blocks of fixed length. The input therefore must be padded accordingly and divided into blocks m_1 m_2 ... m_k.
Blocks of input are processed with the compression function f, and a temporary digest is computed:

H_0 = IV
H_i = f(m_i, H_{i−1}),  i = 1..k

where IV is a constant initialization vector for the given hash function. The output is the value H_k or g(H_k), where g is an output function.
Construction as an iterated hash function is the most common type amongst contemporary hash functions. One of the reasons is that if the compression function used has suitable properties, these can also be proved for the iterated hash function (using a suitable construction).
Merkle-Damgård construction
This construction extends a collision-free function f : {0,1}^(n+r+1) → {0,1}^n, r ≥ 1, into h : {0,1}* → {0,1}^n that is also collision-free. Most of the popular contemporary hash functions follow this construction.
1. Let x be the input of size l bits. Let x be partitioned into blocks x_1 x_2 ... x_t of length r bits.
2. Let x_{t+1} be an additional block containing the binary representation of l.
3. The hash function h(x) = H_{t+1} is computed as:

H_1 = f(0^(n+1) || x_1)
H_i = f(H_{i−1} || 1 || x_i),  i = 2..t+1
Additionally, the resulting value can also be processed by an output function g that assures additional properties of the resulting hash. These properties are often compression of the internal state to an output consisting of fewer bits, mixing of bits, or the avalanche effect (a small change in the input causes a big change in the output).
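A toy sketch of the Merkle-Damgård iteration with length strengthening; the compression function below is built from SHA-256 purely for illustration and is not a serious design:

```python
import hashlib

BLOCK = 8  # r: block size in bytes (toy value)

def f(state, block):
    # toy compression function: maps (state, block) to a 16-byte state;
    # built from SHA-256 for illustration only, not a real design
    return hashlib.sha256(state + block).digest()[:16]

def md_hash(msg: bytes) -> bytes:
    length = len(msg)
    # pad with zero bytes up to a multiple of the block size
    if length % BLOCK:
        msg += b"\x00" * (BLOCK - length % BLOCK)
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    # Merkle-Damgard strengthening: append a block encoding the length
    blocks.append(length.to_bytes(BLOCK, "big"))
    state = b"\x00" * 16  # initial state, stands in for the 0^(n+1) prefix
    for b in blocks:
        state = f(state, b)
    return state

print(md_hash(b"hello").hex())
```

The final length block is what distinguishes e.g. b"a" from b"a\x00", which would otherwise collide after zero padding.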
Construction of compression function
The compression function is the core of a cryptographic hash function. During construction, the input message m is divided into blocks m_1 m_2 ... m_k. Contemporary compression functions are usually constructed according to various known schemes.
Davies-Meyer scheme
H_i = E_{m_i}(H_{i−1}) ⊕ H_{i−1},  i = 1..k,
where the final digest is the value H_k and H_0 is a fixed initialization vector.
Matyas-Meyer-Oseas scheme
H_i = E_{g(H_{i−1})}(m_i) ⊕ m_i,  i = 1..k,
where g is a converting/padding function.
Miyaguchi-Preneel scheme
H_i = E_{g(H_{i−1})}(m_i) ⊕ H_{i−1} ⊕ m_i,  i = 1..k
This is an extended version of the previous scheme.
Of course, the block length must be large enough to prevent birthday-type attacks.
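The three schemes differ only in what is XOR-ed into the cipher output. A toy sketch follows; the function E below is a keyed stand-in built from SHA-256, not a real block cipher, and g defaults to the identity:

```python
import hashlib

def E(key: bytes, block: bytes) -> bytes:
    # stand-in for a block cipher E_key(block); a real construction
    # would use e.g. AES -- this keyed mix is for illustration only
    return hashlib.sha256(key + block).digest()[:16]

def davies_meyer(blocks, iv):
    h = iv
    for m in blocks:                      # H_i = E_{m_i}(H_{i-1}) xor H_{i-1}
        h = bytes(a ^ b for a, b in zip(E(m, h), h))
    return h

def matyas_meyer_oseas(blocks, iv, g=lambda h: h):
    h = iv
    for m in blocks:                      # H_i = E_{g(H_{i-1})}(m_i) xor m_i
        h = bytes(a ^ b for a, b in zip(E(g(h), m), m))
    return h

def miyaguchi_preneel(blocks, iv, g=lambda h: h):
    h = iv
    for m in blocks:      # H_i = E_{g(H_{i-1})}(m_i) xor H_{i-1} xor m_i
        h = bytes(a ^ b ^ c for a, b, c in zip(E(g(h), m), h, m))
    return h

iv = b"\x00" * 16
blocks = [b"message block 01", b"message block 02"]  # 16-byte blocks
print(davies_meyer(blocks, iv).hex())
```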
Contemporary cryptographic hash functions
The following table shows some of the contemporary cryptographic hash functions:

Hash algorithm   Hash sum size (bits)   Internal state size (bits)   Block size (bytes)
HAVAL            128-256
MD2              128                    512                          16
MD4              128                    128                          64
MD5              128                    128                          64
RIPEMD-128       128                    128                          64
RIPEMD-160       160                    160                          64
SHA-0            160
SHA-1            160                    160                          64
SHA-224          224                    256                          64
SHA-256          256                    256                          64
SHA-384          384                    512                          128
SHA-512          512                    512                          128
Snefru           128-256
Tiger-128        128                    192                          64
Tiger-160        160                    192                          64
Tiger / Tiger2   192                    192                          64
WHIRLPOOL        512                    512                          64
Message Digest Algorithm 5 - MD5
MD5 is an iterated hash function, introduced by Ronald Rivest in 1991 as a successor to MD4. It became an internet standard (RFC 1321), ensuring its widespread occurrence in many contemporary applications and standards. It found its main use as a means to check the integrity of files.
Algorithm background
MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken into 512-bit segments and padded accordingly. The padding works as follows: first a single 1 bit is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled with a 64-bit integer representing the length of the original message.
The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B,
C and D. These are initialized to certain fixed constants. The main algorithm then operates on each
512-bit message block in turn, each block modifying the state. The processing of a message block
consists of four similar stages (rounds); each round is composed of 16 similar operations based on a
non-linear function F, modular addition, and left rotation. There are four possible functions F; a different one is used in each round:
F(X, Y, Z) = (X ∧ Y) ∨ (¬X ∧ Z)
G(X, Y, Z) = (X ∧ Z) ∨ (Y ∧ ¬Z)
H(X, Y, Z) = X ⊕ Y ⊕ Z
I(X, Y, Z) = Y ⊕ (X ∨ ¬Z)
MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. M_i denotes a 32-bit block of the message input, and K_i denotes a 32-bit constant, different for each operation. ⊞ denotes addition modulo 2^32, and <<< s denotes left rotation by s places.
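The four round functions and the rotation can be expressed directly on 32-bit words; a sketch in Python, where MASK enforces the modulo-2^32 wrap:

```python
MASK = 0xFFFFFFFF  # 32-bit words; all values wrap modulo 2^32

def F(x, y, z): return ((x & y) | (~x & z)) & MASK
def G(x, y, z): return ((x & z) | (y & ~z)) & MASK
def H(x, y, z): return (x ^ y ^ z) & MASK
def I(x, y, z): return (y ^ (x | (~z & MASK))) & MASK

def rotl(x, s):
    # left rotation by s places on a 32-bit word
    return ((x << s) | (x >> (32 - s))) & MASK

# F acts as a bitwise selector: where x has a 1 take y, where x has a 0 take z
print(hex(F(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0)))  # 0x12345678
```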
Pseudocode
The following pseudocode demonstrates an implementation of MD5.
//Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating
//Define r as the following
var int[64] r, k
r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}
r[16..31] := {5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20}
r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}
r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}
//Use binary integer part of the sines of integers as constants:
for i from 0 to 63
k[i] := floor(abs(sin(i + 1)) × 2^32)
//Initialize variables:
var int h0 := 0x67452301
var int h1 := 0xEFCDAB89
var int h2 := 0x98BADCFE
var int h3 := 0x10325476
//Pre-processing:
append "1" bit to message
append "0" bits until message length in bits ≡ 448 (mod 512)
append bit length of message as 64-bit little-endian integer to message
//Process the message in successive 512-bit chunks:
for each 512-bit chunk of message
break chunk into sixteen 32-bit little-endian words w(i), 0 ≤ i ≤ 15
//Initialize hash value for this chunk:
var int a := h0
var int b := h1
var int c := h2
var int d := h3
//Main loop:
for i from 0 to 63
if 0 ≤ i ≤ 15 then
f := (b and c) or ((not b) and d)
g := i
else if 16 ≤ i ≤ 31
f := (d and b) or ((not d) and c)
g := (5i + 1) mod 16
else if 32 ≤ i ≤ 47
f := b xor c xor d
g := (3i + 5) mod 16
else if 48 ≤ i ≤ 63
f := c xor (b or (not d))
g := (7i) mod 16
temp := d
d := c
c := b
b := ((a + f + k(i) + w(g)) rotate left r(i)) + b
a := temp
//Add this chunk's hash to result so far:
h0 := h0 + a
h1 := h1 + b
h2 := h2 + c
h3 := h3 + d
var int digest := h0 append h1 append h2 append h3 //(expressed as little-endian)
Applications
Digests produced by MD5 are heavily utilized in software downloads, ensuring that the downloaded file was not modified. A trusted party provides the MD5 digest of a file; after the download, its MD5 digest is computed and verified. If the trusted party is the same as the provider of the file, the MD5 digest loses its security meaning and can only be used as a way to preserve integrity.
MD5 also often serves the purpose of securing passwords. Of course, key strengthening shall be applied.
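A typical integrity check computes the file digest in chunks and compares it against the published value; a sketch using Python's hashlib (the file name is illustrative, the digest is the well-known MD5 of "hello"):

```python
import hashlib

def md5_of_file(path, chunk_size=8192):
    # compute the MD5 digest of a file, reading it in chunks
    md5 = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
    return md5.hexdigest()

# demo: write a small file and verify it against a known digest
with open("download.bin", "wb") as f:
    f.write(b"hello")
published = "5d41402abc4b2a76b9719d911017c592"  # MD5 of b"hello"
print(md5_of_file("download.bin") == published)  # True
```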
Security
MD5 has been considered unsafe since 2006, when Vlastimil Klíma proposed a method called tunneling, based on previous work by Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu, that is able to find a collision within one minute. Further use of MD5 is not secure and is strongly deprecated.
Secure Hash Algorithm - SHA
SHA is a class of iterated hash functions. The first hash function of the class, SHA (retroactively called SHA-0), was published in 1993. Two years later, SHA-1 was published. Later, the SHA-2 family was issued with a slightly modified design. The SHA-2 family consists of the SHA-224, SHA-256, SHA-384 and SHA-512 functions.
The original specification of the algorithm (SHA-0) was published in 1993 as the Secure Hash
Standard, FIPS PUB 180 by NIST. It was withdrawn by the NSA shortly after publication and was
superseded by the revised version (SHA-1), published in 1995 in FIPS PUB 180-1. This corrected a
flaw in the original algorithm which reduced its cryptographic security.
SHA-0 and SHA-1 produce a 160-bit digest; the maximal size of a message is limited to 2^64 bits. The algorithm is based on principles similar to those used in MD5.
In 2001, NIST published additional hash functions in the SHA family, each with longer digests,
collectively known as SHA-2 (draft FIPS PUB 180-2). In February 2004, a change notice was
published for FIPS PUB 180-2, specifying an additional variant (SHA-224), defined to match the
key length of two-key Triple DES.
SHA-256 and SHA-512 are cryptographic hash functions computed with 32- and 64-bit words,
respectively. They use different shift amounts and additive constants, but their structures are
otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA-384 are
simply truncated versions of the first two, computed with different initial values.
Algorithm
Compression function of SHA-1
This diagram depicts one iteration within the SHA-1 compression function:
A, B, C, D and E are 32-bit words of the state; F is a nonlinear function that varies from round to round; <<< n denotes a left bit rotation by n places, where n varies for each operation; ⊞ denotes addition modulo 2^32; K_t is a round constant.
In the following paragraphs, SHA-256 will be described as a representative of modern cryptographic hash functions.
SHA-256 is defined for messages of size smaller than 2^64 bits, processed in blocks of 512 bits (64 bytes). All computations in the algorithm are realized on 32-bit words. The opening input transformation is a padding that aligns the message size to a multiple of 512 bits:
behind the message, a 1 bit is appended, and the last 64 bits are reserved for the binary representation of the length of the message; between the 1 bit and the length field, the corresponding number of 0 bits is added.
The intermediate result of the computation will be further denoted H^(i). This result is of 256-bit length and is divided into 8 words H_0^(i), ..., H_7^(i). The value H^(0) is defined as a constant initialization vector.
From each block of input, divided into 16 words (denoted m_0, ..., m_15), the sequence of 64 words W_0, ..., W_63 is computed:

W_t = m_t                                                   for 0 ≤ t ≤ 15
W_t = G_1(W_{t−2}) + W_{t−7} + G_0(W_{t−15}) + W_{t−16}     for 16 ≤ t ≤ 63
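The message schedule can be sketched directly, assuming G_0 and G_1 are the standard σ0 and σ1 functions of FIPS 180-4 (the text does not define them):

```python
MASK = 0xFFFFFFFF

def rotr(x, n):
    # right rotation on a 32-bit word
    return ((x >> n) | (x << (32 - n))) & MASK

def g0(x):  # sigma_0 in FIPS 180-4; called G_0 in the text
    return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)

def g1(x):  # sigma_1 in FIPS 180-4; called G_1 in the text
    return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)

def message_schedule(m):
    # expand 16 message words m_0..m_15 into W_0..W_63
    w = list(m)
    for t in range(16, 64):
        w.append((g1(w[t-2]) + w[t-7] + g0(w[t-15]) + w[t-16]) & MASK)
    return w

w = message_schedule([0] * 15 + [1])
print(len(w))  # 64
```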
Values of p and g can be shared amongst multiple users. Further, a random value x ∈_R {2, 3, ..., p−2} is chosen and y = g^x mod p is computed. The public key (y, p, g) then serves for the purpose of verification of a signature. The private key is the value x and is used in the signing process.
Let m be the document to be signed and H be a cryptographic hash function with output in Z_q*. The signing user chooses a private key x and computes the value y = g^x mod p. The public key is then the quadruple (y, p, q, g).
Signing
The signing process advances in the following steps:
1. Choose a random k ∈_R {1, 2, ..., q−1}
2. Compute r = (g^k mod p) mod q
3. Compute s = k^(−1) · (H(m) + x·r) mod q
4. The digital signature of the message m is the pair ⟨r, s⟩.
If during the signing process r = 0 or s = 0 is obtained, then a new k shall be generated.
Verification
Assume that the signed document is m, its digital signature is ⟨r, s⟩, and (y, p, q, g) is the public key of the signing user. The signature can then be verified.
At first, it is necessary to check whether both r and s belong to Z_q*. Then these parameters shall be computed:

u = H(m) · s^(−1) mod q
v = r · s^(−1) mod q

The digital signature is correct if and only if (g^u · y^v mod p) mod q = r.
Correctness
If ⟨r, s⟩ is a digital signature of the document m, the following holds:

(g^u · y^v mod p) mod q = (g^(H(m)·s^(−1)) · g^(x·r·s^(−1)) mod p) mod q
                        = (g^(s^(−1)·(H(m) + x·r)) mod p) mod q
                        = (g^k mod p) mod q
                        = r
Example
Initialization
Let's choose q = 7; then a suitable p would be 43, as q | (p − 1), i.e. 7 | 42. Also let's choose a random h < p − 1, h = 5. Then g = h^((p−1)/q) = 5^6 = 15625. The private key x will be chosen by the signing user, e.g. x = 4. Afterwards, y = g^x mod p = 15625^4 mod 43 = 16^4 mod 43 = 4. The public key is then the quadruple (4, 43, 7, 15625).
Signing
Assume that the cryptographic hash digest of a document m is H(m) = 735.
At first, a random k < q is chosen, e.g. k = 2. Then r = (g^k mod p) mod q = (15625^2 mod 43) mod 7 = (16^2 mod 43) mod 7 = (256 mod 43) mod 7 = 41 mod 7 = 6 and s = k^(−1) · (H(m) + x·r) mod q = 2^(−1) · (735 + 4·6) mod 7 = 4 · 759 mod 7 = 3036 mod 7 = 5. Therefore, the signature of the document m is the tuple ⟨r, s⟩ = ⟨6, 5⟩.
Verification
At first, computing the parameters u and v yields the following values:

u = H(m) · s^(−1) mod q = 735 · 3 mod 7 = 0
v = r · s^(−1) mod q = 6 · 3 mod 7 = 4

Then the verification can proceed:

(g^u · y^v mod p) mod q = (15625^0 · 4^4 mod 43) mod 7 = (256 mod 43) mod 7 = 41 mod 7 = 6 = r.
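The whole example run can be checked mechanically; a sketch reusing the parameters above (Python's three-argument pow handles the modular exponentiations and inverses):

```python
# toy DSA run with the parameters from the example above
p, q, g = 43, 7, 15625
x = 4                      # private key
y = pow(g, x, p)           # public key component: 4

def sign(h_m, k):
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h_m + x * r) % q
    return r, s

def verify(h_m, r, s):
    s_inv = pow(s, -1, q)
    u = h_m * s_inv % q
    v = r * s_inv % q
    return (pow(g, u, p) * pow(y, v, p)) % p % q == r

r, s = sign(735, k=2)
print(r, s)                # 6 5
print(verify(735, r, s))   # True
```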
Blind signatures
A blind signature scheme disguises (blinds) the content of a message before it is signed. The resulting signature can be publicly verified against the original, unblinded message, similarly to the verification of an ordinary digital signature. Blind signatures are employed in privacy-related protocols where the signer and the message author are different parties, such as electronic election systems, digital cash schemes, electronic notaries, etc.
A real-world analogy to the blind signature is the physical act of enclosing a message in an envelope that is then sealed and signed by a signing agent. Thus, the signer does not view the message content, but a third party can later verify the signature and know that the signature is valid.
Blind signatures can also be used to provide unlinkability, which prevents the signer from linking
the blinded message it signs to a later un-blinded version that it may be called upon to verify. In this
case, the signer's response is first "un-blinded" prior to verification in such a way that the signature
remains valid for the un-blinded message. This can be useful in anonymous schemes.
RSA blind signature scheme
Let S be the signing party, ⟨e, n⟩ the public key and d the private key of S. Let A denote the party willing to obtain the signature of a document m. The process of signing can be described in the following steps:
1. A → S : r = H(m) · x^e mod n, where x ∈_R Z_n* is a random blinding factor chosen by A
2. S → A : s = r^d mod n; S signs the blinded message and sends A the signature
3. A computes the digital signature of m out of the signature received from S:
s · x^(−1) mod n = (r^d mod n) · x^(−1) mod n = H(m)^d · x^(ed) · x^(−1) mod n = H(m)^d mod n
Because x is chosen randomly by A in the first step, S is unable to learn which document A actually wants to sign.
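The blinding and unblinding steps can be traced with textbook-sized RSA parameters (illustrative only, far too small for real use):

```python
# toy RSA blind-signature run; the RSA parameters below are
# illustrative small numbers, far too weak for real deployment
p, q = 61, 53
n = p * q                           # 3233
e = 17
d = pow(e, -1, (p - 1) * (q - 1))   # private exponent: 2753

h_m = 1234                          # stands in for H(m)
x = 5                               # A's random blinding factor, coprime to n

blinded = h_m * pow(x, e, n) % n    # step 1: A -> S
s = pow(blinded, d, n)              # step 2: S signs blindly
signature = s * pow(x, -1, n) % n   # step 3: A unblinds

# the unblinded value equals the ordinary RSA signature H(m)^d mod n
print(signature == pow(h_m, d, n))  # True
```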
Public key infrastructure (PKI)
Public key cryptography provides a viable solution to security related problems, such as
authentication, integrity, non-repudiation and confidentiality. Implementation of public key
cryptography within a given framework is, however, a very difficult task. The underlying
infrastructure must be well designed and planned to suit all business requirements and to pass all
desired security measures.
A public key infrastructure (PKI) is a foundation on which other application, system, and network security components are built. A PKI is an essential component of an overall security strategy that must work in concert with other security mechanisms, business practices, and risk management efforts.
Certificates and certification authorities
PKI is essentially an arrangement that provides examination and verification of user identities by a trusted third party. It also allows binding of public keys to users, usually utilizing a centralized authority coordinated with other authorities at distributed locations. The public keys are typically contained in certificates.
Certificates are employed to bind a communicating party to their public key. This binding is carried out by a trusted third party, the certification authority (CA). The certificate of a user U, denoted C(U), is a tuple ⟨ID(U), y_U⟩ digitally signed by the certification authority. Therefore a certificate can be of this form:

C(U) = ⟨ID(U), y_U, signature_CA(ID(U), y_U)⟩,

where ID(U) is the identification of the subject and certificate (such as name, address, validity of the certificate, certification authority identification, etc.) and y_U is the public key of U. It is assumed that each communicating party knows the public key of the certification authority and is capable of verifying the certificates signed by that authority.
Benefits of public key infrastructure
The increasingly significant presence of Internet and e-commerce technologies provides many opportunities, but also poses severe security and integrity issues. To enable sustained growth and thriving e-commerce, all business parties (customers, vendors, suppliers, regulatory agencies, stakeholders, etc.) must be assured that trusted business relationships are maintained.
Typical real-world face-to-face transactions do not require additional security precautions; these, however, became necessary when transactions started to be initiated electronically. For example, e-shops are typically unwilling to ship goods or perform services until a payment has been accepted by their bank. A customer also shall not be allowed to repudiate a valid contract. Both the seller and the customer should be able to verify each other's identity: the customer needs assurance that he is purchasing from a legitimate entity and not from a cracker site designed to collect credit card numbers, while for the seller this typically means that the bank transaction from the customer occurred.
Therefore, there must be a mechanism (infrastructure) that ensures trusted relationships are established and maintained. Various implementations of PKI can then be used to ensure that confidentiality, authentication, integrity and non-repudiation are provided.
PKI enables the basic security services for various applications:
- communication and transport security in SSL, IPsec, HTTPS
- email security in S/MIME and PGP
- value exchange in SET
- B2B in Identrus

Key benefits offered by PKI to e-commerce are:
- reduction of transaction processing expenses
- reduction and compartmentalization of risk
- enhancements of efficiency and performance of systems and networks
- reduction of the complexity of security systems compared with pairwise symmetric-key methods

Additionally, many other solutions rely on the fundamentals of public key cryptography, such as symmetric key management, voting, anonymous value exchange, transit ticketing, identification (passports and driver licences), notarization (contracts, mail), software distribution, etc.
PKI is, however, not an authentication, authorization, auditing, privacy or integrity mechanism by itself; rather, it is an enabling infrastructure that supports a variety of business and technical needs. PKI only allows for the identification of entities. PKI does not infer trust by itself, but depends on the establishment of a reliable trusted base. Therefore, the basis of trust must be established elsewhere (on a personal, business, etc. level) before it can be accepted by the PKI.
Trust
The issue of trust often arises when designing a PKI. The complexity of the underlying PKI depends on the amount of risk the organization is willing to endure during transactions. If transactions of high value or with significant legal consequences occur in the organization, then a tight set of tests should be performed to authenticate a customer or entity. Conversely, if transactions are low-risk, a simple set of tests should suffice. In high-risk scenarios, it can be intended that part of the entity authentication occurs offline. This implies that the original entity authentication problem is not solved by PKI; rather, it must be addressed in each unique business environment.
This problem is magnified when an organization moves from local to international environments. There arises the problem of authenticating documents issued by other governments or foreign organizations. How does the organization determine whether it should trust the credentials presented?
What mechanisms do they use to make that determination? How did the original authority, which
issued the credentials, determine the identity of the requestor? Is the originating authority
trustworthy? These are fundamental issues the PKI must consider.
Planning a public key infrastructure
Besides the standard set of problems that arise from the confidentiality, authentication, integrity and non-repudiation requirements, the following issues should also be considered when creating business requirements:
- careful planning
- interoperability
- determination of a PKI system and vendor
- performance and capacity
Structure of a public key infrastructure
PKI framework
The framework consists of security and operational policies, security services and interoperability protocols supporting the use of public-key cryptography for the management of keys and certificates. The generation, distribution and management of keys is done using Certification Authorities (CA), Registration Authorities (RA) and directory services, which all together establish a chain of trust. The main purpose of the framework is to support the secured exchange of data, credentials and value (money, etc.) in various insecure environments, such as the Internet.
To provide risk management control, a hierarchy of trust must be established using PKI. In insecure environments such as the Internet, mutually unknown entities do not have sufficient trust in one another to perform business transactions. The implementation of a PKI using a certification authority establishes this trust hierarchy.
Mutually unknown entities individually establish a trust relationship with a CA. The CA performs authentication according to the rules noted in its Certificate Practices Statement (CPS) and then issues each individual a digital certificate. The CA then vouches for the identity of the entities. Previously unknown entities can then use their certificates to establish trust between themselves, because they trust the CA and have access to the public key of the CA, and thus can verify the certificates of other entities.
This establishment of a trust hierarchy scales well in heterogeneous networks and therefore provides one of the major benefits of PKI.
Trust models
An implementation of PKI requires a careful analysis of the mutual trust relationships of the participating entities. This analysis leads to the establishment of trust, later enforced by the PKI.
Hierarchical model
This is the most typical representation of PKI. Rather than having one single CA, there are multiple CAs with a limited range of functionality or extent. For example, there is one international CA that serves all international entities, subordinate national CAs that serve entities at the national level, then regional CAs, etc. The main advantage of this model is its scalability, whereas the main drawback is the higher cost of maintaining such a hierarchy. Compartmentalization of risk can be established, where the compromise of one CA does not affect all issued certificates.
Distributed (Web of trust) model
A distributed web of trust does not incorporate a CA. No trusted third party actually vouches for the identity or integrity of any entity. This trust model does not scale well into the Internet-based e-commerce world, because each end entity must determine on its own the acceptable level of trust for other entities. This model is used in Pretty Good Privacy (PGP).
Direct (peer-to-peer) model
Direct models are used with symmetric key-based systems. Again, a trusted third party does not exist. Each end entity establishes trust with every other entity directly. The main drawbacks are limited scalability into the Internet e-commerce world and the large number of required operations.
Cross-certification
Instead of using one global CA, cross-certification allows users to choose amongst multiple CAs according to their needs. Cross-certification is basically done by having one CA certify another CA. A relying entity can then validate the public key certificate of an end entity whose signing CA's public key it does not know, by trusting a cross-certificate signed by its own CA.
Cross-certification therefore allows PKI deployments to be both scalable and extensible.
X.509 Public Key Infrastructure Standard
X.509 is an ITU-T (International Telecommunication Union Telecommunication Standardization Sector) standard for PKI that specifies standard formats for public key certificates and a certification path validation algorithm. X.509 was introduced in 1988 and was closely associated with the X.500 electronic directory services standard (DAP etc.). It assumed a strict hierarchical system of CAs. Later, version 3 introduced support for other topologies, such as bridges, meshes and peer-to-peer webs of trust. Nowadays, the term X.509 certificate usually refers to the IETF's (Internet Engineering Task Force) PKIX certificate and CRL profile of the X.509 v3 certificate standard, specified in RFC 3280 and referred to as PKIX (Public Key Infrastructure X.509).
Certificates
A CA issues a certificate binding a public key to a particular distinguished name in the X.500 tradition, or to an alternative name such as an e-mail address or a DNS entry.
Trusted root certificates can be distributed to all employees so that they can use the PKI system. Browsers usually come with some root certificates preinstalled; essentially, the browser owners determine which CAs are trusted third parties.
X.509 also includes standards for certificate revocation list (CRL) implementations. The Online Certificate Status Protocol (OCSP), approved by the IETF, can be used to check the validity of a certificate.
Structure of a certificate includes information such as version, serial number, algorithm ID, issuer,
validity (not before, not after), subject, subject public key info (algorithm, public key), issuer
unique identifier, subject unique identifier, extensions, certificate signature algorithm and certificate
signature.
Certificates can be recognized via extensions of their filenames; commonly used extensions are .cer,
.der, .pem, .p7b, .p7c, .pfx and .p12.
If certificates use the MD5 function, it is possible to obtain two X.509 certificates that contain identical signatures and differ only in their public keys, as clearly demonstrated by Lenstra, Wang and de Weger in 2005.
There are many protocols and standards that support X.509, such as TLS/SSL, S/MIME, IPsec, SSH, smartcards, HTTPS, EAP, LDAP, Trusted Computing Group (TNC, TPM), NGSCB, etc.
Why does X.509 do otherwise straightforward things in such a weird way?
"[The] standards have been written by little green monsters from outer space in order to confuse normal human beings and prepare them for the big invasion." (comp.std.internat)
Cryptographic protocols
To successfully initiate communication, the communicating parties have to execute a sequence of steps to agree upon the communication details. These steps are denoted a cryptographic protocol, and they have to serve the communication goals of the participants and satisfy their security needs.
The goals of cryptographic protocols vary: they can be constructed to provide key management, authentication, electronic cash, electronic elections, etc. Protocols use and create a framework for the use of basic cryptographic primitives, such as encryption, cryptographic hash functions, digital signatures and secret sharing schemes.
The most important part of cryptographic protocols concerns key management.
Attacks on the cryptographic protocols
Basically, attacks can be divided into two groups: active and passive. Passive attacks consist only of eavesdropping, whereas active attacks give the attacker the freedom to modify the protocol run in any possible way. We assume that the attacker can be a legitimate participant of the communication.
Shortly, there are three main types of attacks:
- Replay attack: exploitation of older messages in the actual run of the protocol by repeating them. To counter these attacks, additional cryptographic primitives such as nonces and timestamps are used.
- Man in the middle: the attacker acts as an invisible participant of the communication. To counter this threat, digital signatures, MACs or similar mechanisms shall be applied.
- Exploitation of the weaknesses of the used cryptographic primitives: this includes all security-related problems of encryption, hashing, signing, etc.
Notation
Usually, final forms of protocols employ participants such as Alice, Bob, Dave and the trusted third party Trent, while their analysis employs attackers such as Eve, Mallory and Oscar.
Protocols will be described in steps; the notation 3. A → B : M means that in the third step Alice sends Bob a message M. On the other hand, 1. A → M(B) : S means that in the first step of the protocol Alice sends the message S to Bob, but this message is intercepted by Mallory disguised as Bob. Similarly, 1. M(B) → A : S means that Mallory acting as Bob sends message S to Alice.
The notation {M}_{K_AB} means that message M is encrypted using a symmetric cipher that employs a key K_AB shared by both Alice and Bob. Conversely, the notation {M}_{K_A} means that message M is encrypted by an asymmetric cipher using the public key K_A of Alice. Finally, the notation {M}_{K_A^(−1)} means that message M is digitally signed by the private key K_A^(−1) of Alice.
Diffie-Hellman key-exchange protocol
This protocol was demonstrated in the asymmetric cryptography chapter; nevertheless, it is vital to mention it in this chapter as well.
Goal: To achieve an agreement between two users about their communication key (key exchange).
Protocol:
1. A → B : X = g^x mod p, x ∈_R Z_p* (x is chosen by Alice randomly)
2. B → A : Y = g^y mod p, y ∈_R Z_p*
3. A computes K = Y^x mod p
4. B computes K = X^y mod p
It can be shown easily that both Alice and Bob compute the same key:
Y^x mod p = g^(xy) mod p = X^y mod p
Man in the Middle attack
As a reminder, DH protocol is prone to type of attack when an active attacker M (Mallory) lies in
the communication channel between Alice and Bob. The attack therefore advances as follows:
1. A M(B) : X = g
x
mod p
2. M(A) B : U = g
u
mod p
3. B M(A) : Y = g
y
mod p
4. M(B) A : V = g
v
mod p
5. A computes K
1
= V
x
mod p
6. B computes K
2
= U
y
mod p
Notation A M(B) means that Alice sends message to Bob, but is intercepted by Mallory. Notation
M(A) B means that Mallory sends message to Bob in the name of Alice.
Important fact for Mallory is, that both Alice and Bob can't reveal her presence in the protocol and
she is able to compute both keys K
1
and K
2
:
K
1
=X
v
mod p=g
xv
mod p
K
2
=Y
u
mod p=g
yu
mod p
70
M A B
K
1
K
2
Modified Diffie-Hellman key-exchange protocol using certification authorities
One of possibilities how to prevent a man-in-the-middle attack lies in the use of certificate
authorities. To recap, certificates have the following form:
C(U )=ID(U ), y
U
, signature
CA
( ID(U ), y
U
)
,
where ID(U) is an identification of a subject and certificate (such as name, address, validity of
certificate, certification authority identification, etc.) and y
U
is a public key of U.
Using certificates, it is possible to modify DH protocol to be resistant to a man-in-the-middle attack.
Assume, that each participant U has its public key y
U
=g
x
U
mod p , x
U
p
*
. DH then can
advance by simple exchange and verification of certificates and subsequent computation of a key K.
Protocol:
1. A B : C( A)=[ ID( A), y
A
, signature
CA
( ID( A) , y
A
)] , y
A
=g
x
A
mod p, x
A
p
*
2. B A : C( B)=[ ID( B) , y
B
,signature
CA
( ID( B) , y
B
)] , y
B
=g
x
B
mod p, x
B
p
*
3. A computes K=y
B
x
A
=g
x
A
x
B
mod p
4. B computes K=y
A
x
B
=g
x
A
x
B
mod p
Man in the middle is not able to construct correct certificates for her fictional public keys that
those were bound to the identity of participants. Major drawback of this modification lies in the fact
that the key K is always the same for a given pair of participants (until the change of one of their
certificates).
Station to Station protocol
This protocol solves the problem of modified DH protocol participants are able to retrieve a
different key K for each instance of the protocol.
Protocol:
1. A B : X =g
x
mod p, x
R
p
*
2. B A : [Y , E
K
(signature
B
( X , Y )), C( B)] , Y =g
y
mod p, y
R
p
*
, K=X
y
mod p
3. A computes K=Y
x
mod p , A deciphers signature
B
(X, Y), A verifies certificate C(B), A
extracts public key y
B
from C(B) and verifies signature
B
(X, Y). If successful, key K is safe.
4. A B :
[ E
K
(signature
A
( X ,Y )), C( A)]
5. B verifies C(A), deciphers and verifies signature
A
(X, Y)
Man in the middle falls short as she is not able to falsify digital signatures.
Interlock protocol
Goal: Detection of the man in the middle attack
To detect a man in the middle, special Interlock protocol was developed. Assume, that participants
Alice and Bob ciphers their communication using a key K, agreed upon using DH protocol. It
71
means, that attacker could deliver fictional keys K
1
to Alice and K
2
to Bob. As the attacker is not
able to guarantee the equality of the keys K
1
and K
2
, unless she is capable of solving the Diffie-
Hellman problem that has equivalent complexity to the Elgamal cryptosystem, Interlock protocol
focuses on this characteristics. Assume that Alice and Bob prepared messages m
A
and m
B
.
Protocol:
1. A B : c
A1
, where c
A
= E
K
(m
A
), c
A
= c
A1
c
A2
(c
A
is partitioned into two halves, E
K
is an
encryption function with a key K)
2. B A : c
B1
, where c
B
= E
K
(m
B
), c
B
= c
B1
c
B2
3. A B : c
A2
4. B A : c
B2
, B is now able to obtain c
A
and decipher message m
A
5. A is now able to obtain c
B
and decipher message m
B
Man in the middle is forced to choose her own messages m'
A
or m'
B
as the first half is useless
without the second half. Herewith, as K
1
K
2
, it is not possible to send unchanged parts of messages
- after deciphering with a different key K, they turn into meaningless messages.
Unfortunately, even Interlock protocol has its weakness. Attacker needs to deceive only one
participant; she can at first run the whole communication with Alice with an imaginary message m'
B
,
obtaining a message m
A
, and then repeat the whole process with Bob. Importance of Interlock
protocol lies in the fact that attacker is forced to actively interfere with communication, increasing
the chance of her uncovering.
Interlock protocol can be helpful in a case of hybrid encryption over insecure channel, when two
parties at first exchange their public keys, then exchange symmetric key and use symmetric
cryptosystem for further communication. Attacker is able to intercept asymmetric cryptosystem,
exchange public keys for her own public key, allowing access to the communication. Interlock
protocol prevents this from happening.
Otway-Rees protocol
Goal: Distribution of key K
AB
of participants Alice and Bob with authentication of Alice, using
trusted third party Trent.
Communication key K
AB
is generated by trusted third party Trent, authentication of Bob is
completed after first use of key K
AB
. Both Alice and Bob share a key K
AT
and K
BT
with Trent for their
own communication. To ensure freshness of transferred messages, nonces N
A
and N
B
are generated
by Alice and Bob. Protocol uses random identifier M to prevent replay attack by using messages
from older instances of communication. This identifier is chosen by Alice.
Protocol:
1. A B : M, A, B,
N
A
, M , A, B
K
AT
2. B T : M, A, B,
N
A
, M , A, B
K
AT
,
N
B
, M , A, B
K
BT
3. T B : M,
N
A
, K
AB
K
AT
,
N
B
, K
AB
K
BT
4. B A : M,
N
A
, K
AB
K
AT
Assume, that Trent in the second step does not verify identity match in both plain and ciphertext,
but only in ciphertext. Then Oscar can advance as follows:
Replay attack:
72
1. A B : M, A, B,
N
A
, M , A, B
K
AT
2. B O(T) : M, A, B,
N
A
, M , A, B
K
AT
,
N
B
, M , A, B
K
BT
O T : M, A, O,
N
A
, M , A, B
K
AT
,
N
O
, M , A, O
K
OT
3. T O : M,
N
A
, K
AB
K
AT
,
N
O
, K
AB
K
OT
4. O(B) A : M,
N
A
, K
AB
K
AT
Attacker after interception of a message in the second step sends Trent his own message acting as a
regular communication participant. Response then allows Oscar to obtain key K
AB
alongside with a
message he needs to send to Alice acting as Bob.
Needham-Schroeder protocol
Goal: Mutual authentication of Alice and Bob using trusted third party Trent alongside with a key
distribution K
AB
.
Assume, that both Alice and Bob share communication key with Trent, K
AT
and K
BT
. Key K
AB
is
provided by Trent. Alice and Bob use nonces N
A
and N
B
and are generated by them as sufficiently
long strings of bits.
Protocol:
1. A T : A, B, N
A
2. T A :
N
A
, B, K , K
AB
, A
K
BT
K
AT
3. A B :
K
AB
, A
K
BT
4. B A :
N
B
K
AB
5. A B :
N
B
1
K
AB
Weakness of Needham-Schroeder protocol lies in an insufficient assurance of a freshness of sent
message in the third step. Assume, that Mallory eavesdrops communication between Alice and Bob.
Assume, that later the key K
AB
is compromised either is revealed by Alice or Bob or is obtained by
cryptanalysis. Mallory is then able to force Bob to use old key again, acting in the name of Alice by
replaying a message from old instance of the protocol.
Attack:
3'. M(A) B :
K
AB
, A
K
BT
4'. B M(A) :
N
B
'
K
AB
5'. M(A) B :
N
B
' 1
K
AB
This problem was that from Bob's view, message in the third step had no means to guarantee its
freshness associated. One of possible workarounds can be summarized in following steps:
Attack resistent protocol:
1. A B : A, B, N
A
2. B T : A, B, N
A
, N
B
3. T A :
N
A
, B, K
AB
, N
B
, A, K
AB
K
BT
K
AT
73
4. A B :
N
B
, A, K
AB
K
BT
Bob sends its nonce to Trent at the beginning of the protocol. Trent then incorporates this nonce to a
message to Alice, who in turn passes
N
B
, A, K
AB
K
BT
to Bob, assuring that the message is now
fresh.
Needham-Schroeder public-key protocol
Goal: Mutual authentication of participants with key agreement for secure communication.
This protocol does not rely on trusted third party, however, assumes, that participants know public
key of each other K
A
and K
B
. Protocol expects nonces N
A
and N
B
to be provided by participants.
Protocol:
1. A B : N
A
, A
K
B
2. B A : N
A
, N
B
K
A
3. A B : N
B
K
B
Oracle replay attack:
Despite the simplicity of the protocol, it took 17 years to find an effective attack. Mallory utilizes
the facts that Alice initiates a communication with her and immediately begins to communicate with
Bob in parallel:
1. A M :
N
A
, A
K
M
1'. M(A) B :
N
A
, A
K
B
2. B M(A) :
N
A
, N
B
K
A
2'. M A :
N
A
, N
B
K
A
3. A M :
N
B
K
M
3'. M(A) B :
N
B
K
B
Both instances of the protocol are successfully completed, where Mallory used Alice as an oracle to
initiated and perform steps of the protocol with Bob. At the end, Bob is convinced he communicates
with Alice whereas Mallory has a full disposal of both nonces N
A
and N
B
, therefore can construct the
key for further communication.
The prevention can be achieved by breaking the symmetry, for example this way:
Protocol:
1. A B : N
A
, A
K
B
2. B A : N
A
, N
B
, B
K
A
3. A B : N
B
K
B
74
Yahalom protocol
Goal: Mutual authentication of participants and distribution of a key for secure communication
provided by Trent.
Protocol assumes that both Alice and Bob provide nonces N
A
and N
B
and share communication keys
with Trent, K
AT
and K
BT
.
Protocol:
1. A B : A, N
A
2. B T : B, A, N
A
, N
B
K
BT
3. T A : B, K
AB
, N
A
, N
B
K
AT
, A, K
AB
K
BT
4. A B : A, K
AB
K
BT
,N
B
K
AB
At the beginning, Alice wants to communicate with Bob. She sends him her identificator alongside
with nonce. Bob prepares a request for a key for Trent. Bob adds his own nonce to the message
from Alice, encrypts it using he shared key between him and Trent. Trusted party Trent deciphers
the message and prepares a response to Alice. This message consists of two parts, one is intended
for Alice, the other one for Bob. Both messages contain K
AB
for further communication. Message to
Alice contains also nonce from her, to convince Alice about the origin and actuality of the
communication (only Alice and Trent know the key K
AT
). Alice deciphers her part, extracts nonce
from Bob and sends Bob his part of the message alongside with his nonce encrypted using their new
shared key K
AB
. Bob deciphers first part of the message and verifies the identifier of Alice. Obtained
key K
AB
uses to decrypt the second part of the message to obtain his nonce. Because nonce N
B
is
sent exclusively in the encrypted form, it is known only to Alice, Bob and Trent. Its presence in the
fourth step of the protocol show that Alice believes in the freshness of the key K
AB
. That alongside
to the fact that the first part of the message is from Trent convinces Bob that K
AB
is a suitable key
for the subsequent communication with Alice.
Alice is convinced about identity of Bob via Trent after third step of the protocol. Bob is convinced
about the identity of Alice after successful fourth step.
Some alterations of Yahalom protocol are prone to attacks.
Denning-Sacco protocol
Goal: Authentication of Alice using certificates provided by trusted third party Trent and key K
AB
distribution for further secure communication.
Let C
A
and C
B
be certificates of public keys of Alice and Bob respectively (in fact, these are just
signed public keys by Trent). Alice generates key K and timestamp T
A
. Notation
K , T
A
K
A
1
K
B
means that a message K, T
A
is digitally signed by Alice and subsequently encrypted for Bob using
his public key.
Protocol:
1. A T : A, B
2. T A : C
A
, C
B
3. A B : C
A
, C
B
,
K , T
A
K
A
1
K
B
75
Attack:
Mallory can exploit situation when Alice wants to communicate with her, to obtain a disguise for
the communication with Bob. It took 12 years to find this attack.
1. A T : A, M
2. T A : C
A
, C
M
3. A M : C
A
, C
M
,
K , T
A
K
A
1
K
M
3'. M(A) B : C
A
, C
B
,
K , T
A
K
A
1
K
B
After receiving a message in the third step of the protocol, Mallory deciphers the message, obtains
the key K, verifies the timestamp and digital signature of Alice. Signed key along with timestamp
then encrypts using public key of Bob and immediately sends as the third step of the protocol. As
timestamp T
A
is still fresh, Bob does not suspect he is manipulated, accepts the message,
authentication of Alice and key K. Attacker obtains the certificate C
A
from Trent.
To avoid this type of attack, it is sufficient to add identifiers of participants into signed message in
the third step of the protocol:
3. A B : C
A
, C
B
,
A, B, K , T
A
K
A
1
K
B
Wide Mouth Frog protocol
Goal: Distribution of a key K
AB
between participants Bob and Alice using trusted third party Trent
and authentication of Alice.
Protocol uses timestamps T
A
(Alice's) and T
T
(Trent's) to ensure a freshness of transmitted messages.
Encryption of communication is achieved using keys K
AT
and K
BT
.
Protocol:
1. A T : A,
T
A
, B, K
AB
,
K
AT
2. T B :
T
T
, A, K
AB
,
K
BT
Replay attack:
Assume that Alice begins protocol with the intention to communicate securely with Bob. Mallory
intercepts a message to Bob in the second step and passes it to Bob:
1. A T : A,
T
A
, B, K
AB
,
K
AT
2. T M(B) :
T
T
, A, K
AB
,
K
BT
M(T) B :
T
T
, A, K
AB
,
K
BT
Intercepted message has the same structure as the message in the first step; therefore can be used to
initialize a fake instance of a protocol:
1'. M(B) T : B,
T
T
, A, K
AB
,
K
BT
2'. T M(A) :
T '
T
, B, K
AB
,
K
AT
Received message has again suitable structure; therefore can be used for a new instance:
1''. M(A) T : A,
T '
T
, B, K
AB
,
K
AT
76
2''. T M(B) : T
T
( 2)
, A, K
AB
,
K
BT
Utilizing this process, Mallory keeps the timestamps always refreshed and meanwhile works on the
compromise of a key K
AB
. After obtaining the key K
AB
, Mallory uses last intercepted message to
instantiate a new protocol run and forces Bob to use K
AB
as a suitable key for communication.
1
(k)
. M(A) T : A, T
T
( k1)
, B, K
AB
,
K
AT
2
(k)
. T B : T
T
( k )
, A, K
AB
,
K
BT
Prevention of this attack breaks the symmetry, as demonstrated in the following modification.
Modified Wide Mouth Frog protocol
Goal: Distribution of a key K
AB
between participants Bob and Alice using trusted third party Trent
and authentication of Alice.
Protocol:
1. A T : A,
T
A
, B, K
AB
,
K
AT
2. T B :
T
T
, A, B, K
AB
,
K
BT
3. T B :
T
B
, A, B,
K
AB
(optional)
Bob is convinced about the identity of Alice via Trent, because at first, Trent verified correctness
and freshness of the message in the first step, otherwise he would not advance to the next step and
secondly, key K
BT
is known only to Trent and Bob and the message from Trent is fresh.
Alice is convinced about the identity of Bob after she receives a message encrypted using the key
K
AB
.
Kerberos protocol
Goal: Authenticate participants of the communication using trusted third party in the network
(client-server) environment.
Kerberos name originates in the Greek mythology, where Cerberos stands for monstrous three-
headed dog guarding the Hades. Kerberos prevents eavesdropping, replay attacks and ensures the
integrity of the data. Utilizes symmetric cryptography and trusted third party. It was introduced by
MIT, now is in its fifth incarnation, Kerberos V, RFC 4120 (2005). There are various
implementations, such as KTH-KRB and Heimdal.
Microsoft uses Kerberos as its default authentication protocol since introduction of Windows 2000.
Protocol is based on the Needham-Schroeder protocol.
Protocol:
1. A T : A, B
2. T A :
T
T
, L , K
AB
, B, T
T
, L , K
AB
, A
K
BS
K
AS
3. A B :
T
T
, L , K
AB
, A
K
BS
, A, T
A
K
AB
4. B A :
T
A
+1
K
AB
77
L is a lifespan data, similar to a timestamp.
Basically, client authenticates itself to Authentication Server, then demonstrates to the Ticked
Granting Server that it's authorized to receive a ticket for a service (and receives it), then
demonstrates to the Service Server that it has been approved to receive the service.
Drawbacks
As Kerberos requires continuous availability of a central server, this introduces the single point of
failure property of the protocol. Kerberos also requires the clocks of the involved hosts to be
synchronized. The tickets have time availability period and, if the host clock is not synchronized
with the clock of Kerberos server, the authentication will fail. The default configuration requires
that clock times are no more than 10 minutes apart. At last, password changing is not standardized,
and differs between server implementations.
Agora protocol
A minimal distributed protocol for electronic commerce introduced by Gabber in 1996.
Goal: Enable simple payments for the information stored on web pages.
Protocol utilizes certificates and digital signatures to ensure authenticity of sent messages. Let Alice
be customer and Bob be merchant selling goods over the internet. Symbols C
A
and C
B
denote
certificates of their public keys. Assume, that certificate are provided by trusted third party. Let M
be request to obtain the price, N is a counter of requests and P is the price for the information.
Protocol:
1. A B : A, M
2. B A :
C
B
, N , P
K
B
1
3. A B :
C
A
, N , P
K
A
1
In the second and third step, the messages are signed by participants using their private keys, but are
not encrypted.
Protocol interaction attack
It is possible to construct special protocol that violates the security of the Agora protocol. This
protocol will serve of purpose of verifying the age as a safety barrier to prevent access for some
web pages. Assume, that certificate contains birth date or that certificate is issued only to persons of
the required age. Participant proves her age by knowing her private key, i.e. by her ability to sign
random request R:
1. A B : A
2. B A : R
3. A B :
C
A
, R
K
A
1
If the length of the random request R is equal to the sum of the lengths of N and P, attacker Mallory
advances in the following steps:
1. A M(D) : A
1'. M(A) B : A, M
2. B M(A) :
C
B
, N , P
K
B
1
2'. M(D) A : R ( R = N, P )
3. A M(D) :
C
A
, R
K
A
1
78
3'. M(A) B :
C
A
, N , P
K
A
1
Mallory uses a concatenation of N, P as the random request in the protocol for age verification.
Subsequent response of Alice is then immediately usable as the response that validates the buy in
the Agora protocol. Dave (D) can be arbitrary participant.
Cryptographic protocol construction security advices
Many attacks can be prevented by following a few security advices related to the construction of
cryptographic protocols. Some of the problems can be avoided by specific implementation details,
such as remembering old keys, verification of diversity of used nonces, but these significantly
increase the complexity of the protocol implementation. Similarly, parallel run check prevents the
attacks exploiting multiple protocol runs, but decreases performance of the system.
Therefore, the aim for cryptographic protocol construction is to create such a protocol, whose
security properties are guaranteed by its own construction and the sequence of steps alongside with
precisely formulated prerequisites.
Some of the advices are formulated in the following section.
1. Explicitness the meaning of the message shall be dependent only on the message alone.
Message is supposed to contain every information required for its interpretation, including
the identity of the participants. Examples of failures include Denning-Sacc protocols or
Needham-Schroeder public key protocol.
2. Assumptions for each message that causes any action all required assumptions shall be
provided.
3. Use of ciphers it must be clearly stated which purpose the encryption of the text serves.
Amongst the common purposes, an encryption can be used to provide confidentiality,
authenticity, mutual binding of the messages, randomness, etc.
4. Signing and encryption digital signature does not guarantee that the sender knows the
plaintext. It is vital to at first sign plaintext and then encrypt whole message. On the other
hand, even this does not guarantee security, as Denning-Sacc protocol proves.
5. Nonces for each nonce it is mandatory to provide its goal and expected properties. Otway-
Reese protocol is an example of security risk regarding this advice.
6. Security of predictable information predicable information (counters) used to ensure
freshness of transferred messages must be secured in the protocol.
7. Timestamps if the timestamps are used to preserve the freshness, it is mandatory to
synchronize local clocks. In addition, system of time administration becomes a critical
component of the security system.
8. Freshness vs usage actual use of an entity (e.g. key to encryption) is not the same as the
freshness of the entity.
9. Exactness (unicity) protocol message shall be exactly decipherable participant is able to
determine pertinence of a message to the protocol, protocol process and order of a message
within the protocol.
10. Trust it is mandatory to formulate and give reasons to all assumptions about the trusts the
protocol expets.
11. Use of private key if possible, it is better to avoid use of private key for various purposes,
such as signing or decryption. For example, with RSA it is possible to obtain private key
from the process of decryption and publishing of the decrypted messages.
12. Assume nothing do not assume anything that is not stated in the protocol definition.
79
Quantum cryptography
Quantum cryptography revolutionized the approach to solve cryptographic problems by relying on
the properties of subatomic particles rather than on clever mathematical ideas. Quantum
cryptography utilizes principles of quantum mechanics and the physics of information to achieve a
secure communication. Eavesdropping can be then viewed as measurements on a physical objects
that carries the information. It is then possible to detect an eavesdropping attempt, using quantum
phenomena such as quantum superposition or quantum entanglement. According to laws of
quantum mechanics, measurement on the quantum carrier of information disturbs it and leaves
traces of tampering.
Quantum theory basics
"I think, I can suggest, that nobody understands the quantum mechanics." Richard P. Feynman
Uncertainty principle
Introduced in 1927 by Werner Heisenberg, uncertainty principle states that one cannot
measure with arbitrary precision values of certain conjugate quantities, which are pairs
of observables of a single elementary particle. These pairs include the position and
momentum. It is however possible to obtain a positive lower bound for the product of
the uncertainties of measurements of the conjugate quantities.
Entanglement of particles
Quantum entanglement is a strange phenomenon of quantum mechanics whose effect is that the
quantum states of two or more objects have to be described with reference to each other, even if
they are spatially separated. This inevitably leads to correlations between observable physical
properties of the system, e.g. it is possible to prepare two electrons in the same quantum state,
where the first electron is observed to be spin-up whereas the second to be spin-down. Still, it is not
possible to predict which set of measurements will be observed for each system, although the
measurement of the first system instantaneously influences the other system entangled with it.
Quantum entanglement is closely related to new technologies of quantum cryptography, quantum
computing in general and also to quantum teleportation. Quantum entanglement however brings
some philosophical problems, as the correlations predicted by quantum mechanics and observed in
experiment reject the principle of local realism, which states that information about the state of a
system should only be mediated by interactions in its immediate surroundings.
Quantum computing
Quantum computers are still a dream yet to come true; however, there are already known some
applications, with a serious implication on current cryptography standards. For example, quantum
computer is theoretically able to solve problem of factorization (basis of RSA cryptosystem) in
polynomial time using a probabilistic algorithm invented by Peter Shor, that computes factors in
O((log n)
3
) and O( log n) space, where n is a product of two prime numbers.
Qubit
Qubit (qbit), an acronym for quantum bit, is a unit of quantum information, first invented
by Brian W. Schumacher, that found a way how a quantum state can represent an
information (Schumacher compression). Quantum information is described by a state
vector in a two-level quantum mechanical system, formally equivalent to a two-
dimensional vector space over the complex numbers. A qubit differs from classical bit in a way, that
80
qubit, similarly to bit, has only two possible values a 0 or a 1, but in a given time can be 0, 1, or a
superposition of both. 0 and 1 are called base states.
Formally, 0 and 1 state is usually presented in a Dirac (bra-ket) form, 0 (ket 0) and 1 (ket 1).
Pure qubit state is their linear superposition, =o0+1
, where o and are complex
probability amplitudes and o
2
+
2
=1 . Qubit can be simultaneously in all available states,
however, any attempt to measure the state causes the qubit to collapse into one of two base states.
Base states are obtained according to probability there is a o
2
probability of achieving 0 and
2
probability of obtaining 1.
Another important property of qubit lies in entanglement; the maximally entangled quantum state of
two qubits, called Bell state, can be described as:
1
+
=
1
.(2)
(
0
A
0
B
+1
A
1
B
)
=
1
.(2)
(00+11)
,
where denotes tensor product. Even if Alice possesses one qubit and Bob the other, as those
qubits were entangled and are now spatially separated, they still exhibit perfect correlations.
Quantum cryptography principles
Polarized photons
In 1984, Charles H. Bennet and Gilles Brassard proposed the first method how to
implement a cryptographic scheme employing quantum theory. The scheme,
known as BB84, uses pulses of polarized light, one photon per pulse. Scheme
uses two types of polarization, rectilinear and diagonal (or circular). Rectilinear
can be either vertical or horizontal, diagonal (circular) can be left-handed or
right-handed. Using any type of polarization, a bit can be encoded e.g. vertical and left-handed
polarizations as 1, horizontal and right-handed as 0. To generate a random key, Alice must send
polarizations with equal probability. To mislead Eve, Alice has to choose between alternative
rectilinear and circular polarizations.
Entangled photons
In 1991, Arthur Ekert proposed a scheme that uses entangled pairs of photons. These
photons are prepared by either Alice, Bob or any other source different from them, such
as Eve. The photons are distributed so that both Alice and Bob each receive one photon
from each pair.
The scheme is based on three properties of entanglement:
First property allows to utilize the fact, that it is possible to make entangled states that are perfectly
correlated. That means that if Alice and Bob both test whether their particles have vertical or
horizontal polarizations, they will always get opposite answers. Similarly, the same opposite result
are obtained if they measure any other pair of complementary orthogonal polarizations. Their
individual results are, however, completely random, as they can not predict whether they obtain
vertical or horizontal polarization.
Second property is often called quantum non-locality, and causes the correlation between the
measurements of Alice and Bob. These correlations are not perfect, however, there is more than
50% probability that Alice can correctly deduce Bob's measurements from her own measurements
and vice versa. These correlations are even stronger that any model based on classical physics or
ordinary intuition would predict.
81
Third property is related to eavesdropping; any attempt at eavesdropping by Eve weakens these
correlations and Alice and Bob can detect changes in the correlations.
Classical cryptography versus quantum cryptography
As the classical cryptography is based on difficult mathematical problems, whereas quantum
cryptography is based upon properties of subatomic particles, there are some fundamental
differences in outcomes of these two types of cryptography.
Privacy amplification
Quantum cryptography protocols allow Alice and Bob to generate and share random keys that are
very similar (under perfect conditions identical), but there will be an error rate. They allow Alice
and Bob to estimate the level of eavesdropping. It is possible to estimate maximum amount of
information Eve can have about their shared key. Eve however should be prevented from obtaining
some parts of the key, when they result in obtaining a critical part of a message. Another disturbing
fact is that the channel noise cannot be distinguished from eavesdropping, therefore it must be
regarded as an attempt to eavesdrop.
Privacy amplification is a cryptographic version of error correction. It allows Alice and Bob to
start with similar shared random keys about which Eve has some information and then shorten these
keys which are thereafter identical and about which Eve has no information whatsoever.
Privacy amplification can be used in both the Bennett-Brassard and Ekert schemes, although the
Ekert's entanglement-based cryptography allows privacy amplification to be performed directly at
the quantum level. Alongside to being more efficient, it also brings the possibility to transmit
quantum cryptography over arbitrarily long distances using quantum repeater stations.
No deniability
Bennett and Brassard's scheme has a deniability limitation. Even as this scheme can be used to
create one time pad keys and achieve perfect security, it may affect one time pad's deniability
property, i.e. Alice may encrypt a message with one key but after sending the ciphertext pretend that
the message was a different one, encrypted with a different key.
Reason for deniability lies in a possible eavesdropping; Eve that listens to a small portion of the key
exchange (and therefore probably disturbs a few bits, but not enough to invalidate the protocol) will
know what has happened in a limited number of bits exchanged. If Alice and Bob have to reveal
what was sent and the key used, Alice and Bob must change the key, therefore must alter their
records which were used to obtain it, in order to deny the message. But there is non-zero probability
that Eve has successfully listened to a parts of their records they changed and therefore know that
the key they are pretending to have used is not correct.
The problem is closely related to the impossibility of a bit commitment (Age problem) using
quantum protocols.
Attacks
Man in the Middle attacks, as known from the classical cryptograpy cannot occur in quantum
cryptography due to the observer effect. If Mallory tries to intercept the stream of photons, she will
alter them with some probability. She then cannot re-emit the photons correctly to Bob, as her
measurement destroyed the information about photon's state and entanglement.
Entangled photons scheme is virtually impossible to hijack, because creating three entangled
photons would decrease the strength of each photon and this could be easily detected. Mallory
cannot use a man-in-the-middle attack as she has to measure an entangled photon and disrupt the
other photon and then re-emit both photons. The laws of quantum physics disallow this.
82
However, there are different versions of man-in-the-middle attacks that are still applicable in quantum
cryptography. For example, if Eve pretends to be Alice to Bob and vice versa, she can perform
quantum key negotiations with both sides simultaneously, using two different keys. This attack
fails if both sides can verify each other's identity.
A denial-of-service (DoS) attack can easily be performed by cutting a dedicated fiber optic line or by
attempting to tap it.
A random number generator attack can be performed if the equipment used to generate the keys
can be tampered with.
Polarization schemes are also susceptible to an attack proposed by Adi Shamir. Mallory sends a
large pulse of light back to Alice in between the transmitted photons. Alice's equipment inevitably
reflects some of Mallory's light back. This reflected light is polarized, since Alice's equipment was in some
polarization state; Mallory can therefore try to measure the reflected photons and extract the state of Alice's
polarizer.
Quantum key distribution (QKD)
Quantum cryptography can solve the problem the one-time pad faced when used with
classical cryptography: the requirement to safely transmit a key of the same length as the message
prior to encrypting the message. Quantum cryptography can be used to exchange or distribute
shared secret keys between the participants of a communication, forcing a potential eavesdropper to
become an active participant in the communication and increasing the chances of detecting any unwanted
activity. The quantum channel is used to exchange or distribute keys, whereas the transmission
itself can be done using a one-time pad, achieving perfect secrecy. Keys can be changed on the
fly, at any moment, making successful eavesdropping even harder to achieve.
BB84 quantum coding scheme
The BB84 quantum coding scheme was the first proposed quantum encoding of classical
information such that the receiver (legitimate or illegitimate) cannot recover the information with 100%
reliability. It is the basic tool most quantum protocols are built upon.
The BB84 coding scheme makes a correspondence between classical bits and quantum states. Each
classical bit corresponds to two equally probable, mutually non-orthogonal quantum states, one in
each basis. One representation looks as follows: we denote by $|0_+\rangle$ and $|1_+\rangle$ the
states related to the rectilinear basis, whereas the states for the diagonal basis will be denoted
$|0_\times\rangle$ and $|1_\times\rangle$. In some literature, a circular basis is used instead of the diagonal one.
Information to be sent over the quantum channel is encoded by transmitting photons in particular
polarization states; the direction of the polarization encodes a classical bit. The BB84 coding scheme
has two basis states representing the classical 0, which is encoded either by a photon with
horizontal polarization or by a photon polarized at 45° to the horizontal direction.
The remaining orthogonal states, i.e. vertical and 135° polarization, encode the classical 1.
The laws of quantum mechanics state that it is impossible to distinguish two non-orthogonal
quantum states with certainty. In order to distinguish such states, a quantum measurement must be
performed, providing a classical output that tries to identify the received state. The obliviousness of the
transmitted information provides the cryptographic properties needed in quantum cryptography.
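This indistinguishability can be made concrete with a small numerical check (an illustrative sketch, not part of the source; `polarization_state` and `overlap` are hypothetical helpers): two states of the same basis are orthogonal, while a rectilinear and a diagonal state overlap with probability 1/2.

```python
import math

def polarization_state(angle_deg):
    """Linear polarization state at the given angle, as a real 2-vector."""
    a = math.radians(angle_deg)
    return (math.cos(a), math.sin(a))

def overlap(u, v):
    """Squared inner product |<u|v>|^2: probability of confusing v with u."""
    return (u[0] * v[0] + u[1] * v[1]) ** 2

zero_plus = polarization_state(0)    # |0+>  horizontal
one_plus  = polarization_state(90)   # |1+>  vertical
zero_diag = polarization_state(45)   # |0x>  diagonal

# Orthogonal states within one basis are perfectly distinguishable ...
assert overlap(zero_plus, one_plus) < 1e-12
# ... but states from different bases overlap with probability 1/2:
# a rectilinear measurement of |0x> yields either outcome equally often.
assert abs(overlap(zero_plus, zero_diag) - 0.5) < 1e-12
```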
The following measurements will be used for the description of the BB84 coding scheme described
below:
denotes a measurement in rectilinear basis, the Von Neumann measurement allowing to
distinguish between 0
+
and 1
+
states.
denotes a measurement in diagonal basis, the Von Neumann measurement allowing to
distinguish between 0
x
and 1
x
states.
Algorithm
Alice wants to send a secret key to Bob. She therefore generates a random key of $n$ bits $\{a_i\}$
and also a vector $\{b_i\}$ containing the decisions which type of polarization basis (rectilinear or
diagonal) to use for each bit. She then encodes these two vectors as a string of $n$ qubits:

$$|\psi\rangle = \bigotimes_{i=1}^{n} |\psi_{a_i b_i}\rangle,$$

where each qubit can be in one of the following four states (depending on $a_i b_i$):
$$|\psi_{00}\rangle = |0_+\rangle$$
$$|\psi_{10}\rangle = |1_+\rangle$$
$$|\psi_{01}\rangle = |0_\times\rangle = \tfrac{1}{\sqrt{2}}\,|0_+\rangle + \tfrac{1}{\sqrt{2}}\,|1_+\rangle$$
$$|\psi_{11}\rangle = |1_\times\rangle = \tfrac{1}{\sqrt{2}}\,|1_+\rangle - \tfrac{1}{\sqrt{2}}\,|0_+\rangle$$
The qubits are now in states that are not mutually orthogonal; thus it is not possible to distinguish
them with certainty without prior knowledge of $b_i$.
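The encode-measure-sift procedure can be sketched with a toy classical simulation (illustrative only; `bb84_sift` is a hypothetical helper, and qubits are modelled by the rule that a measurement in the wrong basis yields a random bit):

```python
import random

def bb84_sift(n=2000, seed=7):
    """Toy BB84 run with no eavesdropper: encode, measure, sift.

    Returns Alice's and Bob's sifted keys; without Eve they must agree.
    A measurement in the preparation basis reproduces the bit; a
    measurement in the other basis gives a uniformly random outcome.
    """
    rng = random.Random(seed)
    a = [rng.randint(0, 1) for _ in range(n)]      # Alice's key bits {a_i}
    b = [rng.randint(0, 1) for _ in range(n)]      # Alice's bases    {b_i}
    b_bob = [rng.randint(0, 1) for _ in range(n)]  # Bob's random bases
    results = [a[i] if b[i] == b_bob[i] else rng.randint(0, 1)
               for i in range(n)]
    # Sifting: bases are compared publicly, matching positions are kept.
    alice_key = [a[i] for i in range(n) if b[i] == b_bob[i]]
    bob_key = [results[i] for i in range(n) if b[i] == b_bob[i]]
    return alice_key, bob_key

alice_key, bob_key = bb84_sift()
assert alice_key == bob_key   # no eavesdropper: sifted keys agree
# Roughly half of the positions survive sifting, since Bob guesses
# Alice's basis correctly with probability 1/2.
```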
Alice thereafter sends

$$D_0 = \tfrac{1}{\sqrt{2}}\left(|0\rangle_1\,|\tfrac{3\pi}{6}\rangle_2 - |\tfrac{3\pi}{6}\rangle_1\,|0\rangle_2\right)$$
$$D_1 = \tfrac{1}{\sqrt{2}}\left(|\tfrac{\pi}{6}\rangle_1\,|\tfrac{4\pi}{6}\rangle_2 - |\tfrac{4\pi}{6}\rangle_1\,|\tfrac{\pi}{6}\rangle_2\right)$$
$$D_2 = \tfrac{1}{\sqrt{2}}\left(|\tfrac{2\pi}{6}\rangle_1\,|\tfrac{5\pi}{6}\rangle_2 - |\tfrac{5\pi}{6}\rangle_1\,|\tfrac{2\pi}{6}\rangle_2\right)$$
For each of these linear polarization states, the mutually non-orthogonal alphabets $A_0$, $A_1$ and
$A_2$ can be constructed, mapping the states to classical bits:

$$A_0: \; |0\rangle = 0, \quad |\tfrac{3\pi}{6}\rangle = 1$$
$$A_1: \; |\tfrac{\pi}{6}\rangle = 0, \quad |\tfrac{4\pi}{6}\rangle = 1$$
$$A_2: \; |\tfrac{2\pi}{6}\rangle = 0, \quad |\tfrac{5\pi}{6}\rangle = 1$$
For each of these alphabets, the corresponding measurement operators $M_0$, $M_1$ and $M_2$ are
constructed:

$$M_0: \; |0\rangle\langle 0|$$
$$M_1: \; |\tfrac{\pi}{6}\rangle\langle\tfrac{\pi}{6}|$$
$$M_2: \; |\tfrac{2\pi}{6}\rangle\langle\tfrac{2\pi}{6}|$$
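The structure of these alphabets can be checked numerically: within each alphabet $A_j$ the two states (at angles $j\pi/6$ and $j\pi/6 + 3\pi/6$) are orthogonal, while states belonging to different alphabets overlap. A small sketch (illustrative, not from the source; the helper names are hypothetical):

```python
import math

def lin(theta):
    """Linear polarization state at angle theta, as a real 2-vector."""
    return (math.cos(theta), math.sin(theta))

def overlap(u, v):
    """Squared inner product |<u|v>|^2."""
    return (u[0] * v[0] + u[1] * v[1]) ** 2

pi = math.pi
# Alphabet A_j consists of the states at angles j*pi/6 and j*pi/6 + pi/2.
alphabets = {j: (lin(j * pi / 6), lin(j * pi / 6 + pi / 2)) for j in range(3)}

# Within one alphabet the states are orthogonal -> perfectly distinguishable.
for s0, s1 in alphabets.values():
    assert overlap(s0, s1) < 1e-12

# Across alphabets they are non-orthogonal,
# e.g. |<0 | pi/6>|^2 = cos^2(pi/6) = 3/4.
assert abs(overlap(alphabets[0][0], alphabets[1][0]) - 0.75) < 1e-12
```

This non-orthogonality between alphabets is what prevents an eavesdropper from reliably decoding a state without knowing which alphabet was used.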