
© 2006 Peter Škvarenina

I would like to thank Martin Stanek for his excellent cryptology lectures at the Faculty of Mathematics, Physics and Computer Science of the Comenius University, for his willingness to allow the use of translations of some parts of his lectures within this book and for his encouraging and helpful comments during the preparation of this book.
Futurama series characters used in this book are © Matt Groening.
All graphics in this book are either the work of the author or were obtained from the Internet and are believed to come from public-domain sources.
Table of Contents
Cryptology basics................................................................................................................................6
Encryption and decryption...............................................................................................................6
Cryptanalysis characters.................................................................................................................. 7
A little about the history of cryptology.............................................................................................8
4000 BCE - Egypt, Menet-Khufu - Khnumhotep II tomb inscriptions........................................... 8
500 BCE - Greece, Sparta - Scythale, transposition cipher............................................................. 8
100 BCE - Substitution cipher......................................................................................................... 9
1466 CE - Polyalphabetic cipher, Vigenère square......................................................... 9
1914-1918 CE - One-time pad, Vernam cipher............................................................................. 10
1976 CE - Public key cryptography...............................................................................................11
1984 CE - Quantum cryptography.................................................................................................12
Basic ciphers......................................................................................................................................13
Simple substitution cipher............................................................................................................. 13
Permutation cipher......................................................................................................................... 15
Vernam cipher (one-time pad)....................................................................................................... 16
Vigenère cipher..............................................................................................................16
Types of attacks............................................................................................................................. 20
Symmetric cryptography................................................................................................................. 21
Block and stream ciphers............................................................................................................... 21
Modes of operation........................................................................................................................ 21
ECB (Electronic Code Book)....................................................................................................22
CBC (Cipher Block Chaining).................................................................................................. 22
OFB (Output Feedback)............................................................................................................23
CFB (Cipher Feedback)............................................................................................................ 23
Iterated ciphers...............................................................................................................................24
Cipher standards............................................................................................................................ 24
Feistel ciphers........................................................................................................................... 25
DEA / DES (Data Encryption Algorithm / Standard)...............................................................25
Multiple encryption...................................................................................................................27
2TDES.......................................................................................................................................27
Meet in the Middle attack................................................................................................. 27
Triple DES (TDES / TDEA / 3TDES / 3DES)......................................................................... 27
AES (Advanced Encryption Standard / Rijndael).....................................................................28
IDEA (International Data Encryption Algorithm).................................................................... 30
Blowfish.................................................................................................................................... 31
Asymmetric cryptography............................................................................................................... 33
Basics of asymmetric (public key) cryptography.......................................................................... 33
Hybrid encryption.......................................................................................................................... 33
Asymmetric protocols....................................................................................................................34
RSA........................................................................................................................................... 34
Correctness of RSA.............................................................................................................. 35
Security of RSA....................................................................................................................38
Elgamal .......................................................................................................................... 39
Correctness of Elgamal........................................................................................................ 39
Rabin ................................................................................................................................40
Security of Rabin..................................................................................................................40
Diffie-Hellman key exchange (DH)..........................................................................................41
Man in the Middle attack.................................................................................................. 41
Other asymmetric cryptosystems............................................................................... 42
Merkle-Hellman................................................................................................................... 42
Paillier.................................................................................................................................. 42
Cryptographic hash functions......................................................................................................... 43
Use of cryptographic hash function............................................................................................... 43
Commitment scheme.................................................................................................................43
Message integrity...................................................................................................................... 43
Cryptographic hash function properties and weaknesses.............................................................. 43
One-way function......................................................................................................................44
Weakly collision-free hash function (second preimage resistance).......................................... 44
Strongly collision-free hash function (collision resistance)......................................................44
Birthday attack.......................................................................................................................... 44
Probability computation....................................................................................................... 44
The attack............................................................................................................................. 45
Replay attack.............................................................................................................................45
Construction of cryptographic hash functions............................................................................... 46
Constructions from block ciphers............................................................................................. 46
Iterated hash functions..........................................................................................................46
Merkle-Damgård construction.........................................................................47
Construction of compression function................................................................................. 47
Davies-Meyer scheme..................................................................................................... 47
Matyas-Meyer-Oseas scheme.......................................................................................... 47
Miyaguchi-Preneel...........................................................................................................48
Contemporary cryptographic hash functions................................................................................. 48
Message Digest Algorithm 5 - MD5.........................................................................................48
Secure Hash Algorithm - SHA..................................................................................................51
Whirlpool.................................................................................................................................. 54
Message Authentication Code (MAC).......................................................................................... 55
CBC-MAC................................................................................................................................ 56
HMAC.......................................................................................................................................56
Preserving confidentiality with MAC....................................................................................... 56
Digital signatures.............................................................................................................................. 58
Electronic signatures......................................................................................................................58
Reasons to use digital signatures................................................................................................... 58
Public key digital signatures.......................................................................................................... 59
Relation to common law................................................................................................................ 60
Digital signature schemes.............................................................................................................. 61
Elgamal scheme........................................................................................................................ 61
Digital Signature Standard (DSS)............................................................................................. 61
RSA scheme......................................................................................................................... 62
Digital Signature Algorithm (DSA)..................................................................................... 62
Blind signatures............................................................................................................................. 64
RSA blind signature scheme..................................................................................................... 64
Public key infrastructure (PKI)...................................................................................................... 65
Certificates and certification authorities........................................................................................ 65
Benefits of public key infrastructure............................................................................................. 65
Planning a public key infrastructure.............................................................................................. 66
Structure of a public key infrastructure......................................................................................... 67
Trust models.................................................................................................................................. 67
Cross-certification..........................................................................................................................67
X.509 Public Key Infrastructure Standard.....................................................................................68
Cryptographic protocols.................................................................................................................. 69
Diffie-Hellman key-exchange protocol......................................................................................... 70
Modified Diffie-Hellman key-exchange protocol using certification authorities......................... 71
Station to Station protocol............................................................................................................. 71
Interlock protocol...........................................................................................................................71
Otway-Rees protocol..................................................................................................................... 72
Needham-Schroeder protocol........................................................................................................ 73
Needham-Schroeder public-key protocol...................................................................................... 74
Yahalom protocol.......................................................................................................................... 75
Denning-Sacco protocol................................................................................................................ 75
Wide Mouth Frog protocol............................................................................................................ 76
Modified Wide Mouth Frog protocol............................................................................................ 77
Kerberos protocol.......................................................................................................................... 77
Agora protocol............................................................................................................................... 78
Cryptographic protocol construction security advice.....................................................79
Quantum cryptography................................................................................................................... 80
Quantum theory basics...................................................................................................................80
Quantum cryptography principles................................................................................................. 81
Polarized photons...................................................................................................................... 81
Entangled photons.....................................................................................................................81
Classical cryptography versus quantum cryptography.................................................................. 82
Privacy amplification................................................................................................................ 82
No deniability............................................................................................................................82
Attacks...................................................................................................................................... 82
Quantum key distribution (QKD).................................................................................................. 83
BB84 quantum coding scheme................................................................................................. 83
Algorithm............................................................................................................................. 84
Example without eavesdropping.......................................................................................... 85
Example with eavesdropping............................................................................................... 85
B92 quantum coding scheme.................................................................................................... 87
Einstein-Podolsky-Rosen (EPR) protocol.................................................................87
Practical implementations..............................................................................................................89
Elliptic curve cryptography.............................................................................................................90
Cryptographic schemes..................................................................................................................91
Trusted Computing.......................................................................................................................... 92
Trust............................................................................................................................................... 92
Concepts of trusted computing...................................................................................................... 92
Controversy....................................................................................................................................93
Owner override.............................................................................................................................. 94
Secure bootstrap.............................................................................................................................95
Hardware boot process verification............................................................................................... 97
Virtualization technologies in trusted computing.......................................................................... 98
Digital Rights Management........................................................................................................... 99
Literature........................................................................................................................................ 101
Cryptology basics
Cryptology is a scientific field concerned with mathematical and physical techniques for securing
information during communication. In its early years, cryptology was concerned mainly with the
construction of methods for preserving privacy, i.e. ciphers. As technology developed, the scope of
the field widened substantially and now includes other security requirements, such as integrity,
authorship verification, authentication protocols, digital signatures, electronic elections, etc.
Cryptology can be divided into two basic parts:
cryptography - the art of constructing ciphers (algorithms, protocols)
cryptanalysis - the art of breaking ciphers and preventing attacks
Encryption and decryption
The objective of encryption is to transform input data into a form unrecognizable to a potential
attacker, who must not be able to reconstruct their original state. It is also required that authorized
recipients be able to reconstruct the original data from the encrypted form. Input data in their
original form are called the plaintext. The transformation process is called encryption
and is realized by an encryption algorithm (function), the cipher. The result of encryption is called
the ciphertext. The encryption algorithm can also be parametrized by another input, the encryption key,
which is independent of the plaintext.
The inverse transformation (ciphertext to plaintext) is called decryption and is realized by a
decryption algorithm (also parametrized by the key).
Formal notation
Let P, C, K be finite sets:
P - the set of all plaintexts
C - the set of all ciphertexts
K - the set of encryption keys
We say that a function $E: P \times K \to C$ is an encryption function iff there exists a function
$D: C \times K \to P$ such that the following holds:
$\forall k \in K\ \forall p \in P : D(E(p, k), k) = p$
The tuple (E, D) then forms an encryption system.
In other words, E is an encryption function only if a correct decryption function D exists.
[Figure: the plaintext and the key enter the encryption algorithm, which outputs the ciphertext.]
Cryptanalysis characters
As a part of cryptanalysis culture, the roles of participants in secured communication have been
given unique names that quickly blended with the rest of the jargon.
These names were chosen by Ron Rivest for the 1978 Communications of the ACM
article presenting the RSA cryptosystem.
Alice - wants to send a message to Bob
Bob - receiver of Alice's messages
Eve - eavesdropper, only listens to the communication between Alice and Bob
Mallory - malicious attacker, listens to and modifies the communication between Alice and Bob
Oscar - opponent, same as Mallory
A little about the history of cryptology
4000 BCE
Egypt, town Menet-Khufu; hieroglyphic inscriptions on the tomb of nobleman Khnumhotep II,
written with a number of unusual symbols to confuse or obscure the meaning of the inscriptions.
500 BCE
Sparta, Greece; the first cryptographic device, called the scythale.
A wooden cylinder; both the sender and the receiver of a message owned a scythale of the same
diameter. To prepare an encrypted message, a narrow strip of parchment was wound around the
scythale and the message was written along the rows, with subsequent characters in consecutive
columns. The unwound strip then displayed a sequence of meaningless letters, suitable for transport.
To decipher the message successfully, the strip had to be re-wound onto a scythale of the same
diameter.
Let's demonstrate the functionality of the scythale on a message sent by a Spartan outpost concerning the
leader of Athens, Pericles:
Plaintext: PERICLE ENTERED SPARTA
Scythale (four letters per turn of the strip, written row by row):
P E R I
C L E E
N T E R
E D S P
A R T A
Reading the unwound strip column by column gives the
Ciphertext: PCNEAELTDRREESTIERPA
This is the first known occurrence of a transposition cipher in history. The letters remain the same,
but their order is shuffled.
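The scythale transposition described above, as an added example (not code from the book): the number of letters per turn of the strip, i.e. the rod diameter, is the only secret, and the grid of the example above is reproduced exactly. The padding letter and the helper names are assumptions.

```python
"""Scythale (scytale) transposition cipher: the rod diameter decides how many
letters fit on one turn of the strip, and that count is the only secret.
Added example, not code from the book."""

FILLER = "X"  # assumed padding letter so the last turn of the strip is full


def _letters_only(text: str) -> str:
    """Keep letters only; the book's example drops the spaces."""
    return "".join(c for c in text.upper() if c.isalpha())


def scythale_encrypt(plaintext: str, columns: int) -> str:
    """Write the message in rows of `columns` letters, read the unwound strip column by column."""
    letters = _letters_only(plaintext)
    if len(letters) % columns:
        letters += FILLER * (columns - len(letters) % columns)
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    # Unwinding the strip reads every row's first letter, then every row's second letter, ...
    return "".join(row[col] for col in range(columns) for row in rows)


def scythale_decrypt(ciphertext: str, columns: int) -> str:
    """Re-wind the strip on a rod of the same diameter and read row by row."""
    if len(ciphertext) % columns:
        raise ValueError("ciphertext length is not a multiple of the letters per turn")
    rows = len(ciphertext) // columns
    # Column `col` of the grid is the contiguous slice ciphertext[col*rows:(col+1)*rows].
    cols = [ciphertext[i:i + rows] for i in range(0, len(ciphertext), rows)]
    return "".join(cols[col][row] for row in range(rows) for col in range(columns))


def letter_counts_preserved(plaintext: str, ciphertext: str) -> bool:
    """A transposition only reorders letters, so letter frequencies survive;
    that is what distinguishes it from a substitution in cryptanalysis."""
    return sorted(_letters_only(plaintext)) == sorted(ciphertext)


def try_all_diameters(ciphertext: str, max_columns: int) -> dict:
    """Re-wind on every plausible rod (every divisor of the length): the key space is tiny."""
    return {c: scythale_decrypt(ciphertext, c)
            for c in range(2, max_columns + 1) if len(ciphertext) % c == 0}
```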
100 BCE
Gaivs Ivlivs Caesar, the first appearance of a substitution cipher. Messages were encoded by
substituting each letter of the text with the one three positions to the right: A became D, etc.
(The classical Latin alphabet shown below has 23 letters: there is no J, U or W.)
Plaintext alphabet:  A B C D E F G H I K L M N O P Q R S T V X Y Z
Ciphertext alphabet: D E F G H I K L M N O P Q R S T V X Y Z A B C
Decipher alphabet:   X Y Z A B C D E F G H I K L M N O P Q R S T V
Let's demonstrate the usage of Caesar's shift:
Plaintext:  VENI VIDI ET OCCVLOS MEOS CREDERE NON POTVI
Ciphertext: ZHQMZMGMHYRFFZORXPHRXFVHGHVHQRQSRYZM
1466 CE
Leon Battista Alberti, the invention of polyalphabetic ciphers, followed
in 1586 by Blaise de Vigenère with his Vigenère square, at the
time considered le chiffre indéchiffrable (the indecipherable cipher).
Polyalphabetic ciphers transform a plaintext character into different
ciphertext characters according to its position in the plaintext, using
an encryption key.
The Vigenère square is a 26x26 table whose rows are consecutive Caesar shifts of the
alphabet. Thus the first row contains the original alphabet, the second row the alphabet
shifted by 1, the third row the alphabet shifted by 2, etc.
The plaintext is encrypted using a different row (Caesar shift) for each character. The row is
determined by the encryption key. The key is extended to the length of the message by repeating
it (this can be represented by spelling out the keyword above the plaintext message). Each
character of the plaintext is then encrypted as the character that lies in the Vigenère square at
the intersection of the column headed by the plaintext character and the row headed by the
matching key character.
Example: we would like to encrypt the plaintext message 'MEETING STARTS AT EIGHT' using the
encryption key 'RADS'.
Repeated key: RADSRADSRADSRADSRADS
Plaintext:    MEETINGSTARTSATEIGHT
Ciphertext:   DEHLZNJKKAULJAWWZGKL
Although considered an uncrackable cipher for over 150 years, in 1854 Charles Babbage
introduced a statistical method that successfully breaks the Vigenère cipher. The method was
later (1863) formalized by Friedrich Kasiski, a major in the Prussian army, and is now known as
the Kasiski test.
The principle of the Kasiski test lies in the observation that the same groups of plaintext characters
encrypt into the same ciphertext characters when their positions differ by a multiple of the length of
the keyword. Therefore, the essential step is to find all repeated groups of characters in the ciphertext.
In principle, the weakness is the repetition of the key.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Vigenre square
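An added example (not code from the book) covering the Caesar and Vigenère examples above and the Kasiski test: one routine implements Caesar's shift as a one-letter Vigenère key over the 23-letter Latin alphabet, and the Kasiski part measures the distances between repeated ciphertext trigrams, which are multiples of the key length. The 36-letter sample message and the function names are constructed here.

```python
"""Vigenère cipher (Caesar's cipher with a multi-letter key) and the Kasiski
test.  Added example, not code from the book."""
from collections import Counter, defaultdict

LATIN = "ABCDEFGHIKLMNOPQRSTVXYZ"        # Caesar's 23-letter alphabet (no J, U, W)
ENGLISH = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere(text: str, key: str, alphabet: str = ENGLISH, decrypt: bool = False) -> str:
    """Shift each letter by the alphabet index of the matching key letter.

    Row k of the Vigenère square is the alphabet shifted by k, so looking up the
    plaintext column in the key letter's row is addition modulo the alphabet
    size.  A one-letter key (e.g. "D", index 3) is Caesar's shift.  Characters
    outside the alphabet are dropped, as in the book's examples.
    """
    n = len(alphabet)
    shifts = [alphabet.index(k) for k in key.upper()]
    out, i = [], 0
    for c in text.upper():
        if c not in alphabet:
            continue
        s = -shifts[i % len(shifts)] if decrypt else shifts[i % len(shifts)]
        out.append(alphabet[(alphabet.index(c) + s) % n])
        i += 1
    return "".join(out)


def kasiski_distances(ciphertext: str, n: int = 3) -> list:
    """Distances between repeated n-grams of the ciphertext.

    Identical plaintext fragments give identical ciphertext only when they fall
    under the same key letters, i.e. when their distance is a multiple of the
    key length; chance repeats can still add noise.
    """
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return [b - a for pos in positions.values() for a, b in zip(pos, pos[1:])]


def key_length_candidates(distances: list, max_len: int = 20) -> Counter:
    """For each candidate key length, how many repeat distances it divides.

    The true length scores highest, but so do its divisors and multiples;
    which of them is right is settled afterwards by frequency analysis of
    each key column.
    """
    counts = Counter()
    for d in distances:
        for length in range(2, max_len + 1):
            if d % length == 0:
                counts[length] += 1
    return counts


# Constructed sample: a phrase repeated 24 positions apart (a multiple of the
# key length 4), so its encryption repeats in the ciphertext.
SAMPLE_PLAINTEXT = "ATTACKATDAWNREGROUPSOUTHATTACKATDAWN"
SAMPLE_KEY = "RADS"
```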
1914-1918 CE (World War I)
Joseph Mauborgne, a major in the US Army, the first randomized cipher, the one-time pad. The first and
to date the only cipher system with the property of perfect secrecy, i.e. the ciphertext gives
absolutely no additional information about the plaintext (proved by Claude Shannon).
A variation of the Vigenère cipher that employs randomized keys: the randomness of the key is
carried into the ciphertext, which prevents the discovery of repetitive patterns in the ciphertext.
The a priori probability of a plaintext message is the same as the a posteriori probability of that
plaintext message given the corresponding ciphertext; in fact all plaintexts are equally probable.
This is a strong notion of cryptanalytic difficulty.
1917 CE
Gilbert Sandford Vernam, co-inventor of the one-time pad (U.S. Patent 1310719), also called the Vernam
cipher or XOR cipher.
Each plaintext is XORed with a randomly generated stream of data of the same length to produce the
ciphertext.
The problem of transporting the plaintext securely turns into the problem of transporting securely a
key of the same length, i.e. the problem recurs.
Contemporary usage includes a wide range of applications. The Vernam cipher is now part of RC4, the
Rivest Cipher 4 (ARCFOUR), heavily used in Wi-Fi (WEP and WPA) and SSL.
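The Vernam cipher as an added example (not code from the book): XOR with a fresh random key, the bit pattern from the figure of this section, and the argument for perfect secrecy, namely that any plaintext of the same length is explained by some equally likely key. The last function shows what reusing a pad gives away, which is why the key must be used once. Function names and the sample messages are constructed here.

```python
"""One-time pad (Vernam cipher).  Added example, not code from the book."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key(length: int) -> bytes:
    """Fresh random key from the OS CSPRNG; each key is used for one message only."""
    return secrets.token_bytes(length)


def xor_bits(a: str, b: str) -> str:
    """XOR of two equal-length '0'/'1' strings, as in the bit diagram of this section."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be equal-length binary strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def key_that_explains(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """The key under which `ciphertext` decrypts to `claimed_plaintext`.

    Such a key always exists and is exactly as likely as the real one, so the
    ciphertext carries no information about which plaintext was sent: this is
    the perfect secrecy described above.
    """
    return xor_bytes(ciphertext, claimed_plaintext)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same pad: c1 XOR c2 equals p1 XOR p2, the key cancels.

    Perfect secrecy holds only for a key used once; this is the value a
    reviewer checks for when auditing a stream-cipher or OTP deployment.
    """
    return xor_bytes(c1, c2)
```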
1976 CE
Whitfield Diffie, Martin Hellman, the dawn of public key cryptography
(asymmetric cryptography). Each participant has two keys, a private and a public
key. The public key is usually distributed to anyone willing to send an
encrypted message, and it locks the message; the private key
unlocks it. The sender encrypts the message using the receiver's public
key; the receiver then uses its private key to decipher the encoded message.
Originally, Diffie & Hellman utilized the discrete logarithm problem.
Telephone directory encoding example:
Let's take the telephone directory of a large city (e.g. $2^{512}$ inhabitants). This directory is usually sorted
by name. Assume that Alice wants to send a secure message to Bob. She replaces each
character of her message with the telephone number of a randomly chosen name from the telephone
directory that begins with the character being encoded. Bob is somehow the only person in the world who
also possesses an inverted telephone directory, i.e. a directory sorted by telephone number.
When Alice's message arrives, Bob simply looks up the telephone numbers
in the inverted list and notes the first character of each name. Eve, however, is not able to decipher the
message, as the number of people in the city is far too large for searching through the normal
telephone directory to be feasible.
Vernam cipher: plaintext XOR random key = ciphertext
Plaintext:   1001010010111010110101011
Random key:  1100101001011101110101101
Ciphertext:  0101111011100111000000110
1984 CE
Charles Bennett, Gilles Brassard, quantum cryptography using polarized photons. Instead of
relying on NP-complete problems as public key cryptography does, quantum cryptography relies on the
physical properties of subatomic particles.
Quantum cryptography provides a means of transporting an encryption/decryption key securely between
Alice and Bob. For the rest of the communication, Alice and Bob can then use the one-time pad (Vernam
cipher), which guarantees perfect secrecy.
Therefore, quantum cryptography solves the Catch XXII of classical (mathematically based)
cryptography.
Catch XXII: Before Alice and Bob can communicate in secret, they must first communicate in
secret.
Catch XXII(a): Even if Alice and Bob somehow succeed in communicating their key over a secure
communication channel, there is simply no classical cryptographic mechanism guaranteeing with
total certainty that their key was transmitted securely, i.e., that their secure communication
channel is free of Eve's unauthorized intrusion.
Polarized light scheme
The scheme uses pulses of polarized light, with one photon per pulse. Consider two types of
polarization, linear and circular. Linear polarization can be vertical or horizontal and circular
polarization can be left-handed or right-handed. Any type of polarization of a single photon can
encode one bit of information, for example vertical polarization for "0" and horizontal polarization
for "1", or left-handed polarization for "0" and right-handed polarization for "1". In order to generate
a random key, Alice must send either horizontal or vertical polarization with equal probability. To
keep Eve from successfully eavesdropping, Alice also switches at random to the alternative circular
polarizations, choosing randomly between left-handed and right-handed photons. The security of
this scheme is based on the fact that Eve does not know whether any given pulse codes for 0 or 1
using the linear or the circular polarizations. If Eve tries to measure the state and guesses wrongly,
she will disturb it, and Alice and Bob can monitor for such disturbances to test for possible
eavesdropping and even estimate what fraction of the transmitted key Eve might have obtained.
Bob does not know which polarizations were used for any given pulse either. (Alice could
tell him, but since it has to be kept secret from Eve they would need a cryptographically secure
communication channel to do this, and if they had one they wouldn't need this scheme.) However,
he can guess, and half the time he will get it right. Once the photons are safely received, so that Eve
cannot use the information, Alice can tell him which guesses were right and which were wrong.
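The exchange described above, simulated classically, as an added example that is not part of the original book: photons are represented as (basis, bit) pairs, a wrong-basis measurement returns a random bit, and the error rate of the sifted key is what Alice and Bob compare to detect Eve. The pulse count, the seed and the 10 % detection threshold are assumptions of this example.

```python
"""Classical simulation of the polarized-photon key exchange described above.  Added
example, not the book's code.  A photon is modelled as (basis, bit) with basis "linear"
(vertical/horizontal) or "circular" (left/right-handed); measuring in the wrong basis gives
a random bit and re-prepares the photon, which is the disturbance Alice and Bob look for."""
import random

BASES = ("linear", "circular")

def measure(photon, basis, rng):
    """Correct basis reads the encoded bit; the wrong basis yields a uniformly random bit."""
    encoded_basis, bit = photon
    return bit if basis == encoded_basis else rng.randrange(2)

def exchange(n_pulses, eve_present, seed=1):
    """One key exchange over n_pulses photons.  Returns Alice's and Bob's sifted keys and
    the fraction of sifted bits on which they disagree (the error rate they would estimate
    by comparing a sample of the key over the open channel)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_pulses)]
    alice_bases = [rng.choice(BASES) for _ in range(n_pulses)]   # linear or circular, at random
    bob_bases = [rng.choice(BASES) for _ in range(n_pulses)]     # Bob can only guess
    photons = list(zip(alice_bases, alice_bits))
    if eve_present:
        # Intercept-resend: Eve measures every pulse in a guessed basis and sends on a
        # photon prepared in that basis carrying the bit she read.
        resent = []
        for photon in photons:
            eve_basis = rng.choice(BASES)
            resent.append((eve_basis, measure(photon, eve_basis, rng)))
        photons = resent
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]
    # Sifting: after the photons are received, Alice tells Bob which basis guesses were
    # right (about half) and only those positions are kept; bit values are never disclosed.
    kept = [i for i in range(n_pulses) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in kept]
    bob_key = [bob_bits[i] for i in kept]
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    return alice_key, bob_key, (errors / len(kept) if kept else 0.0)

def eavesdropping_detected(error_rate, threshold=0.1):
    """Without Eve the sifted keys agree exactly.  Eve guesses the wrong basis on half of the
    pulses and randomises those bits, so about a quarter of the sifted key disagrees; a rate
    above the (assumed) threshold means the key must be discarded."""
    return error_rate > threshold

if __name__ == "__main__":
    for eve in (False, True):
        a, _, rate = exchange(2000, eve_present=eve)
        print(f"Eve present: {eve}  sifted bits: {len(a)}  error rate: {rate:.3f}  "
              f"detected: {eavesdropping_detected(rate)}")
```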
[Figure: public key cryptography illustrated with a telephone directory. Alice encrypts the plaintext "Hi Bob" with Bob's public key, a directory sorted by name (Bender, Charles 913; Brainiac, Mark 017; Henin, Paulette 524; Irving, John 245; O'Reily, Jim 175), giving the ciphertext 524 245 017 175 913. Bob decrypts with his private key, the same directory sorted by number.]
Basic ciphers
Simple substitution cipher
The cipher first introduced by Caesar and extended and developed in later centuries is now known
as the substitution cipher.
The simple substitution cipher encodes messages by changing the order of the characters in the
ciphertext alphabet. Both the plaintext and the ciphertext use the same set of characters (referred to
as an alphabet), but the order of the ciphertext alphabet is a permutation of the order of the plaintext
alphabet. If we assume that the typical English alphabet consists of 26 characters, the total number
of possible ciphertext alphabets is 26! (approximately 4E24), far too many for an exhaustive search
attack to be feasible.
Formally, we can express the simple substitution cipher as follows:
Let A (or P) be the plaintext alphabet and C the ciphertext alphabet (the same as A). Let K be the set
of all keys, i.e. the set of all bijections from A to A (so k(A) is one particular permutation of A obtained
with the key k from K). Then the encryption and decryption functions are defined as
$E_k(p) = k(p)$
$D_k(c) = k^{-1}(c)$
$p \in P,\ c \in C,\ k \in K$
Both the encryption and decryption keys are applied character by character, and the corresponding
ciphertext or plaintext is obtained in a single pass.
The following table shows the encryption function k as the mapping from the plaintext alphabet
to the ciphertext alphabet.
p     A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
k(p)  E Q R D I P K A F L W S B G C T Y Z J M X U H V O N
Plaintext: REPETITIO EST MATER STVDIORVM
Ciphertext: ZITIMFMFCIJMBEMIZJMUDFCZUB
Breaking the cipher
Imagine we received this ciphertext:
AIZEGKMAIFGJXZEGRIQZCWIZFGRCSRAIJMIZMCSIEZGMAEMMAIMIBTCZEZORCUIZGCMIPCZMAIBCMCRO
RSIAEDQIIGFJJXIDMAIZXJJFEGEJWIDMAIQZCWIZGCMMCBEFSFMAIHCXSDRCSSIRMFMAFBJISPMAFJAI
DFDFBBIDFEMISOEGDSEMIMAEMEPMIZGCCGBCUIDFGMCGXBQIZMHISUIRAIZZOAEOIJAIJTIGMTEZMCPM
AIGFKAMHCZWFGKREZIPXSSOHFMAAFJCGIMFBITEDJTZITEZFGKERCDIDBIJJEKIMAEMGCRCBTXMIZHCX
SDQZIEWRCDIQZIEWFGKAIWGIHFJQEJIDCGTEMMIZGJEGDZITIMFMFCGJACHIUIZJCTAFJMFREMIDMAIR
CBTXMIZXJIDMCRZERWMAIRCDIXJFGKECGIMFBITEDPCZIERAHCZDCPEJACZMBIJJEKISIEUIJGCTEMMI
ZGJEGDGCZITIMFMFCGJ
How do we decipher this message? If we look at the simple substitution cipher, we can easily see that
some statistical characteristics of the text are preserved in the ciphertext. One of them is the
frequency distribution. Even though the characters are replaced by different characters in the ciphertext,
the distribution of characters remains the same (as we substitute character for character). Therefore,
it is possible to compare the distribution of ciphertext characters with the character distribution of
typical English text. Let's look at these distributions:
[Figure: two bar charts, the frequency of the ciphertext characters (in decreasing order: I M C E Z G A J F D R S T B X H W K Q P O U V Y L N) and the frequency of characters in typical English text (E T A O I N S H R D L C U M W F G Y P B V K J X Q Z)]
As we can see, these distributions look very familiar. Let's say that our initial guess will be that E
morphed into I, T into M, O into C and A into E. Also, we see that the ciphertext characters V, Y, L
and N have zero occurrences, therefore we assume that they correspond to the characters J, X, Q, Z
in English.
Our ciphertext will be now changed into:
AeZaGKtAeFGJXZaGReQZoWeZFGRoSRAeJteZtoSeaZGtAattAeteBToZaZORoUeZGotePoZtAeBotoZR
ORSeAaDQeeGFJJXeDtAeZXJJFaGaJWeDtAeQZoWeZGottoBaFSFtAeHoXSDRoSSeRtFtAFBJeSPtAFJA
eDFDFBBeDFateSOaGDSatetAataPteZGooGBoUeDFGtoGXBQeZtHeSUeRAeZZOAaOeJAeJTeGtTaZtoP
tAeGFKAtHoZWFGKRaZePXSSOHFtAAFJoGetFBeTaDJTZeTaZFGKaRoDeDBeJJaKetAatGoRoBTXteZHo
XSDQZeaWRoDeQZeaWFGKAeWGeHFJQaJeDoGTatteZGJaGDZeTetFtFoGJAoHeUeZJoTAFJtFRateDtAe
RoBTXteZXJeDtoRZaRWtAeRoDeXJFGKaoGetFBeTaDPoZeaRAHoZDoPaJAoZtBeJJaKeSeaUeJGoTatt
eZGJaGDGoZeTetFtFoGJ
After close examination, we can see that some strings in the text repeat. For example, we
can see TatteZGJ twice, ZeTetFtFoGJ twice, etc. Searching through a dictionary, we can guess the
plaintext form of TatteZGJ as "patterns". By substituting T with p, Z with r, G with n and J with s,
the second repeated string ZeTetFtFoGJ deciphers as repetFtFons. Therefore, we can guess
that F represents i in the plaintext, obtaining "repetitions" as the plaintext. We should also check
whether the suggested substitution matches the distribution; it does in our case. Therefore we get:
AeranKtAeinsXranReQroWerinRoSRAestertoSearntAattAeteBporarORoUernotePortAeBotorR
ORSeAaDQeenissXeDtAerXssianasWeDtAeQroWernottoBaiSitAeHoXSDRoSSeRtitAiBseSPtAisA
eDiDiBBeDiateSOanDSatetAataPternoonBoUeDintonXBQertHeSUeRAerrOAaOesAespentpartoP
tAeniKAtHorWinKRarePXSSOHitAAisonetiBepaDspreparinKaRoDeDBessaKetAatnoRoBpXterHo
XSDQreaWRoDeQreaWinKAeWneHisQaseDonpatternsanDrepetitionsAoHeUersopAistiRateDtAe
RoBpXterXseDtoRraRWtAeRoDeXsinKaonetiBepaDPoreaRAHorDoPasAortBessaKeSeaUesnopatt
ernsanDnorepetitions
Further guesses from the partially deciphered text reveal that P probably means f in the
plaintext (aPternoon), K means g (preparinK), A means h (spent part oP tAe), D is d (patterns anD
repetitions), B is m (one tiBe paD), R is c (sopAistiRateD) and H is w (Por eaRA HorD oP sAort
BessaKe):
herangtheinsXranceQroWerincoSchestertoSearnthatthetemporarOcoUernoteforthemotorc
OcSehadQeenissXedtherXssianasWedtheQroWernottomaiSithewoXSdcoSSectithimseSfthish
edidimmediateSOandSatethatafternoonmoUedintonXmQertweSUecherrOhaOeshespentpartof
thenightworWingcarefXSSOwithhisonetimepadspreparingacodedmessagethatnocompXterwo
XSdQreaWcodeQreaWingheWnewisQasedonpatternsandrepetitionshoweUersophisticatedthe
compXterXsedtocracWthecodeXsingaonetimepadforeachwordofashortmessageSeaUesnopatt
ernsandnorepetitions
The final guesses are now trivial, as they can easily be obtained from the context. We get O
representing y (temporarO), U is v (coUer note), X is u (insXrance), S is l (message SeaUes no
patterns), W is k (Xsed to cracW the code) and finally Q is b. By applying the rest of the substitutions,
we obtain the plaintext:
He rang the insurance broker in Colchester, to learn that the temporary cover
note for the motorcycle had been issued. The Russian asked the broker not to
mail it; he would collect it himself.
This he did immediately, and late that afternoon moved into number twelve
Cherryhayes. He spent part of the night working carefully with his one-time
pads, preparing a coded message that no computer would break. Codebreaking, he
knew, is based on patterns and repetitions, however sophisticated the computer
used to crack the code. Using a one time pad for each word of a short message
leaves no patterns and no repetitions.
The plaintext is an excerpt from Frederick Forsyth's book The Fourth Protocol.
Our example was straightforward; in reality, progress in deciphering is hindered by
incorrect guesses that require backtracking. Nevertheless, this process can be almost
completely automated using language dictionaries.
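The table, the ciphertext and the step-by-step guesses above in code, as an added example that is not the book's own: the cipher with its inverse, the frequency ordering and the absent letters of the ciphertext, and the partial substitutions applied the way the text does it.

```python
"""Simple substitution cipher and the frequency analysis walked through above.  Added
example, not the book's code: KEY is the table above, CIPHERTEXT is the message the
text deciphers and the guess dictionaries are the substitutions the text builds up."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
# key k: plaintext letter -> ciphertext letter (a permutation of the alphabet)
KEY = dict(zip(ALPHABET, "EQRDIPKAFLWSBGCTYZJMXUHVON"))

CIPHERTEXT = (
    "AIZEGKMAIFGJXZEGRIQZCWIZFGRCSRAIJMIZMCSIEZGMAEMMAIMIBTCZEZORCUIZGCMIPCZMAIBCMCRO"
    "RSIAEDQIIGFJJXIDMAIZXJJFEGEJWIDMAIQZCWIZGCMMCBEFSFMAIHCXSDRCSSIRMFMAFBJISPMAFJAI"
    "DFDFBBIDFEMISOEGDSEMIMAEMEPMIZGCCGBCUIDFGMCGXBQIZMHISUIRAIZZOAEOIJAIJTIGMTEZMCPM"
    "AIGFKAMHCZWFGKREZIPXSSOHFMAAFJCGIMFBITEDJTZITEZFGKERCDIDBIJJEKIMAEMGCRCBTXMIZHCX"
    "SDQZIEWRCDIQZIEWFGKAIWGIHFJQEJIDCGTEMMIZGJEGDZITIMFMFCGJACHIUIZJCTAFJMFREMIDMAIR"
    "CBTXMIZXJIDMCRZERWMAIRCDIXJFGKECGIMFBITEDPCZIERAHCZDCPEJACZMBIJJEKISIEUIJGCTEMMI"
    "ZGJEGDGCZITIMFMFCGJ"
)

def encrypt(plaintext, key=KEY):
    """E_k(p) = k(p), applied character by character; characters outside A are dropped."""
    return "".join(key[c] for c in plaintext.upper() if c in key)

def decrypt(ciphertext, key=KEY):
    """D_k(c) = k^{-1}(c)."""
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse[c] for c in ciphertext)

def letter_counts(text):
    counts = Counter(text)
    return {c: counts[c] for c in ALPHABET}

def by_frequency(text):
    """Ciphertext letters in decreasing order of frequency (ties alphabetical)."""
    counts = letter_counts(text)
    return "".join(sorted(ALPHABET, key=lambda c: (-counts[c], c)))

def absent_letters(text):
    """Letters that never occur: they must map to rare plaintext letters (J, X, Q, Z here)."""
    counts = letter_counts(text)
    return {c for c in ALPHABET if counts[c] == 0}

def partial_decrypt(ciphertext, guesses):
    """Apply a partial key (ciphertext letter -> lower-case plaintext letter); ciphertext
    letters not yet guessed stay upper case, as in the intermediate texts above."""
    return "".join(guesses.get(c, c) for c in ciphertext)

# The guesses the text accumulates, ciphertext letter -> plaintext letter.
FIRST_GUESSES = {"I": "e", "M": "t", "C": "o", "E": "a"}
PATTERN_GUESSES = dict(FIRST_GUESSES, T="p", Z="r", G="n", J="s", F="i")
CONTEXT_GUESSES = dict(PATTERN_GUESSES, P="f", K="g", A="h", D="d", B="m", R="c", H="w")
FINAL_GUESSES = dict(CONTEXT_GUESSES, O="y", U="v", X="u", S="l", W="k", Q="b")

def consistent_with_key(guesses, key=KEY):
    """Check that every guessed substitution agrees with the inverse of the key."""
    return all(key[p.upper()] == c for c, p in guesses.items())

if __name__ == "__main__":
    print(by_frequency(CIPHERTEXT)[:6], absent_letters(CIPHERTEXT))
    print(partial_decrypt(CIPHERTEXT, FINAL_GUESSES)[:40])
```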
Permutation cipher
This cipher uses a different approach, transposition, first introduced by the Spartans with their famous
scytale. Complementary to the approach of the simple substitution cipher, the permutation cipher
divides the plaintext into partitions of the same size and positionally shuffles the characters in each
partition, using the same shuffling pattern in every partition. If the plaintext does not fill the last
partition, that (or the first) partition can be extended using padding. Both the plain- and ciphertext
alphabets remain the same. The term transposition denotes one swap of positions, always affecting
two characters. Each permutation can be decomposed into a set of transpositions, hence the name
of the principle behind the permutation cipher.
Formally, let m ≥ 1 (the length of the partition). Let A be the alphabet of the plaintext language. Then
P = C = A^m, i.e. m-tuples of characters from the alphabet A. The set of keys K is the set of permutations
of the set {1, 2, ..., m}. The encryption and decryption functions are defined as follows:
$E(p_1 p_2 \ldots p_m, k) = p_{k(1)}\, p_{k(2)} \ldots p_{k(m)}$
$D(c_1 c_2 \ldots c_m, k) = c_{k^{-1}(1)}\, c_{k^{-1}(2)} \ldots c_{k^{-1}(m)}$
Example:
Let's use a permutation of the set {1, 2, 3, 4} as the key, e.g. {3, 1, 4, 2}; i.e. the first character
moves to the second position, the second character to the last position, the third character to
the first position and the last character to the third position.
Plaintext: USE TRANSPOSITION
Partitioned plaintext: USET RANS POSI TION
Ciphertext: EUTS NRSA SPIO OTNI
Weaknesses
As the cipher operates on blocks whose length matches the length of the key, the length of the
whole ciphertext is divisible by the length of the key. This allows us to narrow down the possible
lengths of the key. For each of the remaining key sizes, the possible permutations are tried to find the
permutation which yields the highest number of frequent bigrams and trigrams of the
underlying language of the plaintext.
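The definition and the example above in code, added here and not part of the original book: encryption with the key permutation, decryption with its inverse, and the candidate key length check that follows from the weakness just described. The padding character X is an assumption of this example.

```python
"""Permutation (transposition) cipher from the definition above: the key is a permutation
k of {1, ..., m}, c_j = p_{k(j)}, and decryption uses the inverse permutation.  Added
example, not the book's code; the padding character X is an assumption of this example."""

PAD = "X"

def inverse(key):
    """k^{-1}: c_j = p_{k(j)} means p_i ends up at the position j with k(j) = i."""
    inv = [0] * len(key)
    for j, i in enumerate(key, start=1):
        inv[i - 1] = j
    return tuple(inv)

def partition(text, m):
    return [text[i:i + m] for i in range(0, len(text), m)]

def encrypt(plaintext, key):
    """Drop spaces, pad the last partition to a multiple of m, shuffle every partition alike."""
    m = len(key)
    text = plaintext.replace(" ", "").upper()
    text += PAD * (-len(text) % m)
    return " ".join("".join(block[i - 1] for i in key) for block in partition(text, m))

def decrypt(ciphertext, key):
    """Apply k^{-1} to every partition; padding (if any) is left in place."""
    inv = inverse(key)
    text = ciphertext.replace(" ", "")
    return "".join("".join(block[j - 1] for j in inv) for block in partition(text, len(key)))

def candidate_key_lengths(ciphertext, max_len=10):
    """Weakness from the text: the ciphertext length is a multiple of the key length, so
    only divisors of the length (greater than 1) need to be tried."""
    n = len(ciphertext.replace(" ", ""))
    return [m for m in range(2, max_len + 1) if n % m == 0]

if __name__ == "__main__":
    print(encrypt("USE TRANSPOSITION", (3, 1, 4, 2)))   # EUTS NRSA SPIO OTNI
```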
Vernam cipher (one-time pad)
Suppose that we want to encrypt a plaintext of length m ≥ 1 whose alphabet A consists of 0 and 1,
i.e. A = {0, 1}. The length of the plaintext, ciphertext and key is m, P = C = K = {0, 1}^m. Encryption is
performed by adding the key to the plaintext bit by bit modulo 2 (XOR operation):
$E_k(p) = p \oplus k = (p_1 \oplus k_1, \ldots, p_m \oplus k_m)$
To decipher the ciphertext, we can use the fact that for each x ∈ {0, 1}, x ⊕ x = 0.
Therefore, it is sufficient to add the key to the ciphertext to obtain the plaintext:
$D_k(c) = c \oplus k = (p \oplus k) \oplus k = p$
The Vernam cipher provides perfect secrecy, i.e. the attacker is not able to obtain the plaintext from the
ciphertext regardless of the computing power the attacker possesses, when the following conditions
are satisfied:
1. Keys are chosen from the set K randomly, independently and with equal probability.
2. To encrypt a new plaintext, a new key from K is always chosen.
Weaknesses
Assume that we use the same key k to encrypt two plaintexts p_1 and p_2. Then by adding the two
ciphertexts we eliminate the effect of the key k and obtain
$(p_1 \oplus k) \oplus (p_2 \oplus k) = p_1 \oplus p_2$
From the sum of two plaintexts, if they are redundant (which is the normal case for natural language),
it is possible to obtain both plaintexts.
Another annoyance when using the Vernam cipher is that we have exchanged the secure transport of the
information for the secure transport of an encryption key of the same size as the information. But in cases
where the required bits are generated in advance in sufficient amount, this does not necessarily cause
significant security problems.
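The cipher and the key-reuse weakness just described, as an added example that is not the book's code, over bytes instead of single bits: the key cancels out of the XOR of two ciphertexts, and a fragment of one plaintext then exposes the other at the same positions. The two messages, the fixed demo key and the known fragment are constructed.

```python
"""Vernam cipher (one-time pad) over bytes and the key-reuse weakness described above.
Added example, not the book's code.  The sample messages, the fixed demo key and the
known fragment are constructed; generate_key() is what a real key source must do."""
import secrets

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_key(length):
    """Condition 1: key bytes random, independent and uniform (OS CSPRNG)."""
    return secrets.token_bytes(length)

def encrypt(plaintext, key):
    """E_k(p) = p xor k; the key must cover the whole plaintext (condition 2: never reuse it)."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the plaintext")
    return xor_bytes(plaintext, key)

def decrypt(ciphertext, key):
    """D_k(c) = c xor k = (p xor k) xor k = p, since x xor x = 0."""
    return encrypt(ciphertext, key)

def key_eliminated(c1, c2):
    """(p1 xor k) xor (p2 xor k) = p1 xor p2 whenever the same k encrypted both."""
    return xor_bytes(c1, c2)

def recover_other_plaintext(c1, c2, known_fragment, offset):
    """With the key gone, a fragment of p1 known (or guessed from the redundancy of the
    language) at some offset reveals p2 at the same positions, and vice versa."""
    p1_xor_p2 = key_eliminated(c1, c2)
    return xor_bytes(p1_xor_p2[offset:offset + len(known_fragment)], known_fragment)

def demo():
    """Constructed demo: one key reused for two messages of equal length."""
    p1 = b"MEET AT THE OLD MILL AT DAWN"
    p2 = b"SEND MORE MONEY TO THE BANK!"
    key = bytes(range(100, 100 + len(p1)))          # fixed so the run is reproducible
    c1, c2 = encrypt(p1, key), encrypt(p2, key)
    key_cancels = key_eliminated(c1, c2) == xor_bytes(p1, p2)
    leaked = recover_other_plaintext(c1, c2, b"MEET AT THE", 0)
    return key_cancels, leaked

if __name__ == "__main__":
    print(demo())    # (True, b'SEND MORE M')
```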
Vigenère cipher
A polyalphabetic substitution cipher, where the same plaintext character can be encrypted into
various ciphertext characters, depending on its position in the plaintext. Let n ≥ 1 be the length of the
key and let the plaintext alphabet A have m characters. Each character is numbered by a number 0 .. m − 1
(e.g. according to the alphabet order). Each key is an n-tuple of numbers from 0 .. m − 1. Then the
encryption and decryption functions are:
$E(p_1 p_2 \ldots p_n, k) = (p_1 + k_1) \bmod m, \ldots, (p_n + k_n) \bmod m$
$D(c_1 c_2 \ldots c_n, k) = (c_1 - k_1) \bmod m, \ldots, (c_n - k_n) \bmod m$
Longer text is encrypted in blocks of n characters, using padding if required.
Example:
Key         H   S   I   V   H   S   I   V   H   S   I   V
            7   18  8   21  7   18  8   21  7   18  8   21
Plaintext   P   O   P   O   C   A   T   E   P   E   T   L
            15  14  15  14  2   0   19  4   15  4   19  11
Ciphertext  W   G   X   J   J   S   B   Z   W   W   B   G
            22  6   23  9   9   18  1   25  22  22  1   6
Breaking the cipher
Cryptanalysis of the Vigenère cipher proceeds in two steps:
1. Determination of the size of the key (the value of n)
2. Determination of the key (k_1, k_2, ..., k_n)
First phase
To determine the size of the key, we can use the index of coincidence I_c, a procedure invented by
William Frederick Friedman in 1920. The index of coincidence of a t-character text x = (x_1, x_2, ..., x_t),
denoted I_c(x), is the probability that two randomly chosen characters from x are equal. Assume that
f_1, f_2, ..., f_m are the numbers of occurrences of the characters in x. Then the index of coincidence
can be computed as follows:
$I_c(x) = \frac{\sum_{i=1}^{m} \binom{f_i}{2}}{\binom{t}{2}} = \frac{\sum_{i=1}^{m} f_i (f_i - 1)}{t (t - 1)}$
If x is a natural language text, we expect that $I_c \approx \sum_{i=1}^{m} p_i^2$, where p_i is the probability
of occurrence of the i-th character in the corresponding language. The longer the text x is, the closer
the index of coincidence should be to the theoretical value. For English, the theoretical value can be
computed as:
$(12{,}70\,\%)^2 + (9{,}06\,\%)^2 + \ldots + (0{,}10\,\%)^2 + (0{,}07\,\%)^2 = 0{,}0655$
(the values were obtained from the frequency tables of the English language)
If the text x were filled with random characters, we would expect $I_c(x) = 26 \cdot (1/26)^2 = 0{,}0385$.
Interestingly, the index of coincidence remains invariant under any polyalphabetic substitution (such as
the Vigenère cipher).
The key lengths n = 1, 2, ... will be tested. For the correct length of the key, the characters of the text x
at positions i, n + i, 2n + i, ... (1 ≤ i ≤ n) are encrypted using the same k_i. Therefore, the ciphertext
can be partitioned into n partitions:
k_1: x_1 x_{n+1} x_{2n+1} ...
k_2: x_2 x_{n+2} x_{2n+2} ...
...
k_n: x_n x_{2n} x_{3n} ...
where each partition is obtained from the plaintext using a simple substitution. Therefore, we
expect each partition to have an index of coincidence close to the index of coincidence of the language
and distant from that of random text. If the text x is split into partitions of a size that does not match the
size of the key, these partitions are combinations of two or more simple substitutions, and
therefore their index of coincidence moves closer to that of random text. Multiples of the length of the
key will also be closer to the index of coincidence of natural language. Computing the average index of
coincidence of the partitions for each possible key length and comparing it to the index of coincidence
of natural language and of random text should yield the correct length of the key.
Second phase
Now the task is to obtain the key, whose length is known. To obtain the components of the
key k = (k_1, k_2, ..., k_n), we first determine the relative distances of k_1 to each part of the key, i.e.
k_2 − k_1, ..., k_n − k_1. To determine these distances, we use the mutual index of coincidence
MI_c(x, y) of two strings x and y. The mutual index of coincidence is the probability that a randomly
chosen character from x is equal to a randomly chosen character from y. If we denote the numbers of
occurrences of the individual characters in x as f_1, f_2, ..., f_m and similarly for y as f'_1, f'_2, ..., f'_m,
then the mutual index of coincidence can be obtained from:
$MI_c(x, y) = \frac{\sum_{i=1}^{m} f_i f'_i}{t\, t'}$, where t = |x| and t' = |y|
The mutual index of coincidence of two strings x and y does not change when the same simple
substitution is applied to both strings. We expect natural language strings to have a mutual
index of coincidence approximately equal to the index of coincidence of the language.
The determination of the relative distance k_i − k_1 (i = 2, ..., n) proceeds by shifting the characters
of the partition of k_i by each of the shifts 0, 1, ..., m − 1 and examining the mutual index of coincidence
with the partition of component k_1. If the shift equals k_i − k_1, the index is approximately equal to
the index of coincidence of the natural language. Otherwise, the index is closer to the index for
randomly distributed characters.
The only thing left is to determine the value of k_1. This can be done by evaluating all possibilities
(their number is the number of characters in the alphabet). After substituting a particular value of k_1
and decrypting the ciphertext, only one text will be meaningful. This determines the correct value
of k_1.
Example
Imagine we received the following ciphertext (the letters are grouped in quintuples for better readability):
VIYNZ HWZLV EHDGA ZKDGA PJAGS DOUYS PYAJH ICQZF VIJON LZUUB JOJZZ LSWHL SHSOA
OCQZD HBPOU NHKNP APARV DWPLV EKWYR UCSTP UZKTK VBBUY OWOGJ LFXOJ DWPNL OOZSH
KSDOZ TONQH AOJKH YZUSL LHETN VTPNL QCETA PBPKS SWCKU JSYUT TWPZL LKDKU ZWNGU
AVKTF WZQSI OOZHL LBYUT WZWOU PBCZO HHQTS PYAGS SHDKV AVAXZ OSDGK UCJOJ LZEZA
SSWIY VBUSA VRAYJ YWXKO PGFUI OSSGZ QIOZA OSYNH PFIGU VTPNL QWYUY AVAIV VFZOU
HHKXV MWJZL SZEML UQACO FQKAS KVATV AVWBL HUNUB WCBOU PHEGS ZHDGA TOZKB WOONV
YHSUY KWJZO LAOKS CSONV DOXUB ARNGD SSZLV ETNUT OWOKU KCBZO LHWHS LGQVY LAANL
HRKLP UHARS PUATJ LHWXN LHETN ZWNGU AVKTF WFALL YFAJU VHPUI LYJUD UOOZO LGDOA
VTSNP ASDGS SOJJK YCLVL KHDKT HHPKY VTPNL HQNUU FA
First phase
We compute the index of coincidence for various key lengths, which gives the following table:
n  I_c      n  I_c      n   I_c      n   I_c      n   I_c
1  0,0470   5  0,0645   9   0,0453   13  0,0489   17  0,0425
2  0,0466   6  0,0454   10  0,0647   14  0,0461   18  0,0443
3  0,0456   7  0,0484   11  0,0468   15  0,0586   19  0,0491
4  0,0454   8  0,0458   12  0,0435   16  0,0451   20  0,0629
As explained above, for the key of the correct length we expect a value closer to 0,0655,
whereas for a mismatched size of the key we expect a value closer to 0,0385.
As we clearly see, multiples of 5 are much closer to the desired value than any other length, thus
we have found that the length of the key is 5.
Now we can proceed to identify the individual components of the key.
Second phase
We proceed with the computation of the mutual indexes of coincidence for each key difference. The
following table summarizes the results for the differences of the key components under the various
character shifts (the shift first, then MI_c for each difference):
shift  k_2 − k_1  k_3 − k_1  k_4 − k_1  k_5 − k_1
0 0,0457 0,0448 0,0383 0,0622
1 0,0338 0,0338 0,0276 0,0303
2 0,0319 0,0386 0,0375 0,0324
3 0,0480 0,0393 0,0459 0,0398
4 0,0419 0,0483 0,0374 0,0441
5 0,0283 0,0437 0,0330 0,0368
6 0,0337 0,0345 0,0417 0,0387
7 0,0646 0,0352 0,0351 0,0425
8 0,0366 0,0399 0,0315 0,0325
9 0,0307 0,0375 0,0372 0,0382
10 0,0364 0,0341 0,0425 0,0398
11 0,0503 0,0467 0,0403 0,0452
12 0,0404 0,0309 0,0319 0,0282
13 0,0355 0,0311 0,0346 0,0391
14 0,0414 0,0402 0,0474 0,0350
15 0,0396 0,0605 0,0349 0,0432
16 0,0284 0,0353 0,0322 0,0386
17 0,0334 0,0285 0,0341 0,0310
18 0,0443 0,0398 0,0463 0,0357
19 0,0403 0,0424 0,0334 0,0388
20 0,0323 0,0393 0,0338 0,0368
21 0,0318 0,0351 0,0521 0,0336
22 0,0547 0,0360 0,0394 0,0430
23 0,0355 0,0299 0,0265 0,0382
24 0,0349 0,0359 0,0385 0,0358
25 0,0352 0,0394 0,0675 0,0412
By inspecting the table, we can see the values (underlined in the original) closest to the value we
expect: 0,0646 for k_2 − k_1 = 7, 0,0605 for k_3 − k_1 = 15, 0,0675 for k_4 − k_1 = 25 and 0,0622 for
k_5 − k_1 = 0. Therefore, we obtained these relative components of the key k: (0, 7, 15, 25, 0). The only
missing fact is now the value of k_1; the other values can be obtained by shifting this value by the
relative distance. Thus, we can try all k_1 values, apply the corresponding component shifts and see
which of the 26 texts makes sense. The following fragment of the deciphered ciphertext
demonstrates this process:
...
F ...WMSAYLRQCCYZCJRUGRFMSRUYLRGLE...
G ...XNTBZMSRDDZADKSVHSGNTSVZMSHMF...
H ...YOUCANTSEEABELTWITHOUTWANTING...
I ...ZPVDBOUTFFBCFMUXJUIPVUXBOUJOH...
J ...AQWECPVUGGCDGNVYKVJQWVYCPVKPI...
...
As we can see, the only meaningful value of k_1 is H, therefore our key is HOWGH.
Finally, we get the plaintext (the punctuation marks were added to achieve better readability):
'Ouch,' said Fox, 'that's what I've always liked about you, Nigel. You can't
see a belt without wanting to hit below it.'
Fox was known in London for his acerbic wit. He had made his mark at an early
meeting of the Joint Intelligence Committee when Sir Anthony Plumb had been
complaining that unlike all the others he had no nice little acronym to describe
his job. He was just the Chairman of the JIC, or the Coordinator of
Intelligence. Why could he not have a group of initials that made up a short
word in themselves?
'How about,' drawled Fox from his end of the table, 'Supreme Head of
Intelligence Targeting?'
Sir Anthony preferred not to be known as the SHIT of Whitehall and dropped the
matter of the acronym.
Again, this is an excerpt from Frederick Forsyth's book The Fourth Protocol.
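Both phases of the cryptanalysis above, run on the ciphertext of the example, as an added example that is not part of the original book (the encryption of POPOCATEPETL with the key HSIV is covered as well). The English letter probabilities are standard frequency-table values, and the fitness score that picks k_1 automatically is an assumption of this example replacing the manual inspection of the 26 candidate texts.

```python
"""Vigenere encryption and the two-phase cryptanalysis walked through above (index of
coincidence, mutual index of coincidence, trial of k_1).  Added example, not the book's
code.  CIPHERTEXT is the one printed in the text; ENGLISH_FREQ holds approximate letter
probabilities (in percent) from standard English frequency tables."""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
M = len(ALPHABET)
IC_ENGLISH = 0.0655          # sum of p_i^2 for English, from the text
IC_RANDOM = 1 / M            # 26 * (1/26)^2 = 0.0385

ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23, "G": 2.02,
    "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03, "M": 2.41, "N": 6.75,
    "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99, "S": 6.33, "T": 9.06, "U": 2.76,
    "V": 0.98, "W": 2.36, "X": 0.15, "Y": 1.97, "Z": 0.07,
}

CIPHERTEXT = "".join("""
VIYNZ HWZLV EHDGA ZKDGA PJAGS DOUYS PYAJH ICQZF VIJON LZUUB JOJZZ LSWHL SHSOA
OCQZD HBPOU NHKNP APARV DWPLV EKWYR UCSTP UZKTK VBBUY OWOGJ LFXOJ DWPNL OOZSH
KSDOZ TONQH AOJKH YZUSL LHETN VTPNL QCETA PBPKS SWCKU JSYUT TWPZL LKDKU ZWNGU
AVKTF WZQSI OOZHL LBYUT WZWOU PBCZO HHQTS PYAGS SHDKV AVAXZ OSDGK UCJOJ LZEZA
SSWIY VBUSA VRAYJ YWXKO PGFUI OSSGZ QIOZA OSYNH PFIGU VTPNL QWYUY AVAIV VFZOU
HHKXV MWJZL SZEML UQACO FQKAS KVATV AVWBL HUNUB WCBOU PHEGS ZHDGA TOZKB WOONV
YHSUY KWJZO LAOKS CSONV DOXUB ARNGD SSZLV ETNUT OWOKU KCBZO LHWHS LGQVY LAANL
HRKLP UHARS PUATJ LHWXN LHETN ZWNGU AVKTF WFALL YFAJU VHPUI LYJUD UOOZO LGDOA
VTSNP ASDGS SOJJK YCLVL KHDKT HHPKY VTPNL HQNUU FA
""".split())

def encrypt(plaintext, key):
    """E: c_i = (p_i + k_(i mod n)) mod m, with the key given as letters."""
    n = len(key)
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(key[i % n])) % M]
                   for i, p in enumerate(plaintext))

def decrypt(ciphertext, key):
    n = len(key)
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(key[i % n])) % M]
                   for i, c in enumerate(ciphertext))

def index_of_coincidence(x):
    """I_c(x) = sum f_i (f_i - 1) / (t (t - 1))."""
    t, f = len(x), Counter(x)
    return sum(fi * (fi - 1) for fi in f.values()) / (t * (t - 1))

def partitions(x, n):
    """Partition i holds x_i, x_{n+i}, x_{2n+i}, ... (all encrypted under k_i)."""
    return [x[i::n] for i in range(n)]

def average_ic(x, n):
    return sum(index_of_coincidence(p) for p in partitions(x, n)) / n

def key_length(x, max_n=20):
    """First phase: smallest n whose partitions look like natural language, i.e. whose
    average I_c is closer to IC_ENGLISH than to IC_RANDOM."""
    midpoint = (IC_ENGLISH + IC_RANDOM) / 2
    for n in range(1, max_n + 1):
        if average_ic(x, n) > midpoint:
            return n
    raise ValueError("no key length up to max_n fits")

def mutual_ic(x, y):
    """MI_c(x, y) = sum f_i f'_i / (t t')."""
    fx, fy = Counter(x), Counter(y)
    return sum(fx[a] * fy[a] for a in ALPHABET) / (len(x) * len(y))

def shift(x, g):
    return "".join(ALPHABET[(ALPHABET.index(c) - g) % M] for c in x)

def relative_shifts(x, n):
    """Second phase, step 1: k_i - k_1 is the shift of partition i at which its mutual index
    of coincidence with partition 1 peaks (the maximum of each table column)."""
    parts = partitions(x, n)
    return [0] + [max(range(M), key=lambda g: mutual_ic(parts[0], shift(parts[i], g)))
                  for i in range(1, n)]

def english_score(text):
    return sum(ENGLISH_FREQ[c] for c in text)

def recover_key(x):
    """Second phase, step 2: try all 26 values of k_1; the decryption whose letters fit the
    English distribution best is the meaningful one."""
    n = key_length(x)
    rel = relative_shifts(x, n)
    candidates = ["".join(ALPHABET[(k1 + r) % M] for r in rel) for k1 in range(M)]
    return max(candidates, key=lambda key: english_score(decrypt(x, key)))

if __name__ == "__main__":
    key = recover_key(CIPHERTEXT)
    print(key, decrypt(CIPHERTEXT, key)[:40])
```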
Types of attacks
We recognize the following types of cryptanalytic attacks (ordered by ascending severity):
1. COA (ciphertext-only attack). The attacker possesses a list of ciphertexts E_k(p_1), ..., E_k(p_n), but
does not know the corresponding plaintexts. The attacker usually tries to obtain k, determine some
plaintext or create E_k(p_i) for a given plaintext p_i.
2. KPA (known-plaintext attack). The attacker possesses a list of pairs of plaintexts and the
corresponding ciphertexts, (p_1, E_k(p_1)), ..., (p_n, E_k(p_n)). The attacker has the same goals as for the
COA.
3. CPA (chosen-plaintext attack). The attacker has the option to choose a few plaintexts for which
he can obtain the corresponding ciphertexts encrypted under the same key k. The goals of the attack are
the same as in the previous cases.
4. CCA (chosen-ciphertext attack). The attacker has the option to choose a few ciphertexts for
which he can obtain the corresponding plaintexts decrypted under the same key k. Again, the goals are
the same as in all prior cases.
For CPA and CCA we can also consider their adaptive variants, where the attacker repeats the selection
of texts after analysing the data obtained so far. Modern cryptographic systems are expected to be
resistant to such attacks.
Kerckhoffs' principle
The security of a cryptosystem shall not be based on keeping the algorithm secret but solely on
keeping the key secret. In other words, assume your opponent knows the cryptosystem being used.
As we saw, the scytale and Caesar's shift directly violate Kerckhoffs' principle, as knowledge of the
cryptosystem is sufficient to decipher the message.
Contemporary cryptography
Symmetric cryptography
Block and stream ciphers
Contemporary symmetric cryptosystems usually use keys of fixed length (e.g. 256 bits) which
can be used to encrypt substantially longer plaintexts. Aside from the secure transport of the short
key, there is the problem of transferring confidential information of virtually any length.
According to the way the cipher achieves this goal, symmetric ciphers can be basically
divided into two categories: block and stream ciphers.
Block ciphers
Block ciphers encrypt plaintext by splitting it into blocks of fixed length. They process each block
separately, and the resulting encrypted blocks are concatenated sequentially to form the ciphertext.
Stream ciphers
Stream ciphers imitate the Vernam cipher using a shorter key. The key is used to initialize a deterministic
finite state machine (DFSM) that produces a stream of bits. This stream is then used as the key for the
Vernam cipher: the stream of bits is added modulo 2 (XOR) to the bits of the plaintext. The receiver of
the ciphertext uses the same key to initialize its DFSM, generates the same stream of bits and adds
it to the ciphertext, obtaining the plaintext.
Modes of operation
The basic cipher transformation of a block can be combined in multiple modes in the case of a longer
plaintext. Each mode has its weak and strong sides, and which mode is used generally depends on the
situation or environment. The following paragraphs describe a few of the most used modes. Plaintext
blocks will be referred to as P_i and ciphertext blocks as C_i.
[Figure: ECB mode, each plaintext block encrypted independently by E under the same key k; and a stream cipher, where sender and receiver each initialize a DFSM with the key and XOR its output with the plaintext or the ciphertext]
ECB (Electronic Code Book)
ECB represents the straightforward use of a block cipher. Plaintext blocks are encrypted independently
using the same key. Encryption and decryption can thus be expressed as follows:
$C_i = E_k(P_i)$
$P_i = D_k(C_i)$
Properties
Identical blocks of plaintext are encrypted into identical blocks of ciphertext; this allows the attacker to
search for repetitions. The attacker can remove blocks or change their order without being caught
(assuming no other integrity mechanism is present). An error in decrypting one block does not affect
any subsequent blocks.
CBC (Cipher Block Chaining)
CBC solves some of the security problems plaguing ECB mode by linking the encryption of a block of
the plaintext with the ciphertext of the previous block:
$C_i = E_k(P_i \oplus C_{i-1}),\quad i \ge 1$
$P_i = C_{i-1} \oplus D_k(C_i),\quad i \ge 1$
The value of C_0 is not available at the beginning. CBC mode therefore uses an initialization vector IV
(a string of bits of the same length as the block).
Properties
The same plaintext encrypted using the same key leads to different ciphertexts, assuming the
initialization vectors are different. The ciphertext block C_i depends on the value of the plaintext P_i as
well as on the values of all prior plaintext blocks P_1, ..., P_{i-1}. This ensures that a change in the
order of the ciphertext blocks will affect decryption. A change of a bit in the ciphertext affects two
blocks of plaintext: if the change occurred in the block C_i, the plaintext block P_i will be affected as a
whole, whereas the block P_{i+1} will be affected only at the position of the changed bit.
CBC also offers the property of self-synchronization, where the loss of one ciphertext block leads
to the wrong decryption of the subsequent block but further consecutive blocks are not affected.
[Figure: CBC mode, encryption and decryption; each plaintext block P_i is XORed with the previous ciphertext block C_{i-1} (the IV for the first block) before encryption with E_k]
The initialization vector does not need to be kept secret; it is usually generated randomly and sent as the
first block of the ciphertext. The only important thing is to preserve the integrity of the IV, because a
change of bits of the IV propagates into the corresponding positions of the plaintext P_1.
OFB (Output Feedback)
OFB uses the block cipher as a synchronous stream cipher. It can therefore serve as a recipe for
transforming a block cipher into a stream cipher. The encryption transformation is used only within the
generator of the stream of blocks that are XORed with the blocks of the plaintext. The internal
state of the generator during the i-th step will be denoted R_i; its length matches the length of the
block. A remarkable fact is that in OFB mode the existence of the decryption function does not play any
role.
$C_i = P_i \oplus R_i,\quad R_i = E_k(R_{i-1}),\quad i \ge 1$
$P_i = C_i \oplus R_i,\quad R_i = E_k(R_{i-1}),\quad i \ge 1$
Similarly to CBC, an initialization vector is used to initialize the generator of the stream of blocks and can
be transmitted in the open along with the ciphertext.
Properties
As in CBC mode, the encryption of the same plaintext with the same key using different IVs leads
to different ciphertexts. The stream of generated blocks is independent of the plaintext; therefore it is
necessary to use a different IV whenever we communicate with the same key, because otherwise the
attacker, by adding two ciphertexts, receives the sum of two plaintexts and, as mentioned for the Vernam
cipher, this could lead to the revelation of both plaintexts.
A change (inversion) of bits in the ciphertext carries over as a change of the corresponding bits in the
plaintext. This allows the attacker to influence the plaintext in a desired way without knowing it. If the
attacker knows the plaintext, then she is able to compute the stream of blocks R_i and construct a
ciphertext for a plaintext of her choice.
The loss of any part of a ciphertext block means that the rest of the ciphertext is affected by this loss.
The main requirement during the construction of a stream cipher is to guarantee an appropriate length of
the period of the generated stream.
CFB (Cipher Feedback)
CFB mode transforms a block cipher into a stream cipher in a similar fashion to OFB. In contrast, CFB
constructs a self-synchronizing stream cipher with feedback from the ciphertext. A block of plaintext is
encrypted by adding the encryption of the previous ciphertext block. Again, CFB does not employ the
decryption function.
$C_i = P_i \oplus E_k(C_{i-1}),\quad i \ge 1$
$P_i = C_i \oplus E_k(C_{i-1}),\quad i \ge 1$
Again, the computation is initialized using an initialization vector IV used instead of C_0. The
initialization vector is generated similarly to the previous modes.
[Figure: block diagram of the mode with E_k, P_i, C_i and IV]
Properties
As with CBC and OFB, the encryption of the same plaintext with the same key using different
initialization vectors yields different ciphertexts. The initialization vector does not need to be kept
secret. Use of the same IV and key allows the attacker to obtain the sum of the first blocks of the plaintexts.
Similarly to CBC, the ciphertext block C_i depends on the value of the plaintext P_i as well as on the values
of all prior plaintext blocks P_1, ..., P_{i-1}. A change in the order of the ciphertext blocks influences decryption.
Correct decryption of a block requires the correct previous block. Again, a change of a bit in the
ciphertext affects two blocks of plaintext: if the change occurred in the block C_i, the plaintext block P_i
will be affected as a whole, whereas the block P_{i+1} will be affected only at the position of the
changed bit.
As with CBC, CFB has the property of self-synchronization.
Iterated ciphers
The largest group of block ciphers is formed by the iterated ciphers. The idea of iterated ciphers consists in
the definition of a basic transformation (round) that is then applied multiple times.
Subsequent rounds usually employ subkeys of the encryption key: in the first round subkey k_1, in
the second k_2, etc. Subkeys are strings of bits deterministically derived from the encryption key.
The process of deriving the subkeys is called key scheduling.
Cipher standards
Modern block ciphers are realized electronically as hardware modules or as software; therefore it is
safe to assume that the alphabet used is binary. We can formally express a block cipher as follows:
Let V_n = {0,1}^n be the set of n-bit vectors. A block cipher is a pair of mappings
$E : V_n \times K \to V_n$ and $D : V_n \times K \to V_n$ such that the following holds:
$\forall k \in K\ \forall p \in V_n : D_k(E_k(p)) = p,$
[Figure: iterated cipher; the round transformation F is applied r times to the plaintext, round i using subkey k_i, to produce the ciphertext]
where K is a finite set of keys. The number n is called the block length. Keys are drawn from K
independently and with equal probability. If K = V_l, we say that the effective key length is l
bits. During the construction of a cipher, two opposing requirements arise: the security of the key (usually,
the larger the set K is, the more secure the key is) and the performance of the cipher (the smaller the
set K is, the faster the cipher runs and the less space it occupies).
Feistel ciphers
Feistel ciphers are a class of iterated block ciphers in which the encryption algorithm has the same structure
as the decryption algorithm. A Feistel cipher splits the text into two halves; the first (left) will be denoted
L_0 and the second (right) R_0. In each round the values L_i, R_i are computed from the previous values
according to the formulas:
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(k_i, R_{i-1}),\quad 1 \le i < r,$
where f is a transformation affected by the subkey k_i. The output after r rounds is the pair L_r, R_r, where in
the last round no swap of the halves is performed:
$L_r = L_{r-1} \oplus f(k_r, R_{r-1})$
$R_r = R_{r-1}$
To decrypt a Feistel cipher, it is sufficient to use the same scheme, only the order of the subkeys
has to be reversed. The cryptographic properties of the algorithm are determined by the properties of
the Feistel function f.
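A toy Feistel cipher together with the ECB, CBC, OFB and CFB modes from the sections above, as an added example that is not the book's code: the round function f and the key schedule are constructed from SHA-256 (this is not DES and makes no security claim), which is enough to check on bytes that decryption with reversed subkeys inverts encryption, that ECB repeats identical blocks, and how one flipped ciphertext bit propagates into the plaintext blocks in each mode. The sample key, IV and plaintext are constructed.

```python
"""Toy Feistel cipher plus ECB/CBC/OFB/CFB.  Added example, not the book's code: the
round function f and the key schedule are constructed from SHA-256 purely to have a
non-linear Feistel function (this is not DES and makes no security claim)."""
import hashlib

BLOCK = 8    # 64-bit block: two 32-bit halves L and R
ROUNDS = 8

def key_schedule(key, rounds=ROUNDS):
    """Subkeys k_1..k_r derived deterministically from the key (constructed schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(1, rounds + 1)]

def f(subkey, right):
    """Feistel function f(k_i, R_{i-1}) -> 32-bit integer (constructed, non-linear)."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def encrypt_block(subkeys, block):
    """L_i = R_{i-1}, R_i = L_{i-1} xor f(k_i, R_{i-1}); the last round omits the swap."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in subkeys[:-1]:
        left, right = right, left ^ f(k, right)
    left ^= f(subkeys[-1], right)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")

def decrypt_block(subkeys, block):
    """Decryption is the same scheme with the subkeys in reverse order."""
    return encrypt_block(subkeys[::-1], block)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(sk, p):                  # C_i = E_k(P_i)
    return b"".join(encrypt_block(sk, b) for b in blocks(p))

def ecb_decrypt(sk, c):                  # P_i = D_k(C_i)
    return b"".join(decrypt_block(sk, b) for b in blocks(c))

def cbc_encrypt(sk, iv, p):              # C_i = E_k(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for b in blocks(p):
        prev = encrypt_block(sk, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(sk, iv, c):              # P_i = C_{i-1} xor D_k(C_i)
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(prev, decrypt_block(sk, b)))
        prev = b
    return b"".join(out)

def ofb_crypt(sk, iv, data):             # R_i = E_k(R_{i-1}); C_i = P_i xor R_i and P_i = C_i xor R_i
    out, r = [], iv
    for b in blocks(data):
        r = encrypt_block(sk, r)
        out.append(xor(b, r))
    return b"".join(out)

def cfb_encrypt(sk, iv, p):              # C_i = P_i xor E_k(C_{i-1}), C_0 = IV
    out, prev = [], iv
    for b in blocks(p):
        prev = xor(b, encrypt_block(sk, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(sk, iv, c):              # P_i = C_i xor E_k(C_{i-1})
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(b, encrypt_block(sk, prev)))
        prev = b
    return b"".join(out)

def flip_bit(data, byte_index, bit=0):
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def error_propagation(mode_decrypt, sk, iv, plaintext, ciphertext, byte_index, bit=0):
    """Flip one ciphertext bit and report, per affected plaintext block, whether only the
    same bit changed ("same bit") or the whole block became garbage ("garbled")."""
    damaged = mode_decrypt(sk, iv, flip_bit(ciphertext, byte_index, bit))
    result = {}
    for i, (p, q) in enumerate(zip(blocks(plaintext), blocks(damaged))):
        if q != p:
            result[i] = "same bit" if q == flip_bit(p, byte_index % BLOCK, bit) else "garbled"
    return result

if __name__ == "__main__":
    sk, iv = key_schedule(b"constructed demo key"), bytes(range(BLOCK))  # constructed values
    p = b"ATTACK!!ATTACK!!AT DAWN!ATTACK!!"                               # blocks 0, 1, 3 identical
    c = cbc_encrypt(sk, iv, p)
    print("CBC:", error_propagation(cbc_decrypt, sk, iv, p, c, 10))
```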
Feistel network
The following ciphers are based on a (generalized) Feistel network: Blowfish, Camellia, CAST-128,
CAST-256, DES, FEAL, KASUMI, LOKI97, Lucifer, MacGuffin, MAGENTA, MISTY1, RC2,
RC5, RC6, Skipjack, TEA, TripleDES, Twofish, XTEA.
DEA / DES (Data Encryption Algorithm / Standard)
DEA originates from the Feistel family of ciphers and employs the Feistel network using its own
Feistel function and key scheduling. In 1976, it was selected in the USA as a Federal Information
Processing Standard (FIPS), and the DEA is then known as DES. DEA was originally designed by a
team at IBM in 1972-3. DEA was suspected of having been tampered with by the NSA and of having
backdoors in the form of mysterious substitution boxes. On the other hand, DES was the first spark that
ignited the popularization of cryptanalysis among technically minded people in the USA.
Nowadays, DES is outdated due to its small, 56-bit key size, which allows successful attacks in less
than 24 hours. However, originating from the IBM Lucifer cipher, DES provides the ground for more
secure derived ciphers such as Triple DES, G-DES, DES-X, LOKI89, ICE, etc.
The DEA uses a Feistel network consisting of 16 stages. The DEA block has a size of 64 bits. The
key also has a size of 64 bits; however, the effective size is only 56 bits, as 8 bits are used only for
parity checking during key scheduling and are thereafter discarded.
Structure of the DEA Feistel f-function
The f-function operates on half a block (32 bits) at a time and consists of four stages:
1. Expansion - the 32-bit half-block is expanded to 48 bits by the expansion permutation, which duplicates some of the bits.
2. Key mixing - the result is XORed with a 48-bit subkey. Sixteen 48-bit subkeys are derived from the main key by the key schedule.
3. Substitution - after mixing in the subkey, the 48-bit block is divided into eight 6-bit pieces, each processed by its own substitution box (S-box). Each S-box replaces its 6 input bits with 4 output bits according to a non-linear transformation given by a hardwired lookup table. Without the S-boxes the cipher would be linear and trivially breakable.
4. Permutation - the 32-bit output of the S-boxes is rearranged according to a fixed permutation (the P-box).
Key scheduling
Initially, 56 bits of the key are selected
from the initial 64 by Permuted Choice 1 -
the remaining 8 bits are either discarded or
used as parity check bits. The 56 bits are
then divided into two 28-bit halves; each
half is thereafter treated separately. In
successive rounds, both halves are rotated
left by one or two bits (specified for each
round), and then 48 subkey bits are selected
by Permuted Choice 2 - 24 bits from the
left half, and 24 from the right. The
rotations (denoted by [<<<] in the diagram)
mean that a different set of bits is used in
each subkey; each bit is used in
approximately 14 out of the 16 subkeys.
The key schedule for decryption is similar -
it must generate the keys in the reverse
order. Rotations are then to the right.
[Figure: the DES f-function. The 32-bit half block is expanded to 48 bits, XORed with the 48-bit subkey, passed through S-boxes 1-8 (6 bits in, 4 bits out each) and the 32-bit result is permuted.]
[Figure: the DES key schedule. The 64-bit input key is reduced to 56 bits by Permuted Choice 1 and split into two 28-bit halves; in each round both halves are rotated left (<<<) and Permuted Choice 2 selects the 48-bit subkey.]
Breaking the DES
There are various known attacks on DES:
1. Brute force attack - every possible key is tried; the key length determines the number of candidate keys. It is assumed that the NSA possessed enough computing power to break DES in this way already in the mid '70s. Still, the time complexity is $2^{56}$ DES operations (on average half of that until the key is found).
2. Differential cryptanalysis - DES was designed to withstand this form of attack; nevertheless, differential cryptanalysis is capable of breaking DES using $2^{47}$ chosen plaintexts.
3. Linear cryptanalysis - the basic version of the attack requires $2^{43}$ known plaintexts; refined versions are capable of breaking DES using $2^{39}$ known plaintexts.
Multiple encryption
This metamethod is based on the fact that multiple encryption passes enhance the security of a cipher by effectively enlarging the key. Let $X_k$ denote a cipher transformation (either encryption or decryption) under the key $k$. Then we can compose transformations and obtain double encryption
$$c = X''_{k_2}\big(X'_{k_1}(p)\big)$$
or triple encryption
$$c = X'''_{k_3}\Big(X''_{k_2}\big(X'_{k_1}(p)\big)\Big).$$
2TDES
Basically, it is a composition of two DES transformations under two independent keys. We can use three modes of operation, denoted EE, ED and DE according to the cipher transformations used. For example, this is EE mode:
$$c = E_{k_2}\big(E_{k_1}(p)\big).$$
2TDES is vulnerable to the following attack:
Meet in the Middle attack (MIM)
The MIM attack is an attack against multiple encryption with the same algorithm; it reduces the time complexity of the brute force attack at the price of an increased space complexity. The attack will be demonstrated on 2TDES in EE mode, i.e. $c = E_{k_2}(E_{k_1}(p))$. Let the keys $k_1$ and $k_2$ each be $l$ bits long and let $n$ pairs of plain- and ciphertext
$$(p_i, c_i), \qquad i = 1, \dots, n,$$
all encrypted under the same pair of keys, be known. The brute force attack tries each pair of keys $(k_1, k_2)$ and tests the choice by checking whether
$$c_i = E_{k_2}\big(E_{k_1}(p_i)\big), \qquad i = 1, \dots, n.$$
Its time complexity is $O(2^{2l})$ and its space complexity $O(1)$.
The MIM attack lowers the time complexity by enlarging the space complexity. For the first pair $(p_1, c_1)$ we compute $D_{k_2}(c_1)$ for every possible key $k_2$ and store the tuples $(D_{k_2}(c_1), k_2)$ in a hash table indexed by the first component. Then we encrypt the plaintext $p_1$ under every key $k_1$ and test whether the value $E_{k_1}(p_1)$ is present in the table. A match means that we have found keys $k_1$ and $k_2$ such that
$$E_{k_2}\big(E_{k_1}(p_1)\big) = c_1 .$$
There can be several such pairs of keys (false matches), so the candidates must first be tested on the remaining pairs $(p_i, c_i)$. The time complexity of the attack is then $O(2^l)$ (two passes over $2^l$ keys each) and its space complexity is $O(2^l)$.
As a result, 2TDES can be broken in roughly the same time as single DES, given $2^{56}$ table entries of memory.
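To make the Feistel construction and the meet-in-the-middle attack concrete, here is an added Python example (not part of the original text). It implements a toy Feistel cipher with a deliberately tiny 12-bit key, so that every key can be enumerated in a moment, shows that decryption is the same network with the subkeys in reverse order, and then runs the meet-in-the-middle attack against the double encryption $E_{k_2}(E_{k_1}(p))$ using three known plaintext/ciphertext pairs. The round function and the SHA-256-based subkey derivation are arbitrary choices made for this example, not DES components.

```python
"""Toy Feistel cipher with a tiny key and a meet-in-the-middle attack on its
double encryption. Added example for illustration only; the round function and
the SHA-256 based subkey derivation are arbitrary choices, not DES components."""
import hashlib

KEY_BITS = 12            # tiny on purpose: 2**12 keys can be enumerated instantly
ROUNDS = 8
MASK16 = 0xFFFF          # the block is 32 bits, i.e. two 16-bit halves


def key_schedule(key, rounds=ROUNDS):
    """One 16-bit subkey per round, derived as SHA-256(key || round index)."""
    material = key.to_bytes(2, "big")
    return [int.from_bytes(hashlib.sha256(material + bytes([i])).digest()[:2], "big")
            for i in range(rounds)]


def f(subkey, right):
    """Feistel function: need not be invertible. Key mixing, multiply, rotate."""
    x = (right ^ subkey) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16


def feistel(block, subkeys):
    """L_i = R_{i-1}, R_i = L_{i-1} XOR f(k_i, R_{i-1}); the swap of the last
    round is undone, so decryption is the same network with reversed subkeys."""
    left, right = block >> 16, block & MASK16
    for k in subkeys:
        left, right = right, left ^ f(k, right)
    left, right = right, left          # no swap in the last round
    return (left << 16) | right


def encrypt(key, block):
    return feistel(block, key_schedule(key))


def decrypt(key, block):
    return feistel(block, key_schedule(key)[::-1])


def double_encrypt(k1, k2, block):
    """2TDES-style EE mode: c = E_k2(E_k1(p))."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover all (k1, k2) consistent with the known (p, c) pairs using about
    2 * 2**KEY_BITS cipher calls and 2**KEY_BITS table entries, instead of the
    2**(2*KEY_BITS) calls of brute force. pairs[0] builds the table; the other
    pairs weed out false matches."""
    p1, c1 = pairs[0]
    table = {}
    for k2 in range(1 << KEY_BITS):
        table.setdefault(decrypt(k2, c1), []).append(k2)   # (D_k2(c1), k2)
    found = []
    for k1 in range(1 << KEY_BITS):
        mid = encrypt(k1, p1)                               # E_k1(p1)
        for k2 in table.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


def recover_keys_demo():
    """Constructed scenario: the attacker knows three plaintext/ciphertext pairs."""
    k1, k2 = 0x5A3, 0x0F7
    plaintexts = [0xDEADBEEF, 0x01234567, 0x89ABCDEF]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print(recover_keys_demo())
```

With 12-bit keys the attack performs about $2 \cdot 2^{12}$ cipher calls instead of the $2^{24}$ of exhaustive search over both keys; for DES the same bookkeeping gives $2^{57}$ operations and a table of $2^{56}$ entries.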
Triple DES (TDES / TDEA / 3TDES / 3DES)
Triple DES effectively triples the length of the DES key, giving 168 bits (3 x 56 bits). Triple DES operates in several modes, similarly to 2TDES. A very popular mode is EDE:
$$c = E_{k_3}\Big(D_{k_2}\big(E_{k_1}(p)\big)\Big).$$
Decryption applies the inverse transformations in reverse order:
$$p = D_{k_1}\Big(E_{k_2}\big(D_{k_3}(c)\big)\Big).$$
Very often we can observe the choice $k_1 = k_3$ (two-key Triple DES with a 112-bit key). Another advantage of EDE mode is its backwards compatibility: with $k_1 = k_2 = k_3$ we obtain the original DES. Note that because of the meet-in-the-middle attack, the effective security of three-key Triple DES is about 112 bits rather than 168.
The best attack known (2005) on 3TDES requires around $2^{32}$ known plaintexts, $2^{113}$ steps, $2^{90}$ single DES encryptions and $2^{88}$ memory cells. Triple DES is now being widely replaced by AES.
AES (Advanced Encryption Standard / Rijndael)
This cipher was designed by Vincent Rijmen and Joan Daemen and, because of its qualities (fast, low memory requirements, secure), it won the NIST competition held in 1997-2000 to select a replacement for DES; as a result it is now being deployed on a large scale.
The NIST competition included the following cipher systems (the finalists were MARS, RC6, Rijndael, Serpent and Twofish):
CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent and Twofish.
Rijndael is an iterated substitution-permutation network block cipher with a block size of 128 bits. The key length can be 128, 192 or 256 bits and the corresponding numbers of rounds are 10, 12 and 14. Internally, the block of processed plain- or ciphertext is represented as a two-dimensional $4 \times 4$ array of bytes, known as the state of the algorithm. The bytes of the block are placed column by column, so that entry $s_{r,c}$ holds byte number $r + 4c$:
$$\begin{pmatrix} 0 & 4 & 8 & 12 \\ 1 & 5 & 9 & 13 \\ 2 & 6 & 10 & 14 \\ 3 & 7 & 11 & 15 \end{pmatrix}$$
Similarly to other iterated ciphers, Rijndael also uses a key schedule to construct subkeys from the original encryption key.
Encryption
Rijndael transforms plaintext blocks using four operations:
1. SubBytes - substitution of bytes. Each byte of the state is replaced by a new byte according to the defined substitution $S : \{0,1\}^8 \to \{0,1\}^8$. $S$ is a bijection (the S-box) and, among other functions, it ensures that the encryption is non-linear.
2. ShiftRows - cyclic shift of the rows of the state. Each row is shifted to the left by a different number of bytes: the first row does not change, the subsequent rows are shifted by one, two and three bytes:
$$\begin{pmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\ s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\ s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3} \end{pmatrix} \longmapsto \begin{pmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,1} & s_{1,2} & s_{1,3} & s_{1,0} \\ s_{2,2} & s_{2,3} & s_{2,0} & s_{2,1} \\ s_{3,3} & s_{3,0} & s_{3,1} & s_{3,2} \end{pmatrix}$$
3. MixColumns - transformation of the columns of the state. Each column (consisting of the bytes $s_{0,c}, \dots, s_{3,c}$) is replaced by a new column according to the formula
$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix}.$$
In this matrix multiplication the components of both matrices are interpreted as elements of the finite field $GF(2^8)$ defined by the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$ (the matrix entries are hexadecimal bytes). Addition in the field is a simple byte XOR.
4. AddRoundKey - addition of a 16-byte (128-bit) subkey to the state. The addition is performed as an XOR of the corresponding bytes of the subkey and the state.
Each round consists of the same sequence of these operations, except at the beginning (before the first round an extra AddRoundKey is inserted) and in the last round (the MixColumns operation is omitted). Schematically, the sequence of encryption and decryption operations is:
Encryption: plaintext → AddRoundKey → [SubBytes → ShiftRows → MixColumns → AddRoundKey] repeated $r-1$ times → SubBytes → ShiftRows → AddRoundKey → ciphertext.
Decryption: ciphertext → AddRoundKey → [InvShiftRows → InvSubBytes → AddRoundKey → InvMixColumns] repeated $r-1$ times → InvShiftRows → InvSubBytes → AddRoundKey → plaintext.
Decryption
The transformation of the ciphertext during decryption uses the inverses of the transformations used in encryption, with the only exception of AddRoundKey (XOR with the same subkey as in encryption removes the subkey from the ciphertext). Therefore the following operations are used:
1. InvSubBytes - substitution of the bytes of the state using the inverse permutation $S^{-1}$.
2. InvShiftRows - cyclic shift of the rows of the state to the right (as opposed to encryption). The first row remains the same, the rest are shifted by one, two and three bytes.
3. InvMixColumns - transformation of the columns of the state using the inverse of the matrix used during encryption:
$$\begin{pmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{pmatrix}.$$
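The following added Python example (not from the original text) carries out MixColumns and InvMixColumns on a column using $GF(2^8)$ arithmetic with the polynomial $x^8 + x^4 + x^3 + x + 1$, together with ShiftRows and its inverse, and checks that the two matrices are indeed inverses of each other. The input column d4 bf 5d 30 is the one from the worked example in FIPS-197, where the MixColumns output 04 66 81 e5 can be checked.

```python
"""GF(2^8) arithmetic and the Rijndael ShiftRows / MixColumns steps with their
inverses. Added example, not from the original text. The state is a 4x4 list of
rows, state[r][c], matching the s_{r,c} notation of the text."""

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of AES


def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8): shift-and-add with reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result & 0xFF


MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

# Inverse of MIX over GF(2^8), used by InvMixColumns.
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]


def mul_column(matrix, column):
    """Matrix times column vector over GF(2^8); addition is XOR."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, s in zip(row, column):
            acc ^= gf_mul(coeff, s)
        out.append(acc)
    return out


def _apply_to_columns(matrix, state):
    cols = [mul_column(matrix, [state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def mix_columns(state):
    return _apply_to_columns(MIX, state)


def inv_mix_columns(state):
    return _apply_to_columns(INV_MIX, state)


def shift_rows(state):
    """Row r is rotated left by r bytes (row 0 unchanged)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state):
    """Row r is rotated right by r bytes."""
    return [row[-r:] + row[:-r] if r else list(row) for r, row in enumerate(state)]


def check_inverse(matrix, inverse):
    """Confirms matrix * inverse is the identity matrix over GF(2^8)."""
    product = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            for k in range(4):
                product[i][j] ^= gf_mul(matrix[i][k], inverse[k][j])
    return product == [[int(i == j) for j in range(4)] for i in range(4)]


if __name__ == "__main__":
    column = [0xD4, 0xBF, 0x5D, 0x30]        # column from the FIPS-197 example
    mixed = mul_column(MIX, column)
    print([hex(b) for b in mixed])
    print(mul_column(INV_MIX, mixed) == column, check_inverse(MIX, INV_MIX))
```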
Key scheduling
The key schedule has to take into account the variable key length and the different numbers of rounds. A word in the Rijndael algorithm denotes a sequence of 4 bytes; words are the basic units of the key schedule. The algorithm creates a sufficiently large array of words $w$ (4 words per round key, $4(r+1)$ words in total) and the subkeys are extracted from it consecutively during the run of the algorithm.
Let $k$ denote the number of words in the key: for keys of 128, 192 and 256 bits the value of $k$ is 4, 6 and 8. The beginning of the array $w$ is filled with the encryption key. Each further word is computed as the XOR of the words $w[i-1]$ and $w[i-k]$. If the position $i$ of the word is divisible by $k$, the word $w[i-1]$ is first transformed: its bytes are cyclically shifted by one position (RotWord), each byte is then substituted using the SubBytes function $S$ (SubWord), and finally a predefined round constant (Rcon) is XORed into the word. (For 256-bit keys, $w[i-1]$ is additionally passed through SubWord when $i \bmod 8 = 4$.)
Security
The only known successful attacks to date (2006) are side channel attacks, i.e. attacks based on information gained from the physical implementation of a cryptosystem rather than on theoretical weaknesses in the algorithm. Side channel attacks do not attack the underlying cipher but implementations of the cipher on systems that inadvertently leak data.
In April 2005, D. J. Bernstein announced a cache timing attack that was used to break a custom server using OpenSSL's AES encryption. The custom server was designed to give out as much timing information as possible, and the attack required over 200 million chosen plaintexts.
In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache timing attacks against AES. One attack was able to obtain an entire AES key after only 800 writes, in 65 milliseconds. These attacks require the attacker to be able to run programs on the same system that is performing the AES encryptions; the practical countermeasure is an implementation whose memory access pattern does not depend on the key or data (bitsliced software or hardware AES instructions).
AES is recognized as the first public cipher approved by the NSA for Top Secret information (with 192- or 256-bit keys).
IDEA (International Data Encryption Algorithm)
Designed at ETH Zürich in 1991 by Xuejia Lai and James Massey, IDEA is a block cipher that was used in PGP 2.0 and remains an optional algorithm in OpenPGP.
IDEA operates on 64-bit blocks using a 128-bit key and consists of a series of eight identical transformations (rounds) and an output transformation (the half-round). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different groups - modular addition, modular multiplication and bitwise XOR - which are algebraically "incompatible" in some sense. All of these operations deal with 16-bit quantities:
1. bitwise exclusive OR,
2. addition modulo $2^{16}$,
3. multiplication modulo $2^{16} + 1$, where the all-zero word (0000H) is interpreted as $2^{16}$ (and the result $2^{16}$ is encoded back as 0000H).
The following diagram shows one round of the IDEA algorithm:
[Figure: IDEA network round]
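The following added Python example (not part of the original text) implements the three IDEA group operations on 16-bit words, including the encoding rule for the all-zero word and the multiplicative inverses needed to derive decryption subkeys, and the multiplication-addition (MA) structure that forms the core of each round. The check that every one of the 65536 words has a multiplicative inverse is what the zero encoding buys.

```python
"""IDEA's three 16-bit group operations and the multiplication-addition (MA)
structure of a round. Added example, not from the original text."""

WORD = 1 << 16          # 65536: modulus of the addition
PRIME = WORD + 1        # 65537: modulus of the multiplication (a prime)


def idea_xor(a, b):
    return a ^ b


def idea_add(a, b):
    """Addition modulo 2^16."""
    return (a + b) % WORD


def idea_mul(a, b):
    """Multiplication modulo 2^16 + 1 on 16-bit words. The word 0x0000 has no
    place in Z*_65537, so it stands for the element 2^16; symmetrically the
    product 2^16 is encoded back as 0x0000. This keeps the operation a group
    operation on all 65536 words."""
    a = WORD if a == 0 else a
    b = WORD if b == 0 else b
    r = (a * b) % PRIME
    return 0 if r == WORD else r


def idea_mul_inv(a):
    """Multiplicative inverse with the same encoding (needed for decryption
    subkeys). Fermat: x^(p-2) = x^-1 mod p for prime p."""
    x = WORD if a == 0 else a
    r = pow(x, PRIME - 2, PRIME)
    return 0 if r == WORD else r


def idea_add_inv(a):
    """Additive inverse modulo 2^16."""
    return (-a) % WORD


def ma_structure(x, y, k5, k6):
    """The multiplication-addition block in the middle of every IDEA round:
    inputs x, y (XORs of the four sub-blocks), subkeys k5, k6; outputs (t, u)."""
    s = idea_mul(x, k5)
    t = idea_mul(idea_add(s, y), k6)
    u = idea_add(s, t)
    return t, u


def all_words_invertible():
    """Every 16-bit word, including 0x0000, has a multiplicative inverse."""
    return all(idea_mul(w, idea_mul_inv(w)) == 1 for w in range(WORD))
```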
Security
The designers analyzed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune under certain assumptions. No linear or algebraic weaknesses have been reported. Some classes of weak keys have been found, but their number is practically irrelevant. As of 2004, the best attack that applies to all keys breaks IDEA reduced to 5 rounds (the full cipher uses 8.5 rounds).
The problem that hindered the wide adoption of IDEA was the patents on it (the last of which expired in 2012).
Blowfish
Blowfish is an iterated block cipher based on a Feistel network, designed by Bruce Schneier in 1993. Blowfish has been adopted by many products, as its availability is guaranteed by its public domain status. Notable features of the design are key-dependent S-boxes and a highly complex key schedule.
Blowfish operates on 64-bit blocks and uses keys of 32 to 448 bits. It is a 16-round Feistel cipher with large key-dependent S-boxes.
The diagram below shows the action of Blowfish. Each line represents 32 bits. The algorithm keeps two subkey arrays: the 18-entry P-array and four 256-entry S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. One entry of the P-array is used in every round, and after the final round each half of the data block is XORed with one of the two remaining unused P-entries.
[Figure: the Blowfish Feistel network. The 64-bit block is split into $L_0$ and $R_0$; in each of the 16 rounds the left half is XORed with $P_i$ and fed through the Feistel function $f$, whose output is XORed into the other half, after which the halves are swapped. After the last round the halves are XORed with the remaining entries $P_{17}$ and $P_{18}$, giving $L_r$ and $R_r$.]
Feistel function
The function splits the 32-bit input into four 8-bit quarters $a, b, c, d$ and uses them as indices into the four S-boxes. The 32-bit outputs are combined by addition modulo $2^{32}$ and XOR:
$$f(x) = \Big(\big(S_1[a] + S_2[b]\big) \oplus S_3[c]\Big) + S_4[d] \pmod{2^{32}}.$$
Key scheduling
Blowfish's key schedule starts by initializing the P-array and the S-boxes with values derived from the hexadecimal digits of $\pi$, which contain no obvious pattern. The secret key is then XORed with the P-entries in order (cycling the key if necessary). A 64-bit all-zero block is then encrypted with the algorithm as it stands. The resultant ciphertext replaces $P_1$ and $P_2$. The ciphertext is then encrypted again with the new subkeys, and $P_3$ and $P_4$ are replaced by the new ciphertext. This continues, replacing the entire P-array and all the S-box entries. In all, the Blowfish encryption algorithm runs 521 times to generate all the subkeys; about 4 KB of data is processed.
Security
As of 2006, there is no known effective attack on Blowfish. Still, its 64-bit block size is a drawback for large files: encrypting more than about $2^{32}$ blocks (32 GB) under one key starts to leak information about the plaintext, because of the birthday attack on repeated ciphertext blocks.
Practical usage
Blowfish is one of the fastest block ciphers in widespread use, except when keys are changed: each new key requires preprocessing equivalent to encrypting about 4 KB of text, which is very slow compared to other block ciphers. This prevents its use in applications where keys change often. The password-hashing method used in OpenBSD (bcrypt) uses an algorithm derived from Blowfish that deliberately makes use of the slow key schedule; the idea is that the extra computational effort required gives protection against dictionary attacks.
In some implementations, Blowfish has a relatively large memory footprint of just over 4 KB. This is not a problem even for older, smaller desktop and laptop computers, but it does prevent use in the smallest embedded systems such as early smartcards.
Blowfish is not subject to any patents and is therefore freely available for anyone to use. This has contributed to its popularity in cryptographic software.
[Figure: the Blowfish Feistel function. The 32-bit input is split into four 8-bit quarters indexing S-Box 1 to S-Box 4; their four 32-bit outputs are combined into the 32-bit output.]
Asymmetric cryptography
Basics of asymmetric (public key) cryptography
The beginning of asymmetric (public key) cryptography officially dates back to 1976, when Whitfield Diffie and Martin Hellman published their key-exchange algorithm. Unofficially, though, there are rumors that the NSA used public key cryptography already in the late '60s of the 20th century as a part of the security mechanism embedded into the PAL (Permissive Action Link) of nuclear missiles.
The first applications were constructions of asymmetric cryptosystems and key-exchange protocols. Nowadays, asymmetric cryptography provides the base for various systems, such as digital signatures, electronic money or electronic elections.
Formally, we can express an asymmetric system this way:
An asymmetric cryptosystem is a pair of functions, public and private. Both functions are constructed (chosen) by the user. The public function is published by the user and is available to anyone. The private function is an unpublished property of the user. The public function serves for encryption, the private function for decryption. Therefore encryption can be executed by anyone, decryption only by the owner of the private function. Sometimes the asymmetric system is presented as a class of functions parametrized by keys; then we talk about a public and a private key.
Let $P$ denote the set of all plaintexts, $C$ the set of ciphertexts, and $R$ the set $\{0,1\}^*$. Let $E : P \times R \to C$ be the public function and $D : C \to P$ the private function. The role of the set $R$ in the encryption function $E$ is to allow a random choice during encryption: the plaintext is then encrypted into one of several potential ciphertexts. Some cryptosystems do not use randomization (RSA); in others it is an essential component of encryption (Elgamal). Systems that use randomized encryption are called randomized.
An asymmetric system must satisfy the following properties to be usable:
1. Correctness - deciphering the ciphertext yields the original plaintext: $\forall m \in P\ \forall r \in R : D(E(m, r)) = m$.
2. Realizability - the functions $E$ and $D$ are algorithmically efficiently realizable, and so is their construction by the user. Efficient usually means with deterministic (or probabilistic) polynomial time complexity.
3. Security - from the knowledge of $E$ it is practically impossible to determine a function $D^*$ that is efficiently realizable and satisfies $D^*(c) = D(c)$ for a considerable fraction of $c \in C$. The inverse function therefore cannot be easily determined from the knowledge of $E$ alone.
Hybrid encryption
Contemporary asymmetric cryptosystems are substantially slower than symmetric cryptosystems in both encryption and decryption. As speed is one of the most substantial requirements of a cryptosystem, this represents a major drawback of asymmetric cryptography. To avoid this obstacle, the concept of hybrid encryption was introduced, which combines the strengths of asymmetric systems (simpler key distribution) and symmetric systems (fast operation).
A hybrid system uses a symmetric system to encrypt the transmitted data under a randomly generated key. The asymmetric system is used to encrypt this key under the public function of the recipient. After receiving the ciphertext, the recipient first deciphers the key using her private function and then deciphers the data using the obtained key.
Let $E_A, D_A$ denote the public and private function of user $A$, the recipient of a message $m$, and let $E$, $D$ be the encryption and decryption algorithms of some symmetric system. Hybrid encryption consists of the following steps:
Choose a random symmetric key $k$. The following pair is sent to recipient $A$:
$$\big(E_A(k, r),\ E_k(m)\big),$$
where $r$ is randomly chosen from $R$ (the random part of the asymmetric encryption).
User $A$ then deciphers the symmetric key,
$$D_A\big(E_A(k, r)\big) = k,$$
and subsequently also the message:
$$D_k\big(E_k(m)\big) = m.$$
The security of hybrid encryption depends on the security of both the asymmetric and the symmetric system used: a compromise of either of them compromises the whole hybrid system.
Asymmetric protocols
In the electronic world we would like to construct objects and procedures common in the real world, such as signatures, money, elections etc. Most of their real-world properties cannot be transferred directly into the electronic world, so we need to create their electronic equivalents and ensure their usability, among other means, by cryptography. Solutions using exclusively symmetric cryptography either do not exist or are very inefficient. Usable constructions are therefore based on asymmetric cryptography and other cryptographic primitives, such as one-way functions, cryptographic hash functions or secret sharing schemes.
RSA
RSA is one of the best known and most widely used asymmetric cryptosystems. It was published in 1978 by Ronald Rivest, Adi Shamir and Leonard Adleman of MIT, and its name is composed of the first letters of its authors' surnames. Its cryptographic strength is based on the problem of factorization.
Initialization
Initialization is the process of creating the private and public key of an RSA instance.
1. Two different, sufficiently large prime numbers $p$ and $q$ are chosen. Let $n = pq$.
2. A natural number $e$ is chosen that satisfies $1 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$, where $\varphi(n) = (p-1)(q-1)$ is the Euler function and $\gcd$ denotes the greatest common divisor (highest common factor) of its arguments. Therefore $e$ is invertible modulo $\varphi(n)$.
3. The number $d$ is computed that satisfies $ed \equiv 1 \pmod{\varphi(n)}$.
What "sufficiently large" prime numbers are depends on the efficiency of contemporary factorization methods (factorization extracts the prime factors from a number) and on the degree of security we request from our system. At the time of writing (2006), 512-bit primes are considered safe (after multiplication we get at least a 1024-bit modulus); today a modulus of at least 2048 bits is the common recommendation.
The public key is then the pair $(e, n)$. The private key is the value $d$. The parameter $d$ is also called the private exponent and $e$ the public exponent. The primes $p$ and $q$ are not required for the use of RSA and can be disposed of after initialization; it is, however, important that $p$ and $q$ do not fall into the hands of a potential attacker.
Both plaintexts and ciphertexts live in the space $\mathbb{Z}_n = \{0, 1, \dots, n-1\}$. The essential parts of the RSA cryptosystem can finally be expressed:
$$\text{encryption: } E(m) = m^e \bmod n, \qquad \text{decryption: } D(c) = c^d \bmod n.$$
During decryption it is necessary to know the value of $n$ besides the private key $d$; but $n$ is already part of the public key.
RSA can be used as a typical block cipher; the block has the size of the number of bits of $n$. Note that in this "textbook" form RSA is deterministic and malleable, so in practice a message is first padded (e.g. with OAEP) before exponentiation.
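The hybrid scheme described earlier and textbook RSA as defined here, as an added Python example (not from the original text). RSA key generation implements initialization steps 1-3 with Miller-Rabin primality testing; the symmetric cipher $E_k$ is a SHA-256 counter-mode keystream chosen only to keep the example self-contained (an assumption: any block cipher in a suitable mode would take its place). As in the textbook description there is no padding and no integrity protection, so this is for study, not deployment.

```python
"""Textbook RSA (key generation, encryption, decryption) and the hybrid scheme
(E_A(k), E_k(m)). Added example, not from the original text. The symmetric
cipher is a SHA-256 counter-mode keystream standing in for DES/AES (an
assumption made to keep the example self-contained). No padding, no integrity."""
import hashlib
import math
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd number of exactly `bits` bits that passes Miller-Rabin."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512, e=65537):
    """Steps 1-3 of the initialization: primes p, q, then d = e^-1 mod phi(n).
    Returns (public, private) = ((e, n), (d, n)). 512 bits is for the demo only."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_encrypt(public, m):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be in Z_n")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    d, n = private
    return pow(c, d, n)


def keystream_xor(key, data):
    """Symmetric stand-in with E_k = D_k: XOR with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def hybrid_encrypt(public, message):
    """Fresh 128-bit symmetric key k; send (E_A(k), E_k(m))."""
    k = secrets.token_bytes(16)
    return rsa_encrypt(public, int.from_bytes(k, "big")), keystream_xor(k, message)


def hybrid_decrypt(private, wrapped_key, body):
    """Recover k = D_A(E_A(k)), then m = D_k(E_k(m))."""
    k = rsa_decrypt(private, wrapped_key).to_bytes(16, "big")
    return keystream_xor(k, body)


def demo():
    """Round trip on a constructed message with a freshly generated 512-bit key."""
    public, private = rsa_keygen(512)
    message = b"constructed sample message for the hybrid scheme"
    wrapped_key, body = hybrid_encrypt(public, message)
    return hybrid_decrypt(private, wrapped_key, body) == message
```

The small instance $p = 61$, $q = 53$, $n = 3233$, $e = 17$, $d = 2753$ can be fed directly to `rsa_encrypt` and `rsa_decrypt` to follow the arithmetic by hand.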
Correctness of RSA
In this section we show the mathematical correctness of RSA, i.e. that after decryption of the ciphertext we get the original plaintext again.
Theorem (Correctness of RSA)
For each RSA instance, $\forall m \in \mathbb{Z}_n : D(E(m)) = m$.
Proof: Let $e$ and $d$ be the public and private exponent of an RSA instance with $n = pq$. We need to show that $(m^e \bmod n)^d \bmod n = m$ for all $m \in \mathbb{Z}_n$.
The special case is $m = 0$; then $E(m) = D(E(m)) = 0$.
For $m \in \mathbb{Z}_n \setminus \{0\}$ we consider two cases: $\gcd(n, m) = 1$ and $\gcd(n, m) \ne 1$. We know that $ed \equiv 1 \pmod{\varphi(n)}$, thus $\exists k \in \mathbb{N} : ed = 1 + k\varphi(n)$.
1. $\gcd(n, m) = 1$. Let us compute:
$$D(E(m)) = (m^e \bmod n)^d \bmod n = m^{ed} \bmod n = m^{1 + k\varphi(n)} \bmod n = m \,\big(m^{\varphi(n)}\big)^k \bmod n = m \bmod n = m.$$
The penultimate equality is a consequence of Euler's theorem ($m^{\varphi(n)} \equiv 1 \pmod n$).
2. $\gcd(n, m) \ne 1$. Then either $p \mid m$ or $q \mid m$ (but not both at the same time, because $0 < m < n$). Without loss of generality we assume that $m = l p^s$, where $s \ge 1$ and $\gcd(n, l) = 1$. Then
$$D(E(m)) = m^{ed} \bmod n = (l p^s)^{1 + k\varphi(n)} \bmod n = l \,\big(p^{1 + k\varphi(n)}\big)^s \bmod n, \qquad (1)$$
where $l^{1 + k\varphi(n)} \equiv l \pmod n$ was used, as in case 1. According to Fermat's little theorem, $p^{q-1} \equiv 1 \pmod q$. Therefore
$$p^{(q-1)(p-1)} = p^{\varphi(n)} \equiv 1 \pmod q,$$
$$p^{k\varphi(n)} = 1 + aq \quad \text{for some } a \in \mathbb{Z},$$
$$p^{k\varphi(n)+1} = p + apq = p + an,$$
$$p^{k\varphi(n)+1} \equiv p \pmod n.$$
Substituting into (1) we get
$$D(E(m)) \equiv l p^s = m \pmod n. \qquad \text{QED}$$
To justify the steps used in this proof (Euler's and Fermat's theorems, and the existence of $d$), we first need to take a look at some number theory.
Extended Euclidean algorithm:
The algorithm computes for a given pair of natural numbers $a, b$ their greatest common divisor (denoted $\gcd(a, b)$) and integers $u, v$ such that $ub + va = \gcd(a, b)$. Without loss of generality we assume that $a \ge b$.
Procedure:
    s_0 = a; s_1 = b; u_0 = 0; u_1 = 1; v_0 = 1; v_1 = 0;
    n = 1;
    while s_n > 0
        n = n + 1;
        q_n = s_{n-2} div s_{n-1};          // integer division
        s_n = s_{n-2} - q_n * s_{n-1};
        u_n = q_n * u_{n-1} + u_{n-2};
        v_n = q_n * v_{n-1} + v_{n-2};
    end
    u = (-1)^n * u_{n-1};
    v = (-1)^(n-1) * v_{n-1};
    gcd(a, b) = s_{n-1};
For example, for $a = 12$, $b = 8$ the loop stops with $n = 3$, $s_2 = 4$, $u_2 = v_2 = 1$, giving $u = -1$, $v = 1$ and $ub + va = -8 + 12 = 4 = \gcd(12, 8)$.
In the following lemma the correctness of the extended Euclidean algorithm is proven.
Lemma: Let $a, b$ be natural numbers with $a \ge b$. Then
$$\gcd(a, b) = s_{n-1}, \qquad (*)$$
$$ub + va = \gcd(a, b). \qquad (**)$$
Proof: Property (*) corresponds to the classical Euclidean algorithm and follows from
$$\gcd(a, b) = \gcd(b, a \bmod b) = \gcd(b, s_2) = \gcd(s_2, b \bmod s_2) = \gcd(s_2, s_3) = \dots = \gcd(s_{n-2}, s_{n-1}) = s_{n-1},$$
since $s_n = 0$.
Now property (**) is proven. First, by mathematical induction we show that
$$\forall k \in \{0, \dots, n\} : (-1)^{k+1} u_k b + (-1)^k v_k a = s_k .$$
1. $k = 0$: $(-1)^1 u_0 b + (-1)^0 v_0 a = 0 + a = s_0$.
   $k = 1$: $(-1)^2 u_1 b + (-1)^1 v_1 a = b - 0 = s_1$.
2. Assume the identity holds for $k-1$ and $k-2$; we show its validity for $k$:
$$\begin{aligned}
(-1)^{k+1} u_k b + (-1)^k v_k a
&= (-1)^{k+1}(q_k u_{k-1} + u_{k-2}) b + (-1)^k (q_k v_{k-1} + v_{k-2}) a \\
&= -q_k \big((-1)^{k} u_{k-1} b + (-1)^{k-1} v_{k-1} a\big) + (-1)^{k-1} u_{k-2} b + (-1)^{k-2} v_{k-2} a \\
&= -q_k s_{k-1} + s_{k-2} = s_k .
\end{aligned}$$
From the proven identity (with $k = n-1$) and property (*) we obtain
$$\underbrace{(-1)^n u_{n-1}}_{u}\, b + \underbrace{(-1)^{n-1} v_{n-1}}_{v}\, a = s_{n-1} = \gcd(a, b). \qquad \text{QED}$$
Lemma: Let $a \ge b$ be two coprime integers, i.e. $\gcd(a, b) = 1$. Then $\exists u, v \in \mathbb{Z} : va + ub = 1$.
Proof: This follows directly from the extended Euclidean algorithm.
Let $a \ge b$ be two coprime natural numbers. According to the previous lemma there exist integers $u, v$ such that $va + ub = 1$. Thus $va = 1 + b(-u)$, and this implies $va \equiv 1 \pmod b$. The extended Euclidean algorithm therefore proves the existence of the inverse of $a$ with respect to multiplication modulo $b$. Moreover, the algorithm provides a recipe for computing this inverse (in our case $v$). Additionally, all numbers of the form $v + bt$, for any integer $t$, are inverses as well.
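The extended Euclidean algorithm with the sequences $s_n, u_n, v_n, q_n$ and the sign correction exactly as in the procedure above, and the modular inverse derived from it, as an added Python example (not part of the original text). `mod_inverse` is what computes the RSA private exponent $d = e^{-1} \bmod \varphi(n)$; the call `mod_inverse(17, 3120)` reproduces the textbook value $d = 2753$.

```python
"""Extended Euclidean algorithm following the text's recurrences, and the
modular inverse obtained from it. Added example, not from the original text."""


def extended_euclid(a, b):
    """Returns (g, u, v) with u*b + v*a == g == gcd(a, b), for naturals a >= b >= 0.
    Mirrors the procedure in the text: s_n, u_n, v_n, q_n and the (-1)^n signs."""
    s = [a, b]
    u = [0, 1]
    v = [1, 0]
    n = 1
    while s[n] > 0:
        n += 1
        q = s[n - 2] // s[n - 1]             # q_n, integer division
        s.append(s[n - 2] - q * s[n - 1])    # s_n
        u.append(q * u[n - 1] + u[n - 2])    # u_n
        v.append(q * v[n - 1] + v[n - 2])    # v_n
    g = s[n - 1]
    return g, (-1) ** n * u[n - 1], (-1) ** (n - 1) * v[n - 1]


def mod_inverse(a, m):
    """Inverse of a modulo m (m > 1, gcd(a, m) == 1), from the identity
    u*a + v*m == 1  =>  u*a == 1 (mod m)."""
    a %= m
    if a == 0:
        raise ValueError("not invertible")
    # extended_euclid expects its first argument to be the larger one,
    # so call it as (m, a): the returned u then multiplies a.
    g, u, v = extended_euclid(m, a)
    if g != 1:
        raise ValueError("not invertible")
    return u % m
```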
Euler's theorem
First, some auxiliary statements will be provided.
Lemma (cancellation): Let $n, a, b, k \in \mathbb{N}$. If $ka \equiv kb \pmod n$ and $\gcd(k, n) = 1$, then $a \equiv b \pmod n$.
Proof: If $a = b$, the lemma holds trivially. Without loss of generality we can assume $a > b$. Then there exists $l \in \mathbb{Z}$ such that $k(a - b) = ln$. (***) Because $\gcd(k, n) = 1$, by the previous lemma $\exists u, v \in \mathbb{Z} : ku + nv = 1$. Using this and (***):
$$a - b = (ku + nv)(a - b) = u \cdot k(a - b) + nv(a - b) = uln + nv(a - b) = n\big(lu + v(a - b)\big).$$
Therefore $a \equiv b \pmod n$.
Definition: For an arbitrary natural number $n$, let $\mathbb{Z}_n^*$ denote the set of all numbers coprime to $n$ that are smaller than $n$ and larger than 0:
$$\mathbb{Z}_n^* = \{\, a \in \{1, \dots, n-1\} : \gcd(a, n) = 1 \,\}.$$
Additionally, the symbol $\varphi(n)$ denotes the cardinality of this set, $\varphi(n) = |\mathbb{Z}_n^*|$. The function $\varphi(n)$ is called the Euler function.
Remark: If $p$ is a prime number, then $\mathbb{Z}_p^* = \{1, \dots, p-1\}$ and $\varphi(p) = p - 1$. If $n = pq$ is a product of two distinct primes, then $\varphi(n) = (p-1)(q-1)$.
Lemma: Let $\mathbb{Z}_n^* = \{r_1, \dots, r_{\varphi(n)}\}$ be all natural numbers smaller than $n$ and coprime to $n$. Let $a$ be an integer with $\gcd(a, n) = 1$. Then
$$\{\, a r_1 \bmod n, \dots, a r_{\varphi(n)} \bmod n \,\} = \mathbb{Z}_n^* .$$
Proof: We need to show that the numbers $a r_1 \bmod n, \dots, a r_{\varphi(n)} \bmod n$ are mutually different and coprime to $n$. It is easy to see that $0 < a r_i \bmod n < n$ for $i = 1, \dots, \varphi(n)$.
1. Let $i, j \in \{1, \dots, \varphi(n)\}$ be indices such that $a r_i \bmod n = a r_j \bmod n$. Because $\gcd(a, n) = 1$, the cancellation lemma above gives $r_i \equiv r_j \pmod n$. By assumption $r_i, r_j < n$, thus $r_i = r_j$ and $i = j$. Therefore the numbers in the sequence $a r_1 \bmod n, \dots, a r_{\varphi(n)} \bmod n$ are mutually different.
2. For all $i \in \{1, \dots, \varphi(n)\}$ we have $\gcd(r_i, n) = 1$, and also $\gcd(a, n) = 1$. Therefore $\gcd(a r_i \bmod n, n) = 1$ as well.
The set on the left-hand side thus consists of $\varphi(n)$ distinct elements of $\mathbb{Z}_n^*$, so it equals $\mathbb{Z}_n^*$.
Euler's theorem: Let $n, a \in \mathbb{N}$ and $\gcd(a, n) = 1$. Then $a^{\varphi(n)} \equiv 1 \pmod n$.
Proof: Let $\mathbb{Z}_n^* = \{r_1, \dots, r_{\varphi(n)}\}$. Then the following relation holds:
$$\prod_{i=1}^{\varphi(n)} r_i \;\equiv\; \prod_{i=1}^{\varphi(n)} a r_i \;\equiv\; a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n.$$
Recall that the first congruence is a consequence of the previous lemma (the numbers $a r_i \bmod n$ are the same set as the $r_i$, only in a different order). Because $\gcd\big(\prod_{i=1}^{\varphi(n)} r_i,\ n\big) = 1$, the cancellation lemma gives
$$a^{\varphi(n)} \equiv 1 \pmod n. \qquad \text{QED}$$
Corollary (Fermat's little theorem): Let $p$ be a prime number and let $a$ be such that $p \nmid a$ ($p$ does not divide $a$). Then $a^{p-1} \equiv 1 \pmod p$.
Proof: $\varphi(p) = p - 1$.
Security of RSA
The security of RSA depends on the factorization problem, i.e. on decomposing the value $n$ into the product of the two primes $p$ and $q$. If $n$ were easily factorizable, anybody could obtain the value of $d$ from $e$ and $\varphi(n)$ in the same way as we do in the initialization step. Therefore, if we are able to factor $n$, we are able to break RSA. The converse is an open problem (whether breaking RSA solves factorization).
Factorization of n using the knowledge of φ(n)
Anybody knowing the value of $\varphi(n)$ is capable of finding the prime factors $p$ and $q$ by solving the system of two equations
$$pq = n, \qquad (p-1)(q-1) = \varphi(n),$$
since $p + q = n - \varphi(n) + 1$, and $p$, $q$ are then the two roots of $x^2 - (p+q)x + n = 0$.
Factorization of n using the knowledge of e and d
It is also possible to factor $n$ using the knowledge of $e$ and $d$. It is therefore strongly advised not to share the value of $n$ among several users, as the knowledge of one pair $(e, d)$ leads to an efficient factorization of $n$, after which the communication of all those users is compromised.
Special factorization algorithms
If the primes $p$ and $q$ have a special structure, special factorization algorithms can be used. One algorithm (Fermat's method) exploits the case when $p$ and $q$ are close, i.e. $|p - q|$ is not large enough; another (Pollard's $p-1$ method) can factor $n$ when $p - 1$ or $q - 1$ has only small prime factors.
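Both factorization methods above carried out in code, as an added Python example (not from the original text): recovering $p, q$ from $\varphi(n)$ by solving the quadratic, and recovering them from a private exponent $d$ by searching for a non-trivial square root of 1 modulo $n$ in the powers of a random base. The test values (the RSA textbook instance $n = 3233$ and two primes just above $10^6$) are constructed for the example.

```python
"""Two ways to recover the RSA primes from leaked private data: from phi(n),
and from a private exponent d together with e and n. Added example, not from
the original text."""
import math
import secrets


def factor_from_phi(n, phi):
    """p + q = n - phi + 1, so p and q are the roots of x^2 - (p+q) x + n."""
    s = n - phi + 1                   # p + q
    disc = s * s - 4 * n              # (p + q)^2 - 4pq = (p - q)^2
    r = math.isqrt(disc)
    if r * r != disc:
        raise ValueError("inconsistent n and phi")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("inconsistent n and phi")
    return p, q


def factor_from_ed(n, e, d, tries=100):
    """e*d - 1 is a multiple of phi(n), so g^(e*d - 1) == 1 (mod n) for every g
    coprime to n. Write e*d - 1 = 2^t * r and square g^r repeatedly: with
    probability >= 1/2 per random g we pass through a square root of 1 that is
    neither 1 nor -1, and gcd(x - 1, n) is then a proper factor."""
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        r //= 2
        t += 1
    for _ in range(tries):
        g = secrets.randbelow(n - 2) + 2
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                       # x is a non-trivial root of 1
                p = math.gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            if y == n - 1:                   # chain ends in the trivial root -1
                break
            x = y
    raise ValueError("no factor found")
```

Both functions return the factors in increasing order; `factor_from_ed` is randomized, so it is the one that may (with negligible probability) need a retry.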
Small message space
An attacker intercepts a ciphertext and, using the public exponent $e$ and the modulus $n$, generates possible messages and encrypts them. If one of the encrypted messages matches the intercepted ciphertext, the attacker has found the exact plaintext. This is feasible only when the message space is small, i.e. when the number of possible plaintexts is low (textbook RSA is deterministic, so equal plaintexts give equal ciphertexts).
Attack on the small public exponent e
The advantage of a small public exponent $e$ lies in the speed of encryption and of verification of digital signatures, and in smaller storage requirements. These advantages are, however, accompanied by security risks, especially when the same message is sent to several recipients or when related (polynomially dependent) messages are sent.
Attack on the short private exponent d
Similarly, a small private exponent $d$ allows faster decryption and lowers memory requirements; however, there is a known attack (Boneh and Durfee) that recovers $d$ from the public key $(e, n)$ whenever $d < n^{0.292}$ and $e < n^{1.875}$. The second condition is usually satisfied in practice.
Elgamal
This cryptosystem was published in 1984 by Taher Elgamal, later chief scientist at
Netscape Corporation and inventor of SSL. It is based on a problem of discrete
logarithm.
Discrete logarithm: Let (G,) be finite group and b , yG . Then discrete logarithm
y in base b is arbitrary x, such that b
x
=y . Discrete logarithm problem denotes the
problem of finding discrete logarithm for given values of b and y. For cyclic groups, it is possible to
formulate stronger statement: Let (G,) be finite cyclic group of the order n and gG be its
generator. For a given yG it is necessary to compute x
n
such that
g
x
=y
.
Intialization
Choose large prime number p and g
p
*
(does not necessarily have to be a generator). Values of
p and g can be shared by the users. Next, choose random x
R
2,3, p2 and compute
y=g
x
( mod p) . Public key is then triple (y, p, g) and private key value of x.
Encryption
The plaintext space is the set $\mathbb{Z}_p^*$; longer texts are split into blocks of the required size. Let $m \in \mathbb{Z}_p^*$ be the plaintext (message) we intend to encrypt:
1. Choose a random $k \in_R \{1, 2, \ldots, p-2\}$, a fresh value for every message.
2. The ciphertext is the pair $(r, s)$, where $r = g^k \bmod p$ and $s = y^k m \bmod p$ ($y$ is part of the public key).
Decryption
The user who knows the private key $x$ deciphers the message as
$m = (r^x)^{-1} \cdot s \bmod p.$
Correctness of Elgamal
Take an instance of the Elgamal system with parameters $p, g, y, x$, a message $m \in \mathbb{Z}_p^*$ and its encrypted form $(r, s)$. Then
$(r^x)^{-1} \cdot s \bmod p = (g^{kx})^{-1} \cdot y^k m \bmod p = g^{-kx} \cdot g^{kx} \cdot m \bmod p = m \bmod p = m.$
The Elgamal encryption scheme is used in OpenPGP implementations such as GnuPG, and the related Elgamal signature scheme was the starting point for the Digital Signature Algorithm (DSA).
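An added Python example (not the original's code) implementing the scheme exactly as specified above. The prime $p = 2^{127} - 1$ and $g = 2$ are constructed toy parameters; $g$ is not assumed to be a generator.

```python
# Added example: Elgamal key generation, encryption and decryption following
# the formulas of this section. P and G are constructed toy parameters.
import secrets

P = 2**127 - 1      # Mersenne prime
G = 2               # need not be a generator of Z_p^*

def keygen(p: int = P, g: int = G):
    """Private key x in {2, ..., p-2}; public key (y, p, g) with y = g^x mod p."""
    x = 2 + secrets.randbelow(p - 3)
    return x, (pow(g, x, p), p, g)

def encrypt(m: int, pub) -> tuple:
    """Ciphertext (r, s) = (g^k mod p, y^k * m mod p) with a fresh random k per message."""
    y, p, g = pub
    if not 1 <= m < p:
        raise ValueError("plaintext must be an element of Z_p^*")
    k = 1 + secrets.randbelow(p - 2)          # k in {1, ..., p-2}
    return pow(g, k, p), (pow(y, k, p) * m) % p

def decrypt(ct, x: int, p: int = P) -> int:
    """m = (r^x)^(-1) * s mod p; pow(r, -x, p) is the inverse of r^x (Python 3.8+)."""
    r, s = ct
    return (pow(r, -x, p) * s) % p

if __name__ == "__main__":
    x, pub = keygen()
    m = int.from_bytes(b"attack at dawn", "big")   # constructed sample plaintext
    c1, c2 = encrypt(m, pub), encrypt(m, pub)
    print("same plaintext, different ciphertexts:", c1 != c2)
    print("both decrypt correctly:", decrypt(c1, x) == m == decrypt(c2, x))
```

Because $k$ is fresh for every message, encrypting the same plaintext twice yields different ciphertexts, which the run demonstrates; the price is a ciphertext twice the size of the plaintext. The value $k$ must never be reused: two ciphertexts made with the same $k$ share $r$, and their $s$ values reveal $m_1 m_2^{-1} \bmod p$.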
Rabin
Michael Oser Rabin published in 1979 the first asymmetric cryptosystem with a proof of security: recovering plaintexts is provably as hard as factoring the modulus. Its strength is based on the factorization problem and mathematically it rests on quadratic residues.
Quadratic residue: A number $a \in \mathbb{Z}_n^*$ (i.e. $a \in \{1, \ldots, n-1\}$ with $\gcd(a, n) = 1$) is called a quadratic residue modulo $n$, written $a \in QR_n$, if there exists $b \in \mathbb{Z}_n$ such that $b^2 \equiv a \pmod n$. If no such $b$ exists, $a$ is called a quadratic non-residue modulo $n$, written $a \in QNR_n$.
Initialization
Choose two large prime numbers $p, q$, $p \neq q$. To simplify the computation of square roots modulo $p$ and $q$, the primes may be chosen so that $p \equiv q \equiv 3 \pmod 4$, but this is not necessary.
Let $n = pq$; then $n$ is the public key and $p, q$ are the private key.
Encryption
The ciphertext is simply the square of the message $m \in \mathbb{Z}_n$: $c = E(m) = m^2 \bmod n$.
Decryption
Due to the nature of quadratic residues, one ciphertext can be obtained from four plaintexts. If $\gcd(m, n) = 1$, then $E(m) \in QR_n$. Because $n$ is a product of two distinct primes, each $c \in QR_n$ has exactly four square roots modulo $n$. (The case $\gcd(m, n) \neq 1$ is very improbable and is left aside.) The four square roots are computed by first determining the square roots modulo $p$ and modulo $q$; for $p \equiv q \equiv 3 \pmod 4$ these are
$r_{1,2} = \pm c^{(p+1)/4} \bmod p, \qquad r_{3,4} = \pm c^{(q+1)/4} \bmod q.$
The square roots of $c$ modulo $n$ are then obtained as their combinations according to the Chinese remainder theorem:
$M_1 = (a r_1 + b r_3) \bmod n, \quad M_2 = (a r_1 + b r_4) \bmod n,$
$M_3 = (a r_2 + b r_3) \bmod n, \quad M_4 = (a r_2 + b r_4) \bmod n,$
where $a = q \cdot (q^{-1} \bmod p)$ and $b = p \cdot (p^{-1} \bmod q)$ (so that $a \equiv 1, b \equiv 0 \pmod p$ and $a \equiv 0, b \equiv 1 \pmod q$).
To identify the correct plaintext, we have to either specify the format of the message (add redundancy) or use additional techniques, such as padding.
Security of Rabin
The great advantage of the Rabin cryptosystem is that it can only be broken (in the sense of recovering plaintexts from ciphertexts) if the codebreaker is capable of efficiently factoring the public key $n$.
It has been proven that decrypting Rabin ciphertexts is equivalent to the factorization problem; no such proof exists for RSA. In this sense Rabin has a stronger security argument than RSA, and the argument remains valid until an efficient general solution of the factorization problem is discovered. (This assumes that the plaintext was not created with a specific structure that eases decoding.)
Factorization is still considered intractable for classical computers (although for quantum computers Shor's algorithm computes factors efficiently) and thus prevents any eavesdropper nowadays from breaking the code.
The textbook Rabin system is, however, vulnerable to a chosen-ciphertext attack, and the very property used in the security proof is what makes it work: an attacker who can obtain the decryption $m'$ of a ciphertext $c = m^2 \bmod n$ of her own choice gets a root $m' \neq \pm m$ (with probability 1/2 if the oracle picks a root at random), and then $\gcd(m - m', n)$ is a prime factor of $n$.
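The following Python example (added here; not from the original text) implements the encryption and the four-root decryption from the previous section and then runs the chosen-ciphertext attack just described against a naive decryption oracle. The primes, the 32-bit redundancy tag and the oracle model are constructed for illustration.

```python
# Added example: Rabin with p = q = 3 (mod 4): encryption, the four square
# roots via the CRT formulas of the previous section, and the chosen-ciphertext
# attack that turns a naive decryption oracle into a factoring oracle.
import math

# Constructed toy key: two Mersenne primes, both congruent to 3 modulo 4.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
TAG = 0xDEADBEEF          # 32 bits of redundancy so the receiver can pick the right root

def encrypt(m: int, n: int = N) -> int:
    """c = m^2 mod n (requires 0 < m < n, gcd(m, n) = 1)."""
    return pow(m, 2, n)

def decrypt_all(c: int, p: int = P, q: int = Q) -> list:
    """All four square roots M_1..M_4 of c modulo n = p*q."""
    n = p * q
    r1 = pow(c, (p + 1) // 4, p)    # +-r1 are the roots modulo p (p = 3 mod 4)
    r2 = (-r1) % p
    r3 = pow(c, (q + 1) // 4, q)    # +-r3 are the roots modulo q
    r4 = (-r3) % q
    a = q * pow(q, -1, p)           # a = 1 (mod p), a = 0 (mod q)
    b = p * pow(p, -1, q)           # b = 0 (mod p), b = 1 (mod q)
    # M_1 = a r1 + b r3, M_2 = a r1 + b r4, M_3 = a r2 + b r3, M_4 = a r2 + b r4
    return [(a * rp + b * rq) % n for rp in (r1, r2) for rq in (r3, r4)]

def pad(msg: int) -> int:
    """Agreed plaintext format: the message followed by the fixed TAG."""
    return (msg << 32) | TAG

def decrypt(c: int) -> list:
    """Roots that carry the TAG; with overwhelming probability exactly the sent one."""
    return [m for m in decrypt_all(c) if (m & 0xFFFFFFFF) == TAG]

def factor_with_oracle(oracle, n: int = N) -> int:
    """Chosen-ciphertext attack. `oracle(c)` returns some square root of c.
    For m of our choice submit c = m^2; when the returned m' is neither m nor
    n - m, then m'^2 = m^2 (mod n) with m' != +-m, so n divides (m - m')(m + m')
    without dividing either factor, and gcd(m - m', n) is p or q."""
    for m in range(1, 1000):
        m_prime = oracle(pow(m, 2, n))
        if m_prime not in (m, n - m):
            return math.gcd(m - m_prime, n)
    raise RuntimeError("oracle returned only +-m")

if __name__ == "__main__":
    pm = pad(int.from_bytes(b"rabin test", "big"))       # constructed plaintext
    c = encrypt(pm)
    print("four roots, plaintext among them:", len(set(decrypt_all(c))) == 4, pm in decrypt_all(c))
    print("format disambiguates:", decrypt(c) == [pm])
    # naive oracle that always hands back M_1; a few queries factor n
    factor = factor_with_oracle(lambda c: decrypt_all(c)[0])
    print("recovered factor is p or q:", factor in (P, Q))
```

The 32-bit tag only disambiguates the four roots; it is not a security padding, and a real system would combine Rabin with a randomised padding scheme. The last lines show why a naive decryption oracle is fatal: the first few trial messages already yield a root different from $\pm m$ and with it a prime factor of $n$.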
Diffie-Hellman key exchange (DH)
This is the first published asymmetric protocol, presented by Whitfield Diffie and Martin Hellman in 1976. It is based on the discrete logarithm problem. It later emerged that it had been discovered a few years earlier within GCHQ (Government Communications Headquarters), the British signals intelligence agency, by Malcolm J. Williamson, but had been kept classified.
The goal of DH is to allow two parties A, B to jointly establish a shared secret key $K$ for secure communication. The protocol assumes values $p$ and $g$ shared by all potential parties. The value $p$ is a sufficiently large prime and $g \in \mathbb{Z}_p^*$ can be (but does not need to be) a generator of the group $(\mathbb{Z}_p^*, \cdot)$.
Protocol:
1. A → B: $X$, where $X = g^x \bmod p$ and $x \in_R \mathbb{Z}_p^*$ is chosen by A at random.
2. B → A: $Y$, where $Y = g^y \bmod p$ and $y \in_R \mathbb{Z}_p^*$ is chosen by B at random.
3. A computes $K = Y^x \bmod p$.
4. B computes $K = X^y \bmod p$.
It is easy to see that both A and B compute the same key:
$Y^x \bmod p = g^{xy} \bmod p = X^y \bmod p.$
Man in the Middle attack
The DH protocol is vulnerable to an active attacker M (Mallory) sitting in the communication channel between A (Alice) and B (Bob). Mallory intercepts the first message and, instead of the value $X$, sends Bob the value $U = g^u \bmod p$, where she chooses $u$ at random (just as Alice chooses $x$). Similarly, she intercepts the message $Y$ and sends Alice the value $V = g^v \bmod p$ instead. The attack therefore proceeds as follows:
1. A → M(B): $X = g^x \bmod p$
2. M(A) → B: $U = g^u \bmod p$
3. B → M(A): $Y = g^y \bmod p$
4. M(B) → A: $V = g^v \bmod p$
5. A computes $K_1 = V^x \bmod p$
6. B computes $K_2 = U^y \bmod p$
The notation A → M(B) means that Alice sends a message intended for Bob, but it is intercepted by Mallory. The notation M(A) → B means that Mallory sends a message to Bob in Alice's name.
The important fact for Mallory is that neither Alice nor Bob can detect her presence in the protocol, and she is able to compute both keys $K_1$ and $K_2$:
$K_1 = X^v \bmod p = g^{xv} \bmod p, \qquad K_2 = Y^u \bmod p = g^{yu} \bmod p.$
Mallory can then decrypt, read and re-encrypt all traffic between the two. The attack works because the exchanged values are not authenticated; it is prevented by authenticating $X$ and $Y$ (e.g. with digital signatures), as authenticated key-exchange protocols do.
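The protocol and the attack above, run in an added Python example (not from the original text). $p$ and $g$ are constructed toy parameters; the class and function names are this example's own.

```python
# Added example: Diffie-Hellman in Z_p^* and the man-in-the-middle run above.
# P, G are constructed toy parameters; Party, honest_run and mitm_run are
# names chosen for this example.
import secrets

P = 2**127 - 1      # Mersenne prime
G = 2

class Party:
    """A protocol participant with a random secret exponent and its public value g^x mod p."""
    def __init__(self, p: int = P, g: int = G):
        self.p = p
        self.secret = 1 + secrets.randbelow(p - 2)      # x in {1, ..., p-2}
        self.public = pow(g, self.secret, p)

    def key(self, other_public: int) -> int:
        """K = (other side's public value)^secret mod p."""
        return pow(other_public, self.secret, self.p)

def honest_run():
    """Steps 1-4 of the protocol without an attacker: both keys are equal."""
    alice, bob = Party(), Party()
    return alice.key(bob.public), bob.key(alice.public)

def mitm_run():
    """Mallory replaces X by U and Y by V. Returns (Alice's K1, Bob's K2,
    Mallory's copy of K1, Mallory's copy of K2)."""
    alice, bob = Party(), Party()
    mallory_u, mallory_v = Party(), Party()       # Mallory's exponents u and v
    # 1. A -> M(B): X is intercepted;  2. M(A) -> B: U = g^u
    k2_bob = bob.key(mallory_u.public)            # K2 = U^y
    # 3. B -> M(A): Y is intercepted;  4. M(B) -> A: V = g^v
    k1_alice = alice.key(mallory_v.public)        # K1 = V^x
    # Mallory derives both keys from the intercepted X and Y
    k1_mallory = mallory_v.key(alice.public)      # X^v = g^{xv} = K1
    k2_mallory = mallory_u.key(bob.public)        # Y^u = g^{yu} = K2
    return k1_alice, k2_bob, k1_mallory, k2_mallory

if __name__ == "__main__":
    ka, kb = honest_run()
    print("honest run, keys agree:", ka == kb)
    k1, k2, m1, m2 = mitm_run()
    print("MITM: Alice == Mallory's K1:", k1 == m1, " Bob == Mallory's K2:", k2 == m2,
          " Alice == Bob:", k1 == k2)
```

In the honest run both keys agree. In the attacked run Alice's $K_1$ and Bob's $K_2$ differ, neither party can tell from the protocol messages that anything is wrong, and Mallory holds both keys, so she can transparently decrypt and re-encrypt everything that passes through her.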
Other asymmetric cryptosystems
Merkle-Hellman
This cryptosystem from the year 1978 is based on the NP-complete KNAPSACK problem (more precisely on its variant, subset sum). Its ideas are very elegant and much simpler than RSA, but it was broken by Adi Shamir. The subset sum problem can be formulated as follows:
Given a list of numbers and a third number, which is the sum of a subset of these numbers, determine the subset.
This problem is NP-complete, although some instances are easily solvable. Merkle-Hellman transforms an easy instance into a hard-looking one and back. Adi Shamir successfully attacked the process of converting the easy instance into the difficult one.
Paillier
The Paillier cryptosystem is a probabilistic asymmetric cryptosystem, invented by Pascal Paillier in 1999. The problem of computing $n$-th residue classes is believed to be computationally difficult. This is known as the Composite Residuosity (CR) assumption, upon which this cryptosystem is based.
The scheme is an additively homomorphic cryptosystem; this means that, given only the public key and the encryptions of $m_1$ and $m_2$, one can compute an encryption of $m_1 + m_2$.
It has found use in electronic voting and electronic cash, although some attacks are possible (the homomorphic property in particular means that ciphertexts are malleable).
Cryptographic hash functions
A cryptographic hash function produces a digest (fingerprint) of an electronic document, usually much shorter than the original document. A hash function is a mapping $h: X \to Y$, where $Y$ is a finite set and $X$ may but need not be finite. A value $x \in X$ is called a document or message; the value $h(x)$ is called its digest. The value $h(x)$ can be used as a substitute for the original document $x$.
Use of cryptographic hash functions
The range of uses of cryptographic hash functions includes integrity checks, authentication, digital signature schemes, cryptographic protocols etc.
Commitment scheme
A typical use of a cryptographic hash is as follows: Alice poses to Bob a difficult math problem and claims she has solved it. Bob would of course like to try it himself, but would also like to be sure that Alice is not bluffing. Therefore Alice writes down her solution, appends a random word (nonce), computes the hash of the result and tells Bob the hash value (without revealing the solution). When Bob later finds the solution himself, Alice reveals the nonce; he appends it to his solution, computes the hash and, by comparing the two digests, verifies whether his solution equals Alice's.
In practice Alice and Bob are computer programs and the secret is information more important than the solution of a puzzle.
Message integrity
A cryptographic hash function also serves to ensure that a message arrives intact and unmodified, as the sender intended. The digest provides a way to verify whether the message was modified: the receiver computes the digest of the received message and compares it with the digest value provided by the sender over a secure (authenticated) channel.
The same principle can be extended to detect files modified by malware or other malfeasance.
Another typical use of cryptographic hash functions is password verification. Passwords are typically not stored in plain form; only their hash digest is kept. To authenticate a user, the typed password is hashed and compared with the stored digest. For stronger protection, the password is concatenated with a random per-user value (a salt) before hashing, so that equal passwords do not yield equal digests and precomputed tables of digests are useless.
Cryptographic hash function properties and weaknesses
To assess the security of cryptographic hash functions, it is necessary to define some basic properties that allow the security of a particular construction to be analyzed.
(Cartoon illustrating the commitment scheme: Alice: "Look at this, I solved it!" Bob: "Nice, but I need a proof you really solved it." Alice: "Here is the hash!" Bob, after solving the problem and computing the hash himself: "Now I believe you.")
One-way function
A hash function $h: X \to Y$ is one-way if for a given $y \in Y$ it is computationally infeasible to find $x \in X$ such that $h(x) = y$.
This property is also called preimage resistance and means that from the digest alone it is not possible to reconstruct the original document or a substitute for it.
Weakly collision-free hash function (second preimage resistance)
A hash function $h: X \to Y$ is weakly collision-free if for a given $x \in X$ it is computationally infeasible to find $x' \in X \setminus \{x\}$ such that $h(x) = h(x')$.
This means that for a given document we are unable to find another one with the same hash digest.
Strongly collision-free hash function (collision resistance)
A hash function $h: X \to Y$ is strongly collision-free if it is computationally infeasible to find $x, x' \in X$ such that $x \neq x'$ and $h(x) = h(x')$.
This means that we cannot efficiently find any two documents with the same digest. Otherwise a document could be substituted by a tampered or fake document with the same digest; e.g. two different contracts with the same digest (and therefore the same signature) could lead to undesired results.
Birthday attack
This type of attack is inspired by the following problem, known as the birthday paradox:
How many people must be in a room for the probability that at least two of them share a birthday to be at least 50%?
It can be shown that 23 people suffice. This is somewhat surprising if we compare it with the number of people needed for at least a 50% probability that one of them has a birthday on a chosen day: 253 people are required. It can further be shown that for 60 people the probability of a shared birthday exceeds 99%.
Put into perspective, the second question is an analogy to guessing the key of a symmetric cipher, whereas the first question is an analogy to finding collisions of a hash function. The outcome is that finding a digest collision between two messages is much easier than finding a key; therefore the size of the hash digest ought to be larger than the size of a symmetric key. Usually the digest is chosen to have twice as many bits as the symmetric key.
Intuitively, it helps to realize that there are many possible unordered pairs of people who could share a birthday. For 23 people there are $\binom{23}{2} = 253$ possible pairs, which indicates why the paradox occurs. Alternatively, the paradox can be analyzed by considering the chance of no two people having the same birthday: the second person cannot share the birthday of the first, the third cannot share the birthday of the first two, the fourth of the first three, etc. As more people are added, it becomes ever more likely that some of them share a birthday. The paradox therefore concerns the question whether any of the 23 persons shares a birthday with any other person, not with one person in particular.
Probability computation
Assuming that all 365 possibilities are equally likely, the probability can be computed as follows. First, the probability $\bar p(n)$ that all $n$ birthdays are different is expressed:
$\bar p(n) = 1 \cdot \left(1 - \frac{1}{365}\right) \cdot \left(1 - \frac{2}{365}\right) \cdots \left(1 - \frac{n-1}{365}\right), \qquad n \le 365.$
This follows from the fact that the second person cannot have the same birthday as the first one, leaving 364 of 365 free days, the third person cannot share a birthday with the first two, leaving 363 free days, etc. The probability of the birthday paradox, i.e. that at least two persons share a birthday, is the complement of the probability that no two persons share a birthday, $\bar p(n)$:
$p(n) = 1 - \bar p(n) = 1 - \left(1 - \frac{1}{365}\right) \cdot \left(1 - \frac{2}{365}\right) \cdots \left(1 - \frac{n-1}{365}\right), \qquad n \le 365.$
To approximate the probability, the Taylor expansion $1 - x \approx e^{-x}$ can be used:
$\bar p(n) \approx e^{-1/365} \cdot e^{-2/365} \cdots e^{-(n-1)/365} = e^{-(1 + 2 + \cdots + (n-1))/365} = e^{-n(n-1)/(2 \cdot 365)} \approx e^{-n^2/(2 \cdot 365)},$
$p(n) = 1 - \bar p(n) \approx 1 - e^{-n^2/(2 \cdot 365)}.$
The attack
A birthday attack is a type of cryptographic attack that exploits the principle of the birthday paradox, trading memory for time (the candidate digests are stored and compared).
Let $H$ denote the cardinality of the set of all hash values, e.g. for a 64-bit hash output $H = 2^{64}$. The hash function is expected to distribute all values evenly, i.e. to be balanced. Substituting $H$ for the number of days in the Taylor-series formula for the birthday paradox gives the probability that after $n$ attempts a collision is found among the $H$ possible values:
$p(n) \approx 1 - e^{-n^2/(2H)}.$
Inverting this expression gives
$n(p) \approx \sqrt{2H \ln \frac{1}{1-p}}.$
The formula yields the number of tries needed to achieve a desired probability, in our case 50%:
$n\left(\tfrac{1}{2}\right) \approx 1.1774 \sqrt{H}.$
For a 64-bit hash function the number of all hash values is $H \approx 1.8 \cdot 10^{19}$, but to generate a collision with 50% probability of success it is sufficient to try only $n(\tfrac{1}{2}) \approx 5.1 \cdot 10^9$ attempts. If the hash function is not balanced, the number of required attempts decreases further.
This is the main reason why the digest of a hash function is typically twice as long as the key of its symmetric cipher counterpart.
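An added Python example (not from the original text) that runs the attack against SHA-256 truncated to 32 bits, a stand-in for a small balanced hash, and compares the number of attempts needed with the estimate $n(p)$ from the formulas above. The message format "msg-<i>" and the truncation are choices of this example.

```python
# Added example: a birthday attack on a hash truncated to 32 bits, with the
# n(p) estimate derived above. SHA-256 truncated to BITS bits stands in for any
# balanced hash with a short output; the message format "msg-<i>" is arbitrary.
import hashlib
import math

BITS = 32
H = 2 ** BITS           # number of possible digests

def h(msg: bytes) -> int:
    """Toy balanced hash: the first BITS bits of SHA-256(msg)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - BITS)

def birthday_collision(prefix: bytes = b"msg-"):
    """Hash distinct messages, remembering every digest seen, until two messages
    share a digest. Returns (m1, m2, number_of_hashes). Memory grows with the
    number of attempts: this is the space-for-time trade of the attack."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        d = h(m)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
        i += 1

def expected_attempts(p: float = 0.5, space: int = H) -> float:
    """n(p) ~ sqrt(2 H ln(1/(1-p))); for p = 1/2 this is 1.1774 sqrt(H)."""
    return math.sqrt(2 * space * math.log(1 / (1 - p)))

if __name__ == "__main__":
    m1, m2, n = birthday_collision()
    print("collision:", m1, m2, hex(h(m1)), "after", n, "hashes")
    print("expected for p=1/2:", round(expected_attempts()),
          "versus 2^%d = %d for a brute-force preimage" % (BITS, H))
```

On a typical run the collision appears after a few tens of thousands of hashes, close to $1.1774 \sqrt{2^{32}} \approx 77\,000$, whereas inverting a specific 32-bit digest would take about $2^{32}$ attempts. The dictionary `seen` is what the space-time trade-off refers to; cycle-finding variants of the attack need only constant memory.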
Replay attack
During authentication, computing the hash of the password alone and sending it through the communication channel represents a security risk, as Mallory in the middle can eavesdrop on the password hash and reuse it next time on Alice's behalf (the eavesdropped digest is as good as the password itself).
Therefore it is vital to randomize the digest computation. This is accomplished by appending a random string to the password and hashing them together each time the authentication is run. This random string is called a nonce (number used once); it should not be confused with a salt, which is a random value stored permanently next to a password hash. The authentication protocol then consists of Trent generating the nonce, passing it to Alice, Alice computing the hash of the password with the nonce and sending it to Trent, and Trent verifying the hash.
Notice that even if Mallory eavesdrops in the middle, she is not able to reuse the password hash next time, as Trent generates a different nonce for each session.
During authentication the nonce is transferred unencrypted, and for verification purposes Alice sends it back in front of the hash of the password concatenated with the nonce. Trent can then immediately check whether the password hash is fresh by extracting the nonce from the response and comparing it with the nonce stored in his system for that particular session, and verify Alice's input by computing the digest of the password concatenated with that nonce himself. Alice's output is thus
$\mathrm{output}(\mathrm{password}, \mathrm{nonce}) = \mathrm{nonce} \,\|\, h(\mathrm{password} \,\|\, \mathrm{nonce}),$
where $h$ is a cryptographic hash function and $\|$ denotes concatenation. This is a challenge-response protocol. Note that Trent must know the password (or a value derived from it that Alice also uses as input) in order to recompute the digest. The term key strengthening refers to a different technique: deliberately slowing down the hashing of a password, e.g. by iterating it many times, to make guessing attacks expensive.
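The challenge-response exchange above, with a replayed response being rejected, as an added Python example (not from the original text). Trent is modelled as a verifier object; the 16-byte nonce, SHA-256 as $h$, and the message layout nonce || h(password || nonce) are choices of this example.

```python
# Added example: the nonce-based challenge-response above, and a replay of a
# captured response being rejected. Trent is modelled as a verifier object; the
# 16-byte nonce, SHA-256 and the layout nonce || h(password || nonce) are
# choices of this example.
import hashlib
import hmac
import secrets

NONCE_LEN = 16

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Trent:
    """Verifier. Keeps each user's password (it must be able to recompute
    h(password || nonce)) and at most one outstanding nonce per user."""
    def __init__(self, passwords: dict):
        self.passwords = passwords
        self.pending = {}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce, digest = response[:NONCE_LEN], response[NONCE_LEN:]
        expected_nonce = self.pending.pop(user, None)      # a nonce is consumed on first use
        password = self.passwords.get(user)
        if expected_nonce is None or password is None:
            return False
        if not hmac.compare_digest(nonce, expected_nonce):  # stale or replayed nonce
            return False
        return hmac.compare_digest(digest, h(password.encode() + nonce))

def alice_response(password: str, nonce: bytes) -> bytes:
    """output(password, nonce) = nonce || h(password || nonce)."""
    return nonce + h(password.encode() + nonce)

def run_protocol():
    """Returns (first login accepted, replayed response accepted, wrong password accepted)."""
    trent = Trent({"alice": "correct horse battery staple"})    # constructed credential
    nonce = trent.challenge("alice")
    response = alice_response("correct horse battery staple", nonce)
    first = trent.verify("alice", response)
    # Mallory recorded `response`; Trent issues a fresh nonce for the next session
    trent.challenge("alice")
    replayed = trent.verify("alice", response)
    nonce3 = trent.challenge("alice")
    wrong = trent.verify("alice", alice_response("password1", nonce3))
    return first, replayed, wrong

if __name__ == "__main__":
    print(run_protocol())   # expected (True, False, False)
```

The replay fails because Trent compares the nonce in the response with the one he issued for the current session and consumes each nonce on first use. Note the cost of this scheme: Trent must store Alice's password (or whatever value Alice feeds into $h$) in a form he can use to recompute the digest, unlike plain salted-hash storage.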
Construction of cryptographic hash functions
Hash functions can be based on various principles: NP-hard problems, modified block ciphers, or a dedicated hash function can be designed.
Constructions from block ciphers
When constructing a hash function from a block cipher, the input message is divided into blocks corresponding to the block size of the cipher or to its key length. If $m$ is a message, its division into blocks is $m_1 m_2 \ldots m_k$, and with $E$ a symmetric cipher there exist secure schemes provided the cipher has the desired properties.
Iterated hash functions
Iterated hash functions process input data in blocks of fixed length. The input must therefore be padded accordingly and divided into blocks $m_1 m_2 \ldots m_k$.
The blocks are processed with a compression function $f$ and an intermediate digest is computed:
$H_0 = IV, \qquad H_i = f(m_i, H_{i-1}), \quad i = 1, \ldots, k,$
where $IV$ is a constant initialization vector of the given hash function. The output is the value $H_k$ or $g(H_k)$, where $g$ is an output function.
Construction as an iterated hash function is the most common type amongst contemporary hash functions. One of the reasons is that if the compression function used has suitable properties, these can be proved for the iterated hash function as well (with a suitable construction).
Merkle-Damgård construction
This construction extends a collision-free function $f: \{0,1\}^{n+r+1} \to \{0,1\}^n$, $r \ge 1$, into a function $h: \{0,1\}^* \to \{0,1\}^n$ that is also collision-free. Most popular contemporary hash functions follow this construction.
1. Let $x$ be the input of length $l$ bits. Partition $x$ into blocks $x_1 x_2 \ldots x_t$ of $r$ bits each (the last block padded with zeros).
2. Let $x_{t+1}$ be an additional block containing the binary representation of $l$.
3. The hash value $h(x) = H_{t+1}$ is computed as
$H_1 = f(0^{n+1} \,\|\, x_1), \qquad H_i = f(H_{i-1} \,\|\, 1 \,\|\, x_i), \quad i = 2, \ldots, t+1.$
Additionally, the resulting value can be processed by an output function $g$ that ensures additional properties of the resulting hash. These are often compression of the internal state to an output of fewer bits, mixing of bits, or the avalanche effect (a small change in the input causes a big change in the output).
Construction of compression functions
The compression function is the core of a cryptographic hash function. The input message $m$ is divided into blocks $m_1 m_2 \ldots m_k$. Contemporary compression functions are usually constructed according to one of several known schemes built from a block cipher $E_K$ (encryption under key $K$).
Davies-Meyer scheme
$H_i = E_{m_i}(H_{i-1}) \oplus H_{i-1}, \qquad i = 1, \ldots, k,$
where the final digest is the value $H_k$ and $H_0$ is a fixed initialization vector.
Matyas-Meyer-Oseas scheme
$H_i = E_{g(H_{i-1})}(m_i) \oplus m_i, \qquad i = 1, \ldots, k,$
where $g$ is a conversion/padding function mapping the chaining value to a cipher key.
(Figures: the Davies-Meyer and Matyas-Meyer-Oseas schemes, and the iterated hash function $IV \to f(x_1) \to f(x_2) \to \cdots \to f(x_t) \to g \to H$.)
Miyaguchi-Preneel scheme
$H_i = E_{g(H_{i-1})}(m_i) \oplus H_{i-1} \oplus m_i, \qquad i = 1, \ldots, k.$
This is an extended version of the previous scheme.
Of course, the block size of the cipher (and thus the size of the chaining value) must be large enough to prevent birthday-type attacks.
Contemporary cryptographic hash functions
The following table shows some of the contemporary cryptographic hash functions:
Hash algorithm    Hash sum size (bits)   Internal state size (bits)   Block size (bytes)
HAVAL             128-256                -                            -
MD2               128                    512                          16
MD4               128                    128                          64
MD5               128                    128                          64
RIPEMD-128        128                    128                          64
RIPEMD-160        160                    160                          64
SHA-0             160                    160                          64
SHA-1             160                    160                          64
SHA-224           224                    256                          64
SHA-256           256                    256                          64
SHA-384           384                    512                          128
SHA-512           512                    512                          128
Snefru            128-256                -                            -
Tiger-128         128                    192                          64
Tiger-160         160                    192                          64
Tiger / Tiger2    192                    192                          64
WHIRLPOOL         512                    512                          64
Message Digest Algorithm 5 - MD5
MD5 is an iterated hash function, introduced by Ronald Rivest in 1991 as a successor to MD4. It became an Internet standard (RFC 1321), which ensured its widespread occurrence in many contemporary applications and standards. Its main use has been checking the integrity of files.
Algorithm background
MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is padded and broken into 512-bit blocks. The padding works as follows: first a single 1 bit is appended to the end of the message. This is followed by as many 0 bits as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining 64 bits are filled with a 64-bit little-endian integer representing the length (in bits) of the original message.
The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to fixed constants. The algorithm then processes each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages (rounds); each round is composed of 16 similar operations based on a non-linear function F, modular addition and left rotation. There are four possible functions F, a different one being used in each round:
$F(X, Y, Z) = (X \wedge Y) \vee (\neg X \wedge Z)$
$G(X, Y, Z) = (X \wedge Z) \vee (Y \wedge \neg Z)$
$H(X, Y, Z) = X \oplus Y \oplus Z$
$I(X, Y, Z) = Y \oplus (X \vee \neg Z)$
MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. (Figure: one MD5 operation. The state words A, B, C, D enter at the top; F is the round's nonlinear function; $M_i$ denotes a 32-bit word of the message input and $K_i$ a 32-bit constant, different for each operation; $\boxplus$ denotes addition modulo $2^{32}$ and $\lll s$ denotes left rotation by $s$ places.)
Implementation
The following code is a runnable Python transcription of the algorithm; its output can be compared with hashlib.md5.

import math
import struct

MASK = 0xFFFFFFFF   # all variables are unsigned 32-bit and wrap modulo 2^32

# per-operation left-rotation amounts r[0..63], four distinct values per round
r = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
     + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)

# constants k[i] = floor(abs(sin(i + 1)) * 2^32): binary integer parts of the sines
k = [int(math.floor(abs(math.sin(i + 1)) * 2**32)) for i in range(64)]

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def md5(message: bytes) -> bytes:
    # initial state
    h0, h1, h2, h3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # pre-processing: append a "1" bit, then "0" bits until length = 448 (mod 512),
    # then the original bit length as a 64-bit little-endian integer
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)
    # process the message in successive 512-bit chunks
    for off in range(0, len(message), 64):
        w = struct.unpack("<16I", message[off:off + 64])   # sixteen 32-bit little-endian words
        a, b, c, d = h0, h1, h2, h3
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16
            f &= MASK   # Python's ~ is signed; keep 32 bits
            # temp := d; d := c; c := b; b := ((a + f + k[i] + w[g]) <<< r[i]) + b; a := temp
            a, d, c, b = d, c, b, (b + rotl((a + f + k[i] + w[g]) & MASK, r[i])) & MASK
        # add this chunk's result to the running state
        h0, h1, h2, h3 = ((h0 + a) & MASK, (h1 + b) & MASK,
                          (h2 + c) & MASK, (h3 + d) & MASK)
    # digest = h0 || h1 || h2 || h3, each word little-endian
    return struct.pack("<4I", h0, h1, h2, h3)
Applications
Digests produced by MD5 are heavily used when downloading software, to check that the downloaded file was not modified: a trusted party publishes the MD5 digest of the file, and after the download its MD5 digest is computed and compared. If the party publishing the digest is the same as the provider of the file (the digest sits next to the download on the same server), the digest loses its security meaning, since whoever can replace the file can replace the digest as well; it then serves only to detect accidental corruption.
MD5 has also often been used for protecting passwords. Of course, salting and key strengthening (iterated hashing) should be applied.
Security
MD5 has been considered unsafe since 2004-2006. Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu found the first collisions in 2004, and in 2006 Vlastimil Klíma, building on their work, proposed a method called tunneling that finds a collision within one minute on an ordinary PC. Further use of MD5 for any purpose requiring collision resistance is not secure and is strongly deprecated.
Secure Hash Algorithm - SHA
SHA is a family of iterated hash functions. The first member, SHA (now called SHA-0), was published in 1993. Two years later SHA-1 was published. Later the SHA-2 family was issued with a slightly modified design; it consists of the SHA-224, SHA-256, SHA-384 and SHA-512 functions.
The original specification of the algorithm (SHA-0) was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by NIST. It was withdrawn by the NSA shortly after publication and superseded by the revised version (SHA-1), published in 1995 as FIPS PUB 180-1. This corrected a flaw in the original algorithm which reduced its cryptographic security.
SHA-0 and SHA-1 produce a 160-bit digest; the maximal size of a message is limited to $2^{64}$ bits. The algorithm is based on principles similar to those used in MD5.
In 2001, NIST published additional hash functions in the SHA family, each with longer digests, collectively known as SHA-2 (draft FIPS PUB 180-2). In February 2004, a change notice was published for FIPS PUB 180-2, specifying an additional variant (SHA-224), defined to match the key length of two-key Triple DES (112 bits).
SHA-256 and SHA-512 are cryptographic hash functions computed with 32- and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA-384 are simply truncated versions of the former two, computed with different initial values.
Algorithm
Compression function of SHA-1
(Figure: one iteration within the SHA-1 compression function. A, B, C, D and E are the 32-bit words of the state; F is a nonlinear function that varies with the round; $\lll n$ denotes left rotation by $n$ places, by 5 for A and by 30 for B; $\boxplus$ denotes addition modulo $2^{32}$; $W_t$ is the expanded message word and $K_t$ a round constant.)
In the following paragraphs SHA-256 is described as a representative of modern cryptographic hash functions.
SHA-256 is defined for messages of size smaller than $2^{64}$ bits, processed in blocks of 512 bits (64 bytes). All computations in the algorithm are performed on 32-bit words. The opening input transformation is a padding that aligns the size to a multiple of 512 bits: after the message a single 1 bit is appended, the last 64 bits are reserved for the binary representation of the message length, and between the 1 bit and the length the corresponding number of 0 bits is inserted.
The intermediate result of the computation will be denoted $H^{(i)}$. It is 256 bits long and is divided into 8 words $H^{(i)}_0, \ldots, H^{(i)}_7$. The value $H^{(0)}$ is defined as a constant initialization vector.
From each input block, divided into 16 words (denoted $m_0, \ldots, m_{15}$), the sequence of 64 words $W_0, \ldots, W_{63}$ (the message schedule) is computed:
$W_t = m_t$ for $0 \le t \le 15$,
$W_t = G_1(W_{t-2}) + W_{t-7} + G_0(W_{t-15}) + W_{t-16}$ for $16 \le t \le 63$.
Addition is modulo $2^{32}$ and the functions $G_0$, $G_1$ are defined as follows ($RR_k$ is a cyclic rotation to the right by $k$ bits and $SR_k$ is a shift to the right by $k$ bits):
$G_0(x) = RR_7(x) \oplus RR_{18}(x) \oplus SR_3(x),$
$G_1(x) = RR_{17}(x) \oplus RR_{19}(x) \oplus SR_{10}(x).$
Subsequently the words $W_t$ are processed in a loop. The temporary variables $a, b, c, d, e, f, g, h$ are declared and first initialized as
$a = H^{(i-1)}_0, \; b = H^{(i-1)}_1, \; c = H^{(i-1)}_2, \; d = H^{(i-1)}_3, \; e = H^{(i-1)}_4, \; f = H^{(i-1)}_5, \; g = H^{(i-1)}_6, \; h = H^{(i-1)}_7.$
In the loop for $t = 0, \ldots, 63$, the temporary variables are updated simultaneously according to
$(a, b, c, d, e, f, g, h) \leftarrow (T_1 + T_2,\; a,\; b,\; c,\; d + T_1,\; e,\; f,\; g),$
where $T_1$ and $T_2$ are computed from the old values as
$T_1 = h + F_1(e) + Ch(e, f, g) + K_t + W_t,$
$T_2 = F_0(a) + Maj(a, b, c),$
$F_0(x) = RR_2(x) \oplus RR_{13}(x) \oplus RR_{22}(x),$
$F_1(x) = RR_6(x) \oplus RR_{11}(x) \oplus RR_{25}(x),$
$Ch(x, y, z) = (x \wedge y) \oplus (\neg x \wedge z),$
$Maj(x, y, z) = (x \wedge y) \oplus (x \wedge z) \oplus (y \wedge z),$
where the functions $F_0$, $F_1$, $Ch$ and $Maj$ are bitwise logic functions and $K_t$ are the 64 algorithm constants (the first 32 bits of the fractional parts of the cube roots of the first 64 primes). Note that $F_0$ (rotations by 2, 13, 22) is applied to $a$ and $F_1$ (rotations by 6, 11, 25) to $e$; in the FIPS notation these are $\Sigma_0$ and $\Sigma_1$, and $G_0$, $G_1$ are $\sigma_0$, $\sigma_1$.
The final computation of $H^{(i)}$ is obtained by executing the assignments
$H^{(i)}_0 = a + H^{(i-1)}_0, \; H^{(i)}_1 = b + H^{(i-1)}_1, \; H^{(i)}_2 = c + H^{(i-1)}_2, \; H^{(i)}_3 = d + H^{(i-1)}_3,$
$H^{(i)}_4 = e + H^{(i-1)}_4, \; H^{(i)}_5 = f + H^{(i-1)}_5, \; H^{(i)}_6 = g + H^{(i-1)}_6, \; H^{(i)}_7 = h + H^{(i-1)}_7.$
The message digest is the value of $H^{(i)}$ after processing the last block of the padded message.
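To make the equations of this section concrete, here is SHA-256 written out in Python from exactly these formulas, as an example added to this text (not the original's code); its output can be compared with hashlib.sha256. The constants $K_t$ and $H^{(0)}$ are derived from the cube and square roots of the first primes rather than typed in, and the helper names (RR, SR, G0, G1, F0, F1, compress) follow the notation of this section.

```python
# Added example: SHA-256 written out from the formulas of this section so that
# each of them can be checked against hashlib. Helper names follow the section's
# notation (RR, SR, G0, G1, F0, F1). Constants are derived, not typed in:
# K_t = first 32 fractional bits of cbrt(prime_t), H^(0) likewise from sqrt().
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

def primes(count: int) -> list:
    """The first `count` primes by trial division."""
    out, n = [], 2
    while len(out) < count:
        if all(n % p for p in out if p * p <= n):
            out.append(n)
        n += 1
    return out

def icbrt(n: int) -> int:
    """Exact floor of the integer cube root (float estimate, then correction)."""
    r = int(round(n ** (1 / 3)))
    while r ** 3 > n:
        r -= 1
    while (r + 1) ** 3 <= n:
        r += 1
    return r

K = [icbrt(p << 96) & MASK for p in primes(64)]           # floor(cbrt(p) * 2^32) mod 2^32
H_INIT = [math.isqrt(p << 64) & MASK for p in primes(8)]  # floor(sqrt(p) * 2^32) mod 2^32

def RR(x, k): return ((x >> k) | (x << (32 - k))) & MASK   # cyclic rotate right by k
def SR(x, k): return x >> k                                # shift right by k
def G0(x): return RR(x, 7) ^ RR(x, 18) ^ SR(x, 3)         # sigma_0, message schedule
def G1(x): return RR(x, 17) ^ RR(x, 19) ^ SR(x, 10)       # sigma_1, message schedule
def F0(x): return RR(x, 2) ^ RR(x, 13) ^ RR(x, 22)        # Sigma_0, applied to a
def F1(x): return RR(x, 6) ^ RR(x, 11) ^ RR(x, 25)        # Sigma_1, applied to e
def Ch(x, y, z): return (x & y) ^ (~x & z & MASK)
def Maj(x, y, z): return (x & y) ^ (x & z) ^ (y & z)

def compress(state: list, block: bytes) -> list:
    """One block: H^(i) from H^(i-1) and the 64-byte block."""
    W = list(struct.unpack(">16I", block))                 # m_0 .. m_15
    for t in range(16, 64):
        W.append((G1(W[t - 2]) + W[t - 7] + G0(W[t - 15]) + W[t - 16]) & MASK)
    a, b, c, d, e, f, g, h = state
    for t in range(64):
        T1 = (h + F1(e) + Ch(e, f, g) + K[t] + W[t]) & MASK
        T2 = (F0(a) + Maj(a, b, c)) & MASK
        a, b, c, d, e, f, g, h = (T1 + T2) & MASK, a, b, c, (d + T1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256(msg: bytes) -> bytes:
    """Pad (1 bit, zeros, 64-bit big-endian length) and iterate compress()."""
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bit_len)
    state = H_INIT[:]
    for off in range(0, len(msg), 64):
        state = compress(state, msg[off:off + 64])
    return struct.pack(">8I", *state)

if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 1000):
        assert sha256(m) == hashlib.sha256(m).digest()
    print("SHA-256 transcription agrees with hashlib:", sha256(b"abc").hex())
```

Run against hashlib.sha256 for the empty message, "abc", and messages of 55, 56 and 64 bytes (the padding boundaries), the outputs agree. If the rotation amounts of $F_0$ (2, 13, 22) and $F_1$ (6, 11, 25) were exchanged, every digest would differ, which is a quick way to check which function belongs to $a$ and which to $e$.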
Variants
The following table lists the variants of SHA:
Hash algorithm    Hash sum size (bits)   Internal state size (bits)   Block size (bytes)
SHA-0             160                    160                          64
SHA-1             160                    160                          64
SHA-224           224                    256                          64
SHA-256           256                    256                          64
SHA-384           384                    512                          128
SHA-512           512                    512                          128
The internal state is the "internal hash sum" after each compression of a data block. SHA implementations also keep some additional variables, such as the length of the data compressed so far, since it is needed for the length padding at the end.
Security
Both early members, SHA-0 and SHA-1, are vulnerable to identified attacks. SHA-2 seems resistant to them at this time, but as SHA-2 is similar in design to SHA-1, work on a new and better hashing standard is under way.
In early 2005, Rijmen and Oswald published an attack on a reduced version of SHA-1 (53 out of 80 rounds) which finds collisions with a complexity of fewer than $2^{80}$ operations.
In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu was announced. The attack finds collisions in the full version of SHA-1, requiring fewer than $2^{69}$ operations (a brute-force birthday search would require about $2^{80}$). The analysis built on the original differential attack on SHA-0, the near-collision attack on SHA-0, the multi-block collision techniques, and the message modification techniques used in the collision search attack on MD5.
On 17 August 2005, an improvement of the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao, lowering the complexity required for finding a collision in SHA-1 to $2^{63}$.
In academic cryptography, any attack with lower computational complexity than the expected effort of brute force is considered a break. This does not, however, necessarily mean that the attack can be practically exploited. It has been speculated that finding a collision for SHA-1 is within reach of a massive distributed Internet search. A practical SHA-1 collision was indeed demonstrated in 2017, and SHA-1 should no longer be used where collision resistance matters.
Applications
SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are the required secure hash algorithms for
use in U.S. Federal applications, including use by other cryptographic algorithms and protocols, for
the protection of sensitive unclassified information. FIPS PUB 180-1 also encouraged adoption and
use of SHA-1 by private and commercial organizations.
A prime motivation for the publication of the Secure Hash Algorithm was the Digital Signature
Standard (DSS), in which it is incorporated.
The most commonly used function in the family, SHA-1, is employed in a large variety of popular security applications and protocols, including TLS, SSL, PGP, SSH, S/MIME and IPsec. SHA-1 is considered to be the successor to MD5, an earlier, widely used hash function.
The SHA hash functions have been used as the basis for the SHACAL block ciphers.
The copy prevention system of Microsoft's Xbox game console relies on the security of SHA-1.
SHA-1 hashing has also been employed by many file sharing applications to link multiple sources for the same file that may not have the same name, as well as to avoid matching non-identical sources that happen to have the same name.
Whirlpool
Whirlpool is a cryptographic hash function based on ideas similar to those used in the AES symmetric cryptosystem, introduced by Vincent Rijmen and Paulo S. L. M. Barreto. Whirlpool operates on messages less than $2^{256}$ bits in length and produces a 512-bit digest. Whirlpool is standardized in ISO/IEC 10118-3:2004; the final version evolved from the predecessors called Whirlpool-0 and Whirlpool-T. The function is named after the Whirlpool galaxy M51 (NGC 5194) in Canes Venatici.
Whirlpool uses Merkle-Damgård strengthening and the Miyaguchi-Preneel hashing scheme with a dedicated 512-bit block cipher called W. The bit string to be hashed is padded with a single one bit, then with a sequence of zero bits, and finally with the original length (in the form of a 256-bit integer), so that the length after padding is a multiple of 512 bits. The resulting message string is divided into a sequence of 512-bit blocks $m_1, m_2, \ldots, m_t$, which is then used to generate a sequence of intermediate hash values $H_0, H_1, H_2, \ldots, H_t$. By definition, $H_0$ is a string of 512 zero bits. To compute $H_i$, W encrypts $m_i$ using $H_{i-1}$ as the key, and XORs the resulting ciphertext with both $H_{i-1}$ and $m_i$, as specified by the Miyaguchi-Preneel scheme: $H_i = W_{H_{i-1}}(m_i) \oplus H_{i-1} \oplus m_i$. The final message digest is $H_t$.
Block cipher
The 512-bit block cipher W is very similar to AES algorithm, Rijndael. The main differences are
summarized in the following table:
                                AES / Rijndael                          W / Whirlpool
Block size (bits)               128, 160, 192, 224, 256                 512
Number of rounds                10-14                                   10
Key schedule                    dedicated a priori algorithm            round function itself
GF(2^8) reduction polynomial    x^8 + x^4 + x^3 + x + 1 (0x11B)         x^8 + x^4 + x^3 + x^2 + 1 (0x11D)
Substitution (S)-box origin     mapping u -> u^-1 over GF(2^8),         recursive structure
                                affine transform
Round constants origin          polynomials x^i over GF(2^8)            successive entries of S-box
Diffusion layer                 left-multiplication by the 4x4          right-multiplication by the 8x8
                                circulant MDS matrix cir(2, 3, 1, 1)    circulant MDS matrix cir(1, 1, 4, 1, 8, 5, 2, 9)
Differences between Whirlpool's W block cipher and AES (Rijndael)
W's S-box, which in the original submission was generated entirely at random (i.e. lacked any
internal structure), was later replaced by a recursive structure: the new 8x8 substitution box is
composed of smaller 4x4 "mini-boxes" (the exponential E-box, its inverse, and the pseudo-randomly
generated R-box).
[Figure: the Miyaguchi-Preneel compression step of Whirlpool: inputs $H_{i-1}$ and $m_i$, block cipher W, output $H_i$]
u        0 1 2 3 4 5 6 7 8 9 A B C D E F
E(u)     1 B 9 C D 6 F 3 E 8 7 4 A 2 5 0
E^-1(u)  F 0 D 7 B E 5 A 9 2 C 1 3 4 8 6
R(u)     7 C B D E 4 9 F 6 3 8 A 2 5 1 0
The mini-boxes of W's S-box
Assume we take as the hash result the value of any n-bit substring of the full Whirlpool output. The
design of Whirlpool sets the following security goals:
The expected workload of generating a collision is of the order of $2^{n/2}$ executions of Whirlpool.
Given an n-bit value, the expected workload of finding a message that hashes to that value is of the
order of $2^n$ executions of Whirlpool.
Given a message and its n-bit hash result, the expected workload of finding a second message that
hashes to the same value is of the order of $2^n$ executions of Whirlpool.
It is infeasible to detect systematic correlations between any linear combination of input bits and
any linear combination of bits of the hash result, or to predict which bits of the hash result will
change value when certain input bits are flipped (this means resistance against linear and
differential attacks).
These claims result from the considerable safety margin taken with respect to all known attacks.
The authors also claim that Whirlpool does not contain any trapdoors deliberately introduced into
the algorithm.
Message Authentication Code (MAC)
In communication situations where there is no requirement to preserve the secrecy of the transmitted
data, but where their integrity and authenticity matter, a Message Authentication Code provides a
means of fulfilling these goals.
Roughly said, a MAC is a cryptographic hash function with a key. Besides the original message, the
message digest also depends on a secret key known only to the communicating parties. The MAC is
transmitted alongside the message. To create a correct MAC, knowledge of the key is required.
Most common are constructions of a MAC from symmetric block ciphers and from cryptographic hash
functions. MACs based on symmetric block ciphers are usually slower.
Elementary constructions from cryptographic hash functions, where the key is concatenated with the
message and the digest is computed from the modified message, have security weaknesses. If the hash
function used is iterated and the key is placed before the message m, then it is possible to compute
the MAC also for an arbitrary message that begins with m without knowledge of the key, as the
subsequent iterations do not depend on the key. If the hash function used is iterated and the key is
appended after the message, then the MACs of two messages that collide under the hash function are
equal.
[Figure: structure of W's S-box, composed of the E, $E^{-1}$ and R mini-boxes]
Following is a list of some of the contemporary methods for obtaining MAC:
CBC-MAC
HMAC
UMAC
Data Authentication Code
Poly1305-AES
CBC-MAC
CBC-MAC is a construction of a MAC from block ciphers. The idea is to use the CBC mode of a
block cipher, where the last block of ciphertext becomes the resulting MAC. To enhance the security
of the scheme, this block is then post-processed.
Let $m = m_1 m_2 \ldots m_t$ be a message divided into blocks whose length corresponds to the block
length of the cipher algorithm used. The computation of the MAC M proceeds as follows:
1. $H_0 = IV$, where IV is an initialization vector
2. $H_i = E_k(H_{i-1} \oplus m_i)$, $i = 1, \ldots, t$
3. $M = E_k(D_{k'}(H_t))$
The construction uses two symmetric keys k and k'. The last block of the message is processed using
triple encryption in the EDE mode. It is necessary to have $k \ne k'$; in practice k' can be derived from
k, e.g. $k' = E_k(k)$, $k' = \bar{k}$ (the negation of k), etc. If the keys are equal, the last step of the
algorithm has no effect and the scheme can be compromised.
HMAC
HMAC is the best known and most used construction of a MAC from a cryptographic hash function.
Its main advantage lies in the fact that if the cryptographic hash function used satisfies certain
assumptions, the resulting construction is provably secure.
The computation of HMAC is given by the following formula:
$\mathrm{HMAC}_k(x) = H\big((k \oplus \mathrm{opad}) \,\|\, H((k \oplus \mathrm{ipad}) \,\|\, x)\big)$,
where k is the key, x is the message, opad and ipad are strings of sufficient length and $\|$ denotes
concatenation. Despite the double use of the cryptographic hash function, the computation of HMAC
has essentially the same complexity as the computation of a message digest, because the outer use of
H computes a digest of a short string.
The HMAC construction is an Internet standard, RFC 2104, and is implemented and employed in
various standards such as IPSec, SSL and TLS. In this standard, the values of opad and ipad for the
MD5 and SHA-1 algorithms are chosen as the byte 0x5C and 0x36, respectively, repeated 64 times.
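The HMAC formula above, implemented directly and cross-checked against Python's standard hmac module (an added example, not code from the book). It assumes RFC 2104 key handling: a key longer than the block size is hashed first, and the key is zero-padded to 64 bytes before the XOR with ipad and opad.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # bytes: input block size of MD5 and SHA-1, hence 64 repetitions of each pad byte


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_k(x) = H((k xor opad) || H((k xor ipad) || x)), as in RFC 2104.

    Key handling follows RFC 2104 (assumption stated in the lead-in): a key longer
    than the block size is hashed first, then any key is zero-padded to the block size.
    """
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    if len(key) > BLOCK_SIZE:
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)   # ipad = byte 0x36 repeated 64 times
    k_opad = bytes(b ^ 0x5C for b in key)   # opad = byte 0x5C repeated 64 times
    inner = h(k_ipad + message)             # the only full-length pass over the message
    return h(k_opad + inner)                # outer hash of a short string only


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC and compare in constant time, so the
    comparison does not leak how many leading bytes of the tag were right."""
    return hmac.compare_digest(hmac_from_formula(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-written formula against the standard library."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(hmac_from_formula(key, message, hash_name), expected)


if __name__ == "__main__":
    # Constructed sample key and message.
    tag = hmac_from_formula(b"secret-key", b"we will meet tomorrow at 5 p.m.")
    print(tag.hex(), verify_tag(b"secret-key", b"we will meet tomorrow at 5 p.m.", tag))
```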
Preserving confidentiality with MAC
[Figure (CBC-MAC, from the previous section): $H_1 = E_k(IV \oplus m_1)$, $H_2 = E_k(H_1 \oplus m_2)$, $H_3 = E_k(H_2 \oplus m_3)$, ...]
An interesting use of a MAC to preserve confidentiality was introduced by Ronald Rivest in 1998.
Encryption does not have to be the only way to preserve confidentiality. Valid information can be
hidden amongst plenty of misleading messages: a valid MAC is computed only for the real
information, while in the other case some random data are used in place of the MAC.
Example
Alice and Bob communicate and share a common secret key k for the MAC. The message sent in step i
is denoted $m_i$ and the MAC of a message x is denoted $H_k(x)$. The original message transfer,
divided into five packets, could for example be arranged like this:
1. A → B: (1, "Hi Bob,", $H_k(1 \| m_1)$)
2. A → B: (2, "we will meet", $H_k(2 \| m_2)$)
3. A → B: (3, "tomorrow at 5 p.m.", $H_k(3 \| m_3)$)
4. A → B: (4, "at the main square,", $H_k(4 \| m_4)$)
5. A → B: (5, "Alice", $H_k(5 \| m_5)$)
Packets are numbered and the MAC is a part of each packet. Adding misleading packets with the
same packet numbers but random values in place of the MAC, the communication could for example
look like this:
1. A → B: (1, "Hi Bob,", $H_k(1 \| m_1)$)
1'. A → B: (1, "Hi Mallory,", ...)
2'. A → B: (2, "concert starts", ...)
2. A → B: (2, "we will meet", $H_k(2 \| m_2)$)
3. A → B: (3, "tomorrow at 5 p.m.", $H_k(3 \| m_3)$)
3'. A → B: (3, "today afternoon", ...)
4. A → B: (4, "at the main square,", $H_k(4 \| m_4)$)
4'. A → B: (4, "at the railway station", ...)
5. A → B: (5, "Alice", $H_k(5 \| m_5)$)
5'. A → B: (5, "Oscar", ...)
Bob is easily able to identify the correct information thanks to his knowledge of the key k, whereas
Eve does not know k and is left with many combinations of the given pieces of information, each of
them meaningful, without any clue which ones are right. In this example, 32 more or less meaningful
messages can be constructed from the packets.
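The packet exchange above as code (an added example, not the book's): Alice computes $H_k(i \| m_i)$ with HMAC-SHA-256, the chaff carries random bytes in place of a MAC, and Bob winnows by recomputing the MAC. The packet texts are the book's; the key and the choice of HMAC-SHA-256 as $H_k$ are assumptions.

```python
import hashlib
import hmac
import os
from itertools import groupby


def H_k(key: bytes, seq: int, payload: bytes) -> bytes:
    """H_k(i || m_i): HMAC-SHA-256 over the packet number and the packet text.
    Including the number binds the tag to the packet's position in the message."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def wheat(key: bytes, texts: list) -> list:
    """Alice's real packets: (i, m_i, H_k(i || m_i)), numbered from 1."""
    return [(i, m, H_k(key, i, m)) for i, m in enumerate(texts, start=1)]


def chaff(decoys: list) -> list:
    """Misleading packets: same numbering, random bytes where the MAC belongs.
    decoys is a list of (i, text) pairs."""
    return [(i, m, os.urandom(32)) for i, m in decoys]


def winnow(key: bytes, stream: list) -> list:
    """Bob's side: keep only packets whose MAC verifies under k, ordered by number."""
    kept = {}
    for i, m, tag in stream:
        if hmac.compare_digest(tag, H_k(key, i, m)):
            kept[i] = m
    return [kept[i] for i in sorted(kept)]


def readings_without_key(stream: list) -> int:
    """Eve's view: without k every packet is equally plausible, so the number of
    candidate messages is the product of the packet counts per sequence number."""
    total = 1
    for _, group in groupby(sorted(stream, key=lambda p: p[0]), key=lambda p: p[0]):
        total *= len(list(group))
    return total


# Constructed key; the packet texts follow the book's example.
KEY = b"shared-secret-between-alice-and-bob"
REAL = [b"Hi Bob,", b"we will meet", b"tomorrow at 5 p.m.", b"at the main square,", b"Alice"]
DECOYS = [(1, b"Hi Mallory,"), (2, b"concert starts"), (3, b"today afternoon"),
          (4, b"at the railway station"), (5, b"Oscar")]


def example_stream() -> list:
    """Interleave wheat and chaff in the book's order: 1, 1', 2', 2, 3, 3', 4, 4', 5, 5'."""
    w, c = wheat(KEY, REAL), chaff(DECOYS)
    return [w[0], c[0], c[1], w[1], w[2], c[2], w[3], c[3], w[4], c[4]]


if __name__ == "__main__":
    print(winnow(KEY, example_stream()))
    print(readings_without_key(example_stream()))
```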
Digital signatures
Electronic signatures
Historically, digital signatures evolved from what is now known as the electronic signature. A century
ago, people used Morse code over the telegraph to accept contracts electronically. In the 1980s, fax
machines began to spread around the globe and companies started to utilize them to transfer
high-priority paper documents. These papers often carried a real physical signature, but only images
of it were electronically transferred to the recipient. Contemporary electronic signatures can be found
in e-mail agreements, personal identification numbers (PINs) at ATMs, signing on a digital pen pad
at the checkout counter or POS, accepting a user agreement through clickwrap when installing
software, signing electronic documents online, etc.
An electronic signature can be defined as an electronic sound, symbol, or process, attached to or
logically associated with a contract or other record and executed or adopted by a person with the
intent to sign the record (US Electronic Signatures in Global and National Commerce Act, 2000).
In common law, the term also denotes several mechanisms for identification of the originator of an
electronic message, such as cable and Telex addresses and fax transmission of handwritten
signatures on a paper document.
Digital signatures are a subset of electronic signatures, usually meaning those electronic signatures
that employ cryptography. Sometimes the term widens its scope to encompass a broader range of
means, such as message authentication codes, file integrity hashes and digital pen pad devices.
A public-key digital signature is an encryption scheme for authenticating users who sign digital
information, through the binding of public keys to users using asymmetric cryptography. Generally,
two methods are provided, one for signing and the other for the verification process. The output of
the signing process is called the digital signature.
A digital signature tries to mimic a real-world signature, while taking into account specific properties
of the electronic world, such as the ease of copying information. Therefore, a digital signature does
not depend only on the identity of the signer (private key), but also on the document being signed
(document digest). Otherwise, it would be extremely easy to append an arbitrary signature to any
document.
Reasons to use digital signatures
The following properties should be provided and assured by the use of digital signatures:
Authenticity
After successful verification, the verifier should be assured that the document was signed by the
provider of the digital signature. Of course, absolute assurance is not feasible, as the cryptosystem
could be broken, but nevertheless the verifier should at least be confident.
Integrity
Both the sender and the receiver of a signed document shall be confident that the message has not
been modified during transmission. Unfortunately, even if encryption makes it impossible for a third
party to read a message, it still does not necessarily mean that it also prevents the third party from
making useful modifications to the original message. For example, the homomorphism attack can be
used against schemes not using cryptographic hash functions to alter a message while preserving a
correct digital signature.
Non-repudiation
Signing user shall not be allowed to repudiate (deny the association with) the message. The
recipient of a message may insist that the sender attach a signature in order to prevent any later
repudiation. Recipient may show the message to a third party to prove its origin. Compromise of
private key brings a threat of repudiation of all digitally signed documents.
Public key digital signatures
Public key digital signature schemes rely on asymmetric cryptography, using private keys for
signing and public key for verification purposes.
A general public key digital signature scheme consists of three parts (algorithms):
Key generation algorithm (similar to asymmetric system)
Signing algorithm (private key encryption)
Verification algorithm (public key decryption)
How does it work?
Alice wants to send Bob a message and be able to prove that it came from her. Alice sends the
message to Bob and attaches a digital signature. This digital signature is generated by applying the
private key owned by Alice to the hash digest of the transmitted document. The signature is then
transmitted in the form of a string of characters (binary data). On reception, Bob can check whether
the message is from Alice by running the verification on the message and its signature. The
verification algorithm uses Alice's public key to obtain the hash digest of the transmitted document.
By computing the hash digest of the message and comparing its value to the digest recovered from
the digital signature, he can decide whether Alice is the originator of the message. If those values
match, Bob can be confident that Alice originated the message. Conversely, if the two values don't
match, either the signature was generated with a wrong private key or the document was changed
during transmission.
[Figure: signing and verification of a document. Signing: compute the hash digest of the document, encrypt the digest with the private key of the sender, and attach it to obtain the digitally signed document. Verification: compute the hash digest of the received document, decrypt the signature with the public key of the sender, and compare the two digests.]
Relation to common law
A legal issue that often arises in the legislative process of e-commerce promotion is the validity of
electronic contracts and other electronic documents. The following section takes a mild look into
some legal aspects of digital signatures relating to their use as a validation mechanism.
Validity of an agreement and status of its binding
The question is whether an agreement is valid and binding if it is made by e-mail or at a web site.
Legislation in many countries often relies on the prerequisite that each contract must be in writing or
must be signed. Another problem: the implementation of e-government breeds problems related to
records or forms required to be filed with the government, as they must be signed or filed in writing.
The problem of how to define these legal terms with regard to the Internet is approached in different
ways.
To a limited extent, these issues can be resolved relatively simply by a minimalistic law providing
that "a signature, contract or other record may not be denied legal effect, validity or enforceability
solely because it is in electronic form."
The United Nations Commission on International Trade Law (UNCITRAL) adopted a minimalistic
model law on electronic commerce in 1996.
Legislation based on the UNCITRAL model has been adopted in several countries including the USA
(US Electronic Signatures in Global and National Commerce Act ["E-SIGN"], Public Law 106-229
[2000]), Australia, France, Hong Kong, Ireland etc.
The European Union has taken a different approach in its Electronic Signatures Directive (1999). The
directive relates to a core area of contract law that is concerned with form requirements (the need for
a written record and the requirement of a signature). The directive provides the grounds to estimate
whether an electronic record that matches the capabilities of a hand-written signature complies with
the signature requirement. It was further complemented by the Electronic Commerce Directive,
which provided the grounds to estimate whether the electronic format complies with the writing
requirement.
There may, however, be a need for exceptions to the general acceptability of electronic documents in
cases of particularly momentous matters, such as wills, divorces or child adoption. Also, the use of
electronic means must be voluntary and mutually acceptable to the parties. For example, by posting
required information only online, businesses could avoid consumer protection responsibilities, which
is not a desired situation.
The minimalist approach does not resolve some very important questions, such as authentication,
integrity and non-repudiation.
These issues can be solved using modern cryptographic methods. In practice, these techniques
require the existence of trusted entities, certification authorities, that can be trusted and that certify
the other, lesser entities using encryption.
A very difficult question is who should be the certifying authority: is the government trustworthy
enough to play that role? Is it better to leave it to the marketplace in the hope that trustworthy private
certificate authorities develop? Should the government license certificate authorities? Should private
industry accredit such authorities, pursuant to standards developed by private industry?
In recent years, it became clear that a government cannot initiate the creation of a certificate
authority system at will; the problems are primarily technological and related to markets rather than
to law.
Digital signature schemes
Elgamal scheme
This scheme is based upon the Elgamal asymmetric cryptosystem. The process is divided into two
parts, initialization and signing, similarly to the original asymmetric cryptosystem.
Initialization
A large prime number p and $g \in \mathbb{Z}_p^*$ are chosen, where g can, but does not need to, be a
generator of the group $(\mathbb{Z}_p^*, \cdot)$. The values of p and g can be shared amongst multiple
users. Further, a random value $x \in_R \{2, 3, \ldots, p-2\}$ is chosen and $y = g^x \bmod p$ is
computed. The public key (y, p, g) then serves for the verification of a signature. The private key is
the value x and is used in the signing process.
Signing
Let m be the document to be signed and H a cryptographic hash function with output in
$\mathbb{Z}_{p-1}$. Then the signing process advances in the following steps:
1. Choose a random $k \in_R \{1, 2, \ldots, p-2\}$ such that $\gcd(k, p-1) = 1$.
2. Compute $r = g^k \bmod p$.
3. Compute s such that the following equation holds: $H(m) = (xr + ks) \bmod (p-1)$.
4. The digital signature of the message m is the pair (r, s).
The value of s can be obtained during signing from the expression
$s = (H(m) - xr) \, k^{-1} \bmod (p-1)$.
This equation shows why it is necessary to choose k in the first step coprime with p − 1: in that case
the inverse of k modulo p − 1 exists.
Verification
Anybody with knowledge of the public key (y, p, g) and the message m can verify the correctness of
the digital signature (r, s). The signature is correct if and only if
$y^r r^s \equiv g^{H(m)} \pmod p, \quad 1 \le r < p$.
Correctness follows from the following expression (the last congruence is a consequence of Fermat's
little theorem):
$y^r r^s \equiv g^{xr} g^{ks} = g^{xr + ks} \equiv g^{H(m)} \pmod p$.
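The Elgamal signing and verification equations above as runnable code (an added example, not the book's own). The toy parameters p = 467, g = 2, x = 127, k = 213 and the use of SHA-256 reduced modulo p − 1 as H are assumptions.

```python
import hashlib
from math import gcd


def H(message: bytes, p: int) -> int:
    """Hash with output in Z_{p-1}: SHA-256 reduced modulo p - 1 (an assumption
    made so that the toy-sized p below can be used)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (p - 1)


def elgamal_keygen(p: int, g: int, x: int):
    """Private key x in {2, ..., p-2}; public key (y, p, g) with y = g^x mod p."""
    assert 2 <= x <= p - 2
    return (pow(g, x, p), p, g), x


def elgamal_sign(p: int, g: int, x: int, message: bytes, k: int):
    """Steps 1-4 of the signing process. gcd(k, p-1) = 1 guarantees that
    k^{-1} mod (p-1) exists. k must also be fresh and secret for every
    signature: two signatures made with the same k give two linear equations
    H(m) = xr + ks mod (p-1) in the unknowns x and k, which reveal the private key."""
    assert 1 <= k <= p - 2 and gcd(k, p - 1) == 1
    r = pow(g, k, p)                                             # r = g^k mod p
    s = ((H(message, p) - x * r) * pow(k, -1, p - 1)) % (p - 1)  # s = (H(m) - xr) k^{-1} mod (p-1)
    return r, s


def elgamal_verify(public_key, message: bytes, signature) -> bool:
    """Accept iff y^r r^s = g^{H(m)} (mod p), with the range check 1 <= r < p
    that is part of the verification condition (and 0 <= s < p-1)."""
    y, p, g = public_key
    r, s = signature
    if not (1 <= r < p and 0 <= s < p - 1):
        return False
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(g, H(message, p), p)


# Constructed toy instance: p = 467 is prime and 2 generates Z_467^*.
P, G, X = 467, 2, 127
PUBLIC, PRIVATE = elgamal_keygen(P, G, X)

if __name__ == "__main__":
    sig = elgamal_sign(P, G, PRIVATE, b"contract text", 213)
    print(sig, elgamal_verify(PUBLIC, b"contract text", sig))
```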
Digital Signature Standard (DSS)
The Digital Signature Standard comprises the RSA scheme, the Digital Signature Algorithm (DSA) and
ECDSA (DSA operating on elliptic curves). It was originally introduced by NIST in 1991 and adopted
in 1993 as FIPS 186, further developed in 1996 as FIPS 186-1 and in 2000 as FIPS 186-2.
RSA scheme
This scheme closely follows the asymmetric cipher RSA. As the signing algorithm, the decryption
function of RSA is used, whereas for verification the RSA encryption function is used. Similarly to
RSA, the user first has to initialize the instance, obtaining a private key d and a public key consisting
of the public exponent e and the value n. Having the original document m and a cryptographic hash
function H with output in $\mathbb{Z}_n$, the user can proceed with signing and verifying the document:
Signing: $s = H(m)^d \bmod n$
Verification: the signature of the document m is correct if and only if $H(m) = s^e \bmod n$.
Correctness
Correctness follows from the fact that the encrypting and decrypting functions are mutually inverse
in the RSA cryptosystem:
$s^e \bmod n = H(m)^{ed} \bmod n = H(m)$
Security weaknesses
Small message digest space
Traditionally, the bit length of the modulus n in RSA (e.g. 1024 bits) is often larger than the bit length
of a hash digest (e.g. 256 bits). This could lead to a weakness related to the fact that the space of
potential texts for RSA is vastly reduced. To avoid potential security problems, before the signing
transformation the value of H(m) should be padded (filled with random bits) up to the size of the
modulus n. During verification, these additional bits are ignored.
RSA homomorphism attack
The RSA scheme can be compromised if the hash function is not used. Direct use of the decrypting (for
signing) and encrypting (for verification) transformation allows the construction of a third correctly
signed document from two other correctly signed documents. This is possible due to the homomorphic
(multiplicative) structure of RSA:
$m_1^d \, m_2^d \bmod n = (m_1 m_2)^d \bmod n$
If $(m_1, m_1^d \bmod n)$ and $(m_2, m_2^d \bmod n)$ are pairs of documents along with their digital
signatures, then a new correctly signed document can be constructed without any knowledge of the
private key:
$(m_1 m_2 \bmod n, \; (m_1 m_2)^d \bmod n)$
Of course, the new document will most probably be preposterous.
Use of a hash function typically solves this problem, as H usually does not have the multiplicative
property of a homomorphism, i.e.
$H(m_1 m_2) \ne H(m_1) \, H(m_2)$.
Random message forgery
Another type of attack is based on the idea that the attacker chooses a random signature
$s \in \mathbb{Z}_n$ and computes $m = s^e \bmod n$. If RSA does not use a cryptographic hash
function, then s is a correct signature of the document m. Otherwise the attack is not possible, due to
the one-way property of cryptographic hash functions.
Digital Signature Algorithm (DSA)
DSA is an Elgamal-type algorithm. The standard specifies the use of SHA-1 as the hash function H.
Initialization
At the beginning, the parameters p, q and g are chosen. They can be shared amongst multiple users.
p: a 1024-bit randomly chosen prime number.
q: a 160-bit prime number such that $q \mid (p-1)$.
g: computed as $g = h^{(p-1)/q}$, where $h \in_R \{2, 3, \ldots, p-2\}$ and $h^{(p-1)/q} > 1$.
At first, the value of q is chosen and an appropriate value of p is then sought. The choice of g
guarantees that g has order q in the group $(\mathbb{Z}_p^*, \cdot)$. According to Fermat's little
theorem, $g^q = h^{\frac{p-1}{q} q} = h^{p-1} \equiv 1 \pmod p$, therefore the order of g satisfies
$\mathrm{ord}(g) \le q$. If $g^k = 1$, then also $g^{2k} = 1$, $g^{3k} = 1$, etc. This implies that
$\mathrm{ord}(g) \mid q$. Because g > 1 and q is a prime number, $\mathrm{ord}(g) = q$. Therefore g
is a generator of the subgroup of order q.
The user chooses a private key $x \in_R \mathbb{Z}_q^*$ and computes the value $y = g^x \bmod p$. The
public key is then the quadruple (y, p, q, g).
Signing
The signing process advances in the following steps:
1. Choose a random $k \in_R \{1, 2, \ldots, q-1\}$.
2. Compute $r = (g^k \bmod p) \bmod q$.
3. Compute $s = k^{-1}(H(m) + xr) \bmod q$.
4. The digital signature of the message m is the pair (r, s).
If r = 0 or s = 0 is obtained during the signing process, then a new k shall be generated.
Verification
Assume that the signed document is m, its digital signature is (r, s) and (y, p, q, g) is the public key
of the signing user. The signature can then be verified.
At first, it is necessary to check whether both r and s belong to $\mathbb{Z}_q^*$. Then these
parameters are computed:
$u = H(m) \, s^{-1} \bmod q, \qquad v = r \, s^{-1} \bmod q$
The digital signature is correct if and only if $(g^u y^v \bmod p) \bmod q = r$.
Correctness
If (r, s) is a digital signature of the document m, the following holds:
$(g^u y^v \bmod p) \bmod q = (g^{H(m) s^{-1}} g^{xr s^{-1}} \bmod p) \bmod q = (g^{s^{-1}(H(m) + xr)} \bmod p) \bmod q = (g^k \bmod p) \bmod q = r$
Example
Initialization
Let us choose q = 7; then a suitable p would be 43, as $q \mid (p-1)$, i.e. $7 \mid 42$. Also let us choose a
random h < p − 1, h = 5. Then $g = h^{(p-1)/q} = 5^6 = 15625$. The private key x will be chosen by the
signing user, e.g. x = 4. Afterwards, $y = g^x \bmod p = 15625^4 \bmod 43 = 16^4 \bmod 43 = 4$. The
public key is then the quadruple (4, 43, 7, 15625).
Signing
Assume that the cryptographic hash digest of a document m is H(m) = 735.
At first, a random k < q is chosen, e.g. k = 2. Then
$r = (g^k \bmod p) \bmod q = (15625^2 \bmod 43) \bmod 7 = (16^2 \bmod 43) \bmod 7 = (256 \bmod 43) \bmod 7 = 41 \bmod 7 = 6$
and
$s = k^{-1}(H(m) + xr) \bmod q = 2^{-1}(735 + 4 \cdot 6) \bmod 7 = 4 \cdot 759 \bmod 7 = 3036 \bmod 7 = 5$.
Therefore, the signature of the document m is the pair (r, s) = (6, 5).
Verification
At first, computing the parameters u and v yields the following values:
$u = H(m) \, s^{-1} \bmod q = 735 \cdot 3 \bmod 7 = 0$
$v = r \, s^{-1} \bmod q = 6 \cdot 3 \bmod 7 = 4$
Then the verification can proceed:
$(g^u y^v \bmod p) \bmod q = (15625^0 \cdot 4^4 \bmod 43) \bmod 7 = (256 \bmod 43) \bmod 7 = 41 \bmod 7 = 6 = r$.
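The worked DSA example above in code that follows the book's initialization, signing and verification steps; this is an added example, not the book's. The values q = 7, p = 43, h = 5, x = 4, H(m) = 735 and k = 2 are the book's, and g is kept unreduced (15625) as the book does.

```python
def dsa_generator(p: int, q: int, h: int) -> int:
    """g = h^((p-1)/q), kept unreduced as in the book (15625 for h = 5).
    g^q = h^(p-1) = 1 (mod p), so g has order q provided g mod p != 1; the
    residue check below enforces that, which is what the order argument needs."""
    assert (p - 1) % q == 0 and 2 <= h <= p - 2
    g = h ** ((p - 1) // q)
    assert g % p > 1
    return g


def dsa_keygen(p: int, q: int, g: int, x: int):
    """Private key x in Z_q^*; public key (y, p, q, g) with y = g^x mod p."""
    assert 1 <= x <= q - 1
    return pow(g, x, p), p, q, g


def dsa_sign(p: int, q: int, g: int, x: int, hm: int, k: int):
    """r = (g^k mod p) mod q and s = k^{-1}(H(m) + x r) mod q.
    Returns None when r = 0 or s = 0; the caller must then pick a new k."""
    assert 1 <= k <= q - 1
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hm + x * r)) % q
    if r == 0 or s == 0:
        return None
    return r, s


def dsa_verify(public_key, hm: int, signature) -> bool:
    """Check r, s in Z_q^*, compute u = H(m) s^{-1} and v = r s^{-1} (mod q),
    and accept iff (g^u y^v mod p) mod q == r."""
    y, p, q, g = public_key
    r, s = signature
    if not (1 <= r <= q - 1 and 1 <= s <= q - 1):
        return False
    w = pow(s, -1, q)
    u = (hm * w) % q
    v = (r * w) % q
    return (pow(g, u, p) * pow(y, v, p) % p) % q == r


# The book's worked instance.
P, Q, HVAL = 43, 7, 5
G = dsa_generator(P, Q, HVAL)        # 15625
PUBLIC = dsa_keygen(P, Q, G, 4)      # (4, 43, 7, 15625)

if __name__ == "__main__":
    sig = dsa_sign(P, Q, G, 4, 735, 2)
    print(G, PUBLIC, sig, dsa_verify(PUBLIC, 735, sig))
```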
Blind signatures
A blind signature disguises (blinds) the content of a message before signing. The resulting signature
can be publicly verified against the original, unblinded message, similarly to the verification of a
digital signature. Blind signatures are employed in privacy-related protocols where the signer and the
message author are different parties, such as electronic election systems, digital cash schemes,
electronic notaries, etc.
A real-world analogy to a blind signature is the physical act of enclosing a message in an envelope
that is then sealed and signed by a signing agent. Thus, the signer does not view the message content,
but a third party can later verify the signature and know that it is valid.
Blind signatures can also be used to provide unlinkability, which prevents the signer from linking
the blinded message it signs to a later un-blinded version that it may be called upon to verify. In this
case, the signer's response is first "un-blinded" prior to verification in such a way that the signature
remains valid for the un-blinded message. This can be useful in anonymous schemes.
RSA blind signature scheme
Let S be the signing party, (e, n) the public key and d the private key of S. Let A denote the party
wishing to obtain a signature of a document m. The signing process can be described in the following
steps:
1. A → S: $r = H(m) \, x^e \bmod n$, where $x \in_R \mathbb{Z}_n^*$
2. S → A: $s = r^d \bmod n$; S signs the message and sends A the signature
3. A computes the digital signature of m from the signature received from S:
$s \, x^{-1} \bmod n = (r^d \bmod n) \, x^{-1} \bmod n = H(m)^d \, x^{ed} \, x^{-1} \bmod n = H(m)^d \bmod n$
Because x is chosen randomly by A in the first step, S is unable to recover the document that A
actually wants signed.
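One added example (not the book's code) covering both the RSA signature scheme with its homomorphism weakness and the RSA blind signature protocol above. The tiny key p = 61, q = 53, e = 17 and SHA-256 reduced modulo n as the hash function with output in $\mathbb{Z}_n$ are assumptions chosen so that the arithmetic stays visible.

```python
import hashlib
from math import gcd

# Constructed textbook-sized key; a real key differs only in size.
P, Q = 61, 53
N = P * Q                            # modulus n = 3233
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent d = 2753


def H(m: int) -> int:
    """Hash function with output in Z_n: SHA-256 of the document, reduced mod n."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(16, "big")).digest(), "big") % N


def rsa_sign(m: int) -> int:
    """Signing: s = H(m)^d mod n."""
    return pow(H(m), D, N)


def rsa_verify(m: int, s: int) -> bool:
    """Verification: the signature is correct iff H(m) = s^e mod n."""
    return H(m) == pow(s, E, N)


def raw_rsa_is_multiplicative(m1: int, m2: int) -> bool:
    """Without a hash, m1^d * m2^d = (m1 m2)^d (mod n): the signatures of two
    documents combine into a signature of their product, which is the weakness
    the book describes for signing documents directly."""
    s1, s2 = pow(m1, D, N), pow(m2, D, N)
    return (s1 * s2) % N == pow((m1 * m2) % N, D, N)


def hashed_product_is_rejected(m1: int, m2: int) -> bool:
    """With H in place the same combination fails: H(m1 m2) is not
    H(m1) H(m2) mod n, so s1 s2 does not verify for the product document."""
    return not rsa_verify((m1 * m2) % N, (rsa_sign(m1) * rsa_sign(m2)) % N)


# RSA blind signature: A obtains S's signature on m without showing S the document.

def blind(m: int, x: int) -> int:
    """Step 1 (A -> S): r = H(m) x^e mod n, with x random in Z_n^*."""
    assert gcd(x, N) == 1
    return (H(m) * pow(x, E, N)) % N


def sign_blinded(r: int) -> int:
    """Step 2 (S -> A): S signs what it sees, s' = r^d mod n."""
    return pow(r, D, N)


def unblind(s_blinded: int, x: int) -> int:
    """Step 3 (A): s' x^{-1} = H(m)^d x^{ed} x^{-1} = H(m)^d mod n."""
    return (s_blinded * pow(x, -1, N)) % N


def blind_signature_matches_direct(m: int, x: int) -> bool:
    """The unblinded signature equals rsa_sign(m) and verifies as usual."""
    s = unblind(sign_blinded(blind(m, x)), x)
    return s == rsa_sign(m) and rsa_verify(m, s)


if __name__ == "__main__":
    # Constructed documents 1234, 11, 21 and blinding factor 1009 (coprime with n).
    print(rsa_verify(1234, rsa_sign(1234)), raw_rsa_is_multiplicative(11, 21),
          hashed_product_is_rejected(11, 21), blind_signature_matches_direct(1234, 1009))
```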
Public key infrastructure (PKI)
Public key cryptography provides a viable solution to security related problems, such as
authentication, integrity, non-repudiation and confidentiality. Implementation of public key
cryptography within a given framework is, however, a very difficult task. The underlying
infrastructure must be well designed and planned to suit all business requirements and to pass all
desired security measures.
A public key infrastructure (PKI) is a foundation on which other applications, system, and network
security components are built. A PKI is an essential component of an overall security strategy that
must work in concert with other security mechanisms, business practices, and risk management
efforts.
Certificates and certification authorities
PKI is essentially an arrangement that provides examination and verification of user identities by a
trusted third party. It also allows the binding of public keys to users, usually utilizing a centralized
authority coordinated with other authorities at distributed locations. The public keys are typically
held in certificates.
Certificates are employed to bind a communication party to their public key. This binding is carried
out by a trusted third-party authority, the certification authority. The certificate of a user U, denoted
C(U), is the tuple $(ID(U), y_U)$ digitally signed by the certification authority (CA). Therefore a
certificate can be of this form:
$C(U) = (ID(U), \; y_U, \; \mathrm{signature}_{CA}(ID(U), y_U))$,
where ID(U) is the identification of the subject and certificate (such as name, address, validity of the
certificate, certification authority identification, etc.) and $y_U$ is the public key of U. It is assumed
that each communication party knows the public key of the certification authority and is capable of
verifying the certificates signed by that authority.
Benefits of public key infrastructure
The increasingly significant presence of Internet and e-commerce technologies provides many
opportunities, but also poses severe security and integrity issues. To enable sustained growth and a
thriving e-commerce, all business parties (customers, vendors, suppliers, regulatory agencies,
stakeholders, etc.) must be assured that trusted business relationships are maintained.
Typical real-world face-to-face transactions do not require additional security precautions, which,
however, became necessary when these transactions started to be initiated electronically. For
example, e-shops are typically unwilling to ship goods or perform services until a payment has been
accepted by their bank. The customer also shall not be allowed to repudiate a valid contract. Both the
seller and the customer should be able to verify each other's identity: for the customer, to be assured
that he is purchasing from a legitimate entity and not from a cracker site designed to collect credit
card numbers; for the seller, this typically means that the bank transaction from the customer
occurred.
Therefore, there must be a mechanism (infrastructure) that ensures trusted relationships are
established and maintained. Various implementations of PKI can then be used to ensure that
confidentiality, authentication, integrity and non-repudiation are provided.
PKI enables the basic security services for various applications:
communication and transportation security in SSL, IPsec, HTTPS
email security in S/MIME and PGP
value exchange in SET
B2B in Identrus
Key benefits offered by PKI to e-commerce are:
reduction of transaction processing expenses
reduction and compartmentalization of risk
enhancements of efficiency and performance of systems and networks
reduction of complexity of security systems with binary symmetrical methods
Additionally, many other solutions rely on the fundamentals of public key cryptography, such as
symmetric key management, voting, anonymous value exchange, transit ticketing, identification
(passports and driver licences), notarization (contracts, mail), software distribution, etc.
PKI is, however, not an authentication, authorization, auditing, privacy or integrity mechanism by
itself; rather it is an enabling infrastructure that supports a variety of business and technical needs.
PKI only allows for the identification of entities. PKI does not confer trust by itself, but depends on
the establishment of a reliable trusted base. Therefore, the basis of trust must be established
elsewhere (on a personal, business, etc. level) before it can be accepted by the PKI.
Trust
The issue of trust often arises when designing a PKI. The complexity of the underlying PKI depends
on the amount of risk the organization is willing to endure during a transaction. If transactions of
high value or with significant legal consequences occur in the organization, then a tight set of tests
should be performed to authenticate the customer or entity. Conversely, if the risk during a
transaction is low, a simple set of tests should suffice. In high-risk scenarios, it can be intended that
part of the entity authentication occurs offline. This implies that the original entity authentication
problem is not solved by PKI; rather, it must be addressed in each unique business environment.
This problem is magnified when an organization moves from local to international environments.
There arises the problem of authenticating documents issued by other governments or foreign
organizations. How does the organization determine whether it should trust the credentials
presented? What mechanisms does it use to make that determination? How did the original
authority, which issued the credentials, determine the identity of the requestor? Is the originating
authority trustworthy? These are fundamental issues the PKI must consider.
Planning a public key infrastructure
Besides the standard set of problems that arise from the confidentiality, authentication, integrity and non-repudiation requirements, the following issues should also be considered when creating business requirements:
- careful planning
- interoperability
- determination of a PKI system and vendor
- performance and capacity
Structure of a public key infrastructure
PKI framework
The framework consists of security and operational policies, security services and interoperability protocols supporting the use of public-key cryptography for the management of keys and certificates. The generation, distribution and management of keys are done using Certification Authorities (CA), Registration Authorities (RA) and directory services. Together they establish a chain of trust. The main purpose of a framework is to support the secured exchange of data, credentials and value (money, etc.) in various insecure environments, such as the Internet.
To provide risk management control, a hierarchy of trust must be established using PKI. In insecure environments such as the Internet, mutually unknown entities do not have sufficient trust to perform business transactions. The implementation of a PKI using a certification authority establishes this trust hierarchy.
Mutually unknown entities individually establish a trust relationship with a CA. The CA performs authentication according to the rules noted in its Certificate Practices Statement (CPS) and then issues each individual a digital certificate. The CA then vouches for the identity of the entities. Unknown entities can then use their certificates to establish trust between them because they trust the CA and have access to the public key of the CA, and thus can verify the certificates of other entities.
This establishment of a trust hierarchy scales well in heterogeneous networks and therefore provides one of the major benefits of PKI.
Trust models
An implementation of PKI requires careful analysis of the mutual trust relationships of the participating entities. This analysis later leads to the establishment of trust, subsequently enforced by the PKI.
Hierarchical model
This is the most typical representation of PKI. Rather than having one single CA, there are multiple CAs with a limited range of functionality or extent. For example, there is one international CA that serves all international entities, several subordinate national CAs that serve entities at the national level, then regional entities etc. The main advantage of this model is its scalability, whereas the main drawback is the higher cost of maintaining such a hierarchy. Compartmentalization of risk can be established, where the compromise of one CA does not affect all issued certificates.
Distributed (Web of trust) model
A distributed web of trust does not incorporate a CA. No trusted third party actually vouches for the identity or integrity of any entity. This trust model does not scale well into the Internet-based e-commerce world because each end entity must alone determine the acceptable level of trust for other entities. This model is used in Pretty Good Privacy (PGP).
Direct (peer-to-peer) model
Direct models are used with symmetric key-based systems. Again, a trusted third party does not exist. Each end entity establishes trust with each other entity directly. The main drawbacks are limited scalability into the Internet e-commerce world and the large number of required operations.
Cross-certification
Instead of using one global CA, cross-certification allows users to choose amongst multiple CAs according to their needs. Cross-certification is basically done in such a way that one CA certifies another CA. A relying entity can then validate the public key certificate of an end entity whose signing CA's public key it is not aware of, by trusting a cross-certificate signed by its own CA.
Cross-certification therefore allows PKI deployments to be both scalable and extensible.
X.509 Public Key Infrastructure Standard
X.509 is an ITU-T (International Telecommunication Union Telecommunication Standardization
Sector) standard for PKI and specifies standard formats for public key certificates and a certification
path validation algorithm. X.509 was introduced in 1998 and was closely associated with the X.500
electronic directory services standard (DAP etc.). It assumed a strict hierarchical system of CAs.
Later, version 3 introduced support to other topologies, such as bridges, meshes and peer-to-peer
web of trust. Nowadays, the term X.509 certificate refers to the IETF's (Internet Engineering Task
Force) PKIX certificate and CRL profile of the X.509 v3 certificate standard, specified in RFC
3280, referred to as PKIX (Public Key Infrastructure X.509).
Certificates
A CA issues a certificate binding a public key to a particular distinguished name in the X.500 tradition or to an alternative name such as an e-mail address or a DNS entry.
Trusted root certificates can be distributed to all employees so that they can use the PKI system. Browsers usually come with some root certificates preinstalled; essentially, the browser vendors determine which CAs are trusted third parties.
X.509 also includes standards for certificate revocation list (CRL) implementations. The Online Certificate Status Protocol (OCSP) is approved by the IETF for checking a certificate's validity.
The structure of a certificate includes information such as version, serial number, algorithm ID, issuer, validity (not before, not after), subject, subject public key info (algorithm, public key), issuer unique identifier, subject unique identifier, extensions, certificate signature algorithm and certificate signature.
Certificates can be recognized by the extensions of their filenames; commonly used extensions are .cer, .der, .pem, .p7b, .p7c, .pfx and .p12.
If certificates use the MD5 hash function, it is possible to obtain two X.509 certificates that contain identical signatures and differ only in the public keys, as clearly demonstrated by Lenstra, Wang and de Weger in 2005.
There are many protocols and standards that support X.509, such as TLS/SSL, S/MIME, IPSec, SSH, Smartcard, HTTPS, EAP, LDAP, Trusted Computing Group TNC TMP NGSCB, etc.
Why does X.509 do otherwise straightforward things in such a weird way?
"[The] standards have been written by little green monsters from outer space in order to confuse normal human beings and prepare them for the big invasion." (comp.std.internat)
Cryptographic protocols
To successfully initiate a communication, the communicating parties have to execute a sequence of steps to agree upon the communication details. These steps are denoted as a cryptographic protocol, and have to serve the communication goals of the participants and satisfy their security needs. Goals of cryptographic protocols vary: they can be constructed to provide key management, authentication, electronic cash, electronic elections etc. Protocols use and create a framework for the use of basic cryptographic primitives, such as encryption, cryptographic hash functions, digital signatures and secret sharing schemes.
The most important part of cryptographic protocols is concerned with key management.
Attacks on cryptographic protocols
Basically, attacks can be divided into two groups, active and passive. Passive attacks consist only of eavesdropping, whereas active attacks give the freedom to modify the protocol run in any possible way. We assume that the attacker is a legitimate participant of the communication.
In short, there are three main types of attacks:
- Replay attack: older messages are exploited in the current run of the protocol by repeating them. To counter these attacks, additional cryptographic primitives such as nonces and timestamps are used.
- Man in the middle: the attacker acts as an invisible participant of the communication. To counter this threat, digital signatures, MACs or similar mechanisms shall be applied.
- Utilization of weaknesses of the cryptographic primitives used: this includes all security-related problems concerning encryption, hashing, signing etc.
Notation
Usually, final forms of protocols employ participants such as Alice, Bob, Dave, trusted third party
Trent and their analysis employ attackers such as Eve, Mallory and Oscar.
Protocols will be described in steps; the notation 3. A → B : M means that in the third step Alice sends Bob a message M. On the other hand, 1. A → M(B) : S means that in the first step of the protocol Alice sends the message S to Bob but this message is intercepted by Mallory disguised as Bob. Similarly, 1. M(B) → A : S means that Mallory acting as Bob sends message S to Alice.
Notation {M}_{K_AB} means that message M is encrypted using a symmetric cipher that employs a key K_AB shared by both Alice and Bob. Conversely, notation {M}_{K_A} means that message M is encrypted by the asymmetric cipher using the public key K_A of Alice. Finally, notation {M}_{K_A^{-1}} means that message M is digitally signed by the private key K_A^{-1} of Alice.
[Figure: the protocol participants Alice, Bob, Dave, Eve, Trent, Oscar and Mallory]
Diffie-Hellman key-exchange protocol
This protocol was demonstrated in the asymmetric cryptography chapter; nevertheless, it is vital to mention it in this chapter as well.
Goal: To achieve an agreement between two users about their communication key (key exchange).
Protocol:
1. A → B : X = g^x mod p, x ∈_R Z_p^* (x is chosen by Alice randomly; A sends X to B)
2. B → A : Y = g^y mod p, y ∈_R Z_p^*
3. A computes K = Y^x mod p
4. B computes K = X^y mod p
It can be shown easily that both Alice and Bob compute the same key:
Y^x mod p = g^{xy} mod p = X^y mod p
Man in the Middle attack
As a reminder, the DH protocol is prone to an attack in which an active attacker M (Mallory) sits in the communication channel between Alice and Bob. The attack advances as follows:
1. A → M(B) : X = g^x mod p
2. M(A) → B : U = g^u mod p
3. B → M(A) : Y = g^y mod p
4. M(B) → A : V = g^v mod p
5. A computes K_1 = V^x mod p
6. B computes K_2 = U^y mod p
Notation A → M(B) means that Alice sends a message to Bob, but it is intercepted by Mallory. Notation M(A) → B means that Mallory sends a message to Bob in the name of Alice.
The important fact for Mallory is that neither Alice nor Bob can detect her presence in the protocol, and she is able to compute both keys K_1 and K_2:
K_1 = X^v mod p = g^{xv} mod p
K_2 = Y^u mod p = g^{yu} mod p
[Figure: Mallory sitting between Alice and Bob, sharing K_1 with Alice and K_2 with Bob]
Modified Diffie-Hellman key-exchange protocol using certification authorities
One of the possibilities of preventing a man-in-the-middle attack lies in the use of certification authorities. To recap, certificates have the following form:
C(U) = [ID(U), y_U, signature_CA(ID(U), y_U)],
where ID(U) is an identification of the subject and certificate (such as name, address, validity of the certificate, certification authority identification, etc.) and y_U is the public key of U.
Using certificates, it is possible to modify the DH protocol to be resistant to a man-in-the-middle attack. Assume that each participant U has its public key y_U = g^{x_U} mod p, x_U ∈ Z_p^*. DH can then advance by a simple exchange and verification of certificates and subsequent computation of a key K.
Protocol:
1. A → B : C(A) = [ID(A), y_A, signature_CA(ID(A), y_A)], y_A = g^{x_A} mod p, x_A ∈ Z_p^*
2. B → A : C(B) = [ID(B), y_B, signature_CA(ID(B), y_B)], y_B = g^{x_B} mod p, x_B ∈ Z_p^*
3. A computes K = y_B^{x_A} = g^{x_A x_B} mod p
4. B computes K = y_A^{x_B} = g^{x_A x_B} mod p
The man in the middle is not able to construct correct certificates for her fictional public keys that would bind them to the identities of the participants. The major drawback of this modification lies in the fact that the key K is always the same for a given pair of participants (until one of their certificates changes).
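The man-in-the-middle run above and the certificate-based modification, played through in Python as an added example (not code from the book): plain DH leaves Mallory holding both K_1 and K_2, while a forged certificate fails the CA check. The CA signature is modelled by an HMAC under a key only the CA holds, and the toy prime p = 2^127 - 1 with g = 2 is a constructed parameter, not a recommended group.

```python
"""Added example (not from the book): Diffie-Hellman with a man in the middle,
and the certificate-based variant that stops her. Toy parameters only."""
import hashlib
import hmac
import secrets

# Constructed toy group: p is the Mersenne prime 2^127 - 1, g = 2.
# Real deployments use standardised groups of 2048 bits or more.
P = 2 ** 127 - 1
G = 2


def dh_public(secret):
    """X = g^x mod p."""
    return pow(G, secret, P)


def dh_shared(their_public, my_secret):
    """K = Y^x mod p."""
    return pow(their_public, my_secret, P)


def plain_dh_with_mitm(x, y, u, v):
    """Unauthenticated run with Mallory substituting her own values U and V.
    Returns (K_alice, K_bob, K1_mallory, K2_mallory)."""
    X = dh_public(x)              # 1. A -> M(B) : X = g^x mod p
    U = dh_public(u)              # 2. M(A) -> B : U = g^u mod p
    Y = dh_public(y)              # 3. B -> M(A) : Y = g^y mod p
    V = dh_public(v)              # 4. M(B) -> A : V = g^v mod p
    k_alice = dh_shared(V, x)     # 5. K1 = V^x mod p
    k_bob = dh_shared(U, y)       # 6. K2 = U^y mod p
    k1_mallory = dh_shared(X, v)  # X^v = g^{xv} mod p, equals K1
    k2_mallory = dh_shared(Y, u)  # Y^u = g^{yu} mod p, equals K2
    return k_alice, k_bob, k1_mallory, k2_mallory


class ToyCA:
    """Stand-in for the certification authority (hypothetical). A real CA
    signs with its private key; here signature_CA(ID(U), y_U) is modelled
    by an HMAC under a key only the CA holds, so nobody else can produce a
    valid tag for a (ID, y) pair."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def _tag(self, ident, y):
        return hmac.new(self._key, f"{ident}|{y}".encode(), hashlib.sha256).digest()

    def issue(self, ident, y):
        """C(U) = [ID(U), y_U, signature_CA(ID(U), y_U)]."""
        return (ident, y, self._tag(ident, y))

    def verify(self, cert, expected_ident):
        ident, y, tag = cert
        return ident == expected_ident and hmac.compare_digest(tag, self._tag(ident, y))


def certified_dh(ca, cert_a, cert_b, x_a, x_b):
    """Steps 1-4 of the modified protocol: each side verifies the peer's
    certificate and derives K from the certified long-term public keys.
    Returns (K_alice, K_bob), or None if a certificate is rejected."""
    if not ca.verify(cert_b, "B"):      # Alice checks C(B)
        return None
    if not ca.verify(cert_a, "A"):      # Bob checks C(A)
        return None
    k_alice = pow(cert_b[1], x_a, P)    # y_B^{x_A} = g^{x_A x_B} mod p
    k_bob = pow(cert_a[1], x_b, P)      # y_A^{x_B} = g^{x_A x_B} mod p
    return k_alice, k_bob


def demo():
    """Runs both scenarios with random exponents; returns True on success."""
    x, y, u, v = (secrets.randbelow(P - 2) + 1 for _ in range(4))
    k_a, k_b, k1, k2 = plain_dh_with_mitm(x, y, u, v)
    assert k_a == k1 and k_b == k2       # Mallory holds both session keys

    ca = ToyCA()
    x_a, x_b, x_m = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    cert_a = ca.issue("A", dh_public(x_a))
    cert_b = ca.issue("B", dh_public(x_b))
    honest = certified_dh(ca, cert_a, cert_b, x_a, x_b)
    assert honest[0] == honest[1]        # same K on both sides
    # Mallory swaps Bob's key for her own but cannot re-sign the certificate.
    forged = ("B", dh_public(x_m), cert_b[2])
    assert certified_dh(ca, cert_a, forged, x_a, x_b) is None
    return True


if __name__ == "__main__":
    print("ok" if demo() else "failed")
```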
Station to Station protocol
This protocol solves the problem of the modified DH protocol: participants are able to obtain a different key K in each instance of the protocol.
Protocol:
1. A → B : X = g^x mod p, x ∈_R Z_p^*
2. B → A : [Y, E_K(signature_B(X, Y)), C(B)], Y = g^y mod p, y ∈_R Z_p^*, K = X^y mod p
3. A computes K = Y^x mod p, A deciphers signature_B(X, Y), A verifies certificate C(B), A extracts public key y_B from C(B) and verifies signature_B(X, Y). If successful, key K is safe.
4. A → B : [E_K(signature_A(X, Y)), C(A)]
5. B verifies C(A), deciphers and verifies signature_A(X, Y)
The man in the middle falls short as she is not able to forge digital signatures.
Interlock protocol
Goal: Detection of the man in the middle attack
To detect a man in the middle, the special Interlock protocol was developed. Assume that participants Alice and Bob encipher their communication using a key K agreed upon using the DH protocol. This means that an attacker could deliver fictional keys K_1 to Alice and K_2 to Bob. As the attacker is not able to guarantee the equality of the keys K_1 and K_2, unless she is capable of solving the Diffie-Hellman problem (which has complexity equivalent to breaking the Elgamal cryptosystem), the Interlock protocol focuses on this characteristic. Assume that Alice and Bob have prepared messages m_A and m_B.
Protocol:
1. A → B : c_A1, where c_A = E_K(m_A), c_A = c_A1 || c_A2 (c_A is partitioned into two halves, E_K is an encryption function with a key K)
2. B → A : c_B1, where c_B = E_K(m_B), c_B = c_B1 || c_B2
3. A → B : c_A2
4. B → A : c_B2; B is now able to obtain c_A and decipher message m_A
5. A is now able to obtain c_B and decipher message m_B
The man in the middle is forced to choose her own messages m'_A or m'_B, as the first half is useless without the second half. Moreover, as K_1 ≠ K_2, it is not possible to send unchanged parts of the messages: after deciphering with a different key K, they turn into meaningless messages.
Unfortunately, even the Interlock protocol has its weakness. The attacker needs to deceive only one participant; she can at first run the whole communication with Alice with an imaginary message m'_B, obtaining the message m_A, and then repeat the whole process with Bob. The importance of the Interlock protocol lies in the fact that the attacker is forced to actively interfere with the communication, increasing the chance of her being uncovered.
The Interlock protocol can be helpful in the case of hybrid encryption over an insecure channel, when two parties at first exchange their public keys, then exchange a symmetric key and use a symmetric cryptosystem for further communication. An attacker is able to intercept the asymmetric key exchange and substitute her own public key for the exchanged public keys, gaining access to the communication. The Interlock protocol prevents this from happening.
Otway-Rees protocol
Goal: Distribution of a key K_AB between participants Alice and Bob with authentication of Alice, using the trusted third party Trent.
The communication key K_AB is generated by the trusted third party Trent; authentication of Bob is completed after the first use of the key K_AB. Alice and Bob share the keys K_AT and K_BT respectively with Trent for their own communication. To ensure freshness of the transferred messages, nonces N_A and N_B are generated by Alice and Bob. The protocol uses a random identifier M to prevent replay attacks that use messages from older instances of the communication. This identifier is chosen by Alice.
Protocol:
1. A → B : M, A, B, {N_A, M, A, B}_{K_AT}
2. B → T : M, A, B, {N_A, M, A, B}_{K_AT}, {N_B, M, A, B}_{K_BT}
3. T → B : M, {N_A, K_AB}_{K_AT}, {N_B, K_AB}_{K_BT}
4. B → A : M, {N_A, K_AB}_{K_AT}
Assume that Trent in the second step does not verify that the identities match in both the plaintext and the ciphertexts, but checks only within the ciphertexts. Then Oscar can advance as follows:
Replay attack:
1. A → B : M, A, B, {N_A, M, A, B}_{K_AT}
2. B → O(T) : M, A, B, {N_A, M, A, B}_{K_AT}, {N_B, M, A, B}_{K_BT}
   O → T : M, A, O, {N_A, M, A, B}_{K_AT}, {N_O, M, A, O}_{K_OT}
3. T → O : M, {N_A, K_AB}_{K_AT}, {N_O, K_AB}_{K_OT}
4. O(B) → A : M, {N_A, K_AB}_{K_AT}
After intercepting the message in the second step, the attacker sends Trent his own message, acting as a regular communication participant. The response then allows Oscar to obtain the key K_AB alongside the message he needs to send to Alice acting as Bob.
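Trent's check in step 2, as an added example not taken from the book: a simulated Trent that compares only the run identifier M (the flawed behaviour described above) hands Oscar a K_AB he can read, while one that also compares the identities inside both ciphertexts with the plaintext identities rejects his request. Encryption under K_AT, K_BT and K_OT is simulated by tagged tuples that open only with the named key; the nonces and M are constructed values.

```python
"""Added example (not from the book): Trent's identity check in Otway-Rees.
Symmetric encryption is simulated: a box opens only with the named key."""


def sym_encrypt(key_name, payload):
    """{payload}_{key_name}."""
    return ("sym", key_name, payload)


def sym_decrypt(key_name, box):
    kind, used_key, payload = box
    if kind != "sym" or used_key != key_name:
        raise PermissionError(f"box is encrypted under {used_key}, not {key_name}")
    return payload


def alice_step1(m, n_a):
    """1. A -> B : M, A, B, {N_A, M, A, B}_{K_AT}"""
    return (m, "A", "B", sym_encrypt("K_AT", (n_a, m, "A", "B")))


def bob_step2(msg1, n_b):
    """2. B -> T : M, A, B, {N_A, M, A, B}_{K_AT}, {N_B, M, A, B}_{K_BT}"""
    m, a, b, blob_a = msg1
    return (m, a, b, blob_a, sym_encrypt("K_BT", (n_b, m, a, b)))


def oscar_step2(msg2, n_o=999):
    """Oscar intercepts step 2 and replaces Bob's half with his own, naming
    himself as Alice's peer both in the plaintext and in his ciphertext:
    O -> T : M, A, O, {N_A, M, A, B}_{K_AT}, {N_O, M, A, O}_{K_OT}"""
    m, a, _b, blob_a, _blob_b = msg2
    return (m, a, "O", blob_a, sym_encrypt("K_OT", (n_o, m, a, "O")))


def trent_step3(msg2, strict, k_ab="K_AB"):
    """Returns the step-3 message, or None if Trent rejects the request.
    strict=False is the flawed Trent from the text: he only checks that the
    run identifier M agrees inside both ciphertexts. strict=True also
    requires the identities inside both ciphertexts to equal the plaintext
    identities, which is what catches Oscar's substitution."""
    m, a, b, blob_a, blob_b = msg2
    n_a, m_a, a1, b1 = sym_decrypt(f"K_{a}T", blob_a)
    n_b, m_b, a2, b2 = sym_decrypt(f"K_{b}T", blob_b)
    if not (m == m_a == m_b):
        return None
    if strict and not ((a1, b1) == (a, b) == (a2, b2)):
        return None
    # 3. T -> B : M, {N_A, K_AB}_{K_AT}, {N_B, K_AB}_{K_BT}
    return (m,
            sym_encrypt(f"K_{a}T", (n_a, k_ab)),
            sym_encrypt(f"K_{b}T", (n_b, k_ab)))


def attack_succeeds(strict):
    """True if Oscar obtains K_AB plus a step-4 message Alice will accept."""
    honest = bob_step2(alice_step1(m=42, n_a=7), n_b=8)   # constructed run
    reply = trent_step3(oscar_step2(honest), strict)
    if reply is None:
        return False
    m, for_alice, for_oscar = reply
    _n_o, k_ab = sym_decrypt("K_OT", for_oscar)      # Oscar learns K_AB
    # 4. O(B) -> A : M, {N_A, K_AB}_{K_AT}; Alice checks only M and N_A
    n_a, k_alice = sym_decrypt("K_AT", for_alice)
    return m == 42 and n_a == 7 and k_alice == k_ab


if __name__ == "__main__":
    print("flawed Trent, attack works:", attack_succeeds(strict=False))
    print("strict Trent, attack works:", attack_succeeds(strict=True))
```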
Needham-Schroeder protocol
Goal: Mutual authentication of Alice and Bob using the trusted third party Trent, alongside distribution of a key K_AB.
Assume that both Alice and Bob share a communication key with Trent, K_AT and K_BT respectively. The key K_AB is provided by Trent. Alice and Bob use nonces N_A and N_B, generated by them as sufficiently long strings of bits.
Protocol:
1. A → T : A, B, N_A
2. T → A : {N_A, B, K_AB, {K_AB, A}_{K_BT}}_{K_AT}
3. A → B : {K_AB, A}_{K_BT}
4. B → A : {N_B}_{K_AB}
5. A → B : {N_B - 1}_{K_AB}
The weakness of the Needham-Schroeder protocol lies in the insufficient assurance of freshness of the message sent in the third step. Assume that Mallory eavesdrops on the communication between Alice and Bob. Assume that later the key K_AB is compromised: either it is revealed by Alice or Bob, or it is obtained by cryptanalysis. Mallory is then able to force Bob to use the old key again, acting in the name of Alice by replaying a message from the old instance of the protocol.
Attack:
3'. M(A) → B : {K_AB, A}_{K_BT}
4'. B → M(A) : {N_B'}_{K_AB}
5'. M(A) → B : {N_B' - 1}_{K_AB}
The problem is that from Bob's point of view, the message in the third step carried no guarantee of its freshness. One possible workaround can be summarized in the following steps:
Attack-resistant protocol:
1. A → B : A, B, N_A
2. B → T : A, B, N_A, N_B
3. T → A : {N_A, B, K_AB, {N_B, A, K_AB}_{K_BT}}_{K_AT}
4. A → B : {N_B, A, K_AB}_{K_BT}
Bob sends his nonce to Trent at the beginning of the protocol. Trent then incorporates this nonce into the message to Alice, who in turn passes {N_B, A, K_AB}_{K_BT} to Bob, assuring that the message is now fresh.
Needham-Schroeder public-key protocol
Goal: Mutual authentication of participants with key agreement for secure communication.
This protocol does not rely on a trusted third party; however, it assumes that the participants know each other's public keys K_A and K_B. The protocol expects nonces N_A and N_B to be provided by the participants.
Protocol:
1. A → B : {N_A, A}_{K_B}
2. B → A : {N_A, N_B}_{K_A}
3. A → B : {N_B}_{K_B}
Oracle replay attack:
Despite the simplicity of the protocol, it took 17 years to find an effective attack. Mallory utilizes the fact that Alice initiates a communication with her, and immediately begins to communicate with Bob in parallel:
1. A → M : {N_A, A}_{K_M}
1'. M(A) → B : {N_A, A}_{K_B}
2. B → M(A) : {N_A, N_B}_{K_A}
2'. M → A : {N_A, N_B}_{K_A}
3. A → M : {N_B}_{K_M}
3'. M(A) → B : {N_B}_{K_B}
Both instances of the protocol are successfully completed, where Mallory used Alice as an oracle to initiate and perform the steps of the protocol with Bob. At the end, Bob is convinced he communicates with Alice, whereas Mallory has both nonces N_A and N_B at her disposal and therefore can construct the key for further communication.
Prevention can be achieved by breaking the symmetry, for example this way:
Protocol:
1. A → B : {N_A, A}_{K_B}
2. B → A : {N_A, N_B, B}_{K_A}
3. A → B : {N_B}_{K_B}
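The oracle replay and the symmetry-breaking fix, simulated in Python as an added example that is not part of the book: with the original message 2, Bob completes a run he believes is with Alice and Mallory learns N_B; with B's identity in message 2, Alice notices the responder is not the M she started talking to and aborts. Public-key encryption is modelled by tagged tuples that only the addressee can open, and the nonces are constructed values.

```python
"""Added example (not from the book): Lowe's oracle replay attack on the
Needham-Schroeder public-key protocol and the fix that names the responder.
Public-key encryption is simulated: a box can only be opened by its addressee."""


def pk_encrypt(recipient, payload):
    """{payload}_{K_recipient}: only `recipient` can open the box."""
    return ("pk", recipient, payload)


def pk_decrypt(me, box):
    kind, recipient, payload = box
    if kind != "pk" or recipient != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {recipient}")
    return payload


def run_with_mallory(fixed, n_a=111, n_b=222):
    """Alice starts a session with Mallory; Mallory replays into a parallel
    session with Bob. With fixed=True message 2 is {N_A, N_B, B}_{K_A}.
    Returns (bob_accepted_as_alice, alice_aborted, mallory_knows_n_b)."""
    # 1. A -> M : {N_A, A}_{K_M}
    msg1 = pk_encrypt("M", (n_a, "A"))
    na_seen, _ = pk_decrypt("M", msg1)
    # 1'. M(A) -> B : {N_A, A}_{K_B}   (Mallory re-encrypts for Bob)
    msg1p = pk_encrypt("B", (na_seen, "A"))
    na_at_bob, claimed = pk_decrypt("B", msg1p)
    # 2. B -> M(A) : {N_A, N_B}_{K_A}   or, fixed, {N_A, N_B, B}_{K_A}
    body = (na_at_bob, n_b, "B") if fixed else (na_at_bob, n_b)
    msg2 = pk_encrypt(claimed, body)
    # 2'. M -> A : Mallory cannot open msg2, so she forwards it unchanged.
    alice_view = pk_decrypt("A", msg2)
    if alice_view[0] != n_a:
        return False, True, False
    if fixed and alice_view[2] != "M":      # Alice is talking to M, not B
        return False, True, False
    # 3. A -> M : {N_B}_{K_M}
    nb_known = pk_decrypt("M", pk_encrypt("M", alice_view[1]))
    # 3'. M(A) -> B : {N_B}_{K_B}
    bob_accepted = pk_decrypt("B", pk_encrypt("B", nb_known)) == n_b
    return bob_accepted, False, nb_known == n_b


def run_honest(fixed, n_a=111, n_b=222):
    """Alice and Bob alone; True if both complete (the fix must not break it)."""
    na_at_bob, claimed = pk_decrypt("B", pk_encrypt("B", (n_a, "A")))
    body = (na_at_bob, n_b, "B") if fixed else (na_at_bob, n_b)
    view = pk_decrypt("A", pk_encrypt(claimed, body))
    if view[0] != n_a or (fixed and view[2] != "B"):
        return False
    return pk_decrypt("B", pk_encrypt("B", view[1])) == n_b


if __name__ == "__main__":
    print("original protocol under attack:", run_with_mallory(fixed=False))
    print("fixed protocol under attack:   ", run_with_mallory(fixed=True))
```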
Yahalom protocol
Goal: Mutual authentication of participants and distribution of a key for secure communication provided by Trent.
The protocol assumes that both Alice and Bob provide nonces N_A and N_B and share communication keys with Trent, K_AT and K_BT.
Protocol:
1. A → B : A, N_A
2. B → T : B, {A, N_A, N_B}_{K_BT}
3. T → A : {B, K_AB, N_A, N_B}_{K_AT}, {A, K_AB}_{K_BT}
4. A → B : {A, K_AB}_{K_BT}, {N_B}_{K_AB}
At the beginning, Alice wants to communicate with Bob. She sends him her identifier alongside a nonce. Bob prepares a request for a key for Trent. Bob adds his own nonce to the message from Alice and encrypts it using the shared key between him and Trent. The trusted party Trent deciphers the message and prepares a response to Alice. This message consists of two parts, one intended for Alice, the other for Bob. Both parts contain K_AB for further communication. The message to Alice also contains her nonce, to convince Alice about the origin and freshness of the communication (only Alice and Trent know the key K_AT). Alice deciphers her part, extracts the nonce from Bob and sends Bob his part of the message alongside his nonce encrypted using their new shared key K_AB. Bob deciphers the first part of the message and verifies the identifier of Alice. He uses the obtained key K_AB to decrypt the second part of the message to obtain his nonce. Because the nonce N_B is sent exclusively in encrypted form, it is known only to Alice, Bob and Trent. Its presence in the fourth step of the protocol shows that Alice believes in the freshness of the key K_AB. That, alongside the fact that the first part of the message is from Trent, convinces Bob that K_AB is a suitable key for the subsequent communication with Alice.
Alice is convinced about the identity of Bob via Trent after the third step of the protocol. Bob is convinced about the identity of Alice after a successful fourth step.
Some alterations of the Yahalom protocol are prone to attacks.
Denning-Sacco protocol
Goal: Authentication of Alice using certificates provided by the trusted third party Trent, and distribution of a key K_AB for further secure communication.
Let C_A and C_B be the certificates of the public keys of Alice and Bob respectively (in fact, these are just public keys signed by Trent). Alice generates a key K and a timestamp T_A. Notation {{K, T_A}_{K_A^{-1}}}_{K_B} means that the message K, T_A is digitally signed by Alice and subsequently encrypted for Bob using his public key.
Protocol:
1. A → T : A, B
2. T → A : C_A, C_B
3. A → B : C_A, C_B, {{K, T_A}_{K_A^{-1}}}_{K_B}
Attack:
Mallory can exploit the situation when Alice wants to communicate with her to obtain a disguise for communication with Bob. It took 12 years to find this attack.
1. A → T : A, M
2. T → A : C_A, C_M
3. A → M : C_A, C_M, {{K, T_A}_{K_A^{-1}}}_{K_M}
3'. M(A) → B : C_A, C_B, {{K, T_A}_{K_A^{-1}}}_{K_B}
After receiving the message in the third step of the protocol, Mallory deciphers the message, obtains the key K, and verifies the timestamp and the digital signature of Alice. She then encrypts the signed key along with the timestamp using the public key of Bob and immediately sends it as the third step of the protocol. As the timestamp T_A is still fresh, Bob does not suspect he is being manipulated and accepts the message, the authentication of Alice and the key K. The attacker obtains the certificate C_A from Trent.
To avoid this type of attack, it is sufficient to add the identifiers of the participants into the signed message in the third step of the protocol:
3. A → B : C_A, C_B, {{A, B, K, T_A}_{K_A^{-1}}}_{K_B}
Wide Mouth Frog protocol
Goal: Distribution of a key K_AB between participants Bob and Alice using the trusted third party Trent, and authentication of Alice.
The protocol uses timestamps T_A (Alice's) and T_T (Trent's) to ensure the freshness of transmitted messages. Encryption of the communication is achieved using the keys K_AT and K_BT.
Protocol:
1. A → T : A, {T_A, B, K_AB}_{K_AT}
2. T → B : {T_T, A, K_AB}_{K_BT}
Replay attack:
Assume that Alice begins the protocol with the intention to communicate securely with Bob. Mallory intercepts the message to Bob in the second step and passes it on to Bob:
1. A → T : A, {T_A, B, K_AB}_{K_AT}
2. T → M(B) : {T_T, A, K_AB}_{K_BT}
   M(T) → B : {T_T, A, K_AB}_{K_BT}
The intercepted message has the same structure as the message in the first step; therefore it can be used to initialize a fake instance of the protocol:
1'. M(B) → T : B, {T_T, A, K_AB}_{K_BT}
2'. T → M(A) : {T_T', B, K_AB}_{K_AT}
The received message again has a suitable structure; therefore it can be used for a new instance:
1''. M(A) → T : A, {T_T', B, K_AB}_{K_AT}
2''. T → M(B) : {T_T^{(2)}, A, K_AB}_{K_BT}
Utilizing this process, Mallory keeps the timestamps always refreshed and meanwhile works on the compromise of the key K_AB. After obtaining the key K_AB, Mallory uses the last intercepted message to instantiate a new protocol run and forces Bob to use K_AB as a suitable key for communication.
1^{(k)}. M(A) → T : A, {T_T^{(k-1)}, B, K_AB}_{K_AT}
2^{(k)}. T → B : {T_T^{(k)}, A, K_AB}_{K_BT}
Prevention of this attack breaks the symmetry, as demonstrated in the following modification.
Modified Wide Mouth Frog protocol
Goal: Distribution of a key K_AB between participants Bob and Alice using the trusted third party Trent, and authentication of Alice.
Protocol:
1. A → T : A, {T_A, B, K_AB}_{K_AT}
2. T → B : {T_T, A, B, K_AB}_{K_BT}
3. B → A : {T_B, A, B}_{K_AB} (optional)
Bob is convinced about the identity of Alice via Trent because, firstly, Trent verified the correctness and freshness of the message in the first step (otherwise he would not advance to the next step) and, secondly, the key K_BT is known only to Trent and Bob and the message from Trent is fresh.
Alice is convinced about the identity of Bob after she receives a message encrypted using the key K_AB.
Kerberos protocol
Goal: Authenticate participants of the communication using a trusted third party in a network (client-server) environment.
The Kerberos name originates in Greek mythology, where Cerberus is the monstrous three-headed dog guarding Hades. Kerberos prevents eavesdropping and replay attacks and ensures the integrity of the data. It utilizes symmetric cryptography and a trusted third party. It was introduced by MIT and is now in its fifth incarnation, Kerberos V, RFC 4120 (2005). There are various implementations, such as KTH-KRB and Heimdal.
Microsoft has used Kerberos as its default authentication protocol since the introduction of Windows 2000.
The protocol is based on the Needham-Schroeder protocol.
Protocol:
1. A → T : A, B
2. T → A : {T_T, L, K_AB, B, {T_T, L, K_AB, A}_{K_BS}}_{K_AS}
3. A → B : {T_T, L, K_AB, A}_{K_BS}, {A, T_A}_{K_AB}
4. B → A : {T_A + 1}_{K_AB}
L is lifespan data, similar to a timestamp.
Basically, the client authenticates itself to the Authentication Server, then demonstrates to the Ticket Granting Server that it is authorized to receive a ticket for a service (and receives it), then demonstrates to the Service Server that it has been approved to receive the service.
Drawbacks
As Kerberos requires the continuous availability of a central server, this introduces a single point of failure into the protocol. Kerberos also requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and, if the host clock is not synchronized with the clock of the Kerberos server, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. Finally, password changing is not standardized and differs between server implementations.
Agora protocol
A minimal distributed protocol for electronic commerce, introduced by Gabber in 1996.
Goal: Enable simple payments for information stored on web pages.
The protocol utilizes certificates and digital signatures to ensure the authenticity of sent messages. Let Alice be the customer and Bob the merchant selling goods over the Internet. Symbols C_A and C_B denote the certificates of their public keys. Assume that the certificates are provided by a trusted third party. Let M be the request to obtain the price, N a counter of requests and P the price for the information.
Protocol:
1. A → B : A, M
2. B → A : {C_B, N, P}_{K_B^{-1}}
3. A → B : {C_A, N, P}_{K_A^{-1}}
In the second and third step, the messages are signed by the participants using their private keys, but are not encrypted.
Protocol interaction attack
It is possible to construct a special protocol that violates the security of the Agora protocol. This protocol serves the purpose of verifying age as a safety barrier to prevent access to some web pages. Assume that the certificate contains the birth date or that the certificate is issued only to persons of the required age. A participant proves her age by knowing her private key, i.e. by her ability to sign a random request R:
1. A → B : A
2. B → A : R
3. A → B : {C_A, R}_{K_A^{-1}}
If the length of the random request R is equal to the sum of the lengths of N and P, the attacker Mallory advances in the following steps:
1. A → M(D) : A
1'. M(A) → B : A, M
2. B → M(A) : {C_B, N, P}_{K_B^{-1}}
2'. M(D) → A : R (R = N, P)
3. A → M(D) : {C_A, R}_{K_A^{-1}}
3'. M(A) → B : {C_A, N, P}_{K_A^{-1}}
Mallory uses the concatenation of N and P as the random request in the protocol for age verification. The subsequent response of Alice is then immediately usable as the response that validates the purchase in the Agora protocol. Dave (D) can be an arbitrary participant.
Cryptographic protocol construction security advices
Many attacks can be prevented by following a few pieces of security advice related to the construction of cryptographic protocols. Some of the problems can be avoided by specific implementation details, such as remembering old keys or verifying the diversity of used nonces, but these significantly increase the complexity of the protocol implementation. Similarly, a parallel run check prevents the attacks exploiting multiple protocol runs, but decreases the performance of the system.
Therefore, the aim of cryptographic protocol construction is to create a protocol whose security properties are guaranteed by its own construction and sequence of steps, alongside precisely formulated prerequisites.
Some of the advice is formulated in the following section.
1. Explicitness: the meaning of a message shall depend only on the message alone. A message is supposed to contain all information required for its interpretation, including the identities of the participants. Examples of failures include the Denning-Sacco protocol or the Needham-Schroeder public key protocol.
2. Assumptions: for each message that causes any action, all required assumptions shall be provided.
3. Use of ciphers: it must be clearly stated which purpose the encryption of the text serves. Amongst the common purposes, encryption can be used to provide confidentiality, authenticity, mutual binding of messages, randomness, etc.
4. Signing and encryption: a digital signature does not guarantee that the sender knows the plaintext. It is vital to first sign the plaintext and then encrypt the whole message. On the other hand, even this does not guarantee security, as the Denning-Sacco protocol proves.
5. Nonces: for each nonce it is mandatory to state its goal and expected properties. The Otway-Rees protocol is an example of a security risk regarding this advice.
6. Security of predictable information: predictable information (counters) used to ensure freshness of transferred messages must be secured in the protocol.
7. Timestamps: if timestamps are used to preserve freshness, it is mandatory to synchronize local clocks. In addition, the time administration system becomes a critical component of the security system.
8. Freshness vs usage: the actual use of an entity (e.g. a key for encryption) is not the same as the freshness of the entity.
9. Exactness (unicity): a protocol message shall be exactly decipherable; a participant is able to determine the pertinence of a message to the protocol, the protocol run and the order of the message within the protocol.
10. Trust: it is mandatory to formulate and justify all assumptions about the trust the protocol expects.
11. Use of the private key: if possible, it is better to avoid using the private key for various purposes, such as both signing and decryption. For example, with RSA it is possible to obtain the private key from the process of decryption and the publishing of the decrypted messages.
12. Assume nothing: do not assume anything that is not stated in the protocol definition.
Quantum cryptography
Quantum cryptography changed the approach to cryptographic problems by relying on the
properties of subatomic particles rather than on clever mathematical ideas. It uses the
principles of quantum mechanics and the physics of information to achieve secure
communication. Eavesdropping can then be viewed as a measurement on the physical object
that carries the information. An eavesdropping attempt can therefore be detected, using quantum
phenomena such as superposition or entanglement: according to the laws of quantum
mechanics, a measurement on the quantum carrier of information disturbs it and leaves
traces of tampering.
Quantum theory basics
"I think I can safely say that nobody understands quantum mechanics." Richard P. Feynman
Uncertainty principle
Introduced in 1927 by Werner Heisenberg, the uncertainty principle states that one cannot
measure with arbitrary precision the values of certain conjugate quantities, i.e. pairs of
observables of a single particle such as position and momentum. There is, however, a positive
lower bound on the product of the uncertainties of the two measurements.
Entanglement of particles
Quantum entanglement is a phenomenon of quantum mechanics in which the quantum states of
two or more objects have to be described with reference to each other, even if the objects are
spatially separated. This leads to correlations between observable physical properties of the
system: for example, two electrons can be prepared in a single entangled state such that
whenever the first electron is observed to be spin-up, the second is observed to be spin-down.
It is still not possible to predict which of the two outcomes will be observed, yet the
measurement of the first system instantaneously influences the system entangled with it.
Quantum entanglement is central to quantum cryptography, to quantum computing in general
and to quantum teleportation. It also brings philosophical problems, as the correlations
predicted by quantum mechanics and observed in experiments reject the principle of local
realism, which states that information about the state of a system can only be mediated by
interactions in its immediate surroundings.
Quantum computing
Quantum computers are still a dream yet to come true; however, some applications are already
known that have serious implications for current cryptographic standards. For example, a
quantum computer could solve the factorization problem (the basis of the RSA cryptosystem) in
polynomial time using a probabilistic algorithm invented by Peter Shor, which finds the factors
of $n$, a product of two primes, in $O((\log n)^3)$ time and $O(\log n)$ space.
Qubit
A qubit (qbit), short for quantum bit, is the unit of quantum information. The term was
coined by Benjamin Schumacher, who found a way for a quantum state to represent
information (Schumacher compression). Quantum information is described by a state vector in
a two-level quantum mechanical system, formally equivalent to a two-dimensional vector space
over the complex numbers. A qubit differs from a classical bit in that, although a measurement
of it yields only one of two values, 0 or 1, before the measurement it can be 0, 1, or a
superposition of both. The states 0 and 1 are called basis states.
Formally, the basis states are written in Dirac (bra-ket) notation as $|0\rangle$ (ket 0) and
$|1\rangle$ (ket 1). A pure qubit state is their linear superposition
\[
|\psi\rangle = \alpha|0\rangle + \beta|1\rangle,
\]
where $\alpha$ and $\beta$ are complex probability amplitudes with $|\alpha|^2 + |\beta|^2 = 1$.
A qubit can be in such a superposition of the basis states, but any attempt to measure it makes
the qubit collapse into one of the two basis states: the outcome $|0\rangle$ is obtained with
probability $|\alpha|^2$ and the outcome $|1\rangle$ with probability $|\beta|^2$.
Another important property of qubits lies in entanglement; the maximally entangled state of
two qubits, called a Bell state, can be written as
\[
|\Phi^+\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle_A \otimes |0\rangle_B + |1\rangle_A \otimes |1\rangle_B\right)
= \tfrac{1}{\sqrt{2}}\left(|00\rangle + |11\rangle\right),
\]
where $\otimes$ denotes the tensor product. Even if Alice possesses one qubit and Bob the
other, and the qubits are now spatially separated, they still exhibit perfect correlations
because they were entangled.
Quantum cryptography principles
Polarized photons
In 1984, Charles H. Bennett and Gilles Brassard proposed the first method of implementing a
cryptographic scheme using quantum theory. The scheme, known as BB84, uses pulses of
polarized light, one photon per pulse. It uses two types of polarization, rectilinear and
diagonal (or circular). Rectilinear polarization can be either vertical or horizontal; diagonal
(circular) polarization can be left-handed or right-handed. In either type a bit can be encoded,
e.g. vertical and left-handed polarizations as 1, horizontal and right-handed as 0. To generate a
random key, Alice must send the polarizations with equal probability. To prevent Eve from
learning the bits, Alice chooses at random, for each photon, between the rectilinear and the
circular (diagonal) type of polarization.
Entangled photons
In 1991, Artur Ekert proposed a scheme that uses entangled pairs of photons. These photons
may be prepared by Alice, by Bob, or by any other source, even Eve. The photons are
distributed so that Alice and Bob each receive one photon from each pair.
The scheme is based on three properties of entanglement:
The first property is that it is possible to make entangled states that are perfectly
correlated. If Alice and Bob both test whether their particles have vertical or horizontal
polarization, they will always get opposite answers. The same opposite results are obtained if
they measure any other pair of complementary orthogonal polarizations. Their individual
results are, however, completely random: neither can predict whether vertical or horizontal
polarization will be obtained.
The second property is often called quantum non-locality and concerns measurements in
different bases. The correlations between Alice's and Bob's measurements are then not
perfect, but for suitable pairs of bases there is still more than 50% probability that Alice can
correctly deduce Bob's result from her own, and vice versa. These correlations are stronger
than any model based on classical physics or ordinary intuition would predict.
The third property is related to eavesdropping: any attempt at eavesdropping by Eve weakens
these correlations, and Alice and Bob can detect the change.
Classical cryptography versus quantum cryptography
Classical cryptography is based on difficult mathematical problems, whereas quantum
cryptography is based on properties of subatomic particles, so there are some fundamental
differences in what the two can achieve.
Privacy amplification
Quantum cryptography protocols allow Alice and Bob to generate and share random keys that
are very similar (under perfect conditions identical), but there will be an error rate. They also
allow Alice and Bob to estimate the level of eavesdropping, and thus the maximum amount of
information Eve can have about their shared key. Eve must nevertheless be prevented from
obtaining even parts of the key, since a few key bits may reveal a critical part of a message.
Another disturbing fact is that channel noise cannot be distinguished from eavesdropping, so
all errors must be attributed to an eavesdropper.
Privacy amplification is the step that follows information reconciliation (the error-correction
step in which Alice and Bob make their keys identical over the public channel). It allows Alice
and Bob to start with an identical shared random key about which Eve has some partial
information and to distil from it a shorter key about which Eve has essentially no information
whatsoever.
Privacy amplification can be used in both the Bennett-Brassard and the Ekert scheme, although
Ekert's entanglement-based cryptography allows privacy amplification to be performed directly
at the quantum level. Besides being more efficient, this also brings the possibility of quantum
cryptography over arbitrarily long distances using quantum repeater stations.
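The standard way to do privacy amplification is a universal hash: Alice announces a random binary matrix over GF(2) and both sides multiply their reconciled key by it. The following Python is an added example, not from the book; it assumes a 16-bit reconciled key, that Eve knows at most 6 of its bits, and a safety margin of 2 bits, so 8 bits are kept. Its `eve_view` function enumerates every key consistent with what Eve knows and shows directly that, when the matrix restricted to the bits she does not know has full rank, every possible final key is equally likely from her point of view.

```python
"""Added example: privacy amplification with a random binary matrix (a universal
hash over GF(2)), plus a direct check of what Eve can still learn.

Assumptions (not from the book): the reconciled key has n = 16 bits, Eve is
assumed to know at most t = 6 of them, and s = 2 bits of safety margin are
sacrificed, so r = n - t - s = 8 bits are kept.  The matrix comes from a
seeded generator so the run is repeatable; in a real system it is drawn fresh
and sent over the authenticated public channel.
"""
import random
from itertools import product
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[int]]


def random_matrix(rows: int, cols: int, rng: random.Random) -> Matrix:
    """Uniformly random r x n binary matrix: the hash function Alice announces."""
    return [[rng.randrange(2) for _ in range(cols)] for _ in range(rows)]


def hash_bits(matrix: Matrix, bits: Sequence[int]) -> Tuple[int, ...]:
    """Universal hash over GF(2): key' = M * key, one output bit per row."""
    return tuple(sum(m & b for m, b in zip(row, bits)) % 2 for row in matrix)


def gf2_rank(matrix: Matrix) -> int:
    """Rank over GF(2) by elimination on rows packed into integers."""
    rows = [int("".join(map(str, row)), 2) for row in matrix]
    rank = 0
    while rows:
        pivot = max(rows)             # row with the highest leading bit
        rows.remove(pivot)
        if pivot == 0:
            break
        rank += 1
        top = 1 << (pivot.bit_length() - 1)
        rows = [r ^ pivot if r & top else r for r in rows]
    return rank


def privacy_amplify(key: Sequence[int], eve_bits: int, safety: int,
                    rng: random.Random) -> Tuple[Matrix, Tuple[int, ...]]:
    """Shrink an n-bit reconciled key to r = n - eve_bits - safety bits."""
    r = len(key) - eve_bits - safety
    if r <= 0:
        raise ValueError("nothing left after privacy amplification")
    matrix = random_matrix(r, len(key), rng)
    return matrix, hash_bits(matrix, key)


def eve_view(matrix: Matrix, key: Sequence[int],
             known: Dict[int, int]) -> Dict[Tuple[int, ...], int]:
    """Enumerate every key consistent with Eve's knowledge (position -> bit)
    and count how often each amplified key occurs.  Equal counts mean the
    hash erased her advantage: her best guess is a coin flip per bit."""
    unknown = [i for i in range(len(key)) if i not in known]
    counts: Dict[Tuple[int, ...], int] = {}
    for guess in product((0, 1), repeat=len(unknown)):
        candidate = list(key)                 # known positions keep their true value
        for pos, bit in zip(unknown, guess):
            candidate[pos] = bit
        out = hash_bits(matrix, candidate)
        counts[out] = counts.get(out, 0) + 1
    return counts


def demo(seed: int = 1, n: int = 16, eve_bits: int = 6, safety: int = 2):
    """Returns (rank of the matrix on Eve's unknown columns, Eve's view, final key).
    When that rank equals r, Eve's view is uniform over all 2^r final keys."""
    rng = random.Random(seed)
    key = [rng.randrange(2) for _ in range(n)]            # constructed reconciled key
    known = {i: key[i] for i in rng.sample(range(n), eve_bits)}   # bits Eve learned
    matrix, final_key = privacy_amplify(key, eve_bits, safety, rng)
    unknown_cols = [[row[i] for i in range(n) if i not in known] for row in matrix]
    return gf2_rank(unknown_cols), eve_view(matrix, key, known), final_key


if __name__ == "__main__":
    rank, view, final_key = demo()
    print(f"final key {final_key}, {len(view)} keys reachable for Eve, "
          f"each {set(view.values())} times (rank {rank})")
```

The counts are equal whatever the rank, because the reachable outputs form a coset of the image of the matrix on the unknown columns; what the rank decides is whether all 2^r outputs are reachable (full rank, Eve knows nothing) or only 2^rank of them (Eve has excluded some final keys). That is why a real implementation draws a fresh matrix per session and keeps the safety margin s.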
No deniability
Bennett and Brassard's scheme has a deniability limitation. Even though it can be used to
create one-time pad keys and thus achieve perfect secrecy, it may destroy the one-time pad's
deniability property, i.e. the possibility that Alice encrypts a message with one key but after
sending the ciphertext pretends that the message was a different one, encrypted with a
different key.
The reason for the loss of deniability lies in possible eavesdropping: Eve, listening to a small
portion of the key exchange (and therefore probably disturbing a few bits, but not enough to
invalidate the protocol), learns a limited number of the exchanged bits. If Alice and Bob are
later forced to reveal what was sent and which key was used, they must, in order to deny the
message, present a different key and therefore alter the records from which it was derived. But
there is a non-zero probability that Eve has successfully listened to parts of the records they
changed and therefore knows that the key they pretend to have used is not the real one.
The problem is closely related to the impossibility of unconditionally secure bit commitment
using quantum protocols.
Attacks
Simply intercepting and re-transmitting the photons, the quantum counterpart of the
man-in-the-middle attack known from classical cryptography, is detected in quantum
cryptography thanks to the observer effect. If Mallory intercepts the stream of photons, she
alters them with some probability: her measurement destroys the information about the
photon's state and entanglement, so she cannot re-emit the photons to Bob correctly.
The entangled-photon scheme is virtually impossible to hijack, because entanglement is
monogamous: a third photon cannot be entangled with the pair without weakening the
correlations between Alice's and Bob's photons, and this is easily detected. Mallory cannot
mount a man-in-the-middle attack by measuring one entangled photon, thereby disturbing the
other, and re-emitting both photons; the laws of quantum physics disallow this.
However, other versions of the man-in-the-middle attack still apply to quantum cryptography.
If Eve pretends to be Alice to Bob and Bob to Alice, she can run the quantum key exchange
with both sides simultaneously, ending up with two keys. This attack fails only if both sides can
verify each other's identity, which is why the public channel must be authenticated.
A denial of service (DoS) attack can easily be performed by cutting the dedicated fibre-optic
line, or simply by tapping it, since every tap shows up as errors.
A random number generator attack can be performed if the equipment used to generate the
keys can be tampered with.
Polarization schemes are also susceptible to an attack proposed by Adi Shamir: Mallory sends
a large pulse of light back to Alice in between the transmitted photons. Alice's equipment
inevitably reflects some of Mallory's light back. This light is polarized, since Alice's
equipment was in some polarization state, so Mallory can measure the reflected light and
extract the state of Alice's polarizer.
Quantum key distribution (QKD)
Quantum cryptography solves the problem the one-time pad faces when used with classical
cryptography: the requirement to securely transmit a key of the same length as the message
before the message is encrypted. Quantum cryptography can be used to exchange or distribute
shared secret keys between the participants in a communication, forcing a potential
eavesdropper to become an active participant in the communication and thereby increasing the
chance of detecting unwanted activity. The quantum channel is used to exchange or distribute
keys, whereas the transmission itself can use a one-time pad and thus achieve perfect secrecy.
Keys can be changed on the fly, at any moment, making successful eavesdropping even harder.
BB84 quantum coding scheme
The BB84 quantum coding scheme was the first proposed quantum encoding of classical
information such that the receiver (legitimate or illegitimate) cannot recover the information
with certainty. It is the basic tool on which most quantum protocols are built.
The BB84 coding scheme makes a correspondence between classical bits and quantum states.
Each classical bit is encoded in one of two non-orthogonal quantum states, chosen with equal
probability. One representation looks like this: we denote by $|0_+\rangle$ and $|1_+\rangle$ the
states of the rectilinear basis, whereas the states of the diagonal basis are denoted
$|0_\times\rangle$ and $|1_\times\rangle$. In some literature, a circular basis is used instead of the
diagonal one.
Information to be sent over the quantum channel is encoded by transmitting photons in
particular polarization states: the direction of polarization encodes a classical bit. The BB84
coding scheme has two basis states representing the classical bit 0, encoded either by a photon
with horizontal polarization or by a photon polarized at 45° to the horizontal direction. The
remaining orthogonal states, i.e. vertical and 135° polarization, encode the classical bit 1.
The laws of quantum mechanics state that it is impossible to distinguish two non-orthogonal
quantum states with certainty. To distinguish them, a quantum measurement must be performed
that produces a classical output which tries to identify the received state. This uncertainty about
the transmitted information provides the cryptographic properties needed in quantum
cryptography.
[Figure: the four BB84 polarization states, $|0_+\rangle$ (horizontal), $|1_+\rangle$ (vertical),
$|0_\times\rangle$ (45°) and $|1_\times\rangle$ (135°).]
The following two measurements are used in the description of the BB84 coding scheme below:
the measurement in the rectilinear basis, i.e. the von Neumann measurement that distinguishes
$|0_+\rangle$ from $|1_+\rangle$, and the measurement in the diagonal basis, i.e. the von Neumann
measurement that distinguishes $|0_\times\rangle$ from $|1_\times\rangle$.
Algorithm
Alice wants to send a secret key to Bob. She generates a random key of $n$ bits $\{a_i\}$ and a
second random vector $\{b_i\}$ that records, for each bit, which type of polarization (rectilinear or
diagonal) to use. She then encodes the two vectors as a string of $n$ qubits
\[
|\psi\rangle = \bigotimes_{i=1}^{n} |\psi_{a_i b_i}\rangle,
\]
where each qubit is in one of the following four states (depending on $a_i b_i$):
\[
|\psi_{00}\rangle = |0_+\rangle, \qquad
|\psi_{10}\rangle = |1_+\rangle, \qquad
|\psi_{01}\rangle = |0_\times\rangle = \tfrac{1}{\sqrt{2}}\left(|0_+\rangle + |1_+\rangle\right), \qquad
|\psi_{11}\rangle = |1_\times\rangle = \tfrac{1}{\sqrt{2}}\left(|1_+\rangle - |0_+\rangle\right).
\]
These states are not mutually orthogonal, so they cannot be distinguished with certainty without
prior knowledge of $b_i$.
Alice then sends $|\psi\rangle$ to Bob over the public quantum channel. Bob receives the state
$\varepsilon(\rho) = \varepsilon(|\psi\rangle\langle\psi|)$, where $\varepsilon$ represents the effect of both
noise and eavesdropping by Eve. After Bob has received the string of qubits, all three parties
(Alice, Bob and Eve) hold their own states. Only Alice knows the polarization sequence $\{b_i\}$,
so neither Bob nor Eve can distinguish the states of the qubits with certainty. Eve cannot hold a
copy of the qubits sent to Bob (no-cloning theorem of quantum mechanics) unless she measures
them, and her measurements disturb the qubits: whenever she guesses the wrong basis
(probability 1/2), the qubit she re-sends is in a wrong state, and Bob's subsequent measurement in
the correct basis gives a wrong bit with probability 1/2.
On the other side, Bob generates a string of random bits $\{b_i'\}$ of the same length as $\{b_i\}$,
which he uses as his guesses of the type of polarization used for each qubit $a_i'$ he received from
Alice (or Eve). He measures the qubits accordingly and obtains the values $a_i''$. Bob then
announces over the public channel that he has received all of Alice's qubits. Next, Bob and Alice
compare over the public channel which polarization types were guessed right and which were
wrong ($b_i \ne b_i'$). Both Alice and Bob discard all qubits that Bob measured with the wrong
polarization.
Finally, an eavesdropping check is performed. Out of the remaining $k$ bits $a_i$, Alice randomly
chooses half and discloses her choice over the public channel. Alice and Bob both announce these
bits publicly and check whether all of them match ($a_i = a_i''$). If they do, they proceed with
information reconciliation and privacy amplification to create some number of shared secret keys.
Otherwise they have found possible eavesdropping (or noise): Eve may have guessed the wrong
polarization type at a position $j$ where Bob used the correct measurement, disturbing the $j$-th
qubit and causing Bob's measurement to fail, so that $a_j \ne a_j''$. If there are more than a certain
number of mismatches, they start the protocol over.
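The whole procedure above, sifting and eavesdropping check included, as an added Python simulation that is not part of the book. The only quantum fact it needs is that a measurement in the wrong basis returns a fair coin; it also models an intercept-and-resend Eve and an imperfect detector on Bob's side (the `loss` parameter), both assumptions of the example.

```python
"""Added example (not from the book): a classical simulation of BB84 with
sifting and the eavesdropping check, an optional intercept-and-resend Eve and
an imperfect detector on Bob's side.

Photons are represented as (bit, basis) pairs; a measurement in the wrong
basis returns a fair coin, which is the only quantum fact the simulation needs.
"""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

RECT, DIAG = "+", "x"          # rectilinear and diagonal bases, as in the text
BASES = (RECT, DIAG)


def measure(bit: int, basis: str, meas_basis: str, rng: random.Random) -> int:
    """Von Neumann measurement of a photon prepared as |bit_basis> in meas_basis.
    Same basis: the outcome is certain.  Other basis: the prepared state is an
    equal superposition of the two measurement states, so the outcome is random."""
    return bit if basis == meas_basis else rng.randrange(2)


@dataclass
class Bb84Result:
    qber: float            # error rate observed on the disclosed test bits
    key_alice: List[int]   # remaining sifted bits on Alice's side
    key_bob: List[int]     # remaining sifted bits on Bob's side


def bb84(n: int, rng: random.Random, eve: bool = False, loss: float = 0.0) -> Bb84Result:
    a = [rng.randrange(2) for _ in range(n)]          # Alice's random bits a_i
    b = [rng.choice(BASES) for _ in range(n)]         # Alice's bases b_i
    photons: List[Tuple[int, str]] = list(zip(a, b))  # what leaves Alice

    if eve:  # intercept-and-resend: Eve measures in a random basis and re-emits what she saw
        photons = []
        for bit, basis in zip(a, b):
            e_basis = rng.choice(BASES)
            photons.append((measure(bit, basis, e_basis, rng), e_basis))

    b_prime = [rng.choice(BASES) for _ in range(n)]   # Bob's basis guesses b_i'
    a_pp: List[Optional[int]] = []                    # Bob's readings a_i'' (None = no click)
    for (bit, basis), mb in zip(photons, b_prime):
        a_pp.append(None if rng.random() < loss else measure(bit, basis, mb, rng))

    # Public discussion: Bob announces which photons he detected and in which
    # basis; Alice replies which bases were right.  Bases are public, bits are not.
    sifted = [i for i in range(n) if a_pp[i] is not None and b[i] == b_prime[i]]
    alice_bits = [a[i] for i in sifted]
    bob_bits = [a_pp[i] for i in sifted]

    # Eavesdropping check: Alice picks half of the sifted positions at random,
    # both disclose those bits and count disagreements; the rest stays secret.
    test = set(rng.sample(range(len(sifted)), len(sifted) // 2))
    errors = sum(alice_bits[i] != bob_bits[i] for i in test)
    qber = errors / len(test) if test else 0.0
    key_a = [alice_bits[i] for i in range(len(sifted)) if i not in test]
    key_b = [bob_bits[i] for i in range(len(sifted)) if i not in test]
    return Bb84Result(qber, key_a, key_b)


if __name__ == "__main__":
    quiet = bb84(2000, random.Random(1), loss=0.5)
    tapped = bb84(2000, random.Random(1), eve=True)
    print(f"no Eve, lossy detector: QBER={quiet.qber:.3f}, key bits={len(quiet.key_alice)}")
    print(f"with Eve: QBER={tapped.qber:.3f} (intercept-and-resend gives about 0.25)")
```

With a perfect channel the disclosed bits agree exactly; an intercept-and-resend Eve guesses the wrong basis half of the time and then Bob's correct-basis measurement is wrong half of the time, so she leaves a 25% error rate on the sifted key, which is why a real system aborts above a QBER threshold well below that.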
Example without eavesdropping
Alice sends Bob a stream of 16 photons, representing the string 1100011101010011 of qubits
(the polarization diagrams of this example are not reproduced here).
Bob randomly chooses the type of measurement (rectilinear or diagonal) for each photon Alice sent.
Bob's equipment has a 0.5 probability of failing to detect a photon at all. Bob therefore obtains
the following results during his measurement: empty circles in the figure represent a failure to
detect a photon; measurements in squares are incorrect (Bob, of course, is not aware of that).
Bob then uses the public channel to tell Alice which types of measurement he made for the
received photons, but does not tell her the detected values.
Alice then tells Bob which measurements were of the correct type.
The probability that Bob makes the same type of measurement as Alice is one half, and his
equipment also has a one-half probability of detecting no photon at all. As a result, only about one
quarter of the sent photons can be expected to be received correctly. From the stream of 16
photons in this example, Bob is expected to receive only 4 of them correctly; in fact, in this
example Bob retrieved 6 photons correctly. These photons, and the qubits they represent, can be
used to construct a secret key for the communication between Alice and Bob using symmetric
cryptography over an insecure channel, e.g. the Vernam cipher.
To review the steps of this example (the rows of the figure are not reproduced here): Alice sends,
Bob measures, Bob reads, Bob sends, Alice tells.
Example with eavesdropping
Alice sends Bob a stream of 16 photons, representing the string 0010001110110000 of qubits.
Eve randomly chooses the type of measurement (rectilinear or diagonal) for each photon Alice sent.
Eve's equipment also has a 0.5 probability of failing to detect a photon. Eve obtains the
following results during her measurement; a measurement in a diamond is an incorrect guess by
Eve, and the photon she re-sends is what reaches Bob.
Bob randomly chooses the type of measurement (rectilinear or diagonal) for each photon that
Alice (or rather Eve) sent.
Again, Bob obtains his results with the possibility that his equipment fails during the
measurement.
Bob then uses the public channel to tell Alice which types of measurement he made for his
successful measurements.
Alice then tells Bob which measurements were of the correct type.
There were 8 usable qubits retrieved at the end.
Both Bob and Alice want to know whether anyone has been eavesdropping. They decide to
compare 50% of these shared qubits and agree on a random subset of them, so that Eve cannot
predict which qubits will be checked and therefore cannot avoid disturbing them.
Alice refines her earlier answer to reveal half of the shared qubits, and Bob tells Alice what his
corresponding qubits are.
One of the compared qubits was wrong (the qubit in a diamond). Alice and Bob therefore
conclude that Eve was listening to their communication.
To review the steps of this example (the rows of the figure are not reproduced here): Alice sends,
Eve measures, Eve reads, Bob measures, Bob reads, Bob tells, Alice tells, Alice tells, Bob tells.
B92 quantum coding scheme
The B92 quantum coding scheme, introduced by Charles H. Bennett in 1992, is similar to
BB84 but uses only 2 of the 4 BB84 qubit states: it encodes the classical bits in two
non-orthogonal BB84 states. No measurement can distinguish two non-orthogonal quantum
states, so it is impossible to identify the given bit with certainty, and any attempt to learn the
bit modifies the state in an observable way. In contrast to BB84, the B92 coding scheme allows
Bob to know whenever he has obtained the bit sent, without further discussion with Alice. B92
is easier to implement, as it uses only 2 states; however, its security is substantially reduced
compared to BB84 in some situations, often to the point of being totally insecure.
To send a bit $a_i$, Alice prepares a photon in the state $|0_+\rangle$ if $a_i = 0$ and in the state
$|0_\times\rangle$ if $a_i = 1$ (the corresponding BB84 states): the classical bit 0 is encoded by a
photon with horizontal polarization and the classical bit 1 by a photon polarized at 45°. Bob then
chooses a basis for his measurement at random and performs it. The received bit $a_i'$ is set
according to the outcome: if the outcome is $|1_+\rangle$ or $|1_\times\rangle$, Bob can immediately
identify the bit sent by Alice, because $|1_+\rangle$ can never result from measuring $|0_+\rangle$ and
$|1_\times\rangle$ can never result from measuring $|0_\times\rangle$ (if Bob obtained $|1_+\rangle$,
then $a_i$ was 1; if he obtained $|1_\times\rangle$, then $a_i$ was 0). Otherwise the outcome is
inconclusive, since $|0_+\rangle$ or $|0_\times\rangle$ can result from either encoding, and the
position is discarded.
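Bob's decision rule, as an added Python simulation that is not part of the book. It uses the same (bit, basis) model of a photon as a classical stand-in for the quantum state and shows that conclusive outcomes are always correct but occur for only a quarter of the photons.

```python
"""Added example (not from the book): a classical simulation of the B92 rule
for deciding when Bob's measurement is conclusive.  Alice encodes 0 as the
horizontal photon |0+> and 1 as the 45-degree photon |0x>; Bob measures in a
random basis and keeps only outcomes that are impossible for one of the two
encodings.
"""
import random
from typing import List, Optional, Tuple

RECT, DIAG = "+", "x"


def b92_measure(bit: int, bob_basis: str, rng: random.Random) -> Optional[int]:
    """Bob measures one B92 photon carrying `bit` in `bob_basis`.
    Returns the bit he can infer, or None if the outcome is inconclusive."""
    alice_basis = RECT if bit == 0 else DIAG      # |0+> for 0, |0x> for 1
    if bob_basis == alice_basis:
        outcome = 0                               # |0_b> measured in basis b is always 0_b
    else:
        outcome = rng.randrange(2)                # non-orthogonal state: fair coin
    if outcome == 0:
        return None                               # |0+> or |0x>: consistent with either bit
    # |1+> cannot come from |0+>, so Alice sent |0x> (bit 1);
    # |1x> cannot come from |0x>, so Alice sent |0+> (bit 0).
    return 1 if bob_basis == RECT else 0


def b92(bits: List[int], rng: random.Random) -> Tuple[List[int], List[int]]:
    """Run B92 over Alice's bits; returns the conclusive positions and the bits
    Bob inferred there.  Bob announces the positions, never the bits."""
    positions, inferred = [], []
    for i, bit in enumerate(bits):
        got = b92_measure(bit, rng.choice((RECT, DIAG)), rng)
        if got is not None:
            positions.append(i)
            inferred.append(got)
    return positions, inferred


if __name__ == "__main__":
    rng = random.Random(1)
    alice = [rng.randrange(2) for _ in range(4000)]
    pos, got = b92(alice, rng)
    print(f"conclusive fraction {len(pos) / len(alice):.3f} (expected 0.25), "
          f"errors {sum(alice[p] != v for p, v in zip(pos, got))}")
```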
Einstein-Podolsky-Rosen (EPR) protocol
In 1991 Artur Ekert introduced a protocol based on the famous paper of Einstein, Podolsky and
Rosen, "Can quantum-mechanical description of physical reality be considered complete?" (1935),
that uses quantum entanglement as its core principle.
The EPR quantum protocol is a 3-state protocol that uses Bell's inequality to detect the presence
of Eve in the system as a hidden variable. The three basic polarization states are chosen as
follows, where $|\theta\rangle$ denotes a photon linearly polarized at angle $\theta$:
\[
\begin{aligned}
|D_0\rangle &= \tfrac{1}{\sqrt{2}}\left(|0\rangle\,|\tfrac{3\pi}{6}\rangle - |\tfrac{3\pi}{6}\rangle\,|0\rangle\right),\\
|D_1\rangle &= \tfrac{1}{\sqrt{2}}\left(|\tfrac{\pi}{6}\rangle\,|\tfrac{4\pi}{6}\rangle - |\tfrac{4\pi}{6}\rangle\,|\tfrac{\pi}{6}\rangle\right),\\
|D_2\rangle &= \tfrac{1}{\sqrt{2}}\left(|\tfrac{2\pi}{6}\rangle\,|\tfrac{5\pi}{6}\rangle - |\tfrac{5\pi}{6}\rangle\,|\tfrac{2\pi}{6}\rangle\right).
\end{aligned}
\]
For each of these linear polarization states, the mutually non-orthogonal alphabets $A_0$, $A_1$
and $A_2$ can be constructed, mapping states to classical bits:
\[
A_0:\ |0\rangle \mapsto 0,\ |\tfrac{3\pi}{6}\rangle \mapsto 1; \qquad
A_1:\ |\tfrac{\pi}{6}\rangle \mapsto 0,\ |\tfrac{4\pi}{6}\rangle \mapsto 1; \qquad
A_2:\ |\tfrac{2\pi}{6}\rangle \mapsto 0,\ |\tfrac{5\pi}{6}\rangle \mapsto 1.
\]
For each of these alphabets, the corresponding measurement operators $M_0$, $M_1$ and $M_2$ are
constructed as projectors onto the state representing 0:
\[
M_0 = |0\rangle\langle 0|, \qquad
M_1 = |\tfrac{\pi}{6}\rangle\langle\tfrac{\pi}{6}|, \qquad
M_2 = |\tfrac{2\pi}{6}\rangle\langle\tfrac{2\pi}{6}|.
\]
For each bit, a state $|D_i\rangle$ is chosen with equal probability from among the three states.
Then an EPR pair is created in the selected state $|D_i\rangle$; one photon of the pair is sent to
Alice, the other to Bob. Alice and Bob independently choose at random a type of measurement
$M_j$ and measure their respective photons accordingly. Alice records her bit; Bob records the
complement of his bit.
Next, Alice and Bob communicate over the public channel about their chosen measurement
types in order to find the bits with the same measurement type. They then construct two
sequences: the raw key, consisting of the bits for which the measurement types agreed, and the
rejected key, consisting of the bits for which the types differed.
The rejected key is used to detect the presence of Eve: if Bell's inequality is satisfied, Eve's
presence is detected, otherwise it is not.
For the EPR protocol, Bell's inequality can be written as follows. Let $P(\ne \mid i, j)$ denote the
probability that two corresponding bits of the rejected key do not match, given that the
measurement operators chosen by Alice and Bob are $M_i$ and $M_j$ (or $M_j$ and $M_i$), and let
$P(= \mid i, j) = 1 - P(\ne \mid i, j)$. Let
\[
\Delta(i, j) = P(\ne \mid i, j) - P(= \mid i, j)
\qquad\text{and}\qquad
\beta = 1 + \Delta(1, 2) - \bigl|\Delta(0, 1) - \Delta(0, 2)\bigr| .
\]
Then Bell's inequality reduces to
\[
\beta \ge 0 .
\]
For quantum mechanics (no hidden variables)
\[
\beta = -\tfrac{1}{2},
\]
which is a clear violation of Bell's inequality.
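How the value $\beta = -\tfrac{1}{2}$ arises, as an added derivation (not in the book) from the states and operators above. Each $|D_i\rangle$ is an antisymmetric superposition of two orthogonal polarizations, so all three are in fact the same physical state (the antisymmetric subspace of two qubits is one-dimensional), which is why the protocol may draw the state at random. Suppose Alice measures $M_i$ and finds her photon in $|\theta_i\rangle$ (bit 0). Bob's photon is then projected onto $|\theta_i + \tfrac{\pi}{2}\rangle$, and when he measures $M_j$ Malus' law gives the probability that he finds $|\theta_j\rangle$ (raw bit 0) as
\[
\bigl|\langle\theta_j \mid \theta_i + \tfrac{\pi}{2}\rangle\bigr|^2 = \sin^2(\theta_j - \theta_i),
\]
and by symmetry the same holds when Alice found bit 1. The raw outcomes therefore coincide with probability $\sin^2(\theta_i - \theta_j)$. Since Bob records the complement of his raw bit, the recorded bits differ exactly when the raw outcomes coincide:
\[
P(\ne \mid i, j) = \sin^2(\theta_i - \theta_j), \qquad
P(= \mid i, j) = \cos^2(\theta_i - \theta_j), \qquad
\Delta(i, j) = -\cos\bigl(2(\theta_i - \theta_j)\bigr).
\]
With $\theta_i = i\pi/6$:
\[
\Delta(0,1) = \Delta(1,2) = -\cos\tfrac{\pi}{3} = -\tfrac{1}{2}, \qquad
\Delta(0,2) = -\cos\tfrac{2\pi}{3} = +\tfrac{1}{2},
\]
\[
\beta = 1 + \Delta(1,2) - \bigl|\Delta(0,1) - \Delta(0,2)\bigr|
      = 1 - \tfrac{1}{2} - \bigl|-\tfrac{1}{2} - \tfrac{1}{2}\bigr| = -\tfrac{1}{2}.
\]
For $i = j$ the same formula gives $P(\ne \mid i, i) = 0$, i.e. the raw key bits always agree, as the protocol requires. If Eve intercepts one photon, measures it and re-emits both photons in a product state, Alice's and Bob's outcomes become independent given Eve's result, which acts as a local hidden variable; every such model satisfies $\beta \ge 0$, so the estimate of $\beta$ from the rejected key moves away from $-\tfrac{1}{2}$ and exposes her.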
Practical implementations
Navajo
The first known commercial system for QKD, named Navajo, was introduced in 2003 by MagiQ
Technologies Inc. MagiQ's system uses a fibre-optic link and refreshes its encryption key,
exchanged as qubits, every second. Its communication link, the Quantum Private Network (QPN),
consists of two black boxes connected by a 30 km optical link that implement the BB84 quantum
coding scheme.
The following figures show the basic layout of Navajo and a more detailed view of the quantum
key distribution system.
Clavis
Clavis is the Latin word for key. The Switzerland-based company id Quantique introduced another
QKD system, id 3000 Clavis, in 2005. This system is capable of distributing secret key qubits
over distances of up to 100 km with a minimum rate of 1500 bits/s. It employs two quantum
protocols, BB84 and SARG. The cryptography on the conventional channel is based on the Triple
DES and AES standards. Its architecture resembles that of Navajo.
[Figure (Navajo, basic layout): on each side a VPN endpoint passes plaintext to its Quantum
Private Network box; the two boxes exchange ciphertext over the public link.]
[Figure (Navajo, detailed view): on each side Internet traffic enters a router, then the SONET
telecommunication protocol, a wave division multiplexer (WDM), an optical amplifier and a QPN
repeater; the quantum key distribution channel and the encrypted message share the fibre between
the two Quantum Private Networks (QPN).]
Elliptic curve cryptography
Elliptic Curve Cryptography (ECC) is an approach to public-key cryptography based on the
algebraic structure of elliptic curves over a finite field. It was introduced independently in 1985
by Neal Koblitz and Victor S. Miller.
An elliptic curve (over a field of characteristic other than 2 and 3) is a plane curve defined by an
equation of the form
\[
y^2 = x^3 + ax + b ,
\]
with $4a^3 + 27b^2 \ne 0$, so that the curve is non-singular.
The points on an elliptic curve, together with a point at infinity serving as the identity element,
form an abelian group. If the coordinates $x$ and $y$ are taken from a large finite field, the
solutions form a finite abelian group. The discrete logarithm problem in such elliptic curve groups
is believed to be harder than the corresponding problem in the multiplicative group of a finite
field of comparable size, since no subexponential algorithm is known for it on general curves. As a
result, keys in elliptic curve cryptography can be chosen much shorter while attaining a
comparable level of security.
No mathematical proof of the difficulty of the underlying problem has been published for ECC as
of 2006. The NSA has endorsed ECC by including it in its Suite B of recommended algorithms.
[Figure: the points of the elliptic curve $y^2 = x^3 + x$ over $\mathbb{F}_{23}$, plotted on a
$23 \times 23$ grid with $x$ and $y$ running from 0 to 22.]
Cryptographic schemes
Since elliptic curves carry the discrete logarithm problem over to a new group, the problem of
computing discrete logarithms on an elliptic curve is called the elliptic curve discrete logarithm
problem (ECDLP). The hardness of several problems related to the discrete logarithm in a
subgroup of $E(\mathbb{F}_q)$, the group of points of an elliptic curve $E$ over a finite field
$\mathbb{F}_q$, makes elliptic curves usable in cryptography. Most elliptic curve cryptographic
schemes are counterparts of discrete logarithm schemes, i.e. modifications of existing modular
arithmetic schemes:
Elliptic Curve Diffie-Hellman (ECDH), a key agreement scheme based on the Diffie-Hellman key
agreement scheme;
Elliptic Curve Digital Signature Algorithm (ECDSA), based on the Digital Signature Algorithm
(DSA);
ECMQV, a key agreement scheme based on the MQV key agreement scheme.
The well-known Elgamal encryption scheme, however, cannot be ported to the elliptic curve setting
easily. The scheme was never standardized and cannot be used directly over an elliptic curve: even
though it is easy to convert an arbitrary message to an integer modulo $p$, it is not easy to convert
an arbitrary bit string to a point on a curve (for a given $x$ it is not always possible to find a $y$
such that $(x, y)$ lies on the curve). Textbook Elgamal is also malleable and therefore vulnerable
to chosen ciphertext attacks (CCA). A modification of the Elgamal scheme, the Elliptic Curve
Integrated Encryption Scheme (ECIES), was therefore introduced.
It is widely expected that ECDLP-based cryptography will replace cryptography based on integer
factorization (RSA) and finite field cryptography (DSA). In 2005 the NSA announced its Suite B of
recommended algorithms, which exclusively uses ECC for digital signature generation and key
exchange.
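The group law, scalar multiplication and ECDH on the curve $y^2 = x^3 + x$ over $\mathbb{F}_{23}$ from the figure, as an added Python example that is not from the book. The base point (11, 10) is an assumption of this example, chosen because it generates the whole 24-point group; the brute-force ECDLP solver is there to show how small the group is, not as a method that scales.

```python
"""Added example (not from the book): the group law on the curve
y^2 = x^3 + x over F_23 from the figure, scalar multiplication, a brute-force
ECDLP solver and a toy Diffie-Hellman exchange on the resulting group.

For study only: the group has 24 points, so every "hard" problem here is
solved by enumeration, and the arithmetic is not constant-time.  The base
point (11, 10) generates the whole group; it is an assumption of this
example, not a standard parameter.
"""
from typing import List, Optional, Tuple

P = 23          # field size
A, B = 1, 0     # curve coefficients: y^2 = x^3 + A*x + B
INF = None      # the point at infinity, identity of the group
Point = Optional[Tuple[int, int]]

assert (4 * A**3 + 27 * B**2) % P != 0, "curve must be non-singular"


def inverse(n: int) -> int:
    """Modular inverse in F_P (P prime), via Fermat's little theorem."""
    return pow(n % P, P - 2, P)


def is_on_curve(pt: Point) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P == 0


def add(p1: Point, p2: Point) -> Point:
    """Chord-and-tangent group law in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF            # p2 == -p1 (includes doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inverse(2 * y1) % P   # tangent slope
    else:
        lam = (y2 - y1) * inverse(x2 - x1) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt: Point) -> Point:
    """Scalar multiplication k*pt by double-and-add (k >= 0)."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def points() -> List[Point]:
    """Enumerate E(F_P): the point at infinity plus every affine solution."""
    return [INF] + [(x, y) for x in range(P) for y in range(P) if is_on_curve((x, y))]


def order(pt: Point) -> int:
    """Smallest n >= 1 with n*pt == INF; divides #E(F_P) by Lagrange's theorem."""
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        n += 1
    return n


def ecdlp_bruteforce(base: Point, target: Point) -> Optional[int]:
    """Solve k*base == target by walking the cyclic subgroup generated by base.
    Feasible only because the group is tiny; on a 256-bit curve this loop
    would never finish.  Returns None if target is not a multiple of base."""
    acc = INF
    for k in range(order(base)):
        if acc == target:
            return k
        acc = add(acc, base)
    return None


def ecdh(base: Point, a: int, b: int) -> Tuple[Point, Point, Point]:
    """Toy ECDH: Alice's secret a, Bob's secret b.  Returns both public keys
    and the shared point each side computes (a*(b*G) == b*(a*G))."""
    pub_a, pub_b = mul(a, base), mul(b, base)
    shared_alice, shared_bob = mul(a, pub_b), mul(b, pub_a)
    assert shared_alice == shared_bob
    return pub_a, pub_b, shared_alice


if __name__ == "__main__":
    G = (11, 10)
    print("#E(F_23) =", len(points()), " order of G =", order(G))
    pub_a, pub_b, shared = ecdh(G, a=5, b=7)
    print("public keys", pub_a, pub_b, "shared", shared)
    # Eve sees pub_a, solves the ECDLP by brute force and recovers the shared point:
    a_recovered = ecdlp_bruteforce(G, pub_a)
    print("Eve recovers a =", a_recovered, "and the shared point", mul(a_recovered, pub_b))
```

Note how the point (1, 5) doubles to (0, 0), the single point of order 2, and so has order 4: a base point must be checked for large prime order before use, which is what the cofactor and order fields of a standardized curve record.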
Trusted Computing
Today we are in the midst of a quiet cryptographic revolution that will affect every computer user
around the world. The rapidly increasing number of virus attacks, trojan horses, denial of service
attacks, spyware, online piracy and other security-related problems prompted commercial vendors
to join their efforts and propose a technology meant to help solve these difficult problems.
The Trusted Computing Group (TCG), formerly known as the Trusted Computing Platform Alliance
(TCPA), is an initiative of vendors to implement trusted computing. Trusted computing is a term
that covers the use of trusted systems, i.e. systems which the user has no choice but to trust.
The main purpose of the TCG was to develop a hardware device, the Trusted Platform Module
(TPM), that enables trusted computing features. Basically, it is an integrated circuit that provides
cryptographic functions such as a random number generator, the RSA cryptosystem, storage of
cryptographic hashes, etc. It is expected that by 2010 all notebooks and desktop PCs will include a
TPM on their motherboards. Another objective of the TCG is to release a Trusted Network Connect
(TNC) architecture that enables network operators to enforce endpoint integrity at every network
connection, while preserving interoperability among multi-vendor network endpoints.
Trust
In the field of security, the term trusted system denotes a system which has to be trusted for the
security of a larger system to hold. A trusted system is therefore a system that can break the
user's security policy, i.e. a system you are forced to trust because you have no choice. Trusted
does not mean trustworthy. For example, a hard drive controller must be trusted by its users to
work as expected in every case. A secure web site must also be trusted to be secure, as the user
cannot verify this alone. Trust is always a kind of compromise or weakness: undesirable, yet
inevitable.
The term trust causes the main controversy. The TCG defines technical trust as follows: an entity
can be trusted if it always behaves in the expected manner for the intended purpose. The
controversy comes from the fact that, rather than defining a trustworthy system, this leads to a
system the user is forced to trust.
Another concern is that the concept of the TPM cannot always be used to its full extent, since
there are cases when it is not possible to examine all hardware components, which presents a
security risk to the overall platform integrity and data.
Another problem is the pace of cryptographic advances, which quickly make hardware
implementations of algorithms obsolete.
While trusted computing increases security on the one hand, it also makes it possible to force
users into mandatory digital rights management, to harm privacy and to impose other restrictions
on users. Entrusting networked computers to authorities could lead to censorship. As a result, a
new concept of secure computing was introduced, in which anonymity is the main concern.
Concepts of trusted computing
Trusted computing encompasses five essential technology concepts of a trusted system:
1. Endorsement Key
2. Secure Input and Output
3. Memory curtaining, protected execution
4. Sealed storage
5. Remote attestation
Endorsement key
The endorsement key is a 2,048-bit RSA public and private key pair, created at manufactured time,
stored in the chip and cannot be changed. The private key is stored in the chip, the public key is
disclosed to other modules for attestation and for encryption of information sent to the chip.
This key allows the executions of secure transactions. Each TPM is required to sign a random
number to prove its identity; this makes impossible for a software TPM emulator to start a secure
transaction with a trusted entity. The TPM is designed to avoid the extraction of this key by
hardware analysis.
Secure Input and Output
There must be established a protected path between the computer user and the software. Secure I/O
uses checksums to identify any potential tampering of the information exchanged. Secure I/O is
however not resistant to hardware based attacks, such as keylogger devices.
Memory curtaining, protected execution
Memory curtaining isolates sensitive areas of memory (e.g. areas containing cryptographic keys).
Using virtualization techniques, even OS does not have access to this part of the memory.
Sealed storage
Another form of protection is achieved by encrypting data with a key derived from the software and
hardware in use. Effectively, the data can only be read by the same combination of software and
hardware: only the unmodified software can work with the data, and any modification of the original
program leads to a cryptographic failure when the data are read.
Remote attestation
Remote attestation allows changes to the computer to be detected by the user and by a remote
administrator, so that a compromised computer can be identified and excluded from a secure network
or from making important decisions. The hardware generates a certificate (a signed statement) of the
software currently running that can be shown to a remote party as assurance that the computer has
not been tampered with. Remote attestation usually uses public key cryptography.
Controversy
The main controversy around Trusted Computing stems from the fact that TC can be used so that data
are controlled by their creators rather than by the user of the computer on which they are stored.
This could lead to remote censorship.
Another issue is vendor lock-in, where a vendor can force users to use only its software, as the
output of the software is encrypted with keys only the vendor has access to.
Whoever controls the TC infrastructure acquires a large amount of power and, as history shows, such
power tends to be abused.
Control of the received information
Because of remote attestation, users cannot control the information they receive. For example, buying
Digital Rights Management (DRM) enabled music online could allow the music industry to impose
unreasonable restrictions on the user, such as preventing a song from being played more than a
specified number of times without additional payment. Remote attestation can be used to send music
only to conforming players, sealed storage can prevent the user from playing the music with a
different player, and memory curtaining can prevent the user from making a copy of it.
Inability to change software
Whereas trusted computing can prevent some forms of malicious behaviour, sealed storage and remote
attestation can also be used to prevent competition between software products. For example, web
browsers often identify themselves as another browser to enable features of a web page that require
the presence of a given browser. With remote attestation these browsers would be rejected as
inappropriate.
Control of the data
Users no longer control their data. Sealed storage could prevent data from being moved to a new
computer; if the TPM is outdated or fails, it could be impossible to transfer files from the older
computer to a new one.
Loss of Internet anonymity
A TC-enabled computer is able to uniquely identify its owner through remote attestation. To cope
with this problem, researchers devised direct anonymous attestation (DAA), adopted in the TPM 1.2
specification, which lets a platform prove that it has a genuine TPM without revealing which one.
Censorship
Trusted computing brings new possibilities for censorship. For example, a newspaper could require
that its articles be read only with a trusted application. This could lead to a situation where the
application forces the user to read only the latest version of an article, with no possibility of
storing the content of a previous, uncensored version. It effectively allows the author of the
article to deny access to older versions, so history could be rewritten by changing or deleting
articles.
Web censorship could be implemented by a trusted browser that denies the user access to web sites
the author of the browser finds inappropriate.
Impracticality of trusted computing
As hardware is not free of errors, the potential for failure remains, and with tightly implemented
trusted computing the results can be disastrous: a user might be irrevocably prevented from
accessing her information after a hardware failure, since sealed storage prevents the information
from being read on a different computer.
Owner override
A partial solution to some of the problems trusted computing faces lies in owner override, where the
owner can disable parts of trusted computing.
Trusted computing protects programs against everything, even the owner. Owner override is a
suggested fix for this; however, it was rejected by the TCG. While still impractical, as it requires
manual effort from the user, it at least allows the use of different software in lieu of the
required one by an action of the owner and a manual certification of the owner's presence. Instead
of preventing software changes, remote attestation would indicate that the software was changed
without the owner's permission.
The problem with owner override is that it defeats the trust in other computers, since remote
attestation is no longer enforced centrally. The fundamental premise of trusted computing is that
the owner cannot be trusted, and owner override allows the user to waive the rules or restrictions
on her own computer.
Secure bootstrap
The cornerstone of trusted computing is a secure boot process. A secure initialization of the
computer is extremely important, as any malicious modification of the initialization procedure
could lead to permanent compromise of the system. The TCG has therefore placed great emphasis on
this problem, and its approach builds on the AEGIS secure bootstrap mechanism described below.
AEGIS
AEGIS, developed at the University of Pennsylvania by William A. Arbaugh, Angelos D. Keromytis,
David J. Farber and Jonathan M. Smith, provides a way to implement a secure boot process based on a
public key infrastructure, digital signatures and cryptographic hash functions. AEGIS was designed
with the following assumptions in mind:
1. CPU, motherboard and a portion of the system BIOS are not compromised.
2. Existence of a cryptographic certificate authority infrastructure to bind an identity with a
public key, although no limits are placed on the type of infrastructure.
3. A trusted repository exists for recovery purposes. This repository may be a host on a
network that is reachable through a secure communications protocol, or it may be a trusted
ROM card located on the protected host.
The existence of a trusted repository prevents some forms of Denial of Service (DoS) attacks, as
failing components can be replaced by their counterparts from the trusted repository.
The goals of AEGIS can be summarized as follows:
1. Allow the AEGIS client and the trusted repository to mutually authenticate their identities
with limited or no prior contact (mobility between domains).
2. Prevent man in the middle attacks.
3. Prevent replay attacks.
4. Mitigate certain classes of denial of service attacks.
5. Allow the participating parties to agree upon a shared secret in a secure manner in order to
optimize future message authentication.
6. Keep It Simple and Secure: Complexity breeds design and implementation vulnerabilities.
Guaranteed secure boot process
AEGIS relies on two rules of the boot mechanism:
1. No code is executed unless it is explicitly trusted or verified prior to execution.
2. When an integrity failure is detected, the process can recover a suitable replacement module.
AEGIS divides the boot process into levels. The lowest level, Level 0, contains a small section of
trusted software, the digital signatures, the public key certificates and the recovery code. The
integrity of this level is assumed; nevertheless an initial checksum test is performed to detect
PROM failures. The first level contains the remainder of the usual BIOS code and the CMOS. The
second level contains all expansion cards and their associated ROMs, if any. The third level
contains the operating system boot sector, which resides on the bootable device and is responsible
for loading the operating system kernel. The fourth level contains the operating system, and the
fifth and final level contains user level programs and any network hosts.
In a traditional boot process the transition between levels is accomplished with a jump or call
instruction without any attempt to verify the integrity of the next level. AEGIS, on the other
hand, uses public key cryptography and cryptographic hashes to protect the transition from each
lower level to the next higher one, and its recovery process ensures the integrity of the next level
in the event of a failure. Before control is passed to a higher level, the certificate for the new
level is obtained and verified. If the verification is successful, the control
The pseudocode for the action taken at each level L before the transition to level L+1 is shown below:
    int IntegrityValid(Level L)
    {
        Certificate c = LookupCert(L);     /* component signature certificate of level L */
        int result;
        if (result = VerifyCertChain(c))   /* chain from c up to the trusted authority */
            return DSAVerify(SHA1(L), c);  /* signature over the hash of the level's code */
        else
            return result;                 /* chain invalid: fail before touching L */
    }

    if (IntegrityValid(L+1))
    {
        ControlTransition(L+1);            /* verified: pass control to the next level */
    }
    else
    {
        RecoveryTransition(L+1);           /* failed: fetch a replacement and verify it */
    }
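The same verify-or-recover walk over the boot levels in runnable form, as an added example (this is not the AEGIS authors' code). It assumes that the component signature certificate is an HMAC-SHA1 over SHA1(image) under a key held in Level 0, standing in for the DSA signature and SDSI/SPKI certificate chain of the real design; the levels are constructed byte strings rather than firmware, and the trusted repository is an in-memory dictionary that holds no signing key, so a corrupted repository copy fails verification just like a corrupted local one.

```python
"""Toy model of the AEGIS verify-before-execute boot chain with recovery.

Added example; not the AEGIS authors' code.  Assumptions: the component
signature certificate is an HMAC-SHA1 over SHA1(image) under a key held in
Level 0 (a stand-in for the DSA signature and SDSI/SPKI certificate chain of
the real design); the levels are constructed byte strings rather than
firmware; the trusted repository is an in-memory dictionary.
"""
import hashlib
import hmac

LEVEL0_KEY = b"constructed level-0 verification key"  # stands in for the DSA key


def sign_component(image):
    """Issued offline by the authority: certificate binding SHA1(image)."""
    return hmac.new(LEVEL0_KEY, hashlib.sha1(image).digest(), hashlib.sha1).digest()


def integrity_valid(image, cert):
    """IntegrityValid(L): recompute SHA1(L) and check the certificate over it."""
    expected = hmac.new(LEVEL0_KEY, hashlib.sha1(image).digest(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, cert)


class TrustedRepository:
    """Known-good images plus their certificates (a network host or ROM card).
    It holds no signing key: a corrupted copy will fail verification."""
    def __init__(self, images, certs):
        self.images = {name: (img, certs[name]) for name, img in images.items()}

    def fetch(self, name):
        return self.images.get(name)


def aegis_boot(levels, certs, repo, log):
    """Walk levels 1..n; each level is verified before control passes to it.

    levels: ordered list of (name, image) as found on the machine
    certs:  name -> certificate from the certificate table
    Returns the list of (name, image) that actually received control."""
    executed = []
    for name, image in levels:
        if integrity_valid(image, certs.get(name, b"")):
            log.append(f"{name}: verified, control transition")
        else:
            log.append(f"{name}: integrity failure, recovery transition")
            replacement = repo.fetch(name)
            # rule 1 applies to recovered code as well: verify before execute
            if replacement is None or not integrity_valid(*replacement):
                log.append(f"{name}: recovery failed, boot halted")
                return executed
            image = replacement[0]
        executed.append((name, image))
    return executed


# constructed levels in AEGIS order; Level 0 (the verifier itself) is implicit
GOOD = {"BIOS": b"bios remainder v2", "Expansion ROMs": b"nic option rom v1",
        "Boot Block": b"boot sector v3", "Operating System": b"kernel 2.6"}
ORDER = ["BIOS", "Expansion ROMs", "Boot Block", "Operating System"]


def demo():
    certs = {name: sign_component(img) for name, img in GOOD.items()}
    repo = TrustedRepository(GOOD, certs)
    logs = {"clean": [], "tampered": [], "unrecoverable": []}

    clean = aegis_boot([(n, GOOD[n]) for n in ORDER], certs, repo, logs["clean"])

    # boot sector replaced by a bootkit: verification fails, the repository copy is used
    tampered = {**GOOD, "Boot Block": b"boot sector v3 + bootkit"}
    recovered = aegis_boot([(n, tampered[n]) for n in ORDER], certs, repo, logs["tampered"])

    # the repository copy is corrupted too (or is the wrong version): the boot must halt
    bad_repo = TrustedRepository({**GOOD, "Boot Block": b"garbage"}, certs)
    halted = aegis_boot([(n, tampered[n]) for n in ORDER], certs, bad_repo, logs["unrecoverable"])

    return {"clean": [n for n, _ in clean],
            "recovered": [n for n, _ in recovered],
            "recovered_image": dict(recovered)["Boot Block"],
            "halted": [n for n, _ in halted],
            "logs": logs}
```

The third scenario is the one worth noticing: because the repository is just another untrusted source until its copy passes the same certificate check, a corrupted or wrong-version replacement stops the boot at Level 2 instead of running unverified code, which is exactly rule 1 applied to the recovery path.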
The boot process is shown in a nutshell in the following figure.
AEGIS does not use the X.509 PKI standard; rather, it employs the more suitable concepts of the
SDSI/SPKI 2.0 standard. X.509 is unsuitable because of its large certificates and the ambiguity in
parsing compliant certificates that stems from its use of the Basic Encoding Rules (BER).
Figure: AEGIS boot levels. Level 0: AEGIS ROM (initiate POST); Level 1: BIOS Section 1 and BIOS
Section 2; Level 2: Expansion ROMs; Level 3: Boot Block; Level 4: Operating System; Level 5: User
Programs and Network Host. Solid arrows mark control transitions between levels, dashed arrows the
recovery transitions taken on an integrity failure.
SDSI/SPKI provides the notion of a capability. In a capability based model the certificate carries
the authorizations of its holder, eliminating the need for an identity infrastructure and access
control lists. AEGIS uses two capabilities, SERVER and CLIENT.
AEGIS also uses three types of certificates. The first is an authorization certificate; signed by a
trusted third party or certificate authority, it grants the holder of the private key the capability
to generate the second type, an authentication certificate. The authentication certificate
demonstrates that the client or server actually holds the private key corresponding to the public
key identified in it. A nonce field, together with the corresponding nonce in the server's
authentication certificate, makes the authentication protocol fail-stop, detecting and preventing
active attacks such as a man-in-the-middle. The third type, the component signature certificate, is
either embedded in a component or stored in a table and is used by the AEGIS boot process.
AEGIS communicates with the trusted repository over IPsec, obtaining its network configuration via
DHCP; the client (the AEGIS host) and the server (the trusted repository) authenticate each other
and agree on a shared secret with a modified Station-to-Station protocol. Both have to agree on a
trusted third party and obtain its public key before any further communication. Subsequent messages
are then authenticated with an HMAC based on SHA-1.
Hardware boot process verification
A secure bootstrap mechanism alone is not sufficient for trustworthy computing, as peripherals can
be used to mount an attack (a consequence of the CPU-centric approach of AEGIS and similar
solutions). The TCG therefore advocates a secure hardware device that verifies the boot sequence and
authenticates that verification. A remote administrator can then check whether the system at least
started from a trustworthy state. Currently the Trusted Platform Module (TPM) provides this
functionality: it enables a remote observer to verify the integrity of a running operating system,
which in turn enables the stronger security guarantees of complex systems such as Microsoft's NGSCB.
The TPM can be used to verify the integrity of a computing system. It employs cryptographic hash
functions to measure data and contains at least 16 Platform Configuration Registers (PCRs) that hold
hash digests of programs and firmware. A measurement is extended into a PCR by hashing together the
current value of the PCR and the hash of the data and storing the result in the PCR; a PCR can
therefore only be extended, never set directly, and its final value depends on the order of the
measurements. All code must be measured before control is transferred to it.
On a computer reset, control is given to the Core Root of Trust for Measurement (CRTM), a small and
immutable piece of code. The CRTM measures all executable firmware attached to the motherboard, such
as the BIOS, into PCR0 and then transfers control to the BIOS, which measures the hardware
configuration into PCR1 and the option ROMs into PCR2 before executing them. Each option ROM must
measure its configuration and data into PCR3. The BIOS then measures the Initial Program Loader
(IPL/MBR) into PCR4 before transferring control to it, and the IPL measures its configuration and
data into PCR5. PCR6 is used during power state transitions (sleep, suspend, etc.) and PCR7 is
reserved.
Use of the PCRs during the boot:
    PCR0      BIOS
    PCR1      Hardware configuration
    PCR2      Option ROMs
    PCR3      Option ROM configuration
    PCR4      Boot loader
    PCR5      Boot loader configuration
    PCR6      Power state transitions
    PCR7      Reserved
    PCR8-15   Operating system (kernel, devices, applications)
The remaining eight PCRs can be used to measure the kernel, device drivers, applications, etc. in
the same way. At this point the bootstrap code, the operating system and some applications have
been loaded. A remote observer can verify which bootstrap code or operating system has been loaded
by asking the TPM to sign a message containing the PCR values and a fresh nonce supplied by the
observer; this operation is called attestation (a quote). The signature proves that the values come
from a genuine TPM and the nonce prevents replay of an old quote; the observer then compares the
reported values with known-good values and only on that basis decides whether to trust the system.
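The measure-extend-quote sequence above, together with the sealed storage and remote attestation concepts from the start of the chapter, as one added example (not code from the page or from any TPM). It assumes 16 SHA-1 PCRs as in TPM 1.1/1.2 and lets a single symmetric device secret stand in for the TPM's keys, so the verifier here shares that secret; a real TPM signs quotes with an attestation identity key and seals under an asymmetric storage key, and the verifier needs only public keys. The boot components are constructed byte strings, not real firmware.

```python
"""Toy model of TPM-style measured boot, sealed storage and remote attestation.

Added example; not code from the page or from any TPM.  Assumptions: 16
SHA-1 PCRs as in TPM 1.1/1.2; one symmetric "device secret" stands in for
the TPM's keys (a real TPM signs quotes with an attestation identity key and
seals under an asymmetric storage key, so the verifier needs no secret);
the boot components are constructed byte strings, not real firmware.
"""
import hashlib
import hmac
import os

N_PCR = 16


def sha1(data):
    return hashlib.sha1(data).digest()


def _keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + blk.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)


class ToyTPM:
    def __init__(self, device_secret):
        self.pcr = [b"\x00" * 20] * N_PCR   # reset state
        self._secret = device_secret        # never leaves the chip

    def extend(self, index, data):
        """PCR[i] = SHA1(PCR[i] || SHA1(data)): append-only and order dependent."""
        self.pcr[index] = sha1(self.pcr[index] + sha1(data))

    def composite(self, indices):
        """Digest of the selected PCRs; sealing and quoting bind to this value."""
        return sha1(b"".join(self.pcr[i] for i in sorted(indices)))

    def seal(self, indices, plaintext):
        """Encrypt so that unsealing works only while the selected PCRs are unchanged."""
        key = hmac.new(self._secret, b"seal" + self.composite(indices), hashlib.sha256).digest()
        nonce = os.urandom(16)
        ct = _keystream_xor(key, nonce, plaintext)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return {"pcrs": sorted(indices), "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob):
        key = hmac.new(self._secret, b"seal" + self.composite(blob["pcrs"]), hashlib.sha256).digest()
        tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None   # PCRs differ from sealing time: a cryptographic failure, not a policy check
        return _keystream_xor(key, blob["nonce"], blob["ct"])

    def quote(self, indices, nonce):
        """Attest the selected PCRs to a verifier-chosen nonce (replay protection)."""
        values = [self.pcr[i] for i in sorted(indices)]
        sig = hmac.new(self._secret, b"quote" + nonce + sha1(b"".join(values)), hashlib.sha256).digest()
        return {"pcrs": sorted(indices), "values": values, "nonce": nonce, "sig": sig}


def verify_quote(device_secret, q, expected_nonce, golden):
    """Verifier: check the signature, the nonce, then the PCRs against golden values."""
    sig = hmac.new(device_secret, b"quote" + q["nonce"] + sha1(b"".join(q["values"])), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, q["sig"]) or q["nonce"] != expected_nonce:
        return "invalid"
    return "trusted" if dict(zip(q["pcrs"], q["values"])) == golden else "modified"


# constructed boot components, measured in the order the text describes (PCR0..PCR5)
BOOT = [(0, b"BIOS v1.0"), (1, b"hardware config"), (2, b"nic option rom"),
        (3, b"option rom config"), (4, b"MBR boot loader v1"), (5, b"boot loader config")]


def measured_boot(tpm, components):
    for index, code in components:   # measure before transferring control
        tpm.extend(index, code)


def demo():
    secret = b"constructed device secret"
    good = ToyTPM(secret)
    measured_boot(good, BOOT)
    golden = {i: good.pcr[i] for i in range(6)}          # known-good values
    blob = good.seal([0, 4], b"disk encryption key")     # bound to BIOS and boot loader
    nonce = os.urandom(20)
    good_quote = verify_quote(secret, good.quote(range(6), nonce), nonce, golden)

    # same machine, boot loader replaced: PCR4 diverges and everything bound to it fails
    bad = ToyTPM(secret)
    measured_boot(bad, [(i, b"MBR boot loader + rootkit" if i == 4 else c) for i, c in BOOT])
    bad_quote = verify_quote(secret, bad.quote(range(6), nonce), nonce, golden)
    return {"good_unseal": good.unseal(blob), "good_quote": good_quote,
            "bad_unseal": bad.unseal(blob), "bad_quote": bad_quote}
```

Two details carry the security argument: the extend operation is a hash chain, so a replaced boot loader cannot be "un-measured" by anything that runs later, and the verifier rejects a quote whose nonce is not the one it just sent, so a recorded quote from a clean boot cannot be replayed after the machine has been compromised.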
Security problems
The weakness of this approach lies in the possibility of tampered hardware. As the most practical
attacks appear to be firmware changes (DVD drives with region-free firmware, an Xbox hacked into a
cheap computer, etc.), it is natural to look for ways to contain the effects of malicious firmware
changes. Untrustworthy devices therefore have to be handled by restricting what they can do. One
solution is sandboxing, which usually means that such devices have restricted access to some
resources and are excluded from services that require trust. Sandboxing is nowadays usually done
with virtualization techniques.
The following figure demonstrates hardware boot verification.
After the reset, the CRTM measures the BIOS into PCR[0] before transferring control to it. The BIOS
recursively measures the devices on the PCI and PCI-X buses. The IDE controller and the Gigabit
Ethernet controller do not support firmware measurement; as a result they cannot be trusted and
their DMA must be sandboxed. The SCSI controller reports that one of its disks cannot be trusted
with unencrypted or unauthenticated sensitive data. The USB controller reports that the camera
cannot be trusted; the USB controller itself, however, can still use DMA.
Virtualization technologies in trusted computing
With the emergence of hardware virtualization platforms such as Intel Vanderpool and AMD Pacifica,
new possibilities opened up for trusted computing. Virtual machines enable containment of attacks
and scoping of trust (sandboxing); together with the root of trust provided by trusted hardware this
enables remote verification and a local fallback in case the software is compromised. Combining the
two technologies brings technological challenges, however:
1. providing an infrastructure with a set of services implementing scalable security for virtual
machines
2. hardening the virtualization software with the goal of providing an isolation degree among
virtual machines that is as close as possible to the isolation among physical machines
3. leveraging Trusted Computing technology (e.g. for attesting to the integrity of the
virtualization layer) while providing a choice of acceptable policies to the users (e.g.
satisfying privacy concerns).
Figure: hardware boot verification. CRTM -> PCR0 -> BIOS -> PCR1 -> PCI and PCI-X buses with the
USB controller (Camera), IDE controller, GLAN controller and SCSI controller (Disk 1, Disk 2).
Virtualization does not solve all security problems, however, and on its own it introduces new
ones.
The architecture of a trusted system that uses virtualization can be described by the following
diagram:
The hardware platform must allow the use of virtualization technology; recent Intel (Core) and AMD
(socket AM2) processors meet this requirement. The hardware platform must support a Trusted Platform
Module (TPM), and all peripherals of the system must support it too. On top of the hardware platform
lies a thin TC and virtualization enabled BIOS that provides the secure bootstrap mechanism and
starts the main virtualization operating system. This system controls the hardware, provides
virtualized hardware devices and sandboxes the user operating systems (Windows, Linux, etc.) running
in separate virtual machines.
Digital Rights Management
One of the most controversial topics of Trusted Computing is Digital Rights Management (DRM). On
the one hand it is strongly demanded by content providers, as the Internet is a threat to their
profits; on the other hand it puts many restrictions on users and buyers of digital content.
DRM is any of several technologies used by publishers to control access to digital data (such as
software, music, movies) and hardware, enforcing usage restrictions associated with a specific
instance of a digital work.
Protected Video Path Output Protection Management (PVP-OPM)
PVP-OPM is a form of DRM implemented in the Windows Vista operating system. Microsoft states that
the PC's video outputs either have the required protection or are turned off when no such
protection is available.
Windows Vista provides process isolation to prevent users from copying DRM content: if an unverified
kernel-mode component is loaded, Vista stops playing DRM content. The Protected Environment (PE) in
which DRM content is played contains the media components that handle it, so the rest of the system
never needs to touch unprotected content data; it is sufficient to give the user only basic playback
controls (Play, Stop, Pause, ...). Content can therefore be processed without being made available
to unapproved software; the PE ensures that no untrusted application (one not certified by
Microsoft) gets access to unprotected content. The PE is based on Intel LaGrande or AMD Presidio
technology.
From the hardware point of view, the digital outputs of the PC must be controlled so that
unrestricted content cannot leave the machine over an unencrypted line. Therefore digital outputs
such as the Digital Visual Interface (DVI) or the High-Definition Multimedia Interface (HDMI) have
High-bandwidth Digital Content Protection (HDCP) enabled to prevent recording of digital content.
Figure: architecture of a trusted system using virtualization, bottom to top: Hardware platform
(Intel LaGrande, AMD Presidio) with the Virtualization Platform (Intel Vanderpool, AMD Pacifica) and
the TPM; Virtualization Technology BIOS (EFI); Main Virtualization Operating System; Virtual
Machines running Operating Systems with TC Applications, Legacy Applications and Management Apps.
HDCP is a form of DRM developed by Intel to control the transfer of video and audio streams over
digital outputs.
The main target of HDCP is to prevent the transmission of unencrypted high definition content. To
achieve that goal, three mechanisms were developed:
1. an authentication process prevents non-genuine devices from receiving high definition content;
2. encryption of the actual data sent over the DVI or HDMI interface prevents eavesdropping and
man-in-the-middle attacks;
3. key revocation procedures ensure that devices that violate the license agreement can easily be
blocked from high definition content.
Each HDCP capable device has a unique set of 40 secret keys, each 56 bits long. These keys are
confidential, and failure to keep them secret is a violation of the license agreement. For each set
of keys a public 40-bit value called the Key Selection Vector (KSV) is created; each KSV has exactly
20 bits set to 1 and 20 bits set to 0.
During the authentication process both parties exchange their KSVs. Each device then adds up
(modulo 2^56, discarding overflow) those of its own secret keys that are selected by the KSV
received from the other device: if a particular bit of the vector is 1, the corresponding secret key
is included in the sum, otherwise it is skipped. Keys and KSVs are generated so that both devices
arrive at the same 56-bit number, which is then used in the encryption process.
Encryption uses a stream cipher: each decoded pixel is XORed with a 24-bit value produced by a
keystream generator. The HDCP specification requires the keys to be updated constantly (after each
encoded frame).
If a particular device is considered compromised, its KSV is put on a revocation list, distributed
e.g. on newly produced discs with HD content. Each revocation list is signed with a DSA digital
signature, which is supposed to prevent malicious users from revoking legitimate devices. If, during
authentication, the transmitter finds the receiver's KSV on the revocation list, it considers the
receiver compromised and refuses to send HD data to it.
Weaknesses
HDCP turned out not to be a well thought out mechanism, as it allows a broad range of attacks. Its
linear key exchange is a fundamental weakness: because the shared key is a linear function of the
secret keys, anyone who obtains the keys of enough devices can eavesdrop on any session, clone any
device knowing only its public KSV, evade any device blacklist, create new, never-issued key
selection vectors and usurp the licensing authority completely.
HDCP is therefore considered broken, even though at the time of writing it is still rare in
consumer hardware.
The best known attack on HDCP is the conspiracy attack, in which around 40 devices with linearly
independent KSVs are compromised and the gathered keys are used to reconstruct the secret of the
central licensing authority.
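The key exchange described above and the linearity weakness it suffers from, as one added example (not from the HDCP specification or any vendor implementation). It assumes the Blom-style structure that any scheme with HDCP's linear exchange property is equivalent to, namely that a device's 40 keys are the product of a secret symmetric 40x40 matrix with its KSV modulo 2^56; the licensing authority's matrix, the KSVs and all keys are constructed with a seeded PRNG. Rather than the full 40-device conspiracy attack, it shows the smallest instance of the same idea: three compromised devices whose KSVs combine, with integer coefficients, into a well-formed KSV that was never issued, and whose keys combine the same way into a working key set for it.

```python
"""Toy model of the HDCP key exchange and a forgery that exploits its linearity.

Added example; not from the HDCP specification or any vendor implementation.
Assumptions: device keys are M * ksv (mod 2^56) for a secret symmetric 40x40
matrix M (the Blom-style structure any scheme with HDCP's linear exchange
property is equivalent to); all KSVs, keys and the authority's matrix are
constructed with a seeded PRNG.
"""
import random

N_KEYS = 40            # secret keys per device
MOD = 1 << 56          # keys are 56 bits; sums wrap modulo 2^56
KSV_WEIGHT = 20        # a KSV has exactly 20 bits set and 20 clear


def is_valid_ksv(ksv):
    return len(ksv) == N_KEYS and all(b in (0, 1) for b in ksv) and sum(ksv) == KSV_WEIGHT


def ksv_from_positions(positions):
    """Build a KSV (list of 40 bits) from the positions of its 1 bits."""
    ksv = [1 if i in positions else 0 for i in range(N_KEYS)]
    assert is_valid_ksv(ksv)
    return ksv


def random_ksv(rng):
    return ksv_from_positions(rng.sample(range(N_KEYS), KSV_WEIGHT))


def make_master_matrix(rng):
    """Licensing authority's secret: a symmetric 40x40 matrix mod 2^56 (assumed model)."""
    m = [[0] * N_KEYS for _ in range(N_KEYS)]
    for i in range(N_KEYS):
        for j in range(i, N_KEYS):
            m[i][j] = m[j][i] = rng.randrange(MOD)
    return m


def device_keys(master, ksv):
    """Issue a device's 40 secret keys: K = M * ksv (mod 2^56)."""
    return [sum(master[i][j] * ksv[j] for j in range(N_KEYS)) % MOD for i in range(N_KEYS)]


def shared_key(my_keys, peer_ksv):
    """HDCP authentication: add own keys selected by the peer's KSV bits, mod 2^56."""
    return sum(k for k, bit in zip(my_keys, peer_ksv) if bit) % MOD


def forge_device(leaked, coeffs):
    """Linearity attack: if sum(c_d * ksv_d) is a well-formed KSV, then
    sum(c_d * keys_d) is its key set, because K = M * ksv is linear.
    leaked: list of (ksv, keys) from compromised devices.  Returns (ksv, keys)."""
    ksv = [sum(c * dev[0][i] for c, dev in zip(coeffs, leaked)) for i in range(N_KEYS)]
    if not is_valid_ksv(ksv):
        raise ValueError("combination is not a well-formed KSV")
    keys = [sum(c * dev[1][i] for c, dev in zip(coeffs, leaked)) % MOD for i in range(N_KEYS)]
    return ksv, keys


def demo(seed=7):
    rng = random.Random(seed)
    master = make_master_matrix(rng)

    # honest transmitter (a player) and receiver (a display): both derive the same key
    tx_ksv, rx_ksv = random_ksv(rng), random_ksv(rng)
    tx_keys, rx_keys = device_keys(master, tx_ksv), device_keys(master, rx_ksv)
    legit_match = shared_key(tx_keys, rx_ksv) == shared_key(rx_keys, tx_ksv)

    # three compromised devices chosen so that u1 + u2 - u3 is again a weight-20 KSV
    u1 = ksv_from_positions(range(0, 20))
    u2 = ksv_from_positions(range(10, 30))
    u3 = ksv_from_positions(list(range(0, 5)) + list(range(10, 20)) + list(range(20, 25)))
    leaked = [(u, device_keys(master, u)) for u in (u1, u2, u3)]
    fake_ksv, fake_keys = forge_device(leaked, [1, 1, -1])

    # the forged device authenticates to the honest transmitter ...
    forged_match = shared_key(fake_keys, tx_ksv) == shared_key(tx_keys, fake_ksv)
    # ... and its KSV cannot be on any revocation list: no such device was ever issued
    revocation_list = {tuple(u) for u, _ in leaked}
    return {"legit_match": legit_match,
            "forged_match": forged_match,
            "forged_ksv_revocable": tuple(fake_ksv) in revocation_list}
```

The forged KSV is a valid, never-issued vector, so revoking the three leaked devices does nothing against it; that is the sense in which the linear exchange lets an attacker "create new device key selection vectors" without ever learning the authority's matrix.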