
Cryptographic Algorithms and current trends


1. INTRODUCTION
Cryptography is a fundamental building block for building information systems, and as we enter the so-called "information age" of global networks, ubiquitous computing devices, and electronic commerce, we can expect that cryptography will become more and more important with time. The main goal of cryptography is to adequately address the following four areas in both theory and practice:

a. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.

b. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.

c. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).

d. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

Cryptography has a long and fascinating history [1]. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies. The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services.

Beginning with the work of Feistel [2] at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world. The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography [3]. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem.

Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman [4] discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor.

The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by El Gamal [5] in 1985. These are also based on the discrete logarithm problem. One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard [6], a mechanism based on the El Gamal public key scheme.

* e-mail: psyllos@central.ntua.gr

The search for new public-key schemes, improvements to
existing cryptographic mechanisms, and proofs of security
continues at a rapid pace. Various standards and
infrastructures involving cryptography are being put in
place. Security products are being developed to address the
security needs of an information intensive society.
The purpose of this work is to give an up-to-date survey of algorithms of interest in cryptographic practice, and to refer to the institutions involved in the creation of cryptographic products.
2. CRYPTOGRAPHY BASICS
In cryptographic terminology, the message is called
plaintext or cleartext. Encoding the contents of the message
in such a way that hides its contents from outsiders is called
encryption. The encrypted message is called ciphertext. The
process of retrieving the plaintext from the ciphertext is
called decryption. Encryption and decryption usually make
use of a key, and the coding method is such that decryption
can be performed only by knowing the proper key.
There are two classes of key-based encryption algorithms,
symmetric (or secret-key) and asymmetric (or public-key)
algorithms. The difference is that symmetric algorithms use
the same key for encryption and decryption (or the
decryption key is easily derived from the encryption key),
whereas asymmetric algorithms use a different key for
encryption and decryption, and the decryption key cannot
be derived from the encryption key.
Symmetric algorithms can be divided into stream ciphers
and block ciphers. Stream ciphers encrypt a single bit of
plaintext at a time, whereas block ciphers take a number of
bits (typically 64 bits in modern ciphers), and encrypt them
as a single unit.
Asymmetric ciphers (also called public-key algorithms)
permit the encryption key to be public (it can even be
published to a web site), allowing anyone to encrypt with
the key, whereas only the proper recipient (who knows the
decryption key) can decrypt the message. The encryption
key is also called the public key and the decryption key the
private key. The security provided by these ciphers is based
on keeping the private key secret.
3. CRYPTOGRAPHY ALGORITHMS
3.1 SYMMETRIC KEY ALGORITHMS
I. BLOCK CIPHERS
Symmetric (secret key) encryption schemes use the same key for encryption and decryption and usually have predefined key lengths. They provide high security and high performance, but suffer from the key exchange problem: a group of n entities needs to exchange n(n-1)/2 different keys over secure channels.

The current state of the art in symmetric encryption is surely given by the five finalists of the AES selection process. In the AES competition, the winner, Rijndael, got 86 votes at the last AES conference, while Serpent got 59 votes, Twofish 31 votes, RC6 23 votes and MARS 13 votes (Nechvatal et al. [7]). We will focus on the winner of the AES selection process, namely Rijndael, as the representative of this class.

                32bit [C]   32bit [JAVA]   64bit [C and Assembly]   8bit [C and Assembly]
MARS            ++          ++             ++                       ++
RC6             +++         +++            ++                       ++
RIJNDAEL        ++          ++             +++                      +++
SERPENT         ?           ?              ?                        ?
TWOFISH         ++          +++            ++                       ?
(? = rating not present in the source text; surviving ratings of incomplete rows are listed in the order they appear, so their column assignment is uncertain)

TABLE 1. Encryption and decryption performance


                32bit [C]   32bit [JAVA]   64bit [C and Assembly]   8bit [C and Assembly]
MARS            ++          ++             ++                       ?
RC6             ++          ++             ++                       ?
RIJNDAEL        +++         +++            +++                      +++
SERPENT         ++          ++             ?                        ?
TWOFISH         ++          ?              ?                        ?
(? = rating not present in the source text; surviving ratings of incomplete rows are listed in the order they appear, so their column assignment is uncertain)

TABLE 2. Key setup performance


NIST [24] has defined five modes of operation for AES and
other FIPS-approved ciphers [8]: CBC (Cipher Block
Chaining), ECB (Electronic CodeBook), CFB (Cipher
FeedBack), OFB (Output FeedBack), and CTR (Counter).
The CBC mode is well defined and well understood for
symmetric ciphers, and it is currently required for all other
ESP ciphers.
ECB The simplest of the encryption modes is the electronic
codebook (ECB) mode, in which the message is split into
blocks and each is encrypted separately. The disadvantage
of this method is that identical plaintext blocks are
encrypted to identical ciphertext blocks; thus, it does not
hide data patterns well. In some senses it doesn't provide
message confidentiality at all, and it is not recommended
for cryptographic protocols.
CBC In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks up to that point. Also, to make each message unique, an initialization vector is used in the first block.
CFB The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. The operation is very similar; in particular, CFB decryption is almost identical to CBC decryption performed in reverse.
OFB The output feedback (OFB) mode makes a block
cipher into a synchronous stream cipher: it generates
keystream blocks, which are then XORed with the plaintext
blocks to get the ciphertext. Just as with other stream
ciphers, flipping a bit in the ciphertext produces a flipped
bit in the plaintext at the same location. This property
allows many error correcting codes to function normally
even if applied before encryption. Because of the symmetry
of the XOR operation, encryption and decryption are
exactly the same.
CTR Like OFB, counter mode turns a block cipher into a
stream cipher. It generates the next keystream block by
encrypting successive values of a "counter". The counter
can be any simple function which produces a sequence
which is guaranteed not to repeat for a long time, although
an actual counter is the simplest and most popular. CTR
mode has very similar characteristics to OFB, but also
allows a random access property for decryption and is
probably secure if the block cipher is strong. CTR mode is
also known as Segmented Integer Counter (SIC) mode.

A. RIJNDAEL
Rijndael is a block cipher adopted as an encryption standard by the US government. It is expected to be used worldwide and analysed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). AES was adopted by the National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardization process (see Advanced Encryption Standard process for more details).
The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael", a combination of the names of the inventors.
Strictly speaking, AES is not precisely Rijndael (although in practice they are used interchangeably) as Rijndael supports a larger range of block and key sizes; AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. The key is expanded using Rijndael's key schedule. Most of the AES calculations are done in a special finite field.
AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). For encryption, each round of AES, except the last round, consists of four stages:
AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.
SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column using a linear transformation.
The final round replaces the MixColumns stage with another instance of AddRoundKey.

FIGURE 1. Rijndael Add Round Key operation

In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation. For each round, a subkey is derived from the main key using the key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

FIGURE 2. Rijndael Sub Bytes operation

In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S: b_{i,j} = S(a_{i,j}). This operation provides the non-linearity in the cipher. The S-box used is derived from the inverse function over GF(2^8), known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation. The S-box is also chosen to avoid any fixed points (and so is a derangement), and also any opposite fixed points. The S-box is more fully described in the article Rijndael S-box.

FIGURE 3. Rijndael Shift Rows operation

In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. In this way, each column of the output state of the ShiftRows step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets.)

FIGURE 4. Rijndael Mix Columns operation

In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x). The four bytes of each column of the state are combined using an invertible linear transformation. This function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion, which refers to the property that redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext. Each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with a fixed polynomial c(x) = 3x^3 + x^2 + x + 2. The MixColumns step can also be viewed as a matrix multiply in Rijndael's finite field.
On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by converting the SubBytes, ShiftRows and MixColumns transformations into tables. One then has four 256-entry 32-bit tables, which utilize a total of four kilobytes (4096 bytes) of memory, a kilobyte for each table. A round can now be done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the AddRoundKey step. If the resulting four kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit table by the use of circular rotates.

SECURITY
As of 2006, the only successful attacks against AES have
been side channel attacks. The National Security Agency
(NSA) reviewed all the AES finalists, including Rijndael,
and stated that all of them were secure enough for US
Government non-classified data. In June 2003, the US
Government announced [9] that AES may be used for
classified information:
"The design and strength of all key lengths of the AES
algorithm (i.e., 128, 192 and 256) are sufficient to protect
classified information up to the SECRET level. TOP
SECRET information will require use of either the 192 or
256 key lengths. The implementation of AES in products
intended to protect national security systems and/or
information must be reviewed and certified by NSA prior to
their acquisition and use."
This marks the first time that the public has had access to a
cipher approved by NSA for TOP SECRET information. It
is interesting to note that many public products use 128-bit
secret keys by default; it is possible that NSA suspects a
fundamental weakness in keys this short, or they may
simply prefer a safety margin for top secret documents
(which may require security decades into the future).
The most common way to attack block ciphers is to try
various attacks on versions of the cipher with a reduced
number of rounds. AES has 10 rounds for 128-bit keys, 12
rounds for 192-bit keys, and 14 rounds for 256-bit keys. As
of 2006, the best known attacks are on 7 rounds for 128-bit
keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit
keys.

Some cryptographers worry about the security of AES.
They feel that the margin between the number of rounds
specified in the cipher and the best known attacks is too
small for comfort. The risk is that some way to improve
these attacks might be found and that, if so, the cipher could
be broken. In this sense, a cryptographic "break" is anything faster than an exhaustive search, so an attack against 128-bit key AES requiring 'only' 2^120 operations would be considered a break even though it would be, now, quite unfeasible. In practical application, any break of AES which is only this 'good' would be irrelevant. For the moment, such concerns can be ignored. The largest publicly-known brute-force attack has been against a 64-bit RC5 key by distributed.net (finishing in 2002; Moore's Law implies that this is roughly equivalent to an attack on a 66-bit key today).
Another concern is the mathematical structure of AES.
Unlike most other block ciphers, AES has a very neat
mathematical description [10]. This has not yet led to any
attacks, but some researchers are worried that future attacks
may find a way to exploit this structure.
In 2002, a theoretical attack, termed the "XSL attack", was
announced by Nicolas Courtois and Josef Pieprzyk,
showing a potential weakness in the AES algorithm.
Several cryptography experts have found problems in the
underlying mathematics of the proposed attack, suggesting
that the authors may have made a mistake in their estimates.
Whether this line of attack can be made to work against
AES remains an open question. For the moment, the XSL
attack against AES appears speculative; it is unlikely that
anyone could carry out the current attack in practice.

PERFORMANCE
According to Aoki and Lipmaa [11], Rijndael-128 is able to encrypt a 128-bit block within 237 cycles on a 450 MHz Pentium II. This leads to a throughput of 243 Mbit/s. Lipmaa [12] claims to have a Rijndael library which nearly reaches 1.5 Gbit/s on a 3.06 GHz Pentium IV. Hodjat and Verbauwhede [13] report a Rijndael hardware implementation which reaches a throughput of up to 21.54 Gbit/s. Following Schneier et al. [14], Rijndael encrypts 20% slower for 192-bit keys and 40% slower for 256-bit keys. According to Lenstra [15], a 128-bit symmetric cipher is supposed to be secure against mathematical attacks until at least 2090 (192-bit until 2186, 256-bit until 2282). The estimates from ECRYPT [16] are done much more carefully. They estimate 128-bit keys to be secure until 2035. The 256-bit keys are supposed to be secure within the foreseeable future, which explicitly includes quantum computers. Buchmann [17] reports on the Vernam One-Time Pad, which is mathematically proven unbreakable. But its heavy requirements regarding the keys make it unusable in normal practice.
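To make the round structure described above and the ECB/CBC discussion concrete, here is an added example (not the paper's code, and not the Rijndael reference implementation): AES-128 encryption of one block assembled from the four stages, with the S-box derived from the GF(2^8) inverse and the affine map exactly as the text describes, plus ECB and CBC wrappers showing why ECB leaks repeated plaintext blocks. It uses only the Python standard library and is checked against the FIPS-197 and NIST SP 800-38A test vectors.

```python
# Added example: AES-128 one-block encryption from the four round stages above,
# plus ECB and CBC wrappers. Not the paper's code; standard library only.

def xtime(b):
    """Multiply by x in GF(2^8), reducing by the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def gmul(a, b):
    """Shift-and-add multiplication of two GF(2^8) elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def ginv(a):
    """Multiplicative inverse as a^254 (square-and-multiply); 0 maps to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gmul(r, base)
        base, e = gmul(base, base), e >> 1
    return r

def build_sbox():
    """S-box: inverse in GF(2^8) followed by the invertible affine map (constant 0x63)."""
    box = []
    for a in range(256):
        v, s = ginv(a), 0x63
        for k in range(5):  # XOR of v rotated left by 0..4 bits
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        box.append(s)
    return box

SBOX = build_sbox()

# The state is 16 bytes in column-major order, s[row + 4*col], as in FIPS-197.

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """Row r is rotated left by r positions (AES offsets 0, 1, 2, 3)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Multiply each column by c(x) = 3x^3 + x^2 + x + 2 modulo x^4 + 1."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out

def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]

def expand_key(key):
    """Rijndael key schedule for a 16-byte key: 44 words, i.e. 11 round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """AddRoundKey, nine full rounds, then a final round without MixColumns."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[rnd])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))

def ecb_encrypt(key, data):
    """Electronic codebook: equal plaintext blocks give equal ciphertext blocks.
    Data length must be a multiple of 16; padding is outside this example."""
    return b"".join(aes128_encrypt_block(key, data[i:i + 16])
                    for i in range(0, len(data), 16))

def cbc_encrypt(key, iv, data):
    """Cipher block chaining: XOR each block with the previous ciphertext block first."""
    out, prev = [], bytes(iv)
    for i in range(0, len(data), 16):
        prev = aes128_encrypt_block(key, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)
```

Encrypting two identical 16-byte blocks with ecb_encrypt yields two identical ciphertext blocks, while cbc_encrypt with any IV does not; that repetition is the pattern leak the modes paragraph warns about.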

B. CAMELLIA
The cipher was developed jointly by Mitsubishi and NTT in
2000 [18] , and has similar design elements to earlier block
ciphers (E2 and MISTY1) from these companies.
Camellia has a block size of 128 bits, and can use 128-bit, 192-bit or 256-bit keys, i.e. the same interface as the Advanced Encryption Standard. It is a Feistel cipher with
either 18 rounds (if the key is 128 bits) or 24 rounds (if the
key is 192 or 256 bits). Every six rounds, a logical
transformation layer is applied: the so-called "FL-function"
or its inverse. The cipher also uses input and output key
whitening.
We will focus on the use of the Camellia block cipher
algorithm in Cipher Block Chaining Mode, with an explicit
Initialization Vector, as a confidentiality mechanism within
the context of the IPsec Encapsulating Security Payload
(ESP). Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project [16] and was included in the list of cryptographic techniques for Japanese e-Government systems that was selected by the Japan CRYPTREC (Cryptography Research and Evaluation Committees) [CRYPTREC]. Camellia has been submitted to several other standardization bodies, such as ISO (ISO/IEC 18033) and the IETF S/MIME Mail Security Working Group [19].
Camellia supports a 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the same interface specifications as the Advanced Encryption Standard (AES) [20]. Camellia is a symmetric cipher with a Feistel structure. Camellia was developed jointly by NTT and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic experts. Camellia is suitable for implementation in software and hardware, offering encryption speed in software and hardware implementations that is comparable to AES.
Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations must support this key size. Implementations may also support key sizes of 192 bits and 256 bits. Camellia uses a different number of rounds for each of the defined key sizes. When a 128-bit key is used, implementations must use 18 rounds. When a 192-bit key is used, implementations must use 24 rounds. When a 256-bit key is used, implementations must use 24 rounds. At the time of writing this document, there are no known weak keys for Camellia.
SECURITY
Implementations are encouraged to use the largest key sizes
they can, taking into account performance considerations
for their particular hardware and software configuration.
Note that encryption necessarily affects both sides of a
secure channel, so such consideration must take into
account not only the client side, but also the server.

However, a key size of 128 bits is considered secure for the
foreseeable future. No security problem has been found on
Camellia [CRYPTREC][16]. Although patented, Camellia
is available under a royalty-free license [1].
PERFORMANCE
Performance figures of Camellia are available at Camellia
web site [18]. This web site also includes performance
comparison with the AES cipher and other AES finalists.
The NESSIE project [NESSIE] has reported performance of
Optimized Implementations independently.
As an opportunity to publish the Camellia open source code, NTT offers the code to open source communities such as OpenSSL and Linux, and works so that Camellia will become standard equipment at an early date. In addition, NTT plans to establish a support system for industrial enterprises and corporations that develop products incorporating Camellia, to enrich the Camellia-equipped product lines.

In order for Camellia to be more widely used, NTT actively advances the development of Camellia-equipped products and services, such as security products employing SSL/TLS. In addition, NTT continues to pursue research and development in order to contribute to achieving a securely advanced information society.
II. STREAM CIPHERS
A. RABBIT
Rabbit is a high-speed stream cipher first presented in February 2003 at the 10th FSE workshop by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner. In May 2005, it was submitted to eSTREAM.
Cryptico has patented the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses.
The internal state of the stream cipher consists of 513 bits. 512 bits are divided between eight 32-bit state variables x_{j,i} and eight 32-bit counter variables c_{j,i}, where x_{j,i} is the state variable of subsystem j at iteration i, and c_{j,i} denotes the corresponding counter variable. There is one counter carry bit (subscript 7,i), which needs to be stored between iterations. This counter carry bit is initialized to zero. The eight state variables and the eight counters are derived from the key at initialization.
The algorithm is initialized by expanding the 128-bit key into both the eight state variables and the eight counters such that there is a one-to-one correspondence between the key and the initial state variables, x_{j,0}, and the initial counters, c_{j,0}.
The key, K[127..0], is divided into eight subkeys: k0 = K[15..0], k1 = K[31..16], ..., k7 = K[127..112]. The state and counter variables are initialized from the subkeys as follows:

The system is iterated four times, according to the next-state function defined below, to diminish correlations between bits in the key and bits in the internal state variables. Finally, the counter values are re-initialized according to:

c_{j,4} = c_{j,4} XOR x_{(j+4 mod 8),4}

to prevent recovery of the key by inversion of the counter system. The core of the Rabbit algorithm is the iteration of the system defined by the following equations:

x_{0,i+1} = g_{0,i} + (g_{7,i} <<< 16) + (g_{6,i} <<< 16)
x_{1,i+1} = g_{1,i} + (g_{0,i} <<< 8) + g_{7,i}
x_{2,i+1} = g_{2,i} + (g_{1,i} <<< 16) + (g_{0,i} <<< 16)
x_{3,i+1} = g_{3,i} + (g_{2,i} <<< 8) + g_{1,i}
x_{4,i+1} = g_{4,i} + (g_{3,i} <<< 16) + (g_{2,i} <<< 16)
x_{5,i+1} = g_{5,i} + (g_{4,i} <<< 8) + g_{3,i}
x_{6,i+1} = g_{6,i} + (g_{5,i} <<< 16) + (g_{4,i} <<< 16)
x_{7,i+1} = g_{7,i} + (g_{6,i} <<< 8) + g_{5,i}
g_{j,i} = ((x_{j,i} + c_{j,i})^2 XOR ((x_{j,i} + c_{j,i})^2 >> 32)) mod 2^32

where all additions are modulo 2^32. This coupled system is schematically illustrated in Fig. 5. Before an iteration the counters are incremented as described below.

FIGURE 5. Graphical representation of RABBIT

SECURITY
As of March 2006, no cryptographic weaknesses are
known.
PERFORMANCE
Rabbit uses a 128-bit key and a 64-bit initialization vector.
The cipher was designed with high performance in software
in mind, where fully optimized implementations achieve an
encryption speed of up to 3.7 cycles per byte on a Pentium
3, and of 9.7 cycles per byte on an ARM7. However, the
cipher also turns out to be very fast and compact in
hardware.
The core component of the cipher is a bitstream generator
which encrypts 128 message bits per iteration. The cipher's
strength rests on a strong mixing of its inner state between
two consecutive iterations. The mixing function is entirely
based on arithmetical operations that are available on a
modern processor, i.e., no S-boxes or lookup tables are
required to implement the cipher.
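As an added example (not the paper's code, nor the designers' reference implementation), the Rabbit next-state function and the counter re-initialization written directly from the equations above. The key setup formulas and the counter increment step are not given on this page, so the caller supplies the state words x and counter words c directly; the values used in the checks are constructed inputs.

```python
# Added example: Rabbit next-state function g and the coupled state update, from the
# equations above. Key setup and counter increment are not reproduced here.
MASK = 0xFFFFFFFF

def rotl32(v, r):
    """Rotate a 32-bit word left by r bits (the <<< operator in the equations)."""
    return ((v << r) | (v >> (32 - r))) & MASK

def g(x, c):
    """g_{j,i} = (s^2 XOR (s^2 >> 32)) mod 2^32 with s = x_{j,i} + c_{j,i} mod 2^32."""
    s = (x + c) & MASK
    sq = s * s                     # full 64-bit square of a 32-bit value
    return (sq ^ (sq >> 32)) & MASK

def next_state(x, c):
    """One iteration of the coupled system for x[0..7] given counters c[0..7].
    Even subsystems add two 16-bit rotations, odd subsystems an 8-bit rotation
    and an unrotated g; every addition is taken modulo 2^32."""
    gg = [g(x[j], c[j]) for j in range(8)]
    new = []
    for j in range(8):
        g1, g2 = gg[(j - 1) % 8], gg[(j - 2) % 8]   # g_{j-1,i}, g_{j-2,i}; indices wrap
        if j % 2 == 0:
            v = gg[j] + rotl32(g1, 16) + rotl32(g2, 16)
        else:
            v = gg[j] + rotl32(g1, 8) + g2
        new.append(v & MASK)
    return new

def reinit_counters(x, c):
    """c_{j,4} = c_{j,4} XOR x_{(j+4 mod 8),4}, applied after the four setup iterations
    so that the key cannot be recovered by inverting the counter system."""
    return [c[j] ^ x[(j + 4) % 8] for j in range(8)]
```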

The prime numbers can be probabilistically tested


for primality.

A popular choice for the public exponents is


e=216+1=65537. Some applications choose smaller
values such as e = 3,5, or 35 instead. This is done
in order to make implementations on small devices
(e.g. smart cards) easier, i.e. encryption and
signature verification are faster. But choosing
small public exponents may lead to greater
security risks.

Steps 4 and 5 can be performed with the extended


Euclidean algorithm; see modular arithmetic.

Step 3 changed in PKCS#1 v2.0 to


=LCM(p-1,q-1) instead of =(p-1)(q-1).

The public key consists of

n, the modulus, and

e, the public exponent (sometimes encryption


exponent).

3.2 PUBLIC KEY ALGORITHMS


A. RIVEST SHAMIR & ADELMAN (RSA)
RSA involves two keys: public key and private key (a key
is a constant number later used in the encryption formula.)
The public key can be known to everyone and is used to
encrypt messages. These messages can only be decrypted
by use of the private key. In other words, anybody can
encrypt a message, but only the holder of a private key can
actually decrypt the message and read it. Intuitive example:
Bob wants to send Alice a secret message that only she can
read. To do this, Alice sends Bob a box with an open lock,
for which only Alice has the key. Bob receives the box, he
writes the message in plain English, puts it in the box and
locks it with Alice's lock (now Bob can no longer read the
message.) Bob sends the box to Alice and she opens it with
her key. In this example, the box with the lock is Alice's
public key, and the key to the lock is her private key.
Key generation
Suppose Alice and Bob are communicating over an
insecure (open) channel, and Alice wants Bob to send her a
private (or secure) message. Using RSA, Alice will take the
following steps to generate a public key and a private key:
1.

Choose two large prime numbers p and q such that


pq randomly and independently of each other.

2.

Compute n=pq.

3.

Compute the totient function: (n)=(p-1)(q-1).

4.

Choose an integer e such that 1<e<(n) which is


coprime to (n).

5.

Compute d such that de1(mod((n)).

The private key consists of

n, the modulus, which is public and appears in the


public key, and

d, the private exponent (sometimes decryption


exponent), which must be kept secret.

For reasons of efficiency sometimes a different form of the


private key (including CRT parameters) is stored:

p and q, the primes from the key generation,

d mod (p-1) and d mod (q-1) (often known as


dmp1 and dmq1)

(1/q) mod p (often known as iqmp)

Though this form allows faster decryption and signing


using the Chinese Remainder Theorem (CRT), it
considerably lowers the security. In this form, all of the
parts of the private key must be kept secret. Yet, it is a bad
idea to use it, since it enables side channel attacks in
particular if implemented on smart cards, which would
most benefit from the efficiency win. (Start with y = xemodn
and let the card decrypt that. So it computes yd(mod p) or
yd(mod q) whose results give some value z. Now, induce an
error in one of the computations. Then gcd(z x,n) will
reveal p or q.)
Alice transmits the public key to Bob, and keeps the private
key secret. p and q are sensitive since they are the factors of
n, and allow computation of d given e. If p and q are not
stored in the CRT form of the private key, they are securely

8
deleted along with the other intermediate values from the
key generation.
1) Encrypting messages
Suppose Bob wishes to send a message M to Alice. He
turns M into a number m < n, using some previously
agreed-upon reversible protocol known as a padding
scheme.
Bob now has m, and knows n and e, which Alice has
announced. He then computes the ciphertext c
corresponding to m:
c=me mod n
This can be done quickly using the method of
exponentiation by squaring. Bob then transmits c to Alice.
[edit]
2) Decrypting messages
Alice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure:
m = c^d mod n
Given m, she can recover the original message M. The decryption procedure works because
c^d ≡ (m^e)^d ≡ m^(ed) (mod n).
Now, since ed ≡ 1 (mod p-1) and ed ≡ 1 (mod q-1), Fermat's little theorem yields
m^(ed) ≡ m (mod p) and m^(ed) ≡ m (mod q).
Since p and q are distinct prime numbers, applying the Chinese remainder theorem to these two congruences yields m^(ed) ≡ m (mod pq). Thus, c^d ≡ m (mod n).
PERFORMANCE
RSA is much slower than DES and other symmetric cryptosystems. In practice, Bob typically encrypts a secret message with a symmetric algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits both the RSA-encrypted symmetric key and the symmetrically-encrypted message to Alice.
This procedure raises additional security issues. For instance, it is of utmost importance to use a strong random number generator for the symmetric key, because otherwise Eve (an eavesdropper wanting to see what was sent) could bypass RSA by guessing the symmetric key.
SECURITY
Public key algorithms have complex mathematics and need very long keys. Because of this, public key cryptography is very much slower than secret key cryptography and needs times which are some orders of magnitude over those of Rijndael. Public key encryption is therefore normally only used in hybrid encryption systems: the entities use the public key system to exchange a secret key, and this exchanged key is then used to encrypt the actual message with a symmetric encryption system. Unlike symmetric systems, the encryption performance of asymmetric systems may differ significantly from their decryption performance. The first invented public key encryption system, RSA [26], is still the most used one. It is based on the factorization problem. According to Lenstra [22], RSA currently needs a modulus size somewhere between 2790 bit and 3390 bit to meet the security of a 128-bit Rijndael encryption. Rijndael-192 security is reached by a modulus size somewhere between 7160 bit and 8200 bit. Rijndael-256 security implies an RSA modulus between 14200 bit and 15800 bit. ECRYPT [16] estimates that RSA keys with lengths of 3072, 7680 and 15360 bit offer equivalent security to Rijndael 128, 192 and 256, see TABLE 3. The most prominent alternative to RSA is elliptic curve cryptography (ECC). It is based on the discrete logarithm problem and is faster than RSA because it manages with shorter keys. According to the table of Lenstra and Verheul [25], the security of 1024-bit RSA is met by an ECC key between 138 bit and 147 bit. ECRYPT [16] estimates that a 160-bit ECC key provides RSA-1024 security. All widely used public key cryptosystems are broken by efficient algorithms for sufficiently large quantum computers. There is some research on quantum-safe public key cryptosystems in order to meet this threat.
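The key generation, encryption, decryption and CRT steps of this RSA section, as an added example that is neither the paper's nor PKCS #1's code. The primes p = 61, q = 53, the exponent e = 17 and the message m = 65 are constructed toy values far below any usable key size; modexp is the exponentiation by squaring the text names, and the re-encryption check in decrypt_crt is the standard defence against the CRT fault attack mentioned at the start of the section.

```python
import math


def modexp(base: int, exp: int, mod: int) -> int:
    """Exponentiation by squaring: computes base^exp mod mod in O(log exp) multiplications."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def keygen(p: int, q: int, e: int):
    """Derive the public key (n, e), the private exponent d and the CRT form of the private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                      # ed = 1 (mod phi), hence ed = 1 (mod p-1) and (mod q-1)
    crt = {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}
    return (n, e), d, crt


def encrypt(m: int, pub) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must first be padded to a number below n")
    return modexp(m, e, n)                   # c = m^e mod n


def decrypt(c: int, d: int, n: int) -> int:
    return modexp(c, d, n)                   # m = c^d mod n


def decrypt_crt(c: int, crt: dict, pub) -> int:
    """Decrypt with two half-size exponentiations mod p and mod q, recombined by the CRT
    (Garner's form). This is exactly why p and q must stay secret: they are the key."""
    p, q = crt["p"], crt["q"]
    mp = modexp(c, crt["dp"], p)             # c^d mod p, since d = dp (mod p-1)
    mq = modexp(c, crt["dq"], q)             # c^d mod q
    h = crt["qinv"] * (mp - mq) % p
    m = mq + h * q
    # A faulted half-computation yields a value wrong modulo only one prime; releasing it
    # would let gcd(z - x, n) expose a factor. Re-encrypting and comparing catches that.
    if encrypt(m, pub) != c:
        raise RuntimeError("CRT result failed verification; result withheld")
    return m
```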

TABLE 3. Key length comparison for the same security


4. HASH FUNCTIONS - DIGITAL SIGNATURES
Hash functions take a block of data as input, and produce a hash or message digest as output. The usual intent is that the hash can act as a signature for the original data, without revealing its contents. Therefore, it is important that the hash function be irreversible: not only should it be nearly impossible to retrieve the original data, it must also be infeasible to construct a data block that matches some given hash value. Randomness, however, has no place in a hash function, which should be completely deterministic. Given the exact same input twice, the hash function should always produce the same output. Even a single bit changed in the input, though, should produce a different hash value. The hash value should be small enough to be manageable in further manipulations, yet large enough to prevent an attacker from randomly finding a block of data that produces the same hash. In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. A hash function takes a long string (or message) of any length as input and produces a fixed-length string as output, sometimes termed a message digest or a digital fingerprint.

A typical use of a cryptographic hash would be as follows: Alice poses to Bob a tough math problem and claims she has solved it. Bob would like to try it himself, but would yet like to be sure that Alice is not bluffing. Therefore, Alice writes down her solution, appends a random nonce, computes its hash and tells Bob the hash value (whilst keeping the solution secret). This way, when Bob comes up with the solution himself a few days later, Alice can verify his solution but still be able to prove that she had the solution earlier.
In actual practice, Alice and Bob will often be computer programs, and the secret would be something less easily spoofed than a claimed puzzle solution. The above application is called a commitment scheme. Another important application of secure hashes is verification of message integrity. Whether or not any changes have been made to a message (or a file) can be determined by comparing message digests calculated before and after transmission (or any other event); see, for example, Tripwire, a system using this property as a defense against malware and malfeasance. A message digest can also serve as a means of reliably identifying a file. A related application is password verification. Passwords are usually not stored in clear text, for obvious reasons, but instead in digest form. To authenticate a user, the password presented by the user is hashed and compared with the stored hash.
Hashes are also used to identify files on peer-to-peer file-sharing networks. For example, in an ed2k link the hash is combined with the file size, providing sufficient information for locating file sources, downloading the file and verifying its contents. Magnet links are another example. Such file hashes are often the top hash of a hash list or a hash tree, which allows for additional benefits.
For both security and performance reasons, most digital signature algorithms specify that only the digest of the message be "signed", not the entire message. Hash functions can also be used in the generation of pseudorandom bits.
The most widely used hash functions (and their modifications) are:
MD5 of R. Rivest (RFC 1321)
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 of NIST (FIPS PUB 180-1)
RIPEMD, RIPEMD-128, RIPEMD-160 of H. Dobbertin, A. Bosselaers, B. Preneel
WHIRLPOOL-0, WHIRLPOOL-T, WHIRLPOOL of P. Barreto, V. Rijmen (NESSIE project, ISO/IEC 10118-3:2004)
FIGURE 6. Hash Function Properties
TABLE 4. Hash functions performance [27]
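The commitment scheme described above (solution plus random nonce, hashed now and opened later), as an added example that is not part of the paper. SHA-256 from the list above is used as the hash; the length prefix in _digest is my own addition so that the solution and the nonce cannot be re-split ambiguously.

```python
import hashlib
import hmac
import secrets


def _digest(solution: bytes, nonce: bytes) -> bytes:
    # Length-prefixing the solution is an addition of mine: with plain concatenation,
    # different (solution, nonce) splits of the same byte string would hash identically.
    data = len(solution).to_bytes(8, "big") + solution + nonce
    return hashlib.sha256(data).digest()


def commit(solution: bytes, nonce_len: int = 32):
    """Alice's step: publish H(solution, nonce) and keep both inputs secret.
    The random nonce is what hides a low-entropy solution; without it, Bob could
    hash candidate solutions until one matched the published value."""
    nonce = secrets.token_bytes(nonce_len)
    return _digest(solution, nonce), nonce


def verify(commitment: bytes, solution: bytes, nonce: bytes) -> bool:
    """Bob's step when Alice opens the commitment: recompute and compare in constant time.
    Binding follows from collision resistance: Alice cannot open to a different solution."""
    return hmac.compare_digest(commitment, _digest(solution, nonce))
```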

SHA-1, MD5, and RIPEMD-160 are among the most commonly used message digest algorithms as of 2005. In August 2004, researchers found weaknesses in a number of hash functions, including MD5, SHA-0 and RIPEMD. This has called into question the long-term security of later algorithms which are derived from these hash functions, in particular SHA-1 (a strengthened version of SHA-0), RIPEMD-128, and RIPEMD-160 (both strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD are widely used since they were replaced by their strengthened versions.
A. SHA-0, SHA-1
SHA-0 and SHA-1 produce a 160-bit digest from a message with a maximum size of 2^64 bits, and are based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.
The original specification of the algorithm was published in
1993 as the Secure Hash Standard, FIPS PUB 180, by US
government standards agency NIST (National Institute of
Standards and Technology). This version is now often
referred to as "SHA-0". It was withdrawn by the NSA
shortly after publication and was superseded by the revised
version, published in 1995 in FIPS PUB 180-1 and
commonly referred to as "SHA-1".
SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function. This was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security.
The compression function takes as input a 160-bit state and a 512-bit data word and outputs a new 160-bit state. The hash function works by repeatedly calling this compression function with successive 512-bit data blocks and each time updating the state accordingly. This compression function is easily invertible if the data block is known: given the data block on which it acted and the output of the compression function, one can compute the state that went in.
Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA's assertion that the change increased the security. In February 2005, an attack on SHA-1 was reported, finding collisions in about 2^69 hashing operations, rather than the 2^80 expected for a 160-bit hash function. In August 2005, another attack on SHA-1 was reported, finding collisions in 2^63 operations.
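The SHA-1 round structure and the inversion the text describes (given the data block, recover the input state), as an added example that is not from the paper or from FIPS PUB 180-1. The 80 rounds without the final addition are the block cipher that the SHACAL subsection later builds from this function (state as data block, data block as key); the feed-forward addition of the input state in sha1_single_block is what makes the full compression function one-way. SHA1_IV, the round constants and the one-block padding are standard SHA-1, and the output is checked against known digests.

```python
import struct

MASK = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _f(t, b, c, d):
    """Round function and additive constant for step t (FIPS PUB 180-1)."""
    if t < 20:
        return (b & c) | (~b & d & MASK), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def _schedule(block: bytes):
    """Expand the 512-bit data block into 80 words. The rotate-left-by-1 is the
    single change that turned SHA-0 into SHA-1. Shorter blocks are zero-padded,
    which is how SHACAL accepts keys shorter than 512 bits."""
    w = list(struct.unpack(">16I", block.ljust(64, b"\x00")))
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def shacal1_encrypt(state, block: bytes):
    """The 80 SHA-1 rounds on a 160-bit state, without the feed-forward: SHACAL-1 encryption."""
    a, b, c, d, e = state
    w = _schedule(block)
    for t in range(80):
        f, k = _f(t, b, c, d)
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[t]) & MASK, a, _rotl(b, 30), c, d
    return (a, b, c, d, e)


def shacal1_decrypt(state, block: bytes):
    """Run the rounds backwards: with the data block known, every step is reversible."""
    a, b, c, d, e = state
    w = _schedule(block)
    for t in range(79, -1, -1):
        pa, pb, pc, pd = b, _rotr(c, 30), d, e       # undo the register shift of step t
        f, k = _f(t, pb, pc, pd)
        pe = (a - _rotl(pa, 5) - f - k - w[t]) & MASK  # solve the step equation for old e
        a, b, c, d, e = pa, pb, pc, pd, pe
    return (a, b, c, d, e)


def sha1_single_block(message: bytes) -> bytes:
    """SHA-1 of a message under 56 bytes: pad to one block, encrypt the IV with it,
    then add the IV back word-wise (the Davies-Meyer feed-forward)."""
    if len(message) >= 56:
        raise ValueError("single-block demonstration only")
    block = message + b"\x80" + b"\x00" * (55 - len(message)) + struct.pack(">Q", 8 * len(message))
    out = shacal1_encrypt(SHA1_IV, block)
    return struct.pack(">5I", *[(x + y) & MASK for x, y in zip(SHA1_IV, out)])
```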
B. MD5
MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.
MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5; while it was not a clearly fatal weakness, cryptographers began to recommend using other algorithms, such as SHA-1 (recent claims suggest that SHA-1 has been broken, however). In 2004, more serious flaws were discovered making further use of the algorithm for security purposes questionable.
MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled up with a 64-bit integer representing the length of the original message.
The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. There are four possible functions F; a different one is used in each round (their definitions, given in the original as a figure, are not reproduced here; in them the symbols denote the XOR, AND, OR and NOT operations respectively).
C. WHIRLPOOL
WHIRLPOOL is a cryptographic hash function designed by
Vincent Rijmen and Paulo S. L. M. Barreto. The hash has
been recommended by the NESSIE project. It has also been
adopted by the International Organization for
Standardization (ISO) and the International Electrotechnical
Commission (IEC) as part of the joint ISO/IEC 10118-3
international standard.
WHIRLPOOL is a hash designed after the Square block cipher. WHIRLPOOL is a Miyaguchi-Preneel construction based on a substantially modified Advanced Encryption Standard (AES). Given a message less than 2^256 bits in length, it returns a 512-bit message digest.
The authors have declared that "WHIRLPOOL is not (and
will never be) patented. It may be used free of charge for
any purpose. The reference implementations are in the
public domain."
D. RIPEMD
RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) is a 160-bit message digest algorithm (and cryptographic hash function) developed in Europe by Hans Dobbertin, Antoon Bosselaers and Bart Preneel, and first published in 1996. It is an improved version of RIPEMD, which in turn was based upon the design principles used in MD4, and is similar in performance to the more popular SHA-1.
There also exist 128, 256 and 320-bit versions of this
algorithm, called RIPEMD-128, RIPEMD-256, and
RIPEMD-320, respectively. The 128-bit version was
intended only as a drop-in replacement for the original
RIPEMD, which was also 128-bit, and which had been
found to have questionable security. The 256 and 320-bit
versions diminish only the chance of accidental collision,
and don't have higher levels of security as compared to,
respectively, RIPEMD-128 and RIPEMD-160.
RIPEMD-160 was designed in the open academic
community, in contrast to the NSA-designed algorithm,
SHA-1. On the other hand, RIPEMD-160 is a less popular
and correspondingly less well-studied design. RIPEMD-160
is not constrained by any patents.

E. SHACAL
SHACAL-1 and SHACAL-2 are block ciphers based on cryptographic hash functions from the SHA family. They were designed by Helena Handschuh and David Naccache, both cryptographers from the smart card manufacturer Gemplus. SHACAL-1 is a 160-bit block cipher based on SHA-1, and supports keys from 128-bit to 512-bit. SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256.
SHACAL turns the SHA-1 compression function into a block cipher by using the state input as the data block and using the data input as the key input. In other words, SHACAL views the SHA-1 compression function as a 160-bit block cipher with a 512-bit key. Keys shorter than 512 bits are supported by padding them with zeros up to 512 bits. SHACAL is not intended to be used with keys shorter than 128 bits.
In 2003, SHACAL-2 was selected by the NESSIE project as one of their 17 recommended algorithms.
SECURITY OF HASH FUNCTIONS
In order to attack a hash function, the intruder must replace the initial message with his own message in such a way that the hash function produces the same output. This is called a collision and it is very difficult to achieve. The possibilities for finding collisions for the most popular hash algorithms are given in TABLE 5.
TABLE 5. Security of hash functions (collisions)
5. CRYPTOGRAPHY INSTITUTIONS PROJECTS
EUROPE
ECRYPT (Network of Excellence in Cryptology), contract number IST-2002-507932 [13]
e-Stream (2004-2008) is a project to identify new stream ciphers that might become suitable for widespread adoption, organised by the EU ECRYPT network. It was set up as a result of the failure of all six stream ciphers submitted to the NESSIE project. The call for primitives was first issued in November 2004. The project is due to complete in January 2008. The project is divided into separate phases and the project goal is to find algorithms suitable for different application profiles.
e-Bats (2004-2008), contract number IST-2002-507932
NESSIE (New European Schemes for Signatures, Integrity, and Encryption), contract number IST-1999-12324 (2000-2004). NESSIE selected 17 algorithms out of 44, including the 39 proposed encryption algorithms. [23]
USA
NIST - National Institute of Standards and Technology [24]
FIPS - Federal Information Processing Standards [20]
NSA - The National Security Agency - Central Security Service is America's cryptology organization. It coordinates, directs, and performs highly specialized activities to protect U.S. government information systems and produce foreign signals intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the government.

JAPAN
CRYPTREC - Cryptography Research and Evaluation Committees (2000-2005). CRYPTREC was organized to investigate and evaluate cryptographic techniques suitable for the Japanese electronic government in terms of security, implementation, and other characteristics from the viewpoints of various objective specialists. Out of the total 66, including the 52 proposed encryption algorithms, 31 encryption algorithms were selected.
INTERNATIONAL
IACR - The International Association for Cryptologic Research (IACR) is a non-profit scientific organization whose purpose is to further research in cryptology and related fields.
CDT - The Center for Democracy and Technology works to promote democratic values and constitutional liberties in the digital age. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.
EPIC - It is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC publishes an award-winning e-mail and online newsletter on civil liberties in the information age, the EPIC Alert.
6. REFERENCES
[1] D. Kahn, Codebreakers: The Story of Secret Writing, Macmillan, 1967
[2] H. Feistel, "Cryptographic coding for data bank privacy," IBM Corp. Res. Rep. RC 2827, Mar. 1970. (I-B4, III-B, SFR)
[3] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Trans. Inform. Theory, IT-22 (6), pp. 644-654, 1976
[4] R. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM 21, 2 (Feb. 1978), pp. 120-126
[5] T. El Gamal, "A public key cryptosystem and signature scheme based on discrete logarithms," IEEE Trans. Inform. Theory, 31:469-472, 1985
[6] National Institute of Standards and Technology, NIST FIPS PUB 186, Digital Signature Standard, U.S. Department of Commerce, May 1994
[7] J. Nechvatal, E. Barker, L. Bassham, W. Burr, M. Dworkin, J. Foti and E. Roback, "Report on the Development of the Advanced Encryption Standard (AES)," Journal of Research of the National Institute of Standards and Technology, 2000, Volume 106, pp. 511-576
[8] M. Dworkin, "Recommendation for Block Cipher Modes of Operation - Methods and Techniques," NIST Special Publication 800-38A, December 2001
[9] CNSS Policy No. 15, Fact Sheet No. 1, National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, June 2003
[10] N. Ferguson, R. Schroeppel, D. Whiting, A simple algebraic representation of Rijndael, Selected Areas in Cryptography, Proc. SAC 2001, Lecture Notes in Computer Science 2259, pp. 103-111, Springer Verlag, 2001.
[11] K. Aoki and H. Lipmaa, Fast Implementations of AES Candidates, Third Advanced Encryption Standard Candidate Conference, 2000, pages 106-120.
[12] H. Lipmaa, Fast Implementations of AES and IDEA for Pentium 3 and 4, October 2005, http://home.cyber.ee/helger/implementations
[13] A. Hodjat, I. Verbauwhede, A 21.54 Gbit/s fully pipelined AES processor on FPGA, Field-Programmable Custom Computing Machines 2004 (FCCM'04), 12th Annual IEEE Symposium, pages 308-309.
[14] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall
and N. Ferguson, Performance Comparison of the AES
Submissions, Proc. Second AES Candidate
Conference, NIST, 1999, pp. 15-34.
[15] A. Lenstra, Key Length, Contribution to The
Handbook of Information Security, 2004,
http://cm.bell-labs.com/who/akl/key_lengths.pdf
[16] ECRYPT Yearly Report on Algorithms and Keysizes
2005, http://www.ecrypt.eu.org/documents/D.SPA.161.0.pdf
[17] J. Buchmann, Einführung in die Kryptographie, Springer, 2001, ISBN: 3-540-41283-2, also available in English, ISBN: 0-387-21156-X.

[18] K. Aoki et al., Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis, Selected Areas in Cryptography 2000, pp. 39-56
[19] Matsui, M., Nakajima, J., and S. Moriai, "A
Description of the Camellia Encryption Algorithm",
RFC 3713, April 2004.
[20] NIST, FIPS PUB 197, "Advanced Encryption Standard (AES)," November 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197
[21] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher Algorithm and Its Use With IPsec," RFC 3602, September 2003.
[22] A. Lenstra, Unbelievable Security, 2001,
http://www.win.tue.nl/~klenstra/aes_match.pdf
[23] The NESSIE project (New European Schemes for
Signatures, Integrity and Encryption),
http://www.cosic.esat.kuleuven.ac.be/nessie/.
[24] NIST Computer Security Division, http://csrc.nist.gov/
[25] Arjen Lenstra and E. Verheul, Selecting
Cryptographic Key Sizes, 2001,
http://citeseer.ist.psu.edu/287428.html
[26] RSA Security, PKCS #1: RSA Cryptography Standard,
http://www.rsasecurity.com/rsalabs/node.asp?id=2125
[27] Ilya Mironov Microsoft Research, Silicon Valley
Campus mironov@microsoft.com November 14, 2005
[IACR] http://www.iacr.org/
[CDT] http://www.cdt.org/crypto/
[EPIC ] http://www.epic.org/epic/about.html
[NSA] www.nsa.gov
[CRYPTREC] Information-technology Promotion Agency
(IPA), Japan,
http://www.ipa.go.jp/security/enc/CRYPTREC/indexe.html.
