
exercise in the previous class



Presentation Transcript


  1. exercise in the previous class
  • give proof for the discussion in p.19
  • see http://apal.naist.jp/~kaji/lecture/

  2. chapter 4: cryptography

  3. what we do, and what we do not in this class
  cryptography is discussed in many contexts:
  • management
  • politics
  • history
  • philosophy
  In this class, we focus on the technical aspects of cryptography.

  4. terminology
  (figure: encryption E maps a plaintext p to the ciphertext E(p); decryption D maps a ciphertext c to D(c))
  • plaintexts: make sense by themselves
  • ciphertexts: make no sense by themselves
  • cryptography = a pair of E and D such that D(E(p)) = p
  • many variations and confusions in the words: crypto / cipher, text / data, cryptography / encryption

  5. three types of cryptography
  • key-less cryptography
    • E(p) (resp. D(c)) is solely determined by p (resp. c)
    • no key ... the algorithms themselves must be kept secret
    • security relies on the "gap of wisdom" between the intended recipients and everyone else
    • "O, draconian devil" → "Leonardo da Vinci"
  • common-key cryptography
    • E and D must use the same key
  • public-key cryptography
    • E and D use different keys which are in a special relation

  6. class plan
  • today: common-key cryptography
    • widely known algorithms
    • key agreement protocol
  • next: public-key cryptography
    • RSA
    • related algorithms
  June 4 (MON): exercise
  June 5 (TUE): test

  7. common-key cryptography
  also called symmetric-key cryptography, classic cryptography, ...
  • E (resp. D) takes two inputs: a key and a plaintext (resp. ciphertext)
  • E(k, p): the ciphertext of p encrypted with the key k
  • D(k, c): the plaintext of c decrypted with the key k
  • D(k, E(k, p)) = p, but D(k', E(k, p)) ≠ p if k' ≠ k
  (figure: p is encrypted by E under the key k1 into c, and c is decrypted by D under the key k2; the result is p if k1 = k2, and unpredictable ("?") if k1 ≠ k2)

  8. substitution cipher
  substitution cipher:
  • encrypt: replace each character of the plaintext with a different character
  • decrypt: do the inverse replacement of the encryption
  • key: the table of the character replacement, e.g.
    plaintext:  A B C ... Y Z
    ciphertext: E K A ... Z G
  • the number of possible keys = 26! for the English alphabet ... too many even for today's computers
  • the statistics of the plaintexts can be observed in the ciphertexts

  9. frequency attack
  in a naive substitution cipher...
  • a given character is always replaced by the same character
  • in many kinds of data there is a bias in the frequencies of characters; in English...
    • characters such as "e", "t", "a", and "s" occur frequently
    • characters which occur frequently in a ciphertext = the replacements of the above four frequent characters
  A. C. Doyle, 1903, The Adventure of the Dancing Men

  10. sketch of the frequency attack
  (figure: a bar chart compares the frequencies of the letters a, b, c, d in typical English texts and in a sample plaintext ("information as a concept has many meanings ... the concept of information is ... theory in modern english is a concept which originally derives from classical greek"); the two rows of values are 8.4% 1.5% 2.7% 3.8% and 8.6% 1.4% 2.8% 3.8%. The ciphertext of an unknown text, "zpunim gt oncuit utqvgwp gw h antaubz spgap nigqgthvvm cuigluw eino", shows the same pattern in the ciphertext characters h, x, a, c, which are therefore matched to a, b, c, d.)
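The weakness behind slides 8 to 10, as an added example that is not part of the original slides: a substitution cipher with an explicit replacement table, and a letter count showing that the plaintext's letter statistics survive encryption unchanged. The key is a constructed permutation whose first and last entries follow the table on slide 8; the sample sentence is the one from slide 10.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# constructed key: the ciphertext letter for each of a..z (a permutation of the
# alphabet); first and last entries follow slide 8: a->e, b->k, c->a, ..., y->z, z->g
KEY = "eka" + "bcdfhijlmnopqrstuvwxy" + "zg"


def make_tables(key):
    """Build the encryption table and its inverse so that D(E(p)) = p."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of a..z")
    enc = dict(zip(ALPHABET, key))
    dec = {c: p for p, c in enc.items()}
    return enc, dec


def substitute(text, table):
    """Apply a replacement table; characters not in the table (spaces,
    punctuation) pass through unchanged."""
    return "".join(table.get(ch, ch) for ch in text)


def letter_frequencies(text):
    """Relative frequency (in %) of every letter that occurs in text."""
    letters = [ch for ch in text if ch in ALPHABET]
    counts = Counter(letters)
    return {ch: 100.0 * n / len(letters) for ch, n in counts.items()}


def most_frequent(text, n=4):
    """The n most frequent letters, highest first (ties broken alphabetically)."""
    ranked = sorted(letter_frequencies(text).items(), key=lambda kv: (-kv[1], kv[0]))
    return [ch for ch, _ in ranked[:n]]


# sample plaintext taken from slide 10
PLAINTEXT = "theory in modern english is a concept which originally derives from classical greek"
ENC, DEC = make_tables(KEY)
CIPHERTEXT = substitute(PLAINTEXT, ENC)

if __name__ == "__main__":
    print(CIPHERTEXT)
    # the same bar chart as slide 10: the ranking of letters is preserved,
    # only their names change, so the key leaks through the statistics
    print("plaintext  :", most_frequent(PLAINTEXT))
    print("ciphertext :", most_frequent(CIPHERTEXT))
```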

  11. many improvements
  The vulnerability of the substitution cipher was well known to cryptographers from early days...
  many improvements were considered...
  • one-to-many substitution
  • substitution of N-grams or words
  • use of multiple substitution tables
  • dynamically change the substitution table → Enigma

  12. Enigma
  • used by the German military in World War II
  • the substitution is determined by "rotor wheels"
  • the rotor wheels rotate as each character is processed
  (figure: rotor wheels labelled A, B, C, D)
  Enigma showed that machine power >> human power

  13. DES (Data Encryption Standard)
  • developed in the US in the 70's to secure classified data
  • not the "first-class" cryptography
  • "good security with reasonable cost"
  • insecure nowadays, but played an important role in cryptology
  1973: NBS solicited encryption algorithms
  1974: IBM submitted a candidate
  1977: published as a federal standard
  1997: NIST (formerly NBS) solicited the newer AES

  14. encryption of DES
  (figure: the 56-bit key is expanded into 16 round keys RK1, ..., RK16 of 48 bits each; the 64-bit plaintext goes through the initial permutation IP and is split into 32-bit halves L0 and R0; rounds 1 to 16 each apply f with their round key to produce (L1, R1), ..., (L16, R16); the inverse permutation IP-1 then gives the 64-bit ciphertext)

  15. Feistel structure
  • each round of DES has the Feistel structure
  (figure: round i+1 takes Li, Ri and the round key RKi+1 through f and outputs Li+1, Ri+1)
  • the Feistel structure is easy to invert if RKi+1 is provided correctly
  • the inversion can be done with the same Feistel mechanism (with left and right exchanged)
  (figure: the inverse takes Ri+1, Li+1 and RKi+1 through the same f and outputs Ri, Li)

  16. decryption of DES
  (figure: the same circuit as in the encryption, with the ciphertext at the input, the round keys fed in the reverse order RK16, RK15, ..., RK1, and the plaintext at the output)
  inside this box is the same as the encryption → one circuit is used for both encryption and decryption
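The "one circuit for both directions" property of slides 15 and 16, as an added example that is not part of the original slides and is not DES: a generic Feistel network with a constructed, non-invertible toy round function f (a keyed hash) and a constructed toy key schedule. Each round computes L_{i+1} = R_i and R_{i+1} = L_i XOR f(R_i, RK_{i+1}); decryption is the same function with the round keys reversed.

```python
import hashlib

HALF = 4  # bytes per half block (toy size; DES uses 32-bit halves, 64-bit blocks)


def f(right, round_key):
    """Constructed toy round function (not DES's S-box based f): a keyed hash of
    the right half, truncated to the half-block size. f need not be invertible."""
    return hashlib.sha256(round_key + right).digest()[:HALF]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_round(left, right, round_key):
    """One round: L_{i+1} = R_i, R_{i+1} = L_i XOR f(R_i, RK_{i+1}).
    Feeding (R_{i+1}, L_{i+1}) back in with the same key returns (R_i, L_i)."""
    return right, xor(left, f(right, round_key))


def feistel(block, round_keys):
    """Run the rounds with the round keys in the order given. The final swap is
    undone so that the same circuit, fed the reversed key order, inverts itself."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be %d bytes" % (2 * HALF))
    left, right = block[:HALF], block[HALF:]
    for rk in round_keys:
        left, right = feistel_round(left, right, rk)
    return right + left


def key_schedule(key, rounds=16):
    """Constructed toy schedule: RK_i derived from the key and the round number."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(1, rounds + 1)]


def encrypt(plaintext, key):
    return feistel(plaintext, key_schedule(key))


def decrypt(ciphertext, key):
    # the same circuit, round keys RK16, ..., RK1 (slide 16)
    return feistel(ciphertext, list(reversed(key_schedule(key))))


if __name__ == "__main__":
    c = encrypt(b"8 bytes!", b"secret")
    print(c.hex(), decrypt(c, b"secret"))
```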

  17. security of DES
  • theoretical attacks
    • differential analysis by Biham & Shamir (1990)
      • investigated at the design phase of DES...
    • linear analysis by Matsui (1993)
      • succeeded in breaking DES for the first time
  • exhaustive attacks
    • 22 hours, 100K computers connected by network (1999)
    • 9 days, FPGA-based parallel machine (2006)
  DES is not secure anymore!

  18. rumor of DES
  rumor, or urban legend: "NSA must have put a back-door in DES"
  NSA: National Security Agency
  • intelligence agency of the US
  • some activities not revealed
  • commitment to the Echelon system
  evidence?
  • the key length was shortened from the IBM proposal
  • some substitution tables in DES were replaced by NSA
  • NSA did know the differential analysis
  there is no way to verify what is true and what is not true...

  19. AES and others
  • DES is no longer secure
  • there is no way to deny the bad rumor
  → newer and stronger cryptography is needed
  1997: NIST solicited the Advanced Encryption Standard (AES); 15 candidate algorithms from 12 countries
  1999: 5 candidates passed the screening
  2000: Rijndael, from Belgium, was selected as the winner
  2001: published as a federal standard
  There are many other algorithms: Blowfish, IDEA, Camellia, ...

  20. key agreement
  Any common-key cryptography faces one serious problem: How can we share a key with a person at a remote place?
  • the sender and the receiver must have the same key
  • the key must not be known to anyone else
  solution...
  • use an expensive but secure communication channel
    • secret agent, registered mail, pigeon, etc...
  • utilize a mathematical trick → key agreement protocol

  21. key agreement protocol
  We consider a protocol between two users A and B:
  • the communication channel is not secure
  • an attacker C can wiretap the communication, but does not modify data in the channel
  • after the protocol execution...
    • A and B know a certain piece of information in common
    • C does not know the information

  22. Diffie-Hellman protocol
  Diffie-Hellman protocol:
  • was proposed by Diffie & Hellman in 1976
  • makes use of the property that it is difficult to solve the discrete logarithm problem
  preliminary
  • Fq = {0, ..., q – 1} with q a big prime number
  • g, a generator of Fq (any nonzero a ∈ Fq can be written as a = g^x mod q)
  • discrete logarithm problem (DLP): "given q, g and a, determine x with a = g^x mod q"

  23. example
  • F7 = {0, 1, 2, ..., 6}
  • g = 3 is a generator of F7
  (figure: the graph of a = 3^x mod 7 for x = 0, ..., 6)
  a = 3^x mod 7    the answer x of the DLP
  1 = 3^6 mod 7    log3 1 = 6
  2 = 3^2 mod 7    log3 2 = 2
  3 = 3^1 mod 7    log3 3 = 1
  4 = 3^4 mod 7    log3 4 = 4
  5 = 3^5 mod 7    log3 5 = 5
  6 = 3^3 mod 7    log3 6 = 3
  no smart algorithm is known today ... the only means to solve the problem is exhaustive search ... nobody can solve the problem if q is large (> thousands of bits)

  24. the protocol
  step 1: A and B agree on the prime q and the generator g (in public)
  step 2a: A chooses a random x, and sends mA = g^x mod q to B
  step 2b: B chooses a random y, and sends mB = g^y mod q to A
  step 3a: A computes (mB)^x mod q = g^xy mod q
  step 3b: B computes (mA)^y mod q = g^xy mod q
  (figure: A holds x and B holds y; after exchanging mA = g^x mod q and mB = g^y mod q, both hold g^xy mod q)

  25. example
  How can we compute 38^51 mod 197?
  • 38^51 mod 197 = (38^32 mod 197)(38^16 mod 197)(38^2 mod 197)(38^1 mod 197) mod 197
  • 38^2n mod 197 = (38^n mod 197)^2 mod 197
  (figure: 38^1, 38^2, 38^4, 38^8, 38^16, 38^32 mod 197 are obtained by repeated squaring)
  q = 197, g = 3
  A: x = 51, mA = 3^51 mod 197 = 71
  B: y = 55, mB = 3^55 mod 197 = 38
  shared value: 38^51 mod 197 = 71^55 mod 197 = 122
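Slides 22 to 25 carried through in code, as an added example that is not part of the original slides: square-and-multiply for g^x mod q, a generator check and the exhaustive DLP search from slide 23 (feasible only for tiny q), and the protocol of slide 24 run with the slide 25 numbers q = 197, g = 3, x = 51, y = 55. The use of the `secrets` module for fresh exponents is an addition; the slides only say "random".

```python
import secrets


def pow_mod(base, exp, mod):
    """Square-and-multiply, as on slide 25: walk through the bits of exp,
    keeping base^(2^i) mod q by repeated squaring and multiplying in the
    powers whose bit is set (51 = 32 + 16 + 2 + 1)."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def is_generator(q, g):
    """g generates the nonzero elements of Fq if g^1, ..., g^(q-1) mod q hit all of them."""
    return {pow_mod(g, x, q) for x in range(1, q)} == set(range(1, q))


def dlog_exhaustive(q, g, a):
    """Solve a = g^x mod q by trying x = 1, 2, ... (slide 23); only feasible for tiny q."""
    for x in range(1, q):
        if pow_mod(g, x, q) == a:
            return x
    raise ValueError("a is not a power of g modulo q")


def diffie_hellman(q, g, x, y):
    """The protocol of slide 24 with A's secret x and B's secret y.
    Returns (mA, mB, value computed by A, value computed by B)."""
    mA = pow_mod(g, x, q)          # step 2a: A -> B
    mB = pow_mod(g, y, q)          # step 2b: B -> A
    key_a = pow_mod(mB, x, q)      # step 3a: A computes (mB)^x
    key_b = pow_mod(mA, y, q)      # step 3b: B computes (mA)^y
    return mA, mB, key_a, key_b


def random_secret(q):
    """A fresh exponent in 1 .. q-2 from the OS CSPRNG; x and y must be unpredictable."""
    return 1 + secrets.randbelow(q - 2)


if __name__ == "__main__":
    print(diffie_hellman(197, 3, 51, 55))                  # (71, 38, 122, 122)
    print([dlog_exhaustive(7, 3, a) for a in range(1, 7)])  # [6, 2, 1, 4, 5, 3]
```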

  26. security
  Is the protocol secure?
  (figure: the protocol of slide 24, with C observing the channel)
  • C finds q, g, mA and mB
  • C cannot know x and y unless he/she solves the DLP
  • C cannot know the value of the shared g^xy mod q

  27. another security
  What happens if the attacker does more than wiretapping?
  • C communicates with A, pretending to be B
  • C communicates with B, pretending to be A
  A and B communicate with C, each believing that he/she is communicating with the valid counterpart.
  → man-in-the-middle attack

  28. summary
  • classification of cryptography
    • key-less, common-key and public-key
  • common-key cryptography
    • substitution cipher
    • DES
    • key-agreement protocol

  29. exercise Decrypt the following ciphertext. qiwaufmlyngcmwzyz c mcxaeyoqweocqyaocuwpwoqjwcqkeyogzkmmwe cod vyoqwezlaeqz, yoviyniqiakzcodzajcqiuwqwzlceqynylcqwyo c pceywqfajnamlwqyqyaoz. qiwaufmlyngcmwzicpwnamwqahwewgcedwdczqiwvaeud'zjaewmazqzlaeqznamlwqyqyaoviwewmaewqicoqvaikodewdocqyaozlceqynylcqw. qiwgcmwzcewnkeewoqufiwudwpwefqvafwcez, vyqizkmmwe cod vyoqweaufmlyngcmwzcuqweocqyog, cuqiakgiqiwfannkewpwefjakefwcezvyqiyoqiwyeewzlwnqypwzwczaocugcmwz.

  30. about test
  • June 4 (Mon), 9:20AM, exercise
  • June 5 (Tue), 9:20AM, this room
  • you can bring books, notes and copies of slides
  • you can bring a calculator and/or PC
  • PC must be disconnected from the network: download all needed material before the test starts
  • books, notes, handouts, calculator, PC ... anything may be brought in
  • the communication functions of PCs etc. may not be used; download the necessary materials beforehand
