Sistema Comunicação - haccap1, Electrical Engineering Exams

Type: Exams

Before 2010

Shared on 09/11/2009

volnei-junior-12

This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac

CRC Press has granted the following specific permissions for the electronic version of this book:

Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press.

Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version:

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying.

© 1997 by CRC Press, Inc.

Chapter 1

Overview of Cryptography

Contents in Brief

1.1 Introduction ... 1
1.2 Information security and cryptography ... 2
1.3 Background on functions ... 6
1.4 Basic terminology and concepts ... 11
1.5 Symmetric-key encryption ... 15
1.6 Digital signatures ... 22
1.7 Authentication and identification ... 24
1.8 Public-key cryptography ... 25
1.9 Hash functions ... 33
1.10 Protocols and mechanisms ... 33
1.11 Key establishment, management, and certification ... 35
1.12 Pseudorandom numbers and sequences ... 39
1.13 Classes of attacks and security models ... 41
1.14 Notes and further references ... 45

1.1 Introduction

Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn’s The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn’s book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.

The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world.

The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method


§ 1.2 Information security and cryptography 3

privacy or confidentiality: keeping information secret from all but those who are authorized to see it.
data integrity: ensuring information has not been altered by unauthorized or unknown means.
entity authentication or identification: corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
message authentication: corroborating the source of information; also known as data origin authentication.
signature: a means to bind information to an entity.
authorization: conveyance, to another entity, of official sanction to do or be something.
validation: a means to provide timeliness of authorization to use or manipulate information or resources.
access control: restricting access to resources to privileged entities.
certification: endorsement of information by a trusted entity.
timestamping: recording the time of creation or existence of information.
witnessing: verifying the creation or existence of information by an entity other than the creator.
receipt: acknowledgement that information has been received.
confirmation: acknowledgement that services have been provided.
ownership: a means to provide an entity with the legal right to use or transfer a resource to others.
anonymity: concealing the identity of an entity involved in some process.
non-repudiation: preventing the denial of previous commitments or actions.
revocation: retraction of certification or authorization.

Table 1.1: Some information security objectives.

offense to open mail for which one is not authorized. It is sometimes the case that security is achieved not through the information itself but through the physical document recording it. For example, paper currency requires special inks and material to prevent counterfeiting.

Conceptually, the way information is recorded has not changed dramatically over time. Whereas information was typically stored and transmitted on paper, much of it now resides on magnetic media and is transmitted via telecommunications systems, some wireless. What has changed dramatically is the ability to copy and alter information. One can make thousands of identical copies of a piece of information stored electronically and each is indistinguishable from the original. With information on paper, this is much more difficult. What is needed then for a society where information is mostly stored and transmitted in electronic form is a means to ensure information security which is independent of the physical medium recording or conveying it and such that the objectives of information security rely solely on digital information itself.

One of the fundamental tools used in information security is the signature. It is a building block for many other services such as non-repudiation, data origin authentication, identification, and witnessing, to mention a few. Having learned the basics in writing, an individual is taught how to produce a handwritten signature for the purpose of identification. At contract age the signature evolves to take on a very integral part of the person’s identity. This signature is intended to be unique to the individual and serve as a means to identify, authorize, and validate. With electronic information the concept of a signature needs to be

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.


redressed; it cannot simply be something unique to the signer and independent of the information signed. Electronic replication of it is so simple that appending a signature to a document not signed by the originator of the signature is almost a triviality.

Analogues of the “paper protocols” currently in use are required. Hopefully these new electronic based protocols are at least as good as those they replace. There is a unique opportunity for society to introduce new and more efficient ways of ensuring information security. Much can be learned from the evolution of the paper based system, mimicking those aspects which have served us well and removing the inefficiencies.

Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means is provided through cryptography.

1.1 Definition Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques.

Cryptographic goals

Of all the information security objectives listed in Table 1.1, the following four form a framework upon which the others will be derived: (1) privacy or confidentiality (§1.5, §1.8); (2) data integrity (§1.9); (3) authentication (§1.7); and (4) non-repudiation (§1.6).

  1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
  2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.
  3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).
  4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.

This book describes a number of basic cryptographic tools (primitives) used to provide information security. Examples of primitives include encryption schemes (§1.5 and §1.8),

© 1997 by CRC Press, Inc. See accompanying notice at front of chapter.


very different functionality depending on its mode of operation or usage.

  1. performance. This refers to the efficiency of a primitive in a particular mode of operation. (For example, an encryption algorithm may be rated by the number of bits per second which it can encrypt.)
  2. ease of implementation. This refers to the difficulty of realizing the primitive in a practical instantiation. This might include the complexity of implementing the primitive in either a software or hardware environment.

The relative importance of various criteria is very much dependent on the application and resources available. For example, in an environment where computing power is limited one may have to trade off a very high level of security for better performance of the system as a whole.

Cryptography, over the ages, has been an art practised by many who have devised ad hoc techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. There are now several international scientific conferences devoted exclusively to cryptography and also an international scientific organization, the International Association for Cryptologic Research (IACR), aimed at fostering research in the area.

This book is about cryptography: the theory, the practice, and the standards.

1.3 Background on functions

While this book is not a treatise on abstract mathematics, a familiarity with basic mathematical concepts will prove to be useful. One concept which is absolutely fundamental to cryptography is that of a function in the mathematical sense. A function is alternately referred to as a mapping or a transformation.

1.3.1 Functions (1-1, one-way, trapdoor one-way)

A set consists of distinct objects which are called elements of the set. For example, a set X might consist of the elements a, b, c, and this is denoted X = {a, b, c}.

1.2 Definition A function is defined by two sets X and Y and a rule f which assigns to each element in X precisely one element in Y. The set X is called the domain of the function and Y the codomain. If x is an element of X (usually written x ∈ X) the image of x is the element in Y which the rule f associates with x; the image y of x is denoted by y = f(x). Standard notation for a function f from set X to set Y is f : X −→ Y. If y ∈ Y, then a preimage of y is an element x ∈ X for which f(x) = y. The set of all elements in Y which have at least one preimage is called the image of f, denoted Im(f).

1.3 Example (function) Consider the sets X = {a, b, c}, Y = {1, 2, 3, 4}, and the rule f from X to Y defined as f(a) = 2, f(b) = 4, f(c) = 1. Figure 1.2 shows a schematic of the sets X, Y and the function f. The preimage of the element 2 is a. The image of f is {1, 2, 4}.

Thinking of a function in terms of the schematic (sometimes called a functional diagram) given in Figure 1.2, each element in the domain X has precisely one arrowed line originating from it. Each element in the codomain Y can have any number of arrowed lines incident to it (including zero lines).


(Figure 1.2 diagram: the set X = {a, b, c} on the left, the set Y = {1, 2, 3, 4} on the right, and arrows a → 2, b → 4, c → 1 labelled f.)

Figure 1.2: A function f from a set X of three elements to a set Y of four elements.

Often only the domain X and the rule f are given and the codomain is assumed to be the image of f. This point is illustrated with two examples.

1.4 Example (function) Take X = {1, 2, 3, ..., 10} and let f be the rule that for each x ∈ X, f(x) = r_x, where r_x is the remainder when x^2 is divided by 11. Explicitly then

f(1) = 1, f(2) = 4, f(3) = 9, f(4) = 5, f(5) = 3, f(6) = 3, f(7) = 5, f(8) = 9, f(9) = 4, f(10) = 1.

The image of f is the set Y = {1, 3, 4, 5, 9}.

1.5 Example (function) Take X = {1, 2, 3, ..., 10^50} and let f be the rule f(x) = r_x, where r_x is the remainder when x^2 is divided by 10^50 + 1 for all x ∈ X. Here it is not feasible to write down f explicitly as in Example 1.4, but nonetheless the function is completely specified by the domain and the mathematical description of the rule f.

(i) 1-1 functions

1.6 Definition A function (or transformation) is 1-1 (one-to-one) if each element in the codomain Y is the image of at most one element in the domain X.

1.7 Definition A function (or transformation) is onto if each element in the codomain Y is the image of at least one element in the domain. Equivalently, a function f : X −→ Y is onto if Im(f) = Y.

1.8 Definition If a function f : X −→ Y is 1-1 and Im(f) = Y, then f is called a bijection.

1.9 Fact If f : X −→ Y is 1-1 then f : X −→ Im(f) is a bijection. In particular, if f : X −→ Y is 1-1, and X and Y are finite sets of the same size, then f is a bijection.

In terms of the schematic representation, if f is a bijection, then each element in Y has exactly one arrowed line incident with it. The functions described in Examples 1.3 and 1.4 are not bijections. In Example 1.3 the element 3 is not the image of any element in the domain. In Example 1.4 each element in the codomain has two preimages.

1.10 Definition If f is a bijection from X to Y then it is a simple matter to define a bijection g from Y to X as follows: for each y ∈ Y define g(y) = x where x ∈ X and f(x) = y. This function g obtained from f is called the inverse function of f and is denoted by g = f^-1.
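The properties in Definitions 1.6 to 1.9 can be checked mechanically once a function on a finite set is written out as a table. The Python below is an added example, not code from the Handbook: it tabulates a function as a dictionary, computes Im(f) and preimages (Definition 1.2), tests the 1-1, onto and bijection properties, and reproduces the facts stated for Examples 1.3 and 1.4 (element 3 has no preimage in Example 1.3; every element of the image in Example 1.4 has exactly two preimages). The helper names such as make_function and square_mod are my own, and square_mod generalises Example 1.4 from modulus 11 to any modulus.

```python
# Added example, not from the Handbook: functions between finite sets as
# explicit tables, with Definition 1.2 (image, preimage) and Definitions
# 1.6-1.8 (1-1, onto, bijection) checked mechanically. Helper names are mine.

def make_function(domain, rule):
    """Tabulate f: X -> Y from a domain and a callable giving the rule."""
    return {x: rule(x) for x in domain}

def image(f):
    """Im(f): the codomain elements that have at least one preimage."""
    return set(f.values())

def preimages(f, y):
    """Every x in the domain with f(x) = y (empty if y has no preimage)."""
    return {x for x, fx in f.items() if fx == y}

def preimage_counts(f):
    """How many arrowed lines hit each element of Im(f) in the functional diagram."""
    counts = {}
    for y in f.values():
        counts[y] = counts.get(y, 0) + 1
    return counts

def is_one_to_one(f):
    """1-1: no codomain element is the image of two distinct domain elements."""
    return len(set(f.values())) == len(f)

def is_onto(f, codomain):
    """Onto: Im(f) = Y."""
    return image(f) == set(codomain)

def is_bijection(f, codomain):
    """Bijection: 1-1 and onto (Definition 1.8)."""
    return is_one_to_one(f) and is_onto(f, codomain)

def square_mod(m):
    """Example 1.4 generalised to any modulus: x -> x^2 mod m on X = {1, ..., m-1}."""
    return make_function(range(1, m), lambda x: (x * x) % m)

# Example 1.3: X = {a, b, c}, Y = {1, 2, 3, 4}, f(a) = 2, f(b) = 4, f(c) = 1
F13 = {"a": 2, "b": 4, "c": 1}
Y13 = {1, 2, 3, 4}

# Example 1.4: X = {1, ..., 10}, f(x) = x^2 mod 11
F14 = square_mod(11)

if __name__ == "__main__":
    print("Im(f), Example 1.3:", sorted(image(F13)))
    print("preimages of 3, Example 1.3:", preimages(F13, 3))
    print("1-1 / onto, Example 1.3:", is_one_to_one(F13), is_onto(F13, Y13))
    print("Im(f), Example 1.4:", sorted(image(F14)))
    print("preimage counts, Example 1.4:", preimage_counts(F14))
```

Fact 1.9 shows up directly: F13 is not onto {1, 2, 3, 4}, but restricting the codomain to image(F13) makes is_bijection return True.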


x given that f (x) = 7. Of course, if the number you are given is 3 then it is clear that x = 1 is what you need; but for most of the elements in the codomain it is not that easy. 

One must keep in mind that this is an example which uses very small numbers; the important point here is that there is a difference in the amount of work to compute f (x) and the amount of work to find x given f (x). Even for very large numbers, f (x) can be computed efficiently using the repeated square-and-multiply algorithm (Algorithm 2.143), whereas the process of finding x from f (x) is much harder.

1.15 Example (one-way function) A prime number is a positive integer greater than 1 whose only positive integer divisors are 1 and itself. Select primes p = 48611, q = 53993, form n = pq = 2624653723, and let X = {1, 2, 3, ..., n − 1}. Define a function f on X by f(x) = r_x for each x ∈ X, where r_x is the remainder when x^3 is divided by n. For instance, f(2489991) = 1981394214 since 2489991^3 = 5881949859 · n + 1981394214. Computing f(x) is a relatively simple thing to do, but to reverse the procedure is much more difficult; that is, given a remainder to find the value x which was originally cubed (raised to the third power). This procedure is referred to as the computation of a modular cube root with modulus n. If the factors of n are unknown and large, this is a difficult problem; however, if the factors p and q of n are known then there is an efficient algorithm for computing modular cube roots. (See §8.2.2(i) for details.)

Example 1.15 leads one to consider another type of function which will prove to be fundamental in later developments.

(iii) Trapdoor one-way functions

1.16 Definition A trapdoor one-way function is a one-way function f : X −→ Y with the additional property that given some extra information (called the trapdoor information) it becomes feasible to find for any given y ∈ Im(f), an x ∈ X such that f(x) = y.

Example 1.15 illustrates the concept of a trapdoor one-way function. With the additional information of the factors of n = 2624653723 (namely, p = 48611 and q = 53993, each of which is five decimal digits long) it becomes much easier to invert the function. The factors of 2624653723 are large enough that finding them by hand computation would be difficult. Of course, any reasonable computer program could find the factors relatively quickly. If, on the other hand, one selects p and q to be very large distinct prime numbers (each having about 100 decimal digits) then, by today’s standards, it is a difficult problem, even with the most powerful computers, to deduce p and q simply from n. This is the well-known integer factorization problem (see §3.2) and a source of many trapdoor one-way functions.

It remains to be rigorously established whether there actually are any (true) one-way functions. That is to say, no one has yet definitively proved the existence of such functions under reasonable (and rigorous) definitions of “easy” and “computationally infeasible”. Since the existence of one-way functions is still unknown, the existence of trapdoor one-way functions is also unknown. However, there are a number of good candidates for one-way and trapdoor one-way functions. Many of these are discussed in this book, with emphasis given to those which are practical.

One-way and trapdoor one-way functions are the basis for public-key cryptography (discussed in §1.8). The importance of these concepts will become clearer when their application to cryptographic techniques is considered. It will be worthwhile to keep the abstract concepts of this section in mind as concrete methods are presented.


1.3.2 Permutations

Permutations are functions which are often used in various cryptographic constructs.

1.17 Definition Let S be a finite set of elements. A permutation p on S is a bijection (Definition 1.8) from S to itself (i.e., p : S −→ S).

1.18 Example (permutation) Let S = {1, 2, 3, 4, 5}. A permutation p : S −→ S is defined as follows: p(1) = 3, p(2) = 5, p(3) = 4, p(4) = 2, p(5) = 1. A permutation can be described in various ways. It can be displayed as above or as an array:

p = ( 1 2 3 4 5 )
    ( 3 5 4 2 1 )        (1.1)

where the top row in the array is the domain and the bottom row is the image under the mapping p. Of course, other representations are possible.

Since permutations are bijections, they have inverses. If a permutation is written as an array (see 1.1), its inverse is easily found by interchanging the rows in the array and reordering the elements in the new top row if desired (the bottom row would have to be reordered correspondingly). The inverse of p in Example 1.18 is

p^-1 = ( 1 2 3 4 5 )
       ( 5 4 1 3 2 )

1.19 Example (permutation) Let X be the set of integers {0, 1, 2, ..., pq − 1} where p and q are distinct large primes (for example, p and q are each about 100 decimal digits long), and suppose that neither p − 1 nor q − 1 is divisible by 3. Then the function p(x) = r_x, where r_x is the remainder when x^3 is divided by pq, can be shown to be a permutation. Determining the inverse permutation is computationally infeasible by today’s standards unless p and q are known (cf. Example 1.15).
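Examples 1.15, 1.16 and 1.19 all concern one function: cubing modulo n = pq is cheap to compute, hard to invert without the factors, and easy to invert with them. The Python below is an added illustration, not the Handbook's code. It reproduces f(2489991) = 1981394214 with the primes of Example 1.15, inverts f using the trapdoor (p, q), and checks the permutation claim of Example 1.19 by brute force on a modulus small enough to enumerate. The page only states that an efficient cube-root algorithm exists when p and q are known; the particular method used here, raising to d where 3d ≡ 1 (mod lcm(p − 1, q − 1)), is my assumption, and the divisibility condition on p − 1 and q − 1 from Example 1.19 is exactly what makes that d exist.

```python
# Added example, not from the Handbook: the cube-mod-n function of Examples
# 1.15 and 1.19, with the trapdoor inversion that knowing p and q enables.
# The inversion exponent method is an assumption on my part (RSA-style root
# extraction); the Handbook only states that an efficient algorithm exists.
from math import gcd

def cube_mod(x, n):
    """f(x) = x^3 mod n. pow() uses square-and-multiply, so this is cheap even for huge n."""
    return pow(x, 3, n)

def trapdoor_cube_root(y, p, q):
    """Invert f using the trapdoor information (p, q).

    Needs 3 coprime to lcm(p-1, q-1), i.e. 3 divides neither p-1 nor q-1,
    which is the condition under which Example 1.19 says f is a permutation.
    Because n = pq is square-free, x^(3d) = x mod n holds for every x, not
    only for x coprime to n.
    """
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    if gcd(3, lam) != 1:
        raise ValueError("3 must divide neither p-1 nor q-1")
    d = pow(3, -1, lam)                            # 3*d = 1 mod lam (Python 3.8+)
    return pow(y, d, n)

def is_cube_permutation(n):
    """Brute-force check that x -> x^3 mod n permutes {0, ..., n-1}; small n only."""
    return len({cube_mod(x, n) for x in range(n)}) == n

# Primes and modulus from Example 1.15
P, Q = 48611, 53993
N = P * Q   # 2624653723

if __name__ == "__main__":
    y = cube_mod(2489991, N)
    print("f(2489991) =", y)                               # 1981394214
    print("recovered with trapdoor:", trapdoor_cube_root(y, P, Q))
    print("x^3 mod 55 is a permutation:", is_cube_permutation(5 * 11))
    print("x^3 mod 77 is a permutation:", is_cube_permutation(7 * 11))
```

The last two lines show the hypothesis of Example 1.19 doing real work: for n = 55 neither 4 nor 10 is divisible by 3 and cubing permutes the residues, whereas for n = 77 we have 3 | (7 − 1) and distinct residues collide (1 and 23 both cube to 1 mod 77), so no inverse permutation exists at all.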

1.3.3 Involutions

Another type of function which will be referred to in §1.5.3 is an involution. Involutions have the property that they are their own inverses.

1.20 Definition Let S be a finite set and let f be a bijection from S to S (i.e., f : S −→ S). The function f is called an involution if f = f^-1. An equivalent way of stating this is f(f(x)) = x for all x ∈ S.

1.21 Example ( involution ) Figure 1.4 is an example of an involution. In the diagram of an involution, note that if j is the image of i then i is the image of j. 
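The two-row array of Example 1.18, the row-interchange rule for the inverse, and the involution test of Definition 1.20 are short enough to implement directly. The Python below is an added example, not from the Handbook; it builds a permutation from its two-row array (rejecting anything that is not a bijection), inverts it by swapping the rows, composes permutations, and tests f(f(x)) = x. The involution used for the test is a constructed one (swap 1 with 2 and 3 with 4, fix 5), since the page's Figure 1.4 is not reproduced here.

```python
# Added example, not from the Handbook: permutations as two-row arrays
# (Example 1.18), the inverse by interchanging rows (1.3.2), and the
# involution test f(f(x)) = x (Definition 1.20).

def permutation_from_rows(top, bottom):
    """Build p from a two-row array: p(top[i]) = bottom[i].

    Raises ValueError unless both rows list the same elements exactly once,
    which is precisely the condition for the array to describe a bijection.
    """
    if len(set(top)) != len(top) or sorted(top) != sorted(bottom):
        raise ValueError("rows must list the same elements, each exactly once")
    return dict(zip(top, bottom))

def as_rows(p):
    """Display p as (top row, bottom row) with the domain sorted in the top row."""
    top = sorted(p)
    return top, [p[x] for x in top]

def inverse(p):
    """Swap the rows: p^-1 sends each image back to its preimage."""
    return {y: x for x, y in p.items()}

def compose(p, q):
    """(p o q)(x) = p(q(x))."""
    return {x: p[q[x]] for x in q}

def identity(p):
    return {x: x for x in p}

def is_involution(f):
    """f is an involution iff f(f(x)) = x for every x in S (Definition 1.20)."""
    return all(f[f[x]] == x for x in f)

# Example 1.18: p(1)=3, p(2)=5, p(3)=4, p(4)=2, p(5)=1
P18 = permutation_from_rows([1, 2, 3, 4, 5], [3, 5, 4, 2, 1])
P18_INV = inverse(P18)

# Constructed involution: 1 <-> 2, 3 <-> 4, 5 fixed
INVOLUTION = permutation_from_rows([1, 2, 3, 4, 5], [2, 1, 4, 3, 5])

if __name__ == "__main__":
    print("p    =", as_rows(P18))
    print("p^-1 =", as_rows(P18_INV))
    print("p is an involution:", is_involution(P18))
    print("constructed map is an involution:", is_involution(INVOLUTION))
```

Note that P18 is not an involution (p(p(1)) = p(3) = 4), while the constructed map equals its own inverse, which is the defining property restated in terms of the row-swap rule.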


  • An encryption scheme consists of a set {E_e : e ∈ K} of encryption transformations and a corresponding set {D_d : d ∈ K} of decryption transformations with the property that for each e ∈ K there is a unique key d ∈ K such that D_d = E_e^-1; that is, D_d(E_e(m)) = m for all m ∈ M. An encryption scheme is sometimes referred to as a cipher.
  • The keys e and d in the preceding definition are referred to as a key pair and sometimes denoted by (e, d). Note that e and d could be the same.
  • To construct an encryption scheme requires one to select a message space M, a ciphertext space C, a key space K, a set of encryption transformations {E_e : e ∈ K}, and a corresponding set of decryption transformations {D_d : d ∈ K}.

Achieving confidentiality

An encryption scheme may be used as follows for the purpose of achieving confidentiality. Two parties Alice and Bob first secretly choose or secretly exchange a key pair (e, d). At a subsequent point in time, if Alice wishes to send a message m ∈ M to Bob, she computes c = E_e(m) and transmits this to Bob. Upon receiving c, Bob computes D_d(c) = m and hence recovers the original message m.

The question arises as to why keys are necessary. (Why not just choose one encryption function and its corresponding decryption function?) Having transformations which are very similar but characterized by keys means that if some particular encryption/decryption transformation is revealed then one does not have to redesign the entire scheme but simply change the key. It is sound cryptographic practice to change the key (encryption/decryption transformation) frequently. As a physical analogue, consider an ordinary resettable combination lock. The structure of the lock is available to anyone who wishes to purchase one but the combination is chosen and set by the owner. If the owner suspects that the combination has been revealed he can easily reset it without replacing the physical mechanism.

1.22 Example (encryption scheme) Let M = {m1, m2, m3} and C = {c1, c2, c3}. There are precisely 3! = 6 bijections from M to C. The key space K = {1, 2, 3, 4, 5, 6} has six elements in it, each specifying one of the transformations. Figure 1.5 illustrates the six encryption functions which are denoted by E_i, 1 ≤ i ≤ 6. Alice and Bob agree on a transformation, say E_1. To encrypt the message m1, Alice computes E_1(m1) = c3 and sends c3 to Bob. Bob decrypts c3 by reversing the arrows on the diagram for E_1 and observing that c3 points to m1.

(Figure 1.5 diagram: six functional diagrams E_1 to E_6, each mapping {m1, m2, m3} bijectively onto {c1, c2, c3}; in E_1 the arrow from m1 points to c3.)

Figure 1.5: Schematic of a simple encryption scheme.


When M is a small set, the functional diagram is a simple visual means to describe the mapping. In cryptography, the set M is typically of astronomical proportions and, as such, the visual description is infeasible. What is required, in these cases, is some other simple means to describe the encryption and decryption transformations, such as mathematical algorithms.

Figure 1.6 provides a simple model of a two-party communication using encryption.

(Figure 1.6 diagram: a plaintext source delivers m to Alice, whose encryption computes E_e(m) = c; c travels over an UNSECURED CHANNEL on which an Adversary sits; Bob's decryption computes D_d(c) = m and passes m to the destination.)

Figure 1.6: Schematic of a two-party communication using encryption.

Communication participants

Referring to Figure 1.6, the following terminology is defined.

  • An entity or party is someone or something which sends, receives, or manipulates information. Alice and Bob are entities in Example 1.22. An entity may be a person, a computer terminal, etc.
  • A sender is an entity in a two-party communication which is the legitimate transmitter of information. In Figure 1.6, the sender is Alice.
  • A receiver is an entity in a two-party communication which is the intended recipient of information. In Figure 1.6, the receiver is Bob.
  • An adversary is an entity in a two-party communication which is neither the sender nor receiver, and which tries to defeat the information security service being provided between the sender and receiver. Various other names are synonymous with adversary such as enemy, attacker, opponent, tapper, eavesdropper, intruder, and interloper. An adversary will often attempt to play the role of either the legitimate sender or the legitimate receiver.

Channels

  • A channel is a means of conveying information from one entity to another.
  • A physically secure channel or secure channel is one which is not physically accessible to the adversary.
  • An unsecured channel is one from which parties other than those for which the information is intended can reorder, delete, insert, or read.
  • A secured channel is one from which an adversary does not have the ability to reorder, delete, insert, or read.


  • Breaking an information security service (which often involves more than simply encryption) implies defeating the objective of the intended service.
  • A passive adversary is an adversary who is capable only of reading information from an unsecured channel.
  • An active adversary is an adversary who may also transmit, alter, or delete information on an unsecured channel.

Cryptology

  • Cryptanalysis is the study of mathematical techniques for attempting to defeat cryptographic techniques, and, more generally, information security services.
  • A cryptanalyst is someone who engages in cryptanalysis.
  • Cryptology is the study of cryptography (Definition 1.1) and cryptanalysis.
  • A cryptosystem is a general term referring to a set of cryptographic primitives used to provide information security services. Most often the term is used in conjunction with primitives providing confidentiality, i.e., encryption.

Cryptographic techniques are typically divided into two generic types: symmetric-key and public-key. Encryption methods of these types will be discussed separately in §1.5 and §1.8. Other definitions and terminology will be introduced as required.

1.5 Symmetric-key encryption

§1.5 considers symmetric-key encryption. Public-key encryption is the topic of §1.8.

1.5.1 Overview of block ciphers and stream ciphers

1.24 Definition Consider an encryption scheme consisting of the sets of encryption and decryption transformations {E_e : e ∈ K} and {D_d : d ∈ K}, respectively, where K is the key space. The encryption scheme is said to be symmetric-key if for each associated encryption/decryption key pair (e, d), it is computationally “easy” to determine d knowing only e, and to determine e from d.

Since e = d in most practical symmetric-key encryption schemes, the term symmetric-key becomes appropriate. Other terms used in the literature are single-key, one-key, private-key (see footnote 2), and conventional encryption. Example 1.25 illustrates the idea of symmetric-key encryption.

1.25 Example (symmetric-key encryption) Let A = {A, B, C, ..., X, Y, Z} be the English alphabet. Let M and C be the set of all strings of length five over A. The key e is chosen to be a permutation on A. To encrypt, an English message is broken up into groups each having five letters (with appropriate padding if the length of the message is not a multiple of five) and a permutation e is applied to each letter one at a time. To decrypt, the inverse permutation d = e^-1 is applied to each letter of the ciphertext. For instance, suppose that the key e is chosen to be the permutation which maps each letter to the one which is three positions to its right, as shown below

e =

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

² Private key is a term also used in quite a different context (see §1.8). The term will be reserved for the latter usage in this book.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

16 Ch. 1 Overview of Cryptography

A message m = THISC IPHER ISCER TAINL YNOTS ECURE is encrypted to c = E_e(m) = WKLVF LSKHU LVFHU WDLQO BQRWV HFXUH.
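Example 1.25 carried out in code, as an added example that is not part of the Handbook. It assumes the plaintext is reduced to the 26 uppercase letters and that a short final block is padded with the letter X (the text only says “appropriate padding”). The `frequency_is_relabelled` check shows the weakness that §1.5.2 attributes to simple substitution: the ciphertext letter counts are exactly the plaintext letter counts relabelled through e, so frequency analysis of the ciphertext reveals the plaintext statistics.

```python
# Added example (not from the Handbook): Example 1.25 as code.
# Assumptions: plaintext is reduced to the 26 uppercase letters, and the last
# block is padded with the letter X when the length is not a multiple of five.
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def shift_key(k):
    """Key e of Example 1.25: each letter maps to the one k positions to its right."""
    return {a: ALPHABET[(i + k) % 26] for i, a in enumerate(ALPHABET)}


def check_key(e):
    """A valid key is a permutation on A: every letter occurs exactly once as an image.
    A non-injective mapping would make decryption ambiguous, so reject it up front."""
    if sorted(e.values()) != list(ALPHABET):
        raise ValueError("key is not a permutation of the alphabet")
    return e


def inverse_key(e):
    """d = e^{-1}: the inverse permutation, used for decryption."""
    return {image: letter for letter, image in check_key(e).items()}


def to_blocks(text, t=5, pad="X"):
    """Keep only letters, then split into blocks of length t, padding the last one."""
    letters = "".join(ch for ch in text.upper() if ch in ALPHABET)
    remainder = len(letters) % t
    if remainder:
        letters += pad * (t - remainder)
    return [letters[i:i + t] for i in range(0, len(letters), t)]


def apply_key(key, blocks):
    """Apply the permutation to each letter of each block, one letter at a time."""
    return ["".join(key[ch] for ch in block) for block in blocks]


def encrypt(e, message):
    return " ".join(apply_key(check_key(e), to_blocks(message)))


def decrypt(e, ciphertext):
    return " ".join(apply_key(inverse_key(e), to_blocks(ciphertext)))


def frequency_is_relabelled(e, message):
    """True if, for every letter x, the count of e[x] in the ciphertext equals the
    count of x in the plaintext: the substitution only relabels the histogram."""
    plain = "".join(to_blocks(message))
    cipher = "".join(apply_key(check_key(e), to_blocks(message)))
    pc, cc = Counter(plain), Counter(cipher)
    return all(cc[e[x]] == pc[x] for x in ALPHABET)


if __name__ == "__main__":
    e = shift_key(3)
    m = "THISC IPHER ISCER TAINL YNOTS ECURE"
    c = encrypt(e, m)
    print(c)                 # WKLVF LSKHU LVFHU WDLQO BQRWV HFXUH
    print(decrypt(e, c))     # THISC IPHER ISCER TAINL YNOTS ECURE
    print(frequency_is_relabelled(e, m))   # True
```

The most frequent plaintext letters here (E and I, four each) become the most frequent ciphertext letters (H and L), which is exactly the handle a frequency attack on simple substitution uses.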

A two-party communication using symmetric-key encryption can be described by the block diagram of Figure 1.7, which is Figure 1.6 with the addition of the secure (both confidential and authentic) channel.

[Figure 1.7 diagram: Alice's plaintext source supplies m to the encryption E_e(m) = c; the key source supplies e to Alice and, over the SECURE CHANNEL, to Bob; c reaches Bob's decryption D_d(c) = m over the UNSECURED CHANNEL, to which the Adversary has access, and m is passed to the destination.]

Figure 1.7: Two-party communication using encryption, with a secure channel for key exchange. The decryption key d can be efficiently computed from the encryption key e.

One of the major issues with symmetric-key systems is to find an efficient method to agree upon and exchange keys securely. This problem is referred to as the key distribution problem (see Chapters 12 and 13).

It is assumed that all parties know the set of encryption/decryption transformations (i.e., they all know the encryption scheme). As has been emphasized several times, the only information which should be required to be kept secret is the key d. However, in symmetric-key encryption, this means that the key e must also be kept secret, as d can be deduced from e. In Figure 1.7 the encryption key e is transported from one entity to the other with the understanding that both can construct the decryption key d.

There are two classes of symmetric-key encryption schemes which are commonly distinguished: block ciphers and stream ciphers.

1.26 Definition A block cipher is an encryption scheme which breaks up the plaintext messages to be transmitted into strings (called blocks) of a fixed length t over an alphabet A, and encrypts one block at a time.

Most well-known symmetric-key encryption techniques are block ciphers. A number of examples of these are given in Chapter 7. Two important classes of block ciphers are substitution ciphers and transposition ciphers (§1.5.2). Product ciphers (§1.5.3) combine

© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.


Often the symbols do not occur with equal frequency in plaintext messages. With a simple substitution cipher this non-uniform frequency property is reflected in the ciphertext as illustrated in Example 1.25. A homophonic cipher can be used to make the frequency of occurrence of ciphertext symbols more uniform, at the expense of data expansion. Decryption is not as easily performed as it is for simple substitution ciphers.

Polyalphabetic substitution ciphers

1.30 Definition A polyalphabetic substitution cipher is a block cipher with block length t over an alphabet A having the following properties:
(i) the key space K consists of all ordered sets of t permutations (p_1, p_2, ..., p_t), where each permutation p_i is defined on the set A;
(ii) encryption of the message m = (m_1 m_2 ··· m_t) under the key e = (p_1, p_2, ..., p_t) is given by E_e(m) = (p_1(m_1) p_2(m_2) ··· p_t(m_t)); and
(iii) the decryption key associated with e = (p_1, p_2, ..., p_t) is d = (p_1^{-1}, p_2^{-1}, ..., p_t^{-1}).

1.31 Example (Vigenère cipher) Let A = {A, B, C, ..., X, Y, Z} and t = 3. Choose e = (p_1, p_2, p_3), where p_1 maps each letter to the letter three positions to its right in the alphabet, p_2 to the one seven positions to its right, and p_3 ten positions to its right. If m = THI SCI PHE RIS CER TAI NLY NOT SEC URE then c = E_e(m) = WOS VJS SOO UPC FLB WHS QSI QVD VLM XYO.

Polyalphabetic ciphers have the advantage over simple substitution ciphers that symbol frequencies are not preserved. In the example above, the letter E is encrypted to both O and L. However, polyalphabetic ciphers are not significantly more difficult to cryptanalyze, the approach being similar to the simple substitution cipher. In fact, once the block length t is determined, the ciphertext letters can be divided into t groups (where group i, 1 ≤ i ≤ t, consists of those ciphertext letters derived using permutation p_i), and a frequency analysis can be done on each group.
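Definition 1.30 and Example 1.31 as code, together with the per-group frequency count the paragraph above describes. This is an added example, not part of the Handbook. It assumes the key is a tuple of t permutation dicts (here the three shifts of the example) and that text is reduced to A–Z. `recover_shifts` applies the group-by-group analysis under the usual assumption that E is the most frequent letter of each group; `SAMPLE_M` is a constructed text chosen so that this assumption holds, which the short text of the example is too short to guarantee.

```python
# Added example (not from the Handbook): the polyalphabetic cipher of Definition 1.30,
# Example 1.31, and the t-group frequency count of Section 1.5.2.
# Assumptions: keys are tuples of permutation dicts on A-Z; text is reduced to A-Z.
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def shift_perm(k):
    """Permutation p that maps each letter to the one k positions to its right."""
    return {a: ALPHABET[(i + k) % 26] for i, a in enumerate(ALPHABET)}


def invert(p):
    return {image: letter for letter, image in p.items()}


def letters_only(text):
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def encrypt(key, message):
    """E_e(m): letter i of each block of length t goes through p_i, i.e. the
    permutation used is selected by the letter's position modulo t."""
    t = len(key)
    return "".join(key[i % t][ch] for i, ch in enumerate(letters_only(message)))


def decrypt(key, ciphertext):
    """D_d(c) with d = (p_1^{-1}, ..., p_t^{-1})."""
    return encrypt(tuple(invert(p) for p in key), ciphertext)


def images_of(key, message, letter):
    """All ciphertext letters a plaintext letter is sent to (several, unlike simple substitution)."""
    plain, cipher = letters_only(message), encrypt(key, message)
    return sorted({c for p, c in zip(plain, cipher) if p == letter})


def groups(ciphertext, t):
    """Group i holds the ciphertext letters produced by p_i; each group is a simple
    substitution of the plaintext letters in the same positions."""
    return [ciphertext[i::t] for i in range(t)]


def recover_shifts(ciphertext, t):
    """For shift keys: assume the most frequent letter of each group is the image of E."""
    shifts = []
    for g in groups(ciphertext, t):
        top, _ = Counter(g).most_common(1)[0]
        shifts.append((ALPHABET.index(top) - ALPHABET.index("E")) % 26)
    return tuple(shifts)


# e = (p_1, p_2, p_3) of Example 1.31.
VIGENERE_KEY = (shift_perm(3), shift_perm(7), shift_perm(10))
EXAMPLE_M = "THI SCI PHE RIS CER TAI NLY NOT SEC URE"
# Constructed sample text (28 letters, repeated): because 28 is coprime to t = 3,
# each of the three groups receives every letter of the phrase once, so E (8 of 28)
# is the most frequent letter in every group.
SAMPLE_M = "WHERE THERE IS SMOKE THERE IS FIRE " * 3

if __name__ == "__main__":
    c = encrypt(VIGENERE_KEY, EXAMPLE_M)
    print(c)                                                  # WOSVJSSOOUPCFLBWHSQSIQVDVLMXYO
    print(images_of(VIGENERE_KEY, EXAMPLE_M, "E"))            # ['L', 'O']
    print(recover_shifts(encrypt(VIGENERE_KEY, SAMPLE_M), 3))  # (3, 7, 10)
```

Because the key only adds t independent simple substitutions, the groups are each as weak as Example 1.25; the practical gain of a polyalphabetic cipher is limited to flattening the overall histogram.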

Transposition ciphers

Another class of symmetric-key ciphers is the simple transposition cipher, which simply permutes the symbols in a block.

1.32 Definition Consider a symmetric-key block encryption scheme with block length t. Let K be the set of all permutations on the set {1, 2, ..., t}. For each e ∈ K define the encryption function E_e(m) = (m_{e(1)} m_{e(2)} ··· m_{e(t)}) where m = (m_1 m_2 ··· m_t) ∈ M, the message space. The set of all such transformations is called a simple transposition cipher. The decryption key corresponding to e is the inverse permutation d = e^{-1}. To decrypt c = (c_1 c_2 ··· c_t), compute D_d(c) = (c_{d(1)} c_{d(2)} ··· c_{d(t)}).

A simple transposition cipher preserves the number of symbols of a given type within a block, and thus is easily cryptanalyzed.
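Definition 1.32 as code, an added example that is not from the Handbook. Keys are 1-based tuples (e(1), ..., e(t)) as in the definition, and the last block is padded with X (an assumption; the text does not specify padding). `symbol_counts_preserved` checks the property the text uses to explain why the cipher is easily cryptanalysed: every ciphertext block is an anagram of its plaintext block.

```python
# Added example (not from the Handbook): the simple transposition cipher of Definition 1.32.
# Assumptions: the key e is a 1-based tuple (e(1), ..., e(t)); the last block is padded with X.
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def check_key(e):
    """e must be a permutation of {1, 2, ..., t}."""
    if sorted(e) != list(range(1, len(e) + 1)):
        raise ValueError("key is not a permutation of {1,...,t}")
    return e


def inverse_permutation(e):
    """d = e^{-1}, i.e. d(e(i)) = i."""
    d = [0] * len(e)
    for i, ei in enumerate(check_key(e), start=1):
        d[ei - 1] = i
    return tuple(d)


def transpose_block(perm, block):
    """(x_{perm(1)} x_{perm(2)} ... x_{perm(t)}): used both for E_e and for D_d."""
    return "".join(block[perm[i] - 1] for i in range(len(perm)))


def to_blocks(text, t, pad="X"):
    letters = "".join(ch for ch in text.upper() if ch in ALPHABET)
    if len(letters) % t:
        letters += pad * (t - len(letters) % t)
    return [letters[i:i + t] for i in range(0, len(letters), t)]


def encrypt(e, message):
    t = len(check_key(e))
    return " ".join(transpose_block(e, b) for b in to_blocks(message, t))


def decrypt(e, ciphertext):
    d = inverse_permutation(e)
    return " ".join(transpose_block(d, b) for b in to_blocks(ciphertext, len(d)))


def symbol_counts_preserved(e, message):
    """True if each ciphertext block has exactly the letter counts of its plaintext block."""
    plain_blocks = to_blocks(message, len(e))
    cipher_blocks = encrypt(e, message).split()
    return all(Counter(p) == Counter(c) for p, c in zip(plain_blocks, cipher_blocks))


if __name__ == "__main__":
    e = (2, 5, 1, 4, 3)          # constructed key on {1,...,5}
    m = "THISC IPHER ISCER TAINL YNOTS ECURE"
    c = encrypt(e, m)
    print(c)                     # HCTSI PRIEH SRIEC ALTNI NSYTO CEERU
    print(decrypt(e, c))         # THISC IPHER ISCER TAINL YNOTS ECURE
    print(symbol_counts_preserved(e, m))   # True
```

Note that the plaintext letter statistics are untouched by transposition; only their positions within a block change, which is why the text calls it easily cryptanalysed.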



1.5.3 Composition of ciphers

In order to describe product ciphers, the concept of composition of functions is introduced. Compositions are a convenient way of constructing more complicated functions from simpler ones.

Composition of functions

1.33 Definition Let S, T, and U be finite sets and let f : S → T and g : T → U be functions. The composition of g with f, denoted g ◦ f (or simply gf), is a function from S to U as illustrated in Figure 1.8 and defined by (g ◦ f)(x) = g(f(x)) for all x ∈ S.

[Figure 1.8 diagram: f maps S = {a, b, c} into T = {1, 2, 3, 4} and g maps T into U = {s, t, u, v}; the right-hand panel shows the resulting g ◦ f directly from S to U.]

Figure 1.8: The composition g ◦ f of functions g and f.

Composition can be easily extended to more than two functions. For functions f_1, f_2, ..., f_t, one can define f_t ◦ ··· ◦ f_2 ◦ f_1, provided that the domain of f_t equals the codomain of f_{t-1} and so on.

Compositions and involutions

Involutions were introduced in §1.3.3 as a simple class of functions with an interesting property: E_k(E_k(x)) = x for all x in the domain of E_k; that is, E_k ◦ E_k is the identity function.

1.34 Remark (composition of involutions) The composition of two involutions is not necessarily an involution, as illustrated in Figure 1.9. However, involutions may be composed to get somewhat more complicated functions whose inverses are easy to find. This is an important feature for decryption. For example, if E_{k_1}, E_{k_2}, ..., E_{k_t} are involutions then the inverse of E_k = E_{k_1} E_{k_2} ··· E_{k_t} is E_k^{-1} = E_{k_t} E_{k_{t-1}} ··· E_{k_1}, the composition of the involutions in the reverse order.

[Figure 1.9 diagram: two involutions f and g on the set {1, 2, 3, 4}, drawn as arrow diagrams, and their composition g ◦ f.]

Figure 1.9: The composition g ◦ f of involutions g and f is not an involution.
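Definition 1.33 and Remark 1.34 as code, added here and not from the Handbook. `compose` applies its rightmost argument first, matching (g ◦ f)(x) = g(f(x)). F and G are constructed involutions on {1, 2, 3, 4} in the spirit of Figure 1.9 (the figure's exact arrows are not reproduced), and the byte-string steps (XOR with a repeating key, reversal, swapping adjacent bytes) are constructed involutions standing in for E_{k_1}, ..., E_{k_t}; composing them in reverse order gives the inverse, while applying the forward composition twice does not.

```python
# Added example (not from the Handbook): composition of functions (Definition 1.33)
# and of involutions (Remark 1.34). F, G and the byte-string steps are constructed.


def compose(*fs):
    """Return f_t o ... o f_2 o f_1 for fs = (f_t, ..., f_2, f_1): the rightmost
    function is applied first, so compose(g, f)(x) == g(f(x))."""
    def composed(x):
        for f in reversed(fs):
            x = f(x)
        return x
    return composed


# A permutation of {1, ..., n} is a tuple p with p[i - 1] = image of i.
def as_function(p):
    return lambda x: p[x - 1]


def as_permutation(f, n):
    return tuple(f(x) for x in range(1, n + 1))


def is_involution(p):
    """p o p is the identity."""
    return all(p[p[x - 1] - 1] == x for x in range(1, len(p) + 1))


F = (2, 1, 4, 3)   # constructed involution: swaps 1<->2 and 3<->4
G = (1, 3, 2, 4)   # constructed involution: swaps 2<->3


def composition_of_involutions():
    """g o f of two involutions need not be an involution (the point of Figure 1.9)."""
    gf = as_permutation(compose(as_function(G), as_function(F)), 4)
    return gf, is_involution(F), is_involution(G), is_involution(gf)


# Constructed involutions on byte strings, standing in for E_{k_1}, ..., E_{k_t}.
def xor_with(key):
    def step(data):
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return step


def reverse_bytes(data):
    return data[::-1]


def swap_pairs(data):
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


STEPS = [xor_with(b"\x5a\xc3\x17"), reverse_bytes, swap_pairs, xor_with(b"\x0f")]


def product_cipher(steps=STEPS):
    """E_k = E_{k_1} E_{k_2} ... E_{k_t} (E_{k_t} applied first) and its inverse
    E_k^{-1} = E_{k_t} ... E_{k_1}: the same involutions composed in reverse order."""
    return compose(*steps), compose(*reversed(steps))


def steps_are_involutions(data, steps=STEPS):
    return all(s(s(data)) == data for s in steps)


def roundtrip(data):
    E, E_inv = product_cipher()
    return E_inv(E(data)) == data


def forward_twice_undoes(data):
    """Would applying E_k twice recover the input? Not in general, since E_k itself
    is not an involution even though every step is one."""
    E, _ = product_cipher()
    return E(E(data)) == data


if __name__ == "__main__":
    print(composition_of_involutions())        # ((3, 1, 4, 2), True, True, False)
    print(roundtrip(b"handbook example"))      # True
    print(forward_twice_undoes(bytes(6)))      # False
```

This ordering rule is what lets a round-based cipher reuse its round functions for decryption: each round is an involution, so the decryption transformation is simply the rounds in reverse order.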
