# Information-theoretic Cryptography

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Information-theoretic Cryptography Hermann Gruber, papro.soft GbR June 6, 2005 Abstract In 1949, Shannon published the paper Communication theory of secrecy systems. This constituted a foundational treatment and analysis of encryption systems. He transferred the methods of information theory, originally developed as a mathematical model for communication over noisy channels to the setting of cryptosystems. We give a brief introduction into his most outstanding ideas, such as the notions of perfect/provable security, and statistical/information-theoretic concepts like entropy, key equivocation, and unicity distance. 1

2 Contents 1 Introduction 3 2 Cryptosystems 3 3 Perfect Secrecy Systems Definition of Perfect Secrecy Development of the Tools One-time Pad provides Perfect Secrecy Characterization of Perfect Secrecy Conclusions about Perfect Secrecy Information Theoretic Concepts Entropy Conditional Entropy Statistical Analysis of Imperfect Cryptosystems Entropy of Natural Language Unicity Distance Conclusion 10 2

3 1 Introduction In 1949, Shannon published the paper Communication theory of secrecy systems [Sha49]. This constituted a foundational treatment and analysis of encryption systems. He transferred the methods of information theory, originally developed as a mathematical model for communication over noisy channels [Sha48], to the setting of cryptosystems. This includes the concepts of entropy and conditional entropy as measures for the secrecy of a system. Some of his seminal ideas inspired upcoming round-based encryption systems, such as the Data Encryption Standard [FIP93] or the modern Advanced Encryption Standard [FIP01]. But his most relevant achievement was his proof of the existence of systems with perfect secrecy. Informally stated, a system provides perfect secrecy if an intercepted cryptogram unveals no information about the plaintext, even provided the attacker has unbounded computational power. This is indeed a very strong assumption. The secrecy of most systems used today stems from computational hardness of code breaking: It is unlikely that an attacker with bounded computational power can break the code within reasonable time - unless he knows about some yet undiscovered clues, such as a fast factorization algorithm. (It should be mentioned that Shannon also included an informal discussion of this approach.) But why don t we use perfect secrecy systems today if we could? The main drawback of these systems is that the length of the key must equal the length of the plaintext message. And the key can be used only once (the most prominent among these carries the name One-Time Pad ). Hence, we will have to transfer a large amount of data over a secure channel. Despite this apparent objection to practical applications, such systems are in use. For example, in a diplomatic context, two persons may agree at some time about a key, and both keep it in a secure place until it is needed. Then they can communicate in urgent cases over an insecure channel, while having achieved perfect secrecy. But most practical cryptosystems re-use a key more than once. Since in natural language there are symbols which appear more often than others, statistical attacks are possible. This is a principal weakness known to cryptanalists for a long time. For example, suppose an english message M is encrypted using a simple substitution (say every occurence of E is replaced by Q, and so on). For short ciphertexts, there are usually many reasonable plaintext candidates (and candidates for the key). Among these candidates, only one is correct; the others are spurious keys. With the length of the message, the probability for some few candidates increases, while it decreases for the others. Finally, there is a length where a single plaintext is most likely, whereas all others have probabilities near zero. This length is called unicity distance. Shannon formalized this idea and gave an estimate for this measure. The relevance of Shannon s pioneering work for modern systems is twofold: most today s cryptosystems do not incorporate perfect secrecy; statistical/information-theoretic methods are not the main tools of modern cryptanalysis. However, there are applications where perfect secrecy is needed; and many of the Shannon s original ideas are incorporated in the design of modern encryption algorithms. The paper is organized as follows: After this introduction, we give a mathematical definition of what constitutes a cryptosystem in the next chapter. Then we introduce the reader into Shannon s term of perfect secrecy systems, culminating in a complete characterization of these systems. Before we go over to the analysis of imperfect cryptosystems, we familiarize the reader with basic concepts of information theory. Finally, we end up with some concluding remarks on the impact of Shannon s work on today s developments in cryptography. 2 Cryptosystems Before we start off, we need to clarify what we are talking about: Definition 2.1 Cryptography is [...] the study of means of converting information from its normal, comprehensible form into an incomprehensible format, rendering it unreadable without 3

5 bution, how much differs the a posteriori probability distribution when Ivan has observed a certain ciphertext c? A secrecy system is called perfectly secure if the a priori probability distribution equals the a posteriori distribution. Definition 3.1 (Shannon 1949) A cryptosystem with probability distributions on message space M and keyspace K is said to be perfectly secret, if for all ciphertext messages c and all messages m holds P r[m c] = P r[m] An example for a perfect secrecy system is the following: Example 3.1 ( One-Time Pad (Gilbert Vernam 1926, patented 1919)) M = K = C = {0, 1} n keys are chosen equiprobable encryption/decryption: bitwise modulo-2-addition of key and message key is only used once. (Note that the key is as long as the message.) Can we prove that this system is perfectly secure? 3.2 Development of the Tools Suppose Ivan intercepts a ciphertext c, and wants to obtain a posteriori (conditional) distribution on M, depending on c. A very common and useful theorem for dealing with conditional probabilities is Bayes theorem: Theorem 1 (Bayes theorem) Let C and M denote random variables. If P [C = c] > 0, then P [C = c M = m]p [M = m] P [M = m C = c] = P [C = c] Furthermore, C and M are independent iff P [M = m C = c] = P [M = m]. Next, we define the set of possible keys for a given cipher c: K(c) = {k K m M : T k (m) = c} And, accordingly the set of possible keys for a given message m and a given ciphertext c is defined as K(c, m) = {k K T k (m) = c}. and Then, we have obviously P [C = c] = k K(c) P [C = c M = m] = Putting these into Bayes formula yields P [M = m C = c] = = P [K = k]p [M = T 1 k (c)] k K(c,m) P [K = k]. P [C = c M = m]p [M = m] P [C = c] P [K = k]p [M = m] k K(c,m) k K(c) 1 P [K = k]p [M = Tk (c)] In this way, we can always compute the a posteriori probability distribution from the known a priori probability distribution and an intercepted ciphertext; Furthermore, this calculation can be carried out without much effort. 5

6 3.3 One-time Pad provides Perfect Secrecy Now we are ready to prove that the One-time Pad does indeed provide perfect secrecy. Theorem 2 The One-time Pad is a perfect secrecy system. Proof We have to show that for every possible messages m and every possible ciphertext c holds P [M = m C = c] = P [M = m]. For every k, we have P [K = k] = ( 1 n, 2) as the keys are chosen equiprobably. So we obtain ) n P [C = c] = ( 1 2 k K(c) P [M = T 1 k (c)] for every possible ciphertext c. Next, see that for every message-ciphertext pair m, c, there is a unique key that can be used for m to obtain c; In other words, K(c, m) = 1 for every pair m, c Using this knowledge in the above equation, we get P [M = T 1 k (c)] = P [M = m] = 1; m M and we conclude k K(c) P [C = c] = ( ) 1 n. 2 That is, C is distributed equiprobably over the ciphertext space. We had seen in the previous section that P [C = c M = m] = k K(c,m) P [K = k]. Now, for every possible message-ciphertext pair K(c, m) = 1, and the following holds: P [C = c M = m] = ( ) 1 n P [K = k] = 2 k K(c,m) Surely, this is the wrong probability distribution, as we actually want to determine P [C = c M = m]. But we can use Bayes formula to flip the variables in a conditional distribution: P [M = m C = c] = = P [C = c M = m]p [M = m] P [C = c] P [C = c M = m]p [M = m] ( 1 n 2) = (1/2)n P [M = m] (1/2) n = P [M = m]. So, we have proved that there exist examples of perfect secrecy systems, and we have seen that One-time Pad is indeed a living example of this species. 3.4 Characterization of Perfect Secrecy The main ideas from the previous chapter can be generalized to obtain sufficient conditions for perfect secrecy. Then it is not hard to show that all of these conditions are also necessary, and with not to much effort one obtains the following Theorem 3 (Perfect Secrecy Theorem [Sha49]) A cryptosystem provides perfect secrecy if and only if 6

7 M = C = K every key is used with equal probability 1/ K, and for every message-cipher-pair m, c, there is a unique key k with c = T k (m). (The proof can be found in [Sti02].) Thus it can be seen that all perfect secrecy systems are very similar in nature one might even be tempted that they are all just different encodings of the One-time Pad. Note that perfect secrecy has a high price: From the above theorem, we can see that Perfect Secrecy is often impractical, as the key needs to be as long as the plaintext message this can be seen from the fact that the message space has to be as large as the key space, and since all keys are chosen equiprobably, we cannot use compression to reduce the length of the key. 3.5 Conclusions about Perfect Secrecy Some possible ways around are proposed in the following: We may make use of pseudo-random generators instead of true random choice for the One-Time Pad. This allows to dramatically reduce the size of the key which has to be transmitted. On the other hand, this provides no longer perfect secrecy. We may rethink our model of secrecy: Is it too pessimistic to think of the enemy as having unbounded computational power? These considerations led to the development of other models for secrecy, where the enemy only has limited computational power, but may have other possibilities, for example he may have discovered a plaintext-ciphertext pair. Unfortunately, a mathematical analysis of this setting seems to be very hard to the moment, no positive results about the secrecy of systems are proved without using additional assumptions. Nevertheless, the One-Time pad is still in use for very critical purposes, such as in diplomatic or military contexts. 4 Information Theoretic Concepts 4.1 Entropy The difficulties arising with perfect secrecy systems, namely the need for transmission of a large key over a secure channel, raises the following question: What if we use the same key more than once? The mathematical analysis is again due to Shannon. He used a concept from information theory, namely entropy. Informally spoken, the entropy measures the average degree of uncertainty of a statistical quantity. Shannon gave the following definition along with a mathematical motivation for using entropy as a measure for information. Definition 4.1 (Entropy, [Sha48]) Let X be a random variable taking on the values 1,...,n. Then n H(X) = P [X = i]log 2 P [X = i] i=1 Example 4.1 If we throw a fair (Laplace) die, the result is an equiprobably distributed random variable X. Its entropy can be calculated as H(X) = log = log 26 i=1 7

8 In general, the entropy of a random variable taking on values from 1 to n, the entropy is bounded above by the one of an equiprobable distribution: X ranges from 1 to n H(X) log 2 n. 4.2 Conditional Entropy In the theory of probability, we often consider conditional random variables. The following generalization of the definition is besides of its importance for information theory of particular use for the analysis of secrecy systems: Definition 4.2 (Conditional Entropy, [Sha48]) Let Y be another random variables, taking values 1,...,m The conditional entropy H(X Y ) is H(X Y ) = m p(y = j)h(x Y = j) j=1 We can state that conditional entropy measures the average uncertainity about X given observations of the variable Y. In the context of (imperfect) secrecy systems, we can use this quantity to answer the following natural question: How much average uncertainty remains about the key remains provided we have intercepted the ciphertext? For a secrecy system, we call the conditional entropy H(K C) the key equivocation. Shannon found that for this quantity holds [Sha49] Theorem 4 H(K C) = H(M) + H(K) H(C) (The proof can be found in [Sti02],Thm ) As an immediate implication of the above theorem, we have H(K C) = H(K) in the case of a perfect secrecy system, and this is a necessary and sufficient condition for perfect secrecy. That is, uncertainty about the key does not decrease with knowledge of the ciphertext. 5 Statistical Analysis of Imperfect Cryptosystems 5.1 Entropy of Natural Language If a cryptosystem is not perfectly secure, we can deduce that some keys are more likely than others provided we encode some information with a reasonable probability distribution. In particular, we analyze the situation where the same key is reused over and over again to encode a sequence of messages. Suppose the same key is used over and over again to encode a long message, and Ivan knows a priori that Alfons and Boris exchange messages in natural language. So, Boris can reduce the message space to a smaller space of likely messages and hence the key space. To formalize our intuition, we need a notion of the entropy of a natural language, such as English. Suppose we have intercepted a part of a ciphertext having three (n) letters. We know that some tri-grams (n-grams) are very common in English, such as THE is much more likely to occur than SRX (although one should be aware that the situation is entirely different in marketing english: The company Linksys uses SRX as acronym for Speed and Range expansion [ocsi]; In general, words on three letters with an X are very common in technical marketing speech!) We define M n as the probability distribution for plaintext messages of length n, and correspondingly C n for the ciphertexts. Note that C n is far from being equiprobably distributed, as we reuse the same key n times! 8

9 The entropy of the english language is then defined as H L = lim n H(M n ) An immediate upper bound is the entropy of random strings over the 26-letter alphabet, that is H L log ; A better estimate is obtained by sweeping large amounts of english texts. Such experiments led to the empirical result 1.0 H L Unicity Distance. We go on with the assumption that the same key was used n times, and a ciphertext of length was intercepted. In this situation, a cryptanalyst can deduce that a small subset of the keyspace contains the key which was actually used for encrypting. Of course, only one key was actually used; this subset of the keyspace excluding the correct key is called a set of spurious keys. More formally, S n (c) denotes the set of keys k for which, given a ciphertext c of length n, there is an decryption T 1 k (c) = m such that m is a meaningful english text. (To avoid complications, we omit a detailed definition of the term meaningful... ) The longer the intercepted ciphertext message, the more keys can be ruled out, as they do not encode sensible messages; and the smaller is the remaining set of spurious keys. We are interested to what extent the number of spurious keys reduces, if we intercept more and more ciphertext, and in particular we want to determine the amount of ciphertext where the number of spurious keys approaches zero. This amount is called the unicity distance. The average number of spurious keys over all possible ciphertexts of length n is denoted by s n, and it holds s n = c C n P r[c]( S n (c) 1) = c C n (P r[c]s n (c)) 1 We want to calculate the value s n, and in particular we are interested in the point n where the number of spurious keys approaches zero. We continue with some estimates; first we show how s n can be related to the key equivocation of a ciphertext of length n: H(K C n ) = P r[c]h(k c) c C n P r[c] log 2 S n (c), c C n since we can assume K c ranges only over values encoding meaningful messages. The last term in the above inequality almost looks like our formula for the average number of spurious keys. From theory on convex functions, we can apply Jensen s inequality [Jen06] to obtain c C n P r[c] log 2 ( S n (c) ) log 2 ( c C n P r[c] S n(c) ) = log 2 ( s n + 1) Recall from Theorem 4 that H(K C n ) = H(K) + H(M n ) H(C n ). We can estimate that H(M n ) nh L and H(C n ) n log 2 C. Putting all things together, we get the following Theorem 5 ([Sha49], see also [SL]) For a cryptosystem in which keys are chosen equiprobably and M = C, we have the heuristic s n K /( M ) n(1 H L) 1 9

10 To estimate the unicity distance, we simply put s n = 0 in the above inequality. In particular, for modern block ciphers, we have a unicity distance which is lower than 2. This means that, by information-theoretic means, intercepting only two ciphertext blocks will be enough to reproduce the key. Fortunately, today s human or software attackers only have bounded computational power... 6 Conclusion Shannon s pioneering work is regarded by much people working in the field as the foundation of cryptography. We have looked at some of the most aspects of his work which count to the opinion of the author among the most relevant. This included the development of a model of a cryptosystem, with Alfons and the key generator as statistical information source. The enciphered text is transmitted over a public channel, while nobody but Alfons and Bob know anything about the secret key, and the plaintext - inlcuding a possible attacker Ivan. The attacker is assumed to have unbounded computational power, and by the Kerckhoffs principle he knows the interior mechanism of the cryptosystem. This principle of transparency is very important for most of modern cryptography, as the designer of a cryptosystem has to take care that secrecy is based only on the secret key being unknown. Today s cryptographic community mostly shows an offensive handling with this principle: All details of the design of modern cryptographic algorithms are publicly available. This allows the community to carry out a rigorous process of scrutiny. Potential flaws or weaknesses can be discussed publicly, and anyone not trusting the secrecy of the system is free to rule out his doubts himself. Using concepts from probability and information theory, we have analyzed an example of a perfect secrecy system, that is, a system where an attacker cannot gain any kind of information from observing the ciphertext, regardless of his computational resources (in bth time and space) nor the length of the observed ciphertext. This example is the One-Time Pad, which was developed by the engineer Gilbert Vernam. We also stated a characterization of perfect secrecy systems, from which we saw that all such systems are essentially alike. Perfect secrecy requires that the amount of key information to be transported over a secure channel is the same as the amount of information which we desire to encrypt. This is a disadvantage of perfect secrecy, and explains its little importance in practice. We used concepts from information theory to analyze the case where we cannot have perfect secrecy, but use the same key over and over again. Using concepts from information theory, we saw that there exists a certain amount of ciphertext which is enough to uniquely determine not only the plaintext message, but the key which was actually used; and we can roughly estimate the size of this required amount. Information theory can sometimes be a powerful tool to prove lower bounds on computational hardness in general a very challenging task. We have shown that no algorithm can break a perfect secrecy system. Another example is the folklore result that any general (comparison-based,deterministic) algorithm sorting n items requires time Ω(n log n). But, unfortunately, in most situations lower bounds from information theory perform arbitrarily bad this is where we require additional (unproved) assumptions on which mathematical proofs of secrecy properties are based. References [FIP93] Federal Information Processing Standards. Announcing the Standard for Data Encryption Standard (DES),

11 [FIP01] Federal Information Processing Standards. Announcing Advanced Encryption Standard (AES), [Jen06] J. L. W. V. Jensen. Sur les fonctions convexes et les inégalités entre les valeurs moyennes. Acta Math., 30: , [Ker83] A. Kerckhoffs. La cryptographie militaire i. Journal des sciences militaires, IX:5 138, January [ocsi] Linksys A Division of Cisco Systems Inc. [Sha48] C.E. Shannon. A mathematical theory of communication. Bell Systems Technical Journal, 27(3): , July [Sha49] C.E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28: , October [SL] Nigel Smart and John Malone Lee. Introduction to cryptography. Lecture notes of course COMS30124 at the University of Bristol. [Sti02] D. R. Stinson. Cryptography Theory and Practice, chapter Shannon s Theory. Discrete Mathematics and its Applications. Chapman and Hall / CRC,

### Communication Theory of Secrecy Systems

Communication Theory of Secrecy Systems By C. E. SHANNON 1 INTRODUCTION AND SUMMARY The problems of cryptography and secrecy systems furnish an interesting application of communication theory 1. In this

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### The mathematics of cryptology

The mathematics of cryptology Paul E. Gunnells Department of Mathematics and Statistics University of Massachusetts, Amherst Amherst, MA 01003 www.math.umass.edu/ gunnells April 27, 2004 What is Cryptology?

### Solutions to Problem Set 1

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #8 Zheng Ma February 21, 2005 Solutions to Problem Set 1 Problem 1: Cracking the Hill cipher Suppose

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

### SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### 1 Data Encryption Algorithm

Date: Monday, September 23, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer

### Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Outline. Cryptography. Bret Benesh. Math 331

Outline 1 College of St. Benedict/St. John s University Department of Mathematics Math 331 2 3 The internet is a lawless place, and people have access to all sorts of information. What is keeping people

### Effective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2

Effective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2 Research Student, Bharti Vidyapeeth, Pune, India sd_patil057@rediffmail.com Modern College of Engineering,

### SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION September 2010 (reviewed September 2014) ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK NETWORK SECURITY

### Lecture 5 - Cryptography

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Thinking of a (block) cipher as a permutation (depending on the key) on strings of a certain size, we would not want such a permutation to have many

Fixed points of permutations Let f : S S be a permutation of a set S. An element s S is a fixed point of f if f(s) = s. That is, the fixed points of a permutation are the points not moved by the permutation.

### The Data Encryption Standard (DES)

The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric

### Diffusion and Data compression for data security. A.J. Han Vinck University of Duisburg/Essen April 2013 Vinck@iem.uni-due.de

Diffusion and Data compression for data security A.J. Han Vinck University of Duisburg/Essen April 203 Vinck@iem.uni-due.de content Why diffusion is important? Why data compression is important? Unicity

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

### Cryptography. some history. modern secret key cryptography. public key cryptography. cryptography in practice

Cryptography some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) modern secret key cryptography DES, AES public key cryptography RSA, digital signatures cryptography in practice

### Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 1: Introduction Ion Petre Department of IT, Åbo Akademi University January 10, 2012 1 Motto Unfortunately, the technical

### Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

Cryptography: Motivation Many areas have sensitive information, e.g. Data Structures and Algorithms Cryptography Goodrich & Tamassia Sections 3.1.3 & 3.1.4 Introduction Simple Methods Asymmetric methods:

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### A Numerical Study on the Wiretap Network with a Simple Network Topology

A Numerical Study on the Wiretap Network with a Simple Network Topology Fan Cheng and Vincent Tan Department of Electrical and Computer Engineering National University of Singapore Mathematical Tools of

### Topic 1: Cryptography

1 Introduction to Cryptography: 1.1 Science SCIE1000 Project, Semester 1 2011 Topic 1: Cryptography Cryptography is the science of using mathematics to hide information. Cryptography allows us to store

### IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

### Cryptography and Network Security

Cryptography and Network Security Xiang-Yang Li Introduction The art of war teaches us not on the likelihood of the enemy s not coming, but on our own readiness to receive him; not on the chance of his

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Introduction to Encryption

Computers and Society Introduction to Encryption Chris Brooks Department of Computer Science University of San Francisco Department of Computer Science University of San Francisco p.1/35 3-0: Terminology

### SECURITY EVALUATION OF EMAIL ENCRYPTION USING RANDOM NOISE GENERATED BY LCG

SECURITY EVALUATION OF EMAIL ENCRYPTION USING RANDOM NOISE GENERATED BY LCG Chung-Chih Li, Hema Sagar R. Kandati, Bo Sun Dept. of Computer Science, Lamar University, Beaumont, Texas, USA 409-880-8748,

### Network Security. HIT Shimrit Tzur-David

Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key

### Chap 2. Basic Encryption and Decryption

Chap 2. Basic Encryption and Decryption H. Lee Kwang Department of Electrical Engineering & Computer Science, KAIST Objectives Concepts of encryption Cryptanalysis: how encryption systems are broken 2.1

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### A Probabilistic Quantum Key Transfer Protocol

A Probabilistic Quantum Key Transfer Protocol Abhishek Parakh Nebraska University Center for Information Assurance University of Nebraska at Omaha Omaha, NE 6818 Email: aparakh@unomaha.edu August 9, 01

### Hill s Cipher: Linear Algebra in Cryptography

Ryan Doyle Hill s Cipher: Linear Algebra in Cryptography Introduction: Since the beginning of written language, humans have wanted to share information secretly. The information could be orders from a

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Theory of Computation Prof. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras

Theory of Computation Prof. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture No. # 31 Recursive Sets, Recursively Innumerable Sets, Encoding

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### A New Interpretation of Information Rate

A New Interpretation of Information Rate reproduced with permission of AT&T By J. L. Kelly, jr. (Manuscript received March 2, 956) If the input symbols to a communication channel represent the outcomes

### 159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication

### Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

CS-4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 59-75, 92-93) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret

### Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was

### Network Security - ISA 656 Introduction to Cryptography

Network Security - ISA 656 Angelos Stavrou September 18, 2007 Codes vs. K = {0, 1} l P = {0, 1} m C = {0, 1} n, C C E : P K C D : C K P p P, k K : D(E(p, k), k) = p It is infeasible to find F : P C K Let

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Cryptography & Digital Signatures

Cryptography & Digital Signatures CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration Prof. Sloan s Slides, 2007, 2008 Robert H.

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11

CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note Conditional Probability A pharmaceutical company is marketing a new test for a certain medical condition. According

### A NEW APPROACH FOR COMPLEX ENCRYPTING AND DECRYPTING DATA

A NEW APPROACH FOR COMPLEX ENCRYPTING AND DECRYPTING DATA ABSTRACT Obaida Mohammad Awad Al-Hazaimeh Department of Information Technology, Al-balqa Applied University, AL-Huson University College, Irbid,

### Cryptographic mechanisms

General Secretariat for National Defence Central Directorate for Information Systems Security PRIME MINISTER Paris, 2007 september 14 No. 1904/SGDN/DCSSI/SDS/LCR Cryptographic mechanisms Rules and recommendations

### Cryptography & Network Security

Cryptography & Network Security Lecture 1: Introduction & Overview 2002. 3. 27 chlim@sejong.ac.kr Common Terms(1) Cryptography: The study of mathematical techniques related to aspects of information security

### Introduction To Security and Privacy Einführung in die IT-Sicherheit I

Introduction To Security and Privacy Einführung in die IT-Sicherheit I Prof. Dr. rer. nat. Doğan Kesdoğan Institut für Wirtschaftsinformatik kesdogan@fb5.uni-siegen.de http://www.uni-siegen.de/fb5/itsec/

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

### Sandeep Mahapatra Department of Computer Science and Engineering PEC, University of Technology s.mahapatra15101987@gmail.com

Computing For Nation Development, March 10 11, 2011 Bharati Vidyapeeth s Institute of Computer Applications and Management, New Delhi A Comparative Evaluation of Various Encryptions Techniques Committing

### One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

### Message Authentication Codes. Lecture Outline

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### 9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

### Introduction to Hill cipher

Introduction to Hill cipher We have explored three simple substitution ciphers that generated ciphertext C from plaintext p by means of an arithmetic operation modulo 26. Caesar cipher: The Caesar cipher

### An Overview of Common Adversary Models

An Overview of Common Adversary Karl Palmskog palmskog@kth.se 2012-03-29 Introduction Requirements of Software Systems 1 Functional Correctness: partial, termination, liveness, safety,... 2 Nonfunctional

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Secret Key Cryptography (I) 1 Introductory Remarks Roadmap Feistel Cipher DES AES Introduction

### Evaluation of the RC4 Algorithm for Data Encryption

Evaluation of the RC4 Algorithm for Data Encryption Allam Mousa (1) and Ahmad Hamad (2) (1) Electrical Engineering Department An-Najah University, Nablus, Palestine (2) Systems Engineer PalTel Company,

### YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

### I. INTRODUCTION. of the biometric measurements is stored in the database

122 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL 6, NO 1, MARCH 2011 Privacy Security Trade-Offs in Biometric Security Systems Part I: Single Use Case Lifeng Lai, Member, IEEE, Siu-Wai

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

### Symmetric Key cryptosystem

SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

### Secure Physical-layer Key Generation Protocol and Key Encoding in Wireless Communications

IEEE Globecom Workshop on Heterogeneous, Multi-hop Wireless and Mobile Networks Secure Physical-layer ey Generation Protocol and ey Encoding in Wireless Communications Apirath Limmanee and Werner Henkel

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

### Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST) When will a quantum computer be built that breaks current crypto? 15 years, \$1 billion USD, nuclear power

### Message Authentication Codes

2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

### NUMBER THEORY AND CRYPTOGRAPHY

NUMBER THEORY AND CRYPTOGRAPHY KEITH CONRAD 1. Introduction Cryptography is the study of secret messages. For most of human history, cryptography was important primarily for military or diplomatic purposes

### Bit-Level Encryption and Decryption of Images Using Genetic Algorithm: A New Approach

Bit-Level Encryption and Decryption of Images Using Genetic Algorithm: A New Approach Gamil R. S. Qaid 1, Sanjay N. Talbar 2 1 Research Student, Electronics & Telecommunications Dept.,S.G.G.S. institute

### INTRODUCTION TO CODING THEORY: BASIC CODES AND SHANNON S THEOREM

INTRODUCTION TO CODING THEORY: BASIC CODES AND SHANNON S THEOREM SIDDHARTHA BISWAS Abstract. Coding theory originated in the late 1940 s and took its roots in engineering. However, it has developed and

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

Hill Cipher Project K80TTQ1EP-??,VO.L,XU0H5BY,_71ZVPKOE678_X,N2Y-8HI4VS,,6Z28DDW5N7ADY013 Directions: Answer all numbered questions completely. Show non-trivial work in the space provided. Non-computational

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

### Cryptography: RSA and the discrete logarithm problem

Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

### Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

### Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Key Agreement from Close Secrets over Unsecured Channels Winter 2010 Andreas Keller Contens 1. Motivation 2. Introduction 3. Building Blocks 4. Protocol Extractor Secure Sketches (MAC) message authentication

### Privacy and Security in the Internet of Things: Theory and Practice. Bob Baxley; bob@bastille.io HitB; 28 May 2015

Privacy and Security in the Internet of Things: Theory and Practice Bob Baxley; bob@bastille.io HitB; 28 May 2015 Internet of Things (IoT) THE PROBLEM By 2020 50 BILLION DEVICES NO SECURITY! OSI Stack

### Lecture 17: Re-encryption

600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy

### Discrete Mathematics for CS Fall 2006 Papadimitriou & Vazirani Lecture 22

CS 70 Discrete Mathematics for CS Fall 2006 Papadimitriou & Vazirani Lecture 22 Introduction to Discrete Probability Probability theory has its origins in gambling analyzing card games, dice, roulette

### CHAPTER 6. Shannon entropy

CHAPTER 6 Shannon entropy This chapter is a digression in information theory. This is a fascinating subject, which arose once the notion of information got precise and quantifyable. From a physical point

### HASH CODE BASED SECURITY IN CLOUD COMPUTING

ABSTRACT HASH CODE BASED SECURITY IN CLOUD COMPUTING Kaleem Ur Rehman M.Tech student (CSE), College of Engineering, TMU Moradabad (India) The Hash functions describe as a phenomenon of information security

### Fundamentals of Computer Security

Fundamentals of Computer Security Spring 2015 Radu Sion Intro Encryption Hash Functions A Message From Our Sponsors Fundamentals System/Network Security, crypto How do things work Why How to design secure