CODING, CRYPTOGRAPHY and CRYPTOGRAPHIC PROTOCOLS

prof. RNDr. Jozef Gruska, DrSc.
Faculty of Informatics, Masaryk University
December 6, 2011

The technical implementation of this teaching aid is co-financed by the European Social Fund and the state budget of the Czech Republic. INVESTMENT IN THE DEVELOPMENT OF EDUCATION

Contents

1. Basics of Coding Theory
2. Linear Codes
3. Cyclic Codes and Channel Codes
4. Secret-key Cryptosystems
5. Public-key Cryptosystems, I. Key Exchange, Knapsack, RSA
6. Public-key Cryptosystems, II. Other Cryptosystems, Security, PRG, Hash Functions
7. Digital Signatures
8. Elliptic Curves Cryptography and Factorization
9. Identification, Authentication, Secret Sharing and E-commerce
10. Protocols to do Seemingly Impossible and Zero-knowledge Protocols
11. Steganography and Watermarking
12. From Theory to Practice in Cryptography
13. Quantum Cryptography

LITERATURE

■ R. Hill: A first course in coding theory, Clarendon Press, 1985
■ V. Pless: Introduction to the theory of error-correcting codes, John Wiley, 1998
■ J. Gruska: Foundations of computing, Thomson International Computer Press, 1997
■ A. Salomaa: Public-key cryptography, Springer, 1990
■ D. R. Stinson: Cryptography: theory and practice, CRC Press, 1995
■ W. Trappe, L. Washington: Introduction to cryptography with coding theory
■ B. Schneier: Applied cryptography, John Wiley and Sons, 1996
■ J. Gruska: Quantum computing, McGraw-Hill, 1999 (For additions and updates: http://www.mcgraw-hill.co.uk/gruska)
■ S. Singh: The code book, Anchor Books, 1999
■ D. Kahn: The codebreakers. The story of secret writing. Macmillan, 1996 (An entertaining and informative history of cryptography.)

INTRODUCTION

■ Transmission of classical information in time and space is nowadays very easy (through a noiseless channel).
It took centuries, and many ingenious developments and discoveries (writing, book printing, photography, movies, telegraph, telephone, radio transmissions, TV, sound recording on records, tapes and discs) and the idea of the digitalisation of all forms of information to discover fully this property of information. Coding theory develops methods to protect information against noise.
■ Information is becoming an increasingly valuable commodity for both individuals and society. Cryptography develops methods to ensure secrecy of information and identity, privacy or anonymity of users.
■ A very important property of information is that it is often very easy to make an unlimited number of copies of it. Steganography develops methods to hide important information in innocently looking information (and that can be used to protect intellectual property).

HISTORY OF CRYPTOGRAPHY

The history of cryptography is the story of centuries-old battles between codemakers (ciphermakers) and codebreakers (cipherbreakers), an intellectual arms race that has had a dramatic impact on the course of history.

The ongoing battle between codemakers and codebreakers has inspired a whole series of remarkable scientific breakthroughs.

History is full of ciphers. They have decided the outcomes of battles and led to the deaths of kings and queens.

Security of communication and data and identity or privacy of users are of key importance for the information society. Cryptography, broadly understood, is an important tool to achieve such a goal.

Part I: Basics of coding theory

CHAPTER 1: BASICS of CODING THEORY

ABSTRACT

Coding theory - the theory of error correcting codes - is one of the most interesting and applied parts of mathematics and informatics.
All real communication systems that work with digitally represented data, such as CD players, TV, fax machines, the internet, satellites and mobiles, require the use of error correcting codes because all real channels are, to some extent, noisy - due to interference caused by the environment.
■ Coding theory problems are therefore among the very basic and most frequent problems of storage and transmission of information.
■ Coding theory results allow to create reliable systems out of unreliable systems to store and/or to transmit information.
■ Coding theory methods are often elegant applications of very basic concepts and methods of (abstract) algebra.

This first chapter presents and illustrates the very basic problems, concepts, methods and results of coding theory.

prof. Jozef Gruska IV054 1. Basics of coding theory 8/616

CODING - BASIC CONCEPTS

Without coding theory and error-correcting codes there would be no deep-space travel and pictures, no satellite TV, no compact disc, no . . . no . . . no . . . .

Error-correcting codes are used to correct messages when they are transmitted through noisy channels.

  source --(message W)--> Encoding --(codeword C(W))--> channel --(word C'(W))--> Decoding --(W)--> user
                                                           ^
                                                         noise

Example (error correcting framework): the message is YES or NO, encoded as YES -> 00000 and NO -> 11111. The codeword 00000 is sent, noise in the channel turns it into 01001, and the received word 01001 is decoded as YES.

A code C over an alphabet Σ is a subset of Σ* (C ⊆ Σ*).
A q-nary code is a code over an alphabet of q symbols.
A binary code is a code over the alphabet {0, 1}.

Examples of codes
C1 = {00, 01, 10, 11}
C2 = {000, 010, 101, 100}
C3 = {00000, 01101, 10110, 11011}

CHANNEL is any physical medium through which information is transmitted. (Telephone lines and the atmosphere are examples of channels.)

NOISE may be caused by sunspots, lightning, meteor showers, random radio disturbance, poor typing, poor hearing, . . . .

TRANSMISSION GOALS
1. Fast encoding of information.
2. Easy transmission of encoded messages.
3. Fast decoding of received messages.
4. Reliable correction of errors introduced in the channel.
5. Maximum transfer of information per unit time.

BASIC METHOD OF FIGHTING ERRORS: REDUNDANCY!!!
0 is encoded as 00000 and 1 is encoded as 11111.
IMPORTANCE of ERROR-CORRECTING CODES

In a good cryptosystem a change of a single bit of the cryptotext should change so many bits of the plaintext obtained from the cryptotext that the plaintext becomes incomprehensible.

Methods to detect and correct errors when cryptotexts are transmitted are therefore much needed.

Also many non-cryptographic applications require error-correcting codes. For example, mobiles, CD-players, ...

BASIC IDEA

The details of techniques used to protect information against noise in practice are sometimes rather complicated, but the basic principles are easily understood.

The key idea is that in order to protect a message against noise, we should encode the message by adding some redundant information to the message.

In such a case, even if the message is corrupted by noise, there will be enough redundancy in the encoded message to recover - to decode - the message completely.

EXAMPLE

In case of the encoding

  0 -> 000
  1 -> 111

the probability of a bit error $p < \frac{1}{2}$, and the majority voting decoding

  000, 001, 010, 100 -> 000   and   111, 110, 101, 011 -> 111

the probability of an erroneous decoding (if there are 2 or 3 errors) is

  $3p^2(1-p) + p^3 = 3p^2 - 2p^3 < p$

EXAMPLE: Coding of a path avoiding an enemy territory

Story Alice and Bob share an identical map (Fig. 1) gridded as shown in Fig. 1. Only Alice knows the route through which Bob can reach her avoiding the enemy territory. Alice wants to send Bob the following information about the safe route he should take.

  NNWNNWWSSWWNNNNWWN

Three ways to encode the safe route from Bob to Alice are:
1. C1 = {N = 00, W = 01, S = 11, E = 10}
   Any error in the code word 000001000001011111010100000000010100 would be a disaster.
2. C2 = {000, 011, 101, 110}
   A single error in encoding each of the symbols N, W, S, E can be detected.
3. C3 = {00000, 01101, 10110, 11011}
   A single error in decoding each of the symbols N, W, S, E can be corrected.

[Fig. 1: the gridded map with the positions of Alice and Bob and the enemy territory]

Basic terminology

Block code - a code with all words of the same length.
Codewords - words of some code.

Basic assumptions about channels
1. Code length preservation: each output word of a channel has the same length as the input codeword.
2. Independence of errors: the probability of any one symbol being affected in transmission is the same.

Basic strategy for decoding

For decoding we use the so-called maximum likelihood principle, or nearest neighbour decoding strategy, or majority voting decoding strategy, which says that the receiver should decode a word w' as that codeword w that is the closest one to w'.

HAMMING DISTANCE

The intuitive concept of "closeness" of two words is well formalized through the Hamming distance h(x, y) of words x, y. For two words x, y

  h(x, y) = the number of symbols in which the words x and y differ.

Example: h(10101, 01100) = 3, h(fourth, eighth) = 4

Properties of Hamming distance
1. $h(x, y) = 0 \iff x = y$
2. $h(x, y) = h(y, x)$
3. $h(x, z) \le h(x, y) + h(y, z)$ (triangle inequality)

An important parameter of codes C is their minimal distance

  $h(C) = \min\{h(x, y) \mid x, y \in C,\ x \ne y\}$,

because h(C) is the smallest number of errors needed to change one codeword into another.

Theorem (Basic error correcting theorem)
1. A code C can detect up to s errors if $h(C) \ge s + 1$.
2. A code C can correct up to t errors if $h(C) \ge 2t + 1$.

Proof (1) Trivial. (2) Suppose $h(C) \ge 2t + 1$. Let a codeword x be transmitted and a word y be received with $h(x, y) \le t$. If $x' \ne x$ is a codeword, then $h(y, x') \ge t + 1$, because otherwise $h(y, x') < t + 1$ and therefore $h(x, x') \le h(x, y) + h(y, x') < 2t + 1$, which contradicts the assumption $h(C) \ge 2t + 1$.

BINARY SYMMETRIC CHANNEL

Consider a transmission of binary symbols such that each symbol has probability of error $p < \frac{1}{2}$.

  0 --(1-p)--> 0     0 --(p)--> 1
  1 --(1-p)--> 1     1 --(p)--> 0      (binary symmetric channel)

If n symbols are transmitted, then the probability of t errors is

  $\binom{n}{t} p^t (1-p)^{n-t}$

In the case of binary symmetric channels, the "nearest neighbour decoding strategy" is also the "maximum likelihood decoding strategy".

Example Consider C = {000, 111} and the nearest neighbour decoding strategy.
Probability that the received word is decoded correctly
  as 000 is $(1-p)^3 + 3p(1-p)^2$,
  as 111 is $(1-p)^3 + 3p(1-p)^2$.
Therefore
  $P_{err}(C) = 1 - ((1-p)^3 + 3p(1-p)^2)$
is the probability of erroneous decoding.

Example If p = 0.01, then $P_{err}(C) = 0.000298$ and only one word in 3356 will reach the user with an error.

POWER of PARITY BITS

Example Let all $2^{11}$ binary words of length 11 be codewords. Let the probability p of a bit error be $10^{-8}$. Let bits be transmitted at the rate $10^7$ bits per second.

The probability that a word is transmitted incorrectly is approximately

  $11p(1-p)^{10} \approx \frac{11}{10^8}$.

Therefore $\frac{11}{10^8} \cdot \frac{10^7}{11} = 0.1$ words per second are transmitted incorrectly.

One wrong word is transmitted every 10 seconds, 360 erroneous words every hour and 8640 words every day without being detected!

Let now one parity bit be added. Any single error can be detected!!!

The probability of at least two errors is:

  $1 - (1-p)^{12} - 12(1-p)^{11}p \approx \binom{12}{2}(1-p)^{10}p^2 \approx \frac{66}{10^{16}}$

Therefore approximately $\frac{66}{10^{16}} \cdot \frac{10^7}{12} \approx 5.5 \cdot 10^{-9}$ words per second are transmitted with an undetectable error.

Corollary One undetected error occurs only every 2000 days! ($2000 \approx \frac{1}{5.5 \cdot 10^{-9} \cdot 86400}$).
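The following is an added worked example, not code from the lecture: it implements the Hamming distance, the minimal distance h(C) with the detection/correction capacities from the basic theorem, nearest-neighbour decoding, and the P_err formula for the 3-bit repetition code on a binary symmetric channel, and runs them on the path example above (the route, the three encodings C1, C2, C3 and the single-bit "noise" are taken from the slides; the function names and the `flip_bits` noise model are this example's own).

```python
from itertools import combinations
from math import comb


def hamming(x, y):
    """h(x, y): number of positions in which the equal-length words x and y differ."""
    if len(x) != len(y):
        raise ValueError("Hamming distance is defined only for words of equal length")
    return sum(a != b for a, b in zip(x, y))


def min_distance(code):
    """h(C): the smallest distance between two distinct codewords of C."""
    return min(hamming(x, y) for x, y in combinations(set(code), 2))


def capacities(code):
    """(s, t): C detects up to s = h(C)-1 errors and corrects up to t = (h(C)-1)//2."""
    d = min_distance(code)
    return d - 1, (d - 1) // 2


def nearest_neighbour_decode(word, code):
    """Return the unique codeword closest to `word`; None when two codewords tie,
    i.e. an error is detected but cannot be corrected."""
    ranked = sorted(code, key=lambda c: hamming(word, c))
    if len(ranked) > 1 and hamming(word, ranked[0]) == hamming(word, ranked[1]):
        return None
    return ranked[0]


# The three encodings of the map directions from the lecture's path example.
PATH_C1 = {"N": "00", "W": "01", "S": "11", "E": "10"}
PATH_C2 = {"N": "000", "W": "011", "S": "101", "E": "110"}
PATH_C3 = {"N": "00000", "W": "01101", "S": "10110", "E": "11011"}


def encode_path(route, table):
    return "".join(table[step] for step in route)


def decode_path(bits, table):
    """Split the received bits into blocks and decode each block to its nearest codeword.
    Returns None as soon as one block cannot be decoded unambiguously."""
    inverse = {cw: sym for sym, cw in table.items()}
    n = len(next(iter(inverse)))
    if len(bits) % n:
        raise ValueError("received length is not a multiple of the block length")
    route = []
    for i in range(0, len(bits), n):
        cw = nearest_neighbour_decode(bits[i:i + n], list(inverse))
        if cw is None:
            return None
        route.append(inverse[cw])
    return "".join(route)


def flip_bits(bits, positions):
    """Constructed channel noise: invert the bits at the given positions."""
    out = list(bits)
    for i in positions:
        out[i] = "1" if out[i] == "0" else "0"
    return "".join(out)


def p_t_errors(n, t, p):
    """Probability of exactly t errors among n symbols on a binary symmetric channel."""
    return comb(n, t) * p ** t * (1 - p) ** (n - t)


def p_err_repetition3(p):
    """P_err for C = {000, 111} with majority voting: decoding fails on 2 or 3 errors."""
    return p_t_errors(3, 2, p) + p_t_errors(3, 3, p)


if __name__ == "__main__":
    route = "NNWNNWWSSWWNNNNWWN"
    sent = encode_path(route, PATH_C3)
    noisy = flip_bits(sent, [5 * k + (k % 5) for k in range(len(route))])  # one error per block
    print("C3 corrects one error per block:", decode_path(noisy, PATH_C3) == route)
    print("C2 only detects it:", decode_path(flip_bits(encode_path(route, PATH_C2), [0]), PATH_C2))
    print("P_err(repetition-3, p=0.01) =", p_err_repetition3(0.01))
```

With one flipped bit in every 5-bit block, C3 (distance 3) still returns the exact route; the same single error makes C2 (distance 2) report a tie, and with C1 the corrupted route is accepted silently.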
TWO-DIMENSIONAL PARITY CODE

The two-dimensional parity code arranges the data into a two-dimensional array and then to each row (column) a parity bit is attached.

Example Binary string 10001011000100101111 is represented and encoded as follows

  10001        1 0 0 0 1 | 0
  01100        0 1 1 0 0 | 0
  01001   ->   0 1 0 0 1 | 0
  01111        0 1 1 1 1 | 0
               ----------+--
               1 1 0 1 1 | 0

Question How much better is two-dimensional encoding than one-dimensional encoding?

NOTATIONS and EXAMPLES

Notation: An (n, M, d)-code C is a code such that
■ n - is the length of codewords.
■ M - is the number of codewords.
■ d - is the minimum distance in C.

Example:
C1 = {00, 01, 10, 11} is a (2,4,1)-code.
C2 = {000, 011, 101, 110} is a (3,4,2)-code.
C3 = {00000, 01101, 10110, 11011} is a (5,4,3)-code.

Comment: A good (n, M, d)-code has small n and large M and d.

EXAMPLES from DEEP SPACE TRAVELS

Examples (Transmission of photographs from deep space)
■ In 1965-69 Mariner 4-5 took the first photographs of another planet - 22 photos. Each photo was divided into 200 x 200 elementary squares - pixels. Each pixel was assigned 6 bits representing 64 levels of brightness. Hadamard code was used. Transmission rate: 8.3 bits per second.
■ In 1970-72 Mariners 6-8 took such photographs that each picture was broken into 700 x 832 squares. Reed-Muller (32,64,16) code was used. Transmission rate was 16200 bits per second. (Much better pictures)

HADAMARD CODE

In Mariner 5, 6-bit pixels were encoded using a 32-bit long Hadamard code that could correct up to 7 errors.

Hadamard code has 64 codewords.
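An added example (this code is not from the lecture) for the two parity slides above: it reproduces the word-error rates of the "power of parity bits" example numerically, and it encodes, checks and decodes the two-dimensional parity array, correcting a single flipped bit and reporting (but not correcting) patterns that only the parities can detect. The data string and the channel figures come from the slides; the function names and the `flip` noise model are this example's own.

```python
from math import comb


def p_word_error(n, p):
    """Probability that at least one of n bits is flipped on a binary symmetric channel."""
    return 1 - (1 - p) ** n


def p_undetected_with_parity(n, p):
    """n data bits plus one parity bit: an error pattern slips through exactly when an
    even number (2, 4, ...) of the n+1 bits is flipped. The two-error term dominates."""
    m = n + 1
    return sum(comb(m, k) * p ** k * (1 - p) ** (m - k) for k in range(2, m + 1, 2))


def bad_words_per_second(bit_rate, word_len, p_bad):
    """Words per second that reach the user wrong: (words per second) * P(bad word)."""
    return bit_rate / word_len * p_bad


def parity(bits):
    return sum(bits) % 2


def encode_2d(bits, cols):
    """Lay the data out row by row, append a parity bit to every row,
    then append a row of column parities (its last bit is the parity of the parity column)."""
    if len(bits) % cols:
        raise ValueError("data length must be a multiple of the row width")
    rows = [bits[i:i + cols] + [parity(bits[i:i + cols])] for i in range(0, len(bits), cols)]
    rows.append([parity(col) for col in zip(*rows)])
    return rows


def syndrome_2d(rows):
    """Indices of the rows and columns whose parity no longer holds."""
    bad_rows = [i for i, r in enumerate(rows) if parity(r)]
    bad_cols = [j for j, c in enumerate(zip(*rows)) if parity(c)]
    return bad_rows, bad_cols


def decode_2d(rows):
    """Return (data_bits, status). One bad row and one bad column pin down a single
    flipped bit, which is corrected; any other non-empty pattern is only detected."""
    bad_rows, bad_cols = syndrome_2d(rows)
    fixed = [r[:] for r in rows]
    if not bad_rows and not bad_cols:
        status = "clean"
    elif len(bad_rows) == 1 and len(bad_cols) == 1:
        fixed[bad_rows[0]][bad_cols[0]] ^= 1
        status = "corrected"
    else:
        return None, "uncorrectable"
    data = [b for r in fixed[:-1] for b in r[:-1]]
    return data, status


def flip(rows, cells):
    """Constructed channel noise: invert the bits at the given (row, column) cells."""
    out = [r[:] for r in rows]
    for i, j in cells:
        out[i][j] ^= 1
    return out


if __name__ == "__main__":
    data = [int(b) for b in "10001011000100101111"]   # the string from the slide
    block = encode_2d(data, 5)
    for row in block:
        print(" ".join(map(str, row)))
    print(decode_2d(flip(block, [(2, 3)]))[1])          # corrected
    print(decode_2d(flip(block, [(0, 1), (0, 3)]))[1])  # uncorrectable (two errors in one row)
    rate = bad_words_per_second(1e7, 11, p_word_error(11, 1e-8))
    print(f"{rate:.3f} wrong words/s without parity")
```

Two flipped bits that share a row are caught by the column parities, but four flips at the corners of a rectangle leave every parity intact, so the scheme is a single-error corrector and a detector of most, not all, multi-bit patterns.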
32 of them are represented by the 32 x 32 matrix $H = \{h_{ij}\}$, where $0 \le i, j \le 31$ and

  $h_{ij} = (-1)^{a_0 b_0 + a_1 b_1 + \cdots + a_4 b_4}$

where i and j have binary representations

  $i = a_4 a_3 a_2 a_1 a_0$,   $j = b_4 b_3 b_2 b_1 b_0$.

The remaining 32 codewords are represented by the matrix $-H$.

Decoding is quite simple.

CODE RATE

For a q-nary (n, M, d)-code we define the code rate, or information rate, R, by

  $R = \frac{\lg_q M}{n}$

The code rate represents the ratio of the number of needed input data symbols to the number of transmitted code symbols.

Code rate (6/32 for Hadamard code) is an important parameter for real implementations, because it shows what fraction of the bandwidth is being used to transmit actual data.

The ISBN-code I

Each book till 1.1.2007 had an International Standard Book Number which was a 10-digit codeword produced by the publisher with the following structure:

  l         p          m         w
  x10 ... x1
  language  publisher  number    weighted check sum
  0         07         709503    0

such that

  $\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$

The publisher has to put x1 = X if x1 is to be 10.

The ISBN code was designed to detect:
(a) any single error
(b) any double error created by a transposition

Single error detection

Let $X = x_{10} \ldots x_1$ be a correct code and let $Y = x_{10} \ldots x_{j+1} y_j x_{j-1} \ldots x_1$ with $y_j = x_j + a$, $a \ne 0$.

In such a case:

  $\sum_{i=1}^{10} i y_i = \sum_{i=1}^{10} i x_i + ja \not\equiv 0 \pmod{11}$

The ISBN-code II

Transposition detection

Let $x_j$ and $x_k$ be exchanged.

  $\sum_{i=1}^{10} i y_i = \sum_{i=1}^{10} i x_i + (k - j)x_j + (j - k)x_k = (k - j)(x_j - x_k) \not\equiv 0 \pmod{11}$

if $k \ne j$ and $x_j \ne x_k$.

New ISBN code

Starting 1.1.2007 instead of the 10-digit ISBN code a 13-digit ISBN code is being used.

The new ISBN number can be obtained from the old one by preceding the old code with the three digits 978.

For details about the 13-digit ISBN see http://www.en.wikipedia.org/Wiki/International_Standard_Book_Number

EQUIVALENCE of CODES

Definition Two q-ary codes are called equivalent if one can be obtained from the other by a combination of operations of the following type:
(a) a permutation of the positions of the code.
(b) a permutation of symbols appearing in a fixed position.

Question: Let a code be displayed as an M x n matrix. To what correspond operations (a) and (b)?

Claim: Distances between codewords are unchanged by operations (a), (b). Consequently, equivalent codes have the same parameters (n, M, d) (and correct the same number of errors).

Examples of equivalent codes

  (1)   0 0 1 0 0        0 0 0 0 0
        0 0 0 1 1        0 1 1 0 1
        1 1 1 1 1        1 0 1 1 0
        1 1 0 0 0        1 1 0 1 1

Lemma Any q-ary (n, M, d)-code over an alphabet {0, 1, ..., q - 1} is equivalent to an (n, M, d)-code which contains the all-zero codeword 00...0.

Proof Trivial.
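An added example for the two ISBN slides (not code from the lecture): it validates a 10-digit ISBN with the weighted mod-11 check, computes the check digit, and verifies exhaustively on the slide's number 0-07-709503-0 that every single-digit change and every transposition of two distinct digits breaks the check, as the two derivations above predict. The 13-digit conversion goes one step beyond the slide, which only mentions the 978 prefix: the weights 1,3,1,3,... and the mod-10 check it uses are the published ISBN-13 rule, not something stated on the page. Function names are this example's own.

```python
def isbn10_digits(s):
    """Parse '0-07-709503-0' into [x10, ..., x1]; the check symbol X stands for 10."""
    s = s.replace("-", "").replace(" ", "").upper()
    if len(s) != 10 or not s[:9].isdigit() or s[9] not in "0123456789X":
        raise ValueError(f"malformed ISBN-10: {s!r}")
    return [int(c) for c in s[:9]] + [10 if s[9] == "X" else int(s[9])]


def weighted_sum(digits):
    """sum_{i=1}^{10} i * x_i, where x_10 is the leftmost digit and x_1 the check digit."""
    return sum(i * x for i, x in zip(range(10, 0, -1), digits))


def isbn10_valid(s):
    return weighted_sum(isbn10_digits(s)) % 11 == 0


def isbn10_check(first_nine):
    """Check digit x_1 that makes the weighted sum 0 mod 11 (10 is written as X)."""
    digits = [int(c) for c in first_nine]
    x1 = (-sum(i * x for i, x in zip(range(10, 1, -1), digits))) % 11
    return "X" if x1 == 10 else str(x1)


def all_single_errors_detected(s):
    """Replace x_j by x_j + a (mod 11) for every position j and every a != 0.
    Each change must break the check: j*a is never 0 mod 11 because 11 is prime."""
    digits = isbn10_digits(s)
    for j in range(10):
        for a in range(1, 11):
            bad = digits[:]
            bad[j] = (bad[j] + a) % 11
            if weighted_sum(bad) % 11 == 0:
                return False
    return True


def all_transpositions_detected(s):
    """Swap every pair of distinct digits x_j != x_k; the sum changes by (k-j)(x_j-x_k),
    a product of two non-zero residues mod 11, so the check must fail."""
    digits = isbn10_digits(s)
    for j in range(10):
        for k in range(j + 1, 10):
            if digits[j] == digits[k]:
                continue
            bad = digits[:]
            bad[j], bad[k] = bad[k], bad[j]
            if weighted_sum(bad) % 11 == 0:
                return False
    return True


def isbn10_to_isbn13(s):
    """Prefix 978 to the first nine digits and recompute the check digit with the
    ISBN-13 rule (weights 1,3,1,3,..., check = (10 - sum mod 10) mod 10)."""
    if not isbn10_valid(s):
        raise ValueError("invalid ISBN-10")
    body = "978" + s.replace("-", "").replace(" ", "")[:9]
    total = sum(int(c) * (1 if i % 2 == 0 else 3) for i, c in enumerate(body))
    return body + str((10 - total % 10) % 10)


if __name__ == "__main__":
    isbn = "0-07-709503-0"                       # the number from the slide
    print(isbn, "valid:", isbn10_valid(isbn), "weighted sum:", weighted_sum(isbn10_digits(isbn)))
    print("single errors detected:", all_single_errors_detected(isbn))
    print("transpositions detected:", all_transpositions_detected(isbn))
    print("ISBN-13:", isbn10_to_isbn13(isbn))
```

Note that the ISBN-13 check is taken mod 10, a composite modulus; it still catches every single-digit error (the weights 1 and 3 are units mod 10) but not every transposition of adjacent digits, which is one thing the mod-11 design of the old code guaranteed.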
THE MAIN CODING THEORY PROBLEM

A good (n, M, d)-code has small n, large M and large d.

The main coding theory problem is to optimize one of the parameters n, M, d for given values of the other two.

Notation: $A_q(n, d)$ is the largest M such that there is a q-nary (n, M, d)-code.

Theorem
(a) $A_q(n, 1) = q^n$;
(b) $A_q(n, n) = q$.

Proof
(a) obvious;
(b) Let C be a q-nary (n, M, n)-code. Any two distinct codewords of C differ in all n positions. Hence symbols in any fixed position of M codewords have to be different $\Rightarrow A_q(n, n) \le q$. Since the q-nary repetition code is an (n, q, n)-code, we get $A_q(n, n) \ge q$.

EXAMPLE

Example Proof that $A_2(5, 3) = 4$.
(a) Code C3 is a (5,4,3)-code, hence $A_2(5, 3) \ge 4$.
(b) Let C be a (5, M, 3)-code with $M \ge 5$.
■ By the previous lemma we can assume that 00000 ∈ C.
■ C has to contain at most one codeword with at least four 1's (otherwise $d(x, y) \le 2$ for two such codewords x, y).
■ Since 00000 ∈ C, there can be no codeword in C with one or two 1's.
■ Since d = 3, C cannot contain three codewords with three 1's.
■ Since $M \ge 4$, there have to be in C two codewords with three 1's (say 11100, 00111); the only possible codeword with four or five 1's is then 11011.

DESIGN of ONE CODE from ANOTHER ONE

Theorem Suppose d is odd. Then a binary (n, M, d)-code exists iff a binary (n + 1, M, d + 1)-code exists.

Proof
Only if case: Let C be a binary (n, M, d)-code. Let

  $C' = \{x_1 \ldots x_n x_{n+1} \mid x_1 \ldots x_n \in C,\ x_{n+1} = (\sum_{i=1}^{n} x_i) \bmod 2\}$

Since the parity of all codewords in C' is even, d(x', y') is even for all x', y' ∈ C'. Hence d(C') is even. Since $d \le d(C') \le d + 1$ and d is odd, d(C') = d + 1. Hence C' is an (n + 1, M, d + 1)-code.

If case: Let D be an (n + 1, M, d + 1)-code. Choose codewords x, y of D such that d(x, y) = d + 1. Find a position in which x, y differ and delete this position from all codewords of D. The resulting code is an (n, M, d)-code.

A COROLLARY

Corollary: If d is odd, then $A_2(n, d) = A_2(n + 1, d + 1)$. If d is even, then $A_2(n, d) = A_2(n - 1, d - 1)$.

Example $A_2(5, 3) = 4 \Rightarrow A_2(6, 4) = 4$

  (5,4,3)-code        (6,4,4)-code
  00000               000000
  01101      ->       011011      by adding a check bit
  10110               101101
  11011               110110

A SPHERE and its CONTENTS

Notation $F_q^n$ - is the set of all words of length n over the alphabet {0, 1, 2, ..., q - 1}

Definition For any codeword $u \in F_q^n$ and any integer $r \ge 0$ the sphere of radius r and centre u is denoted by

  $S(u, r) = \{v \in F_q^n \mid h(u, v) \le r\}$.

Theorem A sphere of radius r in $F_q^n$, $0 \le r \le n$, contains

  $\binom{n}{0} + \binom{n}{1}(q - 1) + \binom{n}{2}(q - 1)^2 + \cdots + \binom{n}{r}(q - 1)^r$

words.

Proof Let u be a fixed word in $F_q^n$. The number of words that differ from u in m positions is $\binom{n}{m}(q - 1)^m$.

GENERAL UPPER BOUNDS

Theorem (The sphere-packing or Hamming bound) If C is a q-nary (n, M, 2t + 1)-code, then

  $M\left\{\binom{n}{0} + \binom{n}{1}(q - 1) + \cdots + \binom{n}{t}(q - 1)^t\right\} \le q^n$        (1)

Proof Any two spheres of radius t centred on distinct codewords have no codeword in common. Hence the total number of words in M spheres of radius t centred on M codewords is given by the left side of (1). This number has to be less than or equal to $q^n$.

A code which achieves the sphere-packing bound from (1), i.e. such a code that equality holds in (1), is called a perfect code.

Singleton bound: If C is a q-ary (n, M, d)-code, then

A GENERAL UPPER BOUND on $A_q(n, d)$

Example A (7, M, 3)-code is perfect if

  $M\left(\binom{7}{0} + \binom{7}{1}\right) = 2^7$,   i.e. M = 16.

An example of such a code:

  C4 = {0000000, 1111111, 1000101, 1100010, 0110001, 1011000, 0101100, 0010110, 0001011, 0111010, 0011101, 1001110, 0100111, 1010011, 1101001, 1110100}

Table of $A_2(n, d)$ from 1981

  n    d = 3        d = 5      d = 7
  5    4            2          -
  6    8            2          -
  7    16           2          2
  8    20           4          2
  9    40           6          2
  10   72-79        12         2
  11   144-158      24         4
  12   256          32         4
  13   512          64         8
  14   1024         128        16
  15   2048         256        32
  16   2560-3276    256-340    36-37

For current best results see http://www.codetables.de

LOWER BOUND for $A_q(n, d)$

The following lower bound for $A_q(n, d)$ is known as the Gilbert-Varshamov bound:

Theorem Given $d \le n$, there exists a q-ary (n, M, d)-code with

  $M \ge \frac{q^n}{\sum_{j=0}^{d-1} \binom{n}{j}(q - 1)^j}$

and therefore

  $A_q(n, d) \ge \frac{q^n}{\sum_{j=0}^{d-1} \binom{n}{j}(q - 1)^j}$.

ERROR DETECTION

Error detection is a much more modest aim than error correction.

Error detection is suitable in the cases that the channel is so good that the probability of error is small and if an error is detected, the receiver can ask to renew the transmission.

For example, two main requirements for many telegraphy codes used to be:
■ Any two codewords had to have distance at least 2;
■ No codeword could be obtained from another codeword by transposition of two adjacent letters.

Pictures of Saturn taken by Voyager

Pictures of Saturn taken by Voyager, in 1980, had 800 x 800 pixels with 8 levels of brightness. Since pictures were in color, each picture was transmitted three times; each time through a different color filter. The full color picture was represented by 3 x 800 x 800 x 8 = 15360000 bits.

To transmit pictures Voyager used the Golay code G24.
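An added example covering the slides from the main coding theory problem through the Gilbert-Varshamov bound (the code is this example's, not the lecture's): it computes sphere sizes, the Hamming and Gilbert-Varshamov bounds, checks that the (7, 16, 3)-code C4 from the slide is perfect, performs the parity extension (5,4,3) -> (6,4,4) and the puncturing back, and confirms the small values A_2(5,3) = 4, A_2(6,4) = 4, A_2(n,1) = 2^n and A_2(n,n) = 2 by exhaustive search. Function names are assumptions of this example.

```python
from itertools import combinations, product
from math import comb


def hamming(x, y):
    return sum(a != b for a, b in zip(x, y))


def min_distance(code):
    return min(hamming(x, y) for x, y in combinations(sorted(code), 2))


def sphere_size(n, r, q=2):
    """|S(u, r)| in F_q^n: sum_{i=0}^{r} C(n, i) (q-1)^i, independent of the centre u."""
    return sum(comb(n, i) * (q - 1) ** i for i in range(r + 1))


def hamming_bound(n, d, q=2):
    """Largest M the sphere-packing bound allows for an (n, M, d)-code, d = 2t + 1."""
    t = (d - 1) // 2
    return q ** n // sphere_size(n, t, q)


def gilbert_varshamov_bound(n, d, q=2):
    """A q-ary (n, M, d)-code with at least this many words exists (ceiling of the bound)."""
    return -(-q ** n // sphere_size(n, d - 1, q))


def is_perfect(code, q=2):
    """Equality in the sphere-packing bound: the radius-t spheres around the codewords tile F_q^n."""
    n = len(next(iter(code)))
    t = (min_distance(code) - 1) // 2
    return len(code) * sphere_size(n, t, q) == q ** n


def extend_by_parity(code):
    """(n, M, d) -> (n+1, M, d+1) for odd d: append x_{n+1} = (sum of the bits) mod 2."""
    return {w + str(sum(map(int, w)) % 2) for w in code}


def puncture(code, pos):
    """(n+1, M, d+1) -> (n, M, d): delete coordinate `pos` (one where two closest words differ)."""
    return {w[:pos] + w[pos + 1:] for w in code}


def A2(n, d):
    """A_2(n, d) by exhaustive backtracking over all binary codes of length n with
    pairwise distance >= d. Exponential in 2^n, so only meant for n <= 6 here."""
    words = ["".join(b) for b in product("01", repeat=n)]
    best = 0

    def grow(chosen, start):
        nonlocal best
        best = max(best, len(chosen))
        for i in range(start, len(words)):
            if all(hamming(words[i], c) >= d for c in chosen):
                grow(chosen + [words[i]], i + 1)

    grow([], 0)
    return best


# Codes from the slides: the (5,4,3)-code C3 and the perfect (7,16,3)-code C4.
C3 = {"00000", "01101", "10110", "11011"}
C4 = {"0000000", "1111111", "1000101", "1100010", "0110001", "1011000", "0101100", "0010110",
      "0001011", "0111010", "0011101", "1001110", "0100111", "1010011", "1101001", "1110100"}


if __name__ == "__main__":
    print("C4: M =", len(C4), "d =", min_distance(C4), "perfect:", is_perfect(C4))
    print("Hamming bound for (5, M, 3):", hamming_bound(5, 3), " A_2(5,3) by search:", A2(5, 3))
    print("Gilbert-Varshamov for (7, M, 3): M >=", gilbert_varshamov_bound(7, 3))
    print("C3 extended by parity:", sorted(extend_by_parity(C3)))
```

For n = 5 and d = 3 the Hamming bound allows M = 5 while the exhaustive search (and the slide's proof) gives 4, which shows that the sphere-packing bound is an upper bound and not a guarantee; the Gilbert-Varshamov value is likewise only a floor, far below the 16 words that C4 actually achieves.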
GENERAL CODING PROBLEM

Important problems of information theory are how to define formally such concepts as information and how to store or transmit information efficiently.

Let X be a random variable (source) which takes any value x with probability p(x). The entropy of X is defined by

  $S(X) = -\sum_x p(x) \lg p(x)$

and it is considered to be the information content of X.

In the special case of a binary variable X which takes on the value 1 with probability p and the value 0 with probability 1 - p

  $S(X) = H(p) = -p \lg p - (1 - p) \lg (1 - p)$

Problem: What is the minimal number of bits needed to transmit n values of X?

Basic idea: To encode more probable outputs of X by shorter binary words.

Example (Morse code - 1838)

  a .-      b -...    c -.-.    d -..     e .       f ..-.    g --.
  h ....    i ..      j .---    k -.-     l .-..    m --      n -.
  o ---     p .--.    q --.-    r .-.     s ...     t -       u ..-
  v ...-    w .--     x -..-    y -.--    z --..

SHANNON'S NOISELESS CODING THEOREM

Shannon's noiseless coding theorem says that in order to transmit n values of X, we need, and it is sufficient, to use nS(X) bits.

More exactly, we cannot do better than the bound nS(X) says, and we can reach the bound nS(X) as closely as desirable.

Example Let a source X produce the value 1 with probability $p = \frac{1}{4}$ and the value 0 with probability $1 - p = \frac{3}{4}$.

Assume we want to encode blocks of the outputs of X of length 4.

By Shannon's theorem we need $4H(\frac{1}{4}) = 3.245$ bits per block (on average).

A simple and practical method known as Huffman code requires in this case 3.273 bits per 4-bit message.

  mess.  code     mess.  code     mess.  code     mess.  code
  0000   10       0100   010      1000   011      1100   11101
  0001   000      0101   11001    1001   11011    1101   111110
  0010   001      0110   11010    1010   11100    1110   111101
  0011   11000    0111   1111000  1011   111111   1111   1111001

Observe that this is a prefix code - no codeword is a prefix of another codeword.

DESIGN of HUFFMAN CODE

Given a sequence of n objects, $x_1, \ldots, x_n$ with probabilities $p_1 \ge \ldots \ge p_n$.

Stage 1 - shrinking of the sequence.
■ Replace $x_{n-1}, x_n$ with a new object $y_{n-1}$ with probability $p_{n-1} + p_n$ and rearrange the sequence so one has again non-increasing probabilities.
■ Keep doing the above step till the sequence shrinks to two objects.

  .50  .50  .50  .50  .50  .50  .50
  .15  .15  .15  .15  .22  .28  .50
  .12  .12  .12  .13  .15
  .10  .10  .10  .12  .13
  .04  .05  .08  .10
  .04  .04  .05
  .03  .04
  .02

Stage 2 - extending the code - Apply again and again the following method.

If $C = \{c_1, \ldots, c_r\}$ is a prefix optimal code for a source $S_r$, then $C' = \{c'_1, \ldots, c'_{r+1}\}$ is an optimal code for $S_{r+1}$, where

  $c'_i = c_i$   for $1 \le i \le r - 1$
  $c'_r = c_r 1$
  $c'_{r+1} = c_r 0$.

Applied to the sequence above, the codewords obtained are (probability -> codeword):

  .50 -> 1      .28 -> 01      .22 -> 00      .15 -> 011     .13 -> 010     .12 -> 001     .10 -> 000
  .08 -> 0101   .05 -> 0100    .04 -> 01011   .04 -> 01010   .03 -> 01001   .02 -> 01000
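An added example for the entropy, Shannon bound and Huffman slides (not the lecture's code): it computes H(p), runs the two Huffman stages exactly as stated (shrink the non-increasing sequence by merging its last two objects, then extend the code by appending 1 to the larger and 0 to the smaller part), and checks the resulting codes against the two numbers on the slides, 3.245 bits (Shannon) and 3.273 bits (Huffman) per 4-bit block, plus the eight-symbol sequence .50, .15, ... drawn above. Probabilities are kept as exact fractions so the comparisons are not disturbed by rounding. Function and symbol names are this example's own.

```python
from fractions import Fraction
from itertools import product
from math import log2


def entropy(probs):
    """S(X) = -sum p(x) lg p(x), in bits."""
    return -sum(float(p) * log2(p) for p in probs if p > 0)


def binary_entropy(p):
    """H(p) for a binary source with P(1) = p."""
    return entropy([p, 1 - p])


def huffman_code(probs):
    """Huffman code for `probs` (symbol -> probability; symbols must be strings).
    Stage 1 merges the last two objects of a non-increasing sequence, re-inserting the
    merged object after any object of equal probability; stage 2 gives the earlier
    (larger) part the suffix 1 and the later (smaller) part the suffix 0."""
    if len(probs) == 1:
        return {next(iter(probs)): "0"}
    seq = sorted(probs.items(), key=lambda kv: -kv[1])  # stable: ties keep input order
    while len(seq) > 1:
        (a, pa), (b, pb) = seq[-2], seq[-1]
        seq = seq[:-2]
        merged = ((a, b), pa + pb)
        pos = sum(1 for _, p in seq if p >= merged[1])
        seq.insert(pos, merged)
    code = {}

    def extend(node, word):
        if isinstance(node, tuple):
            extend(node[0], word + "1")   # c'_r = c_r 1
            extend(node[1], word + "0")   # c'_{r+1} = c_r 0
        else:
            code[node] = word

    extend(seq[0][0], "")
    return code


def average_length(code, probs):
    return sum(probs[s] * len(code[s]) for s in probs)


def is_prefix_code(code):
    """No codeword is a prefix of another (checking sorted neighbours suffices)."""
    words = sorted(code.values())
    return all(not b.startswith(a) for a, b in zip(words, words[1:]))


def kraft_sum(code):
    return sum(Fraction(1, 2 ** len(w)) for w in code.values())


def block_probs(p, n):
    """Probabilities of all n-bit blocks of a memoryless binary source with P(1) = p."""
    out = {}
    for bits in product("01", repeat=n):
        w = "".join(bits)
        ones = w.count("1")
        out[w] = p ** ones * (1 - p) ** (n - ones)
    return out


# The eight-object sequence from the Huffman design slide.
SLIDE_SEQUENCE = {f"x{i + 1}": Fraction(v, 100) for i, v in enumerate([50, 15, 12, 10, 4, 4, 3, 2])}

# The 4-bit message table from the Shannon slide (message -> codeword).
SLIDE_BLOCK_CODE = {
    "0000": "10", "0001": "000", "0010": "001", "0011": "11000",
    "0100": "010", "0101": "11001", "0110": "11010", "0111": "1111000",
    "1000": "011", "1001": "11011", "1010": "11100", "1011": "111111",
    "1100": "11101", "1101": "111110", "1110": "111101", "1111": "1111001",
}


if __name__ == "__main__":
    p = Fraction(1, 4)
    probs = block_probs(p, 4)
    code = huffman_code(probs)
    print("4H(1/4) =", round(4 * binary_entropy(p), 3))
    print("Huffman bits per block =", float(average_length(code, probs)))
    print("slide's table is a prefix code:", is_prefix_code(SLIDE_BLOCK_CODE))
    print(huffman_code(SLIDE_SEQUENCE))
```

Huffman codes built with different tie-breaking rules can differ word by word, so the code computed for the sixteen 4-bit blocks need not match the slide's table symbol for symbol, but both are optimal and have the same expected length 838/256 = 3.273 bits, which lies above the Shannon bound 3.245 and below it plus one bit.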
Basics of coding theory 41/616 O^5 - l O^5 - O O^l - OOO sc i sc c A BIT OF HISTORY I The subject of error-correcting codes arose originally as a response to practical problems in the reliable communication of digitally encoded information. The discipline was initiated in the paper Claude Shannon: A mathematical theory of communication, Bell Syst.Tech. Journal V27, 1948, 379-423, 623-656 Shannon's paper started the scientific discipline information theory and error-correcting codes are its part. Originally, information theory was a part of electrical engineering. Nowadays, it is an important part of mathematics and also of informatics. prof. Jozef Gruska IV054 1. Basics of coding theory 42/616 A BIT OF HISTORY II SHANNON'S VIEW In the introduction to his seminal paper "A mathematical theory of communication" Shannon wrote: The fundamental problem of communication is that of reproducing at one point either exactly or approximately a message selected at another point. prof. Jozef Gruska IV054 1. Basics of coding theory 43/616 Part II CHAPTER 2: LINEAR CODES ABSTRACT Most of the important codes are special types of so-called linear codes. Linear codes are of very large importance because they have very concise description, very nice properties, very easy encoding and, in principle, easy to describe decoding. prof. Jozef Gruska IV054 2. Linear codes 45/616 LINEAR CODES Linear codes are special sets of words of the length n over an alphabet Zq = {0,.., q — 1}, where q is a power of prime. Since now on Fq will be the vector spaces of all n-tuples over the finite field Fq (on the set {0,.., q — 1} and arithmetical operations modulo q.) Definition A subset C C V(n, q) is a linear code if T| u + v e C for all u, v e C ^ au e C for all u e C, a e GF(q) - {Galoi field over Zq} Example Codes Ci, C2, C3 introduced in Lecture 1 are linear codes. prof. Jozef Gruska IV054 2. 
Lemma A subset C ⊆ V(n, q) is a linear code iff one of the following conditions is satisfied:
1. C is a subspace of V(n, q);
2. the sum of any two codewords from C is in C (for the case q = 2).
If C is a k-dimensional subspace of V(n, q), then C is called an [n, k]-code. It has q^k codewords. If the minimal distance of C is d, then it is called an [n, k, d]-code. Linear codes are also called "group codes".
EXERCISE Which of the following binary codes are linear?
C1 = {00, 01, 10, 11}
C2 = {000, 011, 101, 110}
C3 = {00000, 01101, 10110, 11011}
C5 = {101, 111, 011}
C6 = {000, 001, 010, 011}
C7 = {0000, 1001, 0110, 1110}
How to create a linear code
Notation If S is a set of vectors of a vector space, then let ⟨S⟩ be the set of all linear combinations of vectors from S.
Theorem For any subset S of a binary linear space, ⟨S⟩ is a linear space that consists of the following words:
■ the zero word,
■ all words in S,
■ all sums of two or more words in S.
Example S = {0100, 0011, 1100}, ⟨S⟩ = {0000, 0100, 0011, 1100, 0111, 1011, 1000, 1111}.
BASIC PROPERTIES of LINEAR CODES I
Notation: w(x) (weight of x) denotes the number of non-zero entries of x.
Lemma If x, y ∈ V(n, q), then h(x, y) = w(x - y).
Proof x - y has non-zero entries in exactly those positions where x and y differ.
Theorem Let C be a linear code and let the weight of C, notation w(C), be the smallest of the weights of the non-zero codewords of C. Then h(C) = w(C).
Proof There are x, y ∈ C such that h(C) = h(x, y). Hence h(C) = w(x - y) ≥ w(C), because x - y is a non-zero codeword of C. On the other hand, for some x ∈ C, w(C) = w(x) = h(x, 0) ≥ h(C), because 0 is a codeword.
Consequence
■ If C is a code with m codewords, then in order to determine h(C) one has to make $\binom{m}{2} = \Theta(m^2)$ comparisons in the worst case.
■ If C is a linear code, then in order to compute h(C) it is enough to compute the weights of the m - 1 non-zero codewords.
BASIC PROPERTIES of LINEAR CODES II
If C is a linear [n, k]-code, then it has a basis consisting of k codewords.
Example Code C4 = {0000000, 1111111, 1000101, 1100010, 0110001, 1011000, 0101100, 0010110, 0001011, 0111010, 0011101, 1001110, 0100111, 1010011, 1101001, 1110100} has the basis {1111111, 1000101, 1100010, 0110001}.
How many different bases has a linear code?
Theorem A binary linear code of dimension k has $\frac{1}{k!}\prod_{i=0}^{k-1}(2^k - 2^i)$ bases.
ADVANTAGES and DISADVANTAGES of LINEAR CODES I.
Advantages - big.
1. The minimal distance h(C) is easy to compute if C is a linear code.
2. Linear codes have simple specifications.
■ To specify a non-linear code usually all codewords have to be listed.
■ To specify a linear [n, k]-code it is enough to list k codewords (of a basis).
Definition A k × n matrix whose rows form a basis of a linear [n, k]-code (subspace) C is said to be a generator matrix of C.
Example A generator matrix of the code C2 = {000, 011, 101, 110} is
0 1 1
1 0 1
and a generator matrix of the code C4 is
1 1 1 1 1 1 1
1 0 0 0 1 0 1
1 1 0 0 0 1 0
0 1 1 0 0 0 1
3. There are simple encoding/decoding procedures for linear codes.
ADVANTAGES and DISADVANTAGES of LINEAR CODES II.
Disadvantages of linear codes are small:
1. Linear q-codes are not defined unless q is a prime power.
2. The restriction to linear codes might be a restriction to weaker codes than sometimes desired.
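The linearity test of the exercise, the span theorem and the count of bases above, as an added Python example that is not part of the lecture notes: binary words are strings over {0, 1}, the linearity test is the q = 2 case of the Lemma (closure under addition), ⟨S⟩ is built by folding the generators in one by one, and the number of bases of C4 is counted by brute force and compared with the formula of the Theorem. The function names are this example's choices.

```python
from itertools import combinations
from math import factorial


def add(u, v):
    """Sum of two binary words (strings over {0, 1}) in V(n, 2)."""
    return "".join("1" if a != b else "0" for a, b in zip(u, v))


def is_linear(code):
    """Binary case of the Lemma: C is linear iff the sum of any two codewords is in C.

    Closure under addition forces the zero word in (u + u = 0); scalar multiples are trivial over GF(2).
    """
    words = set(code)
    return all(add(u, v) in words for u in words for v in words)


def span(words):
    """<S>: the zero word, the words of S and all sums of two or more of them (Theorem above)."""
    words = list(words)
    result = {"0" * len(words[0])}
    for w in words:                                   # fold each generator into the set
        result |= {add(w, x) for x in result}
    return result


def dimension(code):
    """k with |C| = 2^k, for a binary linear code."""
    return len(code).bit_length() - 1


def count_bases(code):
    """Brute force: k-subsets of non-zero codewords that span the whole code."""
    k = dimension(code)
    nonzero = [w for w in code if "1" in w]
    return sum(1 for subset in combinations(nonzero, k) if len(span(subset)) == len(code))


def count_bases_formula(k):
    """(1/k!) * prod_{i=0}^{k-1} (2^k - 2^i), the Theorem above."""
    prod = 1
    for i in range(k):
        prod *= 2 ** k - 2 ** i
    return prod // factorial(k)


# codes from the exercise and from the C4 example (copied from the slides)
C1 = {"00", "01", "10", "11"}
C2 = {"000", "011", "101", "110"}
C3 = {"00000", "01101", "10110", "11011"}
C5 = {"101", "111", "011"}
C6 = {"000", "001", "010", "011"}
C7 = {"0000", "1001", "0110", "1110"}
C4 = {"0000000", "1111111", "1000101", "1100010", "0110001", "1011000", "0101100", "0010110",
      "0001011", "0111010", "0011101", "1001110", "0100111", "1010011", "1101001", "1110100"}

if __name__ == "__main__":
    for name, code in [("C1", C1), ("C2", C2), ("C3", C3), ("C5", C5), ("C6", C6), ("C7", C7)]:
        print(name, "linear" if is_linear(code) else "not linear")
    print("bases of C4:", count_bases(C4), "formula:", count_bases_formula(4))
```

Note that C6 passes the test: {000, 001, 010, 011} is closed under addition, so it is a linear [3, 2]-code even though it looks unlike the other examples; C5 fails because it does not even contain the zero word, and C7 fails because 1001 + 0110 = 1111 is missing.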
EQUIVALENCE of LINEAR CODES I
Definition Two linear codes over GF(q) are called equivalent if one can be obtained from the other by the following operations:
(a) permutation of the positions of the code;
(b) multiplication of the symbols appearing in a fixed position by a non-zero scalar.
Theorem Two k × n matrices generate equivalent linear [n, k]-codes over GF(q) if one matrix can be obtained from the other by a sequence of the following operations:
(a) permutation of the rows
(b) multiplication of a row by a non-zero scalar
(c) addition of one row to another
(d) permutation of columns
(e) multiplication of a column by a non-zero scalar
Proof Operations (a) - (c) just replace one basis by another basis of the same code. The last two operations convert a generator matrix into one of an equivalent code.
EQUIVALENCE of LINEAR CODES II
Theorem Let G be a generator matrix of an [n, k]-code.
The rows of G are then linearly independent. By operations (a) - (e) the matrix G can be transformed into the form
[Ik | A]
where Ik is the k × k identity matrix and A is a k × (n - k) matrix.
Example The generator matrix of the code C4 from above is transformed, using only the row operation (c), into the standard form [I4 | A]:
1 1 1 1 1 1 1        1 0 0 0 1 0 1
1 0 0 0 1 0 1   →    0 1 0 0 1 1 1
1 1 0 0 0 1 0        0 0 1 0 1 1 0
0 1 1 0 0 0 1        0 0 0 1 0 1 1
(the new rows are r2, r2 + r3, r2 + r3 + r4 and r1 + r2 + r4, all of them codewords of C4).
ENCODING with LINEAR CODES is a vector × matrix multiplication
Let C be a linear [n, k]-code over GF(q) with a generator matrix G.
Theorem C has q^k codewords.
Proof The theorem follows from the fact that each codeword of C can be expressed uniquely as a linear combination of the basis vectors.
Corollary The code C can be used to encode uniquely q^k messages.
Let us identify messages with the elements of V(k, q). Encoding of a message u = (u1, ..., uk) with the code C:
$u \cdot G = \sum_{i=1}^{k} u_i r_i$, where r1, ..., rk are the rows of G.
Example Let C be a [7, 4]-code with a generator matrix G = [I4 | A] in standard form. A message (u1, u2, u3, u4) is encoded as the codeword u · G, whose first four symbols are u1, u2, u3, u4.
For example:
0 0 0 0 is encoded as ....................
1 0 0 0 is encoded as ....................
1 1 1 0 is encoded as ....................
UNIQUENESS of ENCODING with linear codes
Theorem If G = {wi}, i = 1, ..., k, is a generator matrix of a binary linear code C of length n and dimension k, then v = uG ranges over all 2^k codewords of C as u ranges over all 2^k words of length k. Therefore
C = {uG | u ∈ {0, 1}^k}.
Moreover u1G = u2G if and only if u1 = u2.
Proof If u1G - u2G = 0, then $0 = \sum_{i=1}^{k} u_{1,i} w_i - \sum_{i=1}^{k} u_{2,i} w_i = \sum_{i=1}^{k} (u_{1,i} - u_{2,i}) w_i$ and therefore, since the wi are linearly independent, u1 = u2.
DECODING of LINEAR CODES
Decoding problem: If a codeword x = x1 ... xn is sent and the word y = y1 ... yn is received, then e = y - x = e1 ... en is said to be the error vector. The decoder must decide, from y, which x was sent, or, equivalently, which error e occurred.
To describe the main decoding method some technicalities have to be introduced.
Definition Suppose C is an [n, k]-code over GF(q) and u ∈ V(n, q). Then the set
u + C = {u + x | x ∈ C}
is called a coset (u-coset) of C in V(n, q).
Example Let C = {0000, 1011, 0101, 1110}. Cosets:
0000 + C = C,
1000 + C = {1000, 0011, 1101, 0110},
0100 + C = {0100, 1111, 0001, 1010} = 0001 + C,
0010 + C = {0010, 1001, 0111, 1100}.
Are there some other cosets in this case?
Theorem Suppose C is a linear [n, k]-code over GF(q). Then
(a) every vector of V(n, q) is in some coset of C,
(b) every coset contains exactly q^k elements,
(c) two cosets are either disjoint or identical.
NEAREST NEIGHBOUR DECODING SCHEME
Each vector having minimum weight in a coset is called a coset leader.
1. Design a (Slepian) standard array for an [n, k]-code C - that is a q^(n-k) × q^k array whose first row lists the codewords (starting with the zero codeword) and whose every other row lists one coset: the coset leader in the first column and, in every other column, the coset leader + the codeword heading that column.
Example
0000 1011 0101 1110
1000 0011 1101 0110
0100 1111 0001 1010
0010 1001 0111 1100
2. A received word y is decoded as the codeword in the first row of the column in which y occurs.
The error vectors which will be corrected are precisely the coset leaders!
In practice, this decoding method is too slow and requires too much memory.
PROBABILITY of GOOD ERROR CORRECTION
What is the probability that a received word will be decoded correctly - that is, as the codeword that was sent (for binary linear codes and the binary symmetric channel)?
The probability that a given error vector of weight i occurs is p^i (1 - p)^(n-i), where p is the probability that a single bit is flipped. Therefore it holds:
Theorem Let C be a binary [n, k]-code, and for i = 0, 1, ..., n let ai be the number of coset leaders of weight i. The probability Pcorr(C) that a received vector, when decoded by means of a standard array, is the codeword which was sent is given by
$P_{corr}(C) = \sum_{i=0}^{n} a_i\, p^i (1-p)^{n-i}.$
Example For the [4, 2]-code of the last example a0 = 1, a1 = 3, a2 = a3 = a4 = 0. Hence
Pcorr(C) = (1 - p)^4 + 3p(1 - p)^3 = (1 - p)^3 (1 + 2p).
If p = 0.01, then Pcorr = 0.9897.
PROBABILITY of GOOD ERROR DETECTION
Suppose a binary linear code is used only for error detection. The decoder will fail to detect errors which have occurred if the received word y is a codeword different from the codeword x which was sent, i.e. if the error vector e = y - x is itself a non-zero codeword. The probability Pundetect(C) that an incorrect codeword is received is given by the following result.
Theorem Let C be a binary [n, k]-code and let Ai denote the number of codewords of C of weight i.
Then, if C is used for error detection, the probability of an incorrect message being received is
$P_{undetect}(C) = \sum_{i=1}^{n} A_i\, p^i (1-p)^{n-i}.$
Example In the case of the [4, 2]-code from the last example A2 = 1 and A3 = 2, so
Pundetect(C) = p^2 (1 - p)^2 + 2p^3 (1 - p) = p^2 - p^4.
For p = 0.01, Pundetect(C) = 0.00009999.
DUAL CODES
The inner product of two vectors (words) u = u1 ... un, v = v1 ... vn in V(n, q) is the element of GF(q) defined (using modulo q operations) by
u · v = u1v1 + ... + unvn.
Example In V(4, 2): 1001 · 1001 = 0. In V(4, 3): 2001 · 1210 = 2 and 1212 · 2121 = 2.
If u · v = 0, then the words (vectors) u and v are called orthogonal.
Properties If u, v, w ∈ V(n, q) and λ, μ ∈ GF(q), then
u · v = v · u,   (λu + μv) · w = λ(u · w) + μ(v · w).
Given a linear [n, k]-code C, the dual code of C, denoted by C⊥, is defined by
C⊥ = {v ∈ V(n, q) | v · u = 0 for all u ∈ C}.
Lemma Suppose C is an [n, k]-code having a generator matrix G. Then for v ∈ V(n, q)
v ∈ C⊥ ⟺ vG^T = 0,
where G^T denotes the transpose of the matrix G.
Proof Easy: v is orthogonal to every codeword iff it is orthogonal to every row of G, because every codeword is a linear combination of the rows.
PARITY CHECKS versus ORTHOGONALITY
For understanding the role the parity checks play for linear codes, it is important to understand the relation between orthogonality and special parity checks.
If binary words x and y are orthogonal, then the word y has an even number of ones (1's) in the positions determined by the ones (1's) in the word x. This implies that if words x and y are orthogonal, then x is a parity check word for y and y is a parity check word for x.
Exercise: Let the word 100001 be orthogonal to a set S of binary words of length 6. What can we say about the words in S?
EXAMPLE For the [n, 1]-repetition code C with the generator matrix G = (1, 1, ..., 1), the dual code C⊥ is the [n, n - 1]-code with the generator matrix
      1 1 0 0 ... 0
G⊥ =  1 0 1 0 ... 0
      ...
      1 0 0 0 ... 1
(every row has two ones, so it is orthogonal to the all-ones word; C⊥ is the even-weight code).
PARITY CHECK MATRICES I
Example If C5 = {0000, 1100, 0011, 1111}, then C5⊥ = C5. If C6 = {000, 011, 101, 110}, then C6⊥ = {000, 111}.
Theorem Suppose C is a linear [n, k]-code over GF(q). Then the dual code C⊥ is a linear [n, n - k]-code.
Definition A parity-check matrix H for an [n, k]-code C is a generator matrix of C⊥.
PARITY CHECK MATRICES II
Theorem If H is a parity-check matrix of C, then
C = {x ∈ V(n, q) | xH^T = 0},
and therefore any linear code is completely specified by a parity-check matrix.
Example A parity-check matrix for C5 is
1 1 0 0
0 0 1 1
and for C6 it is (1 1 1).
The rows of a parity-check matrix are parity checks on codewords. They say that certain linear combinations of the elements of every codeword are zeros.
SYNDROME DECODING
Theorem If G = [Ik | A] is the standard form generator matrix of an [n, k]-code C, then a parity-check matrix for C is H = [-A^T | In-k].
Example The generator matrix
G = 1 0 1 1
    0 1 0 1
gives the parity-check matrix
H = 1 0 1 0
    1 1 0 1
Definition Suppose H is a parity-check matrix of an [n, k]-code C. Then for any y ∈ V(n, q) the following word is called the syndrome of y:
S(y) = yH^T.
Lemma Two words have the same syndrome iff they are in the same coset.
Syndrome decoding Assume that a standard array of a code C is given and, in addition, let the last column contain the syndrome of each coset (here for the [4, 2]-code above, with H as in the example):
0000 1011 0101 1110 | 00
1000 0011 1101 0110 | 11
0100 1111 0001 1010 | 01
0010 1001 0111 1100 | 10
When a word y is received, compute S(y) = yH^T, locate S(y) in the syndrome column, then locate y in the same row and decode y as the codeword in the same column and in the first row.
KEY OBSERVATION for SYNDROME COMPUTATION
When preparing a "syndrome decoding" it is sufficient to store only two columns: one for the coset leaders and one for the syndromes.
Example
coset leader l(z)   syndrome z
0000                00
1000                11
0100                01
0010                10
Decoding procedure
■ Step 1 Given y compute S(y).
■ Step 2 Locate z = S(y) in the syndrome column.
■ Step 3 Decode y as y - l(z).
Example If y = 1111, then S(y) = 01 and the above decoding procedure produces 1111 - 0100 = 1011.
Syndrome decoding is much faster than searching for the nearest codeword to a received word.
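Syndrome decoding and the two probability formulas above, as an added Python example that is not part of the lecture notes: it derives H = [-A^T | I] from the standard-form generator matrix of the [4, 2]-code, builds the coset-leader/syndrome table by enumerating V(n, 2) in order of increasing weight, decodes y = 1111, and evaluates Pcorr and Pundetect at p = 0.01 from the coset leaders and the codewords respectively. Words are tuples of 0/1; ties between coset leaders of equal weight are resolved in favour of an error in an earlier position, as the standard array on the slide does. The function names are this example's choices.

```python
from itertools import product


def syndrome(y, H):
    """S(y) = y H^T over GF(2); y and the rows of H are tuples of 0/1."""
    return tuple(sum(a * b for a, b in zip(y, row)) % 2 for row in H)


def parity_check_from_standard_form(G):
    """G = [I_k | A] -> H = [-A^T | I_{n-k}]; over GF(2), -A^T = A^T."""
    k, n = len(G), len(G[0])
    A = [row[k:] for row in G]
    return [tuple(A[i][j] for i in range(k)) + tuple(int(t == j) for t in range(n - k))
            for j in range(n - k)]


def coset_leaders(H):
    """Map syndrome -> coset leader (a minimum-weight word with that syndrome).

    Words are visited in order of increasing weight, so the first word seen with a given
    syndrome is a leader; among equal weights, an error in an earlier position wins.
    """
    n = len(H[0])
    leaders = {}
    for w in sorted(product((0, 1), repeat=n), key=lambda w: (sum(w), w[::-1])):
        leaders.setdefault(syndrome(w, H), w)
    return leaders


def decode(y, H, leaders):
    """Steps 1-3: compute S(y), look up the leader l(S(y)), return y - l(S(y))."""
    e = leaders[syndrome(y, H)]
    return tuple((a + b) % 2 for a, b in zip(y, e))


def codewords(H):
    """C = {x | x H^T = 0}."""
    n = len(H[0])
    return [x for x in product((0, 1), repeat=n) if not any(syndrome(x, H))]


def prob_correct(leaders, n, p):
    """P_corr = sum_i a_i p^i (1-p)^(n-i), summed over the coset leaders themselves."""
    return sum(p ** sum(e) * (1 - p) ** (n - sum(e)) for e in leaders.values())


def prob_undetected(H, p):
    """P_undetect = sum_{i>=1} A_i p^i (1-p)^(n-i): error vectors that are non-zero codewords."""
    n = len(H[0])
    return sum(p ** sum(x) * (1 - p) ** (n - sum(x)) for x in codewords(H) if any(x))


# the [4, 2]-code of the slides: C = {0000, 1011, 0101, 1110}
G = ((1, 0, 1, 1), (0, 1, 0, 1))
H = parity_check_from_standard_form(G)
LEADERS = coset_leaders(H)

if __name__ == "__main__":
    for s, e in sorted(LEADERS.items(), key=lambda t: t[1][::-1]):
        print("leader", "".join(map(str, e)), "syndrome", "".join(map(str, s)))
    print("decode(1111) =", decode((1, 1, 1, 1), H, LEADERS))
    print("Pcorr(0.01) =", prob_correct(LEADERS, 4, 0.01))
    print("Pundetect(0.01) =", prob_undetected(H, 0.01))
```

The table produced is exactly the two-column table of the slide, and decoding 1111 gives 1011. Note that 1111 is at distance 1 from both 1011 and 1110, so which of the two a decoder returns depends only on the tie-breaking choice of the coset leader for the syndrome 01.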
However, for large codes it is still too inefficient to be practical. In general, the problem of finding the nearest neighbour in a linear code is NP-complete. Fortunately, there are important linear codes with really efficient decoding.
HAMMING CODES
An important family of simple linear codes that are easy to encode and decode are the so-called Hamming codes.
Definition Let r be an integer and H be an r × (2^r - 1) matrix whose columns are all the non-zero distinct words from V(r, 2). The code having H as its parity-check matrix is called a binary Hamming code and denoted by Ham(r, 2).
Example
Ham(2, 2): H = 1 1 0     G = [1 1 1]
               1 0 1
Ham(3, 2): H = 0 1 1 1 1 0 0     G = 1 0 0 0 0 1 1
               1 0 1 1 0 1 0         0 1 0 0 1 0 1
               1 1 0 1 0 0 1         0 0 1 0 1 1 0
                                     0 0 0 1 1 1 1
Theorem The Hamming code Ham(r, 2)
■ is a [2^r - 1, 2^r - 1 - r]-code,
■ has minimum distance 3,
■ is a perfect code.
Properties of binary Hamming codes The coset leaders are precisely the words of weight ≤ 1. The syndrome of the word 0 ... 010 ... 0 with 1 in the j-th position and 0 otherwise is the transpose of the j-th column of H.
HAMMING CODES - DECODING
Decoding algorithm for the case the columns of H are arranged in the order of increasing binary numbers the columns represent:
■ Step 1 Given y compute the syndrome S(y) = yH^T.
■ Step 2 If S(y) = 0, then y is assumed to be the codeword sent.
■ Step 3 If S(y) ≠ 0, then, assuming a single error, S(y) read as a binary number gives the position of the error.
EXAMPLE For the Hamming code given by the parity-check matrix
H = 0 0 0 1 1 1 1
    0 1 1 0 0 1 1
    1 0 1 0 1 0 1
and the received word y = 1101011, we get the syndrome S(y) = 110 and therefore the error is in the sixth position.
The Hamming code was discovered by Hamming (1950) and Golay (1949). It was conjectured for some time that the Hamming codes and the two so-called Golay codes are the only non-trivial perfect codes.
Comment Hamming codes were originally used to deal with errors in long-distance telephone calls.
ADVANTAGES of HAMMING CODES
Let a binary symmetric channel be used which with probability q correctly transfers a binary symbol. If a 4-bit message is transmitted through such a channel, then correct transmission of the message occurs with probability q^4. If the Hamming (7, 4, 3)-code is used to transmit a 4-bit message, then the probability of correct decoding is
q^7 + 7(1 - q)q^6.
In case q = 0.9 the probability of correct transmission is 0.6561 in the case no error correction is used and 0.8503 in the case the Hamming code is used - an essential improvement.
IMPORTANT CODES
■ Hamming (7, 4, 3)-code. It has 16 codewords of length 7 (out of the 2^7 = 128 binary words of that length) and can be used to correct 1 error.
■ Golay (23, 12, 7)-code. It has 4 096 codewords of length 23 (out of 2^23 = 8 388 608 words) and can correct 3 errors.
■ Quadratic residue (47, 24, 11)-code. It has 2^24 = 16 777 216 codewords of length 47 (out of 2^47 = 140 737 488 355 328 words) and can correct 5 errors.
■ Hamming and Golay codes are the only non-trivial perfect codes.
GOLAY CODES - DESCRIPTION
Golay codes G24 and G23 were used by Voyager I and Voyager II to transmit color pictures of Jupiter and Saturn.
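The Hamming decoding rule with the columns of H in increasing binary order, together with the parameter claims and the probability comparison on the slides above, as an added Python example that is not part of the lecture notes. Because the syndrome of a single error in position j is the j-th column of H, and that column is the binary representation of j, the syndrome of y can be computed as the XOR of the positions of y holding a 1, and it is directly the error position. The parameters of Ham(r, 2) are checked by brute force for r = 3 and r = 4. The function names are this example's choices.

```python
def hamming_parity_check(r):
    """H for Ham(r, 2): column j (1-indexed) is the r-bit binary representation of j, high bit on top."""
    n = 2 ** r - 1
    return [[(j >> (r - 1 - i)) & 1 for j in range(1, n + 1)] for i in range(r)]


def syndrome_as_number(y):
    """S(y) = y H^T for the H above, read as a binary number: the XOR of the positions holding a 1."""
    s = 0
    for j, bit in enumerate(y, start=1):
        if bit:
            s ^= j
    return s


def syndrome_as_bits(y, H):
    """S(y) computed the long way, as a list of bits, to compare with the XOR shortcut."""
    return [sum(a * b for a, b in zip(y, row)) % 2 for row in H]


def hamming_decode(y):
    """Steps 1-3 of the slide: returns (decoded word, error position); position 0 means no error."""
    s = syndrome_as_number(y)
    x = list(y)
    if s:                      # Step 3: a single error in position s is assumed and flipped
        x[s - 1] ^= 1
    return x, s


def codewords(r):
    """All words of length 2^r - 1 with zero syndrome (brute force, fine for small r)."""
    n = 2 ** r - 1
    words = ([(w >> (n - 1 - i)) & 1 for i in range(n)] for w in range(2 ** n))
    return [y for y in words if syndrome_as_number(y) == 0]


def min_distance(r):
    """For a linear code h(C) = w(C): the smallest weight of a non-zero codeword."""
    return min(sum(c) for c in codewords(r) if any(c))


def is_perfect(r):
    """Perfect single-error-correcting: the radius-1 balls around the codewords tile V(n, 2)."""
    n = 2 ** r - 1
    return len(codewords(r)) * (1 + n) == 2 ** n


def prob_correct_hamming(q, n):
    """q^n + n (1-q) q^(n-1): either no error or exactly one (corrected) error."""
    return q ** n + n * (1 - q) * q ** (n - 1)


# the received word of the example on the slide
Y = [1, 1, 0, 1, 0, 1, 1]
H3 = hamming_parity_check(3)

if __name__ == "__main__":
    print("syndrome bits", syndrome_as_bits(Y, H3), "= position", syndrome_as_number(Y))
    print("decoded", hamming_decode(Y))
    print("uncoded 4 bits:", 0.9 ** 4, "Hamming (7,4,3):", prob_correct_hamming(0.9, 7))
```

For y = 1101011 the XOR 1 ^ 2 ^ 4 ^ 6 ^ 7 = 6 agrees with the syndrome 110 computed from H, and flipping position 6 gives the codeword 1101001. Note that the rule silently miscorrects any pattern of two or more errors into a different codeword, which is why the probability of correct decoding is q^7 + 7(1 - q)q^6 and not more.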
The generator matrix for G24 has the form G = [I12 | B], a 12 × 24 matrix whose regular structure is described on the next slide.
G24 is a (24, 12, 8)-code and the weights of all its codewords are multiples of 4. G23 is obtained from G24 by deleting the last symbol of each codeword of G24. G23 is a (23, 12, 7)-code.
GOLAY CODES - CONSTRUCTION
The matrix G for the Golay code G24 has actually a simple and regular construction. The first 12 columns are formed by the identity matrix I12, the next column has all 1's. The rows of the last 11 columns are the cyclic permutations of the first row, which has 1's at those positions that are squares modulo 11, that is 0, 1, 3, 4, 5, 9.
REED-MULLER CODES
Reed-Muller codes form a family of codes defined recursively with interesting properties and easy decoding.
If D1 is a binary [n, k1, d1]-code and D2 is a binary [n, k2, d2]-code, a binary code C of length 2n is defined as follows:
C = {u | u + v, where u ∈ D1, v ∈ D2}.
Lemma C is a [2n, k1 + k2, min{2d1, d2}]-code and if Gi is a generator matrix for Di, i = 1, 2, then
G1 G1
0  G2
is a generator matrix for C.
Reed-Muller codes R(r, m), with 0 ≤ r ≤ m, are binary codes of length n = 2^m. R(m, m) is the whole set of words of length n, R(0, m) is the repetition code. If 0 ≤ r < m, then R(r + 1, m + 1) is obtained from the codes R(r + 1, m) and R(r, m) by the above construction (with D1 = R(r + 1, m) and D2 = R(r, m)).
Theorem The dimension of R(r, m) equals $1 + \binom{m}{1} + \ldots + \binom{m}{r}$. The minimum weight of R(r, m) equals 2^(m-r). The codes R(m - r - 1, m) and R(r, m) are dual codes.
SINGLETON BOUND
Singleton bound: Let C be a q-ary (n, M, d)-code. Then M ≤ q^(n-d+1).
Proof Take some d - 1 coordinates and delete them, i.e. project all codewords onto the remaining n - d + 1 coordinates. Two distinct codewords differ in at least d positions, so they still differ after the deletion: the resulting words are all different, and therefore M cannot be larger than the number of q-ary words of length n - d + 1.
Codes for which M = q^(n-d+1) are called MDS-codes (Maximum Distance Separable).
Corollary: If C is a q-ary linear [n, k, d]-code, then k + d ≤ n + 1.
SHORTENING and PUNCTURING of LINEAR CODES
Let C be a q-ary linear [n, k, d]-code. Let
D = {(x1, ..., xn-1) | (x1, ..., xn-1, 0) ∈ C},
then D is a linear code - a shortening of the code C. If some codeword of C has a non-zero last coordinate, then D is a linear [n - 1, k - 1, d*]-code with d* ≥ d; otherwise every codeword of C ends with 0 and D is an [n - 1, k, d]-code.
Corollary: If there is a q-ary [n, k, d]-code, then shortening yields a q-ary [n - 1, k - 1, d*]-code with d* ≥ d.
Let C be a q-ary [n, k, d]-code. Let
E = {(x1, ..., xn-1) | (x1, ..., xn-1, x) ∈ C for some x ∈ GF(q)},
then E is a linear code - a puncturing of the code C.
If d > 1, then E is an [n - 1, k, d*]-code, where d* = d - 1 if C has a minimum weight codeword with a non-zero last coordinate and d* = d otherwise.
When d = 1, then E is an [n - 1, k, 1]-code if C has no codeword of weight 1 whose non-zero entry is in the last coordinate; otherwise, if k > 1, then E is an [n - 1, k - 1, d*]-code with d* ≥ 1.
REED-SOLOMON CODES
An important example of MDS-codes are the q-ary Reed-Solomon codes RSC(k, q), for k < q. They are codes whose generator matrix has rows labelled by the polynomials x^i, 0 ≤ i ≤ k - 1, and columns labelled by the elements 0, 1, ..., q - 1 of GF(q); the element in the row labelled by a polynomial p and in the column labelled by an element u is p(u).
The RSC(k, q) code is a [q, k, q - k + 1]-code.
Example The generator matrix for the RSC(3, 5) code is
1 1 1 1 1
0 1 2 3 4
0 1 4 4 1
Interesting property of Reed-Solomon codes: RSC(k, q)⊥ = RSC(q - k, q).
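The Reed-Solomon generator matrix, its MDS property and the duality RSC(k, q)⊥ = RSC(q - k, q), as an added Python example that is not part of the lecture notes, for a prime q so that GF(q) is the integers modulo q as in the appendix of this chapter: it builds G for RSC(3, 5) exactly as on the slide, enumerates the 125 codewords, checks the Singleton bound with equality, verifies the duality against RSC(2, 5), and repeats the checks for RSC(2, 7). The function names are this example's choices.

```python
from itertools import product


def rs_generator(k, q):
    """Generator matrix of RSC(k, q), q prime: row i is the polynomial x^i evaluated at u = 0, ..., q-1."""
    return [[pow(u, i, q) for u in range(q)] for i in range(k)]


def codewords(G, q):
    """All q^k codewords u * G of the linear code generated by G over GF(q)."""
    k, n = len(G), len(G[0])
    return [tuple(sum(u[i] * G[i][j] for i in range(k)) % q for j in range(n))
            for u in product(range(q), repeat=k)]


def weight(c):
    return sum(1 for s in c if s)


def min_distance(G, q):
    """h(C) = w(C) for a linear code."""
    return min(weight(c) for c in codewords(G, q) if any(c))


def meets_singleton_with_equality(G, q):
    """MDS: k + d = n + 1."""
    k, n = len(G), len(G[0])
    return k + min_distance(G, q) == n + 1


def are_dual(G1, G2, q):
    """C2 = C1^perp iff every row of G1 is orthogonal to every row of G2 and k1 + k2 = n."""
    n = len(G1[0])
    orthogonal = all(sum(a * b for a, b in zip(r1, r2)) % q == 0 for r1 in G1 for r2 in G2)
    return orthogonal and len(G1) + len(G2) == n


def encode(u, G, q):
    """u * G: the message u = (u_0, ..., u_{k-1}) is the polynomial sum u_i x^i, the codeword its values."""
    return tuple(sum(u[i] * G[i][j] for i in range(len(G))) % q for j in range(len(G[0])))


G35 = rs_generator(3, 5)

if __name__ == "__main__":
    for row in G35:
        print(*row)
    print("RSC(3,5) is a [5, 3, %d]-code" % min_distance(G35, 5),
          "MDS:", meets_singleton_with_equality(G35, 5))
    print("RSC(3,5)^perp = RSC(2,5):", are_dual(G35, rs_generator(2, 5), 5))
```

The duality check only tests the rows of the two generator matrices against each other; that suffices because the dimensions add up to n = q, so the rows of RSC(q - k, q) span all of RSC(k, q)⊥. The minimum distance q - k + 1 is what one expects from the polynomial view: a non-zero polynomial of degree less than k has at most k - 1 roots, so its value vector has at least q - k + 1 non-zero entries.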
Reed-Solomon codes are used in digital television, satellite communication, wireless communication, barcodes, compact discs, DVDs, ... They are very good at correcting burst errors - such as those caused by solar activity.
SOCCER GAMES BETTING SYSTEM
The ternary Golay code with parameters (11, 729, 5) can be used to bet on the results of 11 soccer games with the potential outcomes 1 (the home team wins), 2 (the guests win) and 3 (a draw). If the 729 bets given by the codewords are made, then at least one bet has at least 9 results correctly guessed (the code is perfect, so every word of length 11 is within distance 2 of some codeword). In case one has to bet on 13 games, then one can usually have two games with pretty sure outcomes and for the rest one can use the above ternary Golay code.
LDPC (Low-Density Parity Check) CODES
An LDPC code is a binary linear code whose parity-check matrix is very sparse - it contains only very few 1's. A linear [n, k]-code is a regular [n, k, r, c] LDPC code if r ≪ n, c ≪ n - k and its parity-check matrix has exactly r 1's in each row and exactly c 1's in each column.
In the last years LDPC codes are replacing other types of codes in many important applications, for the following reasons:
1. LDPC codes are in principle also very good channel codes, so-called Shannon-capacity-approaching codes: they allow the noise threshold to be set arbitrarily close to the theoretical maximum - the Shannon limit - for a symmetric channel.
2. Good LDPC codes can be decoded in time linear in their block length using special (for example "iterative belief propagation") approximation techniques.
3. Some LDPC codes are well suited for implementations that make heavy use of parallelism.
Parity-check matrices for LDPC codes are often (pseudo)-randomly generated, subject to sparsity constraints. Such LDPC codes are proven to be good with high probability.
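The (u | u + v) construction of the Reed-Muller codes and the construction of the Golay code G24 from the slides above, as one added Python example that is not part of the lecture notes (it serves both passages, since both need the same enumeration of a binary code from its generator matrix). Codewords are stored as integers with one bit per coordinate so that the whole code can be enumerated and the claimed parameters (dimension, minimum weight, duality, weights divisible by 4, G23 from G24) are checked by brute force. The slide's description of G24 fixes only eleven rows of the last 11 columns; this block completes it with the standard choice that the twelfth row has a 0 in the all-ones column and 1's in all of the last 11 columns, an assumption made here and not stated on the slide.

```python
from collections import Counter
from math import comb


def popcount(w):
    return bin(w).count("1")


def binary_codewords(rows):
    """All 2^k codewords of the binary linear code generated by integer-bitmask rows."""
    words = [0]
    for r in rows:
        words += [w ^ r for w in words]
    return words


def min_weight(rows):
    return min(popcount(w) for w in binary_codewords(rows) if w)


def weight_distribution(rows):
    return Counter(popcount(w) for w in binary_codewords(rows))


def are_dual(rows1, rows2, n):
    """Generators pairwise orthogonal and k1 + k2 = n."""
    return len(rows1) + len(rows2) == n and all(popcount(a & b) % 2 == 0 for a in rows1 for b in rows2)


def rm_generator(r, m):
    """Generator rows of R(r, m), length 2^m. R(0, m): all ones; R(m, m): all words; otherwise
    R(r, m) = {u | u+v : u in R(r, m-1), v in R(r-1, m-1)} with generator [[G1 G1], [0 G2]]."""
    n = 2 ** m
    if r == 0:
        return [(1 << n) - 1]
    if r == m:
        return [1 << i for i in range(n)]
    half = 2 ** (m - 1)
    G1 = rm_generator(r, m - 1)
    G2 = rm_generator(r - 1, m - 1)
    return [(g << half) | g for g in G1] + G2


def rm_dimension_formula(r, m):
    """1 + C(m,1) + ... + C(m,r), the Theorem on the Reed-Muller slide."""
    return sum(comb(m, i) for i in range(r + 1))


def golay24_generator():
    """[I_12 | B] as described on the construction slide; coordinate c <-> bit 23 - c.
    Rows 1..11: identity bit, a 1 in column 13, and the i-th cyclic shift of the row with 1's at
    the squares modulo 11 in columns 14..24. Row 12 (assumption, see lead-in): identity bit,
    0 in column 13, 1's in columns 14..24."""
    residues = {0, 1, 3, 4, 5, 9}
    rows = []
    for i in range(11):
        row = (1 << (23 - i)) | (1 << 11)                  # e_i and the all-ones column 13
        for t in range(11):
            if (t - i) % 11 in residues:                   # shifted residue pattern
                row |= 1 << (10 - t)                       # column 14 + t
        rows.append(row)
    rows.append((1 << 12) | ((1 << 11) - 1))               # e_12, then 0, then eleven 1's
    return rows


def golay23_generator():
    """G23: delete the last symbol of every codeword of G24 (drop bit 0 of every row)."""
    return [row >> 1 for row in golay24_generator()]


G24 = golay24_generator()

if __name__ == "__main__":
    for r, m in [(1, 3), (2, 4)]:
        rows = rm_generator(r, m)
        print(f"R({r},{m}): [{2 ** m}, {len(rows)}, {min_weight(rows)}]")
    print("G24 weight distribution:", sorted(weight_distribution(G24).items()))
    print("G23 minimum weight:", min_weight(golay23_generator()))
```

R(1, 3) comes out as the [8, 4, 4] extended Hamming code, and the 4096 codewords of G24 have weights 0, 8, 12, 16 and 24 only, with 759 codewords of weight 8; deleting the last coordinate drops the minimum weight to 7, as the slide states for G23.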
DISCOVERY and APPLICATION of LDPC CODES
LDPC codes were discovered in 1960 by R. C. Gallager in his PhD thesis, but ignored till 1996, when linear-time decoding methods were discovered for some of them.
LDPC codes are used for: deep space communication; digital video broadcasting; 10GBase-T Ethernet, which sends data at 10 gigabits per second over twisted-pair cables; the Wi-Fi standard, ...
TANNER GRAPHS REPRESENTATION of LDPC CODES
An [n, k] LDPC code can be represented by a bipartite graph between a set of n top "variable nodes (v-nodes)" and a set of n - k bottom "constraint nodes (c-nodes)". The corresponding parity-check matrix has n - k rows and n columns, and the i-th column has 1 in the j-th row exactly in case the i-th v-node is connected to the j-th c-node.
Example (a Tanner graph with the v-nodes a1, ..., a6 and three c-nodes):
H = 1 1 1 1 0 0
    0 0 1 1 0 1
    1 0 0 1 1 0
TANNER GRAPHS - CONTINUATION
Valid codewords a1 ... a6 for the LDPC code with the above Tanner graph and parity-check matrix H have to satisfy the constraints
a1 + a2 + a3 + a4 = 0,
a3 + a4 + a6 = 0,
a1 + a4 + a5 = 0.
APPENDIX
COMMENTS
■ GF(q) for a prime q is the set {0, 1, ..., q - 1} with the operations + and · modulo q.
CHAPTER 3: CYCLIC CODES and CHANNEL CODES
Cyclic codes are special linear codes of large interest and importance because
■ They possess a rich algebraic structure that can be utilized in a variety of ways.
■ They have extremely concise specifications.
■ Their encodings can be efficiently implemented using simple shift registers.
■ Many of the practically very important codes are cyclic.
Channel codes are used to encode streams of data (bits). Some of them, such as Turbo codes, come close to the theoretical Shannon bound concerning efficiency, and are currently used often.
prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 86/616 IMPORTANT NOTE In order to specify a binary code with 2k codewords of length n one may need to write down 2k codewords of length n. prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 87/616 IMPORTANT NOTE In order to specify a binary code with 2k codewords of length n one may need to write down codewords of length n. In order to specify a linear binary code of the dimension k with 2k codewords of length n it is sufficient to write down k codewords of length n. prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 87/616 IMPORTANT NOTE In order to specify a binary code with 2k codewords of length n one may need to write down 2k codewords of length n. In order to specify a linear binary code of the dimension k with 2k codewords of length n it is sufficient to write down k codewords of length n. In order to specify a binary cyclic code with 2k codewords of length n it is sufficient to write down 1 codeword of length n. prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 87/616 BASIC DEFINITION AND EXAMPLES Definition A code C is cyclic if (i) C is a linear code; (ii) any cyclic shift of a codeword is also a codeword, i.e. whenever a0,... an-1 € C, then also an-1a0 ... a„_2 € C and a1 a2... an-1a0 € C. prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 88/616 BASIC DEFINITION AND EXAMPLES Definition A code C is cyclic if (i) C is a linear code; (ii) any cyclic shift of a codeword is also a codeword, i.e. whenever a0,... an-1 € C, then also an-1a0 ... a„_2 € C and a1 a2... an-1a0 € C. Example (i) Code C = {000,101, 011,110} is cyclic. (ii) Hamming code Ham(3, 2): with the generator matrix G = 1 0 0 0 0 1 1 0 10 0 10 1 0 0 10 110 0 0 0 1 1 1 1 is equivalent to a cyclic code. (iii) The binary linear code {0000,1001, 0110,1111} is not cyclic, but it is equivalent to a cyclic code. (iv) Is Hamming code Ham(2, 3) with the generator matrix "10 11" 0112 (a) cyclic? 
(b) or at least equivalent to a cyclic code? prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 88/616 FREQUENCY of CYCLIC CODES Comparing with linear codes, cyclic codes are quite scarce. For example, there are 11 811 linear [7,3] binary codes, but only two of them are cyclic. Trivial cyclic codes. For any field F and any integer n > 3 there are always the following cyclic codes of length n over F: ■ No-information code - code consisting of just one all-zero codeword. ■ Repetition code - code consisting of all codewords (a, a, . . . ,a) for a e F. ■ Single-parity-check code - code consisting of all codewords with parity 0. ■ No-parity code - code consisting of all codewords of length n For some cases, for example for n = 19 and F = GF(2), the above four trivial cyclic codes are the only cyclic codes. prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 89/616 EXAMPLE of a CYCLIC CODE The code with the generator matrix "1 0 1 1 1 0 0 G = 0 1 0 1 1 1 0 0 0 1 0 1 1 1 has, in addition to the codeword 0000000, the following codewords C2 = 0101110 ci = 1011100 es = 0010111 ci + cs = 1001011 Ci + C2 = 1110010 C2 + cs = 0111001 ci + c2 + cs = 1100101 and it is cyclic because the right shifts have the following impacts c2 — cs, ci — c2, cs — ci + cs ci + cs — ci + c2 + cs, ci + c2 — c2 + cs, c2 + cs — ci ci + c2 + cs — ci + c2 prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 90/616 POLYNOMIALS over GF(q) A codeword of a cyclic code is usually denoted 3031 . . . 3„_1 and to each such a codeword the polynomial 30 + 31x + 32x2 + ... + 3„_1x"-1 will be associated. prof. Jozef Gruska IV054 3. Cyclic codes and channel codes 91/616 POLYNOMIALS over GF(q) A codeword of a cyclic code is usually denoted aoai.. . a„-i and to each such a codeword the polynomial ao + ai x + a2X2 + ... + a„-ix"-1 will be associated. NOTATION: Fq[x] denotes the set of all polynomials over GF(q). deg(f(x)) = the largest m such that xm has a non-zero coefficient in f(x). prof. 
Multiplication of polynomials: If f(x), g(x) ∈ F_q[x], then deg(f(x)g(x)) = deg(f(x)) + deg(g(x)).

Division of polynomials: For every pair of polynomials a(x), b(x) ≠ 0 in F_q[x] there exists a unique pair of polynomials q(x), r(x) in F_q[x] such that a(x) = q(x)b(x) + r(x), deg(r(x)) < deg(b(x)).

Example Divide x^3 + x + 1 by x^2 + x + 1 in F_2[x].

Definition Let f(x) be a fixed polynomial in F_q[x]. Two polynomials g(x), h(x) are said to be congruent modulo f(x), notation g(x) ≡ h(x) (mod f(x)), if g(x) − h(x) is divisible by f(x).

RINGS of POLYNOMIALS

For any polynomial f(x), the set of all polynomials in F_q[x] of degree less than deg(f(x)), with addition and multiplication modulo f(x), forms a ring denoted F_q[x]/f(x).

Example Calculate (x + 1)^2 in F_2[x]/(x^2 + x + 1). It holds (x + 1)^2 = x^2 + 2x + 1 = x^2 + 1 ≡ x (mod x^2 + x + 1).

How many elements does F_q[x]/f(x) have? Result: |F_q[x]/f(x)| = q^{deg(f(x))}.

Example Addition and multiplication tables for F_2[x]/(x^2 + x + 1):

  +   |  0    1    x    1+x
  0   |  0    1    x    1+x
  1   |  1    0    1+x  x
  x   |  x    1+x  0    1
  1+x |  1+x  x    1    0

  ·   |  0    1    x    1+x
  0   |  0    0    0    0
  1   |  0    1    x    1+x
  x   |  0    x    1+x  1
  1+x |  0    1+x  1    x
Definition A polynomial f(x) in F_q[x] is said to be reducible if f(x) = a(x)b(x), where a(x), b(x) ∈ F_q[x] and deg(a(x)) < deg(f(x)), deg(b(x)) < deg(f(x)). If f(x) is not reducible, then it is said to be irreducible in F_q[x].

Theorem The ring F_q[x]/f(x) is a field if f(x) is irreducible in F_q[x].

FIELD R_n, R_n = F_q[x]/(x^n − 1)

Computation modulo x^n − 1 in the field R_n = F_q[x]/(x^n − 1): since x^n ≡ 1 (mod (x^n − 1)) we can compute f(x) mod (x^n − 1) by replacing, in f(x), x^n by 1, x^{n+1} by x, x^{n+2} by x^2, x^{n+3} by x^3, ...

Replacement of a word w = a0 a1 ... a_{n−1} by the polynomial p(w) = a0 + a1 x + ... + a_{n−1} x^{n−1} is of large importance because multiplication of p(w) by x in R_n corresponds to a single cyclic shift of w:
x(a0 + a1 x + ... + a_{n−1} x^{n−1}) = a_{n−1} + a0 x + a1 x^2 + ... + a_{n−2} x^{n−1}.

ALGEBRAIC CHARACTERIZATION of CYCLIC CODES

Theorem A code C is cyclic if and only if it satisfies two conditions
(i) a(x), b(x) ∈ C ⟹ a(x) + b(x) ∈ C
(ii) a(x) ∈ C, r(x) ∈ R_n ⟹ r(x)a(x) ∈ C

Proof
(1) Let C be a cyclic code. C is linear ⟹ (i) holds. For (ii), let a(x) ∈ C and r(x) = r0 + r1 x + ... + r_{n−1} x^{n−1}. Then r(x)a(x) = r0 a(x) + r1 x a(x) + ... + r_{n−1} x^{n−1} a(x) is in C by (i), because the summands are cyclic shifts of a(x).
(2) Let (i) and (ii) hold.
■ Taking r(x) to be a scalar, the conditions imply linearity of C.
■ Taking r(x) = x, the conditions imply cyclicity of C.

CONSTRUCTION of CYCLIC CODES

Notation For any f(x) ∈ R_n, we can define ⟨f(x)⟩ = {r(x)f(x) | r(x) ∈ R_n} (with multiplication modulo x^n − 1), a set of polynomials - a code.

Theorem For any f(x) ∈ R_n, the set ⟨f(x)⟩ is a cyclic code (generated by f).

Proof We check conditions (i) and (ii) of the previous theorem.
(i) If a(x)f(x) ∈ ⟨f(x)⟩ and also b(x)f(x) ∈ ⟨f(x)⟩, then a(x)f(x) + b(x)f(x) = (a(x) + b(x))f(x) ∈ ⟨f(x)⟩.
(ii) If a(x)f(x) ∈ ⟨f(x)⟩ and r(x) ∈ R_n, then r(x)(a(x)f(x)) = (r(x)a(x))f(x) ∈ ⟨f(x)⟩.

Example Let C = ⟨1 + x^2⟩, n = 3, q = 2. In order to determine C we have to compute r(x)(1 + x^2) for all r(x) ∈ R_3, where
R_3 = {0, 1, x, 1 + x, x^2, 1 + x^2, x + x^2, 1 + x + x^2}.
Result: C = {0, 1 + x, 1 + x^2, x + x^2}, i.e. C = {000, 011, 101, 110}.
CHARACTERIZATION THEOREM for CYCLIC CODES

We show that all cyclic codes C have the form C = ⟨f(x)⟩ for some f(x) ∈ R_n.

Theorem Let C be a non-zero cyclic code in R_n. Then
■ there exists a unique monic polynomial g(x) of the smallest degree such that
■ C = ⟨g(x)⟩,
■ g(x) is a factor of x^n − 1.

Proof
(i) Suppose g(x) and h(x) are two monic polynomials in C of the smallest degree. Then the polynomial g(x) − h(x) ∈ C, it has a smaller degree, and multiplication by a scalar makes out of it a monic polynomial. If g(x) ≠ h(x) we get a contradiction.
(ii) Suppose a(x) ∈ C. Then a(x) = q(x)g(x) + r(x) with deg r(x) < deg g(x), and r(x) = a(x) − q(x)g(x) ∈ C. By minimality r(x) = 0 and therefore a(x) ∈ ⟨g(x)⟩.
(iii) Clearly, x^n − 1 = q(x)g(x) + r(x) with deg r(x) < deg g(x) and therefore r(x) ≡ −q(x)g(x) (mod x^n − 1) and r(x) ∈ C ⟹ r(x) = 0 ⟹ g(x) is a factor of x^n − 1.

GENERATOR POLYNOMIALS

Definition If C = ⟨g(x)⟩ holds for a cyclic code C, then g is called the generator polynomial for the code C.

HOW TO DESIGN CYCLIC CODES?

The last claim of the previous theorem gives a recipe to get all cyclic codes of a given length n over GF(q). Indeed, all we need to do is to find all factors (in GF(q)) of x^n − 1.

Problem: Find all binary cyclic codes of length 3.

Solution: Since x^3 − 1 = (x − 1)(x^2 + x + 1), where both factors are irreducible in GF(2), we have the following generator polynomials and codes.

Generator polynomial | Code in R_3                         | Code in V(3, 2)
1                    | R_3                                 | V(3, 2)
x + 1                | {0, 1 + x, x + x^2, 1 + x^2}        | {000, 110, 011, 101}
x^2 + x + 1          | {0, 1 + x + x^2}                    | {000, 111}
x^3 − 1 (= 0)        | {0}                                 | {000}

DESIGN of GENERATOR MATRICES for CYCLIC CODES

Theorem Suppose C is a cyclic code of codewords of length n with the generator polynomial g(x) = g0 + g1 x + ... + gr x^r. Then dim(C) = n − r and a generator matrix G1 for C is

G1 =
g0 g1 g2 ... gr 0  0  ... 0
0  g0 g1 g2 ... gr 0  ... 0
0  0  g0 g1 g2 ... gr ... 0
...
0  0  ... 0  g0 g1 ... gr

Proof
(i) All rows of G1 are linearly independent.
(ii) The n − r rows of G1 represent the codewords g(x), x g(x), x^2 g(x), ..., x^{n−r−1} g(x). (*)
(iii) It remains to show that every codeword in C can be expressed as a linear combination of vectors from (*). Indeed, if a(x) ∈ C, then a(x) = q(x)g(x) for some q(x) by the characterization theorem. Since deg a(x) < n we have deg q(x) < n − r. Hence
a(x) = q0 g(x) + q1 x g(x) + ... + q_{n−r−1} x^{n−r−1} g(x).

EXAMPLE

The task is to determine all ternary cyclic codes of length 4 and generators for them.

Factorization of x^4 − 1 over GF(3) has the form
x^4 − 1 = (x − 1)(x^3 + x^2 + x + 1) = (x − 1)(x + 1)(x^2 + 1).
Therefore there are 2^3 = 8 divisors of x^4 − 1 and each generates a cyclic code (the generator matrices below follow from the previous theorem):

Generator polynomial                       | Generator matrix
x − 1                                      | (−1 1 0 0; 0 −1 1 0; 0 0 −1 1)
x + 1                                      | (1 1 0 0; 0 1 1 0; 0 0 1 1)
x^2 + 1                                    | (1 0 1 0; 0 1 0 1)
(x − 1)(x + 1) = x^2 − 1                   | (−1 0 1 0; 0 −1 0 1)
(x − 1)(x^2 + 1) = x^3 − x^2 + x − 1       | (−1 1 −1 1)
(x + 1)(x^2 + 1) = x^3 + x^2 + x + 1       | (1 1 1 1)

COMMENT

On the previous slide the "generator polynomials" x − 1, x^2 − 1 and x^3 − x^2 + x − 1 are formally not in R_n because the only allowable coefficients are 0, 1, 2. It is, however, good practice to use also the coefficients −2 and −1, which are equal modulo 3 to 1 and 2, and they can be replaced in this way also in the matrices to be fully correct formally.

CHECK POLYNOMIALS and PARITY CHECK MATRICES for CYCLIC CODES

Let C be a cyclic [n, k]-code with the generator polynomial g(x) (of degree n − k). By the last theorem g(x) is a factor of x^n − 1. Hence
x^n − 1 = g(x)h(x)
for some h(x) of degree k. (h(x) is called the check polynomial of C.)

Theorem Let C be a cyclic code in R_n with a generator polynomial g(x) and a check polynomial h(x). Then c(x) ∈ R_n is a codeword of C if and only if c(x)h(x) ≡ 0 (this and the next congruences are all modulo x^n − 1).
Proof Note that g(x)h(x) = x^n − 1 ≡ 0.
(i) c(x) ∈ C ⟹ c(x) = a(x)g(x) for some a(x) ∈ R_n ⟹ c(x)h(x) = a(x) g(x)h(x) ≡ 0, because g(x)h(x) ≡ 0.
(ii) Suppose c(x)h(x) ≡ 0. Write c(x) = q(x)g(x) + r(x) with deg r(x) < n − k = deg g(x). Then c(x)h(x) ≡ 0 ⟹ r(x)h(x) ≡ 0 (mod x^n − 1). Since deg(r(x)h(x)) < n − k + k = n, we have r(x)h(x) = 0 in F[x] and therefore r(x) = 0 ⟹ c(x) = q(x)g(x) ∈ C.

POLYNOMIAL REPRESENTATION of DUAL CODES

Since dim(⟨h(x)⟩) = n − k = dim(C^⊥) we might easily be fooled into thinking that the check polynomial h(x) of the code C generates the dual code C^⊥. Reality is "slightly different":

Theorem Suppose C is a cyclic [n, k]-code with the check polynomial h(x) = h0 + h1 x + ... + hk x^k. Then
(i) a parity-check matrix for C is

H =
hk h_{k−1} ... h0 0  ... 0
0  hk  ... h1 h0 ... 0
...
0  0   ... 0  hk ... h0

(ii) C^⊥ is the cyclic code generated by the polynomial h̄(x) = hk + h_{k−1} x + ... + h0 x^k, i.e. the reciprocal polynomial of h(x).

Proof A polynomial c(x) = c0 + c1 x + ... + c_{n−1} x^{n−1} represents a codeword from C if c(x)h(x) ≡ 0. For c(x)h(x) to be 0 the coefficients at x^k, ..., x^{n−1} must be zero, i.e.
c0 hk + c1 h_{k−1} + ... + ck h0 = 0
c1 hk + c2 h_{k−1} + ... + c_{k+1} h0 = 0
...
c_{n−k−1} hk + c_{n−k} h_{k−1} + ... + c_{n−1} h0 = 0

Therefore, any codeword c0 c1 ... c_{n−1} ∈ C is orthogonal to the word hk h_{k−1} ... h0 0 0 ... 0 and to its cyclic shifts. The rows of the matrix H are therefore in C^⊥. Moreover, since hk = 1, these row vectors are linearly independent. Their number is n − k = dim(C^⊥). Hence H is a generator matrix for C^⊥, i.e. a parity-check matrix for C.

In order to show that C^⊥ is the cyclic code generated by the polynomial h̄(x) = hk + h_{k−1} x + ... + h0 x^k it is sufficient to show that h̄(x) is a factor of x^n − 1. Observe that h̄(x) = x^k h(x^{−1}) and, since h(x^{−1}) g(x^{−1}) = (x^{−1})^n − 1, we have that
x^k h(x^{−1}) · x^{n−k} g(x^{−1}) = x^n (x^{−n} − 1) = 1 − x^n,
and therefore h̄(x) is indeed a factor of x^n − 1.

ENCODING with CYCLIC CODES I

Encoding using a cyclic code can be done by a multiplication of two polynomials - a message polynomial and the generating polynomial for the cyclic code.

Let C be an [n, k]-code over a field F with the generator polynomial g(x) = g0 + g1 x + ... + gr x^r of degree r = n − k. If a message vector m is represented by a polynomial m(x) of degree k and m is encoded by m ⟹ c = mG, then the following relation between m(x) and c(x) holds:
c(x) = m(x)g(x).

Such an encoding can be realized by the shift register shown in the figure below, where the input is the k-bit message to be encoded followed by n − k 0's, and the output will be the encoded message.

[Figure: shift-register encoding of cyclic codes. Small circles represent multiplication by the corresponding constant g0, g1, ..., gr, ⊕ nodes represent modular addition, squares are delay elements; the input enters on the left and the encoded output leaves on the right.]
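The following is an added example, not code from the lecture notes, that carries the cyclic-code machinery of the preceding slides through in working code: polynomial division with remainder over GF(q), multiplication in R_n (a cyclic shift is multiplication by x), the list of all cyclic codes of length n obtained from the monic divisors of x^n − 1, and, for one generator polynomial, the generator matrix, the check polynomial h(x) with g(x)h(x) = x^n − 1, the parity-check matrix built from the reciprocal of h(x), the encoding c(x) = m(x)g(x) and the membership test c(x)h(x) = 0. Polynomials are lists with the coefficient of x^i at index i; q is assumed prime (so the leading coefficient of a divisor is invertible), and the sample polynomial g(x) = 1 + x + x^3 with n = 7 is chosen for the demonstration.

```python
# Added example (not from the lecture notes): arithmetic in F_q[x] and in
# R_n = F_q[x]/(x^n - 1), and the generator/check-polynomial constructions.
from itertools import product

def trim(p):
    """Drop leading zero coefficients; the zero polynomial is []."""
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def mul(a, b, q):
    """Product in F_q[x]; the coefficient of x^i is stored at index i."""
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % q
    return trim(out)

def divmod_poly(a, b, q):
    """Unique (quotient, remainder) with a = quotient*b + remainder, deg r < deg b."""
    a, b = trim(a), trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(b[-1], -1, q)      # q is assumed prime, so this inverse exists
    quot, rem = [0] * max(len(a) - len(b) + 1, 1), a[:]
    while len(rem) >= len(b):
        coef = rem[-1] * inv_lead % q
        shift = len(rem) - len(b)
        quot[shift] = coef
        for i, y in enumerate(b):
            rem[shift + i] = (rem[shift + i] - coef * y) % q
        rem = trim(rem)
    return trim(quot), rem

def x_n_minus_1(n, q):
    return [q - 1] + [0] * (n - 1) + [1]      # -1 is q-1 modulo q

def mul_mod(a, b, n, q):
    """Multiplication in R_n: multiply, then replace x^(n+i) by x^i since x^n = 1."""
    out = [0] * n
    for i, c in enumerate(mul(a, b, q)):
        out[i % n] = (out[i % n] + c) % q
    return trim(out)

def to_word(p, n):
    return list(p) + [0] * (n - len(p))

def cyclic_shift(word):
    """Right cyclic shift a_0...a_{n-1} -> a_{n-1} a_0 ... a_{n-2}; equals x * p(w) in R_n."""
    return word[-1:] + word[:-1]

def cyclic_codes(n, q):
    """Generator polynomials of all cyclic codes of length n: the monic divisors of x^n - 1."""
    gens = []
    for d in range(n + 1):
        for low in product(range(q), repeat=d):
            g = list(low) + [1]
            if not divmod_poly(x_n_minus_1(n, q), g, q)[1]:
                gens.append(g)
    return gens

def generator_matrix(g, n):
    """Rows: the words of g(x), x g(x), ..., x^(n-r-1) g(x), where r = deg g."""
    return [to_word([0] * i + list(g), n) for i in range(n - (len(g) - 1))]

def check_polynomial(g, n, q):
    """h(x) with g(x) h(x) = x^n - 1."""
    quot, rem = divmod_poly(x_n_minus_1(n, q), g, q)
    if rem:
        raise ValueError("g(x) does not divide x^n - 1")
    return quot

def parity_check_matrix(h, n):
    """Rows: cyclic shifts of h_k h_{k-1} ... h_0 0 ... 0 (the reciprocal polynomial)."""
    rev = list(reversed(h))
    return [to_word([0] * i + rev, n) for i in range(n - (len(h) - 1))]

def encode(m, g, n, q):
    """c(x) = m(x) g(x), the encoding of the slides."""
    return to_word(mul(m, g, q), n)

def is_codeword(c, h, n, q):
    """c(x) is in C  <=>  c(x) h(x) = 0 in R_n (check-polynomial theorem)."""
    return not mul_mod(trim(c), h, n, q)

def matrix_product_t(G, H, q):
    """G * H^T over GF(q); all zeros iff every row of G is orthogonal to every row of H."""
    return [[sum(a * b for a, b in zip(g, h)) % q for h in H] for g in G]

if __name__ == "__main__":
    print(divmod_poly([1, 1, 0, 1], [1, 1, 1], 2))       # x^3+x+1 = (x+1)(x^2+x+1) + x
    print([to_word(g, 3) for g in cyclic_codes(3, 2)])   # the four binary cyclic codes of length 3
    g = [1, 1, 0, 1]                                     # g(x) = 1 + x + x^3, n = 7, q = 2
    h = check_polynomial(g, 7, 2)
    G, H = generator_matrix(g, 7), parity_check_matrix(h, 7)
    c = encode([1, 0, 1, 1], g, 7, 2)
    print(h, c, is_codeword(c, h, 7, 2), matrix_product_t(G, H, 2))
```

Running the block reproduces the worked examples of the slides: x^3 + x + 1 = (x + 1)(x^2 + x + 1) + x in F_2[x], exactly four binary cyclic codes of length 3 and eight ternary cyclic codes of length 4, and for g(x) = 1 + x + x^3 the check polynomial h(x) = 1 + x + x^2 + x^4 with G H^T = 0, so H built from the reciprocal of h(x) is a parity-check matrix for the code generated by g(x).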
HAMMING CODES as CYCLIC CODES I

Definition (Again!) Let r be a positive integer and let H be an r × (2^r − 1) matrix whose columns are all distinct non-zero vectors of V(r, 2). Then the code having H as its parity-check matrix is called the binary Hamming code, denoted by Ham(r, 2).

It can be shown that:

Theorem The binary Hamming code Ham(r, 2) is equivalent to a cyclic code.

Definition If p(x) is an irreducible polynomial of degree r such that x is a primitive element of the field F[x]/p(x), then p(x) is called a primitive polynomial.

Theorem If p(x) is a primitive polynomial over GF(2) of degree r, then the cyclic code ⟨p(x)⟩ is the code Ham(r, 2).

HAMMING CODES as CYCLIC CODES II

Example The polynomial x^3 + x + 1 is irreducible over GF(2) and x is a primitive element of the field F_2[x]/(x^3 + x + 1):
F_2[x]/(x^3 + x + 1) = {0, 1, x, x^2, x^3 = x + 1, x^4 = x^2 + x, x^5 = x^2 + x + 1, x^6 = x^2 + 1}.

The parity-check matrix for a cyclic version of Ham(3, 2), with the i-th column holding the coefficients of 1, x, x^2 in x^i, is
H =
1 0 0 1 0 1 1
0 1 0 1 1 1 0
0 0 1 0 1 1 1

PROOF of THEOREM: The binary Hamming code Ham(r, 2) is equivalent to a cyclic code.

It is known from algebra that if p(x) is an irreducible polynomial of degree r, then the ring F_2[x]/p(x) is a field of order 2^r. In addition, every finite field has a primitive element. Therefore, there exists an element α of F_2[x]/p(x) such that
F_2[x]/p(x) = {0, 1, α, α^2, ..., α^{2^r − 2}}.

Let us identify an element a0 + a1 x + ... + a_{r−1} x^{r−1} of F_2[x]/p(x) with the column vector (a0, a1, ..., a_{r−1})^T and consider the binary r × (2^r − 1) matrix
H = [1 α α^2 ... α^{2^r − 2}].

Let now C be the binary linear code having H as a parity check matrix. Since the columns of H are all distinct non-zero vectors of V(r, 2), C = Ham(r, 2). Putting n = 2^r − 1 we get
C = {f0 f1 ... f_{n−1} ∈ V(n, 2) | f0 + f1 α + ... + f_{n−1} α^{n−1} = 0}  (1)
  = {f(x) ∈ R_n | f(α) = 0 in F_2[x]/p(x)}  (2)

If f(x) ∈ C and r(x) ∈ R_n, then r(x)f(x) ∈ C because r(α)f(α) = r(α) · 0 = 0 and therefore, by one of the previous theorems, this version of Ham(r, 2) is cyclic.
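The following is an added example, not code from the lecture notes, that checks the Ham(3, 2) example and the proof above by computation: it verifies that x is a primitive element of F_2[x]/(x^3 + x + 1), builds H from the columns 1, α, ..., α^6, enumerates the code defined by equation (2) (f(α) = 0), and confirms that it is cyclic and coincides with ⟨p(x)⟩, i.e. that every codeword polynomial is a multiple of p(x). Binary polynomials are stored as Python integers (bit i is the coefficient of x^i), so addition is XOR; the function names are this example's own.

```python
# Added example (not from the lecture notes): the cyclic Ham(3, 2) from
# the primitive polynomial p(x) = x^3 + x + 1.
from itertools import product

P = 0b1011          # p(x) = x^3 + x + 1
R = 3               # degree of p(x); the field F_2[x]/p(x) has 2^R = 8 elements

def field_mul(a, b, p=P, r=R):
    """Multiply two elements of F_2[x]/p(x), reducing modulo p(x) as the degree grows."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        b >>= 1
        a <<= 1
        if a >> r:          # degree reached r: subtract (XOR) p(x)
            a ^= p
    return out

def powers_of_x(p=P, r=R):
    """x^0, x^1, ... until the sequence returns to 1; 2^r - 1 entries iff x is primitive."""
    elems, e = [], 1
    while True:
        elems.append(e)
        e = field_mul(e, 0b10, p, r)
        if e == 1:
            return elems

def is_primitive(p=P, r=R):
    return len(powers_of_x(p, r)) == 2 ** r - 1

def parity_check_matrix(p=P, r=R):
    """Row i holds the coefficient of x^i of each column 1, alpha, alpha^2, ... (alpha = x)."""
    cols = powers_of_x(p, r)
    return [[(c >> i) & 1 for c in cols] for i in range(r)]

def eval_at_alpha(word, p=P, r=R):
    """f(alpha) = sum f_i alpha^i computed in the field; zero exactly when H f^T = 0."""
    acc = 0
    for f_i, a_i in zip(word, powers_of_x(p, r)):
        if f_i:
            acc ^= a_i
    return acc

def hamming_code(p=P, r=R):
    """All words f_0 ... f_{n-1} with f(alpha) = 0, n = 2^r - 1 (equation (2) of the proof)."""
    n = 2 ** r - 1
    return [w for w in product((0, 1), repeat=n) if eval_at_alpha(w, p, r) == 0]

def poly_mod(a, b):
    """Remainder of the binary polynomial a divided by b (both as ints)."""
    while a and a.bit_length() >= b.bit_length():
        a ^= b << (a.bit_length() - b.bit_length())
    return a

def generated_by_p(word, p=P):
    """True iff the word's polynomial is a multiple of p(x), i.e. the word lies in <p(x)>."""
    as_int = sum(bit << i for i, bit in enumerate(word))
    return poly_mod(as_int, p) == 0

def is_cyclic(code):
    """Is the code closed under the right cyclic shift?"""
    code_set = set(code)
    return all(tuple(w[-1:] + w[:-1]) in code_set for w in code)

if __name__ == "__main__":
    print("x primitive:", is_primitive())
    for row in parity_check_matrix():
        print("".join(map(str, row)))
    code = hamming_code()
    print(len(code), "codewords; cyclic:", is_cyclic(code),
          "; all multiples of p(x):", all(generated_by_p(w) for w in code))
```

The powers of x come out as 1, x, x^2, x + 1, x^2 + x, x^2 + x + 1, x^2 + 1, matching the field listing on the slide; the resulting 16 codewords of length 7 have minimum weight 3, are closed under cyclic shifts, and are exactly the multiples of p(x) in R_7, which is the content of the theorem "⟨p(x)⟩ = Ham(r, 2)".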
BCH CODES and REED-SOLOMON CODES

To the most important cyclic codes for applications belong BCH codes and Reed-Solomon codes.

Definition A polynomial p is said to be minimal for a complex number x in Z_q if p(x) = 0 and p is irreducible over Z_q.

Definition A cyclic code of codewords of length n over Z_q, q = p^r, p a prime, is called a BCH code (1) of distance d if its generator g(x) is the least common multiple of the minimal polynomials for ω^l, ω^{l+1}, ..., ω^{l+d−2} for some l, where ω is the primitive n-th root of unity. If n = q^m − 1 for some m, then the BCH code is called primitive.

Definition A Reed-Solomon code is a primitive BCH code with n = q − 1.

Properties:
■ Reed-Solomon codes are self-dual.

(1) BCH stands for Bose and Ray-Chaudhuri and Hocquenghem, who discovered these codes.

CHANNEL (STREAMS) CODING I

The task of channel coding is to encode streams of data in such a way that if they are sent over a noisy channel, errors can be detected and/or corrected by the receiver.

In case no receiver-to-sender communication is allowed we speak about forward error correction.

An important parameter of a channel code is the code rate = k/n, in case k bits are encoded by n bits. The code rate expresses the amount of redundancy in the code - the lower the rate, the more redundant the code.

CHANNEL (STREAM) CODING II

Design of a channel code is always a tradeoff between energy efficiency and bandwidth efficiency.

Codes with lower code rate can usually correct more errors. Consequently, the communication system can operate
■ with a lower transmit power;
■ transmit over longer distances;
■ tolerate more interference;
■ use smaller antennas;
■ transmit at a higher data rate.

These properties make codes with lower code rate energy efficient. On the other hand such codes require larger bandwidth and decoding is usually of higher complexity. The selection of the code rate involves a tradeoff between energy efficiency and bandwidth efficiency.

Central problem of channel encoding: encoding is usually easy, but decoding is usually hard.

CONVOLUTION CODES

Our first example of channel codes are convolution codes. Convolution codes have simple encoding and decoding, are quite a simple generalization of linear codes and have encodings as cyclic codes.

An (n, k) convolution code (CC) is defined by a k × n generator matrix, entries of which are polynomials over F_2.

For example, G1 = (x^2 + 1, x^2 + x + 1) is the generator matrix for a (2, 1) convolution code, called CC1 below; a second generator matrix G2 is used in EXAMPLE 2.

ENCODING of FINITE POLYNOMIALS

An (n, k) convolution code with a k × n generator matrix G can be used to encode a k-tuple of plain-polynomials (polynomial input information)
I = (I0(x), I1(x), ..., I_{k−1}(x))
to get an n-tuple of crypto-polynomials
C = (C0(x), C1(x), ..., C_{n−1}(x))
as follows: C = I · G.

EXAMPLES

EXAMPLE 1 (x^3 + x + 1) · G1 = (x^3 + x + 1) · (x^2 + 1, x^2 + x + 1) = (x^5 + x^2 + x + 1, x^5 + x^4 + 1)

EXAMPLE 2 (x^2 + x, x^3 + 1) · G2

ENCODING of INFINITE INPUT STREAMS

The way infinite streams are encoded using convolution codes will be illustrated on the code CC1.

An input stream I = (I0, I1, I2, ...) is mapped into the output stream C = (C00, C10, C01, C11, ...) defined by
C0(x) = C00 + C01 x + ... = (x^2 + 1) I(x) and C1(x) = C10 + C11 x + ... = (x^2 + x + 1) I(x).

The first multiplication can be done by the first shift register in the next figure; the second multiplication can be performed by the second shift register on the next slide, and it holds
C0i = Ii + I_{i−2}, C1i = Ii + I_{i−1} + I_{i−2}.
That is, the output streams C0 and C1 are obtained by convolving the input stream with the polynomials of G1.

ENCODING

[Figure: the first shift register (input → delay cells for 1, x, x^2 → output, with taps at 1 and x^2 summed by ⊕) will multiply the input stream by x^2 + 1, and the second shift register (taps at 1, x and x^2) will multiply the input stream by x^2 + x + 1.]

ENCODING and DECODING

[Figure: the two shift registers sharing one input stream, with output streams C00, C01, C02, ... and C10, C11, C12, ...] The shift register above will therefore be an encoder for the code CC1.

For decoding of convolution codes the so-called Viterbi algorithm is used.
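The following is an added example, not code from the lecture notes, for the (2, 1) convolution code CC1 with G1 = (x^2 + 1, x^2 + x + 1) described above. It encodes a finite input polynomial as C = I · G1 (EXAMPLE 1) and, separately, as a streaming shift-register encoder with two delay cells that emits (C0i, C1i) = (Ii + I_{i−2}, Ii + I_{i−1} + I_{i−2}) on every clock, then checks that flushing the register with zeros makes the two encodings agree. The class and function names are this example's own.

```python
# Added example (not from the lecture notes): two encoders for CC1,
# polynomial multiplication vs. a clocked shift register.
G1 = ([1, 0, 1], [1, 1, 1])   # coefficients of x^2+1 and x^2+x+1, lowest degree first

def poly_mul_gf2(a, b):
    """Product of two binary polynomials given as coefficient lists (index i = x^i)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] ^= x & y
    return out

def encode_polynomial(message, gens=G1):
    """C = I * G for a single input polynomial I(x): one product per column of G."""
    return tuple(poly_mul_gf2(message, g) for g in gens)

class ShiftRegisterEncoder:
    """Streaming encoder: the delay cells hold I_{i-1}, I_{i-2}; each clock emits
    (C0_i, C1_i) = (I_i + I_{i-2}, I_i + I_{i-1} + I_{i-2}) for the taps of G1."""

    def __init__(self, gens=G1):
        self.gens = gens
        self.memory = [0] * (len(gens[0]) - 1)      # I_{i-1}, I_{i-2}

    def clock(self, bit):
        window = [bit] + self.memory                 # I_i, I_{i-1}, I_{i-2}
        outputs = tuple(sum(g_j & w for g_j, w in zip(g, window)) % 2 for g in self.gens)
        self.memory = window[:-1]                    # shift: I_i becomes I_{i-1}
        return outputs

    def flush(self):
        """Clock in zeros until the delay cells are empty; returns the tail outputs."""
        return [self.clock(0) for _ in range(len(self.memory))]

def encode_stream(bits, gens=G1):
    """Encode a finite prefix of a stream, then flush, so the result equals C = I * G."""
    enc = ShiftRegisterEncoder(gens)
    out = [enc.clock(b) for b in bits] + enc.flush()
    return tuple(list(col) for col in zip(*out))

if __name__ == "__main__":
    message = [1, 1, 0, 1]                            # I(x) = x^3 + x + 1, as in EXAMPLE 1
    print(encode_polynomial(message))                 # x^5+x^2+x+1 and x^5+x^4+1
    print(encode_stream(message))                     # the same two streams, bit by bit
```

For I(x) = x^3 + x + 1 both encoders return the pair (x^5 + x^2 + x + 1, x^5 + x^4 + 1) of EXAMPLE 1; the streaming version needs two flush clocks because the last input bit is still inside the delay cells when the input ends.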
SHANNON CHANNEL CAPACITY
For every combination of bandwidth (W), channel type, signal power (S) and received noise power (N), there is a theoretical upper bound, called channel capacity or Shannon capacity, on the data transmission rate R for which error-free data transmission is possible.
For so-called Additive White Gaussian Noise (AWGN) channels, which well capture deep space channels, this limit is (the so-called Shannon-Hartley theorem):
$R \le W \log_2\left(1 + \frac{S}{N}\right)$ {bits per second}
Shannon capacity sets a limit to the energy efficiency of the code.
Till 1993 channel code designers were unable to develop codes with performance close to the Shannon capacity limit, that is, Shannon-capacity-approaching codes, and practical codes required about twice as much energy as the theoretical minimum predicted. Therefore there was a big need for better codes with performance (arbitrarily) close to the Shannon capacity limits.
Concatenated codes and Turbo codes have such a Shannon-capacity-approaching property.

CONCATENATED CODES
Let $C_{in} : A^k \to A^n$ be an [n, k, d] code over alphabet A. Let $C_{out} : B^K \to B^N$ be an [N, K, D] code over alphabet B with $|B| = |A|^k$ symbols. Concatenation of $C_{out}$ (as outer code) with $C_{in}$ (as inner code), denoted $C_{out} \circ C_{in}$, is the [nN, kK, dD] code $C_{out} \circ C_{in} : A^{kK} \to A^{nN}$ that maps an input message $m = (m_1, m_2, \ldots, m_K)$ to a codeword $(C_{in}(m'_1), C_{in}(m'_2), \ldots, C_{in}(m'_N))$, where $(m'_1, m'_2, \ldots, m'_N) = C_{out}(m_1, m_2, \ldots, m_K)$.
[figure: super encoder = outer encoder followed by inner encoder; super channel = inner encoder, noisy channel, inner decoder; super decoder = inner decoder followed by outer decoder]
Of key importance is the fact that if $C_{in}$ is decoded using the maximum-likelihood principle (thus showing an exponentially decreasing error probability with increasing length) and $C_{out}$ is a code with length $N = 2^{nr}$ that can be decoded in polynomial time in N, then the concatenated code can be decoded in polynomial time with respect to $n 2^{nr}$ and has exponentially decreasing error probability even if $C_{in}$ has exponential decoding complexity.

APPLICATIONS
■ Concatenated codes started to be used for deep space communication starting with the Voyager program in 1977 and stayed so until the invention of Turbo codes and LDPC codes.
■ Concatenated codes are used also on Compact Discs.
■ The best concatenated codes for many applications were based on outer Reed-Solomon codes and inner Viterbi-decoded short constraint-length convolution codes.

TURBO CODES
Turbo codes were introduced by Berrou, Glavieux and Thitimajshima in 1993.
A Turbo code is formed from the parallel composition of two (convolution) codes separated by an interleaver (that permutes blocks of data in a fixed (pseudo)-random way).
A Turbo encoder is formed from the parallel composition of two (convolution) encoders separated by an interleaver.
[figure: a Turbo encoder; the input x feeds the first convolution encoder (parity bit b1) and, through the interleaver, the second convolution encoder (parity bit b2)]

EXAMPLE of TURBO and CONVOLUTION ENCODERS
[figure: a Turbo encoder, as above, and a convolution encoder]

DECODING and PERFORMANCE of TURBO CODES
■ A soft-in-soft-out decoding is used: the decoder gets from the analog/digital demodulator a soft value of each bit (the probability that it is 1) and produces only a soft value for each bit.
■ The overall decoder uses decoders for the outputs of the two encoders that also provide only soft values for bits; by exchanging the information produced by the two decoders and from the original input bit, the main decoder tries to increase, by an iterative process, the likelihood of the values of the decoded bits and finally to produce a hard outcome, a bit 1 or 0.
■ Turbo codes performance can be very close to the theoretical Shannon limit.
■ This was, for example, the case for the UMTS (third Generation Universal Mobile Telecommunication System) Turbo code having a less than 1.2-fold overhead. In this case the interleaver worked with blocks of 40-5114 bits.
■ Turbo codes were incorporated into standards used by NASA for deep space communications, digital video broadcasting and both third generation cellular standards.
■ Literature: M.C. Valenti and J. Sun: Turbo codes - tutorial, Handbook of RF and Wireless Technologies, 2004 - reachable by Google.

REACHING SHANNON LIMIT
■ Though Shannon developed his capacity bound already in 1940, till recently code designers were unable to come up with codes with performance close to the theoretical limit.
■ In 1990 the gap between the theoretical bound and practical implementations was still at best about 3 dB.
A decibel is a relative measure. If E is the actual energy and $E_{ref}$ is the theoretical lower bound, then the relative energy increase in decibels is $10 \log_{10} \frac{E}{E_{ref}}$. Since $\log_{10} 2 \approx 0.3$, a two-fold relative energy increase equals 3 dB.
■ For code rate 1 the relative increase in energy consumption is about 4.8 dB for convolution codes and 0.98 dB for Turbo codes.

WHY ARE TURBO CODES SO GOOD?
■ Turbo codes are linear codes.
■ A "good" linear code is one that has mostly high-weight codewords.
■ High-weight codewords are desirable because they are more distinct and the decoder can more easily distinguish among them.
■ A big advantage of Turbo encoders is that they reduce the number of low-weight codewords because their output is the sum of the weights of the input and two parity output bits.

Part IV Secret-key cryptosystems
CHAPTER 4: CLASSICAL (SECRET-KEY) CRYPTOSYSTEMS
■ In this chapter we deal with some of the very old or quite old classical (secret-key or symmetric) cryptosystems that were primarily used in the pre-computer era.
■ These cryptosystems are too weak nowadays, too easy to break, especially with computers.
■ However, these simple cryptosystems give a good illustration of several of the important ideas of cryptography and cryptanalysis.
■ Moreover, most of them can be very useful in combination with more modern cryptosystems, to add a new level of security.

CRYPTOLOGY, CRYPTOSYSTEMS - SECRET-KEY CRYPTOGRAPHY
Cryptology (= cryptography + cryptanalysis) has more than two thousand years of history.
Basic historical observation
■ People have always had a fascination with keeping information away from others.
■ Some people - rulers, diplomats, military people, businessmen - have always had needs to keep some information away from others.
Importance of cryptography nowadays
■ Applications: cryptography is the key tool to make modern information transmission secure, and to create a secure information society.
■ Foundations: cryptography gave rise to several new key concepts of the foundations of informatics: one-way functions, computationally perfect pseudorandom generators, zero-knowledge proofs, holographic proofs, program self-testing and self-correcting, ...

APPROACHES and PARADOXES of CRYPTOGRAPHY
Sound approaches to cryptography
■ Shannon's approach based on information theory (the enemy has not enough information to break a cryptosystem).
■ Current approach based on complexity theory (the enemy has not enough computation power to break a cryptosystem).
■ Very recent approach based on the laws and limitations of quantum physics (the enemy would need to break laws of nature to break a cryptosystem).
Paradoxes of modern cryptography
■ Positive results of modern cryptography are based on negative results of complexity theory.
■ Computers, that were designed originally for decryption, seem to be now more useful for encryption.

CRYPTOSYSTEMS - CIPHERS
Cryptography deals with the problem of sending a message (plaintext, cleartext), through an insecure channel that may be tapped by an adversary (eavesdropper, cryptanalyst), to a legal receiver.
[figure: key source; the sender encrypts the plaintext w as $c = e_k(w)$; the cryptotext c travels over the channel; the legal receiver decrypts $w = d_k(c)$]
COMPONENTS of CRYPTOSYSTEMS:
Plaintext-space: P - a set of plaintexts over an alphabet
Cryptotext-space: C - a set of cryptotexts (ciphertexts) over alphabet A
Key-space: K - a set of keys
Each key k determines an encryption algorithm $e_k$ and a decryption algorithm $d_k$ such that, for any plaintext w, $e_k(w)$ is the corresponding cryptotext and $w \in d_k(e_k(w))$ or $w = d_k(e_k(w))$.
Note: As encryption algorithms we can use also randomized algorithms.

100 - 42 B.C., CAESAR CRYPTOSYSTEM - SHIFT CIPHER I
CAESAR can be used to encrypt words in any alphabet. In order to encrypt words in the English alphabet we use:
Key-space: {0, 1, ..., 25}
An encryption algorithm $e_k$ substitutes any letter by the letter occurring k positions ahead (cyclically) in the alphabet.
A decryption algorithm $d_k$ substitutes any letter by the one occurring k positions backward (cyclically) in the alphabet.

100 - 42 B.C., CAESAR CRYPTOSYSTEM - SHIFT CIPHER II
Example: $e_2$(EXAMPLE) = GZCOSNG, $e_3$(EXAMPLE) = HADPTOH, $e_1$(HAL) = IBM, $e_3$(COLD) = FROG
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Example: Find the plaintext to the following cryptotext obtained by encryption with CAESAR with k = ?.
Cryptotext: VHFUHW GH GHXA, VHFUHW GH GLHX, VHFUHW GH WURLV, VHFUHW GH WRXV.
The numerical version of CAESAR is defined on the set {0, 1, 2, ..., 25} by the encryption algorithm: $e_k(i) = (i + k) \bmod 26$

POLYBIOUS CRYPTOSYSTEM
for encryption of words of the English alphabet without J.
Key-space: Polybious checkerboards 5 × 5 with 25 English letters and with rows + columns labeled by symbols.
Encryption algorithm: Each symbol is substituted by the pair of symbols denoting the row and the column of the checkerboard in which the symbol is placed.
Example:
    F G H I J
A   A B C D E
B   F G H I K
C   L M N O P
D   Q R S T U
E   V W X Y Z
KONIEC → …
Decryption algorithm: ???
KERCKHOFF's PRINCIPLE
The philosophy of modern cryptanalysis is embodied in the following principle formulated in 1883 by Jean Guillaume Hubert Victor Francois Alexandre Auguste Kerckhoffs von Nieuwenhof (1835 - 1903).
The security of a cryptosystem must not depend on keeping secret the encryption algorithm. The security should depend only on keeping secret the key.

REQUIREMENTS for GOOD CRYPTOSYSTEMS (Sir Francis R. Bacon (1561 - 1626))
1. Given $e_k$ and a plaintext w, it should be easy to compute $c = e_k(w)$.
2. Given $d_k$ and a cryptotext c, it should be easy to compute $w = d_k(c)$.
3. A cryptotext $e_k(w)$ should not be much longer than the plaintext w.
4. It should be unfeasible to determine w from $e_k(w)$ without knowing $d_k$.
5. The so-called avalanche effect should hold: a small change in the plaintext, or in the key, should lead to a big change in the cryptotext (i.e. a change of one bit of the plaintext should result in a change of all bits of the cryptotext, each with probability close to 0.5).
6. The cryptosystem should not be closed under composition, i.e. it is not the case that for every two keys $k_1, k_2$ there is a key k such that $e_k(w) = e_{k_1}(e_{k_2}(w))$.
7. The set of keys should be very large.

CRYPTANALYSIS ATTACKS I
The aim of cryptanalysis is to get as much information about the plaintext or the key as possible.
Main types of cryptanalytic attacks
1. Cryptotexts-only attack. The cryptanalysts get cryptotexts $c_1 = e_k(w_1), \ldots, c_n = e_k(w_n)$ and try to infer the key k or as many of the plaintexts $w_1, \ldots, w_n$ as possible.
2. Known-plaintexts attack (given are some pairs [plaintext, cryptotext]). The cryptanalysts know some pairs $w_i, e_k(w_i)$, $1 \le i \le n$, and try to infer k, or at least $w_{n+1}$ for a new cryptotext $e_k(w_{n+1})$.
3. Chosen-plaintexts attack (given are cryptotexts for some chosen plaintexts). The cryptanalysts choose plaintexts $w_1, \ldots, w_n$ to get cryptotexts $e_k(w_1), \ldots, e_k(w_n)$, and try to infer k or at least $w_{n+1}$ for a new cryptotext $c_{n+1} = e_k(w_{n+1})$. (For example, if they get temporary access to the encryption machinery.)

CRYPTANALYSIS ATTACKS II
4. Known-encryption-algorithm attack. The encryption algorithm $e_k$ is given and the cryptanalysts try to get the decryption algorithm $d_k$.
5. Chosen-cryptotext attack (given are plaintexts for some chosen cryptotexts). The cryptanalysts know some pairs $[c_i, d_k(c_i)]$, $1 \le i \le n$, where the cryptotexts $c_i$ have been chosen by the cryptanalysts. The aim is to determine the key. (For example, if the cryptanalysts get temporary access to the decryption machinery.)

WHAT CAN a BAD EVE DO?
Let us assume that a clever Alice sends an encrypted message to Bob. What can a bad enemy, usually called Eve (eavesdropper), do?
■ Eve can read (and try to decrypt) the message.
■ Eve can try to get the key that was used and then decrypt all messages encrypted with the same key.
■ Eve can change the message sent by Alice into another message, in such a way that Bob will have the feeling, after he gets the changed message, that it was a message from Alice.
■ Eve can pretend to be Alice and communicate with Bob, in such a way that Bob thinks he is communicating with Alice.
An eavesdropper can therefore be passive - Eve - or active - Mallot.

BASIC GOALS of BROADLY UNDERSTOOD CRYPTOGRAPHY
Confidentiality: Eve should not be able to decrypt the message Alice sends to Bob.
Data integrity: Bob wants to be sure that Alice's message has not been altered by Eve.
Authentication: Bob wants to be sure that only Alice could have sent the message he has received.
Non-repudiation: Alice should not be able to claim that she did not send messages that she has sent.
Anonymity: Alice does not want Bob to find out who sent the message.

HILL CRYPTOSYSTEM I
The cryptosystem presented in this slide was probably never used. In spite of that, this cryptosystem played an important role in the history of modern cryptography.
We describe the Hill cryptosystem for a fixed n and the English alphabet.
Key-space: The set of all matrices M of degree n with elements from the set {0, 1, ..., 25} such that $M^{-1} \bmod 26$ exists.
Plaintext + cryptotext space: English words of length n.
Encoding: For a word w let $c_w$ be the column vector of length n of the integer codes of the symbols of w. (A → 0, B → 1, C → 2, ...)
Encryption: $c_c = M c_w \bmod 26$
Decryption: $c_w = M^{-1} c_c \bmod 26$

HILL CRYPTOSYSTEM - EXAMPLE
Example
ABCDEFGHIJKLMNOPQRSTUVWXYZ
$M = \begin{pmatrix} 4 & 7 \\ 1 & 1 \end{pmatrix}, \qquad M^{-1} = \begin{pmatrix} 17 & 11 \\ 9 & 16 \end{pmatrix}$
Plaintext: w = LONDON
$c_{LO} = \begin{pmatrix} 11 \\ 14 \end{pmatrix}, \quad c_{ND} = \begin{pmatrix} 13 \\ 3 \end{pmatrix}, \quad c_{ON} = \begin{pmatrix} 14 \\ 13 \end{pmatrix}$
$M c_{LO} = \begin{pmatrix} 12 \\ 25 \end{pmatrix}, \quad M c_{ND} = \begin{pmatrix} 21 \\ 16 \end{pmatrix}, \quad M c_{ON} = \begin{pmatrix} 17 \\ 1 \end{pmatrix}$
Cryptotext: MZVQRB
Theorem: If $M = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix}$, then $M^{-1} = \frac{1}{\det M} \begin{pmatrix} a_{22} & -a_{12} \\ -a_{21} & a_{11} \end{pmatrix}$.
Proof: Exercise
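Hill encryption and decryption for n = 2 on the slide's key M, with the inverse computed from the Theorem above and the key-space condition (M⁻¹ mod 26 exists) checked explicitly; this is an added example, not code from the lecture notes.

```python
"""Hill cryptosystem for n = 2 over the English alphabet."""
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = 26

# The key from the slide; its inverse mod 26 must come out as [[17, 11], [9, 16]].
M = [[4, 7], [1, 1]]


def det2(m):
    return (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % MOD


def is_valid_key(m):
    """M is a key only if M^{-1} mod 26 exists, i.e. gcd(det M, 26) = 1."""
    return gcd(det2(m), MOD) == 1


def inverse2(m):
    """Theorem from the slide: M^{-1} = (1/det M) [[a22, -a12], [-a21, a11]] (mod 26)."""
    if not is_valid_key(m):
        raise ValueError("matrix is not invertible modulo 26")
    d_inv = pow(det2(m), -1, MOD)
    return [[(d_inv * m[1][1]) % MOD, (-d_inv * m[0][1]) % MOD],
            [(-d_inv * m[1][0]) % MOD, (d_inv * m[0][0]) % MOD]]


def mat_vec(m, v):
    return [(m[0][0] * v[0] + m[0][1] * v[1]) % MOD,
            (m[1][0] * v[0] + m[1][1] * v[1]) % MOD]


def encode_word(w):
    """c_w: column vector of integer codes, A -> 0, B -> 1, ..."""
    return [ALPHABET.index(ch) for ch in w]


def decode_vector(v):
    return "".join(ALPHABET[i] for i in v)


def hill_encrypt(plaintext, m):
    """Encryption c_c = M c_w mod 26, applied to consecutive blocks of n = 2 letters."""
    if len(plaintext) % 2:
        raise ValueError("plaintext length must be a multiple of n = 2")
    if not is_valid_key(m):
        raise ValueError("not a valid Hill key")
    blocks = (plaintext[i:i + 2] for i in range(0, len(plaintext), 2))
    return "".join(decode_vector(mat_vec(m, encode_word(b))) for b in blocks)


def hill_decrypt(cryptotext, m):
    """Decryption c_w = M^{-1} c_c mod 26 is encryption with the inverse key."""
    return hill_encrypt(cryptotext, inverse2(m))


if __name__ == "__main__":
    print(inverse2(M))                    # [[17, 11], [9, 16]]
    c = hill_encrypt("LONDON", M)
    print(c, hill_decrypt(c, M))          # MZVQRB LONDON
```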
SECRET-KEY (SYMMETRIC) CRYPTOSYSTEMS
A cryptosystem is called a secret-key cryptosystem if some secret piece of information - the key - has to be agreed first between any two parties that have, or want, to communicate through the cryptosystem. Example: CAESAR, HILL.
Another name is symmetric cryptosystem (cryptography).
Two basic types of secret-key cryptosystems
■ substitution based cryptosystems
■ transposition based cryptosystems
Two basic types of substitution cryptosystems
■ monoalphabetic cryptosystems - they use a fixed substitution - CAESAR, POLYBIOUS
■ polyalphabetic cryptosystems - the substitution keeps changing during the encryption
A monoalphabetic cryptosystem with letter-by-letter substitution is uniquely specified by a permutation of letters. (The number of permutations (keys) is 26!.)

AFFINE CRYPTOSYSTEMS
Example: An AFFINE cryptosystem is given by two integers $0 \le a, b \le 25$, $\gcd(a, 26) = 1$.
Encryption: $e_{a,b}(x) = (ax + b) \bmod 26$
Example: a = 3, b = 5, $e_{3,5}(x) = (3x + 5) \bmod 26$, $e_{3,5}(3) = 14$, $e_{3,5}(15) = 24$, i.e. $e_{3,5}(D) = O$, $e_{3,5}(P) = Y$
A B C D E F G H I J K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Decryption: $d_{a,b}(y) = a^{-1}(y - b) \bmod 26$

CRYPTANALYSIS
The basic cryptanalytic attack against monoalphabetic substitution cryptosystems begins with a frequency count: the number of occurrences of each letter in the cryptotext is counted. The distribution of letters in the cryptotext is then compared with some official distribution of letters in the plaintext language. The letter with the highest frequency in the cryptotext is likely to be the substitute for the letter with the highest frequency in the plaintext language, and so on. The likelihood grows with the length of the cryptotext.
Frequency counts in English (%):
E 12.31   L 4.03   B 1.62
T  9.59   D 3.65   G 1.61
A  8.05   C 3.20   V 0.93
O  7.94   U 3.10   K 0.52
N  7.19   P 2.29   Q 0.20
I  7.18   F 2.28   X 0.20
S  6.59   M 2.25   J 0.10
R  6.03   W 2.03   Z 0.09
H  5.14   Y 1.88
  70.02     24.71     5.27
and for other languages (%):
English   German    Finnish   French    Italian   Spanish
E 12.31   E 18.46   A 12.06   E 15.87   E 11.79   E 13.15
T  9.59   N 11.42   I 10.59   A  9.42   A 11.74   A 12.69
A  8.05   I  8.02   T  9.76   I  8.41   I 11.28   O  9.49
O  7.94   R  7.14   N  8.64   S  7.90   O  9.83   S  7.60
N  7.19   S  7.04   E  8.11   T  7.29   N  6.88   N  6.95
I  7.18   A  5.38   S  7.83   N  7.15   L  6.51   R  6.25
S  6.59   T  5.22   L  5.86   R  6.46   R  6.37   I  6.25
R  6.03   U  5.01   O  5.54   U  6.24   T  5.62   L  5.94
H  5.14   D  4.94   K  5.20   L  5.34   S  4.98   D  5.58
The 20 most common digrams are (in decreasing order) TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS.
The six most common trigrams: THE, ING, AND, HER, ERE, ENT.

CRYPTANALYSIS of AFFINE CRYPTOSYSTEM - EXAMPLE
Cryptanalysis of a cryptotext encrypted using the AFFINE cryptosystem with an encryption algorithm $e_{a,b}(x) = (ax + b) \bmod 26 = (xa + b) \bmod 26$ where $0 \le a, b \le 25$, $\gcd(a, 26) = 1$. (Number of keys: 12 × 26 = 312.)
Example: Assume that an English plaintext is divided into blocks of 5 letters and encrypted by an AFFINE cryptosystem (ignoring spaces and punctuation) as follows:
BHJUH NBULS VULRU SLYXH ONUUN BWNUA XUSNL
UYJSS WXRLK GNBON UUNBW SWXKX HKXDH UZDLK
XBHJU HBNUO NUMHU GSWHU XMBXR WXKXL UXBHJ
UHCXK XAXKZ SWKXX LKOLJ KCXLC MXONU UBVUL
RRWHS HBHJU HNBXM BXRWX KXNOZ LJBXX HBNFU
BHJUH LUSWX GLLKZ LJPHU ULSYX BJKXS WHSSW
XKXNB HBHJU HYXWN UGSWX GLLK
How to find the plaintext?

CRYPTANALYSIS - CONTINUATION I
Frequency analysis of the cryptotext and the frequency table for English:
X 32   J 11   D 2
U 30   O  6   V 2
H 23   R  6   F 1
B 19   G  5   P 1
L 19   M  4   E 0
N 16   Y  4   I 0
K 15   Z  4   Q 0
S 15   C  3   T 0
W 14   A  2
(English frequency table as above: E 12.31, T 9.59, A 8.05, O 7.94, N 7.19, I 7.18, S 6.59, R 6.03, H 5.14, ...)
First guess: E = X, T = U
Equations ($xa + b = y$):
$4a + b \equiv 23 \pmod{26}$
$19a + b \equiv 20 \pmod{26}$
Solutions: a = 5, b = 3, and therefore $a^{-1} = 21$.
Translation table
crypto: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
plain:  P K F A V Q L G B W R M H C X S N I D Y T O J E Z U
provides from the above cryptotext the plaintext that starts with KGWTG CKTMO OTMIT DMZEG, which does not make sense.

CRYPTANALYSIS - CONTINUATION II
Second guess: E = X, A = H
Equations
$4a + b \equiv 23 \pmod{26}$
$b \equiv 7 \pmod{26}$
Solutions: a = 4 or a = 17, and therefore a = 17.
This gives the translation table
crypto: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
plain:  V S P M J G D A X U R O L I F C Z W T Q N K H E B Y
and the following plaintext from the above cryptotext:
SAUNA IS NOT KNOWN TO BE A FINNISH INVENTION BUT THE WORD IS FINNISH THERE ARE MANY MORE SAUNAS IN FINLAND THAN ELSEWHERE ONE SAUNA PER EVERY THREE OR FOUR PEOPLE FINNS KNOW WHAT A SAUNA IS ELSEWHERE IF YOU SEE A SIGN SAUNA ON THE DOOR YOU CANNOT BE SURE THAT THERE IS A SAUNA BEHIND THE DOOR

EXAMPLES of MONOALPHABETIC CRYPTOSYSTEMS
Symbols of the English alphabet will be replaced by squares with or without points and with or without surrounding lines using the following rule:
[figure: the key grids, grouping the letters A B C / D E F / G H I, J K L / M N O / P Q R, S T U / V W X / Y Z]
For example the plaintext: WE TALK ABOUT FINNISH SAUNA MANY TIMES LATER
results in the cryptotext: [figure: a row of square symbols]
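The affine encryption and decryption and the two guesses of the frequency-count attack above, run on the slide's cryptotext, as an added example (not code from the lecture notes); the key solver enumerates the 12 admissible values of a so that the non-invertible case of the second guess (a = 4 or a = 17) comes out as on the slide.

```python
"""AFFINE cryptosystem e_{a,b}(x) = (ax + b) mod 26 and the frequency-count attack."""
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = 26

# The cryptotext from the slide, 234 letters in blocks of 5.
CRYPTOTEXT = (
    "BHJUH NBULS VULRU SLYXH ONUUN BWNUA XUSNL UYJSS WXRLK GNBON UUNBW "
    "SWXKX HKXDH UZDLK XBHJU HBNUO NUMHU GSWHU XMBXR WXKXL UXBHJ UHCXK "
    "XAXKZ SWKXX LKOLJ KCXLC MXONU UBVUL RRWHS HBHJU HNBXM BXRWX KXNOZ "
    "LJBXX HBNFU BHJUH LUSWX GLLKZ LJPHU ULSYX BJKXS WHSSW XKXNB HBHJU "
    "HYXWN UGSWX GLLK"
).replace(" ", "")


def to_num(ch):
    return ALPHABET.index(ch)


def to_chr(n):
    return ALPHABET[n % MOD]


def affine_encrypt(text, a, b):
    """e_{a,b}(x) = (ax + b) mod 26 letter by letter; a must be invertible mod 26."""
    if gcd(a, MOD) != 1:
        raise ValueError("a must be coprime to 26")
    return "".join(to_chr(a * to_num(ch) + b) for ch in text)


def affine_decrypt(text, a, b):
    """d_{a,b}(y) = a^{-1}(y - b) mod 26."""
    a_inv = pow(a, -1, MOD)
    return "".join(to_chr(a_inv * (to_num(ch) - b)) for ch in text)


def translation_table(a, b):
    """Plaintext letter for each cryptotext letter A..Z (the slide's translation table)."""
    return affine_decrypt(ALPHABET, a, b)


def frequency_count(text):
    """Letter counts, most frequent first: the starting point of the attack."""
    return Counter(text).most_common()


def solve_affine(guesses):
    """Solve a*p + b = c (mod 26) for two guessed (plaintext letter, cryptotext letter) pairs.

    Returns every key (a, b) with gcd(a, 26) = 1 that fits both pairs. Trying the 12
    admissible a avoids dividing by p1 - p2, which need not be invertible mod 26: for
    the guess E = X, A = H the equation 4a = 16 has a = 4 and a = 17, and only a = 17
    survives the gcd condition."""
    (p1, c1), (p2, c2) = [(to_num(p), to_num(c)) for p, c in guesses]
    keys = []
    for a in range(1, MOD):
        if gcd(a, MOD) != 1:
            continue
        b = (c1 - a * p1) % MOD
        if (a * p2 + b) % MOD == c2:
            keys.append((a, b))
    return keys


if __name__ == "__main__":
    print(frequency_count(CRYPTOTEXT)[:4])           # X 32, U 30, H 23, then B 19
    for guess in ([("E", "X"), ("T", "U")], [("E", "X"), ("A", "H")]):
        for a, b in solve_affine(guess):
            print(guess, "->", (a, b), translation_table(a, b))
            print(affine_decrypt(CRYPTOTEXT, a, b)[:20])
```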
Secret-key cryptosystems 1%1/616 EXAMPLES of MONOALPHABETIC CRYPTOSYSTEMS Symbols of the English alphabet will be replaced by squares with or without points and with or without surrounding lines using the following rule: A: B: C: J- K- L- S T U D: E: F: M- N- O- V W X G: H: I: P- Q- R- Y Z For example the plaintext: WE TALK ABOUT FINNISH SAUNA MANY TIMES LATER results in the cryptotext: □□UJLUJUELUHr □□tjhjjld nurzimjLJumr Garbage in between method: the message (plaintext or cryptotext) is supplemented by "garbage letters". Richelieu cryptosystem used sheets of card board with holes. I LOVE YOU I HAVE YOU DEEP UNDER MY SKIN MY LOVE LASTS FOREVER IN HYPERSPACE 123456789 10 prof. Jozef Gruska IV054 4. Secret-key cryptosystems 151/616 POLYALPHABETIC SUBSTITUTION CRYPTOSYSTEMS I Playfair cryptosystem Invented around 1854 by Ch. Wheatstone. Key - a Playfair square is defined by a word w of length at most 25. In w repeated letters are then removed, remaining letters of alphabets (except j) are then added and resulting word is divided to form an 5 x 5 array (a Playfair square). prof. Jozef Gruska IV054 4. Secret-key cryptosystems 152/616 POLYALPHABETIC SUBSTITUTION CRYPTOSYSTEMS I Playfair cryptosystem Invented around 1854 by Ch. Wheatstone. Key - a Playfair square is defined by a word w of length at most 25. In w repeated letters are then removed, remaining letters of alphabets (except j) are then added and resulting word is divided to form an 5 x 5 array (a Playfair square). Encryption: of a pair of letters x, y T| If x and y are in the same row (column), then they are replaced by the pair of symbols to the right (bellow) them. ^ If x and y are in different rows and columns they are replaced by symbols in the opposite corners of rectangle created by x and y. the rder is important. prof. Jozef Gruska IV054 4. Secret-key cryptosystems 152/616 POLYALPHABETIC SUBSTITUTION CRYPTOSYSTEMS I Playfair cryptosystem Invented around 1854 by Ch. Wheatstone. 
Key - a Playfair square is defined by a word w of length at most 25. Repeated letters are removed from w, the remaining letters of the alphabet (except J) are appended, and the resulting word is divided to form a 5 x 5 array (a Playfair square).

Encryption of a pair of letters x, y:
1. If x and y are in the same row (column), they are replaced by the pair of symbols to the right of (below) them.
2. If x and y are in different rows and columns, they are replaced by the symbols in the opposite corners of the rectangle created by x and y; the order is important: x is replaced by the letter in the column of x and the row of y, and y by the letter in the column of y and the row of x (this is the convention of the example below).

Example: PLAYFAIR is encrypted as LCMNNFCS using the square

S D Z I U
H A F N G
B M V Y W
R P L C X
T O E K Q

Playfair was used in World War I by the British army.
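The Playfair rules above as code; this is an added example, not code from the lecture notes. The square is built from a keyword as described, or, as for the slide's square, given directly as its 25 letters. Two details the slide does not specify are assumed here and follow the usual Playfair convention: J is merged with I, and a doubled pair or an odd-length text is padded with X.

```python
"""Playfair: keyword-derived 5x5 square, digraph encryption and decryption."""
from string import ascii_uppercase

ALPHABET25 = ascii_uppercase.replace("J", "")   # 25 cells: J is dropped (merged with I)


def build_square(word):
    """Remove repeated letters from `word`, append the unused letters of the
    alphabet (J excluded) and lay the 25 letters out as a 5 x 5 array."""
    seen = []
    for ch in word.upper().replace("J", "I"):
        if ch in ALPHABET25 and ch not in seen:
            seen.append(ch)
    seen += [ch for ch in ALPHABET25 if ch not in seen]
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def _positions(square):
    return {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}


def _digraphs(text):
    """Split the plaintext into pairs. The slide does not say how a doubled pair or
    an odd length is handled; the usual convention, assumed here, inserts X between
    two equal letters and pads an odd-length text with X."""
    letters = [ch for ch in text.upper().replace("J", "I") if ch in ALPHABET25]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            pairs.append(a + "X")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(square, pair, step):
    """Apply the Playfair rule to one pair: step=+1 encrypts, step=-1 decrypts."""
    pos = _positions(square)
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                  # same row: letters to the right (left)
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:                                  # same column: letters below (above)
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    # Rectangle: x takes the letter in its own column and y's row, y the one in its
    # own column and x's row. This is the convention of the slide's PLAYFAIR ->
    # LCMNNFCS (AY -> MN, IR -> CS); it is its own inverse, so decryption reuses it.
    return square[r2][c1] + square[r1][c2]


def playfair_encrypt(plaintext, square):
    return "".join(_transform(square, pair, +1) for pair in _digraphs(plaintext))


def playfair_decrypt(cryptotext, square):
    pairs = [cryptotext[i:i + 2] for i in range(0, len(cryptotext), 2)]
    return "".join(_transform(square, pair, -1) for pair in pairs)


# The square printed on the slide, given directly as its 25 letters row by row.
SLIDE_SQUARE = build_square("SDZIUHAFNGBMVYWRPLCXTOEKQ")
```

Because the rectangle rule is an involution and the row/column rules are shifts by one, decryption is the same walk with the step reversed; that is also why the digraph structure (and not the letter frequencies) is what frequency analysis of Playfair has to target.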
POLYALPHABETIC SUBSTITUTION CRYPTOSYSTEMS II

VIGENERE and AUTOCLAVE cryptosystems

Several of the following polyalphabetic cryptosystems are modifications of the CAESAR cryptosystem. A 26 x 26 table is first designed with the first row containing a permutation of all symbols of the alphabet and all columns representing CAESAR shifts starting with the symbol of the first row. Secondly, for a plaintext w a key k is a word of the same length as w.

Encryption: the i-th letter of the plaintext, $w_i$, is replaced by the letter in the $w_i$-row and $k_i$-column of the table.

VIGENERE cryptosystem: a short keyword p is chosen and $k = \mathrm{Prefix}_{|w|}\, p^{\infty}$ (the keyword repeated and cut to the length of w). VIGENERE is actually a cyclic version of the CAESAR cryptosystem.

AUTOCLAVE cryptosystem: $k = \mathrm{Prefix}_{|w|}\, pw$ (the keyword followed by the plaintext itself, cut to the length of w).

POLYALPHABETIC SUBSTITUTION CRYPTOSYSTEMS III

VIGENERE and AUTOCLAVE cryptosystems

Example. The table (row A to row Z, each row a CAESAR shift of the previous one):

ABCDEFGHIJKLMNOPQRSTUVWXYZ
BCDEFGHIJKLMNOPQRSTUVWXYZA
CDEFGHIJKLMNOPQRSTUVWXYZAB
DEFGHIJKLMNOPQRSTUVWXYZABC
EFGHIJKLMNOPQRSTUVWXYZABCD
FGHIJKLMNOPQRSTUVWXYZABCDE
GHIJKLMNOPQRSTUVWXYZABCDEF
HIJKLMNOPQRSTUVWXYZABCDEFG
IJKLMNOPQRSTUVWXYZABCDEFGH
JKLMNOPQRSTUVWXYZABCDEFGHI
KLMNOPQRSTUVWXYZABCDEFGHIJ
LMNOPQRSTUVWXYZABCDEFGHIJK
MNOPQRSTUVWXYZABCDEFGHIJKL
NOPQRSTUVWXYZABCDEFGHIJKLM
OPQRSTUVWXYZABCDEFGHIJKLMN
PQRSTUVWXYZABCDEFGHIJKLMNO
QRSTUVWXYZABCDEFGHIJKLMNOP
RSTUVWXYZABCDEFGHIJKLMNOPQ
STUVWXYZABCDEFGHIJKLMNOPQR
TUVWXYZABCDEFGHIJKLMNOPQRS
UVWXYZABCDEFGHIJKLMNOPQRST
VWXYZABCDEFGHIJKLMNOPQRSTU
WXYZABCDEFGHIJKLMNOPQRSTUV
XYZABCDEFGHIJKLMNOPQRSTUVW
YZABCDEFGHIJKLMNOPQRSTUVWX
ZABCDEFGHIJKLMNOPQRSTUVWXY

Keyword: HAMBURG

Plaintext:            INJEDEMMENSCHENGESICHTESTEHTSEINEG
Vigenere key:         HAMBURGHAMBURGHAMBURGHAMBURGHAMBUR
Autoclave key:        HAMBURGINJEDEMMENSCHENGESICHTESTEH
Vigenere cryptotext:  PNVFXVSTEZTWYKUGQTCTNAEEUYYZZEUOYX
Autoclave cryptotext: PNVFXVSURWWFLQZKRKKJLGKWLMJALIAGIN

CRYPTANALYSIS of cryptotexts produced by the VIGENERE cryptosystem

Task 1 - to find the length of the key

Kasiski method (1852) - invented also by Charles Babbage (1853).
Basic observation: If a subword of a plaintext is repeated at a distance that is a multiple of the length of the key, then the corresponding subwords of the cryptotext are the same.

Example, cryptotext:

CHRGQPWOEIRULYANDOSHCHRIZKEBUSNOFKYWROPDCHRKGAXBNRHROAKERBKSCHRIWK

Substring "CHR" occurs in positions 1, 21, 41, 66: expected keyword length is therefore 5.

Method. Determine the greatest common divisor of the distances between identical subwords (of length 3 or more) of the cryptotext.

Friedman method

Let $n_i$ be the number of occurrences of the i-th letter in the cryptotext, let l be the length of the keyword and let n be the length of the cryptotext. Then it holds

$$l \approx \frac{0.027\,n}{(n-1)\,I - 0.038\,n + 0.065}, \qquad \text{where} \qquad I = \sum_{i=1}^{26} \frac{n_i\,(n_i - 1)}{n\,(n-1)}.$$

Once the length of the keyword is found it is easy to determine the key using the statistical (frequency analysis) method of analyzing monoalphabetic cryptosystems.

DERIVATION of the FRIEDMAN METHOD I

1. Let $n_i$ be the number of occurrences of the i-th alphabet symbol in a text of length n. The probability that if one selects a pair of symbols from the text, then they are the same is

$$I = \sum_{i=1}^{26} \frac{n_i\,(n_i - 1)}{n\,(n-1)} = \frac{\sum_{i=1}^{26} \binom{n_i}{2}}{\binom{n}{2}}$$

and it is called the index of coincidence.

2. Let $p_i$ be the probability that a randomly chosen symbol is the i-th symbol of the alphabet.
The probability that two randomly chosen symbols are the same is $\sum_{i=1}^{26} p_i^2$. For English text one has $\sum_{i=1}^{26} p_i^2 \approx 0.065$. For a randomly chosen text $\sum_{i=1}^{26} p_i^2 = 26 \cdot \frac{1}{26^2} = \frac{1}{26} \approx 0.038$. Approximately, $I \approx \sum_{i=1}^{26} p_i^2$.

DERIVATION of the FRIEDMAN METHOD II

Assume that a cryptotext is organized into l columns headed by the letters $S_1, S_2, \dots, S_l$ of the keyword:

$S_1 \quad S_2 \quad S_3 \quad \dots \quad S_l$
$x_1 \quad x_2 \quad x_3 \quad \dots \quad x_l$
$x_{l+1} \quad x_{l+2} \quad x_{l+3} \quad \dots \quad x_{2l}$
$x_{2l+1} \quad x_{2l+2} \quad x_{2l+3} \quad \dots \quad x_{3l}$
$\dots$

First observation: each column is obtained using the CAESAR cryptosystem. The probability that two randomly chosen letters are the same is 0.065 if they are in the same column and 0.038 if they are in different columns.

The number of pairs of letters in the same column: $l \cdot \frac{1}{2} \cdot \frac{n}{l}\left(\frac{n}{l} - 1\right) = \frac{n\,(n-l)}{2l}$.

The number of pairs of letters in different columns: $\frac{l\,(l-1)}{2} \cdot \frac{n^2}{l^2} = \frac{n^2\,(l-1)}{2l}$.

The expected number A of pairs of equal letters is

$$A = \frac{n\,(n-l)}{2l} \cdot 0.065 + \frac{n^2\,(l-1)}{2l} \cdot 0.038.$$

Since

$$I = \frac{A}{\binom{n}{2}} = \frac{0.027\,n + l\,(0.038\,n - 0.065)}{l\,(n-1)},$$

solving for l gives the formula from the previous slide.
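The VIGENERE and AUTOCLAVE example and both key-length tests, as an added example that is not part of the lecture notes. The encryption functions reproduce the HAMBURG table above. The Kasiski function is run on the example cryptotext exactly as printed above, which in this transcription has 66 letters: the repeated trigram CHR is found at positions 1, 21, 41 and 61 (counted from 1; the slide's fourth position 66 implies a text five letters longer than the one printed here) and HRI at 22 and 62, so the gcd of the distances is 20. That is a multiple of the true key length 5, not the length itself, which is the practical caveat of the method: with few repeats Kasiski yields only a multiple, and the divisors (here 1, 2, 4, 5, 10, 20) have to be tried with frequency analysis. Friedman's formula on a 66-letter text comes out near 2.1, which shows how noisy the estimate is on short cryptotexts; the code keeps the index of coincidence as an exact fraction so that the formula's inputs can be checked.

```python
"""VIGENERE / AUTOCLAVE encryption and the Kasiski and Friedman key-length tests."""
from collections import Counter, defaultdict
from fractions import Fraction
from functools import reduce
from math import gcd
from string import ascii_uppercase

A2I = {ch: i for i, ch in enumerate(ascii_uppercase)}


def _letters(text):
    return "".join(ch for ch in text.upper() if ch in A2I)


def _shift(ch, key_ch, sign):
    """CAESAR shift of `ch` by the key letter: sign=+1 encrypts, -1 decrypts."""
    return ascii_uppercase[(A2I[ch] + sign * A2I[key_ch]) % 26]


def vigenere_key(keyword, length):
    """k = Prefix_length(p^inf): the keyword repeated and cut to `length`."""
    p = _letters(keyword)
    return (p * (length // len(p) + 1))[:length]


def vigenere_encrypt(plaintext, keyword):
    w = _letters(plaintext)
    return "".join(_shift(a, b, +1) for a, b in zip(w, vigenere_key(keyword, len(w))))


def vigenere_decrypt(cryptotext, keyword):
    c = _letters(cryptotext)
    return "".join(_shift(a, b, -1) for a, b in zip(c, vigenere_key(keyword, len(c))))


def autoclave_encrypt(plaintext, keyword):
    """k = Prefix_|w|(p w): the keyword followed by the plaintext itself."""
    w = _letters(plaintext)
    k = (_letters(keyword) + w)[:len(w)]
    return "".join(_shift(a, b, +1) for a, b in zip(w, k))


def autoclave_decrypt(cryptotext, keyword):
    c = _letters(cryptotext)
    k, out = list(_letters(keyword)), []
    for i, ch in enumerate(c):
        out.append(_shift(ch, k[i], -1))
        k.append(out[-1])          # each recovered plaintext letter extends the key
    return "".join(out)


def kasiski(cryptotext, n=3):
    """0-based positions of every n-gram occurring more than once, and the gcd of the
    distances between consecutive occurrences (a multiple of the key length)."""
    c = _letters(cryptotext)
    where = defaultdict(list)
    for i in range(len(c) - n + 1):
        where[c[i:i + n]].append(i)
    repeats = {g: pos for g, pos in where.items() if len(pos) > 1}
    distances = [q - p for pos in repeats.values() for p, q in zip(pos, pos[1:])]
    return repeats, reduce(gcd, distances, 0)


def index_of_coincidence(text):
    """I = sum_i n_i (n_i - 1) / (n (n - 1)), exactly, as a Fraction."""
    c = _letters(text)
    n = len(c)
    return Fraction(sum(m * (m - 1) for m in Counter(c).values()), n * (n - 1))


def friedman_key_length(text):
    """l ~ 0.027 n / ((n - 1) I - 0.038 n + 0.065), with 0.065 and 0.038 the English
    and uniform values of sum p_i^2 used in the derivation above."""
    n = len(_letters(text))
    ic = float(index_of_coincidence(text))
    return 0.027 * n / ((n - 1) * ic - 0.038 * n + 0.065)


# The Kasiski example cryptotext as printed above (66 letters in this transcription).
KASISKI_CRYPTOTEXT = ("CHRGQPWOEIRULYANDOSHCHRIZKEBUSNOFKYWROPD"
                      "CHRKGAXBNRHROAKERBKSCHRIWK")
```

Autoclave decryption has to be sequential because each key letter beyond the keyword is a plaintext letter recovered one step earlier; a wrong guess of the keyword therefore corrupts every later letter, which is what makes the keyword, and not the whole key, the target of an attack on AUTOCLAVE.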
ONE-TIME PAD CRYPTOSYSTEM - Vernam's cipher

Binary case: plaintext w, key k and cryptotext c are binary words of the same length.

Encryption: $c = w \oplus k$
Decryption: $w = c \oplus k$

Example:
w = 101101011
k = 011011010
c = 110110001

What happens if the same key is used twice or three times for encryption?

$c_1 = w_1 \oplus k, \quad c_2 = w_2 \oplus k, \quad c_3 = w_3 \oplus k$

$c_1 \oplus c_2 = w_1 \oplus w_2, \quad c_1 \oplus c_3 = w_1 \oplus w_3, \quad c_2 \oplus c_3 = w_2 \oplus w_3$

The key cancels out: the XOR of any two plaintexts is exposed to anyone who sees the cryptotexts, and knowledge (or a good guess) of a part of one plaintext reveals the corresponding part of the other.
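The one-time pad and the key-reuse leak above, as an added example that is not from the lecture notes. It reproduces the slide's bit-string example, does the same on bytes with a pad from the operating system's random generator, and then shows the two-time-pad failure: the XOR of the two cryptotexts equals the XOR of the two plaintexts, one known plaintext yields the other, and a guessed fragment (a "crib") can be dragged along the XOR to locate readable text. The two sample messages are constructed for the example.

```python
"""ONE-TIME PAD: XOR encryption on bit strings (the slide's notation) and on bytes,
and what leaks when one key is used twice."""
import os


def xor_bits(a, b):
    """Bitwise XOR of two equal-length strings over {'0','1'}."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("operands must be binary strings of the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length):
    """A fresh pad: uniformly random bytes from the OS CSPRNG, to be used once."""
    return os.urandom(length)


def otp_encrypt(w, k):          # c = w XOR k
    return xor_bytes(w, k)


def otp_decrypt(c, k):          # w = c XOR k
    return xor_bytes(c, k)


def two_time_pad_leak(c1, c2):
    """With the same k used twice, c1 XOR c2 = w1 XOR w2: the pad cancels out."""
    return xor_bytes(c1, c2)


def recover_other_message(c1, c2, known_w1):
    """Knowing one of the two plaintexts exposes the other one completely."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_w1)


def crib_drag(leak, crib):
    """Slide a guessed fragment of one plaintext along w1 XOR w2; offsets where the
    result is printable text are candidate positions and reveal that much of the
    other plaintext."""
    hits = []
    for off in range(len(leak) - len(crib) + 1):
        cand = xor_bytes(leak[off:off + len(crib)], crib)
        if all(32 <= byte < 127 for byte in cand):
            hits.append((off, cand.decode("ascii")))
    return hits


# Constructed sample messages of equal length (not from the slides).
W1 = b"ATTACK AT DAWN!"
W2 = b"RETREAT AT ONCE"


def demo_two_time_pad():
    """Encrypt both messages under one pad and return what an observer can learn."""
    k = otp_keygen(len(W1))
    c1, c2 = otp_encrypt(W1, k), otp_encrypt(W2, k)
    leak = two_time_pad_leak(c1, c2)
    return leak == xor_bytes(W1, W2), recover_other_message(c1, c2, W1), crib_drag(leak, b"ATTACK")
```

The length check in `xor_bytes` is deliberate: silently truncating to the shorter operand (as `zip` would) is exactly how a pad ends up shorter than the message, which is the same failure as reusing it.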
PERFECT SECRET-KEY CRYPTOSYSTEMS

By Shannon, a cryptosystem is perfect if the knowledge of the cryptotext provides no information whatsoever about its plaintext (with the exception of its length).

It follows from Shannon's results that perfect secrecy is possible only if the key space is at least as large as the plaintext space. In addition, a key has to be as long as the plaintext and the same key should not be used twice.
An example of a perfect cryptosystem: the ONE-TIME PAD cryptosystem (Gilbert S. Vernam (1917) - AT&T + Major Joseph Mauborgne).

If used with the English alphabet, it is simply the polyalphabetic substitution cryptosystem of VIGENERE with the key being a uniformly random string of letters of the same length as the plaintext.

Proof of perfect secrecy: by the proper choice of the key any plaintext of the same length could produce the given cryptotext, and with a uniformly random key each of them does so with the same probability.

Did we gain something? The problem of secure communication of the plaintext got transformed into the problem of secure communication of a key of the same length.

Yes:
1. The ONE-TIME PAD cryptosystem is used in critical applications.
2. It suggests an idea how to construct practically secure cryptosystems.

TRANSPOSITION CRYPTOSYSTEMS

The basic idea is very simple: permute the plaintext to get the cryptotext. Less clear is how to specify and perform permutations efficiently.

One idea: choose n, write the plaintext into rows with n symbols in each row, and then read it by columns to get the cryptotext.

Example (the grid shown on the slide, the plaintext written row by row):
I N J E D E M M E N S C H E N G E S I C H T E S T E H T S E I N E G E S C H I C H T E T O J E O N O

Cryptotexts obtained by transpositions, called anagrams, were popular among scientists of the 17th century. They were used also to encrypt scientific findings. Newton wrote to Leibniz

a7c2d2e14f2i7l3m1n8o4q3r2s4t8v12x1

which stands for: "data aequatione quodcumque fluentes quantitates involvente, fluxiones invenire et vice versa"

Example: a2cdef3g2i2jkmn3o5prs2t2u3z
Solution:

KEYWORD CAESAR CRYPTOSYSTEM

Choose an integer 0 ≤ k ≤ 25 and a string, called keyword, of length at most 25 with all letters different. The keyword is then written below the English alphabet letters, beginning with the k-th symbol, and the remaining letters are written in alphabetic order and cyclically after the keyword.
Example: keyword HOW MANY ELKS, k = 8 (the keyword starts under the letter in position 8, I):

plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
crypto: P Q R T U V X Z H O W M A N Y E L K S B C D F G I J

KEYWORD CAESAR - Example I

Example. Decrypt the following cryptotext encrypted using the KEYWORD CAESAR and determine the keyword and k:

T IVD ZCRTIC FQNIQ TU TF Q XAVFCZ FEQXC PCQUCZ WK Q FUVBC FNRRTXTCIUAK WTY DTUP MCFECXU UV UPC BVANHC VR UPC FEQXC UPC FUVBC XVIUQTIF FUVICF NFNQAAK VI UPC UVE UV UQGC Q FQNIQ WQUP TU TF QAFV ICXCFFQMK UPQU UPC FUVBC TF EMVECMAK PCQUCZ QIZ UPQU KVN PQBC UPC RQXTATUK VR UPMVDTIY DQUCM VI UPC FUVICF

KEYWORD CAESAR - Example II

Step 1. Make the frequency counts:

Letter  Count     Letter  Count     Letter  Count
U       32        X       8         W       3
C       31        K       7         Y       2
Q       23        N       7         G       1
F       22        E       6         H       1
V       20        M       6         J       0
P       15        R       6         L       0
T       15        B       5         O       0
I       14        Z       5         S       0
A       8         D       4
180 = 74.69%      54 = 22.41%       7 = 2.90%

Step 2. The cryptotext contains two one-letter words, T and Q. They must be A and I. Since T occurs once and Q three times, it is likely that T is I and Q is A. The three-letter word UPC occurs 7 times and all other 3-letter words occur only once. Hence UPC is likely to be THE.
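The KEYWORD CAESAR construction and Steps 1 and 2 of the cryptanalysis above, as code. This is an added example and not part of the lecture notes: it builds the cipher alphabet for HOW MANY ELKS with k = 8, counts letters and word lengths of the example cryptotext (embedded with the word boundaries used in the analysis), and applies a partial crypto-to-plain table of the kind the analysis produces, leaving still-unknown letters as "?". The partial table embedded at the end is the one the example arrives at after the remaining guesses; it is included so that the substitution step can be checked against the full text.

```python
"""KEYWORD CAESAR: table construction, and the first cryptanalysis steps
(letter frequencies, word-length statistics, partial substitution)."""
from collections import Counter
from string import ascii_uppercase


def keyword_caesar_alphabet(keyword, k):
    """Cipher alphabet: the keyword (distinct letters) is written under the plain
    alphabet starting at position k; the unused letters follow in alphabetical
    order, cyclically."""
    key = [ch for ch in keyword.upper() if ch in ascii_uppercase]
    if len(set(key)) != len(key) or not 0 <= k <= 25:
        raise ValueError("keyword letters must be distinct and 0 <= k <= 25")
    rest = [ch for ch in ascii_uppercase if ch not in key]
    table = [None] * 26
    for i, ch in enumerate(key + rest):
        table[(k + i) % 26] = ch
    return "".join(table)


def keyword_caesar_encrypt(text, keyword, k):
    alpha = keyword_caesar_alphabet(keyword, k)
    return "".join(alpha[ascii_uppercase.index(ch)] if ch in ascii_uppercase else ch
                   for ch in text.upper())


def keyword_caesar_decrypt(text, keyword, k):
    alpha = keyword_caesar_alphabet(keyword, k)
    return "".join(ascii_uppercase[alpha.index(ch)] if ch in ascii_uppercase else ch
                   for ch in text.upper())


def letter_frequencies(cryptotext):
    """Step 1: how often each letter occurs (Counter.most_common() sorts them)."""
    return Counter(ch for ch in cryptotext.upper() if ch in ascii_uppercase)


def word_statistics(cryptotext, length):
    """Step 2: how often each word of the given length occurs."""
    return Counter(w for w in cryptotext.upper().split() if len(w) == length)


def apply_partial_key(cryptotext, crypto_to_plain):
    """Substitute the letters guessed so far; unknown letters become '?'."""
    return "".join(crypto_to_plain.get(ch, "?") if ch in ascii_uppercase else ch
                   for ch in cryptotext.upper())


# The example cryptotext of the slide, with its word boundaries.
CRYPTOTEXT = ("T IVD ZCRTIC FQNIQ TU TF Q XAVFCZ FEQXC PCQUCZ WK Q FUVBC FNRRTXTCIUAK WTY DTUP "
              "MCFECXU UV UPC BVANHC VR UPC FEQXC UPC FUVBC XVIUQTIF FUVICF NFNQAAK VI UPC UVE "
              "UV UQGC Q FQNIQ WQUP TU TF QAFV ICXCFFQMK UPQU UPC FUVBC TF EMVECMAK PCQUCZ QIZ "
              "UPQU KVN PQBC UPC RQXTATUK VR UPMVDTIY DQUCM VI UPC FUVICF")

# The crypto -> plain table the example ends with ('?' marks letters never seen).
SLIDE_PARTIAL_KEY = {c: p for c, p in zip(ascii_uppercase, "LVEWPSKMN?Y?RU?HAF?ITOBCGD")
                     if p != "?"}


if __name__ == "__main__":
    print(keyword_caesar_alphabet("HOWMANYELKS", 8))        # PQRTUVXZHOWMANYELKSBCDFGIJ
    print(letter_frequencies(CRYPTOTEXT).most_common(5))    # U, C, Q, F, V first
    print(word_statistics(CRYPTOTEXT, 1), word_statistics(CRYPTOTEXT, 3)["UPC"])
    print(apply_partial_key(CRYPTOTEXT, SLIDE_PARTIAL_KEY))
```

Counting words by length is the cheap step that frequency tables alone do not give: one-letter words in English are almost always A or I, and the most frequent three-letter word is almost always THE, which is what fixes T, Q, U, P and C here before any of the high-frequency letters is touched.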
Step 3. Let us now decrypt the remaining letters in the high-frequency group: F, V, I.
From the words TU, TF (IT, IS): F = S.
From UV (TO): V = O.
From VI (ON): I = N.

The result after the remaining guesses:

crypto: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
plain:  L V E W P S K M N ? Y ? R U ? H A F ? I T O B C G D

UNICITY DISTANCE of CRYPTOSYSTEMS

Redundancy of natural languages is of key importance for cryptanalysis. If all letters of a 26-symbol alphabet had the same probability, a character would carry lg 26 = 4.7 bits of information. The estimated average amount of information carried per letter in a meaningful English text is 1.5 bits.

The unicity distance of a cryptosystem is the minimum amount of cryptotext (number of letters) required for a computationally unlimited adversary to recover the unique encryption key.

Empirical evidence indicates that if any simple cryptosystem is applied to a meaningful English message, then about 25 cryptotext characters are enough for an experienced cryptanalyst to recover the plaintext.

ANAGRAMS - EXAMPLES

German:
IRI BRATER, GENF
FRANK PEKL, REGEN
PEER ASSSTIL, MELK
INGO DILMR, PEINE
EMIL REST, GERA
KARL SORDORT, PEINE
(Briefträgerin)

English (each word in the first line is an anagram of the word below it):
algorithms antagonist compressed coordinate creativity deductions descriptor impression introduces procedures
logarithms stagnation decompress decoration reactivity discounted predictors permission reductions reproduces

APPENDIX

STREAM CRYPTOSYSTEMS

Two basic types of cryptosystems are:
■ Block cryptosystems (Hill cryptosystem, ...) - they are used to encrypt simultaneously blocks of plaintext.
■ Stream cryptosystems (CAESAR, ONE-TIME PAD, ...) - they encrypt plaintext letter by letter, or block by block, using an encryption that may vary during the encryption process.

Stream cryptosystems are more appropriate in some applications (telecommunication), are usually simpler to implement (also in hardware), are usually faster and usually have no error propagation (which is of importance when transmission errors are highly probable).

Two basic types of stream cryptosystems: secret-key cryptosystems (ONE-TIME PAD) and public-key cryptosystems (Blum-Goldwasser).

Block versus stream cryptosystems

In block cryptosystems the same key is used to encrypt an arbitrarily long plaintext block by block (after dividing each long plaintext w into a sequence of subplaintexts (blocks) $w_1 w_2 w_3 \dots$). In stream cryptosystems each block is encrypted using a different key.

■ The fixed key k is used to encrypt all blocks. In such a case the resulting cryptotext has the form $c = c_1 c_2 c_3 \dots = e_k(w_1)\, e_k(w_2)\, e_k(w_3) \dots$
■ A stream of keys is used to encrypt the subplaintexts.
The basic idea is to generate a key-stream $K = k_1, k_2, k_3, \dots$ and then to compute the cryptotext as $c = c_1 c_2 c_3 \dots = e_{k_1}(w_1)\, e_{k_2}(w_2)\, e_{k_3}(w_3) \dots$

CRYPTOSYSTEMS WITH STREAMS OF KEYS

Various techniques are used to compute a sequence of keys. For example, given a key k,

$$k_i = f_i(k, k_1, k_2, \dots, k_{i-1}).$$

In such a case the encryption and decryption processes generate the following sequences:

Encryption: To encrypt the plaintext $w_1 w_2 w_3 \dots$ the sequence $k_1, c_1, k_2, c_2, k_3, c_3, \dots$ of keys and sub-cryptotexts is computed.
Decryption: To decrypt the cryptotext $c_1 c_2 c_3 \dots$ the sequence $k_1, w_1, k_2, w_2, k_3, w_3, \dots$ of keys and subplaintexts is computed.

EXAMPLES

A keystream is called synchronous if it is independent of the plaintext. The KEYWORD VIGENERE cryptosystem can be seen as an example of a synchronous keystream cryptosystem.

Another type of binary keystream cryptosystem is specified by an initial sequence of keys $k_1, k_2, k_3, \dots, k_m$ and a sequence of binary constants $b_0, b_1, b_2, \dots, b_{m-1}$; the remaining keys are computed using the rule

$$k_{i+m} = \sum_{j=0}^{m-1} b_j\, k_{i+j} \pmod 2.$$

A keystream is called periodic with period p if $k_{i+p} = k_i$ for all i.
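The linear recurrence above, as an added example that is not from the lecture notes. It generates the keystream for given initial keys and constants (the recurrence is what hardware calls a linear feedback shift register), measures the period by waiting for the m-bit state to recur, and then shows the standard weakness of such a keystream: because the rule is linear over GF(2), any 2m consecutive keystream bits (obtained, for instance, from a known plaintext XORed against its cryptotext) determine the constants by solving m linear equations, after which the whole stream is predictable. The parameters used in the checks, initial keys (1, 0, 0, 0) and constants (1, 1, 0, 0), are the rule $k_{i+4} = k_i \oplus k_{i+1}$ of the worked example on the page.

```python
"""A binary keystream from a linear recurrence (a linear feedback shift register):
generation, period, and recovery of the recurrence from 2m known keystream bits."""


def lfsr_keystream(initial, taps, count):
    """k_{i+m} = sum_{j=0}^{m-1} b_j k_{i+j} mod 2, seeded with the m bits `initial`
    (k_1..k_m on the slide; 0-based here) and constants taps = (b_0, ..., b_{m-1})."""
    m = len(initial)
    if len(taps) != m:
        raise ValueError("need one constant b_j per initial key bit")
    ks = list(initial)
    while len(ks) < count:
        window = ks[len(ks) - m:]
        ks.append(sum(b & k for b, k in zip(taps, window)) % 2)
    return ks[:count]


def lfsr_period(initial, taps):
    """Smallest p with k_{i+p} = k_i for all i: the first return of the m-bit state."""
    start = tuple(initial)
    state, p = list(initial), 0
    while True:
        state = state[1:] + [sum(b & k for b, k in zip(taps, state)) % 2]
        p += 1
        if tuple(state) == start:
            return p


def keystream_xor(bits, keystream):
    """Encryption and decryption are the same XOR, as for the one-time pad."""
    return [x ^ k for x, k in zip(bits, keystream)]


def _solve_gf2(rows, rhs):
    """Gauss-Jordan elimination over GF(2); returns None when the system is singular."""
    m = len(rows)
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def recover_taps(keystream, m):
    """Given 2m consecutive keystream bits and the recurrence length m, the m
    equations k_{i+m} = sum_j b_j k_{i+j}, i = 0..m-1, are linear in the constants
    and are solved directly; from then on the keystream is predictable, which is
    why a bare linear recurrence is not a secure keystream generator."""
    if len(keystream) < 2 * m:
        raise ValueError("need at least 2m keystream bits")
    rows = [keystream[i:i + m] for i in range(m)]
    rhs = [keystream[i + m] for i in range(m)]
    return _solve_gf2(rows, rhs)
```

The period found here, 15, is the maximum 2^m - 1 for m = 4 (the all-zero state is excluded, since it would generate zeros forever); a long period is necessary for a keystream but, as `recover_taps` shows, nowhere near sufficient.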
Example. Let the keystream be generated by the rule $k_{i+4} = k_i \oplus k_{i+1}$. If the initial sequence of keys is (1, 0, 0, 0), then we get the keystream 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, ... of period 15.

PERFECT SECRECY - BASIC CONCEPTS

Let P, K and C be the sets of plaintexts, keys and cryptotexts. Let $p_K(k)$ be the probability that the key k is chosen from K and let the a priori probability that the plaintext w is chosen be $p_P(w)$.

If for a key $k \in K$, $C(k) = \{e_k(w) \mid w \in P\}$, then for the probability $p_C(c)$ that c is the cryptotext that is transmitted it holds

$$p_C(c) = \sum_{\{k \,\mid\, c \in C(k)\}} p_K(k)\, p_P(d_k(c)).$$

For the conditional probability $p_C(c \mid w)$ that c is the cryptotext if w is the plaintext it holds

$$p_C(c \mid w) = \sum_{\{k \,\mid\, w = d_k(c)\}} p_K(k).$$

Using Bayes' conditional probability formula $p(y)\,p(x \mid y) = p(x)\,p(y \mid x)$ we get for the probability $p_P(w \mid c)$ that w is the plaintext if c is the cryptotext the expression

$$p_P(w \mid c) = \frac{p_P(w) \sum_{\{k \,\mid\, w = d_k(c)\}} p_K(k)}{\sum_{\{k \,\mid\, c \in C(k)\}} p_K(k)\, p_P(d_k(c))}.$$

PERFECT SECRECY - BASIC RESULTS

Definition. A cryptosystem has perfect secrecy if $p_P(w \mid c) = p_P(w)$ for all $w \in P$ and $c \in C$. (That is, the a posteriori probability that the plaintext is w, given that the cryptotext c is obtained, is the same as the a priori probability that the plaintext is w.)

Example. The CAESAR cryptosystem has perfect secrecy if any of the 26 keys is used with the same probability to encode any single symbol of the plaintext. Proof: Exercise.

An analysis of perfect secrecy: The condition $p_P(w \mid c) = p_P(w)$ for all $w \in P$ and $c \in C$ is equivalent to the condition $p_C(c \mid w) = p_C(c)$.

Let us now assume that $p_C(c) > 0$ for all $c \in C$. Fix $w \in P$.
For each $c \in C$ we have $p_C(c \mid w) = p_C(c) > 0$. Hence, for each $c \in C$ there must exist at least one key k such that $e_k(w) = c$. Consequently, $|K| \ge |C| \ge |P|$.

In the special case $|K| = |C| = |P|$, the following nice characterization of perfect secrecy can be obtained:

Theorem. A cryptosystem in which $|P| = |K| = |C|$ provides perfect secrecy if and only if every key is used with the same probability and for every $w \in P$ and every $c \in C$ there is a unique key k such that $e_k(w) = c$.

Proof: Exercise.
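The definitions and the theorem above checked numerically for the CAESAR example (one plaintext letter, 26 keys, so |P| = |K| = |C|). This is an added example and not part of the lecture notes: it evaluates $p_C(c)$, $p_C(c \mid w)$ and $p_P(w \mid c)$ exactly with rational arithmetic, first with every key equally likely, where the a posteriori distribution equals the a priori one for every cryptotext, and then with one key that is never chosen, where it does not. The skewed plaintext distribution is constructed for the example (it is not the English letter distribution); it is skewed on purpose, because a uniform plaintext would hide a broken key distribution.

```python
"""Checking perfect secrecy numerically, using the formulas for p_C(c), p_C(c|w) and
p_P(w|c) above, for CAESAR applied to a single plaintext letter."""
from fractions import Fraction
from string import ascii_uppercase

LETTERS = ascii_uppercase
KEYS = range(26)


def caesar_enc(w, k):
    return LETTERS[(LETTERS.index(w) + k) % 26]


def caesar_dec(c, k):
    return LETTERS[(LETTERS.index(c) - k) % 26]


def p_crypto(p_plain, p_key, c):
    """p_C(c) = sum over keys k of p_K(k) p_P(d_k(c)); every c is in C(k) here."""
    return sum(p_key[k] * p_plain[caesar_dec(c, k)] for k in KEYS)


def p_crypto_given_plain(p_key, c, w):
    """p_C(c|w) = sum of p_K(k) over the keys with e_k(w) = c."""
    return sum(p_key[k] for k in KEYS if caesar_enc(w, k) == c)


def posterior(p_plain, p_key, c):
    """p_P(w|c) = p_P(w) p_C(c|w) / p_C(c) for every plaintext letter w (Bayes)."""
    p_c = p_crypto(p_plain, p_key, c)
    return {w: p_plain[w] * p_crypto_given_plain(p_key, c, w) / p_c for w in LETTERS}


def is_perfect(p_plain, p_key):
    """Perfect secrecy: the a posteriori distribution equals the a priori one for
    every cryptotext c with p_C(c) > 0."""
    for c in LETTERS:
        if p_crypto(p_plain, p_key, c) == 0:
            continue
        if posterior(p_plain, p_key, c) != p_plain:
            return False
    return True


# Constructed, deliberately skewed plaintext distribution (not English frequencies):
# every letter 1/52, except E, which takes the remaining 27/52.
SKEWED_PLAIN = {w: Fraction(1, 52) for w in LETTERS}
SKEWED_PLAIN["E"] = Fraction(27, 52)

UNIFORM_KEYS = {k: Fraction(1, 26) for k in KEYS}     # the condition of the theorem
BIASED_KEYS = {k: Fraction(1, 25) for k in KEYS}       # key 25 is never chosen
BIASED_KEYS[25] = Fraction(0)
```

With the biased keys the cryptotext A can never come from the plaintext B (that would need the shift 25), so an observer seeing A rules B out: the a posteriori probability drops to zero, and secrecy is no longer perfect even though every other key is still used uniformly.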
PRODUCT CRYPTOSYSTEMS

A cryptosystem S = (P, K, C, e, d) with the sets of plaintexts P, keys K and cryptotexts C and encryption (decryption) algorithms e (d) is called endomorphic if P = C.

If $S_1 = (P, K_1, P, e^{(1)}, d^{(1)})$ and $S_2 = (P, K_2, P, e^{(2)}, d^{(2)})$ are endomorphic cryptosystems, then the product cryptosystem is

$$S_1 \otimes S_2 = (P, K_1 \times K_2, P, e, d),$$

where encryption is performed by the procedure $e_{(k_1, k_2)}(w) = e^{(2)}_{k_2}\big(e^{(1)}_{k_1}(w)\big)$ and decryption by the procedure $d_{(k_1, k_2)}(c) = d^{(1)}_{k_1}\big(d^{(2)}_{k_2}(c)\big)$.

Example (Multiplicative cryptosystem): Encryption: $e_a(w) = a\,w \bmod 26$; decryption: $d_a(c) = a^{-1} c \bmod 26$ (so a must satisfy gcd(a, 26) = 1). If M denotes the multiplicative cryptosystem, then clearly CAESAR ⊗ M is actually the AFFINE cryptosystem.

Exercise. Show that also M ⊗ CAESAR is actually the AFFINE cryptosystem.

Two cryptosystems $S_1$ and $S_2$ are called commutative if $S_1 \otimes S_2 = S_2 \otimes S_1$. A cryptosystem S is called idempotent if $S \otimes S = S$.

Part V: Public-key cryptosystems, I. Key exchange, knapsack, RSA

CHAPTER 5: PUBLIC-KEY CRYPTOGRAPHY I. RSA

Rapidly increasing needs for flexible and secure transmission of information require the use of new cryptographic methods. The main disadvantage of classical (symmetric) cryptography is the need to send a (long) key through a super secure channel before sending the message itself.

In classical or secret-key (symmetric) cryptography both sender and receiver share the same secret key.
In public-key (asymmetric) cryptography there are two different keys: a public encryption key (at the sender side) and a private (secret) decryption key (at the receiver side).

BASIC IDEA - EXAMPLE

Basic idea: If it is infeasible from the knowledge of an encryption algorithm $e_k$ to construct the corresponding decryption algorithm $d_k$, then $e_k$ can be made public.

Toy example (telephone directory encryption):

Start: Each user U makes public a unique telephone directory $td_U$ to encrypt messages for U, and U is the only user to have an inverse telephone directory $itd_U$.

Encryption: Each letter X of a plaintext w is replaced, using the telephone directory $td_U$ of the intended receiver U, by the telephone number of a person whose name starts with the letter X.

Decryption: easy for U, with the inverse telephone directory; infeasible for others.
Analogy between secret-key and public-key cryptography:

Secret-key cryptography:
1. Put the message into a box, lock it with a padlock and send the box.
2. Send the key by a secure channel.

Public-key cryptography: Open padlocks, different ones for each user, are freely available. Only the legitimate user has the key to his padlocks.
Transmission: Put the message into the box of the intended receiver, close the padlock and send the box.

PUBLIC ESTABLISHMENT of SECRET KEYS

Main problem of secret-key cryptography: the need for a secure distribution (establishment) of secret keys ahead of transmissions.

Diffie and Hellman solved this problem in 1976 by designing a protocol for secure key establishment (distribution) over public channels.

Diffie-Hellman Protocol: If two parties, Alice and Bob, want to create a common secret key, then they first agree, somehow, on a large prime p and a q

BLOOM's KEY PRE-DISTRIBUTION PROTOCOL allows a trusted authority (Trent - TA) to distribute secret keys to the n(n - 1)/2 pairs of n users.

Let a large prime p > n be publicly known. Steps of the protocol:
1. Each user U in the network is assigned, by Trent, a unique public number r_U < p.
2. Trent chooses three random numbers a, b and c, smaller than p.
3. For each user U, Trent calculates two numbers
   a_U = (a + b r_U) mod p,   b_U = (b + c r_U) mod p
   and sends them via his secure channel to U.
4. Each user U creates the polynomial g_U(x) = a_U + b_U x.
5. If Alice (A) wants to send a message to Bob (B), then Alice computes her key K_AB = g_A(r_B) mod p and Bob computes his key K_BA = g_B(r_A) mod p.
6. It is easy to see that K_AB = K_BA (both equal a + b(r_A + r_B) + c r_A r_B mod p), and therefore Alice and Bob can now use their (identical) keys to communicate using some secret-key cryptosystem.
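The protocol above, carried out end to end (Trent's setup, the shares sent to each user, and both sides deriving the pair key) as an added example; this is not code from the lecture. The modulus p = 101, the user names, the choice r_U = 1, 2, ... and the seed are constructed for the illustration.

```python
# Bloom's key pre-distribution protocol: Trent derives one share (a_U, b_U)
# per user from a master secret (a, b, c); two users evaluate their linear
# polynomials at each other's public number and obtain the same key.
# Added example; p, the user names and the seed are constructed, not from the slide.
import random
import secrets


def trent_setup(p, user_ids, rng=secrets.randbelow):
    """Trent's side of the protocol.

    Returns the public table {U: r_U}, the private shares {U: (a_U, b_U)}
    (each sent to U alone over Trent's secure channel) and the master
    secret (a, b, c). The master secret stays with Trent; it is returned
    here only so that the example can check the algebra behind K_AB = K_BA.
    """
    if p <= len(user_ids):
        raise ValueError("the prime p must exceed the number of users")
    a, b, c = rng(p), rng(p), rng(p)                        # step 2
    public_r = {u: i + 1 for i, u in enumerate(user_ids)}  # step 1: unique r_U < p
    shares = {u: ((a + b * r) % p, (b + c * r) % p)        # step 3
              for u, r in public_r.items()}
    return public_r, shares, (a, b, c)


def pair_key(share, r_other, p):
    """Steps 4-5: evaluate g_U(x) = a_U + b_U x at the peer's public number."""
    a_u, b_u = share
    return (a_u + b_u * r_other) % p


def pairwise_keys(p=101, users=("alice", "bob", "carol"), seed=None):
    """Run a full setup and return {(U, V): K_UV} for every pair U < V.

    Both directions are computed and compared with the closed form
    a + b(r_U + r_V) + c r_U r_V (mod p), which is why K_UV = K_VU.
    A seed gives a reproducible run; without it Trent uses OS randomness.
    """
    rng = random.Random(seed).randrange if seed is not None else secrets.randbelow
    public_r, shares, (a, b, c) = trent_setup(p, users, rng)
    keys = {}
    for u in users:
        for v in users:
            if u >= v:
                continue
            k_uv = pair_key(shares[u], public_r[v], p)
            k_vu = pair_key(shares[v], public_r[u], p)
            r_u, r_v = public_r[u], public_r[v]
            expected = (a + b * (r_u + r_v) + c * r_u * r_v) % p
            if not (k_uv == k_vu == expected):
                raise AssertionError(f"key mismatch for {u}, {v}")
            keys[(u, v)] = k_uv
    return keys


if __name__ == "__main__":
    print(pairwise_keys(seed=3))
```

A caveat worth knowing when assessing this design (it is not discussed on the slide): because g_U is linear, the shares of any two colluding users determine a, b and c, and with them every pair key in the network; the scheme as stated tolerates no collusion.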
SECURE COMMUNICATION with SECRET-KEY CRYPTOSYSTEMS and without any need for secret key distribution (Shamir's "no-key algorithm")

Basic assumption: Each user X has its own secret encryption function e_X and secret decryption function d_X, and all these functions commute (they form a commutative cryptosystem).

Communication protocol with which Alice can send a message w to Bob:
1. Alice sends e_A(w) to Bob.
2. Bob sends e_B(e_A(w)) to Alice.
3. Alice sends d_A(e_B(e_A(w))) = e_B(w) to Bob.
4. Bob performs the decryption to get d_B(e_B(w)) = w.

Disadvantage: 3 communications are needed (in such a context 3 is a much too large number).
Advantage: A perfect protocol for distribution of secret keys.
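The three passes of the protocol above, run with one concrete commutative cryptosystem, as an added example (not code from the lecture). The commutative functions are an assumption made here: e_X(w) = w^{e_X} mod p and d_X(y) = y^{d_X} mod p over a prime p with d_X = e_X^{-1} mod (p - 1); the prime P = 1000003, the exponents 17 and 5, the message 123456 and the XOR keys are constructed for the illustration. The last function shows why the choice of commutative cipher matters: XOR commutes too, yet with it the three wire messages combine to the plaintext.

```python
# Shamir's three-pass ("no-key") protocol with a commutative cipher.
# Added example, not the lecture's code. The commutative functions are an
# assumption: e_X(w) = w^{e_X} mod p and d_X(y) = y^{d_X} mod p over a prime p,
# where d_X = e_X^{-1} mod (p - 1); exponentiations commute, which is all the
# protocol needs. The prime, exponents and message below are constructed.
import math

P = 1_000_003  # prime modulus for the example; real deployments use far larger primes


def make_key(e, p=P):
    """A user's secret pair (e_X, d_X); e_X must be invertible modulo p - 1."""
    if math.gcd(e, p - 1) != 1:
        raise ValueError("exponent must be coprime to p - 1")
    return e, pow(e, -1, p - 1)


def enc(w, e, p=P):
    return pow(w, e, p)


def dec(y, d, p=P):
    return pow(y, d, p)


def three_pass(w, alice_key, bob_key, p=P):
    """The four steps of the slide. Returns (what Bob recovers, the three wire messages)."""
    if not 0 < w < p:
        raise ValueError("message must lie in 1..p-1")
    e_a, d_a = alice_key
    e_b, d_b = bob_key
    m1 = enc(w, e_a, p)          # 1. Alice -> Bob:  e_A(w)
    m2 = enc(m1, e_b, p)         # 2. Bob -> Alice:  e_B(e_A(w))
    m3 = dec(m2, d_a, p)         # 3. Alice -> Bob:  d_A(e_B(e_A(w))) = e_B(w)
    recovered = dec(m3, d_b, p)  # 4. Bob:           d_B(e_B(w)) = w
    return recovered, [m1, m2, m3]


def xor_three_pass_leak(w, k_a, k_b):
    """Why the choice of commutative cipher matters: with XOR as e_X the
    protocol still 'works', but the three wire messages XOR to w, so anyone
    who reads the channel recovers the message. Returns that XOR."""
    m1 = w ^ k_a
    m2 = m1 ^ k_b
    m3 = m2 ^ k_a
    return m1 ^ m2 ^ m3


if __name__ == "__main__":
    alice, bob = make_key(17), make_key(5)
    w = 123456
    got, wire = three_pass(w, alice, bob)
    print("recovered:", got, "wire:", wire)
```

Note also what the protocol does not give: nobody authenticates anybody, so the commutativity guarantee holds only against a passive observer; a party that can replace messages on the channel can run the protocol with each side separately.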
CRYPTOGRAPHY and COMPUTATIONAL COMPLEXITY

Modern cryptography uses such encryption methods that no "enemy" can have enough computational power and time to do decryption (even those capable of using thousands of supercomputers for tens of years).

Modern cryptography is based on negative and positive results of complexity theory: on the fact that for some algorithmic problems no efficient algorithm seems to exist and, surprisingly, for some "small" modifications of these problems simple, fast and good (randomized) algorithms do exist.

Examples:

Integer factorization: Given n (= pq), it is, in general, infeasible to find p, q. There is a list of "most wanted to factor integers". Top recent successes, using thousands of computers for months:
(*) Factorization of 2^{2^9} + 1 with 155 digits (1996)
(**) Factorization of a "typical" 155-digit integer (1999)

Primes recognition: Is a given n a prime? Fast randomized algorithms exist (1977). The existence of polynomial deterministic algorithms has been shown only in 2002.

COMPUTATIONALLY INFEASIBLE PROBLEMS

Discrete logarithm problem: Given x, y, n, determine an integer a such that y ≡ x^a (mod n) - infeasible in general.

Discrete square root problem: Given integers y, n, compute an integer x such that y ≡ x^2 (mod n) - infeasible in general, easy if the factorization of n is known.

Knapsack problem: Given a (knapsack, integer) vector X = (x_1, ..., x_n) and an (integer capacity) c, find a binary vector (b_1, ..., b_n) such that Σ_{i=1}^{n} b_i x_i = c. The problem is NP-hard in general, but easy if x_i > Σ_{j=1}^{i-1} x_j for 1 < i ≤ n.
ONE-WAY FUNCTIONS

Informally, a function F : N → N is said to be a one-way function if it is easily computable - in polynomial time - but any computation of its inverse is infeasible. A one-way permutation is a 1-1 one-way function.

(Figure: computing f(x) from x is easy; computing x from f(x) is computationally infeasible.)

A more formal approach

Definition. A function f : {0,1}* → {0,1}* is called a strongly one-way function if the following conditions are satisfied:
1. f can be computed in polynomial time;
2. there are c, ε > 0 such that |x|^ε ≤ |f(x)| ≤ |x|^c;
3. for every randomized polynomial time algorithm A, and any constant c > 0, there exists an n_c such that for n > n_c
   Pr(A(f(x)) ∈ f^{-1}(f(x))) < 1/n^c.

Candidates:
Modular exponentiation: f(x) = a^x mod n
Modular squaring: f(x) = x^2 mod n, n a Blum integer
Prime number multiplication: f(p, q) = pq.
TRAPDOOR ONE-WAY FUNCTIONS

The key concept for the design of public-key cryptosystems is that of trapdoor one-way functions.

A function f : X → Y is a trapdoor one-way function if
■ f and its inverse can be computed efficiently,
■ yet even the complete knowledge of the algorithm to compute f does not make it feasible to determine a polynomial time algorithm to compute the inverse of f.

A candidate: modular squaring with a fixed modulus.
■ computation of discrete square roots is infeasible in general, but quite easy if the decomposition of the modulus into primes is known.

A way to design a trapdoor one-way function is to transform an easy case of a hard (one-way) function into a hard-looking case of such a function that can, however, be solved easily by those knowing how the above transformation was performed.
EXAMPLE - COMPUTER PASSWORDS

A naive solution is to keep in the computer a file with entries such as
   login CLINTON   password BUSH,
that is, with logins and their passwords. This is not sufficiently safe.

A safer method is to keep in the computer a file with entries such as
   login CLINTON   password BUSH   one-way function f_C
The idea is that BUSH is a "public" password and CLINTON is the only one who knows a "secret" password, say MADONNA, such that f_C(MADONNA) = BUSH.

Lamport's one-time passwords

One-way functions can be used to create a sequence of passwords:
1. Alice chooses a random w and computes, using a one-way function h, a sequence of passwords
   w, h(w), h(h(w)), ..., h^n(w).
2. Alice then transfers securely "the initial secret" w_0 = h^n(w) to Bob.
3. The i-th authentication, 0 < i < n + 1, is performed as follows:
   - Alice sends w_i = h^{n-i}(w) to Bob, for i = 1, 2, ..., n - 1;
   - Bob checks whether w_{i-1} = h(w_i).
When the number of identifications reaches n, a new w has to be chosen.
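Lamport's scheme from the slide, implemented with both roles, as an added example (not code from the lecture). The one-way function h is instantiated with SHA-256, which is an assumption made here; the slide only asks for some one-way function. The seed bytes and chain length in the checks are constructed. The verifier keeps only the last accepted value, which is what makes a replayed password fail.

```python
# Lamport's one-time passwords, built from a one-way hash chain.
# Added example, not the lecture's code. h is instantiated with SHA-256 (an
# assumption; the slide only requires a one-way function). Alice keeps the
# random w; Bob stores nothing but the current verifier, starting at w_0 = h^n(w).
import hashlib
import secrets


def h(data: bytes) -> bytes:
    """The one-way function of the slide, instantiated as SHA-256."""
    return hashlib.sha256(data).digest()


def h_pow(data: bytes, k: int) -> bytes:
    """k-fold application of h: h^k(data)."""
    for _ in range(k):
        data = h(data)
    return data


class Alice:
    """Prover: owns w and releases h^(n-i)(w) at the i-th authentication."""

    def __init__(self, n: int, w: bytes = None):
        self.n = n
        self.w = w if w is not None else secrets.token_bytes(32)  # step 1
        self.i = 0

    def initial_secret(self) -> bytes:
        """w_0 = h^n(w), handed to Bob over a secure channel (step 2)."""
        return h_pow(self.w, self.n)

    def next_password(self) -> bytes:
        """w_i = h^(n-i)(w); after n releases a fresh w must be chosen."""
        if self.i >= self.n:
            raise RuntimeError("chain exhausted: choose a new w")
        self.i += 1
        return h_pow(self.w, self.n - self.i)


class Bob:
    """Verifier: accepts w_i only if h(w_i) equals the last accepted value."""

    def __init__(self, w0: bytes):
        self.current = w0

    def verify(self, w_i: bytes) -> bool:
        if h(w_i) == self.current:
            self.current = w_i   # advance, so the same w_i cannot be replayed
            return True
        return False


def run_session(n: int, logins: int, w: bytes = None):
    """Perform `logins` authentications and return the list of Bob's verdicts."""
    alice = Alice(n, w)
    bob = Bob(alice.initial_secret())
    return [bob.verify(alice.next_password()) for _ in range(logins)]


if __name__ == "__main__":
    print(run_session(n=5, logins=3))   # [True, True, True]
```

The same hash serves the password-file idea from the top of the slide: storing h(password) instead of the password lets the server check a login without keeping anything from which the secret password could be read back.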
GENERAL KNAPSACK PROBLEM - INFEASIBLE

KNAPSACK PROBLEM: Given an integer vector X = (x_1, ..., x_n) and an integer c, determine a binary vector B = (b_1, ..., b_n) (if it exists) such that XB^T = c.

Knapsack problem with a superincreasing vector - easy

Problem: Given a superincreasing integer vector X = (x_1, ..., x_n) (i.e. x_i > Σ_{j=1}^{i-1} x_j for i > 1) and an integer c, determine a binary vector B = (b_1, ..., b_n) (if it exists) such that XB^T = c.

Algorithm - to solve knapsack problems with superincreasing vectors:

   for i ← n downto 2 do
      if c ≥ 2x_i then terminate {no solution}
      else if c ≥ x_i then b_i ← 1; c ← c − x_i;
      else b_i ← 0;
   if c = x_1 then b_1 ← 1
   else if c = 0 then b_1 ← 0;
   else terminate {no solution}

Example
X = (1, 2, 4, 8, 16, 32, 64, 128, 256, 512), c = 999
X = (1, 3, 5, 10, 20, 41, 94, 199), c = 242
KNAPSACK ENCODING - BASIC IDEAS

Let a (knapsack) vector A = (a_1, ..., a_n) be given. Encoding of a (binary) message B = (b_1, b_2, ..., b_n) by A is done by the vector/vector multiplication AB^T = c and results in the cryptotext c.

Decoding of c requires solving the knapsack problem for the instance given by the knapsack vector A and the cryptotext c. The problem is that decoding seems to be infeasible.

Example: Compute AB^T for A = (74, 82, 94, 83, 39, 99, 56, 49, 73, 99) and B = (1100110101).
DESIGN of KNAPSACK CRYPTOSYSTEMS

1. Choose a superincreasing vector X = (x_1, ..., x_n).
2. Choose m, u such that m > 2x_n, gcd(m, u) = 1.
3. Compute u^{-1} mod m and X' = (x'_1, ..., x'_n), where x'_i = u x_i mod m.
(Keywords: diffusion, confusion.)

Cryptosystem:
   X' - public key
   X, u, m - trapdoor information
Encryption of a binary vector w of length n: c = X'w
Decryption: compute c' = u^{-1} c mod m and solve the knapsack problem with X and c'.

Lemma. Let X, m, u, X', c, c' be as defined above. Then the knapsack problem instances (X, c') and (X', c) have at most one solution, and if one of them has a solution, then the other one has the same solution.

Proof. Let X'w = c. Then c' ≡ u^{-1} c ≡ u^{-1} X' w ≡ u^{-1} u X w ≡ Xw (mod m). Since X is superincreasing and m > 2x_n, we have Xw ≤ Σ_{i=1}^{n} x_i < 2x_n < m, hence (Xw) mod m = Xw and therefore c' = Xw.
DESIGN of KNAPSACK CRYPTOSYSTEMS - EXAMPLE

Example
X = (1, 2, 4, 9, 18, 35, 75, 151, 302, 606), m = 1250, u = 41
X' = (41, 82, 164, 369, 738, 185, 575, 1191, 1132, 1096)

In order to encrypt an English plaintext, we first encode its letters by 5-bit numbers: _ - 00000, A - 00001, B - 00010, ... and then divide the resulting binary string into blocks of length 10.

Plaintext: Encoding of AFRICA results in the vectors
   w_1 = (0000100110)   w_2 = (1001001001)   w_3 = (0001100001)
Encryption:
   c'_1 = X'w_1 = 3061   c'_2 = X'w_2 = 2081   c'_3 = X'w_3 = 2203
Cryptotext: (3061, 2081, 2203)

Decryption of the cryptotexts: (2163, 2116, 1870, 3599)
By multiplying with u^{-1} = 61 (mod 1250) we get new cryptotexts (several new c'):
   (693, 326, 320, 789)
and, in binary form, the solutions B of the equations XB^T = c' have the form
   (1101001001, 0110100010, 0000100010, 1011100101)
Therefore, the resulting plaintext is: ZIMBABWE

STORY of KNAPSACK

Invented: 1978 - Ralph C. Merkle, Martin Hellman
Patented: in 10 countries
Broken: 1982 - Adi Shamir
New idea: iterated knapsack cryptosystem using hyper-reachable vectors.

Definition. A knapsack vector X' = (x'_1, ..., x'_n) is obtained from a knapsack vector X = (x_1, ..., x_n) by strong modular multiplication if x'_i = u x_i mod m, i = 1, ..., n, where m > 2 Σ_{i=1}^{n} x_i and gcd(u, m) = 1. A knapsack vector X' is called hyper-reachable if there is a sequence of knapsack vectors X = X_0, X_1, ..., X_k = X', where X_0 is a superincreasing vector and, for i = 1, ..., k, X_i is obtained from X_{i-1} by a strong modular multiplication.

The iterated knapsack cryptosystem was broken in 1985 - E. Brickell
New ideas: dense knapsack cryptosystems.
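One block serving the knapsack slides above: the greedy algorithm for superincreasing vectors (run on the slide's two instances, one of which has no solution), the encoding c = AB^T, and the Merkle-Hellman cryptosystem with the slide's X, m = 1250, u = 41 and the AFRICA and ZIMBABWE texts. This is an added example, not code from the lecture. The letter code (_ = 00000, A = 00001, ...) and the 10-bit blocks follow the slide; padding a text of odd length with "_" so that every block is complete is an assumption made here.

```python
# Merkle-Hellman knapsack cryptosystem: the greedy solver for superincreasing
# vectors, the encoding c = A B^T, and the full trapdoor cryptosystem with the
# slide's parameters (X, m = 1250, u = 41, AFRICA / ZIMBABWE).
# Added example, not the lecture's code. The letter code _ = 00000, A = 00001,
# ... and 10-bit blocks follow the slide; padding odd-length texts with "_" is
# an assumption made here so that every block is complete.
import math

ALPHABET = "_ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # index = 5-bit code of the letter


def is_superincreasing(x):
    total = 0
    for xi in x:
        if xi <= total:
            return False
        total += xi
    return True


def solve_superincreasing(x, c):
    """The slide's algorithm. Returns the bit list (b_1..b_n) with X B^T = c, or None."""
    b = [0] * len(x)
    for i in range(len(x) - 1, 0, -1):           # x_n down to x_2
        if c >= 2 * x[i]:                        # x_1..x_i together sum to < 2 x_i
            return None
        if c >= x[i]:
            b[i] = 1
            c -= x[i]
    if c == x[0]:
        b[0] = 1
    elif c != 0:
        return None
    return b


def knapsack_encode(a, bits):
    """c = A B^T for a knapsack vector A and a binary message B."""
    return sum(ai * bi for ai, bi in zip(a, bits))


def make_public_key(x, m, u):
    """Design steps 1-3: X' = (u x_i mod m) for superincreasing X, m > 2 x_n, gcd(m, u) = 1."""
    if not (is_superincreasing(x) and m > 2 * x[-1] and math.gcd(m, u) == 1):
        raise ValueError("parameters violate the design conditions")
    return [u * xi % m for xi in x]


def text_to_blocks(text):
    if len(text) % 2:
        text += "_"                              # two letters = one 10-bit block
    bits = "".join(format(ALPHABET.index(ch), "05b") for ch in text)
    return [[int(bit) for bit in bits[i:i + 10]] for i in range(0, len(bits), 10)]


def blocks_to_text(blocks):
    bits = "".join(str(bit) for block in blocks for bit in block)
    letters = (ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))
    return "".join(letters).rstrip("_")


def encrypt(x_pub, text):
    """Encryption: c = X' w for each 10-bit block w."""
    return [knapsack_encode(x_pub, block) for block in text_to_blocks(text)]


def decrypt(x, m, u, cryptotext):
    """Decryption: c' = u^{-1} c mod m, then solve the easy instance (X, c')."""
    u_inv = pow(u, -1, m)
    blocks = []
    for c in cryptotext:
        bits = solve_superincreasing(x, u_inv * c % m)
        if bits is None:
            raise ValueError(f"{c} is not a valid cryptotext block")
        blocks.append(bits)
    return blocks_to_text(blocks)


X = [1, 2, 4, 9, 18, 35, 75, 151, 302, 606]    # trapdoor information: X, u, m
M, U = 1250, 41
X_PUB = make_public_key(X, M, U)                # public key X'

if __name__ == "__main__":
    print(X_PUB)                                        # [41, 82, ..., 1096]
    print(encrypt(X_PUB, "AFRICA"))                     # [3061, 2081, 2203]
    print(decrypt(X, M, U, [2163, 2116, 1870, 3599]))   # ZIMBABWE
```

The second instance of the superincreasing example, c = 242, is the failure mode the algorithm's "terminate {no solution}" branches exist for: the greedy pass ends with a remainder of 2, which is neither 0 nor x_1, so the solver returns None instead of a wrong vector.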
The density of a knapsack vector X = (x_1, ..., x_n) is defined by
   d(X) = n / log(max{x_i | 1 ≤ i ≤ n}).

DESIGN and USE of RSA CRYPTOSYSTEM

Invented in 1978 by Rivest, Shamir, Adleman.
Basic idea: prime multiplication is very easy, integer factorization seems to be infeasible.

Design of RSA cryptosystems
1. Choose two large s-bit primes p, q, s in [512, 1024], and denote n = pq, φ(n) = (p − 1)(q − 1).
2. Choose a large d such that gcd(d, φ(n)) = 1 and compute e = d^{-1} (mod φ(n)).
Public key: n (modulus), e (encryption exponent)
Trapdoor information: p, q, d (decryption exponent)

Plaintext w
Encryption: cryptotext c = w^e mod n
Decryption: plaintext w = c^d mod n

Details: A plaintext is first encoded as a word over the alphabet {0, 1, ..., 9}, then divided into blocks of length i − 1, where 10^{i−1} < n < 10^i. Each block is taken as an integer and encrypted using modular exponentiation.
CORRECTNESS of RSA

Let c = w^e mod n be the cryptotext for a plaintext w, in the cryptosystem with
   n = pq,   ed ≡ 1 (mod φ(n)),   gcd(d, φ(n)) = 1.
In such a case w ≡ c^d (mod n) and, if the decryption is unique, w = c^d mod n.

Proof. Since ed ≡ 1 (mod φ(n)), there exists a j ∈ N such that ed = jφ(n) + 1.
■ Case 1. Neither p nor q divides w. In such a case gcd(n, w) = 1 and by Euler's Totient Theorem we get that
   c^d ≡ w^{ed} = w^{jφ(n)+1} = (w^{φ(n)})^j · w ≡ w (mod n).

DESIGN and USE of RSA CRYPTOSYSTEM

Example of the design and of the use of RSA cryptosystems.
■ By choosing p = 41, q = 61 we get n = 2501, φ(n) = 2400
■ By choosing d = 2087 we get e = 23
■ By choosing d = 2069 we get e = 29
■ By choosing other values of d we would get other values of e.
Let us choose the first pair of encryption/decryption exponents (e = 23 and d = 2087).

Plaintext: KARLSRUHE
Encoding: 100017111817200704
Since 10^3 < n < 10^4, the numerical plaintext is divided into blocks of 3 digits, so 6 plaintext integers are obtained:
   100, 017, 111, 817, 200, 704
Encryption:
   100^23 mod 2501, 17^23 mod 2501, 111^23 mod 2501,
   817^23 mod 2501, 200^23 mod 2501, 704^23 mod 2501
provides the cryptotexts:
   2306, 1893, 621, 1380, 490, 313
Decryption:
   2306^2087 mod 2501 = 100,   1893^2087 mod 2501 = 17
   621^2087 mod 2501 = 111,    1380^2087 mod 2501 = 817
   490^2087 mod 2501 = 200,    313^2087 mod 2501 = 704

RSA CHALLENGE

One of the first descriptions of RSA was in the paper
   Martin Gardner: Mathematical games, Scientific American, 1977
and in this paper the RSA inventors presented the following challenge.

Decrypt the cryptotext:
9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874 6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055 1829 9451 5781 5154
encrypted using the RSA cryptosystem with the 129-digit number, called also RSA129,
n: 114 381 625 757 888 867 669 235 779 976 146 612 010 218 296 721 242 362 562 561 842 935 706 935 245 733 897 830 597 123 513 958 705 058 989 075 147 599 290 026 879 543 541
and with e = 9007.

The problem was solved in 1994 by first factorizing n into one 64-bit prime and one 65-bit prime, and then computing the plaintext
   THE MAGIC WORDS ARE SQUEMISH OSSIFRAGE
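The design steps, the encoding into digit blocks and the KARLSRUHE example above, carried through in code as an added example (not the lecture's own code), together with a brute-force check of the correctness statement for the toy modulus. The letter encoding A = 00, B = 01, ..., Z = 25 is inferred from the slide's encoding of KARLSRUHE; padding a digit string with "00" pairs to a whole number of blocks is an assumption made here.

```python
# RSA key generation, encryption and decryption with the slide's toy parameters
# (p = 41, q = 61, d = 2087, plaintext KARLSRUHE), plus a brute-force check of
# the correctness statement w = c^d mod n for every w < n.
# Added example, not the lecture's code. The letter encoding A = 00, ..., Z = 25
# is inferred from the slide's encoding of KARLSRUHE; padding a digit string
# with "00" pairs to a whole number of blocks is an assumption made here.
import math


def keygen(p, q, d):
    """Design steps 1-2: n = pq, phi = (p-1)(q-1), e = d^{-1} mod phi.
    Returns ((n, e), (p, q, d)): public key and trapdoor information."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(d, phi) != 1:
        raise ValueError("d must be coprime to phi(n)")
    return (n, pow(d, -1, phi)), (p, q, d)


def block_length(n):
    """i - 1 where 10^(i-1) < n < 10^i: the longest digit block that stays below n."""
    return len(str(n)) - 1


def encode(text):
    return "".join(f"{ord(ch) - ord('A'):02d}" for ch in text)


def decode(digits):
    return "".join(chr(int(digits[i:i + 2]) + ord("A")) for i in range(0, len(digits), 2))


def to_blocks(digits, k):
    while len(digits) % k:                 # pad with whole letters "A" = "00"
        digits += "00"
    return [int(digits[i:i + k]) for i in range(0, len(digits), k)]


def from_blocks(blocks, k):
    return "".join(f"{w:0{k}d}" for w in blocks)


def rsa_encrypt(public_key, text):
    """c = w^e mod n for each plaintext block w."""
    n, e = public_key
    return [pow(w, e, n) for w in to_blocks(encode(text), block_length(n))]


def rsa_decrypt(trapdoor, cryptotext):
    """w = c^d mod n for each block, then decode the digit string."""
    p, q, d = trapdoor
    n = p * q
    blocks = [pow(c, d, n) for c in cryptotext]
    return decode(from_blocks(blocks, block_length(n)))


def decryption_is_correct(public_key, trapdoor):
    """Brute-force check of the correctness slide: (w^e)^d = w (mod n) for all w < n.
    Feasible only for toy moduli such as n = 2501."""
    n, e = public_key
    d = trapdoor[2]
    return all(pow(pow(w, e, n), d, n) == w for w in range(n))


if __name__ == "__main__":
    public, trapdoor = keygen(41, 61, 2087)
    print(public)                                  # (2501, 23)
    c = rsa_encrypt(public, "KARLSRUHE")
    print(c)                                       # [2306, 1893, 621, 1380, 490, 313]
    print(rsa_decrypt(trapdoor, c))                # KARLSRUHE
```

This is textbook RSA exactly as the slide describes it: each block is encrypted deterministically, so equal blocks give equal cryptotexts (compare the two blocks 017 and 817 only differing in one digit yet producing unrelated values, while a repeated block would repeat). Deployed systems therefore wrap the block in a randomized padding scheme before exponentiation; the toy code above does not.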
Key exchange, knapsack, RSA 204/616 HOW to DESIGN REALLY GOOD RSA CRYPTOSYSTEMS? T| How to choose large primes p, q? Choose randomly a large integer p, and verify, using a randomized algorithm, whether p is prime. If not, check p + 2, p + 4,... From the Prime Number Theorem it follows that there are approximately log2d " log2d-1 d bit primes. (A probability that a 512-bit number is prime is 0.00562.) prof. Jozef Gruska IV054 5. Public-key cryptosystems, I. Key exchange, knapsack, RSA 205/616 HOW to DESIGN REALLY GOOD RSA CRYPTOSYSTEMS? T| How to choose large primes p, q? Choose randomly a large integer p, and verify, using a randomized algorithm, whether p is prime. If not, check p + 2, p + 4,... From the Prime Number Theorem it follows that there are approximately log2d — log2d-1 d bit primes. (A probability that a 512-bit number is prime is 0.00562.) ^ What kind of relations should be between p and q? 2.1 Difference |p — q| should be neither too small nor too large. 2.2 gcd(p — 1, q — 1) should not be large. 2.3 Both p — 1 and q — 1 should contain large prime factors. 2.4 Quite ideal case: q, p should be safe primes - such that also (p—1)/2 and (q — 1)/2 are primes. (83,107,10100 — 166517 prof. Jozef Gruska IV054 5. Public-key cryptosystems, I. Key exchange, knapsack, RSA 205/616 HOW to DESIGN REALLY GOOD RSA CRYPTOSYSTEMS? T| How to choose large primes p, q? Choose randomly a large integer p, and verify, using a randomized algorithm, whether p is prime. If not, check p + 2, p + 4,... From the Prime Number Theorem it follows that there are approximately log2d " log2d-1 d bit primes. (A probability that a 512-bit number is prime is 0.00562.) ^ What kind of relations should be between p and q? 2.1 Difference |p — q| should be neither too small nor too large. 2.2 gcd(p — 1, q — 1) should not be large. 2.3 Both p — 1 and q — 1 should contain large prime factors. 2.4 Quite ideal case: q, p should be safe primes - such that also (p—1)/2 and (q — 1)/2 are primes. 
(83, 107, 10^100 − 166517 are examples of safe primes.)
3. How to choose e and d?
3.1 Neither d nor e should be small.
3.2 d should not be smaller than n^{1/4}. (For d < n^{1/4} a polynomial time algorithm is known to determine d.)

PRIME RECOGNITION and FACTORIZATION
The key problems for the development of the RSA cryptosystem are those of prime recognition and integer factorization. In August 2002, the first polynomial time algorithm was discovered that allows one to determine whether a given m-bit integer is a prime. The algorithm works in time O(m^12). Fast randomized algorithms for prime recognition have been known since 1977. One of the simplest is due to Rabin and will be presented later.
For integer factorization the situation is somewhat different.
■ No polynomial time classical algorithm is known.
■ Simple, but not efficient, factorization algorithms are known.
■ Several sophisticated distributed factorization algorithms are known that allowed to factorize, using enormous computation power, surprisingly large integers.
■ Progress in integer factorization, due to progress in algorithms and technology, has recently been enormous.
■ Polynomial time quantum algorithms for integer factorization have been known since 1994 (P. Shor).
Several simple and some sophisticated factorization algorithms will be presented and illustrated in the following.
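A key audit that applies the design rules above (items 2.1, 2.2, 2.4 and 3.2), written as an added example and not part of the lecture notes; Claims 1 and 2 later on the page are the justification for the first two checks. The function names, the bounded Fermat search and the trial-division primality test (adequate only for the small toy moduli used here) are my assumptions.

```python
from math import gcd, isqrt


def is_prime_trial(n: int) -> bool:
    """Plain trial division; fine for the small moduli used in these notes."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def is_safe_prime(p: int) -> bool:
    """Rule 2.4: p and (p - 1)/2 both prime (83 and 107 qualify)."""
    return p % 2 == 1 and is_prime_trial(p) and is_prime_trial((p - 1) // 2)


def fermat_factor(n: int, max_steps: int):
    """Rule 2.1 / Claim 1: if p and q are close, x^2 - n is a perfect square
    for an x only slightly above sqrt(n).  Returns (p, q) when found within
    max_steps, otherwise None (the key passed this check)."""
    x = isqrt(n)
    if x * x < n:
        x += 1
    for _ in range(max_steps):
        y2 = x * x - n
        y = isqrt(y2)
        if y * y == y2:
            return x + y, x - y          # p + q = 2x, p - q = 2y
        x += 1
    return None


def short_decryption_exponent(p: int, q: int, e: int) -> int:
    """Rule 2.2 / Claim 2: with s = lcm(p-1, q-1), any d' with e*d' = 1 (mod s)
    already decrypts.  The larger gcd(p-1, q-1), the smaller s is compared
    with phi(n), and the easier s is to find by testing."""
    s = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, s)


def fourth_root_floor(n: int) -> int:
    return isqrt(isqrt(n))


def audit_rsa_key(p: int, q: int, e: int, fermat_steps: int = 1000) -> list:
    """Return the slide's rules that the key (p, q, e) violates."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    problems = []
    if fermat_factor(n, fermat_steps) is not None:
        problems.append("2.1: |p - q| too small (Fermat factoring succeeds)")
    if gcd(p - 1, q - 1) > 2:           # 2 always divides both p-1 and q-1
        problems.append("2.2: gcd(p - 1, q - 1) is large")
    if not (is_safe_prime(p) and is_safe_prime(q)):
        problems.append("2.4: p, q are not safe primes")
    if d < fourth_root_floor(n):        # floor(n^(1/4)); d below it is unsafe
        problems.append("3.2: d < n^(1/4)")
    return problems


if __name__ == "__main__":
    print(audit_rsa_key(41, 61, 23))    # the slide's toy key fails 2.1, 2.2, 2.4
    print(audit_rsa_key(83, 107, 5))    # safe primes, but still too close: 2.1
    print(short_decryption_exponent(41, 61, 23))   # 47 decrypts like d = 2087
```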
RABIN-MILLER's PRIME RECOGNITION
Rabin-Miller's Monte Carlo prime recognition algorithm is based on the following result from number theory.
Lemma Let n ∈ N. Denote, for 1 < x < n, by C(x) the condition: either x^{n−1} ≢ 1 (mod n), or there is an m = (n − 1)/2^i for some i such that gcd(n, x^m − 1) ≠ 1. If C(x) holds for some 1 < x < n, then n is not a prime. If n is not a prime, then C(x) holds for at least half of the x between 1 and n.
Algorithm: Choose randomly integers x_1, x_2, ..., x_m such that 1 < x_i < n. For each x_i determine whether C(x_i) holds.
Claim: If C(x_i) holds for some i, then n is not a prime for sure. Otherwise n is declared to be prime. The probability that this is not the case is 2^{−m}.
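The test above in code, as an added example that is not part of the lecture notes. The gcd clause is evaluated in the form that actually certifies compositeness, 1 < gcd(n, x^m − 1) < n, which the code reaches by walking m = (n − 1)/2, (n − 1)/4, ... until x^m first leaves 1; the function names and the round count are my assumptions.

```python
import random
from math import gcd


def condition_c(x: int, n: int):
    """Evaluate the lemma's condition C(x) for odd n > 2 and 1 < x < n.
    Returns (True, g) when C(x) holds, i.e. n is certainly composite; g is a
    proper factor of n when the gcd clause supplied one, else None.
    Returns (False, None) when x reveals nothing (n may still be composite).
    Write n - 1 = 2^s * t with t odd; m runs over (n-1)/2^i for i = 1..s."""
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    # first clause: x^(n-1) != 1 (mod n)
    if pow(x, n - 1, n) != 1:
        return True, None
    # second clause: the first m where x^m leaves 1 gives a square root of 1
    # (its square is the previous value, which was 1).  If it is -1, x is a
    # strong liar; otherwise gcd(n, x^m - 1) is a proper factor of n.
    for i in range(1, s + 1):
        m = (n - 1) >> i
        r = pow(x, m, n)
        if r == 1:
            continue
        if r == n - 1:
            return False, None
        return True, gcd(n, r - 1)       # 1 < gcd < n since r^2 = 1, r != +-1
    return False, None


def is_probable_prime(n: int, rounds: int = 20, rng=random.SystemRandom()) -> bool:
    """The slide's algorithm with m = rounds random bases; a composite n is
    declared prime with probability at most 2^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        x = rng.randrange(2, n - 1)
        if condition_c(x, n)[0]:
            return False
    return True


def witness_fraction(n: int) -> float:
    """Fraction of bases 1 < x < n for which C(x) holds; the lemma promises
    at least 1/2 for composite n (small n only: this is exhaustive)."""
    hits = sum(1 for x in range(2, n) if condition_c(x, n)[0])
    return hits / (n - 2)


if __name__ == "__main__":
    print(condition_c(2, 561))           # (True, 33): 561 = 33 * 17 exposed
    print(is_probable_prime(2 ** 61 - 1))  # True
    print(witness_fraction(2501))        # well above 0.5
```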
FACTORIZATION of 512-BIT and 663-BIT NUMBERS
On August 22, 1999, a team of scientists from 6 countries found, after 7 months of computing, using 300 very fast SGI and SUN workstations and Pentium IIs, factors of the so-called RSA-155 number with 512 bits (about 155 digits).
RSA-155 was a number from a challenge list issued by the US company RSA Data Security and "represented" 95% of the 512-bit numbers used as keys to protect electronic commerce and financial transmissions on the Internet. Factorization of RSA-155 would require in total 37 years of computing time on a single computer. When in 1977 Rivest and his colleagues challenged the world to factor RSA-129, they estimated that, using the knowledge of that time, factorization of RSA-129 would require 10^16 years. In 2005 RSA-200, a 663-bit number, was factorized by a team of the German Federal Agency for Information Technology Security, using the CPUs of 80 AMD Opterons.

LARGE NUMBERS
Hindus named many large numbers, one having 153 digits. Romans initially had no terms for numbers larger than 10^4. Greeks had a popular belief that no number is larger than the total count of sand grains needed to fill the universe.
Large numbers with special names: duotrigintillion = googol = 10^100; googolplex = 10^{10^100}.
FACTORIZATION of very large NUMBERS
W. Keller factorized F_{23471}, which has 10^{7000} digits.
J. Harley factorized 10^{10^{1000}} + 1. One factor: 316,912,650,057,350,374,175,801,344,000,001.
In 1992 E. Crandal and Doenias proved, using a computer, that F_{22}, which has more than a million digits, is composite (but no factor of F_{22} is known).
The number 10^{10^{34}} was used to develop a theory of the distribution of prime numbers.

DESIGN OF GOOD RSA CRYPTOSYSTEMS
Claim 1. The difference |p − q| should not be small. Indeed, if |p − q| is small, and p > q, then (p + q)/2 is only slightly larger than √n because
$\frac{(p+q)^2}{4} - n = \frac{(p-q)^2}{4}.$
In addition, (p + q)^2/4 − n is a square, say y^2. In order to factor n, it is then enough to test x > √n until an x is found such that x^2 − n is a square, say y^2. In such a case p + q = 2x, p − q = 2y and therefore p = x + y, q = x − y.
Claim 2. gcd(p − 1, q − 1) should not be large.
Indeed, in the opposite case s = lcm(p − 1, q − 1) is much smaller than φ(n). If d'e ≡ 1 (mod s), then, for some integer k,
$c^{d'} = w^{ed'} = w^{ks+1} = w \pmod n$
since p − 1 | s, q − 1 | s and therefore w^{ks} ≡ 1 (mod p) and w^{ks+1} ≡ w (mod q). Hence d' can serve as a decryption exponent. Moreover, in such a case s can be obtained by testing.
Question Are there enough primes (to choose again and again new ones)? No problem: the number of primes of length 512 bits or less exceeds 10^150.

HOW IMPORTANT is FACTORIZATION for BREAKING RSA?
1. If integer factorization is feasible, then RSA is breakable.
2. There is no proof that factorization is indeed needed to break RSA.
3. If a method of breaking RSA would provide an effective way to get the trapdoor information, then factorization could be done effectively.
Theorem Any algorithm to compute φ(n) can be used to factor integers with the same complexity.
Theorem Any algorithm for computing d can be converted into a randomized algorithm for factoring integers with the same complexity.
4. There are setups in which RSA can be broken without factoring the modulus n.
Example An agency chooses p, q and computes a modulus n = pq that is publicized and common to all users U_1, U_2, ..., and also the encryption exponents e_1, e_2, ... are publicized. Each user U_i gets his decryption exponent d_i. In such a setting any user is able to find, in deterministic quadratic time, another user's decryption exponent.

SECURITY of RSA in PRACTICE
None of the numerous attempts to develop attacks on RSA has turned out to be successful. There are various results showing that it is impossible to obtain even only partial information about the plaintext from the cryptotext produced by the RSA cryptosystem.
We will show that, were the following two functions, which are computationally polynomially equivalent, efficiently computable, then the RSA cryptosystem with the encryption (decryption) exponents e_k (d_k) would be breakable.
parity_{e_k}(c) = the least significant bit of the w such that e_k(w) = c;
half_{e_k}(c) = 0 if 0 ≤ w < n/2 and half_{e_k}(c) = 1 if n/2 ≤ w ≤ n − 1 (where e_k(w) = c).
We show two important properties of the functions half and parity.
1. Polynomial time computational equivalence of the functions half and parity follows from the following identities
half_{e_k}(c) = parity_{e_k}((c × e_k(2)) mod n)
parity_{e_k}(c) = half_{e_k}((c × e_k(2^{−1})) mod n)
and the multiplicative rule e_k(w_1) e_k(w_2) = e_k(w_1 w_2).
2. There is an efficient algorithm to determine plaintexts w from the cryptotexts c obtained by RSA encryption, provided the efficiently computable function half can be used as an oracle:

SECURITY of RSA in PRACTICE I: BREAKING RSA USING AN ORACLE
Algorithm:
for i = 0 to ⌊lg n⌋ do a_i ← half(c); c ← (c × e_k(2)) mod n
l ← 0; u ← n
for i = 0 to ⌊lg n⌋ do m ← (l + u)/2; if a_i = 1 then l ← m else u ← m;
output ← ⌊u⌋
Indeed, in the first cycle a_i = half(c × (e_k(2))^i) = half(e_k(2^i w)) is computed for 0 ≤ i ≤ lg n. In the second part of the algorithm binary search is used to determine the interval in which w lies. For example, we have that
half(e_k(w)) = 0 ⇔ w ∈ [0, n/2)
half(e_k(2w)) = 0 ⇔ w ∈ [0, n/4) ∪ [n/2, 3n/4)
half(e_k(4w)) = 0 ⇔ w ∈
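The oracle algorithm above in code, as an added example that is not part of the lecture notes. The hypothetical oracle half_{e_k} is simulated with the private exponent of the notes' toy key (n = 2501, e = 23, d = 2087); recover_plaintext itself uses only the oracle's one-bit answers, and the two half/parity identities are checked as well. Exact rational endpoints are my choice so that ⌊u⌋ is computed without rounding error.

```python
from fractions import Fraction
from math import floor

# Toy RSA key from the notes: n = 41 * 61, e = 23, d = 2087.
N, E, D = 2501, 23, 2087


def half_oracle(c: int) -> int:
    """Stand-in for half_ek: 1 iff the plaintext of c lies in [n/2, n-1].
    It uses d, which the party running recover_plaintext is assumed not to have."""
    return int(2 * pow(c, D, N) >= N)


def parity_oracle(c: int) -> int:
    """Stand-in for parity_ek: least significant bit of the plaintext of c."""
    return pow(c, D, N) & 1


def half_from_parity(c: int) -> int:
    """Identity half(c) = parity((c * e(2)) mod n): the plaintext of c*e(2)
    is 2w mod n, which is odd exactly when w >= n/2 (n odd)."""
    return parity_oracle(c * pow(2, E, N) % N)


def parity_from_half(c: int) -> int:
    """Identity parity(c) = half((c * e(2^-1)) mod n): the plaintext becomes
    w/2 for even w and (w + n)/2 >= n/2 for odd w."""
    inv2 = pow(2, -1, N)
    return half_oracle(c * pow(inv2, E, N) % N)


def recover_plaintext(c: int) -> int:
    """The slide's algorithm: a_i = half(e(2^i w)) for i = 0..floor(lg n),
    then binary search; invariant: w lies in [l, u), and half of e(2^i w)
    says which half of the current interval w is in."""
    steps = N.bit_length()               # floor(lg n) + 1 oracle calls
    a = []
    for _ in range(steps):
        a.append(half_oracle(c))
        c = c * pow(2, E, N) % N         # now encrypts 2w, then 4w, ...
    lo, hi = Fraction(0), Fraction(N)
    for ai in a:
        mid = (lo + hi) / 2
        if ai == 1:
            lo = mid
        else:
            hi = mid
    return floor(hi)                     # interval width < 1 by now


if __name__ == "__main__":
    c = pow(817, E, N)                   # 1380 on the slide
    print(recover_plaintext(c))          # 817, from 12 one-bit oracle answers
```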
SECURITY of RSA in PRACTICE II
There are many results for RSA showing that certain parts are as hard as the whole. For example, any feasible algorithm to determine the last bit of the plaintext can be converted into a feasible algorithm to determine the whole plaintext.
Example Assume that we have an algorithm H to determine whether a plaintext x, designed in RSA with public key e, n, is smaller than n/2 if the cryptotext y is given. We construct an algorithm A to determine in which of the intervals [jn/8, (j + 1)n/8), 0 ≤ j ≤ 7, the plaintext lies.
Basic idea H can be used to decide whether the plaintexts for the cryptotexts x^e mod n, 2^e x^e mod n, 4^e x^e mod n are smaller than n/2.
Answers for x^e mod n, 2^e x^e mod n, 4^e x^e mod n smaller than n/2: yes, yes, yes: j = 0
... φ(n) for some k, gcd(e_A, m) = 1, m is a multiple of φ(n). m and e_A have no common divisor and therefore there exist integers u, v such that um + ve_A = 1. Since m is a multiple of φ(n), we have ve_A = 1 − um ≡ 1 (mod φ(n)) and, since e_A d_A ≡ 1 (mod φ(n)), we have (v − d_A)e_A ≡ 0 (mod φ(n)) and therefore v ≡ d_A (mod φ(n)) is a decryption exponent of A. Indeed, for a cryptotext c: c^v = w^{e_A v} = w^{e_A d_A + kφ(n)} = w (mod n).

COMMON MODULUS ATTACK
Let a message w be encrypted with a modulus n and two encryption exponents e_1 and e_2 such that gcd(e_1, e_2) = 1. Therefore c_1 = w^{e_1} mod n, c_2 = w^{e_2} mod n. Then w = c_1^a c_2^b mod n, where a, b are such that a · e_1 + b · e_2 = 1.
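The two consequences of sharing a modulus described above (the common modulus attack, and a user recovering another user's decryption exponent from his own e, d pair), as an added example that is not part of the lecture notes, run on the notes' toy key n = 2501, e = 23, d = 2087 with a second exponent 7 chosen here. Function names are my assumptions; the loop that strips factors shared between m = ed − 1 and the other exponent is my handling of the case where they are not coprime.

```python
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def modpow_signed(c: int, k: int, n: int) -> int:
    """c^k mod n for negative k too (via the inverse of c; needs gcd(c, n) = 1)."""
    return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)


def common_modulus_recover(n: int, e1: int, c1: int, e2: int, c2: int) -> int:
    """Same w encrypted under (n, e1) and (n, e2) with gcd(e1, e2) = 1:
    w = c1^a * c2^b mod n where a*e1 + b*e2 = 1 (one of a, b is negative)."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    return modpow_signed(c1, a, n) * modpow_signed(c2, b, n) % n


def other_users_exponent(n: int, e_mine: int, d_mine: int, e_other: int) -> int:
    """Shared-modulus setting of the slides: from my own (e, d) build
    m = e*d - 1, a multiple of phi(n).  Factors shared with e_other cannot
    come from phi(n) (gcd(e_other, phi(n)) = 1), so dividing them out keeps m
    a multiple of phi(n); then v = e_other^-1 mod m satisfies
    v*e_other = 1 (mod phi(n)) and decrypts the other user's cryptotexts."""
    m = e_mine * d_mine - 1
    while (g := gcd(m, e_other)) > 1:
        m //= g
    return pow(e_other, -1, m)


if __name__ == "__main__":
    n, e1, e2, w = 2501, 23, 7, 817
    c1, c2 = pow(w, e1, n), pow(w, e2, n)          # c1 = 1380 on the slide
    print(common_modulus_recover(n, e1, c1, e2, c2))  # 817, without d
    v = other_users_exponent(n, 23, 2087, 7)
    print(v, pow(c2, v, n))                        # 41143 817
```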
PRIVATE-KEY versus PUBLIC-KEY CRYPTOGRAPHY
■ The prime advantage of public-key cryptography is increased security: the private keys do not ever need to be transmitted or revealed to anyone.
■ Public-key cryptography is not meant to replace secret-key cryptography, but rather to supplement it, to make it more secure.
■ Example RSA and DES (AES) are usually combined as follows: 1. The message is encrypted with a random DES key. 2. The DES key is encrypted with RSA. 3. The DES-encrypted message and the RSA-encrypted DES key are sent. This protocol is called the RSA digital envelope.
■ In software (hardware) DES is generally about 100 (1000) times faster than RSA. If n users communicate with secret-key cryptography, they need n(n − 1)/2 keys. If n users communicate with public-key cryptography, 2n keys are sufficient. Public-key cryptography allows spontaneous communication.
KERBEROS
We describe a very popular key distribution protocol with a trusted authority TA with which each user A shares a secret key K_A.
■ To communicate with user B, the user A asks TA for a session key (K).
■ TA chooses a random session key K, a time-stamp T, and a lifetime limit L.
■ TA computes m_1 = e_{K_A}(K, ID(B), T, L); m_2 = e_{K_B}(K, ID(B), T, L); and sends m_1, m_2 to A.
■ A decrypts m_1, recovers K, T, L, ID(B), computes m_3 = e_K(ID(B), T) and sends m_2 and m_3 to B.
■ B decrypts m_2 and m_3 and checks whether the two values of T and of ID(B) are the same. If so, B computes m_4 = e_K(T + 1) and sends it to A.
■ A decrypts m_4 and verifies that she got T + 1.

Part VI Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS
A large number of interesting and important cryptosystems have already been designed. In this chapter we present several other of them in order to illustrate principles and techniques that can be used to design cryptosystems.
prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 220/616
At first, we present several cryptosystems whose security is based on the fact that computation of square roots and discrete logarithms is in general infeasible in some groups. Secondly, we discuss pseudo-random number generators and hash functions, other very important concepts of modern cryptography. Finally, we discuss one of the fundamental questions of modern cryptography: when can a cryptosystem be considered as (computationally) perfectly secure? In order to do that we will:
■ discuss the role randomness plays in cryptography;
■ introduce the very fundamental definitions of perfect security of a cryptosystem;
■ present some examples of perfectly secure cryptosystems.

RABIN CRYPTOSYSTEM
Primes p, q of the form 4k + 3, so called Blum primes, are kept secret; n = pq is the public key.
Encryption of a plaintext w < n: c = w^2 mod n.
Decryption: It is easy to verify, using Euler's criterion, which says that if c is a quadratic residue modulo p then c^{(p−1)/2} ≡ 1 (mod p), that ±c^{(p+1)/4} mod p and ±c^{(q+1)/4} mod q are the two square roots of c modulo p and modulo q. One can now obtain the four square roots of c modulo n using the method shown in the Appendix.
In case the plaintext w is a meaningful English text, it should be easy to determine w from w_1, w_2, w_3, w_4. However, if w is a random string (say, for a key exchange) it is impossible to determine w from w_1, w_2, w_3, w_4.
Rabin did not propose this system as a practical cryptosystem.

GENERALIZED RABIN CRYPTOSYSTEM
Public key: n, B (0 ≤ B ≤ n − 1)
Trapdoor: Blum primes p, q (n = pq)
Encryption: e(x) = x(x + B) mod n
Decryption: d(y) = (√(B^2/4 + y) − B/2) mod n
It is easy to verify that if ω is a nontrivial square root of 1 modulo n, then there are four decryptions of e(x): x, −x, ω(x + B/2) − B/2, −ω(x + B/2) − B/2.
Example e(ω(x + B/2) − B/2) = (ω(x + B/2) − B/2)(ω(x + B/2) + B/2) = ω^2 (x + B/2)^2 − (B/2)^2 = x^2 + Bx = e(x).
Decryption of the generalized Rabin cryptosystem can be reduced to the decryption of the original Rabin cryptosystem.
Indeed, the equation x^2 + Bx ≡ y (mod n) can be transformed, by the substitution x = x_1 − B/2, into x_1^2 ≡ B^2/4 + y (mod n) and, by defining c = B^2/4 + y, into x_1^2 ≡ c (mod n). Decryption can be done by factoring n and solving the congruences x_1^2 ≡ c (mod p), x_1^2 ≡ c (mod q).

SECURITY of RABIN CRYPTOSYSTEM
We show that any hypothetical decryption algorithm A for the Rabin cryptosystem can be used, as an oracle, in the following Las Vegas algorithm, to factor an integer n.
Algorithm:
1. Choose a random r, 1 ≤ r ≤ n − 1;
2. Compute y = (r^2 − B^2/4) mod n; {y = e_k(r − B/2)}
3. Call A(y), to obtain a decryption x = (√(B^2/4 + y) − B/2) mod n;
4. Compute x_1 = x + B/2; {x_1^2 ≡ r^2 mod n}
5. if x_1 ≡ ±r then quit (failure) else gcd(x_1 + r, n) = p or q.
Indeed, after Step 4, either x_1 ≡ ±r (mod n) or x_1 ≡ ±ωr (mod n). In the second case we have n | (x_1 − r)(x_1 + r), but n does not divide either factor x_1 − r or x_1 + r. Therefore computation of gcd(x_1 + r, n) or gcd(x_1 − r, n) must yield factors of n.
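Rabin encryption, the four-root decryption via Euler's criterion and the CRT, and the Las Vegas reduction above (with B = 0, i.e. the original Rabin system), as an added example that is not part of the lecture notes. The Blum primes 83 and 107 are the notes' safe primes reused here; the "decryption algorithm A" is modelled as an oracle that returns one of the four roots at random, and the function names are my assumptions.

```python
import random
from math import gcd


def crt_pair(rp: int, p: int, rq: int, q: int) -> int:
    """Combine x = rp (mod p), x = rq (mod q) into x mod pq (Garner/CRT)."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def rabin_encrypt(w: int, n: int) -> int:
    return w * w % n


def rabin_decrypt(c: int, p: int, q: int) -> list:
    """p, q Blum primes (= 3 mod 4).  c^((p+1)/4) squares to c^((p+1)/2) =
    c * c^((p-1)/2) = c (mod p) by Euler's criterion, so it is a square root
    of c mod p (likewise mod q); the CRT then yields the four roots mod n."""
    assert p % 4 == 3 and q % 4 == 3
    rp = pow(c, (p + 1) // 4, p)
    rq = pow(c, (q + 1) // 4, q)
    return [crt_pair(sp, p, sq, q)
            for sp in (rp, (-rp) % p) for sq in (rq, (-rq) % q)]


def rabin_oracle_factory(p: int, q: int, rng=random.SystemRandom()):
    """Models the hypothetical decryption algorithm A: it returns one root of
    y, chosen at random (a decryptor picking the 'meaningful' root behaves
    the same way on random input, where no root is meaningful)."""
    def oracle(y: int) -> int:
        return rng.choice(rabin_decrypt(y, p, q))
    return oracle


def factor_with_oracle(n: int, oracle, rng=random.SystemRandom(), attempts: int = 64):
    """The Las Vegas algorithm of the slide with B = 0: pick r, ask A for a
    root x of r^2; if x != +-r then x = +-omega*r and gcd(x + r, n) is a
    proper factor.  Each attempt succeeds with probability 1/2."""
    for _ in range(attempts):
        r = rng.randrange(1, n)
        x = oracle(r * r % n)
        if x in (r % n, (-r) % n):
            continue                      # failure, try another r
        g = gcd(x + r, n)
        if 1 < g < n:
            return tuple(sorted((g, n // g)))
    return None


if __name__ == "__main__":
    p, q = 83, 107
    n = p * q
    print(rabin_decrypt(rabin_encrypt(1234, n), p, q))   # four roots, one is 1234
    print(factor_with_oracle(n, rabin_oracle_factory(p, q)))  # (83, 107)
```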
ElGamal CRYPTOSYSTEM
Design: choose a large prime p (with at least 150 digits); choose two random integers 1 ≤ q, x < p, where q is a primitive element of Z_p^*; calculate y = q^x mod p.
Public key: p, q, y; trapdoor: x.
Encryption of a plaintext w: choose a random r and compute a = q^r mod p, b = y^r w mod p.
Cryptotext: c = (a, b). (The cryptotext contains r indirectly, and the plaintext is "masked" by multiplying with y^r (and taking modulo p).)
Decryption: w = b/a^x mod p = b a^{−x} mod p.
Proof of correctness: a^x = q^{rx} mod p, so
$\frac{b}{a^x} = \frac{y^r w}{a^x} = \frac{q^{rx} w}{q^{rx}} = w \pmod p.$
Public key: p, q, y; trapdoor: x

Encryption of a plaintext w: choose a random r and compute a = q^r mod p, b = y^r w mod p. Cryptotext: c = (a, b). (The cryptotext contains r indirectly, and the plaintext is "masked" by multiplying it with y^r (and reducing modulo p).)

Decryption: w = b / a^x mod p = b a^{-x} mod p.

Proof of correctness: a^x = q^{rx} mod p, hence b / a^x = y^r w / q^{rx} = q^{rx} w / q^{rx} = w (mod p).

Note: The security of the ElGamal cryptosystem is based on the infeasibility of computing discrete logarithms. The random r must be fresh and unpredictable for every message: if the same r is used for two plaintexts w_1 and w_2, the quotient b_1 / b_2 = w_1 / w_2 (mod p) is exposed to anyone who sees both cryptotexts.

SHANKS' ALGORITHM for DISCRETE LOGARITHM

Let m = ⌈√(p - 1)⌉. The following algorithm computes lg_q y in Z_p^*.
1. Compute q^{mj} mod p for 0 ≤ j ≤ m - 1.
2. Create a list L1 of the m pairs (j, q^{mj} mod p), sorted by the second item.
3. Compute y q^{-i} mod p for 0 ≤ i ≤ m - 1.
4. Create a list L2 of the pairs (i, y q^{-i} mod p), sorted by the second item.
5. Find two pairs, one (j, z) ∈ L1 and a second (i, z) ∈ L2, with the same second item z.

If such a search is successful, then q^{mj} mod p = z = y q^{-i} mod p, therefore q^{mj+i} ≡ y (mod p), and as the result lg_q y = (mj + i) mod (p - 1). On the other hand, for any y we can write lg_q y = mj + i for some 0 ≤ i, j ≤ m - 1 (take i = lg_q y mod m and j = ⌊lg_q y / m⌋; j ≤ m - 1 because lg_q y < p - 1 ≤ m^2). Hence the search in Step 5 of the algorithm has to be successful. The algorithm needs O(√p) multiplications and O(√p) memory, which is why p has to be large.

BIT SECURITY of DISCRETE LOGARITHM

Let us consider the problem to compute L_i(y) = the i-th least significant bit of lg_q y in Z_p^*.
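ElGamal key generation, encryption and decryption, Shanks' baby-step giant-step recovering the trapdoor x from the public y, and the Euler-criterion computation of L_1(y) that the next slide derives, as one added example that is not part of the lecture notes. The prime p = 10007 is a constructed toy parameter: with a 150-digit p the table L1 of Shanks' algorithm would need about 10^75 entries, which is the whole point of the parameter size. Encryption draws a fresh r from the OS random source by default, per the note above.

```python
import math
import random


def prime_factors(m):
    """Distinct prime factors of m by trial division (toy sizes only)."""
    factors, f = set(), 2
    while f * f <= m:
        while m % f == 0:
            factors.add(f)
            m //= f
        f += 1
    if m > 1:
        factors.add(m)
    return factors


def is_primitive_root(q, p):
    """q generates Z_p^* iff q^((p-1)/f) != 1 (mod p) for every prime f dividing p - 1."""
    return 1 <= q < p and all(pow(q, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))


def find_primitive_root(p):
    return next(g for g in range(2, p) if is_primitive_root(g, p))


def elgamal_keygen(p, q, rng=None):
    """Public key (p, q, y = q^x mod p) and trapdoor x."""
    rng = rng or random.SystemRandom()
    x = rng.randrange(1, p - 1)
    return (p, q, pow(q, x, p)), x


def elgamal_encrypt(pub, w, rng=None):
    """c = (a, b) = (q^r mod p, y^r * w mod p) for a fresh random r."""
    p, q, y = pub
    rng = rng or random.SystemRandom()
    r = rng.randrange(1, p - 1)
    return pow(q, r, p), pow(y, r, p) * w % p


def elgamal_decrypt(p, x, c):
    """w = b * a^(-x) mod p, where a^(-x) = a^(p-1-x) because a^(p-1) = 1."""
    a, b = c
    return b * pow(a, p - 1 - x, p) % p


def shanks_dlog(q, y, p):
    """Baby-step giant-step: lg_q y in Z_p^*, the unique e in [0, p-2] with q^e = y (mod p)."""
    m = math.isqrt(p - 1)
    if m * m < p - 1:
        m += 1                                   # m = ceil(sqrt(p - 1))
    giant = pow(q, m, p)
    table = {}                                   # list L1 as a map: q^(mj) mod p -> j
    z = 1
    for j in range(m):
        table.setdefault(z, j)
        z = z * giant % p
    q_inv = pow(q, p - 2, p)
    z = y % p                                    # entries of L2: y * q^(-i) mod p, i = 0, 1, ...
    for i in range(m):
        if z in table:                           # q^(mj) = y * q^(-i)  =>  y = q^(mj + i)
            return (m * table[z] + i) % (p - 1)
        z = z * q_inv % p
    raise ValueError("y is not a power of q modulo p")


def euler_lsb(y, p):
    """L_1(y) for y in Z_p^*: 0 iff y is a quadratic residue, i.e. iff lg_q y is even."""
    return 0 if pow(y, (p - 1) // 2, p) == 1 else 1


if __name__ == "__main__":
    p = 10007                                    # constructed toy prime
    q = find_primitive_root(p)
    pub, x = elgamal_keygen(p, q)
    c = elgamal_encrypt(pub, 4242)
    print(elgamal_decrypt(p, x, c), shanks_dlog(q, pub[2], p) == x, euler_lsb(pub[2], p) == x % 2)
```

The bit returned by euler_lsb is exactly the parity of the exponent that shanks_dlog recovers, which is Result 1 of the next slide: the lowest bit of a discrete logarithm leaks for free, so it must never be relied on for secrecy.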
Result 1: L_1(y) can be computed efficiently.

To show that, we use the fact that the set QR(p) of quadratic residues modulo p has (p - 1)/2 elements. Let q be a primitive element of Z_p^*. Clearly, q^a ∈ QR(p) if a is even. Since the elements q^0 mod p, q^2 mod p, ..., q^{p-3} mod p are all distinct, we have QR(p) = {q^{2i} mod p | 0 ≤ i ≤ (p - 3)/2}.

Consequence: y is a quadratic residue iff lg_q y is even, that is iff L_1(y) = 0. By Euler's criterion, y is a quadratic residue iff y^{(p-1)/2} ≡ 1 (mod p). L_1(y) can therefore be computed as follows: L_1(y) = 0 if y^{(p-1)/2} ≡ 1 (mod p); L_1(y) = 1 otherwise.

Result 2: Efficient computability of L_i(y), i > 1, in Z_p^* would imply efficient computability of the discrete logarithm in Z_p^*.

GROUP VERSION of ElGamal CRYPTOSYSTEM

A group version of the discrete logarithm problem: given a group (G, ∘), α ∈ G and β ∈ {α^i | i ≥ 0}, find log_α β = k such that α^k = β.

The ElGamal cryptosystem can be implemented in any group in which the discrete logarithm problem is infeasible.
Cryptosystem for (G, ∘):
Public key: α, β
Trapdoor: k such that α^k = β
Encryption of a plaintext w with a random integer r: e(w, r) = (y_1, y_2), where y_1 = α^r, y_2 = w ∘ β^r.
Decryption of a cryptotext (y_1, y_2): d(y_1, y_2) = y_2 ∘ y_1^{-k}. (Indeed, y_1^{-k} = α^{-rk} = β^{-r}.)

An important special case is the computation of discrete logarithms in the group of points of an elliptic curve defined over a finite field.

WILLIAMS CRYPTOSYSTEM - BASICS

This cryptosystem is similar to RSA, but with number operations performed in a quadratic field. The complexity of the cryptanalysis of the Williams cryptosystem is equivalent to factoring.

Consider numbers of the form α = a + b√c, where a, b, c are integers. If c is fixed, α can be viewed as a pair (a, b):
α_1 + α_2 = (a_1, b_1) + (a_2, b_2) = (a_1 + a_2, b_1 + b_2)
α_1 α_2 = (a_1, b_1) · (a_2, b_2) = (a_1 a_2 + c b_1 b_2, a_1 b_2 + b_1 a_2)
The conjugate ᾱ of α is defined by ᾱ = a - b√c.

Auxiliary functions:
X_i(α) = (α^i + ᾱ^i) / 2
Y_i(α) = b(α^i - ᾱ^i) / (α - ᾱ)
Hence α^i = X_i(α) + Y_i(α)√c and ᾱ^i = X_i(α) - Y_i(α)√c.
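The arithmetic in Z[√c] above, reduced modulo an RSA-type n, together with the X_i, Y_i recursions that the next slide derives under the condition a^2 - c b^2 = 1, as an added example (it is not code from the lecture notes). α = 3 + 2√2 is a constructed norm-1 element (9 - 8 = 1) and n = 1000003 a constructed toy modulus. The ladder keeps the consecutive pair (X_k, Y_k), (X_{k+1}, Y_{k+1}) so that every step is one of the doubling formulas, and its output is checked against plain square-and-multiply in Z_n[√c].

```python
def qf_add(u, v, n):
    """(a1 + b1*sqrt(c)) + (a2 + b2*sqrt(c)) in Z_n[sqrt(c)], elements as pairs (a, b)."""
    return (u[0] + v[0]) % n, (u[1] + v[1]) % n


def qf_mul(u, v, c, n):
    """(a1, b1) * (a2, b2) = (a1*a2 + c*b1*b2, a1*b2 + b1*a2), reduced modulo n."""
    a1, b1 = u
    a2, b2 = v
    return (a1 * a2 + c * b1 * b2) % n, (a1 * b2 + b1 * a2) % n


def qf_conj(u, n):
    """Conjugate: a + b*sqrt(c) -> a - b*sqrt(c)."""
    return u[0] % n, (-u[1]) % n


def qf_pow(u, i, c, n):
    """alpha^i by square-and-multiply; the result is the pair (X_i, Y_i)."""
    result, base = (1, 0), u
    while i:
        if i & 1:
            result = qf_mul(result, base, c, n)
        base = qf_mul(base, base, c, n)
        i >>= 1
    return result


def norm(u, c, n):
    """alpha * conj(alpha) = a^2 - c*b^2 (mod n); the slides assume it equals 1."""
    return qf_mul(u, qf_conj(u, n), c, n)[0]


def lucas_xy(a, b, i, c, n):
    """(X_i, Y_i) from the doubling formulas only, assuming a^2 - c*b^2 = 1 (mod n):

        X_{2k}   = 2 X_k^2 - 1           Y_{2k}   = 2 X_k Y_k
        X_{2k+1} = 2 X_k X_{k+1} - X_1   Y_{2k+1} = 2 X_k Y_{k+1} - Y_1

    Walking the bits of i from the top, the pair (k, k+1) becomes (2k, 2k+1) on a
    0 bit and (2k+1, 2k+2) on a 1 bit, so each step uses only the formulas above.
    """
    if (a * a - c * b * b) % n != 1:
        raise ValueError("alpha must have norm 1 modulo n")
    x1, y1 = a % n, b % n                       # X_1 = a, Y_1 = b
    xk, yk, xk1, yk1 = 1, 0, x1, y1             # k = 0: (X_0, Y_0) = (1, 0)
    for bit in bin(i)[2:]:
        x_odd = (2 * xk * xk1 - x1) % n         # X_{2k+1}
        y_odd = (2 * xk * yk1 - y1) % n         # Y_{2k+1}
        if bit == "0":
            xk, yk = (2 * xk * xk - 1) % n, 2 * xk * yk % n           # X_{2k}, Y_{2k}
            xk1, yk1 = x_odd, y_odd
        else:
            xk, yk = x_odd, y_odd
            xk1, yk1 = (2 * xk1 * xk1 - 1) % n, 2 * xk1 * yk1 % n     # X_{2k+2}, Y_{2k+2}
    return xk, yk


if __name__ == "__main__":
    c, n, alpha = 2, 1000003, (3, 2)            # constructed: 3^2 - 2*2^2 = 1
    for i in (0, 1, 2, 3, 10, 123456):
        assert lucas_xy(3, 2, i, c, n) == qf_pow(alpha, i, c, n)
    print(lucas_xy(3, 2, 123456, c, n))
```

Because X_i is computed from X_0 = 1 and X_1 = a alone, the ladder also shows the slide's remark that X_i does not depend on b once the norm is 1.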
WILLIAMS CRYPTOSYSTEM - EFFICIENT EXPONENTIATION

Assume now that a^2 - c b^2 = 1 (that is, α has norm 1). Then αᾱ = 1 and consequently X_i^2 - c Y_i^2 = 1.

Moreover, for j ≥ i:
X_{i+j} = 2 X_i X_j - X_{j-i}
Y_{i+j} = 2 Y_i X_j + Y_{j-i}

From these and the following equations
X_{i+j} = X_i X_j + c Y_i Y_j
Y_{i+j} = Y_i X_j + X_i Y_j
we get the recursive formulas:
X_{2i} = X_i^2 + c Y_i^2 = 2 X_i^2 - 1
Y_{2i} = 2 X_i Y_i
X_{2i+1} = 2 X_i X_{i+1} - X_1
Y_{2i+1} = 2 X_i Y_{i+1} - Y_1

Consequence: X_i and Y_i can, given i, be computed fast (in O(log i) operations, by the same binary ladder as modular exponentiation).

Remark: Since X_0 = 1 and X_1 = a, X_i does not depend on b.

WHEN is a CRYPTOSYSTEM (perfectly) SECURE?

First question: Is it enough for perfect security of a cryptosystem that one cannot get a plaintext from a cryptotext?

NO, NO, NO

WHY? For many applications it is crucial that no information about the plaintext can be obtained.
■ Intuitively, a cryptosystem is (perfectly) secure if one cannot get any (new) information about the corresponding plaintext from any cryptotext.
■ It is very nontrivial to define fully precisely when a cryptosystem is (computationally) perfectly secure.
■ It has been shown that perfectly secure cryptosystems have to use randomized encryptions.
CRYPTOGRAPHY and RANDOMNESS

Randomness and cryptography are deeply related.

1. The prime goal of any good encryption method is to transform even a highly nonrandom plaintext into a highly random cryptotext. (Avalanche effect.)

Example: Let e_k be an encryption algorithm and x_0 a plaintext, and let x_i = e_k(x_{i-1}) for i ≥ 1. It is intuitively clear that if the encryption e_k is "cryptographically secure", then it is very likely that the sequence x_0 x_1 x_2 x_3 ... is (quite) random. Perfect encryption should therefore produce (quite) perfect (pseudo)randomness.

2. The other side of the relation is more complex. It is clear that perfect randomness together with the ONE-TIME PAD cryptosystem produces perfect secrecy.
The price to pay: a key as long as the plaintext is needed. The way out seems to be to use an encryption algorithm with a pseudo-random generator that produces a long pseudo-random sequence from a short seed, and to use the resulting sequence with the ONE-TIME PAD.

Basic question: When is a pseudo-random generator good enough for cryptographic purposes?

SECURE ENCRYPTIONS - BASIC CONCEPTS I

We now start to discuss a very nontrivial question: when is an encryption scheme computationally perfectly SECURE?
At first, we introduce two very basic technical concepts:

Definition: A function f: N → R is a negligible function if for any polynomial p(n) and for almost all n: f(n) ≤ 1/p(n).

Definition (computational indistinguishability): Let X = {X_n}_{n∈N} and Y = {Y_n}_{n∈N} be probability ensembles such that each X_n and Y_n ranges over strings of length n. We say that X and Y are computationally indistinguishable if for every feasible algorithm A the difference d_A(n) = |Pr[A(X_n) = 1] - Pr[A(Y_n) = 1]| is a negligible function in n.

SECURE ENCRYPTIONS - PSEUDORANDOM GENERATORS

In cryptography, random sequences can usually be replaced well enough by pseudorandom sequences generated by (cryptographically perfect) pseudorandom generators.

Definition (pseudorandom generator): Let l(n): N → N be such that l(n) > n for all n. A (computationally indistinguishable) pseudorandom generator with stretch function l is an efficient deterministic algorithm which, on input a random n-bit seed, outputs an l(n)-bit sequence that is computationally indistinguishable from a uniformly random l(n)-bit sequence.
Theorem: Let f be a one-way function which is length preserving and efficiently computable, and let b be a hard-core predicate of f. Then
G(s) = b(s) · b(f(s)) · ... · b(f^{l(|s|)-1}(s))
is a (computationally indistinguishable) pseudorandom generator with stretch function l(n).

Definition: A predicate b is a hard-core predicate of the function f if b is easy to evaluate, but b(x) is hard to predict from f(x).
(That is, it is infeasible, given f(x) where x is uniformly chosen, to predict b(x) substantially better than with probability 1/2.)

It is known that if integer factoring is infeasible, then the least significant bit of the modular squaring function x^2 mod n, for a Blum integer n, is a hard-core predicate; this is the basis of the BBS generator discussed below.

CRYPTOGRAPHICALLY STRONG PSEUDO-RANDOM GENERATORS

Fundamental question: when is a pseudo-random generator good enough for cryptographic purposes?
Basic concept: A pseudo-random generator is called cryptographically strong if the sequence of bits it produces from a short random seed is so good for use with the ONE-TIME PAD cryptosystem that no polynomial time algorithm allows a cryptanalyst to learn any information about the plaintext from the cryptotext.

A cryptographically strong pseudo-random generator would therefore provide sufficient security in a secret-key cryptosystem if both parties agree on some short seed and never use it twice.

As discussed later: cryptographically strong pseudo-random generators could provide perfect secrecy also for public-key cryptography.

Problem: Do cryptographically strong pseudo-random generators exist?
Remark: The concept of a cryptographically strong pseudo-random generator is one of the key concepts of the foundations of computing. Indeed, a cryptographically strong pseudo-random generator exists if and only if a one-way function exists, which is equivalent to P ≠ UP and which implies P ≠ NP.

CANDIDATES for CRYPTOGRAPHICALLY STRONG PSEUDO-RANDOM GENERATORS

So far there are only candidates for cryptographically strong pseudo-random generators.

For example, cryptographically strong are all pseudo-random generators that are unpredictable to the left, in the sense that a cryptanalyst who knows the generator and sees the whole generated sequence except its first bit has no better way to find out this first bit than to toss a coin.
It has been shown that if integer factoring is intractable, then the so-called BBS pseudo-random generator, discussed below, is unpredictable to the left. (We make use of the fact that if factoring is infeasible, then for almost all quadratic residues x mod n, coin-tossing is the best possible way to estimate the least significant bit of x after seeing x^2 mod n.)

Let n be a Blum integer (n = pq with primes p ≡ q ≡ 3 (mod 4)). Choose a random quadratic residue x_0 (modulo n). For i ≥ 0 let x_{i+1} = x_i^2 mod n and b_i = the least significant bit of x_i. For each integer i, let BBS_{n,i}(x_0) = b_0 ... b_{i-1}
be the first i bits of the pseudo-random sequence generated from the seed x_0 by the BBS pseudo-random generator.

BBS PSEUDO-RANDOM GENERATOR - ANALYSIS

Choose a random x relatively prime to n and compute x_0 = x^2 mod n. Let x_{i+1} = x_i^2 mod n, and let b_i be the least significant bit of x_i; BBS_{n,i}(x_0) = b_0 ... b_{i-1}.

Assume that the BBS pseudo-random generator with a Blum integer n is not unpredictable to the left. Let y be a quadratic residue from Z_n^* and compute BBS_{n,i-1}(y) for some i > 1. Observe that the last (i - 1) bits of BBS_{n,i}(x) are exactly the first (i - 1) bits of BBS_{n,i-1}(y), where x is the principal square root of y (the square root that is itself a quadratic residue). Hence, if the BBS generator is not unpredictable to the left, then there exists a better method than coin-tossing to determine the least significant bit of x from y = x^2 mod n, which is, as mentioned above, impossible if factoring is infeasible.

RANDOMIZED ENCRYPTIONS

From the security point of view, public-key cryptography with deterministic encryption has the following serious drawback: a cryptanalyst who knows the public encryption function e_k and a cryptotext c can try to guess a plaintext w, compute e_k(w) and compare it with c.

The purpose of randomized encryptions is to encrypt messages, using randomized algorithms, in such a way that one can prove that no feasible computation on the cryptotext can provide any information whatsoever about the corresponding plaintext (except with a negligible probability).
Formal setting:
Given: plaintext-space P, cryptotext-space C, key-space K, random-space R;
encryption: e_k: P × R → C;
decryption: d_k: C → P (or C → 2^P) such that for any p, r: d_k(e_k(p, r)) = p.
■ d_k and e_k should be easy to compute.
■ Given e_k, it should be infeasible to determine d_k.

SECURE ENCRYPTION - FIRST DEFINITION

Definition (semantic security of encryption): A cryptographic system is semantically secure if for every feasible algorithm A there exists a feasible algorithm B such that for every two functions f, h: {0,1}^* → {0,1}^n and all probability ensembles {X_n}_{n∈N}, where X_n ranges over {0,1}^n,
Pr[A(E(X_n), h(X_n)) = f(X_n)] ≤ Pr[B(h(X_n)) = f(X_n)] + μ(n),
where μ is a negligible function. (Whatever A learns about f(X_n) from the cryptotext and the side information h(X_n), B learns from the side information alone.)
It can be shown that any semantically secure public-key cryptosystem must use a randomized encryption algorithm. The RSA cryptosystem is not secure in the above sense, since its encryption is deterministic. However, randomized versions of RSA, which pad the message with fresh randomness before exponentiation, are semantically secure under appropriate assumptions.

SECURE ENCRYPTIONS - SECOND DEFINITION

Definition: A randomized-encryption cryptosystem is polynomial time secure if, for any c ∈ N and sufficiently large s ∈ N (the security parameter), no randomized polynomial time algorithm that takes as input s (in unary) and the public key can distinguish between randomized encryptions, by that key, of two given messages of length c with probability larger than 1/2 + 1/s^c.

Both definitions are equivalent.
Example of a polynomial-time secure randomized (Blum-Goldwasser) encryption:
p, q: large Blum primes; n = pq: the key.
Plaintext-space: all binary strings. Random-space: QR_n. Crypto-space: QR_n × {0,1}^*.

Encryption: Let w be a t-bit plaintext and x_0 a random quadratic residue modulo n. Compute x_t and BBS_{n,t}(x_0) using the recurrence x_{i+1} = x_i^2 mod n. Cryptotext: (x_t, w ⊕ BBS_{n,t}(x_0)).
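The generic construction G(s) = b(s) · b(f(s)) · ... from the theorem on pseudorandom generators, instantiated with f = squaring modulo a Blum integer and b = least significant bit (that is, the BBS generator defined above), and the Blum-Goldwasser encryption just described together with the trapdoor decryption that the next slide states in words. This is one added example serving all three passages; it is not code from the lecture notes. p = 10007 and q = 10039 are constructed toy Blum primes (a real n needs thousands of bits) and the message is a constructed bit list. One caveat the slides do not state: the scheme is a one-time pad with a BBS keystream, so flipping a cryptotext bit flips the corresponding plaintext bit; it provides secrecy, not integrity.

```python
import math
import random


def is_blum_prime(p):
    """p prime (trial division, toy sizes only) and p = 3 (mod 4)."""
    return p > 2 and p % 4 == 3 and all(p % d for d in range(2, math.isqrt(p) + 1))


def hardcore_prg(f, b, s, length):
    """G(s) = b(s) b(f(s)) ... b(f^(length-1)(s)), the construction of the theorem.
    The final state f^length(s) is returned too; Blum-Goldwasser ships it as x_t."""
    bits = []
    for _ in range(length):
        bits.append(b(s))
        s = f(s)
    return bits, s


def bbs(x0, n, t):
    """BBS_{n,t}(x0) = b_0 ... b_{t-1}, x_{i+1} = x_i^2 mod n, b_i = lsb(x_i); also x_t."""
    return hardcore_prg(lambda x: x * x % n, lambda x: x & 1, x0, t)


def bbs_rewind(xt, t, p, q):
    """Trapdoor step: x_0 from x_t = x_0^(2^t) mod n, given the Blum primes p, q.

    On the quadratic residues modulo p squaring is a bijection with inverse
    z -> z^((p+1)/4), so t inverse squarings are one exponentiation by
    ((p+1)/4)^t (reduced mod p-1); the two prime parts are recombined by the CRT.
    """
    n = p * q
    dp = pow((p + 1) // 4, t, p - 1)
    dq = pow((q + 1) // 4, t, q - 1)
    rp, rq = pow(xt % p, dp, p), pow(xt % q, dq, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def bg_encrypt(w_bits, n, rng=None):
    """Cryptotext (x_t, w XOR BBS_{n,t}(x_0)) for a fresh random quadratic residue x_0."""
    rng = rng or random.SystemRandom()
    while True:
        x = rng.randrange(2, n)
        if math.gcd(x, n) == 1:
            break
    x0 = x * x % n                                  # random element of QR_n
    pad, xt = bbs(x0, n, len(w_bits))
    return xt, [wi ^ bi for wi, bi in zip(w_bits, pad)]


def bg_decrypt(xt, c_bits, p, q):
    """Legal user: recover x_0 through the trapdoor, regenerate the pad, unmask."""
    x0 = bbs_rewind(xt, len(c_bits), p, q)
    pad, _ = bbs(x0, p * q, len(c_bits))
    return [ci ^ bi for ci, bi in zip(c_bits, pad)]


if __name__ == "__main__":
    p, q = 10007, 10039                             # constructed toy Blum primes
    assert is_blum_prime(p) and is_blum_prime(q)
    n = p * q
    msg = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]      # constructed plaintext bits
    xt, ct = bg_encrypt(msg, n)
    print(ct, bg_decrypt(xt, ct, p, q) == msg)
```

Without p and q, recovering x_0 from x_t means extracting t successive square roots modulo n, which is as hard as factoring n; with them, bbs_rewind is two modular exponentiations and a CRT step.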
Decryption (Blum-Goldwasser): The legal user, knowing p and q, can compute x_0 from x_t, then BBS_{n,t}(x_0), and finally w.

HASH FUNCTIONS

Another very simple, fundamental and important cryptographic concept is that of hash functions. Hash functions h: {0,1}^* → {0,1}^m, or h: {0,1}^n → {0,1}^m with n ≫ m, map (very) long messages w into short ones, usually called message digests, hashes or fingerprints of w, in a way that has important cryptographic properties.

Digital signatures are one of the important applications of hash functions.
In most of the digital signature schemes, to be discussed in the next chapter, the length of a signature is at least as long as that of the message being signed. This is clearly a big disadvantage. To remedy this situation, the signing procedure is applied to a hash of the message rather than to the message itself. This is fine provided the hash function has the good cryptographic properties discussed next.

PROPERTIES GOOD HASH FUNCTIONS SHOULD HAVE I.

We now derive the basic properties cryptographically good hash functions should have, by analysing several possible attacks on their use.

Attack 1 If Eve gets a valid signature (w, y), where y = sig_k(h(w)), and she is able to find w' ≠ w such that h(w') = h(w), then (w', y), a forgery, would also be a valid signature. A cryptographically good hash function should therefore have the following weak collision-free property.

Definition 1. Let w be a message. A hash function h is weakly collision-free for w if it is computationally infeasible to find a w' ≠ w such that h(w') = h(w).

PROPERTIES GOOD HASH FUNCTIONS SHOULD HAVE II.

Attack 2 If Eve finds two messages w and w' such that h(w') = h(w), she can ask Alice to sign h(w) to get a signature s, and then Eve can create the forgery (w', s). A cryptographically good hash function should therefore have the following strong collision-free property.

Definition 2. A hash function h is strongly collision-free if it is computationally infeasible to find two elements w ≠ w' such that h(w) = h(w').

PROPERTIES HASH FUNCTIONS SHOULD HAVE III.

Attack 3 If Eve can obtain the signature s of a random z, and she can then find w such that z = h(w), then Eve can create the forgery (w, s).
To exclude such an attack, hash functions should have the following one-wayness property.

Definition 3. A hash function h is one-way if it is computationally infeasible to find, given z, a w such that h(w) = z.

One can show that if a hash function is strongly collision-free, then it is also one-way.

HASH FUNCTIONS and INTEGRITY of DATA

An important use of hash functions is to protect the integrity of data in the following way: The problem of protecting data of arbitrary length is reduced, using hash functions, to the problem of protecting the integrity of data of fixed (and small) length, namely their fingerprints.

In addition, to send a message w reliably through an unreliable (and cheap) channel, one also sends its (small) hash h(w) through a very secure (and therefore expensive) channel. The receiver, who also knows the hash function h being used, can then verify the integrity of the message w' he receives by computing h(w') and comparing h(w) and h(w').

EXAMPLES

Example 1 For a vector a = (a_1, ..., a_k) of integers let
H(a) = (Σ_{i=1}^{k} a_i) mod n,
where n is a product of two large integers. This hash function does not meet any of the three properties mentioned on the last slide.

Example 2 For a vector a = (a_1, ..., a_k) of integers let
H(a) = (Π_{i=1}^{k} a_i) mod n.
This function is one-way, but it is not weakly collision-free.
FINDING COLLISIONS with INVERSION ALGORITHM

Theorem Let h : X → Z be a hash function where X and Z are finite and |X| ≥ 2|Z|. If there is an inversion algorithm A for h, then there exists a randomized algorithm to find collisions.

Sketch of the proof. One can easily show that the following algorithm
1. Choose a random x ∈ X and compute z = h(x);
2. Compute x_1 = A(z);
3. If x_1 ≠ x, then x_1 and x collide (under h - success), else failure
has probability of success at least 1/2. Indeed, for x ∈ X let [x] be the set of elements having the same hash as x. The (deterministic) algorithm A returns one fixed element of [x], so for a given x the algorithm succeeds with probability (|[x]| − 1)/|[x]|. Averaging over the random choice of x, and using that the classes [x] partition X into at most |Z| parts, the success probability is at least (|X| − |Z|)/|X| ≥ 1/2.

VARIATIONS on BIRTHDAY PARADOX

It is well known that if there are 23 (29) [40] {57} <100> people in one room, then the probability that two of them have the same birthday is more than 50% (70%) [89%] {99%} <99.99997%>; this is called the Birthday paradox.

More generally, if we have n objects and r people, each choosing one object (so that several people can choose the same object), then if r ≈ 1.17√n (r ≈ √(2nλ)), the probability that two people choose the same object is 50% (1 − e^{−λ}).
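The randomized collision finder from the theorem above, as an added example that is not part of the lecture notes. It runs the three-step algorithm against a toy hash h : X → Z with |X| = 4|Z| (SHA-256 truncated to 12 bits on a 14-bit domain, an assumed toy instance) and simulates the inversion algorithm A with a precomputed preimage table, which is only possible because the domain is tiny. It also computes the exact success probability (|X| − number of classes)/|X| from the proof sketch and compares it with a sampled rate.

```python
import hashlib
import random

X_BITS = 14          # |X| = 2^14 inputs
Z_BITS = 12          # |Z| = 2^12 outputs, so |X| = 4|Z| >= 2|Z|


def h(x: int) -> int:
    """Toy hash X -> Z: SHA-256 of the 2-byte encoding of x, truncated to Z_BITS bits."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << Z_BITS) - 1)


# Deterministic "inversion algorithm" A: the smallest preimage of z, taken from a
# table that only a toy-sized domain makes possible (an assumed oracle, not an attack).
_PREIMAGE = {}
for _x in range(1 << X_BITS):
    _PREIMAGE.setdefault(h(_x), _x)


def A(z: int) -> int:
    return _PREIMAGE[z]


def collision_attempt(rng: random.Random):
    """One run of the randomized algorithm from the proof sketch.
    Returns (x, x1) on success and None on failure."""
    x = rng.randrange(1 << X_BITS)        # 1. random x in X, z = h(x)
    x1 = A(h(x))                          # 2. x1 = A(z)
    return (x, x1) if x1 != x else None   # 3. x1 != x  -> collision under h


def first_collision(seed: int = 7):
    """Repeat attempts until one succeeds; expected number of attempts is < 2."""
    rng = random.Random(seed)
    while True:
        c = collision_attempt(rng)
        if c is not None:
            return c


def exact_success_probability() -> float:
    """(|X| - number of classes [x]) / |X|: each class [x] contains exactly one
    element that A returns, so a random x succeeds with probability (|[x]|-1)/|[x]|."""
    classes = len({h(x) for x in range(1 << X_BITS)})
    return (2**X_BITS - classes) / 2**X_BITS


def empirical_success_rate(trials: int = 2000, seed: int = 1) -> float:
    rng = random.Random(seed)
    return sum(collision_attempt(rng) is not None for _ in range(trials)) / trials


if __name__ == "__main__":
    print("exact P[success]  =", exact_success_probability())
    print("sample P[success] =", empirical_success_rate())
    x, x1 = first_collision()
    print(f"collision: h({x}) = h({x1}) = {h(x)}")
```

Because |X| = 4|Z| here, the bound from the proof gives at least 3/4 rather than 1/2; the theorem's |X| ≥ 2|Z| is exactly what keeps the number of classes small relative to |X|.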
Another version of the birthday paradox: Let us have n objects and two groups of r people. If r ≈ √(λn), then the probability that someone from one group chooses the same object as someone from the other group is 1 − e^{−λ}.

BASIC DERIVATIONS related to BIRTHDAY PARADOX

For the probability p(n) that all n people in a room have birthdays on different days, it holds that
p(n) = Π_{i=1}^{n−1} (1 − i/365) = (Π_{i=0}^{n−1} (365 − i)) / 365^n = 365! / (365^n (365 − n)!).

This equation expresses the fact that for no person to share a birthday, the second person cannot have the same birthday as the first one, the third person cannot have the same birthday as the first two, and so on.
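The birthday computations above carried through in code, as an added example that is not part of the lecture notes: the exact p(n) for 365 days, the r ≈ √(2nλ) estimate (1.17√n for a 50% chance), and a birthday attack that finds a collision in a digest truncated to 32 bits (SHA-256 cut to 32 bits is an assumed toy digest; the messages are constructed counter strings).

```python
import hashlib
import math


def p_distinct(n: int, days: int = 365) -> float:
    """p(n) = prod_{i=1}^{n-1} (1 - i/days): all n birthdays are distinct."""
    p = 1.0
    for i in range(1, n):
        p *= 1 - i / days
    return p


def p_shared(n: int, days: int = 365) -> float:
    """1 - p(n): at least two of n people share a birthday."""
    return 1 - p_distinct(n, days)


def first_n_over_half(days: int = 365) -> int:
    """Smallest n for which the shared-birthday probability exceeds 0.5."""
    n = 1
    while p_shared(n, days) <= 0.5:
        n += 1
    return n


def expected_trials(n_objects: int, prob: float = 0.5) -> float:
    """r = sqrt(2 n lambda) with 1 - e^{-lambda} = prob (1.17 sqrt(n) for prob = 0.5)."""
    lam = -math.log(1 - prob)
    return math.sqrt(2 * n_objects * lam)


def truncated_digest(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its leading `bits` bits (toy digest size)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def birthday_attack(bits: int, limit: int = 1 << 24):
    """Hash distinct counter messages until two of them collide on `bits` bits.
    Returns (m1, m2, number_of_hashes) or None if `limit` hashes were not enough."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i            # constructed, pairwise distinct messages
        z = truncated_digest(m, bits)
        if z in seen:
            return seen[z], m, i + 1
        seen[z] = m
    return None


if __name__ == "__main__":
    print("P[shared birthday among 23] =", round(p_shared(23), 4))
    print("first n with P > 0.5:", first_n_over_half())
    print("hashes for a 50% collision on a 40-bit digest ~", round(expected_trials(2**40)))
    m1, m2, t = birthday_attack(32)
    print(f"32-bit collision after {t} hashes: {m1!r} {m2!r}")
```

For a 32-bit digest the attack needs about 1.17 · 2^16 ≈ 77000 hashes; scaling to 40 bits gives the "just over 2^20" figure quoted for digest sizes, and to 128 bits about 2^64, which is why 128 bits was regarded as the minimum.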
The probability p̄(n) that at least two persons have the same birthday is therefore
p̄(n) = 1 − p(n).
This probability is larger than 0.5 for the first time for n = 23.

HASH FUNCTION DOMAIN LOWER BOUND

The birthday paradox imposes a lower bound on the sizes of message digests (fingerprints). For example, a 40-bit message digest would be insecure, because a collision could be found with probability 0.5 with just over 2^20 random hashes. The minimum acceptable size of a message digest seems to be 128 bits, and therefore 160-bit digests are used in such important systems as DSS - Digital Signature Standard.

AN ALMOST GOOD HASH FUNCTION

We show an example of a hash function (the so-called Discrete Log Hash Function) that seems to have as its only drawback that it is too slow to be used in practice:

Let p be a large prime such that q = (p − 1)/2 is also prime and let α, β be two primitive roots modulo p. Denote a = log_α β (that is, β = α^a). h maps two integers smaller than q to an integer smaller than p: for m = x_0 + x_1 q, 0 ≤ x_0, x_1 ≤ q − 1,
h(x_0, x_1) = h(m) = α^{x_0} β^{x_1} (mod p).
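The Discrete Log Hash Function just defined, with the reduction that underlies its security (a collision reveals log_α β), as an added example that is not part of the lecture notes. The prime p = 1019 (with q = 509), the primitive root α = 2 and the secret exponent a = 101 are assumed toy parameters. Since finding a collision is infeasible by design, the demo constructs one from the secret a, which a real attacker does not have, and then recovers a from the collision alone.

```python
import math

p = 1019                 # prime with q = (p-1)/2 = 509 also prime (safe prime)
q = (p - 1) // 2
alpha = 2                # primitive root modulo 1019 (checked below)
secret_a = 101           # beta = alpha^a; the logarithm the hash is meant to hide
beta = pow(alpha, secret_a, p)


def is_primitive_root(g: int) -> bool:
    # p-1 = 2q, so g is primitive iff g^2 != 1 and g^q != 1 (mod p)
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


assert is_primitive_root(alpha) and is_primitive_root(beta)


def h(x0: int, x1: int) -> int:
    """h(x0, x1) = alpha^x0 * beta^x1 mod p for 0 <= x0, x1 <= q-1."""
    assert 0 <= x0 < q and 0 <= x1 < q
    return pow(alpha, x0, p) * pow(beta, x1, p) % p


def forge_collision(x0: int, x1: int, a: int, shift: int = 1):
    """Using the secret a, build (x0', x1') != (x0, x1) with the same hash:
    beta^x1 = alpha^{a*shift} * beta^{x1 - shift}, so move `shift` beta-exponents
    onto alpha.  Only valid while both new exponents stay inside [0, q)."""
    x0p, x1p = x0 + a * shift, x1 - shift
    if not (0 <= x0p < q and 0 <= x1p < q):
        raise ValueError("shift leaves the domain; pick other inputs")
    return x0p, x1p


def log_from_collision(m1, m2) -> int:
    """Given h(m1) == h(m2) with m1 != m2, return a = log_alpha(beta).
    alpha^{x0-y0} = beta^{y1-x1} = alpha^{a(y1-x1)}  =>  x0-y0 = a(y1-x1) (mod p-1)."""
    (x0, x1), (y0, y1) = m1, m2
    lhs = (x0 - y0) % (p - 1)
    k = (y1 - x1) % (p - 1)
    g = math.gcd(k, p - 1)            # 0 < |y1-x1| < q, so g is 1 or 2
    mod = (p - 1) // g
    cand = (lhs // g) * pow(k // g, -1, mod) % mod
    for a in (cand, cand + mod):      # two candidates when g == 2
        if pow(alpha, a, p) == beta:
            return a % (p - 1)
    raise ValueError("inputs do not collide")


if __name__ == "__main__":
    m1 = (50, 7)
    m2 = forge_collision(*m1, secret_a)
    print("h(m1) =", h(*m1), " h(m2) =", h(*m2))
    print("recovered log_alpha(beta) =", log_from_collision(m1, m2))
```

The two-candidate step is the only subtlety: when y1 − x1 is even, the congruence is solvable only modulo q, and the right candidate is picked by checking α^a = β. Inverting h for a given target is, by the same algebra, at least as hard as computing this logarithm.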
To show that h is one-way and collision-free, the following fact can be used:

FACT: If we know different messages m_1 and m_2 such that h(m_1) = h(m_2), then we can compute log_α β.

EXTENDING HASH FUNCTIONS

Let h : {0,1}^m → {0,1}^t be a strongly collision-free hash function, where m > t + 1. We now design a strongly collision-free hash function
h* : ∪_{i=m}^{∞} {0,1}^i → {0,1}^t.

Let a bit string x, |x| = n ≥ m, have the decomposition x = x_1 || x_2 || ... || x_k, where |x_i| = m − t − 1 if i < k and |x_k| = m − t − 1 − d for some d. (Hence k = ⌈n/(m − t − 1)⌉.) h* is computed as follows:
1. for i = 1 to k − 1 do y_i := x_i;
2. y_k := x_k || 0^d;
3. y_{k+1} := binary representation of d (as an (m − t − 1)-bit string);
4. g_1 := h(0^{t+1} || y_1);
5. for i = 1 to k do g_{i+1} := h(g_i || 1 || y_{i+1});
6. h*(x) := g_{k+1}.

HASH FUNCTIONS from CRYPTOSYSTEMS

Let us have a computationally secure cryptosystem with plaintexts, keys and cryptotexts being binary strings of a fixed length n and with encryption function e_k. If x = x_1 || x_2 || ... || x_k is the decomposition of x into substrings of length n, g_0 is a random string, and g_i = f(x_i, g_{i−1}) for i = 1, ..., k, where f is a function that "incorporates" the encryption function e_k of the cryptosystem, then h(x) = g_k.
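The extension h* from EXTENDING HASH FUNCTIONS above, implemented literally over bit strings, as an added example that is not part of the lecture notes. The fixed-size function h is assumed to be SHA-256 of an m-bit block truncated to t bits, with m = 128 and t = 64 (so each message block y_i has m − t − 1 = 63 bits); nothing else is assumed. The example also shows why step 3 matters: x and x || 0 produce the same padded block y_k and differ only in the length block y_{k+1}.

```python
import hashlib

M, T = 128, 64            # h : {0,1}^M -> {0,1}^T, with M > T + 1
CHUNK = M - T - 1         # 63 bits of message per block


def h(bits: str) -> str:
    """Assumed fixed-size hash: SHA-256 of the M-bit block, truncated to T bits."""
    assert len(bits) == M and set(bits) <= {"0", "1"}
    raw = int(bits, 2).to_bytes(M // 8, "big")
    digest = hashlib.sha256(raw).digest()[: T // 8]
    return format(int.from_bytes(digest, "big"), f"0{T}b")


def h_star(x: str) -> str:
    """h* on any bit string of length n >= M, following steps 1-6."""
    n = len(x)
    assert n >= M and set(x) <= {"0", "1"}
    k = -(-n // CHUNK)                                  # ceil(n / CHUNK)
    xs = [x[i * CHUNK:(i + 1) * CHUNK] for i in range(k)]
    d = CHUNK - len(xs[-1])                             # |x_k| = CHUNK - d
    ys = xs[:-1]                                        # 1. y_i := x_i for i < k
    ys.append(xs[-1] + "0" * d)                         # 2. y_k := x_k || 0^d
    ys.append(format(d, f"0{CHUNK}b"))                  # 3. y_{k+1} := binary d
    g = h("0" * (T + 1) + ys[0])                        # 4. g_1 := h(0^{t+1} || y_1)
    for y in ys[1:]:                                    # 5. g_{i+1} := h(g_i || 1 || y_{i+1})
        g = h(g + "1" + y)
    return g                                            # 6. h*(x) := g_{k+1}


def bytes_to_bits(b: bytes) -> str:
    return "".join(format(c, "08b") for c in b)


if __name__ == "__main__":
    x = bytes_to_bits(b"hello, world!!!!")              # 128 bits -> k = 3, d = 61
    print("h*(x)      =", h_star(x))
    print("h*(x || 0) =", h_star(x + "0"))              # same y_k, different y_{k+1}
```

A collision for h* on two inputs of different d forces a collision of h on the last blocks; with equal d it propagates backwards block by block to a collision of h, which is the argument that h* inherits the strong collision-free property of h.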
For example, the following two functions have such good properties:
f(x_i, g_{i−1}) = e_{g_{i−1}}(x_i) ⊕ x_i
f(x_i, g_{i−1}) = e_{g_{i−1}}(x_i) ⊕ x_i ⊕ g_{i−1}

PRACTICALLY USED HASH FUNCTIONS

A variety of hash functions has been constructed. Very often used hash functions are MD4 and MD5 (created by Rivest in 1990 and 1991 and producing a 128-bit message digest). NIST even published, as a standard, in 1993, SHA (Secure Hash Algorithm), producing a 160-bit message digest and based on similar ideas as MD4 and MD5.

A hash function is called secure if it is strongly collision-free.

One of the most important cryptographic results of recent years is due to the Chinese cryptographer Xiaoyun Wang, who showed that MD4 is not cryptographically secure.

RANDOMIZED VERSION of RSA-LIKE CRYPTOSYSTEM

The scheme works for any trapdoor function (as in the case of RSA) f : D → D, D ⊆ {0,1}^n, for any pseudorandom generator G : {0,1}^k → {0,1}^l, k << l, and any hash function h : {0,1}^l → {0,1}^k, where n = l + k. Given a random seed s ∈ {0,1}^k as input, G generates a pseudorandom bit-sequence of length l.

Encryption of a message m ∈ {0,1}^l is done as follows:
1. A random string r ∈ {0,1}^k is chosen.
2. Set x = (m ⊕ G(r)) || (r ⊕ h(m ⊕ G(r))). (If x ∉ D, go to step 1.)
3. Compute the encryption c = f(x); the length of x and of c is n.
Decryption of a cryptotext c:
1. Compute f^{−1}(c) = a || b, |a| = l and |b| = k.
2. Set r = h(a) ⊕ b and get m = a ⊕ G(r).

Comment The operation "||" stands for the concatenation of strings.

BLUM-GOLDWASSER CRYPTOSYSTEM ONCE MORE

Private key: Blum primes p and q.
Public key: n = pq.

Encryption of x ∈ {0,1}^m:
1. Randomly choose s_0 ∈ {1, ..., n − 1}.
2. For i = 1, 2, ..., m + 1 compute s_i ← s_{i−1}^2 mod n and σ_i = lsb(s_i).
The cryptotext is (s_{m+1}, y), where y = x ⊕ σ_1 σ_2 ... σ_m.
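The randomized RSA-like scheme above (steps 1-3 of encryption and the two decryption steps), as an added example that is not part of the lecture notes. The instantiation is assumed for the demonstration only: f is textbook RSA with the Mersenne primes 2^61 − 1 and 2^89 − 1 (a 150-bit modulus), G expands a k = 32-bit seed to l = 118 bits with SHA-256 in counter mode, and h is SHA-256 truncated to k bits. These sizes are far too small for real use; the point is the padding structure, in particular that the same message encrypts to different cryptotexts and that decryption recovers r before m.

```python
import hashlib
import secrets

P, Q = 2**61 - 1, 2**89 - 1          # Mersenne primes (toy trapdoor parameters)
N = P * Q                            # 150-bit RSA modulus; D = {x : 0 <= x < N}
E = 65537
D_EXP = pow(E, -1, (P - 1) * (Q - 1))
N_BITS = N.bit_length()              # n = l + k = 150
K = 32                               # |r| = |h(.)| = k bits
L = N_BITS - K                       # |m| = l = 118 bits


def G(seed: int) -> int:
    """Pseudorandom generator {0,1}^k -> {0,1}^l: SHA-256 in counter mode."""
    out, ctr = b"", 0
    while len(out) * 8 < L:
        out += hashlib.sha256(seed.to_bytes(K // 8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - L)


def h(a: int) -> int:
    """Hash {0,1}^l -> {0,1}^k: SHA-256 truncated to k bits."""
    return int.from_bytes(hashlib.sha256(a.to_bytes(-(-L // 8), "big")).digest()[: K // 8], "big")


def f(x: int) -> int:          # trapdoor function (RSA forward direction)
    return pow(x, E, N)


def f_inv(c: int) -> int:      # trapdoor inverse, needs the private exponent
    return pow(c, D_EXP, N)


def encrypt(m: int, r=None) -> int:
    assert 0 <= m < 1 << L
    while True:
        if r is None:
            r = secrets.randbits(K)                   # 1. random r in {0,1}^k
        a = m ^ G(r)                                  # m xor G(r)
        b = r ^ h(a)                                  # r xor h(m xor G(r))
        x = (a << K) | b                              # 2. x = a || b
        if x < N:                                     #    x in D ?
            return f(x)                               # 3. c = f(x)
        r = None                                      #    else go to step 1


def decrypt(c: int) -> int:
    x = f_inv(c)                                      # f^{-1}(c) = a || b
    a, b = x >> K, x & ((1 << K) - 1)
    r = h(a) ^ b                                      # r = h(a) xor b
    return a ^ G(r)                                   # m = a xor G(r)


if __name__ == "__main__":
    m = int.from_bytes(b"attack at dawn", "big")      # constructed 112-bit message
    c1, c2 = encrypt(m), encrypt(m)
    print("same message, different cryptotexts:", c1 != c2)
    print("decrypts correctly:", decrypt(c1) == m and decrypt(c2) == m)
```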
Decryption of the cryptotext (r, y):
1. Let d = 2^{−m} mod ((p − 1)(q − 1)/4). (Since p and q are Blum primes, (p − 1)(q − 1)/4 is odd, so this inverse exists, and s^{(p−1)(q−1)/4} ≡ 1 (mod n) for every s ∈ QR_n.)
2. Let s_1 = r^d mod n.
3. For i = 1, ..., m compute σ_i = lsb(s_i) and s_{i+1} ← s_i^2 mod n.
The plaintext x can then be computed as y ⊕ σ_1 σ_2 ... σ_m.

APPENDIX

GLOBAL GOALS of CRYPTOGRAPHY

Cryptosystems and encryption/decryption techniques are only one part of modern cryptography. The general goal of modern cryptography is the construction of schemes which are robust against malicious attempts to make these schemes deviate from their prescribed functionality.

The fact that an adversary can design its attacks after the cryptographic scheme has been specified makes the design of such cryptographic schemes very difficult: schemes should be secure under all possible attacks.

In the next chapters several of the most important basic functionalities, and the design of secure systems for them, will be considered. For example: digital signatures, user and message authentication, ...

Moreover, such basic primitives as zero-knowledge proofs, needed to deal with general cryptography problems, will also be presented and discussed. We will also discuss cryptographic protocols for a variety of important applications, for example for voting, digital cash, ...

BLUM INTEGERS

■ An integer n is a Blum integer if n = pq, where p, q are primes congruent to 3 modulo 4, that is, primes of the form 4k + 3 for some integer k.
■ If n is a Blum integer, then each x ∈ QR(n) has 4 square roots and exactly one of them is in QR(n), the so-called principal square root of x modulo n.
■ The function f : QR(n) → QR(n) defined by f(x) = x^2 mod n is a permutation.
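Blum-Goldwasser encryption and decryption as described in the two slides above, together with a check of the square-root property of Blum integers, as an added example that is not part of the lecture notes. The Blum primes are assumed to be the Mersenne primes 2^89 − 1 and 2^107 − 1 (both ≡ 3 mod 4), demo sizes rather than real ones. Decryption uses d = 2^{−m} mod ((p − 1)(q − 1)/4), which exists because that modulus is odd, and recovers s_1 directly from s_{m+1}.

```python
import math
import secrets

P, Q = 2**89 - 1, 2**107 - 1           # Blum primes (assumed demo parameters)
assert P % 4 == 3 and Q % 4 == 3
N = P * Q                              # public key
LAMBDA = (P - 1) * (Q - 1) // 4        # odd; s^LAMBDA = 1 (mod n) for every s in QR_n


def lsb(s: int) -> int:
    return s & 1


def bg_encrypt(x_bits: str, s0=None):
    """Encrypt the bit string x; returns (s_{m+1}, y)."""
    m = len(x_bits)
    while s0 is None or math.gcd(s0, N) != 1:
        s0 = secrets.randbelow(N - 1) + 1              # 1. random s_0 in {1,...,n-1}
    s, keystream = s0, []
    for _ in range(m + 1):                             # 2. s_i = s_{i-1}^2, sigma_i = lsb(s_i)
        s = s * s % N
        keystream.append(lsb(s))
    y = "".join(str(int(b) ^ k) for b, k in zip(x_bits, keystream[:m]))
    return s, y                                        # (s_{m+1}, x xor sigma_1..sigma_m)


def bg_decrypt(r: int, y: str) -> str:
    """Decrypt (r, y) = (s_{m+1}, y) with the private key (p, q)."""
    m = len(y)
    d = pow(2, -m, LAMBDA)                             # 1. d = 2^{-m} mod (p-1)(q-1)/4
    s = pow(r, d, N)                                   # 2. s_1 = r^d mod n
    x = []
    for b in y:                                        # 3. sigma_i = lsb(s_i), s_{i+1} = s_i^2
        x.append(str(int(b) ^ lsb(s)))
        s = s * s % N
    return "".join(x)


def square_roots(x: int):
    """The four square roots modulo the Blum integer n of x in QR_n, via CRT."""
    rp = pow(x, (P + 1) // 4, P)                       # root mod p (p = 3 mod 4)
    rq = pow(x, (Q + 1) // 4, Q)                       # root mod q
    roots = []
    for a in (rp, P - rp):
        for b in (rq, Q - rq):
            roots.append((a * Q * pow(Q, -1, P) + b * P * pow(P, -1, Q)) % N)
    return roots


def is_qr(r: int) -> bool:
    """r in QR_n iff r is a quadratic residue modulo both p and q (Euler's criterion)."""
    return pow(r, (P - 1) // 2, P) == 1 and pow(r, (Q - 1) // 2, Q) == 1


def principal_root_count(x: int) -> int:
    """How many of the four roots lie in QR_n; exactly one for a Blum integer."""
    return sum(is_qr(r) for r in square_roots(x))


if __name__ == "__main__":
    x = "1011001110001111"
    s_last, y = bg_encrypt(x)
    print("y =", y, " recovered:", bg_decrypt(s_last, y))
    print("principal roots of a residue:", principal_root_count(pow(12345, 2, N)))
```

The single principal root is what makes squaring a permutation of QR_n and lets the receiver walk the BBS sequence backwards from s_{m+1}; with the exponent computed modulo φ(n) instead, no inverse of 2 would exist, since φ(n) is even.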
prof. Jozef Gruska IV054 7. Digital signatures

CHAPTER 7: DIGITAL SIGNATURES

Digital signatures are one of the most important inventions/applications of modern cryptography. The problem is how a user can sign a message such that everybody (or the intended addressee only) can verify the digital signature, and such that the signature is good enough also for legal purposes.

Example: Assume that each user A uses a public-key cryptosystem (e_A, d_A).
A way to sign a message w by a user A so that any user can verify the signature: d_A(w)
A way to sign a message w by a user A so that only user B can verify the signature: e_B(d_A(w))

Example Assume Alice succeeds in factoring the integer Bob used, as a modulus, to sign his will with RSA 20 years ago. Even if the key has already expired, Alice can rewrite Bob's will, leaving the fortune to her, and date it 20 years ago.
Moral: It may pay off to factor a single integer using many years of many computers' power.

DIGITAL SIGNATURES - BASIC GOALS

Digital signatures should be such that each user is able to verify the signatures of other users, but that should give him/her no information on how to sign a message on behalf of other users.

An important difference from a handwritten signature is that the digital signature of a message is always intimately connected with the message, and is different for different messages, whereas a handwritten signature is adjoined to the message and always looks the same.
Technically, digital signing is performed by a signing algorithm and a digital signature is verified by a verification algorithm. A copy of a digital signature is identical to the original, whereas a copy of a classical signature is usually distinguishable from it. Care therefore has to be taken that digital signatures are not misused.

This chapter contains some of the main techniques for the design and verification of digital signatures (as well as some possible attacks on them).

DIGITAL SIGNATURES - OBSERVATION

Can we make digital signatures by digitalizing our usual signature and attaching it to the messages (documents) that need to be signed? No, because such signatures could easily be removed and attached to some other documents or messages.

Key observation: Digital signatures have to depend not only on the signer, but also on the message that is being signed.

A SCHEME of DIGITAL SIGNATURE SYSTEMS - SIMPLIFIED VERSION

A digital signature system (DSS) consists of:
■ P - the space of possible plaintexts (messages).
■ S - the space of possible signatures.
■ K - the space of possible keys.
■ For each k ∈ K there is a signing algorithm sig_k and a corresponding verification algorithm ver_k such that
  sig_k : P → S,
  ver_k : P × S → {true, false}, and
  ver_k(w, s) = true if s = sig_k(w), and false otherwise.
Algorithms sig_k and ver_k should be computable in polynomial time. The verification algorithm can be publicly known; the signing algorithm (actually only its key) should be kept secret.

DIGITAL SIGNATURE SCHEMES I

Digital signature schemes are basic tools for authentication and non-repudiation of messages. A digital signature scheme allows anyone to verify a signature of any sender S without providing any information on how to generate signatures of S.

A Digital Signature Scheme (M, S, K_s, K_v) is given by:
M - a set of messages to be signed
S - a set of possible signatures
K_s - a set of private keys for signing
K_v - a set of public keys for verification
Moreover, it is required that:
■ For each k from K_s there exists a single and easy to compute signing mapping sig_k : {0,1}* × M → S
■ For each k from K_v there exists a single and easy to compute verification mapping ver_k : M × S → {true, false}
such that the following two conditions are satisfied:

DIGITAL SIGNATURE SCHEMES II

Correctness: For each message m from M and public key k in K_v, it holds that ver_k(m, s) = true if there is an r from {0,1}* such that s = sig_l(r, m) for the private key l from K_s corresponding to the public key k.

Security: For any w from M and k in K_v, it is computationally infeasible, without knowledge of the private key corresponding to k, to find a signature s from S such that ver_k(w, s) = true.

A COMMENT ON DIGITAL SIGNATURE SCHEMES

Sometimes it is said that a digital signature scheme also contains a key generation algorithm that selects uniformly at random a secret key (from a set of potential secret keys) and outputs this secret key together with the corresponding public key.

ATTACK MODELS on DIGITAL SIGNATURES

Basic attack models
KEY-ONLY ATTACK: The attacker is only given the public verification key.
KNOWN SIGNATURES ATTACK: The attacker is given valid signatures for several messages known but not chosen by the attacker.
CHOSEN SIGNATURES ATTACK: The attacker is given valid signatures for several messages chosen by the attacker.
BASIC ATTACKS on DIGITAL SIGNATURES

Total break of a signature scheme: The adversary manages to recover the secret key from the public key.
Universal forgery: The adversary can derive from the public key an algorithm which allows forging the signature of any message.
Selective forgery: The adversary can derive from the public key a method to forge signatures of selected messages (where the selection was made prior to the knowledge of the public key).
Existential forgery: The adversary is able to create from the public key a valid signature of some message m (but has no control over which m).

A DIGITAL SIGNATURE of one BIT

Let us start with a very simple but quite illustrative (though non-practical) example of how to sign a single bit.
Design of the signature scheme: A one-way function f(x) is chosen. Two integers k_0 and k_1 are chosen and kept secret by the signer, and three items f, (0, s_0), (1, s_1) are made public, where s_0 = f(k_0), s_1 = f(k_1).

Signature of a bit b: (b, k_b).
Verification of such a signature: s_b = f(k_b)?

SECURITY?

RSA SIGNATURES and ATTACKS on them

Let us have an RSA cryptosystem with encryption and decryption exponents e and d and modulus n.

Signing of a message w: s = (w, σ), where σ = w^d mod n
Verification of a signature s = (w, σ): w = σ^e mod n?

Attacks
■ It might happen that Bob accepts a signature not produced by Alice.
Indeed, let Eve, using Alice's public key, choose a w, compute w^e, and claim that (w^e, w) is a message signed by Alice. Everybody verifying Alice's signature gets w^e = w^e.
■ Some new signatures can be produced without knowing the secret key. Indeed, if σ_1 and σ_2 are signatures for w_1 and w_2, then σ_1 σ_2 and σ_1^{−1} are signatures for w_1 w_2 and w_1^{−1}.

ENCRYPTIONS versus SIGNATURES

Let each user U use a cryptosystem with encryption and decryption algorithms e_U, d_U. Let w be a message.

PUBLIC-KEY ENCRYPTIONS
Encryption: e_U(w)
Decryption: d_U(e_U(w))

PUBLIC-KEY SIGNATURES
Signing: d_U(w)
Verification of the signature: e_U(d_U(w))

FROM PKC to DSS - again

Any public-key cryptosystem in which the plaintext and cryptotext spaces are the same can be used for digital signatures.
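The one-bit signature scheme and the two attacks on plain RSA signatures from the slides above, as an added example that is not part of the lecture notes. The one-way function f is assumed to be SHA-256 over a 32-byte encoding of k; the RSA modulus is assumed to be the product of the Mersenne primes 2^61 − 1 and 2^89 − 1 with e = 65537 (demo sizes only). The existential forgery picks σ first and declares w = σ^e; the multiplicative forgery combines two legitimate signatures. Both pass verification, which is why real schemes sign a hash with structured padding rather than the raw message.

```python
import hashlib
import secrets

# --- one-bit signature -----------------------------------------------------

def f(k: int) -> bytes:
    """Assumed one-way function: SHA-256 of the 32-byte encoding of k."""
    return hashlib.sha256(k.to_bytes(32, "big")).digest()


def onebit_keygen():
    k0, k1 = secrets.randbits(256), secrets.randbits(256)   # secret k_0, k_1
    return (k0, k1), (f(k0), f(k1))                         # public (s_0, s_1)


def onebit_sign(secret, b: int):
    return (b, secret[b])                                   # (b, k_b)


def onebit_verify(public, sig) -> bool:
    b, kb = sig
    return b in (0, 1) and f(kb) == public[b]               # s_b = f(k_b)?


# --- RSA signatures and the two attacks ------------------------------------

P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))                           # Alice's secret exponent


def rsa_sign(w: int):
    return (w, pow(w, D, N))                                # s = (w, sigma), sigma = w^d


def rsa_verify(s) -> bool:
    w, sigma = s
    return pow(sigma, E, N) == w % N                        # w = sigma^e mod n?


def existential_forgery(sigma: int):
    """Eve chooses sigma and claims (sigma^e mod n, sigma) was signed by Alice."""
    return (pow(sigma, E, N), sigma)


def multiplicative_forgery(s1, s2):
    """From valid signatures of w1 and w2, a valid signature of w1*w2 mod n."""
    (w1, sig1), (w2, sig2) = s1, s2
    return (w1 * w2 % N, sig1 * sig2 % N)


def inverse_forgery(s):
    """From a valid signature of w (coprime to n), a valid signature of w^{-1} mod n."""
    w, sigma = s
    return (pow(w, -1, N), pow(sigma, -1, N))


if __name__ == "__main__":
    sk, pk = onebit_keygen()
    print("one-bit signature of 1 verifies:", onebit_verify(pk, onebit_sign(sk, 1)))
    print("forged (sigma^e, sigma) verifies:", rsa_verify(existential_forgery(424242)))
    s = multiplicative_forgery(rsa_sign(3), rsa_sign(5))
    print("sigma_3 * sigma_5 signs 15:", rsa_verify(s) and s[0] == 15)
```

Note the one-bit scheme is strictly one-time: after (b, k_b) is published the signer can still sign only the same bit with that key pair, and a second key pair is needed for every further bit.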
Signing of a message w by a user A so that any user can verify the signature: dA(w). Signing of a message w by a user A so that only user B can verify the signature: ee (dA(w)). prof. Jozef Gruska IV054 7. Digital signatures 272/616 FROM PKC to DSS - again Any public-key cryptosystem in which the plaintext and cryptotext space are the same, can be used for digital signature. Signing of a message w by a user A so that any user can verify the signature: c/a(w). Signing of a message w by a user A so that only user B can verify the signature: ee (dA(w)). Sending a message w and a signed message digest of w obtained by using a (standard) hash function h: (w, d^(h(w))). prof. Jozef Gruska IV054 7. Digital signatures 272/616 FROM PKC to DSS - again Any public-key cryptosystem in which the plaintext and cryptotext space are the same, can be used for digital signature. Signing of a message w by a user A so that any user can verify the signature: d^(w). Signing of a message w by a user A so that only user B can verify the signature: ee (dA(w)). Sending a message w and a signed message digest of w obtained by using a (standard) hash function h: (w, d^(h(w))). If only signature (but not the encryption of the message) are of importance, then it suffices that Alice sends to Bob prof. Jozef Gruska IV054 7. Digital signatures 272/616 ElGamal SIGNATURES Design of the ElGamal digital signature system: choose: prime p, integers 1 < q < x < p, where q is a primitive element of Zp; Compute: y = qx mod p key K = (p, q, x, y) public key (p, q, y) - trapdoor: x prof. Jozef Gruska IV054 7. Digital signatures 273/616 ElGamal SIGNATURES Design of the ElGamal digital signature system: choose: prime p, integers 1 < q < x < p, where q is a primitive element of Zp; Compute: y = qx mod p key K = (p, q, x, y) public key (p, q, y) - trapdoor: x Signature of a message w: Let r e Z*_! be randomly chosen and kept secret. sig(w, r) = (a, b), where a = qr mod p and b = (w — xa)r-1 (mod (p — 1)). prof. 
Jozef Gruska IV054 7. Digital signatures 273/616 ElGamal SIGNATURES Design of the ElGamal digital signature system: choose: prime p, integers 1 < q < x < p, where q is a primitive element of Zp; Compute: y = qx mod p key K = (p, q, x, y) public key (p, q, y) - trapdoor: x Signature of a message w: Let r e Z*_1 be randomly chosen and kept secret. sig(w, r) = (a, b), where a = qr mod p and b = (w — xa)r -1 (mod (p — 1)). Verification: accept a signature (a,b) of w as valid if yaab = qw (mod p) (Indeed: yaab = qaxqrb = qax+w - ax+k(p -1) = qw (mod p)) prof. Jozef Gruska IV054 7. Digital signatures 273/616 ElGamal SIGNATURE - EXAMPLE Example choose: p = 11, q = 2, x = 8 compute: y = 28 mod 11 = 3 w = 5 is signed as (a,b), where a = qr mod p, w = xa + rb mod (p — 1) choose r = 9 - (this choice is O.K. because gcd(9, 10) = 1) compute a = 29 mod 11 = 6 solve equation: 5 = 8 • 6 + 9b (mod 10) that is 7 = 9b (mod 10) == b=3 signature: (6, 3) prof. Jozef Gruska IV054 7. Digital signatures 274/616 SECURITY of ElGamal SIGNATURES Let us analyze several ways an eavesdropper Eve can try to forge ElGamal signature (with x - secret; p, q and y = qx mod p - public): sig(w, r) = (a, b); where r is random and a = qr mod p; b = (w — xa)r-1 (mod p — 1). T| First suppose Eve tries to forge signature for a new message w, without knowing x. ■ If Eve first chooses a value a and tries to find the corresponding b, it has to compute the discrete logarithm (because ab = qr(w-xa)r-1 = qw-xa = qwy-a) what is infeasible. ■ If Eve first chooses b and then tries to find a, she has to solve the equation yaab = qxaqrb = qw (mod p). It is not known whether this equation can be solved for any given b efficiently. prof. Jozef Gruska IV054 7. 
Digital signatures 275/616 SECURITY of ElGamal SIGNATURES Let us analyze several ways an eavesdropper Eve can try to forge ElGamal signature (with x - secret; p, q and y = qx mod p - public): sig(w, r) = (a, b); where r is random and a = qr mod p; b = (w — xa)r-1 (mod p — 1). T| First suppose Eve tries to forge signature for a new message w, without knowing x. ■ If Eve first chooses a value a and tries to find the corresponding b, it has to compute the discrete logarithm (because ab = qr(w-xa)r-1 = qw-xa = qwy-a) what is infeasible. ■ If Eve first chooses b and then tries to find a, she has to solve the equation yaab = qxaqrb = qw (mod p). It is not known whether this equation can be solved for any given b efficiently. ^ If Eve chooses a and b and tries to determine such w that (a,b) is signature of w, then she has to compute discrete logarithm Igq y aab. Hence, Eve can not sign a "random" message this way. prof. Jozef Gruska IV054 7. Digital signatures 275/616 FORGING and MISUSING of ElGamal SIGNATURES There are ways to produce, using ElGamal signature scheme, some valid forged signatures, but they do not allow an opponent to forge signatures on messages of his/her choice. For example, if 0 < ;, j < p — 2 and gcd(j, p - 1) = 1, then for a = q;yj mod p; b = — aj-1 mod (p — 1); w = — ay-1 mod (p — 1) the pair (a, b) is a valid signature of the message w. This can be easily shown by checking the verification condition. There are several ways ElGamal signatures can be broken if they are not used carefully enough. For example, the random r used in the signature should be kept secret. Otherwise the system can be broken and signatures forged. Indeed, if r is known, then x can be computed by x = (w — rb)a-1 mod (p — 1) and once x is known Eve can forge signatures at will. Another misuse of the ElGamal signature system is to use the same r to sign two messages. In such a case x can be computed and the system can be broken. prof. Jozef Gruska IV054 7. 
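The ElGamal scheme, the slides' worked example (p = 11, q = 2, x = 8, w = 5, r = 9) and the stated consequence of a leaked r, as an added Python example that is not part of the lecture notes; the function names are this example's own, and the recovery routine also covers the case gcd(a, p − 1) > 1, where the slide's formula x = (w − rb)a^{-1} has no single solution and the public y selects the right candidate (the slide's own example has a = 6 with p − 1 = 10).

```python
"""ElGamal signatures: sign, verify, and the 'r must stay secret' caveat.

Added example; not the lecture's own code. p=11, q=2, x=8, w=5, r=9 are the
slides' worked values; the function names are this example's own.
"""
from math import gcd
import secrets


def elgamal_sign(p, q, x, w, r):
    """sig(w, r) = (a, b): a = q^r mod p, b = (w - x*a) * r^-1 mod (p-1)."""
    if not (1 <= r < p - 1) or gcd(r, p - 1) != 1:
        raise ValueError("r must lie in Z*_{p-1}, i.e. be invertible mod p-1")
    a = pow(q, r, p)
    b = ((w - x * a) * pow(r, -1, p - 1)) % (p - 1)
    return a, b


def elgamal_sign_fresh(p, q, x, w):
    """Normal use: a fresh random r for every signature."""
    while True:
        r = secrets.randbelow(p - 2) + 1          # 1 <= r <= p-2
        if gcd(r, p - 1) == 1:
            return elgamal_sign(p, q, x, w, r)


def elgamal_verify(p, q, y, w, sig):
    """Accept (a, b) iff y^a * a^b == q^w (mod p); a must be in 1..p-1."""
    a, b = sig
    if not (0 < a < p):
        return False
    return (pow(y, a, p) * pow(a, b, p)) % p == pow(q, w, p)


def recover_x_from_leaked_r(p, q, y, w, sig, r):
    """The slide's caveat made concrete: a leaked r gives x from one signature.

    From b = (w - x*a) r^-1 we get a*x = w - r*b (mod p-1). When
    gcd(a, p-1) = 1 this is the slide's x = (w - r*b) a^-1; otherwise the
    congruence has gcd(a, p-1) solutions and the public y selects the real one
    (the slide's own example has a = 6 with p-1 = 10, hence two candidates).
    Returns None if no candidate matches y.
    """
    a, b = sig
    n = p - 1
    rhs = (w - r * b) % n
    g = gcd(a, n)
    if rhs % g != 0:
        return None
    n_g = n // g
    x0 = ((rhs // g) * pow(a // g, -1, n_g)) % n_g if n_g > 1 else 0
    for i in range(g):
        cand = x0 + i * n_g
        if pow(q, cand, p) == y:
            return cand
    return None
```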
From ElGamal to DSA (DIGITAL SIGNATURE STANDARD)

DSA, accepted in 1994, is a modification of the ElGamal digital signature scheme. It was proposed in August 1991 and adopted in December 1994.

Any proposal for a digital signature standard has to go through very careful scrutiny. Why?

Encryption of a message is usually done only once, and therefore it usually suffices to use a cryptosystem that is secure at the time of the encryption. On the other hand, a signed message could be a contract or a will, and it can happen that its signature will need to be verified many years after the message was signed.

Since the ElGamal signature is no more secure than the discrete logarithm, it is necessary to use a large p, with at least 512 bits. However, with ElGamal this would lead to signatures with at least 1024 bits, which is too much for such applications as smart cards.

DIGITAL SIGNATURE STANDARD I

In December 1994, on the proposal of the National Institute of Standards and Technology, the following Digital Signature Algorithm (DSA) was accepted as a standard.

Design of DSA
1. The following global public key components are chosen:
■ p - a random l-bit prime, 512 ≤ l ≤ 1024, l = 64k.
■ q - a random 160-bit prime dividing p − 1.
■ r = h^{(p−1)/q} mod p, where h is a random primitive element of Z_p, such that r > 1, i.e. r ≠ 1 (observe that r is a q-th root of 1 mod p).
2. The following user's private key component is chosen:
■ x - a random integer (once), 0 < x < q.
3. The following value is also made public:
■ y = r^x mod p.
4. The key is K = (p, q, r, x, y).

DIGITAL SIGNATURE STANDARD II

Signing and Verification

Signing of a 160-bit plaintext w
■ choose random 0 < k < q
■ compute a = (r^k mod p) mod q
■ compute b = k^{-1}(w + xa) mod q, where k·k^{-1} ≡ 1 (mod q)
■ signature: sig(w, k) = (a, b)

Verification of signature (a, b)
■ compute z = b^{-1} mod q
■ compute u1 = wz mod q, u2 = az mod q
■ verification: ver_K(w, a, b) = true ⇔ (r^{u1}·y^{u2} mod p) mod q = a
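DSA signing and verification following the two slides above, as an added Python example (not the lecture's code); p = 23, q = 11, h = 5 are toy parameters chosen here in place of the 512-1024-bit and 160-bit primes, and w stands for the 160-bit digest that DSA actually signs.

```python
"""DSA as designed on the two slides above, with toy parameters.

Added example, not the lecture's code. p=23, q=11, h=5 are toy values chosen
here instead of a 512-1024-bit p and 160-bit q; w plays the 160-bit digest
that DSA actually signs. Function names are this example's own.
"""
import secrets


def dsa_public_params(p, q, h):
    """Global components: check q | p-1 and derive r = h^((p-1)/q) mod p, r != 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p-1")
    r = pow(h, (p - 1) // q, p)
    if r <= 1:
        raise ValueError("h^((p-1)/q) is 1; choose another h")
    assert pow(r, q, p) == 1       # r is a q-th root of 1 mod p
    return r


def dsa_keygen(p, q, r):
    """Private x with 0 < x < q, public y = r^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(r, x, p)


def dsa_sign(p, q, r, x, w, k):
    """sig(w, k) = (a, b), a = (r^k mod p) mod q, b = k^-1 (w + x a) mod q.

    Returns None when a or b is 0: such a k must be discarded and a new one drawn.
    """
    if not 0 < k < q:
        raise ValueError("k must satisfy 0 < k < q")
    a = pow(r, k, p) % q
    b = (pow(k, -1, q) * (w + x * a)) % q
    if a == 0 or b == 0:
        return None
    return a, b


def dsa_sign_fresh(p, q, r, x, w):
    """Normal use: a fresh secret k per signature (reusing k leaks x, as with ElGamal's r)."""
    while True:
        sig = dsa_sign(p, q, r, x, w, secrets.randbelow(q - 1) + 1)
        if sig is not None:
            return sig


def dsa_verify(p, q, r, y, w, sig):
    """ver_K(w, a, b): z = b^-1 mod q, u1 = w z, u2 = a z, check (r^u1 y^u2 mod p) mod q == a."""
    a, b = sig
    if not (0 < a < q and 0 < b < q):
        return False
    z = pow(b, -1, q)
    u1 = (w * z) % q
    u2 = (a * z) % q
    return (pow(r, u1, p) * pow(y, u2, p) % p) % q == a
```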
From ElGamal to DSA - II

In DSA a 160-bit message is signed using a 320-bit signature, but the computation is done modulo a number with 512-1024 bits.

Observe that y and a are also q-th roots of 1. Hence any exponents of r, y and a can be reduced modulo q without affecting the verification condition.

Fiat-Shamir SIGNATURE SCHEME

Choose primes p, q, compute n = pq and choose as a public key integers v1, ..., vk and compute, as a secret key, s1, ..., sk, where s_i = sqrt(v_i^{-1}) mod n.

Protocol for Alice to sign a message w:
1. Alice chooses (as a security parameter) an integer t, t random integers 1 ≤ r1, ..., rt < n, and computes x_i = r_i^2 mod n, 1 ≤ i ≤ t.
2. Alice uses a publicly known hash function h to compute H = h(w x1 x2 ... xt) and then uses the first kt bits of H, denoted as b_ij, 1 ≤ i ≤ t, 1 ≤ j ≤ k, as follows.
3. Alice computes y1, ..., yt:
   y_i = r_i · ∏_{j=1}^{k} s_j^{b_ij} mod n
4. Alice sends to Bob w, all b_ij, all y_i and also h. {Bob already knows Alice's public key v1, ..., vk}
5. Bob computes z1, ..., zt:
   z_i = y_i^2 · ∏_{j=1}^{k} v_j^{b_ij} mod n = r_i^2 · ∏_{j=1}^{k} (v_j^{-1})^{b_ij} · ∏_{j=1}^{k} v_j^{b_ij} = r_i^2 = x_i
   and verifies that the first k × t bits of h(w x1 x2 ... xt) are the b_ij values that Alice has sent to him.

Security of this signature scheme is 2^{-kt}. Advantage over the RSA-based signature scheme: only about 5% of the modular multiplications are needed.
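Fiat-Shamir signing and verification following the five protocol steps above, as an added Python example rather than the lecture's code. Assumptions: SHA-256 is the public hash h, the toy primes p = 101, q = 103 are chosen here, and the key is generated secret-first (s_j random, v_j = s_j^{-2} mod n), which gives the slide's relation s_j = sqrt(v_j^{-1}) without computing modular square roots.

```python
"""Fiat-Shamir signature scheme as described on the slides, toy-sized.

Added example, not the lecture's code. Assumptions: SHA-256 plays the public
hash h; the secret s_j are drawn first and v_j = s_j^-2 mod n derived from
them (equivalent to the slides' s_j = sqrt(v_j^-1), no square roots needed);
p=101, q=103 are toy primes chosen here.
"""
import hashlib
import secrets
from math import gcd

_rng = secrets.SystemRandom()


def fs_keygen(p, q, k, rng=_rng):
    """Return (n, public v_1..v_k, secret s_1..s_k) with v_j * s_j^2 == 1 mod n."""
    n = p * q
    s = []
    while len(s) < k:
        cand = rng.randrange(2, n)
        if gcd(cand, n) == 1:
            s.append(cand)
    v = [pow(pow(sj, 2, n), -1, n) for sj in s]
    return n, v, s


def _challenge_bits(w: bytes, xs, k, t, n):
    """First k*t bits of h(w x1 ... xt) as a t x k matrix b[i][j] (step 2)."""
    width = (n.bit_length() + 7) // 8
    data = w + b"".join(x.to_bytes(width, "big") for x in xs)
    digest = hashlib.sha256(data).digest()
    bits = "".join(format(byte, "08b") for byte in digest)[: k * t]
    return [[int(bits[i * k + j]) for j in range(k)] for i in range(t)]


def fs_sign(n, s, w: bytes, t, rng=_rng):
    """Steps 1-4: returns the (b_ij, y_i) that Alice sends along with w."""
    k = len(s)
    if k * t > 256:
        raise ValueError("k*t exceeds the SHA-256 output length")
    r = [rng.randrange(1, n) for _ in range(t)]          # step 1
    xs = [pow(ri, 2, n) for ri in r]
    b = _challenge_bits(w, xs, k, t, n)                  # step 2
    ys = []
    for i in range(t):                                   # step 3
        yi = r[i]
        for j in range(k):
            if b[i][j]:
                yi = yi * s[j] % n
        ys.append(yi)
    return b, ys


def fs_verify(n, v, w: bytes, sig):
    """Step 5: z_i = y_i^2 prod v_j^b_ij must reproduce x_i, hence the same bits."""
    b, ys = sig
    t, k = len(ys), len(v)
    zs = []
    for i in range(t):
        zi = pow(ys[i], 2, n)
        for j in range(k):
            if b[i][j]:
                zi = zi * v[j] % n
        zs.append(zi)
    return _challenge_bits(w, zs, k, t, n) == b
```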
SAD STORY

Alice and Bob got to jail - and, unfortunately, to different jails. Walter, the warden, allows them to communicate by network, but he will not allow their messages to be encrypted.

Problem: Can Alice and Bob set up a subliminal channel, a covert communication channel between them, in full view of Walter, even though the messages themselves that they exchange contain no secret information?

Ong-Schnorr-Shamir SUBLIMINAL CHANNEL SCHEME

Yes. Alice and Bob first create the following communication scheme:
They choose a large n and an integer k such that gcd(n, k) = 1. They calculate h = k^{-2} mod n = (k^{-1})^2 mod n.
Public key: h, n
Trapdoor information: k
Let the secret message Alice wants to send be w (it has to be such that gcd(w, n) = 1). Denote the harmless message she uses by w' (it has to be such that gcd(w', n) = 1).
Signing by Alice:
S1 = (1/2) · (w'/w + w) mod n
S2 = (k/2) · (w'/w − w) mod n
Signature: (S1, S2). Alice then sends to Bob (w', S1, S2).
Signature verification method for Walter: w' = S1^2 − h·S2^2 (mod n)
Decryption by Bob: w = w' / (S1 + k^{-1}·S2) mod n

ONE-TIME SIGNATURES

The Lamport signature scheme shows how to construct a signature scheme for one use only from any one-way function.

Let k be a positive integer and let P = {0,1}^k be the set of messages. Let f: Y → Z be a one-way function, where Y is a set of "signatures". For 1 ≤ i ≤ k, j = 0, 1 let y_ij ∈ Y be chosen randomly and z_ij = f(y_ij). The key K consists of the 2k y's and z's. The y's are secret, the z's are public.

Signing of a message x = x1 ... xk ∈ {0,1}^k:
sig(x1 ... xk) = (y_{1,x1}, ..., y_{k,xk}) = (a1, ..., ak) - notation
and
ver_K(x1 ... xk, a1, ..., ak) = true ⇔ f(a_i) = z_{i,x_i}, 1 ≤ i ≤ k

Eve cannot forge a signature because she is unable to invert one-way functions.

Important note: The Lamport signature scheme can be used to sign only one message.

SIGNING of FINGERPRINTS

The signature schemes presented so far allow one to sign only "short" messages. For example, DSS is used to sign 160-bit messages (with 320-bit signatures).

A naive solution is to break a long message into a sequence of short ones and to sign each block separately. Disadvantages: signing is slow, and for long signatures integrity is not protected.

The solution is to use a fast public hash function h which maps a message of any length to a fixed-length hash. The hash is then signed.

Example:
message w - arbitrary length
message digest z = h(w) - 160 bits
ElGamal signature y = sig(z) - 320 bits

If Bob wants to send a signed message w he sends (w, sig(h(w))).
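The Lamport scheme together with the "SIGNING of FINGERPRINTS" idea above, as an added Python example (not the lecture's code): SHA-256 plays both the one-way function f and the hash h, k = 256, and the signer object enforces the one-message restriction; the class and function names are this example's own.

```python
"""Lamport one-time signature over a message fingerprint.

Added example, not the lecture's code. Assumptions: SHA-256 serves both as
the one-way function f (Y = Z = 32-byte strings) and as the hash h that maps
an arbitrary-length message to the k = 256 bits that are actually signed.
"""
import hashlib
import secrets

K = 256  # number of signed bits = SHA-256 digest length


def f(y: bytes) -> bytes:
    """The one-way function: z = f(y)."""
    return hashlib.sha256(y).digest()


def lamport_keygen():
    """Secret y[i][j], public z[i][j] = f(y[i][j]) for 0 <= i < k, j in {0, 1}."""
    y = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(K)]
    z = [[f(pair[0]), f(pair[1])] for pair in y]
    return y, z


def _bits(digest: bytes):
    """The k message bits x_1 ... x_k of the fingerprint, most significant first."""
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(K)]


class LamportSigner:
    """Holds the secret key and enforces the one-time property."""

    def __init__(self):
        self._y, self.public = lamport_keygen()
        self._used = False

    def sign(self, w: bytes):
        """sig(h(w)) = (y[1][x1], ..., y[k][xk]); refuses a second message."""
        if self._used:
            raise RuntimeError("key already used: a second signature would reveal "
                               "y values for both bit values and permit forgeries")
        self._used = True
        x = _bits(hashlib.sha256(w).digest())
        return [self._y[i][x[i]] for i in range(K)]


def lamport_verify(public, w: bytes, sig) -> bool:
    """ver(x, a_1..a_k) = true iff f(a_i) == z[i][x_i] for every i."""
    x = _bits(hashlib.sha256(w).digest())
    return len(sig) == K and all(f(sig[i]) == public[i][x[i]] for i in range(K))
```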
TIMESTAMPING

There are various ways that a digital signature can be compromised. For example: if Eve determines the secret key of Bob, then she can forge signatures of any of Bob's messages she likes. If this happens, the authenticity of all messages signed by Bob before Eve got the secret key is to be questioned.

The key problem is that there is no way to determine when a message was signed. A timestamping protocol should provide a proof that a message was signed at a certain time.

In the following, pub denotes some publicly known information that could not be predicted before the day of the signature (for example, stock-market data).

Timestamping by Bob of a signature on a message w, using a hash function h:
■ Bob computes z = h(w);
■ Bob computes z' = h(z || pub); - || denotes concatenation
■ Bob computes y = sig(z');
■ Bob publishes (z, pub, y) in the next day's newspaper.

It is now clear that the signature could not have been made after the triple (z, pub, y) was published, but also not before the date pub was known.

BLIND SIGNATURES

The basic idea is that the Sender makes the Signer sign a message m without the Signer knowing m, therefore blindly - this is needed in e-commerce.

Blind signing can be realized by a two-party protocol between the Sender and the Signer that has the following properties.
■ In order to have a message m signed by the Signer, the Sender creates, using a blinding procedure, from the message m a new message m* from which m cannot be obtained without knowing a secret, and sends m* to the Signer.
■ The Signer signs the message m* to get a signature s_{m*} (of m*) and sends s_{m*} to the Sender. The signing is to be done in such a way that the Sender can afterwards compute, using an unblinding procedure, from the Signer's signature s_{m*} of m* the Signer's signature s_m of m.

Chaum's BLIND SIGNATURE SCHEME

This blind signature protocol combines RSA with blinding/unblinding features.

Bob's RSA public key is (n, e) and his private key is d. Let m be a message, 0 < m < n.

PROTOCOL:
■ Alice chooses a random 0 < k < n with gcd(n, k) = 1.
■ Alice computes m* = m·k^e (mod n) and sends it to Bob (this way Alice blinds the message m).
■ Bob computes s* = (m*)^d (mod n) and sends s* to Alice (this way Bob signs the blinded message m*).
■ Alice computes s = k^{-1}·s* (mod n) to obtain Bob's signature m^d of m (Alice performs unblinding of m*).

Verification is equivalent to that of the RSA signature scheme.
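Chaum's protocol run end to end, as an added Python example that is not the lecture's code: the toy key n = 3233, e = 17, d = 2753 (p = 61, q = 53) is a textbook key chosen here, the function names are this example's own, and textbook RSA is used exactly as on the slides (practical systems sign a padded hash of m instead).

```python
"""Chaum's RSA blind signature as on the slide, with a toy RSA key.

Added example, not the lecture's code. The toy key n=3233, e=17, d=2753
(p=61, q=53) is a textbook key chosen here; function names are this
example's own.
"""
import secrets
from math import gcd

N, E, D = 3233, 17, 2753      # Bob's toy key: (N, E) public, D private


def rsa_sign(m, n=N, d=D):
    """Bob's plain RSA signature m^d mod n."""
    return pow(m, d, n)


def rsa_verify(m, s, n=N, e=E):
    """Plain RSA verification: s^e == m (mod n)."""
    return 0 < m < n and pow(s, e, n) == m


def blind(m, n=N, e=E, k=None):
    """Alice: choose k with gcd(k, n) = 1 and return (m* = m k^e mod n, k)."""
    if not 0 < m < n:
        raise ValueError("message must satisfy 0 < m < n")
    if k is None:
        while True:
            k = secrets.randbelow(n - 1) + 1
            if gcd(k, n) == 1:
                break
    elif gcd(k, n) != 1:
        raise ValueError("blinding factor must be coprime to n")
    return (m * pow(k, e, n)) % n, k


def unblind(s_star, k, n=N):
    """Alice: s* = (m k^e)^d = m^d k (mod n), so k^-1 s* = m^d, Bob's signature on m."""
    return (pow(k, -1, n) * s_star) % n


def chaum_blind_signature(m):
    """Run the whole protocol; returns (m*, s): what Bob saw and the final signature."""
    m_star, k = blind(m)
    s_star = rsa_sign(m_star)      # Bob signs m* without learning m
    return m_star, unblind(s_star, k)
```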
FAIL-THEN-STOP SIGNATURES

These are signature schemes that use a trusted authority and provide ways to prove, if it is the case, that a powerful enough adversary is around who could break the signature scheme and that therefore its use should be stopped.

The scheme is maintained by a trusted authority that chooses a secret key for each signer, keeps them secret, even from the signers themselves, and announces only the related public keys.

An important idea is that the signing and verification algorithms are enhanced by a so-called proof-of-forgery algorithm. When the signer sees a forged signature he is able to compute his secret key and, by submitting it to the trusted authority, to prove the existence of a forgery and in this way to achieve that any further use of the signature scheme is stopped.

The so-called Heyst-Pedersen Scheme is an example of a Fail-Then-Stop signature scheme.

DIGITAL SIGNATURES with ENCRYPTION and RESENDING

1. Alice signs the message: sA(w).
2. Alice encrypts the signed message: eB(sA(w)).
3. Bob decrypts the signed message: dB(eB(sA(w))) = sA(w).
4. Bob verifies the signature and recovers the message: vA(sA(w)) = w.

Resending the message as a receipt
5. Bob signs and encrypts the message and sends to Alice eA(sB(w)).
6. Alice decrypts the message and verifies the signature.

Assume now: vx = ex, sx = dx for all users x.

A SURPRISING ATTACK to PREVIOUS SCHEME

1. Mallot intercepts eB(sA(w)).
2. Later Mallot sends eB(sA(w)) to Bob pretending it is from him (from Mallot).
3. Bob decrypts and "verifies" the message by computing eM(dB(eB(dA(w)))) = eM(dA(w)) - garbage.
4. Bob goes on with the protocol and returns to Mallot the receipt: eM(dB(eM(dA(w)))).
5. Mallot can then get w. Indeed, Mallot can compute eA(dM(eB(dM(eM(dB(eM(dA(w)))))))) = w.

A MAN-IN-THE-MIDDLE ATTACK

Consider the following protocol:
1. Alice sends Bob the pair (eB(eB(w)||A), B).
2. Bob uses dB to get A and w, and acknowledges by sending the pair (eA(eA(w)||B), A) to Alice.
(Here the functions e and d are assumed to operate on strings, and the identificators A, B, ... are strings.)

What can an active eavesdropper C do?
■ C can learn (eA(eA(w)||B), A) and therefore eA(w'), where w' = eA(w)||B.
■ C can now send to Alice the pair (eA(eA(w')||C), A).
■ Alice, thinking that this is step 1 of the protocol, acknowledges by sending the pair (eC(eC(w')||A), C) to C.
■ C is now able to learn w' and therefore also eA(w).
■ C now sends to Alice the pair (eA(eA(w)||C), A).
■ Alice acknowledges by sending the pair (eC(eC(w)||A), C).
■ C is now able to learn w.

PROBABILISTIC SIGNATURE SCHEMES - PSS

Let us have integers k, l, n such that k + l < n, a permutation f: D → D, D ⊆ {0,1}^n, a pseudorandom bit generator G: {0,1}^l → {0,1}^k × {0,1}^{n−(k+l)}, w → (G1(w), G2(w)), and a hash function h: {0,1}* → {0,1}^l. The following PSS scheme is applicable to messages of arbitrary length.

Signing of a message w ∈ {0,1}*:
1. Choose random r ∈ {0,1}^k and compute m = h(w||r).
2. Compute G(m) = (G1(m), G2(m)) and y = m || (G1(m) ⊕ r) || G2(m).
3. The signature of w is σ = f^{-1}(y).

Verification of a signed message (w, σ):
■ Compute f(σ) and decompose f(σ) = m||t||u, where |m| = l, |t| = k and |u| = n − (k + l).
■ Compute r = t ⊕ G1(m).
■ Accept the signature σ if h(w||r) = m and G2(m) = u; otherwise reject it.
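PSS signing and verification exactly as laid out above, as an added Python example that is not the lecture's code. Assumptions: f is textbook RSA on a modulus built from the Mersenne primes 2^31 − 1 and 2^61 − 1 (chosen here, far below practical sizes), D is the set of n-bit strings read as integers with n = 91 so that every such y lies below the modulus, h is SHA-256 truncated to l bits and G is SHA-256 of a tagged input split into G1 (k bits) and G2 (n − k − l bits).

```python
"""PSS signing and verification as on the slide, with a toy RSA permutation f.

Added example, not the lecture's code. Assumptions: f is textbook RSA on
P*Q with P = 2^31-1, Q = 2^61-1 (Mersenne primes chosen here); D = n-bit
strings as integers, n = 91, so every y in D is below the modulus; h is
SHA-256 truncated to l bits; G is SHA-256 of a tagged input, split into
G1 (k bits) and G2 (n-k-l bits).
"""
import hashlib
import secrets

P, Q = 2**31 - 1, 2**61 - 1
MOD = P * Q
E = 65537
D_EXP = pow(E, -1, (P - 1) * (Q - 1))
n = MOD.bit_length() - 1      # 91: an n-bit y always satisfies y < MOD
l, k = 32, 32                 # hash length l, salt length k; k + l < n
u = n - (k + l)               # length of the G2 part


def h(data: bytes) -> int:
    """Hash to l bits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - l)


def G(m: int):
    """Pseudorandom expansion of the l-bit m into (G1(m), G2(m))."""
    stream = int.from_bytes(hashlib.sha256(b"G|" + m.to_bytes(l // 8, "big")).digest(), "big")
    g1 = stream >> (256 - k)
    g2 = (stream >> (256 - k - u)) & ((1 << u) - 1)
    return g1, g2


def f(y: int) -> int:
    """The public permutation of D (RSA with the public exponent)."""
    return pow(y, E, MOD)


def f_inv(y: int) -> int:
    """Its inverse, available to the signer only."""
    return pow(y, D_EXP, MOD)


def pss_sign(w: bytes, r=None) -> int:
    """Steps 1-3: m = h(w||r), y = m || (G1(m) xor r) || G2(m), sigma = f^-1(y)."""
    if r is None:
        r = secrets.randbits(k)
    m = h(w + r.to_bytes(k // 8, "big"))
    g1, g2 = G(m)
    y = (m << (k + u)) | ((g1 ^ r) << u) | g2
    return f_inv(y)


def pss_verify(w: bytes, sigma: int) -> bool:
    """Decompose f(sigma) = m||t||u, recover r = t xor G1(m), check h(w||r) = m and G2(m) = u."""
    if not 0 <= sigma < MOD:
        return False
    y = f(sigma)
    if y >> n:                       # not an n-bit string: reject
        return False
    m = y >> (k + u)
    t = (y >> u) & ((1 << k) - 1)
    u_part = y & ((1 << u) - 1)
    g1, g2 = G(m)
    r = t ^ g1
    return h(w + r.to_bytes(k // 8, "big")) == m and g2 == u_part
```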
Diffie+Hellman solved this problem in 1976 by designing a protocol for secure key establishment (distribution) over public channels. Diffie-Hellman Protocol: If two parties, Alice and Bob, want to create a common secret key, then they first agree, somehow, on a large prime p and a q
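The PSS signing and verification steps above, carried out as an added worked example that is not part of the lecture: Python, with SHA-256 standing in for the hash h, an SHA-256-based generator for G, and a small textbook-RSA permutation as the trapdoor permutation f (the two primes are constructed, chosen only so that N exceeds 2^n; they are far too small for real use). The parameters k = 16, l = 32, n = 60 and the sample message are likewise assumptions.

```python
import hashlib
import secrets

# PSS parameters in the lecture's notation: k salt bits, l hash bits and
# n bits in the domain of the permutation f, with k + l < n (assumed values).
K_BITS, L_BITS, N_BITS = 16, 32, 60
U_BITS = N_BITS - (K_BITS + L_BITS)          # length of G2(m), i.e. of u

# Trapdoor permutation f (assumption, not from the lecture): textbook RSA with
# two fixed primes chosen so that N > 2^n, hence every n-bit y lies in Z_N.
# f(y) = y^e mod N is public; f^{-1}(y) = y^d mod N needs the private d.
_P, _Q = 4294967291, 2147483647              # toy-sized primes, illustration only
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))


def f(y):
    return pow(y, RSA_E, RSA_N)


def f_inverse(y):
    return pow(y, RSA_D, RSA_N)


def h(data):
    """Hash h : {0,1}* -> {0,1}^l, here SHA-256 truncated to l bits."""
    return int.from_bytes(hashlib.sha256(data).digest()[: L_BITS // 8], "big")


def G(m):
    """Generator G : {0,1}^l -> {0,1}^k x {0,1}^{n-(k+l)}, m -> (G1(m), G2(m)).

    Built from SHA-256 of a domain-separated encoding of m (an assumption)."""
    stream = int.from_bytes(
        hashlib.sha256(b"PSS-G" + m.to_bytes(L_BITS // 8, "big")).digest(), "big")
    g1 = stream & ((1 << K_BITS) - 1)
    g2 = (stream >> K_BITS) & ((1 << U_BITS) - 1)
    return g1, g2


def pss_sign(w, r=None):
    """Signing: random r, m = h(w||r), y = m || (G1(m) xor r) || G2(m), sigma = f^{-1}(y)."""
    if r is None:
        r = secrets.randbits(K_BITS)
    m = h(w + r.to_bytes(K_BITS // 8, "big"))
    g1, g2 = G(m)
    y = (m << (K_BITS + U_BITS)) | ((g1 ^ r) << U_BITS) | g2
    return f_inverse(y)


def pss_verify(w, sigma):
    """Verification: decompose f(sigma) = m || t || u, recover r = t xor G1(m),
    accept iff h(w||r) = m and G2(m) = u."""
    y = f(sigma)
    if y >> N_BITS:                 # f(sigma) is not an n-bit string: reject
        return False
    m = y >> (K_BITS + U_BITS)
    t = (y >> U_BITS) & ((1 << K_BITS) - 1)
    u = y & ((1 << U_BITS) - 1)
    g1, g2 = G(m)
    r = t ^ g1
    return h(w + r.to_bytes(K_BITS // 8, "big")) == m and g2 == u


if __name__ == "__main__":
    msg = b"pay 100 EUR to Bob"                      # constructed sample message
    sig = pss_sign(msg)
    print("valid:", pss_verify(msg, sig))
    print("tampered message:", pss_verify(msg + b"0", sig))
```

Two details worth noticing: because r is fresh for every signature, signing the same message twice yields different signatures, which is the "probabilistic" in PSS; and the verifier rejects any f(σ) that is not an n-bit string, since the domain D of f here (Z_N) is larger than {0,1}^n and the decomposition into m, t and u is only defined for n-bit values.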

3 is a prime, then such a general equation can be transformed to our special case of the equation. In other cases, it may be necessary to consider the most general form of the equation.
prof. Jozef Gruska IV054 8. Elliptic curves cryptography and factorization 312/616

ADDITION of POINTS on ELLIPTIC CURVES - GEOMETRY (1)
Geometry: On any elliptic curve we can define addition of points in such a way that the points of the curve, together with this operation of addition, form an Abelian group in which the point ∞ is the identity element.
■ If the line through two different points P1 and P2 of an elliptic curve E intersects E in a point Q = (x, y), then we define P1 + P2 = P3 = (x, −y). (This also implies that for any point P on E it holds P + ∞ = P; ∞ therefore plays the role of the null element.)
■ If the line through two different points P1 and P2 is parallel with the y-axis, then we define P1 + P2 = ∞.
■ In case P1 = P2, and the tangent to E in P1 intersects E in a point Q = (x, y), then we define P1 + P1 = (x, −y).
It should now be obvious how to define subtraction of two points of an elliptic curve. It is now easy to verify that the above addition of points forms an Abelian group with ∞ as the identity (null) element.

ELLIPTIC CURVES - GENERALITY
A general elliptic curve over $Z_{p^m}$, where p is a prime, is the set of points (x, y) satisfying the so-called Weierstrass equation
$y^2 + uxy + vy = x^3 + ax^2 + bx + c$
for some constants u, v, a, b, c, together with a single element 0 (the point ∞ above), called the point at infinity.
If p ≠ 2, the Weierstrass equation can be simplified by the transformation $y \to y - \frac{ux + v}{2}$ to get the equation $y^2 = x^3 + dx^2 + ex + f$ for some constants d, e, f, and if p ≠ 3 by the transformation $x \to x - \frac{d}{3}$ to get the equation $y^2 = x^3 + fx + g$.
ADDITION of POINTS on ELLIPTIC CURVES (2)
Formulas: Addition of points P1 = (x1, y1) and P2 = (x2, y2) of an elliptic curve $E: y^2 = x^3 + ax + b$ can be easily computed using the following formulas:
P1 + P2 = P3 = (x3, y3), where
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$
and
$\lambda = \frac{y_2 - y_1}{x_2 - x_1}$ if P1 ≠ P2, $\lambda = \frac{3x_1^2 + a}{2y_1}$ if P1 = P2.
All that holds for the case that λ ≠ ∞; otherwise P3 = ∞.
Example: For the curve $y^2 = x^3 + 73$ and P1 = (2, 9), P2 = (3, 10) we have λ = 1, P1 + P2 = P3 = (−4, −3) and P3 + P3 = (72, 611).

ELLIPTIC CURVES mod n
The points on an elliptic curve $E: y^2 = x^3 + ax + b \pmod n$ are such pairs (x, y) mod n that satisfy the above equation, along with the point ∞ at infinity.
Example: The elliptic curve $E: y^2 = x^3 + 2x + 3 \pmod 5$ has the points (1,1), (1,4), (2,0), (3,1), (3,4), (4,0), ∞.
Example: For the elliptic curve $E: y^2 = x^3 + x + 6 \pmod{11}$ and its point P = (2, 7) it holds 2P = (5, 2) and 3P = (8, 3).
The number of points on an elliptic curve (mod p) can be easily estimated.
Hasse's theorem: If an elliptic curve E (mod p) has |E| points, then $\bigl|\,|E| - p - 1\,\bigr| \le 2\sqrt{p}$.
The addition of points on an elliptic curve mod n is done by the same formulas as given previously, except that instead of rational numbers c/d we deal with $c \cdot d^{-1} \pmod n$.
Example: For the curve $E: y^2 = x^3 + 2x + 3 \pmod 5$ it holds (1,4) + (3,1) = (2,0) and (1,4) + (2,0) = (?, ?).
ELLIPTIC CURVES DISCRETE LOGARITHM
Let E be an elliptic curve and A, B be its points such that B = kA = A + A + ... + A (k times) for some k. The task to find such a k is called the discrete logarithm problem for elliptic curves.
No efficient algorithm to compute the discrete logarithm for elliptic curves is known, and also no good general attacks. Elliptic curve cryptography is based on these facts.
There is the following general procedure for changing a discrete logarithm based cryptographic protocol into a cryptographic protocol based on elliptic curves:
■ Assign to the message (plaintext) a point on an elliptic curve.
■ Change, in the cryptographic protocol, modular multiplication to addition of points on an elliptic curve.
■ Change, in the cryptographic protocol, exponentiation to multiplication of a point on the elliptic curve by an integer.
■ To the point of an elliptic curve that results from such a protocol one assigns a message (cryptotext).

MAPPING MESSAGES into POINTS of ELLIPTIC CURVES (I)
Problem and basic idea: The problem of assigning messages to points on elliptic curves is difficult because there are no polynomial-time algorithms to write down points of an arbitrary elliptic curve. Fortunately, there is a fast randomized algorithm, to assign points of any elliptic curve to messages, that can fail only with a probability that can be made arbitrarily small.
Basic idea: Given an elliptic curve E (mod p), the problem is that not for every x there is a y such that (x, y) is a point of E. Given a message (number) m we therefore adjoin to m a few bits at the end of m and adjust them until we get a number x such that $x^3 + ax + b$ is a square mod p.

MAPPING MESSAGES into POINTS of ELLIPTIC CURVES (II)
Technicalities: Let K be a large integer such that the resulting failure rate is acceptable when trying to encode a message by a point. For j ∈ {0, ..., K − 1} verify whether for x = mK + j the value $x^3 + ax + b \pmod p$ is the square (mod p) of an integer y. If such a j is found, encoding is done; if not, the algorithm fails (this happens only with small probability, because $x^3 + ax + b$ is a square approximately half of the time). In order to recover the message m from the point (x, y), we compute $\lfloor x / K \rfloor$.

ELLIPTIC CURVES KEY EXCHANGE
The elliptic curve version of the Diffie-Hellman key generation protocol goes as follows. Let Alice and Bob agree on a prime p, on an elliptic curve E (mod p) and on a point P on E.
■ Alice chooses an integer n_a, computes n_a P and sends it to Bob.
■ Bob chooses an integer n_b, computes n_b P and sends it to Alice.
■ Alice computes n_a(n_b P) and Bob computes n_b(n_a P). This way they have the same key.
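The encoding procedure of the two MAPPING MESSAGES slides, as an added example that is not part of the lecture: Python, assuming a prime p = 1000003 with p ≡ 3 (mod 4), so that a square root of a residue c can be taken as c^((p+1)/4), the curve y^2 = x^3 + 2x + 3 (mod p), K = 20, and constructed sample messages. The squareness test is Euler's criterion; the recovery step is the integer division by K from the slide.

```python
# Assumed parameters (not from the lecture): a prime p with p = 3 (mod 4), the
# curve y^2 = x^3 + 2x + 3 (mod p), and K = 20 candidate x values per message,
# so that encoding fails only with probability about 2^-K.
P_MOD = 1000003
CURVE_A, CURVE_B = 2, 3
K = 20


def is_square_mod_p(c, p):
    """Euler's criterion: c is a square mod the prime p iff c = 0 or c^((p-1)/2) = 1."""
    c %= p
    return c == 0 or pow(c, (p - 1) // 2, p) == 1


def sqrt_mod_p(c, p):
    """A square root of the quadratic residue c mod p; valid only for p = 3 (mod 4)."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    return pow(c, (p + 1) // 4, p)


def encode_message(m, a=CURVE_A, b=CURVE_B, p=P_MOD, k=K):
    """Map the integer m to a point (x, y) with x = mK + j, trying j = 0, ..., K-1.

    Returns None in the (roughly 2^-K likely) case that no candidate x gives a square."""
    if m < 0 or (m + 1) * k > p:
        raise ValueError("message too large: mK + j must stay below p")
    for j in range(k):
        x = m * k + j
        rhs = (x * x * x + a * x + b) % p
        if is_square_mod_p(rhs, p):
            return (x, sqrt_mod_p(rhs, p))
    return None


def decode_point(point, k=K):
    """Recover m from (x, y): the adjusted low part j is dropped by integer division."""
    x, _ = point
    return x // k


def on_curve(point, a=CURVE_A, b=CURVE_B, p=P_MOD):
    """Check that the point really satisfies y^2 = x^3 + ax + b (mod p)."""
    x, y = point
    return (y * y - (x * x * x + a * x + b)) % p == 0


if __name__ == "__main__":
    for m in (0, 42, 12345):          # constructed sample messages
        pt = encode_message(m)
        print(m, "->", pt, "on curve:", on_curve(pt), "decoded:", decode_point(pt))
```

The size check in encode_message matters: the slide's recovery rule ⌊x/K⌋ only works while x = mK + j is an ordinary integer below p, so messages must be kept below p/K (or split into blocks of that size) before encoding.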
ELLIPTIC CURVES VERSION of ElGamal CRYPTOSYSTEM
Standard version of ElGamal: Bob chooses a prime p, a generator q < p, an integer x, computes $y = q^x \pmod p$, makes public p, q, y and keeps x secret.
To send a message m Alice chooses a random r, computes
$a = q^r, \quad b = m y^r \pmod p$
and sends (a, b) to Bob, who decrypts by calculating $m = b a^{-x} \pmod p$.
Elliptic curve version of ElGamal: Bob chooses a prime p, an elliptic curve E (mod p), a point P on E, an integer x, computes Q = xP, makes E, p, and Q public and keeps x secret.
To send a message m Alice expresses m as a point X on E, chooses a random r, computes
a = rP, b = X + rQ
and sends the pair (a, b) to Bob, who decrypts by calculating X = b − xa.
ELLIPTIC CURVES DIGITAL SIGNATURES
The elliptic curve version of ElGamal digital signatures has the following form for signing a message m (an integer) by Alice and having the signature verified by Bob:
Alice chooses p and an elliptic curve E (mod p), a point P on E, and calculates the number of points n on E (mod p) - this can be done - and we assume that 0 < m < n. Alice then chooses a random integer a and computes Q = aP. She makes public p, E, P, Q and keeps a secret.
To sign m Alice does the following:
■ Alice chooses a random integer r, 1 < r < n, such that gcd(r, n) = 1 and computes R = rP = (x, y).
■ Alice computes $s = r^{-1}(m - ax) \pmod n$.
■ Alice sends the signed message (m, R, s) to Bob.
Bob verifies the signature as follows:
■ Bob declares the signature as valid if xQ + sR = mP.
The verification procedure works because
$xQ + sR = xaP + r^{-1}(m - ax)(rP) = xaP + (m - ax)P = mP.$
Warning: Observe that actually $r r^{-1} = 1 + tn$ for some t. For the above verification procedure to work we then have to use the fact that nP = ∞ and therefore P + t·∞ = P.

COMMENT
The Federal (USA) elliptic curve digital signature standard (ECDSA) was introduced in 20??.

DOMAIN PARAMETERS for ELLIPTIC CURVES
To use ECC all parties involved have to agree on all basic elements concerning the elliptic curve E being used:
■ A prime p.
■ Constants a and b in the equation $y^2 = x^3 + ax + b$.
■ A generator G of the underlying cyclic subgroup, such that its order is prime.
■ The order n of G, that is, such an n that nG = 0.
■ The co-factor h = |E|/n, which should be small (h < 4) and preferably h = 1.
To determine the domain parameters (especially n and h) may be a very time-consuming task.

FACTORING with ELLIPTIC CURVES
Basic idea: To factorize an integer n choose an elliptic curve E, a point P on E and compute, modulo n, either iP for i = 2, 3, 4, ... or $2^j P$ for j = 1, 2, ... . The point is that in doing that one needs to compute gcd(k, n) for various k. If one of these values is between 1 and n we have a factor of n.
Factoring of large integers: The above idea can be easily parallelised and converted to using an enormous number of computers to factor a single very large n. Each computer gets some number of elliptic curves and some points on them and multiplies these points by some integers according to the rule for addition of points. If one of the computers encounters, during such a computation, a need to compute 1 < gcd(k, n) < n, the factorization is finished.
Example: If the curve $E: y^2 = x^3 + 4x + 4 \pmod{2773}$ and its point P = (1, 3) are used, then 2P = (1771, 705), and in order to compute 3P one has to compute gcd(1770, 2773) = 59 - the factorization is done.
Example: For the elliptic curve $E: y^2 = x^3 + x - 1 \pmod{35}$ and its point P = (1, 1) we have 2P = (2, 32), 4P = (25, 12), 8P = (6, 9), and at the attempt to compute 9P one needs to compute gcd(15, 35) = 5 and the factorization is done.
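The addition formulas, the mod n examples and the two factoring examples above, carried out in code as an added example that is not part of the lecture: Python implementing the lecture's λ formulas with c·d^{-1} (mod n) in place of c/d, where a denominator that has no inverse mod n is reported as a factor of n rather than as an error, which is exactly the event the elliptic curve factoring method waits for. Brute-force point counting for the small curves (used for a Hasse check) and the walk 2P, 3P, ..., kP from the basic idea are included; all curves and points are the ones from the slides, the function names are this example's own.

```python
from math import gcd

INF = None   # the point at infinity, written oo in the lecture


class FactorFound(Exception):
    """A denominator d had 1 < gcd(d, n) < n: the factoring method has succeeded."""

    def __init__(self, factor):
        super().__init__("non-trivial factor %d" % factor)
        self.factor = factor


def ec_add(P, Q, a, n):
    """P + Q on y^2 = x^3 + ax + b (mod n) by the lecture's formulas.

    For prime n this is the ordinary group law; for composite n an inverse
    that does not exist exposes a factor of n through FactorFound."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return INF                                # vertical line: P + (-P) = oo
    if x1 == x2 and (y1 - y2) % n != 0:
        raise ValueError("points share x but are neither equal nor opposite mod n")
    if x1 == x2:
        num, den = 3 * x1 * x1 + a, 2 * y1        # tangent: lambda = (3x1^2 + a) / 2y1
    else:
        num, den = y2 - y1, x2 - x1               # chord:   lambda = (y2 - y1) / (x2 - x1)
    den %= n
    g = gcd(den, n)
    if 1 < g < n:
        raise FactorFound(g)
    lam = (num * pow(den, -1, n)) % n            # c / d becomes c * d^{-1} (mod n)
    x3 = (lam * lam - x1 - x2) % n
    y3 = (lam * (x1 - x3) - y1) % n
    return (x3, y3)


def ec_mul(k, P, a, n):
    """kP by repeated doubling and adding; a FactorFound propagates to the caller."""
    R, Q = INF, P
    while k:
        if k & 1:
            R = ec_add(R, Q, a, n)
        k >>= 1
        if k:
            Q = ec_add(Q, Q, a, n)
    return R


def curve_points(a, b, p):
    """All points of y^2 = x^3 + ax + b (mod p) for a small prime p, including oo."""
    pts = [(x, y) for x in range(p) for y in range(p)
           if (y * y - x * x * x - a * x - b) % p == 0]
    return pts + [INF]


def hasse_bound_holds(a, b, p):
    """Hasse's theorem, | |E| - p - 1 | <= 2 sqrt(p), checked by brute-force counting."""
    return abs(len(curve_points(a, b, p)) - p - 1) ** 2 <= 4 * p


def ecm_multiples(n, a, P, bound):
    """Compute 2P, 3P, ..., bound*P (mod n) as in the lecture's basic idea.

    Returns the first factor of n exposed by a failed inversion, or None."""
    Q = P
    try:
        for _ in range(2, bound + 1):
            Q = ec_add(Q, P, a, n)
    except FactorFound as found:
        return found.factor
    return None


if __name__ == "__main__":
    print(ec_mul(2, (2, 7), 1, 11), ec_mul(3, (2, 7), 1, 11))   # (5, 2) (8, 3)
    print(len(curve_points(2, 3, 5)))                            # 7 points, oo included
    print(ecm_multiples(2773, 4, (1, 3), 10))                    # 59, found at 3P
    print(ecm_multiples(35, 1, (1, 1), 9))                       # 5, found at 9P
```

The same ec_add serves both uses on purpose: the only difference between "arithmetic on E (mod p)" and "factoring n with E (mod n)" is what happens when pow(den, -1, n) cannot exist, and the gcd test in front of it is where the factoring method actually does its work.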
The only thing that remains to be explored is how efficient this method is and when it is more efficient than other methods.

IMPORTANT OBSERVATIONS (1)
■ If n = pq for primes p, q, then an elliptic curve E (mod n) can be seen as a pair of elliptic curves E (mod p) and E (mod q).
■ It follows from the Lagrange theorem that for any elliptic curve E (mod n) and its point P there is a k < n such that kP = ∞.
■ In the case of an elliptic curve E (mod p) for some prime p, the smallest positive integer m such that mP = ∞ for some point P divides the number N of points on the curve E (mod p). Hence NP = ∞. If N is a product of small primes, then b! will be a multiple of N for a reasonably small b. Therefore b!P = ∞.
■ A number with only small factors is called smooth, and if all factors are smaller than a b, then it is called b-smooth. It can be shown that the density of smooth integers is so large that if we choose a random elliptic curve E (mod n), then there is a reasonable chance that n is smooth.

PRACTICALITY of FACTORING USING ECC (1)
Let us continue to discuss the following key problem for factorization using elliptic curves:
Problem: How to choose an integer k such that for a given point P we should try to compute the points iP or $2^i P$ for all multiples of P smaller than kP?
Idea: If one searches for m-digit factors, one chooses k in such a way that k is a multiple of as many as possible of those m-digit numbers which do not have too large prime factors. In such a case one has a good chance that k is a multiple of the number of elements of the group of points of the elliptic curve modulo n.
Method 1: One chooses an integer B and takes as k the product of all maximal powers of primes smaller than B.
Example: In order to find a 6-digit factor one chooses B = 147 and $k = 2^7 \cdot 3^4 \cdot 5^3 \cdot 7^2 \cdot 11^2 \cdot 13 \cdot \ldots \cdot 139$. The following table shows B and the number of elliptic curves one has to test:

PRACTICALITY of FACTORING USING ECC (2)
Digits of the factor sought    6      9      12      18       24        30
B                              147    682    2462    23462    162730    945922
Number of curves               10     24     55      231      833       2594
Computation time of the elliptic curve method depends on the size of the factors.

ELLIPTIC CURVES FACTORIZATION - DETAILS
Given an n such that gcd(n, 6) = 1, and let the smallest factor of n be expected to be smaller than an F. One should then proceed as follows. Choose an integer parameter r and:
1. Select, randomly, an elliptic curve $E: y^2 = x^3 + ax + b$ such that $\gcd(n, 4a^3 + 27b^2) = 1$, and a random point P on E.
2. Choose integer bounds A, B, M such that $M = \prod_{j=1}^{l} p_j^{\alpha_{p_j}}$ for some primes $p_1 < p_2 < \ldots < p_l \le B$, with $\alpha_{p_j}$ being the largest exponent such that $p_j^{\alpha_{p_j}} \le A$. Set j = k = 1.
3. Calculate $p_j P$.
4. Computing gcd:
■ If $p_j P \ne O \pmod n$, then set $P = p_j P$ and reset k ← k + 1. If $k \le \alpha_{p_j}$, then go to step (3).
Jozef Gruska IV054 8. Elliptic curves cryptography and factorization 329/616 ELLIPTIC CURVES FACTORIZATION - DETAILS II b If k > aPj, then reset j — j + 1, k — 1. If j < l, then go to step (3); otherwise go to step (5) ■ If pjP = O( mod n) and no factor of n was found at the computation of inverse elements, then go to step (5) B Reset r — r — 1. If r > 0 go to step (1); otherwise terminate with "failure". The "smoothness bound" B is recommended to be chosen as InF (InlnF) B = e 2 and in such a case running time is O (e ) prof. Jozef Gruska IV054 8. Elliptic curves cryptography and factorization 330/616 ELLIPTIC CURVES: FAQ ■ How to choose (randomly) an elliptic curve E and point P on E? prof. Jozef Gruska IV054 8. Elliptic curves cryptography and factorization 331/616 ELLIPTIC CURVES: FAQ ■ How to choose (randomly) an elliptic curve E and point P on E? An easy way is first choose a point P(x,y) and an a and then compute b = y2 — x3 — ax to get the curve E : y2 = x3 + ax + b. prof. Jozef Gruska IV054 8. Elliptic curves cryptography and factorization 331/616 ELLIPTIC CURVES: FAQ ■ How to choose (randomly) an elliptic curve E and point P on E? An easy way is first choose a point P(x,y) and an a and then compute b = y2 — x3 — ax to get the curve E : y2 = x3 + ax + b. ■ What happens at the factorization using elliptic curve method, if for a chosen curve E (mod n) the corresponding cubic polynomial x3 + ax + b has multiple roots (that is if 4a3 + 27b2 = 0) ? prof. Jozef Gruska IV054 8. Elliptic curves cryptography and factorization 331/616 ELLIPTIC CURVES: FAQ ■ How to choose (randomly) an elliptic curve E and point P on E? An easy way is first choose a point P(x,y) and an a and then compute b = y2 — x3 — ax to get the curve E : y2 = x3 + ax + b. ■ What happens at the factorization using elliptic curve method, if for a chosen curve E (mod n) the corresponding cubic polynomial x3 + ax + b has multiple roots (that is if 4a3 + 27b2 = 0) ? No problem, method still works. 
ELLIPTIC CURVES: FAQ

■ How to choose (randomly) an elliptic curve E and a point P on E? An easy way is to first choose a point P = (x, y) and an a, and then compute b = y^2 − x^3 − ax to get the curve E : y^2 = x^3 + ax + b.
■ What happens at the factorization using the elliptic curve method if, for a chosen curve E (mod n), the corresponding cubic polynomial x^3 + ax + b has multiple roots (that is, if 4a^3 + 27b^2 = 0)? No problem, the method still works.
■ What kind of elliptic curves are really used in cryptography? Elliptic curves over fields GF(2^n) for n > 150. Dealing with such elliptic curves requires, however, slightly different rules.

FACTORIZATION

Factorization of integers is a very important problem. A variety of techniques has been developed to deal with this problem.
So far the fastest classical factorization algorithms work in time e^{O((log n)^{1/3} (log log n)^{2/3})}. The fastest quantum algorithm for factorization works in (both quantum and classical) polynomial time. In the rest of the chapter several factorization methods will be presented and discussed.

FACTORIZATION on QUANTUM COMPUTERS

In the following we present the basic idea behind a polynomial time algorithm for quantum computers to factorize integers.

Quantum computers work with superpositions of basic quantum states on which very special (unitary) operations are applied and very special quantum features (non-locality) are used.

Quantum computers work not with bits, that can take on any of two values 0 and 1, but with qubits (quantum bits) that can take on any of infinitely many states α|0⟩ + β|1⟩, where α and β are complex numbers such that |α|^2 + |β|^2 = 1.

REDUCTIONS

Shor's polynomial time quantum factorization algorithm is based on an understanding that the factorization problem can be reduced
1. first to the problem of solving a simple modular quadratic equation;
2. second to the problem of finding the period of the functions f(x) = a^x mod n.
FIRST REDUCTION

Lemma. If there is a polynomial time deterministic (randomized) [quantum] algorithm to find a nontrivial solution of the modular quadratic equation a^2 ≡ 1 (mod n), then there is a polynomial time deterministic (randomized) [quantum] algorithm to factorize integers.

Proof. Let a ≠ ±1 be such that a^2 ≡ 1 (mod n). Since a^2 − 1 = (a + 1)(a − 1), if n is not prime, then a prime factor of n has to be a prime factor of either a + 1 or a − 1. By using Euclid's algorithm to compute gcd(a + 1, n) and gcd(a − 1, n) we can find, in O(lg n) steps, a prime factor of n.

SECOND REDUCTION

The second key concept is that of the period of the functions f_{n,x}(k) = x^k mod n. The period is the smallest integer r such that f_{n,x}(k + r) = f_{n,x}(k) for any k, i.e. the smallest r such that x^r ≡ 1 (mod n).

AN ALGORITHM TO SOLVE THE EQUATION x^2 ≡ 1 (mod n)

1. Choose randomly 1 < a < n.
2. Compute gcd(a, n). If gcd(a, n) ≠ 1, we have a factor.
3. Find the period r of the function a^k mod n.
4. If r is odd or a^{r/2} ≡ ±1 (mod n), then go to step 1; otherwise stop.

If this algorithm stops, then a^{r/2} is a non-trivial solution of the equation x^2 ≡ 1 (mod n).

EXAMPLE

Let n = 15. Select a < 15 such that gcd(a, 15) = 1. (The set of such a is {2, 4, 7, 8, 11, 13, 14}.) Choose a = 11. The values of 11^x mod 15 are then 11, 1, 11, 1, 11, 1, which gives r = 2. Hence a^{r/2} = 11 (mod 15). Therefore gcd(15, 12) = 3, gcd(15, 10) = 5.

For a = 14 we get again r = 2, but in this case 14^{2/2} ≡ −1 (mod 15) and the above algorithm fails.

EFFICIENCY of REDUCTION

Lemma. If 1 < a < n satisfying gcd(n, a) = 1 is selected in the above algorithm randomly and n is not a power of a prime, then Pr{r is even and a^{r/2} ≢ ±1 (mod n)} ≥ 1/2.

Corollary. If there is a polynomial time randomized [quantum] algorithm to compute the period of the function f_{n,a}(k) = a^k mod n, then there is a polynomial time randomized [quantum] algorithm to find a non-trivial solution of the equation a^2 ≡ 1 (mod n) (and therefore also to factorize integers).
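The four-step reduction and the efficiency lemma, as an added worked example in Python (not code from the lecture). The period is found by brute force, which is exactly the step a quantum computer replaces by Shor's subroutine; everything after that is the classical post-processing of the slides. good_fraction counts, over every admissible a, how often the candidate a^{r/2} is a nontrivial square root of 1, so the lemma's bound of 1/2 can be checked on n = 15 (the slide's example: 6 of 7 candidates succeed, only a = 14 fails) and on n = 21. The function names are mine.

```python
import math


def period(a, n):
    """Period r of f_{n,a}(k) = a^k mod n, i.e. the order of a modulo n, by brute force.
    Requires gcd(a, n) = 1.  This is the step Shor's quantum subroutine makes fast."""
    r, v = 1, a % n
    while v != 1:
        v = v * a % n
        r += 1
    return r


def factor_via_period(a, n):
    """One pass of the slides' steps 1-4 for a given candidate a.

    Returns the sorted pair (gcd(a^{r/2} - 1, n), gcd(a^{r/2} + 1, n)) when a^{r/2} is a
    nontrivial square root of 1, the pair (g, n/g) when step 2 already finds
    g = gcd(a, n) > 1, and None when the algorithm has to 'go to step 1'."""
    g = math.gcd(a, n)                       # step 2
    if g != 1:
        return tuple(sorted((g, n // g)))
    r = period(a, n)                         # step 3
    if r % 2:                                # step 4: odd period, try another a
        return None
    s = pow(a, r // 2, n)                    # s^2 ≡ 1 (mod n) by the choice of r; s != 1 since r is minimal
    if s == n - 1:                           # s ≡ -1: the trivial root, no information
        return None
    return tuple(sorted((math.gcd(s - 1, n), math.gcd(s + 1, n))))


def good_fraction(n):
    """(successes, candidates) over all 1 < a < n with gcd(a, n) = 1.  The efficiency
    lemma promises successes / candidates >= 1/2 when n is not a prime power."""
    cands = [a for a in range(2, n) if math.gcd(a, n) == 1]
    good = sum(1 for a in cands if factor_via_period(a, n) is not None)
    return good, len(cands)


if __name__ == "__main__":
    print(factor_via_period(11, 15), factor_via_period(14, 15), good_fraction(15))
```

For n = 15 and a = 11 the pair (3, 5) comes out of gcd(15, 10) and gcd(15, 12), as on the slide; for a = 14 the function returns None because 14 ≡ −1 (mod 15).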
A GENERAL SCHEME for Shor's ALGORITHM

The following flow diagram shows the general scheme of Shor's quantum factorization algorithm.

[Flow diagram: choose randomly a ∈ {2, ..., n−1}; compute z = gcd(a, n); if z ≠ 1, output z; otherwise the quantum subroutine finds the period r of the function a^x mod n; if r is not even, choose a new a; otherwise compute z = max{gcd(n, a^{r/2} − 1), gcd(n, a^{r/2} + 1)}; if z = 1, choose a new a, otherwise output z.]

Fermat FACTORIZATION METHOD

Factorization of the so-called Fermat numbers 2^{2^i} + 1 is a good example to illustrate the progress that has been made in the area of factorization.

Pierre de Fermat (1601-65) expected that all numbers F_i = 2^{2^i} + 1, i ≥ 1, are primes. This is true for i = 1, ..., 4: F_1 = 5, F_2 = 17, F_3 = 257, F_4 = 65537.
1732 L. Euler found that F_5 = 4294967297 = 641 · 6700417
1880 Landry + Le Lasseur found that F_6 = 18446744073709551617 = 274177 · 67280421310721
1970 Morrison + Brillhart found the factorization of F_7 (39 digits): F_7 = 340282366920938463463374607431768211457 = 5704689200685129054721 · 59649589127497217
1980 Brent + Pollard found the factorization of F_8
1990 A. K. Lenstra + ... found the factorization of F_9 (155 digits)
Fermat TEST

It follows from the Little Fermat Theorem that if p is a prime, then for all 0 < b < p we have b^{p−1} ≡ 1 (mod p).

Can we say that n is prime if and only if for all 0 < b < n we have b^{n−1} ≡ 1 (mod n)?

No, there are composite numbers n, the so-called Carmichael numbers, such that for all 0 < b < n that are coprime with n it holds that b^{n−1} ≡ 1 (mod n). Such a number is, for example, n = 561.

POLLARD ρ-METH­OD

A variety of factorization algorithms, of complexity around O(√p) where p is the smallest prime factor of n, is based on the following idea:

■ A function f is taken that "behaves like a randomizing function" and satisfies f(x) ≡ f(x mod p) (mod p) for any factor p of n; usually f(x) = x^2 + 1.
■ A random x_0 is taken and the iteration x_{i+1} = f(x_i) mod n is performed (this modulo n computation actually "hides" a modulo p computation in the following sense: if x'_0 = x_0 mod p and x'_{i+1} = f(x'_i) mod p, then x'_i = x_i mod p for all i).
■ Since Z_p is finite, the shape of the sequence x_i mod p will remind one of the letter ρ, with a tail and a loop. Since f is "random", the loop modulo n rarely synchronizes with the loop modulo p.
■ The loop is easy to detect by gcd computations, and it can be shown that the total length of tail and loop is O(√p).

LOOP DETECTION

In order to detect the loop it is enough to perform the following computation:

a ← x_0; b ← x_0;
repeat a ← f(a); b ← f(f(b)) until a = b

The iteration ends with x_t = x_{2t} for some t greater than the tail length and a multiple of the loop length.
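The Fermat test from the slide above and its Carmichael counterexample n = 561, as an added example in Python (not code from the lecture). It checks the congruence b^{n−1} ≡ 1 (mod n) for every base coprime to n, shows that 561 passes all of them although trial division finds the factor 3, and shows that a base sharing a factor with n (here b = 3) is the only kind that exposes a Carmichael number. The function names are mine.

```python
import math


def fermat_test(n, bases):
    """Fermat test: n is declared 'probably prime' if b^(n-1) ≡ 1 (mod n) for every base."""
    return all(pow(b, n - 1, n) == 1 for b in bases)


def passes_all_coprime_bases(n):
    """True iff b^(n-1) ≡ 1 (mod n) for every 0 < b < n coprime to n.  This holds for
    primes and, by definition, for Carmichael numbers such as 561."""
    return all(pow(b, n - 1, n) == 1 for b in range(1, n) if math.gcd(b, n) == 1)


def smallest_factor(n):
    """Smallest prime factor of n by trial division (None if n is prime)."""
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return d
    return None


if __name__ == "__main__":
    print(passes_all_coprime_bases(561), smallest_factor(561), fermat_test(561, [3]))
```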
FIRST Pollard ρ-ALGORITHM

Input: an integer n with a factor smaller than B.
Complexity: O(√B) arithmetic operations.

x_0 ← random; a ← x_0; b ← x_0;
do a ← f(a) mod n; b ← f(f(b) mod n) mod n;
until gcd(a − b, n) ≠ 1
output gcd(a − b, n)

The proof that the complexity of the first Pollard ρ-factorization algorithm is O(√B) arithmetic operations is based on the following result:

Lemma. Let x_0 be random and f be "random" in Z_p, x_{i+1} = f(x_i). The probability that all elements of the sequence x_0, x_1, ..., x_t are pairwise different when t = 1 + ⌊(2λp)^{1/2}⌋ is less than e^{−λ}.

SECOND Pollard ρ-ALGORITHM

Basic idea:
1. Choose an easy to compute f : Z_n → Z_n and x_0 ∈ Z_n. Example: f(x) = x^2 + 1.
2. Keep computing x_{i+1} = f(x_i), i = 0, 1, 2, ... and gcd(x_j − x_k, n), k < j. (Observe that if x_j ≡ x_k mod p for a prime factor p of n, then gcd(x_j − x_k, n) ≥ p.)

Example: n = 91, f(x) = x^2 + 1, x_0 = 1, x_1 = 2, x_2 = 5, x_3 = 26; gcd(x_3 − x_2, n) = gcd(26 − 5, 91) = 7.

Remark: In the ρ-method it is important to choose a function f in such a way that f maps Z_n into Z_n in a "random" way.

Basic question: How good is the ρ-method? (How long do we expect to have to wait before we get two values x_j, x_k such that gcd(x_j − x_k, n) ≠ 1, if n is not a prime?)

ρ-ALGORITHM

A simplification of the basic idea: For each k compute gcd(x_k − x_j, n) for just one j < k. Choose f : Z_n → Z_n and x_0, compute x_k = f(x_{k−1}), k > 0. If k is an (h + 1)-bit integer, i.e.
2^h ≤ k < 2^{h+1}, then compute gcd(x_k − x_{2^h − 1}, n).

Example: n = 4087, f(x) = x^2 + x + 1, x_0 = 2
x_1 = f(2) = 7,        gcd(x_1 − x_0, n) = 1
x_2 = f(7) = 57,       gcd(x_2 − x_1, n) = gcd(57 − 7, n) = 1
x_3 = f(57) = 3307,    gcd(x_3 − x_1, n) = gcd(3307 − 7, n) = 1
x_4 = f(3307) = 2745,  gcd(x_4 − x_3, n) = gcd(2745 − 3307, n) = 1
x_5 = f(2745) = 1343,  gcd(x_5 − x_3, n) = gcd(1343 − 3307, n) = 1
x_6 = f(1343) = 2626,  gcd(x_6 − x_3, n) = gcd(2626 − 3307, n) = 1
x_7 = f(2626) = 3734,  gcd(x_7 − x_3, n) = gcd(3734 − 3307, n) = 61

Disadvantage: We likely will not detect the first case such that for some k_0 there is a j_0 < k_0 with gcd(x_{k_0} − x_{j_0}, n) > 1. This is no real problem! Let k_0 have h + 1 bits. Set j = 2^{h+1} − 1, k = j + k_0 − j_0. Then k has h + 2 bits, gcd(x_k − x_j, n) > 1, and k < 2^{h+2} = 4 · 2^h ≤ 4k_0.
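Both ρ-variants from the slides above, as an added example in Python (not code from the lecture): the first algorithm with the a ← f(a), b ← f(f(b)) loop detection, and the simplification that compares x_k only with x_{2^h − 1}. Run on the slides' own inputs they reproduce the factor 7 of 91 and the factor 61 of 4087 found at k = 7; the comparison-index bookkeeping ((k + 1) & k == 0 detects k = 2^{h+1} − 1) and the function names are mine.

```python
import math


def f_default(x):
    """The slides' usual choice f(x) = x^2 + 1."""
    return x * x + 1


def rho_floyd(n, f=f_default, x0=2):
    """First Pollard rho algorithm: a <- f(a), b <- f(f(b)) until gcd(a - b, n) != 1.
    Returns that gcd; it equals n itself when the loops modulo every prime factor of n
    synchronised (then one restarts with another f or x0)."""
    a = b = x0 % n
    while True:
        a = f(a) % n
        b = f(f(b) % n) % n
        g = math.gcd(a - b, n)
        if g != 1:
            return g


def rho_power_of_two(n, f=f_default, x0=2):
    """Simplified rho algorithm: x_k is compared only with x_{2^h - 1}, 2^h <= k < 2^{h+1}.
    Returns (gcd, k) for the first k with gcd(x_k - x_{2^h - 1}, n) != 1."""
    x = x0 % n
    saved = x                  # x_{2^h - 1}; for h = 0 this is x_0
    k = 0
    while True:
        k += 1
        x = f(x) % n
        g = math.gcd(x - saved, n)
        if g != 1:
            return g, k
        if (k + 1) & k == 0:   # k = 2^{h+1} - 1: from now on compare against this x_k
            saved = x


if __name__ == "__main__":
    print(rho_floyd(91, x0=1), rho_power_of_two(4087, lambda x: x * x + x + 1, 2))
```

On n = 91 with x_0 = 1 the Floyd loop stops at t = 2 (x_2 = 5 against x_4 = 40, gcd(35, 91) = 7), while the power-of-two variant needs k = 4; on n = 4087 the power-of-two variant returns (61, 7), matching the table above, and the Floyd loop finds 61 at t = 4.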
Theorem. Let n be odd and composite and 1 < r < √n its factor. If f, x_0 are chosen randomly, then the ρ-algorithm reveals r in O(n^{1/4} log^3 n) bit operations with high probability. More precisely, there is a constant C > 0 such that for any λ > 0, the probability that the ρ-algorithm fails to find a nontrivial factor of n in C√λ n^{1/4} log^3 n bit operations is less than e^{−λ}.

Proof. Let C_1 be a constant such that gcd(y − z, n) can be computed in C_1 log^3 n bit operations whenever y, z < n. Let C_2 be a constant such that f(x) mod n can be computed in C_2 log^2 n bit operations if x < n. If k_0 is the first index for which there exists j_0 < k_0 with x_{k_0} ≡ x_{j_0} mod r, then the ρ-algorithm finds r in k ≤ 4k_0 steps. The total number of bit operations is bounded by 4k_0(C_1 log^3 n + C_2 log^2 n). By the Lemma, the probability that k_0 is greater than 1 + √(2λr) is less than e^{−λ}. If k_0 ≤ 1 + √(2λr), then the number of bit operations needed to find r is bounded by 4(1 + √(2λr))(C_1 log^3 n + C_2 log^2 n) ≤ 4(1 + √(2λ) n^{1/4})(C_1 log^3 n + C_2 log^2 n). If we choose C > 4√2(C_1 + C_2), then r will be found in C√λ n^{1/4} log^3 n bit operations, unless we made an unlucky choice of (f, x_0), the probability of which is at most e^{−λ}.

COMMENTS

The Pollard ρ-method works fine for integers n with a small factor. The next method, the so-called Pollard (p−1)-method, works fine for n having a prime factor p such that all prime factors of p − 1 are small. When all prime factors of p − 1 are smaller than a B, we say that p − 1 is B-smooth.

POLLARD's p−1 ALGORITHM

Pollard's algorithm (to factor n given a bound b on factors):

a := 2;
for j = 2 to b do a := a^j mod n;
f := gcd(a − 1, n);     (so f = gcd(2^{b!}
− 1, n))
if 1 < f < n then f is a factor of n, otherwise failure.

Indeed, let p be a prime divisor of n and q ≤ b for every prime q | (p − 1) (hence (p − 1) | b!). At the end of the for-loop we have a ≡ 2^{b!} (mod n) and therefore a ≡ 2^{b!} (mod p). By Fermat's theorem 2^{p−1} ≡ 1 (mod p), and since (p − 1) | b! we get a ≡ 2^{b!} ≡ 1 (mod p), and therefore p | (a − 1). Hence p | gcd(a − 1, n).

IMPORTANT OBSERVATIONS II

The Pollard ρ-method works fine for numbers with a small factor. The p−1 method requires that p − 1 is smooth. The elliptic curve method requires only that there are enough smooth integers near p, so that at least one of the randomly chosen integers near p is smooth. This means that the elliptic curves factorization method succeeds much more often than the p−1 method. Fermat factorization and the Quadratic Sieve method discussed later work fine if the integer has two factors of almost the same size.

Fermat FACTORIZATION I

If n = pq, p < √n, then n = ((p + q)/2)^2 − ((q − p)/2)^2 = a^2 − b^2. Therefore, in order to find a factor of n, we need only to investigate the values x = a^2 − n for a = ⌊√n⌋ + 1, ⌊√n⌋ + 2, ..., (n − 1)/2 until a perfect square is found.

Fermat FACTORIZATION

Basic idea: Factorization is easy if one finds x, y such that n | (x^2 − y^2).

Proof: If n divides (x + y)(x − y) and n divides neither x + y nor x − y, then one factor of n has to divide x + y and another one x − y.

Example: n = 7429 = 227^2 − 210^2, x = 227, y = 210; x − y = 17, x + y = 437; gcd(17, 7429) = 17, gcd(437, 7429) = 437.

How to find such x and y?
First idea: one tries all t starting with ⌈√n⌉ until t^2 − n is a square s^2.
Second idea: One forms a system of (modular) linear equations and determines x and y from the solutions of such a system.
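Pollard's p−1 algorithm from the slide above, as an added example in Python (not code from the lecture), together with the smoothness condition that decides whether it can work. The constructed modulus 1403 = 23 · 61 is mine: 61 − 1 = 60 = 2^2 · 3 · 5 is 5-smooth while 23 − 1 = 22 has the prime factor 11, so with b = 5 only 61 is caught by gcd(2^{5!} − 1, n). The second test uses Euler's F_5 = 641 · 6700417 from the Fermat numbers slide to show the failure branch: 641 − 1 = 640 = 2^7 · 5 is 5-smooth, but 2^{32} ≡ −1 (mod F_5) gives 2 the order 64 modulo both prime factors, so a ≡ 1 (mod n) and gcd(a − 1, n) = n, which the algorithm reports as failure. The function names and the extra base parameter are mine.

```python
import math


def pollard_p_minus_1(n, b, base=2):
    """Pollard's p-1 method as on the slide: build a = base^{b!} mod n one exponent j
    at a time, then f = gcd(a - 1, n).  Returns f if 1 < f < n, else None (failure)."""
    a = base % n
    for j in range(2, b + 1):
        a = pow(a, j, n)             # invariant after this line: a = base^{j!} mod n
    f = math.gcd(a - 1, n)           # f = n when every prime factor p has (p-1) | b!
    return f if 1 < f < n else None


def largest_prime_factor(m):
    """Largest prime factor of m; p - 1 is b-smooth iff largest_prime_factor(p - 1) <= b."""
    d, best = 2, 1
    while d * d <= m:
        while m % d == 0:
            best, m = d, m // d
        d += 1
    return max(best, m) if m > 1 else best


if __name__ == "__main__":
    print(pollard_p_minus_1(1403, 5), pollard_p_minus_1(4294967297, 8))
```

Note that the bound b must cover the largest prime power dividing p − 1, not just the largest prime: 2^7 | 640 requires 2^7 | b!, which first holds for b = 8.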
number of digits of n    50     60     70     80      90      100     110      120
number of equations      3000   4000   7400   15000   30000   51000   120000   245000

METHOD of QUADRATIC SIEVE to FACTORIZE an INTEGER n

Step 1: One finds numbers x such that x^2 − n is small and has small factors.

Example:
83^2 − 7429 = −540 = (−1) · 2^2 · 3^3 · 5
87^2 − 7429 = 140 = 2^2 · 5 · 7          } relations
88^2 − 7429 = 315 = 3^2 · 5 · 7

Step 2: One multiplies some of the relations if their product is a square. For example (87^2 − 7429)(88^2 − 7429) = 2^2 · 3^2 · 5^2 · 7^2 = 210^2. Now (87 · 88)^2 ≡ (87^2 − 7429)(88^2 − 7429) (mod 7429), i.e. 227^2 ≡ 210^2 (mod 7429). Hence 7429 divides 227^2 − 210^2.

Formation of equations: For the i-th relation one takes a variable λ_i and forms the expression
((−1) · 2^2 · 3^3 · 5)^{λ_1} · (2^2 · 5 · 7)^{λ_2} · (3^2 · 5 · 7)^{λ_3} = (−1)^{λ_1} · 2^{2λ_1 + 2λ_2} · 3^{3λ_1 + 2λ_3} · 5^{λ_1 + λ_2 + λ_3} · 7^{λ_2 + λ_3}.
If this is to form a square, the following equations have to hold:
λ_1 ≡ 0 (mod 2)
λ_1 + λ_2 + λ_3 ≡ 0 (mod 2)
λ_2 + λ_3 ≡ 0 (mod 2)
with the solution λ_1 = 0, λ_2 = λ_3 = 1.

METHOD of QUADRATIC SIEVE to FACTORIZE n

Problem: How to find relations? Using the algorithm called the Quadratic sieve method.

Step 1: One chooses a set of primes that can be factors, a so-called factor basis. One chooses an m such that m^2 − n is small and considers the numbers (m + u)^2 − n for −k ≤ u ≤ k for small k.
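Steps 1 and 2 above, and the λ-equations, as an added example in Python (not code from the lecture). Relations are collected over the factor basis {2, 3, 5, 7} for x = m + u with m = 86 and −3 ≤ u ≤ 3 (the slide's parameters for n = 7429), the exponent vectors are reduced modulo 2 and a dependency is found by Gaussian elimination over GF(2) (the system of λ-equations solved mechanically rather than by hand), and the dependent relations are multiplied into x^2 ≡ y^2 (mod n). With these inputs the only dependency is relations 87 and 88, giving x = 227, y = 210 and the factor 17, exactly as on the slides. The function names and the bit-mask representation of the equations are mine.

```python
import math


def factor_over_base(v, base):
    """Exponent vector of v over [-1] + base (sign first); None if v is not base-smooth."""
    exps = [1 if v < 0 else 0]
    v = abs(v)
    for p in base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def find_relations(n, m, k, base):
    """Step 1: every x = m + u, -k <= u <= k, whose x^2 - n factors over the base."""
    rels = []
    for u in range(-k, k + 1):
        x = m + u
        vec = factor_over_base(x * x - n, base)
        if vec is not None:
            rels.append((x, vec))
    return rels


def dependencies(vectors):
    """Gaussian elimination over GF(2) on the exponent vectors reduced mod 2.  Each
    row carries a 'history' mask recording which relations were XORed into it; a
    row that reduces to zero yields the index set of a product that is a square."""
    pivots = {}                                  # lowest set bit -> (row mask, history)
    for idx, v in enumerate(vectors):
        mask = sum(1 << i for i, e in enumerate(v) if e % 2)
        hist = 1 << idx
        while mask:
            low = mask & -mask
            if low not in pivots:
                pivots[low] = (mask, hist)
                break
            pm, ph = pivots[low]
            mask ^= pm
            hist ^= ph
        else:                                    # mask became 0: a dependency was found
            yield [i for i in range(len(vectors)) if hist >> i & 1]


def qs_factor(n, m, k, base):
    """Step 2: multiply a dependent set of relations into x^2 ≡ y^2 (mod n) and take
    gcds.  Returns (x, y, factor), or None if no combination splits n."""
    rels = find_relations(n, m, k, base)
    for dep in dependencies([vec for _, vec in rels]):
        x = 1
        total = [0] * (len(base) + 1)
        for i in dep:
            x = x * rels[i][0] % n
            total = [t + e for t, e in zip(total, rels[i][1])]
        y = 1                                    # every entry of total is even here
        for p, e in zip(base, total[1:]):        # the sign (-1)^(e/2) does not affect the gcds
            y = y * pow(p, e // 2, n) % n
        for g in (math.gcd(x - y, n), math.gcd(x + y, n)):
            if 1 < g < n:
                return x, y, g
    return None


if __name__ == "__main__":
    print(find_relations(7429, 86, 3, [2, 3, 5, 7]))
    print(qs_factor(7429, 86, 3, [2, 3, 5, 7]))
```

Widening the interval (larger k) or the factor basis adds relations and hence more dependencies; the first dependency that yields a nontrivial gcd is returned, so the factor reported can then differ from 17.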
One then tries to factor all (m + u)^2 − n with primes from the factor basis, from the smallest to the largest (m = 86, n = 7429; a blank cell means the value was not changed by that prime):

u     (m + u)^2 − n   sieve with 2   sieve with 3   sieve with 5   sieve with 7
−3    −540            −135           −5             −1
−2    −373
−1    −204            −51            −17
 0    −33                            −11
 1    140             35                            7              1
 2    315                            35             7              1
 3    492             123            41

In order to factor a 129-digit number from the RSA challenge they used 8 424 486 relations, 569 466 equations and 544 939 elements in the factor base.

APPENDIX to CHAPTER 8

HISTORY of ELLIPTIC CURVES CRYPTOGRAPHY

■ The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985.
■ Behind this method is the belief that computing the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible.
■ At first elliptic curves over a prime finite field were used for ECC. Later also elliptic curves over the fields GF(2^m) started to be used.
■ In 2005 the US NSA endorsed the use of ECC (elliptic curves cryptography) with 384-bit keys to protect information classified as "top secret".
■ There are patents in force covering certain aspects of ECC technology.
■ Elliptic curves were first used for factorization by Lenstra.
■ Elliptic curves played an important role in perhaps the most celebrated mathematical proof of the last hundred years, the proof of Fermat's Last Theorem, due to A. Wiles and R. Taylor.

SECURITY of ELLIPTIC CURVE CRYPTOGRAPHY

■ Security of ECC depends on the difficulty of solving the discrete logarithm problem over elliptic curves.
■ Two general methods of solving such discrete logarithm problems are known: the square root method and the Silver-Pohlig-Hellman (SPH) method.
■ The SPH method factors the order of a curve into small primes and solves the discrete logarithm problem as a combination of discrete logarithms for small numbers.
■ The computation time of the square root method is proportional to O(√n), where n is the order of the base element of the curve.

FACTORIZATION of a 512-BIT NUMBER

On August 22, 1999, a team of scientists from 6 countries found, after 7 months of computing, using 300 very fast SGI and SUN workstations and Pentium IIs, the factors of the so-called RSA-155 number with 512 bits (about 155 digits).

RSA-155 was a number from a challenge list issued by the US company RSA Data Security and "represented" 95 % of the 512-bit numbers used as keys to protect electronic commerce and financial transmissions on the Internet.

Factorization of RSA-155 would require in total 37 years of computing time on a single computer.

When in 1977 Rivest and his colleagues challenged the world to factor RSA-129, he estimated that, using the knowledge of that time, the factorization of RSA-129 would require 10^16 years.

LARGE NUMBERS

Hindus named many large numbers, one having 153 digits. Romans initially had no terms for numbers larger than 10^4. Greeks had a popular belief that no number is larger than the total count of sand grains needed to fill the universe.

Large numbers with special names: googol = 10^100, googolplex = 10^{10^100}.
FACTORIZATION of very large NUMBERS

W. Keller factorized F_{23471}, which has 10^{7000} digits.

J. Harley factorized 10^{10^{1000}} + 1. One factor: 316,912,650,057,350,374,175,801,344,000,001.

In 1992 E. Crandall and Doenias proved, using a computer, that F_{22}, which has more than a million digits, is composite (but no factor of F_{22} is known).

The number 10^{10^{34}} was used to develop a theory of the distribution of prime numbers.

Part IX
Identification, authentication, secret sharing and e-commerce

USER IDENTIFICATION and MESSAGE AUTHENTICATION, SECRET SHARING and E-COMMERCE

Most of today's cryptographic applications ask for authenticity of data rather than for secret data. The main related problems to deal with are:

1. User identification (authentication): How can a person/computer prove her/his identity?
2. Message authentication: Can tools be provided to find out, for the recipient, that the message is indeed from the person who was supposed to send it?
3. Message integrity (authentication): Can tools be provided to decide, for the recipient, whether or not the message was changed on the fly?

Important practical objectives are to find identification schemes that are so simple that they can be implemented on smart cards; these are essentially credit cards equipped with a chip that can perform arithmetical operations and communications.
E-commerce: One of the main new applications of cryptographic techniques is to establish secure and convenient manipulation with digital money (e-money), especially for e-commerce.
USER IDENTIFICATION (AUTHENTICATION)
User identification (authentication) is a process in which one party (often referred to as a Prover, or Alice) convinces a second party (often referred to as a Verifier, or Bob) of the Prover's identity; namely, that the Prover (Alice) herself has actually participated in the identification process. In other words, the Prover has herself been active in proving her identity at the time the confirming evidence of her identity was required.
The purpose of any identification (authentication) process is to preclude impersonation of one person (the Prover) by someone else. Identification usually serves to control access to a resource (often a resource that should be accessed only by privileged users).
OBJECTIVES of IDENTIFICATION
A user identification process has to satisfy the following objectives:
■ The Verifier has to accept the Prover's identity if both parties are honest;
■ The Verifier cannot later, after a successful identification, act as the Prover and identify himself (as the Prover) to another Verifier;
■ A dishonest party, say E, that claims to be another party, say A, has only a negligible chance to identify itself successfully as A;
■ Each of the above conditions remains true even if an attacker has observed, or has participated in, several identification processes of the same party.
USER IDENTIFICATION PROTOCOLS
Identification protocols have to satisfy two security conditions:
1. If one party, say Bob (a Verifier), gets a message from another party that claims to be Alice (a Prover), then Bob is able to verify that the sender was indeed Alice.
2. There is no way for a third party, say Charles, to pretend when communicating with Bob that he is Alice without Bob having a large chance to find that out.
IDENTIFICATION SYSTEM BASED on a PKC
■ Alice chooses a random r and sends e_B(r) to Bob.
■ Alice identifies the communicating person as Bob if he can send her back r.
■ Bob identifies the communicating person as Alice if she can send him back r.
A misuse of the above system. We show that a dishonest Alice could misuse the above identification scheme. Indeed, Alice could intercept a communication of Jane (some new "player") with Bob, obtain the cryptotext e_B(w) that Jane has sent to Bob, and then send e_B(w) to Bob herself. Honest Bob, who follows the protocol fully, would return w to Alice, and she would obtain the plaintext w this way. Bob is acting as a decryption oracle: nothing in the scheme lets him check that the ciphertext he is asked to decrypt was produced by the party he is talking to.
IDENTIFICATION SYSTEM BASED on a PKC - a better version
■ Alice chooses a random r and sends e_B(r) to Bob.
■ Alice identifies the communicating person as Bob if he can send her back r through e_A(r, r1) for a random r1.
■ Bob identifies the communicating person as Alice if she can send him back r, r1.
Note, however, that Bob still decrypts any e_B(.) he receives and returns the plaintext (now inside e_A(., r1)) to whoever claims to be Alice, so the replay of Jane's e_B(w) still yields w to a dishonest Alice. The signed three-way exchange later in this chapter avoids this, because no party decrypts a value that is not covered by the other party's signature on the current run.
ELEMENTARY AUTHENTICATION PROTOCOLS - USER IDENTIFICATION
Static means of identification: People can be identified by their attributes (fingerprints), possessions (passports), or knowledge (passwords, PINs).
Dynamic means of identification: Challenge-and-response protocols.
Example: Both Alice and Bob share a key k and a keyed one-way function f_k (in practice a MAC such as HMAC).
1. Bob sends Alice a random number, or a random string, RAND.
2. Alice sends Bob PI = f_k(RAND).
3. When Bob gets PI, he verifies whether PI = f_k(RAND). If yes, he starts to believe that the person he has communicated with is Alice (more exactly, that it is the person who holds k and answered the RAND he sent).
The process can be repeated to increase the probability of a correct identification. For the protocol to work, RAND must be fresh and unpredictable: if a challenge is ever reused, an eavesdropper can replay the PI she recorded for it.
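The challenge-and-response exchange above, as an added example that is not part of the original slides. It instantiates f_k with HMAC-SHA256 from Python's standard library and adds one thing the slide leaves implicit: a direction tag inside the authenticated string (an assumption of this example), which is what makes a reflected challenge fail. The shared key and the two attacker scenarios are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed shared key k for the example; real deployments provision it out of band.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Direction tags are an assumption beyond the slide: they bind a response to who is
# proving to whom, which is what defeats the reflection attack shown below.
A_TO_B = b"Alice->Bob"
B_TO_A = b"Bob->Alice"


def f_k(key: bytes, data: bytes) -> bytes:
    """The keyed one-way function f_k of the slide, instantiated as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def challenge() -> bytes:
    """Step 1: the verifier picks a fresh, unpredictable RAND (16 random bytes here)."""
    return secrets.token_bytes(16)


def respond(key: bytes, direction: bytes, rand: bytes) -> bytes:
    """Step 2: the prover returns PI = f_k(direction || RAND)."""
    return f_k(key, direction + rand)


def verify(key: bytes, direction: bytes, rand: bytes, pi: bytes) -> bool:
    """Step 3: the verifier recomputes f_k and compares in constant time."""
    return hmac.compare_digest(f_k(key, direction + rand), pi)


def honest_run(key: bytes = SHARED_KEY, rounds: int = 3) -> bool:
    """Alice proves to Bob; repeating the round lowers a guesser's chance further."""
    return all(verify(key, A_TO_B, r, respond(key, A_TO_B, r))
               for r in (challenge() for _ in range(rounds)))


def replay_attack(key: bytes = SHARED_KEY) -> bool:
    """Eve records (RAND, PI) from an earlier run and replays PI to a new challenge."""
    old_rand = challenge()
    old_pi = respond(key, A_TO_B, old_rand)        # observed on the wire
    return verify(key, A_TO_B, challenge(), old_pi)  # False: the fresh RAND differs


def reflection_attack(key: bytes = SHARED_KEY, bound: bool = True) -> bool:
    """Eve, claiming to be Alice, receives Bob's RAND, opens a second session in which
    she challenges Bob with the very same RAND, and forwards Bob's own answer back to
    him. With direction tags Bob answers f_k("Bob->Alice" || RAND), which is not what
    he expects from Alice; without them (bound=False) Bob accepts his own answer."""
    rand = challenge()                                       # Bob -> "Alice" (really Eve)
    bob_answer = respond(key, B_TO_A if bound else b"", rand)   # Bob answers Eve's reflected RAND
    return verify(key, A_TO_B if bound else b"", rand, bob_answer)  # Eve forwards it to Bob
```

Each honest round succeeds; replaying an old PI fails because the new RAND is unpredictable; the reflection attack, in which Eve makes Bob answer his own challenge, fails only when the response is bound to the direction of the proof.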
MESSAGE AUTHENTICATION - to be discussed in detail later
MAC method (Message Authentication Code): Alice and Bob share a key k and an authentication algorithm A_k.
1. With a message m, Alice sends (m, A_k(m)); the MAC is here A_k(m).
2. If Bob gets (m', MAC), then he computes A_k(m') and compares it with MAC.
THREE-WAY AUTHENTICATION and also KEY AGREEMENT I
A PKC will be used with encryption/decryption algorithms (e_U, d_U) for each user U, and a DSS with signing/verification algorithms (s_U, v_U). Alice and Bob have their public identity strings I_A and I_B.
1. Alice chooses a random integer r_A, sets t = (I_B, r_A), signs it as sig_{s_A}(t) and sends m1 = (t, sig_{s_A}(t)) to Bob.
2. Bob verifies Alice's signature, chooses a random r_B and a random session key k.
He then encrypts k with Alice's public key to get c = e_A(k), sets t1 = (I_A, r_A, r_B, c), and signs it as sig_{s_B}(t1). Then he sends m2 = (t1, sig_{s_B}(t1)) to Alice.
THREE-WAY AUTHENTICATION and KEY AGREEMENT II
3. Alice verifies Bob's signature sig_{s_B}(t1) on t1 = (I_A, r_A, r_B, c), and then checks that the r_A she just got matches the one she generated in Step 1. Once verified, she is convinced that she is communicating with Bob. She gets the session key k via d_A(c) = d_A(e_A(k)) = k, sets t2 = (I_B, r_B) and signs it as sig_{s_A}(t2). Then she sends m3 = (t2, sig_{s_A}(t2)) to Bob.
4. Bob verifies Alice's signature and checks that the r_B he just got matches his choice in Step 2.
If both verifications pass, Alice and Bob have mutually authenticated each other's identity and, in addition, have agreed upon the session key k. The signatures bind each nonce to the intended peer's identity, which is what stops a third party from relaying one run into another; the comparison of the nonces with the values chosen in the current run is what stops replays of old signed messages.
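Both the naive PKC identification scheme with its misuse and the signed three-way exchange above, as one added example that is not part of the original slides. It uses textbook RSA with fixed primes as a toy stand-in for (e_U, d_U) and (s_U, v_U): the primes, the hashing of tuples before signing, and the use of a single key pair per user for both encryption and signing are assumptions made to keep the example short, not what a real deployment would do (real RSA needs padding, and signing and encryption keys are kept separate).

```python
import hashlib
import secrets

# Toy "textbook" RSA with constructed fixed primes, used only to make the message flow
# concrete. E = 65537 is coprime to both phi(n) values below.
E = 65537


def keygen(p: int, q: int) -> tuple:
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)                  # (public, private)


def encrypt(pub, m: int) -> int:
    return pow(m, pub[1], pub[0])


def decrypt(priv, c: int) -> int:
    return pow(c, priv[1], priv[0])


def h(t: tuple, n: int) -> int:
    """Hash a tuple of bytes/ints into Z_n before signing (assumed encoding)."""
    data = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in t)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, t: tuple) -> int:
    return pow(h(t, priv[0]), priv[1], priv[0])


def verify(pub, t: tuple, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == h(t, pub[0])


# Long-term keys; in this toy one RSA pair per user serves as (e_U, d_U) and (v_U, s_U).
PUB_A, PRIV_A = keygen(1000000007, 998244353)
PUB_B, PRIV_B = keygen(2147483647, 1000000009)
I_A, I_B = b"Alice", b"Bob"


def pkc_identification_misuse() -> bool:
    """Naive scheme: Bob answers e_B(r) with r. A dishonest Alice replays Jane's
    cryptotext e_B(w) and Bob, following the protocol, hands her Jane's plaintext w."""
    w = secrets.randbelow(PUB_B[0])             # Jane's secret plaintext
    intercepted = encrypt(PUB_B, w)             # e_B(w) as seen on the wire
    bob_reply = decrypt(PRIV_B, intercepted)    # Bob "identifies" the sender by decrypting
    return bob_reply == w                       # True: Bob acted as a decryption oracle


def three_way(tamper_rB: bool = False):
    """Mutual authentication plus session-key agreement. Returns (ok, k_alice, k_bob);
    tamper_rB=True makes Alice return a wrong nonce in step 3 so Bob's check fails."""
    # Step 1: Alice -> Bob: m1 = (t, sig_sA(t)) with t = (I_B, r_A)
    r_A = secrets.randbits(64)
    t = (I_B, r_A)
    m1 = (t, sign(PRIV_A, t))
    # Step 2: Bob verifies, picks r_B and k, c = e_A(k), signs t1 = (I_A, r_A, r_B, c)
    if not verify(PUB_A, m1[0], m1[1]) or m1[0][0] != I_B:
        return False, None, None
    r_B, k = secrets.randbits(64), secrets.randbits(56)   # k < n_A so RSA can carry it
    c = encrypt(PUB_A, k)
    t1 = (I_A, m1[0][1], r_B, c)
    m2 = (t1, sign(PRIV_B, t1))
    # Step 3: Alice verifies, checks r_A is hers, decrypts k, signs t2 = (I_B, r_B)
    if not (verify(PUB_B, m2[0], m2[1]) and m2[0][0] == I_A and m2[0][1] == r_A):
        return False, None, None
    k_alice = decrypt(PRIV_A, m2[0][3])
    t2 = (I_B, m2[0][2] ^ (1 if tamper_rB else 0))
    m3 = (t2, sign(PRIV_A, t2))
    # Step 4: Bob verifies and checks that r_B matches his own choice
    ok = verify(PUB_A, m3[0], m3[1]) and m3[0][0] == I_B and m3[0][1] == r_B
    return ok, k_alice, k
```

The decisive checks are the two nonce comparisons in steps 3 and 4: a valid old signature replayed by an attacker carries a stale nonce and is rejected even though its signature verifies.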
DATA AUTHENTICATION
The goal of data authentication schemes (protocols) is to handle the case that data are sent through insecure channels. By creating a so-called Message Authentication Code (MAC) and sending this MAC, together with the message, through the insecure channel, one creates the possibility to verify whether the data were changed in the channel. The price to pay is that the communicating parties need to share a secret random key that has to be transmitted through a secure channel.
SCHEMES for DATA AUTHENTICATION
The basic difference between MACs and digital signatures is that MACs are symmetric in the following sense: anyone who is able to verify the MAC of a message is also able to generate the same MAC, and vice versa. A MAC therefore provides no non-repudiation: the receiver could have produced the tag himself.
A scheme (M, T, K) for data authentication is given by:
M is a set of possible messages (data)
T is a set of possible MACs (tags)
K is a set of possible keys
Moreover, it is required that
■ to each k from K there is a single and easy to compute authentication mapping auth_k : {0,1}* × M → T (the first argument is the randomness the tagging may use),
■ and a single and easy to compute verification mapping ver_k : M × T → {true, false},
such that the following two conditions are satisfied:
Correctness: For each m from M and k from K it holds that ver_k(m, c) = true if there exists an r from {0,1}* such that c = auth_k(r, m).
Security: For any m ∈ M and any k ∈ K it is computationally infeasible, without knowledge of k, to find t ∈ T such that ver_k(m, t) = true. (In the usual stronger form of this condition the attacker may first obtain tags of messages of his choice and must then forge a tag for a message he has not queried.)
FROM BLOCK CIPHERS to MAC - CBC-MAC
Let C be an encryption algorithm that maps k-bit strings into k-bit strings. If a message m = m1 m2 ... ml is divided into blocks of length k, then the so-called CBC mode of encryption assumes a choice (random) of a special block y0 of length k and performs the following computations for i = 1, ..., l:
y_i = C(y_{i-1} ⊕ m_i),
and then y1 || y2 || ... || yl is the encryption of m, and yl can then be considered as the MAC for m. A modification of this method is to use another crypto-algorithm to encrypt the last block ml.
Two caveats for using this as a MAC: y0 must be a fixed public block (usually 0^k), because with a random y0 sent along with the message anyone can flip the same bits in y0 and in m1 without changing yl; and plain CBC-MAC is secure only for messages of one fixed length, as the weakness on the next slide shows.
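CBC-MAC as defined above, as an added example that is not part of the original slides, together with the forgery the next slide describes (from three valid message/tag pairs an attacker builds a fourth valid pair without the key) and a demonstration of why y0 must be a fixed block. The block cipher C is a toy 4-round Feistel permutation built from SHA-256, an assumption of this example that stands in for a real cipher; the keys and messages are constructed.

```python
import hashlib
import secrets

BLOCK = 8  # the block length k of the slide, here 64 bits


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def C(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on 8-byte blocks with a SHA-256 round function.
    A stand-in (assumption of this example) for the block cipher C of the slide; the
    forgery below works for any choice of C."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right


def cbc_mac(key: bytes, m: bytes, y0: bytes = bytes(BLOCK)) -> bytes:
    """CBC-MAC of the slide: y_i = C(y_{i-1} xor m_i) for i = 1..l, tag = y_l.
    y0 defaults to the fixed block 0^k, which is what a MAC must use."""
    assert m and len(m) % BLOCK == 0, "message must be a whole number of blocks"
    y = y0
    for i in range(0, len(m), BLOCK):
        y = C(key, _xor(y, m[i:i + BLOCK]))
    return y


def length_extension_forgery(key: bytes = None) -> bool:
    """The attacker holds (m1,t1), (m2,t2), (m3,t3) with m1, m3 single blocks and
    m2 = m1 || B || m2'. With B' = B xor t1 xor t3 we get C(B' xor t3) = C(B xor t1),
    so every later chaining value of m4 = m3 || B' || m2' equals that of m2: MAC(m4) = t2."""
    key = key or secrets.token_bytes(16)
    m1, m3, B, m2_rest = b"block-m1", b"block-m3", b"blockB!!", b"rest-one" + b"rest-two"
    m2 = m1 + B + m2_rest
    t1, t2, t3 = cbc_mac(key, m1), cbc_mac(key, m2), cbc_mac(key, m3)  # the three observed tags
    m4 = m3 + _xor(_xor(B, t1), t3) + m2_rest
    return m4 != m2 and cbc_mac(key, m4) == t2   # True: (m4, t2) verifies, key never used


def random_iv_forgery(key: bytes = None) -> bool:
    """Why y0 must be fixed: if a random y0 travels with the message, flipping the same
    bits in y0 and in m_1 leaves y_1, and hence the tag, unchanged."""
    key = key or secrets.token_bytes(16)
    y0, m = secrets.token_bytes(BLOCK), b"block-m1" + b"block-m2"
    t = cbc_mac(key, m, y0)
    delta = b"\xff" + bytes(BLOCK - 1)
    return cbc_mac(key, _xor(m[:BLOCK], delta) + m[BLOCK:], _xor(y0, delta)) == t
```

Both functions return True, i.e. both forgeries verify. The slide's variant of encrypting the last block under a second key (and, in standards, CMAC's tweak of the last block) is what removes the length-extension property.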
SPECIAL WEAKNESS of the CBC-MAC METHOD
Let us have three message/MAC pairs (m1, t1), (m2, t2), (m3, t3), where the messages m1, m3 (and also t1, t3) are of length k and m2 = m1 || B || m2' for some block B of length k and some remainder m2'. The encryption of the block B within m2 is C(B ⊕ t1). If we now define B' = B ⊕ t1 ⊕ t3 and m4 = m3 || B' || m2', then, during the encryption of m4, we get C(B' ⊕ t3) = C(B ⊕ t1), and all later blocks are processed identically. This implies that the MACs for m4 and m2 are the same. One can therefore forge a new valid pair (m4, t2) without knowing the key.
ANALYSIS of CBC-MAC - a view
Theorem. Given are two independent random permutations C1 and C2 on the set of message blocks M of cardinality n. Let us define MAC(m1, m2, ..., ml) = C2(C1(C1(... C1(C1(m1) ⊕ m2) ⊕ ...) ⊕ m_{l-1}) ⊕ ml). Let us assume that the MAC function is implemented by an oracle, and consider an adversary who can send queries to the oracle with a limited total length of q. Let m1, ..., md denote the finite block sequences on M which are sent by the adversary to the oracle and let the total number of blocks be less than q. Let the purpose of the adversary be to output a message m which is different from all mi together with its MAC value c. Then the probability of success of the adversary (i.e. the probability that his MAC value is correct) is smaller than 2 n — q n — d 1 O2 _ When q = On2, this is approximately a= — (which is greater than 1 — e a )
Implication: if the total length of all authenticated messages is negligible against √n, then there is no better way than the brute-force attack to get collisions on the CBC-MAC.
FROM HASH FUNCTIONS TO HMAC
So-called HMAC was published as the Internet standard RFC 2104.
FROM HASH FUNCTIONS TO HMAC
Let a hash function h process messages by blocks of b bytes and produce a digest of l bytes, and let t be the size of the MAC, in bytes. HMAC of a message m with a key k is computed as follows:
■ If k has more than b bytes, replace k with h(k).
■ Append zero bytes to k to have exactly b bytes.
■ Compute (using the constant strings opad and ipad, each b bytes long) h((k ⊕ opad) || h((k ⊕ ipad) || m)) and truncate the result to its t leftmost bytes to get HMAC_k(m).
There is a variety of HMAC systems and they are usually specified by the hash function that is used (HMAC-MD5, HMAC-SHA1, HMAC-SHA256, ...). In RFC 2104 ipad is the byte 0x36 and opad the byte 0x5C, each repeated b times.
SECURITY of HMAC
It can be shown that if
■ h((k ⊕ ipad) || m) defines a secure MAC on fixed-length messages, and
■ h is collision free,
then HMAC is a secure MAC on variable-length messages with two independent keys. More precisely:
Theorem. Let h be a hash function which hashes into l bits. Given k1, k2 from {0,1}^l consider the following MAC algorithm
MAC_{k1,k2}(m) = h(k2 || h(k1 || m)).
If h is collision free and m → h(k2 || m) is a secure MAC algorithm for messages m of the fixed length l, then MAC_{k1,k2} is a secure MAC algorithm for messages of arbitrary length.
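The three-step HMAC construction above, as an added example that is not part of the original slides, written from the RFC 2104 description with SHA-256 as h (b = 64, l = 32) and cross-checked against Python's standard hmac module; the two helpers at the end implement the (m, A_k(m)) MAC method of the earlier slide with HMAC as A_k. Keys and messages are constructed for the example.

```python
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_rfc2104(key: bytes, m: bytes, h=hashlib.sha256, t=None) -> bytes:
    """HMAC exactly as the slide states it: key normalised to b bytes, inner hash,
    outer hash, optional truncation to the t leftmost bytes."""
    b = h().block_size                      # b = 64 bytes for SHA-256 (128 for SHA-512)
    if len(key) > b:                        # step 1: a key longer than a block is hashed first
        key = h(key).digest()
    key = key.ljust(b, b"\x00")             # step 2: append zero bytes up to exactly b bytes
    ipad, opad = bytes([0x36]) * b, bytes([0x5C]) * b   # the RFC 2104 constants
    inner = h(_xor(key, ipad) + m).digest()             # h((k xor ipad) || m)
    tag = h(_xor(key, opad) + inner).digest()           # h((k xor opad) || inner)
    return tag if t is None else tag[:t]                # step 3: truncate to t bytes


def matches_stdlib(key: bytes, m: bytes) -> bool:
    """Cross-check against the standard library's implementation of the same RFC."""
    return hmac_rfc2104(key, m) == hmac.new(key, m, hashlib.sha256).digest()


def tag_message(key: bytes, m: bytes, t: int = 16):
    """The MAC method: Alice sends (m, A_k(m)); here A_k is HMAC truncated to t bytes."""
    return m, hmac_rfc2104(key, m, t=t)


def check_message(key: bytes, m: bytes, mac: bytes) -> bool:
    """Bob recomputes A_k(m') and compares; compare_digest avoids leaking through
    timing how many leading bytes of a wrong tag matched."""
    return hmac.compare_digest(hmac_rfc2104(key, m, t=len(mac)), mac)
```

The nested structure matters: for Merkle-Damgård hashes such as SHA-256, the naive h(k || m) allows an attacker who sees one tag to append data and compute the tag of the extended message (length extension), which the outer hash in HMAC prevents.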
DISADVANTAGE of STATIC USER IDENTIFICATION SCHEMES
Everybody who knows your password or PIN can impersonate you. Better are dynamic means of identification, for example challenge-and-response protocols.
Basic idea.
■ Alice claims the ability to solve some hard problem P.
■ Bob challenges her ability by asking her to solve a particular instance of the problem P.
■ If she succeeds, then Bob is inclined to believe he is indeed communicating with Alice.
Using so-called zero-knowledge identification schemes, discussed in the next chapter, you can identify yourself without giving the identifier (the Verifier) the ability to impersonate you.
SIMPLIFIED Fiat-Shamir IDENTIFICATION SCHEME
A trusted authority (TA) chooses large random primes p, q, computes n = pq, and chooses a quadratic residue v ∈ QR_n and an s such that s^2 ≡ v (mod n). The factorization of n stays secret.
public key: v
private key: s (that Alice knows, but not Bob)
Challenge-response identification protocol
1. Alice chooses a random r < n, computes x = r^2 mod n and sends x to Bob.
2. Bob sends Alice a random bit (a challenge) b.
3. Alice sends Bob (a response) y = r s^b mod n.
4. Bob identifies the sender as Alice if and only if y^2 ≡ x v^b (mod n), which is taken as a proof that the sender knows square roots of x and of v.
This protocol is a so-called single accreditation protocol: Alice proves her identity by convincing Bob that she knows the square root s of v (without revealing s to Bob) and the square root r of x. If the protocol is repeated t times, Alice has a chance 2^{-t} to fool Bob if she does not know s.
ANALYSIS of Fiat-Shamir IDENTIFICATION I
public key: v; private key: s (of Alice) such that s^2 ≡ v (mod n).
Protocol
1. Alice chooses a random r < n, computes x = r^2 mod n and sends x (her commitment) to Bob.
2. Bob sends Alice a random bit b (a challenge).
3. Alice sends Bob (a response) y = r s^b mod n.
4. Bob accepts if and only if y^2 ≡ x v^b (mod n), which proves that Alice knows a square root of x v^b.
ANALYSIS of Fiat-Shamir IDENTIFICATION II
Analysis
1. The first message is a commitment by Alice that she knows a square root of x.
2. The second message is a challenge by Bob.
■ If Bob sends b = 0, then Alice has to open her commitment and reveal r.
■ If Bob sends b = 1, then Alice has to show her secret s in an "encrypted form", namely multiplied by the random r.
3. The third message is Alice's response to the challenge of Bob.
Completeness: If Alice knows s, and both Alice and Bob follow the protocol, then the response r s^b is a square root of x v^b.
It can be shown that Eve can cheat with probability of success 1/2 as follows:
■ Eve chooses a random r ∈ Z_n^*, a random b1 ∈ {0,1} and sends x = r^2 v^{-b1} mod n to Bob.
■ Bob chooses b ∈ {0,1} at random and sends it to Eve.
■ Eve sends r to Bob. Bob's check r^2 ≡ x v^b passes exactly when b = b1.
HOW CAN BAD EVE CHEAT?
Eve can send to Bob, as her commitment, either r^2 for a random r, or r^2 v^{-1}. In the first case Eve can respond correctly to Bob's challenge b = 0, by sending r, but cannot respond correctly to the challenge b = 1. In the second case Eve can respond correctly to Bob's challenge b = 1, again by sending r, but cannot respond correctly to the challenge b = 0. Eve therefore has a 50% chance to cheat in each round; this is also why the commitment must be sent before the challenge is known, since a cheater who saw b first could always prepare a fitting x.
Fiat-Shamir IDENTIFICATION SCHEME - PARALLEL VERSION
In the following parallel version of the Fiat-Shamir identification scheme the probability of a false identification is decreased. Choose primes p, q, compute n = pq and choose as security parameters integers k, t. Choose quadratic residues v1, ..., vk ∈ QR_n. Compute s1, ..., sk such that s_i = √v_i mod n.
Fiat-Shamir IDENTIFICATION SCHEME - PARALLEL VERSION

In the following parallel version of the Fiat-Shamir identification scheme the probability of a false identification is decreased.

Choose primes p, q, compute n = pq and choose integers k, t as security parameters. Choose quadratic residues v_1, ..., v_k ∈ QR_n. Compute s_1, ..., s_k such that s_i = √v_i mod n.

public-key: v_1, ..., v_k
secret-key: s_1, ..., s_k of Alice

PROTOCOL:
1. Alice chooses a random r < n, computes a = r^2 mod n and sends a to Bob.
2. Bob sends Alice a random k-bit string b_1 ... b_k.
3. Alice sends to Bob
   y = r · ∏_{i=1}^{k} s_i^{b_i} mod n.
4. Bob accepts if and only if
   y^2 = a · ∏_{i=1}^{k} v_i^{b_i} mod n.

Alice and Bob repeat this protocol t times, until Bob is convinced that Alice knows s_1, ..., s_k.
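Both versions of the protocol above, as an added Python example that is not part of the lecture notes: k = 1 gives the single accreditation protocol and larger k the parallel version; the primes 1009 and 1013 and the seeds are constructed toy values, and Eve's cheating strategy is the one described under "HOW CAN BAD EVE CHEAT?".

```python
"""Fiat-Shamir identification, single (k = 1) and parallel (k > 1) version.

Added example, not code from the lecture notes. n = p*q with constructed toy
primes; Alice's secrets are square roots s_i of public quadratic residues
v_i = s_i^2 mod n. A cheating Eve follows exactly the strategy from the notes
(guess the challenge, commit to r^2 * prod v_i^(-guess_i), answer r), so her
per-round success rate should come out near 2^-k.
"""
import random
from math import gcd


def make_keys(p, q, k, rng):
    """Alice's keys: k secrets s_i coprime to n and public v_i = s_i^2 mod n."""
    n = p * q
    secrets, public = [], []
    while len(secrets) < k:
        s = rng.randrange(2, n)
        v = s * s % n
        if gcd(s, n) == 1 and v != 1:     # skip the useless residue v = 1
            secrets.append(s)
            public.append(v)
    return n, public, secrets


def commit(n, rng):
    """Step 1: Alice picks a random r coprime to n and sends a = r^2 mod n."""
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return r, r * r % n


def respond(n, r, secrets, bits):
    """Step 3: y = r * prod_{i : b_i = 1} s_i mod n."""
    y = r
    for s, b in zip(secrets, bits):
        if b:
            y = y * s % n
    return y


def accepts(n, public, a, bits, y):
    """Step 4: Bob accepts iff y^2 = a * prod_{i : b_i = 1} v_i mod n."""
    rhs = a
    for v, b in zip(public, bits):
        if b:
            rhs = rhs * v % n
    return y * y % n == rhs


def honest_identification(n, public, secrets, t, rng):
    """t rounds with an honest Alice; True iff Bob accepts every round."""
    for _ in range(t):
        r, a = commit(n, rng)
        bits = [rng.randrange(2) for _ in public]       # Bob's k-bit challenge
        if not accepts(n, public, a, bits, respond(n, r, secrets, bits)):
            return False
    return True


def cheating_round(n, public, rng):
    """One round by an Eve who knows no s_i. Returns (Bob accepted, guess == challenge)."""
    k = len(public)
    guess = [rng.randrange(2) for _ in range(k)]
    r, a = commit(n, rng)
    for v, g in zip(public, guess):
        if g:
            a = a * pow(v, -1, n) % n     # a = r^2 * prod v_i^(-g_i); Python 3.8+
    bits = [rng.randrange(2) for _ in range(k)]
    return accepts(n, public, a, bits, r), bits == guess


def demo(seed=7, k=3, trials=2000):
    """Returns (honest Alice accepted in 10 rounds,
                Eve succeeds exactly when her guess was right,
                Eve's empirical per-round success rate)."""
    rng = random.Random(seed)
    n, public, secrets = make_keys(1009, 1013, k, rng)   # constructed toy primes
    honest = honest_identification(n, public, secrets, 10, rng)
    outcomes = [cheating_round(n, public, rng) for _ in range(trials)]
    exact = all(acc == right for acc, right in outcomes)
    rate = sum(acc for acc, _ in outcomes) / trials
    return honest, exact, rate


if __name__ == "__main__":
    for k in (1, 3):
        honest, exact, rate = demo(k=k)
        print(f"k={k}: honest accepted={honest}, cheat iff guessed={exact}, "
              f"cheat rate={rate:.3f} (expected {2 ** -k})")
```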
The chance that Alice can fool Bob is 2^-kt, a significant decrease compared with the chance 1/2 of the previous version of the identification scheme.

THE SCHNORR IDENTIFICATION SCHEME - SETTING

This scheme is practically attractive because it is computationally efficient (in time, space and communication) and minimizes the storage and computation performed by Alice (who may be, for example, a smart card).

The scheme also requires a trusted authority (TA) who
1. chooses: a large prime p < 2^512, a large prime q dividing p − 1 with q > 2^140, an α ∈ Z_p^* of order q, and a security parameter t such that 2^t < q; p, q, α, t are made public.
2. establishes: a secure digital signature scheme with a secret signing algorithm sig_TA and a public verification algorithm ver_TA.
Protocol for issuing a certificate to Alice
1. TA establishes Alice's identity by conventional means and forms a 512-bit string ID(Alice) which contains the identification information.
2. Alice chooses a secret random 0 ≤ a ≤ q − 1, computes v = α^(−a) mod p and sends v to the TA.
3. TA generates the signature s = sig_TA(ID(Alice), v) and sends it to Alice as her certificate C(Alice) = (ID(Alice), v, s).

Schnorr IDENTIFICATION SCHEME - PROTOCOL
1. Alice chooses a random 0 ≤ k < q and computes γ = α^k mod p.
2. Alice sends to Bob her certificate C(Alice) = (ID(Alice), v, s) and also γ.
3. Bob verifies the signature of TA by checking that ver_TA(ID(Alice), v, s) = true.
4. Bob chooses a random 1 ≤ r ≤ 2^t, where t < lg q is a security parameter, and sends it to Alice (often t ≤ 40).
5. Alice computes and sends to Bob y = (k + ar) mod q.
6. Bob verifies that γ = α^y · v^r mod p.

This way Alice proves her identity to Bob. Indeed, α^y · v^r = α^(k+ar) · α^(−ar) mod p = α^k mod p = γ.

Total storage needed: 512 bits for ID(Alice), 512 bits for v, 320 bits for s (if DSS is used); in total 1344 bits.
Total communication needed: Alice → Bob: 1996 (= 1344 + 512 + 140) bits; Bob → Alice: 40 bits (to send r).
Okamoto IDENTIFICATION SCHEME

The disadvantage of the Schnorr identification scheme is that there is no proof of its security. For the following modification of the Schnorr identification scheme, the Okamoto identification scheme, a proof of security exists.

Basic setting: To set up the scheme TA chooses:
■ a large prime p < 2^512,
■ a large prime q > 2^140 dividing p − 1;
■ two elements α_1, α_2 ∈ Z_p^* of order q.
TA makes public p, q, α_1, α_2 and keeps secret (also from Alice and Bob) c = log_{α_1} α_2. Finally, TA chooses a signature scheme and a hash function.

Issuing a certificate to Alice
■ TA establishes Alice's identity and issues her identification string ID(Alice).
■ Alice secretly and randomly chooses 0 ≤ a_1, a_2 ≤ q − 1 and sends to TA v = α_1^(−a_1) · α_2^(−a_2) mod p.
■ TA generates a signature s = sig_TA(ID(Alice), v) and sends to Alice the certificate C(Alice) = (ID(Alice), v, s).

Okamoto IDENTIFICATION SCHEME - PROTOCOL
■ Alice chooses random 0 ≤ k_1, k_2 ≤ q − 1 and computes γ = α_1^(k_1) · α_2^(k_2) mod p.
■ Alice sends to Bob her certificate (ID(Alice), v, s) and γ.
■ Bob verifies the signature of TA by checking that ver_TA(ID(Alice), v, s) = true.
■ Bob chooses a random 1 ≤ r ≤ 2^t and sends it to Alice.
■ Alice sends to Bob y_1 = (k_1 + a_1 r) mod q and y_2 = (k_2 + a_2 r) mod q.
■ Bob verifies that γ = α_1^(y_1) · α_2^(y_2) · v^r (mod p).
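The Schnorr and Okamoto challenge-response exchanges above, as an added Python example that is not code from the lecture notes; it assumes constructed toy parameters p = 2039, q = 1019 (so t = 8 instead of 40) and that Bob's certificate check ver_TA(ID(Alice), v, s) has already been done.

```python
"""Schnorr and Okamoto identification, challenge-response part only.

Added example, not code from the lecture notes. Constructed toy parameters:
p = 2039, q = 1019 (both prime, p = 2q + 1), so every quadratic residue
other than 1 has order q. The certificate (ID(Alice), v, s) and Bob's check
ver_TA(ID(Alice), v, s) = true are assumed to have happened already.
"""
import random

P, Q = 2039, 1019      # constructed toy primes, q | p - 1
T = 8                  # security parameter t with 2^t < q (t = 8 here, not 40)


def element_of_order_q(g):
    """g^((p-1)/q) mod p has order q whenever it is not 1."""
    alpha = pow(g, (P - 1) // Q, P)
    if alpha == 1:
        raise ValueError("bad generator candidate")
    return alpha


ALPHA1 = element_of_order_q(2)   # Schnorr's alpha and Okamoto's alpha_1
ALPHA2 = element_of_order_q(3)   # Okamoto's alpha_2; c = log_alpha1(alpha2) is known to nobody here


def schnorr_keygen(rng):
    """Alice: secret 0 <= a <= q-1, public v = alpha^(-a) mod p (certified by TA)."""
    a = rng.randrange(Q)
    return a, pow(ALPHA1, -a, P)         # negative exponent: Python 3.8+


def schnorr_run(a, v, rng):
    """One Schnorr run with Alice's secret a. Returns (gamma, r, y, accepted)."""
    k = rng.randrange(Q)                 # step 1: random 0 <= k < q
    gamma = pow(ALPHA1, k, P)            # commitment gamma = alpha^k mod p
    r = rng.randrange(1, 2 ** T + 1)     # step 4: Bob's challenge 1 <= r <= 2^t
    y = (k + a * r) % Q                  # step 5: exponent arithmetic is mod q
    accepted = gamma == pow(ALPHA1, y, P) * pow(v, r, P) % P   # step 6
    return gamma, r, y, accepted


def okamoto_keygen(rng):
    """Alice: secrets a1, a2; public v = alpha1^(-a1) * alpha2^(-a2) mod p."""
    a1, a2 = rng.randrange(Q), rng.randrange(Q)
    return (a1, a2), pow(ALPHA1, -a1, P) * pow(ALPHA2, -a2, P) % P


def okamoto_run(secret, v, rng):
    """One Okamoto run. Returns (gamma, r, (y1, y2), accepted)."""
    a1, a2 = secret
    k1, k2 = rng.randrange(Q), rng.randrange(Q)
    gamma = pow(ALPHA1, k1, P) * pow(ALPHA2, k2, P) % P
    r = rng.randrange(1, 2 ** T + 1)
    y1, y2 = (k1 + a1 * r) % Q, (k2 + a2 * r) % Q
    rhs = pow(ALPHA1, y1, P) * pow(ALPHA2, y2, P) * pow(v, r, P) % P
    return gamma, r, (y1, y2), gamma == rhs


def demo(seed=3):
    """Honest runs of both schemes, plus a Schnorr run where the prover uses a
    wrong secret a' != a; Bob must reject, since alpha^(k + a'r) * alpha^(-ar)
    equals alpha^k only if (a' - a) r = 0 mod q, impossible for 1 <= r < q."""
    rng = random.Random(seed)
    a, v = schnorr_keygen(rng)
    secret, v2 = okamoto_keygen(rng)
    wrong_a = (a + 1) % Q
    return {
        "schnorr": schnorr_run(a, v, rng)[3],
        "okamoto": okamoto_run(secret, v2, rng)[3],
        "wrong_secret": schnorr_run(wrong_a, v, rng)[3],
    }


if __name__ == "__main__":
    print(demo())   # {'schnorr': True, 'okamoto': True, 'wrong_secret': False}
```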
AUTHENTICATION CODES

They provide methods to ensure the integrity of messages: that a message has not been tampered with or changed, and that the message originated with the presumed sender. The goal is to achieve authentication even in the presence of Mallot, a man in the middle, who can observe transmitted messages and replace them by messages of his own choice.

Formally, an authentication code consists of:
■ A set M of possible messages.
■ A set T of possible authentication tags.
■ A set K of possible keys.
■ A set R of authentication algorithms a_k : M → T, one for each k ∈ K.

Transmission process
■ Alice and Bob jointly choose a secret key k.
■ If Alice wants to send a message w to Bob, she sends (w, t), where t = a_k(w).
■ If Bob receives (w, t'), he computes t = a_k(w) and if t = t', then Bob accepts the message w as authentic.

ATTACKS and DECEPTION PROBABILITIES

There are two basic types of attacks Mallot, the man in the middle, can perform.

Impersonation. Mallot introduces a message (w, t) into the channel, expecting that the message will be received as being sent by Alice.

Substitution. Mallot replaces a message (w, t) in the channel by another one, (w', t'), expecting that the message will be accepted as being sent by Alice.

With any impersonation (substitution) attack a probability P_i (P_s) is associated that Mallot will deceive Bob, if Mallot follows an optimal strategy.

In order to determine such probabilities we need to know the probability distributions p_M on messages and p_K on keys.

In the following, so-called authentication matrices of size |K| × |M| will tabulate all authentication tags. The item in the row corresponding to a key k and in the column corresponding to a message w will contain the authentication tag t_k(w).

The goal of authentication codes, to be discussed next, is to decrease the probabilities that Mallot performs a successful impersonation or substitution.
EXAMPLE

Let M = T = Z_3, K = Z_3 × Z_3. For (i, j) ∈ K and w ∈ M, let t_(i,j)(w) = (iw + j) mod 3.

The matrix key × message of authentication tags has the form:

Key     w=0  w=1  w=2
(0,0)    0    0    0
(0,1)    1    1    1
(0,2)    2    2    2
(1,0)    0    1    2
(1,1)    1    2    0
(1,2)    2    0    1
(2,0)    0    2    1
(2,1)    1    0    2
(2,2)    2    1    0

Impersonation attack: Mallot picks a message w and tries to guess the correct authentication tag. However, for each message w and each tag a there are exactly three keys k such that t_k(w) = a. Hence P_i = 1/3.

Substitution attack: By checking the table one can see that if Mallot observes an authenticated message (w, t), then there are only three possibilities for the key that was used. Moreover, for each choice (w', t') with w' ≠ w, there is exactly one of the three possible keys under which t' is the tag of w'. Therefore P_s = 1/3.
ORTHOGONAL ARRAYS

Definition An orthogonal array OA(n, k, λ) is a λn^2 × k array of n symbols, such that in any two columns of the array every one of the possible n^2 pairs of symbols occurs in exactly λ rows.

Example OA(3, 3, 1) obtained from the authentication matrix presented before (one row per key):

0 0 0
1 1 1
2 2 2
0 1 2
1 2 0
2 0 1
0 2 1
1 0 2
2 1 0

Theorem Suppose we have an orthogonal array OA(n, k, λ). Then there is an authentication code with |M| = k, |A| = n (A being the set of authenticators, i.e. tags), |K| = λn^2 and P_i = P_s = 1/n.

Proof Use each row of the orthogonal array as an authentication rule (key) with equal probability. We therefore have the following correspondence:

orthogonal array  –  authentication code
row               –  authentication rule (key)
column            –  message
symbol            –  authentication tag

CONSTRUCTION and BOUNDS for OAs

In an orthogonal array OA(n, k, λ):
■ n determines the number of authenticators (security of the code);
■ k is the number of messages the code can accommodate;
■ λ relates to the number of keys, λn^2.

The following holds for orthogonal arrays.
■ If p is prime, then OA(p, p, 1) exists.
■ Suppose there exists an OA(n, k, λ). Then λ ≥ (k(n − 1) + 1) / n^2.
■ Suppose that p is a prime and d ≥ 2 an integer. Then there is an orthogonal array
■ Let us have an authentication code with |A| = n and P_i = P_s = 1/n. Then |K| ≥ n^2. Moreover, |K| = n^2 if and only if there is an orthogonal array OA(n, k, 1), where |M| = k and p_K(k) = 1/n^2 for every key k ∈ K.

The last claim shows that, for authentication codes with deception probabilities as small as possible, there is no approach much better than orthogonal arrays.
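The authentication code of the EXAMPLE slide and the orthogonal-array properties above, as an added Python example that is not from the lecture notes; the rule t_(i,j)(w) = (iw + j) mod n is parameterized in n so that the claim "OA(p, p, 1) exists for prime p" can also be checked, and it is assumed that keys are chosen uniformly.

```python
"""The authentication code from the notes: M = T = Z_3, K = Z_3 x Z_3 and
t_(i,j)(w) = (i*w + j) mod 3. Added example, not code from the lecture notes.
It builds the authentication matrix, computes the deception probabilities
P_i and P_s for a uniformly chosen key, and checks the orthogonal-array
property; n is a parameter so the same rule can be tried for other n.
"""
from fractions import Fraction
from itertools import combinations, product


def tag(key, w, n):
    """Authentication rule t_(i,j)(w) = (i*w + j) mod n."""
    i, j = key
    return (i * w + j) % n


def authentication_matrix(n=3):
    """Rows indexed by keys (i, j) in Z_n x Z_n, columns by messages w in Z_n."""
    keys = list(product(range(n), repeat=2))
    return keys, [[tag(k, w, n) for w in range(n)] for k in keys]


def impersonation_probability(matrix):
    """P_i for a uniform key: Mallot's best chance that (w, t) is accepted,
    i.e. the largest fraction of keys giving tag t to message w."""
    n_keys, n_msgs = len(matrix), len(matrix[0])
    best = Fraction(0)
    for w in range(n_msgs):
        for t in {row[w] for row in matrix}:
            hits = sum(1 for row in matrix if row[w] == t)
            best = max(best, Fraction(hits, n_keys))
    return best


def substitution_probability(matrix):
    """P_s for a uniform key: having seen a valid (w, t), Mallot's best chance
    that some (w', t') with w' != w is valid under a key consistent with (w, t).
    Reported as the maximum over all observed (w, t); exact when, as here,
    every (w, t) gives the same value."""
    n_msgs = len(matrix[0])
    best = Fraction(0)
    for w in range(n_msgs):
        for t in {row[w] for row in matrix}:
            consistent = [row for row in matrix if row[w] == t]
            for w2 in range(n_msgs):
                if w2 == w:
                    continue
                for t2 in {row[w2] for row in consistent}:
                    hits = sum(1 for row in consistent if row[w2] == t2)
                    best = max(best, Fraction(hits, len(consistent)))
    return best


def is_orthogonal_array(rows, n, lam):
    """OA(n, k, lam): lam*n^2 rows over n symbols, and in any two columns each of
    the n^2 symbol pairs occurs in exactly lam rows."""
    k = len(rows[0])
    if len(rows) != lam * n * n:
        return False
    for c1, c2 in combinations(range(k), 2):
        counts = {}
        for row in rows:
            pair = (row[c1], row[c2])
            counts[pair] = counts.get(pair, 0) + 1
        if len(counts) != n * n or any(c != lam for c in counts.values()):
            return False
    return True


def lambda_lower_bound(n, k):
    """Bound from the notes: an OA(n, k, lam) needs lam >= (k(n-1) + 1) / n^2."""
    return Fraction(k * (n - 1) + 1, n * n)


if __name__ == "__main__":
    keys, m = authentication_matrix(3)
    for key, row in zip(keys, m):
        print(key, row)
    print("P_i =", impersonation_probability(m), " P_s =", substitution_probability(m))
    print("OA(3,3,1)?", is_orthogonal_array(m, 3, 1))
    print("OA(5,5,1) from the same rule?", is_orthogonal_array(authentication_matrix(5)[1], 5, 1))
    print("OA(4,4,1) (4 is not prime)?", is_orthogonal_array(authentication_matrix(4)[1], 4, 1))
```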
SECRET SHARING - PROBLEM

In many applications it is important to distribute sensitive information, called here a secret (for example an algorithm for opening a safe, or a secret key), among several parties in such a way that only a well-defined subset of parties can determine the secret if they cooperate.

In some other cases one can increase the security of confidential information, say a secret key, by sharing it between several parties.

In the following we show how to solve this problem in the "threshold" setting: How to "partition" a number S (called here the "secret") into n "shares" and distribute them among n parties in such a way that for a fixed threshold t ≤ n any t of them can reconstruct S, but no t − 1, or fewer, of them have the slightest idea how to do that.
BASIC IDEA of the (n,t) THRESHOLD SECRET SHARING

To distribute a secret (number) S among n parties, the dealer creates a random polynomial p of degree t − 1 such that p(0) = S and distributes to each party a "share" of it: the value of p at a separate point. Since each polynomial p of degree t − 1 is uniquely determined by any t points on p, the above distribution of points allows any t users to determine p, and so also p(0) = S, while no smaller group of parties can have the slightest idea about S.

SECRET SHARING between TWO PARTIES

A dealer creates shares of a binary-string secret s and distributes them between two parties P1 and P2 by choosing a random binary string b of the same length as s, and
■ sends the share b to P1 and
■ sends the share s ⊕ b to P2.

This way, neither of the parties P1 and P2 alone has the slightest idea about s, but both together easily recover s by computing b ⊕ (s ⊕ b) = s.

The above scheme can be easily extended to the case of n users so that only all of them together can reveal the secret.

THRESHOLD SECRET SHARING SCHEMES

Secret sharing schemes "partition" a "secret" into shares and distribute them among several parties in such a way that only predefined sets of parties can "assemble" the secret.

For example, a vault in a bank can be opened only if at least two out of three responsible employees use their knowledge and tools (keys) to open the vault.

An important simple special case of secret sharing schemes are threshold secret sharing schemes, in which a certain threshold number of participants is needed and sufficient to assemble the secret.

Definition Let t ≤ n be positive integers.
An (n, t)-threshold scheme is a method of sharing a secret S among a set P of n parties, P = {P_i | 1 ≤ i ≤ n}, in such a way that any t or more parties can compute the value S, but no group of t - 1 or fewer parties can compute S.

The following construction is Shamir's scheme (referred to later as Shamir's protocol). The secret S is chosen by a "dealer" D (a trusted authority, TA), who chooses a prime p > max{S, n} and sets a_0 = S.
■ TA selects randomly a_1, ..., a_{t-1} ∈ Z_p and creates the polynomial
  $f(x) = \sum_{i=0}^{t-1} a_i x^i \pmod p$.
■ TA computes s_i = f(i), i = 1, ..., n, and transfers each (i, s_i) to the party P_i in a secure way.
Any group J of t or more parties can compute the secret. Indeed, from the previous corollary (Lagrange interpolation) we have
  $S = a_0 = f(0) = \sum_{i \in J} f(i) \prod_{j \in J,\, j \ne i} \frac{j}{j - i} \pmod p$.
In case |J| < t, each a_0 ∈ Z_p is equally likely to be the secret: for every candidate value of a_0 there is exactly one polynomial of degree at most t - 1 passing through the |J| known points and (0, a_0).

SECRET SHARING - GENERAL CASE

A serious limitation of threshold secret sharing schemes is that all groups of parties with the same number of parties have the same access to the secret. Practical situations usually require that some (sets of) parties are more important than others.
Let P be a set of parties. To deal with the above situation, the concepts of authorized sets of parties of P and of access structures are used.
An authorized set of parties A ⊆ P is a set of parties who can together construct the secret.
An unauthorized set of parties U ⊆ P is a set of parties who alone cannot learn anything about the secret.
The access structure Γ ⊆ 2^P is the set such that A ∈ Γ for all authorized sets A and U ∈ 2^P - Γ for all unauthorized sets U.
Theorem: For any (monotone) access structure, i.e. one in which every superset of an authorized set is again authorized, there exists a secret sharing scheme realizing this access structure.

SECRET SHARING SCHEME with VERIFICATION

■ Secret sharing protocols increase the security of secret information by sharing it between several parties.
■ Some secret sharing schemes are such that they work even in case some parties behave incorrectly.
■ A secret sharing scheme with verification is a secret sharing scheme such that:
  ■ each P_i is able to verify the correctness of his/her share s_i,
  ■ no party P_i is able to provide incorrect information and convince the others of its correctness.

Feldman's (n,k)-PROTOCOL

Feldman's protocol is an example of a secret sharing scheme with verification. The protocol is a generalization of Shamir's protocol.
It is assumed that all n participants can broadcast messages to all others and that each of them can determine the sender of every message.
Given are large primes p, q with q | (p - 1), q > n, and h < p, a generator of Z_p^*. All these numbers, and also the number g = h^{(p-1)/q} mod p (an element of order q), are public.
As in Shamir's scheme, to share a secret S the dealer assigns to each party P_i a specific random x_i from {1, ..., q - 1} and generates a random secret polynomial
  $f(x) = \sum_{j=0}^{k-1} a_j x^j \bmod q$
such that f(0) = S, and sends to each P_i the value y_i = f(x_i). In addition, using the broadcasting scheme, the dealer sends to all P_i the values v_j = g^{a_j} mod p, j = 0, ..., k - 1.
Feldman's (n,k)-PROTOCOL - continuation

Each P_i verifies that
  $g^{y_i} = \prod_{j=0}^{k-1} v_j^{\,x_i^j} \bmod p. \quad (1)$
If (1) does not hold, P_i asks, using the broadcasting scheme, the dealer to broadcast the correct value of y_i. If there are at least k such requests, or some of the newly broadcast values y_i does not satisfy (1), the dealer is considered unreliable.
One can easily verify that if the dealer works correctly, then all relations (1) hold: $g^{y_i} = g^{\sum_j a_j x_i^j} = \prod_j (g^{a_j})^{x_i^j} \bmod p$, where the arithmetic in the exponents is mod q because g has order q.
Note that v_0 = g^S mod p is public, so the secrecy of S in Feldman's scheme rests on the hardness of the discrete logarithm in the subgroup generated by g; Shamir's scheme without commitments is secure unconditionally.

VISUAL SECRET SHARING

The basic idea is to create, for a visual information (a secret) S, a set of n transparencies in such a way that one can see S only if all n transparencies are overlaid.

E-COMMERCE

Very important is to ensure the security of e-money transactions needed for e-commerce. In addition to providing security and privacy, the task is also to prevent alterations of purchase orders and forgery of credit card information.
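As an added, runnable illustration of both Shamir's (n,t)-threshold scheme and Feldman's verification described above (example code written for this page, not code from the lecture notes), the following Python script deals shares of a secret over Z_q, lets each party check relation (1) against the broadcast commitments v_j, counts complaints against the dealer, and reconstructs the secret from any k shares by Lagrange interpolation at 0. The primes p = 1019, q = 509 and the generator are toy values chosen here so that the script runs instantly; they are far too small for real use, and the polynomial lives in Z_q as in Feldman's variant.

```python
"""Shamir (n,k)-threshold sharing over Z_Q with Feldman's verification.
Added example for these notes; parameters are toy-sized (assumption)."""
import secrets

P = 1019                      # prime (toy size, chosen for this example)
Q = 509                       # prime with Q | P - 1  (P = 2Q + 1)
G = pow(2, (P - 1) // Q, P)   # g = h^((p-1)/q) mod p for h = 2; G has order Q
assert G != 1 and pow(G, Q, P) == 1


def eval_poly(coeffs, x, mod):
    """f(x) = sum_j coeffs[j] * x^j (mod mod), evaluated with Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % mod
    return acc


def deal(secret, n, k):
    """Dealer: random degree-(k-1) polynomial f with f(0) = secret over Z_Q.
    Returns shares [(x_i, y_i)] and Feldman commitments [v_j = G^a_j mod P]."""
    assert 0 <= secret < Q and 1 <= k <= n < Q
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    xs = []
    while len(xs) < n:                 # distinct evaluation points in 1..Q-1
        x = 1 + secrets.randbelow(Q - 1)
        if x not in xs:
            xs.append(x)
    shares = [(x, eval_poly(coeffs, x, Q)) for x in xs]
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(share, commitments):
    """Feldman's check (1):  G^y_i == prod_j v_j^(x_i^j)  (mod P).
    Exponents are reduced mod Q because every v_j is a power of G, ord(G) = Q."""
    x, y = share
    rhs = 1
    for j, v in enumerate(commitments):
        rhs = rhs * pow(v, pow(x, j, Q), P) % P
    return pow(G, y, P) == rhs


def audit_dealer(shares, commitments, k):
    """Parties whose share fails (1) complain; with k or more complaints the
    dealer is rejected. Returns (dealer_accepted, complaining_shares)."""
    complaints = [s for s in shares if not verify_share(s, commitments)]
    return len(complaints) < k, complaints


def reconstruct(shares):
    """Lagrange interpolation at 0 over Z_Q:
    S = f(0) = sum_i y_i * prod_{j != i} x_j / (x_j - x_i)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * xj % Q
                den = den * (xj - xi) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret


def demo(secret=123, n=5, k=3):
    shares, comm = deal(secret, n, k)
    assert all(verify_share(s, comm) for s in shares)
    assert reconstruct(shares[:k]) == secret          # any k shares suffice
    assert reconstruct(shares[n - k:]) == secret
    # A party that received a tampered share detects it from the commitments.
    x, y = shares[0]
    assert not verify_share((x, (y + 1) % Q), comm)
    # A dealer who hands out k bad shares is rejected by the audit.
    bad = [(x, (y + 7) % Q) for x, y in shares[:k]] + shares[k:]
    accepted, complaints = audit_dealer(bad, comm, k)
    assert not accepted and len(complaints) == k
    return True


if __name__ == "__main__":
    print("all checks passed:", demo())
```

The check in verify_share reduces the exponent x_i^j modulo q before raising v_j to it; that is exactly why the protocol needs g to have prime order q, since in a group of unknown or composite order the exponent arithmetic of relation (1) would not line up with the polynomial arithmetic mod q.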
BASIC REQUIREMENTS for e-COMMERCE SYSTEMS

Authenticity: Participants in transactions cannot be impersonated and signatures cannot be forged.
Integrity: Documents (purchase orders, payment instructions, ...) cannot be forged.
Privacy: Details of a transaction should be kept secret.
Security: Sensitive information (such as credit card numbers) must be protected.
Anonymity: Anonymity of money senders should be guaranteed.
Additional requirement: In order to allow efficient fighting of organized crime, a system for processing e-money has to be such that, under well defined conditions, it is possible to revoke the anonymity of a custodian's identity and of the money flow.

HISTORICAL COMMENT

The so-called Secure Electronic Transaction (SET) protocol was created to standardize the exchange of credit card information. The development of SET was initiated in 1996 by the credit card companies MasterCard and Visa.

EXAMPLE - DUAL SIGNATURE PROTOCOL

We present a protocol to solve the following security and privacy problem in e-commerce: How to arrange e-shopping in such a way that shoppers' banks do not learn what shoppers/cardholders are ordering and shops do not learn the credit card numbers of shoppers.
Participants of our e-commerce protocol will be: a bank, a shopper/cardholder, and a shop.
The cardholder will use the following information:
■ GSO - Goods and Services Order (cardholder's name, shop's name, items being ordered, their quantity, ...)
■ PI - Payment Instructions (shop's name, card number, total price, ...)
The protocol will also use a public hash function h.
The RSA cryptosystem will also be used, and
■ e_C, e_S and e_B will be the public (encryption) keys of the cardholder, shop and bank, and
■ d_C, d_S and d_B will be their secret (decryption) keys.
CARDHOLDER and SHOP ACTIONS

A cardholder performs the following procedure - to create the GSO (goods and services order):
1. Computes HEGSO = h(e_S(GSO)) - hash value of the encryption of GSO.
2. Computes HEPI = h(e_B(PI)) - hash value of the encryption of the payment instructions for the bank.
3. Computes HPO = h(HEPI || HEGSO) - hash value of the Payment Order.
4. Signs HPO by computing the "Dual Signature" DS = d_C(HPO).
5. Sends e_S(GSO), DS, HEPI, and e_B(PI) to the shop.
The shop does the following - to create payment instructions:
■ Calculates h(e_S(GSO)) = HEGSO;
■ Calculates h(HEPI || HEGSO) and e_C(DS). If they are equal, the shop has thereby verified the cardholder's signature;
■ Computes d_S(e_S(GSO)) to get GSO;
■ Sends HEGSO, HEPI, e_B(PI), and DS to the bank.
BANK and SHOP ACTIONS

The bank has received HEPI, HEGSO, e_B(PI), and DS and performs the following actions.
1. Computes h(e_B(PI)), which should be equal to HEPI.
2. Computes h(h(e_B(PI)) || HEGSO), which should be equal to e_C(DS) = HPO.
3. Computes d_B(e_B(PI)) to obtain PI;
4. Returns an encrypted (with e_S) digitally signed authorization to the shop, guaranteeing the payment.
The shop completes the procedure by sending, encrypted with e_C, a receipt to the cardholder, indicating that the transaction has been completed.
It is easy to verify that the above protocol fulfills the basic requirements concerning security, privacy and integrity: the shop sees GSO but only the hash h(e_B(PI)) of the payment instructions, the bank sees PI but only the hash h(e_S(GSO)) of the order, and the single signature DS binds the two documents together, so neither can be replaced without invalidating the signature. A practical caveat: the encryptions e_S(GSO) and e_B(PI) must be randomized (padded), since with deterministic RSA a party holding only HEGSO could confirm a guessed order by recomputing h(e_S(GSO)) itself.
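The complete three-party exchange above, as an added example that is not part of the lecture notes: the script below implements the cardholder, shop and bank steps with textbook (unpadded, toy-sized) RSA generated at run time and SHA-256 as h. The keys, the Miller-Rabin prime generation and the two sample documents (a constructed order and constructed payment instructions, including a made-up card number) are this example's own assumptions. It shows that the shop verifies DS while holding only HEPI, that the bank verifies DS while holding only HEGSO, and that a shop forwarding the hash of a different order is refused by the bank.

```python
"""Dual-signature protocol (cardholder / shop / bank) with textbook RSA.
Added example for these notes. RSA here is unpadded and toy-sized (assumption);
it shows the message flow, not production-grade encryption."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Returns (public key (n, e), private key (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e prime, so this means gcd(e, phi) = 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa(key, m):
    """Textbook RSA: e_X(m) with a public key, d_X(m) with a private key."""
    n, exp = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


b2i = lambda b: int.from_bytes(b, "big")
i2b = lambda x: x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
h = lambda data: hashlib.sha256(data).digest()


def cardholder(gso, pi, pk_shop, pk_bank, sk_card):
    """Steps 1-5: hash both encrypted documents, sign the combined hash."""
    enc_gso = rsa(pk_shop, b2i(gso))          # e_S(GSO)
    enc_pi = rsa(pk_bank, b2i(pi))            # e_B(PI)
    hegso, hepi = h(i2b(enc_gso)), h(i2b(enc_pi))
    ds = rsa(sk_card, b2i(h(hepi + hegso)))   # DS = d_C(h(HEPI || HEGSO))
    return enc_gso, ds, hepi, enc_pi          # what the shop receives


def shop(enc_gso, ds, hepi, enc_pi, pk_card, sk_shop):
    """Shop checks the dual signature, decrypts GSO, forwards the rest to the
    bank. It never sees PI, only HEPI and e_B(PI)."""
    hegso = h(i2b(enc_gso))
    if rsa(pk_card, ds) != b2i(h(hepi + hegso)):
        return None                           # signature does not verify
    return i2b(rsa(sk_shop, enc_gso)), (hegso, hepi, enc_pi, ds)


def bank(hegso, hepi, enc_pi, ds, pk_card, sk_bank):
    """Bank checks HEPI and the dual signature, then decrypts PI.
    It never sees GSO, only HEGSO."""
    if h(i2b(enc_pi)) != hepi or rsa(pk_card, ds) != b2i(h(hepi + hegso)):
        return None
    return i2b(rsa(sk_bank, enc_pi))


def run_demo():
    pk_c, sk_c = rsa_keygen()
    pk_s, sk_s = rsa_keygen()
    pk_b, sk_b = rsa_keygen()
    # Constructed sample documents (must fit below the 512-bit modulus).
    gso = b"cardholder=Bob;shop=ACME;item=book;qty=1"
    pi = b"shop=ACME;card=4111111111111111;total=19.90"
    enc_gso, ds, hepi, enc_pi = cardholder(gso, pi, pk_s, pk_b, sk_c)
    gso_at_shop, to_bank = shop(enc_gso, ds, hepi, enc_pi, pk_c, sk_s)
    pi_at_bank = bank(*to_bank, pk_c, sk_b)
    # A shop forwarding the hash of a different order breaks the link that
    # the dual signature establishes, and the bank refuses.
    _, hepi2, enc_pi2, ds2 = to_bank
    forged = bank(h(b"some other order"), hepi2, enc_pi2, ds2, pk_c, sk_b)
    return {"gso": gso, "gso_at_shop": gso_at_shop,
            "pi": pi, "pi_at_bank": pi_at_bank, "forged": forged}


if __name__ == "__main__":
    print(run_demo())
```

Because the same DS is checked by two parties against two different views of the data, a cardholder also cannot later claim to have ordered something other than what the shop decrypted: the bank's copy of HEGSO pins it down.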
DIGITAL MONEY

Is it possible to have electronic (digital) money? It seems that not, because copies of digital information are indistinguishable from their origin and one could therefore hardly prevent double spending, ....
T. Okamoto and K. Ohta formulated six properties digital money systems should have.
1. One should be able to send e-money through e-networks.
2. It should not be possible to copy and reuse e-money.
3. Transactions using e-money could be done off-line, that is, no communication with a central bank should be needed during a transaction.
4. One should be able to send e-money to anybody.
5. An e-coin could be divided into e-coins of smaller values.
Several systems of e-money have been created that satisfy all or at least some of the above requirements.

BLIND SIGNATURES - APPLICATIONS

Blind digital signatures allow the signer (bank) to sign a message without seeing its content.
Scenario: Customer Bob would like to give e-money to a Shop. The e-money has to be signed by a Bank. The Shop must be able to verify the Bank's signature. Later, when the Shop sends the e-money to the Bank, the Bank should not be able to recognize that it signed this e-money for Bob. The Bank therefore has to sign the money blindly.
Bob can obtain a blind signature for a message m from the Bank by executing the Schnorr blind signature protocol described on the next slide.
Basic setting: The Bank chooses large primes p, q with q | (p - 1), and an element g ∈ Z_p^* of order q. Let h : {0,1}* → Z_q be a collision-free hash function. The Bank's secret will be a randomly chosen x ∈ {0, ..., q - 1}. Public information: (p, q, g, y = g^x mod p).
BLIND SIGNATURES - protocols

1. Schnorr's simplified identification scheme, in which the Bank proves its identity by proving that it knows x:
■ The Bank chooses a random r ∈ {0, ..., q - 1} and sends a = g^r mod p to Bob. {By that the Bank "commits" itself to r.}
■ Bob sends to the Bank a random c ∈ {0, ..., q - 1} {a challenge}.
■ The Bank sends to Bob b = r - cx mod q {a response}.
■ Bob accepts the proof that the Bank knows x if a = g^b y^c mod p. {Because y = g^x, we have g^b y^c = g^{r - cx + cx} = g^r = a.}
2. Transfer of the identification scheme to a signature scheme: instead of a random challenge, c = h(m || a) is used, where m is the message to sign, so the signer can compute the challenge itself. Signature: (c, b); verification rule: a = g^b y^c mod p, i.e. the verifier recomputes a from (c, b) and checks c = h(m || g^b y^c); transcript: (a, c, b).
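The identification and signature protocols just described, together with Schnorr's blind signature scheme that follows in item 3, as an added worked example that is not part of the lecture notes. The Python script below runs both sides of each exchange in a toy group (p = 1019, q = 509, g of order q are assumptions chosen here for speed and are far too small for real use) and uses SHA-256 for h; because y has order q, only c mod q acts in the exponent, so the script keeps the full digest as c rather than reducing it to Z_q, which in this tiny group would make unrelated messages collide with probability 1/509.

```python
"""Schnorr identification, signature and blind signature in a toy group.
Added example for these notes; P, Q are toy-sized (assumption, far too small
for real use)."""
import hashlib
import secrets

P, Q = 1019, 509              # primes with Q | P - 1  (P = 2Q + 1)
G = pow(2, (P - 1) // Q, P)   # element of Z_P^* of order Q
assert G != 1 and pow(G, Q, P) == 1


def keygen():
    """Bank's secret x and public y = g^x mod p."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)


def h(m, a):
    """Challenge hash c = h(m || a). The full 256-bit digest is kept: y has
    order Q, so only c mod Q matters in the exponent, but a 9-bit challenge
    would let different messages collide with probability 1/Q here."""
    return int.from_bytes(hashlib.sha256(m + b"||" + a.to_bytes(2, "big")).digest(), "big")


# 1. Simplified Schnorr identification: the prover (Bank) knows x.
def id_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                        # keep r, send a = g^r

def id_respond(x, r, c):
    return (r - c * x) % Q                        # b = r - c x

def id_check(y, a, c, b):
    return a == pow(G, b, P) * pow(y, c, P) % P   # a == g^b y^c


# 2. Signature: the challenge becomes c = h(m || a) (no verifier needed online).
def sign(x, m):
    r, a = id_commit()
    c = h(m, a)
    return c, id_respond(x, r, c)

def verify(y, m, sig):
    c, b = sig
    a = pow(G, b, P) * pow(y, c, P) % P           # recover a from (c, b)
    return c == h(m, a)


# 3. Blind signature: Bob blinds the Bank's commitment and its challenge.
def bank_commit():
    r1 = secrets.randbelow(Q)
    return r1, pow(G, r1, P)                      # a' = g^{r'}

def user_blind(y, a1, m):
    u = 1 + secrets.randbelow(Q - 1)              # u != 0
    v, w = secrets.randbelow(Q), secrets.randbelow(Q)
    a = pow(a1, u, P) * pow(G, v, P) * pow(y, w, P) % P   # a = a'^u g^v y^w
    c = h(m, a)
    c1 = (c - w) * pow(u, -1, Q) % Q              # c' = (c - w) u^{-1} mod q
    return (u, v, a, c, a1), c1                   # Bob's state; c' goes to Bank

def bank_respond(x, r1, c1):
    return (r1 - c1 * x) % Q                      # b' = r' - c' x

def user_unblind(y, state, c1, b1):
    u, v, a, c, a1 = state
    if a1 != pow(G, b1, P) * pow(y, c1, P) % P:   # check a' = g^{b'} y^{c'}
        raise ValueError("bank's response does not verify")
    return c, (u * b1 + v) % Q                    # sigma(m) = (c, b), b = u b' + v


def demo(m=b"e-coin #42"):
    x, y = keygen()
    r1, a1 = bank_commit()
    state, c1 = user_blind(y, a1, m)              # Bank sees only c', never m or c
    b1 = bank_respond(x, r1, c1)
    sig = user_unblind(y, state, c1, b1)
    return verify(y, m, sig)                      # an ordinary Schnorr signature on m
```

The unblinded pair (c, b) passes the same verify function as a directly produced signature, while the Bank only ever saw (a', c', b'); the random u, v, w make (a, c, b) statistically independent of that transcript, which is the unlinkability the e-money scenario needs.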
3. Schnorr's blind signature scheme:
■ The Bank sends to Bob a' = g^{r'} mod p with a random r' ∈ {0, ..., q - 1}.
■ Bob chooses random u, v, w ∈ {0, ..., q - 1}, u ≠ 0, computes a = a'^u g^v y^w mod p, c = h(m || a), c' = (c - w) u^{-1} mod q, and sends c' to the Bank.
■ The Bank sends to Bob b' = r' - c'x mod q.
Bob verifies whether a' = g^{b'} y^{c'} mod p, computes b = u b' + v mod q and gets the blind signature σ(m) = (c, b) of m.
Verification condition for the blind signature: c = h(m || g^b y^c mod p). Indeed, $g^b y^c = g^{u r' - u c' x + v} g^{cx} = g^{u r'} g^{-(c - w)x} g^{v} g^{cx} = a'^u y^w g^v = a$.
Both (a, c, b) and (a', c', b') are valid transcripts, and the Bank, which saw only (a', c', b'), cannot link them to (a, c, b) because u, v, w are uniformly random.

COMPUTATION of DECEPTION PROBABILITIES I

Probability of impersonation: For w ∈ M, t ∈ A, let us define payoff(w, t) to be the probability that Bob accepts the message (w, t) as authentic. Then
  $\mathrm{payoff}(w, t) = \Pr(t = a_K(w)) \quad (4)$
  $\qquad\qquad\ \ = \sum_{\{k \in K \mid a_k(w) = t\}} \Pr_K(k). \quad (5)$
In other words, payoff(w, t) is computed by selecting the rows of the authentication matrix that have entry t in column w and summing the probabilities of the corresponding keys. Therefore
  $P_i = \max\{\mathrm{payoff}(w, t) \mid w \in M,\ t \in A\}.$
Probability of substitution: Define, for w, w' ∈ M, w ≠ w', and t, t' ∈ A, payoff(w', t', w, t) to be the probability that a substitution of (w, t) with (w', t') will succeed in deceiving Bob.
Hence
  $\mathrm{payoff}(w', t', w, t) = \Pr(t' = a_K(w') \mid t = a_K(w)) \quad (6)$
  $\qquad = \dfrac{\Pr(t' = a_K(w') \wedge t = a_K(w))}{\Pr(t = a_K(w))} \quad (7)$
  $\qquad = \dfrac{\sum_{\{k \in K \mid a_k(w) = t,\ a_k(w') = t'\}} \Pr_K(k)}{\mathrm{payoff}(w, t)}. \quad (8)$
Observe that the numerator in the last fraction is found by selecting the rows of the authentication matrix with value t in column w and t' in column w'.

COMPUTATION of DECEPTION PROBABILITIES II

Since Mallot wants to maximize his chance of deceiving Bob, he needs to compute
  $p_{w,t} = \max\{\mathrm{payoff}(w', t', w, t) \mid w' \in M,\ w' \ne w,\ t' \in A\}.$
p_{w,t} therefore denotes the probability that Mallot can deceive Bob with a substitution in the case (w, t) is the message observed. If Pr_{M×A}(w, t) is the probability of observing a message (w, t) in the channel, then
  $P_s = \sum_{(w,t) \in M \times A} \Pr_{M \times A}(w, t)\, p_{w,t}$
and
  $\Pr_{M \times A}(w, t) = \Pr_M(w) \Pr_K(t \mid w) = \Pr_M(w) \times \mathrm{payoff}(w, t).$
The next problem is to show how to construct an authentication code such that the deception probabilities are as low as possible. The concept of orthogonal arrays, introduced next, serves well such a purpose.

Part X
Protocols to do seemingly impossible and zero-knowledge protocols
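The computation of P_i and P_s from an authentication matrix, as an added example that is not part of the lecture notes: the Python script below evaluates equations (4) to (8) exactly with rational arithmetic for any code given as a dictionary of matrix rows, and applies them to two codes constructed for this example. The first is the affine code a_(i,j)(w) = i·w + j mod q over Z_q, which for prime q is the orthogonal-array construction mentioned at the end of the slide and reaches P_i = P_s = 1/q; the second is a deliberately weak two-key code in which a single observed (w, t) pins down the key, so P_s = 1 even though P_i is only 1/2.

```python
"""Deception probabilities P_i and P_s of an authentication code, computed
from its authentication matrix exactly as in equations (4)-(8). Added example
for these notes; the two sample codes are constructed here."""
from fractions import Fraction
from itertools import product

# An authentication code is a dict  key -> {message: tag}  (the matrix rows).


def payoff(code, key_prob, w, t):
    """payoff(w,t) = sum of Pr_K(k) over rows k with a_k(w) = t   (eq. 5)."""
    return sum((key_prob[k] for k in code if code[k][w] == t), Fraction(0))


def impersonation_probability(code, key_prob, messages, tags):
    """P_i = max over (w,t) of payoff(w,t)."""
    return max(payoff(code, key_prob, w, t) for w in messages for t in tags)


def substitution_payoff(code, key_prob, w2, t2, w, t):
    """payoff(w',t',w,t) = Pr(t' = a_K(w') | t = a_K(w))   (eq. 8)."""
    joint = sum((key_prob[k] for k in code
                 if code[k][w] == t and code[k][w2] == t2), Fraction(0))
    denom = payoff(code, key_prob, w, t)
    return joint / denom if denom else Fraction(0)


def substitution_probability(code, key_prob, msg_prob, messages, tags):
    """P_s = sum over observed (w,t) of Pr_{MxA}(w,t) * p_{w,t}, where
    Pr_{MxA}(w,t) = Pr_M(w) * payoff(w,t) and p_{w,t} is Mallot's best
    substitution payoff after seeing (w,t)."""
    total = Fraction(0)
    for w, t in product(messages, tags):
        observed = msg_prob[w] * payoff(code, key_prob, w, t)
        if observed == 0:
            continue                       # (w,t) never appears in the channel
        options = [substitution_payoff(code, key_prob, w2, t2, w, t)
                   for w2 in messages if w2 != w for t2 in tags]
        total += observed * (max(options) if options else Fraction(0))
    return total


def uniform(items):
    return {it: Fraction(1, len(items)) for it in items}


def affine_code(q):
    """Keys (i,j) in Z_q x Z_q, a_(i,j)(w) = i*w + j mod q; messages, tags Z_q.
    For prime q this is an orthogonal-array code with P_i = P_s = 1/q."""
    return {(i, j): {w: (i * w + j) % q for w in range(q)}
            for i in range(q) for j in range(q)}


# Constructed weak code: each key uses one fixed tag for every message, so
# seeing a single authenticated message reveals the key completely.
WEAK_CODE = {"k1": {0: 0, 1: 0}, "k2": {0: 1, 1: 1}}


def deception_probabilities(code, messages, tags, key_prob=None, msg_prob=None):
    """(P_i, P_s) for a code under uniform keys/messages unless given."""
    key_prob = key_prob or uniform(list(code))
    msg_prob = msg_prob or uniform(messages)
    return (impersonation_probability(code, key_prob, messages, tags),
            substitution_probability(code, key_prob, msg_prob, messages, tags))


if __name__ == "__main__":
    print("affine q=3:", deception_probabilities(affine_code(3), [0, 1, 2], [0, 1, 2]))
    print("weak code :", deception_probabilities(WEAK_CODE, [0, 1], [0, 1]))
```

The weak code is the instructive case: its impersonation probability is the same 1/2 a two-key code can never beat, yet its substitution probability is 1, which is exactly what the conditional probability in (6) captures and what a key-count alone does not.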
In this chapter we first present several cryptographic protocols for such basic cryptographic primitives as coin tossing, bit commitment and oblivious transfer. After that we deal with a variety of cryptographical protocols that allow one to solve easily seemingly unsolvable problems. Of special importance among them are the so called zero-knowledge protocols we will deal with afterwards. They are counter-intuitive, though powerful and useful.

PRIMITIVES for CRYPTOGRAPHIC PROTOCOLS
Cryptographic protocols are specifications how two parties, Alice and Bob, should prepare themselves for a communication and how they should behave during a communication in order to achieve their goal and be protected against an adversary.
In coin-flipping protocols Alice and Bob can flip a coin over a distance in such a way that neither of them can determine the outcome of the flip, but both can agree on the outcome in spite of the fact that they do not trust each other.
In bit commitment protocols Alice can choose a bit and get committed to it in the following sense: Bob has no way of learning Alice's commitment and Alice has no way of changing her commitment. Alice commits herself to a bit x using a commit(x) procedure, and reveals her commitment, if needed, using an open(x) procedure.
In 1-out-of-2 oblivious transfer protocols Alice transmits two messages m1 and m2 to Bob who can choose whether to receive m1 or m2, but cannot learn both, and Alice has no idea which of them Bob has received.

SCHEMES for PRIMITIVES of CRYPTOGRAPHIC PROTOCOLS
[Figure: three schematic diagrams with Alice (A) on the left and Bob (B) on the right. Coin-flipping: both parties obtain the same random bit b. Bit commitment: a commit phase in which b is sent to Bob in locked form, followed by an opening phase in which b is revealed. 1/2 oblivious transfer: Alice inputs b0 and b1, Bob inputs his choice c and receives b_c.]

PROTOCOLS for COIN-FLIPPING BY PHONE
Coin-flipping by telephone: Alice and Bob got divorced and they do not trust each other any longer. They want to decide, communicating by phone only, who gets the car.
Protocol 1
Alice sends Bob the messages head and tail encrypted by a one-way function f. Bob guesses which one of them is the encryption of head. Alice tells Bob whether his guess was correct. If Bob does not believe her, Alice sends f to Bob.
Protocol 2
Alice chooses two large primes p, q, sends Bob n = pq and keeps p, q secret.
Bob chooses randomly an integer y ∈ {1, ..., n/2}, sends Alice x = y^2 mod n and tells Alice: if you guess y correctly, the car will be yours.
Alice computes the four square roots (x1, n − x1) and (x2, n − x2) of x. Let x1' = min(x1, n − x1), x2' = min(x2, n − x2). Since y ∈ {1, ..., n/2}, either y = x1' or y = x2'.
Alice then guesses whether y = x1' or y = x2' and tells Bob her choice (for example by reporting the position and value of the leftmost bit in which x1' and x2' differ).
Bob tells Alice whether her guess was correct. (Later, if necessary, Alice reveals p and q, and Bob reveals y.)
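Protocol 2 carried out end to end, as an added Python example (not code from the lecture notes). The primes p = 11, q = 19 are constructed toy values chosen to be 3 (mod 4) so that square roots modulo each prime are a single modular exponentiation; Alice's knowledge of the factorisation is what lets her compute all four roots of x, and the "leftmost differing bit" announcement is implemented as the slide describes it.

```python
# Constructed toy parameters (not from the lecture notes); real instances use large primes.
P, Q = 11, 19          # both are 3 (mod 4), so square roots mod p and mod q are easy for Alice
N = P * Q              # 209, the value Bob receives


def sqrt_mod_prime_3mod4(a, p):
    """Square root of a quadratic residue a modulo a prime p with p = 3 (mod 4)."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p, "a is not a quadratic residue mod p"
    return r


def four_square_roots(x, p, q):
    """Alice's step: with p and q she takes a root mod p and a root mod q and combines
    them by the Chinese remainder theorem, giving the pairs (x1, n-x1) and (x2, n-x2).
    If gcd(y, n) > 1 the pairs coincide; for large primes that has negligible probability."""
    n = p * q
    rp = sqrt_mod_prime_3mod4(x, p)
    rq = sqrt_mod_prime_3mod4(x, q)
    inv_p = pow(p, -1, q)                       # p^{-1} mod q

    def crt(a, b):                              # the value that is a mod p and b mod q
        return (a + p * ((b - a) * inv_p % q)) % n

    x1 = crt(rp, rq)
    x2 = crt(rp, (q - rq) % q)
    return (x1, n - x1), (x2, n - x2)


def alice_candidates(x, p, q):
    """x1' = min(x1, n-x1) and x2' = min(x2, n-x2); one of them is Bob's y."""
    (x1, nx1), (x2, nx2) = four_square_roots(x, p, q)
    return min(x1, nx1), min(x2, nx2)


def announce_guess(chosen, other):
    """Alice's message to Bob: position (counted from bit 0) and value of the leftmost
    bit in which her chosen candidate differs from the other candidate."""
    width = max(chosen.bit_length(), other.bit_length())
    for i in range(width - 1, -1, -1):
        cb, ob = (chosen >> i) & 1, (other >> i) & 1
        if cb != ob:
            return i, cb
    return None                                 # candidates coincide (gcd(y, n) > 1)


def run_protocol(y, alice_guesses_first, p=P, q=Q):
    """Bob holds y in {1, ..., n/2} and sends x = y^2 mod n; Alice guesses one of her two
    candidates. Returns (alice_wins, (x1', x2'))."""
    n = p * q
    assert 1 <= y <= n // 2
    x = y * y % n                               # Bob's message
    c1, c2 = alice_candidates(x, p, q)          # Alice's computation
    assert y in (c1, c2), "one of the candidates must be Bob's y"
    guess = c1 if alice_guesses_first else c2
    return guess == y, (c1, c2)
```

Bob cannot check Alice's roots before the game ends, which is why the slide has Alice reveal p, q afterwards; the square roots themselves are what the whole fairness rests on, since without p, q Alice would have a genuine 1/2 chance and with them she still has exactly 1/2 because Bob's y is hidden among two equally likely candidates.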
COIN TOSSING - requirements and problems
■ In any good coin tossing protocol both parties should influence the outcome and should accept the outcome. Both outcomes should have the same probability.
■ Requirements for a coin tossing protocol are sometimes generalized as follows:
  ■ The outcome of the protocol is an element from the set {0, 1, reject}.
  ■ If both parties behave correctly, the outcome should be from the set {0, 1}.
  ■ If it is not the case that both parties behave correctly, the outcome should be reject.
Problem: In some coin tossing protocols one party can find out the outcome sooner than the second party. In such a case, if she is not happy with the outcome she can disrupt the protocol - to produce reject or to say "I do not continue in performing the protocol". A way out is to require that in case of correct behavior no outcome should have probability > 1/2.

COIN TOSSING USING a ONE-WAY FUNCTION
Protocol:
■ Alice chooses a one-way function f and informs Bob about the definition domain of f.
■ Bob chooses randomly r1, r2 from dom(f) and sends them to Alice.
■ Alice sends to Bob one of the values f(r1) or f(r2).
■ Bob announces to Alice his guess which of the two values he received.
■ Alice announces to Bob whether his guess was correct (0) or not (1).
■ If one needs to verify correctness, Alice should send to Bob the specification of f.
The protocol is computationally secure. Indeed, to cheat, Alice should be able to find, for randomly chosen r1, r2, such a one-way function f that f(r1) = f(r2).

BIT COMMITMENT PROTOCOLS (BCP)
Basic ideas and solutions I
In a bit commitment protocol Alice chooses a bit b and gets committed to b, in the following sense:
Bob has no way of knowing which commitment Alice has made, and Alice has no way of changing her commitment once she has made it; say after Bob announces his guess as to what Alice has chosen.
An example of a "pre-computer era" bit commitment protocol is that Alice writes her commitment on a paper, locks it in a box, sends the box to Bob and, later, in the opening phase, she sends also the key to Bob.
Complexity era solution I. Alice chooses a one-way function f and an even (odd) x if she wants to commit herself to 0 (1) and sends to Bob f(x) and f.
Problem: Alice may know an even x1 and an odd x2 such that f(x1) = f(x2).
Complexity era solution II. Alice chooses a one-way function f, two random x1, x2 and a bit b she wishes to commit to, and sends to Bob (f(x1, x2, b), x1) - a commitment. When the time comes for Alice to reveal her bit she sends to Bob f and the triple (x1, x2, b).

BIT COMMITMENT SCHEMES I
The basis of bit commitment protocols are bit commitment schemes:
A bit commitment scheme is a mapping f : {0, 1} × X → Y, where X and Y are finite sets.
A commitment to a b ∈ {0, 1}, or an encryption of b, is any value (called a blob) f(b, x) where x ∈ X.
Each bit commitment protocol has two phases:
Commitment phase: The sender sends a bit b he wants to commit to, in an encrypted form, to the receiver.
Opening phase: If required, the sender sends to the receiver additional information that enables the receiver to get b.
BIT COMMITMENT SCHEMES II
Each bit commitment scheme should have three properties:
Hiding (privacy): For no b ∈ {0, 1} and no x ∈ X is it feasible for Bob to determine b from B = f(b, x).
Binding: Alice can "open" her commitment b, by revealing (opening) x and b such that B = f(b, x), but she should not be able to open a commitment (blob) B as both 0 and 1.
Correctness: If both the sender and the receiver follow the protocol, then the receiver will always learn (recover) the committed value b.

BIT COMMITMENT with ONE-WAY FUNCTIONS
Commitment phase:
■ Alice and Bob choose a one-way function f.
■ Bob sends a randomly chosen r1 to Alice.
■ Alice chooses a random r2 and her committed bit b and sends to Bob f(r1, r2, b).
Opening phase:
■ Alice sends to Bob r2 and b.
■ Bob computes f(r1, r2, b) and compares it with the value he has already received.

HASH FUNCTIONS and COMMITMENTS
A commitment to data w, without revealing w, using a hash function h, can be done as follows:
Commitment phase: To commit to w choose a random r and make public h(wr).
Opening phase: reveal r and w.
For this application the hash function h has to be one-way: from h(wr) it should be infeasible to determine wr.

TWO SPECIAL BIT COMMITMENT SCHEMES
Bit commitment scheme I. Let p, q be large primes, n = pq, m ∈ QNR(n), X = Y = Z_n^*. Let n, m be public.
Commitment: f(b, x) = m^b x^2 mod n for a random x from X.
Since deciding quadratic residuosity modulo n is in general infeasible, this bit commitment scheme is hiding. Since m ∈ QNR(n), there are no x1, x2 such that m x1^2 = x2^2 mod n, and therefore the scheme is binding.
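Bit commitment scheme I on a toy modulus, as an added Python example (not code from the lecture notes). The parameters p = 7, q = 11 and m = 24 are constructed: m is a non-residue modulo both primes, so its Jacobi symbol modulo n is +1 and a blob's Jacobi symbol tells Bob nothing about b; the functions show the commit/open pair, why the factorisation of n is a trapdoor for the hiding property, and a brute-force check over the whole group that the binding condition m x1^2 ≠ x2^2 really holds for m ∈ QNR(n) and fails when m is a square.

```python
from math import gcd

# Constructed toy parameters (not from the lecture notes); real instances use large p, q.
P, Q = 7, 11
N = P * Q                # 77
M = 24                   # 24 = 3 (mod 7) and 24 = 2 (mod 11): a non-residue mod both primes


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity; what Bob can compute
    without knowing the factorisation of n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr_mod_prime(a, p):
    """Euler's criterion: a is a square mod the odd prime p iff a^((p-1)/2) = 1."""
    return pow(a % p, (p - 1) // 2, p) == 1


def commit(b, x, m=M, n=N):
    """Scheme I: f(b, x) = m^b x^2 mod n with x a unit mod n."""
    assert b in (0, 1) and gcd(x, n) == 1
    return pow(m, b, n) * x * x % n


def open_commitment(blob, b, x, m=M, n=N):
    """Bob's check in the opening phase."""
    return blob == commit(b, x, m, n)


def trapdoor_decide(blob, p=P, q=Q):
    """With p, q known the blob is a square mod n iff b = 0, because m is a non-residue
    mod both primes. This is exactly the information the hiding property keeps from Bob."""
    return 0 if is_qr_mod_prime(blob, p) and is_qr_mod_prime(blob, q) else 1


def binding_violations(m=M, n=N):
    """All pairs (x1, x2) of units with m x1^2 = x2^2 (mod n), i.e. blobs that could be
    opened as both 1 and 0. Empty for m in QNR(n); non-empty as soon as m is a square."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    return [(x1, x2) for x1 in units for x2 in units
            if commit(1, x1, m, n) == commit(0, x2, m, n)]
```

The brute force is of course only possible because n = 77; on real parameters the same statement is the quadratic residuosity assumption, and the point of the example is that the Jacobi symbol, the one efficiently computable residuosity-related quantity, is +1 for every blob regardless of b.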
Bit commitment scheme II. Let p be a large Blum prime, X = Z_p^* = Y, α be a primitive element of Z_p^*.
  f(b, x) = α^x mod p,        if SLB(x) = b;
          = α^{p − x} mod p,  if SLB(x) ≠ b,
where SLB(x) = 0 if x ≡ 0, 1 (mod 4); = 1 if x ≡ 2, 3 (mod 4).
The binding property of this bit commitment scheme follows from the fact that in the case of discrete logarithms modulo Blum primes there is no effective way to determine the second least significant bit (SLB) of the discrete logarithm.

MAKING COIN TOSSING FROM BIT COMMITMENT
Each bit commitment scheme can be used to solve the coin tossing problem as follows:
1. Alice tosses a coin, commits herself to its outcome bA (say to 0 (1) if the outcome is head (tail)) and sends the commitment to Bob.
2. Bob also tosses a coin and sends the outcome bB to Alice.
3. Alice opens her commitment to Bob (so he knows bA).
4. Both Alice and Bob compute b = bA ⊕ bB.
Observe that if at least one of the parties follows the protocol, that is, tosses a random coin, the outcome is indeed a random bit.
Note: Observe that after step 2 Alice will know what the outcome is, but Bob does not. So Alice can disrupt the protocol if the outcome is not good for her. This is a weak point of this protocol.

BASIC TYPES of HIDING and BINDING
If the hiding or the binding property of a commitment protocol depends on the complexity of a computational problem, we speak about computational hiding and computational binding.
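The hash-based commitment of HASH FUNCTIONS and COMMITMENTS, with Bob's random r1 from BIT COMMITMENT with ONE-WAY FUNCTIONS mixed in, driving the four steps of MAKING COIN TOSSING FROM BIT COMMITMENT, as an added Python example (not code from the lecture notes). SHA-256 stands in for the one-way function f, the length-prefixed concatenation is my own choice, and the cheat_open_as parameter is an assumed hook that lets a dishonest Alice try to reopen her commitment as the other bit after seeing bB, so that the binding check in step 3 can be exercised.

```python
import hashlib
import hmac
import secrets


def commit(value: bytes, receiver_nonce: bytes, sender_nonce: bytes) -> bytes:
    """Commitment phase: blob = h(receiver_nonce || sender_nonce || value).
    receiver_nonce is Bob's r1, sender_nonce is Alice's r2 (the random r of h(wr)).
    Each field is length-prefixed so that different splits of the concatenation
    cannot produce the same hash input."""
    h = hashlib.sha256()
    for field in (receiver_nonce, sender_nonce, value):
        h.update(len(field).to_bytes(2, "big"))
        h.update(field)
    return h.digest()


def open_ok(blob: bytes, value: bytes, receiver_nonce: bytes, sender_nonce: bytes) -> bool:
    """Opening phase: Bob recomputes f(r1, r2, b) from the revealed values and compares
    it with the blob he already holds (constant-time comparison)."""
    return hmac.compare_digest(blob, commit(value, receiver_nonce, sender_nonce))


def coin_toss(bit_alice: int, bit_bob: int, cheat_open_as=None, rng=secrets.token_bytes):
    """Steps 1-4 of MAKING COIN TOSSING FROM BIT COMMITMENT.
    Returns (outcome or None, accepted_by_bob)."""
    r1 = rng(16)                                    # Bob's challenge, sent before step 1
    r2 = rng(16)                                    # Alice's own randomness
    blob = commit(bytes([bit_alice]), r1, r2)       # step 1: Alice commits to bA
    # step 2: Bob sends bB. Alice now already knows bA xor bB (the weak point noted on
    # the slide); the only thing she might try is to open the blob as a different bit.
    opened = bit_alice if cheat_open_as is None else cheat_open_as
    if not open_ok(blob, bytes([opened]), r1, r2):  # step 3: Bob checks the opening
        return None, False                          # binding: the changed bit is rejected
    return opened ^ bit_bob, True                   # step 4: b = bA xor bB
```

Both r1 and r2 are needed: r2 is what makes the blob hiding (without it Bob could hash both single-bit values himself), and r1 is what prevents Alice from reusing a blob prepared before the protocol started.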
In case, the binding or the hiding property does not depend on the complexity of a computational problem, we speak about unconditional hiding or unconditional binding. prof. Jozef Gruska IV054 10. Protocols to do seemingly impossible and zero-knowledge protocols 430/616 A COMMITMENT SCHEME BASED on DISCRETE LOGARITHM Alice wants to commit herself to an m e {0,... , q — 1}. Scheme setting: prof. Jozef Gruska IV054 10. Protocols to do seemingly impossible and zero-knowledge protocols 431/616 A COMMITMENT SCHEME BASED on DISCRETE LOGARITHM Alice wants to commit herself to an m e {0,... , q — 1}. Scheme setting: Bob randomly chooses primes p and q such that q|(p — i). Bob chooses random generators g = 1 = v of the subgroup G of order q e Z*. Bob sends p, q, g and v to Alice. Commitment phase: prof. Jozef Gruska IV054 10. Protocols to do seemingly impossible and zero-knowledge protocols 431/616 A COMMITMENT SCHEME BASED on DISCRETE LOGARITHM Alice wants to commit herself to an m e {0,... , q — 1}. Scheme setting: Bob randomly chooses primes p and q such that q|(p — i). Bob chooses random generators g = 1 = v of the subgroup G of order q e Z*. Bob sends p, q, g and v to Alice. Commitment phase: To commit to an m e {0,... , q — 1}, Alice chooses a random r e Zq, and sends c = gr vm to Bob. prof. Jozef Gruska IV054 10. Protocols to do seemingly impossible and zero-knowledge protocols 431/616 A COMMITMENT SCHEME BASED on DISCRETE LOGARITHM Alice wants to commit herself to an m e {0,... , q — 1}. Scheme setting: Bob randomly chooses primes p and q such that q|(p — i). Bob chooses random generators g = 1 = v of the subgroup G of order q e Z*. Bob sends p, q, g and v to Alice. Commitment phase: To commit to an m e {0,... , q — 1}, Alice chooses a random r e Zq, and sends c = gr vm to Bob. Opening phase: Alice sends r and m to Bob who then verifies whether c= grvm. prof. Jozef Gruska IV054 10. 
COMMENTS
■ If Alice, committed to an m, could open her commitment as some m' ≠ m using some r', then g^r v^m = g^{r'} v^{m'} (mod p) and therefore log_g v = (r - r')(m' - m)^{-1} (mod q). Hence Alice could compute log_g v of a randomly chosen element v ∈ G, which contradicts the assumption that computing discrete logarithms in G is infeasible. The scheme is therefore computationally binding.
■ Since g and v are generators of G, g^r for a uniformly random r ∈ Z_q is a uniformly random element of G, perfectly hiding v^m, and hence m, in g^r v^m, as in encryption with the ONE-TIME PAD cryptosystem. The scheme is therefore unconditionally hiding, even against a Bob who knows log_g v.
BIT COMMITMENT using ENCRYPTIONS
Commit phase:
1. Bob generates a random string r and sends it to Alice.
2. Alice commits herself to a bit b using a key k through the encryption E_k(r b) of r concatenated with b, and sends it to Bob.
Opening phase:
1. Alice sends the key k to Bob.
2. Bob decrypts the message to learn b and to verify that it starts with r.
Comment: without Bob's random string r, Alice could look for a different key l such that E_k(b) = E_l(¬b) and then open the commitment either way. With r included, such an l would have to decrypt the same ciphertext to r followed by ¬b, which Alice cannot arrange for a good cipher, since r was chosen by Bob after k could have been chosen.
COMMITMENTS and ELECTRONIC VOTING
Let com(r, m) = g^r v^m denote the commitment to m in the commitment scheme based on discrete logarithm. If r_1, r_2, m_1, m_2 ∈ Z_q, then
com(r_1, m_1) · com(r_2, m_2) = com(r_1 + r_2, m_1 + m_2)
(with the sums taken mod q). Commitment schemes with such a property are called homomorphic commitment schemes.
Homomorphic schemes can be used to cast yes/no votes of n voters V_1, ..., V_n with the help of a trusted authority TA whose ElGamal encryption and decryption algorithms are e_T and d_T. This works as follows:
Each voter V_i chooses his vote m_i ∈ {0, 1} and a random r_i ∈ {0, ..., q - 1} and computes his voting commitment c_i = com(r_i, m_i). Then V_i makes c_i public and sends e_T(g^{r_i}) to TA. TA computes
d_T(∏_{i=1}^n e_T(g^{r_i})) = ∏_{i=1}^n g^{r_i} = g^r, where r = Σ_{i=1}^n r_i,
and makes g^r public. (ElGamal encryption is multiplicatively homomorphic, so TA needs to decrypt only the product; an honest TA never has to look at an individual g^{r_i}, which together with the public c_i would reveal m_i.)
Now anybody can compute the result s of the voting from the publicly known c_i and g^r, since
∏_{i=1}^n c_i / g^r = v^s, where s = Σ_{i=1}^n m_i.
s can now be derived from v^s by computing v^1, v^2, v^3, ... and comparing with v^s, which is feasible if the number of voters is not too large (and requires s < q).
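The following Python program is an added example and not part of the slides. It implements the discrete-logarithm commitment com(r, m) = g^r v^m, the coin-tossing protocol built from it, the binding argument of the COMMENTS slide (an Alice who can open one commitment in two ways reveals log_g v) and the homomorphic yes/no tally above, with a minimal ElGamal standing in for e_T and d_T. The group parameters p = 23, q = 11, g = 2, v = 3 are toy assumptions (q | p - 1, and both g and v have order q); in the real scheme Bob chooses large random ones.

```python
import secrets

# Toy parameters (assumption, far too small for real use): q | p - 1, and
# g = 2 and v = 3 both generate the subgroup of order q = 11 in Z_23^*.
P, Q, G, V = 23, 11, 2, 3


def commit(m, r=None):
    """Alice: c = g^r v^m mod p with r uniform in Z_q. Returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P) * pow(V, m % Q, P) % P, r


def verify(c, r, m):
    """Bob's check in the opening phase."""
    return c == pow(G, r, P) * pow(V, m % Q, P) % P


def dlog_from_equivocation(r1, m1, r2, m2):
    """Binding argument from the COMMENTS slide: if (r1, m1) and (r2, m2) with
    m1 != m2 open the same c, then log_g v = (r1 - r2) * (m2 - m1)^-1 mod q."""
    return (r1 - r2) * pow(m2 - m1, -1, Q) % Q


def coin_toss(b_alice=None, b_bob=None, open_as=None):
    """Coin tossing from bit commitment. Fixed bits and open_as (a cheating
    Alice opening as a different bit) exist only for testing; Bob's rejection
    of a bad opening is reported as None."""
    b_alice = secrets.randbelow(2) if b_alice is None else b_alice
    c, r = commit(b_alice)                                    # 1. Alice -> Bob
    b_bob = secrets.randbelow(2) if b_bob is None else b_bob  # 2. Bob -> Alice
    # Alice already knows b_alice ^ b_bob here and could refuse to continue.
    claimed = b_alice if open_as is None else open_as         # 3. Alice -> Bob
    if not verify(c, r, claimed):
        return None                                           # Bob rejects
    return claimed ^ b_bob                                    # 4. both compute b


# Minimal ElGamal in the same group, used by the trusted authority TA.
def elgamal_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def elgamal_encrypt(y, msg):
    """msg must be an element of the order-q subgroup (g^r_i is)."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), msg * pow(y, k, P) % P


def elgamal_decrypt(x, ct):
    c1, c2 = ct
    return c2 * pow(c1, -x, P) % P


def tally(votes):
    """Yes/no voting from the slide. Returns (public c_i, g^r, s = sum m_i)."""
    x, y = elgamal_keygen()                        # TA's key pair
    commitments, ciphertexts = [], []
    for m in votes:                                # each voter V_i
        c, r = commit(m)
        commitments.append(c)                      # c_i is made public
        ciphertexts.append(elgamal_encrypt(y, pow(G, r, P)))  # e_T(g^r_i) to TA
    # TA: ElGamal is multiplicatively homomorphic, so one decryption of the
    # product of ciphertexts yields prod g^r_i = g^r without exposing any r_i.
    c1 = c2 = 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % P, c2 * b % P
    g_r = elgamal_decrypt(x, (c1, c2))             # published by TA
    # Anybody: prod c_i / g^r = v^s; recover s by trying v^0, v^1, ... (s < q)
    prod = 1
    for c in commitments:
        prod = prod * c % P
    v_s = prod * pow(g_r, -1, P) % P
    for s in range(min(len(votes), Q - 1) + 1):
        if pow(V, s, P) == v_s:
            return commitments, g_r, s
    raise ValueError("tally inconsistent with published g^r")
```

Nothing in this protocol forces m_i ∈ {0, 1}: a voter who commits to m_i = 3 is counted three times, so practical schemes add a zero-knowledge proof that each c_i commits to 0 or 1. The search for s also needs the number of voters to stay below q, which is why q must be large in practice even though the toy q = 11 suffices here.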
TRUST in CRYPTOGRAPHIC PROTOCOLS - deliberations
In any interaction between people, there is a certain level of risk, trust and expected behaviour that is implicit in the interchanges.
People may behave properly for a variety of reasons: fear of prosecution, reluctance to act unethically because of social influences, and so on.
However, in cryptographic protocols trust has to be kept to the lowest possible level.
In any cryptographic protocol, if there is no mechanism for verifying, say, authenticity, one must assume by default that the other participants can be dishonest (if for no other reason than for self-preservation).
OBLIVIOUS TRANSFER (OT) PROBLEM
Story: Alice knows a secret and wants to send it to Bob in such a way that he gets the secret with probability 1/2, he knows whether he got it, but Alice has no idea whether he received it. (Or Alice has several secrets and Bob wants to buy one of them, but he does not want Alice to know which one he bought.)
Oblivious transfer problem: Design a protocol for sending a message from Alice to Bob in such a way that Bob receives the message with probability 1/2 and "garbage" with probability 1/2. Moreover, Bob knows whether he got the message or garbage, but Alice has no idea which one he got.
OBLIVIOUS TRANSFER PROTOCOL - continuation
An oblivious transfer protocol:
1. Alice chooses two large primes p and q and sends n = pq to Bob.
2. Bob chooses a random number x with gcd(x, n) = 1 and sends y = x^2 mod n to Alice.
3. Alice computes the four square roots ±x_1, ±x_2 of y (mod n) and sends one of them to Bob. (She can do it because she knows p and q, but she has no idea which of them is ±x.)
4. Bob checks whether the number he got is congruent to x or -x (mod n). If yes, he has received no new information. Otherwise Bob has two essentially different square roots x and x' of y modulo n, so gcd(x - x', n) is a nontrivial factor of n and Bob can factor n. Alice has no way of knowing whether this is the case.
What is transferred with probability 1/2 is thus the factorization of n; Alice's actual secret has to be something this factorization unlocks, for example a message encrypted under a public key with modulus n.
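The protocol above, run end to end in Python, as an added example that is not part of the slides. Alice's square-root computation uses the formula for primes p ≡ 3 (mod 4) and the Chinese remainder theorem; the toy primes 7 and 11, the choice of that prime form and the pinned random choices used for testing are assumptions.

```python
import secrets
from math import gcd


def sqrt_mod_prime(y, p):
    """Square root of the quadratic residue y modulo a prime p = 3 (mod 4);
    other primes need Tonelli-Shanks (assumption: p = 3 mod 4 here)."""
    assert p % 4 == 3
    r = pow(y, (p + 1) // 4, p)
    assert r * r % p == y % p, "y is not a quadratic residue mod p"
    return r


def crt(a, p, b, q):
    """The x modulo pq with x = a (mod p) and x = b (mod q), p and q coprime."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def four_roots(y, p, q):
    """Alice's step 3: all four square roots of y modulo n = pq (needs p, q)."""
    rp, rq = sqrt_mod_prime(y, p), sqrt_mod_prime(y, q)
    return {crt(rp, p, rq, q), crt(rp, p, -rq, q),
            crt(-rp, p, rq, q), crt(-rp, p, -rq, q)}


def bob_outcome(x, n, root):
    """Bob's step 4: a root congruent to +-x is useless; any other root x'
    gives gcd(x - x', n), a nontrivial factor of n."""
    if root in (x % n, (-x) % n):
        return None
    f = gcd(x - root, n)
    assert 1 < f < n
    return (f, n // f)


def rabin_ot(p, q, x=None, choice=None):
    """Run the protocol. Returns (Bob's x, the root Alice sent, factors or None).
    x and choice pin the random choices for testing; by default Bob's x is
    random and Alice picks one of the four roots uniformly at random."""
    n = p * q                                   # 1. Alice -> Bob: n
    if x is None:
        while True:
            x = secrets.randbelow(n - 2) + 2
            if gcd(x, n) == 1:
                break
    y = pow(x, 2, n)                            # 2. Bob -> Alice: y = x^2 mod n
    roots = sorted(four_roots(y, p, q))         # 3. Alice, who knows p and q
    root = roots[secrets.randbelow(4) if choice is None else choice]
    return x, root, bob_outcome(x, n, root)     # 4. Bob's check
```

Since y determines the set of four roots and Alice sees only y, she cannot tell which root is Bob's x; exactly two of her four possible answers hand Bob the factorization, so the transfer succeeds with probability 1/2 and nothing in her view depends on which case occurred. Alice should reject a y that is not a square modulo n (the assertion in sqrt_mod_prime), and an honest Bob picks x coprime to n, since otherwise gcd(x, n) already gives him a factor.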
1-OUT-OF-2 OBLIVIOUS TRANSFER PROBLEM
The 1-out-of-2 oblivious transfer problem: Alice sends two messages to Bob in such a way that Bob can choose which of the messages he receives (but he cannot get both), while Alice cannot learn Bob's choice.
A generalization of the 1-out-of-2 oblivious transfer problem is the two-party oblivious circuit evaluation problem:
Alice has a secret i and Bob has a secret j, and they both know some function f. At the end of the protocol the following conditions should hold:
1. Bob knows the value f(i, j), but he does not learn anything about i beyond what f(i, j) reveals.
2. Alice learns nothing about j and nothing about f(i, j).
Note: The 1-out-of-2 oblivious transfer problem is the instance of the oblivious circuit evaluation problem with i = (b_0, b_1) and f(i, j) = b_j.
1-out-2 OBLIVIOUS TRANSFER BOX
1-out-of-two oblivious transfer can be imagined as a box with three inputs and one output.
INPUTS: Alice inputs x_0 and x_1; Bob inputs a bit c.
OUTPUT: Bob gets as the output x_c (and learns nothing about x_{1-c}); Alice gets no output (and learns nothing about c).
AN IMPLEMENTATION of OBLIVIOUS TRANSFER PROTOCOLS
■ Alice generates two key pairs for a public-key cryptosystem (PKC) P and sends both her public keys p_1, p_2 to Bob.
■ Bob chooses a random secret key k for a secret-key cryptosystem (SKC) S, encrypts it with one of Alice's public keys, p_1 or p_2, and sends the outcome to Alice.
■ Alice uses her two secret keys to decrypt the message she received. One of the outcomes is garbage g, the other one is k, but she does not know which one is k.
■ Alice encrypts her two secret messages, one with k and the other with g, and sends both to Bob.
■ Bob uses S with k to decrypt both messages he got; exactly one of the attempts is successful, namely the message encrypted under the key Alice obtained from the public key Bob chose. Alice has no idea which one.
HISTORY and POWER of OBLIVIOUS TRANSFER PROTOCOLS
■ C. Crépeau (1988) showed that both versions of oblivious transfer are equivalent: a protocol for each version can be realized using any protocol for the other version, by a cryptographic reduction.
■ The original definition of oblivious transfer is due to J. Halpern and M. O. Rabin (1983); 1-out-of-2 oblivious transfer was suggested by S.
Even, O. Goldreich and A. Lempel in 1985.
■ J. Kilian (1988) showed that oblivious transfer is a very powerful primitive: it allows secure computation of the value f(x, y) of any two-argument function f, where x is a secret value known only to Alice and y is a secret value known only to Bob, in such a way that
■ both Alice and Bob learn f(x, y);
■ Alice learns about y only as much as she can learn from x and f(x, y);
■ Bob learns about x only as much as he can learn from y and f(x, y).
BIT COMMITMENT from 1-out-2 oblivious transfer
Using a 1-out-of-2 oblivious transfer box (OT-box) one can design a bit commitment scheme:
COMMITMENT PHASE:
1. Alice selects a random bit r and her commitment bit b.
2. Alice inputs x_0 = r and x_1 = r ⊕ b into the OT-box.
3. Alice sends a message to Bob telling him it is his turn.
4. Bob selects a random bit c, inputs c into the OT-box and records the output x_c.
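An added Python example, not from the slides, for two of the protocols above: the public-key implementation of 1-out-of-2 oblivious transfer (with toy RSA key pairs standing in for the PKC P and an XOR with a SHA-256 keystream standing in for the SKC S; both stand-ins and the toy primes are assumptions) and, on top of it, the OT-box bit commitment whose commitment phase is listed above, together with Bob's opening check x_c = r ⊕ (b · c).

```python
import hashlib
import secrets


def rsa_keypair(p, q, e=17):
    """Toy RSA key pair from two primes (assumption: real keys use 2048+ bit
    moduli). Returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def skc(key, data):
    """Stand-in for the SKC S: XOR with a SHA-256 keystream derived from the
    integer key (a single block, so messages are limited to 32 bytes)."""
    assert len(data) <= 32
    stream = hashlib.sha256(key.to_bytes(32, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def ot_1_of_2(x0, x1, c, alice_keys):
    """Alice inputs x0, x1; Bob inputs bit c and gets x_c. Alice only sees the
    encryption of k, which looks the same under either key choice."""
    (pub0, priv0), (pub1, priv1) = alice_keys          # Alice's two key pairs
    # Bob: random SKC key k, encrypted with Alice's public key number c
    n_c, e_c = (pub0, pub1)[c]
    k = secrets.randbelow(min(pub0[0], pub1[0]) - 2) + 2
    ct = pow(k, e_c, n_c)
    # Alice: decrypt with both secret keys; one result is k, the other garbage g
    k0 = pow(ct, priv0[1], priv0[0])
    k1 = pow(ct, priv1[1], priv1[0])
    y0, y1 = skc(k0, x0), skc(k1, x1)                  # x0 under k0, x1 under k1
    # Bob: only the message encrypted under the key he chose decrypts with k
    return skc(k, (y0, y1)[c])


def commit_via_ot(b, alice_keys, r=None, c=None):
    """Commitment phase with the OT box: Alice inputs x0 = r, x1 = r xor b,
    Bob inputs c and records x_c. Returns (Bob's record, Alice's opening).
    r and c can be pinned for testing."""
    r = secrets.randbelow(2) if r is None else r
    c = secrets.randbelow(2) if c is None else c
    xc = ot_1_of_2(bytes([r]), bytes([r ^ b]), c, alice_keys)[0]
    return (c, xc), (r, b)


def open_via_ot(bob_record, r, b):
    """Opening phase: Alice sends (r, b); Bob checks x_c = r xor (b and c)."""
    c, xc = bob_record
    return xc == r ^ (b & c)
```

With c = 0 Bob holds x_0 = r and the opening check accepts both b = 0 and b = 1, so a single OT binds Alice only with probability 1/2 and the scheme is repeated with fresh r and c for every copy; Bob, on the other hand, learns nothing about b from a single value, which is the hiding side. The RSA-based transfer also relies on Bob not being able to produce a ciphertext whose decryptions under both of Alice's keys he knows, which is what stops him from recovering both x_0 and x_1.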
OPENING PHASE:
1. Alice sends r and b to Bob.
2. Bob checks whether x_c = r ⊕ (b · c).
If c = 0, Bob holds x_0 = r and the check passes for either value of b, so a cheating Alice who opens as ¬b is caught only when c = 1, that is, with probability 1/2; the commitment is therefore repeated with independent r and c so that cheating is detected with overwhelming probability. Bob, on the other hand, learns nothing about b before the opening, since he gets only one of r and r ⊕ b.
MENTAL POKER PLAYING by PHONE by Alice and Bob
Basic requirements (for playing poker with 52 cards):
■ Initial hands (sets of 5 cards) of both players are equally likely.
■ The initial hands of Alice and Bob are disjoint.
■ Both players always know their own hands but not that of the opponent.
■ Each player can detect eventual cheating of the other player.
A commutative cryptosystem is used with all functions kept secret. Players agree on numbers w_1, ..., w_52 as the names of the 52 cards.
Protocol:
1. Bob encrypts the cards with e_B and tells e_B(w_1), ..., e_B(w_52), in a randomly chosen order, to Alice.
2. Alice chooses five of the items e_B(w_i) as Bob's hand and tells them to Bob.
3. Alice chooses another five of the e_B(w_i), encrypts them with e_A and sends them to Bob.
4. Bob applies d_B to all five values e_A(e_B(w_i)) he got from Alice and sends the results e_A(w_i) to Alice as Alice's hand; here the commutativity d_B(e_A(e_B(w_i))) = e_A(w_i) is used. Alice applies d_A to learn her cards.
At this point both players have their hands and poker can start.
Remark: The cryptosystems that are used cannot be public-key in the normal sense. Otherwise Alice could compute e_B(w_i) for every card and deal the cards accordingly: a good hand for Bob but a slightly better one for herself.
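The two-player dealing protocol above in Python, as an added example that is not part of the slides. The commutative cryptosystem is instantiated as the exponentiation cipher e_K(w) = w^K mod p with a secret exponent K (so e_A(e_B(w)) = e_B(e_A(w)) because (w^a)^b = (w^b)^a), which is the classical choice for this protocol; the prime p = 1019 and the card encodings are assumptions, and, as the remark requires, each player's key stays secret.

```python
import secrets
from math import gcd

PRIME = 1019   # assumption: shared prime; a real game needs a prime of hundreds of digits
# Card names: 52 distinct quadratic residues mod PRIME (see the note on residuosity below)
CARDS = [i * i % PRIME for i in range(2, 54)]


class Player:
    """Holds one secret exponent K with gcd(K, p - 1) = 1; enc and dec are
    inverse exponentiations, so encryptions of different players commute."""
    def __init__(self, p=PRIME):
        self.p = p
        while True:
            self.key = secrets.randbelow(p - 3) + 2
            if gcd(self.key, p - 1) == 1:
                break
        self.inv = pow(self.key, -1, p - 1)

    def enc(self, w):
        return pow(w, self.key, self.p)

    def dec(self, c):
        return pow(c, self.inv, self.p)


def is_qr(w, p):
    """Euler's criterion. Exponentiation with an odd K preserves this bit,
    so ciphertexts leak it unless all card names share the same value."""
    return pow(w, (p - 1) // 2, p) == 1


def deal(alice, bob, cards=CARDS):
    """Steps 1-4 of the two-player protocol; returns (Bob's hand, Alice's hand)."""
    # 1. Bob encrypts every card and tells them to Alice in random order
    deck = [bob.enc(w) for w in cards]
    secrets.SystemRandom().shuffle(deck)
    # 2. Alice picks five as Bob's hand; Bob decrypts them
    bob_hand = [bob.dec(c) for c in deck[:5]]
    # 3. Alice picks five more and adds her own layer of encryption
    doubly = [alice.enc(c) for c in deck[5:10]]
    # 4. Bob removes his layer, d_B(e_A(e_B(w))) = e_A(w); Alice then decrypts
    alice_hand = [alice.dec(bob.dec(c)) for c in doubly]
    return bob_hand, alice_hand
```

The residuosity check is the reason CARDS are all squares: Lipton observed that the exponentiation cipher preserves the quadratic-residue bit, so with arbitrary card names Alice could tell from e_B(w_i) alone which half of the deck each encrypted card belongs to, which breaks the first requirement even though the keys are secret.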
MENTAL POKER by PHONE with THREE PLAYERS
1. Alice encrypts the 52 cards w_1, ..., w_52 with e_A and sends the encryptions, in a random order, to Bob.
2. Bob, who cannot decode the encryptions, chooses 5 of them randomly. He encrypts them with e_B and sends e_B(e_A(w_i)) to Alice and the remaining 47 encryptions e_A(w_i) to Carol.
3. Carol, who cannot decode any of the encryptions, chooses five of them randomly, encrypts them also with her key and sends e_C(e_A(w_i)) to Alice.
4. Alice, who cannot read the encrypted messages from Bob and Carol, decrypts them with her key and sends them back to the senders: the five d_A(e_B(e_A(w_i))) = e_B(w_i) to Bob and the five d_A(e_C(e_A(w_i))) = e_C(w_i) to Carol.
5. Bob and Carol decrypt the encryptions they got to learn their hands.
6. Carol chooses randomly 5 other messages e_A(w_i) from the remaining 42 and sends them to Alice.
7. Alice decrypts these messages to learn her hand.
Additional cards can be dealt in a similar manner. If either Bob or Carol wants a card, they take an encrypted message e_A(w_i) and go through the protocol with Alice. If Alice wants a card, whoever currently has the deck sends her one.
ZERO-KNOWLEDGE PROOF PROTOCOLS
To the most important primitives for cryptographic protocols, and at the same time very counter-intuitive primitives, belong so-called zero-knowledge (proof) protocols.
ZERO-KNOWLEDGE PROOF PROTOCOLS

Among the most important primitives for cryptographic protocols, and at the same time among the most counter-intuitive ones, are the so-called zero-knowledge (proof) protocols.

Very informally, a zero-knowledge proof protocol allows one party, usually called the PROVER, to convince another party, called the VERIFIER, that the PROVER knows some fact (a secret, a proof of a theorem, ...) without revealing to the VERIFIER ANY information about this knowledge (secret, proof, ...).

In the rest of this chapter we present and illustrate the very basic ideas of zero-knowledge proof protocols and their importance for cryptography.

Zero-knowledge proof protocols are a special type of so-called interactive proof systems.

By a theorem we understand in the following a claim that a specific object has a specific property; for example, that a specific graph is 3-colorable.

AN ILLUSTRATIVE EXAMPLE (A cave with a door opening on a secret word)

Alice knows a secret word that opens a door inside a cave. How can she convince Bob of this without revealing the secret word?

(Figure: Bob and Alice at the cave.)
ZERO-KNOWLEDGE PROOFS

Informally speaking, an interactive proof system has the zero-knowledge property if a Verifier who interacts with the honest Prover of the system learns nothing from the interaction beyond the validity of the statement being proved.

There are several variants of zero-knowledge protocols, differing in how the notion of "learning nothing" is formalized. In each variant a (possibly cheating) Verifier is said to learn nothing if there exists a polynomial-time simulator which, given only the common input and no access to the Prover's secret, produces an output indistinguishable from the Verifier's view of an interaction with the Prover, on every instance of the problem.

The variants differ in the strength of this indistinguishability. Perfect and statistical zero-knowledge refer to the situation where the simulator's output and the Verifier's view are indistinguishable in the information-theoretic sense (identical distributions, respectively distributions at negligible statistical distance). Computational zero-knowledge refers to the case where no polynomial-time algorithm can distinguish them.

INTERACTIVE PROOF PROTOCOLS

In an interactive proof system there are two parties:
■ an (all powerful) Prover, often called Peggy (a randomized algorithm that uses a private random number generator);
■ a (polynomially bounded) Verifier, often called Vic (a polynomial-time randomized algorithm that uses a private random number generator).

The Prover knows some secret, some piece of knowledge, or some fact about a specific object, and wishes to convince Vic, through communication with him, that she has this knowledge. For example, both Prover and Verifier possess an input x, and the Prover wants to convince the Verifier that x has a certain property and that she knows how to prove it.

The interactive proof system consists of several rounds. In each round Prover and Verifier alternately do the following:
1. receive a message from the other party;
2. perform a (private) computation;
3. send a message to the other party.

Communication usually starts with a challenge by the Verifier and a response by the Prover. At the end, the Verifier either accepts or rejects the Prover's attempt to convince him.
EXAMPLE - GRAPH NON-ISOMORPHISM

A simple interactive proof protocol exists for the computationally very hard graph non-isomorphism problem.

Input: Two graphs G1 and G2 on the set of nodes {1, ..., n}.

Protocol: Repeat the following steps n times:
1. Vic chooses at random an integer i ∈ {1, 2} and a permutation π of {1, ..., n}. Vic then computes the image H of Gi under the permutation π and sends H to Peggy.
2. Peggy determines the value j such that Gj is isomorphic to H, and sends j to Vic.
3. Vic checks whether i = j.
Vic accepts Peggy's proof if i = j in each of the n rounds.

Completeness: If G1 is not isomorphic to G2, then the probability that Vic accepts is clearly 1: exactly one of G1, G2 is isomorphic to H, and the computationally unbounded Peggy always finds it.

Soundness: If G1 is isomorphic to G2, then H has the same distribution whichever i Vic chose, so Peggy can deceive Vic only by guessing Vic's random i correctly in all n rounds. The probability of this is 2^-n.

Observe that Vic's computations can be performed in polynomial time (with respect to the size of the graphs).
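The graph non-isomorphism protocol run on tiny constructed graphs, as an added example that is not part of the lecture. Peggy's "all powerful" step is brute-force isomorphism testing over all n! node permutations, which is fine for n = 4; the graphs PATH, STAR and PATH2 and all function names are constructed for this illustration. acceptance_rate exhibits the soundness bound: against two isomorphic graphs a guessing Peggy survives only about 2^-n of the n-round executions.

```python
import itertools
import random

# A graph on nodes 0..n-1 is a frozenset of undirected edges (a, b) with a < b.
def make_graph(edges):
    return frozenset(tuple(sorted(e)) for e in edges)

def permute_graph(graph, perm):
    """Image of the graph under the node permutation perm (perm[v] is the image of v)."""
    return frozenset(tuple(sorted((perm[a], perm[b]))) for a, b in graph)

def isomorphic(g1, g2, n):
    """Brute force over all n! permutations: Peggy is unbounded in the model, and n is tiny here."""
    if len(g1) != len(g2):
        return False
    return any(permute_graph(g1, perm) == g2 for perm in itertools.permutations(range(n)))

def honest_peggy(g1, g2, n):
    """Step 2 for an honest Peggy: the index j with G_j isomorphic to H."""
    def answer(h):
        return 1 if isomorphic(g1, h, n) else 2
    return answer

def cheating_peggy(rng):
    """When G1 ~ G2, H carries no information about Vic's i, so guessing is the best Peggy can do."""
    def answer(h):
        return rng.choice((1, 2))
    return answer

def run_protocol(g1, g2, n, peggy_answer, rng, rounds=None):
    """Vic's side of the protocol; True iff Peggy answered correctly in every round."""
    rounds = n if rounds is None else rounds
    for _ in range(rounds):
        i = rng.choice((1, 2))            # Vic's private coin
        perm = list(range(n))
        rng.shuffle(perm)                 # Vic's private permutation pi
        h = permute_graph(g1 if i == 1 else g2, perm)
        if peggy_answer(h) != i:
            return False
    return True

def honest_always_accepted(g1, g2, n, trials, seed=0):
    """Completeness check for non-isomorphic inputs: every execution is accepted."""
    rng = random.Random(seed)
    peggy = honest_peggy(g1, g2, n)
    return all(run_protocol(g1, g2, n, peggy, rng) for _ in range(trials))

def acceptance_rate(g1, g2, n, trials, seed=0):
    """Fraction of n-round executions a guessing Peggy survives; expect about 2**-n."""
    rng = random.Random(seed)
    peggy = cheating_peggy(rng)
    return sum(run_protocol(g1, g2, n, peggy, rng) for _ in range(trials)) / trials

# Constructed sample graphs on 4 nodes.
PATH = make_graph([(0, 1), (1, 2), (2, 3)])    # a path
STAR = make_graph([(0, 1), (0, 2), (0, 3)])    # same edge count, not isomorphic to PATH
PATH2 = make_graph([(1, 2), (2, 3), (3, 0)])   # a relabelled path, isomorphic to PATH

if __name__ == "__main__":
    print("honest Peggy, PATH vs STAR:", honest_always_accepted(PATH, STAR, 4, 20))
    print("guessing Peggy, PATH vs PATH2:", acceptance_rate(PATH, PATH2, 4, 2000))
```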
INTERACTIVE PROOF SYSTEMS

An interactive proof protocol is said to be an interactive proof system for a secret/knowledge or for a decision problem Π if the following properties are satisfied, provided that Prover and Verifier possess an input x (or the Prover has some secret knowledge) and the Prover wants to convince the Verifier that x has certain properties and that she knows how to prove this (or that she knows the secret):

(Knowledge) Completeness: If x is a yes-instance of Π, or Peggy knows the secret, then Vic always accepts Peggy's "proof".

(Knowledge) Soundness: If x is a no-instance of Π, or Peggy does not know the secret, then Vic accepts Peggy's "proof" only with very small probability.

CHEATING
■ If the Prover and the Verifier of an interactive proof system fully follow the protocol, they are called the honest Prover and the honest Verifier.
■ A Prover who does not know the secret or the proof and tries to convince the Verifier anyway is called a cheating Prover.
■ A Verifier who does not follow the behaviour specified in the protocol is called a cheating Verifier.

ZERO-KNOWLEDGE PROOF PROTOCOLS - VERY INFORMALLY

An interactive "proof protocol" in which a Prover tries to convince a Verifier of the truth of a statement, or of the possession of some knowledge, is called a zero-knowledge protocol if the Verifier learns nothing from the communication beyond the fact that the statement is true or that the Prover has the knowledge (secret) she claims to have.

Example: The proof n = 670592745 = 12345 × 54321 is not a zero-knowledge proof that n is not a prime: the Verifier also learns the factorization.

ZERO-KNOWLEDGE PROOF PROTOCOLS - MORE FORMALLY

Informally: A zero-knowledge proof is an interactive proof protocol that provides highly convincing evidence that a statement is true, or that the Prover has certain knowledge (of a secret) and knows a (standard) proof of it, while providing not a single bit of information about that proof (knowledge, secret). In particular, a Verifier who got convinced of the correctness of a statement cannot use what he saw to convince a third person of it.

More formally: A zero-knowledge proof of a theorem T is an interactive two-party protocol in which the Prover is able to convince a Verifier who follows the protocol, by overwhelming statistical evidence, that T is true if T is indeed true, but no Prover is able to convince the Verifier that T is true if this is not so. In addition, during the interaction the Prover does not reveal to the Verifier any other information except whether T is true or not. Consequently, whatever the Verifier can do after he has been convinced, he could do just by believing that T is true. Similar arguments hold for the case where the Prover possesses a secret.
AGE DIFFERENCE FINDING PROTOCOL

Alice and Bob want to find out which of them is older without disclosing any other information about their ages.

The following protocol is based on a public-key cryptosystem (eA, dA) of Alice, and it is assumed that neither Bob nor Alice is older than 100 years.

Protocol: Let the age of Bob be j and the age of Alice be i.
1. Bob chooses a random x ∈ {1, ..., 100}, computes k = eA(x) and sends Alice s = k − j.
2. Alice first computes the numbers yu = dA(s + u), 1 ≤ u ≤ 100 (note that yj = dA(k) = x), then chooses a large random prime p and computes the numbers
   zu = yu mod p, 1 ≤ u ≤ 100, (*)
   and verifies that for all u ≠ v
   |zu − zv| ≥ 2 and zu ≠ 0. (**)
   (If this is not the case, Alice chooses a new p, repeats the computation (*) and checks (**) again.)
   Finally, Alice sends Bob the following sequence (the order is important):
   z1, ..., zi, z(i+1) + 1, ..., z100 + 1, p,
   denoted below as z'1, ..., z'100, p.
3. Bob checks whether the j-th number z'j is congruent to x modulo p. If yes, Bob knows that i ≥ j; otherwise i < j. Indeed,
   i ≥ j ⇒ z'j = zj = yj mod p = dA(k) mod p = x mod p,
   i < j ⇒ z'j = zj + 1 ≢ yj = dA(k) = x (mod p).

Bob sees 100 numbers but knows only one plaintext, x = yj, so the other entries tell him nothing about i except through the position he checks. Note, however, that with x restricted to {1, ..., 100} Alice can identify j herself: among the 100 decryptions yu, the one equal to Bob's small x stands out (the others are essentially random elements of the message space). Drawing x from the whole message space of eA removes this leak while leaving Bob's check in step 3 unchanged.
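The age protocol run end to end, as an added example that is not part of the lecture. Alice's cryptosystem is, as an assumption, toy RSA with the fixed primes 10007 and 10009 (the lecture only speaks of an abstract eA, dA); the "large random prime" p is a 24-bit Miller-Rabin prime, and Bob's s is computed modulo Alice's modulus so that every s + u is again a valid ciphertext. One deliberate deviation: x is drawn from Alice's whole plaintext space rather than from {1, ..., 100}, because with x ≤ 100 Alice could spot Bob's age j as the only u for which dA(s + u) is small. All function names are constructed for this example.

```python
import random

# Alice's public-key cryptosystem: toy RSA with small fixed primes (an assumption;
# the lecture only uses an abstract e_A, d_A). Not for real use.
P_A, Q_A = 10007, 10009
N_A = P_A * Q_A
E_A = 65537
D_A = pow(E_A, -1, (P_A - 1) * (Q_A - 1))

def e_A(m):
    return pow(m, E_A, N_A)

def d_A(c):
    return pow(c, D_A, N_A)

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin, sufficient for the toy 'large random prime' p below."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def bob_step1(bob_age, rng):
    """Step 1: Bob picks x, encrypts it under Alice's key and masks it with his age j."""
    x = rng.randrange(1, N_A)      # whole plaintext space, not 1..100 (see lead-in)
    k = e_A(x)
    s = (k - bob_age) % N_A        # mod N_A so that s + u is a ciphertext for every u
    return x, s

def alice_step2(s, alice_age, rng, prime_bits=24):
    """Step 2: decrypt s+1..s+100, reduce mod a fresh prime p, add 1 to entries above age i."""
    ys = [d_A((s + u) % N_A) for u in range(1, 101)]    # y_j equals Bob's x
    while True:
        p = random_prime(prime_bits, rng)
        zs = [y % p for y in ys]
        if all(z != 0 for z in zs) and all(
                abs(zs[a] - zs[b]) >= 2 for a in range(100) for b in range(a + 1, 100)):
            break                  # condition (**) holds; otherwise choose a new p
    seq = [z if u <= alice_age else z + 1 for u, z in enumerate(zs, start=1)]
    return seq, p

def bob_step3(x, seq, p, bob_age):
    """Step 3: Bob inspects position j only; True means i >= j (Alice is at least as old)."""
    return seq[bob_age - 1] % p == x % p

def alice_is_at_least_as_old(alice_age, bob_age, seed=None):
    """Run the protocol for two ages in 1..100 and return Bob's conclusion."""
    rng = random.Random(seed)
    x, s = bob_step1(bob_age, rng)
    seq, p = alice_step2(s, alice_age, rng)
    return bob_step3(x, seq, p, bob_age)

if __name__ == "__main__":
    print("Alice 40, Bob 35 ->", alice_is_at_least_as_old(40, 35, seed=1))
    print("Alice 30, Bob 35 ->", alice_is_at_least_as_old(30, 35, seed=1))
```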
3-COLORABILITY of GRAPHS

With the following protocol Peggy can convince Vic that a particular graph G, known to both of them, is 3-colorable and that Peggy knows such a coloring, without revealing to Vic any information about what the coloring looks like.

Figure: (a) a six-node graph colored 1 red, 2 green, 3 blue, 4 red, 5 blue, 6 green; (b) Peggy's table for one round:
node 1: red, e1, e1(red) = y1
node 2: green, e2, e2(green) = y2
node 3: blue, e3, e3(blue) = y3
node 4: red, e4, e4(red) = y4
node 5: blue, e5, e5(blue) = y5
node 6: green, e6, e6(green) = y6

Protocol: Peggy colors the graph G = (V, E) with the colors {red, blue, green} and performs with Vic |E|^2 times the following interaction, where v1, ..., vn are the nodes of V:
1. Peggy chooses a random permutation of the colors, recolors G accordingly, and encrypts, for i = 1, 2, ..., n, the color ci of node vi by an encryption procedure ei, different for each i. Peggy then removes the colors from the nodes, labels the i-th node of G with the cryptotext yi = ei(ci), and builds Table (b). Peggy finally shows Vic the graph with the nodes labeled by cryptotexts.
2. Vic chooses an edge and asks Peggy to show him the coloring of the two nodes of that edge.
3. Peggy shows Vic the entries of the table corresponding to the nodes of the chosen edge.
4. Vic performs the corresponding encryptions to verify that the two nodes really have the colors shown, and that the two colors differ.

If Peggy's coloring is not proper, at least one edge has both endpoints of the same color, so each round catches a cheating Peggy with probability at least 1/|E|; the probability of surviving all |E|^2 rounds is at most (1 − 1/|E|)^(|E|^2) ≈ e^(−|E|). Because the colors are freshly permuted in every round, the two colors Vic sees are just a random pair of distinct colors and tell him nothing about the coloring itself.
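The 3-colorability protocol in code, as an added example that is not part of the lecture. The per-node encryption procedures ei are instantiated, as an assumption, by SHA-256 commitments to (nonce, color) with a fresh 128-bit nonce per node and per round; "showing a table entry" means revealing the color and the nonce. The edge list EDGES is constructed to fit the coloring in the figure (the lecture does not list the edges), and BAD_COLORING is a coloring with one monochromatic edge, used to show that a cheating Peggy is caught. All names are constructed for this example.

```python
import hashlib
import random
import secrets

COLORS = ("red", "green", "blue")

def commit(color, nonce):
    """Peggy's 'encryption' e_i of a color: a hash commitment with a fresh random nonce."""
    return hashlib.sha256(nonce + color.encode()).hexdigest()

class Peggy:
    def __init__(self, coloring):
        self.coloring = coloring               # node -> color, Peggy's secret
        self.sysrand = secrets.SystemRandom()  # unpredictable randomness for the prover

    def commit_round(self):
        """Step 1: permute the colors, then commit to every node's (permuted) color."""
        shuffled = list(COLORS)
        self.sysrand.shuffle(shuffled)
        rename = dict(zip(COLORS, shuffled))
        self.current = {v: rename[c] for v, c in self.coloring.items()}
        self.nonces = {v: secrets.token_bytes(16) for v in self.coloring}
        return {v: commit(self.current[v], self.nonces[v]) for v in self.coloring}

    def open_edge(self, a, b):
        """Step 3: reveal the table entries (color, nonce) of the two endpoints only."""
        return (self.current[a], self.nonces[a]), (self.current[b], self.nonces[b])

def vic_checks(commitments, edge, openings):
    """Step 4: both openings match the commitments, are legal colors, and differ."""
    a, b = edge
    (ca, na), (cb, nb) = openings
    return (commit(ca, na) == commitments[a] and commit(cb, nb) == commitments[b]
            and ca in COLORS and cb in COLORS and ca != cb)

def run_protocol(edges, peggy, rng, rounds=None):
    """|E|^2 rounds by default; False as soon as one opened edge fails Vic's check."""
    rounds = len(edges) ** 2 if rounds is None else rounds
    for _ in range(rounds):
        commitments = peggy.commit_round()
        edge = rng.choice(edges)                       # step 2: Vic picks an edge
        if not vic_checks(commitments, edge, peggy.open_edge(*edge)):
            return False
    return True

def convinces_vic(coloring, edges, seed=None, rounds=None):
    return run_protocol(edges, Peggy(coloring), random.Random(seed), rounds)

# Constructed example: the six-node coloring from the figure; the edge set is made up
# to be consistent with it (the lecture does not list the edges).
EDGES = [(1, 2), (2, 3), (1, 3), (3, 4), (4, 5), (5, 6), (4, 6), (2, 5)]
GOOD_COLORING = {1: "red", 2: "green", 3: "blue", 4: "red", 5: "blue", 6: "green"}
BAD_COLORING = {**GOOD_COLORING, 6: "red"}     # edge (4, 6) becomes red-red

if __name__ == "__main__":
    print("proper coloring accepted:", convinces_vic(GOOD_COLORING, EDGES, seed=1))
    print("improper coloring accepted:", convinces_vic(BAD_COLORING, EDGES, seed=1, rounds=200))
```

Vic never learns more than one pair of distinct, freshly renamed colors per round, which is the zero-knowledge part; the hiding property of the commitment (the nonce) keeps the unopened nodes secret, and its binding property (collision resistance) stops Peggy from changing a color after Vic has chosen the edge.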
Protocols to do seemingly impossible and zero-knowledge protocols 455/616

APPLICATIONS of ZERO-KNOWLEDGE PROOFS in CRYPTOGRAPHIC PROTOCOLS

The fact that for a big class of statements there are zero-knowledge proofs can be used to design secure cryptographic protocols. (All languages in NP have zero-knowledge proofs.)

A cryptographic protocol can be seen as a set of interactive programs to be executed by non-trusting parties. Each party keeps her local input secret.

The protocol specifies the actions the parties should take, depending on their local secrets and the messages exchanged so far.

The main problem in this setting is: how can a party verify that the other parties have really followed the protocol?

The way out: a party A can convince a party B that the transmitted message was produced according to the protocol without revealing its secrets.

An idea how to design a reliable protocol:

1. Design a protocol under the assumption that all parties follow the protocol.

2. Transform the protocol, using the known methods for making zero-knowledge proofs out of normal ones, into a protocol in which communication is based on zero-knowledge proofs, and which preserves both correctness and privacy and works even if some parties behave adversarially.

ZERO-KNOWLEDGE PROOF for QUADRATIC RESIDUA

Input: An integer n = pq, where p, q are primes, and x ∈ QR(n).

Protocol: Repeat lg n times the following steps:

1. Peggy chooses a random v ∈ Z_n^* and sends to Vic y = v^2 mod n.

2. Vic sends to Peggy a random i ∈ {0, 1}.

3. Peggy computes a square root u of x and sends to Vic z = u^i v mod n.

4. Vic checks whether z^2 = x^i y mod n.
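The four steps above run end to end, as an added example that is not part of the lecture notes: the class names, the small constructed primes p = 1019 and q = 1031 and Peggy's secret root are assumptions of this example. The cheating prover commits to a genuine square and so can answer only the challenge i = 0, which is the one-failed-challenge-per-round fact behind the soundness bound.

```python
"""Zero-knowledge proof of quadratic residuosity: Peggy proves x in QR(n).

Added example for the protocol above (not from the lecture notes).  The
modulus and Peggy's secret root are constructed from small primes so the
run is cheap; real instances use cryptographic-size primes and a CSPRNG.
"""
import math
import random


def lg(n):
    """Number of rounds: lg n rounded up."""
    return max(1, (n - 1).bit_length())


def rand_unit(n, rng):
    """Uniform element of Z_n^* (an invertible residue mod n)."""
    while True:
        v = rng.randrange(1, n)
        if math.gcd(v, n) == 1:
            return v


def is_qr_with_factors(x, p, q):
    """Euler's criterion mod p and mod q; only someone knowing p, q can do this."""
    return (math.gcd(x, p * q) == 1 and pow(x, (p - 1) // 2, p) == 1
            and pow(x, (q - 1) // 2, q) == 1)


class HonestPeggy:
    """Knows a square root u of x modulo n."""
    def __init__(self, n, u, rng):
        self.n, self.u, self.rng = n, u, rng

    def commit(self):
        # Step 1: random v in Z_n^*, send y = v^2 mod n.
        self.v = rand_unit(self.n, self.rng)
        return self.v * self.v % self.n

    def respond(self, i):
        # Step 3: send z = u^i * v mod n.
        return pow(self.u, i, self.n) * self.v % self.n


class CheatingPeggy:
    """Knows no root of x.  She commits to a genuine square y = v^2, so she can
    answer i = 0 but has no square root of x*y with which to answer i = 1."""
    def __init__(self, n, rng):
        self.n, self.rng = n, rng

    def commit(self):
        self.v = rand_unit(self.n, self.rng)
        return self.v * self.v % self.n

    def respond(self, i):
        return self.v          # correct for i = 0, fails Vic's check for i = 1


def vic_check(n, x, y, i, z):
    """Step 4: z^2 == x^i * y (mod n)."""
    return z * z % n == pow(x, i, n) * y % n


def run_protocol(n, x, peggy, rng, rounds=None):
    """Run the rounds; return (accepted, number of rounds Peggy failed)."""
    rounds = lg(n) if rounds is None else rounds
    failed = 0
    for _ in range(rounds):
        y = peggy.commit()                 # Peggy -> Vic
        i = rng.randrange(2)               # Vic -> Peggy: challenge bit (step 2)
        z = peggy.respond(i)               # Peggy -> Vic
        if not vic_check(n, x, y, i, z):
            failed += 1
    return failed == 0, failed


# Constructed parameters.  p = q = 3 (mod 4), so -1 is a non-residue mod both
# primes yet has Jacobi symbol +1 mod n: Vic cannot tell X_NONRESIDUE from a
# residue on his own, which is exactly why the proof is worth running.
P, Q = 1019, 1031
N = P * Q
U = 123456                  # Peggy's secret square root (constructed)
X_RESIDUE = U * U % N       # x in QR(n)
X_NONRESIDUE = N - 1        # -1 mod n, not in QR(n)


def demo(seed=7):
    """Honest run on a residue and a 2000-round cheating run on a non-residue;
    the cheater is caught in roughly half of the rounds."""
    rng = random.Random(seed)
    honest_ok, honest_failed = run_protocol(N, X_RESIDUE, HonestPeggy(N, U, rng), rng)
    cheat_ok, cheat_failed = run_protocol(
        N, X_NONRESIDUE, CheatingPeggy(N, rng), rng, rounds=2000)
    return honest_ok, honest_failed, cheat_ok, cheat_failed
```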
Vic accepts Peggy's proof that x is a QR if the check in step 4 succeeds in each of the lg n rounds.

Completeness is straightforward.

Soundness: If x is not a quadratic residue, then Peggy can answer only one of the two possible challenges (only i = 0), because in such a case y is a quadratic residue if and only if xy is not a quadratic residue. This means that Peggy will be caught in any given round of the protocol with probability 1/2. The overall probability that the prover deceives Vic is therefore 2^(-lg n) = 1/n.

ZERO-KNOWLEDGE PROOF for GRAPH ISOMORPHISM

Input: Given are two graphs G1 and G2 with the set of nodes {1, ..., n}.

Repeat the following steps n times:

1. Peggy chooses a random permutation π of {1, ..., n}, computes H to be the image of G1 under the permutation π, and sends H to Vic.

2. Vic chooses randomly i ∈ {1, 2} and sends it to Peggy. {This way Vic asks for an isomorphism between H and G_i.}

3. Peggy creates a permutation ρ of {1, ..., n} such that ρ specifies an isomorphism between H and G_i, and sends ρ to Vic. {If i = 1 Peggy takes ρ = π; if i = 2 Peggy takes ρ = σ ∘ π, where σ is a fixed isomorphic mapping of the nodes of G2 to G1.}

4. Vic checks whether ρ provides the isomorphism between G_i and H.

Vic accepts Peggy's "proof" if H is the image of G_i under ρ in each of the n rounds.

Completeness: It is obvious that if G1 and G2 are isomorphic then Vic accepts with probability 1.

Soundness: If the graphs G1 and G2 are not isomorphic, then Peggy can deceive Vic only if she is able to guess in each round the i Vic will choose and then send as H an isomorphic copy of the graph G_i. However, the probability that this happens is 2^(-n).

Observe that Vic can perform all computations in polynomial time. However, why is this proof a zero-knowledge proof?
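The graph isomorphism protocol above, together with the simulator the lecture describes next, as an added example that is not part of the lecture notes: nodes are numbered 0..n-1, and the four-node graphs and the hidden relabelling are constructed values. Beyond running both procedures, it checks the formal definition exactly for this instance: the set of possible one-round real transcripts and the set of simulated ones coincide, with the same probabilities.

```python
"""Zero-knowledge proof for graph isomorphism, with the lecture's simulator.

Added example (not from the lecture notes).  Nodes are 0..n-1 rather than
1..n, a graph is a frozenset of 2-element frozenset edges, a permutation pi
is a tuple with pi[a] = image of node a, and the instance is constructed.
"""
import itertools
import random
from collections import Counter


def image(graph, perm):
    """Rename every node a to perm[a]: 'the image of the graph under perm'."""
    return frozenset(frozenset(perm[a] for a in edge) for edge in graph)


def compose(f, g):
    """Permutation 'f after g': node a -> f[g[a]]."""
    return tuple(f[g[a]] for a in range(len(g)))


def inverse(p):
    """Inverse permutation: sort node indices by where p sends them."""
    return tuple(sorted(range(len(p)), key=p.__getitem__))


def random_perm(n, rng):
    return tuple(rng.sample(range(n), n))


# Constructed instance: G2 = TAU(G1); Peggy's secret SIGMA = TAU^-1 maps G2 onto G1.
N_NODES = 4
G1 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (0, 2)])
TAU = (2, 0, 3, 1)
G2 = image(G1, TAU)
SIGMA = inverse(TAU)


def prover_round(g1, sigma, rng):
    """Step 1: Peggy picks pi and sends H = pi(G1); returns H and her answer function."""
    pi = random_perm(len(sigma), rng)
    h = image(g1, pi)

    def answer(i):
        # Step 3: i = 1 -> rho = pi (maps G1 onto H);
        #         i = 2 -> rho = pi after sigma (G2 -> G1 -> H),
        #         the composition the lecture writes as sigma o pi.
        return pi if i == 1 else compose(pi, sigma)

    return h, answer


def vic_check(g1, g2, h, i, rho):
    """Step 4: Vic checks that rho maps G_i onto H."""
    return image(g1 if i == 1 else g2, rho) == h


def real_transcript(g1, g2, sigma, rounds, rng):
    """((H_1, i_1, rho_1), ..., (H_n, i_n, rho_n)) from a real run with Peggy."""
    t = []
    for _ in range(rounds):
        h, answer = prover_round(g1, sigma, rng)
        i = rng.choice((1, 2))            # Step 2: Vic's challenge
        t.append((h, i, answer(i)))
    return t


def simulated_transcript(g1, g2, n, rounds, rng):
    """The lecture's simulator: no sigma needed, it picks i_j and rho_j first."""
    t = []
    for _ in range(rounds):
        i = rng.choice((1, 2))
        rho = random_perm(n, rng)
        t.append((image(g1 if i == 1 else g2, rho), i, rho))
    return t


def verify_transcript(g1, g2, t):
    """Vic accepts iff every round passes his check."""
    return all(vic_check(g1, g2, h, i, rho) for h, i, rho in t)


def round_distribution_real(g1, sigma):
    """Exact one-round distribution Gamma: each (pi, i) pair is equally likely."""
    c = Counter()
    for pi in itertools.permutations(range(len(sigma))):
        h = image(g1, pi)
        c[(h, 1, pi)] += 1
        c[(h, 2, compose(pi, sigma))] += 1
    return c


def round_distribution_sim(g1, g2, n):
    """Exact one-round distribution F: each (i, rho) pair is equally likely."""
    c = Counter()
    for rho in itertools.permutations(range(n)):
        c[(image(g1, rho), 1, rho)] += 1
        c[(image(g2, rho), 2, rho)] += 1
    return c


def demo(seed=11):
    """Real and forged transcripts both verify, and Gamma and F coincide exactly
    (same transcripts, same probabilities): perfect zero-knowledge."""
    rng = random.Random(seed)
    real = real_transcript(G1, G2, SIGMA, N_NODES, rng)
    fake = simulated_transcript(G1, G2, N_NODES, N_NODES, rng)
    same = round_distribution_real(G1, SIGMA) == round_distribution_sim(G1, G2, N_NODES)
    return verify_transcript(G1, G2, real), verify_transcript(G1, G2, fake), same
```

Because rounds are independent, equality of the one-round distributions is equality of the full n-round transcript distributions, which is what the definition below asks for.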
WHY is the last "PROOF" a "ZERO-KNOWLEDGE PROOF"?

Because Vic gets convinced, by overwhelming statistical evidence, that the graphs G1 and G2 are isomorphic, but he does not get any information ("knowledge") that would help him to create an isomorphism between G1 and G2.

In each round of the proof Vic sees an isomorphism between H (a random isomorphic copy of G1) and G1 or G2 (but not between both of them)!

However, Vic can create such random copies H of the graphs by himself, and therefore it seems very unlikely that this can help Vic to find an isomorphism between G1 and G2.

The information that Vic can receive during the protocol, called the transcript, contains:

■ The graphs G1 and G2.
■ All messages transmitted during the communication by Peggy and Vic.
■ The random numbers used by Peggy and Vic to generate their outputs.

The transcript has therefore the form T = ((G1, G2); (H_1, i_1, ρ_1), ..., (H_n, i_n, ρ_n)).

The essential point, which is the basis for the formal definition of a zero-knowledge proof, is that Vic can forge transcripts, without participating in the interactive proof, that look like "real transcripts" if the graphs are isomorphic, by means of the following forging algorithm, called a simulator.

SIMULATOR

A simulator for the previous graph isomorphism protocol.

■ T = (G1, G2); for j = 1 to n do
  ■ Choose randomly i_j ∈ {1, 2}.
  ■ Choose ρ_j to be a random permutation of {1, ..., n}.
  ■ Compute H_j to be the image of G_{i_j} under ρ_j.
  ■ Concatenate (H_j, i_j, ρ_j) at the end of T.

CONSEQUENCES and FORMAL DEFINITION

The fact that a simulator can forge transcripts has several important consequences.

■ Anything Vic can compute using the information obtained from the transcript can be computed using only a forged transcript, and therefore participation in such a communication does not increase Vic's capability to perform any computation.
■ Participation in such a proof does not allow Vic to prove the isomorphism of G1 and G2.
■ Vic cannot convince someone else that G1 and G2 are isomorphic by showing the transcript, because it is indistinguishable from a forged one.

Formal definition of what it means that a forged transcript "looks like" a real one:

Definition. Suppose that we have an interactive proof system for a decision problem Π and a polynomial time simulator S.
Denote by Γ(x) the set of all possible transcripts that could be produced during the interactive proof communication for a yes-instance x. Denote by F(x) the set of all possible forged transcripts produced by the simulator S. For any transcript T ∈ Γ(x), let p_Γ(T) denote the probability that T is the transcript produced during the interactive proof. Similarly, for T ∈ F(x), let p_F(T) denote the probability that T is the transcript produced by S.

If Γ(x) = F(x) and, for any T ∈ Γ(x), p_Γ(T) = p_F(T), then we say that the interactive proof system is a zero-knowledge proof system.

■ If, in an interactive proof system, the probability distributions specified by the protocol with Vic and by the simulator are computationally indistinguishable in polynomial time, then we speak about a computationally zero-knowledge proof system.

prof. Jozef Gruska IV054 11. Steganography and Watermarking 464/616

DIGITAL STEGANOGRAPHY and DIGITAL WATERMARKING

A very important property of (digital) information is that it is, in principle, very easy to produce and distribute an unlimited number of its copies.

This might undermine the music, film, book and software industries, and therefore it brings a variety of important problems concerning the protection of intellectual and production rights that badly need to be solved.
Since an unlimited number of perfect copies of text, audio and video data can be illegally produced and distributed, ways of embedding copyright and source information in audio and video data need to be developed.

Digital steganography and digital watermarking bring techniques to hide important information, in an undetectable and/or irremovable way, in audio and video digital data.

Digital steganography is the art and science of embedding information/signals in such a hidden way, especially in text, image, video and audio carriers, that only the intended recipients can recover them.

Digital watermarking is the process of embedding (hiding) information (through "watermarks") into digital data (signals) - pictures, audio or video - to identify their owner or to authenticate their origin in an unremovable way.

INFORMATION HIDING SUB-DISCIPLINES

Covert channels occur especially in operating systems and networks. They are communication paths that were neither designed nor intended to transfer information at all, but can be used that way. These channels are typically used by untrustworthy/spying programs to leak (confidential) information to their owner while performing a service for another user/program.
Anonymity is finding ways to hide the meta content of a message (for example who is the sender and/or the recipients of the message). Anonymity is needed, for example, for on-line voting, to hide access to some web pages, or to hide the sender.

Steganography - covered writing - from the Greek στεγανός (covered) and γράφειν (to write), is the art and science of hiding secret messages in innocently looking ones.

Watermarking is the technique of embedding visible and especially imperceptible (invisible, transparent, ...) watermarks into carriers in an undetectable or unremovable way.

STEGANOGRAPHY versus WATERMARKING II

Both techniques belong to the category of information hiding, but the objectives and embeddings of these techniques are just opposite.

In watermarking, the important information is in the cover data. The embedded data - the watermarks - are for the protection or detection of the cover data's origins.

In steganography, the cover data is not important. It mostly serves as a diversion from the most important information, which is in the embedded data.
Comment: Steganography tools typically embed/hide relatively large blocks of information, while watermarking tools embed/hide less information in an image, sound, video or text.

Data hiding dilemma: to find the best trade-off between three quantities of embeddings: robustness, capacity and security.

STEGANOGRAPHY versus WATERMARKING again

Technically, the differences between steganography and watermarking are both subtle and quite essential.

The main goal of steganography is to hide a message m in some audio or video (cover) data d, to obtain new data d', in such a way that an eavesdropper cannot detect the presence of m in d'.

The main goal of watermarking is to hide a message m in some audio or video (cover) data d, to obtain new data d', practically indistinguishable from d by people, in such a way that an eavesdropper cannot remove or replace m in d'.

Shortly, one can say that cryptography is about protecting the content of messages, while steganography is about concealing their very existence.

Steganography methods usually do not need to provide strong security against removal or modification of the hidden message. Watermarking methods need to be very robust against attempts to remove or modify a hidden message.

BASIC QUESTIONS

■ Where and how can secret data be undetectably hidden?
■ Who needs steganography or watermarking, and why?
■ What is the maximum amount of information that can be hidden in digital media, given a level of degradation?
■ How does one choose good cover media for a given stego message?
■ How to detect and localize a stego message?

SOME APPLICATIONS of STEGANOGRAPHY

■ To have secure secret communications where cryptographic encryption methods are not available.
■ To have secure secret communication where strong cryptography is impossible.
■ In some cases, for example in military applications, even the knowledge that two parties communicate can be of large importance.
■ Health care, and especially medical imaging systems, may very much benefit from information hiding techniques.

SOME APPLICATIONS of WATERMARKING

A basic application of watermarking techniques is to provide ownership information of digital data (images, video and audio products) by embedding copyright information into them.

Other applications:
Steganography and Watermarking 470/616 SOME APPLICATIONS of WATERMARKING A basic application of watermarking techniques is to provide ownership information of digital data (images, video and audio products) by embedding copyright information into them. Other applications: ■ Automatic monitoring and tracking of copy-write material on WEB. (For example, a robot searches the Web for marked material and thereby identifies potential illegal issues.) prof. Jozef Gruska IV054 11. Steganography and Watermarking 470/616 SOME APPLICATIONS of WATERMARKING A basic application of watermarking techniques is to provide ownership information of digital data (images, video and audio products) by embedding copyright information into them. Other applications: ■ Automatic monitoring and tracking of copy-write material on WEB. (For example, a robot searches the Web for marked material and thereby identifies potential illegal issues.) ■ Automatic audit of radio transmissions: (A robot can "listen" to a radio station and look for marks, which indicate that a particular piece of music, or advertisement , has been broadcast.) prof. Jozef Gruska IV054 11. Steganography and Watermarking 470/616 SOME APPLICATIONS of WATERMARKING A basic application of watermarking techniques is to provide ownership information of digital data (images, video and audio products) by embedding copyright information into them. Other applications: ■ Automatic monitoring and tracking of copy-write material on WEB. (For example, a robot searches the Web for marked material and thereby identifies potential illegal issues.) ■ Automatic audit of radio transmissions: (A robot can "listen" to a radio station and look for marks, which indicate that a particular piece of music, or advertisement , has been broadcast.) ■ Data augmentation - to add information for the benefit of the public. prof. Jozef Gruska IV054 11. 
Steganography and Watermarking 470/616 SOME APPLICATIONS of WATERMARKING A basic application of watermarking techniques is to provide ownership information of digital data (images, video and audio products) by embedding copyright information into them. Other applications: ■ Automatic monitoring and tracking of copy-write material on WEB. (For example, a robot searches the Web for marked material and thereby identifies potential illegal issues.) ■ Automatic audit of radio transmissions: (A robot can "listen" to a radio station and look for marks, which indicate that a particular piece of music, or advertisement , has been broadcast.) ■ Data augmentation - to add information for the benefit of the public. ■ Fingerprinting applications (in order to distinguish distributed data) Actually, watermarking has recently emerged as the leading technology to solve the above very important problems. prof. Jozef Gruska IV054 11. Steganography and Watermarking 470/616 SOME APPLICATIONS of WATERMARKING A basic application of watermarking techniques is to provide ownership information of digital data (images, video and audio products) by embedding copyright information into them. Other applications: ■ Automatic monitoring and tracking of copy-write material on WEB. (For example, a robot searches the Web for marked material and thereby identifies potential illegal issues.) ■ Automatic audit of radio transmissions: (A robot can "listen" to a radio station and look for marks, which indicate that a particular piece of music, or advertisement , has been broadcast.) ■ Data augmentation - to add information for the benefit of the public. ■ Fingerprinting applications (in order to distinguish distributed data) Actually, watermarking has recently emerged as the leading technology to solve the above very important problems. All kind of data can be watermarked: audio, images, video, formatted text, 3D models, . . . prof. Jozef Gruska IV054 11. 
Steganography and Watermarking 470/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. prof. Jozef Gruska IV054 11. Steganography and Watermarking 471/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. Cryptography hides the contents of the message from an attacker, but not the existence of the message. prof. Jozef Gruska IV054 11. Steganography and Watermarking 471/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. Cryptography hides the contents of the message from an attacker, but not the existence of the message. Steganography/watermarking even hide the very existence of the message in the communicated data. prof. Jozef Gruska IV054 11. Steganography and Watermarking 471/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. Cryptography hides the contents of the message from an attacker, but not the existence of the message. Steganography/watermarking even hide the very existence of the message in the communicated data. Consequently, the concept of breaking the system is different for cryptosystems and stegosystems (watermarking systems). prof. Jozef Gruska IV054 11. Steganography and Watermarking 471/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. Cryptography hides the contents of the message from an attacker, but not the existence of the message. Steganography/watermarking even hide the very existence of the message in the communicated data. Consequently, the concept of breaking the system is different for cryptosystems and stegosystems (watermarking systems). ■ A cryptographic system is broken when the attacker can read the secrete message. prof. Jozef Gruska IV054 11. 
Steganography and Watermarking 471/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. Cryptography hides the contents of the message from an attacker, but not the existence of the message. Steganography/watermarking even hide the very existence of the message in the communicated data. Consequently, the concept of breaking the system is different for cryptosystems and stegosystems (watermarking systems). ■ A cryptographic system is broken when the attacker can read the secrete message. ■ Breaking of a steganographic/watermarking system has two stages: ■ The attacker can detect that steganography/watermarking has been used; prof. Jozef Gruska IV054 11. Steganography and Watermarking 471/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. Cryptography hides the contents of the message from an attacker, but not the existence of the message. Steganography/watermarking even hide the very existence of the message in the communicated data. Consequently, the concept of breaking the system is different for cryptosystems and stegosystems (watermarking systems). ■ A cryptographic system is broken when the attacker can read the secrete message. ■ Breaking of a steganographic/watermarking system has two stages: ■ The attacker can detect that steganography/watermarking has been used; ■ The attacker is able to read, modify or remove the hidden message. prof. Jozef Gruska IV054 11. Steganography and Watermarking 471/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. Cryptography hides the contents of the message from an attacker, but not the existence of the message. Steganography/watermarking even hide the very existence of the message in the communicated data. Consequently, the concept of breaking the system is different for cryptosystems and stegosystems (watermarking systems). 
■ A cryptographic system is broken when the attacker can read the secrete message. ■ Breaking of a steganographic/watermarking system has two stages: ■ The attacker can detect that steganography/watermarking has been used; ■ The attacker is able to read, modify or remove the hidden message. A steganography/watermarking system is considered as insecure already if the detection of steganography/watermarking is possible. prof. Jozef Gruska IV054 11. Steganography and Watermarking 471/616 STEGANOGRAPHY/WATERMARKING versus CRYPTOGRAPHY The purpose of both is to provide secret communication. Cryptography hides the contents of the message from an attacker, but not the existence of the message. Steganography/watermarking even hide the very existence of the message in the communicated data. Consequently, the concept of breaking the system is different for cryptosystems and stegosystems (watermarking systems). ■ A cryptographic system is broken when the attacker can read the secrete message. ■ Breaking of a steganographic/watermarking system has two stages: ■ The attacker can detect that steganography/watermarking has been used; ■ The attacker is able to read, modify or remove the hidden message. A steganography/watermarking system is considered as insecure already if the detection of steganography/watermarking is possible. The advantage of steganography over cryptography is that messages do not attract attention to themselves. prof. Jozef Gruska IV054 11. Steganography and Watermarking 471/616 CRYPTOGRAPHY and STEGANOGRAPHY Steganography can be also use to increase secrecy provided by cryptographical methods prof. Jozef Gruska IV054 11. 
Steganography and Watermarking 472/616 CRYPTOGRAPHY and STEGANOGRAPHY Steganography can be also use to increase secrecy provided by cryptographical methods Indeed, when steganography is used to hide the encrypted communication, an enemy is not only faced with a difficult decryption problem, but also with the problem of finding the communicated data. prof. Jozef Gruska IV054 11. Steganography and Watermarking 472/616 FIRST STEGANOGRAPHIC METHODS ■ First recorded use of steganographic methods was traced to 440 BC. Greek Demaratus sent a warning about an attack by writing it on a wooden desk and then covering it by vax. prof. Jozef Gruska IV054 11. Steganography and Watermarking 473/616 FIRST STEGANOGRAPHIC METHODS ■ First recorded use of steganographic methods was traced to 440 BC. Greek Demaratus sent a warning about an attack by writing it on a wooden desk and then covering it by vax. ■ Ancient Chinese wrote messages on fine silk, which was then crunched into a tiny ball and covered in wax. The messenger then swallowed the ball of wax. prof. Jozef Gruska IV054 11. Steganography and Watermarking 473/616 FIRST STEGANOGRAPHIC METHODS ■ First recorded use of steganographic methods was traced to 440 BC. Greek Demaratus sent a warning about an attack by writing it on a wooden desk and then covering it by vax. ■ Ancient Chinese wrote messages on fine silk, which was then crunched into a tiny ball and covered in wax. The messenger then swallowed the ball of wax. ■ A variety of steganographic methods was used also in Roman times and then in 15-16 century (ranging from coding messages in music, and string knots, to invisible inks). prof. Jozef Gruska IV054 11. Steganography and Watermarking 473/616 FIRST STEGANOGRAPHIC METHODS ■ First recorded use of steganographic methods was traced to 440 BC. Greek Demaratus sent a warning about an attack by writing it on a wooden desk and then covering it by vax. 
■ Ancient Chinese wrote messages on fine silk, which was then crunched into a tiny ball and covered in wax. The messenger then swallowed the ball of wax. ■ A variety of steganographic methods was used also in Roman times and then in 15-16 century (ranging from coding messages in music, and string knots, to invisible inks). ■ In the sixteenth century, the Italian scientist Giovanni Porta described how to conceal a message within a hard-boiled egg by making an ink from a mixture of one ounce of alum and a pint of vinegar, and then using ink to write on the shell. The ink penetrated the porous shell, and left the message on the surface of the hardened egg albumen, which could be read only when the shell was removed. prof. Jozef Gruska IV054 11. Steganography and Watermarking 473/616 FIRST STEGANOGRAPHIC METHODS ■ First recorded use of steganographic methods was traced to 440 BC. Greek Demaratus sent a warning about an attack by writing it on a wooden desk and then covering it by vax. ■ Ancient Chinese wrote messages on fine silk, which was then crunched into a tiny ball and covered in wax. The messenger then swallowed the ball of wax. ■ A variety of steganographic methods was used also in Roman times and then in 15-16 century (ranging from coding messages in music, and string knots, to invisible inks). ■ In the sixteenth century, the Italian scientist Giovanni Porta described how to conceal a message within a hard-boiled egg by making an ink from a mixture of one ounce of alum and a pint of vinegar, and then using ink to write on the shell. The ink penetrated the porous shell, and left the message on the surface of the hardened egg albumen, which could be read only when the shell was removed. ■ Special invisible "inks" (milk, urine,...) were important steganographic tools since middle ages and even during the Second World War. prof. Jozef Gruska IV054 11. 
Steganography and Watermarking 473/616 FIRST STEGANOGRAPHIC METHODS ■ First recorded use of steganographic methods was traced to 440 BC. Greek Demaratus sent a warning about an attack by writing it on a wooden desk and then covering it by vax. ■ Ancient Chinese wrote messages on fine silk, which was then crunched into a tiny ball and covered in wax. The messenger then swallowed the ball of wax. ■ A variety of steganographic methods was used also in Roman times and then in 15-16 century (ranging from coding messages in music, and string knots, to invisible inks). ■ In the sixteenth century, the Italian scientist Giovanni Porta described how to conceal a message within a hard-boiled egg by making an ink from a mixture of one ounce of alum and a pint of vinegar, and then using ink to write on the shell. The ink penetrated the porous shell, and left the message on the surface of the hardened egg albumen, which could be read only when the shell was removed. ■ Special invisible "inks" (milk, urine,...) were important steganographic tools since middle ages and even during the Second World War. ■ Acrostic - hiding messages in first, last or other letters of words was popular steganographic method since middle ages. prof. Jozef Gruska IV054 11. Steganography and Watermarking 473/616 FIRST STEGANOGRAPHIC METHODS ■ First recorded use of steganographic methods was traced to 440 BC. Greek Demaratus sent a warning about an attack by writing it on a wooden desk and then covering it by vax. ■ Ancient Chinese wrote messages on fine silk, which was then crunched into a tiny ball and covered in wax. The messenger then swallowed the ball of wax. ■ A variety of steganographic methods was used also in Roman times and then in 15-16 century (ranging from coding messages in music, and string knots, to invisible inks). 
■ In the sixteenth century, the Italian scientist Giovanni Porta described how to conceal a message within a hard-boiled egg by making an ink from a mixture of one ounce of alum and a pint of vinegar, and then using ink to write on the shell. The ink penetrated the porous shell, and left the message on the surface of the hardened egg albumen, which could be read only when the shell was removed. ■ Special invisible "inks" (milk, urine,...) were important steganographic tools since middle ages and even during the Second World War. ■ Acrostic - hiding messages in first, last or other letters of words was popular steganographic method since middle ages. ■ During the Second World War a technique was developed to shrink photographically a page of text into a dot less than one millimeter in diameter, and then hide this microdot in an apparently innocuous letter. (The first microdot has been spotted by FBI in 1941.) prof. Jozef Gruska IV054 11. Steganography and Watermarking 473/616 HISTORY of MICRODOTS ■ In 1857, Brewster suggested hiding secret messages "in spaces not larger than a full stop or small dot of ink". prof. Jozef Gruska IV054 11. Steganography and Watermarking 474/616 HISTORY of MICRODOTS ■ In 1857, Brewster suggested hiding secret messages "in spaces not larger than a full stop or small dot of ink". ■ In 1860 the problem of making tiny images was solved by French photographer Dragon. prof. Jozef Gruska IV054 11. Steganography and Watermarking 474/616 HISTORY of MICRODOTS ■ In 1857, Brewster suggested hiding secret messages "in spaces not larger than a full stop or small dot of ink". ■ In 1860 the problem of making tiny images was solved by French photographer Dragon. ■ During Franco-Prussian war (1870-1881) from besieged Paris messages were sent on microfilms using pigeon post. prof. Jozef Gruska IV054 11. 
Steganography and Watermarking 474/616 HISTORY of MICRODOTS ■ In 1857, Brewster suggested hiding secret messages "in spaces not larger than a full stop or small dot of ink". ■ In 1860 the problem of making tiny images was solved by French photographer Dragon. ■ During Franco-Prussian war (1870-1881) from besieged Paris messages were sent on microfilms using pigeon post. ■ During the Russo-Japanese war (1905) microscopic images were hidden in ears, nostrils, and under fingernails. prof. Jozef Gruska IV054 11. Steganography and Watermarking 474/616 HISTORY of MICRODOTS ■ In 1857, Brewster suggested hiding secret messages "in spaces not larger than a full stop or small dot of ink". ■ In 1860 the problem of making tiny images was solved by French photographer Dragon. ■ During Franco-Prussian war (1870-1881) from besieged Paris messages were sent on microfilms using pigeon post. ■ During the Russo-Japanese war (1905) microscopic images were hidden in ears, nostrils, and under fingernails. ■ During the First World War messages to and from spies were reduced to microdots, by several stages of photographic reductions, and then stuck on top of printed periods or commas (in innocuous cover materials, such as magazines). prof. Jozef Gruska IV054 11. Steganography and Watermarking 474/616 FIRST STEGANOGRAPHY BOOKS In the fourth century BC, the Greek Aeneas Tacticus, wrote a book on military techniques, On the defence of fortification in which the whole chapter is devoted to steganographic methods. prof. Jozef Gruska IV054 11. Steganography and Watermarking 475/616 FIRST STEGANOGRAPHY BOOKS In the fourth century BC, the Greek Aeneas Tacticus, wrote a book on military techniques, On the defence of fortification in which the whole chapter is devoted to steganographic methods. In 1499 Johannes Trithemius, opat from Wurzburg, wrote 3 out of 8 planned books "Steganographie". prof. Jozef Gruska IV054 11. 
Steganography and Watermarking 475/616 FIRST STEGANOGRAPHY BOOKS In the fourth century BC, the Greek Aeneas Tacticus, wrote a book on military techniques, On the defence of fortification in which the whole chapter is devoted to steganographic methods. In 1499 Johannes Trithemius, opat from Wurzburg, wrote 3 out of 8 planned books "Steganographie". In 1518 Trithemius printed 6 books, 540 pages, on cryptography and steganography called Polygraphiae. prof. Jozef Gruska IV054 11. Steganography and Watermarking 475/616 FIRST STEGANOGRAPHY BOOKS In the fourth century BC, the Greek Aeneas Tacticus, wrote a book on military techniques, On the defence of fortification in which the whole chapter is devoted to steganographic methods. In 1499 Johannes Trithemius, opat from Wurzburg, wrote 3 out of 8 planned books "Steganographie". In 1518 Trithemius printed 6 books, 540 pages, on cryptography and steganography called Polygraphiae. This is Trithemius' most notorious work. It includes a sophisticated system of steganography, as well as angel magic. It also contains a synthesis of the science of knowledge, the art of memory, magic, an accelerated language learning system, and a method of sending messages without symbols. prof. Jozef Gruska IV054 11. Steganography and Watermarking 475/616 FIRST STEGANOGRAPHY BOOKS In the fourth century BC, the Greek Aeneas Tacticus, wrote a book on military techniques, On the defence of fortification in which the whole chapter is devoted to steganographic methods. In 1499 Johannes Trithemius, opat from Wurzburg, wrote 3 out of 8 planned books "Steganographie". In 1518 Trithemius printed 6 books, 540 pages, on cryptography and steganography called Polygraphiae. This is Trithemius' most notorious work. It includes a sophisticated system of steganography, as well as angel magic. It also contains a synthesis of the science of knowledge, the art of memory, magic, an accelerated language learning system, and a method of sending messages without symbols. 
In 1665 Gaspari Schotti published the book "Steganographica", 400pages. (New presentation of Trithemius.) prof. Jozef Gruska IV054 11. Steganography and Watermarking 475/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. prof. Jozef Gruska IV054 11. Steganography and Watermarking 476/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. ■ His book STEGANOGRAPHIA was published in 1606. prof. Jozef Gruska IV054 11. Steganography and Watermarking 476/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. ■ His book STEGANOGRAPHIA was published in 1606. ■ In 1609 catholic church has put the book on the list of forbidden books (to be there for more than 200 years). prof. Jozef Gruska IV054 11. Steganography and Watermarking 476/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. ■ His book STEGANOGRAPHIA was published in 1606. ■ In 1609 catholic church has put the book on the list of forbidden books (to be there for more than 200 years). ■ His books are obscured by his strong belief in occult powers. prof. Jozef Gruska IV054 11. Steganography and Watermarking 476/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. ■ His book STEGANOGRAPHIA was published in 1606. ■ In 1609 catholic church has put the book on the list of forbidden books (to be there for more than 200 years). ■ His books are obscured by his strong belief in occult powers. ■ He classified witches into four categories. prof. Jozef Gruska IV054 11. Steganography and Watermarking 476/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. ■ His book STEGANOGRAPHIA was published in 1606. ■ In 1609 catholic church has put the book on the list of forbidden books (to be there for more than 200 years). 
■ His books are obscured by his strong belief in occult powers. ■ He classified witches into four categories. ■ He fixed creation of the world at 5206 B.C. prof. Jozef Gruska IV054 11. Steganography and Watermarking 476/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. ■ His book STEGANOGRAPHIA was published in 1606. ■ In 1609 catholic church has put the book on the list of forbidden books (to be there for more than 200 years). ■ His books are obscured by his strong belief in occult powers. ■ He classified witches into four categories. ■ He fixed creation of the world at 5206 B.C. ■ He described how to perform telepathy. prof. Jozef Gruska IV054 11. Steganography and Watermarking 476/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. ■ His book STEGANOGRAPHIA was published in 1606. ■ In 1609 catholic church has put the book on the list of forbidden books (to be there for more than 200 years). ■ His books are obscured by his strong belief in occult powers. ■ He classified witches into four categories. ■ He fixed creation of the world at 5206 B.C. ■ He described how to perform telepathy. ■ Trithemius died on December 14, 1516. prof. Jozef Gruska IV054 11. Steganography and Watermarking 476/616 TRITHEMIUS ■ Born on February 2, 1462 and considered as one of the main intellectuals of his time. ■ His book STEGANOGRAPHIA was published in 1606. ■ In 1609 catholic church has put the book on the list of forbidden books (to be there for more than 200 years). ■ His books are obscured by his strong belief in occult powers. ■ He classified witches into four categories. ■ He fixed creation of the world at 5206 B.C. ■ He described how to perform telepathy. ■ Trithemius died on December 14, 1516. prof. Jozef Gruska IV054 11. 
Steganography and Watermarking 476/616 ORIGIN of MODERN - DIGITAL - STEGANOGRAPHY The origin of modern (digital) steganography has been dated to around 1985 - after personal computers started to be applied to classical steganographic problems. prof. Jozef Gruska IV054 11. Steganography and Watermarking 477/616 ORIGIN of MODERN - DIGITAL - STEGANOGRAPHY The origin of modern (digital) steganography has been dated to around 1985 - after personal computers started to be applied to classical steganographic problems. This was related to new problems at which information needed to be sent securely and safely between parties across restrictive communication channels. B. Morgen and M. Bary, from a small Dallas based company created and fielded two steganographic systems. prof. Jozef Gruska IV054 11. Steganography and Watermarking 477/616 ORIGIN of MODERN - DIGITAL - STEGANOGRAPHY The origin of modern (digital) steganography has been dated to around 1985 - after personal computers started to be applied to classical steganographic problems. This was related to new problems at which information needed to be sent securely and safely between parties across restrictive communication channels. B. Morgen and M. Bary, from a small Dallas based company created and fielded two steganographic systems. Since then a huge spectrum of methods and tools have been discovered and developed for digital cryptography. prof. Jozef Gruska IV054 11. Steganography and Watermarking 477/616 ORIGIN of MODERN - DIGITAL - STEGANOGRAPHY The origin of modern (digital) steganography has been dated to around 1985 - after personal computers started to be applied to classical steganographic problems. This was related to new problems at which information needed to be sent securely and safely between parties across restrictive communication channels. B. Morgen and M. Bary, from a small Dallas based company created and fielded two steganographic systems. 
Since then a huge spectrum of methods and tools have been discovered and developed for digital cryptography. Some examples" ■ Network steganohraphy ■ WLAN steganography ■ Inter-protocol steganography ■ Blog steganography ■ Echo steganography ■ Sudoku puzzles using steganography Steganography used before is usually called physical steganography because physical carrier have been used to embed secret messages. prof. Jozef Gruska IV054 11. Steganography and Watermarking 477/616 GENERAL STEGANOGRAPHIC MODEL A general model of a steganographic system: secret message cover Stegosystem encoder stego object Estimate of secret message key ] communication -' channel Stegosystem decoder I original cover Figure 1: Model of steganographic systems Steganographic algorithms are in general based on replacing noise component of a digital object with a to-be-hidden message. Kerckhoffs's principle holds also for steganography. Security of the system should not be based on hiding embedding algorithm, but on hiding the key. prof. Jozef Gruska IV054 11. Steganography and Watermarking 478/616 BASIC CONCEPTS of STEGOSYSTEMS ■ Covertext (cover-data - cover-object) is an original (unaltered) message. prof. Jozef Gruska IV054 11. Steganography and Watermarking 479/616 BASIC CONCEPTS of STEGOSYSTEMS ■ Covertext (cover-data - cover-object) is an original (unaltered) message. ■ Embedding process (ukryvaci process) in which the sender, Alice, tries to hide a message by embedding it into a (randomly chosen) covertext, usually using a key, to obtain a stegotext (stego-data or stego-object). The embedding process can be described by the mapping E : C x K x M — C, where C is the set of possible cover - and stegotexts, K is the set of keys, and M is the set of messages. prof. Jozef Gruska IV054 11. Steganography and Watermarking 479/616 BASIC CONCEPTS of STEGOSYSTEMS ■ Covertext (cover-data - cover-object) is an original (unaltered) message. 
BASIC CONCEPTS of STEGOSYSTEMS

■ Covertext (cover-data, cover-object) is an original (unaltered) message.
■ Embedding process (hiding process) in which the sender, Alice, tries to hide a message by embedding it into a (randomly chosen) covertext, usually using a key, to obtain a stegotext (stego-data or stego-object). The embedding process can be described by the mapping E : C × K × M → C, where C is the set of possible cover- and stegotexts, K is the set of keys, and M is the set of messages.
■ Stegotext (stego-data, stego-object) is the message that comes out of the embedding process and contains the hidden message.
■ Recovering process (or extraction process, uncovering process) in which the receiver, Bob, tries to get, using the key only but not the covertext, the hidden message in the stegotext. The recovery (decoding) process D can be seen as a mapping D : C × K → C.
■ Security requirement is that a third person watching such a communication should not be able to find out whether the sender has been active, and when, in the sense that he really embedded a message in the covertext. In other words, stegotexts should be indistinguishable from covertexts.

BASIC TYPES of STEGOSYSTEMS

There are three basic types of stegosystems:
■ Pure stegosystems - no key is used.
■ Secret-key stegosystems - a shared secret key is used.
■ Public-key stegosystems - public and secret keys are used.

Definition. A pure stegosystem is S = (C, M, E, D), where C is the set of possible covertexts, M is the set of secret messages, |C| ≥ |M|, E : C × M → C is the embedding function and D : C → M is the extraction function, with the property that D(E(c, m)) = m for all m ∈ M and c ∈ C.

Security of a pure stegosystem depends completely on its secrecy. On the other hand, security of the other two types of stegosystems depends on the secrecy of the key used.

Definition. A secret-key (asymmetric) stegosystem is S = (C, M, K, E_K, D_K), where C is the set of possible covertexts, M is the set of secret messages with |C| ≥ |M|, K is the set of secret keys, E_K : C × M × K → C and D_K : C × K → M, with the property that D_K(E_K(c, m, k), k) = m for all m ∈ M, c ∈ C and k ∈ K.

PUBLIC-KEY STEGANOGRAPHY

Similarly as in the case of public-key cryptography, two keys are used: a public key E for embedding and a private key D for recovering.

It is often useful to combine such a public-key stegosystem with a public-key cryptosystem.
For example, in case Alice wants to send a message m to Bob, she first encrypts m using Bob's public key e_B, then embeds e_B(m) using the process E into a cover and then sends the resulting stegotext to Bob, who recovers e_B(m) using D and then decrypts it using his decryption function.

TEXT STEGANOGRAPHY

A variety of steganography techniques allow one to hide messages in formatted texts.
■ Acrostic. A message is hidden in certain letters of the text, for example in the first letters of some words. Tables have been produced, the first one by Trithemius, called Ave Maria, describing how to replace plaintext letters by words.
■ An improvement of the previous method is to distribute plaintext letters randomly in the cover-text and then use a mask to read them.
■ The presence of errors or stylistic features at predetermined points in the cover data is another way to select the location of the embedded information.
■ Line shifting encodings.
■ Word shifting encodings.
■ Data hiding through justification.
■ Feature encoding (for example in the vertical lines of the letters b, d, h, k).
Text steganography (a really good one) is considered to be a very difficult kind of steganography due to the lack of redundancy in texts compared to images or audio.

ACROSTIC

Amorosa visione by Giovanni Boccaccio (1313-1375) is said to be the world's largest acrostic. Boccaccio first wrote three sonnets (1500 letters together) and then he wrote other poems such that the initials of the successive tercets correspond exactly to the letters of the sonnets.

In the book Hypnerotomachia Poliphili, published anonymously in 1499 and considered one of the most beautiful books ever, the first letters of the 38 chapters spell out the following: Poliam frater Franciscus Columna peramavit, with the translation: Brother Francesco Colonna passionately loves Polia.
PERFECT SECRECY of STEGOSYSTEMS

In order to define secrecy of a stegosystem we need to consider
■ a probability distribution P_C on the set C of covertexts;
■ a probability distribution P_M on the set M of secret messages;
■ a probability distribution P_K on the set K of keys;
■ a probability distribution P_S on the set {E_K(c, m, k) | c ∈ C, m ∈ M, k ∈ K} of stegotexts.

The basic related concept is that of the relative entropy D(P_1 || P_2) of two probability distributions P_1 and P_2 defined on a set Q by

D(P_1 || P_2) = Σ_{q ∈ Q} P_1(q) lg (P_1(q) / P_2(q)),

which measures the inefficiency of assuming that the distribution on Q is P_2 if it is really P_1.

Definition. Let S be a stegosystem, P_C the probability distribution on the covertexts C, P_S the probability distribution of the stegotexts and ε ≥ 0. S is called ε-secure against passive attackers if D(P_C || P_S) ≤ ε, and perfectly secure if ε = 0.

PERFECTLY SECURE STEGOSYSTEMS

A perfectly secure stegosystem can be constructed out of the ONE-TIME PAD CRYPTOSYSTEM.

Theorem. There exist perfectly secure stegosystems.

Proof. Let n be an integer, C_n = {0,1}^n and P_C be the uniform distribution on C_n, and let m ∈ C_n be a secret message. The sender selects randomly c ∈ C_n and computes c ⊕ m = s. The resulting stegotexts are uniformly distributed on C_n and therefore P_C = P_S, from which it follows that D(P_{C_n} || P_S) = 0. In the extraction process, the message m can be extracted from s by the computation m = s ⊕ c.
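The construction from the proof above, carried out for n = 3 as an added example (this is not code from the lecture): embedding and extraction are XOR, the induced stegotext distribution P_S is computed exactly over the whole probability space, and D(P_C || P_S) is evaluated with the relative entropy defined on the previous slide. The distributions P_M_SKEWED and P_C_BIASED are constructed sample inputs. The example goes one step beyond the proof: the second run shows that the uniform cover distribution is what makes the system perfectly secure, because the same XOR embedding on a biased cover leaks a positive amount of relative entropy.

```python
from itertools import product
from math import log2
from typing import Dict, Tuple

Bits = Tuple[int, ...]
Dist = Dict[Bits, float]


def embed(cover: Bits, message: Bits) -> Bits:
    """E(c, m) = c XOR m: the stegotext of the one-time-pad stegosystem."""
    return tuple(ci ^ mi for ci, mi in zip(cover, message))


def extract(stego: Bits, cover: Bits) -> Bits:
    """D(s, c) = s XOR c: the cover plays the role of the one-time key."""
    return tuple(si ^ ci for si, ci in zip(stego, cover))


def relative_entropy(p1: Dist, p2: Dist) -> float:
    """D(P1 || P2) = sum over q of P1(q) * lg(P1(q) / P2(q)).

    Returns +inf when P2 gives zero mass to a point that P1 can produce:
    an observer who sees such a point knows for certain a message is present.
    """
    total = 0.0
    for q, p in p1.items():
        if p == 0.0:
            continue
        if p2.get(q, 0.0) == 0.0:
            return float("inf")
        total += p * log2(p / p2[q])
    return total


def uniform(n: int) -> Dist:
    """The uniform distribution P_C on C_n = {0,1}^n."""
    return {bits: 1.0 / 2 ** n for bits in product((0, 1), repeat=n)}


def stegotext_distribution(cover_dist: Dist, message_dist: Dist) -> Dist:
    """P_S induced by embedding: P_S(s) = sum over (c, m) with c XOR m = s of P_C(c) P_M(m)."""
    p_s: Dist = {}
    for c, pc in cover_dist.items():
        for m, pm in message_dist.items():
            s = embed(c, m)
            p_s[s] = p_s.get(s, 0.0) + pc * pm
    return p_s


def leakage(cover_dist: Dist, message_dist: Dist) -> float:
    """D(P_C || P_S): 0 means a passive observer cannot tell stego from cover."""
    return relative_entropy(cover_dist, stegotext_distribution(cover_dist, message_dist))


def roundtrip_ok(n: int) -> bool:
    """D(E(c, m), c) = m for every cover and every message (exhaustive for small n)."""
    space = list(product((0, 1), repeat=n))
    return all(extract(embed(c, m), c) == m for c in space for m in space)


# Constructed sample distributions for n = 3 (not from the lecture).
N = 3
P_C_UNIFORM = uniform(N)
# A message source that is far from uniform: Alice almost always sends 101.
P_M_SKEWED: Dist = {(1, 0, 1): 0.9, (0, 1, 1): 0.1}
# A cover source that is NOT uniform: the all-zero cover appears half the time.
P_C_BIASED: Dist = {bits: (0.5 if bits == (0, 0, 0) else 0.5 / 7)
                    for bits in product((0, 1), repeat=N)}

if __name__ == "__main__":
    print("round trip     :", roundtrip_ok(N))
    print("uniform cover  : D(P_C||P_S) =", leakage(P_C_UNIFORM, P_M_SKEWED))
    print("biased cover   : D(P_C||P_S) =", leakage(P_C_BIASED, {(1, 0, 1): 1.0}))
```

With the uniform cover the leakage is exactly 0 whatever P_M is, which is the content of the theorem; with the biased cover and a fixed message it is (6/14) lg 7 ≈ 1.203 bits, so the system is no longer perfectly secure even though extraction still works.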
INFORMATION HIDING in NOISY DATA

Perhaps the most basic method of steganography is to utilize the existence of redundant information in communication channels/media.

Images and digital sounds naturally contain such redundancies in the form of noise components. For images and digital sounds it is natural to assume that cover-data are represented by a sequence of numbers and their least significant bits (LSB) represent noise.

If cover-data are represented by numbers c_1, c_2, c_3, ..., then one of the most basic steganographic methods is to replace, in some of the c_i's, chosen using an algorithm and a key, the least significant bits by the bits of the message that should be hidden.

Unfortunately, this method does not provide a high level of security and it can significantly change the statistical properties of the cover-data.

ACTIVE and MALICIOUS ATTACKS

At the design of stegosystems special attention has to be paid to the presence of active and malicious attackers.
■ Active attackers can change the cover during the communication process.
■ An attacker is malicious if he forges messages or initiates a steganography protocol under the name of one communicating party.
In the presence of a malicious attacker, it is not enough that a stegosystem is robust. If the embedding method does not depend on a key shared by the sender and receiver, then an attacker can forge messages, since the recipient is not able to verify the sender's identity.

SECURITY of STEGOSYSTEMS

Definition. A steganographic algorithm is called secure if
■ Messages are hidden using a public algorithm and a secret key. The secret key must identify the sender uniquely.
■ Only the holder of the secret key can detect, extract and prove the existence of the hidden message. (Nobody else should be able to find any statistical evidence of a message's existence.)
■ Even if an enemy gets the contents of one hidden message, he should have no chance of detecting others.
■ It is computationally infeasible to detect hidden messages.
STEGO-ATTACKS

Stego-only attack: Only the stego-object is available for steganalysis.

Known-cover attack: The original cover-object and the stego-object are both available.

Known-message attack: Sometimes the hidden message may become known to the steganalyst. Analyzing the stego-object for patterns that correspond to the hidden message may be beneficial for future attacks against that system. (Even with the message, this may be very difficult and may even be considered equivalent to steganalysis without it.)

Chosen-stego attack: The steganalyst generates a stego-object from a chosen message using some steganography tool or algorithm. The goal in this attack is to determine corresponding patterns in the stego-object that may point to the use of specific steganography tools or algorithms.

Known-stego attack: The steganography algorithm is known and both the original and stego-objects are available.

BASIC STEGANOGRAPHIC TECHNIQUES

Substitution techniques: substitute a redundant part of the cover-object with the secret message.

Transform domain techniques: embed the secret message in a transform space of the signal (e.g. in the frequency domain).

Spread spectrum techniques: embed the secret messages adopting ideas from spread spectrum communications.

Statistical techniques: embed messages by changing some statistical properties of the cover-objects and use hypothesis-testing methods in the extraction process.

Cover generation techniques: do not embed the message in randomly chosen cover-objects, but create covers that fit the message that needs to be hidden.
DIGITAL COVER DATA

A cover-object or, shortly, a cover c is a sequence of numbers c_i, i = 1, 2, ..., |c|. Such a sequence can represent digital sounds at different time moments, or a linear (vectorized) version of an image. c_i ∈ {0,1} in the case of binary images and, usually, 0 ≤ c_i < 256 in the case of quantized images or sounds.

An image C can be seen as a discrete function assigning a color vector c(x,y) to each pixel p(x,y). A color value is normally a three-component vector in a color space. Often used are the following color spaces:

RGB-space - every color is specified as a weighted sum of a red, a green and a blue component. A vector specifies the intensities of these three components.

YCbCr-space - it distinguishes a luminance Y and two chrominance components (Cb, Cr).

Note. A color vector can be converted to YCbCr components as follows:
Y = 0.299 R + 0.587 G + 0.114 B
Cb = 0.5 + (B − Y) / 2
Cr = 0.5 + (R − Y) / 1.6

BASIC SUBSTITUTION TECHNIQUES

■ LSB substitution - the LSB of a binary block c_{k_i} is replaced by the bit m_i of the secret message. The methods differ in the technique used to determine k_i for a given i. For example, k_{i+1} = k_i + r_i, where r_i is a sequence of numbers generated by a pseudo-random generator.
■ Substitution into parity bits of blocks. If the parity bit of the block c_{k_i} is m_i, then the block c_{k_i} is not changed; otherwise one of its bits is changed.
■ Substitution in binary images. If the image c_i has more (fewer) black pixels than white pixels and m_i = 1 (m_i = 0), then c_i is not changed; otherwise the proportion of black and white pixels is changed (by making changes at those pixels that are neighbours of pixels of the opposite color).
■ Substitution in unused or reserved space in computer systems.

LSB SUBSTITUTION PLUSES and MINUSES

Bits for substitution can be chosen (a) randomly; (b) adaptively, according to local properties of the digital media that is used.

Advantages:
(a) LSB substitution is the simplest and most common stego technique and it can be used also for different color models.
(b) This method can reach a very high capacity with little, if any, visible impact on the cover digital media.
(c) It is relatively easy to apply to images and audio data.
(d) Many tools for LSB substitution are available on the internet.

Disadvantages:
(a) It is relatively simple to detect the hidden data;
(b) It does not offer robustness against small modifications (including compression) of the stego images.
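The LSB substitution scheme with k_{i+1} = k_i + r_i described above, as an added example that is not code from the lecture or from any tool it mentions. The cover (256 constructed 8-bit samples), the message and the key are all constructed sample inputs, and Python's random.Random, seeded with the key, stands in for the pseudo-random generator of the slide (it is a deterministic PRNG, not a cryptographic one, which is one reason the slide's disadvantage (a) applies). The last part of the demo illustrates disadvantage (b): brightening every sample by one flips every embedded bit, so a harmless-looking edit destroys the message.

```python
import random
from typing import List, Sequence, Tuple

Cover = List[int]  # 8-bit samples: pixel intensities or audio samples in 0..255


def bytes_to_bits(data: bytes) -> List[int]:
    """Most-significant bit first, 8 bits per byte."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: Sequence[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def positions(key: bytes, count: int, max_step: int) -> List[int]:
    """Sample indices k_i with k_{i+1} = k_i + r_i and 1 <= r_i <= max_step.

    r_i comes from a generator seeded with the shared key, so only the key
    holder can recompute the positions. random.Random is a stand-in for the
    slide's pseudo-random generator; a real system would use a keyed CSPRNG.
    """
    rng = random.Random(key)
    ks, k = [], -1
    for _ in range(count):
        k += rng.randint(1, max_step)  # r_i >= 1: no sample is used twice
        ks.append(k)
    return ks


def embed(cover: Cover, message: bytes, key: bytes, max_step: int = 4) -> Cover:
    """Overwrite the LSB of c_{k_i} with message bit m_i."""
    bits = bytes_to_bits(message)
    ks = positions(key, len(bits), max_step)
    if bits and ks[-1] >= len(cover):
        raise ValueError("cover too short for this message and step size")
    stego = list(cover)
    for k, bit in zip(ks, bits):
        stego[k] = (stego[k] & ~1) | bit
    return stego


def extract(stego: Cover, length: int, key: bytes, max_step: int = 4) -> bytes:
    """Read back `length` bytes: recompute the positions from the key, take the LSBs."""
    ks = positions(key, length * 8, max_step)
    return bits_to_bytes([stego[k] & 1 for k in ks])


def changed_samples(cover: Cover, stego: Cover) -> int:
    """How many samples the embedding actually altered (at most one per message bit)."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


# Constructed cover: a smooth 0..127 ramp with a little noise, values stay <= 129.
_noise = random.Random(2011)
COVER: Cover = [min(255, max(0, (i // 2) + _noise.randint(-2, 2))) for i in range(256)]
MESSAGE = b"hi"                 # 16 message bits
KEY = b"shared-secret-key"      # constructed, shared by Alice and Bob


def demo() -> Tuple[bytes, bytes, bytes, int]:
    """(recovered with key, read with wrong key, read after brightening, samples changed)."""
    stego = embed(COVER, MESSAGE, KEY)
    recovered = extract(stego, len(MESSAGE), KEY)
    wrong_key = extract(stego, len(MESSAGE), b"wrong-key")
    # Disadvantage (b): adding 1 to every sample flips every LSB (no sample is
    # at 255 here, so there is no clamping), turning each message byte into its complement.
    brightened = [min(255, v + 1) for v in stego]
    after_edit = extract(brightened, len(MESSAGE), KEY)
    return recovered, wrong_key, after_edit, changed_samples(COVER, stego)


if __name__ == "__main__":
    rec, wrong, edited, n_changed = demo()
    print("recovered  :", rec)
    print("wrong key  :", wrong)
    print("after edit :", edited)
    print("samples changed by embedding:", n_changed, "of", 8 * len(MESSAGE), "positions")
```

The positions list is strictly increasing, so the embedding touches at most one sample per message bit, and `changed_samples` is usually noticeably smaller than the number of bits because a sample whose LSB already equals the message bit is left alone.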
Steganography and Watermarking 494/616 ROBUSTNESS of STEGANOGRAFY Steganographic systems are extremely sensitive to cover modifications, such as ■ image processing techniques (smoothing, filtering, image transformations, ...); ■ filtering of digital sounds; ■ compression techniques. Informally, a stegosystem is robust if the embedded information cannot be altered without making substantial changes to the stego-objects. Definition Let S be a stegosystem and P be a class of mappings C — C. S is P-robust, if for all p e P DK(p(EK(c, m, k)), k) = DK(Ek(c, m, k), k) = m in the case of a secret-key stegosystem and D(p(E(c, m))) = D(E(c, m)) = m in the case of pure stegosystem, for any m, c, k. m There is a clear tradeoff between security and robustness. m Some stegosystems are designed to be robust against a specific class of mappings (for example JPEG compression/decompression). ■ There are two basic approaches to make stegosystems robust: ■ By foreseeing possible cover modifications, the embedding process can be robust so that possible modifications do not entirely destroy embedded information. ■ Reversing operations that has been made by an active attacker. prof. Jozef Gruska IV054 11. Steganography and Watermarking 494/616 DETECTING SECRET MESSAGES The main goal of a passive attacker is to decide whether data sent to Bob by Alice contain secret message or not. The detection task can be formalized as a statistical hypothesis-testing problem with the test function f : C — {0,1}: rr \ _ f 1, if c contains a secret message; 0, otherwise There are two types of errors possible: ■ Type-I error - a secret message is detected in data with no secret message; ■ Type-II error - a hidden secret message is not detected In the case of e-secure stegosystems there is well know relation between the probability /3 of the type II error and probability a of the type I error. 
Let S be a stegosystem that is ε-secure against passive attackers, β the probability that the attacker does not detect a hidden message and α the probability that the attacker falsely detects a hidden message. Then
$d(\alpha, \beta) \le \varepsilon$,
where d(α, β) is the binary relative entropy
$d(\alpha, \beta) = \alpha \lg \frac{\alpha}{1 - \beta} + (1 - \alpha) \lg \frac{1 - \alpha}{\beta}$.
In particular, an attacker who tolerates no false positives (α = 0) has β ≥ 2^{-ε}: for small ε almost every hidden message goes undetected.
prof. Jozef Gruska IV054 11. Steganography and Watermarking 495/616
DIGITAL WATERMARKING
Digital watermarking seems to be a promising technique to deal with the following problem:
Problem Digitalization allows an unlimited number of copies of intellectual products (books, art, music, video, ...) to be made. How can one make use of this enormous potential of digitalization and, at the same time, protect the intellectual rights of authors (copyright, protection against modification and against insertion into other products) in a way that is legally accepted?
Solution Digital watermarking tries to solve the above problem using a variety of methods from informatics, cryptography, signal processing, ...; it inserts specific information (watermarks) into the data/carrier/signal in such a way that the watermarks cannot be removed, or at least not detected, by an attacker, and such that if data carrying one or several watermarks are copied, the watermarks survive unchanged.
prof. Jozef Gruska IV054 11. Steganography and Watermarking 496/616
BASIC APPLICATIONS
■ Copyright protection - ownership assertion. For example, if a watermark is embedded into a music (or video) product, then each time the music (video) is played in public the information about the author can be extracted and royalties established. Another example: annotation of digital photographs.
■ Source tracing. Watermarks can be used to trace or verify the source of digital data (a distinct watermark per recipient identifies the copy that leaked).
■ Insertion of additional (sensitive) information. For example, personal data into X-ray images, or keywords into multimedia products.
prof. Jozef Gruska IV054 11. Steganography and Watermarking 497/616
HISTORY of WATERMARKING
Paper watermarks appeared in the art of handmade paper making about 700 years ago. Watermarks were mainly used to identify the mill that produced the paper, and the paper format, quality and strength. Paper watermarks were a perfect technique for eliminating confusion about which mill a sheet came from and what its parameters were.
The legal power of watermarks was demonstrated in 1887 in France, when the watermarks of two letters presented as evidence in a trial proved that the letters had been predated; this resulted in the downfall of a cabinet and, finally, the resignation of President Grévy.
Paper watermarks in bank notes and stamps inspired the first use of the term "water mark" in the context of digital data.
The first publications that really focused on watermarking of digital images appeared in 1990 and then in 1993.
prof. Jozef Gruska IV054 11. Steganography and Watermarking 498/616
EMBEDDING and RECOVERY SYSTEMS in WATERMARKING SYSTEMS
Figure 2 shows the basic scheme of a watermark embedding system.
Figure 2: Watermark embedding scheme (inputs: watermark W, cover data I, secret key K; output: watermarked data I').
Inputs to the scheme are the watermark, the cover data and an optional public or secret key. The output is the watermarked data. The key is used to enforce security: detecting or removing the watermark should require it.
Figure 3 shows the basic scheme for watermark recovery.
Figure 3: Watermark recovery scheme (inputs: test data I', secret key K and, depending on the method, the original data I and/or the watermark W; output: the recovered watermark or a confidence measure).
Inputs to the scheme are the watermarked data, the secret or public key and, depending on the method, the original data and/or the original watermark. The output is either the recovered watermark W or some kind of confidence measure indicating how likely it is that the given watermark is present in the data under inspection.
prof. Jozef Gruska IV054 11. Steganography and Watermarking 499/616
TYPES of WATERMARKING SCHEMES
Private (non-blind) watermarking systems require the original cover-data for extraction/detection.
■ Type I systems use the original cover-data to determine where a watermark is and how to extract it from the stego-data.
■ Type II systems additionally require a copy of the embedded watermark and yield just a yes/no answer to the question whether the stego-data contains that watermark.
Semi-private (semi-blind) watermarking does not use the original cover-data for detection, but tries to answer the same yes/no question. (A potential application of non-blind and semi-blind watermarking is as evidence of ownership in court.)
Public (blind) watermarking - neither the cover-data nor the embedded watermark is required for extraction - this is the most challenging problem.
prof. Jozef Gruska IV054 11. Steganography and Watermarking 500/616
SECRET SHARING by SECRET HIDING
A simple technique has been developed by Naor and Shamir (visual cryptography) that, for given n and t ≤ n, hides any secret (image) message m in images printed on n transparencies in such a way that each of the n parties receives one transparency, and
■ no t - 1 parties are able to obtain any information about the message m from the transparencies they have;
■ any t of the parties can easily get (read or see) the message m just by stacking their transparencies together and aligning them carefully.
prof. Jozef Gruska IV054 11. Steganography and Watermarking 501/616
APPENDIX
SIGNAL PROCESSING TERMINOLOGY
In some applications of steganography the following signal processing terminology is used.
■ Payload - the message to be secretly communicated;
■ Carrier - the data file or signal into which the payload is embedded;
■ Package - stego file - covert message - the outcome of embedding the payload into the carrier;
■ Encoding density - the percentage of bytes or other signal elements into which the payload is embedded.
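Returning to the Naor-Shamir scheme described above, here is the (2,2) case (t = n = 2) as an added Python example; it is illustration code, not from the lecture notes or from Naor and Shamir's paper. A binary secret image (1 = black) is split into two shares of twice the width and height: every secret pixel becomes a 2x2 block with exactly two black subpixels in each share, so a single share is uniform noise, while stacking the transparencies (a logical OR of subpixels) gives a fully black block for a black pixel and a half-black block for a white one. The secret image is a constructed 5x5 letter; random.Random is a stand-in for a true random source.

```python
"""Naor-Shamir visual secret sharing, the (2,2) case."""
import random
from itertools import combinations
from typing import List, Tuple

Image = List[List[int]]

# The six 2x2 patterns (flattened row-major) with exactly two black subpixels.
PATTERNS = [tuple(1 if k in blk else 0 for k in range(4)) for blk in combinations(range(4), 2)]

# Constructed secret: a 5x5 letter "T" (1 = black).
SECRET: Image = [
    [1, 1, 1, 1, 1],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
]


def make_shares(secret: Image, seed: int) -> Tuple[Image, Image]:
    """Share 1 gets a random pattern P per pixel; share 2 gets P for a white
    pixel and the complement of P for a black one. (random.Random stands in
    for a true random source; use the secrets module for anything real.)"""
    rng = random.Random(seed)
    h, w = len(secret), len(secret[0])
    s1 = [[0] * (2 * w) for _ in range(2 * h)]
    s2 = [[0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            pat = rng.choice(PATTERNS)
            other = tuple(1 - v for v in pat) if secret[y][x] else pat
            for k in range(4):
                dy, dx = divmod(k, 2)
                s1[2 * y + dy][2 * x + dx] = pat[k]
                s2[2 * y + dy][2 * x + dx] = other[k]
    return s1, s2


def stack(s1: Image, s2: Image) -> Image:
    """Overlaying transparencies: a subpixel is black if black in either share."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]


def block_black_counts(image: Image) -> Image:
    """Number of black subpixels in each 2x2 block."""
    h, w = len(image) // 2, len(image[0]) // 2
    return [[sum(image[2 * y + dy][2 * x + dx] for dy in (0, 1) for dx in (0, 1))
             for x in range(w)] for y in range(h)]


def reconstruct(stacked: Image) -> Image:
    """4 black subpixels in a stacked block means a black secret pixel, 2 means
    white; the eye sees full black versus 50% grey without any computation."""
    return [[1 if c == 4 else 0 for c in row] for row in block_black_counts(stacked)]


def is_uniform(share: Image) -> bool:
    """Every block of one share has exactly two black subpixels whatever the
    secret pixel was, so a single share carries no information."""
    return all(c == 2 for row in block_black_counts(share) for c in row)


def render(image: Image) -> str:
    return "\n".join("".join("#" if v else "." for v in row) for row in image)
```

The general (t, n) construction of Naor and Shamir uses larger subpixel blocks and two matrix collections with the same row statistics for any t - 1 rows; the (2,2) case above is the smallest instance of that idea.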
Steganography and Watermarking 503/616 TO REMEMBER !!!
"There is no use in trying," she said, "one cannot believe impossible things." "I dare say you have not had much practice," said the Queen. "When I was your age, I always did it for half an hour a day, and sometimes I have believed as many as six impossible things before breakfast."
Lewis Carroll: Through the Looking-Glass, 1872
prof. Jozef Gruska IV054 11. Steganography and Watermarking 504/616
Part XII From theory to practice in cryptography
From Crypto-Theory to Crypto-Practice
I. SHIFT REGISTERS
The first practical approach to the ONE-TIME PAD cryptosystem.
Basic idea: use a short key, called the "seed", with a pseudorandom generator to generate a key as long as needed; the binary plaintext is then XORed with the generated key stream.
(Figure: short key → pseudo-random generator → key stream, XORed with the binary plaintext; the generator is a linear shift register, whose output is periodic.)
Shift registers as pseudorandom generators
Theorem For every n > 0 there is a linear shift register with n cells of maximal period 2^n - 1.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 506/616
CRYPTANALYSIS of linear feedback shift registers
Sequences generated by linear shift registers have excellent statistical properties, but they are not resistant to a known-plaintext attack.
Example Let us have a 4-bit shift register with cells 4, 3, 2, 1: the output is taken from cell 1, the contents shift one cell to the right at each step, and cell 4 receives the feedback bit c_4 x_4 ⊕ c_3 x_3 ⊕ c_2 x_2 ⊕ c_1 x_1, where x_j is the content of cell j. Let us assume we know 8 bits of plaintext and of the corresponding cryptotext. By XOR-ing these two bit sequences we get 8 bits of the output of the register (of the key), say 00011110. The first four output bits are the initial contents of cells 1, 2, 3, 4, so the initial state (cell 4, cell 3, cell 2, cell 1) is 1 0 0 0. We need to determine c_4, c_3, c_2, c_1 such that the above sequence is output by the register. The successive states are:

  cell 4                         cell 3         cell 2      cell 1
  1                              0              0           0
  c_4                            1              0           0
  c_4 ⊕ c_3                      c_4            1           0
  c_2 ⊕ c_4                      c_4 ⊕ c_3      c_4         1
  c_1 ⊕ c_3 ⊕ c_3 c_4 ⊕ c_4      c_2 ⊕ c_4      c_4 ⊕ c_3   c_4

The bit that enters cell 4 at each step is the key bit that leaves cell 1 three steps later, so the cell-4 column of the last four rows must equal the known bits x_5, x_6, x_7, x_8 = 1, 1, 1, 0:
  c_4 = 1;
  c_4 ⊕ c_3 = 1, hence c_3 = 0;
  c_2 ⊕ c_4 = 1, hence c_2 = 0;
  c_1 ⊕ c_3 ⊕ c_4 ⊕ c_3 c_4 = 0, hence c_1 = 1.
The register therefore realizes the recurrence x_{n+4} = x_{n+3} + x_n, and the attacker can now generate the whole key stream.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 507/616
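The known-plaintext attack of the example above, together with the matrix method for finding a linear recurrence that the following slides describe, as an added Python example (illustration code, not from the lecture notes). It assumes the slide's conventions: key bits are numbered x_1, x_2, ..., the recurrence is x_{n+m} = c_0 x_n + ... + c_{m-1} x_{n+m-1} (mod 2), and the m x m Hankel matrix of x_1, ..., x_{2m-1} is solved over GF(2) for increasing m, accepting the first m whose recurrence reproduces all remaining known bits. The plaintext is a constructed 30-bit string; the register is the one of the example (x_{n+4} = x_{n+3} + x_n, initial state 0001).

```python
"""LFSR key stream, recovery of the recurrence from 2m key bits, and the known-plaintext attack."""
from typing import List, Optional, Tuple


def lfsr_output(state: List[int], taps: List[int], length: int) -> List[int]:
    """x[n+m] = sum_j taps[j] * x[n+j] (mod 2); state = x_1..x_m, taps = c_0..c_{m-1}."""
    m = len(state)
    seq = list(state)
    while len(seq) < length:
        nxt = 0
        for j in range(m):
            nxt ^= taps[j] & seq[-m + j]
        seq.append(nxt)
    return seq[:length]


def period(state: List[int], taps: List[int]) -> Optional[int]:
    """Smallest shift under which the output repeats: 2^m - 1 for a maximal-length register."""
    m = len(state)
    seq = lfsr_output(state, taps, 2 * 2 ** m + m)
    for p in range(1, 2 ** m + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None


def solve_gf2(matrix: List[List[int]], rhs: List[int]) -> Optional[List[int]]:
    """Gaussian elimination over GF(2). Returns the unique solution, or None when
    the matrix is singular (det M = 0), the case the theorem on the slides
    relates to the existence of a shorter recurrence."""
    m = len(matrix)
    aug = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def find_recurrence(bits: List[int]) -> Optional[Tuple[int, List[int]]]:
    """Try m = 1, 2, ...: rows of M are x_{i+1}..x_{i+m}, the right-hand side is
    x_{m+1}..x_{2m}; accept the first m whose solution regenerates every known bit."""
    n = len(bits)
    for m in range(1, n // 2 + 1):
        matrix = [bits[i:i + m] for i in range(m)]
        taps = solve_gf2(matrix, bits[m:2 * m])
        if taps is not None and lfsr_output(bits[:m], taps, n) == bits:
            return m, taps
    return None


def xor_bits(a: List[int], b: List[int]) -> List[int]:
    return [x ^ y for x, y in zip(a, b)]


def known_plaintext_attack(ciphertext: List[int], known_prefix: List[int]) -> Optional[List[int]]:
    """Recover the key stream prefix from known plaintext, find the recurrence,
    regenerate the whole key stream and decrypt everything."""
    key_prefix = xor_bits(ciphertext[:len(known_prefix)], known_prefix)
    found = find_recurrence(key_prefix)
    if found is None:
        return None
    m, taps = found
    return xor_bits(ciphertext, lfsr_output(key_prefix[:m], taps, len(ciphertext)))


# The register of the worked example: x_{n+4} = x_{n+3} + x_n, initial state 0001.
STATE, TAPS = [0, 0, 0, 1], [1, 0, 0, 1]
# Constructed 30-bit plaintext and its one-time-pad encryption under the LFSR key stream.
PLAINTEXT = [int(b) for b in "101100111000110101011110010010"]
CIPHERTEXT = xor_bits(PLAINTEXT, lfsr_output(STATE, TAPS, len(PLAINTEXT)))
```

Eight known bits are enough here because 2m bits determine a register of length m; with a 31-bit register such as x_{n+31} = x_n + x_{n+3} the attacker needs 62 known bits, still a tiny fraction of a two-billion-bit period.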
Linear Recurrences
Linear feedback shift registers are an efficient way to realize recurrence relations of the type
$x_{n+m} = c_0 x_n + c_1 x_{n+1} + \cdots + c_{m-1} x_{n+m-1} \pmod 2$
that can be specified by 2m bits: the coefficients c_0, ..., c_{m-1} and the initial values x_1, ..., x_m.
Recurrences realized by the shift registers on the previous slides are: x_{n+4} = x_n; x_{n+4} = x_{n+2} + x_n; x_{n+4} = x_{n+3} + x_n.
The main advantage of such recurrences is that a key of a very large period can be generated from very few bits. For example, the recurrence x_{n+31} = x_n + x_{n+3}, with any non-zero initial vector, produces sequences with period 2^31 - 1, which is more than two billion.
Encryption using the one-time pad with a key generated by a linear feedback shift register succumbs easily to a known-plaintext attack. If we know a few bits of the plaintext and of the corresponding cryptotext, we can easily determine the initial part of the key and then the corresponding linear recurrence, as already shown. The statistical quality of the sequence does not help here: the attack exploits linearity, and 2m consecutive key bits suffice to recover a register of length m.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 508/616
Finding Linear Recurrences - a method
To test whether a given portion of a key was generated by a recurrence of length m, if we know x_1, ..., x_{2m}, we need to solve the matrix equation
$$\begin{pmatrix} x_1 & x_2 & \cdots & x_m \\ x_2 & x_3 & \cdots & x_{m+1} \\ \vdots & \vdots & & \vdots \\ x_m & x_{m+1} & \cdots & x_{2m-1} \end{pmatrix} \begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_{m-1} \end{pmatrix} = \begin{pmatrix} x_{m+1} \\ x_{m+2} \\ \vdots \\ x_{2m} \end{pmatrix}$$
over GF(2), and then to verify whether the remaining available bits x_{2m+1}, ... are really generated by the recurrence obtained.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 509/616
Finding Linear Recurrences
The basic idea for finding a linear recurrence generating a given sequence is to check whether there is such a recurrence for m = 2, 3, ... In doing that we use the following result.
Theorem Let
$$M = \begin{pmatrix} x_1 & x_2 & \cdots & x_m \\ x_2 & x_3 & \cdots & x_{m+1} \\ \vdots & \vdots & & \vdots \\ x_m & x_{m+1} & \cdots & x_{2m-1} \end{pmatrix}.$$
If the sequence x_1, x_2, ..., x_{2m-1} satisfies a linear recurrence of length less than m, then det(M) = 0.
Conversely, if the sequence x_1, x_2, ..., x_{2m-1} satisfies a linear recurrence of length m and det(M) = 0, then the sequence also satisfies a linear recurrence of length less than m. (Given enough known bits, the register length is therefore the first m for which det(M) ≠ 0 and the solved recurrence reproduces all remaining known bits; a singular M means that m can be skipped.)
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 510/616
II. How to make the cryptanalyst's task harder?
Two general methods are called diffusion and confusion.
Diffusion: dissipate the source-language redundancy found in the plaintext by spreading it out over the cryptotext.
Example 1: A permutation of the plaintext rules out the possibility of using frequency tables for digrams and trigrams.
Example 2: Make each letter of the cryptotext depend on as many letters of the plaintext as possible.
Illustration: Let the letters of English be encoded by integers from {0, ..., 25}. Let the key k = k_1, ..., k_s be a sequence of such integers.
Let $c_i = \sum_{j=1}^{s} p_{i+j} \bmod 26$, 1 ≤ i ≤ n; every cryptotext letter then depends on s consecutive plaintext letters, so the single-letter statistics of the plaintext are spread out over the cryptotext.
Confusion makes the relation between the cryptotext and the plaintext as complex as possible. Example: polyalphabetic substitutions.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 511/616
Confusion and diffusion - a more detailed view
As already mentioned, two fundamental cryptographic techniques, introduced by Shannon, are confusion and diffusion.
Confusion obscures the relationship between the plaintext (and the key) and the ciphertext, which makes the cryptanalyst's attempts to study the cryptotext by looking for redundancies and statistical patterns much more difficult. (The usual way to cause confusion is through complicated substitutions.)
Diffusion dissipates the redundancy of the plaintext by spreading it over the cryptotext; that again makes a cryptanalyst's attempts to find the redundancy of the plaintext by observing the cryptotext much more difficult. (The usual way to achieve it is through transformations that make bits from different positions in the plaintext contribute to the same bit of the cryptotext.)
Mono-alphabetic cryptosystems use no confusion and no diffusion. Polyalphabetic cryptosystems use only confusion. In permutation cryptosystems only a diffusion step is used. DES essentially uses a sequence of confusion (S-box) and diffusion (permutation) steps.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 512/616
III. Cryptosystem DES - its history
15. 5. 1973 The National Bureau of Standards (NBS) published a solicitation for a new cryptosystem. This led to the development of so far the most often used cryptosystem, the Data Encryption Standard - DES. DES was developed at IBM as a modification of an earlier cryptosystem called Lucifer.
17. 3. 1975 DES was published for the first time.
After a long and heated public discussion, DES was adopted as a standard on 15. 1. 1977. DES used to be reviewed by NBS every 5 years.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 513/616
DES - description
DES was a revolutionary step in the history of secret-key cryptography: both the encryption and the decryption algorithms were made public, so that the security rests on the key alone.
Preprocessing (key schedule): A secret 56-bit key k_56 is chosen. A fixed, public permutation π_56 is applied to get π_56(k_56). The first (second) half of the resulting string is taken as a 28-bit block C_0 (D_0). Using a fixed, public sequence s_1, ..., s_16 of integers (each equal to 1 or 2), 16 pairs of 28-bit blocks (C_i, D_i), i = 1, ..., 16, are obtained as follows:
■ C_i (D_i) is obtained from C_{i-1} (D_{i-1}) by s_i cyclic left shifts.
■ Using a fixed and public selection of 48 of the 56 bit positions, a 48-bit subkey K_i is created from each pair C_i and D_i.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 514/616
DES cryptosystem - Data Encryption Standard - 1977
Encryption A fixed, public permutation π_64 is applied to a 64-bit plaintext w to get w' = L_0 R_0, where each of the strings L_0 and R_0 has 32 bits. 16 pairs of 32-bit blocks L_i, R_i, 1 ≤ i ≤ 16, are computed using the recurrence
$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$,
where f is a fixed, public and easy-to-implement function (expansion of R_{i-1} to 48 bits, XOR with K_i, eight S-boxes, a permutation). The cryptotext is c = π_64^{-1}(L_16, R_16). (The standard swaps the halves before the final permutation, c = π_64^{-1}(R_16, L_16), which makes encryption and decryption the same circuit; the slide's convention is kept below.)
Decryption π_64(c) = L_16 R_16 is computed and then the recurrence
$R_{i-1} = L_i, \qquad L_{i-1} = R_i \oplus f(L_i, K_i)$
is used to get L_i, R_i for i = 15, ..., 1, 0, and finally w = π_64^{-1}(L_0, R_0). Decryption thus uses the same round function with the subkeys in reverse order; f need not be invertible.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 515/616
How fast is DES? 200 megabits per second could be encrypted using special hardware.
How safe is DES?
Pretty good, as far as the algorithm is concerned; the weak point is the key size, discussed below.
How to increase security when using DES?
■ Use two keys, for a double encryption. (This gains little: a meet-in-the-middle attack breaks double encryption with about 2^57 operations and a large table, not 2^112.)
■ Use three keys, k_1, k_2 and k_3, to compute
$c = DES_{k_1}(DES_{k_2}^{-1}(DES_{k_3}(w)))$
(Triple DES; with k_1 = k_2 = k_3 it reduces to single DES, so existing equipment stays compatible).
How to increase security when encrypting long plaintexts? Let w = m_1 m_2 ... m_n, where each m_i has 64 bits. Choose a 56-bit key k and a 64-bit block c_0 and compute
$c_i = DES_k(m_i \oplus c_{i-1})$ for i = 1, ..., n
(this is the CBC mode described later).
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 516/616
The DES controversy
■ There have been suspicions that the design of DES might contain hidden "trapdoors" that allow the NSA to decrypt messages.
■ The main criticism has been that the size of the keyspace, 2^56, is too small for DES to be really secure.
■ In 1977 Diffie and Hellman suggested that for $20 million one could build a special-purpose machine that could search the entire key space within 1 day.
■ In 1993 M. Wiener suggested a machine costing $100,000 that could find the key in 1.5 days.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 517/616
What are the key elements of DES?
■ A cryptosystem is called linear if each bit of the cryptotext is a linear combination (over GF(2)) of bits of the plaintext and of the key.
■ A linear cryptosystem is broken by solving a system of linear equations from a few known plaintext/cryptotext pairs, exactly as for the shift registers above; for components that are only approximately linear the corresponding powerful method is linear cryptanalysis.
■ The only components of DES that are non-linear are the S-boxes.
■ Some of the original design requirements for the S-boxes:
■ Each row of an S-box should include all possible output bit combinations (each row is a permutation of 0, ..., 15);
■ If two inputs to an S-box differ in precisely one bit, then the outputs must differ in at least two bits;
■ If two inputs to an S-box differ in their first two bits but have identical last two bits, the two outputs have to be distinct.
■ There have been many other very technical requirements for the DES components in order to ensure security (the design rationale was published only in 1994, after differential cryptanalysis had been rediscovered in the open literature).
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 518/616
Weaknesses of DES
■ Existence of weak keys: these are keys k such that for any plaintext p, E_k(E_k(p)) = p, i.e. encryption and decryption coincide. There are four such keys, those for which (C_0, D_0) ∈ {(0^28, 0^28), (1^28, 1^28), (0^28, 1^28), (1^28, 0^28)}, so that all 16 subkeys are identical.
■ The existence of semi-weak key pairs (k_1, k_2) such that for any plaintext p, E_{k_1}(E_{k_2}(p)) = p (there are six such pairs).
■ The existence of the complementation property E_{c(k)}(c(p)) = c(E_k(p)), where c(x) is the bitwise complement of the binary string x; with a chosen plaintext pair (p, c(p)) this halves the work of a brute-force key search.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 519/616
DES modes of operation
ECB mode: to encode a sequence x_1, x_2, x_3, ... of 64-bit plaintext blocks, each x_i is encrypted independently with the same key, y_i = e_k(x_i). Equal plaintext blocks give equal cryptotext blocks, so patterns in the plaintext survive in the cryptotext.
CBC mode: to encode a sequence x_1, x_2, x_3, ... of 64-bit plaintext blocks, a y_0 (the initialization vector) is chosen and each x_i is encrypted as y_i = e_k(y_{i-1} ⊕ x_i).
OFB mode: to encode a sequence x_1, x_2, x_3, ... of 64-bit plaintext blocks, a z_0 is chosen, z_i = e_k(z_{i-1}) are computed and each x_i is encrypted as y_i = x_i ⊕ z_i.
CFB mode: to encode a sequence x_1, x_2, x_3, ... of 64-bit plaintext blocks, a y_0 is chosen and each x_i is encrypted as y_i = x_i ⊕ z_i, where z_i = e_k(y_{i-1}).
In OFB and CFB only the encryption direction of the block cipher is used, for decryption as well.
prof. Jozef Gruska IV054 12. From theory to practice in cryptography 520/616
8-bit VERSION of the CFB MODE
In this mode each 8-bit piece of the plaintext is encrypted without having to wait for an entire 64-bit block to be available. The plaintext is broken into 8-bit pieces P = [P_1, P_2, ...].
Encryption: An initial 64-bit block X_1 is chosen and then, for j = 1, 2, ..., the following computation is done:
$C_j = P_j \oplus L_8(e_k(X_j)), \qquad X_{j+1} = R_{56}(X_j) \,\|\, C_j$,
where L_8(X) denotes the 8 leftmost bits of X and R_56(X) denotes the rightmost 56 bits of X.
X || Y denotes the concatenation of the strings X and Y.

Decryption: P_j = C_j ⊕ L8(e_k(X_j)), X_{j+1} = R56(X_j) || C_j.

Advantages of different encryption modes

■ CBC mode is used for block encryption and also for authentication;
■ CFB mode is used for stream encryption;
■ OFB mode is used for stream encryptions that require message authentication.

CTR MODE

Counter Mode - some consider it the best one.
Key stream design: k_i = E_k(n_i) for a nonce n_i (a counter value that must never be reused under the same key).
Encryption: y_i = x_i ⊕ k_i.
This mode is very fast because the computation of the key stream can be parallelised to any degree. Because of that this mode is used in network security applications.

Killers and death of DES

■ In 1993 M. J. Wiener suggested that one could design, for one million dollars, a computer capable of decrypting DES by brute force in 3.5 hours.
■ In 1998 the group of P. Kocher designed, for a quarter of a million dollars, a computer capable of decrypting DES in 56 hours.
■ In 1999 they did that in 24 hours.
■ It started to be clear that a new cryptosystem with larger keys was badly needed.

Product- and Feistel-cryptosystems

The design of several important practical cryptosystems used the following three general design principles for cryptosystems.

A product cryptosystem combines two or more crypto-transformations in such a way that the resulting cryptosystem is more secure than the component transformations.
An iterated block cryptosystem iteratively uses a round function (it has as parameters the number of rounds r, the block bit-size n and the subkey bit-size k) with the input key K, from which the r subkeys K_i are derived.

A Feistel cryptosystem is an iterated cryptosystem mapping a 2t-bit plaintext (L0, R0), consisting of the t-bit blocks L0 and R0, to a 2t-bit cryptotext (R_r, L_r) through an r-round process, where r > 0. For 0 < i < r + 1, round i maps (L_{i-1}, R_{i-1}) to (L_i, R_i) using a subkey K_i as follows:
L_i = R_{i-1},
R_i = L_{i-1} ⊕ f(R_{i-1}, K_i),
where each subkey K_i is derived from the main key K.

Blowfish cryptosystem

■ Blowfish is a Feistel type cryptosystem developed in 1994 by Bruce Schneier.
■ Blowfish is more secure and faster than DES.
■ It encrypts 8-byte blocks into 8-byte blocks.
■ The key length is variable: 32k bits, for k = 1, 2, ..., 16.
■ For decryption it does not reverse the order of encryption, but follows it.
■ The S-boxes are key dependent and they, as well as the subkeys, are created by repeated execution of the Blowfish enciphering transformation.
■ Blowfish has a very strong avalanche effect.
■ A successor of Blowfish, Twofish, was one of the 5 finalist candidates for AES.
■ Blowfish can be downloaded free from B. Schneier's web site.

AES CRYPTOSYSTEM

On October 2, 2000, NIST selected, as the new Advanced Encryption Standard, the cryptosystem Rijndael, designed in 1998 by Joan Daemen and Vincent Rijmen.

The main goal has been to develop a new cryptographic standard that could be used to encrypt sensitive governmental information securely, well into the next century.
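The Feistel construction and the block-cipher modes described above, as an added example that is not part of the lecture notes: a toy 64-bit Feistel cipher (its round function f and its key schedule are SHA-256 stand-ins, an assumption made so the code runs with the standard library alone) with the CBC, OFB, CFB and CTR modes built on top of it. Decryption runs the same network with the subkeys in reverse order, which is why f itself need not be invertible. ECB is included to show why it is avoided: identical plaintext blocks produce identical cryptotext blocks, which chaining in CBC hides.

```python
# Added example (not from the lecture notes): a toy Feistel cipher with 64-bit
# blocks and the block-cipher modes of the lecture built on top of it.
# The round function and subkey schedule are SHA-256 stand-ins (assumptions);
# the cipher is a teaching toy, not a real primitive.
import hashlib

BLOCK = 8           # 64-bit blocks, as in DES
HALF = BLOCK // 2   # t = 32-bit halves L and R
ROUNDS = 8          # r

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key: bytes) -> list:
    """Subkeys K_1..K_r derived from the main key K (assumed: hash-based)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(1, ROUNDS + 1)]

def f(right: bytes, subkey: bytes) -> bytes:
    """Round function f(R_{i-1}, K_i); a Feistel f need not be invertible."""
    return hashlib.sha256(subkey + right).digest()[:HALF]

def _feistel(round_keys, block: bytes) -> bytes:
    """(L_0, R_0) -> (R_r, L_r) with L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)."""
    left, right = block[:HALF], block[HALF:]
    for k in round_keys:
        left, right = right, _xor(left, f(right, k))
    return right + left        # output is (R_r, L_r)

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(subkeys(key), block)

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Same network, subkeys in reverse order: each round undoes one encryption round."""
    return _feistel(reversed(subkeys(key)), block)

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    """y_i = e_k(x_i): equal plaintext blocks give equal cryptotext blocks."""
    return b"".join(encrypt_block(key, x) for x in _blocks(data))

def cbc_encrypt(key, y0, data):
    """y_i = e_k(y_{i-1} xor x_i), starting from the chosen y_0."""
    out, prev = [], y0
    for x in _blocks(data):
        prev = encrypt_block(key, _xor(prev, x))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, y0, data):
    out, prev = [], y0
    for y in _blocks(data):
        out.append(_xor(decrypt_block(key, y), prev))
        prev = y
    return b"".join(out)

def ofb_crypt(key, z0, data):
    """z_i = e_k(z_{i-1}), y_i = x_i xor z_i; the same call decrypts."""
    out, z = [], z0
    for x in _blocks(data):
        z = encrypt_block(key, z)
        out.append(_xor(x, z))
    return b"".join(out)

def cfb_encrypt(key, y0, data):
    """y_i = x_i xor e_k(y_{i-1})."""
    out, prev = [], y0
    for x in _blocks(data):
        prev = _xor(x, encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, y0, data):
    out, prev = [], y0
    for y in _blocks(data):
        out.append(_xor(y, encrypt_block(key, prev)))
        prev = y
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    """k_i = e_k(nonce || i), y_i = x_i xor k_i; blocks are independent, so this parallelises."""
    out = []
    for i, x in enumerate(_blocks(data)):
        out.append(_xor(x, encrypt_block(key, nonce + i.to_bytes(BLOCK - len(nonce), "big"))))
    return b"".join(out)
```

The point to check with the stream-like modes (OFB, CFB, CTR) is that the same call both encrypts and decrypts only because the key stream is independent of the plaintext; that also means a reused (key, z0) or (key, nonce) pair XORs two messages with the same key stream, so the nonce must be unique per message under a given key.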
AES was expected to be used obligatorily by U.S. governmental institutions and, voluntarily but as a matter of necessity, also by the private sector.

AES is to encrypt 128-bit blocks using a key with 128, 192 or 256 bits.
In addition, AES is to be used as a standard for authentication (MAC), hashing and pseudorandom number generation.

Motivations and advantages of AES:
■ Short code and fast implementations
■ Simplicity and transparency of the design
■ Variable key length
■ Resistance against all known attacks

ARITHMETIC in GF(2^8)

The basic data structure of AES is a byte a = (a7, a6, a5, a4, a3, a2, a1, a0), where the a_i are bits, which can be conveniently represented by the polynomial
a(x) = a7 x^7 + a6 x^6 + a5 x^5 + a4 x^4 + a3 x^3 + a2 x^2 + a1 x + a0.
Bytes can be conveniently seen as elements of the field F = GF(2^8), realised as polynomials over GF(2) modulo m(x), where m(x) = x^8 + x^4 + x^3 + x + 1.

In the field F, addition is the bit-wise XOR and multiplication can be elegantly expressed using polynomial multiplication modulo m(x):
c = a ⊕ b;   c = a • b, where c(x) = [a(x) • b(x)] mod m(x).

MULTIPLICATION in GF(2^8)

Multiplication c = a • b, where c(x) = [a(x) • b(x)] mod m(x), in GF(2^8) can be easily performed using a new operation b = xtime(a) that corresponds to the polynomial multiplication b(x) = [a(x) • x] mod m(x), as follows:
set c = 00000000 and p = a;
for i = 0 to 7 do
    c ← c ⊕ (b_i • p)
    p ← xtime(p)
where b_i is the i-th bit of b.

Hardware implementation of the multiplication therefore requires one circuit for the operation xtime and two 8-bit registers. The operation b = xtime(a) can be implemented by one step (shift) of a shift register: a shift left by one bit, followed by XOR with 00011011 (the low byte of m(x)) if the bit shifted out was 1.
[figure: shift register implementing xtime; not reproduced]

EXAMPLES

'53' + '87' = 'D4' because, in binary, '01010011' ⊕ '10000111' = '11010100', which means
(x^6 + x^4 + x + 1) + (x^7 + x^2 + x + 1) = x^7 + x^6 + x^4 + x^2.
■ '57' • '83' = 'C1'. Indeed,
(x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) = x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1
and
(x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1) mod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1.

■ '57' • '13' = ('57' • '01') ⊕ ('57' • '02') ⊕ ('57' • '10') = '57' ⊕ 'AE' ⊕ '07' = 'FE', because
'57' • '02' = xtime('57') = 'AE'
'57' • '04' = xtime('AE') = '47'
'57' • '08' = xtime('47') = '8E'
'57' • '10' = xtime('8E') = '07'.

POLYNOMIALS over GF(2^8)

The algorithms of AES work with 4-byte vectors that can be represented by polynomials of degree less than 4 (four coefficients) with coefficients in GF(2^8). Addition of such polynomials is done using component-wise (byte-wise) and bit-wise XOR. Multiplication is done modulo M(x) = x^4 + 1 (it holds that x^j mod (x^4 + 1) = x^(j mod 4)).

Multiplication of vectors (a3 x^3 + a2 x^2 + a1 x + a0) ⊗ (b3 x^3 + b2 x^2 + b1 x + b0) = d3 x^3 + d2 x^2 + d1 x + d0 can be done using the matrix multiplication

    (d0)   (a0 a3 a2 a1) (b0)
    (d1) = (a1 a0 a3 a2) (b1)
    (d2)   (a2 a1 a0 a3) (b2)
    (d3)   (a3 a2 a1 a0) (b3)

where additions and multiplications (•) are done in GF(2^8) as described before. Multiplication of a polynomial a(x) by x results in a cyclic shift of the coefficients.
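The GF(2^8) arithmetic of the preceding slides, as an added example (not code from the lecture notes): xtime, the bit-serial multiplication loop, inversion by exponentiation, and multiplication of 4-byte polynomials modulo x^4 + 1 written as the circulant-matrix sum d_i = ⊕_j a_{(i-j) mod 4} • b_j. The worked numbers of the slides are the test cases. The vectors (02, 01, 01, 03) and (0E, 09, 0D, 0B) used by the last two functions are the standard AES MixColumn polynomial c(x) and its inverse, which the slides do not list; they exercise the general routine on the operation AES actually performs.

```python
# Added example (not from the lecture notes): GF(2^8) arithmetic as defined on
# the slides, plus multiplication of 4-byte polynomials modulo x^4 + 1.
M = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1 as a bit pattern

def xtime(a: int) -> int:
    """b(x) = a(x) * x mod m(x): shift left; if bit 7 was set, subtract (xor) m(x)."""
    a <<= 1
    return (a ^ M) & 0xFF if a & 0x100 else a

def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^8) is bit-wise XOR."""
    return a ^ b

def gf_mul(a: int, b: int) -> int:
    """The slide's loop: c = 0, p = a; for each bit b_i of b: c ^= b_i * p; p = xtime(p)."""
    c, p = 0, a
    for i in range(8):
        if (b >> i) & 1:
            c ^= p
        p = xtime(p)
    return c

def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 = a^(-1) in GF(2^8) (0 is mapped to 0)."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def poly4_mul(a: list, b: list) -> list:
    """(a3 x^3 + ... + a0) (x) (b3 x^3 + ... + b0) mod (x^4 + 1), coefficients in GF(2^8).
    d_i = XOR over j of a_{(i - j) mod 4} * b_j, which is exactly the circulant matrix
    of the slide: row i of the matrix is (a_i, a_{i-1}, a_{i-2}, a_{i-3}) mod 4."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[i] ^= gf_mul(a[(i - j) % 4], b[j])
    return d

def mix_column(col: list) -> list:
    """AES MixColumn on one column = multiplication by c(x) = 03 x^3 + 01 x^2 + 01 x + 02."""
    return poly4_mul(col, [0x02, 0x01, 0x01, 0x03])

def mix_column_inverse(col: list) -> list:
    """Inverse MixColumn = multiplication by d(x) = 0B x^3 + 0D x^2 + 09 x + 0E."""
    return poly4_mul(col, [0x0E, 0x09, 0x0D, 0x0B])
```

Since x^4 + 1 is not irreducible over GF(2^8), not every 4-byte polynomial has an inverse; c(x) was chosen so that it does, which is what makes MixColumn invertible and decryption possible.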
BYTE SUBSTITUTION

Byte substitution b = SubByte(a) is defined by the following matrix operation over GF(2), where a^(-1) is the multiplicative inverse of a in GF(2^8) (with the inverse of 0 taken to be 0):

    (b7)   (1 1 1 1 1 0 0 0) ((a^-1)7)   (0)
    (b6)   (0 1 1 1 1 1 0 0) ((a^-1)6)   (1)
    (b5)   (0 0 1 1 1 1 1 0) ((a^-1)5)   (1)
    (b4) = (0 0 0 1 1 1 1 1) ((a^-1)4) + (0)
    (b3)   (1 0 0 0 1 1 1 1) ((a^-1)3)   (0)
    (b2)   (1 1 0 0 0 1 1 1) ((a^-1)2)   (0)
    (b1)   (1 1 1 0 0 0 1 1) ((a^-1)1)   (1)
    (b0)   (1 1 1 1 0 0 0 1) ((a^-1)0)   (1)

This operation is computationally heavy and it is assumed that it will be implemented by a pre-computed substitution table.

ENCRYPTION in AES

Encryption and decryption are done using state matrices

    A E I M
    B F J N
    C G K O
    D H L P

the elements of which are bytes (the 16 bytes of a block fill the matrix column by column). A byte-matrix with 4 rows and k = 4, 6 or 8 columns is also used to write down a key with Dk = 128, 192 or 256 bits.
ENCRYPTION ALGORITHM

1. KeyExpansion
2. AddRoundKey
3. do (k + 5)-times:
   a) SubByte
   b) ShiftRow
   c) MixColumn
   d) AddRoundKey
4. Final round
   a) SubByte
   b) ShiftRow
   c) AddRoundKey

The final round does not contain the MixColumn procedure. The reason is to be able to use the same hardware for encryption and decryption.

KEY EXPANSION

The basic key is written into a state matrix with 4, 6 or 8 columns. The goal of the key expansion procedure is to extend the number of keys in such a way that each time a round key is used, actually a new key is used. The key extension algorithm generates new columns W_i of the expanded key from the columns W_{i-1} and W_{i-k} using the following rule:

W_i = W_{i-k} ⊕ V, where
    V = F(W_{i-1})   if i mod k = 0,
    V = G(W_{i-1})   if i mod k = 4 and Dk = 256 bits,
    V = W_{i-1}      otherwise,

where the function G performs only the byte substitution of the corresponding bytes. The function F is defined in a quite complicated way.
STEPS of ENCRYPTION

The AddRoundKey procedure adds, byte-wise and bit-wise (XOR), the current round key to the current contents of the state matrix.

The ShiftRow procedure cyclically shifts the i-th row of the state matrix by i positions (rows numbered 0 to 3).

The MixColumns procedure multiplies each column of the state matrix by the matrix

    (2 3 1 1)
    (1 2 3 1)
    (1 1 2 3)
    (3 1 1 2)

with arithmetic in GF(2^8).

DECRYPTION in AES

The steps of the encryption algorithm map an input state matrix into an output matrix. All encryption operations have inverse operations. The decryption algorithm applies, in the opposite order to the encryption, the inverse versions of the encryption operations.
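The encryption steps above assembled into a complete AES-128 block encryption, as an added example (not from the lecture notes and not the Rijndael reference code). The S-box is computed from the SubByte definition (inverse in GF(2^8) followed by the affine map) instead of being typed in as a table, key expansion follows the rule W_i = W_{i-k} ⊕ V for k = 4 with F being rotate, substitute and add a round constant, and the output is checked against the FIPS-197 known-answer vectors. It is plain Python with table lookups indexed by secret data, so it is for study only, not for use where timing side channels matter.

```python
# Added example (not from the lecture notes or the Rijndael reference code):
# AES-128 encryption written directly from the lecture's steps. Study code only.
M = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1

def xtime(a):
    a <<= 1
    return (a ^ M) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    c = 0
    while b:
        if b & 1:
            c ^= a
        a, b = xtime(a), b >> 1
    return c

def sub_byte(a):
    """SubByte: b = A * a^(-1) + 0x63 over GF(2); a^(-1) computed as a^254 (0 -> 0)."""
    inv, base, e = 1, a, 254
    while e:
        if e & 1:
            inv = gf_mul(inv, base)
        base, e = gf_mul(base, base), e >> 1
    b, x = 0x63, inv
    for _ in range(5):                      # b_i = inv_i ^ inv_{i+4} ^ ... ^ inv_{i+7} ^ c_i
        b ^= x
        x = ((x << 1) | (x >> 7)) & 0xFF    # rotate left by one bit
    return b

SBOX = [sub_byte(a) for a in range(256)]    # the pre-computed substitution table
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def key_expansion(key: bytes) -> list:
    """AES-128 (k = 4 columns): W_i = W_{i-4} xor V, with V = F(W_{i-1}) if i mod 4 == 0
    and V = W_{i-1} otherwise; F rotates the word, applies SubByte to each byte and
    xors a round constant into the first byte. Returns 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        v = list(w[i - 1])
        if i % 4 == 0:
            v = [SBOX[v[1]] ^ RCON[i // 4 - 1], SBOX[v[2]], SBOX[v[3]], SBOX[v[0]]]
        w.append([w[i - 4][j] ^ v[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def shift_rows(s):
    """State is column-major: byte r + 4c is row r, column c. Row r rotates left by r."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Multiply every column by the (2 3 1 1 / 1 2 3 1 / 1 1 2 3 / 3 1 1 2) matrix."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
                gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)]
    return out

def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """KeyExpansion, AddRoundKey, k + 5 = 9 full rounds, final round without MixColumn."""
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[0])
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows([SBOX[b] for b in s])), rk[r])
    s = add_round_key(shift_rows([SBOX[b] for b in s]), rk[10])
    return bytes(s)
```

The two known-answer vectors in the test come from FIPS-197 (Appendix B and Appendix C.1); any implementation that reproduces both has its S-box, key schedule, row shift and column mixing in the right orientation, which is where hand-written AES code most often goes wrong.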
DECRYPTION

1. Key Expansion
2. AddRoundKey
3. do (k + 5)-times:
   a) InvSubByte
   b) InvShiftRow
   c) InvMixColumn
   d) AddInvRoundKey
4. Final round
   a) InvSubByte
   b) InvShiftRow
   c) AddInvRoundKey

SECURITY GOALS

The goal of the authors was that Rijndael (AES) is K-secure and hermetic in the following sense:

Definition: A cryptosystem is K-secure if all possible attack strategies for it have the same expected work factor and storage requirements as for the majority of possible cryptosystems with the same security.

Definition: A block cryptosystem is hermetic if it does not have weaknesses that are not present for the majority of cryptosystems with the same block and key length.

MISCELLANEOUS

The name Rijndael is pronounced as "Reign Dahl", "Rain Doll" or "Rhine Dahl".

PKC versus SKC - comparisons

Security: If PKC is used, only one party needs to keep a (single) key secret; if SKC is used, both parties need to keep one key secret. No PKC has been shown perfectly secure. Perfect secrecy has been shown for the One-time Pad and for quantum generation of classical keys.

Longevity: With PKC, keys may need to be kept secure for a (very) long time; with SKC a change of keys for each session is recommended.

Key management: If a multiuser network is used, then fewer private keys are required with PKC than with SKC.

Key exchange: With PKC no key exchange between the communicating parties is needed; with SKC a hard-to-implement secret key exchange is needed.

Digital signatures: Only PKC are usable for digital signatures.

Efficiency: PKC is much slower than SKC (10 times when software implementations of RSA and DES are compared).

Key sizes: Keys for PKC (2048 bits for RSA) are significantly larger than for SKC (128 bits for AES).
Non-repudiation: With PKC we can ensure, using digital signatures, non-repudiation, but not with SKC.

Digital envelopes

Modern cryptography uses both SKC and PKC, in so-called hybrid cryptosystems or digital envelopes, to send a message m using a secret key k, a public encryption exponent e and a secret decryption exponent d, as follows:

1. The key k is encrypted using e and sent as e(k).
2. The secret decryption exponent d is used to get k = d(e(k)).
3. SKC with k is then used to encrypt the message.

KEY MANAGEMENT

Secure methods of key management are extremely important. In practice, most of the attacks on public-key cryptosystems are likely to be at the key management level.

Problems:
■ How to obtain securely an appropriate key pair?
■ How to get other people's public keys?
■ How to get confidence in the legitimacy of others' public keys?
■ How to store keys?
■ How to set, extend, ... expiration dates of the keys?

Who needs a key? Anyone wishing to sign a message, to verify signatures, to encrypt messages or to decrypt messages.

How does one get a key pair? Each user should generate his/her own key pair. Once generated, a user must register his/her public key with some central administration, called a certifying authority. This authority returns a certificate.
Certificates are digital documents attesting to the binding of a public key to an individual or institution. They allow verification of the claim that a given public key does belong to a given individual. Certificates help to prevent someone from using a phony key to impersonate someone else.

In their simplest form, certificates contain a public key and a name. In addition they contain: an expiration date, the name of the certificate-issuing authority, the serial number of the certificate and the digital signature of the certificate issuer.

How are certificates used - certification authorities

The most secure use of authentication involves enclosing one or more certificates with every signed message. The receiver of the message verifies the certificate using the certifying authority's public key and, being confident of the public key of the sender, verifies the message's signature.
There may be more certificates enclosed with a message, forming a hierarchical chain, wherein one certificate testifies to the authenticity of the previous certificate. At the top end of a certificate hierarchy is a top-level certifying authority that is to be trusted without a certificate.

Example: According to the standards, every signature points to a certificate that validates the public key of the signer. Specifically, each signature contains the name of the issuer of the certificate and the serial number of the certificate.

How do certifying authorities store their private keys?

It is extremely important that the private keys of certifying authorities are stored securely. One method is to store the key in a tamper-proof box called a Certificate Signing Unit (CSU). The CSU should, preferably, destroy its contents if ever opened. Not even employees of the certifying authority should have access to the private key itself, but only the ability to use the private key in the certificate-issuing process. CSUs are for sale.

Note: PKCS - Public Key Certification Standards.

What is PKI?

■ PKI (Public Key Infrastructure) is an infrastructure that allows the handling of public-key problems for the community that uses public-key cryptography.
■ Structure of PKI:
  Security policy that specifies the rules under which the PKI is to be handled.
  Products that generate, store, distribute and manipulate keys.
  Procedures that define methods
    ■ to generate and manipulate keys
    ■ to generate and manipulate certificates
    ■ to distribute keys and certificates
    ■ to use certificates.
  Authorities that take care that the general security policy is fully carried out.
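Certificate chains as described above, as an added example that is not part of the lecture notes: a root CA trusted without a certificate, an intermediate CA, an end-entity certificate, the receiver's chain walk (issuer name match, expiry, a revocation list keyed by issuer name and serial number, signature under the issuer's public key), and finally verification of a message signature with the public key the chain vouched for. Signatures are textbook RSA over SHA-256 with 512-bit toy moduli generated at run time, and the certificate is a small dataclass; these are assumptions so the code needs only the standard library. Real deployments use X.509 certificates, padded RSA or ECDSA and much larger keys.

```python
# Added example (not from the lecture notes): a miniature certificate hierarchy
# and the checks a receiver performs on an enclosed chain. Textbook RSA over
# SHA-256 with 512-bit toy moduli is an assumption made for a self-contained
# demo; it is not a production signature scheme.
import hashlib
import secrets
from dataclasses import dataclass

def _probable_prime(bits: int) -> int:
    """Random prime of the given size via Miller-Rabin (demo quality only)."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        d, s = n - 1, 0
        while d % 2 == 0:
            d, s = d // 2, s + 1
        for _ in range(32):
            a = 2 + secrets.randbelow(n - 3)
            x = pow(a, d, n)
            if x in (1, n - 1):
                continue
            for _ in range(s - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break          # composite: try the next candidate
        else:
            return n

def rsa_keypair(bits: int = 512):
    """Returns ((n, e), (n, d)); e = 65537 as in common practice."""
    e = 65537
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data)

@dataclass
class Certificate:
    subject: str
    public_key: tuple
    issuer: str
    serial: int
    not_after: int          # expiry as a day number (constructed units for the demo)
    signature: int = 0

    def tbs(self) -> bytes:
        """The 'to be signed' part: every field except the signature itself."""
        return f"{self.subject}|{self.public_key}|{self.issuer}|{self.serial}|{self.not_after}".encode()

def issue(issuer_cert, issuer_priv, subject, subject_pub, serial, not_after):
    cert = Certificate(subject, subject_pub, issuer_cert.subject, serial, not_after)
    cert.signature = sign(issuer_priv, cert.tbs())
    return cert

def verify_chain(chain, trusted_roots, crl, today) -> bool:
    """chain = [end entity, ..., last intermediate]. Each certificate must name the next
    one as issuer (the last one a root trusted without a certificate), be unexpired,
    not appear in the CRL as (issuer, serial), and carry a valid issuer signature."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else trusted_roots.get(cert.issuer)
        if issuer is None or issuer.subject != cert.issuer:
            return False
        if cert.not_after < today or (cert.issuer, cert.serial) in crl:
            return False
        if not verify(issuer.public_key, cert.tbs(), cert.signature):
            return False
    return True

def build_demo():
    """Root CA -> intermediate CA -> user certificate, constructed for this example."""
    root_pub, root_priv = rsa_keypair()
    root = Certificate("Root CA", root_pub, "Root CA", 1, not_after=99999)
    root.signature = sign(root_priv, root.tbs())
    ca_pub, ca_priv = rsa_keypair()
    ca = issue(root, root_priv, "Intermediate CA", ca_pub, serial=2, not_after=5000)
    user_pub, user_priv = rsa_keypair()
    user = issue(ca, ca_priv, "alice@example.org", user_pub, serial=17, not_after=400)
    return {"Root CA": root}, [user, ca], user_priv
```

The receiver never needs the private key of any CA, only the root's public key obtained out of band, which is the one trust decision the chain cannot make for it. Note that the revocation check is keyed by (issuer, serial) exactly as the slide describes a signature pointing at its certificate.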
PKI users and systems

■ Certificate holder
■ Certificate user
■ Certification authority (CA)
■ Registration authority (RA)
■ Revocation authority
■ Repository (to publish the list of certificates, of revoked certificates, ...)
■ Policy management authority (to create the certification policy)
■ Policy approving authority

SECURITY of Certification and Registration authorities

A PKI system is only as secure as the systems of its certification authorities (CA) and registration authorities (RA). Basic principles to follow to ensure the necessary security of a CA and RA:

■ The private key of the CA has to be stored in a way that is secure against intentional professional attacks.
■ Steps have to be taken for the renewal of the private key in the case of a collapse of the system.
■ Access to CA/RA tools has to be maximally controlled.
■ Each request for certification has to be authorized by several independent operators.
■ All key transactions of the CA/RA have to be logged so as to be available for a possible audit.
■ All CA/RA systems and their documentation have to satisfy maximal requirements for their reliability.

PUBLIC-KEY INFRASTRUCTURE PROBLEMS

Public-key cryptography has low infrastructure overhead; it is more secure, more trustworthy and has better geographical reach. However, this is due to the fact that public-key users bear a substantial administrative burden, and the security advantages of public-key cryptography rely excessively on the end-users' security discipline.

Problem 1: With public-key cryptography, users must constantly be careful to validate rigorously every public key they use and must take care of the secrecy of their private keys.
Problem 2: End-users are rarely willing or able to manage keys sufficiently carefully. User behavior is the weak link in any security system, and public-key security is unable to reinforce this weakness.

Problem 3: Only sophisticated users, like system administrators, can realistically be expected to meet fully the demands of public-key cryptography.

Main components of public-key infrastructure

■ The Certification Authority (CA) signs users' public keys.
(There has to be a hierarchy of CAs, with a root CA at the top.)
■ The Directory is a public-access database of valid certificates.
■ The Certificate Revocation List (CRL) is a public-access database of invalid certificates. (There has to be a hierarchy of CRLs.)

Stages at which key management issues arise

■ Key creation: the user creates a new key pair and proves his identity to the CA. The CA signs a certificate. The user encrypts his private key.
■ Single sign-on: decryption of the private key, participation in public-key protocols.
■ Key revocation: the CRL should be checked every time a certificate is used. If a user's secret key is compromised, the CRL administration has to be notified.

MAIN PROBLEMS

■ Authenticating the users: How does a CA authenticate a distant user when issuing the initial certificate? (Ideally the CA and the user should meet. Consequently, properly authenticated certificates will have to be expensive, due to the labor cost of a face-to-face identity check.)
■ Authenticating the CA: Public-key cryptography cannot secure the distribution and the validation of the root CA's public key.
■ Certificate revocation lists: Timely and secure revocation presents big scaling and performance problems. As a result, public-key deployment is usually proceeding without a revocation infrastructure. (Revocation is the classical Achilles' heel of public-key cryptography.)
■ Private key management: The user must keep his long-lived secret key in memory during his login session. There is no way to force a public-key user to choose a good password. (Lacking effective password-quality controls, most public-key systems are vulnerable to off-line guessing attacks.)

LIFE CYCLE of CERTIFICATES

Issuing of certificates
■ registration of applicants for certificates;
■ generation of pairs of keys;
■ creation of certificates;
■ delivery of certificates;
■ dissemination of certificates;
■ backing up of keys.

Using of certificates
■ receiving a certificate;
■ validation of the certificate;
■ key backup and recovery;
■ automatic key/certificate updating.

Revocation of certificates
■ expiration of the certificate's validity period;
■ revocation of certificates;
■ archiving of keys and certificates.

Pretty Good Privacy

In June 1991 Phil Zimmermann made publicly available software that made the use of the RSA cryptosystem very friendly and easy, and by that he made strong cryptography widely available.
Starting in February 1993, Zimmermann was for three years the subject of FBI and Grand Jury investigations, being accused of illegally exporting arms (strong cryptography tools).

William Crowell, Deputy Director of NSA, said: "If all personal computers in the world - approximately 200 millions - were to be put to work on a single PGP encrypted message, it would take on average an estimated 12 million times the age of the universe to break a single message".

The heated discussion whether strong cryptography should be allowed keeps going on. The September 11 attack brought another dimension into the problem.

SECURITY / PRIVACY REALITY and TOOLS

Concerning security we are winning battles, but we are losing wars concerning privacy.

Four areas concerning security and privacy:
■ Security of communications - cryptography
■ Computer security (operating systems, viruses, ...)
■ Physical security
■ Identification and biometrics

With Google we lost privacy.

How cryptographic systems get broken

Techniques that are indeed used to break cryptosystems:

By NSA:
■ By exhaustive search (up to $2^{80}$ options).
■ By exploiting specific mathematical and statistical weaknesses to speed up the exhaustive search.
■ By selling compromised crypto-devices.
■ By analysing crypto-operators' methods and customs.

By FBI:
■ Using keystroke analysis.
■ Using the fact that in practice long keys are almost always derived from short guessable passwords.

APPENDIX

RSA in practice

■ 660-bit integers were already factorized (broken) in practice.
■ 1024-bit integers are currently used as moduli.
■ 512-bit integers can be factorized with a device costing 5 K $ in about 10 minutes.
■ 1024-bit integers could be factorized in 6 weeks by a device costing 10 million dollars.

Patentability of cryptography

■ Cryptographic systems are patentable.
■ Many secret-key cryptosystems have been patented.
■ The basic ideas of public-key cryptography are contained in
  U.S. Patent 4 200 770 (M. Hellman, W. Diffie, R. Merkle) - 29. 4. 1980
  U.S. Patent 4 218 582 (M. Hellman, R. Merkle)

The exclusive licensing rights to both patents are held by "Public Key Partners" (PKP), which also holds rights to the RSA patent.

All legal challenges to public-key patents have so far been settled before judgment.

Some patent applications for cryptosystems have been blocked by the intervention of US intelligence or defense agencies.

All cryptographic products in the USA needed export licences from the State Department, acting under the authority of the International Traffic in Arms Regulation, which defines cryptographic devices, including software, as munitions.

Export of cryptography for authentication has not been restricted; problems were only with cryptography for privacy.

Quantum cryptography

Quantum cryptography has the potential to be the cryptography of the 21st century.

An important new feature of quantum cryptography is that the security of quantum cryptographic protocols is based on the laws of nature - of quantum physics - and not on unproven assumptions of computational complexity.

Quantum cryptography is the first area of information processing and communication in which quantum particle physics laws are directly exploited to bring an essential advantage in information processing.

prof. Jozef Gruska IV054 13. Quantum cryptography 556/616

MAIN OUTCOMES - so far

■ It has been shown that, were we to have a quantum computer, we could design absolutely secure quantum generation of shared and secret random classical keys.
■ It has been proven that even without quantum computers unconditionally secure quantum generation of classical secret and shared keys is possible (in the sense that any eavesdropping is detectable).
■ Unconditionally secure basic quantum cryptographic primitives, such as bit commitment and oblivious transfer, are impossible.
■ Quantum zero-knowledge proofs exist for all NP-complete languages.
■ Quantum teleportation and pseudo-telepathy are possible.
■ Quantum cryptography and quantum networks are already in an advanced experimental stage.

BASICS of QUANTUM INFORMATION PROCESSING

As an introduction to quantum cryptography, the very basic motivations, experiments, principles, concepts and results of quantum information processing and communication will be presented in the next few slides.

BASIC MOTIVATION

In quantum information processing we witness an interaction between the two most important areas of science and technology of the 20th century, quantum physics and informatics.

This is very likely to have important consequences for the 21st century.

QUANTUM PHYSICS

Quantum physics deals with fundamental entities of physics - particles (waves?) like
■ protons, electrons and neutrons (from which matter is built);
■ photons (which carry electromagnetic radiation);
■ various "elementary particles" which mediate other interactions in physics.

We call them particles in spite of the fact that some of their properties are totally unlike the properties of what we call particles in our ordinary classical world.

For example, a quantum particle can go through two places at the same time and can interact with itself.

Because of that, quantum physics is full of counter-intuitive, weird, mysterious and even paradoxical events.
FEYNMAN's VIEW

I am going to tell you what Nature behaves like ...

However, do not keep saying to yourself, if you can possibly avoid it,

BUT HOW CAN IT BE LIKE THAT?

Because you will get "down the drain" into a blind alley from which nobody has yet escaped.

NOBODY KNOWS HOW IT CAN BE LIKE THAT

Richard Feynman (1965): The character of physical law.

CLASSICAL versus QUANTUM INFORMATION

Main properties of classical information:
1. It is easy to store, transmit and process classical information in time and space.
2. It is easy to make (an unlimited number of) copies of classical information.
3. One can measure classical information without disturbing it.

Main properties of quantum information:
1. It is difficult to store, transmit and process quantum information.
2. There is no way to copy unknown quantum information.
3. Measurement of quantum information destroys it, in general.

Classical versus quantum computing

The essence of the difference between classical computers and quantum computers is in the way information is stored and processed.

In classical computers, information is represented on the macroscopic level by bits, which can take one of the two values 0 or 1.

In quantum computers, information is represented on the microscopic level using qubits (quantum bits), which can take on any of the following uncountably many values
$\alpha|0\rangle + \beta|1\rangle$
where $\alpha, \beta$ are arbitrary complex numbers such that $|\alpha|^2 + |\beta|^2 = 1$.

CLASSICAL versus QUANTUM REGISTERS

An n-bit classical register can store at any moment exactly one n-bit string.

An n-qubit quantum register can store at any moment a superposition of all $2^n$ n-bit strings.

Consequently, on a quantum computer one can compute in a single step with $2^n$ values.

This enormous massive parallelism is one reason why quantum computing can be so powerful.
CLASSICAL EXPERIMENTS

[Figures only.]

QUANTUM EXPERIMENTS

Figure 3: Two-slit experiment
Figure 4: Two-slit experiment with an observation

THREE BASIC PRINCIPLES

P1 To each transfer from a quantum state $\phi$ to a state $\psi$ a complex number $\langle\psi|\phi\rangle$ is associated. This number is called the probability amplitude of the transfer, and $|\langle\psi|\phi\rangle|^2$ is then the probability of the transfer.

P2 If a transfer from a quantum state $\phi$ to a quantum state $\psi$ can be decomposed into two subsequent transfers $\psi \leftarrow \phi' \leftarrow \phi$, then the resulting amplitude of the transfer is the product of the amplitudes of the subtransfers:
$\langle\psi|\phi\rangle = \langle\psi|\phi'\rangle\langle\phi'|\phi\rangle$

P3 If a transfer from a state $\phi$ to a state $\psi$ has two independent alternatives, then the resulting amplitude is the sum of the amplitudes of the two subtransfers.
QUANTUM SYSTEMS = HILBERT SPACE

Hilbert space $H_n$ is an n-dimensional complex vector space with the scalar product
$\langle\psi|\phi\rangle = \sum_{i=1}^{n} \phi_i \psi_i^*$
of vectors $|\phi\rangle = (\phi_1, \ldots, \phi_n)$ and $|\psi\rangle = (\psi_1, \ldots, \psi_n)$.

This allows to define the norm of vectors as $\|\phi\| = \sqrt{|\langle\phi|\phi\rangle|}$.

Two vectors $|\phi\rangle$ and $|\psi\rangle$ are called orthogonal if $\langle\phi|\psi\rangle = 0$.

A basis B of $H_n$ is any set of n vectors $|b_1\rangle, |b_2\rangle, \ldots, |b_n\rangle$ of norm 1 which are mutually orthogonal.

Given a basis B, any vector $|\psi\rangle$ from $H_n$ can be uniquely expressed as a linear combination of the vectors of B.

BRA-KET NOTATION

Dirac introduced a very handy notation, the so-called bra-ket notation, to deal with amplitudes, quantum states and linear functionals $f: H \to \mathbb{C}$.

If $\psi, \phi \in H$, then
$\langle\psi|\phi\rangle$ - the scalar product of $\psi$ and $\phi$ (an amplitude of going from $\phi$ to $\psi$);
$|\phi\rangle$ - ket-vector (a column vector) - an equivalent to $\phi$.

$|\psi(t)\rangle$ is the state of the system at time t. If the Hamiltonian is time independent, then the above Schrödinger equation has the solution
$|\psi(t)\rangle = U(t)|\psi(0)\rangle$
where
$U(t) = e^{-iHt/\hbar}$
is the evolution operator, which can be represented by a unitary matrix.

A step of such an evolution is therefore a multiplication of a unitary matrix A with a vector $|\psi\rangle$, i.e. $A|\psi\rangle$.

A matrix A is unitary if $A \cdot A^* = A^* \cdot A = I$.

PAULI MATRICES

Very important one-qubit unary operators are the following Pauli operators, expressed in the standard basis as follows:
$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$

Observe that the Pauli matrices transform a qubit state $|\phi\rangle = \alpha|0\rangle + \beta|1\rangle$ as follows (in the case of $\sigma_y$ up to a global phase factor):
$\sigma_x(\alpha|0\rangle + \beta|1\rangle) = \beta|0\rangle + \alpha|1\rangle$
$\sigma_z(\alpha|0\rangle + \beta|1\rangle) = \alpha|0\rangle - \beta|1\rangle$
$\sigma_y(\alpha|0\rangle + \beta|1\rangle) = \beta|0\rangle - \alpha|1\rangle$

Operators $\sigma_x$, $\sigma_z$ and $\sigma_y$ therefore represent a bit error, a sign error and a bit-sign error, respectively.
QUANTUM (PROJECTION) MEASUREMENTS

A quantum state is always observed (measured) with respect to an observable O - a decomposition of the given Hilbert space into orthogonal subspaces (where each vector can be uniquely represented as a sum of vectors of these subspaces).

There are two outcomes of a projection measurement of a state $|\phi\rangle$ with respect to O:
1. Classical information: into which subspace the projection of $|\phi\rangle$ was made.
2. The resulting quantum projection (as a new state) in one of the above subspaces.

The subspace into which the projection is made is chosen randomly, and the corresponding probability is uniquely determined by the amplitudes in the representation of $|\phi\rangle$ as a sum of states of the subspaces.

QUANTUM STATES and PROJECTION MEASUREMENT

In case an orthonormal basis $\{\beta_i\}_{i=1}^n$ is chosen in $H_n$, any state $|\phi\rangle \in H_n$ can be expressed in the form
$|\phi\rangle = \sum_{i=1}^{n} a_i|\beta_i\rangle, \qquad \sum_{i=1}^{n} |a_i|^2 = 1,$
where $a_i = \langle\beta_i|\phi\rangle$ are called probability amplitudes, and their squares provide the probabilities that, if the state $|\phi\rangle$ is measured with respect to the basis $\{\beta_i\}_{i=1}^n$, the state $|\phi\rangle$ collapses into the state $|\beta_i\rangle$ with probability $|a_i|^2$.

The classical "outcome" of a measurement of the state $|\phi\rangle$ with respect to the basis $\{\beta_i\}_{i=1}^n$ is the index i of that state $|\beta_i\rangle$ into which the state collapses.

QUBITS

A qubit is a quantum state in $H_2$
$|\phi\rangle = \alpha|0\rangle + \beta|1\rangle$
where $\alpha, \beta \in \mathbb{C}$ are such that $|\alpha|^2 + |\beta|^2 = 1$ and $\{|0\rangle, |1\rangle\}$ is the (standard) basis of $H_2$.

EXAMPLE: Representation of qubits by (a) an electron in a hydrogen atom, (b) a spin-1/2 particle.

Figure 5: Qubit representations by energy levels of an electron in a hydrogen atom and by a spin-1/2 particle.
The condition $|\alpha|^2 + |\beta|^2 = 1$ is a legal one if $|\alpha|^2$ and $|\beta|^2$ are to be the probabilities of being in one of the two basis states (of electrons or photons).

HILBERT SPACE $H_2$

STANDARD BASIS: $|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}$, $|1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}$

DUAL BASIS: $|0'\rangle = \frac{1}{\sqrt2}\begin{pmatrix} 1 \\ 1 \end{pmatrix}$, $|1'\rangle = \frac{1}{\sqrt2}\begin{pmatrix} 1 \\ -1 \end{pmatrix}$

Hadamard matrix
$H = \frac{1}{\sqrt2}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$
$H|0\rangle = |0'\rangle, \quad H|1\rangle = |1'\rangle, \quad H|0'\rangle = |0\rangle, \quad H|1'\rangle = |1\rangle$
transforms one of the bases into the other one.

General form of a unitary matrix of degree 2
$U = e^{i\gamma}\begin{pmatrix} e^{i\alpha} & 0 \\ 0 & e^{-i\alpha} \end{pmatrix}\begin{pmatrix} \cos\delta & i\sin\delta \\ i\sin\delta & \cos\delta \end{pmatrix}\begin{pmatrix} e^{i\beta} & 0 \\ 0 & e^{-i\beta} \end{pmatrix}$

QUANTUM MEASUREMENT of a qubit state

A qubit state can "contain" an unboundedly large amount of classical information. However, an unknown quantum state cannot be identified.

By a measurement of the qubit state $\alpha|0\rangle + \beta|1\rangle$ with respect to the basis $\{|0\rangle, |1\rangle\}$ we can obtain only classical information, and only in the following random way:
0 with probability $|\alpha|^2$,
1 with probability $|\beta|^2$.

[Figure: one and the same qubit state $|\phi\rangle = \alpha|0\rangle + \beta|1\rangle = \alpha'|0'\rangle + \beta'|1'\rangle = \alpha''|0''\rangle + \beta''|1''\rangle$ of the quantum world, measured with respect to the bases $\{|0\rangle, |1\rangle\}$, $\{|0'\rangle, |1'\rangle\}$ or $\{|0''\rangle, |1''\rangle\}$, yields classical-world outcomes with the corresponding probabilities.]

MIXED STATES - DENSITY MATRICES

A probability distribution $\{(p_i, |\phi_i\rangle)\}_i$ on pure states is called a mixed state, to which a density operator is assigned.

One interpretation of a mixed state $\{(p_i, |\phi_i\rangle)\}_i$

MAXIMALLY MIXED STATES

To the maximally mixed state $\{(\tfrac12, |0\rangle), (\tfrac12, |1\rangle)\}$, which represents a random bit, corresponds the density matrix
$\frac12\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$

QUANTUM ONE-TIME PAD CRYPTOSYSTEM

plaintext: an n-qubit string $|p\rangle = |p_1\rangle \ldots |p_n\rangle$
shared key: two n-bit strings k, k'
cryptotext: an n-qubit string $|c\rangle = |c_1\rangle \ldots |c_n\rangle$
encoding: $|c_i\rangle = \sigma_x^{k_i}\sigma_z^{k'_i}|p_i\rangle$
decoding: $|p_i\rangle = \sigma_x^{k_i}\sigma_z^{k'_i}|c_i\rangle$
where $|p_i\rangle$ and $|c_i\rangle$ are qubits and $\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$, $\sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$ are Pauli matrices.

UNCONDITIONAL SECURITY of QUANTUM ONE-TIME PAD

In the case of encryption of a qubit $|\phi\rangle = \alpha|0\rangle + \beta|1\rangle$ by the QUANTUM ONE-TIME PAD cryptosystem, what is being transmitted is the mixed state
$\{(\tfrac14, |\phi\rangle), (\tfrac14, \sigma_x|\phi\rangle), (\tfrac14, \sigma_z|\phi\rangle), (\tfrac14, \sigma_x\sigma_z|\phi\rangle)\}$
whose density matrix is
$\frac12\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$

This density matrix is identical to the density matrix corresponding to that of a random bit, that is to the mixed state $\{(\tfrac12, |0\rangle), (\tfrac12, |1\rangle)\}$.

SHANNON's THEOREMS

Shannon's classical encryption theorem says that n bits are necessary and sufficient to encrypt securely n bits.

The quantum version of Shannon's encryption theorem says that 2n classical bits are necessary and sufficient to encrypt securely n qubits.
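The Pauli operators, the measurement rule and the quantum one-time pad above can be checked numerically. The following is an added example (not code from the lecture notes) in pure Python: it applies $\sigma_x$ and $\sigma_z$ to a sample qubit, computes measurement probabilities in the standard and dual bases, encrypts the qubit with the two key bits, and averages the four equally likely ciphertexts into a density matrix to confirm that an eavesdropper who does not know the key sees $\frac12 I$, the density matrix of a random bit. The sample qubit $(0.6, 0.8i)$ and all function names are the example's own; $\sigma_y$ is taken in its usual form, which matches the lecture's bit-sign error up to a global phase.

```python
# Added example (not from the lecture): one-qubit states, Pauli operators,
# measurement probabilities and the quantum one-time pad, in pure Python
# (complex numbers as amplitudes, 2x2 matrices as nested lists, no numpy).
import math

# Pauli matrices and the Hadamard matrix in the standard basis {|0>, |1>}.
# sigma_y is taken in its usual form; it equals the lecture's "bit-sign error"
# up to a global phase, which no measurement can detect.
SIGMA_X = [[0, 1], [1, 0]]
SIGMA_Y = [[0, -1j], [1j, 0]]
SIGMA_Z = [[1, 0], [0, -1]]
HADAMARD = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]

KET0, KET1 = [1, 0], [0, 1]


def matvec(m, v):
    """Apply a 2x2 matrix to a qubit (a 2-vector of amplitudes)."""
    return [sum(m[i][k] * v[k] for k in range(2)) for i in range(2)]


def outer(v):
    """The projector |v><v| as a 2x2 matrix."""
    return [[v[i] * complex(v[j]).conjugate() for j in range(2)] for i in range(2)]


def close(u, v, tol=1e-12):
    """Componentwise comparison of two vectors of amplitudes."""
    return all(abs(a - b) < tol for a, b in zip(u, v))


# The dual basis {|0'>, |1'>} is the image of the standard basis under H.
DUAL0, DUAL1 = matvec(HADAMARD, KET0), matvec(HADAMARD, KET1)


def measure_probabilities(psi, basis):
    """Probabilities |<b|psi>|^2 of collapsing into each vector b of an orthonormal basis."""
    probs = []
    for b in basis:
        amplitude = sum(complex(b[i]).conjugate() * psi[i] for i in range(2))
        probs.append(abs(amplitude) ** 2)
    return probs


def quantum_otp_encrypt(psi, kx, kz):
    """Encrypt one qubit with two key bits: apply sigma_x^kx, then sigma_z^kz."""
    c = psi
    if kx:
        c = matvec(SIGMA_X, c)
    if kz:
        c = matvec(SIGMA_Z, c)
    return c


def quantum_otp_decrypt(c, kx, kz):
    """Undo the encryption by applying the (self-inverse) Paulis in reverse order,
    which recovers the plaintext vector exactly rather than up to a global phase."""
    p = c
    if kz:
        p = matvec(SIGMA_Z, p)
    if kx:
        p = matvec(SIGMA_X, p)
    return p


def ciphertext_density_matrix(psi):
    """Density matrix of the mixture {(1/4, sigma_z^kz sigma_x^kx |psi>)} over all four
    keys, i.e. what an eavesdropper who does not know the key actually sees."""
    rho = [[0j, 0j], [0j, 0j]]
    for kx in (0, 1):
        for kz in (0, 1):
            proj = outer(quantum_otp_encrypt(psi, kx, kz))
            for i in range(2):
                for j in range(2):
                    rho[i][j] += 0.25 * proj[i][j]
    return rho


def is_maximally_mixed(rho, tol=1e-12):
    """True if rho equals (1/2) I, the density matrix of a random bit."""
    return all(abs(rho[i][j] - (0.5 if i == j else 0)) < tol for i in range(2) for j in range(2))


if __name__ == "__main__":
    psi = [0.6, 0.8j]   # constructed sample qubit: |0.6|^2 + |0.8i|^2 = 1
    print("standard-basis probabilities:", measure_probabilities(psi, [KET0, KET1]))
    print("dual-basis probabilities:    ", measure_probabilities(psi, [DUAL0, DUAL1]))
    c = quantum_otp_encrypt(psi, 1, 1)
    print("ciphertext:", c, "decrypts back:", close(quantum_otp_decrypt(c, 1, 1), psi))
    print("eavesdropper sees (1/2) I:", is_maximally_mixed(ciphertext_density_matrix(psi)))
```

The decryption order differs from the slide only by a global phase: applying $\sigma_x\sigma_z$ twice gives $-I$, which is the same physical state, while the reverse order gives the identity on the vector itself.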
COMPOSED QUANTUM SYSTEMS (1)

Tensor product of vectors
$(x_1, \ldots, x_n) \otimes (y_1, \ldots, y_m) = (x_1 y_1, \ldots, x_1 y_m, x_2 y_1, \ldots, x_2 y_m, \ldots, x_n y_1, \ldots, x_n y_m)$

Tensor product of matrices
$A \otimes B = \begin{pmatrix} a_{11}B & \cdots & a_{1n}B \\ \vdots & & \vdots \\ a_{n1}B & \cdots & a_{nn}B \end{pmatrix}$, where $A = \begin{pmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & & \vdots \\ a_{n1} & \cdots & a_{nn} \end{pmatrix}$

Example
$\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \otimes \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix} = \begin{pmatrix} a_{11} & a_{12} & 0 & 0 \\ a_{21} & a_{22} & 0 & 0 \\ 0 & 0 & a_{11} & a_{12} \\ 0 & 0 & a_{21} & a_{22} \end{pmatrix}$
$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix} \otimes \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} a_{11} & 0 & a_{12} & 0 \\ 0 & a_{11} & 0 & a_{12} \\ a_{21} & 0 & a_{22} & 0 \\ 0 & a_{21} & 0 & a_{22} \end{pmatrix}$

COMPOSED QUANTUM SYSTEMS (2)

The tensor product of Hilbert spaces $H_1 \otimes H_2$ is the complex vector space spanned by the tensor products of vectors from $H_1$ and $H_2$. It corresponds to the quantum system composed of the quantum systems corresponding to the Hilbert spaces $H_1$ and $H_2$.

An important difference between classical and quantum systems

A state of a compound classical (quantum) system can (cannot) always be composed from the states of the subsystems.

QUANTUM REGISTERS

A general state of a 2-qubit register is
$|\phi\rangle = \alpha_{00}|00\rangle + \alpha_{01}|01\rangle + \alpha_{10}|10\rangle + \alpha_{11}|11\rangle$
where $|\alpha_{00}|^2 + |\alpha_{01}|^2 + |\alpha_{10}|^2 + |\alpha_{11}|^2 = 1$ and $|00\rangle, |01\rangle, |10\rangle, |11\rangle$ are the vectors of the "standard" basis of $H_4$, i.e.
$|00\rangle = \begin{pmatrix} 1 \\ 0 \\ 0 \\ 0 \end{pmatrix}, \quad |01\rangle = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix}, \quad |10\rangle = \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix}, \quad |11\rangle = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \end{pmatrix}$

An important unitary matrix of degree 4, to transform states of 2-qubit registers:
$CNOT = XOR = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}$

It holds: $CNOT: |x, y\rangle \Longrightarrow |x, x \oplus y\rangle$
QUANTUM MEASUREMENT of the states of 2-qubit registers

$|\phi\rangle = \alpha_{00}|00\rangle + \alpha_{01}|01\rangle + \alpha_{10}|10\rangle + \alpha_{11}|11\rangle$

1. Measurement with respect to the basis $\{|00\rangle, |01\rangle, |10\rangle, |11\rangle\}$
RESULTS:
$|00\rangle$ and 00 with probability $|\alpha_{00}|^2$
$|01\rangle$ and 01 with probability $|\alpha_{01}|^2$
$|10\rangle$ and 10 with probability $|\alpha_{10}|^2$
$|11\rangle$ and 11 with probability $|\alpha_{11}|^2$

2. Measurement of particular qubits:
By measuring the first qubit we get
0 with probability $|\alpha_{00}|^2 + |\alpha_{01}|^2$, and $|\phi\rangle$ is reduced to the vector $\dfrac{\alpha_{00}|00\rangle + \alpha_{01}|01\rangle}{\sqrt{|\alpha_{00}|^2 + |\alpha_{01}|^2}}$
1 with probability $|\alpha_{10}|^2 + |\alpha_{11}|^2$, and $|\phi\rangle$ is reduced to the vector $\dfrac{\alpha_{10}|10\rangle + \alpha_{11}|11\rangle}{\sqrt{|\alpha_{10}|^2 + |\alpha_{11}|^2}}$

NO-CLONING THEOREM

INFORMAL VERSION: An unknown quantum state cannot be cloned.

FORMAL VERSION: There is no unitary transformation U such that for any qubit state $|\psi\rangle$
$U(|\psi\rangle|0\rangle) = |\psi\rangle|\psi\rangle$

PROOF: Assume U exists and for two different states $|\alpha\rangle$ and $|\beta\rangle$
$U(|\alpha\rangle|0\rangle) = |\alpha\rangle|\alpha\rangle, \qquad U(|\beta\rangle|0\rangle) = |\beta\rangle|\beta\rangle.$
Let $|\gamma\rangle = \frac{1}{\sqrt2}(|\alpha\rangle + |\beta\rangle)$. Then
$U(|\gamma\rangle|0\rangle) = \frac{1}{\sqrt2}(|\alpha\rangle|\alpha\rangle + |\beta\rangle|\beta\rangle) \neq |\gamma\rangle|\gamma\rangle = \frac12(|\alpha\rangle|\alpha\rangle + |\beta\rangle|\beta\rangle + |\alpha\rangle|\beta\rangle + |\beta\rangle|\alpha\rangle).$

However, CNOT can make copies of the basis states $|0\rangle$, $|1\rangle$:
$CNOT(|x\rangle|0\rangle) = |x\rangle|x\rangle$

BELL STATES

States
$|\Phi^+\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle), \quad |\Phi^-\rangle = \frac{1}{\sqrt2}(|00\rangle - |11\rangle),$
$|\Psi^+\rangle = \frac{1}{\sqrt2}(|01\rangle + |10\rangle), \quad |\Psi^-\rangle = \frac{1}{\sqrt2}(|01\rangle - |10\rangle)$
form an orthogonal (Bell) basis in $H_4$ and play an important role in quantum computing.

Theoretically, there is an observable for this basis. However, no one has been able to construct a measuring device for Bell measurement using linear elements only.
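As an added example (not from the lecture), the following pure-Python code builds 2-qubit registers from tensor products and checks the claims of the last few slides: CNOT copies $|0\rangle$ and $|1\rangle$ but turns $|0'\rangle|0\rangle$ into the Bell state $\frac{1}{\sqrt2}(|00\rangle + |11\rangle)$ rather than into $|0'\rangle|0'\rangle$; the Bell state is not a tensor product of two qubit states; and measuring it gives 00 or 11 with probability $\frac12$ each, so the two qubits always agree. All helper names and the product-state test (rank of the 2 x 2 amplitude matrix) are the example's own.

```python
# Added example (not from the lecture): 2-qubit registers in pure Python.
# Tensor products, the CNOT gate, why CNOT copies basis states but not
# superpositions (no-cloning), Bell states, and measurement of a register.
import math


def tensor_vec(x, y):
    """(x1,...,xn) (x) (y1,...,ym) = (x1*y1, ..., x1*ym, x2*y1, ..., xn*ym)."""
    return [xi * yj for xi in x for yj in y]


def tensor_mat(a, b):
    """Kronecker product A (x) B: block (i, j) of the result is a[i][j] * B."""
    m = len(b)
    size = len(a) * m
    return [[a[i // m][j // m] * b[i % m][j % m] for j in range(size)] for i in range(size)]


def matvec(mat, vec):
    """Apply a square matrix to a vector of amplitudes."""
    return [sum(mat[i][k] * vec[k] for k in range(len(vec))) for i in range(len(mat))]


def close(u, v, tol=1e-12):
    """Componentwise comparison of two vectors."""
    return len(u) == len(v) and all(abs(a - b) < tol for a, b in zip(u, v))


KET0, KET1 = [1, 0], [0, 1]
IDENTITY = [[1, 0], [0, 1]]
HADAMARD = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]
# CNOT: |x, y> -> |x, x xor y> in the basis |00>, |01>, |10>, |11>.
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]


def cnot_copies_basis_state(x):
    """CNOT(|x>|0>) == |x>|x> holds for the basis states x = 0, 1."""
    ket = KET0 if x == 0 else KET1
    return close(matvec(CNOT, tensor_vec(ket, KET0)), tensor_vec(ket, ket))


def cnot_copies_plus_state():
    """For |0'> = H|0> the same circuit gives (|00> + |11>)/sqrt2, not |0'>|0'>: returns False."""
    plus = matvec(HADAMARD, KET0)
    return close(matvec(CNOT, tensor_vec(plus, KET0)), tensor_vec(plus, plus))


def bell_phi_plus():
    """|Phi+> = (|00> + |11>)/sqrt2, prepared as CNOT (H (x) I) |00>."""
    return matvec(CNOT, matvec(tensor_mat(HADAMARD, IDENTITY), tensor_vec(KET0, KET0)))


def is_product_state(state, tol=1e-12):
    """a00|00>+a01|01>+a10|10>+a11|11> is a tensor product of two qubits iff a00*a11 == a01*a10
    (the 2x2 matrix of amplitudes has rank 1); otherwise the state is entangled."""
    return abs(state[0] * state[3] - state[1] * state[2]) < tol


def measure_register(state):
    """Measurement in the basis {|00>,|01>,|10>,|11>}: outcome string -> probability."""
    return {format(i, "02b"): abs(amp) ** 2 for i, amp in enumerate(state)}


def measure_first_qubit(state):
    """Measure only the first qubit. Returns [(probability, reduced state)] for outcomes 0 and 1;
    the reduced state keeps the amplitudes of the matching half, renormalised."""
    results = []
    for lo, hi in [(0, 2), (2, 4)]:
        p = sum(abs(amp) ** 2 for amp in state[lo:hi])
        if p > 0:
            reduced = [amp / math.sqrt(p) if lo <= i < hi else 0 for i, amp in enumerate(state)]
        else:
            reduced = None
        results.append((p, reduced))
    return results


if __name__ == "__main__":
    print("CNOT copies |0>, |1>:", cnot_copies_basis_state(0), cnot_copies_basis_state(1))
    print("CNOT copies |0'>:", cnot_copies_plus_state())
    bell = bell_phi_plus()
    print("Bell state is a product state?", is_product_state(bell))
    print("joint outcomes:", measure_register(bell))
    # Both qubits give the same bit: the correlation behind EPR-based shared random bits.
    for outcome, (p, reduced) in enumerate(measure_first_qubit(bell)):
        print("first qubit ->", outcome, "with probability", round(p, 3), "leaves", reduced)
```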
QUANTUM n-qubit REGISTER

A general state of an n-qubit register is a vector $|\phi\rangle$ in $H_{2^n}$.

Operators on n-qubit registers are unitary matrices of degree $2^n$.

Is it difficult to create a state of an n-qubit register?

In general yes, in some important special cases not. For example, if the n-qubit Hadamard transformation $H_n$ is used, then
$H_n|0^{(n)}\rangle = \bigotimes_{i=1}^{n} H|0\rangle$

Let $U_f$ be the mapping $U_f: |x\rangle|0\rangle \Longrightarrow |x\rangle|f(x)\rangle$ and let us have the state
$|\psi\rangle = \frac{1}{\sqrt{2^n}}\sum_{i=0}^{2^n-1}|i\rangle|0\rangle.$
With a single application of the mapping $U_f$ we then get the state in which each $|i\rangle|0\rangle$ has been replaced by $|i\rangle|f(i)\rangle$.

OBSERVE THAT IN A SINGLE COMPUTATIONAL STEP $2^n$ VALUES OF f ARE COMPUTED!

IN WHAT LIES THE POWER OF QUANTUM COMPUTING?

In quantum superposition or in quantum parallelism?

NOT, in QUANTUM ENTANGLEMENT!

Let $|\psi\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle)$ be a state of two very distant particles, for example on two planets.

Measurement of one of the particles, with respect to the standard basis, makes the above state collapse to one of the states $|00\rangle$ or $|11\rangle$.

This means that a subsequent measurement of the other particle (on another planet) provides the same result as the measurement of the first particle.

This indicates that in the quantum world non-local influences, correlations, exist.

POWER of ENTANGLEMENT

A quantum state $|\psi\rangle$ of a composed bipartite quantum system $A \otimes B$ is called entangled if it cannot be decomposed into a tensor product of states from A and B.

Quantum entanglement is an important quantum resource that allows
■ To create phenomena that are impossible in the classical world (for example teleportation)
■ To create quantum algorithms that are asymptotically more efficient than any classical algorithm known for the same problem.
■ To create communication protocols that are asymptotically more efficient than classical communication protocols for the same task
■ To create, for two parties, shared secret binary keys
■ To increase the capacity of quantum channels
CLASSICAL versus QUANTUM CRYPTOGRAPHY

■ The security of classical cryptography is based on unproven assumptions of computational complexity (and it can be jeopardized by progress in algorithms and/or technology). The security of quantum cryptography is based on laws of quantum physics that allow us to build systems in which undetectable eavesdropping is impossible.
■ Since classical cryptography is vulnerable to technological improvements, it has to be designed in such a way that a secret is secure with respect to future technology, during the whole period in which secrecy is required. Quantum key generation, on the other hand, needs to be designed only to be secure against the technology available at the moment of key generation.

QUANTUM KEY GENERATION

Quantum protocols for using quantum systems to achieve unconditionally secure generation of secret (classical) keys by two parties are one of the main theoretical achievements of quantum information processing and communication research.

Moreover, experimental systems for implementing such protocols are one of the main achievements of experimental quantum information processing research.

It is believed and hoped that it will be quantum key generation (QKG) - another term is quantum key distribution (QKD) - where one can expect the first transfer from the experimental to the development stage.
QUANTUM KEY GENERATION - EPR METHOD

Let Alice and Bob share n pairs of particles in the entangled EPR state
$\frac{1}{\sqrt2}(|00\rangle + |11\rangle).$

[Figure: n pairs of particles in the EPR state.]

If both of them measure their particles in the standard basis, then they get, as the classical outcome of their measurements, the same random, shared and secret binary key of length n.

POLARIZATION of PHOTONS

Polarized photons are currently mainly used for experimental quantum key generation.

A photon, or light quantum, is a particle composing light and other forms of electromagnetic radiation.

Photons are electromagnetic waves, and their electric and magnetic fields are perpendicular to the direction of propagation and also to each other.

An important property of photons is polarization - it refers to the bias of the electric field in the electromagnetic field of the photon.

Figure 6: Electric and magnetic fields of a linearly polarized photon

If the electric field vector is always parallel to a fixed line, we have linear polarization (see Figure 6).

There is no way to determine exactly the polarization of a single photon.

However, for any angle $\theta$ there are $\theta$-polarizers - "filters" - that produce $\theta$-polarized photons from an incoming stream of photons, and they let $\theta_1$-polarized photons get through with probability $\cos^2(\theta - \theta_1)$.

Figure 6: Photon polarizers and measuring devices

Photons whose electric fields oscillate in a plane at either 0° or 90° to some reference line are usually called rectilinearly polarized, and those whose electric field oscillates in a plane at 45° or 135° diagonally polarized.
Polarizers that produce only vertically or horizontally polarized photons are depicted in Figure 6 a, b.

Generation of orthogonally polarized photons

For any two orthogonal polarizations there are generators that produce photons of the two given orthogonal polarizations. For example, a calcite crystal, properly oriented, can do the job.

Fig. 6 c - a calcite crystal that makes $\theta$-polarized photons to be horizontally (vertically) polarized with probability $\cos^2\theta$ ($\sin^2\theta$).

Fig. 6 d - a calcite crystal can be used to separate horizontally and vertically polarized photons.

QUANTUM KEY GENERATION - PROLOGUE

Very basic setting: Alice tries to send a quantum system to Bob, and an eavesdropper tries to learn, or to change, as much as possible, without being detected.

Eavesdroppers have this time an especially hard time, because quantum states cannot be copied and cannot be measured without causing, in general, a disturbance.

Key problem: Alice prepares a quantum system in a specific way, unknown to the eavesdropper, Eve, and sends it to Bob.

The question is how much information Eve can extract from that quantum system and how much it costs in terms of the disturbance of the system.

Three special cases
1. Eve has no information about the state $|\psi\rangle$ Alice sends.
2. Eve knows that $|\psi\rangle$ is one of the states of an orthonormal basis $\{|\phi_i\rangle\}_{i=1}^n$.
3. Eve knows that $|\psi\rangle$ is one of the states $|\phi_1\rangle, \ldots, |\phi_n\rangle$ that are not mutually orthonormal, and that $p_i$ is the probability that $|\psi\rangle = |\phi_i\rangle$.
TRANSMISSION ERRORS

If Alice sends a randomly chosen bit 0 encoded randomly as $|0\rangle$ or $|0'\rangle$, or 1 encoded randomly as $|1\rangle$ or $|1'\rangle$, and Bob measures the encoded bit by choosing randomly the standard or the dual basis, then the probability of error is $\frac14$.

If Eve measures the encoded bit sent by Alice according to a randomly chosen basis, standard or dual, then she can learn the bit sent with probability 75%.

If she then sends the state obtained after the measurement to Bob and he measures it with respect to the standard or dual basis, randomly chosen, then the probability of error for his measurement is $\frac38$ - a 50% increase with respect to the case where there was no eavesdropping.

Indeed, the error is
$\frac12 \cdot \frac14 + \frac12\left(\frac12 \cdot \frac14 + \frac12 \cdot \frac34\right) = \frac38.$

BB84 QUANTUM KEY GENERATION PROTOCOL

The quantum key generation protocol BB84 (due to Bennett and Brassard), for the generation of a key of length n, has several phases:

Preparation phase

Alice is assumed to have four transmitters of photons in one of the following four polarizations: 0, 45, 90 and 135 degrees.

Figure 8: Polarizations of photons for BB84 and B92 protocols

Expressed in a more general form, Alice uses for encoding states from the set $\{|0\rangle, |1\rangle, |0'\rangle, |1'\rangle\}$.

Bob has a detector that can be set up to distinguish between rectilinear polarizations (0 and 90 degrees) or can be quickly reset to distinguish between diagonal polarizations (45 and 135 degrees).

(In accordance with the laws of quantum physics, there is no detector that could distinguish between non-orthogonal polarizations.)
(In a more formal setting, Bob can measure the incoming photons either in the standard basis $B = \{|0\rangle, |1\rangle\}$ or in the dual basis $D = \{|0'\rangle, |1'\rangle\}$.)

To send a bit 0 (1) of her first random sequence through a quantum channel, Alice chooses, on the basis of her second random sequence, one of the encodings $|0\rangle$ or $|0'\rangle$ ($|1\rangle$ or $|1'\rangle$), i.e., in the standard or the dual basis.

Bob chooses, each time on the basis of his private random sequence, one of the bases B or D to measure the photon he is to receive, and he records the results of his measurements and keeps them secret.

Alice's encoding   Bob's observable   Alice's state relative to Bob   Result and its probability   Correctness
0 -> |0>           0 -> B             |0>                             0 (prob. 1)                  correct
                   1 -> D             (1/sqrt2)(|0'> + |1'>)          0/1 (prob. 1/2)              random
0 -> |0'>          0 -> B             (1/sqrt2)(|0> + |1>)            0/1 (prob. 1/2)              random
                   1 -> D             |0'>                            0 (prob. 1)                  correct
1 -> |1>           0 -> B             |1>                             1 (prob. 1)                  correct
                   1 -> D             (1/sqrt2)(|0'> - |1'>)          0/1 (prob. 1/2)              random
1 -> |1'>          0 -> B             (1/sqrt2)(|0> - |1>)            0/1 (prob. 1/2)              random
                   1 -> D             |1'>                            1 (prob. 1)                  correct
Figure 9: Quantum cryptography with BB84 protocol

Figure 9 shows the possible results of the measurements and their probabilities.

An example of an encoding-decoding process is in Figure 10.

Raw key extraction

Bob makes public the sequence of bases he used to measure the photons he received - but not the results of the measurements - and Alice tells Bob, through a classical channel, in which cases he has chosen the same basis for measurement as she did for encoding. The corresponding bits then form the basic raw key.

Alice's random sequence    1    0     0    0     1    1     0     0    0    1    1
Alice's polarizations     |1>  |0'>  |0>  |0'>  |1>  |1'>  |0'>  |0>  |0>  |1>  |1'>
Bob's random sequence      0    1     1    1     0    0     1     0    0    1    0
Bob's observable           B    D     D    D     B    B     D     B    B    D    B
outcomes                   1    0     R    0     1    R     0     0    0    R    R
Figure 10: Quantum transmissions in the BB84 protocol - R stands for the case that the result of the measurement is random.
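The error probabilities $\frac14$ and $\frac38$ and the raw key extraction can be reproduced with the following added example (pure Python; not the lecture's or any project's code). It models the four polarizations by their angles and uses the $\cos^2(\theta - \theta_1)$ rule of the polarization slides for every measurement: error_probability enumerates all equally likely cases exactly, bb84_raw_key simulates the quantum phase with an optional intercept-resend eavesdropper and keeps the positions where Bob's announced basis matches Alice's, and eavesdropping_test compares a public random subset of the raw key, as Alice and Bob do before using it. The function names, the seeds and the 2000-photon run are assumptions of the example.

```python
# Added example (not from the lecture): BB84 with the four polarizations
# 0, 45, 90 and 135 degrees, in pure Python. A photon polarized at angle t
# measured in a basis {b0, b1} yields bit 0 with probability cos^2(t - b0)
# and bit 1 with probability cos^2(t - b1), and leaves polarized at the outcome's angle.
import math
import random

BASES = {"B": (0, 90), "D": (45, 135)}   # rectilinear (standard) and diagonal (dual)


def make_rng(seed):
    """Seeded generator so that runs are reproducible."""
    return random.Random(seed)


def encode(bit, basis):
    """Alice's polarization angle for a bit in a basis: |0>=0, |1>=90, |0'>=45, |1'>=135."""
    return BASES[basis][bit]


def outcome_distribution(angle, basis):
    """Measuring a photon polarized at `angle` in `basis`: {bit: probability}."""
    b0, b1 = BASES[basis]
    return {0: math.cos(math.radians(angle - b0)) ** 2,
            1: math.cos(math.radians(angle - b1)) ** 2}


def sample(distribution, rng):
    """Draw a bit from {0: p0, 1: p1}."""
    return 0 if rng.random() < distribution[0] else 1


def error_probability(eve_intercepts):
    """Exact probability that Bob's bit differs from Alice's, averaged over her random bit
    and basis and Bob's random basis; with an intercept-resend Eve also over her basis."""
    total = 0.0
    for bit in (0, 1):
        for a_basis in "BD":
            for b_basis in "BD":
                angle = encode(bit, a_basis)
                arriving = {angle: 1.0}             # distribution of the angle reaching Bob
                if eve_intercepts:
                    arriving = {}
                    for e_basis in "BD":
                        for e_bit, p in outcome_distribution(angle, e_basis).items():
                            e_angle = encode(e_bit, e_basis)   # Eve resends what she measured
                            arriving[e_angle] = arriving.get(e_angle, 0.0) + 0.5 * p
                p_err = sum(p * outcome_distribution(a, b_basis)[1 - bit] for a, p in arriving.items())
                total += p_err / 8                  # 8 equally likely (bit, basis, basis) cases
    return total


def bb84_raw_key(n, rng, eve=False):
    """Quantum phase plus raw key extraction. Returns (Alice's raw key, Bob's raw key)."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.choice("BD") for _ in range(n)]
    b_bases = [rng.choice("BD") for _ in range(n)]
    b_bits = []
    for bit, a_basis, b_basis in zip(a_bits, a_bases, b_bases):
        angle = encode(bit, a_basis)
        if eve:   # intercept-resend: Eve measures in a random basis and forwards her outcome
            e_basis = rng.choice("BD")
            angle = encode(sample(outcome_distribution(angle, e_basis), rng), e_basis)
        b_bits.append(sample(outcome_distribution(angle, b_basis), rng))
    # Bob announces his bases (not his results); positions with matching bases are kept.
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep]


def eavesdropping_test(a_key, b_key, test_fraction, rng, tolerated_error_rate=0.0):
    """Compare a random subset of the raw key in public; on a noiseless channel any mismatch
    means eavesdropping. Returns (detected, Alice's remaining bits, Bob's remaining bits)."""
    tested = set(rng.sample(range(len(a_key)), int(len(a_key) * test_fraction)))
    mismatches = sum(a_key[i] != b_key[i] for i in tested)
    detected = mismatches > tolerated_error_rate * len(tested)
    rest = [i for i in range(len(a_key)) if i not in tested]
    return detected, [a_key[i] for i in rest], [b_key[i] for i in rest]


def mismatch_rate(a_key, b_key):
    """Fraction of raw-key positions where Alice's and Bob's bits differ."""
    return sum(a != b for a, b in zip(a_key, b_key)) / len(a_key)


if __name__ == "__main__":
    print("error without Eve:", error_probability(False), " with Eve:", error_probability(True))
    rng = make_rng(2011)
    for eve in (False, True):
        a_key, b_key = bb84_raw_key(2000, rng, eve=eve)
        detected, a_rest, b_rest = eavesdropping_test(a_key, b_key, 0.2, rng)
        print(f"eve={eve}: raw key {len(a_key)} bits, mismatch rate {mismatch_rate(a_key, b_key):.3f}, "
              f"detected={detected}, final key {len(a_rest)} bits")
```

On the raw key (matching bases only) an intercept-resend eavesdropper leaves a mismatch rate of about 25%, which is why a public comparison of a modest fraction of the raw key exposes her with overwhelming probability.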
BB84 QUANTUM KEY GENERATION PROTOCOL

Test for eavesdropping

Alice and Bob agree on a sequence of indices of the raw key and make the corresponding bits of their raw keys public.

Case 1. Noiseless channel. If the subsequences chosen by Alice and Bob are not completely identical, eavesdropping is detected. Otherwise, the remaining bits are taken as creating the final key.

Case 2. Noisy channel. If the subsequences chosen by Alice and Bob contain more errors than the admissible error of the channel (which has to be determined from the channel characteristics), then eavesdropping is assumed. Otherwise, the remaining bits are taken as the next result of the raw key generation process.

Error correction phase

In the case of a noisy channel for transmission it may happen that Alice and Bob have different raw keys after the key generation phase. A way out is to use special error correction techniques; at the end of this stage both Alice and Bob share identical keys.

Privacy amplification phase

One problem remains. Eve can still have quite a bit of information about the key both Alice and Bob share.
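The three phases above (quantum transmission, raw key extraction, test for eavesdropping) as a classical simulation. This is an added example and not code from the lecture; the function and variable names are its own. Photons are modelled only at the level the protocol needs: a measurement in the preparation basis returns the encoded bit, a measurement in the other basis returns a uniformly random bit (the R entries of Figure 10). The optional intercept-resend Eve measures every photon in a random basis and forwards the post-measurement state. Over many photons the error rate on all transmitted bits comes out near 1/4 without Eve and near 3/8 with her, as computed on the TRANSMISSION ERRORS slide, while the publicly compared raw-key bits disagree in about a quarter of the positions only when Eve is present.

```python
"""Classical simulation of BB84 with an optional intercept-resend eavesdropper.

Added example, not part of the lecture; all names are this example's own.
"""
import random
from typing import Dict, List

STANDARD, DUAL = "B", "D"   # B = {|0>, |1>},  D = {|0'>, |1'>}


def measure(prep_basis: str, bit: int, meas_basis: str, rng: random.Random) -> int:
    """Outcome of measuring a photon that encodes `bit` in `prep_basis`.

    Same basis: the encoded bit is read with certainty.  Other basis: both
    outcomes are equally likely (the 'R' entries of Figure 10).
    """
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def bb84(n_photons: int, seed: int, eve: bool, admissible_error: float = 0.0) -> Dict[str, object]:
    """Run one BB84 session; return what Alice and Bob can observe about it."""
    rng = random.Random(seed)                                               # seeded: reproducible runs
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]               # first random sequence
    alice_bases = [rng.choice((STANDARD, DUAL)) for _ in range(n_photons)]  # second random sequence
    bob_bases = [rng.choice((STANDARD, DUAL)) for _ in range(n_photons)]    # Bob's private sequence

    bob_results: List[int] = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        prep_basis, value = a_basis, bit
        if eve:
            # Intercept-resend: Eve measures in a random basis and forwards the
            # post-measurement state, i.e. a photon encoding (her basis, her outcome).
            e_basis = rng.choice((STANDARD, DUAL))
            value = measure(prep_basis, value, e_basis, rng)
            prep_basis = e_basis
        bob_results.append(measure(prep_basis, value, b_basis, rng))

    # Raw key extraction: Bob publishes his bases (never his results); the
    # positions where Alice used the same basis form the raw key.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_raw = [alice_bits[i] for i in keep]
    bob_raw = [bob_results[i] for i in keep]

    # Test for eavesdropping: half of the raw-key positions are compared in
    # public and discarded; the remaining bits form the final key (before any
    # error correction and privacy amplification).
    test_idx = set(rng.sample(range(len(keep)), len(keep) // 2))
    test_errors = sum(alice_raw[i] != bob_raw[i] for i in test_idx)
    test_rate = test_errors / max(1, len(test_idx))
    final_key = [alice_raw[i] for i in range(len(keep)) if i not in test_idx]

    return {
        # error rate over all photons, before sifting: 1/4 without Eve, 3/8 with her
        "raw_error_rate": sum(a != b for a, b in zip(alice_bits, bob_results)) / n_photons,
        # disagreement rate on the published raw-key sample: 0 without Eve, 1/4 with her
        "sifted_error_rate": test_rate,
        # Case 1 (noiseless): admissible_error = 0; Case 2 (noisy): the channel's own error rate
        "eavesdropping_detected": test_rate > admissible_error,
        "final_key_length": len(final_key),
    }


if __name__ == "__main__":
    for eve in (False, True):
        print("Eve present" if eve else "no Eve", bb84(20000, seed=1, eve=eve))
```

The `admissible_error` parameter models Case 2: on a noisy channel it is set to the error rate determined from the channel characteristics, and eavesdropping is assumed only when the published sample exceeds it; `admissible_error = 0.0` is Case 1. Since half of the raw key is sacrificed for the test, the final key is roughly a quarter of the number of photons sent.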
Privacy amplification is a tool to deal with such a case.

Privacy amplification is a method for selecting a short and very secret binary string s from a longer but less secret string s'. The main idea is simple. If |s| = n, then one picks n random subsets S_1, ..., S_n of bits of s' and lets s_i, the i-th bit of s, be the parity of S_i. One way to do it is to take a random binary matrix M of size |s| × |s'| and to perform the multiplication M s'^T, where s'^T is the binary column vector corresponding to s'.

The point is that even in the case where an eavesdropper knows quite a few bits of s', she will have almost no information about s. More exactly, if Eve knows parity bits of k subsets of s', then if a random subset of bits of s' is chosen, the probability that Eve has any information about its parity bit is less than

$$\frac{2^{-(n-k-1)}}{\ln 2}.$$

EXPERIMENTAL CRYPTOGRAPHY

Successes

■ Transmissions using optical fibers to the distance of 120 km.
■ Open air transmissions to the distance of 144 km at day time (from one peak of the Canary Islands to another).
■ Next goal: earth to satellite transmissions.

All current systems use optical means for quantum state transmissions.

Problems and tasks

■ No single photon sources are available. Weak laser pulses currently used contain on average 0.1 - 0.2 photons.
■ Loss of signals in the fiber. (Current error rates: 0,5 - 4%)
■ To move from the experimental to the developmental stage.
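The matrix construction above, carried out over GF(2), as an added example that is not code from the lecture. Bit strings and subsets of bit positions are represented as Python ints used as bit masks (bit j of a mask corresponds to position j of s'), so row i of M is the mask of S_i and the product M s'^T is a list of parities. The second half takes the linear-algebra view of Eve's knowledge: because parities add over GF(2), an amplified bit s_i is fully determined by the k subset parities she knows exactly when the mask of S_i lies in the GF(2) span of her k masks; the function `bits_eve_can_determine` checks this with Gaussian elimination. That is a coarser statement than the slide's bound (it counts bits Eve knows completely, not partial information), but it shows the same effect: with k well below |s'| a random row almost never lands in her span.

```python
"""Privacy amplification by a random binary matrix over GF(2).

Added example, not part of the lecture; names are this example's own.
"""
import random
from typing import Dict, List, Sequence


def random_binary_matrix(n: int, m: int, rng: random.Random) -> List[int]:
    """Row i of a random n x m binary matrix M = the random subset S_i of {0..m-1}."""
    return [rng.getrandbits(m) for _ in range(n)]


def parity_of_subset(subset: int, s_prime: int) -> int:
    """Parity of the bits of s' selected by `subset` (both m-bit masks)."""
    return bin(subset & s_prime).count("1") % 2


def privacy_amplify(s_prime: int, matrix: Sequence[int]) -> List[int]:
    """s = M s'^T over GF(2): bit i of s is the parity of the subset S_i."""
    return [parity_of_subset(row, s_prime) for row in matrix]


def gf2_reduce(v: int, basis: Dict[int, int]) -> int:
    """Reduce v against an echelon basis keyed by pivot bit; result is 0 iff v is in the span."""
    while v:
        pivot = v.bit_length() - 1
        if pivot not in basis:
            return v
        v ^= basis[pivot]
    return 0


def gf2_span(vectors: Sequence[int]) -> Dict[int, int]:
    """Echelon basis (pivot bit -> vector) of the GF(2) span of `vectors`."""
    basis: Dict[int, int] = {}
    for v in vectors:
        r = gf2_reduce(v, basis)
        if r:
            basis[r.bit_length() - 1] = r
    return basis


def bits_eve_can_determine(matrix: Sequence[int], eve_subsets: Sequence[int]) -> List[int]:
    """Indices i of amplified bits that Eve's knowledge fixes completely.

    Eve knows the parities of the subsets in `eve_subsets`.  Parities are linear
    over GF(2), so she can compute the parity of S_i exactly when the mask of S_i
    is a GF(2) combination of her masks.
    """
    span = gf2_span(eve_subsets)
    return [i for i, row in enumerate(matrix) if gf2_reduce(row, span) == 0]


def simulate(m: int, k: int, n: int, seed: int) -> int:
    """How many of n amplified bits Eve determines when she knows the parities of
    k random subsets of an m-bit s'.  A random row lies in her (at most
    k-dimensional) subspace of GF(2)^m with probability at most 2^(k-m)."""
    rng = random.Random(seed)
    matrix = random_binary_matrix(n, m, rng)
    eve_subsets = [rng.getrandbits(m) for _ in range(k)]
    return len(bits_eve_can_determine(matrix, eve_subsets))


if __name__ == "__main__":
    rng = random.Random(1)
    s_prime = rng.getrandbits(64)                     # constructed 64-bit "less secret" string
    print(privacy_amplify(s_prime, random_binary_matrix(16, 64, rng)))
    print("Eve knows 40 parities of a 64-bit s' ->", simulate(64, 40, 16, 7), "of 16 bits determined")
    print("Eve knows 32 parities of an 8-bit s' ->", simulate(8, 32, 5, 3), "of 5 bits determined")
```

The last line of the demo is the failure mode: once Eve's masks span all of GF(2)^m (here 32 random parities of an 8-bit string), every amplified bit is a combination of things she knows and privacy amplification yields nothing; the length n of s has to be chosen with the estimate of Eve's information in mind.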
QUANTUM TELEPORTATION

Quantum teleportation allows one to transmit unknown quantum information to a very distant place in spite of the impossibility of measuring or broadcasting the information to be transmitted.

[Figure: teleportation scheme. Alice performs a measurement on |ψ> and her half of the EPR pair (her copy of |ψ> gets destroyed by the measurement), sends 2 classical bits to Bob, and Bob applies a transformation to his half of the pair.]

$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle, \qquad |EPR\text{-}pair\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$$

Total state:

$$|\psi\rangle|EPR\text{-}pair\rangle = \frac{1}{\sqrt{2}}(\alpha|000\rangle + \alpha|011\rangle + \beta|100\rangle + \beta|111\rangle)$$

Measurement of the first two qubits is done with respect to the "Bell basis":

$$|\Phi^+\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle), \quad |\Phi^-\rangle = \frac{1}{\sqrt2}(|00\rangle - |11\rangle), \quad |\Psi^+\rangle = \frac{1}{\sqrt2}(|01\rangle + |10\rangle), \quad |\Psi^-\rangle = \frac{1}{\sqrt2}(|01\rangle - |10\rangle)$$

QUANTUM TELEPORTATION I

The total state of the three particles

$$|\psi\rangle|EPR\text{-}pair\rangle = \frac{1}{\sqrt{2}}(\alpha|000\rangle + \alpha|011\rangle + \beta|100\rangle + \beta|111\rangle)$$

can be expressed as follows:

$$|\psi\rangle|EPR\text{-}pair\rangle = |\Phi^+\rangle\frac{1}{2}(\alpha|0\rangle + \beta|1\rangle) + |\Psi^+\rangle\frac{1}{2}(\beta|0\rangle + \alpha|1\rangle) + |\Phi^-\rangle\frac{1}{2}(\alpha|0\rangle - \beta|1\rangle) + |\Psi^-\rangle\frac{1}{2}(-\beta|0\rangle + \alpha|1\rangle)$$

and therefore a Bell measurement of the first two particles projects the state of Bob's particle into a "small modification" |ψ1> of the state |ψ> = α|0> + β|1>:

|ψ1> = either |ψ> or σ_x|ψ> or σ_z|ψ> or σ_xσ_z|ψ>.

The unknown state |ψ> can therefore be obtained from |ψ1> by applying one of four operations, and the result of the Bell measurement provides two bits specifying which of the above four operations should be applied. These bits Alice needs to send to Bob using a classical channel (by email, for example).

QUANTUM TELEPORTATION II

If the first two particles of the state

$$|\psi\rangle|EPR\text{-}pair\rangle = |\Phi^+\rangle\frac{1}{2}(\alpha|0\rangle + \beta|1\rangle) + |\Psi^+\rangle\frac{1}{2}(\beta|0\rangle + \alpha|1\rangle) + |\Phi^-\rangle\frac{1}{2}(\alpha|0\rangle - \beta|1\rangle) + |\Psi^-\rangle\frac{1}{2}(-\beta|0\rangle + \alpha|1\rangle)$$

are measured with respect to the Bell basis, then Bob's particle gets into the mixed state

$$\left(\tfrac14,\ \alpha|0\rangle + \beta|1\rangle\right) \oplus \left(\tfrac14,\ \alpha|0\rangle - \beta|1\rangle\right) \oplus \left(\tfrac14,\ \beta|0\rangle + \alpha|1\rangle\right) \oplus \left(\tfrac14,\ \beta|0\rangle - \alpha|1\rangle\right).$$

The density matrix of this mixed state is identical to the density matrix for the mixed state $(\tfrac12, |0\rangle) \oplus (\tfrac12, |1\rangle)$. Indeed, the density matrix for the last mixed state has the form

$$\frac12\begin{pmatrix}1\\0\end{pmatrix}(1,0) + \frac12\begin{pmatrix}0\\1\end{pmatrix}(0,1) = \frac12\begin{pmatrix}1&0\\0&1\end{pmatrix}.$$
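A state-vector check of the two slides above, added here as an example that is not code from the lecture; the names are its own. It builds |ψ>|EPR-pair> on three qubits in the order (Alice's |ψ>, Alice's half of the pair, Bob's half), projects the first two onto each Bell state, and reports the probability of that outcome together with Bob's state before and after the correction the two classical bits select. It also forms the density matrix Bob holds if he never receives the bits, which should come out as ½·I regardless of α and β, as computed on the TELEPORTATION II slide.

```python
"""State-vector check of the teleportation decomposition.

Added example, not part of the lecture; names are this example's own.  The
amplitude of |a b c> (a = Alice's psi qubit, b = Alice's EPR half, c = Bob's
EPR half) is stored at index 4a + 2b + c.
"""
import math
from typing import Callable, Dict, List, Tuple

Vec = List[complex]
INV_SQRT2 = 1 / math.sqrt(2)


def sigma_x(v: Vec) -> Vec:
    return [v[1], v[0]]


def sigma_z(v: Vec) -> Vec:
    return [v[0], -v[1]]


# Bell basis on qubits (a, b), amplitude order |00>, |01>, |10>, |11>
BELL: Dict[str, Vec] = {
    "Phi+": [INV_SQRT2, 0, 0, INV_SQRT2],
    "Phi-": [INV_SQRT2, 0, 0, -INV_SQRT2],
    "Psi+": [0, INV_SQRT2, INV_SQRT2, 0],
    "Psi-": [0, INV_SQRT2, -INV_SQRT2, 0],
}

# Bob's operation for each of the four outcomes (what the two classical bits encode).
# After Psi- Bob holds -beta|0> + alpha|1> = sigma_x sigma_z |psi>, undone by
# applying sigma_x and then sigma_z.
CORRECTION: Dict[str, Callable[[Vec], Vec]] = {
    "Phi+": lambda v: list(v),
    "Phi-": sigma_z,
    "Psi+": sigma_x,
    "Psi-": lambda v: sigma_z(sigma_x(v)),
}


def total_state(alpha: complex, beta: complex) -> Vec:
    """|psi>|EPR-pair> = 1/sqrt2 (alpha|000> + alpha|011> + beta|100> + beta|111>)."""
    state = [0j] * 8
    for a, amp in ((0, alpha), (1, beta)):
        for bc in (0b00, 0b11):             # EPR pair 1/sqrt2 (|00> + |11>) on qubits (b, c)
            state[4 * a + bc] = amp * INV_SQRT2
    return state


def bell_measurement(state: Vec, outcome: str) -> Tuple[float, Vec]:
    """Project qubits (a, b) onto the Bell state `outcome`.

    Returns the probability of that outcome and Bob's normalized post-measurement
    state, the "small modification" |psi_1> of |psi>.
    """
    bell = BELL[outcome]
    bob = [0j, 0j]
    for ab in range(4):
        for c in range(2):
            bob[c] += bell[ab].conjugate() * state[2 * ab + c]
    prob = sum(abs(x) ** 2 for x in bob)
    return prob, [x / math.sqrt(prob) for x in bob]


def fidelity(u: Vec, v: Vec) -> float:
    """|<u|v>|^2 for normalized 2-vectors: 1 iff the states agree up to a global phase."""
    return abs(sum(a.conjugate() * b for a, b in zip(u, v))) ** 2


def teleport(alpha: complex, beta: complex) -> Dict[str, dict]:
    """For each Bell outcome: its probability, Bob's state before and after correction."""
    state = total_state(alpha, beta)
    result = {}
    for outcome in BELL:
        prob, bob_before = bell_measurement(state, outcome)
        result[outcome] = {"prob": prob, "bob_before": bob_before,
                           "bob_after": CORRECTION[outcome](bob_before)}
    return result


def bob_density_matrix_without_bits(alpha: complex, beta: complex) -> List[List[complex]]:
    """Bob's density matrix if the two classical bits never arrive: the mixture of
    the four uncorrected states, each with probability 1/4."""
    rho = [[0j, 0j], [0j, 0j]]
    for r in teleport(alpha, beta).values():
        phi = r["bob_before"]
        for i in range(2):
            for j in range(2):
                rho[i][j] += r["prob"] * phi[i] * phi[j].conjugate()
    return rho


if __name__ == "__main__":
    for outcome, r in teleport(0.6, 0.8).items():
        print(outcome, round(r["prob"], 3), r["bob_before"], "->", r["bob_after"])
    print(bob_density_matrix_without_bits(0.6, 0.8))
```

The density-matrix function is the no-faster-than-light argument in numbers: without the two bits Bob's reduced state is ½·I whatever |ψ> was, so nothing about α and β reaches him until the classical message does.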
QUANTUM TELEPORTATION - COMMENTS

■ Alice can be seen as dividing the information contained in |ψ> into
  ■ quantum information, transmitted through the EPR channel
  ■ classical information, transmitted through a classical channel

In quantum teleportation an unknown quantum state |ψ> can be disassembled into, and later reconstructed from, two classical bit-states and a maximally entangled pure quantum state.

■ Using quantum teleportation an unknown quantum state can be teleported from one place to another by a sender who does not need to know, for the teleportation itself, either the state to be teleported or the location of the intended receiver.

■ The teleportation procedure cannot be used to transmit information faster than light, but it can be argued that the quantum information present in the unknown state is transmitted instantaneously (except for the two random bits, which are transmitted at the speed of light at most).

■ The EPR channel is irreversibly destroyed during the teleportation process.

DARPA Network

■ In Cambridge, connecting Harvard, Boston University and BBN Technology (10, 19 and 29 km).
■ Currently 6 nodes, in the near future 10 nodes.
■ Continuously operating since March 2004.
■ Three technologies: lasers through optic fibers, entanglement through fiber, and free-space QKD (in future two versions of it).
■ Implementation of BB84 with authentication, sifting, error correction and privacy amplification.
■ One 2x2 switch to make sender-receiver connections.
■ Capability to overcome several limitations of stand-alone QKD systems.

WHY IS QUANTUM INFORMATION PROCESSING SO IMPORTANT

■ QIPC is believed to lead to a new Quantum Information Processing Technology that could have broad impacts.
■ Several areas of science and technology are approaching points in their development where they badly need expertise in storing, transmission and processing of particles.
■ It is increasingly believed that a new, quantum information processing based, understanding of (complex) quantum phenomena and systems can be developed.
■ Quantum cryptography seems to offer a new level of security and to be feasible soon.
■ QIPC has been shown to be more efficient in interesting/important cases.

UNIVERSAL SETS of QUANTUM GATES

The main task in quantum computation is to express the solution of a given problem P as a unitary matrix U and then to construct a circuit C_U with elementary quantum gates from a universal set of quantum gates to realize U.
A simple universal set of quantum gates consists of a few gates, among them CNOT:

$$\mathrm{CNOT} = \begin{pmatrix}1&0&0&0\\0&1&0&0\\0&0&0&1\\0&0&1&0\end{pmatrix}$$

FUNDAMENTAL RESULTS

The first really satisfactory results concerning universality of gates are due to Barenco et al. (1995).

Theorem 0.1 The CNOT gate and all one-qubit gates form a universal set of gates.

The proof is in principle a simple modification of the RQ-decomposition from linear algebra. Theorem 0.1 can be easily improved:

Theorem 0.2 The CNOT gate and the elementary rotation gates

$$R_a(\theta) = \cos\frac{\theta}{2}\, I - i\sin\frac{\theta}{2}\, \sigma_a \quad \text{for } a \in \{x, y, z\}$$

form a universal set of gates.

QUANTUM ALGORITHMS

Quantum algorithms are methods of using quantum circuits and processors to solve algorithmic problems. On a more technical level, the design of a quantum algorithm can be seen as a process of efficient decomposition of a complex unitary transformation into products of elementary unitary operations (or gates), performing simple local changes.

The four main features of quantum mechanics that are exploited in quantum computation:

■ Superposition;
■ Interference;
■ Entanglement;
■ Measurement.
EXAMPLES of QUANTUM ALGORITHMS

Deutsch problem: Given is a black-box function f: {0,1} → {0,1}; how many queries are needed to find out whether f is constant or balanced?
Classically: 2. Quantumly: 1.

Deutsch-Jozsa problem: Given is a black-box function f: {0,1}^n → {0,1} and a promise that f is either constant or balanced; how many queries are needed to find out whether f is constant or balanced?
Classically: n. Quantumly: 1.

Factorization of integers: all classical algorithms are exponential. Peter Shor developed a polynomial time quantum algorithm.

Search of an element in an unordered database of n elements: classically n queries are needed in the worst case. Lov Grover showed that quantumly √n queries are enough.
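The Deutsch problem worked through on a two-qubit state vector, using the CNOT matrix from the UNIVERSAL SETS slide, the Hadamard gate and superposition, interference and measurement from the QUANTUM ALGORITHMS slide. This is an added example, not code from the lecture, and its names are its own. The black-box f is turned into the unitary U_f|x>|y> = |x>|y ⊕ f(x)> (for f(x) = x this is exactly CNOT), which is applied once; reading the first qubit afterwards gives 0 for both constant functions and 1 for both balanced ones, which is the single query the slide claims.

```python
"""Deutsch's algorithm on a two-qubit state vector.

Added example, not part of the lecture; names are this example's own.  The
amplitude of |x>|y> is stored at index 2x + y.
"""
import math
from typing import Callable, List

Matrix = List[List[complex]]
INV_SQRT2 = 1 / math.sqrt(2)

H: Matrix = [[INV_SQRT2, INV_SQRT2], [INV_SQRT2, -INV_SQRT2]]            # Hadamard gate
I2: Matrix = [[1, 0], [0, 1]]
CNOT: Matrix = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]   # matrix from the slide


def kron(a: Matrix, b: Matrix) -> Matrix:
    """Tensor product of two 2x2 gates: (a (x) b)[2i1+i2][2j1+j2] = a[i1][j1] * b[i2][j2]."""
    return [[a[i // 2][j // 2] * b[i % 2][j % 2] for j in range(4)] for i in range(4)]


def matvec(m: Matrix, v: List[complex]) -> List[complex]:
    return [sum(m[i][j] * v[j] for j in range(4)) for i in range(4)]


def oracle_matrix(f: Callable[[int], int]) -> Matrix:
    """U_f |x>|y> = |x>|y xor f(x)>.  For f(x) = x this is exactly CNOT."""
    u = [[0] * 4 for _ in range(4)]
    for x in (0, 1):
        for y in (0, 1):
            u[2 * x + (y ^ f(x))][2 * x + y] = 1
    return u


def run_deutsch(f: Callable[[int], int]) -> float:
    """Probability that the first qubit reads 1 after one application of U_f.

    Start in |0>|1>; H on both qubits puts x into superposition and y into
    (|0>-|1>)/sqrt2, so U_f only contributes the phase (-1)^f(x) to |x> (phase
    kick-back).  A final H on the first qubit makes the two phases interfere:
    they cancel to |0> if f is constant and add up to |1> if f is balanced.
    """
    state: List[complex] = [0, 1, 0, 0]          # |0>|1>
    state = matvec(kron(H, H), state)            # H on both qubits
    state = matvec(oracle_matrix(f), state)      # the single query
    state = matvec(kron(H, I2), state)           # H on the first qubit only
    return abs(state[2]) ** 2 + abs(state[3]) ** 2


def deutsch(f: Callable[[int], int]) -> str:
    return "balanced" if run_deutsch(f) > 0.5 else "constant"


if __name__ == "__main__":
    for name, f in (("f=0", lambda x: 0), ("f=1", lambda x: 1),
                    ("f=x", lambda x: x), ("f=not x", lambda x: 1 - x)):
        print(name, deutsch(f), round(run_deutsch(f), 6))
```

The simulator has to evaluate f on both inputs to build the matrix U_f, which is the classical cost of describing the black box; the quantum query count is the number of times U_f is applied to the state, and that is one.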