Table of Contents
Chapter 1 Overview of Cryptography
Contents in Brief
1.1 Introduction 1
1.2 Information security and cryptography 2
1.3 Background on functions 6
1.4 Basic terminology and concepts 11
1.5 Symmetric-key encryption 15
1.6 Digital signatures 22
1.7 Authentication and identification 24
1.8 Public-key cryptography 25
1.9 Hash functions 33
1.10 Protocols and mechanisms 33
1.11 Key establishment, management, and certification 35
1.12 Pseudorandom numbers and sequences 39
1.13 Classes of attacks and security models 41
1.14 Notes and further references 45
1.1 Introduction
Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn's The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn's book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.
The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world.
The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method
2 Ch. 1 Overview of Cryptography
for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem.
One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.
The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society.
The purpose of this book is to give an up-to-date treatise of the principles, techniques, and algorithms of interest in cryptographic practice. Emphasis has been placed on those aspects which are most practical and applied. The reader will be made aware of the basic issues and pointed to specific related research in the literature where more in-depth discussions can be found. Due to the volume of material which is covered, most results will be stated without proofs. This also serves the purpose of not obscuring the very applied nature of the subject. This book is intended for both implementers and researchers. It describes algorithms, systems, and their interactions.
Chapter 1 is a tutorial on the many and various aspects of cryptography. It does not attempt to convey all of the details and subtleties inherent to the subject. Its purpose is to introduce the basic issues and principles and to point the reader to appropriate chapters in the book for more comprehensive treatments. Specific techniques are avoided in this chapter.
1.2 Information security and cryptography
The concept of information will be taken to be an understood quantity. To introduce cryptography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways according to the situation and requirement. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Some of these objectives are listed in Table 1.1.
Over the centuries, an elaborate set of protocols and mechanisms has been created to deal with information security issues when the information is conveyed by physical documents. Often the objectives of information security cannot be achieved through mathematical algorithms and protocols alone, but require procedural techniques and abidance of laws to achieve the desired result. For example, privacy of letters is provided by sealed envelopes delivered by an accepted mail service. The physical security of the envelope is, for practical necessity, limited and so laws are enacted which make it a criminal
© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
1.2 Information security and cryptography 3
privacy or confidentiality                 keeping information secret from all but those who are authorized to see it.
data integrity                             ensuring information has not been altered by unauthorized or unknown means.
entity authentication or identification    corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
message authentication                     corroborating the source of information; also known as data origin authentication.
signature                                  a means to bind information to an entity.
authorization                              conveyance, to another entity, of official sanction to do or be something.
validation                                 a means to provide timeliness of authorization to use or manipulate information or resources.
access control                             restricting access to resources to privileged entities.
certification                              endorsement of information by a trusted entity.
timestamping                               recording the time of creation or existence of information.
witnessing                                 verifying the creation or existence of information by an entity other than the creator.
receipt                                    acknowledgement that information has been received.
confirmation                               acknowledgement that services have been provided.
ownership                                  a means to provide an entity with the legal right to use or transfer a resource to others.
anonymity                                  concealing the identity of an entity involved in some process.
non-repudiation                            preventing the denial of previous commitments or actions.
revocation                                 retraction of certification or authorization.
Table 1.1: Some information security objectives.
offense to open mail for which one is not authorized. It is sometimes the case that security is achieved not through the information itself but through the physical document recording it. For example, paper currency requires special inks and material to prevent counterfeiting.
Conceptually, the way information is recorded has not changed dramatically over time. Whereas information was typically stored and transmitted on paper, much of it now resides on magnetic media and is transmitted via telecommunications systems, some wireless. What has changed dramatically is the ability to copy and alter information. One can make thousands of identical copies of a piece of information stored electronically and each is indistinguishable from the original. With information on paper, this is much more difficult. What is needed then for a society where information is mostly stored and transmitted in electronic form is a means to ensure information security which is independent of the physical medium recording or conveying it and such that the objectives of information security rely solely on digital information itself.
One of the fundamental tools used in information security is the signature. It is a building block for many other services such as non-repudiation, data origin authentication, identification, and witnessing, to mention a few. Having learned the basics in writing, an individual is taught how to produce a handwritten signature for the purpose of identification. At contract age the signature evolves to take on a very integral part of the person's identity. This signature is intended to be unique to the individual and serve as a means to identify, authorize, and validate. With electronic information the concept of a signature needs to be
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
redressed; it cannot simply be something unique to the signer and independent of the information signed. Electronic replication of it is so simple that appending a signature to a document not signed by the originator of the signature is almost a triviality.
Analogues of the "paper protocols" currently in use are required. Hopefully these new electronic based protocols are at least as good as those they replace. There is a unique opportunity for society to introduce new and more efficient ways of ensuring information security. Much can be learned from the evolution of the paper based system, mimicking those aspects which have served us well and removing the inefficiencies.
Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means is provided through cryptography.
1.1 Definition Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.
Cryptography is not the only means of providing information security, but rather one set of techniques.
Cryptographic goals
Of all the information security objectives listed in Table 1.1, the following four form a framework upon which the others will be derived: (1) privacy or confidentiality (§1.5, §1.8); (2) data integrity (§1.9); (3) authentication (§1.7); and (4) non-repudiation (§1.6).
1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.
3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).
4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.
A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.
This book describes a number of basic cryptographic tools (primitives) used to provide information security. Examples of primitives include encryption schemes (§1.5 and §1.8),
hash functions (§1.9), and digital signature schemes (§1.6). Figure 1.1 provides a schematic listing of the primitives considered and how they relate. Many of these will be briefly introduced in this chapter, with detailed discussion left to later chapters. These primitives should
[Figure 1.1, reduced to its labels:]
Security primitives
    Unkeyed primitives
        arbitrary length hash functions
        one-way permutations
        random sequences
    Symmetric-key primitives
        symmetric-key ciphers
            block ciphers
            stream ciphers
        arbitrary length hash functions (MACs)
        signatures
        pseudorandom sequences
        identification primitives
    Public-key primitives
        public-key ciphers
        signatures
        identification primitives
Figure 1.1: A taxonomy of cryptographic primitives.
be evaluated with respect to various criteria such as:
1. level of security. This is usually difficult to quantify. Often it is given in terms of the number of operations required (using the best methods currently known) to defeat the intended objective. Typically the level of security is defined by an upper bound on the amount of work necessary to defeat the objective. This is sometimes called the work factor (see §1.13.4).
2. functionality. Primitives will need to be combined to meet various information security objectives. Which primitives are most effective for a given objective will be determined by the basic properties of the primitives.
3. methods of operation. Primitives, when applied in various ways and with various inputs, will typically exhibit different characteristics; thus, one primitive could provide
very different functionality depending on its mode of operation or usage.
4. performance. This refers to the efficiency of a primitive in a particular mode of operation. (For example, an encryption algorithm may be rated by the number of bits per second which it can encrypt.)
5. ease of implementation. This refers to the difficulty of realizing the primitive in a practical instantiation. This might include the complexity of implementing the primitive in either a software or hardware environment.
The relative importance of various criteria is very much dependent on the application and resources available. For example, in an environment where computing power is limited one may have to trade off a very high level of security for better performance of the system as a whole.
Cryptography, over the ages, has been an art practised by many who have devised ad hoc techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. There are now several international scientific conferences devoted exclusively to cryptography and also an international scientific organization, the International Association for Cryptologic Research (IACR), aimed at fostering research in the area.
This book is about cryptography: the theory, the practice, and the standards.
1.3 Background on functions
While this book is not a treatise on abstract mathematics, a familiarity with basic mathematical concepts will prove to be useful. One concept which is absolutely fundamental to cryptography is that of a function in the mathematical sense. A function is alternately referred to as a mapping or a transformation.
1.3.1 Functions (1-1, one-way, trapdoor one-way)
A set consists of distinct objects which are called elements of the set. For example, a set X might consist of the elements a, b, c, and this is denoted X = {a, b, c}.
1.2 Definition A function is defined by two sets X and Y and a rule f which assigns to each element in X precisely one element in Y. The set X is called the domain of the function and Y the codomain. If x is an element of X (usually written x ∈ X) the image of x is the element in Y which the rule f associates with x; the image y of x is denoted by y = f(x). Standard notation for a function f from set X to set Y is f: X → Y. If y ∈ Y, then a preimage of y is an element x ∈ X for which f(x) = y. The set of all elements in Y which have at least one preimage is called the image of f, denoted Im(f).
1.3 Example (function) Consider the sets X = {a, b, c}, Y = {1, 2, 3, 4}, and the rule f from X to Y defined as f(a) = 2, f(b) = 4, f(c) = 1. Figure 1.2 shows a schematic of the sets X, Y and the function f. The preimage of the element 2 is a. The image of f is {1, 2, 4}. □
Thinking of a function in terms of the schematic (sometimes called a functional diagram) given in Figure 1.2, each element in the domain X has precisely one arrowed line originating from it. Each element in the codomain Y can have any number of arrowed lines incident to it (including zero lines).
1.3 Background on functions 7
[Figure 1.2 (diagram not reproduced): X = {a, b, c} on the left, Y = {1, 2, 3, 4} on the right, with the arrows a → 2, b → 4, c → 1 of Example 1.3.]
Figure 1.2: A function f from a set X of three elements to a set Y of four elements.
Often only the domain X and the rule f are given and the codomain is assumed to be the image of f. This point is illustrated with two examples.
1.4 Example (function) Take X = {1, 2, 3, ..., 10} and let f be the rule that for each x ∈ X, f(x) = r_x, where r_x is the remainder when x^2 is divided by 11. Explicitly then
f(1) = 1,  f(2) = 4,  f(3) = 9,  f(4) = 5,  f(5) = 3,
f(6) = 3,  f(7) = 5,  f(8) = 9,  f(9) = 4,  f(10) = 1.
The image of f is the set Y = {1, 3, 4, 5, 9}. □
1.5 Example (function) Take X = {1, 2, 3, ..., 10^50} and let f be the rule f(x) = r_x, where r_x is the remainder when x^2 is divided by 10^50 + 1, for all x ∈ X. Here it is not feasible to write down f explicitly as in Example 1.4, but nonetheless the function is completely specified by the domain and the mathematical description of the rule f. □
(i) 1-1 functions
1.6 Definition A function (or transformation) is 1-1 (one-to-one) if each element in the codomain Y is the image of at most one element in the domain X.
1.7 Definition A function (or transformation) is onto if each element in the codomain Y is the image of at least one element in the domain. Equivalently, a function f: X → Y is onto if Im(f) = Y.
1.8 Definition If a function f: X → Y is 1-1 and Im(f) = Y, then f is called a bijection.
1.9 Fact If f: X → Y is 1-1 then f: X → Im(f) is a bijection. In particular, if f: X → Y is 1-1, and X and Y are finite sets of the same size, then f is a bijection.
In terms of the schematic representation, if f is a bijection, then each element in Y has exactly one arrowed line incident with it. The functions described in Examples 1.3 and 1.4 are not bijections. In Example 1.3 the element 3 is not the image of any element in the domain. In Example 1.4 each element in the codomain has two preimages.
1.10 Definition If f is a bijection from X to Y then it is a simple matter to define a bijection g from Y to X as follows: for each y ∈ Y define g(y) = x where x ∈ X and f(x) = y. This function g obtained from f is called the inverse function of f and is denoted by g = f^{-1}.
[Figure 1.3 (diagram not reproduced): f maps X = {a, b, c, d, e} onto Y = {1, 2, 3, 4, 5} by arrowed edges, and g is drawn with the arrows reversed.]
Figure 1.3: A bijection f and its inverse g = f^{-1}.
1.11 Example (inverse function) Let X = {a, b, c, d, e}, and Y = {1, 2, 3, 4, 5}, and consider the rule f given by the arrowed edges in Figure 1.3. f is a bijection and its inverse g is formed simply by reversing the arrows on the edges. The domain of g is Y and the codomain is X. □
Note that if f is a bijection, then so is f^{-1}. In cryptography bijections are used as the tool for encrypting messages and the inverse transformations are used to decrypt. This will be made clearer in §1.4 when some basic terminology is introduced. Notice that if the transformations were not bijections then it would not be possible to always decrypt to a unique message.
(ii) One-way functions
There are certain types of functions which play significant roles in cryptography. At the expense of rigor, an intuitive definition of a one-way function is given.
1.12 Definition A function f from a set X to a set Y is called a one-way function if f(x) is "easy" to compute for all x ∈ X but for "essentially all" elements y ∈ Im(f) it is "computationally infeasible" to find any x ∈ X such that f(x) = y.
1.13 Note (clarification of terms in Definition 1.12)
(i) A rigorous definition of the terms "easy" and "computationally infeasible" is necessary but would detract from the simple idea that is being conveyed. For the purpose of this chapter, the intuitive meaning will suffice.
(ii) The phrase "for essentially all elements in Y" refers to the fact that there are a few values y ∈ Y for which it is easy to find an x ∈ X such that y = f(x). For example, one may compute y = f(x) for a small number of x values and then for these, the inverse is known by table look-up. An alternate way to describe this property of a one-way function is the following: for a random y ∈ Im(f) it is computationally infeasible to find any x ∈ X such that f(x) = y.
The concept of a one-way function is illustrated through the following examples.
1.14 Example (one-way function) Take X = {1, 2, 3, ..., 16} and define f(x) = r_x for all x ∈ X where r_x is the remainder when 3^x is divided by 17. Explicitly,
x      1  2   3   4  5   6   7   8   9  10  11  12  13  14  15  16
f(x)   3  9  10  13  5  15  11  16  14   8   7   4  12   2   6   1
Given a number between 1 and 16, it is relatively easy to find the image of it under f. However, given a number such as 7, without having the table in front of you, it is harder to find
x given that f(x) = 7. Of course, if the number you are given is 3 then it is clear that x = 1 is what you need; but for most of the elements in the codomain it is not that easy. □
One must keep in mind that this is an example which uses very small numbers; the important point here is that there is a difference in the amount of work to compute f(x) and the amount of work to find x given f(x). Even for very large numbers, f(x) can be computed efficiently using the repeated square-and-multiply algorithm (Algorithm 2.143), whereas the process of finding x from f(x) is much harder.
1.15 Example (one-way function) A prime number is a positive integer greater than 1 whose only positive integer divisors are 1 and itself. Select primes p = 48611, q = 53993, form n = pq = 2624653723, and let X = {1, 2, 3, ..., n - 1}. Define a function f on X by f(x) = r_x for each x ∈ X, where r_x is the remainder when x^3 is divided by n. For instance, f(2489991) = 1981394214 since 2489991^3 = 5881949859 · n + 1981394214. Computing f(x) is a relatively simple thing to do, but to reverse the procedure is much more difficult; that is, given a remainder to find the value x which was originally cubed (raised to the third power). This procedure is referred to as the computation of a modular cube root with modulus n. If the factors of n are unknown and large, this is a difficult problem; however, if the factors p and q of n are known then there is an efficient algorithm for computing modular cube roots. (See §8.2.2(i) for details.) □
Example 1.15 leads one to consider another type of function which will prove to be fundamental in later developments.
(iii) Trapdoor one-way functions
1.16 Definition A trapdoor one-way function is a one-way function f: X → Y with the additional property that given some extra information (called the trapdoor information) it becomes feasible to find for any given y ∈ Im(f), an x ∈ X such that f(x) = y.
Example 1.15 illustrates the concept of a trapdoor one-way function. With the additional information of the factors of n = 2624653723 (namely, p = 48611 and q = 53993, each of which is five decimal digits long) it becomes much easier to invert the function. The factors of 2624653723 are large enough that finding them by hand computation would be difficult. Of course, any reasonable computer program could find the factors relatively quickly. If, on the other hand, one selects p and q to be very large distinct prime numbers (each having about 100 decimal digits) then, by today's standards, it is a difficult problem, even with the most powerful computers, to deduce p and q simply from n. This is the well-known integer factorization problem (see §3.2) and a source of many trapdoor one-way functions.
It remains to be rigorously established whether there actually are any (true) one-way functions. That is to say, no one has yet definitively proved the existence of such functions under reasonable (and rigorous) definitions of "easy" and "computationally infeasible". Since the existence of one-way functions is still unknown, the existence of trapdoor one-way functions is also unknown. However, there are a number of good candidates for one-way and trapdoor one-way functions. Many of these are discussed in this book, with emphasis given to those which are practical.
One-way and trapdoor one-way functions are the basis for public-key cryptography (discussed in §1.8). The importance of these concepts will become clearer when their application to cryptographic techniques is considered. It will be worthwhile to keep the abstract concepts of this section in mind as concrete methods are presented.
1.3.2 Permutations
Permutations are functions which are often used in various cryptographic constructs.
1.17 Definition Let S be a finite set of elements. A permutation p on S is a bijection (Definition 1.8) from S to itself (i.e., p: S → S).
1.18 Example (permutation) Let S = {1, 2, 3, 4, 5}. A permutation p: S → S is defined as follows:
p(1) = 3,  p(2) = 5,  p(3) = 4,  p(4) = 2,  p(5) = 1.
A permutation can be described in various ways. It can be displayed as above or as an array:
p = ( 1 2 3 4 5 )          (1.1)
    ( 3 5 4 2 1 )
where the top row in the array is the domain and the bottom row is the image under the mapping p. Of course, other representations are possible. □
Since permutations are bijections, they have inverses. If a permutation is written as an array (see 1.1), its inverse is easily found by interchanging the rows in the array and reordering the elements in the new top row if desired (the bottom row would have to be reordered correspondingly). The inverse of p in Example 1.18 is
p^{-1} = ( 1 2 3 4 5 )
         ( 5 4 1 3 2 ).
1.19 Example (permutation) Let X be the set of integers {0, 1, 2, ..., pq - 1} where p and q are distinct large primes (for example, p and q are each about 100 decimal digits long), and suppose that neither p - 1 nor q - 1 is divisible by 3. Then the function p(x) = r_x, where r_x is the remainder when x^3 is divided by pq, can be shown to be a permutation. Determining the inverse permutation is computationally infeasible by today's standards unless p and q are known (cf. Example 1.15). □
1.3.3 Involutions
Another type of function which will be referred to in §1.5.3 is an involution. Involutions have the property that they are their own inverses.
1.20 Definition Let S be a finite set and let f be a bijection from S to S (i.e., f: S → S). The function f is called an involution if f = f^{-1}. An equivalent way of stating this is f(f(x)) = x for all x ∈ S.
1.21 Example (involution) Figure 1.4 is an example of an involution. In the diagram of an involution, note that if y is the image of x then x is the image of y. □
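Definitions 1.6 to 1.10, 1.17 and 1.20 checked on the finite functions of Examples 1.3, 1.4 and 1.18, as an added Python example that is not the Handbook's code; a function is represented as a dict from domain element to image, and the involution is a constructed one because Figure 1.4 is not reproduced on this page.

```python
# Added example (not from the Handbook): Definitions 1.6-1.10, 1.17 and 1.20
# applied to the finite functions of Examples 1.3, 1.4 and 1.18. A function is
# a dict {domain element: image}; the codomain is passed separately because,
# as noted after Example 1.3, it need not equal the image.


def image(f):
    """Im(f): the set of codomain elements with at least one preimage."""
    return set(f.values())


def preimages(f, y):
    """All x in the domain with f(x) = y (a list, since y may have several)."""
    return sorted(x for x, fx in f.items() if fx == y)


def is_one_to_one(f):
    """Definition 1.6: each codomain element is the image of at most one x."""
    return len(image(f)) == len(f)


def is_onto(f, codomain):
    """Definition 1.7: each codomain element is the image of at least one x."""
    return image(f) == set(codomain)


def is_bijection(f, codomain):
    """Definition 1.8: 1-1 and Im(f) = Y."""
    return is_one_to_one(f) and is_onto(f, codomain)


def inverse(f, codomain):
    """Definition 1.10: reverse every arrow. Refuses a non-bijection, which is
    the remark after Example 1.11: without a bijection a given y cannot
    always be 'decrypted' to a unique x."""
    if not is_bijection(f, codomain):
        raise ValueError("f is not a bijection, so f^-1 is not defined")
    return {y: x for x, y in f.items()}


def is_permutation(p):
    """Definition 1.17: a bijection from a set S to itself."""
    return is_bijection(p, p.keys())


def is_involution(f):
    """Definition 1.20: a permutation with f(f(x)) = x for all x, i.e. f = f^-1."""
    return is_permutation(f) and all(f[f[x]] == x for x in f)


def as_array(p):
    """The two-row array of (1.1): sorted domain on top, images below."""
    xs = sorted(p)
    return tuple(xs), tuple(p[x] for x in xs)


# Example 1.3: X = {a, b, c}, Y = {1, 2, 3, 4}
F3 = {"a": 2, "b": 4, "c": 1}
Y3 = [1, 2, 3, 4]

# Example 1.4: f(x) = x^2 mod 11 on X = {1, ..., 10}, codomain taken as Im(f)
F4 = {x: (x * x) % 11 for x in range(1, 11)}

# Example 1.18: the permutation p on S = {1, ..., 5}
P18 = {1: 3, 2: 5, 3: 4, 4: 2, 5: 1}

# A constructed involution (Figure 1.4 is not reproduced on this page):
# swap 1 <-> 2 and 3 <-> 4, fix 5.
INV = {1: 2, 2: 1, 3: 4, 4: 3, 5: 5}

if __name__ == "__main__":
    print(preimages(F3, 2), image(F3))                     # ['a'] {1, 2, 4}
    print(is_onto(F3, Y3))                                 # False: 3 has no preimage
    print([preimages(F4, y) for y in sorted(image(F4))])   # two preimages each
    print(as_array(P18), as_array(inverse(P18, P18.keys())))
    print(is_involution(P18), is_involution(INV))          # False True
```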