Chapter 1
Overview of Cryptography

Contents in Brief
1.1  Introduction .......................................... 1
1.2  Information security and cryptography ................. 2
1.3  Background on functions ............................... 6
1.4  Basic terminology and concepts ........................ 11
1.5  Symmetric-key encryption .............................. 15
1.6  Digital signatures .................................... 22
1.7  Authentication and identification ..................... 24
1.8  Public-key cryptography ............................... 25
1.9  Hash functions ........................................ 33
1.10 Protocols and mechanisms .............................. 33
1.11 Key establishment, management, and certification ...... 35
1.12 Pseudorandom numbers and sequences .................... 39
1.13 Classes of attacks and security models ................ 41
1.14 Notes and further references .......................... 45

1.1 Introduction

Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn's The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn's book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.
The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world.

The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem.

One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.
The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society.

The purpose of this book is to give an up-to-date treatise of the principles, techniques, and algorithms of interest in cryptographic practice. Emphasis has been placed on those aspects which are most practical and applied. The reader will be made aware of the basic issues and pointed to specific related research in the literature where more in-depth discussions can be found. Due to the volume of material which is covered, most results will be stated without proofs. This also serves the purpose of not obscuring the very applied nature of the subject. This book is intended for both implementers and researchers. It describes algorithms, systems, and their interactions.

Chapter 1 is a tutorial on the many and various aspects of cryptography. It does not attempt to convey all of the details and subtleties inherent to the subject. Its purpose is to introduce the basic issues and principles and to point the reader to appropriate chapters in the book for more comprehensive treatments. Specific techniques are avoided in this chapter.

1.2 Information security and cryptography

The concept of information will be taken to be an understood quantity. To introduce cryptography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways according to the situation and requirement. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Some of these objectives are listed in Table 1.1.

Over the centuries, an elaborate set of protocols and mechanisms has been created to deal with information security issues when the information is conveyed by physical documents.
Often the objectives of information security cannot solely be achieved through mathematical algorithms and protocols alone, but require procedural techniques and abidance of laws to achieve the desired result. For example, privacy of letters is provided by sealed envelopes delivered by an accepted mail service. The physical security of the envelope is, for practical necessity, limited and so laws are enacted which make it a criminal offense to open mail for which one is not authorized. It is sometimes the case that security is achieved not through the information itself but through the physical document recording it.

Table 1.1: Some information security objectives.

  privacy or confidentiality       keeping information secret from all but those who are authorized to see it.
  data integrity                   ensuring information has not been altered by unauthorized or unknown means.
  entity authentication            corroboration of the identity of an entity (e.g., a person, a computer terminal,
    or identification                a credit card, etc.).
  message authentication           corroborating the source of information; also known as data origin authentication.
  signature                        a means to bind information to an entity.
  authorization                    conveyance, to another entity, of official sanction to do or be something.
  validation                       a means to provide timeliness of authorization to use or manipulate information or resources.
  access control                   restricting access to resources to privileged entities.
  certification                    endorsement of information by a trusted entity.
  timestamping                     recording the time of creation or existence of information.
  witnessing                       verifying the creation or existence of information by an entity other than the creator.
  receipt                          acknowledgement that information has been received.
  confirmation                     acknowledgement that services have been provided.
  ownership                        a means to provide an entity with the legal right to use or transfer a resource to others.
  anonymity                        concealing the identity of an entity involved in some process.
  non-repudiation                  preventing the denial of previous commitments or actions.
  revocation                       retraction of certification or authorization.

© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
For example, paper currency requires special inks and material to prevent counterfeiting.

Conceptually, the way information is recorded has not changed dramatically over time. Whereas information was typically stored and transmitted on paper, much of it now resides on magnetic media and is transmitted via telecommunications systems, some wireless. What has changed dramatically is the ability to copy and alter information. One can make thousands of identical copies of a piece of information stored electronically and each is indistinguishable from the original. With information on paper, this is much more difficult. What is needed then for a society where information is mostly stored and transmitted in electronic form is a means to ensure information security which is independent of the physical medium recording or conveying it and such that the objectives of information security rely solely on digital information itself.

One of the fundamental tools used in information security is the signature. It is a building block for many other services such as non-repudiation, data origin authentication, identification, and witnessing, to mention a few. Having learned the basics in writing, an individual is taught how to produce a handwritten signature for the purpose of identification. At contract age the signature evolves to take on a very integral part of the person's identity. This signature is intended to be unique to the individual and serve as a means to identify, authorize, and validate. With electronic information the concept of a signature needs to be redressed; it cannot simply be something unique to the signer and independent of the information signed. Electronic replication of it is so simple that appending a signature to a document not signed by the originator of the signature is almost a triviality.

Analogues of the "paper protocols" currently in use are required. Hopefully these new electronic based protocols are at least as good as those they replace.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
There is a unique opportunity for society to introduce new and more efficient ways of ensuring information security. Much can be learned from the evolution of the paper based system, mimicking those aspects which have served us well and removing the inefficiencies.

Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means is provided through cryptography.

1.1 Definition Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques.

Cryptographic goals

Of all the information security objectives listed in Table 1.1, the following four form a framework upon which the others will be derived: (1) privacy or confidentiality (§1.5, §1.8); (2) data integrity (§1.9); (3) authentication (§1.7); and (4) non-repudiation (§1.6).

1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.
3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication.
Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).
4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.

This book describes a number of basic cryptographic tools (primitives) used to provide information security. Examples of primitives include encryption schemes (§1.5 and §1.8), hash functions (§1.9), and digital signature schemes (§1.6). Figure 1.1 provides a schematic listing of the primitives considered and how they relate. Many of these will be briefly introduced in this chapter, with detailed discussion left to later chapters.

[Figure 1.1 (diagram not reproduced): Security Primitives split into Unkeyed Primitives (arbitrary length hash functions; one-way permutations; random sequences), Symmetric-key Primitives (symmetric-key ciphers: block ciphers, stream ciphers; arbitrary length hash functions (MACs); signatures; pseudorandom sequences; identification primitives), and Public-key Primitives (public-key ciphers; signatures; identification primitives).]
Figure 1.1: A taxonomy of cryptographic primitives.

These primitives should be evaluated with respect to various criteria such as:

1. level of security. This is usually difficult to quantify. Often it is given in terms of the number of operations required (using the best methods currently known) to defeat the intended objective. Typically the level of security is defined by an upper bound on the amount of work necessary to defeat the objective. This is sometimes called the work factor (see §1.13.4).
2. functionality.
Primitives will need to be combined to meet various information security objectives. Which primitives are most effective for a given objective will be determined by the basic properties of the primitives.
3. methods of operation. Primitives, when applied in various ways and with various inputs, will typically exhibit different characteristics; thus, one primitive could provide very different functionality depending on its mode of operation or usage.
4. performance. This refers to the efficiency of a primitive in a particular mode of operation. (For example, an encryption algorithm may be rated by the number of bits per second which it can encrypt.)
5. ease of implementation. This refers to the difficulty of realizing the primitive in a practical instantiation. This might include the complexity of implementing the primitive in either a software or hardware environment.

The relative importance of various criteria is very much dependent on the application and resources available. For example, in an environment where computing power is limited one may have to trade off a very high level of security for better performance of the system as a whole.

Cryptography, over the ages, has been an art practised by many who have devised ad hoc techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. There are now several international scientific conferences devoted exclusively to cryptography and also an international scientific organization, the International Association for Cryptologic Research (IACR), aimed at fostering research in the area.

This book is about cryptography: the theory, the practice, and the standards.

1.3 Background on functions

While this book is not a treatise on abstract mathematics, a familiarity with basic mathematical concepts will prove to be useful. One concept which is absolutely fundamental to cryptography is that of a function in the mathematical sense. A function is alternately referred to as a mapping or a transformation.
1.3.1 Functions (1-1, one-way, trapdoor one-way)

A set consists of distinct objects which are called elements of the set. For example, a set $X$ might consist of the elements $a$, $b$, $c$, and this is denoted $X = \{a, b, c\}$.

1.2 Definition A function is defined by two sets $X$ and $Y$ and a rule $f$ which assigns to each element in $X$ precisely one element in $Y$. The set $X$ is called the domain of the function and $Y$ the codomain. If $x$ is an element of $X$ (usually written $x \in X$) the image of $x$ is the element in $Y$ which the rule $f$ associates with $x$; the image $y$ of $x$ is denoted by $y = f(x)$. Standard notation for a function $f$ from set $X$ to set $Y$ is $f: X \to Y$. If $y \in Y$, then a preimage of $y$ is an element $x \in X$ for which $f(x) = y$. The set of all elements in $Y$ which have at least one preimage is called the image of $f$, denoted $\mathrm{Im}(f)$.

1.3 Example (function) Consider the sets $X = \{a, b, c\}$, $Y = \{1, 2, 3, 4\}$, and the rule $f$ from $X$ to $Y$ defined as $f(a) = 2$, $f(b) = 4$, $f(c) = 1$. Figure 1.2 shows a schematic of the sets $X$, $Y$ and the function $f$. The preimage of the element $2$ is $a$. The image of $f$ is $\{1, 2, 4\}$. □

Thinking of a function in terms of the schematic (sometimes called a functional diagram) given in Figure 1.2, each element in the domain $X$ has precisely one arrowed line originating from it. Each element in the codomain $Y$ can have any number of arrowed lines incident to it (including zero lines).

Figure 1.2: A function $f$ from a set $X$ of three elements to a set $Y$ of four elements.
Often only the domain $X$ and the rule $f$ are given and the codomain is assumed to be the image of $f$. This point is illustrated with two examples.

1.4 Example (function) Take $X = \{1, 2, 3, \ldots, 10\}$ and let $f$ be the rule that for each $x \in X$, $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by $11$. Explicitly then

$f(1) = 1$, $f(2) = 4$, $f(3) = 9$, $f(4) = 5$, $f(5) = 3$,
$f(6) = 3$, $f(7) = 5$, $f(8) = 9$, $f(9) = 4$, $f(10) = 1$.

The image of $f$ is the set $Y = \{1, 3, 4, 5, 9\}$. □

1.5 Example (function) Take $X = \{1, 2, 3, \ldots, 10^{50}\}$ and let $f$ be the rule $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by $10^{50} + 1$ for all $x \in X$. Here it is not feasible to write down $f$ explicitly as in Example 1.4, but nonetheless the function is completely specified by the domain and the mathematical description of the rule $f$. □

(i) 1-1 functions

1.6 Definition A function (or transformation) is $1$-$1$ (one-to-one) if each element in the codomain $Y$ is the image of at most one element in the domain $X$.
1.7 Definition A function (or transformation) is onto if each element in the codomain $Y$ is the image of at least one element in the domain. Equivalently, a function $f: X \to Y$ is onto if $\mathrm{Im}(f) = Y$.

1.8 Definition If a function $f: X \to Y$ is $1$-$1$ and $\mathrm{Im}(f) = Y$, then $f$ is called a bijection.

1.9 Fact If $f: X \to Y$ is $1$-$1$ then $f: X \to \mathrm{Im}(f)$ is a bijection. In particular, if $f: X \to Y$ is $1$-$1$, and $X$ and $Y$ are finite sets of the same size, then $f$ is a bijection.

In terms of the schematic representation, if $f$ is a bijection, then each element in $Y$ has exactly one arrowed line incident with it. The functions described in Examples 1.3 and 1.4 are not bijections. In Example 1.3 the element $3$ is not the image of any element in the domain. In Example 1.4 each element in the codomain has two preimages.

1.10 Definition If $f$ is a bijection from $X$ to $Y$ then it is a simple matter to define a bijection $g$ from $Y$ to $X$ as follows: for each $y \in Y$ define $g(y) = x$ where $x \in X$ and $f(x) = y$. This function $g$ obtained from $f$ is called the inverse function of $f$ and is denoted by $g = f^{-1}$.

Figure 1.3: A bijection $f$ and its inverse $g = f^{-1}$.
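As an added illustration (not part of the Handbook), Definitions 1.2 to 1.10 applied to the finite tables of Examples 1.3 and 1.4 in Python; the helper names are my own, and the tables reproduce the book's two examples.

```python
# Finite functions as lookup tables, so that Definitions 1.2-1.10 become checkable.
# Added example, not from the Handbook; F_1_3 and F_1_4 reproduce Examples 1.3 and 1.4.

def image(f: dict) -> set:
    """Im(f): the elements of the codomain that have at least one preimage."""
    return set(f.values())

def preimages(f: dict, y) -> list:
    """Every x in the domain with f(x) = y (empty when y is not in Im(f))."""
    return [x for x, v in f.items() if v == y]

def is_one_to_one(f: dict) -> bool:
    """Definition 1.6: each element of the codomain is hit at most once."""
    return len(set(f.values())) == len(f)

def is_onto(f: dict, codomain) -> bool:
    """Definition 1.7: Im(f) = Y."""
    return image(f) == set(codomain)

def is_bijection(f: dict, codomain) -> bool:
    """Definition 1.8: 1-1 and Im(f) = Y."""
    return is_one_to_one(f) and is_onto(f, codomain)

def inverse(f: dict) -> dict:
    """Definition 1.10: g(y) = x where f(x) = y.  Fact 1.9 says a 1-1 f is a
    bijection onto Im(f), so being 1-1 is exactly what makes g well defined."""
    if not is_one_to_one(f):
        raise ValueError("f is not 1-1: some y has several preimages, no unique inverse")
    return {y: x for x, y in f.items()}

# Example 1.3: X = {a, b, c}, Y = {1, 2, 3, 4}, f(a) = 2, f(b) = 4, f(c) = 1.
F_1_3 = {"a": 2, "b": 4, "c": 1}
Y_1_3 = {1, 2, 3, 4}

# Example 1.4: X = {1, ..., 10}, f(x) = remainder of x^2 divided by 11.
F_1_4 = {x: (x * x) % 11 for x in range(1, 11)}

if __name__ == "__main__":
    print(image(F_1_3), preimages(F_1_3, 2), is_bijection(F_1_3, Y_1_3))
    print(image(F_1_4), [preimages(F_1_4, y) for y in sorted(image(F_1_4))])
```

The second table is the reason the text later insists on bijections: every value of $x^2 \bmod 11$ has two preimages, so no unique inverse exists.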
1.11 Example (inverse function) Let $X = \{a, b, c, d, e\}$, and $Y = \{1, 2, 3, 4, 5\}$, and consider the rule $f$ given by the arrowed edges in Figure 1.3. $f$ is a bijection and its inverse $g$ is formed simply by reversing the arrows on the edges. The domain of $g$ is $Y$ and the codomain is $X$. □

Note that if $f$ is a bijection, then so is $f^{-1}$. In cryptography bijections are used as the tool for encrypting messages and the inverse transformations are used to decrypt. This will be made clearer in §1.4 when some basic terminology is introduced. Notice that if the transformations were not bijections then it would not be possible to always decrypt to a unique message.

(ii) One-way functions

There are certain types of functions which play significant roles in cryptography. At the expense of rigor, an intuitive definition of a one-way function is given.

1.12 Definition A function $f$ from a set $X$ to a set $Y$ is called a one-way function if $f(x)$ is "easy" to compute for all $x \in X$ but for "essentially all" elements $y \in \mathrm{Im}(f)$ it is "computationally infeasible" to find any $x \in X$ such that $f(x) = y$.

1.13 Note (clarification of terms in Definition 1.12)
(i) A rigorous definition of the terms "easy" and "computationally infeasible" is necessary but would detract from the simple idea that is being conveyed. For the purpose of this chapter, the intuitive meaning will suffice.
(ii) The phrase "for essentially all elements in $Y$" refers to the fact that there are a few values $y \in Y$ for which it is easy to find an $x \in X$ such that $y = f(x)$. For example, one may compute $y = f(x)$ for a small number of $x$ values and then for these, the inverse is known by table look-up.
An alternate way to describe this property of a one-way function is the following: for a random $y \in \mathrm{Im}(f)$ it is computationally infeasible to find any $x \in X$ such that $f(x) = y$.

The concept of a one-way function is illustrated through the following examples.

1.14 Example (one-way function) Take $X = \{1, 2, 3, \ldots, 16\}$ and define $f(x) = r_x$ for all $x \in X$ where $r_x$ is the remainder when $3^x$ is divided by $17$. Explicitly,

  x      1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
  f(x)   3  9 10 13  5 15 11 16 14  8  7  4 12  2  6  1

Given a number between $1$ and $16$, it is relatively easy to find the image of it under $f$. However, given a number such as $7$, without having the table in front of you, it is harder to find $x$ given that $f(x) = 7$. Of course, if the number you are given is $3$ then it is clear that $x = 1$ is what you need; but for most of the elements in the codomain it is not that easy. □

One must keep in mind that this is an example which uses very small numbers; the important point here is that there is a difference in the amount of work to compute $f(x)$ and the amount of work to find $x$ given $f(x)$. Even for very large numbers, $f(x)$ can be computed efficiently using the repeated square-and-multiply algorithm (Algorithm 2.143), whereas the process of finding $x$ from $f(x)$ is much harder.
1.15 Example (one-way function) A prime number is a positive integer greater than 1 whose only positive integer divisors are 1 and itself. Select primes $p = 48611$, $q = 53993$, form $n = pq = 2624653723$, and let $X = \{1, 2, 3, \ldots, n - 1\}$. Define a function $f$ on $X$ by $f(x) = r_x$ for each $x \in X$, where $r_x$ is the remainder when $x^3$ is divided by $n$. For instance, $f(2489991) = 1981394214$ since $2489991^3 = 5881949859 \cdot n + 1981394214$. Computing $f(x)$ is a relatively simple thing to do, but to reverse the procedure is much more difficult; that is, given a remainder to find the value $x$ which was originally cubed (raised to the third power). This procedure is referred to as the computation of a modular cube root with modulus $n$. If the factors of $n$ are unknown and large, this is a difficult problem; however, if the factors $p$ and $q$ of $n$ are known then there is an efficient algorithm for computing modular cube roots. (See §8.2.2(i) for details.) □

Example 1.15 leads one to consider another type of function which will prove to be fundamental in later developments.
(iii) Trapdoor one-way functions

1.16 Definition A trapdoor one-way function is a one-way function $f: X \to Y$ with the additional property that given some extra information (called the trapdoor information) it becomes feasible to find for any given $y \in \mathrm{Im}(f)$, an $x \in X$ such that $f(x) = y$.

Example 1.15 illustrates the concept of a trapdoor one-way function. With the additional information of the factors of $n = 2624653723$ (namely, $p = 48611$ and $q = 53993$, each of which is five decimal digits long) it becomes much easier to invert the function. The factors of $2624653723$ are large enough that finding them by hand computation would be difficult. Of course, any reasonable computer program could find the factors relatively quickly. If, on the other hand, one selects $p$ and $q$ to be very large distinct prime numbers (each having about 100 decimal digits) then, by today's standards, it is a difficult problem, even with the most powerful computers, to deduce $p$ and $q$ simply from $n$. This is the well-known integer factorization problem (see §3.2) and a source of many trapdoor one-way functions.

It remains to be rigorously established whether there actually are any (true) one-way functions. That is to say, no one has yet definitively proved the existence of such functions under reasonable (and rigorous) definitions of "easy" and "computationally infeasible". Since the existence of one-way functions is still unknown, the existence of trapdoor one-way functions is also unknown. However, there are a number of good candidates for one-way and trapdoor one-way functions. Many of these are discussed in this book, with emphasis given to those which are practical.

One-way and trapdoor one-way functions are the basis for public-key cryptography (discussed in §1.8).
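Examples 1.14 and 1.15 in Python, as an added example that is not part of the Handbook: $3^x \bmod 17$ is inverted only by exhaustive search, while $x^3 \bmod n$ is inverted easily once $p$ and $q$ are known. The trapdoor inversion below assumes the usual RSA-style method (compute $d = 3^{-1} \bmod \mathrm{lcm}(p-1, q-1)$ and raise $y$ to the $d$), which this section does not spell out; the function names are my own.

```python
# One-way (Example 1.14) and trapdoor one-way (Example 1.15) functions with the
# Handbook's own numbers.  Added example, not from the Handbook.  The trapdoor
# inversion (d = 3^{-1} mod lcm(p-1, q-1), then y^d mod n) is the usual RSA-style
# method and is an assumption of this example, not something this section states.
from math import gcd

# ---- Example 1.14: f(x) = 3^x mod 17 on X = {1, ..., 16} -------------------
def f_exp(x: int, base: int = 3, modulus: int = 17) -> int:
    """Forward direction: square-and-multiply (what Python's pow does)."""
    return pow(base, x, modulus)

def exp_table(base: int = 3, modulus: int = 17) -> list:
    """The table of Example 1.14 as [f(1), ..., f(modulus-1)]."""
    return [f_exp(x, base, modulus) for x in range(1, modulus)]

def invert_exp_by_search(y: int, base: int = 3, modulus: int = 17):
    """Inverse direction without the table: try every x.  The work grows with
    the size of the domain, which is what makes a 100-digit modulus infeasible."""
    for x in range(1, modulus):
        if pow(base, x, modulus) == y:
            return x
    return None                      # y is not in Im(f)

# ---- Example 1.15: f(x) = x^3 mod n, n = p*q -------------------------------
P, Q = 48611, 53993
N = P * Q                            # 2624653723

def f_cube(x: int, n: int = N) -> int:
    """Forward direction: cubing modulo n is cheap even for a 200-digit n."""
    return pow(x, 3, n)

def modinv(a: int, m: int) -> int:
    """a^{-1} mod m by the extended Euclidean algorithm (requires gcd(a, m) == 1)."""
    old_r, r, old_s, s = a % m, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return old_s % m

def cube_root_with_trapdoor(y: int, p: int, q: int) -> int:
    """Trapdoor direction.  With p and q known, 3 is invertible modulo
    lcm(p-1, q-1) because neither p-1 nor q-1 is divisible by 3, and
    x = y^d mod pq with d = 3^{-1} undoes the cubing for every x in {0..pq-1}."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = modinv(3, lam)
    return pow(y, d, p * q)

def factor_by_trial_division(n: int):
    """For a ten-digit n the factors fall to about sqrt(n) ~ 51,000 trial
    divisions; the same loop on a 200-digit n would never finish."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d, n // d
        d += 1
    return None                      # n is prime (or 1)

if __name__ == "__main__":
    print(exp_table(), invert_exp_by_search(7))
    print(f_cube(2489991), cube_root_with_trapdoor(1981394214, P, Q))
    print(factor_by_trial_division(N))
```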
The importance of these concepts will become clearer when their application to cryptographic techniques is considered. It will be worthwhile to keep the abstract concepts of this section in mind as concrete methods are presented.

1.3.2 Permutations

Permutations are functions which are often used in various cryptographic constructs.

1.17 Definition Let $S$ be a finite set of elements. A permutation $p$ on $S$ is a bijection (Definition 1.8) from $S$ to itself (i.e., $p: S \to S$).

1.18 Example (permutation) Let $S = \{1, 2, 3, 4, 5\}$. A permutation $p: S \to S$ is defined as follows:

$p(1) = 3$, $p(2) = 5$, $p(3) = 4$, $p(4) = 2$, $p(5) = 1$.

A permutation can be described in various ways. It can be displayed as above or as an array:

$$p = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 \\ 3 & 5 & 4 & 2 & 1 \end{pmatrix} \qquad (1.1)$$

where the top row in the array is the domain and the bottom row is the image under the mapping $p$. Of course, other representations are possible. □

Since permutations are bijections, they have inverses.
If a permutation is written as an array (see 1.1), its inverse is easily found by interchanging the rows in the array and reordering the elements in the new top row if desired (the bottom row would have to be reordered correspondingly). The inverse of $p$ in Example 1.18 is

$$p^{-1} = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 \\ 5 & 4 & 1 & 3 & 2 \end{pmatrix}.$$

1.19 Example (permutation) Let $X$ be the set of integers $\{0, 1, 2, \ldots, pq - 1\}$ where $p$ and $q$ are distinct large primes (for example, $p$ and $q$ are each about 100 decimal digits long), and suppose that neither $p - 1$ nor $q - 1$ is divisible by 3. Then the function $p(x) = r_x$, where $r_x$ is the remainder when $x^3$ is divided by $pq$, can be shown to be a permutation. Determining the inverse permutation is computationally infeasible by today's standards unless $p$ and $q$ are known (cf. Example 1.15). □

1.3.3 Involutions

Another type of function which will be referred to in §1.5.3 is an involution. Involutions have the property that they are their own inverses.

1.20 Definition Let $S$ be a finite set and let $f$ be a bijection from $S$ to $S$ (i.e., $f: S \to S$). The function $f$ is called an involution if $f = f^{-1}$. An equivalent way of stating this is $f(f(x)) = x$ for all $x \in S$.

1.21 Example (involution) Figure 1.4 is an example of an involution. In the diagram of an involution, note that if $j$ is the image of $i$ then $i$ is the image of $j$. □
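Sections 1.3.2 and 1.3.3 in code, as an added example that is not part of the Handbook: the array of Example 1.18 and the inverse given above, the cube map of Example 1.19 at toy size (where the "neither $p-1$ nor $q-1$ divisible by 3" condition can be checked exhaustively, and seen to fail when violated), and the involution test of Definition 1.20. The small primes and the modular-inversion involution are constructed here.

```python
# Permutations (Definition 1.17, Examples 1.18 and 1.19) and involutions
# (Definition 1.20) checked on finite sets.  Added example, not from the Handbook;
# the toy primes 5, 7, 11, 13 and the modular-inversion involution are constructed.

def is_permutation(f, domain) -> bool:
    """Definition 1.17: a bijection from the finite set S to itself.  On a finite
    set, hitting every element of S with |S| images already rules out collisions."""
    domain = list(domain)
    return {f(x) for x in domain} == set(domain)

def is_involution(f, domain) -> bool:
    """Definition 1.20: f(f(x)) = x for all x, i.e. f equals its own inverse."""
    return all(f(f(x)) == x for x in domain)

def compose(f, g):
    """(f o g)(x) = f(g(x)); a permutation composed with its inverse is the identity."""
    return lambda x: f(g(x))

# Example 1.18 in array form (1.1): bottom row 3 5 4 2 1.  Interchanging the rows
# and re-sorting the top row gives the inverse stated in the text: 5 4 1 3 2.
P_1_18 = {1: 3, 2: 5, 3: 4, 4: 2, 5: 1}
P_1_18_INV = {1: 5, 2: 4, 3: 1, 4: 3, 5: 2}

# Constructed involution on the same set: 1 <-> 2, 3 <-> 5, 4 fixed (cf. Example 1.21).
SWAP = {1: 2, 2: 1, 3: 5, 4: 4, 5: 3}

def cube_mod(p: int, q: int):
    """Example 1.19 at toy size: x -> remainder of x^3 divided by pq."""
    n = p * q
    return lambda x: pow(x, 3, n)

def cube_map_is_permutation(p: int, q: int) -> bool:
    """Exhaustive check on {0, ..., pq-1}.  For distinct primes this is True
    exactly when neither p-1 nor q-1 is divisible by 3 (Example 1.19's condition)."""
    return is_permutation(cube_mod(p, q), range(p * q))

def inversion_mod_prime(m: int):
    """x -> x^{-1} mod m on {1, ..., m-1} for prime m (Fermat: x^{m-2} is the
    inverse).  Inverting an inverse gives x back, so this is an involution."""
    return lambda x: pow(x, m - 2, m)

if __name__ == "__main__":
    print(is_permutation(P_1_18.__getitem__, P_1_18), is_involution(SWAP.__getitem__, SWAP))
    print(cube_map_is_permutation(5, 11), cube_map_is_permutation(7, 11))
    print(is_involution(inversion_mod_prime(17), range(1, 17)))
```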