Notes on Cryptography

Paulo Mateus, Amílcar Sernadas, André Souto and Luís Antunes

2012

1. To make the book a posteriori.

To the guardian

Caution

The themes presented in this work are in a very preliminary phase of maturation. It contains lots of typos, examples that are not yet complete, definitions that are not written with a unified notation, and theorems that are not properly written. In fact, there are lots of topics still to be written and others that will deserve a profound reflection before publishing. Many exercises and examples are taken from other books and are meant to be used in classes. They will be substituted in the meantime by others that fulfill our purposes of presentation and focus on the crucial aspects that we have in mind. Reading these lecture notes requires the reader to be prepared to find some problems of comprehension, and we suggest that it should be complemented with the reading of the standard books used to teach the materials presented here. We suggest, for example, the reading of [Sti06], [MVO96], [KL07] and the other references that we put along the text for a full understanding of cryptography.

Preface

This work is meant to compile in a book the programmatic contents of the introductory course Criptografia e Protocolos de Segurança of the Bologna Master in Mathematics and Applications, and also of the Doctoral programme on Security of Information, lectured in the Mathematical Department of Instituto Superior Técnico of Universidade Técnica de Lisboa. It also uses material lectured in the course Criptografia at the Computer Science Department of Faculdade de Ciências of Universidade do Porto.

The idea of this work is to provide a very useful self-contained book about cryptography, using the perspective of a mathematician and also the perspective of a computer scientist, in order to be a tool that others can use to teach a similar course.

For financial support the author André Souto is deeply thankful to FCT through the grant SFRH/BPD/76231/2011.
We are grateful to the SQIG members for the nice working environment and all the encouragement that they gave us. A special thanks is due to several people with whom we had very helpful discussions, feedback and advice on the themes and the approaches chosen.

2012.

Mathematical Department, Instituto Superior Técnico, Universidade Técnica de Lisboa
Computer Science Department, Faculdade de Ciências da Universidade do Porto
Security and Quantum Information Group, Instituto de Telecomunicações

Contents

Caution
Preface
1 Intro

I Basic concepts

2 Algebraic structures and number theory
2.1 Groups, rings and fields
2.2 The natural numbers
2.3 Congruences and modular algebras
2.3.1 Finite fields
2.4 Exercises

3 Probabilities and Shannon entropy
3.1 Probability theory
3.1.1 The notion of bias of a distribution
3.2 Entropy and information theory

4 Notion of computational complexity
4.1 Pseudo-code as a base for computation
4.2 Measuring complexity
4.2.1 The big-Oh notation
4.2.2 Complexity classes
4.3 One-way functions
4.3.1 The candidates for one-way functions

II Classical Cryptography

5 Classical cryptographic systems
5.1 Cryptographic systems
5.1.1 Steganography
5.1.2 The substitution cipher
5.1.3 The Vernam cipher system
5.1.4 The Vigenère cipher
5.1.5 The Hill cipher
5.1.6 Stream ciphers
5.1.6.1 Linear feedback shift registers
5.2 Block cipher systems
5.2.1 ECB mode
5.2.2 CBC mode
5.2.3 CFB mode
5.2.4 OFB mode
5.3 Breaking down the cryptographic system
5.3.1 Breaking down the substitution cipher
5.3.2 Breaking the Vigenère cipher
5.3.3 Breaking the Hill cipher
5.3.4 Breaking the LFSR
5.4 Exercises

6 Perfect secrecy
6.1 Definition of perfect security and results
6.2 Exercises

7 Block ciphers: DES and AES
7.1 Substitution-permutation networks
7.2 DES – Data Encryption Standard
7.2.1 Description of DES
7.2.2 Breaking down DES
7.2.2.1 Linear approximation of S-boxes
7.2.2.2 The differential attack
7.2.2.3 Analytic attack
7.3 AES – Advanced Encryption Standard
7.3.1 Description of AES
7.4 Exercises

III Public Key Cryptography

8 The story behind public key cryptography
8.1 Describing a public key cryptographic system

9 The RSA cryptographic system
9.1 The RSA cryptographic system
9.2 The Euclidean algorithm for the gcd and modular exponentiation
9.3 Checking primality of numbers fast
9.3.1 The quadratic residue problem and the Legendre and Jacobi symbols
9.3.2 The Solovay–Strassen algorithm
9.3.3 The Miller–Rabin primality test
9.3.4 The AKS algorithm proving that Primes ∈ P
9.4 Attacking RSA – factorizing n
9.4.1 Pollard's p−1 method
9.4.2 Dixon's random squares algorithm
9.4.3 Shor's algorithm for factorization
9.4.3.1 Quantum mechanics
9.4.3.2 The algorithm and its explanation
9.5 Attacking RSA – other attacks
9.6 Attacking RSA based on partial information leaked
9.7 Rabin's cryptographic system and its relationship with RSA
9.8 Exercises

10 Cryptographic schemes based on the discrete logarithm problem
10.1 The discrete logarithm problem