Table Of Contentpreliminary
Paper Script
Information Systems Security
157.738
MSc CompSci Sebastian Link
Version March 24, 2003
Massey University
Department of Information Systems
Private Bag 11222
Palmerston North
New Zealand
Plagiarism 2003
Since most of your marks will contribute towards your overall marks for the course we cannot
acceptworkwhichhasbeenwrittenjointlywithothersunlessitisanapprovedgroupactivity.
Similarly,ifyouincludeinyourassignmentsmaterialgainedfromotherworksinyoursub-
ject area it is absolutely imperative that you give due acknowledgment. Deliberately copying
from printed work and passing it o(cid:11) as your own is cheating.
Copyright 2003
Books, journals, computer software and other teaching materials made available by Massey
University are for the student’s own studies and copying or use of them for other purposes is
an infringement of copyright.
3
Preface
This lecture manual is intended to serve as an introduction to cryptography for graduate
Information Systems students. It is self-contained, especially fundamental mathematical con-
cepts are introduced in a way they will be needed to understand formally how and why
particular cryptographic methods work. Therefore, students are not required to have a deep
mathematical background. Unfortunately, proofs for theorems have been omitted in general,
although the author tried to convey as much mathematical (cid:13)avour as possible.
The script covers a lot more than can be taught within a (cid:12)ve day block course, where it is
important that lectures and exercises alternate.
Basically, greater extracts have been taken and adopted from Stinson’s \Cryptography: The-
ory and Practice" and from the \Handbook of Applied Cryptography".
I am grateful for any kind of helpful suggestions and corrections.
Table of Contents
1 The Signi(cid:12)cance of Cryptography 1
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Information Security and Cryptography . . . . . . . . . . . . . . . . . . . . . 2
2 Simple Cryptosystems 6
2.1 Basics on Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 General De(cid:12)nitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3 Monoalphabetic Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3.1 Modular Arithmetic - Part I. . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.2 The Shift Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3.3 Permutations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3.4 The Substitution Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3.5 Modular Arithmetic - Part II . . . . . . . . . . . . . . . . . . . . . . . 17
2.3.6 The A(cid:14)ne Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.4 Polyalphabetic Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.4.1 The Vigenere Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.4.2 Matrices and determinants . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4.3 The Hill Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.4.4 The Permutation Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.5 Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.5.1 Di(cid:11)erent Levels of Attack . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.5.2 Cryptanalysis of the A(cid:14)ne Cipher . . . . . . . . . . . . . . . . . . . . 35
2.5.3 Cryptanalysis of the Substitution Cipher. . . . . . . . . . . . . . . . . 37
2.5.4 Cryptanalysis of the Vigenere Cipher. . . . . . . . . . . . . . . . . . . 39
2.5.5 A known Plaintext Attack on the Hill Cipher . . . . . . . . . . . . . . 44
3 Modern Block Ciphers 45
3.1 Introduction to block ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2 DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.2.2 Product ciphers and Feistel ciphers . . . . . . . . . . . . . . . . . . . . 46
3.2.3 The DES Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.2.4 Triple DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.2.5 Security and Attacks on DES and Triple DES . . . . . . . . . . . . . . 54
3.2.6 DES Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.3 FEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
ii
3.4 IDEA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.5 SAFER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.6 RC5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.7 The Advanced Encryption Standard: Rijndael . . . . . . . . . . . . . . . . . . 65
3.7.1 The Basic Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.7.2 The Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.7.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.7.4 Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4 The RSA System 73
4.1 Introduction to public-key cryptography . . . . . . . . . . . . . . . . . . . . . 73
4.2 More mathematical background . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.1 Asymptotic notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.2 The Euclidean Algorithm and its extension . . . . . . . . . . . . . . . 78
4.2.3 Algorithms in (cid:0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
n
4.2.4 The Chinese Remainder Theorem and the Gauss-Algorithm . . . . . . 81
4.2.5 Some facts about groups . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.3 The RSA Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.4 Probabilistic Primality Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.4.1 Fermat’s test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.4.2 The Legendre and Jacobi symbols . . . . . . . . . . . . . . . . . . . . 89
4.4.3 Solovay-Strassen Test . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.4.4 Miller-Rabin Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.4.5 A Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.5 The Integer Factorization Problem . . . . . . . . . . . . . . . . . . . . . . . . 96
4.5.1 Trial Division . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.5.2 Pollard’s (cid:26)-method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.5.3 Pollard’s p 1-method . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
(cid:0)
4.5.4 Elliptic curve factoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.5.5 Quadratic sieve factoring . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.6 Attacks on RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.6.1 Relation to factoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.6.2 Small Encryption Exponent b . . . . . . . . . . . . . . . . . . . . . . . 104
4.6.3 Forward Search Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
4.6.4 Small Decryption Exponent a . . . . . . . . . . . . . . . . . . . . . . . 105
4.6.5 Multiplicative Properties . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.6.6 Common modulus attack . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.6.7 Cycling attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.6.8 Message Concealing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.7 RSA Encryption in Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5 The ElGamal Cryptosystem 110
5.1 The ElGamal Cryptosystem and Discrete Logarithms . . . . . . . . . . . . . 110
5.2 Algorithms for the Discrete Log Problem . . . . . . . . . . . . . . . . . . . . 113
5.2.1 The Baby-Step-Giant-Step Algorithm . . . . . . . . . . . . . . . . . . 113
5.2.2 Pollard’s (cid:26)-algorithm for Discrete Logs . . . . . . . . . . . . . . . . . . 114
5.2.3 The Pohlig-Hellman Algorithm . . . . . . . . . . . . . . . . . . . . . . 116
iii
5.2.4 The Index Calculus Method . . . . . . . . . . . . . . . . . . . . . . . . 118
A Cryptography Timeline 121
Chapter 1
The Signi(cid:12)cance of Cryptography
1.1 Introduction
Cryptographyhasalong andfascinating history.Themost complete non-technical account of
the subject isKahn’sThe Codebreakers. Thisbooktraces cryptography fromits initial useby
the Egyptians some 4000 years ago, to the twenties century where it played a crucial role in
the outcome of both world wars. Completed in 1963, Kahn’s book covers those aspects of the
history which are most signi(cid:12)cant (up to that time) to the development of that subject. The
predominantpractitioniers ofthe artwereassociated withthemilitary, the diplomatic service
and government in general. Cryptography was used as a tool to protect national secrets and
strategies.
The proliferation of computers and communications systems in the 1960s brought with
it a demand from the private sector for means to protect information in digital form and to
provide security services. Beginning with the work of Feistel at IBM in the early 1970s and
culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard
for encrypting unclassi(cid:12)ed information, DES, the Data Encryption Standard, is the most
well-known cryptographic mechanism in history. It remains the standard means for securing
electronic commerce for many (cid:12)nancial institutions around the world.
The most striking development in the history of cryptography came 1976 when Di(cid:14)e and
Hellman published New Directions in Cryptography. This paper introduced the revolutionary
concept of public-key cryptography and also provided a new and ingenious method for key
exchange,thesecurityofwhichisbasedontheintractibilityofthediscretelogarithmproblem.
Although the authors had no practical realization scheme at the time, the idea was clear
and it generated extensive interest and activity in the cryptographic community. In 1978
Rivest,ShamirandAdlemandiscoveredthe(cid:12)rstpracticalpublic-keyencryptionandsignature
scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical
problem,theintractibility offactoring largeintegers. Thisapplication of ahardmathematical
problemto cryptographyrevitalized e(cid:11)orts to (cid:12)ndmore e(cid:14)cent methodsto factor. The1980s
saw major advances in this area but none which rendered the RSA system insecure. Another
class of powerful and practical public-key schemes was found by ElGamal in 1985. These are
also based on the discrete logarithm problem.
Oneofthemostsigni(cid:12)cantcontributionsprovidedbypublic-keycryptographyisthedigital
signature. In 1991 the (cid:12)rst international standard for digital signatures (ISO/IEC 9797) was
adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted
CHAPTER 1. THE SIGNIFICANCE OF CRYPTOGRAPHY 2
the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.
The search for new-public schemes, improvements to existing cryptographic mechanisms,
andproofofsecuritycontinuesatarapidpace.Variousstandardsandinfrastructuresinvolving
cryptography are being put in place. Security products are being developed to address the
security needs of an information intensive society.
The purpose of this paper is to give an up-to-date treatise of the principles, techniques,
and algorithms of interest in cryptographic practice. Emphasis has been placed on those
aspects whichare most practical andapplied. Thereaderwill beaware of thebasic issues and
encouraged to further studies in the (cid:12)elds of interest. Due to time restrictions and in view of
the practical intention of this paper, most results will be stated without proofs.
1.2 Information Security and Cryptography
The concept of information will be taken to be an understood quantity. To introduce cryp-
tography, an understanding of issues related to information security in general is necessary.
Informationsecuritymanifestsitselfinmanywaysaccordingtothesituationandrequirement.
Regardless of who is involved, to one degree or another, all parties to a transaction must have
con(cid:12)dence that certain objectives associated with information security have been met. Some
of these objectives are listed in Table 1.1.
privacy keeping information secret from all but those who
or con(cid:12)dentiality are authorized to see it
data integrity ensuring information has not been altered by unauthorized
or unknown means
entity authentication corroborationof the identity of an entity (e.g., a person,
or identi(cid:12)cation a computer terminal, a credit card, etc.)
message corroboratingthe source of information; also known as data
authentication origin authentication
signature a means to bind information to an entity
authorization conveyance,to another entity, of o(cid:14)cial sanction to do or be something
validation a means to provide timeliness of authorization to use or manipulate
information or resources
access control restricting access to resources to privileged entities
certi(cid:12)cation endorsement of information by a trusted entity
timestamping recording the time of creation or existence of information
witnessing verifying the creation or existence of information by an
entity other than the creator
receipt acknowledgementthat information has been received
con(cid:12)rmation acknowledgementthat services have been provided
ownership a means to provide an entity with the legal right to use or
transfer a resourceto others
anonymity concealing the identity of an entity involved in some process
non-repudiation preventing the denial of previous commitments or actions
revocation retraction of certi(cid:12)cation or authorization
Table1.1. Some information security objectives
CHAPTER 1. THE SIGNIFICANCE OF CRYPTOGRAPHY 3
Over the centuries, an elaborate set of protocols and mechanisms has been created to deal
with information security issues when the information is conveyed by physical documents.
Often the objectives of information security cannot solely be achieved through mathematical
algorithms and protocols alone, but require procedural techniques and abidance of laws to
achieve the desired result. For example, privacy of letters is provided by sealed envelopes
delivered by an accepted mail service. The physical security of the envelope is, for practical
necessity, limited and so laws are enacted which make it a criminal o(cid:11)ense to open mail for
which one is not authorized. It is sometimes the case that security is achieved not through
the information itself but through the physical document recording it. For example, paper
currency requires special inks and material to prevent counterfeiting.
Conceptually, the way information is recorded has not changed dramatically over time.
Whereas information was typically stored and transmitted via telecommunications systems,
some wireless. What has changed dramatically is the ability to copy and alter information.
Onecan make thousandsof identical copies ofa piece of information stored electronically and
each is indistinguishable from the original. With information on paper, this is more di(cid:14)cult.
What is needed then for a society where information is mostly stored and transmitted in
electronic formisa means to ensureinformation security which isindependentof the physical
medium recording or conveying it and such that the objectives of information security rely
solely on digital information itself.
One of the fundamental tools used in information security is the signature. It is a building
block for many other services such as non-repudiation, data origin authentication, identi(cid:12)ca-
tion, and witnessing, to mention a few. Having learned the basics in writing, an individual is
taught how to produce a handwritten signature for the purpose of identi(cid:12)cation. At contract
age the signature evolves to take on a very integral part of the person’s identity. This signa-
ture is intended to be unique to the individual and serve as a means to identify, authorize,
and validate. With electronic information the concept of a signature needs to be redressed; it
cannot simply be something unique to the signer and independent of the information signed.
Electronic replication of it is so simple that appending a signature to a document not signed
by the originator of the signature is almost a triviality.
Analogues of the \paper protocols" currently in use are required. Hopefully these new
electronic based protocols are at least as good as those they replace. There is a unique oppor-
tunity to society to introduce new and more e(cid:14)cient ways of ensuring information security.
Much can be learned from the evolution of the paper based system, mimicking those aspects
which have served us well and removing the ine(cid:14)ciencies.
Achieving information security in an electronic society requires a vast array of techniques
and legal skills. There is, however, no guarantee that all of the information security objec-
tieves deemed necessary can be adequately met. The technical means is provided through
cryptography.
De(cid:12)nition1.1. Cryptography is the study of mathematical techniques related to aspects of
information security such as con(cid:12)dentiality, data integrity, entity authentication, and data
origin authentication.
tu
Cryptography is not the only means of providing information security but rather one set of
techniques.
CHAPTER 1. THE SIGNIFICANCE OF CRYPTOGRAPHY 4
Cryptographic goals
Of all the information security objectives listed in Table 1.1, the following four form a frame-
work upon which the others will be derived. (1) privacy or con(cid:12)dentiality; (2) data integrity;
(3) authentication; and (4) non-repudiation.
1. Con(cid:12)dentiality is a service used to keep the content of information from all but those
authorizedtohaveit.Secrecy isatermsynonymouswithcon(cid:12)dentialiyandprivacy.There
are numerousapproaches to providingcon(cid:12)dentiality, ranging fromphysical protection to
mathematical algorithms which render data unintelligible.
2. Data integrity is a service which addresses the unauthorized alteration of data. To assure
data integrity, one must have the ability to detect data manipulation by unauthorized
parties. Data manipulation includes such things as insertion, deletion and substitution.
3. Authentication is a service related to identi(cid:12)cation. This function applies to both entities
and information itself. Two parties entering into a communication should identify each
other. Information delivered over a channel should be authenticated as to origin, date of
origin,datacontent,timesent,etc.Forthesereasonsthisaspectofcryptographyisusually
subdivided into two major classes: entity authentication and data origin authentication.
Data origin authentication implicitly provides data integrity (for if a message is modi(cid:12)ed,
the source has changed).
4. Non-repudiation isaservicewhichpreventsanentityfromdenyingpreviouscommitments
or actions. When disputes arise due to an entity denying that certain actions were taken,
a means to resolve the situation is necessary. For example, one entity may authorize the
purchase of property by another entity and later deny such authorization was granted. A
procedure involving a trusted third party is needed to resolve the dispute.
A fundamental goal of cryptography is to adequately address these four areas in both theory
and practice. Cryptography is about the prevention and detection of cheating and other
malicious activities.
This paper is intended to describe a number of basic cryptographic tools (primitives) used
to provide information security. Unfortunately, we cannot cover all di(cid:11)erent branches that
employ primitives. Nevertheless, we provide a schematic listing of the primitives and how
they relate in Figure 1.1.
These primitives should be evaluated with respect to various criteria such as:
1. Level of Security. This is usually di(cid:14)cult to quantify. Often it is given in terms of the
number of operations required (using the best methods currently known) to defeat the
intended objective. Typically the level of security is de(cid:12)ned by an upper bound on the
amount of work necessary to defeat the objective. This is sometimes called the work
factor.
2. Functionality. Primitives will need to be combined to meet various information security
objectives. Which primitives are most e(cid:11)ective for a given objective will be determined
by the basic properties of the primitives.
3. Methods of operation. Primitives, when applied in various ways and with various inputs,
will typically exhibit di(cid:11)erent characteristics; thus one primitive could provide very dif-
ferent functionality depending on its mode of operation or usage.
4. Performance. Thisrefersto thee(cid:14)ciency ofa primitive ina particularmodeofoperation.
(For example, an encryption algorithm may be rated by the number of bits per second
which it can encrypt.)
Description:ory and Practice” and from the “Handbook of Applied Cryptography”. I am grateful
for any 2.5.3 Cryptanalysis of the Substitution Cipher . 37.
