From da098b4126bce3a41123ad2a08f7f6d1ddcceef2 Mon Sep 17 00:00:00 2001 From: Sungchan Yi Date: Fri, 27 Oct 2023 11:06:42 +0900 Subject: [PATCH] [PUBLISHER] upload files #114 --- ...2023-09-11-symmetric-key-cryptography-1.md | 71 +++++++++++++++---- 1 file changed, 59 insertions(+), 12 deletions(-) diff --git a/_posts/Lecture Notes/Internet Security/2023-09-11-symmetric-key-cryptography-1.md b/_posts/Lecture Notes/Internet Security/2023-09-11-symmetric-key-cryptography-1.md index 039c5aa..fda0d36 100644 --- a/_posts/Lecture Notes/Internet Security/2023-09-11-symmetric-key-cryptography-1.md +++ b/_posts/Lecture Notes/Internet Security/2023-09-11-symmetric-key-cryptography-1.md @@ -24,7 +24,7 @@ github_title: 2023-09-11-symmetric-key-cryptography-1 - A strong encryption algorithm, which is known to the public. - Kerckhoff's principle! - A secret key known only to sender and receiver. -- We assume the **existence of a a secure channel for distributing the key**. +- We assume the **existence of a a secure channel for distributing the key**.[^1] - **Correctness requirement** - Let $m$, $k$ denote the message and the key. - For encryption/decryption algorithm $E$ and $D$, @@ -32,7 +32,7 @@ github_title: 2023-09-11-symmetric-key-cryptography-1 ## Cryptographic Attacks -In increasing order of increasing power of the attacker, +In increasing order of the power of the attacker, - **Ciphertext only attacks**: the attacker has ciphertexts, and tries to obtain information. - **Known plaintext attack**: the attacker has a collection of plaintext/ciphertext pairs. 
@@ -44,8 +44,10 @@ In increasing order of increasing power of the attacker, The following two properties should hold for a secure cipher. - **Diffusion** hides the relationship between the ciphertext and the plaintext. - It should be hard to obtain the plaintext from the ciphertext. + - Changing a single bit of the plaintext affects several bits of the ciphertext, and vice versa. - **Confusion** hides the relationship between the ciphertext and the key. - It should be hard to obtain the key from the ciphertext. + - Each bit of the ciphertext should depend on several parts of the key. ## Primitives @@ -66,8 +68,9 @@ In **substitution cipher**, encryption is done by replacing units of plaintext w - In Caesar cipher, $a = 1$ and $b = 3$. - Encryption: $E(x) = ax + b \pmod m$. - Decryption: $D(x) = a^{-1}(x - b) \pmod m$. -- There are $12$ possible values for $a$, and $26$ possible values for $b$. +- If we use the $26$ alphabets, there are $12$ possible values for $a$, and $26$ possible values for $b$. - $a^{-1}$ does not exist for all $m$. + - We need that $\gcd(a, m) = 1$. The number of possible $a$ values is $\phi(m)$. - This scheme is not secure either, since we can try all possibilities and check if the message makes sense. #### Monoalphabetic Substitution Cipher 
@@ -79,17 +82,17 @@ In **substitution cipher**, encryption is done by replacing units of plaintext w - Decryption is done by replacing each letter $x$ by $\pi^{-1}(x)$. - This scheme is still not secure, since we can try all possibilities on a *modern* computer. -To attack this scheme, we use frequency analysis. Calculate the frequency of each letter and compare it with the actual distribution of English letters. Also, we could use bigrams (2-letters) +To attack this scheme, we use frequency analysis. Calculate the frequency of each letter and compare it with the actual distribution of English letters. We could also use *bigrams* (2-letters) for calculating the frequency. #### Vigenère Cipher - A polyalphabetic substitution - Given a key length $m$, take key $k = (k_1, k_2, \dots, k_m)$. -- For the $i$-th letter $x$, set $j = i \pmod m$. +- For the $i$-th letter $x$, set $j = i \bmod m$. - Encryption is done by replacing $x$ by $x + k_{j}$. - Decryption is done by replacing $x$ by $x - k_j$. -To attack this scheme, find the key length by *index of coincidence*. Then use frequency analysis. +To attack this scheme, find the key length by [*index of coincidence*](https://en.wikipedia.org/wiki/Index_of_coincidence). Then use frequency analysis. #### Hill Cipher 
@@ -113,6 +116,48 @@ This scheme is vulnerable to known plaintext attack, since the equation can be s - To encrypt, reorder the columns by the chosen permutation. - Then the ciphertext is taken by taking letters in column major order. +##### Example + +Suppose we encrypt the following text: + +$$ +\texttt{CRYPTOGRAPHY INTERNET SECURITY} +$$ + +Choose a key $\sigma = (1, 4, 5, 2, 3, 6)$. Then + +$$ +\begin{matrix} \\ +4 & 3 & 6 & 5 & 2 & 1 \\ \hline +\texttt{C} & \texttt{R} & \texttt{Y} & \texttt{P} & \texttt{T} & \texttt{O} \\ +\texttt{G} & \texttt{R} & \texttt{A} & \texttt{P} & \texttt{H} & \texttt{Y} \\ +\texttt{I} & \texttt{N} & \texttt{T} & \texttt{E} & \texttt{R} & \texttt{N} \\ +\texttt{E} & \texttt{T} & \texttt{S} & \texttt{E} & \texttt{C} & \texttt{U} \\ +\texttt{R} & \texttt{I} & \texttt{T} & \texttt{Y} +\end{matrix} +$$ + +Now reorder the columns, + +$$ +\begin{matrix} \\ +1 & 2 & 3 & 4 & 5 & 6 \\ \hline +\texttt{O} & \texttt{T} & \texttt{R} & \texttt{C} & \texttt{P} & \texttt{Y} \\ +\texttt{Y} & \texttt{H} & \texttt{R} & \texttt{G} & \texttt{P} & \texttt{A} \\ +\texttt{N} & \texttt{R} & \texttt{N} & \texttt{I} & \texttt{E} & \texttt{T} \\ +\texttt{U} & \texttt{C} & \texttt{T} & \texttt{E} & \texttt{E} & \texttt{S} \\ +&& \texttt{I} & \texttt{R} & \texttt{Y} & \texttt{T} +\end{matrix} +$$ + +The ciphertext is + +$$ +\texttt{OYNU THRC RRNTI CGIER PPEEY YATST}. +$$ + +The decryption process is the reverse of this operation. It seems to be breakable by inspecting the $i$-th letter of each block and reordering the letters to check if any reordering makes sense. + ### Exclusive OR (XOR) - A bitwise operation $x \oplus y = x + y \pmod 2$. 
@@ -130,8 +175,8 @@ This scheme is vulnerable to known plaintext attack, since the equation can be s $$ \begin{align*} -\mathrm{Pr}[C = 0] &= \mathrm{Pr}[M = 0 \land K = 0] + \mathrm{Pr}[M = 1 \land K = 1] \\ &= \mathrm{Pr}[M = 0] \cdot \mathrm{Pr}[K = 0] + \mathrm{Pr}[M = 1] \cdot \mathrm{Pr}[K = 1] \\ -&= \frac{1}{2}\left(\mathrm{Pr}[M = 0] + \mathrm{Pr}[M = 1]\right) \\ +\Pr[C = 0] &= \Pr[M = 0 \land K = 0] + \Pr[M = 1 \land K = 1] \\ &= \Pr[M = 0] \cdot \Pr[K = 0] + \Pr[M = 1] \cdot \Pr[K = 1] \\ +&= \frac{1}{2}\left(\Pr[M = 0] + \Pr[M = 1]\right) \\ &= \frac{1}{2}. \end{align*} $$ @@ -140,20 +185,20 @@ The case for $C = 1$ is similar. ### One-Time Pad (OTP) -Omitted. +![1. OTP, Stream Ciphers and PRGs > One-Time Pad (OTP)](2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-otp) ## Perfect Secrecy > **Definition.** Let $(E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. We assume that $\lvert \mathcal{K} \rvert = \lvert \mathcal{M} \rvert = \lvert \mathcal{C} \rvert$. The cipher is **perfectly secure** if for all $m \in \mathcal{M}$ and $c \in \mathcal{C}$, > > $$ -> \mathrm{Pr}[\mathcal{M} = m \mid \mathcal{C} = c] = \mathrm{Pr}[\mathcal{M} = m]. +> \Pr[\mathcal{M} = m \mid \mathcal{C} = c] = \Pr[\mathcal{M} = m]. > $$ > > Or equivalently, for all $m_0, m_1 \in \mathcal{M}$, $c \in \mathcal{C}$, > > $$ -> \mathrm{Pr}[E(k, m _ 0) = c] = \mathrm{Pr}[E(k, m _ 1) = c] +> \Pr[E(k, m _ 0) = c] = \Pr[E(k, m _ 1) = c] > $$ > > where $k$ is chosen uniformly in $\mathcal{K}$. @@ -163,7 +208,7 @@ In other words, the adversary learns nothing from the ciphertext. With this definition, we can show that **OTP is perfectly secure**. For all $m \in \mathcal{M}$ and $c \in \mathcal{C}$, $$ -\mathrm{Pr}[E(k, m) = c] = \frac{1}{\lvert \mathcal{K} \rvert} +\Pr[E(k, m) = c] = \frac{1}{\lvert \mathcal{K} \rvert} $$ since for each $m$ and $c$, $k$ is determined uniquely. 
@@ -278,3 +323,5 @@ Given a bit string (defined in the specification), the sender performs long divi - $c \oplus (x \parallel \mathrm{CRC}(x)) = k_s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$ - The receiver will decrypt and get $(m\oplus x \parallel \mathrm{CRC}(m\oplus x))$. - CRC check by the receiver will succeed. + +[^1]: This assumption will be removed when we learn public key cryptography.
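Review bot: the line modified in the `@@ -24,7 +24,7 @@` hunk still reads "existence of a a secure channel" with a doubled article. Since this change already touches the line to add the `[^1]` marker, drop the extra "a" at the same time. The context line above it spells the name "Kerckhoff's principle"; the cryptographer is Kerckhoffs, so the usual form is "Kerckhoffs's principle".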
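Review bot: "several bits" in the new diffusion bullet of the `@@ -44,8 +44,10 @@` hunk is too weak, and "and vice versa" is ambiguous about what the converse is. The usual statement of diffusion is that flipping one plaintext bit should change about half of the ciphertext bits (the avalanche effect). Suggest stating that, and either spelling out the converse or dropping it. The new confusion bullet has the same vagueness in "several parts of the key".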
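Review bot: in the `@@ -66,8 +68,9 @@` hunk the new sub-bullet puts the condition on $a$ ($\gcd(a, m) = 1$), but its parent bullet still says "$a^{-1}$ does not exist for all $m$". For a fixed modulus the inverse fails for some values of $a$, so the parent should read "for all $a$". In the rewritten line, "the $26$ alphabets" should be "the 26 letters of the alphabet", and it is worth saying that $\phi(26) = 12$, so the count of $12$ follows from the formula the sub-bullet adds.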
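Review bot: switching to `j = i \bmod m` in the `@@ -79,17 +82,17 @@` hunk makes $j$ range over $0, \dots, m-1$, while the key in the line above is indexed $k_1, \dots, k_m$, so whenever $i$ is a multiple of $m$ the rule refers to an undefined $k_0$. Either index the key as $(k_0, \dots, k_{m-1})$ or set $j = ((i - 1) \bmod m) + 1$. The encryption and decryption bullets also omit the reduction modulo the alphabet size on $x + k_j$ and $x - k_j$. Minor: "bigrams (2-letters)" would read better as "bigrams (pairs of adjacent letters)".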
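Review bot: the key $\sigma = (1, 4, 5, 2, 3, 6)$ in the new example of the `@@ -113,6 +116,48 @@` hunk only matches the column header "4 3 6 5 2 1" if it is read in cycle notation ($1 \to 4 \to 5 \to 2 \to 3 \to 6 \to 1$). Read as a one-line permutation it gives a different column order, so say which notation is meant, or write the key as the header row directly. The example should also state that spaces are dropped before filling the grid and that the last row is left short rather than padded, since both affect the ciphertext. The empty `\\` straight after each `\begin{matrix}` adds a blank first row and can be removed.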
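Review bot: the second equality in the `@@ -130,8 +175,8 @@` hunk factors $\Pr[M = 0 \land K = 0]$ into a product, which requires $M$ and $K$ to be independent, and the third uses $\Pr[K = 0] = \Pr[K = 1] = \frac{1}{2}$. Neither assumption appears in the lines shown. If they are not stated just above the derivation, add them there, because the conclusion does not hold for a biased or message-dependent key. While the line is being rewritten for `\Pr`, the first row still carries two `\\` breaks on one source line; splitting it would match the rows that follow.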
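Review bot: the replacement for "Omitted." in the `@@ -140,20 +185,20 @@` hunk uses image syntax, `![...](2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-otp)`, with a Markdown file as the target, so it renders as an image element with a non-image source rather than as a link or an embedded section. Drop the leading `!` to make it an ordinary link, and check that the relative `.md` path resolves on the published site. In the definition lines touched for `\Pr`, $\mathcal{M}$ and $\mathcal{C}$ are used both for the message and ciphertext spaces and for the random variables in $\Pr[\mathcal{M} = m \mid \mathcal{C} = c]$; separate symbols such as $M$ and $C$ for the random variables would remove the overload.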