Cryptography Overview

These notes provide very brief overview of some key concepts in cryptography.

What is Cryptography?

The goal of the cryptography is to protect private communication in the public world. The assumption is that two entities wanting to communicate - Alice and Bob - are shouting their messages in a room full of people. Everyone can hear what they are saying. The goal of cryptography is to protect this communication so that only Alice and Bob can understand the content of the messages.

Beyond confidentiality - ensuring the secrecy of communication - cryptography is used for many other purposes, such as:

How do we encrypt messages? Alice could use knowledge of some common secret that only she and Bob know, like "meet at that place where we first had lunch together". This does not work for arbitrary messages, nor for the case where Alice and Bob never communicated before.

Alice could use a secret protocol to encrypt (transform plaintext into ciphertext) and reverse it to decrypt (transform ciphertext into plaintext). This is a bad idea for several reasons:

Alice can use a public protocol that has been well designed, well implemented and analyzed by many people for security. She can use a secret key that she communicates to Bob - a key is much easier to communicate than a whole new protocol. This is how today's crypto schemes work.

Types of Cryptographic Functions

There are three main types of cryptographic functions that are the building blocks of security:
  1. Symmetric cryptography - Alice and Bob know the same key and use it for encryption and decryption.

    Symmetric crypto can be used to ensure secrecy - Alice and Bob exchange the secret key and use it to communicate privately.

    It can also be used for secure storage - Alice encrypts the files she stores in the cloud. If the cloud is compromised no one can read her files.

    Symmetric crypto can also be used for authentication, aka proving that you know a secret without revealing it. Alice and Bob want to prove to each other they know the same secret. Alice chooses a random number and encrypts it with the key. Bob decrypts it and sends it back. Then Bob chooses a secret number and encrypts it and Alice decrypts it and sends it back. Why do we have to do this twice? Who is assured of what in each round?

  2. Asymmetric cryptography - Alice has a pair of keys - a private key known only to her and a public key that anyone can find out. She can encrypt with one key from a pair (any one) and decrypt with another. Asymmetric crypto can do whatever symmetric crypto can but much slower (about 1,500 times slower). However it can also provide some extra functionality.

    In symmetric crypto secret communication between Alice and Bob is only possible if they know the same secret key. But how do they find out this key? They can use asymmetric crypto to exchange it. Bob could advertise his public key on his Web page. Alice could use it to encrypt a secret key and send it to Bob - only he will be able to retrieve it.

    If Alice wants to authenticate Bob she encrypts a message with his public key and he decrypts it and sends it back. Alice can do all this without storing any secret information.

    If Alice orders something from Bob and signs every message by encrypting it with her private key, anyone can verify her signature and no one can forge it. This ensures non-repudiation - Alice cannot deny she sent the message.

  3. Hash functions - these are publicly known functions that reduce a large message to a fixed-size hash, applying a non-linear transformation (aka one-way hashes or message digests). Cryptographic has functions have several important properties: Hash functions are useful to prove message integrity. One can hash the message and display its hash somewhere publicly. When the recipient receives the message they can calculate its hash, compare it with the public one and verify that the message has not been changed. What if I wanted to send the hash with the message? Can I use symmetric or asymmetric crypto to help me generate a signed hash of the message that I can send with the message? How?

    Hashing a large message requires the hash algorithm to break it into chunks, and combine each chunk with the hash of the previous chunks to generate new hash. This process is shown in the picture below.

Attacks on Cryptography

We now briefly mention some attacks one could launch on a cryptographic protocol with the goal to learn the decryption key or in some cases the plaintext that was input to the protocol. We assume that Alice and Bob talk using the cryptographic protocol. Eve is the enemy that can passively observe encrypted messages but cannot change them, while Mallory is the enemy that sits on the path of the messages and can modify them at will.

Ciphertext-only attack

In this attack Eve observes ciphertexts and uses them to guess plaintext and the decryption key. Such attack e.g., would be possible on monoalphabetic cipher, that replaces each letter in the alphabet with another letter, according to a map. Because the frequency of the letters does not change with this cipher Eve can use frequency analysis to break it. How does Eve know that she succeeded? The assumption here is that the plaintext message is in a language Eve can recognize - thus she can differentiate a useful message from a garbage. What if the message were short?

Known-plaintext attack

In this attack Eve knows some portions of the plaintext. How does she know this? Perhaps messages are exchanged using a known protocol, that has predictable fields such as timestamp, a keyword chosen from a small set, etc. This way Eve can collect plaintext-ciphertext pairs and use them to obtain the key if the cipher is simple.

Chosen-plaintext attack

In this attack Mallory can inject some messages to be encrypted and observe the output. Doing this she can generate plaintext-ciphertext pairs at will ans use them to obtain the key.

Man-in-the-middle attack

In this attack Mallory sits on the path of the messages and can do whatever she likes with them. She can modify them, inject new messages, drop the existing ones or replay messages. MITM attacks are notoriously hard to detect and defend from.

Brute-force attack

In this attack Eve will simply try all possible keys until she finds the one that works. Again, there is an assumption that she can tell which one has worked because decryption of a ciphertext will result in something intelligible in a chosen language. This attack can be made arbitrarily hard if the key is long. What if the decryption key depende on a password in some known way, how could Eve use this to break the encryption?

Cryptographic Techniques

Two main cryptographic techniques are substitution and permutation. Substitution replaces chunks of the message with other chunks according to some mapping (e.g., replaces one letter with another letter). Transposition shuffles the chunks of the message around. Substitution changes the characters in the message so to hinder frequency analysis (e.g., if "the" is the most frequent trigram in English and you use 4-letter chunks and encrypt "the " into "abcd" and "ther" into "kyzh" the frequency analysis will be made more difficult). Transposition ensures that placement of the plaintext differs from the placement of the corresponding ciphertext, thus if one knows that each message starts with "HELLO" they have to detect where these characters are in the ciphertext. It also dissipates the redundancy of plaintext in ciphertext, e.g., seeing "morn" you can guess the rest of the letters in that word but seeing "nmro" makes that hard.

Monoalphabetic ciphers

These ciphers substitute one letter of the alphabet with another letter. This implies that there is some map of letters to other letters that both the sender and the reciever have. Frequency analysis can be used to break these ciphers.

Polyalphabetic ciphers

These ciphers work the same way as monoalphabetic ciphers but rotate through several maps. This makes frequency analysis harder.

Homophonic ciphers

These ciphers substitute one letter of the alphabet with a letter chosen from a small set of possible characters in another alphabet. The size of the set is proportional to the frequency of the original letter in the original alphabet. This defeats frequency analysis.

Polygram ciphers

These ciphers substitute one block of plaintext with one block of ciphertext. They work like monoalphabetic ciphers but on blocks instead of characters.

One-time pad

One-time pad is a polyalphabetic cipher with infinite key (infinite number of mappings). Since no mapping repeats itself it is impossible to break but it depends on random number generation. Why? Because such a long key would be impossible to communicate. Instead both Alice and Bob run the same RNG with the same seed and end up with the same key. The key must be generated in pseudorandom manner - it depends on the seed but the next output of RNG cannot be predicted even if all the outputs so far are known.

Symmetric Crypto Algorithms (Shared or Secret Key Crypto)

These algorithms can work on the message either character by character (polyalphabetic - stream ciphers) or block by block (polygram - block ciphers).

Stream Ciphers

Stream ciphers are effectively one-time pads, using the RNG to generate key and then XORing the message with it. If Eve can get hold of plaintext-ciphertext pair she can retrieve the portion of the key. How? Because the key is very long retrieving a portion of it does not help Eve.

Generating Random Numbers

We would like to generate a sequence of numbers that is long but easily reproducible from a seed. A seed is essentially a position in this sequence. If the numbers of the sequence can range from 0 to n we would like to generate them all in some random order before we repeat any of them.

One way to do this is to use a linear congruential generator. Here the next number in the sequence depends linearly on the previous one, like this:

However, research has shown that any linear congruential generator can be broken (the attacker can learn the variables from the outputs and use them to predict the next state of the generator). In fact any polynomial congruential generator can be broken.

Today's RNG use linear feedback shift registers (LFSRs). The register holds the initial state and is transformed into the next state by XORing some bits and appending this value to the left. Contents are then shifted one space to the right and the bit that falls out is the output of the RNG process. The positions of the bits that are XORed are called the "tap sequence" and if properly chosen this generator will have the maximum period (covering all values from 1 to 2^n-1 where n is the size of the register).

Block Ciphers

Block ciphers segment a message into blocks and encrypt each block separately. This encryption usually happens as several rounds of substitution and transposition. Multiple rounds ensure that each input block affects all output blocks, thus the smallest change in the message (e.g., changing one character) results in a completely different output. There are several ways in which one can encrypt a large message, e.g., each segment separately or encrypt it so that later segments' output depends on earlier segments. We will only mention two such techniques - electronic code-book (ECB) and cipher-block chaining (CBC). For each we will discuss how quickly it can operate, how easy it is to break, what happens if we lose synchronization between a sender and a receiver and what happens if there are bit errors during transmission.

Electronic Code Book

This technique encrypts/decrypts each segment separately. It is amenable to parallelization and fast (requires just a table lookup). However, because the same block always encrypts to the same value Eve can identify some plaintext from ciphertext, and may use this for replay or for injection of fake messages. Bit errors invalidate one block. Loss/addition of bits cannot be recovered from but loss/addition of blocks is recoverable easily.

Cipher Block Chaining

Cipher block chaining makes each subsequent block's encryption depend on all the previous blocks, thus preventing modification of parts of the message, forging and replay of messages. Even identical messages will encrypt differently depending on the initialization vector (IV) a block containing random bits that starts encryption process. IV is chosen at random and can be communicated to the destination as plaintext.

CBC is not parallelizable as blocks must be encrypted and decrypted in order. A bit error during transmission invalidates one block and one bit - this is called "error extension". Bit loss/addition is not recoverable. Block loss/addition is also not recoverable.

Asymmetric Crypto Algorithms (Public Key Crypto)

In asymmetric cryptography there are two keys - a public key that everyone knows and a private key known only to its holder. These keys and the design of encryption/decryption algorithm ensure that a message encrypted with one key can only be decrypted with its pair key.

Asymmetric crypto uses modular exponentiation as encryption/decryption. Modular arithmetic occurs on the Galois Field of size n, which means that all operations use operands and produce results in the range 0 .. n-1. Further modular reduction can be performed at any point, thus (a+b) mod n = ((a mod n) + (b mod n)) mod n. Smaller operands lead to faster operation.

Modular exponentiation can be speeded up considerably by performing addition chaining. To calculate a^x mod n one writes x as a binary number and processes it left to right. At each step, the result of the computation so far is squared. If the digit of exponent is 1, the result is also multiplied by a. This leads to at most 2*k multiplications where k is the number of bits in x. Modular reduction should be performed often to keep the operands small. Below is an example of modular exponentiation via addition chaining.

Asymmetric crypto also resides on use of prime numbers. A number is prime if it is only divisible by 1 and itself. Two numbers are relatively prime if they have no common factors other than 1 (e.g., 5 is a prime number, 9 and 8 are relatively prime even though neither is a prime number).

A multiplicative inverse for x in modular arithmetic is a number y such that x*y mod n = 1. Obviously, we need public and private keys in asymmetric crypto to have this property so that M^{x*y} = M^1 = M. The inverse can easily be found if x and n are relatively prime, otherwise it cannot be found. Thus if n is prime all numbers 1 .. n-1 are all relatively prime to n. Extended Euclidean Algorithm can be used to quickly find a multiplicative inverse for a number.

RSA Algorithm

RSA is the most popular and most used asymmetric crypto algorithm. It works in GF(fi(n)) where n = p*q, p and q are large prime numbers and fi(n)=(p-1)*(q-1).

Private key e and public key d are chosen so that they are multiplicative inverses in GF(fi(n)). One publishes n and d and remembers e. The owner of the e,d chooses d at random and can easily calculate e because they know p and q. No one else can calculate e from n and d because n=(p-1)*(q-1), p and q are not public and to discover them one would have to factor a large number n. Asymmetric crypto's strength resides on the fact that it is hard to factor large numbers, i.e. the only way to do so is via brute-force search.

Encryption occurs as shown below:

Decryption occurs as shown below:

Digital Signatures

Digital signatures can provide integrity and non-repudiation. Integrity is provided by hashing the contents of the message and signing this hash with a key, which could be either a shared key or a private key. Both the message and the hash are sent to the receiver. Why is it necessary to sign the hash? Non-repudiation is only provided if the signing is done with the private key of the sender. Why does this not work with the shared key?