Cryptography

Markus Kuhn

Computer Laboratory, University of Cambridge

https://www.cl.cam.ac.uk/teaching/1920/Crypto/

Lent 2020 – CST Part II

crypto-slides.pdf 2020-02-20 22:09 60c0312 1 / 230

What is this course about?
Aims
This course provides an overview of basic modern cryptographic
techniques and covers essential concepts that users of cryptographic
standards need to understand to achieve their intended security goals.

Objectives
By the end of the course you should
I be familiar with commonly used standardized cryptographic building
blocks;
I be able to match application requirements with concrete security
definitions and identify their absence in naive schemes;
I understand various adversarial capabilities and basic attack
algorithms and how they affect key sizes;
I understand and compare the finite groups most commonly used with
discrete-logarithm schemes;
I understand the basic number theory underlying the most common
public-key schemes, and some efficient implementation techniques.
2 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

3 / 230
Related textbooks
Main reference:
I Jonathan Katz, Yehuda Lindell:
Introduction to Modern Cryptography
2nd ed., Chapman & Hall/CRC, 2014
Further reading:
I Christof Paar, Jan Pelzl:
Understanding Cryptography
Springer, 2010
http://www.springerlink.com/content/978-3-642-04100-6/
http://www.crypto-textbook.com/
I Douglas Stinson:
Cryptography – Theory and Practice
3rd ed., CRC Press, 2005
I Menezes, van Oorschot, Vanstone:
Handbook of Applied Cryptography
CRC Press, 1996
http://www.cacr.math.uwaterloo.ca/hac/

The course notes and some of the exercises also contain URLs with more
detailed information.
4 / 230
Common information security targets
Most information-security concerns fall into three broad categories:

Confidentiality ensuring that information is accessible only to those

authorised to have access
Integrity safeguarding the accuracy and completeness of
information and processing methods
Availability ensuring that authorised users have access to
information and associated assets when required

Basic threat scenarios:

Eavesdropper: Alice Bob
(passive)
Eve
Middle-person attack: Alice Mallory Bob
(active)
Eve
Storage security: Alice disk
Mallory
5 / 230
Encryption schemes
Encryption schemes are algorithm triples (Gen, Enc, Dec) aimed at
facilitating message confidentiality:

Private-key (symmetric) encryption scheme

I K ← Gen private-key generation
I C ← EncK (M ) encryption of plain-text message M
I DecK (C) = M decryption of cipher-text message C

Public-key (asymmetric) encryption scheme

I (PK , SK ) ← Gen public/secret key-pair generation
I C ← EncPK (M ) encryption using public key
I DecSK (C) = M decryption using secret key

Probabilistic algorithms: Gen and (often also) Enc access a random-bit

generator that can toss coins (uniformly distributed, independent).
Notation: ← assigns the output of a probabilistic algorithm, := that of a deterministic algorithm.
6 / 230
Message integrity schemes
Other cryptographic algorithm triples instead aim at authenticating the
integrity and origin of a message:

Message authentication code (MAC)

I K ← Gen private-key generation
I T := MacK (M ) message tag generation
?
I M 0 6= M ⇒ MAC verification:
MacK (M 0 ) 6= T recalculate and compare tag

Digital signature
I PK , SK ← Gen public/secret key-pair generation
I S ← SignSK (M ) signature generation using secret key
I VrfyPK (M, S) = 1, signature verification using public key
?
M 0 6= M ⇒
VrfyPK (M 0 , S) = 0

7 / 230
Key exchange
Key-agreement protocol
I (PK A , SK A ) ← Gen public/secret key-pair generation by Alice
I (PK B , SK B ) ← Gen public/secret key-pair generation by Bob
I K := DH(SK A , PK B ) key derivation from exchanged public keys
= DH(PK A , SK B )

Diffie–Hellman protocol:
Alice and Bob standardize suitably chosen very large public numbers g, p and q.
Alice picks a random number 0 < x < q and Bob a secret number 0 < y < q as
their respective secret keys. They then exchange the corresponding public keys:
A→B: PK A = g x mod p
B→A: PK B = g y mod p
Alice and Bob each now can calculate
K = (g y mod p)x mod p = (g x mod p)y mod p
and use that as a shared private key. With suitably chosen parameters, outside
observers will not be able to infer x, y, or K.
Why might one also want to sign or otherwise authenticate PK A and/or PK B ?
8 / 230
Key types
I Private keys = symmetric keys
I Public/secret key pairs = asymmetric keys
Warning: this “private” vs “secret” key terminology is not universal in the literature

I Ephemeral keys / session keys are only used briefly and often
generated fresh for each communication session.
They can be used to gain privacy (observers cannot identify users from public keys
exchanged in clear) and forward secrecy (if a communication system gets compromised in
future, this will not compromise past communication).

I Static keys remain unchanged over a longer period of time (typically

months or years) and are usually intended to identify users.
Static public keys are usually sent as part of a signed “certificate” SignSK (A, PK A ),
C
where a “trusted third party” or “certification authority” C certifies that PK A is the public
key associated with user A.

I Master keys are used to generate other derived keys.

I By purpose: encryption, message-integrity, authentication, signing,
key-exchange, certification, revokation, attestation, etc. keys

9 / 230
When is a cryptographic scheme “secure”?
For an encryption scheme, if no adversary can . . .
I . . . find out the secret/private key?
I . . . find the plaintext message M ?
I . . . determine any character/bit of M ?
I . . . determine any information about M from C?
I . . . compute any function of the plaintext M from ciphertext C?
⇒ “semantic security”
For an integrity scheme, should we demand that no adversary can . . .
I . . . find out the secret/private key?
I . . . create a new message M 0 and matching tag/signature?
I . . . create a new M 0 that verifies with a given tag/signature?
I . . . modify or recombine a message+tag so they still verify?
I . . . create two messages with the same signature?
10 / 230
What capabilities may the adversary have?
I access to some ciphertext C
I access to some plaintext/ciphertext pairs (M, C) with
C ← EncK (M )?
I ability to trick the user of EncK into encrypting some plaintext of
the adversary’s choice and return the result?
(“oracle access” to Enc)
I ability to trick the user of DecK into decrypting some ciphertext of
the adversary’s choice and return the result?
(“oracle access” to Dec)?
I ability to modify or replace C en route?
(not limited to eavesdropping)
I how many applications of EncK or DecK can be observed?
I unlimited / polynomial / realistic ( 280 steps) computation time?
I knowledge of all algorithms used

Wanted: Clear definitions of what security of an encryption scheme

means, to guide both designers and users of schemes, and allow proofs.
11 / 230
Kerckhoffs’ principles (1883)
Requirements for a good traditional military encryption system:
1 The system must be substantially, if not mathematically,
undecipherable;
2 The system must not require secrecy and can be stolen by the
enemy without causing trouble;
3 It must be easy to communicate and remember the keys without
requiring written notes, it must also be easy to change or modify the
keys with different participants;
4 The system ought to be compatible with telegraph communication;
5 The system must be portable, and its use must not require more
than one person;
6 Finally, regarding the circumstances in which such system is applied,
it must be easy to use and must neither require stress of mind nor
the knowledge of a long series of rules.
Auguste Kerckhoffs: La cryptographie militaire, Journal des sciences militaires, 1883.
http://petitcolas.net/fabien/kerckhoffs/
12 / 230
Kerckhoffs’ principles (1883)
Requirements for a good traditional military encryption system:
1 The system must be substantially, if not mathematically,
undecipherable;
2 The system must not require secrecy and can be stolen by the
enemy without causing trouble;
3 It must be easy to communicate and remember the keys without
requiring written notes, it must also be easy to change or modify the
keys with different participants;
4 The system ought to be compatible with telegraph communication;
5 The system must be portable, and its use must not require more
than one person;
6 Finally, regarding the circumstances in which such system is applied,
it must be easy to use and must neither require stress of mind nor
the knowledge of a long series of rules.
Auguste Kerckhoffs: La cryptographie militaire, Journal des sciences militaires, 1883.
http://petitcolas.net/fabien/kerckhoffs/
12 / 230
Kerckhoffs’ principle today
Requirement for a modern encryption system:
1 It was evaluated assuming that the enemy knows the system.
2 Its security relies entirely on the key being secret.

13 / 230
Kerckhoffs’ principle today
Requirement for a modern encryption system:
1 It was evaluated assuming that the enemy knows the system.
2 Its security relies entirely on the key being secret.

Note:
I The design and implementation of a secure communication system is
a major investment and is not easily and quickly repeated.
I Relying on the enemy not knowing the encryption system is
generally frowned upon as “security by obscurity”.
I The most trusted cryptographic algorithms have been published,
standardized, and withstood years of cryptanalysis.
I A cryptographic key should be just a random choice that can be
easily replaced, by rerunning a key-generation algorithm.
I Keys can and will be lost: cryptographic systems should provide
support for easy rekeying, redistribution of keys, and quick
revocation of compromised keys.
13 / 230
A note about message length
We explicitly do not worry in the following about the adversary being
able to infer something about the length m of the plaintext message M
by looking at the length n of the ciphertext C.
Therefore, we will consider here in security definitions for encryption
schemes only messages of fixed length m.
Variable-length messages could be extended to a fixed length, by
padding, but this can be expensive. It will depend on the specific
application whether the benefits of fixed-length padding outweigh the
added transmission cost.
Nevertheless, in practice, ciphertext length must always be considered as
a potential information leak. Examples:
I Encrypted-file lengths often permit unambiguous reconstruction of
what pages a HTTPS user accessed on a public web site.
G. Danezis: Traffic analysis of the HTTP protocol over TLS.
http://www0.cs.ucl.ac.uk/staff/G.Danezis/papers/TLSanon.pdf
I Data compression can be abused to extract information from an
encrypted message if an adversary can control part of that message.
J. Kelsey: Compression and information leakage of plaintext.
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
Also: CVE-2012-4929/CRIME
14 / 230
Demo: leaking plaintext through compressed data length
$ cat compression-leak
#!/bin/bash
PLAINTEXT=cafe ←
KEY="N-32m5qEj/emdVr.69w1fX"
ENC="openssl enc -aes-128-ctr -pass pass:$KEY"
for t in {a,b,c,d,e,f}{a,b,c,d,e,f}{a,b,c,d,e,f}{a,b,c,d,e,f} ; do
echo -n "$t "
echo $t $PLAINTEXT | gzip -c | $ENC | wc -c
done | sort -nk2
$ ./compression-leak

15 / 230
Demo: leaking plaintext through compressed data length
$ cat compression-leak
#!/bin/bash
PLAINTEXT=cafe ←
KEY="N-32m5qEj/emdVr.69w1fX"
ENC="openssl enc -aes-128-ctr -pass pass:$KEY"
for t in {a,b,c,d,e,f}{a,b,c,d,e,f}{a,b,c,d,e,f}{a,b,c,d,e,f} ; do
echo -n "$t "
echo $t $PLAINTEXT | gzip -c | $ENC | wc -c
done | sort -nk2
$ ./compression-leak
aafe 44
acaf 44
bafe 44
bcaf 44
cafe 44 ←
ccaf 44
dafe 44
dcaf 44
eafe 44
ecaf 44
fafe 44
fcaf 44
aaaa 46
aaab 46
[. . . remaining 1282 lines not shown . . . ] 15 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

16 / 230
Historic examples of simple ciphers
Shift Cipher: Treat letters {A, . . . , Z} like integers {0, . . . , 25} = Z26 .
Choose key K ∈ Z26 , encrypt each letter individually by addition modulo
26, decrypt by subtraction modulo 26.
Example with K = 25 ≡ −1 (mod 26): IBM→HAL.
K = −3 known as Caesar Cipher, K = 13 as rot13.
The tiny key-space size 26 makes brute-force key search trivial.

Transposition Cipher: K is permutation of letter positions.

Key space is n!, where n is the permutation block length.
K
C
A T T A C K A T D A W N T
T
A
A
W
N
T
A D O
T N E
A R
U T O
B F
T A N W T C A K D A T A B
E

Skytale

Substitution Cipher (monoalphabetic): Key is permutation

K : Z26 ↔ Z26 . Encrypt plaintext M = m1 m2 . . . mn with ci = K(mi )
to get ciphertext C = c1 c2 . . . cn , decrypt with mi = K −1 (ci ).
Key space size 26! > 4 × 1026 makes brute-force search infeasible.
17 / 230
Statistical properties of plain text
English letter frequency
13 E
12
11
10 T
9 A
8 O
I N
%

7 H R S
6
5 D L
4
3 M U W
C F G P Y
2 B K V
1 J Q X Z
0

The most common letters in English:

E, T, A, O, I, N, S, H, R, D, L, U, . . .
The most common digrams in English:
TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, . . .
The most common trigrams in English:
THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, . . .
English text is highly redundant: very roughly 1 bit/letter entropy.
Monoalphabetic substitution ciphers allow simple ciphertext-only attacks based on
digram or trigram statistics (for messages of at least few hundred characters).
18 / 230
Statistical properties of plain text
English letter frequency
13 E
12
11
10 T
9 A
8 O
I N
%

7 S H R
6
5 D L
4
3 U WM
F C G Y P
2 B K
V
1 J X Q Z
0

The most common letters in English:

E, T, A, O, I, N, S, H, R, D, L, U, . . .
The most common digrams in English:
TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, . . .
The most common trigrams in English:
THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, . . .
English text is highly redundant: very roughly 1 bit/letter entropy.
Monoalphabetic substitution ciphers allow simple ciphertext-only attacks based on
digram or trigram statistics (for messages of at least few hundred characters).
18 / 230
Vigenère cipher
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Inputs: BCDEFGHIJKLMNOPQRSTUVWXYZA
CDEFGHIJKLMNOPQRSTUVWXYZAB
I Key word K = k1 k2 . . . kl DEFGHIJKLMNOPQRSTUVWXYZABC
EFGHIJKLMNOPQRSTUVWXYZABCD
I Plain text M = m1 m2 . . . mn FGHIJKLMNOPQRSTUVWXYZABCDE
GHIJKLMNOPQRSTUVWXYZABCDEF
HIJKLMNOPQRSTUVWXYZABCDEFG
Encrypt into ciphertext: IJKLMNOPQRSTUVWXYZABCDEFGH
JKLMNOPQRSTUVWXYZABCDEFGHI
ci = (mi + k[(i−1) mod l]+1 ) mod 26 KLMNOPQRSTUVWXYZABCDEFGHIJ
LMNOPQRSTUVWXYZABCDEFGHIJK
MNOPQRSTUVWXYZABCDEFGHIJKL
NOPQRSTUVWXYZABCDEFGHIJKLM
Example: K = SECRET OPQRSTUVWXYZABCDEFGHIJKLMN
PQRSTUVWXYZABCDEFGHIJKLMNO
S E C R E T S E C ... QRSTUVWXYZABCDEFGHIJKLMNOP
RSTUVWXYZABCDEFGHIJKLMNOPQ
A T T A C K A T D ... STUVWXYZABCDEFGHIJKLMNOPQR
TUVWXYZABCDEFGHIJKLMNOPQRS
S X V R G D S X F ... UVWXYZABCDEFGHIJKLMNOPQRST
VWXYZABCDEFGHIJKLMNOPQRSTU
WXYZABCDEFGHIJKLMNOPQRSTUV
The modular addition can be replaced with XOR: XYZABCDEFGHIJKLMNOPQRSTUVW
YZABCDEFGHIJKLMNOPQRSTUVWX
ci = mi ⊕ k[(i−1) mod l]+1 mi , ki , ci ∈ {0, 1} ZABCDEFGHIJKLMNOPQRSTUVWXY

Vigenère is an example of a polyalphabetic cipher.

19 / 230
Attacking the Vigenère cipher
First determine the key length l. For each candidate keylength l:
I Treat each l-th ciphertext character as part of a separate message
M1 , M2 , . . . , Ml encrypted with just a (monoalphabetic) shift cipher, resulting in
separate ciphertexts C1 , C2 , . . . , Cl .
I Consider the l letter-frequency histograms for these Ci (1 ≤ i ≤ l).
I If choice of l is incorrect, the letter-frequency histograms of each of
C1 , C2 , . . . , Cl will be more even/flatter (as they are the average of several
rotated histograms) than if l was correct.
I If pa,i is the relative frequency of letter a in Ci (for all a in alphabet A), then
the index of coincidence X
IC (Ci ) = p2a,i
a∈A
is the probability that two randomly chosen letters from Ci are identical. IC is a
measure of the unevenness of a histogram (minimal if ∀a ∈ A : pa,i = |A|−1 ).
I Pick the key length l that leads to the highest l−1 li=1 IC (Ci ). In other words,
P
maximise the probability of two letters being identical when looking only at
letters that are a multiple of l characters apart in C.

Once the correct key length l is known, compare the histograms of C1 , C2 , . . . , Cl .

They will just be shifted versions of each other (pa,2 = p(a−k2 +k1 ) mod 26,1 , etc.), and
the shift offsets reveal the differences between the corresponding key characters.
Finally, try decryption with all possible first key characters k1 .
20 / 230
 shifted letter freq. (IC=0.065) shifted letter freq. (IC=0.065)

13 13
12 12
11 11
10 10
9 9
8 8
7 7
6 6
5 5
4 4
3 3
2 2
1 1
0 0

shifted letter freq. (IC=0.065) averaged letter freq. (IC=0.046)

13 13
12 12
11 11
10 10
9 9
8 8
7 7
6 6
5 5
4 4
3 3
2 2
1 1
0 0
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

21 / 230
Perfect secrecy

Computational security
The most efficient known algorithm for breaking a cipher would require
far more computational steps than all hardware available to any adversary
can perform.

Unconditional security
Adversaries have not enough information to decide (from the ciphertext)
whether one plaintext is more likely to be correct than another, even with
unlimited computational power at their disposal.

22 / 230
Perfect secrecy II
Consider a private-key encryption scheme

Enc : K × M → C, Dec : K × C → M

with DecK (EncK (M )) = M for all K ∈ K, M ∈ M, where M, C, K are

the sets of possible plaintexts, ciphertexts and keys, respectively.
Let also M ∈ M, C ∈ C and K ∈ K be values of plaintext, ciphertext
and key. Let P(M ) and P(K) denote an adversary’s respective a-priori
knowledge of the probability that plaintext M or key K are used.
The adversary can then calculate the probability of any ciphertext C as
X
P(C) = P(K) · P(DecK (C)).
K∈K

and can also determine the conditional probability

X
P(C|M ) = P(K)
{K∈K|M =DecK (C)}

23 / 230
Perfect secrecy III
Having eavesdropped some ciphertext C, an adversary can then use
Bayes’ theorem to calculate for any plaintext M ∈ M
P
P(M ) · P(C|M ) P(M ) · {K|M =DecK (C)} P(K)
P(M |C) = = P .
P(C) K P(K) · P(DecK (C))

Perfect secrecy
An encryption scheme over a message space M is perfectly secret if for
every probability distribution over M, every message M ∈ M, and every
ciphertext C ∈ C with P(C) > 0 we have

P(M |C) = P(M ).

In other words: looking at the ciphertext C leads to no new information

beyond what was already known about M in advance ⇒ eavesdropping
C has no benefit, even with unlimited computational power.
C.E. Shannon: Communication theory of secrecy systems. Bell System Technical Journal, Vol 28,
Oct 1949, pp 656–715. http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf
24 / 230
Vernam cipher / one-time pad I
Shannon’s theorem:
Let (Gen, Enc, Dec) be an encryption scheme over a message space M
with |M| = |K| = |C|. It is perfectly secret if and only if
1 Gen chooses every K with equal probability 1/|K|;

2 for every M ∈ M and every C ∈ C, there exists a unique key K ∈ K

such that C = EncK M .

The standard example of a perfectly-secure symmetric encryption scheme:

One-time pad
K = C = M = {0, 1}m
I Gen : K ∈R {0, 1}m (m uniform, independent coin tosses)
I EncK (M ) = K ⊕ M (⊕ = bit-wise XOR)
I DecK (C) = K ⊕ C

Example:
0xbd4b083f6aae ⊕ “Vernam” = 0xbd4b083f6aae ⊕ 0x5665726e616d = 0xeb2e7a510bc3
25 / 230
Vernam cipher / one-time pad II

The one-time pad is a variant of the Vigenère Cipher with l = n: the

key is as long as the plaintext. No key bit is ever used to encrypt more
than one plaintext bit.
Note: If x is a random bit with any probability distribution and y is one with uniform probability
distribution (P(y = 0) = P(y = 1) = 21 ), then the exclusive-or result x ⊕ y will have uniform
probability distribution. This also works for addition modulo m (or for any finite group).

For each possible plaintext M , there exists a key K = M ⊕ C that turns

a given ciphertext C into M = DecK (C). If all K are equally likely, then
also all M will be equally likely for a given C, which fulfills Shannon’s
definition of perfect secrecy.
What happens if you use a one-time pad twice?
One-time pads have been used intensively during significant parts of the 20th century for
diplomatic communications security, e.g. on the telex line between Moscow and Washington. Keys
were generated by hardware random bit stream generators and distributed via trusted couriers.

In the 1940s, the Soviet Union encrypted part of its diplomatic communication using recycled
one-time pads, leading to the success of the US decryption project VENONA.
http://www.nsa.gov/public_info/declass/venona/

26 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

27 / 230
Making the one-time pad more efficient
The one-time pad is very simple, but also very inconvenient:
one key bit for each message bit!
Many standard libraries contain pseudo-random number generators
(PRNGs). They are used in simulations, games, probabilistic algorithms,
testing, etc.
They expand a “seed value” R0 into a sequence of numbers R1 , R2 , . . .
that look very random:
Ri = f (Ri−1 , i)
The results pass numerous statistical tests for randomness (e.g. Marsaglia’s “Diehard” tests).

Can we not use R0 as a short key, split our message M into chunks
M1 , M2 , . . . and XOR with (some function g of) Ri to encrypt Mi ?

Ci = Mi ⊕ g(Ri , i)

28 / 230
Making the one-time pad more efficient
The one-time pad is very simple, but also very inconvenient:
one key bit for each message bit!
Many standard libraries contain pseudo-random number generators
(PRNGs). They are used in simulations, games, probabilistic algorithms,
testing, etc.
They expand a “seed value” R0 into a sequence of numbers R1 , R2 , . . .
that look very random:
Ri = f (Ri−1 , i)
The results pass numerous statistical tests for randomness (e.g. Marsaglia’s “Diehard” tests).

Can we not use R0 as a short key, split our message M into chunks
M1 , M2 , . . . and XOR with (some function g of) Ri to encrypt Mi ?

Ci = Mi ⊕ g(Ri , i)

But what are secure choices for f and g?

What security propery do we expect from such a generator, and what
security can we expect from the resulting encryption scheme?
28 / 230
A non-secure pseudo-random number generator
Example (insecure)
Linear congruential generator with secret parameters (a, b, R0 ):

Ri+1 = (aRi + b) mod m

Attack: guess some plain text (e.g., known file header), obtain for
example (R1 , R2 , R3 ), then solve system of linear equations over Zm :

R2 ≡ aR1 + b (mod m)
R3 ≡ aR2 + b (mod m)

Solution:

a ≡ (R2 − R3 )/(R1 − R2 ) (mod m)

b ≡ R2 − R1 (R2 − R3 )/(R1 − R2 ) (mod m)

Multiple solutions if gcd(R1 − R2 , m) 6= 1: resolved using R4 or just by

trying all possible values.
29 / 230
Private-key (symmetric) encryption
A private-key encryption scheme is a tuple of probabilistic
polynomial-time algorithms (Gen, Enc, Dec) and sets K, M, C such that
I the key generation algorithm Gen receives a security parameter `
and outputs a key K ← Gen(1` ), with K ∈ K, key length |K| ≥ `;
I the encryption algorithm Enc maps a key K and a plaintext
message M ∈ M = {0, 1}m to a ciphertext message
C ← EncK (M );
I the decryption algorithm Dec maps a key K and a ciphertext
C ∈ C = {0, 1}n (n ≥ m) to a plaintext message M := DecK (C);
I for all `, K ← Gen(1` ), and M ∈ {0, 1}m : DecK (EncK (M )) = M .

Notes:
A “polynomial-time algorithm” has constants a, b, c such that the runtime is
always less than a · `b + c if the input is ` bits long. (think Turing machine)
Technicality: we supply the security parameter ` to Gen here in unary encoding (as a sequence of `
“1” bits: 1` ), merely to remain compatible with the notion of “input size” from computational
complexity theory. In practice, Gen usually simply picks ` random bits K ∈R {0, 1}` .
30 / 230
Security definitions for encryption schemes
We define security via the rules of a game played between two players:
I a challenger, who uses an encryption scheme Π = (Gen, Enc, Dec)
I an adversary A, who tries to demonstrate a weakness in Π.
Most of these games follow a simple pattern:
1 the challenger uniformly picks at random a secret bit b ∈R {0, 1}
2 A interacts with the challenger according to the rules of the game
3 At the end, A has to output a bit b0 .
The outcome of such a game XA,Π (`) is either
I b = b0 ⇒ A won the game, we write XA,Π (`) = 1
I b 6= b0 ⇒ A lost the game, we write XA,Π (`) = 0

Advantage
One way to quantify A’s ability to guess b is

AdvXA,Π (`) = P(b = 1 and b0 = 1) − P(b = 0 and b0 = 1)

 

31 / 230
Negligible advantage
Security definition
An encryption scheme Π is considered “X secure” if for all probabilistic
polynomial-time (PPT) adversaries A there exists a “negligible” function
negl such that
1
P(XA,Π (`) = 1) < + negl(`).
2
Some authors prefer the equivalent definition with

AdvXA,Π (`) < negl(`).

Negligible functions
A function negl(`) : N → R is “negligible” if, as ` → ∞, it converges
faster to zero than 1/poly(`) does for any polynomial poly(`).

In practice: We want negl(`) to drop below a small number (e.g., 2−80 or

2−100 ) for modest key lengths ` (e.g., log10 ` ≈ 2 . . . 3). Then no realistic
opponent will have the computational power to repeat the game often enough
to win at least once more than what is expected from random guessing.
32 / 230
“Computationally infeasible”
With good cryptographic primitives, the only form of possible
cryptanalysis should be an exhaustive search of all possible keys (brute
force attack).
The following numbers give a rough idea of the limits involved:
Let’s assume we can later this century produce VLSI chips with 10 GHz
clock frequency and each of these chips costs 10 $ and can test in a
single clock cycle 100 keys. For 10 million $, we could then buy the chips
needed to build a machine that can test 1018 ≈ 260 keys per second.
Such a hypothetical machine could break an 80-bit key in 7 days on
average. For a 128-bit key it would need over 1012 years, that is over
100× the age of the universe.
Rough limit of computational feasiblity: 280 iterations
(i.e., < 260 feasible with effort, but > 2100 certainly not)
For comparison:
I The fastest key search effort using thousands of Internet PCs (RC5-64, 2002) achieved in
the order of 237 keys per second.
http://www.cl.cam.ac.uk/~rnc1/brute.html
http://www.distributed.net/
I Since January 2018, the Bitcoin network has been searching through about 1019 ≈ 263
cryptographic hash values per second, mostly using ASICs.
http://bitcoin.sipa.be/ 33 / 230
Indistinguishability in the presence of an eavesdropper
Private-key encryption scheme Π = (Gen, Enc, Dec), M = {0, 1}m , security parameter `.

Experiment/game PrivKeav
A,Π (`):

1` 1`
M0 , M 1
b ∈R {0, 1}
K ← Gen(1` ) A
C ← EncK (Mb )
challenger C adversary
b b0

Setup:
1 The challenger generates a bit b ∈R {0, 1} and a key K ← Gen(1` ).
2 The adversary A is given input 1`
Rules for the interaction:
1 The adversary A outputs a pair of messages:
M0 , M1 ∈ {0, 1}m .
2 The challenger computes C ← EncK (Mb ) and returns
C to A
Finally, A outputs b0 . If b0 = b then A has succeeded ⇒ PrivKeav
A,Π (`) = 1
34 / 230
Indistinguishability in the presence of an eavesdropper

Definition: A private-key encryption scheme Π has indistinguishable

encryption in the presence of an eavesdropper if for all probabilistic,
polynomial-time adversaries A there exists a negligible function negl,
such that
1
P(PrivKeav
A,Π (`) = 1) ≤ + negl(`)
2

In other words: as we increase the security parameter `, we quickly

reach the point where no eavesdropper can do significantly better than
just randomly guessing b.

35 / 230
Pseudo-random generator I

G : {0, 1}n → {0, 1}e(n) where e(·) is a polynomial (expansion factor)

Definition
G is a pseudo-random generator if both
1 e(n) > n for all n (expansion)
2 for all probabilistic, polynomial-time distinguishers D there exists a
negligible function negl such that

|P(D(r) = 1) − P(D(G(s)) = 1)| ≤ negl(n)

where both r ∈R {0, 1}e(n) and the seed s ∈R {0, 1}n are chosen at
random, and the probabilities are taken over all coin tosses used by
D and for picking r and s.

36 / 230
Pseudo-random generator II
A brute-force distinguisher D would enumerate all 2n possible outputs of
G, and return 1 if the input is one of them.
It would achieve

P(D(G(s)) = 1) = 1
2n
P(D(r) = 1) =
2e(n)
the difference of which converges to 1, which is not negligible.
But a brute-force distinguisher has a exponential run-time O(2n ), and is
therefore excluded!

We do not know how to prove that a given algorithm is a pseudo-random

generator, but there are many algorithms that are widely believed to be.
Some constructions are pseudo-random generators if another well-studied
problem is not solvable in polynomial time.

37 / 230
Encrypting using a pseudo-random generator

We define the following fixed-length private-key encryption scheme:

ΠPRG = (Gen, Enc, Dec):

Let G be a pseudo-random generator with expansion factor e(·),
K = {0, 1}` , M = C = {0, 1}e(`)
I Gen: on input 1` chose K ∈R {0, 1}` randomly
I Enc: C := G(K) ⊕ M
I Dec: M := G(K) ⊕ C

Such constructions are known as “stream ciphers”.

We can prove that ΠPRG has “indistinguishable encryption in the

presence of an eavesdropper” assuming that G is a pseudo-random
generator: if we had a polynomial-time adversary A that can succeed
with non-negligible advantage against ΠPRG , we can turn that using a
polynomial-time algorithm into a polynomial-time distinguisher for G,
which would violate the assumption.

38 / 230
Security proof for a stream cipher
Claim: ΠPRG has indistinguishability in the presence of an eavesdropper
if G is a pseudo-random generator.
Proof: (outline) If ΠPRG did not have indistinguishability in the presence
of an eavesdropper, there would be an adversary A for which
1
(`) := P(PrivKeav
A,ΠPRG (`) = 1) −
2
is not negligible.
Use that A to construct a distinguisher D for G:
I receive input W ∈ {0, 1}e(`)
I pick b ∈R {0, 1}
I run A(1` ) and receive from it M0 , M1 ∈ {0, 1}e(`)
I return C := W ⊕ Mb to A
I receive b0 from A
I return 1 if b0 = b, otherwise return 0
Now, what is |P(D(r) = 1) − P(D(G(K)) = 1)|?
39 / 230
Security proof for a stream cipher (cont’d)

What is |P(D(r) = 1) − P(D(G(K)) = 1)|?

I What is P(D(r) = 1)?
Let Π̃ be an instance of the one-time pad, with key and message
length e(`), i.e. compatible to ΠPRG . In the D(r) case, where we
feed it a random string r ∈R {0, 1}e(n) , then from the point of view
of A being called as a subroutine of D(r), it is confronted with a
one-time pad Π̃. The perfect secrecy of Π̃ implies P(D(r) = 1) = 12 .
I What is P(D(G(K)) = 1)?
In this case, A participates in the game PrivKeav
A,ΠPRG (`). Thus we
eav
have P(D(G(K)) = 1) = P(PrivKA,ΠPRG (`) = 1) = 21 + (`).
Therefore
|P(D(r) = 1) − P(D(G(K)) = 1)| = (`)
which we have assumed not to be negligible, which implies that G is not
a pseudo-random generator, contradicting the assumption.
Katz/Lindell (1st ed.), pp 73-75

40 / 230
Security proofs through reduction
Some key points about this style of “security proof”:
I We have not shown that the encryption scheme ΠPRG is “secure”.
(We don’t know how to do this!)
I We have shown that ΠPRG has one particular type of security
property, if one of its building blocks (G) has another one.
I We have “reduced” the security of construct ΠPRG to another
problem X:
instance of
instance of
problem X Reduction scheme Π A
A0
solution
attack
to X
Here: X = distinguishing output of G from random string
I We have shown how to turn any successful attack on ΠPRG into an
equally successful attack on its underlying building block G.
I “Successful attack” means finding a polynomial-time probabilistic
adversary algorithm that succeeds with non-negligible success
probability in winning the game specified by the security definition.
41 / 230
Security proofs through reduction

In the end, the provable security of some cryptographic construct (e.g.,

ΠPRG , some mode of operation, some security protocol) boils down to
these questions:
I What do we expect from the construct?
I What do we expect from the underlying building blocks?
I Does the construct introduce new weaknesses?
I Does the construct mitigate potential existing weaknesses in its
underlying building blocks?

42 / 230
Indistinguishability in the presence of an eavesdropper
Private-key encryption scheme Π = (Gen, Enc, Dec), M = {0, 1}m , security parameter `.

Experiment/game PrivKeav
A,Π (`):

1` 1`
M0 , M 1
b ∈R {0, 1}
K ← Gen(1` ) A
C ← EncK (Mb )
challenger C adversary
b b0

Setup:
1 The challenger generates a bit b ∈R {0, 1} and a key K ← Gen(1` ).
2 The adversary A is given input 1`
Rules for the interaction:
1 The adversary A outputs a pair of messages:
M0 , M1 ∈ {0, 1}m .
2 The challenger computes C ← EncK (Mb ) and returns
C to A
Finally, A outputs b0 . If b0 = b then A has succeeded ⇒ PrivKeav
A,Π (`) = 1
← 34 / 230
Security for multiple encryptions
Private-key encryption scheme Π = (Gen, Enc, Dec), M = {0, 1}m , security parameter `.

Experiment/game PrivKmult
A,Π (`):

1` 1`
M01 , M02 , . . . , M0t
b ∈R {0, 1}
K ← Gen(1` ) M11 , M12 , . . . , M1t
A
C ← EncK (Mb )
challenger C1, C2, . . . , Ct adversary
b b0

Setup:
1 The challenger generates a bit b ∈R {0, 1} and a key K ← Gen(1` ).
2 The adversary A is given input 1`
Rules for the interaction:
1 The adversary A outputs two sequences of t messages:
M01 , M02 , . . . , M0t and M11 , M12 , . . . , M1t , where all Mji ∈ {0, 1}m .
2 The challenger computes C i ← EncK (Mbi ) and returns
C 1 , C 2 , . . . , C t to A
Finally, A outputs b0 . If b0 = b then A has succeeded ⇒ PrivKmult
A,Π (`) = 1
43 / 230
Security for multiple encryptions (cont’d)
Definition: A private-key encryption scheme Π has indistinguishable
multiple encryptions in the presence of an eavesdropper if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PrivKmult
A,Π (`) = 1) ≤ + negl(`)
2

Same definition as for indistinguishable encryptions in the presence of an eavesdropper, except for
referring to the multi-message eavesdropping experiment PrivKmultA,Π (`).

Example: Does our stream cipher ΠPRG offer indistinguishable multiple

encryptions in the presence of an eavesdropper?

44 / 230
Security for multiple encryptions (cont’d)
Definition: A private-key encryption scheme Π has indistinguishable
multiple encryptions in the presence of an eavesdropper if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PrivKmult
A,Π (`) = 1) ≤ + negl(`)
2

Same definition as for indistinguishable encryptions in the presence of an eavesdropper, except for
referring to the multi-message eavesdropping experiment PrivKmultA,Π (`).

Example: Does our stream cipher ΠPRG offer indistinguishable multiple

encryptions in the presence of an eavesdropper?
No:
Adversary A4 outputs four messages , and
0
returns b = 1 iff .

44 / 230
Security for multiple encryptions (cont’d)
Definition: A private-key encryption scheme Π has indistinguishable
multiple encryptions in the presence of an eavesdropper if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PrivKmult
A,Π (`) = 1) ≤ + negl(`)
2

Same definition as for indistinguishable encryptions in the presence of an eavesdropper, except for
referring to the multi-message eavesdropping experiment PrivKmultA,Π (`).

Example: Does our stream cipher ΠPRG offer indistinguishable multiple

encryptions in the presence of an eavesdropper?
No:
Adversary A4 outputs four messages M01 = M11 = M02 6= M12 , and
returns b0 = 1 iff .

44 / 230
Security for multiple encryptions (cont’d)
Definition: A private-key encryption scheme Π has indistinguishable
multiple encryptions in the presence of an eavesdropper if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PrivKmult
A,Π (`) = 1) ≤ + negl(`)
2

Same definition as for indistinguishable encryptions in the presence of an eavesdropper, except for
referring to the multi-message eavesdropping experiment PrivKmultA,Π (`).

Example: Does our stream cipher ΠPRG offer indistinguishable multiple

encryptions in the presence of an eavesdropper?
No:
Adversary A4 outputs four messages M01 = M11 = M02 6= M12 , and
returns b0 = 1 iff C 1 6= C 2 .

44 / 230
Security for multiple encryptions (cont’d)
Definition: A private-key encryption scheme Π has indistinguishable
multiple encryptions in the presence of an eavesdropper if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PrivKmult
A,Π (`) = 1) ≤ + negl(`)
2

Same definition as for indistinguishable encryptions in the presence of an eavesdropper, except for
referring to the multi-message eavesdropping experiment PrivKmultA,Π (`).

Example: Does our stream cipher ΠPRG offer indistinguishable multiple

encryptions in the presence of an eavesdropper?
No:
Adversary A4 outputs four messages M01 = M11 = M02 6= M12 , and
returns b0 = 1 iff C 1 6= C 2 . P(PrivKmult
A4 ,ΠPRG (`) = 1) =

44 / 230
Security for multiple encryptions (cont’d)
Definition: A private-key encryption scheme Π has indistinguishable
multiple encryptions in the presence of an eavesdropper if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PrivKmult
A,Π (`) = 1) ≤ + negl(`)
2

Same definition as for indistinguishable encryptions in the presence of an eavesdropper, except for
referring to the multi-message eavesdropping experiment PrivKmultA,Π (`).

Example: Does our stream cipher ΠPRG offer indistinguishable multiple

encryptions in the presence of an eavesdropper?
No:
Adversary A4 outputs four messages M01 = M11 = M02 6= M12 , and
returns b0 = 1 iff C 1 6= C 2 . P(PrivKmult
A4 ,ΠPRG (`) = 1) = 1

44 / 230
Security for multiple encryptions (cont’d)
Definition: A private-key encryption scheme Π has indistinguishable
multiple encryptions in the presence of an eavesdropper if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PrivKmult
A,Π (`) = 1) ≤ + negl(`)
2

Same definition as for indistinguishable encryptions in the presence of an eavesdropper, except for
referring to the multi-message eavesdropping experiment PrivKmultA,Π (`).

Example: Does our stream cipher ΠPRG offer indistinguishable multiple

encryptions in the presence of an eavesdropper?
No:
Adversary A4 outputs four messages M01 = M11 = M02 6= M12 , and
returns b0 = 1 iff C 1 6= C 2 . P(PrivKmult
A4 ,ΠPRG (`) = 1) = 1

Actually: Any encryption scheme is going to fail here!

44 / 230
Security for multiple encryptions (cont’d)
Definition: A private-key encryption scheme Π has indistinguishable
multiple encryptions in the presence of an eavesdropper if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PrivKmult
A,Π (`) = 1) ≤ + negl(`)
2

Same definition as for indistinguishable encryptions in the presence of an eavesdropper, except for
referring to the multi-message eavesdropping experiment PrivKmultA,Π (`).

Example: Does our stream cipher ΠPRG offer indistinguishable multiple

encryptions in the presence of an eavesdropper?
No:
Adversary A4 outputs four messages M01 = M11 = M02 6= M12 , and
returns b0 = 1 iff C 1 6= C 2 . P(PrivKmult
A4 ,ΠPRG (`) = 1) = 1

Actually: Any deterministic encryption scheme is going to fail here!

44 / 230
Securing a stream cipher for multiple encryptions I

How can we still use a stream cipher if we want to encrypt multiple

messages M1 , M2 , . . . , Mt using a pseudo-random generator G?

Synchronized mode
Let the PRG run for longer to produce enough output bits for all
messages:

G(K) = R1 kR2 k . . . kRt , Ci = Ri ⊕ Mi

k is concatenation of bit strings

I convenient if M1 , M2 , . . . , Mt all belong to the same
communications session and G is of a type that can produce long
enough output
I requires preservation of internal state of G across sessions

45 / 230
Securing a stream cipher for multiple encryptions II

Unsynchronized mode
Some PRGs have two separate inputs, a key K and an “initial vector”
IV . The private key K remains constant, while IV is freshly chosen at
random for each message, and sent along with the message.

for each i: IVi ∈R {0, 1}n , Ci := (IVi , G(K, IVi ) ⊕ Mi )

But: what exact security properties do we expect of a G with IV input?

This question leads us to a new security primitive and associated security
definition: pseudo-random functions and CPA security.

46 / 230
Security against chosen-plaintext attacks (CPA)
Private-key encryption scheme Π = (Gen, Enc, Dec), M = {0, 1}m , security parameter `.

Experiment/game PrivKcpa A,Π (`):

M 1, M 2, . . . , M t
1` b ∈R {0, 1} 1`
Ct, . . . , C2, C1
K ← Gen(1` ) M0 , M 1
C i ← EncK (M i ) A
C ← EncK (Mb ) C 0
challenger M t+1 , . . . , M t+t adversary
b t+t 0
t+1 b0
C ,...,C

Setup: (as before)

`
1 The challenger generates a bit b ∈R {0, 1} and a key K ← Gen(1 ).
`
2 The adversary A is given input 1

Rules for the interaction:

1 The adversary A is given oracle access to EncK :
A outputs M 1 , gets EncK (M 1 ), outputs M 2 , gets EncK (M 2 ), . . .
m
2 The adversary A outputs a pair of messages: M0 , M1 ∈ {0, 1} .

3 The challenger computes C ← EncK (Mb ) and returns C to A

4 The adversary A continues to have oracle access to EncK .

Finally, A outputs b0 . If b0 = b then A has succeeded ⇒ PrivKcpa
A,Π (`) = 1
47 / 230
Security against chosen-plaintext attacks (cont’d)

Definition: A private-key encryption scheme Π has indistinguishable

multiple encryptions under a chosen-plaintext attack (“is CPA-secure”) if
for all probabilistic, polynomial-time adversaries A there exists a
negligible function negl, such that
1
P(PrivKcpa
A,Π (`) = 1) ≤ + negl(`)
2

Advantages:
I Eavesdroppers can often observe their own text being encrypted,
even where the encrypter never intended to provide an oracle.
(WW2 story: Midway Island/AF, server communication).
I CPA security provably implies security for multiple encryptions.
I CPA security allows us to build a variable-length encryption scheme
simply by using a fixed-length one many times.

48 / 230
Random functions and permutations
Random function
Consider all possible functions of the form
f : {0, 1}m → {0, 1}n
How often do you have to toss a coin to fill the value table of such a
function f with random bits?
How many different such f are there?
An m-bit to n-bit random function f is one that we have picked
uniformly at random from all these possible functions.

49 / 230
Random functions and permutations
Random function
Consider all possible functions of the form
f : {0, 1}m → {0, 1}n
How often do you have to toss a coin to fill the value table of such a
function f with random bits? n · 2m
How many different such f are there?
An m-bit to n-bit random function f is one that we have picked
uniformly at random from all these possible functions.

49 / 230
Random functions and permutations
Random function
Consider all possible functions of the form
f : {0, 1}m → {0, 1}n
How often do you have to toss a coin to fill the value table of such a
function f with random bits? n · 2m
m
How many different such f are there? 2n·2
An m-bit to n-bit random function f is one that we have picked
uniformly at random from all these possible functions.

49 / 230
Random functions and permutations
Random function
Consider all possible functions of the form
f : {0, 1}m → {0, 1}n
How often do you have to toss a coin to fill the value table of such a
function f with random bits? n · 2m
m
How many different such f are there? 2n·2
An m-bit to n-bit random function f is one that we have picked
uniformly at random from all these possible functions.

Random permutation
Consider all possible permutations of the form
g : {0, 1}n ↔ {0, 1}n

How many different such g are there?

An n-bit to n-bit random permutation g is one that we have picked
uniformly at random from all these possible permutations.
49 / 230
Random functions and permutations
Random function
Consider all possible functions of the form
f : {0, 1}m → {0, 1}n
How often do you have to toss a coin to fill the value table of such a
function f with random bits? n · 2m
m
How many different such f are there? 2n·2
An m-bit to n-bit random function f is one that we have picked
uniformly at random from all these possible functions.

Random permutation
Consider all possible permutations of the form
g : {0, 1}n ↔ {0, 1}n

How many different such g are there? 2n !

An n-bit to n-bit random permutation g is one that we have picked
uniformly at random from all these possible permutations.
49 / 230
Pseudo-random functions and permutations
Basic idea:
A pseudo-random function (PRF) is a fixed, efficiently computable
function
F : {0, 1}k × {0, 1}m → {0, 1}n
that (compared to a random function) depends on an additional input
parameter K ∈ {0, 1}k , the key. Each choice of K leads to a function

FK : {0, 1}m → {0, 1}n

For typical key lengths (e.g., k, m ≥ 128), the set of all possible functions
FK will be a tiny subset of the set of all possible random functions f .
For a secure pseudo-random function F there must be no practical way
to distinguish between FK and a corresponding random function f for
anyone who does not know key K.

We can similarly define a keyed pseudo-random permutation.

In some proofs, in the interest of simplicity, we will only consider PRFs with k = m = n.
50 / 230
Pseudo-random function (formal definition)
F : {0, 1}n × {0, 1}n → {0, 1}n efficient, keyed, length preserving
key input output |input|=|output|

Definition
F is a pseudo-random function if for all probabilistic, polynomial-time
distinguishers D there exists a negligible function negl such that
 
F (·) n f (·) n
P(D K (1 ) = 1) − P(D (1 ) = 1) ≤ negl(n)
 

where K ∈R {0, 1}n is chosen uniformly at random and f is chosen uniformly

at random from the set of functions mapping n-bit strings to n-bitstrings.

Notation: Df (·) means that algorithm D has “oracle access” to function f .

51 / 230
Pseudo-random function (formal definition)
F : {0, 1}n × {0, 1}n → {0, 1}n efficient, keyed, length preserving
key input output |input|=|output|

Definition
F is a pseudo-random function if for all probabilistic, polynomial-time
distinguishers D there exists a negligible function negl such that
 
F (·) n f (·) n
P(D K (1 ) = 1) − P(D (1 ) = 1) ≤ negl(n)
 

where K ∈R {0, 1}n is chosen uniformly at random and f is chosen uniformly

at random from the set of functions mapping n-bit strings to n-bitstrings.

Notation: Df (·) means that algorithm D has “oracle access” to function f .

How does this differ from a pseudo-random generator?

51 / 230
Pseudo-random function (formal definition)
F : {0, 1}n × {0, 1}n → {0, 1}n efficient, keyed, length preserving
key input output |input|=|output|

Definition
F is a pseudo-random function if for all probabilistic, polynomial-time
distinguishers D there exists a negligible function negl such that
 
F (·) n f (·) n
P(D K (1 ) = 1) − P(D (1 ) = 1) ≤ negl(n)
 

where K ∈R {0, 1}n is chosen uniformly at random and f is chosen uniformly

at random from the set of functions mapping n-bit strings to n-bitstrings.

Notation: Df (·) means that algorithm D has “oracle access” to function f .

How does this differ from a pseudo-random generator?

The distinguisher of a pseudo-random generator examines a string. Here, the
distinguisher examines entire functions FK and f .
Any description of f would be at least n · 2n bits long and thus cannot be read
in polynomial time. Therefore we can only provide oracle access to the
distinguisher (i.e., allow D to query f a polynomial number of times).
51 / 230
CPA-secure encryption using a pseudo-random function
We define the following fixed-length private-key encryption scheme:

ΠPRF = (Gen, Enc, Dec):

Let F be a pseudo-random function.
I Gen: on input 1` choose K ∈R {0, 1}` randomly
I Enc: read K ∈ {0, 1}` and M ∈ {0, 1}` , choose R ∈R {0, 1}` randomly,
then output
C := (R, FK (R) ⊕ M )
I Dec: read K ∈ {0, 1}` , C = (R, S) ∈ {0, 1}2` , then output

M := FK (R) ⊕ S

52 / 230
CPA-secure encryption using a pseudo-random function
We define the following fixed-length private-key encryption scheme:

ΠPRF = (Gen, Enc, Dec):

Let F be a pseudo-random function.
I Gen: on input 1` choose K ∈R {0, 1}` randomly
I Enc: read K ∈ {0, 1}` and M ∈ {0, 1}` , choose R ∈R {0, 1}` randomly,
then output
C := (R, FK (R) ⊕ M )
I Dec: read K ∈ {0, 1}` , C = (R, S) ∈ {0, 1}2` , then output

M := FK (R) ⊕ S

Strategy for proving ΠPRF to be CPA secure:

1 Show that a variant scheme Π̃ in which we replace FK with a random
function f is CPA secure (just not efficient).
2 Show that replacing f with a pseudo-random function FK cannot make it
insecure, by showing how an attacker on the scheme using FK can be
converted into a distinguisher between f and FK , violating the
assumption that FK is a pseudo-random function. 52 / 230
Security proof for encryption scheme ΠPRF
First consider Π̃, a variant of ΠPRF in which the pseudo-random function
FK was replaced with a random function f . Claim:
1 q(`)
P(PrivKcpa
A,Π̃
(`) = 1) ≤ + ` with q(`) oracle queries
2 2
Recall: when the challenge ciphertext C in PrivKcpa
A,Π̃
(`) is computed, the
challenger picks RC ∈R {0, 1}` and returns C := (RC , f (RC ) ⊕ Mb ).
Case 1: RC is also used in one of the oracle queries. In which case
A can easily find out f (RC ) and decrypt Mb . A makes at most q(`)
oracle queries and there are 2` possible values of RC , this case happens
with a probability of at most q(`)/2` .
Case 2: RC is not used in any of the oracle queries. For A the value
RC remains completely random, f (RC ) remains completely random, mb
is returned one-time pad encrypted, and A can only make a random
guess, so in this case P(b0 = b) = 21 .
P(PrivKcpa
A,Π̃
(`) = 1)
= P(PrivKcpa
A,Π̃
(`) = 1 ∧ Case 1) + P(PrivKcpa
A,Π̃
(`) = 1 ∧ Case 2)
cpa q(`) 1
≤ P(Case 1) + P(PrivKA,Π̃ (`) = 1|Case 2) ≤ ` + .
2 2 53 / 230
Security proof for encryption scheme ΠPRF (cont’d)
Assume we have an attacker A against ΠPRF with non-negligible
1
(`) = P(PrivKcpa
A,ΠPRF (`) = 1) −
2
Its performance against Π̃ is also limited by
1 q(`)
P(PrivKcpa
A,Π̃
(`) = 1) ≤ + `
2 2
Combining those two equations we get
q(`)
P(PrivKcpa cpa
A,ΠPRF (`) = 1) − P(PrivKA,Π̃ (`) = 1) ≥ (`) −
2`
which is not negligible either, allowing us to distinguish f from FK :
Build distinguisher DO using oracle O to play PrivKcpa A,Π (`) with A:
1 Run A(1` ) and for each of its oracle queries M i pick Ri ∈R {0, 1}` ,
then return C i := (Ri , O(Ri ) ⊕ M i ) to A.
2 When A outputs M0 , M1 , pick b ∈R {0, 1} and RC ∈R {0, 1}` , then
return C := (RC , O(RC ) ⊕ Mb ) to A.
3 Continue answering A’s encryption oracle queries. When A outputs
b0 , output 1 if b0 = b, otherwise 0.
54 / 230
Security proof for encryption scheme ΠPRF (cont’d)
How effective is this D?
1 If D’s oracle is FK : A effectively plays PrivKcpa
A,ΠPRF (`) because if
K was chosen randomly, DFK behaves towards A just like ΠPRF ,
and therefore
P(DFK (·) (1` ) = 1) = P(PrivKcpa
A,ΠPRF (`) = 1)

2 If D’s oracle is f : likewise, A effectively plays PrivKcpa

A,Π̃
(`) and
therefore
P(Df (·) (1` ) = 1) = P(PrivKcpa
A,Π̃
(`) = 1)
`
if f ∈R ({0, 1}` ){0,1} is chosen uniformly at random.
All combined the difference
q(`)
P(DFK (·) (1` ) = 1) − P(Df (·) (1` ) = 1) ≥ (`) −
2`
not being negligible implies that FK is not a pseudo-random function,
which contradicts the assumption, so ΠPRF is CPA secure.
Katz/Lindell (1st ed.), pp 90–93
55 / 230
Pseudo-random permutation
F : {0, 1}n × {0, 1}n → {0, 1}n efficient, keyed, length preserving
key input output |input|=|output|
FK is a pseudo-random permutation if
I for every key K, there is a 1-to-1 relationship for input and output
I FK and FK −1
can be calculated with polynomial-time algorithms
I there is no polynomial-time distinguisher that can distinguish FK
(with randomly picked K) from a random permutation.
Note: Any pseudo-random permutation is also a pseudo-random function. A random function f
looks to any distinguisher just like a random permutation until it finds a collision x 6= y with
f (x) = f (y). The probability for finding one in polynomial time is negligible (“birthday problem”).

A strong pseudo-random permutation remains indistinguishable even if

the distinguisher has oracle access to the inverse.
Definition: F is a strong pseudo-random permutation if for all
polynomial-time distinguishers D there exists a negligible function negl
such that
 −1 −1

P(DFK (·),FK (·) (1n ) = 1) − P(Df (·),f (·) (1n ) = 1) ≤ negl(n)
 

where K ∈R {0, 1}n is chosen uniformly at random, and f is chosen

uniformly at random from the set of permutations on n-bit strings.
56 / 230
Probability of collision / Birthday problem
With 23 random people in a room, there is a 0.507 chance that two share a birthday. Surprised?

We throw b balls into n bins, selecting each bin uniformly at random.

With what probability do at least two balls end up in the same bin?
1 10 0
upper bound upper bound
lower bound lower bound
0.8
-10
10
collision probability

collision probability
0.6

10 -20
0.4

10 -30
0.2

0 10 -40
10 0 10 10 10 20 10 30 10 40 10 0 10 10 10 20 10 30 10 40
40 40
number of balls thrown into 10 bins number of balls thrown into 10 bins

Remember: for large n the collision probability

√
I is near 1 for b  n
√ b2
I is near 0 for b  n, growing roughly proportional to n
pπ
Expected number of balls thrown before first collision: 2
n (for n → ∞)
Approximation formulas: http://cseweb.ucsd.edu/~mihir/cse207/w-birthday.pdf
57 / 230
Iterating a random function
f : {1, . . . , n} → {1, . . . , n} nn such functions, pick one at random
Functional graph: vertices {1, . . . , n}, directed edges (i, f (i))

Several components, each a directed cycle and trees attached to it.

Some expected values for n → ∞, random u ∈R {1, . . . , n}:
p
I tail length E(t(u)) = πn/8 f t(u) (u) = f t(u)+c(u)·i (u), ∀i ∈ N,
p
I cycle length E(c(u)) = πn/8 where t(u), c(u) minimal
p
I rho-length E(t(u) + c(u)) = πn/2
p
I predecessors E(|{v|f i (v) = u ∧ i > 0}|) = πn/8
I edges of component containing u: 2n/3
If f is a random permutation: no trees, expected cycle length (n + 1)/2
Menezes/van Oorschot/Vanstone, §2.1.6. Knuth: TAOCP, §1.3.3, exercise 17.
Flajolet/Odlyzko: Random mapping statistics, EUROCRYPT’89, LNCS 434.
58 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

59 / 230
Block ciphers
Practical, efficient algorithms that try to implement a pseudo-random
permutation E (and its inverse D) are called “block ciphers”:
E : {0, 1}k × {0, 1}n → {0, 1}n
D : {0, 1}k × {0, 1}n → {0, 1}n
with DK (EK (M )) = M for all K ∈ {0, 1}k , M ∈ {0, 1}n .
Alphabet size: 2n , size of key space: 2k

Examples: AES, Camellia: k, n = 128 bit; DES, PRESENT: n = 64 bit

Implementation strategies:
I Confusion – complex relationship between key and ciphertext
I Diffusion – remove statistical links between plaintext and ciphertext
I Prevent adaptive chosen-plaintext attacks, including differential and
linear cryptanalysis
I Product cipher: iterate many rounds of a weaker permutation
I Feistel structure, substitution/permutation network, key-dependent
s-boxes, mix incompatible groups, transpositions, linear
transformations, arithmetic operations, non-linear substitutions, . . .
60 / 230
Feistel structure I

Problem: Build a pseudo-random permutation EK : {0, 1}n ↔ {0, 1}n

n n
(invertible) using pseudo-random functions fK,i : {0, 1} 2 → {0, 1} 2
(non-invertible) as building blocks.
Solution: Split the plaintext block M (n bits) into two halves L and R
(n/2 bits each):
M = L0 kR0
Then apply the non-invertible function fK in each round i alternatingly to
one of these halves, and XOR the result onto the other half, respectively:

Li = Li−1 ⊕ fK,i (Ri−1 ) and Ri = Ri−1 for odd i

Ri = Ri−1 ⊕ fK,i (Li−1 ) and Li = Li−1 for even i

After applying rounds i = 1, . . . , r, concatenate the two halves to form

the ciphertext block C:

EK (M ) = C = Lr kRr

61 / 230
Feistel structure II

Plaintext:

L0 R0
Feistel structure II

r = 1 round:

L0 R0

⊕ fK,1

L1 R1
Feistel structure II

r = 2 rounds:

L0 R0

⊕ fK,1

L1 R1

fK,2 ⊕

L2 R2
Feistel structure II

r = 3 rounds:

L0 R0

⊕ fK,1

L1 R1

fK,2 ⊕

L2 R2

⊕ fK,3

L3 R3

62 / 230
Feistel structure III

Decryption:

L0 R0

⊕ fK,1

L1 R1

fK,2 ⊕

L2 R2

⊕ fK,3

L3 R3

63 / 230
Feistel structure IV

Decryption works backwards (i = r, . . . , 1), undoing round after round,

starting from the ciphertext:

Li−1 = Li ⊕ fK,i (Ri ) and Ri−1 = Ri for odd i

Ri−1 = Ri ⊕ fK,i (Li ) and Li−1 = Li for even i

This works because the Feistel structure is arranged such that during
decryption of round i, the input value for fK,i is known, as it formed half
of the output bits of round i during encryption.

Luby–Rackoff result
If f is a pseudo-random function, then r = 3 Feistel rounds build a
pseudo-random permutation and r = 4 rounds build a strong
pseudo-random permutation.
M. Luby, C. Rackoff: How to construct pseudorandom permutations from pseudorandom functions.
CRYPTO’85, LNCS 218, http://www.springerlink.com/content/27t7330g746q2168/

64 / 230
Data Encryption Standard (DES)

In 1977, the US government standardized a block cipher for unclassified

data, based on a proposal by an IBM team led by Horst Feistel.
DES has a block size of 64 bits and a key size of 56 bits. The relatively
short key size and its limited protection against brute-force key searches
immediately triggered criticism, but this did not prevent DES from
becoming the most commonly used cipher for banking networks and
numerous other applications for more than 25 years.
DES uses a 16-round Feistel structure. Its round function f is much
simpler than a good pseudo-random function, but the number of
iterations increases the complexity of the resulting permutation
sufficiently.
DES was designed for hardware implementation such that the same
circuit can be used with only minor modification for encryption and
decryption. It is not particularly efficient in software.
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

65 / 230
The round function f expands the 32-bit
input to 48 bits, XORs this with a 48-bit
subkey, and applies eight carefully designed
6-bit to 4-bit substitution tables
(“s-boxes”). The expansion function E
makes sure that each sbox shares one input
bit with its left and one with its right
neighbour.

66 / 230
The key schedule of DES
breaks the key into two 28-bit
halves, which are left shifted
by two bits in most rounds
(only one bit in round
1,2,9,16) before 48 bits are
selected as the subkey for
each round.

67 / 230
Strengthening DES
Two techniques have been widely used to extend the short DES key size:

DESX 2 × 64 + 56 = 184 bit keys:

DESXK1 ,K2 ,K3 (M ) = K1 ⊕ DESK2 (M ⊕ K3 )

Triple DES (TDES) 3 × 56 = 168-bits keys:

TDESK (M ) = DESK3 (DES−1
K2 (DESK1 (M )))

TDES−1
K (C) = DES−1 −1
K1 (DESK2 (DESK3 (C)))

Where key size is a concern, K1 = K3 is used ⇒ 112 bit key. With

K1 = K2 = K3 , the TDES construction is backwards compatible to DES.

Double DES would be vulnerable to a meet-in-the-middle attack that

requires only 257 iterations and 257 blocks of storage space: the known
M is encrypted with 256 different keys, the known C is decrypted with
256 keys and a collision among the stored results leads to K1 and K2 .
Neither extension fixes the small alphabet size of 264 .
68 / 230
Advanced Encryption Standard (AES)
In November 2001, the US government published the new Advanced
Encryption Standard (AES), the official DES successor with 128-bit block
size and either 128, 192 or 256 bit key length. It adopted the “Rijndael”
cipher designed by Joan Daemen and Vincent Rijmen, which offers
additional block/key size combinations.
Each of the 9–13 rounds of this substitution-permutation cipher involves:
I an 8-bit s-box applied to each of the 16 input bytes
I permutation of the byte positions
I column mix, where each of the four 4-byte vectors is multiplied with
a 4 × 4 matrix in F28
I XOR with round subkey
The first round is preceded by another XOR with a subkey, the last round
lacks the column-mix step.
Software implementations usually combine the first three steps per byte
into 16 8-bit → 32-bit table lookups.
http://csrc.nist.gov/encryption/aes/
http://www.iaik.tu-graz.ac.at/research/krypto/AES/
Recent CPUs with AES hardware support: Intel/AMD x86 AES-NI instructions, VIA PadLock.
69 / 230
AES round

Illustration by John Savard, http://www.quadibloc.com/crypto/co040401.htm

70 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

71 / 230
Electronic Code Book (ECB) I
ECB is the simplest mode of operation for block ciphers (DES, AES).
The message M is cut into m n-bit blocks:

M1 kM2 k . . . kMm = M kpadding

Then the block cipher EK is applied to each n-bit block individually:

Ci = EK (Mi ) i = 1, . . . , m
C = C1 kC2 k . . . kCm

M1 M2 Mm

EK EK ··· EK

C1 C2 Cm
72 / 230
Electronic Code Book (ECB) II
Warning:
Like any deterministic encryption scheme,
Electronic Code Book (ECB) mode is not CPA secure.

Therefore, repeated plaintext messages (or blocks) can be recognised by

the eavesdropper as repeated ciphertext. If there are only few possible
messages, an eavesdropper might quickly learn the corresponding
ciphertext.

Another problem:
Plaintext block values are often not uniformly distributed, for example in
ASCII encoded English text, some bits have almost fixed values.
As a result, not the entire input alphabet of the block cipher is utilised,
which simplifies for an eavesdropper building and using a value table of
EK .
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
73 / 230
Electronic Code Book (ECB) III
Plain-text bitmap:

DES-ECB encrypted:

74 / 230
Randomized encryption
Any CPA secure encryption scheme must be randomized, meaning that
the encryption algorithm has access to an r-bit random value that is not
predictable to the adversary:
Enc : {0, 1}k ×{0, 1}r ×{0, 1}l → {0, 1}m
Dec : {0, 1}k ×{0, 1}m → {0, 1}l

receives in addition to the k-bit key and l-bit plaintext also an r-bit
random value, which it uses to ensure that repeated encryption of the
same plaintext is unlikely to result in the same m-bit ciphertext.
With randomized encryption, the ciphertext will be longer than the plaintext: m > l, for example
m = r + l.
Given a fixed-length pseudo-random function F , we could encrypt a variable-length message
M kpad(M ) = M1 kM2 k . . . kMn by applying ΠPRF to its individual blocks Mi , and the result
will still be CPA secure:
EncK (M ) = (R1 , EK (R1 ) ⊕ M1 , R2 , EK (R2 ) ⊕ M2 , . . . Rn , EK (Rn ) ⊕ Mn )
But this doubles the message length!

Several efficient “modes of operation” have been standardized for use

with blockciphers to provide CPA-secure encryption schemes for
arbitrary-length messages.
75 / 230
Cipher Block Chaining (CBC) I
The Cipher Block Chaining mode is one way of constructing a
CPA-secure randomized encryption scheme from a block cipher EK .
1 Pad the message M and split it into m n-bit blocks, to match the
alphabet of the block cipher used:
M1 kM2 k . . . kMm = M kpadding
2 Generate a random, unpredictable n-bit initial vector (IV) C0 .
3 Starting with C0 , XOR the previous ciphertext block into the
plaintext block before applying the block cipher:
Ci = EK (Mi ⊕ Ci−1 ) for 0 < i ≤ m
4 Output the (m + 1) × n-bit cipher text
C = C0 kC1 k . . . kCm
(which starts with the random initial vector)

Mi ⊕ EK Ci
76 / 230
Cipher Block Chaining (CBC) II

M1 M2 Mm

⊕ ⊕ ⊕

RND EK EK ··· EK

C0 C1 C2 Cm
initial vector

The input of the block cipher EK is now uniformly distributed.

√ n
Expect a repetition of block cipher input after around 2n = 2 2 blocks
have been encrypted with the same key K, where n is the block size in
bits (→ birthday paradox). Change K well before that.

77 / 230
Cipher Block Chaining (CBC) II

M1 M2 Mm

⊕ ⊕ ⊕

RND DK DK ··· DK

C0 C1 C2 Cm
initial vector

The input of the block cipher EK is now uniformly distributed.

√ n
Expect a repetition of block cipher input after around 2n = 2 2 blocks
have been encrypted with the same key K, where n is the block size in
bits (→ birthday paradox). Change K well before that.

77 / 230
Plain-text bitmap:

DES-CBC encrypted:

78 / 230
Cipher Feedback Mode (CFB)

Ci = Mi ⊕ EK (Ci−1 )

EK

Mi ⊕ Ci

As in CBC, C0 is a randomly selected, unpredictable initial vector, the

entropy of which will propagate through the entire ciphertext.
This variant has three advantages over CBC that can help to reduce
latency:
I The blockcipher step needed to derive Ci can be performed before
Mi is known.
I Incoming plaintext bits can be encrypted and output immediately;
no need to wait until another n-bit block is full.
I No padding of last block needed.
79 / 230
Output Feedback Mode (OFB)
Output Feedback Mode is a stream cipher seeded by the initial vector:
1 Split the message into m blocks (blocks M1 , . . . , Mm−1 each n-bit
long, Mm may be shorter, no padding required):

M1 kM2 k . . . kMm = M

2 Generate a unique n-bit initial vector (IV) C0 .

3 Start with R0 = C0 , then iterate

Ri = EK (Ri−1 )
EK Ri
Ci = Mi ⊕ Ri

for 0 < i ≤ m. From Rm use only the leftmost bits needed for Mm .
4 Output the cipher text C = C0 kC1 k . . . kCm
n
Again, the key K should be replaced before in the order of 2 2 n-bit blocks have been generated.
Unlike with CBC or CFB, the IV does not have to be unpredictable or random (it can be a
counter), but it must be very unlikely that the same IV is ever used again or appears as another
value Ri while the same key K is still used.
80 / 230
Counter Mode (CTR)
This mode is also a stream cipher. It obtains the pseudo-random bit
stream by encrypting an easy to generate sequence of mutually different
blocks T1 , T2 , . . . , Tm , such as the block counter i plus some offset O,
encoded as an n-bit binary value:
Ci = Mi ⊕ EK (Ti ), Ti = hO + ii, for 0 < i ≤ m
Choose O such that probability of reusing any Ti under the same K is
negligible. Send offset O as initial vector C0 = hOi.
Notation hii here means “n-bit binary representation of integer i”, where n is block length of EK .

Advantages:
I allows fast random access
I both encryption and decryption can be parallelized
I low latency
I no padding required
I no risk of short cycles
Today, Counter Mode is generally preferred over CBC, CFB, and OFB.
Alternatively, the Ti can also be generated by a maximum-length linear-feedback shift register
(replacing the operation O + i in Z2n with O(x) · xi in F2n to avoid slow carry bits).
81 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

82 / 230
Security against chosen-ciphertext attacks (CCA)
Private-key encryption scheme Π = (Gen, Enc, Dec), M = {0, 1}m , security parameter `.

Experiment/game PrivKcca A,Π (`):

M 1, C2, . . .
1` b ∈R {0, 1} 1`
. . . , M 2, C1
K ← Gen(1` ) M0 , M 1
C i ← EncK (M i ) A
M i ← DecK (C i ) C
M t+1 , C t+2 6= C, . . . adversary
b C ← EncK (Mb ) b0
. . . , M t+2 , C t+1

Setup:
I handling of `, b, K as before
Rules for the interaction:
1 The adversary A is given oracle access to EncK and DecK :
A outputs M 1 , gets EncK (M 1 ), outputs C 2 , gets DecK (C 2 ), . . .
m
2 The adversary A outputs a pair of messages: M0 , M1 ∈ {0, 1} .

3 The challenger computes C ← EncK (Mb ) and returns C to A

4 The adversary A continues to have oracle access to EncK and DecK

but is not allowed to ask for DecK (C).
Finally, A outputs b0 . If b0 = b then A has succeeded ⇒ PrivKcca
A,Π (`) = 1
83 / 230
Malleability
We call an encryption scheme (Gen, Enc, Dec) malleable if an adversary
can modify the ciphertext C in a way that causes a predictable/useful
modification to the plaintext M .
Example: stream ciphers allow adversary to XOR the plaintext M with
arbitrary value X:

Sender : C = EncK (M ) = (R, FK (R) ⊕ M )

Adversary : C 0 = (R, (FK (R) ⊕ M ) ⊕ X)
Recipient : M 0 = DecK (C 0 ) = FK (R) ⊕ ((FK (R) ⊕ M ) ⊕ X)
=M ⊕X

Malleable encryption schemes are usually not CCA secure.

CBC, OFB, and CTR are all malleable and not CCA secure.

Malleability is not necessarily a bad thing. If carefully used, it can be an essential building block to
privacy-preserving technologies such as digital cash or anonymous electonic voting schemes.
Homomorphic encryption schemes are malleable by design, providing anyone not knowing the key a
means to transform the ciphertext of M into a valid encryption of f (M ) for some restricted class
of transforms f .
84 / 230
Message authentication code (MAC)

A message authentication code is a tuple of probabilistic

polynomial-time algorithms (Gen, Mac, Vrfy) and sets K, M such that
I the key generation algorithm Gen receives a security parameter `
and outputs a key K ← Gen(1` ), with K ∈ K, key length |K| ≥ `;
I the tag-generation algorithm Mac maps a key K and a message
M ∈ M = {0, 1}∗ to a tag T ← MacK (M );
I the verification algorithm Vrfy maps a key K, a message M and a
tag T to an output bit b := VrfyK (M, T ) ∈ {0, 1}, with b = 1
meaning the tag is “valid” and b = 0 meaning it is “invalid”.
I for all `, K ← Gen(1` ), and M ∈ {0, 1}m :
VrfyK (M, MacK (M )) = 1.

85 / 230
MAC security definition: existential unforgeability
Message authentication code Π = (Gen, Mac, Vrfy), M = {0, 1}∗ , security parameter `.

Experiment/game Mac-forgeA,Π (`):

1` K ← Gen(1` ) 1`
M 1, M 2, . . . , M t
T i ← MacK (M i )
T t, . . . , T 2, T 1 A
b := VrfyK (M, T ) adversary
b M, T
M 6∈{M 1 ,M 2 ,...,M t }
1 challenger generates random key K ← Gen(1` )
2 adversary A is given oracle access to MacK (·); let
Q = {M 1 , . . . , M t } denote the set of queries that A asks the oracle
3 adversary outputs (M, T )
4 the experiment outputs 1 if VrfyK (M, T ) = 1 and M 6∈ Q

Definition: A message authentication code Π = (Gen, Mac, Vrfy) is

existentially unforgeable under an adaptive chosen-message attack
(“secure”) if for all probabilistic polynomial-time adversaries A there
exists a negligible function negl such that
P(Mac-forgeA,Π (`) = 1) ≤ negl(`)
86 / 230
MACs versus security protocols
MACs prevent adversaries forging new messages. But adversaries can still
1 replay messages seen previously (“pay £1000”, old CCTV image)

2 drop or delay messages (“smartcard revoked”)

3 reorder a sequence of messages

4 redirect messages to different recipients

A security protocol is a higher-level mechanism that can be built using

MACs, to prevent such manipulations. This usually involves including
into each message additional data before calculating the MAC, such as
I nonces
• message sequence counters
• message timestamps and expiry times
• random challenge from the recipient
• MAC of the previous message
I identification of source, destination, purpose, protocol version
I “heartbeat” (regular message to confirm sequence number)
Security protocols also need to define unambiguous syntax for such
message fields, delimiting them securely from untrusted payload data.
87 / 230
Stream authentication
Alice and Bob want to exchange a sequence of messages M1 , M2 , . . .
They want to verify not just each message individually, but also the
integrity of the entire sequence received so far.
One possibility: Alice and Bob exchange a private key K and then send

A→B: (M1 , T1 ) with T1 = MacK (M1 , 0)

B→A: (M2 , T2 ) with T2 = MacK (M2 , T1 )
A→B: (M3 , T3 ) with T3 = MacK (M3 , T2 )
..
.
B→A: (M2i , T2i ) with T2i = MacK (M2i , T2i−1 )
A→B: (M2i+1 , T2i+1 ) with T2i+1 = MacK (M2i+1 , T2i )
..
.

Mallory can still delay messages or replay old ones. Including in addition unique transmission
timestamps in the messages (in at least M1 and M2 ) allows the recipient to verify their
“freshness” (using a secure, accurate local clock).
88 / 230
MAC using a pseudo-random function

Let F be a pseudo-random function.

I Gen: on input 1` choose K ∈R {0, 1}` randomly
I Mac: read K ∈ {0, 1}` and M ∈ {0, 1}m ,
then output T := FK (M ) ∈ {0, 1}n
I Vrfy: read K ∈ {0, 1}` , M ∈ {0, 1}m , T ∈ {0, 1}n ,
then output 1 iff T = FK (M ).

If F is a pseudo-random function, then (Gen, Mac, Vrfy) is existentially

unforgeable under an adaptive chosen message attack.

89 / 230
MAC using a block cipher: CBC-MAC
Blockcipher E : {0, 1}` × {0, 1}m → {0, 1}m

M1 M2 Mn

⊕ ⊕

EK EK ··· EK

CBC-MACEK (M )

Similar to CBC: IV = 0m , last ciphertext block serves as tag.

Provides existential unforgeability, but only for fixed message length n:
Adversary asks oracle for T 1 := CBC-MACEK (M 1 ) = EK (M 1 ) and then
presents M = M 1 k(T 1 ⊕ M 1 ) and T := CBC-MACEK (M ) =
EK ((M 1 ⊕ T 1 ) ⊕ EK (M 1 )) = EK ((M 1 ⊕ T 1 ) ⊕ T 1 ) = EK (M 1 ) = T 1 .
90 / 230
Variable-length MAC using a block cipher: ECBC-MAC
Blockcipher E : {0, 1}` × {0, 1}m → {0, 1}m

M1 M2 Mn

⊕ ⊕

EK1 EK1 ··· EK1

Padding: M k10p
p = m − (|M | mod m) − 1
EK2
Disadvantages:
I up to two additional
applications of block cipher
I need to rekey block cipher ECBC-MACEK1 ,K2 (M )
I added block if m divides |M |
91 / 230
Variable-length MAC using a block cipher: CMAC
Blockcipher E : {0, 1}` × {0, 1}m → {0, 1}m (typically AES: m = 128)

Derive subkeys K1 , K2 ∈ {0, 1}m from key K ∈ {0, 1}` :

I K0 := EK (0)
I if msb(K0 ) = 0 then K1 := (K0  1) else K1 := (K0  1) ⊕ J
I if msb(K1 ) = 0 then K2 := (K1  1) else K2 := (K1  1) ⊕ J
This merely clocks a linear-feedback shift register twice, or equivalently multiplies a value in F2m
twice with x. J is a fixed constant (generator polynomial),  is a left shift.

CMAC algorithm:
M1 kM2 k . . . kMn := M
r := |Mn |
if r = m then Mn := K1 ⊕ Mn
else Mn := K2 ⊕ (Mn k10m−r−1 )
return CBC-MACK (M1 kM2 k . . . kMn )
Provides existential unforgeability, without the disadvantages of ECBC.
NIST SP 800-38B, RFC 4493
92 / 230
Birthday attack against CBC-MAC, ECBC-MAC, CMAC
Let E be an m-bit block cipher, used to build MACK with m-bit tags.
Birthday/collision attack:
√
I Make t ≈ 2m oracle queries for T i := MACK (hiikRi kh0i) with
Ri ∈R {0, 1}m , 1 ≤ i ≤ t.
Here hii ∈ {0, 1}m is the m-bit binary integer notation for i.
I Look for collision T i = T j with i 6= j
I Ask oracle for T 0 := MACK (hiikRi kh1i)
I Present M := hjikRj kh1i and T := T 0 = MACK (M )
The same intermediate value
C2 occurs while calculating the hii Ri h0i
MAC of
hiikRi kh0i, hjikRj kh0i, ⊕ ⊕
hiikRi kh1i, hjikRj kh1i.
EK EK EK
Possible workaround:
Truncate MAC result to less than m bits,
such that adversary cannot easily spot col-
lisions in C2 from C3 .
C1 C2 MACK
Solution: big enough m.
93 / 230
A one-time MAC (Carter–Wegman)
The following MAC scheme is very fast and unconditionally secure, but
only if the key is used to secure only a single message.
Let F be a large finite field (e.g. Z2128 +51 or GF(2128 )).
I Pick a random key pair K = (K1 , K2 ) ∈ F2
I Split padded message P into blocks P1 , . . . , Pm ∈ F
I Evaluate the following polynomial over F to obtain the MAC:

OT-MACK1 ,K2 (P ) = K1m+1 + Pm K1m + · · · + P2 K12 + P1 K1 + K2

Converted into a computationally secure many-time MAC:

I Pseudo-random function/permutation EK : F → F
I Pick per-message random value R ∈ F
I CW-MACK1 ,K2 (P ) =
(R, K1m+1 + Pm K1m + · · · + P2 K12 + P1 K1 + EK2 (R))
M. Wegman and L. Carter. New hash functions and their use in authentication and set equality.
Journal of Computer and System Sciences, 22:265279, 1981.
94 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

95 / 230
Security against chosen-ciphertext attacks (CCA)
Private-key encryption scheme Π = (Gen, Enc, Dec), M = {0, 1}m , security parameter `.

Experiment/game PrivKcca A,Π (`):

M 1, C2, . . .
1` b ∈R {0, 1} 1`
. . . , M 2, C1
K ← Gen(1` ) M0 , M 1
C i ← EncK (M i ) A
M i ← DecK (C i ) C
M t+1 , C t+2 6= C, . . . adversary
b C ← EncK (Mb ) b0
. . . , M t+2 , C t+1

Setup:
I handling of `, b, K as before
Rules for the interaction:
1 The adversary A is given oracle access to EncK and DecK :
A outputs M 1 , gets EncK (M 1 ), outputs C 2 , gets DecK (C 2 ), . . .
m
2 The adversary A outputs a pair of messages: M0 , M1 ∈ {0, 1} .

3 The challenger computes C ← EncK (Mb ) and returns C to A

4 The adversary A continues to have oracle access to EncK and DecK

but is not allowed to ask for DecK (C).
Finally, A outputs b0 . If b0 = b then A has succeeded ⇒ PrivKcca
A,Π (`) = 1
← 83 / 230
Ciphertext integrity
Private-key encryption scheme Π = (Gen, Enc, Dec), Dec can output error: ⊥
Experiment/game CIA,Π (`):
1` K ← Gen(1` ) 1`
M 1, M 2, . . . , M t
C i ← EncK (M i )
Ct, . . . , C2, C1 A
(
0, DecK (C) = ⊥
b :=
b 1, DecK (C) 6= ⊥ C adversary
C6∈{C 1 ,C 2 ,...,C t }

1 challenger generates random key K ← Gen(1` )

2 adversary A is given oracle access to EncK (·); let Q = {C 1 , . . . , C t }
denote the set of query answers that A got from the oracle
3 adversary outputs C
4 the experiment outputs 1 if DecK (C) 6= ⊥ and C 6∈ Q
Definition: An encryption scheme Π = (Gen, Enc, Dec) provides
ciphertext integrity if for all probabilistic polynomial-time adversaries A
there exists a negligible function negl such that
P(CIA,Π (`) = 1) ≤ negl(`)
96 / 230
Authenticated encryption
Definition: An encryption scheme Π = (Gen, Enc, Dec) provides
authenticated encryption if it provides both CPA security and ciphertext
integrity.
Such an encryption scheme will then also be CCA secure.
Example:
Private-key encryption scheme ΠE = (GenE , Enc, Dec)
Message authentication code ΠM = (GenM , Mac, Vrfy)

Encryption scheme Π0 = (Gen0 , Enc0 , Dec0 ):

0 ` ` `
1 Gen (1 ) := (KE , KM ) with KE ← GenE (1 ) and KM ← GenM (1 )
0
2 Enc(K ,K ) (M ) := (C, T ) with C ← EncKE (M ) and
E M
T ← MacKM (C)
0
3 Dec on input of (KE , KM ) and (C, T ) first check if
VrfyKM (C, T ) = 1. If yes, output DecKE (C), if no output ⊥.
If ΠE is a CPA-secure private-key encryption scheme and ΠM is a secure
message authentication code with unique tags, then Π0 is a CCA-secure
private-key encryption scheme.
A message authentication code has unique tags, if for every K and every M there exists a unique
value T , such that VrfyK (M, T ) = 1. 97 / 230
Combining encryption and message authentication
Warning: Not every way of combining a CPA-secure encryption scheme
(to achieve privacy) and a secure message authentication code (to
prevent forgery) will necessarily provide CPA security:

Encrypt-and-authenticate: (EncKE (M ), MacKM (M ))

Unlikely to be CPA secure: MAC may leak information about M .

Authenticate-then-encrypt: EncKE (M kMacKM (M ))

May not be CPA secure: the recipient first decrypts the received
message with DecKE , then parses the result into M and MacKM (M ) and
finally tries to verify the latter. A malleable encryption scheme, combined
with a parser that reports syntax errors, may reveal information about M .

Encrypt-then-authenticate: (EncKE (M ), MacKM (EncKE (M )))

Secure: provides both CCA security and existential unforgeability.
If the recipient does not even attempt to decrypt M unless the MAC has been verified successfully,
this method can also prevent some side-channel attacks.

Note: CCA security alone does not imply existential unforgeability.

98 / 230
Padding oracle
TLS record protocol:
Recipient steps: CBC decryption, then checks and removes padding,
finally checks MAC.
Padding: append n times byte n (1 ≤ n ≤ 16)
Padding syntax error and MAC failure (used to be) distinguished in error
messages.

C0 = IV C1 C2 C3

DK DK DK

⊕ ⊕ ⊕

M1 M2 M3 kpad
99 / 230
Padding oracle (cont’d)
Attacker has C0 , . . . , C3 and tries to get M2 :

I truncate ciphertext after C2

I a = actual last byte of M2 , C0 = IV C1 C2
g = attacker’s guess of a
(try all g ∈ {0, . . . , 255})
I XOR the last byte of C1 with
g ⊕ 0x01 DK DK
I last byte of M2 is now
a ⊕ g ⊕ 0x01 ⊕ ⊕
I g = a: padding correct ⇒ MAC failed error
g 6= a: padding syntax error (high prob.) M1 M2

Then try 0x02 0x02 and so on.

Serge Vaudenay: Security flaws induced by CBC padding, EUROCRYPT 2002

100 / 230
Galois Counter Mode (GCM)
CBC and CBC-MAC used together require different keys, resulting in two
encryptions per block of data.
Galois Counter Mode is a more efficient authenticated encryption
technique that requires only a single encryption, plus one XOR ⊕ and
one multiplication ⊗, per block of data:

Ci = Mi ⊕ EK (O + i)
Gi = (Gi−1 ⊕ Ci ) ⊗ H, G0 = A ⊗ H, H = EK (0)


GMACEK (A, C) = (Gn ⊕ (len(A)k len(C))) ⊗ H ⊕ EK (O)

A is authenticated, but not encrypted (e.g., message header).

The multiplication ⊗ is over the Galois field F2128 : block bits are
interpreted as coefficients of binary polynomials of degree 127, and the
result is reduced modulo x128 + x7 + x2 + x + 1.
This is like 128-bit modular integer multiplication, but without carry bits,
and therefore faster in hardware.
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
101 / 230
 O+1 ··· O+n

EK EK

M1 ⊕ Mn ⊕

C1 Cn
O O+1 ··· O+n

EK EK EK

M1 ⊕ Mn ⊕

C1 Cn

A ⊗ ⊕ ⊗ ··· ⊕

EK (0) EK (0) ⊗ EK (0)

⊕ len(A)k len(C)

⊗ EK (0)
⊕

GMACEK (A, C)
102 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

103 / 230
Hash functions
A hash function h : {0, 1}∗ → {0, 1}` efficiently maps arbitrary-length
input strings onto fixed-length “hash values” such that the output is
uniformly distributed in practice.
Typical applications of hash functions:
I hash table: data structure for fast t = O(1) table lookup; storage
address of a record containing value x is determined by h(x).
I Bloom filter: data structure for fast probabilistic set membership test
I fast probabilistic string comparison (record deduplication, diff, rsync)
I Rabin–Karp algorithm: substring search with rolling hash
Closely related: checksums (CRC, Fletcher, Adler-32, etc.)

A good hash function h is one that minimizes the chances of a collision

of the form h(x) = h(y) with x 6= y.
But constructing collisions is not difficult for normal hash functions and
checksums, e.g. to modify a file without affecting its checksum.
Algorithmic complexity attack: craft program input to deliberately trigger worst-case runtime
(denial of service). Example: deliberately fill a server’s hash table with colliding entries.
104 / 230
Secure hash functions
A secure, collision-resistant `-bit hash function h : {0, 1}∗ → {0, 1}` is
designed to make it infeasible for an adversary who knows the
implementation of h to find any collision
h(x) = h(y) with x 6= y

Examples for applications of secure hash functions:

I message digest for efficient calculation of digital signatures
I fast message-authentication codes (HMAC)
I tamper-resistant checksum of files
$ sha1sum security?-slides.tex
2c1331909a8b457df5c65216d6ee1efb2893903f security1-slides.tex
50878bcf67115e5b6dcc866aa0282c570786ba5b security2-slides.tex
I git commit identifiers
I P2P file sharing identifiers
I key derivation functions
I password verification
I hash chains (e.g., Bitcoin, timestamping services)
I commitment protocols
105 / 230
Secure hash functions: standards
I MD5: ` = 128 (Rivest, 1991)
insecure, collisions were found in 1996/2004, collisions used in
real-world attacks (Flame, 2012) → avoid (still ok for HMAC)
http://www.ietf.org/rfc/rfc1321.txt

I SHA-1: ` = 160 (NSA, 1995)

widely used today (e.g., git), but 269 -step algorithm to find collisions
found in 2005 → being phased out (still ok for HMAC)
I SHA-2: ` = 224, 256, 384, or 512
close relative of SHA-1, therefore long-term collision-resistance
questionable, very widely used standard
FIPS 180-3 US government secure hash standard,
http://csrc.nist.gov/publications/fips/

I SHA-3: Keccak wins 5-year NIST contest in October 2012

no length-extension attack, arbitrary-length output,
can also operate as PRNG, very different from SHA-1/2.
(other finalists: BLAKE, Grøstl, JH, Skein)
http://csrc.nist.gov/groups/ST/hash/sha-3/
http://keccak.noekeon.org/
106 / 230
Collision resistance – a formal definition
Hash function
A hash function is a pair of probabilistic polynomial-time (PPT)
algorithms (Gen, H) where
I Gen reads a security parameter 1n and outputs a key s.
I H reads key s and input string x ∈ {0, 1}∗ and outputs
Hs (x) ∈ {0, 1}`(n) (where n is a security parameter implied by s)

Formally define collision resistance using the following game:

n
1 Challenger generates a key s = Gen(1 )

2 Challenger passes s to adversary A

0
3 A replies with x, x
0 0
4 A has found a collision iff Hs (x) = Hs (x ) and x 6= x

A hash function (Gen, H) is collision resistant if for all PPT adversaries

A there is a negligible function negl such that
P(A found a collision) ≤ negl(n)
0 (n)
A fixed-length compression function is only defined on x ∈ {0, 1}` with `0 (n) > `(n).
107 / 230
Unkeyed hash functions

Commonly used collision-resistant hash functions (SHA-256, etc.) do not

use a key s. They are fixed functions of the form h : {0, 1}∗ → {0, 1}` .
Why do we need s in the security definition?
Any fixed function h where the size of the domain (set of possible input
values) is greater than the range (set of possible output values) will have
collisions x, x0 . There always exists a constant-time adversary A that just
outputs these hard-wired values x, x0 .
Therefore, a complexity-theoretic security definition must depend on a
key s (and associated security parameter 1n ). Then H becomes a recipe
for defining ever new collision-resistant fixed functions Hs .
So in practice, s is a publicly known fixed constant, embedded in the
secure hash function h.
Also, without any security parameter n, we could not use the notion of a negligible function.

108 / 230
Unkeyed hash functions

Commonly used collision-resistant hash functions (SHA-256, etc.) do not

use a key s. They are fixed functions of the form h : {0, 1}∗ → {0, 1}` .
Why do we need s in the security definition?
Any fixed function h where the size of the domain (set of possible input
values) is greater than the range (set of possible output values) will have
collisions x, x0 . There always exists a constant-time adversary A that just
outputs these hard-wired values x, x0 .
Therefore, a complexity-theoretic security definition must depend on a
key s (and associated security parameter 1n ). Then H becomes a recipe
for defining ever new collision-resistant fixed functions Hs .
So in practice, s is a publicly known fixed constant, embedded in the
secure hash function h.
Also, without any security parameter n, we could not use the notion of a negligible function.

108 / 230
Weaker properties implied by collision resistance
Second-preimage resistance
For a given s and input value x, it is infeasible for any polynomial-time
adversary to find x0 with Hs (x0 ) = Hs (x) (except with negligible
probability).

If there existed a PPT adversary A that can break the second-preimage

resistance of Hs , then A can also break its collision resistance.
Therefore, collision resistance implies second-preimage resistance.

109 / 230
Weaker properties implied by collision resistance
Second-preimage resistance
For a given s and input value x, it is infeasible for any polynomial-time
adversary to find x0 with Hs (x0 ) = Hs (x) (except with negligible
probability).

If there existed a PPT adversary A that can break the second-preimage

resistance of Hs , then A can also break its collision resistance.
Therefore, collision resistance implies second-preimage resistance.

Preimage resistance
For a given s and output value y, it is infeasible for any polynomial-time
adversary to find x0 with Hs (x0 ) = y (except with negligible probability).

If there existed a PPT adversary A that can break the pre-image

resistance of Hs , then A can also break its second-preimage resistance
(with high probability). Therefore, either collision resistance or
second-preimage resistance imply preimage resistance.
How?
109 / 230
Weaker properties implied by collision resistance
Second-preimage resistance
For a given s and input value x, it is infeasible for any polynomial-time
adversary to find x0 with Hs (x0 ) = Hs (x) (except with negligible
probability).

If there existed a PPT adversary A that can break the second-preimage

resistance of Hs , then A can also break its collision resistance.
Therefore, collision resistance implies second-preimage resistance.

Preimage resistance
For a given s and output value y, it is infeasible for any polynomial-time
adversary to find x0 with Hs (x0 ) = y (except with negligible probability).

If there existed a PPT adversary A that can break the pre-image

resistance of Hs , then A can also break its second-preimage resistance
(with high probability). Therefore, either collision resistance or
second-preimage resistance imply preimage resistance.
How? Give y = Hs (x) to A and hope for output x0 6= x
109 / 230
Weaker properties implied by collision resistance
Second-preimage resistance
For a given s and input value x, it is infeasible for any polynomial-time
adversary to find x0 with Hs (x0 ) = Hs (x) (except with negligible
probability).

If there existed a PPT adversary A that can break the second-preimage

resistance of Hs , then A can also break its collision resistance.
Therefore, collision resistance implies second-preimage resistance.

Preimage resistance
For a given s and output value y, it is infeasible for any polynomial-time
adversary to find x0 with Hs (x0 ) = y (except with negligible probability).

If there existed a PPT adversary A that can break the pre-image

resistance of Hs , then A can also break its second-preimage resistance
(with high probability). Therefore, either collision resistance or
second-preimage resistance imply preimage resistance.
How? Give y = Hs (x) to A and hope for output x0 6= x
Note: collision resistance does not prevent Hs from leaking information about x (→ CPA). 109 / 230
Merkle–Damgård construction

Wanted: variable-length hash function (Gen, H).

Given: (Gen, C), a fixed-length hash function with
C : {0, 1}2n → {0, 1}n (“compression function”)
Input of H: key s, string x ∈ {0, 1}L with length L < 2n
1 Pad x to length divisible by n by appending “0” bits, then split the
result into B = L

n blocks of length n each:

xk0nd n e−L = x1 kx2 kx3 k . . . kxB−1 kxB

L

2 Append a final block xB+1 = hLi, which contains the n-bit binary
representation of input length L = |x|.
3 Set z0 := 0n (initial vector, IV)
4 compute zi := Cs (zi−1 kxi ) for i = 1, . . . , B + 1
5 Output Hs (x) := zB+1

110 / 230
 xk0nd n e−L = x1 kx2 kx3 k . . . kxB−1 kxB
L

x1 x2 xB hLi

Cs Cs ··· Cs Cs
0n z z1 zB−1 zB zB+1
Hs (x)
0

111 / 230
 xk0nd n e−L = x1 kx2 kx3 k . . . kxB−1 kxB
L

x1 x2 xB hLi

Cs Cs ··· Cs Cs
0n z z1 zB−1 zB zB+1
Hs (x)
0

x 6= x0

 0
0 n L
−L0
x k0 n = x01 kx02 kx03 k . . . kx0B 0 −1 kx0B 0

x01 x02 x0B 0 hL0 i

Cs Cs ··· Cs Cs
0n zB 0 +1
Hs (x)
z00 z10 0
zB 0 −1
0
zB 0

111 / 230
Merkle–Damgård construction – security proof
If the fixed-length compression function C is collision resistant, so will be
the variable-length hash function H resulting from the Merkle–Damgård
construction.
Proof outline:
Assume Cs is collision resistant, but H is not, because some PPT
adversary A outputs x 6= x0 with Hs (x) = Hs (x0 ).
Let x1 , . . . , xB be the n-bit blocks of padded L-bit input x, and
x01 , . . . , x0B 0 be those of L0 -bit input x0 , and xB+1 = hLi, x0B 0 +1 = hL0 i.
Case L 6= L0 : Then xB+1 6= x0B 0 +1 but Hs (x) = zB+1 =
0 0 0 0
Cs (zB kxB+1 ) = Cs (zB 0 kxB 0 +1 ) = zB 0 +1 = Hs (x ), which

is a collision in Cs .
Case L = L : Now B = B 0 . Let i ∈ {1, . . . , B + 1} be the largest index
0
0
where zi−1 kxi 6= zi−1 kx0i . (Such i exists as due to
0 0
|x| = |x | and x 6= x there will be at least one 1 ≤ j ≤ B
with xj 6= x0j .) Then zk = zk0 for all k ∈ {i, . . . , B + 1}
0
and zi = Cs (zi−1 kxi ) = Cs (zi−1 kx0i ) = zi0 is a collision in
Cs .
So Cs was not collision resistant, invalidating the assumption.
112 / 230
Compression function from block ciphers
Davies–Meyer construction
One possible technique for obtaining a collision-resistant compression
function C is to use a block cipher E : {0, 1}` × {0, 1}n → {0, 1}n in the
following way:
C(K, M ) = EK (M ) ⊕ M

M EK ⊕ C(K, M )

or in the notation of slide 110 (with K = xi and M = zi−1 ):

C(zi−1 kxi ) = Exi (zi−1 ) ⊕ zi−1

However, the security proof for this construction requires E to be an

ideal cipher, a keyed random permutation. It is not sufficient for E to
merely be a strong pseudo-random permutation.
Warning: use only block ciphers that have specifically been designed to be used this way. Other
block ciphers (e.g., DES) may have properties that can make them unsuitable here (e.g., related
key attacks, block size too small).
113 / 230
SHA-1 structure
Merkle–Damgård construction, block length n = 512 bits.

Compression function: One round:

I Input = 160 bits =
A B C D E
five 32-bit registers A–E
I each block = 16 32-bit words
W0 , . . . , W15 F
I LFSR extends that sequence to <<<5

80 words: W16 , . . . , W79

Wt
I 80 rounds, each fed one Wi <<<30

I Round constant Ki and non-linear Kt

function Fi change every 20 rounds.
I four 32-bit additions
and two
32-bit rotations per round, 2–5 A B C D E
32-bit Boolean operations for F . commons.wikimedia.org, CC SA-BY

I finally: 32-bit add round 0 input to

round 79 output (Davies–Meyer)
114 / 230
Random oracle model

Many applications of secure hash functions have no security proof that

relies only on the collision resistance of the function used.
The known security proofs require instead a much stronger assumption,
the strongest possible assumption one can make about a hash function:

Random oracle
I A random oracle H is a device that accepts arbitrary length strings
X ∈ {0, 1}∗ and consistently outputs for each a value
H(X) ∈ {0, 1}` which it chooses uniformly at random.
I Once it has chosen an H(X) for X, it will always output that same
answer for X consistently.
I Parties can privately query the random oracle (nobody else learns
what anyone queries), but everyone gets the same answer if they
query the same value.
I No party can infer anything about H(X) other than by querying X.

115 / 230
Ideal cipher model
A random-oracle equivalent can be defined for block ciphers:

Ideal cipher
Each key K ∈ {0, 1}` defines a random permutation EK , chosen
uniformly at random out of all (2n )! permutations. All parties have oracle
−1
access to both EK (X) and EK (X) for any (K, X). No party can infer
−1
any information about EK (X) (or EK (X)) without querying its value
for (K, X).

We have encountered random functions and random permutations

before, as a tool for defining pseudo-random functions/permutations.
Random oracles and ideal ciphers are different:
If a security proof is made “in the random oracle model”, then a hash
function is replaced by a random oracle or a block cipher is replaced by
an ideal cipher.
In other words, the security proof makes much stronger assumptions
about these components: they are not just indistinguishable from random
functions/permutations by any polynomial-time distinguisher, they are
actually assumed to be random functions/permutations. 116 / 230
Davies–Meyer construction – security proof

C(K, X) = EK (X) ⊕ X
If E is modeled as an ideal cipher, then C is a collision-resistant hash
function. Any attacker A making q < 2`/2 oracle queries to E finds a
collision with probability not higher than q 2 /2` . (negligible)
Proof: Attacker A tries to find (K, X), (K 0 , X 0 ) with
EK (X) ⊕ X = EK 0 (X 0 ) ⊕ X 0 . We assume that, before outputting
(K, X), (K 0 , X 0 ), A has previously made queries to learn EK (X) and
EK 0 (X 0 ). We also assume (wlog) A never makes redundant queries, so
−1
having learnt Y = EK (X), A will not query EK (Y ) and vice versa.
The i-th query (Ki , Xi ) to E only reveals

ci = Ci (Ki , Xi ) = EKi (Xi ) ⊕ Xi .

−1
A query to E −1 instead would only reveal EK i
(Yi ) = Xi and therefore
−1
ci = Ci (Ki , Xi ) = Yi ⊕ EK i
(Yi ).

A needs to find ci = cj with i > j.

117 / 230
For some fixed pair i, j with i > j, what is the probability of ci = cj ?
A collision at query i can only occur as one of these two query results:
I EKi (Xi ) = cj ⊕ Xi
−1
I EK
i
(Yi ) = cj ⊕ Yi
Each query will reveal a new uniformly distributed `-bit value, except that
it may be constrained by (at most) i − 1 previous query results (since
EKi must remain a permutation).
Therefore, the ideal cipher E will answer query i by uniformly choosing a
value out of at least 2` − (i − 1) possible values.
Therefore, each of the above two possibilities for reaching ci = cj can
happen with probability no higher than 1/(2` − (i − 1)).
With i ≤ q < 2`/2 and ` > 1, we have
1 1 2
P(ci = cj ) ≤ ≤ ` ≤ `
2` − (i − 1) 2 − 2`/2 2
q


There are 2 < q 2 /2 pairs j < i ≤ q, so the collision probability after q
2 q2 q2
queries cannot be more than 2`
· 2 = 2`
.
118 / 230
Random oracle model – controversy
Security proofs that replace the use of a hash function with a query to a
random oracle (or a block cipher with an ideal cipher) remain controversial.
Cons
I Real hash algorithms are publicly known. Anyone can query them
privately as often as they want, and look for shortcuts.
I No good justification to believe that proofs in the random oracle model
say anything about the security of a scheme when implemented with
practical hash functions (or pseudo-random functions/permutations).
I No good criteria known to decide whether a practical hash function is
“good enough” to instantiate a random oracle.
Pros
I A random-oracle model proof is better than no proof at all.
I Many efficient schemes (especially for public-key crypto) only have
random-oracle proofs.
I No history of successful real-world attacks against schemes with
random-oracle security proofs.
I If such a scheme were attacked successfully, it should still be fixable by
using a better hash function.
119 / 230
Sponge functions
Another way to construct a secure hash function H(M ) = Z:

http://sponge.noekeon.org/

(r + c)-bit internal state, XOR r-bit input blocks at a time, stir with
pseudo-random permutation f , output r-bit output blocks at a time.
Versatile: secure hash function (variable input length) and stream cipher
(variable output length)
Advantage over Merkle–Damgård: internal state > output, flexibility.
120 / 230
Duplex construction

http://sponge.noekeon.org/

A variant of the sponge construction, proposed to provide

I authenticated encryption (basic idea: σi = Ci = Mi ⊕ Zi−1 )
I reseedable pseudo-random bit sequence generator
(for post-processing and expanding physical random sources)
G. Bertoni, J. Daemen, et al.: Duplexing the sponge: single-pass authenticated encryption and
other applications. SAC 2011. http://dx.doi.org/10.1007/978-3-642-28496-0_19
http://sponge.noekeon.org/SpongeDuplex.pdf
121 / 230
SHA-3

Latest NIST secure hash algorithm

I Sponge function with b = r + c = 1600 = 5 × 5 × 64 bits of state
I Standardized (SHA-2 compatible) output sizes:
` ∈ {224, 256, 384, 512} bits
I Internal capacity: c = 2`
I Input block size: r = b − 2` ∈ {1152, 1088, 832, 576} bits
I Padding: append 10∗ 1 to extend input to next multiple of r
NIST also defined two related extendable-output functions (XOFs),
SHAKE128 and SHAKE256, which accept arbitrary-length input and can
produce arbitrary-length output. PRBG with 128 or 256-bit security.

SHA-3 standard: permutation-based hash and extendable-output functions. August 2015.

http://dx.doi.org/10.6028/NIST.FIPS.202

122 / 230
Probability of collision / Birthday problem
With 23 random people in a room, there is a 0.507 chance that two share a birthday. Surprised?

We throw b balls into n bins, selecting each bin uniformly at random.

With what probability do at least two balls end up in the same bin?
1 10 0
upper bound upper bound
lower bound lower bound
0.8
-10
10
collision probability

collision probability
0.6

10 -20
0.4

10 -30
0.2

0 10 -40
10 0 10 10 10 20 10 30 10 40 10 0 10 10 10 20 10 30 10 40
40 40
number of balls thrown into 10 bins number of balls thrown into 10 bins

Remember: for large n the collision probability

√
I is near 1 for b  n
√ b2
I is near 0 for b  n, growing roughly proportional to n
pπ
Expected number of balls thrown before first collision: 2
n (for n → ∞)
Approximation formulas: http://cseweb.ucsd.edu/~mihir/cse207/w-birthday.pdf
← 57 / 230
“Birthday attacks”
If a hash function outputs `-bit words, an attacker needs to try only
different input values, before there is a better than 50% chance of
finding a collision.

123 / 230
“Birthday attacks”
If a hash function outputs `-bit words, an attacker needs to try only
2`/2 different input values, before there is a better than 50% chance of
finding a collision.
Computational security
Attacks requiring 2128 steps considered infeasible =⇒ use hash function
that outputs ` = 256 bits (e.g., SHA-256). If only second pre-image
resistance is a concern, shorter ` = 128-bit may be acceptable.

123 / 230
“Birthday attacks”
If a hash function outputs `-bit words, an attacker needs to try only
2`/2 different input values, before there is a better than 50% chance of
finding a collision.
Computational security
Attacks requiring 2128 steps considered infeasible =⇒ use hash function
that outputs ` = 256 bits (e.g., SHA-256). If only second pre-image
resistance is a concern, shorter ` = 128-bit may be acceptable.
Finding useful collisions
An attacker needs to generate a large number of plausible input
plaintexts to find a practically useful collision. For English plain text,
synonym substitution is one possibility for generating these:
A: Mallory is a {good,hardworking} and {honest,loyal} {employee,worker}
B: Mallory is a {lazy,difficult} and {lying,malicious} {employee,worker}
Both A and B can be phrased in 23 variants each =⇒ 26 pairs of phrases.

123 / 230
“Birthday attacks”
If a hash function outputs `-bit words, an attacker needs to try only
2`/2 different input values, before there is a better than 50% chance of
finding a collision.
Computational security
Attacks requiring 2128 steps considered infeasible =⇒ use hash function
that outputs ` = 256 bits (e.g., SHA-256). If only second pre-image
resistance is a concern, shorter ` = 128-bit may be acceptable.
Finding useful collisions
An attacker needs to generate a large number of plausible input
plaintexts to find a practically useful collision. For English plain text,
synonym substitution is one possibility for generating these:
A: Mallory is a {good,hardworking} and {honest,loyal} {employee,worker}
B: Mallory is a {lazy,difficult} and {lying,malicious} {employee,worker}
Both A and B can be phrased in 23 variants each =⇒ 26 pairs of phrases.
With a 64-bit hash over an entire letter, we need only such
sentences for a good chance to find a collision in steps.
123 / 230
“Birthday attacks”
If a hash function outputs `-bit words, an attacker needs to try only
2`/2 different input values, before there is a better than 50% chance of
finding a collision.
Computational security
Attacks requiring 2128 steps considered infeasible =⇒ use hash function
that outputs ` = 256 bits (e.g., SHA-256). If only second pre-image
resistance is a concern, shorter ` = 128-bit may be acceptable.
Finding useful collisions
An attacker needs to generate a large number of plausible input
plaintexts to find a practically useful collision. For English plain text,
synonym substitution is one possibility for generating these:
A: Mallory is a {good,hardworking} and {honest,loyal} {employee,worker}
B: Mallory is a {lazy,difficult} and {lying,malicious} {employee,worker}
Both A and B can be phrased in 23 variants each =⇒ 26 pairs of phrases.
With a 64-bit hash over an entire letter, we need only 11 such
sentences for a good chance to find a collision in steps.
123 / 230
“Birthday attacks”
If a hash function outputs `-bit words, an attacker needs to try only
2`/2 different input values, before there is a better than 50% chance of
finding a collision.
Computational security
Attacks requiring 2128 steps considered infeasible =⇒ use hash function
that outputs ` = 256 bits (e.g., SHA-256). If only second pre-image
resistance is a concern, shorter ` = 128-bit may be acceptable.
Finding useful collisions
An attacker needs to generate a large number of plausible input
plaintexts to find a practically useful collision. For English plain text,
synonym substitution is one possibility for generating these:
A: Mallory is a {good,hardworking} and {honest,loyal} {employee,worker}
B: Mallory is a {lazy,difficult} and {lying,malicious} {employee,worker}
Both A and B can be phrased in 23 variants each =⇒ 26 pairs of phrases.
With a 64-bit hash over an entire letter, we need only 11 such
sentences for a good chance to find a collision in 234 steps.
123 / 230
Low-memory collision search
A normal search for an `-bit collision uses O(2`/2 ) memory and time.
Algorithm for finding a
collision with O(1) memory x0
and O(2`/2 ) time:
Input: H : {0, 1}∗ → {0, 1}`
Basic idea:
Output: x 6= x0 with H(x) = H 0 (x)
x0 ← {0, 1}`+1 I Tortoise x goes at most once
x0 := x := x0 round the cycle, hare x0 at
i := 0 least once
loop I loop 1: ends when x0
i := i + 1 overtakes x for the first time
x := H(x) // x = H i (x0 ) ⇒ x0 now i steps ahead of x
0 0
x := H(H(x )) // x0 = H 2i (x0 ) ⇒ i is now an integer
0
until x = x multiple of the cycle length
x0 := x, x := x0
I loop 2: x back at start, x0 is i
for j = 1, 2, . . . , i
steps ahead, same speed
if H(x) = H(x0 ) return (x, x0 )
⇒ meet at cycle entry point
x := H(x) // x = H j (x0 )
x0 := H(x0 ) // x0 = H i+j (x0 ) Wikipedia: Cycle detection
124 / 230
Constructing meaningful collisions
Tortoise-hare algorithm gives no direct control over content of x, x0 .
Solution:
Define a text generator function g : {0, 1}` → {0, 1}∗ , e.g.
g(0000) = Mallory is a good and honest employee
g(0001) = Mallory is a lazy and lying employee
g(0010) = Mallory is a good and honest worker
g(0011) = Mallory is a lazy and lying worker
g(0100) = Mallory is a good and loyal employee
g(0101) = Mallory is a lazy and malicious employee
···
g(1111) = Mallory is a difficult and malicious worker

Then apply the tortoise-hare algorithm to H(x) = h(g(x)), if h is the

hash function for which a meaningful collision is required.
With probability 21 the resulting x, x0 (h(g(x)) = h(g(x0 ))) will differ in
the last bit ⇒ collision between two texts with different meanings.
125 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

126 / 230
Hash and MAC
A secure hash function can be combined with a fixed-length MAC to
provide a variable-length MAC Mack (H(m)). More formally:
Let Π = (Mac, Vrfy) be a MAC for messages of length `(n) and let
ΠH = (GenH , H) be a hash function with output length `(n). Then
define variable-length MAC Π0 = (Gen0 , Mac0 , Vrfy0 ) as:
I Gen0 : Read security parameter 1n , choose uniform k ∈ {0, 1}n , run
s := GenH (1n ) and return (k, s).
I Mac0 : read key (k, s) and message m ∈ {0, 1}∗ , return tag
Mack (Hs (m)).
I Vrfy0 : read key (k, s), message m ∈ {0, 1}∗ , tag t, return
Vrfyk (Hs (m), t).
If Π offers existential unforgeability and ΠH is collision resistant, then Π0
will offer existential unforgeability.
Proof outline: If an adversary used Mac0 to get tags on a set Q of messages,
and then can produce a valid tag for m∗ 6∈ Q, then there are two cases:
I ∃m ∈ Q with Hs (m) = Hs (m∗ ) ⇒ Hs not collision resistant
I ∀m ∈ Q : Hs (m) 6= Hs (m∗ ) ⇒ Mac failed existential unforgeability
127 / 230
Hash-based message authentication code
Initial idea: hash a message M prefixed with a key K to get

MACK (M ) = h(KkM )

This construct is secure in the random oracle model (where h is a

random function). Is is also generally considered secure with fixed-length
m-bit messages M ∈ {0, 1}m or with sponge-function based hash
algorithm h, such as SHA-3.
Danger: If h uses the Merkle–Damgård construction, an adversary can
call the compression function again on the MAC to add more blocks to
M , and obtain the MAC of a longer M 0 without knowing the key!
To prevent such a message-extension attack, variants like

MACK (M ) = h(h(KkM ))

or
MACK (M ) = h(Kkh(M ))
could be used to terminate the iteration of the compression function in a
way that the adversary cannot continue. ⇒ HMAC
128 / 230
HMAC
HMAC is a standard technique widely used to form a
message-authentication code using a Merkle–Damgård-style secure hash
function h, such as MD5, SHA-1 or SHA-256:
HMACK (x) = h(K ⊕ opadkh(K ⊕ ipadkx))

Fixed padding values ipad, opad extend the key to the input size of the
compression function, to permit precomputation of its first iteration.

xkpadding(n + |x|) = x1 kx2 kx3 k . . . kxB−1 kxB

K ⊕ ipad x1 xB

Cs Cs ··· Cs
0n

K ⊕ opad kpadding(2n)

Cs Cs
0n HMACK (x)
http://www.ietf.org/rfc/rfc2104.txt
129 / 230
Secure commitment
Proof of prior knowledge
You have today an idea that you write down in message M . You do not
want to publish M yet, but you want to be able to prove later that you
knew M already today. Initial idea: you publish h(M ) today.
Danger: if the entropy of M is small (e.g., M is a simple choice, a PIN,
etc.), there is a high risk that your adversary can invert the
collision-resistant function h successfully via brute-force search.
Solution:
I Pick (initially) secret N ∈ {0, 1}128 uniformly at random.
I Publish h(N, M ) (as well as h and |N |).
I When the time comes to reveal M , also reveal N .

You can also commit yourself to message M , without yet revealing it’s
content, by publishing h(N, M ).
Applications: online auctions with sealed bids, online games where
several parties need to move simultaneously, etc.
Tuple (N, M ) means any form of unambiguous concatenation, e.g. N kM if length |N | is agreed.
130 / 230
Merkle tree
Problem: Untrusted file store, small trusted memory. Solution: hash tree.
Leaves contain hash values of files F0 , . . . , Fk−1 . Each inner node
contains the hash of its children. Only root h0 (and number k of files)
needs to be stored securely.
Advantages of tree (over naive alternative h0 = h(F0 , . . . , Fk−1 )):
I Update of a file Fi requires only O(log k) recalculations of hash
values along path from h(Fi ) to root (not rereading every file).
I Verification of a file requires only reading O(log k) values in all
direct children of nodes in path to root (not rereading every node).
h0 = h(h1 , h2 )

h1 = h(h3 , h4 ) h2 = h(h5 , h6 )

h3 = h(h7 , h8 ) h4 = h(h9 , h10 ) h5 = h(h11 , h12 ) h6 = h(h13 , h14 )

h7 = h8 = h9 = h10 = h11 = h12 = h13 = h14 =

h(F0 ) h(F1 ) h(F2 ) h(F3 ) h(F4 ) h(F5 ) h(F6 ) h(F7 )
131 / 230
One-time passwords from a hash chain
Generate hash chain: (h is preimage resistant, with ASCII output)
R0 ← random
R1 := h(R0 )
..
.
Rn−1 := h(Rn−2 )
Rn := h(Rn−1 )

Equivalently: Ri := h(h(h(. . . h( R0 ) . . .))) = hi (R0 ) (0 < i ≤ n)

| {z }
i times

Store last chain value H := Rn on the host server. Give the remaining
list Rn−1 , Rn−2 , . . . , R0 as one-time passwords to the user.
?
When user enters password Ri , compare h(Ri ) = H. If they match:
I Update H := Ri on host
I grant access to user
Leslie Lamport: Password authentication with insecure communication. CACM 24(11)770–772,
1981. http://doi.acm.org/10.1145/358790.358797
132 / 230
Broadcast stream authentication
Alice sends to a group of recipients a long stream of messages
M1 , M2 , . . . , Mn . They want to verify Alice’s signature on each packet
immediately upon arrival, but it is too expensive to sign each message.
Alice calculates
C1 = h(C2 , M1 )
C2 = h(C3 , M2 )
C3 = h(C4 , M3 )
···
Cn−2 = h(Cn−1 , Mn−2 )
Cn−1 = h(Cn , Mn−1 )
Cn = h(0, Mn )
and then broadcasts the stream
C1 , Sign(C1 ), (C2 , M1 ), (C3 , M2 ), . . . , (0, Mn ).
Only the first check value is signed, all other packets are bound together
in a hash chain that is linked to that single signature.
Problem: Alice needs to know Mn before she can start to broadcast C1 . Solution: TESLA
133 / 230
Timed Efficient Stream Loss-tolerant Authentication

TESLA uses a hash chain to authenticate broadcast data, without any

need for a digital signature for each message.
Timed broadcast of data sequence M1 , M2 , . . . , Mn :
I t0 : Sign(R0 ), R0 where R0 = h(R1 )
I t1 : (MacR2 (M1 ), M1 , R1 ) where R1 = h(R2 )
I t2 : (MacR3 (M2 ), M2 , R2 ) where R2 = h(R3 )
I t3 : (MacR4 (M3 ), M3 , R3 ) where R3 = h(R4 )
I t4 : (MacR5 (M4 ), M4 , R4 ) where R4 = h(R5 )
I ...
Each Ri is revealed at a pre-agreed time ti . The MAC for Mi can only
be verified after ti+1 when key Ri+1 is revealed.
By the time the MAC key is revealed, everyone has already received the
MAC, therefore the key can no longer be used to spoof the message.

134 / 230
Hash chains, block chains, time-stamping services
Clients continuously produce transactions Mi (e.g., money transfers).
Block-chain time-stamping service: receives client transactions Mi ,
may order them by dependency, validates them (payment covered by
funds?), batches them into groups
G1 = (M1 , M2 , M3 )
G2 = (M4 , M5 , M6 , M7 )
G3 = (M8 , M9 )
...

and then publishes the hash chain (with timestamps ti )

B1 = (G1 , t1 , 0)
B2 = (G2 , t2 , h(B1 ))
B3 = (G3 , t3 , h(B2 ))
...
Bi = (Gi , ti , h(Bi−1 ))
135 / 230
New blocks are broadcast to and archived by clients. Clients can
I verify that ti−1 ≤ ti ≤ now
I verify h(Bi−1 )
I frequently compare latest h(Bi ) with other clients
to ensure consensus that
I each client sees the same serialization order of the same set of
validated transactions
I every client receives the exact same block-chain data
I nobody can later rewrite the transaction history

136 / 230
New blocks are broadcast to and archived by clients. Clients can
I verify that ti−1 ≤ ti ≤ now
I verify h(Bi−1 )
I frequently compare latest h(Bi ) with other clients
to ensure consensus that
I each client sees the same serialization order of the same set of
validated transactions
I every client receives the exact same block-chain data
I nobody can later rewrite the transaction history
The Bitcoin crypto currency is based on a decentralized block-chain:
I accounts identified by single-use public keys
I each transaction signed with the payer’s private key
I new blocks broadcast by “miners”, who are allowed to mint
themselves new currency as incentive for operating the service
I issuing rate of new currency is limited by requirement for miners to
solve cryptographic puzzle (adjust a field in each block such that
h(Bi ) has a required number of leading zeros, currently ≈ 68 bits)
https://blockchain.info/ https://en.bitcoin.it/
136 / 230
Key derivation functions
A secret key K should only ever be used for one single purpose, to prevent one
application of K being abused as an oracle for compromising another one.
Any cryptographic system may involve numerous applications for keys (for encryption
systems, message integrity schemes, etc.)
A key derivation function (KDF) extends a single multi-purpose key K (which may
have been manually configured by a user, or may have been the result of a
key-agreement protocol) into k single-purpose keys K1 , K2 , . . . , Kk .
Requirements:
I Use a one-way function, such that compromise of one derived key Ki does not
also compromise the master key K or any other derived keys Kj (j 6= i).
I Use an entropy-preserving function, i.e. H(Ki ) ≈ min{H(K), |Ki |}
I Include a unique application identifier A (e.g., descriptive text string, product
name, domain name, serial number), to minimize the risk that someone else
accidentally uses the same derived keys for another purpose.
Secure hash functions work well for this purpose, especially those with arbitrary-length
output (e.g., SHA-3). Split their output bit sequence into the keys needed:
K1 kK2 k . . . kKk = h(A, K)
Hash functions with fixed output-length (e.g., SHA-256) may have to be called
multiple times, with an integer counter:
K1 kK2 = h(A, K, h1i), K3 kK4 = h(A, K, h2i), . . .
ISO/IEC 11770-6
137 / 230
Password-based key derivation
Human-selected secrets (PINs, passwords, pass-phrases) usually have much
lower entropy than the > 80 bits desired for cryptographic keys.
Typical password search list: “dictionary of 64k words, 4k suffixes, 64 prefixes and 4 alteration
rules for a total of 238 passwords” http://ophcrack.sourceforge.net/tables.php
Machine-generated random strings encoded for keyboard entry (hexadecimal,
base64, etc.) still lack the full 8 bits per byte entropy of a random binary string
(e.g. only < 96 graphical characters per byte from keyboard).
Workarounds:
I Preferably generate keys with a true random bit generator.
I Ask user to enter a text string longer than the key size.
I Avoid or normalize visually similar characters: 0OQ/1lI/A4/Z2/S5/VU/nu
I Use a secure hash function to condense the passphrase to key length.
I Use a deliberately slow hash function, e.g. iterate C times.
I Use a per-user random salt value S to personalize the hash function
against pre-computed dictionary attacks.
Stored random string where practical, otherwise e.g. user name.

PBKDF2 iterates HMAC C times for each output bit.

Typical values: S ∈ {0, 1}128 , 103 < C < 107
Recommendation for password-based key derivation. NIST SP 800-132, December 2010.
138 / 230
Password storage

Servers that authenticate users by password need to store some

information to verify that password.
Avoid saving a user’s password P as plaintext. Save the output of a
secure hash function h(P ) instead, to help protect the passwords after
theft of the database. Verify a password by comparing it’s hash against
that in the database record.
Better: hinder dictionary attacks by adding a random salt value S and by
iterating the hash function C times to make it computationally more
expensive. The database record then stores

(S, hC (P, S))

or similar.
Standard password-based key derivation functions, such as PBKDF2 or
Argon2, can also be used to verify passwords.
Argon2 is deliberately designed to be memory intensive to discourage fast ASIC implementations.

139 / 230
Inverting unsalted password hashes: time–memory trade-off
Target: invert h(p), where p ∈ P is a password from an assumed finite set
P of passwords (e.g., h = MD5, |P | = 958 ≈ 253 8-char ASCII strings)
Idea: define “reduction” function r : {0, 1}128 → P , then iterate h(r(·))
For example: convert input from base-2 to base-96 number, output first 8 “digits” as printable
ASCII characters, interpret DEL as string terminator.

r h r h h r h
 x0 → p1 → x1 → p2 → · · · → xn−1 → pn → xn ⇒ L[xn ] := x0

m .
y ..

Precompute(h, r, m, n) : invert(h, r, L, x) : Trade-off

for j := 1 to m y := x time:
x0 ∈R {0, 1}128 while L[y] = not found n ≈ |P |1/2
for i := 1 to n y := h(r(y))
p = r(L[y])
memory:
pi := r(xi−1 )
xi := h(pi ) while h(p) 6= x m ≈ |P |1/2
store L[xn ] := x0 p := r(h(p))
return L return p

140 / 230
Inverting unsalted password hashes: time–memory trade-off
Target: invert h(p), where p ∈ P is a password from an assumed finite set
P of passwords (e.g., h = MD5, |P | = 958 ≈ 253 8-char ASCII strings)
Idea: define “reduction” function r : {0, 1}128 → P , then iterate h(r(·))
For example: convert input from base-2 to base-96 number, output first 8 “digits” as printable
ASCII characters, interpret DEL as string terminator.

r h r h h r h
 x0 → p1 → x1 → p2 → · · · → xn−1 → pn → xn ⇒ L[xn ] := x0

m .
y ..

Precompute(h, r, m, n) : invert(h, r, L, x) : Trade-off

for j := 1 to m y := x time:
x0 ∈R {0, 1}128 while L[y] = not found n ≈ |P |1/2
for i := 1 to n y := h(r(y))
p = r(L[y])
memory:
pi := r(xi−1 )
xi := h(pi ) while h(p) 6= x m ≈ |P |1/2
store L[xn ] := x0 p := r(h(p))
return L return p
p
Problem: Once mn  |P | there are many collisions, the x0 → xn
chains merge, loop and overlap, covering P very inefficiently.
M.E. Hellman: A cryptanalytic time–memory trade-off. IEEE Trans. Information Theory,
July 1980. https://dx.doi.org/10.1109/TIT.1980.1056220
140 / 230
Inverting unsalted password hashes: “rainbow tables”
Target: invert h(p), where p ∈ P is a password from an assumed finite set
P of passwords (e.g., h = MD5, |P | = 958 ≈ 253 8-char ASCII strings)
Idea: define a “rainbow” of n reduction functions ri : {0, 1}128 → P ,
then iterate h(ri (·)) to avoid loops. (For example: ri (x) := r(h(xkhii)).)

 r1 h
r2 h h
rn h
x0 → p1 → x1 → p2 → · · · → xn−1 → pn → xn ⇒ L[xn ] := x0

m ..
y .

Precompute(h, r, m, n) : invert(h, r, n, L, x) : Trade-off

for j := 1 to m for k := n downto 1 time:
x0 ∈R {0, 1}128 xk−1 := x n ≈ |P |1/3
for i := 1 to n for i := k to n
pi := ri (xi−1 )
memory:
pi := ri (xi−1 )
xi := h(pi ) xi := h(pi ) m ≈ |P |2/3
store L[xn ] := x0 if L[xn ] exists
return L p1 := r1 (L[xn ])
for j := 1 to n
Philippe Oechslin: Making a faster if h(pj ) = x
cryptanalytic time–memory
trade-off. CRYPTO 2003.
return pj
https://dx.doi.org/10.1007/ pj+1 := rj+1 (h(pj ))
978-3-540-45146-4_36
141 / 230
Other applications of secure hash functions

I deduplication – quickly identify in a large collection of files

duplicates, without having to compare all pairs of files, just compare
the hash of each files content.
I file identification – in a peer-to-peer filesharing network or cluster
file system, identify each file by the hash of its content.
I distributed version control systems (git, mercurial, etc.) – name each
revision via a hash tree of all files in that revision, along with the
hash of the parent revision(s). This way, each revision name securely
identifies not only the full content, but its full revision history.

142 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

143 / 230
Key distribution problem

In a group of n participants, there are n(n − 1)/2 pairs who might want
to communicate at some point, requiring O(n2 ) private keys to be
exchanged securely in advance.
This gets quickly unpractical if n  2 and if participants regularly join
and leave the group.

P8 P1 P2

P7 P3

P6 P5 P4

144 / 230
Key distribution problem

In a group of n participants, there are n(n − 1)/2 pairs who might want
to communicate at some point, requiring O(n2 ) private keys to be
exchanged securely in advance.
This gets quickly unpractical if n  2 and if participants regularly join
and leave the group.

P8 P1 P2 P8 P1 P2

P7 P3 P7 TTP P3

P6 P5 P4 P6 P5 P4

Alternative 1: introduce an intermediary “trusted third party”

144 / 230
Trusted third party – key distribution centre

Needham–Schroeder protocol
Communal trusted server S shares key KP S with each participant P .
1 A informs S that it wants to communicate with B.
2 S generates KAB and replies to A with
EncKAS (B, KAB , EncKBS (A, KAB ))
Enc is a symmetric authenticated-encryption scheme

3 A checks name of B, stores KAB , and forwards the “ticket”

EncKBS (A, KAB ) to B
4 B also checks name of A and stores KAB .
5 A and B now share KAB and communicate via EncKAB /DecKAB .

S 1
2
B A
3

145 / 230
Kerberos
An extension of the Needham–Schroeder protocol is now widely used in
corporate computer networks between desktop computers and servers, in
the form of Kerberos and Microsoft’s Active Directory. KAS is generated
from A’s password (hash function).
Extensions include:
I timestamps and nonces to prevent replay attacks
I a “ticket-granting ticket” is issued and cached at the start of a
session, replacing the password for a limited time, allowing the
password to be instantly wiped from memory again.
I a pre-authentication step ensures that S does not reply with
anything encrypted under KAS unless the sender has demonstrated
knowledge of KAS , to hinder offline password guessing.
I mechanisms for forwarding and renewing tickets
I support for a federation of administrative domains (“realms”)
Problem: ticket message enables eavesdropper off-line dictionary attack.
146 / 230
Key distribution problem: other options
Alternative 2: hardware security modules + conditional access
1 A trusted third party generates a global key K and embeds it
securely in tamper-resistant hardware tokens (e.g., smartcard)
2 Every participant receives such a token, which also knows the
identity of its owner and that of any groups they might belong to.
3 Each token offers its holder authenticated encryption operations
EncK (·) and DecK (A, ·).
4 Each encrypted message EncK (A, M ) contains the name of the
intended recipient A (or the name of a group to which A belongs).
5 A’s smartcard will only decrypt messages addressed this way to A.
Commonly used for “broadcast encryption”, e.g. pay-TV, navigation satellites.

147 / 230
Key distribution problem: other options
Alternative 2: hardware security modules + conditional access
1 A trusted third party generates a global key K and embeds it
securely in tamper-resistant hardware tokens (e.g., smartcard)
2 Every participant receives such a token, which also knows the
identity of its owner and that of any groups they might belong to.
3 Each token offers its holder authenticated encryption operations
EncK (·) and DecK (A, ·).
4 Each encrypted message EncK (A, M ) contains the name of the
intended recipient A (or the name of a group to which A belongs).
5 A’s smartcard will only decrypt messages addressed this way to A.
Commonly used for “broadcast encryption”, e.g. pay-TV, navigation satellites.

Alternative 3: Public-key cryptography

I Find an encryption scheme where separate keys can be used for
encryption and decryption.
I Publish the encryption key: the “public key”
I Keep the decryption key: the “secret key”
Some form of trusted third party is usually still required to certify the correctness of the published
public keys, but it is no longer directly involved in establishing a secure connection.
147 / 230
Public-key encryption

A public-key encryption scheme is a tuple of PPT algorithms

(Gen, Enc, Dec) such that
I the key generation algorithm Gen receives a security parameter `
and outputs a pair of keys (PK , SK ) ← Gen(1` ), with key lengths
|PK | ≥ `, |SK | ≥ `;
I the encryption algorithm Enc maps a public key PK and a
plaintext message M ∈ M to a ciphertext message
C ← EncPK (M );
I the decryption algorithm Dec maps a secret key SK and a
ciphertext C to a plaintext message M := DecSK (C), or outputs ⊥;
I for all `, (PK , SK ) ← Gen(1` ): DecSK (EncPK (M )) = M .

In practice, the message space M may depend on PK .

In some practical schemes, the condition DecSK (EncPK (M )) = M may fail with negligible
probability.

148 / 230
Security against chosen-plaintext attacks (CPA)
Public-key encryption scheme Π = (Gen, Enc, Dec)

Experiment/game PubKcpa A,Π (`):

1` (PK , SK ) ← Gen(1` ) PK 1`

b ∈R {0, 1}
M0 , M 1 A
C ← EncPK (Mb )
b challenger C adversary b0

Setup:
1 The challenger generates a bit b ∈R {0, 1} and a key pair
(PK , SK ) ← Gen(1` ).
`
2 The adversary A is given input 1
Rules for the interaction:
1 The adversary A is given the public key PK
m
2 The adversary A outputs a pair of messages: M0 , M1 ∈ {0, 1} .
3 The challenger computes C ← EncPK (Mb ) and returns C to A

Finally, A outputs b0 . If b0 = b then A has succeeded ⇒ PubKcpa

A,Π (`) = 1
Note that unlike in PrivKcpa we do not need to provide A with any oracle access:
here A has access to the encryption key PK and can evaluate EncPK (·) itself.
149 / 230
Security against chosen-ciphertext attacks (CCA)
Public-key encryption scheme Π = (Gen, Enc, Dec)

Experiment/game PubKcca A,Π (`):

PK
1` (PK , SK ) ← Gen(1` ) 1`
C1, C2, . . . , Ct
b ∈R {0, 1}
M t, . . . , M 2, M 1
M i ← DecSK (C i ) M0 , M 1 A
C ← EncPK (Mb ) C adversary
C t+1 6= C, . . .
b b0
. . . , M t+2 , M t+1
Setup:
I handling of `, b, PK , SK as before
Rules for the interaction:
1 The adversary A is given PK and oracle access to DecSK :
A outputs C 1 , gets DecSK (C 1 ), outputs C 2 , gets DecSK (C 2 ), . . .
m
2 The adversary A outputs a pair of messages: M0 , M1 ∈ {0, 1} .

3 The challenger computes C ← EncPK (Mb ) and returns C to A

4 The adversary A continues to have oracle access to DecSK
but is not allowed to ask for DecSK (C).
Finally, A outputs b0 . If b0 = b then A has succeeded ⇒ PubKcca A,Π (`) = 1
150 / 230
Security against chosen-plaintext attacks (cont’d)
Definition: A public-key encryption scheme Π has indistinguishable
encryptions under a chosen-plaintext attack (“is CPA-secure”) if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PubKcpa
A,Π (`) = 1) ≤ + negl(`)
2

Definition: A public-key encryption scheme Π has indistinguishable

encryptions under a chosen-ciphertext attack (“is CCA-secure”) if for all
probabilistic, polynomial-time adversaries A there exists a negligible
function negl, such that
1
P(PubKcca
A,Π (`) = 1) ≤ + negl(`)
2

What about ciphertext integrity / authenticated encryption?

Since the adversary has access to the public encryption key PK , there is
no useful equivalent notion of authenticated encryption for a public-key
encryption scheme.
151 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

152 / 230
Number theory: integers, divisibility, primes, gcd
Set of integers: Z := {. . . , −2, −1, 0, 1, 2, . . .} a, b ∈ Z
If there exists c ∈ Z such that ac = b, we say “a divides b” or “a | b”.
I if 0 < a then a is a “divisor” of b
I if 1 < a < b then a is a “factor” of b
I if a does not divide b, we write “a - b”

153 / 230
Number theory: integers, divisibility, primes, gcd
Set of integers: Z := {. . . , −2, −1, 0, 1, 2, . . .} a, b ∈ Z
If there exists c ∈ Z such that ac = b, we say “a divides b” or “a | b”.
I if 0 < a then a is a “divisor” of b
I if 1 < a < b then a is a “factor” of b
I if a does not divide b, we write “a - b”
If integer p > 1 has no factors (only 1 and p as divisors), it is “prime”,
otherwise it is “composite”. Primes: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, . . .
I every integer n > 1 has a unique prime factorization n = i pei i ,
Q
with primes pi and positive integers ei

153 / 230
Number theory: integers, divisibility, primes, gcd
Set of integers: Z := {. . . , −2, −1, 0, 1, 2, . . .} a, b ∈ Z
If there exists c ∈ Z such that ac = b, we say “a divides b” or “a | b”.
I if 0 < a then a is a “divisor” of b
I if 1 < a < b then a is a “factor” of b
I if a does not divide b, we write “a - b”
If integer p > 1 has no factors (only 1 and p as divisors), it is “prime”,
otherwise it is “composite”. Primes: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, . . .
I every integer n > 1 has a unique prime factorization n = i pei i ,
Q
with primes pi and positive integers ei
The greatest common divisor gcd(a, b) is the largest c with c | a and c | b.
I examples: gcd(18, 12) = 6, gcd(15, 9) = 3, gcd(15, 8) = 1
I if gcd(a, b) = 1 we say a and b are “relatively prime”
I gcd(a, b) = gcd(b, a), gcd(a, 0) = a
I gcd(a, b) = gcd(a, b − a)
I if c|ab and gcd(a, c) = 1 then c|b
I if a|n and b|n and gcd(a, b) = 1 then ab|n
153 / 230
Integer division with remainder
For every integer a and positive integer b there exist unique integers q
and r with a = qb + r and 0 ≤ r < b.
The modulo operator performs integer division and outputs the
remainder:
a mod b = r ⇒ 0 ≤ r < b ∧ ∃q ∈ Z : a − qb = r

Examples: 7 mod 5 = 2, −1 mod 10 = 9

154 / 230
Integer division with remainder
For every integer a and positive integer b there exist unique integers q
and r with a = qb + r and 0 ≤ r < b.
The modulo operator performs integer division and outputs the
remainder:
a mod b = r ⇒ 0 ≤ r < b ∧ ∃q ∈ Z : a − qb = r

Examples: 7 mod 5 = 2, −1 mod 10 = 9

If
a mod n = b mod n
we say that “a and b are congruent modulo n”, and also write
a ≡ b (mod n)
This implies n|(a − b). Being congruent modulo n is an equivalence
relationship:
I reflexive: a ≡ a (mod n)
I symmetric: a ≡ b (mod n) ⇒ b ≡ a (mod n)
I transitive: a ≡ b (mod n) ∧ b ≡ c (mod n) ⇒ a ≡ c (mod n)
154 / 230
Modular arithmetic
Addition, subtraction, and multiplication work the same under
congruence modulo n:
If a ≡ a0 (mod n) and b ≡ b0 (mod n) then
a + b ≡ a0 + b0 (mod n)
a − b ≡ a0 − b0 (mod n)
0 0
ab ≡ a b (mod n)
Associative, commutative and distributive laws also work the same:
a(b + c) ≡ ab + ac ≡ ca + ba (mod n)
When evaluating an expression that is reduced modulo n in the end, we
can also reduce any intermediate results. Example:


(a − bc) mod n = (a mod n) − (b mod n)(c mod n) mod n mod n

Reduction modulo n limits intermediate values to

Zn := {0, 1, 2, . . . , n − 1},
the “set of integers modulo n”.
Staying within Zn helps to limit register sizes and can speed up computation. 155 / 230
Euclid’s algorithm
gcd(21, 15)

156 / 230
Euclid’s algorithm
gcd(21, 15) = gcd(15, 21 mod 15)

156 / 230
Euclid’s algorithm
gcd(21, 15) = gcd(15, 6)

156 / 230
Euclid’s algorithm
gcd(21, 15) = gcd(15, 6) = gcd(6, 15 mod 6)

156 / 230
Euclid’s algorithm
gcd(21, 15) = gcd(15, 6) = gcd(6, 3)

156 / 230
Euclid’s algorithm
gcd(21, 15) = gcd(15, 6) = gcd(6, 3) = 3

156 / 230
Euclid’s algorithm
gcd(21, 15) = gcd(15, 6) = gcd(6, 3) = 3 = −2 × 21 + 3 × 15

156 / 230
Euclid’s algorithm

Euclidean algorithm: (WLOG a ≥ b > 0, since gcd(a, b) = gcd(b, a))

(
b, if b | a
gcd(a, b) =
gcd(b, a mod b), otherwise

157 / 230
Euclid’s algorithm

Euclidean algorithm: (WLOG a ≥ b > 0, since gcd(a, b) = gcd(b, a))

(
b, if b | a
gcd(a, b) =
gcd(b, a mod b), otherwise

For all positive integers a, b, there exist integers x and y such that
gcd(a, b) = ax + by.

157 / 230
Euclid’s algorithm

Euclidean algorithm: (WLOG a ≥ b > 0, since gcd(a, b) = gcd(b, a))

(
b, if b | a
gcd(a, b) =
gcd(b, a mod b), otherwise

For all positive integers a, b, there exist integers x and y such that
gcd(a, b) = ax + by.
Euclid’s extended algorithm also provides x and y: (WLOG a ≥ b > 0)

(gcd(a, b), x, y) :=


 (b, 0, 1), if b | a

(d, y, x − yq), otherwise,
egcd(a, b) =


 with (d, x, y) := egcd(b, r),
where a = qb + r, 0 ≤ r < b


157 / 230
Groups
A group (G, •) is a set G and an operator • : G × G → G that have
closure: a • b ∈ G for all a, b ∈ G
associativity: a • (b • c) = (a • b) • c for all a, b, c ∈ G
neutral element: there exists an e ∈ G such that for all a ∈ G:
a•e=e•a=a
inverse element: for each a ∈ G there exists some b ∈ G such that
a•b=b•a=e

158 / 230
Groups
A group (G, •) is a set G and an operator • : G × G → G that have
closure: a • b ∈ G for all a, b ∈ G
associativity: a • (b • c) = (a • b) • c for all a, b, c ∈ G
neutral element: there exists an e ∈ G such that for all a ∈ G:
a•e=e•a=a
inverse element: for each a ∈ G there exists some b ∈ G such that
a•b=b•a=e
If a • b = b • a for all a, b ∈ G, the group is called commutative (or abelian).

158 / 230
Groups
A group (G, •) is a set G and an operator • : G × G → G that have
closure: a • b ∈ G for all a, b ∈ G
associativity: a • (b • c) = (a • b) • c for all a, b, c ∈ G
neutral element: there exists an e ∈ G such that for all a ∈ G:
a•e=e•a=a
inverse element: for each a ∈ G there exists some b ∈ G such that
a•b=b•a=e
If a • b = b • a for all a, b ∈ G, the group is called commutative (or abelian).
Examples of abelian groups:
I (Z, +), (R, +), (R \ {0}, ·)
I (Zn , +) – set of integers modulo n with addition a + b := (a + b) mod n
I ({0, 1}n , ⊕) where a1 a2 . . . an ⊕ b1 b2 . . . bn = c1 c2 . . . cn with
(ai + bi ) mod 2 = ci (for all 1 ≤ i ≤ n, ai , bi , ci ∈ {0, 1}) “bit-wise XOR”

158 / 230
Groups
A group (G, •) is a set G and an operator • : G × G → G that have
closure: a • b ∈ G for all a, b ∈ G
associativity: a • (b • c) = (a • b) • c for all a, b, c ∈ G
neutral element: there exists an e ∈ G such that for all a ∈ G:
a•e=e•a=a
inverse element: for each a ∈ G there exists some b ∈ G such that
a•b=b•a=e
If a • b = b • a for all a, b ∈ G, the group is called commutative (or abelian).
Examples of abelian groups:
I (Z, +), (R, +), (R \ {0}, ·)
I (Zn , +) – set of integers modulo n with addition a + b := (a + b) mod n
I ({0, 1}n , ⊕) where a1 a2 . . . an ⊕ b1 b2 . . . bn = c1 c2 . . . cn with
(ai + bi ) mod 2 = ci (for all 1 ≤ i ≤ n, ai , bi , ci ∈ {0, 1}) “bit-wise XOR”

If there is no inverse element for each element, (G, •) is a monoid instead.

Examples of monoids:
I (Z, ·) – set of integers under multiplication
I ({0, 1}∗ , ||) – set of variable-length bit strings under concatenation
158 / 230
Permutations and groups
Permutation groups
A set P of permutations over a finite set S forms a group under
concatenation if
I closure: for any pair of permutations g, h : S ↔ S in P their
concatenation g ◦ h : x 7→ g(h(x)) is also in P .
I neutral element: the identity function x 7→ x is in P
I inverse element: for each permutation g ∈ P , the inverse
permutation g −1 is also in P .
Note that function composition is associative: f ◦ (g ◦ h) = (f ◦ g) ◦ h
The set of all permutations of a set S forms a permutation group called the “symmetric group” on
S. Non-trivial symmetric groups (|S| > 1) are not abelian.

159 / 230
Permutations and groups
Permutation groups
A set P of permutations over a finite set S forms a group under
concatenation if
I closure: for any pair of permutations g, h : S ↔ S in P their
concatenation g ◦ h : x 7→ g(h(x)) is also in P .
I neutral element: the identity function x 7→ x is in P
I inverse element: for each permutation g ∈ P , the inverse
permutation g −1 is also in P .
Note that function composition is associative: f ◦ (g ◦ h) = (f ◦ g) ◦ h
The set of all permutations of a set S forms a permutation group called the “symmetric group” on
S. Non-trivial symmetric groups (|S| > 1) are not abelian.

Each group is isomorphic to a permutation group

Given a group (G, •), map each g ∈ G to a function fg : x 7→ x • g.
Since g −1 ∈ G, fg is a permutation, and the set of all fg for g ∈ G forms
a permutation group isomorphic to G. (“Cayley’s theorem”)

159 / 230
Permutations and groups
Permutation groups
A set P of permutations over a finite set S forms a group under
concatenation if
I closure: for any pair of permutations g, h : S ↔ S in P their
concatenation g ◦ h : x 7→ g(h(x)) is also in P .
I neutral element: the identity function x 7→ x is in P
I inverse element: for each permutation g ∈ P , the inverse
permutation g −1 is also in P .
Note that function composition is associative: f ◦ (g ◦ h) = (f ◦ g) ◦ h
The set of all permutations of a set S forms a permutation group called the “symmetric group” on
S. Non-trivial symmetric groups (|S| > 1) are not abelian.

Each group is isomorphic to a permutation group

Given a group (G, •), map each g ∈ G to a function fg : x 7→ x • g.
Since g −1 ∈ G, fg is a permutation, and the set of all fg for g ∈ G forms
a permutation group isomorphic to G. (“Cayley’s theorem”)
Encryption schemes are permutations.
Which groups can be used to form encryption schemes?
159 / 230
Subgroups
(H, •) is a subgroup of (G, •) if
I H is a subset of G (H ⊂ G)
I the operator • on H is the same as on G
I (H, •) is a group, that is
• for all a, b ∈ H we have a • b ∈ H
• each element of H has an inverse element in H
• the neutral element of (G, •) is also in H.

160 / 230
Subgroups
(H, •) is a subgroup of (G, •) if
I H is a subset of G (H ⊂ G)
I the operator • on H is the same as on G
I (H, •) is a group, that is
• for all a, b ∈ H we have a • b ∈ H
• each element of H has an inverse element in H
• the neutral element of (G, •) is also in H.

Examples of subgroups
I (nZ, +) with nZ := {ni|i ∈ Z} = {. . . , −2n, −n, 0, n, 2n, . . .}
– the set of integer multiples of n is a subgroup of (Z, +)
I (R+ , ·) – the set of positive real numbers is a subgroup of (R \ {0}, ·)
I (Q, +) is a subgroup of (R, +), which is a subgroup of (C, +)
I (Q \ {0}, ·) is a subgroup of (R \ {0}, ·), etc.
I ({0, 2, 4, 6}, +) is a subgroup of (Z8 , +)
160 / 230
Notations used with groups

When the definition of the group operator is clear from the context, it is
often customary to use the symbols of the normal arithmetic addition or
multiplication operators (“+”, “×”, “·”, “ab”) for the group operation.
There are two commonly used alternative notations:
“Additive” group: think of group operator as a kind of “+”
I write 0 for the neutral element and −g for the inverse of g ∈ G.
I write g · i := g • g • · · · • g (g ∈ G, i ∈ Z)
| {z }
i times

“Multiplicative” group: think of group operator as a kind of “×”

I write 1 for the neutral element and g −1 for the inverse of g ∈ G.
I write g i := g • g • · · · • g (g ∈ G, i ∈ Z)
| {z }
i times

161 / 230
Rings
A ring (R,
, ) is a set R and two operators
: R × R → R and
 : R × R → R such that
I (R,
) is an abelian group
I (R, ) is a monoid
I a  (b
c) = (a  b)
(a  c) and (a
b)  c = (a  c)
(b  c)
(distributive law)

162 / 230
Rings
A ring (R,
, ) is a set R and two operators
: R × R → R and
 : R × R → R such that
I (R,
) is an abelian group
I (R, ) is a monoid
I a  (b
c) = (a  b)
(a  c) and (a
b)  c = (a  c)
(b  c)
(distributive law)
If also a  b = b  a, then we have a commutative ring.

162 / 230
Rings
A ring (R,
, ) is a set R and two operators
: R × R → R and
 : R × R → R such that
I (R,
) is an abelian group
I (R, ) is a monoid
I a  (b
c) = (a  b)
(a  c) and (a
b)  c = (a  c)
(b  c)
(distributive law)
If also a  b = b  a, then we have a commutative ring.
Examples for rings:
I (Z[x], +, ·), where
(  )
n
X 
i
Z[x] := ai x  ai ∈ Z, n ≥ 0

i=0

is the set of polynomials with variable x and coefficients from Z

– commutative

162 / 230
Rings
A ring (R,
, ) is a set R and two operators
: R × R → R and
 : R × R → R such that
I (R,
) is an abelian group
I (R, ) is a monoid
I a  (b
c) = (a  b)
(a  c) and (a
b)  c = (a  c)
(b  c)
(distributive law)
If also a  b = b  a, then we have a commutative ring.
Examples for rings:
I (Z[x], +, ·), where
(  )
n
X 
i
Z[x] := ai x  ai ∈ Z, n ≥ 0

i=0

is the set of polynomials with variable x and coefficients from Z

– commutative
I Zn [x] – the set of polynomials with coefficients from Zn

162 / 230
Rings
A ring (R,
, ) is a set R and two operators
: R × R → R and
 : R × R → R such that
I (R,
) is an abelian group
I (R, ) is a monoid
I a  (b
c) = (a  b)
(a  c) and (a
b)  c = (a  c)
(b  c)
(distributive law)
If also a  b = b  a, then we have a commutative ring.
Examples for rings:
I (Z[x], +, ·), where
(  )
n
X 
i
Z[x] := ai x  ai ∈ Z, n ≥ 0

i=0

is the set of polynomials with variable x and coefficients from Z

– commutative
I Zn [x] – the set of polynomials with coefficients from Zn
I (Rn×n , +, ·) – n × n matrices over R – not commutative
162 / 230
Fields
A field (F,
, ) is a set F and two associative and commutative
operators
: F × F → F and  : F × F → F such that
I (F,
) is an abelian group with neutral element 0F
I (F, ) is a commutative monoid with neutral element 1F 6= 0F
I (F \ {0F }, ) is also an abelian group (with neutral element 1F )
I a  (b
c) = (a  b)
(a  c) and (a
b)  c = (a  c)
(b  c)
(distributive law)
In other words: a field is a commutative ring where each element except
for the neutral element of the addition has a multiplicative inverse.
Field means: division works, linear algebra works, solving equations, etc.
Examples for (infinitely large) fields: (Q, +, ·), (R, +, ·), (C, +, ·)
For cryptographic applications, we are interested in finite fields, where we
can pick elements uniformly at random. The order of a field is the
number of elements it contains.
If we have 1 + 1 + · · · + 1 = 0 in a ring or field, then we call the smallest such i its characteristic.
| {z }
i times
163 / 230
Ring Zn
Set of integers modulo n is Zn := {0, 1, . . . , n − 1}
When we refer to (Zn , +) or (Zn , ·), we apply after each addition or
multiplication a reduction modulo n. (No need to write out “mod n”
each time.)
We add/subtract the integer multiple of n needed to get the result back into Zn .

(Zn , +) is an abelian group:

I neutral element of addition is 0
I the inverse element of a ∈ Zn is n − a ≡ −a (mod n)
(Zn , ·) is a monoid:
I neutral element of multiplication is 1
(Zn , +, ·), with its “mod n” operators, is a ring, which means
commutative, associative and distributive law works just like over Z.
From now on, when we refer to Zn , we usually imply that we work with
the commutative ring (Zn , +, ·).
Examples in Z5 : 4 + 3 = 2, 4 · 2 = 3, 42 = 1
164 / 230
Division in Zn
In ring Zn , element a has a multiplicative inverse a−1 (with aa−1 = 1) if
and only if gcd(n, a) = 1.
In this case, the extended Euclidian algorithm gives us
nx + ay = 1
and since nx = 0 in Zn for all x, we have ay = 1.
Therefore y = a−1 is the inverse needed for dividing by a.

I We call the set of all elements in Zn that have a multiplicative

inverse the “multiplicative group” of Zn :
Z∗n := {a ∈ Zn | gcd(n, a) = 1}
I If p is prime, then (Z∗p , ·) with
Z∗p = {1, . . . , p − 1}
is a group, and (Zp , +, ·) is a (finite) field, that is every element
except 0 has a multiplicative inverse.
Example: Multiplicative inverses of Z∗7 :
1 · 1 = 1, 2 · 4 = 1, 3 · 5 = 1, 4 · 2 = 1, 5 · 3 = 1, 6 · 6 = 1
165 / 230
Finite fields (Galois fields)
(Zp , +, ·) is a finite field with p elements, where p is a prime number.
Also written as Fp , or as GF(p), the “Galois field of order p”.
We can also construct finite fields Fpn (or GF(pn )) with pn elements:
Let Fq be a finite field with q elements. Then we can create an extension
field Fqn with q n elements as follows:
I Elements: polynomials over variable x with degree less than n and
coefficients from the finite field Fq
I Modulus: select an irreducible polynomial T (x) ∈ Fq [x] of degree n
T (x) = cn xn + · · · + c2 x2 + c1 x + c0
where ci ∈ Fq for all 0 ≤ i ≤ n. An irreducible polynomial cannot be
factored into two lower-degree polynomials from Fq [x] \ {0, 1}.
I Addition: ⊕ is normal polynomial addition (i.e., pairwise addition of
the coefficients in Fq )
I Multiplication: ⊗ is normal polynomial multiplication, then divide
by T (x) and take the remainder (i.e., multiplication modulo T (x)).
Theorem: any finite field has pn elements (for some prime p, n > 0)
Theorem: all finite fields of the same size are isomorphic
166 / 230
F2n – binary fields (fields of characteristic 2)
F2 is particularly easy to implement in hardware:
I addition = subtraction = XOR gate
I multiplication = AND gate
I division can only be by 1, which merely results in the first operand
Of particular practical interest in modern cryptography are larger finite
extension fields of the form F2n (also written as GF(2n )):
I Polynomials are represented as bit words, each coefficient = 1 bit.
I Addition/subtraction is implemented via bit-wise XOR instruction.
I Multiplication and division of binary polynomials is like binary
integer multiplication and division, but without carry-over bits. This
allows the circuit to be clocked much faster.
Recent Intel/AMD CPUs have added instruction PCLMULQDQ for
64 × 64-bit carry-less multiplication. This helps to implement arithmetic
in F264 or F2128 more efficiently.
167 / 230
F28 example
The finite field F28 consists of the 256 polynomials of the form

c7 x7 + · · · + c2 x2 + c1 x + c0 ci ∈ {0, 1}

each of which can be represented by the byte c7 c6 c5 c4 c3 c2 c1 c0 .

As modulus we chose the irreducible polynomial

T (x) = x8 + x4 + x3 + x + 1 or 1 0001 1011

Example operations:
I (x7 + x5 + x + 1) ⊕ (x7 + x6 + 1) = x6 + x5 + x
or equivalently 1010 0011 ⊕ 1100 0001 = 0110 0010
I (x6 + x4 + 1) ⊗T (x2 + 1) = [(x6 + x4 + 1)(x2 + 1)] mod T (x) =
(x8 + x4 + x2 + 1) mod (x8 + x4 + x3 + x + 1) =
(x8 + x4 + x2 + 1) (x8 + x4 + x3 + x + 1) = x3 + x2 + x
or equivalently
0101 0001 ⊗T 0000 0101 = 1 0001 0101 ⊕ 1 0001 1011 = 0000 1110
168 / 230
Multiplication and modular reduction in F2n
n−1
X n−1
X
Let a(x) = ai xi and b(x) = bi xi with ai , bi ∈ Z2
i=0 i=0
be polynomials of degree less than n that represent elements of F2n .
Let f (x) = xn + r(n) be the irreducible modulus.
n−1
X
Algorithm for calculating c(x) = [a(x) · b(x)] mod f (x) = ci xi :
i=0

Right to left multiply(a, b): Left to right multiply(a, b):

if a0 = 1 then c := b else c := 0 c := 0
for i := 1 to n − 1 do for i := n − 1 downto 0 do
if bn−1 = 1 then if ai = 1 then
b := b · x − f ← shift c := c + b ← add
else if i = 0 then return c
b := b · x if cn−1 = 1 then
if ai = 1 then c := c · x − f ← shift
c := c + b ← add else
return c c := c · x
The left-to-right method can be accelerated by precomputing Bu = [b · u] mod f for all 2w
polynomials u of degree less than w, and then adding the Bu selected by w bits of a at a time.
169 / 230
Multiplication and modular reduction in F2n
n−1
X n−1
X
Let a(x) = ai xi and b(x) = bi xi with ai , bi ∈ Z2
i=0 i=0
be polynomials of degree less than n that represent elements of F2n .
Let f (x) = xn + r(n) be the irreducible modulus.
n−1
X
Algorithm for calculating c(x) = [a(x) · b(x)] mod f (x) = ci xi :
i=0

Right to left multiply(a, b): Left to right multiply(a, b):

if a0 = 1 then c := b else c := 0 c := 0
for i := 1 to n − 1 do for i := n − 1 downto 0 do
if bn−1 = 1 then if ai = 1 then
b := b  1 ⊕ r ← shift c := c ⊕ b ← add
else if i = 0 then return c
b := b  1 if cn−1 = 1 then
if ai = 1 then c := c  1 ⊕ r ← shift
c := c ⊕ b ← add else
return c c := c  1
The left-to-right method can be accelerated by precomputing Bu = [b · u] mod f for all 2w
polynomials u of degree less than w, and then adding the Bu selected by w bits of a at a time.
169 / 230
Squaring in F2n
In finite fields of characteristic 2, we have
2=0
−1 = 1
a2 = a for all a ∈ Z2
and as a result some expressions become much simpler.
For example: squaring of polynomials
(a1 x + a0 )2 = (a1 x + a0 )(a1 x + a0 ) = a21 x2 + 2a1 a0 x + a20 = a1 x2 + a0
More generally: if
n−1
X
a(x) = ai xi ∈ F2n
i=0

then
n−1
X
[a(x)]2 = ai x2i .
i=0

170 / 230
Finite groups
Let (G, •) be a group with a finite number of elements |G|.
Practical examples here: (Zn , +), (Z∗
n , ·), (F2n , ⊕), (F2n \ {0}, ⊗)

Terminology:
Related notion: the characteristic of
I The order of a group G is its size |G| a ring or field is the order of 1 in its
additive group, i.e. the smallest i
I order of group element g in G is with 1 + 1 + · · · + 1 = 0.
ordG (g) = min{i > 0 | g i = 1}.
| {z }
i times

Useful facts regarding any element g ∈ G in a group of order m = |G|:

1 g m = 1, g x = g x mod m
2 g x = g x mod ord(g)
3 g x = g y ⇔ x ≡ y (mod ord(g))
4 ord(g) | m “Lagrange’s theorem”
5 if gcd(e, m) = 1 then g 7→ g e is a permutation, and g 7→ g d its
inverse (i.e., g ed = g) if ed mod m = 1
171 / 230
Proofs
0 In any group (G, ·) with a, b, c ∈ G we have ac = bc ⇒ a = b.
Proof: ac = bc ⇒ (ac)c−1 = (bc)c−1 ⇒ a(cc−1 ) = b(cc−1 ) ⇒ a · 1 = b · 1 ⇒ a = b.

1 Let G be an abelian group of order m with elements g1 , . . . , gm . We have

g1 · g2 · · · gm = (gg1 ) · (gg2 ) · · · (ggm )
for arbitrary fixed g ∈ G, because ggi = ggj ⇒ gi = gj (see 0 ), which implies that each
of the (ggi ) is distinct, and since there are only m elements of G, the right-hand side of the
above equation is just a permutation of the left-hand side. Now pull out the g:
m m
g1 · g2 · · · gm = (gg1 ) · (gg2 ) · · · (ggm ) = g · g1 · g2 · · · gm ⇒ g = 1.
m
(Not shown here: g = 1 also holds for non-commutative groups.)

Also: g m = 1 ⇒ g x = g x · (g m )n = g x−nm = g x mod m for any n ∈ Z.

2 Likewise: i = ord(g) ⇒ g i = 1 ⇒ g x = g x · (g i )n = g x+ni = g x mod i for any n ∈ Z.

3 Let i = ord(g).
“⇐”: x ≡ y (mod i) ⇔ x mod i = y mod i ⇒ g x = g x mod i = g y mod i = g y .
“⇒”: Say g x = g y , then 1 = g x−y = g (x−y) mod i . Since (x − y) mod i < i, but i is the
smallest positive integer with g i = 1, we must have (x − y) mod i = 0. ⇒ x ≡ y (mod i).

4 g m = 1 = g 0 therefore m ≡ 0 (mod ord(g)) from 3 , and so ord(g)|m.

5 (g e )d = g ed = g ed mod m = g 1 = g means that g 7→ g d is indeed the inverse of g 7→ g e if

ed mod m = 1. And since G is finite, the existence of an inverse operation implies that
g 7→ g e is a permutation.

Katz/Lindell (2nd ed.), sections 8.1 and 8.3

172 / 230
Cyclic groups
Let G be a finite (multiplicative) group of order m = |G|.

For g ∈ G consider the set

hgi := {g 0 , g 1 , g 2 , . . .}

Note that |hgi| = ord(g) and hgi = {g 0 , g 1 , g 2 , . . . , g ord(g)−1 }.

Definitions:
I We call g a generator of G if hgi = G.
I We call G cyclic if it has a generator.
Useful facts:
1 Every cyclic group of order m is isomorphic to (Zm , +). (g i ↔ i)
2 hgi is a subgroup of G (subset, a group under the same operator)
3 If |G| is prime, then G is cyclic and all g ∈ G \ {1} are generators.
Recall that ord(g) | |G|. We have ord(g) ∈ {1, |G|} if |G| is prime, which makes g either 1
or a generator.
Katz/Lindell (2nd ed.), section 8.3
173 / 230
How to find a generator?

Let G be a cyclic (multiplicative) group of order m = |G|.

I If m is prime, any non-neutral element is a generator. Done.
But |Z∗p | = p − 1 is not prime (for p > 3)!
?
I Directly testing for |hgi| = m is infeasible for crypto-sized m.
Q ei
I Fast test: if m = i pi is composite, then g ∈ G is a generator if
and only if g m/pi 6= 1 for all i.
I Sampling a polynomial number of elements of G for the above test
will lead to a generator in polynomial time (of log2 m) with all but
negligible probability.
⇒ Make sure you pick a group of an order with known prime factors.

One possibility for Z∗p (commonly used):

I Chose a “strong prime” p = 2q + 1, where q is also prime
⇒ |Z∗p | = p − 1 = 2q has prime factors 2 and q.

174 / 230
(Zp , +) is a cyclic group
For every prime p every element g ∈ Zp \ {0} is a generator:

Zp = hgi = {g · i mod p | 0 ≤ i ≤ p − 1}

Note that this follows from fact 3 on slide 173: Zp is of order p, which is prime.

Example in Z7 :
(0 · 0, 0 · 1, 0 · 2, 0 · 3, 0 · 4, 0 · 5, 0 · 6, 0 · 7, . . .) = (0, 0, 0, 0, 0, 0, 0, 0, . . .)
(1 · 0, 1 · 1, 1 · 2, 1 · 3, 1 · 4, 1 · 5, 1 · 6, 0 · 7, . . .) = (0, 1, 2, 3, 4, 5, 6, 0, . . .)
(2 · 0, 2 · 1, 2 · 2, 2 · 3, 2 · 4, 2 · 5, 2 · 6, 0 · 7, . . .) = (0, 2, 4, 6, 1, 3, 5, 0, . . .)
(3 · 0, 3 · 1, 3 · 2, 3 · 3, 3 · 4, 3 · 5, 3 · 6, 0 · 7, . . .) = (0, 3, 6, 2, 5, 1, 4, 0, . . .)
(4 · 0, 4 · 1, 4 · 2, 4 · 3, 4 · 4, 4 · 5, 4 · 6, 0 · 7, . . .) = (0, 4, 1, 5, 2, 6, 3, 0, . . .)
(5 · 0, 5 · 1, 5 · 2, 5 · 3, 5 · 4, 5 · 5, 5 · 6, 0 · 7, . . .) = (0, 5, 3, 1, 6, 4, 2, 0, . . .)
(6 · 0, 6 · 1, 6 · 2, 6 · 3, 6 · 4, 6 · 5, 6 · 6, 0 · 7, . . .) = (0, 6, 5, 4, 3, 2, 1, 0, . . .)

I All the non-zero elements of group Z7 with addition mod 7 are generators
I ord(0) = 1, ord(1) = ord(2) = ord(3) = ord(4) = ord(5) = ord(6) = 7

175 / 230
(Z∗p , ·) is a cyclic group
For every prime p there exists a generator g ∈ Z∗p such that
Z∗p = {g i mod p | 0 ≤ i ≤ p − 2}
Note that this does not follow from fact 3 on slide 173: Z∗
p is of order p − 1, which is even (for
p > 3), not prime.
Example in Z∗7 :
(10 , 11 , 12 , 13 , 14 , 15 , 16 , . . .) = (1, 1, 1, 1, 1, 1, 1, . . .)
(20 , 21 , 22 , 23 , 24 , 25 , 26 , . . .) = (1, 2, 4, 1, 2, 4, 1, . . .)
(30 , 31 , 32 , 33 , 34 , 35 , 36 , . . .) = (1, 3, 2, 6, 4, 5, 1, . . .)
(40 , 41 , 42 , 43 , 44 , 45 , 46 , . . .) = (1, 4, 2, 1, 4, 2, 1, . . .)
(50 , 51 , 52 , 53 , 54 , 55 , 56 , . . .) = (1, 5, 4, 6, 2, 3, 1, . . .)
(60 , 61 , 62 , 63 , 64 , 65 , 66 , . . .) = (1, 6, 1, 6, 1, 6, 1, . . .)
Fast generator test (p. 174), using |Z∗
7 | = 6 = 2·3:
I 3 and 5 are generators of Z∗7 36/2 = 6, 36/3 = 2, 56/2 = 6, 56/3 = 4, all 6= 1.
I 1, 2, 4, 6 generate subgroups of Z∗7 : {1}, {1, 2, 4}, {1, 2, 4}, {1, 6}
I ord(1) = 1, ord(2) = 3, The order of g in Z∗p is the size of the subgroup hgi.
∗
ord(3) = 6, ord(4) = 3, Lagrange’s theorem: ordZ∗p (g) | p − 1 for all g ∈ Zp
ord(5) = 6, ord(6) = 2
176 / 230
Fermat’s and Euler’s theorem
Fermat’s little theorem: (1640)
p prime and gcd(a, p) = 1 ⇒ ap−1 mod p = 1
Recall from Lagrange’s theorem: for a ∈ Z∗ ∗
p , ord(a)|(p − 1) since |Zp | = p − 1.

Euler’s phi function:

ϕ(n) = |Z∗n | = |{a ∈ Zn | gcd(n, a) = 1}|
I Example: ϕ(12) = |{1, 5, 7, 11}| = 4
I primes p, q:
ϕ(p) = p − 1
ϕ(pk ) = pk−1 (p − 1)
ϕ(pq) = (p − 1)(q − 1)
I gcd(a, b) = 1 ⇒ ϕ(ab) = ϕ(a)ϕ(b)
Euler’s theorem: (1763)
gcd(a, n) = 1 ⇔ aϕ(n) mod n = 1
I this implies that in Zn : ax = ax mod ϕ(n) for any a ∈ Zn , x ∈ Z
Recall from Lagrange’s theorem: for a ∈ Z∗ ∗
n , ord(a)|ϕ(n) since |Zn | = ϕ(n).
177 / 230
Chinese remainder theorem
Definition: Let (G, •) and (H, ◦) be two groups. A function f : G → H
is an isomorphism from G to H if
I f is a 1-to-1 mapping (bijection)
I f (g1 • g2 ) = f (g1 ) ◦ f (g2 ) for all g1 , g2 ∈ G

178 / 230
Chinese remainder theorem
Definition: Let (G, •) and (H, ◦) be two groups. A function f : G → H
is an isomorphism from G to H if
I f is a 1-to-1 mapping (bijection)
I f (g1 • g2 ) = f (g1 ) ◦ f (g2 ) for all g1 , g2 ∈ G

Chinese remainder theorem:

For any p, q with gcd(p, q) = 1 and n = pq, the mapping
f : Zn ↔ Zp × Zq f (x) = (x mod p, x mod q)
is an isomorphism, both from Zn to Zp × Zq and from Z∗n to Z∗p × Z∗q .
Inverse: To get back from xp = x mod p and xq = x mod q to x, we first use Euclid’s extended
algorithm to find a, b such that ap + bq = 1, and then x = (xp bq + xq ap) mod n.

Application: arithmetic operations on Zn can instead be done on both

Zp and Zq after this mapping, which may be faster.

178 / 230
Chinese remainder theorem
Definition: Let (G, •) and (H, ◦) be two groups. A function f : G → H
is an isomorphism from G to H if
I f is a 1-to-1 mapping (bijection)
I f (g1 • g2 ) = f (g1 ) ◦ f (g2 ) for all g1 , g2 ∈ G

Chinese remainder theorem:

For any p, q with gcd(p, q) = 1 and n = pq, the mapping
f : Zn ↔ Zp × Zq f (x) = (x mod p, x mod q)
is an isomorphism, both from Zn to Zp × Zq and from Z∗n to Z∗p × Z∗q .
Inverse: To get back from xp = x mod p and xq = x mod q to x, we first use Euclid’s extended
algorithm to find a, b such that ap + bq = 1, and then x = (xp bq + xq ap) mod n.

Application: arithmetic operations on Zn can instead be done on both

Zp and Zq after this mapping, which may be faster.
Example: n = pq = 3 × 5 = 15
x 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
x mod 3 0 1 2 0 1 2 0 1 2 0 1 2 0 1 2
x mod 5 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4
178 / 230
Quadratic residues in (Z∗p , ·)
In Z∗p , the squaring of an element, x 7→ x2 is a 2-to-1 function:

y = x2 = (−x)2
1 2 3 4 5 6
Example in Z∗7 :

(12 , 22 , 32 , 42 , 52 , 62 ) = (1, 4, 2, 2, 4, 1) 1 2 3 4 5 6

If y is the square of a number in x ∈ Z∗p , that is if y has a square root in

Z∗p , we call y a “quadratic residue”.
Example: Z∗7 has 3 quadratic residues: {1, 2, 4}.
If p is an odd prime: Z∗p has (p − 1)/2 quadratic residues.
Zp would have one more: 0

Euler’s criterion:

c(p−1)/2 mod p = 1 ⇔ c is a quadratic residue in Z∗p

Example in Z7 : (7 − 1)/2 = 3, (13 , 23 , 33 , 43 , 53 , 63 ) = (1, 1, 6, 1, 6, 6)

c(p−1)/2 is also called the Legendre symbol
179 / 230
Taking roots in Z∗p
If xe = c in Zp , then x is the “eth root of c”, or x = c1/e .
Case 1: gcd(e, p − 1) = 1
Find d with de = 1 in Zp−1 (Euclid’s extended), then c1/e = cd in Z∗p .
Proof: (cd )e = cde = cde mod ϕ(p) = cde mod (p−1) = c1 = c.

Case 2: e = 2 (taking square roots)

gcd(2, p − 1) 6= 1 if p odd prime ⇒ Euclid’s extended alg. no help here.
√
I If p mod 4 = 3 and c ∈ Z∗p is a quadratic residue: c = c(p+1)/4
h i2
(p−1)/2
Proof: c(p+1)/4 = c(p+1)/2 = c ·c = c.
| {z }
=1

I If p mod 4 = 1 this can also be done efficiently (details omitted).

Application: solve quadratic equations ax2 + bx + c = 0 in Zp
√
−b ± b2 − 4ac
Solution: x =
√ 2a
Algorithms: b2 − 4ac as above, (2a)−1 using Euclid’s extended
Taking roots in Z∗ n : If n is composite, then we know how to test whether c
1/e
exists, and how to
compute it efficiently, only if we know the prime factors of n. Basic Idea: apply Chinese
∗
Remainder Theorem, then apply above techniques for Zp .
180 / 230
Working in subgroups of Z∗p
How can we construct a cyclic finite group G where all non-neutral
elements are generators?
Recall that Z∗p has q = (p − 1)/2 quadratic residues, exactly half of its
elements.
Quadratic residue: an element that is the square of some other element.

Choose p to be a strong prime, that is where q is also prime.

Let G = {g 2 | g ∈ Z∗p } be the set of quadratic residues of Z∗p . G with
operator “multiplication mod p” is a subgroup of Z∗p , with order |G| = q.
G has prime order |G| = q and ord(g)|q for all g ∈ G (Lagrange’s theorem):
⇒ ord(g) ∈ {1, q} ⇒ ord(g) = q for all g > 1 ⇒ for all g ∈ G \ {1} hgi = G.

If p is a strong prime, then each quadratic residue in Z∗p other than 1 is a

generator of the subgroup of quadratic residues of Z∗p .

Generate group(1` ): Example: p = 11, q = 5

p ∈R {(` + 1)-bit strong primes} g ∈ {22 , 32 , 42 , 52 } = {4, 9, 5, 3}
q := (p − 1)/2 h4i = {40 , 41 , 42 , 43 , 44 } = {1, 4, 5, 9, 3}
x ∈R Z∗p \ {−1, 1} h9i = {90 , 91 , 92 , 93 , 94 } = {1, 9, 4, 3, 5}
g := x2 mod p h5i = {50 , 51 , 52 , 53 , 54 } = {1, 5, 3, 4, 9}
return p, q, g h3i = {30 , 31 , 32 , 33 , 34 } = {1, 3, 9, 5, 4}
181 / 230
Modular exponentiation
In cyclic group (G, •) (e.g., G = Z∗p ):
How do we calculate g e efficiently? (g ∈ G, e ∈ N)
Naive algorithm: ge = g • g • · · · • g
| {z }
e times
Far too slow for crypto-size e (e.g., e ≈ 2256 )!

Square-and-multiply algorithm:
n
X
ei · 2 i ,
e
Binary representation: e = n = blog2 ec, ei = 2i mod 2
i=0
Computation:
RtoL square and mult(g, e):
a := g
0 i
 i−1 2 b := 1
g 2 := g, g 2 := g 2 for i := 0 to n do
n   ei if be/2i c mod 2 = 1 then
Y i
g e := g2 b := b • a ← multiply
i=0 a := a • a ← square
return b
182 / 230
Safer square-and-multiply algorithms
Basic square-and-multiply algorithms are vulnerable to side-channel
attacks (e.g., power-line or electromagnetic analysis of unintended
microcontroller signal emissions). If an eavesdropper can recognize the
function-call sequence
square, multiply, square, square, square, multiply, square, multiply, . . .
then that suggests for LtoR square and mult: e = 10011 . . ..
There are often faster algorithms for squaring then just multiplying a group element with itself.

LtoR square and mult(g, e): Montgomery Ladder(g, e):

a := 1 a[0] := g ; assuming en = 1
for i := n downto 0 do a[1] := g 2
a := a2 for i := n − 1 downto 0 do
if ei = 1 then a[¬ei ] := a[0] • a[1]
a := a • g a[ ei ] := a[ei ]2
return a return a[0]

These variants are slower (more multiplications), but branch free.

Dummy write operations like a[0] := a[0] may still be recognizeable.
183 / 230
Safer square-and-multiply algorithms
Basic square-and-multiply algorithms are vulnerable to side-channel
attacks (e.g., power-line or electromagnetic analysis of unintended
microcontroller signal emissions). If an eavesdropper can recognize the
function-call sequence
square, multiply, square, square, square, multiply, square, multiply, . . .
then that suggests for LtoR square and mult: e = 10011 . . ..
There are often faster algorithms for squaring then just multiplying a group element with itself.

Square and mult always(g, e): Montgomery Ladder(g, e):

a[0] := 1 a[0] := g ; assuming en = 1
for i := n downto 0 do a[1] := g 2
a[0] := a[0]2 for i := n − 1 downto 0 do
a[1] := a[0] • g a[¬ei ] := a[0] • a[1]
a[0] := a[ei ] a[ ei ] := a[ei ]2
return a[0] return a[0]

These variants are slower (more multiplications), but branch free.

Dummy write operations like a[0] := a[0] may still be recognizeable.
183 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

184 / 230
Discrete logarithm problem
Let (G, •) be a given cyclic group of order q = |G| with given generator g
(G = {g 0 , g 1 , . . . , g q−1 }). The “discrete logarithm problem (DLP)” is
finding for a given y ∈ G the number x ∈ Zq such that
gx = g • g • · · · • g = y
| {z }
x times

Squaring allows use of faster algorithms than multiplication.

0
If (G, •) is clear from context, we can write x = logg y. For any x0 with g x = y, we have
x = x0 mod q. Discrete logarithms behave similar to normal logarithms: logg 1 = 0 (if 1 is the
neutral element of G), logg hr = (r · logg h) mod q, and logg h1 h2 = (logg h1 + logg h2 ) mod q.

For cryptographic applications, we require groups with

I a probabilistic polynomial-time group-generation algorithm G(1` )
that outputs a description of G with dlog2 |G|e = `;
I a description that defines how each element of G is represented
uniquely as a bit pattern;
I efficient (polynomial time) algorithms for •, for picking an element
of G uniformly at random, and for testing whether a bit pattern
represents an element of G;
185 / 230
Hard discrete logarithm problems

The discrete logarithm experiment DLogG,A (`):

1 Run G(1` ) to obtain (G, q, g), where G is a cyclic group of order q
(2`−1 < q ≤ 2` ) and g is a generator of G
2 Choose uniform h ∈ G.
3 Give (G, q, g, h) to A, which outputs x ∈ Zq
4 Return 1 if g x = h, otherwise return 0

We say “the discrete-logarithm problem is hard relative to G” if for all

probabilistic polynomial-time algorithms A there exists a negligible
function negl, such that P(DLogG,A (`) = 1) ≤ negl(`).

186 / 230
Diffie–Hellman problems
Let (G, •) be a cyclic group of order q = |G| with generator g
(G = {g 0 , g 1 , . . . , g q−1 }). Given elements h1 , h2 ∈ G , define
DH(h1 , h2 ) := g logg h1 ·logg h2
that is if g x1 = h1 and g x2 = h2 , then DH(h1 , h2 ) = g x1 ·x2 = hx1 2 = hx2 1 .
These two problems are related to the discrete logarithm problem:
I Computational Diffie–Hellman (CDH) problem: the adversary is
given uniformly chosen h1 , h2 ∈ G and has to output DH(h1 , h2 ).
The problem is hard if for all PPT A we have P(A(G, q, g, g x , g y ) = g xy ) ≤ negl(`).

I Decision Diffie–Hellman (DDH) problem: the adversary is given

h1 , h2 ∈ G chosen uniformly at random, plus another value h0 ∈ G,
which is either equal to DH(h1 , h2 ), or was chosen uniformly at
random, and has to decide which of the two cases applies.
The problem is hard if for all PPT A and uniform x, y, z ∈ G we have
|P(A(G, q, g, g x , g y , g z ) = 1) − P(A(G, q, g, g x , g y , g xy ) = 1)| ≤ negl(`).

If the discrete-logarithm problem is not hard for G, then neither will be

the CDH problem, and if the latter is not hard, neither will be the DDH
problem.
187 / 230
Diffie–Hellman key exchange
How can two parties achieve message confidentiality who have no prior
shared secret and no secure channel to exchange one?
Select a cyclic group G of order q and a generator g ∈ G, which can be
made public and fixed system wide. A generates x and B generates y,
both chosen uniformly at random out of {1, . . . , q − 1}. Then they
exchange two messages:

A→B: gx
B→A: gy

Now both can form (g x )y = (g y )x = g xy and use a hash h(g xy ) as a

shared private key (e.g. with an authenticated encryption scheme).
The eavesdropper faces the computational Diffie–Hellman problem of
determining g xy from g x , g y and g.
The DH key exchange is secure against a passive eavesdropper, but not against middleperson
attacks, where g x and g y are replaced by the attacker with other values.

W. Diffie, M.E. Hellman: New Directions in Cryptography. IEEE IT-22(6), 1976-11, pp 644–654.

188 / 230
Discrete logarithm algorithms
Several generic algorithms are known for solving the discrete logarithm
problem for any cyclic group G of order q:
I Trivial brute-force algorithm: try all g i , time |hgi| = ord(g) ≤ q.
I Pohlig–Hellman algorithm: if q is not prime, and has a known (or
easy to determine) factorization, then this algorithm reduces the
discrete-logarithm problem for G to discrete-logarithm problems for
prime-order subgroups of G.
⇒ the difficulty of finding the discrete logarithm in a group of order
q is no greater than that of finding it in a group of order q 0 , where q 0
is the largest prime factor dividing q.
I Shank’s baby-step/giant-step algorithm: requires
√ √
O( q · polylog(q)) time and O( q) memory.
I Pollard’s rho algorithm: requires O(√q · polylog(q)) time and
O(1) memory.
⇒ choose G to have a prime order q, and make q large enough such
√
that no adversary can be expected to execute q steps (e.g. q  2200 ).
189 / 230
Baby-step/giant-step algorithm
Given generator g ∈ G (|G| = q) and y ∈ G, find x ∈ Zq with g x = y.
I Powers of g form a cycle 1 = g 0 , g 1 , g 2 , . . . , g q−2 , g q−1 , g q = 1, and
y = g x sits on this cycle.
I Go around cycle in “giant steps” of n = b√qc:

g 0 , g n , g 2n , . . . , g dq/nen

Store all values encountered in a lookup table L[g kn ] := k.

√ √
Memory: q, runtime: q, (times log. lookup table insertion)
I Go around cycle in “baby steps”, starting at y

y · g1 , y · g2 , . . . , y · gn

until we find one of these values in the table L: L[y · g i ] = k.

√
Runtime: q (times log. table lookup)
I Now we know y · g i = g kn , therefore y = g kn−i and can return
x := (kn − i) mod q = logg y.
190 / 230
Discrete logarithm algorithms for Z∗p
The Index Calculus Algorithm computes discrete logarithms in the cyclic
group Z∗p . Unlike the generic algorithms, it has sub-exponential runtime
√
2O( log p log log p)

Therefore, prime p bit-length in cyclic group Z∗p has to be much longer

than a symmetric key of equivalent attack cost. In contrast, the
bit-length of the order q of the subgroup used merely has to be doubled.
There are groups believed to be not vulnerable to the Index Calculus Algorithm, obtained by
defining a group operator over points of an elliptic curve (EC) with coordinates in Zp or Fpn .

Equivalent key lengths: (NIST)

RSA Discrete logarithm problem
private key factoring n = pq in Z∗p in EC
length modulus n modulus p order q order q
80 bits 1024 bits 1024 bits 160 bits 160 bits
112 bits 2048 bits 2048 bits 224 bits 224 bits
128 bits 3072 bits 3072 bits 256 bits 256 bits
192 bits 7680 bits 7680 bits 384 bits 384 bits
256 bits 15360 bits 15360 bits 512 bits 512 bits
191 / 230
Schnorr groups – working in subgroups of Z∗p
Schnorr group: cyclic subgroup G = hgi ⊂ Z∗p with prime order
q = |G| = (p − 1)/r, where (p, q, g) are generated with:
1 Choose primes p  q with p = qr + 1 for r ∈ N
r
2 Choose 1 < h < p with h mod p 6= 1
r r ∗
3 Use g := h mod p as generator for G = hgi = {h mod p|h ∈ Zp }

Advantages:
I Select bit-length of p and q independently, based on respective
security requirements (e.g. 128-bit security: 3072-bit p, 256-bit q)
Difficulty of Discrete Logarithm problem over G ⊆ Z∗
p with order q = |G| depends on both
p (subexponentially) and q (exponentially).
I Some operations faster than if log2 q ≈ log2 p.
Square-and-multiply exponentiation g x mod p (with x < q) run-time ∼ log2 x < log2 q.
I Prime order q has several advantages:
• simple choice of generator (pick any element 6= 1)
• G has no (non-trivial) subgroups ⇒ no small subgroup confinement
attacks
• q with small prime factors can make Decision Diffie–Hellman
problem easy to solve (Exercise 28)
Compare with slide 181 where r = 2.
192 / 230
Schnorr groups (proofs)
Let p = rq + 1 with p, q prime and G = {hr mod p|h ∈ Z∗p }. Then
∗
1 G is a subgroup of Zp .
Proof: G is closed under multiplication, as for all x, y ∈ G we have
xr y r mod p = (xy)r mod p = (xy mod p)r mod p ∈ G as (xy mod p) ∈ Z∗p.
In addition, G includes the neutral element 1r = 1
For each hr , it also includes the inverse element (h−1 )r mod p.

2 G has q = (p − 1)/r elements.

Proof: The idea is to show that the function fr : Z∗ r
p → G with fr (x) = x mod p is an
r-to-1 function, and then since |Z∗ p | = p − 1 this will show that |G| = q = (p − 1)/r.
Let g be a generator of Z∗ 0 1
p such that {g , g , . . . , g
p−2
} = Z∗
p . Under what condition for
i, j is (g i )r ≡ (g j )r (mod p)? (g i )r ≡ (g j )r (mod p) ⇔ ir ≡ jr (mod p − 1) ⇔
(p − 1)|(ir − jr) ⇔ rq|(ir − jr) ⇔ q|(i − j).
For any fixed j ∈ {0, . . . , p − 2} = Zp−1 , what values of i ∈ Zp−1 fulfill the condition
q|(i − j), and how many such values i are there? For each j, there are exactly the r
different values i ∈ {j, j + q, j + 2q, . . . , j + (r − 1)q} in Zp−1 , as j + rq ≡ j
(mod p − 1). This makes fr an r-to-1 function.
∗ r
3 For any h ∈ Zp , h is either 1 or a generator of G.
Proof: h ∈ G (by definition) and |G| prime ⇒ ordG (hr ) ∈ {1, |G|} (Lagrange).
r

∗ q
4 h ∈ G ⇔ h ∈ Zp ∧ h mod p = 1. (Useful security check!)
Proof: Let h = g i with hgi = Z∗
p and 0 ≤ i < p − 1. Then
hq mod p = 1 ⇔ g iq mod p = 1 ⇔ iq mod (p − 1) = 0 ⇔ rq|iq ⇔ r|i.
Katz/Lindell (2nd ed.), section 8.3.3
193 / 230
Elliptic curves – the Weierstrass equation
An elliptic curve E over a field K is defined by the Weierstrass equation

y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6

with coefficients a1 , a2 , a3 , a4 , a6 ∈ K such that ∆(a1 , a2 , a3 , a4 , a6 ) 6= 0.

The discriminant ∆ of E is defined as ∆ = −d22 d8 − 8d34 − 27d26 + 9d2 d4 d6 with d2 = a21 + 4a2 ,
d4 = 2a4 + a1 a3 , d6 = a23 + 4a6 , and d8 = a21 a6 + 4a2 a6 − a1 a3 a4 + a2 a23 − a24 .
If ∆ 6= 0 then the curve is smooth, i.e. it has no points with more than one tangent.

If L is any extension field of K, then the set of (“L-rational”) points on

curve E is defined as

E(L) = {(x, y) ∈ L × L : y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 } ∪ {O}

The additional element O is called the “point at infinity”.

It will act as the neutral element when we define a group structure over E(L).

Elliptic curves were originally studied over the fields C, R, and Q, in the
context of elliptic integrals. In cryptography, they are used instead over
finite fields, in particular K = L = Zp as well as K = L = F2n .
194 / 230
Elliptic curves – simplified Weierstrass equations
An elliptic curve defined over a field K by the Weierstrass equation

y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6

can be turned into an equivalent (isomorphic) one by changing variables:

x − 3a21 − 12a2 y − 3a1 x a31 + 4a1 a2 − 12a3

 
(x, y) 7→ , −
36 216 24

This simplifies the curve equation significantly:

y 2 = x3 + ax + b

where a, b ∈ K and ∆ = −16(4a3 + 27b3 ) 6= 0.

However, due to the divisions by 36 = 22 33 , 216 = 23 33 and 24 = 23 3 in
the above change of variables, this trick does not work (would lead to
division by zero) if the characteristic of K is 2 or 3 (i.e., if 1 + 1 = 0 or
1 + 1 + 1 = 0).
195 / 230
Simplified Weierstrass equations if 1 + 1 = 0
If K has characteristic 2, two other changes of variable can be used to
simplify the Weierstrass equation:
I If a1 6= 0 then
a2 a4 + a2
 
a3
(x, y) 7→ a21 x + , a31 y + 1 3 3
a1 a1
leads to the “non-supersingular” curve

y 2 + xy = x3 + ax2 + b
with discriminant ∆ = b 6= 0.
I If a1 = 0 then
(x, y) 7→ (x + a2 , y)
leads to the “supersingular” curve

y 2 + cy = x3 + ax + b

with a, b, c ∈ K and ∆ = c4 6= 0.
Similar tricks exist for K with characteristic 3, but such K are not commonly used in cryptography.
196 / 230
Elliptic-curve group operation
2
10

8
1
7
P2
6

0 5 P1
P1 4

3
-1
2

0 P2
-2
-2 -1 0 1 2 0 1 2 3 4 5 6 7 8 9 10

elliptic curve over R (a = −1, b = 1) elliptic curve over Z11 (a = −1, b = 1)

Elliptic curves over R or Zp (p > 3) are sets of 2-D coordinates (x, y) with
y 2 = x3 + ax + b where 4a3 + 27b2 6= 0
plus one additional “point at infinity” O.
Group operation P1 + P2 : draw line through curve points P1 , P2 , intersect with
curve to get third point P3 , then negate the y coordinate of P3 to get P1 + P2 .
Neutral element: O – intersects any vertical line. Inverse: −(x, y) = (x, −y)
Curve compression: for any given x, encoding y requires only one bit 197 / 230
Elliptic-curve group operation
2
10

9
P3
8
1
7
P2
6

0 5 P1
P1 4

3
-1
2

1
P1 +P 2 3
0 P2
-2
-2 -1 0 1 2 0 1 2 3 4 5 6 7 8 9 10

elliptic curve over R (a = −1, b = 1) elliptic curve over Z11 (a = −1, b = 1)

Elliptic curves over R or Zp (p > 3) are sets of 2-D coordinates (x, y) with
y 2 = x3 + ax + b where 4a3 + 27b2 6= 0
plus one additional “point at infinity” O.
Group operation P1 + P2 : draw line through curve points P1 , P2 , intersect with
curve to get third point P3 , then negate the y coordinate of P3 to get P1 + P2 .
Neutral element: O – intersects any vertical line. Inverse: −(x, y) = (x, −y)
Curve compression: for any given x, encoding y requires only one bit 197 / 230
Elliptic-curve group operation
2
10 P3
9
P3
8
1
7
P2
6

0 5 P1
P1 4

3
-1
2

1 P1 +P 2 3
P1 +P 2 3
0 P2
-2
-2 -1 0 1 2 0 1 2 3 4 5 6 7 8 9 10

elliptic curve over R (a = −1, b = 1) elliptic curve over Z11 (a = −1, b = 1)

Elliptic curves over R or Zp (p > 3) are sets of 2-D coordinates (x, y) with
y 2 = x3 + ax + b where 4a3 + 27b2 6= 0
plus one additional “point at infinity” O.
Group operation P1 + P2 : draw line through curve points P1 , P2 , intersect with
curve to get third point P3 , then negate the y coordinate of P3 to get P1 + P2 .
Neutral element: O – intersects any vertical line. Inverse: −(x, y) = (x, −y)
Curve compression: for any given x, encoding y requires only one bit 197 / 230
Elliptic-curve group operation over E(Zp )
E(Zp ) = {(x, y) | x, y ∈ Zp and y 2 ≡ x3 + ax + b (mod p)} ∪ {O}
where p > 3 prime, parameters a, b ∈ Zp with 4a3 + 27b2 6≡ 0 (mod p).
I Neutral element: P + O = O + P = P for all P ∈ E(Zp )
I Negation: if P = (x, y) then −P = (x, −y) since P − P = O; −O = O
I Addition: for P1 = (x1 , y1 ), P2 = (x2 , y2 ), P1 , P2 6= O, x1 6= x2 :
y2 − y1
m= line slope
x2 − x1
y = m · (x − x1 ) + y1 line equation

2
m · (x − x1 ) + y1 = x3 + ax + b intersections
2
x3 = m − x1 − x2 third-point solution
y3 = m · (x3 − x1 ) + y1
(x1 , y1 ) + (x2 , y2 ) = (m2 − x1 − x2 , m · (x1 − x3 ) − y1 ) (all of this mod p)
If x1 = x2 but y1 6= y2 then P1 = −P2 and P1 + P2 = O.
I Doubling:
If P1 = P2 and y1 = 0 then P1 + P2 = 2P1 = O.
If P1 = P2 and y1 6= 0 then add using tangent m = (3x21 + a)/2y1 .
198 / 230
Non-supersingular curve group operation over E(F2n )
E(F2n ) = {(x, y) | x, y ∈ F2n and y 2 + xy = x3 + ax2 + b} ∪ {O}
where parameters a, b ∈ F2n with b 6= 0.
I Neutral element: P + O = O + P = P for all P ∈ E(F2n )
I Negation: if P = (x, y) then −P = (x, x + y); −O = O
I Addition: for P1 = (x1 , y1 ), P2 = (x2 , y2 ), P1 , P2 6= O, x1 6= x2 :
y1 + y2
m=
x1 + x2
x3 = m2 + m + x1 + x2 + a
y3 = m · (x1 + x3 ) + x3 + y1
(x1 , y1 ) + (x2 , y2 ) = (x3 , y3 )

If x1 = x2 but y1 6= y2 then P1 = −P2 and P1 + P2 = O.

I Doubling (i.e. P1 = P2 = P ):
If y1 = 0 then P = −P , i.e. P1 + P2 = 2P = O.
If y1 6= 0 then P 6= −P and add using tangent m = x1 + y1 /x1 :
b
x3 = m2 + m + a = x21 + and y3 = x21 + mx3 + x3
x21
199 / 230
Projective coordinates for points on E(F2n )
When points P1 and P2 are represented as “affine” coordinates (x, y) in
curve equation y 2 + xy = x3 + ax2 + b, the point addition and doubling
operations involve expensive field divisions.
Several other projective 3D coordinate systems (X, Y, Z) have been
proposed that make the group operation cheaper, by avoiding division:
I Standard projective coordinates: (x, y) = (X/Z, Y /Z)
Curve: Y 2 Z + XY Z = X 3 + aX 2 Z + bZ 3 ,
O = (0, 1, 0) and −(X, Y, Z) = (X, X + Y, Z).

I Jacobian projective coordinates: (x, y) = (X/Z 2 , Y /Z 3 )

Curve: Y 2 + XY Z = X 3 + aX 2 Z 2 + bZ 6 ,
O = (1, 1, 0) and −(X, Y, Z) = (X, X + Y, Z).

I López-Dahab (LD) projective coordinates: (x, y) = (X/Z, Y /Z 2 )

Curve: Y 2 + XY Z = X 3 Z + aX 2 Z 2 + bZ 4 ,
O = (1, 0, 0) and −(X, Y, Z) = (X, X + Y, Z).
For Z = 1 projective and affine coordinates are identical, i.e. (x, y) = (X, Y, 1).
Equivalent projective coordinate systems also exist for E(Zp ): standard (x, y) = (X/Z, Y /Z),
Jacobian (x, y) = (X/Z 2 , Y /Z 3 ) and Chudnovsky (like Jacobian, but also store Z 2 and Z 3 ).
These all have slightly different performance trade-offs regarding the number of field additions,
multiplications and division required for point add and double operations.
200 / 230
Elliptic-curve groups with prime order
How large are elliptic curves over Zp ?
Equation y 2 = f (x) has two solutions if f (x) is a quadratic residue, and
one solution if f (x) = 0. Half of the elements in Z∗p are quadratic
residues, so expect around 2 · (p − 1)/2 + 1 = p points on the curve.
√ √
Hasse bound: p + 1 − 2 p ≤ |E(Zp , a, b)| ≤ p + 1 + 2 p
Actual group order: approximately uniformly spread over Hasse bound.
Elliptic curves became usable for cryptography with the invention of
efficient algorithms for counting the exact number of points on them.
E.g. Schoof’s algorithm for E(Zp ) and Satoh’s algorithm for E(F2n ).

Generate a cyclic elliptic-curve group (p, q, a, b, G) with:

1 Choose uniform n-bit prime p
2 Choose a, b ∈ Zp with 4a3 + 27b2 6= 0 (mod p), determine
q = |E(Zp , a, b)|, repeat until q is an n-bit prime
3 Choose G ∈ E(Zp , a, b) \ {O} as generator
Easy to find a point G = (x, y) on the curve: ppick uniform x ∈ Zp until
f (x) is a quadratic residue or 0, then set y = f (x).
201 / 230
Elliptic-curve discrete-logarithm problem
The elliptic-curve operation is traditionally written as an additive group,
so the “exponentiation” of the elliptic-curve discrete-logarithm problem
(ECDLP) becomes multiplication:
x · G = G + G + ··· + G x ∈ Zq
| {z }
x times

So the square-and-multiply algorithm becomes double-and-add, and Diffie–Hellman becomes

DH(x · G, y · G) = xy · G for x, y ∈ Z∗q.

Many curve parameters and cyclic subgroups for which ECDLP is

believed to be hard have been proposed or standardised.
Example: NIST P-256
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
a=3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

Note: p = 2256 − 2224 + 2192 + 296 − 1 and q ≈ 2256 − 2224 + 2192 here are generalized resp. pseudo
Mersenne primes, for fast mod calculation on 32-bit CPUs and good use of the 256-bit space.
202 / 230
Commonly used standard curves
NIST FIPS 186-4 has standardized five such elliptic curves over integer field
(Zp ) coordinates: P-192, P-224, P-256, P-384, P-521.
Also: five random curves of the form y 2 + xy = x3 + x2 + b over binary field
(F2n ) coordinates: B-163, B-233, B-283, B-409, B-571. The number of
points on these curves is twice the order of the base point G (“cofactor 2”).
And there are five Koblitz curves of the form y 2 + xy = x3 + ax2 + 1
(a ∈ {0, 1}, with cofactors 4 or 2, resp.), also over F2n :
K-163, K-233, K-283, K-409, K-571. (Koblitz: a, b ∈ {0, 1} ⇒ faster.)
Some mistrust the NIST parameters for potentially having been carefully selected by the NSA, to
embed a vulnerability. http://safecurves.cr.yp.to/rigid.html
Brainpool (RFC 5639): seven similar curves over Zp , chosen by the German government.
The Standards for Efficient Cryptography Group SEC 2 specification lists eight curves over Zp
(secp{192,224,256}{k,r}1, secp{384,521}r1) and 12 over F2n (sect163k1,. . . ,sect571r1).
(Vers. 2.0 dropped smaller secp{112,128,160}r{1,2}, secp160k1 and sect{113,131}r{1,2}.)
The numbers indicate the bit length of one coordinate, i.e. roughly twice the
equivalent symmetric-key strength.
ANSI X9.62 (and SEC 1) define a compact binary syntax for curve points.
Curve25519 was proposed by Daniel J. Bernstein in 2005 and has since
become a highly popular P-256 alternative due to faster implementation, better
resiliency against some implementation vulnerabilities (e.g., timing attacks),
lack of patents and worries about NSA backdoors.
203 / 230
ElGamal encryption scheme
The DH key exchange requires two messages. This can be eliminated if
everyone publishes their g x as a public key in a sort of phonebook.
Assume ((G, ·), q, g) are fixed for all participants.
A chooses secret key x ∈ Z∗q and publishes g x ∈ G as her public key.
B generates for each message a new nonce y ∈ Z∗q and then sends
B→A: g y , (g x )y · M
where M ∈ G is the message that B sends to A in this asymmetric
encryption scheme. Then A calculates
[(g x )y · M ] · [(g y )q−x ] = M
to decrypt M .
In practice, this scheme is rarely used because of the difficulty of fitting
M into G. Instead, B only sends g y . Then both parties calculate
K = h(g xy ) and use that as the private session key for an efficient
blockcipher-based authenticated encryption scheme that protects the
confidentiality and integrity of the bulk of the message M:
B→A: g y , EncK (M )
204 / 230
Number theory: easy and difficult problems
Easy:
I given integer n, i and x ∈ Z∗n : calculate x−1 ∈ Z∗n or xi ∈ Z∗n
I given prime p and polynomial f (x) ∈ Zp [x]:
find x ∈ Zp with f (x) = 0
runtime grows linearly with the degree of the polynomial

Difficult:
I given safe prime p, generator g ∈ Z∗p (or large subgroup):
• given value a ∈ Z∗p : find x such that a = g x .
→ Discrete Logarithm Problem
• given values g x , g y ∈ Z∗p : find g xy .
→ Computational Diffie–Hellman Problem
• given values g x , g y , z ∈ Z∗p : tell whether z = g xy .
→ Decision Diffie–Hellman Problem
I given a random n = p · q, where p and q are `-bit primes (` ≥ 1024):
• find integers p and q such that n = p · q in N
→ Factoring Problem
• given a polynomial f (x) of degree > 1:
find x ∈ Zn such that f (x) = 0 in Zn
205 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

206 / 230
“Textbook” RSA encryption
Key generation
I Choose random prime numbers p and q (each ≈ 1024 bits long)
I n := pq (≈ 2048 bits = key length) ϕ(n) = (p − 1)(q − 1)
I pick integer values e, d such that: ed mod ϕ(n) = 1
I public key PK := (n, e)
I secret key SK := (n, d)
Encryption
I input plaintext M ∈ Z∗n , public key (n, e)
I C := M e mod n
Decryption
I input ciphertext C ∈ Z∗n , secret key (n, d)
I M := C d mod n
In Zn : (M e )d = M ed = M ed mod ϕ(n) = M 1 = M .
Common implementation tricks to speed up computation:
I Choose small e with low Hamming weight (e.g., 3, 17, 216 + 1) for faster modular encryption
I Preserve factors of n in SK = (p, q, d), decryption in both Zp and Zq , use Chinese
remainder theorem to recover result in Zn .
207 / 230
“Textbook” RSA is not secure
There are significant security problems with a naive application of the
basic “textbook” RSA encryption function C := P e mod n:

I deterministic encryption: cannot be CPA secure

I malleability:
• adversary intercepts C and replaces it with C 0 := X e · C
• recipient decrypts M 0 = DecSK (C 0 ) = X · M mod n
I chosen-ciphertext attack recovers plaintext:
• adversary intercepts C and replaces it with C 0 := Re · C mod n
• decryption oracle provides M 0 = DecSK (C 0 ) = R · M mod n
• adversary recovers M = M 0 · R−1 mod n
I Small value of M (e.g., 128-bit AES key), small exponent e = 3:
√
• if M e < n then C = M e mod n = M e and then M = 3
C can be
calculated efficiently in Z (no modular arithmetic!)
I many other attacks exist . . .
208 / 230
Trapdoor permutations
A trapdoor permutation is a tuple of polynomial-time algorithms
(Gen, F, F −1 ) such that
I the key generation algorithm Gen receives a security parameter `
and outputs a pair of keys (PK , SK ) ← Gen(1` ), with key lengths
|PK | ≥ `, |SK | ≥ `;
I the sampling function F maps a public key PK and a value x ∈ X
to a value y := FPK (x) ∈ X ;
I the inverting function F −1 maps a secret key SK and a value
−1
y ∈ X to a value x := FSK (y) ∈ X ;
−1
I for all `, (PK , SK ) ← Gen(1` ), x ∈ X : FSK (FPK (x)) = x.

In practice, the domain X may depend on PK .

This looks almost like the definition of a public-key encryption scheme,

the difference being
I F is deterministic;
I the associated security definition.
209 / 230
Secure trapdoor permutations
Trapdoor permutation: Π = (Gen, F, F −1 )

Experiment/game TDInvA,Π (`):

1` (PK , SK ) ← Gen(1` )
x ∈R X PK , y
y := FPK (x) A

x challenger adversary x0

1 The challenger generates a key pair (PK , SK ) ← Gen(1` ) and a

random value x ∈R X from the domain of FPK .
2 The adversary A is given inputs PK and y := FPK (x).
3 Finally, A outputs x0 .

If x0 = x then A has succeeded: TDInvA,Π (`) = 1.

A trapdoor permutation Π is secure if for all probabilistic polynomial time

adversaries A the probability of success P(TDInvA,Π (`) = 1) is negligible.
While the definition of a trapdoor permutation resembles that of a public-key encryption scheme,
its security definition does not provide the adversary any control over the input (plaintext).
210 / 230
Public-key encryption scheme from trapdoor permutation
Trapdoor permutation: ΠTD = (GenTD , F, F −1 ) with FPK : X ↔ X
Authentic. encrypt. scheme: ΠAE = (GenAE , Enc, Dec), key space K
Secure hash function h : X → K

We define the public-key encryption scheme Π = (Gen0 , Enc0 , Dec0 ):

I Gen0 : output key pair (PK , SK ) ← GenTD (1` )
I Enc0 : on input of plaintext message M , generate random x ∈R X ,
y = F (x), K = h(x), C ← EncK (M ), output ciphertext (y, C);
I Dec0 : on input of ciphertext message C = (y, C), recover
K = h(F −1 (y)), output DecK (C)

Encrypted message: F (x), Ench(x) (M )

The trapdoor permutation is only used to communicate a “session key” h(x), the actual message
is protected by a symmetric authenticated encryption scheme. The adversary A in the PubKcca
A,Π0
game has no influence over the input of F .

If hash function h is replaced with a “random oracle” (something that

just picks a random output value for each input from X ), the resulting
public-key encryption scheme Π0 is CCA secure.
211 / 230
Using RSA as a CCA-secure encryption scheme
Solution 1: use only as trapdoor function to build encryption scheme

I Pick random value x ∈ Z∗n

I Ciphertext is (xe mod n, Ench(x) (M )), where Enc is from an
authenticated encryption scheme

Solution 2: Optimal Asymmetric Encryption Padding

Make M (with zero padding) the left half,

and a random string R the right half, of the
input of a two-round Feistel cipher, using a
secure hash function as the round function.

Interpret the result (X, Y ) as an integer

M 0.
e
Then calculate C := M 0 mod n.
Wikipedia/Ozga

PKCS #1 v2.0
212 / 230
Practical pitfalls with implementing RSA

I low entropy of random-number generator seed when generating p

and q (e.g. in embedded devices):
• take public RSA modulus n1 and n2 from two devices
?
• test gcd(n1 , n2 ) = 1 ⇒ if no, n1 and n2 share this number as a
common factor
• February 2012 experiments: worked for many public HTTPS keys
Lenstra et al.: Public keys, CRYPTO 2012
Heninger et al.: Mining your Ps and Qs, USENIX Security 2012.

213 / 230
1 Historic ciphers
2 Perfect secrecy
3 Semantic security
4 Block ciphers
5 Modes of operation
6 Message authenticity
7 Authenticated encryption
8 Secure hash functions
9 Secure hash applications
10 Key distribution problem
11 Number theory and group theory
12 Discrete logarithm problem
13 RSA trapdoor permutation
14 Digital signatures

214 / 230
One-time signatures

A simple digital signature scheme can be built using a one-way function h

(e.g., secure hash function):
Secret key: 2n random bit strings Ri,j (i ∈ {0, 1}, 1 ≤ j ≤ n)
Public key: 2n bit strings h(Ri,j )
Signature: (Rb1 ,1 , Rb2 ,2 , . . . , Rbn ,n ), where h(M ) = b1 b2 . . . bn

215 / 230
RSA signatures
Basic idea: n = pq, ed ≡ 1 (mod φ(n)), PK = (e, n), SK = (d, n)

S = SignSK (M ) := M d mod n
?
VrfyPK (M, S) := (S e mod n = M )

This “textbook” RSA signature, where adversary has free choice of

message M ∈ Z∗n , is completely insecure (no existential unforgability):
I No-message attack: pick any S and present (M, S) with
M := S e mod n to challenger
I Choose message M , factor it into M = M1 M2 , query oracle for
signatures S1 ≡ M1d , S2 ≡ M2d , present (M, S1 S2 mod n)
I If M and e are small (e.g., e = 3, M < 2256
√ SHA-256 hash,
dlog2 ne = 2048), then M e < n and S = e M may be integer
Solution: RSA with full-domain hashing (RSA-FDH, PKCS #1 v2.1).
Use a collision-resistant H : {0, 1}∗ → Z∗n and S := [H(M )]d mod n.
There is also RSA-PSS which adds a “salt” value for randomization.

216 / 230
Schnorr identification scheme
Cyclic group G of prime order q with generator g, DLOG hard
Secret key: x ∈R Z∗q , public key: y = g x
Prover P picks k ∈R Z∗q , Verifier V picks r ∈R Z∗q
P →V : I := g k
V →P : r
P →V : s := rx + k mod q
Verifier checks
?
g s · y −r = I
Works because:
g s · y −r = g rx+k · (g x )−r = g rx+k−rx = g k = I
As secure as DLOG: an attacker who can find s1 , s2 for two challenges
r1 , r2 with same I could also calculate any discrete logarithm:
g s1 · y −r1 = I = g s2 · y −r2
g s1 −s2 = y r1 −r2 = g x(r1 −r2 )
logg y = (s1 − s2 )(r1 − r2 )−1 mod q
217 / 230
Digital Signature Algorithm (DSA)
Let (G, q, g) be system-wide choices of a cyclic group G of order q with
generator g. In addition, we need two functions H : {0, 1}∗ → Zq and
F : G → Zq where H must be collision resistant.
Both H and F are random oracles in security proofs, but common F not even preimage resistant.
Key generation: uniform secret key x ∈ Zq , then public key y := g x ∈ G.
Signing: On input of a secret key x ∈ Zq and a message m ∈ {0, 1}∗ , first
choose (for each message!) uniformly at random k ∈ Z∗q and set r := F (g k ).
Then solve the linear equation
k · s − x · r ≡ H(m) (mod q) (1)
for s := k−1 · (H(m) + xr) mod q. If r = 0 or s = 0, restart with a fresh k,
otherwise output Signx (m) ← (r, s).
Verification: On input of public key y, message m, and signature (r, s), verify
equation (1) after both sides have been turned into exponents of g:
g ks /g xr = g H(m) (2)
k s H(m) r
(g ) = g y (3)
−1 −1
g k = g H(m)s y rs (4)
? H(m)s−1 rs−1

=⇒ actually verify: r=F g y (5)
218 / 230
DSA variants
ElGamal signature scheme
The DSA idea was originally proposed by ElGamal with G = Z∗p ,
ord(g) = q = p − 1 and F (x) = x.
Unless the p and g are chosen more carefully, ElGamal signatures can be vulnerable to forgery:
D. Bleichenbacher: Generating ElGamal signatures without knowing the secret key.
EUROCRYPT ’96. http://www.springerlink.com/link.asp?id=xbwmv0b564gwlq7a

NIST DSA
In 1993, the US government standardized the Digital Signature
Algorithm, a modification of the ElGamal signature scheme where
I G is a prime-order subgroup of Z∗p
I prime number p (1024 bits), prime number q (160 bits) divides p − 1
I g = h(p−1)/q mod p, with 1 < h < p − 1 so that g > 1 (e.g., h = 2)
I H is SHA-1
I F (x) = x mod q
Generate key: random 0 < x < q, y := g x mod p.
Signature (r, s) := Signx (m): random 0 < k < q,
r := (g k mod p) mod q, s := (k −1 (H(m) + x · r)) mod q
Later versions of the DSA standard FIPS 186 added larger values for (p, q, g), as well as ECDSA,
where G is one of several elliptic-curve groups over Zp or F2n and F ((x, y)) = x mod q.
219 / 230
Elliptic-Curve Digital Signature Algorithm (ECDSA)
System-wide domain parameters:
order q of finite field Fq , a representation of Fq , curve parameters a and b, base
point P = (xP , yP ) ∈ E(Fq ), prime order n of P , cofactor h = |E(Fq )|/n.
ECDSA KeyGen: secret key d ∈R Z∗n , public key Q := dP

ECDSA Sign(m, d):

select k ∈R Z∗n
(x1 , y1 ) := kP , convert x1 to integer x̄1
r := x̄1 mod n, if r = 0 restart with new k
e := H(m)
s := k−1 (e + dr) mod n, if s = 0 restart
return (r, s)

ECDSA Vrfy(m, r, s, Q):

reject unless r, s ∈ Z∗n
e := H(m)
w := s−1 mod n, u1 := ew mod n, u2 := rw mod n
X := u1 P + u2 Q, reject if X = O
v := x̄1 mod n where x̄1 is x1 of X converted to integer
accept signature if v = r, otherwise reject signature
220 / 230
221 / 230
Proper generation of k is important

DSA fails catastrophically if the adversary can ever guess k:

s ≡ k −1 · (H(m) + xr) ⇒ x ≡ (k · s − H(m)) · r−1 (mod q)

All that is needed for k to leak is two messages m 6= m0 signed with the
same k = k 0 (easily recognized from r = r0 = F (g k )):

s ≡ k −1 · (H(m) + xr)
s0 ≡ k −1 · (H(m0 ) + xr)
s − s0 ≡ k −1 · (H(m) − H(m0 ))

−1
k ≡ H(m) − H(m0 ) (s − s0


(mod q)

Sony used a fixed k in firmware signatures for their PlayStation 3

(fail0verflow, 27th Chaos Communication Conf., Berlin 2010).
Without a good random-bit generator to generate k, use e.g.
k := SHA-3(xkm) mod q (with hash output longer than q).

222 / 230
Public-key infrastructure I

Public key encryption and signature algorithms allow the establishment of

confidential and authenticated communication links with the owners of
public/secret key pairs.
Public keys still need to be reliably associated with identities of owners.
In the absence of a personal exchange of public keys, this can be
mediated via a trusted third party. Such a certification authority C issues
a digitally signed public key certificate

CertC (A) = (A, PK A , T, L, N, SignSK C (A, PK A , T, L, N ))

in which C confirms that the public key PK A belongs to entity A,

starting at time T and that this confirmation is valid for the time interval
L, and all this has a serial number N and is digitally signed with C’s
secret signing key SK C .
Anyone who knows C’s public key PK C from a trustworthy source can
use it to verify the certificate CertC (A) and obtain a trustworthy copy of
A’s public key PK A this way.

223 / 230
Public-key infrastructure II

We can use the operator • to describe the extraction of A’s public key
PK A from a certificate CertC (A) with the certification authority public
key PK C :

PK A if certificate valid
PK C • CertC (A) =
failure otherwise

The • operation involves not only the verification of the certificate

signature, but also the validity time and other restrictions specified in the
signature. For instance, a certificate issued by C might contain a
reference to an online certificate revocation list published by C, which
lists the serial numbers N of all certificates of public keys that might
have become compromised (e.g., the smartcard containing SK A was
stolen or the server storing SK A was broken into) and whose certificates
have not yet expired.

224 / 230
Public-key infrastructure III
Public keys can also be verified via several trusted intermediaries in a
certificate chain:

PK C1 • CertC1 (C2 ) • CertC2 (C3 ) • · · · • CertCn−1 (Cn ) • CertCn (B) = PK B

A has received directly a trustworthy copy of PK C1 (which many

implementations store locally as a certificate CertA (C1 ) to minimise the
number of keys that must be kept in tamper-resistant storage).
Certification authorities could be made part of a hierarchical tree, in
which members of layer n verify the identity of members in layer n − 1
and n + 1. For example layer 1 can be a national CA, layer 2 the
computing services of universities and layer 3 the system administrators
of individual departments.
Practical example: A personally receives KC1 from her local system administrator C1 , who
confirmed the identity of the university’s computing service C2 in CertC1 (C2 ), who confirmed the
national network operator C3 , who confirmed the IT department of B’s employer C3 who finally
confirms the identity of B. An online directory service allows A to retrieve all these certificates
(plus related certificate revocation lists) efficiently.

In today’s Transport Layer Security (TLS) practice (HTTPS, etc.), most private users use their
web-browser or operating-system vendor as their sole trusted source of PK C1 root keys.

225 / 230
Example of an X.509 certificate
$ openssl s_client -showcerts -connect www.cst.cam.ac.uk:443 >cst.crt
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
depth=1 C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
depth=0 C = GB, ST = Cambridgeshire, L = CAMBRIDGE, O = University of Cambridge, OU = UIS, CN = www.cst.cam.ac.uk
$ openssl x509 -text -noout -in cst.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:07:fb:5f:76:c8:1d:8f:7e:e3:5e:d6:ab:71:5d:a5:1a:c0:e6:70
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
Validity
Not Before: Sep 13 15:33:05 2017 GMT
Not After : Sep 13 15:43:00 2020 GMT
Subject: C = GB, ST = Cambridgeshire, L = CAMBRIDGE, O = University of Cambridge, OU = UIS, CN = www.cst.cam.ac.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c3:cb:9f:77:9d:c8:09:f1:b3:aa:f7:8f:34:e5:
8e:92:45:50:a7:35:ee:09:27:ec:b8:7c:af:07:9d:
f4:30:79:37:2e:81:ad:85:ff:f9:c4:93:ca:27:28:
a0:d1:93:27:9f:0f:b4:c8:1c:55:7b:f9:90:46:c5:
69:56:40:b5:90:d6:34:06:8f:cc:b7:e0:31:3e:2f:
d9:2f:57:13:f5:4f:7d:ef:d8:7e:16:5a:d7:72:14:
e4:0b:13:87:b2:df:2a:0f:30:f1:6d:9a:b6:0b:c8:
e0:87:0f:b5:72:a0:b9:07:2e:48:32:bb:12:dd:d3:
96:21:1c:c9:94:8f:47:1d:9a:3b:35:ec:20:45:38:
06:15:ed:4e:43:80:96:94:90:fc:25:05:88:f6:7b:
cb:27:a9:49:e4:80:20:e7:f1:f0:23:05:e8:91:77:
c3:04:2e:2e:33:ca:76:fc:00:17:a4:93:88:f4:e1:
66:ac:51:56:8d:27:91:2d:d2:5a:e7:01:83:b9:ab:
c1:94:38:54:5a:f4:e9:dc:c5:91:96:b7:17:c6:55:
bf:ea:85:41:d5:0b:d7:09:62:26:01:c9:e1:fe:b3:
57:e0:b8:f9:fc:0b:76:65:6c:43:f0:5f:30:77:38:
17:00:df:6a:27:25:1d:30:9e:19:01:e9:0c:78:cc:
c9:3d
Exponent: 65537 (0x10001)
 X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Authority Key Identifier:
keyid:B3:12:89:B5:A9:4B:35:BC:15:00:F0:80:E9:D8:78:87:F1:13:7C:76

Authority Information Access:

CA Issuers - URI:http://trust.quovadisglobal.com/qvsslg3.crt
OCSP - URI:http://ocsp.quovadisglobal.com

X509v3 Subject Alternative Name:

DNS:www.cst.cam.ac.uk
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.8024.0.2.100.1.1
CPS: http://www.quovadisglobal.com/repository

X509v3 Extended Key Usage:

TLS Web Client Authentication, TLS Web Server Authentication
X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.quovadisglobal.com/qvsslg3.crl

X509v3 Subject Key Identifier:

16:19:61:83:6F:AE:05:98:FA:62:9D:B8:AA:99:4B:C5:0A:04:8B:D9
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
8a:94:59:8a:70:00:c5:f9:1b:25:f0:04:c7:b8:79:46:6b:0c:
2b:d1:01:1a:9e:83:4a:53:f9:c5:45:38:85:1d:f3:32:8a:f8:
03:a2:bd:6d:f7:e6:5b:97:81:11:7d:c6:9c:d0:78:01:2a:f4:
8a:d1:51:13:b0:a4:72:cc:40:55:8f:e8:bb:b1:ff:f9:66:0a:
2d:fe:9c:69:12:2c:32:45:bc:0b:39:02:ff:68:12:94:ad:04:
a2:4a:f0:5b:c6:cb:6d:d2:38:ad:dd:be:4c:1c:19:d2:69:b3:
eb:98:e7:8e:bf:84:cb:a2:7c:07:47:de:99:d9:79:6e:e0:7a:
01:89:a5:93:de:70:b5:69:56:1f:09:8d:15:04:88:e5:59:86:
65:b3:fb:42:24:db:86:8c:d5:f7:f3:1c:cc:cd:7c:79:d4:32:
4a:70:b7:f8:87:b3:0e:9b:93:ef:99:7f:a4:27:fb:7d:03:93:
[... 16 lines deleted ...]
5c:76:39:6d:51:dc:80:2e:cf:96:90:0c:b8:f1:ed:88:c8:c2:
27:69:fe:0d:b9:ec:48:da:d4:f3:79:77:e1:3a:15:be:03:58:
a6:d1:74:d7:4e:ec:d1:17

$ ls -l /etc/ssl/certs/
Outlook

Modern cryptography is still a young discipline (born in the early 1980s),

but well on its way from a collection of tricks to a discipline with solid
theoretical foundations.
Some important concepts that we did not touch here for time reasons:
I password-authenticated key exchange
I identity-based encryption
I side-channel and fault attacks
I application protocols: electronic voting, digital cash, etc.
I secure multi-party computation
I post-quantum cryptography

226 / 230
Appendix

227 / 230
Some basic discrete mathematics notation
I |A| is the number of elements (size) of the finite set A.
I A1 × A2 × · · · × An is the set of all n-tuples (a1 , a2 , . . . , an ) with
a1 ∈ A1 , a2 ∈ A2 , etc. If all the sets Ai (1 ≤ i ≤ n) are finite:
|A1 × A2 × · · · × An | = |A1 | · |A2 | · · · · · |An |.
I An is the set of all n-tuples (a1 , a2 , . . . , an ) = a1 a2 . . . an with
a1 , a2 , . . . , an ∈ A. If A is finite then |An | = |A|n .
I A≤n = ni=0 Ai and A∗ = ∞ i
S S
i=0 A
I Function f : A → B maps each element of A to an element of B:
a 7→ f (a) or b = f (a) with a ∈ A and b ∈ B.
I A function f : A1 × A2 × · · · × An → B maps each parameter tuple
to an element of B: (a1 , a2 , . . . , an ) 7→ f (a1 , a2 , . . . , an ) or
f (a1 , a2 , . . . , an ) = b.
I A permutation f : A ↔ A maps A onto itself and is invertible:
x = f −1 (f (x)). There are | Perm(A)| = |A|! = 1 · 2 · · · · · |A|
permutations over A.
I B A is the set of all functions of the form f : A → B. If A and B
are finite, there will be |B A | = |B||A| such functions.
228 / 230
Confidentiality games at a glance
1` 1`
M0 , M 1
b ∈R {0, 1}
PrivKeav K ← Gen(1` ) A
C ← EncK (Mb )
challenger C adversary
b b0

1` 1`
M01 , M02 , . . . , M0t
b ∈R {0, 1}
K ← Gen(1` ) M11 , M12 , . . . , M1t
PrivKmult A
C ← EncK (Mb )
challenger C1, C2, . . . , Ct adversary
b b0

M 1, M 2, . . . , M t
1` b ∈R {0, 1} 1`
Ct, . . . , C2, C1
K ← Gen(1` ) M0 , M1
PrivKcpa C i ← EncK (M i ) A
C ← EncK (Mb ) C 0
challenger M t+1 , . . . , M t+t adversary
b 0 b0
C t+t , . . . , C t+1

229 / 230
Integrity games at a glance
M 1, C2, . . .
1` b ∈R {0, 1} 1`
. . . , M 2, C1
K ← Gen(1` ) M0 , M1
PrivKcca C i ← EncK (M i ) A
M i ← DecK (C i ) C
M t+1 , C t+2 6= C, . . . adversary
b C ← EncK (Mb ) b0
. . . , M t+2 , C t+1

1` K ← Gen(1` ) 1`
M 1, M 2, . . . , M t
T i ← MacK (M i )
Mac-forge T t, . . . , T 2, T 1 A
b := VrfyK (M, T ) adversary
b M, T
M 6∈{M 1 ,M 2 ,...,M t }

1` K ← Gen(1` ) 1`
M 1, M 2, . . . , M t
C i ← EncK (M i )
CI Ct, . . . , C2, C1 A
(
0, DecK (C) = ⊥
b :=
b 1, DecK (C) 6= ⊥ C adversary
C6∈{C 1 ,C 2 ,...,C t }

230 / 230