文稿密码学及应

thereisnomathematicalproofofsecurityforanypracticalcipher.theonlywaytohaveassurancethipherissecureistotrytobreakit(andfail)!学的早年时代：文世出：学水平低导致丢了性命courtesyfrom 是学的催化剂：理科生登场国家重 学：信息论 现代学：理论和现实的鸿courtesyfrom ided modern 3500 ~1950 math 2015! ysis:Attacking Brute-ImplementationAttack:Trytoextractkeythroughreverseengineeringorpowermeasurement,e.g.,forabankin artcard.SocialEngineering:E.g.,trickauserintogivingupher! Attack(orExhaustiveKey SymmetricTreatsthecipherasablackRequires(atleast) intext-ciphertextpair(x0,CheckallpossiblekeysuntilconditionisdK(y0)= HowmanykeystoweneedinbitKeySecuritylife(assumingbrute-asbestpossibleShortterm(fewdaysorLong-term(severaldecadesintheabsenceofquantumLong-term(alsoresistantquantumcomputers–notethatQCdonotexistatthemomentandmightneverexist)Important:Anadversaryonlyneedstosucceedwithoneattack.Thus,alongkeyspacedoesnothelpifotherattacks(e.g.,socialengineering)arepossible..ContentofthisOverviewonthefieldofBasicsofsymmetricSubstitutionModularShift(orCaesar)CipherandAffine!SubstitutionHistoricalGreattoolforunderstanding yticalEncryptslettersratherthanbits(likeallciphersuntilafterWWIdea:receeachintextletterbyafixedother forinstance,ABBAwouldbeencryptedasExampleiqifccvqqrfbrdqvfllcqnardqcfjwhwzhrbnnbhcchwwhbsqvqbrehwqvhlqHowsecureistheSubstitutionCipher?Let‘slookat!AttackstheSubstitutionAttack:ExhaustiveKeySearch Simplytryeverypossiblesubsititutiontableuntilanin intextappears(notethateachsubstitutiontableisakey)..Howmanysubstitutiontables(=keys)are26x25x…x3x2x1=26!Searchthrough288keysiscompleyinfeasiblewithtoday‘scomputers!(cf.earliertableonkeylengths)Q:Canwenowconcludethatthesubstitutioncipherissecures eabrute-attackisnotfeasible?A:No!Wehaveto allpossible!2.Attack:Letter ysis LettershaveverydifferentfrequenciesintheEnglishMoreover:thefrequency intextlettersis intheForinstance,“e“isthemostcommonletterinEnglish;almost13%ofalllettersinatypicalEnglishtextare“e“.Thenextmostcommononeis“t“withabout

LetterfrequenciesinFrequencyFrequencyinETAOINSHRDLC WFGYPBVKJXQZ Chapter1ofUnderstandingCryptographybyChristofPaarandJan!BreakingtheSubstitutionCipherwithLetterFrequencyLet‘sreturntoourexampleandidentifythemostfrequentiqifccvqqrfbrdqvfllcqnardqcfjwhwzhrbnnbhcchwwhbsqvqbrehwqvhlqWe cetheciphertextletterqbyEandiEifccvEErfbrdEvfllcEnardEcfjwhwzhrbnnbhcchwwhbsEvEbrehwEvhlEByfurtherguessingbasedonthefrequencyoftheremaininglettersweobtaintheWEWILLMEETINTHEMIDDLEOFTHELIBRARYATNOONALLARRANGEMENTSAREMADEInIntheeraofsubstitutionciphers(very…very…very…longperiodoftime),linguistsareoftenbettercryptographersthanmathematicians.!BreakingtheSubstitutionCipherwithLetterFrequencyInpractice,notonlyfrequenciesofindividualletterscanbeusedforanattack,butalsothefrequencyofletterpairs(i.e.,„th“isverycommoninEnglish),lettertriples,cf.Problem1.1inUnderstandingCryptographyforalongerciphertextyoucantrytobreak!Importantlesson:Eventhoughthesubstitutioncipherhasasufficientlylargekeyspaceofappr.288,itcaneasilybedefeatedwith yticalmethods.Thisisanexcellentexamplethatanencryptionschememustwithstandalltypesofattacks.ContentofthisOverviewonthefieldofBasicsofsymmetricAttackingcryptoSubstitutionModularShift(orCaesar)CipherandAffine!ShortIntroductiontoModularWhydoweneedtostudymodularExtremelyimportantforasymmetriccryptography(RSA,ellipticcurvesSomehistoricalcipherscanbeelegantlydescribedwithmodulararithmetic(cf.Caesarandaffinecipherlateron).!ShortIntroductiontoModularGenerallyspeaking,mostcryptosytemsarebasedonsetsofnumbersthatdiscrete(setswithintegersareparticularlyfinite(i.e.,ifweonlycomputewithafinielymanySeemstoo ?---Let‘slookatafinitesetwithdiscretenumberswearequitefamiliarwith:aclock. Interestingly,eventhoughthenumbersare rementedeveryhourweneverleavethesetof1,2,3,…11,12,1,2,3,…11,12,1,2,3,!ShortIntroductiontoModularWedevelopnowanarithmeticsystemwhichallowsustocomputeinfinitesetsofintegerslikethe12integerswefindonaclock(1,2,3,…,12).Itiscrucialtohaveanoperationwhich„keepsthenumberswithinlimits“,i.e.,af andmultiplicationtheyshouldneverleavetheset(i.e.,neverlargerthan12).Definition:Definition:ModulusLeta,r,mbeintegersandm>0.Wea≡rmodif(r-a)isdivisibleby“m”iscalledthe“r”iscalledtheExamplesformodularLeta=12andm=9 12≡3modLeta=34andm= 34≡7modLeta=-7andm= -7≡2mod(youshouldcheckwhetherthecondition„mdivides(r-a)“holdsineachofthe3!PropertiesofModularArithmeticTheremainderisnotItissomewhatsurprisingthatforeverygivenmodulusmandnumbera,thereare(infini manyvalidremainders.12≡3mod9→3isavalidremainder e9divides(3-12≡21mod9→21isavalidremainder e9divides(21-12≡-6mod9→-6isavalidremainder e9divides(-6-!PropertiesofModularArithmeticWhichremainderdoweByconvention,weusuallyagreeonthesmallestnon-negativeintegerrasremainder.Thisintegercanbecomputedas a=qm+ where0≤r≤m-Example:a=12and12=1x9+ →r=Remark:Thisisjustaconvention.Algorithmicallyweare tochooseanyothervalidremaindertocomputeourcryptofunctions.x=25,y=x+y=43=7modx+y=(25mod12+18mod12)mod(x+y)modm=(xmodm+ymodm)modx=15,y=x*y=255=3modx*y=(15mod12*17mod12)mod(x*y)modm=(xmodm*ymodm)modx0isaconstantand0≤x0≤m-s={x|x=x0modm}isacongruenceInmodulararithmetic,valuesinthesamecongruenceclasscansubstituteeachother!PropertiesofModularArithmeticHowdoweperformmodularFirst,notethatratherthanperformingadivision,weprefertomultiplybytheinverse.b/a≡bxa-1modTheinversea-1ofanumberaisdefinedsuchaa-1≡1mod Whatis5/7mod9Theinverseof7mod9is4 e7x4≡28≡1mod9,5/7≡5x4=20≡2modHowistheinverseTheinverseofanumberamodmonlyexistsifandonly(a,m)=1(notethatintheexampleabove(5,9)=1,sothattheinverseof5existsmoduloFornow,thebestwayofcomputingtheinverseistouseexhaustivesearch. hapter6ofUnderstandingCryptographywewilllearnthepowerfulEuclide gorithmwhichactuallycomputesaninverseforagivennumberandmodulus. gebraicViewonModuloArithmetic:TheRingZmWecanviewmodulararithmeticintermsofsetsandoperationsintheset.By arithmeticmodulomweobtaintheintegerringZm.withthefollowingproperties:Closure:WecanaddandmultiplyanytwonumbersandtheresultisalwaysintheAdditionandmultiplicationareassociative,i.e.,foralla,b,ca+(b+c)=(a+b)+ca(bc)=(ab)candadditioniscommutative:a+b=b+Thedistributivelawholds:a×(b+c)=(a×b)+(a×c)foralla,b,cThereistheneutralelement0withrespecttoaddition,i.e.,forallaa+0amodForallaZm,thereisalwaysanadditiveinverseelement–asucha+(-a)0modThereistheneutralelement1withrespecttomultiplication,i.e.,forallaa1amodThemultiplicativeinversea-aa-11modexistsonlyforsome,butnotforall,elementsin!PropertiesofModularArithmeticModularreductioncanbeperformedatanypointduringaLet’slookfirstatanexample.Wewanttocompute38mod7(notethatexponentiationisextremelyimport public-keycryptography).Approach:Exponentiationfollowedbymodular38=6561≡2modNotethatwehavetheintermediateresult6561eventhoughweknowthatthefinalresultcan’tbelargerthan6.Approach:Exponentiationwithintermediatemodular38=3434=81xAtthispointwereducetheintermediateresults81modulo38=81x81≡4x4mod4x4=16≡2modNotethatwecanperformallthesemultiplicationswithoutpocketcalculator,whereasmentallycomputing38=6561isabitchallengingformostofus.GeneralGeneralrule:Formostalgorithmsitisadvantageoustoreduceresultsassoonas gebraicViewonModuloArithmetic:TheRingZmRoughlyRoughlyspeaking,aringisastructureinwhichwewaysadd,subtractmultiply,butwecanonlydividebycertainelements(namelybythoseforwhichmultiplicativeinverseWerecallfromabovethatanelementaZmhasamultiplicativeinverseonly(a,m)=1WesaythataiscoprimeorrelativelyprimetoEx:WeconsidertheringZ9=Theelements0,3,and6donothaveinversess etheyarenotcoprimeto9.Theinversesoftheotherelements1,2,4,5,7,and8are:1-11mod 2-15mod 4-17mod5-12mod 7-14mod 8-18modContentofthisOverviewonthefieldofBasicsofsymmetricAttackingcryptoSubstitutionModularShift(orCaesar)CipherandAffine GaiusJuliusFirstTriumvirate(ruleofthreeCleopatra(dictatorOctavian->!Shift(orCaesar)CipherAncientcipher,allegedlyusedbyJulius ces intextletterbyanother cementruleisverysimple:TakeletterthatfollowsafterkpositionsinthealphabetNeedsmapfromletters→numbers:ABCDEFGHIJKLM0123456789NOPQRSTUVExamplefork=intext=ATTACK=0,19,19,0,2,Ciphertext=haahr=7,0,0,7,Notethattheletters”wraparound”at ofthealphabet,whichcanbemathematicallybeexpressedasreductionmodulo26,e.g.,19+7=26≡0mod26!Shift(orCaesar)CipherElegantmathematicaldescriptionoftheLetLetk,x,yε{0,1,…,y=ek(x)≡x+kmodx=dk(x)≡y-kmodQ;IstheshiftcipherA:No!severalattacksare Exhaustivekeysearch(keyspaceisonlyLetter ysis,similarto substitution!AffineCipherExtensionoftheshiftcipher:ratherthanjustaddingthekeytothe intext,wealsomultiplybythekeyWeuseforthisakeyconsistingoftwoparts:k=(a,Letx,Letx,yε{0,1,…, y=ek(x)≡ax+bmod x=dk(x)≡a-1(y–b)mod etheinverseofaisneededfordecryption,wecanonlyusevaluesforafor(a,26)=1Thereare12valuesforathatfulfillthisFromthisfollowsthatthekeyspaceisonly12x26=312(cf.Sec1.4inUnderstandingAgain,severalattacksare Exhaustivekeysearchandletterfrequency ysis,similartotheattack substitutionciph