YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE
CPSC 467b: Cryptography and Computer Security | Handout #7 | |
Professor M. J. Fischer | February 20, 2012 | |
Study Guide to Mideterm Exam
For the exam, you are responsible for the contents of lectures 1–12, the concepts used in problem sets 1–3, and the corresponding sections of the Trappe and Washington textbook. In greater detail, you are responsible for the following chapters and sections of Trappe and Washington:
Goldwasser and Bellare is a supplement to the lectures and the main textbook. It contains material that goes way beyond what this course is able to cover, and you are not responsible for material in it that was not covered in the lectures. Nevertheless, you might find the following sections helpful in understanding some of the class material:
Below is an index to the lecture notes. It lists all of the sections, subsections, and slide titles from lectures 1–12.
1 Course Overview [lecture 01]
∙ What is this course about?
∙ Role of cryptography
∙ Information security in the real world
∙ How is security achieved in the real world?
∙ Threat examples
∙ Principles of risk management
∙ Focus of this course
∙ Computer science, mathematics and cryptography
∙ Organization of this course
∙ What this course is not
∙ Example primitive: Symmetric cryptography (informal)
∙ Application of a symmetric cryptosystem
∙ Solution using symmetric cryptography
∙ Eve’s side of the story
∙ Requirements
2 Symmetric Cryptography [lecture 01]
∙ Symmetric cryptosystems (somewhat more formal)
∙ Desired properties
∙ What’s wrong with this definition?
3 Security of Symmetric Cryptography [lecture 02]
∙ Choosing a cryptosystem
∙ An analogy—choosing a car
∙ Quantifying computational difficulty
∙ Some important questions
∙ Modern Cryptography
∙ Giving precise answers to security questions
∙ Measuring computational difficulty
∙ Role of complexity theory
∙ Feasibility
∙ Keeping data confidential
∙ A more nuanced approach
∙ Attacks that do not always succeed
∙ Eve’s information
∙ Attack scenarios
∙ Known plaintext attacks
∙ Chosen text attack scenarios
∙ Why would Alice cooperate in a chosen plaintext attack?
∙ Adaptive chosen text attack scenarios
∙ Randomness in cryptography
∙ Independence
∙ Joint probability distribution
∙ Eve’s success probability
∙ Computational security
∙ Practical security considerations
4 Probability Theory [lecture 02]
∙ Probability distributions and events
∙ Random variables
∙ Experiments
∙ Conditional probability
∙ Statistical independence
5 Perfect Secrecy [lecture 02]
∙ Information-theoretic security
∙ Base Caesar cipher
∙ Full Caesar cipher
6 Perfect secrecy [lecture 03]
∙ Caesar cipher
∙ Simplified Caesar cipher
∙ Joint message-key distribution
∙ Conditional probability distribution
∙ Proof of perfect secrecy
∙ A minor change
∙ Perfect secrecy lost
∙ Caveats with perfect secrecy
∙ Known plaintext attack against simplified Caesar cipher
∙ Man-in-the-middle attacks
∙ Modification attack against base Caesar cipher
∙ A modification attack on English vowels
∙ A general’s orders
∙ Moral
7 Classical ciphers [lecture 03]
∙ One-time pad
∙ The one-time pad cryptosystem
∙ One-time pad in practice
∙ One-time pad vulnerable to a known plaintext attack
f03
∙ Affine ciphers
∙ Polyalphabetic ciphers
∙ Vigenère cipher
∙ Hill cipher
∙ Playfair cipher
∙ How Playfair works
∙ Example Playfair matrix
∙ Encrypting in Playfair: preparing the message
∙ Encrypting in Playfair: substituting the pairs
∙ Decrypting in Playfair
∙ Block ciphers
∙ Analysis of the Caesar cipher
∙ References
∙ Breaking the Caesar cipher: An example
∙ Breaking the Caesar cipher: Extending these ideas
∙ Breaking the Caesar cipher: Conclusion
∙ Trying all keys
∙ Automating brute force attacks
∙ Random English-like messages
∙ Determining likely keys
∙ How long should the keys be?
∙ What is safe today and into the future?
∙ Cryptography before computers
∙ Monoalphabetic ciphers
∙ How to break monoalphabetic ciphers
10 Building block ciphers [lecture 04]
∙ Substitution: Replacing one letter by another
∙ Transposition: Rearranging letters
∙ Composition: Building new ciphers from old
∙ Practical ciphers
11 Data Encryption Standard (DES) [lecture 04]
∙ Data encryption standard (DES)
∙ Feistel networks
∙ DES Feistel network
∙ One stage
∙ Properties of Feistel networks
∙ Obtaining the subkey
∙ The scrambling function
∙ DES scrambling network
∙ Connecting the boxes
∙ Expansion permutation
∙ Connecting the outputs
∙ Security considerations
12 Using block ciphers [lecture 04]
∙ Block ciphers
∙ Using a block cipher
∙ Padding
∙ Padding rules
∙ Padding example
14 Advanced Encryption Standard [lecture 05]
∙ New Standard
∙ Details
∙ More details
∙ How does AES actually work?
∙ Confusion & Diffusion
∙ Transformations
∙ Roles of the four transformations
∙ Roles of the four transformations
∙ Preliminaries
∙ SubBytes()
∙ SubBytes() S-Box
∙ SubBytes()
∙ ShiftRows()
∙ MixColumns()
∙ Matrix multiplication
∙ AddRoundKey()
∙ Decryption
∙ AES Security
∙ Bruce Schneier on AES security
15 AES Alternatives [lecture 05]
∙ Other ciphers
∙ IDEA (International Data Encryption Algorithm)
∙ Blowfish
∙ RC6
∙ TEA (Tiny Encryption Algorithm)
∙ Additional Resources
∙ Padding revisited
∙ PKCS7 padding
17 Chaining modes [lecture 06]
∙ Chaining mode
∙ Electronic Codebook Mode (ECB)
∙ Cipher Block Chaining Mode (CBC)
∙ Output Feedback Mode (OFB)
∙ Cipher-Feedback Mode (CFB)
∙ OFB, CFB, and stream ciphers
∙ Propagating Cipher-Block Chaining Mode (PCBC)
∙ Recovery from data corruption
∙ Other modes
18 Stream ciphers [lecture 06]
∙ Symmetric cryptosystem families
∙ Structure of stream cipher
∙ Key stream generator
∙ Security requirements for key stream generator
∙ Cryptographically strong pseudorandom sequence generators
∙ Ideas for improving stream ciphers
∙ Building key stream generators from block ciphers
∙ Stream ciphers from OFB and CFB block ciphers
∙ Extended OFB and CFB modes
∙ Some notation
∙ Extended OFB and CFB similarities
∙ Shift register rules
∙ Comparison of extended OFB and CFB modes
∙ Downside of extended OFB
∙ Possible solution
∙ Rotor machines
∙ How a rotor machine works
∙ Key stream generation
∙ Key stream generation (cont.)
∙ Changing the permutation
∙ History
∙ Steganography
20 Active adversaries [lecture 06]
∙ Active adversary
∙ Some active attacks
∙ Replay attacks
∙ Fake encrypted messages
∙ Message-altering attacks
∙ Encrypting random-looking strings
∙ Public-key cryptography
∙ Asymmetric cryptosystems
∙ Security requirement
∙ Man-in-the-middle attack against 2-key cryptosystem
∙ Passive attacks against a 2-key cryptosystem
∙ Facts about asymmetric cryptosystems
∙ Hybrid cryptosystems
∙ Overview of RSA
∙ RSA spaces
∙ Encoding bit strings by integers
∙ RSA key generation
∙ RSA encryption and decryption
∙ RSA questions
∙ Tools needed to answer RSA questions
23 Factoring Assumption [lecture 07]
∙ Factoring assumption
∙ How big is big enough?
24 Computing with Big Numbers [lecture 07]
∙ Algorithms for arithmetic on big numbers
∙ Big number libraries
∙ GMP
∙ Openssl crypto package
25 Fast Exponentiation Algorithms [lecture 07]
∙ Modular exponentiation
∙ Difficulty of modular exponentiation
∙ Controlling the size of intermediate results
∙ Efficient exponentiation
∙ Combining the mi for general e
∙ Towards greater efficiency
∙ A recursive exponentiation algorithm
∙ An iterative exponentiation algorithm
∙ Correctness
∙ A minor optimization
∙ Number theory overview
∙ Quotient and remainder
∙ mod for negative numbers
∙ Divides
∙ The mod relation
∙ Mod is an equivalence relation
he two-place07 ∙ Canonical names
27 Number Theory Needed for RSA [lecture 08]
∙ Number theory needed for RSA
∙ How these facts apply to RSA
28 Zn: The integers mod n [lecture 08]
∙ The mod relation
∙ Mod is an equivalence relation
he two-place08 ∙ Canonical names
∙ Mod is a congruence relation
∙ Greatest common divisor
∙ Computing the GCD
∙ Euclidean algorithm
∙ Euclidean identities
∙ Computing GCD without factoring
∙ Repeated subtraction
∙ Using division in place of repeated subtractions
∙ Full Euclidean algorithm
∙ Complexity of GCD
∙ Relatively prime numbers
∙ Euler’s totient function ϕ(n)
∙ Example: ϕ(26)
∙ A formula for ϕ(n)
29 Computing in Zn [lecture 08]
∙ Multiplication modulo n
∙ Example: Multiplication in Z*26
∙ Example: Inverses the elements in Z*26.
∙ Finding modular inverses
∙ Diophantine equations
∙ Existence of solution
∙ Extended Euclidean algorithm
∙ Finding all solutions
∙ Example of extended Euclidean algorithm
∙ Computing the triples
∙ Extracting the solution
30 Generating RSA Encryption and Decryption Exponents [lecture 08]
∙ Recall RSA exponent requirement
∙ Sampling from Z*n
∙ How large is large enough?
∙ A lower bound on ϕ(m)∕m
∙ Expected difficulty of choosing RSA exponent e
31 Euler’s Theorem [lecture 09]
∙ Repeated multiplication in Z*n
∙ Euler’s and Fermat’s theorem
∙ An important corollary
∙ Application to RSA
∙ Messages not in Z*n
∙ Why Alice might want to avoid sending messages not in Z*n
∙ Why a random message is likely to be in Z*n
∙ RSA works anyway
32 Generating RSA Modulus [lecture 09]
∙ Recall RSA modulus
∙ Generating random primes of a given length
∙ Expected number of trials to find a prime
∙ Prime number function
∙ Prime number theorem
∙ Likelihood of randomly finding a prime
33 Primality Tests [lecture 09]
∙ Algorithms for testing primality
∙ Tests for primality
∙ Probabilistic primality testing algorithm
∙ Trading off non-termination against possibility of failure
∙ Strong primality tests
∙ Weak tests
∙ Use of a weak test of compositeness
∙ Algorithm P3 using a weak test
∙ Meaning of output ?
∙ Finding a random prime
∙ Success probability for GenPrime(k)
∙ Boolean test of compositeness
∙ Meaning of a Boolean test of compositeness
∙ Useful tests
∙ Sample use of a useful test
∙ Application to RSA
∙ Finding weak tests of compositeness
∙ The division test δa(n)
∙ The Fermat test ζa(n)
∙ Carmichael numbers (Fermat pseudoprimes)
∙ Attacks on RSA
∙ RSA factoring problem
∙ ϕ(n) problem
∙ Decryption exponent problem
∙ Factoring n knowing e and d
∙ Square roots of 1 (mod n)
∙ Finding a square root of 1 (mod n)
∙ Using a non-trivial square root of unity to factor n
∙ Randomized factoring algorithm knowing d
∙ Notes on the algorithm
∙ Example
∙ A ciphertext-only attack against RSA
∙ Hardness of ciphertext-only attack
35 One-way and Trapdoor Permutations [lecture 10]
∙ One-way permutations
∙ Negligible functions
∙ One-way functions
∙ Fine points
∙ Trapdoor functions
∙ A more intuitive formulation of trapdoor function
∙ The RSA function
36 Discrete Logarithm [lecture 10]
∙ Logarithms modp
∙ Discrete log problem
37 Diffie-Hellman Key Exchange [lecture 10]
∙ Key exchange problem
∙ D-H key exchange overview
∙ D-H key exchange protocol
∙ Security of DH key exchange
38 ElGamal Key Agreement [lecture 10]
∙ A variant of DH key exchange
∙ Comparison with first DH protocol
∙ ElGamal cryptosystem
∙ Combining key exchange with underlying cryptosystem
∙ A hybrid ElGamal cryptosystem
∙ Randomized encryption
∙ Remarks about randomized encryption
39 Primitive Roots [lecture 10]
∙ Using the ElGamal cryptosystem
∙ Primitive root
∙ Number of primitive roots
∙ Primitive root example
∙ Lucas test
∙ Problems with the Lucas test
∙ Special form primes
∙ Density of special form primes
40 Message Integrity and Authenticity [lecture 11]
∙ Protecting messages
∙ Protecting integrity and authenticity
∙ Message authentication codes (MACs)
∙ Creating an authenticated message
∙ Verifying an authenticated message
∙ Cheating
∙ Computing a MAC
∙ Protecting both privacy and authenticity
∙ Another possible use of a MAC
∙ The problem
∙ Example of a flawed use of a MAC
∙ Asymmetric digital signatures
∙ Asymmetric digital signatures
∙ Fundamental property of a signature scheme
∙ What does a digital signature imply?
∙ Disavowal
∙ Practical usefulness of digital signatures
41 Digital Signature Algorithms [lecture 11]
∙ RSA digital signature scheme
∙ Commutative cryptosystems
∙ Signatures from non-commutative cryptosystems
∙ Interchanging public and private keys
∙ ElGamal signature scheme
∙ Why do ElGamal signatures work?
42 Security of Digital Signatures [lecture 11]
∙ Desired security properties of digital signatures
∙ Forging random RSA signed messages
∙ Importance of random signed messages
∙ Adding redundancy
∙ Security of signatures with fixed redundancy
∙ Forging signatures with fixed redundancy
∙ Signing message digests
∙ Forging signed message digests
∙ Solving for s′
∙ Solving for m′
∙ Other attempts
∙ More advantages of signing message digests
∙ Signed encrypted messages
∙ Weakness of encrypt-and-sign
∙ A forgery-resistant signature scheme with no privacy
∙ Encrypt or sign first?
43 Practical Signature Algorithms [lecture 12]
∙ Digital signature standard
∙ DSA key generation
∙ DSA signing and verification
∙ Why DSA works
∙ Double remaindering
∙ Example mod 29 mod 7
∙ Common hash function
∙ SHA-1
∙ SHA-1 broken
∙ MD5 overview
∙ MD5 padding
∙ MD5 chaining
∙ MD5 block function
∙ MD5 scrambling function
∙ Further remarks on MD5
44 Digital Signatures with Special Properties [lecture 12]
∙ Electronic voting
∙ Validating ballots
∙ Blind signatures
∙ RSA blind signatures
∙ Electronic cash
∙ Producing a digital coin
∙ Group signatures
∙ Properties of group signatures
∙ Properties of group signatures (cont.)
∙ Short signatures
∙ Applications of short signatures
∙ Aggregate signatures