**Cryptanalysis** is the science and sometimes art of breaking cryptosystems. You might think that code breaking is for the intelligence community or perhaps organized crime, and should not be included in a serious classification of a scientific discipline. However, most cryptanalysis is done by respectable researchers

in academia nowadays. Cryptanalysis is of central importance for modern cryptosystems: without people who try to break our crypto methods, we will never

know whether they are really secure or not. See Sect. 1.3 for more discussion about this issue.

**Symmetric Algorithms** are what many people assume cryptography is about:

two parties have an encryption and decryption method for which they share a secret key. All cryptography from ancient times until 1976 was exclusively based

on symmetric methods. Symmetric ciphers are still in widespread use, especially for data encryption and integrity check of messages.

**Asymmetric (or Public-Key)** Algorithms In 1976 an entirely different type of cipher was introduced by Whitfield Diffie, Martin Hellman and Ralph Merkle. In

public-key cryptography, a user possesses a secret key as in symmetric cryptography but also a public key. Asymmetric algorithms can be used for applications

such as digital signatures and key establishment, and also for classical data encryption.

**Cryptographic Protocol**s Roughly speaking, crypto protocols deal with the application

of cryptographic algorithms. Symmetric and asymmetric algorithms can be viewed as building blocks with which applications such as secure Internet communication can be realized. The Transport Layer Security (TLS) scheme, which is used in every Web browser, is an example of a cryptographic protocol.

Strictly speaking, **hash functions** form a third class of algorithms but at the same time they share some properties with symmetric ciphers.

In the majority of cryptographic applications in practical systems, symmetric and asymmetric algorithms (and often also hash functions) are all used together. This is sometimes referred to as **hybrid schemes**. The reason for using both families of algorithms is that each has specific strengths and weaknesses.

]]>

Classical cryptanalysis is understood as the science of recovering the plaintext x from the ciphertext y, or, alternatively, recovering the key k from the ciphertext y.

Cryptanalysis can be divided into analytical attacks, which exploit the internal structure of the encryption method, and brute-force attacks, which treat the encryption algorithm as a black box and test all possible keys.

Side-channel analysis can be used to obtain a secret key, for instance, by measuring the electrical power consumption of a processor which operates on the secret key. The power trace can then be used to recover the key by applying signal processing techniques. In addition to power consumption, electromagnetic radiation or the runtime behavior of algorithms can give information about the secret key and are, thus, useful side channels. Note also that implementation attacks are mostly relevant against cryptosystems to which an attacker has physical access, such as smart cards. In most Internet-based attacks against remote systems, implementation attacks are usually not a concern.

Bribing, blackmailing, tricking or classical espionage can be used to obtain a secret key by involving humans. For instance, forcing someone to reveal his/her secret key, e.g., by holding a gun to his/her head can be quite successful. Another, less violent, attack is to call people whom we want to attack on the phone, and say: “This is the IT department of your company. For important software updates we need your password”. It is always surprising how many people are naive enough to actually give out their passwords in such situations. This list of attacks against cryptographic system is certainly not exhaustive. For instance, buffer overflow attacks or malware can also reveal secret keys in software systems. You might think that many of these attacks, especially social engineering and implementation attacks, are “unfair,” but there is little fairness in real-world cryptography. If people want to break your IT system, they are already breaking the

rules and are, thus, unfair.

Solid cryptosystems should adhere to Kerckhoffs’ Principle, postulated by Auguste Kerckhoffs in 1883:

A cryptosystem should be secure even if the attacker (Oscar) knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms.

**Important Remark:** Kerckhoffs’ Principle is counterintuitive! It is extremely tempting to design a system which appears to be more secure because we keep the details hidden. This is called security by obscurity. However, experience and military history has shown time and again that such systems are almost always weak, and they are very often broken easily as soon as the secret design has been reverse-engineered or leaked out through other means. An example is the Content Scrambling System (CSS) for DVD content protection, which was broken easily once it was reverseengineered. This is why a cryptographic scheme must remain secure even if its description becomes available to an attacker.

1. The discussion of key lengths for symmetric crypto algorithms is only relevant if a brute-force attack is the best known attack. If there is an analytical attack that works, a large key space does not help at all. Of course, if there is the possibility of social engineering or implementation attacks, a long key also does not help.

2. The key lengths for symmetric and asymmetric algorithms are dramatically different.

For instance, an 80-bit symmetric key provides roughly the same security as a 1024-bit RSA (RSA is a popular asymmetric algorithm) key.

Table gives a rough indication of the security of symmetric ciphers with respect to brute-force attacks. Large key space is a necessary but not sufficient condition for a secure symmetric cipher. The cipher must also be strong against analytical attacks.

Foretelling the Future Of course, predicting the future tends to be tricky: We can’t really foresee new technical or theoretical developments with certainty. As you can imagine, it is very hard to know what kinds of computers will be available in the year 2030. For medium-term predictions, Moore’s Law is often assumed. Roughly speaking, Moore’s Law states that computing power doubles every 18 months while the costs stay constant. This has the following implications in cryptography: If today we need one month and computers worth $1,000,000 to break a cipher X, then the cost for breaking the cipher will be

- $500,000 in 18 months (since we onlyhave to buy half as many computers),
- $250,000 in 3 years,
- $125,000 in 4.5 years, and so on.

Let’s look at an example of a finite set of integers from everyday life:

Example 1.4. Consider the hours on a clock. If you keep adding one hour, you obtain:

1h,2h,3h, . . . ,11h,12h,1h,2h,3h, . . . ,11h,12h,1h,2h,3h, . . .

Even though we keep adding one hour, we never leave the set.

Let’s look at a general way of dealing with arithmetic in such finite sets.

Example 1.5. We consider the set of the nine numbers:

{0,1,2,3,4,5,6,7,8}

We can do regular arithmetic as long as the results are smaller than 9. For instance:

2×3 = 6

4+4 = 8

But what about 8+4? Now we try the following rule: Perform regular integer arithmetic

and divide the result by 9. We then consider only the remainder rather than

the original result. Since 8+4 = 12, and 12/9 has a remainder of 3, we write:

8+4 ≡3 mod 9

Definition Modulo Operation Let a, r,m ∈ Z (where Z is a set of all integers) and m > 0. We write a ≡ r mod m if m divides a−r. m is called the modulus and r is called the remainder.

It is always possible to write a ∈ Z, such that a = q ·m+r for 0 ≤ r < m Since a−r = q ·m (m divides a−r) we can now write: a ≡ r mod m. Note that

r ∈ {0,1,2, . . . ,m−1}.

Example

Let a = 42 and m = 9. Then 42 = 4 · 9+6 and therefore 42 ≡ 6 mod 9.

]]>It is somewhat surprising that for every given modulus m and number a, there are (infinitely) many valid remainders. Let’s look at another example:

We want to reduce 12 modulo 5. Here are several results which are correct according to the definition:

- 12 ≡2 mod 5, 2 is a valid remainder since 5/(12−2) or 5 x 2 + 2 = 12
- 12 ≡ 22 mod 5, 22 is a valid remainder since 5/(12−22) or 5 x (-2) + 22 = 12
- 12≡−3 mod 5, −3 is a valid remainder since 5/(12-(−3)) or 5 x 3 + (-3) = 12

There is a system behind this behavior. The set of numbers {. . . ,−8,−3,2,7,12,17,22, . . .} is called an** equivalence class**. There are 4 other equivalence classes for the modulus 5 and in total there are 5 because its modulus 5!

{. . . ,−9,−4,1,6,11,16,21, . . .} we can mark as A

{. . . ,−8,−3,2,7,12,17,22, . . .} we can mark as B

{. . . ,−7,−2,3,8,13,18,23, . . .} we can mark as C

{. . . ,−6,−1,4,9,14,19,24, . . .} we can mark as D

{. . . -10,−5,0,5,10,15,20, . . .} we can mark as E

The most important thing about equivalence class is that **all Members of a Given Equivalence Class Behave Equivalently!! **Here is example:

If I want to calculate 13 x 6 – 8 mod 5 I have to do it by calculator or at least think about it some time. Its 208-8 mod 5 and that is 0.

But because all members of a given equivalence class behave equivalently I can substitute the numbers with something that easy my calculations. I will now substitute the the numbers as we marked the classes:

C x A – C mod 5

Now I can put to the letter the easiest number from the equivalence classes as follows:

3 x 1 – 3 mod 5 = 0

I have same results with absolutely easy calculation.

Why is this important? Because the core operation of many practical public-key schemes is an exponentiation of the form X to E mod m, where x,e,m are very large integers, say, 2048 bits each. We want to compute 38 mod 7. The first method is the straightforward approach, and for the second one we switch between equivalent classes:

- 3 to 8 = 6561 ≡ 2 mod 7, since 6561 = 937 · 7+2 Note that we obtain the fairly large intermediate result 6561 even though we know that our final result cannot be larger than 6, because its mod 7, i.e. we have only 7 elements in finite set.
- Here is a much smarter method: First we perform two partial exponentiations:

3 to 8 = 3 to 4 · 3 to 4 = 81 · 81

We can now replace the intermediate results 81 by another member of the same equivalence class. The smallest positive member modulo 7 in the class is 4 (since 81 = 11 · 7+4). Hence: 38 = 81 · 81 ≡ 4 · 4 = 16 mod 7

From here we obtain the final result easily as 16 ≡ 2 mod 7. Note that we could perform the second method without a pocket calculator since the numbers never become larger than 81. For the first method, on the other hand, dividing 6561 by 7 is mentally already a bit challenging. As a general rule we should remember that it is almost always of computational advantage to apply the modulo reduction as soon as we can in order to keep the numbers small.

By agreement, we usually choose r such that:

0 ≤ r ≤ m−1.

However, mathematically it does not matter which member of an equivalent class we use.

**Let’s first look at an example for a small integer ring. Let m=9, i.e., we are dealing with the ring Z9 ={0,1,2,3,4,5,6,7,8}.**

** Let’s look at a few simple arithmetic operations:**

** 6+8 = 14 ≡5 mod 9**

** 6×8 = 48 ≡3 mod 9**

**More about rings and finite fields which are related to rings is discussed later. At this point, the following properties of rings are important:**

**Why inverse doesnt exists everytime? Lets have a ring {0,1,2,3,4,5,6,7,8,9}. m=9, a=2, a to -1 = ?**

**You would think that 2 x 2 to -1 = 1 mod 9 is right. But it is not!! because 2 to -1 is 0.5 and that is not in the ring!! You have to find different number from the ring and not always you are able to find one. So thats why inverse doesnt exist every time. This time you can put there number 5, i.e. 2 x 5 =1 mod 9. But what about**

**6 x ?=1 mod 9…**

**There is no inverse function for this number. This leads to some conclusion. In integer rings you can add, subtract and multiply. But you cannot always divide (or multiplicative inverse). So integer rings got 3 operators.**

This algorithm computes gcd or greatest common divider. This is very important in PKC (public key cryptography). So if somebody gives you two integers r0,r1, find gcd(r0,r1), i. e. the largest integer that divides both numbers.

Example r0=27, r1=21. How to solve this? lets do prime factorization

27 = 3x3x3 21 = 3x7 What is same? the number 3. so 3=gcd(27,21)

It has a one big issue. It doesnt work good with large numbers. It doesnt work in practice, because in practice cryptography we are using numbers so big that we cannot factorize them. So is there faster method available? Yes there is. Its the euclidean algorithm. In general EA is reduction algorithm. It tries to reduce the size of numbers to two smaller numbers and then reduce the numbers again till we can see gcd. Below is the algorithm, proof is in the book.

gcd(r0,r1) = gcd(r0 mod r1,r1); we assume that r0 > r1, and that both numbers are positive integersalsogcd(r0,r1) = gcd(r1, r0 mod r1)Example r0=27, r1=21 gcd(27,21) = gcd(27 mod 21,21) = gcd(6,21) gcd(21,6) = gcd(21mod6,6) = gcd(3,6) Note that we can swap the numbers in bracketslike we did with gcd(6,21) because we search for theirs common divider, so it doesnt matter what is first number but we need to have r0>r1 so we can compute the mod. gcd(6,3) = 3 Note when remainder is 0 we are done ;-)

Example: Given gcd(973, 301) do the calculation

973(r0) = 3(q1) x 301(r1) + 70(r2) 301(r1) = 4(q2) x 70(r2) + 21(r3) 70(r2) = 3(q3) x 21(r3) + 7(r4) 21(r3) = 3(q4) x 7(r4) + 0 gcd(973,301) = 7

Again given two integers r0, r1, find gcd(r0,r1). But now in addition we would like to compute s and t for gcd(r0,r1) = s x r0 + t x r1. The s and t are very useful.

The idea is to firstly compute regular EA algorithm and then do the form above with s and t numbers. And thats it. But how do the form with s and t? Lets see the previous example but with EEA applied

gcd(973,301) = s x 973 + t x 301 = 7 EA step 1 973(r0) = 3(q1) x 301(r1) + 70(r2); EEA form r2 = s x r0 + t x r1;70 = 1 x 973 + (-3) x 301 -----------------------------------------------------------------------------------------------------------EA step 2 301(r1) = 4(q2) x 70(r2) + 21(r3); EEA form r3 = s x r0 + t x r1; 21 = 1 x 301 - 4 x 70 = 301 - 4 x (973 - 3 x 301);21 = -4 x 973 + 13 x 301 -----------------------------------------------------------------------------------------------------------EA step 3 70(r2) = 3(q3) x 21(r3) + 7(r4); EEA r4 = s x r0 + t x r1; r4 = 70 - 3 x 21 = (973 - 3 x 301) - 3 x (-4 x 973 + 13 x 301);7 = 13 x 973 + (-42) x 301 -----------------------------------------------------------------------------------------------------------step 4 21(r3) = 3(q4) x 7(r4) + 0; we know that the 7 is the gcd! So why is cool that other patter? We can write that 7 also like this:7 = gcd(r0,r1) = r4 = 13 x 973 + (-42) x 301

In step 2 we expressed that 70 with equation one line above and then we altered the formula to original r0, r1 image. Why? Because we want to have it in form gcd(r0,r1) = s x r0 + t x r1 or gcd(973,301) = s x 973 + t x 301. We gonna do that on every step to have the origin form. We will just substitute the numbers.

But the milion dolar question is why we gave a fuck and did all this pain computations? **Main application of the EEA is to compute INVERSE of MOD n. **Lets take a look more on it:

a on -1 x a = 1 mod n gcd(n,a) = 1 = s x n + t x a = 1 /mod n (s x n / mod n = 0) t x a = 1 (that means that t is a on -1 !!!)The parameter t of the EEA is the inversion of r1 mod r0!!!!

Zm = {0,1,......., m-1} .... And you would like to know how many of these numbers are relativly prime to m. For reason you will understand later. Numbers are relatively prime if they their gcd = 1. gcd (0,m) = m gcd (1,m) = ? gcd (2,m) = ? ...

And you are just interested how many of these integers are relatively prime. You are not interested about what specific number but just how many.

]]>RSA algorithm has these steps:

- choose large primes p,q
- take these two primes and multiply them. n=p.q
- compute eulers phi function of (n)

]]>