SystemSecurity 02

Uploaded by yjc25339

System security

Part 2
Block ciphers: modes of operation
Using the same key several times weakens the system.
Block ciphers can be used in several ways. Primary goal is retaining or
even enhancing confidentiality.
FIPS 81 (December 1980): DES modes of operation – only objective is
confidentiality: ECB, CBC, CFB, OFB
NIST SP 800-38A (2001)
Recommendation for Block Cipher Modes of Operation: Methods and
Techniques
General description, not only for DES; + CTR (Counter)
Recommendation of the usage with block ciphers deemed to be
secure by FIPS (Federal Information Processing Standard)
Block ciphers: modes of operation
Other recommendations: not only confidentiality but other
objectives also play a role (authentication, integrity, …):
e.g. CBC-MAC, HMAC, CMAC, GMAC, GCM
(MAC: Message Authentication Code)
Encryption on storage devices: e.g. XTS-AES (NIST SP 800-38E, 2010)
Some modes of operation are not listed as recommended:
CTS (Ciphertext Stealing)
At early stages: separate algorithms for encryption and authentication
→ they may weaken each other
Block ciphers: modes of operation
The original message is split into blocks of equal length:
$m = m_1 \ldots m_t\, r$
For instance, if the block size is 64, then
$l(m_1) = \cdots = l(m_t) = 64$ and $l(r) < 64$.
Usually the last block is not full size, so some extension is necessary:
$m_{t+1} = r\, u$,
with some $u$: padding
Block ciphers: modes of operation
Possible paddings:
‒ $u = 0 \ldots 0$: the original size must be known.
‒ $u = 1 0 \ldots 0$: if $l(r) = l(m_1)$, then it adds a full block.
‒ $u = n \ldots n$, i.e. if the size of the padding is $n$ bytes then the value of the
extension bytes is also $n$.
example: $n = 3$: $u = 00000011\ 00000011\ 00000011$

Some of the modes do not require padding: e.g. CFB, OFB, CTR.
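The three padding schemes of the slide as pad/unpad pairs over byte strings, as an added example that is not part of the lecture slides. The function names and the byte-level encoding of the $10\ldots0$ scheme (a 0x80 byte followed by zero bytes) are this example's own choices; the block size is given in bytes.

```python
# Added example (not from the lecture slides): the slide's three paddings as pad/unpad pairs.
# bs = block size in bytes.

def pad_zero(msg: bytes, bs: int) -> bytes:
    """u = 0...0: ambiguous on its own, unpadding needs the original length."""
    return msg + b"\x00" * (-len(msg) % bs)


def unpad_zero(padded: bytes, original_len: int) -> bytes:
    return padded[:original_len]


def pad_one_zero(msg: bytes, bs: int) -> bytes:
    """u = 1 0...0 (here a 0x80 byte, then 0x00 bytes).
    Always adds at least one byte, so a full last block gets a whole new block."""
    return msg + b"\x80" + b"\x00" * (-(len(msg) + 1) % bs)


def unpad_one_zero(padded: bytes) -> bytes:
    # strip trailing zero bytes, then require the single 0x80 marker
    i = len(padded) - 1
    while i >= 0 and padded[i] == 0:
        i -= 1
    if i < 0 or padded[i] != 0x80:
        raise ValueError("invalid 10...0 padding")
    return padded[:i]


def pad_count(msg: bytes, bs: int) -> bytes:
    """u = n n ... n: n bytes, each holding the value n (the slide's third scheme).
    A full last block gets a whole block of value bs."""
    n = bs - len(msg) % bs
    return msg + bytes([n]) * n


def unpad_count(padded: bytes, bs: int) -> bytes:
    # every byte of the padding is checked, not only the last one
    if not padded or len(padded) % bs:
        raise ValueError("invalid length")
    n = padded[-1]
    if not 1 <= n <= bs or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid count padding")
    return padded[:-n]


if __name__ == "__main__":
    print(pad_count(b"abcde", 8))       # the slide's n = 3 case: three 0x03 bytes
    print(pad_one_zero(b"12345678", 8))  # full last block: a whole extra block is added
```

The count scheme is the only one of the three that can be unpadded without extra information and still be validated; the zero scheme needs the length transmitted separately, which is why the slide notes that the original size must be known.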
Block ciphers: modes of operation
Some of the modes require an Initialization Vector (IV)
It adds some randomness.
It must not repeat as long as the key does not change.
Formerly: the last ciphertext block of the previous encryption – not secure
(chosen plaintext attack)
e.g. SSL 2.0
Electronic Code Book (ECB)
The simplest mode of operation, the basic one.
Encryption:
$c_i = Enc(k, m_i)$, if $i = 1, \ldots, t+1$
padding necessary
Decryption:
$m_i = Dec(k, c_i)$, if $i = 1, \ldots, t+1$

(Figure: ECB block diagram – $m_i \to Enc \to c_i \to Dec \to m_i$ under key $k$; the ⊠ marks where an attacker E may modify $c_i$ in transit.)
Electronic Code Book (ECB)
Ideal for encrypting a small amount of data.
Relatively fast.
As long as the key does not change:
same plaintext → same ciphertext.
Good error tolerance: if a block is changed, only the corresponding
decryption is affected ($c_i \to m_i$)
Integrity not verifiable.
Cipher Block Chaining (CBC)
The ciphertext is used to modify the plaintext.
Initialization Vector is necessary: $IV$, known to A and B (not to the attacker)
(sent e.g. with ECB)
Encryption:
$c_1 = Enc(k, m_1 \oplus IV)$
$c_i = Enc(k, m_i \oplus c_{i-1})$, if $i = 2, \ldots, t+1$
padding is necessary
Decryption:
$m_1 = Dec(k, c_1) \oplus IV$
$m_i = Dec(k, c_i) \oplus c_{i-1}$, if $i = 2, \ldots, t+1$
Cipher Block Chaining (CBC)
(Figure: CBC block diagram – $m_i \oplus c_{i-1}$ (or $\oplus IV$ for $i = 1$) $\to Enc \to c_i$, and $Dec(k, c_i) \oplus c_{i-1} \to m_i$; the ⊠ marks where an attacker E may modify $c_i$ in transit.)
Cipher Block Chaining (CBC)
Relatively fast.
As long as the key does not change:
same plaintext → different ciphertext.
Relatively good error tolerance: if a block is changed, only the next
two decryptions are affected ($c_i \to m_i, m_{i+1}$)
Integrity not verifiable.
The IV must be protected. If an attacker can modify B's IV, then he can
modify the first decrypted plaintext block (bit by bit).
With proper modifications it can be used for authentication.
Cipher Feedback (CFB)
The ciphertext is fed back; it modifies the key stream.
Initialization Vector is necessary: $IV$, known to A and B (not to the attacker)
(sent e.g. with ECB)
The block size of the plain (and cipher) text is changed:
$l(m_i) = l(c_i) = s$, where $s < n$
($n$ is the block size of the encryption)
often: $s = 8$.
Similar to a stream cipher, includes a key generator, but the key
sequence depends on the plaintext as well.
Cipher Feedback (CFB)
State vector: // LSB: least significant bits
$v_1 = IV$
$v_i = LSB(n - s, v_{i-1}) \,\|\, c_{i-1}$
Key generation: // MSB: most significant bits
$k_i = MSB(s, Enc(k, v_i))$, if $i = 1, \ldots, t+1$

Encryption:
$c_i = m_i \oplus k_i$, if $i = 1, \ldots, t+1$
padding is not necessary
Decryption:
$m_i = c_i \oplus k_i$, if $i = 1, \ldots, t+1$
Cipher Feedback (CFB)
(Figure: CFB block diagram – $v_1 = IV$, $v_i = LSB(n-s, v_{i-1}) \| c_{i-1}$, $k_i = MSB(s, Enc(k, v_i))$, $c_i = m_i \oplus k_i$ and $m_i = c_i \oplus k_i$ on the two sides; the ⊠ marks where an attacker E may modify $c_i$ in transit.)
Cipher Feedback (CFB)
Somewhat slower, $s$ bits per block (speed is $s/n$ compared to ECB).
As long as the key does not change:
same plaintext → different ciphertext.
Encryption and decryption: both use the encryption function.
Weaker error tolerance: if a block is changed, the next $\lceil n/s \rceil$
decryptions are affected ($c_i \to m_i, \ldots, m_{i + \lceil n/s \rceil - 1}$)
Integrity not verifiable.
Output Feedback (OFB)
The key stream is fed back.
Initialization Vector is necessary: $IV$, known to A and B (not to the attacker)
(sent e.g. with ECB)
Similar to CFB, but the output of the encryption function (not the ciphertext) is fed back.

Practically a stream cipher, includes a key generator; the sequence of
keys is independent of the plaintext.
Output Feedback (OFB)
$k_1 = IV$
$k_i = Enc(k, k_{i-1})$, if $i = 2, \ldots, t+1$

Encryption:
$c_i = m_i \oplus k_i$, if $i = 1, \ldots, t+1$
padding is not necessary
Decryption:
$m_i = c_i \oplus k_i$, if $i = 1, \ldots, t+1$
Output Feedback (OFB)
(Figure: OFB block diagram – $IV \to Enc \to k_i$, then $k_{i-1} \to Enc \to k_i$; $c_i = m_i \oplus k_i$ and $m_i = c_i \oplus k_i$ on the two sides; the ⊠ marks where an attacker E may modify $c_i$ in transit.)
Output Feedback (OFB)
Relatively fast.
As long as the key does not change:
same plaintext → different ciphertext.
Encryption and decryption: both use the encryption function.
Good error tolerance: if a block is changed, only the corresponding
decryption is affected ($c_i \to m_i$)
Integrity not verifiable.
An attacker can modify the plaintext bitwise, even a CRC.
Counter (CTR)
The key sequence is generated from the value of a counter, not
recursively.
The counter usually increases by 1 from a previously exchanged initial
value:
$T_1$ chosen, $T_{i+1} = (T_i + 1) \bmod 2^n$, where $n$ is the block size.
Advantage: the separate blocks can be encrypted independently.
Counter (CTR)
$k_i = Enc(k, T_i)$, if $i = 1, \ldots, t+1$

Encryption:
$c_i = m_i \oplus k_i$, if $i = 1, \ldots, t+1$
padding is not necessary
Decryption:
$m_i = c_i \oplus k_i$, if $i = 1, \ldots, t+1$
Counter (CTR)
(Figure: CTR block diagram – $T_i \to Enc \to k_i$ on both sides; $c_i = m_i \oplus k_i$ and $m_i = c_i \oplus k_i$; the ⊠ marks where an attacker E may modify $c_i$ in transit.)
Counter (CTR)
Relatively fast.
As long as the key does not change:
same plaintext → different ciphertext.
Encryption and decryption: both use the encryption function.
Good error tolerance: if a block is changed, only the corresponding
decryption is affected ($c_i \to m_i$)
Integrity not verifiable.
An attacker can modify the plaintext bitwise, even a CRC.
Blocks are independent, the order of encryption is arbitrary (even
parallel) (as with ECB).
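The five modes written out over one block cipher, together with a measurement of the error-propagation claims made on the slides above, as an added example that is not part of the lecture slides. The block cipher is a constructed 64-bit toy Feistel permutation standing in for $Enc$/$Dec$ (not secure, only invertible); the function names, the key and the sample message are this example's own. It follows NIST SP 800-38A in one detail where the slide is looser: the first OFB key block is $Enc(k, IV)$, so the IV itself is never XORed into the plaintext. `affected_units` flips one bit of one ciphertext unit and reports which plaintext units no longer decrypt correctly, which is exactly what the "error tolerance" lines describe.

```python
import hashlib

BLOCK = 8  # toy block size in bytes (n = 64 bits)

def _round(key, rnd, half):
    # Round function of the toy Feistel cipher: 32 bits derived from SHA-256 (constructed, not secure).
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def enc_block(key, block):
    """Enc(k, block): 8-round Feistel permutation of one 64-bit block."""
    v = int.from_bytes(block, "big")
    left, right = v >> 32, v & 0xFFFFFFFF
    for rnd in range(8):
        left, right = right, left ^ _round(key, rnd, right)
    return ((left << 32) | right).to_bytes(BLOCK, "big")

def dec_block(key, block):
    """Dec(k, block): the rounds of enc_block undone in reverse order."""
    v = int.from_bytes(block, "big")
    left, right = v >> 32, v & 0xFFFFFFFF
    for rnd in reversed(range(8)):
        left, right = right ^ _round(key, rnd, left), left
    return ((left << 32) | right).to_bytes(BLOCK, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB: c_i = Enc(k, m_i). The message must already be padded to a multiple of BLOCK.
def ecb_encrypt(key, msg):
    return b"".join(enc_block(key, m) for m in blocks(msg))

def ecb_decrypt(key, ct):
    return b"".join(dec_block(key, c) for c in blocks(ct))

# CBC: c_1 = Enc(k, m_1 xor IV), c_i = Enc(k, m_i xor c_{i-1}); padded input as well.
def cbc_encrypt(key, iv, msg):
    out, prev = [], iv
    for m in blocks(msg):
        prev = enc_block(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(dec_block(key, c), prev))
        prev = c
    return b"".join(out)

# CFB with s-byte segments: v_1 = IV, k_i = MSB(s, Enc(k, v_i)), c_i = m_i xor k_i,
# v_{i+1} = LSB(n-s, v_i) || c_i. No padding needed.
def cfb_encrypt(key, iv, msg, s=BLOCK):
    out, v = [], iv
    for i in range(0, len(msg), s):
        c = xor(msg[i:i + s], enc_block(key, v)[:s])
        out.append(c)
        v = v[s:] + c
    return b"".join(out)

def cfb_decrypt(key, iv, ct, s=BLOCK):
    out, v = [], iv
    for i in range(0, len(ct), s):
        out.append(xor(ct[i:i + s], enc_block(key, v)[:s]))
        v = v[s:] + ct[i:i + s]
    return b"".join(out)

# OFB: k_i = Enc(k, k_{i-1}), starting from the IV (SP 800-38A: the IV itself is not a key block).
def ofb_keystream(key, iv, nbytes):
    out, k = b"", iv
    while len(out) < nbytes:
        k = enc_block(key, k)
        out += k
    return out[:nbytes]

# CTR: k_i = Enc(k, T_i), T_{i+1} = (T_i + 1) mod 2^n.
def ctr_keystream(key, t1, nbytes):
    out = b""
    for i in range((nbytes + BLOCK - 1) // BLOCK):
        out += enc_block(key, ((t1 + i) % 2 ** 64).to_bytes(BLOCK, "big"))
    return out[:nbytes]

def stream_apply(keystream, data):
    """c_i = m_i xor k_i; the same call decrypts (OFB and CTR)."""
    return xor(data, keystream)

def affected_units(encrypt, decrypt, msg, unit, damaged=1):
    """Flip one bit in ciphertext unit `damaged`; return the plaintext units that no longer decrypt correctly."""
    ct = bytearray(encrypt(msg))
    ct[damaged * unit] ^= 0x01
    pt = decrypt(bytes(ct))
    return [i for i in range(len(msg) // unit)
            if pt[i * unit:(i + 1) * unit] != msg[i * unit:(i + 1) * unit]]

if __name__ == "__main__":
    key, iv, msg = b"constructed-key", bytes(range(8)), bytes(range(40))   # constructed sample input
    print("CBC damaged blocks:", affected_units(lambda m: cbc_encrypt(key, iv, m),
                                                lambda c: cbc_decrypt(key, iv, c), msg, BLOCK))
```

With full-block CFB ($s = n$) the damaged ciphertext block is the whole next state vector, so the block itself and the one after it decrypt wrongly, the same pattern as CBC; with $s < n$ the damaged segment stays in the shift register for $\lceil n/s \rceil$ further segments. For ECB, OFB and CTR only the damaged unit changes, and for the two stream-like modes the flipped ciphertext bit lands on the same plaintext bit, which is the bitwise malleability the slides warn about and the reason a MAC is needed on top of any of these modes.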
Discrete Logarithm Problem (DLP)
Let $(G, \cdot)$ be an Abelian group (e.g. integers mod $m$ with multiplication),
$g$ a generator (primitive element).
Problem: given $a \in G$, find $x$ s.t.
$a = g^x$,
i.e. $a = g \cdot \ldots \cdot g$ (multiplication repeated $x$ times).
It is called the discrete logarithm problem (DLP).
In general it is hard to solve (in particular, if the group is large and
complex).
Discrete Logarithm Problem (DLP)
Ex. Let $p = 997$ (prime), $g = 7$ (primitive element), $a = 100$
$x = ?$
No method much better than trial is known.
Baby-Step-Giant-Step (→ Meet In The Middle):
Let $h = g^{-1}$
$a_0 = a,\ a_1 = g^{-1} a = h a,\ a_2 = h^2 a,\ \ldots,\ a_{31} = h^{31} a$
$b = g^{32}$ and $b_1 = b,\ b_2 = b^2,\ \ldots,\ b_{32} = b^{32}$
Discrete Logarithm Problem (DLP)
$b = 7^{32} \equiv 940 \pmod{997}$
$b_i$ ($i = 1, \ldots, 32$) =
940, 258, 249, 762, 434, 187, 308, 390, 701, 920, 401, 74, 767, 149,
480, 556, 212, 877, 858, 944, 30, 284, 761, 491, 926, 59, 625, 267,
733, 93, 681, 66
$h = 7^{-1} \equiv 285 \pmod{997}$
$a_i$ ($i = 0, \ldots, 31$) =
100, 584, 938, 134, 304, 898, 698, 527, 645, 377, 766, 964, 565, 508,
215, 458, 920, 986, 853, 834, 404, 485, 639, 661, 949, 278, 467, 494,
213, 885, 981, 425
$b_{10} = 920 = a_{16}$, so $7^{10 \cdot 32 + 16} = 7^{336} \equiv 100 \pmod{997}$
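The baby-step giant-step search above as a general routine, as an added example that is not part of the lecture slides. It uses the slide's arrangement (baby steps $a_j = a \cdot h^j$, giant steps $b_i = g^{m i}$, a match giving $x = i m + j$) but generalises it to any prime modulus by choosing $m = \lfloor\sqrt{p-1}\rfloor + 1$, which is 32 for $p = 997$; the function name is this example's own.

```python
import math

def bsgs(g: int, a: int, p: int):
    """Baby-step giant-step: smallest x with g^x = a (mod p), p prime. Returns None if no x < m*(m+1).
    Cost is O(sqrt(p)) time and memory instead of the O(p) of trial exponentiation."""
    m = math.isqrt(p - 1) + 1              # m >= ceil(sqrt(p-1)); 32 for p = 997
    h = pow(g, -1, p)                      # h = g^{-1} (Python 3.8+)
    baby = {}                              # a_j = a * h^j  ->  j
    aj = a % p
    for j in range(m):
        baby.setdefault(aj, j)             # keep the smallest j for each value
        aj = aj * h % p
    b = pow(g, m, p)                       # b = g^m
    bi = 1                                 # b_i = g^{m i}, starting at i = 0 so that x < m is found too
    for i in range(m + 1):
        if bi in baby:                     # g^{m i} = a * g^{-j}  =>  a = g^{m i + j}
            return i * m + baby[bi]
        bi = bi * b % p
    return None

if __name__ == "__main__":
    x = bsgs(7, 100, 997)
    print(x, pow(7, x, 997))               # the slide's instance: x = 336, 7^336 = 100 (mod 997)
```

The slide starts the giant steps at $b_1 = g^{32}$, which misses solutions $x < 32$; starting the loop at $i = 0$ (so $b_0 = 1$) closes that gap at the cost of one extra lookup.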
Discrete Logarithm Problem (DLP)
Related problems:
Diffie-Hellman problem (and variants) (CDH – computational
DH problem):
given $a = g^x$ and $b = g^y$, determine $c = g^{x \cdot y}$.
Diffie-Hellman decision problem (DDH):
given $a = g^x$, $b = g^y$ and $c = g^z$, decide whether
$c = g^{x \cdot y}$ holds.
If one can solve DLP, then one can solve CDH and DDH as well.
Conjecture: DLP, CDH and DDH have the same difficulty, i.e. if one of the
three is solvable, then the other two are also solvable.
Key exchange (KE)
Problem:
$A$ and $B$ want to agree on a common key for a symmetric CS.
Key exchange (KE)
Diffie-Hellman key exchange protocol (DH Key Exchange – DHKE,
1976):
Based on the difficulty of DLP.
$(G, \cdot)$ is an Abelian group, $g$ is a generator, order $r = |G|$ (i.e. $g^r = 1$).
A: chooses a random number $1 < x < r$, computes $a = g^x$.
B: chooses a random number $1 < y < r$, computes $b = g^y$.
They send $a$ and $b$ to each other.
A: computes $k = b^x = g^{y \cdot x}$.
B: computes $k = a^y = g^{x \cdot y}$.
Common key: $k$.
Key exchange (KE)
Ex. $m = 19$, $g = 2$
A: $x = 3$, $a = 2^3 \equiv 8 \pmod{19}$
B: $y = 5$, $b = 2^5 \equiv 13 \pmod{19}$
A: $k = b^3 \equiv 13^3 \equiv 12 \pmod{19}$
B: $k = a^5 \equiv 8^5 \equiv 12 \pmod{19}$
Key exchange (KE)
Man-In-The-Middle attack (MITM):
C accesses the communication channel and can block a message (it doesn't
reach the recipient).
A: chooses a random number $x$, computes $a = g^x$.
C: chooses a random number $z$, computes $c = g^z$.
B: chooses a random number $y$, computes $b = g^y$.
A and B send $a$ and $b$ to each other.
C: catches the messages and sends $c$ instead.
A: computes $k_1 = c^x = g^{z \cdot x}$.
B: computes $k_2 = c^y = g^{z \cdot y}$.
C: computes $k_1 = a^z = g^{x \cdot z}$ and $k_2 = b^z = g^{y \cdot z}$.
Key exchange (KE)
C catches all messages during the communication, decrypts each one and
re-encrypts it with its own key shared with the other party, then sends it on to the recipient.
(A and B can't recognize that the message has been captured.)
Solution: authentication, digital signature (later).
Key exchange (KE)
Other methods: public key (asymmetric) CS. (later)
Asymmetric cryptosystems, ElGamal
T. Elgamal (1984)
Based on the hardness of DLP.
$(G, \cdot)$ Abelian group, $g$ primitive element, order $r = |G|$.
A: generates a public-secret key pair.
1. Chooses a random $1 < x_A < r$.
2. Computes $y_A = g^{x_A}$.
3. Publishes (sends to B) the public key: $PK = (G, g, y_A)$
4. Secret key: $SK = x_A$
Asymmetric cryptosystems, ElGamal
Knowing the public key anyone (e.g. B) can send encrypted messages to A.
Encryption (B):
1. Plaintext: $0 \le m < r$ (if longer, split into blocks)
2. Chooses a random $1 < k < r$
3. Computes $K = y_A^k$.
4. Encryption: $c_1 = g^k$, $c_2 = K \cdot m$; ciphertext: $(c_1, c_2)$
Decryption (A):
1. Determines $c_1^{x_A} = (g^k)^{x_A} = g^{x_A k} = y_A^k = K$
2. Computes $m = c_2 \cdot K^{-1}$
Asymmetric cryptosystems, ElGamal
Ex. Let $G = \mathbb{Z}_{19}$ (integers mod 19) and $g = 2$.
A: chooses $x_A = 5$ (random)
A: computes $y_A \equiv 2^5 \equiv 13 \pmod{19}$
Secret key: 5   Public key: $(19, 2, 13)$
B: plaintext $m = 9$
B: chooses $k = 7$
B: computes $K \equiv 13^7 \equiv 10 \pmod{19}$
$c_1 \equiv 2^7 \equiv 14 \pmod{19}$, $c_2 \equiv 10 \cdot 9 \equiv 14 \pmod{19}$
Ciphertext: $(14, 14)$
A: computes $K \equiv 14^5 \equiv 10 \pmod{19}$, $K^{-1} \equiv 2 \pmod{19}$ and
$m \equiv 2 \cdot 14 \equiv 9 \pmod{19}$
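Diffie-Hellman, the man-in-the-middle situation from the key-exchange slides and ElGamal encryption, all over the integers mod $p$, as an added example that is not part of the lecture slides. The function names are this example's own; the slide's parameters ($p = 19$, $g = 2$) reproduce the worked numbers above. `dh_mitm` only computes what each party ends up holding, which is what makes the point: A and B hold different keys, each one shared with C, and nothing in the exchange lets them notice.

```python
def dh_public(p: int, g: int, secret: int) -> int:
    """a = g^x (or b = g^y) in the group of integers mod p."""
    return pow(g, secret, p)

def dh_shared(p: int, peer_public: int, secret: int) -> int:
    """k = b^x = a^y = g^{xy}."""
    return pow(peer_public, secret, p)

def dh_mitm(p: int, g: int, x: int, y: int, z: int) -> dict:
    """The slide's MITM: C substitutes c = g^z for both a and b.
    Returns the key each party computes; A's equals C's key towards A, B's equals C's key towards B."""
    a, b, c = pow(g, x, p), pow(g, y, p), pow(g, z, p)
    return {
        "A": pow(c, x, p),          # k_1 as A computes it (believing it is shared with B)
        "B": pow(c, y, p),          # k_2 as B computes it (believing it is shared with A)
        "C_with_A": pow(a, z, p),   # k_1 as C computes it
        "C_with_B": pow(b, z, p),   # k_2 as C computes it
    }

def elgamal_keygen(p: int, g: int, x_a: int):
    """PK = (p, g, y_A = g^{x_A}), SK = x_A."""
    return (p, g, pow(g, x_a, p)), x_a

def elgamal_encrypt(pk, m: int, k: int):
    """c_1 = g^k, c_2 = K * m with K = y_A^k; k must be fresh and random for every message."""
    p, g, y_a = pk
    if not 0 < m < p:
        raise ValueError("plaintext must be in 1..p-1")
    K = pow(y_a, k, p)
    return pow(g, k, p), K * m % p

def elgamal_decrypt(pk, sk: int, ct):
    """K = c_1^{x_A}, m = c_2 * K^{-1}."""
    p, _, _ = pk
    c1, c2 = ct
    K = pow(c1, sk, p)
    return c2 * pow(K, -1, p) % p

if __name__ == "__main__":
    print(dh_shared(19, dh_public(19, 2, 5), 3), dh_shared(19, dh_public(19, 2, 3), 5))  # 12 12
    pk, sk = elgamal_keygen(19, 2, 5)
    print(elgamal_encrypt(pk, 9, 7), elgamal_decrypt(pk, sk, elgamal_encrypt(pk, 9, 7)))  # (14, 14) 9
```

The ElGamal randomiser $k$ plays the same role as a one-time DH secret: reusing it across two messages hands out $c_2 / c_2'$ = $m / m'$, so an implementation must draw it fresh from a cryptographic RNG for every encryption.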
Asymmetric cryptosystems, RSA
Rivest, Shamir, Adleman (1976)
Based on the difficulty of prime decomposition.
Let $p$ and $q$ be (large) primes, $n = p \cdot q$, $\varphi(n) = (p-1)(q-1)$.
Choose $e, d$ s.t. $e \cdot d \equiv 1 \pmod{\varphi(n)}$ ($e \cdot d = t \cdot \varphi(n) + 1$, with
some $t$.)
Public key:
$PK = (n, e)$
Secret key:
$SK = (p, q, \varphi(n), d)$
Asymmetric cryptosystems, RSA
Encryption:
Plaintext: $m$
Ciphertext: $c \equiv m^e \pmod n$
Decryption:
$c^d \equiv (m^e)^d \equiv m^{e \cdot d} \equiv m^{t \cdot \varphi(n) + 1} \equiv (m^{\varphi(n)})^t \cdot m \equiv m \pmod n$
Asymmetric cryptosystems, RSA
Knowing any value from $SK$ is enough to break the system
(decryption).
If either $p$ or $q$ is known, all other parameters can be computed.
If $d$ is known, then we can decrypt anything without knowing the rest
of the secret key.
If $\varphi(n)$ is known:
$n = p \cdot q \Rightarrow p = n / q$
$\varphi(n) = (p-1)(q-1) = p \cdot q - p - q + 1 = n - n/q - q + 1$
Multiplying by $q$: $q \cdot \varphi(n) = n \cdot q - n - q^2 + q$
Quadratic equation in $q$, easy to solve:
$q^2 - (n - \varphi(n) + 1) \cdot q + n = 0$
Asymmetric cryptosystems, RSA
Condition on the primes:
If $p < q$ and $q - p$ is small, let
$a = \dfrac{q+p}{2}$ and $b = \dfrac{q-p}{2}$.
Then $p = a - b$, $q = a + b$ and $n = (a-b)(a+b) = a^2 - b^2$.
1. Compute $a = \lceil \sqrt{n} \rceil$ (fast, e.g. Newton iteration)
2. Test whether $a^2 - n$ is a square.
If yes, we have $b = \sqrt{a^2 - n}$.
Otherwise $a = a + 1$ and continue with 2.
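RSA key setup, encryption and decryption, followed by the two recovery procedures of the last slides (factoring $n$ from $\varphi(n)$ via the quadratic, and Fermat's method for primes that lie close together), as an added example that is not part of the lecture slides. Function names and the toy primes are this example's own; `fermat_factor` also returns how many values of $a$ it had to try, which is the quantity a key-generation check cares about.

```python
import math

def rsa_keygen(p: int, q: int, e: int):
    """PK = (n, e), SK = (p, q, phi(n), d) with e * d = 1 (mod phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(n)")
    return (n, e), (p, q, phi, pow(e, -1, phi))

def rsa_encrypt(pk, m: int) -> int:
    n, e = pk
    return pow(m, e, n)                      # c = m^e mod n

def rsa_decrypt(sk, c: int) -> int:
    p, q, _, d = sk
    return pow(c, d, p * q)                  # m = c^d mod n

def factor_from_phi(n: int, phi: int):
    """Recover (p, q) from n and phi(n) by solving q^2 - (n - phi + 1) q + n = 0."""
    s = n - phi + 1                          # = p + q
    disc = s * s - 4 * n                     # = (p + q)^2 - 4pq = (q - p)^2
    r = math.isqrt(disc)
    if r * r != disc:
        raise ValueError("not a valid (n, phi(n)) pair")
    return (s - r) // 2, (s + r) // 2

def fermat_factor(n: int, max_steps: int = 100000):
    """Fermat's method: a = ceil(sqrt(n)); while a^2 - n is not a square, a += 1.
    Returns (p, q, steps); succeeds in few steps exactly when q - p is small."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1                               # a = ceil(sqrt(n))
    for steps in range(1, max_steps + 1):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:                      # n = a^2 - b^2 = (a - b)(a + b)
            return a - b, a + b, steps
        a += 1
    raise ValueError("no close factors found within max_steps")

if __name__ == "__main__":
    pk, sk = rsa_keygen(61, 53, 17)          # constructed toy key, n = 3233
    c = rsa_encrypt(pk, 65)
    print(c, rsa_decrypt(sk, c))             # 2790 65
    print(factor_from_phi(3233, 3120))       # (53, 61)
    print(fermat_factor(3233))               # (53, 61, 1): 53 and 61 are far too close
```

A key generator should reject a candidate pair when `fermat_factor` succeeds within a small step budget; with primes of the same bit length chosen independently at random the gap is large and the loop runs for an infeasible number of steps, which is what the `max_steps` limit expresses.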
Hash functions
Definition
Let $n \in \mathbb{N} \setminus \{0\}$. Then $H: \{0,1\}^* \to \{0,1\}^n$ is called a hash function.
Remark
A hash function $H$ maps an input word of arbitrary length to a word of
fixed length.
A hash function $H$ computes a kind of digest of the original word.
Hash functions
Cryptographic hash function
1. A hash function which maps a suitably large set of input texts
uniformly into $\{0,1\}^n$ (random-like).
2. Efficiently computable.
3. One way: given $h \in \{0,1\}^n$, it is hard to determine an $x \in \{0,1\}^*$ s.t.
$H(x) = h$. (preimage resistance)
4. Weak collision resistance: given $x \in \{0,1\}^*$, it is hard to determine a
$y \in \{0,1\}^*$ s.t. $y \ne x$ and $H(x) = H(y)$.
(second preimage resistance)
5. (Strong) collision resistance: it is hard to determine a pair $x, y \in \{0,1\}^*$
s.t. $y \ne x$ and $H(x) = H(y)$.
Hash functions
Cryptographic hash function
CR ⇒ SPR
PR is independent
CR: $n$ should be suitably large against a birthday (paradox) attack
(at present: at least 160 bits)
Hash functions
Merkle-Damgård construction (1979)
Compression function: $f: \{0,1\}^{2n} \to \{0,1\}^n$
Message: $m = m_1 m_2 \ldots m_t$, $l(m_1) = \cdots = l(m_{t-1}) = n \ge l(m_t)$.
If $n > l(m_t)$, then we extend $m_t$ to the proper length (padding).
Initial value: $h_0 \in \{0,1\}^n$
Further: $h_i = f(m_i \,\|\, h_{i-1})$, if $i = 1, \ldots, t$.
Output: $H(m) = h_t$.
Hash functions
Theorem (Merkle-Damgård)
If $f$ is collision resistant and the padding is chosen carefully, then the above
defined $H$ is collision resistant as well.
Remark
A proper padding is, for example, of the form
$m'_t = m_t\, 1 0 \ldots 0$ and $m_{t+1} = 0 \ldots 0\, l(m)$.
Proof
Proof by contradiction:
Assume that it is easy to find a pair $M_1 \ne M_2$ s.t. $H(M_1) = H(M_2)$.
Hash functions
Assume $M'_1 = m^1_1 \ldots m^1_t$ and $M'_2 = m^2_1 \ldots m^2_s$ are the padded messages.
Let $i$ be the smallest index s.t. $m^1_{t-i} \ne m^2_{s-i}$. Such an $i$ exists, since
$M_1 \ne M_2$. In particular, if $l(M_1) \ne l(M_2)$, then $i = 0$.
Furthermore, let $h^1_0, h^1_1, \ldots, h^1_t$ and $h^2_0, h^2_1, \ldots, h^2_s$ be the corresponding
intermediate hash values.
Clearly, $h^1_0 = h^2_0 = h_0$ and $h^1_t = h^2_s = H(M_1) = H(M_2)$.
If we know $M_1, M_2$, then it is easy to determine $h^1_0, h^1_1, \ldots, h^1_t$ and
$h^2_0, h^2_1, \ldots, h^2_s$.
Let $j$ be the smallest index s.t. $m^1_{t-j} \,\|\, h^1_{t-j-1} \ne m^2_{s-j} \,\|\, h^2_{s-j-1}$. Then $j \le i$.
Hash functions
For this 𝑗:
$f(m^1_{t-j} \,\|\, h^1_{t-j-1}) = h^1_{t-j}$
$f(m^2_{s-j} \,\|\, h^2_{s-j-1}) = h^2_{s-j}$,
and by the choice of $j$: $h^1_{t-j} = h^2_{s-j}$.
Since it is easy to determine $m^1_{t-j} \,\|\, h^1_{t-j-1}$ and $m^2_{s-j} \,\|\, h^2_{s-j-1}$, this
contradicts the fact that $f$ is collision resistant.
Hash functions
Applications of hash functions
1. Manipulation detection
2. Message authentication
3. Digital signature
4. Password file
5. Intrusion (or virus) detection
6. Random number generation
Hash functions
Types of hash functions:
- keyless (Message Digest / Manipulation Detection Code, MDC)
$H: \{0,1\}^* \to \{0,1\}^n$
$h = H(m)$
- keyed (Message Authentication Code, MAC)
$H: \{0,1\}^m \times \{0,1\}^* \to \{0,1\}^n$
$h = H(k, m)$
Remark
Formally the two types can be discussed in the same way, but the key has an
important role.
There exist solutions where a keyless hash is used and the key is encoded as
$h = H(k \,\|\, m)$. This is not strong enough in all cases.
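The Merkle-Damgård construction with the padding from the remark ($m_t\,1 0\ldots0$, then a block holding $l(m)$), and the reason the $H(k \,\|\, m)$ construction of the last remark is weak, as one added example serving both passages; it is not part of the lecture slides. The compression function is a constructed stand-in (SHA-256 truncated to $n = 128$ bits), and the function names are this example's own. `md_extend` shows what anyone holding only $H(m)$ and $l(m)$ can compute: the digest of $m \,\|\, \text{glue} \,\|\, \text{suffix}$ without knowing $m$, because the chaining value is the whole state. When $m = k \,\|\, \text{message}$, that is a forged tag on a longer message, which is why HMAC (next slides) wraps the key around the hash instead.

```python
import hashlib

N = 16  # n = 128 bits: digest and chaining-value size in bytes (toy choice)

def f(block: bytes) -> bytes:
    """Compression function f: {0,1}^{2n} -> {0,1}^n. Constructed stand-in: SHA-256 truncated to n bits."""
    assert len(block) == 2 * N
    return hashlib.sha256(block).digest()[:N]

def md_pad(m: bytes) -> bytes:
    """The slide's padding: m_t' = m_t 1 0...0 (here 0x80 then zero bytes to fill the block),
    then m_{t+1} = 0...0 l(m), a whole block holding the message length in bits."""
    body = m + b"\x80" + b"\x00" * (-(len(m) + 1) % N)
    return body + (8 * len(m)).to_bytes(N, "big")

def md_hash(m: bytes, h0: bytes = b"\x00" * N) -> bytes:
    """H(m) = h_t with h_i = f(m_i || h_{i-1}) over the padded message."""
    h = h0
    padded = md_pad(m)
    for i in range(0, len(padded), N):
        h = f(padded[i:i + N] + h)
    return h

def md_extend(digest: bytes, original_len: int, suffix: bytes):
    """Continue the chain from a known digest without knowing m.
    Returns (glue, H(m || glue || suffix)) where glue is the padding m received."""
    glue = md_pad(b"\x00" * original_len)[original_len:]      # padding depends only on l(m)
    total = original_len + len(glue) + len(suffix)
    tail = suffix + b"\x80" + b"\x00" * (-(len(suffix) + 1) % N) + (8 * total).to_bytes(N, "big")
    h = digest                                                  # chaining value after m || glue
    for i in range(0, len(tail), N):
        h = f(tail[i:i + N] + h)
    return glue, h

if __name__ == "__main__":
    secret_prefix = b"k:" + b"message"                          # constructed: H(k || m) as a tag
    tag = md_hash(secret_prefix)
    glue, forged = md_extend(tag, len(secret_prefix), b"-extra")
    print(forged == md_hash(secret_prefix + glue + b"-extra"))  # True: the tag extends
```

The collision-resistance theorem above is unaffected by this: `md_extend` produces no collision, it exploits only that the final chaining value is output unchanged. Modern designs avoid it either by HMAC on top or by a finalisation that is not the raw state (truncation as in SHA-512/256, or the sponge capacity in SHA-3).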
Hash functions
Attack goals:
- keyless (MDC):
a. given $h$, find $m$ s.t.
$h = H(m)$.
b. given $h$ and $m$ s.t. $h = H(m)$, find $m'$ satisfying
$H(m) = H(m')$.
c. find a pair $m, m'$ s.t.
$H(m) = H(m')$.
Hash functions
Attack goals:
- keyed (MAC):
without knowing $k$, try to produce a new pair
$(m, H(k, m))$, knowing some other pairs $(m_i, H(k, m_i))$.
Hash functions
Candidates for one way functions:
1. Multiplication: given $p, q$ large primes, $f(p, q) = p \cdot q$
hard: prime decomposition
2. Exponentiation: given $p$ large prime (carefully chosen) and $g$ a
primitive element mod $p$: $f(m) = g^m \pmod p$
hard: DLP
3. DES: $f(m) = DES(k, m) \oplus m$
hard: $DES(k, m)$ is practically a random number (stream cipher)
Not good:
1. DES: $f(m) = DES(k, m)$
If $h = DES(k, m)$, let $k'$ be arbitrary: $m' = DES^{-1}(k', h)$ is a
second preimage.
Hash functions
Ex. Simple hash functions
(Figure: block diagram of simple hash functions, omitted.)
Hash functions
Ex. MDC-2 (double hash fn.)
(Figure: MDC-2 block diagram, omitted.)
Hash functions
MD4 (Rivest, 1990; Message Digest)
$n = 128$
Directly inspired the MD5 and SHA-1 (Secure Hash Algorithm) functions.
1995: the first published collision attack.
Hash functions
NIST
FIPS PUB 180-4: Secure Hash Standard
After several revisions, the most recent: 2015
SHA-1: not recommended (SP 800-131A)
SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224,
SHA-512/256): recommended (SP 800-131A)
SHA-3 (SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128,
SHAKE256): recommended, but not urgent to swap from SHA-2.

Remark:
MD4, MD5, SHA-1, RIPEMD: collision attack (2004)
Cipher Block Chaining (CBC)
(Figure: the CBC block diagram from above, repeated here as the basis of CBC-MAC.)
Hash functions
CBC-MAC:
$m = m_1 \ldots m_t$
Initial value: $h_0$
$h_i = Enc(k, m_i \oplus h_{i-1})$
$h = h_t$

Not (enough) resistant against a Meet-In-The-Middle (MITM) attack


Hash functions
HMAC:
Let $H$ be a proper MDC:
$HMAC(K, M) = H[(K^+ \oplus opad) \,\|\, H[(K^+ \oplus ipad) \,\|\, M]]$
Block size: $b$
Hash size: $n$
ipad = 00110110 (hexadecimal 36), repeated $b/8$ times
opad = 01011100 (hexadecimal 5C), repeated $b/8$ times
Key: $K$
Extended key: $K^+ = K \,\|\, 0 \ldots 0$ ($K$ padded with zeros to $b$ bits)
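The HMAC formula of the slide written out byte for byte and checked against the standard library, as an added example that is not part of the lecture slides. It assumes the usual SHA-256 parameters ($b = 512$, $n = 256$) and adds the one rule of RFC 2104 / FIPS 198 that the slide leaves out, hashing a key longer than $b$ bits first; `verify_tag` shows the receiver side with a constant-time comparison, which is the check a practitioner actually deploys. Function names are this example's own.

```python
import hashlib
import hmac

def hmac_from_slide(key: bytes, msg: bytes, hashfn=hashlib.sha256) -> bytes:
    """HMAC(K, M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]], built from the slide's formula."""
    b = hashfn().block_size                      # block size in bytes (64 for SHA-256, b = 512 bits)
    if len(key) > b:
        key = hashfn(key).digest()               # RFC 2104: oversized keys are hashed first
    k_plus = key + b"\x00" * (b - len(key))      # K+ = K || 0...0, b bits long
    ipad = bytes([0x36]) * b                     # 00110110 repeated b/8 times
    opad = bytes([0x5C]) * b                     # 01011100 repeated b/8 times
    inner = hashfn(bytes(x ^ y for x, y in zip(k_plus, ipad)) + msg).digest()
    return hashfn(bytes(x ^ y for x, y in zip(k_plus, opad)) + inner).digest()

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against hmac.new: True iff the slide's formula reproduces HMAC-SHA256 exactly."""
    return hmac_from_slide(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()

def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time (a plain == leaks timing on the first differing byte)."""
    return hmac.compare_digest(hmac_from_slide(key, msg), tag)

if __name__ == "__main__":
    key, msg = b"constructed-key", b"The quick brown fox jumps over the lazy dog"   # constructed sample
    print(hmac_from_slide(key, msg).hex(), matches_stdlib(key, msg))
```

Because the key is mixed in before and after the inner hash, the chaining-value trick that breaks $H(k \,\|\, m)$ has nothing to work with: the outer call consumes the inner digest as data under a key the attacker does not know.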
Hash functions
Hash functions
Data Authentication Algorithm (DAA, FIPS PUB113)
DES based
Hash functions
Cipher Based Message Authentication Code (CMAC, NIST SP 800-38B)
AES or TDES based
Hash functions
Random number generators
Hash functions
One way trapdoor
Digital Signature (DS)
Signing electronic documents
MAC: good for authenticating the sender and the message, but only for
the receiver.
It cannot be proven to a third party, since the receiver can produce the same
signature.
The sender can repudiate at a later time (since the receiver can produce the
same signature).
Digital Signature (DS)
Signing electronic documents
(Figure: Bob signs $m$ with the secret key $k_S$ and sends $c$ over the open channel; Alice verifies it with the public key $k_P$ and recovers $m$; Eve (E) observes the channel.)
Digital Signature (DS)
Signing electronic documents:
suitable for identifying the signer
others can't sign (produce the same signature)
recognizes if either the signature or the document is modified
Digital Signature (DS)
$(m, s_m)$
1. Authentication: integrity, origin (message, sender)
2. Non-repudiation, time stamp
3. No forgery: others can't create a signature, the document can't be
modified after signing
Digital Signature (DS)
Attack goals (Goldwasser, Micali, Rivest; 1988)
total break: obtaining the signing key
universal forgery: efficient signing algorithm for arbitrary
messages (without the key)
selective forgery: signing a particular message
existential forgery: signing a message, the attacker has no
control over which one
Digital Signature (DS)
Attacking methods (Goldwasser, Micali, Rivest; 1988)
key only attack: only the public key is known (which is needed for
verification)
known message attack: message-signature pairs
chosen message attack:
general (independent of the public key): the same attack
against everyone
directed (after knowing the public key)
adaptive chosen message attack
Digital Signature (DS)
Non-repudiation and authentication for a third party is possible in two
different ways:
With a Trusted Third Party (TTP)
(strictly speaking: not DS)
Direct digital signature (public key cryptosystem based)
Digital Signature (DS)
Trusted Third Party (TTP)
A → TTP: $(A, B, m, MAC(k_A, B \,\|\, m))$
TTP → B: $(A, m, MAC(k_B, A \,\|\, m))$
Keys: A holds $k_A$, the TTP holds $k_A$ and $k_B$, B holds $k_B$.
Digital Signature (DS)
RSA based:
Key generation as for the secret message sending.
$p, q$ primes, $n = p \cdot q$, $e \cdot d \equiv 1 \pmod{\varphi(n)}$
$PK = (n, e)$
$SK = (p, q, \varphi(n), d)$
Signing:
$(m, s_m)$, where $s_m \equiv m^d \pmod n$
Verifying:
$m \equiv s_m^e \pmod n$
Digital Signature (DS)
RSA based:
not reliable
existential forgery:
$s$ arbitrary → $m \equiv s^e \pmod n$
$m$ has no meaning
malleability:
$(m_1, s_{m_1})$, $(m_2, s_{m_2})$ valid signatures →
$(m_1 \cdot m_2, s_{m_1} \cdot s_{m_2})$ is a new valid signature
Digital Signature (DS)
RSA-FDH (Full Domain Hash)
Bellare, Rogaway (1996):
Instead of the whole message, we sign only its digest.
(hash-and-sign)
Signing:
$m \to H(m)$, $s_m \equiv H(m)^d \pmod n$ ⇒ $(m, s_m)$
Verifying:
$m \to H(m)$, $H(m) \equiv s_m^e \pmod n$
Provably secure (as RSA)
Digital Signature (DS)
RSA-FDH (Full Domain Hash)
Advantage: smaller signature size, faster execution.
Resistance: depends on the properties of the hash function
(one way, weak and strong collision resistance)
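Textbook RSA signing next to RSA-FDH, as an added example that is not part of the lecture slides. The two "not reliable" properties from the previous slide are written as checks so the contrast is visible: with $s_m = m^d$ any $s$ verifies for the meaningless $m = s^e$, and two valid signatures multiply into a third; hashing first removes the algebraic structure the verifier was willing to accept. The toy key is constructed, the function names are this example's own, and the full-domain hash is approximated by SHA-256 reduced into $\mathbb{Z}_n$ (a real FDH expands the digest to the size of $n$).

```python
import hashlib

def rsa_keys(p: int, q: int, e: int):
    """Same key setup as for RSA encryption: PK = (n, e), SK = (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def textbook_sign(sk, m: int) -> int:
    n, d = sk
    return pow(m, d, n)                          # s_m = m^d mod n

def textbook_verify(pk, m: int, s: int) -> bool:
    n, e = pk
    return pow(s, e, n) == m % n                 # m = s_m^e mod n

def existential_forgery(pk, s: int) -> int:
    """Any s is a valid textbook signature of m = s^e mod n; the verifier cannot tell."""
    n, e = pk
    return pow(s, e, n)

def combine_signatures(pk, sig1, sig2):
    """Malleability: from valid (m1, s1) and (m2, s2) the pair (m1*m2, s1*s2) also verifies."""
    n, _ = pk
    (m1, s1), (m2, s2) = sig1, sig2
    return m1 * m2 % n, s1 * s2 % n

def fdh_digest(m: bytes, n: int) -> int:
    # Toy full-domain hash: SHA-256 reduced into Z_n (constructed stand-in).
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def fdh_sign(sk, m: bytes) -> int:
    n, d = sk
    return pow(fdh_digest(m, n), d, n)           # s_m = H(m)^d mod n

def fdh_verify(pk, m: bytes, s: int) -> bool:
    n, e = pk
    return pow(s, e, n) == fdh_digest(m, n)      # H(m) = s_m^e mod n

if __name__ == "__main__":
    pk, sk = rsa_keys(61, 53, 17)                # constructed toy key, n = 3233
    forged_m = existential_forgery(pk, 5)
    print(forged_m, textbook_verify(pk, forged_m, 5))          # verifies, but m is meaningless
    s = fdh_sign(sk, b"transfer 10")
    print(fdh_verify(pk, b"transfer 10", s))                   # True
```

The product of two FDH signatures is $(H(m_1) H(m_2))^d$, which would only verify for a message whose digest equals $H(m_1) H(m_2) \bmod n$; finding one is a preimage problem on $H$, which is the hash property the last slide lists as the requirement.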
Digital Signature (DS)
ElGamal digital signature
Key generation:
$p$ prime, $g$ primitive element, $x$ random, $a \equiv g^x \pmod p$
$PK = (p, g, a)$
$SK = x$
Signing (hash-and-sign)
$m \to H(m)$, $k$ random,
$s_1 \equiv g^k \pmod p$, $s_2 \equiv (H(m) - x \cdot s_1) \cdot k^{-1} \pmod{p-1}$
$s_m = (s_1, s_2)$
Digital Signature (DS)
Verifying:
$m \to H(m)$, $s_m = (s_1, s_2)$
$v_1 \equiv g^{H(m)} \pmod p$
$v_2 \equiv a^{s_1} \cdot s_1^{s_2} \pmod p$
Signature is correct if $v_1 = v_2$

Size: the signature is 2x the size of the hash.


Digital Signature (DS)
$s_1 \equiv g^k \pmod p$, $s_2 \equiv (H(m) - x \cdot s_1) \cdot k^{-1} \pmod{p-1}$
$s_1 = t_1 \cdot p + g^k$, $s_2 = t_2 \cdot (p-1) + (H(m) - x \cdot s_1) \cdot k^{-1}$
$v_2 \equiv a^{s_1} \cdot s_1^{s_2} \equiv (g^x)^{s_1} \cdot (g^k)^{t_2 \cdot (p-1) + (H(m) - x \cdot s_1) \cdot k^{-1}} \equiv$
$g^{x \cdot s_1 + k \cdot (t_2 \cdot (p-1) + (H(m) - x \cdot s_1) \cdot k^{-1})} \equiv$
$g^{x \cdot s_1 + k \cdot t_2 \cdot (p-1) + (H(m) - x \cdot s_1) \cdot k \cdot k^{-1}} \equiv$
$g^{k \cdot t_2 \cdot (p-1)} \cdot g^{x \cdot s_1 + H(m) - x \cdot s_1} \equiv$
$1 \cdot g^{H(m)} \pmod p$
Digital Signature (DS)
NIST – FIPS 186 (preliminary: 1991, final: 1994, revised: 1996,
2000, 2009, 2013):
Digital Signature Standard (DSS)
Uses the SHA (Secure Hash Algorithm) and the DSA (Digital Signature
Algorithm).
Digital Signature (DS)
DSA (Digital Signature Algorithm)
Key generation:
$q$ prime
$p$ prime, s.t. $q \mid p-1$
$g$ an element s.t. the order of $g$ mod $p$ is $q$, i.e.
$g^q \equiv 1 \pmod p$, but $g^t \not\equiv 1 \pmod p$ if $0 < t < q$.
$x$ random
$a \equiv g^x \pmod p$
$PK = (p, q, g, a)$
$SK = (x)$
Digital Signature (DS)
DSA (Digital Signature Algorithm)
At the 1991 (preliminary) version:
$q$: 160 bits, $p$: 512 – 1024 bits (length divisible by 64)
Later:
(160, 1024), (224, 2048), (256, 2048), (256, 3072)
A hash function with acceptable security is necessary:
$H(x)$ (originally SHA)
Digital Signature (DS)
DSA (Digital Signature Algorithm)
Signing:
$k$ random
$r \equiv (g^k \bmod p) \bmod q$
$t \equiv k^{-1} (H(m) + x r) \bmod q$
$s_m = (r, t)$
Digital Signature (DS)
DSA (Digital Signature Algorithm)
Verifying:
$v_1 \equiv H(m) \cdot t^{-1} \bmod q$
$v_2 \equiv r \cdot t^{-1} \bmod q$
If $r \equiv (g^{v_1} a^{v_2} \bmod p) \bmod q$, then the signature is accepted.
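ElGamal signing and DSA side by side, as one added example for both schemes; it is not part of the lecture slides. Both take the digest $H(m)$ as an integer so that the arithmetic is the slides' formulas exactly, and both take $k$ as a parameter so the examples are reproducible (a deployment draws $k$ from a cryptographic RNG or derives it deterministically as RFC 6979 does, since a reused or guessable $k$ reveals $x$). The parameters are constructed toy values: $p = 2039 = 2 \cdot 1019 + 1$ with $q = 1019$, $g = 7$ a primitive element mod $p$ for ElGamal, and $g = 4 = 2^{(p-1)/q}$ of order $q$ for DSA. The range checks on $s_1$, $r$ and $t$ are the standard ones a verifier must perform; the slides state the verification equations only.

```python
# Constructed toy parameters (far too small for real use).
P = 2039        # prime, P = 2*Q + 1
Q = 1019        # prime, Q | P - 1
G_PRIM = 7      # primitive element mod P (non-residue, so its order is 2*Q = P - 1)
G_Q = 4         # 4 = 2^2 = 2^((P-1)/Q): an element of order Q mod P

def elgamal_sign(p: int, g: int, x: int, h: int, k: int):
    """s_1 = g^k mod p, s_2 = (h - x*s_1) * k^{-1} mod (p-1); k must be coprime to p-1."""
    s1 = pow(g, k, p)
    s2 = (h - x * s1) * pow(k, -1, p - 1) % (p - 1)
    return s1, s2

def elgamal_verify(p: int, g: int, a: int, h: int, sig) -> bool:
    """v_1 = g^h, v_2 = a^{s_1} * s_1^{s_2} (mod p); accept iff v_1 = v_2 and 0 < s_1 < p."""
    s1, s2 = sig
    if not 0 < s1 < p:
        return False
    v1 = pow(g, h, p)
    v2 = pow(a, s1, p) * pow(s1, s2, p) % p
    return v1 == v2

def dsa_sign(p: int, q: int, g: int, x: int, h: int, k: int):
    """r = (g^k mod p) mod q, t = k^{-1} (h + x r) mod q; a zero r or t means: choose another k."""
    r = pow(g, k, p) % q
    t = pow(k, -1, q) * (h + x * r) % q
    if r == 0 or t == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, t

def dsa_verify(p: int, q: int, g: int, a: int, h: int, sig) -> bool:
    """v_1 = h t^{-1}, v_2 = r t^{-1} (mod q); accept iff (g^{v_1} a^{v_2} mod p) mod q = r."""
    r, t = sig
    if not (0 < r < q and 0 < t < q):
        return False
    w = pow(t, -1, q)
    v1, v2 = h * w % q, r * w % q
    return (pow(g, v1, p) * pow(a, v2, p) % p) % q == r

if __name__ == "__main__":
    x = 1234                                         # constructed secret key
    a = pow(G_PRIM, x, P)
    sig = elgamal_sign(P, G_PRIM, x, 100, 7)
    print(sig, elgamal_verify(P, G_PRIM, a, 100, sig), elgamal_verify(P, G_PRIM, a, 101, sig))
    a_dsa = pow(G_Q, 5, P)
    dsig = dsa_sign(P, Q, G_Q, 5, 10, 3)
    print(dsig, dsa_verify(P, Q, G_Q, a_dsa, 10, dsig))   # (64, 110) True
```

The two schemes differ in where the arithmetic lives: ElGamal works mod $p-1$ and produces a signature of twice the modulus size, DSA works in the order-$q$ subgroup so the signature is $2 \cdot |q|$ bits, which is the size saving the DSS slides describe.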
Time stamp
A digital signature may contain a time stamp.
Time stamp provider: TSP
$m \to h = H(m)$
$h \to$ TSP,
TSP attaches a time $T$ and signs → $(h \,\|\, T, s_{h \| T})$
Time stamped message:
$(m, h \,\|\, T, s_{h \| T})$
The receiver can be sure that the document existed at time $T$.
Blind signature
Chaum (1983)
The signature is provided by a third party.
The signer does not know the content of the message.
Requires two functions: $f$ is a blinding and $g$ an unblinding function:
$m \to b = f(m)$, $s_b$, $s_m = g(s_b)$
Blind signature
RSA blind signature:
Key generation:
$p, q$, $n = p \cdot q$, $e \cdot d \equiv 1 \pmod{\varphi(n)}$
$PK = (n, e)$
$SK = (p, q, \varphi(n), d)$

$SK$ is the secret key of the signer

$H(x)$ hash function
Blind signature
RSA blind signature:
Blinding:
$k$ random
$m \to b \equiv k^e \cdot H(m) \pmod n$
Signing:
$s_b \equiv b^d \pmod n$
Unblinding:
$s_m \equiv k^{-1} s_b \equiv k^{-1} \cdot (k^e \cdot H(m))^d \equiv k^{-1} \cdot k^{e \cdot d} \cdot H(m)^d \equiv$
$k^{-1} \cdot k \cdot H(m)^d \equiv H(m)^d \pmod n$
Blind signature
Signing:
$(m, s_m)$
Verifying:
$H(m) \equiv s_m^e \pmod n$
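The RSA blind signature round trip with the three roles separated, as an added example that is not part of the lecture slides: the requester blinds and later unblinds, the signer only ever sees $b$. The toy key and the function names are this example's own; the digest is SHA-256 reduced into $\mathbb{Z}_n$ as a stand-in for $H$. The blinding factor $k$ must be invertible mod $n$, which the code checks, and in a real system it is a fresh random value per message.

```python
import hashlib
import math

def rsa_keys(p: int, q: int, e: int):
    """Signer's key: PK = (n, e), SK = (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(m: bytes, n: int) -> int:
    # H(m) as an element of Z_n (constructed stand-in: SHA-256 reduced mod n)
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def blind(pk, m: bytes, k: int) -> int:
    """Requester: b = k^e * H(m) mod n. The signer learns nothing about H(m) from b."""
    n, e = pk
    if math.gcd(k, n) != 1:
        raise ValueError("blinding factor must be invertible mod n")
    return pow(k, e, n) * digest(m, n) % n

def sign_blinded(sk, b: int) -> int:
    """Signer: s_b = b^d mod n, computed on the blinded value only."""
    n, d = sk
    return pow(b, d, n)

def unblind(pk, s_b: int, k: int) -> int:
    """Requester: s_m = k^{-1} * s_b = H(m)^d mod n."""
    n, _ = pk
    return pow(k, -1, n) * s_b % n

def verify(pk, m: bytes, s_m: int) -> bool:
    """Anyone: H(m) = s_m^e mod n."""
    n, e = pk
    return pow(s_m, e, n) == digest(m, n)

if __name__ == "__main__":
    pk, sk = rsa_keys(61, 53, 17)                     # constructed toy key, n = 3233
    m, k = b"ballot: option 2", 5                     # constructed message and blinding factor
    s_m = unblind(pk, sign_blinded(sk, blind(pk, m, k)), k)
    print(s_m, verify(pk, m, s_m))                     # the unblinded value is exactly H(m)^d mod n
```

The same property that makes the scheme useful (the signer signs whatever $b$ it is handed) is also why a production signer never reuses its blind-signing key for ordinary RSA signatures or decryption: a blinded value could be anything.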
Undeniable Signature
Chaum, van Antwerpen (1989.)
Active participation of signer is necessary.
Challenge-response paradigm.
Undeniable Signature
Key generation:
$p, q$ primes s.t. $p = 2q + 1$
$g$ an element of order $q$ (in the structure mod $p$)
$1 < x < q$ random
$a \equiv g^x \pmod p$
$PK = (p, g, a)$
$SK = x$
Undeniable Signature
Signing:
$m$ is s.t. $m^q \equiv 1 \pmod p$
$s_m \equiv m^x \pmod p$
Verifying:
$0 \le e_1, e_2 < q$ random
$c \equiv s_m^{e_1} \cdot a^{e_2} \pmod p$: sent to the signer
signer:
$d \equiv c^{x^{-1} \bmod q} \pmod p$
Correct if
$d \equiv m^{e_1} \cdot g^{e_2} \pmod p$
Undeniable Signature
Disavowing:
if $d \not\equiv m^{e_1} \cdot g^{e_2} \pmod p$:
new challenge
$0 \le f_1, f_2 < q$ random
$C \equiv s_m^{f_1} \cdot a^{f_2} \pmod p$: is sent to the signer
$D \equiv C^{x^{-1} \bmod q} \pmod p$
if $D \not\equiv m^{f_1} \cdot g^{f_2} \pmod p$, then the signature is forged if
$(d \cdot g^{-e_2})^{f_1} \equiv (D \cdot g^{-f_2})^{e_1} \pmod p$
Undeniable Signature
Theorem
Let $s_m \equiv m^x \pmod p$, $d \not\equiv m^{e_1} \cdot g^{e_2} \pmod p$ and $D \not\equiv m^{f_1} \cdot g^{f_2} \pmod p$.
Then the probability that $(d \cdot g^{-e_2})^{f_1} \not\equiv (D \cdot g^{-f_2})^{e_1} \pmod p$ is $1 - \dfrac{1}{q}$.
