Lecture 4. Encryption and digital signatures.

(3 hours)

Resources:

UBasel course: 2, 3, 4

Simon Singh, “The Code Book”

Diagram codes
flowchart TB
classDef default fill:#F8ECFB, stroke:#000, stroke-width:2px, text-align:left
classDef green fill:#C5F1AB,stroke:#000,stroke-width:2px
classDef red fill:#FFA69D,stroke:#000,stroke-width:2px
classDef blue fill:#DAF4FF,stroke:#000,stroke-width:2px
classDef white fill:#ffffff,stroke:#000,stroke-width:2px
classDef orange fill:#FDDCBE,stroke:#000,stroke-width:2px

SW("<b>Secret writing</b>")
St("<b>Steganography</b></b>\n(hiding the fact of communication)\n\n")
Cr("<b>Cryptography </b>\n(hiding the content of the message\n\n")
Tr("<b>Transposition</b>\n(subparts are permutated)\n\n")
Sub("<b>Substitution</b> \n(subparts are substituted)\n\n")
Code("<b>Code</b> \n(words are subbed; need a dictionary)\n\n")
Cipher("<b>Cipher</b>\n(letters are subbed; really low level)\n\n"):::orange
SW-->St
SW-->Cr
Cr-->Tr
Cr-->Sub
Sub-->Code
Sub-->Cipher
HW:

How does the “signature” part works in the RSA scheme? (we only described encryption)

1. Symmetric cryptography

There are various flavors of secret writing. We focus on ciphers.

image

Monoalphabetic substitution (1 to 1)

  • Simple case: shift alphabet by positions [Caesar Cipher]
  • Easy to crack since only 25 different alphabets.

  • More advanced: arbitrary letter mapping.
  • There are 26! different alphabets — much harder to decipher. Was cracked using frequency analysis of symbols!

Improved monoalphabetic substitution (1 to N)

  • Use symbols that delete preceding symbol (to mess around with frequencies)
  • Homophone encryption: use multiple symbols to encrypt one letter (1 to N)
  • Intentional misspelling words
  • Replace single words with one symbol (ie mix cipher with code)

Polyalphabetic substitution (N to N)

  • Mapping of symbols depends on the position of that symbol in the text! Hard to break.
  • An example, with the shared secret code word “CIF”, and Vigenère Cipher:
  • Code word
    C
    I
    F
    C
    I
    F
    C
    I
    F
    C
    Plain text
    b
    l
    o
    c
    k
    c
    h
    a
    i
    n
    Cipher text
    D
    T
    T
    E
    S
    H
    J
    I
    N
    P
    Screenshot taken from
    Screenshot taken from here

Breaking Polyalphabetic Substitution

  • Ample frequency analysis not possible
  • In mid 19th century vulnerability was discovered: use repetition of code word as a starting point
  • Looking for patterns (like the word “the”), try to guess how long the code word is (n), and use frequency analysis on every n-th cipher letter

Unbreakable Cipher

  • Weakness of Vigenère Cipher: repetition of the code word (= key)
  • Solution
    • length of key = length of text
    • random key (don’t use words or lists)
    • use each key only once
  • It’s called “onetime pad cipher” → theoretically unbreakable! [Used between USA and USSR]
  • Still need exchanging keys (or, more precisely, lists of keys, in order to use them more than once)

Encryption in the age of computers

  • Electronics are much faster than mechanical parts
  • Cipher machines become possible
  • Key difference: Letters are translated into Numbers (eg ASCII encoding below)
  • image
  • Nowadays people use utf standard, which has different language letters, and even emojis :)

DES: Data Encryption Standard (block cipher)

  • Companies need a standardized approach
  • Encryption method “Lucifer” by Horst Feistel in early 1970s (this is a block cipher, see the prev leccture for the definition)
  • Later becomes “DES”
  • Advantage: standartization and security
  • Disadvantage: key distribution problem persists, need a secure channel of communication “in the past”

2. Asymmetric Cryptography

Two ways to solve the “key distribution problem”:

  1. Come up with a secure key exchange algorithm
  2. Asymmetric cryptography: public and private keys

[Diffie-Hellman ‘76] key exchange

Gives a solution to the problem of generating a secure key for symmetric encryption on a potentially compromised channel.

The key exchange

Alice and Bob publicly predefine a one-way function , where is prime and both and are large numbers.

Next they implement the following strategy, where all operations happen :

Alice

  1. Chooses privately a=3
  2. Sends Bob , receives
  3. Computes

Bob

  1. Chooses privately b=6
  2. Sends Alice , receives
  3. Computes

Result: the key is now securely shared!

More details: (from Section 10.4.1)
image
The key reason for why Diffie-Hellman key exchange is secure is the fact that taking discrete logarithm is practically impossible.

Problem in Diffie-Hellman key exchange is the separate setup for all “pairs” of actors — cumbersome process.

💡
[Diffie ‘75]: theoretical idea of asymmetric encryption. Two separate keys: private key to encrypt messages, and public key to decrypt messages.

[Rivest-Shamir-Adleman (RSA), ‘77]

(Inspired by Diffie’s idea)

Properties of RSA Alice keeps priv_key as a secret, and publishes to everyone pub_key. Two scenarios now:

  1. Secrecy application Bob can encrypt a message by pub_key, and this message can be decrypted only by Alice using priv_key. [Bob]———msg’=encrypt(msg, pub_key)———>[Alice] [Alice]———decrypt(msg’, priv_key)———>msg
  2. Integrity and Authenticity application Alice can sign a message by priv_key, and anyone can check using pub_key that the message was signed by Alice (authenticity) and no-one else (integrity). [Alice]———sig=sign(msg, priv_key)———>[Bob] [Bob]———verify(sig, pub_key)———>True/False

Note that public key in this scheme is a perfect thing to equate with “identity”, an idea that is used evreywhere in blockchains.

Key facts and concepts behind RSA:

A more detailed crash-course into modular arithmetics and Euler’s theorem

(numbers are assumed to be integers below)

  1. Modular arithmetics [a≡b (mod n) ⇒ a+x≡b+x (mod n) AND ax≡bx (mod n)]
  2. Euclidean algorithm
  3. ⇒ [gcd(a,b)=d ⇒ ∃x,y s.t. ax+by=d]

    ⇒ [gcd(a,n)=1 ⇒ ∃x s.t. ax ≡ 1 (mod n)]

    ⇒ (cancellation law) [gcd(a,n)=1 AND ax≡ay (mod n) ⇒ x≡y (mod n)]

    ⇒ [gcd(a,n)=1 ⇒ all possible different residues of N, , are permutated via multiplication by a]

    ⇒ [gcd(a,n)=1 ⇒ П≡ПaП (mod n)]

    (via cancellation of each in ПП)

    ⇒ [Euler’s theorem: gcd(a,n)=1 ⇒ 1 ≡ (mod n)]

The RSA setup: 1) Alice chooses two primes, p and q; computes N = pq 2) Chooses an additional integer e, such that gcd[e, ϕ(N)]=1, where ϕ(N)=(p-1)(q-1) is the number of prime-relative-to-N numbers smaller than N. 3) Computes the private key k by (extended) Euclidean algorithm, according to equation e·k = 1 mod ϕ(N) [Only Alice can do it, since only she knows p and q, and also gcd[e, ϕ(N)]=1 guarantees that k exists.]

Rmk: k is the inverse of e in , and is called the trapdoor for the one-way function , since it allows to invert it.

The RSA algorithm
Alice
Bob
public key: (N, e) • private key: p, q, k Conditions: - p & q are prime, N=pq - gcd[e, ϕ(N)] = 1 - e·k = 1 mod ϕ(N) [note: ϕ(N)=(p-1)(q-1)]
Wants to securely send an integer m to Alice
Encrypts the message by computing (mod N)
c
Decrypts the message:

Remark: gcd(m, N)=1 is needed as a condition of the Euler’s theorem, and it is true probabilistically.

Example with numbers:
  1. Alice chooses two primes, p and q (say p=17, q=11); computes N = pq (N=187 in our case); chooses an additional integer e (say e=7), such that gcd[e, (p-1)(q-1)]=1; (N, e) is Alice’s public key. ( (187,7) in our case )
  2. Bob encodes message M as an integer (e.g., letter X in ASCII, giving M=88); computes encrypted message C using Alice’s public key:
  3. In our example

  4. Alice computes the private key by (extended) Euclidean algorithm, according to equation:
  5. where is the number of relative to N prime numbers smaller than N. Only Alice can do it, since only she knows p and q, and also gcd[e, (p-1)(q-1)]=1 guarantees that exists. [ is the inverse of in , and is called the trapdoor for the one-way function “x^e (mod N)”, since it allows to invert it]

    In our case:

  6. Alice decrypts Bob’s message using Euller’s theorem, working modulo :
  7. In our case ⇒ M=88 ⇒ symbol is X via ASCII.

Crucial assumption for security of RSA: should be impossible to find p and q ⇒ N needs to be sufficiently large.

Definition: a Digital Signature Scheme (DSS) consists of 3 algorithms:

  1. Gen(): outputs a key pair (priv_key, pub_key)
  2. Sign(priv_key, msg): outputs a signture σ
  3. Verify(pub_key, msg, sig): outputs True or False

Note: unlike signatures in RL, digital signatures depend on the message.

HW: build a DSS using the RSA scheme.

Definition: (informal) DSS is secure if adversary seeing many signatures of Alice (on messages of her choice) cannot forge a signature on a new message.

Families of DSS: (none of these are quantum-resistant)

  1. RSA signatures (not used in blockchain) - long signatures and public keys (≥256 bytes), fast to verify - might not be resistant long-term (the Quadratic Sieve and the General Number Field Sieve get more efficient as the numbers get larger)
  2. ECDSA and Schnorr (Ethereum before the merge, Bitcoin) - short signatures (64 and 48 bytes) and public keys (32 bytes) - better resistance
  3. BLS signatures (Ethereum 2.0) 48 bytes, aggregatable (gamechanger for blockchains), easy threshold building (3 out of 5, say)

Note: post-quantum signatures are long (≥768 bytes). The signatures form the bulk of tx data on a blockchain.