Lecture 4. Encryption and digital signatures.

Resources:
HW:

1. Symmetric cryptography

There are various flavors of secret writing. We focus on ciphers.

image

Monoalphabetic substitution (1 to 1)

  • Simple case: shift alphabet by x{1,,25}x\in\{1,…,25\} positions [Caesar Cipher]
  • Easy to crack since only 25 different alphabets.

  • More advanced: arbitrary letter mapping.
  • There are 26! different alphabets — much harder to decipher. Was cracked using frequency analysis of symbols!

Improved monoalphabetic substitution (1 to N)

  • Use symbols that delete preceding symbol (to mess around with frequencies)
  • Homophone encryption: use multiple symbols to encrypt one letter (1 to N)
  • Intentional misspelling words
  • Replace single words with one symbol (ie mix cipher with code)

Polyalphabetic substitution (N to N)

  • Mapping of symbols depends on the position of that symbol in the text! Hard to break.
  • An example, with the shared secret code word “CIF”, and Vigenère Cipher:
  • Code word
    C
    I
    F
    C
    I
    F
    C
    I
    F
    C
    Plain text
    b
    l
    o
    c
    k
    c
    h
    a
    i
    n
    Cipher text
    D
    T
    T
    E
    S
    H
    J
    I
    N
    P
    Screenshot taken from
    Screenshot taken from here

Breaking Polyalphabetic Substitution

  • Ample frequency analysis not possible
  • In mid 19th century vulnerability was discovered: use repetition of code word as a starting point
  • Looking for patterns (like the word “the”), try to guess how long the code word is (n), and use frequency analysis on every n-th cipher letter

Unbreakable Cipher

  • Weakness of Vigenère Cipher: repetition of the code word (= key)
  • Solution
    • length of key = length of text
    • random key (don’t use words or lists)
    • use each key only once
  • It’s called “onetime pad cipher” → theoretically unbreakable! [Used between USA and USSR]
  • Still need exchanging keys (or, more precisely, lists of keys, in order to use them more than once)

Encryption in the age of computers

  • Electronics are much faster than mechanical parts
  • Cipher machines become possible
  • Key difference: Letters are translated into Numbers (eg ASCII encoding below)
  • image
  • Nowadays people use utf standard, which has different language letters, and even emojis :)

DES: Data Encryption Standard (block cipher)

  • Companies need a standardized approach
  • Encryption method “Lucifer” by Horst Feistel in early 1970s (this is a block cipher, see the prev leccture for the definition)
  • Later becomes “DES”
  • Advantage: standartization and security
  • Disadvantage: key distribution problem persists, need a secure channel of communication “in the past”

2. Asymmetric Cryptography

Two ways to solve the “key distribution problem”:

  1. Come up with a secure key exchange algorithm
  2. Asymmetric cryptography: public and private keys

[Diffie-Hellman ‘76] key exchange

Gives a solution to the problem of generating a secure key for symmetric encryption on a potentially compromised channel.

The key exchange

Alice and Bob publicly predefine a one-way function Gx (mod P)G^x ~(mod~P), where PP is prime and both GG and PP are large numbers.

Next they implement the following strategy, where all operations happen mod Pmod~P:

Alice

  1. Chooses privately a=3
  2. Sends Bob x=Gax=G^a, receives yy
  3. Computes ya=Gaby^a=G^{ab}

Bob

  1. Chooses privately b=6
  2. Sends Alice y=Gby=G^b, receives xx
  3. Computes xb=Gabx^b=G^{ab}

Result: the key GabG^{ab} is now securely shared!

More details: (from Section 10.4.1)
The key reason for why Diffie-Hellman key exchange is secure is the fact that taking discrete logarithm is practically impossible.

Problem in Diffie-Hellman key exchange is the separate setup for all “pairs” of actors — cumbersome process.

💡
[Diffie ‘75]: theoretical idea of asymmetric encryption. Two separate keys: private key to encrypt messages, and public key to decrypt messages.

[Rivest-Shamir-Adleman (RSA), ‘77]

(Inspired by Diffie’s idea)

Properties of RSA Alice keeps priv_key as a secret, and publishes to everyone pub_key. Two scenarios now:

  1. Secrecy application Bob can encrypt a message by pub_key, and this message can be decrypted only by Alice using priv_key. [Bob]———msg’=encrypt(msg, pub_key)———>[Alice] [Alice]———decrypt(msg’, priv_key)———>msg
  2. Integrity and Authenticity application Alice can sign a message by priv_key, and anyone can check using pub_key that the message was signed by Alice (authenticity) and no-one else (integrity). [Alice]———sig=sign(msg, priv_key)———>[Bob] [Bob]———verify(sig, pub_key)———>True/False

Note that public key in this scheme is a perfect thing to equate with “identity”, an idea that is used evreywhere in blockchains.

Key facts and concepts behind RSA:

A more detailed crash-course into modular arithmetics and Euler’s theorem
The RSA setup: 1) Alice chooses two primes, p and q; computes N = pq 2) Chooses an additional integer e, such that gcd[e, ϕ(N)]=1, where ϕ(N)=(p-1)(q-1) is the number of prime-relative-to-N numbers smaller than N. 3) Computes the private key k by (extended) Euclidean algorithm, according to equation e·k = 1 mod ϕ(N) [Only Alice can do it, since only she knows p and q, and also gcd[e, ϕ(N)]=1 guarantees that k exists.]

Rmk: k is the inverse of e in ZN\mathbb Z^*_{N}, and is called the trapdoor for the one-way function xe (mod N)\mathbf{x^e~(mod~N)}, since it allows to invert it.

The RSA algorithm
Alice
Bob
public key: (N, e) • private key: p, q, k Conditions: - p & q are prime, N=pq - gcd[e, ϕ(N)] = 1 - e·k = 1 mod ϕ(N) [note: ϕ(N)=(p-1)(q-1)]
Wants to securely send an integer m to Alice
Encrypts the message by computing c=me\mathbf{c=m^e} (mod N)
\longleftarrow c
Decrypts the message: ck=mek=mϕ(N)+1=\mathbf{c^k=m^{ek}=m^{\ell\cdot \phi(N)+1} = } =(mϕ(N))m=1m=m (mod N)\mathbf{=(m^{\phi(N)})^\ell m=1^\ell m = m ~(mod~N)}

Remark: gcd(m, N)=1 is needed as a condition of the Euler’s theorem, and it is true probabilistically.

Example with numbers:
Crucial assumption for security of RSA: should be impossible to find p and q ⇒ N needs to be sufficiently large.

Definition: a Digital Signature Scheme (DSS) consists of 3 algorithms:

  1. Gen(): outputs a key pair (priv_key, pub_key)
  2. Sign(priv_key, msg): outputs a signture σ
  3. Verify(pub_key, msg, sig): outputs True or False

Note: unlike signatures in RL, digital signatures depend on the message.

HW: build a DSS using the RSA scheme.

Definition: (informal) DSS is secure if adversary seeing many signatures of Alice (on messages of her choice) cannot forge a signature on a new message.

Families of DSS: (none of these are quantum-resistant)

  1. RSA signatures (not used in blockchain) - long signatures and public keys (≥256 bytes), fast to verify - might not be resistant long-term (the Quadratic Sieve and the General Number Field Sieve get more efficient as the numbers get larger)
  2. ECDSA and Schnorr (Ethereum before the merge, Bitcoin) - short signatures (64 and 48 bytes) and public keys (32 bytes) - better resistance
  3. BLS signatures (Ethereum 2.0) 48 bytes, aggregatable (gamechanger for blockchains), easy threshold building (3 out of 5, say)

Note: post-quantum signatures are long (≥768 bytes). The signatures form the bulk of tx data on a blockchain.

Elliptic cryptography (ECDSA)

(screenshot taken from this lecture)

  • Elliptic curve is a graph of Weierstrass equation: y2=x3+ax+by^2=x^3+ax+b Non-singularity conditions: 4a3+27b204a^3+27b^2\neq0
  • image
  • Symmetry along the x-axis.
  • Addition of points on Elliptic curve:
  • image
  • Point doubling
  • image

Q. On elliptic curve, why geometrical addition of points coincides with algebraic addition? What about point doubling?

  • Bitcoin (before Taproot upgrade) and Ethereum (before The Merge upgrade) use secp256k1: y2=x3+7 (mod p)y^2=x^3+7 ~ (mod~ p) where p=22562322926241p=2^{256}-2^{32}-2^9-2^6-2^4-1.
  • image

    This elliptic curve consists of 39 points!

  • ECDSA cyclical subgroup:
  • image
    image

    the whole subgroup:

    image
  • ECDSA private and public keys
    • kprv=9k_{prv}=9 is the private key = number of steps in cyclic subgroup starting from the generator
    • G=(8,1)G=\langle(8,1)\rangle is publicly known subgroup, |G|=13 in 39 element elliptic group y2=x3+7y^2=x^3+7 over F37\mathbb F_{37}.
    • Kpub=9G(=G9)K_{pub}=9G(=G^9) = (23,1) is the public key. Is computed efficiently!
    • image
    • This difference is the key for why its very easy to derive public key from private (log amount of steps), but not the other way around (n amount of steps, where n=|<G>|=13 in our case)
    • image

ECDSA signature scheme explained theoretically

Example of a signature: (simplified)

  • y2=x3+7y^2=x^3+7
  • G=(8,1)
  • kprv=9k_{prv}=9
  • Kpub=(23,1)K_{pub} = (23,1)
  • t=4t=4 (message)
  1. Choose a random number, e.g. i=7i=7 (chosen differently for every signature)
  2. Compute (r and s comprise signature)
    1. P=iG=7G=(18,20)P=i\cdot G=7G=(18,20)
    2. r=xP (mod 13)=18 (mod 13)=5r=x_P ~(mod~ 13)= 18~(mod~ 13)=5
    3. s={i1(t+rkprv} (mod n)s= \{i^{-1}(t+rk_{prv}\}~ (mod ~ n) ={2+(4+59)} (mod 13)=\{2+(4+5\cdot 9)\} ~( mod ~ 13) =7=7
    4. (Inverses are computed easily by mirroring)

  3. Send
    1. (r, s) = (5, 7)
    2. t=4 (this is what you are signing)
    3. Kpub=(23,1)K_{pub}= (23,1)

Example of verification: (simplified)

  • y2=x3+7y^2=x^3+7
  • G=(8,1)
  • Kpub=(23,1)K_{pub} = (23,1)
  • t=4t=4
  • (r, s) = (5, 7)
  1. Compute
    1. u1=(s1t) (mod n)=8u_1 = (s^{-1}t) ~ (mod ~ n)=8
    2. u2=(s1t) (mod n)=10u_2 = (s^{-1}t) ~ (mod ~ n)=10
    3. P=Gu1+Kpubu2=8G+10(23,1)=(32,20)+(8,36)=(18,20)P = G^{u_1} + K_{pub}^{u_2}= 8 G+10 (23,1)= (32,20)+(8,36)=(18,20)
  2. Check authenticity: xP (mod n)=rx_P ~ (mod ~ n)=r (in our case 18 (mod 13)=518 ~ (mod ~ 13) = 5)