Public-Key Cryptography [1st ed.] 978-3-662-02629-8, 978-3-662-02627-4

Cryptography, secret writing, is probably as old as writing in general. Only recently it has become the object of extens

177 22 21MB

English Pages 250 Year 1990

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Front Matter....Pages I-X
Classical Two-Way Cryptography....Pages 1-54
The Idea of Public Keys....Pages 55-76
Knapsack Systems....Pages 77-124
RSA....Pages 125-157
Other Bases of Cryptosystems....Pages 159-179
Cryptographic Protocols: Surprising Vistas for Communication....Pages 181-218
Back Matter....Pages 219-247
Recommend Papers

Public-Key Cryptography [1st ed.]
 978-3-662-02629-8, 978-3-662-02627-4

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

EATCS Monographs on Theoretical Computer Science Volume 23 Editors: W. Brauer G. Rozenberg A. Salomaa Advisory Board: G.Ausiello M.Broy S.Even IHartmanis N.Jones T. Leighton M.Nivat C. Papadimitriou D. Scott

Arto Salomaa

Public-Key Cryptography With 18 Figures

Springer-Verlag Berlin Heidelberg GmbH

Author

Prof. Dr. Arto Salomaa The Academy of Finland SF-20500 Turku, Finland

Editors

Prof. Dr. Wilfried Brauer Institut fUr Informatik, Technische Universitat Miinchen Arcisstrasse 21, D-8000 Miinchen 2, FRG Prof. Dr. Grzegorz Rozenberg Institute of Applied Mathematics and Computer Science University of Leiden, Niels-Bohr-Weg 1, P. O. Box 9512 NL-2300 RA Leiden, The Netherlands Prof. Dr. Arto Salomaa (address as above)

ISBN 978-3-662-02629-8

Library of Congress Cataloging-in-Publication Data Salomaa, Arto. Public-key cryptography / Arto SaIomaa. p. cm. - (EATCS monographs on theoretical computer science; v. 23) Includes bibliographical references and index. ISBN 978-3-662-02629-8 ISBN 978-3-662-02627-4 (eBook) DOI 10.1007/978-3-662-02627-4 I. Computers - Access control. 2. Cryptography. I. Title. II. Series. QA76.9.A25S26 1990 005.8'2-dc20 90-10092 CIP This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in other ways, and storage in data banks. Duplication of this publication or parts thereof is only permitted under the provisions ofthe German Copyright Law of September 9, 1965, in its current version, and a copyright fee must always be paid. Violations fall under the prosecution act of the German Copyright Law. © Springer-Verlag Berlin Heidelberg 1990 Originally published by Springer-Verlag Berlin Heidelberg New York in 1990 Softcover reprint of the hardcover 1st edition 1990 The use of registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. 2141/3140-543210 - Printed on acid-free paper

To the Memory of My Sister Sirkka Salomaa 1919-1989

Preface

Cryptography, secret writing, is probably as old as writing in general. Only recently it has become the object of extensive scientific studies. Vast new applications to data security constitute one explanation for this. Perhaps a still more important reason for the huge growth of scientific research on cryptography is the seminal idea of public-key cryptography and the resulting new vistas on the possibilities of communication. This book presents a view on public-key cryptography with classical cryptography as the starting point. An attempt has been made to cover some of the most recent developments and present novel features. The plaintext examples constitute a package of basic sauna knowledge. Acknowledgements. Hermann Maurer revived in the late 70's my dormant interest

in cryptography. I have used some versions of this book since 1983 for courses on cryptography at the Universities of Turku and Leiden, as well as at the Technical University of Wien. The observations of the participants in these courses were useful. Juha Honkala, Jarkko Kari, Valtteri Niemi, Lila Santean, Mika Niemi and Ari Renvall have commented on various parts of the manuscripts, and the first four have contributed in numerous discussions as well. I have also benefited from discussions with Ron Book, Wilfried Brauer. Karel Culik, Ferenc Gecseg, Jozef Gruska, Tero Harju, liro Honkala, Helmut Jurgensen, Juhani Karhumiiki, Werner Kuich, Hannu Nurmi, Kaisa Nyberg, Azaria Paz, Grzegorz Rozenberg, Kai Salomaa, Aimo Tietiiviiinen, Emo Welzl, Derick Wood and Sheng Yu. Special thanks are due to Elisa Mikkola for excellent typing, as well as assistance in many practical matters. Anu Heinimiiki has drawn the pictures. The Academy of Finland has provided me excellent working conditions. The good cooperation with the Academy, in particular with Marjatta Niiiitiinen, is gratefully acknowledged. The scientific organization MA TINE has supported my cryptographic research. Finally, I want to thank Springer-Verlag and especially Dr. Hans Wossner and Mrs. Ingeborg Mayer for good cooperation and timely production. Turku, May 1990

Arto Salomaa

Contents

Chapter 1. Classical Two-Way Cryptography ....................... 1.1 Cryptosystems and Cryptanalysis ........................... 1.2 Monoalphabetic Systems .................................. 1.3 Polyalphabetic and Other Systems .......................... 1.4 Rotors and DES ........................................

1 1 10 22 39

Chapter 2. The Idea of Public Keys .............................. 2.1 Some Streets Are One-Way ........ . . . . . . . . . . . . . . . . . . . . . . . . 2.2 How to Realize the Idea .................................. 2.3 Obvious Advantages of Public Keys .........................

55 55 64 71

Chapter 3. Knapsack Systems .................................. 77 3.1 A Trapdoor is Built ...................................... 77 3.2 How to Find the Trapdoor ................................ 87 3.3 Theory of Reachability .................................... 96 3.4 Trying to Hide the Trapdoor Again ......................... 108 3.5 Dense Knapsacks ........................................ 117 Chapter 4. RSA ............................................. 4.1 Legal World ............................................ 4.2 Attack and Defense ...................................... 4.3 Primality .............................................. 4.4 Cryptanalysis and Factoring ............................... 4.5 Partial Information on RSA ............................... 4.6 Discrete Logarithms and Key Exchange ......................

125 125 134 137 143 147 154

Chapter 5. Other Bases of Cryptosystems ......................... 5.1 Exponentiation in Quadratic Fields .......................... 5.2 Iteration of Morphisms ................................... 5.3 Automata and Language Theory ............................ 5.4 Coding Theory ..........................................

159 159 166 174 178

Chapter 6. Cryptographic Protocols: Surprising Vistas for Communication 6.1 More Than Etiquette ..................................... 6.2 Coin Flipping by Telephone. Poker Revisited .................. 6.3 How to Share a Secret .................................... 6.4 Partial Disclosure of Secrets ............................... 6.5 Oblivious Transfer ....................................... 6.6 Applications: Banking and Ballots ...........................

181 181 184 187 190 194 200

X

6.7 6.8 6.9

Contents

Convincing Proofs with No Details .......................... 202 Zero-Knowledge Proofs ................................... 208 Zero-Knowledge Proofs of Identity .......................... 213

Appendix A. Tutorial in Complexity Theory ....................... 219 Appendix B. Tutorial in Number Theory .......................... 223 Problems

229

Historical and Bibliographical Remarks ........................... 237 References Index

239

..................................................... 243

Chapter 1. Classical Two-Way Cryptography

1.1 Cryptosystems and Cryptanalysis The art and science of cryptography consists of two worlds. There is the world of legal communications: parties such as legal users of a data bank exchanging messages. This world can be viewed as open and sunlit. There is also the dark world of the enemy who illegally tries to intercept the messages and do all kinds of vicious things. For people in the legal world, it is desirable that the enemy understands very little of the messages. The enemy, on the other hand, would like to have easily understandable messages. Cryptography is continuing struggle between the two worlds. A success by the enemy leads to a need to strengthen the methods in the sunlit world. This means a new challenge for the enemy. And so the struggle goes on. Eternal mathematical results are likely to be impractical. How to present the two worlds in a book? There is no difficulty as regards things past. One just describes a method in the sunlit world and then goes on telling how the enemy made a successful attack. The situation is different if one wants to say something about present things. Whenever one describes a successful enemy attack, one has to admit that the corresponding methods in the legal world were not safe after all. No exposition can claim success in both worlds. What one can do is to give details for the legal world and then outline some possible enemy attacks, at the same time telling why the attacks are not likely to succeed. This of course has no implications concerning the eventual success of some other, maybe very ingenious enemy attacks. Anyway, this approach will be followed in the sequel. Although mathematical certainty cannot be reached, the likelihood of the safety of the methods is often very high. The following observation should be made of the two worlds. Although we called them "legal" and "dark", it is not always the case that the former is inhabited by "good guys" and the latter is Mordor where Sauron lives. The roles can be interchanged in practical situations. For instance, the interception of messages may be attempted by our country in a war, whereas messages are interchanged by our enemy. Of course, we have justice on our side! Or the legal users of a data bank may be criminals, and the police tries to find out their activities. In fact, the terminology we will introduce below is going to be impartial in the sense that no value judgments will be attached to the two opposing parties. We are now ready to introduce the very fundamental notions of cryptography. They will be in use throughout the book. It is to be emphasized that the termino-

2

1. Classical Two-Way Cryptography

logy is by no means uniform and fixed in different expositions on secret writing. When introducing the terminology used in this book, we often mention also some other terms used for the same notion by some other authors. Our over-all term for secret writing is cryptography. It includes the activities in both worlds. Some authors use the term cryptology for this over-all purpose and reserve the term "cryptography" for the activities of the legal world. The basic set-up is depicted in Fig. 1.1. A message is being sent through an insecure channel, where it may be intercepted by an eavesdropper.

Fig. 1.1

The picture is the same, no matter whether we speak of a horseback courier or electronic mail. We cannot secure the channel and, therefore, interception is possible. The foremost goal of the enemy is to violate the secrecy of the communication and benefit from the secret information. More sophisticated goals might be the following ones. The enemy might want to alter the message, thus confounding the receiver with a corrupted message. In this fashion the enemy also deceives the receiver about the identity of the sender. For instance, the sender might have sent the message "I will give no support to the Greens." If the enemy alters this into "I will give $10.000 to the Greens," the receiver has no idea from whom this essentially different message came. The enemy might also deceive the sender about the identity of the receiver, for instance, by grabbing the whole message and failing to forward it. In all of these cases it is of great advantage to the original sender and receiver if the enemy does not understand the message after intercepting it. For this purpose, some method of encryption will be used. The message in its original form will be referred to as the plaintext. Thus, the sender encrypts the plaintext. The result will be referred to as the cryptotext. The cryptotext is then sent via the insecure channel. Finally, the receiver decrypts the cryptotext, after which he/she has the original plaintext. Thus, sender's translation activity is: Encrypt plaintext to cryptotext . Receiver's translation activity is the reverse one: Decrypt cryptotext to plaintext.

1.1 Cryptosystems and Cryptanalysis

3

We may use also the shorter symbolic expressions

E(pt)

= ct and D(ct) = pt .

In the literature the terms "cleartext" and "ciphertext" or briefly "cipher" are often used instead of "plaintext" and "cryptotext." The verbs for translation are in this case "encipher" and "decipher." The word "code" and the corresponding verbs "encode" and "decode" have also been used, although not any more recently. The reason is that the word "code" is loaded with other meanings: error-correcting codes, automata-theoretic codes, etc. The word "code" will be used in some special contexts below, not however in the general sense of the word "cryptotext." We now analyze the encryption and decryption further. Both translations happen within the framework of a cryptosystem. A cryptosystem consists of the following items. (i) A plaintext space PT, that is, the collection of all possible plain texts pt. (ii) A key space K. Each key k in K determines an encryption method Ek and a decryption method Dk. If Ek is applied to a plaintext pt, and Dk to the result, then pt is obtained. (iii) A cryptotext space CT, that is, the collection of all possible cryptotexts ct. Elements of CT result from the elements of PT by applying the encryption methods Ek , where k ranges over K. We need some very basic language-theoretic notions. We begin with a finite nonempty set 1:, called an alphabet. The elements of 1: are referred to as letters. Finite strings of elements of 1: are referred to as words. The same letter may occur several times in a word. Also the string consisting of zero letters is counted as a word, the empty word A. The length of a word w is the number of letters in w, where each letter is counted as many times as it occurs. The set of all words over 1: is denoted by 1:*. Subsets of 1:* are referred to as (formal) languages over 1:. For instance, if 1: is the English alphabet {A, B, C, ... ,Z} then ABBA, HORSE and KOKOOKOKOONKOKOKOKKO are words over 1:. (Whether a word has a meaning is irrelevant. In fact, the third word has a meaning in Finnish.) We may also add to 1: the lower case letters, all punctuation marks and the empty space needed in an ordinary text. Then the collected works of Shakespeare, written one after the other, constitute a word over this extended alphabet. We now return to the notion of a cryptosystem, analyzing the different items further. The plaintext space PT is usually either the set 1:*, for some alphabet 1:, or else consists of all meaningful expressions of a natural language. We want to emphasize already now that these two possibilities are essentially different from many points of view. If the plaintext space is 1:* then every letter in the message is significant: there is no leeway in the process of decryption. On the other hand, every natural language is highly redundant in the sense that a message is usually understood correctly even if many individual characters have been distorted. This is a definite advantage for the eavesdropper: he/she might understand the message correctly although the analysis is wrong in several spots! Let us illustrate this further.

I. Classical Two-Way Cryptography

4

Example 1.1. Asume first that the English language constitutes the plaintext space. Consider the plaintext message WEMEETTOMORROW. (We have disregarded the spaces between individual words. This will be often done in the sequel.) This is encrypted as UBQBBNNFIVPNFOOB. (For the moment being we do not tell how エセ・@ encryption is done-the method is a bit surprising.) If the eavesdropper's analysis of the cryptotext gives the result WIMIIDTUMAROV, he/she is quite well off: the result should be understandable correctly. Assume, secondly, that the plaintext space is l:* for the binary alphabet l: = {O, 1}. Assume further that the sender and the receiver have made the following previous agreement concerning the messages. The messages are of length 12 and give information about a fleet consisting of 12 vessels. More specifically, a message sent in the morning indicates which vessels participate in the mission of that particular day. For instance, according to the message 010011000001 the only vessels participating are the second, fifth, sixth and twelfth one. The messages are sent in an encrypted form. Now the analysis of our eavesdropper must produce the original plaintext quite accurately. Even if one bit is wrong, a grave error may occur in the resulting action. Often when the plaintext is English it is first encoded into the binary alphabet, for instance, by replacing each letter with the binary number indicating the position of the letter in the English alphabet. Since 24 < 26 < 25 , words oflength five are needed for this purpose: A

= 00001,

B

= 00010, C = 00011, ... , N = 01110, ... , Z = 11010.

We will use the terms encoding and decoding for translations of the message without any purpose of concealment. An encoding might be needed, for instance, in the transmission of the message. Thus, the message is first encoded and then encrypted. Of course, the redundancy of a natural language is not at all affected by an encoding. D After this discussion about the plaintext space, we give some comments on the key space. The cardinality of the key space should not be very small: the illegal party should not have the possibility of testing all keys. In most cases the key space is (denumerably) infinite. We have said only that each key k determines an encryption method Ek and a decryption method Dk and, further, that Ek and Dk cancel each other. We do not want to give a more specific mathematical characterization of Ek and Dk. In fact, we do not even want to require that Ek is a function. In some cryptosystems presented below there are many possibilities to apply a key to a plaintext, and the results will be different. There is not much to say about the third item, the cryptotext space. It is determined by the first two items: all possible encryptions of all possible plaintexts. What makes a cryptosystem good? Sir Francis Bacon proposed the following three requirements, given now in our terminology. (i) Given Ek and pt, the computation of Ek(pt) is easy. Given Dk and ct, the computation of Dk(ct) is easy.

1.1 Cryptosystems and Cryptanalysis

5

(ii) Without knowing Dk , it is impossible to find pt from ct. (iii) The cryptotext should be without suspicion: innocent looking. One can still agree with Sir Francis, with the following reservations in mind. Requirement (iii) is not any more considered to be important. Section 1.2 contains an example where it is satisfied. Requirement (i) says that for legal users the cryptosystem should not be too complicated. "Easy" refers here to complexity theory - see Appendix A. It is assumed that the users have available a reasonable amount of computing power. In (ii) "impossible" is replaced by "computationally intractable". The eavesdropper is also assumed to have computing power. Strengthenings of requirement (ii) are considered below in connection with cryptanalysis. Sidelines of requirement (i) are discussed in [Ka]. Before the advent of computers, everything in the application of a cryptosystem had to be done by hand. For instance, an army general responsible for cryptography used children in the first grade to test a new cryptosystem. If it was too complicated for the children, it was not accepted for army usage! There will be many examples of cryptosystems in the sequel. Let us begin here with a very old and not at all good cryptosystem: CAESAR. Many variants of it have been in use at different times - it will be discussed also in the next section. It is not important how we fix the plaintext space. CAESAR is based on substitutions: each letter is substituted by another letter. The latter is obtained from the former by advancing k steps in the alphabet. At the end of the alphabet one goes cyclically to the beginning. Thus, for k = 3, substitutions are as follows. oセ@

ABCDEFGHIJKLMNOPQRSTUVWXYZ

セdefghijklmnopqrstuvwxyzabc@

In this case, the plaintext TRY AGAIN is encrypted as WUB DJDLQ. Thus, the key space of the CAESAR system consists of the 26 numbers 0, 1, 2, ... ,25. The encryption method Ek determined by the key k is: advance k steps in the alphabet. The corresponding decryption method Dk is: go back k steps in the alphabet. Some further illustrations: E 2s (IBM)

= HAL, E 6 (MUPID) = SAVOJ ,

E 3 (HELP) = KHOS,

E 1 (HOME) = IPNF ,

D6 (SA VOJ) = E 20 (SA VOJ) = MUPID . Some general properties of the E's and D's can be stated here. One of them is commutativity: whenever some E's and D's are applied one after the other, the order of application does not matter. For instance, E3 D7 E6 Dll

= E3 E6 D7 Dll = D9 = E17 .

Commutativity will be a crucial property in some of our considerations later on. Also the following relations hold for any k satisfying 1 セ@ k セ@ 25: Dk

= E 26.k, Dk Ek = Eo = Do .

6

1. Classical Two-Way Cryptography

The latter expresses the fact that the effects of Ek and Dk cancel each other as they should. The decryption key Dk can be immediately computed from the encryption key Ek. For any cryptosystem, Dk is determined (in a mathematical sense) by Ek. However, the computation of Dk from Ek may be intractable. In every classical cryptosystem also Dk is given away if Ek is publicized. Anybody who knows Ek is able to compute also Dk. Of course, the computation is not so immediate as in case of CAESAR but it can always be done within a reasonable time. Hence, Ek cannot be publicized. A property characteristic for public-key cryptosystems is that Ek can be made public without compromising the secrecy. The keys are so skillfully constructed that the computation of Dk from Ek is intractable, and so is the computation of pt given Ek and Ek(pt). This requirement will be viewed from various angles in later chapters. We wanted only to mention here the essential feature of public-key cryptosystems. After discussing the basics of cryptosystems, let us now go to the other world. From now on we refer to the eavesdropper as the cryptanalyst. Thus, the difference between cryptanalysis and decryption is that the cryptanalyst has to manage without the decryption key Dk. The purpose is the same in both cases: to find the plaintext pt. The illustration in Fig. 1.1 takes now a more detailed form, depicted in Fig. 1.2.

Fig. 1.2

The sender (resp. receiver) knows in advance Ek (resp. Dk). For instance, the two parties might have agreed upon the matters in a previous meeting. The details of this agreement depend on the cryptosystem used. The procedure is essentially different for classical and public-key cryptosystems. Observe that we have, for any key k and plaintext pt, Dk(Ek(pt)) = Dk(ct) = pt .

We now make some over-all remarks about cryptanalysis. We begin by emphasizing the following principle. Golden Rulefor Designers ofCryptosystems: Never underestimate the cryptanalyst.

1.1 Cryptosysterns and Cryptanalysis

7

The golden rule should be applied to all activities of the cryptanalyst: spying information in advance, inventing methods of attack, computing effectively, etc. As regards the advance information, we apply the following convention in the sequel: the cryptanalyst knows the cryptosystem used. This is reasonable also because of the following reason. Even if the cryptanalyst has to tryout a few cryptosystems, the complexity of the procedure is essentially the same as when working with one system. Although the cryptanalyst knows the cryptosystem, he/she does not know the key. However, if the number of all possible keys is small, like in the CAESAR system, then all keys can be tried out. (Recall that the cryptanalyst has excellent computing facilities!) This means that a cryptosystem with a small number of keys is useless in practice. However, such systems are sometimes still useful for illustrating specific points, as is the case in this exposition. The essential condition for a cryptosystem to be good is that it is intractable to recover the plaintext pt from the cryptotext ct without knowing the decryption method Dk • We now discuss in more detail the possible initial setups for the cryptanalyst. We mention below four basic setups. Some symmetric modifications of them are also possible, as well as some combinations of the basic setups. They will not be discussed below. Recall, however, that in each setup the cryptanalyst is assumed to know the cryptosystem used. Setup (i): Cryptotext Only. Here the cryptanalysis has to be based on only one

sample of cryptotext. For the cryptanalyst it is always better that the sample is longer. In simple systems, such as CAESAR, even short samples will suffice because usually only one key will produce meaningful plaintext. In more complicated systems long samples of cryptotext are necessary. Efficient cryptanalytic methods can be based on statistical information concerning the plaintext language, for instance, information about the frequency of individual letters in English. Examples will be given later on. Setup (ii): Known Plaintext. Here the cryptanalyst knows in advance some pairs (pt, Ek(pt)). The knowledge of such pairs may essentially aid the analysis of the given cryptQtext ct. A very simple example is again CAESAR: any pair of any

length gives away the key. Setup (iii): Chosen Plaintext. The cryptanalyst knows also now in advance some pairs (pt, Ek(Pt)). However, pt has now been chosen by the cryptanalyst. In situations where the cryptanalyst has definite conjectures about the key, it is clear that this setup is essentially better than (ii). On the other hand, this setup (iii) is likely to be realistic at least in such cases where the cryptanalyst has the possibility of masquerading himself or herself as an authorized user of the information system in question.

Before discussing setup (iv), we give an example of a cryptosystem where the initial setup (iii) often gives much better possibilities for the cryptanalyst than the initial setup (ii).

8

1. Classical Two-Way Cryptography

Example 1.2. The cryptosystem is based on linear algebra and has been quite important historically. It is originally due to Hill. The plaintext and cryptotext spaces are both equal to 1:*, where 1: is the English alphabet. We number the letters in the alphabetic order: A gets the number 0, B the number 1 and Z the number 25. All arithmetic operations are carried out modulo the total number ofletters: 26. This means that 26 is identified with 0, 27 with 1, 28 with 2, and so forth. We choose an integer d セ@ 2. It indicates the dimension of the matrices involved. In the encryption. procedure, d-tuples of letters of the plaintext are encrypted together. In what follows d will be 2. Let now M be a d-dimensional square matrix. The entries of M are integers between 0 and 25. Furthermore, M is assumed to be invertible in our arithmetic, that is, M- 1 exists. For instance,

M

(3 3)

= 2 5

and

M

-I

(15 17)9·

= 20

Recall that arithmetic is carried out modulo 26. This implies that we have, for instance, 2' 17 + 5' 9 = 79 = 1 + 3' 26 = 1 , as we should, the number being on the main diagonal of the identity matrix. The encryption is carried out by the equation MP=C,

where P and Care d-dimensional column vectors. More specifically, each d-tuple of plaintext letters defines the vector P where the components are the numerical encodings of the letters. Finally, C is again interpreted as a d-tuple of cryptotext letters. For instance, the plaintext HELP defines the two vectors

From the equations MP 1

=

G)

= C 1 and

MP2

= cセI@

= C2

we obtain the cryptotext HIA T. Consider now the world of our cryptanalyst. Assume the cryptanalyst has guessed that d = 2. He has to find the matrix M or, better still, the inverse M - I. For this purpose he chooses the plaintext HELP and learns that the corresponding cryptotext is HIA T. This choice of the plaintext was good because of the following reasons. The cryptanalyst knows that

1.1 Cryptosystems and Cryptanalysis

9

This can be written in the form

M=G 0)(7 11)-1 (7 19

=

4 15

0)(19 19) (3 3) 8 19 14 21 = 2 5 .

The inverse M- 1 is immediately calculable from M. Anything can be decrypted using M- 1 •

!!)

The point in these calculations is that the inverse Hセ@

-1

exists. On the other

hand, our cryptanalyst chose the plaintext HELP giving rise to the matrix

G!!).

Thus, he has to make the choice in such a way that the resulting matrix is invertible. Assume now that the cryptanalyst is working under different preconditions: the initial setup is "known plaintext." More specifically, the cryptanalyst knows CKVOZI is the cryptotext corresponding to the plaintext SAHARA. Although we have here a longer sample of text than before, the information obtained is still much less. Indeed, the plaintext-cryptotext equations are now

No invertible square matrix can be formed of the three column vectors appearing as coefficients of M. The cryptanalyst finds out that any invertible square matrix

M'=G ;) can be the basis of the cryptosystem because it encrypts SAHARA as CKVOZI. Thus, the cryptanalyst might settle for the matrix

M'=G !)

whose inverse is

( ')-1

M

=

(1 25) 24



The cryptanalyst is ready for a cryptotext. He/she receives the text NAFG. The cryptanalyst now computes

( 1 25)(13)° (13)° d (1 25)(5) (25) 24

3

=

an

24

3

6

=



The two column vectors give rise to the plaintext NAZI. However, the legal user knows the original M and its inverse and computes

gセ@

QセIc@

getting the plaintext NAVY.

= cセI@

and

gセ@

QセIg@

=

G!),

10

1. Classical Two-Way Cryptography

Our cryptanalyst made a rude error which may lead to an entirely false

D セエゥッA@

We still continue our list of possible initial setups for the cryptanalyst. Setup (iv).' Encryption Key. The cryptanalyst knows the encryption method Ek and tries to find the corresponding decryption method Dk before actually receiving any samples of cryptotext. Setup (iv) is very typical for public-key cryptosystems. The encryption method Ek might have been made public much in advance, and it might take several months before Ek is used to encrypt important messages. Thus, the cryptanalyst usually has plenty of time for preprocessing, whereas he/she is in a hurry when a message arrives. Anything accomplished in the period when "time is cheap" is especially valuable. In some public-key cryptosystems it is not possible to construct Dk from Ek alone, because it is not possible to recognize the correct Dk among several candidates. Some text samples are needed for this purpose. In some other public-key cryptosystems Dk can be found from Ek by extremely good luck, for instance, by guessing two large primes from their product.

1.2 Monoalphabetic Systems This chapter discusses classical cryptosystems, in contrast to public-key cryptosystems. The chapter constitutes the background necessary for the main parts of the book. While presenting this background, the two worlds of cryptography are taken into account. Recall the difference between classical and public-key cryptosystems. In a classical cryptosystem the decryption key Dk can be easily computed from the encryption key Ek, whereas in a public-key cryptosystem Ek can be safely publicized without compromising the secrecy of D k • For this reason, classical systems are also often referred to as symmetric or two-way, and public-key systems as nonsymmetric or one-way. Let us first discuss some general issues. So far we did not comment at all on requirement (iii) for a good cryptosystem, proposed by Sir Francis Bacon: the cryptotext should be without suspicion, that is, innocent looking. That this requirement is not important any more is due to the fact that nowadays both plaintext and cryptotext are ordinarily sequences of bits, incomprehensible at first sight. A sequence of bits does not usually look more innocent than another sequence! However, this requirement was often taken into account in the past. The best method is garbage-in-between. The actual message (encrypted or not) is supplemented by "garbage letters" that are quite irrelevant for the actual message but still make the whole thing look like something innocent.

1.2 Monoalphabetic Systems

11

123 4 5 6 7 8 9 ill 1 2 3

4 5 6 7 Fig. 1.3

Richelieu used sheets of cardboard with holes. Only the letters visible from the holes were significant. Both the sender and receiver had identical sheets. One such sheet is depicted in Fig. 1.3. The sheet covers a passage of text in the shape of a rectangle with seven rows and ten columns, altogether 70 characters of text. For longer passages the sheet has to be applied several times. Thus, the holes are in positions (1,8), (2,9), (3,6), (4,5), (4,6), (5,1), (5,6) , (5,7), (5,9), (6,2), (6,10), (7,9), (7,10) . The following looks like an innocent love letter: I I

V E H A V E L 0

D E E P

Y 0

U

Y 0

U

U N D E R

S K I V E L F 0 R E V E H Y P E R S

MY

M Y

N

L 0

A S T S R

I N

PAC E

However, when making use of the cryptosystem RICHELIEU in the sense of the sheet of Fig. 1.3, one gets the sinister command YOU KILL AT ONCE. There are many classifications of cryptosystems, some of which will now be mentioned. The principles of classification do not refer to the quality of cryptosystems (good or bad) but rather to the intrinsic properties in their design. A very old classification is into systems of substitution and permutation, often called also transposition. For instance, [Ga] speaks of substitution ciphers and transposition ciphers. In the former, the plaintext letters are replaced with substitutes. The substitutes are kept in the cryptotext in the same order as their originals in the plaintext. If the use of substitutes remains unaltered throughout the text, the cryptosystem is called monoalphabetic. This term reflects the idea that there is only one sequence of

12

1. Classical Two-Way Cryptography

substitute letters: every plaintext letter is represented everywhere by the same substitute. If the plaintext is some natural language, cryptanalysis can always be based on the statistical distribution of letters. Examples will be seen below. Monoalphabetic substitution systems are to be contrasted with polyalphabetic ones: the use of substitutes varies in different parts of the plaintext. We return to polyalphabetic cryptosystems in Section 1.3. Most of the customary cryptanalytic methods deal with polyalphabetic systems. In a permutation (or transposition) cryptosystem the plaintext letters are rearranged. This is too simple as such, so permuting the order has to be combined with some other idea. The following is an example of a permutation system. The plaintext is divided into blocks of three letters each. In each block the letters are permuted in such a way that the first letter becomes third, and the second and third letter move one step ahead. For instance, the plaintext LETUSGOTOFRANCE becomes ETLSGUTOORAFCEN. (Recall that we often ignore the space between individual words.) This Section 1.2 discusses mono alphabetic systems. We are dealing with the English alphabet. Thus, each letter A, B, C, ... ,Z is replaced by a substitute Xl' X 2 , X 3 , . . . ,X 26 everywhere in the plaintext. The substitutes have to be different among themselves but they may include letters not belonging to the English alphabet. The extreme case is where they are some entirely different characters. For instance, consider the following arrangement: A:

B:

C:

J.





S

T

U

D:

E:

F:







V

W

X

G:

H:

I :

p.

Q.



Y

Z

The lines surrounding each letter together with the dots (two, one or zero) indicate the substitute for the letter. Thus, the plaintext WE TALK ABOUT FINNISH SAUNA MANY TIMES LATER will be encrypted as

ditjuセlMNZcイ@ {jイZセiャMNl]@ iuイZ]j{セlQM At a first look there seems to be rather little we can say about monoalphabetic systems. If the plaintext is English or some other natural language, statistical analysis will break the system. Whenever the sample is long enough, one knows that the most frequent character in the cryptotext represents the most common letter in the natural language, and so forth. It usually suffices to find out a few

1.2 Monoalphabetic Systems

13

letters in this fashion and guess the rest of them. On the other hand, if the plaintext space is .P, where 1: is the English alphabet, and no additional information is available then cryptanalysis of a mono alphabetic system is impossible. There is no way of finding the correspondence between the plaintext letters and their substitutes: all correspondences are equally likely. In fact, in this case the monoalphabetic encryption is merely an encoding; the true encryption took place when meaningful messages were translated (with an even distribution) onto words of 1:*. Such a first look misses some important points. In fact, much can be said about mono alphabetic systems. The crucial question concerns key management: everything breaks down if the correspondence between original letters and their substitutes (that is, the key) becomes known. Therefore, the key should not be available anywhere, neither in written form nor in computer memory. The sender and receiver have to memorize the key. Different ways of doing this have led to different mono alphabetic systems. Let us now have a look at some of them. We already talked about CAESAR in Section 1.1. The substitute of a letter is obtained by moving k steps ahead in the alphabet. In CAESAR and other similar systems the natural numerical encoding will be used: ABC

D

E

F

G

H

I

J

K

L

M

o

3

4

5

6

7

8

9

10 11

12

1

N 0

2

P Q R STU V W X Y Z

13 14 15 16 17 18 19 20 21 22 23 24 25 Thus, according to CAESAR, each letter IX becomes IX + k. All arithmetic in this context is carried out modulo 26. Neither the encoding nor decoding (from numbers to letters) are intended for actual encryption. The number of all possible keys in CAESAR is very small. Another great disadvantage from the point of view of security is that the alphabetic order remains the same also in the sequence of substituted letters; only the initial position changes. The affine cryptosystems studied below do not possess this disadvantage. Interlude: Old Times. Julius Caesar tells in his De Bello Gallico how he sent an encrypted message to Cicero. The substitution system used was monoalphabetic, however, it was not CAESAR: the Latin letters were replaced by Greek ones in a way that is not clear from Caesar's writing. The information that Caesar actually used the cryptosystem CAESAR comes from Suetonius. In fact, according to Suetonius, the shift in the alphabet was three letters. No written documentation exists about Caesar using other shifts. CAESAR is not the oldest cryptosystem. Perhaps the oldest known cryptosystem is due to the Greek historian Polybios who died thirty years before Caesar was born. It is not known whether Polybios used his system for cryptographic purposes. We describe the system for the English alphabet from which J is omitted.

14

1. Classical Two-Way Cryptography

Consider the following square, nowadays often called the Polybios checkerboard: B

C

D

E

A B F G L M Q R V W

C H N S X

D I

E K P U Z

A A B C D E

0 T Y

Each letter IX will be represented by the pair of letters indicating the row and column in which IX lies. Thus, the representations of K, 0 and T are BE, CD and DD, respectively. The plaintext LETUSGOTOSAUNA is encrypted as CAAEDDDEDCBBCDDDCDDCAADECCAA. In our terminology, the Polybios system is a monoalphabetic substitution into the target alphabet {AA, AB, ... , AE, BA, ... , EE} of 25 letters. The art of steganography (hiding a message) is often used together with cryptography. For instance, an encrypted message may be written using invisible ink. The most famous historian, Herodotos, does not tell anything about cryptosystems in our sense but has several stories about "crypto-steganography." Here is one of them. Histaios and his son-in-law, Aristagoras, had agreed in advance that a message consisting of a few dots means: Aristagoras should revolt against Persia. When Histaios actually wanted to send such a message to Aristagoras, he observed that the territory between them was heavily guarded. Histaios then let shave the head of his most trusted slave, wrote the dots thereon, and waited for the hair to grow again. When this had happened he set the slave off, with this message to Aristagoras: "Shave my head!" The story tells us also that in those days cryptographers had much more time than nowadays. 0 An affine cryptosystem is determined by two integers a and b, where 0 セ@ a, b セ@ 25 and, furthermore, a and 26 are relatively prime. The substitute for the letter IX will be alX + b. Here we work with the numerical encodings of the letters and, as before, arithmetic is carried out modulo 26. For instance, if a = 3 and b = 5 then the numerical encodings are mapped as follows: old: 01 2345678910111213141516171819202122232425 new: 581114172023036 91215182124 1 4 7101316192225 2 When decoded into letters, the mapping is as follows: old: セfiloruxadgjmpsvybehknqtwzc@

ABC D E F G H I J K L M N 0 P Q R STU V W X Y Z

1.2 Monoalphabetic Systems

15

The plaintext NOTEVERYSTEAMBATHISSAUNA is encrypted as SVKRQREZHKRFPIFKADHHFNSF. The requirement of a and 26 being relatively prime assures that the mapping f(a.) = aa. + b is one-to-one. If we are dealing with the mapping lOa. + 1, where this requirement is not satisfied, then A and N are both mapped into B and, hence, B can be decrypted both as A and N. On the other hand, no numerical encoding is mapped into 0 and, hence, 0 does not occur at all in the alphabet of substitutes. It is easy to find all pairs of letters mapped into the same letter, as well as all letters not occurring in the alphabet of substitutes. We now enter again the world of the cryptanalyst.

Example 1.3. The English plaintext is divided into blocks of five letters each and then encrypted using an affine system. The empty spaces between words in the English plaintext are ignored. This goes for punctuation as well. Then the following cryptotext results. B H J U H

N B U L S

v

ONUUN

B W N U A

X USN L

U Y J

W X R L K

G N BON

UUNBW

S W X K X

H K X 0 H

U Z 0

L K

X B H J U

H B N U 0

NUMHU

G S W H U

X M B X R

W X K X L

U X B H J

U H C X K

X A X K Z

S W K X X

L K 0

J

K C X L C

MXONU

U B V U L

R R W H S

H B H J U

HNBXM

B X R W X

K X N 0

Z

L J B X X

H B N F U

B H J U H

L U S W X

G L L K Z

L J

P H U

U L S Y X

B J K X S

WHSSW

X K X N B

H B H J U

HYXWN

U G S W X

G L L K

L

U L R U

SLY X H S S

Before making any specific cryptanalytic attacks, we want to make several remarks of a general nature. All our examples are too small from the point of view of realistic cryptography. The text samples are too short and the numbers involved too small. The reason is simply that if we try to depict real-life situations, then the presentation becomes unreadable. On the other hand, small examples illustrate key issues and important methods and principles often as well as bigger realistic examples. How many possible keys does an affine system have? Every key is completely determined by the integers a and b, defining the mapping aa. + b. There are 12 possible values for a: 1,3,5, 7, 9, 11, 15, 17, 19,21,23,25. There are 26 possible values for b. They can be used independently of the values of a, except that the case a = 1, b = 0 is excluded. This gives altogether 12·26 - 1 = 311 possible keys. Checking through all the 311 keys is computationally easy and, hence, cryptanalysis is straightforward. However, we want to simplify this exhaustive search. Such a simplification is of crucial importance in more involved cryptanalytic tasks.

16

1. Classical Two-Way Cryptography

The basic cryptanalytic attack against substitution systems begins with a frequency count: the number of occurrences of each letter in the cryptotext is counted. The distribution of letters in the cryptotext is then compared with the distribution of letters in the plaintext language, for instance, English. The letter with the highest frequency in the cryptotext is likely to be the substitute for E, the letter with the highest frequency in English, and so forth. The likelihood grows with the length of the cryptotext. Various tables have been compiled to give information about the distribution of letters in English, as well as in other natural languages. It is to be emphasized, however, that none of these tables contains conclusive information. Even the order of letters, as regards their frequency, varies from table to table. The distribution of letters depends very much on the type of text: ordinary prose, slang, technical, telegraphic, etc. No table can conceivably take into account all types of texts! Still, some things are common for all tables describing English. The letter E always tops the frequency list, with T being second. Almost always A or 0 is in the third position. Moreover, always the same nine letters E, T, A, 0, N, I, S, R, H have a frequency higher than any other letters. These particular letters will make up about 70% of English text. The reader is invited to write a reasonably long English passage, where the high-frequency letters do not constitute a majority! As regards positional frequency, the letter A, I, H do not often end a word, whereas the letters E, N, R appear far less frequently in the initial than in the final position. The remaining letters in the high-frequency class, T, 0, S, appear frequently both as initial and final letters. Such considerations concerning positional frequency are, of course, irrelevant for the particular example we have to break because the block division of the plaintext destroys initial and final positions. In the following table the letters of the English alphabet are ordered according to their frequency. The percentage is also indicated for each letter. The figures are from [Ga].

We know that in our example the plaintext is in English. However, for the sake of comparison, the most frequent letters in different languages are listed in the following table.

1.2 Monoalphabetic Systems

English

%

A I T N E S L 0 K

Italian

%

Spanish

E A I 0 N L

11.79 11.74 11.28 9.83 6.88 6.51 6.37 5.62 4.98

E A 0 S N

E N I

H

French

%

R

E A I S T N R

U L

Finnish

18.46 11.42 8.02 7.14 7.04 5.38 5.22 5.01 4.94

12.31 9.59 8.05 7.94 7.19 7.18 6.59 6.03 5.14

E T A 0 N I S

%

German

R

S A T U

0

15.87 9.42 8.41 7.90 7.26 7.15 6.46 6.24 5.34

R

T S

R

I L

D

17

% 12.06 10.59 9.76 8.64 8.11 7.83 5.86 5.54 5.20

% 13.15 12.69 9.49 7.60 6.95 6.25 6.25 5.94 5.58

Observe that the letters of INSEA appear in the high-frequency class in each language! All of these more general remarks have been appropriate in this first longer cryptanalytic example. We now return to our cryptotext, counting first the number of occurrences of each letter: High:

Middle: Number

Number

X U H B L N K S W

32 30 23 19 19 16 15 15 14

Low:

J

11

0

6 6 5 4 4 4 3 2

R

G M Y

Z

C A

Number

0 V F P E I Q T

2 2 1 1 0 0 0 0 6 = 2.56%

183

= 78.21 %

45

= 19.23%

1. Classical Two-Way Cryptography

18

The frequency of the letters X, U, H, B, L, N, K, S, W is even higher than the frequency of the letters E, A, T, 0, N, I, S, R, H. The former letters are likely to be substitutes for the latter. Since we are dealing with an affine system, it suffices to find correct substitutes for two letters. We make a try with the two most frequent letters: X is the substitute for E, and U for T. The affine system maps every numerical encoding IX to alX + b. Hence 4a

+ b == 23

and

19 a

+ b == 20 ,

where the congruences are modulo 26. These congruences yield unique values for a and b:

a = 5 and b = 3 . For the mapping 51X into plaintext.

+ 3, we

get the following translation table from cryptotext

Crypto

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Plain

PKFAVQLGBWRMHCXSNIDYTOJEZU

Applying this table to our cryptotext, we start getting the following plaintext: KGWTG

CKTMD ...

This nonsense does not look very promising. English should have also some vowels! Let us make another try. We still assume that the most frequent letter E is mapped to the most frequent letter X. But instead of the second highest frequencies, we now consider the third highest: assume that A is mapped into H. This gives the congruences 4a

+ b == 23 and

b == 7 .

There are two solutions for a: a = 4 and a = 17. However, the former is illegal and thus the mapping must be 171X + 7. The translation table is now Crypto

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Plain

VSPMJGDAXUROLIFCZWTQNKHEBY

1.2 Monoalphabetic Systems

19

This gives the plaintext S A UNA

I

S NOT

KNOWN

T 0 B E A

FIN N

I

S H I N V

E N T I 0

N BUT T

HEW 0

R

DIS F

I

N N

ISH

THE R E

ARE M A

N Y M 0

R

E S A U N

A SIN F

I N LAN

D T HAN

E L SEW

HER E 0

N E S A U

NAP E R

EVE R Y

T H R E E

o

R P E 0

L E FIN

N

A S A U N

A I

S E L

SEW H E

o

A S

I G N

S A UNA

U CAN

NOT B E

R F 0

U

WWHAT REI

o

F

Y

NTH E

P

USE E

D 0 0

R Y

o

SUR E T

HAT T H

ERE

I

ABE H I

N D THE

D 0 0

R

S

S K N 0

A S A U N

Much better! Let us still write this with ordinary spacing and punctuation: Sauna is not known to be a Finnish invention but the word is Finnish. There are many more saunas in Finland than elsewhere: one sauna per every three or four people. Finns know what a sauna is. Elsewhere if you see a sign "sauna" on the door, you cannot be sure that there is a sauna behind the door. The reader might want to verify that the letters in the high-frequency class are exactly what they should be, whereas the plaintext letters C and M from the middle class have been interchanged with the letters B and V from the low class. This is no wonder because in a plaintext of length 234 the average expected frequencies of these letters range from 2 to 7. In this range, a small change to the expected values can be caused only "locally" by one or two specific words. A final word about the contents of the plaintext should be added. The cryptanalyst is not supposed to know that many of our examples deal with sauna. Otherwise, he/she might simply try SAUNA for the repeating letter combination BHJUH! 0 This concludes our discussion about affine systems, both from the point of view of cryptosystems and cryptanalysis. Although practical a few centuries ago, affine systems are today used only to illustrate certain basic cryptographic issues. A mathematically natural generalization of affine systems are the polynomial cryptosystems: instead of a linear function f(rx.) = arx. + b we choose an arbitrary polynomial function. However, polynomial systems are of very minor cryptographic interest. Recall that the main motivation for affine systems is key management: we want to represent the encryption and decryption key in a compact form. The key consists always of a sequence of 26 letters. The representation in terms of a polynomial might be as complicated as the obvious representation in terms ofthe sequence itself.

20

1. Classical Two-Way Cryptography

We discuss next another mono alphabetic system, called the KEYWORDCAESAR. Choose first a number k, 0 :::;; k :::;; 25, and a word or a short sentence, referred to as the keyword. All letters in the keyword should be distinct. Let us choose the keyword HOW MANY ELKS and the number 8. The keyword is now written below the alphabet, beginning from the letter whose numerical encoding is the chosen number:

o 8 25 ABCDEFGHIJKLMNOPQRSTUVWXYZ HOWMANYELKS The remaining letters are written in the alphabetic order after the keyword: ABCDEFGHIJKLMNOPQRSTUVWXYZ PQRTUVXZHOWMANYELKSBCDFGIJ We now have the substitutes for each letter. The plaintext ERROLFL YNN is encrypted as UKKYMVMINN. It is not necessary to require that the letters of the keyword be distinct. We may simply write the keyword without repetitions. For instance, the keyword ENGLAND EXPECTS EVERY MAN TO DO HIS DUTY and the number 2 yield the translation table: ABCDEFGHIJKLMNOPQRSTUVWXYZ WZENGLADXPCTSVRYMOHIUBFJKQ The number of keys in KEYWORD-CAESAR is large. Although it might be impossible to find keywords for all of the 26! possible orders of the letters, this can be accomplished for substantially big subclasses. We now again take the cryptanalyst's point of view. Example 1.4. KEYWORD-CAESAR (possibly with repetitions in the keyword) was used to produce the following cryptotext, where also the original spaces between plaintext English words were preserved

T Q

IVD ZCRTIC FQNIQ TU T F XAVFCZ FEQXC PCQUCZ WK FUVBC FNRRTXTCIUAK WTY Q DTUP MCFECXU UV UPC BVANHC VR UPC FEQXC UPC FUVBC XVIUQTIF FUVICF NFNQAAK VI UPC UVE UV UQGC Q FQNIQ WQUP TU TF QAFV ICXCFFQMK UPQU UPC FUVBC TF EMVECMAK PCQUCZ QIZ UPQU KVN PQBC UPC RQXTATUK VR UPMVDTIY DQUCM VI UPC FUVICF

1.2 Monoalphabetic Systems

21

Frequency count yields the following distribution among the 241 letters. High:

Middle:

Number V C Q F V P T I A

32 31 23 22 20 15 15 14 8

Low:

Number X K N E M R B Z D

8 7 7 6 6 6 5 5 4

Number W Y G H J L 0 S

3 2 1 1 0 0 0 0 7 = 2.90 %

180 = 74.69 %

54

= 22.41 %

Comparing the frequency of A with the frequencies in the middle group, we see that any letter in the middle group can be among the high-frequency letters E, T, A, 0, N, I, S, R, H. Moreover, the frequencies at the low end do not give much information, especially because the text is short. However, we can start with the high-frequency letters other than A. A couple of tries will give the right choice, after which the remaining letters, few in number of occurrences, can be fitted in their proper places. However, there is an obvious shortcut than makes the cryptanalytic task very easy. This shortcut demonstrates how dangerous it is to preserve the original plaintext spacing in the cryptotext. The cryptotext contains the one-letter words T and Q. They must be A and I. Since T occurs once and Q three times, it is likely that T is I and Q is A. It becomes almost sure when we look at the frequency count concerning T and Q. The three-letter word VPC occurs seven times, whereas the other three-letter words occur only once. VPC must be THE, this conclusion being marvellously confirmed by the frequency count. We can now decrypt the letters C, P, Q, T, V in the high-frequency group. The continuation is easy. From the words TV TF (occurring twice!) we learn that F is S, and from the word VV that V is O. The word VI and the fact that I has high frequency tell us that I is N - the assumption that I is R is refuted by the word XVIVQTIF. After decrypting eight of the nine high-frequency letters, we have lots of words in the cryptotext with only one unknown letter. This leads to the decryption of the remaining letters, one by one. The decryption table is: Crypto Plain

ABC D E F G H I J K L M N 0 P Q R S T V V W X Y Z L V E W P S K M N ? Y ? R V ? H A F ? ITO B C G D

We write the plaintext using also punctuation.

22

I. Classical Two-Way Cryptography

I now define sauna. It is a closed space heated by a stove sufficiently big with respect to the volume of the space. The stove contains stones, usually on the top. To take a sauna bath it is also necessary that the stove is properly heated and that you have the facility of throwing water on the stones. We transform the decryption table into an encryption table by arranging the plaintext letters in the alphabetic order. Plain Crypto

ABCDEFGHIJKLMNOPQRSTUVWXYZ QWXZCRYPT?GAHIVE?MFUNBD?K?

Hence, the keyword is CRYPTOGRAPHY GIVES ME FUN, starting from position 4. The letters J, Q, X, Z missing from the plaintext should be encrypted as 0, S, J, L, respectively. We note, finally, that the English high-frequency letter R is 0 missing from the class of high-frequency letters of our plaintext. The simplest defense against attacks based on frequency counts is provided by the cryptosystem HOMOPHONES. This system is not any more monoalphabetic: plaintext letters have several substitutes. The number of substitutes is proportional to the frequency of the letter. Thus, the English letter E should have 3 substitutes for each substitute of the letter L, and 123 substitutes for each substitute of the letter J. To encrypt an occurrence of a letter, we pick at random one of its substitutes. (We follow the distribution tables in Example 1.3.) Thus, the encryption method is not a function. The substitutes (often called homophones) might be three-digit numbers from 000 to 999. We assign E randomly 123 of these numbers. J and Z get both one number, and Band G both 16 numbers. The nine letters in the high-frequency class get altogether 700 numbers. If the homophones are assigned randomly to different occurrences of the same letter, every homophone is equally likely to appear in the cryptotext. Hence, simple frequency count does not buy the cryptanalyst anything. However, information is available also about the distribution of pairs of letters and triples of letters in various natural languages. Cryptanalysis based on such information might still be successful.

1.3 Polyalphabetic and Other Systems Recall that a cryptosystem is called monoalphabetic if the use of substitutes remains unaltered throughout the text. Monoalphabetic systems are to be contrasted with polyalphabetic ones: the use of substitutes varies in different parts of the plaintext. But are the substitutes used for individual letters or, say, pairs of letters? Clearly, it is only a matter of definition if one operates with a basic alphabet whose elements are ordered pairs of English letters. If the substitute for such a pair is always the same, we call the system monoalphabetic.

1.3 Polyalphabetic and Other Systems

23

In Section 1.2, our examples of a monoalphabetic substitution dealt with individual letters and substitutions for them. Thus, the systems were monoalphabetic in a very strict sense. We now consider a cryptosystem based on substitutions for pairs of letters, where the substitute for each pair remains the same throughout the text. Such a cryptosystem can be viewed as monoalphabetic "in a wider sense." Later on in this section we discuss polyalphabetic systems: they are not monoalphabetic even in a wider sense. Recall Hill's system discussed in Example 1.2. If the dimension ofthe matrices is two, we encrypt pairs of letters. Although the letter A may be encrypted differently in different parts of the plaintext, pairs such as AL will be encrypted in the same way, provided the distance of the pair from the beginning of the plaintext is even. The occurrences of AL in the plaintexts FISCAL and ALMOST are encrypted in the same way, whereas the occurrence in CALL is likely to be encrypted differently because AL does not appear as a block in the block division. In any case, Hill's system is mono alphabetic in the wider sense. Simple frequency count will not be sufficient for cryptanalysis. More sophisticated frequency counts, such as statistical analysis of pairs of letters, will be needed. This problem will be discussed in Example 1.5. The system we want to discuss now is PLA YF AIR, named after Baron Playfair of St. Andrews. The letter of the English alphabet, with J omitted are arranged in a 5 x 5 square, for instance: S Y D W Z RIP U L

H C A X F T N 0 G E B K M Q V The square is the basis for encryption (and decryption) according to the following rules. (i) The plaintext is divided into blocks consisting of two letters each. It is taken care ofthat no block contains two occurrences of the same letter and that the text is of even length. If this is not the case originally, the text has to be modified. Perhaps even an irrelevant spelling error has to be implemented. For instance, ALL MEN is a legal plaintext with block division AL LM EN, whereas KISS ME and WHERE ARE YOU do not satisfy our rules. The former has a double letter in the block division, and the latter is of odd length. (ii) We know that each plaintext block consists of two distinct letters. The encryption of a block happens as follows, using the square. If the two letters are not in the same row or column, for instance A and E, then we look at the corners of the rectangle determined by the two letters, in our case A, F, 0, E. The pair AE is mapped into FO. The order in FO is determined by the condition that F is in the same row as A and 0 in the same row as E. Similarly EA is mapped into OF, OF into EA, SV into ZB, RC into IH, and TL into ER. If the two letters are in the same row (resp. column), we go one step to the right (resp. below), and do this cyclically.

24

1. Classical Two-Way Cryptography

Thus, HA is mapped into CX, WX into UG, CA into AX, DM into PD, and RL into JR. Let us now try to encrypt the plaintext CRYPTO ENIGMA. (The cryptosystem used by the German military forces in the Second World War was based on the ENIGMA machine.) The block division of the plaintext is: CR YP TO EN IG MA . We observe that CR, YP and IG go to HI, DI and UN, respectively. Here we are dealing with the rectangle rule. The pairs TO and EN lie in the same row and go to NG and TO, respectively. Finally, the pair MA lies in the same column and goes to DO. Thus, the entire cryptotext will be HIDING TO UNDO. Our square is able to work with semantics marvellously! It does not make any difference for a Playfair square if some columns are transferred from one side to the other, or some rows from top to bottom. Only the cyclical order of rows and columns has to be preserved. The reader may verify that the square P U L R I

A X F H C

o

GET N MQVBK D W Z S Y is equivalent to our original square, that is, both squares encrypt any plaintext in the same way. Our rules for the PLA YF AIR system are by no means the only possible ones. Double letters in the plaintext can be handled differently, for instance, by inserting a specified letter (often Q) in-between. The 5 x 5 rectangle may be replaced by a 4 x 6 or 3 x 9 rectangle, with the corresponding change in the size of the alphabet. Also a pair lying in the same row (resp. column) can be encrypted as the pair lying immediately beneath (resp. to the right), cyclically. We emphasized in Section 1.2 that the main motivation for systems such as KEYWORD-CAESAR is key management: instead of an arbitrary permutation of 26 letters, we have a simple way of representing the key. Such a simple respresentation is desirable also for the PLA YFAIR system. Rather than having to remember a 5 x 5 square of letters, we want something simpler. Keywords are useful also for PLA YF AIR. We choose a keyword with no two occurrences of the same letter. We begin the square with the keyword, after which come the remaining letters (except J) in the alphabetic order. Thus, the keyword HOW MANY ELKS yields the square H OWMA N Y E L K S B C D F G I P Q R T U V X Z We are again ready to enter the world of the cryptanalyst. We do this in terms of a longer example.

1.3 Polyalphabetic and Other Systems

25

Example 1.5. The famous detective Brother White was investigating the mysterious disappearance of the Texan multimillionaire J.R. Oil. JR had just vanished without leaving any trace. By some ingenious deductions that are of no concern for us, Brother White was able to find an encrypted letter with the following text:

QN IH PS YF

QN KA MC HC XT 01

MC

PF

LK XR CB EF EU 1L

FS HA

TU SO

AK

MC AK MC

VK

I F

SM QN NX

LQ

FL

YO

MS

SB IQ

1E

MC

T I

I E

QN

BM

WO

OF FT AB

REI V FT OX QE 1V

QN

FX

MB

YF

WE

BA

1T X 1 MB

FM QN NX FM

AQ

AK

QN

MX

ZU

FY

RX AE SN

NV OW AH

OR FT

RB LR

QN

QL

QI

QN AK FM

OS FO SA QE

VK XM

RZ

FT 1T FT

CM

MC QN

HC

1T

QN

OT OF

1F

LT BQ

SM

IQ FL FS

MF

CM QM NX

ST

AQ

QN QM

LT T 1 SN

QN QA

FX BA

XM

ML P 1 OF GS FG AB NO LH

SM UO

LN FY XC

BQ I T TF

MX

SM

RO

I T

KA AK 01 OS RA NC TW AR

VA LN VA FM

WA AR OK FK

OY

Brother White went to sauna. He had learned that sauna heat opens the veins in his brain, after which he thinks very clearly. According to his experience, the most difficult problems were "three sauna" problems, whereas he thought this problem would be cracked during one sauna session. Together with the encrypted letter, Brother White had found a beautifully ornamented silver key. The length of the key was exactly three inches. Brother White knew J.R. Oil as an enthusiastic sportsman. Fair play was one of the issues JR always emphasized. There it was! PLA YF AIR with a key of length three! Brother White was now sure he could decrypt the letter. After coming back from sauna, Brother White looked into his notes about the distribution of pairs of letters, digrams. In English, the most frequent digrams, [Ga], are: TH IN E R R E AN

HE

6.3 %

AR

3.1 % 2.7 % 2.5 % 2.2 % 2.2 %

EN T I T E AT ON

2.0 2.0 2.0 1.9 1.8 1.7

% % % % % %

HA OU I T E S ST OR

1.7 1.4 1.4 1.4 1.4 1.4

% % % % % %

26

1. Classical Two-Way Cryptography

Although irrelevant for the present problem, Brother White also observed the most common digrams in other languages.

German: EN ER CH DE GE EI IE IN NE ND BE EL TE UN ST DI NO UE SE AU Finnish: EN T A IS IN ST AN IT SI AA IT LL TE SE AI KA SA VA LI AL TI French: ES EN OU DE NT TE ON SE AI IT LE ET ME ER EM 01 UN QU Italian: ER ES ON RE EL EN DE DI TI SI AL AN RA NT TA CO Spanish: ES EN EL DE LA OS AR UE RA RE ER AS ON ST AD AL OR TA CO Brother White took notice that he had statistics about trigrams, tetragrams and reversible pairs in different languages. He also knew quite a bit about the distribution of vowels and consonants, as well as about the likelihood of a letter to begin or end a word. He realized that PLA YF AIR destroys all information concerning the beginning and end of words. He realized also that he looses some information if he counts the digrams only as they appear in the cryptotext, ignoring digrams coming from different pairs such as NF, SL, KC at the beginning. However, he was fully aware that no digram statistics can be absolute: some statistics include digrams such as LM in CALL ME, whereas some others do not include them, etc. Brother White estimated that he would still have enough information from the frequency count of the digrams just as they appeared in the cryptotext. There are 97 different digrams among the altogether 166 digrams of the cryptotext. 97 represents 16.2% of the all possible 25' 24 = 600 PLA YFAIR digrams. Brother White knew that this is quite normal: even in a much longer text it is unlikely that you get more than 40% of all possible digrams. Most of the theoretically possible digrams never appear in English. The digrams occurring more than three times in the cryptotext are: QN, 13 occurrences, MC, 6 occurrences, AK, 5 occurrences, FT, 5 occurrences, I T, 5 occurrences, FM, 4 occurrences, SM, 4 occurrences,

7.8 %, 3.6 %, 3.0%, 3.0%, 3.0%, 2.4 %, 2.4 %.

Brother White knew that this was only some very preliminary information. He could study also the other pairs, letters forming pairs with many letters, etc. However, he wanted to begin with a direct attack. It seemed clear that QN is the pair TH in disguise. How much could be deduced from this? Figure 1.4 shows the Playfair square Brother White has to fill in. The length of the keyword is three. After the key, all letters follow in the alphabetic order.

1.3 Polyalphabetic and Other Systems

27

I

Key

Fig. 1.4

Thus, TH is mapped into QN. This is not possible if H, N, Q, T are in the same row. The alphabetic order would certainly not be preserved. What about their being in the same column? T has to precede, cyclically, Q and H have to precede N. Because of the alphabetic order, T has to be in the bottom row and Q in the top row. Moreover, the letters U, V, W, X, Y, Z have to follow T, with the exception of the letters appearing in the keyword. This is possible only if two of the six letters mentioned are in the keyword, and T lies in the leftmost column. This means that the square is Q U X A B C D E F G H I K L M

N 0 P R S T V W Y Z

The only possible variation is that, instead of U and X, any two of the letters U, V, W, X, Y, Z may appear after Q in the keyword. The remaining four letters follow T on the bottom row in the alphabetic order. Does this make any sense? Brother White noticed, looking at the other frequent dig rams, that MC would come from HG, FM from GL, and SM from MG. Also AK, FT and IT would come from very unfrequent, if not nonexisting, English digrams. Brother White concluded that the square is not correct and, hence, QN must come from TH via a rectangle. This rectangle must lie in the square after the keyword. Otherwise, it is not possible to preserve the alphabetic order. Hence, the rectangle looks like: H.

N

Q ... T The letters I, K, L, M must be between Hand N, the letters 0, P between Nand Q, and the letters R, S between Q and T. This is said with the reservation that at most three of the in-between letters might be missing because they appear in the keyword. Of course, because of the alphabetic order no other letters than those mentioned can be between the three pairs. Still, H, N, Q, T must form a rectangle. How many ofthe letters I, K, L, M are in the keyword? Less than two is not possible because there are at most two letters

28

1. Classical Two-Way Cryptography

between Q and T. More than two is also not possible because then there would be too many letters in the keyword. Hence, exactly two of the letters I, K, L, M are in the keyword. This implies that exactly one of the letters 0, P is in the keyword. Otherwise, there can be no rectangle. What could such a keyword be? Knowing JR, the answer was obvious for Brother White: the keyword is OIL! Brother White jotted down quickly the square 0 I L A C D E F H KMN Q R S T VWXY

B G P U Z

and started the decryption: TH OK MU TA TH NI HE CO YS BO HE OR EA ET UW NE FR CE EH

ET NO ST RE IN NG AR ME AR WL LP TH RS OT AN AR AN TH SH

1M WS GO DE GS 01 TH TA EN TH MY EN AS RA TM TH TO EY AL

EH SH MY AD HE LP EY XD OT AT SE EX KB CE EU EF LA HA OM

AS OU HE TH RA R I PL AL IN SW LF TM RO ME RG AM AT VE

CO LD AD OS LD CE AN LA TH HY I V ON TH IN EN OU AR NA

ME TH MY EA TH SD AN SC ES IQ AN TH ER CA TL SC ES ME

HE IN HE WF EM OW EW OW UP UI I S SO WH SE Y I I T ID DN

WH KI AR UL OR NI IN BO ER T I HF RY I T YO AM YO EN AV

Brother White wrote the same with the normal punctuation: The time has come. He who knows should think. I must go. My head, my heart are dead. Those awful things herald the morning. Oil prices down. I hear they plan a new income tax. Dallas Cowboys are not in the Superbowl. That's why I quit. I help myself. I vanish for the next months or years. Ask Brother White to trace me in case you want me urgently. I am near the famous city of Rantola at a residence they have named Naveh Shalom.

1.3 Polyalphabetic and Other Systems

29

Brother White knew he had luck with his basic assumptions. However, also his argumentation based on the assumptions had been correct. Good cryptanalyst,just like good goalkeepers, must have also some luck. Brother White considered the case closed. 0 We repeat the main idea behind polyalphabetic cryptosystems. The first letter in the plaintext is encrypted in a certain way, whereas the next letter may be encrypted by a different principle, and so forth. Thus, the letter A may be encrypted in many ways; the substitutes for A and other letters come from many alphabets. This is also a good defense against the simple frequency count: there will be no unique disguised version of A in the cryptotext. One of the oldest and best known polyalphabetic systems is VIGENERE, named after the French cryptographer Blaise de Vigenere (1523-1596). ABCDEFGHIJKLMNOPQRSTUVWXYZ BCDEFGHIJKLMNOPQRSTUVWXYZA CDEFGHIJKLMNOPQRSTUVWXYZAB DEFGHIJKLMNOPQRSTUVWXYZABC EFGHIJKLMNOPQRSTUVWXYZABCD FGHIJKLMNOPQRSTUVWXYZABCDE GHIJKLMNOPQRSTUVWXYZABCDEF HIJKLMNOPQRSTUVWXYZABCDEFG IJKLMNOPQRSTUVWXYZABCDEFGH JKLMNOPQRSTUVWXYZABCDEFGHI KLMNOPQRSTUVWXYZABCDEFGHIJ LMNOPQRSTUVWXYZABCDEFGHIJK MNOPQRSTUVWXYZABCDEFGHIJKL NOPQRSTUVWXYZABCDEFGHIJKLM OPQRSTUVWXYZABCDEFGHIJKLMN PQRSTUVWXYZABCDEFGHIJKLMNO QRSTUVWXYZABCDEFGHIJKLMNOP RSTUVWXYZABCDEFGHIJKLMNOPQ STUVWXYZABCDEFGHIJKLMNOPQR TUVWXYZABCDEFGHIJKLMNOPQRS UVWXYZABCDEFGHIJKLMNOPQRST VWXYZABCDEFGHIJKLMNOPQRSTU WXYZABCDEFGHIJKLMNOPQRSTUV XYZABCDEFGHIJKLMNOPQRSTUVW YZABCDEFGHIJKLMNOPQRSTUVWX ZABCDEFGHIJKLMNOPQRSTUVWXY Fig.l.S

30

1. Classical Two-Way Cryptography

VIGENERE is like the CAESAR system, where the key varies from step to step. The Vigenere square of Fig. 1.5 is customarily used for encryption and decryption. Each column can be viewed as a CAESAR system, with keys 0, 1, ... ,25. One reads the plaintext from the rows and the CAESAR keys from the columns. The latter are usually expressed in terms of a keyword. For instance, for the encryption of the plaintext PURPLE under the keyword CRYPTO, we first look at the intersection of the P-row and C-column, getting R. The whole cryptotext will be RLPEES. The same cryptotext results if we interchange the roles of the rows and the columns in the encryption process. For the decryption, we look in which row R lies in the C-column. In this way we find P, and so forth. The keyword is customarily applied in a periodic fashion. If the plaintext is longer, the keyword is started anew from the beginning. For instance, the keyword of CRYPTO is applied to a plaintext of 15 letters in the form CRYPTOCRYPTOCRY. ZYXWVUTSRQPONMLKJIHGFEDCBA AZYXWVUTSRQPONMLKJ IHGFEDCB BAZYXWVUTSRQPONMLKJIHGFEDC CBAZYXWVUTSRQPONMLKJIHGFED DCBAZYXWVUTSRQPONMLKJIHGFE EDCBAZYXWVUTSRQPONMLKJIHGF FEDCBAZYXWVUTSRQPONMLKJIHG GFEDCBAZYXWVUTSRQPONMLKJIH HGFEDCBAZYXWVUTSRQPONMLKJ I IHGFEDCBAZYXWVUTSRQPONMLKJ J IHGFEDCBAZYXWVUTSRQPONMLK KJIHGFEDCBAZYXWVUTSRQPONML LKJIHGFEDCBAZYXWVUTSRQPONM MLKJ IHGFEDCBAZYXWVUTSRQPON NMLKJIHGFEDCBAZYXWVUTSRQPO ONMLKJIHGFEDCBAZYXWVUTSRQP PONMLKJ IHGFEDCBAZYXWVUTSRQ QPONMLKJIHGFEDCBAZYXWVUTSR RQPONMLKJIHGFEDCBAZYXWVUTS SRQPONMLKJ IHGFEDCBAZYXWVUT TSRQPONMLKJ IHGFEDCBAZYXWVU UTSRQPONMLKJIHGFEDCBAZYXWV VUTSRQPONMLKJIHGFEDCBAZYXW WVUTSRQPONMLKJIHGFEDCBAZYX XWVUTSRQPONMLKJIHGFEDCBAZY YXWVUTSRQPONMLKJIHGFEDCBAZ Fig. 1.6 Beaufort square

1.3 Polyalphabetic and Other Systems

31

There are, of course, many other squares that are easy to remember and can be used as a basis for a poly alphabetic system in the same way as the Vigenere square. One of the best known is the Beaufort square of Fig. 1.6: the rows are the rows of the Vigenere square written in reverse order. It is named after admiral Sir Francis Beaufort, also the creator of the Beaufort scale for wind velocities. While in the Vigenere square the first row and column also give the indices for columns and rows, respectively, the first row and the last column serve the same purpose for the Beaufort square. Thus, the first cryptotext letter when encrypting PURPLE with the keyword CRYPTO is obtained from the two squares as follows:

A B

©

©

B A

®Q®

®Q®

Vigenere

Beaufort

The general term periodic refers to polyalphabetic cryptosystems, where the alphabets of substitutes are repeated in a periodic fashion. A typical example is VIGEN ERE with a periodically repeated keyword, as described above. If we know the period, the cryptanalysis can be reduced to the cryptanalysis of monoalphabetic systems as follows. Say the period is five. We arrange the letters of the cryptotext in five columns in the following way. The number indicates the position of the letter in the cryptotext. 1 6 11

16 21 26

2 7 12 17 22 27

3 8 13 18 23 28

4 9 14 19 24 29

5 10 15 20 25 30

Two occurrences of the same letter appearing in the same column represent the same plaintext letter. Therefore, we are likely to be able to decrypt each column by a simple frequency count. Periodic cryptosystems with an unknown period were considered to be rather strong before the invention of the following method by the German cryptanalyst F.W. Kasiski around 1860. Kasiski's method finds the period by searching occurrences of the same word from the cryptotext. Say the word PUXUL appears twice, with 15 letters between the two occurrences: ... PUXUL

15 letters

PUXUL.

32

1. Classical Two-Way Cryptography

This might be purely accidental. It might also be due to the fact that the same plaintext portion was encrypted, starting from the same position in the key. This means that the distance between the two P's, that is 20, is a multiple of the length of the key. Thus the length of the key is 2,4,5, 10 or 20. When several such conjectures about the key length have been formed - some of the conjectures being possibly wrong - a pretty good guess about the key length can be made. The longer the repeating words are, the better. It is also of advantage to have words repeating more than once. Kasiski's method is illustrated in the following example. Example 1.6. A cryptanalyst, suspecting VIGENERE, intercepted the following

cryptotext. AVXZHHCS BZHALVXHFMVTLH I GH KALBRVIMOFHDKTASKVBMOSLAC GLGMOSTPFULQHTSLTCKLVNTWW HBWMSXSGAVHMLFRVITYSMOILH PEL H H L L I L F B L B V L P H A V W Y M T U R ABABKVXHHBUGTBBTAVXHFMVTL HIGHPNPZWPBZPGGVHWPGVBGLL R A L F X A V X T C L A Q H T A H U A B Z H T R S BUPNPZWPBZHGTBBTPGMVVTCSM VCLTOESOLACOLKBAVMVCYLKLA CGLGBMHA LGMV J X PGHUZ RHA B Z S K H PEL H BUM F L H T S P H E K B A V T J C N WZXVTLACGLGHUHHWHALBMOSKV CFJOGUCMISALOMLRIYCILFEFI G S S L Z WM P GO L F R Z A T S Z G L J X Y P X ZHBUURDWMOHALVXHFMVTLHIGH No previous plaintext-cryptotext pairs are known. The cryptanalyst might have received this cryptotext of exactly 400 letters, say, in blocks of five letters. However, he/she has forgotten all about the block division. He/she intends to use Kasiski's method. The block division is then only a nuisance because the identical words sought might occur in any position with respect to the blocks. The cryptanalyst observed that the word HAL V X H F M V T L H I G H, unusually long with respect to the length of the cryptotext, occurs twice. The distance between the two occurrences is 375 = 3.5 3 • The distance is computed by taking a specific letter, say the first H, in both occurrences and counting the number of steps from one occurrence to the other. Here it is easy because the number of steps is apparently 15·25.

1.3 Polyalphabetic and Other Systems

33

The final part of the word considered, namely, V X H F M V T L H I G H occurs also for a third time. The distance between the first two occurrences is 129 = 3 . 43, and the distance between the last two occurrences is 246 = 2' 3 . 41. The only common divisor between the numbers so far obtained is 3. Since the words involved are long, the cryptanalyst knows that their appearance is very unlikely to be coincidental. On the contrary, it is to be expected that the same sequence of letters was encrypted, starting from the same position in the keyword. If their appearance is not coincidental then the period is necessarily 3. The cryptanalyst has computing power. He/she could very easily make an exhaustive search of all repetitive words with length at least two. Instead, he/she tries to make a direct kill, betting for the period 3. A couple of immediate observations support this decision. There is another occurrence of VXH, 12 steps from the closest occurrence previously encountered. There are three occurrences of AVX, with distances 141 and 39 from each other. There are four occurrences of HAL, with distances 246, 60 and 69 from each other. All these numbers are divisible by 3, whereas any other divisor would lead to a period not in harmony with the total information already gathered. The cryptanalyst knows that such a direct attack, avoiding an exhaustive search, is to be applauded also from a theoretical point of view. In simple examples, such as the one at hand, a direct attack may render the use of a computer unnecessary: the cryptanalysis can be done by hand. More importantly, in complicated "real life" examples such a direct attack may render the task of cryptanalysis from intractable to tractable. Assuming the period to be 3, the simple frequency count gives the following distribution of letters in the three classes involved. Letters in Class 1 have the positions 1, 4, 7, ... Class 1

Letter A B C 0 E

F G H I J K

L M N 0

12 = 9.0% 4 2 2 1 1 15 = 11.2 % 1 2 1 27 = 20.1 % 2 6

Class 2 5 9= 6.8 % 11= 8.3 %

10= 7.5 % 13= 9.8 % 14 = 10.5 % 7 2 5 1 2 4

Class 3 9= 6.8 % 12 = 9.0%

4 2 10 = 7.5 % 11= 8.3 % 3 4 13= 9.8 % 17 = 12.8 % 4 2

34

1. Classical Two-Way Cryptography

Letter p

Class 1 10 =

7.5 %

Q R S T U V W X Y Z

1

5 6 9= 6.7 % 14 = lOA % 2

7 2 3 13= 9.8 % 4 1 11= 8.3 % 3 1

4

7

Class 3

Class 2

5

5 13= 9.8 % 1 2

6 12 = 9.0% 1 2

RST are the only three consecutive letters in the high-frequency group ET AONISRH. Therefore, the cryptanalyst looks in each of the three classes for three consecutive letters possessing a high frequency each. In this way he/she finds out how RST was encrypted in each class. In Class 1 there are two sequences of high-frequency letters: TUV and YZA. If the former is chosen to represent RST, then the shift is two, which means that the plaintext letters WXY get the high frequencies 4, 7, 12. Hence, YZA is chosen to represent RST, showing that the shift is seven. This means that the 20.1 % letter L is the disguise of E. In small samples (here only 134 letters altogether) one cannot be sure that the letter with the highest frequency actually is the disguised version of E. However, usually only E is capable of taking such an overwhelming majority as here. In Class 2 the cryptanalyst has to make a similar choice between ABC and FGH. (Also ZAB and GHI could be considered.) Because of the same reason as before, the choice is FGH, which gives the shift 14. In Class 3 there is only one choice, KLM, giving the shift 19. Observe that neither in Class 2 nor in Class 3 has the letter E the very highest frequency, although it is close to the top in both classes. The three shifts 7, 14, 19 are obtained from the keyword HOT. The cryptanalyst may begin the decryption: THE S T 0 V E 1ST H E H EAR T 0 F S A UNA WHENYOUTHROWWATERONTHESTO NESTHEAIRBECOMESMOREHUMID Everything seems to work: the plaintext contains information about sauna. The cryptanalyst now writes down the plaintext, using normal punctuation. The stove is the heart of sauna. When you throw water on the stones, the air becomes more humid and feels hotter. You are, thus, able to experience both dry and humid heat in sauna. The art of sauna building is not discussed here. The most

1.3 Polyalphabetic and Other Systems

35

common mistake in building a sauna is to have too small a stove with too few stones. If the stove is only a miserable tiny metal box with a couple of stones on top, then the room cannot be heated properly unless it is very small. Never be stingy with the heart of sauna! The cryptanalyst still looked back at his/her work. The facts used as a basis for the Kasiski analysis were in general correct: the same sequence of letters had been encrypted, starting from the same position of the period. The words AVX and HAL are two encryptions of the plaintext THE, starting from the first and second position of the period, respectively. Sometimes the identical plaintext parts encrypted in the same way had a very different syntactic and/or seman tical function. Thus, VXH was the encryption of HEA. But it came from the HEA in HEART, HEATING, as well as THE ART. In spite of the small size of the classes, the high-frequency letters in each class were almost ETAONISRH. In fact, every "really high" letter (meaning a letter with at least 9 occurrences, with percentage indicated above) was in this group. The final conclusion of the cryptanalyst was that the period should have been much longer, considering the length of the plaintext. 0 Our cryptanalytic examples have made use of some known properties of certain natural languages: the frequency of individual letters and the frequency of digrams. We want to emphasize that statistics are available about many other properties, for instance, the frequency of trigrams, the most common words in a language, the most likely left and right neighbors of each letter, as well as the over-all distribution and mutual position between vowels and consonants. In many cryptanalytic tasks such additional statistics are extremely helpful for eliminating most of the alternatives otherwise possible. A further modification of the VIGENERE system is the AUTOCLAVE system, customarily credited to the 16th century mathematician G. Cardano who is famous also because of his formulas for solving equations of 3rd and 4th degrees. In AUTOCLAVE, the plaintext serves also as the encryption key, with a certain shift. In the following example the shift is of length six. Plaintext: A IDS 1ST RAN S MIT TED T H R 0 UGH Key:

AIDSISTRANSMITTEDT

The key is used, as in VIGENERE, to determine a CAESAR substitution for each letter. The empty space at the beginning of the key can be filled either cyclically from the end of the plaintext, or else by using a keyword. The keyword IMMUNE induces the following beginning for the cryptotext. Plaintext:

A IDS 1ST RAN S MIT TED T H R 0 UGH

Key:

I M M U N E A IDS 1ST RAN S MIT TED T

Cryptotext: I U P M V W T Z D F A E B K T R V F P K H Y J A

36

1. Classical Two-Way Cryptography

The legal decryption is obvious: the keyword gives the beginning of the plaintext from the beginning of the cryptotext, after which one can use the plaintext already available as the key. In another variant of the AUTOCLA VE, the cryptotext already created serves as the ke¥ after the keyword. Thus, our previous example will be encrypted as follows. Plaintext:

A IDS 1ST RAN S MIT TED T H R 0 UGH

Key:

I MM U N E I U P M VW B L P Z N I J E I D Q B

Cryptotext: I U P M V W B L P Z N I J E I D Q B Q V W X W I The cryptanalysis of the latter AUTOCLAVE version is straightforward: the analyst only has to guess or find out the length of the key. Suppose it is known that the length is six in the example above. Then the analyst takes the first letter I and the seventh letter B in the cryptotext. The letter B lies in the T-row of the I-column in the Vigenere square. This gives the plaintext letter T. Similarly, the plaintext letter R is obtained from U and L. Apart from the first six letters, the whole plaintext can be recovered in this fashion. The former AUTOCLAVE version (where the shifted plaintext serves as the key) is not vulnerable against such a simple cryptanalytic attack. We now briefly outline the cryptanalysis of the former AUTOCLAVE version. First Kasiski's method is applied to find the length of the keyword, or at least some likely candidates for the length, also here referred to as the period. The theoretical background for Kasiski's method is not so strong here as in case of VIGEN ERE but the method is usually good enough for finding the period. Let us consider one example. Suppose that the word THE has two occurrences in the plaintext, the distance between the two occurrences being twice the period. Then some sequence of three letters, say AID, is found in the middle of the two occurrences. Thus, the following is a part of the plaintext: ... THE ... AID ... THE ... In the encryption process we now have: Plaintext: Key: Cryptotext:

. .. THE

A I D THE

THE A I D

T P H

T P H

Thus, TPH occurs twice in the cyptotext, the distance between the two occurrences being the period. Kasiski's method gives here exactly the period, whereas in connection with the VIGENERE it gives a multiple of the period. Once the period is known, say it likely to be six, the keyword is found by an exhaustive search based on the frequency count of individual letters. Everything is of course obvious when the keyword is known.

1.3 Polyalphabetic and Other Systems

37

There are 26 possibilities for the first letter of the keyword. When a possibility is fixed, it determines, together with the first letter of the cryptotext, the first letter of the plaintext. The latter, in turn, determines together with the seventh letter of the cryptotext the seventh letter of the plaintext. And so forth. So each choice for the first letter gives us the plaintext letters in positions 1, 7, 13, 19,25, .... Choices leading to sequences improbable distribution wise may be discarded. In this way the first letter is found. Other five letters are found similarly. We have discussed the basic cryptanalytic methods for the most common old cryptosystems. Some additional remarks are in order. There is no overall procedure that could be recommended for all cryptanalytic tasks. However, a cryptanalyst should always be active: if one method fails, another should be tried. The plaintext is almost always in some natural language, granted that there may be some encoding in-between. The cryptanalyst is likely to know which language is used in the communication. Most often this is immediate from the "interception history" of the cryptotext but we should also not forget the Golden Rule for cryptosystem designers! The cryptanalyst has to know the plaintext language, or at least cooperate with a person who knows it. Therefore, it gives an additional dimension to secrecy if a language not too widely known, such as Finnish, is used as the plaintext language. This is now a suitable spot to reveal the encryption method used in Example 1.1. The plaintext was WEMEETTOMORROW.1t was first translated into Finnish: TAPAAMMEHUOMENNA. CAESAR E1 (advance one step) then gives the cryptotext UBQBBNNFIVPNFOOB. We have discussed the difference between monoalphabetic and polyalphabetic cryptosystems. Another natural classification, coming from formal language theory, is to divide cryptosystems into context1ree and context-sensitive. In the former individual letters and, in the latter, groups of letters are encrypted. This can happen in the monoalphabetic or polyalphabetic fashion. Typical examples of cryptosystems of various types are given in the following table. Context-free

Context-sensitive

Monoalphabetic

CAESAR

PLAY FAIR

Polyalphabetic

VIGENERE

PERIODIC PLAYFAIR

Here PERIODIC PLA YF AIR means a modification of PLA YFAIR, where there are several squares, say three. The first pair in the plaintext is encrypted according to the first square, the second and third pairs according to the second and third squares, the fourth pair again according to the first square, and so forth. To conclude this section, we still mention some cryptosystems of an entirely different nature. The system CODE BOOK is referred to in [Ga] as the aristocrat of all cryptosystems. There is some truth in this statement since many aspects, such as making the cryptotext innocent-looking, can be taken into account in the CODE BOOK.

38

1. Classical Two-Way Cryptography

Both legal parties have a dictionary translating plaintext words (at least the most necessary ones) into sequences of numbers, some nonsense words, or preferably, into some other meaningful words. Thus, a part of the dictionary might look like: Original

Translation

ATTACK

FISHING

IN

BETWEEN

MORNING

WORK HOUR

THE

THE

Then the plaintext ATTACK IN THE MORNING will become the cryptotext FISHING BETWEEN THE WORK HOURS. Suitable endings have to be added to the cryptotext to make it syntactically correct. What about the cryptanalysis of CODE BOOK? If nothing is known about the dictionary, then the initial setup "cryptotext only" is impossible. On the other hand, the initial setups "known plaintext" and "chosen plaintext" necessarily disclose some details of the dictionary. It depends on the details how much this is going to help. Are there cryptosystems which guarantee perfect secrecy? Briefly stated, perfect secrecy means that the cryptotext does not give away any information whatsoever to the cryptanalyst. The cryptanalyst mayor may not intercept the cryptotext: he/she has exactly the same knowledge in both cases. The cryptotext gives away no information about the plaintext. An example of a cryptosystem with perfect secrecy is ONE-TIME PAD. The plaintext is a sequence of bits with bounded length, say a sequence of at most 20 bits. The key is a sequence of 20 bits. It is used both for encryption and decryption and communicated to the receiver via some secure channel. Take the key 11010100001100010010. A plaintext, say 010001101011, is encrypted using bitwise addition with the bits of the key, starting from the beginning of the key. Thus, the cryptotext is 100100101000. This gives no information to the cryptanalyst because he/she has no way of knowing whether a bit in the cryptotext comes directly from the plaintext or has been changed by the key. Here it is essential that the key is used only once, as also the name of the cryptosystem indicates. A previous plaintext together with the corresponding cryptotext give away the key, or at least a prefix of the key. Also a set of previous cryptotexts, with plain texts remaining unknown, give away some information. Of course, legal decryption is obvious: use bitwise addition of the plaintext and the beginning of the key. The obvious disadvantage of ONE-TIME PAD is the difficult key management. The key, at least as long as the plaintext, has to be communicated separately

1.4 Rotors and DES

39

via some secure channel. Nothing has been accomplished: the difficulties in secret communication have only been transferred to a different level! Of course, the system is still useful for really important one-time messages. In some variants of ONE-TIME PAD the key management is easier but the secrecy is not quite 100%. We finally mention such a variant. The key is specified by indicating a place in the Bible, King James version. For instance, Joshua 3, 2, 6 means the Book of Joshua, Chapter 3, Verse 2, Letter 6. The key begins from this letter and is used in the VIGENERE fashion. Let us encrypt the plaintext PRACTICAL PERFECTL Y SECRET SYSTEMS WOULD CAUSE UNEMPLOYMENT AMONG CRYPTOGRAPHERS, using this key. Plain:

P R ACT I CAL PER F E C T L Y SEC RET

Key:

CAM E TOP ASS AFT E R T H R E E DAY S

Crypto:

R R M G M W R A D HEW Y I T M S P W I F R C L

Plain:

S Y S T EMS W 0 U L DCA USE U N E M P L 0

Key:

T HAT THE 0 F F ICE R S WEN T T H R 0 U

Crypto:

L F S M X T W K T Z T F G R MOl H G X T G Z I

セ@

YMENTAMONGCRYPTOGRAPHERS

Key:

G H THE H 0 S TAN D THE Y COM MAN D E

Crypto:

E T X U X HAG G G R U R W X M I F M B H R U W

The key management in this variant of ONE-TIME PAD is much easier, since also very long keys can be represented in the same compact form. On the other hand, the keys are by no means random. The frequency information concerning English applies. Also an exhaustive search through all keys is possible computationally.

1.4 Rotors and DES The cryptosystems considered so far can be made more complicated and, at the same time, more secure by the use of cryptographic machines. Such machines make the encryption and (legal) decryption processes much faster, and also provide an enormous number of possible keys to choose from. The history of cryptographic machines extends already over hundreds of years. While the early mechanical devices took several seconds for the encryption of a character, the modern electronic machines encrypt millions of characters in a second. In this last section concerning classical cryptography, we discuss some of the basics about cryptographic machines. The core idea appears clearly already in the oldest machine, the Jefferson wheel, invented and used by Thomas Jefferson.

40

1. Classical Two-Way Cryptography

For an interested reader, [Ka] contains a description of the wheel in Jefferson's own words. Jefferson's wheel consists of a cylinder mounted on an axis. 26 straight lines, parallel to the axis and at equal distances from each other, are drawn on the cylinder. The cylinder is then cut into 10 smaller cylinders of equal height. The smaller cylinders are referred to as disks. Thus, we have 10 disks free to rotate independently about the common axis. Moreover, each of the disks is divided into 26 boxes of equal size on its circumference. On each disk, the 26 boxes are now filled with the 26 letters of the English alphabet. The order of the letters is chosen arbitrarily and varies from disk to disk. A particular Jefferson wheel is depicted in Fig. 1.7. The same wheel will be used in Example 1.7, where also the individual disks are described in detail, that is, also the parts not visible in the figure.

Fig. 1.7

It should be added that Jefferson used 36 disks. We have chosen the smaller number 10, for clarity of presentation. Both the sender and the receiver possess identical wheels, that is, the cyclic order of the letters is the same on each disk. To encrypt an English plaintext, the sender first divides it into blocks of 10 letters each. A block is encrypted by first rotating the disks in such a way that the block can be read from one of the 26 letter sequences parallel to the axis, and then choosing any of the 25 remaining letter sequences as the cryptotext. To decrypt, the legal receiver rotates the disks of the Jefferson wheel in such a way that the cryptotext can be read from one of the 26 letter sequences. The plaintext then appears as one of the 25 remaining letter sequences. It will be obvious which one: with an extremely high probability, only one of the letter sequences can be a part of a meaningful English text. Thus, it is not necessary to agree in advance how many lines in the wheel will be advanced in the encryption process. It can be any number between 1 and 25, and the number can vary from block to block. The situation is slightly different if the plaintext is "nonsense." Then the encryption distance in the wheel must be agreed upon in advance. For instance, if the encryption distance is 3 then the plaintext AAAAAAAAAA will be encrypted as ESYMTRHUEE according to the wheel of Fig. 1.7.

1.4 Rotors and DES

41

Example 1.7. We still consider the wheel of Fig. 1.7 but we now open out each of the disks, to define the entire sequences of letters. The same procedure can be followed in the definition of any Jefferson wheel. Disk number:

1 2 3 4 5 6 7 8 9 10

Row Number:

1 2 3 4 5 6 7 8 9 10 11 12

A A A A A A A A A A

R R P N V S P E I I

0

S

I

I

0 0 U S R H

E S Y M T R H U E E K U L 0

Y P

I

P S T

0 V U C L M S B L 0

B I K U E U E L B M C J

B L B B N C C U

U L R T C D R D D C D B C Y D Y Y H F D J

F D B G E D

I

N F

T C T F F C B J Y G

13

L G F G K V F F T J

14 15 16 17 18 19 20 21 22 23 24 25 26

N K G S N H G 0 G P P N 0 H H F V G H Q W P N J U K J K J

B

QQ E D P L KMK N M T H E QQ MNMV S H MK R I

T Q PW

V E Q P S J

o

R Q X

X D V Q W N L V V L Z YWVXGWWWY GW X X MTQ Y 0

K

H X Z R I WX X U R

Y Z

I

Z

J X Z T X S

F M J W Z Z C Z Z Z

It turns out that this particular Jefferson wheel has remarkable properties in regard to certain plaintexts.

42

1. Classical Two-Way Cryptography

Consider the following plaintext. It contains some questions about sauna. The plaintext has 70 letters. Divided into blocks of 10 letters each, the plaintext looks as follows: W HAT 1 S T H E B

EST T E M PER A

T U REI N S A U N

AHOWMANYTI

M E S MUS TON E

GOINHOWLON

G MUS T I S T A Y The sender decides to use the distances

8, 5, 6, 2, 13, 4, 3 , in this order, for the seven blocks. Since we do not possess any specimen of the wheel, we have to rotate the disks mentally. For each of the seven blocks, we rotate the disks in such a way that the block can be read from the row numbered by 1. In the seven resulting cases the wheel then looks as follows. We indicate the rows only up to the row lying at the chosen distance.

2

Disk number: Block 1

Block 2

3

4

5

6

7

8

9 10

W

HAT

I

S

THE

B

Q

E

P

Y

J

o

0

I

S

N

M

D

S

B

Z

R

L

J

L

V

S

Y Y F

A

P

W

F

B

W

V

W

L

G

V M Q 0

C

X

X

X

U

S

o

D

L

Z

Z

K

H

G

M

B

J

T B Z K F Y Y D C M N K

H

A

R

D

L

Y

ANY

R

E

S

P

E

R

A

U

T E Y B

M

K

T F

U

U

S

E

I

o

V

G

B

C

B

H

U

S

H

B

I

o F

D

D

I

P

L

E

C

J

N G G

Y

S

B

B

T

U

L

E

FEE

L

C

o

S

U

X

G

1.4 Rotors and DES

Disk number: Block 3

Block 4

Block 5

Block 6

1

2

3

4

5

6

7

8

9 10

T

U

R

E

I

N

S

A

U

N

L

V

C

K

J

G

E

E

X

V

N

I

D

P

Z

T

N

S

Z

W

P

J

T

Q

A

W

R

U

A

X

W

L

F

V

V

X

Y

P

I

L

Q

B

G

X

0

Z

D

B

R

Y

M

F

0

R

T

A

B

L

E

K

A

H

0

W

M

A

N

Y

T

I

R

E

N

A

I

S

R

X

G

H

I

D

E

N

J

0

Y

T

H

E

M

E

S

M

U

S

T

0

N

E

S

D

Y

0

P

0

0

G

Y

T

V

Y

L

C

Q

R

L

K

T

0

X

W

U

U

R

P

W

M

G

M

Z

X

K

L

S

M

Q

N

H

U

G

Z

B

T

W

U

X

Q

J

C

H

M

R

Y

X

B

Z

R

K

D

Y

A

C

B

M

D

C

V

M

F

F

R

D

F

I

Y

A

W

P

G

A

0

T

G

J

E

P

Y

Q

J

R

S

F

S

Z

C

U

X

V

P

I

U

G

H

A

V

H

Z

w

Q

E

V

0

J

V

H

I

T

0

B

K

I

N

D

0

F

S

A

U

N

G

0

I

N

H

0

W

L

0

N

H y

S

J

I

U

R

Q

c u

V

U

A

M

P

P

X

D

X

W

F

V

P

0

Q

M

Z

H

Z

X

A

I

S

C

R

U

C

I

A

L

43

44

1. Classical Two-Way Cryptography

2

3

4

5

6

7

8

G

M

U

S

T

I

S

T

H

A

K

H

Y

J

E

Z

Y

R

B

J

L

N

N

A

R

R

F

0

R

D

E

G

R

E

E

S

Disk number: Block 7

9 10 A

Y K

The cryptotext can be read from the bottom rows listed in connection with the seven blocks. Let us still write the plaintext and the cryptotext using customary punctuation and spacing. Plain. What is the best temperature in sauna? How many times must one go in? How long must I stay? Crypto. Hardly any rules. Feel comfortable, kid, enjoy. The kind of sauna is crucial for degrees. Not only is the requirement of RICHELIEU satisfied but the cryptotext also answers the questions given in the plaintext! It is obvious that our particular Jefferson wheel was specially designed for this purpose. Conditions for such D a design are studied in Problem 26. The Jefferson wheel realizes a polyalphabetic substitution. Let us first consider the version where we fix in advance the distance for encryption, that is, we fix a number i among the numbers 1, 2, ... , 25. Thus, the cryptotext is read from i lines below the plaintext. Then the wheel can be viewed as a polyalphabetic substitution with the period 10. The situation is slightly different if the encryption distance is chosen nondeterministically for each 10-block of the plaintext, as was done above. Then, after each 10 letters of the plaintext, we may alter the substitutions for the next 10 letters. However, there are only 25 combinations of substitutions available for the 10-blocks. The basic idea of the Jefferson wheel, the creation of a poly alphabetic substitution using disks rotating more or less independently, is central also in mechanical or electro-mechanical cryptographic machines invented later. Amazingly enough, most of these machines go back to Caesar in that the substitution is a circular one (with respect to the alphabetic order). However, the substitution varies from letter to letter and, viewing the system as VIGENERE, the length of the keyword is enormous: in many cases 1010. Therefore, Kasiski's method is very unlikely to succeed in cryptanalysis. As an illustration of mechanical machines, we discuss the machine C-36 of the famous manufacturer of cryptographic machines Boris Hagelin. It is also known as the M-209 Converter and was used by the U.S. Army still in the early 50s. Verbal descriptions of a mechanical device are extremely hard to follow when no specimen of the device is available. Since it is rather unlikely that the reader has C-36 at hand, we describe its operation in abstract terms. The machine is depicted

1.4 Rotors and DES

45

Fig. 1.8

in Fig. 1.8. Its basic components are six disks, usually called rotors, and a cylinder called the lug cage. Consider a 6 x 27 matrix M with entries from {a, I}. It is also assumed that everyone of the 27 columns of M has at most two 1'so Such matrices are called lug matrices. The matrix

°1 °° °°1°°1 °° °° °°11 °001 1 ° ° °1 1 1 ° ° ° ° ° ° ° ° 1° 100 ° 100 100 1 ° 100 M=

°001 ° °100 ° ° °° °1 °° 1°°°°°°°°°1 001 ° ° °°°°°°°1 °1 1° 111 °°°°°° ° ° 1 ° 1 ° ° ° °001 ° ° °1 ° ° 1 ° ° ° ° ° ° ° ° ° ° ° ° ° ° °1 ° ° 100 1 ° ° ° ° °1 ° ° °1 ° ° °

is an example of a lug matrix. Obviously, if v is a 6-dimensional row vector with entries from {0,1}, the vM is a 27-dimensional row vector with entries from {0,1,2}. For instance, if v = (1,0,1,1,0,0) then

vM

= (0,0,1,2,0,0,0,1,1,1,1,0,0,0,2,1,1,1,0,0,0,1,1,1,1,1,2) .

46

1. Classical Two-Way Cryptography

(Here we use the above M.) The number of positive entries in vM is called the hit number of v with respect to M. In our example the hit number is 16. In general, the hit number can be any integer between and 27. A step figure is constructed as follows. Pile 6 sequences of numbers from {O, 1}. The sequences, from top to bottom, should have lengths 17, 19,21,23,25,26 and start from the same point. For instance,

°

° 1 1 ° ° °1 ° ° ° ° ° ° °1 1 ° °1 1 1 1 1 °°°°°°°°°°°°° ° ° 1 ° ° ° ° °1 ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° °1°° ° 1 ° ° °1 ° ° °1 101 ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° 1 100 ° ° ° ° ° ° ° ° °1°° ° °1 ° ° ° ° ° ° 1 is a step figure. Contrary to lug matrices, there are no restrictions concerning the position of l's in step figures. A step figure generates an infinite sequence of 6-dimensional (row) vectors as follows. The first 17 vectors are read directly from the columns. Thus, (0,0,0,0,1,1)

and

(1,1,0,0,0,1)

are the first two vectors generated by the step figure above. Whenever some row ends, it is restarted from the beginning. Thus, the vectors from 17th to 47th are: (0,0,0,0,0,0) , (0,1,0,0,0,0) , (0,1,0,0,0,0) , (0,0,0,0,0,0) , (1,0,0,0,0,0) , (1,0,0,0,0,0) , (1,1,0,0,0,1) , (0,0,1,0,0,1) ,

(0,0,0,0,0,0) , (0,1,0,0,0,0) , (0,0,0,0,1,1) , (0,0,1,0,0,0) , (0,0,0,0,0,0) , (0,0,0,1,0,0) , (0,1,0,1,0,0) , (0,0,0,1,0,0) ,

(1,0,0,1,0,1) , (0,1,0,1,0,0) , (0,0,0,0,0,1) , (0,0,0,0,0,0) , (0,0,0,1,0,0) , (0,0,0,0,0,0) , (0,1,0,0,0,0) , (0,0,0,0,0,0) .

(1,0,0,0,0,0) , (1,1,1,0,0,0) , (0,0,0,0,1,1) , (1,0,0,0,0,0) , (1,0,0,0,0,0) , (0,1,0,0,0,0) , (0,1,0,0,0,0) ,

Having defined the lug matrix and the step figure, we are now in the position to tell how the cryptotext is obtained. We use our previous numerical encoding of the letters: A gets the number 0, B gets the number 1 and so forth. Z gets the number 25. As before, arithmetic is carried out modulo 26. Assume that IX is the i-th letter in the plaintext and that h is the hit number of the i-th vector generated by the step figure, with respect to the lug matrix. Then IX is translated into the letter

y=h-IX-1 in the cryptotext.

1.4 Rotors and DES

47

For instance, consider the plaintext GOVERNMENTOFTHEPEOPLEBYTHEPEOPLEANDFORTHEPEOPLE, as well as the lug matrix and the step figure given above. The numerical encoding of the plaintext is as follows. We use commas only for clarity. 6, 14, 21, 4, 17, 13, 12, 4, 13, 19, 14, 5, 19, 7, 4, 15, 4, 14, 15, 11, 4, 1, 24, 19, 7, 4, 15, 4, 14, 15, 11, 4, 0, 13, 3, 5, 14, 17, 19, 7, 4, 15, 4, 14, 15, 11, 4, The length of the plaintext is 47. As we often do, we have disregarded the spaces between two words. When using cryptographic machines, the spaces are sometimes filled with the letter Z. Thus, we have to compute the hit numbers of the first 47 vectors generated by the step figure. This is straightforward because the first 17 vectors can be seen directly from the step figure and the other vectors we already computed above. The hit numbers are: 10, 17, 16, 9, 9, 9, 7, 0, 0, 0, 0, 12, 0, 0, 18, 7, 0, 0, 18, 7, 9, 9, 19, 14, 9, 10, 5, 10, 0, 0, 0, 7, 7, 0, 12, 7, 7, 12, 0, 9, 17, 19, 9, 9, 5, 12, 0. By the formula y = h - ex - 1, we now compute the numerical encodings of the cryptotext letters: 3, 2, 20, 4, 17, 21, 20, 21, 12, 6, 11, 6, 6, 18, 13, 17, 21, 11, 2, 21, 4, 7, 20, 20, 1, 5, 15, 5, 11, 10, 14, 3, 6, 12, 8, 1, 18, 20, 6, 1, 12, 3, 4, 20, 15, 0, 21 . Hence, we obtain the following cryptotext: D C V E R V V V M G L G G S N R V L C V E H V V B F P F L K 0 D G M I B S V G B M D E V P A V The three occurrences of PEOPLE in the plaintext have been encrypted as RVLCVE, PFLKOD and DEVPAV, whereas the three occurrences of THE have been encrypted as GSN, VBF and GBM. Several additional remarks concerning the machine C-36 are in order. The rotors and the lug cage correspond to the step figure and the lug matrix, respectively. Any prechosen step figure is obtained by activating suitable pins in the rotors. Similarly, any prechosen lug matrix is obtained by positioning the lugs suitably. The lug matrix and the step figure constitute the key for the C-36 encryption. The machine itself can be viewed as a physical realization of the cryptosystem described above: it operates according to a prechosen key after suitable pins have been activated and lugs positioned suitably. The equation y = h - ex - 1 can be written also in the form ex = h - y - 1. This means that the same key can be used both for encryption and decryption. This is

48

1. Classical Two-Way Cryptography

the reason why the basic equation is of Beaufort type rather than of Vigem!reCaesar type. A combinatorially minded reader might want to compute the number of all possible keys in the C-36 encryption. The additional requirement for the lug matrix should be kept in mind. As will be seen below, all possible keys are not good from the point of view of secrecy. It is obvious that the step figure generates vectors in a periodic fashion. Hence, the C-36 encryption can be viewed as the usage of the Beaufort square with a keyword. But how long is the keyword? Usually it is much longer than any conceivable plaintext. Hence, no periodicity due to the keyword can appear in the cryptotext. Indeed, the lengths of the rows in the step figure are all pairwise relatively prime. This implies that only after 17' 19' 21 . 23 . 25 . 26

= 101.405.850

steps we can be sure that we are back in the initial position again, that is, the step figure restarts the generation of the same sequence. In the general case the period is no shorter than this number which, in fact, exceeds the number of characters in a fairly big encyclopedia. However, in special cases the period can be much shorter. For instance, if the step figure contains no O's then (1,1,1,1,1,1) is the only generated vector and, hence, the period equals 1. The period will be short if there are very few 1's in the lug matrix, or if there are very few O's or very few 1's in the step figure. Thus, such choices of the key should be avoided. There is no compelling mathematical reason for the step figure to consist of 6 rows. This number is just a compromise between security and technical feasibility. Of course, in general the period increases together with the number of rows. The number of rows should obviously be the same in the step figure and in the lug matrix. It is also a great advantage that the lengths ofthe rows in the step figure are pairwise relatively prime: this guarantees the maximal period. Everything else is arbitrary: the lengths of the rows both in the step figure and in the lug matrix, as well as the additional requirement made for the lug matrix. Physically this requirement corresponds to the number of lugs on a bar in the lug cage. It should by now be obvious that Kasiski's method or any similar approach is inadequate for the cryptanalysis of C-36. The interested reader is referred to [BeP] for other cryptanalytic approaches. Some famous cryptographic machines, such as the German ENIGMA, American SIGABA and the Japanese RED and PURPLE from World War II, are electro-mechanical. The basic building block, a wired codewheel also called a rotor, is an insulating disk on which electrical contacts are placed on the circumference, as well as on each side. The latter contacts make the concatenation of rotors possible. As with C-36, the resulting substitution can be varied from letter to letter. We do not want to enter a more detailed discussion of these machines. The resulting cryptographic mappings are, at least from our point of view, essentially the same as those obtained from C-36. The interested reader is referred to [BeP] for more details. As regards cryptographic machines in general, [Ka] contains an abundance of interesting material.

1.4 Rotors and DES

49

In the remainder of this chapter we consider the most widely used crptosystem of all times: Data Encryption Standard (DES) by the National Bureau of Standards. It was published in 1977 - the reference [BeP] has reprinted the original publication. DES specifies an algorithm, to be implemented in electronic hardware devices, for encrypting and decrypting data. The whole idea of a "standard" in cryptography is certainly revolutionary. Before the publication of DES, there apparently were no publications containing a complete algorithm for practical cryptographic usage. Although we have made the assumption that the cryptanalyst knows the cryptosystem used, most cryptosystem designers have tried to conceal the details of their algorithm. The DES is a remarkable exception: the algorithm is actually published. This may be considered as a challenge for everybody to break the system! The encryption and decryption according to DES is carried out as follows. First the users choose a key, consisting of 56 random bits. The same key is applied both in the encryption and decryption algorithm and is, of course, kept secret. Eight bits, in positions 8, 16, ... ,64, are added to the key, to assure that each byte is of odd parity. This is useful for error detection in key distribution and storage. Thus, the bits added are determined by the original 56 random bits, now in positions 1,2, .. , 7, 9, ... , 15, ... ,57, ... , 63 of the key. These 56 bits are subjected to the following permutation: 57 49 41 1 58 50 10 2 59 19 11 3

33 25 17 9 42 34 26 18 51 43 35 27 60 52 44 36

63 55 47 7 62 54 14 6 61 21 13 5

39 31 23 15 46 38 30 22 53 45 37 29 28 20 12 4

The permutation determines two blocks Co and Do of 28 bits each. Thus, the first three bits of Co (resp. the last three bits of Do) are bits 57,49,41 (resp. 20, 12,4) of the key. Having constructed the blocks Cn - 1 and Dn - 1 , n = 1, ... , 16, we construct the blocks Cn and Dn by one or two left shifts from Cn - 1 and Dn- 1 , according to the following table: n

Number of Left Shifts

2 3 4 5 6 7 8 9 10 1 2 2 2 2 221

2

11

12

13

2

2

2

14

15

16

221

A single left shift means a rotation of the bits one place to the left: after one left shift the bits in the 28 positions are the bits that were previously in positions

50

1. Classical Two-Way Cryptography

2,3, ... ,28,1. Thus, C 6 and D6 are obtained from C s and Ds , respectively, by two left shifts. We are now ready to define 16 permuted selections K n , 1 セ@ n セ@ 16, of bits from the key. Each Kn consists of 48 bits, obtained from the bits of CnDn in the following order: 14 3 23 16 41

17 28 19 7 52

11 15 12 27 31

24 6 4 20 37

30

40 49 42

51

45

47 33

8 2 55 48

39 50

56 36

34 29

53 32

44 46

1 21 26 13

5 10

Thus, the first (resp.last) three bits in Kn. are bits 14, 17, 11 (resp. 36,29,32) in CnDn. Observe that 8 of the 56 bits in CnDn are omitted from K n • Our calculations so far are preliminary in nature: we have computed from the key 16 sequences Kn consisting of 48 bits each. We now show how to encrypt a block w of 64 bits of our plaintext. The block w is first subjected to the following

initial permutation: 58 60 62 64 57 59 61 63

50 52

42 44 46 48 41

54 56 49 51 43 53 45 55 47

34 36 38 40 33

26 28 30 32 25 27 29 31

35 37 39

18 20 22 24 17 19 21 23

10 12 14 16 9 11

13 15

2 4 6 8 1 3 5 7

Thus, after this initial permutation, we have a word w', the first three bits of which are bits 58, 50 and 42 of w. We write w' = LoRo, where both Lo and Ro consist of 32 bits. Having defined Ln _ 1 and Rn _ 1> for 1 セ@ n セ@ 16, we define Ln and Rn by Ln = R n- 1

,

Rn = L n- 1 $ f(R n- 1 , Kn) ,

where $

denotes bit-by-bit addition modulo 2 and

f

is defined below. The

1.4 Rotors and DES

51

encryption c of the original w is now obtained by applying the inverse of the initial permutation to the 64-bit block R 16 L 16 . We still have to define the functionJbut, before that, let us see how decryption works. It is really simple: the above equations can be written as

We can, thus, "descend" from L 16 and R16 to Lo and R o, after which the decryption is clear! The function J produces from a 32-bit block R n- 1 or Ln and a 48-bit block Kn (recall how Kn was obtained from the key!) a block of 32 bits as follows. The first variable of 32 bits is expanded into 48 bits according to the following table: 32 4 8 12 16 20 24 28

1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7

11 15 19 23 27 31

4 8 12 16 20 24 28 32

5 9 13 17 21 25 29

Thus, the first bit in the original 32-bit block occurs in positions 2 and 48 in the new 48-bit block. After this expansion, the two blocks of 48 bits are added bit by bit modulo 2. The resulting block B of 48 bits is divided into eight 6-bit blocks: B = B 1 B 2 ' •• Bs. Each of these eight blocks B j is now transformed into a 4-bit block B;, using the appropriate table Si listed below.

14 0 4 15

4 15 1 12

13 7 14 8

15 3 0 13

1 13 14 8

8 4 7 10

4 8 2

2 14 13 4

15 2 6 9

11 13 2

14 7 11 1

6 15 10 3

11 2 4 15

3 8 13 4

11 7

Sl 3 10 10 6 15 12 5 11

6 12 9 3

12 11 7 14

5 9 3 10

9 5 10 0

4 14 1 2

S2 9 7 12 0 5 8 11 6

2 1 12 7

13 10 6 12

12 6 9 0

0 9 3 5

8

0 3 5 6

7 8 0 13

5

10 5 15 9

11

2 14

52

1. Classical Two-Way Cryptography

0

9 14

6

to 13 13 1

7 6 10

0 4 13

9 9 0

7 13 to 3

13 8 6 15

14 11 9 0

3 5

0 6 o 12 6to

2 14 4 11

12 4 11 2 2 8 12

7 4 10

3 8 6

S3 1 13 2 8 15

12 5 2 14

7 14 12 3

11 12 5 11

4 11 to 5

2 15 14 2

8 1 7 12

15 0 3 11 7 13 113 8

1 2 4 7 15 1 94

8 2 3 5

5 12 14 11

11 12 1 to 5 2 12 7

4 14

8 2

15 9 4 14

to 7 13 14

Ss 8 5 5 0 15 9 6 15

3 15 12 0

15 to 5 9

13 3 6 to

o

14

9

3 13 4

4 14 7 5 11 14 0 11 3 8 to 1 13 11 6 7 6 0 8 13

3 4 15 9

15 6 3 8

5 10 0 7

11 4

S4

12 to 9

4

15 2 5 12

9

2 11 11 13

14

15 4 12 1

o

8 13 4 1 14

4

8

6 10

1

9

7

4

15 3 12 10

1 to 15 4 14 15 3 2

4 11 13 0 1 4 6 11

13 1 7

2

12 11 7

6

2 15 11

7 13 8

7 2 9

2 12 8 5

9 10

11 13 7 2

6 1 8 13

6

8

9 12 15

5 3 to

S6 0 13 6 1 7 0 11 14

986 3 0 14 453

S7

8 13 3 12 9 1 10 14 3 3 7 14 10 15 5 4 10 7 9 11

7 14

8

S8 1 to 9 4 12 5 2 0 6 13 15 12

9 5 6

o

7 12 8 15

5 2 0 14

3

14

5 0 0 14 15 3 3 5

6 11 10

9

13 0

to 15 5 2

6

1

8

6

9

2

3

12

12

7 2

9

5 8 6 11

The transformation is carried out as follows. For instance, assume that B7 = l1ooto. The first and last bits represent a number x, 0 セ@ x セ@ 3. Similarly, the middle 4 bits represent a number y, 0 セ@ y セ@ 15. In our example, x = 2 and y = 9. The rows and columns of S7 are considered to be indexed by such numbers x and y. Thus, the pair (x, y) determines a unique number. In our case this number is 15. Taking the binary representation we obtain B; = 1111.

1.4 Rotors and DES

53

The value of f is now obtained by applying the permutation 16 29 1 5 2 32 19 22

7 12 15 18 8 27 13

11

20 28 23 31 24 3 30 4

21 17 26 10 14 9 6 25

to the resulting 32-bit block B'l B]. ••. Bs. This completes the definition of the function f, as well as our description of the encryption and decryption algorithms according to DES. The DES algorithms are very fast with appropriate hardware. On the other hand, cryptanalysis leads to numerous nonlinear systems of equations, the problems involved being at least NP-complete, see Appendix A. However, it has been proposed that a purpose-built machine might exhaust all key possibilities. The special equipment would search through all the 2 56 keys at a rate of 10 12 keys per second: there would be 106 chips, each searching a different portion of the keyspace at a rate of one key per microsecond. Estimates for the cost of such purpose-built equipment vary considerably. Details can be found, for instance, in [De].

(

\

Fia·U

54

1. Classical Two-Way Cryptography

Several properties of DES mappings have been established so far. An interesting property concerning symmetry is given in Problem 16. DES also possesses a feature very desirable from the point of view of secrecy: a small change in the plaintext or key gives rise to a big change in the cryptotext. Detailed figures concerning this avalanche effect can be found in [Kon].

Chapter 2. The Idea of Public Keys

2.1 Some Streets Are One-Way Think about any of the cryptosystems presented in Chapter 1, or any other similar systems. There will be no difficulties in the decryption process for a cryptanalyst who has learned the encryption method. The encryption and decryption keys coincide even in such a sophisticated system as DES. So you give away your secrets if you work with one of the systems mentioned and publicize your encryption method. This is not necessarily the case. There are systems in which you can safely publicize your encryption method. This means that also the cryptanalyst will know it. However, he/she is still unable to decrypt your cryptotext. This is what publickey cryptography is all about: the encryption method can be made pUblic. The idea was presented by Diffie and Hellman [DH]. Although revolutionary, the idea is still very simple. Why was such a simple idea presented so late-in the middle 70's - during the very long history of cryptography? What does safety in giving away the encryption method actually mean? How can one realize the beautiful idea? The answer to the first question is easy: complexity theory was developed only recently. The theory gives us information about the complexity of various computations, say, how much time computations will take with best available computers. Such information is crucial in cryptography. This brings us to the second question. Of course, the encryption method gives away the decryption method in a mathematical sense because the two are "inverses" of each other. Suppose, however, that it will take hundreds of years for the cryptanalyst to compute the decryption method from the encryption method. Then we don't compromise anything by publicizing the encryption method. This is how "safety" in the second question is to be understood. As regards the question about the realization of the idea of public keys, a lot of details will be presented in the sequel. Let us make here some initial observations. In mathematics, as well as in real life, there are some one-way streets. It is easy to go along the street from A to B, whereas it is practically impossible to go from B to A. Encryption is viewed as the direction from A to B. Although you are able to go in this direction, this does not enable you to go in the opposite direction: to decrypt. Take the telephone directory of a big city. It is easy to find the number of any specific person. On the other hand, it is hard - one might say hopeless! - to find the

56

2. The Idea of Public Keys

person who has a certain specified number. The directory consists of several thick volumes. In principle, you have to go through all of them carefully. This gives an idea for a public-key cryptosystem. The encryption is context-free: letter by letter. For each letter of the plaintext, a name beginning with that letter is chosen at random from the directory. The corresponding telephone number constitutes the encryption of that particular occurrence of the letter in question. Thus, the system is polyalphabetic: two different occurrences of the same letter are very unlikely to be encrypted in the same way. The encryption of the plaintext COMETOSAUNA might be as follows. Plaintext C 0 M E T 0 S A U N A

Name Chosen

Cryptotext

Cobham Ogden Maurer Engeler Takahashi Orwell Scott Adleman Ullman Nivat Aho

7184142 3529517 9372712 2645611 2139181 5314217 3541920 4002132 7384502 5768115 7721443

Thus, the whole cryptotext is obtained by writing, one after the other, all numbers appearing in the right column. Of course, the numbers are written in the order indicated. Observe that the encryption method is nondeterministic. Enormously many cryptotexts result from one and the same plaintext. On the other hand, each cryptotext gives rise to only one plaintext. A legal receiver of the plaintext mC"'1sage should have a directory listed according to the increasing order of the number::. Such a directory makes the decryption process easy. According to the terminology discussed in more detail in the sequel, the reverse directory constitutes the secret trapdoor known only to the legal users of the system. Without knowledge of the trapdoor, i.e., without possessing a copy of the reverse directory, the cryptanalyst will have a hard time. This in spite of the fact that the encryption method has been publicized, and so the cryptanalyst knows, in principle, how he/she should interpret the number sequence intercepted. Exhaustive search is likely to take too long. Of course, the cryptanalyst might also try to call the numbers in the cryptotext and ask the names. The success of this method is questionable - the cryptanalyst might get an angry answer or no answer

2.1 Some Streets Are One-Way

57

at all in too many cases. Besides, the method becomes nonapplicable if a reasonably old directory is used. The system based on telephone directories is intended to be only an initial illustration, rather than a cryptosystem for serious use. After all, the "reverse" directories are not so hard to come by. The idea of public-key cryptography is closely related with the idea of one-way functions. Given an argument value x, it is easy to compute the function value f(x), whereas it is intractable to compute x from f(x). Here "intractable" is understood in the sense of complexity theory, see Appendix A. The situation is depicted in Fig. 2.1. X

]セL@

easy

f(x)

+=.

intractable Fig. 2.1

We have referred to f(x) as a function. However, Fig. 2.1 is to be understood in a broader sense that includes also nondeterministic encryption methods, such as the telephone directory example. Moreover, the computation of x from f(x) should be intractable for the cryptanalyst only. The legal receiver should have a trapdoor available. Let us use the term cryptographic to refer to such one-way functions. It is to be emphasized at this point that no cryptographic one-way functions are known. Many cryptographic functions f(x) are known such that (i) It is easy to compute f(x) from x; (ii) Computation of x from f(x) is likely to be intractable. However, no proof is known for the intractability claimed in (ii). This reflects the fact that it is very hard to obtain lower bounds in complexity theory. It is very hard to show that, no matter what algorithm we use, a certain computational task is intractable. From the point of view of public-key cryptography, functions satisfying (i) and (ii) are quite sufficient. In a typical public-key cryptosystem only the straightforward cryptanalysis is based on computing x from f(x). There might be other, more ingenious, cryptanalytic methods, where this computation is avoided. Thus, the cryptanalyst might be successful even if we could show that the computation of x from f(x) is intractable. These issues will be discussed further in the following example.

Example 2.1. Let us first be more specific in the definition of one-way functions. A problem is termed intractable if there is no algorithm for the problem, operating in polynomial time. If there is such an algorithm, the problem is termed tractable. Easy refers to problems possessing an algorithm operating in low polynomial time, preferably in linear time. NP-complete problems are considered intractable. This is all standard terminology from complexity theory. The reader is referred to Appendix A for further details. It should be observed that traditional complexity

58

2. The Idea of Public Keys

theory is by no means ideal from the point of view of cryptography. Traditional complexity theory is all about the worst-case complexity: How hard can the nastiest instance be? Since such nasty instances might be extremely rare, information about the average complexity would be much more essential for cryptography. A function f(x) being one-way means that the transition from x to f(x) is easy, whereas the reverse transition from f(x) to x is intractable. The second requirement is often replaced by a milder condition: the reverse transition is likely to be intractable. (This is the condition (ii) above.) Our example is based on the knapsack problem. An n-tuple

of distinct positive integers, as well as another positive integer k, are given. The problem is to find, if possible, such integers ai whose sum equals k. The intuitive picture is that k indicates the size of a knapsack and each of the numbers a i indicates the size of a particular item that can be packed into the knapsack. The problem is to find such items that the knapsack will be full. As an illustration, consider the to-tuple (43, 129,215,473,903, 302, 561 , 1165,697,1523) as well as the number 3231. We observe that 3231

= 129 + 473 + 903 + 561 + 1165 .

Thus, we found a solution. The situation is depicted in Fig. 2.2.

Fig. 2.2

In principle a solution can always be found by checking through all subsets of A and finding out whether one of them sums up to k. In our illustration this means 210 = 1024 subsets. (This count includes even the empty subset.) This is certainly manageable. But what about if there are several hundreds of the numbers a i ? Our illustration is small to aid the readability of the presentation. A more realistic illustration

2.1 Some Streets Are One-Way

59

would have, say, 300 a/so The point is that no essentially better algorithm than exhaustive search is known. A search through 2300 subsets is unmanageable. Indeed, the knapsack problem is known to be NP-complete. Our n-tuple A defines a function f(x) as follows. Any number x in the interval o セ@ x セ@ 2n - 1 can be given a binary representation consisting of n bits - we add initial zeros if necessary. Thus, 1, 2 and 3 are represented as 0 ... 001, 0 ... 010 and 0 ... 011, whereas 1 ... 111 is the representation for 2n - 1. We now define f(x) to be the number obtained from A by summing up all numbers a i such that the corresponding bit in the binary representation of x equals 1. Thus, f(l) f(2) f(3)

= f(O = f(O

= an , ... 010) = an-I, =f(O ... 011) = an-l + an' ... 001)

and so forth. Using vector multiplication, we may write f(x)

= ABx

,

where Bx is the binary representation of x, written as a column vector. Our previous equation (see also Fig. 2.2) can now be written in the form f(364) =f(0101101100)

= 129 + 473 + 903 + 561 +

1165

= 3231.

Further function values determined by the same 1O-tuple are: f(609) f(686) f(32) f(46)

= f(I00II0000I) = 43 + 473 + 903 + 1523 = 2942 , = f(1010101110) = 43 + 215 + 903 + 561 + 1165 + 697 = 3584, = f(OOOO 100000) = 903 , =f(000010111O) = 903 + 561 + 1165 + 697 = 3326,

f(128) = f(0010000000) = 215 , f(261) =f(0100000101) f(44) f(648)

= f(0000101100) = f(1010001000)

= 129 + 1165 + 1523 = 2817, = 903 + 561 + 1165 = 2629 , = 43 + 215 + 561 = 819.

These particular values will be needed below. The function f(x) was defined using the n-tuple A. Clearly, if we are able to compute x from f(x) then essentially the same amount of work will solve the knapsack problem: x yields immediately its binary representation which, in turn, gives the items of A that sum up to f(x). On the other hand, the computation of f(x) from x is easy. Since the knapsack problem is NP-complete, f(x) is a good candidate for a one-way function. Of course it is assumed that n is reasonably large, say, at least 200. The function f(x) is also cryptographic, as will be seen below. Let us first see how "knapsack vectors" A can be used as a basis for a cryptosystem. The plaintext is first encoded into bits and divided into blocks consisting of n bits each. If necessary, the last block is "filled" by adding some zeros to the end.

60

2. The Idea of Public Keys

Each of the n-bit blocks is then encrypted by computing the value of the function for that particular block. If the plaintext is in English, a natural way of encoding is to replace each letter by the number of the letter in the alphabet, written in binary notation. Five bits are needed for this purpose. In the following table, the numbering of the letters begins from 1, whereas the space between two words is given the number O.

f

Letter

Number

Binary Notation

Space A B C D E F G H I

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

00000 00001 00010 00011 00100 00101 00110 00111 01000 01001 01010 01011 01100 01101 01110 01111 10000 10001 10010 10011 10100 10101 10110 10111 11000 11001 11010

J K L M N

0 p

Q R

S T U V W X Y Z

Consider our previous 10-tuple and the plaintext SAUNA AND HEALTH. Since the blocks to be encrypted consist of 10 bits each, the block division of our plaintext is as follows: SA UN Aspace AN Dspace HE AL TH

2.1 Some Streets Are One-Way

61

The corresponding eight sequences of bits are: 100 11 0000 1 , 1010101110 , 0000 100000 , 0000101110 , 00 10000000 , 0100000101 , 0000 10 11 00 , 1010001000 . But these sequences are exactly the argument values of f discussed above. Hence, the cryptotext is the 8-tuple (2942,3584,903,3326,215,2817,2629,819) . So far our cryptosystem based on the knapsack function f(x) is not public-key. Indeed, we can use it as a classical system. Then the cryptanalyst has to find the basic n-tuple A and, after that, still solve the knapsack problem. If the cryptanalyst can use the setup "chosen plaintext" then it is easy to find A: the cryptanalyst uses plaintexts with exactly one occurrence of 1. But also the legal receiver has to solve the knapsack problem in order to decrypt. This means that the decryption is equally difficult (and calls for the solution of an NP-complete problem) both for the cryptanalyst and the legal receiver. This state of affairs is highly undesirable and shows that, as such, the cryptosystem is very bad. In a good cryptosystem decryption should be immensely harder for the cryptanalyst than for the legal receiver. Let us raise one further issue before we try to improve the cryptosystem and also to convert it into a public-key system. There should never be two plaintexts coming from the same cryptotext. This means that no two different sums formed from the entries of A should be equal. The sums may have the same or a different number of summands but each entry may be used only once. It can be shown that the IO-tuple discussed above has this property. But the 5-tuple (17, 103, 50, 81, 33) does not have this property. According to this 5-tuple, the cryptotext (131,33,100,234,33) can be decrypted both as SAUNA and FAUNA-a rather high degree of ambiguity! Further decryptions of the same cryptotext would result if we had a plaintext character encoded as the bit sequence 11011. Let us now convert the cryptosystem based on the n-tuple A into a public-key one. We begin with some general remarks, and then return to our numerical illustration. There are classes of easy knapsack problems. One such class results from superincreasing n-tuples A. An n-tuple

A=(a 1 ,a2 ,···,an ) is termed superincreasing if each number exceeds the sum of the preceding

62

2. The Idea of Public Keys

numbers - that is, j-1

aj >

L ai

for j

=

2, ... , n .

i= 1

Exhaustive search is not needed to solve the corresponding knapsack problem - it suffices to ·scan through A once from righ to left. Given k (the size of the knapsack), we first find out whether or not k セ@ an. If the answer is "no", an cannot belong to the sum we are looking for. If the answer is "yes", an must belong to the sum. This follows because all of the remaining a/s cannot sum up to k. We define k = {k if k < an , 1 k-a n ゥヲォセ。ョ@

and carry out the same procedure for k1 and an -1. We are through when we reach a 1 • The algorithm shows also that, for any k, the knapsack problem has at most one solution, provided A is superincreasing. If we publicize a superincreasing A as the basis of our cryptosystem, then decryption will be equally easy for both the cryptanalyst and the legal receiver. In order to avoid this, we "scramble" A in such a way that the resulting B is not any more superincreasing but rather looks as an arbitrary knapsack vector. In fact, it only looks like one because very few knapsack vectors can be obtained in this fashion: the scrambling we use is modular multiplication. Indeed, we used modular arithmetic many times already in Chapter 1. A reader unfamiliar with the congruence notation should consult Appendix B. An integer m > I:ai is chosen. Since A is superincreasing, m is large in comparison with all numbers in A. Another integer t, with no common factors with m, is chosen. m and t are referred to as the modulus and the multiplier. The choice of t guarantees that there exists another integer t - 1 such that tt - 1 == 1 (mod m). The integer t - 1 can be regarded as the inverse of t. It can be easify computed from t and m. We now form the products tai' i = 1, ... , n, and reduce them modulo m: let bi be the least positive remainder of ta i modulo m. The resulting vector B = (b 1 , b2 ,

••• ,

bn)

is publicized as the encryption key. The encryption method for blocks of plaintext consisting of n bits each is the one described above. The items t, t -1 and m are kept as the secret trapdoor. Before comparing the situation from the point of view of the cryptanalyst and the legal receiver, let us return to our previous numerical illustration. It is easy to see that our previous 10-tuple (now denoted by B) B=(43, 129,215,473,903,302,561,1165,697,1523)

is obtained by modular multiplication with m = 1590 and t = 43 from the superincreasing knapsack vector A

= (1, 3, 5,11,21,44,87,175,349,701) .

Let us verify this in detail.

2.1 Some Streets Are One-Way

63

The first five numbers in B are obtained from the corresponding numbers in A by a direct multiplication with 43 - no reduction with respect to the modulus is needed. (In a real-life situation not even the first numbers should be too small because then the multiplier can be easily detected.) The following calculations yield the remaining five numbers in B. 43 '44 = 1892 = 1590 + 302, 43'87 = 3741 = 2'1590

+ 561,

+ 1165, 43' 349 = 15007 = 9'1590 + 697 , 43' 701 = 30143 = 18' 1590 + 1523 . 43 '175 = 7525 = 4'1590

We observe further that t and m have no common factors. In fact, 43' 37 = 1591 == 1 (mod 1590) . Hence, t - 1 = 37. Let us now find out an easy decryption method for the legal receiver. Consider first the general case, where A is a superincreasing vector and B is obtained from A by multiplying each number in A with t (mod m). Since the legal receiver knows t- 1 and m, he/she is able to find A from the public key B. After receiving a cryptotext block c', which is an integer, the legal receiver computes t - 1 c' and its smallest positive remainder c (mod m). To decrypt, he/she solves the easy knapsack problem defined by A and c. The solution is a unique sequence p of n bits. It is also a correct block of the plaintext because any solution p' of the knapsack problem defined by Band c' must equal p. Indeed, c == t- 1 c' = t- 1 Bp' == t- l tAp' == Ap'

(mod m).

Observe now that Ap' < m because m > a 1 + a2 + ... + an. This implies that the above congruence can be reduced to the equation c = Ap'. Since the knapsack problem defined by A and c cannot have several solutions, we must have p' = p. Thus, how should the legal receiver handle the cryptotext (2942,3584,903,3326,215,2817,2629,819) obtained earlier? Multiplying by

t

-1

= 37 he/she obtains first

37' 2942 = 108854 = 68' 1590 + 734 == 734 (mod 1590) . Continuing in the same way, he/she gets the 8-tuple (734,638,21,632,5,879,283,93) . The number 734 and the superincreasing A yield the 10-bit sequence 1001100001. Indeed, since 734 > 701, the last bit must be 1. The numbers in A are now compared with the difference 734 - 701 = 33. The first number, from right to left, smaller than 33 is 21. The next number 11 is smaller than the difference 33 - 21 = 12. Finally, the first number 1 equals the difference 12 - 11. The positions of 1, 11, 21 and 701 in A are 1, 4, 5 and 10, respectively.

64

2. The Idea of Public Keys

The numbers 638, ... , 93 yield in the same way the other seven 10-bit sequences listed above. By decoding all eight sequences the legal receiver obtains the plaintext SAUNA AND HEALTH. D The above Example 2.1 constitutes the main part of this section. The general principles for the construction of public-key cryptosystems will be stated explicitly in the next section. The cryptosystem based on superincreasing knapsack vectors serves as a simple and yet detailed illustration of these principles. On the other hand, the cryptosystem as such is not very reliable: a polynomial-time algorithm for breaking it will be discussed in Chapter 3. The algorithm is based on the fact that it is not necessary for the cryptanalyst to find the correct multiplier t and modulus m, that is, the ones actually used by the cryptosystem designer. It suffices to find any t' and m' such that the multiplication of the publicized vector by t'- 1 (mod m') yields a superincreasing vector. Thus, the cryptanalyst may actually break the system by preprocessing, that is, after the encryption key has been publicized. Since the public encryption keys are used for some time, there is often plenty of time for preprocessing, whereas the cryptanalyst is in a hurry after intercepting important encrypted messages. One-way streets - that's what public-key cryptography is all about. The reader might think of examples of one-way streets within different realms of life. Here is one very typical example. The device depicted in Fig. 2.3 is a trap used for fishing, especially in the nordic countries.

Fig. 2.3

It is very easy for a fish to enter the cage. The shape of the entrance guides the fish in - for further encouragement there might be some small fish in the cage as a bait. On the other hand, it is very hard for a fish to find its way out, although in principle an escape is possible. The legal receiver, that is the fisherman, takes the fish out by opening the trapdoor on top of the cage.

2.2 How to Realize the Idea This section will contain some general principles about the construction of publickey cryptosystems. The knowledge of the encryption key Fie should not give away

2.2 How to Realize the Idea

65

the decryption key D k • More specifically, the computation of Dk from Ek should be intractable, at least for almost all keys k. The following mechanical analog depicts the difference between classical and public-key cryptosystems. Assume the information is sent in a box with clasp rings. Then, encryption according to a classical cryptosystem corresponds to the locking of the box with a padlock and sending the key via some absolutely secure channel, such as using an agent in the James Bond class. Key management is always an essential issue, and often constitutes a difficult problem, when one uses classical cryptosystems. Public-key cryptography corresponds to having open padlocks, provided with your name, freely available in places such as post offices. A person who wants to send a message to you closes a box with your padlock and sends it to you. Only you have a key for opening the padlock.

Fig. 2.4

The following modification of the basic public-key procedure is suitable for classical cryptosystems as well. Denote by EA , EB , •.• the encryption procedures used by A, B, .... Denote the decryption procedures similarly by D A' DB' ..•. Assume further that the cryptosystem is commutative: in any composition of EA , E8, DA' DB' ... the order of the factors is immaterial. If A wants to send a message W to B, then the following protocol is used: (i) (ii) (iii) (iv)

A B A B

sends EA(w) to B . sends EB(EA(w)) to B . sends DA(EB(EA(w») = DA(EA(EB(w))) decrypts DB(EB(w)) = w .

= EB(W) to

B.

66

2. The Idea of Public Keys

Coming back to our illustration with padlocks, open padlocks need not be distributed in advance if this protocol is followed. First, A sends the box to B, locked with A's padlock. Then, B sends the box back to A, now locked also with B's padlock. Next, A opens the padlock EA and sends the box back to B. Now B can open it. Thus, the box is always protected by at least one padlock. There is no problem in the key management: the keys are not distributed at all. See Fig. 2.4. The protocol described above is secure against passive eavesdroppers. However, an active eavesdropper C might masquerade him/her as B. Then A has no way of knowing who the other party actually is. By a passive eavesdropper we mean a cryptanalyst who tries only to obtain all possible information in order to decipher important messages. An active eavesdropper masquerades him/her as the intended receiver of a message and returns information to the original sender accordingly. We are now ready to list the general principles behind the construction of public-key cryptosystems. Step J: Start with a difficult problem P. P should be intractable according to complexity theory: there is no algorithm that solves all instances of P in polynomial time with regard to the size of the instance. Preferably, not only the "worstinstance" complexity but also the average complexity of P is high. Step 2: Pick up an easy subproblem

P easy

of P.

P easy

should be in polynomial time,

preferably in linear time. Step 3: "Shuffle or scramble"

in such a way that the resulting problem Pshuffle does not resemble the problem P easy any more. The problem PShuffle should at least look like the original intractable problem P. P easy

Step 4: Publicize Pshuffle> describing how it should be used as an encryption key. The information concerning how P easy can be recovered from Pshuffle is kept as a secret trapdoor. Step 5: Construct the details of the cryptosystem in such a way that decryption will be essentially different for the cryptanalyst and the legal receiver. While the former has to solve Pshuffle (looking like the intractable P), the latter may use the trapdoor and solve only P easy .

Of course, our description of the Steps 1-5 is still on a very abstract level. The quality of the resulting public-key cryptosystem depends on how the details can be filled in. There are many questions to be answered. How is PShuffle used as a basis for encryption? How easy is Peasy? What constitutes the trapdoor? In particular, is it possible for the cryptanalyst to find the trapdoor by preprocessing? Can an instance of Pshuffle be easy to crack just accidentally? And so forth. We will return below to the theoretical problems involved. Let us now recall Example 2.1 from the preceding section. It serves as a very typical illustration of Steps 1-5. The knapsack problem in NP-complete-so it is a very suitable choice for the basic intractable problem. The superincreasing

2.2 How to Realize the Idea

67

knapsack problem is an easy enough subproblem of P. Modular multiplication constitutes a reasonable way of shuffling. We still return in Chapter 3 to the problem of how reasonable it actually is. This discussion will also deal with the possibilities of the cryptanalyst, as well as with some modified cryptosystems. In general, knapsack vectors form a natural and useful method for encryption. What is very interesting about the basic Steps 1-5 of public-key cryptography has something to do with their universality: the subject matter or the area of the problems is not specified in any way. In principle, the problems can be almost about anything. Examples will be seen in later chapters. However, so far the problems most suitable as a basis for a public-key cryptosystem have dealt with number theory. We have already seen an example: the knapsack problem. So far the most widely studied public-key cryptosystem, RSA, is also based on number theory. The product of two large prime numbers can be publicized without giving away the primes themselves. The one-way function, or the trapdoor, can be formulated in these terms. Details will be presented in Chapter 4. It is maybe intrinsic in the nature of public-key cryptography that very little or nothing is known about the underlying problems. Thus, RSA has been very successful although the complexity of the underlying problem, factorization, has not been adequately characterized. On the other hand, some public-key cryptosystems based on provably intractable problems (NP-complete, etc.) have turned out to be failures. For future reference, we now list some very fundamental number-theoretic problems that have so far defied all attempts to classify their complexities. Indeed, none of the subsequent problems is known either to possess a deterministic polynomial time algorithm, or to be complete for any natural complexity class. The problems have turned out to be very useful for many aspects of public-key cryptography. Some mutual reductions among the problems are also known: which of them are "easier" and which are "harder". F ACTOR(n). Find the factorization of n. PRIMALITY(n). Decide whether or not n is prime. FIND-PRIME( > n). Find a prime number >n. SQUAREFREENESS(n). Decide whether or not a square of a prime divides n. QUAD-RESIDUE(a,n). Decide whether or not x 2 == a (mod n) holds for some x. SQUAREROOT(a,n). Find, if possible, an x such that x 2 == a (mod n). DISCRETE-LOG(a,b,n). Find, if possible, an x such that aX == b (mod n). A number-theory minded reader might want to think of some natural reductions among the problems mentioned. For instance, if we are able to factor n, we are also able to tell whether or not n is prime. In fact, the primality problem is essentially simpler than factorization because there are many easily computable criteria to the following effect: if n is prime then a certain condition A (for instance, a congruence) is satisfied. Hence, if A is not satisfied then we are able to conclude that n is composite, without being able to factorize n.

68

2. The Idea of Public Keys

From the theoretical point of view it would be desirable to be able to formally establish some lower bounds for the amount of work the cryptanalyst has to do in order to break a public-key cryptosystem. Unfortunately, no such theoretical lower bounds are known for the most widely used public-key cryptosystems. For instance, F ACTOR(n) might be in low polynomial time, which would mean that RSA and related systems would collapse. On the other hand, it is not likely that F ACTOR(n) is in low polynomial time. After all, people have investigated F ACTOR(n) (more or less intensely) already for more than two thousand years. We will now discuss some issues of complexity theory that shed some light on the state of affairs: there are no provable lower bounds for the amount of work of a cryptanalyst analyzing a public-key cryptosystem. In fact, our previous Golden rule can be extended to concern public-key cryptosystems as follows. Golden Rule for Designers of Public-Key Cryptosystems. Test your system in practice from various points of view. Do not expect to prove remarkable results concerning the security of your system. Again, a reader not familiar with the basics of complexity theory should consult Appendix A. It is generally believed that P =1= NP. This implies that NP-complete problems are intractable. Hence, if we can show that the cryptanalysis of a publickey cryptosystem is NP-complete, we would have established its intractability. However, the following argument shows that this is not likely to be the case. The encryption key is public. Combine this fact with the requirement posed for any cryptosystem, classical and public-key alike: the encryption is easy once the encryption key and the plaintext are known. (Otherwise, the cryptosystem would be very cumbersome to use!) It follows that in any reasonable public-key cryptosystern the cryptanalysis problem is in NP. Given a cryptotext, the cryptanalyst first guesses the plaintext and then encrypts it, finding out whether it leads to the given cryptotext. Even if the publicized encryption method is nondeterministic, the whole procedure is still clearly in NP. The cryptanalysis problem is also in Co-NP. If the encryption method is deterministic, then this is obvious because one can proceed exactly as before: find out that the given plaintext-candidate does not yield the given cryptotext. In the general case, independently of whether the encryption method is deterministic, we argue as follows. We are given a triple (w,k,c),

where w is a candidate for the plaintext, k is the public encryption key and c is the cryptotext. We are supposed to accept the triple exactly in case w is not the plaintext giving rise to c. Clearly there is only one such plaintext; otherwise, decryption would be ambiguous. Our algorithm first guesses the plaintext p, then finds out (in nondeterministic polynomial time) whether p gives rise to c according to k. Only in case of a positive answer the algorithm continues, comparing p and w letter by letter. If a difference is found, the algorithm accepts. We are viewing the cryptanalysis problem in the obvious fashion: find the plaintext when the cryptotext and the public key are known. Along similar lines

2.2 How to Realize the Idea

69

one can show that several analogous problems are in the intersection NP n Co-NP, for instance, the following ones. In each case we assume that the public encryption key and the cryptotext are given. (i) Does a given word appear as a prefix (resp. a suffix) in the plaintext? (ii) Does a given word appear as a subword in the plaintext? (iii) Is a given word obtained by considering only the letters in the positions 5, 10, 15, ... in the plaintext? Thus, the cryptanalysis problem for a public-key cryptosystem is in the intersection NP n Co-NP. Hence, if the cryptanalysis problem C would be NP-complete, we would have NP = Co-NP. This is seen by the following simple argument. Consider any L in N P. Since C is NP-complete, L is polynomial time reducible to C. Consequently, also the complement of L is polynomial time reducible to the complement of C, which is in Co-NP, by our assumption. This implies that L is in Co-NP and, hence, NP is included in Co-NP. By this inclusion, the reverse inclusion is obvious. Take any L in Co-NP. The complement of L is in NP and, consequently, in Co-NP. This implies that L is in NP. We have shown that if the cryptanalysis problem for a public-key cryptosystem is NP-complete, then NP = Co-NP. This implies that it is highly unlikely that the cryptanalysis problem for a public-key cryptosystem is NP-complete or higher up in the complexity hierarchy. We can look for examples optimal from the point of view of complexity theory.

Example 2.2. (Due to [Kar 1].) Consider wffpc's (see Appendix A) with variables in Xu Y, where X and Yare disjoint. Every such wffpc is built from variables using propositional connectives v, 1\ and "'. We allow also the truth-values T and F to appear in a wffpc. Let IX be an assignment of truth-values for the variables in X, and Po and Pl two wffpc's such that Po assumes the truth-value T and Pl the value F (or vice versa) for every assignment of truth-values for variables in X u Y that uses IX for the variables in X. Thus, if IX is used for X, the truth-values of Po and Pl are independent of the truth-values assigned for the variables in Y. The pair (Po, Pl) constitutes the public encryption key, whereas IX is the secret trapdoor. As an illustration, consider X = {Xl' X2 } and Y = {Yl' Y2}' Define IX by IX(X l )

= F and

IX(X 2 )

= T.

One can then choose Po = '" Yl

1\

Y2

1\ X 2 1\

Pl = (Y2 v x 2) 1\ (Yl v

(Yl

V Xl V ('"

Xl V ('"

Yl

1\

Y2

1\ X 2))

,

x 2)) .

It is easy to see that, independently of the values for Yl and Y2' Po assumes the value F and Pl the value T for IX. To encrypt a particular occurrence of the bit i in the plaintext, one assigns in Pi truth-values for the variables in Y in an arbitrary fashion and shuffles the resulting wffpc (with variables in X) randomly according to the standard rules of the propositional calculus (introduction and elimination of T and F, associativity,

70

2. The Idea of Public Keys

commutativity, distributivity, idempotence). If we assign the values F and T for Yl and Y2 in our illustration, Po reads '" F

1\

T

1\

x2

1\

(F

V Xl

v ('" T

1\

x 2 ))



This can be shuffled to X 2 1\ Xl' Consequently, X 2 1\ Xl is one possible encryption for the bit O. Legal decryption is immediate because IX is known. Using the NP-completeness of the satisfiability problem, the following result can be obtained. Assume that we may consult an oracle who, given the public key and a cryptotext, tells us the bit the cryptotext is obtained from. (Oracles will be discussed in more detail in Chapter 4.) Then for every language in the intersection of NP and Co-NP, there is a deterministic polynomial time algorithm using the oracle for determining whether or not a given word is in the language. The result means that the cryptanalysis of any public-key cryptosystem can be reduced to the cryptanalysis of the system described above. Thus, the system is optimal in the sense that any cryptanalytic method to break it can be used to break any other public-key cryptosystem as well. Unfortunately, the same result can be obtained for the following degenerate system. In the public key (Po, PI)' exactly one of the p's, say Pk' is satisfiable. The index k constitutes the secret trapdoor. An occurrence of the bit i is encrypted by first assigning truth-values for the variables in Pi in an arbitrary fashion. If the otherwise i is encrypted as resulting truth-value for Pi is T, i is encrypted as i itself. In the legal decryption one simply maps to k and leaves 0 and 1 unchanged. On the other hand, a cryptanalyst can find out the meaning of by generating assignments until either Po or PI becomes true. If Pk is rarely true, then occurs rarely in the cryptotext. Thus, the degenerate system is intuitively very weak. The paradox of the system being optimal is explained by the fact that we have considered worst case rather than average complexities. 0

*,

*

*

*

In the discussion above the setup for cryptanalysis has been: given cryptotext and public encryption key. For the setup "encryption key only" the cryptanalysis problem is still in NP for any public-key cryptosystem. Interestingly enough, the system given in Example 2.2 is optimal also as regards the cryptanalytic setup "encryption key only": the cryptanalysis problem is NP-complete. It is obvious that no similar upper bounds for cryptanalytic complexity can be given for classical cryptosystems. Essentially, this due to the fact that because everything is kept secret then the easyness of the encryption and decryption for legal users cannot lead to any consequences as regards the world of the cryptanalyst. A final rather strange observation can be made from the point of view of complexity theory. A public-key cryptosystem can always be viewed as a sequence of pairs (Ei' D;), i = 1,2, ... ,where Ei is an encryption key and Di the corresponding decryption key. Both keys are completely determined by i: they can be given by some verbal description. Preprocessing proceeds now as follows. After an encryption key Ek has been publicized, the sequence (E i , D i ) is generated, until the correct Ei ( = the one verbally coinciding with E k ) is found. This may involve a huge

2.3 Obvious Advantages of Public Keys

71

(computationally intractable) amount of work. But still: this amount is a constant independent of the length of the cryptotext. From this point of view, the complexity of the cryptanalytic setup "cryptotext and encryption key" is n + c, where c is a constant! Of course, from a practical point of view, this does not say much because c is huge.

2.3 Obvious Advantages of Public Keys The advantages of public-key cryptography are tremendous, provided the idea can be realized without any too harmful side-effects. The most far-reaching innovation due to public keys concerns key management: how to handle and send keys. Consider any classical (that is, symmetric) cryptosystem. The encryption key gives away the decryption key and, hence, the former cannot be publicized. This means that the two legal parties (sender and receiver) have to agree in advance upon the encryption method. This can happen either in a meeting between the two parties, or else by sending the encryption key via some absolutely secure channel. If a public-key cryptosystem is used, the two parties do not have to meet - they do not even have to know each other or be in any kind of previous communication! This is a huge advantage, for instance, in the case of a big data bank, where there are numerous users and some user wants to communicate only with a specific another user. Then he/she can do so just by applying the information in the data bank itself. One can compare classical and public-key cryptosystems also as regards the length of a key. Since every key has to be described somehow, the description being a sequence ofletters of some alphabet (that is, a word), it is natural to talk about the length of a key. There is a remarkable difference between classical and public-key cryptosystems. Consider first a classical cryptosystem. If the key is longer than the plaintext, nothing has really been achieved. Since the key has to be transmitted securely, one could transmit the plaintext instead of the key via this secure channel. Of course, in some situations the key is transmitted earlier to wait for the crucial moment. Consider next a public-key cryptosystem. The length of the encryption key is largely irrelevant. The key is publicized anyway. This means that also the length of the decryption key is largely irrelevant: the receiver only has to store it in a secure place. The easiness of key management can justly be regarded as the chief advantage of public-key cryptography. Let us now consider some other advantages. The central issues raised will be discussed also later on. One of a computer system's central strongholds is the password file. The following might be an entry in such a file. login: JOHNSON

password: KILLER

If the password file is exposed - accidentally or otherwise - to an inspection by an intruder, then the intruder will have free access, for instance, to Mr. Johnson's

72

2. The Idea of Public Keys

electronic mail. We assume here that the mail is not encrypted and, thus, security is provided only by the passwords. Suppose now that one-way functions f are used in connection with the password file. The entry mentioned above is now as follows. login: JOHNSON

password: KILLER

function: fJ

Here fJ is a description of a one-way function. The idea is that KILLER is Mr. Johnson's "public" password, whereas only Mr. Johnson knows his "secret" password PURR such that fAPURR) = KILLER.

In fact, he "publicized" the password KILLER after computingh(PURR). Mr. Johnson types in the secret password PURR, after which the computer checks whether or not fJ applied to PURR gives the correct result KILLER. The computer does not store PURR in any way. The password file may now be inspected by an intruder without loss of security because the functionfJ cannot be inverted. The one-way functions f need not be cryptographic: a trapdoor for inverting them is useless in this case. It is even possible to have the same function for all users. The reader might suggest in what respect such a common function is weaker than individual functions. Authentication is an important issue. How do we know that a message planted in a communication channel or information system is authentic? How do we generate such an electronic or digital signature? Let us first state more explicitly what we want. Consider two parties A and B, possibly with conflicting interests. Typically, the parties could be a bank and its customer, or the two superpowers. When A sends a message to B, the message should be signed in such a way that the parties get the following two kinds of protection. (i) Both A and B should be protected against messages addressed to B but fed in the information system by a third party C, who pretends to be A. (ii) A should be protected against messages forged by B, who claims to have received them from A, properly signed. Of course, if B sends a message to A then A and B should be interchanged in (ii). One may visualize (i) and (ii) by thinking B as an American agent in Moscow, A as his/her boss in Washington, and C as a Russian agent. The importance of (i) should be obvious. (ii) is required, for instance, in case B initiates some operation without any authorization from A. The operation turns out to be a failure. However, B claims to have acted according to the instructions given by A in a properly signed message! Conditions (i) and (ii) are somewhat contradictory and, therefore, hard to satisfy simultaneously. According to (i), B should know something about A's signature. According to (ii), B should not know too much about A's signature. It is to be emphasized that electronic signatures usually change the whole text, rather than just being an addition to the end of the text.

2.3 Obvious Advantages of Public Keys

73

If a good classical cryptosystem is used, then requirement (i) can be satisfied in a reasonable fashion: A and B agree upon an encryption key known only to them. A message is signed by encrypting it according to the key. The key and preferably also the cryptosystem have to be changed reasonably often. Once C finds out the key, he/she can start sending properly signed messages. Requirement (ii) is apparently more difficult to satisfy because, as we already pointed out, B should know something about the way A generates the signature, and yet it should be impossible for B to generate A's signature. Observe also that if we are dealing with a big network of communicating parties (such as a network of mail users) then it is impractical to use a distinct secret method of signing for every pair of users. If a public-key cryptosystem is used, then both (i) and (ii) can be satisfied, at least in principle. As before, we denote by E A, E B, ... (resp. DA' DB' ... ) the encryption (resp. decryption) key used by A, B, .... First, A sends the message w to B in the form EB(D A( w)). Then, B can recover DA(W) by his/her secret decryption key DB' From DA(W), B can recover W by the publicly known EA- Observe that EA and DA are inverses. Now both (i) and (ii) are satisfied. Only A knows DA and, hence, neither C nor B can forge A's signature. This is the case at least if plaintexts are meaningful passages of some natural language. Then the probability is negligible that some text not obtained by DA from a meaningful plaintext would translate into something meaningful. By this reason, A can also not deny sending the message to B. If only signature (but not the encryption of the message) is important, then it suffices that A sends B the pair (w, DA(W)). Requirements (i) and (ii) are satisfied as before. The basic procedures of authentication described above are vulnerable, especially as regards attacks by active eavesdroppers. The seriousness of attacks depends on the details, in particular, on the possibilities of the eavesdropper to plant false messages in the system. The basic procedures can be strengthened by applying a protocol. This means that A's sending a message to B consists of several communication steps between A and B. A first communicates something to B. Depending on the contents of this communication, B communicates something back to A. And so forth. In general, a protocol involves a sequence of message exchanges. The number of communicating parties may be also greater than two. A specific, usually public-key, cryptosystem is used. The security of a protocol usually means protection against a passive or an active eavesdropper but often also protection against cheating by some of the parties. In the latter case a protocol may provide for arbitration procedures if the parties happen to disagree about their adherence to the protocol. Protocols are no more secure than the cryptosystem applied. It is difficult to prove that a specific cryptosystem possesses certain security properties. It is also difficult to prove that if the underlying cryptosystem satisfies certain security conditions then the protocol possesses certain security properties. Many of the issues involved will be dealt with in the sequel, especially in Chapter 6. Here we briefly mention some examples of problems and tasks for which protocols have been successfully applied.

74

2. The Idea of Public Keys

Handshaking is in general slightly more complicated than authentication. The problem is that A and B want to establish a secure communications channel in a certain communications environment without any prior exchange of information. In our previous example the American agent in Moscow and the boss in Washington had to agree beforehand at least about something: how in principle signatures are generated and where the public keys are available. (We assume that they used the basic procedure described above.) This is not actually much and can be included in the common instructions provided for the users of an information system. Hence, the situation is very close to handshaking. Very often handshaking is understood to imply that the parties trust each other. Thus requirement (ii) becomes unnecessary. Suppose elections are held over a computer network. A protocol should make it impossible for non-registered voters to vote although they might be legal users of the network. Furthermore, ballots should be kept secret and the publicized outcome of the elections should be fair. Also some new types of secret votings can be carried out using appropriate protocols. Such protocols seem to open new vistas for confidential communication. Some members of a council might have the right of veto. When an appropriate protocol is followed, nobody knows whether a negative decision is based on the majority, or somebody using the veto-right, or on both! Let us consider a specific example. The parties A, B, C l' . . . , Cn want to make a yes or no decision. All parties can vote yes or no. Moreover, A and B have two additional votes, super-yes and super-no. Such a voting may be visualized as arising in the United Nations, with A and B being the two superpowers. If no supervotes are cast, the majority decides. If at least one supervote is cast, then the ordinary votes have no significance. The decision is yes in case of a draw. After the voting all parties know the decision but nobody knows why the decision was made. Was it due to a supervote, majority, or to both? Of course, it is possible to construct a voting machine to satisfy the requirements. But nobody would trust such a machine: it could be tampered to leak information and/or announce a false outcome for the voting. In the next example a specific protocol is suggested.

Example 2.3. Two persons A and B want to play poker by telephone without any third party acting as an impartial judge. We consider the basic variant of the game, where five cards are dealt. As regards most of the other variants, the protocol is essentially the same. It is obviously necessary for A and B to exchange information in encrypted form in order to "deal" cards in a proper way. A proper deal should satisfy the following requirements. (i) All hands (sets of five cards) are equally likely. (ii) The hands of A and B are disjoint. (iii) Both players know their own hand but have no information about the opponent's hand. (iv) It is possible for each of the players to find out the eventual cheating of the other player.

2.3 Obvious Advantages of Public Keys

75

We now propose a protocol. A cryptosystem, classical or public-key, is used. However, neither the encryption methods EA and EB nor the decryption methods DA and DB are publicized. Moreover, commutativity is assumed: in any composition of E's and D's the mutual order is immaterial. Before the actual play, A and B agree on the names w1 , •.• , WS2 ofthe 52 cards. The names are chosen in such a way that the cryptosystem is applicable in the sense needed in the sequel. For instance, if EA and EB operate on integers within a certain range then each Wi should be an integer within this range. We are now ready to describe the protocol. A acts as the dealer but the roles of A and B can be interchanged. The protocol consists of the following four steps. Step 1: B shuffles the cards, encrypts them using E B , and tells the result to A. This means that B tells A the items EB(W 1 ), ••• , E B(wS2) in a randomly chosen order. Step 2: A chooses five of the items EB(w;) and tells them to B. These items are B's cards. Step 3: A chooses another five of the items EB(w;), encrypts them by E A, and tells the result to B. Step 4: After receiving five items of the form EA(EB(w;)) in Step 3, B applies DB to them and tells the result to A. These five items represent A's cards.

Let us now see how the requirements (i)-(iv) are satisfied. Clearly both players know their own cards. In particular, A receives in Step 4 five items of the form DB(EA(EB(w;))). Because of commutativity, DB(EA(EB(W i ))) = EA(DB(EB(w;))) = EA(w;) ,

and hence A has only to use D A' The hands will also be disjoint: B can immediately check that the items given in Step 3 differ from those given in Step 2. No conclusive evidence can be presented as regards the other requirements (i)-(iv). The matter depends largely on how truly one-way functions the E's actually are. For instance, it might be impossible to find Wi on the basis of EB(W i ) but, still, some partial information about Wi could be found. For instance, if Wi is a sequence of bits, the last bit could be found from EB(W;). Such partial information could tell A that all aces are within a certain proper subset of EB(W 1 ), ••• , E B(wS2)' Then A would surely deal B only cards outside this subset and for himself/herself only cards from this subset. In this case (i) and the second part of (iii) would be violated. The cryptosystem cannot be public-key in the normal sense. A could simply compute all the values EB(w;) and deal the cards accordingly: a good hand for B but slightly better for himself/herself! Some of the issues in this example are of general nature and will be discussed also later. In fact, a public-key cryptosystem can never have a small plaintext space, such as only 52 plaintexts. Then all of them can be encrypted using the public key, and decryption amounts to a search through all resulting cryptotexts.

76

2. The Idea of Public Keys

The possibility of obtaining partial information is also one of the central issues in public-key cryptography. For some cryptosystems, such as RSA, it has been shown that if partial information can be obtained then the whole system can be broken. This means that if you are convinced about the security of the cryptosystem, then you also know that the system does not leak partial information. 0 We conclude this chapter by mentioning three problems that require cryptographic protocols for their solution. The protocols devised for these problems are often used as a part of a protocol for a more complicated problem. Thus, the protocol given in [GM] for the problem of Example 2.3 uses coin flipping. A and B want toftip a coin by telephone without any impartial judge. As always, both parties should at some later stage be able to check that the other party did not cheat. This may happen after the result of the coin flipping has been used for some other purpose. An oblivious transfer allows A to transfer a secret to B with probability t. After the completion of the protocol, B knows whether or not the secret was transferred successfully, but A does not know. Two or more parties want to share a part of their secrets but do not want to give away their secrets entirely. For instance, two people want to find out who is older without learning anything else about each other's age. After going through the protocol both know who is older but neither one knows how much older.

Chapter 3. Knapsack Systems

3.1 A Trapdoor is Built Public-key cryptosystems based on the knapsack problem were already briefly discussed in Example 2.1 in Chapter 2. It was also pointed out that knapsack systems are very suitable for illustrating all basic ideas behind public-key cryptography. The setup is also versatile enough to produce new variants to avoid cryptographic weaknesses. Mathematical techniques will be used in this and later chapters to a larger extent than in Chapters 1 and 2. All the necessary tools will be summarized in the appendices. Fundamentals of the theory can also be understood without entering the mathematical developments. This section presents the basic knapsack system in more details than Example 2.1. Shamir's cryptanalytic attack is described in Section 3.2. Section 3.3 deals with a general theory of reachability, applicable to both simple and composite knapsacks. Interesting variants of knapsack systems will be presented in Section 3.4. The final Section 3.5 deals with systems based on dense knapsacks. We are now ready to go into definitions. A knapsack vector A = (a l , . • . , an) is an ordered n-tuple, n セ@ 3, of distinct positive integers a j • An instance of the knapsack problem is a pair (A, a), where A is a knapsack vector and a is a positive integer. A solution to (A, a) is a subset of A whose elements sum up to a. (Since we are talking about a subset, each a j appears in the sum at most once.) Knapsack problems are sometimes called also subset sum problems. The most common variant of the knapsack problem is to tell whether or not a given instance (A, a) possesses a solution. A variant used in cryptography is to produce a solution for a given instance (A, a) when it is known that a solution exists. Both of these variants are NP-complete. There are also variants that are not even in NP. A knapsack vector A is used to encrypt a block C of n bits by summing up such components of A that 1 appears in the corresponding position in C. If the sum is denoted by a, then decryption amounts to finding C from a, or from A and Q( if we are dealing with a public-key cryptosystem. The latter possibility is just the cryptographic variant of the knapsack problem. Equivalently, we may view C as a column vector of bits. Then Q( equals the product AC.

78

3. Knapsack Systems

As an illustration, assume that n = 6 and A = (3,41,5,1,21, to). Then (1,1,0,0,1,0) and (1,0,1,1,0,1) are encrypted as 65 and 19, respectively. For this A, all cryptotexts r:J. are numbers セ@ 81. At most one plaintext corresponds to each cryptotext. For A = (14,28,56,82,90, 132, 197,284,341,455), the cryptotext r:J. = 515 has exactly three corresponding plain texts (1,1,0,0,0,1,0,0,1,0),

(0,1,1,0,1,0,0,0,1,0), (1,0,0,1,1,1,1,0,0,0).

This is seen immediately by reading A from right to left, for instance, 455 cannot appear in the solution because it is not possible to express 60 = 515 - 455 as a sum. Similarly, the cryptotext r:J. = 516 has no corresponding plaintext. Now it is easy to see that none of the last four numbers in A can appear in the sum, whereas the sum of the remaining numbers is too small. For r:J. = 517, the only corresponding plaintext is (1,1,1,0,1,1,1,0,0,0). Examples like this illustrate the obvious fact that cryptanalysis arising from some instances of the knapsack problem can be easy. Since uniqueness of decryption is desirable, the knapsacks vectors A should have the property that, for every r:J., all instances (A, r:J.) possess at most one solution. Such knapsack vectors A are referred to as injective in the sequel. This terminology is very natural because the injectivity of A means that the function induced by A, defined in Example 2.1, is injective. Of the two A's considered above the first is injective, whereas the second is not. For some vectors A, all instances (A, r:J.) are easy to solve. We have already seen in Example 2.1 that super-increasing vectors possess this property. A two-way cryptosystem can be based on such vectors in an obvious fashion: both the sender and receiver know the vector A. On the other hand, if a vector B is publicized as an encryption key, then the legal receiver must have some secret trapdoor information for transforming B and the cryptotext into an easy instance of the knapsack problem. We already indicated in Example 2.1 how this can be done using super-increasing vectors. The construction will now be given in a somewhat more detailed form. A knapsack vector A = (at, ... , an) is increasing (resp. super-increasing) iff

holds for all j = 2, ... , n. Clearly, every super-increasing vector is increasing. For a knapsack vector A we define max A

= max(ajll セ@ セェ@

n).

Let x be a nonnegative number. We denote by [x] the integer part of x, that is, the greatest integer セ@ x. For integers x and m セ@ 2, we denote by (x, mod m) the least nonnegative remainder of x modulo m. It is easy to see that (x, modm)

=x-

[x/m] om.

3.1 A Trapdoor is Built

79

This equation will be often, especially in Section 3.3, written in the form x = (x, modm)

+ [x/m]·m

.

We now define two variants of the notion of modular multiplication. Consider a knapsack vector A, an integer m > max A and a positive integer t < m such that the greatest common divisor (t, m) = 1. If B = (b 1 , ••• , bn ) is a vector such that bi = (ta i , modm),

for i = 1, ... , n,

we say that B results from A by modular multiplication with respect to the modulus m and multiplier t or, briefly, with respect to the pair (m, t). The condition (t, m) = 1 guarantees the existence of an inverse t- 1

=

u such that

tu == 1 (modm)

and 1 ::; u < m. This implies that also conversely A results from B by modular multiplication with respect to m and u. (Clearly m > max B because every b i is reduced modulo m.) If above the condition m > max A is replaced by the stronger condition n

m>

L ai'

we say that B results from A by strong modular multiplication with

i= 1

respect to m and t. Observe that now we cannot conclude that A results from B by strong modular multiplication with respect to m and u because the inequality n

m>

L bi

does not necessarily hold. Of course, A results from B by modular

i= 1

multiplication with respect to m and u. A cryptosystem designer now chooses A, t, m, B such that A is super-increasing and B results from A by strong modular multiplication with respect to m and t. B is publicized as the encryption key, and n-bit blocks are sent to the designer as numbers f3 obtained from B in the way described above. An eavesdropper has to solve the instance (B, f3) of the knapsack problem. The designer computes IX = (uf3, mod m) and solves the instance (A, IX). Why this work is summarized in the following lemma.

Lemma 3.1. Assume that A = (aI' ... ,an) is super-increasing and B results from A by strong modular multiplication with respect to m and t. Assume further that u == t- 1 (mod m), f3 is arbitrary and IX = (uf3, mod m). Then the following assertions hold true. (i) The knapsack problem (A, IX) is solvable in linear time. If a solution exists, it is unique. (ii) The knapsack problem (B, f3) has at most one solution. (iii) If a solution to (B, f3) exists, it equals the unique solution to (A, IX). Proof. (i) It was shown in Example 2.1 that every knapsack problem with a superincreasing A can be solved in linear time by reading through A once from right to left. The method shows that there can be at most one solution. (ii) and (iii) Assume

80

3. Knapsack Systems

that an n-bit vector D is a solution to (B, P), that is, BD = p. Consequently, rx == up

= uBD == u(tA)D == AD (modm)

.

Since m exceeds the sum of the components of A, we must have AD < m. Since also rx < m, by the definition of rx, we conclude that rx = AD. Thus, D equals the unique solution to (A, rx). This shows (iii). Since we started with an arbitrary solution to (B, P) and showed that it equals the unique solution to (A, rx), we have established セ@

0

In our cryptographic application of Lemma 3.1 we know that (B, a solution: p was computed in a way to guarantee this.

P)

has

Example 3.1. Our first illustration is still manageable with a pocket calculator. Let n = 10 and consider the super-increasing vector

A =(103, 107,211,430,863, 1718,3449,6907, 13807,27610). Choose the modulus m = 55207 which is greater (by two) than the sum of the components of A. Choose further the multiplier t = 25236. Then (t, m) = 1 and t- 1 = u = 1061. Indeed, 1061' 25236 - 1 = 485' 55207 . As a result of the strong modular multiplication we now get

B=(4579,50316,24924,30908,27110, 17953,32732, 16553,22075,53620). For instance,

+ 47' 55207 and 1061' 4579 = 103 + 88' 55207 , 25236 '1718 = 17953 + 785' 55207 and 1061' 17953 = 1718 + 345' 55207 , 25236' 27610 = 53620 + 12620' 55207 and 1061' 53620 = 27610 + 1030' 55207 . 25236' 103 = 4579

The vector B is the public encryption key, whereas the items A, t, u, m constitute the secret trapdoor. Of course, the knowledge of m and either t or u enables one to compute the other items immediately. Let us now use the public key B and encrypt the plaintext IN FINLAND CHILDREN USED TO BE BORN IN SAUNA EVEN TODAY INFANT MORTALITY IS IN FINLAND LOWEST IN THE WORLD. We use first the numerical encoding, where the space between words gets the value 0 and the letters A-Z the values 1-26. The numerical encoding is expressed in bits. In fact, a complete list of the bit values was given in Example 2.1. Since B can be used to encrypt blocks of ten bits, our plaintext has to be divided into blocks consisting of two characters each. In what follows, we give first a plaintext block, then the numerical encoding and, finally, the encryption of the block as a decimal number. The cryptotext consists of the 53 numbers thus obtained, written one after the other so that individual numbers are distinguishable.

3.1 A Trapdoor is Built

IN F IN LA NO

01001 00000

01001 01100 01110

C

00000

HI LO RE N US EO T

01000 01100 10010 01110 10101 00101

0

BE B OR N IN S AU NA E VE N TO OA Y IN FA NT M

OR TA LI TY I S IN

00000

01111 00010 00000

01111 01110 01001 00000

00001 01110 00000

01110 00110 01110 00001 00100 00011 01001 00100 00101 00000

10011 00100 10100 00000

00101 00010 10010 00000

01110 10011 10101 00001 00101 00101

10110 01110 00000 10100 01111 00100 00001 11001 00000 01001 01110 00110 00001 01110 10100 00000 01101 01111 10010 10100 00001 01100 01001 10100 11001 00000 01001 10011 00000 01001 01110

148786 38628 148786 128860 122701 75695 136668 91793 105660 106148 150261 68587 34506 133258 101081 22075 173286 106148 148786 93648 115236 159768 70173 130584 106148 154483 78544 82005 148786 109452 140654 102905 173286 83123 161592 133808 86352 62597 148786

81

82

3. Knapsack Systems

F IN LA ND L OW ES T IN T HE W OR LD

00000 01001 01100 01110 00000 01111 00101 10100 01001 00000 01000 00000 01111 01100

00110 01110 00001 00100 01100 10111 10011 00000 01110 10100 00101 10111 10010 00100

38628 148786 128860 122701 49285 243459 145682 29503 148786 34506 120489 110201 173286 91793

We decrypt the first number 148786. Note first that 1061 . 148786

=

2859· 55207

+ 25133 .

Consider the knapsack problem (A, 25133). The solution is obtained by scanning A once from right to left. Whenever the number at hand is at least the currently scanned component of A, we get the bit 1 and the new number is obtained by subtracting the component from the number previously at hand. Otherwise, we get the bit 0 and the number at hand remains unaltered. The result can be expressed as follows. Number 25133 25133 11326 4419 970 970 107 107 107 0

Component of A 27610 13807 6907 3449 1718 863 430 211 107 103

Bit 0 1 1 1 0 1 0 0 1 0

The original bit vector, from which the plaintext IN results, can be read from the last column bottom up. In the decryption of the second number 38628 we obtain first 20714 which is treated similarly, and so forth. A further remark is in order. Assume that we try to proceed in the reverse order. Consider the plaintext block OR appearing three times. Encrypt it first with A,

3.1 A Trapdoor is Built

83

yielding 17136. Apply strong modular multiplication with respect to 55207 and 25236, yielding 7665. But (B, 7665) clearly possesses no solution. The simple explanation is that we cannot deduce an equation from a congruence (as in the proof of Lemma 3.1) because m is smaller than the sum of the components of B. Indeed, 7665 == 173286 (mod 55207) , and we should operate with 173286. Our second illustration is too big for a pocket calculator but still too small for real encryption. Realistic examples are very likely to become completely unreadable. The computations here, as well as in the final illustration in Example 4.1, are due to Kimmo Kari. Let now n = 20. Choose the modulus and multiplier

m = 53939986 and t yielding t- 1

=

= 54377 ,

u = 17521047. The super-increasing A is defined by: a1 a2 a3 a4 as a6 a7 as a9 a10 all a12 a13 a14 a1S a16 a17 a1S a19 a20

101 102 206 412 823 1647 3292 6584 13169 = 26337 = 52676 = 105352 = 210703 = 421407 = 842812 = 1685624 = 3371249 = 6742497 = 13484996 = 26969992

Strong modular multiplication gives now the following publicized vector B:

= 5492077 = 5546454 = 11201662 = 22403324 bs = 44752271

b1 b2 b3 b4

84

3. Knapsack Systems

35618933 = 17189126 = 34378252 = 14870895 b lO = 29687413 bl l = 5543594 b12 = 11087188 bl3 = 22119999 bl4 = 44294375 blS = 34540010 bl6 = 15140034 b l7 = 30334445 blS = 6674527 bl9 = 13457808 b20 = 26915616

b6 b7 bs b9

=

Let us encrypt the following plaintext about sauna: IF YOUR FEET CARRY YOU TO SAUNA THEY SURELY CARRY YOU BACK HOME IF SAUNA ALCOHOL AND TAR DO NOT CURE YOUR DISEASE IT MUST BE FATAL. As before, empty space is encoded as 0, and the letters A-Z get the numbers 1-26. Five bits per number are required in binary notation. Since n = 20, four plaintext characters are encrypted at the same time. The encoding, divided into sequences of 20 bits, looks as follows. I F Y OUR FEET CAR RY Y OU T o SA UNA THEY SUR ELY CARR Y YO U BA CK H OME I F S

01001 01111 00110 00000 10010 01111 01111 10101 10100 00000 00101 00011 11001 10101 00011 01111 01001

00110 10101 00101 00011 11001 10101 00000 01110 01000 10011 01100 00001 00000 00000 01011 01101 00110

00000 10010 00101 00001 00000 00000 10011 00001 00101 10101 11001 10010 11001 000 10 00000 00101 00000

11001 00000 10100 10010 11001 10100 00001 00000 11001 10010 00000 10010 01111 00001 01000 00000 10011

3.1 A Trapdoor is Built

AUNA ALC OHOL AND TAR DO NOT CURE YOU R DI SEAS E IT MUS T BE FAT AL

00001 00000

01111 00000 00000

00000 01110 00011 00000

10101 00001 01000 00001 10100 00100 01111 10101 11001

10010 10011 00101 00000 10100

00000

00000

00110 01100

00001

00101 00000

01101 00000

01110 01100 01111 01110 00001 01111 10100 10010 01111 00100 00001 01001 10101 00010 00001

00101 10101 01001 10011 10100 10011 00101 10100

00000

00000

85

00001 00011 01100 00100 10010 00000 00000

The cryptotext consists now of the following numbers (see the remark below at the end of Example 3.1): 1 344 5 270 1 174686956 19062 368 3 102 548 440 2 142 7 5 7 1 2 183 764 3 5 0 153 594 3 6 3 161 8 506 7 2 220 5 293 7 5 201 154 1 1 5 1 6 8 406 1 7 6 148 193 337 1 803 342 1 6 7 141 1 380 128 8 0 2 9 6 0 20756 1 967 1 1 759 5 8 3 1 14927 398 7 6 5 8 3 1 272 245 563 381

86

3. Knapsack Systems

8 3 1 8 3 529 142 5 7 7 6 6 7 124 1 7 7 205 197 5 7 760 1 17124 8 360 24788 1 195 1195237 14 1 9 146 342 3 12825 8 322 2 2 743 3 368 67473008 124 7 8 005 3 8 1 5 5 440 8 The legal recipient multiplies these numbers by u (mod m), and goes back to the super-increasing A. For instance, the multiplication of the first number gives 15488011. When solving this with respect to A, we get similarly as in our first illustration: Number

Component of A

Bit

15488011 15488011 2003015 2003015 2003015 317391 317391 317391 106688 1336 1336 1336 1336 1336 1336 1336 513 101 101 101

26969992 13484996 6742497 3371249 1685624 842812 421407 210703 105352 52676 26337 13169 6584 3292 1647 823 412 206 102 101

0 1 0 0 1 0 0 1 1 0 0 0 0 0 0 1 1 0 0 1

3.2 How to Find the Trapdoor

87

Our encryption procedure in this second illustration was exceptional: the order of the components of B was reversed before encryption. Thus, to get the first encrypted number 134452701 we formed the sum b I9 + b I6 + b13 + b I2 + b5 + b4 + b l . This procedure follows the analysis of A from right to left in the table above. However, the procedure will not be repeated in the sequel because it is unnatural from the point of view of vector multiplication. 0

3.2 How to Find the Trapdoor We face the following cryptanalytic task. A knapsack vector B = (b l , . . . , bn ) is known to us. B is used as a public encryption key in the manner described above. We also know that B is obtained by strong modular multiplication from a superincreasing vector A, with respect to a modulus m and multiplier t. All ofthe items A, m and t are unknown to us. We want to find them. What interests us most directly is to find m and t - I == u (mod m). Knowing m and u we can immediately compute A and decrypt any cryptotext. The computation of u from t, or vice versa, amounts to one application of Euclid's algorithm and can be done fast. The cryptanalytic setup here is encryption key only. Often this means that more time is available because the analysis of the system can be carried out before important cryptotexts have been sent. This section discusses A. Shamir's cryptanalytic approach. The resulting algorithm runs in polynomial time. However, it is to be emphasized that a classification of cryptosystems into bad and good is overly simplified if it focuses only on the condition whether or not a polynomial time algorithm for the cryptanalysis is known. The degree of the polynomial is very important in cryptography. Moreover, as we have already emphasized, knapsack systems are very versatile for producing modifications to overcome known cryptanalytic attacks. When we say that an algorithm runs in polynomial time, we have to be careful in defining the size of an instance B, the algorithm being polynomial with respect to the size. We have to consider a family of knapsack vectors B whose sizes grow to infinity. There are two parameters contributing to the size of a vector B: the number n of the components and the sizes of the individual components bi' If either one of the parameters is kept bounded from above, the resulting knapsack problems can be solved trivially in polynomial time. Indeed, if each bi in every vector considered is less than some constant C, the total number of vectors is finite and, hence, there is some fixed time bound such that every knapsack problem considered can be solved within this time bound. On the other hand, if always n < C then every knapsack problem considered can be solved in linear time, where the coefficient is the constant 2e. It is customary to choose the number n of components as the size and to give bounds for the components in terms of n. It is to be emphasized that all such bounds for the components are artificial from a mathematical point of view and restrict the generality of the problem because only a very small number of

88

3. Knapsack Systems

instances fall within the bounds. This is apparent also in view of the general theory of Section 3.3. In [Sh2], the bounds are given as follows. A proportionality constant d > 1 is fixed. Then the modulus m consists of dn bits. The component ai' 1 ::;; i ::;; n, of the super-increasing vector A consists of dn - 1 - n + i bits. If d is not an integer, dn is replaced by· [dn]. The leading bit is 1 in every number. This guarantees that A is always super-increasing and that one can choose m to exceed the sum of the components of A. In the original paper, [MeH], the choices n = 100 and d = 2 were recommended. This means that m consists of 200 bits and the components a l , . .. , alOO grow in size from 100 to 199 bits. In constructing the algorithm the initial observation is that it is not necessary to find the inverse multiplier u and modulus m actually used by the designer of the cryptosystem. Any pair (u, m) will do, provided u and m satisfy the conditions of modular multiplication as regards B, the result A of such a modular multiplication is super-increasing and m exceeds the sum of the components of A. (This implies that B results from A by strong modular multiplication with respect to m and u- I = t.) Such pairs (u, m) are referred to as trapdoor pairs. Once we have found a trapdoor pair, Lemma 3.1 becomes available, and we may decrypt using the resulting super-increasing vector. This is quite independent of whether or not our trapdoor pair and the resulting super-increasing vector are the ones actually used by the cryptosystem designer. On the other hand, the existence of at least one trapdoor pair is guaranteed by the fact that cryptosystem designer made use of such a pair. (Using the terminology of Section 3.3, we know a priori that the given knapsack vector B is super-reachable.) To find a trapdoor pair (u, m), we first consider the graphs of the functions biu (mod m) for all values i = 1, ... , n. The graph of biu (mod m) consists of straight line segments, where the values u = pm/bi' p = 1, 2, ... , are discontinuation points of the function. Thus, the graph of the function biu (mod m) has the sawtooth form of Fig. 3.1. This sawtooth curve is considered for each i = 1, ... , n.

m

m

Fig. 3.1

Recall that (b i u, mod m) = aI' where u is not a variable but the actual inverse multiplier we are looking for. Since a 1 is the first component in a super-increasing vector and m exceeds the sum of all components, a l must be very small in

3.2 How to Find the Trapdoor

89

comparison with m. This implies that the trapdoor pair value of u must be close to some minimum of the b 1-graph. An explicit estimate concerning how close it must be presupposes some conventions (such as those indicated above) about the sizes of a1 and m, as well as about the expected value of b1 • Usually bda i is very large for small values of i. However, the cryptosystem designer may take care of that bdai < 1 for some values of i. Then some distances will be much larger than expected, which causes serious difficulties for the cryptanalyst. Similarly we see that the trapdoor pair value of u must be close to some minimum of the b2 -graph. This implies (by the triangular inequality) that the two minima of the be and b 2 -graphs must be close to one another. One can proceed in the same way and consider more sawtooth curves. The fact that the trapdoor pair value of u is close to a minimum on each curve implies that all these minima are close to one another. Thus, instead of trying to find u itself, we may try to find "accumulation points" of the minima of our sawtooth curves. This amounts to constructing a small interval containing a minimum of each sawtooth curve. From this interval we also find a trapdoor pair value of u. By heuristic calculations (see [Sh2]) one can show that, for the value d = 2 of the proportionality constant, it suffices to analyze only four sawtooth curves to get a manageable (not too big) set of accumulation points for their minima. Any accumulation point of minima of all curves is among the accumulation points constructed for the minima of the four curves mentioned. We now come to the problem of how to express these ideas in terms of inequalities. The first obstacle is that we do not know any value of a modulus m appearing in a trapdoor pair. This obstacle is easily overcome. We reduce the size of the picture so that m becomes 1. In other words, the lengths are divided by m. This operation does not affect the location of the accumulation points in which we are interested. For instance, if there was a bi-minimum near the seventh b3 minimum before the size reduction, the same certainly holds true after the size reduction. The algorithm for finding a trapdoor pair consists of two parts. In the first part, we find candidates for an integer p such that the pth minimum ofthe becurve is an accumulation point we are looking for. The second part of the algorithm tests the candidates one by one. One of the tests has to succeed because the trapdoor pair value of u used by the cryptosystem designer determines one accumulation point. A specific precaution has to be taken. The first part of the algorithm might produce too many (in comparison with the size of the problem) candidates for p. Therefore, we fix in advance a parameter r indicating the maximum number of candidates allowed. If the first part of the algorithm produces r + 1 candidates for p, the algorithm terminates and reports failure. The algorithm is stochastic with a negligible probability of failure. On the other hand, we do not have to consider all components b 2 , ..• , bn in the first part of the algorithm, but may fix in advance the value of another parameter s < n and consider only the components b2 , ••• ,bs • In other words, the first part of the algorithm produces numbers p such that the pth minimum of the becurve is nearby some minimum of the bi-curve, for i = 2, ... , s. Thus the values i > s are not considered at all in the first part of the algorithm, and it is very likely that

90

3. Knapsack Systems

entirely wrong values of p are produced. However, the second part of the algorithm checks through all values of i, 2 セ@ i セ@ n. A candidate p is rejected if, for some i, there is no minimum of the b;-curve near the pth minimum of the b 1-curve. We already pointed out that s = 4 is in many cases a reasonable choice. Consider the first part of the algorithm in more detail. The u-coordinate of the pth minimum of the b 1-curve is p/b 1 • (Recall that we reduced the picture in such a way that the modulus equals 1.) Hence, the condition that some minimum of the b2 -curve lies near the pth minimum of the bccurve can be expressed as -

E

1, but the vector may still be super-reachable. For instance, in the fundamental paper [MeH] about knapsack-based cryptosystems, the vector B = (25,87,33) is obtained from the super-increasing vector A = (5, 10,20) by two strong modular multiplications, with respect to the modulus-multiplier pairs (47, 17) and (89, 3). It is also shown that B cannot be obtained from A by one strong modular multiplication. However, B is super-reachable because it is obtained from (2, 3, 66) by strong modular multiplication with respect to the pair (99, 62).

3.3 Theory of Reachability

97

We require strong modular multiplication because then Lemma 3.1 becomes available. If we have only modular multiplication, it is not guaranteed that a solution of (B, 13) equals the only solution of (A, CL), where CL results from 13 by the corresponding inverse modular multiplications. This conclusion can be made if the original multiplications are strong, even if there are several of them. The following result is a basic tool in constructing examples of vectors that are not r-hyper-reachable.

Theorem 3.1. Every r-hyper-reachable vector is injective. Hence, every super-reachable vector is injective. Proof The theorem is a consequence of the following facts (i) and (ii).

(i) Every super-increasing vector is injective. Indeed, the algorithm described in Example 2.1 shows that any knapsack problem (A, CL), where A is super-increasing, possesses at most one solution. (ii) Strong modular multiplication preserves injectivity. Assume that B results from A by strong modular multiplication with respect to the pair (m, t). Assume, further, that BC = BC' for some bit vectors C and C'. Clearly, A results from B by modular multiplication (m, u), where u is the inverse of t. Because we have uBC = uBC' by assumption, we have also AC == AC' (mod m). Since m exceeds the sum of the components of A, this congruence must be an equation: AC = AC'. By (i) we conclude that C = C' and, hence, B is injective. D For instance, if some component in a vector equals the sum of some other components, the vector cannot be r-hyper-reachable. Consider a knapsack vector A = (ai' ... ,an), an integer m > max A and a positive integer t < m such that (t, m) = 1. The growing sequence associated with the triple (A, t, m) is the sequence of triples (A(k), t, m + kt), k = 0, 1.2, ... , where A(k) = (a 1

+ k' [ta 1 /m], ... , an + k' [tan/m])

.

Thus, the growing sequence begins with (A, t, m). The terms multiplier and modulus refer also to the number t and m + kt in the triple (A(k), t, m + kt). For instance, if A = (1, 2, 3), t = 4, m = 5, then the growing sequence begins with the triples ((1,2,3),4,5),

((1,3,5),4,9)

and

((1,4, 7), 4, 13) .

If A = (1,4, 7), t = 3, m = 8, then the growing sequence is

((1,4 + k, 7 + 2k), 3, 8 + 3k),

k

= 0, 1,2, ...

A number i, 2 :s; i :s; n, is termed a violation point in a knapsack vector A iff i-1

ai:S;

La

j •

j= 1

Thus, the i-th component of A violates the requirement of A being super-increasing. If A is increasing, every violation point i in A satisfies i セ@ 3.

98

3. Knapsack Systems

The goal of a triple (A, t, m) is the first triple (A(k), t, m + kt) in the growing sequence such that A(k) is super-increasing and m + kt is greater than the sum of the components of A (k), provided such triples exist. Clearly, a triple can be its own goal and some triples have no goal. In particular, if A is not increasing, then (A, t, m) cannot possess a goal. This follows because ai > ai+l implies that [ta;/m] セ@ [tai+ tim] and consequently, for all k,

ai + k· [ta;/m] > ai+ 1

+ k· [tai+ tim] . Returning to the two examples considered above, i = 3 is a

violation point in the initial vector of the first sequence. The third triple is the goal of the sequence. The second sequence possesses no goal because the modulus will never become big enough. Next we define a notion in some sense dual to that of a growing sequence. Let (A, t, m) be a triple defined as in connection with growing sequences. The diminishing sequence associated with the triple (A, t, m) is the sequence of triples (A( - k), t, m - kt), k = 0, 1,2, ... , where the vectors A( - k) are defined by descending induction as follows. A( - 0) = A. Assume that A( - k) = (d 1 , ••• , dn) has been defined and that we still have m - kt > max A ( - k). (The inequality holds for k = 0, by the choice of the original triple.) Then

A( - k - 1)

= (d 1

-

[tdt!(m - kt)], . .. , dn - [tdn/(m - kt)]) .

Diminishing sequences are always finite, whereas growing sequences are infinite. However, in the sequel only finite initial segments of growing sequences will be of interest. We will now develop the technical tools needed for the algorithms. We begin with properties of growing sequences. In Lemmas 3.2-3.4, the notation A, t, m, A(k) is the same as in the definition of a growing sequence. Lemma 3.2. If A is increasing or super-increasing, then each vector in the growing sequence associated with (A, t, m) is increasing or super-increasing, respectively.

Proof The inequality ai-l < ai implies the inequality [tai- tim] if A is increasing then so is every A(k). Assume, next, that セ@

[ta;/m]. Hence,

i-I

L.

aj < ai



j; I

Consequently,

This implies that, whenever A is super-increasing, then so is every A(k).

D

Lemma 3.3. If B = (b l , ••• ,bn) results from A by modular multiplication with respect to (m, t), then B results also from every A(k) by modular multiplication with respect to (m + kt, t). This holds true also if"modular multiplication" is replaced by "strong modular multiplication".

3.3 Theory of Reachability

99

Proof We infer by the assumption: hi

Clearly, (t, m + kt)

=

=

(ta i, modm),

for 1 :0::; i:o::; n .

1. For all k,

t(a i + k' [tadm])

hi

=

+ [tadm] . m + [tadm] . kt

= hi + [tadm] (m + kt) . Since hi < m + kt, we conclude that (t(a i + k' [tai/m]), mod(m

+ kt)) = hi .

This means that B results from A(k) by modular multiplication with respect to (m + kt, t). Assume that B results from A by strong modular multiplication with respect to (m, t). This implies that n

L ai m l ) is the transposed version of (A, t, m). If B results from A by modular multiplication (resp. strong modular multiplication) with respect to (m, t) and max B < t, then B results also from Al by modular multiplication (resp. strong modular multiplication) with respect to (ml' t 1)' If B is super-reachable, then B is (A', t', m')-super-reachable with t' ::;:; max B. Proof Clearly, tl < t. We may repeat the construction of replacing a triple by its transposed version until a triple with t' ::;:; max B is reached. Assume that B results from A by modular multiplication with respect to (m, t) and t > max B. Consequently, (ta i , mod m) = bi' for 1 ::;:; i ::;:; n. This implies that

f-t [tadmJ == bi - ta i == bi (mod t) .

102

3. Knapsack Systems

Since bi

セ@

max B < t, we may write further (tl [ta;/m], mod t) = bi

,

which shows that B results from Al by modular multiplication with respect to (m l , t d. Also the claim concerning strong modular multiplication follows because n

L ai' then

if m >

i= I

n

n

i= I

i= I

L tadm セ@ L [tadm]

t>

.

To prove the last sentence of Lemma 3.5, it suffices to show that if A is super-increasing then so is A I ' The assumption of A being super-increasing implies, for 2 セ@ i セ@ n, i-I

L taim < tadm .

j= I

Hence, i-I

(*)

L [taim] セ@

[tadm] .

j= I

Assume that we have equality in (*). Then i-I

L m[taj/m] = m[tadm]

j= I

and consequently, i-I

L (ta j -

b)

=

ta i

ai

-

-

bi

,

j=1

which can be written in the form bi

(

i-I

Lb

-

j

= t

i- 1

j=1

セ@

aj

) •

j=1

Since the coefficient of t is positive, we infer i-I

t セ@

bi

-

Lb

j

< bi セ@ maxB.

j= I

Since this contradicts the assumption t > max B, we must have strict inequality in D (*). Since i was arbitrary, we conclude that Al is super-increasing. As an illustration, we observe that the vector B = (46,45,40,30) is ((4,5,10,20), 49,50)-super-reachable. By Lemma 3.5, it is also super-reachable from each of the triples ((3,4,9,19),48,49),

((2,3,8,18),47,48)

In the last triple the multiplier is セ@ max B. We now discuss diminishing sequences.

and

((1,2,7,17),46,47).

3.3 Theory of Reachability

103

Lemma 3.6. Assume that B results from A by modular multiplication with respect to (m, t) and that, furthermore, m > 2 max Band t ::;; max B. Then B results also from A( - 1) by modular multiplication with respect to (m - t, t). Moreover, if A is increasing then so is A ( - 1). Proof We use our customary notation A = A( - 0) = (ai' ... , an) B = (b i , . . . , bn ). Then the i-th component of A( - 1), 1 ::;; i ::;; n, is

and

ai - [taJm] . Multiplying this by t and using our assumption we obtain

ta i - t[taJm]

= bi + m[taJm] - t[taJm]

= bi + (m - t) [taJm] == bi (mod (m - t)) . Because by our assumptions m - t > maxB セ@

bi' we obtain

= bi .

(t(a i - [taJm]), mod(m - t)) Observe that

m > 2 t,

(*)

yielding m - t > t ,

and clearly (t, m - t) = 1. The first assertion now follows if the new modulus is big enough. Assume the contrary: ai - [taJm] セ@ m - t, for some i. We multiply this by t, use the above expression for ta i and the assumption m > 2 max B, obtaining

t(m - t)::;; bi + (m - t)[taJm]

m

(n) = 1 (mod n), yielding W ed - 1 ='1 (mod n), Hence,

If exactly one of p and q, say p, divides w, then wq succession

wq>(n) = 1 (mod q),

wjq>(n) = 1 (mod q),

1

=1 (mod q), yielding in

wed = w (mod q) .

Since the last congruence is clearly valid also modulo p, we obtain (*) also in this case. If both p and q divide w, we clearly have wed w (mod n), from which (*) follows as before. 0

=

4.1 Legal World

127

Consider again n = 2773. If we choose the block size 4, it may happen that decryption does not lead back to the original plaintext w, for instance, when W = 3773. We now discuss the cryptosystem design, that is, how the different items are generated. In general, when we say that a random number is chosen or that we select something randomly, then we are using a random number generator, for instance, a computer program generating a sequence of digits that possesses as many statistical properties of a random sequence as possible. We do not discuss here any details concerning random number generators. To select the two large random primes p and q, one chooses randomly an odd integer r of appropriate size (say 100 digits) and tests it for primality. Primality tests are described in Section 4.3. In case of a negative answer, r + 2 is tested, and so forth. By the prime number theorem, there are approximately

100-digit primes. (Here In refers to the natural logarithm.) When this number is compared with the number (10 100 - 1099 )/2 of all 100-digit odd integers, we see that the probability of success for an individual test is approximately .00868. Once p and q have been chosen, candidates for d are tested by Euclid's algorithm. When d satisfies (d, cp(n)) = 1, the chain of equations obtained from Euclid's algorithm gives immediately also e. An operation needed for both encryption and decryption is modular exponentiation, that is, computing (a r , mod n). This can be done much faster than by repeatedly multiplying a by itself. The method we are referring to is squaring. After each squaring reduction modulo n takes place. In this way numbers greater than n 2 are never encountered. More specifically, we consider the binary representation of r, k

r =

L

xj2j,

Xj = 0, 1; k = [log2 r]

+ 1.

j;O

Provided we know all numbers (*) (a r , mod n) can be computed by forming at most k - 1 products and reducing each product modulo n. Thus, it suffices to compute the numbers (*), which involves

k modular squarings, and in addition at most k - 1 modular products. This means computing at most 2k - 1 products with both factors less than n and reducing the products modulo n. If r is large and cp(n) is known then r may be first reduced modulo cp(n). For instance, to compute (7 83 , mod 61), we note that 760 == 1 (mod 61). Hence, we may compute (723, mod 61) as well.

128

4. RSA

By successive squarings, we obtain the powers of 7 where the exponent is a power of 2: j

7 2J

0

1 234

7 49 22 57 16

Since 23 = 10111, we obtain the desired result (723,

mod 61) = (16(22(49' 7)), mod 61) = 17 .

Sometimes one is lucky and finds the result even much faster. This is significant especially if the available computing power is low. For instance, in computing (191 239 , mod 323) one observes first that 191 4 == 1 (mod 323),

yielding 191 236 == 1 (mod 323) .

Since (191 3 , mod 323) = 115, one concludes that 115 is the answer also to the original question. We have already considered the modulus n = 2773, and will still return to it in Example 4.1. To compute (1920 17 , mod 2773), we consider first the powers of 2 as exponents: 3 4 j o 2 1920 2i

1920 1083 2683 2554 820

We conclude that (1920 17 , mod 2773) = (1920' 820, mod 2773) = 2109 . Since 17 - 1 = 157 (mod 2668), we may still verify the result by computing similarly (2109 157 , mod 2773) = 1920. Observe that 2773 = 47' 59 and (n) = 2668, e = 17, d = 157. Now the plaintext, encoded as a sequence of decimal digits, is divided into blocks of four digits. As we saw above, this might lead to a small ambiguity in the decryption process. However, no ambiguities will arise if the original plaintext is written using the 26 letters of the English alphabet, in which case the largest 4-digit number will be 2626. Let us make use of the additional dimension of security of a plaintext written in Finnish and encrypt the text SAUNOIN TAAS (I took a sauna bath again). The numerical encoding with the space getting the value 00 is as follows: Plaintext block Encoding

SA

UN

1901 2114

01

N-

TA

AS

1509 1400 2001 0119

The modular exponentiations needed for encryption are carried out by squaring, as seen from the next table. Plaintext w

w2 w4 w8 W 16

Cryptotext w1 7

1901

2114

1509

1400 2001

0119

582 1693 448 2262 2562 296 418 1740 1048 459 153 1653 25 2257 196 2706 1225 1004 625 48 2367 1716 432 1417 1281 1644 179 982 2029 2243

4.1 Legal World

131

The result can be checked by raising similarly the cryptotext e to the power 157. For instance if e = 1644, we obtain e 2 = 1834,

e4 = 2680,

e 8 = 330,

e l6 = 753,

e32 = 1317, e 64 = 1364, e l28 = 2586, e l44 = 612, e l52 = 2304,

e l56 = 2022,

e 15 ? = 2114.

For our final illustration, we consider the subsequent numbers. p

= 3336670033 ,

q = 9876543211 ,

n = 32954765761773295963 , ·nI2. This procedure can be carried out until the intervals become so small that x is uniquely determined by the interval to which it belongs. We will now present the details explicitly. It will be convenient to use also the oracle O(parity) that will tell the parity of x. If we work with binary notation, O(parity) is naturally depicted as follows.

n, e, (x e , mod n) セ@

o(parity) L.-_ _ _- '

o

----I..

if x is even, if x is odd.

Fig. 4.3

Thus, the oracle tells the last bit of x. We will now show how, using O(parity), x can be constructed bit by bit from the right. Denote by N the number of bits in n (where 1 is the leading bit). Thus, N = [logz n] + 1. We also use the operators Band M producing from a number > 0 the corresponding binary sequence, and vice versa. For instance, B(91) = 1011011 and M(1011011) = 91. B(x) always begins with 1. The operators Band M are sometimes needed to avoid confusion. For two sequences of bits, t and u, we denote by tu the sequence of bits obtained by writing t and u one after the other. The sequence tu is refeued to as the catenation of t and u. As usual, we denote by It I the length of the sequence t. If M(t) セ@ M(u), we denote by LAST(t - u) the last lui bits in the sequence B(M(t) - M(u)), where O's are added to the beginning if B(M(t) - M(u)) < lui. In general, if LAST(t - u) = v then Ivl = lui and, for some w, B(M(t) - M(u)) is a suffix of wv. For instance, LAST(1011011 - 1010111) = 0000100 , LAST(1011011 - 111) = 100 . In the first case w is empty and, in the second case, w = 1010. The condition M(t) セ@ M(u) guarantees that LAST(t - u) is always defined. Let K be the inverse of 2e (mod n), that is, 2 e K == 1 (modn).

150

4. RSA

The number K is found rapidly by Euclid's algorithm. Given (x e , mod n), we now define inductively r(i) and ANS(i), for 1 セ@ i セ@ N. By definition, r(l) = (x e , mod n) and ANS(I) is the answer given by O(parity) to the input xe. (We express the input in this short form because the items nand e remain unaltered during the discussion.) Assume that r(i - 1) and ANS(i - 1) have already been defined, for some i 2:: 2. Then r(i)

= {(r(i

- I)K, modn) if ANS(i - 1) = 0 , ((n - r(i - 1»K, mod n) if ANS (i - 1)

=1,

and ANS(i - 1) is the oracle's answer to the input r(i - 1). Observe that it follows from the definition that r(i) is of the form (ye, mod n), for some y. Secondly, we define t(i), N 2:: i 2:: 1, by descending induction. First, t(N)

= ANS(N) .

Assume that t(i), i 2:: 2, has already been defined. Then t(i)O t(i - 1)

=

{

if ANS(i - 1) = 0 ,

LAST(B(n) - t(i)O)

if ANS(i - 1) = 1 and

M(t(i)O)

LAST(t(i)O - B(n»

if ANS(i - 1) = 1 and

M(t(i)O)

n

, .

Here the separation of ANS(i - 1) into two subcases is needed to guarantee that LAST is defined. In fact, the latter subcase occurs iff i = 2 and M(t(2) > n12. For instance, n = 21, B(n) = 10tOl and t(2) = 1101. As an example, take the first illustration in Example 4.1. We have n = 55, e = 7, N = 6 and B(n) = 110111. Euclid's algorithm gives K = 52. Assume that x e = 49. (We write x e instead of (x e, mod n) for simplicity.) We obtain first r(l) = 49, r(2)

== 49·52 == 18, ANS(2) = 0,

r(3) == 18·52 == 1 , r(4)

ANS(l) = 0 ,

ANS(3) = 1 ,

== 54·52 == 3 , ANS(4)

= 1,

r(5) == 52·52 == 9 ,

ANS(5) = 0 ,

r(6) == 9·52 == 28,

ANS(6)

= 1.

Of course, the values ANS(i) are not computed but obtained from the oracle. In this simple case they can be seen from the table given in Example 4.1. Let us now compute the values t(i). The values t(6) = 1 and t(5) = to are immediate by the definition. Since ANS(4) = 1, we obtain t(4)

Similarly, t(3)

= LAST(llOlll - 100) = 011 .

= LAST(lt0111

- 01 to)

= 0001

.

The remaining values are again obtained by direct catenation: t(2) = oooto and t(l) = 000100. It can now be immediately verified that t(l) is the binary representa-

4.S Partial Information on RSA

lSI

tion of X in N bits: 47 == 49 (mod 55) . This is true also in general.

Theorem 4.3. In the notation defined above, M(t(I» = x .

Before proving Theorem 4.3, we observe that the oracle has to be consulted N times in order to find x. In addition, one application of Euclid's algorithm, as well as at most N - 1 modular multiplications and at most 2N subtractions are needed. Thus, the cryptanalytic algorithm for finding x is very fast if the oracle may be consulted without cost. In this sense a method for finding the last bit of the plaintext yields a method for finding the entire plaintext. Proof of Theorem 4.3. For 1 :s;; i:s;; N, we denote by u(i) the number satisfying u(W == r(i) (mod n),

0 < u(i) < n .

Such numbers u(i) exist by the definition of r(i). More specifically, the relation ± r(i - 1) (modn) shows how the numbers u(i) can be constructed successively. We denote also

2e r(i) ==

v(i) = OJ B(u(i)) ,

wherej = N -IB(u(i))l. Then j セ@ 0 because u(i) < n. Thus, v(i) is always a binary sequence of length N. We now claim that, for N セ@ i セ@ 1, there is a w(i), possibly empty, such that (*)

v(i) = w(i)t(i) .

Theorem 4.3 follows from (*) where we substitute i = 1. Observe first that It(I)1 = N because It(N)1 = 1 and the length increases by one in every transition from t(i) to t(i - 1). Since IV(I)1 = N, (*) implies that w(l) must be empty and that v(l) and t(l) are the same binary sequence. On the other hand, M(v(I» = x and, consequently, M(t(I» = x. Our claim (*) is established by descending induction on i. For i = N, (*) holds true because by definition the last bit of v(N) equals the last bit of B(u(N)) which, in turn, equals ANS(N) = t(N). The inductive hypothesis is that (*) holds for the value i. Consider the value i - 1. Assume first that ANS(i - 1) = o. Then r(i) = (r(i - I)K, mod n)

and, consequently, r(i - 1)

== 2e r(i) == (2u(iW (mod n) ,

which implies that u(i - 1) = (2u(i), mod n). If B(u(i - 1) the inductive hypothesis and the definition of t(i - 1), v(i - 1)

= w(i -

l)t(i)O

= w(i -

= B(u(i))O we obtain, by

l)t(i - 1)

and, therefore, (*) holds for the value i-I where w(i - 1) is obtained from w(i) by

152

4. RSA

omitting one 0 from the beginning. On the other hand, B(u(i - 1)) -=I B(u(i))O implies that u(i - 1) = 2u(i) - n. (Clearly, 2u(i) < 2n.) Hence, u(i - 1) is odd, which contradicts the assumption ANS(i - 1) = O. This shows that B(u(i - 1)) = B(u(i))O. Assume, secondly, that ANS(i - 1) = 1. In this case r(i - 1) == - 2e r(i) == - 2e u(W == (- 2u(iW (mod n) .

Here the last congruence follows because e is odd. This implies that u(i - 1) = (- 2u(i), mod n). If n > 2u(i), then v(i - 1)

= w(i -

l)LAST(B(n) - t(i)O)

= w(i -

l)t(i - 1) .

If n < 2u(i), then v(i - 1) = w(i - l)LAST(t(i)O - B(n)) = w(i - l)t(i - 1) .

The two alternatives correspond to the separation of ANS(i - 1) = 1 into two subcases in the definition of t(i - 1). This completes the inductive step and, consequently, (*) holds. 0 The following Example 4.2 illustrates further various points in the above construction.

Example 4.2. Let us see first how u(i) and v(i) look like in the illustration given just before Theorem 4.3. Here again the table in Example 4.1 is useful. We obtain

= 7, u(5) = 14, u(4) = 27, u(3) = 1, u(2) = 2, u(l) = 4, u(6)

= 000111 , v(5) = 001110 , v(4) = 011011 , v(3) = 000001 , v(2) = 000010 , v(l) = 000100 . v(6)

Comparing the values v(i) and the previously computed values t(i), we infer that w(l) is empty and

= 0,

= 00,

= 011, w(5) = 0011, w(6) = 00011 . As a second illustration, consider n = 57, e = 5, (x e, mod n) = 48. We obtain first N = 6, B(n) = 111001, K = 41, and then the following values. w(2)

w(3)

w(4)

2 r(i) ANS(i) t(i) u(i) v(i)

48 1 100001 33 100001

3

4

15 27 24 0 1 0 01100 0110 011 12 6 3 001100 000110 000011

5

6

12 1 11 27 011011

21 1 1 15 001111

4.5 Partial Information on RSA

153

The next illustration is somewhat bigger. Consider n = 8137, e = 517, (x e , modn) = 5611. In this case we have N = 13, B(n) = 1111111001001,

2 517 = 2512 • 32 == 6905' 32 == 1261 (mod 8137) , whence K

= 342. The resulting values

1 2 3 4 5 6 7 8 9 10 11 12 13

r( i)

ANS(i)

5611 6767 3406 1261

0 0 0 0 1 0 0 1 0 0 0 1 0

7795 5091 7941 1936 3015 5868 5154 3061

of r(i), ANS(i) and t(i) are as follows.

t(i)

OOOOOOOO 10000 00000000 1000 00000000 100 0000000010 000000001 11100100 1110010 111001 01000 0100 010 01 0

Consequently, x = M(t(l)) = 16. The table can be filled in fast if the oracle can actually be consulted. However, because we do not have any oracle available, the values in the table have to be computed by some other method. Such a method cannot be tractable computationally or, otherwise, we are able to break RSA! In the computations above x = 16 was known a priori. Then the t- and ANS-columns can be computed top down. Once the ANS-column is known, the computation of the r-column is immediate. In this particular example we have 1 such that (mj, mj ) = 1 whenever i "# j. Let aj' i = 1, ... ,t, be integers with 0 セ@ ai < mj' (In fact, a;'s could equally well be arbitrary integers.) Let M be the product of all the m;'s. Denote further M j = M Im j , and let N j be the inverse of Mi (mod ma, for i = 1, ... , t. Thus, MjN i == 1 (mod mJ The inverse exists and is immediately found by Euclid's algorithm because (M j , mil = 1. The congruences x == a j (mod mj), i = 1, ... , t , possess a simultaneous solution t

X

=

L ajMjN i ·

j=

1

Moreover, the solution is unique in the sense that any other solution y satisfies (y, mod M) = (x, mod M) .

(Observe that this gives also a proof for the Chinese Remainder Theorem. Clearly, any two solutions must be congruent to each other (mod M). It is obvious that x is a solution because Mi is divisible by every mj with j "# i.) Let now k be fixed, 1 < k セ@ t. Denote by min(k) the smallest product with k distinct factors mi' Thus, min(k) = m l ••• mk if the m;'s are in increasing order. Similarly, denote by max(k - 1) the largest product with k - 1 factors mj' We assume that

(*)

min(k) - max(k - 1)

セ@

3' max(k - 1) .

(Preferably, the m;'s are chosen in such a way that this difference is large.) Let c be an integer satisfying max(k - 1) < c < min(k) . Define the numbers a i by ai

Theorem 6.1. The set {a l

= (c, mod mj), i = 1, ... , t

, ... ,

.

at} is a (k, t) threshold scheme for c.

Proof. Assume first that any k of the a;'s, say a l , ••• ,ak , are known. Denote M' = ml ••• mk , Mi = M'lmj, i = 1, ... ,k, and let Ni be the inverse of Mi (mod mil. Defining k

y=

L aiM;N;, i= 1

6.3 How to Share a Secret

189

we infer by the Chinese Remainder Theorem that

y == c (mod M') . Since M'

セ@

min(k) > c, we obtain c = (y, mod M') ,

which shows how c can be computed from the numbers a l , ... , ak. Assume, secondly that only k - 1 of the a;'s, say a l , ••• ,ak - l , are known. We define y as before, this time using only the moduli ml , . . . , mk - l and conclude that

y == c (mod ml

...

mk -

l) •

But now this leaves many possibilities for c, because of (*). Indeed, there are altogether (**)

[(min(k) - max(k - 1) - 1)/m l

...

mk -

l ]

possibilities which is a very large number if the m;'s are large and close to one another. Example 6.1. Choose k = 3, t = 5 and ml

= 97,

m2 = 98,

m3

= 99,

m4 = 101,

ms

= 103 .

Then min(k) = 941094, max(k - 1) = 10403, and (**) ranges between 89 and 97, depending on the choice of the two m;'s. The highest value 97 is obtained for the product ml m2 = 9506, and the lowest value 89 for the product 10403. The secret c is a number satisfying 10403 < c < 941094 . Assume that a general agency knows c and has given the parties Ai the values

al

= 62, a2 = 4, a3 = 50, a4 = 50, as = 38 .

The moduli mi can be assumed to be public, or else one can assume that each mi is known to the party Ai only. In the latter case the central agency who handles the secret c and gives the partial information to the parties Ai has also taken care of that the m;'s satisfy the required conditions. Assume now that A 2 , A3 and A4 want to combine their knowledge to find out c. First they compute M'l

= 9999, M'z = 9898,

M3

= 9702,

Nt

= 33, N'z = 49, N3 = 17 .

Hence,

y

= 4· 9999·33 + 50·9898 ·49 + 50·9702 ·17 =

33816668

and, consequently, c = (y, mod 98·99·101)

= (y, mod 979902) = 500000 .

190

6. Cryptographic Protocols: Surprising Vistas for Communication

Similarly, if At, A4 and As want to find out c, they compute M't = 10403,

y

M2 = 9991,

M3 = 9797,

N't = 93,

N2 = 63,

N3 = 43 ,

= 62 '10403' 93 + 50' 9991' 63 + 38' 9797' 43 = 107463646 , c = (y, mod 97 '101' 103) = 500000 .

On the other hand, A2 and As only find out that

y = 4'103' 59

+ 38 '98 '41

= 176992

== 5394 == c(mod 10094) ,

after which A2 and As know only that c is one of the numbers 5394

+ i' 10094,

1 セ@

i

セ@

92 ,

even if they know all the moduli mi. The correct value of i is i = 49. Similarly, if A3 and A4 combine their knowledge, they find out that

y

= 50'101'50 + 50'99'50 = 500000 ==

50 (mod 9999).

This tells them, provided they know the moduli mi , that c is one of the numbers

50+i'9999,

RセゥYTN@

Of course, they have no way of knowing that they actually hit the correct value of c when computing y! 0

6.4 Partial Disclosure of Secrets A rapidly developing area with a wide range of applications consists of problems of the following type. Two or more parties are in the possession of secrets. To achieve a common goal, they want to share some information but not too much. A protocol has to be designed for this purpose. What makes the situation different from the sharing of secrets discussed in Section 6.3 is that in the latter some of the parties wanted to disclose their secrets entirely, in order to achieve the information c. Now all of the parties cooperate but disclose their secrets only partially. (Moreover, we do not assume the existence of a central agency. However, such an agency is not needed in Section 6.3 if the moduli are publicized.) A general setup for partial disclosure of secrets can be defined as follows. The parties At, ... ,At, t セ@ 2, each know the definition of a function f(x t , ... ,xt ). Here each variable ranges over a finite initial segment of the set of natural numbers, and the values of f are natural numbers. Thus, the function f can be defined in terms of a table. Each of the parties Ai knows a specific value ai belonging to the range of Xi' but Ai has no information in regard to the values aj for j =F i. The parties At, ... ,At want to compute the function value f(a t , ... ,at) without giving away any additional information about their own values ai • In other words, a protocol has to be designed such that, after running through the protocol, all the parties Ai know the function value f(a t , . . . , at) but no party has given away any

6.4 Partial Disclosure of Secrets

191

additional information about the value ai • Here additional refers to any information not obtainable from the function value f(a 1 , ••• , aJ Of course, the whole matter becomes trivial if an impartial referee is used. For instance, consider is not prime , f( X 1 ,X2 ,X 3 ) -- {I if some Xi • smallest prIme among the arguments, otherwise . If a2 = 19 and f(a 1 , a 2 , a 3 ) = 17, then A2 knows that one of a 1 and a 3 equals 17, and the other is a prime セ@ 17. If a2 = 4 and f(a 1 , a2 , a 3 ) = 1, then A2 has no information whatsoever about the numbers a 1 and a 3 • Protocols have been designed for problems of this type. Security issues are difficult to formalize in the general case: in particular, the issue of collective cheating where some parties form a coalition to cheat the others. On the other hand, such protocols open entirely new vistas for confidential communication. For instance, new types of secret votings can be carried out. Some members of a council might have the right of veto. With the new protocols, nobody knows whether a negative decision is based on the majority, or on somebody using the veto-right, or on both! Consider a specific example. The parties S l' S2' P 1> ••• , Pt where t is odd, want to make a yes or no decision. All parties can vote yes or no. In addition, S 1 and S2 have the possibility of using "super-votes" S-yes and S-no. It has been agreed in advance that the majority decides if no super-votes are cast. In case of a single or two equivalent super-votes, all ordinary votes are ignored. In case of two contradicting super-votes, the majority of the ordinary votes decides. Such a voting can be visualized as arizing in the United Nations, with Sl and S2 being superpowers. For instance, assume that the votes are cast according to the table

After the execution of the protocol, all parties know the result. S 1 does not know that the result had been the same also if they had cast a no vote. S2 does not know that they could not change the result. The parties Pi do not know that their votes did not influence the decision. After the execution of the protocol with the votes

S1 knows that S2 cast an S-no vote and that the majority of the "ordinary powers" Pi cast a no vote. The problem of secret voting with super-votes can be immediately formulated using the general setup for computing the value of a function, and so can the following problem for which we will also describe a protocol in detail. A (lice) and B (ob) want to find out who is older without learning anything else about each other's age. How can they carry out a conversation satisfying this requirement?

192

6. Cryptographic Protocols: Surprising Vistas for Communication

Let us be more specific. We want to design a protocol for the following conversation. At the beginning A knows the integer i and B knows the integer j, namely, the integers indicating A's and B's ages in years. At the end of the conversation, both A and B know whether i セ@ j or i < j, but A and B have obtained no further information about j and i, respectively. The problem we are considering is often stated in the following form. Two millionaires want to know who is richer without obtaining any additional information about each other's wealth. We assume that the ages are between one and one hundred years, that is, i and j range over the integers from 1 to 100. The following protocol is based on a public-key cryptosystem. Thus, B knows A's encryption key E A but not her decryption key DA • Step 1: B chooses a large random number x and privately computes the value EA(x) = k. Step 2: B tells A the number k - j. Step 3: A privately computes the numbers

Yu=DA(k-j+u) for 1 セオ@

100.

Then A chooses a large random prime p. (The approximate size of p is somewhat smaller than the size of x. The approximate sizes of p and x have been agreed upon in advance.) A privately computes the numbers Zu

= (Yu, modp), 1 セ@ u セ@ 100 .

She verifies that, for all u and all v =f. u, (*) If this is not the case, A chooses another prime until she succeeds.

Step 4: A tells B the sequence of numbers (in this order) (**)

Zl""

,Z;,Z;+l

+ 1,z;+2 + 1, ... ,ZlOO + 1,p.

Step 5: B checks whether or not the j-th number in the sequence is congruent to x (mod p). If it is, he concludes that i セ@ j. If it is not, he concludes that i < j. Step 6: B tells A the conclusion.

The conclusion in Step 5 is correct because the j-th number zj in (* *) satisfies the conditions implies zj = Zj == Yj = x (mod p) and i セェ@

i . A does not learn anything about the choices, and neither do Band C learn anything about each other's choices, since they know only their own one-way function. Attempts to choose more than one secret fail with an overwhelming probability because of Step 5, provided the number of bits in the s's is not very small. In another simple protocol for secret selling of secrets A and B both use an own cryptosystem. The systems may be classical but they should be chosen from a collection, where the individual encryptions and decryptions commute. Step 1: B gives A random bit sequences YP ... , Yk (of the same length as the secrets S;). Step 2: A gives B the bit sequences

Zj

= EA(sjXORy),j = 1, ... , k.

Step 3: B, having chosen the i-th secret and knowing the order of the z's, gives A the bit sequence x = EB(z;). Step 4: A gives B the bit sequence DA (x). Step 5: B computes DBDA(x) = SiXORYi' from which he, knowing Yi' learns

Si'

A possible way of cheating for B is to choose some combination of z's instead of in Step 3 and, thus, to try to learn something about several secrets. The possibilities of success depend on the encryption method EA' The following is a further modification of oblivious transfer, often referred to as combined oblivious transfer. A and B possess secrets a and b, respectively, and g is any previously chosen function. During the protocol, B computes g(a, b), while A has no idea what B has computed. In other words, A obliviously transfers a prescribed combination of her and B's secret to B.

Zi

6.6 Applications: Banking and Ballots Some of the protocols discussed in this chapter seem somewhat artificial or designed for rarely occurring situations. However, similar protocols are needed and to some extent already used for important frequently occurring purposes. Some examples will be outlined in this section. The choice of a particular protocol is always a compromise between various security issues and the complexity in executing the protocol. Nowadays, in cashless payment systems, the amount of transaction data and their computerization drastically increases. This development will continue when

6.6 Applications: Banking and Ballots

201

home banking becomes more common. In most cases, such payment systems are completely unacceptable, since the banks and even the computer manufacturers can easily observe who pays what amount to whom and when. Payment systems guaranteeing security against fraud, and also enabling unobservability of clients, are necessary. Measures of jurisdiction alone are insufficient, since infringements can hardly be discovered. For instance, the following requirements are connected with the unobservability of clients. Each payment should be secret from an eavesdropper. Unless the client wishes otherwise, each of his/her actions should be unlinkable to actions that have taken place earlier. The client should be able to do business anonymously: the banks and the client's business partners should not be able to find out his/her identity. One might also require that it is possible for a payer to make off-line payments to arbitrary payees in a way that the latter can verify the payment without using the network. Since a trusted referee is impractical in a big system, such requirements lead to protocol problems similar to the ones considered in this chapter. We do not enter the details. The reader is referred, for instance, to [BuP], for a general model of unobservable payment systems. Cryptographic protocols can also be utilized in devising the arrangements through which the voters signal their opinions. Arrangements aimed at assuring secrecy are of special importance as regards elections through a network. In secret balloting systems the transmission of messages should be secured against eavesdroppers. Moreover, in some cases also authentication is needed. We assume that these requirements are taken care of and focus the attention on specific issues dealing with balloting. In particular, we consider the following four issues. (i) Only legitimized voters should cast a vote. (ii) The ballots should be kept secret. (iii) Nobody is allowed more than one vote. (iv) Every voter should be able to verify that his/her vote has been taken into account in the computation of the electoral outcome. A protocol satisfying (iHiv) is effective against at least the most obvious forms of electoral fraud. A straightforward protocol would be based on an agency that checks the legitimization of each voter, and computes and publicizes the electoral outcome. Assume, further, that each voter sends a secret identification number together with the vote and that the outcome is publicized by issuing a list of sets (*)

where R i , 1 セ@ i セ@ k, is the set of secret identifications of those voters who voted for the i-th candidate or, more generally, adopted the i-th voting strategy. Then the conditions (i)-(iv) are satisfied with the exception that (ii) is violated in the sense that the agency knows how each voter voted. This violation becomes impossible if there are two agencies: one for legitimization (L) and, the other, for computing and publishing the outcome (C). The agency L sends to the agency C the set N of all identification numbers of voters but there is no further contact between the two agencies. Then protocol for a voter A is as follows. Step 1: A sends a message, for instance, "hello I'm A" to L.

202

6. Cryptographic Protocols: Surprising Vistas for Communication

Step 2: If A is allowed to vote, L sends an identification number i(A) to A and also removes A from the set of electors. If A is not allowed to vote, L sends a message "reject" to A. Step 3: A chooses a secret identification s(A) and sends C the triple (i(A), v(A), s(A)), where v(A) is A's vote. Step 4: C finds out whether or not i(A) is in the set N. If it is, C removes i(A) from N and adds s(A) to the set of electors who voted for v(A). If it is not, C does nothing. Step 5: At a previously specified time, C computes and publicizes over the network

the outcome, as well as the list (*). To add security, some public-key cryptosystem may be used in Steps 1-3. Messages are sent authenticated and encrypted by the receiver's public encryption key. A person B who is not a legitimized voter may try to cheat by guessing an identification number i(B). Similarly, a legitimized voter A may try to cheat by guessing further identification numbers. Such attempts are not likely to succeed if proper identification numbers are sparse among all conceivable numbers, say, 106 identification numbers are distributed among the 10 100 first integers. If identification numbers are defined to be numbers of the form IOn + in' n = 1,2, ... ,where in is the n-th decimal in the decimal expansion of n, they are not sparse enough. The above protocol is vulnerable to the collusion of agencies Land C. Clearly, the combined knowledge of Land C discloses how each voter voted. A much more sophisticated protocol is needed to overcome this difficulty. The protocol is based on the secret selling of secrets discussed in Section 6.5. Since the agencies cheat by cooperating, we assume as well that there is only one agency C which replaces Lin the above protocol. The only other difference is that in Step 2 an eligible voter A "buys" secretly from C an identification number. This means that all possible identification numbers are publicized by C in an encrypted form. C then decrypts one of them for A but does not know which one. The probability of two voters buying the same number can be made negligible by choosing much more encrypted numbers than there are voters. On the other hand, even the encrypted numbers should be sparse among the numbers the electors might guess. It is to be added that the agency C is not at all needed if ideas presented in Section 6.4 are used.

6.7 Convincing Proofs with No Details In the remainder of this chapter we focus the attention on the following challenging and fascinating problem. Assume that P ("the Prover", Peter) knows some information. It could be a proof of long-standing conjecture (such as Fermat's Last Theorem), the prime factorization of a large integer, a 3-coloring of a graph,

6.7 Convincing Proofs with No Details

203

a password or an identification number. The essential thing is that P's information is verifiable: there is an effective procedure for checking its validity. In connection with a mathematical theorem this implies that the proof is given in some formal system, where every step of the proof can be validated. P would like to convince V ("the Verifier", Vera), beyond any reasonable doubt, that he is in the possession of this information. P could simply disclose this information so that V could do the checking herself. If the information consists of the prime factors p and q of a large integer n, P could tell V the numbers p and q, and V could convince herself that n = pq. This is a maximum disclosure proof, where V actually learns the information and can later on show it to someone else and even claim that she factored n herself. In a minimum disclosure proof P convinces V that he has the information, but this happens in a way that does not reveal a bit of the information and, consequently, does not in any way help V to determine the information. V is almost sure (because the probability of P cheating can be made arbitrarily small) that P has the information, say, the two factors of n. But V has no idea about the factors themselves and cannot tell anything about them to a third party. A very simple minimum disclosure proof about the knowledge of the factors of n is the following. Step 1: V chooses a random integer x and tells (x 4 , mod n) to P. Step 2: P tells (x 2 , mod n) to V. V obtains no information new to her because she can square x herself. On the other hand, we know that extracting square roots is equivalent to factoring n. In Step 2, P not only has to extract a square root of X4 but the particular one among the four square roots that is a quadratic residue (mod n). Determining quadratic residuosity is also intractable without knowing the factors of n. Of course, the possibility of P succeeding without knowing the factors of n can be made still smaller by iterating the protocol. Let us repeat our basic requirements. We assume that the information is the proof of a theorem.

(I) The Prover probably cannot cheat the Verifier. If the prover does not know a proof of the theorem, his chances of convincing the verifier that he knows a proof are negligible. (II) The Verifier cannot cheat the Prover. She gets not a slightest hint of the proof, apart from the fact that the Prover knows a proof. In particular, the Verifier cannot prove the theorem to anyone else without proving it herself from scratch. Protocols satisfying (I) and (II) contradict the common belief that one necessarily gains additional insight into a theorem by getting convinced that it holds. Minimum disclosure proofs yield no such insight. Whatever one can learn from the proof, one can learn from the statement of the theorem.

204

6. Cryptographic Protocols: Surprising Vistas for Communication

Minimum disclosure proofs are conceivable even if the Prover has no definite proof to start with but only an argument very likely to be true. For instance, P might have found the numbers p and q by one of the primality tests of Section 4.3 and is quite convinced that n = pq is the prime factorization, although it is possible that p or q can be decomposed further. P can transfer his conviction to V in a minimum disclosure manner, which implies that V is unable to convince a third party. The protocol above was constructed in an ad hoc manner, based on the special interconnection between factoring and extracting square roots. Some general ideas are needed if one wants to construct protocols satisfying (I) and (II) for a large class, such as problems in N P. The crucial idea in the construction will be that of a lockable box. The Verifier cannot open it because the Prover has the key. On the other hand, the Prover has to commit himself to the contents of the box, that is, he cannot change the contents when he opens the box. In fact, the Verifier may watch when the Prover opens the box. For the moment being we do not discuss how the boxes are constructed but will return later in this section to this issue. Basically, the hardware consisting of boxes can be replaced by public-key cryptography. Locking information in a box means applying a one-way function to it. The Prover knows the inverse function and applies it when opening the box. His commitment to the box can be verified by applying the one-way function to the plaintext information. Certain assumptions have to be made because public-key cryptography is used. If the boxes are constructed using RSA or discrete logarithms, intractability of factoring or taking discrete logarithms is assumed. In most cases it is possible to change the underlying public-key cryptosystem, so it suffices to assume the existence of a one-way function. Boxes are used in the following minimum disclosure proof of the 3-colorability of a graph. A 3-coloring of a graph consists of providing the nodes with the colors B (blue), R (red) and W(white) in such a way that no two adjacent (that is, connected by an edge) nodes get the same color. 3-colorability is known to be an NP-complete problem. P wants to convince V that he knows a 3-coloring of a graph G with t nodes 1, ... , t. The protocol has k rounds. Each round consists of 4 steps and proceeds as follows.

Step 1: P prepares and presents to V the following locked boxes B i, Bf, 1 セ@ i セ@ 3 t, and Bi,j' 1 セ@ i

Bll ,l2

B9 ,l2'

contain 1, and the remaining 61 boxes contain O. If (a)-line is followed, V gets the graph

3

11 x

)(

1/1 x

x

9

12

1

2

4

5

x

x

x

x

6

7

8

10

x

x

x

x

where we use the indices of the node boxes as labels. The opened node boxes tell V that the labels 3, 11, 12, 9 are, in this order 1, 2, 3, 4. So V gets the original G without colors and 8 isolated nodes. If (b)-line is followed, the 18 edge boxes opened for V are: Bl ,3'

B1,6' Bl,l2'

B 2 ,s, B2,s,

B 3 ,6' B 3 ,12'

B4,7' B4 ,lO' B4 ,ll'

B S ,9' B6 ,l2'

B7 ,lO' B 7 ,ll'

BS,9'

B 2 ,9' Bs,s, BlO,ll .

All of these boxes contain 0, as they should.

0

The following protocol is different in the sense that lockable boxes are not used, although they are present implicitly. P wants to convince V that he knows an isomorphism 9 between two given graphs Gland G2' (By definition, an isomorphism between Gland G2 is a 1-to-1 mapping n of the nodes of G1 onto the nodes of G2 that is also edge-invariant: any nodes x and yare adjacent in G1 iff n(x) and n(y) are adjacent in G2.) The protocol consists of k rounds of the following three steps. Step 1: P generates and tells V a random isomorphic copy G" of G1 .

6.7 Convincing Proofs with No Details

207

Step 2: V asks P to tell her an isomorphism between Ga and Gp , where she has chosen Pfrom the indices 1 and 2. Step 3: P acts as requested. If P knows an isomorphism between G1 and G2 , Step 3 will always be easy for him because he knows also the inverse of the isomorphism of G1 onto Ga' Otherwise, P is in trouble if P= 2. One might think that the Verifier learns something if, for instance, Ga = G2 and P= 1. The point is that V does not get any information she could not have obtained without the Prover: she could have hit such a fortunate random copy Ga herself! The problem of graph non-isomorphism is in Co-NP but it is not known whether it is in N P. Of course, it is in P-SPACE. Using the following simple protocol, P can convince V that he knows that the graphs Go and G1 are not isomorphic. Step 1: V generates a random sequences of bits i1> ... , ik and random graphs Hit, ... ,H;k such that always H;j is isomorphic to G;j. V tells P the sequence of graphs H;j. Step 2: P tells V the sequence of bits i 1 ,

i

••• , k •

Clearly, P has no way of knowing the sequence of bits if the original graphs Go and G1 are isomorphic. In this case, the probability of P getting caught in Step 2 equals 1 - 2- k • If Go and G1 are not isomorphic and P has enough computing power to settle the problem of graph isomorphism, V will be convinced. According to a very recent result of A. Shamir, P-SPACE is the collection of problems possessing such an interactive proof. More specifically, P has unlimited computing power but V works in polynomial time and has to become convinced with arbitrarily high probability. The result is particularly interesting because a proposed solution for a problem in P-SPACE cannot necessarily be checked in polynomial time. Thus, interaction constitutes here the missing link. Let us now discuss a possible way of constructing lockable boxes. It is no loss of generality to assume that each box contains only one bit. If it is originally supposed to contain more information, it can be replaced by several boxes that are opened simultaneously. The method described below is based on the assumption that the computation of discrete logarithms (mod p) is intractable. First a large prime p and a generator 9 of F*(p) are publicized. This means either that P and V agree about p and 9 or, more generally, that p and 9 can be used by all parties wishing to engage in minimum disclosure proofs. If there is any doubt of p and 9 actually being a prime and a generator, we may assume that also the factorization of p - 1 is known, whence the facts concerning p and 9 can be immediately verified. At the beginning V chooses and tells P a random number r, 1 < r < p - 1. P cannot compute the discrete logarithm of r (mod p), that is, an integer e such that g" == r (mod pl. This follows by our assumption concerning the intractability of

208

6. Cryptographic Protocols: Surprising Vistas for Communication

computing discrete logarithms (which is not essentially simpler even if the factorization of p - 1 is known). In order to lock a bit b into a box, P chooses a number y randomly and secretly and tells V the "box": x = (r"gY, mod p). Clearly, any element of F *(p) is ofthe form (gY, mod p), as well as of the form (rgY, mod p). This implies that x does not reveal anything of the locked bit b. When P wants to open the box for V, he tells V the "key", that is, y. This does not help V in any way to open other boxes. On the other hand, this method forces P to commit himself to the bit b. He cannot open the box both as 0 and 1. Suppose the contrary: P can choose two numbers y and y' such that (gY, mod p)

= (rgY', mod p) ,

and then later announce y or y' as the key to the box, depending on whether he wants 0 or 1 to appear in the box. But now r == gY-Y' (modp) and, consequently, P is able to compute the discrete logarithm of r, which contradicts our assumption. This means that, when locking the bit b into the box, P has committed himself to b and cannot later change b.

6.8 Zero-Knowledge Proofs We now make a further restriction against the verifier. While we required in the previous section in the condition II that V learns nothing from P's proof, we now require that V learns nothing whatsoever. By definition, a protocol is zeroknowledge iff I and II are satisfied and, moreover, V learns nothing from P that she could not learn by herself without P. In other words, V is able to simulate the protocol as if P were participating although he, in fact, is not. In this definition we assume the existence of one-way functions (in order to construct lockable boxes). Let us consider another NP-complete problem, namely, the construction of a Hamilton cycle in a graph G. By definition, a cycle (that is, a path with the same start and end nodes) in a graph G is a Hamilton cycle iff it passes through all nodes of G exactly once. The Prover, P, wants to convince the Verifier, V, that he knows a Hamilton cycle in a graph G with t nodes 1, ... , t. The protocol has again k rounds. Each round consists of 4 steps and proceeds as follows. Step 1: P locks the t nodes of G in a random order into t boxes B l '

Moreover, P prepares HセI@

locked boxes B;j, 1 セ@ i < j

セ@

... ,

Bt •

t. The box Bij contains the

number 1 if there is an edge in G between the nodes locked in boxes B; and B j • If there is no edge between these nodes, B;j contains the number O. P gives all boxes to V. Step 2: V flips a coin and tells P the outcome.

6.8 Zero-Knowledge Proofs

209

Step 3: (a) If the outcome was "heads", P opens all the boxes. (b) If the outcome was "tails", P opens t boxes B hh , Bhh , ... ,Bj,h' where the indices run cyclically and every index appears exactly twice. Step 4: (a) V verifies that she got a copy of G. The verification will be easy for her because the opened Bj-boxes tell her the isomorphism used. (b) Vverifies that all of the opened boxes contain the number 1. Everything said about the protocol concerning 3-colorability (before Theorem 6.2) is valid also now: the protocol above satisfies the conditions I and II. Let us now show that the protocol is also zero-knowledge. Assume that V has an algorithm A (running in random polynomial time) to extract some information from her conversation with P. In the following way V can use A to extract the same information even in the absence of P. V first plays the role of P. She flips a coin and, according to the outcome, she either applies an isomorphism to G and locks the result in boxes, or else locks an arbitrary t-cyc1e in boxes and, just for the fun of it, puts some numbers in other boxes to make the total number of boxes correct. Now, having received the boxes, V plays the role of V. She applies her algorithm A to decide the choice between (a)- and (b)-lines. She either gets the same information as in the presence of a true prover P or learns that P is a false prover. V can do everything in polynomial time. The same argument applies also to the protocol concerning 3-coloring. Hence, we obtain the following result.

Theorem 6.3. The given protocols for 3-coloring and Hamilton cycles are zeroknowledge. Consider the way of locking the boxes presented at the end of Section 6.7. Then V does not gain anything from the way P commits himself to specific bits or opens the boxes. The boxes are simulatable in the sense that V can do everything just by herself without P being available at all. This concerns both locking and opening the boxes. The situation is different if the k rounds of the protocol are run in parallel. This will be discussed later on in this section. Suppose P knows a positive solution for a problem in NP, for instance, a solution to a knapsack problem. (Here the term "positive" is to be contrasted with "negative": no solution exists. Our technique is straightforward for positive solutions. Zero-knowledge proofs are possible for negative solutions as well. For instance, a proof that a given knapsack problem possesses no solution has to be carried out within a suitable formalism.) Both of the problems discussed in Theorem 6.3 are NP-complete. This means that any instance of a problem in NP, such as an instance of the knapsack problem, can be reduced in polynomial time to either one of them. This reduction can be carried out also by the Verifier. This result will be stated in the following theorem.

210

6. Cryptographic Protocols: Surprising Vistas for Communication

Theorem 6.4. Every positive solution for a problem in N P can be given a zeroknowledge proof An interesting variation is obtained if all k rounds in the protocols of Theorem 6.3 are carried out in parallel. This means that P prepares at once k sets of locked boxes, and V asks k questions, one for each set. Assume that V uses the k sets of locked boxes to formulate her questions, for instance, by interpreting the k sets as k numbers, applying a one-way k-place function to these numbers, and using the first k bits of the function value to determine the questions. Then it is conceivable that, although the dialogue might contain no information about P's secret, still the dialogue could not be reconstructed without P. In other words, V could convince a third party about the secret's existence, although she could give no details concerning the secret. In fact, in this parallel version V is not able to simulate k rounds in polynomial time. If the zero-knowledge character is to be maintained even in the parallel version of the protocol, then V should be able to open a locked box both as 0 and as 1. This is precisely what P is not able to do, and the situation can be achieved in some cases if V has additional information. More specifically, we say that the locked boxes are (or the method of locking information into the boxes is) chameleon iff V can simulate whatever she would have seen in the process by which P commits himself to bits and, moreover, V can simulate both the process by which P opens a box as a 0 and the process by which he opens it as a 1. The boxes based on the discrete logarithm, as described at the end of Section 6.7, are not chameleon. If V, instead of P, chooses the number y, she still cannot open the box for both of the bits. This means that the protocol should not be performed in parallel if it is to be zero-knowledge. This can be seen by the following argument. Assume that V gives the number (2g e , mod p) = r to P, where she has chosen e by herself. This means that a box locked by P looks like

(rbg Y, mod p) = (g(e+p)b+ y , mod p), where 13 is the discrete logarithm of 2 (mod p). Now V can use several boxes of this form to compute a function value to determine, for instance, her challenges to P. How would this be possible without P? V could, of course, fix the numbers y by herself but still, in order to open the box both as 0 and 1, she would have to know p. By our assumption concerning discrete logarithms, she does not know p. The more boxes there are, the greater will the influence of P be. Hence, V cannot play the role of P. The only way V could have created the record of the protocol without P is that she knows herself the thing to be proven, or else she knows the discrete logarithm of 2. If we exclude the second alternative, the record of the protocol can be used to convince a third party about the truth of the thing to be proven. It is possible to add the chameleon property to the locked boxes. Rather than choosing r randomly, V chooses an exponent e randomly and gives P the number r = (ge, mod p) . Now V knows the discrete logarithm of r and can, if necessary, convince P of this fact by a minimum disclosure proof.

6.8 Zero-Knowledge Proofs

211

We still consider another very basic NP-complete problem, namely, the satisfiability problem for propositional formulas. The problem remains NP-complete even if we assume that the propositional formulas are in 3-conjunctive normalform, that is, conjunctions of disjunctions, where each disjunction consists of 3 literals. A literal is a propositional variable or its negation. For instance, (Xl /\ Hセxi@

v

X2 V V

セ@

セ@

x4 )

X2 V

セ@

/\ (X2 V

x 3)

セ@

X3 V

x4 )

/\ Hセxi@

/\ (Xl V X3 V X 4 ) /\ HセxR@

V

x2

V

x3)

V X3 V

x4 )

is a propositional formula in 3-conjunctive normal with four propositional variables and six clauses. The formula is satisfiable iff there is an assignment of truth-values T (true) and F (false) for the variables for which the formula assumes the truthvalue T. In this case, such an assignment is (*)

When Peter wants to convince Vera in a zero-knowledge manner that he knows a satisfiability assignment, he can do so following Theorem 6.4. We present a more direct method, resembling our discussion concerning 3-colorability. Such a more direct approach is more appropriate because satisfiability problem is basic in the sense that problems in N P can be reduced to it in a straightforward fashion, see [Sal]. Thus, P and V know a propositional formula Q( in 3-conjunctive normal form. Assume that Q( has r propositional variables and t clauses. (We could assume that Q( is arranged in some alphabetic order but this is not important.) P wants to convince V that he knows an assignment of truth-values for the variables making Q( true. As an illustration, we consider the formula above and the assignment (*). P first prepares 2r boxes Bi and BT v , i = 1, ... ,2r, referred to as variable and truth-value boxes, respectively. For each of the 2r pairs (x, y), where X is a propositional variable and y is a truth-value (T or F), there is an i such that X is locked in Bi and y is locked in BTv. Moreover, the pairs (x, y) appear in a random order in the pairs of boxes (Bi' BTV). In our illustration, there are 8 pairs of boxes, for instance, B I : x4

B TV I .. T

B2 :

X2

B3:

Xl

BlV: F B 3TV .. F

B4 :

X4

B 4TV .. F

B5:

X3

B TV 5 •. T

B6:

X3

B7:

Xl

Br v : F B TV 7 •. T

Bs:

X2

B TV s .. T

Moreover, P prepares (4r)3 boxes Bi,i,k' where the three indices range from 1 to 2r and from セ@ 1 to セ@ 2r, and each box contains either 0 or 1. The number

212

6. Cryptographic Protocols: Surprising Vistas for Communication

1 appears in the box B i', j', k' exactly in case i' = i or i' = '" i,j' = j or j' = '" j, k' = k or k' = '" k, IX contains a clause, where the three variables are the ones appearing in the boxes Bi, Bi , Bk (in this order and negated if this is indicated by i',j', k') and, in addition, the three truth-values P assigns to these three variables (in his specific satisfiability assignment) are the ones appearing in the boxes BT v, BJv, B[V (in this order). The boxes Bi',i',k' are referred to as assignment boxes. Thus, t of them contain the number 1. In our illustration, the six assignment boxes containing the number 1 are B 7,2, _

B _ 7,

I'

B 2,5, _

_ 2, _ 5,

I'

B -7,2,5

B7,5,1' B -

,

2,5,1 .

We have listed the boxes in the same order as the clauses above. The protocol now runs similarly as the protocol for 3-colorability. In each round of the protocol, P prepares and gives V the locked boxes as described above, V has now two options. If V so desires, P opens for her all the boxes except the truth-value boxes. V learns from the assignment boxes containing the number 1 the original propositional formula IX. Thus, she learns that P has used the correct IX when locking the boxes but she obtains no information whatever about P's truth-value assignment. V may also ask P to open all truth-table boxes. P then opens for her also all those assignment boxes Bi',j',k' where each of the indices is of the form x with F in bセカL@ or of the form'" x with Tin bセカN@ If the number 0 appears in all of these boxes, then P's truth-value assignment is correct: no clause getting the value F by this assignment appears in IX. Thus, all clauses appearing in IX get the value T by P's assignment. V will be convinced about this, although she learns nothing about P's assignment. In our illustration, P opens all assignment boxes, where each of the three indices belongs to the set {2, 3,4,6, '" 1, '" 5, '" 7, '" 8}. The following result is obtained in the same way as Theorem 6.3: the probability of P cheating is multiplied by ! after the completion of each round. Theorem 6.5. The protocol given above for satisfiability is zero-knowledge. Any of Theorems 6.3-6.5 can be used to convert any mathematical proof into a zero-knowledge proof. Suppose you know a proof of, say, Fermat's Last Theorem. Suppose, further, that your proof has been formalized within some proof-theoretic system. This means that there is no "hand-waving" involved: a verifier can check that every step in the proof follows by the rules of the system. Assume, finally, that an upper bound for the length of the proof is given. The proof can be found out by a nondeterministic procedure working in polynomial time. The procedure first guesses the proof and then checks its validity step by step. On the other hand, the procedure (say, a nondeterministic Turing machine) can be described in terms of a propositional formula IX in 3-conjunctive normal form such that IX is satisfiable iff the theorem has a proof whose length does not exceed the given bound. The construction of IX is effective in the sense that anybody knowing a proof for the theorem knows also a satisfiability assignment for IX. Hence, you are able to convince a verifier that you know a proof for the

6.9 Zero-Knowledge Proofs of Identity

213

theorem without giving away any information about the proof except an upper bound for its length. A few additional comments are in order. In results such as Theorem 6.4 the existence of one-way functions is needed. In fact, in our zero-knowledge protocols one-way functions are used in the construction oflockable boxes. What this means is that the prover reveals his secret to the verifier in an encrypted form. Although the verifier does not gain anyon-line information, it is conceivable that she could later on, either by luck or by sufficient computing effort, break the cryptosystem and learn the entire secret. Recall, for instance, that the 3-coloring is given to the verifier in each set of locked boxes. We will not discuss here protocols referred to as perfect zero-knowledge. In such protocols V obtains no information whatsoever about P's secret (beyond its existence), whereas in the zero-knowledge protocols discussed above V obtains no information she could use on-line or in polynomial time. The reader might think about the meaning of zero-knowledge proofs with RSA-locked boxes in case the theorem to be proved is "There is an algorithm for factorization working in linear time". In the protocols discussed above, the probability of P cheating decreases very rapidly with respect to the number of rounds. However, arbitrarily high security is not obtained with a bounded number of rounds. This technique can be modified to combine arbitrarily high security with a constant number of rounds. In some setups even non-interactive zero-knowledge proof systems are possible. The results of [BeG] can be applied in the following scenario. After P and V have generated together a long random sequence, P leaves for a trip around the world. Whenever he discovers a theorem, he writes a postcard to V proving his new theorem in zero-knowledge. This process is necessarily non-interactive because P has no predictable address.

6.9 Zero-Knowledge Proofs of Identity One of the problems with most of the identification techniques such as ID cards, credit cards and computer passwords is that a party P proves his identity by revealing a word i(P) that is memorized or printed on a card. An adversary cooperating with a dishonest verifier can either get a copy of the card or otherwise learn the word i(P). The adversary can later on use i(P) to pretend to be P and, thus, is granted the access or services implied by i(P). An obvious solution to this problem is to use a zero-knowledge proof to convince the verifier V that the prover P knows i(P) without revealing a single bit about i(P). Such a proof goes one step further than the zero-knowledge proofs considered in the preceding section. Previously P revealed one bit of information to V, namely, that the theorem is true, there is a 3-coloring or a satisfying truth-value assignment, etc. Not a single bit of information is now revealed. This difference can be expressed briefly by saying that, while we previously were talking about

214

6. Cryptographic Protocols: Surprising Vistas for Communication

zero-knowledge proofs of theorems, we are now talking about zero-knowledge proofs of knowledge. Of course, the latter types of proofs can be extended to concern proofs of theorems as well. This means, for instance, that P convinces V that he has settled Fermat's Last Theorem without revealing a single bit of his information, not even whether he has established the theorem or found a counterexample! A way to do this is to let i(P) consist of P's information, beginning with the statement of the theorem or its negation and followed by the proof or counterexample. In the following protocol the existence of a trusted agency is assumed. The only purpose of the agency is to publish a modulus n which equals the product of two large primes p and q but to keep the primes themselves secret. For a technical reason to be explained later, the primes are assumed to be congruent with 3 (mod 4). After publishing n, the agency may cease to exist. P's secret identification i(P) consists of k numbers C1 , ..• , Ck with 1 ::; cj < p. His public identification pi(P) consists of k numbers d 1 , ••• , dk with 1 ::; dj < p, and each dj satisfying one of the congruences djc; ==

(*)

± 1 (mod n) .

The verifier V knows the public nand pi(P). P wants to convince her that he knows i(P). The following four steps constitute one round of the protocol. The number of rounds decreases the probability of P cheating. Step 1: P chooses a random number r, computes the numbers (± r2, mod n) and tells one of them, call it x, to V. Step 2: V chooses a subset S of the set {l, ... ,k} and tells it to P. Step 3: P tells V the number

y=

where

セ@

HイセL@

mod n) ,

is the product of the numbers cj such that j belongs to S.

Step 4: V verifies the condition

x ==

± y2T" (modn) ,

where T" is the product of the numbers dj such that j belongs to S. If it is not satisfied, V rejects. Otherwise, an eventual new round is begun. Observe first that the verification condition in Step 4 should hold because y2 T" == r2 T; T" ==

± r2 == ± x (mod n) ,

the second congruence being a consequence of (*). The use of r is necessary because, otherwise, V would find out any cj by choosing S = {j}. The special form of the primes p and q guarantees that the d-numbers can range over all integers with the Jacobi symbol + 1 (mod n). This implies that V can be sure that the c-numbers exist. A tacit assumption needed for (*) is that (c j , n) = 1, for allj. If this is not the case, then n can be factorized, and the whole world collapses! A minor

6.9 Zero-Knowledge Proofs of Identity

215

technicality useful in practical implementations is to use the inverses of the squares of the c-numbers rather than the squares themselves when defining (*). Of course, the whole protocol is based on the intractability of extracting square roots (mod n) when the factorization of n is unknown. This implies that V gets no information about the c-numbers and, in fact, V can play both the roles of P and V in the protocol. On the other hand, the only way for P to cheat is to guess the set S in advance, and provide ( ± イRセL@ mod n) as x in Step 1 and y = r in Step 3. The probability for a successful guess is 2- k and, hence, r kt in t rounds. A reason for this rapid conver,gence is that the k numbers in P's identification invoke an element of parallelism in the protocol. Assuming the intractability of factorization and extraction of square roots (mod n), our protocol constitutes a zero-knowledge proof of identity. It follows that not even a crooked Vera can extract any information that could later on be used to convince the true Vera about the knowledge of i(P). We remark in passing that a rigid formalism is not needed for our purposes in this chapter. In such a formalism P and V would be machines executing algorithms within certain time bounds and having access to common or separate random numbers. In the discussion of many subtleties such a more penetrating formalism is helpful.

Example 6.5. The trusted agency has published the modulus n = 2773. P's secret identification i(P) consists of the 6-tuple

= 1901, C4 = 1400,

c1

= 2114, Cs = 2001,

c2

= 1509 , c6 = 119 .

c3

(See here also Example 4.1.) The squares of these numbers (mod n) are, in the same order, 582, 1693, 448, 2262, 2562, 296. P now chooses his public identification pi(P) to consist of the 6-tuple

= 81, d 2 = 2678, d3 = 1207 , d4 = 1183, d s = 2681, d6 = 2595 . d1

Then the congruences (*) will be satisfied for j = 1, ... ,6 and, moreover, appears on the right side for j = 1,3,4,5 and - 1 appears for j = 2,6. Assume that P chooses r = 1111 and tells V the number x

= (-

r2, mod n)

+1

= 2437 .

Assume that V chooses S = {I, 4,5, 6} and computes 1'.J = 1116. P computes 1;; = 96 and tells V the number y = 1282. Because ケRセ@

= 1282 2 ·1116 = 2437 = x

The verification condition holds. Similarly, the choices r = 1990,

x = (r2, mod n) = 256

(mod n),

216

6. Cryptographic Protocols: Surprising Vistas for Communication

and S = {2, 3, 5} give the values

Td

= 688, T.: = 1228, y = 707 .

The verification condition - y2 Td == - 2517 == x (mod n) is satisfied.

0

We observed that not even a crooked verifier can gain any information that could later on be used to convince the true verifier about the knowledge of i(P}. Still, some more subtle on-line cheating schemes are conceivable. Assume that a crooked verifier and prover, セ@ and Pc, collaborate in trying to convince the true verifier V that Pc knows the identification i(P} of the true prover P. Assume, further, that セ@ is in the position to test P's knowledge of i(P}. For instance, P wants to pay a bill to セN@ Then at the same time Pc, who can secretly communicate with セ@ by radio or telephone, tries to gain access to a top-secret area, the access being granted by V if knowledge of i(P} is shown. Now Pc and セ@ can act as communication links and, in fact, the whole protocol will be executed between V and P. V will be convinced of the knowledge of i(P} but gets the wrong idea that Pc knows i(P}! We now discuss another identification scheme, based on a knapsack-type problem. We present first a simple version of the scheme, and then a bit more involved one. The latter can be further generalized but it is not yet properly understood to what extent, if any, such generalizations and complications contribute towards the security of the scheme. Let A = (aI' ... , an) be a knapsack vector with an even n. It is an NP-complete problem to pick up half of the components of A in such a way that they sum up to the same number as the remaining half. Hence, also the following problem, being more general, is NP-complete. Given a knapsack vector A and a vector B = (b l , . . . , b n ) with integer components, maybe some of them negative. Find, if possible, a permutation Bp of the vector B such that ABp = O. For instance, if A

= (3,7,8,2, 12, 14),

B

= (1, 1, 1,

- 1, - 1, - 1) ,

then the permutation p transposing the 2nd and 5th components but leaving the other components fixed satisfies the condition because A(1, - 1, 1, - 1, 1, - 1} = 0 .

(Here the second vector in the product is understood to be a column vector.) The setup is now as follows. The trusted agency has published the knapsack vector A = (aI' ... , an). (n need not be even.) P's public identification pi(P} is the vector B = (b l , . • . , bn ) with integer components. His secret identification i(P} is a permutation p such that ABp = O. The protocol uses, in addition, a cryptographic hashfunction h(x, y}. We do not define hash functions formally. The points essential for us are that the value h(x, y} can be easily computed from x and y, whereas x and y cannot be recovered from the value and, moreover, h(x, y} is not long in comparison with x and y. The previously discussed XOR-operator is a simple hash function, if xXORy does not leak information about x or y. The hash function h(x, y} can be published by the agency or agreed upon between P and the verifier V. Of course, it is desirable that not even h(x, y} and one of the arguments gives away the other argument. This condition is clearly not satisfied by the XOR-operator:

6.9 Zero-Knowledge Proofs of Identity

217

Each round in the protocol, where P tries to convince V about his knowledge of i(P), consists of the following steps. Step 1: P chooses a random vector R and a random permutation q (both having the dimension n), and tells V the values h(q, AR) and h(pq, Rq). Step 2: V chooses a number d = 0 or d = 1 and asks from P the vector C = Rq + d· Bpq. After receiving C, V asks from P either the permutation q or the

permutation pq. Step 3: If she asked for q, V verifies the condition h(q, AqC) = h(q, AR). If she asked for pq, V verifies the condition h(pq, C - dBpq) = h(pq, Rq) .

Observe first that V has all the data needed for the verification in Step 3, either from Steps 1 and 2 or from the public information. The validity of the second verification condition is obvious by the definition of C. The validity of the first condition follows because

AqC = AiRq + dBpq)

= AqRq + dAqBpq = AR.

(The equation AqBpq = 0 holds because ABp = 0 and, hence, the product equals

o also if both factors are permuted by the same permutation.)

Coming back to the illustration before the protocol, assume that

R

= (15, 1, 5,9,2,6),

d = 1 and q

= (1234) .

We use here the customary notation for permutations: q is a mapping that permutes the components 1, 2, 3, 4 cyclically and leaves the two other components fixed. Then

Rq = (9, 15, 1,5,2,6), pq = (12534) , Bpq = (- 1, 1, - 1, 1, 1, - 1) , C = (9, 15, 1,5,2,6) + (- 1, 1, - 1, 1, 1, - 1) = (8, 16,0,6,3, 5) ,

Aq = (2, 3, 7, 8, 12, 14), AqC = 218

= AR .

Hence, the verification condition will be satisfied. Observe that the number of permutations is huge even for relatively small values of n. This is very important from the point of view of security. In a more sophisticated version of the protocol, A is an m x n matrix with integer entries, and Ap is the matrix obtained from A by aplying the permutation p to the columns of A. A small prime s is fixed, typically s = 251. A and s are published by the agency, or otherwise agreed upon by all users. As before, P's public identification pi(P) is an n-vector B. His secret identification i(P) is a permutation p such that ABp == 0 (mod s) ,

218

6. Cryptographic Protocols: Surprising Vistas for Communication

where the right side means an m-vector of zeroes. (In our earlier simple version, m = 1 and the congruence is an equation.) The protocol is basically the same as before but also the choice of d will be more general, now 0 :$; d < s. The components of all vectors are reduced modulo s and, moreover, AR and AqC are now m-vectors. Everything else remains the same. Also the validity of the verification conditions follows exactly as before and, hence, an honest prover P always passes the test. It is easy to see that the probability of success for a dishonest prover P (not knowing the permutation p) is at most (s + 1)/2s. The protocol is zero-knowledge because the individual messages sent by P convey no knowledge. Further generalizations of the scheme are obtained, for instance, by replacing the matrix-vector products with matrix-matrix or even with tensor-tensor products.

Fig. 6.1

Appendix A. Tutorial in Complexity Theory

The subsequent two appendices are brief introductions to only those areas of complexity and number theory that are used in this book. There are many good general introductions to both complexity and number theory. From the point of view of classical mathematics problems in cryptography are trivial in the sense that they can be solved by finitely many trials. However, reduction to finitely many cases does not make much sense if the number of cases is unmanageable. If we are not able to decrypt a message within a certain time limit, we might as well forget the whole thing because, as time passes by, the situation might change entirely. The time complexity of an algorithm is a function of the length of the input. An algorithm is of time complexity f(n) iff, for all n and all inputs of length n, the execution of the algorithm takes at mostf(n) steps. Ifn is an integer, its length is the number of digits or bits in n. Of course, there might be slow and fast algorithms for the same problem. In some cases an unlimited speed-up is possible. It is difficult to establish lower bounds for complexity that is to show, for instance, that every algorithm for a certain problem is of at least quadratic time complexity. Clearly, time complexity depends on the model for algorithms we have in mind. The number of steps becomes smaller if more work can be included in one step. However, fundamental notions such as polynomial time complexity are largely independent of the model. Of course, this concerns only models chosen with good taste. For instance, an abstract subroutine for testing the primality of a given number should not be included in one step! To be more specific, we choose a Turing machine as our model for algorithms. A Turing machine operates in discrete time. At each moment of time, it is in a specific internal (memory) state, the number of all possible states being finite. A read-write head scans letters written on a tape one at a time. Every pair (q, a) determines a triple (q l ' a1 , m), where the q's are states, a's are letters and m ("move") assumes one of the three values "left", "right" or "no move". This means that, after scanning the letter a in state q, the machine goes to the state q l' writes a 1 in place of a (possibly a 1 = a) and moves the read-write head according to m. If the read-write head is about to "fall off" the tape, that is, a left move is instructed when the machine is scanning the leftmost square of the tape, then a new blank square is added to the tape. The same holds true with respect to the right end of the tape. This capability of indefinitely extending the external memory can be viewed as a built-in hardware feature of every Turing machine.

220

Appendix A. Tutorial in Complexity Theory

The tape can be viewed both as a potentially infinite memory and an input and output channel. The input-output format is specified as follows. The machine begins its computation by scanning the leftmost letter of a given input word in a specific initial state. The computation ends if and when the machine reaches a specific final state. Then the machine halts and the word appearing on the tape constitutes the output. When reading the output some auxiliary letters can be ignored. The reader is referred to [Sal] for more formal definitions, as well as for a discussion concerning the generality of the model. Now it is clear what a step means. We can define the time complexity function associated with a Turing machine A by

fA(n)

= max{mlA halts after m steps for an input w with Iwl = n}.

We assume for simplicity that A halts, that is, reaches the final state for all inputs. Of course, this is not the case with respect to an arbitrary Turing machine. A Turing machine A is polynomiaUy bounded iff there is a polynomial p(n) such that fA(n) セ@ p(n) holds for all n. The notation P is used for all problems that can be solved using a polynomially bounded Turing machine. A problem is referred to as (computationally) intractable (sometimes also impossible) if it is not in P. Tractable problems (that is, problems in P) have several subclasses whose definition should be obvious: problems with linear, quadratic, cubic, etc. time complexity. The informal reference to a problem as easy means that the values of the polynomial are small, at least within the range considered. The Turing machine considered above is deterministic: the scanned letter and the internal state determine the behavior uniquely. To emphasize that a deterministic Turing machine is involved, we often speak of deterministic time complexity. A nondeterministic Turing machine may have several possibilities for its behavior when scanning a specific letter in a specific state. Consequently, specific inputs give rise to several computations. This can be visualized as the machine making guesses or using an arbitrary number of parallel processors. For each input w, the shortest successful computation s(w) (that is, a computation leading to the final state) is considered. The time complexity function of a nondeterministic Turing machine A is now defined by

fA(n)

= max {I, mls(w) has m steps for w with Iwl = n} .

The pair (1, m) is considered because, for some n, possibly no inputs oflength n lead to successful computations. The notions of a polynomially bounded nondeterministic Turing machine and the corresponding class of problems, N P, are now defined exactly as in the deterministic case. Problems in P are tractable, whereas the problems in N P have the property that it is tractable to check whether or not a good guess for the solution of the problem is correct. A time bound for a nondeterministic Turing machine can be visualized as a time bound for checking whether or not a good guess for the solution is correct. It is not known whether the factorization of an integer is in P but it certainly is in N P: one just guesses the decomposition and verifies the guess by computing the product.

Appendix A. Tutorial in Complexity Theory

221

By definition, P is included in NP but it is a celebrated open problem whether or not P = NP. However, there are many NP-complete problems. A specific problem is NP-complete iff it is in N P and, moreover, it is N P-hard, that is, every problem in NP can be reduced in polynomial time to this specific problem. It follows that P = NP iff an NP-complete problem is in P. In such a case an arbitrary problem in NP can be settled in deterministic polynomial time because it can first be reduced in polynomial time to the specific NP-complete problem which, in turn, can be settled in polynomial time. Clearly, the composition of two polynomials is again a polynomial. It is generally believed that P i= N P. Therefore, NP-complete problems are considered to be intractable. Besides N P, the terms "hard" and "complete" are used in a similar manner in connection with other classes of problems as well. A specific problem is shown to be N P-hard by proving that some problem previously known to be N P-hard can be reduced in polynomial time to the specific problem in question. If we want to show that the specific problem is NP-complete, we have to show also that it is in N P. However, we need something to start with: a problem whose NP-completeness can be established by a direct argument, without any reductions. A problem very suitable for this purpose is the satisfiability problem for well-formed formulas of the propositional calculus, abbreviated wffpc's. Such a formula is obtained from variables by using the operations conjunction 1\, disjunction v and negation '" in a well-formed manner. We omit the obvious recursive definition. A truth-value assignment for a wffpc ex is a mapping of the set of variables occurring in ex into the set {true, false}. The truth-value of ex can be computed for any truth-value assignment using the truth-tables of conjunction, disjunction and negation. Two wffpc's are equivalent iff they assume the same truth-value for all truth-value assignments. A wffpc ex is satisfiable iff it assumes the value "true" for some truth-value assignment. For instance, the wffpc (Xl

v '" x 2 v x 3 )

1\ (X2

v

X 3 ) 1\ ( '" Xl

v

X 3 ) 1\ '" X3

is not satisfiable. Indeed, the last clause forces the assignment X3 = false. Hence by the third clause, Xl = false, and by the second clause x 2 = true. But this assignment contradicts the first clause. The wffpc considered is in conjuctive normal form: a conjunction of disjunctions, where the terms of each disjunction are literals, that is, variables or negated variables. Moreover, it is in 3-conjunctive normal form: each conjunctive clause contains at most three literals. The satisfiability problem for wffpc's can be shown to be NP-complete by a direct argument. Indeed, the computation of a given Turing machine with a given input being successful is equivalent to a certain wffpc being satisfiable. The details can be found, for instance, in [Sa 1]. The result remains valid if attention is restricted to wffpc's in 3-conjunctive normal form. Satisfiability can, of course, be found out by checking through all possible truth-value assignments. This however, leads to exponential time complexity. Space complexity is defined analogously. If a Turing machine receives an input of length n, then originally n tape squares are occupied. New squares may be needed during the computation; their number indicates the space complexity.

222

Appendix A. Tutorial in Complexity Theory

Polynomial bounds can be considered also now. This gives rise to the classes P-SPACE and NP-SPACE. Clearly, a time class is included in the corresponding space class because one time unit is needed to extend the tape by one square. For space classes one can actually prove that P-SPACE = NP-SPACE. Consequently, we have the following chain of inclusions P

£;

NP

£;

P-SPACE

= NP-SPACE.

Whether or not the two inclusions are proper is a celebrated open problem. The class Co-NP consists of problems whose "complement" is in NP. For instance, the complement of the problem "Is a given integer prime?" is "Is a given integer composite?" A formal definition can be given by considering problems as languages. It is clear that if a problem is in P, then also its complement is in P: the same algorithm works for the complement as well. This does not hold true in the nondeterministic case. In fact, the interrelation between NP and Co-NP is unknown but it is generally believed that NP #- Co-NP. It is easy to see that if the complement of some NP-complete problem is in NP, then NP = Co-NP. There are some caveats to be kept in mind when complexity theory is applied to cryptography. When considering polynomial time complexity, the degree of the polynomial is certainly significant. For instance, n 1000 grows ultimately slower than nloglogn but is still likely to be a much worse upper bound for the values under consideration. In cryptography average complexity is more important than worst case complexity. Suppose a user chooses at random the encryption key in a publickey cryptosystem. It is then insignificant if computing the corresponding decryption key is intractable in some rarely occurring cases but easy in most cases. Probabilistic or stochastic algorithms are often used in cryptography. Intuitively this means that random choices are made (that is, a random number generator can be called) at certain stages during the execution of the algorithm. The terminology introduced above is extended to concern the stochastic case. Thus, we may speak of algorithms running in random polynomial time. The corresponding class of problems is often denoted by BP P. It is generally believed that BP P #- N P. Stochastic algorithms may fail but the probability offailure can be made arbitrarily small. Usually the time complexity increases when the probability of failure becomes smaller. The failure is due to the stochastic element. The following terminology is used to indicate different types of failure. A Monte Carlo algorithm might give a wrong answer in some cases. A Las Vegas algorithm always gives a correct answer, but it might end up with the answer "I don't know" in some cases. We mention finally that, when talking about time complexity, we usually do not consider the computation steps of a Turing machine but rather some other elementary operation such as bit multiplication. The classes P and N P are invariant under such changes but, for instance, the degree and/or coefficients of the polynomial involved may change.

Appendix B. Tutorial in Number Theory

This appendix consists of an overview of the number theoretic results used in this book. Most of the proofs are very easy and can be found, for instance, in [Ko]. An integer a divides another integer b, in symbols a Ib, iff b = da holds for some integer d. Then a is called a divisor or factor of b. Let a be an integer greater than 1. Then a is prime if its only positive divisors are 1 and a, otherwise a is composite. Every integer n > 1 can be represented uniquely, disregarding the order offactors, as a product of primes. The essential fact from the point of view of cryptography is that no tractable factorization algorithms are known although, on the other hand, no nontrivial lower bounds for the time complexity of factorization have been established. No tractable methods are known even for the simple case, where two primes p and q have to be recovered from their product n = pq. The greatest common divisor of a and b, in symbols g.c.d. (a, b) or briefly (a, b), is the largest integer dividing both a and b. Equivalently, (a, b) is the only positive integer that divides a and b and is divisible by any integer dividing both a and b. Similarly, the least common multiple l.c.m. (a, b) is the smallest positive integer divisible by both a and b. The greatest common divisor can be computed by Euclid's algorithm. It consists of the following chain of equations.

a = bq 1 + r I ' 0 < r1 < b , b=r 1 q2+ r2,0(I) = 1 and q>(pb) = pb - pb-l, where p is prime and b セ@ 1. It is also easy to see that q>(mn) = q>(m)q>(n) if m and n are relatively prime. By these facts q>(n) can be computed for any n. The computation will be easy if the factorization of n is known. We say that a is congruent to b modulo m, written

a == b(modm) iff m divides the difference a-b. The number m is called the modulus. We assume that m セ@ 2. For every integer x, exactly one of the integers 0, 1, ... , m - 1 is congruent to x modulo m. This particular integer is called the least nonnegative remainder of x modulo m and denoted by

(x, modm). This notation appears frequently in this book in different contexts. Denote further lJy [x] the integer part of x, that is, the greatest integer ::; x. It follows that (x, modm)

= x - [x/m]· m .

We have seen that if a and m are relatively prime, then there are integers x and y such that 1 = xa + ym. Hence, xa == 1 (mod m). The integer x is referred to as the inverse of a modulo m and denoted by a-l (mod m). The inverse is unique when congruent integers are considered to be equal. The time complexity of finding the inverse is roughly the same as that of Euclid's algorithm. This implies that also the congruence az == b (mod m), (a, m) = 1 , can be solved in cubic time. To find z, one first computes a-l (mod m) and multiplies it by b. If (a, m) = 1 then, according to Euler's Theorem, a",(m)

== 1 (mod m) .

If m is a prime not dividing a, this result takes the form

am -

1

== 1 (modm)

and is referred to as Fermat's Little Theorem. If the moduli mi are pairwise relatively prime then the system of congruences x == ai (mod mJ,

i

= 1, ... , k ,

possesses a solution x unique up to congruence modulo M = m1 ••• mk • This result, known as the Chinese Remainder Theorem, is established in Section 6.3. A field F is a set together with the operations of addition and multiplication that satisfy the familiar requirements: associativity, commutativity, distributive

Appendix B. Tutorial in Number Theory

225

law, existence of an additive identity 0 and a multiplicative identity 1, additive inverses and multiplicative inverses for all elements except O. Both the rational numbers and the real numbers constitute a field. Finite fields F(q) with q elements are important in cryptography. It is easy to see that always q = ph, for some prime p and h セ@ 1. A convenient way of representing the elements of F(q) is discussed in Section 3.5. Denote by F*(q) the set of nonzero elements of F(q). An element 9 of F*(q) is termed a generator of F*(q) iff, for every a in F*(q), there is an integer x such that gX = a holds in F*(q). There are altogether 2. If an element a of F*(p) is a square, that is a = x 2 for some x, a is called a quadratic residue modulo p. Otherwise, a is called a quadratic nonresidue modulo p. Clearly, a with 1 ::;; a ::;; p - 1 is a quadratic residue modulo p iff the congruence x 2 == a (mod p) has a solution x. Then necessarily also - x is a solution, that is, a has two square roots modulo p. All quadratic residues are found by computing the squares of the elements 1, ... , (p - 1)/2. Thus, there are (p - 1)/2 quadratic residues and nonresidues. The Legendre symbol for an integer a and prime p > 2 is defined by if p divides a , if a is a quadratic residue modulo p , if a is a quadratic nonresidue modulo p . Clearly, a can be replaced by any integer congruent to a (mod p) without changing the value of the Legendre symbol. The basic result concerning the Legendre symbol IS

(*)

HセI@

==

a(p-l)/2

(modp).

The Jacobi symbol is a generalization of the Legendre symbol. Consider an integer a and an odd number n > 2. Further, let n = pit ... be the prime factorization of n. Then the Jacobi symbol is defined to be the product of the corresponding Legendre symbols:

p;

Clearly, also now a can be replaced by a number congruent to a (mod n) without changing the Jacobi symbol. The multiplicative property

Appendix B. Tutorial in Number Theory

226

follows easily from (*). Consequently,

For special values of a the Jacobi symbol can be computed as follows:

(l)=1'

(D=(-1)(n HセQI]⦅ャョMORL@

l

1l/S.

-

Basic reductions in the computation of the Jacobi symbol are carried out using the Law of Quadratic Reciprocity:

HセI@

=

(_l)(m-l)(n-l)/4(;),

where m and n are odd numbers greater than 2. Equivalently,

HセI@

= (;) unless

m==n==3(mod4),

in which case

HセI@

The value of Hセ@

= - (;) . ) can now be computed, without factoring any numbers (apart

from taking out powers of 2) as follows. If necessary, m is replaced by (m, mod n); a similar replacement is made also at later stages of the procedure. The Law of Quadratic Reciprocity is applied to reduce the "denominator" in Hセ@

). As in case of

Euclid's algorithm, the reduction can be small in one reduction step, however, two consecutive steps reduce the denominator at least by a factor of 1-. Altogether this yields roughly the same time complexity estimate for computing

Hセ@

) as we have

for Euclid's algorithm. An example of a computation is given in Section 6.5. If p is prime, the described method constitutes also a fast algorithm for determining whether a is a quadratic residue or nonresidue modulo p. No such fast algorithm is known if, instead of a prime p, we are dealing with an arbitrary n. Let us consider in more detail the cryptographically important case, where n is the product of two odd primes, n = pq. As we noticed above, half of the numbers 1, ... , p - 1 are quadratic residues modulo p, the other half being nonresidues. Of course the analogous statement holds for q. On the other hand, a number a is a quadratic residue modulo n, that is x 2 == a (mod n) holds for some x, iff a is a quadratic residue both modulo p and modulo q. Altogether this means that exactly half of the numbers a with

o< a < n satisfy

HセI@

= + 1, and

HセI@

and (a, n) = 1

= - 1 holds for the other half. Moreover, half of the

Appendix B. Tutorial in Number Theory

numbers a satisfying ( セI@ n which

227

= + 1 are quadratic residues modulo n, namely, those for

HセI@

=

HセI@

= + 1.

The other half, namely, those for which

HセI@

= HセI@

=-

1

are nonresidues. There seems to be no way of finding out which of the two cases occurs, unless one is able to factor n. Assume that we know that a, 0 < a < n, is a quadratic residue modulo n. Hence, for some x, x2

== a (mod n)

.

Finding x, that is, extracting square roots modulo n is a very important task in cryptography. Let us again consider the case n = pq. By our assumption, a is a quadratic residue both modulo p and modulo q. This implies the existence of numbers y and z such that

( ± y)2 == a (mod p)

and

(± Z)2 == a (modq) .

Moreover. y and z can be found in polynomial time (where the degree of the polynomial is at most 4), provided that p and q are known. The details of such an algorithm are given, for instance, in [Ko]. It is assumed in the algorithm that a nonresidue modulo p is known, as well as a nonresidue modulo q. However, such nonresidues can be found fast by a stochastic algorithm. From the congruences

± y (mod p) and x == ± z (mod q)

x ==

we now get, by the Chinese Remainder Theorem, four square roots x of a modulo n. The square roots can be expressed as ± u and ± w, where u 1= ± W (mod n). Such u and ware referred to as different square roots. The following two facts are important in cryptography. The knowledge of two different square roots enables one to factor n. In fact

= (u + w)(u - w) == o(mod n) . This means that n divides (u + w)(u - w). However, by the choice of u and w, n divides neither u + w nor u - w. This implies that the greatest common divisor of u + wand n (obtained quickly by Euclid's algorithm) is either p or q. u2

-

w2

The second important fact is that, whenever p == q == 3 (mod 4), then two different square roots u and w of the same number a modulo n possess different Jacobi symbols:

228

Appendix B. Tutorial in Number Theory

This follows because, as seen above, either

=w(modp) and u =- w(modq) u =- w(modp) and u =w(modq) , u

or else

and by the assumption concerning p and q

HセQI]⦅N@

Problems

1. Encrypt the plaintext DONOTGOTOSAUNASOONAFTEREATING using KEYWORD-CAESAR with the keyword SUPERDOG and number 9. 2. The plaintext SAUNA is encrypted as TAKE BACK VAT OR BONDS. Describe the cryptosystem used. 3. The plaintext SAUNAANDLIFE is encrypted as RMEMHCZZTCEZTZKKDA. Describe the cryptosystem used. 4. Encrypt according to Hill's cryptosystem (see Example 1.2) the plaintext PAYMOREMONEY when the matrix used is 17 ( 21

2

17 18

RセI@

2 19

.

5. The matrix is now

H Qセ@ Rセ@ セZIN@ 20

7

1

Encrypt STOPPAYMENTX. 6. Establish a necessary and sufficient condition for a matrix M to be invertible when arithmetic is carried out modulo 26. (This is required in Hill's cryptosystern.) Find the inverses of a few 2-dimensional matrices. 7. Hill's cryptosystem with a 2-dimensional matrix is used. The most frequent digrams in the cryptotext are RH and NI, whereas they are TH and HE in the plaintext language. What matrix can be computed from this information? 8. To encrypt one uses first the matrix matrix

HRセ@

!) .

GセI@ 1

and to the resulting text the

Construct a single matrix with the same effect.

9. As Problem 8 but now the matrices are (in this order)

0)

( 23 1) 1 and (11 01 1 . o1 1

230

Problems

10. In general, if the original matrices are m- and n-dimensional, how big a matrix suffices for the combined effect? 11. A cryptosystem is closed under composition iff, for every two encryption keys, there is a single encryption key having the effect of the two keys applied consecutively. Closure under composition means that the consecutive application of two keys does not add security. The preceding problems show that Hill's cryptosystem is closed under composition. Study this property with respect to some cryptosystems discussed in this book. 12. In simple cryptosystems every encryption key can be represented as a composition of a few generator keys. In CAESAR such a generator is E l ' the key mapping every letter to the next one. The affine system maps a letter x, o ::; x ::; 25, into the letter (ax + b, mod 26), where (a, 26) = 1. Show that no single key can be a generator for the affine system, whereas two keys suffice. 13. Decrypt the following cryptotext given to the participants of EUROCRYPT88 in Davos: EXVITL YEKDAV OIEUSM SIXMTA

AMSYMX OSINAL GPLKSM IDAVOS

EAKSSI PVITHE ADAVOS

KIRZMS RRJMLO LULRVK

14. Which city with four letters is in encrypted form BHFLYPBT when the following encryption method is used. First an arbitrary garbage letter is added after each plaintext letter. (Thus, in the resulting word the 2nd, 4th, 6th and 8th letters are insignificant.) Then Hill's system with a 2-dimensional matrix encrypting the wo.ro AIDS into the word AIDS is used. 15. The plaintext alphabet is {A, B, C, D}. The mono alphabetic system is used, where the individual letters are encrypted as follows: A -+ BB,

B -+ AAB,

C -+ BAB,

D

-+

A.

For instance, the word ABDA is encrypted as BBAABABB. Show that decryption is always unique. Show that it is not unique if the individual letters are encrypted: A -+ AB, B -+ BA, C -+ A, D -+ C . 16. The complement セ@ x of a bit x is defined in the natural way: セ@ 0 = 1 and セ@ 1 = O. Prove that if in DES every bit in the plaintext and in the key is replaced by its complement, then also in the cryptotext every bit will change to its complement. 17. Any word over the alphabet {A, B} can appear as plaintext. The first monoalphabetic encryption key is defined by A -+ CCD,

B -+ C

and the second by A -+ C,

B -+ DCC .

Which words over {A, B} are encrypted as the same word over {C, D} according to both keys?

Problems

231

18. The most frequent trigrams in the cryptotext are LME, WRI and ZYC, whereas they are THE, AND and THA in the plaintext language. What is the matrix used in Hill's cryptosystem? 19. Each letter x, 0 セ@ x セ@ 25, is encrypted as (f(x), mod 26), wheref(x) is a quadratic polynomial. Compute the polynomial when the three most frequent letters in the cryptotext are Z, V, B (in this order), whereas they are E, T, N in the plaintext language. 20. Consider the very weak variant of ONE-TIME PAD discussed at the end of Section 1.3. However, now the basic book is this book. For instance, the key 12345 means the fifth letter of the fourth word in the third paragraph of Section 1.2. Encrypt the plaintext RACCOONDOGANDSAUNA using the key 43333. 21. Both the keyword and plaintext can be read in different ways from the Vigenere and Beaufort squares. Write arithmetical expressions for some of the mappings obtained. 22. A simple cryptosystem can be based on permutations as follows. The plaintext is divided into blocks of n characters each. A fixed permutation on the numbers {I, ... , n} is applied to each block. For instance, SAUNA becomes UNSAA if n = 5, the permutation interchanges the first and third as well as the second and fourth letters but leaves the fifth letter unchanged. Show that the same effect can always be reached by a suitable Hill's cryptosystem. 23. A cryptosystem induces a language theoretic mapping from the set of plaintext words to the set of cryptotext words. In general, only little is known about such mappings but, for instance, the mapping induced by CAESAR is easy to characterize. Consider various cryptosystems and answer the question: is the induced mapping length preserving? 24. Give necessary and/or sufficient conditions for a mapping to be realizable by a PLA YF AIR square. The results enable you to construct "meaningful translations" such as the one presented in the text. 25. Explain the differences (apart from different alphabet sizes) between mappings realizable by a PLA YF AIR square and a 3 x 9 PLA YF AIR rectangle. 26. Same as Problem 24 but now for the Jefferson wheel. Observe especially the importance of the distance between the plaintext and cryptotext rows. 27. What is the period obtained from the lug matrix and step figure presented in the text? 28. Construct a lug matrix and a step figure giving rise to the period 17 (resp. 19·21). 29. Construct a lug matrix and a step figure giving rise to the maximal period. ([BeP] may be consulted.) 30. Show that the 10-tuple A' studied in Section 2.1 is injective, that is, there is no IX such that the knapsack problem (A', IX) would have two solutions. 31. Let A = (a l , . • . , an) be a knapsack vector, that is, the a;'s are distinct positive integers. A positive integer IX is represented by A iff IX can be expressed as a sum of the a;'s, where no ai appears twice. If A is injective, then clearly 2n - 1 integers are represented by A. This is the greatest possible number. What is the least possible number in terms of n?

232

Problems

32. Given a knapsack problem (A, k), you have to find all solutions. Show that this problem is not even in NP. 33. Why is 2047 a bad choice for the modulus in RSA, apart from its being too small? 34. Show that encryption and decryption exponents must coincide if 35 is the modulus in RSA. 35. Some plaintext blocks remain unchanged when encrypted according to RSA. Show that their number is (1

+ (e - 1, p - 1))(1 + (e -

l)(q - 1)) .

36. Construct examples of Shamir's algorithm, where at least two disjoint intervals for ujm are found. Can you say something general about the number of disjoint intervals? Is it possible that an interval reduces to a point? 37. Prove that the vector (i, i-I, i - 2, ... , i - j), i - j セ@ 1, is super-reachable exactly in case if both j = 2 and i セ@ 4. 38. The vector (7,3,2) is ((7, 15,38), 73, 84)-super-reachable. Apply the technique of Lemma 3.5 to get a small enough multiplier. 39. Prove that every injective (b l ' b2 , b3 ) is permutation-super-reachable. 40. Describe an algorithm for finding the smallest modulus m such that a given super-reachable vector is (A, t, m)-super-reachable. 41. Consider all knapsack vectors whose components are セ@ 4. Prove that exactly the following ones are super-reachable: (2,4, 3), (4, 3,2), (1,2,4), (2,4, 1), (4, 1,2) . 42. Prove that (5, 3,4) and (5,4, 3) are the only super-reachable ones among vectors with components 3, 4, 5. 43. Represent the elements of F(27) in terms of the roo.t of a polynomial irreducible over F(3). Find a generator and compute the table of logarithms. 44. Study the cryptanalysis of the cryptosystem based on dense knapsacks, when some of the trapdoor items are known. (Here [Cho] should be consulted.) 45. Consider the first illustration (n = 55) in Example 4.1. Send a signed message to a user whose public encryption exponent is 13. (You have e = 7, d = 23.) 46. Show that the number 3215031751 is composite and a strong pseudo prime to each of the bases 2, 3, 5, 7. 47. Consider the general method for key exchange presented at the very end of Chapter 4 in case of some specific function f Can you improve the ratio mjm 2 between the work done by the legal user and the work done by the cryptanalyst? 48. Assume that you have an algorithm for computing one of SQUAREFREENESS (n) (see Section 2.2) and cp(n). Can you reduce this to an algorithm for computing the other? 49. The initial value is 3 in .a functional cryptosystem, the functions being fo(x) = 3x and 11 (x) = 3x + 1. Thus, 011 is encrypted as

3fofJl = 85. What is a very simple way to decrypt a cryptotext written as a decimal number? Which numbers can appear as cryptotexts?

Problems

233

50. Show that the knapsack vector (2106,880,1320,974,2388,1617,1568,2523,48,897) is super-reachable. 51. Give an example of a knapsack problem (A (i), a(i)) having exactly i solutions. i = 1,2, .... 52. Analogously to Example 3.5, let the publicized items be A = (1,2, 3,0,0,4) (A is viewed as a column vector) and m = 7. The secret matrix is 101001)

H=011101. (

101110

53.

54.

55. 56. 57.

58.

What is the signature for the plaintext 3 (i) by the direct method, (ii) using the randomizing vector (1,0,0,0, 1, I)? It is clear that a dual theory can be based on decreasing and super-decreasing vectors, defined in the same way as increasing and super-increasing vectors. In particular, the notion of super-d-reachability refers to super-decreasing vectors. Give examples of injective vectors that are neither super-reachable nor super-d-reachable. Construct a protocol for throwing a dice by telephone. Be not satisfied with the following obvious solution. Flip a coin three times. If the outcome is heads-heads-heads or tails-tails-tails, repeat the procedure until some other outcome is obtained. Assume that the primes p and q in RSA have 100 digits, the first digit being #- O. Estimate the number of possibilities for n. YJCVKUVJGJGCTVQHUCWPC? UVQXG. Prove that the remainders in Euclid's algorithm satisfy the inequality rj+2 < rj/2, for all j. Construct a variant of the algorithm, by allowing negative remainders, where a slightly better convergence rj+ 2 =:; rj+ d2 is obtained. Decrypt KOKOOKOKOONKOKOKOKKOKOKOKOKKOKOKOKOKOKKO and

Both are actually statements or conversations in a wellknown natural language. Certainly the plaintext language is of some importance! 59. Consider the plaintext of length 47, discussed in connection with the C-36 encryption. If YES is added to the end of the plaintext, how does the cryptotext continue? 60. Assume that (a, m) = 1. Show that a 1. 62. There are always in RSA encryption exponents such that every plaintext is encrypted as itself. More explicitly, prove the following assertion. For every choice of P and q, e can be chosen in such a way that we == w(mod n) holds for all w. (The trivial choices e = 1 and e =