Overview of Cryptography

These notes are from:

1) D. Hankerson, A. Menezes, S. Vanstone, Guide to Elliptic
Cryptography, 2004 (Chp. 1)
2) Narayanan, J. Bonneau, E. Felten, A. Miller, S. Goldfeder, Bitcoin and
Cryptocurrency Technologies, 2016. (Chp. 1)
 Cryptography
• Cryptography is about the design and analysis
of mathematical techniques that enable
secure communications in the presence of
malicious adversaries.
 Basic communications model
• Entities A (Alice) and B (Bob) are
communicating over an unsecured channel
• Assume that all communications take place in
the presence of an adversary E (Eve)

unsecured channel
A B

E
 Security Goals
• Confidentiality (Privacy): keeping data secret from all
but those authorized to see it—messages sent by A to
B should not be readable by E.
• Data integrity: ensuring that data has not been altered
by unauthorized means— B should be able to detect
when data sent by A has been modified by E.
• Data origin authentication: verifying the source of
data—B should be able to verify that data purportedly
sent by A indeed originated with A.
• Entity authentication: verifying the identity of an
entity—B should be convinced of the identity of the
other communicating entity.
 Security Goals
• Non-repudiation: preventing an entity from denying
previous commitments or actions—when B receives a
message purportedly from A, not only is B convinced
that the message originated with A, but B can convince
a neutral third party of this; thus A cannot deny having
sent the message to B.
• Some applications may have other security objectives
such as anonymity of the communicating entities or
access control (the restriction of access to resources).
 Adversarial model
• adversary E has considerable capabilities
• E can read all data transmitted over the channel
• E can modify transmitted data and inject her own
data
• E has significant computational resources at her
disposal
• Complete descriptions of the communications
protocols and any cryptographic mechanisms
deployed (except for secret keying information)
are known to E .
 Symmetric-key cryptography
• In symmetric-key schemes, the communicating
entities first agree upon keying material that is
both secret and authentic.
• They use a symmetric-key encryption scheme
such as the Data Encryption Standard (DES), RC4,
or the Advanced Encryption Standard (AES) to
achieve confidentiality.
• They may also use a message authentication
code (MAC) algorithm such as HMAC to achieve
data integrity and data origin authentication.
 MAC / HMAC / Hashing
• a message authentication code (MAC) is a short
piece of information used to authenticate a
message—in other words, to confirm that the
message came from the stated sender (its
authenticity) and has not been changed in transit
(its integrity).
• HMAC is used to used to simultaneously verify
both the data integrity and the authentication of
a message
h(key || h(key || message))
 Replay Attack
• A replay attack (also known as playback attack) is a
form of network attack in which a valid data
transmission is maliciously or fraudulently repeated or
delayed
• The message itself must contain data that assures that
this same message can only be sent once (e.g. time
stamp, sequence number or use of a one-time MAC).
Otherwise an attacker could — without even
understanding its content — record this message and
play it back at a later time, producing the same result
as the original sender.
 Symmetric Key Cryptography
• if confidentiality were desired and the secret key shared by A and B
were k, then A would encrypt a plaintext message m using an
encryption function ENC and the key k and transmit the resulting
ciphertext c = ENCk(m) to B.
• On receiving c, B would use the decryption function DEC and the
same key k to recover m = DECk (c).

• If data integrity and data origin authentication were desired, then A

and B would first agree upon a secret key k, after which A would
compute the authentication tag t = MACk(m) of a plaintext message
m using a MAC algorithm and the key k. A would then send m and t
to B.
• On receiving m and t, B would use the MAC algorithm and the same
key k to recompute the tag tʹ = MACk(m) of m and accept the
message as having originated from A if t = tʹ.
 Symmetric Key Cryptography
• Advantage: The major advantage of
symmetric-key cryptography is high efficiency
• Disadvantage: key distribution problem—the
requirement for a channel that is both secret
and authenticated for the distribution of
keying material.
 Public-key cryptography
• A key pair is selected so that the problem of deriving the private key from the
corresponding public key is equivalent to solving a computational problem that is
believed to be intractable.
• Number-theoretic problems whose intractability form the basis for the security of
commonly used public-key schemes are:
1. The integer factorization problem, whose hardness is essential for the security of RSA public-
key encryption and signature schemes.
2. The discrete logarithm problem, whose hardness is essential for the security of the ElGamal
public-key encryption and signature schemes and their variants such as the Digital Signature
Algorithm (DSA).
3. The elliptic curve discrete logarithm problem, whose hardness is essential for the security of all
elliptic curve cryptographic schemes.

• no efficient algorithms are known for non-quantum computers

• For quantum computers: Shor, Peter (1997). "Polynomial-Time Algorithms for Prime
Factorization and Discrete Logarithms on a Quantum Computer". SIAM Journal on
Computing. 26 (5): 1484–1509.
• For quantum computers, see:
Shor, Peter (1997). "Polynomial-Time Algorithms for Prime Factorization and
Discrete Logarithms on a Quantum Computer". SIAM Journal on Computing. 26
(5): 1484–1509.

• Table from NISTIR 8105 Report on Post-Quantum

Cryptography
http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf
 RSA systems
• named after its inventors Rivest, Shamir and Adleman, was
proposed in 1977
• RSA key generation:
– The public key consists of a pair of integers (n, e) where the RSA
modulus n is a product of two randomly generated (and secret)
primes p and q of the same bitlength.
– The encryption exponent e is an integer satisfying 1 < e < φ and
gcd(e, φ) = 1 where φ = ( p − 1)(q − 1).
– The private key d, also called the decryption exponent, is the
integer satisfying 1 < d < φ and ed ≡ 1 (mod φ).
– The problem of determining the private key d from the public
key (n,e) is computationally equivalent to the problem of
determining the factors p and q of n; the latter is the integer
factorization problem (IFP)
Algorithm: RSA key pair generation
Algorithm: Basic RSA Encryption
Algorithm: Basic RSA Decryption
Basic RSA Signature Generation
Basic RSA Signature Verification
 ECDSA curve used in Bitcoin
• secp256k1 refers to the parameters of the ECDSA curve used in Bitcoin, and is defined in
Standards for Efficient Cryptography (SEC) (Certicom Research, http://www.secg.org/sec2-
v2.pdf).

Plot from: https://www.desmos.com/calculator/ialhd71we3

 Performance RSA vs. Elliptic Curve
• You can compute how much energy is needed to break
a cryptographic algorithm, and compare that with how
much water that energy could boil.
• By this measure, breaking a 228-bit RSA key requires
less energy to than it takes to boil a teaspoon of water.
• Comparatively, breaking a 228-bit elliptic curve key
requires enough energy to boil all the water on earth.
For this level of security with RSA, you'd need a key
with 2,380-bits.
• Reference: A.K. Lenstra, T. Kleinjung, E. Thome Universal security from bits
and mips to pools, lakes – and beyond http://eprint.iacr.org/2013/635.pdf
 Google & Cloudfare
• Google's and Cloudfare’s ECC curve for
ECDHE :
max: 115792089210356248762697446949407573530086143415290314195533631308867097853951
curve: y² = x³ + ax + b
a = 115792089210356248762697446949407573530086143415290314195533631308867097853948
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291

• CDHE stands for Elliptic Curve Diffie Hellman

Ephemeral and is a key exchange mechanism
based on elliptic curves.
 Speed Comparisons
• On a shell execute the openssl command:
>openssl speed ecdsa
Doing 256 bit sign ecdsa's for 10s: 185269 256 bit ECDSA signs in 9.99s
Doing 256 bit verify ecdsa's for 10s: 76192 256 bit ECDSA verify in 10.00s

>openssl speed rsa2048

Doing 2048 bit private rsa's for 10s: 9149 2048 bit private RSA's in 10.00s
Doing 2048 bit public rsa's for 10s: 280747 2048 bit public RSA's in 9.99s
Finding Cipher Suites used
on Web Sites
 Untraceable Payments
• Bitcoin payments are traceable
• Advanced cryptography is used to implement
untraceable payments
– Ring signatures (used in Monero)
– Zero Knowledge Proofs (zk-SNARKS used in Zcash)
 Cryptographic Hashing
• h: hash function, a mathematical transformation taking any
string as input, of arbitrary length and returning a fixed-size
output (ex: 256 bits)
• transformation is deterministic
• Let X: domain of pre-digest, Y: domain of digest
• Cryptographic (or one-way) hash functions have a set of
further properties:
1. for any x ∈ X, it is easy to compute h(x)
2. hiding property: for any y ∈ Y, it is computationally
infeasible to find x ∈ X such that h(x) = y
3. collision resistance: given any x1, it is computationally
infeasible to find another x2 different from x1 such that
f(x1) = f(x2)
 Cryptographic Hashing
• input domain has arbitrary size while output
domain has fixed size, it is not mathematically
possible to have a different output for each input
message: so collision exists, but it is very hard to
find them.
X Y

• examples of cryptographic hashes: MD5, SHA-1,

SHA-256,....
 Example of a hash function which is
not cryptographic:
• 8 bit block parity
x = 11011001100110011000110101010101

11011001
10011001
10001101
01010101
h(x) = 10011000

• Hash function does not satisfy the second and the third
property
 On Collision Resistance
• Cryptographic hash functions used are believed
to be collision resistant: People have tried really,
really hard to find collisions and have not yet
succeeded.
• Note that there are no hash functions proven to
be collision-resistant.
• In the case of the old MD5 hash function,
collisions were eventually found after years of
work, leading the function to be deprecated and
phased out of practical use.
 Commitments
• A commitment is the digital analog of taking a
value, sealing it in an envelope, and putting
that envelope out on the table where
everyone can see it.
• You commit yourself to what is inside the
envelope.
 Commitment scheme
• To use a commitment scheme, we first need to generate a random nonce
• Every time you commit to a value, it is important that you choose a new
random value nonce.
• In cryptography, the term nonce is used to refer to a value that can only
be used once.

• com := commit(​msg, nonce​) := H(​nonce ‖ msg​)

The commit function takes a message and secret random value (e.g. 256 bits),
called a nonce, as input and returns a commitment.

• verify(​com, msg, nonce​) ​

The verify function takes a commitment, nonce, and message as input. It returns
true if com == commit(msg, nonce) and false otherwise.

• Properties of commitment: (i) sealing (ii) binding

 Search Puzzle
• A search puzzle consists of
– a hash function, H,
– a value, id (which we call the puzzle-ID)
– and a target set Y
– A solution to this puzzle is a value, x, such that H(id ||‖ x) ∈ Y.
• Solving the puzzle requires finding an input so that the
output falls within the set Y, which is typically much smaller
than the set of all outputs.
• The size of Y determines how hard the puzzle is.
• If Y is the set of all n-bit strings the puzzle is trivial, whereas
if Y has only 1 element the puzzle is maximally hard.
 Puzzle Friendliness
• If a search puzzle is puzzle-friendly, this implies that there’s
no solving strategy for this puzzle which is much better than
just trying random values of x.
• if we want to pose a puzzle that’s difficult to solve, we can do
it this way as long as we can generate puzzle-IDs in a suitably
random way.
• Bitcoin mining is a sort of computational puzzle.
 SHA-256
• Used in Bitcoin
• Hash functions work on inputs of arbitrary length.
• As long as we can build a hash function that works on fixed-
length inputs, there’s a generic method to convert it into a
hash function that works on arbitrary-length inputs.
• Called the Merkle-Damgard transform.
 Merkle-Damgard Transform

• Assume the compression function takes inputs of length m and produces an

output of a smaller length n.
• The input to the hash function is divided into blocks of length m-n.
• Each block is passed together with the output of the previous block into the
compression function.
• Input length will then be (m-n) + n = m, which is the input length to the
compression function.
• For the first block, to which there is no previous block output, an Initialization
Vector (IV) is used.
• This number is reused for every call to the hash function, and in practice you can
just look it up in a standards document.
Merkle Trees (hash trees)
 Application of
Merkle Trees (hash trees)
• Hash trees, or Merkle trees, can help identify invalid bits
with minimal communication
• For example, is a large video file corrupted ?
 Application of Merkle Trees:
Proof of Membership
• Suppose, someone wants to prove that a certain data
block is a member of the Merkle Tree.
• As usual, we remember just the root.
• Then they need to show us this data block, and the
blocks on the path from the data block to the root.
• We can ignore the rest of the tree, as the blocks on
this path are enough to allow us to verify the hashes all
the way up to the root of the tree
• If there are n nodes in the tree, only about log(n) items
need to be shown
• If there are n nodes in the tree, only about log(n) items
need to be shown
 Proof of Membership Example
• To verify that data block corresponding to D is included, one needs
a copy of the C, AB, and EEEE hashes in addition to the Merkle root
ABCDEEEE;
• No need to know anything about any of the other segments.

ABCDEEEE Merkle root

ABCD EEEE

AB CD EE E is paired with itself

A B C D E
 Python Code: SHA256

#!/usr/bin/python

from Crypto.Hash import SHA256

print SHA256.new('hello world\n').hexdigest()

 Python Code: HMAC
#!/usr/bin/python

from Crypto.Hash import HMAC, SHA256

key = 'hamsi'

h1 = HMAC.new(key, 'I love fish', SHA256)

print h1.hexdigest()

h2 = HMAC.new(key, digestmod=SHA256)
h2.update('I love fish')
print h2.hexdigest()
Python Code: Symmetric Key

#!/usr/bin/python

from Crypto.Cipher import DES

des = DES.new('01234567', DES.MODE_ECB)

text = 'abcdefgh'
cipher_text = des.encrypt(text)
print des.decrypt(cipher_text)
Python Code: RSA Public Key
#!/usr/bin/python

from Crypto.PublicKey import RSA

from Crypto import Random

random_generator = Random.new().read

key = RSA.generate(1024,random_generator)

print key.e
print key.n

public_key = key.publickey()
enc_data = public_key.encrypt('abcdefgh', 32)
print enc_data
print key.decrypt(enc_data)