4.4 Public key cryptography10 4.5 Digital envelopes16 4.6 Protection of cryptographic keys18 4.7 Generation of pseudorandom bit sequences20 4.8 Legal Issues20 4.9 Notation25 References 113
w A cryptographic algorithm is an algorithm defined by a sequence of
steps precisely specifying the actions required to calculate a specific function of the input data. Most of the time, cryptographic algorithms are used to achieve specific security objectives.
w A cryptographic protocol is a distributed algorithm defined by a
sequence of steps precisely specifying the actions required of two or more entities.
Cryptographic algorithms and protocols are being studied in both theory and practice. The aim is to design and come up with algorithms and protocols that are both secure and practical. Note, however, that there are at least two basic approaches to discussing the security of cryptographic algorithms and protocols:
w Computational security measures the computational effort required to
break a specific cryptographic algorithm or protocol. An algorithm or protocol is said to be computationally secure if the best method for breaking it requires at leastnoperations, wherenis some specified, usually very large, number. The problem is that no known practical algorithm or protocol can be proven to be secure under this definition. In practice, an algorithm or protocol is calledcomputation- ally secure if the best known method of breaking it requires an unreasonably large amount of computational resources (e.g., time or memory). Another approach is to provide evidence of computational security by reducing the security of an algorithm or protocol to some well-studied problem that is thought to be difficult. For example, it may be possible to prove that an algorithm or protocol is secure if a given integer cannot be factored or a discrete logarithm cannot be computed. Algorithms and protocols of this type are sometimes called provably secure, but it must be understood that this approach only provides a proof of security relative to the difficulty of solving another problem, not an absolute proof of security.
w Unconditional security measures the security of a cryptographic
algorithm or protocol when there is no upper bound placed on the amount of computational resources an adversary has at hand. Consequently, an algorithm or protocol is called unconditionally secure if it cannot be broken, even with infinite time and memory.
The computational security of a cryptographic algorithm or protocol can be studied from the point of view of computational complexity, whereas
the unconditional security cannot be studied from this point of view because computational resources are allowed to be infinite. The appropriate frame- work in which unconditional security must be studied is probability theory, and the application thereof in communication or information theory [8, 9].
Unconditional security is preferable from a security point of view, because it protects against an infinitely powerful adversary. Unfortunately, unconditional security is generally hard and expensive to achieve in many cases, and sometimes impossible. For example, theory shows that uncondi- tionally secure encryption systems use very long keys, making them unsuitable for most practical applications. Similarly, there is no such thing as an unconditionally secure public key cryptosystem. The best we can achieve is provable security, in the sense that the problem of breaking the public key cryptosystem is arguably at least as difficult as solving a complex mathematical problem. Consequently, one is satisfied with computational security, given some reasonable assumptions about the computational power of a potential adversary. But keep in mind that the security that a computationally secure cryptographic algorithm or protocol may provide is, for the most part, based on the perceived difficulty of a mathematical problem, such as the factorization problem or the discrete logarithm problem in the case of public key cryptography. Confidence in the security of such systems may be high because the problems are public and many minds have attempted to attack them. However, the vulnerability remains that a new insight or computing technology may defeat this type of cryptography. There are at least two recent developments that provide some evidence for this intrinsic vulnerability:
w In 1994, Peter W. Shor proposed randomized polynomial-time
algorithms for computing discrete logarithms and factoring integers on a quantum computer, a computational device based on quantum mechanical principles [10, 11]. Note that it is not known how to build a quantum computer of a useful size; it is not even known to be possible at all.
w Also in 1994, Len M. Adleman1demonstrated the feasibility of using
tools from molecular biology to solve an instance of the directed Hamiltonian path problem, which is known to be hard2 [12]. The problem instance was encoded in molecules of deoxyribonucleic acid (DNA), and the steps of the computation were performed with
1. Len M. Adleman is a coinventor of the Rivest, Shamir, and Adleman (RSA) cryptosystem. 2. According to theoretical computer science, the directed Hamiltonian path problem is NP-complete.
standard protocols and enzymes. Adleman notes that while the currently available fastest supercomputers can execute approxi- mately 1012operations per second, it is plausible for DNA computers to execute 1020 or even more operations per second. Moreover, a DNA computer would be far more energy efficient than existing supercomputers. Similar to the quantum computer, it is not clear at present whether it is feasible to actually build a DNA computer with such performance characteristics. Further information on DNA computing can be found in the relevant literature (e.g., [13]).
Should either quantum computers or DNA computers ever become practical, they would have a tremendous impact on modern cryptography. In fact, many cryptographic algorithms and protocols that are computation- ally secure would be rendered worthless. This is particularly true for algorithms and protocols that make use of public key cryptography.
Cryptographic algorithms and protocols are used to establish secured channels (both in terms of authenticity and integrity, as well as confidentiality). Note the subtle difference between asecure channel and a secured channel. Certain channels are assumed to be secure, including trusted couriers and personal contacts between communicating parties, whereas other channels may be secured by physical or cryptographic techniques. Physical security may be established through physical means, such as dedicated communication links with corresponding access controls put in place, or the use ofquantum cryptography. Contrary to conventional cryptography, the security of quantum cryptography does not rely upon any complexity-theoretic or probability-theoretic assumptions, but is based on the Heisenberg uncertainty principle of quantum physics [14]. As such, quantum cryptography is immune to advances in computing power and human cleverness. In the future, quantum cryptography may provide a physical alternative to unconditionally secure cryptographic algorithms and protocols. In the meantime, however, conventional and computationally secure cryptographic algorithms and protocols are much easier to use and deploy. Consequently, we are not going to delve into the details of quantum cryptography in this book. You may refer to any book mentioned above to get information about quantum cryptography.
4.2
Cryptographic hash functions
According to [4], ahash functionis a functionhthat has, as a minimum, the following two properties:
1. hmaps an inputxof arbitrary finite bit-length, to an outputhðxÞof fixed bit-length (compression);
2. Givenh andx,hðxÞis easy to compute (ease of computation). In addition, hash functions that are relevant for cryptographic applications (i.e., cryptographic hash functions) may fulfill one or several of the following requirements:
w A hash function ispreimage resistant(orone-way) if for essentially all
prespecified outputs, it is computationally infeasible to find any input that hashes to that output, that is, to find any preimagex0such that hðx0Þ ¼y when given any y for which a corresponding input is not known.
w A hash function issecond-preimage resistant(orweak collision resistant) if
it is computationally infeasible to find any second input that has the same output as any specified input, that is, givenx, to find a second preimagex06¼xsuch that hðxÞ ¼hðx0Þ.
w A hash function iscollision resistant (orstrong collision resistant) if it is
computationally infeasible to find any distinct inputsx,x0that have the same output, that is, such thathðxÞ ¼hðx0Þ.
In the literature, the termone-way hash function(OWHF) orweak one-way hash functionis often used to refer to a hash function that is both preimage resistant and second-preimage resistant, whereas the term collision resistant hash function(CRHF) orstrong one-way hash functionis often used to refer to a hash function that is collision resistant. Furthermore, the termcryptographic hash functionis used to refer to either of them (i.e., OWHF or CRHF).
Mainly because of their efficiency, cryptographic hash functions are of central importance for cryptographic algorithms and protocols. For example, cryptographic hash functions can be used to compute and verify digests for arbitrary messages. In this context, these functions may also be called message digest algorithms, and in this book we use both terms synonymously and interchangeably. Also, keyed cryptographic hash functions can be used to compute and verify message authentication codes (MACs). Almost all cryptographic security protocols make use of MACs in one way or another.
All definitions given above are not precise in a mathematically strong sense, because they do not resolve what the termseasyand computationally infeasibleactually mean. Nevertheless, we want to use these definitions in this book. It is important to note that the existence of OWHF (or even
CRHF) is still an unproven assumption and that, until today, no function has been shown to be preimage resistant (i.e., one-way) in a mathematically pure sense. Obviously, a sufficiently large domain prohibiting an exhaustive search is a necessary but not sufficient condition for a function to be preimage resistant.
Most cryptographic hash functions in use today work on similar principles. They have a basic compression function that is iteratively applied on subsequent blocks of data (until the result of the last compression step is taken as output value). Examples of cryptographic hash functions include MD2 [15], MD4 [16], MD5 [17], and the Secure Hash Algorithm 1 (SHA-1) [18]. MD2, MD4, and MD5 produce 128-bit hash values, whereas SHA-1 produces 160-bit hash values. RIPEMD is another example of an iterative cryptographic hash function. It was developed as part of a European research project and is basically a variation of MD4. RIPEMD-160 is a strengthened version of RIPEMD producing another 160-bit hash value [19]. As of this writing, MD5 and SHA-1 are by far the most widely used and deployed cryptographic hash functions. Due to some recent results in the cryptanalysis of MD5, SHA-1 is the preferred choice.