

Modern Cryptography: Theory and Practice

By Wenbo Mao Hewlett-Packard Company

Publisher: Prentice Hall PTR

Pub Date: July 25, 2003

ISBN: 0-13-066943-1

Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

Table of Contents


Copyright

Hewlett-Packard® Professional Books

A Short Description of the Book

Preface

Scope

Acknowledgements

List of Figures

List of Algorithms, Protocols and Attacks

Part I: Introduction

Chapter 1. Beginning with a Simple Communication Game

Section 1.1. A Communication Game

Section 1.2. Criteria for Desirable Cryptographic Systems and Protocols

Section 1.3. Chapter Summary

Exercises

Chapter 2. Wrestling Between Safeguard and Attack

Section 2.1. Introduction

Section 2.2. Encryption

Section 2.3. Vulnerable Environment (the Dolev-Yao Threat Model)

Section 2.4. Authentication Servers

Section 2.5. Security Properties for Authenticated Key Establishment

Section 2.6. Protocols for Authenticated Key Establishment Using Encryption

Section 2.7. Chapter Summary

Exercises

Part II: Mathematical Foundations: Standard Notation

Chapter 3. Probability and Information Theory

Section 3.1. Introduction

Section 3.2. Basic Concept of Probability

Section 3.3. Properties

Section 3.4. Basic Calculation

Section 3.5. Random Variables and their Probability Distributions

Section 3.6. Birthday Paradox


Section 3.8. Redundancy in Natural Languages

Section 3.9. Chapter Summary

Exercises

Chapter 4. Computational Complexity

Section 4.1. Introduction

Section 4.2. Turing Machines

Section 4.3. Deterministic Polynomial Time

Section 4.4. Probabilistic Polynomial Time

Section 4.5. Non-deterministic Polynomial Time

Section 4.6. Non-Polynomial Bounds

Section 4.7. Polynomial-time Indistinguishability

Section 4.8. Theory of Computational Complexity and Modern Cryptography

Section 4.9. Chapter Summary

Exercises

Chapter 5. Algebraic Foundations

Section 5.1. Introduction

Section 5.2. Groups

Section 5.3. Rings and Fields

Section 5.4. The Structure of Finite Fields

Section 5.5. Group Constructed Using Points on an Elliptic Curve

Section 5.6. Chapter Summary

Exercises

Chapter 6. Number Theory

Section 6.1. Introduction

Section 6.2. Congruences and Residue Classes

Section 6.3. Euler's Phi Function

Section 6.4. The Theorems of Fermat, Euler and Lagrange

Section 6.5. Quadratic Residues

Section 6.6. Square Roots Modulo Integer

Section 6.7. Blum Integers

Section 6.8. Chapter Summary

Exercises

Part III: Basic Cryptographic Techniques

Chapter 7. Encryption — Symmetric Techniques

Section 7.1. Introduction

Section 7.2. Definition

Section 7.3. Substitution Ciphers

Section 7.4. Transposition Ciphers

Section 7.5. Classical Ciphers: Usefulness and Security

Section 7.6. The Data Encryption Standard (DES)

Section 7.7. The Advanced Encryption Standard (AES)

Section 7.8. Confidentiality Modes of Operation

Section 7.9. Key Channel Establishment for Symmetric Cryptosystems

Section 7.10. Chapter Summary

Exercises

Chapter 8. Encryption — Asymmetric Techniques

Section 8.1. Introduction

Section 8.2. Insecurity of "Textbook Encryption Algorithms"

Section 8.3. The Diffie-Hellman Key Exchange Protocol


Section 8.5. The RSA Cryptosystem (Textbook Version)

Section 8.6. Cryptanalysis Against Public-key Cryptosystems

Section 8.7. The RSA Problem

Section 8.8. The Integer Factorization Problem

Section 8.9. Insecurity of the Textbook RSA Encryption

Section 8.10. The Rabin Cryptosystem (Textbook Version)

Section 8.11. Insecurity of the Textbook Rabin Encryption

Section 8.12. The ElGamal Cryptosystem (Textbook Version)

Section 8.13. Insecurity of the Textbook ElGamal Encryption

Section 8.14. Need for Stronger Security Notions for Public-key Cryptosystems

Section 8.15. Combination of Asymmetric and Symmetric Cryptography

Section 8.16. Key Channel Establishment for Public-key Cryptosystems

Section 8.17. Chapter Summary

Exercises

Chapter 9. In An Ideal World: Bit Security of The Basic Public-Key Cryptographic Functions

Section 9.1. Introduction

Section 9.2. The RSA Bit

Section 9.3. The Rabin Bit

Section 9.4. The ElGamal Bit

Section 9.5. The Discrete Logarithm Bit

Section 9.6. Chapter Summary

Exercises

Chapter 10. Data Integrity Techniques

Section 10.1. Introduction

Section 10.2. Definition

Section 10.3. Symmetric Techniques

Section 10.4. Asymmetric Techniques I: Digital Signatures

Section 10.5. Asymmetric Techniques II: Data Integrity Without Source Identification

Section 10.6. Chapter Summary

Exercises

Part IV: Authentication

Chapter 11. Authentication Protocols — Principles

Section 11.1. Introduction

Section 11.2. Authentication and Refined Notions

Section 11.3. Convention

Section 11.4. Basic Authentication Techniques

Section 11.5. Password-based Authentication

Section 11.6. Authenticated Key Exchange Based on Asymmetric Cryptography

Section 11.7. Typical Attacks on Authentication Protocols

Section 11.8. A Brief Literature Note

Section 11.9. Chapter Summary

Exercises

Chapter 12. Authentication Protocols — The Real World

Section 12.1. Introduction

Section 12.2. Authentication Protocols for Internet Security

Section 12.3. The Secure Shell (SSH) Remote Login Protocol

Section 12.4. The Kerberos Protocol and its Realization in Windows 2000

Section 12.5. SSL and TLS

Section 12.6. Chapter Summary


Chapter 13. Authentication Framework for Public-Key Cryptography

Section 13.1. Introduction

Section 13.2. Directory-Based Authentication Framework

Section 13.3. Non-Directory Based Public-key Authentication Framework

Section 13.4. Chapter Summary

Exercises

Part V: Formal Approaches to Security Establishment

Chapter 14. Formal and Strong Security Definitions for Public-Key Cryptosystems

Section 14.1. Introduction

Section 14.2. A Formal Treatment for Security

Section 14.3. Semantic Security — the Debut of Provable Security

Section 14.4. Inadequacy of Semantic Security

Section 14.5. Beyond Semantic Security

Section 14.6. Chapter Summary

Exercises

Chapter 15. Provably Secure and Efficient Public-Key Cryptosystems

Section 15.1. Introduction

Section 15.2. The Optimal Asymmetric Encryption Padding

Section 15.3. The Cramer-Shoup Public-key Cryptosystem

Section 15.4. An Overview of Provably Secure Hybrid Cryptosystems

Section 15.5. Literature Notes on Practical and Provably Secure Public-key Cryptosystems

Section 15.6. Chapter Summary

Section 15.7. Exercises

Chapter 16. Strong and Provable Security for Digital Signatures

Section 16.1. Introduction

Section 16.2. Strong Security Notion for Digital Signatures

Section 16.3. Strong and Provable Security for ElGamal-family Signatures

Section 16.4. Fit-for-application Ways for Signing in RSA and Rabin

Section 16.5. Signcryption

Section 16.6. Chapter Summary

Section 16.7. Exercises

Chapter 17. Formal Methods for Authentication Protocols Analysis

Section 17.1. Introduction

Section 17.2. Toward Formal Specification of Authentication Protocols

Section 17.3. A Computational View of Correct Protocols — the Bellare-Rogaway Model

Section 17.4. A Symbolic Manipulation View of Correct Protocols

Section 17.5. Formal Analysis Techniques: State System Exploration

Section 17.6. Reconciling Two Views of Formal Techniques for Security

Section 17.7. Chapter Summary

Exercises

Part VI: Cryptographic Protocols

Chapter 18. Zero-Knowledge Protocols

Section 18.1. Introduction

Section 18.2. Basic Definitions

Section 18.3. Zero-knowledge Properties

Section 18.4. Proof or Argument?

Section 18.5. Protocols with Two-sided-error

Section 18.6. Round Efficiency

Section 18.7. Non-interactive Zero-knowledge


Exercises

Chapter 19. Returning to "Coin Flipping Over Telephone"

Section 19.1. Blum's "Coin-Flipping-By-Telephone" Protocol

Section 19.2. Security Analysis

Section 19.3. Efficiency

Section 19.4. Chapter Summary

Chapter 20. Afterremark


Copyright

Library of Congress Cataloging-in-Publication Data

A CIP catalog record for this book can be obtained from the Library of Congress.

Editorial/production supervision: Mary Sudul

Cover design director: Jerry Votta

Cover design: Talar Boorujy

Manufacturing manager: Maura Zaldivar

Acquisitions editor: Jill Harry

Marketing manager: Dan DePasquale

Publisher, Hewlett-Packard Books: Walter Bruce

© 2004 by Hewlett-Packard Company

Published by Prentice Hall PTR

Prentice-Hall, Inc.

Upper Saddle River, New Jersey 07458

Prentice Hall books are widely used by corporations and government agencies for training, marketing, and resale.

The publisher offers discounts on this book when ordered in bulk quantities. For more information, contact Corporate Sales Department, Phone: 800-382-3419; FAX: 201-236-7141; E-mail: [email protected]

Or write: Prentice Hall PTR, Corporate Sales Dept., One Lake Street, Upper Saddle River, NJ 07458.

Other product or company names mentioned herein are the trademarks or registered trademarks of their respective owners.

All rights reserved. No part of this book may be reproduced, in any form or by any means, without permission in writing from the publisher.

Printed in the United States of America

1st Printing

Pearson Education LTD.

Pearson Education Australia PTY, Limited

Pearson Education Singapore, Pte. Ltd.

Pearson Education North Asia Ltd.

Pearson Education Canada, Ltd.

Pearson Educación de Mexico, S.A. de C.V.

Pearson Education — Japan


Dedication

To


Hewlett-Packard® Professional Books

HP-UX

Fernandez Configuring CDE

Madell Disk and File Management Tasks on HP-UX

Olker Optimizing NFS Performance

Poniatowski HP-UX 11i Virtual Partitions

Poniatowski HP-UX 11i System Administration Handbook and Toolkit, Second Edition

Poniatowski The HP-UX 11.x System Administration Handbook and Toolkit

Poniatowski HP-UX 11.x System Administration "How To" Book

Poniatowski HP-UX 10.x System Administration "How To" Book

Poniatowski HP-UX System Administration Handbook and Toolkit

Poniatowski Learning the HP-UX Operating System

Rehman HP Certified: HP-UX System Administration

Sauers/Weygant HP-UX Tuning and Performance

Weygant Clusters for High Availability, Second Edition

Wong HP-UX 11i Security

UNIX, LINUX, WINDOWS, AND MPE I/X

Mosberger/Eranian IA-64 Linux Kernel

Poniatowski UNIX User's Handbook, Second Edition

Stone/Symons UNIX Fault Management

COMPUTER ARCHITECTURE

Evans/Trimper Itanium Architecture for Programmers

Kane PA-RISC 2.0 Architecture

Markstein IA-64 and Elementary Functions

NETWORKING/COMMUNICATIONS

Blommers Architecting Enterprise Solutions with UNIX Networking

Blommers OpenView Network Node Manager

Blommers Practical Planning for Network Growth

Brans Mobilize Your Enterprise


Lucke Designing and Implementing Computer Workgroups

Lund Integrating UNIX and PC Network Operating Systems

SECURITY

Bruce Security in Distributed Computing

Mao Modern Cryptography: Theory and Practice

Pearson et al. Trusted Computing Platforms

Pipkin Halting the Hacker, Second Edition

Pipkin Information Security

WEB/INTERNET CONCEPTS AND PROGRAMMING

Amor E-business (R)evolution, Second Edition

Apte/Mehta UDDI

Mowbrey/Werry Online Communities

Tapadiya .NET Programming

OTHER PROGRAMMING

Blinn Portable Shell Programming

Caruso Power Programming in HP Open View

Chaudhri Object Databases in Practice

Chew The Java/C++ Cross Reference Handbook

Grady Practical Software Metrics for Project Management and Process Improvement

Grady Software Metrics

Grady Successful Software Process Improvement

Lewis The Art and Science of Smalltalk

Lichtenbelt Introduction to Volume Rendering

Mellquist SNMP++

Mikkelsen Practical Software Configuration Management

Norton Thread Time

Tapadiya COM+ Programming

Yuan Windows 2000 GDI Programming

STORAGE

Thornburgh Fibre Channel for Mass Storage

Thornburgh/Schoenborn Storage Area Networks

Todman Designing Data Warehouses


Missbach/Hoffman SAP Hardware Solutions

IMAGE PROCESSING

Crane A Simplified Approach to Image Processing


A Short Description of the Book

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

Preface

Our society has entered an era where commerce activities, business transactions and government services have been, and more and more of them will be, conducted and offered over open computer and communications networks such as the Internet, in particular via World Wide Web-based tools. Doing things online has the great advantage of always-on availability to people in any corner of the world. Here are a few examples of things that have been, can or will be done online:

Banking, bill payment, home shopping, stock trading, auctions, taxation, gambling, micro-payment (e.g., pay-per-downloading), electronic identity, online access to medical records, virtual private networking, secure data archival and retrieval, certified delivery of documents, fair exchange of sensitive documents, fair signing of contracts, time-stamping, notarization, voting, advertising, licensing, ticket booking, interactive games, digital libraries, digital rights management, pirate tracing, …

And more can be imagined.

Fascinating commerce activities, transactions and services like these are only possible if communications over open networks can be conducted in a secure manner. An effective solution to securing communications over open networks is to apply cryptography. Encryption, digital signatures and password-based user authentication are some of the most basic cryptographic techniques for securing communications. However, as we shall witness many times in this book, there are surprising subtleties and serious security consequences in the applications of even the most basic cryptographic techniques. Moreover, for many "fancier" applications, such as many listed in the preceding paragraph, the basic cryptographic techniques are no longer adequate.

With an increasingly large demand for safeguarding communications over open networks for more and more sophisticated forms of electronic commerce, business and services[a], an increasingly large number of information security professionals will be needed for designing, developing, analyzing and maintaining information security systems and cryptographic protocols. These professionals may range from IT systems administrators, information security engineers and software/hardware systems developers whose products have security requirements, to cryptographers.

[a] Gartner Group forecasts that total electronic business revenues for business to business (B2B) and business to consumer (B2C) in the European Union will reach a projected US $2.6 trillion in 2004 (with probability 0.7), which is a 28-fold increase from the level of 2000 [5]. Also, eMarketer [104] (page 41) reports that the cost to financial institutions (in USA) due to electronic identity theft was US $1.4 billion in 2002, and forecasts it to grow at a compound annual growth rate of 29%.

In the past few years, the author, a technical consultant on information security and cryptographic systems at Hewlett-Packard Laboratories in Bristol, has witnessed a progressively increasing demand for information security professionals, unmatched by supply, and an evident shortage of them. As a result, many engineers, who are oriented to application problems and may have little proper training in cryptography and information security, have become "roll-up-sleeves" designers and developers of information security systems or cryptographic protocols. This is in spite of the fact that designing cryptographic systems and protocols is a difficult job even for an expert cryptographer.

The author's job has granted him privileged opportunities to review many information security systems and cryptographic protocols, some of them proposed and designed by "roll-up-sleeves" engineers and intended for use in serious applications. On several occasions, the author observed so-called "textbook crypto" features in such systems, which are the result of applications of cryptographic textbooks. Direct encryption of a password (a secret number of a small magnitude) under a basic public-key encryption algorithm (e.g., "RSA") is a typical example of textbook crypto. The appearances of textbook crypto in serious applications with a "non-negligible probability" have led the author to realize that the general danger of textbook crypto is not widely known to many people who design and develop information security systems for serious real-world applications.

Motivated by an increasing demand for information security professionals and a belief that their knowledge in cryptography should not be limited to textbook crypto, the author has written this book as a textbook on non-textbook cryptography. This book endeavors to:

Introduce a wide range of cryptographic algorithms, schemes and protocols with a particular emphasis on their non-textbook versions.

Reveal general insecurity of textbook crypto by demonstrating a large number of attacks on and summarizing typical attacking techniques for such systems.

Provide principles and guidelines for the design, analysis and implementation of cryptographic systems and protocols with a focus on standards.

Study formalism techniques and methodologies for a rigorous establishment of strong and fit-for-application security notions for cryptographic systems and protocols.


Scope

Modern cryptography is a vast area of study as a result of fast advances made in the past thirty years. This book focuses on one aspect: introducing fit-for-application cryptographic schemes and protocols with their strong security properties evidently established.

The book is organized into the following six parts:

Part I This part contains two chapters (1—2) and serves as an elementary-level introduction to the book and to the areas of cryptography and information security. Chapter 1 begins with a demonstration of the effectiveness of cryptography in solving a subtle communication problem. A simple cryptographic protocol (the first protocol of the book) for achieving "fair coin tossing over telephone" will be presented and discussed. This chapter then carries on to conduct a cultural and "trade" introduction to the areas of study. Chapter 2 uses a series of simple authentication protocols to manifest an unfortunate fact in the areas: pitfalls are everywhere.

As an elementary-level introduction, this part is intended for newcomers to the areas.

Part II This part contains four chapters (3—6) providing the mathematical background knowledge, facts and basis that serve as a self-contained mathematical reference guide for the book. Readers who only intend to "know-how," i.e., know how to use the fit-for-application crypto schemes and protocols, may skip this part yet still be able to follow most contents of the rest of the book. Readers who also want to "know-why," i.e., know why these schemes and protocols have strong security properties, may find that this self-contained mathematical part is a sufficient reference material. When we present working principles of cryptographic schemes and protocols, reveal insecurity for some of them and reason about security for the rest, it will always be possible for us to refer to a precise point in this part of the book for supporting mathematical foundations.

This part can also be used to conduct a systematic background study of the theoretical foundations for modern cryptography.

Part III This part contains four chapters (7—10) introducing the most basic cryptographic algorithms and techniques for providing privacy and data integrity protections. Chapter 7 is for symmetric encryption schemes, Chapter 8, asymmetric techniques. Chapter 9 considers an important security quality possessed by the basic and popular asymmetric cryptographic functions when they are used in an ideal world in which data are random. Finally, Chapter 10 covers data integrity techniques.

Since the schemes and techniques introduced here are the most basic ones, many of them are in fact in the textbook crypto category and are consequently insecure. While the schemes are introduced, abundant attacks on many schemes will be demonstrated with warning remarks explicitly stated. For practitioners who do not plan to proceed with an in-depth study of fit-for-application crypto and their strong security notions, this textbook crypto part will still provide these readers with explicit early warning signals on the general insecurity of textbook crypto.


systems which cover up-to-date and novel techniques.

Practitioners, such as information security systems administration staff in an enterprise and software/hardware developers whose products have security consequences, may find this part helpful.

Part V This part contains four chapters (14—17) which provide formalism and rigorous treatments for strong (i.e., fit-for-application) security notions for public-key cryptographic techniques (encryption, signature and signcryption) and formal methodologies for the analysis of authentication protocols. Chapter 14 introduces formal definitions of strong security notions. The next two chapters are fit-for-application counterparts to textbook crypto schemes introduced in Part III, with strong security properties formally established (i.e., evidently reasoned). Finally, Chapter 17 introduces formal analysis methodologies and techniques for the analysis of authentication protocols, which we have not been able to deal with in Part IV.

Part VI This is the final part of the book. It contains two technical chapters (18—19) and a short final remark (Chapter 20). The main technical content of this part, Chapter 18, introduces a class of cryptographic protocols called zero-knowledge protocols. These protocols provide an important security service which is needed in various "fancy" electronic commerce and business applications: verification of a claimed property of secret data (e.g., in conforming with a business requirement) while preserving a strict privacy quality for the claimant. Zero-knowledge protocols to be introduced in this part exemplify the diversity of special security needs in various real world applications, which are beyond confidentiality, integrity, authentication and non-repudiation. In the final technical chapter of the book (Chapter 19) we will complete our job which has been left over from the first protocol of the book: to realize "fair coin tossing over telephone." That final realization will achieve a protocol which has evidently-established strong security properties yet with an efficiency suitable for practical applications.

Needless to say, a description for each fit-for-application crypto scheme or protocol has to begin with a reason why the textbook crypto counterpart is unfit for application. Invariably, these reasons are demonstrated by attacks on these schemes or protocols, which, by the nature of attacks, often contain a certain degree of subtlety. In addition, a description of a fit-for-application scheme or protocol must also end with an analysis that the strong (i.e., fit-for-application) security properties do hold as claimed. Consequently, some parts of this book inevitably contain mathematical and logical reasoning, deductions and transformations in order to manifest attacks and fixes.

While admittedly fit-for-application cryptography is not a topic for quick mastery or that can be mastered via light reading, this book, nonetheless, is not one for in-depth research topics which will only be of interest to specialist cryptographers. The things reported and explained in it are well-known and quite elementary to cryptographers. The author believes that they can also be comprehended by non-specialists if the introduction to the subject is provided with plenty of explanations and examples and is supported by self-contained mathematical background and reference material.

The book is aimed at the following readers.

Students who have completed, or are near to completion of, first degree courses in computer science, information science or applied mathematics, and plan to pursue a career in information security. For them, this book may serve as an advanced course in applied cryptography.

Security engineers in high-tech companies who are responsible for the design and


crypto appearing in an academic research proposal may not be too harmful since the worst case of the consequence would be an embarrassment, then the use of textbook crypto in an information security product may lead to a serious loss. Therefore, knowing the unfitness of textbook crypto for real world applications is necessary for these readers. Moreover, these readers should have a good understanding of the security principles behind the fit-for-application schemes and protocols and so they can apply the schemes and the principles correctly. The self-contained mathematical foundations material in Part II makes the book a suitable self-teaching text for these readers.

Information security systems administration staff in an enterprise and software/hardware systems developers whose products have security consequences. For these readers, Part I is a simple and essential course for cultural and "trade" training; Parts III and IV form a suitable cut-down set of knowledge in cryptography and information security. These three parts contain many basic crypto schemes and protocols accompanied with plenty of attacking tricks and prevention measures which should be known to and can be grasped by this population of readers without demanding them to be burdened by theoretical foundations.

New Ph.D. candidates beginning their research in cryptography or computer security. These readers will appreciate a single-point reference book which covers formal treatment of strong security notions and elaborates these notions adequately. Such a book can help them to quickly enter into the vast area of study. For them, Parts II, IV, V, and VI constitute a suitable level of literature survey material which can lead them to find further literature, and can help them to shape and specialize their own research topics.


Acknowledgements

I am deeply grateful to Feng Bao, Colin Boyd, Richard DeMillo, Steven Galbraith, Dieter Gollmann, Keith Harrison, Marcus Leech, Helger Lipmaa, Hoi-Kwong Lo, Javier Lopez, John Malone-Lee, Cary Meltzer, Christian Paquin, Kenny Paterson, David Pointcheval, Vincent Rijmen, Nigel Smart, David Soldera, Paul van Oorschot, Serge Vaudenay and Stefek Zaba. These people gave generously of their time to review chapters or the whole book and provide invaluable comments, criticisms and suggestions which make the book better.

The book also benefits from the following people answering my questions: Mihir Bellare, Jan Camenisch, Neil Dunbar, Yair Frankel, Shai Halevi, Antoine Joux, Marc Joye, Charlie Kaufman, Adrian Kent, Hugo Krawczyk, Catherine Meadows, Bill Munro, Phong Nguyen, Radia Perlman, Marco Ricca, Ronald Rivest, Steve Schneider, Victor Shoup, Igor Shparlinski and Moti Yung.

I would also like to thank Jill Harry at Prentice-Hall PTR and Susan Wright at HP Professional Books for introducing me to book writing and for the encouragement and professional support they provided during the lengthy period of manuscript writing. Thanks also to Jennifer Blackwell, Robin Carroll, Brenda Mulligan, Justin Somma and Mary Sudul at Prentice-Hall PTR and to Walter Bruce and Pat Pekary at HP Professional Books.

I am also grateful to my colleagues at Hewlett-Packard Laboratories Bristol, including David Ball, Richard Cardwell, Liqun Chen, Ian Cole, Gareth Jones, Stephen Pearson and Martin Sadler for technical and literature services and management support.

Bristol, England


List of Figures

2.1 A Simplified Pictorial Description of a Cryptographic System 25

3.1 Binomial Distribution 70

4.1 A Turing Machine 87

4.2 The operation of machine Div3 90

4.3 Bitwise Time Complexities of the Basic Modular Arithmetic Operations 103

4.4 All Possible Moves of a Non-deterministic Turing Machine 124

5.1 Elliptic Curve Group Operation 168

7.1 Cryptographic Systems 208

7.2 Feistel Cipher (One Round) 220

7.3 The Cipher Block Chaining Mode of Operation 233

7.4 The Cipher Feedback Mode of Operation 238

7.5 The Output Feedback Mode of Operation 239

10.1 Data Integrity Systems 299

12.1 An Unprotected IP Packet 390

12.2 The Structure of an Authentication Header and its Position in an IP Packet 392

12.3 The Structure of an Encapsulating Security Payload 393

12.4 Kerberos Exchanges 412

14.1 Summary of the Indistinguishable Attack Games 489

14.2 Reduction from an NM-attack to an IND-attack 495

14.3 Reduction from IND-CCA2 to NM-CCA2 497

14.4 Relations Among Security Notions for Public-key Cryptosystems 498

15.1 Optimal Asymmetric Encryption Padding (OAEP) 503

15.2 OAEP as a Two-round Feistel Cipher 504

15.3 Reduction from Inversion of a One-way Trapdoor Function f to an Attack on the f-OAEP Scheme 511

15.4 Reduction from the DDH Problem to an Attack on the Cramer-Shoup Cryptosystem 532

16.1 Reduction from a Signature Forgery to Solving a Hard Problem 551


16.3 The PSS Padding 560

16.4 The PSS-R Padding 563

17.1 The CSP Language 609


List of Algorithms, Protocols and Attacks

Protocol 1.1: Coin Flipping Over Telephone 5

Protocol 2.1: From Alice To Bob 32

Protocol 2.2: Session Key From Trent 34

Attack 2.1: An Attack on Protocol "Session Key From Trent" 35

Protocol 2.3: Message Authentication 39

Protocol 2.4: Challenge Response (the Needham-Schroeder Protocol) 43

Attack 2.2: An Attack on the Needham-Schroeder Protocol 44

Protocol 2.5: Needham-Schroeder Public-key Authentication Protocol 47

Attack 2.3: An Attack on the Needham-Schroeder Public-key Protocol 50

Algorithm 4.1: Euclid Algorithm for Greatest Common Divisor 93

Algorithm 4.2: Extended Euclid Algorithm 96

Algorithm 4.3: Modular Exponentiation 101

Algorithm 4.4: Searching Through Phone Book (a ZPP Algorithm) 108

Algorithm 4.5: Probabilistic Primality Test (a Monte Carlo Algorithm) 110

Algorithm 4.6: Proof of Primality (a Las Vegas Algorithm) 113

Protocol 4.1: Quantum Key Distribution (an Atlantic City Algorithm) 117

Algorithm 4.7: Random k-bit Probabilistic Prime Generation 121

Algorithm 4.8: Square-Freeness Integer 123

Algorithm 5.1: Random Primitive Root Modulo Prime 166

Algorithm 5.2: Point Multiplication for Elliptic Curve Element 171

Algorithm 6.1: Chinese Remainder 182

Algorithm 6.2: Legendre/Jacobi Symbol 191

Algorithm 6.3: Square Root Modulo Prime (Special Cases) 194


Algorithm 6.5: Square Root Modulo Composite 197

Protocol 7.1: A Zero-knowledge Protocol Using Shift Cipher 216

Protocol 8.1: The Diffie-Hellman Key Exchange Protocol 249

Attack 8.1: Man-in-the-Middle Attack on the Diffie-Hellman Key Exchange Protocol 251

Algorithm 8.1: The RSA Cryptosystem 258

Algorithm 8.2: The Rabin Cryptosystem 269

Algorithm 8.3: The ElGamal Cryptosystem 274

Algorithm 9.1: Binary Searching RSA Plaintext Using a Parity Oracle 289

Algorithm 9.2: Extracting Discrete Logarithm Using a Parity Oracle 293

Algorithm 9.3: Extracting Discrete Logarithm Using a "Half-order Oracle" 294

Algorithm 10.1: The RSA Signature Scheme 309

Algorithm 10.2: The Rabin Signature Scheme 312

Algorithm 10.3: The ElGamal Signature Scheme 314

Algorithm 10.4: The Schnorr Signature Scheme 319

Algorithm 10.5: The Digital Signature Standard 320

Algorithm 10.6: Optimal Asymmetric Encryption Padding for RSA (RSA-OAEP) 324

Protocol 11.1: ISO Public Key Three-Pass Mutual Authentication Protocol 346

Attack 11.1: Wiener's Attack on ISO Public Key Three-Pass Mutual Authentication Protocol 347

Protocol 11.2: The Woo-Lam Protocol 350

Protocol 11.3: Needham's Password Authentication Protocol 352

Protocol 11.4: The S/KEY Protocol 355

Protocol 11.5: Encrypted Key Exchange (EKE) 357

Protocol 11.6: The Station-to-Station (STS) Protocol 361

Protocol 11.7: Flawed "Authentication-only" STS Protocol 363

Attack 11.2: An Attack on the "Authentication-only" STS Protocol 364

Attack 11.3: Lowe's Attack on the STS Protocol (a Minor Flaw) 366


Attack 11.5: A Parallel-Session Attack on the Woo-Lam Protocol 372

Attack 11.6: A Reflection Attack on a "Fixed" Version of the Woo-Lam Protocol 374

Protocol 11.8: A Minor Variation of the Otway-Rees Protocol 379

Attack 11.7: An Attack on the Minor Variation of the Otway-Rees Protocol 381

Protocol 12.1: Signature-based IKE Phase 1 Main Mode 397

Attack 12.1: Authentication Failure in Signature-based IKE Phase 1 Main Mode 399

Protocol 12.2: A Typical Run of the TLS Handshake Protocol 421

Algorithm 13.1: Shamir's Identity-based Signature Scheme 437

Algorithm 13.2: The Identity-Based Cryptosystem of Boneh and Franklin 451

Protocol 14.1: Indistinguishable Chosen-plaintext Attack 465

Protocol 14.2: A Fair Deal Protocol for the SRA Mental Poker Game 469

Algorithm 14.1: The Probabilistic Cryptosystem of Goldwasser and Micali 473

Algorithm 14.2: A Semantically Secure Version of the ElGamal Cryptosystem 476

Protocol 14.3: "Lunchtime Attack" (Non-adaptive Indistinguishable Chosen-ciphertext Attack) 483

Protocol 14.4: "Small-hours Attack" (Indistinguishable Adaptive Chosen-ciphertext Attack) 488

Protocol 14.5: Malleability Attack in Chosen-plaintext Mode 491

Algorithm 15.1: The Cramer-Shoup Public-key Cryptosystem 526

Algorithm 15.2: Product of Exponentiations 529

Algorithm 16.1: The Probabilistic Signature Scheme (PSS) 561

Algorithm 16.2: The Universal RSA-Padding Scheme for Signature and Encryption 564

Algorithm 16.3: Zheng's Signcryption Scheme SCSI 568

Algorithm 16.4: Two Birds One Stone: RSA-TBOS Signcryption Scheme 573

Protocol 17.1: The Needham-Schroeder Symmetric-key Authentication Protocol in Refined Specification


Protocol 17.2: The Woo-Lam Protocol in Refined Specification 586

Protocol 17.3: The Needham-Schroeder Public-key Authentication Protocol 588

Protocol 17.4: The Needham-Schroeder Public-key Authentication Protocol in Refined Specification 588

Protocol 17.5: Another Refined Specification of the Needham-Schroeder Public-key Authentication Protocol 589

Protocol 17.6: MAP1 595

Protocol 18.1: An Interactive Proof Protocol for Subgroup Membership 623

Protocol 18.2: Schnorr's Identification Protocol 630

Protocol 18.3: A Perfect Zero-knowledge Proof Protocol for Quadratic Residuosity 642

Protocol 18.4: ZK Proof that N Has Two Distinct Prime Factors 645

Protocol 18.5: "Not To Be Used" 651

Protocol 18.6: Chaum's ZK Proof of Dis-Log-EQ Protocol 654


Part I: Introduction

The first part of this book consists of two introductory chapters. They introduce us to some of the most basic concepts in cryptography and information security, to the environment in which we communicate and handle sensitive information, to several well-known figures who act in that environment and the standard modus operandi of those among them who play the role of bad guys, to the culture of the communities for research and development of cryptographic and information security systems, and to the fact that these systems are extremely error-prone.

Figure

Figure 2.1. A Simplified Pictorial Description of a Cryptographic System
