Information Security Technical Report, Vol. 2, No.
2 (1997) 1O-l 3
Introduction to Cryptology
By Professor Fred Piper, Information Security
Group, Royal Holloway, University of London
This article provides a general introduction to the
subject of Cryptology, explains the terminology
and the practical application of cryptographic
security techniques.
In this brief introduction our aim is to define
the basic terms, explain some of the
fundamental concepts and highlight a few of
the problems that arise when using
encryption. In particular we stress that having
a strong algorithm is no guarantee for security.
Management and the establishment of trust
are the two fundamental issues which concern
those with responsibility for secure networks
and, in particular, those who are trying to
establish secure electronic commerce over the
Internet.
Some basic concepts and definitions
The idea of a cipher system is to disguise
confidential information in such a way that its
meaning is unintelligible to an unauthorized
person. The information to be concealed is
called the plaintext (or just the message) and
the operation of disguising it is known as
enciphering or encryption. The enciphered
message is called the ciphertext
cryptogram. The person who *enciphers the
message is known as the encipherer, while the
person to whom they send the cryptogram is
called the recipient or receiver. The set of rules
which the encipherer uses to encipher his
plaintext is the enciphering algorithm.
Normally the operation of this algorithm will
depend on an enciphering key k(E) which the
encipherer inputs to the algorithm together
with his message.
In order that the recipient can obtain the
message from the cryptogram there has to be a
deciphering algorithm which, when seeded by
10
the appropriate deciphering key k(D)
reproduces the plaintext from the ciphertext.
This is shown diagrammatically by the
following figure.
I
I
I key k(E) key k(D)
I
Figure 1
Even if they know the deciphering algorithm
eavesdroppers will not, in general, know the
deciphering key and it is this lack of
knowledge which, it is hoped, will prevent
them from knowing the plaintext.
Cryptography is the science of designing
cipher systems and cryptanalysis is the name
given to the process of deducing the plaintext
from the ciphertext without knowing the key.
Cryptology is the collective term for both
cryptography and cryptanalysis.
In practice most cryptanalytic attacks involve
trying to determine the deciphering key
because, if successful, the attacker will then
have the same knowledge as the intended
recipient and will be able to decipher all other
communications until the key is changed.
or However, there may be instances where an
attacker’s sole objective is to read a particular
message.
One important fact should already be clear
from our introduction: knowledge of the
enciphering key is not necessary for obtaining
the message from the ciphertext. This simple
observation has had a dramatic impact on
modern cryptology and has led to a natural
division into two types of cipher systems.
A cipher system is called conventional or
symmetric if it is easy to deduce the
deciphering key k(D) from the enciphering
0167-4048/97/$17.00 0 1997, Elsevier Science Ltd

key k(E). However, if it is computationally
infeasible to deduce k(D) from k(E) then the
system is called asymmetric or a public key
system. The reason for distinguishing between
these two types of system should be clear. In
order to prevent an interceptor with
knowledge of the algorithm from obtaining
the plaintext from intercepted ciphertext it is
essential that k(D) should be secret. Whereas
for a symmetric system this necessitates that
k(E) should also be secret, if the system is
asymmetric then knowledge of k(E) is of no
practical use to the attacker. Indeed it can, and
usually is, made public.
Although the statements made in the last
paragraph may appear to be simple and self-
evident, their consequences are far reaching.
In Figure 2 our diagram assumes that the
sender and recipient have a ‘matching pair’ of
keys, It may, in practice, be quite difficult for
them to reach this situation. If, for instance,
the system is symmetric then there may be a
need to distribute a secret key value before
secret messages can be exchanged. The problem
of providing adequate protection for these
keys should not be underestimated. In fact, the
general problem of key management, which
includes key generation, distribution, storage,
change and destruction, is one of the most
difficult aspects of obtaining a secure system.
The problems associated with key
management tend to be different for
symmetric and asymmetric systems. If the
system is symmetric then, as we have seen,
there is a need to be able to distribute keys
while keeping their values secret. If the system
is asymmetric then it may be possible to avoid
this particular problem by distributing only
the enciphering keys, which do not need to be
secret. However, it is then replaced by the
problem of guaranteeing the authenticity of
each participant’s enciphering key i.e. of
guaranteeing that the person using an
enciphering key knows the identify of the
‘owner’ of the corresponding deciphering key.
Information Security Technical Report, Vol. 2, No. 2
Introduction to Cryptology
When we were introducing the difference
between symmetric and asymmetric systems
we assumed that the attacker knew the
algorithm. This, of course, will not always be
true. Nevertheless, it is probably best for the
designer of a cipher system to assume that any
would-be attacker has as much knowledge
and general ‘intelligence’ information as
possible.
One of the main problems facing anyone
wishing to design or implement a cipher
system is how to assess whether or not the
system is ‘secure enough’ for the particular
implementation. In order to assess the security
of a system it is customary to make the
following three assumptions.
WC1 The cryptanalyst has a complete
knowledge of the cipher system.
WC2 The cryptanalyst has obtained a
considerable amount of ciphertext.
WC3 The cryptanalyst knows the plaintext
equivalent of a certain amount of the
ciphertext.
In any given situation it is, of course,
necessary to quantify realistically what is
meant by ‘considerable’ and ‘certain’. This
will depend on the particular system under
consideration.
Condition WC1 implies that there should be
no reliance on keeping details of the cipher
system secret. However, this does not imply
that the system should be made public.
Naturally the cryptanalyst’s task is
considerably harder if he does not know the
system used and it is now possible to conceal
this information to a certain extent, although
there is considerable debate about how much
reliance can be placed on the tamper
resistance of cryptographic devices such as
smartcards. From any manufacturer’s or
designer’s point of view, WC1 is an essential
assumption, since it removes a great deal of
11
Introduction to Cryptology
the ultimate responsibility involved in
keeping a system secret.
WC2 is a reasonable assumption. If there is no
possibility of interception then there is no
need to use a cipher system. However, if
interception is a possibility then, presumably,
the communicators will not be able to dictate
when the interception takes place and the
safest option is to assume that all
transmissions will be intercepted.
WC3 is also a realistic condition. The attacker
might gain this type of information by
observing traffic or making intelligent
guesses. He might also even be able to choose
the plaintext for which the ciphertext is
known.
An attack which utilizes the existence of
known plaintext/ciphertext pairs is called a
known plaintext attack. If the plaintext is
selected by the attacker then it is a chosen
plaintext attack.
One consequence of accepting these worst
case conditions is that we have to assume that
the only information which distinguishes the
genuine recipient from the interceptor is
knowledge of k(D). Thus the security of the
system is totally dependent on the secrecy of
the deciphering key. This reinforces our earlier
assertion about the importance of good key
management.
We must stress that assessing the security level
of a cipher system is not an exact science. All
assessments are based upon assumptions, not
only on the knowledge available to an
attacker, but also on the facilities available to
them. The best general principle is to assume
the worst and/or err on the side of caution. It
is also worth stressing that, in general, the
relevant question is not “is this an
exceptionally secure system?” but, rather, “is
this system secure enough for this particular
application?” This latter observation is very
12
important and it must be recognized that there
is a ‘market’ for low level security. For almost
all non-military implementations the
provision of security is a costly overhead.
Furthermore, the addition of the security
facilities frequently degrades the overall
performance of the system. Thus there is a
natural requirement to keep the security to a
minimum. One common way of trying to
determine the level of security required is to
try to estimate the length of time for which the
information needs protection. If we call this
the desired cover time of the system then we
have a crude indication of the security level
required. For instance the cipher system
suitable for a tactical network with a cover
time of a few minutes may be considerably
‘weaker’ than that required for a
strategic system where, as in the case of
government secrets, the cover time may be
tens of years.
If we assume that our deciphering algorithm
is known then there is one obvious method of
attack available to the interceptor. They could,
at least in theory, try each possible
deciphering key and ‘hope’ that they identify
the correct one. Such an attack is called an
exhaustive key search. Of course such an
attack cannot possibly succeed unless the
attacker has some way of recognizing the
correct key or, as is more common, at least
being able to eliminate some obviously
incorrect ones. In a known plaintext attack, for
instance, it is clear that any choice of k(D)
which does not give the correct plaintext for
all the corresponding ciphertext cannot
possibly be the correct key.
Uses of cryptography
In the introductory section we assumed that
cryptography was being used to provide
secrecy. Although this is its ‘traditional’ use it
is no longer its only application. In fact, it is
probably true to say the provision of secrecy is
no longer its main purpose.
Information Security Technical Report, Vol. 2, No. 2

When messages are sent over open networks
there may not be any need for confidentiality,
but the user is likely to need assurance that the
message received has not been altered during
transmission. Furthermore, they will also need
to be confident that they know the identity of
the sender. Cryptography may be used to
provide these assurances.
This is an appropriate place to point out a
fundamental difference between the use of
symmetric and asymmetric algorithms. If a
symmetric algorithm is used then the receiver
and sender share the same secret key and it is
the use of this secret key that identifies them to
each other and provides the assurances about
the integrity of the data and the identity of the
sender. Provided that they remain the only
two people who know the secret key then they
have protection against all third parties.
However, they have no protection from each
other. Either one of them could use the secret
key and claim that the other must be
responsible. Thus symmetric systems are only
appropriate when the two parties trust each
other. If two parties need protection from each
other, in the sense that, say, the sender should
not be able to deny sending a particular
message, then there must be some form of
asymmetry between them. In this case data
integrity and user authentication are provided
by the use of a digital signature which is a
cryptographic checksum added by the sender
but with the property that only the sender,
could have computed it. In most
circumstances any third party, e.g. a judge,
will be able to verify that the checksum was
computed by the actual sender.
Public key systems tend to use arithmetic
processes involving very large numbers and,
as a result, are usually significantly slower
than symmetric algorithms. Thus they tend
not to be used for encrypting large passages of
text. The two main uses of public key systems
are the provision of digital signature and as
key encrypting keys to distribute keys for
Information Security Technical Report, Vol. 2, No. 2
Introduction to Cryptology
symmetric systems. In each case an attacker
has two different methods of attacking the
system. One is to obtain the relevant secret
key. This might be achieved by computing the
secret key from the public key or by obtaining
a device which stores and/or uses that key.
(The computation attack is prevented by using
suitable large keys and relying on the
infeasibility of the attacker successfully
completing the necessary calculations. Attacks
which involve the misuse of devices must be
thwarted by good management and/or the
use of suitably tamper resistant devices.) The
other attack is to substitute a public key for the
genuine one. If the public key system is being
used to encrypt a symmetric key then, since
the attacker’s key has been used for the
encryption, it will be the attacker and not the
intended recipient who obtains the symmetric
key. If the public key system is being used to
provide digital signatures then, clearly, the
attacker can forge the signature of the genuine
signer.
This last paragraph highlights the need for
being able to guarantee the authenticity of
public keys. This is not an easy problem and
most solutions involve the use of a trusted
third party, called a Certification Authority
(CA), which digitally signs a certificate which
binds the identity of the key owner to the
value of the public key. Anyone who has an
authentic copy of the CA’s public key, and has
confidence that the CA will have checked the
key owner’s credentials, will then be able to
confirm the authenticity of the public key by
checking the CA’s signature. These certificates
can also be used to verify a user’s identity by
issuing a challenge which they must encrypt
using their secret key. The issuer of the
challenge can use the public key value in the
certificate to decrypt the response and, if the
answer is correct, knows that the response
must have come from the user identified in the
certificate. Of course the problem now is
ensuring that we can have confidence in the
CA and be sure that we have an authentic
copy of that CA’s public key.
13