Outline Mathematical Preliminaries PKC Digital Signatures Asymmetric Cryptography Mahalingam Ramkumar Mississippi State University, MS January 25, 2009 Ramkumar Asymmetric

Asymmetric Cryptography - Mississippi State University · web.cse.msstate.edu/~ramkumar/acrypt.pdf

Jun 12, 2020


Asymmetric Cryptography

Mahalingam Ramkumar, Mississippi State University, MS

January 25, 2009


Outline

1 Mathematical Preliminaries
    Computing Modular Exponents
    Euler-Phi Function
    Fermat’s Little Theorem
    Euler-Fermat’s Theorem

2 Public Key Cryptography
    Diffie-Hellman
    RSA Encryption
    Primality Testing
    El Gamal Cipher

3 Digital Signatures
    RSA Signatures
    El Gamal Signatures
    RSA vs El Gamal
    DSA
    Security of PKC


Material Covered Earlier

1 Basic theorem of arithmetic (every number can be expressed as a product of prime powers), LCM, GCD.

2 Computing GCD using the Euclidean Algorithm (Chapter 4.3)

3 Modular arithmetic operations (Chapter 4.2)

4 Computing modular multiplicative inverse using extended Euclidean Algorithm (Chapter 4.4)


Notations

1 $a \mid b$ (a divides b; b = ka where k is an integer; b ≡ 0 mod a)

2 If $a \mid bc$, but $a \nmid b$ and $a \nmid c$, then a is not a prime.

3 If a prime $p \mid bc$ then $p \mid b$ or $p \mid c$ or both.

4 (x, y) - GCD of x and y. If (x, y) = 1, x and y are relatively prime or co-primes. A prime number is coprime to all numbers.

5 $Z_m = \{0, 1, \ldots, m-1\}$

6 $Z_p = \{0, 1, \ldots, p-1\}$ (p is a prime)

7 $Z_p^* = \{1, 2, \ldots, p-1\}$ (all elements of $Z_p$ except 0)

8 $Z_m$ is a ring. $Z_p$ is a field (as all elements have multiplicative inverses)


Ring vs Field

1 Consider the two equations

2x + 2y ≡ 22 mod 56

2x + 2y ≡ 22 mod 31

2 We cannot reduce the first one to x + y ≡ 11

3 We can reduce the second equation to x + y ≡ 11.

4 Why? (need to multiply by the multiplicative inverse of 2)

5 As all numbers have multiplicative inverses we can easily solve systems of linear equations in a field. Not so simple in rings.


Euclidean Algorithm

1 (See Chapters 4.3 and 4.4)

2 To compute GCD $(a_0, a_1)$ (assume $a_0 > a_1$)

3 $(a_0, a_1) = (a_1, a_2)$ where $a_0 \equiv a_2 \bmod a_1$

4 Recursively generate $(a_i, a_{i+1})$, $a_{i+1} < a_i$, where $a_{i-1} \equiv a_{i+1} \bmod a_i$, till the GCD can be trivially found.

5 Bezout’s Representation: If s = (m, a) we can write s as s = im + ja where i and j are integers.

6 The Bezout representation can be determined using the extended Euclidean algorithm.

7 If s = (m, a) = 1 we can write 1 = im + ja or ja = 1 − im or ja ≡ 1 mod m. Thus j is the multiplicative inverse of a in $Z_m$.


Extended Euclid Algorithm

d = (a, b) = ak + bl : Algorithm returns d, k, l

u=[a 1 0]                   % invariant: u(0) = a*u(1) + b*u(2)
v=[b 0 1]                   % invariant: v(0) = a*v(1) + b*v(2)
while (v(0) != 0) do
    y=floor(u(0)/v(0));     % quotient
    w=u-y*v;                % remainder row
    u=v;
    v=w;
endwhile
d=u(0); k=u(1); l=u(2);

Trace for a=457, b=283 (first row is the initial state, each following row is the state after one pass of the loop):

u(0)  u(1)  u(2) | v(0)  v(1)  v(2)
 457     1     0 |  283     0     1
 283     0     1 |  174     1    -1
 174     1    -1 |  109    -1     2
 109    -1     2 |   65     2    -3
  65     2    -3 |   44    -3     5
  44    -3     5 |   21     5    -8
  21     5    -8 |    2   -13    21
   2   -13    21 |    1   135  -218
   1   135  -218 |    0  -283   457

1 = 135*457 + (-218)*283


Square and Multiply Algorithm

1 See Figures 9.7 and 9.8 in the text.

2 Compute $y = a^x \bmod n$. Large a, x, n (say 300 digits long)

3 Let b(r) · · · b(0) be the binary representation of the exponent x (an r + 1 bit number)

4 Square and multiply algorithm requires r + 1 to 2(r + 1) multiplications (1000 to 2000 multiplications for 300 digit exponents)

z=1;
for i=r downto 0
    z=z*z mod n
    if (b(i) = 1)
        z = z*a mod n
    endif;
endfor;


Example: Compute $36^{43} \bmod 87$

x = 43 = 101011b; r = 5; a = 36; n = 87; z = 1;

1 $b_5 = 1$, z = 1, $z = z^2 a \equiv 36 \bmod 87$

2 $b_4 = 0$, z = 36, $z = z^2 \equiv 78 \bmod 87$

3 $b_3 = 1$, z = 78, $z = z^2 a \equiv 45 \bmod 87$

4 $b_2 = 0$, z = 45, $z = z^2 \equiv 24 \bmod 87$

5 $b_1 = 1$, z = 24, $z = z^2 a \equiv 30 \bmod 87$

6 $b_0 = 1$, z = 30, $z = z^2 a \equiv 36 \bmod 87$

$36^{43} \equiv 36 \bmod 87$


Euler-Phi Function

1 See Chapter 8.2 (Euler Totient)

2 Φ(m): the number of elements in $Z_m$ that are co-prime to m

3 In $Z_m$, Φ(m) elements have multiplicative inverses.

4 For m = p, Φ(p) = p − 1.

5 For m = pq (where p and q are primes) Φ(m) = (p − 1)(q − 1).


Example

1 p = 5, q = 7. m = 35. Φ(35) = (5 − 1)(7 − 1) = 24

2 5 multiples of 7 (0,7,14,21,28) and 7 multiples of 5 (0,5,10,15,20,25,30) are not relatively prime to 35

3 5+7-1 elements are not co-prime

4 35 - (5+7-1) = 24 numbers are co-prime to m (have multiplicative inverses).

5 More generally, for m = pq

6 p multiples of q and q multiples of p are not co-prime to m - a total of p + q − 1 elements (0 is common)

7 Φ(m) = pq − (p + q − 1) = (p − 1)(q − 1).


Fermat’s Little Theorem

1 See Chapter 8.2

2 Applicable for $Z_p^*$

$\forall a \in Z_p^*,\ a^p \equiv a \bmod p$

$\forall a \in Z_p^*,\ a^{p-1} \equiv 1 \bmod p$

3 Proof: $aZ_p^*$ is simply a permutation of $Z_p^*$

$\prod_{i=1}^{p-1} ai \equiv a^{p-1}(p-1)! \equiv \prod_{i=1}^{p-1} i \equiv (p-1)! \bmod p$


Why ...

1 is $aZ_p^*$ a permutation of $Z_p^*$?

2 We can easily see that no two elements of $aZ_p^*$ can be identical.

3 Consider ai and aj in $aZ_p^*$ (corresponding to i and j in $Z_p^*$)

4 Is it possible that ia ≡ ja mod p (or (ia − ja) ≡ 0 mod p)?

5 No. That is only possible if p divides (i − j)a, but both (i − j) and a have no common factors with p.

6 All elements of $aZ_p^*$ should be unique!

7 Or $aZ_p^*$ is a permutation of $Z_p^*$.


Alternate Proof for $a^p \equiv a \bmod p$

1 Based on mathematical induction.

2 We know $1^p \equiv 1 \bmod p$

3 Assume $n^p \equiv n \bmod p$

4 Show $(n+1)^p \equiv (n+1) \bmod p$

5 Perform binomial expansion of $(n+1)^p$

6 $(n+1)^p = \sum_{i=0}^{p} \binom{p}{i} n^i \bmod p$

7 All terms that are multiples of p can be ignored.

8 That leaves only two terms: $\binom{p}{0} n^0 = 1$ and $\binom{p}{p} n^p \equiv n \bmod p$.

9 Thus $(n+1)^p \equiv (n+1) \bmod p$.


Euler-Fermat’s Theorem

1 Applicable for $Z_m$ (m need not be a prime)

2 We are more interested in m of the form m = pq where p and q are primes.

$\forall a \in Z_m,\ a^{\Phi(m)+1} \equiv a \bmod m$

$\forall a : (a, m) = 1,\ a^{\Phi(m)} \equiv 1 \bmod m$

3 Also note that

$a^{2\Phi(m)+1} \equiv a \cdot a^{\Phi(m)} \equiv a^{\Phi(m)+1} \equiv a \bmod m$

or $a \equiv a^1 \equiv a^{k\Phi(m)+1} \bmod m$ for any integer k.

4 We can replace the exponent x with y ≡ x mod Φ(m):

$a^x \equiv a^{x \bmod \Phi(m)} \bmod m$


Proof: $a^{\Phi(m)+1} \equiv a \bmod m$, where m = pq

It is easy to see that

$p \mid (X - a)$ and $q \mid (X - a) \implies pq \mid (X - a)$

$X \equiv a \bmod p$ and $X \equiv a \bmod q \implies X \equiv a \bmod pq$

Now consider $X = a^{\Phi(m)+1} = a^{(p-1)(q-1)+1}$

Easy to see that for any a,

$a^{(p-1)(q-1)+1} \equiv a \bmod p$ and $a^{(p-1)(q-1)+1} \equiv a \bmod q \implies a^{(p-1)(q-1)+1} \equiv a \bmod pq$.


Example

1 For p = 3, q = 5 and m = pq = 15, we have Φ(m) = (3 − 1)(5 − 1) = 8

2 For all a (between 1 and 14) $a^9 \equiv a \bmod 15$

3 For all a coprime to 15 $a^8 \equiv 1 \bmod 15$


Public Key Cryptography

1 Every entity (for example, Alice) chooses private key(s)

2 Computes public key(s)

3 Alice advertises her public keys

4 And never reveals her private keys.

5 It should not be possible for anyone to compute the private key from the public key (obviously)


Inverse Problems

1 Most PKC algorithms rely on difficult inverse problems

    Factorization Problem: Given large p and q it is easy to compute n = pq. But given n it is impractical to factorize n into the constituent primes.

    Discrete Logarithm Problem: Let $\alpha = g^a \bmod p$. Given a, g, p computing α is trivial. However given α, g and p it is impractical to compute a.


Encryption, Signatures and Key Exchange

1 To send an encrypted message to Alice the sender should encrypt the message with Alice’s public key

2 Only Alice (who has the corresponding private key) can decrypt the message

3 If Alice encrypts the message using her private key anybody with access to her public key can verify that the message was sent by Alice (digital signature)


Diffie-Hellman Key Exchange

DH is based on difficulty of calculating discrete logarithms

A known p, and (preferably) a generator g in $Z_p$.

Alice chooses a secret a, calculates $\alpha \equiv g^a \bmod p$.

Bob chooses a secret b, calculates $\beta \equiv g^b \bmod p$.

Alice and Bob exchange α and β

Alice calculates $K_{AB} \equiv \beta^a \bmod p$.

Bob calculates $K_{AB} \equiv \alpha^b \bmod p$.

Both of them arrive at $K_{AB} \equiv g^{ab} \bmod p$.

$K_{AB}$ is a secret that no one apart from Alice and Bob can calculate!


DH Example

p = 13, g = 2.

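Alice chooses a = 3. $\alpha \equiv g^a \equiv 2^3 \equiv 8 \bmod 13$

Bob chooses b = 7. $\beta \equiv g^b \equiv 2^7 \equiv 11 \bmod 13$

Alice calculates $K_{ab} \equiv \beta^a \equiv 11^3 \equiv 5 \bmod 13$

Bob calculates $K_{ab} \equiv \alpha^b \equiv 8^7 \equiv 5 \bmod 13$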


RSA - (Rivest - Shamir - Adleman)

See Chapter 9.2

Alice chooses two large primes p and q.

n = pq is the modulus ($Z_n$ is a ring - not a field)

Φ(n) = (p − 1)(q − 1).

Alice chooses e such that (e, Φ(n)) = 1.

Computes d such that de ≡ 1 mod Φ(n). Or d is the multiplicative inverse of e mod Φ(n) (using extended Euclidean algorithm)

Destroy p, q and Φ(n).

n and e are public keys

d is the private key


RSA

Cannot determine p and q from n (factorization is hard)

Cannot determine Φ(n) without factoring n. So finding d given e (and n) is hard.


RSA Cipher

Alice’s public keys are $n_a$ and $e_a$.

Bob desires to send a message P to Alice

Bob computes and sends $C = P^{e_a} \bmod n_a$

Alice computes $P = C^{d_a} \equiv P^{e_a d_a} \equiv P^{k\Phi(n_a)+1} \equiv P \bmod n_a$.

$e_a d_a \equiv 1 \bmod \Phi(n_a) \rightarrow e_a d_a = 1 + k\Phi(n_a)$.

Only Alice (who has access to $d_a$) can decrypt the message


RSA Example

p = 11, q = 13. n = pq = 143

φ(n) = (p − 1)(q − 1) = 120.

Choose e = 7 (say)

$d \equiv e^{-1} \bmod 120 \equiv 103$.

P ≡ 41 mod 143.

$C \equiv 41^7 \bmod 143 \equiv 24$.

$P \equiv C^d \equiv 24^{103} \bmod 143 \equiv 41$.
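
The RSA key generation, cipher and example slides above, run end to end with the slide values p = 11, q = 13, e = 7 (an added example, not part of the original slides). It reuses the extended Euclid and square-and-multiply algorithms from the preliminaries, checks that every P in Z_143 decrypts correctly (including the 23 values that share a factor with n, as the Euler-Fermat proof promises), and adds a hash-then-sign round trip. The function names and the toy_hash helper (SHA-256 reduced mod n so it fits the toy modulus) are assumptions made for this sketch.

```python
import hashlib


def egcd(a, b):
    """Extended Euclid as on the slide: returns (d, k, l) with d = a*k + b*l."""
    u, v = (a, 1, 0), (b, 0, 1)
    while v[0] != 0:
        y = u[0] // v[0]
        u, v = v, tuple(ui - y * vi for ui, vi in zip(u, v))
    return u


def modexp(a, x, n):
    """Square and multiply over the bits of x, most significant bit first."""
    z = 1
    for bit in bin(x)[2:]:
        z = z * z % n
        if bit == "1":
            z = z * a % n
    return z


def rsa_keygen(p, q, e):
    """Return ((n, e), d). p and q are assumed to be distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, _, inv = egcd(phi, e)          # g = phi*_ + e*inv
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), inv % phi


def encrypt(P, pub):
    n, e = pub
    return modexp(P, e, n)


def decrypt(C, pub, d):
    return modexp(C, d, pub[0])


def toy_hash(message, n):
    """h = H(M), reduced mod n only because the toy modulus is tiny."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, pub, d):
    return modexp(toy_hash(message, pub[0]), d, pub[0])


def verify(message, S, pub):
    n, e = pub
    return modexp(S, e, n) == toy_hash(message, n)


def roundtrip_failures(pub, d):
    """Every P in Z_n that does not decrypt back to itself (expected: none)."""
    return [P for P in range(pub[0]) if decrypt(encrypt(P, pub), pub, d) != P]


if __name__ == "__main__":
    pub, d = rsa_keygen(11, 13, 7)                 # slide values
    print("public key", pub, "private d =", d)
    print("C =", encrypt(41, pub), " P =", decrypt(24, pub, d))
    print("round-trip failures over Z_143:", roundtrip_failures(pub, d))
    msg = b"constructed sample message"            # constructed input
    S = sign(msg, pub, d)
    print("signature verifies:", verify(msg, S, pub))
```
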


Practical Issues

1 Typically p and q may be numbers with around 150 digits

2 n and Φ(n) may be 300 digits long.

3 e could be small. But d may be 300 digits long

4 For RSA to be practical it should be easy to

    choose two large primes p and q (we must be able to verify that the numbers are indeed primes)

    compute multiplicative inverses (trivial)

    compute large exponents (trivial)

5 It should be difficult (practically impossible) for anyone to factorize n to determine p (and / or q)


Generating Large Primes

1 See Chapter 9.2

2 Say we need to generate a 150 digit prime

3 Generate a random odd number with 150 digits

4 Check if it is a prime

5 If not increment number by two and check again

6 till we “stumble upon” a prime


Density of Prime numbers

1 Prime numbers are dense

2 Total number of primes less than N is roughly $N/\log(N)$

3 Total number of primes with 150 or less digits is 2.8761e148

4 Total number of primes with 149 or less digits is 2.8953e147

5 Total number of 150 digit primes is 2.5866e148 (one in every 387 numbers)

6 On an average we need to test about 387/4 = 97 numbers (test if it is a prime)


Primality Testing

1 How do we check if some number p′ is a prime?

2 A number is a prime if it does not have any factors.

3 Do we have to factorize a number to determine that it is not a prime?

4 If that were the case primality checking is impractical (after all, PKC relies on the fact that factorization is a hard problem)

5 If p′ (say 150 digits) is not a prime, at least one factor should be 75 digits or less

6 The total number of primes with 75 digits or less is still prohibitively high (about 5.7e73)


Probabilistic Primality Testing

1 Fermat’s little theorem to the rescue!

2 The algorithm for testing if p′ is a prime:

COUNT=0;
while (1)
    choose random a
    if (a, p′) ≠ 1 return PRIME=FALSE; break; endif;
    if a^(p′−1) mod p′ ≠ 1 return PRIME=FALSE; break; endif;
    COUNT=COUNT+1;
    if (COUNT=100) return PRIME=TRUE; break; endif
endwhile;


Primality Testing

1 If p′ IS a prime we know that $a^{p'-1} \equiv 1 \bmod p'$.

2 However, the reverse is NOT true. $a^{p'-1}$ can be 1 even if p′ is not a prime.

3 If $a^{p'-1} \equiv 1 \bmod p'$ we say “p′ is pseudo-prime to a” (a prime p is pseudo-prime to all bases)

4 Do we need to check all possible values of a? (if so there is no advantage to this approach)

5 Thankfully we do not need to check for all values of a.


Probabilistic Primality Checking

1 Let us assume that p′ is pseudo-prime to bases $a_1 \cdots a_n$ and IS NOT a pseudo-prime to a base b.

2 Obviously, p′ cannot be a pseudo-prime to bases $ba_1, ba_2, \ldots, ba_n$.

3 If p′ is not a pseudo-prime to one base, it should not be a pseudo-prime to as many bases as the number of bases for which it is a pseudo-prime!

4 Isolated occurrences of non pseudo-primes are not possible

5 Either p′ is a pseudo-prime to all bases (in which case p′ is a prime) or it is not a pseudo-prime to at least half the bases.

6 If the test passes for 100 random values of a the probability that p′ is not a prime is less than $2^{-100}$.
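
The halving argument above needs at least one base b coprime to p′ that fails the test; Carmichael numbers such as 561 = 3·11·17 have none, so every coprime base passes. The added example below (not part of the original slides) counts the passing bases for 91, 561 and 294409, implements the slide's test and the "increment by two" prime search, and goes beyond the slides with Miller-Rabin, for which at most a quarter of the bases pass for any odd composite. All function names are assumptions made for this sketch.

```python
import math
import random


def fermat_liars(n):
    """Count bases a in [1, n-1] that pass both checks of the slide's test."""
    return sum(1 for a in range(1, n)
               if math.gcd(a, n) == 1 and pow(a, n - 1, n) == 1)


def fermat_test(n, rounds=100, rng=random):
    """The slide's algorithm: gcd check, then a^(n-1) mod n, `rounds` times."""
    if n < 4:
        return n in (2, 3)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if math.gcd(a, n) != 1 or pow(a, n - 1, n) != 1:
            return False
    return True


def is_strong_probable_prime(n, a):
    """One Miller-Rabin round for odd n > 2: write n-1 = d * 2^s, d odd."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def strong_liars(n):
    """Count bases in [1, n-1] that pass a Miller-Rabin round for odd n."""
    return sum(1 for a in range(1, n) if is_strong_probable_prime(n, a))


def miller_rabin(n, rounds=40, rng=random):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(is_strong_probable_prime(n, rng.randrange(2, n - 1))
               for _ in range(rounds))


def next_probable_prime(start, is_prime=miller_rabin):
    """'Generating Large Primes' slide: odd start, step by two until prime."""
    n = start | 1
    while not is_prime(n):
        n += 2
    return n


if __name__ == "__main__":
    for n in (91, 561, 294409):      # 7*13, 3*11*17, 37*73*109
        liars = fermat_liars(n)
        print(n, "Fermat pass rate per round: %.3f" % (liars / (n - 1)))
    print("561 strong liars:", strong_liars(561), "of 560 bases")
    print("first probable prime >= 10**150:", next_probable_prime(10**150))
```

For 91 fewer than half of the bases pass, as the slide argues; for 561 and 294409 every coprime base passes, so only the gcd check can reject them, and it fires less often as the prime factors grow.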


El Gamal Cipher

Based on the difficulty of discrete log problem (like DH)

All entities agree on a prime p (say 200 digits long) and a generator g

Alice chooses a random value a as her private key (a < p also has typically the same number of digits as p)

Alice computes $\alpha = g^a \bmod p$ as her public key.


El Gamal

Bob knows α, p, g, needs to send P to Alice

Bob chooses a random k (from $Z_p$) and computes $\mu = g^k \bmod p$

Sends ciphertext $C = P\alpha^k \bmod p$ along with the mask µ to Alice.

Alice with access to the private key a can compute $\mu^a = (g^k)^a \equiv (g^a)^k = \alpha^k$. No one else can compute $\alpha^k$ without the knowledge of k.

Alice computes the multiplicative inverse of $\mu^a$ (say $\nu = (\mu^a)^{-1}$)

Now Alice can get $C\nu = P\alpha^k(\alpha^k)^{-1} = P$.


El Gamal Cipher Example

p = 13, g = 2.

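Alice chooses a = 3. $\alpha \equiv g^a \equiv 2^3 \equiv 8 \bmod 13$

Bob chooses k = 5, $g^k \equiv 2^5 \equiv 6 \bmod 13$

Say P = 4. $\alpha^k \equiv 8^5 \equiv 8 \bmod 13$. $C = P\alpha^k = 4 \cdot 8 \equiv 6$

Alice calculates $\alpha^k \equiv (g^k)^a \equiv 6^3 \equiv 8$

Inverse of 8 is 5.

$P = P\alpha^k(\alpha^k)^{-1} \equiv 6 \cdot 5 \equiv 4 \bmod 13$.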


Practical Signature Schemes

Signer (message source) and any number of verifiers.

Message M to be signed

Signer computes h = H(M) (for example SHA-1 hash)

h is encrypted with the private key to get the signature S .

Signer sends M ‖ S

Receiver:

Extract M. Calculate h = H(M).

Verify decryption of S with public key yields h.


RSA - As a Signature Scheme

Alice’s public keys are $n_a$ and $e_a$.

Alice wishes to sign a hash h = h(M)

The signature S is computed as $S = h^{d_a} \bmod n_a$.

Any verifier with access to Alice’s public keys $e_a$ and $n_a$ can verify that $h = S^{e_a} \equiv h^{e_a d_a} \equiv h^{k\Phi(n_a)+1} \equiv h \bmod n_a$.

$e_a d_a \equiv 1 \bmod \Phi(n_a) \rightarrow e_a d_a = 1 + k\Phi(n_a)$.


El Gamal Signature Scheme

Public p, g ∈ $Z_p$ - g preferably a generator.

Alice’s private key a ∈ $Z_p$.

Alice’s public key $\alpha \equiv g^a \bmod p$.

To sign a message M with hash h = H(M) Alice chooses a random 1 ≤ k ≤ p − 2 and calculates:

$r = g^k \bmod p$

$s = (h - ar)k^{-1} \bmod (p-1)$

Signature is r ‖ s

Verification: $\alpha^r r^s \equiv g^h \bmod p$.

$\alpha^r = g^{ar}$, $r^s = g^{k(h-ar)k^{-1}} = g^{h-ar}$

$\alpha^r r^s = g^{ar} g^{h-ar} = g^h$


El Gamal Example

p = 79, g = 7. Let h = 12 and k = 5.

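Alice’s private key a = 43. Public key $\alpha \equiv 7^{43} \equiv 48 \bmod 79$.

$k^{-1} \bmod (p-1) \equiv 47 \bmod 78$.

$r = g^k \equiv 7^5 \equiv 59 \bmod 79$.

$s = (12 - 43 \times 59) \cdot 47 \equiv 41 \bmod 78$.

$\alpha^r r^s \equiv 48^{59} \cdot 59^{41} \equiv 8 \bmod 79$

$g^h \equiv 7^{12} \equiv 8 \bmod 79$.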
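
The El Gamal cipher slides (p = 13, g = 2) and the signature slides above (p = 79, g = 7), as one added example that is not part of the original slides. It reproduces both worked examples and adds two checks the slides leave implicit: the signer's k must be coprime to p − 1 or $k^{-1}$ does not exist, and the verifier rejects r and s outside their ranges before doing any arithmetic. Function names are assumptions; pow(x, -1, m) needs Python 3.8 or later.

```python
import math


def public_key(a, p, g):
    """alpha = g^a mod p."""
    return pow(g, a, p)


def encrypt(P, alpha, k, p, g):
    """Return (C, mu): ciphertext C = P * alpha^k and mask mu = g^k, mod p."""
    mu = pow(g, k, p)
    C = P * pow(alpha, k, p) % p
    return C, mu


def decrypt(C, mu, a, p):
    """Recover P = C * (mu^a)^-1 mod p using the private key a."""
    nu = pow(pow(mu, a, p), -1, p)
    return C * nu % p


def sign(h, a, k, p, g):
    """Return (r, s) for hash value h, private key a and per-signature k."""
    if not 1 <= k <= p - 2 or math.gcd(k, p - 1) != 1:
        raise ValueError("k must lie in [1, p-2] and be coprime to p-1")
    r = pow(g, k, p)
    s = (h - a * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def verify(h, r, s, alpha, p, g):
    """Check alpha^r * r^s == g^h mod p, after range-checking r and s."""
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return pow(alpha, r, p) * pow(r, s, p) % p == pow(g, h, p)


if __name__ == "__main__":
    # Cipher slide example: p = 13, g = 2, a = 3, k = 5, P = 4
    alpha = public_key(3, 13, 2)
    C, mu = encrypt(4, alpha, 5, 13, 2)
    print("alpha =", alpha, "C =", C, "mu =", mu,
          "decrypted =", decrypt(C, mu, 3, 13))

    # Signature slide example: p = 79, g = 7, a = 43, h = 12, k = 5
    alpha = public_key(43, 79, 7)
    r, s = sign(12, 43, 5, 79, 7)
    print("alpha =", alpha, "r =", r, "s =", s)
    print("valid signature accepted:", verify(12, r, s, alpha, 79, 7))
    print("different hash rejected: ", not verify(13, r, s, alpha, 79, 7))
    print("out-of-range r rejected: ", not verify(12, r + 79, s, alpha, 79, 7))
```
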


RSA vs El Gamal

1 Generation of RSA key pairs is an expensive operation - mainly due to the need to generate primes p and q. For El Gamal the private key can be chosen randomly.

2 For RSA every entity uses a different modulus n = pq. For El Gamal all entities can use the same p (and g)


RSA vs El Gamal

1 To encrypt a value P ∈ $Z_p$ (say a 1024-bit quantity) the sender needs to provide two 1024-bit quantities in El Gamal (the cipher text C and the mask µ). In RSA only one value is required (RSA has less bandwidth overheads).

2 Same goes for signatures too (r and s for El Gamal)

3 In RSA it is possible to choose very small values of public encryption exponent e. Choosing say e = 3 does not affect the security of RSA. So encryption can be fast (but decryption will still be slow as the private exponent d will be 1024-bits long).

4 For the same reason verification of RSA signatures can be fast.


Order of a number in $Z_p$

1 The order of a ∈ $Z_p$ is the minimum value r for which $a^r \equiv 1 \bmod p$

2 The maximum order is p − 1. Also referred to as full order. Generators have full order.

3 The order of any number divides p − 1

4 As p − 1 is always even, at the minimum we should have 4 orders - p − 1, 1, 2, and (p − 1)/2

5 In $Z_{11}$ we saw 2,6,7 and 8 have full order (p − 1 = 10); 3,4,5 and 9 have order (p − 1)/2 = 5; 10 has order 2; 1 has order 1;


Order of a number

1 The order of 1 is always 1 and the order of p − 1 is always 2 (irrespective of p)

2 The number of elements with full order (the number of generators) is Φ(p − 1)

3 The number of elements with order (p − 1)/d is Φ((p − 1)/d).

4 The maximum order is p − 1. Also referred to as full order. Generators have full order.

5 The order of any number divides p − 1

6 As p − 1 is always even, at the minimum we should have 4 orders - p − 1, 1, 2, and (p − 1)/2
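
The order slides above and the earlier Diffie-Hellman slides ask for g to be "preferably a generator"; this added example (not part of the original slides) shows why a parameter check on g matters. It tabulates the orders in Z_11, confirms that the number of elements of order d is Φ(d), and enumerates every shared secret reachable with p = 13 for the generator g = 2 from the DH example and for g = 3, which has order 3. Function names are assumptions made for this sketch.

```python
import math


def order(a, p):
    """Smallest r >= 1 with a^r = 1 mod p, for a not divisible by the prime p."""
    if a % p == 0:
        raise ValueError("0 has no multiplicative order")
    r, x = 1, a % p
    while x != 1:
        x = x * a % p
        r += 1
    return r


def phi(n):
    """Euler-Phi by direct count (fine for the toy sizes used here)."""
    return sum(1 for i in range(1, n + 1) if math.gcd(i, n) == 1)


def orders_by_value(p):
    """Map each order d to the sorted list of elements of Z_p^* having it."""
    table = {}
    for a in range(1, p):
        table.setdefault(order(a, p), []).append(a)
    return table


def is_generator(g, p):
    """Parameter check: g has full order p - 1."""
    return order(g, p) == p - 1


def dh_shared_secrets(g, p):
    """Every K_AB = g^(ab) mod p reachable with secrets a, b in [1, p-2]."""
    return {pow(g, a * b, p) for a in range(1, p - 1) for b in range(1, p - 1)}


if __name__ == "__main__":
    table = orders_by_value(11)
    for d in sorted(table):
        print("order", d, ":", table[d], " Phi(%d) = %d" % (d, phi(d)))

    for g in (2, 3):                       # p = 13 as in the DH example
        secrets = dh_shared_secrets(g, 13)
        print("g =", g, "generator:", is_generator(g, 13),
              "possible K_AB:", sorted(secrets))
```

With g = 3 every key agreed between any two parties falls in a set of three values, no matter how the secrets a and b are chosen; rejecting a g of small order before use avoids this.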


Schnorr Signature Scheme

DSA is a variant of the Schnorr Scheme

Public p, q, $g_q$, hash function H().

    Large prime p (say 1024-bits)

    Prime q | (p − 1) (say 160-bit prime)

    $g_q \in Z_p$, where $g_q$ has order q. ($Z_p$ will contain Φ(q) = q − 1 numbers of order q - any of which can be chosen for this purpose)

Alice’s private key a ∈ $Z_p$, public key $\alpha \equiv g_q^a \bmod p$.


Schnorr Signature Scheme

To sign a message M, Alice chooses a random 1 ≤ k ≤ q − 1 and calculates:

$$r = H(M \,\|\, g_q^{k}) \bmod q$$

$$s = (k + ar) \bmod q$$

The signature is r ‖ s (both r and s are 160-bit quantities).

The verifier (who has α = g_q^a mod p) can calculate

$$\begin{aligned}
x &\equiv g_q^{s}\,\alpha^{-r} \bmod q \\
  &\equiv g_q^{k+ar}\, g_q^{-ar} \bmod q \\
  &\equiv g_q^{k} \bmod q
\end{aligned} \tag{2}$$

and verify H(M ‖ x) = r.
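The signing and verification steps above, as an added Python example that is not part of the original slides. The parameters are toy-sized and found by trial division (the slides call for a 1024-bit p and a 160-bit q); SHA-256 as H, the encoding of g_q^k inside the hash, and all function names are assumptions. In this sketch the group operations are reduced mod p, only r and s are reduced mod q, and the private key is drawn from 1..q − 1.

```python
import hashlib
import secrets
from itertools import count
from math import isqrt

def is_prime(n):
    # Trial division: adequate only for the toy sizes used here.
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def make_group(q_min=10**6):
    """Return (p, q, g_q): q prime, p = j*q + 1 prime, g_q of order q in Z_p."""
    q = next(n for n in count(q_min) if is_prime(n))
    j = next(j for j in count(2, 2) if is_prime(j * q + 1))
    p = j * q + 1
    # h^((p-1)/q) has order exactly q unless it equals 1, because q is prime.
    g = next(x for x in (pow(h, j, p) for h in count(2)) if x != 1)
    return p, q, g

def H(msg, x, q):
    """H(M || x) mod q, with x encoded as a decimal string (an assumption)."""
    digest = hashlib.sha256(msg + b"|" + str(x).encode()).digest()
    return int.from_bytes(digest, "big") % q

def keygen(p, q, g):
    a = secrets.randbelow(q - 1) + 1          # private key, 1 <= a <= q-1
    return a, pow(g, a, p)                    # public key alpha = g_q^a mod p

def sign(msg, a, p, q, g):
    k = secrets.randbelow(q - 1) + 1          # fresh secret nonce per signature
    r = H(msg, pow(g, k, p), q)
    s = (k + a * r) % q
    return r, s

def verify(msg, sig, alpha, p, q, g):
    r, s = sig
    if not (0 <= r < q and 0 <= s < q):       # reject out-of-range values
        return False
    x = pow(g, s, p) * pow(alpha, -r, p) % p  # g_q^(k+ar) * g_q^(-ar) = g_q^k
    return H(msg, x, q) == r
```

The nonce k must be unpredictable and never reused: two signatures made with the same k give two equations s = k + ar in the two unknowns k and a.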


Advantages of Schnorr’s Signature

1 The signature size is small (equivalent to 2 hashes)

2 All computations (for signing and verification) use smaller modulus q (p is typically 1024 bits)


Factorization

1 RSA relies on the assumption that factorization is hard

2 Brute force factorization of n = pq: Check all primes less than √n.

3 For 300 digit n (around 150 digit p and q) around 1e147 primes have to be tested - highly impractical

4 Attacker complexity of 1e20 may be acceptable (equivalent to 64-bit symmetric cipher)

5 Many sophisticated algorithms have been developed for factorization

6 We will just need to increase the key lengths as the sophistication of attacks improves


Some Factorization Algorithms

1 Fermat’s factorization is effective if the two prime factors (p and q) are close to each other

2 Pollard’s p − 1 algorithm is efficient in scenarios where either p − 1 or q − 1 is comprised of many small factors

3 Williams’ p + 1 algorithm is efficient when p + 1 or q + 1 is comprised entirely of small factors

4 Care is taken to ensure that p and q are not close - for example choosing 148-digit q and 150-digit p

5 It is also necessary to ensure that p − 1, q − 1, p + 1, q + 1 do not have small factors.

6 All these requirements make secure key generation even more complex for RSA.
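The key-generation requirements above can be turned into a check on a finished modulus. This added Python example (not from the slides; the function names, step limit and smoothness bound are assumptions) runs bounded versions of Fermat's method and Pollard's p − 1 on an odd modulus n and reports which of them, if either, factors it.

```python
from math import gcd, isqrt

def fermat_factor(n, max_steps=100_000):
    """Fermat's method: find x with x^2 - n = y^2, so n = (x - y)(x + y).
    Finishes within a few steps only when the two factors are close."""
    x = isqrt(n)
    if x * x < n:
        x += 1
    for _ in range(max_steps):
        y2 = x * x - n
        y = isqrt(y2)
        if y * y == y2:
            return x - y, x + y
        x += 1
    return None

def pollard_p_minus_1(n, bound=1000):
    """Pollard's p - 1: succeeds when p - 1 (or q - 1) has only small factors."""
    a = 2
    for m in range(2, bound + 1):
        a = pow(a, m, n)              # a = 2^(m!) mod n
        d = gcd(a - 1, n)
        if 1 < d < n:
            return d, n // d
    return None

def audit_modulus(n, max_steps=100_000, bound=1000):
    """Return a finding for each cheap method that factors n."""
    findings = []
    if fermat_factor(n, max_steps):
        findings.append("fermat: p and q too close")
    if pollard_p_minus_1(n, bound):
        findings.append("pollard p-1: p-1 or q-1 is smooth")
    return findings

if __name__ == "__main__":
    # Constructed moduli: one with close factors, one with p - 1 = 2^16.
    print(audit_modulus(1000003 * 1000033))
    print(audit_modulus(65537 * (2**31 - 1)))
```

An empty result only means these two bounded checks found nothing; it says nothing about resistance to the more advanced algorithms.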


More Advanced Factoring Algorithms

1 Dixon’s random squares, number field sieves, etc.

2 All of them try to determine some “special relationships”

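3 If we can find two numbers x and y such that x^2 ≡ y^2 mod n and x ≢ y mod n and x ≢ −y mod n, then we can easily factorize n

4 Note that

$$\begin{aligned}
x^2 \equiv y^2 \bmod n &\Rightarrow n \mid (x - y)(x + y) \\
x \not\equiv y \bmod n &\Rightarrow n \nmid (x - y) \\
x \not\equiv -y \bmod n &\Rightarrow n \nmid (x + y)
\end{aligned} \tag{3}$$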

5 Which means (n, x + y) and (n, x − y) should give the factorsof n
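A small worked instance of relation (3), added here as an illustration; the numbers are constructed and are not from the slides:

$$n = 77,\quad x = 9,\quad y = 2:\qquad x^2 = 81 \equiv 4 = y^2 \pmod{77},\qquad 9 \not\equiv \pm 2 \pmod{77}$$

$$\gcd(77,\, x - y) = \gcd(77,\, 7) = 7,\qquad \gcd(77,\, x + y) = \gcd(77,\, 11) = 11,\qquad 77 = 7 \cdot 11$$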


Discrete Log

1 Shanks’ Algorithm

2 Pohlig-Hellman Algorithm (works well if p − 1 has no large factors)

3 Index Calculus method

4 Number-field sieve


Public Key Cryptography

Computationally about 1000 times more expensive than symmetric cryptography

Used sparingly

encrypting session keys

signing hashes

RSA - bandwidth efficient, primality testing is hard - so generation of key pairs is complex.

DH-based schemes - no need to generate prime numbers (generating key pairs is trivial). Everyone can use the same p, g. Needs twice the bandwidth.
