Public Key Cryptosystems & Digital Signatures --- New era of secure communications ---

Public Key Cryptosystems & Public Key Cryptosystems & Digital SignaturesDigital Signatures--- New era of secure --- New era of secure

communications ---communications ---

CSE2500- System Security and Privacy 2

OutlineOutline

Why public key cryptography ?Why public key cryptography ? General principles of public key General principles of public key

cryptographycryptography The RSA public key cryptosystemThe RSA public key cryptosystem Digital signatureDigital signature Slides 12 to 25 for mathematically Slides 12 to 25 for mathematically

inclined students (and will not be inclined students (and will not be covered in this subject)covered in this subject)


Private key cipherPrivate key cipher

E Network or Storage

Plain Text Cipher Text Cipher Text

D

Bob

Secret Key

Alice

Secret Key

Plain Text


Problems with private key ciphersProblems with private key ciphers

In order for Alice & Bob to be able to In order for Alice & Bob to be able to communicate securely using a private communicate securely using a private key cipher, such as DES, they have to key cipher, such as DES, they have to have a shared key in the first place.have a shared key in the first place.Question: Question:

What if they have never met before ?What if they have never met before ? Alice needs to keep Alice needs to keep 100100 different keys different keys

if she wishes to communicate with if she wishes to communicate with 100100 different peopledifferent people


Motivation of Public Key CryptographyMotivation of Public Key Cryptography

Is it possible for Alice & Bob, who Is it possible for Alice & Bob, who have no shared secret key, to have no shared secret key, to communicate securely ?communicate securely ?

This led to the SINGLE MOST This led to the SINGLE MOST IMPORTANT discovery of public key IMPORTANT discovery of public key communications: communications: Diffie & Hellman’s ideas of public key Diffie & Hellman’s ideas of public key

cryptography: <private-key, public-key>cryptography: <private-key, public-key>


Main ideasMain ideas

Bob:Bob: publishes, say in Yellow/White pages, his publishes, say in Yellow/White pages, his

public (for encryption) key, andpublic (for encryption) key, andencryption algorithm.encryption algorithm.

keeps to himself keeps to himself the matching secret (for decryption) key.the matching secret (for decryption) key.


Main ideas (2)Main ideas (2)

Alice:Alice:Looks up the phone book, and finds out Looks up the phone book, and finds out

Bob’sBob’spublic key, andpublic key, andencryption algorithm.encryption algorithm.

Encrypts a message using Bob’s public Encrypts a message using Bob’s public key and encryption algorithm.key and encryption algorithm.

sends the ciphertext to Bob.sends the ciphertext to Bob.


Main ideas (3)Main ideas (3)

Bob:Bob:Receives the ciphertext from AliceReceives the ciphertext from AliceDecrypts the ciphertext using his secret Decrypts the ciphertext using his secret

key, together with the decryption key, together with the decryption algorithmalgorithm


Public Key CryptosystemPublic Key Cryptosystem

E Network

Plain Text Cipher Text Cipher Text

D

Plain Text

Alice

Bob

Bob:

Public Key Directory (Yellow/White Pages)

Secret Key


Main differences with DESMain differences with DES

The public key is different from the The public key is different from the secret key.secret key.

Infeasible for an attacker to find out Infeasible for an attacker to find out the secret key from the public key.the secret key from the public key.

No need for Alice & Bob to distribute a No need for Alice & Bob to distribute a shared secret key beforehand !shared secret key beforehand !

Only one pair of public and secret Only one pair of public and secret keys is required for each user !keys is required for each user !


Realising public key ciphersRealising public key ciphers

The most famous system that The most famous system that implements Diffie & Hellman’s ideas implements Diffie & Hellman’s ideas on public key ciphers is due toon public key ciphers is due toRonald Ronald RRivestivestAdi Adi SShamirhamirLeonard Leonard AAdlemandleman

This public key cryptosystem is callThis public key cryptosystem is calleded RSA.RSA.


Mathematical backgroundMathematical background

Assume that we are working with non-negative Assume that we are working with non-negative integers:integers:

Prime and composite numbersPrime and composite numbersa prime number is an integer that can be divided a prime number is an integer that can be divided

only by 1 and itselfonly by 1 and itself E.g.E.g. 2,2, 3,3, 5,5, 7,7, 11,11,

13,13, 101, ......101, ......

all other integers are compositeall other integers are composite E.g.E.g. 4,4, 6,6, 8,8, 9,9, 10,10,

12,12, 523743960876432,523743960876432,800164386535800164386535



Modular operationsModular operations ““remainder”remainder”

13 mod 5 = 3,13 mod 5 = 3, 1 mod 7 = 1 1 mod 7 = 1 20 mod 5 = 0,20 mod 5 = 0, 32 mod 7 = 4 32 mod 7 = 4

modular exponentiationmodular exponentiation2222 mod 3 = 1, mod 3 = 1, 3 322 mod 3 = 0 mod 3 = 02222 mod 5 = 4, mod 5 = 4, 10 1022 mod 92 = 8 mod 92 = 84466 mod 10 = 6, mod 10 = 6, 3 31111 mod 10 = 7 mod 10 = 7



aa is relative prime to is relative prime to bb if the largest if the largest integer that divides both integer that divides both aa & & bb is 1 is 1E.g: E.g:

anyany m m (<>0) is relatively prime to a prime (<>0) is relatively prime to a prime numbernumber

is 9 relatively prime to 10?is 9 relatively prime to 10?



Let Let øø((nn) denote the total numbers that are ) denote the total numbers that are less thanless than nn and relatively prime to and relatively prime to nn If If nn is a prime number then is a prime number then øø((nn) = ) = nn – 1– 1 If If pp, , qq are prime numbers and are prime numbers and nn==pp**qq, then , then

ØØ((nn) = ) = ØØ((pp**qq) =) = p p**qq – ( – (pp + + qq -1) = ( -1) = (pp-1)*(-1)*(qq-1) -1)

- - pp & & qq are prime numbers => only multiples of are prime numbers => only multiples of pp and and q q are not relatively prime to p*qare not relatively prime to p*q

- That is: there are (- That is: there are (pp + + qq – 1) multiples [0 is counted – 1) multiples [0 is counted once] of once] of pp and and qq

E.g: E.g: p p = 3; = 3; qq=7; {0, 3, 7, 6, 9, 12, 14, 15, 18} are not =7; {0, 3, 7, 6, 9, 12, 14, 15, 18} are not relatively prime to relatively prime to pp**qq

ØØ((nn) = ) = øø((pp**qq) = 12 ; {1,2,4,5,8,10,11,13,16,17,19,20}) = 12 ; {1,2,4,5,8,10,11,13,16,17,19,20}



yy & & nn are integers and are integers and yy (mod (mod øø((nn)) = 1, )) = 1,

for any for any xx < < nn, , xxyy mod mod n = x n = x (1)(1)

E.g:E.g:y=13 ; n=7; x = 4; y=13 ; n=7; x = 4; øø((nn) = 6; ) = 6; y y mod mod øø((nn) = 13 mod 6 = 1; ) = 13 mod 6 = 1; xxyy = 4 = 413;13; xxyy mod mod nn = 4 = 41313 mod 6 = 4 = mod 6 = 4 = xx mod mod nn;;



The multiplicative inverse of The multiplicative inverse of xx with modulo with modulo nn is is yy such that: (such that: (xx**yy) mod ) mod nn = 1 = 1 (2).(2).

The above multiplicative inverse can be used to The above multiplicative inverse can be used to

create a simple public key cipher: either create a simple public key cipher: either xx or or yy can can be thought of as a secret key and the other is the be thought of as a secret key and the other is the public key.public key.

E.g: E.g: xx=3; =3; nn=10; =10; yy=7; we have: (3*7) mod 10 = 1; =7; we have: (3*7) mod 10 = 1; M =5 ; M =5 ;

3*5 (mod 10) = 5 ; 5*7 (mod 10) = 5 = M (message)3*5 (mod 10) = 5 ; 5*7 (mod 10) = 5 = M (message)M =6 ; M =6 ;

3*6 (mod 10) = 8; 8*7 (mod 10) = 6 = M (message)3*6 (mod 10) = 8; 8*7 (mod 10) = 6 = M (message)


RSA Public Key CryptosystemRSA Public Key Cryptosystem

c=m e mod n

Network

Plain Text Cipher Text Cipher Text Plain Text

Alice

Bob

Bob: (e, n)Public Key Directory (Yellow/White Pages)

public key:

e & n

secret key: d

m=c d mod n


RSA (1)RSA (1)

Bob:Bob:chooses 2 large prime numbers:chooses 2 large prime numbers:p, qp, q

multiplies p and q:multiplies p and q: n = p*qn = p*qfinds out two numbers finds out two numbers ee & & dd such that such that

((e * de * d)) mod mod øø((nn) = 1 ) = 1 [ similar to[ similar to (2) (2) ]]

Or Or ((e * de * d)) mod mod [([(p-1p-1))**((q-1q-1)])] = 1 = 1

public key (published in the phone book)public key (published in the phone book)2 numbers:2 numbers: ((e, ne, n))encryption alg:encryption alg: modular exponentiationmodular exponentiation

secret key:secret key: ((d,nd,n))


RSA (2)RSA (2)

Alice has a message Alice has a message mm to be sent to to be sent to Bob:Bob:finds out Bob’s public encryption key finds out Bob’s public encryption key

((ee, , nn))calculatescalculates

mmee (mod n) -> c(mod n) -> csends the ciphertext sends the ciphertext cc to Bob to Bob


RSA (3)RSA (3)

Bob:Bob:receives the ciphertext receives the ciphertext cc from Alice from Aliceuses his matching secret decryption key uses his matching secret decryption key

dd to calculate to calculate c cdd (mod n) -> m(mod n) -> m


RSA --- 1st small example (1)RSA --- 1st small example (1)

Bob:Bob:chooses 2 primes:chooses 2 primes: p=5, q=11p=5, q=11

multiplies p and q:multiplies p and q: n = p*q = 55n = p*q = 55finds out two numbers finds out two numbers e=3e=3 & & d=27d=27 which which

satisfysatisfy((3 * 273 * 27)) mod 40 = 1 mod 40 = 1

Bob’s public key Bob’s public key 2 numbers:2 numbers: ((3, 553, 55))encryption alg:encryption alg: modular exponentiationmodular exponentiation

secret key:secret key: ((27,5527,55))



Alice has a message Alice has a message m=13m=13 to be sent to to be sent to Bob:Bob:finds out Bob’s public encryption key finds out Bob’s public encryption key

((3, 553, 55))calculates c:calculates c:

c = mc = mee (mod n)(mod n) = 13 = 1333 (mod 55)(mod 55) = 2197 = 2197 (mod 55)(mod 55) = 52 = 52

sends the ciphertext sends the ciphertext c=52c=52 to Bob to Bob



Bob:Bob:receives the ciphertext receives the ciphertext c=52c=52 from Alice from Aliceuses his matching secret decryption key uses his matching secret decryption key

2727 to calculate m: to calculate m:m = 52m = 522727 (mod 55)(mod 55) = 13 (Alice’s message) = 13 (Alice’s message)


How does RSA work?How does RSA work?

n = p*q => n = p*q => ØØ((nn) = ) = ØØ((pp**qq) =) = ((pp-1)*(-1)*(qq-1)-1) We chooseWe choose d & e d & e such thatsuch that

(e * d) mod (e * d) mod øø((nn) = ) = = 1 = 1 ; similar to; similar to (2) (2)

for any for any mm < < nn: : mmdede = = mm mod mod n ; n ; fromfrom (1) (1) an RSAan RSA encryption consists of taking m and raising it encryption consists of taking m and raising it

to to ee; and decrypting the ciphertext by raising the ; and decrypting the ciphertext by raising the result of the encrytion to result of the encrytion to dd:: We have We have ((a*ba*b)) mod nmod n = = ((((a a mod n)mod n) * * ((b b mod nmod n)))) mod nmod n

hence : (mhence : (me e mod nmod n) ) d d mod nmod n = = ((mmee))d d mod nmod n = = ((mmeded) ) mod nmod n = = mm modmod n n = m [from (1)] = m [from (1)]


Remarks on RSARemarks on RSA

The message m The message m has to be has to be an integer an integer betweenbetween the range the range [1, n)[1, n)..

To encrypt long messages we can use To encrypt long messages we can use modes of operation as for block modes of operation as for block private key ciphers, or a hybrid private key ciphers, or a hybrid cryptosystem.cryptosystem.


Why RSA is SecureWhy RSA is Secure

Attack Scenario:Attack Scenario:Marvin wants to read Alice’s private message (m) Marvin wants to read Alice’s private message (m)

intended to be read only by Bob.intended to be read only by Bob.However, Alice used RSA to encrypt m using However, Alice used RSA to encrypt m using

Bob’s public key (Bob’s public key (e, ne, n), into the ciphertext ), into the ciphertext cc = = mmee

(mod (mod nn))..Marvin is a determined attacker and managed to Marvin is a determined attacker and managed to

intercept the ciphertext c on its way from Alice’s intercept the ciphertext c on its way from Alice’s to Bob’s computer.to Bob’s computer.

Marvin also looked up Bob’s public key (Marvin also looked up Bob’s public key (e,ne,n) to ) to help him in his attack.help him in his attack.



Marvin now has (c,e,n) and wants to find out m.Marvin now has (c,e,n) and wants to find out m. How can Marvin proceed to find m?How can Marvin proceed to find m?

Approach 1:Approach 1: If Marvin could also find out Bob’s If Marvin could also find out Bob’s secret key d, he could decrypt c into m in the secret key d, he could decrypt c into m in the same way as Bob does.same way as Bob does. Suppose Bob guards his secret key d very well, what Suppose Bob guards his secret key d very well, what

can Marvin do then?can Marvin do then?

Approach 2:Approach 2: Marvin knows that Marvin knows that cc = = mmee (mod (mod nn)). . He knows that m is a number between 0 and n-1. He knows that m is a number between 0 and n-1. So he could use exhaustive search through all n So he could use exhaustive search through all n possible messages m. possible messages m. But if n is large this takes a long time!But if n is large this takes a long time!



Marvin’s Attack options (cont):Marvin’s Attack options (cont):Approach 3:Approach 3: Marvin can try to Marvin can try to computecompute

Bob’s secret key d from (e,n) and then use Bob’s secret key d from (e,n) and then use Approach 1.Approach 1. Remember that (e * d) mod ((p-1)*(q-1) ) = 1 Remember that (e * d) mod ((p-1)*(q-1) ) = 1 Marvin found in a ‘Number Theory’ book a very Marvin found in a ‘Number Theory’ book a very

fast algorithm called fast algorithm called EUCLID EUCLID to solve the to solve the following problem: Given two numbers (r,s), following problem: Given two numbers (r,s), the algorithm outputs a number x such that the algorithm outputs a number x such that

(r * x) mod s = 1.(r * x) mod s = 1.



Approach 3 is the most efficient known method Approach 3 is the most efficient known method Marvin can use to attack RSA!Marvin can use to attack RSA!

The time taken for Marvin to execute the attack in The time taken for Marvin to execute the attack in Approach 3 is essentially the time to factorize Approach 3 is essentially the time to factorize n=p*q into the prime factors p and q.n=p*q into the prime factors p and q.

Therefore, we say that Therefore, we say that RSA is RSA is based onbased on the the factorifactorizzation problemation problem::

While it is easy to multiply large primes While it is easy to multiply large primes together, together, it is computationally infeasible to factorize or split a large composite into its prime factors !!



Therefore, whenTherefore, when both p and q in RSA are of both p and q in RSA are of at least at least 11555 digits, the product n=p*q is 5 digits, the product n=p*q is 310310 digits.digits.

Then no one can factorize nThen no one can factorize n in less time in less time than a few thousand years, not even than a few thousand years, not even Marvin!!Marvin!!

Thus the Thus the onlyonly person who can extract the person who can extract the plaintext m from the ciphertext c is Bob, as plaintext m from the ciphertext c is Bob, as only he knows the secret decryption key d !only he knows the secret decryption key d !


Marvin’s New Attack IdeaMarvin’s New Attack Idea

Instead of just eavesdropping, Marvin can try Instead of just eavesdropping, Marvin can try a more a more active active attack!attack!

Outline of the New Attack:Outline of the New Attack: Marvin generates an RSA key pairMarvin generates an RSA key pair

Public key = Kpub_* = (N_*, e_*)Public key = Kpub_* = (N_*, e_*) Secret key = Ksec_* = d_*Secret key = Ksec_* = d_*

Marvin sends the following email to Alice, Marvin sends the following email to Alice, pretending to be Bob:pretending to be Bob: Hi Alice, Hi Alice,

Please use my new public key from now on to encrypt Please use my new public key from now on to encrypt messages to me. My new public key is Kpub_*. messages to me. My new public key is Kpub_*.

Yours sincerely, Bob.Yours sincerely, Bob.

Marvin decrypts any messages Alice sends to Bob Marvin decrypts any messages Alice sends to Bob (encrypted with Kpub_*), using Ksec_*.(encrypted with Kpub_*), using Ksec_*.


Preventing Marvin’s Active AttackPreventing Marvin’s Active Attack

The active attack works because:The active attack works because:Alice was tricked by Marvin into encrypting a Alice was tricked by Marvin into encrypting a

message intended for Bob using a “fake” public message intended for Bob using a “fake” public key which is NOT Bob’s public key (in fact it was key which is NOT Bob’s public key (in fact it was Marvin’s).Marvin’s).

To prevent the attack:To prevent the attack: Before Alice encrypts a message for Bob, she must make Before Alice encrypts a message for Bob, she must make

sure she has Bob’s CORRECT public key (and not a fake sure she has Bob’s CORRECT public key (and not a fake one).one).

Alice needs a way of testing the truth of any “Bob’s key Alice needs a way of testing the truth of any “Bob’s key message” informing Alice of Bob’s Public Key. message” informing Alice of Bob’s Public Key.

No one besides Bob should be able to produce such a No one besides Bob should be able to produce such a message so that it will pass Alice’s Test.message so that it will pass Alice’s Test.


Preventing Marvin’s Active Attack (2)Preventing Marvin’s Active Attack (2)

This is a setting where Alice and Bob have a This is a setting where Alice and Bob have a message integritymessage integrity security requirement! security requirement! Ie. Alice and Bob want to prevent fabrication Ie. Alice and Bob want to prevent fabrication

and/or modification of a “Bob’s key message” (a and/or modification of a “Bob’s key message” (a message informing Alice of Bob’s public key) by message informing Alice of Bob’s public key) by unautorised parties (like Marvin).unautorised parties (like Marvin).

The main cryptographic tool used to achieve The main cryptographic tool used to achieve message integrity is “Authority Certificates”.message integrity is “Authority Certificates”.

Later we will see how Digital Signatures can be Later we will see how Digital Signatures can be used to prevent Marvin’s Attack!used to prevent Marvin’s Attack!


Private key ciphersPrivate key ciphers

Good pointsGood pointsin-expensive to usein-expensive to usefastfastlow cost VLSI chips availablelow cost VLSI chips available

Bad pointsBad pointskey distribution is a problemkey distribution is a problem


Public key ciphersPublic key ciphers

Good pointsGood pointskey key distribution distribution is NOT a problem is NOT a problem

Bad pointsBad pointsrelatively expensive to userelatively expensive to userelatively slowrelatively slowVLSI chips not available or relatively high VLSI chips not available or relatively high

costcost


Combining 2 Type of CiphersCombining 2 Type of Ciphers

In practice, we can In practice, we can use a public key cipher (such as RSA) to use a public key cipher (such as RSA) to

distribute keysdistribute keysuse a private key cipher (such as DES) to use a private key cipher (such as DES) to

encrypt and decrypt messagesencrypt and decrypt messages


The Need of Digital SignatureThe Need of Digital Signature

Social & business activities and their Social & business activities and their associated documents are becoming associated documents are becoming digitaldigitaldigital conferencesdigital conferencesdigital contract signingdigital contract signingdigital cash payments, ......digital cash payments, ......

Hand-written signatures are not Hand-written signatures are not applicable to digital dataapplicable to digital data


Digital Signature Digital Signature (based on RSA)(based on RSA)


Bob:

E

Network

Plain Text

Plain Text

Bob

Secret Key

+

Cathy

Signature

Accept if equal

D

Signature

?

Public Key


Digital Signature Digital Signature (for short doc)(for short doc)


Bob: (e, n)

Network

Plain Text

Plain Text

Bob

Secret Key d

+

Cathy

Signature

Accept if equal

Signature

?

Public Key (e, n)

s =md mod n t =se mod n


RSA Signature --- an eg (1)RSA Signature --- an eg (1)

Bob:Bob:chooses 2 primes:chooses 2 primes: p=5, q=11p=5, q=11

multiplies p and q:multiplies p and q: n = p*q = 55n = p*q = 55finds out two numbers finds out two numbers e=3e=3 & & d=27d=27 which which

satisfysatisfy((3 * 273 * 27)) mod 40 = 1 mod 40 = 1

Bob’s public key Bob’s public key 2 numbers:2 numbers: ((3, 553, 55))encryption alg:encryption alg: modular exponentiationmodular exponentiation

secret key:secret key: ((27,55)27,55)


RSA Signature --- an eg (2)RSA Signature --- an eg (2)

Bob has a document Bob has a document m=19 m=19 to sign:to sign:uses his secret key uses his secret key d=27d=27 to calculate the to calculate the

digital signature of digital signature of m=19m=19::s = ms = mdd (mod n)(mod n) = 19 = 192727 (mod 55)(mod 55) = 24 = 24

appends 24 to 19. Now appends 24 to 19. Now (m, s) = (19, 24) (m, s) = (19, 24) indicates that the doc is 19, and Bob’s indicates that the doc is 19, and Bob’s signature on the doc is 24.signature on the doc is 24.


RSA Signature --- an eg. (3)RSA Signature --- an eg. (3)

Cathy, a verifier:Cathy, a verifier:receives a pair receives a pair (m,s)=(19, 24)(m,s)=(19, 24)looks up the phone book and finds out looks up the phone book and finds out

Bob’s public key Bob’s public key (e, n)=(3, 55)(e, n)=(3, 55)calculatescalculates t = st = see (mod n)(mod n)

= 24 = 2433 (mod 55) (mod 55) = 19 = 19

checks whether checks whether t=mt=mconfirms that (confirms that (19,2419,24) is a ) is a genuinely genuinely

signed document of Bob signed document of Bob if if t=mt=m..


How about Long Documents ?How about Long Documents ?

In the previous example, a document In the previous example, a document has to be an integer in [0,...,n)has to be an integer in [0,...,n)

To sign a very long document, we To sign a very long document, we need a so called need a so called one-way hash one-way hash algorithmalgorithm

Instead of signing directly on a doc, Instead of signing directly on a doc, we hash the doc first, and sign the we hash the doc first, and sign the hashed data which is normally short.hashed data which is normally short.


One-Way Hash AlgorithmOne-Way Hash Algorithm

A one-way hash algorithm hashes an input A one-way hash algorithm hashes an input document into a document into a condensedcondensed short output short output (say of 100 bits)(say of 100 bits) Denoting a one-way hash algorithm by H(.), we have:Denoting a one-way hash algorithm by H(.), we have:

Input: m - a binary string of any lengthInput: m - a binary string of any length Output: H(m) - a binary string of L bits, called the “hash Output: H(m) - a binary string of L bits, called the “hash

of m under H”.of m under H”. The output length parameter L is fixed for a given one-The output length parameter L is fixed for a given one-

way hash function H, way hash function H, egeg

The one-way hash function “MD5” has L = 128 bitsThe one-way hash function “MD5” has L = 128 bitsThe one-way hash function “SHA-1” has L = 160 The one-way hash function “SHA-1” has L = 160

bitsbits


One-Way Hash AlgorithmOne-Way Hash Algorithm

Message (of any length)

Hash of the messageA condensed short output, say of 100 bits

Message


Hash of Message

Message


Properties of One-Way Hash AlgorithmProperties of One-Way Hash Algorithm

A good one-way hash algorithm H needs to A good one-way hash algorithm H needs to have these propertieshave these properties:: 1. Easy to Evaluate:1. Easy to Evaluate:

The hashing algorithm should be fastThe hashing algorithm should be fast I.e. given any document m, the hashed value h = H(m) can be I.e. given any document m, the hashed value h = H(m) can be

computed quickly.computed quickly. 2. Hard to Reverse:2. Hard to Reverse:

There is no feasible algorithm to “reverse” a hashed value, There is no feasible algorithm to “reverse” a hashed value, I.e. given any hashed value h, it is computationally infeasible to find I.e. given any hashed value h, it is computationally infeasible to find

any document m such that H(m) = h.any document m such that H(m) = h. NOTE: An algorithm is called NOTE: An algorithm is called ‘One-Way’‘One-Way’ if it has BOTH properties 1 and 2. if it has BOTH properties 1 and 2. 3. Hard to find Collisions:3. Hard to find Collisions:

There is no feasible algorithm to find two or more input documents There is no feasible algorithm to find two or more input documents which are hashed into the same condensed output, which are hashed into the same condensed output,

I.e it is computationally infeasible to find any two documents mI.e it is computationally infeasible to find any two documents m11, m, m2 2

such that H(msuch that H(m11)= H(m)= H(m22).).


The One-way PropertyThe One-way Property

Hash value h(length= L bits)

H

Document m

(any length)

This direction is easy to compute!

Hash value h(length= L bits)

H

Document m

(any length)

But this direction is infeasible to compute!


Finding Collision is InfeasibleFinding Collision is Infeasible

(same condensed output)

I, Bob, will pay$1,000 to Alice.


H H

Document m1

Document m2


Digital Signature Digital Signature (for long doc)(for long doc)


Bob:

Network

Plain Text

Plain Text

H

100 bits

Bob

Secret Key

+

H 100 bits

Cathy

Signature

Accept if equal1-way hash

100 bits

Signature

?

Public Key


Why Digital Signature ?Why Digital Signature ?

UnforgeableUnforgeabletakes 1 billion years to forge !takes 1 billion years to forge !

Un-deniable by the signatoryUn-deniable by the signatory Universally verifiableUniversally verifiable Differs from doc to docDiffers from doc to doc Easily implementable byEasily implementable by

software orsoftware orhardware orhardware orsoftware + hardwaresoftware + hardware


Unforgeable Digital SignatureUnforgeable Digital Signature


a valid signature

101001010

I, Bob, will pay$10,000 to Alice.001001101

also a valid signature


Digital Signature -- summaryDigital Signature -- summary

Three (3) steps are involved in digital Three (3) steps are involved in digital signature signature Setting up public and secret keys Setting up public and secret keys Signing a documentSigning a documentVerifying a signatureVerifying a signature


Setting up Public & Secret KeysSetting up Public & Secret Keys

Bob does the followingBob does the followingprepares a pair of public and secret keysprepares a pair of public and secret keyspublishes his public key in the public key publishes his public key in the public key

file (such as an on-line phone book)file (such as an on-line phone book)keeps the secret key to himselfkeeps the secret key to himself

Note:Note:Setting up needs only to be done once !Setting up needs only to be done once !


Signing a DocumentSigning a Document

Once setting up is completed, Bob Once setting up is completed, Bob can sign a document (such as a can sign a document (such as a contract, a cheque, a certificate, ...) contract, a cheque, a certificate, ...) using the secret keyusing the secret key

The pair of document & signature is a The pair of document & signature is a proof that Bob has signed the proof that Bob has signed the document.document.


Verifying a SignatureVerifying a Signature

Any party, say Cathy, can verify the Any party, say Cathy, can verify the pair of document and signature, by pair of document and signature, by using Bob’s public key in the public using Bob’s public key in the public key file.key file.

Important !Important !Cathy does NOT have to have public or Cathy does NOT have to have public or

secret key !secret key !

Public Key Cryptosystems & Digital Signatures --- New era of secure communications ---

Documents

public key ciphers n

shared key

bobs public key

encryption key

decryption key

shared secret key

private key ciphers

n alice