part_03_b&w
TRANSCRIPT
8/12/2019 Part_03_B&W
http://slidepdf.com/reader/full/part03bw 1/20
1
C R Y P T O G R A P H Y
A.A. 2009/2010 1
Cryptography Part III
Public Key Systems
Michele Elia
Politecnico di Torino
In the e-world a definition of cryptography is:
The art of information integrity
Besides confidentiality, information may need:
– Integrity
– Availability
– Ubiquity
– Authenticity (without secrecy)
– Tracking
Secret key cryptography cannot solve large-scale problems that occur in civilian life:
1. Key Distribution Problem: two users need to share a common secret key. A channel for secret key exchange may not be available.
2. Key Management Problem: in a network of n users, every pair of users must share a secret key, for a total of n(n-1)/2 keys. If n is not small, then the number of keys becomes unmanageable.
3. Digital Signature Problem: non-secret authentication and non-repudiation problems are the electronic counterparts of a hand-written signature; neither problem can be solved by a secret key system.
Diffie and Hellman
In 1976, Whitfield Diffie and Martin Hellman invented Public Key Cryptography (PKC) to address key management issues.
The basic idea was the exploitation of a concept already present in secret key systems:
ONE-WAY FUNCTION
A naive definition of one-way function is:
A function F: D → U is one-way if three conditions are met:
1. It is one-to-one, that is, the inverse function F^-1: U → D exists and is unique
2. It is easy to compute Y = F(X) for every X ∈ D
3. It is hard to compute X = F^-1(Y) for almost every Y ∈ U
Public key cryptography: in 25 years many one-way functions have been put forward, all based on hard arithmetical problems. Only four "functions" or principles have survived:
1. Prime factorization: it is "easy" to multiply two primes, whereas it is hard to factor their product (Rabin)
2. Discrete Logarithm: it is easy to compute a power in a cyclic group, whereas it is hard to find the exponent
3. Evaluation of the order of a group: it is possible and easy to define a finite group, whereas the computation of its order (number of its elements) may be hard
4. Decoding Linear Codes: it is easy to encode and to corrupt the code word with noise, whereas it is hard to recover the code word
One-Way functions vs. Hard Problems - status
Rabin: public key N = pq, message M
Encryption: C = M^2 mod N
Decryption: M = C^(1/2) mod N
p, q prime numbers (Blum primes, of the form 4k+3)
M relatively prime with p, q
Decryption is easy using the Chinese Remainder Theorem if p, q are known Blum primes, and is hard otherwise.
Rabin - 2
Decrypting is equivalent to solving
x^2 = C mod pq
The CRT requires solving two equations over fields:
x^2 = C mod p and x^2 = C mod q
If p and q are Blum primes then
x_p = ±C^((p+1)/4) mod p ; x_q = ±C^((q+1)/4) mod q
The solution modulo N = pq is obtained as a linear combination of x_p and x_q.
Rabin - 3
Cryptanalysis is equivalent to factoring:
if an oracle can compute the four square roots x_1, x_2, x_3, x_4, then p is computed as the common factor of N = pq and x_1 - x_3.
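The three Rabin slides carried through in code, as an added example that is not part of the lecture: encryption with Blum primes, CRT decryption that returns the four square roots of C modulo N, and the reduction from "an oracle for the four roots" to factoring N. The primes 1019 and 1039 are constructed toy values, not a real key.

```python
# Added example (not from the lecture slides): Rabin encryption with Blum primes,
# CRT decryption yielding the four square roots, and the "four roots => factoring"
# reduction of the Rabin - 3 slide. Primes are constructed toy values, not a real key.
from math import gcd

P, Q = 1019, 1039          # constructed Blum primes: both are 3 (mod 4)
N = P * Q                  # public key


def rabin_encrypt(m, n):
    """C = M^2 mod N."""
    return pow(m, 2, n)


def sqrt_mod_blum_prime(c, p):
    """For p = 3 (mod 4) the two roots of x^2 = c (mod p) are +-c^((p+1)/4)."""
    r = pow(c, (p + 1) // 4, p)
    return r, (-r) % p


def rabin_decrypt(c, p, q):
    """Solve x^2 = C mod p and mod q separately, then combine with the CRT.
    Returns the four square roots of C modulo N = pq; one of them is M."""
    n = p * q
    q_inv = pow(q, -1, p)  # q^-1 mod p
    p_inv = pow(p, -1, q)  # p^-1 mod q
    roots = set()
    for xp in sqrt_mod_blum_prime(c, p):
        for xq in sqrt_mod_blum_prime(c, q):
            # CRT linear combination: = xp mod p and = xq mod q
            roots.add((xp * q * q_inv + xq * p * p_inv) % n)
    return sorted(roots)


def factor_from_roots(n, roots):
    """Two roots x_i, x_j with x_i != +-x_j give gcd(n, x_i - x_j) = p or q."""
    for i, x in enumerate(roots):
        for y in roots[i + 1:]:
            if (x + y) % n:              # skip the pair x, -x
                d = gcd(n, x - y)
                if 1 < d < n:
                    return d, n // d
    return None
```

Which of the four roots is the message cannot be told from C alone; real Rabin deployments add redundancy to M so the receiver can pick the right root. The factoring routine is the slide's argument made concrete: any party able to produce two roots that are not negatives of each other has effectively factored N, which is why the decryption oracle must never be exposed.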
RSA: public key [N, E], message M
Let p, q be prime numbers and N = p q
Encryption: C = M^E mod N
Decryption: M = C^D mod N
M relatively prime with p, q
E relatively prime with the Euler totient function, and
Diffie-Hellman
Public parameters: a ∈ Z, p prime
Alice: secret key X, public key K_A = a^X mod p
Bob: secret key Y, public key K_B = a^Y mod p
Alice-Bob: common key K_AB = a^XY mod p
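The exchange above in code, as an added example that is not part of the lecture. The slide says nothing about validating the peer's value; the `validate_public` check (value in range and inside the prime-order subgroup) is added here as the check a receiver should make before using K_AB. The safe prime 10007 and generator 4 are constructed toy parameters.

```python
# Added example (not from the slides): Diffie-Hellman over Z_p with the checks a
# receiver should apply to the peer's public value. Parameters are constructed
# toy values; real deployments use standardized groups of 2048 bits or more.
import secrets

P = 10007             # constructed safe prime: (P - 1) / 2 = 5003 is also prime
Q = (P - 1) // 2      # order of the prime-order subgroup used for the exchange
A = 4                 # a quadratic residue != 1, so it generates the subgroup of order Q


def keygen():
    """Secret X in [2, Q-1], public K = a^X mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(A, x, P)


def validate_public(k):
    """Reject 0, 1, p-1 and anything outside the order-Q subgroup."""
    return 1 < k < P - 1 and pow(k, Q, P) == 1


def shared_key(my_secret, peer_public):
    """K_AB = K_B^X = K_A^Y = a^(XY) mod p."""
    if not validate_public(peer_public):
        raise ValueError("peer public value failed validation")
    return pow(peer_public, my_secret, P)
```

Using a safe prime and a generator of the subgroup of order (p-1)/2 means every honest public value has large order; the subgroup test rejects values such as p-1 that would confine the shared key to a tiny set.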
McEliece
G generator matrix of a linear code (n, k, 2t+1) allowing an algebraic decoding algorithm
[Goppa codes (2^m, 2^m - mt, 2t+1) are good candidates]
Bob: Secret Key (P, A, G)
Public Key: a pair (t, Gp)
where: Gp = P G A
P is an n × n permutation matrix
A is a k × k nonsingular matrix
McEliece (continuation)
Alice, encryption: E = Gp M + e
where e is a random vector with fewer than t 1s
Bob, decryption: E1 = P^T E,
M1 = E1 + e,
where e results from an algebraic decoding [with Goppa codes the Berlekamp-Massey algorithm is used]
Message recovery: M = A^-1 M1
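The two McEliece slides as runnable code, added here and not part of the lecture. To keep it self-contained the Goppa code and its algebraic decoder are replaced by the Hamming (7,4,3) code with syndrome decoding (t = 1); the matrix conventions follow the slides (Gp = P G A, E = Gp M + e, E1 = P^T E, M = A^-1 M1). Because a Hamming code has no hidden structure this toy illustrates only the mechanics, not the security, of the scheme.

```python
# Added example (not from the lecture slides): the McEliece mechanics with a toy
# Hamming (7,4,3) code (t = 1) in place of a Goppa code, following the slide's
# column convention Gp = P G A, E = Gp M + e. For illustrating the scheme only:
# a Hamming code has no secret structure, so the toy is not secure.
import random

N_LEN, K_LEN, T = 7, 4, 1

# Systematic column generator matrix G (n x k): codeword = G * M,
# information bits first, three parity bits last.
G = [[1, 0, 0, 0],
     [0, 1, 0, 0],
     [0, 0, 1, 0],
     [0, 0, 0, 1],
     [1, 1, 0, 1],
     [1, 0, 1, 1],
     [0, 1, 1, 1]]

# Parity-check matrix H (3 x n) with H * G = 0; its columns are distinct and
# non-zero, so the syndrome of a single error identifies the error position.
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]


def matmul(a, b):
    """Matrix product over GF(2)."""
    return [[sum(a[i][k] & b[k][j] for k in range(len(b))) % 2
             for j in range(len(b[0]))] for i in range(len(a))]


def matvec(a, v):
    """Matrix-vector product over GF(2)."""
    return [sum(a[i][k] & v[k] for k in range(len(v))) % 2 for i in range(len(a))]


def transpose(a):
    return [list(col) for col in zip(*a)]


def inverse_gf2(a):
    """Gauss-Jordan inverse over GF(2); returns None if a is singular."""
    n = len(a)
    m = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col and m[r][col]:
                m[r] = [x ^ y for x, y in zip(m[r], m[col])]
    return [row[n:] for row in m]


def keygen(rng):
    """Secret key (P, A, A^-1), public key (t, Gp) with Gp = P G A."""
    perm = list(range(N_LEN))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N_LEN)] for i in range(N_LEN)]
    while True:                       # draw A until it is nonsingular
        A = [[rng.randrange(2) for _ in range(K_LEN)] for _ in range(K_LEN)]
        A_inv = inverse_gf2(A)
        if A_inv is not None:
            break
    Gp = matmul(matmul(P, G), A)
    return (P, A, A_inv), (T, Gp)


def encrypt(public_key, M, err_pos):
    """E = Gp M + e, with e a single-error vector (weight <= t = 1)."""
    _, Gp = public_key
    E = matvec(Gp, M)
    E[err_pos] ^= 1
    return E


def decode_hamming(y):
    """Syndrome decoding: correct one error, return the information bits."""
    y = y[:]
    s = matvec(H, y)
    if any(s):
        y[transpose(H).index(s)] ^= 1   # column of H equal to the syndrome
    return y[:K_LEN]                    # systematic code: info bits come first


def decrypt(secret_key, E):
    """E1 = P^T E; decode to M1 = A M; recover M = A^-1 M1."""
    P, _, A_inv = secret_key
    E1 = matvec(transpose(P), E)
    M1 = decode_hamming(E1)
    return matvec(A_inv, M1)
```

Applying P^T moves the error back to a position the decoder can handle without changing its weight, and decoding the systematic code yields A M directly, so the last step is a single multiplication by A^-1.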
Complexity
An axiomatic measure of complexity is missing.
Problem size is defined to be n, where n may be
– number of variables
– number of equations
– number of bits for representing a parameter
A practical measure of complexity is a function f(n).
A problem is considered hard if f(n) = a_0 n.
A problem is considered easy if f(n) = b_0 log(n).
Frequently f(n) = e^g(n), with g(n) = [log(n)]^(1/2), n^(1/3) [log(n)]^(1/3).
Chinese Remainder Theorem
Let N be a product of r positive integers m_i which are relatively prime.
Given a non-negative integer a not greater than N, then the r remainders a_i (of a modulo m_i) can be computed easily.
The Chinese remainder theorem solves the problem of computing a given the r remainders a_i.
Chinese Remainder Theorem Properties
Let a, b be two numbers in Z_N decomposed according to the CRT.
Then sums, products and powers of a and b can be computed on the remainders, where the operations a_i b_i, a_i + b_i and a_i^n are performed modulo m_i.
In general the CRT reduces the complexity since the operations are performed in domains of smaller cardinality.
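The two CRT slides in code, as an added example not taken from the lecture: decomposition into remainders, recombination for r pairwise coprime moduli, and sum, product and power computed componentwise modulo each m_i and then recombined. The moduli 7, 11, 13, 17 are constructed for the demonstration.

```python
# Added example (not from the lecture slides): CRT decomposition and recombination
# for r pairwise coprime moduli, and the componentwise sum, product and power of
# the properties slide. The moduli are constructed toy values.
from math import prod

MODULI = [7, 11, 13, 17]      # pairwise coprime m_i
N = prod(MODULI)              # N = 17017


def decompose(a):
    """The r remainders a_i = a mod m_i."""
    return [a % m for m in MODULI]


def recombine(residues):
    """CRT: the unique a in [0, N) with a = a_i mod m_i for every i."""
    a = 0
    for a_i, m_i in zip(residues, MODULI):
        n_i = N // m_i
        # n_i * (n_i^-1 mod m_i) is 1 modulo m_i and 0 modulo every other m_j
        a += a_i * n_i * pow(n_i, -1, m_i)
    return a % N


def crt_add(a, b):
    """a + b mod N via (a_i + b_i) mod m_i."""
    return recombine([(x + y) % m for x, y, m in zip(decompose(a), decompose(b), MODULI)])


def crt_mul(a, b):
    """a * b mod N via (a_i * b_i) mod m_i."""
    return recombine([(x * y) % m for x, y, m in zip(decompose(a), decompose(b), MODULI)])


def crt_pow(a, n):
    """a^n mod N computed as a_i^n mod m_i in each small domain."""
    return recombine([pow(x, n, m) for x, m in zip(decompose(a), MODULI)])
```

The power case is where the saving matters in practice: each a_i^n is computed with operands no larger than m_i, which is exactly how RSA and Rabin decryption exploit the known factors of N.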
Electronic Signature
– based on the reverse use of a ONE-WAY function
– consists of a pair of numbers
  – S, the plain signature encoded as an integer
  – ES, the electronic signature computed from S using a one-way function
– has the significance of an authentication mark.
Electronic Signature
Standard procedure to sign Bob's message M electronically:
1. A public key directory contains PK, the public key of signatory Bob
2. Bob computes a Digest from M using a hash function (one-way function)
3. Bob forms his signature by juxtaposing S = Name|Date|Digest|Random
4. Bob computes the electronic signature ES by encrypting S with his private key PVK
5. Bob's electronic signature (S, ES) is verified using Bob's public key PK.
Rabin signature: public key N = pq
message M
secret signature: random R, and
signature (M, K, S)
where S = √[M·(RΣ)] and K = (RΣ)^2
verification?
S^4 = M^2 K^2
El Gamal signature: public key [p, g, k]
message M
secret signature: random m, and u
where k = g^u mod p
signature (M, a, b)
where a = g^m mod p, and b is the solution of b m + a u = M mod (p-1)
El Gamal signature: public key [p, g, k]
signature (M, a, b)
verification?
g^M = a^b k^a mod p
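The two El Gamal slides as code, an added example that is not part of the lecture: b is obtained from b m + a u = M mod (p-1) by inverting m modulo p-1, and verification checks g^M = a^b k^a mod p. The prime 10007 and generator 5 are constructed toy parameters; the range checks in `verify` are added here, not stated on the slides.

```python
# Added example (not from the lecture slides): El Gamal signature generation and
# verification with the equations of the two slides above. Parameters are
# constructed toy values (p = 10007, g = 5, a generator of Z_p^*).
import secrets
from math import gcd

P = 10007   # constructed prime; p - 1 = 2 * 5003
G = 5       # generator of Z_p^* (5 is a quadratic non-residue mod 10007)


def keygen():
    """Secret u, public k = g^u mod p."""
    u = secrets.randbelow(P - 3) + 2
    return u, pow(G, u, P)


def sign(u, M):
    """Signature (a, b): a = g^m mod p and b m + a u = M (mod p-1), with m random
    and invertible modulo p-1. A fresh m is drawn for every signature."""
    while True:
        m = secrets.randbelow(P - 3) + 2
        if gcd(m, P - 1) == 1:
            break
    a = pow(G, m, P)
    b = ((M - a * u) * pow(m, -1, P - 1)) % (P - 1)
    return a, b


def verify(k, M, a, b):
    """Check g^M = a^b k^a (mod p), after range checks on a and b."""
    if not (0 < a < P and 0 <= b < P - 1):
        return False
    return pow(G, M, P) == (pow(a, b, P) * pow(k, a, P)) % P
```

The verification identity holds because a^b k^a = g^(mb) g^(ua) = g^(mb + ua) = g^M. The per-signature value m must be fresh: using the same m for two different messages gives two linear equations in the same unknowns m and u, which exposes the private key, so generating m from a weak or repeating source is the classic implementation failure of this scheme. In practice M is the digest of the message rather than the message itself, as in the signing procedure slide.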
Digital Signature
Two main scopes:
– certify the authenticity of a public or secret message
– avoid repudiation
Uses
– electronic locking/unlocking of doors
– electronic orders and payments
– networks or physical access
Algorithms
– RSA
– Rabin
– El Gamal
Elliptic curves
Elliptic curves are algebraic curves endowed with a group structure that was discovered by Giulio Fagnano de Toschi in the eighteenth century.
Given two points P and Q on an elliptic curve E, a third point R on E is defined as the sum R = P + Q.
This property was exploited by Euler in his development of the elliptic integral theory.
In cryptography, elliptic curves are used as a rich source of Abelian groups.
Elliptic curves
The set of "real" points of an elliptic curve E over a finite field forms an Abelian group for a point sum.
Given P on E and an integer m, the point mP is defined as mP = P + P + P + … + P (m times).
The set of points mP forms a cyclic group where the discrete logarithm problem is hard:
It is easy to compute Q = mP
It is hard to compute m from Q given P
Elliptic curve over a finite field GF(p^m)
An elliptic curve E consists of a set of points P = (x, y) whose coordinates satisfy
Y^2 = X^3 + a_4 X + a_6, where a_4, a_6, X and Y belong to GF(p^m).
Hasse's theorem asserts that the number of points #E on E with coordinates in GF(p^m) satisfies the inequality
In E an addition of points is defined as
The set E is a group for point addition
Given P1 = (x_1, y_1) and P2 = (x_2, y_2), the sum is the point P3 = (x_3, y_3), written
P3 = P1 + P2
Addition is
- commutative and associative;
- a point O exists which has the role of group identity: P = P + O
Addition formulas
Addition formulas over GF(2m): Non-Supersingular Curves
Duplication formulas are important:
nP = (b_s 2^s + b_(s-1) 2^(s-1) + … + b_1 2 + b_0) P and
2^s P = 2(2(2 …)) P (s times)
If s = [log_2 n] then 2s additions/duplications are sufficient to compute Q = nP: EASY
Given Q and P, to compute n: HARD
Group structure of E over GF(p^m)
Theorem 1 (Hasse)
#E = p^m + 1 - t, with
Theorem 2
Let E be an elliptic curve defined over GF(p^m), where p is a prime. Then there exist integers n and k such that E is isomorphic to Z_n × Z_k.
Further k | n and k | (p^m - 1).
Z_n denotes a cyclic group of order n.
ECC - Elliptic Curve Crypto-system
ECs are used as a rich source of cyclic groups where the discrete logarithm problem is hard.
ECs are used to define a Diffie-Hellman public key scheme as follows:
– Let P be a public fixed point of an elliptic curve E
– Let A = x P and x be Alice's public and secret keys, respectively
– Let B = y P and y be Bob's public and secret keys, respectively
– The common secret key is K = x y P
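The elliptic-curve slides (group law, duplication formulas, double-and-add for nP, Hasse's bound and the EC Diffie-Hellman scheme above) gathered into one added example that is not part of the lecture. It works over a prime field GF(p) (the m = 1 case of GF(p^m)) with the curve y^2 = x^3 + 2x + 3 over GF(97) and base point (3, 6), both constructed toy values; the on-curve check of the peer's point in `ecdh_shared` is added here and not stated on the slide.

```python
# Added example (not from the lecture slides): the point-addition and duplication
# formulas over GF(p), double-and-add scalar multiplication, a brute-force point
# count checked against Hasse's bound, and the EC Diffie-Hellman exchange of the
# ECC slide. The curve y^2 = x^3 + 2x + 3 over GF(97) and the base point (3, 6)
# are constructed toy values, far too small for real use.
import random

P_MOD, A4, A6 = 97, 2, 3        # curve Y^2 = X^3 + a_4 X + a_6 over GF(97)
O = None                        # the point at infinity (group identity)
BASE = (3, 6)                   # public fixed point P on E


def is_on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A4 * x + A6)) % P_MOD == 0


def add(p1, p2):
    """Chord-and-tangent addition; the tangent case is the duplication formula."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                               # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A4) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(n, pt):
    """nP by double-and-add over the binary digits of n: about 2 log2(n) group operations."""
    result, addend = O, pt
    while n:
        if n & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        n >>= 1
    return result


def count_points():
    """#E by enumeration (feasible only for a toy field)."""
    count = 1                                  # the point O
    for x in range(P_MOD):
        rhs = (x ** 3 + A4 * x + A6) % P_MOD
        count += sum(1 for y in range(P_MOD) if (y * y) % P_MOD == rhs)
    return count


def order(pt):
    """Order of the cyclic subgroup generated by pt."""
    n, q = 1, pt
    while q is not O:
        q = add(q, pt)
        n += 1
    return n


def ecdh_keygen(rng):
    """Secret x, public A = xP."""
    x = rng.randrange(1, order(BASE))
    return x, mul(x, BASE)


def ecdh_shared(secret, peer_public):
    """K = x(yP) = y(xP) = xyP, after checking the peer's point lies on the curve."""
    if peer_public is O or not is_on_curve(peer_public):
        raise ValueError("peer public point is not a valid curve point")
    return mul(secret, peer_public)
```

Counting the points and computing the order of the base point lets the reader see Hasse's bound and Lagrange's theorem (the order of P divides #E) on a concrete curve; for real parameters neither can be done by enumeration, which is why #E is computed with dedicated algorithms and published with the curve.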
Factorization
Gauss recognized that factorization is an important, though difficult, problem in arithmetic.
Fermat observed that the Fermat number is prime for n = 0, 1, 2, 3, 4 and guessed that it was prime for every n.
At present, a more likely guess would be that no Fermat number is prime for n greater than 4.
RSA renewed the challenge to factor large numbers and inspired the development of recent factorization methods.
In 1977 Martin Gardner in Scientific American proposed cryptanalysing a message encoded with the RSA algorithm using a 129-digit number, product of two primes (Rivest).
In 1994 the number was factored into two primes of 64 and 65 digits and the message was decrypted:
"The magic words are squeamish ossifrage"
It is likely that the RSA problem is not equivalent to factoring.
Using lattice algorithms it is possible to break systems with small exponents E.
Small D secret exponents are weak.
It seems that 250-digit numbers cannot be factored in the near future.
250 digits is about 800 bits, which seems to be a reasonable size for absolutely secure keys.
A millennial evolution has shown that cryptography is a science rather than an art.
Today, the prophetic words of Adrian A. Albert at the opening of the 382nd Congress of the American Mathematical Society in 1939 are fully meaningful:
"We shall see that cryptography is more than a subject permitting mathematical formulation, for indeed it would not be an exaggeration to state that abstract cryptography is identical with abstract mathematics."
Bibliography
W. Diffie, M.E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. IT-22, n. 6, November 1976, pp. 644-654.
C.E. Shannon, Communication Theory and Secrecy Systems, BSTJ, vol. 28, 1949, pp. 656-715.
N. Koblitz, A Course in Number Theory and Cryptography, Springer, 1987.
J.A. Buchmann, Introduction to Cryptography, Springer, New York, 2000.
B. Schneier, Applied Cryptography, Wiley, 1996.
F. Fabris, Teoria dell'Informazione, Codici, Cifrari, Bollati Boringhieri, Torino, 2001.
R. Mollin, An Introduction to Cryptography, CRC, New York, 2007.
A.J. Menezes, P.C. van Oorschot, S.S. Vanstone, Handbook of Applied Cryptography, CRC, 1997.
R.A. Rueppel, Analysis and Design of Stream Ciphers, Springer, New York, 1986.
G.J. Simmons, Contemporary Cryptology: The Science of Information Integrity, IEEE Press, New York, 1992.