
Page 1: Part_03_B&W

8/12/2019 Part_03_B&W

http://slidepdf.com/reader/full/part03bw 1/20

CRYPTOGRAPHY
A.A. 2009/2010

Cryptography Part III
Public Key Systems

Michele Elia
Politecnico di Torino

In the e-world a definition of cryptography is: the art of information integrity.

Besides confidentiality, information may need:

- Integrity
- Availability
- Ubiquity
- Authenticity (without secrecy)
- Tracking

Secret key cryptography cannot solve large-scale problems that occur in civilian life:

1. Key Distribution Problem: two users need to share a common secret key. A channel for secret key exchange may not be available.

2. Key Management Problem: in a network of n users, every pair of users must share a secret key, for a total of n(n-1)/2 keys. If n is not small, then the number of keys becomes unmanageable.

3. Digital Signature Problem: non-secret authentication and non-repudiation are the electronic counterparts of a hand-written signature; neither problem can be solved by a secret key system.

Diffie and Hellman

In 1976, Whitfield Diffie and Martin Hellman invented Public Key Cryptography (PKC) to address key management issues.

The basic idea was the exploitation of a concept already present in secret key systems: the ONE-WAY FUNCTION.

A naive definition of one-way function is:

A function F: D → U is one-way if three conditions are met:

1. It is one-to-one, that is, the inverse function F^-1: U → D exists and is unique.
2. It is easy to compute Y = F(X) for every X ∈ D.
3. It is hard to compute X = F^-1(Y) for almost every Y ∈ U.

Public key cryptography: in 25 years many one-way functions have been put forward, all based on hard arithmetical problems. Only four "functions" or principles have survived:

1. Prime factorization: it is "easy" to multiply two primes, whereas it is hard to factor their product (Rabin).
2. Discrete Logarithm: it is easy to compute a power in a cyclic group, whereas it is hard to find the exponent.
3. Evaluation of the order of a group: it is possible and easy to define a finite group, whereas the computation of its order (number of its elements) may be hard.
4. Decoding Linear Codes: it is easy to encode and to corrupt the code word with noise, whereas it is hard to recover the code word.

One-Way functions vs. Hard Problems - status

Rabin: public key N = pq, message M

Encryption: C = M^2 mod N
Decryption: M = C^(1/2) mod N

p, q prime numbers (Blum primes, 4k+3)
M relatively prime with p, q

Decryption is easy using the Chinese Remainder Theorem if p, q are known Blum primes, and is hard otherwise.

Rabin - 2

Decrypting is equivalent to solving

x^2 = C mod pq

The CRT requires solving two equations over fields

x^2 = C mod p and x^2 = C mod q

If p and q are Blum primes then

x_p = ±C^((p+1)/4) mod p ; x_q = ±C^((q+1)/4) mod q

and the solution modulo N = pq is obtained as a linear combination.

Rabin - 3

Cryptanalysis is equivalent to factoring: if an oracle can compute the four square roots x_1, x_2, x_3, x_4 of C, then p is computed as the common factor (gcd) between N = pq and x_1 - x_3.

RSA: public key [N, E], message M

Let p, q be prime numbers and N = pq

Encryption: C = M^E mod N
Decryption: M = C^D mod N

M relatively prime with p, q
E relatively prime with the Euler totient function, and

Diffie-Hellman

Public parameters: a ∈ Z, p prime

Alice: secret key X, public key K_A = a^X mod p
Bob: secret key Y, public key K_B = a^Y mod p

Alice-Bob: common key K_AB = a^(XY) mod p

McEliece

G generator matrix of a linear code (n, k, 2t+1) allowing an algebraic decoding algorithm
[Goppa codes (2^m, 2^m - mt, 2t+1) are good candidates]

Bob: secret key (P, A, G)
Public key: a pair (t, G_p) where G_p = PGA

P is an n × n permutation matrix
A is a k × k nonsingular matrix

McEliece continuation

Alice, encryption: E = G_p M + e
where e is a random vector with fewer than t ones

Bob, decryption: E_1 = P^T E, M_1 = E_1 + e,
where e results from an algebraic decoding
[With Goppa codes the Berlekamp-Massey algorithm is used]

Message recovery: M = A^-1 M_1

Complexity

An axiomatic measure of complexity is missing.

Problem size is defined to be n, where n may be
- number of variables
- number of equations
- number of bits for representing a parameter

A practical measure of complexity is a function f(n):
- a problem is considered hard if f(n) = a_0^n
- a problem is considered easy if f(n) = b_0 log(n)

Frequently f(n) = e^g(n) with g(n) = [log(n)]^(1/2), n^(1/3) [log(n)]^(1/3)

Chinese Remainder Theorem

Let N = m_1 m_2 ... m_r be a product of r positive integers m_i which are pairwise relatively prime.

Given a non-negative integer a not greater than N, the r remainders a_i = a mod m_i can be computed easily.

The Chinese remainder theorem solves the problem of computing a given the r remainders a_i.

Chinese Remainder Theorem Properties

Let a, b be two numbers in Z_N decomposed according to the CRT into remainders a_i, b_i.

Then ab, a + b and a^n correspond componentwise to a_i b_i, a_i + b_i and a_i^n, where the operations are performed modulo m_i.

In general the CRT reduces the complexity since the operations are performed in domains of smaller cardinality.
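As an added worked example, not part of the original slides: the CRT reconstruction described here applied to the Rabin decryption of the earlier Rabin slides. The two square roots are computed in the small fields GF(p) and GF(q) with the Blum-prime exponent (p+1)/4, combined by the CRT, and the "Rabin - 3" observation that two roots which are not negatives of each other expose a factor of N is checked. The primes 11, 19 and the message 42 are constructed toy values.

```python
from math import gcd

# Constructed toy parameters: Blum primes (p, q ≡ 3 mod 4). Far too small for real use.
P, Q = 11, 19
N = P * Q  # Rabin public key

def crt_combine(residues, moduli):
    """Chinese Remainder Theorem: rebuild a mod N from its remainders a_i mod m_i."""
    n = 1
    for m in moduli:
        n *= m
    a = 0
    for a_i, m_i in zip(residues, moduli):
        n_i = n // m_i
        a += a_i * n_i * pow(n_i, -1, m_i)  # n_i * (n_i^-1 mod m_i) is 1 mod m_i, 0 mod the others
    return a % n

def rabin_encrypt(m, n=N):
    """Rabin encryption: C = M^2 mod N."""
    return pow(m, 2, n)

def rabin_roots(c, p=P, q=Q):
    """The four square roots of c mod pq: solve in GF(p) and GF(q), then combine by the CRT."""
    assert p % 4 == 3 and q % 4 == 3, "the (p+1)/4 shortcut needs Blum primes"
    x_p = pow(c, (p + 1) // 4, p)  # ±x_p solve x^2 = c mod p
    x_q = pow(c, (q + 1) // 4, q)  # ±x_q solve x^2 = c mod q
    return sorted(crt_combine((s_p * x_p, s_q * x_q), (p, q))
                  for s_p in (1, -1) for s_q in (1, -1))

def rabin_decrypt(c):
    """Without redundancy in M, the legitimate receiver sees four candidate plaintexts."""
    return rabin_roots(c)

def factor_from_roots(roots, n=N):
    """Rabin - 3: two roots that are not negatives of each other share a factor with N."""
    for x in roots:
        for y in roots:
            if x != y and (x + y) % n != 0:
                return gcd(x - y, n)
    return None

if __name__ == "__main__":
    c = rabin_encrypt(42)
    print(c, rabin_decrypt(c), factor_from_roots(rabin_roots(c)))
```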

Electronic Signature

- based on reverse use of a ONE-WAY function
- consists in a pair of numbers:
  - S, plain signature encoded as an integer
  - ES, electronic signature computed from S using a one-way function
- has the significance of an authentication mark.

Electronic Signature

Standard procedure to sign Bob's message M electronically:

1. A public key directory contains PK, the public key of signatory Bob.
2. Bob computes a Digest from M using a hash function (one-way function).
3. Bob forms his signature by juxtaposing S = Name|Date|Digest|Random.
4. Bob computes the electronic signature ES encrypting S with his private key PVK.
5. Bob's electronic signature (S, ES) is verified using Bob's public key PK.

Rabin signature: public key N = pq, message M

Secret signature data: random R, and

Signature: (M, K, S) where S = √[M·(RΣ)] and K = (RΣ)^2

Verification: S^4 = M^2 K^2

El Gamal signature: public key [p, g, k], message M

Secret signature data: random m, and u where k = g^u mod p

Signature: (M, a, b) where a = g^m mod p and b is the solution of b m + a u = M mod (p-1)

El Gamal signature: public key [p, g, k]

Signature: (M, a, b)

Verification: g^M = a^b k^a mod p

Digital Signature

Two main scopes:
- certify the authenticity of a public or secret message
- avoid repudiation

Uses:
- electronic locking/unlocking of doors
- electronic orders and payments
- network or physical access

Algorithms:
- RSA
- Rabin
- El Gamal

Elliptic curves

Elliptic curves are algebraic curves endowed with a group structure that was discovered by Giulio Fagnano de Toschi in the eighteenth century.

Given two points P and Q on an elliptic curve E, a third point R on E is defined as the sum R = P + Q.

This property was exploited by Euler in his development of the elliptic integral theory.

In cryptography, elliptic curves are used as a rich source of Abelian groups.

Elliptic curves

The set of "real" points of an elliptic curve E over a finite field forms an Abelian group for a point sum.

Given P on E and an integer m, the point mP is defined as mP = P + P + P + ... + P (m times).

The set of points mP forms a cyclic group where the discrete logarithm problem is hard:
- it is easy to compute Q = mP
- it is hard to compute m from Q given P

Elliptic curve over a finite field GF(p^m)

An elliptic curve E consists of a set of points P = (x, y) whose coordinates satisfy

Y^2 = X^3 + a_4 X + a_6

where a_4, a_6, X and Y belong to GF(p^m).

Hasse's theorem asserts that the number of points #E on E with coordinates in GF(p^m) satisfies the inequality

In E an addition of points is defined as

The set E is a group for point addition

Given P_1 = (x_1, y_1) and P_2 = (x_2, y_2), the sum is the point P_3 = (x_3, y_3), written P_3 = P_1 + P_2.

Addition is
- commutative and associative;
- a point O exists which has the role of group identity: P = P + O.

Addition formulas

Addition formulas over GF(2^m): Non-Supersingular Curves

Duplication formulas are important

nP = (b_s 2^s + b_(s-1) 2^(s-1) + ... + b_1 2 + b_0) P and 2^s P = 2(2(2 ...)) P, s times.

If s = [log_2 n] then 2s additions/duplications are sufficient to compute Q = nP: EASY.

Given Q and P, to compute n: HARD.

Group structure of E over GF(p^m)

Theorem 1 (Hasse)
#E = p^m + 1 - t, with

Theorem 2
Let E be an elliptic curve defined over GF(p^m), where p is a prime. Then there exist integers n and k such that E is isomorphic to Z_n × Z_k. Further k | n and k | (p^m - 1).

Z_n denotes a cyclic group of order n.

ECC - Elliptic Curve Crypto-system

EC are used as a rich source of cyclic groups where the discrete logarithm problem is hard.

EC are used to define a Diffie-Hellman public key scheme as follows:
- Let P be a public fixed point of an elliptic curve E
- Let A = xP and x be Alice's public and secret keys, respectively
- Let B = yP and y be Bob's public and secret keys, respectively
- The common secret key is K = xyP
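An added example, not from the original slides, putting the elliptic-curve slides together: chord-and-tangent point addition over GF(p), the double-and-add computation of nP from the binary digits of n (about 2s group operations for an s-bit n), and the Diffie-Hellman exchange in which both sides reach K = xyP. The curve y^2 = x^3 + 2x + 3 over GF(97) and the base point (3, 6) are constructed toy values.

```python
# Constructed toy curve y^2 = x^3 + a4*x + a6 over GF(p) with p = 97. Far too small for real use.
P_MOD, A4, A6 = 97, 2, 3
O = None  # point at infinity: the group identity, P + O = P
BASE = (3, 6)  # public fixed point P: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A4 * x + A6)) % P_MOD == 0

def add(p1, p2):
    """Chord-and-tangent addition P3 = P1 + P2 over GF(p)."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # P + (-P) = O; also covers doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A4) * pow(2 * y1, -1, P_MOD)  # tangent slope (duplication)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)  # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mul(n, pt):
    """nP by double-and-add over the binary digits b_0..b_s of n."""
    result, addend = O, pt
    while n > 0:
        if n & 1:
            result = add(result, addend)  # add 2^i P when bit b_i is set
        addend = add(addend, addend)      # duplication: 2^(i+1) P from 2^i P
        n >>= 1
    return result

def ecdh(x, y, base=BASE):
    """Alice publishes A = xP, Bob publishes B = yP; both derive K = xyP."""
    A, B = scalar_mul(x, base), scalar_mul(y, base)
    return A, B, scalar_mul(x, B), scalar_mul(y, A)
```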

Factorization

Gauss recognized that factorization is an important, though difficult, problem in arithmetic.

Fermat observed that the Fermat numbers are prime for n = 0, 1, 2, 3, 4 and guessed that they were prime for every n.

At present, a more likely guess would be that no Fermat number is prime for n greater than 4.

RSA renewed the challenge to factor large numbers and inspired the development of recent factorization methods.

In 1977 Martin Gardner in Scientific American proposed cryptanalysing a message encoded with the RSA algorithm using a 129 digit number, product of two primes (Rivest).

In 1994 the number was factored into two primes of 64 and 65 digits and the message was decrypted:

"The magic words are squeamish ossifrage"

It is likely that the RSA problem is not equivalent to factoring.

Using lattice algorithms it is possible to break systems with small exponents E.

Small secret exponents D are weak.

It seems that 250 digit numbers cannot be factored in the near future.

250 digits is about 800 bits, which seems to be a reasonable size for absolutely secure keys.

A millennial evolution has shown that cryptography is a science rather than an art.

Today, the prophetic words of Adrian A. Albert at the opening of the 382nd Congress of the American Mathematical Society in 1939 are fully meaningful:

"We shall see that cryptography is more than a subject permitting mathematical formulation for indeed it would not be an exaggeration to state that abstract cryptography is identical with abstract mathematics."

Bibliography

W. Diffie, M.E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. IT-22, n. 6, November 1976, pp. 644-654.
C.E. Shannon, Communication Theory and Secrecy Systems, BSTJ, vol. 28, 1949, pp. 656-715.
N. Koblitz, A Course in Number Theory and Cryptography, Springer, 1987.
J.A. Buchmann, Introduction to Cryptography, Springer, New York, 2000.
B. Schneier, Applied Cryptography, Wiley, 1996.
F. Fabris, Teoria dell'Informazione, Codici, Cifrari, Bollati Boringhieri, Torino, 2001.
R. Mollin, An Introduction to Cryptography, CRC, New York, 2007.
A.J. Menezes, P.C. van Oorschot, S.S. Vanstone, Handbook of Applied Cryptography, CRC, 1997.
R.A. Rueppel, Analysis and Design of Stream Ciphers, Springer, New York, 1986.
G.J. Simmons, Contemporary Cryptology: The Science of Information Integrity, IEEE Press, New York, 1992.