Other Topics in Cryptography

Truong Tuan Anh

2

Outline

Public-key cryptosystem

Cryptographic hash functions

Signature schemes

Public-Key Cryptography

Truong Tuan AnhCSE-HCMUT

4

Outline

Public-key cryptosystem

5

Classification

6

Cryptography: Classical Model

7

Cryptography: Classical Model

Secret, common key K

ek and dk for each key K:

dk is either the same as ek or easily derived from ek

Disclose dk or ek will make the system insecure

→ Symmetric-key Cryptosystem

Require prior communication of the key K (using a secure

channel)

→ Difficult to achieve in practice

Public-key cryptosystem

8

Public-key Cryptosystem

Was put forward by Diffie and Hellman in1976

The most important cryptosystems: RSAand ElGamal

Computationally infeasible to determine dk

given ek

ek is public

Alice sends to Bob an encrypted message using ek of Bob

Bob is the only one who can decrypt the message using his dk (private key)

Example: a Scenario

9

10

Public-key Cryptosystem (cont.)

Encryption function is easy to compute

The inverse function (i.e., the decryption

function) should be hard to compute (except for

Bob)

→ one-way function

Example: suppose n is the product of two large

primes p and q; b is a positive integer

11

Trapdoor One-way Functions

From Bob’s view, he does not want ek to be one-

way

→ provide Bob a trapdoor: which consists of secret

information for the inversion of ek

Trapdoor one-way function: a one-way function but

it is easy to invert with the knowledge of a certain

trapdoor

12

Trapdoor One-way Functions (cont.)

Usually, we need to specify a family oftrapdoor one-way functions F

A function f is chosen from F randomly andused as the public encryption function

Its inverse function is the private decryptionfunction

13

Exercise

Implement a very simple public keycryptosystem as follows:

P = C = Z256

K = 0,1,2, …, 255

Where public key + private key = 256

Encryption rule: for each public key kEk(x) = (ASCII_value_of_x + k) mod 256

Decryption rule: for each private key k

Dk(y) = (ASCII_value_of_y + k) mod 256

Cryptographic Hash Functions

Truong Tuan AnhCSE-HCMUT

15

Outline

Data integrity

Hash functions

…

16

Data Integrity

Data usually transferred over insecure

channel

Many factors affecting the data

Example: Alice sends to Bob a message. Bob

needs to know if the message has been

changed over the channel?

→ Need to assure data integrity

17

Hash Functions

Provide assurance of data integrity

Compute a short “fingerprint” of somedata

▪ If the data is changed, the fingerprint willno longer valid

▪ Check the data integrity by re-computingthe fingerprint and verify that the fingerprinthas not changed

The fingerprint = message digest

18

Hash Functions

Let x be some data, its message digest is h(x) where h

is a hash function

The message digest should be short, commonly 160

bits

Keyed and unkeyed hash functions

▪ Keyed hash functions are often used as message

authentication codes (MACs)

19

Hash Function: Key and Unkeyed

Example: Alice wants to send to Bob message x

Unkeyed hash function:

▪ Alice computes y = h(x), then sends x over the channeland stores y in a secure channel

▪ Bob receives x and reads y and verifies if y = h(x), if yes,Bob is confident that x is originated from Alice

Keyed hash function: Alice and Bob share a secretkey K which determines function hK:

▪ Compute y = hK(x), then send (x, y) over the channel

▪ Bob receives (x, y) and verifies if y = hK(x), if yes, Bob isconfident that neither x or y was modified by attackers

20

Hash Family

21

Hash Family

Unkeyed hash function:

▪ Also a hash family in which there is only

one possible key

All we want is to prevent the

construction of certain types of valid

pairs by an adversary

22

Security of Hash Function

It is desirable that the only way toproduce a valid pair (x, y) is to firstchoose x and then compute y = h(x) byapplying the function h to x

Other security requirement dependingon the particular applications

Usually, a hash function is considered tobe secured if the following problems aredifficult to solve

23

Hash Function: Security Requirement

24

Hash Function: Security Requirement

25

Hash Function: Security Requirement

Exercises

1. Suppose a.equals(b).

What can you conclude about a.hashCode()

and b.hashCode()? (Assume hashCode() is

properly implemented)

2. Suppose a.hashCode() == b.hashCode().

What can you conclude about a.equals(b)?

(Assume equals() is properly implemented)

26

Exercises: a Simple Hash Function

3. Implement a hash function

int HashMe(string orgString, int tableSize) {

//return the hash value of orgString in tableSize

}

Note: Hash value of a string in a hash table is: calculate

the sum of the ASCII values of letters in the string, then

modulo the sum to the size of the table

27

Signature Schemes

Truong Tuan AnhCSE-HCMUT

29

Outline

Signature schemes

30

Context

A “conventional” handwritten signature Attached to a document

Specify the person responsible for the document

Used in everyday situations: writing a letter,withdrawing money, signing a contract, …

Electronic document?→ Digital Signatures = Signature Schemes

A method of signing a message stored inelectronic form and can be transmitted over acomputer network

31

Digital vs. Conventional Signatures

Signing a document Conventional Signatures: a part of the physical

document being signed

Digital Signatures: not attached physically to themessage being signed; There is an algorithm to “bind”the signature to the message

Verification Conventional Signatures: compare to authentic

signatures; Not a very secure method

Digital Signatures: can be verified by a publicverification algorithm; Prevent the possibility offorgeries

32

Signature Schemes

A signature Scheme: consists of two

components

A signing algorithm

A verification algorithm

Alice signs a message using the private

signing algorithm

Bob verifies the signature using Alice’s

corresponding public verification algorithm

33

Signature Schemes

34

Signature Schemes (cont.)

35

Signature Schemes: Notes

The functions sigK and verK should be

polynomial-time functions

sigK is the private function and verK is the

public function

It should be computationally infeasible for

anyone than Alice to compute a signature y

such that verK(x,y) = true

If Oscar can compute y such that verK(x,y) =

true, then y is a forgery

36

Signature Schemes: An Example

RSA cryptosystem can be used to provide

digital signatures

→RSA signature scheme

Alice signs a message using the RSAdecryption rule dK = sigK

Anyone can verify the signature using theRSA encryption rule eK = verK

Anyone can forge Alice’s RSA signature by

randomly choosing y and computing if x =

eK(y)

37

Signature Schemes: An Example

38

RSA Signature Scheme: How it works

Alice wishes to send an encrypted, signed

message to Bob (given the plaintext is x)

1. Alice computes her signature y = sigAlice(x)

2. Alice encrypts both x and y using eBob, then z =

eBob(x, y)

3. Alice sends z to Bob

4. Bob receives z

5. Bob decrypts z using dBob to get x, y

6. Bob uses Alice’s public verification function to

check that verAlice(x, y) = true

39

RSA Signature Scheme: How it works

Alice wishes to send an encrypted, signed

message to Bob (given the plaintext is x)

1. Alice encrypts x using eBob, then z = eBob(x)

2. Alice computes her signature y = sigAlice(z)

3. Alice sends (z, y) to Bob

4. Bob receives (z, y)

5. Bob decrypts z using dBob to get x

6. Bob uses Alice’s public verification function to

check that verAlice(z, y) = true

What is the problem?

40

Signature Schemes: In Reality