UNIT II

PUBLIC KEY CRYPTOGRAPHY







Key management
Diffie Hellman key exchange
Elliptic curve architecture and cryptography
Introduction to number theory
Confidentiality using symmetric encryption
Public key cryptography
RSA
Confidentiality using symmetric encryption:
1. Key Distribution:
• Hierarchical key control
• Session key lifetime
• Transparent key control scheme
• Decentralized key control
• Controlling key usage
2. Random Number Generation:
• Use of random numbers
• Pseudorandom Number Generators (PRNGs)
• Cryptographically generated random numbers
• Blum Blum Shub generator
Key Distribution:
• For symmetric encryption to work, the two parties must share the same key, and
that key must be protected from access by others.
• Frequent key changes are desirable, to limit the amount of data compromised if
an attacker learns the key.
• Key distribution technique → the means of delivering a key to two parties who
wish to exchange data, without letting others learn it.
For two parties A and B, key distribution can be achieved in a number of ways, as
follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to B.
3. If A and B have previously or recently used a key, one party can send the
new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can send a
key on the encrypted links to A and B.
• Options 1 & 2 → physical delivery is simplest.
• But it is only applicable when there is personal contact between recipient and
key issuer.
• This is fine for link encryption, where devices & keys occur in pairs, but does
not scale as the number of parties who wish to communicate grows.
• Option 3 → relies on option 1 or 2 having occurred first.
• It is a possibility for either link or end-to-end encryption.
• If the attacker succeeds in gaining access to one key, then all subsequent
keys will be revealed.
• Option 4 → in this scheme, a key distribution center is responsible for
distributing keys to pairs of users.
• Each user must share a unique key with the key distribution center for
purposes of key distribution.
Key distribution center (KDC):
• It is based on the use of a hierarchy of keys.
• Two levels of keys are used:
1. Session key → communication between end systems is encrypted using a
temporary key called the session key.
o It is used for a certain duration and then discarded.
2. Master key → session keys are transmitted in encrypted form using a
master key that is shared by the KDC and the user or host.
o Master keys are distributed in a non-cryptographic way, such as physical
delivery.
Key Distribution Scenario:
This scenario assumes that each user shares a unique master key with the KDC.
• Let us assume that user A wishes to establish a logical connection with B
and requires a one-time session key to protect the data transmitted over the
connection.
• A has a secret key Ka, known only to itself and the KDC.
• Similarly, B shares the master key Kb with the KDC.
The following steps occur:
1. A issues a request to the KDC for a session key to protect a logical connection
to B.
• The message includes the identity of A and B and a unique identifier N1 for
the transaction, called a nonce.
• The nonce may be a timestamp, a counter or a random number.
• The minimum requirement is that it differs with each request.
• A random number is a good choice for a nonce.
2. The KDC responds with a message encrypted using Ka.
• Thus A is the only one who can successfully read the message.
• The message includes two items intended for A:
o The one-time session key Ks, to be used for the session
o The original request message, including the nonce, to enable A to match
this response with the appropriate request
• In addition, the message includes two items intended for B:
o The one-time session key Ks, to be used for the session
o An identifier of A, IDA
• The last two items are encrypted with Kb. They are to be sent to B to
establish the connection and prove A's identity.
3. A stores the session key for use in the upcoming session and forwards to B
the information that originated at the KDC for B, namely EKb[Ks || IDA].
• Because this information is encrypted with Kb, it is protected from
eavesdropping.
• B now knows the session key and knows that the other party is A.
• At this point, a session key has been securely delivered to A and B.
4. Using the newly minted session key for encryption, B sends a nonce N2 to
A.
5. Also using Ks, A responds with f(N2), where f is a function that performs
some transformation on N2.
Actual key distribution involves only steps 1 through 3.
Steps 4 and 5, as well as step 3, perform an authentication function.
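The five-step scenario above as a runnable simulation; this is an added example, not code from the original notes. The symmetric cipher is a toy stand-in (SHA-256 keystream XOR plus an HMAC tag) assumed here so the example runs with the standard library only, and f(N2) = N2 + 1 is an assumed choice of f.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def enc(key: bytes, msg: bytes) -> bytes:
    """Toy authenticated encryption (assumed stand-in for E_K): keystream XOR + HMAC tag."""
    iv = os.urandom(16)
    body = bytes(m ^ s for m, s in zip(msg, _keystream(key, iv, len(msg))))
    tag = hmac.new(key, iv + body, hashlib.sha256).digest()
    return iv + body + tag

def dec(key: bytes, blob: bytes) -> bytes:
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return bytes(b ^ s for b, s in zip(body, _keystream(key, iv, len(body))))

def readable(key: bytes, blob: bytes) -> bool:
    """True if `key` opens `blob`; used to show what each party can and cannot read."""
    try:
        dec(key, blob)
        return True
    except ValueError:
        return False

def f(n2: int) -> int:
    """The notes leave f open; any agreed transformation of N2 works. Assumed: N2 + 1."""
    return n2 + 1

def kdc_respond(master_keys: dict, request: dict) -> bytes:
    """Step 2: KDC -> A  E_Ka[Ks || request || E_Kb[Ks || IDA]]."""
    ka, kb = master_keys[request["IDA"]], master_keys[request["IDB"]]
    ks = os.urandom(16)                                   # one-time session key
    for_b = enc(kb, json.dumps({"Ks": ks.hex(), "IDA": request["IDA"]}).encode())
    reply = {"Ks": ks.hex(), "request": request, "for_B": for_b.hex()}
    return enc(ka, json.dumps(reply).encode())

def run_scenario(master_keys: dict, ida: str = "A", idb: str = "B"):
    """Runs steps 1-5. Returns (A and B hold the same Ks, IDA as seen by B,
    B accepted f(N2), A could read the ticket meant for B)."""
    ka, kb = master_keys[ida], master_keys[idb]
    # Step 1: A -> KDC  IDA || IDB || N1 (sent in clear)
    request = {"IDA": ida, "IDB": idb, "N1": int.from_bytes(os.urandom(8), "big")}
    # Step 2: KDC -> A  (only Ka opens this)
    reply = json.loads(dec(ka, kdc_respond(master_keys, request)))
    if reply["request"] != request:      # N1 ties the reply to this request
        raise ValueError("reply does not match the outstanding request")
    ks_a = bytes.fromhex(reply["Ks"])
    # Step 3: A -> B  forwards E_Kb[Ks || IDA] untouched (A cannot read it)
    msg3 = bytes.fromhex(reply["for_B"])
    ticket = json.loads(dec(kb, msg3))
    ks_b = bytes.fromhex(ticket["Ks"])
    # Step 4: B -> A  E_Ks[N2]
    n2 = int.from_bytes(os.urandom(8), "big")
    msg4 = enc(ks_b, str(n2).encode())
    # Step 5: A -> B  E_Ks[f(N2)]; B checks it to confirm A really holds Ks
    msg5 = enc(ks_a, str(f(int(dec(ks_a, msg4)))).encode())
    b_accepts = int(dec(ks_b, msg5)) == f(n2)
    return ks_a == ks_b, ticket["IDA"], b_accepts, readable(ka, msg3)
```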
Hierarchical Key Control:
• For large networks, a hierarchy of KDCs can be established.
• E.g., local KDCs, each responsible for a small domain of the overall
network.
• For communication among entities within the same local domain, the
local KDC is responsible for key distribution.
• If two entities in different domains wish to share a key, then the
corresponding local KDCs can communicate through a global KDC.
• This can be extended to three or even more layers, depending on the size of
the internetwork.
• The hierarchical scheme minimizes the effort involved in master key
distribution, because most master keys are those shared by a local KDC with
its local entities.
Session Key Lifetime:
• The more frequently session keys are exchanged, the more secure they
are, because the opponent has less ciphertext to work with for any given
session key.
• On the other hand, the distribution of session keys delays the start of any
exchange and places a burden on network capacity.
• For connection-oriented protocols, one obvious choice is to use the same
session key for the length of time that the connection is open, using a new
session key for each new session.
• For connectionless protocols, there is no explicit connection initiation or
termination.
o Thus it is not obvious how often one needs to change the session key.
o The most secure approach is to use a new session key for each
exchange.
Transparent Key Control Scheme:
• An automatic key distribution scheme for connection-oriented protocols is useful
for providing end-to-end encryption at the network or transport level in a way
that is transparent to the end users.
Steps involved in establishing a connection:
1. When one host wishes to set up a connection to another host, it transmits a
connection request packet.
2. The FEP (front-end processor) saves that packet and applies to the KDC for
permission to establish the connection.
3. The communication between the FEP and the KDC is encrypted using a
master key shared only by the FEP and the KDC.
• If the KDC approves the connection request, it generates the session key
and delivers it to the two appropriate FEPs, using a unique permanent
key for each front end.
4. The requesting FEP can now release the connection request packet, and a
connection is set up between the two end systems.
5. All user data exchanged between the two end systems is encrypted by the
respective FEPs using the one-time session key.
Decentralized Key Control:
• The use of a KDC imposes the requirement that the KDC be trusted and be
protected from subversion.
• This requirement can be avoided if key distribution is fully decentralized.
• A decentralized approach requires that each end system be able to
communicate in a secure manner with all potential partner end systems
for purposes of session key distribution.
A session key may be established with the following steps:
1. A issues a request to B for a session key and includes a nonce N1.
2. B responds with a message that is encrypted using the shared master key.
The response includes the session key selected by B, an identifier of B, the value
f(N1) and another nonce N2.
3. Using the new session key, A returns f(N2) to B.
Controlling Key Usage:
• The concept of a key hierarchy and the use of automated key distribution
techniques greatly reduce the number of keys that must be manually
managed and distributed.
• It may also be desirable to impose some control on the way in which
automatically distributed keys are used.
1. One simple plan is to associate a tag with each key.
• The proposed technique is for use with DES and makes use of the extra 8
bits in each 64-bit DES key.
• The bits have the following interpretation:
1. One bit indicates whether the key is a session key or a master key.
2. One bit indicates whether the key can be used for encryption.
3. One bit indicates whether the key can be used for decryption.
4. The remaining bits are spares for future use.
Drawbacks:
• The tag length is limited to 8 bits, limiting its functionality and flexibility.
• The tag is not transmitted in clear form, so it can only be examined once the
key is decrypted.
2. A more flexible scheme is the control vector.
• In this scheme, each session key has an associated control vector
consisting of a number of fields that specify the uses and restrictions for
that session key.
• The length of the control vector may vary.
The steps are as follows:
1. The control vector is passed through a hash function that produces a value
whose length is equal to the encryption key length.
2. The hash function maps values from a larger range into a smaller range, with
a reasonably uniform spread.
3. The hash value is then XORed with the master key to produce an output that
is used as the key input for encrypting the session key.
4. When the session key is delivered to a user from the KDC, it is accompanied
by the control vector in clear form.
5. The session key can be recovered only by using both the master key that the
user shares with the KDC and the control vector.
Hash value = H = h(CV)
Key input = Km XOR H
Ciphertext = E(Km XOR H)[Ks]
Recovery: Ks = D(Km XOR H)[Ciphertext]
where Km is the master key and Ks is the session key.
Advantages:
• There is no restriction on the length of the control vector.
• The control vector is available in clear form at all stages of operation.
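Session-key wrapping with a control vector, as an added example that is not part of the original notes. Assumptions: h is SHA-256 truncated to the 16-byte key length, the control vector is a small JSON document, and E is a toy one-block cipher (XOR with a SHA-256 mask derived from the key input) standing in for DES; the point shown is that editing the clear-text CV changes the key input and so yields the wrong Ks.

```python
import hashlib
import json

KEY_LEN = 16   # assumed key length; h(CV) is truncated to match it

def h(control_vector: dict) -> bytes:
    """Hash the control vector (serialised canonically) down to the key length."""
    cv = json.dumps(control_vector, sort_keys=True).encode()
    return hashlib.sha256(cv).digest()[:KEY_LEN]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Assumed stand-in for E(key)[block]: XOR with a key-derived mask.
    It is an involution, so the same call also decrypts."""
    return xor(block, hashlib.sha256(b"E" + key).digest()[:KEY_LEN])

def wrap_session_key(km: bytes, ks: bytes, cv: dict):
    """KDC side: Ciphertext = E(Km XOR h(CV))[Ks]; CV travels in clear."""
    return toy_block_encrypt(xor(km, h(cv)), ks), cv

def unwrap_session_key(km: bytes, ciphertext: bytes, cv: dict) -> bytes:
    """User side: needs both Km and the exact CV to recover Ks."""
    return toy_block_encrypt(xor(km, h(cv)), ciphertext)

def demo():
    km = bytes(range(16))                                   # constructed master key
    ks = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed session key
    cv = {"type": "session", "encrypt": True, "decrypt": False, "expires": "2030-01-01"}
    c, cv_clear = wrap_session_key(km, ks, cv)
    recovered = unwrap_session_key(km, c, cv_clear)
    # Trying to widen the permissions by editing the clear-text CV changes h(CV),
    # hence the key input, so the unwrap produces garbage rather than Ks.
    tampered = dict(cv_clear, decrypt=True)
    garbage = unwrap_session_key(km, c, tampered)
    return recovered == ks, garbage == ks
```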
Random Number Generation:
• Random numbers play an important role in the use of encryption for
various network security applications.
• A sequence of numbers that will pass many reasonable tests of randomness is
called a pseudorandom sequence.
Use of Random Numbers:
• Nonces in authentication protocols, to prevent replay
• Session key generation
• Generation of keys for the RSA public key encryption algorithm
• Key stream for a one-time pad
In all cases it is critical that these values satisfy two requirements:
1. Randomness
2. Unpredictability
1. Randomness:
• The generated sequence should be random in some well-defined statistical
sense.
• The following two criteria are used to validate that a sequence of numbers is
random:
1. Uniform distribution: the frequency of occurrence of each of the
numbers should be approximately the same.
2. Independence: no one value in the sequence can be inferred from the
others.
2. Unpredictability:
• Care must be taken that an opponent is not able to predict future elements of
the sequence on the basis of earlier elements.
Pseudorandom Number Generators (PRNGs):
• An algorithmic technique to create "random numbers"
• Although not truly random
• Can pass many tests of "randomness"
• First proposed by Lehmer; known as the linear congruential method.
• The algorithm is parameterized with four numbers, as follows:
1. m     the modulus                   m > 0
2. a     the multiplier                0 < a < m
3. c     the increment                 0 <= c < m
4. X0    the starting value, or seed   0 <= X0 < m
• The sequence of random numbers {Xn} is obtained via the following iterative
equation:
Xn+1 = (a Xn + c) mod m
• The selection of values for a, c and m is critical in developing a good random
number generator.
• [PARK88] proposes three tests to be used in evaluating a random number
generator:
1. The function should be a full-period generating function → it should
generate all the numbers between 0 and m before repeating.
2. The generated sequence should appear random.
3. It should be efficiently implementable with 32-bit arithmetic.
• Note that an attacker can reconstruct the sequence given a small number of values.
• There are possibilities for making this harder.
Cryptographically Generated Random Numbers:
It makes sense to take advantage of the encryption logic already available to produce
random numbers.
1. Cyclic encryption
2. DES output feedback mode
3. ANSI X9.17 PRNG
4. Blum Blum Shub generator
1. Cyclic encryption:
• This procedure is used to generate session keys from a master key.
• A counter with period N provides input to the encryption logic.
• After each key is produced, the counter is incremented by one.
• Thus the pseudorandom numbers produced by this scheme cycle through a
full period.
Xi = EKm[C+1]
• Each output is based on a different counter value.
• Because the master key is protected, it is not feasible to deduce any of the
secret keys through knowledge of one or more earlier keys.
2. DES output feedback mode
3. ANSI X9.17 PRNG:
• One of the strongest (cryptographically speaking) PRNGs is specified in
ANSI X9.17.
• The algorithm makes use of 3DES for encryption. The ingredients
are as follows:
1. Input: two pseudorandom inputs drive the generator.
o Date & time – 64-bit representation of the date/time value, updated on
each number generation.
o 64-bit seed value – initialized to some arbitrary value and
updated during the generation process.
2. Keys: it makes use of a pair of 56-bit keys, which must be kept secret.
3. Output: it consists of a 64-bit pseudorandom number and a 64-bit seed
value.
Define the following quantities:
• DTi – date/time value at the beginning of the ith generation stage
• Vi – seed value at the beginning of the ith generation stage
• Ri – pseudorandom number produced by the ith generation stage
• K1, K2 – DES keys used for each stage
Then compute successive values as:
Ri = EDE[K1, K2][Vi XOR EDE[K1, K2][DTi]]
Vi+1 = EDE[K1, K2][Ri XOR EDE[K1, K2][DTi]]
where EDE refers to the sequence encrypt-decrypt-encrypt using two-key
3DES.
• The technique involves a 112-bit key and three EDE encryptions, for a total of
nine DES encryptions.
• Thus the amount of material that must be compromised by an opponent is
overwhelming.
Blum Blum Shub Generator:
• Based on public-key cryptographic algorithms.
• The procedure is as follows:
1. Choose two large prime numbers p and q that both have a remainder of 3
when divided by 4, and let n = p × q.
p ≡ q ≡ 3 (mod 4)
i.e., p mod 4 = 3 & q mod 4 = 3
2. Next choose a random number s such that s is relatively prime to n; this
is equivalent to saying that neither p nor q is a factor of s.
3. Then the BBS generator produces a sequence of bits Bi according to the
following algorithm:
X0 = s^2 mod n
for i = 1 to ∞
    Xi = (Xi-1)^2 mod n
    Bi = Xi mod 2
• The least significant bit is taken at each iteration.
• BBS is referred to as a cryptographically secure pseudorandom bit generator
(CSPRBG).
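The linear congruential generator from the PRNG section and the Blum Blum Shub generator above, as one added example that is not code from the original notes. The LCG defaults to the Park-Miller parameters a = 16807, c = 0, m = 2^31 - 1 (an assumption; the notes name no specific a, c, m), and the small BBS primes and seed used below are constructed for illustration only.

```python
from math import gcd

def lcg(seed, a=16807, c=0, m=2**31 - 1):
    """Linear congruential generator: yields X1, X2, ... from X0 = seed,
    using Xn+1 = (a Xn + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def lcg_first(seed, count, a=16807, c=0, m=2**31 - 1):
    gen = lcg(seed, a, c, m)
    return [next(gen) for _ in range(count)]

def lcg_full_period(a, c, m, seed):
    """PARK88 test 1: does the generator visit every value 0..m-1 before
    repeating? Exhaustive, so only meaningful for small m."""
    seen, x = set(), seed
    while x not in seen:
        seen.add(x)
        x = (a * x + c) % m
    return len(seen) == m

def bbs_bits(p, q, s, count):
    """Blum Blum Shub: X0 = s^2 mod n, Xi = Xi-1^2 mod n, Bi = Xi mod 2.
    Checks the preconditions p = q = 3 (mod 4) and gcd(s, n) = 1."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed s must be relatively prime to n")
    x = (s * s) % n
    bits = []
    for _ in range(count):
        x = (x * x) % n
        bits.append(x % 2)      # least significant bit of each Xi
    return bits
```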
Key Management
1. Key Management
• Distribution of public keys
• Public-key distribution of secret keys
2. Diffie-Hellman key exchange
3. Elliptic curve architecture
• Abelian groups
• Elliptic curves over real numbers
• Elliptic curves over Zp
• Elliptic curves over GF(2^m)
4. Elliptic curve cryptography
• Analog of Diffie-Hellman key exchange
• Elliptic curve encryption/decryption
• Security of elliptic curve cryptography
KEY MANAGEMENT:
• Public-key encryption helps to address key distribution problems.
There are two aspects of this:
• Distribution of public keys
• Use of public-key encryption to distribute secret keys
Distribution of public keys:
Several techniques have been proposed for the distribution of public keys.
All these proposals can be grouped into the following general schemes:
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
Public Announcement:
• Users distribute public keys to recipients or broadcast them to the community at large.
o E.g., append PGP keys to email messages, or post them to newsgroups or
an email list.
• The major weakness is forgery.
o Some user could pretend to be the legitimate user and send a public
key to another participant, or broadcast such a public key.
o Until the legitimate user discovers the forgery and alerts the other
participants, the forger is able to read messages intended for A and
use the forged key for authentication.
Publicly Available Directory:
• Greater security can be obtained by maintaining a publicly available directory of
public keys.
• Maintenance of the public directory is the responsibility of some trusted
entity or organization.
• The directory scheme includes the following elements:
o The authority maintains a directory with a {name, public key} entry for
each participant.
o Each participant registers a public key with the directory authority by
some form of secure, authenticated communication.
o Any participant can replace the existing key with a new one at any
time.
o The authority publishes the entire directory, or updates to it, periodically.
o Participants could also access the directory electronically.
• Still vulnerable to forgery or tampering.
Public-key authority:
• Improves security by tightening control over the distribution of keys from
the directory.
• A central authority maintains a directory of the public keys of all participants.
o Requires users to know the public key of the directory.
• Users then interact with the directory to obtain any desired public key securely.
o Does require real-time access to the directory when keys are needed.
1. A sends a time-stamped message to the public-key authority containing a
request for the current public key of B.
2. The authority responds with a message that is encrypted using the authority's
private key KRauth.
3. Thus A is able to decrypt the message using the authority's public key.
4. The message includes the following:
• B's public key KUb, which A can use to encrypt messages destined for
B
• The original request, to enable A to match this response
• The original time stamp
5. A stores B's public key and also uses it to encrypt a message to B containing:
• The identity of A (IDA)
• A nonce (N1)
6. B retrieves A's public key from the authority in the same manner as A
retrieved B's public key.
7. B sends a message to A encrypted with KUa and containing A's nonce (N1)
as well as a new nonce generated by B (N2).
8. A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.
Public-key certificates:
• Certificates can be used by participants to exchange keys without
contacting the public-key authority.
• Each certificate contains a public key and other information, and is created by a
certificate authority.
• It is then given to the participant with the matching private key.
• A participant conveys its key information to another by transmitting its
certificate.
• Other participants can verify that the certificate was created by the authority.
o Anyone can read a certificate to determine the name and public key of
the certificate's owner.
o Anyone can verify that the certificate originated from the certificate
authority.
o Only the certificate authority can create and update certificates.
o Any participant can verify the certificate.
• For participant A, the authority provides a certificate of the form
CA = EKRauth[T, IDA, KUa]
• A may then pass this certificate on to any other participant, who reads and
verifies the certificate as follows:
DKUauth[CA] = DKUauth[EKRauth[T, IDA, KUa]] = (T, IDA, KUa)
Public-key distribution of secret keys:
Simple secret key distribution:
• A generates a public/private key pair {KUa, KRa} and transmits a message to
B consisting of KUa and an identifier of A, IDA.
• B generates a secret key Ks and transmits it to A, encrypted with A's public
key.
• A computes DKRa[EKUa[Ks]] to recover the secret key.
• A discards KUa and KRa, and B discards KUa.
• If an opponent E has control of the communication channel, he can
insert himself into the exchange without being detected.
Attack by opponent E:
• A generates KUa and KRa and sends IDA, KUa to B.
• E intercepts the message and transmits IDA, KUe to B.
• B generates a secret key Ks.
• B sends Ks to A using A's "public key", which is actually KUe.
• E intercepts the message, decrypts it and obtains Ks.
• E sends A the message Ks, encrypted with KUa.
• A decrypts the message to get the secret key Ks.
• Now E knows Ks, but A and B are unaware of it. A and B can now exchange
messages using Ks. E no longer actively interferes with the
communications channel but simply eavesdrops.
Secret key distribution with confidentiality and authentication:
• A and B need to have used a secure method to exchange their public keys.
Scheme:
• A uses B's public key to encrypt a message containing an identifier of A
(IDA) and a nonce (N1).
• B replies with a message to A encrypted with KUa and containing A's
nonce (N1) as well as a new nonce generated by B (N2).
• A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.
• A selects a secret key Ks and sends B the message M = EKUb[EKRa[Ks]].
Encryption of this message with B's public key ensures that only B can read
it; encryption with A's private key ensures that only A could have sent it.
• B computes DKUa[DKRb[M]] to recover the secret key.
• The result is that this scheme ensures both confidentiality and authentication
in the exchange of a secret key.
Diffie-Hellman key exchange:
• The first proposed public-key algorithm, by Diffie & Hellman in 1976.
• A practical method for public exchange of a secret key.
• A number of commercial products employ this key exchange technique.
• The purpose of the algorithm is to enable two users to exchange a key
securely that can then be used for subsequent encryption of messages.
• The security of Diffie-Hellman lies in the fact that, while it is relatively
easy to calculate exponentials modulo a prime, it is very difficult to
compute discrete logarithms.
Key exchange algorithm:
1. All users agree on global parameters:
• q    a large prime integer
• α    a primitive root of q, α < q
2. User A key generation:
• Select private key xa, xa < q
• Compute the public key ya = α^xa mod q
3. User B key generation:
• Select private key xb, xb < q
• Compute the public key yb = α^xb mod q
4. Generation of the secret key by user A:
• K = (yb)^xa mod q
5. Generation of the secret key by user B:
• K = (ya)^xb mod q
Example:
Users Alice & Bob wish to establish a shared key:
• Choose q = 353 and α = 3.
• Select random secret keys:
A chooses xa = 97
B chooses xb = 233
• Compute public keys:
ya = 3^97 mod 353 = 40 (Alice)
yb = 3^233 mod 353 = 248 (Bob)
• Compute the shared session key as:
K = yb^xa mod 353 = 248^97 mod 353 = 160 (Alice)
K = ya^xb mod 353 = 40^233 mod 353 = 160 (Bob)
Man-in-the-middle attack in Diffie-Hellman:
• There are two publicly known numbers, q and α.
• User A wishes to exchange a key with B.
• User A selects a random integer xa and computes ya.
• User B selects a random integer xb and computes yb.
• Each user keeps the x value private and makes the y value available to
others.
• User A computes the key as K = (yb)^xa mod q.
• User B computes the key as K = (ya)^xb mod q.
• The result is that the two sides have exchanged a secret key.
• An opponent has only the following ingredients to work with to get the key:
q, α, ya, yb.
• To get the secret key of B, the opponent must compute
xb = ind_{q,α}(yb)
• Then the key is calculated in the same manner as user B calculates it.
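The Diffie-Hellman exchange above in code, with the notes' numbers q = 353, α = 3, xa = 97, xb = 233, together with the brute-force discrete logarithm ind_{q,α}(y) that an opponent holding only q, α, ya, yb would need; this is an added example, not code from the original notes, and the exhaustive search is feasible only because q is tiny.

```python
import secrets

def is_primitive_root(alpha, q):
    """alpha is a primitive root of prime q if its powers hit every value 1..q-1."""
    return len({pow(alpha, k, q) for k in range(1, q)}) == q - 1

def dh_public(alpha, q, x):
    return pow(alpha, x, q)            # y = alpha^x mod q

def dh_shared(y_other, x_own, q):
    return pow(y_other, x_own, q)      # K = y^x mod q

def dh_exchange(q, alpha, xa, xb):
    """Runs both sides; returns (ya, yb, K computed by A, K computed by B)."""
    ya, yb = dh_public(alpha, q, xa), dh_public(alpha, q, xb)
    return ya, yb, dh_shared(yb, xa, q), dh_shared(ya, xb, q)

def discrete_log(y, alpha, q):
    """ind_{q,alpha}(y): the x in 1..q-1 with alpha^x mod q == y, by exhaustive
    search. Cost grows with q, which is why real parameters are hundreds of
    digits long; this is the work an eavesdropper faces, nothing more."""
    acc = 1
    for x in range(1, q):
        acc = (acc * alpha) % q
        if acc == y:
            return x
    return None

def random_private(q):
    """A fresh private exponent in 2..q-2 from the OS CSPRNG."""
    return 2 + secrets.randbelow(q - 3)

def demo():
    q, alpha = 353, 3
    ya, yb, ka, kb = dh_exchange(q, alpha, 97, 233)
    # The opponent recovers xb from yb, then forms K exactly as B does.
    xb_recovered = discrete_log(yb, alpha, q)
    return ya, yb, ka, kb, xb_recovered, dh_shared(ya, xb_recovered, q)
```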
Elliptic Curve Architecture:
• The majority of public-key encryption algorithms, like RSA and DH,
use either integer or polynomial arithmetic with very large
numbers/polynomials.
• This imposes a significant load in storing and processing keys and messages.
• An alternative is to use Elliptic Curve Cryptography (ECC).
• It offers the same security with a smaller key size, thereby reducing the processing
overhead.
• To understand ECC in detail, we first have to know about the following:
o Abelian groups
o Elliptic curves over real numbers
o Elliptic curves over finite fields
o Elliptic curve ciphers
Abelian groups:
• An abelian group G, denoted by {G, ·}, is a set of elements with a binary
operation, denoted by ·, that satisfies the following axioms:
(A1) Closure: if a and b belong to G, then a · b is also in G.
(A2) Associative: a · (b · c) = (a · b) · c for all a, b, c in G.
(A3) Identity element: there is an element e in G such that a · e = e · a = a
for all a in G.
(A4) Inverse element: for each a in G there is an element a' in G such that
a · a' = a' · a = e.
(A5) Commutative: a · b = b · a for all a, b in G.
• For elliptic curve cryptography, an operation over elliptic curves, called
addition, is used.
• Multiplication is defined by repeated addition.
Elliptic curves over real numbers:
• Elliptic curves are not ellipses.
• They are described by cubic equations, similar to those used for calculating the
circumference of an ellipse:
y^2 + axy + by = x^3 + cx^2 + dx + e
• It is sufficient to limit the equation to the form
y^2 = x^3 + ax + b
where a, b are real numbers and x, y take on values in the real numbers.
• An elliptic curve is defined by an equation in two variables x & y, with
coefficients.
• The equations are cubic, or of degree 3, because the highest exponent they
contain is 3.
• Also included in the definition of an elliptic curve is a single element denoted O,
called the point at infinity or the zero point.
Geometric description of addition:
• If three points on an elliptic curve lie on a straight line, their sum is O.
Rules of addition over an elliptic curve:
1. O serves as the additive identity. Thus O = −O, and for any point P on the
curve, P + O = P.
2. If P = (x, y), then −P = (x, −y) and P + (−P) = O.
3. To add two points P and Q with different x coordinates, draw a straight line
between them and find the third point of intersection R.
4. P + Q = −R; thus P + Q is the mirror image of the third point of intersection.
5. To double a point Q, draw the tangent line and find the other point of
intersection S:
Q + Q = 2Q = −S
Algebraic description of addition:
1. If P = (xp, yp) and Q = (xq, yq), then R = P + Q = (xr, yr), where
xr = ∆^2 − xp − xq
yr = −yp + ∆(xp − xr)
∆ = (yq − yp) / (xq − xp)
Elliptic curves over finite fields:
• Elliptic curve cryptography uses curves whose variables & coefficients are
finite.
• There are two families of elliptic curves:
• Prime curves Ep(a, b) defined over Zp
o Use integers modulo a prime p
o Best in software
• Binary curves E2^m(a, b) defined over GF(2^m)
o Use polynomials with binary coefficients
o Best in hardware
Elliptic curves defined over Zp:
• For elliptic curves over Zp, we use a cubic equation in which the variables and
coefficients all take on values in the set of integers from 0 through p − 1.
• The equation for elliptic curves over Zp is
y^2 mod p = (x^3 + ax + b) mod p
Rules of addition over an elliptic curve over Zp:
1. P + O = P
2. If P = (xp, yp), then P + (xp, −yp) = O
3. If P = (xp, yp) and Q = (xq, yq) with P ≠ −Q, then R = P + Q = (xr, yr), where
xr = (λ^2 − xp − xq) mod p
yr = (λ(xp − xr) − yp) mod p
λ = [(yq − yp) / (xq − xp)] mod p   if P ≠ Q
λ = [(3xp^2 + a) / (2yp)] mod p     if P = Q
4. Multiplication is defined as repeated addition: 4Q = Q + Q + Q + Q
Elliptic curves defined over GF(2^m):
• The equation for elliptic curves over GF(2^m) is
y^2 + xy = x^3 + ax^2 + b
Rules for addition over an elliptic curve over GF(2^m):
1. P + O = P
2. If P = (xp, yp), then P + (xp, xp + yp) = O. The point (xp, xp + yp) is the negative
of P, i.e., −P.
3. If P = (xp, yp) and Q = (xq, yq) with P ≠ −Q and P ≠ Q, then R = P + Q = (xr,
yr), where
xr = λ^2 + λ + xp + xq + a
yr = λ(xp + xr) + xr + yp
λ = (yq + yp) / (xq + xp)
4. If P = (xp, yp), then R = P + P = (xr, yr), where
xr = λ^2 + λ + a
yr = xp^2 + (λ + 1) xr
λ = xp + yp / xp
Elliptic curve cryptography:
• ECC addition is the analog of modular multiplication in RSA.
• ECC repeated addition is the analog of modular exponentiation.
• We need a "hard" problem equivalent to the discrete logarithm:
• Q = kP, where Q, P belong to a prime curve
o It is "easy" to compute Q given k and P
o But "hard" to find k given Q and P
o Known as the elliptic curve discrete logarithm problem.
ECC Diffie-Hellman:
• Key exchange can be done using ECC in a way analogous to D-H.
• Select global parameters:
o Eq(a, b) → elliptic curve with parameters a, b and q, where q is a
prime number
o G = (x1, y1) (base point) → a point on the elliptic curve whose order is a
large value n
• User A key generation:
o Select private key nA, nA < n
o Calculate public key PA = nA × G
• User B key generation:
o Select private key nB, nB < n
o Calculate public key PB = nB × G
• Generation of the secret key:
o KA = nA × PB (computed by A)
o KB = nB × PA (computed by B)
ECC Encryption/Decryption:
• The first task in this system is to encode the plaintext message M as a point Pm
(x-y coordinates) on the elliptic curve.
• This Pm is then encrypted as a ciphertext, which is later decrypted.
• Each user chooses a private key nA < n & computes the public key PA = nA × G.
• To encrypt Pm for user B: Cm = {kG, Pm + kPB}, k random
• To decrypt Cm, B computes:
(Pm + kPB) − nB(kG)
= Pm + k(nB G) − nB(kG)
= Pm
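Point addition, doubling and scalar multiplication on a prime curve Ep(a, b) using the Zp rules above, followed by the ECC Diffie-Hellman exchange and the {kG, Pm + kPB} encryption scheme; this is an added example, not code from the original notes. The curve E23(1, 1) with points (3, 10) and (9, 7) is assumed for the checks (both lie on the curve), and the private keys nA, nB and the random k are constructed.

```python
O = None   # the point at infinity, the additive identity

class PrimeCurve:
    """y^2 = x^3 + a x + b over Zp, with the addition rules for Zp curves."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        if P is O:
            return O
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P, Q):
        p = self.p
        if P is O:
            return Q
        if Q is O:
            return P
        (xp, yp), (xq, yq) = P, Q
        if xp == xq and (yp + yq) % p == 0:
            return O                               # P + (-P) = O
        if P == Q:                                 # doubling: lambda = (3xp^2 + a) / 2yp
            lam = (3 * xp * xp + self.a) * pow(2 * yp, -1, p) % p
        else:                                      # lambda = (yq - yp) / (xq - xp)
            lam = (yq - yp) * pow(xq - xp, -1, p) % p
        xr = (lam * lam - xp - xq) % p
        yr = (lam * (xp - xr) - yp) % p
        return (xr, yr)

    def mul(self, k, P):
        """k * P: repeated addition done by double-and-add over the bits of k."""
        R = O
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

def ecdh(curve, G, nA, nB):
    """Returns (PA, PB, KA, KB); KA == KB is the shared secret point."""
    PA, PB = curve.mul(nA, G), curve.mul(nB, G)
    return PA, PB, curve.mul(nA, PB), curve.mul(nB, PA)

def ec_encrypt(curve, G, PB, Pm, k):
    """Cm = {kG, Pm + kPB} for recipient B with public key PB."""
    return curve.mul(k, G), curve.add(Pm, curve.mul(k, PB))

def ec_decrypt(curve, nB, Cm):
    """Pm = (Pm + kPB) - nB(kG): subtract nB times the first component."""
    C1, C2 = Cm
    return curve.add(C2, curve.neg(curve.mul(nB, C1)))
```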
ECC Security:
• Relies on the elliptic curve logarithm problem.
• The fastest known method to take the elliptic curve logarithm is the Pollard rho
method.
• This compares with factoring a number into two primes, for RSA, using the
general number field sieve.
Advantages:
• A smaller key size can be used for ECC compared to RSA.
• For equivalent key lengths, the computational effort required for ECC and
RSA is comparable.
• The computational advantage of ECC is the usage of a much smaller key size.
Introduction to number theory
• Prime numbers
• Fermat's and Euler's theorems
o Fermat's theorem
o Euler's totient function
o Euler's theorem
• Testing of primality
• Chinese remainder theorem
• Discrete logarithms
Prime Numbers:
• An integer p > 1 is a prime number if and only if its only divisors are ±1 and
±p.
• E.g., 2, 3, 5, 7 are prime.
• 4, 6, 8, 9, 10 are not prime.
• The list of prime numbers less than 200 is:
o 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89
97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173
179 181 191 193 197 199
Prime Factorisation:
• To factor a number n is to write it as a product of other numbers: n = a × b × c.
• The prime factorisation of a number n is its expression as a product of primes.
o E.g., 91 = 7 × 13
• If P is the set of all prime numbers, then any positive integer a can be written
uniquely in the following form:
a = ∏ p^ap   (product over all p in P, with each ap ≥ 0)
o E.g., 3600 = 2^4 × 3^2 × 5^2
The right-hand side ranges over all possible prime numbers p; for any particular
value of a, most of the exponents ap will be 0.
E.g., the integer 12 can be represented by {a2 = 2, a3 = 1}
The integer 18 can be represented by {a2 = 1, a3 = 2}
Multiplication of two numbers is equivalent to adding the corresponding
exponents:
k = mn  →  kp = mp + np for all p
E.g.:
k = 12 × 18
k2 = 2 + 1 = 3
k3 = 1 + 2 = 3
216 = 2^3 × 3^3
Relatively Prime Numbers & GCD:
• Two numbers a, b are relatively prime
o if they have no common divisors apart from 1.
o E.g., 8 & 15 are relatively prime, since the factors of 8 are 1, 2, 4, 8 and those
of 15 are 1, 3, 5, 15, and 1 is the only common factor.
• The greatest common divisor can be determined by comparing the prime
factorizations and using the least powers:
o 300 = 2^2 × 3^1 × 5^2
o 18 = 2^1 × 3^2
o Hence GCD(18, 300) = 2^1 × 3^1 × 5^0 = 6
• In general:
k = gcd(a, b)  →  kp = min(ap, bp) for all p
• Euclid's algorithm to compute GCD(a, b):
gcd(A, B)
    while (B > 0) {
        r = A % B;
        A = B;
        B = r;
    }
    return A
Fermat's theorem:
• Fermat's theorem states the following:
o If p is prime and a is a positive integer not divisible by p, then
a^(p−1) ≡ 1 (mod p)
• E.g.:
a = 7, p = 19
7^18 = 1628413597910449, and 1628413597910449 mod 19 = 1
• An alternative form of the theorem is:
o If p is prime and a is a positive integer, then
a^p ≡ a (mod p)
• E.g.:
a = 3, p = 5
3^5 = 243, and 243 mod 5 = 3
Euler Totient Function ø(n):
• ø(n) is the number of positive integers less than n and relatively prime to n.
• These integers form the reduced set of residues: the residues that are
relatively prime to n.
• For a prime number p,
ø(p) = p − 1
• If we have two prime numbers p and q, and n = pq, then
ø(n) = ø(pq) = ø(p) × ø(q) = (p − 1)(q − 1)
• Determine ø(21):
ø(21) = ø(3) × ø(7)
= (3 − 1)(7 − 1)
= 2 × 6
= 12
• The 12 integers are {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20}
Euler's Theorem:
• A generalisation of Fermat's theorem.
• Euler's theorem states that, for every a and n that are relatively prime,
a^ø(n) ≡ 1 (mod n)
• E.g.:
a = 3, n = 10
ø(10) = ø(2) ø(5)
= (2 − 1)(5 − 1)
= 1 × 4 = 4
• Hence 3^4 = 81
• 81 ≡ 1 (mod 10)
E.g.:
a = 2, n = 11; ø(11) = 10;
• Hence 2^10 = 1024 ≡ 1 (mod 11)
Testing of Primality:
• In cryptographic algorithms, it is necessary to select one or more prime
numbers at random.
• The task is to determine whether a given large number is prime.
• A test based on Fermat's Theorem, the Miller-Rabin algorithm, is used to
test whether the given number is prime or not.
• If Miller-Rabin returns "composite", the number is definitely not prime.
• Otherwise the result is "inconclusive": n may be prime, and repeating the
test with several independently chosen values of a makes it very unlikely that
a composite number passes every round.
TEST(n) is:
1. Find integers k, q, k > 0, q odd, so that (n-1) = 2^k q
2. Select a random integer a, 1 < a < n-1
3. if a^q mod n = 1 then return ("inconclusive");
4. for j = 0 to k-1 do
if (a^(2^j q) mod n = n-1)
then return ("inconclusive")
5. return ("composite")
Eg:
TEST(29)
1. n-1 = 29-1 = 28
28 = 2^k q = 2^2 (7), so k = 2, q = 7
2. Select a = 10
3. 10^7 mod 29 = 17 (not 1, so continue)
4. (10^7)^2 mod 29 = 28 = n-1, so return "inconclusive"
Repeating with a = 2:
3. 2^7 mod 29 = 12
4. (2^7)^2 mod 29 = 28 = n-1, so return "inconclusive"
Thus 29 is a prime number (both rounds are inconclusive, as they must be for a prime).
Chinese Remainder Theorem:
• The CRT says that it is possible to reconstruct integers in a certain range
from their residues modulo a set of pairwise relatively prime moduli.
• To compute (A mod M) we can first compute all (a_i = A mod m_i) separately
and then combine the results to get the answer, where the m_i are pairwise
relatively prime and M = m_1 × m_2 × ... × m_k.
• Eg: 973 mod 1813
• Given:
A = 973
M = 1813 = 37 × 49
m1 = 37
m2 = 49
• 973 mod 37 = 11
• 973 mod 49 = 42
Representation of 973 is (11, 42)
• If we want to add 678 to 973:
• First compute
678 mod 37 = 12
678 mod 49 = 41
• Then we add component-wise: (11+12 mod 37, 42+41 mod 49) = (23, 34)
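The residue arithmetic above, plus the reconstruction step that turns (23, 34) back into an ordinary integer, as an added Python example that is not part of the original notes. The recombination formula A = Σ a_i · M_i · (M_i^-1 mod m_i) mod M, with M_i = M / m_i, is the standard CRT construction and is not written out on the page; the function names are my own, and the coprimality check shows the failure mode when the moduli are not pairwise relatively prime.

```python
from functools import reduce
from math import gcd


def crt_residues(A, moduli):
    """Represent A by its residues (A mod m_1, ..., A mod m_k)."""
    return tuple(A % m for m in moduli)


def crt_reconstruct(residues, moduli):
    """Recover the unique A in [0, M) with A ≡ a_i (mod m_i), M = prod(m_i).
    A = sum(a_i * M_i * (M_i^-1 mod m_i)) mod M, where M_i = M // m_i."""
    for i, m1 in enumerate(moduli):
        for m2 in moduli[i + 1:]:
            if gcd(m1, m2) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    M = reduce(lambda x, y: x * y, moduli, 1)
    total = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        inv = pow(M_i, -1, m_i)      # exists because gcd(M_i, m_i) == 1
        total += a_i * M_i * inv
    return total % M


def crt_add(r1, r2, moduli):
    """Addition done independently in each residue component."""
    return tuple((x + y) % m for x, y, m in zip(r1, r2, moduli))


def crt_mul(r1, r2, moduli):
    """Multiplication done independently in each residue component."""
    return tuple((x * y) % m for x, y, m in zip(r1, r2, moduli))


if __name__ == "__main__":
    moduli = (37, 49)
    r973, r678 = crt_residues(973, moduli), crt_residues(678, moduli)
    print(r973, r678)                                  # (11, 42) (12, 41)
    total = crt_add(r973, r678, moduli)
    print(total, crt_reconstruct(total, moduli))       # (23, 34) 1651
    print(crt_reconstruct(crt_mul(r973, r678, moduli), moduli) == (973 * 678) % 1813)
```

Reconstructing (23, 34) gives 1651 = 973 + 678, confirming the page's component-wise addition. The same decomposition is what lets an RSA implementation decrypt separately mod p and mod q; if one of those two half-computations is faulted, the reconstruction leaks the factorization, which is why CRT-based RSA is paired with a result check before the value is released.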
Discrete logarithms:
• From Euler's theorem, for every a and n that are relatively prime,
a^ø(n) mod n = 1
• More generally, consider the exponents m for which
a^m mod n = 1
PRIMITIVE ROOTS:
• A primitive root of a prime number p is a number whose powers generate all
the integers from 1 to p-1.
• If a is a primitive root of the prime number p, then the numbers
a mod p, a^2 mod p, ..., a^(p-1) mod p
Eg: Find the primitive roots of 7
a    a^2   a^3   a^4   a^5   a^6    (all mod 7)
1    1     1     1     1     1
2    4     1     2     4     1
3    2     6     4     5     1
4    2     1     4     2     1
5    4     6     2     3     1
6    1     6     1     6     1
Primitive roots of 7 = 3 and 5
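The power table and the primitive-root test above, as an added Python example that is not part of the original notes. `order(a, p)` (my own name) returns the smallest m with a^m ≡ 1 (mod p), which is the notion the discrete-logarithm bullets lead up to; a is a primitive root exactly when that order is p-1, and the example also runs the same test for p = 11 to show it generalises.

```python
def power_table(p):
    """Rows a = 1..p-1, columns a^1..a^(p-1) mod p (the table above for p = 7)."""
    return {a: [pow(a, i, p) for i in range(1, p)] for a in range(1, p)}


def order(a, p):
    """Smallest m >= 1 with a^m ≡ 1 (mod p), for prime p and 1 <= a < p.
    By Fermat's theorem m always exists and divides p-1."""
    x = 1
    for m in range(1, p):
        x = (x * a) % p
        if x == 1:
            return m
    raise ValueError("a must be in 1..p-1 with p prime")


def primitive_roots(p):
    """All a whose powers run through every residue 1..p-1, i.e. order == p-1."""
    return [a for a in range(1, p) if order(a, p) == p - 1]


if __name__ == "__main__":
    for a, row in power_table(7).items():
        print(a, row)
    print("primitive roots of 7:", primitive_roots(7))     # [3, 5]
    print("primitive roots of 11:", primitive_roots(11))   # [2, 6, 7, 8]
```

A prime p has ø(p-1) primitive roots, which is why 7 has ø(6) = 2 of them and 11 has ø(10) = 4; Diffie-Hellman parameter sets are built from such a generator so that the discrete logarithm is defined over the whole group.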
Fast modular exponentiation algorithm:
1. Find the value of 561^123 mod 577 = ?
Algorithm (b_k b_(k-1) ... b_0 is the binary representation of the exponent b;
computes a^b mod n):
d ← 1
for i ← k downto 0
    do d ← (d*d) mod n
       if b_i = 1
       then d ← (d*a) mod n
return d
Sol:
123 = 1111011 (binary), a = 561, n = 577
i    b_i   d
6    1     561
5    1     520
4    1     523
3    1     81
2    0     214
1    1     54
0    1     81
Hence 561^123 mod 577 = 81
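The square-and-multiply algorithm above with the i / b_i / d trace, as an added Python example that is not part of the original notes (`modexp_trace` and `modexp` are my own names). Reproducing the trace makes the cost model visible: every bit costs one squaring and every 1-bit one extra multiplication, which is exactly the per-bit timing difference the RSA timing attack later in these notes relies on.

```python
def modexp_trace(a, b, n):
    """Left-to-right square-and-multiply for a^b mod n.
    Returns (result, trace) where trace lists (i, b_i, d) after each
    iteration, in the same layout as the worked table above."""
    if b < 0 or n <= 0:
        raise ValueError("exponent must be >= 0 and modulus > 0")
    bits = bin(b)[2:]            # b_k ... b_0, most significant bit first
    k = len(bits) - 1
    d = 1
    trace = []
    for i, bit in zip(range(k, -1, -1), bits):
        d = (d * d) % n          # squaring happens on every bit
        if bit == "1":
            d = (d * a) % n      # multiply only when b_i = 1
        trace.append((i, int(bit), d))
    return d, trace


def modexp(a, b, n):
    """Plain a^b mod n, same algorithm, trace discarded."""
    return modexp_trace(a, b, n)[0]


def multiplication_count(b):
    """(squarings, multiplies) the algorithm performs for exponent b."""
    bits = bin(b)[2:]
    return len(bits), bits.count("1")


if __name__ == "__main__":
    result, trace = modexp_trace(561, 123, 577)
    print("i  b_i  d")
    for i, bit, d in trace:
        print(f"{i}  {bit}    {d}")
    print("561^123 mod 577 =", result)                 # 81
    print("squarings, multiplies:", multiplication_count(123))
```

The trace matches the table line for line, and `modexp` agrees with Python's built-in `pow(a, b, n)` on every input; the built-in is what production code should call, since this teaching version has a data-dependent branch.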
Extended Euclid's algorithm:
1. 7^-1 mod 576 = ?
In general: x^-1 mod y = ?
Sol:
EXTENDED EUCLID(m, b)
1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = b^-1 mod m
4. Q = floor(A3 / B3)
5. (T1, T2, T3) ← (A1 - Q B1, A2 - Q B2, A3 - Q B3)
6. (A1, A2, A3) ← (B1, B2, B3)
7. (B1, B2, B3) ← (T1, T2, T3)
8. goto 2
For our simplicity (m = y = 576, b = x = 7):
A1 = 1, A2 = 0, A3 = y
B1 = 0, B2 = 1, B3 = x
Q = floor(A3 / B3)
T1 = A1 - Q B1
T2 = A2 - Q B2
T3 = A3 - Q B3
Q     A1    A2     A3     B1    B2     B3
-     1     0      576    0     1      7
82    0     1      7      1     -82    2
3     1     -82    2      -3    247    1
B3 = 1, so 7^-1 mod 576 = B2 = 247 (check: 7 × 247 = 1729 = 3 × 576 + 1)
Public key cryptography and RSA
• Principles of public key cryptosystems
o Public key cryptosystem
o Applications of public key cryptosystems
o Requirements of public key cryptosystems
o Public key cryptanalysis
• RSA algorithm
Private-key cryptography:
• Traditional private/secret/single key/symmetric encryption
• The cryptographic algorithm uses one key → shared by both sender and
receiver
• If this key is disclosed, communications are compromised
• Because both parties hold the same key, it does not protect the sender and
receiver from each other: the receiver could forge a message and claim it was
sent by the sender (repudiation problem)
Public key cryptosystem:
• Public key cryptosystems rely on two keys {public key, private key}.
• It is computationally infeasible to determine the decryption key given only
knowledge of the cryptographic algorithm and the encryption key.
• One key is used for encryption and a different but related key for decryption.
• Ingredients of a public key cryptosystem:
o Plaintext → Readable message or data that is fed into the algorithm
as input.
o Encryption algorithm → Performs various transformations on the
plaintext using the key input.
o Public and private keys → Pair of keys that is used for the encryption
and decryption process.
o Ciphertext → Scrambled message produced as output.
o Decryption algorithm → Accepts the ciphertext and produces the
plaintext using the matching key.
Essential steps are as follows:
1. Each user generates a pair of keys to be used for the encryption and
decryption of messages.
2. Each user places one of the two keys in a public register or other accessible
file. This is the public key. The companion key is the private key.
3. If user B wishes to send a confidential message to A, B encrypts the message
using A's public key.
4. When A receives the message, she decrypts it using her private key. No
other recipient can decrypt the message because only A knows A's private
key.
Conventional vs public key encryption:
Conventional encryption:
1. The same algorithm with the same key is used for encryption and decryption.
2. Sender and receiver must share the algorithm and the key.
3. The key must be kept secret.
4. Knowledge of the algorithm plus samples of ciphertext must be insufficient
to determine the key.
5. It must be impossible or at least impractical to decipher a message if no
other information is available.
Public key encryption:
1. One algorithm is used for encryption and decryption with a pair of keys, one
for encryption and one for decryption.
2. Sender and receiver must each have one of the matched pair of keys (not the
same one).
3. One of the two keys must be kept secret.
4. Knowledge of the algorithm plus one of the keys plus samples of ciphertext
must be insufficient to determine the other key.
5. It must be impossible or at least impractical to decipher a message if no
other information is available.
Public key cryptosystem: secrecy & authentication:
• It is possible to provide both confidentiality and authentication by a
double use of the public key scheme.
• In this case, A prepares a message X to B and encrypts it using A's private
key before transmitting it.
• B can decrypt using A's public key.
• Since the message was encrypted using A's private key, only A could have
prepared the message. So the entire message serves as a digital
signature.
• Then the encrypted message is again encrypted using B's public key:
Z = E_KUb[E_KRa(X)]
• On the receiver side, it is first decrypted using B's private key and then
using A's public key to get the original plaintext message:
X = D_KUa[D_KRb(Z)]
• The disadvantage of this approach is that the public key algorithm, which
is complex, must be exercised four times rather than two in each
communication.
Applications of public key cryptosystems:
Public key systems are characterized by the use of a cryptographic algorithm with
two keys, one held private and one made available publicly.
Depending on the application, the sender uses either the sender's private key, the
receiver's public key, or both to perform some type of cryptographic function.
• Applications of public key cryptosystems fall into three categories:
o Encryption / decryption → Sender encrypts a message with the
recipient's public key
o Digital signature → Sender signs a message with its private key.
Signing is achieved by a cryptographic algorithm applied to the
message or to a small block of data
o Key exchange → Two sides cooperate to exchange a session key.
• Some algorithms are suitable for all three applications, whereas others can
be applied only to one or two of them.
Algorithm          Encryption/Decryption   Digital signature   Key exchange
RSA                Yes                     Yes                 Yes
Elliptic curve     Yes                     Yes                 Yes
Diffie-Hellman     No                      No                  Yes
DSS                No                      Yes                 No
Requirements of public key cryptography:
• Public-key algorithms rely on two keys where, knowing only the algorithm and
the encryption key:
o It is computationally easy for a party B to generate a pair of keys, public
key KUb and private key KRb, to encrypt/decrypt messages.
o It is computationally easy for a sender, knowing the public key and
the message to be encrypted M, to generate the corresponding
ciphertext:
C = E_KUb(M)
o It is computationally easy for the receiver to decrypt the resulting
ciphertext using the private key to recover the original message:
M = D_KRb(C) = D_KRb[E_KUb(M)]
o It is computationally infeasible for an opponent (knowing the public
key KUb) to determine the private key KRb.
o It is computationally infeasible for an opponent (knowing the public
key KUb and a ciphertext C) to recover the original message M.
o The encryption and decryption functions can be applied in either order.
These are formidable requirements which only a few algorithms have
satisfied.
Need for a trap door one-way function:
• One-way function → A function such that each function value has a unique
inverse, where the calculation of the function is easy whereas the calculation
of the inverse is infeasible:
o Y = f(X)          easy
o X = f^-1(Y)       infeasible
• Trap door one-way function → Easy to calculate in one direction and
infeasible to calculate in the other direction unless certain additional
information is known. With the additional information the inverse can be
calculated in polynomial time:
o Y = f_k(X)        easy, if k and X are known
o X = f_k^-1(Y)     easy, if k and Y are known
o X = f_k^-1(Y)     infeasible, if Y is known but k is not known
Public key cryptanalysis:
• Like symmetric key encryption, PKC is also vulnerable to brute force
attack.
o Countermeasure: use large keys
• Security relies on a large enough difference in difficulty between the easy
(encrypt/decrypt) and hard (cryptanalyze) problems.
• Use of a large key size makes the brute force attack impractical, but it slows
down encryption and decryption.
• Another form of attack is finding the private key given the public key.
• Probable message attack → If the message is short (for example a session
key), the opponent could encrypt all the possible messages using the public
key and recover the message by matching against the transmitted ciphertext.
o This attack can be avoided by appending some random bits to the
message.
RSA Algorithm:
• Introduced by Rivest, Shamir & Adleman of MIT in 1977
• Best known and most widely used public-key scheme
• It is a block cipher in which plaintext and ciphertext are integers between 0
and n-1 for some n.
• Typical size of n is 1024 bits
• RSA makes use of expressions with exponentials
• Security is due to the cost of factoring large numbers
• Factorization takes O(e^(log n log log n)) operations (hard)
RSA algorithm:
The ingredients of the RSA algorithm are as follows:
1. p, q, two prime numbers                              private, chosen
2. n = pq                                                public, calculated
3. e, with gcd(e, ø(n)) = 1, where 1 < e < ø(n)          public, chosen
4. d ≡ e^-1 mod ø(n)                                     private, calculated
RSA Key generation:
Each user generates a public/private key pair by:
1. Select p, q → p and q are prime numbers, p is not equal to q
2. Calculate n = p * q
3. Calculate ø(n) = (p-1)(q-1)
4. Select integer e
gcd(e, ø(n)) = 1, where 1 < e < ø(n)
5. Calculate d
d ≡ e^-1 mod ø(n)
6. Public key: KU = {e, n}
7. Private key: KR = {d, n}
RSA Encryption and decryption:
• Encryption:
Plaintext: M < n
Ciphertext: C = M^e mod n
• Decryption:
Ciphertext: C
Plaintext: M = C^d mod n
RSA example:
1. Select primes: p = 17 & q = 11
2. Compute n = pq = 17 × 11 = 187
3. Compute ø(n) = (p-1)(q-1) = 16 × 10 = 160
4. Select e: gcd(e, 160) = 1; choose e = 7
5. Determine d:
d ≡ e^-1 mod ø(n)
d ≡ 7^-1 mod 160 = 23 (using the extended Euclidean algorithm; check: 7 × 23 = 161 = 160 + 1)
6. Publish public key KU = {7, 187}
7. Private key KR = {23, 187}
• Given message M = 88
• Encryption:
C = 88^7 mod 187 = 11
• Decryption:
M = 11^23 mod 187 = 88
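The seven key-generation steps and the encryption/decryption formulas above, run on the page's example (p = 17, q = 11, e = 7), as an added Python example that is not part of the original notes. The function names are my own; `pow(e, -1, phi)` is Python's built-in modular inverse, which does the extended-Euclid computation from the earlier section. This is textbook RSA with toy primes and no padding, written to reproduce the worked numbers, not for use on real data.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 1-7: returns (public_key, private_key) = ((e, n), (d, n))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")        # step 1
    n = p * q                                                       # step 2
    phi = (p - 1) * (q - 1)                                         # step 3
    if not (1 < e < phi) or gcd(e, phi) != 1:                       # step 4
        raise ValueError("e must satisfy 1 < e < ø(n) and gcd(e, ø(n)) = 1")
    d = pow(e, -1, phi)                                             # step 5
    return (e, n), (d, n)                                           # steps 6, 7


def rsa_encrypt(public_key, M):
    """C = M^e mod n; the plaintext block must lie in [0, n)."""
    e, n = public_key
    if not 0 <= M < n:
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return pow(M, e, n)


def rsa_decrypt(private_key, C):
    """M = C^d mod n."""
    d, n = private_key
    return pow(C, d, n)


def roundtrips_for_all_blocks(public_key, private_key):
    """Decryption inverts encryption for every block 0 <= M < n."""
    n = public_key[1]
    return all(rsa_decrypt(private_key, rsa_encrypt(public_key, m)) == m
               for m in range(n))


if __name__ == "__main__":
    public, private = rsa_keygen(17, 11, 7)
    print("KU =", public, " KR =", private)          # (7, 187) (23, 187)
    C = rsa_encrypt(public, 88)
    print("C =", C, " M =", rsa_decrypt(private, C)) # 11, 88
    print("all blocks round-trip:", roundtrips_for_all_blocks(public, private))
    # Same plaintext always gives the same ciphertext: this determinism is what
    # the probable-message attack above exploits and what padding removes.
    print(rsa_encrypt(public, 88) == rsa_encrypt(public, 88))
```

The block returns d = 23, C = 11 and M = 88 exactly as in the worked example, and the exhaustive round-trip check confirms that e and d are inverses mod ø(n) for every possible block, not just 88.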
Computational aspects of RSA:
• Consider two issues in RSA:
o Encryption and decryption
o Key generation
Encryption and decryption:
• Both encryption and decryption in RSA involve raising an integer to an integer
power mod n (modular exponentiation).
• Another consideration is the efficiency of exponentiation.
• RSA makes use of large exponents, so the fast modular exponentiation
(square-and-multiply) algorithm is used to compute a^b mod n.
• In the textbook listing of that algorithm, the variable c is not needed; it is
included for explanatory purposes and holds the value of the exponent
processed so far.
Key generation:
• Users of RSA must:
o Determine two primes at random: p, q
o Select either e or d and compute the other
• Primes p, q must not be easily derived from the modulus n = p · q
o This means they must be sufficiently large
• Exponents e, d are inverses mod ø(n), so given one of them the inverse
algorithm (Extended Euclid's algorithm) is used to compute the other.
RSA security:
• Three approaches to attacking RSA:
o Brute force key search (trying all possible private keys)
o Mathematical attacks (factoring the product of two primes)
o Timing attacks (depend on the running time of the decryption algorithm)
• Factoring problem, three forms:
o Factor n into its two prime factors p and q. Calculate ø(n) and find d
o Determine ø(n) directly and compute d
o Determine d directly, without first determining ø(n)
• Factoring has seen slow improvements over the years
o As of Aug-99 the best result is 512 bits with GNFS
• The biggest improvement comes from improved algorithms
o "quadratic sieve" to "generalized number field sieve"
• Ensure p, q are of similar size and satisfy the other constraints
• The threat to larger key sizes is twofold: the continuous increase in
computing power and the continuing refinement of factoring algorithms.
Timing attack:
• An attacker can determine a private key by keeping track of how long a
computer takes to decipher messages.
o The attack may come from a completely unexpected direction
o And it may be a ciphertext-only attack
• It exploits timing variations in the operations of the fast modular
exponentiation algorithm
o Eg. multiplying by a small vs a large number
• If the observed time to execute the decryption algorithm is always slow
when the particular iteration is slow with a bit 1, then that bit is assumed to be 1.
• If the observed time for the entire algorithm is fast, then this bit is assumed
to be 0.
• Countermeasures:
o Constant exponentiation time → ensure that all exponentiations take
the same amount of time before returning a result.
o Random delay → better performance can be achieved by adding a
random delay to the exponentiation algorithm to confuse the timing
attack.
o Blinding → multiply the ciphertext by a random number before
performing exponentiation. This prevents the attacker from
knowing what ciphertext bits are being processed inside the computer
and therefore prevents the bit-by-bit analysis essential to the timing
attack.
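The blinding countermeasure above, as an added Python example that is not part of the original notes, using the key from the page's RSA example (KU = {7, 187}, KR = {23, 187}). The function names are my own. The exponentiation is applied to C·r^e mod n for a fresh random r, so the value it operates on is unrelated to the attacker's chosen C; because ed ≡ 1 (mod ø(n)) and gcd(r, n) = 1, the result is M·r mod n and multiplying by r^-1 recovers M exactly.

```python
import secrets
from math import gcd


def rsa_decrypt_blinded(private_key, public_e, C):
    """Decrypt C with RSA blinding.
    1. pick random r in [2, n-1] with gcd(r, n) = 1
    2. exponentiate the blinded value C' = C * r^e mod n
    3. remove the blind: (C')^d = C^d * r^(ed) = M * r  (mod n), so M = (C')^d * r^-1
    Step 2 is the only secret-dependent exponentiation, and its input is
    uniformly random from the attacker's point of view."""
    d, n = private_key
    while True:
        r = secrets.randbelow(n - 2) + 2        # uniform in [2, n-1]
        if gcd(r, n) == 1:
            break
    blinded = (C * pow(r, public_e, n)) % n     # step 2 input
    m_blinded = pow(blinded, d, n)              # = M * r mod n
    r_inv = pow(r, -1, n)                       # exists since gcd(r, n) = 1
    return (m_blinded * r_inv) % n


def blinded_matches_plain(private_key, public_e, C, trials=20):
    """Blinding must not change the answer: compare against C^d mod n for
    several independent random blinds."""
    d, n = private_key
    plain = pow(C, d, n)
    return all(rsa_decrypt_blinded(private_key, public_e, C) == plain
               for _ in range(trials))


if __name__ == "__main__":
    KR, e = (23, 187), 7
    print("blinded decryption of 11:", rsa_decrypt_blinded(KR, e, 11))   # 88
    print("agrees with plain C^d mod n:", blinded_matches_plain(KR, e, 11))
```

Blinding costs one extra public-key exponentiation and one modular inverse per decryption; it does not make the exponentiation itself constant-time, so real implementations combine it with a constant-time `pow` rather than treating it as a replacement.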