Mathematical Methods (Mathematische Verfahren)
Prof. Dr. Eckhard Letsch
Asymmetric Key Cryptography
Assignment
Hochschule Reutlingen
MKI/Master -1
WS-2005/06
Submitted by: Khushdeep Noheria
16.01.2006
Matriculation No: 052455
Contents
1 Abstract .......... 2
2 Introduction to Public-key cryptography .......... 2
2.1 Public-Key Encryption .......... 3
2.1.1 Ciphers .......... 4
2.2 Digital Signatures .......... 6
2.2.1 Authenticity .......... 6
2.2.2 Integrity .......... 7
2.2.3 Non-repudiation .......... 7
2.2.4 Implementation .......... 7
2.3 Key Agreement Protocol .......... 8
2.3.1 Exponential key exchange .......... 8
2.3.2 Authentication .......... 8
2.4 One-Way Functions .......... 9
2.5 Comparison between Symmetric and Asymmetric Key Algorithms .......... 10
3 History .......... 11
4 Security .......... 13
5 Applications .......... 13
5.1 Confidentiality .......... 13
5.2 Authentication .......... 14
6 Techniques in Asymmetric Key Cryptography .......... 16
6.1 RSA Cryptosystem .......... 16
6.2 DSA Cryptosystem .......... 23
6.2.1 Elliptic Curve DSA .......... 25
6.3 Elliptic curve cryptosystems .......... 26
6.4 Diffie-Hellman .......... 28
6.4.1 Elliptic Curve Diffie-Hellman .......... 32
6.5 ElGamal .......... 33
6.6 Merkle-Hellman .......... 35
7 Protocols Using Asymmetric Key Algorithms .......... 37
7.1 GPG .......... 37
7.2 PGP .......... 39
7.3 Others .......... 43
Appendix A .......... 44
A.1 Functions .......... 44
A.2 Modular arithmetic .......... 45
A.3 Groups .......... 46
A.4 Fields and rings .......... 47
Appendix B Glossary .......... 49
Appendix C References .......... 57
1 Abstract
This report deals with asymmetric key cryptography (public-key cryptography). The subject is very wide, but an attempt is made to cover many of the topics related to it. First, a brief introduction to public-key cryptography is given and the related terms are discussed. Then a brief history of public-key cryptography is described. After the history, the security issues related to public-key cryptography are discussed in Chapter 4. Next, the applications and techniques of asymmetric key cryptography, such as RSA and DSA, as well as an unsuccessful algorithm, the Merkle-Hellman knapsack cryptosystem, are detailed in Chapters 5 and 6. In the last chapter, protocols that use asymmetric key techniques, such as PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard), are described. In the appendix the basic mathematical concepts are discussed so that the different algorithms in the report are easier to understand. Words marked in blue are explained in the glossary.
2 Introduction to Public-key cryptography
Public key cryptography is a form of cryptography which generally allows users to
communicate securely without having prior access to a shared secret key, by using a pair
of cryptographic keys, designated as public key and private key, which are related
mathematically.
The term asymmetric key cryptography is a synonym for public key cryptography.
In public key cryptography, the private key is generally kept secret, while the public key
may be widely distributed. In a sense, one key "locks" a lock; while the other is required
to unlock it. It should not be possible to deduce the private key of a pair given the public
key.
In traditional cryptography, the sender and receiver of a message know and use the same
secret key; the sender uses the secret key to encrypt the message, and the receiver uses
the same secret key to decrypt the message. This method is known as secret key or
symmetric cryptography. The main challenge is getting the sender and receiver to agree
on the secret key without anyone else finding out. If they are in separate physical
locations, they must trust a courier, a phone system, or some other transmission medium
to prevent the disclosure of the secret key. Anyone who overhears or intercepts the key in
transit can later read, modify, and forge all messages encrypted or authenticated using
that key. The generation, transmission and storage of keys is called key management. All
cryptosystems must deal with key management issues. Because all keys in a secret-key
cryptosystem must remain secret, secret-key cryptography often has difficulty providing
secure key management, especially in open systems with a large number of users.
In order to solve the key management problem, Whitfield Diffie and Martin Hellman
introduced the concept of public-key cryptography in 1976. Public-key cryptosystems
have two primary uses, encryption and digital signatures. In their system, each person
gets a pair of keys, one called the public key and the other called the private key. The
public key is published, while the private key is kept secret. The need for the sender and
receiver to share secret information is eliminated; all communications involve only public
keys, and no private key is ever transmitted or shared. In this system, it is no longer
necessary to trust the security of some means of communications. The only requirement
is that public keys be associated with their users in a trusted (authenticated) manner (for
instance, in a trusted directory). Anyone can send a confidential message by just using
public information, but the message can only be decrypted with a private key, which is in
the sole possession of the intended recipient. Furthermore, public-key cryptography can
be used not only for privacy (encryption), but also for authentication (digital signatures)
and other various techniques.
In a public-key cryptosystem, the private key is always linked mathematically to the
public key. Therefore, it is always possible in principle to attack a public-key system by
deriving the private key from the public key. The defence against this is to make the
problem of deriving the private key from the public key as difficult as possible. For
instance, some public-key cryptosystems are designed such that deriving the private key
from the public key requires the attacker to factor a large number; with suitably large
parameters it is computationally infeasible to perform the derivation. This is the idea
behind the RSA public-key cryptosystem.
There are many forms of public key cryptography, including:
- public key encryption: keeping a message secret from anyone that does not possess a specific private key.
- public key digital signature: allowing anyone to verify that a message was created with a specific private key.
- key agreement: generally, allowing two parties that may not initially share a secret key to agree on one.
Typically, public key techniques are much more computationally intensive than purely
symmetric algorithms, but the judicious use of these techniques enables a wide variety of
applications.
2.1 Public-Key Encryption
When Alice wishes to send a secret message to Bob, she looks up Bob's public key in a
directory, uses it to encrypt the message and sends it off. Bob then uses his private key to
decrypt the message and read it. No one listening in can decrypt the message. Anyone
can send an encrypted message to Bob, but only Bob can read it (because only Bob
knows Bob's private key).
In a secure asymmetric key encryption scheme, the decryption key should not be
deducible from the encryption key. This is known as public-key encryption, since the
encryption key can be published without compromising the security of encrypted
messages. In the analogy above, Bob might publish instructions on how to make a lock
("public key"), but the lock is such that it is impossible (so far as is known) to deduce
from these instructions how to make a key which will open that lock ("private key").
Those wishing to send messages to Bob use the public key to encrypt the message; Bob
uses his private key to decrypt it.
In cryptography, encryption is the process of obscuring information to make it
unreadable without special knowledge. While encryption has been used to protect
communications for centuries, only organizations and individuals with an extraordinary
need for secrecy have made use of it. In the mid-1970s, strong encryption emerged from
the sole preserve of secretive government agencies into the public domain, and is now
employed in protecting widely-used systems, such as Internet e-commerce, mobile
telephone networks and bank automatic teller machines.
Encryption can be used to ensure secrecy, but other techniques are still needed to make
communications secure, particularly to verify the integrity and authenticity of a message;
for example, a message authentication code (MAC) or digital signatures. Another
consideration is protection against traffic analysis.
2.1.1 Ciphers
A cipher is an algorithm for performing encryption (and the reverse, decryption) — a
series of well-defined steps that can be followed as a procedure. An alternative term is
encipherment.
The original information is known as plaintext, and the encrypted form as ciphertext. The
ciphertext message contains all the information of the plaintext message, but is not in a
format readable by a human or computer without the proper mechanism to decrypt it; it
should resemble random gibberish to those not intended to read it.
The operation of a cipher usually depends on a piece of auxiliary information, called a
key or, in traditional NSA parlance, a cryptovariable. The encrypting procedure is varied
depending on the key, which changes the detailed operation of the algorithm. A key must
be selected before using a cipher to encrypt a message. Without the same key, it should
be difficult, if not impossible, to decrypt the resulting ciphertext into readable plaintext.
"Cipher" is alternatively spelled "cypher"; similarly "ciphertext" and "cyphertext", and so
forth. The word descends from the Arabic word for zero, ṣifr (صفر), like the Italian
zero (which remained in use for 0, the crucial innovation in positional Arabic versus
Roman numerals), but soon was used for any decimal digit, even any number. While it
may have come to mean encoding because that often involved numbers, a theory says
conservative Catholic opponents of the Arabic (heathen) numerals equated it with any
'dark secret'.
Ciphers versus codes
In non-technical usage, a "(secret) code" is the same thing as a cipher. Within technical
discussions, however, they are distinguished into two concepts. Codes work at the level
of meaning — that is, words or phrases are converted into something else. Ciphers, on the
other hand, work at a lower level: the level of individual letters, small groups of letters,
or, in modern schemes, individual bits. Some systems used both codes and ciphers in one
system, using super-encipherment to increase the security.
Historically, cryptography was split into a dichotomy of codes and ciphers, and coding
had its own terminology, analogous to that for ciphers: "encoding, codetext, decoding"
and so on. However, codes have a variety of drawbacks, including susceptibility to
cryptanalysis and the difficulty of managing a cumbersome codebook. Because of this,
codes have fallen into disuse in modern cryptography, and ciphers are the dominant
technique.
Types of cipher
There are a variety of different types of encryption. Algorithms used earlier in the history
of cryptography are substantially different from modern methods, and modern ciphers
can be classified according to how they operate and whether they use one or two keys.
Historical pen and paper ciphers used in the past are sometimes known as classical
ciphers. They include substitution ciphers and transposition ciphers. During the early
20th century, more sophisticated machines for encryption were used, rotor machines,
which were more complex than previous schemes.
Encryption methods can be divided into symmetric key algorithms and asymmetric key
algorithms. In a symmetric key algorithm (e.g., DES and AES), the sender and receiver
must have a shared key set up in advance and kept secret from all other parties; the
sender uses this key for encryption, and the receiver uses the same key for decryption. In
an asymmetric key algorithm (e.g., RSA), there are two separate keys: a public key is
published and enables any sender to perform encryption, while a private key is kept secret
by the receiver and enables him to perform decryption.
Symmetric key ciphers can be distinguished into two types, depending on whether they
work on blocks of symbols usually of a fixed size (block ciphers), or on a continuous
stream of symbols (stream ciphers).
2.2 Digital Signatures
Digital signature (or public-key digital signature) is a type of method for
authenticating digital information analogous to ordinary physical signatures on paper, but
implemented using techniques from the field of public-key cryptography. A digital
signature method generally defines two complementary algorithms, one for signing and
the other for verification, and the output of the signing process is also called a digital
signature.
Digital signature has also been used as a broader term encompassing both public-key
digital signature techniques and message authentication codes.
Digital signatures differ in some respects from their physical counterparts. The term
electronic signature, although sometimes used for the same thing, has a distinct meaning
in common law: it refers to any of several, not necessarily cryptographic, mechanisms for
identifying the originator of an electronic message. Electronic signatures have included
cable and Telex addresses, as well as FAX transmission of handwritten signatures on a
paper document.
There are three common reasons for applying a digital signature to communications:
2.2.1 Authenticity
Public-key cryptosystems allow anybody to send a message using the public key. A
signature allows the recipient of a message to be confident that the sender is indeed who
s/he claims to be. Of course the recipient cannot be 100% sure that the sender is indeed
who s/he claims to be, only confident, since the cryptosystem may have been broken or
the private key stolen. The importance of authenticity is especially obvious in a financial
context. For example, suppose a bank sends instructions from its branch offices to the
central office in the form (a, b), where a is the account number and b is the amount to be
credited to the account. A devious customer may deposit £100, observe the resulting
transmission and repeatedly retransmit (a, b). This is known as a replay attack. Note that
a signature on (a, b) does not by itself stop this: the replayed copy carries the same valid
signature, so the signed message must also contain something the receiver can check for
freshness, such as a sequence number, nonce or timestamp.
2.2.2 Integrity
Both parties will always wish to be confident that a message has not been altered during
transmission. The encryption makes it difficult for a third party to read a message, but
that third party may still be able to alter it in a useful way. A popular example to
illustrate this is the homomorphism attack: consider the same bank as above, which sends
instructions from its branch offices to the central office in the form (a, b), where a is the
account number and b is the amount to be credited to the account. A devious customer
may deposit £100, intercept the resulting transmission and then transmit (a, b^3) to become
an instant millionaire. This works against unpadded RSA because its encryption is
multiplicative: E(b)^3 = b^(3e) = E(b^3) mod n, so the attacker can cube the ciphertext
without ever learning b.
2.2.3 Non-repudiation
In a cryptographic context, the word repudiation refers to the act of denying association
with a message (ie claiming it was sent by a third party). The recipient of a message may
insist that the sender attach a signature in order to prevent any later repudiation, since the
recipient may show the message to a third party to prove its origin.
2.2.4 Implementation
Digital signature schemes rely on public-key cryptography. In public-key cryptography,
each user has a pair of keys: one public and one private. The public key is distributed
freely, but the private key is kept secret and confidential; another requirement is that it
should be infeasible to derive the private key from the public key.
A general digital signature scheme consists of three algorithms:
- A key generation algorithm
- A signing algorithm
- A verification algorithm
For example, consider the situation in which Bob sends a message to Alice and wants to
be able to prove it came from him. Bob sends his message to Alice and attaches a digital
signature. The digital signature is generated using Bob's private key, and takes the form
of a simple numerical value (normally represented as a string of binary digits). On
receipt, Alice can then check whether the message really came from Bob by running the
verification algorithm on the message together with the signature and Bob's public key. If
they match, then Alice can be confident that the message really was from Bob, because
the signing algorithm is designed so that it is very difficult to forge a signature to match a
given message (unless one has knowledge of the private key, which Bob has kept secret).
Usually, for efficiency reasons, Bob first applies a cryptographic hash function to the
message before signing. This makes the signature much shorter and saves time, since
hashing is generally much faster than signing in implementations; it also allows messages
of any length to be signed with a fixed-size signing operation. However, if the message
digest algorithm is insecure (for example, if it is possible to generate hash collisions),
then it might be feasible to forge digital signatures: a signature obtained on one message
of a colliding pair is equally valid for the other.
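The bank scenario of 2.2.1 (replay), the cubing attack of 2.2.2 and the hash-then-sign procedure of 2.2.4 can all be run end to end with a toy RSA in pure Python. The following is an added example and not part of the original report: the key is built from two fixed, publicly known Mersenne primes (so it offers no real security), the instruction format `seq,account,amount` and the account number 4711 are constructed for the demonstration, and the encryption is deliberately left unpadded so that the malleability described above is visible. A real system would wrap the hash in a padding scheme such as RSASSA-PSS and would never use fixed primes.

```python
import hashlib

# Toy RSA with two fixed Mersenne primes (2^127-1 and 2^107-1). These are
# real primes, but fixed, public and of a special form, so this key offers
# no security at all: it exists only to show the mechanics discussed above.
P = 170141183460469231731687303715884105727   # 2**127 - 1
Q = 162259276829213363391578010288127          # 2**107 - 1
N = P * Q                                      # about 234 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def encrypt(pub, m: int) -> int:
    """Textbook RSA: c = m^e mod n (no padding, hence malleable)."""
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def homomorphism_attack(pub, c: int, k: int) -> int:
    """The 2.2.2 bank example: without knowing the plaintext, an interceptor
    turns E(b) into E(b^k) because E(b)^k = b^(e*k) = E(b^k) mod n."""
    n, _ = pub
    return pow(c, k, n)


def _digest(msg: bytes) -> int:
    # SHA-224 output (224 bits) is smaller than the 234-bit modulus, so the
    # digest is a valid RSA input without any reduction. Real systems put a
    # padding scheme such as RSASSA-PSS or PKCS#1 v1.5 around the hash.
    return int.from_bytes(hashlib.sha224(msg).digest(), "big")


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest(msg)


class Receiver:
    """Verifier for instructions of the form b'seq,account,amount'. A valid
    signature alone does not stop the 2.2.1 replay: the same bytes verify
    every time. The receiver therefore also rejects any sequence number it
    has already accepted."""

    def __init__(self, pub):
        self.pub = pub
        self.seen = set()

    def accept(self, msg: bytes, sig: int) -> bool:
        seq = msg.split(b",")[0]
        if seq in self.seen or not verify(self.pub, msg, sig):
            return False
        self.seen.add(seq)
        return True


def demo():
    # Constructed sample: a branch office credits 100 to account 4711.
    account, amount = 4711, 100

    # Encryption only (2.2.2): the interceptor cubes the ciphertext.
    c = encrypt(PUBLIC_KEY, amount)
    cubed = decrypt(PRIVATE_KEY, homomorphism_attack(PUBLIC_KEY, c, 3))

    # Hash-then-sign (2.2.4): the same manipulation on a signed message fails.
    msg = b"1,%d,%d" % (account, amount)
    sig = sign(PRIVATE_KEY, msg)
    genuine = verify(PUBLIC_KEY, msg, sig)
    tampered = verify(PUBLIC_KEY, b"1,%d,%d" % (account, amount ** 3), sig)

    # Replay (2.2.1): the first delivery is accepted, the replayed copy is not.
    bank = Receiver(PUBLIC_KEY)
    first, replayed = bank.accept(msg, sig), bank.accept(msg, sig)

    return {"cubed": cubed, "genuine": genuine, "tampered": tampered,
            "first": first, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `cubed == 1000000`: the £100 deposit became a million without the attacker decrypting anything. The signed variant fails verification after the same change, and the receiver's sequence-number check turns the otherwise valid replay into a rejection.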
2.3 Key Agreement Protocol
In cryptography, a key-agreement protocol is a protocol whereby two or more parties
can agree on a key in such a way that both influence the outcome. If properly done, this
precludes undesired third-parties from forcing a key choice on the agreeing parties.
Protocols which are useful in practice also do not reveal to any eavesdropping party what
key has been agreed upon.
2.3.1 Exponential key exchange
The first publicly known key agreement protocol that meets the above criteria was the
Diffie-Hellman exponential key exchange, in which two people jointly exponentiate a
generator with random numbers, in such a way that an eavesdropper has no way of
guessing what the key is.
However, exponential key exchange in and of itself does not specify any prior agreement
or subsequent authentication between the participants. It has thus been described as an
anonymous key agreement protocol.
2.3.2 Authentication
Anonymous key exchange, like Diffie-Hellman, does not provide authentication of the
parties, and is thus vulnerable to a man-in-the-middle (MITM) attack.
A wide variety of cryptographic authentication schemes and protocols have been
developed to provide authenticated key agreement to prevent man-in-the-middle and
related attacks. These methods generally mathematically bind the agreed key to other
agreed-upon data, such as:
- Public/private key pairs
- Shared secret keys
- Passwords
- Other tricks
Public keys
A widely used mechanism for defeating such attacks is the use of digitally signed keys
that must be integrity-assured: if Bob's key is signed by a trusted third party vouching for
his identity, Alice can have considerable confidence that a signed key she receives is not
an attempt by Mallory to intercept. When Alice and Bob have a public key infrastructure
they may digitally sign the agreed Diffie-Hellman key, or the exchanged Diffie-Hellman
public values. Such signed keys, usually certified by a certificate authority, are one of the
primary mechanisms used for secure web traffic (HTTPS, i.e. SSL and its successor
Transport Layer Security). Other specific examples are MQV and the ISAKMP component
of the IPsec protocol suite for securing Internet Protocol communications. However,
these systems only work if the certificate authorities take care in endorsing the match
between identity information and public keys. Systems of this kind are hybrid systems:
public-key cryptography is used to establish secret keys which are then used in
symmetric-key cryptography.
Shared secret keys
Secret-key (symmetric) cryptography requires the initial exchange of a shared key in a
manner that is private and integrity-assured. When done right, a MITM attack is prevented.
However, without the use of public key cryptography, one may be left with undesirable
key management problems.
Passwords
Password-authenticated key agreement protocols require the separate establishment of a
password (which may be smaller than a key) in a manner that is both private and
integrity-assured. These are designed to resist MITM and other active attacks on the
password and the established keys. For example, DH-EKE, SPEKE, and SRP are
password-authenticated variations of Diffie-Hellman.
Other tricks
If one has an integrity-assured way to verify a shared-key over a public channel, one may
engage in a Diffie-Hellman key exchange to derive a one-time shared key, and then
subsequently authenticate that the keys match. One way is to use a voice-authenticated
read-out of the key, as in PGPfone. Voice authentication, however, presumes that it is
infeasible for a MITM to spoof one participant's voice to the other in real-time, which
may be an undesirable assumption. Such protocols may be designed to work with even a
small public value, such as a password. Variations on this theme have been proposed for
Bluetooth pairing protocols.
In an attempt to avoid using any additional out-of-band authentication factors, Davies and
Price proposed the use of the Interlock Protocol of Ron Rivest and Adi Shamir, which has
been subject to both attack and subsequent refinement.
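The exchange of 2.3.1, the man-in-the-middle of 2.3.2 and the "read the key fingerprint aloud" defence under "Other tricks" can be seen in a few dozen lines of Python. This is an added example, not part of the original report: the group is a safe prime generated from a seeded random number generator (seeding only makes the run reproducible and is not a practice to copy), generator 4 is chosen because it lies in the order-q subgroup, and the names Alice, Bob and Mallory follow the text. Besides the attack it adds the public-value validation a practitioner would want, which rejects 0, 1, p-1 and any value outside the prime-order subgroup.

```python
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int, rng: random.Random):
    """Return (p, q) with p = 2q + 1 both prime. In such a group every element
    other than 1 and p-1 has order q or 2q, so small-subgroup confinement of
    the shared key is impossible."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(p, rng) and is_probable_prime(q, rng):
            return p, q


def valid_public_value(p: int, q: int, y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def fingerprint(key: int) -> str:
    """Short value the parties could read to each other over a voice channel,
    the PGPfone approach described above under 'Other tricks'."""
    raw = key.to_bytes((key.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()[:8]


def honest_exchange(p, q, g, rng):
    a, b = rng.randrange(2, q), rng.randrange(2, q)   # private exponents
    A, B = pow(g, a, p), pow(g, b, p)                 # sent in the clear
    assert valid_public_value(p, q, A) and valid_public_value(p, q, B)
    return pow(B, a, p), pow(A, b, p)                 # Alice's key, Bob's key


def mitm_exchange(p, q, g, rng):
    a, b, m = rng.randrange(2, q), rng.randrange(2, q), rng.randrange(2, q)
    A, B, M = pow(g, a, p), pow(g, b, p), pow(g, m, p)
    # Mallory replaces both A and B with her own M in transit. M is a perfectly
    # well-formed public value, so validation alone cannot catch this.
    alice_key = pow(M, a, p)       # Alice believes she shares this with Bob
    bob_key = pow(M, b, p)         # Bob believes he shares this with Alice
    mallory_alice, mallory_bob = pow(A, m, p), pow(B, m, p)
    return alice_key, bob_key, mallory_alice, mallory_bob


def demo(bits: int = 96, seed: int = 7):
    rng = random.Random(seed)      # seeded for a reproducible demonstration only
    p, q = gen_safe_prime(bits, rng)
    g = 4                          # a quadratic residue, so it generates the order-q subgroup
    ka, kb = honest_exchange(p, q, g, rng)
    a_key, b_key, ma, mb = mitm_exchange(p, q, g, rng)
    return {
        "honest_agree": ka == kb,
        "mitm_split": a_key != b_key and a_key == ma and b_key == mb,
        "fingerprints_differ": fingerprint(a_key) != fingerprint(b_key),
        "rejects_trivial": (not valid_public_value(p, q, 0)
                            and not valid_public_value(p, q, 1)
                            and not valid_public_value(p, q, p - 1)),
    }


if __name__ == "__main__":
    print(demo())
```

In the honest run both sides compute the same key; in the attacked run Alice and Bob end up with two different keys, each of which Mallory also holds, so she can decrypt, read and re-encrypt everything in between. Comparing the two fingerprints over a channel Mallory cannot forge in real time exposes the attack, which is exactly the assumption the text flags as questionable for voice.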
2.4 One-Way Functions
A one-way function is a mathematical function that is significantly easier to compute in
one direction (the forward direction) than in the opposite direction (the inverse direction).
It might be possible, for example, to compute the function in the forward direction in
seconds but to compute its inverse could take months or years, if at all possible. A
trapdoor one-way function is a one-way function for which the inverse direction is easy
given a certain piece of information (the trapdoor), but difficult otherwise.
Public-key cryptosystems are based on (presumed) trapdoor one-way functions. The
public key gives information about the particular instance of the function; the private key
gives information about the trapdoor. Whoever knows the trapdoor can compute the
function easily in both directions, but anyone lacking the trapdoor can only perform the
function easily in the forward direction. The forward direction is used for encryption and
signature verification; the inverse direction is used for decryption and signature
generation.
In almost all public-key systems, the size of the key corresponds to the size of the inputs
to the one-way function; the larger the key, the greater the difference between the efforts
necessary to compute the function in the forward and inverse directions (for someone
lacking the trapdoor). For a digital signature to be secure for years, for example, it is
necessary to use a trapdoor one-way function with inputs large enough that someone
without the trapdoor would need many years to compute the inverse function (that is, to
generate a legitimate signature).
All practical public-key cryptosystems are based on functions that are believed to be
one-way, but no function has been proven to be so. This means it is theoretically possible
to discover algorithms that can compute the inverse direction easily without a trapdoor for
some of the one-way functions; this development would render any cryptosystem based
on these one-way functions insecure and useless. On the other hand, further research in
theoretical computer science may result in concrete lower bounds on the difficulty of
inverting certain functions; this would be a landmark event with significant positive
ramifications for cryptography.
2.5 Comparison between Symmetric and Asymmetric Key Algorithms
Advantages and disadvantages of public-key cryptography compared with secret-key cryptography
The primary advantage of public-key cryptography is increased security and
convenience: private keys never need to be transmitted or revealed to anyone. In a
secret-key system, by contrast, the secret keys must be transmitted (either manually or
through a communication channel) since the same key is used for encryption and
decryption. A serious concern is that an enemy may discover the secret key during
transmission.
Another major advantage of public-key systems is that they can provide digital signatures
that cannot be repudiated. Authentication via secret-key systems requires the sharing of
some secret and sometimes requires trust of a third party as well. As a result, a sender can
repudiate a previously authenticated message by claiming the shared secret was somehow
compromised by one of the parties sharing the secret. For example, the Kerberos
secret-key authentication system involves a central database that keeps copies of the
secret keys of all users; an attack on the database would allow widespread forgery.
Public-key authentication, on the other hand, prevents this type of repudiation; each user
has sole responsibility for protecting his or her private key. This property of public-key
authentication is often called non-repudiation.
A disadvantage of using public-key cryptography for encryption is speed. There are many
secret-key encryption methods that are significantly faster than any currently available
public-key encryption method. Nevertheless, public-key cryptography can be used with
secret-key cryptography to get the best of both worlds. For encryption, the best solution is
to combine public- and secret-key systems in order to get both the security advantages of
public-key systems and the speed advantages of secret-key systems. Such a protocol is
called a digital envelope.
Public-key cryptography may be vulnerable to impersonation, even if users' private keys
are not available. A successful attack on a certification authority will allow an adversary
to impersonate whomever he or she chooses by using a public-key certificate from the
compromised authority to bind a key of the adversary's choice to the name of another
user.
In some situations, public-key cryptography is not necessary and secret-key cryptography
alone is sufficient. These include environments where secure secret key distribution can
take place, for example, by users meeting in private. It also includes environments where
a single authority knows and manages all the keys, for example, a closed banking system.
Since the authority knows everyone's keys already, there is not much advantage for some
to be "public" and others to be "private." Note, however, that such a system may become
impractical if the number of users becomes large; there are not necessarily any such
limitations in a public-key system.
Public-key cryptography is usually not necessary in a single-user environment. For
example, if you want to keep your personal files encrypted, you can do so with any
secret-key encryption algorithm using a key derived from your personal password as the
secret key. In general, public-key cryptography is best suited for an open multi-user
environment.
Public-key cryptography is not meant to replace secret-key cryptography, but rather to
supplement it, to make it more secure. The first use of public-key techniques was for
secure key establishment in a secret-key system; this is still one of its primary functions.
Secret-key cryptography remains extremely important and is the subject of much ongoing
study and research.
3 History
The history of cryptography dates back thousands of years. Until recent decades, it has
been a history of classic cryptography — of methods of encryption that use pen and
paper, or perhaps simple mechanical aids. In the early 20th century, the invention of
complex mechanical and electromechanical machines, such as the Enigma rotor machine,
provided more sophisticated and efficient means of encryption; and the subsequent
introduction of electronics and computing has allowed elaborate schemes of still greater
complexity.
The evolution of cryptography has been paralleled by the evolution of cryptanalysis — of
the "breaking" of codes and ciphers. The discovery and application, early on, of
frequency analysis to the reading of encrypted communications has on occasion altered
the course of history. Thus British decryption of the Zimmermann Telegram helped bring about
the United States' entry into World War I; and Allied reading of Nazi Germany's ciphers
may have shortened World War II by as much as two years.
Until the 1970s, secure cryptography was largely the preserve of governments. Two
events have since brought it squarely into the public domain: the creation of a public
encryption standard (DES); and the invention of public-key cryptography.
For most of the history of cryptography, a key had to be kept absolutely secret and would
be agreed upon beforehand using a secure, but non-cryptographic, method; for example, a
face-to-face meeting or a trusted courier. There are a number of significant practical
difficulties in this approach to distributing keys. Public key cryptography was invented to
address these drawbacks — with public key cryptography, users can communicate
securely over an insecure channel without having to agree upon a shared key beforehand.
The first invention of an asymmetric key algorithm was by Clifford Cocks, then a recent
mathematics graduate and a new staff member at GCHQ in the UK, early in the 1970s.
This fact was kept secret until 1997.
An asymmetric key cryptosystem was published in 1976 by Whitfield Diffie and Martin
Hellman, who, influenced by Ralph Merkle's work on public key distribution, disclosed a
method of public key agreement. This method of exponential key exchange, which came
to be known as Diffie-Hellman key exchange, was the first published practical method
for establishing a shared secret key over an unprotected communications channel without
using a prior shared secret. Merkle's public key agreement technique known as Merkle's
Puzzles was published in 1978.
The Cocks method was reinvented in 1977 by Rivest, Shamir and Adleman all then at
MIT. The latter authors published their work in 1978, and the algorithm appropriately
came to be known as RSA. RSA uses exponentiation modulo a product of two large
primes to encrypt and decrypt, performing both public key encryption and public key
digital signature, and its security is based on the presumed difficulty of factoring large
integers.
Since the 1970s, a large number and variety of encryption, digital signature, key
agreement, and other techniques have been developed in the field of public key
cryptography. The ElGamal cryptosystem (published by Taher ElGamal in 1985)
relies on the (similar, and related) difficulty of the discrete logarithm problem, as does the
closely related DSA developed by the NSA and NIST. The introduction of elliptic curve
cryptography by Neal Koblitz and Victor Miller, independently, in the mid '80s has yielded
a new family of analogous public key algorithms. Although mathematically more complex,
elliptic curves appear to provide a more efficient way to leverage the discrete logarithm
problem, particularly with respect to key size.
4 Security
There is nothing especially more secure about asymmetric key algorithms than symmetric
key algorithms. There are popular ones and unpopular ones. There are broken ones and
ones that are, for now, not broken. Unfortunately, popularity is not a reliable indicator of
security. Some algorithms have security proofs with various properties, and of varying
quality. Many proofs claim that breaking an algorithm, with respect to some well-defined
security goals, is equivalent to solving one of the more popular mathematical problems
that are presumed to be intractable, like factoring large integers or finding discrete
logarithms. And some proofs have been shown to be broken too. In general, none of these
algorithms has been proved secure in as absolute a sense as the one-time pad has. As with
all cryptographic algorithms, these algorithms must be chosen and used with care.
In cryptography, the one-time pad (OTP) is the only encryption method proven to be
unbreakable: the plaintext is combined with a truly random "pad" (key) at least as long as the
plaintext, and each pad is used only once. The "pad" part of the name comes from early
implementations of the key material as a pad of gummed paper (for easy concealment, the
pad was often physically very small).
5 Applications
The most known application of a public key encryption system is confidentiality; a
message which a sender encrypts using the recipient's public key can only be decrypted
by the recipient's paired private key.
Public-key digital signature algorithms can be used for sender authentication. For
instance, a user can sign a message with his own private key (in textbook RSA, by applying
his private exponent to it) and send it. If another user can successfully check it using the
corresponding public key, this provides assurance that the first user (and no other) sent it.
These characteristics are useful for many other, sometimes surprising, applications, like
digital cash (electronic money, also known as digital money or digital currency: money that
is exchanged only in electronic form), password-authenticated key agreement, multi-party key
agreement, etc.
5.1 Confidentiality
Confidentiality has been defined by the International Organization for Standardization
(ISO) as "ensuring that information is accessible only to those authorized to have access"
and is one of the cornerstones of Information security. Confidentiality is one of the
design goals for many cryptosystems, made possible in practice by the techniques of
modern cryptography.
Confidentiality also refers to an ethical principle associated with several professions (eg,
medicine, law, religion, journalism). In ethics, and (in some places) in law, some types of
communication between a person and one of these professionals are "privileged" and may
not be discussed or divulged to third parties. In those jurisdictions in which the law
makes provision for such confidentiality, there are usually penalties for its violation.
Confidentiality of information, enforced in an adaptation of the military's classic "need-to-know"
principle, forms the cornerstone of information security in today's corporations.
5.2 Authentication
In computer security, authentication (Greek: αυθεντικός, from 'authentes'='author') is the
process by which a computer, computer program, or another user attempts to confirm that
the computer, computer program, or user from whom the second party has received some
communication is, or is not, the claimed first party. A blind credential, in contrast, does
not establish identity at all, but only a narrow right or status of the user or program.
In a Web of trust "authentication" is a way to ensure users are who they say they are--that
the user who attempts to perform functions in a system is in fact the user who is
authorized to do so.
To distinguish authentication from the closely related term authorization, the short-hand
notations A1 (authentication) and A2 (authorization) are occasionally used.
The problem of authorization is often thought to be identical to that of authentication;
many widely adopted standard security protocols, obligatory regulations, and even
statutes are based on this assumption. However, there are many cases in which these two
problems are distinct.
One familiar example is access control. A computer system supposed to be used only by
those authorized must attempt to detect and exclude the unauthorized. Access to it is
therefore usually controlled by insisting on an authentication procedure to establish with
some established degree of confidence the identity of the user, thence granting those
privileges as may be authorized to that identity. Common examples of access control
involving authentication include:
Withdrawing cash from an ATM.
Controlling a remote computer over the Internet.
Using an Internet banking system.
However, note that much of the discussion on these topics is misleading because terms
are used without precision. Part of this confusion may be due to the 'law enforcement'
tone of much of the discussion. No computer, computer program, or computer user can
'confirm the identity' of another party. It is not possible to 'establish' or 'prove' an identity,
either. There are tricky issues lurking under what appears to be a straightforward surface.
It is only possible to apply one or more tests which, if passed, have been previously
declared to be sufficient to proceed. The problem is to determine which tests are
sufficient, and many such are inadequate. There have been many instances of such tests
having been spoofed successfully; they have by their failure shown themselves,
inescapably, to be inadequate. Many people continue to regard the test(s) -- and the
decision to regard success in passing them -- as acceptable, and blame their failure on
'sloppiness' or 'incompetence' on the part of someone. The problem is that the test was
supposed to work in practice -- not under ideal conditions of no sloppiness or
incompetence -- and did not. It is the test which has failed in such cases. Consider the
very common case of a confirmation email which must be replied to in order to activate
an online account of some kind. Since email can easily be arranged to go to or come from
bogus and untraceable addresses, this is just about the least authentication possible.
Success in passing this test means little, without regard to sloppiness or incompetence.
Multifactor authentication
The methods by which a human can authenticate themselves are generally classified into
three cases:
Something the user is (e.g., fingerprint or retinal pattern, DNA sequence
(there are assorted definitions of what is sufficient), voice pattern (again several
definitions), signature recognition or another biometric identifier)
Something the user has (e.g., ID card, security token, software token or cell
phone)
Something the user knows (e.g., a password, a pass phrase or a personal
identification number (PIN))
Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case
the term 'two-factor authentication' is used.
Historically, fingerprints have been used as the most authoritative method of
authentication, but recent court cases in the US and elsewhere have raised fundamental
doubts about fingerprint reliability. Other biometric methods are promising (retinal scans,
for example), but have shown themselves to be easily spoofable in practice.
In a computer data context, cryptographic methods have been developed (digital
signature and challenge-response authentication) which are currently not spoofable if
(and only if) the originator's key has not been compromised. That the originator (or
anyone other than an attacker) knows (or doesn't know) about a compromise is irrelevant.
It is not known whether these cryptographically based authentication methods are
provably secure since unanticipated mathematical developments may make them
vulnerable to attack in future. If that were to occur, it may call into question much of the
authentication in the past. In particular, a digitally signed contract may be questioned
when a new attack on the cryptography underlying the signature is discovered.
6 Techniques in Asymmetric Key Cryptography
Cryptographic algorithms are the basic building blocks of cryptographic applications and
protocols. This chapter presents most of the important public-key algorithms and one
unsuccessful one.
6.1 RSA Cryptosystem
In cryptography, RSA is an algorithm for public-key encryption. It was the first
algorithm known to be suitable for signing as well as encryption, and one of the first
great advances in public key cryptography. RSA is still widely used in electronic
commerce protocols, and is believed to be secure given sufficiently long keys.
History of RSA
The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman at
MIT; the letters RSA are the initials of their surnames.
Clifford Cocks, a British mathematician working for GCHQ, described an equivalent
system in an internal document in 1973. Given the relatively expensive computers needed
to implement it at the time it was mostly considered a curiosity and, as far as is publicly
known, was never deployed. His discovery, however, was not revealed until 1997 due to
its top-secret classification.
The algorithm was patented by MIT in 1983 in the United States of America as U.S.
Patent 4,405,829. It expired on 21 September 2000. Since the algorithm had been
published prior to patent application, regulations in much of the rest of the world
precluded patents elsewhere. Had Cocks' work been publicly known, a patent in the US
would not have been possible either.
RSA Algorithm
The RSA algorithm works as follows:
Take two large primes, p and q, and compute their product n = pq; n is called the
modulus. Choose a number, e, less than n and relatively prime to (p-1)(q-1), which means
e and (p-1)(q-1) have no common factors except 1. Find another number d such that (ed - 1)
is divisible by (p-1)(q-1), i.e. ed = 1 mod (p-1)(q-1). The values e and d are called the
public and private exponents, respectively. The public key is the pair (n, e); the private
key is (n, d). The factors p and q may be destroyed or kept with the private key.
It is currently difficult to obtain the private key d from the public key (n, e). However if
one could factor n into p and q, then one could obtain the private key d. Thus the security
of the RSA system is based on the assumption that factoring is difficult. The discovery of
an easy method of factoring would "break" RSA.
Here is how the RSA system can be used for encryption and digital signatures (in
practice, the actual use is slightly different, as the section on padding schemes explains):
Encryption
Suppose Alice wants to send a message m to Bob. Alice creates the ciphertext c by
exponentiating: c = m^e mod n, where e and n are Bob's public key. She sends c to Bob. To
decrypt, Bob also exponentiates: m = c^d mod n; the relationship between e and d ensures
that Bob correctly recovers m. Since only Bob knows d, only Bob can decrypt this
message.
Digital Signature
Suppose Alice wants to send a message m to Bob in such a way that Bob is assured that the
message is authentic, has not been tampered with, and came from Alice. Alice creates a
digital signature s by exponentiating: s = m^d mod n, where d and n are Alice's private key.
She sends m and s to Bob. To verify the signature, Bob exponentiates and checks that the
message m is recovered: m = s^e mod n, where e and n are Alice's public key.
Thus encryption and authentication take place without any sharing of private keys: each
person uses only another's public key or their own private key. Anyone can send an
encrypted message or verify a signed message, but only someone in possession of the
correct private key can decrypt or sign a message.
A working example of RSA
Here is an example of RSA encryption and decryption. The parameters used here are
artificially small, but you can also use OpenSSL to generate and examine a keypair.
We let
p = 61 (first prime number; to be kept secret or deleted securely)
q = 53 (second prime number; to be kept secret or deleted securely)
n = pq = 3233 (modulus; to be made public)
e = 17 (public exponent; to be made public)
d = 2753 (private exponent; to be kept secret)
The public key is (e, n). The private key is d. The encryption function is:
encrypt(m) = m^e mod n = m^17 mod 3233 where m is the plaintext. The decryption function
is: decrypt(c) = c^d mod n = c^2753 mod 3233 where c is the ciphertext.
To encrypt the plaintext value 123, we calculate encrypt(123) = 123^17 mod 3233 = 855.
To decrypt the ciphertext value 855, we calculate decrypt(855) = 855^2753 mod 3233 = 123.
Both of these computations can be done efficiently using the square-and-multiply
algorithm for modular exponentiation, which needs at most about 2 log2(exponent) modular
multiplications and never forms the full power before reducing.
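As an added worked example (this is not code from the original report), the following Python script implements the steps above: key generation with the extended Euclidean algorithm for d, square-and-multiply exponentiation, and textbook encryption, decryption, signing and verification, run on the report's own parameters p = 61, q = 53, e = 17. Function names are arbitrary, and this is unpadded textbook RSA, which the next section explains must not be used as-is.

```python
# Added example, not part of the original report: textbook RSA built from the
# definitions in the text, using the report's toy parameters. No padding.


def square_and_multiply(base: int, exponent: int, modulus: int) -> int:
    """Left-to-right binary exponentiation: one squaring per exponent bit,
    plus one multiplication per 1 bit, each reduced modulo the modulus."""
    result = 1
    base %= modulus
    for bit in bin(exponent)[2:]:          # most significant bit first
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
    return result


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: arguments are not coprime")
    return x % m


def keygen(p: int, q: int, e: int):
    """Returns ((n, e), (n, d)); d is the inverse of e modulo (p-1)(q-1),
    so e*d - 1 is divisible by (p-1)(q-1) as the text requires."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return square_and_multiply(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return square_and_multiply(c, d, n)


def sign(private_key, m: int) -> int:
    n, d = private_key
    return square_and_multiply(m, d, n)


def verify(public_key, m: int, s: int) -> bool:
    n, e = public_key
    return square_and_multiply(s, e, n) == m % n


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)
    print("public key", pub, "private key", priv)      # (3233, 17) (3233, 2753)
    c = encrypt(pub, 123)
    print("encrypt(123) =", c, "decrypt ->", decrypt(priv, c))   # 855, 123
    s = sign(priv, 123)
    print("signature", s, "verifies:", verify(pub, 123, s))       # True
    print("tampered message verifies:", verify(pub, 124, s))      # False
```

The square-and-multiply routine is written out rather than calling Python's built-in pow(m, e, n) so the cost argument in the text is visible: the loop runs once per bit of the exponent, which is what makes a 2753-bit or 2048-bit exponent tractable.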
Padding schemes
When used in practice, RSA must be combined with some form of padding scheme, so
that no values of M result in insecure ciphertexts. RSA used without padding may suffer
from a number of potential problems:
The values m = 0 or m = 1 always produce ciphertexts equal to 0 or 1
respectively, due to the properties of exponentiation.
When encrypting with low encryption exponents (e.g., e = 3) and small values of
m, the (non-modular) result of m^e may be strictly less than the modulus n. In
this case, ciphertexts may be easily decrypted by taking the eth root of the
ciphertext with no regard to the modulus.
Because RSA encryption is a deterministic encryption algorithm-- i.e., has no
random component-- an attacker can successfully launch a chosen plaintext attack
against the cryptosystem, building a dictionary by encrypting likely plaintexts
under the public key, and storing the resulting ciphertexts. When matching
ciphertexts are observed on a communication channel, the attacker can use this
dictionary in order to learn the content of the message.
In practice, the first two problems might arise when sending short ASCII messages,
where m is the concatenation of one or more ASCII-encoded character(s). A message
consisting of a single ASCII NUL character (whose numeric value is 0) would be encoded
as m = 0, which produces a ciphertext of 0 regardless of what e and n are used. Likewise,
a single ASCII SOH (whose numeric value is 1) would always produce a ciphertext of 1.
For systems which conventionally use small values of e, such as 3, all single character
ASCII messages encoded using this scheme would be insecure, since the largest m would
have a value of 255, and 255^3 = 16,581,375 is less than any reasonable modulus. Such
plaintexts could be recovered by simply taking the cube root of the ciphertext.
To avoid these problems, practical RSA implementations typically embed some form of
structured, randomized padding into the value m before encrypting it. This padding
ensures that m does not fall into the range of insecure plaintexts, and that a given
message, once padded, will encrypt to one of a large number of different possible
ciphertexts. The latter property can increase the cost of a dictionary attack beyond the
capabilities of a reasonable attacker.
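The following added example (not code from the original report) runs the two attacks just described against a constructed e = 3 key whose modulus is a little over 2^32, and then shows that a randomised prefix makes both fail. The prefix scheme, pad(), is an illustration of the property the text describes and is not PKCS #1; a real implementation must use a standard padding such as OAEP. The primes are chosen by trial division at run time so that e = 3 is a valid exponent.

```python
# Added example, not part of the original report: small-exponent and
# dictionary attacks on unpadded RSA, and a randomised prefix that defeats them.
import math
import secrets


def is_prime(n):
    """Trial division; adequate for the 17-bit primes used in this demo."""
    if n < 2:
        return False
    return all(n % f for f in range(2, math.isqrt(n) + 1))


def next_prime_for_exponent(start, e):
    """Smallest prime p >= start with gcd(e, p - 1) == 1, so e is a valid public exponent."""
    p = start
    while not (is_prime(p) and math.gcd(e, p - 1) == 1):
        p += 1
    return p


E = 3
P = next_prime_for_exponent(1 << 16, E)       # constructed toy key
Q = next_prime_for_exponent(P + 1, E)
N = P * Q                                      # just above 2^32, far larger than 255^3
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent (Python 3.8+)


def int_root(x, k):
    """Floor of the k-th root of x >= 0, by binary search on integers."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_e_attack(c, e):
    """If m^e < n, the reduction mod n never happened and c is an exact e-th power."""
    m = int_root(c, e)
    return m if m ** e == c else None


def dictionary_attack(c, n, e):
    """Deterministic encryption: precompute all 256 single-byte plaintexts and match."""
    table = {pow(m, e, n): m for m in range(256)}
    return table.get(c)


def pad(m):
    """Illustrative randomised prefix (NOT PKCS #1): 24 random bits above the
    byte, so the padded integer is unpredictable and pad(m)^3 exceeds n."""
    if not 0 <= m < 256:
        raise ValueError("demo pads a single byte")
    r = (1 << 16) + secrets.randbelow((1 << 24) - (1 << 16))
    return (r << 8) | m


def unpad(padded):
    return padded & 0xFF


def encrypt(m):
    return pow(m, E, N)


def decrypt(c):
    return pow(c, D, N)


if __name__ == "__main__":
    m = ord("A")
    c = encrypt(m)                             # unpadded single ASCII character
    print("cube-root attack recovers:", small_e_attack(c, E))        # 65
    print("dictionary attack recovers:", dictionary_attack(c, N, E))  # 65
    c1, c2 = encrypt(pad(m)), encrypt(pad(m))
    print("padded: ciphertexts differ:", c1 != c2,
          "cube-root attack:", small_e_attack(c1, E),                # None
          "dictionary attack:", dictionary_attack(c1, N, E),         # None
          "decrypts to:", chr(unpad(decrypt(c1))))                   # A
```

Both attacks need only the public key and a ciphertext. The padded variant defeats the cube-root attack because the padded value is larger than the cube root of n, and the dictionary attack because the same byte now encrypts to one of 2^24 possible ciphertexts.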
Standards such as PKCS #1 have been carefully designed to securely pad messages prior to
RSA encryption. Because these schemes pad the plaintext m with some number of
additional bits, the size of the un-padded message M must be somewhat smaller than the modulus. RSA
padding schemes must be carefully designed so as to prevent sophisticated attacks which
may be facilitated by a predictable message structure. Early versions of the PKCS
standard used ad-hoc constructions, which were later found vulnerable to a practical
adaptive chosen ciphertext attack. Modern constructions use secure techniques such as
Optimal Asymmetric Encryption Padding (OAEP) to protect messages while preventing
these attacks. The PKCS standard also incorporates processing schemes designed to
provide additional security for RSA signatures, e.g., the Probabilistic Signature Scheme
for RSA (RSA-PSS).
Signing messages
RSA can also be used to sign a message. Suppose Alice wishes to send a signed message
to Bob. She produces a hash value of the message, raises it to the power of d mod n (as
she does when decrypting a message), and attaches it as a "signature" to the message.
When Bob receives the signed message, he raises the signature to the power of e mod n
(as he does when encrypting a message), and compares the resulting hash value with the
message's actual hash value. If the two agree, he knows that the author of the message
was in possession of Alice's secret key, and that the message has not been tampered with
since.
Note that secure padding schemes such as RSA-PSS are as essential for the security of
message signing as they are for message encryption, and that the same key should never
be used for both encryption and signing purposes.
Security
The security of the RSA cryptosystem is based on two mathematical problems: the
problem of factoring very large numbers, and the RSA problem. Full decryption of an
RSA ciphertext is thought to be infeasible on the assumption that both of these problems
are hard, i.e., no efficient algorithm exists for solving them. Providing security against
partial decryption may require the addition of a secure padding scheme.
The RSA problem is defined as the task of taking eth roots modulo a composite n:
recovering a value m such that m^e = c mod n, where (e, n) is an RSA public key and c is an
RSA ciphertext. Currently the most promising approach to solving the RSA problem is to
factor the modulus n. With the ability to recover prime factors, an attacker can compute
the secret exponent d from a public key (e, n), then decrypt c using the standard
procedure. To accomplish this, an attacker factors n into p and q, and computes (p-1)(q-1)
which allows the determination of d from e. No polynomial-time method for factoring
large integers on a classical computer has yet been found, but it has not been proven that
none exists.
As of 2005, the largest number factored by general-purpose methods was 663 bits long,
using state-of-the-art distributed methods. RSA keys are typically 1024–2048 bits long.
Some experts believe that 1024-bit keys may become breakable in the near term (though
this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable
future. Therefore, it is generally presumed that RSA is secure if n is sufficiently large. If
n is 256 bits or shorter, it can be factored in a few hours on a personal computer, using
software already freely available. If n is 512 bits or shorter, it can be factored by several
hundred computers as of 1999. A theoretical hardware device named TWIRL and
described by Shamir and Tromer in 2003 called into question the security of 1024 bit
keys. It is currently recommended that n be at least 2048 bits long.
In 1994, Peter Shor published Shor's algorithm, showing that a quantum computer could
in principle perform the factorization in polynomial time, rendering RSA and related
algorithms obsolete. However, as of this writing (2006), quantum computation is not
expected to be developed to such a level until at least 2015 or beyond.
Practical considerations of RSA
How to generate the Key:
Finding the large primes p and q is usually done by testing random numbers of the right
size with probabilistic primality tests which quickly eliminate virtually all non-primes.
p and q should not be 'too close', lest the Fermat factorization for n be successful.
Furthermore, if either p-1 or q-1 has only small prime factors, n can be factored quickly
and these values of p or q should therefore be discarded as well.
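The following added example (not code from the original report) turns the two pitfalls just described into the factoring routines they enable, Fermat's method for close primes and Pollard's p-1 method for a smooth p-1, and runs each against a constructed toy modulus that breaks the corresponding rule. The concrete moduli (65537 * 65539 and 2521 * 65537) are chosen here for illustration.

```python
# Added example, not part of the original report: factoring moduli whose
# primes were badly chosen. Toy sizes; the methods scale with the weakness.
import math


def fermat_factor(n, max_steps=1000):
    """Fermat's method: find a such that a^2 - n is a perfect square b^2, so
    n = (a - b)(a + b). When p and q are close, a = ceil(sqrt(n)) is already
    near (p + q)/2 and very few steps are needed. Returns None when the step
    budget runs out, which is what happens for well-separated primes."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def pollard_pm1(n, bound, base=2):
    """Pollard's p-1: let M be the product of all prime powers <= bound. If
    p - 1 divides M then base^M == 1 (mod p), so gcd(base^M - 1, n) reveals p.
    Returns None when no factor (or every factor) has such a smooth p - 1."""
    a = base
    for q in range(2, bound + 1):
        if all(q % f for f in range(2, math.isqrt(q) + 1)):   # q is prime
            power = q
            while power * q <= bound:
                power *= q
            a = pow(a, power, n)
    g = math.gcd(a - 1, n)
    return g if 1 < g < n else None


# Constructed weak moduli (toy sizes).
CLOSE_N = 65537 * 65539      # adjacent primes: n = 65538^2 - 1, so Fermat needs one step
SMOOTH_N = 2521 * 65537      # 2521 - 1 = 2520 = 2^3 * 3^2 * 5 * 7, every prime power <= 10;
                             # 2 has order 32 modulo 65537, which does not divide 2520

if __name__ == "__main__":
    print("Fermat on close primes:", fermat_factor(CLOSE_N))          # (65537, 65539)
    print("Fermat on distant primes:", fermat_factor(SMOOTH_N))       # None within 1000 steps
    print("Pollard p-1 on smooth p-1:", pollard_pm1(SMOOTH_N, 10))    # 2521
    print("Pollard p-1 on close primes:", pollard_pm1(CLOSE_N, 10))   # None
```

Fermat's method does eventually find the factors of SMOOTH_N as well (about 21,000 steps here, since it walks a up from sqrt(n) to (p + q)/2), which is exactly why key generators reject primes that are too close: the number of steps grows with the gap, not with the key size.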
One should not employ a prime search method which gives any information whatsoever
about the primes to the attacker. In particular, a good random number generator for the
start value needs to be employed. Note that the requirement here is both 'random' and
'unpredictable'. These are not the same criteria; a number may have been chosen by a
random process (ie, no pattern in the results), but if it is predictable in any manner (or
even partially predictable), the method used will result in loss of security. For example,
the random number table published by the Rand Corp in the 1950s might very well be
truly random, but it has been published and thus can serve an attacker as well. If the
attacker learns half of the bits of p or q, they can quickly compute the rest
(shown by Coppersmith in 1997).
It is important that the secret key d be large enough. Wiener showed in 1990 that if p is
between q and 2q (which is quite typical) and d < n^(1/4)/3, then d can be computed
efficiently from n and e (from the continued-fraction expansion of e/n). Although values
of e as low as 3 have been used in the past, low exponent RSA is also presently deprecated,
for reasons including the unpadded plaintext vulnerability listed above. 65537 (2^16 + 1) is a
commonly used value for e, as it is considered large enough to avoid small exponent attacks,
yet has a low enough Hamming weight (only two 1 bits) to facilitate efficient exponentiation.
Speed comparison with symmetric cryptosystems:
RSA is much slower than DES (The Data Encryption Standard) and other symmetric
cryptosystems. In practice, Bob typically encrypts a secret message with a symmetric
algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits
both the RSA-encrypted symmetric key and the symmetrically-encrypted message to
Alice.
This procedure raises additional security issues. For instance, it is of utmost importance
to use a strong random number generator for the symmetric key, because otherwise Eve
could bypass RSA by guessing the symmetric key.
How to distribute key:
As with all ciphers, how RSA public keys are distributed is important to security. Key
distribution must be secured against a man-in-the-middle attack. Suppose Eve has some
way to give Bob arbitrary keys and make him believe they belong to Alice. Suppose
further that Eve can intercept transmissions between Alice and Bob. Eve sends Bob her
own public key, which Bob believes to be Alice's. Eve can then intercept any ciphertext
sent by Bob, decrypt it with her own secret key, keep a copy of the message, encrypt the
message with Alice's public key, and send the new ciphertext to Alice. In principle,
neither Alice nor Bob would be able to detect Eve's presence. Defenses against such
attacks are often based on digital certificates or other components of a public key
infrastructure.
Timing attacks:
Kocher described an ingenious new attack on RSA in 1995: if the attacker Eve knows
Alice's hardware in sufficient detail and is able to measure the decryption times for
several known ciphertexts, she can deduce the decryption key d quickly. This attack can
also be applied against the RSA signature scheme. In 2003, Boneh and Brumley
demonstrated a more practical attack capable of recovering RSA factorizations over a
network connection (e.g., from a Secure Socket Layer (SSL)-enabled webserver). This
attack takes advantage of information leaked by the Chinese Remainder Theorem
optimization used by many RSA implementations.
One way to thwart these attacks is to ensure that the decryption operation takes a constant
amount of time for every ciphertext. However, this approach can significantly reduce
performance. Instead, most RSA implementations use an alternate technique known as
cryptographic blinding. RSA blinding makes use of the multiplicative property of RSA.
Instead of computing c^d mod n, Alice first chooses a secret random value r and computes
(r^e c)^d mod n. The result of this computation is r m mod n and so the effect of r can be
removed by multiplying by the inverse of r modulo n. A new value of r is chosen for each
ciphertext. With blinding applied, the decryption time is no longer correlated to the value
of the input ciphertext and so the timing attack fails.
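The following added example (not code from the original report) implements the blinding step above on the report's toy key (n = 3233, e = 17, d = 2753), and then uses the very same multiplicative property offensively, which is the reason given earlier that one key must never serve both raw decryption and raw signing: a signing operation on unpadded values is a decryption oracle, and the product of two signatures is a valid signature on the product of the messages. Function names and the sign_oracle callback are arbitrary.

```python
# Added example, not part of the original report: RSA blinding, and the same
# algebra turned into a decryption oracle and a signature forgery.
import math
import secrets

N, E, D = 3233, 17, 2753        # the report's toy key


def random_unit(n):
    """Random r in [2, n-1] with gcd(r, n) == 1, so that r has an inverse mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blinded_decrypt(c):
    """Alice never exponentiates the attacker-chosen c itself: she decrypts
    r^e * c, obtains r * m, and divides r out. The private exponent is applied
    to a value the attacker cannot predict, so timing no longer depends on c."""
    r = random_unit(N)
    blinded = (pow(r, E, N) * c) % N
    m_times_r = pow(blinded, D, N)             # (r^e c)^d = r^(ed) m^(ed) = r m (mod n)
    return (m_times_r * pow(r, -1, N)) % N


def raw_sign(m):
    """Textbook signature m^d mod n: the same operation as decryption."""
    return pow(m, D, N)


def decrypt_via_signing_oracle(c, sign_oracle):
    """Eve holds c = m^e and can get arbitrary values signed with the same key.
    She asks for a signature on r^e * c (which looks random), receives r * m,
    and removes r. This is the blinding computation run by the attacker."""
    r = random_unit(N)
    s = sign_oracle((pow(r, E, N) * c) % N)
    return (s * pow(r, -1, N)) % N


def forge_signature(m, sign_oracle):
    """Unpadded RSA is multiplicative: sign(a) * sign(b) = sign(a * b) mod n.
    Eve splits m into two innocent-looking factors, has each signed, multiplies."""
    r = random_unit(N)
    m1 = r
    m2 = (m * pow(r, -1, N)) % N               # m1 * m2 == m (mod n)
    return (sign_oracle(m1) * sign_oracle(m2)) % N


def verify(m, s):
    return pow(s, E, N) == m % N


if __name__ == "__main__":
    c = pow(123, E, N)                          # 855, as in the worked example
    print("blinded decryption:", blinded_decrypt(c))                       # 123
    print("via signing oracle:", decrypt_via_signing_oracle(c, raw_sign))  # 123
    s = forge_signature(1234, raw_sign)
    print("forged signature on 1234 verifies:", verify(1234, s))           # True
```

Hashing the message and encoding the digest with a scheme such as RSA-PSS before exponentiating is what breaks both abuses: the signer then never applies d to a value the attacker chose, and the product of two encoded digests is not the encoding of any digest. Blinding remains valuable as a side-channel defence regardless.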
Adaptive chosen ciphertext attacks:
In 1998, Daniel Bleichenbacher described the first practical adaptive chosen ciphertext
attack, against RSA-encrypted messages using the PKCS #1 v1.5 padding scheme (a
padding scheme randomizes and adds structure to an RSA-encrypted message, so it is
possible to determine whether a decrypted message is valid; an implementation that reveals
the outcome of that validity check, for instance through a distinguishable error, acts as an
oracle for the attacker). Due to flaws with the PKCS #1 v1.5 scheme, Bleichenbacher was
able to mount a practical attack against RSA implementations of the Secure Socket Layer
protocol, and to recover session keys. As a result of this work, cryptographers now
recommend the use of provably secure padding schemes such as Optimal Asymmetric
Encryption Padding, and RSA Laboratories has released new versions of PKCS #1 that are
not vulnerable to these attacks.
To conclude the discussion of RSA, a few common questions:
Is the RSA cryptosystem currently in use?
The RSA system is currently used in a wide variety of products, platforms, and industries
around the world. It is found in many commercial software products and is planned to be
in many more. The RSA algorithm is built into current operating systems by Microsoft,
Apple, Sun, and Novell. In hardware, the RSA algorithm can be found in secure
telephones, on Ethernet network cards, and on smart cards. In addition, the algorithm is
incorporated into all of the major protocols for secure Internet communications, including
S/MIME, SSL, and S/WAN. It is also used internally in many institutions, including
branches of the U.S. government, major corporations, national laboratories, and
universities.
At the time of this publication, technology using the RSA algorithm is licensed by over
700 companies. The estimated installed base of RSA BSAFE encryption technologies is
around 500 million. The majority of these implementations include use of the RSA
algorithm, making it by far the most widely used public-key cryptosystem in the world.
Is the RSA system an official standard today?
The RSA cryptosystem is part of many official standards worldwide. The ISO
(International Organization for Standardization) 9796 standard lists RSA as a compatible
cryptographic algorithm, as does the ITU-T X.509 security standard. The RSA system is
part of the Society for Worldwide Interbank Financial Telecommunications (SWIFT)
standard, the French financial industry's ETEBAC 5 standard, the ANSI X9.31 rDSA
standard and the X9.44 draft standard for the U.S. banking industry. The Australian key
management standard, AS2805.6.5.3, also specifies the RSA system.
The RSA algorithm is found in Internet standards and proposed protocols including
S/MIME, IPSec, and TLS (the Internet standards-track successor to SSL), as well as in the
PKCS standards for the software industry. The OSI Implementers' Workshop (OIW) has
issued implementers' agreements referring to PKCS, which includes RSA.
A number of other standards are currently being developed and will be announced over
the next few years; many are expected to include the RSA algorithm as either an
endorsed or a recommended system for privacy and/or authentication. For example, IEEE
P1363 and WAP WTLS include the RSA system.
Is the RSA system a de facto standard?
The RSA system is the most widely used public-key cryptosystem today and has often
been called a de facto standard. Regardless of the official standards, the existence of a de
facto standard is extremely important for the development of a digital economy. If one
public-key system is used everywhere for authentication, then signed digital documents
can be exchanged between users in different nations using different software on different
platforms; this interoperability is necessary for a true digital economy to develop.
Adoption of the RSA system has grown to the extent that standards are being written to
accommodate it. When the leading vendors of U.S. financial industry were developing
standards for digital signatures, they first developed ANSI X9.30 in 1997 to support the
federal requirement of using the Digital Signature Standard. One year later they added
ANSI X9.31, whose emphasis is on RSA digital signatures to support the de facto
standard of financial institutions.
The lack of secure authentication has been a major obstacle in achieving the promise that
computers would replace paper; paper is still necessary almost everywhere for contracts,
checks, official letters, legal documents, and identification. With this core of necessary
paper transaction, it has not been feasible to evolve completely into a society based on
electronic transactions. A digital signature is the exact tool necessary to convert the most
essential paper-based documents to digital electronic media. Digital signatures make it
possible for passports, college transcripts, wills, leases, checks and voter registration
forms to exist in the electronic form; any paper version would just be a "copy" of the
electronic original. The accepted standard for digital signatures has enabled all of this to
happen.
6.2 DSA Cryptosystem
The National Institute of Standards and Technology (NIST) published the Digital
Signature Algorithm (DSA) in the Digital Signature Standard (DSS), which is a part of
the U.S. government's Capstone project. DSS was selected by NIST, in cooperation with
the NSA, to be the digital authentication standard of the U.S. government. The standard
was issued in May 1994.
DSA is based on the discrete logarithm problem and is related to signature schemes that
were proposed by Schnorr and ElGamal. While the RSA system can be used for both
encryption and digital signatures the DSA can only be used to provide digital signatures.
In DSA, signature generation is faster than signature verification, whereas with the RSA
algorithm, signature verification is very much faster than signature generation (if the
public and private exponents, respectively, are chosen for this property, which is the
usual case). It might be claimed that it is advantageous for signing to be the faster
operation, but since in many applications a piece of digital information is signed once,
but verified often, it may well be more advantageous to have faster verification. The
tradeoffs and issues involved have been explored by Wiener. There has been work by
many authors including Naccache et al. on developing techniques to improve the
efficiency of DSA, both for signing and verification.
Although several aspects of DSA have been criticized since its announcement, it is being
incorporated into a number of systems and specifications. Initial criticism focused on a
few main issues: it lacked the flexibility of the RSA cryptosystem; verification of
signatures with DSA was too slow; the existence of a second authentication mechanism
was likely to cause hardship to computer hardware and software vendors, who had
already standardized on the RSA algorithm; and that the process by which NIST chose
DSA was too secretive and arbitrary, with too much influence wielded by the NSA. Other
criticisms more related to the security of the scheme were addressed by NIST by
modifying the original proposal.
Key generation
1. Choose a 160-bit prime q.
2. Choose an L-bit prime p such that p = q·z + 1 for some integer z, with 512 ≤ L ≤ 1024 and L divisible by 64.
   Note: FIPS 186-2, change notice 1, specifies that L should only assume the value 1024, and the forthcoming FIPS 186-3 (described, e.g., in SP 800-57) uses SHA-224, SHA-256, SHA-384 and SHA-512 as hash functions, q of size 224, 256, 384 and 512 bits, with L equal to 2048, 3072, 7680 and 15360, respectively.
3. Choose h, where 1 < h < p − 1, such that g = h^z mod p > 1.
4. Choose x by some random method, where 0 < x < q.
5. Calculate y = g^x mod p.
The public key is (p, q, g, y). The private key is x.
Note that (p, q, g) can be shared between different users of the system, if desired.
Signing
1. Generate a random per-message value k, where 1 < k < q (this is known as a nonce).
2. Calculate r = (g^k mod p) mod q.
3. Calculate s = (k^-1 · (SHA-1(m) + x·r)) mod q, where SHA-1(m) is the SHA-1 hash function applied to the message m.
4. The signature is (r, s).
Verifying
1. Calculate w = s^-1 mod q.
2. Calculate u1 = (SHA-1(m) · w) mod q.
3. Calculate u2 = (r · w) mod q.
4. Calculate v = ((g^u1 · y^u2) mod p) mod q.
5. The signature is valid if v = r.
DSA is similar to the ElGamal signature scheme.
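The key generation, signing and verification steps above, as an added example that is not part of the assignment. The parameter search (`generate_params`) is a constructed toy procedure using trial division, not the FIPS generation method, and produces parameters far too small for real use; the signing and verification arithmetic is the standard DSA of the text, and `check_params` and the range check in `verify` are the validation a verifier should perform before trusting parameters or a signature.

```python
import hashlib
import secrets


def is_prime(n):
    """Trial division; adequate only for the toy-sized parameters used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def generate_params(q_start, h=2):
    """Toy parameter search (constructed, not a FIPS procedure): q = first prime
    >= q_start, p = q*z + 1 for the smallest even z making p prime, g = h^z mod p."""
    q = next_prime(q_start)
    z = 2
    while not is_prime(q * z + 1):
        z += 2
    p = q * z + 1
    g = pow(h, z, p)
    if g <= 1:                       # the text requires g = h^z mod p > 1
        return generate_params(q_start, h + 1)
    return p, q, g


def check_params(p, q, g):
    """What a verifier should confirm before trusting (p, q, g) from anyone."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1)


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1     # private key, 0 < x < q
    y = pow(g, x, p)                     # public key component y = g^x mod p
    return x, (p, q, g, y)


def sha1_int(m):
    """SHA-1(m) read as an integer, as in the original DSS."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")


def sign(m, x, pub):
    p, q, g, _ = pub
    while True:
        k = secrets.randbelow(q - 2) + 2            # per-message nonce, 1 < k < q
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (sha1_int(m) + x * r) % q
        if r != 0 and s != 0:                       # retry on a degenerate value
            return r, s


def verify(m, sig, pub):
    p, q, g, y = pub
    r, s = sig
    if not (0 < r < q and 0 < s < q):               # range check before any inverse
        return False
    w = pow(s, -1, q)
    u1 = sha1_int(m) * w % q
    u2 = r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r
```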
Correctness of the algorithm
The signature scheme is correct in the sense that the verifier will always accept genuine
signatures. This can be shown as follows:
From g = h^z mod p it follows that g^q ≡ h^(qz) ≡ h^(p−1) ≡ 1 (mod p) by Fermat's little theorem. Since
g > 1 and q is prime, it follows that g has order q.
The signer computes
Thus
Since g has order q we have
Finally, the correctness of DSA follows from
6.2.1 Elliptic Curve DSA
Elliptic Curve DSA (ECDSA) is a variant of the Digital Signature Algorithm (DSA)
which operates on elliptic curve groups. The EC variant provides smaller key sizes for
the same security level. On the other hand, the execution time is roughly the same and the
signature size is exactly the same: 4t, where t is the security parameter. For example,
DSA with 1024-bit p and 160-bit q and ECDSA over a 160-bit prime field both
produce 320-bit signatures and need only a few milliseconds for execution on a 2 GHz
Pentium.
Signature generation algorithm
Suppose Alice wants to send a signed message to Bob. Initially, the curve parameters
(q, FR, a, b, G, n, h) must be agreed upon. Also, Alice must have a key pair suitable for
elliptic curve cryptography, consisting of a private key dA (a randomly selected integer in
the interval [1, n − 1]) and a public key QA (where QA = dA·G).
For Alice to sign a message m, she follows these steps:
1. Calculate e = HASH(m), where HASH is a cryptographic hash function, such as SHA-1.
2. Select a random integer k from [1, n − 1].
3. Calculate r = x1 mod n, where (x1, y1) = k·G. If r = 0, go back to step 2.
4. Calculate s = k^-1 · (e + dA·r) mod n. If s = 0, go back to step 2.
5. The signature is the pair (r, s).
Signature verification algorithm
For Bob to authenticate Alice's signature, he must have a copy of her public key QA. He
follows these steps:
1. Verify that r and s are integers in [1, n − 1]. If not, the signature is invalid.
2. Calculate e = HASH(m), where HASH is the same function used in the signature generation.
3. Calculate w = s^-1 mod n.
4. Calculate u1 = e·w mod n and u2 = r·w mod n.
5. Calculate (x1, y1) = u1·G + u2·QA.
6. The signature is valid if x1 ≡ r (mod n), invalid otherwise.
Note that using Straus's algorithm (a.k.a. Shamir's trick) the sum of two scalar
multiplications u1·G + u2·QA can be calculated faster than two separate scalar multiplications.
6.3 Elliptic curve cryptosystems
Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on
the mathematics of elliptic curves. The use of elliptic curves in cryptography was
suggested independently by Neal Koblitz and Victor Miller in 1985.
The main benefit of ECC is that under certain situations it uses smaller keys than other
methods — such as RSA — while providing an equivalent or higher level of security.
Another benefit of ECC is that a bilinear map between groups can be defined, based on
the Weil pairing or the Tate pairing; bilinear maps have recently found numerous
applications in cryptography, for example identity-based encryption. One drawback,
however, is that the implementation of encryption and decryption operations may take
longer than in other schemes.
Key exchange
There are several slightly different versions of elliptic curve cryptography, all of which
rely on the widely believed difficulty of solving the discrete logarithm problem for the
group of an elliptic curve over some finite field.
Finite field
The most popular finite fields for this are the integers modulo a prime number (see
modular arithmetic) GF(p), or a Galois field of characteristic two GF(2^m). The latter is
more computationally efficient on dedicated hardware implementations, whereas the
former is usually more efficient on general-purpose processors. Patent issues are also
relevant. Galois fields whose size is a power of some other prime have also been proposed, but
are considered a bit dubious among cryptanalysts.
Given an elliptic curve E, and a field GF(q), we consider the abelian group of rational
points E(q) of the form (x, y), where both x and y are in GF(q), and where the group
operation "+" is defined on this curve based on the elliptic curves. We then define a
second operation "*" | Z×E(q) → E(q): if P is some point in E(q), then we define 2*P = P
+ P, 3*P = 2*P + P = P + P + P, and so on. Note that given integers j and k, j*(k*P) =
(j*k)*P = k*(j*P). The elliptic curve discrete logarithm problem (ECDLP) is then to
determine the integer k, given points P and Q, and given that k*P = Q.
It is believed that the usual discrete logarithm problem over the multiplicative group of a
finite field (DLP) and ECDLP are not equivalent problems; and that ECDLP is
significantly more difficult than DLP.
In cryptographic use, a specific base point G is selected and published for use with the
curve E(q). A private key k is selected as a random integer; and then the value P = k*G is
published as the public key (note that the purported difficulty of ECDLP implies that k is
hard to determine from P). If Alice and Bob have private keys kA and kB, and public keys
PA and PB, then Alice can calculate kA*PB = (kA*kB)*G; and Bob can compute the same
value as kB*PA = (kB*kA)*G.
This allows the establishment of a "secret" value that both Alice and Bob can easily
compute, but which is difficult for any third party to derive. In addition, Bob does not
gain any new knowledge about kA during this transaction, so that Alice's private key
remains private.
Encryption
The actual methods used to then encrypt messages between Alice and Bob based on this
secret value are adaptations of older discrete logarithm cryptosystems originally
described for use on other groups. These include:
Diffie-Hellman — ECDH
MQV — ECMQV
ElGamal discrete log cryptosystem — ECElGamal
DSA — ECDSA
Doing the group operations needed to run the system is slower for an ECC system than
for a factorization system or modulo integer discrete log system of the same size.
However, proponents of ECC systems believe that the ECDLP problem is significantly
harder than the DLP or factorisation problems, and so equal security can be provided by
much smaller key lengths using ECC, to the extent that it can actually be faster than, for
instance, RSA. Published results to date tend to support this belief, but some experts are
skeptical. ECC is widely regarded as the strongest asymmetric algorithm at a given key
length, so may become useful over links that have very tight bandwidth requirements.
6.4 Diffie-Hellman
Diffie-Hellman key exchange is a cryptographic protocol which allows two parties that
have no prior knowledge of each other to jointly establish a shared secret key over an
insecure communications channel. This key can then be used to encrypt subsequent
communications using a symmetric key cipher.
Synonyms of Diffie-Hellman key exchange include:
Diffie-Hellman key agreement
Diffie-Hellman key establishment
Diffie-Hellman key negotiation
exponential key exchange
The scheme was first published publicly by Whitfield Diffie and Martin Hellman in 1976,
although it later emerged that it had been discovered a few years earlier within GCHQ,
the British signals intelligence agency, by Malcolm J. Williamson but was kept classified.
In 2002, Hellman suggested the algorithm be called Diffie-Hellman-Merkle key
exchange in recognition of Ralph Merkle's contribution to the invention of public-key
cryptography (Hellman, 2002).
Although Diffie-Hellman key agreement itself is an anonymous (non-authenticated) key
agreement protocol, it provides the basis for a variety of authenticated protocols, and is
used to provide perfect forward secrecy in TLS's ephemeral modes.
History
Diffie-Hellman key agreement was invented in 1976 during a collaboration between
Whitfield Diffie and Martin Hellman and was the first practical method for establishing a
shared secret over an unprotected communications channel. Ralph Merkle's work on
public key distribution was an influence. John Gill suggested application of the discrete
logarithm problem. It had been discovered by Malcolm Williamson of GCHQ in the UK
some years previously, but GCHQ chose not to make it public until 1997, by which time it
had no influence on research in academia.
The method was followed shortly afterwards by RSA, another implementation of public
key cryptography using asymmetric algorithms.
In 2002, Martin Hellman wrote: "The system...has since become known as Diffie-Hellman
key exchange. While that system was first described in a paper by Diffie and me, it is a
public key distribution system, a concept developed by Merkle, and hence should be
called 'Diffie-Hellman-Merkle key exchange' if names are to be associated with it. I hope
this small pulpit might help in that endeavor to recognize Merkle's equal contribution to
the invention of public key cryptography."
U.S. Patent 4,200,770, now expired, describes the algorithm and credits Hellman, Diffie,
and Merkle as inventors.
Diffie-Hellman Algorithm
The simplest, and original, implementation of the protocol uses the multiplicative group
of integers modulo p, where p is prime and g is primitive mod p. Modulo (or mod) simply
means that the integers between 1 and p − 1 are used with normal multiplication,
exponentiation and division, except that after each operation the result keeps only the
remainder after dividing by p. Here is an example of the protocol:
Alice and Bob agree to use a prime number p = 23 and base g = 5.
Alice chooses a secret integer a = 6, then sends Bob g^a mod p:
5^6 mod 23 = 8.
Bob chooses a secret integer b = 15, then sends Alice g^b mod p:
5^15 mod 23 = 19.
Alice computes (g^b mod p)^a mod p:
19^6 mod 23 = 2.
Bob computes (g^a mod p)^b mod p:
8^15 mod 23 = 2.
Both Alice and Bob have arrived at the same value, because g^ab and g^ba are equal. Note
that only a, b, g^ab and g^ba are kept secret. All the other values are sent in the clear. Once
Alice and Bob compute the shared secret they can use it as an encryption key, known
only to them, for sending messages across the same open communications channel. Of
course, much larger values of a, b, and p would be needed to make this example secure,
since it is easy to try all the possible values of g^ab mod 23 (there will be, at most, 22 such
values, even if a and b are large). If p were a prime of more than 300 digits, and a and b
were at least 100 digits long, then even the best known algorithms for finding a given
only g, p, and g^a mod p (known as the discrete logarithm problem) would take longer
than the lifetime of the universe to run. g need not be large at all, and in practice is
usually either 2 or 5.
Here's a more general description of the protocol:
1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends g^a to Bob.
3. Bob picks a random natural number b and sends g^b to Alice.
4. Alice computes (g^b)^a.
5. Bob computes (g^a)^b.
Both Alice and Bob are now in possession of the group element g^ab which can serve as
the shared secret key. The values of (g^b)^a and (g^a)^b are the same because groups are
power associative.
Here is a chart to help simplify who knows what.
Let s = shared secret key: s = 2
Let a = Alice's private key: a = 6
Let b = Bob's private key: b = 15
Let g = public base: g = 5
Let p = public (prime) number: p = 23
Alice knows:
  p = 23, base g = 5, a = 6
  5^6 mod 23 = 8
  5^b mod 23 = 19
  19^6 mod 23 = 2
  8^b mod 23 = 2
  19^6 mod 23 = 8^b mod 23
  s = 2
  Doesn't know: b = 15
Bob knows:
  p = 23, base g = 5, b = 15
  5^15 mod 23 = 19
  5^a mod 23 = 8
  8^15 mod 23 = 2
  19^a mod 23 = 2
  8^15 mod 23 = 19^a mod 23
  s = 2
  Doesn't know: a = 6
Eve knows:
  p = 23, base g = 5
  5^a mod 23 = 8
  5^b mod 23 = 19
  19^a mod 23 = s
  8^b mod 23 = s
  19^a mod 23 = 8^b mod 23
  Doesn't know: a = 6, b = 15, s = 2
Note: It should be difficult for Alice to solve for Bob's private key or for Bob to solve for
Alice's private key. If it isn't difficult for Alice to solve for Bob's private key (or vice
versa), Eve may simply substitute her own private / public key pair, plug Bob's public
key into her private key, produce a fake shared secret key, and solve for Bob's private key
(and use that to solve for the shared secret key. Eve may attempt to choose a public /
private key pair that will make it easy for her to solve for Bob's private key).
Security
The protocol is considered secure against eavesdroppers if G and g are chosen properly.
The eavesdropper ("Eve") must solve the Diffie-Hellman problem to obtain g^ab. This is
currently considered difficult. An efficient algorithm to solve the discrete logarithm
problem would make it easy to compute a or b and solve the Diffie-Hellman problem,
making this protocol insecure.
The order of G should be prime or have a large prime factor to prevent use of the Pohlig-Hellman algorithm to obtain a or b. For this reason, a Sophie Germain prime q is
sometimes used to calculate p = 2q + 1, called a safe prime, since the order of G is then
only divisible by 2 and q. g is then sometimes chosen to generate the order-q subgroup of
G, rather than G, so that the Legendre symbol of g^a never reveals the low-order bit of a.
If Alice and Bob use random number generators whose outputs are not completely
random but can be predicted to some extent, then Eve's task is much easier.
The secret integers a and b are discarded at the end of the session. Therefore, Diffie-Hellman key exchange by itself trivially achieves perfect forward secrecy because no
long-term private keying material exists to be disclosed.
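The exchange of the worked example (p = 23, g = 5, a = 6, b = 15) together with the checks this "Security" section motivates, as an added example that is not part of the assignment: a safe-prime test, a subgroup-membership check for received public values, and a function showing why the text prefers a generator of the order-q subgroup (with the primitive root g = 5 the Legendre symbol of g^a gives away the low bit of a; with g = 4, a generator of the order-11 subgroup, it gives away nothing). The names and the trial-division primality test are this example's own; the toy numbers are the page's.

```python
import secrets


def is_prime(n):
    """Trial division; adequate only for toy-sized parameters."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_safe_prime(p):
    """p = 2q + 1 with q also prime (q a Sophie Germain prime), as the text recommends."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


def legendre(x, p):
    """Euler's criterion: 1 if x is a quadratic residue mod p, p - 1 (i.e. -1) if not."""
    return pow(x, (p - 1) // 2, p)


def valid_public_value(p, q, y):
    """Accept a received value y only if it lies in the order-q subgroup and is
    neither 1 nor p - 1, which would force the shared secret to a known value."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def exponent_parity_leak(p, g, y):
    """What an eavesdropper learns from y = g^a when g is a primitive root: the
    Legendre symbol of y equals (-1)^a, i.e. the low bit of a. Returns 0 (even),
    1 (odd), or None when g is itself a residue and the symbol reveals nothing."""
    if legendre(g, p) == 1:
        return None
    return 0 if legendre(y, p) == 1 else 1


def dh_exchange(p, g, a, b):
    """Run the textbook exchange; returns (A, B, Alice's secret, Bob's secret)."""
    A = pow(g, a, p)                 # Alice sends A = g^a mod p
    B = pow(g, b, p)                 # Bob sends B = g^b mod p
    return A, B, pow(B, a, p), pow(A, b, p)


def random_exponent(q):
    """Exponent drawn from a CSPRNG; predictable exponents make Eve's task easy."""
    return secrets.randbelow(q - 1) + 1
```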
Authentication
In the original description, the Diffie-Hellman exchange by itself does not provide
authentication of the parties, and is thus vulnerable to a man-in-the-middle attack. The man-in-the-middle may establish two distinct Diffie-Hellman keys, one with Alice and the
other with Bob, and then try to masquerade as Alice to Bob and/or vice versa, perhaps by
decrypting and re-encrypting messages passed between them. Some method to
authenticate these parties to each other is generally needed.
A variety of cryptographic authentication solutions incorporate a Diffie-Hellman
exchange. When Alice and Bob have a public key infrastructure they may digitally sign
the agreed key, or g^a and g^b, as in MQV, STS and the IKE component of the IPsec
protocol suite for securing Internet Protocol communications. When Alice and Bob share
a password, they may use a password-authenticated key agreement form of Diffie-Hellman.
6.4.1 Elliptic Curve Diffie-Hellman
Elliptic Curve Diffie-Hellman (ECDH) is a key agreement protocol that allows two
parties to establish a shared secret key over an insecure channel. This key can then be
used to encrypt subsequent communications using a symmetric key cipher. It is a variant
of the Diffie-Hellman protocol using elliptic curve cryptography.
Key establishment protocol
Suppose Alice wants to establish a shared key with Bob, but the only channel available
to them might be eavesdropped. Initially, the curve parameters (q, FR, a, b, G, n, h) must be
agreed upon. Also, each party must have a key pair suitable for elliptic curve
cryptography, consisting of a private key d (a randomly selected integer in the interval
[1, n − 1]) and a public key Q (where Q = d·G). Let Alice's key pair be (dA, QA) and Bob's
key pair be (dB, QB). Each party must have the other party's public key. Alice computes
(xk, yk) = dA·QB. Bob computes (xk, yk) = dB·QA. The shared key is xk (the x coordinate of the
point).
The number calculated by both parties is equal, because dA·QB = dA·dB·G = dB·dA·G = dB·QA.
The protocol is secure because nothing is disclosed (except for the public keys, which are
not secret), and no party can derive the private key of the other unless it can solve the
Elliptic Curve Discrete Logarithm Problem.
The public keys are either static (and trusted, say via a certificate) or ephemeral.
Ephemeral keys are not necessarily authenticated, so if authentication is wanted, it has to
be obtained by other means. Static public keys provide neither forward secrecy nor key-compromise impersonation resilience, among other advanced security properties. Holders
of static private keys should validate the other public key, and should apply a secure key
derivation function to the raw Diffie-Hellman shared secret to avoid leaking information
about the static private key.
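The ECDSA signing and verification steps of section 6.2.1 and the ECDH key establishment just described, as one added example that is not part of the assignment, since both need the same curve arithmetic. Two parameter sets are used: a constructed toy curve y² = x³ + 2x + 2 over GF(17), whose group order 19 the block checks by counting points, and the standard secp256k1 curve (its constants are real, and the block checks that n·G is the point at infinity). The text's FR and h parameters are left implicit because both groups here have prime order over a prime field (so h = 1); SHA-256 stands in for the text's SHA-1, and e is reduced mod n rather than truncated as the standard does. The `valid_public_key` check is the public-key validation the static-key paragraph above calls for.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    p: int       # field prime
    a: int       # curve coefficient a
    b: int       # curve coefficient b
    G: tuple     # base point
    n: int       # order of G (prime for both curves below, so cofactor h = 1)


TOY = Curve(p=17, a=2, b=2, G=(5, 1), n=19)          # constructed toy curve
SECP256K1 = Curve(                                    # standard curve constants
    p=2**256 - 2**32 - 977, a=0, b=7,
    G=(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)


def on_curve(c, pt):
    if pt is None:                      # None represents the point at infinity
        return True
    x, y = pt
    return (y * y - (x ** 3 + c.a * x + c.b)) % c.p == 0


def add(c, p1, p2):
    """The group operation '+' on E(GF(p)); None is the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                     # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return x3, (lam * (x1 - x3) - y1) % c.p


def mul(c, k, pt):
    """Scalar multiplication k*pt (the text's '*') by double-and-add."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(c, acc, pt)
        pt = add(c, pt, pt)
        k >>= 1
    return acc


def count_points(c):
    """Brute-force #E(GF(p)) including infinity; only feasible for the toy curve."""
    return 1 + sum(on_curve(c, (x, y)) for x in range(c.p) for y in range(c.p))


def valid_public_key(c, Q):
    """Public-key validation: a finite point on the curve with order n."""
    return Q is not None and on_curve(c, Q) and mul(c, c.n, Q) is None


def keygen(c):
    d = secrets.randbelow(c.n - 1) + 1          # private key in [1, n-1]
    return d, mul(c, d, c.G)                    # public key Q = d*G


def hash_int(m):
    """HASH(m) as an integer; SHA-256 here where the text uses SHA-1."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def ecdsa_sign(c, m, d):
    e = hash_int(m)                                       # step 1
    while True:
        k = secrets.randbelow(c.n - 1) + 1                # step 2: k in [1, n-1]
        r = mul(c, k, c.G)[0] % c.n                       # step 3: x1 of k*G
        s = pow(k, -1, c.n) * (e + d * r) % c.n           # step 4
        if r != 0 and s != 0:                             # else go back to step 2
            return r, s


def ecdsa_verify(c, m, sig, Q):
    r, s = sig
    if not (0 < r < c.n and 0 < s < c.n) or not valid_public_key(c, Q):
        return False                                      # step 1 (plus key check)
    w = pow(s, -1, c.n)                                   # step 3
    u1, u2 = hash_int(m) * w % c.n, r * w % c.n           # step 4
    pt = add(c, mul(c, u1, c.G), mul(c, u2, Q))           # step 5
    return pt is not None and pt[0] % c.n == r            # step 6


def ecdh_shared(c, d_mine, Q_theirs):
    """ECDH: x coordinate of d_mine * Q_theirs, after validating the peer's key."""
    if not valid_public_key(c, Q_theirs):
        raise ValueError("rejecting invalid peer public key")
    return mul(c, d_mine, Q_theirs)[0]
```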
6.5 ElGamal
The ElGamal algorithm is an asymmetric key encryption algorithm for public key
cryptography which is based on Diffie-Hellman key agreement. It was described by
Taher Elgamal in 1984. The ElGamal algorithm is used in the free GNU Privacy Guard
software, recent versions of PGP, and other cryptosystems. The Digital Signature
Algorithm is a variant of the ElGamal signature scheme, which should not be confused
with the ElGamal algorithm.
ElGamal can be defined over any cyclic group G. Its security depends upon the difficulty
of a certain problem in G related to computing discrete logarithms.
The algorithm
ElGamal consists of three components: the key generator, the encryption algorithm, and
the decryption algorithm.
The key generator works as follows:
Alice generates an efficient description of a cyclic group G of order q with
generator g. See below for specific examples of how this can be done.
Alice chooses a random x from
.
Alice computes h = g^x.
Alice publishes h, along with the description of G,q,g, as her public key. Alice
retains x as her secret key.
The encryption algorithm works as follows: to encrypt a message m to Alice under her
public key (G,q,g,h),
Bob converts m into an element of G.
Bob chooses a random y from
.
, then calculates c1 = g^y and
Bob sends the ciphertext (c1,c2) to Alice.
The decryption algorithm works as follows: to decrypt a ciphertext (c1,c2) with her secret
key x,
Alice computes
as the plaintext message.
The decryption algorithm produces the intended message, since
If the space of possible messages is larger than the size of G, then the message can be
split into several pieces and each piece can be encrypted independently. Typically,
however, a short key to a symmetric-key cipher is first encrypted under ElGamal, and the
(much longer) intended message is encrypted more efficiently using the symmetric-key
cipher — this is termed hybrid encryption.
Security
ElGamal is a simple example of a semantically secure asymmetric key encryption
algorithm (under reasonable assumptions). It is probabilistic, meaning that a single
plaintext can be encrypted to many possible ciphertexts, with the consequence that a
general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext.
ElGamal's security rests, in part, on the difficulty of solving the discrete logarithm
problem in G. Specifically, if the discrete logarithm problem could be solved efficiently,
then ElGamal would be broken. However, the security of ElGamal actually relies on the
so-called Decisional Diffie-Hellman (DDH) assumption. This assumption is often
stronger than the discrete log assumption, but is still believed to be true for many classes
of groups.
Generating the group G
As described above, ElGamal can be defined over any cyclic group G, and is secure if a
certain computational assumption (the "DDH Assumption") about that group is true.
Unfortunately, the straightforward use of G = Zp for a prime p is insecure, because the
DDH Assumption is false in this group. In contrast, computing discrete logs is believed to
be hard in Zp, but this is not enough for the security of ElGamal.
The two most popular types of groups used in ElGamal are subgroups of Zp and groups
defined over certain elliptic curves. Here is one popular way of choosing an appropriate
subgroup of Zp which is believed to be secure:
Choose a random large prime p such that p − 1 = kq for some small integer k and
large prime q. This can be done, for example with k = 2, by first choosing a
random large prime q and checking if p = 2q + 1 is prime.
Choose a random element
such that
and g^q = 1 mod p, i.e. such
that g is of order q.
The group G is the subgroup of Zp generated by g, i.e. the set of kth residues mod
p.
When encrypting, care must be taken to properly encode the message m as an element of
G, and not, say, as just an arbitrary element of Zp.
Efficiency
Encryption under ElGamal requires two exponentiations; however, these exponentiations
are independent of the message and can be computed ahead of time if need be.
Decryption only requires one exponentiation (plus one division, which is typically much
faster). Unlike in the RSA and Rabin systems, ElGamal decryption cannot be sped up via
the Chinese remainder theorem.
Miscellaneous
ElGamal is malleable in an extreme way: for example, given an encryption (c1,c2) of
some (possibly unknown) message m, one can easily construct an encryption
of the message 2m. Therefore ElGamal is not secure under chosen ciphertext
attack. On the other hand, the Cramer-Shoup system (which is based on ElGamal) is
secure under chosen ciphertext attack.
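The ElGamal key generator, encryption and decryption above, the safe-prime subgroup construction of "Generating the group G", the message encoding it warns about, and the malleability just described, as one added example that is not part of the assignment. It assumes the text's k = 2 (p = 2q + 1), so G is the set of quadratic residues mod p and a message m in [1, q] is encoded as whichever of m and p − m is a residue; `is_probable_prime` is a Miller-Rabin test written for this example, and the group size used in the check below is a toy one.

```python
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits):
    """p = 2q + 1 with q prime (the text's choice k = 2); g is a random quadratic
    residue other than 1, which in this group has order exactly q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)
        if g != 1:
            return p, q, g


def encode(m, p):
    """Map m in [1, q] into G (the residues mod p). Because p = 3 mod 4, exactly
    one of m and p - m is a residue; use that one so m really is an element of G."""
    q = (p - 1) // 2
    if not 1 <= m <= q:
        raise ValueError("message must lie in [1, q]")
    return m if pow(m, q, p) == 1 else p - m


def decode(e, p):
    return e if e <= (p - 1) // 2 else p - e


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1         # secret key
    return x, (p, q, g, pow(g, x, p))        # public key includes h = g^x


def encrypt(m_elem, pub):
    p, q, g, h = pub
    y = secrets.randbelow(q - 1) + 1         # fresh randomness for every message
    return pow(g, y, p), m_elem * pow(h, y, p) % p     # (c1, c2) = (g^y, m * h^y)


def decrypt(ct, x, p):
    c1, c2 = ct
    return c2 * pow(pow(c1, x, p), -1, p) % p          # m = c2 / c1^x


def double_plaintext(ct, p):
    """The malleability the text describes: (c1, 2*c2) is an encryption of 2m,
    produced without knowing m or x, which is why plain ElGamal is not CCA-secure."""
    c1, c2 = ct
    return c1, 2 * c2 % p
```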
6.6 Merkle-Hellman
Merkle-Hellman (MH) was one of the earliest public key cryptosystems invented by
Ralph Merkle and Martin Hellman in 1978. Although its ideas are elegant, and far
simpler than RSA, it has been broken. The Merkle-Hellman system is based on the subset
sum problem (a special case of the knapsack problem): given a list of numbers and a third
number, which is the sum of a subset of these numbers, determine the subset. In general,
this problem is known to be NP-complete; however, there are some 'easy' instances which
can be solved efficiently. The Merkle-Hellman scheme is based on transforming an easy
instance into a difficult instance, and back again. However, the scheme was broken by
Adi Shamir, not by attacking the knapsack problem, but rather by breaking the conversion
from an easy knapsack to a hard one.
Merkle-Hellman Algorithm
Key generation
To encrypt n-bit messages, choose a superincreasing sequence
w = (w1, w2, ..., wn)
of n natural numbers (excluding zero). (A superincreasing sequence is a sequence in
which every element is greater than the sum of all previous elements, eg {1, 2, 4, 8, 16} )
Pick a random integer q, such that
q≥
,
and a random integer r such that gcd(r, q) = 1.
q must be chosen as such to ensure the uniqueness of the encrypted message, after
modular arithmetic. If it is any smaller, more than one message (in plaintext) will encrypt
to the same cryptotext, making decoding functionally impossible. r must be coprime to q
or else it will not have an inverse mod q. The existence of the inverse of r is necessary so
that decryption is possible.
Now calculate the sequence
β = (β1, β2, ..., βn)
where βi = r·wi (mod q). The public key is β, while the private key is (w, q, r).
Encryption
To encrypt an n-bit message
α = (α1, α2, ..., αn),
where αi is the i-th bit of the message and αi ∈ {0, 1}, calculate
.
The cryptogram then is c.
Decryption
The key to decryption lies in somehow determining s = r^-1 (mod q). s is the private key in
this cryptosystem. You can now convert the NP-hard problem, extrapolating α from c
(using an essentially randomly-filled knapsack), into the easy problem of extrapolating α
using a super-increasing knapsack, which is solvable in linear time.
The steps of decryption require that you calculate c' = c*s (mod q) and w = β*s (mod q).
c' is still an encrypted form of α, but the knapsack which encrypts it is simply the superincreasing sequence, w. The super-increasing knapsack problem is easy to solve because
of the structure of a super-increasing sequence. Take the largest element in w, say wk. If
wk > c', then αk = 0, if wk≤c', then αk = 1. Then, subtract wk * αk from c', and repeat these
steps until you have figured out α.
When q is very large, it is very difficult to calculate s (it can take a long time, but the
algorithm merely makes use of simple modular multiplication). The difficulty of
determining s is why this was thought to be such an impossible cryptosystem to break.
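The key generation, encryption and greedy decryption just described, as an added example that is not part of the assignment: a superincreasing private knapsack w, a modulus q larger than the sum of w, a multiplier r coprime to q, the public knapsack βi = r·wi mod q, and decryption by multiplying with s = r^-1 mod q and solving the easy knapsack from the largest element down. The byte helpers and the sample sequence are this example's own; the scheme is shown only to illustrate the easy-to-hard transformation the text describes.

```python
import math
import secrets


def is_superincreasing(w):
    """Every element exceeds the sum of all previous ones, e.g. (1, 2, 4, 8, 16)."""
    total = 0
    for wi in w:
        if wi <= total:
            return False
        total += wi
    return True


def keygen(w):
    """Private key (w, q, r) with q > sum(w) and gcd(r, q) = 1; public key beta."""
    if not (all(wi > 0 for wi in w) and is_superincreasing(w)):
        raise ValueError("w must be a superincreasing sequence of positive integers")
    total = sum(w)
    q = secrets.randbelow(total) + total + 1        # q > sum(w): subset sums stay unique
    while True:
        r = secrets.randbelow(q - 2) + 2
        if math.gcd(r, q) == 1:                     # r needs an inverse mod q
            break
    beta = [r * wi % q for wi in w]                 # beta_i = r * w_i mod q
    return beta, (w, q, r)


def encrypt(bits, beta):
    """c = sum of the public knapsack elements selected by the message bits."""
    if len(bits) != len(beta) or any(bit not in (0, 1) for bit in bits):
        raise ValueError("message must be a bit vector of length n")
    return sum(bit * b for bit, b in zip(bits, beta))


def decrypt(c, priv):
    """Undo the multiplier with s = r^-1 mod q, then solve the easy knapsack greedily."""
    w, q, r = priv
    s = pow(r, -1, q)
    c_prime = c * s % q                   # = sum(alpha_i * w_i) exactly, since that sum < q
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):   # largest element first
        if w[i] <= c_prime:
            bits[i] = 1
            c_prime -= w[i]
    if c_prime != 0:
        raise ValueError("not a valid ciphertext for this key")
    return bits


def bytes_to_bits(data):
    """Big-endian bit vector of a byte string (constructed helper for 8-bit knapsacks)."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
```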
7 Protocols Using Asymmetric Key Algorithms
7.1 GPG
The GNU Privacy Guard (GnuPG or GPG) is a free software replacement for the PGP
suite of cryptographic software, released under the GNU General Public License. It is a
part of the Free Software Foundation's GNU software project, and has received major
funding from the German Government. GPG is completely compliant with the IETF
standard for OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable
with GPG and other OpenPGP-compliant systems. Although some older versions of PGP
are also interoperable, not all features of newer software are supported by the older
software. It is necessary for users to understand those incompatibilities and work around
them.
History
GPG was initially developed by Werner Koch. Version 1.0.0 was released on September
7th, 1999. The German Federal Ministry of Economics and Technology has funded the
documentation and the port to Microsoft Windows in 2000.
Because GPG is an OpenPGP standard compliant system, the history of OpenPGP is of
importance. Version 1.4.2 of the stable branch was announced on 27 July 2005, and
version 1.9.19 of the development branch (with S/MIME support) was released on 12
September 2005.
Uses of GnuPG
GPG is stable, production-quality software. It is frequently included in free operating
systems, such as FreeBSD, OpenBSD, and NetBSD and nearly all distributions of
GNU/Linux.
Although the basic GPG program has a command line interface, there exist various front-ends that provide it with a graphical user interface; for example, it has been integrated
into KMail and Evolution, the graphical email clients found in the most popular Linux
desktops KDE and GNOME. For GNOME, there is a graphical GPG front-end called
Seahorse. A plugin known as Enigmail allows GPG to be integrated with Mozilla and
Thunderbird, which works on Microsoft Windows as well as Linux and other operating
systems. Web-based software such as Horde also makes use of it. Note that, because the
plugin mechanism is not part of GPG itself and not specified by the Open PGP standard,
and because neither the GPG nor Open PGP developers were involved in their
development, it is possible that GPG's security benefits could be compromised or even
lost as a result of using such auxiliaries.
GPG can also be compiled for other platforms like Mac OS X and Windows. For Mac OS
X, there is a free port called MacGPG which has been adapted to use the OS X user
interface and its native class definitions. Cross compilation is not a trivial exercise, at
least in part because security provisions vary with operating system and adapting to them
is often tricky, but high quality compilers should routinely produce executables which
will interoperate correctly with other GPG implementations.
How GPG works
GPG encrypts messages using asymmetric keypairs individually generated by GPG users.
The resulting public keys can be exchanged with other users in a variety of ways, such as
Internet key servers. They must always be exchanged carefully to prevent identity
spoofing by corrupting public key ↔ 'owner' identity correspondences. It is also possible
to add a cryptographic digital signature to a message, so the message integrity and sender
can be verified, if a particular correspondence relied upon has not been corrupted.
GPG does not use patented or otherwise restricted software or algorithms, including the
IDEA encryption algorithm which has been present in PGP almost from the beginning.
Instead, it uses a variety of other, non-patented algorithms such as ElGamal, CAST5,
Triple DES, AES, Blowfish and Twofish. It is still possible to use IDEA in GPG by
downloading a plugin for it, however this may require getting a license for some uses in
some countries in which IDEA is patented.
GPG is a hybrid encryption software program in that it uses a combination of
conventional symmetric-key cryptography for speed, and public-key cryptography for
ease of secure key exchange, typically by using the recipient's public key to encrypt a
session key which is only used once. This mode of operation is part of the Open PGP
standard and has been part of PGP from its first version.
Problems
The OpenPGP standard specifies several methods of digitally signing messages. Due to
an error in a change to GPG intended to make one of those methods more efficient, a
security vulnerability was introduced (Nguyen, 2004). It affects only one method of
digitally signing messages, only for some releases of GPG (1.0.2 through 1.2.3), and
there were fewer than 1000 such keys listed on the key servers. Most people did not use
this method, and were in any case discouraged from doing so, so the damage caused (if
any, and none has been publicly reported) would appear to have been minimal. Support
for this method has been removed from GPG versions released after this discovery (1.2.4
and later).
GPG is a command-line based system; it is not written as an API that can be
incorporated into other software. GPGME is an API wrapper around GPG which parses
the output of GPG, and various graphical front-ends based on GPGME have been
created. This requires an out-of-process call to the GPG executable for each GPGME API
call. The approach is less than satisfactory because GPGME ends up parsing text output
originally intended for human eyes. In general, GUI systems based on GPGME do not
offer the robustness of software that calls true APIs (e.g. contrast WinPT with GnuPG to
the PGP GUI: the latter uses API calls into its encryption routines).
Other software wraps the command line in a Perl script (e.g. gpg-dialog) that is menu
based and more user friendly.
7.2 PGP
When it comes to asymmetric cryptography, the most popular and widely used
application that comes to anyone's mind is PGP. PGP stands for "Pretty Good Privacy"
and is the standard public key cryptography application used today.
PGP is a computer program which provides cryptographic privacy and authentication.
The first released version of PGP, by designer and developer Phil Zimmermann, became
available in 1991. Subsequent versions have been developed by both Zimmermann and
others.
PGP has been sufficiently influential that its operating protocols and data formats have
been standardised for interoperability among different versions of PGP and related
software. Eventually, the PGP design was adopted as an Internet standards-track
specification known as OpenPGP. OpenPGP is now an open standard followed by PGP,
GNU Privacy Guard (GnuPG), Hushmail, Veridis, Authora, EasyByte Cryptocx, and
others.
PGP and email
While PGP can encrypt the content of any data (e.g., any computer file or message text),
it is most commonly used for e-mail, which has no built-in security as originally
implemented. PGP and S/MIME are two (incompatible) official email security systems
which are currently NIST specified standards.
PGP was originally used for email by converting an encrypted message into a special
formatting (ASCII armor) to prevent changes during transmission. A more
comprehensive integration of PGP with the MIME email standard is specified by RFC
3156.
Plugins implementing PGP functionality are available for many popular e-mail
applications (such as Outlook, Outlook Express, Eudora, Evolution, Mutt, Mozilla
Thunderbird, Apple Mail, and many others). Several are included with many PGP
distributions.
From a security viewpoint, every such plugin is independent of PGP itself. Each might
have implementation errors or interact insecurely with PGP or with other software. Using
such plugins does not necessarily provide the same level of security as would standalone
(and correct) use of PGP itself. Such add-ons can, at best, be equivalent to PGP in
security; at worst, a plugin may reduce your actual security to nothing. Distinguishing
amongst these cases is non-trivial even for the most cryptographically skilled and
informed. The best advice for the ordinary user is always to be careful and to regularly test
the whole system by sending test messages to oneself or, better, to a partner who uses an
independently installed and configured copy of PGP or compatible software. This will
assure that there is at least end to end functionality, though more subtle bugs or damage
may nevertheless still be present. This sort of check is especially important after any
software change or upgrade. The safest use pattern is to manually encrypt and sign
messages and email them manually; this evades such problems as automatic hidden
transmission of message text copies to an unintended place via a network connection. As with
all security considerations, however, ensuring the best possible security must necessarily
be balanced against other system constraints and user needs. For instance, those who
must use Microsoft Windows or Outlook or Internet Explorer will have a different
security situation than those who use OpenBSD or FreeBSD and Firefox. Each must take
different measures to maximize security. Whatever risks there may be in a quality
security system such as PGP or its relatives, not using it is always riskier.
How PGP works
PGP uses both public-key cryptography and symmetric key cryptography, and includes a
system which binds the public keys to user identities. The first version of this system is
generally known as a web of trust and continues in use. Later versions of PGP have
included something more akin to a public key infrastructure (PKI).
PGP uses asymmetric key encryption algorithms. In these, the recipient must have
previously generated a linked key pair, a public key and a private key. The sender uses
the recipient's public key to encrypt a shared key (a secret key or conventional key) for a
symmetric cipher algorithm. That key is used, finally, to encrypt the plaintext of a
message. Many PGP users' public keys are available to all from the many PGP key
servers around the world which act as mirror sites for each other.
The recipient of a PGP-protected message decrypts it using the session key for a
symmetric algorithm. That session key was, of course, included in the message in
encrypted form and was itself decrypted using the recipient's private key. Use of two
ciphers in this way is sensible because of the very considerable difference in operating
speed between asymmetric key and symmetric key ciphers (the differences are often
1000+ times). There are also cryptographic vulnerabilities when asymmetric key
algorithms are used to encrypt messages directly.
A similar strategy is (by default) used to detect whether a message has been altered since
it was completed, or (also by default) whether it was actually sent by the person/entity
claimed to be the sender.
To do both at once, the sender uses PGP to 'sign' the message with either the RSA or
DSA signature algorithms. To do so, PGP computes a hash (also called a message digest)
from the plaintext, and then creates the digital signature from that hash using the sender's
private key. The message recipient computes a message digest over the recovered
plaintext, and then uses the sender's public key and the signed message digest value with
the signature algorithm. If the signature matches the received plaintext's message digest,
it must be presumed (to a very high degree of confidence) that the message received has
not been tampered with, either deliberately or accidentally, since it was properly signed.
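The sign-then-encrypt flow described above, as an added toy model written for this page (it is not PGP's or GnuPG's code): textbook RSA over two fixed Mersenne primes per party stands in for the real RSA keys, a SHA-256 counter keystream stands in for the symmetric cipher, and the digest is truncated to 128 bits so it fits under the small toy modulus. The function names and the prime choices are assumptions of this example.

```python
"""Toy model of the PGP message flow: sign the plaintext with the sender's
private key, encrypt the plaintext under a fresh one-time session key, and
wrap that session key with the recipient's public key.  Every primitive here
is a minimal stand-in (unpadded RSA, a hash-based keystream); it illustrates
the structure of the scheme, not a cipher suite anyone should deploy."""
import hashlib
import secrets
from math import gcd

E = 65537
# Toy key material: fixed Mersenne primes so the example is deterministic
# and offline (assumption of this example, not PGP key sizes).
SENDER_PRIMES = (2**61 - 1, 2**89 - 1)        # n is about 150 bits
RECIPIENT_PRIMES = (2**107 - 1, 2**127 - 1)   # n is about 234 bits


def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)) for textbook RSA with the given primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1, "e must be invertible modulo phi(n)"
    return (n, E), (n, pow(E, -1, phi))


def rsa(m: int, key) -> int:
    """Raw RSA: m^exp mod n.  The same call encrypts, decrypts, signs, verifies."""
    n, exp = key
    assert 0 <= m < n, "integer must be smaller than the modulus"
    return pow(m, exp, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out, counter = bytearray(), 0
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        counter += 1
    return bytes(out)


def digest16(data: bytes) -> int:
    """Message digest truncated to 128 bits so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def pgp_send(plaintext: bytes, sender_priv, recipient_pub) -> dict:
    """Sender side: sign the plaintext, then encrypt it under a one-time key."""
    signature = rsa(digest16(plaintext), sender_priv)
    session_key = secrets.token_bytes(16)          # used for this message only
    body = keystream_xor(session_key, plaintext)
    wrapped_key = rsa(int.from_bytes(session_key, "big"), recipient_pub)
    return {"wrapped_key": wrapped_key, "body": body, "signature": signature}


def pgp_receive(msg: dict, recipient_priv, sender_pub):
    """Recipient side: unwrap the session key, decrypt, then check the
    signature against a digest of the recovered plaintext.
    Returns (plaintext, signature_ok)."""
    session_key = rsa(msg["wrapped_key"], recipient_priv).to_bytes(16, "big")
    plaintext = keystream_xor(session_key, msg["body"])
    recovered_digest = rsa(msg["signature"], sender_pub)
    return plaintext, recovered_digest == digest16(plaintext)


if __name__ == "__main__":
    sender_pub, sender_priv = make_keypair(*SENDER_PRIMES)
    rcpt_pub, rcpt_priv = make_keypair(*RECIPIENT_PRIMES)
    msg = pgp_send(b"constructed sample message", sender_priv, rcpt_pub)
    print(pgp_receive(msg, rcpt_priv, sender_pub))
    # Flipping one ciphertext byte changes the recovered plaintext, so the
    # digest no longer matches the signature and verification fails.
    msg["body"] = bytes([msg["body"][0] ^ 1]) + msg["body"][1:]
    print(pgp_receive(msg, rcpt_priv, sender_pub)[1])
```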
Both when encrypting messages and when verifying signatures, it is critical that the
public key one uses to send messages to some person or entity actually does 'belong' to
the intended recipient. Simply downloading a public key from somewhere is not
overwhelming assurance of that association; deliberate (or accidental) spoofing is
possible. PGP has always included provisions for distributing users' public keys in
'identity certificates' which are constructed cryptographically so that any tampering (or
accidental garble) is readily detectable. But merely making a certificate effectively
impossible to modify undetectably is also insufficient. It can prevent corruption only after
the certificate has been created, not before. Users must also verify by some means that
the public key in a certificate actually does belong to the person/entity claiming it. From
its first release, PGP has included an internal certificate 'vetting scheme' to assist with
this; it has been called a web of trust. A given public key (or more specifically,
information binding a person to a key) may be digitally signed by a third party to attest
the association between the person and the key. There are several levels of confidence
that can be expressed in this signature; although many programs read and write this
information, few (if any) incorporate the level of certification when calculating whether
to trust a key.
In the (more recent) OpenPGP specification, trust signatures can be used to support
creation of certificate authorities. A trust signature indicates both that the key belongs to
its claimed owner and that the owner of the key is trustworthy to sign other keys at one
level below their own. A level 0 signature is comparable to a web of trust signature, since
only the validity of the key is certified. A level 1 signature is similar to the trust one has
in a certificate authority because a key signed to level 1 is able to issue an unlimited
number of level 0 signatures. A level 2 signature is highly analogous to the trust
assumption users must rely on whenever they use the default certificate authority list in
Internet Explorer; it allows the owner of the key to make other keys certificate
authorities.
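A simplified model of the trust-signature levels just described, as an added example written for this page (it is not gpg's or PGP's own trust computation and encodes only what the text states): a key's effective level is the level it was granted, capped one below its signer's effective level, and a key is valid when that effective level is at least 0. The key names and the sample web are constructed.

```python
"""Chain validation under trust-signature levels: level 0 certifies only the
subject's identity, level 1 additionally lets the subject issue level-0
certifications, level 2 lets it make further keys into level-1 introducers."""
from typing import Dict, List, Optional, Tuple

# (signer key id, subject key id) -> level of the trust signature
Certifications = Dict[Tuple[str, str], int]


def find_chain(certs: Certifications, own_key: str, target: str,
               max_hops: int = 6) -> Optional[List[str]]:
    """Return a certification chain own_key -> ... -> target that the levels
    permit, or None.  Our own key is unrestricted; every other signer may only
    hand down trust strictly below what it was granted itself."""

    def dfs(path: List[str], effective: Optional[int]) -> Optional[List[str]]:
        signer = path[-1]
        if signer == target:
            return path
        if len(path) > max_hops:
            return None
        for (s, subject), level in certs.items():
            if s != signer or subject in path:
                continue
            granted = level if effective is None else min(level, effective - 1)
            if granted < 0:      # signer was not trusted to introduce anyone
                continue
            found = dfs(path + [subject], granted)
            if found is not None:
                return found
        return None

    return dfs([own_key], None)


def is_valid(certs: Certifications, own_key: str, target: str) -> bool:
    return target == own_key or find_chain(certs, own_key, target) is not None


# Constructed sample web of keys; "alice" is the key we control.
SAMPLE_CERTS: Certifications = {
    ("alice", "bob"): 2,    # Bob may create level-1 introducers
    ("bob", "carol"): 1,    # Carol may issue level-0 certifications
    ("carol", "dave"): 0,   # Dave's identity is certified, nothing more
    ("dave", "erin"): 0,    # Dave is no introducer, so this tells us nothing
    ("alice", "frank"): 0,  # Frank is valid but may not introduce anyone
    ("frank", "grace"): 1,  # ... so Frank's level-1 signature on Grace is moot
}

if __name__ == "__main__":
    for key in ["bob", "carol", "dave", "erin", "frank", "grace"]:
        print(key, is_valid(SAMPLE_CERTS, "alice", key),
              find_chain(SAMPLE_CERTS, "alice", key))
```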
PGP has also always included a way to cancel ('revoke') identity certificates which may
have become invalid; this is, more or less, equivalent to the certificate revocation lists of
more centralized PKI schemes. More recent PGP versions have also supported certificate
expiration dates.
The problem of correctly identifying a public key as belonging to some other user is not
unique to PGP. All public key and private key cryptosystems have the same problem, if
in slightly different guise, and no fully satisfactory solution is known. PGP's original
scheme, at least, leaves the decision whether or not to use its endorsement/vetting system
to the user, while most other PKI schemes do not, requiring instead that every certificate
attested to by a central certificate authority be accepted as correct.
Security
When used properly, PGP is believed to be capable of very high security. It is widely
believed, within the cryptographic community, that -- if anyone -- only government
agencies such as NSA might be capable of directly breaking properly produced, PGP-protected
messages. However, to the best of publicly available information, there is no
known method for any entity to break PGP by cryptographic, computational means
regardless of the version being employed. In 1996, cryptographer Bruce Schneier
characterized an early version as being "the closest you're likely to get to military-grade
encryption" (Applied Cryptography, 2nd ed., p587).
In contrast to security systems/protocols like SSL which only protect data in transit over a
network, PGP can also be used to protect data in long-term data storage such as disk files.
Some products derived from PGP have been developed which streamlined such uses of
the PGP security design, largely by Network Associates while it controlled PGP.
Like all cryptography systems and software, the security of PGP can be lost by misuse or
by indirect attacks which avoid hard cryptanalysis. In one case, the FBI obtained a court
order permitting secret installation of keystroke logger software on a suspect's computer;
when they harvested the information, they recovered his PGP passphrase and thereby
gained access, by way of his PGP private key, to all his protected files and emails. He
was subsequently tried and convicted.
Leaving aside such attacks, the cryptographic security of PGP depends on the assumption
that the algorithms it uses are unbreakable by direct cryptanalysis with current equipment
and techniques. For instance, in the original version of PGP the RSA algorithm was used
to encrypt session keys; RSA's security depends upon the (generally presumed) one-way
function nature of mathematical integer factoring. Now unknown integer factorization
techniques have the potential, therefore, to make breaking RSA easier than now, or
perhaps even trivially easy. Likewise the secret key algorithm originally used in PGP was
IDEA, which might at some future time be found to have a previously unsuspected
cryptanalytic flaw. Specific instances of PGP or IDEA insecurities -- if they exist -- are
not publicly known. As current versions of PGP have added additional encryption
algorithms, the degree of their cryptographic vulnerability varies.
Clearly, since NSA, GCHQ and similar organizations do not discuss the state of their
cryptanalytic knowledge, there exists a publicly unknown chance that one or more of
them have discovered something which allows them to decrypt some PGP messages
without access to the relevant private key. But this is, of course, true of every
cryptographic system of any design and from any source, not just PGP.
Since PGP now permits the use of several algorithms, current PGP messages are not
equally susceptible to any potential breakthroughs against the original algorithms.
However, there has been some speculation that the first released PGP version (using the
RSA and IDEA algorithms) might have been broken. PGP's author, Phil Zimmermann,
was criminally investigated for three years by the U.S. Government for having violated
munitions control regulations in connection with the availability outside the US and
Canada of PGP. The investigation was abruptly dropped. Zimmermann has publicly stated
that the investigation might have been dropped because the U.S. government had found a
way to break PGP messages of that period.
On balance, it should be understood from the above discussion that the only currently
credible entities with any credible chance of breaking PGP messages have access to
government-level resources. The security of PGP encryption from direct cryptanalytic
attack by anyone else is almost certainly quite strong.
For more details please visit www.pgp.com
7.3 Others
Examples of other protocols using asymmetric key algorithms include:
IKE
SSH
Secure Socket Layer now implemented as an IETF standard -- TLS
SILC
Appendix A Mathematical concepts
The purpose of this Appendix is to give a brief description of some of the mathematical
concepts mentioned in this document. For a more thorough treatment of modular
arithmetic and basic number theory, consider any undergraduate textbook in elementary
algebra. For more details on analysis and the theory of limits, consult any undergraduate
textbook in analysis.
A.1 Functions
A function $f$ from a set $A$ to a set $B$ assigns to each element $a$ in $A$ a unique element $b$ in $B$. For each element $a \in A$, the corresponding element in $B$ assigned to $a$ by $f$ is denoted $f(a)$; we say that $a$ is mapped to $f(a)$. The notation $f : A \to B$ means that $f$ is a function from $A$ to $B$.
Example
Consider the set $\mathbb{Z}$ of integers. We may define a function $f : \mathbb{Z} \to \mathbb{Z}$ such that $f(x) = x^2$ for each $x \in \mathbb{Z}$. For example, $f(5) = 25$.
Let $f : A \to B$ and $g : B \to C$ be functions. The composition $g \circ f$ of $g$ and $f$ is the function $h : A \to C$ defined as $h(a) = g(f(a))$ for each $a \in A$. Note, however, that $f \circ g$ does not make sense unless $A = C$.
Example
Let $\mathbb{N}$ be the set of nonnegative numbers. With $f : \mathbb{Z} \to \mathbb{N}$ defined as $f(x) = x^2$ and $g : \mathbb{N} \to \mathbb{Z}$ defined as $g(y) = y - y^2$, we obtain that $g \circ f : \mathbb{Z} \to \mathbb{Z}$ is the function $h$ defined as
$$h(x) = g(x^2) = x^2 - x^4.$$
A function $f : A \to B$ is one-to-one or injective if $f(a) = f(a')$ implies that $a = a'$, that is, no two elements in $A$ are mapped to the same element in $B$. The function $f$ is onto or surjective if, for each $b \in B$, there exists an element $a \in A$ such that $f(a) = b$. Finally, $f$ is bijective if $f$ is one-to-one and onto. Given a bijective function $f : A \to B$, the inverse $f^{-1}$ of $f$ is the unique function $g : B \to A$ with the property that $g \circ f(a) = a$ for all $a \in A$. A bijective function $f : A \to A$ is a permutation of the set $A$.
For any subset $S$ of $A$, $f(S)$ is the set of elements $b$ such that $f(a) = b$ for some $a \in S$. Note that $f$ being surjective means that $f(A) = B$. The restriction of $f$ to a subset $S$ of $A$ is the function $f_S : S \to B$ defined as $f_S(s) = f(s)$ for all $s \in S$.
Examples.
The function $f : \mathbb{Z} \to \mathbb{Z}$ defined as $f(x) = x^3$ is injective, because $x^3 = y^3$ implies that $x = y$. However, $f$ is not surjective; for example, there is no $x$ such that $f(x) = 2$.
Let $|x|$ be the absolute value of $x \in \mathbb{Z}$ (for example, $|-5| = |5| = 5$). The function $g : \mathbb{Z} \to \mathbb{N}$ defined as $g(x) = |x|$ is surjective but not injective. Namely, for all $x$, the elements $x$ and $-x$ are mapped to the same element $|x|$. However, the restriction of $g$ to $\mathbb{N}$ is injective and surjective, hence bijective.
If $A$ and $B$ are finite sets of the same size, then a function $f : A \to B$ is injective if and only if $f$ is surjective.
A.2 Modular arithmetic
Given integers $a$, $b$, and $n$ with $n > 0$, we say that $a$ and $b$ are congruent modulo $n$ if $a - b$ is divisible by $n$, that is, if $(a - b)/n$ is an integer. We write
$$a \equiv b \pmod{n}$$
if $a$ and $b$ are congruent modulo $n$. Let $a$, $b$, $c$, and $d$ be integers such that $a \equiv c \pmod{n}$ and $b \equiv d \pmod{n}$. It is not difficult to prove that
$$a + b \equiv c + d \pmod{n} \qquad (1)$$
and
$$ab \equiv cd \pmod{n}. \qquad (2)$$
Given a fixed integer $n > 0$, called the modulus, we may form congruence classes of integers modulo $n$. Each congruence class is formally a set of the form
$$[a] := a + n\mathbb{Z} = \{\ldots, a-2n, a-n, a, a+n, a+2n, \ldots\}.$$
By (1) and (2), addition and multiplication of congruence classes are well-defined. More precisely, we define $[a] + [b] = [a+b]$ and $[a] \cdot [b] = [ab]$. It is convenient to identify the element $[a]$ with the smallest nonnegative number $a'$ such that $a \equiv a' \pmod{n}$. This number $a'$ will be denoted $a \bmod n$. For example, $13 \bmod 5 = 3$. Let $\mathbb{Z}_n$ denote the set of congruence classes modulo $n$. For example, $\mathbb{Z}_5 = \{0,1,2,3,4\}$.
The greatest common divisor (gcd) of two integers $m$ and $n$ is the greatest positive integer $d$ such that $d$ divides both $m$ and $n$. For example, $\gcd(91, 52) = 13$.
The Euclid algorithm states that if $\gcd(m,n) = d$, then there are integers $r$ and $s$ such that $mr + ns = d$. In particular, the equation
$$mx \equiv b \pmod{n} \iff mx = b \ (\text{in } \mathbb{Z}_n) \qquad (3)$$
has a solution $x$ if and only if $b$ is divisible by $d$.
Let $\mathbb{Z}_n^*$ be the set of integers (congruence classes modulo $n$) $k \in \{1, \ldots, n-1\}$ with the property that $\gcd(k,n) = 1$. For example, $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$.
A.3 Groups
Consider a prime number $p$. The procedures of adding elements in $\mathbb{Z}_p$ and multiplying elements in $\mathbb{Z}_p^*$ share certain properties:
Both operations are associative, that is, $a + (b + c) = (a + b) + c$ and $a(bc) = (ab)c$.
There is an additive identity $0$ with the property that $0 + a = a + 0 = a$ for all $a$. The corresponding multiplicative identity is the element $1$; $1 \cdot a = a \cdot 1 = a$.
For each $a \in \mathbb{Z}_p$, there is a $b$ such that $a + b = 0$; namely, $b = -a$ has this property. By (3) in Section A.2, the equation $ax = 1$ has an integer solution $x := a^{-1}$ for each $a \in \mathbb{Z}_p^*$. Namely, since $p$ is a prime, $\gcd(a, p) = 1$. The elements $-a$ and $a^{-1}$ are the additive and multiplicative inverses of $a$, respectively.
Structures with these three properties have turned out to be of such great importance that they have a name; they are called groups.
Formally, a group consists of a set $G$ (finite or infinite) together with a binary operation $* : G \times G \to G$ called (group) multiplication. Note that $* : G \times G \to G$ means that $G$ is closed under multiplication, that is, the product $a * b$ is in $G$ for any two elements $a, b$ in $G$. A group must satisfy the following axioms:
The operation $*$ is associative, that is, $a * (b * c) = (a * b) * c$ for any $a, b, c \in G$.
There exists an identity element $e \in G$ such that $a * e = e * a = a$ for each element $a \in G$.
Each element $a \in G$ has an inverse $b \in G$ satisfying $a * b = b * a = e$, the identity.
If, in addition, multiplication in $G$ is commutative, that is, $a * b = b * a$ for any two elements $a, b \in G$, then the group is abelian.
A group is usually identified with its underlying set, unless the group operation is not clear from context. From now on, we will suppress the group operation $*$ and simply write $ab$ instead of $a * b$. For $n \geq 1$, $g^n$ means multiplication of $g$ with itself $n$ times (for example, $g^3 = ggg$), while $g^{-n}$ is the inverse of $g^n$. $g^0$ is the identity element. Note that $g^a g^b = g^{a+b}$ for all integers $a, b$.
A subgroup $H$ of a group $G$ is a group such that the set $H$ is a subset of $G$. Any subset $S$ of $G$ generates a subgroup $\langle S \rangle$ of $G$ consisting of all elements of the form
$$s_1^{a_1} \cdots s_n^{a_n},$$
where $s_1, \ldots, s_n$ are (not necessarily distinct) elements in $S$ and $a_1, \ldots, a_n$ are (not necessarily positive) integers. If $G = \langle g \rangle$ for some $g \in G$, then $G$ is cyclic with generator $g$. This means that every element in $G$ is of the form $g^k$ for some integer $k$. All cyclic groups are abelian.
Examples
The set $\mathbb{Z}$ of integers is a cyclic group under addition with generator $1$. However, the set of nonzero integers is not a group under multiplication. Namely, for $a \neq \pm 1$, there is no integer $b$ such that $ab = 1$.
The sets $\mathbb{Q}$, $\mathbb{R}$, and $\mathbb{C}$ of rational, real, and complex numbers are all abelian groups under addition. Moreover, $\mathbb{Q}^*$, $\mathbb{R}^*$, and $\mathbb{C}^*$ (the above sets with $0$ removed) are all abelian groups under multiplication. Namely, the inverse of a number $x$ is $1/x$.
The set $\mathbb{Z}_n$ is a cyclic group under addition. If $n = ab$ is a composite number with $a, b > 1$, then the set $\{1, \ldots, n-1\}$ is not a group under multiplication modulo $n$. Namely, the product of $a$ and $b$ is equal to $0$ modulo $n$, which implies that the set is not even closed under multiplication. However, the subset $\mathbb{Z}_n^*$ is a group under multiplication. If $n = p$ is a prime, then $\mathbb{Z}_p^*$ is a cyclic group of order $p - 1$.
The set $\mathbb{Z}$ under subtraction is not a group. Namely, subtraction is not associative; $a - (b - c) \neq (a - b) - c$ unless $c = 0$.
For a given set $A$, the set $S_A$ of permutations (bijective functions) $\pi : A \to A$ is a group under composition $\circ$. For example, composition is associative, because
$$\pi \circ (\rho \circ \sigma)(a) = \pi(\rho(\sigma(a))) = (\pi \circ \rho) \circ \sigma(a).$$
However, unless $A$ consists of at most two elements, $S_A$ is not abelian. For example, with $A = \mathbb{Z}_3$, $\pi(a) = a + 1$, and $\sigma(a) = 2a$, we have
$$\pi \circ \sigma(0) = \pi(\sigma(0)) = \pi(0) = 1 \neq 2 = \sigma(1) = \sigma(\pi(0)) = \sigma \circ \pi(0).$$
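The computations behind Sections A.2 and A.3, as an added example written for this page (not part of the original assignment): the Euclid identity $mr + ns = d$, the solvability criterion of equation (3), the unit group $\mathbb{Z}_n^*$ and its inverses, and a generator of the cyclic group $\mathbb{Z}_p^*$. The function names are this example's own.

```python
"""Modular arithmetic helpers: extended Euclid, linear congruences, Z_n^*,
and generators of Z_p^* for prime p."""
from math import gcd
from typing import List, Optional, Tuple


def extended_gcd(m: int, n: int) -> Tuple[int, int, int]:
    """Return (d, r, s) with d = gcd(m, n) and m*r + n*s = d (m, n >= 0)."""
    old_r, r = m, n
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def solve_congruence(m: int, b: int, n: int) -> List[int]:
    """All x in Z_n with m*x = b (mod n).  By (3) there is a solution exactly
    when d = gcd(m, n) divides b; then there are d solutions, spaced n/d apart."""
    d, r, _ = extended_gcd(m, n)
    if b % d != 0:
        return []
    # From m*r + n*s = d we get m*r = d (mod n), so x0 = r*(b/d) solves it.
    n_d = n // d
    x0 = (r * (b // d)) % n_d
    return [x0 + k * n_d for k in range(d)]


def units(n: int) -> List[int]:
    """Z_n^*: the classes k in {1, ..., n-1} with gcd(k, n) = 1."""
    return [k for k in range(1, n) if gcd(k, n) == 1]


def inverse(a: int, n: int) -> Optional[int]:
    """Multiplicative inverse of a in Z_n, or None when a is not a unit."""
    d, r, _ = extended_gcd(a, n)
    return r % n if d == 1 else None


def order(g: int, p: int) -> int:
    """Order of g in Z_p^* (p prime, 1 <= g < p): least k >= 1 with g^k = 1."""
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def generator(p: int) -> Optional[int]:
    """A generator of the cyclic group Z_p^*, i.e. an element of order p - 1."""
    if p == 2:
        return 1
    for g in range(2, p):
        if order(g, p) == p - 1:
            return g
    return None   # only reached if p is not prime


if __name__ == "__main__":
    print(extended_gcd(91, 52))        # (13, -1, 2): 91*(-1) + 52*2 = 13
    print(solve_congruence(6, 4, 8))   # [2, 6]
    print(solve_congruence(6, 3, 8))   # []  (gcd 2 does not divide 3)
    print(units(12))                   # [1, 5, 7, 11]
    print(generator(7), [pow(generator(7), k, 7) for k in range(1, 7)])
```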
A.4 Fields and rings
One interesting observation from the examples in the previous section is that each of the sets $\mathbb{Z}_p$, $\mathbb{R}$, $\mathbb{Q}$, and $\mathbb{C}$ contains two different abelian group structures: the set itself under addition and the set of nonzero elements under multiplication. Structures satisfying this property together with an axiom about multiplication "distributing" over addition are called fields.
Formally, a field consists of a set $F$ together with two operations $+ : F \times F \to F$ and $\cdot : F \times F \to F$ called addition and multiplication, respectively, such that the following axioms are satisfied.
(1) $F$ forms an abelian group under addition.
(2) $F \setminus \{0\}$ forms an abelian group under multiplication, where $0$ is the identity in the additive abelian group $\langle F, + \rangle$.
(3) Multiplication distributes over addition, that is, $a \cdot (b + c) = a \cdot b + a \cdot c$.
For an integer $n$ and a field element $x$, $n \cdot x$ denotes the element obtained by adding $x$ to itself $n$ times; for example, $3 \cdot x = x + x + x$. The characteristic of a field is the smallest positive integer $p$ such that $p \cdot 1 = 0$. If no such $p$ exists, then the characteristic of the field is defined to be $0$. The characteristic of a field is either a prime number or $0$. If the characteristic of a field is $0$, then the field is infinite. However, a field with nonzero characteristic might be either finite or infinite.
Examples.
The fields $\mathbb{Q}$, $\mathbb{R}$, and $\mathbb{C}$ of rational, real, and complex numbers, respectively, are fields of characteristic $0$. The finite field $\mathbb{Z}_p$ is a field of characteristic $p$.
The number of elements in a finite field must be a power of a prime number. A classification theorem of the finite fields states that there is exactly one finite field (up to isomorphism) of size $q$ for each prime power $q$. Thus it makes sense to talk about the field with $q$ elements, which is traditionally denoted $GF(q)$ (GF = Galois Field) or $\mathbb{F}_q$.
A ring $R$ satisfies axioms (1) and (3), but instead of (2), multiplication in $R$ is only required to be associative. If multiplication is commutative, then the ring is commutative. A nonzero element $a$ in a ring is a zero divisor if there is a nonzero element $b$ such that $ab = 0$. There are two main classes of commutative rings:
Rings with no zero divisors. All fields and the ring $\mathbb{Z}$ of integers are of this kind.
Rings with zero divisors. The ring $\mathbb{Z}_n$ contains zero divisors if and only if $n$ is composite.
A polynomial in a ring $R$ is a function $f : R \to R$ of the form
$$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_n x^n,$$
where $a_0, \ldots, a_n$ are elements in the ring. A root of a polynomial is an element $r$ such that $f(r) = 0$.
Appendix B Glossary
Sr.No.
1
2
3
4
Keyword
Description
ATM
automatic teller machines
abelian group
An abstract group with a commutative binary operation
adaptive chosen ciphertext attack A version of the chosen-ciphertext attack where the cryptanalyst can
choose ciphertexts dynamically. A cryptanalyst can mount an attack of
this type in a scenario in which he or she has free use of a piece of
decryption hardware, but is unable to extract the decryption key from it.
AES
The Advanced Encryption Standard that will replace DES (The Data
Encryption Standard) around the turn of the century.
5
6
7
8
API
Apple Mail
ASCII
ASCII armor
Application Programming Interface.
is an email program made by Apple Computer included in Mac OS X.
American Standard Code for Information Interchange
is a term used to describe an encoding process, in which data in a
binary format is transformed into a textual format.
9
10
asymmetric key algorithms
attacker
Public key cryptography algorithms like RSA,DSA etc.
is a malicious entity whose aim is to prevent the users of the
cryptosystem from achieving their goal.
11
Authentication
The action of verifying information such as identity, ownership or
authorization.
12
bilinear map
is a mathematical function of several vector variables that is linear in
each variable.
13
Biometric
The science of using biological properties to identify individuals; for
example, finger prints, a retina scan, and voice recognition.
14
blind credential
is a token asserting that someone qualifies under some criteria or has
some status or right, without revealing "who" that person is — without
including their name or address, for instance. It is used in maintaining
medical privacy and increasingly for consumer privacy.
15
Blind signature scheme
Allows one party to have a second party sign a message without
revealing any (or very little) information about the message to the
second party
16
block ciphers
A symmetric cipher which encrypts a message by breaking it down into
blocks and encrypting each block.
17
18
Blowfish
Bluetooth
is a keyed, symmetric block cipher.
is an industrial specification for wireless personal area networks
(PANs).
19
20
21
22
Bogus
CAST5
certificate authority
challenge-response authentication
is something that is useless, bad or fake.
is a block cipher used in a number of products.
A person or organization that creates certificates.
is a family of protocols in which one party presents a question
("challenge") and another party must provide a valid answer
("response") to be authenticated.
23
Chinese Remainder Theorem
is a theorem related to abstract algebra and number theory. More
details: see any mathbook.
Khushdeep Noheria
Page 49
Asymmetric Key Cryptography
WS-2005/06
24
chosen plaintext attack
A form of cryptanalysis where the cryptanalyst may choose the
plaintext to be encrypted.
25
ciphers
An encryption-decryption algorithm.
26
27
28
ciphertext
classic cryptography
classical ciphers
Encrypted data.
classical ciphers were used in this cryptography.
is a type of cipher used historically but which now have fallen, for the
most part, into disuse.
29
Clifford Cocks
is a British mathematician and cryptographer at GCHQ who invented
the widely-used encryption algorithm now commonly known as RSA
30
31
32
Code
codebook
computer security
is a method used to transform a message into an obscured form
is a document used for implementing a code.
is a field of computer science concerned with the control of risks
related to computer use.
33
coprime
34
35
Cramer-Shoup system
cryptanalysis
the integers a and b are said to be coprime or relatively prime if they
have no common factor other than 1 and -1, or equivalently, if their
greatest common divisor is 1.
is an asymmetric key encryption algorithm for public key cryptography.
The art and science of breaking encryption or any form of
cryptography. See attack.
36
cryptographic hash function
is a hash function with certain additional security properties to make it
suitable for use as a primitive in various information security.
37
cryptographic keys
A key is a piece of information that controls the operation of a
cryptography algorithm.
38
39
cryptographic privacy
cryptographic protocol
Privacy can be seen as an aspect of security
is an abstract or concrete protocol that performs a security-related
function and applies cryptographic methods.
40
Cryptography
The art and science of using mathematics to secure information and
create a high degree of trust in the electronic realm.
41
cyclic group
42
is a group that can be generated by a single element, in the sense that
the group has an element a (called a "generator" of the group) such
that, when written multiplicatively, every element of the group is a
power of a (or na when the notation is additive).
Decisional Diffie-Hellman (DDH) is the assumption that a certain computational problem within a cyclic
assumption
group is hard.
43
DES
Data Encryption Standard, a block cipher developed by IBM and the
U.S. government in the 1970's as an official standard.
44
45
46
deterministic encryption
DH-EKE
Diffie-Hellman key exchange
a deterministic algorithm
Diffie-Hellman Encrypted Key Exchange
A key exchange protocol allowing the participants to agree on a key
over an insecure channel.
47
Diffie-Hellman problem
an open problem in number theory developed by Whitfield Diffie and
Martin Hellman with implications for modern cryptography.
48
49
50
digital cash
digital certificates
digital envelope
electronic money
is a certificate which uses a digital signature.
A key exchange protocol that uses a public-key cryptosystem to
encrypt a secret key for a secret-key cryptosystem.
51
52
digital signatures
digitally signed
The encryption of a message digest with a private key.
See digital signatures
Khushdeep Noheria
Page 50
Asymmetric Key Cryptography
WS-2005/06
53. digitally signed contract: A contract that is digitally signed.
54. discrete logarithm: Given two elements d, g in a group such that there is an integer r satisfying g^r = d, r is called the discrete logarithm of d in the "base" g.
55. discrete logarithm problem: The problem of finding r such that g^r = d, where d and g are elements in a given group. For some groups, the discrete logarithm problem is a hard problem used in public-key cryptography.
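The Diffie-Hellman key exchange (entry 46) and the discrete logarithm problem (entries 54 and 55), as an added example that is not part of the original assignment. The group parameters p = 2^31 - 1 with generator 7 are constructed toy values chosen so the arithmetic runs instantly; the baby-step giant-step routine is a generic square-root attack, not something the assignment describes. It shows that a passive eavesdropper who sees only the two public values recovers the shared key with roughly sqrt(p) work, which is why real groups must be far larger (2048-bit moduli or elliptic curves).

```python
"""Diffie-Hellman agreement and the discrete log problem (added example)."""
import math
import secrets

# Constructed toy parameters: 2^31 - 1 is prime and 7 is a primitive root
# (generator) modulo it. Real deployments use p of 2048 bits or more.
P = 2**31 - 1
G = 7


def dh_keypair(p=P, g=G):
    """Private exponent a in [1, p-2] and public value g^a mod p."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(g, a, p)


def dh_shared(priv, peer_pub, p=P):
    """Shared secret: (g^b)^a = (g^a)^b = g^(ab) mod p."""
    return pow(peer_pub, priv, p)


def dh_exchange(p=P, g=G):
    """Both sides of one exchange; returns (alice_pub, bob_pub, shared_key)."""
    a, alice_pub = dh_keypair(p, g)
    b, bob_pub = dh_keypair(p, g)
    k_alice = dh_shared(a, bob_pub, p)
    k_bob = dh_shared(b, alice_pub, p)
    assert k_alice == k_bob, "both parties must derive the same key"
    return alice_pub, bob_pub, k_alice


def discrete_log_bsgs(h, g=G, p=P, order=None):
    """Baby-step giant-step: find x with g^x = h (mod p) in O(sqrt(order)) time
    and memory. order defaults to p - 1 (g assumed to be a generator)."""
    n = order if order is not None else p - 1
    m = math.isqrt(n) + 1
    baby = {}                       # g^j -> j for j in [0, m)
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)           # g^(-m): each giant step removes m from x
    cur = h
    for i in range(m):
        if cur in baby:             # h * g^(-i*m) == g^j  =>  x = i*m + j
            return i * m + baby[cur]
        cur = cur * giant % p
    return None


def eavesdropper_recovers_key(alice_pub, bob_pub, p=P, g=G):
    """Passive attacker: solve the discrete log of one public value, then
    finish the exchange exactly as that party would."""
    a = discrete_log_bsgs(alice_pub, g, p)
    return dh_shared(a, bob_pub, p)


if __name__ == "__main__":
    alice_pub, bob_pub, key = dh_exchange()
    print("shared key:", key)
    print("recovered by eavesdropper:", eavesdropper_recovers_key(alice_pub, bob_pub))
```

The attack needs about 46,000 group operations here; for a 2048-bit prime the same square-root bound is around 2^1024, which is what makes the protocol usable. Note that the exchange above is unauthenticated: an active attacker can still sit in the middle (entry 121), which is what STS, MQV and the password-authenticated variants in this glossary address.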
56. distributing keys: A key that is split up into many parts and shared (distributed) among different participants. See also secret sharing.
57. DNA: Deoxyribonucleic acid (DNA) is a nucleic acid that contains the genetic instructions specifying the biological development of all cellular forms of life.
58. EasyByteCryptocx: Cryptocx v6 is a fully OpenPGP-compatible encryption component.
59. ECDSA: Elliptic curve digital signature algorithm.
60. ECElGamal: Elliptic curve ElGamal.
61. ECMQV: Elliptic curve MQV.
62. e-commerce: Business transactions conducted over the Internet.
63. electronic signature: Often used to mean either a signature imputed to a text via one or more of several electronic means, or cryptographic means to add non-repudiation and message integrity features to a document.
64. ElGamal cryptosystem: An asymmetric key encryption algorithm for public key cryptography which is based on Diffie-Hellman key agreement.
65. ElGamal discrete log cryptosystem: An asymmetric key encryption algorithm for public key cryptography whose security rests on the discrete logarithm problem.
66. ElGamal signature scheme: A digital signature scheme which is based on the difficulty of computing discrete logarithms.
67. elliptic curve cryptography (ECC): An approach to public-key cryptography based on the mathematics of elliptic curves.
68. Elliptic Curve Discrete Logarithm Problem: The problem of finding m such that m·P = Q, where P and Q are two points on an elliptic curve.
69. group: A set, together with a binary operation such as multiplication or addition, where the operation is associative, has an identity element and every element has an inverse.
70. elliptic curves: A plane curve defined by an equation of the form y^2 = x^3 + ax + b.
71. email clients: A computer program that is used to read and send e-mail.
72. encryption: The transformation of plaintext into an apparently less readable form (called ciphertext) through a mathematical process. The ciphertext may be read by anyone who has the key that decrypts (undoes the encryption) the ciphertext.
73. Enigma: A portable cipher machine used to encrypt and decrypt secret messages.
74. Enigmail: A public key encryption extension for versions of the Mozilla Application Suite and Mozilla Thunderbird running on Microsoft Windows or Unix-like operating systems.
75. Eudora: An email client that was once used widely on the Microsoft Windows and Macintosh operating systems.
76. Evolution: The e-mail client of the GNOME desktop; its user interface and functionality are similar to Microsoft Outlook.
77. exponentiate: Exponentiation is a process generalized from repeated (or iterated) multiplication, in much the same way that multiplication is a process generalized from repeated addition.
78. FBI: Federal Bureau of Investigation, a U.S. government law enforcement agency.
79. Fermat factorization: A factoring method due to Fermat that writes an odd composite n as a difference of two squares, n = a^2 - b^2 = (a - b)(a + b), by searching upward from a = ceil(sqrt(n)) until a^2 - n is a square. It is fast exactly when the two factors are close together, which is why the primes of an RSA modulus must not be chosen near each other. (It is unrelated to Fermat's little theorem.)
80. Fermat's little theorem: States that if p is a prime number, then for any integer a, a^p ≡ a (mod p); equivalently a^(p-1) ≡ 1 (mod p) whenever p does not divide a.
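Entries 79 and 80 worked through in code, as an added example that is not part of the original assignment. The modulus 1000036000099 = 1000003 · 1000033 is a constructed input whose two factors differ by only 30, so Fermat's method finds them in a single step; the Carmichael number 561 is used to show the limit of the little-theorem test (it passes for base 2 although it is composite), which is why practical primality tests use the stronger Miller-Rabin check.

```python
"""Fermat's factoring method and Fermat's little theorem as a primality
test (added example; the inputs below are constructed)."""
import math


def fermat_factor(n, max_steps=10**6):
    """Write odd n as a^2 - b^2 = (a - b)(a + b).

    Starts at a = ceil(sqrt(n)) and increases a until a^2 - n is a perfect
    square. Each step moves the candidate pair further apart, so the method
    is cheap only when the factors are close. Returns (small, large) or None
    if max_steps is exhausted (factors far apart, or n prime)."""
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def fermat_test(n, bases=(2, 3, 5, 7)):
    """Fermat's little theorem turned into a test: a prime n must satisfy
    a^(n-1) == 1 (mod n) for every base a not divisible by n.

    Returns True for "probably prime". Composite numbers can pass: a
    Carmichael number such as 561 passes for every base coprime to it, so
    this is a necessary, not a sufficient, condition."""
    if n < 4:
        return n in (2, 3)
    return all(pow(a, n - 1, n) == 1 for a in bases if a % n != 0)


if __name__ == "__main__":
    n = 1000003 * 1000033          # constructed: two primes only 30 apart
    print("factors:", fermat_factor(n))
    print("561 passes base-2 Fermat test:", fermat_test(561, bases=(2,)))
    print("561 with base 3 (shares a factor):", fermat_test(561, bases=(3,)))
```

The base-3 check catches 561 only because 3 divides it; a Carmichael number with no small factors would pass every small base. That gap is the reason the glossary's "primality tests" entry points at probabilistic tests such as Miller-Rabin rather than the bare Fermat condition.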
81. finite field: A field is a mathematical structure consisting of a set F together with two binary operations called addition and multiplication, each with an identity and inverses (typical examples of fields are the real numbers, the rational numbers and the integers modulo a prime p). A finite field is a field with finitely many elements, such as the integers modulo p.
82. FIPS-182-2, change notice 1: A Federal Information Processing Standard.
83. Firefox: A free, cross-platform, graphical web browser developed by the Mozilla Corporation.
84. free software: As defined by the Free Software Foundation, software which can be used, copied, studied, modified and redistributed without restriction.
85. FreeBSD: A Unix-like free software operating system.
86. frequency analysis: The study of the frequency of letters or groups of letters in a ciphertext.
87. Galois field: A field with a finite number of elements. The size of a finite field must be a power of a prime number.
88. GCHQ: The Government Communications Headquarters (GCHQ) is a British intelligence agency.
89. generating element: In abstract algebra, a generating set of a group G is a subset S such that every element of G can be expressed as the product of finitely many elements of S and their inverses; a generating element is a single element that generates G by itself.
90. GNOME: GNOME is the official desktop of the GNU Project.
91. GNU General Public License: A free software license.
92. GNU Privacy Guard: A free software replacement for the PGP suite of cryptographic software.
93. Hamming weight: The Hamming weight of a string is its Hamming distance from the zero string (the string consisting of all zeros) of the same length, i.e. the number of nonzero symbols in it.
94. hash collisions: A situation that occurs when two distinct inputs into a hash function produce identical outputs.
95. hash function: A function that takes a variable-sized input and has a fixed-size output.
96. hash value: A hash value (or simply hash), also called a message digest, is a number generated from a string of text.
97. Horde: A PHP-based Web application framework.
98. HTTPS: HTTP over an SSL/TLS connection. HyperText Transfer Protocol (HTTP) is the primary method used to convey information on the World Wide Web; HTTPS adds encryption and server authentication to it.
99. Hushmail: A free webmail service which offers PGP-encrypted email.
100. IDEA: International Data Encryption Algorithm (IDEA) is a block cipher.
101. identity-based encryption: A key authentication system in which the public key of a user is some unique information about the identity of the user (e.g. a user's email address).
102. IETF standard: The Internet Engineering Task Force (IETF) is charged with developing and promoting Internet standards, in particular those of the TCP/IP protocol suite.
103. integer factorization: The integer factorization problem is the problem of finding a non-trivial divisor of a composite number.
104. Interlock Protocol: A method to expose a middle-man who might try to compromise two parties that use anonymous key agreement to secure their conversation.
105. Internet Protocol: A data-oriented protocol used by source and destination hosts for communicating data across a packet-switched internetwork.
106. Internet standards-track: Internet standards evolve through a series of three maturation stages: proposed standard, draft standard, and standard. Collectively, these stages of evolution are known as the standards track.
107. IPsec: IP security, a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets.
108. ISAKMP: Internet Security Association and Key Management Protocol.
109. KDE: K Desktop Environment.
110. Key: A string of bits used widely in cryptography, allowing people to encrypt and decrypt data; a key can be used to perform other mathematical operations as well. Given a cipher, a key determines the mapping of the plaintext to the ciphertext.
111. key lengths: Also known as key size.
112. key management: The various processes that deal with the creation, distribution, authentication, and storage of keys.
113. key server: A computer, typically running special software, which provides cryptographic keys to users or other programs.
114. key size: The key size (alternatively key length) is a measure of the number of possible keys which can be used in a cipher.
115. Key pair: The full key information in a public-key cryptosystem, consisting of the public key and private key.
116. keystroke logger: A program (or hardware device) that captures the user's keystrokes. Used as a diagnostic in software development, but also planted covertly by attackers to capture passwords and pass phrases, which no cryptography on the machine can protect against.
117. Kmail: The email client of the KDE Desktop Environment.
118. knapsack problem: A problem that involves selecting a number of objects with given weights from a set, such that the sum of the weights is maximal but not more than a pre-specified weight.
119. Legendre symbol: The symbol (a/p), for an odd prime p, which is 1 if a is a quadratic residue modulo p, -1 if it is a non-residue, and 0 if p divides a. It is used in connection with factorization and quadratic residues.
120. Malleable: A term used in the analysis of cryptographic algorithms. An encryption scheme is malleable if an attacker can transform a ciphertext into another ciphertext that decrypts to a related plaintext, without knowing the key (textbook RSA and ElGamal are malleable; padding schemes such as OAEP remove this property).
121. man in the middle (MITM) attack: An attack in which an attacker is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised.
122. Merkle's Puzzles: Merkle's Puzzles is an early construction for a public-key cryptosystem.
123. message authentication code: A MAC is a function that takes a variable-length input and a key to produce a fixed-length output. See also hash-based MAC, stream-cipher based MAC, and block-cipher based MAC.
124. message digest: A hash function takes a long string (or message) of any length as input and produces a fixed-length string as output, sometimes termed a message digest or a digital fingerprint.
125. MIME: Multipurpose Internet Mail Extensions.
126. MIT: Massachusetts Institute of Technology.
127. mobile telephone networks: The mobile phone communicates via a network of base stations which are in turn linked to the conventional telephone network.
128. modular exponentiation: A type of exponentiation performed over a modulus, i.e. computing b^e mod m.
129. Mozilla: A trademark of the Mozilla Foundation; historically it had been used internally as a codename for the Netscape Navigator web browser from its beginning.
130. MQV: Menezes-Qu-Vanstone, an authenticated protocol for key agreement based on the Diffie-Hellman scheme.
131. multiplicative group: A group whose operation is written as multiplication, for example the nonzero integers modulo a prime p under multiplication modulo p.
132. Mutt: A text-based email client for Unix-like systems.
133. "need-to-know" principle: Access to classified information, which is restricted by law or regulation to particular classes of people, is limited further to those who need it to perform their duties.
134. NetBSD: NetBSD was the second freely redistributable, open source version of the BSD.
135. NIST: National Institute of Standards and Technology, a United States agency that produces security and cryptography related standards (as well as others); these standards are published as FIPS documents.
136. Nonce: Literally 'for the present time' or 'for a single occasion or purpose'; in cryptography, a number used only once, e.g. to make each run of a protocol distinct and to defeat replay.
137. non-repudiation: A property of a cryptosystem. Non-repudiation cryptosystems are those in which the users cannot deny actions they performed.
138. NP-complete: An NP problem is NP-complete if any other NP problem can be reduced to it in polynomial time.
139. NSA: National Security Agency. A security-conscious U.S. government agency whose mission is to decipher and monitor foreign communications.
140. one-time pad: A secret-key cipher in which the key is a truly random sequence of bits that is as long as the message itself, and encryption is performed by XORing the message with the key. This is unbreakable in the information-theoretic sense, provided the key is truly random, kept secret and never reused.
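The one-time pad of entry 140, as an added example that is not part of the original assignment. The two 14-byte messages are constructed inputs. The block shows the property that makes the pad unbreakable (any ciphertext is consistent with any plaintext of the same length, so there is always a key that "explains" it) and the failure mode that the "never reused" condition guards against: two ciphertexts under the same key XOR to the XOR of the plaintexts, and a known first message then yields the second outright.

```python
"""One-time pad: perfect secrecy and the two-time-pad failure (added example)."""
import secrets


def otp_keygen(length):
    """A fresh, truly random key exactly as long as the message."""
    return secrets.token_bytes(length)


def otp_xor(data, key):
    """Encrypt and decrypt are the same operation: bytewise XOR with the key."""
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the data")
    return bytes(a ^ b for a, b in zip(data, key))


def key_explaining(ciphertext, candidate_plaintext):
    """Perfect secrecy: for ANY candidate plaintext of the right length there
    is a key that decrypts the ciphertext to it, so the ciphertext alone
    gives an attacker no way to prefer one plaintext over another."""
    return otp_xor(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1, c2):
    """If one key was used twice, c1 XOR c2 == m1 XOR m2: the key cancels and
    the attacker is left with the XOR of the two plaintexts."""
    return otp_xor(c1, c2)


def recover_second_plaintext(c1, c2, known_m1):
    """Key reuse plus one known (or guessed) plaintext exposes the other."""
    return otp_xor(two_time_pad_leak(c1, c2), known_m1)


if __name__ == "__main__":
    m1 = b"ATTACK AT DAWN"            # constructed messages, same length
    m2 = b"HOLD POSITIONS"
    key = otp_keygen(len(m1))
    c1 = otp_xor(m1, key)
    c2 = otp_xor(m2, key)            # mistake: same key twice
    print("any plaintext fits:", otp_xor(c1, key_explaining(c1, b"NOTHING TO SEE")))
    print("leaked second message:", recover_second_plaintext(c1, c2, m1))
```

In practice the key is the hard part: it must be as long as all traffic ever sent, delivered out of band and destroyed after use, which is why the pad is rare outside very high-value links and why stream ciphers (entry 195), which stretch a short key into a long keystream, inherit the same prohibition on keystream reuse.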
141. open standard: Publicly available specifications for achieving a specific task.
142. OpenBSD: OpenBSD is a freely available, BSD-based Unix-like operating system.
143. OpenPGP: The PGP design was adopted as an Internet standards-track specification known as OpenPGP.
144. OpenSSL: An open source implementation of the SSL and TLS protocols.
145. Optimal Asymmetric Encryption Padding (OAEP): A randomized padding scheme often used together with RSA encryption.
146. padding: Extra bits concatenated with a key, password, or plaintext.
147. Parses: Parsing is the process of analyzing an input sequence (read from a file or a keyboard, for example) in order to determine its grammatical structure with respect to a given formal grammar.
148. pass phrase: A sequence of words or other text used to control access to a computer system, program or data.
149. Password-authenticated key agreement: An interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.
150. PGP: A computer program which provides cryptographic privacy and authentication.
151. PGPfone: A secure voice system based on the popular PGP encryption package.
152. PKCS: Public Key Cryptography Standards.
153. plaintext: The data to be encrypted.
154. Plugin: A computer program that can, or must, interact with another program to provide a certain, usually very specific, function.
155. Pohlig-Hellman algorithm: An algorithm for the computation of discrete logarithms in a multiplicative group whose order is a smooth integer (one with only small prime factors).
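The Pohlig-Hellman reduction of entry 155, as an added example that is not part of the original assignment. It also covers entries 178 and 188 (safe primes and Sophie Germain primes), which are the standard countermeasure. The prime 65537 (with generator 3) is a constructed worst case: p - 1 = 2^16, so the logarithm is recovered one bit at a time by brute force in subgroups of order 2. Trial division and a CRT helper are included so the block runs stand-alone.

```python
"""Pohlig-Hellman: discrete logs are easy when the group order is smooth
(added example; parameters are constructed toy values)."""
from functools import reduce


def factor_trial(n):
    """Prime factorisation {prime: exponent} by trial division (toy sizes only)."""
    f = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    big_m = reduce(lambda x, y: x * y, moduli)
    total = 0
    for r, m in zip(residues, moduli):
        mi = big_m // m
        total += r * mi * pow(mi, -1, m)
    return total % big_m


def pohlig_hellman(h, g, p):
    """Solve g^x = h (mod p) for a generator g of the multiplicative group.

    For each prime power q^e dividing p - 1, project g and h into the
    subgroup of order q^e and recover x mod q^e digit by digit in base q;
    each digit needs at most q trials. The pieces are combined with the CRT.
    Total cost is about sum(e * q), not sqrt(p - 1)."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factor_trial(n).items():
        qe = q ** e
        g_sub = pow(g, n // qe, p)      # element of order q^e
        h_sub = pow(h, n // qe, p)      # = g_sub^(x mod q^e)
        gamma = pow(g_sub, q ** (e - 1), p)   # element of order q
        x = 0
        for k in range(e):
            # Strip the digits found so far, then collapse to the order-q subgroup.
            hk = pow(h_sub * pow(g_sub, -x, p) % p, q ** (e - 1 - k), p)
            digit = next(d for d in range(q) if pow(gamma, d, p) == hk)
            x += digit * q ** k
        residues.append(x)
        moduli.append(qe)
    return crt(residues, moduli)


def largest_subgroup(p):
    """Largest prime factor of p - 1: the attack's cost is governed by it.
    For a safe prime p = 2q + 1 this is q, so Pohlig-Hellman gains nothing."""
    return max(factor_trial(p - 1))


if __name__ == "__main__":
    p, g = 65537, 3                  # constructed: p - 1 = 2^16, fully smooth
    x = 12345
    print("recovered exponent:", pohlig_hellman(pow(g, x, p), g, p))
    print("largest subgroup of 65537:", largest_subgroup(p))
    print("largest subgroup of 23 (= 2*11 + 1, safe prime):", largest_subgroup(23))
```

This is the reason Diffie-Hellman parameters are generated from safe primes (or from a prime-order subgroup whose order is published and checked): with p - 1 = 2q the only small subgroup has order 2, and an attacker who forces a peer's public value into it learns at most one bit, which is the small-subgroup check implementations must perform on received values.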
156. power associative: A weak form of associativity.
157. primality tests: Tests that determine whether a number is prime. The practical ones (e.g. Miller-Rabin) are probabilistic and report a number as composite or probably prime; deterministic tests exist but are slower.
158. prime number: Any integer greater than 1 that is divisible only by 1 and itself. The first twelve primes are 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, and 37.
159. primitive: A primitive root modulo n is a concept from modular arithmetic in number theory: a generator of the multiplicative group of integers modulo n.
160. private key: In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used to create digital signatures.
161. probabilistic: An algorithm which is allowed to flip a truly random coin.
162. Probabilistic Signature Scheme: A provably secure way of creating signatures using the RSA algorithm.
163. protocol: A series of steps that two or more parties agree upon to complete a task.
164. public key: In public-key cryptography this key is made public to all; it is primarily used for encryption but is also used for verifying signatures.
165. public key infrastructure: An arrangement which provides for third-party vetting of, and vouching for, user identities.
166. public-key (asymmetric key) cryptography: Cryptography based on methods involving a public key and a private key.
167. quantum computer: A theoretical computer based on ideas from quantum theory; by operating on superpositions of states it can solve certain problems, such as factoring (see Shor's algorithm), far faster than any known classical method.
168. Rabin systems: The Rabin cryptosystem, a public-key scheme whose security is provably equivalent to integer factorization. Not to be confused with the Miller-Rabin primality test, an algorithm which determines whether a given number is (probably) prime.
169. random number generator: A computational or physical device designed to generate a sequence of numbers that does not have any easily discernible pattern, so that the sequence can be treated as being random.
170. Repudiation: The inverse of non-repudiation: a party denying an action it performed.
171. Retinal: The retina is a thin layer of cells at the back of the eyeball of vertebrates and some cephalopods.
172. RFC 3156: A Request for Comments (RFC), one of a series of notes about the Internet started in 1969; each RFC is designated by an RFC number. RFC 3156 specifies MIME security with OpenPGP (PGP/MIME).
173. rotor machines: An electro-mechanical device used for encrypting and decrypting secret messages.
174. RSA algorithm: A public-key cryptosystem based on the factoring problem. RSA stands for Rivest, Shamir and Adleman, the developers of the RSA public-key cryptosystem and the founders of RSA Data Security (now RSA Security).
175. RSA-PSS: A signature scheme based on the RSA cryptosystem which provides increased security assurance.
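Textbook RSA (entry 174) alongside the two properties this glossary names as weaknesses, deterministic encryption (entry 44) and malleability (entry 120), plus the matching weakness of "encrypt the digest with the private key" signatures (entry 51). This is an added example, not part of the original assignment. The primes 2^31 - 1 and 2^61 - 1 are constructed demo values (real moduli are 2048 bits or more), and the unpadded operations shown are exactly what OAEP (entry 145) and PSS (entries 162, 175) exist to fix.

```python
"""Textbook RSA is deterministic and malleable (added example)."""
import math

# Constructed demo primes: both are Mersenne primes, so the key generation
# below is exact. Never use primes this small in practice.
P_DEMO = 2**31 - 1
Q_DEMO = 2**61 - 1


def rsa_keygen(p=P_DEMO, q=Q_DEMO, e=65537):
    """Key pair: public (n, e), private (n, d) with e*d == 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def is_deterministic(pub, m):
    """Same key, same plaintext, same ciphertext: equal messages are visible."""
    return rsa_encrypt(pub, m) == rsa_encrypt(pub, m)


def forge_related_ciphertext(pub, c, factor):
    """Malleability: from Enc(m) alone, build Enc(m * factor mod n), because
    (m^e)(factor^e) == (m * factor)^e mod n. No private key needed."""
    n, e = pub
    return c * pow(factor, e, n) % n


def textbook_sign(priv, digest):
    """Entry 51 taken literally: 'encrypt' the digest with the private key."""
    return rsa_decrypt(priv, digest)


def textbook_verify(pub, digest, sig):
    return rsa_encrypt(pub, sig) == digest


def existential_forgery(pub, s):
    """Choose the signature first: s is a valid signature on digest s^e mod n,
    which is why real schemes pad the digest (PSS) before exponentiation."""
    n, e = pub
    return pow(s, e, n), s


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    m = 123456789
    c = rsa_encrypt(pub, m)
    print("round trip ok:", rsa_decrypt(priv, c) == m)
    print("deterministic:", is_deterministic(pub, m))
    print("forged 3*m:", rsa_decrypt(priv, forge_related_ciphertext(pub, c, 3)))
    digest, sig = existential_forgery(pub, 424242)
    print("forged signature verifies:", textbook_verify(pub, digest, sig))
```

The forged "digest" is a random-looking number rather than the hash of a meaningful message, so the forgery matters when the verifier accepts raw numbers; the point is that without structured padding the public-key operation alone proves nothing about who chose the value.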
176. S/MIME: Secure Multipurpose Internet Mail Extensions.
177. S/WAN: Secure Wide Area Network.
178. safe prime: A safe prime is a prime number of the form 2p + 1, where p is also a prime.
179. Seahorse: A GNOME front-end application for managing PGP keys, written by Jacob Perkins.
180. secret key: In secret-key cryptography, this is the key used both for encryption and decryption.
181. security token: A hardware token or cryptographic token is a physical device that an authorized user of computer services is given to aid in authentication.
182. semantically secure: A widely-used definition of security for an asymmetric key encryption algorithm: whatever an adversary can compute about the plaintext from the ciphertext, it could compute without the ciphertext. Meeting it requires randomized (non-deterministic) encryption.
183. session key: A key for symmetric-key cryptosystems which is used for the duration of one message or communication session.
184. SHA-1 hash functions: SHA-1 is one of a set of related cryptographic hash functions (the Secure Hash Algorithm family).
185. Shor's algorithm: A quantum algorithm for factoring a number N in O((log N)^3) time and O(log N) space.
186. SILC: SILC (protocol) provides secure conferencing services over the Internet.
187. software token: Unlike hardware tokens, software tokens run on your PC or on a separate multi-purpose device.
188. Sophie Germain prime: A prime number p is called a Sophie Germain prime if 2p + 1 is also prime.
189. SPEKE: Simple Password Exponential Key Exchange.
190. spoofing: Also sometimes used to refer to header forgery, the insertion of false or misleading information in email or netnews headers.
191. square-and-multiply algorithm: An algorithm used for the fast computation of large integer powers of a number x, scanning the bits of the exponent and squaring at each bit, with an extra multiplication for each 1 bit.
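The square-and-multiply algorithm of entry 191, as an added example that is not part of the original assignment; it also illustrates modular exponentiation (entry 128) and Hamming weight (entry 93), since the number of extra multiplications is the Hamming weight of the exponent minus one. The optional trace argument and the exponent_from_trace function are my addition to show the practitioner's caveat: if the square/multiply pattern is observable (timing, power), the private exponent leaks, which is why production implementations use constant-time exponentiation.

```python
"""Square-and-multiply modular exponentiation, with its side channel
(added example)."""


def square_and_multiply(base, exp, mod, trace=None):
    """Left-to-right binary exponentiation: base^exp mod mod.

    Processes the exponent from its most significant bit. Every bit after
    the first costs one squaring; every 1 bit costs one extra multiplication.
    If trace is a list, 'S' and 'M' are appended in the order performed."""
    if exp < 0:
        raise ValueError("negative exponents are not handled here")
    if mod == 1:
        return 0
    base %= mod
    if exp == 0:
        return 1
    bits = bin(exp)[2:]
    result = base                      # leading bit is always 1
    for bit in bits[1:]:
        result = result * result % mod
        if trace is not None:
            trace.append("S")
        if bit == "1":
            result = result * base % mod
            if trace is not None:
                trace.append("M")
    return result


def operation_count(exp):
    """(squarings, multiplications) for exp >= 1:
    bit length - 1 squarings, Hamming weight - 1 multiplications."""
    return exp.bit_length() - 1, bin(exp).count("1") - 1


def exponent_from_trace(trace):
    """An observer who sees only the S/M pattern recovers the exponent:
    'S' followed by 'M' is a 1 bit, a lone 'S' is a 0 bit (exp >= 1)."""
    bits = ["1"]
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("malformed trace")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


if __name__ == "__main__":
    secret_exponent = 0b1101         # 13; imagine an RSA private exponent d
    ops = []
    print("4^13 mod 497 =", square_and_multiply(4, 13, 497, trace=ops))
    print("operations:", "".join(ops), operation_count(secret_exponent))
    print("exponent recovered from trace:", exponent_from_trace(ops))
```

Python's built-in pow(base, exp, mod) is the right tool for real use; the point of writing the loop out is to see that the branch on each bit, not the arithmetic, is what an attacker measures.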
192. SRP: Secure Remote Password Protocol.
193. SSL: Secure Socket Layer. A protocol used for secure Internet communications.
194. standard security protocols: Widely adopted cryptographic protocols (such as SSL/TLS and IPsec), i.e. abstract or concrete protocols that perform a security-related function and apply cryptographic methods.
195. stream ciphers: A secret-key encryption algorithm that operates on a bit (or byte) at a time, combining the plaintext with a keystream derived from the key.
196. STS: The Station-to-Station (STS) protocol is a cryptographic key agreement protocol that adds authentication to Diffie-Hellman.
197. Subgroups: A subset H of a group (G, *) which remains a group when the operation * is restricted to H is called a subgroup of G.
198. subset sum problem: A problem where one is given a set of numbers and needs to find a subset that sums to a particular value.
199. substitution ciphers: A method of encryption by which units of plaintext are substituted with ciphertext according to a fixed table.
200. super-encipherment: Refers to a situation where an encrypted message is then encrypted again using the same encryption system or a different system. This is also called cascading encryption.
201. symmetric key algorithms: A class of algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption.
202. symmetric key cipher: An encryption algorithm in which the same key is used for encryption and decryption.
203. symmetric (secret-key) cryptography: Other names for symmetric-key encryption are single-key and private-key encryption.
204. Telex: A global teleprinter network, called the Telex network.
205. Thunderbird: Thunderbird is a free, cross-platform email and news client developed by the Mozilla Foundation.
206. TLS: Transport Layer Security Protocol.
207. traffic analysis: Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication.
208. transposition ciphers: A method of encryption that rearranges the positions of the plaintext characters according to a fixed scheme without changing the characters themselves (to decrypt, the reverse permutation is applied). Contrast substitution ciphers, which change each character into another.
209. Trapdoor: A one-way function that has an easy-to-compute inverse if you know certain secret information. This secret information is called the trapdoor.
210. Triple DES: A block cipher formed from the Data Encryption Standard (DES) cipher by using it three times.
211. trusted third party: An entity which facilitates interactions between two parties who both trust the third party.
212. TWIRL: A hypothetical hardware device designed to speed up the sieving step of the general number field sieve integer factorization algorithm.
213. two-factor authentication: Any authentication protocol that requires two independent ways to establish identity and privileges.
214. Twofish: A symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
215. Web of trust: A concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and a user.
216. web traffic: The amount of data sent and received by visitors to a web site.
217. Weil pairing: A construction of roots of unity by means of functions on an elliptic curve.
218. Zimmermann Telegram: A telegram dispatched by the Foreign Secretary of the German Empire, Arthur Zimmermann.