Security in Communication Networks WS‘00/01
3. Public Key Cryptography

Contents
• Number theory and algebraic foundations
  → Modular arithmetic
  → Prime numbers
  → Multiplicative inverse modulo n
• Classical public-key cryptography
  → Encryption and Digital Signatures
  → RSA
  → Rabin cryptosystem
  → Diffie-Hellman cryptosystem
  → ElGamal cryptosystem
  → Merkle-Hellman cryptosystem
• "Modern" public-key cryptography
  → Multiprime cryptosystem
  → Elliptic Curves

Number theory and algebraic foundations
• Modular arithmetic
  – Rings
  – Modular addition, multiplication, and exponentiation
• Prime numbers
  – Multiplicative inverse
  – Euclidean algorithm
  – Fermat's Theorem and Euler's Theorem
  – Miller-Rabin algorithm

Modular arithmetic
Number theory provides the basic knowledge needed to understand how and why public key algorithms work.
→ Necessary concepts for understanding public key algorithms
→ Most public key algorithms are based on modular arithmetic
Modular arithmetic
→ Operates on a ring (Zn, +, ⋅), where
  • Zn is the set of non-negative integers smaller than some positive integer n
  • +: Zn × Zn → Zn is a function that
    – is associative and commutative
    – has a neutral element 0 ∈ Zn
    – has an inverse element x^-1 for each x ∈ Zn, i.e. x + x^-1 = 0
  • ⋅: Zn × Zn → Zn is an associative function (it is not necessarily commutative)
  • + and ⋅ satisfy left and right distributivity
→ Needed for public key cryptography: addition, multiplication, exponentiation
→ Computations of these functions are performed modulo n

Arithmetic operations modulo n (1)
Arithmetic computing modulo n
→ Arithmetic operations are performed as usual, but the result is replaced by its remainder when divided by n (e.g. 3 + 9 = 12 ≡ 2 mod 10)
Modular addition
• Given: c = x + k mod n, with c, x, k ∈ Zn
  → if x + k < n : c = x + k
  → if x + k ≥ n : c = j, where x + k = i ⋅ n + j and j < n
• Can be used to encrypt digits: each number x out of a range of numbers is unambiguously mapped onto another number c from this range
• Addition table modulo 10 (row x, column k, entry x + k mod 10):

  +  0 1 2 3 4 5 6 7 8 9
  0  0 1 2 3 4 5 6 7 8 9
  1  1 2 3 4 5 6 7 8 9 0
  2  2 3 4 5 6 7 8 9 0 1
  3  3 4 5 6 7 8 9 0 1 2
  4  4 5 6 7 8 9 0 1 2 3
  5  5 6 7 8 9 0 1 2 3 4
  6  6 7 8 9 0 1 2 3 4 5
  7  7 8 9 0 1 2 3 4 5 6
  8  8 9 0 1 2 3 4 5 6 7
  9  9 0 1 2 3 4 5 6 7 8

• Caesar Cipher: add a constant k to each number
• Decryption needs subtraction. This can be replaced by an addition of the inverse value

Arithmetic operations modulo n (2)
Modular multiplication
• Given: c = x ⋅ k mod n, with c, x, k ∈ Zn
  → if x ⋅ k < n : c = x ⋅ k
  → if x ⋅ k ≥ n : c = j, where x ⋅ k = i ⋅ n + j and j < n
• Multiplication table modulo 10 (row x, column k, entry x ⋅ k mod 10):

  *  0 1 2 3 4 5 6 7 8 9
  0  0 0 0 0 0 0 0 0 0 0
  1  0 1 2 3 4 5 6 7 8 9
  2  0 2 4 6 8 0 2 4 6 8
  3  0 3 6 9 2 5 8 1 4 7
  4  0 4 8 2 6 0 4 8 2 6
  5  0 5 0 5 0 5 0 5 0 5
  6  0 6 2 8 4 0 6 2 8 4
  7  0 7 4 1 8 5 2 9 6 3
  8  0 8 6 4 2 0 8 6 4 2
  9  0 9 8 7 6 5 4 3 2 1

• Encryption only works with special keys k
• Example for n = 10: only k ∈ {1, 3, 7, 9} is usable as (simple) cipher key
  → only for these values the mapping is unambiguous
  → for other values of k, an information loss occurs
• Only use keys k relatively prime to n
  → k and n share no common factor other than 1
• Decryption works by multiplication of the cipher text c with the multiplicative inverse k^-1, i.e. k ⋅ k^-1 = 1 mod n (e.g. 7^-1 = 3 mod 10, because 7 ⋅ 3 = 1 mod 10)
  → A multiplicative inverse for n = 10 only exists for 1, 3, 7, and 9
Arithmetic operations modulo n (3)
Modular exponentiation
• Given: c = x^k mod n, with c, x, k ∈ Zn
  → if x^k < n : c = x^k
  → if x^k ≥ n : c = j, where x^k = i ⋅ n + j and j < n
• Note the difference to modular multiplication: x^k mod n ≠ x^(k + n) mod n, i.e. the exponent cannot simply be reduced mod n
• Encryption only works with special keys k
• Decryption needs an inverse k^-1 with (x^k)^(k^-1) = x
  But: the inverse k^-1 does not exist in every case
• Exponentiation table modulo 10 (row x, column y, entry x^y mod 10):

  x^y  0 1 2 3 4 5 6 7 8 9
  0    1 0 0 0 0 0 0 0 0 0
  1    1 1 1 1 1 1 1 1 1 1
  2    1 2 4 8 6 2 4 8 6 2
  3    1 3 9 7 1 3 9 7 1 3
  4    1 4 6 4 6 4 6 4 6 4
  5    1 5 5 5 5 5 5 5 5 5
  6    1 6 6 6 6 6 6 6 6 6
  7    1 7 9 3 1 7 9 3 1 7
  8    1 8 4 2 6 8 4 2 6 8
  9    1 9 1 9 1 9 1 9 1 9

Finding modular inverses
• Finding multiplicative inverses to x is a very time consuming process
• If x has 100 digits, no Brute Force attack is possible
• Useful: x relatively prime to n → a multiplicative inverse x^-1 mod n exists
• Computing the multiplicative inverse by the Euclidean Algorithm
Euclidean algorithm
→ Determines the greatest common divisor (gcd) of x and n
→ Given x and n, it finds a y with x ⋅ y = 1 mod n (if one exists)
→ If x is relatively prime to n: gcd(x, n) = 1
→ Idea:
  • Replace x and n with smaller numbers with the same gcd
  • If one number becomes zero, the other one is the gcd
→ Faster algorithm:
  • The smaller the numbers are, the faster the computation of the gcd is
  • Replace the bigger number with its remainder when divided by the smaller number

The Euclidean algorithm
The algorithm
• Note: gcd(0, y) = y
• In general: if d denotes a divisor of x and y
  ⇒ x = i ⋅ d, y = j ⋅ d
  ⇒ x - y = i ⋅ d - j ⋅ d = (i - j) ⋅ d
  ⇒ If x > y, replace gcd(x, y) with gcd(x - y, y)
• Efficiency: x and y should be as small as possible
  Assume d is the maximum of all divisors (achieved by division x mod y)
  ⇒ gcd(x, y) = gcd(x mod y, y)
• If y > x, exchange x and y
Example: gcd(6, 14)?
→ gcd(6, 14 - 6) → gcd(6, 8) → gcd(6, 2) → gcd(4, 2) → gcd(2, 2) → gcd(2, 0) → = 2

Pseudocode:

  FUNCTION INT GCD(INT X, INT Y)
  BEGIN
    INT R2 = X;
    INT R1 = Y;
    INT Q;                 // quotient; only needed for the extended algorithm below
    INT HELP;
    WHILE (R1 > 0)
    BEGIN
      Q = R2 / R1;
      HELP = R1;
      R1 = R2 % R1;        // (R2 mod R1)
      R2 = HELP;
    END
    RETURN R2;
  END

Multiplicative inverse by Euclidean algorithm
How to find a multiplicative inverse x^-1 to x mod n, such that x ⋅ x^-1 = 1 mod n, with the Euclidean algorithm?
• Multiplicative inverse for x mod n: a u exists with u ⋅ x = 1 mod n
  ⇒ u ⋅ x differs from 1 by a multiple of n
  ⇒ There is a v with u ⋅ x + v ⋅ n = 1
  Computing gcd(x, n) can also produce such a v and u, if gcd(x, n) = 1
  ⇒ If gcd(x, n) = 1, u is the multiplicative inverse to x
• Could there be more than one u mod n with u ⋅ x = 1 mod n?
  → Suppose: m ⋅ x = 1 mod n
  ⇒ m ⋅ x ⋅ u = u mod n
  But u ⋅ x = 1 mod n
  ⇒ m ⋅ 1 = u mod n
  ⇒ m = u

Computing the multiplicative inverse
• Initialisation: u_-2 = 1, v_-2 = 0, u_-1 = 0, v_-1 = 1, r_-2 = x, r_-1 = y, i = 0
• Repeat: if r_(i-1) = 0 ⇒ gcd(x, y) = r_(i-2), else divide r_(i-2) by r_(i-1) to get quotient q_i and remainder r_i
• Keep track of: u_i = u_(i-2) - q_i ⋅ u_(i-1), v_i = v_(i-2) - q_i ⋅ v_(i-1)
• Example (x = 407, y = 595):

  i     -2    -1     0     1     2     3     4     5
  q_i                0     1     2     6    15     2
  r_i  407   595   407   188    31     2     1     0
  u_i    1     0     1    -1     3   -19   288  -595
  v_i    0     1     0     1    -2    13  -197   407

  r_5 = 0 ⇒ gcd(407, 595) = r_4 = 1, multiplicative inverse u_4 (= 407^-1 mod 595) = 288

Finding prime numbers
Problem with the Euclidean algorithm: how to find x mod n with gcd(x, n) = 1?
• Naive method: divide x by all numbers ≤ n ⇒ takes longer than a lifetime
• Practical solutions: there is no hundred per cent certainty that a large number is prime
• But: there are tests for determining that a number is probably prime
→ Use the properties
  1.) gcd(x, n) = 1 if x and n are relatively prime (x and n are relatively prime if there are integers u and v with u ⋅ x + v ⋅ n = 1)
  2.) Φ(n), the totient function, denotes the number of integers relatively prime to n

The Euler function Φ(n)
Computing Φ(n)
• If n is prime ⇒ all numbers 1, ..., n - 1 are relatively prime to n ⇒ Φ(n) = n - 1
• If n is a product of primes p and q
  ⇒ There are p ⋅ q candidates for numbers relatively prime to n
  ⇒ But among them there are p multiples of q and q multiples of p
  ⇒ (p + q - 1) numbers are not relatively prime to n
  ⇒ Φ(n) = p ⋅ q - (p + q - 1) = (p - 1) ⋅ (q - 1)
• If n is a prime or a product of different primes
  ⇒ x^y mod n = x^(y mod Φ(n)) mod n
• Example for n = 10 (= 5 ⋅ 2)
  → Relatively prime to n: {1, 3, 7, 9}
  ⇒ Φ(n) = (5 - 1) ⋅ (2 - 1) = 4
  ⇒ Column i + 4 is the same as column i
• Important special case: y = 1 mod Φ(n)
  ⇒ for any x: x^y = x^(1 mod Φ(n)) = x mod n
• Table of x^y mod 10 (row x, column y):

  x^y  0 1 2 3 4 5 6 7 8 9
  0    0 0 0 0 0 0 0 0 0 0
  1    1 1 1 1 1 1 1 1 1 1
  2    1 2 4 8 6 2 4 8 6 2
  3    1 3 9 7 1 3 9 7 1 3
  4    1 4 6 4 6 4 6 4 6 4
  5    1 5 5 5 5 5 5 5 5 5
  6    1 6 6 6 6 6 6 6 6 6
  7    1 7 9 3 1 7 9 3 1 7
  8    1 8 4 2 6 8 4 2 6 8
  9    1 9 1 9 1 9 1 9 1 9

Euler's Theorem and Fermat's Theorem
Euler's Theorem
For any a relatively prime to n holds: a^Φ(n) = 1 mod n
If n is prime: Φ(n) = n - 1. In this case:
Fermat's Theorem
If n is a prime and 0 < a < n ⇒ a^(n - 1) = 1 mod n
→ Good rule for determining primes
→ But: what about n with a^(n - 1) = 1 mod n, where n is no prime?
→ Find primes by a simple prime test
  - Choose an a with a < n and compute a^(n - 1) mod n
  - If the result is not 1, n is no prime
  - If the result is 1, n may be a prime (e.g., if n has 100 digits, the probability for n to be no prime is 10^-13)
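As an added example (not from the lecture slides), the Euclidean algorithm, its extended form with the u_i / v_i bookkeeping from the slides, the multiplicative inverse, and Euler's totient for a product of two distinct primes, in Python; the function names are my own.

```python
def gcd(x: int, y: int) -> int:
    """Euclidean algorithm: gcd(x, y) = gcd(y, x mod y), gcd(d, 0) = d."""
    while y > 0:
        x, y = y, x % y
    return x


def extended_gcd(x: int, y: int):
    """Extended Euclidean algorithm with the slides' bookkeeping.

    Returns (g, u, v, trace) with u*x + v*y = g = gcd(x, y).  trace lists the
    rows (i, q_i, r_i, u_i, v_i) the slides tabulate, starting with the
    initialisation rows i = -2 and i = -1 (which have no quotient).
    """
    # Initialisation: u_-2 = 1, v_-2 = 0, r_-2 = x; u_-1 = 0, v_-1 = 1, r_-1 = y
    u2, v2, r2 = 1, 0, x
    u1, v1, r1 = 0, 1, y
    trace = [(-2, None, r2, u2, v2), (-1, None, r1, u1, v1)]
    i = 0
    while r1 != 0:
        q, r = divmod(r2, r1)        # r_{i-2} = q_i * r_{i-1} + r_i
        u = u2 - q * u1              # u_i = u_{i-2} - q_i * u_{i-1}
        v = v2 - q * v1              # v_i = v_{i-2} - q_i * v_{i-1}
        trace.append((i, q, r, u, v))
        u2, v2, r2 = u1, v1, r1
        u1, v1, r1 = u, v, r
        i += 1
    # r_{i-1} = 0, so gcd(x, y) = r_{i-2} with coefficients u_{i-2}, v_{i-2}
    return r2, u2, v2, trace


def has_inverse(x: int, n: int) -> bool:
    """x has a multiplicative inverse mod n exactly when gcd(x, n) = 1."""
    return gcd(x, n) == 1


def mod_inverse(x: int, n: int) -> int:
    """x^-1 mod n via the extended Euclidean algorithm (u*x + v*n = 1 => u = x^-1)."""
    g, u, _v, _trace = extended_gcd(x, n)
    if g != 1:
        raise ValueError(f"{x} has no inverse mod {n}: gcd is {g}")
    return u % n                     # bring u into the range 0..n-1


def phi_two_primes(p: int, q: int) -> int:
    """Euler's totient for n = p*q with distinct primes p and q: (p-1)*(q-1)."""
    return (p - 1) * (q - 1)


def euler_check(a: int, n: int, phi_n: int) -> bool:
    """Euler's theorem: a^phi(n) = 1 mod n for every a relatively prime to n."""
    return pow(a, phi_n, n) == 1


if __name__ == "__main__":
    print("gcd(6, 14) =", gcd(6, 14))
    g, u, v, trace = extended_gcd(407, 595)
    print("  i   q_i   r_i   u_i   v_i")
    for i, q, r, ui, vi in trace:
        qs = "" if q is None else str(q)
        print(f"{i:3} {qs:>5} {r:5} {ui:5} {vi:5}")
    print("407^-1 mod 595 =", mod_inverse(407, 595))
    print("7^-1 mod 10 =", mod_inverse(7, 10))
    print("phi(10) =", phi_two_primes(5, 2))
```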
Prime tests
→ If the simple prime test fails:
  - A cryptosystem like RSA might fail, a message cannot be decrypted
  - An attacker might be able to compute keys more easily
→ "Solution": test n with other values for a
Problem: Carmichael numbers (very rare)
  - no primes, but for all a holds: a^(n - 1) = 1 mod n
  Some Carmichael numbers:
    561 = 3 ⋅ 11 ⋅ 17
    1105 = 5 ⋅ 13 ⋅ 17
    41041 = 7 ⋅ 11 ⋅ 13 ⋅ 41
    825265 = 5 ⋅ 7 ⋅ 17 ⋅ 19 ⋅ 73
→ Enhanced prime test is needed: Miller-Rabin prime test
→ Improved method to find prime numbers
→ Probabilistic prime test
→ Basic foundation: for a prime n holds:
  1.) n - 1 can always be expressed as 2^b ⋅ c, where c is an odd number
  2.) each square root (modulo n) of 1 can only be ±1 (e.g. 4 is a square root of 1 mod 15, because 4 ⋅ 4 = 16 = 1 mod 15, thus 15 cannot be a prime)

Miller-Rabin algorithm
• Use Fermat's theorem: a^(n - 1) = 1 mod n
• Pick a random number n and test if it is prime
• Test n by division by smaller primes to speed up the process
• If you think a prime has been found: pick an a at random
• Miller-Rabin algorithm:

  compute r = a^c mod n
  if r = 1 mod n            // is the first square root of 1 already 1?
    ⇒ n is prime
  else                      // else: a^(n-1) can only become 1 by squaring -1 in
    for i = 0 to b - 1 do   // one of the b square operations
      if r = -1 mod n       // test on allowed square root: because the result before
        ⇒ n is prime        // was not 1, it can only become 1 by squaring -1.
      else                  // Search for a -1
        r = r^2 mod n       // prepare testing the next square root
    ⇒ n is not prime        // only non-allowed square roots found
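Added example (not from the slides): the simple Fermat test and one Miller-Rabin round exactly as laid out above, plus a wrapper that first divides by small primes and then runs several rounds with random bases; run on the slides' values n = 15 and n = 13 and on the Carmichael number 561, which passes the Fermat test but not Miller-Rabin.

```python
import random


def fermat_test(n: int, a: int) -> bool:
    """Simple prime test from the slides: a^(n-1) = 1 mod n?  True means 'maybe prime'."""
    return pow(a, n - 1, n) == 1


def split_power_of_two(m: int):
    """Write m = 2^b * c with c odd; returns (b, c)."""
    b = 0
    while m % 2 == 0:
        m //= 2
        b += 1
    return b, m


def miller_rabin_round(n: int, a: int) -> bool:
    """One Miller-Rabin round with base a, following the slides' algorithm.

    True: n passed ('possibly prime').  False: n is certainly composite.
    """
    b, c = split_power_of_two(n - 1)
    r = pow(a, c, n)
    if r == 1:                     # the first square root of 1 is already 1
        return True
    for _ in range(b):             # b squaring operations
        if r == n - 1:             # -1 mod n: an allowed square root of 1
            return True
        r = r * r % n              # prepare testing the next square root
    return False                   # only non-allowed square roots found


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Trial division by small primes, then `rounds` Miller-Rabin rounds with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n == p:
            return True
        if n % p == 0:
            return False
    # every composite below 41 has been caught above, so n >= 41 here
    return all(miller_rabin_round(n, random.randrange(2, n - 1)) for _ in range(rounds))


if __name__ == "__main__":
    print("n = 15, a = 5:", miller_rabin_round(15, 5))     # False: 5^7 = 5, 5^2 = 10
    print("n = 15, a = 4:", miller_rabin_round(15, 4))     # False: 4 is a root of 1
    print("n = 13, a = 5:", miller_rabin_round(13, 5))     # True: 8^2 = -1 mod 13
    print("561: Fermat", fermat_test(561, 2), "Miller-Rabin", miller_rabin_round(561, 2))
```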
Miller-Rabin algorithm - example
Choose n = 15 as a possible prime
→ n - 1 = 14 = 2 ⋅ 7 → b = 1, c = 7
→ Pick randomly a = 5
→ Compute a^c = 5^7 = 78125 = 5 mod 15 (this is neither 1 nor -1, and: 5^2 = 25 = 10 mod 15)
→ no prime found
Other variant: pick randomly a = 4
→ Compute 4^7 = 16384 = 4 mod 15 (this is neither 1 nor -1, and: 4^2 = 16 = 1 mod 15)
→ This means 4 is a square root of 1 mod 15 → no prime found
Choose n = 13 as a possible prime
→ n - 1 = 12 = 2^2 ⋅ 3 → b = 2, c = 3
→ Pick randomly a = 5
→ Compute 5^3 = 125 = 8 mod 13
→ Compute 8^2 = 64 = -1 mod 13
→ -1 is an allowed square root of 1, thus 13 is (possibly) prime
Other try: pick randomly a = 3
→ Compute 3^3 = 27 = 1 mod 13 → 13 is (possibly) prime

Factorising and discrete logarithm
The security of many public key algorithms is based on the difficulty of factorising and of computing discrete logarithms
Factorising
→ Find the prime factors of a given number
→ One of the oldest problems in number theory, very time consuming
→ Most popular method: Quadratic Sieve
Discrete logarithm
→ Problem of finding the inverse to modular exponentiation: find an x with a^x = b mod n for given a and b
→ Not all discrete logarithms have solutions
→ Very time consuming process to find solutions for big numbers
→ Frequently used method: Index-Calculus method

Classical public-key cryptography
• Encryption and Digital Signatures
• RSA
• Public-key cryptography standard (PKCS)
• Rabin cryptosystem
• Diffie-Hellman cryptosystem
• ElGamal cryptosystem
• Merkle-Hellman cryptosystem
Principles of public key cryptography
→ Also called asymmetric cryptography
→ Unlike secret key cryptography, keys are not shared
→ Working with two keys
  • A private key d (known only to the owner)
  • A public key e (known by possibly everyone)
→ Public key cryptography principle:
  plaintext → encryption with public key e → cipher text → decryption with private key d → plaintext
  (by a "trapdoor" function)
→ Slower than secret key cryptography
→ More easily configurable
→ Often combined with secret key cryptography: authentication and distribution of the secret key

Digital signatures and Authentication
Digital signature
→ Associates a number with a message, like a checksum
→ Can only be generated by using the private key d (= decryption)
→ Readable for everyone knowing the public key e (= encryption)
→ Similar to a hand-written signature (authenticity without the chance to forge it)
  plaintext → signing with private key d → signed message → verification with public key e → plaintext
Authentication
→ A generates a random number and encrypts it with the public key of B
→ B decrypts the message with its private key and sends the random number back to A
→ If A gets back the original random number, B is authenticated

Purposes of public key algorithms
• Secret key algorithms: all algorithms do things similarly
• Public key algorithms: algorithms differ considerably
• Examples:
  → RSA for encryption and digital signatures
  → ElGamal and DSS for digital signatures
  → Diffie-Hellman for establishment of a shared secret, but no algorithms for how to use the secret
  → Zero knowledge proof systems for authentication
• Common concept of all algorithms
  → Pair of related quantities (public resp. private)
RSA
Developed by Rivest, Shamir, and Adleman
• Purpose: encryption and decryption of data
• Variable key length
  → Long key used for high security needs
  → Short key used for efficient encryption processes
  → Common key length: 512 bit
• Variable plaintext length
  → Must be shorter than the key
• Cipher text blocks
  → Get the length of the key
• Much slower than secret key algorithms like DES or IDEA
  → Only used for short messages
  Important purpose: transmission of secret keys

RSA key generation
Generating a public key and a corresponding private key
1.) Choose two large primes p and q of 256 bit each (p and q must be kept secret!)
2.) Compute n = p ⋅ q (n is public, but factorisation into p and q is computationally infeasible)
3.) Compute Φ(n) = (p - 1) ⋅ (q - 1)
4.) Choose e relatively prime to Φ(n) (e is public)
5.) Find d with d ⋅ e = 1 mod Φ(n) (d is the multiplicative inverse to e; d is secret)
⇒ <e, n> is the public key
⇒ <d, n> is the private key
Why do these keys work?
We use modular arithmetic (mod n) with p ⋅ q = n
⇒ Φ(n) = (p - 1) ⋅ (q - 1)
d and e were chosen such that d ⋅ e = 1 mod Φ(n)
Because n is a product of distinct primes, for all x
⇒ x^(d ⋅ e) = x^(1 mod Φ(n)) = x mod n

Usage of RSA
1.) Encryption and decryption
→ Encrypt message m using the public key of the receiver: c = m^e mod n =: x^e
→ Decrypt cipher text c with the private key of the receiver: m = c^d mod n
→ Result of the decryption process: (x^e)^d = x^(d ⋅ e) = x mod n (= x, because x < n)
2.) Digital signature
→ Similar to the encryption/decryption process
→ Sender encrypts message m with his private key: s = m^d mod n
→ Each receiver can read the signed message using the public key of the sender: m = s^e mod n

Security of RSA
Why is RSA (relatively) secure?
→ Breaking RSA means finding d from knowing e and n
• Attacker only knows: d is the inverse of e mod Φ(n) (as an exponent)
• Simple approach: knowing p and q you can compute Φ(n) (this is a kind of trapdoor)
• However: an attacker does not know p and q
• Attacker needs to factorise n to obtain p and q
  → Factorising large numbers is difficult
  → The best algorithms are too slow
  → And: a Brute Force attack is less efficient than factorising
But it is possible to misuse RSA
→ Assume that an attacker knows the possible contents of a message from A
→ The attacker could encrypt candidate messages with the public key e_A and compare them with the cipher text
→ If a match is found, the attacker has found the message

Efficiency of RSA (1)
RSA uses large numbers
→ Need for some tricks to speed up computations
Example: n = 678, d = 54, x = 123 (678 is no product of two primes, this is only an example of how the calculation is made)
→ For encryption, compute 123^54 mod 678
→ Naive process:
  1.) Compute r = 123^54 (about 100 digits)
  2.) Compute r mod 678
→ Very time consuming for these numbers, and for RSA the numbers have to be in the range of about 150 digits...
→ A reduction of the number of computation steps is necessary

Efficiency of RSA (2)
Reduction of the number of steps:
1.) Reduce the result after each multiplication step
  123^2 = 123 ⋅ 123 = 15129 = 213 mod 678
  123^3 = 123 ⋅ 123^2 = 123 ⋅ 213 = 26199 = 435 mod 678
  123^4 = 123 ⋅ 123^3 = 123 ⋅ 435 = 53505 = 621 mod 678
  ...
  → Only 54 multiplications and 54 reductions needed
  → Still unacceptable for the size of numbers used in RSA
2.) Using the computation rule for n = m + m: x^n = x^(m + m) = x^m ⋅ x^m
  123^2 = 123 ⋅ 123 = 15129 = 213 mod 678
  123^4 = 123^2 ⋅ 123^2 = 213 ⋅ 213 = 45369 = 621 mod 678
  123^8 = 123^4 ⋅ 123^4 = 621 ⋅ 621 = 385641 = 537 mod 678
  ...

Efficiency of RSA (3)
3.) Computing exponents which are not a power of 2
→ Need for intermediate steps: compute x^(2y + 1) from x^(2y)
→ When to perform such an additional step? Consider 54 = 110110 in binary. It consists of the sequence of prefixes: 1, 11, 110, 1101, 11011, 110110
→ Each time a sequence element is twice the preceding element or one more.
  • If 'twice the preceding element': double the exponent (and reduce mod 678)
  • If 'one more': double the exponent and multiply with x (and reduce mod 678)
→ 123^54 = (((((123)^2 ⋅ 123)^2)^2 ⋅ 123)^2 ⋅ 123)^2 = 87 mod 678
  (bits of 54 from left to right: 1 1 0 1 1 0)
→ 8 multiplications and 8 reductions (divisions by 678) necessary
→ The number of multiplications and reductions increases linearly with the length of the exponent in bit
→ Efficient method for RSA

How to determine p, q, e and d
1.) Finding big primes p and q
  • For a 10-digit number, the chance of finding a prime is 1 in 23
  • For a 100-digit number, the chance is only 1 in 230
  → Pick random numbers until you find a prime
  → Use Fermat's theorem and the Rabin-Miller algorithm to test if a random number is prime
2.) Finding d and e for p and q
  → Choose e relatively prime to (p - 1) ⋅ (q - 1)
    a.) by choosing e at random and testing if it is relatively prime to (p - 1) ⋅ (q - 1)
    b.) by choosing e first and then determining matching p and q
  → RSA is not less secure if always the same e is chosen
  → If e is small or its binary representation has few '1's, the operations for encryption and signature verification become much more efficient
  → Use the Euclidean algorithm to determine d with e ⋅ d = 1 mod Φ(n)
  Notice: do not choose a small d; d is a secret, thus it should be hard to determine
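Added example (not the slides' code): left-to-right square-and-multiply that records the exponent prefix sequence the slides describe (1, 11, 110, ... for 54), applied to 123^54 mod 678, and a toy RSA key setup, encryption, decryption and signature with the small constructed primes p = 61, q = 53 and e = 17 (key sizes far below the 512 bit of the slides, for readability only).

```python
import math


def mod_pow_trace(x: int, k: int, n: int):
    """x^k mod n by scanning the bits of k from the most significant bit.

    Returns (result, steps); steps lists (exponent reached, intermediate value)
    after each bit, i.e. the prefix sequence 1, 11, 110, ... of the slides.
    """
    result, exponent, steps = 1, 0, []
    for bit in bin(k)[2:]:                  # binary digits, MSB first
        result = result * result % n        # 'twice the preceding element'
        exponent *= 2
        if bit == "1":                      # 'one more': multiply with x
            result = result * x % n
            exponent += 1
        steps.append((exponent, result))
    return result, steps


def rsa_keygen(p: int, q: int, e: int = 65537):
    """RSA key pair from primes p, q: public <e, n>, private <d, n>."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)                     # multiplicative inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub) -> int:
    """c = m^e mod n; the message must be shorter than the modulus."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return mod_pow_trace(m, e, n)[0]


def rsa_decrypt(c: int, priv) -> int:
    """m = c^d mod n."""
    d, n = priv
    return mod_pow_trace(c, d, n)[0]


def rsa_sign(m: int, priv) -> int:
    """s = m^d mod n (raw signature as on the slides, no padding)."""
    d, n = priv
    return mod_pow_trace(m, d, n)[0]


def rsa_verify(m: int, s: int, pub) -> bool:
    """Check s^e mod n = m."""
    e, n = pub
    return mod_pow_trace(s, e, n)[0] == m


if __name__ == "__main__":
    value, steps = mod_pow_trace(123, 54, 678)
    print("123^54 mod 678 =", value)         # 87
    for exponent, partial in steps:
        print(f"  123^{exponent:<3} mod 678 = {partial}")
    pub, priv = rsa_keygen(61, 53, 17)
    print("public", pub, "private", priv)    # (17, 3233) (2753, 3233)
    c = rsa_encrypt(65, pub)
    print("encrypt(65) =", c, "decrypt ->", rsa_decrypt(c, priv))
    print("signature ok:", rsa_verify(65, rsa_sign(65, priv), pub))
```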
Using small public keys (1)
Let e be a small constant
→ Public key operations become faster, while private key operations remain unchanged
→ Popular values for e are 3 and 65537
e = 3
→ Maximises performance
→ Apparently it does not weaken the security of RSA (when some practical constraints on its use are considered)
→ Problems with e = 3
  • Small messages m with m^3 < n: then m^3 mod n = m^3
    → Problem: it only takes the cubic root to decrypt
    → Solution: pad the message with a random number before encryption
  • If a message is sent to 3 or more receivers, m can be derived from the three encrypted values and the public keys of the receivers
  • Find p and q so that 3 is relatively prime to (p - 1) ⋅ (q - 1) (practical problem, because there are many numbers that 3 is not relatively prime to)

Using small public keys (2)
e = 65537
• Is equal to 2^16 + 1, and it is prime
• The binary representation contains only two '1's
  → Only 17 multiplications are necessary to compute any m^e
  → Much faster than the 768 (on average) multiplications necessary for a randomly chosen 512 bit value
• The problems mentioned for e = 3 are avoided

Public Key Cryptography Standard (PKCS)
How could different implementations interwork?
→ Standards for the encoding of information that will be encrypted or signed
Public Key Cryptography Standard
→ Set of standards PKCS#1 - PKCS#9
→ Definition of the encoding of RSA public keys, RSA private keys, RSA signatures, short RSA-encrypted messages (typically secret keys), and short RSA-signed messages (typically a message digest).
→ Designed to deal with
  • Encrypting guessable messages
  • Signing smooth numbers
  • Multiple recipients of a message for e = 3
  • For e = 3, encrypting messages that are less than a third of the length of n
  • For e = 3, signing messages where the information is in the high-order part

Example: PKCS#1 (1)
PKCS#1 (encryption)
→ Standard format for messages to be encrypted with RSA
Consists of
• Preceding 0: the message remains smaller than the modulus
• 2: denotes a message which is to be encrypted
• Random bytes (padding):
  – Each byte is chosen independently to make it harder to guess the message
  – Independent padding for each recipient
  – Makes the message long enough to avoid problems with m^3 < n for e = 3
• Next 0: marks the beginning of the data
  Block layout: 0 | 2 | ≥ 8 random non-zero bytes | 0 | data

Example: PKCS#1 (2)
PKCS#1 (signature)
→ Standard format for messages to be signed with RSA
→ Data are typically a Message Digest of 128 Bit ⇒ Padding is required
Consists of:
• Preceding 0: the message remains smaller than the modulus
• 1: denotes a message which is to be signed
• Padding bytes: make the data bigger than 128 byte
• Next 0: marks the beginning of the data
• Digest type: standardises how to tell another party which digest function was used
  Block layout: 0 | 1 | ≥ 8 bytes of ff16 | 0 | digest type and message digest

Rabin cryptosystem
Rabin cryptosystem
→ "Secure" because of the difficulty of finding square roots modulo a composite number
→ Nearly as difficult as factorising large numbers
Rabin algorithm
• Choose primes p and q, both congruent to 3 mod 4
  → p and q form the private key
  → n = p ⋅ q is the public key
• Encryption of a message m in the range {0, ..., n - 1}: c = m^2 mod n
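Added example (my own code, not taken from the PKCS#1 specification) that builds and parses the two PKCS#1 block layouts described above exactly as the slides lay them out, with a strict parser that rejects a wrong leading byte, a wrong block type, fewer than 8 padding bytes, or non-ff padding in a signature block; it also shows why the padding defeats the cubic-root problem for e = 3 with a constructed 512 bit modulus size.

```python
import os


def pkcs1_encrypt_block(data: bytes, modulus_len: int) -> bytes:
    """Block type 2: 0 | 2 | >= 8 random non-zero bytes | 0 | data."""
    pad_len = modulus_len - 3 - len(data)
    if pad_len < 8:
        raise ValueError("data too long: fewer than 8 padding bytes would remain")
    padding = bytearray()
    while len(padding) < pad_len:
        byte = os.urandom(1)
        if byte != b"\x00":                  # each byte independent and non-zero
            padding += byte
    return b"\x00\x02" + bytes(padding) + b"\x00" + data


def pkcs1_sign_block(digest_info: bytes, modulus_len: int) -> bytes:
    """Block type 1: 0 | 1 | >= 8 bytes of ff | 0 | digest type and digest."""
    pad_len = modulus_len - 3 - len(digest_info)
    if pad_len < 8:
        raise ValueError("digest info too long: fewer than 8 padding bytes would remain")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + digest_info


def pkcs1_parse_block(block: bytes, modulus_len: int):
    """Validate a block and return (block_type, data); raise ValueError on any defect."""
    if len(block) != modulus_len or block[0] != 0:
        raise ValueError("block must be modulus-length and start with a 0 byte")
    block_type = block[1]
    if block_type not in (1, 2):
        raise ValueError(f"unknown block type {block_type}")
    try:
        separator = block.index(0, 2)        # first 0 after the type byte
    except ValueError:
        raise ValueError("missing 0 separator before the data") from None
    padding = block[2:separator]
    if len(padding) < 8:
        raise ValueError("fewer than 8 padding bytes")
    if block_type == 1 and any(b != 0xFF for b in padding):
        raise ValueError("signature padding must consist of ff bytes")
    return block_type, block[separator + 1:]


def is_valid_block(block: bytes, modulus_len: int) -> bool:
    """True when pkcs1_parse_block accepts the block."""
    try:
        pkcs1_parse_block(block, modulus_len)
        return True
    except ValueError:
        return False


def cube_root_recoverable(m: int, n: int) -> bool:
    """For e = 3: if m^3 < n the modular reduction never happens and the
    plaintext is simply the integer cube root of the cipher text."""
    return m ** 3 < n


if __name__ == "__main__":
    modulus_len = 64                          # 512 bit modulus, as on the slides
    n_example = 2 ** 511                      # constructed lower bound for such a modulus
    key = b"session key"                      # constructed sample payload
    raw = int.from_bytes(key, "big")
    padded = int.from_bytes(pkcs1_encrypt_block(key, modulus_len), "big")
    print("unpadded m^3 < n:", cube_root_recoverable(raw, n_example))       # True
    print("padded   m^3 < n:", cube_root_recoverable(padded, n_example))    # False
    print(pkcs1_parse_block(pkcs1_encrypt_block(key, modulus_len), modulus_len))
```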
Decryption in the Rabin cryptosystem
• Decryption is more complex
  → The receiver knows p and q
  → Solve the two congruences using the so-called Chinese remainder theorem
  → Compute:
    t1 = c^((p + 1) / 4) mod p
    t2 = p - c^((p + 1) / 4) mod p
    t3 = c^((q + 1) / 4) mod q
    t4 = q - c^((q + 1) / 4) mod q
  → Choose integers a = q ⋅ (q^-1 mod p) and b = p ⋅ (p^-1 mod q)
  → Possible solutions are
    m1 = (a ⋅ t1 + b ⋅ t3) mod n
    m2 = (a ⋅ t1 + b ⋅ t4) mod n
    m3 = (a ⋅ t2 + b ⋅ t3) mod n
    m4 = (a ⋅ t2 + b ⋅ t4) mod n
  → One of these results equals m
• If m is normal text, it is no problem to find the right mi
• Otherwise, add a known header to m before encryption

Diffie-Hellman cryptosystem
• Oldest public key cryptosystem
• Offers better performance than RSA
• Less general than RSA (does neither encryption nor signatures)
Why is it called a cryptosystem?
• Only purpose: two persons can agree upon a secret number (e.g. a shared key), which cannot be computed by intercepting the publicly exchanged messages
• After the exchange of two public messages both communication partners A and B know a secret number
• Having agreed on a secret number, A and B can use a cryptosystem (e.g. DES) to communicate
⇒ Diffie-Hellman is actually used for key establishment
• Remaining problem: no authentication between the partners

Diffie-Hellman algorithm
Algorithm for key establishment
→ Choose a prime p with 512 bit
→ Choose a number g < p with some restrictions
  • p and g are public!
→ A randomly chooses a 512 bit number Sa and computes Ta = g^Sa mod p
→ B randomly chooses a 512 bit number Sb and computes Tb = g^Sb mod p
  • Sa and Sb are secret
→ A and B exchange Ta and Tb
→ A computes kAB = Tb^Sa mod p = g^(Sa ⋅ Sb) mod p
→ B computes kAB = Ta^Sb mod p = g^(Sa ⋅ Sb) mod p
  • A and B both compute the same secret key g^(Sa ⋅ Sb)
But it is practically impossible to calculate Sa from knowing Ta
It is impossible to compute g^(Sa ⋅ Sb) fast enough knowing only Ta and Tb
→ due to the difficulty of computing discrete logarithms, i.e. computing Sa from knowing g^Sa

Bucket-Brigade attack on Diffie-Hellman
Problem in Diffie-Hellman: no authentication between A and B
→ If A obtains Tb, she cannot know for sure whether Tb comes from B
Bucket-Brigade attack
• An attacker O obtains Ta and establishes a common secret with A
• Attack method: p and g are publicly known
  → A sends g^Sa to O (but believes it is sent to B)
  → O computes g^So and sends it to B
  → B computes g^Sb and sends it to O
  → O sends g^So back to A
  → O establishes kAO and kBO
  → A and B communicate via O
  Example values (g^Sa = 8389, g^So = 5876, g^Sb = 9267):
    A ---- 8389 ----> O ---- 5876 ----> B
    A <--- 5876 ----- O <--- 9267 ----- B
    shared key kAO: 5876^Sa = 8389^So
    shared key kBO: 9267^So = 5876^Sb
⇒ Diffie-Hellman is only secure against passive attacks (i.e. just watching messages)
⇒ Protection against active attacks: use a trustworthy and public location to publish g^Si for all persons i in advance
Diffie-Hellman for encryption
Encryption algorithm using Diffie-Hellman
• Each participant chooses a private key Si
• Each participant computes a public key <p, g, Ti> with Ti = g^Si mod p
• Publish all public keys at a trusted public place
• Assume B publishes <p, g, Tb>
• A computes kAB = Tb^Sa mod p
• A uses kAB as secret key with B to compute a cipher text
• A transmits the cipher text and g^Sa mod p to B
• B computes kAB to decrypt the message
⇒ The secret key is transmitted only together with the message
For better security, p and g should have these properties:
• p should be a strong prime number, i.e. (p - 1) / 2 is prime, too
• It is desirable to have g^x ≠ 1 mod p for x ≠ 0 mod (p - 1) (if p is a strong prime number, this is true for all g ≠ -1 mod p with g^((p - 1) / 2) = -1 mod p)
• But: this is a costly way of choosing p and g!

ElGamal cryptosystem
• Mainly used for digital signatures
• Secure because of the difficulty of calculating discrete logarithms in a finite field
• Uses the same kind of key as Diffie-Hellman
• Additionally provides a scheme for signatures
→ each person has a long-term key
  – public key: <g, p, T>
  – private key: S with g^S mod p = T
→ For each message m to be signed a new key pair Sm, <g, p, Tm> has to be generated
→ For the message m to be signed, compute a message digest dm = MD(m | Tm)
→ Compute the signature X = Sm + dm ⋅ S mod (p - 1)
→ Transmit m together with X and Tm
→ To verify the signature, compute g^X, dm, and Tm ⋅ T^dm mod p
  Check: g^X = g^(Sm + dm ⋅ S) = g^Sm ⋅ g^(dm ⋅ S) = Tm ⋅ T^dm mod p
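Added example (not from the slides) covering the Diffie-Hellman exchange and the ElGamal signature above: the strong-prime and generator checks the slides ask for, the two-sided key agreement, and ElGamal signing/verification with d_m = MD(m | T_m). The parameters p = 23, g = 5 are constructed toy values (p = 23 is a strong prime and 5^11 = -1 mod 23); SHA-256 stands in for the unspecified message digest MD.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 23 is a strong prime ((p - 1) / 2 = 11 is
# prime) and g = 5 satisfies g^((p - 1) / 2) = -1 mod p, as the slides require.
P, G = 23, 5


def is_prime(n: int) -> bool:
    """Trial division; sufficient for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_strong_prime(p: int) -> bool:
    """p and (p - 1) / 2 are both prime."""
    return is_prime(p) and is_prime((p - 1) // 2)


def is_good_generator(g: int, p: int) -> bool:
    """Slides' condition for a strong prime p: g != -1 and g^((p-1)/2) = -1 mod p,
    which gives g^x != 1 mod p for every x != 0 mod (p - 1)."""
    return g % p != p - 1 and pow(g, (p - 1) // 2, p) == p - 1


def dh_keypair(p: int = P, g: int = G):
    """Private S_i (random) and public T_i = g^S_i mod p."""
    s = secrets.randbelow(p - 2) + 1           # 1 <= S_i <= p - 2
    return s, pow(g, s, p)


def dh_shared_key(their_t: int, my_s: int, p: int = P) -> int:
    """k_AB = T_b^S_a mod p on A's side, T_a^S_b mod p on B's side."""
    return pow(their_t, my_s, p)


def dh_exchange_agrees(p: int = P, g: int = G) -> bool:
    """Full exchange with fresh random keys: both sides end with the same k_AB."""
    s_a, t_a = dh_keypair(p, g)
    s_b, t_b = dh_keypair(p, g)
    return dh_shared_key(t_b, s_a, p) == dh_shared_key(t_a, s_b, p)


def message_digest(m: bytes, t_m: int, p: int = P) -> int:
    """d_m = MD(m | T_m), reduced mod (p - 1) so it can be used as an exponent."""
    t_bytes = t_m.to_bytes((p.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(m + t_bytes).digest(), "big") % (p - 1)


def elgamal_sign(m: bytes, s_long: int, s_m: int, p: int = P, g: int = G):
    """Signature (X, T_m); s_m is the per-message secret and must be fresh every time."""
    t_m = pow(g, s_m, p)                        # T_m = g^S_m mod p
    d_m = message_digest(m, t_m, p)
    x = (s_m + d_m * s_long) % (p - 1)          # X = S_m + d_m * S mod (p - 1)
    return x, t_m


def elgamal_verify(m: bytes, x: int, t_m: int, t_long: int, p: int = P, g: int = G) -> bool:
    """Check g^X = T_m * T^d_m mod p."""
    d_m = message_digest(m, t_m, p)
    return pow(g, x, p) == t_m * pow(t_long, d_m, p) % p


if __name__ == "__main__":
    print("p strong prime:", is_strong_prime(P), " g ok:", is_good_generator(G, P))
    print("DH both sides agree:", dh_exchange_agrees())
    s_long = 7                                  # A's long-term private key (constructed)
    t_long = pow(G, s_long, P)                  # A's long-term public key T
    x, t_m = elgamal_sign(b"pay 10 EUR", s_long, 3)
    print("signature", (x, t_m), "verifies:", elgamal_verify(b"pay 10 EUR", x, t_m, t_long))
```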
Digital Signature Standard (DSS)
Digital Signatures with DSS
→ The DSS algorithm is called Digital Signature Algorithm (DSA)
→ Algorithm to create digital signatures based on ElGamal
→ Difference to ElGamal is the speed of operations (3 times faster): instead of using a p of 512 bit, for some operations only a prime q of 160 bit is used, for which p = k ⋅ q + 1 holds.
Note: using ElGamal means generating a key pair <Sm, Tm> for each message m which has to be signed
• If a pair of keys is used for two different messages, it would expose the signer's private key
  → With only two uses, Sm can be deduced
  → By knowing Sm, the secret key S can easily be computed

Digital Signature Algorithm
Digital Signature Algorithm
→ Generate and publish a 512-bit prime p and a 160-bit prime q with p = k ⋅ q + 1
→ Generate and publish a g with g^q = 1 mod p (use Fermat's theorem). Notice: g must not be 1
→ Generate a long-term public/private key pair <T, S> as in ElGamal
→ For each message m generate a separate key pair <Tm, Sm> by choosing an Sm and computing Tm = ((g^Sm mod p) mod q)
→ For m, compute the message digest dm
→ Compute the signature X = Sm^-1 ⋅ (dm + S ⋅ Tm) mod q
→ Transmit m, Tm, and X
Signature verification
→ Calculate the mod q inverse of the signature, X^-1
→ Calculate the message digest dm
→ Calculate x = dm ⋅ X^-1 mod q and y = Tm ⋅ X^-1 mod q
→ Calculate z = (g^x ⋅ T^y mod p) mod q
→ If z = Tm, the signature is verified
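Added example (my own code, not the DSS text): DSA signing and verification exactly in the form given above, with toy parameters constructed for this page (q = 11, p = 23 = 2 ⋅ q + 1, g = 5^((p - 1)/q) mod p = 2, so g^q = 1 mod p and g ≠ 1). Signing takes the digest d_m as an integer; the helper digest_mod_q uses SHA-256 as a stand-in for the unspecified digest, and dsa_sign_fresh draws a new S_m per message and retries when T_m or X comes out 0.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 11, p = 23 = 2 * q + 1.
Q, P = 11, 23


def dsa_generator(p: int, q: int, h: int) -> int:
    """g = h^((p-1)/q) mod p satisfies g^q = h^(p-1) = 1 mod p (Fermat); g must not be 1."""
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h^((p-1)/q) = 1 mod p: choose another h")
    return g


G = dsa_generator(P, Q, 5)                      # 5^2 mod 23 = 2


def digest_mod_q(m: bytes, q: int = Q) -> int:
    """Message digest d_m reduced mod q (SHA-256 stands in for the digest function)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def dsa_sign(d_m: int, s_long: int, s_m: int, p: int = P, q: int = Q, g: int = G):
    """(T_m, X) with T_m = (g^S_m mod p) mod q and X = S_m^-1 * (d_m + S * T_m) mod q."""
    if not 0 < s_m < q:
        raise ValueError("per-message key S_m must lie in 1..q-1")
    t_m = pow(g, s_m, p) % q
    x = pow(s_m, -1, q) * (d_m + s_long * t_m) % q      # pow(.., -1, q): Python 3.8+
    if t_m == 0 or x == 0:
        raise ValueError("degenerate per-message key, choose a new S_m")
    return t_m, x


def dsa_sign_fresh(d_m: int, s_long: int, p: int = P, q: int = Q, g: int = G):
    """Fresh random S_m for every message (reusing one exposes S); retry on degenerate values."""
    while True:
        try:
            return dsa_sign(d_m, s_long, secrets.randbelow(q - 1) + 1, p, q, g)
        except ValueError:
            continue


def dsa_verify(d_m: int, t_m: int, x: int, t_long: int, p: int = P, q: int = Q, g: int = G) -> bool:
    """z = (g^(d_m X^-1) * T^(T_m X^-1) mod p) mod q must equal T_m."""
    if not (0 < t_m < q and 0 < x < q):
        return False
    w = pow(x, -1, q)                                    # X^-1 mod q
    u1 = d_m * w % q                                     # x = d_m * X^-1 mod q
    u2 = t_m * w % q                                     # y = T_m * X^-1 mod q
    z = pow(g, u1, p) * pow(t_long, u2, p) % p % q
    return z == t_m


if __name__ == "__main__":
    s_long = 3                                           # long-term private key (constructed)
    t_long = pow(G, s_long, P)                           # long-term public key T = 8
    print("g =", G, " T =", t_long)
    print("sign(d_m=4, S_m=7) =", dsa_sign(4, s_long, 7))          # (2, 3)
    print("verify:", dsa_verify(4, 2, 3, t_long))                   # True
    d_m = digest_mod_q(b"hello")
    print("fresh signature verifies:", dsa_verify(d_m, *dsa_sign_fresh(d_m, s_long), t_long))
```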
Merkle-Hellman cryptosystem
The Knapsack Problem
Pack a knapsack optimally with n objects of different weights a1, ..., an and overall size g
→ Search for a vector (ki), ki ∈ {0, 1} for i = 1, ..., n with Σ(i = 1..n) ai ⋅ ki = g
  This is an NP hard problem
Merkle-Hellman cryptosystem
→ Based on the knapsack problem
→ Special type of knapsack problem: "superincreasing"
  The sizes of the objects form a fast growing sequence with a(i+1) > Σ(j = 1..i) aj
  ⇒ There is a solution in O(n): start with the biggest object, find a new smaller knapsack with one object less

Merkle-Hellman in cryptography
Principle:
→ Use a simple Knapsack problem as private key and transform it into a hard one which is used as public key.
A message m = (m1, m2, ..., mn, ...) is seen as a solution for the problem, i.e. if mi = 1, mi is in the knapsack
Example:
→ A chooses a simple Knapsack problem a with a = (ai) = (2, 5, 9, 21, 45, 103, 215, 450, 946) as secret key (a superincreasing sequence; the knapsack can be packed very easily)
→ A chooses a prime p = 2003 and a number k = 1289
→ A generates a hard Knapsack problem e = (ei) with ei = k ⋅ ai mod p
  ⇒ e = (575, 436, 1586, 1030, 1921, 569, 721, 1183, 1570) (not superincreasing)
→ B encrypts a message m = (1, 0, 1, 1, 0, 0, 1, 1, 1) to A by using e
  ⇒ c = 1 ⋅ 575 + 0 ⋅ 436 + 1 ⋅ 1586 + 1 ⋅ 1030 + 0 ⋅ 1921 + 0 ⋅ 569 + 1 ⋅ 721 + 1 ⋅ 1183 + 1 ⋅ 1570 = 6665 (this value is transmitted)
→ A computes g = k^-1 ⋅ c mod p = 317 ⋅ 6665 mod 2003 = 1643
→ A solves 1643 for (ai) by repeatedly choosing the biggest fitting number in (ai), till 1643 is reached
  (2, 5, 9, 21, 45, 103, 215, 450, 946) ⇒ 1 0 1 1 0 0 1 1 1
⇒ The original message is given by the chosen elements of a
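Added example (not from the slides) that runs the Merkle-Hellman example above end to end: the superincreasing check, the transformation into the public knapsack e_i = k ⋅ a_i mod p, encryption of the bit vector, and the greedy O(n) solver used for decryption; the requirement Σ a_i < p (needed so that k^-1 ⋅ c mod p equals the real subset sum) is enforced as an extra check.

```python
SECRET_KNAPSACK = (2, 5, 9, 21, 45, 103, 215, 450, 946)   # superincreasing, from the slides
PRIME_P, MULTIPLIER_K = 2003, 1289


def is_superincreasing(seq) -> bool:
    """Every element exceeds the sum of all elements before it."""
    total = 0
    for a in seq:
        if a <= total:
            return False
        total += a
    return True


def make_public_knapsack(a, p: int, k: int):
    """Hard public knapsack e_i = k * a_i mod p from the easy secret one."""
    if not is_superincreasing(a):
        raise ValueError("secret knapsack must be superincreasing")
    if sum(a) >= p:
        raise ValueError("p must exceed the sum of the secret knapsack")
    return tuple(k * a_i % p for a_i in a)


def encrypt_bits(bits, e) -> int:
    """c = sum of the public weights selected by the message bits."""
    if len(bits) != len(e):
        raise ValueError("message length must match the knapsack size")
    return sum(b * e_i for b, e_i in zip(bits, e))


def solve_superincreasing(a, g: int):
    """Greedy solver: from the biggest a_i downwards, take it whenever it still fits.
    Returns the bit tuple, or None if g is not a subset sum."""
    bits = [0] * len(a)
    remaining = g
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= remaining:
            bits[i] = 1
            remaining -= a[i]
    return tuple(bits) if remaining == 0 else None


def decrypt(c: int, a, p: int, k: int):
    """g = k^-1 * c mod p, then solve the easy knapsack for g."""
    g = pow(k, -1, p) * c % p                  # pow(k, -1, p): Python 3.8+
    return solve_superincreasing(a, g)


if __name__ == "__main__":
    e = make_public_knapsack(SECRET_KNAPSACK, PRIME_P, MULTIPLIER_K)
    print("public knapsack:", e)
    message = (1, 0, 1, 1, 0, 0, 1, 1, 1)
    c = encrypt_bits(message, e)
    print("cipher text:", c)                                  # 6665
    print("k^-1 mod p =", pow(MULTIPLIER_K, -1, PRIME_P))     # 317
    print("decrypted:", decrypt(c, SECRET_KNAPSACK, PRIME_P, MULTIPLIER_K))
```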
Modern public key cryptosystems   46 / 59

• Classic public key cryptosystems are well analysed
• The performance of classic public-key cryptosystems is well known
• Security: classic public key cryptosystems are not perfectly secure, but computationally secure

Modern public key cryptosystems improve the classic ones:
• Performance: modern public key cryptosystems have a better performance than the classic ones
• Security: modern public key cryptosystems also offer better security (with the same key length)

Modern public key cryptosystems
• Multiprime Method
• Elliptic Curve Cryptosystems

Multiprime cryptosystem   47 / 59

The Multiprime cryptosystem
• Developed by COMPAQ in April 2000
• Based on the RSA cryptosystem
• Uses n primes instead of 2 primes
• Motivation: for usage in parallel processing environments

• The Chinese Remainder Theorem (CRT)
• Description of the cryptosystem
• Security considerations
• Performance data

The Chinese Remainder Theorem   48 / 59

Let m_1, ..., m_r be integers with gcd(m_j, m_k) = 1 for 1 ≤ j < k ≤ r, M = m_1 ⋅ … ⋅ m_r and a_1, ..., a_r integers.
Then the system of congruences x ≡ a_i (mod m_i) (1 ≤ i ≤ r) has a unique solution modulo M, which is given by
  x = ∑_{i=1}^{r} a_i ⋅ M_i ⋅ y_i mod M
where M_i = M / m_i and y_i = M_i^-1 mod m_i, for 1 ≤ i ≤ r

Example: r = 3, m_1 = 3, m_2 = 5, m_3 = 23, a_1 = 2, a_2 = 3, a_3 = 14, M = 345
Then M_1 = 115, y_1 = 1, M_2 = 69, y_2 = 4, M_3 = 15, y_3 = 20
  x = 2 ⋅ 115 ⋅ 1 + 3 ⋅ 69 ⋅ 4 + 14 ⋅ 15 ⋅ 20 mod 345 = 230 + 828 + 4200 mod 345 = 5258 mod 345 = 83

Recursive calculation of the CRT   49 / 59

Let m_1, ..., m_r be integers with gcd(m_j, m_k) = 1 for 1 ≤ j < k ≤ r, M = m_1 ⋅ … ⋅ m_r and a_1, ..., a_r integers.
Then the system of congruences x = y_r ≡ a_i (mod m_i) (1 ≤ i ≤ r) has a unique solution modulo M, which is calculated recursively:
  y_1 = a_1
  y_i = y_{i-1} + q_i ⋅ ((a_i – y_{i-1}) ⋅ q_i′ mod m_i), i = 2, ..., r,
where
  q_1 = 1, q_i = q_{i-1} ⋅ m_{i-1}, i = 2, ..., r,
  q_i′ = q_i^-1 mod m_i for i = 2, ..., r.

Example: r = 3, m_1 = 3, m_2 = 5, m_3 = 23, a_1 = 2, a_2 = 3, a_3 = 14
Then y_1 = 2, q_1 = 1, q_2 = 3, q_3 = 15, q_2′ = 2, q_3′ = 20
  y_2 = 2 + 3 ⋅ ((3 – 2) ⋅ 2 mod 5) = 8
  y_3 = 8 + 15 ⋅ ((14 – 8) ⋅ 20 mod 23) = 83
The Multiprime method: CRT and the RSA cryptosystem   50 / 59

d: private key, n = p ⋅ q, cipher text c
Pre-compute: d_p = d mod (p − 1), d_q = d mod (q − 1), q′ = q^-1 mod p
Compute: M_p = (c mod p)^d_p mod p, M_q = (c mod q)^d_q mod q
Compute: M = (((M_p − (M_q mod p)) ⋅ q′) mod p) ⋅ q + M_q mod n
Plaintext M

Security and performance of the Multiprime method   51 / 59

Security
• At the same length of n, the security decreases with the number of prime factors
• Otherwise, i.e. if the length of n increases with the number of prime factors, Multiprime is more secure

Performance
• The CRT method of RSA is four times faster than the normal RSA method
• A parallel implementation increases the throughput
• Let L be the length of the modulus. Then the time is proportional to L³/r³, where r is the number of primes. The computing time for RSA would be L³.

Elliptic Curves   52 / 59

• Elliptic curve cryptosystems provide security equivalent to classic public-key schemes
• Shorter key lengths ⇒ faster computing, less complex chips
  Example: an RSA chip to perform arithmetic in the field F_2^593 has about 100000 transistors. A chip to do arithmetic in F_2^m, m ≈ 200, would have 15000 transistors

Elliptic Curves - definition   53 / 59

Def.: Let p > 3 be prime.
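Both CRT formulations of slides 48-49 and the CRT decryption of slide 50, as an added example (not the lecture's code). The two-prime formula of slide 50 is the recursion run over the moduli (q, p); the example key below (primes 5, 11, 17 with e = 3) is constructed here, and the function extends the same idea to r primes as the Multiprime method does.

```python
from math import prod

def crt_direct(a, m):
    """Slide 48: x = sum(a_i * M_i * y_i) mod M with M_i = M / m_i, y_i = M_i^-1 mod m_i."""
    M = prod(m)
    x = 0
    for a_i, m_i in zip(a, m):
        M_i = M // m_i
        x += a_i * M_i * pow(M_i, -1, m_i)
    return x % M

def crt_recursive(a, m):
    """Slide 49: y_1 = a_1, y_i = y_{i-1} + q_i * ((a_i - y_{i-1}) * q_i' mod m_i)."""
    y, q = a[0] % m[0], 1
    for i in range(1, len(m)):
        q *= m[i - 1]                       # q_i = q_{i-1} * m_{i-1}
        q_inv = pow(q, -1, m[i])            # q_i' = q_i^-1 mod m_i
        y += q * (((a[i] - y) * q_inv) % m[i])
    return y                                # already reduced: 0 <= y < q_r * m_r = M

def rsa_crt_decrypt(c, d, primes):
    """Slide 50 generalised to r distinct primes: one short exponentiation per prime, then CRT."""
    if len(set(primes)) != len(primes):
        raise ValueError("primes must be distinct")
    # d_i = d mod (p_i - 1), M_i = (c mod p_i)^d_i mod p_i; these r steps can run in parallel.
    residues = [pow(c % p, d % (p - 1), p) for p in primes]
    return crt_recursive(residues, primes)

# Constructed three-prime RSA key (toy size): n = 5 * 11 * 17, e = 3, d = e^-1 mod phi(n).
PRIMES = [5, 11, 17]
N = prod(PRIMES)
PHI = prod(p - 1 for p in PRIMES)
E = 3
D = pow(E, -1, PHI)

def demo_roundtrip(message):
    """Encrypt with (e, n); decrypt once via the CRT path and once as plain c^d mod n."""
    c = pow(message, E, N)
    return rsa_crt_decrypt(c, D, PRIMES), pow(c, D, N)
```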
The elliptic curve y² = x³ + ax + b over Z_p is the set of solutions (x,y) ∈ Z_p × Z_p to the congruence
  y² ≡ x³ + ax + b (mod p),
where a, b ∈ Z_p are constants, so that 4a³ + 27b² ≢ 0 (mod p), together with a special point O called the point at infinity.
(Here: a set of solution points (x,y) instead of a curve, since everything is in Z_p = {0, ..., p-1})

Note:
• This definition can be used to define an elliptic curve over any field with characteristic ≠ 2, 3. If the field has characteristic 2 or 3, another definition is required.
• The point at infinity is similar to the identity element of an abelian group.

Elliptic Curves – definition of addition, i.e. operation ”+“   54 / 59

Let E be an elliptic curve over Z_p, P = (x_1, y_1), Q = (x_2, y_2).
If x_2 = x_1 and y_2 = -y_1, then P + Q := O; otherwise P + Q := (x_3, y_3), where
  x_3 = λ² – x_1 – x_2,   y_3 = λ(x_1 – x_3) – y_1
and
  λ = (y_2 - y_1) / (x_2 - x_1), if P ≠ Q
  λ = (3x_1² + a) / (2y_1), if P = Q
Finally, P + O = O + P = P.

Note: With this definition it can be shown that E is an abelian (commutative) group with the identity element O.

Elliptic Curve - example   55 / 59

Points on the elliptic curve y² = x³ + x + 6 over Z_11.

  x   x³+x+6 mod 11   in QR(11)?   y
  0   6               no           [no solution]
  1   8               no           [no solution]
  2   5               yes          4, 7
  3   3               yes          5, 6
  4   8               no           [no solution]
  5   4               yes          2, 9
  6   8               no           [no solution]
  7   4               yes          2, 9
  8   9               yes          3, 8
  9   7               no           [no solution]
 10   4               yes          2, 9

E = {O, (2,4), (2,7), (3,5), (3,6), (5,2), (5,9), (7,2), (7,9), (8,3), (8,8), (10,2), (10,9)}

Let α = (2,7).
(i.e. (x,y) = (3,5) and (x,y) = (3,6) are points on the elliptic curve)

Then:
   α = (2,7)
  2α = (5,2) = α + α
  3α = (8,3)
  4α = (10,2)
  5α = (3,6)
  6α = (7,9)
  7α = (7,2)
  8α = (3,5)
  9α = (10,9)
 10α = (8,8)
 11α = (5,9)
 12α = (2,4)
α is a primitive element. This elliptic curve is isomorphic to Z_13.

ElGamal encryption using elliptic curves   56 / 59

Theorem: Let E be an elliptic curve defined over Z_p, where p is prime, p > 3. There are integers n and m such that E is isomorphic to Z_n × Z_m. Moreover, m | n and m | (p – 1).

Notes:
• If the integers n and m can be computed, then E has a cyclic subgroup isomorphic to Z_n. This subgroup can be used as a setting for an ElGamal cryptosystem.
• If m = 1, then E is a cyclic group.
• If |E| is a prime or a product of distinct primes, then E is a cyclic group.

ElGamal encryption using elliptic curves - example   57 / 59

Let α = (2,7) and a = 5, so β = 5α = (3,6).
(α is public, a is secret, β is public; a can't be obtained from α and β in reasonable time (for large numbers))

The encryption operation is
  e_k(x,r) = (rα, x + rβ) = (y_1, y_2),
  e_k(x,r) = (r(2,7), x + r(3,6)), where x ∈ E and 0 ≤ r ≤ 12
  (r is random and need not be known for decryption!)
and the decryption operation is
  d_k(y_1, y_2) = y_2 – 5y_1    (the 5 is secret)

If Alice wants to send x = (7,9) to Bob, she chooses the random value r = 7.
She then computes
  y_1 = 7(2,7) = (7,2) and
  y_2 = (7,9) + 7(3,6) = (7,9) + (10,9) = (5,2).
Bob receives y = ((7,2),(5,2)) and obtains
  x = (5,2) – 5(7,2) = (5,2) – (10,9) = (5,2) + (10,2) = (7,9).

Menezes-Vanstone Elliptic Curve cryptosystem   58 / 59

Let E be an elliptic curve defined over Z_p, p > 3 prime, so that E contains a cyclic subgroup H in which the discrete log problem is intractable.
Let P = Z_p* × Z_p*, C = E × Z_p* × Z_p*, and define
  K = {(E, α, a, β) : β = aα}, where α ∈ E.
The values α and β are public, and a is secret.
For K = (E, α, a, β), for a (secret) random number k ∈ Z_|H|, and for x = (x_1, x_2) ∈ Z_p* × Z_p*, define
  e_K(x,k) = (y_0, y_1, y_2),
where y_0 = kα, (c_1, c_2) = kβ, y_1 = c_1 x_1 mod p, and y_2 = c_2 x_2 mod p.
For a ciphertext y = (y_0, y_1, y_2), define
  d_K(y) = (y_1 c_1^-1 mod p, y_2 c_2^-1 mod p), where a y_0 = (c_1, c_2).

Menezes-Vanstone Elliptic Curve cryptosystem - example   59 / 59

Let α = (2,7) and a = 5, so β = 5α = (3,6).
If Alice wants to send x = (x_1, x_2) = (9,1) to Bob (note: x is not a point on E), she chooses the random value k = 7.
She then computes
  y_0 = kα = 7(2,7) = (7,2),  kβ = 7(3,6) = (2,4) = (c_1, c_2)
  y_1 = 2 ⋅ 9 mod 11 = 7,  y_2 = 4 ⋅ 1 mod 11 = 4
Bob receives y = ((7,2), 7, 4) and computes
  (c_1, c_2) = a y_0 = 5(7,2) = (2,4)
  x = (x_1, x_2) = (y_1 c_1^-1 mod 11, y_2 c_2^-1 mod 11)
    = (7 ⋅ 2^-1 mod 11, 4 ⋅ 4^-1 mod 11)
    = (7 ⋅ 6 mod 11, 4 ⋅ 3 mod 11)
    = (9,1).
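The group law of slide 54, the multiples of α on slide 55, EC ElGamal (slides 56-57) and Menezes-Vanstone (slides 58-59) in one added example that is not the lecture's code. It uses the slides' curve y² = x³ + x + 6 over Z_11, α = (2,7) and a = 5, assumes the random r or k lies in 1..12, and computes every intermediate point with the group law itself (so kβ for k = 7 comes out as 7(3,6) = (10,9), as on slide 57).

```python
# Toy elliptic-curve arithmetic over Z_p for y^2 = x^3 + ax + b (p > 3), constructed for this example.
O = None  # the point at infinity, the group identity

def ec_add(P, Q, a, p):
    """Group law of slide 54: P + O = P, P + (-P) = O, otherwise the two lambda cases."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)  # tangent: (3x1^2 + a) / (2y1)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)         # chord: (y2 - y1) / (x2 - x1)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """k*P (k >= 0) by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

A, B, P_MOD = 1, 6, 11           # slide 55: y^2 = x^3 + x + 6 over Z_11
ALPHA, SECRET = (2, 7), 5
BETA = ec_mul(SECRET, ALPHA, A, P_MOD)  # public key beta = 5*alpha = (3,6)

def elgamal_encrypt(x, r):
    """Slide 57: e_k(x, r) = (r*alpha, x + r*beta) for a message point x in E."""
    return ec_mul(r, ALPHA, A, P_MOD), ec_add(x, ec_mul(r, BETA, A, P_MOD), A, P_MOD)

def elgamal_decrypt(y1, y2):
    """d_k(y1, y2) = y2 - a*y1, using -(x, y) = (x, -y)."""
    ay1 = ec_mul(SECRET, y1, A, P_MOD)
    return ec_add(y2, (ay1[0], -ay1[1] % P_MOD), A, P_MOD)

def mv_encrypt(x1, x2, k):
    """Slide 58: y0 = k*alpha, (c1, c2) = k*beta, y_i = c_i * x_i mod p; x need not lie on E."""
    c1, c2 = ec_mul(k, BETA, A, P_MOD)
    return ec_mul(k, ALPHA, A, P_MOD), c1 * x1 % P_MOD, c2 * x2 % P_MOD

def mv_decrypt(y0, y1, y2):
    """Recover (c1, c2) = a*y0 from the secret a and divide out: x_i = y_i * c_i^-1 mod p."""
    c1, c2 = ec_mul(SECRET, y0, A, P_MOD)
    return y1 * pow(c1, -1, P_MOD) % P_MOD, y2 * pow(c2, -1, P_MOD) % P_MOD
```

Running ec_mul(k, ALPHA, A, P_MOD) for k = 1..13 reproduces the multiples table of slide 55 and ends at O, confirming that α generates a group of order 13.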