Asymmetric Cryptography - Mississippi State University (web.cse.msstate.edu/~ramkumar/acrypt.pdf)
Outline: Mathematical Preliminaries | PKC | Digital Signatures
Asymmetric Cryptography
Mahalingam Ramkumar, Mississippi State University, MS
January 25, 2009
Ramkumar Asymmetric
Outline
1 Mathematical Preliminaries: Computing Modular Exponents; Euler-Phi Function; Fermat’s Little Theorem; Euler-Fermat’s Theorem
2 Public Key Cryptography: Diffie-Hellman; RSA Encryption; Primality Testing; El Gamal Cipher
3 Digital Signatures: RSA Signatures; El Gamal Signatures; RSA vs El Gamal; DSA; Security of PKC
Material Covered Earlier
1 Basic theorem of arithmetic (every number can be expressed as a product of prime powers), LCM, GCD.
2 Computing GCD using the Euclidean Algorithm (Chapter 4.3)
3 Modular arithmetic operations (Chapter 4.2)
4 Computing modular multiplicative inverse using extended Euclidean Algorithm (Chapter 4.4)
Notations
1 $a \mid b$ (a divides b; b = ka where k is an integer; $b \equiv 0 \bmod a$)
2 If $a \mid bc$, but $a \nmid b$ and $a \nmid c$, then a is not a prime.
3 If a prime $p \mid bc$ then $p \mid b$ or $p \mid c$ or both.
4 (x, y) - GCD of x and y. If (x, y) = 1, x and y are relatively prime or co-primes. A prime number is coprime to all numbers.
5 $Z_m = \{0, 1, \ldots, m-1\}$
6 $Z_p = \{0, 1, \ldots, p-1\}$ (p is a prime)
7 $Z_p^* = \{1, 2, \ldots, p-1\}$ (all elements of $Z_p$ except 0)
8 $Z_m$ is a ring. $Z_p$ is a field (as all elements have multiplicative inverses)
Ring vs Field
1 Consider the two equations
2x + 2y ≡ 22 mod 56
2x + 2y ≡ 22 mod 31
2 We cannot reduce the first one to x + y ≡ 11
3 We can reduce the second equation to x + y ≡ 11.
4 Why? (need to multiply by the multiplicative inverse of 2)
5 As all numbers have multiplicative inverses we can easily solve systems of linear equations in a field. Not so simple in rings.
Euclidean Algorithm
1 (See Chapters 4.3 and 4.4)
2 To compute GCD $(a_0, a_1)$ (assume $a_0 > a_1$)
3 $(a_0, a_1) = (a_1, a_2)$ where $a_0 \equiv a_2 \bmod a_1$
4 Recursively generate $(a_i, a_{i+1})$, $a_{i+1} < a_i$, where $a_{i-1} \equiv a_{i+1} \bmod a_i$, till the GCD can be trivially found.
5 Bezout’s Representation: If s = (m, a) we can write s as s = im + ja where i and j are integers.
6 The Bezout’s representation can be determined using the extended Euclidean algorithm.
7 If s = (m, a) = 1 we can write 1 = im + ja or ja = 1 − im or $ja \equiv 1 \bmod m$. Thus j is the multiplicative inverse of a in $Z_m$.
Extended Euclid Algorithm
d = (a, b) = ak + bl : Algorithm returns d, k, l

u=[a 1 0]
v=[b 0 1]
while (v(0) != 0) do
  y=floor(u(0)/v(0));
  w=u-y*v;
  u=v;
  v=w;
endwhile
d=u(0); k=u(1); l=u(2);

Trace for a=457, b=283:

u(0)  u(1)  u(2) | v(0)  v(1)  v(2)
 457     1     0 |  283     0     1
 283     0     1 |  174     1    -1
 174     1    -1 |  109    -1     2
 109    -1     2 |   65     2    -3
  65     2    -3 |   44    -3     5
  44    -3     5 |   21     5    -8
  21     5    -8 |    2   -13    21
   2   -13    21 |    1   135  -218
   1   135  -218 |    0  -283   457

1 = 135*457 + (-218)*283
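The extended Euclid update above, together with the ring-versus-field point from the earlier slide, as a runnable Python sketch. This is an added example, not part of the original slides; the function names are assumptions made here, and `solve_linear` goes one step further by returning every solution of a·t ≡ b mod m.

```python
def ext_euclid(a, b):
    """Return (d, k, l) with d = gcd(a, b) = a*k + b*l.

    Same row-vector update as the slide: u and v hold (value, k, l).
    """
    u, v = (a, 1, 0), (b, 0, 1)
    while v[0] != 0:
        y = u[0] // v[0]
        w = tuple(ui - y * vi for ui, vi in zip(u, v))
        u, v = v, w
    return u


def mod_inverse(a, m):
    """Multiplicative inverse of a in Z_m; it exists only when (a, m) = 1."""
    d, k, _ = ext_euclid(a % m, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd is {d})")
    return k % m


def solve_linear(a, b, m):
    """All t in Z_m with a*t ≡ b (mod m).

    In a field (m prime, a != 0) there is exactly one solution.
    In a ring there are gcd(a, m) solutions, or none at all.
    """
    d, k, _ = ext_euclid(a % m, m)
    if b % d != 0:
        return []
    step = m // d
    t0 = (k * (b // d)) % step
    return [t0 + i * step for i in range(d)]


if __name__ == "__main__":
    print(ext_euclid(457, 283))      # the slide's trace
    # Ring vs Field slide, with t = x + y:
    print(solve_linear(2, 22, 31))   # field: x + y is pinned to one value
    print(solve_linear(2, 22, 56))   # ring: two candidates, 2 is not invertible
```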
Square and Multiply Algorithm
1 See Figures 9.7 and 9.8 in the text.
2 Compute $y = a^x \bmod n$. Large a, x, n (say 300 digits long)
3 Let b(r) · · · b(0) be the binary representation of the exponent x (an r + 1 bit number)
4 Square and multiply algorithm requires r + 1 to 2(r + 1) multiplications (1000 to 2000 multiplications for 300 digit exponents)

z=1;
for i=r downto 0
  z=z*z mod n
  if (b(i) = 1)
    z = z*a mod n
  endif;
endfor;
Example: Compute $36^{43} \bmod 87$
x = 43 = 101011b; r = 5; a = 36; n = 87; z = 1;
1 $b_5 = 1$, z = 1: $z = z^2 a \equiv 36 \bmod 87$
2 $b_4 = 0$, z = 36: $z = z^2 \equiv 78 \bmod 87$
3 $b_3 = 1$, z = 78: $z = z^2 a \equiv 45 \bmod 87$
4 $b_2 = 0$, z = 45: $z = z^2 \equiv 24 \bmod 87$
5 $b_1 = 1$, z = 24: $z = z^2 a \equiv 30 \bmod 87$
6 $b_0 = 1$, z = 30: $z = z^2 a \equiv 36 \bmod 87$   (1)
$36^{43} \equiv 36 \bmod 87$
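The square and multiply loop in Python, returning the per-bit trace and the multiplication count so the r + 1 to 2(r + 1) range can be checked. This is an added example, not from the original slides; the Montgomery ladder variant and all function names are assumptions added here to show an exponentiation whose operation count does not depend on the exponent bits.

```python
def square_and_multiply(a, x, n):
    """Left-to-right binary exponentiation as on the slide.

    Returns (a^x mod n, value of z after each exponent bit, multiplications).
    """
    z, trace, mults = 1, [], 0
    for i in range(x.bit_length() - 1, -1, -1):
        z = z * z % n              # always square
        mults += 1
        if (x >> i) & 1:           # multiply only when the bit is 1
            z = z * a % n
            mults += 1
        trace.append(z)
    return z, trace, mults


def montgomery_ladder(a, x, n):
    """Same result, but one square and one multiply for every bit.

    The multiplication count then depends only on the exponent length,
    not on how many bits are set. (Python integers are still not
    constant-time; this only illustrates the operation pattern.)
    """
    r0, r1, mults = 1, a % n, 0
    for i in range(x.bit_length() - 1, -1, -1):
        if (x >> i) & 1:
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        mults += 2
    return r0, mults


if __name__ == "__main__":
    result, trace, mults = square_and_multiply(36, 43, 87)
    print(result, trace, mults)
    # Same length exponents, different number of set bits:
    for x in (0b100000, 0b101011, 0b111111):
        print(bin(x), square_and_multiply(36, x, 87)[2],
              montgomery_ladder(36, x, 87)[1])
```

The count from `square_and_multiply` varies with the number of 1 bits in the exponent, which matters when the exponent is a private key such as the RSA d.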
Euler-Phi Function
1 See Chapter 8.2 (Euler Totient)
2 Φ(m): the number of elements in $Z_m$ that are co-prime to m
3 In $Z_m$, Φ(m) elements have multiplicative inverses.
4 For m = p, Φ(p) = p − 1.
5 For m = pq (where p and q are primes) Φ(m) = (p − 1)(q − 1).
Example
1 p = 5, q = 7. m = 35. Φ(35) = (5 − 1)(7 − 1) = 24
2 5 multiples of 7 (0,7,14,21,28) and 7 multiples of 5 (0,5,10,15,20,25,30) are not relatively prime to 35
3 5+7-1 elements are not co-prime
4 35 - (5+7-1) = 24 numbers are co-prime to m (have multiplicative inverses).
5 More generally, for m = pq
6 p multiples of q and q multiples of p are not co-prime to m - a total of p + q − 1 elements (0 is common)
7 Φ(m) = pq − (p + q − 1) = (p − 1)(q − 1).
Fermat’s Little Theorem
1 See Chapter 8.2
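2 Applicable for $Z_p^*$
$$\forall a \in Z_p^*, \; a^p \equiv a \bmod p$$
$$\forall a \in Z_p^*, \; a^{p-1} \equiv 1 \bmod p$$
3 Proof: $aZ_p^*$ is simply a permutation of $Z_p^*$
$$\prod_{i=1}^{p-1} ai \equiv a^{p-1}(p-1)! \equiv \prod_{i=1}^{p-1} i \equiv (p-1)! \bmod p$$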
Why ...
1 is $aZ_p^*$ a permutation of $Z_p^*$?
2 We can easily see that no two elements of $aZ_p^*$ can be identical.
3 Consider ai and aj in $aZ_p^*$ (corresponding to i and j in $Z_p^*$)
4 Is it possible that $ia \equiv ja \bmod p$ (or $(ia - ja) \equiv 0 \bmod p$)?
5 No. Only possible if p divides (i − j)a and both (i − j) and a have no common factors with p.
6 All elements of $aZ_p^*$ should be unique!
7 Or $aZ_p^*$ is a permutation of $Z_p^*$.
Alternate Proof for $a^p \equiv a \bmod p$
1 Based on mathematical induction.
2 We know $1^p \equiv 1 \bmod p$
3 Assume $n^p \equiv n \bmod p$
4 Show $(n+1)^p \equiv (n+1) \bmod p$
5 Perform binomial expansion of $(n+1)^p$
6 $(n+1)^p = \sum_{i=0}^{p} \binom{p}{i} n^i \bmod p$
7 All terms that are multiples of p can be ignored.
8 That leaves only two terms: $\binom{p}{0} n^0 = 1$ and $\binom{p}{p} n^p \equiv n \bmod p$.
9 Thus $(n+1)^p \equiv (n+1) \bmod p$.
Euler-Fermat’s Theorem
1 Applicable for $Z_m$ (m need not be a prime)
2 We are more interested in m of the form m = pq where p and q are primes.
$$\forall a \in Z_m, \; a^{\Phi(m)+1} \equiv a \bmod m$$
$$\forall a : (a, m) = 1, \; a^{\Phi(m)} \equiv 1 \bmod m$$
3 Also note that
$$a^{2\Phi(m)+1} \equiv a \cdot a^{\Phi(m)} \equiv a^{\Phi(m)+1} \equiv a \bmod m$$
or $a \equiv a^1 \equiv a^{k\Phi(m)+1} \bmod m$ for any integer k.
4 We can replace the exponent x with $y \equiv x \bmod \Phi(m)$:
$$a^x \equiv a^{x \bmod \Phi(m)} \bmod m$$
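Proof: $a^{\Phi(m)+1} \equiv a \bmod m$, where m = pq
It is easy to see that
$$p \mid (X - a) \text{ and } q \mid (X - a) \implies pq \mid (X - a)$$
$$X \equiv a \bmod p \text{ and } X \equiv a \bmod q \implies X \equiv a \bmod pq$$
Now consider $X = a^{\Phi(m)+1} = a^{(p-1)(q-1)+1}$
Easy to see that for any a,
$$a^{(p-1)(q-1)+1} \equiv a \bmod p \text{ and } a^{(p-1)(q-1)+1} \equiv a \bmod q \implies a^{(p-1)(q-1)+1} \equiv a \bmod pq.$$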
Example
1 For p = 3, q = 5 and m = pq = 15, we have Φ(m) = (3 − 1)(5 − 1) = 8
2 For all a (between 1 and 14) $a^9 \equiv a \bmod 15$
3 For all a coprime to 15 $a^8 \equiv 1 \bmod 15$
Public Key Cryptography
1 Every entity (for example, Alice) chooses private key(s)
2 Computes public key(s)
3 Alice advertises her public keys
4 And never reveals her private keys.
5 It should not be possible for anyone to compute the private key from the public key (obviously)
Inverse Problems
1 Most PKC algorithms rely on difficult inverse problems
  Factorization Problem: Given large p and q it is easy to compute n = pq. But given n it is impractical to factorize n into the constituent primes.
  Discrete Logarithm Problem: Let $\alpha = g^a \bmod p$. Given a, g, p computing α is trivial. However given α, g and p it is impractical to compute a
Encryption, Signatures and Key Exchange
1 To send an encrypted message to Alice the sender should encrypt the message with Alice’s public key
2 Only Alice (who has the corresponding private key) can decrypt the message
3 If Alice encrypts the message using her private key, anybody with access to her public key can verify that the message was sent by Alice (digital signature)
Diffie-Hellman Key Exchange
DH is based on difficulty of calculating discrete logarithms
A known p, and (preferably) a generator g in $Z_p$.
Alice chooses a secret a, calculates $\alpha \equiv g^a \bmod p$.
Bob chooses a secret b, calculates $\beta \equiv g^b \bmod p$.
Alice and Bob exchange α and β
Alice calculates $K_{AB} \equiv \beta^a \bmod p$.
Bob calculates $K_{AB} \equiv \alpha^b \bmod p$.
Both of them arrive at $K_{AB} \equiv g^{ab} \bmod p$.
$K_{AB}$ is a secret that no one apart from Alice and Bob can calculate!
DH Example
p = 13, g = 2.
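Alice chooses a = 3. $\alpha \equiv g^a \equiv 2^3 \equiv 8 \bmod 13$
Bob chooses b = 7. $\beta \equiv g^b \equiv 2^7 \equiv 11 \bmod 13$
Alice calculates $K_{ab} \equiv \beta^a \equiv 11^3 \equiv 5 \bmod 13$
Bob calculates $K_{ab} \equiv \alpha^b \equiv 8^7 \equiv 5 \bmod 13$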
RSA - (Rivest - Shamir - Adleman)
See Chapter 9.2
Alice chooses two large primes p and q.
n = pq is the modulus ($Z_n$ is a ring - not a field)
Φ(n) = (p − 1)(q − 1).
Alice chooses e such that (e, Φ(n)) = 1.
Computes d such that $de \equiv 1 \bmod \Phi(n)$. Or d is the multiplicative inverse of e mod Φ(n) (using extended Euclidean algorithm)
Destroy p, q and Φ(n).
n and e are public keys
d is the private key
RSA
Cannot determine p and q from n (factorization is hard)
Cannot determine Φ(n) without factoring n. So finding d given e (and n) is hard.
RSA Cipher
Alice’s public keys are $n_a$ and $e_a$.
Bob desires to send a message P to Alice
Bob computes and sends $C = P^{e_a} \bmod n_a$
Alice computes $P = C^{d_a} \equiv P^{e_a d_a} \equiv P^{k\Phi(n_a)+1} \equiv P \bmod n_a$.
$e_a d_a \equiv 1 \bmod \Phi(n_a) \rightarrow e_a d_a = 1 + k\Phi(n_a)$.
Only Alice (who has access to $d_a$) can decrypt the message
RSA Example
p = 11, q = 13. n = pq = 143
φ(n) = (p − 1)(q − 1) = 120.
Choose e = 7 (say)
$d \equiv e^{-1} \bmod 120 \equiv 103$.
$P \equiv 41 \bmod 143$.
$C \equiv 41^7 \bmod 143 \equiv 24$.
$P \equiv C^d \equiv 24^{103} \bmod 143 \equiv 41$.
Practical Issues
1 Typically p and q may be numbers with around 150 digits
2 n and Φ(n) may be 300 digits long.
3 e could be small. But d may be 300 digits long
4 For RSA to be practical it should be easy to
  choose two large primes p and q (we must be able to verify that the numbers are indeed primes)
  compute multiplicative inverses (trivial)
  compute large exponents (trivial)
5 It should be difficult (practically impossible) for anyone to factorize n to determine p (and / or q)
Generating Large Primes
1 See Chapter 9.2
2 Say we need to generate a 150 digit prime
3 Generate a random odd number with 150 digits
4 Check if it is a prime
5 If not increment number by two and check again
6 till we “stumble upon” a prime
Density of Prime numbers
1 Prime numbers are dense
2 Total number of primes less than N is roughly $N / \log(N)$
3 Total number of primes with 150 or less digits is 2.8761e148
4 Total number of primes with 149 or less digits is 2.8953e147
5 Total number of 150 digit primes is 2.5866e148 (one in every 387 numbers)
6 On an average we need to test about 387/4 = 97 numbers (test if it is a prime)
Primality Testing
1 How do we check if some number p′ is a prime?
2 A number is a prime if it does not have any factors.
3 Do we have to factorize a number to determine that it is not a prime?
4 If that were the case primality checking is impractical (After all, PKC relies on the fact that factorization is a hard problem)
5 If p′ (say 150 digits) is not a prime, at least one factor should be 75 digits or less
6 The total number of primes with 75 digits or less is still prohibitively high (about 5.7e73)
Probabilistic Primality Testing
1 Fermat’s little theorem to the rescue!
2 The algorithm for testing if p′ is a prime:

COUNT=0;
while (1)
  choose random a
  if (a, p′) ≠ 1 return PRIME=FALSE; break; endif;
  if a^(p′−1) mod p′ ≠ 1 return PRIME=FALSE; break; endif;
  COUNT=COUNT+1;
  if (COUNT=100) return PRIME=TRUE; break; endif
endwhile;
Primality Testing
1 If p′ IS a prime we know that $a^{p'-1} \equiv 1 \bmod p'$.
2 However, the reverse is NOT true. $a^{p'-1}$ can be 1 even if p′ is not a prime.
3 If $a^{p'-1} \equiv 1 \bmod p'$ we say “p′ is pseudo-prime to a” (a prime p is pseudo-prime to all bases)
4 Do we need to check all possible values of a? (if so there is no advantage to this approach)
5 Thankfully we do not need to check for all values of a.
Probabilistic Primality Checking
1 Let us assume that p′ is pseudo-prime to bases $a_1 \cdots a_n$ and IS NOT a pseudo-prime to a base b.
2 Obviously, p′ cannot be a pseudo-prime to bases $ba_1, ba_2, \ldots, ba_n$.
3 If p′ is not a pseudo-prime to one base, it should not be a pseudo-prime to as many bases as the number of bases for which it is a pseudo-prime!
4 Isolated occurrences of non pseudo-primes are not possible
5 Either p′ is a pseudo-prime to all bases (in which case p′ is a prime) or it is not a pseudo-prime to at least half the bases.
6 If the test passes for 100 random values of a the probability that p′ is not a prime is less than $2^{-100}$.
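The Fermat test and the "generate odd, step by two" prime search from the preceding slides, in Python. This is an added example, not from the original slides; it goes beyond them by adding a Miller-Rabin round, because Carmichael numbers such as 561 satisfy a^(n−1) ≡ 1 mod n for every base coprime to n, and all function names are assumptions made here.

```python
import math
import secrets


def fermat_liars(n):
    """Return (bases coprime to n that pass the Fermat test, number of units)."""
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    return sum(pow(a, n - 1, n) == 1 for a in units), len(units)


def fermat_test(n, bases):
    """The slide's loop with the bases supplied by the caller."""
    for a in bases:
        if math.gcd(a, n) != 1 or pow(a, n - 1, n) != 1:
            return False
    return True


def strong_probable_prime(n, a):
    """One Miller-Rabin round for odd n > 2: True if n passes for base a."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False   # found a square root of 1 other than +-1, or a^(n-1) != 1


def is_probable_prime(n, rounds=40):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    # n >= 17 here, so the random base lies in [2, n - 2]
    return all(strong_probable_prime(n, secrets.randbelow(n - 3) + 2)
               for _ in range(rounds))


def next_probable_prime(start):
    """Start at an odd number and step by two until a probable prime turns up."""
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n


if __name__ == "__main__":
    print(fermat_liars(91))                  # composite: half the units are liars
    print(fermat_liars(561))                 # Carmichael: every unit is a liar
    print(fermat_test(561, [2, 5, 7, 13]))   # passes the Fermat test
    print(strong_probable_prime(561, 2))     # caught by Miller-Rabin
    print(next_probable_prime(10**6))
```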
El Gamal Cipher
Based on the difficulty of discrete log problem (like DH)
All entities agree on a prime p (say 200 digits long) and a generator g
Alice chooses a random value a as her private key (a < p also has typically the same number of digits as p)
Alice computes $\alpha = g^a \bmod p$ as her public key.
El Gamal
Bob knows α, p, g, needs to send P to Alice
Bob chooses a random k (from $Z_p$) and computes $\mu = g^k \bmod p$
Sends ciphertext $C = P\alpha^k \bmod p$ along with the mask μ to Alice.
Alice with access to the private key a can compute $\mu^a = (g^k)^a \equiv (g^a)^k = \alpha^k$. No one else can compute $\alpha^k$ without the knowledge of k.
Alice computes multiplicative inverse of $\mu^a$ (say $\nu = (\mu^a)^{-1}$)
Now Alice can get $C\nu = P\alpha^k(\alpha^k)^{-1} = P$.
El Gamal Cipher Example
p = 13, g = 2.
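Alice chooses a = 3. $\alpha \equiv g^a \equiv 2^3 \equiv 8 \bmod 13$
Bob chooses k = 5, $g^k \equiv 2^5 \equiv 6 \bmod 13$
Say P = 4. $\alpha^k \equiv 8^5 \equiv 8 \bmod 13$. $C = P\alpha^k = 4 \cdot 8 \equiv 6$
Alice calculates $\alpha^k \equiv (g^k)^a \equiv 6^3 \equiv 8$
Inverse of 8 is 5.
$P = P\alpha^k(\alpha^k)^{-1} \equiv 6 \cdot 5 \equiv 4 \bmod 13$.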
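The Diffie-Hellman exchange and the El Gamal cipher from these slides in one Python sketch, since El Gamal's mask μ is an ephemeral DH public value. This is an added example, not from the original slides; the function names and the range check in `check_public` are assumptions made here.

```python
import secrets


def check_public(y, p):
    """Assumption added here: accept only 2 <= y <= p - 2.

    0, 1 and p - 1 would force the shared value into a set of at most
    two elements regardless of the private exponent.
    """
    if not 2 <= y <= p - 2:
        raise ValueError("public value out of range")
    return y


def dh_public(g, priv, p):
    return pow(g, priv, p)


def dh_shared(their_public, priv, p):
    return pow(check_public(their_public, p), priv, p)


def elgamal_encrypt(P, alpha, g, p, k=None):
    """Return (C, mu). k is Bob's one-time secret; pass it only to replay
    the slide's numbers, otherwise a fresh one is drawn per message."""
    if k is None:
        k = secrets.randbelow(p - 3) + 2          # 2 <= k <= p - 2
    mu = pow(g, k, p)                             # Bob's ephemeral DH value
    C = P * dh_shared(alpha, k, p) % p            # P * alpha^k
    return C, mu


def elgamal_decrypt(C, mu, a, p):
    nu = pow(dh_shared(mu, a, p), -1, p)          # (mu^a)^-1 mod p
    return C * nu % p


if __name__ == "__main__":
    p, g = 13, 2
    alpha, beta = dh_public(g, 3, p), dh_public(g, 7, p)
    print(alpha, beta, dh_shared(beta, 3, p), dh_shared(alpha, 7, p))
    C, mu = elgamal_encrypt(4, alpha, g, p, k=5)
    print(C, mu, elgamal_decrypt(C, mu, 3, p))
```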
Practical Signature Schemes
Signer (message source) and any number of verifiers.
Message M to be signed
Signer computes h = H(M) (for example SHA-1 hash)
h is encrypted with the private key to get the signature S .
Signer sends M ‖ S
Receiver:
Extract M. Calculate h = H(M).
Verify decryption of S with public key yields h.
RSA - As a Signature Scheme
Alice’s public keys are $n_a$ and $e_a$.
Alice wishes to sign a hash h = h(M)
The signature S is computed as $S = h^{d_a} \bmod n_a$.
Any verifier with access to Alice’s public keys $e_a$ and $n_a$ can verify that $h = S^{e_a} \equiv h^{e_a d_a} \equiv h^{k\Phi(n_a)+1} \equiv h \bmod n_a$.
$e_a d_a \equiv 1 \bmod \Phi(n_a) \rightarrow e_a d_a = 1 + k\Phi(n_a)$.
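RSA key setup, the cipher and the hash-then-sign scheme from the slides, as one Python sketch. This is an added example, not from the original slides; it uses SHA-256 instead of SHA-1, reduces the hash mod n, and takes two known Mersenne primes as a constructed demo key, all of which are assumptions made here. It is the unpadded scheme the slides describe, not a deployable one.

```python
import hashlib
import math


def rsa_keygen(p, q, e):
    """Follow the slide: n = pq, Phi(n) = (p-1)(q-1), d = e^-1 mod Phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to Phi(n)")
    d = pow(e, -1, phi)
    return (n, e), d          # p, q and phi are not kept


def encrypt(P, pub):
    n, e = pub
    return pow(P, e, n)


def decrypt(C, pub, d):
    return pow(C, d, pub[0])


def digest(M, n):
    """h = H(M), reduced into Z_n (assumption for this toy key size)."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % n


def sign(M, pub, d):
    return pow(digest(M, pub[0]), d, pub[0])       # S = h^d mod n


def verify(M, S, pub):
    n, e = pub
    return pow(S, e, n) == digest(M, n)            # S^e == h ?


if __name__ == "__main__":
    pub, d = rsa_keygen(11, 13, 7)                 # the slide's numbers
    C = encrypt(41, pub)
    print(pub, d, C, decrypt(C, pub, d))
    # Euler-Fermat holds for every P in Z_n, including multiples of p or q
    print(all(decrypt(encrypt(P, pub), pub, d) == P for P in range(143)))

    # Constructed demo key: 2^61 - 1 and 2^31 - 1 are both prime
    big_pub, big_d = rsa_keygen(2**61 - 1, 2**31 - 1, 65537)
    S = sign(b"pay 10", big_pub, big_d)
    print(verify(b"pay 10", S, big_pub), verify(b"pay 99", S, big_pub))
```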
El Gamal Signature Scheme
Public p, $g \in Z_p$ - g preferably a generator.
Alice’s private key $a \in Z_p$.
Alice’s public key $\alpha \equiv g^a \bmod p$.
To sign a message M with hash h = H(M) Alice chooses a random 1 ≤ k ≤ p − 2 and calculates:
$$r = g^k \bmod p$$
$$s = (h - ar)k^{-1} \bmod (p-1)$$
Signature is r ‖ s
Verification: $\alpha^r r^s \equiv g^h \bmod p$.
$$\alpha^r = g^{ar}, \quad r^s = g^{k(h-ar)k^{-1}} = g^{h-ar}$$
$$\alpha^r r^s = g^{ar} g^{h-ar} = g^h$$
El Gamal Example
p = 79, g = 7. Let h = 12 and k = 5.
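Alice’s private key a = 43. Public key $\alpha \equiv 7^{43} \equiv 48 \bmod 79$.
$k^{-1} \bmod (p-1) \equiv 47 \bmod 78$.
$r = g^k \equiv 7^5 \equiv 59 \bmod 79$.
$s = (12 - 43 \times 59) \cdot 47 \equiv 41 \bmod 78$.
$\alpha^r r^s \equiv 48^{59} \cdot 59^{41} \equiv 8 \bmod 79$
$g^h \equiv 7^{12} \equiv 8 \bmod 79$.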
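El Gamal signing and verification with the slide's numbers, in Python. This is an added example, not from the original slides; the function names, the explicit requirement that k be invertible mod p − 1 (needed for $k^{-1}$ to exist) and the range checks in the verifier are assumptions made here.

```python
import math
import secrets


def random_nonce(p):
    """Draw 1 <= k <= p - 2 with (k, p - 1) = 1, fresh for every signature."""
    while True:
        k = secrets.randbelow(p - 2) + 1
        if math.gcd(k, p - 1) == 1:
            return k


def elgamal_sign(h, a, g, p, k):
    """r = g^k mod p, s = (h - a*r) * k^-1 mod (p - 1)."""
    if math.gcd(k, p - 1) != 1:
        raise ValueError("k has no inverse mod p - 1")
    r = pow(g, k, p)
    s = (h - a * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def elgamal_verify(h, r, s, alpha, g, p):
    """Accept when alpha^r * r^s == g^h mod p."""
    if not (0 < r < p and 0 <= s < p - 1):
        return False               # reject values outside the expected ranges
    return pow(alpha, r, p) * pow(r, s, p) % p == pow(g, h, p)


if __name__ == "__main__":
    p, g, a, h = 79, 7, 43, 12
    alpha = pow(g, a, p)
    r, s = elgamal_sign(h, a, g, p, k=5)          # the slide's k
    print(alpha, r, s, elgamal_verify(h, r, s, alpha, g, p))
    print(elgamal_verify(h + 1, r, s, alpha, g, p))   # different hash
    r2, s2 = elgamal_sign(h, a, g, p, random_nonce(p))
    print(elgamal_verify(h, r2, s2, alpha, g, p))
```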
RSA vs El Gamal
1 Generation of RSA key pairs is an expensive operation - mainly due to the need to generate primes p and q. For El Gamal the private key can be chosen randomly.
2 For RSA every entity uses a different modulus n = pq. For El Gamal all entities can use the same p (and g)
RSA vs El Gamal
1 To encrypt a value $P \in Z_p$ (say a 1024-bit quantity) the sender needs to provide two 1024-bit quantities in El Gamal (the cipher text C and the mask μ). In RSA only one value is required (RSA has less bandwidth overheads).
2 Same goes for signatures too (r and s for El Gamal)
3 In RSA it is possible to choose very small values of public encryption e. Choosing say e = 3 does not affect the security of RSA. So encryption can be fast (but decryption will still be slow as the private exponent d will be 1024-bits long).
4 For the same reason verification of RSA signatures can be fast.
Order of a number in Zp
1 The order of $a \in Z_p$ is the minimum value r for which $a^r \equiv 1 \bmod p$
2 The maximum order is p − 1. Also referred to as full order. Generators have full order.
3 The order of any number divides p − 1
4 As p − 1 is always even at the minimum we should have 4 orders - p − 1, 1, 2, and $\frac{p-1}{2}$
5 In $Z_{11}$ we saw 2,6,7 and 8 have full order (p − 1 = 10); 3,4,5 and 9 have order (p − 1)/2 = 5; 10 has order 2; 1 has order 1;
Order of a number
1 The order of 1 is always 1 and the order of p − 1 is always 2 (irrespective of p)
2 The number of elements with full order (the number of generators) is Φ(p − 1)
3 The number of elements with order $\frac{p-1}{d}$ is $\Phi((p-1)/d)$.
4 The maximum order is p − 1. Also referred to as full order. Generators have full order.
5 The order of any number divides p − 1
6 As p − 1 is always even at the minimum we should have 4 orders - p − 1, 1, 2, and $\frac{p-1}{2}$
Schnorr Signature Scheme
DSA is a variant of the Schnorr Scheme
Public p, q, $g_q$, hash function H().
  Large prime p (say 1024-bits)
  Prime q | (p − 1) (say 160-bit prime)
  $g_q \in Z_p$, where $g_q$ has order q. ($Z_p$ will contain Φ(q) = q − 1 numbers of order q - any of which can be chosen for this purpose)
Alice’s private key $a \in Z_p$, public key $\alpha \equiv g_q^a \bmod p$.
Schnorr Signature Scheme
To sign a message M Alice chooses a random 1 ≤ k ≤ q − 1 and calculates:
$$r = H(M \,\|\, g_q^k) \bmod q$$
$$s = (k + ar) \bmod q$$
Signature is r ‖ s (both r and s are 160-bit quantities)
Verifier (who has $\alpha = g_q^a \bmod p$) can calculate
$$x \equiv g_q^s \alpha^{-r} \bmod q \equiv g_q^{k+ar} g_q^{-ar} \bmod q \equiv g_q^k \bmod q \quad (2)$$
and verify H(M ‖ x) = r.
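Element orders in $Z_p$ and the Schnorr scheme built on a subgroup of order q, in Python. This is an added example, not from the original slides; it assumes SHA-256 for H(), a private key drawn from 1..q−1, group elements reduced modulo p (as in the definition of α) with exponents reduced modulo q, and a small demo group found by search. All function names are assumptions made here.

```python
import hashlib
import math
import secrets


def order(a, p):
    """Smallest r >= 1 with a^r ≡ 1 mod p (brute force, small p only)."""
    r, x = 1, a % p
    while x != 1:
        x, r = x * a % p, r + 1
    return r


def is_odd_prime(n):
    """Trial division; adequate for the small demo modulus only."""
    return n > 2 and n % 2 == 1 and all(
        n % d for d in range(3, math.isqrt(n) + 1, 2))


def make_group(q):
    """Find a prime p = j*q + 1 and an element g_q of order q in Z_p."""
    j = 2
    while not is_odd_prime(j * q + 1):
        j += 2
    p = j * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    # g^q = h^(p-1) = 1 and g != 1, so for prime q the order is exactly q
    return p, pow(h, (p - 1) // q, p)


def H(M, x, p, q):
    data = M + x.to_bytes((p.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def keygen(p, q, g):
    a = secrets.randbelow(q - 1) + 1
    return a, pow(g, a, p)


def sign(M, a, p, q, g):
    k = secrets.randbelow(q - 1) + 1        # 1 <= k <= q - 1, fresh each time
    r = H(M, pow(g, k, p), p, q)
    return r, (k + a * r) % q


def verify(M, r, s, alpha, p, q, g):
    if not (0 <= r < q and 0 <= s < q):
        return False
    x = pow(g, s, p) * pow(alpha, -r, p) % p    # g^s * alpha^-r = g^k
    return H(M, x, p, q) == r


if __name__ == "__main__":
    print({a: order(a, 11) for a in range(1, 11)})   # the Z_11 slide
    q = 2**31 - 1                                    # prime; demo size only
    p, g = make_group(q)
    a, alpha = keygen(p, q, g)
    r, s = sign(b"hello", a, p, q, g)
    print(p, g, verify(b"hello", r, s, alpha, p, q, g))
```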
Advantages of Schnorr’s Signature
1 The signature size is small (equivalent to 2 hashes)
2 All computations (for signing and verification) use smaller modulus q (p is typically 1024 bits)
Factorization
1 RSA relies on the assumption that factorization is hard
2 Brute force factorization of n = pq: Check all primes less than $\sqrt{n}$.
3 For 300 digit n (around 150 digit p and q) around 1e147 primes have to be tested - highly impractical
4 Attacker complexity of 1e20 may be acceptable (equivalent to 64-bit symmetric cipher)
5 Many sophisticated algorithms have been developed for factorization
6 We will just need to increase the key lengths as sophistication of attacks improves
Some Factorization Algorithms
1 Fermat’s factorization is effective if the two prime factors (p and q) are close to each other
2 Pollard’s p − 1 algorithm is efficient in scenarios where either p − 1 or q − 1 is comprised of many small factors
3 Williams’ p + 1 algorithm is efficient when p + 1 or q + 1 is comprised entirely of small factors
4 Care is taken to ensure that p and q are not close - for example choosing 148-digit q and 150 digit p
5 It is also necessary to ensure that p − 1, q − 1, p + 1, q + 1 do not have small factors.
6 All these requirements make secure key generation even more complex for RSA.
More Advanced Factoring Algorithms
1 Dixon’s random squares, number field sieves etc.
2 All of them try to determine some “special relationships”
3 If we can find two numbers x and y such that $x^2 \equiv y^2 \bmod n$ and $x \not\equiv y \bmod n$ and $x \not\equiv -y \bmod n$, then we can easily factorize n
4 Note that
$$x^2 \equiv y^2 \bmod n \Rightarrow n \mid (x-y)(x+y)$$
$$x \not\equiv y \bmod n \Rightarrow n \nmid (x-y)$$
$$x \not\equiv -y \bmod n \Rightarrow n \nmid (x+y) \quad (3)$$
5 Which means (n, x + y) and (n, x − y) should give the factors of n
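A key-generation audit built on the two preceding slides: Fermat's method is the simplest search for $x^2 - n = y^2$, so a modulus it splits within a small step budget was generated from primes that are too close. This is an added example, not from the original slides; the function names, the step budget and the toy moduli are assumptions made here.

```python
import math


def fermat_factor(n, max_steps):
    """Search x >= ceil(sqrt(n)) with x^2 - n a perfect square y^2.

    Returns (x - y, x + y, steps used), or None if the budget runs out.
    The number of steps grows with the gap between the two factors.
    """
    x = math.isqrt(n)
    if x * x < n:
        x += 1
    for step in range(1, max_steps + 1):
        y2 = x * x - n
        y = math.isqrt(y2)
        if y * y == y2:
            return x - y, x + y, step
        x += 1
    return None


def factors_from_squares(n, x, y):
    """The slide's relation: x^2 ≡ y^2 with x ≢ ±y mod n gives proper factors."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x^2 and y^2 are not congruent mod n")
    if (x - y) % n == 0 or (x + y) % n == 0:
        raise ValueError("x ≡ ±y mod n: only trivial factors")
    return math.gcd(n, x - y), math.gcd(n, x + y)


def primes_too_close(n, budget=10_000):
    """Audit check for a generated modulus: True means reject the key."""
    return fermat_factor(n, budget) is not None


if __name__ == "__main__":
    print(fermat_factor(10007 * 10009, 10))    # close primes: found at once
    print(fermat_factor(101 * 10007, 100))     # far apart: budget exhausted
    print(factors_from_squares(77, 9, 2))      # 81 - 4 = 77
```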
Discrete Log
1 Shanks’ Algorithm
2 Pohlig-Hellman Algorithm (works well if p − 1 has no large factors)
3 Index Calculus method
4 Number-field sieve
Public Key Cryptography
Computationally about 1000 times more expensive than symmetric cryptography
Used sparingly
  encrypting session keys
  signing hashes
RSA - bandwidth efficient, primality testing is hard - so generation of key pairs is complex.
DH - based schemes - no need to generate prime numbers (generating key pairs is trivial). Everyone can use the same p, g. Needs twice the bandwidth.