ASYMMETRIC CIPHERS
Unit III
Prepared by: Suresh Thapa,
Vedas College, Jawalakhel, Nepal
Number Theory
■ Prime Numbers
– An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p.
Examples are 7, 13, …
– Any integer a > 1 can be factored in a unique way as:
$a = p_1^{a_1} \cdot p_2^{a_2} \cdots p_t^{a_t}$, where $p_1 < p_2 < \ldots < p_t$ are prime numbers and
where each exponent $a_i$ is a positive integer.
– This is known as the fundamental theorem of arithmetic.
– Examples are
■ $91 = 7 \times 13$ (factorization)
■ $3600 = 2^4 \times 3^2 \times 5^2$
■ $11011 = 7 \times 11^2 \times 13$

Number Theory
■ Fermat’s theorem
– Fermat's theorem states the following: If p is prime and a is a positive integer not
divisible by p, then
■ $a^{p-1} \equiv 1 \pmod p$ (here a and p are relatively prime)
– Example
■ a = 7, p = 19
■ $7^2 = 49 \equiv 11 \pmod{19}$
■ $7^4 = 7^2 \times 7^2 \equiv 11 \times 11 = 121 \equiv 7 \pmod{19}$
■ $7^8 \equiv 49 \equiv 11 \pmod{19}$
■ $7^{16} \equiv 121 \equiv 7 \pmod{19}$
■ $a^{p-1} = 7^{18} = 7^{16} \times 7^2 \equiv 7 \times 11 \equiv 1 \pmod{19}$
– An alternative form of Fermat's theorem is
■ $a^p \equiv a \pmod p$
Number Theory
■ Euler's Totient Function
– This is an important quantity in number theory, referred to as Euler's totient
function and written φ(n), defined as the number of positive integers less than n
and relatively prime to n.
– By convention, φ(1) = 1.
– If n is a prime number then φ(n) = n − 1.

n     φ(n)
1     1
3     2
13    12
14    6
15    8
19    18
20    8
Number Theory
■ Testing for Primality
– For many cryptographic algorithms, it is necessary to select one or more very large
prime numbers at random.
– Thus we are faced with the task of determining whether a given large number is
prime.
– There is no simple yet efficient means of accomplishing this task.
– Traditional Method
■ divide by all numbers (primes) in turn less than the square root of the number
■ only works for small numbers
– Alternatively, we can use statistical primality tests based on properties of primes
■ all prime numbers satisfy the property
■ but some composite numbers, called pseudo-primes, also satisfy the property
Number Theory
■ Miller-Rabin Algorithm
– The algorithm due to Miller and Rabin is typically used to test a large number for
primality.
– Before explaining the algorithm, we need some background.
– First, any positive odd integer n ≥ 3 can be expressed as follows:
■ $n - 1 = 2^k q$ with k > 0, q odd
■ (n − 1) is an even integer; divide (n − 1) by 2 until the result is an odd number q, for a
total of k divisions.
Number Theory
■ Miller-Rabin Algorithm
– Two Properties of Prime Number:
– The first property states that:
■ If p is prime and a is a positive integer less than p, then $a^2 \bmod p = 1$ if and only if either
a mod p = 1 or a mod p = −1 mod p = p − 1.
■ By the rules of modular arithmetic, $(a \bmod p)(a \bmod p) = a^2 \bmod p$.
■ Thus if either a mod p = 1 or a mod p = −1, then $a^2 \bmod p = 1$.
■ Conversely, if $a^2 \bmod p = 1$, then $(a \bmod p)^2 = 1$, which is true only for a mod p = 1 or
a mod p = −1.
Number Theory
■  Miller-Rabin Algorithm
– Two Properties of Prime Number:
– The second property states that:
■ Let p be a prime number greater than 2. We can then write $p - 1 = 2^k q$, with k > 0, q odd.
Let a be any integer in the range 1 < a < p − 1. Then one of the two following conditions
is true:
– $a^q$ is congruent to 1 modulo p. That is, $a^q \bmod p = 1$, or equivalently, $a^q \equiv 1 \pmod p$.
– One of the numbers $a^q, a^{2q}, a^{4q}$,..., q is congruent to −1 modulo p. That is, there
is some number j in the range (1 ≤ j ≤ k) such that mod p = −1 mod p = p − 1, or
equivalently, ≡ −1 (mod p).
Number Theory
■ Miller-Rabin Algorithm
– Conclusion
■ If n is prime, then either the first element in the list of residues $a^q, a^{2q}, a^{4q}, \ldots$ modulo n
equals 1, or some element in the list equals (n − 1); otherwise n is composite.
■ But even if the condition is met, it does not guarantee that the number is prime.
■ Example: n = 2047 = 23 × 89
– Now, n − 1 = 2047 − 1 = 2046
– From the second property, $p - 1 = 2^k q$,
– $2046 = 2^1 \times 1023$
– Now let a = 2 (1 < a < p − 1): $2^{1023} \bmod 2047 = 1$
– So according to the second property 2047 would be a prime number, but it is not.
Number Theory
■ Miller-Rabin Algorithm
– Test(n)
■ Find integers k, q, with k > 0, q odd, so that $n - 1 = 2^k q$;
■ Select a random integer a, 1 < a < n − 1;
■ if $a^q \bmod n = 1$ then return("inconclusive");
■ for j = 0 to k − 1 do
– if $a^{2^j q} \bmod n = n - 1$ then return("inconclusive");
■ return("composite");
– Test whether n = 221 is prime or not
$n - 1 = 220 = 2^2 \times 55 = 2^k q$
Let us try a = 5; then we have $a^q \bmod n = 5^{55} \bmod 221 = 112$,
which is neither 1 nor 220.
Let j = 1
So, $a^{2^j q} \bmod n = 5^{2 \times 55} \bmod 221 = 168$
The possible values of j were 0 and 1 (j = 0 to k − 1)
Hence, return "Composite"
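The Test(n) procedure above as runnable Python, an added example that is not part of the original slides. The function names are assumptions chosen here; the bases and moduli in the comments are the ones the slides use.

```python
import random


def decompose(n):
    """Write n - 1 = 2^k * q with q odd and return (k, q)."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    k, q = 0, n - 1
    while q % 2 == 0:
        q //= 2
        k += 1
    return k, q


def miller_rabin_round(n, a):
    """One run of Test(n) with a fixed base a, 1 < a < n - 1."""
    if not 1 < a < n - 1:
        raise ValueError("base must satisfy 1 < a < n - 1")
    k, q = decompose(n)
    x = pow(a, q, n)              # a^q mod n
    if x == 1:
        return "inconclusive"
    for _ in range(k):            # j = 0 .. k-1, x holds a^(2^j q) mod n
        if x == n - 1:
            return "inconclusive"
        x = pow(x, 2, n)
    return "composite"


def strong_liars(n):
    """Bases 1 < a < n - 1 for which a composite n is reported 'inconclusive'."""
    return [a for a in range(2, n - 1)
            if miller_rabin_round(n, a) == "inconclusive"]


def is_probable_prime(n, rounds=20, rng=None):
    """Repeat the test with independent random bases.

    A composite n survives one round with probability at most 1/4, so
    `rounds` repetitions bound the error by 4**-rounds.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        if miller_rabin_round(n, rng.randrange(2, n - 1)) == "composite":
            return False
    return True


if __name__ == "__main__":
    print(decompose(221))               # 220 = 2^2 * 55
    print(miller_rabin_round(221, 5))   # the slide's worked example
    print(miller_rabin_round(2047, 2))  # base 2 is fooled by 2047 = 23 * 89
    print(miller_rabin_round(2047, 3))  # a different base exposes it
    print(strong_liars(221))
```

A single "inconclusive" result says little, as the 2047 case shows; only repeated rounds with fresh random bases give confidence.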
Number Theory
■ Discrete Logarithms
– the inverse problem to exponentiation is to find the discrete logarithm of a number
modulo p
– that is, to find i such that $b \equiv a^i \pmod p$
– this is written as $i = \mathrm{dlog}_a\, b \pmod p$
– if a is a primitive root then it always exists, otherwise it may not, e.g.,
$x = \log_3 4 \bmod 13$ has no answer
$x = \log_2 3 \bmod 13 = 4$ by trying successive powers
– whilst exponentiation is relatively easy, finding discrete logarithms is generally a
hard problem
Public Key Cryptosystems
■ Public Key Cryptosystems
– Requires two separate keys, private and public key
– Network users receive these key pairs from certificate authorities
– When another user wants to encrypt data, they get the intended recipient’s public
key from a public directory
– When the message arrives, the recipient decrypts it using the private key
– Must meet the following three conditions
■ It must be computationally easy to encipher or decipher a message given the
appropriate key
■ It must be computationally infeasible to derive the private key from the public key
■ It must be computationally infeasible to determine the private key from a chosen
plaintext attack
Public Key Cryptosystems
■ Public Key Cryptosystems
– A public key encryption scheme has six ingredients
■ Plaintext
– This is the readable message or data that is fed into the algorithm as input.
■ Encryption Algorithm
– The encryption algorithm performs various transformations on the plaintext
■ Public and Private key
– This is a pair of keys that have been selected so that if one is used for encryption,
the other is used for decryption. The exact transformations performed by the
algorithm depend on the public or private key that is provided as input.
■ Ciphertext
– This is the scrambled message produced as output. It depends on the plaintext and
the key. For a given message, two different keys will produce two different
ciphertexts.
■ Decryption Algorithm
– This algorithm accepts the ciphertext and the matching key and produces the
original plaintext.
Public Key Cryptosystems
■ Public-Key Cryptosystem for Secrecy
– There is some source A that produces a message in plaintext, X = [X1, X2,..., XM].
The M elements of X are letters in some finite alphabet. The message is intended
for destination B. B generates a related pair of keys: a public key, PUb, and a
private key, PRb. PRb is known only to B, whereas PUb is publicly available and
therefore accessible by A. This is shown in the figure on the next page.
– With the message X and the encryption key PUb as input, A forms the ciphertext Y
= [Y1, Y2,..., YN]:
■ Y = E(PUb, X)
– The intended receiver, in possession of the matching private key, is able to invert
the transformation:
■ X = D(PRb, Y)
Public Key Cryptosystems
■ Public-Key Cryptosystem for Authentication
– In this case, A prepares a message to B and encrypts it using A's private key before
transmitting it. B can decrypt the message using A's public key. Because the
message was encrypted using A's private key, only A could have prepared the
message.
– Therefore, the entire encrypted message serves as a digital signature. In addition,
it is impossible to alter the message without access to A's private key, so the
message is authenticated both in terms of source and in terms of data integrity.
The figure shows the use of public-key encryption to provide authentication:
■ Y = E(PRa, X)
■ X = D(PUa, Y)
Public Key Cryptosystems
■ Public-Key Cryptosystem for Authentication and Secrecy
– It is, however, possible to provide both the authentication function and
confidentiality by a double use of the public-key scheme:
■ Z = E(PUb, E(PRa, X))
■ X = D(PUa, D(PRb, Z))
– In this case, we begin as before by encrypting a message, using the sender's
private key. This provides the digital signature.
– Next, we encrypt again, using the receiver's public key. The final ciphertext can be
decrypted only by the intended receiver, who alone has the matching private key.
Thus, confidentiality is provided.
– The disadvantage of this approach is that the public-key algorithm, which is
complex, must be exercised four times rather than two in each communication.
Public Key Cryptosystems
■ Requirements for Public-Key Cryptography
– It is computationally easy for a party B to generate a pair (public key PUb, private key
PRb).
– It is computationally easy for a sender A, knowing the public key and the message to be
encrypted, M, to generate the corresponding ciphertext:
■ C = E(PUb, M)
– It is computationally easy for the receiver B to decrypt the resulting ciphertext using the
private key to recover the original message:
■ M = D(PRb, C) = D[PRb, E(PUb, M)]
– It is computationally infeasible for an adversary, knowing the public key, PUb, to
determine the private key, PRb.
– It is computationally infeasible for an adversary, knowing the public key, PUb, and a
ciphertext, C, to recover the original message, M.
We can add a sixth requirement that, although useful, is not necessary for all public-key
applications:
– The two keys can be applied in either order
■ M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]
Distribution of Public Key
■ Distribution of public key
– Public announcement
– Publicly available directory
– Public-key authority
– Public key certificates
■ Public announcement
– Public key is public
– Any participant can send public key to any other participant or broadcast the key
to the community at large
– E.g., PGP users have adopted the practice of appending their public key to messages
that they send to public forums such as USENET newsgroups and Internet mailing
lists
– Weakness: anyone can forge such a public announcement
Distribution of Public Key
■ Publicly Available Directory
– Greater degree of security can be achieved
– Maintenance and distribution of public directory would have to be the
responsibility of some trusted entity
■ The authority maintains a directory with {name, public key} entry for each participant
■ Each participant registers a public key with the directory authority
■ A participant may replace the existing key with new one at any time
■ Participant could also access the directory electronically
Distribution of Public Key
■ Public-Key Authority
– Stronger security for the public key distribution can be achieved by providing tighter control over the
distribution of public keys from the directory
■ A sends a time stamped message to the public key authority containing a request for the current public key of B
■ The authority responds with a message that is encrypted using the authority’s private key, PRauth. Thus, A is able to
decrypt the message using the authority’s public key. Therefore, A is assured that the message originated with authority.
The message includes the following:
– B’s public key, PUb,which A can use to encrypt message destined for B
– The original request used to enable A to match this response with the corresponding earlier request and to verify
that the original request was not altered before reception by authority
– The original timestamp given so A can determine that this is not an old message from the authority containing a
key other than B’s current public key
■ A stores B’s public key and also uses it to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1),
which is used to identify this transaction uniquely
■ B retrieves A’s public key from the authority in the same manner as A retrieved B’s public key.
At this point, public keys have been securely delivered to A and B, and they may begin their protected exchange.
■ B sends a message to A encrypted with PUa and containing A’s nonce (N1) as well as a new nonce generated by B (N2).
Because only B could have decrypted message, the presence of N1 in message assures A that the correspondent is B.
■ A returns N2, which is encrypted using B’s public key, to assure B that its correspondent is A.
Distribution of Public Key
■ Public-Key Certificates
– The public-key authority could be somewhat of a bottleneck in the system, for a user must appeal to the authority for a public key
for every other user that it wishes to contact. As before, the
directory of names and public keys maintained by the authority is vulnerable to tampering.
– An alternative approach, first suggested by Kohnfelder, is to use certificates that can be used by participants to exchange keys
without contacting a public-key authority, in a way that is as reliable as if the keys were obtained directly from a public-key
authority.
– In essence, a certificate consists of a public key plus an identifier of the key owner, with the whole block signed by a trusted third
party. Typically, the third party is a certificate authority, such as a government agency or a financial institution, that is trusted by
the user community.
– A user can present his or her public key to the authority in a secure manner, and obtain a certificate. The user can then publish the
certificate. Anyone needing this user's public key can obtain the certificate and verify that it is valid by way of the attached trusted
signature.
– A participant can also convey its key information to another by transmitting its certificate. Other participants can verify that the
certificate was created by the authority.
– We can place the following requirements on this scheme:
■ Any participant can read a certificate to determine the name and public key of the certificate's owner.
■ Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.
■ Only the certificate authority can create and update certificates.
■ Any participant can verify the currency of the certificate.
– A certificate scheme is illustrated in Figure. Each participant applies to the certificate authority, supplying a public key and
requesting a certificate.
Distribution of Public Key
■ Public-Key Certificates
– Application must be in person or by some form of secure authenticated communication. For
participant A, the authority provides a certificate of the form
■ CA = E(PRauth, [T||IDA||PUa])
– where PRauth is the private key used by the authority and T is a timestamp. A may then pass
this certificate on to any other participant, who reads and verifies the certificate as follows:
■ D(PUauth, CA) = D(PUauth, E(PRauth, [T||IDA||PUa])) = (T||IDA||PUa)
Distribution of Public Key
■ Diffie-Hellman Key Exchange
– Diffie-Hellman (D-H) key exchange is a cryptographic protocol that allows two parties that have
no prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel. This key can then be used to encrypt subsequent communications using
a symmetric key cipher.
– Other names for Diffie-Hellman Key Exchange are Diffie-Hellman Key Agreement,
Diffie-Hellman Key Establishment, Diffie-Hellman Key Negotiation, Exponential Key Exchange.
– Description: The simplest and original implementation of the protocol uses the multiplicative
group of integers modulo p, where p is a prime and g is primitive root of p.
– Steps:
■ Generate the global public elements p and g, where p is a prime number and g < p is a primitive root of p.
■ User A selects a random integer $X_A < p$, and computes $Y_A = g^{X_A} \bmod p$.
■ User B independently selects a random integer $X_B < p$, and computes $Y_B = g^{X_B} \bmod p$.
■ Each side keeps the X value private and makes the Y value available publicly to the other side.
■ User A generates the secret key as $K = (Y_B)^{X_A} \bmod p$.
■ User B generates the secret key as $K = (Y_A)^{X_B} \bmod p$.
Distribution of Public Key
■ Diffie-Hellman Key Exchange
– Why the key is the same on both sides:
■ From user A, $K = (Y_B)^{X_A} \bmod p = (g^{X_B} \bmod p)^{X_A} \bmod p = (g^{X_B})^{X_A} \bmod p = g^{X_B X_A} \bmod p$
■ From user B, $K = (Y_A)^{X_B} \bmod p = (g^{X_A} \bmod p)^{X_B} \bmod p = (g^{X_A})^{X_B} \bmod p = g^{X_B X_A} \bmod p$
– Example: Alice and Bob agree to use a prime number p = 23 and base g = 5.
– Alice chooses a secret integer $X_A = 6$, then sends Bob $Y_A = g^{X_A} \bmod p$: $5^6 \bmod 23 = 8$.
– Bob chooses a secret integer $X_B = 15$, then sends Alice $Y_B = g^{X_B} \bmod p$: $5^{15} \bmod 23 = 19$.
– Alice computes $(Y_B)^{X_A} \bmod p$: $19^6 \bmod 23 = 2$ and Bob computes $(Y_A)^{X_B} \bmod p$: $8^{15} \bmod 23 = 2$.
– Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them,
for sending messages across the same open communications channel. Of course, much larger values of
$X_A$, $X_B$, and p would be needed to make this example secure, since it is easy to try all the possible
values of $g^{X_A X_B} \bmod 23$ (there will be, at most, 22 such values, even if $X_A$, $X_B$ are large).
– If p were a prime of at least 300 digits, and $X_A$, $X_B$ were at least 100 digits long, then even the best
algorithms known today could not find $X_A$ given only g, p, and $g^{X_A} \bmod p$, even using all of mankind's
computing power. The problem is known as the discrete logarithm problem.
– Note that g need not be large at all, and in practice is usually either 2 or 5.
– Study self: Man In Middle Attack
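The discrete-logarithm examples and the Diffie-Hellman exchange from the slides as runnable Python, an added example that is not part of the original slides. Function names are assumptions, and the range check on the received public value is an added sanity check the slides do not mention; the last lines show why p = 23 is far too small.

```python
import secrets


def discrete_log(a, b, p):
    """Smallest i >= 1 with a^i = b (mod p), by trying successive powers.

    Returns None when b is not a power of a. The running time is
    proportional to p, which is exactly why real parameters are huge.
    """
    x = 1
    for i in range(1, p):
        x = (x * a) % p
        if x == b % p:
            return i
    return None


def is_primitive_root(g, p):
    """True if the powers of g hit every value 1 .. p-1 (p prime)."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1


def dh_keypair(p, g, x=None):
    """Return (private X, public Y = g^X mod p); X is random unless given."""
    if x is None:
        x = secrets.randbelow(p - 3) + 2      # 2 .. p-2
    return x, pow(g, x, p)


def dh_shared(peer_y, own_x, p):
    """K = (peer Y)^(own X) mod p, rejecting degenerate public values."""
    if not 1 < peer_y < p - 1:                # added check, not on the slides
        raise ValueError("public value out of range")
    return pow(peer_y, own_x, p)


if __name__ == "__main__":
    # Discrete-log slide: modulo 13, 2 is a primitive root and 3 is not.
    print(discrete_log(2, 3, 13), discrete_log(3, 4, 13))

    # Diffie-Hellman slide: p = 23, g = 5, X_A = 6, X_B = 15.
    p, g = 23, 5
    xa, ya = dh_keypair(p, g, x=6)
    xb, yb = dh_keypair(p, g, x=15)
    print(ya, yb, dh_shared(yb, xa, p), dh_shared(ya, xb, p))

    # With a 5-bit modulus an observer of Y_A recovers X_A by exhaustion.
    print(discrete_log(g, ya, p))
```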
Distribution of Public Key
■ Man In Middle Attack
– Suppose Alice and Bob wish to exchange keys, and Darth is the adversary.
– The attack proceeds as follows:
■ Darth prepares for the attack by generating two random private keys $X_{D1}$ and $X_{D2}$ and then computing the corresponding public
keys $Y_{D1}$ and $Y_{D2}$.
■ Alice transmits $Y_A$ to Bob.
■ Darth intercepts $Y_A$ and transmits $Y_{D1}$ to Bob. Darth also calculates $K2 = (Y_A)^{X_{D2}} \bmod q$.
■ Bob receives $Y_{D1}$ and calculates $K1 = (Y_{D1})^{X_B} \bmod q$.
■ Bob transmits $Y_B$ to Alice.
■ Darth intercepts $Y_B$ and transmits $Y_{D2}$ to Alice. Darth calculates $K1 = (Y_B)^{X_{D1}} \bmod q$.
■ Alice receives $Y_{D2}$ and calculates $K2 = (Y_{D2})^{X_A} \bmod q$.
– At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret key K1 and Alice
and Darth share secret key K2. All future communication between Bob and Alice is compromised in the following way:
■ Alice sends an encrypted message M: E(K2, M).
■ Darth intercepts the encrypted message and decrypts it, to recover M.
■ Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth simply wants to eavesdrop on the
communication without altering it. In the second case, Darth wants to modify the message going to Bob.
– The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants. This
vulnerability can be overcome with the use of digital signatures and public-key certificates;
RSA (Rivest-Shamir-Adleman)
Algorithm
■ RSA is an algorithm for public-key cryptography. It was the first algorithm known to be suitable for signing as
well as encryption, and one of the first great advances in public key cryptography.
■ RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys
and the use of up-to-date implementations.
■ Operation:
– RSA involves a public key and a private key. The public key can be known to everyone and is used for
encrypting messages. Messages encrypted with the public key can only be decrypted using the private key.
■ RSA Key Generation:
– Choose two distinct large random prime numbers p and q
– Compute n = pq, n is used as the modulus for both the public and private keys
– Compute the totient: φ(n) = (p − 1)(q − 1).
– Choose an integer e such that 1 < e < φ(n), and e and φ(n) share no factors other than 1 (i.e. e and φ(n) are
relatively prime)
– e is released as the public key exponent
– Compute d to satisfy the congruence relation ed ≡ 1 (mod φ(n)); i.e. de = 1 + kφ(n) for some integer k.
– d is kept as the private key exponent
RSA (Rivest-Shamir-Adleman)
Algorithm
■ Encrypting Messages
– Alice transmits her public key (n, e) to Bob and keeps the private key secret.
– Bob sends message M to Alice by turning M into a number m < n by using a reversible
protocol called a padding scheme. He then computes the ciphertext c as:
■ $c = m^e \bmod n$.
– Bob then transmits c to Alice.
■ Decrypting Messages
– Alice can recover m from c by using her private key exponent d by the following computation:
■ $m = c^d \bmod n$.
– Given m, she can recover the original message M.
RSA (Rivest-Shamir-Adleman)
Algorithm
■ Example
– Consider p = 61 and q = 53
– Now, compute n = pq = 61 × 53 = 3233
– Compute the totient φ(n) = (p − 1)(q − 1) = (61 − 1)(53 − 1) = 3120
– Choose e > 1 relatively prime to 3120; e = 17
– Compute d such that ed ≡ 1 (mod φ(n)), e.g., by computing the modular multiplicative inverse of e modulo
φ(n): d = 2753, since 17 × 2753 = 46801 = 1 + 15 × 3120.
– The public key is (n = 3233, e = 17).
– For a padded message m the encryption function is:
■ $c = m^e \bmod n = m^{17} \bmod 3233$.
– The private key is (n = 3233, d = 2753).
– The decryption function is:
■ $m = c^d \bmod n = c^{2753} \bmod 3233$.
– For example, to encrypt m = 123, we calculate
■ $c = 123^{17} \bmod 3233 = 855$
■ To decrypt c = 855, we calculate $m = 855^{2753} \bmod 3233 = 123$
■ Both of these calculations can be computed efficiently using the square-and-multiply algorithm for modular
exponentiation.
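The key generation steps, the square-and-multiply exponentiation and the worked numbers above as runnable Python, an added example that is not part of the original slides. Function names are assumptions; this is unpadded RSA with the slide's toy primes, for following the arithmetic only.

```python
from math import gcd


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        old_t, t = t, old_t - quot * t
    return old_r, old_s, old_t


def mod_inverse(e, phi):
    """d with e*d = 1 (mod phi); fails if e and phi share a factor."""
    g, s, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not relatively prime")
    return s % phi


def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation: one squaring per exponent bit."""
    result = 1
    base %= modulus
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
    return result


def rsa_keygen(p, q, e):
    """Follow the key generation steps; return ((n, e), (n, d))."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) with gcd(e, phi(n)) = 1")
    return (n, e), (n, mod_inverse(e, phi))


def apply_key(m, key):
    """m^exponent mod n for a key (n, exponent); m must already be < n."""
    n, exponent = key
    if not 0 <= m < n:
        raise ValueError("message representative must satisfy 0 <= m < n")
    return square_and_multiply(m, exponent, n)


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)
    print(public, private)
    c = apply_key(123, public)          # encryption with (n, e)
    print(c, apply_key(c, private))     # decryption with (n, d)
    # The keys also work in the other order (private first, then public).
    s = apply_key(123, private)
    print(apply_key(s, public))
```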
ElGamal Cryptographic System
■ Based on the Discrete Logarithm Problem, Called Elliptic Curve Variant
■ Derives strength from the assumption that discrete logarithms cannot be found in a practical time frame for a
given number, while the inverse operation of the power can be computed efficiently
■ Generation of ElGamal Key Pair
– the global elements of Elgamal are a prime number q and a, which is a primitive root of q.
– User A generates a private/public key pair as follows:
■ Generate a random integer XA, such that 1 < XA < q - 1.
■ Compute $Y_A = a^{X_A} \bmod q$.
■ A’s private key is XA and A’s public key is {q, a, YA}.
– Any user B that has access to A’s public key can encrypt a message as follows:
■ Represent the message as an integer M in the range <= M <= q - 1. Longer messages are sent as a sequence of blocks,
with each block being an integer less than q.
■ Choose a random integer k such that 1 <= k <= q - 1.
■ Compute a one-time key $K = (Y_A)^k \bmod q$.
■ Encrypt M as the pair of integers (C1, C2) where $C_1 = a^k \bmod q$; $C_2 = KM \bmod q$
– User A recovers the plaintext as follows:
■ Recover the key by computing $K = (C_1)^{X_A} \bmod q$.
■ Compute $M = (C_2 K^{-1}) \bmod q$.
ElGamal Cryptographic System
■ Let us demonstrate why the Elgamal scheme works.
■ First, we show how K is recovered by the decryption process:
– $K = (Y_A)^k \bmod q$ (K is defined during the encryption process)
– $K = (a^{X_A} \bmod q)^k \bmod q$ (substitute using $Y_A = a^{X_A} \bmod q$)
– $K = a^{k X_A} \bmod q$ (by the rules of modular arithmetic)
– $K = (C_1)^{X_A} \bmod q$ (substitute using $C_1 = a^k \bmod q$)
■ Next, using K, we recover the plaintext as
– $C_2 = KM \bmod q$
– $(C_2 K^{-1}) \bmod q = K M K^{-1} \bmod q = M \bmod q = M$
■ Bob generates a random integer k.
■ Bob generates a one-time key K using Alice’s public-key components YA, q, and k.
■ Bob encrypts k using the public-key component a, yielding C1. C1 provides sufficient information for Alice to recover
K.
■ Bob encrypts the plaintext message M using K.
■ Alice recovers K from C1 using her private key.
■ Alice uses $K^{-1}$ to recover the plaintext message from C2.
ElGamal Cryptographic System
■ For example, let us start with the prime field GF(19); that is, q = 19.
■ It has primitive roots {2, 3, 10, 13, 14, 15}. We choose a = 10.
■ Alice generates a key pair as follows:
– Alice chooses XA = 5.
– Then $Y_A = a^{X_A} \bmod q = a^5 \bmod 19 = 3$
– Alice’s private key is 5 and Alice’s public key is {q, a, YA} = {19, 10, 3}.
■ Suppose Bob wants to send the message with the value M = 17. Then:
– Bob chooses k = 6.
– Then $K = (Y_A)^k \bmod q = 3^6 \bmod 19 = 729 \bmod 19 = 7$.
– So
■ $C_1 = a^k \bmod q = a^6 \bmod 19 = 11$
■ $C_2 = KM \bmod q = 7 \times 17 \bmod 19 = 119 \bmod 19 = 5$
– Bob sends the ciphertext (11, 5).
For decryption:
– Alice calculates $K = (C_1)^{X_A} \bmod q = 11^5 \bmod 19 = 161051 \bmod 19 = 7$.
– Then $K^{-1}$ in GF(19) is $7^{-1} \bmod 19 = 11$.
– Finally, $M = (C_2 K^{-1}) \bmod q = 5 \times 11 \bmod 19 = 55 \bmod 19 = 17$.
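The ElGamal key generation, encryption and decryption steps with the GF(19) numbers above, as runnable Python; this is an added example that is not part of the original slides. Function names are assumptions, and the message range 0 ≤ M ≤ q − 1 used in the check is an assumption made here (Python 3.8+ is needed for the modular inverse via pow).

```python
import secrets


def elgamal_keygen(q, a, x=None):
    """Return (private X_A, public {q, a, Y_A}) with 1 < X_A < q - 1."""
    if x is None:
        x = secrets.randbelow(q - 3) + 2          # 2 .. q-2
    if not 1 < x < q - 1:
        raise ValueError("private key must satisfy 1 < X_A < q - 1")
    return x, (q, a, pow(a, x, q))


def elgamal_encrypt(public, m, k=None):
    """Encrypt integer m as (C1, C2) using a fresh one-time k per message."""
    q, a, y = public
    if not 0 <= m <= q - 1:                       # assumed message range
        raise ValueError("message block must be an integer below q")
    if k is None:
        k = secrets.randbelow(q - 1) + 1          # 1 .. q-1
    if not 1 <= k <= q - 1:
        raise ValueError("k must satisfy 1 <= k <= q - 1")
    one_time_key = pow(y, k, q)                   # K = (Y_A)^k mod q
    c1 = pow(a, k, q)                             # C1 = a^k mod q
    c2 = (one_time_key * m) % q                   # C2 = K*M mod q
    return c1, c2


def elgamal_decrypt(q, x, ciphertext):
    """Recover M: K = C1^X_A mod q, then M = C2 * K^-1 mod q."""
    c1, c2 = ciphertext
    one_time_key = pow(c1, x, q)
    return (c2 * pow(one_time_key, -1, q)) % q


if __name__ == "__main__":
    # Slide values: q = 19, a = 10, X_A = 5, M = 17, k = 6.
    x, public = elgamal_keygen(19, 10, x=5)
    print(public)
    ct = elgamal_encrypt(public, 17, k=6)
    print(ct, elgamal_decrypt(19, x, ct))
    # A different k gives a different ciphertext for the same plaintext.
    ct2 = elgamal_encrypt(public, 17, k=7)
    print(ct2, elgamal_decrypt(19, x, ct2))
```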
ElGamal Cryptographic System
■ ElGamal Analysis
– Each user has a private key x, and has three components of public key – prime modulus p,
generator g and public key $Y = g^x \bmod p$
– Strength of ElGamal is based on the difficulty of the discrete logarithm problem
– The secure key size is generally > 1024 bits (2048-bit keys are used)
– On the processing speed front, ElGamal is quite slow; it is used for key authentication protocols
– Due to higher processing efficiency, Elliptic Curve variants of ElGamal are becoming
increasingly popular
■ Self study
– Elliptic curve cryptography (ECC)
– A comparison of RSA and Elgamal Schemes
Thank You
