Asymm Crypto

7/27/2019 Asymm Crypto

1/35

Asymmetric Cryptography

Mahalingam Ramkumar

Department of CSE

Mississippi State University


2/35

Mathematical Preliminaries

CRT Chinese Remainder Theorem Euler Phi Function

Fermat's Theorem Euler-Fermat's Theorem


3/35

CRT

Recall Basic Theorem of Arithmetic

m=i=0

n

pi

ei=i=0

n

mi

mi,mj=1 ijConsider any number in aZm

aa1 mod m1aa

2mod m

2

aan mod mn

Now given a1an can we find a ?

Is a unique?


4/35

CRT

Example180=22325=495233 mod4

235 mod9233 mod5Is there any other number (apart from 23)which satisfies these equations?

Answer - no!So we could represent 23 as (3,5,3)

4,9,5 are orthogonal axes(3,5,3) are projections of 23 on those axes!


5/35

CRT

xa1 mod m1xa2 mod m2

xan mod mn

xy mod m,m=i=1n

mi, mi,mj=1, ij

Let Mi=m/mi,Ni=Mi1

mod mi

xyi=1n

aiM

iN

imod m

Check : x mod miai

MiNi mod mi1,MiNi mod mj0, ij


6/35

CRT - Example

x5 mod13x6 mod11x9 mod17

x4 mod19m=13.11.17.19=46189,

M1=46189 /13=3553, N

1=3553141 mod1310 mod13

M2=46189 /11=4199,N1=4199181 mod117 mod11

M3=46189 /17=2717, N1=27171141 mod1711 mod17

M4=46189 /19=2431,N1=24311181 mod1918 mod19

xi=1

4

aiMiNi mod46189

x5.3553.106.4199.79.2717.114.2431.18 mod46189x12810 mod46189


7/35

CRT A Useful Relationship

xa mod m1xa mod m2

xa mod mn

then xa mod m


8/35

Euler Phi Function

How many numbers in Zm

are relatively prime

to m?

Or how many numbers in Zm havemultiplicative inverses?

m=

i=1n

pi

ei

m=i=1n

{pi

eipi

ei1}


9/35

Euler Phi Function

Special Cases m is prime; say m=p (m) = (p) = p-1 (all numbers 1 to m-1 are relatively prime

to a prime number!)

m = p1*p2 (m) = (p

1-1)(p

2-1)

Check equation with e1

= e2

= 1

(m = p1p

2) = m {p

1+ p

2- 1} exclude numbers which

are multiples of p1 or p2 p

1multiples of p

2

p2

multiples of p1

{0 1 2 3 4 5 6 7 8 9 10 11 12 13 14} (15 = 5x3)

m=i=

1

n

pie

i

m=i=1n

{pi

eipi

ei1}


10/35

Fermat's Theorem

aZp,ap11 mod p

Zp={0,1,2,,p2,p1}

Consider aZp and0i , j ,p

1

Can two terms of aZp, say i , j be equal?

If iaja0 mod p then pija

No two terms can be equal!aZp is a permutation of Zp

Either p ij or pa

Only possible ifij=0 or i=j


11/35

Fermat's Theorem - Continued

Verify for p = 7, 31 (assignment 3)

aZp,ap11 mod p

Product of all terms in Zp and aZp

should be identical (neglecting 0)p1 !ap1p1! mod p

1ap1 mod p


12/35

Euler - Fermat's Theorem

Proof for m = pe by induction

Can extend proof for any m due to themultiplicative property of (m) Verify for m = 25 = 52 (assignment 3) Verify for m = 12 = 22*3 (assignment 3)

am1 mod m if aZm anda ,m=1,


13/35


14/35

Square and Multiply Algorithm

How do we efficiently calculate yax mod nLet b

rb

r1b

1b0

be binary representation of x

x=i=0r bi2i

ax=

i=0

r

abi2

i

=abr2r

abr12r1

a2b1ab0

z=1

for i=r downto0

z=z2 mod nifb

i=1z=za mod n endif

endfor

yz


15/35

Square and Multiply Algorithm

Example36

43mod87

x=43=101011b; r=5 ;a=36 ;

z=1 ;b5=1 ;z=1 ;z=z2a mod8736 mod87

b4=0 ;z=36; z=z2 mod8778 mod87

b3=1;z=78;z=z2a mod8745 mod87

b2=0; z=45; z=z2

mod8724 mod87b1=1; z=24;z=z

2a mod8730 mod87

b0=1; z=30;z=z2a mod8736 mod87


16/35

Primality Testing

How do we check if a number n is a prime? A prime number does not have any factors

No prime smaller than n is a factor So check all primes smaller than n?

Impractical say n is a hundred digit prime How many prime numbers less than n?

Roughly n / log(n) For a hundred digit number log(n) is less than

250 So the number of primes less than n is of the

order of 10

97

Prime numbers are dense


17/35

Primality Checking

Uses Fermat's theorem We know if a number n is prime

If n is not prime can the above equation hold

for some a? - Yes. How does this help? Do we need to check all

possible a? We do not. If the equation does not hold for

even one value of a then it will not hold for

at least half the values of a

an1

mod n1a,n=1


18/35

Probabilistic Primality Checking

We have n For k = 1 to N

Choose a number a < n randomly Check if a | n

if so n is not prime. Quit Check if a(n-1) = 1 mod n.

If test fails n is not prime. Quit. Continue

End for If test passes N checks probability that n is

not prime is (1/2)

N


19/35

Observations

Choosing large primes randomly is not difficult Choose a large odd number Check if it is a prime

Probabilistic primality testing If not prime increment number by 2 and check again Remember primes are dense we'll eventually find one

for hundred digit numbers the mean search length is only

125 numbers! Modular exponentiation is trivial with square and

multiply algorithm If pand qare two large primes, and if n=pq

determining pand qgiven n is extremely difficult! No known polynomial complexity algorithm for

factorization.


20/35

RSA (Rivest-Shamir-Adelman)

Choose two large primes p,q. Let n=pqWe known=p1q1Choose eZn such thate,n=1

Calculate de1 modnNow e is the public encryption key

and d is the private decryption keyRemember ed1 modn or ed=kn1

For any an,aed

a mod n. From Euler-Phi TheoremThrow away p,q, andn

Encryption CPemod n

Decryption PCdmod n

Check C

d

Ped

Pkn1

Pn

k

P1

k

PP mod n


21/35

Strength of Public Key

Cryptography If modulus is 64 bit value is PKC as strong as

symmetric cryptography with key length of 64 bits? No very easy to factorize / calculate discrete logs

in such small domains Typically need modulus of the order of 1024 bits! Computationally much more expensive than

symmetric cryptography about 3 order of

magnitudes more Usually used only for establishing shared

symmetric keys


22/35

Exponential Ciphers

Exponential Ciphers Diffie-Helman El Gamal

HASH Functions Signature Schemes


23/35

Order of a number

Let Zp={0,1,,p1}

What is the order of a number aZpThe minimum value of x such that a

x1 mod p

Example - order of 1 is 1Order of p1 is2 (Why?)Order of any number dividesp1Or order of any number is of the formp1/dHow many numbers of order p1 ? p1=p

How many numbers of order p1/d ? p1 /dLet p=7. Orders of numbers 1 to 6 are

Element 1 2 3 4 5 6

Order 1 3 6 3 6 2

A number of full order is called a GENERATOR


24/35

Diffie Helman Key Exchange

Large prime p, and g preferably a generator

Alice chooses aZp

and calculatesga mod p

Bob chooses bZp and calculatesgb

mod pPublic values p,g

Shared secret between Alice and Bob is Kgab mod p

Alice can calculate Kagab mod p

Bob can calculate Kb

gba

mod p


25/35

El Gamal Cryptosystem

Large prime p, and g preferably a generatorPublic values p,g

Alice chooses aZp and calculatesga

mod p

Alice's public key

, private key a

Message from Bob to Alice, PBob chooses a random kZpBob calculatesgk mod p,CPk mod pBob sends,C to AliceAlice calculatesa mod p and PC1 mod p

C1Pka1Pgakgka1Pgakgak1P mod p

Bob masks message P with gak

Sends a cluegk mod p for unmaskingCaution - should use different k every time!


26/35

RSA vs El Gamal

For RSA every node uses a different

modulus Each node has to generate two primes

generating primes is much more computationally

intensive than exponentiation For El Gamal all nodes can use the same p,g

Easy to choose private key! Extra bandwidth needed for mask Usually as asymmetric crypto is used just for

transmitting a single value El Gamal needs

twice the bandwidth of RSA


27/35

Hash Functions

h = H(M) M can be of any size

h is always of fixed size Typically h


28/35

Birthday Paradox

50 people in a room what is the probability that

two people have the same birthday? Extremely high about 0.977

A message M hashes to N bits say h. What is theprobability that another message M

1hashes to h?

1/2N we need to search 2N to see a hit. What is the probability that two messages have the

same hash? We need to search only 2N/2 messages

64 bit hash is not strongly collision resistant Normally we use 160 bit hash functions


29/35

MD5 128 bit hash

Message length K Pad message with P bits such that K+P is 448 mod

512 (64 bits less than a multiple of 512)

Padding is done even if K is already 448 mod 512! Padding is 1 followed by P-1 zeros Length of padding is at least 1. Maximum value is

512

Append length as a 64 bit value. Total length is L x 512 Output h initialized to four fixed 32 bit quantities

A,B,C,D


30/35

MD5

HMD5 HMD5 HMD5IV

Block 1 Block 2 Block L

128 bit 128 bit 128 bit 128 bit 128 bit

512 bit 512 bit 512 bit

Each HMD5 block involves 64 rounds of data mangling4 stages of 16 rounds eachEach stage has different compression functions F,G,H,I

Each round uses an entry from a fixed Table of length 64Every bit of the hash code is a function of every bit of input

Other hash functions SHA, SHA-1, RIPEMD-160


31/35

Digital Signatures

Signer and verifier Anyone should be able to verify a signature DS with public key cryptography

Signer encrypts message with his private key Verifier checks (decrypts) with signer's public

key

Usually only message hash is signed!


32/35

RSA Signature scheme

Message M h = H(M) Alice signer. Private key d, public key e,

modulus n. Signature s = hd mod n Signed message M | s

Verification Verifier calculates h = H(M) Checks if se mod n equals h


33/35

El Gamal Signature Scheme

Large prime p, and g preferably a generatorPublic values p,g

Message M.

Message hash h=HMAlice chooses aZp and calculatesg

amod p

Alice's public key , private key aTo sign h Alice chooses1kp2 and calculates

gk mod phak1 modp1

Send M

Verificationgagkhak1

gaghagh mod p


34/35

El Gamal Signature - Example

p=79,g=7Alice's private key a=43

ga mod p74348 mod79Let hash of a message be12

Alice chooses k=5,k1 mod p147 mod78

gk mod p7559

hak11243594741 mod p1

4859 59418 mod79

Check gh

mod p712 mod798 mod79


35/35

Schnorr Signature Scheme

Large prime p, and smaller prime q such that qp1Typically p is 1024 bits and q is 160 bitsA number gq of order q

Public values p,q,gq

Alice chooses aZp and calculatesgqa

mod p

Alice's public key , private key aMessage M. Hash function H .To sign a message

HMgqk ,1kq1

ka mod qBoth and are 160 bit quantities!Verification

H Mg H Mgkag a HMgk mod p

Asymm Crypto

Documents

Transcript of Asymm Crypto