Public-key cryptography
Based on slides of Prof. Bart Preneel

Dr. F. Vercauteren
Katholieke Universiteit Leuven
7 June 2005

Transcript of the 71 slides

Prime numbers

Definition

◮ a prime is an integer > 1 whose only divisors are 1 and the number itself
◮ numbers which are not prime are composites
◮ 1 is neither a prime nor a composite (but a unit)

Every number can be written as a product of prime numbers
Example: 12 = 2 · 2 · 3, 210 = 2 · 3 · 5 · 7
Unique factorisation of integers (fundamental theorem of number theory)


The sieve of Eratosthenes (1)

◮ How does one find all prime numbers ≤ n?
◮ Delete all multiples (≤ n) of all primes 2, 3, 5, 7, . . . up to √n
◮ Method is called the sieve of Eratosthenes


The sieve of Eratosthenes (2)

n = 100, √100 = 10 ⇒ sieve with 2, 3, 5, 7

0 1 2 3 4 5 6 7 8 9

10 11 12 13 14 15 16 17 18 19

20 21 22 23 24 25 26 27 28 29

30 31 32 33 34 35 36 37 38 39

40 41 42 43 44 45 46 47 48 49

50 51 52 53 54 55 56 57 58 59

60 61 62 63 64 65 66 67 68 69

70 71 72 73 74 75 76 77 78 79

80 81 82 83 84 85 86 87 88 89

90 91 92 93 94 95 96 97 98 99


The sieve of Eratosthenes (2a)

n = 100, √100 = 10 ⇒ sieve with 2, 3, 5, 7 (multiples of 2 crossed out)

0 1 2 3 5 7 9

11 13 15 17 19

21 23 25 27 29

31 33 35 37 39

41 43 45 47 49

51 53 55 57 59

61 63 65 67 69

71 73 75 77 79

81 83 85 87 89

91 93 95 97 99


The sieve of Eratosthenes (2b)

n = 100, √100 = 10 ⇒ sieve with 2, 3, 5, 7 (multiples of 2 and 3 crossed out)

0 1 2 3 5 7

11 13 17 19

23 25 29

31 35 37

41 43 47 49

53 55 59

61 65 67

71 73 77 79

83 85 89

91 95 97


The sieve of Eratosthenes (2c)

n = 100, √100 = 10 ⇒ sieve with 2, 3, 5, 7 (multiples of 2, 3 and 5 crossed out)

0 1 2 3 5 7

11 13 17 19

23 29

31 37

41 43 47 49

53 59

61 67

71 73 77 79

83 89

91 97


The sieve of Eratosthenes (2d)

n = 100, √100 = 10 ⇒ sieve with 2, 3, 5, 7 (multiples of 2, 3, 5 and 7 crossed out; the remaining numbers > 1 are the 25 primes ≤ 100)

0 1 2 3 5 7

11 13 17 19

23 29

31 37

41 43 47

53 59

61 67

71 73 79

83 89

97
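The stage-by-stage sieve of the tables above, as an added Python example that is not part of the slides: it sieves only with the primes up to √n and records the survivors after each sieving prime, so the four stages for n = 100 can be checked against the tables. Function names are my own.

```python
from math import isqrt


def sieve_stages(n):
    """Sieve of Eratosthenes on 2..n, one stage per sieving prime.

    Returns (primes, stages): stages[i] = (p, survivors) lists the numbers
    still standing after the multiples of the i-th sieving prime p are
    crossed out. The sieving primes are exactly the primes <= sqrt(n):
    any composite <= n has a prime factor <= sqrt(n), so nothing more is needed.
    """
    candidate = [True] * (n + 1)
    candidate[0] = candidate[1] = False      # 0 and 1: neither prime nor composite
    stages = []
    for p in range(2, isqrt(n) + 1):
        if not candidate[p]:
            continue                          # p was crossed out earlier: composite
        # Start at p*p: smaller multiples of p have a smaller prime factor
        # and were already removed in an earlier stage.
        for multiple in range(p * p, n + 1, p):
            candidate[multiple] = False
        stages.append((p, [k for k in range(2, n + 1) if candidate[k]]))
    primes = [k for k in range(2, n + 1) if candidate[k]]
    return primes, stages


def sieving_primes(n):
    """The primes the sieve actually uses: those not exceeding sqrt(n)."""
    return [p for p, _ in sieve_stages(n)[1]]


if __name__ == "__main__":
    primes, stages = sieve_stages(100)
    for p, survivors in stages:
        print(f"after sieving with {p}: {len(survivors)} candidates remain")
    print(f"{len(primes)} primes <= 100: {primes}")
```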


Group (1)

Definition
A group (G, ·) consists of a set G and an operation ·, satisfying

1. associative: a · (b · c) = (a · b) · c, ∀a, b, c ∈ G
2. identity element: ∃1 ∈ G, ∀a ∈ G : a · 1 = 1 · a = a
3. inverse element: ∀a ∈ G, ∃a^{−1} ∈ G : a · a^{−1} = a^{−1} · a = 1
4. commutative (extra): ∀a, b ∈ G : a · b = b · a

Definition
The order of an element a of a group (G, ·) is t, iff t is the smallest positive number such that

a · a · ⋯ · a (t factors) = 1, i.e. a^t = 1


Field

Definition
A field (F, +, ·) consists of a set F and two operations + and ·, satisfying

1. (F, +) is a commutative group, with identity element 0
2. (F \ {0}, ·) is a commutative group, with identity element 1
3. distributive: ∀a, b, c ∈ F : a · (b + c) = (a · b) + (a · c)

Definition
The characteristic of the field is the order of 1 in the group (F, +), or zero if the order is not finite


Modular Arithmetic (1)

◮ Given integers a, b and n ≠ 0
◮ a is congruent to b modulo n ⇔ a − b = k · n for some integer k, i.e. n | a − b
◮ Notation: a ≡ b mod n

Example: 17 ≡ 7 mod 5 since 17 − 7 = 2 · 5


Modular Arithmetic (2)

◮ a ≡ a mod n
◮ a ≡ b mod n ⇔ b ≡ a mod n
◮ a ≡ b mod n & b ≡ c mod n ⇒ a ≡ c mod n

⇒ equivalence relation

Every equivalence class (residue class) can be represented by an element in [0, n − 1]

Convention: a mod n represents the residue of a modulo n in the range [0, n − 1]


Modular Arithmetic (3)

Theorem
Given integers a_1, a_2:

(a_1 + a_2) mod n ≡ [a_1 mod n + a_2 mod n] mod n
(a_1 − a_2) mod n ≡ [a_1 mod n − a_2 mod n] mod n
(a_1 · a_2) mod n ≡ [a_1 mod n · a_2 mod n] mod n

⇒ the integers modulo n with + and · form a commutative ring

Theorem
For all exponents t:

e^t mod n ≡ [∏_{i=1}^{t} (e mod n)] mod n


Modular Arithmetic (4)

◮ Existence of an inverse: given a ∈ [0, n − 1], find x ∈ [0, n − 1] such that a · x mod n ≡ 1
◮ Example: 3 · 7 mod 10 ≡ 21 mod 10 ≡ 1, thus 3 and 7 are each other's inverse modulo 10

Theorem
a ∈ [0, n − 1] has a unique inverse modulo n ⇔ a and n are relatively prime, i.e. gcd(a, n) = 1

◮ ⇒ if n is a prime, all non-zero elements have an inverse
◮ ⇒ the integers modulo p with + and · form a (finite) field


Modular Arithmetic (5): Euclid’s algorithm

Example: 160^{−1} mod 841 ≡ ? Compute gcd(841, 160):

841 = 5 · 160 + 41
160 = 3 · 41 + 37
41 = 1 · 37 + 4
37 = 9 · 4 + 1

⇒ 1 = 37 − 9 · 4 = 37 − 9 · (41 − 1 · 37)
    = 10 · 37 − 9 · 41 = 10 · (160 − 3 · 41) − 9 · 41
    = 10 · 160 − 39 · 41 = 10 · 160 − 39 · (841 − 5 · 160)
    = 205 · 160 − 39 · 841

⇒ 160^{−1} mod 841 ≡ 205 ⇔ 160 · 205 ≡ 1 mod 841


Fermat’s Little Theorem (1)

Let p be a prime, then for each integer a one has:

a^p ≡ a mod p

and for p ∤ a:

a^{p−1} ≡ 1 mod p

⇒ the order of a non-zero element is a divisor of p − 1

Example: p = 11, a = 2, compute 2^10 mod 11:

2^4 mod 11 ≡ 16 mod 11 ≡ 5
2^8 mod 11 ≡ 5^2 mod 11 ≡ 25 mod 11 ≡ 3
2^10 mod 11 ≡ 3 · 2^2 mod 11 ≡ 12 mod 11 ≡ 1


Fermat’s Little Theorem (2)

◮ Fermat's little theorem can only be used as a compositeness test
◮ If gcd(a, n) = 1 and a^{n−1} ≢ 1 mod n, then n is composite
◮ But: the theorem cannot be used as a primality test
◮ gcd(2, 341) = 1 and 2^340 ≡ 1 mod 341, but 341 = 11 · 31


Euler ϕ function

Definition
For an integer n > 0, ϕ(n) is the number of positive integers less than n which are relatively prime to n, i.e.

ϕ(n) = #{0 < a < n | gcd(a, n) = 1}

◮ p prime: ϕ(p) = p − 1
◮ n = p · q with p, q prime:

ϕ(n) = ϕ(p) · ϕ(q) = (p − 1) · (q − 1)

Example: p = 3, q = 5, n = 15

ϕ(15) = (3 − 1) · (5 − 1) = 2 · 4 = 8,

indeed, the numbers co-prime to 15 are {1, 2, 4, 7, 8, 11, 13, 14}


Euler’s generalisation of Fermat’s LT

Theorem
∀a, n with gcd(a, n) = 1:

a^{ϕ(n)} mod n ≡ 1

Solving a · x mod n ≡ 1, with gcd(a, n) = 1:

x = a^{−1} ≡ a^{ϕ(n)−1} mod n

Example: a = 2, n = 15, ϕ(15) = 8

x ≡ a^{ϕ(n)−1} mod n ≡ 2^7 mod 15 ≡ 8,

indeed, 2 · 8 ≡ 1 mod 15


Computing modular inverse

gcd(a, n) = 1: the inverse a^{−1} mod n can be computed

1. As a^{ϕ(n)−1} mod n if the factorisation of n is known
2. Using the generalisation of Euclid's algorithm for the gcd (more efficient than using ϕ(n))
3. Possibly in combination with the Chinese Remainder Theorem (see below)
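Methods 1 and 2 side by side, as an added Python example that is not part of the slides: the extended Euclidean algorithm carries the Bézout coefficients along with the quotients of the 160^{−1} mod 841 example above, and the Euler route raises a to ϕ(n) − 1 once the factorisation of n is known. Function names and the factorisation dictionary format are my own.

```python
def extended_gcd(a, b):
    """Return (g, u, v) with g = gcd(a, b) = u*a + v*b (extended Euclid).

    The quotients q are those of the worked example (841 = 5*160 + 41,
    160 = 3*41 + 37, ...); instead of back-substituting afterwards, the
    coefficients u, v are updated alongside the remainders.
    """
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def inverse_euclid(a, n):
    """a^{-1} mod n via extended Euclid (method 2); needs gcd(a, n) = 1."""
    g, u, _ = extended_gcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return u % n                      # u*a + v*n = 1, so u*a = 1 mod n


def euler_phi(factors):
    """phi(n) from the prime factorisation of n given as {p: exponent}."""
    phi = 1
    for p, k in factors.items():
        phi *= (p - 1) * p ** (k - 1)
    return phi


def inverse_euler(a, n, factors):
    """a^{-1} = a^{phi(n)-1} mod n (method 1); needs the factorisation of n."""
    if extended_gcd(a, n)[0] != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return pow(a, euler_phi(factors) - 1, n)


if __name__ == "__main__":
    print("160^-1 mod 841 =", inverse_euclid(160, 841))          # 205
    print("2^-1 mod 15 via phi =", inverse_euler(2, 15, {3: 1, 5: 1}))  # 8
```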


Chinese Remainder Theorem (CRT) (1)

Let n = 15 = 3 · 5, then every number between 0 and 14 can be represented by unique coordinates (x mod 3, x mod 5):

x mod 3 \ x mod 5 |  0   1   2   3   4
------------------+--------------------
        0         |  0   6  12   3   9
        1         | 10   1   7  13   4
        2         |  5  11   2   8  14

All elements in the 3 × 5 matrix are being used (note gcd(3, 5) = 1)


Chinese Remainder Theorem (CRT) (2)

Is this always the case? Example: Let n = 24 = 4 · 6, then (rows x mod 4, columns x mod 6)

x mod 4 \ x mod 6 |   0      1      2      3      4      5
------------------+------------------------------------------
        0         | 0, 12    -    8, 20    -    4, 16    -
        1         |   -    1, 13    -    9, 21    -    5, 17
        2         | 6, 18    -   10, 22    -    2, 14    -
        3         |   -    7, 19    -    3, 15    -   11, 23

Note gcd(4, 6) ≠ 1: half of the cells stay empty while the others hold two numbers, so the coordinates are not unique

Theorem
If m_1, m_2 satisfy gcd(m_1, m_2) = 1, then one can replace the basis m_1 · m_2 by the bases m_1, m_2.


Chinese Remainder Theorem (CRT) (3)

Theorem
Suppose we want to solve a system of congruences to different moduli m_i, with gcd(m_i, m_j) = 1 for i ≠ j:

x ≡ a_1 mod m_1
x ≡ a_2 mod m_2
...
x ≡ a_r mod m_r

Then there exists a simultaneous solution x to all of the congruences, with x ∈ [0, m − 1] where m = m_1 · m_2 · · · m_r.


Chinese Remainder Theorem (CRT) (4)

Application: replace computation modulo m by

1. Computation modulo factors of m that are co-prime
2. Reconstruction of the result modulo m

Advantages:
◮ Computations with smaller numbers
◮ FLT: computation with smaller exponents

Example: Decryption operation in RSA (see below)


CRT (5): how to find x?

Special case: m = m_1 · m_2 (gcd(m_1, m_2) = 1)

x ≡ a_1 mod m_1
x ≡ a_2 mod m_2

◮ First equation equivalent to:

∃k ∈ Z : x = a_1 + k · m_1

◮ Second equation then implies:

x = a_1 + k · m_1 ≡ a_2 mod m_2

◮ Determines k mod m_2 as

k ≡ (a_2 − a_1) · m_1^{−1} mod m_2


CRT (6): example

Example: Inverse of 7 modulo 55 = 5 · 11?

7 · x_1 ≡ 1 mod 5
7 · x_2 ≡ 1 mod 11

◮ Euclid: x_1 = 3, x_2 = 8
◮ Use CRT to find the solution of

x ≡ 3 mod 5
x ≡ 8 mod 11

◮ k = (8 − 3) · 5^{−1} ≡ 5 · 9 ≡ 1 mod 11 ⇒ x = 3 + 1 · 5 ≡ 8 mod 55
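The CRT reconstruction of the last three slides in code, as an added Python example that is not part of the slides: the two-modulus step k ≡ (a_2 − a_1) · m_1^{−1} mod m_2 is folded over r moduli, the coordinate tables for 15 = 3 · 5 and 24 = 4 · 6 are rebuilt, and the inverse of 7 modulo 55 is obtained from its inverses modulo 5 and 11. Function names are my own; modular inverses use Python's built-in pow(a, -1, m) (Python 3.8 or later).

```python
def crt_pair(a1, m1, a2, m2):
    """Solve x = a1 mod m1, x = a2 mod m2 for gcd(m1, m2) = 1.

    x = a1 + k*m1 with k = (a2 - a1) * m1^{-1} mod m2; pow(m1, -1, m2)
    is the built-in modular inverse and raises ValueError if it does not exist.
    """
    k = ((a2 - a1) * pow(m1, -1, m2)) % m2
    return (a1 + k * m1) % (m1 * m2)


def crt(residues, moduli):
    """General case: fold the pairwise step over r pairwise co-prime moduli."""
    x, m = residues[0] % moduli[0], moduli[0]
    for a_i, m_i in zip(residues[1:], moduli[1:]):
        x = crt_pair(x, m, a_i, m_i)
        m *= m_i
    return x


def coordinates(x, moduli):
    """The CRT 'coordinates' of x, e.g. 13 -> (1, 3) for moduli (3, 5)."""
    return tuple(x % m for m in moduli)


def inverse_via_crt(a, p, q):
    """a^{-1} mod p*q recombined from the inverses modulo p and q."""
    return crt([pow(a, -1, p), pow(a, -1, q)], [p, q])


def crt_table(m1, m2):
    """Rows indexed by x mod m1, columns by x mod m2; each cell lists the
    x in [0, m1*m2 - 1] with those coordinates. For co-prime moduli every
    cell holds exactly one number; otherwise some cells are empty and
    others hold several, as in the 4 x 6 table."""
    table = [[[] for _ in range(m2)] for _ in range(m1)]
    for x in range(m1 * m2):
        table[x % m1][x % m2].append(x)
    return table


if __name__ == "__main__":
    print("7^-1 mod 55 =", inverse_via_crt(7, 5, 11))   # 8
    for row in crt_table(3, 5):
        print(" ".join(f"{cell[0]:2d}" for cell in row))
```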


Primes revisited (1)

◮ Are the primes randomly distributed?
◮ How many primes are there of a given length?
◮ How can one test whether a number is prime?

Theorem
The number of primes smaller than x is asymptotically:

π(x) ≈ x / ln x

Example: Number of 512-bit primes: π(2^512) − π(2^511) ≈ 2^502.5

◮ 1 in 355 512-bit numbers is prime
◮ 1 in 178 odd 512-bit numbers is prime
◮ 1 in 118 512-bit odd numbers that are not a multiple of 3 is prime


Primes revisited (2)

prime test ≠ generation of primes

◮ TEST: given p, verify whether p is prime
◮ GENERATION: given [r_1, r_2], find a prime in this interval

Definition
Let s be an integer satisfying

b^{s−1} ≡ 1 mod s, for some b, 1 < b < s

then s is called a basis-b-pseudoprime (notation: b-psp)

Theorem (Fermat's Little Theorem)
If s is prime and gcd(b, s) = 1, then s is a b-psp


Primes revisited (3)

Definition
Let s be an odd integer with

s − 1 = 2^v · s′, s′ odd

then s is a strong basis-b-pseudoprime (notation: strong b-psp) if either

b^{s′} ≡ 1 mod s

or

b^{2^k · s′} ≡ −1 mod s, for an integer k, 0 ≤ k < v


Miller-Rabin prime test

◮ If for a given basis b, 1 < b < s, s is not a strong b-psp, then s is a composite
◮ If s is a composite, then there are at least 3(s − 1)/4 such bases [Rabin 1976, Monier 1978]
◮ If s is prime, then for all 0 < b < s, s is a strong b-psp
◮ Leads to the Miller-Rabin prime test, i.e. for random bases b, test if s is a strong b-psp
◮ Each round fails (accepts a composite) with probability at most 1/4, so repeated application makes the error exponentially small
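The three tests of the preceding slides in code, as an added Python example that is not part of the slides: square-and-multiply exponentiation (the 2^4, 2^8, 2^10 pattern of the Fermat example), the Fermat compositeness test, the strong b-psp test and the Miller-Rabin loop on top of it. It shows that 341 = 11 · 31 is a 2-psp but not a strong 2-psp, while 2047 = 23 · 89 is a strong 2-psp that a second basis exposes. Function names are my own; random bases come from the secrets module.

```python
import secrets


def square_and_multiply(base, exponent, modulus):
    """base^exponent mod modulus, left-to-right square-and-multiply.

    The accumulator is squared once per exponent bit and multiplied by the
    base whenever that bit is 1, so the cost is O(log exponent) operations.
    """
    result = 1
    base %= modulus
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
    return result


def is_fermat_psp(s, b):
    """True iff b^(s-1) = 1 mod s, i.e. s is a b-psp (a prime s always passes)."""
    return square_and_multiply(b, s - 1, s) == 1


def is_strong_psp(s, b):
    """Strong b-pseudoprime test for odd s > 2.

    Write s-1 = 2^v * s' with s' odd; s passes iff b^s' = 1 mod s or
    b^(2^k * s') = -1 mod s for some 0 <= k < v.
    """
    v, s_odd = 0, s - 1
    while s_odd % 2 == 0:
        v, s_odd = v + 1, s_odd // 2
    x = square_and_multiply(b, s_odd, s)     # k = 0
    if x == 1 or x == s - 1:
        return True
    for _ in range(v - 1):                    # k = 1 .. v-1 by repeated squaring
        x = (x * x) % s
        if x == s - 1:
            return True
    return False


def miller_rabin(s, rounds=40, bases=None):
    """Miller-Rabin: False means composite for sure, True means probably prime.

    Each random basis exposes a composite with probability >= 3/4, so a
    wrong 'probably prime' after r rounds has probability <= 4^-r.
    `bases` fixes the bases for a reproducible run; by default they are
    drawn from a CSPRNG in the range 2 .. s-2.
    """
    if s < 2:
        return False
    if s in (2, 3):
        return True
    if s % 2 == 0:
        return False
    if bases is None:
        bases = [2 + secrets.randbelow(s - 3) for _ in range(rounds)]
    return all(is_strong_psp(s, b) for b in bases)


if __name__ == "__main__":
    print("2^10 mod 11 =", square_and_multiply(2, 10, 11))            # 1
    print("341 is a 2-psp:", is_fermat_psp(341, 2))                   # True
    print("341 is a strong 2-psp:", is_strong_psp(341, 2))            # False
    print("2047 probably prime (bases 2, 3):", miller_rabin(2047, bases=[2, 3]))
```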


One-way functions

Definition
f : X → Y : x ↦ f(x) = y is a one-way function ⇔

◮ ∀x ∈ X, f(x) is easy to compute
◮ Given y ∈ Y, finding an x ∈ X with f(x) = y is a hard problem (computationally infeasible)

Note: do such functions exist? = open problem


Candidate One-way functions

Multiplication: given p, q, compute n = p · q
◮ Inverse problem: given a large n, product of 2 primes of about the same size, find these primes

Modular exponentiation: given a, n with a ∈ [1, n − 1], a^m mod n can be computed efficiently (square and multiply)
◮ Inverse problem (= discrete logarithm): given a, n and b, find x such that

a^x mod n ≡ b


One-way functions: example

Example: 5^4 mod 21 ≡ 16, ⇒ 4 is the discrete log of 16 w.r.t. the basis 5 modulo 21

But: there is no general polynomial time (efficient) algorithm to compute discrete logs

One-way functions:
◮ Cannot be used directly for encryption, because Bob cannot recover m from f(m)
◮ Useful for the Diffie-Hellman key agreement protocol and the protection of passwords


Trapdoor one-way functions

Definition
One-way functions which can be inverted using additional information, i.e. the trapdoor information

Example:
◮ Let n = p · q, consider modular exponentiation modulo n

b = a^e mod n

◮ Inverse operation: e-th root of b
◮ Given p and q the inverse operation is easy, so p (and q) are the trapdoor information


Public-key agreement: Diffie-Hellman

Agree on a secret key using commutative one-way functions

Alice                                   Bob
Y_A = f_A(Z)
            ---- Y_A --------------->
                                        Y_B = f_B(Z)
            <--- Y_B ----------------
K_AB = f_A(Y_B) = f_A(f_B(Z))           K_BA = f_B(Y_A) = f_B(f_A(Z))


Diffie-Hellman with discrete log (1)

Choose a large prime number p and a generator α mod p

Alice                                   Bob
x_A ∈_R [1, p − 1], α^{x_A}
            ---- α^{x_A} ----------->
                                        x_B ∈_R [1, p − 1], α^{x_B}
            <--- α^{x_B} ------------
K_AB = (α^{x_B})^{x_A}                  K_BA = (α^{x_A})^{x_B}

Note: all calculations mod p
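The exchange above run for both parties, as an added Python example that is not part of the slides: each side keeps its exponent secret, only α^{x_A} and α^{x_B} cross the wire, and both end with the same α^{x_A · x_B} mod p. The parameter check anticipates the 'safe prime' requirement of the discrete-log slide further on: for p = 2q + 1 with q prime, α generates GF(p)^× exactly when α^2 ≠ 1 and α^q ≠ 1. The toy parameters p = 23, α = 5 and the function names are my own.

```python
import secrets


def is_safe_prime_generator(p, alpha):
    """For a safe prime p = 2q + 1, alpha generates GF(p)^* iff alpha^2 != 1
    and alpha^q != 1 mod p (the proper divisors of p - 1 are only 1, 2, q).
    Primality of p and q is assumed to have been checked beforehand."""
    q = (p - 1) // 2
    return 1 < alpha < p - 1 and pow(alpha, 2, p) != 1 and pow(alpha, q, p) != 1


def dh_keypair(p, alpha, x=None):
    """Private exponent x in [1, p-1] (from a CSPRNG unless fixed for a
    test) and the public value alpha^x mod p that is sent to the peer."""
    if x is None:
        x = 1 + secrets.randbelow(p - 1)
    return x, pow(alpha, x, p)


def dh_shared(p, received_public, own_private):
    """K = received^x mod p. Both sides obtain alpha^(xA*xB) because
    exponentiation commutes: (alpha^xB)^xA = (alpha^xA)^xB."""
    return pow(received_public, own_private, p)


def dh_exchange(p, alpha, x_a=None, x_b=None):
    """Run both sides and return (Alice's key, Bob's key).

    Only y_a and y_b would be visible to an eavesdropper; recovering the key
    from them is the Diffie-Hellman problem of the following slides."""
    if not is_safe_prime_generator(p, alpha):
        raise ValueError("alpha does not generate GF(p)^*")
    x_a, y_a = dh_keypair(p, alpha, x_a)   # Alice's secret and public value
    x_b, y_b = dh_keypair(p, alpha, x_b)   # Bob's secret and public value
    return dh_shared(p, y_b, x_a), dh_shared(p, y_a, x_b)


if __name__ == "__main__":
    k_alice, k_bob = dh_exchange(23, 5)
    print("shared key agrees:", k_alice == k_bob, k_alice)
```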


Diffie-Hellman with discrete log (2)

◮ How to find K_AB from Y_A and Y_B, i.e. α^{x_A · x_B} from α^{x_A} mod p and α^{x_B} mod p?
◮ Only known solution: find x_A from α^{x_A} or x_B from α^{x_B} (= DLP in GF(p))
◮ Other algorithm? Currently not very likely . . .

Definition
The Diffie-Hellman assumption: given α^{x_A} and α^{x_B}, it is hard to compute α^{x_A · x_B}


Diffie-Hellman with discrete log (3)

◮ If the Diffie-Hellman assumption is true, then the key agreement is secure (bar authentication)
◮ The Diffie-Hellman problem cannot be harder than the discrete logarithm problem
◮ In many groups DHP is equivalent to DLP, i.e. given an oracle to solve DHP, it is also possible to solve DLP


Discrete log problem

Discrete log in GF(p):
◮ Hard if p is a 'safe prime': (p − 1)/2 prime, else Pohlig-Hellman
◮ Security: 512 bits ≃ 1 month, 1024 bits ≃ 5 . . . 6 years
◮ Algorithms: index calculus algorithms exploiting the representation of elements, e.g. general number field sieve

Discrete logs in other groups:
◮ Diffie-Hellman only needs the group structure
◮ Less algebraic structure implies that the logarithm is probably harder
◮ Example: Group of points on an elliptic curve over a finite field


Public-key encryption (1)

Send a confidential message protected with a public key (trapdoor one-way functions)

D_{S_B}[E_{P_B}(m)] = m

[Figure: plaintext P is encrypted with E under Bob's public key P_B to give ciphertext C, which Bob decrypts with D under his private key S_B; the key pair (P_B, S_B) is generated by Bob, and P_B reaches the sender over an authentic channel]


Public-key encryption (2): notions of security

Perfect security = information theoretic security:
◮ Adversary with infinite computing power can learn nothing about the plaintext given the ciphertext
◮ Shannon: key is as long as the message, key only used once
◮ Not useful for public key cryptography

Semantic security:
◮ Like perfect security, but with polynomially bounded computing power
◮ Ciphertext does not leak any information about the plaintext
◮ Hard to use in practice


Public-key encryption (3): notions of security

Polynomial security = indistinguishability of encryptions:
◮ Definition according to the following game:

1. Adversary A is given the encryption function f_y with y the public key
2. Find stage: A produces two plaintext messages m_0 and m_1
3. Guess stage: A is given the encryption c_b of one of the plaintext messages m_0 or m_1
4. Goal: A has to guess the value of b with probability greater than 1/2

◮ Note: a deterministic encryption function can never be polynomially secure


Public-key encryption (4): attack models

Passive attack = CPA:
◮ Adversary has access to a black box performing encryption, but not decryption
◮ Always possible in a public-key system

Chosen ciphertext attack = CCA1:
◮ Adversary has access to a black box performing decryption, during the find stage only (not the guess stage)

Adaptive chosen ciphertext attack = CCA2:
◮ Adversary has access to a black box performing decryption, during both the find and guess stages, except to decrypt the ciphertext c_b


Public-key encryption (5): definition of security

Definition
A public key encryption algorithm is called secure if it is semantically secure against an adaptive chosen ciphertext attack

◮ In many cases, much easier to prove that an encryption algorithm is IND-CCA2 secure
◮ In practice, IND-CCA2 is used as the definition of security
◮ None of the textbook public key encryption algorithms is IND-CCA2 secure!


Public-key encryption (6): further notions of security

Non-malleability:
◮ Given a plaintext/ciphertext pair (m, c), impossible to determine a valid ciphertext c′ on a related message m′
◮ A malleable encryption scheme is not secure against an adaptive chosen ciphertext attack

Plaintext aware:
◮ Very strong notion of security
◮ Computationally infeasible to construct a valid ciphertext without starting from a plaintext
◮ Implies that a decryption oracle is useless, since one cannot construct valid ciphertexts


RSA (1): description

Key generation
◮ Find 2 primes p and q of ± 155 digits and set n = p · q
◮ Compute

λ(n) = lcm(p − 1, q − 1) = ϕ(n) / gcd(p − 1, q − 1)

◮ Choose e co-prime to λ(n) (≠ ±1)
◮ Compute d = e^{−1} mod λ(n)

public key = (e, n)
private key = (d, n) or (p, q)

◮ Encryption: c = m^e mod n
◮ Decryption: m = c^d mod n


RSA (2): example

◮ p = 19, q = 23, n = 437, e = 13
◮ λ(437) = 18 · 22 / gcd(18, 22) = 9 · 22 = 198
◮ d = e^{−1} mod 198 (and NOT mod 437 !!!!)
◮ Euclid's algorithm gives: d = 61

Let the message be m = 123, then
◮ Encryption: c = 123^13 mod 437 = 386
◮ Decryption: 386^61 mod 437 = 123 = m


RSA (3): implementation aspects

◮ Choose a small public exponent with low Hamming weight, e.g. e = 3, 2^12 + 3, 2^16 + 1, for faster encryption; for encryption the security of such small e is questionable
◮ Do not use small private exponents (see below)
◮ p, q known by the owner of the private key, so faster modular exponentiation with CRT (2.5 . . . 3×)
◮ Miller-Rabin used as prime test for p and q
◮ Much slower than DES, e.g. SW on a 200 MHz Pentium Pro:
  ◮ DES: 35 Mbit/s, AES: 70 Mbit/s
  ◮ 1024-bit RSA encryption: 250 Kbit/s (32-bit exponent)
  ◮ 1024-bit RSA decryption: 30 Kbit/s
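The RSA description and the p = 19, q = 23 example in code, as an added Python example that is not part of the slides: key generation with λ(n) = lcm(p − 1, q − 1), textbook encryption and decryption, the CRT decryption mentioned under implementation aspects (two half-size exponentiations with exponents reduced by FLT, then the recombination step of the CRT slides), and a check of the homomorphic property that the later padding slides warn about. Function names and the key dictionary layout are my own; modular inverses use the built-in pow(a, -1, m).

```python
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def rsa_keygen(p, q, e):
    """Textbook RSA key generation: n = p*q, lambda(n) = lcm(p-1, q-1),
    d = e^{-1} mod lambda(n) (NOT mod n). p, q are assumed distinct primes."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    if gcd(e, lam) != 1 or e % lam in (1, lam - 1):
        raise ValueError("e must be co-prime to lambda(n) and not +-1")
    d = pow(e, -1, lam)                     # built-in modular inverse (Python >= 3.8)
    return {"n": n, "e": e, "d": d, "p": p, "q": q, "lambda": lam}


def rsa_encrypt(m, key):
    return pow(m, key["e"], key["n"])


def rsa_decrypt(c, key):
    return pow(c, key["d"], key["n"])


def rsa_decrypt_crt(c, key):
    """Decryption with the CRT: exponentiate modulo p and modulo q with the
    exponents d mod (p-1) and d mod (q-1) (Fermat's little theorem lets the
    exponent be reduced), then recombine m from (m mod p, m mod q)."""
    p, q, d = key["p"], key["q"], key["d"]
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    k = ((m_q - m_p) * pow(p, -1, q)) % q   # k = (a2 - a1) * m1^{-1} mod m2
    return m_p + k * p


def rsa_is_multiplicative(m1, m2, key):
    """RSA(m1*m2) = RSA(m1)*RSA(m2) mod n: the homomorphic property of
    unpadded RSA, which is why a padding scheme is required in practice."""
    n = key["n"]
    lhs = rsa_encrypt(m1 * m2 % n, key)
    rhs = rsa_encrypt(m1, key) * rsa_encrypt(m2, key) % n
    return lhs == rhs


if __name__ == "__main__":
    key = rsa_keygen(19, 23, 13)
    c = rsa_encrypt(123, key)
    print(f"n={key['n']} lambda={key['lambda']} d={key['d']} c={c}")
    print("decrypt:", rsa_decrypt(c, key), "via CRT:", rsa_decrypt_crt(c, key))
```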


RSA (4): proof

To be shown: ed ≡ 1 mod λ(n) ⇒ m^{ed} ≡ m mod n

Case 1: gcd(m, n) = 1
◮ (p − 1) | λ(n) and (q − 1) | λ(n)
◮ By FLT, we therefore have

m^{λ(n)} ≡ 1 mod p and m^{λ(n)} ≡ 1 mod q

◮ Write ed = 1 + kλ(n) with k ∈ Z, then

m^{ed} ≡ m mod p and m^{ed} ≡ m mod q

◮ By CRT, m^{ed} ≡ m mod pq


RSA (5): proof

Case 2: gcd(m, n) ≠ 1, so p | m or q | m
◮ Note that if p | m, then m ≡ 0 mod p, so m^{ed} ≡ m mod p
◮ If p ∤ m, then the same reasoning as in case 1 holds
◮ The same argument applies to q, hence

m^{ed} ≡ m mod p and m^{ed} ≡ m mod q

◮ By CRT, m^{ed} ≡ m mod pq


RSA (6): security in practice

◮ Best known attack: simply factor n
◮ Security: 512 bits ≃ less than a month, 1024 bits ≃ 5 years
◮ Choice of 'strong' primes p and q, i.e. p − 1 and q − 1 need a 'large' prime factor
◮ Computing λ(n) is equivalent to factoring n

Example: Simple proof if one can find ϕ(n):
◮ n − ϕ(n) + 1 = p + q and pq = n ⇒ p and q (the two roots of X^2 − (p + q)X + pq)


RSA (7): security in practice

◮ Need to use a padding scheme, else the homomorphic property can be exploited
◮ Each user needs to have a different modulus
◮ Small secret exponents d are not secure (< 29% of the modulus length)
◮ Partial key exposure attacks . . .
◮ Chosen ciphertext attack on PKCS#1 v1.5 based on error messages (needs 300 000 to 2 000 000 ciphertexts)
◮ Currently, PKCS#1 v2.1 based on Optimal Asymmetric Encryption Padding (OAEP)
◮ But OAEP also has its problems: move to RSA-KEM.


RSA (8): security in practice

Problems of a small public exponent e (for encryption):
◮ If a fraction (e − 1)/e of the plaintext bits is known, the remaining bits can be determined
◮ If an identical plaintext is sent to e users (with moduli n_1, n_2, . . . , n_e):

c_i ≡ m^e mod n_i

with CRT (the n_i are relatively prime)

c̃ ≡ m^e mod n_1 · n_2 · · · n_e

m^e < n_1 · n_2 · · · n_e, hence solving for m is easy

Note: can be extended to different but 'related' messages


RSA (9): exercises

The purpose of this exercise is to show that textbook RSA is not secure at all:

◮ Show that textbook RSA cannot be polynomially secure
◮ Show that RSA is malleable
◮ Given (m, c) derive the encryption of 2m using an adaptively chosen ciphertext attack


Factorisation records

Factoring n or computing discrete logs mod n: O(L_n[1/3, 1.902])

L_n[a, b] = exp[(b + o(1)) · (ln n)^a · (ln ln n)^{1−a}]

year   # digits   computing effort
1984      71          0.1 MY
1989     105          ?
1992     110          75 MY
1994     129          5000 MY
1996     130          1000 MY
1999     140          2000 MY
1999     155          8400 MY
2003     174          48640 MY
2005     200          165000 MY


ElGamal encryption (1)

Key generation:
◮ Parameters: (safe) prime p and generator α of GF(p)^×
◮ Private key: x (1 < x < p − 1)
◮ Public key: y = α^x mod p

Encryption:
◮ Generate random k (1 < k < p − 1) with gcd(k, p − 1) = 1
◮ r = α^k mod p (k and r are the ephemeral key pair)
◮ s = y^k · m mod p (0 ≤ m ≤ p − 1)
◮ Ciphertext: c = (r, s)

Decryption:
◮ m = s · r^{−x} mod p
◮ Indeed: r^{−x} = α^{−kx} = y^{−k} mod p


ElGamal encryption (2)

◮ Security relies on the discrete log problem and not on factoring
◮ Ciphertext twice as long as the plaintext
◮ Secure random number generator required for k
◮ Non-deterministic encryption: the same plaintext results in different ciphertexts (for different k)
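The ElGamal scheme of the previous slide in code, as an added Python example that is not part of the slides: key generation, encryption with an ephemeral k from a CSPRNG (the requirement 1 < k < p − 1, gcd(k, p − 1) = 1 is enforced), decryption via s · r^{−x}, and a check that two encryptions of the same plaintext under different k give different ciphertexts. Toy parameters p = 23, α = 5 and the function names are my own; a real deployment needs a large safe prime.

```python
import secrets
from math import gcd


def elgamal_keygen(p, alpha, x=None):
    """Private x with 1 < x < p-1 (random unless fixed for a test), public
    y = alpha^x mod p. p is assumed to be a (safe) prime and alpha a
    generator of GF(p)^*, as the parameter slide requires."""
    if x is None:
        x = 2 + secrets.randbelow(p - 3)
    return x, pow(alpha, x, p)


def elgamal_encrypt(m, p, alpha, y, k=None):
    """Ciphertext (r, s) = (alpha^k mod p, y^k * m mod p) with ephemeral k.

    k must be fresh for every message and co-prime to p-1; it comes from the
    CSPRNG unless a caller fixes it, in which case it is validated."""
    if not 0 <= m <= p - 1:
        raise ValueError("message must be in [0, p-1]")
    if k is None:
        k = 2 + secrets.randbelow(p - 3)
        while gcd(k, p - 1) != 1:
            k = 2 + secrets.randbelow(p - 3)
    elif not (1 < k < p - 1 and gcd(k, p - 1) == 1):
        raise ValueError("k must satisfy 1 < k < p-1 and gcd(k, p-1) = 1")
    r = pow(alpha, k, p)
    s = pow(y, k, p) * m % p
    return r, s


def elgamal_decrypt(r, s, p, x):
    """m = s * r^{-x} mod p, since r^{-x} = alpha^{-kx} = y^{-k} mod p.
    pow(r, -x, p) computes the inverse of r and raises it to x."""
    return s * pow(r, -x, p) % p


if __name__ == "__main__":
    x, y = elgamal_keygen(23, 5)
    c1 = elgamal_encrypt(7, 23, 5, y)
    c2 = elgamal_encrypt(7, 23, 5, y)
    print("two encryptions of 7:", c1, c2)
    print("decrypt:", elgamal_decrypt(*c1, 23, x), elgamal_decrypt(*c2, 23, x))
```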


Hybrid systems

For encryption:
◮ triple-DES or AES: parties need to share a secret key
◮ RSA: too slow for bulk data (1000 times slower)

Definition
Hybrid systems: a public-key system is used to agree on the secret key, which is then used as the secret key in a conventional system (such as triple-DES or AES) to encrypt the bulk information


Digital signatures (1)

Authentication:
◮ Data integrity: authentication of content
◮ Data origin authentication: authentication of the sender

Digital signature:
◮ Can be verified by a third party (such as a judge)
◮ 2 operations: sign and verify


Digital signatures (2)

[Figure: Alice signs the message P with S under her private key S_A, giving the signed message C; the verifier checks it with V under Alice's public key P_A; the key pair (P_A, S_A) is generated by Alice, and P_A reaches the verifier over an authentic channel]


Digital signatures: security notions

The following types of forgery are commonly used:

1. Total break: adversary can produce signatures on any message, as if she was the valid key holder (basically has the private key)
2. Selective forgery: adversary can forge a signature on a single message chosen by someone else with high probability
3. Existential forgery: adversary can forge a signature on a single message, even a random message is OK


Digital signatures: attack models

Key only attack:
◮ Adversary has access to the verification function (which is public anyway)

Known message attack:
◮ Adversary has a list of messages previously signed by the key holder

Chosen message attack:
◮ Adversary has access to a signing oracle


Digital signatures algorithms

◮ RSA: advised to use different key pairs for encryption and signing in one system
◮ ElGamal signature (1985) and variants (1989, . . . )
◮ DSA (Digital Signature Algorithm), FIPS 186 (1994) and variants such as elliptic curve DSA (ECDSA)
◮ QUARTZ (based on the MQ problem)

Digital signature standards: ISO/IEC 9796, ISO/IEC 14888


Digital signatures with RSA (with recovery)

For short messages (up to 50 . . . 80 bytes):
◮ Signer uses a padding scheme to add redundancy to the message m, giving m′
◮ Signing operation: c = m′^d mod n
◮ Verifier computes m′ = c^e mod n and checks the redundancy
◮ Verifier recovers m from m′

Goal of the padding scheme:
◮ Avoid small messages: no reduction
◮ Otherwise all ciphertexts c would be valid signatures
◮ Homomorphic property:

RSA(m_1 · m_2) = RSA(m_1) · RSA(m_2)

◮ After two signatures, one can forge a third one, . . .


Digital signature with RSA (without recovery)

For long messages:

[Figure: the signer hashes the message (a text excerpt: "Where dips the rocky highland of Sleuth Wood in the lake, there lies a leafy island where flapping herons wake the drowsy water-rats ..."), applies sign with S_A to the hash, and sends the message together with the signature; the verifier hashes the received message, applies verify with P_A to the hash and the signature, and obtains OK?]


Digital signature with RSA: padding schemes

Many padding schemes have been broken!
◮ ISO/IEC 9796-1 has been withdrawn in 2000
◮ ISO/IEC 9796-2 is suspicious (only for restricted applications)
◮ PKCS#1 is still not broken, but several revisions (current version 2.1)
◮ PSS, PSS-R: provably secure signing

Note: attacks require chosen texts, which may or may not be realistic


DSA (1) (Digital Signature Algorithm) (1994)

Specification in FIPS 186

Key generation:
◮ General system parameters: prime p and 160-bit prime q, with q | (p − 1)
◮ Generator α of the group of order q
◮ Every user has:
  ◮ Private key: x (1 < x < q − 1)
  ◮ Public key: y = α^x mod p

Note: parameters have to be generated as described (complex algorithm) in order to avoid certain attacks


DSA (2) (Digital Signature Algorithm)

Signing:
◮ Message m (0 ≤ m ≤ q − 1)
◮ Ephemeral key, i.e. choose a random number k (1 < k < q), compute r = (α^k mod p) mod q
◮ Compute s = (m + x · r) · k^{−1} mod q
◮ Signature = (r, s) (if r or s = 0, choose a new value for k)

Verification:
◮ Compute w = s^{−1} mod q and verify whether

r = (α^{mw} · y^{rw} mod p) mod q
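DSA signing and verification as described on the last two slides, as an added Python example that is not part of the slides: k is drawn from a CSPRNG and rejected when r or s is 0, and the verifier recomputes r from w = s^{−1} mod q. The toy parameters p = 23, q = 11 (q | p − 1) and α = 4 (of order 11 modulo 23) stand in for the 160-bit q and the hash of a real message; the function names are my own.

```python
import secrets


def dsa_keygen(p, q, alpha, x=None):
    """Private x with 1 < x < q-1 (random unless fixed for a test) and
    public y = alpha^x mod p; alpha is assumed to have order q modulo p."""
    if x is None:
        x = 2 + secrets.randbelow(q - 3)
    return x, pow(alpha, x, p)


def dsa_sign(m, p, q, alpha, x, k=None):
    """Sign m in [0, q-1]: r = (alpha^k mod p) mod q, s = (m + x*r) * k^{-1} mod q.

    k is a fresh ephemeral secret from the CSPRNG (a caller may fix it for a
    test); if r or s turns out to be 0 a new k is chosen, as the slide says."""
    if not 0 <= m <= q - 1:
        raise ValueError("message (hash) must be in [0, q-1]")
    while True:
        kk = k if k is not None else 2 + secrets.randbelow(q - 2)   # 1 < k < q
        r = pow(alpha, kk, p) % q
        s = (m + x * r) * pow(kk, -1, q) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another k")


def dsa_verify(m, r, s, p, q, alpha, y):
    """Check r = (alpha^(m*w) * y^(r*w) mod p) mod q with w = s^{-1} mod q.
    Exponents are reduced mod q because alpha (and hence y) has order q."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = pow(alpha, m * w % q, p) * pow(y, r * w % q, p) % p
    return r == v % q


if __name__ == "__main__":
    P, Q, ALPHA = 23, 11, 4
    x, y = dsa_keygen(P, Q, ALPHA)
    r, s = dsa_sign(5, P, Q, ALPHA, x)
    print("signature", (r, s), "verifies:", dsa_verify(5, r, s, P, Q, ALPHA, y))
    print("altered message verifies:", dsa_verify(6, r, s, P, Q, ALPHA, y))
```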


DSA (3) (Digital Signature Algorithm)

◮ Security of the generation of the ephemeral key k is paramount
◮ Howgrave-Graham & Smart: if you know 3 bits of k for 100 signatures, can easily recover the secret key
◮ Based on lattice reduction techniques to solve the hidden number problem
◮ Some implementations always use small k . . .


DSA versus RSA

◮ Discrete log/factoring: ± equivalent
◮ Advantage DSA: some operations mod q, shorter signature, r can be precomputed
◮ Disadvantage DSA: cannot be used for encryption!
◮ Disadvantage DSA: verification of a signature slower than signing
◮ RSA: patent expired in 2000, DSA: US government has a patent but currently license-free

Future: discrete log in different algebraic structures, such as the group of an elliptic curve over GF(p). Important advantage is that shorter keys could be sufficient (200 bits)
