Excursus 03


Transcript of Excursus 03

  • 8/12/2019 Excursus 03

    1/39

    CRYPTOGRAPHY

    A.A. 2010/2011

    Cryptography Part III

    Public Key Systems

    Michele Elia

    Politecnico di Torino

    2/39

    In the e-world a definition of cryptography is

    The art of information integrity

    Besides confidentiality, information may need:

    Integrity
    Availability
    Ubiquity
    Authenticity (without secrecy)
    Tracking

    3/39

    Secret key cryptography cannot solve large-scale problems that occur in civilian life:

    1. Key Distribution Problem: two users need to share a common secret key. A channel for secret key exchange may not be available.

    2. Key Management Problem: in a network of n users, every pair of users must share a secret key, for a total of n(n-1)/2 keys. If n is not small, the number of keys becomes unmanageable.

    3. Digital Signature Problem: non-secret authentication and non-repudiation are the electronic counterparts of a hand-written signature; neither can be solved by a secret key system, because every party able to verify a secret-key authentication tag is also able to produce one.

    4/39

    Diffie and Hellman

    In 1976, Whitfield Diffie and Martin Hellman invented Public Key Cryptography (PKC) to address key management issues.

    The basic idea was the exploitation of a concept already present in secret key systems:

    ONE-WAY FUNCTION

    5/39

    A naive definition of one-way function is

    A function $F: D \to U$ is one-way if three conditions are met:

    1. It is one-to-one, that is the inverse function $F^{-1}: U \to D$ exists and is unique

    2. It is easy to compute $Y = F(X)$ for every $X \in D$

    3. It is hard to compute $X = F^{-1}(Y)$ for almost every $Y \in U$

    A public key system needs one more ingredient, a trapdoor: secret information (such as the factors p, q of N in the schemes below) that makes $F^{-1}$ easy for its holder and for nobody else.

    6/39

    Public key cryptography: in 25 years many one-way functions have been put forward, all based on hard arithmetical problems. Only four functions or principles have survived:

    1. Prime factorization: it is easy to multiply two primes, whereas it is hard to factor their product (Rabin)

    2. Discrete Logarithm: it is easy to compute a power in a cyclic group, whereas it is hard to find the exponent

    3. Evaluation of the order of a group: it is possible and easy to define a finite group, whereas the computation of its order (number of its elements) may be hard

    4. Decoding Linear Codes: it is easy to encode and to corrupt the code word with noise, whereas it is hard to recover the code word

    7/39

    One-Way functions vs. Hard Problems - status

    Name             Hard Problem             Equivalent problem?
    Rabin            Factorisation            Solve equations over rings
    RSA              Order of a group         Factorisation?
    Diffie-Hellman   Diffie-Hellman problem   Discrete logarithm?
    El Gamal         Discrete logarithm
    McEliece         Decoding linear codes    Equivalent Goppa codes are difficult to decode?

    A question mark marks an equivalence that is conjectured, not proven.

    8/39

    Rabin: public key N = pq, message M

    Encryption

    $C = M^2 \bmod N$

    Decryption

    $M = C^{1/2} \bmod N$

    p, q prime numbers (Blum primes, $p \equiv q \equiv 3 \pmod 4$)

    M relatively prime with p, q

    Decryption is easy using the Chinese Remainder Theorem if p, q are known Blum primes, and is hard otherwise. Since C has four square roots modulo N, the message must carry some redundancy so that the receiver can recognise the right root.

    9/39

    Rabin - 2

    Decrypting is equivalent to solving

    $x^2 \equiv C \pmod{pq}$

    CRT requires solving two equations over fields

    $x^2 \equiv C \pmod p$ and $x^2 \equiv C \pmod q$

    If p and q are Blum primes then

    $x_p = C^{(p+1)/4} \bmod p$ ; $x_q = C^{(q+1)/4} \bmod q$

    solution modulo N = pq is obtained as a linear combination

    $x = g_1\, q\, C^{(p+1)/4} + g_2\, p\, C^{(q+1)/4} \pmod{pq}$

    where $g_1 q \equiv 1 \pmod p$ and $g_2 p \equiv 1 \pmod q$

    10/39

    Rabin - 3

    Cryptanalysis is equivalent to factoring:

    If an oracle can compute the four square roots then p is computed as the common factor between N = pq and $x_1 - x_3$

    $x_1 = g_1 q C^{(p+1)/4} + g_2 p C^{(q+1)/4} \pmod{pq}$

    $x_2 = -g_1 q C^{(p+1)/4} - g_2 p C^{(q+1)/4} \pmod{pq}$

    $x_3 = g_1 q C^{(p+1)/4} - g_2 p C^{(q+1)/4} \pmod{pq}$

    $x_4 = -g_1 q C^{(p+1)/4} + g_2 p C^{(q+1)/4} \pmod{pq}$

    $x_1 - x_3 = 2 g_2 p C^{(q+1)/4} \pmod{pq}$

    which is divisible by p but not by q (since $\gcd(C, N) = 1$ and $g_2 p \equiv 1 \pmod q$), so $\gcd(N, x_1 - x_3) = p$.
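The computation of slides 8-10, as an added worked example (not code from the original slides): Rabin encryption, the four CRT square roots, a redundancy-based choice among them, and the factoring of N from two roots that differ in the mod-q component. The Blum primes 10007 and 10039 and the message value are constructed toy parameters, far too small for real use.

```python
from math import gcd

# Added example: Rabin encryption, the four square roots of slides 9-10, and the
# factoring reduction of slide 10. Toy Blum primes, checked by trial division.

def is_prime_trial(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def rabin_keygen(p, q):
    """Public key N = pq; private key the Blum primes p, q (p = q = 3 mod 4)."""
    assert is_prime_trial(p) and is_prime_trial(q) and p != q
    assert p % 4 == 3 and q % 4 == 3, "square-root shortcut needs Blum primes"
    return p * q, (p, q)

def rabin_encrypt(N, M):
    assert 0 < M < N and gcd(M, N) == 1, "M must be invertible modulo N"
    return M * M % N

def rabin_square_roots(C, p, q):
    """All four x with x^2 = C (mod pq), combined from the roots mod p and mod q."""
    N = p * q
    xp = pow(C, (p + 1) // 4, p)          # x_p = C^((p+1)/4) mod p
    xq = pow(C, (q + 1) // 4, q)          # x_q = C^((q+1)/4) mod q
    g1 = pow(q, -1, p)                    # g1 q = 1 (mod p)
    g2 = pow(p, -1, q)                    # g2 p = 1 (mod q)
    A = g1 * q * xp % N                   # = x_p mod p, = 0 mod q
    B = g2 * p * xq % N                   # = 0 mod p, = x_q mod q
    x1, x2, x3, x4 = (A + B) % N, (-A - B) % N, (A - B) % N, (-A + B) % N
    assert all(x * x % N == C for x in (x1, x2, x3, x4))
    return [x1, x2, x3, x4]

def rabin_decrypt(C, p, q, accept):
    """Rabin is 4-to-1: return the roots that pass the receiver's redundancy check."""
    return [x for x in rabin_square_roots(C, p, q) if accept(x)]

def factor_from_roots(N, x1, x3):
    """x1 - x3 = 2 g2 p C^((q+1)/4) is a multiple of p but not of q, so the gcd reveals p."""
    f = gcd(N, (x1 - x3) % N)
    assert 1 < f < N
    return min(f, N // f), max(f, N // f)

if __name__ == "__main__":
    N, (p, q) = rabin_keygen(10007, 10039)      # constructed toy key, not a real size
    M = 123456
    C = rabin_encrypt(N, M)
    roots = rabin_square_roots(C, p, q)
    print("roots:", roots, "contains M:", M in roots)
    print("factors from x1 - x3:", factor_from_roots(N, roots[0], roots[2]))
```

The `accept` callback stands for whatever redundancy the protocol puts into M (a fixed trailer, repeated bits); without it the receiver cannot tell the true message from the other three roots, and an oracle that returns an arbitrary root is exactly what the factoring attack of slide 10 needs.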

    11/39

    RSA: public key [N, E], message M

    Let p, q be prime numbers and N = pq

    Encryption: $C = M^E \bmod N$

    Decryption: $M = C^D \bmod N$

    M relatively prime with p, q (this condition comes from the group-order argument; decryption in fact works for every M in $\mathbb{Z}_N$ because N is square-free)

    E relatively prime with the Euler totient function

    $\varphi(pq) = (p-1)(q-1)$

    and

    $DE \equiv 1 \pmod{\varphi(pq)}$

    12/39

    Diffie-Hellman

    Public parameters: $a \in \mathbb{Z}$, p prime

    Alice: Secret key X, Public Key $K_A = a^X \bmod p$

    Bob: Secret key Y, Public Key $K_B = a^Y \bmod p$

    Alice-Bob: Common key $K_{AB} = a^{XY} \bmod p$, computed by Alice as $K_B^X \bmod p$ and by Bob as $K_A^Y \bmod p$
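The exchange above with both sides computed, as an added example (not code from the original slides). It also adds the check a practitioner performs on the peer's public value before using it: with the constructed toy parameters p = 10007 (a safe prime, p = 2q + 1 with q = 5003) and a = 4, a generator of the order-q subgroup, a value such as p - 1 has order 2, and accepting it would confine the shared key to two possible values.

```python
# Added example: Diffie-Hellman mod p with public-key validation.
# Constructed toy parameters: safe prime p = 10007, q = 5003; a = 4 = 2^2 lies in the
# order-q subgroup. Real deployments use primes of 2048 bits or more.

def is_prime_trial(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

P = 10007
Q = (P - 1) // 2
assert is_prime_trial(P) and is_prime_trial(Q)
A = 4
assert A != 1 and pow(A, Q, P) == 1          # A has order exactly Q

def dh_public(x):
    """K = a^x mod p for secret exponent x."""
    return pow(A, x, P)

def validate_public(K):
    """Reject 0, 1, p-1 (orders 1 and 2) and anything outside the order-q subgroup."""
    return 1 < K < P - 1 and pow(K, Q, P) == 1

def dh_shared(peer_public, x):
    if not validate_public(peer_public):
        raise ValueError("invalid peer public key")
    return pow(peer_public, x, P)

def exchange(x, y):
    """Alice holds X = x, Bob holds Y = y; returns K_A, K_B and K_AB as each side derives it."""
    KA, KB = dh_public(x), dh_public(y)
    return KA, KB, dh_shared(KB, x), dh_shared(KA, y)

def small_subgroup_key(y):
    """What Bob would derive if he accepted K_A = p - 1 unchecked: only 1 or p - 1."""
    return pow(P - 1, y, P)

if __name__ == "__main__":
    KA, KB, kab_alice, kab_bob = exchange(1234, 5678)
    print("public keys:", KA, KB, "shared:", kab_alice, kab_alice == kab_bob)
    print("p-1 accepted?", validate_public(P - 1), "unchecked result:", small_subgroup_key(5678))
```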

    13/39

    McEliece

    G generator matrix of a linear code (n, k, 2t+1) allowing an algebraic decoding algorithm (G is n x k here: code words are G M for information words M of length k)

    [Goppa codes $(2^m, 2^m - mt, 2t+1)$ are good candidates]

    Bob: Secret Key (P, A, G)

    Public Key: a pair (t, Gp)

    where: Gp = P G A

    P is an n x n permutation matrix, A is a k x k nonsingular matrix

    14/39

    McEliece continuation

    Alice Encryption: E = Gp M + e

    where e is a random vector with at most t 1s

    Bob Decryption: E1 = P^T E = G A M + P^T e,

    where P^T e still has at most t ones, so the algebraic decoder removes it and returns the information word M1 = A M of the code word G A M

    [With Goppa codes the Berlekamp-Massey algorithm is used]

    Message recovering

    M = A^{-1} M1
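The construction of slides 13-14 carried through on a toy code, as an added example (not code from the original slides): the Hamming (7, 4, 3) code with t = 1 and syndrome decoding stands in for the Goppa code, and all matrices follow the slides' column convention (G is n x k, code word = G M). The generator and parity-check matrices are the standard systematic ones, constructed here; the test at the end shows that a second error, beyond what t allows, makes decryption return a wrong message.

```python
import random

# Added example: McEliece with the Hamming (7,4,3) code in place of a Goppa code.
# Arithmetic is over GF(2); lists of rows represent matrices, lists of bits vectors.

N, K, T = 7, 4, 1
G_ROWS = [[1, 0, 0, 0, 1, 1, 0],      # k x n systematic generator [I_k | P] (constructed)
          [0, 1, 0, 0, 1, 0, 1],
          [0, 0, 1, 0, 0, 1, 1],
          [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],           # (n-k) x n parity-check matrix [P^T | I]
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def transpose(A):
    return [list(col) for col in zip(*A)]

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def mat_vec(A, v):
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in A]

def vec_add(u, v):
    return [(a + b) % 2 for a, b in zip(u, v)]

def gf2_inverse(A):
    """Gauss-Jordan over GF(2); returns None when A is singular."""
    k = len(A)
    M = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(A)]
    for c in range(k):
        piv = next((r for r in range(c, k) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        for r in range(k):
            if r != c and M[r][c]:
                M[r] = vec_add(M[r], M[c])
    return [row[k:] for row in M]

G = transpose(G_ROWS)                  # n x k, the slides' convention

def hamming_decode(y):
    """Corrects at most one error: a nonzero syndrome H y equals the column of H at the error position."""
    s = mat_vec(H, y)
    if any(s):
        y = y[:]
        y[transpose(H).index(s)] ^= 1
    return y

def keygen(seed=None):
    """Secret key (P, A, G), public key (t, Gp = P G A)."""
    rng = random.Random(seed)
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    while True:
        A = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        if gf2_inverse(A) is not None:
            break
    return (T, mat_mul(mat_mul(P, G), A)), (P, A)

def encrypt(pub, m, e):
    """E = Gp m + e, with at most t ones in e."""
    t, Gp = pub
    assert sum(e) <= t, "error vector must have at most t ones"
    return vec_add(mat_vec(Gp, m), e)

def decrypt(priv, E):
    P, A = priv
    E1 = mat_vec(transpose(P), E)      # P^T E = G A m + P^T e; the permuted error keeps weight <= t
    c = hamming_decode(E1)             # the code word G (A m)
    M1 = c[:K]                         # systematic code: the first k symbols are A m
    return mat_vec(gf2_inverse(A), M1)

if __name__ == "__main__":
    pub, priv = keygen(seed=7)
    m, e = [1, 0, 1, 1], [0, 0, 0, 0, 1, 0, 0]
    print(decrypt(priv, encrypt(pub, m, e)) == m)
```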

    15/39

    Complexity

    An axiomatic measure of complexity is missing

    Problem size is defined to be n, where n may be the

    number of variables
    number of equations
    number of bits for representing a parameter

    A practical measure of complexity is a function f(n)

    A problem is considered hard if $f(n) = e^{a_0 n}$ (exponential in n)

    A problem is considered easy if $f(n) = e^{b_0 \log(n)} = n^{b_0}$ (polynomial in n)

    Frequently $f(n) = e^{g(n)}$ with $g(n) = [\log(n)]^{1/2}$ or $g(n) = n^{1/3} [\log(n)]^{1/3}$ (subexponential, between the two cases above)

    16/39

    Chinese Remainder Theorem

    Let $N = m_1 m_2 \cdots m_r$ be a product of r positive integers $m_i$ which are pairwise relatively prime

    Given a non-negative integer a smaller than N, the r remainders $a_i = a \bmod m_i$ can be computed easily

    The Chinese remainder theorem solves the problem of computing a given the r remainders $a_i$:

    $a = \sum_{i=1}^{r} a_i\, g_i \prod_{j \ne i} m_j \pmod N$

    where $g_i$ is a solution of $g_i \prod_{j \ne i} m_j \equiv 1 \pmod{m_i}$

    17/39

    Chinese Remainder Theorem Properties

    Let $a = (a_1, a_2, \ldots, a_r)$ and $b = (b_1, b_2, \ldots, b_r)$ be two numbers in $\mathbb{Z}_N$ decomposed according to CRT. Then

    $ab = (a_1 b_1, a_2 b_2, \ldots, a_r b_r)$

    $a + b = (a_1 + b_1, a_2 + b_2, \ldots, a_r + b_r)$

    $a^n = (a_1^n, a_2^n, \ldots, a_r^n)$

    where the operations $a_i b_i$, $a_i + b_i$ and $a_i^n$ are performed modulo $m_i$. In general CRT reduces the complexity since the operations are performed in domains of smaller cardinality.
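The reconstruction formula of slide 16 for r moduli and the componentwise arithmetic of slide 17, as an added example (not code from the original slides). The moduli 3, 5, 7 and the values are constructed; each componentwise result is checked against direct computation modulo N, which is the property that lets RSA and Rabin implementations work modulo p and q separately.

```python
from math import gcd, prod

# Added example: CRT split/combine for r pairwise coprime moduli, and the
# componentwise product and power of slide 17 compared with direct arithmetic mod N.

def crt_split(a, moduli):
    """a -> (a_1, ..., a_r) with a_i = a mod m_i."""
    return [a % m for m in moduli]

def crt_combine(residues, moduli):
    """a = sum_i a_i g_i (N/m_i) mod N, where g_i (N/m_i) = 1 (mod m_i)."""
    assert all(gcd(mi, mj) == 1 for i, mi in enumerate(moduli) for mj in moduli[i + 1:])
    N = prod(moduli)
    a = 0
    for ai, mi in zip(residues, moduli):
        Mi = N // mi                  # product of the other moduli
        gi = pow(Mi, -1, mi)          # g_i solves g_i * Mi = 1 (mod m_i)
        a += ai * gi * Mi
    return a % N

def crt_mul(a, b, moduli):
    """a b mod N computed as (a_i b_i mod m_i) and recombined."""
    comps = [ai * bi % mi for ai, bi, mi in zip(crt_split(a, moduli), crt_split(b, moduli), moduli)]
    return crt_combine(comps, moduli)

def crt_pow(a, n, moduli):
    """a^n mod N computed as (a_i^n mod m_i) and recombined."""
    comps = [pow(ai, n, mi) for ai, mi in zip(crt_split(a, moduli), moduli)]
    return crt_combine(comps, moduli)

if __name__ == "__main__":
    moduli = [3, 5, 7]                                   # constructed example, N = 105
    print(crt_combine([2, 3, 2], moduli))                # x = 2 (mod 3), 3 (mod 5), 2 (mod 7)
    print(crt_pow(23, 5, moduli), pow(23, 5, 105))       # both 53
```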

    18/39

    Electronic Signature

    based on reverse use of a ONE-WAY function

    consists in a pair of numbers

    S: plain signature encoded as an integer

    ES: electronic signature, computed from S using a one-way function; has the significance of an authentication mark.

    19/39

    Electronic Signature

    Standard procedure to sign Bob's message M electronically:

    1. A public key directory contains PK, the public key of signatory Bob

    2. Bob computes a Digest from M using a hash function (one-way function)

    3. Bob forms his signature by juxtaposing S = Name|Date|Digest|Random

    4. Bob computes the electronic signature ES by encrypting S with his private key PVK

    5. Bob's electronic signature (S, ES) is verified using Bob's public key PK: the verifier recovers S from ES with PK, checks that it equals the transmitted S, and recomputes the Digest of M to check that it equals the Digest field inside S (without the last check the signature would not be bound to M).
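RSA as defined on slide 11 and the five-step signing procedure above, as one added example (not code from the original slides). Key generation uses Miller-Rabin primality testing; the field separator, the byte encoding of S, the SHA-256 digest, the names and dates are assumptions made here. This is textbook RSA exactly as on the slides: no padding, so encryption is deterministic and the signature is malleable in ways that padded schemes (OAEP, PSS) prevent.

```python
import hashlib
import random
from math import gcd

# Added example: textbook RSA (slide 11) and the signing procedure of slide 19,
# S = Name|Date|Digest|Random, ES = S^D mod N, verified with the public key.

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin: composites are rejected with certainty, primes accepted with error <= 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force the size and oddness
        if is_probable_prime(c, rng):
            return c

def rsa_keygen(bits=1024, E=65537, seed=None):
    """PK = (N, E), PVK = (N, D) with D E = 1 mod phi(N); a seed gives reproducible demo keys only."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(E, phi) == 1:
            break
    return (p * q, E), (p * q, pow(E, -1, phi))

def rsa_encrypt(pk, M):
    N, E = pk
    assert 0 <= M < N
    return pow(M, E, N)

def rsa_decrypt(pvk, C):
    N, D = pvk
    return pow(C, D, N)

def sign(pvk, name, date, message, seed=None):
    """Steps 2-4: Digest of M, S = Name|Date|Digest|Random (assumed '|'-separated bytes), ES = S^D mod N."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    digest = hashlib.sha256(message).hexdigest().encode()
    nonce = rng.getrandbits(64).to_bytes(8, "big").hex().encode()
    S = b"|".join([name, date, digest, nonce])
    S_int = int.from_bytes(S, "big")
    assert S_int < pvk[0], "S must be smaller than N"
    return S, pow(S_int, pvk[1], pvk[0])

def verify(pk, message, S, ES):
    """Step 5: ES^E mod N must equal S, and the Digest field of S must match the message."""
    N, E = pk
    if pow(ES, E, N) != int.from_bytes(S, "big"):
        return False
    fields = S.split(b"|")
    return len(fields) == 4 and fields[2] == hashlib.sha256(message).hexdigest().encode()

if __name__ == "__main__":
    pk, pvk = rsa_keygen(seed=2010)
    print(rsa_decrypt(pvk, rsa_encrypt(pk, 42)))
    S, ES = sign(pvk, b"Bob", b"2010-11-08", b"pay 100 to Alice", seed=1)
    print(verify(pk, b"pay 100 to Alice", S, ES), verify(pk, b"pay 900 to Alice", S, ES))
```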

    21/39

    El Gamal signature: public key [p, g, k], message M

    secret signing key u, where $k = g^u \bmod p$; per-signature random m with $\gcd(m, p-1) = 1$

    signature (M, a, b)

    where $a = g^m \bmod p$

    b solution of $b m + a u \equiv M \pmod{p-1}$

    m must be fresh and secret for every signature: two signatures made with the same m reveal u.

    22/39

    El Gamal signature: public key [p, g, k]

    signature (M, a, b)

    verification

    $g^M \stackrel{?}{=} a^b k^a \pmod p$

    which holds for a genuine signature since $a^b k^a = g^{bm} g^{au} = g^{bm + au} = g^M$. The verifier must also check $0 < a < p$.
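Signing and verification as on slides 21-22, as an added example (not code from the original slides), with the failure mode named on slide 21 carried through: two signatures made with the same m have the same a, and from them anyone recovers u. The toy prime p = 10007, the generator search, the SHA-256 reduction of the message into the exponent range and the secret values are constructed here.

```python
import hashlib
from math import gcd

# Added example: El Gamal signature with constructed toy parameters (p = 10007, a safe
# prime with p - 1 = 2 * 5003) and recovery of u from two signatures that reuse m.

P = 10007
Q = (P - 1) // 2
assert all(P % d for d in range(2, int(P ** 0.5) + 1))
assert all(Q % d for d in range(2, int(Q ** 0.5) + 1))

def find_generator(p, q):
    """With p - 1 = 2q, g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p)."""
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)

G = find_generator(P, Q)

def message_int(message):
    """Sign a digest of the message, reduced into the exponent range [0, p - 1)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (P - 1)

def keygen(u):
    return pow(G, u, P)                          # public k = g^u mod p

def sign(u, message, m):
    """a = g^m mod p, b = (M - a u) m^-1 mod (p - 1); m must be fresh, secret and coprime to p - 1."""
    assert 0 < m < P - 1 and gcd(m, P - 1) == 1
    M = message_int(message)
    a = pow(G, m, P)
    b = (M - a * u) * pow(m, -1, P - 1) % (P - 1)
    return a, b

def verify(k, message, sig):
    a, b = sig
    if not 0 < a < P:                            # range check; without it forgeries are possible
        return False
    M = message_int(message)
    return pow(G, M, P) == pow(a, b, P) * pow(k, a, P) % P

def solve_linear(A, B, n):
    """All x in [0, n) with A x = B (mod n)."""
    d = gcd(A, n)
    if B % d:
        return []
    x0 = (B // d) * pow(A // d, -1, n // d) % (n // d)
    return [x0 + i * (n // d) for i in range(d)]

def recover_secret(k, msg1, sig1, msg2, sig2):
    """Same m on two messages: (b1 - b2) m = M1 - M2, then a u = M1 - b1 m (mod p - 1)."""
    (a, b1), (a2, b2) = sig1, sig2
    assert a == a2, "nonce reuse shows up as an identical a"
    M1, M2 = message_int(msg1), message_int(msg2)
    for m in solve_linear(b1 - b2, M1 - M2, P - 1):
        if pow(G, m, P) != a:
            continue
        for u in solve_linear(a, M1 - b1 * m, P - 1):
            if pow(G, u, P) == k:
                return u
    return None

if __name__ == "__main__":
    u = 1234
    k = keygen(u)
    s1 = sign(u, b"order 1", 777)
    s2 = sign(u, b"order 2", 777)                # same m reused: fatal
    print(verify(k, b"order 1", s1), verify(k, b"order 2", s2))
    print("recovered u:", recover_secret(k, b"order 1", s1, b"order 2", s2))
```

`solve_linear` returns every solution of a linear congruence because b1 - b2 need not be invertible modulo p - 1; the candidates are filtered with the public values a and k, which is exactly the information an attacker holds.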

    23/39

    Digital Signature

    Two main scopes:

    certify the authenticity of a public or secret message
    avoid repudiation

    Uses

    electronic locking/unlocking of doors
    electronic orders and payments
    network or physical access

    Algorithms

    RSA
    Rabin
    El Gamal

    24/39

    Elliptic curves

    Elliptic curves are algebraic curves endowed with a group structure that was discovered by Giulio Fagnano de Toschi in the eighteenth century.

    Given two points P and Q on an elliptic curve E, a third point R on E is defined as the sum

    R = P + Q

    This property was exploited by Euler in his development of the elliptic integral theory.

    In cryptography, elliptic curves are used as a rich source of Abelian groups

    25/39

    Elliptic curves

    The set of points of an elliptic curve E with coordinates in a finite field, together with the point at infinity O, forms an Abelian group under point addition.

    Given P on E and an integer m, the point mP is defined as mP = P + P + ... + P (m times)

    The set of points mP forms a cyclic group where the discrete logarithm problem is hard:

    It is easy to compute Q = mP

    It is hard to compute m from Q given P

    26/39

    Elliptic curve over a finite field $GF(p^m)$

    An elliptic curve E consists of the point at infinity O and the set of points P = (x, y) whose coordinates satisfy

    $Y^2 = X^3 + a_4 X + a_6$

    where $a_4$, $a_6$, X and Y belong to $GF(p^m)$. (This short form is valid for characteristic p > 3; the curve equation used over $GF(2^m)$ is given later.)

    Hasse's theorem asserts that the number of points #E on E with coordinates in $GF(p^m)$ satisfies the inequality

    $p^m + 1 - 2\sqrt{p^m} \le \#E \le p^m + 1 + 2\sqrt{p^m}$

    27/39

    In E an addition of points is defined as

    28/39

    The set E is a group for point addition

    Given $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ the sum is the point $P_3 = (x_3, y_3)$, written

    $P_3 = P_1 + P_2$

    Addition is

    - Commutative and Associative.

    - A point O exists which has the role of group identity: P = P + O

    30/39

    Addition formulas over $GF(2^m)$: Non-Supersingular Curves

    Curve: $y^2 + xy = x^3 + a_2 x^2 + a_6$

    If $P \ne Q$, with $P = (x_1, y_1)$ and $Q = (x_2, y_2)$:

    $\lambda = \frac{y_1 + y_2}{x_1 + x_2}$, $\quad x_3 = \lambda^2 + \lambda + x_1 + x_2 + a_2$, $\quad y_3 = \lambda (x_1 + x_3) + x_3 + y_1$

    If $P = Q$:

    $\lambda = x_1 + \frac{y_1}{x_1}$, $\quad x_3 = \lambda^2 + \lambda + a_2 = x_1^2 + \frac{a_6}{x_1^2}$, $\quad y_3 = x_1^2 + (\lambda + 1) x_3$

    32/39

    Group structure of E over $GF(p^m)$

    Theorem 1 (Hasse)

    $\#E = p^m + 1 - t$, with $|t| \le 2\sqrt{p^m}$

    Theorem 2

    Let E be an elliptic curve defined over $GF(p^m)$, where p is a prime. Then there exist integers n and k such that E is isomorphic to $\mathbb{Z}_n \times \mathbb{Z}_k$. Further $k \mid n$ and $k \mid (p^m - 1)$.

    $\mathbb{Z}_n$ denotes a cyclic group of order n

    33/39

    ECC - Elliptic Curve Crypto-system

    EC are used as a rich source of cyclic groups where the discrete logarithm problem is hard.

    EC are used to define a Diffie-Hellman public key scheme as follows:

    Let P be a public fixed point of an elliptic curve E (in practice a point of large prime order)

    Let A = xP and x be Alice's public and secret keys, respectively

    Let B = yP and y be Bob's public and secret keys, respectively

    The common secret key is K = xyP, computed by Alice as xB and by Bob as yA
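The EC Diffie-Hellman exchange above, together with the point arithmetic and the Hasse bound of slides 26 and 32, as one added example (not code from the original slides). It uses affine chord-and-tangent formulas over a prime field, which the slides state only for GF(2^m); the toy curve y^2 = x^3 + 2x + 2 over GF(17), whose 19 points are counted exhaustively, and the base point (5, 1) are constructed here. Before using a peer's point each side checks that it is a finite point on this curve with nP = O, the check that defeats invalid-curve inputs.

```python
# Added example: short-Weierstrass curve over GF(p), p > 3, with exhaustive point
# counting checked against Hasse's bound, and ECDH with peer-point validation.

class Curve:
    def __init__(self, p, a4, a6):
        assert p > 3 and (4 * a4 ** 3 + 27 * a6 ** 2) % p != 0, "singular curve"
        self.p, self.a4, self.a6 = p, a4, a6

    def on_curve(self, P):
        if P is None:                            # None represents the identity O
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a4 * x + self.a6)) % self.p == 0

    def add(self, P, Q):
        """Chord-and-tangent addition in affine coordinates."""
        if P is None:
            return Q
        if Q is None:
            return P
        p = self.p
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P, including doubling a point with y = 0
            return None
        if P == Q:
            lam = (3 * x1 * x1 + self.a4) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, m, P):
        """mP by double-and-add (not constant-time: a demo, not key material)."""
        R = None
        while m > 0:
            if m & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            m >>= 1
        return R

    def order(self):
        """#E by exhaustive count: O plus, for each x, the number of y with y^2 = x^3 + a4 x + a6."""
        p = self.p
        roots = {}
        for y in range(p):
            roots.setdefault(y * y % p, []).append(y)
        return 1 + sum(len(roots.get((x ** 3 + self.a4 * x + self.a6) % p, [])) for x in range(p))

def hasse_bound_holds(E):
    """(#E - (p + 1))^2 <= 4p, i.e. |t| <= 2 sqrt(p)."""
    return (E.order() - (E.p + 1)) ** 2 <= 4 * E.p

def validate_point(E, Q, n):
    """A peer's public key must be a finite point on this curve whose order divides n."""
    return Q is not None and E.on_curve(Q) and E.mul(n, Q) is None

def ecdh(E, P, n, x, y):
    """Alice: A = xP, Bob: B = yP; after validating the peer's point both derive K = xyP."""
    A, B = E.mul(x, P), E.mul(y, P)
    assert validate_point(E, B, n) and validate_point(E, A, n)
    KA, KB = E.mul(x, B), E.mul(y, A)
    assert KA == KB
    return KA

if __name__ == "__main__":
    E = Curve(17, 2, 2)                          # constructed toy curve
    n = E.order()
    print("#E =", n, "Hasse ok:", hasse_bound_holds(E), "nP = O:", E.mul(n, (5, 1)) is None)
    print("shared key:", ecdh(E, (5, 1), n, 3, 7))
```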

    34/39

    Factorization

    Gauss recognized that factorization is an important, though difficult, problem in arithmetic

    Fermat observed that $2^{2^n} + 1$ is prime for n = 0, 1, 2, 3, 4 and guessed that it was prime for every n. At present, a more likely guess would be that no Fermat number is prime for n greater than 4.

    RSA renewed the challenge to factor large numbers and inspired the development of recent factorization methods.

    35/39

    In 1977 Martin Gardner in Scientific American proposed cryptanalysing a message encoded with the RSA algorithm using a 129 digit number, product of two primes (Rivest).

    In 1994 the number was factored into two primes of 64 and 65 digits and the message was decrypted:

    The magic words are squeamish ossifrage

    37/39

    A millennial evolution has shown that cryptography is a science rather than an art.

    Today, the prophetic words of Adrian A. Albert at the opening of the 382nd Congress of the American Mathematical Society in 1939 are fully meaningful:

    We shall see that cryptography is more than a subject permitting mathematical formulation, for indeed it would not be an exaggeration to state that abstract cryptography is identical with abstract mathematics.
