Lecture 6 Public Key Cryptosystems & Digital Signatures --- New era of secure communications ---


(C) CPE5002 Semester 2 - 2001 2

Outline

- Why public key cryptography?
- general principles of public key cryptography
- the RSA public key cryptosystem
- examples of RSA

Private key cipher

[Figure: private key cipher. Labels: Alice, Bob, Secret Key (one each), Plain Text, E, Cipher Text, Network or Storage, Cipher Text, D, Original Plain Text.]

Problems with private key ciphers

- In order for Alice & Bob to be able to communicate securely using a private key cipher, such as DES, they have to have a shared key in the first place.
- Question:
  - What if they have never met before?
  - Alice needs to keep 100 different keys if she wishes to communicate with 100 different people

A question

- Consider a group of n people, each wishing to communicate securely with all other members in the group, by using a private key cipher, say DES.
  - How many different secret keys does each member of the group have to keep?
  - What’s the total number of different secret keys that have to be kept by all members of the group?

Motivation of Diffie & Hellman

- Is it possible for Alice & Bob, who have no shared secret key, to communicate securely?
- This led to the SINGLE MOST IMPORTANT discovery in the history of secure communications:
  - W. Diffie & M. Hellman: New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. IT-22, No. 6, Nov. 1976, pp. 644-654.

Main ideas

- Bob:
  - publishes, say in Yellow/White pages, his
    - public (encryption) key, and
    - encryption algorithm.
  - keeps to himself the matching secret (decryption) key.

Main ideas (2)

- Alice:
  - Looks up the phone book, and finds out Bob’s
    - public (encryption) key, and
    - encryption algorithm.
  - Encrypts a message using Bob’s public key and encryption algorithm.
  - Sends the ciphertext to Bob.

Main ideas (3)

- Bob:
  - Receives the ciphertext from Alice
  - Decrypts the ciphertext using his secret decryption key, together with the decryption algorithm

Public Key Cryptosystem

[Figure: public key cryptosystem. Labels: Alice, Plain Text, E, Cipher Text, Network, Cipher Text, D, Plain Text, Bob, Secret Key, Public Key Directory (Yellow/White Pages) with an entry "Bob:".]

Main differences with DES

- The public encryption key is different from the secret decryption key.
- Infeasible for an attacker to find out the secret decryption key from the public encryption key.
- No need for Alice & Bob to distribute a shared secret key beforehand!
- Only one pair of public and secret keys is required for each user!

Realising public key ciphers

- The most famous system that implements Diffie & Hellman’s ideas on public key ciphers is due to
  - Ronald Rivest
  - Adi Shamir
  - Leonard Adleman
- This concrete public key cryptosystem is called RSA.

Prime & composite

- Prime and composite numbers
  - a prime number is an integer that can be divided only by 1 and itself
    - E.g. 2, 3, 5, 7, 11, 13, 101, 103, ......
  - all other integers are composite
    - E.g. 4, 6, 8, 9, 10, 12, 523743960876432, 800164386535

Modular operations

- “remainder”
  - 13 = 3 (mod 5), 1 = 1 (mod 7)
  - 20 = 0 (mod 5), 32 = 4 (mod 7)
- modular exponentiation
  - 2^2 = 1 (mod 3), 3^2 = 0 (mod 3)
  - 2^2 = 4 (mod 5), 10^2 = 8 (mod 92)
  - 4^6 = 6 (mod 10), 3^11 = 7 (mod 10)

RSA Public Key Cryptosystem

[Figure: RSA public key cryptosystem. Alice computes c = m^e mod n from the plain text; the cipher text crosses the network; Bob computes m = c^d mod n to recover the plain text. Public Key Directory (Yellow/White Pages) entry: "Bob: (e, n)". Public key: e & n; secret key: d.]

RSA (1)

- Bob:
  - chooses 2 large primes (each at least 100 digits): p, q
  - multiplies p and q: n = p*q
  - finds out two numbers e & d such that e * d = 1 (mod (p-1)(q-1))
  - public key (published in the phone book)
    - 2 numbers: (e, n)
    - encryption alg: modular exponentiation
  - secret key: d

RSA (2)

- Alice has a message m to be sent to Bob:
  - finds out Bob’s public encryption key (e, n)
  - calculates c = m^e (mod n)
  - sends the ciphertext c to Bob

RSA (3)

- Bob:
  - receives the ciphertext c from Alice
  - uses his matching secret decryption key d to calculate m = c^d (mod n)

RSA --- 1st small example (1)

- Bob:
  - chooses 2 primes: p=5, q=11
  - multiplies p and q: n = p*q = 55
  - finds out two numbers e=3 & d=27 which satisfy 3 * 27 = 1 (mod 40)
  - Bob’s public key
    - 2 numbers: (3, 55)
    - encryption alg: modular exponentiation
  - secret key: 27

RSA --- 1st small example (2)

- Alice has a message m=13 to be sent to Bob:
  - finds out Bob’s public encryption key (3, 55)
  - calculates c = m^e (mod n) = 13^3 (mod 55) = 2197 (mod 55) = 52
  - sends the ciphertext c=52 to Bob

RSA --- 1st small example (3)

- Bob:
  - receives the ciphertext c=52 from Alice
  - uses his matching secret decryption key 27 to calculate m = 52^27 (mod 55) = 13 (Alice’s message)

RSA --- 2nd small example (1)

- Bob:
  - chooses 2 primes: p=101, q=113
  - multiplies p and q: n = p*q = 11413
  - finds out two numbers e=3533 & d=6597 which satisfy 3533 * 6597 = 1 (mod 11200)
  - Bob’s public key
    - 2 numbers: (3533, 11413)
    - encryption alg: modular exponentiation
  - secret key: 6597

RSA --- 2nd small example (2)

- Alice has a message m=9726 to be sent to Bob:
  - finds out Bob’s public encryption key (3533, 11413)
  - calculates c = m^e (mod n) = 9726^3533 (mod 11413) = 5761
  - sends the ciphertext c=5761 to Bob

RSA --- 2nd small example (3)

- Bob:
  - receives the ciphertext c=5761 from Alice
  - uses his matching secret decryption key 6597 to calculate m = c^d (mod n) = 5761^6597 (mod 11413) = 9726 (Alice’s message)

Remarks on RSA

- The message m has to be an integer in the range [1, n].
- To encrypt long messages we can use modes of operation as for private key ciphers, or a hybrid cryptosystem (see later).

Why RSA is Secure

- Attack Scenario:
  - Marvin wants to read Alice’s private message (m) intended to be read only by Bob.
  - However, Alice used RSA to encrypt m using Bob’s public key (e, n), into the ciphertext c = m^e (mod n).
  - Marvin is a determined attacker and managed to intercept the ciphertext c on its way from Alice’s to Bob’s computer.
  - Marvin also looked up Bob’s public key (e, n) to help him in his attack.

Why RSA is Secure

- Marvin now has (c, e, n) and wants to find out m. How can Marvin proceed to find m?
- Approach 1: If Marvin could also find out Bob’s secret key d, he could decrypt c into m in the same way as Bob does.
  - Suppose Bob guards his secret key d very well, what can Marvin do then?
- Approach 2: Marvin knows that c = m^e (mod n). He knows that m is a number between 0 and n-1. So he could use exhaustive search through all n possible messages m. But if n is large this takes a long time!
  - Exercise: If m is known to be one of X possible messages, how long does this attack take? (Assume it takes time T to encrypt m into c)

Why RSA is Secure

- Marvin’s Attack options (cont):
  - Approach 3: Marvin can try to compute Bob’s secret key d from (e, n) and then use Approach 1.
    - Remember that e * d = 1 (mod (p-1)(q-1))
    - Marvin found in a ‘Number Theory’ book a very fast algorithm called EUCLID to solve the following problem: Given two numbers (r, s), the algorithm outputs a number x such that r * x = 1 (mod s).
    - Exercise: Explain how Marvin can use algorithm EUCLID to find Bob’s secret key d very quickly from (e, n) once he manages to ‘factorize’ n = p*q into the prime factors p and q.

Why RSA is Secure

- Approach 3 is the most efficient known method Marvin can use to attack RSA!
- The time taken for Marvin to execute the attack in Approach 3 is essentially the time to factorize n=p*q into the prime factors p and q.
- Therefore, we say that RSA is based on the factorization problem:
  - While it is easy to multiply large primes together, it is computationally infeasible to factorize or split a large composite into its prime factors!!
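
Approach 2 and Approach 3 run against the key of the 2nd small example, as an added example that is not part of the original lecture. Trial division stands in for the factoring step (feasible only because n = 11413 is tiny); the function names and the candidate range 9000-9999 are assumptions made for the demonstration.

```python
from math import isqrt

# Values from the lecture's 2nd small example.
E, N = 3533, 11413   # Bob's public key (e, n)
C = 5761             # ciphertext intercepted by Marvin


def euclid(r, s):
    """Return x with r * x = 1 (mod s), the job the lecture gives to EUCLID.

    Implemented with the extended Euclidean algorithm.
    """
    old_r, cur_r = r % s, s
    old_x, cur_x = 1, 0
    while cur_r:
        q = old_r // cur_r
        old_r, cur_r = cur_r, old_r - q * cur_r
        old_x, cur_x = cur_x, old_x - q * cur_x
    if old_r != 1:
        raise ValueError("r has no inverse modulo s")
    return old_x % s


def factor_semiprime(n):
    """Split n = p*q by trial division. Only workable for a toy modulus."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def approach3(c, e, n):
    """Factor n, rebuild d with EUCLID, then decrypt exactly as Bob would."""
    p, q = factor_semiprime(n)
    d = euclid(e, (p - 1) * (q - 1))
    return d, pow(c, d, n)


def approach2(c, e, n, candidates):
    """Encrypt each candidate message and compare with c.

    Returns (message, encryptions used). Worst case is X encryptions for X
    candidates, i.e. time X * T, and that cost depends on X, not on the size
    of n, because the lecture's RSA encryption is deterministic.
    """
    tries = 0
    for m in candidates:
        tries += 1
        if pow(m, e, n) == c:
            return m, tries
    return None, tries


if __name__ == "__main__":
    print("factors of n:", factor_semiprime(N))
    print("recovered d and m:", approach3(C, E, N))
    # Constructed scenario: Marvin knows m lies between 9000 and 9999.
    print("guessing attack:", approach2(C, E, N, range(9000, 10000)))
```

The second function shows why the message space matters as much as the key length: with a large n but only X plausible messages, the guessing attack still costs at most X encryptions.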

Why RSA is Secure

- The current state of the art in factorization:
  - Largest RSA number factored so far: 155 decimal digits, as at August 1999
  - It took several months of computing time on many computers around the world
  - Exercise: How long was the binary representation of the above number (bit length)? (hint: log_2(10) = 3.32 approximately)
- The length of n in an RSA key should therefore be sufficiently longer than 155 decimal digits to be secure against attackers with access to many fast computers.

Why RSA is Secure

- How many digits should n have to be secure?
  - Approximate Factoring Time: For the fastest known factoring algorithm (‘Number Field Sieve’):
    - If it takes time T to factorize a number of length |n| digits (or bits),
    - Then it takes time M(k) * T to factorize a number of length k * |n| digits (bits), where (with |n| in bits):

$$M(k) = 2^{\,1.923\,|n|^{1/3}\left[k^{1/3}\left(\log_2(k|n|/1.44)\right)^{2/3} - \left(\log_2(|n|/1.44)\right)^{2/3}\right]}$$

  - Assuming it takes T = 1 day to factorize |n| of length 155 decimal digits, it would take:
    - M(2)*T = 2^22 days = 20,000 years to factor n of length |n| = 2*155 = 310 digits
    - M(3)*T = 2^39 days = 2 billion (!!) years to factor n of length |n| = 3*155 = 465 digits…

Why RSA is Secure

- Therefore, when both p and q in RSA are of at least 155 digits, the product n=p*q is 310 digits.
- Then no one can factorize n in less time than a few thousand years, not even Marvin!!
- Thus the only person who can extract the plaintext m from the ciphertext c is Bob, as only he knows the secret decryption key d!

Marvin’s New Attack Idea

- Instead of just eavesdropping, Marvin can try a more active attack!
- Outline of the New Attack:
  - Marvin generates an RSA key pair
    - Public key = Kpub_* = (N_*, e_*)
    - Secret key = Ksec_* = d_*
  - Marvin sends the following email to Alice, pretending to be Bob:
    - Hi Alice,
      Please use my new public key from now on to encrypt messages to me. My new public key is Kpub_*.
      Yours sincerely, Bob.
  - Marvin decrypts any messages Alice sends to Bob (encrypted with Kpub_*), using Ksec_*.

Preventing Marvin’s Active Attack

- The active attack works because:
  - Alice was tricked by Marvin into encrypting a message intended for Bob using a “fake” public key which is NOT Bob’s public key (in fact it was Marvin’s).
- To prevent the attack:
  - Before Alice encrypts a message for Bob, she must make sure she has Bob’s CORRECT public key (and not a fake one).
  - Alice needs a way of testing the truth of any “Bob’s key message” informing Alice of Bob’s Public Key.
  - No one besides Bob should be able to produce such a message so that it will pass Alice’s Test.

Preventing Marvin’s Active Attack (2)

- This is a setting where Alice and Bob have a message integrity security requirement!
  - I.e. Alice and Bob want to prevent fabrication and/or modification of a “Bob’s key message” (a message informing Alice of Bob’s public key) by unauthorised parties (like Marvin).
- The main cryptographic tool used to achieve message integrity is “Digital Signatures”.
- In a later lecture (after we have covered “Digital Signatures”), we will come back to this topic and see how Digital Signatures can be used to prevent Marvin’s Attack!

Private key ciphers

- Good points
  - inexpensive to use
  - fast
  - low cost VLSI chips available
- Bad points
  - key distribution is a problem

Public key ciphers

- Good points
  - key distribution is NOT a problem
- Bad points
  - relatively expensive to use
  - relatively slow
  - VLSI chips not available or relatively high cost

Combining 2 types of ciphers

- In practice, we
  - use a public key cipher (such as RSA) to distribute keys
  - use a private key cipher (such as DES) to encrypt and decrypt messages

The need of digital signature

- social & business activities and their associated documents are becoming digital
  - digital conferences
  - digital contract signing
  - digital cash payments, ......
- hand-written signatures are not applicable to digital data

Digital Signature (based on RSA)

[Figure: digital signature based on RSA. Labels: Bob, Plain Text, D, Secret Key, Signature, "+", Network, Cathy, Plain Text, Signature, E, Public Key, "Accept if equal?", Public Key Directory (Yellow/White Pages) with an entry "Bob:".]

Digital Signature (for short doc)

[Figure: digital signature for a short document. Bob computes s = m^d mod n with his secret key d and sends the plain text plus signature over the network; Cathy computes t = s^e mod n with Bob's public key (e, n) from the Public Key Directory (Yellow/White Pages) and accepts if equal.]

RSA signature --- an eg (1)

- Bob:
  - chooses 2 primes: p=5, q=11
  - multiplies p and q: n = p*q = 55
  - finds out two numbers e=3 & d=27 which satisfy 3 * 27 = 1 (mod 40)
  - Bob’s public key
    - 2 numbers: (3, 55)
    - encryption alg: modular exponentiation
  - secret key: 27

RSA signature --- an eg (2)

- Bob has a document m=19 to sign:
  - uses his secret key d=27 to calculate the digital signature of m=19: s = m^d (mod n) = 19^27 (mod 55) = 24
  - appends 24 to 19. Now (m, s) = (19, 24) indicates that the doc is 19, and Bob’s signature on the doc is 24.

RSA signature --- an eg. (3)

- Cathy, a verifier:
  - receives a pair (m, s) = (19, 24)
  - looks up the phone book and finds out Bob’s public key (e, n) = (3, 55)
  - calculates t = s^e (mod n) = 24^3 (mod 55) = 19
  - checks whether t = m
  - confirms that (19, 24) is a genuinely signed document of Bob if t = m.

How about long documents?

- In the previous example, a document has to be an integer in [0,...,n]
- to sign a very long document, we need a so called one-way hash algorithm
- instead of signing directly on a doc, we hash the doc first, and sign the hashed data which is normally short.

One-Way Hash Algorithm

- A one-way hash algorithm hashes an input document into a condensed short output (say of 100 bits)
  - Denoting a one-way hash algorithm by H(.), we have:
    - Input: m - a binary string of any length
    - Output: H(m) - a binary string of L bits, called the “hash of m under H”.
  - The output length parameter L is fixed for a given one-way hash function H, e.g.
    - The one-way hash function “MD5” has L = 128 bits
    - The one-way hash function “SHA-1” has L = 160 bits

One-Way Hash Algorithm

[Figure: a document (of any length) is hashed into a condensed short output, say of 100 bits.]

Properties of One-Way Hash Algorithm

- A good one-way hash algorithm H needs to have these properties:
  1. Easy to Evaluate:
     - The hashing algorithm should be fast
     - I.e. given any document m, the hashed value h = H(m) can be computed quickly.
  2. Hard to Reverse:
     - There is no feasible algorithm to “reverse” a hashed value,
     - I.e. given any hashed value h, it is computationally infeasible to find any document m such that H(m) = h.
     - NOTE: An algorithm is called ‘One-Way’ if it has BOTH properties 1 and 2.
  3. Hard to find Collisions:
     - There is no feasible algorithm to find two or more input documents which are hashed into the same condensed output,
     - I.e. it is computationally infeasible to find any two documents m_1, m_2 such that H(m_1) = H(m_2).

The One-way Property

[Figure: the one-way property. Document m (any length) -> H -> hash value h (length = L bits): this direction is easy to compute! Hash value h (length = L bits) -> document m (any length): but this direction is infeasible to compute!]

Finding collision is infeasible

[Figure: Document m1 ("I, Bob, will pay $1,000 to Alice.") and Document m2 ("I, Bob, will pay $10,000 to Alice.") each pass through H; label: (same condensed output).]

Good one-way hashing algorithms

- MD5 (R. Rivest, 1992)
- SHS (secure hashing standard, USA, 1992, modified in 1995)
- HAVAL (Y. Zheng, 1992)

Digital Signature (for long doc)

[Figure: digital signature for a long document. Labels: Bob, Plain Text, H (1-way hash, 100 bits), D, Secret Key, Signature, "+", Network, Cathy, Plain Text, H (100 bits), Signature, E, Public Key, 100 bits, "Accept if equal?", Public Key Directory (Yellow/White Pages) with an entry "Bob:".]
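
Hash-then-sign for long documents, as an added example that is not part of the original lecture. It uses truncated SHA-256 in place of the slides' 100-bit hash and a constructed demo key built from the Mersenne primes 2^61-1 and 2^89-1 (both assumptions, far too weak for real use); it then repeats the signing with the lecture's key (3, 55) and a 5-bit hash to show why the "hard to find collisions" property needs a long hash output.

```python
import hashlib

# Document wording taken from the lecture's collision slide.
DOC_1000 = b"I, Bob, will pay $1,000 to Alice."
DOC_10000 = b"I, Bob, will pay $10,000 to Alice."

# Constructed demo key (assumption, not from the lecture): two known
# Mersenne primes give a modulus of about 150 bits. Illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N_BIG, E_BIG = P * Q, 65537
D_BIG = pow(E_BIG, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+

# The lecture's toy key: e=3, d=27, n=55.
E_TOY, D_TOY, N_TOY = 3, 27, 55


def hash_bits(doc, bits):
    """H(m): the first `bits` bits of SHA-256(doc), as an integer."""
    digest = int.from_bytes(hashlib.sha256(doc).digest(), "big")
    return digest >> (256 - bits)


def sign(doc, d, n, bits):
    """Bob: s = H(m)^d mod n. Textbook RSA, no padding."""
    h = hash_bits(doc, bits)
    if h >= n:
        raise ValueError("hash value must be smaller than n")
    return pow(h, d, n)


def verify(doc, s, e, n, bits):
    """Cathy: accept if s^e mod n equals H(m) recomputed from the document."""
    return 0 <= s < n and pow(s, e, n) == hash_bits(doc, bits)


def second_document(doc, bits, limit=100_000):
    """Search other payment amounts for a document with the same short hash.

    Succeeds quickly only when `bits` is tiny; that is the point.
    """
    target = hash_bits(doc, bits)
    for amount in range(2000, 2000 + limit):
        other = b"I, Bob, will pay $%d to Alice." % amount
        if hash_bits(other, bits) == target:
            return other
    return None


if __name__ == "__main__":
    s = sign(DOC_1000, D_BIG, N_BIG, 128)
    print("genuine document accepted:", verify(DOC_1000, s, E_BIG, N_BIG, 128))
    print("altered document accepted:", verify(DOC_10000, s, E_BIG, N_BIG, 128))

    weak = sign(DOC_1000, D_TOY, N_TOY, 5)
    other = second_document(DOC_1000, 5)
    print("5-bit hash, same signature also fits:", other)
    print("accepted:", verify(other, weak, E_TOY, N_TOY, 5))
```

With the 128-bit hash the altered document is rejected; with the 5-bit hash a different payment amount carrying the same signature turns up after a few dozen tries.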

Why Digital Signature?

- Unforgeable
  - takes 1 billion years to forge!
- Un-deniable by the signatory
- Universally verifiable
- Differs from doc to doc
- Easily implementable by
  - software or
  - hardware or
  - software + hardware

Unforgeable digital signature

[Figure: "I, Bob, will pay $1,000 to Alice." with signature 101001010 (a valid signature); "I, Bob, will pay $10,000 to Alice." with signature 001001101 (also a valid signature).]

Important digital signatures

- RSA
  - strongly supported by industries
  - a de facto industrial standard
- Schnorr digital signature
  - derived from ElGamal digital signature
  - based on infeasibility of discrete logarithm
- DSS (digital signature standard, USA)
  - derived from ElGamal digital signature
  - based on infeasibility of discrete logarithm
  - strongly pushed forward by US government
- Signature schemes using elliptic curves

Digital signature -- summary

- three (3) steps are involved in digital signature
  - Setting up public and secret keys
  - Signing a document
  - Verifying a signature

Setting up public & secret keys

- Bob does the following
  - prepares a pair of public and secret keys
  - publishes his public key in the public key file (such as an on-line phone book)
  - keeps the secret key to himself
- Note:
  - Setting up needs only to be done once!

Signing a document

- Once setting up is completed, Bob can sign a document (such as a contract, a cheque, a certificate, ...) using the secret key
- The pair of document & signature is a proof that Bob has signed the document.

Verifying a signature

- Any party, say Cathy, can verify the pair of document and signature, by using Bob’s public key in the public key file.
- Important!
  - Cathy does NOT have to have a public or secret key!