5 Asymmetric Public-key Cryptosystems
Public-key cryptography became public soon after Whitfield Diffie and Martin Hellman (1976) proposed the innovative concept of an exponential key exchange scheme. Since 1976, numerous public-key algorithms have been proposed, but many of them have since been broken. Of the many algorithms that are still considered to be secure, most are impractical.
Only a few public-key algorithms are both secure and practical. Of these, only some are suitable for encryption. Others are only suitable for digital signatures. Among these numerous public-key cryptography algorithms, only four algorithms, RSA (1978), ElGamal (1985), Schnorr (1990) and ECC (1985), are considered to be suitable for both encryption and digital signatures. Another public-key algorithm that is designed to only be suitable for secure digital signatures is DSA (1991). The designer should bear in mind that the security of any encryption scheme depends on the length of the key and the computational work involved in breaking a cipher.
In 1976, Diffie and Hellman proposed a scheme using exponentiation modulo q (a prime) as a public key exchange algorithm. Exponential key exchange takes advantage of the easy computation of exponentials in a finite field GF(q) with a prime q compared with the difficulty of computing logarithms over GF(q) with q elements {1, 2, …, q − 1}. Let q be a prime number and α a primitive element of the prime number q. Then the powers of α generate all the distinct integers from 1 to q − 1 in some order. For any integer Y and a primitive element α of prime number q, a unique exponent X is found such that
$$Y \equiv \alpha^{X} \pmod q, \qquad 1 \le X \le q - 1$$
Then X is referred to as the discrete logarithm of Y to the base α over GF(q):
$$X = \log_{\alpha} Y \ \text{over GF}(q), \qquad 1 \le Y \le q - 1$$
Internet Security. Edited by M.Y Rhee
2003 John Wiley & Sons, Ltd ISBN 0-470-85285-2
Calculation of Y from X is comparatively easy, using repeated squaring, but computation of X from Y is typically far more difficult.
Suppose the user i chooses a random integer $X_i$ and the user j a random integer $X_j$. Then the user i picks a random number $X_i$ from the integer set {1, 2, …, q − 1}. The user i keeps $X_i$ secret, but sends
and use $K_{ij}$ as their common key.
The user i computes $K_{ij}$ by raising $Y_j$ to the power $X_i$:
in GF(q).
Example 5.1 Consider a prime field $Z_q$ where q is a prime modulus. If α is a primitive root of the modulus q, then α generates the set of nonzero integers modulo q such that $\alpha, \alpha^2, \ldots, \alpha^{q-1}$. These powers of α are all distinct and are all relatively prime to q. Given α, $1 \le \alpha \le q - 1$, and q = 11, all the primitive elements of q are computed as shown in Table 5.1.
For the modulus q = 11, the primitive elements are α = 2, 6, 7 and 8, whose order is 10, respectively.
Example 5.2 Consider a finite field GF(q) of a prime q. Choose a primitive element α = 2 of the modulus q = 11.
Figure 5.1 The Diffie–Hellman exponential key exchange scheme.
Table 5.1 Powers of primitive element α (over $Z_{11}$)
Compute:
$2^{\lambda}$ $(1 \le \lambda \le 10)$: $2^1, 2^2, 2^3, 2^4, 2^5, 2^6, 2^7, 2^8, 2^9, 2^{10}$
To initiate communication, the user i chooses $X_i = 5$ randomly from the integer set $2^{\lambda} \pmod{11} = \{1, 2, \ldots, 10\}$ and keeps it secret. The user i sends
Thus, each user computes the common key
Example 5.3 Consider the key exchange problem in the finite field GF($2^m$) for m = 3. The primitive polynomial p(x) of degree m = 3 over GF(2) is $p(x) = 1 + x + x^3$. If α is a root of p(x) over GF(2), then the field elements of GF($2^3$) generated by $p(\alpha) = 1 + \alpha + \alpha^3 = 0$ are shown in Table 5.2.
Table 5.2 Field elements of GF($2^3$) for q = 7
Suppose users i and j select $X_i = 2$ and $X_j = 5$, respectively. Both $X_i$ and $X_j$ are kept secret, but
User j computes $K_{ij}$ in a similar fashion:
$$K_{ij} \equiv (Y_i)^{X_j} \pmod q \equiv (\alpha^2)^5 \pmod 7 \equiv \alpha^{10} \pmod 7 \equiv \alpha^3 \equiv 110$$
Thus two users i and j arrive at a key $K_{ij}$ in common. These examples are extremely small in size and are intended only to illustrate the technique. So far, we have shown how to calculate the Diffie–Hellman key exchange, the security of which lies in the fact that it is very difficult to compute discrete logarithms for large primes.
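The exchange of Example 5.2 as an added Python example (not from the book): it lists the primitive elements of 11, runs the exchange for α = 2 and X_i = 5, and shows that with a modulus this small the secret exponent is found by trying every candidate. X_j = 7 is an assumed value, because user j's secret does not appear in the text above.

```python
# Added example (not from the book). q = 11, alpha = 2 and X_i = 5 come from
# the text; X_j = 7 is an assumed value, since user j's secret is not shown.

def order(a, q):
    """Multiplicative order of a modulo the prime q."""
    k, v = 1, a % q
    while v != 1:
        v = v * a % q
        k += 1
    return k

def primitive_elements(q):
    """Elements whose powers run through every value in {1, ..., q-1}."""
    return [a for a in range(1, q) if order(a, q) == q - 1]

def exchange(q, alpha, x_i, x_j):
    """Return (Y_i, Y_j, K_ij computed by i, K_ij computed by j)."""
    if order(alpha, q) != q - 1:
        raise ValueError("alpha is not a primitive element of GF(q)")
    y_i = pow(alpha, x_i, q)   # sent in the clear by user i
    y_j = pow(alpha, x_j, q)   # sent in the clear by user j
    return y_i, y_j, pow(y_j, x_i, q), pow(y_i, x_j, q)

def discrete_log(y, alpha, q):
    """Exhaustive search for X with alpha^X = y (mod q); q - 1 trials at most."""
    for x in range(1, q):
        if pow(alpha, x, q) == y:
            return x
    raise ValueError("y is not a power of alpha")

if __name__ == "__main__":
    q, alpha = 11, 2
    print("primitive elements of 11:", primitive_elements(q))
    y_i, y_j, k_i, k_j = exchange(q, alpha, x_i=5, x_j=7)
    print("Y_i =", y_i, " Y_j =", y_j, " K_ij =", k_i, "=", k_j)
    # With q this small the secret exponent falls out of the public value.
    print("X_i from Y_i:", discrete_log(y_i, alpha, q))
```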
This pioneering work relating to the key-exchange algorithm introduced a new approach to cryptography that met the requirements for public-key systems. The first response to the challenge was the development of the RSA scheme, which was the only widely accepted approach to public key encryption. The RSA cryptosystem will be examined in the next section.
In 1976, Diffie and Hellman introduced the idea of the exponential key exchange. In 1977 Rivest, Shamir and Adleman invented the RSA algorithm for encryption and digital signatures, which was the first public-key cryptosystem. Soon after the publication of the RSA algorithm, Merkle and Hellman devised a public-key cryptosystem for encryption based on the knapsack algorithm. The RSA cryptosystem resembles the D–H key exchange system in using exponentiation in modular arithmetic for its encryption and decryption, except that RSA operates its arithmetic over composite numbers. Even though the cryptanalysis of RSA's security has been researched for many years, it is still popular and reliable. The security of RSA depends on the problem of factoring large numbers. It has been shown that 110-digit numbers can be factored with the power of current factoring technology. To keep RSA's level of security, more than 150-digit values for n will be required. RSA does not beat DES for speed, because DES is about 100 times faster than RSA in software.
Given the public key e and the modulus n, the private key d for decryption has to be found by factoring n. Choose two large prime numbers, p and q, and compute the modulus n
The decryption key d and the modulus n are also relatively prime. The numbers e and n are called the public keys, while the number d is called the private key.
To encrypt a message m, the ciphertext c corresponding to the message block can be found using the following encryption formula:
due to the fact that $ed \equiv 1 \pmod{\phi(n)}$.
Because Euler's formula is $m^{\phi(n)} \equiv 1 \pmod n$, the message m is relatively prime to n such that gcd(m, n) = 1. Since $m^{\lambda\phi(n)} \equiv 1 \pmod n$ for some integer λ, it can be written $m^{\lambda\phi(n)+1} \equiv m \pmod n$, because $m^{\lambda\phi(n)+1} \equiv m\,m^{\lambda\phi(n)} \equiv m \pmod n$. Thus, the message m
Figure 5.2 RSA public-key cryptosystem for encryption/decryption.
Table 5.3 RSA encryption algorithm
Public key e:
n (product of two primes p and q (secret integers))
e (encryption key, relatively prime to φ(n) = (p − 1)(q − 1))
$m \equiv c^{d} \pmod n$, where c is a ciphertext.
The public key (e, n) is required for encryption of m. If m = 2, then the message m is encrypted as:
$$c \equiv m^{e} \pmod n \equiv 2^{7} \pmod{527} \equiv 128$$
To decrypt a message, perform the same exponentiation process using the decryption key
Thus, the message is recovered
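The statement that d has to be found by factoring n, carried through for the public key (e, n) = (7, 527) and m = 2 used above, as an added Python example (not from the book). The factors and d are derived by the code because they are not shown in the text; the second key (79, 3337) is the one from the block-encryption example that follows.

```python
# Added example (not from the book). (e, n) = (7, 527) and m = 2 are the
# page's values; p, q and d are derived here because the page does not show them.
from math import gcd, isqrt

def factor_semiprime(n):
    """Trial division up to sqrt(n); practical only because n is tiny."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found: n is prime")

def private_exponent(e, n):
    """d with e*d = 1 (mod phi(n)), obtained by factoring n."""
    p, q = factor_semiprime(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return pow(e, -1, phi)          # modular inverse, Python 3.8+

def encrypt(m, e, n):
    if not 0 <= m < n:
        raise ValueError("a message block must be smaller than n")
    return pow(m, e, n)

def decrypt(c, d, n):
    return pow(c, d, n)

if __name__ == "__main__":
    e, n = 7, 527
    d = private_exponent(e, n)
    c = encrypt(2, e, n)
    print("factors:", factor_semiprime(n), " d =", d)
    print("c =", c, " decrypted =", decrypt(c, d, n))
    # Every block value round-trips, including those sharing a factor with n.
    assert all(decrypt(encrypt(m, e, n), d, n) == m for m in range(n))
    print("d for (79, 3337):", private_exponent(79, 3337))
```

The trial division finishes at once here; the key-length requirements quoted in the text exist to put this step out of reach.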
To encrypt the message m, break it into a series of $m_i$-digit blocks, $1 \le i \le n - 1$. Suppose each character in the message is represented by a two-digit number as shown in Table 5.4.
Example 5.6 Encode the message 'INFORMATION SECURITY' using Table 5.4.
The first block, $m_1 = 914$, is encrypted by raising it to the power e = 79 and dividing by n = 3337 and taking the remainder $c_1 = 3223$ as the first block of ciphertext:
The RSA public-key cryptosystem can be used for both encryption and signatures. Each user has three integers e, d and n, n = pq with p and q large primes. For the key pair (e, d), $ed \equiv 1 \pmod{\phi(n)}$ must be satisfied. If sender A wants to send signed message c corresponding to message m to receiver B, A signs it using A's private key, computing $c \equiv m^{d_A} \pmod{n_A}$. First A computes
Figure 5.3 The RSA signature scheme.
Suppose m = 55. Then the signed message is
Thus, the message m is accepted as authentic.
Next, consider a case where the message is much longer. The larger m requires more computation in signing and verification steps. Therefore, it is better to compute the message digest using an appropriate hash function, for example, the SHA-1 algorithm. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller than the message.
When the message is assumed to be m = 75 139, the message digest h of m is computed using the SHA-1 algorithm as follows:
$$h \equiv H(m) \pmod n$$
$$\equiv H(75\,139) \pmod{187}$$
which shows that verification is accomplished.
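Hash-then-sign with the modulus n = 187 used above, as an added Python example (not from the book). The exponent e = 7, the derived d and the encoding of m as the ASCII string "75139" are assumptions, since the page does not show them; the last function shows that reducing the digest modulo 187 leaves only 187 possible values, so the toy numbers illustrate the arithmetic and are not a security parameter.

```python
# Added example (not from the book): SHA-1 digest reduced mod n, then RSA-signed.
# n = 187 is the page's modulus; e = 7 and the message encoding are assumptions.
import hashlib

P, Q = 11, 17                        # 187 = 11 * 17
N = P * Q
E = 7                                # assumed public exponent, gcd(7, 160) = 1
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

def digest_mod_n(message: bytes, n: int = N) -> int:
    """h = H(m) mod n, with H = SHA-1 read as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n

def sign(message: bytes) -> int:
    """Signature on the digest: h^d mod n."""
    return pow(digest_mod_n(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Accept when signature^e mod n equals the recomputed digest."""
    return pow(signature, E, N) == digest_mod_n(message)

def other_message_same_digest(message: bytes) -> bytes:
    """First decimal string, different from `message`, with the same h mod n."""
    target = digest_mod_n(message)
    i = 0
    while True:
        candidate = str(i).encode()
        if candidate != message and digest_mod_n(candidate) == target:
            return candidate
        i += 1

if __name__ == "__main__":
    m = b"75139"
    sig = sign(m)
    print("d =", D, " h =", digest_mod_n(m), " signature =", sig)
    print("verifies:", verify(m, sig))
    twin = other_message_same_digest(m)
    # Same reduced digest, so the same signature verifies for a different message.
    print("second message:", twin, " verifies:", verify(twin, sig))
```

A modulus far larger than the digest, together with a standard padding scheme, removes this reduction step and with it the shared signatures.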
In hardware, RSA is about 1000 times slower than DES. RSA is also implemented in smartcards, but these implementations are slower. DES is about 100 times faster than RSA. However, RSA will never reach the speed of symmetric cipher algorithms.
It is known that the security of RSA depends on the problem of factoring large numbers. To find the private key from the public key e and the modulus n, one has to factor n. Currently, n must be larger than a 129 decimal digit modulus. Easy methods to break RSA have not yet been found. A brute-force attack is even less efficient than trying to factor n. RSA encryption and signature verification are faster if you use a low value for e, but can be insecure.
ElGamal proposed a public-key cryptosystem in 1985. The ElGamal algorithm can be used for both encryption and digital signatures. The security of the ElGamal scheme relies on the difficulty of computing discrete logarithms over GF(p) where p is a large prime. Prime factorisation and discrete logarithms are required to implement the RSA and ElGamal cryptosystems.
In the RSA cryptosystems, each user has three integers e, d and n, where n = pq with two large primes p and q, and $ed \equiv 1 \pmod{\phi(n)}$, φ being Euler's totient function. User A has a public key consisting of the pair $(e_A, n_A)$ and a private key $d_A$; similarly, user B has $(e_B, n_B)$ and $d_B$. To encrypt the message m to B, A uses B's public key for computing the encrypted message (or ciphertext) such that $c \equiv m^{e_B} \pmod{n_B}$. If A wants to send the signed message to B, A signs the message m using his own private key $d_A$ such that $c \equiv m^{d_A} \pmod{n_A}$.
To describe the ElGamal system, choose a prime number p and two random numbers, g and x, such that both g < p and x < p, where x is a private key. The random number g is a primitive root modulo p. The public key is defined by y, g and p. Then we compute $y \equiv g^{x} \pmod p$. To encrypt the message m, $0 < m \le p - 1$, first pick a random number k such that gcd(k, p − 1) = 1. The encrypted message (or ciphertext) can be expressed by the pair (r, s) as follows:
$$r \equiv g^{k} \pmod p$$
$$s \equiv (y^{k} m \pmod p)\,(m \pmod{p - 1})$$
To decrypt m, divide s by $r^{x}$ such that $s/r^{x} \equiv m \pmod{p - 1}$. To sign a given message m, first choose a random number k such that gcd(k, p − 1) = 1, and compute $m \equiv xr + ks \pmod{p - 1}$ using the extended Euclidean algorithm to solve for s. The basic technique for encryption and signature using the ElGamal algorithm as a two-key cryptosystem is described in the following section.
To generate a key pair, first choose a prime p and two random numbers g and x such that g < p and x < p. Then compute
$$y \equiv g^{x} \pmod p$$
The public key is (y, g, p) and the private key is x < p.
To encrypt the message m, $0 \le m \le p - 1$, first choose a random number k such that gcd(k, p − 1) = 1. The encrypted message (or ciphertext) is then the following pair (r, s):
g = 4 (a random number such that g < p)
x = 8 (a private key such that x < p)
Then compute:
$$y \equiv g^{x} \pmod p \equiv 4^{8} \pmod{11} \equiv 9$$
Figure 5.4 The ElGamal encryption scheme.
Table 5.5 ElGamal encryption algorithm
To decipher the message m, first compute:
To sign a message m, first choose a random number k such that gcd(k, p − 1) = 1 (relatively prime). The public key is described by
Figure 5.5 illustrates the ElGamal signature scheme based on Table 5.6.
Example 5.9 To sign a message m, first choose a prime p = 11 and two random numbers g = 7 and x = 3, where x < p is a private key.
Compute:
$$y \equiv g^{x} \pmod p \equiv 7^{3} \pmod{11} \equiv 2$$
The public key is y = 2, g = 7 and p = 11.
Figure 5.5 The ElGamal signature scheme.
Table 5.6 ElGamal signature algorithm
To authenticate m = 6, choose a random number k = 7 such that gcd(k, p − 1)
The signature is the pair of r = 6 and s = 4.
To verify a signature, it must be confirmed that
$$y^{r} r^{s} \pmod p \equiv g^{m} \pmod p$$
$$(2^{6})(6^{4}) \pmod{11} \equiv 7^{6} \pmod{11}$$
$$81 \pmod{11} \equiv 15 \pmod{11}$$
$$4 \pmod{11} \equiv 4 \pmod{11}$$
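Signing and verification for Example 5.9, as an added Python example (not from the book), using its values p = 11, g = 7, x = 3, m = 6 and k = 7. The function names and the range check on r are additions of this example; the last function goes beyond the single k in the text and produces one signature for every admissible k.

```python
# Added example (not from the book): ElGamal signature with Example 5.9's
# values p = 11, g = 7, x = 3, m = 6, k = 7.
from math import gcd

def public_key(g, x, p):
    return pow(g, x, p)                      # y = g^x mod p

def sign(m, k, x, g, p):
    """Solve m = x*r + k*s (mod p-1) for s, with r = g^k mod p."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be relatively prime to p - 1")
    r = pow(g, k, p)
    # k^-1 mod (p-1) exists because gcd(k, p-1) = 1 (pow with -1: Python 3.8+)
    s = pow(k, -1, p - 1) * (m - x * r) % (p - 1)
    return r, s

def verify(m, r, s, y, g, p):
    """Accept when y^r * r^s = g^m (mod p)."""
    if not 0 < r < p:                        # range check on r (added here)
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, m, p)

def signatures_for_all_k(m, x, g, p):
    """One signature per k in 1..p-2 that is relatively prime to p - 1."""
    return {k: sign(m, k, x, g, p)
            for k in range(1, p - 1) if gcd(k, p - 1) == 1}

if __name__ == "__main__":
    p, g, x, m = 11, 7, 3, 6
    y = public_key(g, x, p)
    r, s = sign(m, 7, x, g, p)
    print("y =", y, " (r, s) =", (r, s))
    print("m = 6 verifies:", verify(m, r, s, y, g, p))
    print("m = 7 verifies:", verify(7, r, s, y, g, p))
    for k, (rk, sk) in signatures_for_all_k(m, x, g, p).items():
        print("k =", k, "->", (rk, sk), verify(m, rk, sk, y, g, p))
```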
The ElGamal signature or authentication scheme, looked at from another angle, is described in the following.
The sender chooses a finite field GF(p) where p is a prime. Let g be a primitive element of GF(p). First choose two random integers g and x such that g < p and x < p. A key x is kept secret by both the sender and the receiver. Let m denote a message which is relatively prime to p. Then compute:
$$u \equiv g^{m} \pmod p$$
Let c denote a ciphertext such that gcd(c, p) = 1.
Using the extended Euclidean algorithm, the following congruence is to be solved for v:
The ElGamal authentication scheme is shown in Figure 5.6. The ElGamal authentication algorithm given in Table 5.7 is illustrated by the following example.
Figure 5.6 The ElGamal authentication scheme.
Table 5.7 ElGamal authentication algorithm
Example 5.10 Take the finite field GF(11). Then the set of primitive elements of GF(11) is {2, 6, 7, 8}. Choose a primitive element g = 7 from the set. Define the public key as (g, p) = (7, 11) and x = 5 as the chosen private key which is shared by both the sender and the receiver. If the sender now wants to transmit a message m = 3 such that gcd(m, p) = gcd(3, 11) = 1, then compute first:
and $A \equiv g^{c} \pmod p \equiv 7^{7} \pmod{11} \equiv 6$
Thus, the cryptogram (7, 2, 9) is accepted, and c = 7 is authentic. Finally, the message is restored in the following manner:
$$m \equiv v^{-1}(c - xu) \pmod{p - 1}$$
$$\equiv 9^{-1}(7 - 5 \times 2) \pmod{10}$$
$$\equiv (9^{-1})(7) \pmod{10} \equiv 3$$
The message m = 3 has been completely recovered.
In 1990, Schnorr introduced his authentication and signature schemes based on discrete logarithms.
First choose two primes, p and q, such that q (1 < q < p − 1) is a prime factor of p − 1. To generate a public key, choose a such that $a \equiv h^{(p-1)/q} \pmod p$, that is, $a^{q} \equiv h^{p-1} \pmod p$. If h is relatively prime to p, by Fermat's theorem it can then be written as $h^{p-1} \equiv 1 \pmod p$. As a result, we have $a^{q} \equiv 1 \pmod p$, 1 < a < p − 1. All these numbers, p, q and a, can be freely published and shared with a group of users. To generate a key pair, choose a random number s < q which is used as the private key. Next, compute $\lambda \equiv a^{-s} \pmod p$ which is the public key.
Now, user A picks a random number r < q and computes $x \equiv a^{r} \pmod p$. User B picks a random number t and sends it to the user A, where $t \in (0, 1, 2, \ldots, 2^{v} - 1)$ indicates the security level. Schnorr recommends the value of v = 72 for sufficient security. User A computes $y \equiv r + st \pmod q$ and sends it to user B. Thus, user B tests verification of authenticity such that $x \equiv a^{y} \lambda^{t} \pmod p$. Figure 5.7 illustrates Schnorr's authentication scheme, and Table 5.8 shows the related algorithm.
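One round of the authentication exchange just described, as an added Python example (not from the book), run with the numbers of Example 5.11 (p = 23, q = 11, a = 3, s = 8, r = 5, t = 15). The function names are this example's own; `s_claimed` is a hypothetical parameter that lets the same round be run by a prover who does not hold the private key.

```python
# Added example (not from the book): one round of Schnorr's authentication
# scheme with Example 5.11's numbers (p=23, q=11, a=3, s=8, r=5, t=15).

def check_params(p, q, a):
    """q divides p - 1 and a satisfies a^q = 1 (mod p), 1 < a < p - 1."""
    return (p - 1) % q == 0 and 1 < a < p - 1 and pow(a, q, p) == 1

def public_key(a, s, p):
    """lambda = a^(-s) mod p (negative exponents need Python 3.8+)."""
    return pow(a, -s, p)

def commit(a, r, p):
    """User A's first message x = a^r mod p."""
    return pow(a, r, p)

def respond(r, s, t, q):
    """User A's answer y = r + s*t mod q to user B's number t."""
    return (r + s * t) % q

def verify(x, y, t, a, lam, p):
    """User B's test x = a^y * lambda^t mod p."""
    return x == pow(a, y, p) * pow(lam, t, p) % p

def run_round(p, q, a, lam, s_claimed, r, t):
    """Full exchange; s_claimed is the secret the prover actually holds."""
    if not check_params(p, q, a):
        raise ValueError("bad domain parameters")
    x = commit(a, r, p)
    y = respond(r, s_claimed, t, q)
    return x, y, verify(x, y, t, a, lam, p)

if __name__ == "__main__":
    p, q, a, s = 23, 11, 3, 8
    lam = public_key(a, s, p)
    print("lambda =", lam)
    print("holder of s = 8:", run_round(p, q, a, lam, s_claimed=8, r=5, t=15))
    # A prover with the wrong secret produces a y that fails user B's test.
    print("prover with s = 7:", run_round(p, q, a, lam, s_claimed=7, r=5, t=15))
```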
Example 5.11 Choose two primes p = 23 and q = 11 such that q = 11 is a prime factor of p − 1 = 22. Choose a = 3 satisfying $a^{q} \equiv 1 \pmod p$, i.e. $3^{11} \equiv 1 \pmod{23}$. Choose s = 8 < q as the private key and compute the public key such that $\lambda \equiv a^{-s} \pmod p \equiv 3^{-8} \pmod{23}$. Compute the multiplicative inverse of a = 3: $aa^{-1} \equiv 1 \pmod p$, $3 \cdot 3^{-1} \equiv 1 \pmod{23}$, from which $a^{-1} = 8$. Thus, $\lambda \equiv 8^{8} \pmod{23} \equiv 4$.
The sender picks r = 5 < q and computes:
$$x \equiv a^{r} \pmod p \equiv 3^{5} \pmod{23} \equiv 13$$
The receiver sends t = 15 to the sender and the sender computes:
Choose two primes, p and q, such that q is a prime factor of p − 1.
Choose a such that $a^{q} \equiv 1 \pmod p$.
Key generation:
Choose a random number s < q (private key)
Compute $\lambda \equiv a^{-s} \pmod p$ (public key)
Choose a random number r < q
Compute $x \equiv a^{r} \pmod p$. Pick a random number t such that $0 < t < 2^{v} - 1$