
Cryptology. Marion Scheepers, Boise State University, Boise, Idaho. Sept 24 – 26, 2002




  1. Cryptology
      Marion Scheepers, Boise State University, Boise, Idaho
      Sept 24 – 26, 2002, DAAD 2002

  2. Information Security
      • Information Security = Safeguarding information during storage or transmission.
      • Some objectives of information security:
        • Confidentiality
        • Data integrity
        • Authentication
        • Non-repudiation

  3. Cryptology = The mathematics of information security
      The idea:
      • Use mathematics to secure the information.
      • Security is mathematically compromised when some specific mathematical problem is solved.
      • No known method solves the mathematical problem in a reasonable amount of time.

  4. Cryptographic Primitives
      • Encryption schemes
      • Digital signature schemes
      • Hash functions
      • Random number generators

  5. Crypto-system evaluation criteria
      • Security level [How many bit operations are needed to defeat the security objective?]
      • Performance [How many bit operations are needed to carry out the security objective?]
      • Ease of implementation [How “easy” is it to create the crypto-system based on existing technology?]

  6. Some Number Theory
      • Theorem [Euclidean Algorithm]: For all natural numbers a and b, there are integers m and n such that gcd(a,b) = ma + nb.
      • Theorem: ax mod b = 1 has a solution if, and only if, gcd(a,b) = 1.

  7. Euler’s phi function
      • Definition: phi(n) = |{a < n : gcd(a,n) = 1}|.
      • Theorem [Euler - Fermat]: For any a < n with gcd(a,n) = 1, we have a^phi(n) mod n = 1.

  8. Chinese Remainder Theorem
      • Theorem: Let m and n be numbers with gcd(m,n) = 1. Then for all a < m and b < n there is a unique x < mn with a = x mod m and b = x mod n.
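The three results on slides 6, 7 and 8 are all constructive, and every later key-generation step (computing m = n^(-1) mod phi(R) for RSA, k^(-1) mod (p-1) for El-Gamal signatures) rests on them. The following is an added worked example, not code from the slides: the extended Euclidean algorithm returning the Bezout coefficients m and n of the theorem, the modular inverse it yields exactly when gcd(a,b) = 1, Euler's phi by the slide's definition, and the CRT reconstruction. All sample values are constructed.

```python
# Added example (not from the slides): extended Euclid, modular inverses,
# Euler's phi and the Chinese Remainder Theorem, as used on slides 6-8.


def egcd(a, b):
    """Return (g, m, n) with g = gcd(a, b) = m*a + n*b (the Bezout identity)."""
    old_r, r = a, b
    old_m, m = 1, 0
    old_n, n = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_m, m = m, old_m - q * m
        old_n, n = n, old_n - q * n
    return old_r, old_m, old_n


def modinv(a, b):
    """Solve a*x mod b = 1. A solution exists iff gcd(a, b) = 1 (slide 6);
    otherwise ValueError, which is the check RSA key generation relies on."""
    g, m, _ = egcd(a % b, b)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {b}: gcd = {g}")
    return m % b


def phi(n):
    """Euler's phi by the slide's definition: |{a < n : gcd(a, n) = 1}|.
    Linear in n, so only for small n; for RSA-size moduli phi(R) is computed
    from the factorization of R (slide 19: phi(pq) = (p-1)(q-1))."""
    return sum(1 for a in range(1, n) if egcd(a, n)[0] == 1)


def euler_fermat_holds(a, n):
    """Check a^phi(n) mod n = 1 for gcd(a, n) = 1 (Euler-Fermat, slide 7)."""
    return egcd(a, n)[0] == 1 and pow(a, phi(n), n) == 1


def crt(a, m, b, n):
    """The unique x < m*n with x mod m = a and x mod n = b, for gcd(m, n) = 1."""
    g, u, v = egcd(m, n)               # u*m + v*n = 1
    if g != 1:
        raise ValueError("moduli must be coprime")
    # v*n = 1 (mod m) and u*m = 1 (mod n), so each term fixes one residue
    return (a * v * n + b * u * m) % (m * n)


if __name__ == "__main__":
    print(egcd(240, 46))               # (2, -9, 47): 2 = -9*240 + 47*46
    print(modinv(17, 3120))            # 2753, the private exponent of the textbook RSA example
    print(phi(12), crt(2, 3, 3, 5))    # 4, 8
```

Note that egcd works with the remainders only, so it runs in O(length(b)^2) bit operations, which is why slide 20 can list the computation of m as polynomial time.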

  9. Dirichlet’s Theorem
      • Theorem: If gcd(a,b) = 1, then the set {an + b : n = 1, 2, 3, …} contains infinitely many prime numbers.
      • Riemann Hypothesis (RH): For all e > 0: pi(x) = li(x) + O(x^(1/2 + e)).
      • Extended Riemann Hypothesis (ERH): For all e > 0: pi(x,n,a) = li(x)/phi(n) + O(x^(1/2 + e)).

  10. Miller-Rabin Primality test
      • Theorem: If n is an odd prime, write n-1 = r * 2^s where r is odd. For any a with gcd(a,n) = 1,
        1. either a^r mod n = 1, or else
        2. there is a j = 0, 1, …, s-1 with a^(r * 2^j) mod n = n-1.
      • Theorem: For n > 9 odd and composite, at most phi(n)/4 positive numbers a < n satisfy clause 1 or 2 modulo n.
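The two theorems on slide 10 together give the test that answers "Issue 1" of slides 20 and 31 (how to test whether a large number is prime). The block below is an added example, not the slides' own material: it decomposes n-1 = r * 2^s, checks the two clauses for one base a, and repeats with random bases, so that by the second theorem a composite survives each round with probability at most 1/4. The random-prime generator at the end is the usual way slide 20's "Issue 2" is handled in practice; the sample numbers are constructed.

```python
import random


def decompose(n):
    """Write n-1 = r * 2^s with r odd, for odd n > 2 (the slide's notation)."""
    r, s = n - 1, 0
    while r % 2 == 0:
        r //= 2
        s += 1
    return r, s


def passes_witness(n, a):
    """True iff base a satisfies clause 1 or 2 of the theorem on slide 10:
    a^r = 1 (mod n), or a^(r*2^j) = n-1 (mod n) for some j in 0..s-1.
    Every prime n passes for every a; a composite passes for at most phi(n)/4 bases."""
    r, s = decompose(n)
    x = pow(a, r, n)
    if x == 1 or x == n - 1:           # clause 1, or clause 2 with j = 0
        return True
    for _ in range(s - 1):             # j = 1 .. s-1
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds=40, rng=random):
    """Miller-Rabin: with `rounds` independent random bases, a composite n is
    declared prime with probability at most 4^-rounds (second theorem, slide 10)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not passes_witness(n, a):
            return False               # a is a witness: n is certainly composite
    return True


def random_prime(bits, rng=random):
    """Slide 20, issue 2: draw odd candidates of exactly `bits` bits until one
    passes; by the prime number theorem about (bits * ln 2)/2 draws are needed."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


if __name__ == "__main__":
    print(decompose(561))                               # (35, 4): 560 = 35 * 2^4
    print(is_probable_prime(561), is_probable_prime(2**31 - 1))   # False True
    print(random_prime(64))
```

Each round costs one modular exponentiation plus at most s-1 squarings, i.e. O(ln(n)^3) bit operations, so the whole test is polynomial in length(n) as slide 12 defines it. The rng parameter exists so that a cryptographic source (secrets.SystemRandom) can be substituted for key generation.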

  11. Primitive roots
      • Definition: g < n is a primitive root of n if gcd(g,n) = 1 and for each i < n with gcd(i,n) = 1 there is a k with i = g^k mod n.
      • Theorem [Gauss]: n has a primitive root if, and only if, n = 1, 2, 4, p^e or 2p^e where p is some odd prime.
      • Theorem: For any M > 0 the set {p : p a prime number and M < least primitive root of p < p-M} is infinite.
      • Theorem [Burgess]: For each e > 0 there is a p(e) such that for each prime p > p(e) the least primitive root of p is < p^(1/4 + e).

  12. Computational Complexity I
      For f and g sequences of natural numbers:
      • f = O(g): there are an N and a C with: for all n > N, f(n) < C g(n).
      • f = o(g): lim f(n)/g(n) = 0.
      • length(n) = 1 + floor(log2(n)).
      • L_n(g,c) = O(e^(c (ln n)^g (ln ln n)^(1-g)))
      NOTE: L_n(0,c) = O((ln n)^c) is “polynomial in length of n”; L_n(1,c) = O(e^(c ln n)) is “exponential in length of n”; L_n(g,c) for 0 < g < 1 is “subexponential and superpolynomial in length of n”.

  13. Computational Complexity 2

  14. RSA on a finite group G
      f_n(a) = a^n
      Theorem: If gcd(n,|G|) = 1, then f_n is one-to-one. Moreover, if m is a solution of nx mod |G| = 1, then f_m is an inverse of f_n.

  15. RSA Keys
      Public keys: The group G and the function f_n.
      Coding function: F maps messages in ordinary text into the group G.
      Private key: The function f_m.

  16. Alice encrypts to Bob
      • Look up Bob’s public key (G, f_n) and coding function F.
      • With M = F(message), compute E = f_n(M). [Then E is the encrypted version of M.]
      • Send E to Bob.

  17. Bob decrypts
      • Compute D = f_m(E).
      • Compute the inverse of D under the coding function F.

  18. RSA signatures
      Public keys: The group G and the function f_n. Private key: f_m.
      Bob signs an item, a, known to Alice:
      • s = f_m(a)
      Alice checks if s is Bob’s signature on a:
      • b = f_n(s)
      • If b = a, then Alice accepts s as Bob’s signature on a.

  19. Classical RSA
      To construct the public and private keys:
      • Choose two prime numbers p and q.
      • Put R = pq, and put G = {a < R : gcd(a,R) = 1} with operation multiplication mod R. NOTE: |G| = phi(R).
      • Choose n so that gcd(n, phi(R)) = 1. This n specifies the encryption function f_n.
      • Compute m = n^(-1) mod phi(R). This specifies the private key f_m.
      • Coding Function: ASCIIPad
      • Example
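Slides 14 through 19 describe one procedure: the group, the key pair (f_n, f_m), encryption, decryption and signing. The block below is an added example that carries the whole procedure through in code; it is not the slides' "Example" and not the author's code. The slides do not define the ASCIIPad coding function, so the F used here (big-endian bytes to an integer below R) is an assumption made for the example; the toy parameters p = 61, q = 53, n = 17 are constructed. Python 3.8 or later is needed for pow(n, -1, phi_R).

```python
# Added example (not from the slides): classical RSA on
# G = {a < R : gcd(a, R) = 1}, following slides 14-19.


def rsa_keygen(p, q, n=65537):
    """Slide 19: R = p*q, |G| = phi(R) = (p-1)(q-1); n must satisfy
    gcd(n, phi(R)) = 1 and m = n^-1 mod phi(R) is the private key."""
    R = p * q
    phi_R = (p - 1) * (q - 1)
    m = pow(n, -1, phi_R)        # raises ValueError if gcd(n, phi_R) != 1
    return (R, n), m


def f(x, e, R):
    """The slide's f_n(a) = a^n in G, i.e. x^e mod R."""
    return pow(x, e, R)


def encode(message, R):
    """Coding function F (an assumption for this example; the slides' ASCIIPad
    is not specified): big-endian bytes -> integer, which must be below R."""
    M = int.from_bytes(message, "big")
    if not 0 < M < R:
        raise ValueError("message does not fit in one block below R")
    return M


def decode(M):
    """Inverse of encode."""
    return M.to_bytes((M.bit_length() + 7) // 8, "big")


def encrypt(pub, message):
    """Slide 16: E = f_n(F(message))."""
    R, n = pub
    return f(encode(message, R), n, R)


def decrypt(pub, m, E):
    """Slide 17: D = f_m(E), then invert F."""
    R, _ = pub
    return decode(f(E, m, R))


def sign(pub, m, a):
    """Slide 18: s = f_m(a)."""
    R, _ = pub
    return f(a, m, R)


def verify(pub, a, s):
    """Slide 18: b = f_n(s); accept iff b = a."""
    R, n = pub
    return f(s, n, R) == a


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, n=17)    # constructed toy: pub = (3233, 17), priv = 2753
    E = encrypt(pub, b"A")                   # 65^17 mod 3233 = 2790
    print(E, decrypt(pub, priv, E))
    s = sign(pub, priv, 65)
    print(verify(pub, 65, s), verify(pub, 66, s))   # True False
```

The ValueError from pow(n, -1, phi_R) is exactly the gcd condition of slide 19 (and slide 6) failing; slide 20 gives the probability that a random odd n passes it as phi(phi(R))/phi(R).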

  20. RSA key generation efficiency
      • Selection of prime numbers: the prime numbers must be large. Issue 1: How to test if a large number is prime? Issue 2: What is the probability that a large number is prime?
      • Computing R: O(ln(p) ln(q)), polynomial time.
      • Selecting n: n must be odd. Issue: Probability(gcd(n, phi(R)) = 1)? It is phi(phi(R))/phi(R).
      • Computing m: O(ln(phi(R))^2), polynomial time.

  21. RSA operations - efficiency
      • Coding computation: polynomial time.
      • Encryption: f_n(M) = M^n mod R. O(ln(n) ln(R)^2), polynomial time.
      • Decryption: f_m(E) = E^m mod R. O(ln(m) ln(R)^2) ~ O(ln(R)^3), polynomial time.

  22. RSA security
      • Using the factorization of R, compute phi(R) in time polynomial in the length of R. From phi(R) and f_n, compute f_m in time polynomial in the length of phi(R).
      • Issue: How hard is it to factor R? The best factoring algorithm (Lenstra’s Number Field Sieve) has superpolynomial time L_R(1/3, c) for some constant c. This is subexponential.
      • Fermat factoring [Stopped here: Sept 24]
      • Pollard p-1 method
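Slide 22 lists Fermat factoring and the Pollard p-1 method beside the Number Field Sieve. Both are special-purpose: Fermat's method finishes quickly only when p and q are close together, and Pollard's only when p-1 has no large prime factor. That is what makes them useful at key-generation time as rejection tests for weak primes. The block below is an added example, not the slides' material, implementing both on constructed toy moduli: 8051 = 83 * 97 (close primes) and 1009 * 10007 (1008 = 2^4 * 3^2 * 7 is smooth, 10006 = 2 * 5003 is not).

```python
import math


def fermat_factor(R, max_steps=10**6):
    """Fermat: R = x^2 - y^2 = (x-y)(x+y). Starting at x = ceil(sqrt(R)) and
    stepping x up, a square x^2 - R appears after about (p-q)^2 / (8 sqrt(R))
    steps, so the method is fast exactly when the two primes are close.
    Returns (p, q) or None when max_steps runs out."""
    x = math.isqrt(R)
    if x * x < R:
        x += 1
    for _ in range(max_steps):
        y2 = x * x - R
        y = math.isqrt(y2)
        if y * y == y2:
            return x - y, x + y
        x += 1
    return None


def pollard_pm1(R, B=1000):
    """Pollard p-1: for a prime p | R with p-1 dividing B! (p-1 is B-smooth),
    Euler-Fermat gives a^(B!) = 1 mod p, so gcd(a^(B!) - 1, R) exposes p.
    Returns (p, q) or None (no smooth p-1 below B, or both p-1 and q-1 smooth)."""
    a = 2
    for k in range(2, B + 1):          # a = 2^(B!) mod R, built one factor at a time
        a = pow(a, k, R)
    g = math.gcd(a - 1, R)
    if 1 < g < R:
        return g, R // g
    return None


def weak_prime_pair(p, q, gap_steps=10**4, B=10**4):
    """Key-generation check (defender's use of the two methods): reject a
    (p, q) pair that either method factors within the given budgets."""
    R = p * q
    return fermat_factor(R, gap_steps) is not None or pollard_pm1(R, B) is not None


if __name__ == "__main__":
    print(fermat_factor(8051))             # (83, 97) after one step
    print(pollard_pm1(1009 * 10007))       # (1009, 10007): 1008 is 7-smooth
    print(weak_prime_pair(83, 97))         # True: the primes are far too close
```

The two methods fail in complementary ways: Fermat's loop returns None on 1009 * 10007 within 100 steps because the primes are far apart, and Pollard p-1 returns None on 8051 with B = 1000 because both 82 and 96 are smooth, so a^(B!) is 1 modulo both factors and the gcd is R itself. A smaller bound separates them again: with B = 20 only 96 divides 20!, and the gcd is 97.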

  23. RSA signature issues
      • If enough small primes have been signed, these can be used to construct forged signatures on specific messages. Example.
      • If items signed are first padded, and n is small, certain signatures can be forged.

  24. El-Gamal crypto system
      (G,*): a finite group; g: an element of large order.
      Private key: a natural number N < |<g>|.
      Public keys: G, g and y (= g^N).
      Coding function: A bijective function F which maps messages in ordinary text into G.

  25. Alice encrypts for Bob
      • Compute M := F(message).
      • Choose a random natural number R < |<g>|.
      • Compute z := y^R and d := g^R in G.
      • Compute E := M*z in G.
      • Send (E,d) to Bob.

  26. Bob Decrypts
      • Compute x = d^N.
      • Compute the inverse, X, of x in G.
      • Compute D := X*E in G.
      • Compute the inverse of F’s value on D.

  27. Signature Schema
      • Items to be signed: elements of {0, 1, …, |G|-1}.
      • Given: a bijection f from G to {0, 1, …, |G|-1}.
      • The public signature key is (G,g,y,f).

  28. Bob signs m
      • Choose a random number k in {1, …, |G|-1}.
      • Compute t = g^k.
      • Compute a solution, s, to the equation m = N f(t) + sk mod |<g>|.
      • The signature is (t,s).

  29. Alice verifies Bob’s signature
      • Verify that both y and s are less than |<g>|.
      • Then verify whether y^f(t) * t^s (= g^(N f(t) + sk)) = g^m.
      • If both are true: Accept (t,s) as the signature of the owner of public key (G,g,y) on m.

  30. Classical El-Gamal
      • Choose a large prime number p.
      • Put G = {1, 2, …, p-1} with operation multiplication mod p. NOTE: |G| = p-1.
      • Choose a primitive root g of p.
      • Choose N in {1, 2, …, p-1} randomly. This specifies the private key.
      • Compute y = g^N mod p.
      • Coding Function: ASCIIPad

  31. El-Gamal key generation
      • Selection of prime numbers. Issue 1: How to test if a large number is prime? Issue 2: What is the probability that a large number is prime?
      • Selection of a primitive root. Theoretical estimate: there are primitive roots < p^(1/4 + o(1)). Exhaustive search can be exponential time (O(e^((1/4 + o(1)) ln(p)))). ERH implies: the least primitive root is O(ln(p)^6). Issue: How to test if g is a primitive root of p?
      • Selecting N. N must be large, but not easy to guess. Issue: What is a good way to choose N “randomly”?
      • Computing y: O(ln(p)^2). Polynomial time in the length of p.

  32. El-Gamal operations
      • Encryption: z and d: O(ln(p)^2), polynomial time. E: O(ln(p)^2), polynomial time.
      • Decryption: x = y^N mod p: O(ln(p)^2), polynomial time. X = x^(-1) mod p: O(ln(p)^2), polynomial time. X*E mod p: O(ln(p)^2), polynomial time.

  33. El-Gamal Security level
      For discrete logarithms in this group: superpolynomial time L_p(1/3, C), some constant C. This is subexponential, and compares to the estimates for factoring classical RSA moduli.
      Hellman-Pohlig-Silver Algorithm [Stopped here: Sept. 25 (no signatures)]

  34. Classical El-Gamal signatures
      To sign message m:
      • Choose, randomly, k with 0 < k < p-1.
      • Compute t = g^k mod p.
      • Solve m = Nt + ks mod (p-1) for s.
      • The signature is (t,s).
      NOTE: s = (m - Nt)/k mod (p-1) if gcd(k, p-1) = 1.
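Slides 24 through 30 and slide 34 specify classical El-Gamal in Z_p^*: the primitive-root check that slide 31 leaves as an open issue, key generation, encryption and decryption, and the signing equation m = Nt + ks mod (p-1) with its verification y^t * t^s = g^m. The block below is an added example and not the slides' own code. It assumes that the message is already an element of G (the ASCIIPad coding function of slide 30 is not specified on the slides), that p-1 is small enough to factor by trial division for the primitive-root test, and it applies the standard range check 0 < t < p, 0 <= s < p-1 before verifying. The parameters p = 10007, g = 5 are constructed.

```python
import math
import random


def prime_factors(n):
    """Distinct prime factors by trial division (toy-size n only)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs


def is_primitive_root(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q | p-1.
    This answers slide 31's issue whenever p-1 can be factored."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def keygen(p, g, rng=random):
    """Slide 30: private N, public (p, g, y = g^N mod p)."""
    if not is_primitive_root(g, p):
        raise ValueError("g is not a primitive root of p")
    N = rng.randrange(1, p - 1)
    return N, (p, g, pow(g, N, p))


def encrypt(pub, M, rng=random):
    """Slide 25 with G = Z_p^*: z = y^R, d = g^R, E = M*z; send (E, d)."""
    p, g, y = pub
    R = rng.randrange(1, p - 1)
    return M * pow(y, R, p) % p, pow(g, R, p)


def decrypt(pub, N, E, d):
    """Slide 26: x = d^N, X = x^-1, D = X*E."""
    p = pub[0]
    X = pow(pow(d, N, p), -1, p)
    return X * E % p


def sign(pub, N, m, rng=random):
    """Slide 34: t = g^k, s = (m - N*t)/k mod (p-1), which needs gcd(k, p-1) = 1."""
    p, g, _ = pub
    while True:
        k = rng.randrange(1, p - 1)
        if math.gcd(k, p - 1) == 1:
            break
    t = pow(g, k, p)
    s = (m - N * t) * pow(k, -1, p - 1) % (p - 1)
    return t, s


def verify(pub, m, sig):
    """Slide 29 / 34: accept iff y^t * t^s = g^m mod p, after the range check."""
    p, g, y = pub
    t, s = sig
    if not (0 < t < p and 0 <= s < p - 1):
        return False
    return pow(y, t, p) * pow(t, s, p) % p == pow(g, m % (p - 1), p)


def roundtrip(p, g, M, rng=random):
    """Generate keys, encrypt M, decrypt it again; returns the recovered M."""
    N, pub = keygen(p, g, rng)
    E, d = encrypt(pub, M, rng)
    return decrypt(pub, N, E, d)


if __name__ == "__main__":
    print(is_primitive_root(2, 10007), is_primitive_root(5, 10007))   # False True
    N, pub = keygen(10007, 5)
    sig = sign(pub, N, 1234)
    print(roundtrip(10007, 5, 4242), verify(pub, 1234, sig), verify(pub, 1235, sig))
```

The check in verify works because y^t * t^s = g^(Nt) * g^(ks) = g^(Nt + ks), and the exponent is congruent to m modulo p-1, the order of g. A fresh k with gcd(k, p-1) = 1 is required for every signature; reusing k lets anyone solve the two signing equations for N, which is one of the "careless choices" slide 35 warns about.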

  35. Security threats for signatures
      • Hellman-Pohlig-Silver algorithm.
      • Covert channels used to leak private keys.
      • Signature trapdoors by the key designers.
      • Careless choice of the primitive root.

  36. a = x^2 mod p, p prime and 0 < a < p
      • Definition: a is a quadratic residue of p if a = x^2 mod p has a solution. Else, a is a quadratic non-residue of p.
      • Definition: Legendre(a,p) = 1 if a is a quadratic residue of p, -1 otherwise.

  37. Quadratic Reciprocity
      • Theorem: If Legendre(a,p) = 1 then a = x^2 mod p has exactly two solutions. If p mod 4 = 3, then exactly one of these two solutions is also a quadratic residue of p.
      • Theorem [Quadratic Reciprocity]: For odd prime numbers p and q, Legendre(p,q) * Legendre(q,p) = (-1)^((p-1)(q-1)/4).

  38. Solving a = x^2 mod p
      • Theorem [Euler]: If p mod 4 = 3 and Legendre(a,p) = 1, then b = a^((p+1)/4) mod p solves a = x^2 mod p, and b is a quadratic residue of p.
      • For p mod 4 = 1, the Tonelli-Shanks algorithm can be used to compute solutions when they exist. This algorithm depends on first finding a quadratic nonresidue of p.
      • Theorem: For each M there are infinitely many primes p such that M < least quadratic nonresidue of p < p-M.
      • Theorem: For each prime p, the least quadratic nonresidue of p is below 1 + p^(1/2).
      • Theorem [ERH]: For each prime p there is a quadratic nonresidue of p of size O(ln(p)^2).

  39. Tonelli-Shanks algorithm
      • Given a quadratic nonresidue, the algorithm finds a square root in time O(ln(p)^4).
      • There is no known deterministic polynomial time algorithm for finding a quadratic nonresidue.
      • For each e > 0 there is a polynomial time algorithm that finds a nonresidue with probability > 1-e:
        a. Randomly choose n < p [50% chance of a nonresidue].
        b. Check in O(ln(p)^3) time if n is a nonresidue.
        This is a non-deterministic polynomial time algorithm. ERH indicates a deterministic polynomial time algorithm.
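Slides 36 through 39 together give a complete square-root procedure modulo p, which is what finding a point on an elliptic curve (slides 45 and 47) needs. The block below is an added example, not the slides' code: the Legendre symbol by Euler's criterion (the O(ln(p)^3) check of step b), the randomized nonresidue search of step a, Euler's formula for p mod 4 = 3 (slide 38), and Tonelli-Shanks for p mod 4 = 1. The sample primes 7, 13 and 998244353 (which has p-1 = 2^23 * 7 * 17, so the Tonelli-Shanks loop actually iterates) are constructed.

```python
import random


def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is 1 for a residue, p-1 for a
    nonresidue (and 0 when p | a). One modular exponentiation, O(ln(p)^3)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def random_nonresidue(p, rng=random):
    """Slide 39: each random draw is a nonresidue with probability about 1/2,
    so after t draws the failure probability is about (1/2)^t."""
    while True:
        n = rng.randrange(2, p)
        if legendre(n, p) == -1:
            return n


def sqrt_mod(a, p, rng=random):
    """A solution x of a = x^2 mod p, or None when a is a nonresidue.
    p = 3 mod 4: Euler's formula a^((p+1)/4) (slide 38).
    p = 1 mod 4: Tonelli-Shanks, seeded with a random nonresidue."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                      # p-1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    c = pow(random_nonresidue(p, rng), q, p)
    x = pow(a, (q + 1) // 2, p)          # candidate root
    t = pow(a, q, p)                     # x^2 / a; the loop drives t to 1
    m = s
    while t != 1:
        i, t2 = 0, t                     # least i with t^(2^i) = 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        x = x * b % p
        c = b * b % p
        t = t * c % p
        m = i
    return x


def roots(a, p, rng=random):
    """Both solutions of slide 37's theorem, x and p - x, sorted; None if there are none."""
    x = sqrt_mod(a, p, rng)
    return None if x is None else sorted({x, (p - x) % p})


if __name__ == "__main__":
    print(legendre(2, 7), legendre(3, 7))          # 1 -1
    print(roots(2, 7), legendre(4, 7))             # [3, 4] 1: the Euler root 4 is itself a residue
    print(roots(10, 13), roots(4, 998244353)[0])
```

For p = 7 the two roots of 2 are 3 and 4; Euler's formula returns 4 = 2^2, and 4 is a residue while 3 is not, which is the "exactly one of the two" statement of slide 37. The nonresidue search is the only random step, so with a fixed nonresidue the whole routine is deterministic and runs in O(ln(p)^4) as slide 39 states.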

  40. Elliptic Curves over Zp, p > 3
      • Consider equations of the form y^2 = x^3 + ux^2 + vx + w with u, v, w in Zp. Examples over the real line.
      • With appropriate substitutions these are equivalent to E: y^2 = x^3 + a*x + b, with a, b in Zp.
      • If 4a^3 + 27b^2 mod p is nonzero we say: “E is an elliptic curve over Zp”.

  41. E/Zp for 4a^3 + 27b^2 mod p nonzero
      • The solutions in Zp x Zp of E: y^2 = x^3 + ax + b, with a, b in Zp, together with the extraneous point O, form the set denoted E/Zp.
      • There is an Abelian group operation on E/Zp.
      • For A = [x1,y1] and B = [x2,y2] in E/Zp define:
        If A = B: L = (3x1^2 + a)/(2y1)
        Else: L = (y2 - y1)/(x2 - x1)

  42. Group operation
      • A + O = A = O + A
      • If x1 = x2 but y1 is not y2: A + B = O.
      • Else: A + B = [x3,y3] where x3 = L^2 – x1 – x2 and y3 = y1 – L(x1 – x3).

  43. Trace of Frobenius
      t = | |E/Zp| - (p+1) |
      Definition:
      • If t = 1: E/Zp is anomalous.
      • If t mod p = 0: E/Zp is supersingular.
      Theorem [Hasse]: t < 2 sqrt(p) + 1.
      Theorem:
      • p mod 4 = 3: E/Zp is supersingular exactly if b = 0.
      • p mod 4 = 1: E/Zp is supersingular exactly if a = 0.

  44. The structure of E/Zp
      Theorem: E/Zp is isomorphic to Zd x Ze where d divides gcd(e, p-1). (d = 1 is possible.)
      Definition: E/Zp[m] = {a in E/Zp : m*a = O}.
      Theorem: If m mod p > 0 then E/Zp[m] is isomorphic to Zm x Zm.

  45. Computational Complexity and E/Zp
      • Group operation: O(ln(p)^2), polynomial time.
      • Group order: O(ln(p)^8), polynomial time (Schoof’s algorithm).
      • Finding a point in E/Zp: Opr(ln(p)^4), probabilistic polynomial time.
      Examples

  46. Discrete logarithms and E/Zp
      • Anomalous: O(ln(p)), polynomial time.
      • Supersingular: L_k(1/3, c) where c = (64/9)^(1/3) and k = p^n, some “small” n. Subexponential but superpolynomial time.
      • General: O(e^(C ln(p))), exponential time.
      The Hellman-Pohlig-Silver algorithm also applies to E/Zp.

  47. Koblitz embedding for E/Zp
      • Probabilistic parameter k: 30 < k < 51.
      • Embedding F into Zp: range values below p/k.
      • To embed m: search for x in [mk, (m+1)k) with [x,y] in E/Zp for some y. This [x,y] is the image of m.
      • Probability of failure about (1/2)^k.

  48. Recovering m from a Koblitz point
      m = floor(x/k).

  49. El-Gamal on Elliptic Curve Groups
      • Public Key: E/Zp, g in E/Zp, y (= N*g). (Specify p, a, b for E/Zp.)
      • Private Key: N with 0 < N < |<g>|.

  50. EC El-Gamal Key Generation
      • Selection of prime number p
      • Selection of parameters a and b
      • Selection of point g: Opr(ln(p)^4)
      • Selection of private key N
      • Computation of y: O(ln(N) ln(p)^3)
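Slides 41 and 42 define the group law, slides 47 and 48 the Koblitz embedding, and slides 49 and 50 El-Gamal on E/Zp; together they are one procedure, carried through below as an added example (not the slides' own code). The curve y^2 = x^3 + 2x + 3 over Z_p with p = 1000003 is a constructed toy, chosen with p mod 4 = 3 so that the square root needed to find a point is Euler's formula from slide 38; k = 32 is a Koblitz parameter in the slide's range. Two assumptions beyond the slides: the addition formula uses the standard y3 = L(x1 - x3) - y1, and because the group order |<g>| is not computed here (that is Schoof's algorithm, slide 45), the private key N and the nonce R are drawn below p rather than below |<g>|.

```python
import random

# Constructed toy curve (not from the slides): y^2 = x^3 + 2x + 3 over Z_p,
# p = 1000003 (prime, p = 3 mod 4 so square roots come from Euler's formula).
P, A, B = 1000003, 2, 3
if (4 * A**3 + 27 * B**2) % P == 0:          # slide 40: the curve must be nonsingular
    raise ValueError("singular curve")
K = 32                                        # Koblitz parameter, 30 < k < 51
O = None                                      # the extraneous point O (identity)


def point_with_x(x):
    """Return [x, y] on E if x^3 + ax + b is a square mod p, else None."""
    rhs = (x**3 + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)             # Euler's root, valid since p = 3 mod 4
    return (x, y) if y * y % P == rhs else None


def ec_neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % P)


def ec_add(p1, p2):
    """Chord-and-tangent law of slides 41-42 (with y3 = L(x1 - x3) - y1)."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:       # p2 = -p1, including a point with y = 0
        return O
    if p1 == p2:
        L = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        L = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (L * L - x1 - x2) % P
    y3 = (L * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """k*pt by double-and-add: O(ln k) group operations, as on slide 50."""
    acc = O
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def koblitz_embed(m):
    """Slide 47: search x in [m*k, (m+1)*k) for a curve point; needs m < p/k."""
    if not 0 <= m < P // K:
        raise ValueError("m out of range for this p and k")
    for x in range(m * K, (m + 1) * K):
        pt = point_with_x(x)
        if pt is not None:
            return pt
    return None                               # happens with probability about (1/2)^k


def koblitz_decode(pt):
    """Slide 48: m = floor(x / k)."""
    return pt[0] // K


BASE = next(pt for pt in map(point_with_x, range(1, P)) if pt)   # the point g


def ec_keygen(rng=random):
    """Slide 49: private N, public y = N*g. N is drawn below p (assumption, see lead-in)."""
    N = rng.randrange(1, P)
    return N, ec_mul(N, BASE)


def ec_encrypt(y, M, rng=random):
    """El-Gamal on E/Z_p: E = M + R*y, d = R*g; send (E, d)."""
    R = rng.randrange(1, P)
    return ec_add(M, ec_mul(R, y)), ec_mul(R, BASE)


def ec_decrypt(N, E, d):
    """M = E - N*d."""
    return ec_add(E, ec_neg(ec_mul(N, d)))


def roundtrip(m, rng=random):
    """Embed m, encrypt, decrypt, recover m."""
    N, y = ec_keygen(rng)
    E, d = ec_encrypt(y, koblitz_embed(m), rng)
    return koblitz_decode(ec_decrypt(N, E, d))


if __name__ == "__main__":
    print(BASE, koblitz_embed(12345), roundtrip(12345))
```

The associativity check (3g + 5g = 8g) in the test below is the quick way to catch a wrong sign in y3: with the negated formula the sums no longer agree. Decryption works because N*d = N*(R*g) = R*(N*g) = R*y, the same point Alice added.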
