Cryptosystem Properties
• Recall that among the desirable properties for a cryptosystem are authentication and non-repudiation
• Authentication means being able to determine the author from the message
• Non-repudiation means that it is possible to prove that the message came from the author (who cannot “repudiate” the message)
• In public-key systems, one cannot determine the author nor, if one knows who the author is, prove that the author sent the message
• Thus we need more steps to ensure authentication and non-repudiation

Authentication and Non-repudiation
• To ensure authentication and non-repudiation, the general approach is as follows:
• Let $E_{bob}$, $E_{alice}$ be the public encryption functions for Bob and Alice, respectively, and let $D_{bob}$, $D_{alice}$ be their private decryption functions.
• Alice starts with message x and computes $y = E_{bob}(D_{alice}(x))$ and sends it to Bob
• Bob then recovers x by computing $E_{alice}(D_{bob}(y))$
• Bob knows that Alice sent the message since no one else could have computed $D_{alice}$.
• For the same reason, Alice cannot deny having sent the message.

RSA Version
• Assume that Bob has public key $(e_{bob}, m_{bob})$ and private key $(d_{bob}, m_{bob})$.
• Similarly, Alice has public key $(e_{alice}, m_{alice})$ and private key $(d_{alice}, m_{alice})$.
• Assume that $m_{bob} < m_{alice}$
• As always, Bob encodes his message as a string of integers each of which is less than $m_{bob}$.
• For each integer x in the string, he then computes $y = (x^{d_{bob}} \bmod m_{bob})^{e_{alice}} \bmod m_{alice}$
• Alice deciphers each y by computing $(y^{d_{alice}} \bmod m_{alice})^{e_{bob}} \bmod m_{bob} = x$

RSA Version
• When Alice wishes to send a message to Bob, she sends $(x^{e_{bob}} \bmod m_{bob})^{d_{alice}} \bmod m_{alice}$
• Thus each person uses his or her private key and the other’s public key.
• Enciphering is done by using the smaller modulus first, then the larger modulus
• What happens if enciphering starts with the larger modulus first?
• It is possible that $x^{e_{alice}} \bmod m_{alice} > m_{bob}$, and thus information might be lost when you reduce modulo $m_{bob}$
• Deciphering is done by using the larger modulus first
• If Oscar intercepts Alice’s message, he could modify it to make it appear that he had sent the message (although he doesn’t know what the message is)
• All Oscar has to do is apply Alice’s encryption method, then his own decryption method.
• There are several solutions. One is to publish two keys, sending and receiving, with all send-keys in a range less than the range for all receive-keys

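The modulus-ordering point above, as an added example that is not part of the original slides: it runs the Bob-to-Alice exchange in both orders over every possible block and lists the blocks that fail to round-trip. The primes and exponents are toy values constructed for the example, and the function names are assumptions.

```python
# Toy RSA keys constructed for this example; far too small for real use.
def make_key(p, q, e):
    m = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return e, d, m

E_BOB, D_BOB, M_BOB = make_key(11, 13, 7)        # m_bob = 143
E_ALICE, D_ALICE, M_ALICE = make_key(17, 19, 5)  # m_alice = 323 > m_bob

# Order from the slides: smaller modulus first when enciphering ...
def send_small_first(x):
    return pow(pow(x, D_BOB, M_BOB), E_ALICE, M_ALICE)

# ... and larger modulus first when deciphering.
def recv_large_first(y):
    return pow(pow(y, D_ALICE, M_ALICE), E_BOB, M_BOB)

# Reversed order: encipher with the larger modulus first.
def send_large_first(x):
    return pow(pow(x, E_ALICE, M_ALICE), D_BOB, M_BOB)

def recv_small_first(y):
    return pow(pow(y, E_BOB, M_BOB), D_ALICE, M_ALICE)

def lost_messages(send, recv):
    """Blocks x < m_bob that do not survive a send/receive round trip."""
    return [x for x in range(M_BOB) if recv(send(x)) != x]

def overflowing_inputs():
    """Blocks whose intermediate value x^e_alice mod m_alice does not fit below m_bob."""
    return [x for x in range(M_BOB) if pow(x, E_ALICE, M_ALICE) >= M_BOB]

if __name__ == "__main__":
    print("lost, smaller modulus first:", len(lost_messages(send_small_first, recv_large_first)))
    print("lost, larger modulus first: ", len(lost_messages(send_large_first, recv_small_first)))
```

The blocks lost in the reversed order are exactly those whose intermediate value is at least $m_{bob}$, which is the information loss the slide describes.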
RSA Signatures
• A variation on the previous ideas is for Alice to double the size of her message by adding a “digital signature” that is unique to the message
• She does so by sending a pair (x,y) where x is the encrypted message and $y = x^{d_{alice}} \bmod m_{alice}$
• The value y is thought of as Alice’s signature
• Bob can verify that the message came from Alice by computing $y^{e_{alice}}$
• He accepts the signature as valid if and only if the result equals x
• If Eve intercepts, replaces x with her message $x_1$ and sends it to Bob, he will know the message did not come from Alice since $y^{e_{alice}} \neq x_1$
• Another attack is for Eve to choose $y_1$ first, then set $x_1 = y_1^{e_{alice}}$. Since $x_1^{d_{alice}} = y_1$, Alice would then have a hard time denying having sent the message.
• However, it is extremely unlikely that $x_1$ will be a meaningful message and the forgery is detectable.

Blind Signatures
• A variation on the previous method allows Alice to sign a document without knowing its contents. Let x be the document to be signed.
• Alice chooses p, q, m, e, d as usual for an RSA scheme and publishes m and e.
• Bob chooses a random integer k (mod m) with gcd(k,m) = 1. He then computes $t = k^e x \pmod m$ and sends it to Alice
• Alice signs t by computing $s \equiv t^d \pmod m$ and sends it to Bob
• Bob computes s/k (mod m). This is the signed message $x^d$

Why? $s \equiv t^d \equiv (k^e x)^d \equiv (k^e)^d x^d \equiv k^{ed} x^d \equiv k x^d \pmod m$, so $s/k \equiv x^d \pmod m$.

Since k is chosen at random, so is its RSA encryption $k^e$, and hence so is $k^e x$, a multiple of a random integer. Therefore $k^e x$ gives essentially no information about x.

Thus Alice knows nothing about what she has signed (dangerous!)

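The signature check and the blinding steps from the two slides above, as an added example that is not part of the original slides. Alice's key is a toy key constructed for the example, and the function names are assumptions.

```python
from math import gcd

# Alice's toy RSA key, constructed for this example; far too small for real use.
P, Q, E = 61, 53, 17
M = P * Q                              # public modulus m = 3233
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent d = 2753

def sign(x):
    """Alice: y = x^d mod m."""
    return pow(x, D, M)

def verify(x, y):
    """Bob: accept iff y^e mod m equals x."""
    return pow(y, E, M) == x % M

def message_from_signature(y1):
    """The y1-first case on the slide: x1 = y1^e mod m verifies against y1."""
    return pow(y1, E, M)

def blind(x, k):
    """Bob: t = k^e * x mod m, with k invertible mod m."""
    if gcd(k, M) != 1:
        raise ValueError("k must satisfy gcd(k, m) = 1")
    return (pow(k, E, M) * x) % M

def unblind(s, k):
    """Bob: s / k mod m, which equals x^d mod m."""
    return (s * pow(k, -1, M)) % M

def blind_sign_demo(x, k):
    t = blind(x, k)        # all that Alice sees
    s = sign(t)            # Alice signs t without learning x
    return t, unblind(s, k)

if __name__ == "__main__":
    t, sig = blind_sign_demo(1234, 99)
    print("blinded t:", t, " unblinded signature:", sig)
    print("same as signing x directly:", sig == sign(1234))
    print("verifies:", verify(1234, sig))
```

Because `message_from_signature` always produces a pair that passes `verify`, the check by itself only shows that x and y are consistent; rejecting the forgery relies on x1 not being a meaningful message, as the slide notes.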
Primitive Roots
• A primitive root for a prime p is an integer r having exactly p-1 distinct powers mod p.
• Example: 3 is a primitive root mod 7: $3^1 \equiv_7 3$, $3^2 \equiv_7 2$, $3^3 \equiv_7 6$, $3^4 \equiv_7 4$, $3^5 \equiv_7 5$, $3^6 \equiv_7 1$

Primitive Roots
• Proposition: Let g be a primitive root for a prime p.
• For any integer n, $g^n \equiv_p 1$ if and only if $n \equiv_{p-1} 0$
• For any integers j,k: $g^j \equiv_p g^k$ if and only if $j \equiv_{p-1} k$

Proof, Conclusion 1

First prove $n \equiv_{p-1} 0 \Rightarrow g^n \equiv_p 1$:
$n \equiv_{p-1} 0 \Rightarrow n = (p-1)m$ for some m $\Rightarrow g^n = g^{m(p-1)} = (g^m)^{p-1} \equiv_p 1$ (Fermat)

Next prove $g^n \equiv_p 1 \Rightarrow n \equiv_{p-1} 0$:
We want to show $p-1 \mid n$. Write $n = (p-1)q + r$ with $0 \le r < p-1$.
Then $1 \equiv_p g^n = (g^q)^{p-1} g^r \equiv_p 1 \cdot g^r = g^r$.
Suppose r > 0 and look at $g, g^2, \ldots, g^{r-1}, g^r \equiv_p 1, g^{r+1} \equiv_p g, \ldots$
Clearly, there are at most r distinct powers of g mod p, which contradicts the definition of a primitive root for p.
Thus r = 0, so we have that p-1 divides n, completing the proof of part 1.

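Primitive Roots
• Proposition: Let g be a primitive root for a prime p.
• For any integer n, $g^n \equiv_p 1$ if and only if $n \equiv_{p-1} 0$
• For any integers j,k we have $g^j \equiv_p g^k$ if and only if $j \equiv_{p-1} k$

Proof continued, Conclusion 2

Without loss of generality, we may assume that $j \ge k$.
only if: $g^j \equiv_p g^k \Rightarrow g^{j-k} \equiv_p 1 \Rightarrow j-k \equiv_{p-1} 0$ (by part 1) $\Rightarrow j \equiv_{p-1} k$
if: $j \equiv_{p-1} k \Rightarrow j-k \equiv_{p-1} 0 \Rightarrow g^{j-k} \equiv_p 1$ (by part 1) $\Rightarrow g^j \equiv_p g^k$
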
Discrete Logarithms
• Fix a prime p. Let and be nonzero integers mod p and suppose p x for some x.
• The problem of finding x is called the discrete logarithm problem
• If n is the smallest positive integer such that n p 1, we may assume $0 \le x < n$. In this case, we denote x = L()
• L() is called the discrete log of with respect to
• Example: For p = 11 we claim $L_2(9) = 6$. Proof: $2^6 = 64 \equiv_{11} 9$
• Of course all the numbers 6, 16, 26, … satisfy the exponential equation, but we take the least nonnegative value 6
• Often, is taken to be a primitive root of p so that every nonzero is a power of
• If is not a primitive root of p, there are nonzero values of for which the discrete logarithm is not defined

Discrete Logarithms
• If is a primitive root of p, then the usual product rule for logs holds for discrete logarithms: L(12) p-1 L(1) + L(2)
• While it is easy to compute exponents, it is apparently very hard to compute discrete logarithms
• This is similar to the fact that it is easy to multiply two large primes but difficult to factor such numbers
• In 2001, a discrete log was computed for a 110-digit prime, a record at that time
• At that time the record for factorization was 155 digits
• It is this “one-way” property that is exploited in public-key cryptosystems
• The ElGamal Cryptosystem is a public-key cryptosystem based on the discrete logarithm problem

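The primitive-root proposition, the p = 11 discrete log and the product rule, checked exhaustively for small primes in an added example that is not part of the original slides. The names g (base) and h (target value) and all function names are chosen for this example; the exhaustive search is only feasible because p is tiny.

```python
def powers(g, p):
    """Distinct values g^1, g^2, ... mod p, in order, until they start repeating."""
    seen, v = [], g % p
    while v not in seen:
        seen.append(v)
        v = (v * g) % p
    return seen

def is_primitive_root(g, p):
    """g is a primitive root for p iff it has exactly p-1 distinct powers mod p."""
    return len(powers(g, p)) == p - 1

def dlog(g, h, p):
    """Least x >= 0 with g^x = h (mod p), or None if h is not a power of g."""
    v = 1
    for x in range(p - 1):
        if v == h % p:
            return x
        v = (v * g) % p
    return None

def part1_holds(g, p):
    """Part 1 of the proposition: g^n = 1 (mod p) iff p-1 divides n."""
    return all((pow(g, n, p) == 1) == (n % (p - 1) == 0)
               for n in range(3 * (p - 1)))

def product_rule_holds(g, p):
    """L(h1*h2) = L(h1) + L(h2) (mod p-1) for all nonzero h1, h2."""
    return all(dlog(g, h1 * h2 % p, p) == (dlog(g, h1, p) + dlog(g, h2, p)) % (p - 1)
               for h1 in range(1, p) for h2 in range(1, p))

if __name__ == "__main__":
    print("powers of 3 mod 7:", powers(3, 7))
    print("log base 2 of 9 mod 11:", dlog(2, 9, 11))
    print("3 is a primitive root mod 11:", is_primitive_root(3, 11))
    print("log base 3 of 2 mod 11:", dlog(3, 2, 11))
```

With the base 3 mod 11, which is not a primitive root, part 1 fails (3^5 is 1 mod 11) and some values have no discrete log, matching the last bullet of the previous slide.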
ElGamal Cryptosystem
• In the ElGamal public-key cryptosystem, the plaintext elements are integers mod p but the ciphertext elements are pairs (r,t) of integers mod p
• Bob chooses a large prime p and a primitive root . Bob also chooses a secret integer a and computes = a (mod p)
• Bob’s public key is then (p, , )
• If Alice wishes to send a message x to Bob, where 0 < x < p, she does the following
• chooses a secret random integer k and computes r = k mod p
• computes t = kx mod p
• sends the pair (r,t) to Bob
• Bob decrypts by computing $t r^{-a} \bmod p$, which will be x: tr-a = kx(k)-a = (a)kx -ak p x

ElGamal Cryptosystem
• Obviously Bob must keep the value of a secret
• While , and p are public, the value r equals a and we rely on the difficulty of computing a from a for our security
• Also, since k is a random integer, so is k. Since x is multiplied by a random integer to get the second component of the ciphertext (r,t), knowledge of (r,t) gives no useful information about x
• It is important that different random integers are chosen as k for different messages.
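An ElGamal round trip and the reason for the last bullet, as an added example that is not part of the original slides. The prime, the primitive root, the secret a and the messages are toy values constructed for the example; the names G (primitive root) and h (Bob's public value) and the function names are assumptions.

```python
import secrets

P_MOD = 2579     # toy prime, constructed for this example
G = 2            # a primitive root mod 2579

def public_value(a):
    """Bob: public value h = g^a mod p for secret a."""
    return pow(G, a, P_MOD)

def encrypt(x, h, k=None):
    """Alice: ciphertext (r, t) = (g^k, h^k * x) mod p, with a fresh k by default."""
    if not 0 < x < P_MOD:
        raise ValueError("message must satisfy 0 < x < p")
    if k is None:
        k = secrets.randbelow(P_MOD - 2) + 1      # random k in [1, p-2]
    return pow(G, k, P_MOD), (pow(h, k, P_MOD) * x) % P_MOD

def decrypt(r, t, a):
    """Bob: x = t * r^(-a) mod p."""
    return (t * pow(r, -a, P_MOD)) % P_MOD

def same_k_used(c1, c2):
    """With g a primitive root and k in [1, p-2], equal first components mean equal k."""
    return c1[0] == c2[0]

def quotient(u, v):
    """u / v mod p."""
    return (u * pow(v, -1, P_MOD)) % P_MOD

if __name__ == "__main__":
    a = 765                       # Bob's secret, constructed for this example
    h = public_value(a)
    c = encrypt(1299, h)
    print("round trip:", decrypt(*c, a))
    # Constructed failure case: the same k for two different messages.
    c1, c2 = encrypt(1299, h, k=853), encrypt(2000, h, k=853)
    print("k reuse visible:", same_k_used(c1, c2))
    print("t1/t2 equals x1/x2:", quotient(c1[1], c2[1]) == quotient(1299, 2000))
```

When k repeats, the quotient of the second components equals the quotient of the plaintexts, so the pair (r,t) no longer hides x; comparing first components is a simple way to detect the reuse.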