Transcript Document
Chapter 10
Asymmetric-Key
Cryptography
10.1
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Objectives
To distinguish between two cryptosystems:
symmetric-key and asymmetric-key
To introduce trapdoor one-way functions and
their use in asymmetric-key cryptosystems
10.2
To introduce the knapsack cryptosystem as one of
the first ideas in asymmetric-key cryptography
To discuss the RSA cryptosystem
To discuss the Rabin cryptosystem
To discuss the ElGamal cryptosystem
To discuss the elliptic curve cryptosystem
10.1 INTRODUCTION
Symmetric and asymmetric-key cryptography
will exist in parallel and continue to serve the community.
We actually believe that
they are complements of each other;
the advantages of one can compensate
for the disadvantages of the other.
10.3
10.1 INTRODUCTION
The conceptual difference
between symmetric and asymmetric-key cryptography
are based on how these systems keep a secret.
In symmetric-key cryptography,
the secret must be shared between two persons.
In asymmetric-key cryptography,
the secret is personal (unshared);
each person creates and keeps his/her own secret.
Symmetric-key cryptography is based on sharing secrecy;
Asymmetric-key cryptography is based on personal secrecy.
10.4
10.1 INTRODUCTION
Some other aspects of security besides encipherment
that need asymmetric-key cryptography:
Authentication, Digital signature, etc.
Whenever an application is based on a personal secret,
we need asymmetric-key cryptography.
Whereas symmetric cryptography is based on
substitution and permutation of symbols
(characters or bits),
asymmetric-key cryptography is based
on applying mathematical function to numbers.
10.5
10.1.1 Keys
Asymmetric-key cryptography uses two separate keys:
one private and one public.
Figure 10.1 Locking and unlocking in asymmetric-key cryptosystem
10.6
10.1.2 General Idea
A secret key used in symmetric-key cryptography
is normally a string of symbols,
a private key used in asymmetric-key cryptography is
a number or a set of numbers.
Figure 10.2 General idea of asymmetric-key cryptosystem
10.7
Public-key distribution does not require secrecy,
but must provide authentication and integrity.
10.1.2 General Idea
Plaintext/Ciphertext
Unlike in symmetric-key cryptography,
plaintext and ciphertext are treated as integers
in asymmetric-key cryptography.
The message must be encoded as an integer
(or the set of integers) before encryption;
the integers must be decoded into the message
after decryption.
Asymmetric-key cryptography is normally used
to encrypt/decrypt small pieces of information,
such as the cipher key for symmetric-key cryptography.
10.8
10.1.2 General Idea
Encryption/Decryption
C = f (Kpublic , P)
P = g(Kprivate , C)
The encryption function f is used only for encryption;
the decryption function g is used only for encryption.
We will show that
the function f needs to be trapdoor one-way function
to allow Bob to decrypt the message
but to prevent Eve from doing so.
10.9
10.1.3 Need for Both
There is a very important fact
that is sometimes misunderstood:
The advent of asymmetric-key cryptography does not
eliminate the need for symmetric-key cryptography.
The asymmetric-key cryptography, which uses
mathematical functions for encryption and decryption,
is much slower than symmetric-key cryptography.
For encipherment of large messages,
symmetric-key cryptography is still needed.
However, asymmetric-key cryptography is still needed
for authentication, digital signatures,
and secret key exchanges.
10.10
10.1.4 Trapdoor One-Way Function
The main idea behind asymmetric-key cryptography is
the concept of the trapdoor one-way function.
Functions
Figure 10.3 A function as rule mapping a domain to a range
Invertible function : one-to-one
10.11
10.1.4 Trapdoor One-Way Function
One-Way Function (OWF)
A one-way function is a function that satisfies :
1. f is easy to compute.
2. f −1 is difficult to compute,
i.e., it is computationally infeasible to calculate x = f −1(y).
Trapdoor One-Way Function (TOWF)
A one-way function with the following property :
3. Given y and a trapdoor, x can be computed easily.
10.12
10.1.4 Trapdoor One-Way Function
Example 10. 1
When n is large, n = p × q is a one-way function.
Given p and q, it is always easy to calculate n;
given n, it is very difficult to compute p and q.
This is the factorization problem.
Example 10. 2
When n is large,
the function y = xk mod n is a trapdoor one-way function.
Given x, k, and n, it is easy to calculate y.
Given y, k, and n, it is very difficult to calculate x.
This is the discrete logarithm problem.
However, if we know the trapdoor, k′
such that k × k ′ = 1 mod f(n),
we can use x = yk′ mod n to find x.
10.13
10.1.5 Knapsack Cryptosystem
Definition
Given a = [a1, a2, …, ak ]
and
x = [x1, x2, …, xk].
Given a and x, it is easy to calculate s.
However, given s and a, it is difficult to find x.
The function knapsackSum is a one-way function
if a is a general k-tuple.
Superincreasing Tuple
ai ≥ a1 + a2 + … + ai−1
It is easy to compute knapsackSum and inv_knapsackSum
if the k-tuple a is superincreasing.
10.14
10.1.5 Knapsack Cryptosystem
10.15
10.1.5 Knapsack Cryptosystem
Example 10. 3
Assume that a = [17, 25, 46, 94, 201,400] and s = 272 are given.
Table 10.1 shows how the tuple x is found
using inv_knapsackSum routine in Algorithm 10.1.
In this case x = [0, 1, 1, 0, 1, 0],
which means that 25, 46, and 201 are in the knapsack.
10.16
10.1.5 Knapsack Cryptosystem
Secret Communication with Knapsacks.
Figure 10.4 Secret communication with knapsack cryptosystem
10.17
10.1.5 Knapsack Cryptosystem
Key Generation
a. Create a superincreasing k-tuple b = [b1, b2, . . ., bk].
b. Choose a modulus n, such that n > b1+ b2+ . . .+ bk.
c. Select a random integer r that relatively prime with n
and 1≤ r ≤ n -1.
d. Create a temporary k-tuple t = [t1, t 2, . . ., t k]
in which ti = rⅹbi mod n.
e. Select a permutation of k objects and
find a new tuple a = permute(t).
f. The public key is the k-tuple a.
The private key is n, r, and k-tuple b.
10.18
10.1.5 Knapsack Cryptosystem
Encryption
Suppose Alice needs to send a message to Bob.
a. Alice converts her message to a k-tuple x = [x1, x2, . . ., xk]
in which xi is either 0 or 1. The tuple is the plaintext.
b. Alice uses the knapsackSum to calculate s and
sends the value of s as ciphertext.
Decryption
Bob receives the ciphertext s.
a. Bob calculates s’ = r-1ⅹs mod n.
b. Bob uses the inv_knapsackSum to create x’.
c. Bob permutes x’ to find x.
The tuple x is the recovered plaintext.
10.19
10.1.5 Knapsack Cryptosystem
Example 10.4
This is a trivial (very insecure) example
just to show the procedure.
10.20
10.1.5 Knapsack Cryptosystem
Example 10.4 (Continued)
10.21
10.2 RSA CRYPTOSYSTEM
The most common public-key algorithm is
the RSA cryptosystem,
named for its inventors (Rivest, Shamir, and Adleman).
10.22
10.2.1 Introduction
RSA uses two exponents, e and d,
where e is public and d is private.
Figure 10.5 Complexity of operations in RSA
10.23
10.2.2 Procedure
Figure 10.6 Encryption, decryption, and key generation in RSA
10.24
10.2.2 Procedure
Two Algebraic Structures
Encryption/Decryption Ring: R = <Zn , +, × >
Key-Generation Group:
Key Generation
G = <Zf(n)∗, × >
e and d are created in such a way that d = e-1 mod f(n).
10.25
10.2.2 Procedure
10.26
10.2.2 Procedure
Encryption
10.27
10.2.2 Procedure
Decryption
10.28
10.2.2 Procedure
Proof of RSA
We can prove that
the encryption and decryption are inverses of each other
using the second version of Euler’s theorem:
Assume that the plaintext retrieved by Bob is P1
and prove that it is equal to P.
10.29
10.2.3 Some Trivial Examples
Example 10.5
Bob chooses 7 and 11 as p and q and calculates n = 77.
The value of f(n) = (7 − 1)(11 − 1) or 60.
Now he chooses two exponents, e and d, from Z60∗.
If he chooses e to be 13, then d is 37.
Note that e×d mod 60 = 1 (they are inverses of each other).
Now imagine that Alice wants to send the plaintext 5 to Bob.
She uses the public exponent 13 to encrypt 5.
Bob receives the ciphertext 26 and
uses the private key 37 to decipher the ciphertext:
10.30
10.2.3 Some Trivial Examples
Example 10.6
Now assume that
another person, John, wants to send a message to Bob.
John can use the same public key
announced by Bob (probably on his website), 13;
John’s plaintext is 63.
John calculates the following:
Bob receives the ciphertext 28 and
uses his private key 37 to decipher the ciphertext:
10.31
10.2.3 Some Trivial Examples
Example 10.7
Jennifer creates a pair of keys for herself.
She chooses p = 397 and q = 401. She calculates n = 159197.
She then calculates f(n) = 158400.
She then chooses e = 343 and d = 12007.
Show how Ted can send a message to Jennifer
if he knows e and n.
Solution
Suppose Ted wants to send the message “NO” to Jennifer.
He changes each character to a number (from 00 to 25),
with each character coded as two digits.
He then concatenates the two coded characters and
gets a four-digit number.
The plaintext is 1314.
Figure 10.7 shows the process.
10.32
10.2.3 Some Trivial Examples
Figure 10.7 Encryption and decryption in Example 10.7
10.33
10.2.4 Attacks on RSA
No devastating attacks on RSA have been yet discovered.
Several attacks have been predicted.
Figure 10.8 Taxonomy of potential attacks on RSA
10.34
10.2.4 Attacks on RSA
Factorization Attack
The security of RSA is based on the idea that
the modulus is so large that it is infeasible
to factor it in a reasonable time.
If Eve can factor n,
then she can calculate f(n) = (p − 1)(q − 1) and
Bob’s private key d (the trapdoor)
that can be used to decrypt any encrypted message.
To be secure, RSA presently requires that
n should be more than 300 decimal digits,
which means that the modulus must be
at least 1024 bits.
10.35
10.2.4 Attacks on RSA
Chosen-Ciphertext Attack
This attack is based on the multiplicative property of RSA.
Assume that Alice creates the ciphertext C = Pe mod n
and sends C to Bob.
Also assume that
Bob will decrypt an arbitrary ciphertext for Eve.
Eve intercepts C and uses the following steps to find P:
a.Eve chooses a random integer X in Zn*.
b.Eve calculates Y = C×Xe mod n.
c.Eve sends Y to Bob for decryption and get Z = Yd mod n;
This step is an instance of chosen-ciphertext attack.
d.Eve can easily find P because
10.36
10.2.4 Attacks on RSA
Attacks on the Encryption Exponent
To reduce the encryption time,
it is tempting to use a small encryption exponent e.
The common value for e is e = 3.
However, there are some potential attacks
on low encryption exponent.
To thwart these kinds of attacks,
it is recommended to use e = 216 +1 = 65537
(or a prime close to this value).
10.37
10.2.4 Attacks on RSA
Attacks on the Encryption Exponent (Continued)
Coppersmith Theorem Attack
This theorem states that
in a modulo-n polynomial f(x) of degree e, one can use
an algorithm of complexity log n to find the roots
if one of the roots is smaller than n1/e.
This theorem can be applied to the RSA cryptosystem
with C = f(P) = Pe mod n.
If e = 3 and
only two thirds of the bits in the plaintext P are known,
the algorithm can find all bits in the plaintext.
10.38
10.2.4 Attacks on RSA
Attacks on the Encryption Exponent (Continued)
Broadcast Attack
This attack can be launched if one entity sends
the same message to a group of recipients
with the same low encryption exponent.
Assume that Alice wants to send the same message
to three recipients with the same public exponent e = 3
and the moduli n1, n2, and n3.
10.39
10.2.4 Attacks on RSA
Broadcast Attack (Continued)
Applying the Chinese remainder theorem,
Eve can find an equation of the form C’ = P3 mod n1n2n3.
This implies that P3 < n1n2n3 and
then C’ = P3 is in regular (not modular) arithmetic.
Eve can find the value of P = C’1/3.
10.40
10.2.4 Attacks on RSA
Attacks on the Encryption Exponent (Continued)
Related Message Attack
This attack is discovered by Franklin Reiter.
Alice encrypts two plaintexts P1 and P2 with e = 3 and
sends C1 and C2 to Bob.
If P1 is related to P2 by linear function,
then Eve can recover P1 and P2
in a feasible computation time.
10.41
10.2.4 Attacks on RSA
Attacks on the Encryption Exponent (Continued)
Short Pad Attack
This attack is discovered by Coppersmith.
Alice has a message M to send to Bob.
She pads the message with r1, encrypts Mr1 to get C1 ,
and sends C1 to Bob.
Eve intercepts and drop it.
Bob informs Alice that he has not received the message, so
Alice pads the message again with r2, encrypts Mr2 to get C2,
and sends it to Bob.
Now Eve has C1 and C2, and she knows they both belongs
to the same message M.
Coppersmith proved that that
if r1 and r2 are short, Eve may be able to recover M.
10.42
10.2.4 Attacks on RSA
Attacks on the Decryption Exponent
Two form of attacks can be launched on decryption exponent:
revealed decryption exponent attack and
low decryption exponent attack.
10.43
10.2.4 Attacks on RSA
Attacks on the Decryption Exponent
Revealed Decryption Exponent Attack
If Eve can find the decryption exponent, d,
she can decrypt the current encrypted message.
Furthermore, Eve can use a probabilistic algorithm to factor n
and find the value of p and q.
If Bob changes only the compromised decryption exponent
but keeps the same modulus, n,
Eve will be able to decrypt future messages.
In RSA, if d is compromised,
then p, q, n, e, and d must be regenerated.
10.44
10.2.4 Attacks on RSA
Attacks on the Decryption Exponent (Continued)
Low Decryption Exponent Attack
Bob may think that using a small private-key d,
would make the decryption process faster for him.
Wiener showed that if d < 1/3 n1/4,
a special type of attack based on continuous fraction,
a topic discussed in number theory,
can jeopardize the security of RSA.
For this to happen, it must be the case that q < p < 2q.
If these two conditions exist,
Eve can factor n in polynomial time.
In RSA, the recommendation is to have d ≥ 1/3 n1/4
to prevent low decryption exponent attack.
10.45
10.2.4 Attacks on RSA
Plaintext Attacks
Plaintext and ciphertext in RSA are permutation of each other
because they are integers in the same interval (0 to n-1).
This means that Eve knows something about the plaintext.
This characteristic may allow some attacks on the plaintext.
Three attacks have been mentioned in the literature :
short message attack, cycling attack
unconcealed attack.
10.46
and
10.2.4 Attacks on RSA
Plaintext Attacks (Continued)
Short Message Attack
If Eve knows the set of all possible plaintexts,
she can find the plaintext for the intercepted ciphertext
by encrypting all of possible messages
until the result is the same.
For this reason,
short messages must be padded with random bits
at the front and the end before encryption
to thwart this type of attack.
Use of OAEP (Optimal Asymmetric Encryption Padding)
(will be discussed).
10.47
10.2.4 Attacks on RSA
Plaintext Attacks (Continued)
Cycling Attack
The cycling attack is based on the fact that
if ciphertext is a permutation of the plaintext,
the continuous encryption of the ciphertext
will eventually result in the plaintext.
When to stop?
Note that Eve does not know what the plaintext is.
If she goes one step further,
she can find the plaintext for the intercepted ciphertext.
10.48
10.2.4 Attacks on RSA
Plaintext Attacks (Continued)
Cycling Attack (Continued)
Eve can find the plaintext for the intercepted ciphertext,
but the complexity of this attack is equivalent
to the complexity of factoring n.
10.49
10.2.4 Attacks on RSA
Plaintext Attacks (Continued)
Unconcealed Message Attack
This attack is based on the permutation relationship
between plaintext and ciphertext.
It has been proven that
there are some (unconcealed) messages
that are encrypted themselves, such as P = 0 and P= 1.
Note that normally the encryption exponent is odd.
Although there are more,
if the encrypting exponent is selected carefully,
the number of unconcealed message is negligible.
Also the encrypting program can always check
if encrypted ciphertext is the same as the plaintext.
10.50
10.2.4 Attacks on RSA
Attacks on the Modulus
The main attack on RSA is the factorization attack.
The factorization attack can be considered
an attack on the low modulus.
We can consider another attack on the modulus.
Common Modulus Attack
This attack is can be launched
if community uses a common modulus, n.
Suppose that a trusted party selects p and q,
calculates n and f(n), and creates a pair (ei, di) for each entity.
10.51
10.2.4 Attacks on RSA
Common Modulus Attack (Continued)
Assume Alice needs to send a message to Bob.
C = PeB mod n
If Eve is a member of the community with (eE, dE),
Eve can decrypt C.
Using (eE, dE),
Eve can launch a probabilistic attack to factor n and find dB.
To thwart this type of attack,
the modulus must not be shared.
Each entity needs to calculate her/his own modulus.
10.52
10.2.4 Attacks on RSA
Attacks on Implementation
There are several attacks on the implementation of RSA.
the timing attack and the power attack.
Timing Attack
A ciphertext-only attack,
called the timing attack, demonstrated by Paul Kocher,
is based on the fast-exponential algorithm.
The time to “square and multiplication” (when the bit 1)
is longer than that of only “square” (when the bit is 0).
This timing difference allows Eve to find the value of bits in d,
one by one.
10.53
10.2.4 Attacks on RSA
Timing Attack (Continued)
Assume that Eve has intercepted
a large number of ciphertexts, C1 to Cm.
Also assume that Eve has observed how long it takes for Bob
to decrypt each ciphertext, T1 to Tm.
Eve, who knows how long it takes for underlying hardware
to calculate the multiplication operation,
calculates t1 to tm, where ti is the time to required to calculate
the multiplication operation Result = ResultⅹCi mod n.
Eve can use Algorithm 10.5,
a simplified version of the algorithm used in practice,
to calculate all bits in d.
10.54
10.2.4 Attacks on RSA
10.55
10.2.4 Attacks on RSA
Timing Attack (Continued)
There are two methods to thwart timing attack:
1.Add random delays to the exponentiations to make each
exponentiation take the same amount of time.
2.Rivest recommended blinding.
The idea is to multiply the ciphertext by a random number
before decryption as follows:
a. Select a secrete random number r between 1 and (n-1).
b. Calculate C1 = Cⅹre mod n.
c. Calculate P1 = C1d mod n.
d. Calculate P = P1ⅹr-1 mod n.
Power Attack
10.56
This attack is similar to the timing attack.
10.2.4 Attacks on RSA
Recommendations
The following recommendations are based
on theoretical and experimental results.
1.The number of bits for n should be at least 1024.
2.The two primes p and q must be at least 512 bits.
3.The values of p and q should not be very close to each
other.
4.Both of p-1 and q-1 should have at least one large prime
factor.
5.The ratio p/q should not be very close to a rational number
with a small numerator or denominator.
6.The modulus must not be shared.
10.57
10.2.4 Attacks on RSA
Recommendations (Continued)
7.The value of e should be 216+1 or an integer close to this
value.
8.If the private key d is leaked, Bob must immediately change
n as well as both e and d.
9.Message must be padded using OASP, discussed later.
10.58
10.2.6 OAEP
A short messages in RSA make the ciphertext
vulnerable to short message attacks.
It has been shown that
simply adding bogus data (padding) to the message
might make Eve’s job harder,
but with additional efforts she can still attack the ciphertext.
The solution proposed by the RSA group and some vendors
is to apply a procedure called
optimal asymmetric encryption padding (OAEP).
10.59
10.2.6 OAEP
Figure 10.9 Optimal asymmetric encryption padding (OAEP)
10.60
10.2.6 OAEP
Error in Transmission
If there is even a single bit error during transmission,
RSA will fail
If the received ciphertext is different from what was sent,
the receiver cannot determine the original plaintext.
The plaintext calculated at the receiver site
may be very different from the one sent by the sender.
The transmission media must be error-free by adding
error-detecting or error-correcting redundant bits
to the ciphertext.
10.61
10.2.6 OAEP
Example 10. 8
Here is a more realistic example.
We choose a 512-bit p and q, calculate n and f(n),
then choose e and test for relative primeness with f(n).
We then calculate d.
Finally, we show the results of encryption and decryption.
The integer p is a 159-digit number.
10.62
10.2.6 OAEP
Example 10. 8 (Continued)
The modulus n = p × q. It has 309 digits.
f(n) = (p − 1)(q − 1) has 309 digits.
10.63
10.2.6 OAEP
Example 10. 8 (Continued)
Bob chooses e = 35535 (the ideal is 65537) and
tests it to make sure it is relatively prime with f(n).
He then finds the inverse of e modulo f(n) and calls it d.
10.64
10.2.6 OAEP
Example 10. 8 (Continued)
Alice wants to send the message “THIS IS A TEST”,
which can be changed to a numeric value
using the 00−26 encoding scheme
(26 is the space character).
The ciphertext calculated by Alice is C = Pe, which is
10.65
10.2.6 OAEP
Example 10. 8 (Continued)
Bob can recover the plaintext from the ciphertext
using P = Cd, which is
The recovered plaintext is “THIS IS A TEST” after decoding.
Application
RSA can be used to encrypt and decrypt actual message,
but it is very slow if the message is long.
RSA is useful for short message.
We will see that RSA is used
in digital signature and authentication.
10.66
10.3 RABIN CRYPTOSYSTEM
The Rabin cryptosystem can be thought of
as an RSA cryptosystem
in which the value of e and d are fixed.
The encryption is C ≡ P2 (mod n) and
the decryption is P ≡ C1/2 (mod n).
The public key in the Rabin cryptosystem is n;
the private key is the tuple (p, q).
Decryption of the message is infeasible for Eve
without knowing the values p and q.
10.67
10.3 RABIN CRYPTOSYSTEM
Figure 10.10 Rabin cryptosystem
10.68
10.3.1 Procedure
Key Generation
Although the two primes, p and q, can be
in the form 4k+1 or 4k+3,
the decryption process becomes more difficult
if the first form is used.
It is recommended to use the second form.
10.69
10.3.1 Procedure
Encryption
Although the plaintext P can be chosen from the set Zn,
we have defined to be in the set Zn*
to make the decryption easier.
Encryption in the Rabin cryptosystem is
very simple and can be done quickly.
This is beneficial when resources are limited,
such as the smart cards
10.70
10.3.1 Procedure
Decryption
10.71
The Rabin cryptosystem is not deterministic:
Decryption creates four equally probable plaintexts.
However, in many situations,
the receiver can easily pick up the right answer.
10.3.1 Procedure
Example 10. 9
Here is a very trivial example to show the idea.
1. Bob selects p = 23 and q = 7.
Note that both are congruent to 3 mod 4.
2. Bob calculates n = p × q = 161.
3. Bob announces n publicly; he keeps p and q private.
4. Alice wants to send the plaintext P = 24.
Note that 161 and 24 are relatively prime; 24 is in Z161*.
She calculates C = 242 = 93 mod 161,
and sends the ciphertext 93 to Bob.
10.72
10.3.1 Procedure
Example 10. 9
5. Bob receives 93 and calculates four values:
a1 = +(93 (23+1)/4) mod 23 = 1 mod 23
a2 = −(93 (23+1)/4) mod 23 = 22 mod 23
b1 = +(93 (7+1)/4) mod 7 = 4 mod 7
b2 = − (93 (7+1)/4) mod 7 = 3 mod 7
6. Bob takes four possible answers,
(a1, b1), (a1, b2), (a2, b1), and (a2, b2),
and uses the Chinese remainder theorem
to find four possible plaintexts: 116, 24, 137, and 45.
Note that only the second answer is Alice’s plaintext.
Bob needs to make a decision based on the situation.
10.73
10.3.2 Security of the Rabin System
The Rabin system is secure as long as
p and q are large numbers.
The complexity of the Rabin system is at the same level
as factoring a large number n
into its two prime factors p and q.
In other words, the Rabin system is as secure as RSA.
10.74
10.4 ELGAMAL CRYPTOSYSTEM
Besides RSA and Rabin,
another public-key cryptosystem is ElGamal.
ElGamal is based on the discrete logarithm problem
discussed in Chapter 9.
Recall from Chapter 9 that
if p is a very large prime,
e1 is a primitive root in the group G = <Zp*, x>
and r is an integer,
then e2 = e1r mod p is easy to compute
using the fast exponential algorithm,
but given e2, e1, and p,
it is infeasible to calculate r = loge1e2 mod p
(discrete logarithm problem).
10.75
10.4.2 Procedure
Figure 10.11 Key generation, encryption, and decryption in ElGamal
10.76
10.4.2 Procedure
Key Generation
10.77
10.4.2 Procedure
Encryption
10.78
10.4.2 Procedure
Decryption
The bit-operation complexity of encryption or decryption
in ElGamal cryptosystem is polynomial.
10.79
10.4.3 Proof
Example 10.10
Bob chooses p = 11 and e1 = 2.
Then choose d = 3 and calculates e2 = e1d = 8.
So the public keys are (2, 8, 11) and the private key is 3.
Alice chooses r = 4 and calculates C1 and C2 for the plaintext 7.
Bob receives the ciphertexts (5, 6) and calculates the plaintext.
10.80
10.4.3 Proof
Example 10.11
Instead of using P = [C2 × (C1d)
−1]
mod p for decryption,
we can avoid the calculation of multiplicative inverse and
use P = [C2 × C1 p−1−d] mod p
(see Fermat’s little theorem in Chapter 9).
In Example 10.10,
we can calculate P = [6 × 5 11−1−3] mod 11 = 7 mod 11.
10.81
10.4.4 Analysis
In ElGamal cryptosystem, Alice creates r and keeps it secret;
Bob creates d and keeps it secret.
The puzzle of the cryptosystem can be solved as follows:
a. Alice sends C2 = [e2r × P] mod p = [(e1 rd) × P] mod p.
(e1 rd) facts as a mask that hides the value of P.
b. Bob needs to create a replica of the mask and
invert it to cancel the effect of the mask.
c. Alice also sends C1 = e1r to Bob, a part of the mask.
Bob needs to calculate C1d to make a replica of the mask
because C1d = (e1r )d = (e1 rd).
d. It might be said that Bob helps Alice make the mask (e1 rd)
without revealing the value d (e2 = e1d);
Alice helps Bob make the mask (e1 rd)
without revealing the value r (C1 = e1r).
10.82
10.4.5 Security of ElGamal
Two attacks have been mentioned for ElGamal cryptosystem
in the literature:
Attacks based on low modulus and known plaintext attacks
Low-modulus Attacks
If the value of p is not large enough,
Eve can use some efficient algorithm
to solve the discrete logarithm problem to find d or r.
If p is small, Eve can find d = loge1 e2 mod p and
can be used for decryption as long as
Bob uses the same keys.
Eve also can use the value C1 to find r = loge1 C1 mod p.
10.83
10.4.5 Security of ElGamal
Know-Plaintext Attack
If Alice uses the same random exponent r,
to encrypt two plaintexts P and P’,
Eve can discover P’ if she knows P.
Assume that C2 = P × (e1r) mod p and C2‘= P‘ × (e2r) mod p.
Eve finds P’ using the following steps:
1. (e2r) = C2 × P-1 mod p
2. P’ = C2‘ × (e2r)-1 mod p
It is recommended that Alice use a fresh value r.
For the ElGamal cryptosystem,
p must be at least 300 digits and
10.84
r must be new for each encipherment.
10.4.5 Security of ElGamal
Example 10.12
Bob uses a random integer of 512 bits (the ideal is 1024 bits).
The integer p is a 155-digit number (the ideal is 300 digits).
Bob then chooses e1, d, and calculates e2, as shown below:
Bob announces (e1, e2, p) as his public key
and keeps d as his private key.
10.85
10.4.5 Security of ElGamal
Example 10.12 (Continued)
Alice has the plaintext P = 3200 to send to Bob.
She chooses r = 545131, calculates C1 and C2,
and sends them to Bob.
Bob calculates the plaintext
P = C2 × ((C1)d)−1 mod p = 3200 mod p.
10.86
10.4.6
Application
ElGamal can be used whenever RSA can be used.
It is used for key exchange, authentication,
and encryption and decryption of small messages.
10.87
10.5 ELLIPTIC CURVE
CRYPTOSYSTEMS
Although RSA and ElGamal are
secure asymmetric-key cryptosystems,
their security comes with a price, their large keys.
Researchers have looked for alternatives that
give the same level of security with smaller key sizes.
One of these promising alternatives is
the elliptic curve cryptosystem (ECC).
10.88
10.5.1 Elliptic Curves over
Real Numbers
The general equation for an elliptic curve is
Elliptic curves over real numbers use
a special class of elliptic curves of the form
In the above equation, if 4a3+27b2 ≠ 0,
the equation represents a nonsingular elliptic curve;
otherwise, the equation represents a singular elliptic curves.
In a nonsingular elliptic curve,
the equation x3+ax+b=0 has three distinct roots.
10.89
10.5.1 Elliptic Curves over
Real Numbers
Example 10.13
Figure 10.12 shows two elliptic curves
with equations y2 = x3 − 4x and y2 = x3 − 1.
Both are nonsingular.
However, the first has three real roots (x = −2, x = 0, and x = 2),
but the second has only one real root (x = 1) and
two imaginary ones.
Figure 10.12 Two elliptic curves over a real field
10.90
10.5.1 Elliptic Curves over
Real Numbers
An Abelian Group
Define an abelian (commutative) group
using points on an elliptic curve.
For example, the points P=(2.0, 0.0), Q=(0.0, 0.0), R=(-2.0, 0.0),
S=(10.0, 30.98), and T=(10.0, -38.98) are all points
on the curve y2 = x3 − 4x.
The group in this case is G = <E, +>.
Operation
The specific properties of a nonsingular elliptic curve
allow us to define an addition operation
on the points of this curve.
10.91
10.5.1 Elliptic Curves over
Real Numbers
An Abelian Group (Continued)
The operation is the addition of two points on the curve
to get another point on the curve.
Figure 10.13 Three adding cases in an elliptic curve
10.92
10.5.1 Elliptic Curves over
Real Numbers
1.
2.
3. The intercepting point is at infinity;
a point O as the point at infinity or zero point,
which is the additive identity of the group.
10.93
10.5.1 Elliptic Curves over
Real Numbers
Properties of the Operation (addition)
1. Closure:
2. Associativity : (P+Q)+R = P+(Q+R)
3. Commutativity:
4. Existence of identity: The additive identity in this case
is the zero point, O.
5. Existence of inverse: the point P=(x1, y1) and Q =(x1, -y1)
are inverse of each other.
10.94
10.5.2 Elliptic Curves over GF(p)
Cryptography requires modular arithmetic.
We have defined an elliptic curve group
with addition operation,
but the operation on the coordinates of the point are
over GF(p).
We call resulting elliptic curve Ep(a, b),
where p is the modulus, a and b are coefficients
of the equation y2 = x3+ax+b.
Finding an Inverse
The inverse of a point (x, y) is (x, −y),
where −y is the additive inverse of y.
For example, if p = 13, the inverse of (4, 2) is (4, 11).
10.95
10.5.2 Elliptic Curves over GF(p)
Finding Points on the Curve
Algorithm 10.12 shows the pseudocode
for finding the points on the curve Ep(a, b).
10.96
10.5.2 Elliptic Curves over GF(p)
Example 10. 14
For curve E13(1, 1), the equation is y2 = x3 + x + 1 and
the calculation is done modulo 13.
Note that some values of y2 do not have a square root
in modulo 13 arithmetic.
Points with x=2, 3, 6, and 9 are not on the curve.
Figure 10.14 Points on an elliptic curve over GF(p)
10.97
10.5.2 Elliptic Curves over GF(p)
Adding Two Points
Example 10. 15
Let us add two points in Example 10.14, R = P + Q,
where P = (4, 2) and Q = (10, 6).
a.
λ = (6 − 2) × (10 − 4)−1 = 4 × 6−1 = 4 ×11 = 5 mod 13.
b. x = (52 − 4 −10) = 11 mod 13.
c.
y = [5 (4 −11) − 2] = 2 mod 13.
d. R = (11, 2), which is a point on the curve in Example 10.14.
Multiplying a Point by a Constants
Multiplying a point P on the elliptic curve by a constant k
means adding the point P to itself k time.
10.98
10.5.3 Elliptic Curves over GF(2n)
To define an elliptic curve over GF(2n),
one needs to change the cubic equation.
The common equation is
where b ≠ 0.
Note that the values of x, y, a, and b are polynomials
representing n-bit words.
Finding Inverses
If P = (x, y), then −P = (x, x + y).
Finding Points on the Curve
We can write an algorithm to find the points on the curve
using generators for polynomials discussed in Chapter 7.
10.99
10.5.3 Elliptic Curves over GF(2n)
Example 10.16
We choose GF(23) with elements {0, 1, g, g2, g3, g4, g5, g6}
using the irreducible polynomial of f(x) = x3 + x + 1,
which means that g3 + g + 1 = 0 or g3 = g + 1.
Other powers of g can be calculated accordingly.
The following shows the values of the g’s.
10.100
10.5.3 Elliptic Curves over GF(2n)
Example 10. 16 (Continued)
Using the elliptic curve y2 + xy = x3 + g3x2 + 1,
with a = g3 and b = 1,
we can find the points on this curve,
as shown in Figure 10.15.
Figure 10.15 Points on an elliptic curve over GF(2n)
10.101
10.5.3 Elliptic Curves over GF(2n)
Adding Two Points
1.If P = (x1, y1), Q = (x2, y2), Q ≠ −P, and Q ≠ P,
then R = (x3, y3)= P + Q can be found
as
2. If Q = P, then R = P + P (or R = 2P) can be found as
10.102
10.5.3 Elliptic Curves over GF(2n)
Example 10. 17
Let us find R = P + Q, where P = (0, 1) and Q = (g2, 1).
We have λ = 0 and R = (g5, g4).
Example 10. 18
Let us find R = 2P, where P = (g2, 1).
We have λ = g2 + 1/g2 = g2 + g5 = g + 1 and R = (g6, g5).
Multiplying a Point by a Constant
The points are added continuously.
We may use the rule for R = 2P.
10.103
10.5.4 ECC Simulating ElGamal
Figure 10.16 shows the simulation of ElGamal cryptosystem
using elliptic curve over GF(p) or GF(2n).
Figure 10.16 ElGamal cryptosystem using the elliptic curve
10.104
10.5.4 ECC Simulating ElGamal
Generating Public and Private Keys
E(a, b) ,
Encryption
Decryption
10.105
e1(x1, y1) ,
d,
e2(x2, y2) = d × e1(x1, y1)
10.5.4 ECC Simulating ElGamal
Example 10. 19
Here is a very trivial example of encipherment
using an elliptic curve over GF(p).
1. Bob selects E67(2, 3) as the elliptic curve over GF(p).
2. Bob selects e1 = (2, 22) and d = 4.
3. Bob calculates e2 = (13, 45), where e2 = d × e1.
4. Bob publicly announces the tuple (E, e1, e2).
5. Alice wants to send the plaintext P = (24, 26) to Bob.
She selects r = 2.
10.106
10.5.4 ECC Simulating ElGamal
Example 10. 19
(Continued)
6. Alice finds the point C1 = (35, 1), where C1 = r × e1.
7. Alice finds the point C2 = (21, 44), where C2 = P + r × e2.
8. Bob receives C1 and C2.
He uses 2 × C1 (35, 1) to get (23, 25).
9. Bob inverts the point (23, 25) to get (23, 42).
10. Bob adds (23, 25) with C2 = (21, 44)
to get the original P = (24, 26) .
10.107
10.5.4 ECC Simulating ElGamal
Comparison
a. The original algorithm uses a multiplicative group;
the simulation uses an elliptic group.
b. The two exponents in the original algorithm are
numbers in the multiplicative group;
the two multipliers in the simulation are points
on elliptic group.
c. The private key in each algorithm is an integer.
d. The secret numbers chosen by Alice in each algorithm
are integers.
e. The exponentiation in the original algorithm is replaced
by the multiplication of a point by a constant.
10.108
10.5.4 ECC Simulating ElGamal
f. The multiplication in the original algorithm is replaced by
the addition of a points.
g. The inverse in the original algorithm is
the multiplicative inverse in the multiplicative group;
the inverse in the simulation is
the additive inverse of a point on the curve.
h. Calculation is usually easier in the elliptic curve
because multiplication is simpler than exponentiation,
addition is simpler than multiplication,
and finding the inverse is much simpler
in the elliptic curve group than in a multiplicative group.
10.109
10.5.4 ECC Simulating ElGamal
Security of ECC
The security of ECC depends on
the difficulty of solving the elliptic curve logarithm problem.
Modulus Size
For the same level of security (computational effort),
the modulus, n, can be smaller in ECC than RSA.
For example, ECC over the GF(2n) with n of 160 bits
can provide the same level of security
as RSA with n of 1024 bits.
10.110