Cryptography: Public Key Systems
A.A. 2010/2011
Cryptography Part III
Public Key Systems
Michele Elia
Politecnico di Torino
C R Y P T O G R A P H Y
In the e-world a definition of cryptography is:
The art of information integrity
Besides confidentiality, information may need:
Integrity
Availability
Ubiquity
Authenticity (without secrecy)
Tracking
Secret key cryptography cannot solve large-scale problems that occur in civilian life:
1. Key Distribution Problem: two users need to share a common secret key. A channel for secret key exchange may not be available.
2. Key Management Problem: in a network of n users, every pair of users must share a secret key, for a total of n(n-1)/2 keys. If n is not small, the number of keys becomes unmanageable.
3. Digital Signature Problem: non-secret authentication and non-repudiation are the electronic counterparts of a hand-written signature; neither problem can be solved by a secret key system.
Diffie and Hellman
In 1976, Whitfield Diffie and Martin Hellman invented Public Key Cryptography (PKC) to address key management issues.
The basic idea was the exploitation of a concept already present in secret key systems: the ONE-WAY FUNCTION.
A naive definition of one-way function is:
A function $F: D \to U$ is one-way if three conditions are met:
1. It is one-to-one, that is, the inverse function $F^{-1}: U \to D$ exists and is unique.
2. It is easy to compute $Y = F(X)$ for every $X \in D$.
3. It is hard to compute $X = F^{-1}(Y)$ for almost every $Y \in U$.
Public key cryptography: In 25 years many one-way functions have
been put forward, all based on hard arithmetical problems.
Only four functions or principles have survived:
1. Prime factorization: it is easy to multiply two
primes, whereas it is hard to factor their product (Rabin)
2. Discrete Logarithm: it is easy to compute a power in a
cyclic group, whereas it is hard to find the exponent
3. Evaluation of the order of a group: it is possible and
easy to define a finite group, whereas the computation
of its order (number of its elements) may be hard
4. Decoding Linear Codes: it is easy to encode and to
corrupt the code word with noise, whereas it is hard
to recover the code word
One-Way functions vs. Hard Problems - status

Name            | Hard Problem            | Equivalent problem?
Rabin           | Factorisation           | Solve equations over rings
RSA             | Order of a group        | Factorisation?
Diffie-Hellman  | Diffie-Hellman problem  | Discrete logarithm?
El Gamal        | Discrete logarithm      |
McEliece        | Decoding linear codes   | Equivalent Goppa codes are difficult to decode?
Rabin: public key N = pq, message M
Encryption: $C = M^2 \bmod N$
Decryption: $M = C^{1/2} \bmod N$
p, q prime numbers (Blum primes, of the form 4k+3)
M relatively prime with p, q
Decryption is easy using the Chinese Remainder Theorem if p, q are known Blum primes, and is hard otherwise.
Rabin - 2
Decrypting is equivalent to solving $x^2 = C \bmod pq$.
CRT requires solving two equations over fields: $x^2 = C \bmod p$ and $x^2 = C \bmod q$.
If p and q are Blum primes then
$x_p = C^{(p+1)/4} \bmod p$ ; $x_q = C^{(q+1)/4} \bmod q$
The solution modulo N = pq is obtained as the linear combination
$x = \gamma_1 C^{(p+1)/4} + \gamma_2 C^{(q+1)/4} \bmod pq$,
where $\gamma_1 \equiv 1 \bmod p$ and $\gamma_2 \equiv 1 \bmod q$ (the CRT coefficients, with $\gamma_1 \equiv 0 \bmod q$ and $\gamma_2 \equiv 0 \bmod p$).
Rabin - 3
Cryptanalysis is equivalent to factoring:
If an oracle can compute the four square roots
$x_1 = \gamma_1 C^{(p+1)/4} + \gamma_2 C^{(q+1)/4} \bmod pq$
$x_2 = -\gamma_1 C^{(p+1)/4} - \gamma_2 C^{(q+1)/4} \bmod pq$
$x_3 = \gamma_1 C^{(p+1)/4} - \gamma_2 C^{(q+1)/4} \bmod pq$
$x_4 = -\gamma_1 C^{(p+1)/4} + \gamma_2 C^{(q+1)/4} \bmod pq$
then p is computed as the common factor between N = pq and $x_1 - x_3$, since
$x_1 - x_3 = 2\gamma_2 C^{(q+1)/4} \equiv 0 \bmod p$.
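The three Rabin slides above (encryption, CRT decryption with Blum primes, and the factoring equivalence) worked through in code. This is an added example, not part of the lecture notes; the primes 23 and 31 and the message 100 are constructed toy values, and the CRT coefficients gamma_1, gamma_2 are built with modular inverses.

```python
from math import gcd

# Constructed toy parameters: Blum primes (both 3 mod 4) and N = pq.
P, Q = 23, 31
N = P * Q

def rabin_encrypt(m, n=N):
    """C = M^2 mod N."""
    return pow(m, 2, n)

def crt_coefficients(p, q):
    """gamma_1 = 1 mod p and 0 mod q; gamma_2 = 0 mod p and 1 mod q."""
    n = p * q
    gamma_1 = q * pow(q, -1, p) % n
    gamma_2 = p * pow(p, -1, q) % n
    return gamma_1, gamma_2

def rabin_roots(c, p, q):
    """The four square roots of C modulo pq, using the Blum-prime exponents (p+1)/4 and (q+1)/4."""
    assert p % 4 == 3 and q % 4 == 3, "p and q must be Blum primes"
    n = p * q
    x_p = pow(c, (p + 1) // 4, p)   # root of C modulo p
    x_q = pow(c, (q + 1) // 4, q)   # root of C modulo q
    g1, g2 = crt_coefficients(p, q)
    x1 = (g1 * x_p + g2 * x_q) % n
    x2 = (-g1 * x_p - g2 * x_q) % n
    x3 = (g1 * x_p - g2 * x_q) % n
    x4 = (-g1 * x_p + g2 * x_q) % n
    return x1, x2, x3, x4

def rabin_decrypt_candidates(c, p=P, q=Q):
    """Legitimate decryption: the receiver knows p, q and gets the four candidates for M."""
    return rabin_roots(c, p, q)

def factor_from_roots(n, roots):
    """Slide 'Rabin - 3': x1 - x3 = 2*gamma_2*C^((q+1)/4) vanishes mod p, so gcd(N, x1 - x3) = p."""
    x1, _, x3, _ = roots
    return gcd(n, (x1 - x3) % n)
```

The receiver must still pick the right candidate among the four roots, which is why practical Rabin encryption adds redundancy to M.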
RSA: public key [N, E], message M
Let p, q be prime numbers and N = pq
Encryption: $C = M^E \bmod N$
Decryption: $M = C^D \bmod N$
M relatively prime with p, q
E relatively prime with the Euler totient function $\phi(pq) = (p-1)(q-1)$, and
$DE = 1 \bmod \phi(pq)$
Diffie-Hellman
Public parameters: $a \in \mathbb{Z}$, p prime
Alice: secret key X, public key $K_A = a^X \bmod p$
Bob: secret key Y, public key $K_B = a^Y \bmod p$
Alice-Bob: common key $K_{AB} = a^{XY} \bmod p$
McEliece
G generator matrix of a linear code (n, k, 2t+1) allowing an algebraic decoding algorithm
[Goppa codes $(2^m, 2^m - mt, 2t+1)$ are good candidates]
Bob: secret key (P, A, G)
Public key: a pair $(t, G_p)$, where $G_p = PGA$
P is an n × n permutation matrix
A is a k × k nonsingular matrix
McEliece continuation
Alice encryption: $E = G_p M + e$, where e is a random vector with fewer than t 1s
Bob decryption: $E_1 = P^T E$, $M_1 = E_1 + e$, where e results from an algebraic decoding
[With Goppa codes the Berlekamp-Massey algorithm is used]
Message recovery: $M = A^{-1} M_1$
Complexity
An axiomatic measure of complexity is missing.
Problem size is defined to be n, where n may be:
- number of variables
- number of equations
- number of bits for representing a parameter
A practical measure of complexity is a function f(n).
A problem is considered hard if $f(n) = a_0^n$.
A problem is considered easy if $f(n) = b_0 \log(n)$.
Frequently $f(n) = e^{g(n)}$ with $g(n) = [\log(n)]^{1/2}$, $n^{1/3} [\log(n)]^{1/3}$.
Chinese Remainder Theorem
Let $N = m_1 m_2 \cdots m_r$ be a product of r positive integers $m_i$ which are relatively prime.
Given a non-negative integer a not greater than N, the r remainders $a_i = a \bmod m_i$ can be computed easily.
The Chinese remainder theorem solves the problem of computing a given the r remainders $a_i$:
$a = a_1 g_1 + a_2 g_2 + \cdots + a_r g_r \bmod N$,
where $g_i = \gamma_i \prod_{j \ne i} m_j$ and $\gamma_i$ is the solution of $\gamma_i \prod_{j \ne i} m_j = 1 \bmod m_i$.
Chinese Remainder Theorem Properties
Let $a = (a_1, a_2, \ldots, a_r)$ and $b = (b_1, b_2, \ldots, b_r)$ be two numbers in $\mathbb{Z}_N$ decomposed according to the CRT. Then
$ab = (a_1 b_1, a_2 b_2, \ldots, a_r b_r)$
$a + b = (a_1 + b_1, a_2 + b_2, \ldots, a_r + b_r)$
$a^n = (a_1^n, a_2^n, \ldots, a_r^n)$
where the operations $a_i b_i$, $a_i + b_i$ and $a_i^n$ are performed modulo $m_i$.
In general the CRT reduces the complexity, since the operations are performed in domains of smaller cardinality.
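The CRT reconstruction formula and the componentwise properties of the two slides above, implemented for an arbitrary number of moduli. This is an added example, not code from the lecture notes; the moduli 3, 5, 7, 11 are constructed, and the weights g_i follow the slide's definition with gamma_i found as a modular inverse.

```python
from math import gcd, prod

# Constructed moduli: pairwise relatively prime, N = 3*5*7*11 = 1155.
MODULI = (3, 5, 7, 11)

def residues(a, moduli=MODULI):
    """Decompose a into (a_1, ..., a_r) with a_i = a mod m_i."""
    return tuple(a % m for m in moduli)

def crt_weights(moduli=MODULI):
    """g_i = gamma_i * prod_{j != i} m_j, where gamma_i * prod_{j != i} m_j = 1 mod m_i."""
    n = prod(moduli)
    weights = []
    for m in moduli:
        others = n // m                   # product of the moduli m_j with j != i
        assert gcd(others, m) == 1, "moduli must be pairwise relatively prime"
        gamma = pow(others, -1, m)        # inverse of that product modulo m_i
        weights.append(others * gamma % n)
    return tuple(weights)

def crt_reconstruct(res, moduli=MODULI):
    """a = a_1 g_1 + a_2 g_2 + ... + a_r g_r mod N."""
    n = prod(moduli)
    return sum(a_i * g_i for a_i, g_i in zip(res, crt_weights(moduli))) % n

def componentwise(op, ra, rb, moduli=MODULI):
    """Apply op to each residue pair, reducing modulo the matching m_i."""
    return tuple(op(x, y) % m for x, y, m in zip(ra, rb, moduli))

def properties_hold(a, b, exp, moduli=MODULI):
    """True if ab, a+b and a^exp computed residue-by-residue agree with the results modulo N."""
    n = prod(moduli)
    ra, rb = residues(a, moduli), residues(b, moduli)
    prod_ok = crt_reconstruct(componentwise(lambda x, y: x * y, ra, rb, moduli), moduli) == a * b % n
    sum_ok = crt_reconstruct(componentwise(lambda x, y: x + y, ra, rb, moduli), moduli) == (a + b) % n
    powers = tuple(pow(x, exp, m) for x, m in zip(ra, moduli))   # a_i^exp mod m_i
    pow_ok = crt_reconstruct(powers, moduli) == pow(a, exp, n)
    return prod_ok and sum_ok and pow_ok
```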
Electronic Signature
An electronic signature is based on the reverse use of a ONE-WAY function. It consists of a pair of numbers:
S: plain signature encoded as an integer
ES: electronic signature computed from S using a one-way function
It has the significance of an authentication mark.
Electronic Signature
Standard procedure to sign Bob's message M electronically:
1. A public key directory contains PK, the public key of the signatory Bob.
2. Bob computes a Digest from M using a hash function (one-way function).
3. Bob forms his signature by juxtaposing S = Name|Date|Digest|Random.
4. Bob computes the electronic signature ES by encrypting S with his private key PVK.
5. Bob's electronic signature (S, ES) is verified using Bob's public key PK.
Rabin signature: public key N = pq, message M
Secret signature: random R, and
signature (M, K, S), where $S = \sqrt{M \cdot (RE)}$ and $K = (RE)^2$
Verification: $S^4 \stackrel{?}{=} M^2 K^2$
The square root modulo N is assembled by CRT from the roots modulo p and modulo q:
$\sqrt{M \cdot (RE)} = \gamma_1 \left(\sqrt{M \cdot (RE)} \bmod p\right) + \gamma_2 \left(\sqrt{M \cdot (RE)} \bmod q\right)$
El Gamal signature: public key [p, g, k], message M
Secret signature: random m, and u, where $k = g^u \bmod p$
signature (M, a, b), where $a = g^m \bmod p$ and b is the solution of $bm + au = M \bmod (p-1)$
El Gamal signature: public key [p, g, k]
signature (M, a, b)
Verification: $g^M \stackrel{?}{=} a^b k^a \bmod p$
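The El Gamal signing equation $bm + au = M \bmod (p-1)$ and the verification $g^M = a^b k^a \bmod p$ from the two slides above, as an added example that is not part of the lecture notes. The parameters p = 467 and g = 2 are constructed toy values (p-1 = 2*233, so the generator check only needs those two factors); the range check on a in verify is a standard extra that the slide does not mention.

```python
import secrets
from math import gcd

# Constructed toy parameters: p = 467 is prime with p-1 = 2*233 and g = 2 generates Z_p^*.
P, G = 467, 2
P_MINUS_1_FACTORS = (2, 233)

def is_generator(g=G, p=P, factors=P_MINUS_1_FACTORS):
    """g generates Z_p^* iff g^((p-1)/r) != 1 mod p for every prime r dividing p-1."""
    return all(pow(g, (p - 1) // r, p) != 1 for r in factors)

def keygen(p=P, g=G):
    """Secret u, public k = g^u mod p."""
    u = secrets.randbelow(p - 2) + 1
    return u, pow(g, u, p)

def sign(msg, u, p=P, g=G):
    """Signature (a, b): a = g^m mod p and b the solution of b*m + a*u = M mod (p-1)."""
    while True:
        m = secrets.randbelow(p - 2) + 1
        if gcd(m, p - 1) == 1:          # m must be invertible modulo p-1 for b to exist
            break
    a = pow(g, m, p)
    b = (msg - a * u) * pow(m, -1, p - 1) % (p - 1)
    return a, b

def verify(msg, a, b, k, p=P, g=G):
    """Accept iff g^M = a^b * k^a mod p; a outside (0, p) is rejected before any arithmetic."""
    if not 0 < a < p:
        return False
    return pow(g, msg, p) == pow(a, b, p) * pow(k, a, p) % p
```

Because $a^b k^a = g^{mb + ua}$ and the exponent is reduced modulo p-1, the check passes exactly when b was computed from the signing equation with the same u.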
Digital Signature
Two main scopes:
- certify the authenticity of a public or secret message
- avoid repudiation
Uses:
- electronic locking/unlocking of doors
- electronic orders and payments
- networks or physical access
Algorithms:
- RSA
- Rabin
- El Gamal
Elliptic curves
Elliptic curves are algebraic curves endowed with a group structure that was discovered by Giulio Fagnano de Toschi in the eighteenth century.
Given two points P and Q on an elliptic curve E, a third point R on E is defined as the sum R = P + Q.
This property was exploited by Euler in his development of the elliptic integral theory.
In cryptography, elliptic curves are used as a rich source of Abelian groups.
Elliptic curves
The set of points of an elliptic curve E with coordinates in a finite field forms an Abelian group for the point sum.
Given P on E and an integer m, the point mP is defined as $mP = P + P + \cdots + P$ (m times).
The set of points mP forms a cyclic group where the discrete logarithm problem is hard:
It is easy to compute Q = mP.
It is hard to compute m from Q, given P.
Elliptic curve over a finite field $GF(p^m)$
An elliptic curve E consists of a set of points P = (x, y) whose coordinates satisfy
$Y^2 = X^3 + a_4 X + a_6$
where $a_4$, $a_6$, X and Y belong to $GF(p^m)$.
Hasse's theorem asserts that the number of points #E on E with coordinates in $GF(p^m)$ satisfies the inequality
$p^m + 1 - 2\sqrt{p^m} \le \#E \le p^m + 1 + 2\sqrt{p^m}$
In E an addition of points is defined as shown in the figure (not reproduced in this text).
The set E is a group for point addition
Given $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$, the sum is the point $P_3 = (x_3, y_3)$, written $P_3 = P_1 + P_2$.
Addition is
- Commutative and Associative.
- A point O exists which has the role of group identity: P = P + O.
Addition formulas
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda (x_1 - x_3) - y_1$
where
$\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$ if $P \ne Q$, and $\lambda = \dfrac{3 x_1^2 + a_4}{2 y_1}$ if $P = Q$.
Addition formulas over $GF(2^m)$: Non-Supersingular Curves
$y^2 + xy = x^3 + a_2 x^2 + a_6$
If $P \ne Q$:
$\lambda = \dfrac{y_1 + y_2}{x_1 + x_2}$
$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a_2$
$y_3 = \lambda (x_1 + x_3) + x_3 + y_1$
If $P = Q$:
$x_3 = x_1^2 + \dfrac{a_6}{x_1^2}$
$y_3 = x_1^2 + \left(x_1 + \dfrac{y_1}{x_1}\right) x_3 + x_3$
Duplication formulas are important
$nP = (b_s 2^s + b_{s-1} 2^{s-1} + \cdots + b_1 2 + b_0) P$
and
$2^s P = 2(2(2 \cdots))P$ (s times)
If $s = [\log_2 n]$ then 2s additions/duplications are sufficient to compute Q = nP: EASY
Given Q and P, to compute n: HARD
Group structure of E over $GF(p^m)$
Theorem 1 (Hasse)
$\#E = p^m + 1 - t$, with $|t| \le 2\sqrt{p^m}$
Theorem 2
Let E be an elliptic curve defined over $GF(p^m)$, where p is a prime. Then there exist integers n and k such that E is isomorphic to $\mathbb{Z}_n \oplus \mathbb{Z}_k$. Further $k \mid n$ and $k \mid (p^m - 1)$.
$\mathbb{Z}_n$ denotes a cyclic group of order n.
ECC - Elliptic Curve Crypto-system
Elliptic curves are used as a rich source of cyclic groups where the discrete logarithm problem is hard.
They are used to define a Diffie-Hellman public key scheme as follows:
Let P be a public fixed point of an elliptic curve E.
Let A = xP and x be Alice's public and secret keys, respectively.
Let B = yP and y be Bob's public and secret keys, respectively.
The common secret key is K = xyP.
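The prime-field addition formulas, the binary-expansion duplication method and the elliptic-curve Diffie-Hellman scheme of the slides above, combined in one runnable example. This is added code, not part of the lecture notes; the curve $y^2 = x^3 + 2x + 3$ over GF(97) (m = 1), the base point (3, 6) and the test scalars are constructed toy values.

```python
import secrets

# Constructed toy curve y^2 = x^3 + a4 x + a6 over GF(p) with p = 97 (m = 1);
# the identity O is represented by None.
P_MOD, A4, A6 = 97, 2, 3
BASE = (3, 6)                      # on the curve: 6^2 = 3^3 + 2*3 + 3 mod 97

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A4 * x + A6)) % P_MOD == 0

def add(p1, p2):
    """P3 = P1 + P2 from the slide: x3 = l^2 - x1 - x2, y3 = l(x1 - x3) - y1."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                          # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A4) * pow(2 * y1, -1, P_MOD)    # tangent slope, P = Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)            # chord slope, P != Q
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return x3, y3

def mul(n, pt):
    """nP via n = b_s 2^s + ... + b_0: one duplication per bit, one addition per 1-bit."""
    result, power = None, pt
    while n:
        if n & 1:
            result = add(result, power)
        power = add(power, power)      # 2^i P -> 2^(i+1) P
        n >>= 1
    return result

def ecdh_shared(x, y, base=BASE):
    """Alice (x) publishes A = xP, Bob (y) publishes B = yP; returns (xB, yA), both equal to xyP."""
    A, B = mul(x, base), mul(y, base)
    return mul(x, B), mul(y, A)

def ecdh_demo():
    """Same exchange with fresh random secret keys."""
    x = secrets.randbelow(P_MOD - 1) + 1
    y = secrets.randbelow(P_MOD - 1) + 1
    return ecdh_shared(x, y)
```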
Factorization
Gauss recognized that factorization is an important, though difficult, problem in arithmetic.
Fermat observed that $2^{2^n} + 1$ is prime for n = 0, 1, 2, 3, 4 and guessed that it was prime for every n.
At present, a more likely guess would be that no Fermat number is prime for n greater than 4.
RSA renewed the challenge to factor large numbers and inspired the development of recent factorization methods.
In 1977 Martin Gardner in Scientific American proposed cryptanalysing a message encoded with the RSA algorithm using a 129 digit number, product of two primes (Rivest).
In 1994 the number was factored into two primes of 64 and 65 digits and the message was decrypted.
The magic words are "squeamish ossifrage".
It is likely that the RSA problem is not equivalent to factoring.
Using lattice algorithms it is possible to break systems with small exponents E.
Small secret exponents D are weak.
It seems that 250 digit numbers cannot be factored in the near future.
250 digits is about 800 bits, which seems to be a reasonable size for absolutely secure keys.
A millennial evolution has shown that cryptography is a science rather than an art.
Today, the prophetic words of Adrian A. Albert at the opening of the 382nd Congress of the American Mathematical Society in 1939 are fully meaningful:
"We shall see that cryptography is more than a subject permitting mathematical formulation, for indeed it would not be an exaggeration to state that abstract cryptography is identical with abstract mathematics."
Bibliography
W. Diffie, M.E. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT-22, n. 6, November 1976, pp. 644-654.
C.E. Shannon, "Communication Theory of Secrecy Systems", BSTJ, vol. 28, 1949, pp. 656-715.
N. Koblitz, A Course in Number Theory and Cryptography, Springer, 1987.
J.A. Buchmann, Introduction to Cryptography, Springer, New York, 2000.
B. Schneier, Applied Cryptography, Wiley, 1996.
F. Fabris, Teoria dell'Informazione, Codici, Cifrari, Bollati Boringhieri, Torino, 2001.
R. Mollin, An Introduction to Cryptography, CRC, New York, 2007.
A.J. Menezes, P.C. van Oorschot, S.S. Vanstone, Handbook of Applied Cryptography, CRC, 1997.
R.A. Rueppel, Analysis and Design of Stream Ciphers, Springer, New York, 1986.
G.J. Simmons, Contemporary Cryptology: The Science of Information Integrity, IEEE Press, New York, 1992.