Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages
|
|
- Audrey West
- 6 years ago
- Views:
Transcription
1 Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. SUNG-MING YEN National Central University Dept. of Computer Science and Information Eng. Lab. of Cryptography and Information Security Jhong-Li, TAIWAN 3001, R.O.C. CHI-DIAN WU National Central University Dept. of Computer Science and Information Eng. Lab. of Cryptography and Information Security Jhong-Li, TAIWAN 3001, R.O.C. CHIH-TA LIN Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. Abstract: This paper considers both the security issues and fundamental properties of a recently proposed for encrypting large messages. This may be useful for communicating large messages since it reduces both computation and bandwidth requirement. However, the result of this paper shows that security level of this modified is different from that of the original ElGamal cryptosystem. Furthermore, fundamental weakness exists in this modified system, say successful decryption can not be guaranteed. Finally, we propose an enhancement on the security of the. Key Words: Carmichael s lambda function, Discrete logarithm, ElGamal cryptosystem, Primitive root. 1 Introduction Conventionally, symmetric-key cryptosystems, e.g., DES [1] and AES [], are used for bulk encryption where large messages need to be encrypted and decrypted. There are two major problems for symmetric-key cryptosystems. The first problem is about session key (secret key) distribution, and the second problem is the inability to provide undeniability. On the other hand, asymmetric-key cryptosystems, e.g., RSA [3] and ElGamal [4], are able to encrypt and decrypt messages as symmetric-key cryptosystems, and can solve the above two disadvantages of symmetric-key cryptosystems. Unfortunately, the performance of asymmetric-key cryptosystems is much inferior to that of symmetric-key cryptosystems. Therefore, hybrid cryptosystems are widely employed in such a way that symmetrickey cryptosystems are used for bulk encryption, and asymmetric-key cryptosystems are applied in order to distribute secret keys prior to the bulk encryption. However, in this situation we need two categories of cryptosystems to be implemented and coexist. In order to encrypt large messages efficiently by using asymmetric-key cryptosystems, an was proposed in [5]. This modified asymmetric-key cryptosystem certainly works much more efficiently than the original ElGamal cryptosystem when encrypting large messages. It was claimed [5] that both the original ElGamal and the s share the same security assumption, i.e., both are based on the intractability of solving discrete logarithm problem. However, no rigorous security proof nor functionality analysis was provided in [5]. The contribution of this paper is that thorough security consideration of the ElGamal-like extension [5] is provided. The result shows that the security level of this (although it is more efficient for encrypting large messages) is not equivalent to the original ElGamal cryptosystem [4], say more or less
2 weaker. Disadvantage of possible unsuccessful decryption is also pointed out in this paper. Furthermore, enhancement on both security and performance of the ElGamal-like extension are given. The result obtained in this paper can especially be useful to resource limited small devices, e.g., smart card, to achieve efficient bulk encryption as well as easy session key distribution with only one kind of cryptosystem. Review of the ElGamal-Like Cryptosystem for Encrypting Large Messages The original ElGamal cryptosystem [4] is reviewed as follows. A prime P and a primitive root (or called generator) g for ZZ P are selected. Each user, e.g., user u i, randomly selects his own secret key x i R [1, P ] and computes the related public key y i = g x i mod P. When encrypting a message m < P, the sender computes both s = g r mod P (where r R [1, P ]) and c = m yi r mod P (where y i is the public key of the receiver, say u i ). The receiver u i can decrypt the cipher (s, c) by computing m = c (s x i ) 1 mod P. In a recent work [5], the above original ElGamal cryptosystem was extended to facilitate large messages encryption, say a message m P where m denotes the bit length of m. The modified works as follows. The sender computes s 1 = g r 1 mod P and s = g r mod P (where r 1, r R [1, P ]) and c j = m j ([y r 1 i mod P ] [(y r i ) j mod P ]) mod P (in most of the following discussions, [y r 1 i mod P ] will be abbreviated as y r 1 i ) where denotes bitwise XOR operation and j = 1,,, t. Similar to the original ElGamal cryptosystem, the receiver u i decrypts the cipher (s 1, s, c j (j = 1,,, t)) by computing m j = c j (s x i 1 (sx i )j ) 1 mod P. The above modified cryptosystem may be useful for encrypting and transmitting large messages over the network since it offers low data expansion ratio (defined as ciphertext / plaintext ) and lower computational overhead when compared with the original ElGamal cryptosystem. Notice that the data expansion ratio of the original ElGamal cryptosystem is two, while the data expansion ratio of the is almost one for large t and thus saves communication bandwidth. 3 The Difference From the Original ElGamal Cryptosystem 3.1 Some remarks on the design of Some remarks on the design of will be given in the following which were missing in [5]. The system aims to generalize the Diffie-Hellman key exchange protocol [6] to enable the sharing of multiple keys between two parties. We notice that related topic has been considered in the literature [7] (or refer to the introduction of [8]) which requires the shared keys to be authenticated. Note that however in the original ElGamal cryptosystem (which extends Diffie-Hellman key exchange to an encryption), no shared key authentication is assumed. In the above, both s 1 = g r 1 mod P and s = g r mod P are employed trying to distribute multiple sessions keys, say t keys, by defining each shared session key to be (y r 1 i ) j ) mod P for j = 1,,, t. 3. Security analysis of the ElGamallike cryptosystem Some necessary fundamental results of number theory to be used in the following discussions will be reviewed. Given an odd prime P and a primitive root g when modulo P, any element in ZZ P can be represented by g k mod P for some integer k [1, P 1] (or k [0, P ]) [9]. Given integers n and g, the size of the largest cyclic group generated by g k mod n (for all integers k) is λ(n) where λ(n) is called Carmichael s lambda function of n [9]. Carmichael s theorem states that g λ(n) 1 (mod n) if gcd(g, n) = 1, and the order of g is a factor of λ(n). A related but seldom noticed result is that the smallest positive integer T for g T +1 g (mod n) if gcd(g, n) 1 (evidently g 1) is a factor of λ(n). Note that in this case, g has no order since no positive R can be found such that g R 1 (mod n). Theorem 1 Given an odd prime P and a primitive root g when modulo P, g j mod P (or more precisely g j mod P 1 mod P ) cannot generate all the elements in ZZ P where j = 1,,, P 1. Proof By the property that g k mod P (for all integers k [1, P 1] or k [0, P ]) can generate all the elements in ZZ P, in order to enable g j mod P 1 mod P to generate all the ele-
3 ments in ZZ P, we need j mod (P 1) to generate all the integers in [0, P ]. If P = 3, then j mod (P 1) = 0 for all integers j. For P > 3, because P 1 is not a prime and cannot have a primitive root to generate all the integers in [0, P ]. Based on Carmichael s theorem, the total number of integers generated by evaluating j mod (P 1), say T, is a factor of λ(p 1) which is always less than P 1. Therefore, T is always less than P 1. This proves the theorem. For example, let P = 7, we observe that j mod 6 generates {, 4} for all integers j in [1, 6] since the smallest positive integer T such that T +1 (mod 6) is two. In this example, λ(6) = λ( 3) = lcm(φ(), φ(3)) = lcm(1, ) = where φ(a) is Euler s totient function of a. The integer T is a factor of λ(6). In order to enhance the security of the ElGamal-like extension reported in [5], we need to select the prime P such that the smallest positive integer T for T +1 (mod P 1) is as large as possible. Theorem Given an odd prime P and a primitive root g when modulo P, the largest possible number of integers generated by evaluating g j mod P (j = 1,,, P 1) is P 1 1 Proof Let P = Q + 1 where Q is also an odd prime. Based on Carmichael s theorem, the total number of integers, say T, generated by evaluating j mod ( Q) is a factor of λ( Q) = lcm(φ(), φ(q)) = Q 1 = P 1 1. Therefore, T is at most P 1 1. It can be derived easily that if P is not in the form of P = Q + 1 with Q being a prime, i.e., Q is a composite integer, then λ(p 1) < Q 1. One good approach to select P of the to provide high security level is to employ the following Algorithm 1 to generate the prime P such that the smallest positive integer T for T +1 (mod P 1) is equal to P 1 1. However, we wish to emphasize that even if such P can be selected, security level of the ElGamal-like extension is still different from that of the original ElGamal cryptosystem. We will conclude this in the following remark. One further remark is that in all the above analysis, we assume that the public key y i of user u i is also a primitive root when modulo P. Note that this requires the user secret key x i to be relatively prime to P 1, i.e., gcd(x i, P 1) = 1 based on the basic property of number theory [9]. Input: some appropriate bit length of q Output: P repeat randomly select a prime q Q q + 1 P Q + 1 if (either Q or P is not a prime) then repeat again if ( T +1 (mod P 1) for T {1,, q}) then repeat again else appropriate P is found until (appropriate P is found) return P Figure 1: Algorithm for generation of P. In the original ElGamal cryptosystem, if y i is a primitive root, then it leads to yi r mod P (r is all the integers in [1, P 1]) is a permutation of all the integers within [1, P 1] [9]. So, for a specific message m the ciphertext c = m yi r mod P can be any integer within [1, P 1]. However, this is not the case for the ElGamal-like extension [5] since (y r 1 i ) j ) mod P is not a permutation of all the integers within [1, P 1] even if gcd(r, P 1) = 1 in order to let y r i mod P to be a primitive root modulo P. This can be seen from the result of Theorem and the fact that (y r 1 i ) j ) mod P can generate the same number of integers as that generated by (y r i ) j mod P. One thing to notice in Algorithm 1 is that we select P = Q + 1 where Q is also a prime which maximizes the probability to find r such that gcd(r, P 1) = 1 in order to let y r i mod P to be a primitive root modulo P [9]. Notice that the above restriction on gcd(r, P 1) = 1 in order to generate as many integers as possible by evaluating (y r i ) j mod P is different from that of the original ElGamal cryptosystem in which any integer r R [1, P ] is applicable. 3.3 Undecryptable cipher in the One of the fundamental design criteria of encryption system is that all ciphertext should be decryptable by the legitimate receiver. However, we find two possible reasons for the ElGamal-like ex-
4 tension [5] to be undecryptable for some cases. The first case is that when (y r 1 i (y r i ) j ) = P the ciphertext c j = m j P mod P = 0. This makes the plaintext m j impossible to recover. The second case is that when y r 1 i (y r i ) j (mod P ) which leads to (y r 1 i ) j ) = 0. This will occur when r 1 r j (mod w) if r 1 and r are not well selected where w is the order of y i when modulo P. Some precaution is possible but this implies that r 1 and r are not truly randomly selected in [1, P ]. Although some mechanism is possible to fix the above mentioned two disadvantages of undecryptable cipher, e.g., to increment j automatically if necessary, however it may more or less lead to either an irregular encryption/decryption process or somewhat reducing the security level because of the constraint of selecting parameters. 4 Possible Enhancement of Security One possible approach of security enhancement of the ElGamal-like extension is provided in the following. The sender computes s 1 = g r 1 mod P and s = g r mod P (where r 1, r R [1, P ]) and c j = m j (y r 1 i ) j ) mod P where j = 1,,, t. The above modified version has exactly the same performance as the original ElGamal-like extension in [5] since (y r i ) j mod P = (y r i ) j 1 (y r i ) mod P where (y r i ) j 1 mod P has been computed when preparing c j 1. In this enhanced, suppose that y i is a primitive root (this is also implicitly assumed in the original ElGamal cryptosystem) and gcd(r, P 1) = 1 (this is also necessary in the original ElGamal-like extension as discussed in this paper), then (y r i ) j mod P for j = 1,,, P 1 can generate all the elements in ZZ P. This evidently improves the security level. However, we notice that even if (y r i ) j mod P (for j = 1,,, P 1) can generate all the elements in ZZ P, it is still possible that y r 1 i ) j y r 1 i ) k (mod P ) with j k. We call this property as a collision of y r 1 i ) j and y r 1 i ) k. This implies that for some cases y r 1 i ) j mod P (for j = 1,,, P 1) may not generate P 1 different integers and this basically depends on the value of y r 1 i mod P. Since the probability of the above collision is negligible, we will not consider it in the following discussions. Based on the result of Theorem, it can be proven that the collision probability of the original ElGamal-like extension is at least twice of that of the enhanced cryptosystem. 4.1 Advantage of the enhanced In the original ElGamal cryptosystem, to encrypt t messages the sender has to select t different random exponents r s and to compute yi r mod P. Note that all these t random exponents should be all different for security reason. A good pseudo random number generator (PRNG) would be necessary, but this does not assure that repetition of some r will never happen. Based on fundamental probability theory, if r is to be randomly selected within [1, K], then roughly every K outcomes of the PRNG will have one repetition with the probability of about 1. However, in the real case, occurrence of repetition of r may still happen for the number of application on the PRNG much less than K, especially if an inappropriate PRNG is adopted. This requires all the previously used random exponents r s be stored and be compared with each time a new one is selected by the PRNG. Of course, this would not be a practical solution. On the other hand, if the ElGamal-like and especially the enhanced s will be employed, the above disadvantage can be avoided. In the enhanced, under appropriate parameters selection as described in this paper, (y r i ) j mod P (for j = 1,,, P 1) can generate all the elements in ZZ P. No (yr i ) j mod P (for j = 1,,, P 1) will be repeated in a single communication round, say when both r 1 and r are repeated employed. This implies that a non-repeated random exponent R is selected each time and y R i mod P is computed subject to t < P 1 as in almost all real applications. 5 Concluding Remark and Possible Further Enhancement The considers primarily to improve the performance of the original El- Gamal cryptosystem when encrypting large messages, i.e., message P. During the design of, both arithmetic and Boolean operations are employed to generate each mask (i.e., (y r 1 i ) j ) mod P or (y r 1 i (y r i ) j ) mod P ) in order to protect each m j.
5 Someone might think that further improvement on performance is possible by computing c j = m j (y r 1 i ) j ) since one modular multiplication is replaced by a bitwise XOR operation which is much less time consuming. However, the above design is not very secure except that a special property of P will be applicable as shown in the following. Let B = yi r mod P be represented in binary form as (b n 1, b n,, b 1, b 0 ). The above modification is not very secure because that the probabilities P r(b i = 0) P r(b i = 1) (say P r(b i = 0) = 1 + δ i and P r(b i = 1) = 1 δ i for a very small bias δ i ) for all i since P is an odd integer. The situation is a little bit worse for larger i. This condition is the same for both the original ElGamal and the s. However, it can be easily proven that in the enhanced P r(b i = 0) = 1 + δ i and P r(b i = 1) = 1 δ i and also δi < δ i. However, it is interesting to notice that the above design has three potential merits especially if P is very close to n 1. In this case, the above probability bias problem for all bit positions b i is minimized and security can be extensively improved. Firstly, in this design the range of m does not have to be less than P. Secondly, the design can solve the undecryptable cipher problem for both the original and the enhanced ElGamal-like cryptosystems, i.e., the cipher can be decrypted even if (y r 1 i ) j ) = 0. Thirdly, the collision problem can be overcome if the above design is employed. [5] M.S. Hwang, C.C. Chang, and K.F. Hwang, An for enciphering large messages, IEEE Trans. Knowledge and Data Engineering, vol. 14, no., pp , 00. [6] W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Trans. on Inform. Theory, vol., no. 6, pp , [7] L. Harn and H.Y. Lin, An authenticated key agreement protocol without using oneway functions, Proc. of 8th National Conf. on Information Security, Kaoshiung Taiwan, pp , [8] S.M. Yen and M. Joye, An improved authenticated multiple-key agreement protocol, IEE Electronics Letters, vol. 34, no. 18, pp , [9] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone. Handbook of applied cryptography. CRC Press, Acknowledgements: This work was supported in part by Institute for Information Industry, R.O.C. References: [1] National Bureau of Standard, Data encryption standard, Federal Information Processing Standards, NBS, [] NIST, FIPS-197: Advanced Encryption Standard, Federal Information Processing Standard, FIPS 197, 001. [3] R. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Comm. of the ACM, vol. 1, no., pp , [4] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inf. Theory, vol. 31, no. 4, pp , 1985.
8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationA New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm
A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm Min-Shiang Hwang Cheng-Chi Lee Shiang-Feng Tzeng Department of Management Information System National Chung Hsing University
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationAll-Or-Nothing Transforms Using Quasigroups
All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationAN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM
AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationA Knapsack Cryptosystem Based on The Discrete Logarithm Problem
A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationAspect of Prime Numbers in Public Key Cryptosystem
Aspect of Prime Numbers in Public Key Cryptosystem Md.Mehedi Masud, Huma Galzie, Kazi Arif Hossain and Md.Minhaj Ul Islam Computer Science and Engineering Discipline Khulna University, Khulna-9208, Bangladesh
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationand Other Fun Stuff James L. Massey
Lectures in Cryptology 10-14 October 2005 School of Engineering and Science International University Bremen Lecture 3: Public-Key Cryptography and Other Fun Stuff James L. Massey [Prof.-em. ETH Zürich,
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationNumber Theory & Modern Cryptography
Number Theory & Modern Cryptography Week 12 Stallings: Ch 4, 8, 9, 10 CNT-4403: 2.April.2015 1 Introduction Increasing importance in cryptography Public Key Crypto and Signatures Concern operations on
More informationAitken and Neville Inverse Interpolation Methods over Finite Fields
Appl. Num. Anal. Comp. Math. 2, No. 1, 100 107 (2005) / DOI 10.1002/anac.200410027 Aitken and Neville Inverse Interpolation Methods over Finite Fields E.C. Laskari 1,3, G.C. Meletiou 2,3, and M.N. Vrahatis
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013
RSA Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013 Recap Recap Number theory o What is a prime number? o What is prime factorization? o What is a GCD? o What does relatively prime
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationThe RSA cryptosystem and primality tests
Mathematics, KTH Bengt Ek November 2015 Supplementary material for SF2736, Discrete mathematics: The RSA cryptosystem and primality tests Secret codes (i.e. codes used to make messages unreadable to outsiders
More informationHans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References
Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009 Die Unterlagen sind ausschliesslich zum persoenlichen Gebrauch der Vorlesungshoerer bestimmt. Die Herstellung von elektronischen
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationWeek 7 An Application to Cryptography
SECTION 9. EULER S GENERALIZATION OF FERMAT S THEOREM 55 Week 7 An Application to Cryptography Cryptography the study of the design and analysis of mathematical techniques that ensure secure communications
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationBiomedical Security. Overview 9/15/2017. Erwin M. Bakker
Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest
More informationA Comparative Study of RSA Based Digital Signature Algorithms
Journal of Mathematics and Statistics 2 (1): 354-359, 2006 ISSN 1549-3644 2006 Science Publications A Comparative Study of RSA Based Digital Signature Algorithms 1 Ramzi A. Haraty, 2 A. N. El-Kassar and
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationA fast modular multiplication algorithm for calculating the product AB modulo N
Information Processing Letters 72 (1999) 77 81 A fast modular multiplication algorithm for calculating the product AB modulo N Chien-Yuan Chen a,, Chin-Chen Chang b,1 a Department of Information Engineering,
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationBatch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco
Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, India. Outline Introduction
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationNUMBER THEORY FOR CRYPTOGRAPHY
1 CHAPTER 4. NUMBER THEORY FOR CRYPTOGRAPHY 1 INSTITÚID TEICNEOLAÍOCHTA CHEATHARLACH INSTITUTE OF TECHNOLOGY CARLOW NUMBER THEORY FOR CRYPTOGRAPHY Contents 1 Number Theory for Cryptography 2 1.1 Linear
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationEindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015
Eindhoven University of Technology MASTER Kleptography cryptography with backdoors Antheunisse, M. Award date: 2015 Disclaimer This document contains a student thesis (bachelor's or master's), as authored
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationTHE RSA CRYPTOSYSTEM
THE RSA CRYPTOSYSTEM SILVIA ROBLES Abstract. This paper explores the history and mathematics behind the RSA cryptosystem, including the idea of public key cryptosystems and number theory. It outlines the
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationAdaptive Security of Compositions
emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper
More informationECE596C: Handout #11
ECE596C: Handout #11 Public Key Cryptosystems Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract In this lecture we introduce necessary mathematical background for studying
More informationECE 646 Lecture 9. RSA: Genesis, operation & security
ECE 646 Lecture 9 RSA: Genesis, operation & security Required Reading (1) W. Stallings, "Cryptography and Network-Security," Chapter 8.1 Prime Numbers Chapter 8.2 Fermat's and Euler's Theorems Chapter
More informationA new conic curve digital signature scheme with message recovery and without one-way hash functions
Annals of the University of Craiova, Mathematics and Computer Science Series Volume 40(2), 2013, Pages 148 153 ISSN: 1223-6934 A new conic curve digital signature scheme with message recovery and without
More informationBiomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.
Biomedical Security Erwin M. Bakker Some Security News From: NYTimes Blockchains are not safe for voting (slashdot.org) : From Motherboard.vice.com ECDAA: Eliptic Curve Direct Anonymous Attestation for
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationAccelerated Search for Gaussian Generator Based on Triple Prime Integers
Journal of Computer Science 5 (9): 614-618, 2009 ISSN 1549-3636 2009 Science Publications Accelerated Search for Gaussian Generator Based on Triple Prime Integers 1 Boris S. Verkhovsky and 2 Md Shiblee
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationLecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya
BBM 205 Discrete Mathematics Hacettepe University http://web.cs.hacettepe.edu.tr/ bbm205 Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya Resources: Kenneth Rosen,
More informationMathematics of Public Key Cryptography
Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?
More informationImplementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction
Implementation of the RSA algorithm and its cryptanalysis Chandra M. Kota and Cherif Aissi 1 University of Louisiana at Lafayette, College of Engineering Lafayette, LA 70504, USA Abstract Session IVB4
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More information