Chapter 8 Public-key Cryptography and Digital Signatures

1. Introduction to Public-key Cryptography
2. Example of Public-key Algorithm: Diffie-Hellman Key Exchange Scheme
3. RSA Encryption and Digital Signature
4. ElGamal Digital Signature
5. DSS (Digital Signature Standard)
6. ECDSA (Elliptic Curve Digital Signature Algorithm)

@G. Gong, 2003

8.1. Introduction to Public-key Cryptography

A. Figure 1. Simplified Model of Public-Key Encryption
[Figure: Alice feeds the plaintext and Bob's public key into the encryption algorithm; the ciphertext goes to Bob, whose decryption algorithm uses Bob's private key to recover the plaintext.]

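B. Requirements of Public-key Cryptography

One-way function: computing $f(x)$ from $x$ is easy; recovering $x$ from $f(x)$ is infeasible.

Trapdoor one-way function: computing $f_k(x)$ from $x$ is easy; recovering $x$ from $f_k(x)$ is infeasible if $k$ is not known and easy if $k$ is known.
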
Therefore, the security of public-key cryptosystems is based on the difficulty of different computational problems. The most important ones are:
- Factoring large integers
- Finite field discrete logarithms
- Elliptic curve discrete logarithms

C. Key pairs of the public-key system

In a secure network system, each user x has a pair of keys $(E_x, D_x)$:
- $E_x$ is an encryption key which is put into a public key directory or a file (after being certified), called the public key of the user.
- $D_x$ is a decryption key kept private, called the private key of the user.
- $D_x(E_x) = E_x(D_x)$ = identity map.
- From known $E_x$, it is computationally infeasible to obtain $D_x$.

Alice sends $C = E_b(m)$ to Bob; Bob computes $D_b(C) = D_b(E_b(m)) = m$.

8.2. Diffie-Hellman Key Exchange: the first example of a public-key scheme

System public parameters: $p$, a prime number; $g$, a primitive element in GF(p).

Alice: private key $a$, $0 < a < p$, with $\gcd(a, p-1) = 1$; public key $g^a$.
Bob: private key $b$, $0 < b < p$, with $\gcd(b, p-1) = 1$; public key $g^b$.

Diffie-Hellman Key Exchange

Alice (private key $a$) sends $g^a$ to Bob; Bob (private key $b$) sends $g^b$ to Alice.
Alice computes $(g^b)^a = g^{ba}$; Bob computes $(g^a)^b = g^{ba}$.

Example 1. Let p = 23. Then g = 5 is a primitive element of GF(p).

Alice: private key $a = 7$; public key $g^7 = 5^7 = 17 \bmod 23$.
Bob: private key $b = 3$; public key $g^3 = 5^3 = 10 \bmod 23$.

Alice receives $g^3 = 10$ and computes $(g^3)^7 = 10^7 = 14 \bmod 23$.
Bob receives $g^7 = 17$ and computes $(g^7)^3 = 17^3 = 14 \bmod 23$.

The secret information shared by Alice and Bob is 14.

Attacker: from known $g^7 = 17$ and $g^3 = 10$, can $g^{21} = 14$ be found? In other words, is the attacker able to compute $g^{ab}$ from known $g^a$ and $g^b$?

Diffie-Hellman Problem: Given $g^a$ and $g^b$, compute $g^{ab}$.

Thus the Diffie-Hellman key exchange scheme is secure if the DH problem is computationally infeasible. The DH problem is computationally feasible if solving the discrete logarithm in GF(p) is computationally feasible. Thus, we may say that the security of the DH key exchange scheme is based on the difficulty of solving the discrete logarithm in the finite field GF(p).

Remark. The DH key exchange scheme has a very important application in key distribution and management; we will discuss more properties of the DH key exchange scheme in Chapter 10.

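Example 1 and the reduction from the DH problem to the discrete logarithm, as an added Python example that is not part of the original slides. The range check on the peer's public value and the exhaustive `discrete_log` search are assumptions added for illustration; the search finishes instantly only because p = 23 is tiny.

```python
from math import gcd

def is_primitive(g, p):
    """g generates GF(p)* iff g^((p-1)/q) != 1 for every prime q | p-1."""
    n, primes, d = p - 1, set(), 2
    while d * d <= n:
        while n % d == 0:
            primes.add(d)
            n //= d
        d += 1
    if n > 1:
        primes.add(n)
    return all(pow(g, (p - 1) // q, p) != 1 for q in primes)

def dh_public(g, priv, p):
    # Private-key conditions as stated on the slide.
    if not (0 < priv < p and gcd(priv, p - 1) == 1):
        raise ValueError("need 0 < key < p and gcd(key, p-1) = 1")
    return pow(g, priv, p)

def dh_shared(peer_pub, priv, p):
    # Added check (not on the slide): 1 and p-1 give a predictable secret.
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)

def discrete_log(g, y, p):
    """Exhaustive search for x with g^x = y mod p; cost grows with p."""
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = acc * g % p
    raise ValueError("y is not a power of g")

def example_1():
    p, g = 23, 5
    if not is_primitive(g, p):
        raise ValueError("g is not a primitive element")
    pub_a, pub_b = dh_public(g, 7, p), dh_public(g, 3, p)
    k_alice, k_bob = dh_shared(pub_b, 7, p), dh_shared(pub_a, 3, p)
    # Whoever can take the discrete log of g^a also gets g^ab from g^b.
    k_from_log = pow(pub_b, discrete_log(g, pub_a, p), p)
    return pub_a, pub_b, k_alice, k_bob, k_from_log

if __name__ == "__main__":
    print(example_1())
```
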
Milestone work in public-key cryptography:

W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. on Inform. Theory, Vol. 22, pp. 644-654, 1976.

8.3. RSA Encryption and Digital Signature

Requirements for digital signatures:
- Everyone can verify a digital signature.
- Only the signer can sign; no one can forge the signer's signature (this prevents forgery and denial attacks).
- Once a dispute occurs, a third party can resolve it.

More about number theory

(a) The Euclidean algorithm for computing gcd(a, b), the greatest common divisor of two positive integers a and b, b > a.

Input: a and b, b > a
Output: d = gcd(a, b)
Procedure_(a, b, d)
Set $r_0 = b$ and $r_1 = a$.
Compute:
$$\begin{aligned}
r_0 = b &= q_1 r_1 + r_2, & 0 < r_2 < r_1 \\
r_1 &= q_2 r_2 + r_3, & 0 < r_3 < r_2 \\
r_2 &= q_3 r_3 + r_4, & 0 < r_4 < r_3 \\
&\;\;\vdots \\
r_{m-1} &= q_m r_m
\end{aligned}$$
Return: $r_m$
In other words, $\gcd(a, b) = r_m$.

(b) The Chinese Remainder Theorem

Let $m_1, \ldots, m_r$ be pairwise relatively prime, i.e., $\gcd(m_i, m_j) = 1$ if $i \neq j$, and let $a_1, \ldots, a_r$ be integers. Then the system of r congruences
$$\begin{aligned}
X &\equiv a_1 \bmod m_1 \\
X &\equiv a_2 \bmod m_2 \\
&\;\;\vdots \\
X &\equiv a_r \bmod m_r
\end{aligned}$$
has a unique solution X modulo $M = m_1 \cdots m_r$, which is given by
$$X \equiv \sum_{i=1}^{r} a_i M_i y_i \bmod M,$$
where $M_i = M / m_i$ and $y_i = M_i^{-1} \bmod m_i$, for $1 \le i \le r$.

Example 1. Suppose r = 3, $m_1 = 7$, $m_2 = 11$ and $m_3 = 13$; then $M = 1001$,
$M_1 = M / m_1 = 143 = 3 \bmod 7$, $M_2 = 91 = 3 \bmod 11$, $M_3 = 77 = 12 \bmod 13$,
and $y_1 = 5$, $y_2 = 4$ and $y_3 = 12$.

If
$$X \equiv 5 \bmod 7, \quad X \equiv 3 \bmod 11, \quad X \equiv 10 \bmod 13,$$
then
$$X = 715 \cdot 5 + 364 \cdot 3 + 924 \cdot 10 \bmod 1001 = 13907 \bmod 1001 = 894 \bmod 1001.$$

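The Euclidean remainder sequence from (a), extended to yield modular inverses, and the CRT formula from (b), as an added Python example that is not part of the original slides. The function names are chosen here for illustration; the coefficient tracking in `ext_gcd` is the standard extended form of the algorithm, which the slide shows only for the gcd itself.

```python
from math import prod

def ext_gcd(a, b):
    """Remainder sequence r0 = b, r1 = a, ... as on the slide, also tracking
    s, t with s*a + t*b = r at every step. Returns (gcd, s, t)."""
    r0, r1 = b, a
    s0, s1 = 0, 1          # coefficients of a
    t0, t1 = 1, 0          # coefficients of b
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0

def mod_inverse(a, m):
    g, s, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m

def crt_terms(moduli):
    """(M_i, y_i) pairs with M_i = M / m_i and y_i = M_i^-1 mod m_i."""
    for i, mi in enumerate(moduli):
        for mj in moduli[i + 1:]:
            if ext_gcd(mi, mj)[0] != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli)
    return [(M // m, mod_inverse(M // m, m)) for m in moduli]

def crt(residues, moduli):
    """X = sum(a_i * M_i * y_i) mod M."""
    M = prod(moduli)
    terms = crt_terms(moduli)
    return sum(a * Mi * yi for a, (Mi, yi) in zip(residues, terms)) % M

if __name__ == "__main__":
    print(crt_terms([7, 11, 13]))        # M_i and y_i of Example 1
    print(crt([5, 3, 10], [7, 11, 13]))  # solution of Example 1
```

The same `mod_inverse` computes the RSA private exponent in step 4 of the setup: `mod_inverse(3533, 11200)` gives the d of Example 2.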
(c) Lagrange Theorem: Suppose that G is a multiplicative group of order n (i.e. $|G| = n$) and $g \in G$; then the order of g divides n.

Corollary: If $b \in Z_n^*$, then $b^{\Phi(n)} \equiv 1 \bmod n$, where $\Phi(n)$ is the Euler function (i.e., $\Phi(n)$ is the number of integers in the range 1 to n coprime with n), and $Z_n^* = \{ a \in Z_n \mid \gcd(n, a) = 1 \}$.

RSA Encryption

User Bob sets up:
1. Generates two large primes p and q.
2. Computes $n = pq$ and $\Phi(n) = (p-1)(q-1)$.
3. Chooses a random number e, $0 < e < \Phi(n)$, such that $\gcd(e, \Phi(n)) = 1$.
4. Computes $d = e^{-1} \bmod \Phi(n)$ using the Euclidean algorithm.
5. Registers his public key {n, e} and publishes this pair in a directory as his public key. Keeps {d, p, q} as his private key.

Encryption: for plaintext $m < n$, the ciphertext is $c = m^e \bmod n$.
Decryption: $m = c^d \bmod n$, since $(c^e)^d = c \bmod n$.

The RSA Algorithm

Key Generation
- Select: p and q, both prime; $n = pq$; e with $\gcd(e, \varphi(n)) = 1$, $1 < e < \varphi(n)$.
- Compute: $d = e^{-1} \bmod \varphi(n)$.
- Public key: {e, n}. Private key: {d, p, q}.

Encryption
- Plaintext: $m < n$
- Ciphertext: $c = m^e \bmod n$

Decryption
- Ciphertext: c
- Plaintext: $m = c^d \bmod n$

Example 2.

Setup step (Bob):
1. Choose p = 101 and q = 113.
2. Compute $n = pq = 11413$ and $\Phi(n) = 100 \times 112 = 11200 = 2^6 \cdot 5^2 \cdot 7$.
3. Choose e = 3533 with $\gcd(3533, \Phi(n)) = 1$.
4. Compute $d = e^{-1} = 6597 \bmod 11200$.
5. Bob's public key: {3533, 11413}; private key: {6597, 101, 113}.

Encryption: Alice wants to send m = 9726 to Bob. She then computes $c = 9726^{3533} \bmod 11413 = 5761$.
Decryption: Bob computes $c^{6597} = (9726)^{3533 \cdot 6597} = 9726$.

Remark: Requirements for selection of p and q.
(1) p and q should differ in length by only a few digits.
(2) Both p - 1 and q - 1 should contain a large prime factor.
(3) gcd(p - 1, q - 1) should be small.
(4) d should not be small: $d > n^{1/4}$.

Security of RSA: The security of RSA depends on the difficulty of computing d from known {e, n}. However, $d = e^{-1} \bmod \Phi(n)$, and there is usually no way to compute $\Phi(n)$ other than from p and q. Thus the security of RSA depends on the difficulty of factoring a large number n.

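Example 2 and the quantities named in the Remark, as an added Python example that is not part of the original slides. The function names are chosen here; `selection_report` only reports the four quantities, since the slide gives no numeric thresholds for "a few digits", "large" or "small".

```python
from math import gcd

def largest_prime_factor(n):
    """Trial division; adequate only for the toy sizes used here."""
    best, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            best, n = d, n // d
        d += 1
    return n if n > 1 else best

def rsa_keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(n) with gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)      # d = e^-1 mod phi(n); needs Python 3.8+
    return (n, e), (d, p, q)

def selection_report(p, q, d):
    """The quantities behind requirements (1)-(4) of the Remark."""
    return {
        "digit_length_gap": abs(len(str(p)) - len(str(q))),   # (1)
        "largest_factor_p_minus_1": largest_prime_factor(p - 1),  # (2)
        "largest_factor_q_minus_1": largest_prime_factor(q - 1),  # (2)
        "gcd_p1_q1": gcd(p - 1, q - 1),                       # (3)
        "d_above_n_quarter": d ** 4 > p * q,                  # (4)
    }

def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy m < n")
    return pow(m, e, n)

def decrypt(c, private):
    d, p, q = private
    return pow(c, d, p * q)

if __name__ == "__main__":
    public, private = rsa_keygen(101, 113, 3533)
    c = encrypt(9726, public)
    print(public, private, c, decrypt(c, private))
    print(selection_report(101, 113, private[0]))
```

For the primes of Example 2 the report shows that p - 1 and q - 1 have no prime factor above 7, so requirement (2) is not met at this toy size.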
RSA Digital Signature Algorithm (RSA-DSA)

User Bob wants to sign a message m.

Signing process:
1. Compute $h(m) = m'$, where $h(x)$ is a hashing function.
2. Compute $r = m'^d \bmod n$; r is a digital signature of m.

Verifying process: The verifier uses Bob's public key {e, n} to check whether $r^e = m' \bmod n$. If yes, then r is a valid signature of m.

Note. The hashing function h is public, and can be chosen as either MD5 (Message Digest algorithm), Rivest 1990, or SHA (Secure Hash Algorithm), NIST, 1995. Employing a hashing function is required in any DSA.

RSA-DSA (Cont.)

[Figure: RSA-DSA Signing Process. Bob (signer) hashes the message m with h and computes the signature $r = h(m)^d \bmod n$, where d is Bob's private key; the output is the message m with its signature r.]

[Figure: RSA-DSA Verifying Process. Alice (verifier) hashes the received message m with h and checks whether $r^e = h(m) \bmod n$, where e is Bob's public key.]

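The signing and verifying processes above, as an added Python example that is not part of the original slides, using the key of Example 2. Two assumptions: SHA-256 from `hashlib` stands in for the MD5/SHA named in the Note (both have known collision attacks), and the digest is reduced mod n so that it fits the 14-bit toy modulus.

```python
import hashlib

# Key of Example 2 in this chapter (toy size).
N, E, D = 11413, 3533, 6597

def digest_mod_n(message: bytes, n: int) -> int:
    """m' = h(m), reduced mod n to fit the toy modulus (assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, d: int = D, n: int = N) -> int:
    # r = h(m)^d mod n, computed with the signer's private exponent.
    return pow(digest_mod_n(message, n), d, n)

def verify(message: bytes, r: int, e: int = E, n: int = N) -> bool:
    # Accept only if r^e mod n equals the recomputed digest.
    if not 0 <= r < n:
        return False
    return pow(r, e, n) == digest_mod_n(message, n)

def demo():
    msg = b"pay Carol 10"            # constructed sample message
    r = sign(msg)
    return {
        "valid": verify(msg, r),
        # x -> x^e mod n is one-to-one, so any other r fails.
        "altered_signature": verify(msg, (r + 1) % N),
        # Fails unless the reduced digests collide, which has about a
        # 1-in-n chance with a modulus this small.
        "altered_message": verify(b"pay Carol 1000", r),
    }

if __name__ == "__main__":
    print(demo())
```
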
Three milestone works which established the foundation of public-key cryptology:

- W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. on Inform. Theory, Vol. 22, pp. 644-654, 1976.
- R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, Vol. 21, No. 2, pp. 120-126, Feb. 1978.
- T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. on Inform. Theory, Vol. IT-31, pp. 469-472, July 1985.