Number Theory: Prime numbers, Modular arithmetic, Euclid's algorithm, Fermat's and Euler's theorems, Primality, Chinese remainder theorem, Discrete logarithm
Public key cryptography and RSA
Key distribution, Key management, Diffie-Hellman key exchange
Elliptic curve cryptography
Slides courtesy of William Stallings, Cryptography & Network Security, Pearson Education, 4th Edition
Chapter 1 Number Theory
- Prime numbers
- Modular arithmetic
- Euclid's algorithm
- Fermat's and Euler's theorems
- Primality
- Chinese remainder theorem
- Discrete logarithm
Prime Numbers
- prime numbers only have divisors of 1 and self
  - they cannot be written as a product of other numbers
  - note: 1 is prime, but is generally not of interest
- eg. 2, 3, 5, 7 are prime, 4, 6, 8, 9, 10 are not
- prime numbers are central to number theory
- list of prime numbers less than 200 is:
  2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
  61 67 71 73 79 83 89 97 101 103 107 109 113 127
  131 137 139 149 151 157 163 167 173 179 181 191
  193 197 199
Prime Factorisation
Modular Arithmetic
- is 'clock arithmetic'
- uses a finite number of values, and loops back from either end
- modular arithmetic is when we do addition & multiplication and modulo reduce the answer
- can do reduction at any point, ie
  a+b mod n = [a mod n + b mod n] mod n
- can do modular arithmetic with any group of integers: Zn = {0, 1, ..., n-1}
- form a commutative ring for addition with a multiplicative identity
- note some peculiarities
  - if (a+b) = (a+c) mod n then b = c mod n
  - but if (a.b) = (a.c) mod n then b = c mod n only if a is relatively prime to n
Modulo 8 Addition Example
+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 2 3 4 5 6 7 0
2 2 3 4 5 6 7 0 1
3 3 4 5 6 7 0 1 2
4 4 5 6 7 0 1 2 3
5 5 6 7 0 1 2 3 4
6 6 7 0 1 2 3 4 5
7 7 0 1 2 3 4 5 6
Greatest Common Divisor (GCD)
- a common problem in number theory
- GCD(a,b) of a and b is the largest number that divides evenly into both a and b
  - eg GCD(60,24) = 12
- often want no common factors (except 1) and hence numbers are relatively prime
  - eg GCD(8,15) = 1
  - hence 8 & 15 are relatively prime
Euclidean Algorithm
- an efficient way to find the GCD(a,b)
- uses theorem that:
  GCD(a,b) = GCD(b, a mod b)
- Euclidean Algorithm to compute GCD(a,b) is:
  EUCLID(a,b)
  1. A = a; B = b
  2. if B = 0 return A = gcd(a, b)
  3. R = A mod B
  4. A = B
  5. B = R
  6. goto 2
Example GCD(1970,1066)
Fermat's Theorem
- a^(p-1) = 1 (mod p)
  - where p is prime and gcd(a,p) = 1
- also known as Fermat's Little Theorem
- also a^p = a (mod p)
- useful in public key and primality testing
Euler Totient Function φ(n)
- when doing arithmetic modulo n
- complete set of residues is: 0..n-1
- reduced set of residues is those numbers (residues) which are relatively prime to n
  - eg for n = 10,
  - complete set of residues is {0,1,2,3,4,5,6,7,8,9}
  - reduced set of residues is {1,3,7,9}
- number of elements in reduced set of residues is called the Euler Totient Function φ(n)
Euler Totient Function φ(n)
- to compute φ(n) need to count number of residues to be excluded
- in general need prime factorization, but
  - for p (p prime) φ(p) = p-1
  - for p.q (p,q prime) φ(pq) = (p-1)×(q-1)
- eg.
  φ(37) = 36
  φ(21) = (3-1)×(7-1) = 2×6 = 12
Euler's Theorem
- a generalisation of Fermat's Theorem
- a^φ(n) = 1 (mod n)
  - for any a, n where gcd(a,n) = 1
- eg.
  a=3; n=10; φ(10)=4;
  hence 3^4 = 81 = 1 mod 10
  a=2; n=11; φ(11)=10;
  hence 2^10 = 1024 = 1 mod 11
Primality Testing
- often need to find large prime numbers
- traditionally sieve using trial division
  - ie. divide by all numbers (primes) in turn less than the square root of the number
  - only works for small numbers
- alternatively can use statistical primality tests based on properties of primes
  - for which all prime numbers satisfy property
  - but some composite numbers, called pseudo-primes, also satisfy the property
- can use a slower deterministic primality test
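The totient, Euler's theorem and the two kinds of primality test from the preceding slides, worked in code. This is an added example, not from the slides; the pseudoprime 341 = 11 × 31 is my constructed input for showing why a Fermat-based test is only statistical.

```python
def trial_division_is_prime(n):
    """Deterministic test: divide by every d up to sqrt(n). Fine for small n only."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def prime_factors(n):
    """Distinct prime factors of n by trial division (phi(n) needs the factorization in general)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors

def phi(n):
    """Euler totient: n * prod(1 - 1/p) over the distinct primes p dividing n.
    For n = p*q this reduces to (p-1)*(q-1), as the slide states."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result

def euler_theorem_holds(a, n):
    """Check a^phi(n) = 1 (mod n); only guaranteed when gcd(a, n) = 1."""
    return pow(a, phi(n), n) == 1

def fermat_test(n, bases):
    """Statistical test from Fermat's theorem: every prime passes for every base,
    but some composites (pseudoprimes) pass for particular bases too."""
    if n < 4:
        return n in (2, 3)
    return all(pow(a, n - 1, n) == 1 for a in bases)
```

341 passes the Fermat test for base 2 yet fails for base 3, which is why such tests are run with several bases and a deterministic test is used when certainty matters.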
Chinese Remainder Theorem
- used to speed up modulo computations
- if working modulo a product of numbers
  - eg. mod M = m1 m2 .. mk
- Chinese Remainder theorem lets us work in each modulus mi separately
- since computational cost is proportional to size, this is faster than working in the full modulus M
Chinese Remainder Theorem
- can implement CRT in several ways
- to compute A (mod M)
  - first compute all ai = A mod mi separately
  - determine constants ci below, where Mi = M/mi
  - then combine results to get answer using:
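The recombination step the slide refers to, implemented with the constants ci = Mi × (Mi^-1 mod mi): A = Σ ai × ci mod M. This is an added example, not slide code; the moduli 37, 49, 55 and the values 973 and 1203 are my constructed inputs (pairwise coprime moduli are required).

```python
from functools import reduce

def crt_combine(residues, moduli):
    """Recover A mod M (M = m1*...*mk, moduli pairwise coprime) from the
    residues ai = A mod mi, using ci = Mi * (Mi^-1 mod mi) with Mi = M / mi."""
    M = reduce(lambda x, y: x * y, moduli, 1)
    total = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        c_i = M_i * pow(M_i, -1, m_i)   # c_i = 1 mod m_i and 0 mod every other m_j
        total += a_i * c_i
    return total % M

def to_residues(x, moduli):
    """The ai = x mod mi for each small modulus."""
    return [x % m for m in moduli]

def crt_multiply(x, y, moduli):
    """x*y mod M done in each small modulus separately, then recombined."""
    pairs = zip(to_residues(x, moduli), to_residues(y, moduli), moduli)
    return crt_combine([(a * b) % m for a, b, m in pairs], moduli)
```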
Primitive Roots
- from Euler's theorem have a^φ(n) mod n = 1
- consider a^m = 1 (mod n), GCD(a,n) = 1
  - must exist for m = φ(n) but may be smaller
  - once powers reach m, cycle will repeat
- if smallest is m = φ(n) then a is called a primitive root
- if p is prime, then successive powers of a "generate" the group mod p
- these are useful but relatively hard to find
Discrete Logarithms
- the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p
- that is to find x such that y = g^x (mod p)
- this is written as x = log_g y (mod p)
- if g is a primitive root then it always exists, otherwise it may not, eg.
  x = log_3 4 mod 13 has no answer
  x = log_2 3 mod 13 = 4 by trying successive powers
- whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem
Summary
- have considered:
  - prime numbers
  - Fermat's and Euler's Theorems & φ(n)
  - Primality Testing
  - Chinese Remainder Theorem
  - Discrete Logarithms
Chapter 2 Public key cryptography
- Public key cryptography
- RSA
Private Key Cryptography
- traditional private/secret/single key cryptography uses one key
- shared by both sender and receiver
- if this key is disclosed communications are compromised
- also is symmetric, parties are equal
- hence does not protect sender from receiver forging a message & claiming it is sent by sender
Public Key Cryptography
- probably most significant advance in the 3000 year history of cryptography
- uses two keys: a public & a private key
- asymmetric since parties are not equal
- uses clever application of number theoretic concepts to function
- complements rather than replaces private key crypto
Why Public Key Cryptography?
- developed to address two key issues:
  - key distribution: how to have secure communications in general without having to trust a KDC with your key
  - digital signatures: how to verify a message comes intact from the claimed sender
- public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
  - known earlier in classified community
Public Key Cryptography
- public key/two key/asymmetric cryptography involves the use of two keys:
  - a public key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  - a private key, known only to the recipient, used to decrypt messages, and sign (create) signatures
- is asymmetric because
  - those who encrypt messages or verify signatures cannot decrypt messages or create signatures
Public Key Cryptography
Public Key Characteristics
- Public Key algorithms rely on two keys where:
  - it is computationally infeasible to find decryption key knowing only algorithm & encryption key
  - it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
  - either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)
Public Key Cryptosystems
Public Key Applications
- can classify uses into 3 categories:
  - encryption/decryption (provide secrecy)
  - digital signatures (provide authentication)
  - key exchange (of session keys)
- some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes
- like private key schemes, brute force exhaustive search attack is always theoretically possible
- but keys used are too large (>512 bits)
- security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
- more generally the hard problem is known, but is made hard enough to be impractical to break
- requires the use of very large numbers
- hence is slow compared to private key schemes
RSA
- by Rivest, Shamir & Adleman of MIT in 1977
- best known & widely used public key scheme
- based on exponentiation in a finite (Galois) field over integers modulo a prime
  - nb. exponentiation takes O((log n)^3) operations (easy)
- uses large integers (eg. 1024 bits)
- security due to cost of factoring large numbers
  - nb. factorization takes O(e^(log n log log n)) operations (hard)
RSA Key Setup
- each user generates a public/private key pair by:
- selecting two large primes at random: p, q
- computing their system modulus n = p.q
  - note φ(n) = (p-1)(q-1)
- selecting at random the encryption key e
  - where 1 < e < φ(n), gcd(e, φ(n)) = 1
- solve following equation to find decryption key d
  - e.d = 1 mod φ(n) and 0 ≤ d ≤ n
- publish their public encryption key: PU = {e, n}
- keep secret private decryption key: PR = {d, n}
RSA Use
- to encrypt a message M the sender:
  - obtains public key of recipient PU = {e, n}
  - computes: C = M^e mod n, where 0 ≤ M < n
- to decrypt the ciphertext C the owner:
  - uses their private key PR = {d, n}
  - computes: M = C^d mod n
- note that the message M must be smaller than the modulus n (block if needed)
Why RSA Works
- because of Euler's Theorem:
  - a^φ(n) mod n = 1 where gcd(a,n) = 1
- in RSA have:
  - n = p.q
  - φ(n) = (p-1)(q-1)
  - carefully chose e & d to be inverses mod φ(n)
  - hence e.d = 1 + k.φ(n) for some k
- hence:
  C^d = M^(e.d) = M^(1+k.φ(n)) = M^1.(M^φ(n))^k
      = M^1.(1)^k = M^1 = M mod n
RSA Example Key Setup
- sample RSA encryption/decryption is:
- given message M = 88 (nb. 88 < 187)
- encryption:
  C = 88^7 mod 187 = 11
- decryption:
  M = 11^23 mod 187 = 88
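The key setup and use from the slides, worked with the slide's values n = 187, e = 7, d = 23. This is an added example, not slide code; the slides do not state the primes, so the factorization 187 = 17 × 11 (p = 17, q = 11) is supplied here.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Return PU = (e, n) and PR = (d, n) following the 'RSA Key Setup' slide."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if not (1 < e < phi_n) or gcd(e, phi_n) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi_n)             # e.d = 1 mod phi(n) (Python 3.8+ modular inverse)
    return (e, n), (d, n)

def rsa_encrypt(m, pub):
    """C = M^e mod n; the block must be smaller than the modulus."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= M < n")
    return pow(m, e, n)

def rsa_decrypt(c, priv):
    """M = C^d mod n."""
    d, n = priv
    return pow(c, d, n)

def rsa_example():
    """The slide's numbers: expect d = 23, C = 11 for M = 88, and M recovered."""
    pub, priv = rsa_keygen(17, 11, 7)
    c = rsa_encrypt(88, pub)
    return priv[0], c, rsa_decrypt(c, priv)
```

Note that e.d = 161 = 1 + 1 × 160, the "e.d = 1 + k.φ(n)" relation the "Why RSA Works" slide uses.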
Exponentiation
- can use the Square and Multiply Algorithm
- a fast, efficient algorithm for exponentiation
- concept is based on repeatedly squaring base
- and multiplying in the ones that are needed to compute the result
- look at binary representation of exponent
- only takes O(log2 n) multiples for number n
  - eg. 7^5 = 7^4 . 7^1 = 3 . 7 = 10 mod 11
  - eg. 3^129 = 3^128 . 3^1 = 5 . 3 = 4 mod 11
Exponentiation
  # Square-and-multiply for a^b mod n, scanning the exponent bits b_k .. b_0
  # from the most significant; c tracks the exponent built so far, f = a^c mod n.
  def square_and_multiply(a, b, n):
      c, f = 0, 1
      for bit in bin(b)[2:]:      # binary representation of the exponent, high bit first
          c = 2 * c
          f = (f * f) % n         # square
          if bit == '1':
              c = c + 1
              f = (f * a) % n     # multiply in the base where the bit is set
      return f
Efficient Encryption
- encryption uses exponentiation to power e
- hence if e small, this will be faster
  - often choose e = 65537 (2^16 + 1)
  - also see choices of e = 3 or e = 17
- but if e too small (eg e = 3) can attack
  - using Chinese remainder theorem & 3 messages with different moduli
- if e fixed must ensure gcd(e, φ(n)) = 1
  - ie reject any p or q not relatively prime to e
Efficient Decryption
- decryption uses exponentiation to power d
  - this is likely large, insecure if not
- can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get desired answer
  - approx 4 times faster than doing directly
- only owner of private key who knows values of p & q can use this technique
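CRT decryption as the slide describes, on the same toy key (n = 187, d = 23, with p = 17 and q = 11 assumed as the factors the slides do not state), checked against the direct C^d mod n. This is an added example, not slide code; the re-encryption check in the last function is the usual implementation safeguard for CRT decryption, not something the slide mentions.

```python
def crt_decrypt(c, p, q, d):
    """Work mod p and mod q separately, then recombine (Garner's form of the CRT)."""
    dp, dq = d % (p - 1), d % (q - 1)        # exponents reduced via Fermat: x^(p-1) = 1 mod p
    q_inv = pow(q, -1, p)                    # q^-1 mod p, precomputed once by the key owner
    m1 = pow(c % p, dp, p)                   # half-size exponent, half-size modulus
    m2 = pow(c % q, dq, q)
    h = (q_inv * (m1 - m2)) % p
    return m2 + h * q                        # the unique value in [0, n) matching both residues

def direct_decrypt(c, n, d):
    """Plain C^d mod n for comparison."""
    return pow(c, d, n)

def crt_decrypt_checked(c, p, q, d, e):
    """Recompute C from the CRT result with the public key and refuse to return a
    result that does not re-encrypt to c (a faulty CRT half would otherwise leak p or q)."""
    m = crt_decrypt(c, p, q, d)
    if pow(m, e, p * q) != c:
        raise RuntimeError("CRT decryption result failed re-encryption check")
    return m
```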
RSA Key Generation
- users of RSA must:
  - determine two primes at random: p, q
  - select either e or d and compute the other
- primes p, q must not be easily derived from modulus n = p.q
  - means must be sufficiently large
  - typically guess and use probabilistic test
- exponents e, d are inverses, so use Inverse algorithm to compute the other
RSA Security
- possible approaches to attacking RSA are:
  - brute force key search (infeasible given size of numbers)
  - mathematical attacks (based on difficulty of computing φ(n), by factoring modulus n)
  - timing attacks (on running of decryption)
  - chosen ciphertext attacks (given properties of RSA)
Factoring Problem
- mathematical approach takes 3 forms:
  - factor n = p.q, hence compute φ(n) and then d
  - determine φ(n) directly and compute d
  - find d directly
- currently believe all equivalent to factoring
  - have seen slow improvements over the years
  - as of May 05 best is 200 decimal digits (663 bit) with LS
  - biggest improvement comes from improved algorithm
    - cf QS to GNFS to LS
  - currently assume 1024-2048 bit RSA is secure
    - ensure p, q of similar size and matching other constraints
Timing Attacks
- developed by Paul Kocher in mid-1990s
- exploit timing variations in operations
  - eg. multiplying by small vs large number
  - or IF's varying which instructions executed
- infer operand size based on time taken
- RSA exploits time taken in exponentiation
- countermeasures
  - use constant exponentiation time
  - add random delays
  - blind values used in calculations
Chosen Ciphertext Attacks
Summary
- have considered:
  - principles of public key cryptography
  - RSA algorithm, implementation, security
Chapter 3 Key Management
- public key encryption helps address key distribution problems
- have two aspects of this:
  - distribution of public keys
  - use of public key encryption to distribute secret keys
Distribution of Public Keys
- can be considered as using one of:
  - public announcement
  - publicly available directory
  - public key authority
  - public key certificates
Public Announcement
- users distribute public keys to recipients or broadcast to community at large
  - eg. append PGP keys to email messages or post to newsgroups or email list
- major weakness is forgery
  - anyone can create a key claiming to be someone else and broadcast it
  - until forgery is discovered can masquerade as claimed user
Publicly Available Directory
- can obtain greater security by registering keys with a public directory
- directory must be trusted with properties:
  - contains {name, public key} entries
  - participants register securely with directory
  - participants can replace key at any time
  - directory is periodically published
  - directory can be accessed electronically
- still vulnerable to tampering or forgery
Public Key Authority
- improve security by tightening control over distribution of keys from directory
- has properties of directory
- and requires users to know public key for the directory
- then users interact with directory to obtain any desired public key securely
  - does require real time access to directory when keys are needed
Public Key Authority
Public Key Certificates
- certificates allow key exchange without real time access to public key authority
- a certificate binds identity to public key
  - usually with other info such as period of validity, rights of use etc
- with all contents signed by a trusted Public Key or Certificate Authority (CA)
- can be verified by anyone who knows the public key authority's public key
Public Key Certificates
Public Key Distribution of Secret Keys
- use previous methods to obtain public key
- can use for secrecy or authentication
- but public key algorithms are slow
- so usually want to use private key encryption to protect message contents
- hence need a session key
- have several alternatives for negotiating a suitable session key
Simple Secret Key Distribution
- proposed by Merkle in 1979
  - A generates a new temporary public key pair
  - A sends B the public key and their identity
  - B generates a session key K and sends it to A encrypted using the supplied public key
  - A decrypts the session key and both use it
- problem is that an opponent can intercept and impersonate both halves of the protocol
Public Key Distribution of Secret Keys
- if have securely exchanged public keys:
Hybrid Key Distribution
- retain use of private key KDC
- shares secret master key with each user
- distributes session key using master key
- public key used to distribute master keys
  - especially useful with widely distributed users
- rationale
  - performance
  - backward compatibility
Diffie-Hellman Key Exchange
- first public key type scheme proposed
- by Diffie & Hellman in 1976 along with the exposition of public key concepts
  - note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
- is a practical method for public exchange of a secret key
- used in a number of commercial products
Diffie-Hellman Key Exchange
- a public key distribution scheme
  - cannot be used to exchange an arbitrary message
  - rather it can establish a common key
  - known only to the two participants
- value of key depends on the participants (and their private and public key information)
- based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial): easy
- security relies on the difficulty of computing discrete logarithms (similar to factoring): hard
Diffie-Hellman Setup
- all users agree on global parameters:
  - large prime integer or polynomial q
  - a being a primitive root mod q
- each user (eg. A) generates their key
  - chooses a secret key (number): xA < q
  - compute their public key: yA = a^xA mod q
- each user makes public that key yA
Diffie-Hellman Key Exchange
- shared session key for users A & B is KAB:
  KAB = a^(xA.xB) mod q
      = yA^xB mod q (which B can compute)
      = yB^xA mod q (which A can compute)
- KAB is used as session key in private key encryption scheme between Alice and Bob
- if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys
- attacker needs an x, must solve discrete log
Diffie-Hellman Example
- users Alice & Bob who wish to swap keys:
- agree on prime q = 353 and a = 3
- select random secret keys:
  - A chooses xA = 97, B chooses xB = 233
- compute respective public keys:
  - yA = 3^97 mod 353 = 40 (Alice)
  - yB = 3^233 mod 353 = 248 (Bob)
- compute shared session key as:
  - KAB = yB^xA mod 353 = 248^97 = 160 (Alice)
  - KAB = yA^xB mod 353 = 40^233 = 160 (Bob)
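The exchange above with the slide's parameters (q = 353, a = 3, xA = 97, xB = 233), together with the two facts the scheme rests on: a = 3 is a primitive root of 353 (order q-1, as the Primitive Roots slide defines it), and the discrete logarithm that an eavesdropper would need. This is an added example, not slide code; the brute-force logarithm is only feasible because q is tiny.

```python
Q, A = 353, 3   # the slide's global parameters: prime q and base a

def multiplicative_order(a, q):
    """Smallest m > 0 with a^m = 1 mod q (assumes gcd(a, q) = 1);
    a is a primitive root of q iff m = q - 1 = phi(q) for prime q."""
    m, cur = 1, a % q
    while cur != 1:
        cur, m = cur * a % q, m + 1
    return m

def public_key(x, a=A, q=Q):
    """y = a^x mod q."""
    return pow(a, x, q)

def shared_key(my_secret, their_public, q=Q):
    """K = y^x mod q, computed by each side from the other's public value."""
    return pow(their_public, my_secret, q)

def discrete_log(y, a=A, q=Q):
    """Brute-force x with a^x = y mod q, trying successive powers as the slides do.
    Returns None when no such x exists (a not a primitive root)."""
    for x in range(q - 1):
        if pow(a, x, q) == y:
            return x
    return None

def dh_example():
    """Alice (xA = 97) and Bob (xB = 233): returns (yA, yB, K as Alice sees it, K as Bob sees it)."""
    yA, yB = public_key(97), public_key(233)
    return yA, yB, shared_key(97, yB), shared_key(233, yA)
```

With only yA = 40 on the wire, discrete_log(40) recovers xA = 97 here in a few hundred multiplications; for a 2048-bit q the same search is out of reach, which is the whole security argument.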
Key Exchange Protocols
- users could create random private/public DH keys each time they communicate
- users could create a known private/public DH key and publish in a directory, then consulted and used to securely communicate with them
- both of these are vulnerable to a meet-in-the-Middle Attack
- authentication of the keys is needed
Chapter 4 Elliptic curve cryptography
- Elliptic curve cryptography
Elliptic Curve Cryptography
- majority of public key crypto (RSA, DH) use either integer or polynomial arithmetic with very large numbers/polynomials
- imposes a significant load in storing and processing keys and messages
- an alternative is to use elliptic curves
- offers same security with smaller bit sizes
- newer, but not as well analysed
Real Elliptic Curves
- an elliptic curve is defined by an equation in two variables x & y, with coefficients
- consider a cubic elliptic curve of form
  - y^2 = x^3 + ax + b
  - where x, y, a, b are all real numbers
  - also define zero point O
- have addition operation for elliptic curve
  - geometrically sum of Q+R is reflection of intersection R
Real Elliptic Curve Example
Finite Elliptic Curves
- Elliptic curve cryptography uses curves whose variables & coefficients are finite
- have two families commonly used:
  - prime curves Ep(a,b) defined over Zp
    - use integers modulo a prime
    - best in software
  - binary curves E2m(a,b) defined over GF(2^n)
    - use polynomials with binary coefficients
    - best in hardware
Elliptic Curve Cryptography
- ECC addition is analog of modulo multiply
- ECC repeated addition is analog of modulo exponentiation
- need hard problem equiv to discrete log
  - Q = kP, where Q, P belong to a prime curve
  - is easy to compute Q given k, P
  - but hard to find k given Q, P
  - known as the elliptic curve logarithm problem
- Certicom example: E23(9,17)
ECC Diffie-Hellman
- can do key exchange analogous to DH
- users select a suitable curve Ep(a,b)
- select base point G = (x1, y1)
  - with large order n s.t. nG = O
- A & B select private keys nA < n, nB < n
- compute public keys: PA = nA G, PB = nB G
- compute shared key: K = nA PB, K = nB PA
  - same since K = nA nB G
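Point addition, scalar multiplication, ECC Diffie-Hellman and the elliptic curve logarithm problem on the Certicom curve E23(9,17) named above, i.e. y^2 = x^3 + 9x + 17 over Z23. This is an added example, not slide code; the base point G = (16, 5), which lies on this curve, and the private keys 3 and 7 are my own choices, and the brute-force logarithm works only because the group has a few dozen points.

```python
P_MOD, A, B = 23, 9, 17   # E_23(9,17): y^2 = x^3 + 9x + 17 over Z_23
O = None                  # the zero point (point at infinity)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def point_add(p1, p2):
    """Group law: chord through two distinct points, tangent when doubling."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O   # P + (-P) = O; also covers doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """kP by double-and-add, the curve analogue of square-and-multiply."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ec_dlog(base, target):
    """Brute-force k with k*base = target (the elliptic curve logarithm problem).
    Hasse's bound gives at most p + 1 + 2*sqrt(p) < 2p + 2 points, so that many tries suffice."""
    cur = base
    for k in range(1, 2 * P_MOD + 2):
        if cur == target:
            return k
        cur = point_add(cur, base)
    return None

def ecdh(G, nA, nB):
    """PA = nA*G, PB = nB*G; returns (nA*PB, nB*PA), both equal to nA*nB*G."""
    PA, PB = scalar_mult(nA, G), scalar_mult(nB, G)
    return scalar_mult(nA, PB), scalar_mult(nB, PA)
```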
ECC Encryption/Decryption
- several alternatives, will consider simplest
- must first encode any message M as a point on the elliptic curve Pm
- select suitable curve & point G as in DH
- each user chooses private key nA < n
- and computes public key PA = nA G
- to encrypt Pm: Cm = {kG, Pm + kPb}, k random
- decrypt Cm compute:
  Pm + kPb - nB(kG) = Pm + k(nB G) - nB(kG) = Pm
ECC Security
- relies on elliptic curve logarithm problem
- fastest method is Pollard rho method
- compared to factoring, can use much smaller key sizes than with RSA etc
- for equivalent key lengths computations are roughly equivalent
- hence for similar security ECC offers significant computational advantages
Comparable Key Sizes for Equivalent Security
Summary
- have considered:
  - distribution of public keys
  - public key distribution of secret keys
  - Diffie-Hellman key exchange
  - Elliptic Curve cryptography