M.Mogollon – 0 Cryptography and Security Services: Mechanisms and Applications Manuel Mogollon...

M.Mogollon – 1

Cryptography and Security Services: Mechanisms and Applications

Manuel [email protected]

Chapter 3Chapter 3Number Theory, and Public Key Ciphers

M. Mogollon - 2

Number Theory Exponentiation and Public-Key Ciphers Key Management

Session 3 Contents

• Number Theory and Finite Arithmetic— Counting in modulo p Arithmetic— Congruence Arithmetic— Fermat’s Theorem— Euler’s Theorem

• Confidentiality using Public-Key Ciphers— Pohlig-Hellman Algorithm— The RSA Algorithm— ElGamal Algorithm

• Key Management Using Exponentiation Ciphers— The Diffie-Hellman Key Agreement— RSA Key Transport

M. Mogollon - 3


Principle of Counting

• The number of possible outcomes from which several procedures can be performed together is the product of n1 . n2 x n3 . ... nn. Where n1 is the number of possible way procedure 1 can have, and so on.

• Suppose a password contains two distinct lower case letters and three numbers, but the first number can’t be zero.— Letters variations are 26, and 25, (distinct letters).— Number variations are 9, 10, 10. — Total number of passwords of possible passwords are 26 x 25 x 9 x 10 x 10

• At another company, the guidelines might be to use eight upper-case letters, lower case letters, or numbers, in any order. Now for each entry there are 26 + 26 + 10 possibilities and the total password space is 62 . 62 . 62 . 62 . 62 . 62 . 62 . 62 = 628.

• When talking about bits there are two possibilities, 0 and 1.— For four bits there are 2 x 2 x 2 x 2 possibilities— For 128 bits there are 2128 possibilities.

Exponentiation examples— 2 x 2 x 2 x 2 = 24

— (2 x 2 x 2 x 2 ) x (2 x 2 x 2 ) = 24 x 23 = 2(4+3) = 27 — (2 x 2 x 2 x 2 x 2) / (2 x 2 x 2 ) = 25 / 23 = 2(5-3) = 22

M. Mogollon - 4


Number Theory and Finite Arithmetic

• Number Theory plays an important role in Public-Key crypto systems.

• It is necessary to understand only certain basic concepts of Number Theory, such as modular arithmetic and congruence as they are related to a Public-Key crypto system.

M. Mogollon - 5


Counting in Modular Arithmetic

• Add 9h, 43m, 25s and 4h, 26m, 50s

Hours Minutes Seconds

9 43 25

4 26 50

---- ----- -----

13 69 75

(13 + 1 - 12) (69 + 1 - 60) (75 - 60)

2 10 15

• When we added the seconds and minutes in the example above, we used 60 as a modulo, so we can say that (25 + 50) = 15 (mod 60); 15 is the remainder left, after 75 is divided by 60.

• Calculation of modulo returns the remainder after a number is divided by a divisor.

M. Mogollon - 6


Congruence Arithmetic

The notion of congruence arithmetic (modulo arithmetic) was introduced by Gauss; it is a form of arithmetic in which only the remainders after division by a specific integer, are used. If a is divided by p and has a remainder b, it can be said that a is congruent to b, modulo p. For example let’s say that:

a = (k . p) + b

If a = 32 is divided by p = 5, the result will be k = 6 with a remainder of b = 2.

This congruence is expressed as follows:

a b mod p 32 2 mod 5

and it is read,

a is congruent to b, modulo p 32 is congruent to 2 modulo 5

Congruences with the same modulo can be added, subtracted, or multiplied.

Another way to read the expression is to say that

a is equivalent to b, modulo p 32 is equivalent to 2, modulo 5

M. Mogollon - 7


Congruence – Addition and Subtraction

Addition

If a b mod p and c d mod p, then (a + c) (b + d) mod p.

For example, 32 2 mod 5 and 49 4 mod 5,

then,

(32 + 49) (2 + 4) mod 5 or 81 6 mod 5 1 mod 5.

Subtraction

If a b mod p and c d mod p, then (a - c) (b - d) mod p.

For example, a = 49 4 mod 5 and c = 32 2 mod 5,

then, (49 - 32) (4 - 2) mod 5 or 17 2 mod 5.

Or for a = 32 2 mod 5 and c = 49 4 mod 5 and

then 32 – 49 (2 - 4) mod 5, or -17 -2 mod 5 = -2 mod 5 = 3 mod 5

M. Mogollon - 8


Addition in Modulo p

(a + b + c) mod p = a (mod p) + b (mod p) + c (mod p).

Example: Add the following three large numbers, and then find the modulo 8191 of the result.

We can add them first and find the modulo:58,736,593,76515,345,786,365 1,763,785,786---------------------75,846,165,916 (mod 8191) = 4,171 (mod 8191)

Otherwise, we can find the modulo of each number and then add the results of each modulo-added number:

58,736,593,765 (mod 8191) = 5,786 (mod 8191)15,345,786,365 (mod 8191) = 5,202 (mod 8191)

--------------------------10,988 (mod 8191) = 2,797 (mod 8191)

2,797 (mod 8191)1,763,785,786 (mod 8191) = 1,374 (mod 8191)

---------------------------4,171 (mod 8191)

M. Mogollon - 9


Congruence – Multiplication

Both sides of a congruence can be multiplied by the same number, just as both sides of an algebraic equation can be multiplied by the same number.

If a b mod p

then, for any value of c

(a . c ) (b . c) mod p

Example: For 32 2 (mod 5) and c = 11:

(32 . 11) (2 . 11) (mod 5)

352 22 (mod 5) 2 (mod 5)

Also, if a b mod p and c d mod p,

then, (a . c) (b . d) mod p.

Example: For 32 2 (mod 5) and 49 4 (mod 5),

then, (32 . 49) (2 . 4) (mod 5),

1568 8 (mod 5) 3 (mod 5).

M. Mogollon - 10


Congruence – Exponentiation

Both sides of a congruence can be raised to the same exponent just as both sides of an equation can be raised to the same exponent.

For any value of r,

Example: For 32 2 mod 5 and r = 3:

323 23 mod 5

32,768 8 mod 5

3 mod 5

p b arr mod

M. Mogollon - 11


Exponentiation in Modulo p

(an) mod p = am1 (mod p) x am2 (mod p) x am3 (mod p) x . . . . . Where, n = m1 + m2 + m3 + ….

Problem: Find 56118 mod 8191

Convert 118 decimal to 118 binary.

118 (decimal) = 1 1 1 0 1 1 0 (binary)

56118 = 5664 5632 5616 564 562

56118 mod 8191 = 5664 mod 8191 x 5632 mod 8191 5616 mod 8191 x

564 mod 8191 x 562 mod 8191

56118 mod 8191 = 7388 mod 8191

M. Mogollon - 12


Congruence – Canceling

The rule for canceling a congruence by an integer is a little more complicated than multiplication.

If (a . c ) (b . c) mod p

then

where (c, p) is the greatest common divisor of c and p.

If c and p are relatively prime, then the gcd (c, p) = 1.

Example:

58 . 100 100 mod 380

gcd (100, 380) = 20

Then, 58 1 mod 380 / 20 1 mod 19

] p) (c,

p[ b a mod

M. Mogollon - 13


Exponentiation Ciphers

b + p) * (k= a

p b a mod

p b a rr mod

1 + p) * (k= a

p 1 a mod

p 1 ar mod

1 + p) * (k= a 1-p p 1 a 1-p mod

1 p a 1-p modp 1 )a( k1-p mod

If b = 1, then

Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,

M. Mogollon - 14


Fermat’s Theorem

• Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,

• These properties can be used to exponentiate a to a large number. Having the restriction on a and p, it is possible to write,

669 (mod 17) º (617 - 1)4 mod 17 . 65 (mod 17)

669 (mod 17) º 1 . 65 (mod 17) º 7 (mod 17)

• A faster way to do the exponentiation is to apply modulo (p - 1) to the exponent and say that if n º m mod (p - 1), then an º am mod p. In the example before:

a = 6, m = 69, p = 17, n = 69 mod (17-1) = 5; then,

65 = 669 mod (17 - 1) = 65 (mod 17) = 7 (mod 17)

1 + p) * (k= a 1-p p 1 a 1-p mod

1 p a 1-p modp 1 )a( k1-p mod 7 1 6

7 1 66

1-7

mod

mod

M. Mogollon - 15


Euler’s Theorem

Euler's Theorem states that:

where

1. a and p are relatively prime, gcd (a, p) = 1.

2. (p) is the Euler totien function which is equal to the number of integers relatively prime to p in the range 1 ..... (p - 1). For example, for p = 15, the relative prime numbers are 1, 2, 4, 7, 8, 11, 13, 14; so (15) = 8. In general, a. If p is a prime, then (p) = (p - 1)b. If p is a prime, then (pk) = (pk - pk - 1)c. If p and q are primes, then (p . q) = (p - 1)(q - 1)d. If p is a prime, for p2, then (p2) = p(p - 1)

3. If g.c.d (p, q) = 1, the Euler totien function is multiplicative denoting (pq) = (p) * (q)

1 + p) * (k= a (p) p 1= a (p) mod

M. Mogollon - 16


Euler’s Theorem Using the equation

it is possible to exponentiate a to a large number by reducing the exponent.

Example: For a = 2, p = 15, and (15) = 8:

222 (mod 15) º [28 (mod 15)] . [28 (mod 15)] . [26 (mod 15)]

222 (mod 15) º 1 . 1 . [26 (mod 15)]

222 (mod 15) º 4 (mod 15)

Even if a is not relatively prime with p, it is possible to reduce the exponent to modulo (p), except in the case of exponents reduced to 0. For example, for a = 3, p = 15, and (15) = 8:

322 (mod 15) º [38 (mod 15)] . [38 (mod 15)] . [36 (mod 15)]

322 (mod 15) º 1 . 1 . [36 (mod 15)]

322 (mod 15) º 9 (mod 15)

p 1= a (p) mod

M. Mogollon - 17


Exponentiation Cipher

According to , equation

can be written as

and from equation

it follows that

or,

which can be written as

where,

which can be written as

or,

p a = a 1 + (p) k mod

p a = a D * E mod

1 + (p) k= D * E

p b arr mod p 1= a (p) mod

p 1= p 1= a k(p) k modmod

p c) * (b c) *(a mod

paaa (p k mod1..

]mod[ (p) 1= D * E

1= (p) D * E ]mod[

M. Mogollon - 18


Exponentiation Cipher – Cont.

In

the reciprocal of the number E is the inverse or multiplicative inverse of D. Normally, E is selected first and then the corresponding D must be found.

By symmetry, the exponents E and D are commutative and

mutual inverses, so it is possible to say that

can be written as

Replacing “a” for “M” message, the equation can be written as

p a = a D * E mod

1= (p) D * E ]mod[

p p] a[= p a E DD * E modmodmod

M= p M D * E mod

M= p p] M[ E D modmod

a = p a D * E mod

M. Mogollon - 19


Exponentiation Cipher – Cont.

In

The equation illustrates that if M the plaintext is enciphered with the following algorithm {(plaintext)E (mod p)} to produce a ciphertext, and that if at the receiver’s end, the ciphertext is deciphered using the algorithm [(Ciphertext)D] (mod p), the same plaintext M will be obtained.

In other words, by raising the ciphertext to the Dth power and reducing it modulo p, the plaintext will be recovered. This can be written as follows:

where M is the plaintext, C is the ciphertext, and E and D are the enciphering and deciphering keys.

Exponentiation ciphers encipher a message block by computing the exponential according to above equations.

M= p p] M[ E D modmod

p M= C E mod

p C= M D mod

M. Mogollon - 20


The Set of Real Numbers

Symbol Number System

Description Examples

NNatural

NumbersCounting numbers (also called positive integers).

1, 2, 3, 4, 5, …..

Z IntegersSet of natural numbers, their negatives, and zero.

.., -2, -1, 0, 1, 2, …

Q Rational

Any number that can be represented as a/b, where and a and b are integers and b ≠ 0.

-7, -2/5, 0, ¾, 5.42

R RealSet of all rational and irrational numbers.

-7, -2/5, 0, 1, ¾, 5.42,

,5,2

M. Mogollon - 21


Finite Fields

• Finite fields are fields that are finite.• A field is a set of numbers in which the usual mathematical

operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws.

• Real numbers, rational numbers (fractions), and complex numbers are elements of infinite fields.

• A discrete logarithm (DL) and elliptic curve (EC) cryptography schemes are always based on computations in a finite field in which there are only a finite number of quantities.

• For cryptography applications, the finite fields that are usually used are the field of characteristic (congruences).

• The finite field used in DL and EC are the field of prime characteristic Fp and the field of characteristic two F2

m. The finite field is also denoted as GF(q)

M. Mogollon - 22


Finite Fields

• Characteristic Prime Finite Fields—The finite field Fp is the prime finite field containing p elements. If

p is an odd prime number, then there is a unique field Fp that consists of the set of integers{0, 1, 2 ,..., p – 1}.

• Characteristic Two Finite Fields—A characteristic two finite field (also known as a binary finite field)

is a finite field whose number of elements is 2m. If m is a positive integer greater than 1, the binary finite field F2

m consists of the 2m possible bit strings of length m.

—For example, F23 = {000, 001, 010, 011, 100, 101, 110, 111}

M. Mogollon - 23


What is Public-Key Cryptography ?

public-key cryptography / (1) An encryption method that uses a pair of keys, one public and one private. Messages encoded with either one can be decoded by the other. Also called asymmetric encryption. (2) Algorithms used to prove the authenticity of the message originator and to exchange keys.

M. Mogollon - 24


Types of Public-key Cryptography

• Exponentiation ciphers—RSA.

• Discrete logarithm systems—ElGamal public-key encryption, Digital Signature Algorithm (DSA),

Diffie-Hellman key Agreement.

• Elliptic curve cryptography.

M. Mogollon - 25


Exponentiation Algorithms

Exponential crypto algorithms encipher messages according to the following formula:

M being the plaintext and C the ciphertext.

pCM

pMC

Driv

Eub

P

P

mod

mod

Receiver

Initial CryptoVariable

DecipherMessageM Message M

Pub Key E

Sender

C = MPub E (mod p)Encipher

M = CPriv D (mod p)

Pair Key Generator

Priv Key D

M. Mogollon - 26


Pohlig-Hellman Exponentiation Algorithm

M is the clear message, C is the crypto message; E and D are the crypto variables used to encipher and to decipher the message. Example: p = 73, E = 29, D = 5 y M = 2;

C = M E (mod p) = 229 (mod 73) = 4 (mod 73)M = C D (mod p) = 45 (mod 73) = 2

pCM

pMC

Driv

Eub

P

P

mod

mod

Recommendation: p should be a large prime.Keep E and D secret; Polig-Hellman is not a Public Key system.

Mathematical Requirements

172mod5*29

]mod[

1p = (p)

1 = (p) D * E

1) -(p 1= ] (p) [ 1= D * E modmod

M. Mogollon - 27


RSA Algorithm

Where,M = Plaintext C = Ciphertext

Pub = Public-Key (Encipher) Priv = Private Key (Decipher) n = p . q

The public key, Pub , and the modulo n are made public and the private, Priv , is kept secret.

nCM

nMC

Driv

Dub

P

P

mod

mod

Example: p = 11, q = 31, n = 11 * 31 = 341Pub = 53, Priv = 17 and M=2.

C = 253 (mod 341) = 8 M = 817 (mod 341) = 2

Mathematical requirements:

1300mod17*53

)1(*)(

]mod[

q1p = (n)

1 = (n) P * P rivub

M. Mogollon - 28


ElGamal Algorithm

• A modification of the ElGamal digital signature can be used to encipher messages. The public and private keys, or key pair, are generated as follows:1. Choose a prime p to be the modulo and choose two random numbers g

and PrivA = a that are less than p.2. Calculate

3. The public key consist of yA, g, and p.

• Suppose Alice wishes to send a message m to Bob. Alice first generates a random number k less than p, then she computes

• Alice sends Y1 and Y2 to Bob. Upon receiving the ciphertext, Bob deciphers the message by computing

and then m, the message, by calculating

) p ( g= y PrivA

A mod

) p ( y= y Aivp mod)Pr1(13

) p (y y= m mod23

) p ( ym= y

) p ( g= y

Ak

k

mod

mod

2

1

M. Mogollon - 29


ElGamal Algorithm

• Example*1. Alice selects the prime p = 2357 to be the modulo, and two

random numbers g = 2, and PrivA = a = 1751.

2. Alice calculates

3. Alice’s message m = 2035 and random number k = 1520.

4. Alice computes

5. Alice sends (y1 and y2) to Bob.

6. Upon receiving the ciphertext, Bob deciphers the message by computing

7. And then m, the message, by calculating

Note: Values from (Menezes, Oorschot, Vanstone 1996). Applied Cryptography Handbook

11852357mod2mod 1751 ) ( ) p ( g= y PrivA

A

6972357mod1185.2035

14302357mod21520

2

15201

) ( = y

) ( = y

8722357mod1430mod )175112357()Pr1(13 ) ( ) p ( y= y Aivp

2035)2357mod(697.872mod23 ) p (y y= m

M. Mogollon - 30


Public Key Encryption

Encipher

Decipher

Alice’s Private Key

Alice’s Public Key

Encipher

Decipher

Bob’s Public Key

Bob’s Private Key

Encipher

Decipher

Bob’s Private Key

Bob’s Public Key

Sender (Alice) Receiver (Bob)

Non-Repudiation of Origin (Authenticity) Anyone who has Alice’s public key will be able to decipher the message. Alice cannot deny that she sent the message.

Confidentiality ─ Bob will be the only one able to decipher the message because only he has his private key.

Enciphering is not possible because Alice doesn’t have Bob’s private key.

Encipher

Decipher

Alice’s Public Key

Alice’s Private Key

Bob will not be able to decipher the message because he doesn’t have Alice’s private key.

M. Mogollon - 31


Key Management

• Conventional crypto networks using symmetric cryptosystems typically have a Key Distribution Center (KDC) to distribute or load the keys into each of the crypto units.

• There are three ways to send information about the secret key needed to decipher a message:— Pre-Shared Secret Keys – The secret keys are loaded into both parties’

crypto systems beforehand, and it is only necessary to define which of the secret keys was used to encipher the message.

— Transport and Wrapping Keys – A secret key can be sent by transporting the key using public key algorithms or by wrapping the key using symmetric key algorithms.

— Key Agreement – A key agreement algorithm allows a sender and a receiver to share a secret key computed from public-key algorithms.

M. Mogollon - 32


Pre-Shared Secret Keys

The secret keys have been loaded in both servers, so only the name associated with the

key needs to be sent.

Web Service Requester

Web Service Provider

Secret Key Table

Secret Key

Key Name

Type of Encryption Algorithm

Key Name

Secret Key Table

Secret Key

Key Name

Type of Encryption Algorithm

M. Mogollon - 33


Encrypted Key – Transporting the Key

Use a public key algorithm to transport the session key

Service Provider’s Public Key

Session Key

Session Key

RSAES-v1.5 or RSAES-OAEP

.Algorithm



Service Provider’s

Private Key

Enciphering Deciphering

RSAES-v1.5 or RSAES-OAEP

.Algorithm

M. Mogollon - 34


Wrapping the Key

Shared key-encrypting key

Use shared key-encrypting-key to wrap (encipher) a session key

3DESor

AES

Session key Block 1

Enciphered Session key

Block 1

IVShared key-encrypting

keyIV

+

Use 3DES or AES to encipher and decipher a

session key

EncipherDecipher



Shared Key-Encrypting Key

Session key

Session key

Session key Block n


Block n

3DESor

AES

+

+ +


Block n


Block 1

Session key Block 1

Session key Block n

3DESor

AES

3DESor

AES

Shared key-encrypting

key

M. Mogollon - 35


Key Agreement

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange

Pre Master Key(ZZ)

Pre Master Key(ZZ)

Key Material Generation

Session Key

Session Key

Key Material Generation

Use Diffie-Hellman to calculate ZZ and RFC-2631 Key

Agreement Method to generate key material, as required.



M. Mogollon - 36


Diffie-Hellman Key Agreement System

1. Sender and receiver, Alice and Bob, agree on fixed constants, p and g, which do not need to be kept secret; p is a large prime number, and g is any integer between 0 and p - 1.(p - 1) / 2 should be a prime.

2. When communication between Alice and Bob is established, they randomly generate a secret number: PrivA and PrivB.

3. Alice and Bob generate their corresponding public numbers:

4. Alice and Bob exchange PubA and PubB over the non-secure channel.

5. Alice and Bob compute ZZ, the session key, by

6. Alice and Bob use ZZ as their secret key, and load it into their key generators to secure their communications.

) p ( g= Pub PrivAA mod ) p ( g= Pub Priv

BB mod

) p ( Pub= ZZ Priv B

A mod ) p ( Pub= ZZ Priv A

B mod

M. Mogollon - 37



Both units use ZZ as the Session Key to encipher the message.

g and p are large integers

Priv A = Random large integer

)(modPr pgP AivAub

PubBPubA

Alice’s ZZ = Bob’ZZ Bob’s ZZ = Alice’s ZZ

g and p do not need to be secret

)(modPr pgP BivBub

Alice Bob

g and p are large integers

Priv B = Random large integer

) p ( Pub= ZZ Priv A

B mod) p ( Pub= ZZ Priv B

A mod

M. Mogollon - 38



g=12 p= 47

PrivA= 3

g= 12 p= 47

PrivB=5

18 18

36 14

g and p do not need to be secret

Both units use 18 as the Session Key to encipher the message.

36)47(mod12 3 AubP 14)47(mod12 5 BubP

18)47(mod14 3 Z 18)47(mod36' 5 Z

Sender and receiver agree on the same group or pair of g and p.

M. Mogollon - 39



• No control over the generated session key.

• Subject to the Man-in-the-Middle attack.

• No information about the parties’ identities.

• Subject to a clogging attack. It is computationally intensive.

Spoofed by the Man-in-the-Middle

Solution to the Man-in-the-Middle attack

- Establish authenticity between parties with a certificate.

- Add a hash function (message digest).

- Authenticate the identity of a message with a digital signature.

- Add a random component to the agreed key.SA SB

Alice Bob

Man-in-the-MiddleAttack

M. Mogollon - 40


Combining Symmetric and Asymmetric Ciphers

Exchange (wrap / transport ) or agree (Diffie-Hellman) on a pre-master key.

Symmetric Encryption

Ciphertext Block

IV + +

Secret Key

IV+ +

Secret KeyUse a symmetric algorithm to encipher

and decipher a secure transaction.

Encipher Decipher

Client Web Server




Master Key Generation

Pre-Master Key

Master Key Generation

Pre-Master Key

Integrity (HMAC)

Integrity (HMAC)

Cleartext Block

Cleartext Block

Ciphertext Block

Cleartext Block

Cleartext Block

Ciphertext Block

Ciphertext Block

M. Mogollon - 41


RSA Key Transport

• The secret key is transported as a message.• Alice encrypts the secret key using Bob's public key and she

sends it to Bob as an encrypted message.• Bob uses his private key to decipher the message and gets the

secret key.

nCK

nKCBriv

Bub

P

P

mod

mod

Receiver (Bob)

Sender’s Private Key

DecipherSecret Key K Secret Key K

PubB

n = p . q

Sender (Alice)

Encipher

Receiver’s Public Key

C=KPubB mod nK=CPrivB mod n

M. Mogollon - 42


RSA Problem

• The strength of the RSA algorithm is based on the fact that multiplying two large primes to get n is far easier than, given n, find the two primes; this is called a one-way property.

• One approach a cryptanalyst might use to break an RSA algorithm is to find p and q, the factors of n, calculate φ (n), and then calculate Priv from φ (n) and Pub, using Euclid's algorithm.

• The difficulty of computing Priv from the public information, φ (n) and Pub, depends on the difficulty of factoring n or of deriving p and q from n, because φ (n) = (p - 1) * (q - 1), φ (n) can only be found if p and q are known.

• When p and q are chosen so that n is a 200-digit number, it seems to be computationally infeasible for anyone, even using the fastest computer available today, to break the RSA algorithm.

• Today, RSA Data Security recommends using a 768-bit RSA modulo for personal use, 1024-bits for corporate use, and 2048-bits for protecting extremely valuable data (RSA bulleting 10, 1999).

M. Mogollon - 43


RSA Challenges

Number Month Number Month

RSA-100 April 1991 RSA-110 April 1992

RSA-120 June 1993 RSA-129 April 1994

RSA-130 April 1996 RSA-140 February 1999

RSA-155 August 1999 RSA-160 April 2003

RSA-576 December 2003 RSA-640November

2005

RSA-704 Open RSA 768 Open

M. Mogollon - 44


Discrete Logarithmic Problem

• In the multiplicative group Zp* discrete logarithm (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem:—Given elements y and x of the group, and a prime p, find a number k

such that y = gk mod p.—For example, if y = 2, g = 8, and p = 341, then find k such that 2 ≡ 8k

mod 341.—In Diffie-Hellman, y is the public key, g is a random number, p is the

modulo, and k is the private key that the cryptanalyst is trying to find out.

Which one is the correct Private Key?

M. Mogollon - 45


To Probe Further• Koblitz, N. (1987). A course in Number Theory and Cryptography. New York: Springer-

Verlag.• Ogilvy, C., Anderson, J. (1988). Excursion in Number Theory . New York: Dover Publications,

Inc.• Schneir, B. (1994). Applied Cryptography. New York: John Wiley & Sons.• Diffie, W. (May 1988). The first Ten Years of Public-Key Cryptography, (p. 560). Proceedings

of the IEEE, Vol.76, No.5.• Diffie W., Hellman M.E. (November 1976). New Directions in Cryptography. IEEE

Transactions on Information Theory, Vol. IT-22, No. 6• ElGamal, T.A. (July 1985). Public Key Cryptosystem and a Signature Scheme Based on

Discret Logarithms. IEEE Transactions on Information Theory, Vol. IT-31.• Newman, D. B., Omura, J K., Pickholtz, R. L. (April 1987). Public Key Management for

Network Security. IEEE Network Magazine, Vol. 1, No. 2.• Pohlig S. C., Hellman M. E. (January, 1978). An improved algorithm for computing

logarithms in GF(p) and its cryptographic significance (pp106-110). IEEE Transactions on Information Theory, Vol IT-24.

• Pomerance, C. (Jan 23, 1987). Toward a new Factoring Record, Science News.• Rivest, R., Shamir, A., Adleman L. (1978). A Method for Obtaining Digital Signatures and

Public-Key Cryptosystem. Communications ACM, Vol. 21.

M.Mogollon – 0 Cryptography and Security Services: Mechanisms and Applications Manuel Mogollon...

Documents

Transcript of M.Mogollon – 0 Cryptography and Security Services: Mechanisms and Applications Manuel Mogollon...