
# Chapter 3 - PowerPoint PPT Presentation


### Chapter 3

Number Theory, and Public Key Ciphers

Session 3 Contents
• Number Theory and Finite Arithmetic
• Counting in modulo p Arithmetic
• Congruence Arithmetic
• Fermat’s Theorem
• Euler’s Theorem
• Confidentiality using Public-Key Ciphers
• Pohlig-Hellman Algorithm
• The RSA Algorithm
• ElGamal Algorithm
• Key Management Using Exponentiation Ciphers
• The Diffie-Hellman Key Agreement
• RSA Key Transport
Principle of Counting
• The number of possible outcomes when several procedures are performed together is the product $n_1 \times n_2 \times n_3 \times \cdots \times n_n$, where $n_1$ is the number of possible outcomes of procedure 1, and so on.
• Suppose a password contains two distinct lower-case letters and three numbers, but the first number can’t be zero.
• Letter variations are 26 and 25 (distinct letters).
• Number variations are 9, 10, 10.
• The total number of possible passwords is 26 x 25 x 9 x 10 x 10.
• At another company, the guidelines might be to use eight characters, each an upper-case letter, a lower-case letter, or a number, in any order. Now for each entry there are 26 + 26 + 10 possibilities and the total password space is 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 = $62^8$.
• When talking about bits there are two possibilities, 0 and 1.
• For four bits there are 2 x 2 x 2 x 2 possibilities.
• For 128 bits there are $2^{128}$ possibilities.

Exponentiation examples

• 2 x 2 x 2 x 2 = $2^4$
• (2 x 2 x 2 x 2) x (2 x 2 x 2) = $2^4 \times 2^3 = 2^{(4+3)} = 2^7$
• (2 x 2 x 2 x 2 x 2) / (2 x 2 x 2) = $2^5 / 2^3 = 2^{(5-3)} = 2^2$
Number Theory and Finite Arithmetic
• Number Theory plays an important role in Public-Key crypto systems.
• It is necessary to understand only certain basic concepts of Number Theory, such as modular arithmetic and congruence as they are related to a Public-Key crypto system.
Counting in Modular Arithmetic
• Add 9h, 43m, 25s and 4h, 26m, 50s

| | Hours | Minutes | Seconds |
|---|---|---|---|
| | 9 | 43 | 25 |
| + | 4 | 26 | 50 |
| Sum | 13 | 69 | 75 |
| Carry and reduce | (13 + 1 - 12) | (69 + 1 - 60) | (75 - 60) |
| Result | 2 | 10 | 15 |

• When we added the seconds and minutes in the example above, we used 60 as a modulo, so we can say that $(25 + 50) \equiv 15 \pmod{60}$; 15 is the remainder left after 75 is divided by 60.
• Calculation of modulo returns the remainder after a number is divided by a divisor.
Congruence Arithmetic

The notion of congruence arithmetic (modulo arithmetic) was introduced by Gauss; it is a form of arithmetic in which only the remainders after division by a specific integer, are used. If a is divided by p and has a remainder b, it can be said that a is congruent to b, modulo p. For example let’s say that:

a = (k . p) + b

If a = 32 is divided by p = 5, the result will be k = 6 with a remainder of b = 2.

This congruence is expressed as follows:

$a \equiv b \pmod p$; for example, $32 \equiv 2 \pmod 5$.

a is congruent to b, modulo p; 32 is congruent to 2, modulo 5.

Congruences with the same modulo can be added, subtracted, or multiplied.

Another way to read the expression is to say that

a is equivalent to b, modulo p; 32 is equivalent to 2, modulo 5.

If $a \equiv b \pmod p$ and $c \equiv d \pmod p$, then $(a + c) \equiv (b + d) \pmod p$.

For example, $32 \equiv 2 \pmod 5$ and $49 \equiv 4 \pmod 5$,

then,

$(32 + 49) \equiv (2 + 4) \pmod 5$, or $81 \equiv 6 \equiv 1 \pmod 5$.

Subtraction

If $a \equiv b \pmod p$ and $c \equiv d \pmod p$, then $(a - c) \equiv (b - d) \pmod p$.

For example, $a = 49 \equiv 4 \pmod 5$ and $c = 32 \equiv 2 \pmod 5$,

then, $(49 - 32) \equiv (4 - 2) \pmod 5$, or $17 \equiv 2 \pmod 5$.

Or for $a = 32 \equiv 2 \pmod 5$ and $c = 49 \equiv 4 \pmod 5$,

then $(32 - 49) \equiv (2 - 4) \pmod 5$, or $-17 \equiv -2 \equiv 3 \pmod 5$.

$(a + b + c) \bmod p = [(a \bmod p) + (b \bmod p) + (c \bmod p)] \bmod p$.

Example: Add the following three large numbers, and then find the modulo 8191 of the result.

We can add them first and find the modulo:

58,736,593,765 + 15,345,786,365 + 1,763,785,786 = 75,846,165,916

75,846,165,916 (mod 8191) = 4,171 (mod 8191)

Otherwise, we can find the modulo of each number and then add the results, reducing modulo 8191 after each addition:

58,736,593,765 (mod 8191) = 5,786 (mod 8191)

15,345,786,365 (mod 8191) = 5,202 (mod 8191)

5,786 + 5,202 = 10,988 (mod 8191) = 2,797 (mod 8191)

1,763,785,786 (mod 8191) = 1,374 (mod 8191)

2,797 + 1,374 = 4,171 (mod 8191)

Congruence – Multiplication

Both sides of a congruence can be multiplied by the same number, just as both sides of an algebraic equation can be multiplied by the same number.

If $a \equiv b \pmod p$

then, for any value of c

$(a \cdot c) \equiv (b \cdot c) \pmod p$

Example: For $32 \equiv 2 \pmod 5$ and c = 11:

$(32 \cdot 11) \equiv (2 \cdot 11) \pmod 5$

$352 \equiv 22 \equiv 2 \pmod 5$

Also, if $a \equiv b \pmod p$ and $c \equiv d \pmod p$,

then, $(a \cdot c) \equiv (b \cdot d) \pmod p$.

Example: For $32 \equiv 2 \pmod 5$ and $49 \equiv 4 \pmod 5$,

then, $(32 \cdot 49) \equiv (2 \cdot 4) \pmod 5$,

$1568 \equiv 8 \equiv 3 \pmod 5$.

Congruence – Exponentiation

Both sides of a congruence can be raised to the same exponent just as both sides of an equation can be raised to the same exponent.

For any value of r,

Example: For $32 \equiv 2 \pmod 5$ and r = 3:

$32^3 \equiv 2^3 \pmod 5$

$32{,}768 \equiv 8 \pmod 5$

$\equiv 3 \pmod 5$

Exponentiation in Modulo p

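$a^n \bmod p = [(a^{m_1} \bmod p) \times (a^{m_2} \bmod p) \times (a^{m_3} \bmod p) \times \cdots] \bmod p$, where $n = m_1 + m_2 + m_3 + \cdots$

Problem: Find $56^{118} \bmod 8191$

Convert 118 from decimal to binary.

118 (decimal) = 1 1 1 0 1 1 0 (binary)

$56^{118} = 56^{64} \cdot 56^{32} \cdot 56^{16} \cdot 56^{4} \cdot 56^{2}$

$56^{118} \bmod 8191 = [(56^{64} \bmod 8191) \times (56^{32} \bmod 8191) \times (56^{16} \bmod 8191) \times (56^{4} \bmod 8191) \times (56^{2} \bmod 8191)] \bmod 8191$

$56^{118} \bmod 8191 = 7388 \bmod 8191$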
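The binary decomposition used in the problem above, as an added Python example that is not part of the original slides. The function name and the returned trace are illustrative choices.

```python
def modexp_binary(a, n, p):
    """Compute a**n mod p by repeated squaring, as in the worked problem.

    Returns (result, factors). factors lists (power_of_two, a**power mod p)
    for every 1 bit of n, lowest bit first, i.e. the m1, m2, ... of the slide.
    """
    if p <= 0 or n < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    result = 1 % p
    square = a % p            # a^(2^0) mod p
    power = 1
    factors = []
    while n:
        # Branching on exponent bits leaks them through timing; real
        # implementations use a constant-time library routine when the
        # exponent is a private key.
        if n & 1:
            factors.append((power, square))
            result = (result * square) % p   # reduce after every product
        square = (square * square) % p       # a^(2^(i+1)) mod p
        power <<= 1
        n >>= 1
    return result, factors


if __name__ == "__main__":
    value, used = modexp_binary(56, 118, 8191)
    print("118 in binary:", bin(118)[2:])
    for exponent, residue in used:
        print(f"56^{exponent} mod 8191 = {residue}")
    print("56^118 mod 8191 =", value)
```

Every intermediate value stays below 8191 squared, which is why the method works for exponents far too large to expand directly.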

Congruence – Canceling

The rule for canceling a congruence by an integer is a little more complicated than multiplication.

If $(a \cdot c) \equiv (b \cdot c) \pmod p$

then

where (c, p) is the greatest common divisor of c and p.

If c and p are relatively prime, then the gcd (c, p) = 1.

Example:

$58 \cdot 100 \equiv 100 \pmod{380}$

gcd (100, 380) = 20

Then, $58 \equiv 1 \pmod{380 / 20} \equiv 1 \pmod{19}$

Exponentiation Ciphers

If b = 1, then

Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,

Fermat’s Theorem
• Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,
• These properties can be used to exponentiate a to a large number. Having the restriction on a and p, it is possible to write,

$6^{69} \pmod{17} \equiv (6^{17 - 1})^4 \bmod 17 \cdot 6^5 \pmod{17}$

$6^{69} \pmod{17} \equiv 1 \cdot 6^5 \pmod{17} \equiv 7 \pmod{17}$

• A faster way to do the exponentiation is to apply modulo (p - 1) to the exponent and say that if $n \equiv m \pmod{p - 1}$, then $a^n \equiv a^m \pmod p$. In the example before:

a = 6, m = 69, p = 17, n = 69 mod (17 - 1) = 5; then,

$6^5 = 6^{69 \bmod (17 - 1)} \equiv 6^5 \pmod{17} \equiv 7 \pmod{17}$

Euler’s Theorem

Euler's Theorem states that:

where

• a and p are relatively prime, gcd (a, p) = 1.
• $\varphi(p)$ is the Euler totient function, which is equal to the number of integers relatively prime to p in the range 1 ... (p - 1). For example, for p = 15, the relatively prime numbers are 1, 2, 4, 7, 8, 11, 13, 14; so $\varphi(15) = 8$. In general,

a. If p is a prime, then $\varphi(p) = p - 1$

b. If p is a prime, then $\varphi(p^k) = p^k - p^{k-1}$

c. If p and q are distinct primes, then $\varphi(p \cdot q) = (p - 1)(q - 1)$

d. If p is a prime, for $p^2$, then $\varphi(p^2) = p(p - 1)$

• If g.c.d (p, q) = 1, the Euler totient function is multiplicative, that is, $\varphi(pq) = \varphi(p) \cdot \varphi(q)$
Euler’s Theorem

Using the equation

it is possible to exponentiate a to a large number by reducing the exponent.

Example: For a = 2, p = 15, and $\varphi(15) = 8$:

$2^{22} \pmod{15} \equiv [2^8 \pmod{15}] \cdot [2^8 \pmod{15}] \cdot [2^6 \pmod{15}]$

$2^{22} \pmod{15} \equiv 1 \cdot 1 \cdot [2^6 \pmod{15}]$

$2^{22} \pmod{15} \equiv 4 \pmod{15}$

Even if a is not relatively prime with p, it is possible to reduce the exponent to modulo $\varphi(p)$, except in the case of exponents reduced to 0. For example, for a = 3, p = 15, and $\varphi(15) = 8$:

$3^{22} \pmod{15} \equiv [3^8 \pmod{15}] \cdot [3^8 \pmod{15}] \cdot [3^6 \pmod{15}]$

$3^{22} \pmod{15} \equiv 1 \cdot 1 \cdot [3^6 \pmod{15}]$

$3^{22} \pmod{15} \equiv 9 \pmod{15}$
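The exponent reductions worked above under Fermat's and Euler's theorems, as an added Python example that is not part of the original slides. The function names are illustrative; for a base that shares a factor with the modulus the code uses the generalised form $a^e \equiv a^{\varphi(n) + (e \bmod \varphi(n))}$ for $e \ge \varphi(n)$, which does not rely on $a^{\varphi(n)}$ being 1 ($3^8 \bmod 15$ is 6).

```python
from math import gcd


def phi(n):
    """Euler totient by trial-division factorisation (fine for small n)."""
    if n < 1:
        raise ValueError("n must be positive")
    result, m, f = n, n, 2
    while f * f <= m:
        if m % f == 0:
            while m % f == 0:
                m //= f
            result -= result // f      # multiply result by (1 - 1/f)
        f += 1
    if m > 1:                          # one prime factor left over
        result -= result // m
    return result


def reduced_exponent(a, e, n):
    """Return an exponent r <= e with a**r == a**e (mod n)."""
    t = phi(n)
    if gcd(a, n) == 1:
        return e % t                   # Euler/Fermat: a**t == 1 (mod n)
    if e < t:
        return e                       # too small to strip anything safely
    return t + e % t                   # generalised form, never reduces to 0


def power_mod(a, e, n):
    """a**e mod n computed through the reduced exponent."""
    return pow(a, reduced_exponent(a, e, n), n)


if __name__ == "__main__":
    for a, e, n in [(6, 69, 17), (2, 22, 15), (3, 22, 15)]:
        print(f"{a}^{e} mod {n}: exponent {e} -> {reduced_exponent(a, e, n)},"
              f" value {power_mod(a, e, n)}")
    print("3^8 mod 15 =", pow(3, 8, 15))
```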

Exponentiation Cipher

According to , equation

can be written as

and from equation

it follows that

or,

which can be written as

where,

which can be written as

or,

Exponentiation Cipher – Cont.

In

the reciprocal of the number E is the inverse or multiplicative inverse of D. Normally, E is selected first and then the corresponding D must be found.

By symmetry, the exponents E and D are commutative and mutual inverses, so it is possible to say that

can be written as

Replacing “a” for “M” message, the equation can be written as

Exponentiation Cipher – Cont.

In

The equation illustrates that if the plaintext M is enciphered with the algorithm $(\text{plaintext})^E \pmod p$ to produce a ciphertext, and if at the receiver’s end the ciphertext is deciphered using the algorithm $(\text{ciphertext})^D \pmod p$, the same plaintext M will be obtained.

In other words, by raising the ciphertext to the Dth power and reducing it modulo p, the plaintext will be recovered. This can be written as follows:

where M is the plaintext, C is the ciphertext, and E and D are the enciphering and deciphering keys.

Exponentiation ciphers encipher a message block by computing the exponential according to the above equations.

Finite Fields
• Finite fields are fields that are finite.
• A field is a set of numbers in which the usual mathematical operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws.
• Real numbers, rational numbers (fractions), and complex numbers are elements of infinite fields.
• Discrete logarithm (DL) and elliptic curve (EC) cryptography schemes are always based on computations in a finite field, in which there are only a finite number of quantities.
• For cryptography applications, the finite fields that are usually used are the field of characteristic (congruences).
• The finite fields used in DL and EC are the field of prime characteristic $F_p$ and the field of characteristic two $F_{2^m}$. The finite field is also denoted as GF(q).
Finite Fields
• Characteristic Prime Finite Fields
• The finite field $F_p$ is the prime finite field containing p elements. If p is an odd prime number, then there is a unique field $F_p$ that consists of the set of integers {0, 1, 2, ..., p – 1}.
• Characteristic Two Finite Fields
• A characteristic two finite field (also known as a binary finite field) is a finite field whose number of elements is $2^m$. If m is a positive integer greater than 1, the binary finite field $F_{2^m}$ consists of the $2^m$ possible bit strings of length m.
• For example, $F_{2^3}$ = {000, 001, 010, 011, 100, 101, 110, 111}
What is Public-Key Cryptography ?

public-key cryptography / (1) An encryption method that uses a pair of keys, one public and one private. Messages encoded with either one can be decoded by the other. Also called asymmetric encryption. (2) Algorithms used to prove the authenticity of the message originator and to exchange keys.

Types of Public-key Cryptography
• Exponentiation ciphers
• RSA.
• Discrete logarithm systems
• ElGamal public-key encryption, Digital Signature Algorithm (DSA), Diffie-Hellman key Agreement.
• Elliptic curve cryptography.
Exponentiation Algorithms

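[Figure: a Pair Key Generator, fed by an Initial CryptoVariable, produces the Pub Key E and the Priv Key D. The sender enciphers the Message M and the receiver deciphers it to recover the Message M.]

$C = M^{\text{Pub } E} \pmod p$

$M = C^{\text{Priv } D} \pmod p$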

Exponential crypto algorithms encipher messages according to the following formula:

M being the plaintext and C the ciphertext.

Pohlig-Hellman Exponentiation Algorithm

M is the clear message, C is the crypto message; E and D are the crypto variables used to encipher and to decipher the message.

Example: p = 73, E = 29, D = 5 and M = 2;

$C = M^E \pmod p = 2^{29} \pmod{73} = 4 \pmod{73}$

$M = C^D \pmod p = 4^5 \pmod{73} = 2$

Recommendation:

p should be a large prime.

Keep E and D secret; Pohlig-Hellman is not a Public Key system.

Mathematical Requirements

RSA Algorithm
• Where,
• M = Plaintext C = Ciphertext
• Pub = Public-Key (Encipher) Priv = Private Key (Decipher)
• n = p . q
• The public key, Pub, and the modulo n are made public and the private key, Priv, is kept secret.

Example: p = 11, q = 31, n = 11 * 31 = 341

Pub = 53, Priv = 17 and M = 2.

$C = 2^{53} \pmod{341} = 8$

$M = 8^{17} \pmod{341} = 2$
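The step "E is selected first and then the corresponding D must be found", applied to both the Pohlig-Hellman and the RSA example above, as an added Python example that is not part of the original slides. The function names are illustrative, and the code assumes the deciphering exponent is the inverse of the enciphering exponent modulo p - 1 (Pohlig-Hellman) or modulo (p - 1)(q - 1) (RSA), which is consistent with the numbers on the slides.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def private_exponent(e, m):
    """Return D with E*D == 1 (mod m); refuse an E that has no inverse."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("E and the exponent modulus are not relatively prime")
    return x % m


def pohlig_hellman_pair(p, e):
    """(E, D) for a prime modulus p; both exponents stay secret."""
    return e, private_exponent(e, p - 1)


def rsa_pair(p, q, pub):
    """(n, Pub, Priv) for n = p*q; only n and Pub are published."""
    return p * q, pub, private_exponent(pub, (p - 1) * (q - 1))


def exp_cipher(block, key, modulus):
    """Encipher or decipher one block: block**key mod modulus.

    Toy sizes and no padding; this shows the arithmetic only.
    """
    if not 0 <= block < modulus:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, key, modulus)


if __name__ == "__main__":
    e, d = pohlig_hellman_pair(73, 29)
    c = exp_cipher(2, e, 73)
    print("Pohlig-Hellman: D =", d, "C =", c, "M =", exp_cipher(c, d, 73))
    n, pub, priv = rsa_pair(11, 31, 53)
    c = exp_cipher(2, pub, n)
    print("RSA: n =", n, "Priv =", priv, "C =", c, "M =", exp_cipher(c, priv, n))
```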

Mathematical requirements:

ElGamal Algorithm
• A modification of the ElGamal digital signature can be used to encipher messages. The public and private keys, or key pair, are generated as follows:
• Choose a prime p to be the modulo and choose two random numbers g and PrivA = a that are less than p.
• Calculate
• The public key consists of yA, g, and p.
• Suppose Alice wishes to send a message m to Bob. Alice first generates a random number k less than p, then she computes
• Alice sends Y1 and Y2 to Bob. Upon receiving the ciphertext, Bob deciphers the message by computing

and then m, the message, by calculating

ElGamal Algorithm
• Example*
• Alice selects the prime p = 2357 to be the modulo, and two random numbers g = 2, and PrivA = a = 1751.
• Alice calculates
• Alice’s message m = 2035 and random number k = 1520.
• Alice computes
• Alice sends (y1 and y2) to Bob.
• Upon receiving the ciphertext, Bob deciphers the message by computing
• And then m, the message, by calculating

Note: Values from (Menezes, Oorschot, Vanstone 1996). Applied Cryptography Handbook
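An ElGamal round trip with the parameters of the example above, as an added Python example that is not part of the original slides. The formulas in the code are the standard textbook ElGamal operations and are an assumption about what the slide's equations showed; the function names are illustrative, and y1, y2 follow the slide's names for the two ciphertext parts.

```python
import secrets


def elgamal_keygen(p, g, a=None):
    """Return ((p, g, y), a) where y = g**a mod p and a is the private key."""
    if a is None:
        a = secrets.randbelow(p - 3) + 2        # 2 <= a <= p - 2
    return (p, g, pow(g, a, p)), a


def elgamal_encipher(public, m, k=None):
    """Return the ciphertext pair (y1, y2) for message m."""
    p, g, y = public
    if not 0 < m < p:
        raise ValueError("message must satisfy 0 < m < p")
    if k is None:
        k = secrets.randbelow(p - 3) + 2        # fresh random k per message
    y1 = pow(g, k, p)                           # g**k mod p
    y2 = (m * pow(y, k, p)) % p                 # m * y**k mod p
    return y1, y2


def elgamal_decipher(public, a, ciphertext):
    """Recover m from (y1, y2) with the private key a."""
    p, _, _ = public
    y1, y2 = ciphertext
    shared = pow(y1, a, p)                      # equals y**k mod p
    # p is prime, so shared**(p - 2) is the inverse of shared (Fermat)
    return (y2 * pow(shared, p - 2, p)) % p


if __name__ == "__main__":
    public, private = elgamal_keygen(2357, 2, 1751)
    ciphertext = elgamal_encipher(public, 2035, 1520)
    print("public key:", public)
    print("ciphertext:", ciphertext)
    print("recovered m:", elgamal_decipher(public, private, ciphertext))
```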

Public Key Encryption

Sender (Alice)

• Encipher with Alice’s private key, decipher with Alice’s public key: Non-Repudiation of Origin (Authenticity). Anyone who has Alice’s public key will be able to decipher the message. Alice cannot deny that she sent the message.
• Encipher with Alice’s public key, decipher with Alice’s private key: Bob will not be able to decipher the message because he doesn’t have Alice’s private key.
• Encipher with Bob’s public key, decipher with Bob’s private key: Confidentiality. Bob will be the only one able to decipher the message because only he has his private key.
• Encipher with Bob’s private key, decipher with Bob’s public key: Enciphering is not possible because Alice doesn’t have Bob’s private key.

Key Management
• Conventional crypto networks using symmetric cryptosystems typically have a Key Distribution Center (KDC) to distribute or load the keys into each of the crypto units.
• There are three ways to send information about the secret key needed to decipher a message:
• Pre-Shared Secret Keys – The secret keys are loaded into both parties’ crypto systems beforehand, and it is only necessary to define which of the secret keys was used to encipher the message.
• Transport and Wrapping Keys – A secret key can be sent by transporting the key using public key algorithms or by wrapping the key using symmetric key algorithms.
• Key Agreement – A key agreement algorithm allows a sender and a receiver to share a secret key computed from public-key algorithms.
Pre-Shared Secret Keys

The secret keys have been loaded in both servers, so only the name associated with the key needs to be sent.

[Figure: the Web Service Requester and the Web Service Provider each hold a Secret Key Table that maps a Key Name to a Secret Key; the Key Name and the Type of Encryption Algorithm are passed between them.]

Encrypted Key – Transporting the Key

Use a public key algorithm to transport the session key.

[Figure: the Web Service Requester enciphers the Session Key with the Service Provider’s Public Key using the RSAES-v1.5 or RSAES-OAEP algorithm; the Web Service Provider deciphers it with the Service Provider’s Private Key to recover the Session Key.]

Wrapping the Key

Use shared key-encrypting-key to wrap (encipher) a session key

[Figure: the Web Service Requester enciphers Session key Block 1 ... Session key Block n with 3DES or AES under the shared key-encrypting key and an IV, giving Enciphered Session key Block 1 ... Enciphered Session key Block n. The Web Service Provider deciphers the blocks with the same shared key-encrypting key and IV to recover the session key.]

Use 3DES or AES to encipher and decipher a session key.

Key Agreement

Use Diffie-Hellman to calculate ZZ and RFC-2631 Key Agreement Method to generate key material, as required.

[Figure: the Web Service Requester and the Web Service Provider each run the Diffie-Hellman Key Exchange to obtain the Pre Master Key (ZZ), then Key Material Generation to produce the Session Key.]

Diffie-Hellman Key Agreement System
• Sender and receiver, Alice and Bob, agree on fixed constants, p and g, which do not need to be kept secret; p is a large prime number, and g is any integer between 0 and p - 1. (p - 1) / 2 should be a prime.
• When communication between Alice and Bob is established, they each randomly generate a secret number: PrivA and PrivB.
• Alice and Bob generate their corresponding public numbers:
• Alice and Bob exchange PubA and PubB over the non-secure channel.
• Alice and Bob compute ZZ, the session key, by
• Alice and Bob use ZZ as their secret key, and load it into their key generators to secure their communications.
Diffie-Hellman Key Agreement System

g and p do not need to be secret.

[Figure: Alice holds g and p (large integers) and Priv A, a random large integer; Bob holds g and p (large integers) and Priv B, a random large integer. Alice’s ZZ = Bob’s ZZ.]

Both units use ZZ as the Session Key to encipher the message.

Diffie-Hellman Key Agreement System

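Sender and receiver agree on the same group or pair of g and p. g and p do not need to be secret.

[Figure: both sides use g = 12 and p = 47. One side holds PrivA = 3 and the other PrivB = 5; the numbers 36 and 14 are exchanged, and both sides compute 18.]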

Both units use 18 as the Session Key to encipher the message.
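The exchange with g = 12 and p = 47, together with the parameter checks a receiver can apply before using ZZ, as an added Python example that is not part of the original slides. The function names are illustrative; the range check on the received public number and the exclusion of g = 1 and g = p - 1 are assumptions added here, not requirements stated on the slides.

```python
import secrets


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def check_group(p, g):
    """Slide requirements: p prime and (p - 1) / 2 prime; g inside the group."""
    if not (is_prime(p) and is_prime((p - 1) // 2)):
        raise ValueError("p must be prime with (p - 1) / 2 prime")
    if not 1 < g < p - 1:      # added: 1 and p - 1 generate only 1 or 2 values
        raise ValueError("g must lie strictly between 1 and p - 1")


def random_private(p):
    """Private number in 1 .. (p - 1)/2 - 1, so the public number is never 1."""
    return secrets.randbelow((p - 1) // 2 - 1) + 1


def public_number(p, g, priv):
    return pow(g, priv, p)


def shared_zz(p, priv, peer_pub):
    """ZZ from our private number and the peer's public number."""
    # Added check: 0, 1 and p - 1 would force ZZ into a set of at most two
    # values regardless of our private number.
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public number outside 2 .. p - 2")
    return pow(peer_pub, priv, p)


def agree(p, g, priv_a=None, priv_b=None):
    """Run both sides; return (PubA, PubB, Alice's ZZ, Bob's ZZ)."""
    check_group(p, g)
    if priv_a is None:
        priv_a = random_private(p)
    if priv_b is None:
        priv_b = random_private(p)
    pub_a = public_number(p, g, priv_a)
    pub_b = public_number(p, g, priv_b)
    return pub_a, pub_b, shared_zz(p, priv_a, pub_b), shared_zz(p, priv_b, pub_a)


if __name__ == "__main__":
    print(agree(47, 12, 3, 5))   # slide values: PrivA = 3, PrivB = 5
```

These checks validate the numbers only; they do not tell either side who sent them, which is the gap the certificate and digital signature measures listed on the next slide address.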

Diffie-Hellman Key Agreement System
• No control over the generated session key.
• Subject to the Man-in-the-Middle attack.
• No information about the parties’ identities.
• Subject to a clogging attack. It is computationally intensive.
• Solution to the Man-in-the-Middle attack:
  - Establish authenticity between parties with a certificate.
  - Add a hash function (message digest).
• Authenticate the identity of a message with a digital signature.
• Add a random component to the agreed key.

Man-in-the-Middle Attack

[Figure: Alice and Bob, with the values SA and SB spoofed by the Man-in-the-Middle.]

Combining Symmetric and Asymmetric Ciphers

[Figure: Client and Web Server. Each side performs Master Key Generation from the Pre-Master Key and applies Integrity (HMAC). One side enciphers Cleartext Blocks into Ciphertext Blocks with Symmetric Encryption under the Secret Key and an IV; the other side deciphers the Ciphertext Blocks back into Cleartext Blocks.]

Exchange (wrap / transport) or agree (Diffie-Hellman) on a pre-master key.

Use a symmetric algorithm to encipher and decipher a secure transaction.

RSA Key Transport

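[Figure: the sender (Alice) enciphers the Secret Key K with PubB and the receiver deciphers with PrivB to recover the Secret Key K, where n = p . q. The figure also carries the label "Sender’s Private Key".]

$C = K^{Pub_B} \bmod n$

$K = C^{Priv_B} \bmod n$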

• The secret key is transported as a message.
• Alice encrypts the secret key using Bob's public key and she sends it to Bob as an encrypted message.
• Bob uses his private key to decipher the message and gets the secret key.
RSA Problem
• The strength of the RSA algorithm is based on the fact that multiplying two large primes to get n is far easier than, given n, finding the two primes; this is called a one-way property.
• One approach a cryptanalyst might use to break an RSA algorithm is to find p and q, the factors of n, calculate φ (n), and then calculate Priv from φ (n) and Pub, using Euclid's algorithm.
• The difficulty of computing Priv from the public information, φ (n) and Pub, depends on the difficulty of factoring n or of deriving p and q from n, because φ (n) = (p - 1) * (q - 1); φ (n) can only be found if p and q are known.
• When p and q are chosen so that n is a 200-digit number, it seems to be computationally infeasible for anyone, even using the fastest computer available today, to break the RSA algorithm.
• Today, RSA Data Security recommends using a 768-bit RSA modulo for personal use, 1024 bits for corporate use, and 2048 bits for protecting extremely valuable data (RSA Bulletin 10, 1999).
Discrete Logarithmic Problem
• In the multiplicative group $Z_p^*$ discrete logarithm systems (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem:
• Given elements y and g of the group, and a prime p, find a number k such that $y = g^k \bmod p$.
• For example, if y = 2, g = 8, and p = 341, then find k such that $2 \equiv 8^k \pmod{341}$.
• In Diffie-Hellman, y is the public key, g is a random number, p is the modulo, and k is the private key that the cryptanalyst is trying to find out.

Which one is the correct Private Key?

To Probe Further
• Koblitz, N. (1987). A Course in Number Theory and Cryptography. New York: Springer-Verlag.
• Ogilvy, C., Anderson, J. (1988). Excursions in Number Theory. New York: Dover Publications, Inc.
• Schneier, B. (1994). Applied Cryptography. New York: John Wiley & Sons.
• Diffie, W. (May 1988). The First Ten Years of Public-Key Cryptography (p. 560). Proceedings of the IEEE, Vol. 76, No. 5.
• Diffie, W., Hellman, M. E. (November 1976). New Directions in Cryptography. IEEE Transactions on Information Theory, Vol. IT-22, No. 6.
• ElGamal, T. A. (July 1985). Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, Vol. IT-31.
• Newman, D. B., Omura, J. K., Pickholtz, R. L. (April 1987). Public Key Management for Network Security. IEEE Network Magazine, Vol. 1, No. 2.
• Pohlig, S. C., Hellman, M. E. (January 1978). An Improved Algorithm for Computing Logarithms in GF(p) and Its Cryptographic Significance (pp. 106-110). IEEE Transactions on Information Theory, Vol. IT-24.
• Pomerance, C. (Jan 23, 1987). Toward a New Factoring Record. Science News.
• Rivest, R., Shamir, A., Adleman, L. (1978). A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, Vol. 21.