Chapter 3

Chapter 3 Number Theory, and Public Key Ciphers

Session 3 Contents • Number Theory and Finite Arithmetic • Counting in modulo p Arithmetic • Congruence Arithmetic • Fermat’s Theorem • Euler’s Theorem • Confidentiality using Public-Key Ciphers • Pohlig-Hellman Algorithm • The RSA Algorithm • ElGamal Algorithm • Key Management Using Exponentiation Ciphers • The Diffie-Hellman Key Agreement • RSA Key Transport

Principle of Counting • The number of possible outcomes from which several procedures can be performed together is the product of n1 . n2 x n3 . ... nn. Where n1 is the number of possible way procedure 1 can have, and so on. • Suppose a password contains two distinct lower case letters and three numbers, but the first number can’t be zero. • Letters variations are 26, and 25, (distinct letters). • Number variations are 9, 10, 10. • Total number of passwords of possible passwords are 26 x 25 x 9 x 10 x 10 • At another company, the guidelines might be to use eight upper-case letters, lower case letters, or numbers, in any order. Now for each entry there are 26 + 26 + 10 possibilities and the total password space is 62 . 62 . 62 . 62 . 62 . 62 . 62 . 62 = 628. • When talking about bits there are two possibilities, 0 and 1. • For four bits there are 2 x 2 x 2 x 2 possibilities • For 128 bits there are 2128 possibilities. Exponentiation examples • 2 x 2 x 2 x 2 = 24 • (2 x 2 x 2 x 2 ) x (2 x 2 x 2 ) = 24 x 23 = 2(4+3) = 27 • (2 x 2 x 2 x 2 x 2) / (2 x 2 x 2 ) = 25 / 23 = 2(5-3) = 22

Number Theory and Finite Arithmetic • Number Theory plays an important role in Public-Key crypto systems. • It is necessary to understand only certain basic concepts of Number Theory, such as modular arithmetic and congruence as they are related to a Public-Key crypto system.

Counting in Modular Arithmetic • Add 9h, 43m, 25s and 4h, 26m, 50s Hours Minutes Seconds 9 43 25 4 26 50 ---- ----- ----- 13 69 75 (13 + 1 - 12) (69 + 1 - 60) (75 - 60) 2 10 15 • When we added the seconds and minutes in the example above, we used 60 as a modulo, so we can say that (25 + 50) = 15 (mod 60); 15 is the remainder left, after 75 is divided by 60. • Calculation of modulo returns the remainder after a number is divided by a divisor.

Congruence Arithmetic The notion of congruence arithmetic (modulo arithmetic) was introduced by Gauss; it is a form of arithmetic in which only the remainders after division by a specific integer, are used. If a is divided by p and has a remainder b, it can be said that a is congruent to b, modulo p. For example let’s say that: a = (k . p) + b If a = 32 is divided by p = 5, the result will be k = 6 with a remainder of b = 2. This congruence is expressed as follows: a  b mod p 32 2 mod 5 and it is read, a is congruent to b, modulo p 32 is congruent to 2 modulo 5 Congruences with the same modulo can be added, subtracted, or multiplied. Another way to read the expression is to say that a is equivalent to b, modulo p 32 is equivalent to 2, modulo 5

Congruence – Addition and Subtraction Addition If a  b mod p and c  d mod p, then (a + c)  (b + d) mod p. For example, 32  2 mod 5 and 49  4 mod 5, then, (32 + 49)  (2 + 4) mod 5 or 81  6 mod 5  1 mod 5. Subtraction If a  b mod p and c  d mod p, then (a - c)  (b - d) mod p. For example, a = 49  4 mod 5 and c = 32  2 mod 5, then, (49 - 32)  (4 - 2) mod 5 or 17  2 mod 5. Or for a = 32  2 mod 5 and c = 49  4 mod 5 and then 32 – 49  (2 - 4) mod 5, or -17  -2 mod 5 = -2 mod 5 = 3 mod 5

Addition in Modulo p (a + b + c) mod p = a (mod p) + b (mod p) + c (mod p). Example: Add the following three large numbers, and then find the modulo 8191 of the result. We can add them first and find the modulo: 58,736,593,765 15,345,786,365 1,763,785,786 --------------------- 75,846,165,916 (mod 8191) = 4,171 (mod 8191) Otherwise, we can find the modulo of each number and then add the results of each modulo-added number: 58,736,593,765 (mod 8191) = 5,786 (mod 8191) 15,345,786,365 (mod 8191) = 5,202 (mod 8191) -------------------------- 10,988 (mod 8191) = 2,797 (mod 8191) 2,797 (mod 8191) 1,763,785,786 (mod 8191) = 1,374 (mod 8191) --------------------------- 4,171 (mod 8191)

Congruence – Multiplication Both sides of a congruence can be multiplied by the same number, just as both sides of an algebraic equation can be multiplied by the same number. If a  b mod p then, for any value of c (a . c )  (b . c) mod p Example: For 32  2 (mod 5) and c = 11: (32 . 11)  (2 . 11) (mod 5) 352  22 (mod 5)  2 (mod 5) Also, if a b mod p and c  d mod p, then, (a . c) (b . d) mod p. Example: For 32 2 (mod 5) and 49 4 (mod 5), then, (32 . 49) (2 . 4) (mod 5), 1568 8 (mod 5) 3 (mod 5).

Congruence – Exponentiation Both sides of a congruence can be raised to the same exponent just as both sides of an equation can be raised to the same exponent. For any value of r, Example: For 32  2 mod 5 and r = 3: 323 23 mod 5 32,768  8 mod 5  3 mod 5

Exponentiation in Modulo p (an) mod p = am1 (mod p) x am2 (mod p) x am3 (mod p) x . . . . . Where, n = m1 + m2 + m3 + …. Problem: Find 56118 mod 8191 Convert 118 decimal to 118 binary. 118 (decimal) = 1 1 1 0 1 1 0 (binary) 56118 = 5664 5632 5616 564 562 56118 mod 8191 = 5664 mod 8191 x5632 mod 8191 5616 mod 8191 x 564 mod 8191 x 562 mod 8191 56118 mod 8191 = 7388 mod 8191

Congruence – Canceling The rule for canceling a congruence by an integer is a little more complicated than multiplication. If(a . c ) (b . c) mod p then where (c, p) is the greatest common divisor of c and p. If c and p are relatively prime, then the gcd (c, p) = 1. Example: 58 . 100 100 mod 380 gcd (100, 380) = 20 Then, 58 1 mod 380 / 20  1 mod 19

Exponentiation Ciphers If b = 1, then Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,

Fermat’s Theorem • Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then, • These properties can be used to exponentiate a to a large number. Having the restriction on a and p, it is possible to write, 669 (mod 17) º (617 - 1)4 mod 17 . 65 (mod 17) 669 (mod 17) º 1 . 65 (mod 17) º 7 (mod 17) • A faster way to do the exponentiation is to apply modulo (p - 1) to the exponent and say that if n º m mod (p - 1), then anº am mod p. In the example before: a = 6, m = 69, p = 17, n = 69 mod (17-1) = 5; then, 65 = 669 mod (17 - 1) = 65 (mod 17) = 7 (mod 17)

Euler’s Theorem Euler's Theorem states that: where • a and p are relatively prime, gcd (a, p) = 1. • (p) is the Euler totien function which is equal to the number of integers relatively prime to p in the range 1 ..... (p - 1). For example, for p = 15, the relative prime numbers are 1, 2, 4, 7, 8, 11, 13, 14; so  (15) = 8. In general, a. If p is a prime, then  (p) = (p - 1) b. If p is a prime, then  (pk) = (pk - pk - 1) c. If p and q are primes, then  (p . q) = (p - 1)(q - 1) d. If p is a prime, for p2, then  (p2) = p(p - 1) • If g.c.d (p, q) = 1, the Euler totien function is multiplicative denoting  (pq) =  (p) *  (q)

Euler’s Theorem Using the equation it is possible to exponentiate a to a large number by reducing the exponent. Example: For a = 2, p = 15, and  (15) = 8: 222 (mod 15) º [28 (mod 15)] . [28 (mod 15)] . [26 (mod 15)] 222 (mod 15) º 1 . 1 . [26 (mod 15)] 222 (mod 15) º 4 (mod 15) Even if a is not relatively prime with p, it is possible to reduce the exponent to modulo  (p), except in the case of exponents reduced to 0. For example, for a = 3, p = 15, and  (15) = 8: 322 (mod 15) º [38 (mod 15)] . [38 (mod 15)] . [36 (mod 15)] 322 (mod 15) º 1 . 1 . [36 (mod 15)] 322 (mod 15) º 9 (mod 15)

Exponentiation Cipher According to , equation can be written as and from equation it follows that or, which can be written as where, which can be written as or,

Exponentiation Cipher – Cont. In the reciprocal of the number E is the inverse or multiplicative inverse of D. Normally, E is selected first and then the corresponding D must be found. By symmetry, the exponents E and D are commutative and mutual inverses, so it is possible to say that can be written as Replacing “a” for “M” message, the equation can be written as

Exponentiation Cipher – Cont. In The equation illustrates that if M the plaintext is enciphered with the following algorithm {(plaintext)E (mod p)} to produce a ciphertext, and that if at the receiver’s end, the ciphertext is deciphered using the algorithm [(Ciphertext)D] (mod p), the same plaintext M will be obtained. In other words, by raising the ciphertext to the Dth power and reducing it modulo p, the plaintext will be recovered. This can be written as follows: where M is the plaintext, C is the ciphertext, and E and D are the enciphering and deciphering keys. Exponentiation ciphers encipher a message block by computing the exponential according to above equations.

The Set of Real Numbers

Finite Fields • Finite fields are fields that are finite. • A field is a set of numbers in which the usual mathematical operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws. • Real numbers, rational numbers (fractions), and complex numbers are elements of infinite fields. • A discrete logarithm (DL) and elliptic curve (EC) cryptography schemes are always based on computations in a finite field in which there are only a finite number of quantities. • For cryptography applications, the finite fields that are usually used are the field of characteristic (congruences). • The finite field used in DL and EC are the field of prime characteristic Fp and the field of characteristic two F2m. The finite field is also denoted as GF(q)

Finite Fields • Characteristic Prime Finite Fields • The finite field Fp is the prime finite field containing p elements. If p is an odd prime number, then there is a unique field Fp that consists of the set of integers{0, 1, 2 ,..., p – 1}. • Characteristic Two Finite Fields • A characteristic two finite field (also known as a binary finite field) is a finite field whose number of elements is 2m. If m is a positive integer greater than 1, the binary finite field F2m consists of the 2mpossible bit strings of length m. • For example, F23 = {000, 001, 010, 011, 100, 101, 110, 111}

What is Public-Key Cryptography ? public-key cryptography / (1) An encryption method that uses a pair of keys, one public and one private. Messages encoded with either one can be decoded by the other. Also called asymmetric encryption. (2) Algorithms used to prove the authenticity of the message originator and to exchange keys.

Types of Public-key Cryptography • Exponentiation ciphers • RSA. • Discrete logarithm systems • ElGamal public-key encryption, Digital Signature Algorithm (DSA), Diffie-Hellman key Agreement. • Elliptic curve cryptography.

Exponentiation Algorithms Pub Key E Pair Key Generator Initial CryptoVariable Priv Key D Message M M = CPriv D (mod p) C = MPub E (mod p) Encipher Decipher Message M Receiver Sender Exponential crypto algorithms encipher messages according to the following formula: M being the plaintext and C the ciphertext.

Pohlig-Hellman Exponentiation Algorithm M is the clear message, C is the crypto message; E and D are the crypto variables used to encipher and to decipher the message. Example: p = 73, E = 29, D = 5 y M = 2; C = ME (mod p) = 229 (mod 73) = 4 (mod 73) M = C D (mod p) = 45 (mod 73) = 2 Recommendation: pshould be a large prime. Keep Eand Dsecret; Polig-Hellman is not a Public Key system. Mathematical Requirements

RSA Algorithm • Where, • M = Plaintext C = Ciphertext • Pub = Public-Key (Encipher) Priv = Private Key (Decipher) • n = p . q • The public key, Pub , and the modulo n are made public and the private, Priv , is kept secret. Example: p = 11, q = 31, n = 11 * 31 = 341 Pub = 53, Priv = 17 and M=2. C = 253(mod 341) = 8 M = 817 (mod 341) = 2 Mathematical requirements:

ElGamal Algorithm • A modification of the ElGamal digital signature can be used to encipher messages. The public and private keys, or key pair, are generated as follows: • Choose a prime p to be the modulo and choose two random numbers g and PrivA = a that are less than p. • Calculate • The public key consist of yA, g, and p. • Suppose Alice wishes to send a message m to Bob. Alice first generates a random number k less than p, then she computes • Alice sends Y1 and Y2 to Bob. Upon receiving the ciphertext, Bob deciphers the message by computing and then m, the message, by calculating

ElGamal Algorithm • Example* • Alice selects the prime p = 2357 to be the modulo, and two random numbers g = 2, and PrivA = a = 1751. • Alice calculates • Alice’s message m = 2035 and random number k = 1520. • Alice computes • Alice sends (y1 and y2) to Bob. • Upon receiving the ciphertext, Bob deciphers the message by computing • And then m, the message, by calculating Note: Values from (Menezes, Oorschot, Vanstone 1996). Applied Cryptography Handbook

Public Key Encryption Receiver (Bob) Sender (Alice) Alice’s Private Key Alice’s Public Key Non-Repudiation of Origin (Authenticity) Anyone who has Alice’s public key will be able to decipher the message. Alice cannot deny that she sent the message. Encipher Decipher Alice’s Public Key Alice’s Private Key Bob will not be able to decipher the message because he doesn’t have Alice’s private key. Encipher Decipher Bob’s Public Key Bob’s Private Key Confidentiality ─ Bob will be the only one able to decipher the message because only he has his private key. Decipher Encipher Bob’s Private Key Bob’s Public Key Enciphering is not possible because Alice doesn’t have Bob’s private key. Encipher Decipher

Key Management • Conventional crypto networks using symmetric cryptosystems typically have a Key Distribution Center (KDC) to distribute or load the keys into each of the crypto units. • There are three ways to send information about the secret key needed to decipher a message: • Pre-Shared Secret Keys – The secret keys are loaded into both parties’ crypto systems beforehand, and it is only necessary to define which of the secret keys was used to encipher the message. • Transport and Wrapping Keys – A secret key can be sent by transporting the key using public key algorithms or by wrapping the key using symmetric key algorithms. • Key Agreement – A key agreement algorithm allows a sender and a receiver to share a secret key computed from public-key algorithms.

Pre-Shared Secret Keys The secret keys have been loaded in both servers, so only the name associated with the key needs to be sent. Web Service Requester Web Service Provider Secret Key Table Secret Key Table Key Name Secret Key Secret Key Key Name Key Name Type of Encryption Algorithm Type of Encryption Algorithm

Service Provider’s Public Key Service Provider’s Private Key Encrypted Key – Transporting the Key Use a public key algorithm to transport the session key Web Service Requester Web Service Provider Session Key Session Key RSAES-v1.5 or RSAES-OAEP.Algorithm RSAES-v1.5 or RSAES-OAEP.Algorithm Deciphering Enciphering

+ + + + Wrapping the Key Use shared key-encrypting-key to wrap (encipher) a session key Web Service Requester Web Service Provider Shared key-encrypting key Shared Key-Encrypting Key Session key Decipher Encipher Enciphered Session key Block 1 Session key Block n Session key Block 1 Enciphered Session key Block n Shared key-encrypting key IV Shared key-encrypting key IV 3DESorAES 3DESorAES Use 3DES or AES to encipher and decipher a session key 3DESorAES 3DESorAES Enciphered Session key Block n Enciphered Session key Block 1 Session key Block 1 Session key Session key Block n

Diffie-Hellman Key Exchange Diffie-Hellman Key Exchange Session Key Session Key Key Agreement Use Diffie-Hellman to calculate ZZ and RFC-2631 Key Agreement Method to generate key material, as required. Web Service Requester Web Service Provider Pre Master Key(ZZ) Pre Master Key(ZZ) Key Material Generation Key Material Generation

Diffie-Hellman Key Agreement System • Sender and receiver, Alice and Bob, agree on fixed constants, p and g, which do not need to be kept secret; p is a large prime number, and g is any integer between 0 and p - 1.(p - 1) / 2 should be a prime. • When communication between Alice and Bob is established, they randomly generate a secret number: PrivA and PrivB. • Alice and Bob generate their corresponding public numbers: • Alice and Bob exchange PubA and PubB over the non-secure channel. • Alice and Bob compute ZZ, the session key, by • Alice and Bob use ZZ as their secret key, and load it into their key generators to secure their communications.

Diffie-Hellman Key Agreement System g and p do not need to be secret Bob Alice g and p arelarge integersPriv B = Random large integer g and p arelarge integersPriv A = Random large integer Bob’s ZZ = Alice’s ZZ Alice’s ZZ = Bob’ZZ Both units use ZZ as the Session Key to encipher the message.

Diffie-Hellman Key Agreement System Sender and receiver agree on the same group or pair of g and p. g and p do not need to be secret g=12 p= 47 PrivA= 3 g= 12 p= 47 PrivB=5 36 14 18 18 Both units use 18 as the Session Key to encipher the message.

Diffie-Hellman Key Agreement System • No control over the generated session key. • Subject to the Man-in-the-Middle attack. • No information about the parties’ identities. • Subject to a clogging attack. It is computationally intensive. • Solution to the Man-in-the-Middle attack • - Establish authenticity between parties with a certificate. • - Add a hash function (message digest). • Authenticate the identity of a message with a digital signature. • Add a random component to the agreed key. Man-in-the-MiddleAttack Alice Bob SA SB Spoofed by the Man-in-the-Middle

Combining Symmetric and Asymmetric Ciphers Client Web Server Exchange (wrap / transport ) or agree (Diffie-Hellman) on a pre-master key. Pre-Master Key Pre-Master Key Master Key Generation Integrity (HMAC) Integrity (HMAC) Master Key Generation Encipher Decipher Cleartext Block Cleartext Block Cleartext Block Cleartext Block + + + + IV IV Use a symmetric algorithm to encipher and decipher a secure transaction. Symmetric Encryption Symmetric Encryption Symmetric Encryption Symmetric Encryption Secret Key Secret Key Ciphertext Block Ciphertext Block Ciphertext Block Ciphertext Block

RSA Key Transport PubB n = p . q Receiver’s Public Key Sender’s Private Key K=CPrivB mod n C=KPubB mod n Secret Key K Secret Key K Decipher Encipher Receiver (Bob) Sender (Alice) • The secret key is transported as a message. • Alice encrypts the secret key using Bob's public key and she sends it to Bob as an encrypted message. • Bob uses his private key to decipher the message and gets the secret key.

RSA Problem • The strength of the RSA algorithm is based on the fact that multiplying two large primes to get n is far easier than, given n, find the two primes; this is called a one-way property. • One approach a cryptanalyst might use to break an RSA algorithm is to find p and q, the factors of n, calculate φ (n), and then calculate Priv from φ (n) and Pub, using Euclid's algorithm. • The difficulty of computing Priv from the public information, φ (n) and Pub, depends on the difficulty of factoring n or of deriving p and q from n, because φ (n) = (p - 1) * (q - 1), φ (n) can only be found if p and q are known. • When p and q are chosen so that n is a 200-digit number, it seems to be computationally infeasible for anyone, even using the fastest computer available today, to break the RSA algorithm. • Today, RSA Data Security recommends using a 768-bit RSA modulo for personal use, 1024-bits for corporate use, and 2048-bits for protecting extremely valuable data (RSA bulleting 10, 1999).

RSA Challenges

Discrete Logarithmic Problem • In the multiplicative group Zp* discrete logarithm (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem: • Given elements y and x of the group, and a prime p, find a number k such that y = gkmod p. • For example, if y = 2, g = 8, and p = 341, then find k such that 2 ≡ 8k mod 341. • In Diffie-Hellman, y is the public key, g is a random number, p is the modulo, and k is the private key that the cryptanalyst is trying to find out. Which one is the correct Private Key?

To Probe Further • Koblitz, N. (1987). A course in Number Theory and Cryptography. New York: Springer-Verlag. • Ogilvy, C., Anderson, J. (1988). Excursion in Number Theory . New York: Dover Publications, Inc. • Schneir, B. (1994). Applied Cryptography. New York: John Wiley & Sons. • Diffie, W. (May 1988). The first Ten Years of Public-Key Cryptography, (p. 560). Proceedings of the IEEE, Vol.76, No.5. • Diffie W., Hellman M.E. (November 1976). New Directions in Cryptography. IEEE Transactions on Information Theory, Vol. IT-22, No. 6 • ElGamal, T.A. (July 1985). Public Key Cryptosystem and a Signature Scheme Based on Discret Logarithms. IEEE Transactions on Information Theory, Vol. IT-31. • Newman, D. B., Omura, J K., Pickholtz, R. L. (April 1987). Public Key Management for Network Security. IEEE Network Magazine, Vol. 1, No. 2. • Pohlig S. C., Hellman M. E. (January, 1978). An improved algorithm for computing logarithms in GF(p) and its cryptographic significance (pp106-110). IEEE Transactions on Information Theory, Vol IT-24. • Pomerance, C. (Jan 23, 1987). Toward a new Factoring Record, Science News. • Rivest, R., Shamir, A., Adleman L. (1978). A Method for Obtaining Digital Signatures and Public-Key Cryptosystem. Communications ACM, Vol. 21.

Chapter 3

Chapter 3

Presentation Transcript

Chapter 3

Chapter 3

Chapter 3

Chapter 3

Chapter 3

Chapter 3

chapter 3

CHAPTER 3-3

Chapter 3-3

Chapter 3 Chapter 3

CHAPTER 3

Chapter 3

Chapter 3

Chapter 3

Chapter 3

Chapter 3

Chapter 3

Chapter 3

Chapter 3

Chapter 3

CHAPTER 3

Chapter 3