
Chapter V


Presentation Transcript


    1. Chapter V: Public Key Cryptography

    2. Dilemma of private key cryptography
       How is the key made available to both parties in advance?
       Use of a trusted third party? That may itself defeat the purpose of secrecy.

    3. Trap door function
       y = f(x): y is easy to evaluate; x = f^-1(y): x is not so easy to evaluate.
       Additional information held by Alice makes the evaluation of x easy ⇒ f(x) is a trap door function: Alice has a shortcut to recover x.
       Public key cryptography uses trap door functions. Three schemes in wide use are discussed here; all use a public key and a private key.
       The basic idea became popular with Diffie-Hellman.

    6. Diffie-Hellman (DH) algorithm for key exchange
       p: a large prime; c: another number (the base). Alice and Bob exchange p and c over a public channel; Eve too may know these!
       With a, a number known only to her, Alice computes A = c^a (mod p) and sends A to Bob over the channel.
       With b, a number known only to him, Bob computes B = c^b (mod p) and sends B to Alice over the channel.
       On receipt of A, Bob computes d_b = A^b = c^ab (mod p); on receipt of B, Alice computes d_a = B^a = c^ab (mod p).
       d_a and d_b are the same ⇒ a private key known only to Alice and Bob, which they can now use for private key cryptography.
       Eve sees c, p, A and B; to get the key she needs a from A (or b from B), i.e. she must solve a discrete logarithm (DL) problem.

    7. Example 1: p = 39869 and c = 5
       5^9967 ≡ 1 (mod 39869) and 9967 is prime (39868 = 4 × 9967), so the order of 5 is 9967.
       Alice selects a = 100: A ≡ 5^100 ≡ 34965 (mod 39869). Alice conveys 34965 to Bob.
       Bob selects b = 87: B ≡ 5^87 ≡ 33152 (mod 39869) and conveys 33152 to Alice.
       Alice uses 33152 and computes d ≡ 33152^100 ≡ 836 (mod 39869).
       Bob uses 34965 and computes d ≡ 34965^87 ≡ 836 (mod 39869).
       836 is the private key shared between Alice and Bob.

    8. Eve's attack on Example 1: Shanks' algorithm with A = 34965 as input
       Giant-step factor: 5^-200 ≡ 26003 (mod 39869).
       After 50 giant steps, the 67th baby step matches: 5^67 ≡ 34965 × 26003^50 ≡ 34965 × 5^-10000 (mod 39869)
       ⇒ 5^10067 ≡ 34965 (mod 39869) ≡ 5^9967 × 5^100 ≡ 1 × 5^100 (mod 39869), since the order of 5 is 9967
       ⇒ a ≡ 100 (mod 9967). Eve can use this a and compute the private key exactly as Alice did.

    9. Eve can equally use B and repeat the procedure to get b.
       Eve's effort (67 baby steps plus 50 giant steps) is about two orders of magnitude more than the single fast-powering computation each legitimate party does.
       The disparity becomes more conspicuous with large p values.

    10. Example 2: Alice and Bob share p = 30559 and c = 2048
       2048^463 ≡ 1 (mod 30559) ⇒ the order of c is 463 (30558 = 2 × 3 × 11 × 463).
       Alice selects a = 100: A ≡ 2048^100 ≡ 19340 (mod 30559); A, the public key of Alice, is conveyed to Bob.
       Bob selects b = 87: B ≡ 2048^87 ≡ 9111 (mod 30559); B, the public key of Bob, is conveyed to Alice.
       19340^87 ≡ 23710 (mod 30559) and 9111^100 ≡ 23710 (mod 30559). The private key shared is 23710.

    11. Eve applies Shanks' algorithm to Example 2 as follows:
       Giant-step factor: 2048^-175 ≡ 2048^(30558 − 175) ≡ 13503 (mod 30559).
       After 19 steps a match gives 2048^3341 ≡ 19340 (mod 30559) ⇒ a ≡ 3341 (mod 463).
       Since 3341 = 463 × 7 + 100, Eve has obtained a as 100 itself.
       Eve can compute the private key as 23710 following the procedure adopted by Alice or Bob.

    12. Comparison of the two examples
       In Example 2 Shanks' algorithm gave a after 19 steps (order of c = 463); in Example 1 the order of 5 is about 20 times more, and a was computed with 67 steps.
       Shanks' algorithm solves the DL problem in O(√N log N) steps, N being the order of c (√N table entries, each looked up in log N time):
       Ex. 1: √9967 × ln 9967 ≈ 920; Ex. 2: √463 × ln 463 ≈ 130.
       ⇒ Use a large value for p and a base c of large order.
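The exchange of slides 6-11 and Eve's baby-step giant-step attack, as an added worked example (this is editor-supplied code, not part of the original slides). It uses the slides' parameters (p = 39869, c = 5 and p = 30559, c = 2048, with a = 100 and b = 87); the default giant-step size is ceil(√(p − 1)), which for Example 1 is exactly the slides' 200. Requires Python 3.8+ for the modular inverse via pow(g, -m, p).

```python
from math import isqrt


def dh_public(c, p, secret):
    """One party's public value: c^secret (mod p). `secret` never leaves that party."""
    return pow(c, secret, p)


def dh_shared(peer_public, secret, p):
    """Shared key: (peer's public value)^secret = c^(ab) (mod p)."""
    return pow(peer_public, secret, p)


def shanks_bsgs(g, h, p, order=None, m=None):
    """Baby-step giant-step: the smallest x >= 0 with g^x = h (mod p), or None.

    `order` bounds the exponent search (defaults to p - 1, which covers any base);
    `m` is the giant-step size (defaults to ceil(sqrt(order)), the balance that
    gives O(sqrt N) table entries and O(sqrt N) giant steps).
    """
    n = order if order is not None else p - 1
    m = m or isqrt(n) + 1
    baby = {}                         # g^j -> j for the baby steps j = 0 .. m-1
    v = 1
    for j in range(m):
        baby.setdefault(v, j)         # keep the smallest j for each value
        v = v * g % p
    giant = pow(g, -m, p)             # g^(-m): the slides' 5^-200 and 2048^-175
    y = h
    for i in range(n // m + 2):       # giant steps: h * g^(-m i), i = 0, 1, ...
        if y in baby:
            return i * m + baby[y]    # g^(i m + j) = h
        y = y * giant % p
    return None


def eve_recovers_key(c, p, A, B):
    """Eve sees c, p, A = c^a and B = c^b; solving the DL for a gives her the key."""
    a = shanks_bsgs(c, A, p)
    return None if a is None else dh_shared(B, a, p)


def demo():
    """Run both slide examples: returns {p: (A, B, Alice's key, Bob's key, Eve's a, Eve's key)}."""
    out = {}
    for p, c in ((39869, 5), (30559, 2048)):
        a, b = 100, 87
        A, B = dh_public(c, p, a), dh_public(c, p, b)
        key_alice, key_bob = dh_shared(B, a, p), dh_shared(A, b, p)
        out[p] = (A, B, key_alice, key_bob, shanks_bsgs(c, A, p), eve_recovers_key(c, p, A, B))
    return out


if __name__ == "__main__":
    for p, row in demo().items():
        print(p, row)
```

The attack works here because the whole exponent range fits in a few hundred table entries; with a 2048-bit p the same √N work is astronomically large, which is the entire security argument of the slides.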

    13. Shanks' algorithm is a collision algorithm
       An apparent wild goose chase? The birthday paradox brings out the effectiveness of collision algorithms in a telling manner.
       A: one person in a group of n people.
       p_b: probability that none of the other n people in the group has the same birthday as A: p_b = (364/365)^n.
       p_1: probability that at least one in the group shares A's birthday: p_1 = 1 − p_b.

    14. p_1 = 1 − (364/365)^n ≈ 1 − e^(−n/365); the approximation is justifiable since n/365 is small.
       For n = 10 the probability of a coincidence is 2.7%; it rises to 12.8% with n = 50.
       A related problem: what is the probability that at least two in the group share the same birthday?
       Assign a birthday out of 365 to A. The probability that B in the group does not have the same birthday as A is 364/365.

    15. The probability that B and C do not share a birthday with A or with each other is (364/365) × (363/365), and so on.
       The probability that no two in a group of n share the same birthday is the product (1 − 1/365)(1 − 2/365) ... (1 − (n − 1)/365).
       The probability that at least two persons have the same birthday is p_2 = 1 − that product ≈ 1 − e^(−n(n − 1)/730), using the same approximation.
       p_2 already exceeds 1/2 at n = 23: a collision between any two members of a list is far likelier than a match against one fixed value.

    20. Collision Algorithm 1 (random search for the discrete logarithm to base g):
       Select a random number n. If g^n ≡ h (mod p) the search is over; else try the next random number.
       The approach corresponds to the first birthday problem above (a match against one fixed value).
       Example: obtain the DL of 28244 to base 19 (mod 39863).
       The program returned failure after 10,000 (unsuccessful) trials with a random seed of 2; a 2nd trial with a seed of 1 returned DL = 100 after 51 trials.

    21. Collision Algorithm 2 (random search for a match between any two entries of two lists):
       Obtain a sequence of random numbers n_10, n_11, n_12, ... and form List-1 of the values g^(n_1i) (mod p).
       Obtain a 2nd sequence of random numbers n_20, n_21, n_22, ... and form List-2 of the values h × g^(n_2j) (mod p).
       Seek a match between any entry in List-1 and any entry in List-2; on a match, stop the search.
       With a and b the exponents behind the matching entries, g^a ≡ h × g^b (mod p), so the discrete logarithm is (a − b) (mod p − 1)
       (exponents are reduced modulo the order of g, which is p − 1 for a primitive g, not modulo p).

    22. Example: obtain the DL of 28244 to base 19 (mod 39863).
       With a seed of 2, after 83 trials the program returns DL = 100; with a seed value of 1, after 176 trials the program returns DL = 100.
       ⇒ In both cases the number of steps is ~200, of the order of √p, against the ~10,000 of Algorithm 1.

    23. Pollard's ρ algorithm: a collision algorithm based on the birthday paradox
       S: a set with a finite number N of elements; f: S → S a mapping.
       x_0, x_1, x_2, ...: a sequence in S obtained through repeated mapping with f: x_1 = f(x_0), x_2 = f(x_1), x_3 = f(x_2), x_4 = f(x_3), ...
       The number of members in the set is limited and every element is decided solely by the previous element ⇒ the sequence eventually gets into a cycle and repeats itself.
       An abstract representation of the progress of the mapping process is in the Figure (the ρ shape: a tail leading into a loop).

    25. The orbit from x_0 to x_T is uneventful; subsequently the sequence repeats in a loop of M points.
       The preceding part x_0 to x_T is an appended tail: the shape is the genesis of the name ρ for the algorithm.
       Large N ⇒ a large number of sequence elements would have to be stored to detect a collision by comparing every pair.
       Pollard's procedure avoids the large storage: use two simultaneous sequences {x_0, x_1, x_2, ...} and {y_0, y_1, y_2, ...} with
       y_0 = x_0, y_1 = f(f(y_0)), y_2 = f(f(y_1)), y_3 = f(f(y_2)), ...; the second sequence moves two steps per iteration.

    26. The Table lists corresponding elements of the two sequences.
       At the ith step the algorithm computes x_i and y_i (= x_2i) and compares them for a match.
       State after the Tth mapping (i = T): x_i = x_T and y_i = x_2T; y_i is somewhere in the ρ loop.
       Incrementing i advances x_i by one step and y_i by two steps, both in the same direction (clockwise in the Figure).

    27. Suppose y_i is behind x_i by k steps. As x_i advances by k steps, y_i advances by 2k steps and catches up with x_i: collision!
       Once x_i enters the loop a collision occurs within at most M − 1 further steps (about M/2 on average).
       Collision after the ith step: x_i = x_2i ⇒ 2i ≡ i (mod M), i.e. 2i = i + kM ⇒ i = kM   (5.14)
       ⇒ the collision occurs at the first multiple of M after entry into the loop.

    28. Expected value of i at collision: p_k, the probability of no collision in the first k steps, is a product of factors (1 − j/N), exactly as in the birthday problem.
       Use the same exponential approximation, get the probability of a collision after exactly k steps, and sum the contributions k × P(collision at k) to the expected value.

    29. The expected number of steps to a collision is of the order of √N (for a random mapping the standard value is about √(πN/2)).

    30. Pollard's ρ algorithm to find the DL
       Base g, h ∈ Z_p, g being a primitive element. Define the mapping function f in terms of powers of h and g, so that every x_i is tracked as g^α h^β.
       A collision then identifies h as a power of g.
       Pollard suggests a function f which, at every iteration, multiplies x by g, by h, or by itself, and updates the exponents accordingly; on collision y_i = x_2i = x_i.

    31. The powers of g and h are increased in 3 possible ways:
       x < p/3: multiply by g, power of g alone incremented;
       p/3 ≤ x < 2p/3: square x, powers of g and h both doubled;
       x ≥ 2p/3: multiply by h, power of h alone incremented.
       On collision x_i ≡ y_i (mod p): g^α1 h^β1 ≡ g^α2 h^β2 ⇒ with d the DL of h to base g,
       α1 − α2 = d(β2 − β1) + k(p − 1), k an integer.

    32. If gcd((β2 − β1), (p − 1)) = 1 then d = (α1 − α2)(β2 − β1)^-1 (mod p − 1); else the congruence has gcd-many candidate solutions (found with the extended Euclidean algorithm), each to be checked against h.
       Example: DL of h = 28244 to base g = 19 (mod 39863).
       Pollard's ρ algorithm gives a collision at the 124th iteration:
       x_i = g^5308 h^2719 (mod 39863) and y_i = g^14324 h^14293 (mod 39863)
       g^5308 h^2719 ≡ g^14324 h^14293 (mod 39863) ⇒ h^12846 ≡ g^9016 (mod 39863)
       ⇒ congruence 12846 d = 9016 + k × 39862. Divide by 2 ⇒ 6423 d = 4508 + k × 19931; gcd(6423, 19931) = 1.
       A trial through successive values of k yields 6423 × 100 = 4508 + 32 × 19931 ⇒ d = 100
       (equivalently d ≡ 4508 × 6423^-1 (mod 19931); the second root d + 19931 mod 39862 is excluded by checking g^d ≡ h).
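Pollard's ρ for the DL with the three-way partition of slides 30-32, as an added example (editor-supplied, not the slides' own program). It tracks each x_i as g^a h^b, uses Floyd's x/2x cycle finding of slide 25, solves the resulting congruence for d including the gcd > 1 case (all candidates are checked against h), and retries from a different start when a run produces a useless collision. The group order is taken as p − 1, i.e. g is assumed primitive as on slide 30; h is computed as 19^100 rather than copied from the slide so the test does not depend on the transcribed value.

```python
from math import gcd


def pollard_rho_dlog(g, h, p, n, start=(0, 0)):
    """One Pollard-rho run with Floyd cycle finding.

    n is the order of g (p - 1 for a primitive g). Every x_i is tracked as
    g^a h^b; the three-way partition of Z_p decides the next step, as on the
    slide. Returns d with g^d = h (mod p), or None if this run gave a useless
    collision (the caller then retries from another start).
    """
    def step(x, a, b):
        if x < p // 3:                      # multiply by g: power of g incremented
            return g * x % p, (a + 1) % n, b
        if x < 2 * p // 3:                  # square: both powers doubled
            return x * x % p, 2 * a % n, 2 * b % n
        return h * x % p, a, (b + 1) % n    # multiply by h: power of h incremented

    a, b = start
    x = pow(g, a, p) * pow(h, b, p) % p
    y, A, B = x, a, b
    while True:                             # x advances one step, y two steps
        x, a, b = step(x, a, b)
        y, A, B = step(*step(y, A, B))
        if x == y:
            break
    # g^a h^b = g^A h^B  =>  (B - b) d = (a - A)  (mod n)
    u, v = (B - b) % n, (a - A) % n
    e = gcd(u, n)
    if v % e:
        return None
    n_e = n // e                            # the congruence has e solutions mod n
    d0 = (v // e) * pow(u // e, -1, n_e) % n_e if n_e > 1 else 0
    for k in range(e):                      # check each candidate against h
        d = d0 + k * n_e
        if pow(g, d, p) == h:
            return d
    return None


def pollard_rho_dlog_retry(g, h, p, n=None, tries=25):
    """Retry from different starting exponents until a run yields the DL."""
    n = n or p - 1
    for t in range(tries):
        d = pollard_rho_dlog(g, h, p, n, start=(t, (3 * t) % n))
        if d is not None:
            return d
    return None


if __name__ == "__main__":
    p, g = 39863, 19
    h = pow(g, 100, p)                      # the slides give this value as 28244
    print(pollard_rho_dlog_retry(g, h, p))
```

Storage is constant (two triples) and the expected work is O(√n) steps, the point of slides 25-29; the retry loop matters in practice because a collision with β2 ≡ β1 carries no information about d.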

    33. Index calculus method for the DLP ("index" is an older name for the discrete logarithm)
       Steps: choose a factor base of small primes p_1, p_2, p_3, ... and factorise p − 1 (needed to solve the congruences below).
       Identify an exponent n_1 such that g^n1 (mod p) factors over the base, giving n_1 ≡ α1 log_g p_1 + α2 log_g p_2 + α3 log_g p_3 + ... (mod p − 1).
       Similarly identify other congruences:
       n_2 ≡ β1 log_g p_1 + β2 log_g p_2 + β3 log_g p_3 + ... (mod p − 1)
       n_3 ≡ γ1 log_g p_1 + γ2 log_g p_2 + γ3 log_g p_3 + ... (mod p − 1)
       Solve the congruences and get log_g p_1, log_g p_2, log_g p_3, ...

    34. Step 2: by trial and error identify k such that h × g^k (mod p) factors over the base.
       Let h = g^x (mod p). Form the congruence x + k ≡ Σ e_i log_g p_i (mod p − 1); log_g p_1, log_g p_2, ... are known ⇒ solve for x.
       Example: evaluate log_g h (mod p) for p = 39863, g = 19 and h = 28244.

    35. Trials with a set of random exponents give congruences involving the logs of the small primes 2, 3 and 5:
       2^4 3^5 5^3 = 486000 ≡ 7644 ≡ 19^34569 (mod 39863)
       2^8 3^1 5^4 = 480000 ≡ 1644 ≡ 19^1420 (mod 39863)
       2^3 3^8 5^2 = 1312200 ≡ 36584 ≡ 19^39508 (mod 39863)
       2^5 3^3 5^5 = 2700000 ≡ 29179 ≡ 19^30593 (mod 39863)
       Let a = log_19 2, b = log_19 3 and c = log_19 5. Taking DLs, the four relations become the system (#):
       4a + 5b + 3c ≡ 34569 (mod 39862)
       8a + b + 4c ≡ 1420 (mod 39862)
       3a + 8b + 2c ≡ 39508 (mod 39862)
       5a + 3b + 5c ≡ 30593 (mod 39862)

    36. Factorise 39862 = 2 × 19 × 1049, a product of the primes 2, 19 and 1049.
       Form the sets of congruences mod 2, mod 19 and mod 1049, solve each, and combine the solutions (Chinese remainder theorem) to get the solution of (#).
       mod 2 versions of equations (#):
       b_1 + c_1 ≡ 1 (mod 2)
       b_1 ≡ 0 (mod 2)
       a_1 ≡ 0 (mod 2)
       a_1 + b_1 + c_1 ≡ 1 (mod 2)
       Solution: a_1 ≡ 0, b_1 ≡ 0, c_1 ≡ 1 (mod 2); this set {a_1, b_1, c_1} satisfies all four congruences.

    37. mod 19 versions of equations (#):
       4a_2 + 5b_2 + 3c_2 ≡ 8 (mod 19)   (5.40)
       8a_2 + b_2 + 4c_2 ≡ 14 (mod 19)   (5.41)
       3a_2 + 8b_2 + 2c_2 ≡ 7 (mod 19)   (5.42)
       5a_2 + 3b_2 + 5c_2 ≡ 3 (mod 19)   (5.43)
       Multiply (5.41) by 5 and subtract (5.40) ⇒ 17a_2 + 17c_2 ≡ 5 (mod 19)   (5.44)
       Multiply (5.44) by 17^-1 ≡ 9 (mod 19) ⇒ a_2 + c_2 ≡ 7 (mod 19)   (5.45)
       Multiply (5.41) by 8 and subtract (5.42) ⇒ 61a_2 + 30c_2 ≡ 105 (mod 19) ⇒ 4a_2 + 11c_2 ≡ 10 (mod 19)   (5.46)

    38. Solve (5.45) and (5.46) (using 7^-1 ≡ 11 (mod 19)) ⇒ a_2 ≡ 15 (mod 19), c_2 ≡ 11 (mod 19).
       Substitute in (5.41) and solve ⇒ b_2 ≡ 2 (mod 19); the set {a_2, b_2, c_2} satisfies all four congruences (5.40) to (5.43).
       mod 1049 versions of (#):
       4a_3 + 5b_3 + 3c_3 ≡ 1001 (mod 1049)   (5.47)
       8a_3 + b_3 + 4c_3 ≡ 371 (mod 1049)   (5.48)
       3a_3 + 8b_3 + 2c_3 ≡ 695 (mod 1049)   (5.49)
       5a_3 + 3b_3 + 5c_3 ≡ 172 (mod 1049)   (5.50)
       Multiply (5.48) by 5 and subtract (5.47) ⇒ 36a_3 + 17c_3 ≡ 854 (mod 1049)

    39. Multiply by 36^-1 ≡ 204 (mod 1049) ⇒ a_3 + 321c_3 ≡ 82 (mod 1049)   (5.51)
       Multiply (5.48) by 8 and subtract (5.49) ⇒ 61a_3 + 30c_3 ≡ 175 (mod 1049)
       Multiply by 61^-1 ≡ 86 (mod 1049) ⇒ a_3 + 482c_3 ≡ 364 (mod 1049)   (5.52)
       Solve (5.51) and (5.52) ⇒ a_3 ≡ 673 (mod 1049), c_3 ≡ 106 (mod 1049).
       Substitute in (5.48) and solve ⇒ b_3 ≡ 857 (mod 1049); the set {a_3, b_3, c_3} satisfies all four congruences (5.47) to (5.50).

    40. Combine the mod 19 and mod 1049 solutions:
       b_3 = 857, c_3 = 106 and a_3 = 673 + 1049k_1 for any integer k_1 satisfy (5.47) to (5.50);
       a_2 = 15 + 19k_2 for any integer k_2, b_2 = 2 and c_2 = 11 satisfy (5.40) to (5.43).
       Combine: 673 + 1049k_1 = 15 + 19k_2, i.e. 12 + 1049k_1 ≡ 0 (mod 19) ⇒ 1049k_1 ≡ 7 (mod 19) ⇒ 4k_1 ≡ 7 (mod 19)   (5.53)
       Multiply by 4^-1 ≡ 5 (mod 19) ⇒ k_1 ≡ 16 (mod 19)   (5.54)
       a = 673 + 16 × 1049 = 17457
       b = 857 + 1049k_3 ≡ 2 (mod 19) ⇒ 2 + 4k_3 ≡ 2 (mod 19) ⇒ k_3 = 0 and b = 857
       c = 106 + 1049k_4 ≡ 11 (mod 19)

    41. ⇒ 11 + 4k_4 ≡ 11 (mod 19) ⇒ k_4 = 0 and c = 106.
       The set {a = 17457, b = 857, c = 106} satisfies the congruences mod 19 and mod 1049 simultaneously, i.e. mod 19 × 1049 = 19931.
       The mod 2 solution requires a and b even and c odd; 17457 and 857 are odd and 106 is even, so add 19931 to each:
       a = 17457 + 19931 = 37388, b = 857 + 19931 = 20788 and c = 106 + 19931 = 20037 satisfy all the congruences (#) mod 39862
       ⇒ log_19 2 = 37388   (5.55)
          log_19 3 = 20788   (5.56)
          log_19 5 = 20037   (5.57)
       This completes step 1 of the algorithm.

    42. Use these and execute step 2: trials with a few random exponents give
       28244 × 19^8733 ≡ 2^6 3^4 5^3 (mod 39863)   (5.58)
       Let x = log_19 28244. Taking the DL of (5.58): x + 8733 ≡ 6 log_19 2 + 4 log_19 3 + 3 log_19 5 (mod 39862).
       Substitute for log_19 2, log_19 3 and log_19 5 from (5.55) to (5.57) and simplify:
       6 × 37388 + 4 × 20788 + 3 × 20037 = 367591 ≡ 8833 (mod 39862) ⇒ x ≡ 8833 − 8733 = 100 (mod 39862).
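The two-step index calculus of slides 33-42 in general form, as an added example (editor-supplied code, not the slides' own program). Relations are collected by scanning exponents k = 1, 2, ... for 5-smooth values of g^k, the linear system is solved by Gauss-Jordan elimination modulo each prime factor of p − 1 and recombined with the Chinese remainder theorem, exactly as slides 36-41 do by hand, and step 2 searches for k with h × g^k smooth. It assumes, as the slides do, that g is primitive and that p − 1 is squarefree (39862 = 2 × 19 × 1049 is); prime powers would need Hensel lifting, which is outside the slides. Needs Python 3.8+ for pow(x, -1, q).

```python
def prime_factors(n):
    """Distinct prime factors of a small integer by trial division."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + ([n] if n > 1 else [])


def smooth_exponents(v, base):
    """Exponent vector of v over the factor base, or None if v is not base-smooth."""
    exps = []
    for q in base:
        e = 0
        while v % q == 0:
            v //= q
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def solve_mod_prime(rows, rhs, q):
    """Gauss-Jordan elimination over Z_q (q prime); None unless the system has full column rank."""
    m = [[c % q for c in row] + [b % q] for row, b in zip(rows, rhs)]
    ncols = len(rows[0])
    r = 0
    for col in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][col]), None)
        if piv is None:
            return None
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][col], -1, q)
        m[r] = [v * inv % q for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][col]:
                f = m[i][col]
                m[i] = [(vi - f * vr) % q for vi, vr in zip(m[i], m[r])]
        r += 1
    return [m[i][ncols] for i in range(ncols)]


def crt(residues, moduli):
    """x with x = r_i (mod m_i) for pairwise coprime moduli (Garner's method)."""
    x, M = 0, 1
    for r, mod in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, mod) % mod)
        M *= mod
    return x % M


def index_calculus(g, h, p, base=(2, 3, 5), max_k=20000):
    """log_g h (mod p) for a primitive g, by the slides' two-step method."""
    n = p - 1                                   # order of g, assumed primitive
    moduli = prime_factors(n)
    assert all(n % (q * q) for q in moduli), "this example assumes p - 1 squarefree"
    # Step 1: relations g^k = prod q^e  =>  k = sum e log_g q (mod n), solved
    # separately mod each prime factor of n and recombined with the CRT.
    rows, rhs, logs = [], [], None
    for k in range(1, max_k):
        exps = smooth_exponents(pow(g, k, p), base)
        if exps is None:
            continue
        rows.append(exps)
        rhs.append(k)
        if len(rows) < len(base):
            continue
        parts = [solve_mod_prime(rows, rhs, q) for q in moduli]
        if all(s is not None for s in parts):
            logs = [crt([s[i] for s in parts], moduli) for i in range(len(base))]
            break
    if logs is None:
        return None
    # Step 2: find k with h g^k smooth; then x + k = sum e log_g q (mod n).
    for k in range(max_k):
        exps = smooth_exponents(h * pow(g, k, p) % p, base)
        if exps is not None:
            x = (sum(e * l for e, l in zip(exps, logs)) - k) % n
            if pow(g, x, p) == h:
                return x
    return None


if __name__ == "__main__":
    print(index_calculus(19, pow(19, 100, 39863), 39863))   # the slides' h = 28244
```

Step 1 is independent of h: once the logs of the factor base are known, every further DL to the same base costs only a step-2 search, which is why the cost of index calculus is governed by p rather than by the order of the base (slide 43).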

    43. Observations
       The complexity of the DLP decides the effectiveness of the DH key exchange scheme and of the ElGamal public key cryptosystem.
       If p − 1 factorises into a product of powers of small primes, the DLP succumbs to the Pohlig-Hellman algorithm.
       Shanks' algorithm, Pollard's ρ algorithm and their variants find the DL in O(√N) steps, N being the order of the base; this is the attacker's worst case only when that order has a large prime factor.
       p − 1 always has 2 as a factor; selecting p of the form 2q + 1 with q prime (a safe prime) is one answer, but too severe a constraint in general!
       Practical approach: select p such that p − 1 has one dominant large prime factor, a deterrent to the use of Pohlig-Hellman or its variants to solve the DLP.
       The index calculus approach remains effective even if p − 1 has a large prime factor, since its cost depends on p rather than on the order of the base ⇒ choose p with care, and large.

    44. ElGamal public key cryptosystem: a modification of the D-H algorithm for private key exchange
       Messages are exchanged using a {private key, public key} pair. Step by step procedure:
       Alice and Bob agree on p and g, g ∈ Z_p a (primitive) element; a ∈ Z_p is the private key of Alice.
       Alice computes A = g^a (mod p) and shares A with Bob: a is known only to Alice, but A, the public key, is made known to Bob by Alice.
       Bob selects a key k called an ephemeral key.

    45. Bob computes c_1 = g^k (mod p) and c_2 = m A^k (mod p) and discards k; m is the message.
       k exists only for the session concerned and is not used further; its short-term existence is why it is called ephemeral (reusing k for two messages makes A^k common to both, so c_2/c_2' = m/m' and one known message reveals the other).
       Bob sends the pair {c_1, c_2}, the CT, to Alice.
       Alice uses her private key a and computes c_1^-a c_2 ≡ g^-ka m A^k ≡ g^-ka m g^ka ≡ m (mod p): the product is the message, recovered!

    46. Example: p = 30559 has g = 7 as a primitive element.
       Alice selects a = 1000 as the private key; the corresponding public key is A = 7^1000 (mod 30559) = 24439, which Alice sends to Bob.
       Bob selects the random ephemeral key k = 2000 and computes c_1 = 7^2000 ≡ 19625 (mod 30559).
       The message to be sent is m = 13327 ⇒ c_2 = m A^k = 13327 × 24439^2000 ≡ 13327 × 21759 ≡ 7842 (mod 30559).
       Bob sends the pair {c_1, c_2} = {19625, 7842} to Alice.

    47. Alice computes c_1^-a as 19625^-1000 ≡ 19625^29558 ≡ 2219 (mod 30559) (by Fermat's little theorem the inverse of c_1^a is c_1^(p − 1 − a))
       ⇒ c_1^-a c_2 ≡ 2219 × 7842 ≡ 13327 (mod 30559), the message.
       An n-digit message is encrypted as a 2n-digit CT: a 2-to-1 expansion.
       Getting a from the known A, p and g is a DLP ⇒ breaking the ElGamal scheme this way is as difficult as the underlying DLP.
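The ElGamal exchange of slides 44-47 with the slides' parameters (p = 30559, g = 7, a = 1000, k = 2000, m = 13327), plus the ephemeral-key reuse failure mode noted above, as an added example (editor-supplied code, not part of the slides). The second message 4242 encrypted under the same k is a constructed misuse, shown to make the leak concrete. Needs Python 3.8+ for pow(x, -1, p).

```python
def elgamal_keygen(p, g, a):
    """Alice's key pair: private a, public A = g^a (mod p)."""
    return a, pow(g, a, p)


def elgamal_encrypt(p, g, A, m, k):
    """Bob: c1 = g^k, c2 = m A^k (mod p). k is the ephemeral key and must be fresh per message."""
    if not 0 < m < p:
        raise ValueError("message must be in 1 .. p-1")
    return pow(g, k, p), m * pow(A, k, p) % p


def elgamal_decrypt(p, a, c1, c2):
    """Alice: m = c1^(-a) c2 (mod p); c1^(-a) = c1^(p-1-a) by Fermat's little theorem."""
    return pow(c1, p - 1 - a, p) * c2 % p


def reused_k_recovery(p, c2_known, m_known, c2_other):
    """If Bob reused k, A^k is the same in both ciphertexts: m' = c2' * m / c2 (mod p)."""
    return c2_other * m_known * pow(c2_known, -1, p) % p


def demo():
    p, g = 30559, 7                     # slide 46: g = 7 is primitive mod 30559
    a, A = elgamal_keygen(p, g, 1000)
    c1, c2 = elgamal_encrypt(p, g, A, 13327, 2000)
    m = elgamal_decrypt(p, a, c1, c2)
    # constructed second message encrypted with the SAME k: a misuse, shown on purpose
    c1b, c2b = elgamal_encrypt(p, g, A, 4242, 2000)
    leaked = reused_k_recovery(p, c2, 13327, c2b)
    return A, (c1, c2), m, c1b == c1, leaked


if __name__ == "__main__":
    print(demo())
```

The repeated c_1 is itself the tell-tale sign of key reuse on the wire: an observer who sees the same c_1 twice knows the two c_2 values share the mask A^k.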

    48. RSA cryptosystem
       RSA is short for Rivest, Shamir and Adleman, the people credited with its introduction.
       Security rests on the difficulty of factorising large integers; the level of security is reckoned better than that of the ElGamal scheme at comparable size.
       N: the product of two primes p and q of the same order. Form the product φ(N) = (p − 1)(q − 1).
       Alice identifies e such that gcd(e, φ(N)) = 1, i.e. e relatively prime to (p − 1)(q − 1).
       Alice publishes {N, e} as her public key.

    49. Bob can select any message m < N. Bob computes c = m^e (mod N) and sends c to Alice as the CT.
       Alice computes d satisfying the congruence de ≡ 1 (mod φ(N)); gcd(e, φ(N)) = 1 ⇒ d exists, and it is computed with the extended Euclidean algorithm (d is Alice's private key, kept together with p and q).
       Alice decrypts c as c^d (mod N) to retrieve the PT: c^d ≡ m^ed ≡ m^(1 + kφ(N)) ≡ m (mod N), since m^kφ(N) ≡ 1 (mod N) by Euler's theorem when gcd(m, N) = 1 (the identity m^ed ≡ m also holds for the remaining m, as one sees by checking it mod p and mod q separately).
       Knowing d, the above is relatively straightforward. Eve, without knowledge of d, has to factorise N to get φ(N) and thence d.

    50. Example: p = 67 and q = 71, two primes ⇒ pq = 4757 and (p − 1)(q − 1) = 66 × 70 = 4620.
       Select e = 47 and apply the extended Euclidean algorithm: 47 × 983 = 1 + 4620 × 10 ⇒ d = e^-1 = 983.
       m, the message to be encrypted, is 234: CT c = m^e = 234^47 ≡ 3739 (mod 4757).
       Decryption is done as c^d = 3739^983 ≡ 234 (mod 4757).

    51. Example: message m = 234 encrypted and decrypted with p = 83 and q = 107. Steps:
       pq = 8881 and (p − 1)(q − 1) = 82 × 106 = 8692; e = 127; 127 × 2327 − 34 × 8692 = 1 ⇒ d = e^-1 = 2327.
       m = 234 ⇒ 234^127 ≡ 2236 (mod 8881) = c.
       Decrypted output: 2236^2327 ≡ 234 (mod 8881), which is the message itself.

    52. RSA is the best known public key cryptosystem today.
       p and q should be of the same order, ~300 digits (1024 bits) each.
       p − 1 and q − 1 should each have one large prime as a factor, and gcd(p − 1, q − 1) should be small; note that it is at least 2.
       Implementation: identify large prime numbers p and q.
       Approaches to cryptanalysis: algorithms to factorise the large number N into p and q, whence φ(N) = (p − 1)(q − 1) and d.
       (p − 1) and (q − 1) have 2 as a factor ⇒ select an odd e > 2. e = 3 makes the system susceptible to attacks (small public exponent); larger values are preferred, and e = 2^16 + 1 = 65537 (prime) is an oft-quoted choice.
       Compute m^e and c^d through the fast powering algorithm.
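Textbook RSA as on slides 48-52, with the extended Euclidean computation of d and Eve's factoring route, as an added example (editor-supplied code, not the slides' own). It reproduces both slide key pairs ((67, 71, e = 47) ⇒ d = 983 and (83, 107, e = 127) ⇒ d = 2327); the trial-division factoring is feasible only at toy size, which is precisely the point of slide 52's 1024-bit primes. Note this is unpadded RSA: real deployments add OAEP-style padding, which the slides do not cover.

```python
def egcd(a, b):
    """Extended Euclid: (g, x, y) with a x + b y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def rsa_keygen(p, q, e):
    """Public key (N, e) and private exponent d = e^-1 (mod (p-1)(q-1))."""
    N, phi = p * q, (p - 1) * (q - 1)
    g, d, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (N, e), d % phi


def rsa_encrypt(pub, m):
    N, e = pub
    if not 0 <= m < N:
        raise ValueError("message must be smaller than N")
    return pow(m, e, N)


def rsa_decrypt(N, d, c):
    return pow(c, d, N)


def rsa_break_by_factoring(N, e):
    """Eve's route: factor N by trial division (toy sizes only), then rebuild d."""
    f = 2
    while f * f <= N:
        if N % f == 0:
            return rsa_keygen(f, N // f, e)[1]
        f += 1
    return None


def demo():
    results = []
    for p, q, e in ((67, 71, 47), (83, 107, 127)):
        (N, e), d = rsa_keygen(p, q, e)
        c = rsa_encrypt((N, e), 234)
        results.append((N, d, c, rsa_decrypt(N, d, c), rsa_break_by_factoring(N, e)))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```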

    53. Primality tests
       Large primes are essential in cryptography: generate a random number, then test it for primality.
       Absolute test: divide by all primes up to the square root of the candidate; this and other exact tests are not practical at cryptographic sizes.
       Algorithms for indirect / approximate (probabilistic) tests are commonly used and suffice in many cases; there is no choice!

    54. Miller-Rabin test
       Fermat's little theorem: every prime number p satisfies the congruence a^(p − 1) ≡ 1 (mod p) for any a not divisible by p.
       Generalise: any a satisfies a^p ≡ a (mod p). Proof: for 0 < a < p this is the theorem itself; for a ≥ p two cases arise:
       1. p is a factor of a: let a = kp ⇒ a ≡ 0 (mod p) ⇒ a^p ≡ 0 ≡ a (mod p).
       2. p is not a factor of a: a = kp + b with 0 < b < p ⇒ a^p ≡ b^p ≡ b ≡ a (mod p).

    55. The Fermat test is a negative test for primality: if the congruence is not satisfied, n is not a prime; if it is satisfied, n may be a prime, which raises hope that n can be a prime!
       Villains: Carmichael numbers, composites that satisfy a^n ≡ a (mod n) for every a (561 = 3 × 11 × 17 is the smallest). The Miller-Rabin refinement below is not fooled by them.

    56. a is called a witness for n if a^n ≢ a (mod n): a witness confirms that n is not a prime. The Miller-Rabin test tests a for being a witness.
       A simplified procedure (not raising a to the power p − 1 in one go): if p is prime, a^(p − 1) ≡ 1 (mod p) ⇒ a^((p − 1)/2) ≡ 1 (mod p) or a^((p − 1)/2) ≡ −1 (mod p), and the halving can be repeated while the exponent stays even.
       Let p − 1 = 2^k q with q odd. If p is prime then one of the following is satisfied:
       a^q ≡ 1 (mod p), or a^(2^i q) ≡ −1 (mod p) for some i with 0 ≤ i < k.
       If neither holds, a is a (Miller-Rabin) witness and p is composite. The result is stated as a formal algorithm on the following slide.

    60. p in the range 2 ≤ p ≤ x: π(x), the number of primes up to x, tends to x/ln x (prime number theorem) ⇒ 1/ln x is the fraction of primes up to x.
       π(x) and 1/ln x for different orders of x are given in the Table; the fraction 1/ln x steadily reduces as the order of x increases.
       It is known that if N is not a prime, at least 75% of the numbers less than N are witnesses ⇒ a random number a with 0 < a < N has at most a 25% chance of not being a witness.
       P(two successive random selections are both non-witnesses) = (1 − 0.75)^2.

    62. Cumulative probabilities for l successive trials are in the Table (the error bound is actually larger by a factor of about ln N, to allow for the prior odds that a random candidate of size N is prime; for N ≈ 10^300 that factor is 691).
       If l = 10, the uncertainty in declaring N prime is < 10^-6 (0.25^10 ≈ 9.5 × 10^-7).
       Restricting the selection of candidate numbers to obvious candidates in Z_N reduces the uncertainty further.

    63. Do the witness test only on odd candidates ⇒ the uncertainty is halved.
       Restrict the candidates further to numbers with none of 2, 3, 5 and 7 as a factor (i.e. coprime to 210 = 2 × 3 × 5 × 7) and the uncertainty reduces again.
       Miller-Rabin and similar algorithms are approximate tests: increase the number of trials and increase the probability of the number being prime. Absolute tests are much slower.
       In practice, a number that clears the Miller-Rabin test enough times (say 100) is taken as prime.
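The Fermat and Miller-Rabin tests of slides 54-63 side by side, with the Carmichael number 561 as the case that separates them, plus the slides' generate-and-test prime generation, as an added example (editor-supplied code, not the slides' own algorithm listing). The small-prime wheel implements the slide 63 restriction; the seeded generator keeps the run reproducible, which a real key generator must not do (it needs a cryptographic RNG such as the secrets module).

```python
import random


def fermat_passes(n, a):
    """Plain Fermat test: True if a^n = a (mod n). Carmichael numbers pass for every a."""
    return pow(a, n, n) == a % n


def is_mr_witness(n, a):
    """True if a proves the odd number n composite by the Miller-Rabin criterion (1 < a < n-1)."""
    q, k = n - 1, 0
    while q % 2 == 0:                 # n - 1 = 2^k q, q odd
        q //= 2
        k += 1
    x = pow(a, q, n)
    if x == 1 or x == n - 1:          # a^q = +-1: not a witness
        return False
    for _ in range(k - 1):            # a^(2^i q) for i = 1 .. k-1
        x = x * x % n
        if x == n - 1:
            return False
    return True                       # never reached -1: witness


def is_probable_prime(n, rounds=20, seed=12345):
    """Miller-Rabin with `rounds` random bases; a composite slips through with probability <= 4^-rounds."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if any(n % s == 0 for s in small):    # the slides' wheel: drop obvious composites first
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if is_mr_witness(n, a):
            return False
    return True


def random_prime(bits, seed=1):
    """Generate-and-test: odd random candidates of exactly `bits` bits until one passes."""
    rng = random.Random(seed)             # deterministic for the demo; use `secrets` for real keys
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


if __name__ == "__main__":
    print(fermat_passes(561, 2), is_mr_witness(561, 2))   # True (fooled), True (caught)
    print(is_probable_prime(39869), is_probable_prime(4757), random_prime(64))
```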

    64. Factorisation of large numbers: Pollard's p − 1 method
       Let R be a number such that p − 1 is a factor of R but q − 1 is not: R = k_1(p − 1) and R = k_2(q − 1) + k_3, with k_1, k_2, k_3 integers (k_3 ≠ 0).
       With a random value a, a^R − 1 has p as a factor (Fermat: a^R = (a^(p − 1))^k1 ≡ 1 (mod p)) ⇒ a^R − 1 = kp, while q is (in general) not a factor of a^R − 1.
       So select a and R, compute a^R − 1 (mod N), and use the Euclidean algorithm to get gcd(a^R − 1, N) = d; d is a factor of N.
       Try with different R values. The method is effective if p − 1 has only small primes as factors.

    65. Pollard's (p − 1) algorithm: an iterative procedure to factorise N
       Identify L such that all the prime-power factors of (p − 1) are factors of L!.
       Fermat's theorem ⇒ a^(p − 1) ≡ 1 (mod p) ⇒ a^L! ≡ 1 (mod p) ⇒ a^L! − 1 has p as a factor.
       Let d = a^L! (mod N) ⇒ d = a^L! − kN for some integer k ⇒ p is a factor of (a^L! − 1) and of N ⇒ d − 1 too has p as a factor ⇒ gcd(d − 1, N) is a factor of N.
       Pollard's (p − 1) algorithm takes the jth power of a^(j − 1)! (mod N) to compute a^j! (mod N) at every iteration, checking the gcd each time (Algorithm on the following slide).

    68. Pollard's ρ algorithm used to factorise a number N
       Let x_1, x_2 ∈ Z_N with x_1 ≡ x_2 (mod p) for a factor p of N, but x_1 ≢ x_2 (mod N). Form d = gcd(x_1 − x_2, N): d ≠ 1, N ⇒ d is a factor of N.
       ⇒ Pollard's ρ algorithm for factorisation. Steps:
       Define x_(i+1) = f(x_i), f mapping the elements of Z_N onto itself.
       Obtain d = gcd(x_(i+1) − x_j, N) after every stage of the mapping sequence, for all j up to i; if d ≠ 1, it is a factor of N.

    69. As i increases, the probability of identifying d approaches 1 sufficiently closely (birthday paradox: the values collide mod p after about √p steps).
       f(x) = b_2 x^2 + b_0 (mod N) suffices; take b_2 = 1 and b_0 a small integer.
       The search for a gcd may start from x_(k+1), where b_2 x^2 + b_0 > N for the first time (before that the reduction mod N has not yet acted).
       In step 2, limit the search to the range k to i + 1.

    71. Factorise N = 648749
       With x[0] = 4 the sequence is reproduced in the Table; it continues up to x[41].
       x[41] = 322330 collides (mod 857) with an earlier entry 607711: gcd(607711 − 322330, 648749) = gcd(285381, 648749) = 857, a factor of 648749 (648749 = 857 × 757).
       The total number of gcds to be computed before identifying the factor is more than 800 (every pair is tried).

    72. The size of the sequence x[i] increases rapidly as the size of the number to be factorised increases.
       Scanning the full sequence each time and checking gcds consumes an unduly large amount of additional resources.
       Attractive alternative: use two sequences and extract the gcd of the latest entries in the two.
       Sequences x_(i+1) = f(x_i) and y_(i+1) = f(f(y_i)), with x_0 = y_0 as the initial entry ⇒ Pollard's ρ algorithm with Floyd's cycle finding.
       At each step only the most recent values of x_i and y_i are stored, and only these are used to obtain the gcd (Algorithm on the following slide).

    74. Factorise N = 648749
       With x[0] = y[0] = 2, after 118 iterations 857 is returned as a factor.
       With x[0] = y[0] = 3, after 150 iterations 857 is returned as a factor.
       With x[0] = y[0] = 4, after 250 iterations, failure is returned.
       With x[0] = y[0] = 7, after 134 iterations 757 is returned as a factor.
       In each case the total number of gcd computations is the same as the number of iterations: an order of magnitude less than in the above case.

    75. Factorise N = 4087
       With x[0] = y[0] = 1, N is returned as the gcd after 9 steps; this corresponds to a situation where the two sequences coincide mod N itself (x_i = y_i) once the iteration enters the cyclic phase.
       The iteration may then be repeated with a different initial condition {x[0], y[0]} or a slightly altered function.
       With x[0] = y[0] = 3, 67 is returned as a factor after two steps (4087 = 61 × 67).

    76. Factorisation through difference of squares
       N: the number to be factorised; a and b integers. Consider the relation N = a^2 − b^2 = (a + b)(a − b) ⇒ N + b^2 = a^2.
       ⇒ Add the square of an integer to N to form the square of another integer ⇒ express N as a product of two numbers.
       p = 1933 and q = 1949: N = pq = 3767417 = (1941 + 8)(1941 − 8) = 1941^2 − 8^2 ⇒ 3767417 + 8^2 = 3767481 = 1941^2.
       Addition of 8^2 converts N to a perfect square; the factors of N are obtained from it as 1941 − 8 = 1933 and 1941 + 8 = 1949.

    77. Algorithm: add the squares 1^2, 2^2, 3^2, 4^2, ... successively to N; if the sum is a square, obtain the factors as above.
       The method is effective if N is the product of two factors close to each other.
       Factorise 5475551 using the difference of squares approach:
       5475551 + 1^2 = 5475552, not a square
       5475551 + 2^2 = 5475555, not a square
       5475551 + 3^2 = 5475560, not a square
       5475551 + 4^2 = 5475567, not a square
       5475551 + 5^2 = 5475576, not a square
       5475551 + 6^2 = 5475587, not a square
       5475551 + 7^2 = 5475600 = 2340^2 ⇒ 5475551 = 2347 × 2333

    78. Factorise 471953 using the difference of squares approach:
       471953 + 1^2 = 471954, not a square
       471953 + 2^2 = 471957, not a square
       471953 + 3^2 = 471962, not a square
       471953 + 4^2 = 471969 = 687^2 ⇒ 471953 = 691 × 683
       The method can be extended to cases where the factors of N are not necessarily close to each other, by first multiplying N by a small constant.

    79. Example: N = 994043. 3N = 2982129 = 1727^2 − 20^2 = 1707 × 1747, i.e. 3 × 994043 + 20^2 = 1727^2.
       To extract the factors of 994043 take gcd(994043, 1707) and gcd(994043, 1747): these are 569 and 1747, and 994043 = 569 × 1747.
       The method in this form is too simplistic to be practical; adaptations of the same idea (the quadratic sieve and number field sieve) are the widely used methods to factorise large numbers.
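The three factoring methods of slides 64-79 (Pollard p − 1 in the iterative j! form, Pollard ρ with Floyd's two sequences, and the difference-of-squares search with the slide 79 multiplier), as an added example (editor-supplied code, not the slides' listings). It runs on the slides' numbers: 648749 = 857 × 757, 4087 = 61 × 67, 5475551, 471953 and 994043 with k = 3. The ρ iteration counts will differ from the slide's Table because the slide does not state its b_0.

```python
from math import gcd, isqrt


def pollard_p_minus_1(N, bound=100, a=2):
    """a <- a^j (mod N) for j = 2..bound builds a^(j!); stop when gcd(a - 1, N) is non-trivial."""
    for j in range(2, bound + 1):
        a = pow(a, j, N)
        d = gcd(a - 1, N)
        if 1 < d < N:
            return d
        if d == N:
            return None        # every factor appeared at once: restart with another a or bound
    return None


def pollard_rho_factor(N, x0=2, c=1, max_iter=10**6):
    """Floyd variant: x one step, y two steps, gcd(x - y, N) each iteration.
    Returns (factor or None, iterations)."""
    f = lambda v: (v * v + c) % N
    x = y = x0
    for i in range(1, max_iter + 1):
        x = f(x)
        y = f(f(y))
        d = gcd(abs(x - y), N)
        if d == N:
            return None, i     # sequences met mod N itself: failure for this start (slide 75)
        if d > 1:
            return d, i
    return None, max_iter


def pollard_rho_retry(N):
    """Slide 75's remedy: change the start value or the constant and try again."""
    for c in (1, 2, 3):
        for x0 in (2, 3, 4, 7):
            d, _ = pollard_rho_factor(N, x0, c)
            if d:
                return d
    return None


def fermat_factor(N, k=1, max_b=10**6):
    """Difference of squares: find b with k N + b^2 a square, then gcd with a -/+ b.
    Returns ((smaller, larger), b) or (None, None)."""
    M = k * N
    for b in range(max_b):
        s = M + b * b
        a = isqrt(s)
        if a * a == s:
            return tuple(sorted((gcd(a - b, N), gcd(a + b, N)))), b
    return None, None


if __name__ == "__main__":
    print(pollard_p_minus_1(648749))          # 757: 756 = 2^2 3^3 7 divides 9!, 856 = 8 * 107 does not
    print(pollard_rho_retry(648749), pollard_rho_retry(4087))
    print(fermat_factor(5475551), fermat_factor(471953), fermat_factor(994043, k=3))
```

p − 1 finds 757 and never 857 here, because 857 − 1 = 8 × 107 has the prime factor 107 that no j! with j < 107 contains; this is the "p − 1 should have a large prime factor" rule of slide 52 seen from the attacker's side.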

    80. Elliptic Curve Cryptography (ECC) ECC ? an attractive alternative to DH key exchange, ElGamel, and RSA cryptosystems Basis ? An elliptic curve group over Zp + an addition operation elliptic curve ? y2 = x3 + ax + b a &b constants; x & y variables Curve takes three different forms. singular elliptic curve ? 3 roots for x when y = 0 ? has two slope values at repeated root ? not of interest to us For y =0 ? x3 + ax + b = 0 #

    82. Let roots be d, e, and e ? e being repeated root # ? (x d )(x e )2 = 0 x3 (d +2e)x2 + (2de + e2)x de2 = 0 Identify coefficients with # ? d = -2e ; 2de + e2 = a;& -de2 = b eliminate d & e ? 4a3 + 27b2 = 0 ? condition to be satisfied for EC to be singular if a & b are chosen such that 4a3 + 27b2 ? 0 singular case avoided & corresponding EC used for ECC

    84. 2. Intersection at three points -- P, Q, & R (x1, y1) & (x2, y2) are points P & Q Co-ordinates of point R ? (x3, -y3) (Reasons for negative sign? ? wait!) Solve equations for EC & straight line simultaneously ? R obtained ( in terms of x1, y1. x2, & y2 ) y = ?x + c ? straight line through P, Q, & R ? y2 = ?2 x2 + 2?cx + c2 Substitute in # ? x3 ?2x2 + (a - 2?c)x + b c2 = 0 roots x1, x2, & x3 satisfy ? (x x1)(x x2)(x x3) = 0

    85. Identify coefficients of x2 in both equations? x1 + x2 + x3 = ?2 ? x3 = ?2 x1 x2 Three possibilities: evaluate - y3 for each 1. straight line ? parallel to y-axis (? ? ? ) ? x1 = x2 = x3 ? y1 = - y2 & y3 is at ? This point (x3, y3) ? denoted as O (x, ? ) 2. x1? x2 ? ? 3. Points P(x1, y1) & Q (x2, y2) coincide Straight line is tangential to EC at P /Q Differentiate # & substitute values of x1 &y1

    86. ? & EC ? y2 = x3 3x + 4 Two points P (-1, 2.4495) & Q (1, 1.4142) ? 3rd point? x3 = ? 2 x1 x2 = 0.26796 & y3 = ?(x3 x1) + y1= 1.7931 P(1, 1.4142) & Q(1, 1.4142) ? same point on EC x3 = ? 2 x1 x2 = -2 y3 = ?(x3 x1) + y1= y1 = 1.4142

    87. P(-1, 2.4495) & Q(-1, 2.4495) same point on EC ? = 0 ? ?2 = 0 x3 = x1 x2 = 2 & y3 = ?(x3 x1) + y1= y1 = 2.4495 P(2, 2.4495) & Q(2, 2.4495) same point EC x3 = ? 2 x1 x2 = -0.6250 y3 = ?(x3 x1) + y1= 1.8371 (x3 x1) + y1 = - 2. 3729

    88. Abelian Group Group ? an algebraic structure with an operation like addition defined on it Group elements satisfy commutative property ? Abelian group Zp with modulo addition as defined operation ? Abelin group G ? Abelian group with a, b, c, . . as members With ? as operation, group satisfies following axioms: Closure: a ? b is an element of group Associativity: a ? (b ? c)= (b ? a ) ? c Commutativity: a ? b = b ? a Identity element e in set such that a ? e = e

    89. Inverse element: Each element a has an associated element a-1 such that a ? a-1 = e Representative examples of Abelian groups: All real numbers with addition as defined operation & 0 as identity element All real numbers with multiplication as defined operation & 1 as identity element. All rational numbers with addition as defined operation & 0 as identity element All rational numbers with multiplication as defined operation & 1 as identity element Zp with modular addition as defined operation & 0 as identity element Zp with modular multiplication as defined operation & 1 as identity element

    90. Abelian group on Elliptic curve Basis of ECC ? An Abelian group - defined on points on EC Points (xi, yi) is on EC form defining group Addition -- symbol ? operation defined for a pair of points P(x1, y1) & Q (x2, y2) in group Form sum element as follows: Extend straight line joining P(x1, y1) &Q (x2, y2) to intersect EC at point R (x3, -y3)- (the co-ordinates of R can be obtained as explained earlier) Obtain R as reflection of R on the x-axis. R is the point with co-ordinates (x3, y3) x3 evaluated as earlier;Y3 evaluated ?y3 =? (x1 x3) y1 Point R is the sum element

    91. The addition operation is represented as P ? Q = R If P(x1, y1) & Q (x1, -y1) ?two points, sum element is at infinity ?identity element of group represented by symbol O ? sum element is also within group P + Q = Q + P = R ? addition commutative Addition carried out in one of three possible ways If P (X1, y1) ? Q(x2, y2) = O, Q (x2, y2) ? additive inverse of P(x1, y1) & vice versa ? pair (P2, Q2) in Figure P1 (y- co-ordinate is a zero) is similar: here P1 = P1-1 Two other cases in Figure ? [2]P3 = R3 & P4 + Q4 = R4

    93. If P(x1, y1), Q(x2, y2), & R(x3, y3) three points in group, they satisfy the associativity condition (P(x1, y1) ? Q(x2, y2))? R(x3, y3) = P(x1, y1) ? (Q(x2, y2) ? R(x3, y3)) Addition can be carried out repeatedly? manifests as multiplication by an integer Example [2]P = P ? P; [3] P = P ? [2] P = P ? P ? P; [N] P = P + P + P+ . . . N times A typical P, [2]P, [3]P, . . sequence obtained through such successive and repeated addition operations is shown in Figure ?

    95. Examples EC - y2 = x3 3x + 4 1. Obtain sum of points P (-1, 2.4495) & Q (1, 1.4142) -- x3 = 0.26796 & y3 = 1.7931? evaluated earlier Sum point is R (0.26796, - 1.7931) Sum point can be obtained for other cases similarly In each case y-co-ordinate has been obtained by changing sign of y3 2. P(-1, 2.4495) ?Q(1, -1.4142) = R (3.732, 6.692) 3. P(1, 1.4142) ? Q(1, 1.4142) = R (-2, -1.4142) 4. P(-1, 2.4495) ? Q(-1, 2.4495) = R (2, -2.4495) 5. P(2, 2.4495) ?Q(2, 2.4495)= R(-0.6250, 2. 3729)

    96. Example point P(-1, 2.4493)?Obtain [2]P,[3]P,& [4]P steps summarized in Table ?

    97. 5.7.3 EC Group over Zp Abelian group over EC encompasses all points on the curve & additional abstract point O at infinity point co-ordinates ? real & irrational number pairs satisfying ECequation. Consider Zp ? define Abelian group over EC ? x & y co-ordinate values in Zp a & b also in Zp geometric interpretation not valid EC equation relating x & y values hold good Addition operation also holds good.

    98. Formally define EC group over Zp as ? xi, yi ? Zp satisfy EC equation y 2 =x3 + ax + b(mod p) where a, b ? Zp & 4a3 + 27b2 ? 0% P (x1, y1) & Q (x2, y2) ? pairs satisfying EC Equation ? if P (x1, y1) satisfies EC Equation, Q (x1, -y1) also satisfies EC equation Identity element - O : for any P (x1, y1) in group P (x1, y1) ? P (x1, p - y1)= O O ? abstract point at infinity? additive identity element Additionsum of points P(x1, y1) & Q (x2, y2) ? P(x1, y1) ? Q(x2, y2) = R(x3, y3) R(x3, y3) ? obtained in one of three possible ways depending on relative values of x1, x2, y1, & y2

    99. 1.R = O if x1 = x2 & y2 = p - y1 2. If x1 = x2 & y1= y2 ? = ((3x12 +a)(2y1)-1)(mod p) x3 = (?2 2 x1)(mod p) y3 = (?(x3 x1)-1 + y1) (mod p) 3. If x1 ? x2 and y1 ? y2, ? = ((y2 y1)(x2 x1)-1) (mod p) x3 = (?2 x1 x2)(mod p) y3 = (?(x3 x1)-1 + y1) (mod p)

    100. Points on the EC Group over Zp EC group elementsover Zp ? substitute different values of x ? Zp in Equation % & evaluate y (mod p) If g is a primitive element of Zp, y2 = gc (mod p) ? c is an even number This constrains & limits number of elements in group number of elements of a set of EC groups Table? Number depends on a & b values of EC for given Zp Number same order as p total number of elements in group (E) lies in range p +1 2 . Elements of representative sets of EC groups in ? Tables ??

    104. Point Multiplication concept of point addition can be extended to multiply points. Let P ? P be represented as [2]P signifying a multiplication by 2 operation. Extending the concept we have P ? P ? P = [3] P [3] P ? [2] P = [5] P [m ? n] P = [n]P ? [n] P ? [n] P . . . ? m times. Example EC group with a =3, b=4, & p=23; P ? point P (6, 13) ? [n] P for different values of n are given in Table ?

    105. From the table one can confirm the following: [2] P ? [3] P = [5] P = (18, 18) [2 ? 3] P = [6] P = (7, 0) [5] P ? [2] P = [7] P = (18, 5) [5? 2 ] P = [10] P = (0, 21)

    106. Primitive Point and Order EC group over an Zp ? Add a point to itself repeatedly & form a sequence No. of points in group limited ? at some stage sequence repeats as a cycle Total No. of distinct points in cyclic sequence corresponds to order of point Ep ? No. of distinct points in group Order ? Ep Tables [following PPT] give cyclic sequence for a selected set of points & order in each case for a EC group ? If point is suitably chosen order can be Ep itself

    108. A point for which the order is Ep itself corresponds to a primitive element g in Zp. For ECC applications an EC group with such a point, called a primitive point here, with order Ep itself, is desirable → selection of the group & the primitive point: do with care! P → a primitive point & Ep → total no. of points in the group → [Ep]P = P; this result, an adaptation of Fermat's little theorem, can be exploited effectively for public key cryptography. The last table corresponds to such a case; the point selected for repeated addition, G(0, 2), produces the full sequence and can be taken as the primitive point for use in ECC.

    109. Fast addition in elliptic curve groups. Find R = [a]P, given a and P. [a]P computation → double-and-add algorithm → analogous to the fast powering algorithm in Zp. Express a as a binary number: a = a_k 2^k + a_{k−1} 2^{k−1} + a_{k−2} 2^{k−2} + ... + a_0 2^0 → [a]P = [a_k 2^k]P ⊕ [a_{k−1} 2^{k−1}]P ⊕ [a_{k−2} 2^{k−2}]P ⊕ ... ⊕ [a_0]P. Let R = O (the identity, playing the role of 1 in fast powering) & Q = P. Do the following for all 0 ≤ i ≤ k: if a_i = 1, R = Q ⊕ R; then Q = [2]Q. The procedure is given formally as Algorithm (not reproduced).

    111. Take y² = x³ − 3x + 4 over Z23. The sequence starting with P = (0, 2) continues through [28]P = (2, 12) and [29]P = (0, 21) & [30]P = O. [17]P = (9, 19); [2 × 17]P = [2](9, 19) = (8, 20) = [4](0, 2). Take y² = x³ − 3x + 4 over Z443. The sequence starting with P = (1, 47) continues through [454]P = (441, 47) & [455]P = (1, 396). [338]P = (297, 290); [2 × 338]P = [2](297, 290) = (403, 206) = [220](1, 147).

    112. DL problem. With g, a, h ∈ Zp and h ≡ g^a (mod p), a is the DL log_g h (mod p). The DL definition hinges on the concept of exponentiation in modular arithmetic. Extend the concept to EC groups, where the addition operation has the same significance as the multiplication operation in Zp. G → primitive point with order Ep in an EC group; [a]P = h, where h is also a point in the EC group; a → defined as the discrete logarithm of h with respect to P.

    113. Use the double-and-add algorithm to obtain h for a given (a, P) pair. The corresponding inverse problem of finding the DL for a given (h, P) pair is more difficult. The level of difficulty is said to be at least on par with the corresponding DL problem in Zp → finding the DL in an EC group → a trap door function. Pollard-ρ type algorithms or other collision algorithms → surmount the difficulty of finding the DL to a limited extent. However, the DL problem still remains.

    114. D-H key exchange. The DH key exchange scheme in an EC group → similar to that with Zp. Example: Alice and Bob exchange a = −3, b = 4, p = 23, g = 5 & Ep = 29 regarding the EC group. They exchange the primitive point data G(0, 2). Alice selects private key a = 14 & computes A = [a]G = [14]G = (22, 11). Point A → public key of Alice: she sends point A to Bob.

    115. Bob selects private key b = 10 & computes B = [b]G = [10]G = (6, 8). Bob sends point B to Alice as his public key. Alice computes dA = [a]B = [14]B = [14 × 10]G = [20]G = (6, 15). Bob computes dB = [10]A = [140]G = [20]G = (6, 15), which is the same as dA. The shared secret key between Alice & Bob is (6, 15).

    116. Example. Consider the EC group with a = −3, b = −4, p = 443 & g = 2; Ep = 455. Primitive point G(1, 47) has order 455. Alice & Bob share all this basic information. Alice selects her private key a = 234; the corresponding public key is A = [234]G = (67, 298). Bob selects his private key b = 197; the corresponding public key is B = [197]G = (432, 373). Alice computes dA = [a]B = [234]B = [234 × 197]G = [101 × 455 + 143]G = [143]G = (81, 250). Bob computes dB = [197 × 234]G = [140]G = (81, 250), as done earlier. (81, 250) is the shared secret key between Alice & Bob.

    117. ElGamal Public Key Cryptosystem. The ElGamal public key cryptosystem is implemented in ECC in a simplified form → illustrative example. EC group a = −3, b = −4, p = 443 & g = 2; Ep = 455. Primitive point G(1, 47) has order 455. Private key of Alice → a = 229; [229]G = (85, 72) → public key A: Alice sends A to Bob. Bob chooses ephemeral key k = 181 & computes c1 = [181]G = (343, 311). m = 222 → message to be encrypted. Bob computes c2 = [m + k]A = [222 + 181 + 229]G = [177]G = (170, 67). The encrypted message that Bob sends to Alice is the pair (c1, c2) = ((343, 311), (170, 67)). Alice computes c2 ⊕ (−c1 − A) = [177 − 181 − 229]G = [455 + 222]G = [222]G, thus retrieving the message m = 222 itself.
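Added example (my code, not the lecture's): the group law of slides 98-99, double-and-add of slide 109, point counting and point order of slides 100 and 106-108, the Z23 Diffie-Hellman run of slides 114-115, and EC ElGamal in its standard form (c2 = M ⊕ [k]A, M = c2 ⊖ [a]c1) rather than the slide's additive simplification, in which c2 ⊖ c1 ⊖ A can be formed from public values alone, so only the hardness of recovering m from [m]G protects the message. Assumed: the message is already a curve point M, and the slides' Ep counts affine points only, so with O included G(0, 2) has order 30, which is why [30]G = O and [140]G reduces to [20]G.

```python
# Added example (not the lecture's own code): EC group law, double-and-add, DH and ElGamal over Z_p.
O = None  # point at infinity, the additive identity

def ec_add(P, Q, a, p):
    """P + Q: identity rule, then the three cases of slide 99 (affine coordinates)."""
    if P is O or Q is O: return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:             # case 1: Q = -P (covers y1 = 0)
        return O
    if P == Q:                                      # case 2: doubling
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                           # case 3: x1 != x2
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, P, a, p):
    """[n]P by double-and-add (slide 109); bits of n are consumed from the LSB up."""
    R, Q = O, P
    while n:
        if n & 1: R = ec_add(R, Q, a, p)
        Q = ec_add(Q, Q, a, p)
        n >>= 1
    return R

def affine_points(a, b, p):
    """Brute-force enumeration; len() is the slides' Ep (O is not counted)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]

def point_order(P, a, p):
    """Smallest n > 0 with [n]P = O; equals Ep + 1 for a primitive point."""
    n, Q = 1, P
    while Q is not O:
        Q, n = ec_add(Q, P, a, p), n + 1
    return n

def ecdh(priv_a, priv_b, G, a, p):
    """Returns (A, B, dA, dB); dA and dB must be the same point."""
    A, B = ec_mul(priv_a, G, a, p), ec_mul(priv_b, G, a, p)
    return A, B, ec_mul(priv_a, B, a, p), ec_mul(priv_b, A, a, p)

def elgamal_encrypt(M, A, k, G, a, p):
    """Standard EC ElGamal: c1 = [k]G, c2 = M + [k]A, with M a curve point."""
    return ec_mul(k, G, a, p), ec_add(M, ec_mul(k, A, a, p), a, p)

def elgamal_decrypt(c1, c2, priv_a, a, p):
    """M = c2 - [a]c1: only the holder of a can strip the mask [k]A = [a]c1."""
    S = ec_mul(priv_a, c1, a, p)
    return ec_add(c2, O if S is O else (S[0], -S[1] % p), a, p)
```

`pow(x, -1, p)` for the modular inverse needs Python 3.8 or later.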

    118. The key exchange & public key cryptosystems explained here → too elementary to be practical. A number of related issues not discussed in depth → algorithms to decide the number of elements in an EC group; identifying a primitive point with a large enough order; selection of a & b values to ensure the EC group is not weak. The message expansion ratio is 4:1 for the cryptosystem described → ways of reducing it are to be explored. Alternative ways of defining the public key cryptosystem itself are to be explored. ECC → apparently complex: its main attraction → the relatively high level of security it provides for the same size of numbers & digits used.
