����ASYMMETRIC CIPHERS: Principles of Public-Key Cryptosystems, The �RSA algorithm, Diffie - Hellman Key Exchange, Elliptic Curve Arithmetic,�Elliptic Curve Cryptography �(Text 1: Chapter 8, Chapter 9: Section 1, 3, 4)��Text Books:�1. William Stallings , “Cryptography and Network Security Principles and Practice”, � Pearson Education Inc., 6th Edition, 2014, ISBN: 978-93-325-1877-3�2. Bruce Schneier, “Applied Cryptography Protocols, Algorithms, and Source code � in C”, Wiley Publications, 2nd Edition, ISBN: 9971-51-348-X.� � Reference Books: �1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.�2. Cryptography and Network Security, Atul Kahate, TMH, 2003. ��

MODULE 4

*

2

Asymmetric Key Encryption

Diffie and Hellman

*

3

*

4

*

5

Y = E(PU_b, X)

X = D(PR_b, Y)

*

6

Y = E(PR_a, X) X = D(PU_a, Y)

*

7

Z = E(PU_b, E(PR_a, X)) X = D(PU_a, E(PR_b, Z))

*

8

*

9

Requirements for Public-Key Cryptography

1. It is computationally easy for a party B to generate a pair (public key PU_b,

private key PR_b).

2. It is computationally easy for a sender A, knowing the public key and the

message to be encrypted, M, to generate the corresponding ciphertext:

C = E(PU_b, M)

3. It is computationally easy for the receiver B to decrypt the resulting

ciphertext using the private key to recover the original message:

M = D(PR_b, C) = D[PR_b, E(PU_b, M)]

4. It is computationally infeasible for an adversary, knowing the public key,

PU_b, to determine the private key, PR_b.

5. It is computationally infeasible for an adversary, knowing the public key,

PU_b, and a ciphertext, C, to recover the original message, M.

​

We can add a sixth requirement that, although useful, is not necessary for all public-key applications:

​

6. The two keys can be applied in either order:

M = D[PU_b, E(PR_b, M)] = D[PR_b, E(PU_b, M)]

*

10

The RSA (Ron Rivest, Adi Shamir, and Len Adleman) Algorithm 1977

C = M^e mod n

M = C^d mod n = (M^e)^d mod n = M^ed mod n

For this algorithm to be satisfactory for public-key encryption, the following requirements must be met:

1. It is possible to find values of e, d, n such that M^ed mod n = M for all M < n.
2. It is relatively easy to calculate mod M^e mod n and C^d for all values of M < n.
3. It is infeasible to determine d given e and n.

M^ed mod n = M

The preceding relationship holds if e and d are multiplicative inverses modulo φ(n), where φ(n) is the Euler totient function.

For p, q prime, φ(pq) = (p -1)(q-1) The relationship between e and d can be expressed as

*

11

That is, e and d are multiplicative inverses mod f(n). Note that, according to the rules of modular arithmetic, this is true only if d (and therefore e) is relatively prime to f(n).

Equivalently, gcd(f(n),d) = 1.

*

12

*

13

Two numbers are relatively prime if they have no prime factors in common; that is, their only common divisor is 1. This is equivalent to saying that two numbers are relatively prime if their greatest common divisor is 1.

1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 x 11 = 187.
3. Calculate f(n) = (p-1)(q-1) = 16 x 10 = 160.
4. Select e such that e is relatively prime to f(n) = 160 and less than f(n) we choose e = 7.
5. Determine d such that de 1 (mod 160) and d < 160. The correct value is d = 23, because 23 x 7 = 161 = 10 x 160 + 1; d can be calculated using the extended Euclid's algorithm.

*

14

If gcd(f(ɸ), e) = 1, then e has a multiplicative inverse modulo f(ɸ).

That is, for positive integer b < f(ɸ), there exists a e¹ < f(ɸ) such that ee¹ = 1 mod f(ɸ). The Euclidean algorithm can be extended so that, in addition to finding gcd(f(ɸ), e), if the gcd is 1, the algorithm returns the multiplicative inverse of e.

*

15

Diffie–Hellman key exchange

First, we define a primitive root of a prime number p as one whose powers modulo p generate all the integers from 1 to p-1. That is, if a is a primitive root of the prime number p, then the numbers

a mod p, a² mod p,..., a^p-1 mod p

are distinct and consist of the integers from 1 through p-1 in some permutation.

For any integer b and a primitive root a of prime number p, we can find a unique exponent i such that

Used for sharing a secret key

*

16

The number 3 is a primitive root modulo 7 because

*

17

The Algorithm

*

18

*

19

*

20

​

1. Alice and Bob agree to use a prime number q=23 and base a=5.
2. Alice chooses a secret integer Xa=6, then sends Bob Ya= a^Xa mod q
• Ya = 5⁶ mod 23
• Ya = 15,625 mod 23
• Ya = 8
3. Bob chooses a secret integer Xb=15, then sends Alice Yb = a^Xb mod q
• Yb = 5¹⁵ mod 23
• Yb = 30,517,578,125 mod 23
• Yb = 19
4. Alice computes s = Yb ^Xa mod q
• s = 19⁶ mod 23
• s = 47,045,881 mod 23
• s = 2

*

21

​

5. Bob computes s = Ya ^Xb mod q
• s = 8¹⁵ mod 23
• s = 35,184,372,088,832 mod 23
• s = 2
6. Alice and Bob now share a secret: s = 2. This is because 6*15 is the same as 15*6. So somebody who had known both these private integers might also have calculated s as follows:
• s = 5^6*15 mod 23
• s = 5^15*6 mod 23
• s = 5⁹⁰ mod 23
• s = 807,793,566,946,316,088,741,610,050,849,573,099,185,363,389,551,639,556,884,765,625 mod 23
• s = 2

Elliptic Curve Cryptography

• majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
• imposes a significant load in storing and processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes
• newer, but not as well analysed

Real Elliptic Curves

• an elliptic curve is defined by an equation in two variables x & y, with coefficients
• consider a cubic elliptic curve of form
• y² = x³ + ax + b
• where x,y,a,b are all real numbers
• also define zero point O
• consider set of points E(a,b) that satisfy
• have addition operation for elliptic curve
• geometrically sum of P+Q is reflection of the intersection R

Real Elliptic Curve Example

Finite Elliptic Curves

• Elliptic curve cryptography uses curves whose variables & coefficients are finite
• have two families commonly used:
• prime curves E_p(a,b) defined over Z_p
• use integers modulo a prime
• best in software
• binary curves E_2m(a,b) defined over GF(2ⁿ)
• use polynomials with binary coefficients
• best in hardware

Elliptic Curve Cryptography

• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo exponentiation
• need “hard” problem equiv to discrete log
• Q=kP, where Q,P belong to a prime curve
• is “easy” to compute Q given k,P
• but “hard” to find k given Q,P
• known as the elliptic curve logarithm problem
• Certicom example: E₂₃(9,17)

ECC Diffie-Hellman

• can do key exchange analogous to D-H
• users select a suitable curve E_q(a,b)
• select base point G=(x₁,y₁)
• with large order n s.t. nG=O
• A & B select private keys n_A<n, n_B<n
• compute public keys: P_A=n_AG, P_B=n_BG
• compute shared key: K=n_AP_B, K=n_BP_A
• same since K=n_An_BG
• attacker would need to find k, hard

​

ECC Encryption/Decryption

• several alternatives, will consider simplest
• must first encode any message M as a point on the elliptic curve P_m
• select suitable curve & point G as in D-H
• each user chooses private key n_A<n
• and computes public key P_A=n_AG
• to encrypt P_m : C_m={kG, P_m+kP_b}, k random
• decrypt C_m compute:

P_m+kP_b–n_B(kG) = P_m+k(n_BG)–n_B(kG) = P_m

ECC Security

• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much smaller key sizes than with RSA etc
• for equivalent key lengths computations are roughly equivalent
• hence for similar security ECC offers significant computational advantages

Comparable Key Sizes for Equivalent Security