Title: To be an effective Information Warrior, individuals need superior computer skills, as well as an ind
1 - "To be an effective Information Warrior, individuals need superior computer skills, as well as an in-depth understanding of information technology architectures, protocols and processes."
- Michael Erbschloe, author of "Information Warfare: How to Survive Cyber Attacks"
2 AGENDA
- MATHEMATICAL BACKGROUND
  - Revision (slides 3, 4)
  - Order of a mod n (5, 6)
  - Primitive root g of n (7, 8)
  - Index of a (9, 10, 11)
  - a quadratic residue mod p and the Legendre symbol (12 to 29)
  - Square and non-square elements of $Z_p$ (30 to 33)
  - $\mathrm{dlog}_{g,p}(b)$, the discrete logarithm of b for base g (mod p) (34 to 36)
- Diffie-Hellman Key Exchange (37 to 47)
- ElGamal's PK System (48 to 54)
- Digital Signature Systems (55 to 59)
- Elliptic Curve Cryptosystem (ECC) (60 to 73)
- Identity Based Encryption (IBE) (74 to 90): ISO/IEC 11770-3 Key Agreement Scheme, Shamir's Method (Cocks's quadratic-residue IBE scheme and pairing-based methods left out for self-study)
3 Revision Slide-1: Logarithms
- $\log_x y = a \iff y = x^a$
- $\log_x 1 = 0$ (since $x^0 = 1$)
- $\log_x x = 1$ (since $x^1 = x$)
- $\log_x (y \cdot z) = \log_x y + \log_x z$
- $\log_x (y^r) = r \cdot \log_x y$
4 Revision Slide-2: Euler's theorem
- Euler's theorem is a generalization of Fermat's theorem: if a and n are relatively prime,
- $a^{\phi(n)} \equiv 1 \pmod n$
- where $\phi(n)$ is Euler's totient function: the number of positive integers less than n and relatively prime to n.
5 Order of a mod n
- If a and n are relatively prime, $a^m \equiv 1 \pmod n$ for some positive m (for example $m = \phi(n)$).
- The smallest positive value of m for which the above equation is satisfied is called the ORDER of a mod n.
- Examples: order of 4 mod 17 = 4 (please see slide 8); order of 3 mod 17 = 16; order of 5 mod 17 = 16; order of 2 mod 17 = 8; order of 8 mod 17 = 8.
6 Example: $a^m$ modulo 19
- For a = 2, 3, 10, 13, 14 or 15: choose any one of these 6 values for a.
- As m is varied from 1 to 18, $a^m \pmod{19}$ generates the entire set of non-zero integers from 1 to 18.
- For each of the above 6 values of a, $a^{18} \equiv 1 \pmod{19}$, and no smaller positive exponent gives 1.
- The order of a mod 19 is therefore 18 = $\phi(19)$; these six values are exactly the primitive roots of 19.
7 Primitive root
- Definition: if, for some integer value of a, the order of a mod n is equal to $\phi(n)$, the integer a is called a primitive root of n.
- Primitive roots of a prime number p will be denoted by g.
- Property: for a primitive root a and for every value $0 < m \le \phi(n)$, $a^m$ generates a distinct number (mod n), and every such number is co-prime with n.
- An integer may or may not have a primitive root.
- Integers of the form $p^a$ and $2p^a$, where p is an odd prime and a is a positive integer (together with 1, 2 and 4), have one or more primitive roots; no other integers do.
8 Examples of primitive roots
- (Table of $g_s(n)$, the smallest primitive root of an integer n, not reproduced here.)
- Reference: http://mathworld.wolfram.com/PrimitiveRoot.html as of November 15, 2008
9 Index of a number a
- Let the modulus be n, let g be a primitive root of n, and let a be an integer co-prime to n.
- If $g^x \equiv a \pmod n$, then $x = v(a)$ is called the index of a (to base g).
- Examples: modulus 11, primitive root 6.
- For a = 5: $6^6 \equiv 5 \pmod{11}$, therefore v(5) = 6.
- For b = 7: $6^3 \equiv 7 \pmod{11}$, therefore v(7) = 3.
10 Similarities between Log and Index
- $\log(a \cdot b) = \log a + \log b$
- $a \cdot b \equiv g^{v(a) + v(b)} \pmod n$
- Thus the index of a product $a \cdot b$ is the sum of the indices of the two factors (reduced mod $\phi(n)$).
- Example: $5 \times 7 \equiv 6^{6+3} \pmod{11}$, i.e. $2 \equiv 6^9 \pmod{11}$.
- $\log(a^b) = b \cdot \log a$
- $a^b \equiv g^{b \cdot v(a)} \pmod n$
- Example: $5^7 \equiv 6^{7 \times 6} \equiv 3 \pmod{11}$
- $b^a \equiv g^{a \cdot v(b)} \pmod n$
- Example: $7^5 \equiv 6^{5 \times 3} \equiv 10 \pmod{11}$
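The order, primitive-root and index computations of slides 5 to 10, as an added example that is not part of the original slides. Everything is brute force, which is fine for the moduli used on the slides (17, 19, 11) and exactly what becomes infeasible at real key sizes; the function names are this example's own.

```python
# Added example (not from the original slides): order of a mod n,
# primitive roots, and the index (discrete logarithm) table for a
# prime modulus. Brute force is fine for the small moduli used on
# the slides; it is hopeless for the sizes used in real protocols.
from math import gcd


def order(a, n):
    """Smallest m > 0 with a^m = 1 (mod n); requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("order is defined only for a coprime to n")
    m, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        m += 1
    return m


def totient(n):
    """Euler's phi(n): count of 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def primitive_roots(n):
    """All a in [1, n) whose order mod n equals phi(n) (empty if none exist)."""
    phi = totient(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and order(a, n) == phi]


def smallest_primitive_root(n):
    """g_s(n) of slide 8, or None for integers without a primitive root."""
    roots = primitive_roots(n)
    return roots[0] if roots else None


def index_table(g, p):
    """Map a -> v(a) with g^v(a) = a (mod p), for a primitive root g of prime p."""
    table, x = {}, 1
    for v in range(p - 1):
        table[x] = v          # g^v = x
        x = (x * g) % p
    return table


def index(a, g, p):
    """The index (discrete log) of a to base g mod p; slide notation v(a)."""
    return index_table(g, p)[a % p]


def subgroup(a, p):
    """Elements generated by a mod p: a^1, a^2, ..., a^order(a) = 1."""
    elems, x = [], a % p
    while True:
        elems.append(x)
        x = (x * a) % p
        if x == a % p:
            return elems
```

`index_table` is the lookup that makes discrete logs trivial for p = 11 and that no longer fits in memory once p has hundreds of digits; the index identities of slide 10 hold modulo p - 1, which is why the tests reduce mod 10.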
11 References
- 1. For the smallest primitive roots for the first few integers: http://mathworld.wolfram.com/PrimitiveRoot.html as of Dec 1, 2007
- 2. For a list of the first 1000 prime numbers: http://primes.utm.edu/lists/small/1000.txt as of Dec 1, 2007
- 3. Primes by primitive roots: http://www.research.att.com/njas/sequences/Sindx_Pri.html as of Dec 1, 2007
- 4. G. A. Miller, "Methods to Determine the Primitive Roots of a Number", http://www.jstor.org/view/00029327/di994161/99p0203o/0 (session-specific URL parameters omitted)
12 Solution for $x^2 \equiv a \pmod p$
- PROBLEM: to solve for x in $x^2 \equiv a \pmod p$, where p is an odd prime and a is an integer.
- There are three possibilities:
- (i) No solution: a is said to be a quadratic non-residue mod p.
- (ii) One solution (x = 0) if $a \equiv 0 \pmod p$.
- (iii) Two solutions (x and p - x): a is said to be a quadratic residue mod p.
- Reference: Henri Cohen, A Course in Computational Algebraic Number Theory, Springer 1996, p. 27
13 Example: Existence of a solution
- Consider modulus 11.
- Squares: 1, 3, 4, 5, 9
- Non-squares: 2, 6, 7, 8, 10
- For non-squares, a solution for $x^2 \equiv a \pmod p$ does not exist.
- Thus there is no value of x which satisfies $x^2 \equiv 6 \pmod{11}$.
14 Definition: Legendre-Jacobi-Kronecker Symbol
- Legendre symbol (a/p):
- (a/p) = -1 if a is a quadratic non-residue mod p
- (a/p) = 0 if $a \equiv 0 \pmod p$
- (a/p) = 1 if a is a quadratic residue mod p.
- The number of solutions of $x^2 \equiv a \pmod p$ is 1 + (a/p).
15 Solutions, if a is a quadratic residue mod p
- If (a/p) = 1, there exists an x such that $x^2 \equiv a \pmod p$.
- An easy solution for half of the primes, those which obey $p \equiv 3 \pmod 4$: $x = a^{(p+1)/4} \bmod p$.
- For half of the remaining primes, those which obey $p \equiv 5 \pmod 8$, there are two possibilities:
- $a^{(p-1)/4} \equiv 1$: the solution is $x = a^{(p+3)/8} \bmod p$.
- $a^{(p-1)/4} \equiv -1$: the solution is $x = 2a \cdot (4a)^{(p-5)/8} \bmod p$.
- For the remaining primes, those which obey $p \equiv 1 \pmod 8$, there is no similar closed form; a general algorithm such as Tonelli-Shanks is needed.
- (The primes with $p \equiv 1 \pmod 4$ split evenly between $p \equiv 5 \pmod 8$ and $p \equiv 1 \pmod 8$.)
- In every case the second solution is p - x.
16 Example: Solutions for $x^2 \equiv a \pmod p$
- For p = 11: it obeys $p \equiv 3 \pmod 4$.
- Hence if (a/p) = 1, its solutions can be found by using $x = a^{(p+1)/4} \bmod p = a^3 \bmod 11$.
- For p = 11:
- a = 1: $x = 1^3 \bmod 11 = 1$ (solutions 1 and 10)
- a = 3: $x = 3^3 \bmod 11 = 5$ (solutions 5 and 6)
- a = 4: $x = 4^3 \bmod 11 = 9$ (solutions 9 and 2)
- a = 5: $x = 5^3 \bmod 11 = 4$ (solutions 4 and 7)
- a = 9: $x = 9^3 \bmod 11 = 3$ (solutions 3 and 8)
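The closed-form square roots of slide 15 for $p \equiv 3 \pmod 4$ and $p \equiv 5 \pmod 8$, as an added example that is not part of the original slides. Euler's criterion $a^{(p-1)/2}$ stands in for the Legendre symbol to decide whether a root exists; the $p \equiv 1 \pmod 8$ case, which the slides leave open, is deliberately refused rather than faked.

```python
# Added example (not from the original slides): square roots of a
# quadratic residue modulo an odd prime p, using the closed forms from
# slide 15 for p = 3 (mod 4) and p = 5 (mod 8). Euler's criterion
# a^((p-1)/2) stands in for the Legendre symbol here.
def is_quadratic_residue(a, p):
    """Euler's criterion: a^((p-1)/2) is 1 for residues, p-1 for non-residues."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod_p(a, p):
    """Return the sorted list of x with x^2 = a (mod p): [], [0] or two roots."""
    a %= p
    if a == 0:
        return [0]
    if not is_quadratic_residue(a, p):
        return []
    if p % 4 == 3:
        x = pow(a, (p + 1) // 4, p)
    elif p % 8 == 5:
        if pow(a, (p - 1) // 4, p) == 1:
            x = pow(a, (p + 3) // 8, p)
        else:                      # a^((p-1)/4) = -1
            x = (2 * a * pow(4 * a, (p - 5) // 8, p)) % p
    else:
        # p = 1 (mod 8): the slide gives no closed form; a general
        # algorithm (Tonelli-Shanks) is needed and is not shown here.
        raise NotImplementedError("p = 1 (mod 8) needs Tonelli-Shanks")
    if (x * x - a) % p:
        raise ArithmeticError("formula produced a non-root")  # never for a residue
    return sorted({x, p - x})


def sqrt_table(p):
    """Every residue a in [1, p) together with its two roots (the slide 16 table)."""
    return {a: sqrt_mod_p(a, p) for a in range(1, p) if is_quadratic_residue(a, p)}
```

`sqrt_table(11)` reproduces the slide 16 table; the test also checks both branches of the $p \equiv 5 \pmod 8$ case with p = 13 and p = 29.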
17 Algorithm for evaluating Kronecker (a/b), where a and b are integers
- Step 1: If b = 0, output 0 if |a| ≠ 1, and 1 if |a| = 1. END.
- Step 2 (removing 2s from b):
- Set v = 0.
- While b is even: set v = v + 1 and b = b/2.
- If v is even, set k = 1; otherwise k = $(-1)^{(a^2-1)/8}$ (for even a this factor is taken as 0, since (a/2) = 0 when a is even).
- If b < 0, set b = -b, and if in addition a < 0, set k = -k.
18 Algorithm for evaluating Kronecker (a/b), where a and b are integers, contd. 2
- Step 3 (reducing size once): note that at this stage b is odd and b > 0. Set a = a mod b.
- Step 4: If a = 0, output 0 if b > 1, and k if b = 1. END.
- Step 5 (removing powers of 2 from a):
- Set v = 0.
- While a is even: set v = v + 1 and a = a/2.
- If v is odd, set k = $(-1)^{(b^2-1)/8} \cdot k$.
19 Algorithm for evaluating Kronecker (a/b), where a and b are integers, contd. 3
- Step 6 (subtract and apply reciprocity): note that at this stage a and b are odd.
- Set r = b - a.
- If r > 0, set k = $(-1)^{(a-1)(b-1)/4} \cdot k$, then b = a and a = r.
- Else set a = -r.
- Go to Step 4.
20 Legendre (a/b), where a and b are integers and b is an odd prime
- Step 1 is not required.
- Step 2 is required only for initializing k: k is set to 1.
- Step 3 (reducing size once): note that at this stage b is odd and b > 0. Set a = a mod b.
- Step 4: If a = 0, output 0 if b > 1, and k if b = 1. END.
21 Legendre (a/b), where a and b are integers and b is an odd prime, contd. 2
- Step 5 (removing powers of 2 from a):
- Set v = 0.
- While a is even: set v = v + 1 and a = a/2.
- If v is odd, set k = $(-1)^{(b^2-1)/8} \cdot k$.
22 Legendre (a/b), where a and b are integers and b is an odd prime, contd. 3
- Step 6 (subtract and apply reciprocity): note that at this stage a and b are odd.
- Set r = b - a.
- If r > 0, set k = $(-1)^{(a-1)(b-1)/4} \cdot k$, then b = a and a = r.
- Else set a = -r.
- Go to Step 4.
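The Kronecker algorithm of slides 17 to 19, and its Legendre special case of slides 20 to 22, written out step by step as an added example that is not part of the original slides (the procedure is Cohen's Algorithm 1.4.10). `_sign_8` is this example's name for the factor $(-1)^{(x^2-1)/8}$; Euler's criterion is included as an independent cross-check for prime b.

```python
# Added example (not from the original slides): the Kronecker-symbol
# algorithm of slides 17-19 written out step by step (it is Cohen's
# Algorithm 1.4.10). The Legendre symbol (a/p) is the special case of
# an odd prime p; Euler's criterion is used as an independent check.
def _sign_8(x):
    """(-1)^((x^2-1)/8) for odd x: +1 if x = +-1 (mod 8), -1 if x = +-3 (mod 8)."""
    return 1 if x % 8 in (1, 7) else -1


def kronecker(a, b):
    """Kronecker symbol (a/b) for integers a, b (b may be even, zero or negative)."""
    # Step 1
    if b == 0:
        return 1 if abs(a) == 1 else 0
    # Step 2: strip factors of 2 from b
    v = 0
    while b % 2 == 0:
        v += 1
        b //= 2
    if v % 2 == 0:
        k = 1
    elif a % 2 == 0:
        return 0        # (a/2) = 0 for even a; the slide's formula assumes a odd
    else:
        k = _sign_8(a)
    if b < 0:
        b = -b
        if a < 0:
            k = -k
    # Step 3: reduce once (b is now odd and positive)
    a %= b
    while True:
        # Step 4
        if a == 0:
            return 0 if b > 1 else k
        # Step 5: strip factors of 2 from a
        v = 0
        while a % 2 == 0:
            v += 1
            a //= 2
        if v % 2 == 1:
            k *= _sign_8(b)
        # Step 6: subtract and apply quadratic reciprocity (a and b both odd here)
        r = b - a
        if r > 0:
            if a % 4 == 3 and b % 4 == 3:   # (-1)^((a-1)(b-1)/4) is -1 only in this case
                k = -k
            b, a = a, r
        else:
            a = -r


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: Steps 3-6 only, k starts at 1."""
    return kronecker(a, p)


def legendre_euler(a, p):
    """Independent check via Euler's criterion: a^((p-1)/2) mod p in {0, 1, p-1}."""
    t = pow(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t
```

`kronecker(25, 11)` and `kronecker(17, 11)` follow exactly the traces on slides 24 to 29; the exhaustive comparison with `legendre_euler` in the test is the kind of check worth keeping whenever such an algorithm is re-implemented, since a single wrong reciprocity sign is easy to miss by hand.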
23 Example 1 for Legendre Symbol
- For modulus p = 11, we found: squares 1, 3, 4, 5, 9; non-squares 2, 6, 7, 8, 10.
- By using the algorithm of the last three slides, it can be seen that for each of the square values, (a/p) = 1.
- By using the same algorithm, it can be seen that for each of the non-square values, (a/p) = -1.
- Note: try the algorithm for one of the square values and one of the non-square values and confirm the above two statements.
24 Example 2 for Legendre Symbol
- (25/11), i.e. 25 mod 11
- Iteration 1
- Step 2: k = 1
- Step 3: a = 25 mod 11 = 3
- Step 4: a ≠ 0
- Step 5: v = 0. Since v is not odd, no change in the value of k.
- Step 6: r = 11 - 3 = 8
- k = $(-1)^{(a-1)(b-1)/4} \cdot k = (-1)^{2 \cdot 10/4} \cdot 1 = -1$
- b = 3, a = 8.
25 Example 2 for Legendre Symbol, contd. 2
- Iteration 2 (begins at Step 4)
- Step 4: a ≠ 0
- Step 5: v = 0; then v = 1, a = 4; v = 2, a = 2; v = 3, a = 1.
- Since v is odd, k = $(-1)^{(b^2-1)/8} \cdot k = (-1)^{(9-1)/8} \cdot (-1) = 1$
- Step 6: r = 3 - 1 = 2
- k = $(-1)^{(a-1)(b-1)/4} \cdot k = (-1)^{0 \cdot 2/4} \cdot 1 = 1$
- b = 1, a = 2.
26 Example 2 for Legendre Symbol, contd. 3
- Iteration 3 (begins at Step 4)
- Step 4: a ≠ 0
- Step 5: v = 0; then v = 1, a = 1.
- Since v is odd, k = $(-1)^{(b^2-1)/8} \cdot k = (-1)^{0} \cdot 1 = 1$
- Step 6: r = 1 - 1 = 0, so a = 0.
- Iteration 4 (begins at Step 4)
- a = 0 and b = 1, so output k = 1: 25 is a quadratic residue mod 11.
- An easy solution exists for half of the primes, those which obey $p \equiv 3 \pmod 4$: $x = a^{(p+1)/4} \bmod p$.
- Since $11 \equiv 3 \pmod 4$, the solution for $x^2 \equiv 25 \pmod{11}$ is $x = 25^3 \bmod 11 = 3^3 \bmod 11 = 5$ (and the second root is 11 - 5 = 6).
27 Example 3 for Legendre Symbol
- (17/11), i.e. 17 mod 11
- Iteration 1
- Step 2: k = 1
- Step 3: a = 17 mod 11 = 6
- Step 4: a ≠ 0
- Step 5: v = 0; then v = 1, a = 3.
- Since v is odd, k = $(-1)^{(b^2-1)/8} \cdot k = (-1)^{(121-1)/8} \cdot 1 = -1$
- Step 6: r = 11 - 3 = 8
- k = $(-1)^{(a-1)(b-1)/4} \cdot k = (-1)^{2 \cdot 10/4} \cdot (-1) = 1$
- b = 3, a = 8.
28 Example 3 for Legendre Symbol, contd. 2
- Iteration 2 (begins at Step 4)
- Step 4: a ≠ 0
- Step 5: v = 0; then v = 1, a = 4; v = 2, a = 2; v = 3, a = 1.
- Since v is odd, k = $(-1)^{(b^2-1)/8} \cdot k = (-1)^{(9-1)/8} \cdot 1 = -1$
- Step 6: r = 3 - 1 = 2
- k = $(-1)^{(a-1)(b-1)/4} \cdot k = (-1)^{0 \cdot 2/4} \cdot (-1) = -1$
- b = 1, a = 2.
29 Example 3 for Legendre Symbol, contd. 3
- Iteration 3 (begins at Step 4)
- Step 4: a ≠ 0
- Step 5: v = 0; then v = 1, a = 1.
- Since v is odd, k = $(-1)^{(b^2-1)/8} \cdot k = (-1)^{0} \cdot (-1) = -1$
- Step 6: r = 1 - 1 = 0, so a = 0.
- Iteration 4 (begins at Step 4)
- a = 0 and b = 1, so output k = -1.
- Hence no solution exists for $x^2 \equiv 17 \pmod{11}$.
30 Example p = 17, part 1
31 Example p = 17, part 2: Squares
- Elements of $Z_p^* = \{1, 2, 3, \ldots, p-1\}$ can be either squares ($a_s$) or non-squares ($a_n$).
- Squares: 1, 2, 4, 8, 9, 13, 15, 16
- $1 = 16^2 \bmod 17$; $2 = 6^2 \bmod 17 = 11^2 \bmod 17$
- $4 = 15^2 \bmod 17$; $8 = 5^2 \bmod 17 = 12^2 \bmod 17$
- $9 = 14^2 \bmod 17$; $13 = 8^2 \bmod 17 = 9^2 \bmod 17$
- $15 = 7^2 \bmod 17 = 10^2 \bmod 17$; $16 = 13^2 \bmod 17$
- For all i, $a_s^i \bmod p$ is a square element only. Therefore a square element cannot be a primitive root.
- Non-squares: 3, 5, 6, 7, 10, 11, 12, 14
- Number of $a_s$ elements = number of $a_n$ elements = (p-1)/2
32 Example p = 17, part 3: Sub-groups
- Testing whether or not an element is a square: an efficient algorithm, the Legendre symbol.
- Examples of groups formed by a:
- a = 3, 5: primitive roots. For p = 17 the primitive roots are 3, 5, 6, 7, 10, 11, 12, 14, i.e. exactly the non-squares, because p - 1 = 16 is a power of 2.
- Finding primitive roots of a large prime number is computationally tough.
- a = 2, 8: order 8, so $Z_{17}^*$ splits into two blocks of q = (p-1)/2 each.
- a = 4: order 4, so four blocks of (p-1)/4 each.
33 Example p = 17, part 4: Sub-groups
- Depending upon the generator element, the size of a sub-group of $Z_p^*$ is:
- the full group, (p-1) members, if the generator element is a primitive root;
- otherwise (p-1)/m for some divisor m of p-1 (the sub-group size always divides p-1).
- Sub-group of size 1: g = 1
- Sub-group of size 2: members are 1 and (p-1)
- Example: use a = 1, 16, 4, 2 or 8, 3 or 5 to get groups of size 1, 2, 4, 8 and 16 respectively (see the p = 17 squares on slide 31).
34 Logarithms for Modular Arithmetic
- Consider a prime number p and a primitive root g of p. (There is at least one primitive root for every prime p.)
- For any integer b with $1 \le b \le p-1$, we can find the exponent i such that $b \equiv g^i \pmod p$.
- Both b and g are members of $Z_p^*$, and $0 \le i \le p-2$.
- i is the discrete logarithm of b for base g (mod p): $i = \mathrm{dlog}_{g,p}(b)$.
35 Discrete Logarithm Theorems
- $\mathrm{dlog}_{a,p}(1) = 0$
- $\mathrm{dlog}_{a,p}(a) = 1$
- $\mathrm{dlog}_{a,p}(bc) = (\mathrm{dlog}_{a,p}(b) + \mathrm{dlog}_{a,p}(c)) \bmod \phi(p)$
- $\mathrm{dlog}_{a,p}(y^r) = r \cdot \mathrm{dlog}_{a,p}(y) \bmod \phi(p)$
36 Calculation of Discrete Logarithm
- Consider a prime number p and a primitive root (generator element) g of p.
- $y = g^x \bmod p$
- Given x, y can be calculated easily by repeated squaring (the modular exponentiation algorithm in CLRS), with $O(\log x)$ multiplications.
- For large primes, given y, no method is known for calculating x that is substantially faster than the best integer-factoring algorithms; the two problems have the same sub-exponential cost in practice. This is known as the Discrete Logarithm Problem (DLP).
37 Diffie-Hellman Key Exchange (agreement), part 1
- Diffie-Hellman key exchange is based on the DLP.
- Alice selects a prime p and a generator g of the multiplicative group $Z_p^*$ (the non-zero elements of the Galois field GF(p)),
- selects a random number a < p,
- computes $y = g^a \bmod p$ and
- sends y, p and g to Bob.
- Bob
- selects a random number b < p,
- computes $z = g^b \bmod p$ and
- sends z to Alice.
- Reference: Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, IT-22(6):644-654, November 1976
38 Diffie-Hellman Key Exchange (agreement), part 2
- Then Alice computes $k = z^a \bmod p$ ($= g^{ab} \bmod p$)
- and Bob computes $k = y^b \bmod p$ ($= g^{ab} \bmod p$).
- Therefore Alice and Bob are able to get the same key without meeting, by sending messages on an insecure line.
- An eavesdropper knows p, g, y and z, but without knowing a or b, k cannot be determined (as far as is known; this is the computational Diffie-Hellman assumption).
- $a = \mathrm{dlog}_{g,p}(y)$ and $b = \mathrm{dlog}_{g,p}(z)$ cannot be found, since the discrete log is difficult to evaluate for large numbers.
39 Diffie-Hellman Key Exchange: Man-in-the-Middle attack, part 1
- Alice sends $y = g^a \bmod p$ to Bob.
- Eve intercepts it and sends $w = g^c \bmod p$ to Bob.
- Bob (believing that the message is from Alice)
- responds with $z = g^b \bmod p$ and
- creates the key $k_1 = w^b = g^{cb}$.
- Eve intercepts Bob's message and
- is able to create the key $k_1 = z^c = g^{bc}$,
- sends $v = g^d \bmod p$ to Alice, and
- is able to create the key $k_2 = y^d = g^{ad}$.
40 Diffie-Hellman Key Exchange: Man-in-the-Middle attack, part 2
- Alice receives v and creates the key $k_2 = v^a = g^{da}$.
- All future communication:
- Alice sends messages to Bob encrypted with $k_2$.
- Eve
- intercepts the message,
- decrypts it using the key $k_2$,
- encrypts it using the key $k_1$ and
- sends the re-encrypted message on to Bob.
- Bob receives the message and is able to decrypt it by using the key $k_1$; the scenario is similar for the messages from Bob to Alice.
- Thus Alice and Bob are under the mistaken impression that they are talking to each other, while Eve reads (and can alter) everything. Unauthenticated Diffie-Hellman cannot detect this; the exchanged public values must be authenticated (signatures, certificates or a pre-shared secret).
41 MITM attack and smaller Sub-groups
- For a prime number p, $Z_p^* = \{1, 2, 3, \ldots, p-1\}$, and a primitive root g can generate all the members.
- During a MITM attack, Eve may send a non-primitive root as g (or a public value lying in a small sub-group), confining the shared key to a small sub-group of $Z_p^*$ that she can search exhaustively. This may compromise the security (small-subgroup confinement), so received values must be checked to lie in the intended sub-group.
- If g is a non-square, $y = g^a \bmod p$ is a square if a is even and a non-square if a is odd.
- Thus Eve, even as a passive listener, can check y with the Legendre symbol and find out the last bit of a, i.e. whether a is even or odd. Use only squares?
42 Safe Prime
- If p = 2q + 1, where p and q are both prime numbers, p is called a safe prime.
- Choose a group
- modulo p, where p = 2q + 1,
- which has q elements,
- for which g is a square. (Use the Legendre symbol function to verify.)
43 Safe Primes: How to choose g for such a group?
- g should be a square.
- Since it is a square, it cannot generate all the 2q elements.
- The number of elements it generates must be a factor of (p-1).
- However, since p - 1 = 2q, $Z_p^*$ can have only sub-groups of size 1, 2, q and 2q.
- Choose a random number r in the range 2 ... (p-2).
- Select $g = r^2 \bmod p$, except that it should not be either 1 or (p-1); then g has order exactly q.
44 Diffie-Hellman Key Exchange: Example, part 1
- Choose p = 11.
- Primitive roots of 11 are 2, 6, 7, 8.
- Alice and Bob choose g = 2 for p = 11 for key exchange.
- Alice chooses a private key of a = 5.
- $2^5 \bmod 11 = 10$.
- Alice sends y = 10 to Bob.
- Bob chooses a private key of b = 7.
- $2^7 \bmod 11 = 7$. Bob sends z = 7 to Alice.
45 Diffie-Hellman Key Exchange: Example, part 2
- SECRET KEY
- Bob calculates the secret key $k = 10^7 \bmod 11 = 10$.
- Alice calculates the secret key $k = 7^5 \bmod 11 = 10$.
- EVE
- knows about p = 11 and g = 2,
- can sniff y = 10 and z = 7, but does not know the private keys.
- Reference: Example 5.2 from Man Young Rhee, Internet Security: Cryptographic Principles, Algorithms and Protocols, Wiley 2003
46 Diffie-Hellman Key Exchange: To Find the private keys
- To find the private keys:
- For a: solve the equation $2^a \bmod 11 = 10$, i.e. $a = \mathrm{dlog}_{2,11}(10)$.
- For b: solve the equation $2^b \bmod 11 = 7$, i.e. $b = \mathrm{dlog}_{2,11}(7)$.
- For p = 11 this is a table lookup; calculation of discrete logarithms for large prime numbers is very hard.
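The Diffie-Hellman exchange of slides 37 and 38 with the toy parameters of slides 44 to 46, the man-in-the-middle relay of slides 39 and 40, the Legendre low-bit leak of slide 41 and the safe-prime sub-group checks of slides 42 and 43, as one added example that is not part of the original slides. `valid_public_value`, `exponent_low_bit` and the other names are this example's own; trial-division primality testing is an assumption that only makes sense at these toy sizes.

```python
# Added example (not from the original slides): Diffie-Hellman over Z_p^*
# with the slide's toy parameters (p = 11, g = 2), the man-in-the-middle
# relay of slides 39-40, the Legendre-symbol leak of slide 41 and the
# safe-prime / sub-group checks of slides 42-43. Parameters this small
# are for tracing only; real deployments use p of 2048+ bits.
import secrets


def dh_public(g, priv, p):
    return pow(g, priv, p)


def dh_shared(peer_pub, priv, p):
    return pow(peer_pub, priv, p)


def dh_exchange(p, g, a, b):
    """Honest run: returns (y, z, k_alice, k_bob)."""
    y, z = dh_public(g, a, p), dh_public(g, b, p)
    return y, z, dh_shared(z, a, p), dh_shared(y, b, p)


def mitm(p, g, a, b, c, d):
    """Eve substitutes w = g^c for Alice's y and v = g^d for Bob's z.

    Returns (k_alice, k_bob, eve_key_with_alice, eve_key_with_bob).
    Alice and Bob end up with different keys, each shared with Eve."""
    y, z = dh_public(g, a, p), dh_public(g, b, p)   # genuine values, intercepted
    w, v = dh_public(g, c, p), dh_public(g, d, p)   # Eve's substitutes
    k_bob = dh_shared(w, b, p)        # Bob: w^b = g^cb
    k_alice = dh_shared(v, a, p)      # Alice: v^a = g^da
    return k_alice, k_bob, dh_shared(y, d, p), dh_shared(z, c, p)


def legendre(a, p):
    """Euler's criterion: +1 residue, -1 non-residue, 0 if p divides a."""
    t = pow(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def exponent_low_bit(y, g, p):
    """Slide 41: if g is a non-square, y = g^a is a square iff a is even."""
    if legendre(g, p) != -1:
        raise ValueError("leak only applies when g is a quadratic non-residue")
    return 0 if legendre(y, p) == 1 else 1


def is_prime(n):
    """Trial division; adequate only for the toy sizes in this example."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_safe_prime(p):
    return is_prime(p) and is_prime((p - 1) // 2)


def subgroup_generator(p, r=None):
    """Slide 43: for a safe prime p = 2q+1, g = r^2 mod p with g not in {1, p-1}
    generates the order-q sub-group of squares."""
    if not is_safe_prime(p):
        raise ValueError("p must be a safe prime")
    while True:
        if r is None:
            r = secrets.randbelow(p - 3) + 2          # r in [2, p-2]
        g = (r * r) % p
        if g not in (1, p - 1):
            return g
        r = None


def valid_public_value(z, p):
    """Reject values outside the order-q sub-group (slide 41 small-subgroup attack)."""
    q = (p - 1) // 2
    return 1 < z < p - 1 and pow(z, q, p) == 1
```

`mitm` shows why the two keys differ and why neither party notices without authentication; `valid_public_value` is the check that stops a peer from sending p - 1 (order 2) and forcing the key into a two-element set.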
47 Diffie-Hellman Key Exchange: The Protocol
- Every user should publish her/his public key (p, g and y) in a directory. Then all users whose keys are in the directory can communicate with one another securely by calculating the secret key.
- Question: how authentic will the directory be?
- Authenticate using the Diffie-Hellman key: if Alice and Bob recognize each other's voice, voice samples may be encrypted using the secret key and exchanged to confirm that there is no MITM.
- Problem: this will work only until voice synthesis technology is able to reproduce indistinguishable voice samples.
48 ElGamal's PK System: keys
- Choose a prime number p and two random numbers g and d such that
- g is a primitive root modulo p,
- $1 \le d \le p-2$.
- Calculate $e = g^d \bmod p$.
- Private key: d
- Public key: e, g and p
- Example: choose p = 11, g = 4 and d = 8
- $e = 4^8 \bmod 11 = 9$
- Private key: 8. Public key: 9, 4 and 11
- (Note that 4 is not actually a primitive root of 11: it has order 5. The arithmetic on the following slides still works, but a real system must use a generator of a large prime-order group.)
49 ElGamal's PK System: Security
- SECURITY: to find d from the public key, one has to solve the equation $4^d \bmod 11 = 9$, i.e. $d = \mathrm{dlog}_{4,11}(9)$.
- This is the Discrete Logarithm Problem.
- It is computationally infeasible for large values of p.
50 ElGamal ENCRYPTION of a plaintext message $0 \le m \le p-1$
- Bob wants to send a message securely to Alice.
- He knows Alice's public key e, g and p.
- Encryption process by Bob:
- Choose a random number k < p; k is to be kept secret by Bob and must be fresh for every message.
- Message key $K = e^k \bmod p$
- The cipher consists of two numbers $(C_1, C_2)$:
- $C_1 = g^k \bmod p$, $C_2 = K \cdot m \bmod p$
- K masks the message using the public key of Alice.
- Bob sends the masked message $C_2$ along with $C_1$.
- $C_1$ helps Alice calculate the mask K for decryption.
- The inverse of K helps calculation of m.
51 ElGamal's PK System: Encryption Example
- Given Alice's public key e = 9, g = 4 and p = 11. Bob chooses a random number k = 7. Bob wants to send the message m = 5 to Alice.
- (Figure: the ElGamal encrypter takes m and the public key (e, g, p) and outputs $(C_1, C_2)$.)
- Message key $K = 9^7 \bmod 11 = 4$
- $C_1 = 4^7 \bmod 11 = 5$
- $C_2 = 4 \times 5 \bmod 11 = 9$
- Bob sends the cipher (5, 9) to Alice.
52 ElGamal's PK System: Decryption
- Alice receives $(C_1, C_2)$. She has her private key d. To decrypt:
- $K = e^k \bmod p = g^{dk} \bmod p = C_1^d \bmod p$
- $C_2 = K \cdot m \bmod p$
- or $m = K^{-1} \cdot C_2 \bmod p$
- (Figure: the ElGamal decrypter takes $(C_1, C_2)$ and d and outputs m.)
53 ElGamal's PK System: Comments
- Alice keeps d as a secret.
- Bob keeps k as his secret.
- Bob can compute the mask $K = e^k \bmod p$.
- Bob does not know d, but he knows e, where $e = g^d \bmod p$.
- Therefore $K = g^{dk} \bmod p$.
- Bob sends $C_2$ along with $C_1$, where $C_1 = g^k \bmod p$.
- Alice can compute K without knowing k, since $K = C_1^d \bmod p$.
54 ElGamal's PK System: Decryption Example
- Given
- Cipher $(C_1, C_2) = (5, 9)$
- Alice's private key d = 8
- To find m:
- $K = 5^8 \bmod 11 = 4$
- $K^{-1}$: $K^{-1} \cdot 4 \bmod 11 = 1$, so $K^{-1} = 3$
- $m = 3 \cdot 9 \bmod 11 = 5$
- Reference: Example 5.8 from Man Young Rhee, Internet Security: Cryptographic Principles, Algorithms and Protocols, Wiley 2003
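ElGamal key generation, encryption and decryption as described on slides 48 to 54, reproducing the slides' numbers (p = 11, g = 4, d = 8, k = 7, m = 5), as an added example that is not part of the original slides. It goes one step beyond the slides by showing the multiplicative malleability of textbook ElGamal, which is why a deployed system wraps it in authenticated encryption or signs the ciphertext; the function names are this example's own.

```python
# Added example (not from the original slides): ElGamal key generation,
# encryption and decryption with the slide's toy parameters (p = 11,
# g = 4, d = 8, k = 7, m = 5), plus the multiplicative malleability that
# textbook ElGamal has and that a real system must close.
import secrets


def order(a, p):
    """Multiplicative order of a modulo prime p (brute force; toy sizes only)."""
    m, x = 1, a % p
    while x != 1:
        x, m = (x * a) % p, m + 1
    return m


def elgamal_keygen(p, g, d=None):
    """Private key d in [1, p-2]; public key (e, g, p) with e = g^d mod p."""
    if d is None:
        d = secrets.randbelow(p - 2) + 1
    return d, (pow(g, d, p), g, p)


def elgamal_encrypt(m, pub, k=None):
    """Return (C1, C2) = (g^k, K*m) with mask K = e^k; k must be fresh per message."""
    e, g, p = pub
    if not 0 <= m < p:
        raise ValueError("plaintext must be in [0, p-1]")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    K = pow(e, k, p)
    return pow(g, k, p), (K * m) % p


def elgamal_decrypt(cipher, d, p):
    """Recover m = K^-1 * C2 with K = C1^d (Alice never learns k)."""
    c1, c2 = cipher
    K = pow(c1, d, p)
    K_inv = pow(K, p - 2, p)          # Fermat: K^(p-2) = K^-1 mod p
    return (K_inv * c2) % p


def malleate(cipher, t, p):
    """Anyone can turn Enc(m) into Enc(t*m) without the key: (C1, t*C2)."""
    c1, c2 = cipher
    return c1, (t * c2) % p
```

`order(4, 11)` returns 5, confirming the caveat on slide 48; with a fresh random k every message, the round trip in the test holds for every plaintext in $Z_{11}$, and `malleate` shows that an attacker who cannot read m can still multiply it by any chosen factor.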
55 Digital Signature
- Association with the entity which signs it:
- the receiver can associate the signature with the signing entity;
- the signer cannot repudiate it.
- Association with the message:
- the message which is authenticated cannot be changed without invalidating the signature.
56 Attacks on RSA Systems, part 1
- Low exponent attack: e is sometimes chosen to be small (e.g. 3) to make encryption faster.
- Coppersmith's theorem: for a polynomial f(x) of degree e modulo n, one can use an algorithm with running time polynomial in log n to find the roots, if one of the roots is smaller than $n^{1/e}$.
- On applying the theorem to $c = m^e \bmod n$ with e = 3, if two-thirds of the bits in m are known, the algorithm can find all the bits.
- Recommendation: e should not be smaller than $2^{16} + 1 = 65537$, and unpadded (textbook) RSA should not be used at all.
57 Attacks on RSA Systems, part 2
- Broadcast attack (Håstad): if the same message is sent to many recipients with e = 3,
- $a_1 = m^3 \bmod n_1$
- $a_2 = m^3 \bmod n_2$
- $a_3 = m^3 \bmod n_3$
- the CRT can be used to find $A = m^3 \bmod n_1 n_2 n_3$.
- Since $m < \min(n_i)$, $m^3 < n_1 n_2 n_3$, so A equals $m^3$ as an integer, and m can then be found by taking an ordinary integer cube root.
58 Attacks on RSA Systems, part 3
- Short pad attack: Bob wants to send a message m to Alice. He pads it with x and encrypts m || x to get $C_1$. The message is intercepted and dropped by Eve.
- Alice tells Bob that she has not received the message.
- Bob again pads m with y and encrypts m || y to get $C_2$. The message is intercepted by Eve.
- If x and y are small, Coppersmith proved that Eve can find m from $C_1$ and $C_2$ alone.
- Use Optimal Asymmetric Encryption Padding (OAEP) with
- G, a function expanding k bits to m bits, and
- H, a function compressing m bits to k bits.
59 Comparison
- How secure are RSA and Diffie-Hellman or ElGamal?
- RSA is based on factorization.
- Diffie-Hellman and ElGamal are based on the DLP.
- No proof that factoring and the DLP are equivalent is known, but the best known algorithms for both problems (index calculus and the number field sieve) have the same running time.
- That running time is sub-exponential but super-polynomial, so comparable key sizes are needed for both families.
60 Elliptic Curve Cryptosystem (ECC)
- For ECC on well-chosen curves, no sub-exponential algorithm for breaking it has been found; the best generic attacks take on the order of $\sqrt{n}$ steps for a group of order n.
- So ECC reaches a given security level with much smaller keys than RSA or ElGamal.
- Or, to say it differently: a much smaller key size can achieve the same security as RSA or ElGamal with a large key size, so ECC is more efficient.
61 Elliptic curve group over real numbers
- $y^2 = x^3 + ax + b$, where x, y, a and b are real numbers (with $4a^3 + 27b^2 \ne 0$, so that the curve has no singular points).
- All (x, y) points satisfying the above equation, along with the point at infinity O and the addition operation, form a group.
- Suppose P = (x, y); then define -P = (x, -y).
62 Definition of a Group
- A1: closure under addition
- A2: associativity of addition
- A3: additive identity
- A4: additive inverse
- A1 to A4: group
- A5: commutativity of addition (A1 to A5: abelian group)
63 Elliptic curve example (figure)
64 Addition operation (A Geometric Approach)
- If P and Q are distinct, and if P ≠ -Q, define P + Q as follows:
- Draw a line through P and Q; the line will intersect the curve in a third point. Its reflection in the x-axis is denoted R, and we define P + Q = R.
- Define P + (-P) = O.
- If P = (x, 0), then P + P = O (the tangent is a vertical line).
- Otherwise, draw the tangent line through P; it intersects the curve in one further point, whose reflection is R, and then P + P = 2P = R.
65 Definition of P + Q = R (figure)
66 Definition of P + (-P) (figure)
67 Definition of P + P, where y ≠ 0 (figure)
68 Definition of P + P, where y = 0 (figure)
69 Elliptic Curve Addition: An Algebraic Approach
- Adding distinct points P and Q: when $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$, $P \ne Q$, $P \ne -Q$, then $P + Q = R$ where
- $s = (y_P - y_Q) / (x_P - x_Q)$, $x_R = s^2 - x_P - x_Q$ and $y_R = -y_P + s(x_P - x_R)$.
- Note that s is the slope of the line through P and Q.
- Doubling the point P: when $y_P \ne 0$, $2P = R$ where
- $s = (3x_P^2 + a) / (2y_P)$, $x_R = s^2 - 2x_P$ and $y_R = -y_P + s(x_P - x_R)$.
- $P + (-P) = O$.
- If $P = (x_P, y_P)$ and $y_P = 0$, then $P + P = 2P = O$.
70 Elliptic Curve Groups over $Z_p$
- $Z_p = \{0, 1, \ldots, p-1\}$
- $y^2 \bmod p = (x^3 + ax + b) \bmod p$
- where a and b are in $Z_p$, and x, y are also in $Z_p$.
- Addition as on slide 69, with all arithmetic modulo p (division is multiplication by the modular inverse).
- Example: p = 23, $Z_p = Z_{23}$, $y^2 = x^3 + x$.
- Points lying on $y^2 = x^3 + x$ (mod 23):
- (0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5) (13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10) (18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)
- (23 points; together with O the group has 24 elements.)
- Corresponding elliptic curves over $GF(2^m)$ use $y^2 + xy = x^3 + ax^2 + b$.
71 $y^2 \bmod 23 = (x^3 + x) \bmod 23$ (figure: plot of the points listed above)
72 Elliptic Curve groups and the Discrete Logarithm Problem
- Points on an elliptic curve, along with the addition operation, form a group.
- Given a point P (with $P \ne (x, 0)$), consider 2P = P + P, 3P = 2P + P, ..., nP = (n-1)P + P.
- Given any n, it is easy to compute R = nP (double-and-add).
- However, given R, it is very difficult to find n such that nP = R.
- This is called the Elliptic Curve Discrete Logarithm Problem (ECDLP).
73 Many cryptosystems can be formed based on Elliptic Curves
- Example: Diffie-Hellman key exchange
- Given an elliptic curve E and a point P (both public):
- Alice selects an a, computes A = aP and sends A to Bob.
- Bob selects a b, computes B = bP and sends B to Alice.
- Then Alice can compute the key K = aB = abP; similarly, Bob computes the key K = bA = abP.
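The group law of slide 69 over $Z_p$, applied to the curve $y^2 = x^3 + x \pmod{23}$ of slide 70, with double-and-add scalar multiplication, the EC Diffie-Hellman exchange of slide 73 and a brute-force ECDLP that only succeeds because the group has 24 elements, as one added example that is not part of the original slides. The base point (11, 10) is chosen here because it generates the whole group; all names are this example's own.

```python
# Added example (not from the original slides): elliptic-curve arithmetic
# over Z_p with the slide's curve y^2 = x^3 + x (mod 23), point
# enumeration, scalar multiplication, the EC Diffie-Hellman exchange of
# slide 73 and a brute-force ECDLP that only works because the group is tiny.
O = None   # the point at infinity


def ec_on_curve(P, a, b, p):
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_points(a, b, p):
    """All affine points (x, y) with y^2 = x^3 + ax + b (mod p), excluding O."""
    return [(x, y) for x in range(p) for y in range(p) if ec_on_curve((x, y), a, b, p)]


def ec_neg(P, p):
    return O if P is O else (P[0], (-P[1]) % p)


def ec_add(P, Q, a, p):
    """Group law of slide 69 (algebraic form), with modular inverses via Fermat."""
    if P is O:
        return Q
    if Q is O:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:
        return O                                   # P + (-P) = O, includes y = 0 doubling
    if P == Q:
        s = (3 * xp * xp + a) * pow(2 * yp, p - 2, p) % p
    else:
        s = (yp - yq) * pow(xp - xq, p - 2, p) % p
    xr = (s * s - xp - xq) % p
    yr = (-yp + s * (xp - xr)) % p
    return xr, yr


def ec_mul(n, P, a, p):
    """n*P by double-and-add (n >= 0); the easy direction of the ECDLP."""
    R, Q = O, P
    while n:
        if n & 1:
            R = ec_add(R, Q, a, p)
        Q = ec_add(Q, Q, a, p)
        n >>= 1
    return R


def ec_order(P, a, p):
    """Smallest n > 0 with nP = O, by repeated addition."""
    n, Q = 1, P
    while Q is not O:
        Q, n = ec_add(Q, P, a, p), n + 1
    return n


def ecdh(P, a, p, alice_secret, bob_secret):
    """Returns (A, B, K_alice, K_bob): A = aP, B = bP, K = abP on both sides."""
    A, B = ec_mul(alice_secret, P, a, p), ec_mul(bob_secret, P, a, p)
    return A, B, ec_mul(alice_secret, B, a, p), ec_mul(bob_secret, A, a, p)


def ec_dlog(P, R, a, p):
    """Smallest n with nP = R by exhaustive search (the ECDLP; feasible only here)."""
    n, Q = 0, O
    while Q != R:
        Q, n = ec_add(Q, P, a, p), n + 1
        if Q is O and R is not O:
            return None
    return n
```

`ec_points(1, 0, 23)` reproduces the 23 points of slide 70; (1, 5) has order 4 and (0, 0) order 2, which is why a base point must be checked for large order before use, just as g must be checked in $Z_p^*$.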
74 "It is tough to make predictions, especially about the future." -- Yogi Berra
75 Differences between an Identity-based System and a standard PK system
- Different methods of
- constructing a key,
- distributing a key,
- authenticating a key,
- using a key.
- Reference: 1. Liqun Chen, "Identity-based Cryptography", HP Laboratories, 2006, http://www.sti.uniurb.it/events/fosad06/papers/Chen-fosad06.pdf
- 2. A. Shamir, "Identity-based cryptosystems and signature schemes", in Advances in Cryptology - Crypto '84, Springer-Verlag LNCS 196, pp. 47-53, 1984.
76 Public Key Infrastructure (PKI) System
- Sender (Alice) requests the CA (or a directory) for the public key of the receiver (Bob).
- Through an authenticated channel, the CA sends Bob's public-key certificate, signed by the private key of the CA.
- Alice verifies the signature on the certificate using the public key of the CA (a signature is verified, not "decrypted").
- Alice encrypts her message using the public key of Bob.
- Alice sends the message to Bob through the Internet.
- Bob decrypts the message with his private key. Bob generated that key pair himself and had only the public half certified by the CA; the CA never holds the private key (unless key escrow is deliberately in use).
77 Identity Based Encryption (IBE)
- Alice uses the identity of Bob to create his public key.
- Alice encrypts her message using the public key of Bob.
- Alice sends the message to Bob through the Internet.
- Bob gets his private key from the Private Key Generator (PKG), which holds the master key, by supplying to it his identity (over an authenticated channel, after proving that the identity is his).
- Bob decrypts the message by using his private key.
78 Key Generator in IBE
- (Figure: the Private Key Generator takes the identity and the master key as inputs and outputs the private key.)
79 IBE Schemes
- Shamir's paper, 1984
- Three IBE schemes in 2001:
- Sakai, Ohgishi and Kasahara
- Boneh and Franklin
- Cocks
- Sakai and Kasahara in 2003
- ...
80 Identity
- E-mail address
- Photo
- Phone number
- Postal address
- Role-based: access based upon the role of a person in his organization
81 Shamir's Method: IB private key for Bob
- Identity may be the digest of any data string associated with Bob; thus ID = H(bob@uwindsor.ca).
- Let the master private and public keys be (d, n) and (e, n) respectively (an RSA key pair held by the key generator).
- Private key: $S_{ID} = ID^d \bmod n$
- For signing a message m:
- choose a random number r,
- compute $t = r^e \bmod n$,
- find $f = H(t, m)$.
82 Shamir's Method: Verification of Signatures
- $s = S_{ID} \cdot r^f \bmod n$
- Output signature: (s, t)
- Verification of signatures:
- compute $s^e \bmod n$,
- compute $ID \cdot t^{H(t,m)} \bmod n$,
- if $s^e \equiv ID \cdot t^{H(t,m)} \pmod n$, the signature is acceptable.
- PROOF:
- LHS: $s^e = ID^{de} \cdot r^{fe} \bmod n = ID \cdot r^{fe} \bmod n$
- RHS: $ID \cdot t^f = ID \cdot r^{ef} \bmod n$
83 X.509v3
- 1. Distinguished Name
- Root CA: single point of failure
- 2. Validity period
- 3. Public Key
- Example: National CA / Univ of Windsor / CS / End User like Chris Smith 2075
- Policy of the CA
- Access control through the certificate
- Certificate revocation lists (CRLs)
- Cross-certification is the black hole of PKI
84 CRL Problems
- Not issued frequently enough to be effective against an attacker
- Expensive to distribute
- Vulnerable to simple DoS attacks: an attacker can prevent revocation by blocking CRL delivery
- If a user caches a CRL, he may deal with an outdated CRL.
85 CRL Problems, part 2
- A back-dated CRL can appear at any point in the future, which destroys the entire concept of non-repudiation.
- Revoking self-signed certificates is hairy: when a certificate revokes itself, applications may
- accept the CRL as valid and revoke the certificate,
- reject the CRL as invalid since it was signed with a revoked certificate, or
- crash.
- Issuing CRLs often enough to provide timely revocation exacerbates the distribution problem.
- Example: 10M clients downloading a 1 MB CRL issued once a minute means roughly 150 GB/s of traffic.
86 Online Certificate Status Protocol, OCSP
- The reply is created on the spot in response to the request.
- An ephemeral pseudo-CRL avoids the CRL validity-period problem.
- Problems:
- Requires a signing operation for every query.
- CAs charge fees to issue a certificate ("the most expensive collection of bits in the world"); revocation checks may also cost.
87 ISO/IEC 11770-3 Key Agreement Scheme
- Developed by Guillou and Quisquater, based on Shamir's scheme.
- $ID_A$ and $ID_B$: identities of Alice and Bob respectively.
- Master Key Generator: private key (d, n), public key (e, n).
- Two public elements g and h such that $g = h^e \bmod n$.
- The Master Key Generator creates private keys for Alice and Bob as follows:
- $S_A = (1/ID_A)^d \bmod n$
- $S_B = (1/ID_B)^d \bmod n$
88 ISO/IEC 11770-3 Key Agreement Scheme: Key Exchange (the same Guillou-Quisquater identity scheme underlies the ISO/IEC 14888-2 signature scheme)
- Alice selects a random number a, computes $t_A = S_A \cdot h^a \bmod n$ and sends it to Bob.
- Bob selects a random number b, computes $t_B = S_B \cdot h^b \bmod n$ and sends it to Alice.
- Both Alice and Bob are able to compute the common key $K_{AB}$ as follows:
- $K_{AB} = ((t_B)^e \cdot ID_B)^a = g^{ab}$ and $K_{AB} = ((t_A)^e \cdot ID_A)^b = g^{ab}$ (mod n),
- since $(t_B)^e = S_B^e \cdot h^{be} = ID_B^{-1} \cdot g^b$, and symmetrically for $t_A$.
- The common symmetric key can be used by Alice and Bob to exchange messages.
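Shamir's identity-based signature of slides 81 and 82 and the Guillou-Quisquater key agreement of slides 87 and 88, both built on one RSA master key, as a single added example that is not part of the original slides. The master key (n = 61 · 53, e = 17), the base h = 1234 and the hashing of identities and of (t, m) with SHA-256 are constructed for this example; the slides fix none of them. The coprimality nudge in `identity_to_int` only matters because n is tiny here.

```python
# Added example (not from the original slides): Shamir's identity-based
# signature (slides 81-82) and the Guillou-Quisquater identity-based key
# agreement (slides 87-88) on one RSA master key. The master key below
# (n = 61*53, e = 17) is a textbook toy constructed for this example;
# identities are hashed to integers with SHA-256, an assumption of this
# example rather than a detail of the slides. Requires Python 3.8+.
import hashlib
import secrets
from math import gcd

# Toy master key of the Private Key Generator (PKG): public (e, n), private d.
N, E = 61 * 53, 17
D = pow(E, -1, (61 - 1) * (53 - 1))          # 2753


def identity_to_int(identity, n=N):
    """ID = H(identity) reduced mod n, nudged until coprime to n (only matters for toy n)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n
    while h < 2 or gcd(h, n) != 1:
        h = (h + 1) % n
    return h


def pkg_signing_key(identity):
    """Shamir: S_ID = ID^d mod n, issued by the PKG from the identity alone."""
    return pow(identity_to_int(identity), D, N)


def _h(t, m):
    """f = H(t, m) as an integer exponent."""
    return int.from_bytes(hashlib.sha256(f"{t}|{m}".encode()).digest(), "big")


def ibs_sign(s_id, m, r=None):
    """Signature (s, t): t = r^e, f = H(t, m), s = S_ID * r^f (mod n)."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    return (s_id * pow(r, _h(t, m), N)) % N, t


def ibs_verify(identity, m, sig):
    """Accept iff s^e = ID * t^H(t, m) (mod n); needs only the identity and (e, n)."""
    s, t = sig
    return pow(s, E, N) == (identity_to_int(identity) * pow(t, _h(t, m), N)) % N


# Guillou-Quisquater key agreement: g = h^e mod n is public, S_X = (1/ID_X)^d.
H = 1234                      # constructed public base h; g = h^e
G = pow(H, E, N)


def pkg_agreement_key(identity):
    id_int = identity_to_int(identity)
    return pow(pow(id_int, -1, N), D, N)


def gq_token(s_x, x):
    """t_X = S_X * h^x mod n, sent to the peer."""
    return (s_x * pow(H, x, N)) % N


def gq_shared_key(t_peer, peer_identity, x):
    """K = (t_peer^e * ID_peer)^x = g^(xy) mod n."""
    return pow((pow(t_peer, E, N) * identity_to_int(peer_identity)) % N, x, N)
```

The verifier never contacts the PKG: the identity string and the public master key (e, n) are all it needs, which is the whole point of the identity-based setting, and also why compromise of d exposes every user at once.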
89 Cocks's quadratic residues IBE scheme
- Based on the hardness of the quadratic residuosity problem: given y and n, decide whether $y \equiv x^2 \pmod n$ for some x.
- n = pq where p and q are two large primes, as in RSA.
- Does not use pairings.
- Reference: C. Cocks, "An identity-based encryption scheme based on quadratic residues", in Proceedings of Cryptography and Coding, LNCS 2260, pp. 360-363, Springer-Verlag, 2001
90 Cocks's quadratic residues IBE scheme, part 2
- Is quite fast.
- Encrypts a message bit by bit, and requires on the order of log n bits of ciphertext per bit of plaintext (two elements of $Z_n$ per bit in the original scheme), so it suits key transport rather than bulk data.
91 Pairings in IBE
- Pairings which have been used in identity-based cryptography: the Weil pairing and the Tate pairing and their variants.
- References: 1. P. Barreto, H. Kim, B. Lynn and M. Scott, "Efficient algorithms for pairing-based cryptosystems", Proceedings of CRYPTO 2002, LNCS 2442, pp. 354-369, Springer-Verlag, 2002.
- 2. D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing", in Advances in Cryptology - Crypto 2001, Springer-Verlag LNCS 2139, pp. 213-229, 2001.