To be an effective Information Warrior, individuals need superior computer skills, as well as an in-depth understanding of information technology architectures, protocols and processes (PowerPoint presentation transcript)

1
  • To be an effective Information Warrior,
    individuals need superior computer skills, as
    well as an in-depth understanding of information
    technology architectures, protocols and
    processes.
  • Michael Erbschloe, author of Information Warfare:
    How to Survive Cyber Attacks

2
AGENDA
  • MATHEMATICAL BACKGROUND
  • Revision (3,4); Order of a mod n (5,6); Primitive
    root g of n (7,8); Index of a (9,10,11); a as a
    quadratic residue mod p and the Legendre symbol (12
    to 29); square and non-square elements of Zp (30
    to 33); dlog_{g,p}(b), the discrete logarithm of b for
    base g (mod p) (34 to 36)
  • Diffie-Hellman Key Exchange (37 to 47)
  • ElGamal's PK System (48 to 54)
  • Digital Signature Systems (55 to 59)
  • Elliptic Curve Cryptosystem (ECC) (60 to 73)
  • Identity Based Encryption (IBE) (74 to 90):
    ISO/IEC 11770-3 Key Agreement Scheme, Shamir's
    Method (Cocks's quadratic residues IBE scheme
    and pairing-based methods left out for
    self-study)

3
Revision Slide-1: Logarithms
  • Log_x y = a  =>  y = x^a
  • Log_x 1 = 0  (x^0 = 1)
  • Log_x x = 1  (x^1 = x)
  • Log_x(y.z) = Log_x(y) + Log_x(z)
  • Log_x(y^r) = r . Log_x(y)

4
Revision Slide-2: Euler's theorem
  • Euler's theorem: generalization of Fermat's
    theorem
  • If a and n are relatively prime,
  • a^φ(n) ≡ 1 mod n
  • where φ(n) = Euler's totient function
  • = number of positive integers
    less than n and relatively prime to n

5
Order of a mod n
  • If a and n are relatively prime,
  • a^m ≡ 1 mod n.
  • The smallest positive value of m for which
  • the above equation is satisfied is called
  • the ORDER of a mod n.
  • Examples: Order of 4 mod 17 = 4 (Please see
    slide 8)
  • Order of 3 mod 17 = 16; Order of 5 mod 17 = 16
  • Order of 2 mod 17 = 8; Order of 8 mod 17 = 8

6
Example: a^m modulo 19
  • For a = 2, 3, 10, 13, 14 or 15:
  • Choose any one of the above 6 values for a.
  • As m is varied from 1 to 18,
  • a^m (modulo 19) generates the entire set
  • of non-zero integers from 1 to 18.
  • For each of the (above) 6 values of a,
  • a^18 ≡ 1 mod 19.
  • Order of a mod n is 18.

7
Primitive root
  • Definition: If, for some integer value of a,
    the order of a mod n is equal to φ(n), the
    integer value of a is called a primitive
    root of n.
  • Primitive roots of a prime number p will be
    denoted by g.
  • Property: For a primitive root a and for every
    value of 0 < m ≤ φ(n), a^m generates a distinct
    number (mod n), and every such number is co-prime
    with n.
  • An integer may or may not have a primitive
    root.
  • Integers of type p^a, 2p^a, where p is an odd prime
    number and a a positive integer, have one or more
    primitive roots.

8
Examples of primitive roots
  • g_s(n) = the smallest primitive root of an integer
    n
  • Reference: http://mathworld.wolfram.com/PrimitiveRoot.html
    as of November 15, 2008

9
Index of a number a
  • Let modulus = n
  • Primitive root of n = g
  • An integer, co-prime to n = a
  • If g^x ≡ a mod n,
  • then x = v(a) is called the Index of a.
  • Examples: modulus = 11, primitive root = 6.
  • For a = 5, 6^6 ≡ 5 mod 11. Therefore v(5) = 6.
  • For b = 7, 6^3 ≡ 7 mod 11. Therefore v(7) = 3.

10
Similarities between Log and Index
  • Log(a.b) = Log a + Log b
  • a×b mod n = g^(v(a) + v(b)) mod n
  • Thus the index of a composite number (a×b) is the
    sum of the indices of the two numbers (i.e. a
    and b).
  • Example: 5×7 mod 11 = 6^(6 + 3) mod 11
  • Log(a^b) = b Log a
  • a^b mod n = g^(b . v(a)) mod n
  • Example: 5^7 mod 11 = 6^(7 × 6) mod 11 = 3
  • b^a mod n = g^(a . v(b)) mod n
  • Example: 7^5 mod 11 = 6^(5 × 3) mod 11 = 10
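
The order, primitive-root and index definitions of slides 5 to 10, worked in code. This is an added example, not part of the original presentation; it brute-forces the order and the totient, which is fine for textbook-sized moduli such as 11, 17 and 19, and checks the two index laws of slide 10 (index of a product, index of a power) against a table of g^x for the slide's g = 6, n = 11.

```python
from math import gcd

def order_mod(a, n):
    """Order of a mod n: the smallest m >= 1 with a^m = 1 (mod n). Needs gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be relatively prime")
    m, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        m += 1
    return m

def totient(n):
    """Euler's phi(n): count of 1 <= k < n with gcd(k, n) == 1 (brute force, fine for small n)."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

def primitive_roots(n):
    """All a in Z_n, coprime to n, whose order equals phi(n) (slide 7's definition)."""
    phi = totient(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and order_mod(a, n) == phi]

def index_table(g, n):
    """Index table v(a) for a primitive root g: g^v(a) = a (mod n), 0 <= v(a) < phi(n)."""
    table, x = {}, 1
    for k in range(totient(n)):
        table[x] = k            # x == g^k at this point
        x = (x * g) % n
    return table

def index_laws(g, n, a, b):
    """Check the two laws of slide 10 against the table. Returns
    (v(a*b), (v(a)+v(b)) mod phi, v(a^b), b*v(a) mod phi); first and second, third and fourth must agree."""
    v, phi = index_table(g, n), totient(n)
    return (v[(a * b) % n], (v[a] + v[b]) % phi,
            v[pow(a, b, n)], (b * v[a]) % phi)

if __name__ == "__main__":
    print("order of 4 mod 17:", order_mod(4, 17))
    print("primitive roots of 19:", primitive_roots(19))
    v = index_table(6, 11)
    print("v(5), v(7) for g = 6 mod 11:", v[5], v[7])
    print("index laws for a = 5, b = 7:", index_laws(6, 11, 5, 7))
```

The index is exactly the discrete logarithm of slide 34; building the table by repeated multiplication is what makes the "easy direction" easy, and the fact that the table has φ(n) entries is why the table approach stops scaling long before cryptographic sizes.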

11
References
  • 1. For the smallest primitive roots for the first
    few integers: http://mathworld.wolfram.com/PrimitiveRoot.html
    as of Dec 1, 2007
  • 2. For a list of the first 1000 prime numbers:
    http://primes.utm.edu/lists/small/1000.txt as of
    Dec 1, 2007
  • 3. Primes by primitive roots:
    http://www.research.att.com/njas/sequences/Sindx_Pri.html
    as of Dec 1, 2007
  • 4. G. A. Miller, Methods to Determine the
    Primitive Roots of a Number, http://www.jstor.org
    /view/00029327/di994161/99p0203o/0?framenoframeu
    serID89cf8ca8@uwindsor.ca/01c0a8346600501ceadb5d
    pi3configjstor

12
Solution for x^2 ≡ a mod p
  • PROBLEM: To solve for x
  • x^2 ≡ a mod p
  • where p = odd prime and a =
    an integer
  • There are three possibilities:
  • (i) No solution:
  • a is said to be a quadratic non-residue
    mod p.
  • (ii) One solution, if a ≡ 0 mod p
  • (iii) Two solutions:
  • a is said to be a quadratic residue
    mod p.
  • Reference: Henri Cohen, A Course in Computational
    Algebraic Number Theory, Springer 1996, p. 27

13
Example: Existence of a solution
  • Consider modulus 11.
  • Squares: 1, 3, 4, 5, 9
  • Non-squares: 2, 6, 7, 8, 10
  • For non-squares, a solution for x^2 ≡ a mod p does
    not exist.
  • Thus there is no value of x which satisfies x^2 ≡
    6 mod 11.

14
Definition: Legendre-Jacobi-Kronecker Symbol
  • Legendre Symbol (a/p):
  • (a/p) = -1 if a is a quadratic non-residue mod p
  • (a/p) = 0 if a ≡ 0 mod p
  • (a/p) = 1 if a is a quadratic residue mod p.
  • The number of solutions of x^2 ≡ a mod p will be
    (1 + (a/p)).

15
Solutions, if a is a quadratic
residue mod p
  • If (a/p) = 1, there exists an x such that
  • x^2 ≡ a mod p
  • An easy solution for half of the primes, which
    obey
  • p ≡ 3 mod 4:
  • x = a^((p+1)/4) mod p
  • For half of the remaining primes, which obey
  • p ≡ 5 mod 8, there are two
    possibilities:
  • a^((p-1)/4) ≡ 1 → The solution is x = a^((p+3)/8)
    mod p.
  • a^((p-1)/4) ≡ -1 → The solution is x =
    2a.(4a)^((p-5)/8) mod p.
  • For the remaining primes, which obey
  • p ≡ 1 mod 8, it is difficult
    to come to similar solutions.
  • (The other half consists of those primes which
    obey p ≡ 5 mod 8)

16
Example: Solutions for x in x^2 ≡ a mod p
  • For p = 11: It obeys p ≡ 3 mod 4.
  • Hence if (a/p) = 1, its solutions can be found by
    using
  • x = a^((p+1)/4) mod p
  • For p = 11, (p+1)/4 = 3.

17
Algorithm for evaluating
Kronecker(a/b) where a, b ∈ Z
  • Step 1: If b = 0, output 0 if |a| ≠ 1,
  • 1 if |a| = 1. END
  • Step 2 (for removing 2s from b):
  • Set v = 0
  • While b is even:
  • set v ← (v + 1)
  • b ← (b/2)
  • If v is even, set k ← 1.
  • Otherwise k ← (-1)^((a^2 - 1)/8)
  • If b < 0, set b ← (-b), AND if in addition
  • a < 0, set k ← (-k).

18
Algorithm for evaluating Kronecker(a/b)
where a, b ∈ Z contd. 2
  • Step 3 (for reducing size once):
  • Note: At this stage b is odd and b > 0.
  • Set a ← a mod b
  • Step 4: If a = 0, output 0 if b > 1,
  • k if b = 1. END
  • Step 5 (for removing powers of 2):
  • Set v = 0
  • While a is even:
  • set v ← (v + 1)
  • a ← (a/2)
  • If v is odd, set k ← (-1)^((b^2 - 1)/8) . k

19
Algorithm for evaluating Kronecker(a/b)
where a, b ∈ Z contd. 3
  • Step 6: Subtract and apply reciprocity.
  • Note: At this stage a and b are odd.
  • Set r ← (b - a).
  • If r > 0, set k ← (-1)^((a-1).(b-1)/4) . k
  • b ← a
  • a ← r
  • Else set a ← (-r).
  • Go to Step 4.

20
Legendre (a/b), where a, b ∈ Z and b is
an odd prime
  • Step 1 not required.
  • Step 2 (required only for initializing k):
  • k is set to 1.
  • Step 3 (for reducing size once):
  • Note: At this stage b is odd and b > 0.
  • Set a ← a mod b
  • Step 4: If a = 0, output 0 if b > 1,
  • k if b = 1. END

21
Legendre (a/b), where a, b ∈ Z and b is an odd
prime .2
  • Step 5 (for removing powers of 2 from a):
  • Set v = 0
  • While a is even:
  • set v ← (v + 1)
  • a ← (a/2)
  • If v is odd, set k ← (-1)^((b^2 - 1)/8) . k

22
Legendre (a/b), where a, b ∈ Z and b is an odd
prime .3
  • Step 6: Subtract and apply reciprocity.
  • Note: At this stage a and b are odd.
  • Set r ← (b - a).
  • If r > 0, set k ← (-1)^((a-1).(b-1)/4) . k
  • b ← a
  • a ← r
  • Else set a ← (-r).
  • Go to Step 4.

23
Example 1 for Legendre Symbol
  • For modulus p = 11, we found
  • Squares: 1, 3, 4, 5, 9
  • Non-squares: 2, 6, 7, 8, 10
  • By using the algorithm (of the last three
    slides), it can be seen that for each of the
    square values, (a/p) = 1.
  • By using the algorithm (of the last three
    slides), it can be seen that for each of the
    non-square values, (a/p) = -1.
  • Note: Try the algorithm for one of the square
    values and one of the non-square values and
    confirm the above two statements.

24
Example 2 for Legendre Symbol
  • 25 mod 11
  • Iteration 1
  • Step 2: k = 1
  • Step 3: a = 25 mod 11 = 3
  • Step 4: a ≠ 0
  • Step 5: v = 0. Since v is not odd, no change in the
    value of k.
  • Step 6: r = 11 - 3 = 8
  • k = (-1)^((a-1).(b-1)/4) . k = (-1)^(2.(10)/4) . k = -1
  • b = 3
  • a = 8.

25
Example 2 for Legendre Symbol .2
  • Iteration 2 (begins at step 4)
  • Step 4: a ≠ 0
  • Step 5: v = 0
  • v = 1, a = 4; v = 2, a = 2; v =
    3, a = 1
  • Since v is odd, k = (-1)^((b^2 - 1)/8) . k = 1
  • Step 6: r = 3 - 1 = 2
  • k = (-1)^((a-1).(b-1)/4) . k = (-1)^(0.(2)/4) . k = 1
  • b = 1
  • a = 2.

26
Example 2 for Legendre Symbol .3
  • Iteration 3 (begins at step 4)
  • Step 4: a ≠ 0
  • Step 5: v = 0
  • v = 1, a = 1
  • Since v is odd, k = (-1)^((b^2 - 1)/8) . k = 1
  • Step 6: r = 1 - 1 = 0 → a = 0
  • Iteration 4 (begins at step 4)
  • a = 0 → Since b = 1, output k = 1.
  • An easy solution for half of the primes, which
    obey
  • p ≡ 3 mod 4: x = a^((p+1)/4) mod p.
  • Since 11 ≡ 3 mod 4, the solution for x^2 ≡ 25 mod
    11 is x = 25^3 mod 11 = 3^3 mod 11 = 5

27
Example 3 for Legendre Symbol
  • 17 mod 11
  • Iteration 1
  • Step 2: k = 1
  • Step 3: a = 17 mod 11 = 6
  • Step 4: a ≠ 0
  • Step 5: v = 0
  • v = 1, a = 3
  • Since v is odd, k = (-1)^((b^2 - 1)/8) . k = -1
  • Step 6: r = 11 - 3 = 8
  • k = (-1)^((a-1).(b-1)/4) . k = (-1)^(2.(10)/4) . k = 1
  • b = 3, a = 8.

28
Example 3 for Legendre Symbol .2
  • Iteration 2 (begins at step 4)
  • Step 4: a ≠ 0
  • Step 5: v = 0
  • v = 1, a = 4; v = 2, a = 2; v = 3,
    a = 1
  • Since v is odd, k = (-1)^((b^2 - 1)/8) . k = -1
  • Step 6: r = 3 - 1 = 2
  • k = (-1)^((a-1).(b-1)/4) . k = (-1)^(0.(2)/4) . k = -1
  • b = 1
  • a = 2.

29
Example 3 for Legendre Symbol .3
  • Iteration 3 (begins at step 4)
  • Step 4: a ≠ 0
  • Step 5: v = 0
  • v = 1, a = 1
  • Since v is odd, k = (-1)^((b^2 - 1)/8) . k = -1
  • Step 6: r = 1 - 1 = 0 → a = 0
  • Iteration 4 (begins at step 4)
  • a = 0 → Since b = 1, output k = -1.
  • Hence no solution exists for x^2 ≡ 17 mod 11
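
The six-step Kronecker/Legendre algorithm of slides 17 to 22, together with the square-root formulas of slide 15, as an added, runnable example (not code from the presentation). `kronecker` follows the slides' steps literally; the one addition is an up-front "both even gives 0" guard, which the slides leave out but Cohen's Algorithm 1.4.10 includes, and which matters only when a and b share the factor 2. `legendre_euler` is an independent check using Euler's criterion a^((p-1)/2), and `sqrt_mod_p` covers the p ≡ 3 mod 4 and p ≡ 5 mod 8 cases the slides give closed forms for; p ≡ 1 mod 8 is deliberately not handled, matching the slides.

```python
def kronecker(a, b):
    """Kronecker symbol (a/b) for integers a, b, following the six steps on slides 17-19
    (subtraction form of quadratic reciprocity). For an odd prime b this is the Legendre symbol."""
    # Step 1: b = 0
    if b == 0:
        return 1 if abs(a) == 1 else 0
    # Guard not spelled out on the slides (it is in Cohen, Alg. 1.4.10): a common factor 2 gives 0.
    if a % 2 == 0 and b % 2 == 0:
        return 0
    # Step 2: strip factors of 2 from b, fixing k via (2/a) = (-1)^((a^2-1)/8); normalise the sign of b
    v = 0
    while b % 2 == 0:
        v += 1
        b //= 2
    k = 1 if v % 2 == 0 else (-1) ** ((a * a - 1) // 8)
    if b < 0:
        b = -b
        if a < 0:
            k = -k
    # Step 3: reduce a once; from here on b is odd and positive
    a %= b
    while True:
        # Step 4: termination
        if a == 0:
            return k if b == 1 else 0
        # Step 5: strip factors of 2 from a, using (2/b) = (-1)^((b^2-1)/8)
        v = 0
        while a % 2 == 0:
            v += 1
            a //= 2
        if v % 2 == 1:
            k *= (-1) ** ((b * b - 1) // 8)
        # Step 6: subtract and apply reciprocity (a and b are both odd here)
        r = b - a
        if r > 0:
            k *= (-1) ** ((a - 1) * (b - 1) // 4)
            b, a = a, r
        else:
            a = -r

def legendre_euler(a, p):
    """Euler's criterion a^((p-1)/2) mod p, used only as an independent cross-check of kronecker()."""
    r = pow(a % p, (p - 1) // 2, p)
    return 0 if r == 0 else (1 if r == 1 else -1)

def sqrt_mod_p(a, p):
    """A square root of a mod the odd prime p for the two cases on slide 15; None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if kronecker(a, p) != 1:
        return None
    if p % 4 == 3:                                   # x = a^((p+1)/4)
        return pow(a, (p + 1) // 4, p)
    if p % 8 == 5:
        if pow(a, (p - 1) // 4, p) == 1:             # x = a^((p+3)/8)
            return pow(a, (p + 3) // 8, p)
        return (2 * a * pow(4 * a, (p - 5) // 8, p)) % p   # x = 2a.(4a)^((p-5)/8)
    raise NotImplementedError("p = 1 mod 8 is not covered by the slide-15 formulas")

if __name__ == "__main__":
    print("(25/11) =", kronecker(25, 11), " (17/11) =", kronecker(17, 11))
    print("sqrt of 25 mod 11:", sqrt_mod_p(25, 11), " sqrt of 17 mod 11:", sqrt_mod_p(17, 11))
```

Tracing `kronecker(25, 11)` and `kronecker(17, 11)` by hand reproduces the four iterations of slides 24 to 29 step for step; the cross-check against Euler's criterion over whole residue systems is the kind of self-test worth keeping next to any hand-written number-theoretic routine.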

30
Example: p = 17 .1
31
Example: p = 17 .2
Squares
  • Elements of Zp = {1, 2, 3, ..., (p-1)} can be either
    Squares (a_s) or Non-squares (a_n).
  • Squares: 1, 2, 4, 8, 9, 13, 15, 16
  • 1 = 16^2 mod 17; 2 = 6^2 mod 17 = 11^2 mod 17
  • 4 = 15^2 mod 17; 8 = 5^2 mod 17 = 12^2 mod 17
  • 9 = 14^2 mod 17; 13 = 8^2 mod 17 = 9^2 mod 17
  • 15 = 7^2 mod 17 = 10^2 mod 17; 16 = 13^2 mod 17
  • For all i, a_s^i mod p is a square element only. →
  • A square element cannot be a primitive root.
  • Non-squares: 3, 5, 6, 7, 10, 11, 12, 14
  • No. of a_s elements = No. of a_n elements = (p-1)/2

32
Example: p = 17 .3
S
ub-groups
  • Testing whether or not an element is a square:
  • an efficient algorithm called the Legendre
    Symbol
  • Examples of groups formed by
  • a = 3, 5: primitive roots
  • Example: for p = 17, primitive roots 3, 5, 7, 11
  • Finding primitive roots of a large prime number:
    computationally tough
  • a = 2, 8: two blocks of q = (p-1)/2 each
  • a = 4: four blocks of (p-1)/4 each

33
Example: p = 17 .4
Sub-groups
  • Depending upon the generator element, size of
    sub-groups of Zp:
  • Full group: (p-1) members, if the generator
    element is a primitive root
  • Size of sub-groups: (p-1)/m
  • Sub-group of size 1: g = 1
  • Sub-group of size 2: Members are 1 and (p-1)
  • Example: Use a of 1, 16, 4, 2 or 8, 3 or 5 to get
    groups of size 1, 2, 4, 8 and 16 respectively.
    (See slide 29.)
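
The square/non-square split and the sub-group sizes of slides 31 to 33, computed rather than listed. This is an added example, not part of the presentation: `is_square` uses Euler's criterion (the test slide 32 refers to as "the Legendre symbol"), `generated_subgroup` enumerates the powers of an element, and `subgroup_sizes` gives the (p-1)/m sizes of slide 33 for every element of Z_17.

```python
def order_mod(a, p):
    """Order of a in Z_p^*: smallest m >= 1 with a^m = 1 (mod p). p is assumed prime."""
    m, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        m += 1
    return m

def is_square(a, p):
    """Euler's criterion: a is a square mod the odd prime p iff a^((p-1)/2) = 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1

def squares(p):
    """The (p-1)/2 square elements of Z_p^*, obtained by squaring everything."""
    return sorted({pow(x, 2, p) for x in range(1, p)})

def non_squares(p):
    return [a for a in range(1, p) if not is_square(a, p)]

def generated_subgroup(a, p):
    """Sorted members of <a> = {a, a^2, ..., a^ord(a)} mod p; its size is the order of a."""
    members, x = [], a % p
    while x not in members:
        members.append(x)
        x = (x * a) % p
    return sorted(members)

def subgroup_sizes(p):
    """Map each element a of Z_p^* to the size (p-1)/m of the sub-group it generates."""
    return {a: len(generated_subgroup(a, p)) for a in range(1, p)}

def primitive_roots(p):
    return [a for a in range(1, p) if order_mod(a, p) == p - 1]

if __name__ == "__main__":
    p = 17
    print("squares:", squares(p))
    print("non-squares:", non_squares(p))
    print("sub-group sizes:", subgroup_sizes(p))
    print("primitive roots:", primitive_roots(p))
```

For p = 17 the squares are exactly the sub-group generated by 2 (size 8), which is why slide 31 can say that powers of a square stay squares and that no square is a primitive root; the same check run against a candidate generator is the cheap sanity test slide 42 asks for before using it in a key exchange.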

34
Logarithms for Modular Arithmetic
  • Consider a prime number p and its primitive
    root g.
  • (There is at least one primitive root for every
    Zp.)
  • For any integer b, we can find the exponent i
    such that
  • b ≡ g^i (mod p).
  • Both g and i are members of Zp, i.e.
  • 0 ≤ i ≤ (p-1)
  • i = Discrete Logarithm of b for base g (mod p)
  • = dlog_{g,p}(b)

35
Discrete Logarithm Theorems
  • dlog_{a,p}(1) = 0
  • dlog_{a,p}(a) = 1
  • dlog_{a,p}(bc) = (dlog_{a,p} b + dlog_{a,p} c) mod φ(p)
  • dlog_{a,p}(y^r) = r × dlog_{a,p}(y) mod φ(p)

36
Calculation of Discrete Logarithm
  • Consider p, a prime number.
  • Its primitive root (generator element) = g.
  • y = g^x mod p
  • Given x, y can be calculated easily using the
    CLRS algorithm (modular exponentiation by repeated squaring).
  • For large prime numbers:
  • Given y, no method for calculating x
  • with a complexity lower than that for
    factorizing large numbers exists. This is known
    as the Discrete Logarithm Problem (DLP).

37
Diffie-Hellman Key Exchange
(agreement) ..1
  • Diffie-Hellman Key Exchange is based on the DLP.
  • Alice selects a prime p and a generator g of the
    Galois field Zp,
  • selects a random number a < p,
  • computes y = g^a mod p and
  • sends y, p and g to Bob.
  • Bob
  • selects a random number b < p,
  • computes z = g^b mod p and
  • sends z to Alice.
  • Reference: Whitfield Diffie and Martin E.
    Hellman, New Directions in Cryptography, IEEE
    Transactions on Information Theory,
    IT-22(6):644-654, November 1976

38
Diffie-Hellman Key Exchange
(agreement) ..2
  • Then Alice computes k = z^a mod p (= g^ab mod p)
  • and Bob computes k = y^b mod p (= g^ab mod p).
  • Therefore Alice and Bob are able to get the same
    key securely without meeting together, by sending
    messages on an insecure line.
  • A hacker knows p, g, y and z. But without knowing
    a or b, k cannot be determined.
  • a = dlog_{g,p}(y) and b = dlog_{g,p}(z) cannot be
    found, since the discrete log is difficult to
    evaluate for large numbers.

39
Diffie-Hellman Key Exchange
Man-in-the-Middle attack .1
  • Alice sends y = g^a mod p to Bob.
  • Eve intercepts it and sends w = g^c mod p to Bob.
  • Bob (believing that the message is from Alice)
  • responds with z = g^b mod p and
  • creates the key k1 = w^b = g^cb
  • Eve intercepts Bob's message and
  • is able to create the key k1 = z^c = g^bc,
  • sends v = g^d mod p to Alice, and
  • is able to create the key k2 = y^d = g^ad

40
Diffie-Hellman Key Exchange
Man-in-the-Middle attack .2
  • Alice receives v and creates the key k2 = v^a = g^da
  • All future communication:
  • Alice sends messages to Bob encrypted with k2
  • Eve
  • intercepts the message,
  • decrypts it using the key k2,
  • encrypts it using the key k1, and
  • sends the encrypted message on to Bob
  • Bob receives the message and is able to decrypt
    it by using the key k1 -- similar
    scenario for the messages from Bob to Alice
  • Thus Alice and Bob can be under the mistaken
    impression that they are talking to each other.

41
MITM attack and smaller Sub-groups
  • For a prime number p,
  • Zp = {1, 2, 3, ..., (p-1)},
  • a primitive root g can generate all the
    members.
  • During a MITM attack, Eve may send a
    non-primitive root as g, leading to a small
    sub-group of Zp. This may compromise the
    security.
  • If g is a non-square,
  • y = g^a mod p is a square if a is even and it is a
    non-square if a is odd.
  • Thus Eve can check y and find out the last bit of
    a (i.e. whether a is even or odd) → Use only
    squares?

42
Safe Prime
  • If p = 2q + 1, where p and q are both prime
    numbers, p is called a safe prime.
  • Choose a group
  • with modulus p, where p = 2q + 1,
  • which has q elements,
  • for which g is a square. (Use the Legendre Symbol
    function to verify.)

43
Safe Primes: How to choose g for such a group?
  • g should be a square.
  • Since it is a square, it cannot generate all the
    2q elements.
  • The number of elements must be a factor of (p-1).
  • However, since p-1 = 2q, it can have only
    sub-groups of size 1, 2 and q.
  • Choose a random number r in the range
  • 2 ... (p-2).
  • Select g = r^2 mod p, except that it should not be
    either 1 or (p-1).

44
Diffie-Hellman Key Exchange
Example .1
  • Choose p = 11.
  • Primitive roots of 11 are 2, 6, 7, 8.
  • Alice and Bob choose g = 2 for p = 11 for key
    exchange.
  • She chooses a private key of a = 5.
  • 2^5 mod 11 = 10.
  • Alice sends y = 10 to Bob.
  • Bob chooses a private key of b = 7.
  • 2^7 mod 11 = 7. Bob sends z = 7 to Alice.

45
Diffie-Hellman Key Exchange
Example .2
  • SECRET KEY
  • He calculates the secret key k = 10^7 mod 11 = 10
  • Alice calculates the secret key k = 7^5 mod 11 =
    10
  • EVE
  • Knows about p = 11 and g = 2
  • Can sniff y = 10 and z = 7. But does not know
    about the private keys.
  • Reference: Example 5.2 from Man Young Rhee,
    Internet Security:
    Cryptographic Principles, Algorithms and
    Protocols. Wiley 2003

46
Diffie-Hellman Key Exchange
To Find the Private Keys
  • To find the private keys:
  • For a:
  • Solve the equation 2^a mod 11 = 10,
  • i.e. a = dlog_{2,11}(10)
  • For b:
  • Solve the equation 2^b mod 11 = 7,
  • i.e. b = dlog_{2,11}(7)
  • Calculation of discrete logarithms for large
    prime numbers is very hard.
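
The Diffie-Hellman material of slides 37 to 46 in one runnable piece: the honest exchange with the slide's p = 11, g = 2, a = 5, b = 7, the two-key situation of the man-in-the-middle scenario on slides 39 and 40, the parity leak of slide 41 when g is a non-square, and the safe-prime generator choice of slides 42 and 43 that removes that leak. This is an added example and not code from the presentation; Eve's exponents c = 3, d = 9 and the safe prime p = 23 are constructed values, and `is_prime` is trial division, adequate only for textbook-sized numbers.

```python
import secrets

def is_prime(n):
    """Trial division; adequate for the textbook-sized primes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_safe_prime(p):
    """p = 2q + 1 with both p and q prime (slide 42)."""
    return is_prime(p) and p > 2 and is_prime((p - 1) // 2)

def dh_run(p, g, a, b):
    """One honest exchange: returns (y, z, k_alice, k_bob) with y = g^a, z = g^b, k = g^ab (mod p)."""
    y, z = pow(g, a, p), pow(g, b, p)
    return y, z, pow(z, a, p), pow(y, b, p)

def dh_mitm(p, g, a, b, c, d):
    """Slides 39-40: Eve substitutes w = g^c for y and v = g^d for z.
    Returns (k1_bob, k1_eve, k2_alice, k2_eve): Bob ends up sharing k1 with Eve, Alice shares k2 with Eve,
    and the two keys differ, which is why an out-of-band confirmation of k (slide 47) can expose this."""
    y, z = pow(g, a, p), pow(g, b, p)      # what Alice and Bob actually send
    w, v = pow(g, c, p), pow(g, d, p)      # what Eve forwards instead
    return pow(w, b, p), pow(z, c, p), pow(v, a, p), pow(y, d, p)

def is_square(x, p):
    """Euler's criterion; this is exactly what an observer can evaluate on a public value y."""
    return pow(x % p, (p - 1) // 2, p) == 1

def parity_visible(g, a, p):
    """Slide 41: with a non-square g, y = g^a is a square iff a is even, so the low bit of a is public.
    Returns True when is_square(y) reports a's parity correctly."""
    return is_square(pow(g, a, p), p) == (a % 2 == 0)

def choose_square_generator(p):
    """Slide 43: random r in [2, p-2], g = r^2 mod p, rejecting 1 and p-1. For a safe prime p this g
    generates the order-q sub-group, in which every element is a square, so parity_visible learns nothing."""
    while True:
        r = 2 + secrets.randbelow(p - 3)          # uniform over 2..p-2
        g = pow(r, 2, p)
        if g not in (1, p - 1):
            return g

if __name__ == "__main__":
    print("slides 44/45 (y, z, k_alice, k_bob):", dh_run(11, 2, 5, 7))
    print("MITM keys with constructed c=3, d=9:", dh_mitm(11, 2, 5, 7, 3, 9))
    print("parity of a visible for g=2, a=5 mod 11:", parity_visible(2, 5, 11))
    g = choose_square_generator(23)
    print("safe prime 23: square generator", g, "has order",
          next(m for m in range(1, 23) if pow(g, m, 23) == 1))
```

Two things the slides state but are easy to miss in practice: the MITM produces two different keys (k1 ≠ k2), so any confirmation value derived from k that both parties compare will disagree; and with g chosen as a square modulo a safe prime, every public value is a square, so the Euler-criterion check an eavesdropper could run on y returns the same answer for every a.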

47
Diffie-Hellman Key Exchange
The Protocol
  • Every user should publish her/his public key (p,
    g and y) in a directory. Then all users whose
    keys are in the directory can communicate with
    one another securely by calculating the secret
    key.
  • Question: How authentic will the directory be?
  • Authenticate using the Diffie-Hellman key: If
    Alice and Bob recognize each other's voice, voice
    samples may be encrypted by using the secret key
    and exchanged to confirm that there is no MITM.
  • Problem: This will work only until voice synthesis
    technology is able to reproduce exactly
    similar voice samples.

48
ElGamal's PK System - keys
  • Choose a prime number p and two random numbers g
    and d such that
  • g is a primitive root modulo p,
  • 1 ≤ d ≤ (p-2)
  • Calculate e = g^d mod p
  • Private key: d
  • Public key: e, g and p
  • Example: Choose p = 11, g = 4 and d = 8
  • e = 4^8 mod 11 = 9
  • Private key: 8; Public key: 9, 4 and 11

49
ElGamal's PK System - Security
  • SECURITY: To find d from the public key, one has to
    solve the equation 4^d mod 11 = 9, or d =
    dlog_{4,11}(9).
  • This is the Discrete Logarithm Problem.
  • It is computationally infeasible for large values
    of p.

50
ElGamal ENCRYPTION of plaintext message
0 ≤ m ≤ p-1
  • Bob wants to send a message securely to Alice.
  • He knows Alice's public key e, g and p.
  • Encryption Process by Bob:
  • Choose a random number k < p; k is to be kept
    secret by Bob.
  • Message Key K = e^k mod p
  • The Cipher consists of two numbers (C1, C2):
  • C1 = g^k mod p; C2 = K.m mod p
  • K masks the message by using the public key of
    Alice.
  • Bob sends the masked message C2 along with C1.
  • C1 helps Alice calculate the mask K for
    decryption.
  • The inverse of K helps calculation of m.

51
ElGamal's PK System
- Encryption Example
Given Alice's public key e = 9, g = 4 and p =
11, Bob chooses a random number k = 7. Bob wants
to send the message m = 5 to Alice.
[Figure: ElGamal Encrypter; input m and public key (e, g, p); output (C1, C2)]
Message Key K = 9^7 mod 11 = 4; C1 = 4^7 mod 11 =
5; C2 = 4×5 mod 11 = 9. Bob sends the Cipher (5,
9) to Alice.
52
ElGamal's PK System
Decryption
  • Alice receives (C1 and C2). She has her private
    key d. To decrypt:
  • K = e^k mod p = g^dk mod p = C1^d mod p
  • C2 = K.m mod p
  • or m = K^-1 . C2 mod p

[Figure: ElGamal Decrypter; input (C1, C2) and d; output m]
53
ElGamal's PK System
Comments
  • Alice keeps d as a secret.
  • Bob keeps k as his secret.
  • Bob can compute the mask
  • K = e^k mod p.
  • Bob does not know d. But he knows e,
  • where e = g^d mod p.
  • Therefore K = g^dk mod p
  • Bob sends C2 along with C1, where C1 = g^k mod p.
  • Alice can compute K without knowing k, since K =
    C1^d mod p.

54
ElGamal's PK System
Decryption Example
  • Given:
  • Cipher (C1, C2) = (5, 9)
  • Alice's Private Key d = 8
  • To Find m:
  • K = 5^8 mod 11 = 4
  • K^-1 . 4 mod 11 = 1 → K^-1 = 3
  • m = 3 . 9 mod 11 = 5
  • Reference: Example 5.8 from Man Young Rhee,
    Internet Security: Cryptographic Principles,
    Algorithms and Protocols. Wiley 2003
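
The ElGamal key generation, encryption and decryption of slides 48 to 54, as an added example (not code from the presentation) that reproduces the slide's numbers: public key (9, 4, 11), ciphertext (5, 9) for m = 5 with k = 7, and recovery of m = 5 with d = 8. The per-message k defaults to a fresh random value, as slide 50 requires; `pow(K, -1, p)` for the modular inverse needs Python 3.8 or later. One caveat worth checking in code: the slide's g = 4 has order 5 modulo 11, so it is not a primitive root as slide 48 asks for; the arithmetic still round-trips, but e and C1 then live in a 5-element sub-group.

```python
import secrets

def order_mod(a, p):
    """Order of a mod the prime p (brute force); used to check the slide's choice of g."""
    m, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        m += 1
    return m

def elgamal_keygen(p, g, d):
    """Slide 48: private key d, public key (e, g, p) with e = g^d mod p."""
    if not 1 <= d <= p - 2:
        raise ValueError("d must satisfy 1 <= d <= p-2")
    return d, (pow(g, d, p), g, p)

def elgamal_encrypt(pub, m, k=None):
    """Slide 50: secret k < p chosen per message; K = e^k, C1 = g^k, C2 = K.m (mod p)."""
    e, g, p = pub
    if not 0 <= m <= p - 1:
        raise ValueError("message must be in 0..p-1")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)          # fresh value in 1..p-2 for every message
    K = pow(e, k, p)
    return pow(g, k, p), (K * m) % p

def elgamal_decrypt(d, p, cipher):
    """Slide 52: K = C1^d mod p (= g^dk), then m = K^-1 . C2 mod p."""
    c1, c2 = cipher
    K = pow(c1, d, p)
    return (pow(K, -1, p) * c2) % p

if __name__ == "__main__":
    d, pub = elgamal_keygen(11, 4, 8)
    print("public key (e, g, p):", pub)                  # (9, 4, 11)
    c = elgamal_encrypt(pub, 5, k=7)
    print("cipher for m = 5, k = 7:", c)                 # (5, 9)
    print("decrypted:", elgamal_decrypt(d, 11, c))       # 5
    print("order of g = 4 mod 11:", order_mod(4, 11))    # 5, not 10
```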

55
Digital Signature
  • Association with the entity which signs it:
  • The receiver can associate it with the signing
    entity.
  • The signer cannot repudiate it.
  • Association with the message:
  • The message which is authenticated cannot be
    changed.

56
Attacks on RSA Systems .1
  • Low Exponent Attack: e is sometimes chosen to be
    small (e.g. 3) to make encryption faster.
  • Coppersmith's Theorem: For a polynomial f(x) of
    degree e modulo n, an algorithm of complexity
    polynomial in log n finds the roots if one of the
    roots is smaller than n^(1/e).
  • On applying the theorem to c = m^e mod n, for
    e = 3, if two-thirds of the bits in m are
    known, the algorithm can find all the bits.
  • Recommendation: e should not be smaller than 2^16 + 1 =
    65537.

57
Attacks on RSA Systems .2
  • Broadcast Attack: If the same message is sent to
    many recipients with e = 3:
  • a1 = m^3 mod n1
  • a2 = m^3 mod n2
  • a3 = m^3 mod n3
  • The CRT can be used to find
  • A = m^3 mod n1.n2.n3
  • m can then be found by using ordinary arithmetic
    (m^3 < n1.n2.n3, so A is m^3 itself and an integer
    cube root gives m).

58
Attacks on RSA Systems .3
  • Short Pad Attack: Bob wants to send a message m
    to Alice. He pads it with x and encrypts m || x to
    get C1. The message is intercepted and dropped by
    Eve.
  • Alice tells Bob that she has not received the
    message.
  • Bob again pads m with y and encrypts m || y to
    get C2. The message is intercepted by Eve.
  • If x and y are small, Coppersmith proved that
    Eve can find m.
  • Use Optimal Asymmetric Encryption Padding (OAEP)
    with
  • G: a function for converting k bits to m
    bits, and
  • H: a function for converting m bits to k bits

59
Comparison
  • How secure are RSA and Diffie-Hellman or ElGamal?
  • RSA: based on factorization
  • Diffie-Hellman and ElGamal: based on the DLP
  • It has been proved that
  • factoring a large number is equivalent to solving the
    DLP problem.
  • Sub-exponential but super-polynomial
    algorithms exist.

60
Elliptic Curve Cryptosystem (ECC)
  • For ECC, a sub-exponential algorithm for
    breaking it has not been found.
  • So ECC is more secure than RSA or ElGamal,
  • or, put differently, a much smaller key size can
    achieve the same security as RSA or ElGamal with a
    large key size, so it is more efficient.

61
Elliptic curve group over real numbers
  • y^2 = x^3 + ax + b, where x, y, a and b are real
    numbers.
  • All (x,y) points satisfying the above equation,
    along with the point at infinity O and an addition
    operation, form a group.
  • Suppose P = (x,y); then define
  • -P = (x,-y).

62
Definition of a Group
A1: closure under addition
A2: associativity of addition
A3: additive identity
A4: additive inverse
Group: satisfies A1 to A4
  • Abelian Group: satisfies A1 to A5, where
A5: commutativity of addition
63
Elliptic curve example
64
Addition operation (A Geometric Approach)
  • If P and Q are distinct, and if P ≠ -Q, define
    P + Q as follows:
  • Draw a line through P and Q; the line will
    intersect the curve, the intersection point
    is denoted as R, and we define P + Q = R.
  • Define P + (-P) = O
  • If P = (x,0), then P + P = O (in fact, a vertical
    line)
  • Otherwise, draw a tangent line through P; the
    intersection point is defined as R; then P + P = 2P =
    R.

65
Definition of P + Q = R
66
Definition of P + (-P)
67
Definition of P + P (where y ≠ 0)
68
Definition of P + P (where y = 0)
69
Elliptic Curve Addition: An Algebraic Approach
  • Adding distinct points P and Q: When P = (xP, yP)
    and Q = (xQ, yQ) and P ≠ Q, P ≠ -Q, P + Q = R
    where s = (yP - yQ) / (xP - xQ), xR = s^2 - xP - xQ
    and yR = -yP + s(xP - xR). Note that s is the
    slope of the line through P and Q.
  • Doubling the point P: When yP is not 0, 2P = R
    where s = (3xP^2 + a) / (2yP), xR = s^2 - 2xP and
    yR = -yP + s(xP - xR)
  • P + (-P) = O,
  • If P = (xP, yP) and yP = 0, then P + P = 2P = O.

70
Elliptic Curve Groups over Zp
  • Zp = {0, 1, ..., p-1}
  • y^2 mod p = (x^3 + ax + b) mod p
  • where a and b are in Zp, and x, y are also in Zp.
  • Addition is with modulus p.
  • Example: p = 23, Zp = Z23, y^2 = x^3 + x
  • Points lying on y^2 = x^3 + x:
  • (0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13)
    (13,5) (13,18) (15,3) (15,20) (16,8) (16,15)
    (17,10) (17,13) (18,10) (18,13) (19,1) (19,22)
    (20,4) (20,19) (21,6) (21,17)
  • Corresponding elliptic curves over GF(2^m) use
    y^2 + xy = x^3 + ax^2 + b

71
y^2 mod 23 = (x^3 + x) mod 23
72
Elliptic Curve groups and the Discrete Logarithm
Problem
  • Points on an elliptic curve along with the addition
    operation form a group.
  • Given a point P (P ≠ (x, 0)), consider 2P = P + P,
    3P = 2P + P, ..., nP = (n-1)P + P.
  • Given any n, it is easy to compute R = nP.
  • However, given R, it is very difficult to find n
    such that nP = R.
  • This is called the Elliptic Curve Discrete
    Logarithm Problem (ECDLP).

73
Many cryptosystems can be formed based on
Elliptic Curves
  • Example: Diffie-Hellman key exchange
  • Given an elliptic curve E and a point P (public):
  • Alice selects an a, computes A = aP, sends A to Bob
  • Bob selects a b, computes B = bP, sends B to Alice
  • Then Alice can compute the key K = aB = abP;
    similarly, Bob computes the key K = bA = abP
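
The algebraic addition formulas of slide 69 applied over Z_p (slide 70), scalar multiplication by double-and-add (the easy direction of the ECDLP on slide 72), and the elliptic-curve Diffie-Hellman of slide 73, as an added example that is not code from the presentation. The curve is the slide's y^2 = x^3 + x over Z_23, and `points()` recovers the 23 affine points the slide lists by exhaustive search; the ECDH exponents a = 3, b = 7 and the base point (9, 5) are constructed for the demonstration. Division is done with `pow(x, -1, p)` (Python 3.8+).

```python
class CurveZp:
    """Short Weierstrass curve y^2 = x^3 + a x + b over Z_p with the slide-69 addition formulas.
    The point at infinity O is represented by None."""

    def __init__(self, a, b, p):
        self.a, self.b, self.p = a % p, b % p, p

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        if Q == self.neg(P):                  # P + (-P) = O; also covers doubling a point with y = 0
            return None
        xP, yP = P
        xQ, yQ = Q
        if P == Q:                            # tangent slope s = (3 xP^2 + a) / (2 yP)
            s = (3 * xP * xP + self.a) * pow(2 * yP, -1, p) % p
        else:                                 # chord slope s = (yP - yQ) / (xP - xQ)
            s = (yP - yQ) * pow(xP - xQ, -1, p) % p
        xR = (s * s - xP - xQ) % p            # for P == Q this is s^2 - 2 xP
        yR = (-yP + s * (xP - xR)) % p
        return (xR, yR)

    def mul(self, n, P):
        """n.P by double-and-add: the easy direction of the ECDLP (slide 72)."""
        R, Q = None, P
        while n > 0:
            if n & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            n >>= 1
        return R

    def points(self):
        """All affine points (x, y) with y^2 = x^3 + a x + b (mod p), by exhaustive search."""
        return [(x, y) for x in range(self.p) for y in range(self.p) if self.on_curve((x, y))]

def ecdh(curve, P, a, b):
    """Slide 73: A = aP, B = bP; Alice computes aB, Bob computes bA. Returns (aB, bA)."""
    A, B = curve.mul(a, P), curve.mul(b, P)
    return curve.mul(a, B), curve.mul(b, A)

if __name__ == "__main__":
    E = CurveZp(1, 0, 23)                     # y^2 = x^3 + x over Z_23, slide 70
    pts = E.points()
    print(len(pts), "affine points:", pts)
    print("(1,5) + (9,5) =", E.add((1, 5), (9, 5)))
    print("2.(1,5) =", E.add((1, 5), (1, 5)), " 4.(1,5) =", E.mul(4, (1, 5)))
    print("ECDH keys (constructed a=3, b=7, P=(9,5)):", ecdh(E, (9, 5), 3, 7))
```

Note that the point (1, 5) has order 4 on this curve (2.(1,5) = (0,0), whose y is 0, so 4.(1,5) = O): a base point of small order gives a key exchange with only a handful of possible keys, the elliptic-curve analogue of the small sub-group problem on slide 41, so the order of the public point P is something to verify before using it.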

74
  • "It is tough to make predictions, especially
    about the future."
  • -- Yogi Berra

75
Differences between an Identity-based System and
a standard PK system
  • Different methods of
  • constructing a key
  • distributing a key
  • authenticating a key
  • using a key
  • References: 1. Liqun Chen, Identity-based
    Cryptography, HP Laboratories, 2006,
    http://www.sti.uniurb.it/events/fosad06/papers/Chen-fosad06.pdf
  • 2. A. Shamir. Identity-based cryptosystems and
    signature schemes. In Advances in Cryptology -
    Crypto '84, Springer-Verlag LNCS 196, 47-53, 1984.

76
Public Key Infrastructure (PKI) System
  • Sender (Alice) requests the CA for the public key
    of the Receiver (Bob).
  • Through an authenticated channel, the CA sends the
    public key certificate (of Bob), signed by the
    private key of the CA.
  • Alice decrypts the certificate using the public
    key of the CA.
  • Alice encrypts her message using the public key
    of Bob.
  • Alice sends the message to Bob through the Internet.
  • Bob gets his private key from the CA through an
    authenticated channel and decrypts the message.

77
Identity Based Encryption (IBE)
  • Alice uses the identity of Bob to create his
    public key.
  • Alice encrypts her message using the public key
    of Bob.
  • Alice sends the message to Bob through the Internet.
  • Bob gets his private key from the Master Key
    Generator by supplying his identity to it.
  • Bob decrypts the message by using his private key.

78
Key Generator in IBE
  • Inputs: Identity, Master Key
  • Output: Private Key

[Figure: Private Key Generator]
79
IBE Schemes
  • Shamir's paper, 1984
  • Three IBE schemes in 2001:
  • Sakai, Ohgishi and Kasahara
  • Boneh and Franklin
  • Cocks
  • Sakai and Kasahara in 2003
  • ...

80
Identity
  • E-mail address
  • Photo
  • Phone number
  • Postal address
  • Role-based access based upon the role of a person
    in his organization

81
Shamir's Method: IB Private key for
Bob
  • Identity may be the digest of any data string
    associated with Bob
  • Thus ID = H(bob@uwindsor.ca)
  • Let the Master private and public keys be (d,
    n) and (e, n) respectively.
  • Private key S_ID = ID^d mod n
  • For signing a message:
  • Choose r, a random number
  • Compute t = r^e mod n
  • Find f = H(t, m) where m = message

82
Shamir's Method: Verification of
Signatures
  • s = S_ID . r^f mod n
  • Output: Signature (s, t)
  • Verification of Signatures:
  • Compute s^e
  • Compute ID . t^H(t,m) mod n
  • If s^e = ID . t^H(t,m) mod n, the signature is
    acceptable.
  • PROOF
  • LHS = s^e = ID^(d.e) . r^(f.e) mod n = ID . r^(f.e) mod n
  • RHS = ID . r^(e.f) mod n

83
X.509v3
  • 1. Distinguished Name
  • Root CA: single point of failure
  • 2. Validity period
  • 3. Public Key
  • Example: National CA / Univ of Windsor / CS / End User
    like Chris Smith 2075
  • Policy of CA
  • Access Control through the certificate
  • Certificate revocation lists (CRLs)
  • Cross-certification is the black hole of PKI

84
CRL Problems
  • Not issued frequently enough to be effective
    against an attacker
  • Expensive to distribute
  • Vulnerable to simple DoS attacks:
  • An attacker can prevent revocation by blocking CRL
    delivery
  • If a user caches a CRL, he may deal with an
    outdated CRL.

85
CRL Problems .2
  • A back-dated CRL can appear at any point in the
    future
  • Destroys the entire concept of nonrepudiation
  • Revoking self-signed certificates is hairy:
  • when a cert revokes itself, applications may
  • accept the CRL as valid and revoke the
    certificate,
  • reject the CRL as invalid since it was signed
    with a revoked certificate, or
  • crash
  • Trying to provide timely revocation exacerbates the
    problem
  • Example: 10M clients download a 1MB CRL issued
    once a minute → 150GB/s traffic

86
Online Certificate Status Protocol, OCSP
  • Reply is created on the spot in response to the
    request
  • Ephemeral pseudo-CRL avoids the CRL validity period
  • Problems:
  • Requires a signing operation for every query
  • CAs charge fees to issue a certificate ("most
    expensive collection of bits in the world");
    revocation checks may also cost.

87
ISO/IEC 11770-3 Key Agreement Scheme
  • Developed by Guillou and Quisquater, based on
    Shamir's scheme
  • ID_A and ID_B: identities of Alice and Bob
    respectively.
  • Master Key Generator:
  • private key (d, n), public key (e, n)
  • Two elements g and h such that g = h^e mod n
  • Master Key Generator creates private keys for
    Alice and Bob as follows:
  • S_A = (1/ID_A)^d mod n
  • S_B = (1/ID_B)^d mod n

88
ISO/IEC 14888-2 Signature Scheme
Key Exchange
  • Alice selects a random number a and computes
  • t_A = S_A . h^a mod n and sends it
    to Bob.
  • Bob selects a random number b and computes
  • t_B = S_B . h^b mod n and sends it
    to Alice.
  • Both Alice and Bob are able to compute the common
    key K_AB as follows:
  • K_AB = ((t_B)^e . ID_B)^a = g^ab and K_AB = ((t_A)^e . ID_A)^b
    = g^ab
  • The common symmetric key can be used by Alice and
    Bob to exchange messages.
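
Both RSA-based identity schemes on these slides, Shamir's identity-based signature (slides 81 and 82) and the Guillou-Quisquater key agreement (slides 87 and 88), run on one shared toy master key. This is an added example, not code from the presentation: the master key n = 61·53, e = 17 is a constructed textbook-sized value with no security, `h_int` is a constructed choice of H (SHA-256 reduced mod n), and the identities 1234 and 5678, the random r = 77, h = 2 and the exponents a = 5, b = 9 are all constructed. The verification in `shamir_verify` is the slide's proof in code: s^e = ID^(de) r^(fe) = ID r^(fe) mod n; `gq_key` uses the slide's identity (t_B^e . ID_B) = h^(be) = g^b.

```python
import hashlib
from math import gcd

def toy_master_key():
    """Constructed toy master key, illustration only: n = 61*53 = 3233, e = 17, d = e^-1 mod phi(n)."""
    p, q, e = 61, 53, 17
    n, phi = p * q, (p - 1) * (q - 1)
    return pow(e, -1, phi), e, n          # (d, e, n)

def h_int(*parts, mod):
    """Hash H(...) as an integer mod `mod`: SHA-256 over a '|'-joined encoding (a constructed choice)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

# --- Shamir's identity-based signature (slides 81-82) ---

def shamir_private_key(identity, d, n):
    """ID = H(identity string), S_ID = ID^d mod n. Returns (ID, S_ID)."""
    ID = h_int(identity, mod=n)
    return ID, pow(ID, d, n)

def shamir_sign(S_ID, m, r, e, n):
    """t = r^e, f = H(t, m), s = S_ID . r^f (mod n). The signature is (s, t)."""
    t = pow(r, e, n)
    f = h_int(t, m, mod=n)
    return (S_ID * pow(r, f, n)) % n, t

def shamir_verify(ID, m, sig, e, n):
    """Accept iff s^e = ID . t^H(t, m) (mod n)."""
    s, t = sig
    f = h_int(t, m, mod=n)
    return pow(s, e, n) == (ID * pow(t, f, n)) % n

# --- Guillou-Quisquater key agreement (slides 87-88) ---

def gq_private_key(ID, d, n):
    """S = (1/ID)^d mod n; the identity value must be invertible mod n."""
    if gcd(ID, n) != 1:
        raise ValueError("identity not invertible mod n")
    return pow(pow(ID, -1, n), d, n)

def gq_token(S, h, x, n):
    """t = S . h^x mod n, the value sent to the peer."""
    return (S * pow(h, x, n)) % n

def gq_key(t_peer, ID_peer, x, e, n):
    """K = ((t_peer)^e . ID_peer)^x mod n, which equals g^(ab) with g = h^e."""
    return pow((pow(t_peer, e, n) * ID_peer) % n, x, n)

if __name__ == "__main__":
    d, e, n = toy_master_key()
    ID, S = shamir_private_key("bob@uwindsor.ca", d, n)     # identity string from slide 81
    sig = shamir_sign(S, "pay 10", 77, e, n)
    print("Shamir signature (s, t):", sig, "verifies:", shamir_verify(ID, "pay 10", sig, e, n))
    ID_A, ID_B, h = 1234, 5678, 2                            # constructed
    S_A, S_B = gq_private_key(ID_A, d, n), gq_private_key(ID_B, d, n)
    t_A, t_B = gq_token(S_A, h, 5, n), gq_token(S_B, h, 9, n)
    print("GQ keys agree:", gq_key(t_B, ID_B, 5, e, n) == gq_key(t_A, ID_A, 9, e, n))
```

The gcd guard in `gq_private_key` is the one practical check the slides skip: an identity hash that is not invertible mod n makes (1/ID)^d undefined, so a key generator has to reject or re-hash such identities rather than fail silently.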

89
Cocks's quadratic residues IBE scheme
  • based on the hardness of the quadratic residues
    problem, i.e. given y, find x such that
  • y = x^2 mod n
  • n = pq where p and q are two large primes, like
    in RSA
  • does not use pairings
  • Reference: C. Cocks. An identity-based encryption
    scheme based on quadratic residues. In
    Proceedings of Cryptography and Coding, LNCS
    2260, pp. 360-363, Springer-Verlag, 2001

90
Cocks's quadratic residues IBE scheme ...2
  • is quite fast
  • encrypts a message bit by bit, and requires
    log n bits of ciphertext per bit of plaintext
  • Reference: C. Cocks. An identity-based
    encryption scheme based on quadratic residues. In
    Proceedings of Cryptography and Coding, LNCS
    2260, pp. 360-363, Springer-Verlag, 2001.

91
Pairings in IBE
  • Pairings which have been used in identity-based
    cryptography: the Weil pairing and the Tate
    pairing and their variants.
  • References: 1. P. Barreto, H. Kim, B. Lynn, and
    M. Scott, Efficient algorithms for pairing-based
    cryptosystems, Proceedings of CRYPTO 2002, LNCS
    2442, pages 354-369, Springer-Verlag, 2002.
  • 2. D. Boneh and M. Franklin. Identity based
    encryption from the Weil pairing. In Advances in
    Cryptology - Crypto 2001, Springer-Verlag LNCS
    2139, 213-229, 2001.