A Primer to Cryptography - PowerPoint PPT Presentation

Cryptography & Digital Signatures. Scope. An Introduction. Classical Cryptography ... 3) a 'copy' of digital signature is identical to original so the message to be ... – PowerPoint PPT presentation

Slides: 55
Provided by: ivanlimw

Transcript and Presenter's Notes


1
A Primer to Cryptography & Digital Signatures
2
Scope
  • An Introduction
  • Classical Cryptography
  • Public-Key Cryptography
  • Digital Signatures

3
Part 1: An Introduction
4
What is Cryptography?
5
Definition
  • Cryptology
  • Cryptology is the study of cryptography and
    cryptanalysis.
  • Cryptography
  • Cryptography is the study of mathematical
    techniques related to aspects of information
    security, such as confidentiality, data
    integrity, entity authentication, and data origin
    authentication.
  • Cryptanalysis
  • Cryptanalysis is the study of mathematical
    techniques for attempting to defeat information
    security services.

6
Do You Know?
  • Navajo Code Talkers
  • Enigma Cipher Machine

7
Part 2: Classical Cryptography
8
A Picture
[Figure labels: Opponent; Message Sent; Internet; Message Received]
9
Some Definitions
  • Plaintext, x
  • English text, numbers, information in raw form
  • Ciphertext, y
  • The encrypted form of the above
  • Keyspace, K
  • The finite set of all possible keys

10
Some Definitions (Contd)
  • Encryption Key, $e_K$
  • The key to encrypt the plaintext to ciphertext
  • Decryption Key, $d_K$
  • The key to decrypt the ciphertext back to
    plaintext
  • Note
  • $e_K(x) = y$ and $d_K(y) = x$
  • i.e. $d_K(e_K(x)) = x$ for all plaintext $x$

11
A Picture Too
[Figure labels: Alice; Encrypter; Decrypter; Bob; Oscar; Key Source; Secure Channel; plaintext x; ciphertext y; key K]
12
Definition
  • A cryptosystem is a five-tuple
    $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$,
    where the following conditions are satisfied:
  • 1. $\mathcal{P}$ is a finite set of possible plaintexts
  • 2. $\mathcal{C}$ is a finite set of possible ciphertexts
  • 3. $\mathcal{K}$, the keyspace, is a finite set of possible
    keys
  • 4. For each $K \in \mathcal{K}$,
  • there is an encryption rule $e_K \in \mathcal{E}$ and a
    corresponding decryption rule $d_K \in \mathcal{D}$.
  • Each $e_K : \mathcal{P} \to \mathcal{C}$ and $d_K : \mathcal{C} \to \mathcal{P}$ are functions
  • such that $d_K(e_K(x)) = x$ for every plaintext $x \in \mathcal{P}$.

13
Some Examples of Classical Cryptosystems
  • Shift Cipher
  • Substitution Cipher
  • Affine Cipher
  • Vigenere Cipher
  • Hill Cipher
  • Permutation Cipher

14
Example of Classical Cryptosystem
  • Shift Cipher
  • 1) We set up a correspondence between the 26
    letters of the English alphabet and the residues modulo 26.
  • i.e. A ↔ 0, B ↔ 1, C ↔ 2, D ↔ 3, E ↔ 4, ...,
  • X ↔ 23, Y ↔ 24, Z ↔ 25
  • 2) We define the Shift Cipher as follows
  • For $0 \le K \le 25$,
  • Define $e_K(x) = x + K \bmod 26 \ (= y)$
  • Define $d_K(y) = y - K \bmod 26 \ (= x)$

15
Example 1
  • Suppose the encryption key is $K = 3$, and the
    plaintext is as follows
  • JUSTDIDIT
  • Convert the plaintext to residues modulo 26
  • 9 20 18 19 3 8 3 8 19
  • Add 3 to each value and reduce it modulo 26
  • 12 23 21 22 6 11 6 11 22
  • Convert the integers back to letters for the
    ciphertext.
  • MXVWGLGLW

16
Example 1(Contd)
  • To decrypt MXVWGLGLW
  • Convert the ciphertext to residues modulo 26.
  • 12 23 21 22 6 11 6 11 22
  • To decrypt, subtract 3 from each value
    (or add 23 to it) modulo 26.
  • 9 20 18 19 3 8 3 8 19
  • Convert the integers back to letters for the
    plaintext.
  • JUSTDIDIT

17
Did you know?
  • For the particular key $K = 3$,
  • the cryptosystem is often called the Caesar
    Cipher, which was purportedly used by Julius
    Caesar.

18
Part 3: Public-Key Cryptosystems
19
Concept
  • Previously, for classical cryptosystems, the keys
    $e_K$ and $d_K$ are symmetric and need prior
    communication of the key between both parties.
  • For modern cryptosystems, it is computationally
    infeasible to determine $d_K$ given $e_K$.
  • (computationally secure, not unconditionally
    secure.)
  • Hence, $e_K$ can be made public by publishing it in
    a directory.
  • Advantage: Anyone can send an encrypted message
    to a specific person and only that person who has
    the decryption key can decrypt the ciphertext.

20
Some Examples of Public-Key Cryptosystems
  • RSA
  • Merkle-Hellman Knapsack
  • McEliece (or Niederreiter) Cryptosystem
  • ElGamal Cryptosystem
  • Chor-Rivest Cryptosystem
  • Elliptic Curve Cryptosystem

21
RSA Cryptosystem
  • Based on the difficulty of factoring large
    integers
  • Uses computation in $\mathbb{Z}_n$, where n is the product of
    2 distinct odd primes p and q and that
  • $\phi(n) = (p - 1)(q - 1)$

22
Definition
  • Let $n = pq$, where p and q are primes.
  • Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_n$
  • Define
  • $\mathcal{K} = \{(n, p, q, a, b) : n = pq,\ p, q \text{ prime},\ ab \equiv 1 \pmod{\phi(n)}\}$
  • Note that a and b are coprime to $\phi(n)$.
  • For $K = (n, p, q, a, b)$ define
  • $e_K(x) = x^b \bmod n$
  • and $d_K(y) = y^a \bmod n$ $(x, y \in \mathbb{Z}_n)$
  • The values n and b are public, and the values p,
    q and a are secret.

23
How does it work?
  • We verify that the encryption and decryption are
    inverse operations.
  • Since $ab \equiv 1 \pmod{\phi(n)}$, i.e. $ab = t\phi(n) + 1$
    for some integer $t \ge 1$.
  • Case 1: Suppose $\gcd(x, p) = 1$, then
  • $x^{p-1} \equiv 1 \pmod p$ (FLT)
  • Then $x^{t\phi(n)+1} \equiv x \pmod p$
  • Case 2: Suppose $\gcd(x, p) = p$, then
  • $x^{t\phi(n)+1} \equiv 0 \equiv x \pmod p$
  • Thus $x^{t\phi(n)+1} \equiv x \pmod p$ for all x

24
How does it work? (Contd)
  • Likewise, we do the same for q.
  • Hence, $x^{t\phi(n)+1} \equiv x \pmod q$ for all x
  • Since p and q are distinct primes, we have
  • $x^{t\phi(n)+1} \equiv x \pmod n$ for all x
  • Because $p \mid x^{t\phi(n)+1} - x$ and $q \mid x^{t\phi(n)+1} - x$,
  • and p and q are distinct primes,
  • $(pq =)\ n \mid x^{t\phi(n)+1} - x$
  • $x^{t\phi(n)+1} \equiv x \pmod n$ for all x

25
ElGamal Cryptosystem
  • Based on the difficulty of the discrete logarithm
    problem for finite fields.
  • Discrete Logarithm Problem for $\mathbb{Z}_p$
  • Find the unique integer a, $0 \le a \le p - 2$,
  • such that
  • $\alpha^a \equiv \beta \pmod p$
  • We denote this integer a by $\log_\alpha \beta$

26
Definition
  • Let p be a prime such that the discrete log
    problem in $\mathbb{Z}_p$ is intractable, and let $\alpha \in \mathbb{Z}_p^*$ be
    a primitive element.
  • Define $\mathcal{K} = \{(p, \alpha, a, \beta) : \alpha^a \equiv \beta \pmod p\}$
  • The values p, $\alpha$ and $\beta$ are public and a is
    secret.
  • For $K = (p, \alpha, a, \beta)$, and for a secret random
    number
  • $k \in \mathbb{Z}_{p-1}$, define
  • $e_K(x, k) = (y_1, y_2)$,
  • where $y_1 = \alpha^k \bmod p$ and $y_2 = x\beta^k \bmod p$
  • For $y_1, y_2 \in \mathbb{Z}_p^*$, define
  • $d_K(y_1, y_2) = y_2 (y_1^a)^{-1} \bmod p$

27
How ElGamal Cryptosystem Works
  • The plaintext x is masked by multiplying by $\beta^k$,
    yielding $y_2$.
  • The value $\alpha^k$ is also transmitted as part of the
    ciphertext.
  • By knowing the secret exponent a, we can compute
    $\beta^k$ from $\alpha^k$. Then we can remove the mask by
    dividing $y_2$ by $\beta^k$ to obtain x.
  • Note $(\alpha^k)^a = (\alpha^a)^k \equiv \beta^k \pmod p$
  • The system is nondeterministic, i.e. there are many possible
    ciphertexts for a plaintext x (one per randomly chosen k).

29
Part 4: Digital Signatures
30
Concept
  • Conventional Signature vs Digital Signature
  • For conventional signature,
  • 1) signature physically part of document
  • 2) verification of signature by comparison
  • Problems
  • 1) Need to be physically present to sign.
  • 2) Easy to forge a signature

31
Concept (Contd)
  • For digital signature,
  • 1) signature not part of message signed, so
    algorithm used must bind it to message.
  • 2) verified using publicly known algorithms,
    and much harder to forge.
  • 3) a copy of digital signature is identical
    to original so the message to be signed
    should contain information, such as date, to
    prevent being reused.

32
Important
  • It is important to take even more precautions for
    the security of a signature than that of a
    cryptosystem.
  • A message may be encrypted and decrypted only
    once, so it suffices to use any cryptosystem that
    is known to be secure at the time the message is
    encrypted.
  • However, a signed message could function as a
    legal document such as a contract or a will, so
    it is likely that it would be necessary to verify
    a signature long after the message is signed.

33
Digital Signature
  • A digital signature consists of two components:
  • a signing algorithm and a verification algorithm
  • One can sign a message x using a secret signing
    algorithm sig, and the resulting signature sig(x)
    can be subsequently verified using a public
    verification algorithm ver.
  • Given a pair (x, y), the verification
    algorithm returns a true or false answer
    depending on whether the signature is authentic.
  • $\mathrm{ver}(x, y) = \text{true}$ if $y = \mathrm{sig}(x)$
  • $\mathrm{ver}(x, y) = \text{false}$ if $y \ne \mathrm{sig}(x)$

34
Formal Definition
  • A digital signature is a five-tuple

35
Examples of Digital Signatures
  • RSA Signature Scheme
  • ElGamal Signature Scheme
  • Digital Signature Standard
  • One-time Signatures
  • Undeniable Signatures
  • Fail-stop Signatures

36
RSA Signature Scheme
  • Let $n = pq$ where p, q are primes.
  • Define
  • $\mathcal{K} = \{(n, p, q, a, b) : n = pq,\ p, q \text{ prime},\ ab \equiv 1 \pmod{\phi(n)}\}$
  • The values n and b are public, and the values p,
    q and a are secret.
  • For $K = (n, p, q, a, b)$ define
  • $\mathrm{sig}_K(x) = x^a \bmod n$
  • and $\mathrm{ver}_K(x, y) = \text{true} \iff x \equiv y^b \pmod n$
  • $(x, y \in \mathbb{Z}_n)$

37
Security Concerns
  • Not unconditionally secure but computationally
    secure.
  • Anyone can forge a signature on a random
    message x by computing $x = e_K(y)$ for some y;
    then $y = \mathrm{sig}_K(x)$.
  • However, the message will be meaningful with
    only a very small probability.
  • Signing, then Encrypting VS Encrypting, then
    Signing

38
ElGamal Signature Scheme
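  • Let p be a prime such that the discrete log
    problem in $\mathbb{Z}_p$ is intractable, and let $\alpha \in \mathbb{Z}_p^*$ be
    a primitive element.
  • Define $\mathcal{K} = \{(p, \alpha, a, \beta) : \alpha^a \equiv \beta \pmod p\}$
  • The values p, $\alpha$ and $\beta$ are public and a is
    secret.
  • For $K = (p, \alpha, a, \beta)$, and for a secret random
    number
  • $k \in \mathbb{Z}_{p-1}^*$, define
  • $\mathrm{sig}_K(x, k) = (\gamma, \delta)$,
  • where $\gamma = \alpha^k \bmod p$ and $\delta = (x - a\gamma) k^{-1} \bmod (p - 1)$
  • For $x, \gamma \in \mathbb{Z}_p^*$, $\delta \in \mathbb{Z}_{p-1}$ define
  • $\mathrm{ver}_K(x, \gamma, \delta) = \text{true} \iff \beta^\gamma \gamma^\delta \equiv \alpha^x \pmod p$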

39
How It Works
  • This scheme is also non-deterministic, so the
    verification algorithm must be able to accept any
    of the valid signatures as authentic.
  • $\beta^\gamma \gamma^\delta \equiv \alpha^{a\gamma} \alpha^{k\delta} \pmod p \equiv \alpha^x \pmod p$
  • from the fact that $a\gamma + k\delta \equiv x \pmod{p - 1}$

40
Security Concerns
  • There are ways to sign a random message by
    fixing $\gamma$, $\delta$ and x simultaneously.
  • However, although they produce valid forged
    signatures, they cannot choose the message to be
    signed.
  • Also, the random value k should not be revealed.
  • Otherwise, it is easy to compute
  • $a = (x - k\delta) \gamma^{-1} \bmod (p - 1)$
  • Also, k should not be used in signing
    two different messages. Otherwise, we can compute
    k from these two messages, and hence find a.
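
The signing and verification rules and the revealed-k formula above, as an added example that is not part of the original slides. The parameters p = 467, α = 2, a = 127 and the function names are assumptions chosen for illustration and are far too small for real use; `reused_k` shows how a verifier or auditor can spot a repeated k, since γ depends on k alone.

```python
from math import gcd

# Constructed toy parameters (assumptions of this example, not from the slides).
P, ALPHA = 467, 2            # prime p and a primitive element alpha
A = 127                      # signer's secret exponent a
BETA = pow(ALPHA, A, P)      # public value beta = alpha^a mod p


def sign(x, k, a=A):
    """sig_K(x, k) = (gamma, delta); k must be invertible modulo p-1."""
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be coprime to p-1")
    gamma = pow(ALPHA, k, P)
    delta = (x - a * gamma) * pow(k, -1, P - 1) % (P - 1)
    return gamma, delta


def verify(x, gamma, delta):
    """Accept iff beta^gamma * gamma^delta == alpha^x (mod p)."""
    # Enforce the domains from the definition before doing any arithmetic.
    if not (1 <= gamma <= P - 1 and 0 <= delta <= P - 2):
        return False
    lhs = pow(BETA, gamma, P) * pow(gamma, delta, P) % P
    return lhs == pow(ALPHA, x, P)


def secret_from_revealed_k(x, k, gamma, delta):
    """The slide's formula a = (x - k*delta) * gamma^-1 mod (p-1).

    Needs gcd(gamma, p-1) = 1, otherwise pow() raises ValueError.
    """
    return (x - k * delta) * pow(gamma, -1, P - 1) % (P - 1)


def reused_k(sig1, sig2):
    """gamma = alpha^k depends only on k, so equal gammas expose reuse."""
    return sig1[0] == sig2[0]


if __name__ == "__main__":
    s1 = sign(100, 213)
    print("signature:", s1, "verifies:", verify(100, *s1))
    print("a recovered from leaked k:", secret_from_revealed_k(100, 213, *s1))
    print("k reused:", reused_k(s1, sign(200, 213)))
```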

41
Digital Signature Standard (DSS)
  • A modification of the ElGamal Signature Scheme.
  • Adopted as a standard on December 1, 1994
  • Since the ElGamal Scheme is no more secure than
    the Discrete Logarithm problem, the prime p must
    be large.
  • p should be at least 512 bits (i.e. about 154
    decimal digits) or even 1024 bits to provide
    security. However, this will lead to very long
    signatures.
  • DSS modifies the ElGamal Scheme in an ingenious
    way so that a 160-bit message is signed using a
    320-bit signature, but the computations are done
    using a 512-bit modulus p.
  • For potential applications, such as smart cards,
    shorter signatures are desirable.

42
DSS
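  • Let p be a 512-bit prime such that the discrete
    log problem in $\mathbb{Z}_p$ is intractable, and let q be a
    160-bit prime that divides $p - 1$.
  • Let $\alpha \in \mathbb{Z}_p^*$ be a qth root of 1 modulo p.
  • Define $\mathcal{K} = \{(p, q, \alpha, a, \beta) : \alpha^a \equiv \beta \pmod p\}$
  • The values p, q, $\alpha$ and $\beta$ are public and a is
    secret.
  • For $K = (p, q, \alpha, a, \beta)$, and for a secret random
    number
  • $k \in \mathbb{Z}_{p-1}^*$, define
  • $\mathrm{sig}_K(x, k) = (\gamma, \delta)$,
  • where $\gamma = (\alpha^k \bmod p) \bmod q$ and $\delta = (x + a\gamma) k^{-1} \bmod q$
  • For $x \in \mathbb{Z}_q$ and $\gamma, \delta \in \mathbb{Z}_q$, verification is by
    computing
  • $e_1 = x\delta^{-1} \bmod q$
  • $e_2 = \gamma\delta^{-1} \bmod q$
  • $\mathrm{ver}_K(x, \gamma, \delta) = \text{true} \iff (\alpha^{e_1} \beta^{e_2} \bmod p) \bmod q = \gamma$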

43
One Time Signatures
  • We will describe a conceptually simple way to
    construct a one-time signature scheme from any
    one-way function.
  • The term one-time means only one message can be
    signed.
  • The scheme is known as Lamport Signature Scheme.

44
Lamport Signature Scheme
  • Informally, a message to be signed is a binary
    k-tuple where each bit is signed individually.
  • The value $z_{i,j}$ corresponds to the i-th bit of
    the message having value j (j = 0, 1)
  • Each $z_{i,j}$ is the image of $y_{i,j}$ under a one-way
    function f.
  • The i-th bit of the message is signed using the
    preimage $y_{i,j}$ of the $z_{i,j}$ corresponding to the
    i-th bit of the message.
  • Verification consists simply of checking that
    each signature is the preimage of the appropriate
    public-key element.

45
Definition
  • Let k be a positive integer, where k = number of bits
    of the message.
  • Suppose f is a one-way function, and let $y_{i,j}$
    be chosen at random, $1 \le i \le k$, $j = 0, 1$, and
  • let $z_{i,j} = f(y_{i,j})$, $1 \le i \le k$, $j = 0, 1$
  • Define $\mathrm{sig}(x_1, x_2, \ldots, x_k) = (y_{1,x_1}, y_{2,x_2}, \ldots, y_{k,x_k})$
  • and $\mathrm{ver}(x_1, x_2, \ldots, x_k, a_1, a_2, \ldots, a_k) = \text{true}$
  • $\iff f(a_i) = z_{i,x_i}$, $1 \le i \le k$

46
Security Concerns
  • It is not possible to forge a signature because
    we cannot invert the one-way function f to
    obtain the secret y's.
  • However, given signatures for two different
    messages, it is possible to construct signatures
    for further messages.
  • For example, if (0,0,1) and (1,1,1) are signed
    using same scheme, it is easy to construct
    (1,0,1) and (0,1,1)
  • The size of signatures for this scheme is very
    large. However, there is a modification due to
    Bos and Chaum that allows signatures to be made
    shorter using the Sperner property.
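
The Lamport scheme and the two-message weakness described above, as an added example that is not part of the original slides. Using SHA-256 as the one-way function f, the 32-byte secrets and all names here are assumptions; `LamportKey` refuses a second signature by default, and `exposed_messages` lists every message that becomes verifiable once the preimages from several signatures are known.

```python
import hashlib
import secrets
from itertools import product


def f(y: bytes) -> bytes:
    """One-way function f (SHA-256 is this example's assumption)."""
    return hashlib.sha256(y).digest()


class LamportKey:
    """Key pair for k-bit messages that refuses to sign twice."""

    def __init__(self, k: int):
        # Secret y[i][j] chosen at random; public z[i][j] = f(y[i][j]).
        self._y = [[secrets.token_bytes(32) for _ in (0, 1)] for _ in range(k)]
        self.z = [[f(v) for v in pair] for pair in self._y]
        self._used = False

    def sign(self, msg, enforce_one_time=True):
        if len(msg) != len(self._y):
            raise ValueError("message must have exactly k bits")
        if self._used and enforce_one_time:
            raise RuntimeError("one-time key already used")
        self._used = True
        # Reveal the preimage y[i][x_i] for each message bit x_i.
        return [self._y[i][bit] for i, bit in enumerate(msg)]


def verify(z, msg, sig):
    """Accept iff f(a_i) == z[i][x_i] for every bit position i."""
    if not (len(z) == len(msg) == len(sig)):
        return False
    return all(f(a) == z[i][bit] for i, (bit, a) in enumerate(zip(msg, sig)))


def exposed_messages(signed):
    """Map each message signable from the revealed preimages to a signature.

    `signed` is a dict {message tuple: signature} made with one key.
    """
    k = len(next(iter(signed)))
    known = [dict() for _ in range(k)]
    for msg, sig in signed.items():
        for i, bit in enumerate(msg):
            known[i][bit] = sig[i]
    return {m: [known[i][b] for i, b in enumerate(m)]
            for m in product(*(sorted(d) for d in known))}


if __name__ == "__main__":
    key = LamportKey(3)
    s1 = key.sign((0, 0, 1))
    s2 = key.sign((1, 1, 1), enforce_one_time=False)  # deliberate misuse
    for m, s in exposed_messages({(0, 0, 1): s1, (1, 1, 1): s2}).items():
        print(m, verify(key.z, m, s))
```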

47
Undeniable Signature Schemes
  • An example is Chaum-van Antwerpen Undeniable
    Signature Scheme.
  • Novel Features
  • A signature cannot be verified without
    cooperation of signer.
  • Verification is by means of a challenge-and-response
    protocol.
  • Signer cannot disavow a signature that he has
    made.
  • The scheme incorporates a disavowal protocol
    by which a signer can prove that a signature is a
    forgery. Refusal to do so would be regarded as
    evidence that the signature is genuine.
  • Hence, an undeniable signature scheme consists of
    3 components a signing protocol, a verification
    protocol, and a disavowal protocol.

48
Example (Verification Protocol)
  • Let $p = 467$. (i.e. $q = 133$)
  • 4 is an element of order 133 in $\mathbb{Z}_p$, so we will
    choose it as generator. Hence, $\alpha = 4$.
  • Suppose $a = 101$, then $\beta = \alpha^a \bmod 467 = 449$
  • Bob signs a message $x = 119$ with signature
  • $y = 119^{101} \bmod 467 = 129$
  • Alice wants to verify the signature using random
    values
  • $e_1 = 38$, $e_2 = 397$
  • She computes $c = 13$, and Bob will respond with $d = 9$
  • Alice checks the response by verifying
  • $119^{38} \cdot 4^{397} \equiv 9 \pmod{467}$
  • Alice accepts the signature as valid.

49
Proof that Verification Works
  • Note that the exponents are to be reduced modulo
    q.
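  • Observe $d \equiv c^{a^{-1}} \pmod p$
  • $\equiv y^{e_1 a^{-1}} \beta^{e_2 a^{-1}} \pmod p$
  • Since $\alpha^a \equiv \beta \pmod p$, we have $\beta^{a^{-1}} \equiv \alpha \pmod p$
  • Similarly, since $y \equiv x^a \pmod p$, we have $y^{a^{-1}} \equiv x \pmod p$
  • Hence $d \equiv x^{e_1} \alpha^{e_2} \pmod p$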

50
Security Concerns
  • Bob cannot fool Alice into accepting a fraudulent
    signature as valid, except with a very small
    probability
  • Theorem
  • If $y \not\equiv x^a \pmod p$, then Alice will accept y as
    a valid signature for x with probability 1/q.
  • The result does not depend on any computational
    assumptions, i.e. the security is unconditional.

51
Proof of Theorem
  • First observe that each possible challenge c
    corresponds to exactly q ordered pairs $(e_1, e_2)$
    because y and $\beta$ are both elements of the
    multiplicative group G of prime order p.
  • The idea is to use the fact that $\alpha$ is a generator of G,
    so we can express c, d, x, y as powers of $\alpha$.
    Then we use the exponents modulo q to form a
    system of congruences. Since $y \not\equiv x^a \pmod p$,
    the system has a nonzero determinant,
    i.e. there is a unique solution.
  • That is, every $d \in G$ is the correct response for
    exactly one of the q possible pairs $(e_1, e_2)$.
    Consequently, the probability that Bob gives a
    response d that will be verified is exactly 1/q.
    Thus the theorem is proved.

52
Example (Disavowal Protocol)
  • As before, $p = 467$, $\alpha = 4$, $a = 101$, $\beta = 449$
  • Suppose the message $x = 286$ is sent with bogus
    signature $y = 83$, and Bob wants to convince Alice
    that it is invalid.
  • Alice begins by choosing the random values
    $(e_1, e_2) = (45, 237)$
  • Alice computes $c = 305$ and Bob responds with $d = 109$
  • Alice computes $286^{45} \cdot 4^{237} \bmod 467 = 149$
  • Since $149 \ne 109$, Alice proceeds with step 5 of the
    protocol.

53
Example (Contd) - Disavowal Protocol
  • Alice chooses random values $(f_1, f_2) = (125, 9)$
  • Alice computes $C = 270$, and Bob responds with $D = 68$.
  • Alice computes $286^{125} \cdot 4^{9} \bmod 467 = 25$
  • Since $25 \ne 68$, Alice proceeds to step 9 of the
    protocol and performs the consistency check.
  • This check succeeds as $(109 \times 4^{-237})^{125} \equiv 188 \pmod{467}$
  • and $(68 \times 4^{-9})^{45} \equiv 188 \pmod{467}$
  • Hence, Alice is convinced the signature is
    invalid.
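
The verification and disavowal exchanges from the two worked examples above, as an added example that is not part of the original slides. The message flow is reconstructed from the slides' computations (c = y^e1 β^e2, d = c^(1/a), and the final consistency check); the function names and result strings are assumptions, and the code takes q = (p − 1)/2 = 233 as the order of α = 4.

```python
# Parameters from the slides' example; Q is computed here as (P - 1) / 2.
P = 467
Q = (P - 1) // 2
ALPHA, A = 4, 101            # generator of the order-Q subgroup, Bob's secret
BETA = pow(ALPHA, A, P)      # Bob's public value (the slides give 449)
A_INV = pow(A, -1, Q)        # exponents are reduced modulo Q


def sign(x):
    """Bob: y = x^a mod p."""
    return pow(x, A, P)


def challenge(y, e1, e2):
    """Alice: c = y^e1 * beta^e2 mod p for her random (e1, e2)."""
    return pow(y, e1, P) * pow(BETA, e2, P) % P


def respond(c):
    """Bob: d = c^(a^-1 mod q) mod p."""
    return pow(c, A_INV, P)


def expected(x, e1, e2):
    """Alice: the value x^e1 * alpha^e2 mod p a genuine signature yields."""
    return pow(x, e1, P) * pow(ALPHA, e2, P) % P


def verify(x, y, e1, e2):
    return respond(challenge(y, e1, e2)) == expected(x, e1, e2)


def disavow(x, y, e, f):
    """Two challenge rounds, then the consistency check from the slides."""
    (e1, e2), (f1, f2) = e, f
    d = respond(challenge(y, e1, e2))
    if d == expected(x, e1, e2):
        return "valid"
    D = respond(challenge(y, f1, f2))
    if D == expected(x, f1, f2):
        return "valid"
    # (d * alpha^-e2)^f1 == (D * alpha^-f2)^e1 (mod p) when Bob is honest.
    lhs = pow(d * pow(ALPHA, -e2, P) % P, f1, P)
    rhs = pow(D * pow(ALPHA, -f2, P) % P, e1, P)
    return "forgery" if lhs == rhs else "signer inconsistent"


if __name__ == "__main__":
    y = sign(119)
    print("y =", y, "accepted:", verify(119, y, 38, 397))
    print("x=286, y=83:", disavow(286, 83, (45, 237), (125, 9)))
```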

54
Security Concern (2)
  • This algorithm must be able to show two things
  • Bob can convince Alice that an invalid signature
    is a forgery.
  • Bob cannot make Alice believe a valid signature
    is a forgery except with a very small
    probability.
  • Theorem
  • If $y \not\equiv x^a \pmod p$, and Alice and Bob follow the
    disavowal protocol, then
    $(d\alpha^{-e_2})^{f_1} \equiv (D\alpha^{-f_2})^{e_1} \pmod p$
  • Theorem
  • Suppose $y \equiv x^a \pmod p$, and Alice follows the
    disavowal protocol.
  • If $d \not\equiv x^{e_1}\alpha^{e_2} \pmod p$ and $D \not\equiv x^{f_1}\alpha^{f_2} \pmod p$,
    then the probability that
  • $(d\alpha^{-e_2})^{f_1} \not\equiv (D\alpha^{-f_2})^{e_1} \pmod p$ is $1 - 1/q$.

55
Proof of Theorems
  • Proof of first theorem
  • Just dealing with the exponents of the variables
    involved.
  • Doing so, we will show (d? -e2) f1 ? y e1f 2 ?
    (D? -f2) e1 (mod p)
  • and thus the consistency check in step 9
    succeeds.
  • Proof of second theorem
  • Derive a contradiction from the 4 congruences
    involved. (with 4th assumed equal)
  • Rewrite the consistency check as $D \equiv d_0^{f_1} \alpha^{f_2} \pmod p$,
    where
  • $d_0 \equiv d^{1/e_1} \alpha^{-e_2/e_1} \pmod p$ is a value that
    depends only on steps 1-4.
  • Applying the earlier theorem, we conclude y is a
    valid signature for $d_0$ with probability $1 - 1/q$.
  • But we are assuming that y is a valid signature
    for x. That is, with high probability we have
    $x^a \equiv d_0^a$, which implies $x = d_0$
  • But $d \not\equiv x^{e_1}\alpha^{e_2} \pmod p$ means that
    $x \not\equiv d^{1/e_1} \alpha^{-e_2/e_1} \pmod p$
  • Hence, we conclude $x \ne d_0$ and we have a
    contradiction.

56
Fail-stop Signatures
  • Provides enhanced security against the
    possibility that a very powerful adversary might
    be able to forge a signature.
  • In the event that someone is able to forge the
    signature, then the signer can prove that it is a
    forgery with a very high probability.
  • We will describe here the van Heyst and Pedersen
    Fail-stop Signature Scheme, which is a one-time
    scheme.
  • The system consists of signing and verification
    as well as a proof of forgery algorithm

57
  • We begin with a definition.
  • Two keys $(\gamma_1, \gamma_2, a_1, a_2, b_1, b_2)$ and
    $(\gamma_3, \gamma_4, a_3, a_4, b_3, b_4)$ are said to be equivalent if
    $\gamma_1 = \gamma_3$ and $\gamma_2 = \gamma_4$.
  • It is easy to see that there are exactly $q^2$
    keys in any equivalence class.
  • Lemma 1
  • Suppose $K$ and $K_1$ are equivalent keys and suppose
    that $\mathrm{ver}_K(x, y) = \text{true}$, then $\mathrm{ver}_{K_1}(x, y) = \text{true}$
  • Lemma 2
  • Suppose $K$ is a key and $y = \mathrm{sig}_K(x)$. Then there
    are exactly q keys $K_1$ equivalent to $K$ such that
    $y = \mathrm{sig}_{K_1}(x)$.

58
  • Lemma 3
  • Suppose $K$ is a key, $y = \mathrm{sig}_K(x)$ and
    $\mathrm{ver}_K(x_1, y_1) = \text{true}$, where $x \ne x_1$. Then there is at most
    one key $K_1$ equivalent to $K$ such that $y = \mathrm{sig}_{K_1}(x)$
    and $y_1 = \mathrm{sig}_{K_1}(x_1)$.
  • Theorem
  • Given that $\mathrm{sig}_K(x) = y$ and $x \ne x_1$, then an
    opponent can compute $\mathrm{sig}_K(x_1)$ with probability
    1/q.

59
Example (Fail-stop Signature Scheme)
  • Suppose $p = 3467 = 2 \times 1733 + 1$. The element
    $\alpha = 4$ has order 1733 in $\mathbb{Z}_{3467}^*$.
  • Suppose $a_0 = 1567$, so $\beta = 4^{1567} \bmod 3467 = 514$
  • (Recall that Bob knows the value of $\alpha$ and $\beta$ but
    not $a_0$.)
  • Suppose Bob forms his key using $a_1 = 888$, $a_2 = 1024$,
    $b_1 = 786$, $b_2 = 999$, so
  • $\gamma_1 = 4^{888} \cdot 514^{1024} \bmod 3467 = 3405$
  • and $\gamma_2 = 4^{786} \cdot 514^{999} \bmod 3467 = 2281$
  • Suppose Bob gets a forged signature (822, 55) on
    the message 3383. This is a valid signature since
    the verification condition is satisfied:
  • $3405 \times 2281^{3383} \equiv 2282 \pmod{3467}$ and
    $4^{822} \cdot 514^{55} \equiv 2282 \pmod{3467}$
  • This is not what Bob would have constructed.
  • Bob computes his own signature to be
  • $(888 + 3383 \times 786 \bmod 1733,\ 1024 + 3383 \times 999 \bmod 1733)$
  • $= (1504, 1291)$
  • He proceeds to calculate the secret discrete log,
    $a_0 = (822 - 1504)(1291 - 55)^{-1} \bmod 1733$
  • $= 1567$
  • This is proof of forgery.

60
Conclusion
61
The End
62
Example
  • Let $p = 101$ and $q = 113$.
  • Then $n = 11413$ and $\phi(n) = 100 \times 112 = 11200$
  • We choose b such that $\gcd(b, \phi(n)) = 1$, so
    that it has an inverse. We will obtain $b^{-1}$ by the
    Euclidean algorithm.
  • Let $b = 3533$, hence $b^{-1} = 6597 \pmod{\phi(n)}$
  • We will publish $n = 11413$ and p

63
How does it work?
  • We verify that the encryption and decryption are
    inverse operations.
  • Since $ab \equiv 1 \pmod{\phi(n)}$, i.e. $ab = t\phi(n) + 1$
    for some integer $t \ge 1$.
  • Case 1: Suppose $x \in \mathbb{Z}_n^*$, then we have
  • $(x^b)^a \equiv x^{t\phi(n)+1} \pmod n$
  • $\equiv (x^{\phi(n)})^t x \pmod n$
  • $\equiv 1^t x \pmod n$
  • $\equiv x \pmod n$

64
How does it work? (Contd)
  • Case 2: Suppose that $x \notin \mathbb{Z}_n^*$,
  • then we have x is a multiple of p or a multiple
    of q.
  • Suppose it is a multiple of p, i.e. $\gcd(x, p) = p$,
    then
  • $(x^b)^a \equiv 0 \equiv x \pmod p$