CryptographySecurity - PowerPoint PPT Presentation

Slides: 49
Provided by: DrLawri1

1
Chapter 10: Key Management; Other Public Key Cryptosystems
  • 10.0 ElGamal cryptosystem
  • 10.1 Key Management
  • 10.2 Diffie-Hellman Key Exchange
  • 10.3 Elliptic Curve Arithmetic
  • 10.4 Elliptic Curve Cryptography

2
10.0 ElGamal cryptosystem
  • Key generation algorithm
  • Input: k
  • Randomly generate a prime p of length k bits
  • Compute a generator g for $Z_p$
  • Randomly select x, $2 \le x \le p-2$
  • Compute $y = g^x \bmod p$
  • Public key: $KU = (g, p, y)$
  • Private key: $KR = (g, p, x)$

3
ElGamal cryptosystem (cont.)
  • Encryption algorithm E
  • Input: $((g, p, y), M)$, $0 \le M \le p-1$
  • Randomly select k, $1 \le k \le p-2$
  • Compute $a = g^k \bmod p$
  • Compute $b = M y^k \bmod p$
  • Ciphertext: $C = (a, b)$
  • Decryption algorithm D
  • Input: $((g, p, x), C)$, $0 \le C \le n-1$
  • Compute $M = b / a^x \bmod p$

4
ElGamal cryptosystem (cont.)
  • Why does it work?
  • Fact: $(g^a)^b \bmod p = (g^b)^a \bmod p$
  • $b / a^x \bmod p = M \cdot y^k / (g^k)^x \bmod p = M \cdot (g^x)^k / g^{kx} \bmod p = M \bmod p = M$
  • Thinking: How to send a large message $M > p$,

5
ElGamal cryptosystem (cont.)
  • Security is based on the hardness of the discrete
    logarithm problem: $x = \log_g y \bmod p$
  • Two users can use the same (g, p)
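
The key generation, encryption and decryption steps from the slides above, as an added example that is not part of the original deck. It assumes p is chosen as a safe prime (p = 2q + 1) so that a generator can be tested cheaply, and the function names are hypothetical; this is the textbook scheme for study, with k assumed to be at least 16.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        w = pow(2 + secrets.randbelow(n - 3), d, n)
        if w in (1, n - 1):
            continue
        for _ in range(s - 1):
            w = pow(w, 2, n)
            if w == n - 1:
                break
        else:
            return False
    return True

def keygen(k):
    """k-bit prime p, generator g, private x, public y = g^x mod p."""
    while True:  # safe prime p = 2q + 1, so p - 1 has only the factors 2 and q
        q = secrets.randbits(k - 1) | (1 << (k - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:  # g generates the whole group iff g^2 != 1 and g^q != 1
        g = 2 + secrets.randbelow(p - 3)
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            break
    x = 2 + secrets.randbelow(p - 3)            # 2 <= x <= p-2
    return (g, p, pow(g, x, p)), (g, p, x)      # (KU, KR)

def encrypt(pub, m):
    g, p, y = pub
    if not 0 <= m <= p - 1:
        raise ValueError("message must satisfy 0 <= M <= p-1")
    k = 1 + secrets.randbelow(p - 2)            # fresh 1 <= k <= p-2 per message
    return pow(g, k, p), m * pow(y, k, p) % p   # C = (a, b)

def decrypt(priv, c):
    g, p, x = priv
    a, b = c
    return b * pow(a, p - 1 - x, p) % p         # b / a^x, since a^(p-1) = 1
```

Because k is drawn fresh for every call, encrypting the same M twice gives two different ciphertexts that both decrypt to M.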

6
10.1 Key management
  • Two issues
  • Distribution of public keys
  • Use of public keys to distribute secret keys
  • Since public key cryptosystems are too slow for
    encrypting the entire (long) message.
  • Thinking: How to send a large message $M > p$ using
    the public key system.

7
Distribution of public keys
  • 1. Public announcement
  • 2. Publicly available directory
  • 3. Public-key authority
  • 4. Public-key certificates
  • Note: comparisons among the four approaches.

8
Public announcement
  • Everyone keeps a list of received public keys.
  • Advantage: simple
  • Disadvantages:
  • Anyone can forge an announcement of another
  • Everyone has to keep a long list of public keys
  • For example, PGP (Pretty Good Privacy email
    system) uses this approach

9
Public directory
  • A trusted organization maintains a dynamic
    directory of (name, public key)-entries
  • A user A can register, update, or denounce his
    public key $KU_a$ with the organization via an
    authenticated channel
  • Disadvantage: the directory is the target of
    attacks

10
Public directory (cont.)
11
Public-key authority
  • A trusted authority maintains a dynamic directory
    of (name, public key)-entries for participants
  • Any user knows the authority's public key
  • A user A can register, update, or denounce his
    public key $KU_a$ with the authority via an
    authenticated channel

12
Public-key authority (cont.)
Once per time period
13
Public-key authority (cont.)
  • Disadvantages
  • The public-key authority is the bottleneck, since
    every user has to contact the authority to obtain
    others' public keys (on-line)
  • The public-key authority is the target of attacks

14
Public-key certificate
  • A certificate authority (CA) has a pair of public
    and private keys $(KU_{CA}, KR_{CA})$ for signing and
    verification
  • Each participant knows the CA's public key $KU_{CA}$
  • Each participant A requests the CA to issue a
    certificate for his public key $KU_A$:
    $Cert_A = \langle ID_A, KU_A, T, Sign(KR_{CA}, ID_A \| KU_A \| T) \rangle$
  • $T = (T_1, T_2)$ is the valid time period of the
    certificate, i.e. $Cert_A$ is valid from time $T_1$ to
    $T_2$
  • Note: $KU_A$ is supplied by participant A

15
Public-key certificate (cont.)
  • Participant A keeps his private key $KR_A$ secret
  • When user B obtains A's certificate
    $Cert_A = \langle ID, KU, T, \sigma \rangle$, it can use the CA's
    public key $KU_{CA}$ to verify the validity of $Cert_A$:
  • Whether the current time is between $T_1$ and $T_2$
  • Whether $Verify(KU_{CA}, ID \| KU \| T, \sigma) = true$
  • If the above two checks are valid, B obtains A's
    public key $KU_A$
  • This is an off-line version of the public-key
    authority

16
Public-key certificate (cont.)
17
Public-key certificate (cont.)
  • Disadvantages
  • The CA is the target of attacks
  • A participant may lose his private key before the
    expiration time $T_2$
  • The CA has to maintain a list of revoked certificates
    (Why?)
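
The issue and verify steps from the certificate slides, including the revocation list just mentioned, as an added example that is not part of the original deck. The CA key is a toy textbook-RSA key chosen here as a stand-in for the CA's signature scheme, and `issue`, `verify` and the `revoked` set are hypothetical names.

```python
import hashlib

# Toy CA key pair (assumption): textbook RSA over two known Mersenne primes.
# Far too small for real use; it only stands in for Sign/Verify on the slides.
P_CA, Q_CA = 2**61 - 1, 2**89 - 1
N, E = P_CA * Q_CA, 65537                      # KU_CA
D = pow(E, -1, (P_CA - 1) * (Q_CA - 1))        # KR_CA

def _digest(id_a, ku_a, t):
    # Length-prefix each field so the concatenation ID || KU || T is unambiguous.
    fields = [str(id_a).encode(), repr(ku_a).encode(), repr(tuple(t)).encode()]
    blob = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N

def issue(id_a, ku_a, t):
    """CA side: Cert_A = <ID_A, KU_A, T, Sign(KR_CA, ID_A || KU_A || T)>."""
    return (id_a, ku_a, tuple(t), pow(_digest(id_a, ku_a, t), D, N))

def verify(cert, now, revoked=frozenset()):
    """B's side: return KU_A if the certificate is acceptable, else None."""
    id_a, ku_a, (t1, t2), sigma = cert
    if not t1 <= now <= t2:                    # check 1: inside the validity period
        return None
    if pow(sigma, E, N) != _digest(id_a, ku_a, (t1, t2)):
        return None                            # check 2: CA signature over all fields
    if (id_a, ku_a) in revoked:                # key reported lost before T2
        return None
    return ku_a
```

The revocation check is what covers the case where a key is lost before T2: the signature and the time window are both still valid, so only the CA's list can tell B not to use the key.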

18
Recall 10.1 Key management
  • Two issues
  • Distribution of public keys
  • Use of public keys to distribute secret keys
  • Since public key cryptosystems are too slow for
    encrypting the entire (long) message.

19
Public-key distribution of secret keys
  • A and B both have each other's public key
  • But, public-key encryption is usually slow
  • Use public key to establish session (secret) keys

20
Distribution of secret keys (cont.)
  • Simple scheme
  • Problems? Fair, $KU_B$

21
Distribution of secret keys (cont.)
  • Scheme with secrecy and authentication
  • Note: challenge and response / Problem?
    $H(N_1 \| N_2)$

22
10.2 Diffie-Hellman Key Exchange
  • first public-key type scheme proposed
  • by Diffie & Hellman in 1976 along with the
    exposition of public key concepts
  • note: now know that James Ellis (UK CESG)
    secretly proposed the concept in 1970
  • is a practical method for public exchange of a
    secret key
  • used in a number of commercial products

23
Diffie-Hellman Key Exchange
  • a public-key distribution scheme
  • cannot be used to exchange an arbitrary message
  • rather it can establish a common key
  • known only to the two participants
  • value of key depends on the participants (and
    their private and public key information)
  • based on exponentiation in a finite (Galois)
    field (modulo a prime or a polynomial) - easy
  • security relies on the difficulty of computing
    discrete logarithms (similar to factoring) - hard

24
Diffie-Hellman key exchange
  • Two remote users establish a secret (session) key
    via an insecure channel
  • They don't share a secret key
  • They don't have public keys
  • Facts
  • $(g^a \bmod p)^b \bmod p = (g^b \bmod p)^a \bmod p = g^{ab} \bmod p$
  • Discrete logarithm problem: it is hard to
    compute $x = \log_g y \bmod p$ from given (g, p, y)

25
DH key exchange (cont.)
  • Global parameters (g, p)
  • p: a large prime, say, 512 bits long
  • $g \in Z_{p-1}$: a generator for $Z_p$

26
DH key exchange (cont.)
  • Example: global parameters $p = 97$, $g = 5$
  • Alice: $a = 36$, $Y_a = 5^{36} \bmod 97 = 50$
  • Bob: $b = 58$, $Y_b = 5^{58} \bmod 97 = 44$
  • The established secret key: $(Y_b)^a \bmod p = 44^{36} \bmod 97 = 75 = (Y_a)^b \bmod p = 50^{58} \bmod 97 = 75$

27
DH key exchange security
  • Based on the hardness of the discrete logarithm problem:
    given $g^a \bmod p$ and $g^b \bmod p$, compute $g^{ab} \bmod p$
  • Vulnerable to man-in-the-middle attack
  • Thinking: How to defend?
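
The exchange from the p = 97, g = 5 example, as an added example that is not part of the original deck. The range check on the peer's value and the hashing of the shared secret into a session key are additions not stated on the slides, and the function names are hypothetical.

```python
import hashlib
import secrets

P, G = 97, 5   # global parameters from the slide's example (toy size)

def private_value(p=P):
    return 2 + secrets.randbelow(p - 3)        # random exponent in [2, p-2]

def public_value(priv, p=P, g=G):
    return pow(g, priv, p)                     # Y = g^priv mod p

def shared_secret(priv, peer_pub, p=P):
    # Accept only 2 <= Y <= p-2. The values 0, 1 and p-1 would confine the
    # result to {0, 1, p-1} whatever our own private exponent is.
    if not 2 <= peer_pub <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)

def session_key(secret, p=P):
    # Hash the group element to a fixed-length key for a symmetric cipher.
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()
```

The range check does nothing against a man in the middle who substitutes his own valid public value; that needs the public values to be authenticated, for example with the certificates from section 10.1.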

28
Thinking
  • Conference key distribution ?
  • Efficient
  • Fair ?
  • Conference key agreement ?
  • Fault Detection ?
  • Provably secure ?
  • Model ?

29
10.3 Elliptic Curve Cryptography
  • majority of public-key crypto (RSA, D-H) use
    either integer or polynomial arithmetic with very
    large numbers/polynomials
  • imposes a significant load in storing and
    processing keys and messages
  • an alternative is to use elliptic curves
  • offers same security with smaller bit sizes

30
Real Elliptic Curves
  • an elliptic curve is defined by an equation in
    two variables x & y, with coefficients
  • consider a cubic elliptic curve of form
  • $y^2 = x^3 + ax + b$
  • where x, y, a, b are all real numbers
  • also define zero point O
  • have addition operation for elliptic curve
  • geometrically, sum of Q+R is reflection of
    intersection R

31
Real Elliptic Curve Example
32
Finite Elliptic Curves
  • Elliptic curve cryptography uses curves whose
    variables & coefficients are finite
  • have two families commonly used
  • prime curves $E_p(a,b)$ defined over $Z_p$
  • use integers modulo a prime
  • best in software
  • binary curves $E_{2^m}(a,b)$ defined over $GF(2^n)$
  • use polynomials with binary coefficients
  • best in hardware

33
Elliptic Curve Cryptography
  • ECC addition is analog of modulo multiply
  • ECC repeated addition is analog of modulo
    exponentiation
  • need hard problem equiv. to discrete log.
  • $Q = kP$, where Q, P belong to a prime curve
  • is easy to compute Q given k, P
  • but hard to find k given Q, P
  • known as the elliptic curve logarithm problem
  • Note: $y = g^x \bmod p$, given y, g and p to find x
  • Certicom example: $E_{23}(9,17)$

34
ECC (cont.)
[Figure labels: $2R = -S$, S]
35
ECC (cont.)
36
Elliptic curve basics
  • O: infinity point, the additive identity
  • $P + O = P$ for any point P
  • Rule: three points of the EC on a line sum to O
  • Inverse: if $P_1$ and $P_2$ are on a vertical line,
    $P_1 + P_2 + O = O$, which implies that $P_1 = -P_2$
  • Addition: if Q and R are not on a vertical line,
    $Q + R + P_1 = O$, which implies $Q + R = -P_1 = P_2$
  • Double: $R + R + S = O$, which implies $2R = -S$, where S
    is the intersection point of the tangent line at
    R and the curve

37
Elliptic curve special form
  • Special EC L: $y^2 = x^3 + ax + b \pmod p$
  • $4a^3 + 27b^2 \bmod p \ne 0$
  • $E_p(a,b) = \{O\} \cup \{(x_0, y_0) : x_0, y_0 \in Z_p,\ (x_0, y_0) \text{ satisfies } L\}$
  • Example: $E_{23}(a=1, b=1)$ for L: $y^2 = x^3 + x + 1 \pmod{23}$

38
Elliptic curve special form (cont.)
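  • $P + O = P$ for any point P
  • Inverse: if $P = (x, y)$, then $-P = (x, -y)$.
  • Addition: $P = (x_1, y_1)$, $Q = (x_2, y_2)$
  • $P = -Q$ (i.e., $x_1 = x_2$ and $y_1 = -y_2$): $P + Q = O$
  • $P \ne -Q$: $P + Q = (x_3, y_3)$ (see related papers)
  • $x_3 = \lambda^2 - x_1 - x_2 \pmod p$
  • $y_3 = \lambda(x_1 - x_3) - y_1 \pmod p$
  • $\lambda = (y_2 - y_1)/(x_2 - x_1) \pmod p$ if $P \ne Q$ (slope of the line through the two
    points P, Q); $\lambda = (3x_1^2 + a)/(2y_1) \pmod p$ if $P = Q$
  • Scalar: $nP = P + P + \dots + P$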

39
Elliptic curve special form (cont.)
  • Example: for $E_{23}(1,1)$, $P = (3,10)$, $Q = (9,7)$
  • Recall Slide ch.10-36
  • To compute $P + Q$:
  • $\lambda = (7-10)/(9-3) \bmod 23 = 11$
  • $x_3 = 11^2 - 3 - 9 \bmod 23 = 17$
  • $y_3 = 11(3-17) - 10 \bmod 23 = 20$
  • Thus, $P + Q = (17, 20) \in E_{23}(1,1)$
  • To compute $2P$:
  • $\lambda = (3(3^2) + 1)/(2 \cdot 10) \bmod 23 = 6$
  • $x_3 = 6^2 - 3 - 3 \bmod 23 = 7$
  • $y_3 = 6(3-7) - 10 \bmod 23 = 12$
  • Thus, $2P = (7, 12) \in E_{23}(1,1)$
  • To compute $-P$:
  • $(3, -10) \bmod 23 = (3, 13) \in E_{23}(1,1)$

40
Elliptic curve cryptography
  • Operations
  • Hard problem (elliptic curve logarithm): given
    (P, Q), to find k such that $Q = kP$
  • analog to the discrete logarithm problem
  • Note: $y = g^x \bmod p$, given y, g and p to find x

41
Recall DH key exchange (cont.)
  • Global parameters (g, p)
  • p: a large prime, say, 512 bits long
  • $g \in Z_{p-1}$: a generator for $Z_p$

42
ECC DH key exchange
  • Global parameters (p, a, b, G)
  • p: a large prime, say, 180 bits long
  • $G \in EC_p(a,b)$ such that the smallest n for $nG = O$ is
    large

43
ECC DH key exchange (cont.)
  • Global parameters
  • $p = 211$, $a = 0$, $b = -4$, $G = (2,2)$
  • Note: $241 \cdot G = O$

44
Recall 10.0 ElGamal cryptosystem
  • Key generation algorithm
  • Input: k
  • Randomly generate a prime p of length k bits
  • Compute a generator g for $Z_p$
  • Randomly select x, $2 \le x \le p-2$
  • Compute $y = g^x \bmod p$
  • Public key: $KU = (g, p, y)$
  • Private key: $KR = (g, p, x)$

45
Recall ElGamal cryptosystem (cont.)
  • Encryption algorithm E
  • Input: $((g, p, y), M)$, $0 \le M \le p-1$
  • Randomly select k, $1 \le k \le p-2$
  • Compute $a = g^k \bmod p$
  • Compute $b = M y^k \bmod p$
  • Ciphertext: $C = (a, b)$
  • Decryption algorithm D
  • Input: $((g, p, x), C)$, $0 \le C \le n-1$
  • Compute $M = b / a^x \bmod p$

46
ECC ElGamal encryption
  • Key generation
  • Randomly select (p, a, b, G), $G \in EC_p(a,b)$ such
    that the smallest n for $nG = O$ is large
  • Randomly select $n_a < n$ and compute $P_a = n_a G$
  • $KU = (p, a, b, P_a)$
  • $KR = (p, a, b, n_a)$
  • Encryption: plaintext is a point $P_m$
  • Randomly select $n_k < n$
  • Compute $C_m = (n_k G, P_m + n_k P_a)$
  • Decryption: $C_m = (P_k, P_b)$
  • Compute $P_m = P_b - n_a P_k = P_m + n_k P_a - n_a P_k$

47
ECC ElGamal encryption (cont.)
  • Key generation
  • $p = 751$, $a = -1$, $b = 188$, $G = (0, 376)$
  • $KU = (p, a, b, P_a)$, with $P_a = (201, 5)$
  • $KR = (p, a, b, n_a)$, with $n_a$ = ??
  • Encryption: plaintext $P_m = (562, 201)$
  • $n_k = 386$
  • $C_m = (n_k G, P_m + n_k P_a) = ((676, 558), (385, 328))$
  • Decryption: $C_m = (P_k, P_b) = ((676, 558), (385, 328))$
  • $P_m = (385, 328) - n_a (676, 558)$
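
The point arithmetic of the special-form slides, carried through to the ECC DH exchange and the ECC ElGamal scheme above, as an added example that is not part of the original deck. Function names are hypothetical, coordinates are assumed already reduced mod p, and any private scalar used with it has to be constructed by the reader because the slide leaves $n_a$ open.

```python
O = None  # the point at infinity (additive identity)

def on_curve(P, a, b, p):
    return P is O or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def add(P, Q, a, p):
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:        # P = -Q, so P + Q = O
        return O
    if x1 == x2:                               # P = Q: slope of the tangent
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:                                      # slope of the line through P, Q
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def neg(P, p):
    return O if P is O else (P[0], -P[1] % p)

def mul(n, P, a, p):
    R = O
    while n > 0:                               # double-and-add: nP = P + ... + P
        if n & 1:
            R = add(R, P, a, p)
        P, n = add(P, P, a, p), n >> 1
    return R

def ecdh(n_own, P_peer, a, b, p):
    # Refuse O and points that do not satisfy the curve equation before
    # multiplying the received point by our own private scalar.
    if P_peer is O or not on_curve(P_peer, a, b, p):
        raise ValueError("peer point is not on the curve")
    return mul(n_own, P_peer, a, p)

def eg_encrypt(Pm, nk, Pa, G, a, p):
    return mul(nk, G, a, p), add(Pm, mul(nk, Pa, a, p), a, p)   # (Pk, Pb)

def eg_decrypt(C, na, a, p):
    Pk, Pb = C
    return add(Pb, neg(mul(na, Pk, a, p), p), a, p)             # Pb - na*Pk
```

The `add` formulas never use b, so a point that is off the curve would be processed without error; the `on_curve` check in `ecdh` is what rejects it.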

48
ECC computational comparison
  • Elliptic curve logarithm using Pollard's rho
    algorithm
  • Integer factorization using generalized number
    field sieve