textbook: introduction to cryptography 2nd ed. by j.a. buchmann

Fuw-Yi Yang 1

Textbook: Introduction to Cryptography 2nd ed. By J.A. BuchmannChap 8 Public-Key Encryption

Department of Computer Science and Information Engineering, Chaoyang University of Technology

朝陽科技大學資工系

Speaker: Fuw-Yi Yang 楊伏夷

伏夷非征番 , 道德經察政章 (Chapter 58) 伏者潛藏也道紀章 (Chapter 14) 道無形象 , 視之不可見者曰夷

Fuw-Yi Yang 2

Contents

IdeaSecurityRSA CryptosystemRabin EncryptionDiffie-Hellman Key ExchangeElGamal Encryption

Fuw-Yi Yang 3

8.1 Idea

A problem of the symmetric cryptosystems that we have described so far is key distribution and key management.

When Alice and Bob use a symmetric cryptosystem, they must exchange a secret key before they can secretly communicate.

For the key exchange, they need, for example, a secure channel or a courier.

The key exchange problem becomes more difficult if many people want to exchange encrypted messages, for example, on the Internet.

If a communication network has n users and any two of them exchange a key, then n(n - 1)/2 secret key exchanges are necessary and all those keys have to be stored secretly.

Fuw-Yi Yang 4

8.1 Idea

In public-key systems, key management is much simpler. In public-key system, only the decryption keys must be kept secret. A decryption key is therefore called a secret key or a private key. Computing private keys from their corresponding public keys is infeasible.Example 8.1.1 A directory of public keys may look like this:

Name Public key

Alice 13245722331097423121

Bob 7867644676897809808089

… …

Fuw-Yi Yang 5

8.2 Security

8.2.1 Security of the secret key

A public-key cryptosystem can only be secure if the problem of computing the secret key from publicly available information is intractable. In the public-key cryptosystems that are used today this is guaranteed since the underlying number-theoretic problems are intractable.

However, it is possible that in the future algorithms will be found that solves those problems very efficiently.

For example, it has been shown by Shor that quantum computers can break all public-key cryptosystems that are used today.

But it is unknown if such quantum computers can ever be built.

Fuw-Yi Yang 6

8.2 Security

8.2.2 Semantic Security

Finding the secret key is not the only possible goal of an attack on a public-key cryptosystem.

For example, an attacker of a deterministic public-key cryptosystem can easily find the plaintext that corresponds to a ciphertext without knowledge of the secret key if only very few plaintexts are possible.

The model that is generally agreed to be the right definition of security against passive attacks (see next page) is semantic security. This model was introduced by S. Goldwasser and S. Micali in 1984. Semantic security is related to perfect secrecy from Chapter 4.

Fuw-Yi Yang 7

8.2 Security

8.2.2 Semantic Security

A public key cryptosystem is semantically secure if a passive attacker with limited resources cannot obtain any relevant information about the plaintext that corresponds to a given ciphertext. In contrast, cryptosystems with perfect secrecy are secure against any passive attacker.Note: Chapter 3, page 76, A passive attacker can only mount cipher-only attacks; An active attacker can mount chosen plaintext and chosen ciphertext attacks. He can also change the ciphertext in order to manipulate the corresponding plaintext.

Fuw-Yi Yang 8

8.2 Security

8.2.3 Chosen Ciphertext Security

The strongest security notion for public-key cryptosystems is security against chosen ciphertext attacks.

In this model, the attacker can decrypt any ciphertext of his choice except for the ciphertext in which he is really interested.

Chosen ciphertext security is the same as non-malleability, which means that an attacker is not able to change the ciphertext in such a way that the corresponding plaintext is changed in a controlled way.

Fuw-Yi Yang 9

8.2 Security

8.2.4 Security Proofs

Today, none of the computational problems that are the security basis for the known public-key cryptosystems is provably intractable.

Therefore, there are no provably secure public-key cryptosystems.

Security proofs for public-key cryptosystems are, in fact, security reductions.

Fuw-Yi Yang 10

8.2 Security

8.2.4 Security Proofs

In such a reduction it is proved that a public-key cryptosystems is secure as long as a few well defined computational problems such as the factoring problem for integers are intractable.

So the security of the cryptosystem is reduced to the intractability of those computational problems. To judge the security of a cryptosystem for such a reduction exists it suffices to know how difficult a few mathematical problem are.

Fuw-Yi Yang 11

8.3 RSA Cryptosystem 8.3.1 Key Generation

We explain how Bob generates his private and public RSA keys.

Bob generates randomly and independently two large (odd) prime numbers p and q and computes the product n = pq.

Bob also chooses an integer e with 1 < e < (n) = (p - 1)(q - 1) and gcd(e, (n)) = 1.

Bob computes an integer d with 1 < d < (n) and ed = 1 mod (n).

Bob’s public key is the pair (n, e). His private key is d.

The number n is called the RSA modulus, e is called the encryption exponent, and d is called the decryption exponent.

Fuw-Yi Yang 12

8.3 RSA Cryptosystem 8.3.1 Key Generation

Note that the secret key d can be computed from the encryption exponent e if the prime factors p and q of n are known.

Therefore, if the attacker, Oscar, is able to find the prime factorization of n, then he can easily find Bob’s secret key d.

Example 8.3.1 Bob chooses the prime factors p = 11 and q = 23. Then n = 253 and (253) = 220. The smallest possible e is e = 3 since gcd(3, 220) = 1. d = 147.

Fuw-Yi Yang 13

8.3 RSA Cryptosystem 8.3.2 Encryption

We first explain how to encrypt numbers with the RSA system. Then we show how RSA can be used as a block cipher.

In the first variant, the plaintext space consists of all integers m with0 m < n.

A plaintext m is encrypted by computing c = me mod n.

The ciphertext is c. If Alice knows the public key (n, e), she can encrypt. To make encryption efficient, Alice uses fast exponentiation.

Example 8.3.2 As in Example 8.3.1, let n = 253 and e = 3.

Then the plaintext space is {0, 1, …, 252}.

Encrypting the integer m = 165, we obtain c = 1653 mod 253 = 110.

Fuw-Yi Yang 14


Now we show how to use RSA encryption as a block cipher. We use the alphabet = ZN = {0, 1, 2, …, N-1} for some positive integer N. Let k = logNn.

A word m1…mk k corresponds to the integer m = m1Nk-1 + m2Nk-2 + …+ mkNk-k .

Note that the choice of k implies

0 m (N - 1)Nk-1 + (N - 1)Nk-2 + …+ (N - 1)Nk-k = Nk - 1 < n.

We will identify the block in k with their corresponding integers.

The block m is encrypted by computing c = me mod n.

The integer c is written in base N. The N-adic expansion of c may have length at most k+1.

Fuw-Yi Yang 15


We can therefore write c = c0Nk-0 + c1Nk-1 + …+ ckNk-k, ci .

The cipher block is c = c0c1…ck.

In this way the RSA maps blocks of length k invectively to blocks of length k+1 (since k = logNn ).

Example 8.3.3 As in Example 8.3.1, let n = 253 and e = 3.

Let = {0, a, b, c} with the identification 00, a 1, b2, c3.

Then k = logNn = log4253 = 3.

This is the length of the plaintext blocks. We encrypt the block abb.

m = a * 42 + b * 41 + b * 40 = 16 + 8 + 2 = 26.

C = 263 mod 253 = 119. C = a * 43 + c * 42 + a * 41 + c * 40.

Fuw-Yi Yang 16

8.3 RSA Cryptosystem 8.3.3 Decryption

Theorem 8.3.4 Let (n, e) be a public RSA key and d the corresponding private RSA key. Then (me)d mod n = m for any integer m with 0 m < n.Proof. d e = 1 mod (p - 1)(q - 1), there is an integer l with d e = 1 + l (p - 1)(q - 1). Therefore, (me)d = me d = m 1 + l (p - 1)(q - 1) = m (m (p - 1)(q - 1))l = m mod p. If p is not a divisor of m, then this congruence follows from Fermat’s little theorem. Otherwise, the assertion is trivial because both sides of the congruence are 0 mod p. Analogously, we see that (me)d = m mod q. Because p and q are distinct prime numbers, (CRT one to one) we obtain (me)d = m mod n. endofproof

Fuw-Yi Yang 17

8.3 RSA Cryptosystem 8.3.4 Security of the secret key Computing d from (n, e)

The followings (Lemma 8.3.6, Theorem 8.3.7, 4 factoring steps and Theorem 8.3.8 ) show that computing d from (n, e) is as difficult as finding the prime factors p and q of n. This does not prove the difficulty of computing the secret key directly, but it reduces this difficulty to that of a famous mathematical problem, the factoring problem of integers.

Fuw-Yi Yang 18

8.3 RSA Cryptosystem 8.3.4 Security of the secret key

Lemma 8.3.6 For all integers a that are prime to n, the order of the residue class ak + nZ in the group (Z/nZ)* is in {2i: 0 i s}. Where s = max{t N ={1, 2,…}: 2t divides d e - 1} and k = (d e - 1)/ 2s.

Proof. Let a be an integer that is prime to n. By Theorem 8.3.4, we have ae d - 1 = 1 mod n. Since d e - 1 = k 2s, this implies (ak) 2 s = 1 mod n.Hence, by Theorem 2.9.2 the order of ak + nZ is a divisor of 2s. endofproof

Fuw-Yi Yang 19

Theorem 8.3.7 Let a be an integer that is prime to n. If the orders of the residue class ak + pZ in (Z/pZ)* and of ak + qZ in (Z/qZ)* are different, then 1 < gcd((a2t k - 1), n) for some t {0, 1, …, s - 1}.

Proof. By Lemma 8.3.6 and Theorem 2.9.2, the order of ak mod p and ak mod q is in {0, 1, …, s}. Without loss of generality, the order of ak mod p is greater than the order of ak mod q. Let the order of ak mod q be 2t. Then t < s, a2t k = 1 mod q, but a2t k 1 mod p. Therefore, gcd((a2t k - 1), n) = q. endofproof


Fuw-Yi Yang 20

By Theorem 8.3.6 and Theorem 8.3.7 we can factor n as follows if e and d are known (s = max{t N ={1, 2,…}: 2t divides d e - 1}) :

1. Choose at random an integer a in the set {0, 1, …, n - 1}. 2. Compute g = gcd(a, n). 3. If g = 1, then compute g = gcd((a2t k - 1), n) for some t = s - 1, s - 2, … until g > 1 or t = 0. 4. If g > 1, then g = p or g = q. Hence, the factorization of n is found and the algorithm terminates. Otherwise, the algorithm was unsuccessful with the chosen base a.


Fuw-Yi Yang 21

If the algorithm was not successful with the chosen a, then we run it again. We will now show that the probability of the algorithm being successful is at least 1/2. Therefore the probability of success after r iterations is at least 1- (1/2)r.

Example 8.3.9 In example 8.3.1, we have n = 253, e = 3, and d = 147. Hence, ed - 1 = 440 = 23 * 55. If we use a = 2, then we obtain

gcd((2220 - 1), 253) = 253,

gcd((2110 - 1), 253) = 253,

gcd((255 - 1), 253) = 23


Fuw-Yi Yang 22

Theorem 8.3.8 The number of integers a prime to n in the set{1, 2,…, n - 1} for which ak has a different order mod p and mod q is at least (p - 1)(q - 1)/2. Proof. Let g be a primitive root mod p and mod q. It exists by the Chinese remainder theorem 2.15.2. First, we assume that the order of gk mod p is greater than the order of gk mod q. By Lemma 8.3.6, those orders are powers of 2. Let x be an odd integer {1,…, p - 1} and let y {0, 1,…, q - 2}. Let a be the least nonnegative solution of the simultaneous congruence a = gx mod p, a = gy mod q. 8.4


Fuw-Yi Yang 23

Then ,a {1, 2,…, n - 1}. By Theorem 2.9.5, the order of ak mod p is the same as the order of gk mod p, since the order of gk mod p is a powers of 2 and x is odd. But the order of ak mod q is at most of order of gk mod q and hence smaller than the order of ak mod p. Also the solutions of 8.4 are pairwise distinct because g is a primitive root mod p and mod q (CRT 2.15.2). Therefore, we have found (p - 1)(q - 1)/2 integers a {1, 2,…, n - 1} that are pairwise distinct, prime to n, and for which the order of ak mod p and mod q are distinct. If the order of gk mod q is greater than the order of gk mod p, then the proof is analogous.


Fuw-Yi Yang 24

Finally, assume that the orders of gk mod p and mod q are equal. Since (p - 1) and (q - 1) are both even, k is odd, and g is a primitive root mod p and mod q, this order is at least 2. We determine the required integers as solutions of 8.4. This time the exponent pairs (x, y) consist of one even and one odd number. Without loss of generality, x is odd and y is even. The order of ak mod p is the same as the order of gk mod p, since the order of gk mod p is a powers of 2 and x is odd.


Fuw-Yi Yang 25

But the order of ak mod q is at most of order of gk mod q and hence smaller than the order of ak mod p. Also the solutions of 8.4 are pairwise distinct because g is a primitive root mod p and mod q (CRT 2.15.2). Therefore, we have found (p - 1)(q - 1)/2 integers a {1, 2,…, n - 1} that are pairwise distinct, prime to n, and for which the order of ak mod p and mod q are distinct

endofproof


Fuw-Yi Yang 26

D. R. Stinson, Cryptography Theory and Practice, Chapman & Hall/CRC, pp 194, 2002 Computing ψ(n) is no easier than factoring n. Assume thatψ(n), n are available.

n = pq, ψ(n) = (p - 1)(q - 1),

pq - p - q +1 - ψ(n) = 0 pn/p - p - n/p +1 - ψ(n) = 0 p2 - (n - ψ(n) + 1)p + n = 0 The two roots of the above equation will be p and q, the factors of n.endofproof

8.3 RSA Cryptosystem 8.3.4 Security of the secret key Computing ψ(n)

Fuw-Yi Yang 27

In the previous section, we have shown that factoring the RSA modulus is as difficult as finding the secret RSA key.

But finding the secret key is not the only possible goal of an attacker. He may also try to determine the plaintext that corresponds to a given ciphertext that was encrypted with Bob’s public key. It is an open problem whether being able to decrypt individual RSA ciphertext implies the ability to factor n efficiently. It is not known whether breaking RSA is as difficult as factoring integers. It is not known whether factoring is difficult.

8.3 RSA Cryptosystem 8.3.5 RSA and Factoring

Fuw-Yi Yang 28

In order to make the factorization of the RSA modulus infeasible, its prime factors p and q must be chosen appropriately.

If p-1 has only small prime factors, then the p-1 factoring method is successful (Chapter 9).

Given the strength of the currently known factoring algorithms, p and q should both be almost equal length and at least of binary length 512.

8.3 RSA Cryptosystem 8.3.6 Choice of p and q

Fuw-Yi Yang 29

The public key e is chosen as small as possible to make encryption efficient. The least possible encryption exponent is e = 3. If this is used, then encryption requires one squaring and one multiplication mod n.

However, using small encryption exponents such as e = 3 may be dangerous because an attacker can use the low-exponent attack. This attack works if the same message m is encrypted e times with encryption exponent e and e pairwise coprime RSA moduli ni, 1 i e. See next page

8.3 RSA Cryptosystem 8.3.7 Choice of e

Fuw-Yi Yang 30

Let ci = me mod ni, 1 i e be the corresponding RSA ciphertexts. Then the attacker uses the following algorithm:1. Use CRT to compute an integer with c = ci mod ni, 1 i e and 0 c < n1…ne.2. Determine the message m as the eth root of c in Z. Theorem 8.3.11 Let e N, n1, … , ne N be pairwise coprime and m N with 0 m ni for 1 i e. Let c N with c = me mod ni, 1 i e and 0 c < n1…ne. Then c = me. Proof: The integer c' = me satisfies the simultaneous congruence c' = me mod ni,1 i e, and we have 0 c < n1…ne because 0 m ni for 1 i e.


Fuw-Yi Yang 31

Theorem 8.3.11 Let e N, n1, … , ne N be pairwise coprime and m N with 0 m ni for 1 i e. Let c N with c = me mod ni, 1 i e and 0 c < n1…ne. Then c = me. Proof: The integer c' = me satisfies the simultaneous congruence c' = me mod ni,1 i e, and we have 0 c < n1…ne because 0 m ni for 1 i e. On the other hand, the integer c = me from the theorem satisfies the same congruence and also satisfies 0 c < n1…ne. By Theorem 2.15.2 (CRT), the solution of this congruence is uniquely determined mod n1…ne. Therefore we have c = c'.Endofproof


Fuw-Yi Yang 32

The eth root of the eth power c can be determined very efficiently, for example by a cut and choose technique.Example 8.3.12 Let e = 3, n1 = 55, n2 = 391, n3 = 1189, m = 41. Therefore c1 = 6, c2 = 105, c3 = 1148.Compute x1n2n3 = 1 mod n1, x2n1n3 = 1 mod n2, x3n1n2 = 1 mod n3.We have x1 = 24, x2 = 4, x3 = -531.Then c = c1x1n2n3 + c2x2n1n3 + c3x3n1n2 mod n1n2n3 = 68921.m = 689211/3 = 41.

The low-exponent attack cannot be mounted if the encrypted messages are pairwise different. We can also choose a larger encryption exponent. A popular choice is e = 216 + 1.


Fuw-Yi Yang 33

To protect the private RSA key it can be stored on a smartcard.

That smartcard is a mini-computer that carries out encryption by itself. So the secret key never leaves the smartcard. The smartcard has limited resources and is low. Therefore it looks like a good idea to choose a small decryption key d and to compute the corresponding encryption key e.

But it is insecure. Boneh and Durfee have shown that RSA can be broken if d < n0.292.

8.3 RSA Cryptosystem 8.3.8 Choice of d

Fuw-Yi Yang 34

RSA encryption requires one exponentiation modulo n. The smaller the encryption exponent, is the more efficiently encryption works. However, small encryption exponents open the possibility of a low-exponent attack.

RSA decryption also requires one exponentiation modulo n. But the decryption exponent must be as large as n. Suppose that the RSA modulus n is a k-bit number. Then, typically, d is also a k-bit number and k/2 bits are 1. Thus decryption requires k squarings and k/2 multiplications mod n.

8.3 RSA Cryptosystem 8.3.9 Efficiency

Fuw-Yi Yang 35

RSA decryption can be hastened if the CRT is used. This works as follows. Alice wants to decrypt ciphertext c. Her private RSA key is d. She computes mp = cd mod p-1 mod p, mq = cd mod q-1 mod q.

She computes an integer m {0, 1, 2, …, n-1} such that m = mp mod p, m = mq mod q.

To find m, she computes yp and yq with ypp + yqq= 1. Then m = mqypp + mpyqq mod n.

The decryption with CRT is almost twice as fast as standard decryption.

8.3 RSA Cryptosystem 8.3.9 Efficiency

Fuw-Yi Yang 36

Let (n, e) be a public RSA key. If two messages m1 and m2 are encrypted under this key, then we obtain c1 = m1

e mod n, c2 = m2e mod n.

The product of the ciphertext is c = c1c2 mod n = (m1m2)e mod n.

Anyone who knows the ciphertexts c1 and c2 can compute the encryption of m = m1m2 without knowing this plaintext. This is a form of existential forgery. In order for the receiver to notice the forgery, the plaintext space must be reduced. Only plaintexts of a certain form are accepted.

8.3 RSA Cryptosystem 8.3.10 Multiplicativity

Fuw-Yi Yang 37

We have described various attacks (low-exponent, multiplicativity) on RSA. However, RSA is not semantically secure or secure against chosen ciphertext attacks even if all parameters are chosen in a way that the described attacks are impossible. As we have seen in Section 3.3.2 RSA must be at least randomized.

The RSA variant that is considered as secure can be found in the standard PKCS# 1. It is based on OAEP (optimal asymmetric encryption protocol). In principle, that protocol works as follows.

8.3 RSA Cryptosystem 8.3.11 Secure RSA

Fuw-Yi Yang 38

Let k be a positive integer such that the maximum running time that a realistic attacker is able to use is considerably smaller than 2k. Let b be the binary length of the RSA modulus. Hence, b 1024. Set l = b - k - 1. G: {0, 1}k {0, 1}l (expansion function) and H: {0, 1}l {0, 1}k (compression function) are publicly known. The plaintext space is {0, 1}l.


Fuw-Yi Yang 39

If a plaintext m {0, 1}l is encrypted, then a random number r {0, 1}k is chosen. The ciphertext is c = [ (m G(r)) || (r H(m G(r)) ) ]e mod n.

In order to decrypt, the receiver computes

cd = [ (m G(r)) || (r H(m G(r)) ) ] mod n.

r = (r H(m G(r)) ) H(m G(r))

m = G(r) m G(r)

If G and H are random functions, then this scheme is provably secure against chosen ciphertext attacks provided that inverting the RSA function is infeasible.


Fuw-Yi Yang 40

We explain how the RSA cryptosystem can be generalized. The public key consists of finite group G and an encryption exponent e, which is prime to the order o of G. In the case of RSA, this group is (Z/nZ)*, where n is an RSA modulus. The secret key is an integer d with ed = 1 mod o the order o of G. Clearly, the order o of the group G must also be kept secret since otherwise the secret key d can be determined by solving the congruence ed = 1 mod o. Variants of RSA are known, but they all become insecure if factoring integers turns out to be easy. Hence, the factoring problem for integers is so far the only mathematical problem on which RSA-type cryptosystems are based.

8.3 RSA Cryptosystem 8.3.12 Generalization

Fuw-Yi Yang 41

The security of the RSA system is related to the difficulty of factoring integers. It is, however, not known if RSA is as difficult as factoring integers, i.e. if being able to break RSA implies the ability of factoring integers.

The security of the Rabin system is also based on the difficulty of factoring integers. But in contrast to RSA, it can be shown that anyone who can break the Rabin system efficiently can also efficiently factor integers.

8.4 Rabin Encryption

Fuw-Yi Yang 42

Alice chooses randomly two large prime numbers p and q with p = q = 3 mod 4. Alice computes n = pq. Her public key is n. Her secret key is the pair (p, q).

8.4 Rabin Encryption 8.4.1 Key Generation

Fuw-Yi Yang 43

The plaintext space is the set {0, 1, …, n-1}. To encrypt the plaintext m {0, 1, …, n-1}, Bob uses the public key n of Alice and computes c = m2 mod n. The ciphertext is c.

Like RSA, the Rabin system can be used to implement a kind of block cipher.

8.4 Rabin Encryption 8.4.2 Encryption

Fuw-Yi Yang 44

Suppose that n = pq, where p and q are distinct odd primes with p = q = 3 mod 4. The solutions of x2 = a mod p and x2 = a mod q are x = a(p+1)/4 mod p and x = a(q+1)/4 mod q respectively.

Definition. If m is a positive integer, we say that the integer a is a quadratic residue of m if gcd(a, m) = 1 and the congruence x2 = a mod m has a solution. If the congruence x2 = a mod m has no solution, we say that the integer a is a quadratic nonresidue of m. (Chapter 11 of Elementary Number Theory, Rosen)

8.4 Rabin Encryption 8.4.3 Decryption

Fuw-Yi Yang 45

Lemma 11.1 Let p be an odd prime and a an integer not divisible by p. Then the congruence x2 = a mod p has either no solution or exactly two congruent solutions modulo p. Proof. 1. x2 = a mod p has a solution, say x = x0, then x = -x0 is a second incongruent solution. If x0 = -x0 then 2x0 = 0 mod p p|2x0 p|x0 p|x0 p|a. But p|x0 is impossible because a is an integer not divisible by p.

Next page will show that there are no more than two incongruent solutions.


Fuw-Yi Yang 46

2. Assume that x = x0 and x = x1 are both solutions of x2 = a mod p. Then we have x0

2 = x12 = a mod p, so that (x0 + x1)(x0 - x1) = 0 mod p.

Hence p|(x0 + x1) or p|(x0 - x1), so that x0 = x1 mod p or x0 = -x1 mod p. Therefore, if there is a solution of x2 = a mod p, there are exactly two incongruent solutions modulo p. Endofproof(Chapter 11 of Elementary Number Theory, Rosen)


Fuw-Yi Yang 47

Definition. Let p be an odd prime and a an integer not divisible by p. The Legendre symbol is defined by

= 1 if a is a quadratic residue of p,

= -1 if a is a quadratic nonresidue of p.

Theorem 11.3 Euler’s Criterion Let p be an odd prime and a an integer not divisible by p. Then the Legendre symbol is calculated by = a(p-1)/2 mod p.Proof.(Chapter 11 of Elementary Number Theory, Rosen)


p

a

p

a

p

a

p

a

Fuw-Yi Yang 48

1. Assume that = 1, then the congruence x2 = a mod p has a solution, say x0. Then a(p-1)/2 = x0

2(p-1)/2 = x0(p-1) = 1 mod p. (Fermat’s little theorem)

2. Assume that = -1, then the congruence x2 = a mod p has no solution. By Theorem 4.10 ax = b mod m has no solution if gcd(a, m) cannot divide b. Thus we have ij = a mod p. (because gcd(a, p) = 1, i = 1, 2 ,…,p-1 )

3. Since x2 = a mod p has no solution, thus i j. We group the integers 1, 2 ,…,p-1 into (p-1)/2 pairs, each with product a. Multiplying these pairs together, we find that (p-1)! = a(p-1)/2 = -1 mod p. (By Wilson’s Theorem) endofproof (Chapter 11 of Elementary Number Theory, Rosen)


p

a

p

a

Fuw-Yi Yang 49

Wilson’s Theorem (p-1)! = -1 mod p1. p = 2, (p-1)! = 1 = -1 mod 2.2. Let p be a prime greater than 2. Every integer a {2, 3, …, p-2}, there is an inverse a' with a a' = 1mod p. There are p-3 elements in the set {2, 3, …, p-2}. Hence, they can be grouped into (p-3)/2 pairs with the product of each pair congruent to 1 modulo p.3. The inverse of 1 is itself. Also the inverse of (p-1) is (p-1).4. (p-1)! = 1 * 2 * 3 *…* (p-3) * (p-2) * (p-1) = 1 * (p-1) = -1 mod p. endofproof (Chapter 11 of Elementary Number Theory, Rosen)


Fuw-Yi Yang 50

Now we can show that The solutions of x2 = a mod p and x2 = a mod q are x = a(p+1)/4 mod p and x = a(q+1)/4 mod q respectively.

1. By Euler’s Criterion, we have

= a(p-1)/2 = 1 mod p, = a(q-1)/2 = 1 mod q, so that a is a

quadratic residue of both p and q.

2. (a(p+1)/4)2 = a(p+1)/2 = a(p-1)/2 a = a mod p, (a(q+1)/4)2 = a(q+1)/2 = a(q-1)/2 a = a mod q.

3. Using CRT.

(Chapter 11 of Elementary Number Theory, Rosen)


p

a

q

a

Fuw-Yi Yang 51

Alice computes the plaintext m from the ciphertext c by extracting square roots. She proceeds as follows.

mp = c(p+1)/4 mod p, mq = c(q+1)/4 mod q.

Then mp + pZ are the two square roots of c + pZ in Z/pZ, and mq + qZ are the two square roots of c + qZ in Z/qZ.

Using the extended euclidean algorithm, Alice determines yp and yq in integer with ypp + yqq = 1.

Then r = mqypp + mpyqq mod n, s = mqypp - mpyqq mod n.

It is easy to verify that r, s are the four square roots of c mod n in the set {0, 1, …, n-1}. One of those square roots must be the original message m.


Fuw-Yi Yang 52

Example 8.4.1 Alice uses the prime numbers p = 11 and q = 23. Then n = 253. Bob encrypts the message m = 158.

He computes c = m2 mod n = 170. Alice determines yp = -2 and yq = 1 with ypp + yqq = 1.

mp = c(p+1)/4 mod p = 1703 = mod 11 = 4, mq = c(q+1)/4 mod q = 1703 = mod 23 = 3. r = mqypp + mpyqq mod n = 3 * -2 * 11 + 4 * 1 * 23 = 26 mod 253. s = mqypp - mpyqq mod n = 3 * -2 * 11 - 4 * 1 * 23 = 95 mod 253.

The four square roots of c mod n are 26, 95, 227, 158. One of those square roots is the original plaintext.


Fuw-Yi Yang 53

In the Rabin system, encryption only requires one squaring, so Rabin encryption is more efficient than RSA encryption. Decryption in the Rabin system is as expensive as RSA decryption with the CRT.

8.4 Rabin Encryption 8.4.4 Efficiency

Fuw-Yi Yang 54

We show that breaking the Rabin system with ciphertext-only attack is as difficult as factoring the Rabin modulus. Let R be the algorithm that breaks the Rabin system. Given c {0, 1, …, n-1} such that c + nZ is a square in (Z/nZ)*, it computes m = R(c) {0, 1, …, n-1}, which is the original plaintext.

The procedure is as follows: next page

8.4 Rabin Encryption 8.4.5 Security against ciphertext-only attacks

Fuw-Yi Yang 55

1. Chooses a random integer x {0, 1, …, n-1}.2. If gcd(x, n) 1, then we find one of the prime factors of n. 3. c = m2 mod n and m = R(c).4. We have m = x mod p and m = x mod q, m = x, gcd(m-x, n) = n m = -x mod p and m = -x mod q, m = -x, gcd(m-x, n) = gcd(-2x, n) = 1 (gcd(x, n) = 1) m = x mod p and m = -x mod q, gcd(m-x, n) = p (m - x = kp) m = -x mod p and m = x mod q. gcd(m-x, n) =q (m - x = kq)

Since x has been chosen at random with equidistribution, each of the cases has the same probability. Therefore, this procedure factors n with probability at least 1/2.


Fuw-Yi Yang 56

Example 8.4.2 Alice uses the prime numbers p = 11 and q = 23. Suppose Oscar is able to compute square roots modulo 253 with algorithm R.1.He chooses a random integer x = 17 {0, 1, …, n-1}.2. If gcd(x, n) = 1. 3. c = m2 mod n = 172 mod 253 = 36.4. The square roots of 36 mod 253 are 6, 17, 236, 247 (By R(c)).5. We have gcd(6-17, 253) = 11, gcd(247-17, 253) = 23.


Fuw-Yi Yang 57

We describe the protocol of Diffie and Hellman for exchanging secret keys over insecure channels.

This protocol itself is not a public-key cryptosystem, but it is the basis for the ElGamal system.

The situation is the following. Alice and Bob wish to use a symmetric encryption system to keep their communication over an insecure channel secret. Initially, Alice and Bob must exchange a secret key. The Diffie Hellman key exchange system enables Alice and Bob to use their insecure channel for this key exchange.

8.5 Diffie-Hellman Key Exchange

Fuw-Yi Yang 58

Everybody can listen to the key exchange but the information obtained cannot be used to construct the secret key.

The protocol of Diffie and Hellman is a milestone in public-key cryptography. The security of the Diffie-Hellman key exchange is not based on the factoring problem for integers but on the discrete logarithm problem (DLP). We introduce it in the next section.

8.5 Diffie-Hellman Key Exchange

Fuw-Yi Yang 59

Let p be a prime number. By the Corollary 2.22.1, the group (Z/pZ)* is cyclic of order p-1. Let g be a primitive root mod p. Then for any integer A {1, 2, …, p-1} there is an exponent a {0, 1, …, p-2} with A = ga mod p. This exponent a is called the discrete logarithm of A to the base g.

We write a = loggA. The computation of discrete logarithm is considered to be difficult. No efficient algorithm for solving this problem is known. But on the other hand, there is no proof that this problem is in fact difficult. (We will discuss DLP in Chapter 10)

8.5 Diffie-Hellman Key Exchange 8.5.1 Discrete Logarithms

Fuw-Yi Yang 60

Example 8.5.1 Let p = 13. A primitive root mod 13 is 2. (g = 2)The discrete logarithms of all integer in {1, 2, …, 12} to the base 2 are listed below.


A 1 2 3 4 5 6 7 8 9 10 11 12

loggA 0 1 4 2 9 5 11 3 8 10 7 6

Fuw-Yi Yang 61

Example 8.5.2 Consider the additive group Z/nZ for a positive integer n. It is cyclic of order n (neutral element 0). A generator of this group is the residue class 1 + nZ. Let A {0, 1, …, n-1}. The discrete logarithm a of A + nZ to the base 1 + nZ satisfies the congruence A = a mod n. Hence, a = A.

The other generators of Z/nZ are the residue class g + nZ with gcd(g, n) =1. The discrete logarithm a of A + nZ to the base g + nZ satisfies the congruence A = ag mod n.

This congruence can be solved with the extended euclidean algorithm. Therefore, in Z/nZ, discrete logarithms can be computed very efficiently. This group cannot be used for implementing a secure Diffie-Hellman key exchange protocol.


Fuw-Yi Yang 62

1. Alice and Bob agree on a large prime number p and an integer g with 2 g p-2 such that the order of g mod p is sufficiently high.

2. The prime p and the primitive root g can be publicly known.

3. Alice chooses an integer a {0, 1, …, p-2} randomly. Compute A = ga mod p and sends the result A to Bob, but keeps the exponent a secret.

4. Bob chooses an integer b {0, 1, …, p-2} randomly. Compute B = gb mod p and sends the result B to Alice. He also keeps the exponent b secret.

5. The common secret key is: Alice computes Ba = gab mod p;

Bob computes Ab = gab mod p.

8.5 Diffie-Hellman Key Exchange 8.5.2 Key exchange

Fuw-Yi Yang 63

Like several other cryptographic protocols, the Diffie-Hellman key exchange protocol requires the computation of an integer g whose order mod p is sufficiently high.

8.5 Diffie-Hellman Key Exchange 8.5.3 Selection of g

Fuw-Yi Yang 64

The eavesdropper, Oscar, learns the integers p, g, A, and B but not the discrete logarithm a of A and b of B to the base g. He wants to determine the secret key K = gab mod p from p, g, A, and B. This is called the Diffie-Hellman problem.

If Oscar can compute discrete logarithms mod p, he can also solve the Diffie-Hellman problem. This is the only known method for breaking the Diffie-Hellman protocol.

So far, nobody has been able to prove that if Oscar can break the Diffie-Hellman problem he can also efficiently compute discrete logarithms mod p. It is an important open problem of public-key cryptography to find such a proof.

8.5 Diffie-Hellman Key Exchange 8.5.4 Security

Fuw-Yi Yang 65

As long as the Diffie-Hellman problem is difficult to solve, no eavesdropper can determine the secret key from the publicly known information.

Also, if the decision Diffie-Hellman problem is intractable, then an attacker cannot obtain any relevant information from the publicly known information.

That problem is the following. Given ga mod p, gb mod p, and gc mod p, decide whether

gc = gab mod p.

Another attack on the Diffie-Hellman protocol is the man in the middle attack.

8.5 Diffie-Hellman Key Exchange 8.5.4 Security

Fuw-Yi Yang 66

A secure and efficient Diffie-Hellman key exchange protocol can be implemented in all cyclic groups in which the Diffie-Hellman problem is difficult to solve and for which the group operations can be efficiently implemented.

8.5 Diffie-Hellman Key Exchange 8.5.5 Other groups

Fuw-Yi Yang 67

The ElGamal cryptosystem is closely connected to the Diffie-Hellman key exchange. Its security is also based on the difficulty of solving the Diffie-Hellman problem in (Z/pZ)*.

8.6 ElGamal Encryption

Fuw-Yi Yang 68

Alice chooses a prime number p and a primitive root g mod p whose order mod p is sufficiently high.

Then he chooses a random exponent a {0, 1, …, p-2} and computes A = ga mod p.

The public key of Alice is (p, g, A). The secret key is the exponent a.

8.6 ElGamal Encryption 8.6.1 Key generation

Fuw-Yi Yang 69

The plaintext space is the set {0, 1, …, p-1}. To encrypt a plaintext m, Bob gets the authentic public key (p, g, A) of Alice. Then he chooses a random integer b {1, 2, …, p-2} and computes B = gb mod p, c = mAb mod p.

The ciphertext is the pair (B, c).

Note that c is the product of plaintext m and the Diffie-Hellman key Ab. The number B is Bob’s key part from the Diffie-Hellman system.

8.6 ElGamal Encryption 8.6.2 Encryption

Fuw-Yi Yang 70

Alice has obtained the pair (B, c). To reconstruct the plaintext m, she divides c by the Diffie-Hellman key Ba mod p. Namely, m = c / Ba mod p, or m = c B-a = c B p-1-a mod p.

Example 8.6.1 p =23, g =7, a =6, A = ga = 76 = 4 mod 23.

Public key is (p, g, A) = (23, 7, 4). Secret Key is 6.

Encryption: Bob chooses a plaintext m= 7, random integer b = 3. B = gb = 73 = 21 mod 23, c = mAb = 7 * 43 = 11 mod 23. The ciphertext is the pair (B, c) = (21, 11).

Decryption: Alice computes m = c B p-1-a = 11 * 2116 = 7 mod 23.

8.6 ElGamal Encryption 8.6.3 Decryption

Fuw-Yi Yang 71

ElGamal decryption like RSA decryption, requires one modular exponentiation.

ElGamal encryption requires two modular exponentiations. RSA encryption requires only one modular exponentiation.

But the exponentiations for the ElGamal encryption are independent of the plaintext that is actually encrypted. Therefore, those exponentiations can be carried out as precomputations.

In the ElGamal cryptosystem, the ciphertext is twice as long as the plaintext. This is called message expansion and is a disadvantage. On the other hand, the ElGamal cryptosystem is a randomized cryptosystem, which can be regarded as an advantage.

8.6 ElGamal Encryption 8.6.4 Efficiency

Fuw-Yi Yang 72

If the attacker, Oscar, can compute discrete logarithms mod p, then he can break the ElGamal system. It is, however, not known whether being able to break ElGamal implies the ability to compute efficiently discrete logarithms mod p.

However, breaking the ElGamal cryptosystem and breaking the Diffie-Hellman key exchange protocol are equally difficult.See next page

8.6 ElGamal Encryption 8.6.5 ElGamal and Diffie-Hellman

Fuw-Yi Yang 73

1. Assume that Oscar can break the Diffie-Hellman key exchange system. Namely, given that p, g, A, and B, Oscar can compute k = gab mod p. Then given the ciphertext (B, c) and public information (p, g, A) of Alice. Oscar can compute k = gab mod p, and m = c / k .

2. Assume that Oscar can break the ElGamal cryptosystem. That is, given the ciphertext (B, c) and public information (p, g, A) of Alice. Oscar can compute m. Since m = c / gab mod p, then Oscar can compute the number k = gab mod p. Thus breaking the Diffie-Hellman key exchange system.

8.6 ElGamal Encryption 8.6.5 ElGamal and Diffie-Hellman

Fuw-Yi Yang 74

To prevent the application of the known DL algorithms (Chaper 10) , the prime number p must be at least of binary length 512. Furthermore, to prevent the application of DL algorithms such as the Pohlig-Hellman algorithm or the number field sieve, which work efficiently for prime numbers of a special form, such primes must be avoided.

It appears best to choose the prime p randomly with equidistribution from all primes of a certain length.

8.6 ElGamal Encryption 8.6.6 Choice of parameters

Fuw-Yi Yang 75

The ElGamal encryption algorithm is randomized by using a random exponent b. If a plaintext m is encrypted, the ciphertext is

(B = gb mod p, c = mAb mod p),

where b is a random number in {1, 2, …, p-2} chosen with the uniform distribution. Hence the ciphertext (B, c) is a uniform distributed random pair in {1, 2, …, p-1}2, provided that A is a primitive root mod p; that is gcd(a, p-1) = 1.

8.6 ElGamal Encryption 8.6.7 ElGamal is randomized

Fuw-Yi Yang 76

By virtue of this randomization the ElGamal public-key cryptosystem is semantically secure as long as the decision Diffie-Hellman problem is intractable.

However, the ElGamal public-key cryptosystem is malleable; that is, the attacker can change the ciphertext in such a way that the plaintext is changed in a controlled way.In fact, if (B, c) is the ciphertext that corresponds to the plaintext m, then, (B, cx) is the ciphertext that corresponds to the plaintext mx, for any x {0, 1, …, p-1}.

8.6 ElGamal Encryption 8.6.7 ElGamal is randomized

Fuw-Yi Yang 77

An important advantage of the ElGamal system is the fact that it can be implemented in any cyclic group. The only requirements are that computation in that group be efficient and the Diffie-Hellman problem be difficult.

It is very important that the ElGamal system can be implemented in other groups because nobody knows whether the discrete logarithm problem in (Z/pZ)* is difficult. If someone finds an efficient DL algorithm for (Z/pZ)*, then one can switch to another group in which the DL problem is still infeasible.

8.6 ElGamal Encryption 8.6.8 Generalization

textbook: introduction to cryptography 2nd ed. by j.a. buchmann

Documents