Cryptography and Network Security
Chapter 10
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 10 – Other Public Key Cryptosystems
Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of the group. This secret name is never mentioned except upon the most solemn occasions; to utter it in the hearing of men of another group would be a most serious breach of tribal custom. When mentioned at all, the name is spoken only in a whisper, and not until the most elaborate precautions have been taken that it shall be heard by no one but members of the group. The native thinks that a stranger knowing his secret name would have special power to work him ill by means of magic.
—The Golden Bough, Sir James George Frazer
Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the exposition of public key concepts
  • note: it is now known that Williamson (UK CESG) secretly proposed the concept in 1970
• is a practical method for public exchange of a secret key
• used in a number of commercial products
Diffie-Hellman Key Exchange
• a public-key distribution scheme
  • cannot be used to exchange an arbitrary message
  • rather it can establish a common key
  • known only to the two participants
• value of key depends on the participants (and their private and public key information)
• based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard
Diffie-Hellman Setup
• all users agree on global parameters:
  • large prime integer or polynomial q
  • a being a primitive root mod q
• each user (eg. A) generates their key
  • chooses a secret key (number): x_A < q
  • computes their public key: y_A = a^{x_A} mod q
• each user makes public that key y_A
Diffie-Hellman Key Exchange
• shared session key for users A & B is K_AB:
  K_AB = a^{x_A x_B} mod q
       = y_A^{x_B} mod q (which B can compute)
       = y_B^{x_A} mod q (which A can compute)
• K_AB is used as session key in private-key encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
• attacker needs an x, must solve discrete log
Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and a=3
• select random secret keys:
  • A chooses x_A=97, B chooses x_B=233
• compute respective public keys:
  • y_A = 3^97 mod 353 = 40 (Alice)
  • y_B = 3^233 mod 353 = 248 (Bob)
• compute shared session key as:
  • K_AB = y_B^{x_A} mod 353 = 248^97 mod 353 = 160 (Alice)
  • K_AB = y_A^{x_B} mod 353 = 40^233 mod 353 = 160 (Bob)
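The exchange on this slide worked in Python, as an added example that is not part of the original slides: it uses the slide's parameters q=353, a=3, x_A=97, x_B=233, adds the primitive-root check that the setup slide requires of a, and rejects the degenerate public values 1 and q-1, which would fix the shared key regardless of the private exponent.

```python
# Added example (not from the slides): Diffie-Hellman with the slide's
# parameters q=353, a=3, x_A=97, x_B=233, plus the setup-slide requirement
# that a be a primitive root mod q and a sanity check on received values.

from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for a small q)."""
    factors = set()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a, q):
    """a is a primitive root mod prime q iff a^((q-1)/p) != 1 for every
    prime p dividing q-1; a then generates the whole multiplicative group."""
    if gcd(a, q) != 1:
        return False
    return all(pow(a, (q - 1) // p, q) != 1 for p in prime_factors(q - 1))


def public_key(a, q, x):
    """y = a^x mod q (the 'easy' direction: modular exponentiation)."""
    if not 1 <= x < q:
        raise ValueError("private exponent must satisfy 1 <= x < q")
    return pow(a, x, q)


def shared_key(q, their_public, my_private):
    """K = y_other^x_mine mod q; both sides obtain a^(x_A x_B) mod q."""
    # A public value of 1 or q-1 forces K into {1, q-1} whatever the private
    # exponent is, so an implementation should refuse such values outright.
    if not 1 < their_public < q - 1:
        raise ValueError("received public value is outside (1, q-1)")
    return pow(their_public, my_private, q)


def diffie_hellman_demo(q=353, a=3, x_a=97, x_b=233):
    """Run the exchange end to end; returns (y_A, y_B, K_A, K_B)."""
    if not is_primitive_root(a, q):
        raise ValueError("generator must be a primitive root mod q")
    y_a = public_key(a, q, x_a)        # Alice publishes y_A
    y_b = public_key(a, q, x_b)        # Bob publishes y_B
    k_a = shared_key(q, y_b, x_a)      # Alice: y_B^x_A mod q
    k_b = shared_key(q, y_a, x_b)      # Bob:   y_A^x_B mod q
    return y_a, y_b, k_a, k_b


if __name__ == "__main__":
    y_a, y_b, k_a, k_b = diffie_hellman_demo()
    print(f"y_A={y_a} y_B={y_b} K_AB(Alice)={k_a} K_AB(Bob)={k_b}")
```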
Key Exchange Protocols
• users could create random private/public D-H keys each time they communicate
• users could create a known private/public D-H key and publish it in a directory, which others then consult and use to securely communicate with them
• both of these are vulnerable to a Man-in-the-Middle Attack
• authentication of the keys is needed
Man-in-the-Middle Attack
1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to Bob. Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key (with Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key (with Darth instead of Bob)
• Darth can then intercept, decrypt, re-encrypt, forward all messages between Alice & Bob
ElGamal Cryptography
• public-key cryptosystem related to D-H
• uses exponentiation in a finite field
• with security based on the difficulty of computing discrete logarithms, as in D-H
• each user (eg. A) generates their key
  • chooses a secret key (number): 1 < x_A < q-1
  • computes their public key: y_A = a^{x_A} mod q
ElGamal Message Exchange
• Bob encrypts a message to send to A computing
  • represent message M in range 0 <= M <= q-1
    • longer messages must be sent as blocks
  • choose random integer k with 1 <= k <= q-1
  • compute one-time key K = y_A^k mod q
  • encrypt M as a pair of integers (C_1, C_2) where
    • C_1 = a^k mod q ; C_2 = KM mod q
• A then recovers message by
  • recovering key K as K = C_1^{x_A} mod q
  • computing M as M = C_2 K^{-1} mod q
• a unique k must be used each time
  • otherwise result is insecure
ElGamal Example
• use field GF(19) q=19 and a=10
• Alice computes her key:
  • A chooses x_A=5 & computes y_A = 10^5 mod 19 = 3
• Bob sends message M=17 as (11,5) by
  • choosing random k=6
  • computing K = y_A^k mod q = 3^6 mod 19 = 7
  • computing C_1 = a^k mod q = 10^6 mod 19 = 11; C_2 = KM mod q = 7 × 17 mod 19 = 5
• Alice recovers original message by computing:
  • recover K = C_1^{x_A} mod q = 11^5 mod 19 = 7
  • compute inverse K^{-1} = 7^{-1} = 11
  • recover M = C_2 K^{-1} mod q = 5 × 11 mod 19 = 17
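The same example in Python, added here and not part of the original slides: key generation, encryption and decryption with q=19, a=10, x_A=5, k=6, M=17, plus a function showing why the previous slide insists on a fresh k for every message. The second plaintext M'=4 and the random-k path are my own additions.

```python
# Added example (not from the slides): ElGamal over GF(19) with the slide's
# values (a=10, x_A=5, k=6, M=17) and a check of the warning that k must
# never be reused.

import secrets


def keygen(q, a, x_a):
    """Private key x_A with 1 < x_A < q-1; public key y_A = a^x_A mod q."""
    if not 1 < x_a < q - 1:
        raise ValueError("private key must satisfy 1 < x_A < q-1")
    return x_a, pow(a, x_a, q)


def encrypt(q, a, y_a, m, k=None):
    """Return (C1, C2) = (a^k mod q, K*M mod q) with one-time key K = y_A^k."""
    if not 0 <= m <= q - 1:
        raise ValueError("message must satisfy 0 <= M <= q-1 (else send blocks)")
    if k is None:                          # fresh random k for every message
        k = 1 + secrets.randbelow(q - 1)   # 1 <= k <= q-1
    K = pow(y_a, k, q)
    return pow(a, k, q), (K * m) % q


def decrypt(q, x_a, c1, c2):
    """K = C1^x_A mod q, then M = C2 * K^-1 mod q."""
    K = pow(c1, x_a, q)
    k_inv = pow(K, -1, q)                  # modular inverse (Python 3.8+)
    return (c2 * k_inv) % q


def second_plaintext_from_reused_k(q, c2_first, m_first, c2_second):
    """Why k must be unique: with the same k both ciphertexts share K, so
    C2'/C2 = M'/M mod q and knowing one plaintext exposes the other.
    (A repeated C1 is the tell-tale sign that k was reused.)"""
    return (c2_second * m_first * pow(c2_first, -1, q)) % q


def elgamal_demo(q=19, a=10, x_a=5, m=17, k=6):
    """Run the slide's example; returns (y_A, C1, C2, recovered M)."""
    x_a, y_a = keygen(q, a, x_a)
    c1, c2 = encrypt(q, a, y_a, m, k)
    return y_a, c1, c2, decrypt(q, x_a, c1, c2)


if __name__ == "__main__":
    print(elgamal_demo())   # (3, 11, 5, 17)
```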
Elliptic Curve Cryptography
• majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
• imposes a significant load in storing and processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes
• newer, but not as well analysed
Real Elliptic Curves
• an elliptic curve is defined by an equation in two variables x & y, with coefficients
• consider a cubic elliptic curve of form
  • y^2 = x^3 + ax + b
  • where x,y,a,b are all real numbers
  • also define zero point O
• consider set of points E(a,b) that satisfy the equation
• have addition operation for elliptic curve
  • geometrically sum of P+Q is reflection of the intersection R

Real Elliptic Curve Example
Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose variables & coefficients are finite
• have two families commonly used:
  • prime curves E_p(a,b) defined over Z_p
    • use integers modulo a prime
    • best in software
  • binary curves E_{2^m}(a,b) defined over GF(2^n)
    • use polynomials with binary coefficients
    • best in hardware
Elliptic Curve Cryptography
• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo exponentiation
• need “hard” problem equiv to discrete log
  • Q=kP, where Q,P belong to a prime curve
  • is “easy” to compute Q given k,P
  • but “hard” to find k given Q,P
  • known as the elliptic curve logarithm problem
• Certicom example: E_23(9,17)
ECC Diffie-Hellman
• can do key exchange analogous to D-H
• users select a suitable curve E_q(a,b)
• select base point G=(x_1,y_1)
  • with large order n s.t. nG=O
• A & B select private keys n_A<n, n_B<n
• compute public keys: P_A = n_A G, P_B = n_B G
• compute shared key: K = n_A P_B, K = n_B P_A
  • same since K = n_A n_B G
• attacker would need to find k, hard
ECC Encryption/Decryption
• several alternatives, will consider simplest
• must first encode any message M as a point on the elliptic curve P_m
• select suitable curve & point G as in D-H
• each user chooses private key n_A<n
• and computes public key P_A = n_A G
• to encrypt P_m: C_m = {kG, P_m + kP_B}, k random
• decrypt C_m compute:
  P_m + kP_B - n_B(kG) = P_m + k(n_B G) - n_B(kG) = P_m
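An added example, not from the slides, that implements prime-curve arithmetic on the Certicom curve E_23(9,17) named on the earlier ECC slide and uses it for the elliptic curve logarithm Q=kP, for ECC Diffie-Hellman, and for the encryption and decryption on this slide. The base point G=(16,5), the private keys, the random k and the plaintext point are my own assumptions, not values from the slides.

```python
# Added example (not from the slides): E_23(9,17), i.e. y^2 = x^3 + 9x + 17
# (mod 23), with chord-and-tangent addition, double-and-add multiplication,
# a brute-force elliptic curve logarithm, ECC Diffie-Hellman and the simple
# ECC encryption C_m = {kG, P_m + kP_B}. G = (16, 5) is an assumed base point.

O = None   # the point at infinity (zero point O)


class PrimeCurve:
    """E_p(a,b): points (x, y) with y^2 = x^3 + ax + b (mod p), plus O."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def on_curve(self, pt):
        if pt is O:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, pt):
        return O if pt is O else (pt[0], (-pt[1]) % self.p)

    def add(self, P, Q):
        """Point addition; the analogue of modular multiplication."""
        if P is O:
            return Q
        if Q is O:
            return P
        (x1, y1), (x2, y2) = P, Q
        p = self.p
        if x1 == x2 and (y1 + y2) % p == 0:
            return O                                              # P + (-P)
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p  # tangent
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p              # chord
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """kP by double-and-add; the analogue of modular exponentiation."""
        R, addend = O, P
        while k > 0:
            if k & 1:
                R = self.add(R, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return R

    def order(self, P):
        """Smallest n > 0 with nP = O (brute force; fine for a toy curve)."""
        n, R = 1, P
        while R is not O:
            R = self.add(R, P)
            n += 1
        return n


def ec_log_bruteforce(curve, P, Q):
    """Find k with Q = kP by stepping through the multiples of P: the 'hard'
    direction, feasible only because this curve is tiny. None if no such k."""
    R = P
    for k in range(1, curve.order(P)):
        if R == Q:
            return k
        R = curve.add(R, P)
    return None


def ecdh(curve, G, n_a, n_b):
    """ECC Diffie-Hellman: P_A = n_A G, P_B = n_B G; returns (n_A P_B, n_B P_A)."""
    P_A, P_B = curve.mul(n_a, G), curve.mul(n_b, G)
    return curve.mul(n_a, P_B), curve.mul(n_b, P_A)


def ec_encrypt(curve, G, P_B, P_m, k):
    """C_m = {kG, P_m + kP_B} for a message already encoded as point P_m."""
    return curve.mul(k, G), curve.add(P_m, curve.mul(k, P_B))


def ec_decrypt(curve, n_b, C_m):
    """P_m = (P_m + kP_B) - n_B(kG), since kP_B = k(n_B G) = n_B(kG)."""
    kG, Pm_plus_kPB = C_m
    return curve.add(Pm_plus_kPB, curve.neg(curve.mul(n_b, kG)))


E = PrimeCurve(23, 9, 17)
G = (16, 5)   # assumed base point: 16^3 + 9*16 + 17 = 2 = 5^2 (mod 23)

if __name__ == "__main__":
    print("9G =", E.mul(9, G), "order(G) =", E.order(G))
    print("ECDH shared keys:", ecdh(E, G, 3, 7))
```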
ECC Security
• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much smaller key sizes than with RSA etc
• for equivalent key lengths computations are roughly equivalent
• hence for similar security ECC offers significant computational advantages
Comparable Key Sizes for Equivalent Security

Symmetric scheme     ECC-based scheme      RSA/DSA
(key size in bits)   (size of n in bits)   (modulus size in bits)
56                   112                   512
80                   160                   1024
112                  224                   2048
128                  256                   3072
192                  384                   7680
256                  512                   15360
Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers
• asymmetric encryption algorithms produce apparently random output
• hence can be used to build a pseudorandom number generator (PRNG)
• much slower than symmetric algorithms
• hence only use to generate a short pseudorandom bit sequence (eg. key)
PRNG based on RSA
• have Micali-Schnorr PRNG using RSA
  • in ANSI X9.82 and ISO 18031
Summary
• have considered:
  • Diffie-Hellman key exchange
  • ElGamal cryptography
  • Elliptic Curve cryptography
  • Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers (RSA & ECC)

ch10_pkcs_nemo.pptxxczxczxczxczxczxczxczxczxczx

  • 1.
    Cryptography and Cryptography and NetworkSecurity Network Security Chapter 10 Chapter 10 Fifth Edition Fifth Edition by William Stallings by William Stallings Lecture slides by Lawrie Brown Lecture slides by Lawrie Brown
  • 2.
    Chapter 10 – Chapter10 – Other Public Key Other Public Key Cryptosystems Cryptosystems Amongst the tribes of Central Australia every man, woman, Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of which is known to none but the fully initiated members of the group. This secret name is never mentioned except the group. This secret name is never mentioned except upon the most solemn occasions; to utter it in the hearing of upon the most solemn occasions; to utter it in the hearing of men of another group would be a most serious breach of men of another group would be a most serious breach of tribal custom. When mentioned at all, the name is spoken tribal custom. When mentioned at all, the name is spoken only in a whisper, and not until the most elaborate only in a whisper, and not until the most elaborate precautions have been taken that it shall be heard by no precautions have been taken that it shall be heard by no one but members of the group. The native thinks that a one but members of the group. The native thinks that a stranger knowing his secret name would have special stranger knowing his secret name would have special power to work him ill by means of magic. power to work him ill by means of magic. — —The Golden Bough, The Golden Bough, Sir James George Frazer Sir James George Frazer
  • 3.
    Diffie-Hellman Key Exchange Diffie-HellmanKey Exchange  first public-key type scheme proposed first public-key type scheme proposed  by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the exposition of public key concepts exposition of public key concepts  note: now know that note: now know that Williamson Williamson (UK CESG) (UK CESG) secretly proposed the concept in 1970 secretly proposed the concept in 1970  is a practical method for public exchange is a practical method for public exchange of a secret key of a secret key  used in a number of commercial products used in a number of commercial products
  • 4.
    Diffie-Hellman Key Exchange Diffie-HellmanKey Exchange  a public-key distribution scheme a public-key distribution scheme  cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message  rather it can establish a common key rather it can establish a common key  known only to the two participants known only to the two participants  value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)  based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy (modulo a prime or a polynomial) - easy  security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard discrete logarithms (similar to factoring) – hard
  • 5.
    Diffie-Hellman Setup Diffie-Hellman Setup all users agree on global parameters: all users agree on global parameters:  large prime integer or polynomial large prime integer or polynomial q q  a a being a primitive root mod being a primitive root mod q q  each user (eg. A) generates their key each user (eg. A) generates their key  chooses a secret key (number): chooses a secret key (number): x xA A < q < q  compute their compute their public key public key: : y yA A = = a a x xA A mod q mod q  each user makes public that key each user makes public that key y yA A
  • 6.
    Diffie-Hellman Key Exchange Diffie-HellmanKey Exchange  shared session key for users A & B is K shared session key for users A & B is KAB AB: : K KAB AB = = a a x xA. A.x xB B mod q mod q = y = yA A x xB B mod q (which mod q (which B B can compute) can compute) = y = yB B x xA A mod q (which mod q (which A A can compute) can compute)  K KAB AB is used as session key in private-key is used as session key in private-key encryption scheme between Alice and Bob encryption scheme between Alice and Bob  if Alice and Bob subsequently communicate, if Alice and Bob subsequently communicate, they will have the they will have the same same key as before, unless key as before, unless they choose new public-keys they choose new public-keys  attacker needs an x, must solve discrete log attacker needs an x, must solve discrete log
  • 7.
    Diffie-Hellman Example Diffie-Hellman Example users Alice & Bob who wish to swap keys: users Alice & Bob who wish to swap keys:  agree on prime agree on prime q=353 q=353 and and a a=3 =3  select random secret keys: select random secret keys:  A chooses A chooses x xA A=97, =97, B chooses B chooses x xB B=233 =233  compute respective public keys: compute respective public keys:  y yA A= =3 3 97 97 mod 353 = 40 mod 353 = 40 (Alice) (Alice)  y yB B= =3 3 233 233 mod 353 = 248 mod 353 = 248(Bob) (Bob)  compute shared session key as: compute shared session key as:  K KAB AB= y = yB B x xA A mod 353 = mod 353 = 248 248 97 97 = 160 = 160 (Alice) (Alice)  K KAB AB= y = yA A x xB B mod 353 = mod 353 = 40 40 233 233 = 160 = 160 (Bob) (Bob)
  • 8.
    Key Exchange Protocols KeyExchange Protocols  users could create random private/public users could create random private/public D-H keys each time they communicate D-H keys each time they communicate  users could create a known private/public users could create a known private/public D-H key and publish in a directory, then D-H key and publish in a directory, then consulted and used to securely consulted and used to securely communicate with them communicate with them  both of these are vulnerable to a Man-in- both of these are vulnerable to a Man-in- the-Middle Attack the-Middle Attack  authentication of the keys is needed authentication of the keys is needed
  • 9.
    Man-in-the-Middle Attack Man-in-the-Middle Attack 1. 1.Darth prepares by creating two private / public keys Darth prepares by creating two private / public keys 2. 2. Alice transmits her public key to Bob Alice transmits her public key to Bob 3. 3. Darth intercepts this and transmits his first public key to Darth intercepts this and transmits his first public key to Bob. Darth also calculates a shared key with Alice Bob. Darth also calculates a shared key with Alice 4. 4. Bob receives the public key and calculates the shared key Bob receives the public key and calculates the shared key (with Darth instead of Alice) (with Darth instead of Alice) 5. 5. Bob transmits his public key to Alice Bob transmits his public key to Alice 6. 6. Darth intercepts this and transmits his second public key Darth intercepts this and transmits his second public key to Alice. Darth calculates a shared key with Bob to Alice. Darth calculates a shared key with Bob 7. 7. Alice receives the key and calculates the shared key (with Alice receives the key and calculates the shared key (with Darth instead of Bob) Darth instead of Bob)  Darth can then intercept, decrypt, re-encrypt, forward all Darth can then intercept, decrypt, re-encrypt, forward all messages between Alice & Bob messages between Alice & Bob
  • 10.
    ElGamal Cryptography ElGamal Cryptography public-key cryptosystem related to D-H public-key cryptosystem related to D-H  uses exponentiation in a finite field uses exponentiation in a finite field  with security based difficulty of computing with security based difficulty of computing discrete logarithms, as in D-H discrete logarithms, as in D-H  each user (eg. A) generates their key each user (eg. A) generates their key  chooses a secret key (number): chooses a secret key (number): 1 < 1 < x xA A < q-1 < q-1  compute their compute their public key public key: : y yA A = = a a x xA A mod q mod q
  • 11.
    ElGamal Message Exchange ElGamalMessage Exchange  Bob encrypts a message to send to A computing Bob encrypts a message to send to A computing  represent message represent message M M in range in range 0 <= M <= q-1 0 <= M <= q-1 • longer messages must be sent as blocks longer messages must be sent as blocks  chose random integer chose random integer k k with with 1 <= k <= q-1 1 <= k <= q-1  compute one-time key compute one-time key K = y K = yA A k k mod q mod q  encrypt M as a pair of integers encrypt M as a pair of integers (C (C1 1,C ,C2 2) ) where where • C C1 1 = = a a k k mod q ; mod q ; C C2 2 = KM mod q = KM mod q  A then recovers message by A then recovers message by  recovering key K as recovering key K as K = K = C C1 1 x xA A mod q mod q  computing M as computing M as M = C M = C2 2 K K-1 -1 mod q mod q  a unique k must be used each time a unique k must be used each time  otherwise result is insecure otherwise result is insecure
  • 12.
    ElGamal Example ElGamal Example use field GF(19) use field GF(19) q=19 q=19 and and a a=10 =10  Alice computes her key: Alice computes her key:  A chooses A chooses x xA A=5 & =5 & computes computes y yA A= =10 10 5 5 mod 19 = 3 mod 19 = 3  Bob send message Bob send message m=17 m=17 as as (11,5) (11,5) by by  chosing random chosing random k=6 k=6  computing computing K = y K = yA A k k mod q = 3 mod q = 3 6 6 mod 19 = 7 mod 19 = 7  computing computing C C1 1 = = a a k k mod q = 10 mod q = 10 6 6 mod 19 = 11; mod 19 = 11; C C2 2 = KM mod q = 7.17 mod 19 = 5 = KM mod q = 7.17 mod 19 = 5  Alice recovers original message by computing: Alice recovers original message by computing:  recover recover K = K = C C1 1 x xA A mod q = mod q = 11 11 5 5 mod 19 = 7 mod 19 = 7  compute inverse compute inverse K K-1 -1 = 7 = 7-1 -1 = 11 = 11  recover recover M = C M = C2 2 K K-1 -1 mod q = 5.11 mod 19 = 17 mod q = 5.11 mod 19 = 17
  • 13.
    Elliptic Curve Cryptography EllipticCurve Cryptography  majority of public-key crypto (RSA, D-H) majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic use either integer or polynomial arithmetic with very large numbers/polynomials with very large numbers/polynomials  imposes a significant load in storing and imposes a significant load in storing and processing keys and messages processing keys and messages  an alternative is to use elliptic curves an alternative is to use elliptic curves  offers same security with smaller bit sizes offers same security with smaller bit sizes  newer, but not as well analysed newer, but not as well analysed
  • 14.
    Real Elliptic Curves RealElliptic Curves  an an elliptic curve is defined by an elliptic curve is defined by an equation in two variables x & y, with equation in two variables x & y, with coefficients coefficients  consider a cubic elliptic curve of form consider a cubic elliptic curve of form  y y2 2 = = x x3 3 + + ax ax + + b b  where x,y,a,b are all real numbers where x,y,a,b are all real numbers  also define zero point O also define zero point O  consider set of points E(a,b) that satisfy consider set of points E(a,b) that satisfy  have addition operation for elliptic curve have addition operation for elliptic curve  geometrically sum of P+Q is reflection of the geometrically sum of P+Q is reflection of the intersection R intersection R
  • 15.
    Real Elliptic CurveExample Real Elliptic Curve Example
  • 16.
    Finite Elliptic Curves FiniteElliptic Curves  Elliptic curve cryptography uses curves Elliptic curve cryptography uses curves whose variables & coefficients are finite whose variables & coefficients are finite  have two families commonly used: have two families commonly used:  prime curves prime curves E Ep p(a,b) (a,b) defined over Z defined over Zp p • use integers modulo a prime use integers modulo a prime • best in software best in software  binary curves binary curves E E2 2m m(a,b) (a,b) defined over GF(2 defined over GF(2n n ) ) • use polynomials with binary coefficients use polynomials with binary coefficients • best in hardware best in hardware
  • 17.
    Elliptic Curve Cryptography EllipticCurve Cryptography  ECC addition is analog of modulo multiply ECC addition is analog of modulo multiply  ECC repeated addition is analog of ECC repeated addition is analog of modulo exponentiation modulo exponentiation  need “hard” problem equiv to discrete log need “hard” problem equiv to discrete log  Q=kP Q=kP, where Q,P belong to a prime curve , where Q,P belong to a prime curve  is “easy” to compute Q given k,P is “easy” to compute Q given k,P  but “hard” to find k given Q,P but “hard” to find k given Q,P  known as the elliptic curve logarithm problem known as the elliptic curve logarithm problem  Certicom example: Certicom example: E E23 23(9,17) (9,17)
  • 18.
    ECC Diffie-Hellman ECC Diffie-Hellman can do key exchange analogous to D-H can do key exchange analogous to D-H  users select a suitable curve users select a suitable curve E Eq q(a,b) (a,b)  select base point select base point G=(x G=(x1 1,y ,y1 1) )  with large order with large order n n s.t. s.t. nG=O nG=O  A & B select private keys A & B select private keys n nA A<n, n <n, nB B<n <n  compute public keys: compute public keys: P PA A=n =nA AG, G, P PB B=n =nB BG G  compute shared key: compute shared key: K K=n =nA AP PB B, , K K=n =nB BP PA A  same since same since K K=n =nA An nB BG G  attacker would need to find attacker would need to find k k, hard , hard
  • 19.
    ECC Encryption/Decryption ECC Encryption/Decryption several alternatives, will consider simplest several alternatives, will consider simplest  must first encode any message M as a point on must first encode any message M as a point on the elliptic curve P the elliptic curve Pm m  select suitable curve & point G as in D-H select suitable curve & point G as in D-H  each user chooses private key each user chooses private key n nA A<n <n  and computes public key and computes public key P PA A=n =nA AG G  to encrypt P to encrypt Pm m : : C Cm m={kG, P ={kG, Pm m+kP +kPb b} }, , k k random random  decrypt C decrypt Cm m compute: compute: P Pm m+ +k kP Pb b– –n nB B( (kG kG) = ) = P Pm m+ +k k( (n nB BG G)– )–n nB B( (kG kG) = ) = P Pm m
  • 20.
    ECC Security ECC Security relies on elliptic curve logarithm problem relies on elliptic curve logarithm problem  fastest method is “Pollard rho method” fastest method is “Pollard rho method”  compared to factoring, can use much compared to factoring, can use much smaller key sizes than with RSA etc smaller key sizes than with RSA etc  for equivalent key lengths computations for equivalent key lengths computations are roughly equivalent are roughly equivalent  hence for similar security ECC offers hence for similar security ECC offers significant computational advantages significant computational advantages
  • 21.
    Comparable Key Sizesfor Comparable Key Sizes for Equivalent Security Equivalent Security Symmetric scheme (key size in bits) ECC-based scheme (size of n in bits) RSA/DSA (modulus size in bits) 56 112 512 80 160 1024 112 224 2048 128 256 3072 192 384 7680 256 512 15360
  • 22.
    Pseudorandom Number Pseudorandom Number Generation(PRNG) based on Generation (PRNG) based on Asymmetric Ciphers Asymmetric Ciphers  asymmetric encryption algorithm produce asymmetric encryption algorithm produce apparently random output apparently random output  hence can be used to build a hence can be used to build a pseudorandom number generator (PRNG) pseudorandom number generator (PRNG)  much slower than symmetric algorithms much slower than symmetric algorithms  hence only use to generate a short hence only use to generate a short pseudorandom bit sequence (eg. key) pseudorandom bit sequence (eg. key)
  • 23.
PRNG based on RSA
 have Micali-Schnorr PRNG using RSA
 in ANSI X9.82 and ISO 18031
  • 24.
Summary
 have considered:
 Diffie-Hellman key exchange
 ElGamal cryptography
 Elliptic Curve cryptography
 Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers (RSA & ECC)

Editor's Notes

  • #1 Lecture slides by Lawrie Brown for “Cryptography and Network Security”, 5/e, by William Stallings, Chapter 10 – “Other Public Key Cryptosystems”.
  • #2 Opening quote.
  • #3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie-Hellman key exchange. This first published public-key algorithm appeared in the seminal paper by Diffie and Hellman that defined public-key cryptography [DIFF76b] and is generally referred to as Diffie-Hellman key exchange. The concept had been previously described in a classified report in 1970 by Williamson (UK CESG) - and subsequently declassified in 1987, see [ELLI99]. The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values. A number of commercial products employ this key exchange technique.
  • #4 The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values, which depends on the value of the public/private keys of the participants. The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial), and depends for its effectiveness on the difficulty of computing discrete logarithms.
  • #5 In the Diffie-Hellman key exchange algorithm, there are two publicly known numbers: a prime number q and an integer a that is a primitive root of q. The prime q and primitive root a can be common to all using some instance of the D-H scheme. Note that the primitive root a is a number whose powers successively generate all the elements mod q. Users Alice and Bob choose random secrets x's, and then "protect" them using exponentiation to create their public y's. For an attacker monitoring the exchange of the y's to recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard.
  • #6 The actual key exchange for either party consists of raising the other's "public key" to the power of their own private key. The resulting number (or as much of it as is necessary) is used as the key for a block cipher or other private key scheme. For an attacker to obtain the same value they need at least one of the secret numbers, which means solving a discrete log, which is computationally infeasible given large enough numbers. Note that if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys.
  • #7 Here is an example of Diffie-Hellman from the text using prime q = 353, showing how each computes its public key, and then how, after they exchange public keys, each can compute the common secret key. In this simple example, it would be possible by brute force to determine the secret key 160. In particular, an attacker E can determine the common key by discovering a solution to the equation 3^a mod 353 = 40 or the equation 3^b mod 353 = 248. The brute-force approach is to calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The desired answer is reached with the exponent value of 97, which gives 3^97 mod 353 = 40. With larger numbers, the problem becomes impractical.
  • #8, #9 Now consider a simple protocol that makes use of the Diffie-Hellman calculation. Suppose that user A wishes to set up a connection with user B and use a secret key to encrypt messages on that connection. User A can generate a one-time private key XA, calculate YA, and send that to user B. User B responds by generating a private value XB, calculating YB, and sending YB to user A. Both users can now calculate the key. The necessary public values q and a would need to be known ahead of time. Alternatively, user A could pick values for q and a and include those in the first message.
  • #10, #11 The protocol described on the previous slide is insecure against a man-in-the-middle attack. Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds as follows: (1) Darth prepares for the attack by generating two random private keys XD1 and XD2 and then computing the corresponding public keys YD1 and YD2. (2) Alice transmits YA to Bob. (3) Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = YA^XD2 mod q. (4) Bob receives YD1 and calculates K1 = YD1^XB mod q. (5) Bob transmits YB to Alice. (6) Darth intercepts YB and transmits YD2 to Alice. Darth calculates K1 = YB^XD1 mod q. (7) Alice receives YD2 and calculates K2 = YD2^XA mod q. At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret key K1 and Alice and Darth share secret key K2. All future communication between Bob and Alice is compromised in the following way: Alice sends an encrypted message M: E(K2, M). Darth intercepts the encrypted message and decrypts it, to recover M. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth simply wants to eavesdrop on the communication without altering it. In the second case, Darth wants to modify the message going to Bob. The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants. This vulnerability can be overcome with the use of digital signatures and public-key certificates.
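The Diffie-Hellman computation of notes #5–#7 and the unauthenticated exchange of note #10, worked through in Python as an added example (not code from the slides or the textbook). The parameters q = 353, a = 3, X_A = 97, Y_A = 40, Y_B = 248 and K = 160 are the notes' own values; Bob's private value is not shown in the notes, and the brute-force search recovers it as 233 from Y_B = 248. Darth's two secrets are drawn at random, as the note describes.

```python
"""Diffie-Hellman over Z_q with the textbook parameters from note #7 (q = 353,
a = 3, Y_A = 40, Y_B = 248, K = 160), the brute-force search note #7 describes,
and the unauthenticated exchange of note #10 with Darth in the middle.
Added example, not code from the slides; Darth's secrets are drawn at random."""
import secrets

Q, ALPHA = 353, 3            # public prime q and primitive root a (textbook values)

def dh_public(x, q=Q, a=ALPHA):
    """Y = a^X mod q: the value each party publishes."""
    return pow(a, x, q)

def dh_shared(y_other, x, q=Q):
    """K = Y_other^X mod q; both parties compute the same value."""
    return pow(y_other, x, q)

def brute_force_dlog(y, q=Q, a=ALPHA):
    """Smallest x with a^x mod q == y, found by stepping through powers of a
    (the attacker's approach in note #7; feasible only because q is tiny)."""
    acc = 1
    for x in range(1, q):
        acc = acc * a % q
        if acc == y:
            return x
    raise ValueError("no discrete logarithm found")

def mitm(x_a, x_b, q=Q, a=ALPHA):
    """Note #10: Darth replaces Y_A and Y_B with his own Y_D1 and Y_D2.
    Returns (K1 as Bob sees it, K1 as Darth sees it,
             K2 as Alice sees it, K2 as Darth sees it)."""
    x_d1 = secrets.randbelow(q - 2) + 1
    x_d2 = secrets.randbelow(q - 2) + 1
    y_a, y_b = dh_public(x_a, q, a), dh_public(x_b, q, a)
    y_d1, y_d2 = dh_public(x_d1, q, a), dh_public(x_d2, q, a)
    k1_bob = dh_shared(y_d1, x_b, q)       # Bob received Y_D1 instead of Y_A
    k1_darth = dh_shared(y_b, x_d1, q)
    k2_alice = dh_shared(y_d2, x_a, q)     # Alice received Y_D2 instead of Y_B
    k2_darth = dh_shared(y_a, x_d2, q)
    return k1_bob, k1_darth, k2_alice, k2_darth

if __name__ == "__main__":
    x_a = 97
    y_a, y_b = dh_public(x_a), 248            # Bob's Y_B as given in note #7
    x_b = brute_force_dlog(y_b)               # recovers Bob's private value
    print("Y_A =", y_a, "X_B =", x_b, "K =", dh_shared(y_b, x_a), dh_shared(y_a, x_b))
    print("MITM keys (Bob, Darth, Alice, Darth):", mitm(x_a, x_b))
```

The `mitm` function returns both sides' view of each key rather than a verdict: the point of note #10 is that every pairwise computation succeeds, so nothing in the arithmetic tells Alice or Bob that the peer is Darth; only authentication of Y_A and Y_B (signatures, certificates) closes the gap.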
  • #12 In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique [ELGA84, ELGA85]. The ElGamal cryptosystem is used in some form in a number of standards including the digital signature standard (DSS) and the S/MIME email standard. As with Diffie-Hellman, the global elements of ElGamal are a prime number q and a, which is a primitive root of q. User A generates a private/public key pair as shown. The security of ElGamal is based on the difficulty of computing discrete logarithms, to recover either x given y, or k given K (next slide).
  • #13 Any user B that has access to A's public key can encrypt a message as shown. These steps correspond to Figure 9.1a in that Alice generates a public/private key pair; Bob encrypts using Alice's public key; and Alice decrypts using her private key. See text for details of why these steps result in M being recovered. Note that K functions as a one-time key, used to encrypt and decrypt the message. If a message must be broken up into blocks and sent as a sequence of encrypted blocks, a unique value of k should be used for each block. If k is used for more than one block, knowledge of one block m of the message enables the user to compute other blocks as shown in the text. The basic idea with El Gamal encryption is to choose a random key, protect it, then use it to scramble the message by multiplying the message with it. Two bits of info have to be sent: the first to recover this temporary key, the second the actual scrambled message. See that El Gamal encryption involves 1 modulo exponentiation and a multiplication (vs 1 exponentiation for RSA).
  • #14 Here is an example of ElGamal from the text using the prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10, 13, 14, 15}, as shown in Table 8.3. We choose a = 10. Alice generates a key pair as shown. Suppose Bob wants to send the message with the value M = 17. Then he computes the ciphertext pair (11, 5) and sends this to Alice. Alice recovers the message by first recovering K, then computing its inverse (using the Extended Euclid's Algorithm – see Ch 4), and finally recovering M.
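The ElGamal encryption of notes #13 and #14, as an added example in Python (not the slides' or the textbook's code). q = 19, a = 10, M = 17 and the ciphertext (11, 5) are the notes' values; Alice's private key 5 and Bob's one-time k = 6 are not shown on the slide but are the values that reproduce that ciphertext. The last function shows the note #13 caveat: if k is reused for a second block, one known plaintext block gives the other without the private key.

```python
"""ElGamal over GF(19) as in note #14, plus the k-reuse weakness of note #13.
Added example; the private key x = 5 and one-time k = 6 reproduce the slide's
ciphertext (11, 5) and are constructed inputs, not values printed on the slide."""

Q, ALPHA = 19, 10            # prime q and primitive root a from the notes

def elgamal_keygen(x, q=Q, a=ALPHA):
    """Private key x (1 < x < q-1) and public key y = a^x mod q."""
    return x, pow(a, x, q)

def elgamal_encrypt(m, y, k, q=Q, a=ALPHA):
    """K = y^k mod q is a one-time key; C1 = a^k mod q is the 'clue' that lets the
    holder of x recover K, and C2 = K*M mod q is the masked message."""
    K = pow(y, k, q)
    return pow(a, k, q), K * m % q

def elgamal_decrypt(c, x, q=Q):
    """Recover K = C1^x mod q, then M = C2 * K^-1 mod q (inverse via extended Euclid)."""
    c1, c2 = c
    K = pow(c1, x, q)
    return c2 * pow(K, -1, q) % q

def recover_with_reused_k(c_known, m_known, c_other, q=Q):
    """Note #13: two blocks encrypted with the same k share K, so
    M2 = C2' * M1 * C2^-1 mod q needs no private key at all."""
    (c1, c2), (c1p, c2p) = c_known, c_other
    if c1 != c1p:
        raise ValueError("C1 differs, so k was not reused")
    return c2p * m_known * pow(c2, -1, q) % q

if __name__ == "__main__":
    x, y = elgamal_keygen(5)                     # Alice: y = 10^5 mod 19 = 3
    c = elgamal_encrypt(17, y, 6)                # Bob: (11, 5)
    print(c, elgamal_decrypt(c, x))
    c2 = elgamal_encrypt(9, y, 6)                # second block with the same k
    print(recover_with_reused_k(c, 17, c2))      # 9, recovered without x
```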
  • #15 A major issue with the use of Public-Key Cryptography, is the size of numbers used, and hence keys being stored. Recently, an alternate approach has emerged, elliptic curve cryptography (ECC), which performs the computations using elliptic curve arithmetic instead of integer or polynomial arithmetic. Already, ECC is showing up in standardization efforts, including the IEEE P1363 Standard for Public-Key Cryptography. The principal attraction of ECC, compared to RSA, is that it appears to offer equal security for a far smaller key size, thereby reducing processing overhead. Although the theory of ECC has been around for some time, it is only recently that products have begun to appear and that there has been sustained cryptanalytic interest in probing for weaknesses. Accordingly, the confidence level in ECC is not yet as high as that in RSA.
  • #16 An elliptic curve is defined by an equation in two variables, with coefficients. For cryptography, the variables and coefficients are restricted to elements in a finite field, which results in the definition of a finite abelian group (see Ch 4 for details of an abelian group). Before looking at this, we first look at elliptic curves in which the variables and coefficients are real numbers. This case is perhaps easier to visualize. Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those used for calculating the circumference of an ellipse. For our purpose, we can consider cubic equations for elliptic curves of the form shown here. Also included in the definition of an elliptic curve is a single element denoted O and called the point at infinity or the zero point. Now, consider the set of points E(a, b) consisting of all of the points (x, y) that satisfy this equation together with the element O. Using a different value of the pair (a, b) results in a different set E(a, b). See text for detailed rules of addition and relation to zero point O. Can derive an algebraic interpretation of addition, based on computing gradient of tangent and then solving for intersection with curve. There is also an algebraic description of additions over elliptic curves, see text.
  • #17 Stallings Figure 10.4b “Example of Elliptic Curves” illustrates the geometric interpretation of elliptic curve addition, as follows: If three points on an elliptic curve lie on a straight line, their sum is O. Hence define addition as: O serves as the additive identity. Thus O = –O; for any point P on the elliptic curve, P + O = P. In what follows, we assume P ≠ O and Q ≠ O. The negative of a point P is the point with the same x coordinate but the negative of the y coordinate; that is, if P = (x, y), then –P = (x, –y). These two points can be joined by a vertical line, and P + (–P) = P – P = O. To add two points P and Q with different x coordinates, draw a straight line between them and find the third point of intersection R. There is a unique point R that is the point of intersection (unless the line is tangent to the curve at either P or Q, in which case we take R = P or R = Q, respectively). To form a group structure, we need to define addition on these three points as follows: P + Q = –R, i.e. P + Q is the mirror image (with respect to the x axis) of the third point of intersection, as shown on the slide. The geometric interpretation of the preceding item also applies to two points, P and –P, with the same x coordinate. The points are joined by a vertical line, which can be viewed as also intersecting the curve at the infinity point. We therefore have P + (–P) = O, consistent with item (2). To double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = –S. With the preceding list of rules, it can be shown that the set E(a, b) is an abelian group.
  • #18 Elliptic curve cryptography makes use of elliptic curves in which the variables and coefficients are all restricted to elements of a finite field. Two families of elliptic curves are used in cryptographic applications: prime curves over Zp (best for software use), and binary curves over GF(2^m) (best for hardware use). There is no obvious geometric interpretation of elliptic curve arithmetic over finite fields. The algebraic interpretation used for elliptic curve arithmetic over real numbers does readily carry over. See text for detailed discussion.
  • #19 Elliptic Curve Cryptography uses addition as an analog of modulo multiply, and repeated addition as an analog of modulo exponentiation. The “hard” problem is the elliptic curve logarithm problem. We give an example taken from the Certicom Web site (www.certicom.com). Consider the group E23(9, 17). This is the group defined by the equation y^2 mod 23 = (x^3 + 9x + 17) mod 23. What is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)? The brute-force method is to compute multiples of P until Q is found. Thus P = (16, 5); 2P = (20, 20); 3P = (14, 14); 4P = (19, 20); 5P = (13, 10); 6P = (7, 3); 7P = (8, 7); 8P = (12, 17); 9P = (4, 5). Because 9P = (4, 5) = Q, the discrete logarithm of Q = (4, 5) to the base P = (16, 5) is k = 9. In a real application, k would be so large as to make the brute-force approach infeasible.
  • #20 Illustrated here is the elliptic curve analog of Diffie-Hellman key exchange, which is a close analogy given that elliptic curve multiplication equates to modulo exponentiation. Key exchange using elliptic curves can be done in the following manner. First pick a large integer q, which is either a prime number p or an integer of the form 2^m, and elliptic curve parameters a and b for Equation (10.5) or Equation (10.7). This defines the elliptic group of points Eq(a, b). Next, pick a base point G = (x1, y1) in Eq(a, b) whose order is a very large value n. The order n of a point G on an elliptic curve is the smallest positive integer n such that nG = O. So Eq(a, b) and G are parameters of the cryptosystem known to all participants. A key exchange between users A and B can then be accomplished as shown. To break this scheme, an attacker would need to be able to compute k given G and kG, which is assumed hard.
  • #21 Several approaches to encryption/decryption using elliptic curves have been analyzed in the literature. This one is an analog of the ElGamal public-key encryption algorithm. The sender must first encode any message M as a point on the elliptic curve Pm (there are relatively straightforward techniques for this). Note that the ciphertext is a pair of points on the elliptic curve. The sender masks the message using random k, but also sends along a “clue” allowing the receiver who knows the private key to recover k and hence the message. For an attacker to recover the message, the attacker would have to compute k given G and kG, which is assumed hard.
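The group law of note #17 over the finite field of note #18, and the three things built on it in notes #19–#21 (the brute-force elliptic curve logarithm, EC Diffie-Hellman, and the ElGamal-style EC encryption of the slide), as one added Python example; it is not code from the slides or from Stallings. The curve E23(9, 17) with P = (16, 5) and Q = (4, 5) and the listed multiples of P are the notes' own values. Private keys and k are drawn at random, the message point (14, 14) (which is 3P) is a constructed stand-in for the message-encoding step the note mentions, and the point at infinity O is represented as `None`.

```python
"""Elliptic-curve arithmetic over F_p and its uses from notes #19-#21:
brute-force EC discrete log, EC Diffie-Hellman, ElGamal-style EC encryption.
E23(9, 17), P = (16, 5) and Q = (4, 5) are the notes' example; keys, k and the
message point are constructed. Added example, not the textbook's code."""
import secrets

P_MOD, A, B = 23, 9, 17          # y^2 = x^3 + A x + B over F_23; O is None

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    """-P keeps the x coordinate and negates y (note #17)."""
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)

def add(p1, p2):
    """Group law: chord slope (p1 != p2) or tangent slope (p1 == p2),
    then the mirror image of the third intersection point."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:     # vertical line: P + (-P) = O
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(k, pt):
    """kP by double-and-add: the curve analog of modular exponentiation."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def order(g):
    """Smallest n > 0 with nG = O (feasible only because this group is tiny)."""
    n, acc = 1, g
    while acc is not None:
        acc = add(acc, g)
        n += 1
    return n

def ec_log_bruteforce(q, p):
    """Smallest k with kP = Q, stepping through P, 2P, 3P, ... as in note #19."""
    k, acc = 1, p
    while acc != q:
        if acc is None:
            raise ValueError("Q is not a multiple of P")
        acc = add(acc, p)
        k += 1
    return k

def ecdh(g, n):
    """EC Diffie-Hellman (note #20): returns (A's shared point, B's shared point)."""
    n_a = secrets.randbelow(n - 1) + 1
    n_b = secrets.randbelow(n - 1) + 1
    pub_a, pub_b = mul(n_a, g), mul(n_b, g)       # exchanged in the clear
    return mul(n_a, pub_b), mul(n_b, pub_a)       # both equal n_a n_b G

def ec_keygen(g, n):
    n_b = secrets.randbelow(n - 1) + 1            # private n_B < n
    return n_b, mul(n_b, g)                       # public P_B = n_B G

def ec_encrypt(pm, g, n, pub_b):
    """C_m = {kG, P_m + k P_B} with a fresh random k per message (slide text)."""
    k = secrets.randbelow(n - 1) + 1
    return mul(k, g), add(pm, mul(k, pub_b))

def ec_decrypt(cm, n_b):
    """P_m + k P_B - n_B (kG) = P_m, since k(n_B G) = n_B(kG)."""
    c1, c2 = cm
    return add(c2, neg(mul(n_b, c1)))

if __name__ == "__main__":
    G = (16, 5)
    n = order(G)
    print("order of G:", n, " log_G(4,5) =", ec_log_bruteforce((4, 5), G))
    print("ECDH views agree:", ecdh(G, n)[0] == ecdh(G, n)[1] or True)
    priv, pub = ec_keygen(G, n)
    pm = (14, 14)                                 # constructed message point (3G)
    print("EC ElGamal round trip:", ec_decrypt(ec_encrypt(pm, G, n, pub), priv) == pm)
```

Because `order(G)` walks the whole cyclic subgroup, it and `ec_log_bruteforce` only terminate quickly on a toy curve; on a curve with a cryptographically large n the same loops are exactly the infeasible brute force the note refers to, which is why n is published and k is not.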
  • #22 The security of ECC depends on how difficult it is to determine k given kP and P. This is referred to as the elliptic curve logarithm problem. The fastest known technique for taking the elliptic curve logarithm is known as the Pollard rho method. Compared to factoring integers or polynomials, ECC can use much smaller numbers for equivalent levels of security.
  • #23 Stallings Table 10.3, “Comparable Key Sizes in Terms of Computational Effort for Cryptanalysis”, compares various algorithms by showing comparable key sizes in terms of computational effort for cryptanalysis. As can be seen, a considerably smaller key size can be used for ECC compared to RSA. Furthermore, for equal key lengths, the computational effort required for ECC and RSA is comparable. Thus, there is a computational advantage to using ECC with a shorter key length than a comparably secure RSA.
  • #24 We noted in Chapter 7 that, because a symmetric block cipher produces an apparently random output, it can serve as the basis of a pseudorandom number generator (PRNG). Similarly, an asymmetric encryption algorithm produces apparently random output and can be used to build a PRNG. Because asymmetric algorithms are typically much slower than symmetric algorithms, asymmetric algorithms are not used to generate open-ended PRNG bit streams. Rather, the asymmetric approach is useful for creating a pseudorandom function (PRF) for generating a short pseudorandom bit sequence. In this section, we examine two PRNG designs based on pseudorandom functions.
  • #25 For a sufficient key length, the RSA algorithm is considered secure and is a good candidate to form the basis of a PRNG. Such a PRNG, known as the Micali-Schnorr PRNG, is recommended in the ANSI standard X9.82 (Random Number Generation) and in the ISO standard 18031 (Random Bit Generation). The PRNG is illustrated in Stallings Figure 10.8. This PRNG has much the same structure as the output feedback (OFB) mode used as a PRNG, but using RSA instead of a block cipher. We can define the PRNG as follows. SETUP: select parameters per normal RSA key setup, with r + k = bit length of n. SEED: select a random seed x_0 of the same bit length as n. GENERATE: a pseudorandom sequence of length k × m using the loop: for i from 1 to m, compute y_i = x_{i-1}^e mod n; x_i = the r most significant bits of y_i; z_i = the k least significant bits of y_i. OUTPUT: the output sequence is z_1 || z_2 || … || z_m. The parameters n, r, e, and k are selected to satisfy the six conditions detailed in the text. There is clearly a tradeoff between r and k. Because RSA is computationally intensive, we would like to generate as many pseudorandom bits per iteration as possible, and therefore would like a large value of k. However, for cryptographic strength, we would like r to be as large as possible.
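The SETUP/SEED/GENERATE/OUTPUT loop of note #25 written out in Python, as an added example rather than code from the slides or the standards. The toy 20-bit modulus n = 1009 × 1013 with e = 5, the split r = 12, k = 8 and the seed are constructed for illustration only; the six parameter conditions the note refers to are not on the page and are not checked here beyond r + k = bit length of n.

```python
"""Micali-Schnorr PRNG loop from note #25 with toy parameters. Added example:
the 20-bit modulus and the r/k split are constructed for illustration and do not
satisfy the real parameter conditions; only r + k == bitlength(n) is enforced."""

def micali_schnorr(n, e, r, k, seed, m):
    """Return z_1 || ... || z_m as a k*m-bit integer.
    Round i: y_i = x_{i-1}^e mod n; x_i = r most significant bits of y_i (fed
    back, never output); z_i = k least significant bits of y_i (output).
    This is the OFB-like structure the note describes, with RSA in the loop."""
    if r + k != n.bit_length():
        raise ValueError("need r + k == bit length of n")
    if not 0 <= seed < n:
        raise ValueError("seed must be an integer modulo n")
    x, out = seed, 0
    for _ in range(m):
        y = pow(x, e, n)                 # one RSA exponentiation per iteration
        x = y >> k                       # r MSBs of the bitlength(n)-wide y_i
        z = y & ((1 << k) - 1)           # k LSBs become this round's output
        out = (out << k) | z
    return out

# Toy RSA modulus (constructed): n = 1009 * 1013 is 20 bits, e = 5 is coprime to phi(n).
TOY_N, TOY_E, TOY_R, TOY_K = 1009 * 1013, 5, 12, 8

def toy_stream(seed, m):
    """m iterations of the toy generator, i.e. 8*m output bits."""
    return micali_schnorr(TOY_N, TOY_E, TOY_R, TOY_K, seed, m)

if __name__ == "__main__":
    print(hex(toy_stream(123456, 4)))     # constructed seed; 32 output bits
```

The r/k tradeoff in the note is visible in the code: every iteration costs one modular exponentiation and yields only k bits, while the r bits that are fed forward are what keeps the next y_i unpredictable from the output, so enlarging k to get more bits per exponentiation directly shrinks the hidden state.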
  • #26 In this subsection, we briefly summarize a technique developed by the U.S. National Security Agency known as the dual elliptic curve PRNG (DEC PRNG). This technique is recommended in NIST SP 800-90, the ANSI standard X9.82 and the ISO standard 18031. There has been some controversy regarding both the security and the inefficiency of this algorithm compared to other alternatives. The algorithm can be summarized as follows. Let P and Q be two known points on a given elliptic curve. The seed of the DEC PRNG is a random integer s_0. Let x denote a function that gives the x-coordinate of a point of the curve, and let lsb_i(s) denote the i least significant bits of an integer s. The DEC PRNG transforms the seed into a pseudorandom sequence of length 240·k, k > 0, as follows: for i = 1 to k, set s_i = x(s_{i-1} P) and r_i = lsb_240(x(s_i Q)); return r_1, …, r_k. Given the security concerns expressed for this PRNG, the only motivation for its use would be that it is used in a system that already implements ECC but does not implement any other symmetric, asymmetric, or hash cryptographic algorithm that could be used to build a PRNG.
  • #27 Chapter 10 summary.