
Cryptosystem Properties


Presentation Transcript


  1. Cryptosystem Properties
     • Recall that among the desirable properties for a cryptosystem are authentication and non-repudiation
     • Authentication means being able to determine the author from the message
     • Non-repudiation means that it is possible to prove that the message came from the author (who cannot “repudiate” the message)
     • In public-key systems, one cannot determine the author nor, if one knows who the author is, prove that the author sent the message
     • Thus we need more steps to ensure authentication and non-repudiation

  2. Authentication and Non-repudiation
     • To ensure authentication and non-repudiation, the general approach is as follows:
     • Let $E_{bob}$, $E_{alice}$ be the public encryption functions for Bob and Alice, respectively, and let $D_{bob}$, $D_{alice}$ be their private decryption functions.
     • Alice starts with message $x$, computes $y = E_{bob}(D_{alice}(x))$ and sends it to Bob
     • Bob then recovers $x$ by computing $E_{alice}(D_{bob}(y))$
     • Bob knows that Alice sent the message since no one else could have computed $D_{alice}$.
     • For the same reason, Alice cannot deny having sent the message.

  3. RSA Version
     • Assume that Bob has public key $(e_{bob}, m_{bob})$ and private key $(d_{bob}, m_{bob})$.
     • Similarly, Alice has public key $(e_{alice}, m_{alice})$ and private key $(d_{alice}, m_{alice})$.
     • Assume that $m_{bob} < m_{alice}$
     • As always, Bob encodes his message as a string of integers each of which is less than $m_{bob}$.
     • For each integer $x$ in the string, he then computes $y = (x^{d_{bob}} \bmod m_{bob})^{e_{alice}} \bmod m_{alice}$
     • Alice deciphers each $y$ by computing $(y^{d_{alice}} \bmod m_{alice})^{e_{bob}} \bmod m_{bob} = x$

  4. RSA Version
     • When Alice wishes to send a message to Bob, she sends $(x^{e_{bob}} \bmod m_{bob})^{d_{alice}} \bmod m_{alice}$
     • Thus each person uses his or her private key and the other’s public key.
     • Enciphering is done by using the smaller modulus first, then the larger modulus
     • What happens if enciphering starts with the larger modulus first?
     • It is possible that $x^{e_{alice}} \bmod m_{alice} > m_{bob}$ and thus information might be lost when you reduce modulo $m_{bob}$
     • Deciphering is done by using the larger modulus first
     • If Oscar intercepts Alice’s message he could modify it to appear that he had sent the message (although he doesn’t know what the message is)
     • All Oscar has to do is apply Alice’s encryption method, then his own decryption method.
     • Several solutions. One: publish two keys, sending and receiving, with all send-keys in a range less than the range for all receive-keys
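The modulus-ordering rule from slides 3 and 4, as an added example that is not part of the original presentation: it runs both directions of the exchange with the smaller modulus first, then shows which messages are corrupted when Alice starts with the larger modulus. The primes, exponents and function names are constructed for illustration.

```python
# Toy RSA keys, constructed for this example (far too small for real use).
def make_key(p, q, e):
    m, phi = p * q, (p - 1) * (q - 1)
    return {"e": e, "d": pow(e, -1, phi), "m": m}

BOB = make_key(61, 53, 17)     # m_bob = 3233
ALICE = make_key(89, 97, 5)    # m_alice = 8633, so m_bob < m_alice

def bob_to_alice(x):
    """Bob: own private key under m_bob first, then Alice's public key."""
    return pow(pow(x, BOB["d"], BOB["m"]), ALICE["e"], ALICE["m"])

def alice_reads(y):
    """Alice: larger modulus first, then Bob's public key."""
    return pow(pow(y, ALICE["d"], ALICE["m"]), BOB["e"], BOB["m"])

def alice_to_bob(x):
    """Alice: Bob's public key under m_bob first, then her private key."""
    return pow(pow(x, BOB["e"], BOB["m"]), ALICE["d"], ALICE["m"])

def bob_reads(y):
    """Bob: larger modulus first, then his private key."""
    return pow(pow(y, ALICE["e"], ALICE["m"]), BOB["d"], BOB["m"])

def wrong_order_round_trip(x):
    """Alice starts with the larger modulus; Bob undoes the steps in reverse."""
    signed = pow(x, ALICE["d"], ALICE["m"])      # may be >= m_bob
    y = pow(signed, BOB["e"], BOB["m"])          # reduction mod m_bob loses it
    recovered = pow(y, BOB["d"], BOB["m"])       # equals signed mod m_bob
    return pow(recovered, ALICE["e"], ALICE["m"])

def lost_messages(limit):
    """Messages below `limit` that the larger-modulus-first order corrupts."""
    return [x for x in range(limit) if wrong_order_round_trip(x) != x]

if __name__ == "__main__":
    print("m_bob, m_alice:", BOB["m"], ALICE["m"])
    print("correct order ok:",
          all(bob_reads(alice_to_bob(x)) == x for x in range(BOB["m"])))
    lost = lost_messages(BOB["m"])
    print("wrong order corrupts", len(lost), "of", BOB["m"], "messages")
```

A message is corrupted exactly when its intermediate value under Alice's modulus is at least $m_{bob}$, which is the condition slide 4 states.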

  5. RSA Signatures
     • A variation on the previous ideas is for Alice to double the size of her message by adding a “digital signature” that is unique to the message
     • She does so by sending a pair $(x, y)$ where $x$ is the encrypted message and $y = x^{d_{alice}} \bmod m_{alice}$
     • The value $y$ is thought of as Alice’s signature
     • Bob can verify that the message came from Alice by computing $y^{e_{alice}}$
     • He accepts the signature as valid if and only if the result equals $x$
     • If Eve intercepts, replaces $x$ with her message $x_1$ and sends it to Bob, he will know the message did not come from Alice since $y^{e_{alice}} \ne x_1$
     • Another attack is for Eve to choose $y_1$ first, then set $x_1 = y_1^{e_{alice}}$. Since $x_1^{d_{alice}} = y_1$, Alice would then have a hard time denying having sent the message.
     • However, it is extremely unlikely that $x_1$ will be a meaningful message and the forgery is detectable.

  6. Blind Signatures
     • A variation on the previous method allows Alice to sign a document without knowing its contents. Let $x$ be the document to be signed.
     • Alice chooses $p$, $q$, $m$, $e$, $d$ as usual for an RSA scheme and publishes $m$ and $e$.
     • Bob chooses a random integer $k \pmod{m}$ with $\gcd(k, m) = 1$. He then computes $t = k^e x \pmod{m}$ and sends it to Alice
     • Alice signs $t$ by computing $s \equiv t^d \pmod{m}$ and sends it to Bob
     • Bob computes $s/k \pmod{m}$. This is the signed message $x^d$
     • Why? $s = t^d = (k^e x)^d = (k^e)^d x^d \equiv_m k^{ed} x^d = k x^d$, so $s/k = x^d$.
     • The choice of $k$ is random; thus so is the RSA encryption $k^e$, and so is the multiple $k^e x$ of a random integer. Therefore $k^e x$ gives essentially no information about $x$
     • Thus Alice knows nothing about what she has signed (dangerous!)
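The signature check from slide 5 and the blinding steps from slide 6, as an added example that is not part of the original presentation. It also enumerates every blinded value Alice could receive for two different documents and shows that the two sets coincide, which is the "essentially no information" claim made concrete. The key, sample documents and function names are constructed for illustration.

```python
import secrets
from math import gcd

# Alice's toy RSA key, constructed for this example (not a secure size).
P, Q, E = 61, 53, 17
M = P * Q                                # published together with E
D = pow(E, -1, (P - 1) * (Q - 1))        # Alice's private exponent

def random_blinding_factor():
    """Bob's secret k with gcd(k, m) = 1."""
    while True:
        k = secrets.randbelow(M - 2) + 2
        if gcd(k, M) == 1:
            return k

def blind(x, k):
    """Bob: t = k^e * x mod m."""
    if gcd(k, M) != 1:
        raise ValueError("k must be invertible mod m")
    return pow(k, E, M) * x % M

def sign(t):
    """Alice: s = t^d mod m. She sees only t."""
    return pow(t, D, M)

def unblind(s, k):
    """Bob: s / k mod m, which equals x^d mod m."""
    return s * pow(k, -1, M) % M

def verify(x, signature):
    """Slide 5 check: accept iff signature^e mod m equals x."""
    return pow(signature, E, M) == x % M

def blinded_values(x):
    """Every t Alice could receive for document x, over all valid k."""
    return {blind(x, k) for k in range(1, M) if gcd(k, M) == 1}

if __name__ == "__main__":
    x = 1234                             # constructed sample document
    k = random_blinding_factor()
    sig = unblind(sign(blind(x, k)), k)
    print("signature valid:", verify(x, sig), "| equals x^d:", sig == pow(x, D, M))
    # Two different documents give Alice the same set of possible views.
    print("views identical:", blinded_values(1234) == blinded_values(2021))
```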

  7. Primitive Roots
     • A primitive root for a prime $p$ is an integer $r$ having exactly $p-1$ distinct powers mod $p$.
     • Example: 3 is a primitive root mod 7: $3^1 \equiv_7 3$, $3^2 \equiv_7 2$, $3^3 \equiv_7 6$, $3^4 \equiv_7 4$, $3^5 \equiv_7 5$, $3^6 \equiv_7 1$

  8. Primitive Roots
     • Proposition: Let $g$ be a primitive root for a prime $p$.
     • For any integer $n$, $g^n \equiv_p 1$ if and only if $n \equiv_{p-1} 0$
     • For any integers $j, k$: $g^j \equiv_p g^k$ if and only if $j \equiv_{p-1} k$
     • Proof, Conclusion 1
       First prove $n \equiv_{p-1} 0 \Rightarrow g^n \equiv_p 1$:
       $n \equiv_{p-1} 0 \Rightarrow \exists m:\ n = (p-1)m \Rightarrow g^n = g^{m(p-1)} = (g^m)^{p-1} \equiv_p 1$ (Fermat)
       Next prove $g^n \equiv_p 1 \Rightarrow n \equiv_{p-1} 0$:
       We want to show $p-1 \mid n$. Write $n = (p-1)q + r$ with $0 \le r < p-1$. Then $1 \equiv_p g^n = (g^q)^{p-1} g^r \equiv_p 1 \cdot g^r = g^r$.
       Suppose $r > 0$ and look at $g, g^2, \ldots, g^{r-1}, g^r \equiv_p 1, g^{r+1} \equiv_p g, \ldots$ Clearly, there are at most $r$ distinct powers of $g$ mod $p$, which contradicts the definition of a primitive root for $p$. Thus $r = 0$, so we have that $p-1$ divides $n$, completing the proof of part 1

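  9. Primitive Roots
     • Proposition: Let $g$ be a primitive root for a prime $p$.
     • For any integer $n$, $g^n \equiv_p 1$ if and only if $n \equiv_{p-1} 0$
     • For any integers $j, k$ we have $g^j \equiv_p g^k$ if and only if $j \equiv_{p-1} k$
     • Proof continued, Conclusion 2
       Without loss of generality, we may assume that $j \ge k$.
       only if: $g^j \equiv_p g^k \Rightarrow g^{j-k} \equiv_p 1 \Rightarrow j-k \equiv_{p-1} 0$ (by part 1) $\Rightarrow j \equiv_{p-1} k$
       if: $j \equiv_{p-1} k \Rightarrow j-k \equiv_{p-1} 0 \Rightarrow g^{j-k} \equiv_p 1$ (by part 1) $\Rightarrow g^j \equiv_p g^k$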

  10. Discrete Logarithms
     • Fix a prime p. Let  and  be nonzero integers mod p and suppose p x for some x.
     • The problem of finding x is called the discrete logarithm problem
     • If n is the smallest positive integer such that n p 1, we may assume $0 \le x < n$. In this case, we denote x = L()
     • L() is called the discrete log of  with respect to 
     • Example: For $p = 11$ we claim $L_2(9) = 6$. Proof: $2^6 = 64 \equiv_{11} 9$
     • Of course all the numbers 6, 16, 26, … satisfy the exponential equation, but we take the least nonnegative value 6
     • Often,  is taken to be a primitive root of p so that every nonzero  is a power of 
     • If  is not a primitive root of p, there are nonzero values of  for which the discrete logarithm is not defined

  11. Discrete Logarithms
     • If  is a primitive root of p, then the usual product rule for logs holds for discrete logarithms: L(12) p-1 L(1) + L(2)
     • While it is easy to compute exponents, it is apparently very hard to compute discrete logarithms
     • This is similar to the fact that it is easy to multiply two large primes but difficult to factor such numbers
     • In 2001, a discrete log was computed for a 110-digit prime, a record at that time
     • At that time the record for factorization was 155 digits
     • It is this “one-way” property that is exploited in public-key cryptosystems
     • The ElGamal Cryptosystem is a public-key cryptosystem based on the discrete logarithm problem
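Slides 7 through 11 in executable form, as an added example that is not part of the original presentation: the primitive-root definition, the two-part proposition, the discrete log by exhaustive search (workable only because the primes are tiny), the undefined case for a non-primitive base, and the product rule mod $p-1$. All function names are chosen here for illustration.

```python
def order(g, p):
    """Smallest positive n with g^n ≡ 1 (mod p), for g nonzero mod prime p."""
    if g % p == 0:
        raise ValueError("g must be nonzero mod p")
    n, value = 1, g % p
    while value != 1:
        value = value * g % p
        n += 1
    return n

def is_primitive_root(g, p):
    """Slide 7 definition: g has exactly p-1 distinct powers mod p."""
    return len({pow(g, n, p) for n in range(1, p)}) == p - 1

def discrete_log(base, value, p):
    """Least x >= 0 with base^x ≡ value (mod p); None when no such x exists."""
    current = 1
    for x in range(order(base, p)):
        if current == value % p:
            return x
        current = current * base % p
    return None

def proposition_holds(g, p, bound=60):
    """Slides 8-9: g^n ≡ 1 iff (p-1) | n, and g^j ≡ g^k iff j ≡ k (mod p-1)."""
    part1 = all((pow(g, n, p) == 1) == (n % (p - 1) == 0) for n in range(bound))
    part2 = all((pow(g, j, p) == pow(g, k, p)) == ((j - k) % (p - 1) == 0)
                for j in range(bound) for k in range(bound))
    return part1 and part2

def product_rule_holds(g, p):
    """Slide 11: L(b1*b2) ≡ L(b1) + L(b2) (mod p-1) for a primitive root g."""
    return all(discrete_log(g, b1 * b2, p) ==
               (discrete_log(g, b1, p) + discrete_log(g, b2, p)) % (p - 1)
               for b1 in range(1, p) for b2 in range(1, p))

if __name__ == "__main__":
    print([pow(3, n, 7) for n in range(1, 7)])   # the powers listed on slide 7
    print(discrete_log(2, 9, 11))                # the slide 10 example
    print(discrete_log(3, 2, 11))                # 3 is not a primitive root mod 11
```

The search in `discrete_log` takes time proportional to the order of the base, which is why the same approach is useless at the 110-digit size mentioned on slide 11.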

  12. ElGamal Cryptosystem
     • In the ElGamal public-key cryptosystem, the plaintext elements are integers mod p but the ciphertext elements are pairs (r,t) of integers mod p
     • Bob chooses a large prime p and a primitive root . Bob also chooses a secret integer a and computes  = a (mod p)
     • Bob’s public key is then (p, , )
     • If Alice wishes to send a message x to Bob, where 0 < x < p, she does the following:
       • chooses a secret random integer k and computes r = k mod p
       • computes t = kx mod p
       • sends the pair (r,t) to Bob
     • Bob decrypts by computing $t r^{-a} \bmod p$, which will be x: tr-a = kx(k)-a = (a)kx -ak p x

  13. ElGamal Cryptosystem
     • Obviously Bob must keep the value of a secret
     • While ,  and p are public, the value r equals a and we rely on the difficulty of computing a from a for our security
     • Also, since k is a random integer, so is k. Since x is multiplied by a random integer to get the second component of the ciphertext (r,t), knowledge of (r,t) gives no useful information about x
     • It is important that different random integers are chosen as k for different messages.
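ElGamal as described on slides 12 and 13, as an added example that is not part of the original presentation, including a check for the last point on slide 13: when the same k is used twice, the first ciphertext components match and the ratio of the plaintexts is exposed. The transcript has lost the symbols for the primitive root and Bob's public value, so the names `G` and `h` are chosen here; the prime, the sample plaintexts and all function names are likewise constructed for illustration.

```python
import secrets

P = 2579    # constructed toy prime; p - 1 = 2 * 1289
G = 2       # a primitive root mod 2579 (2^1289 ≡ -1, so its order is 2578)

def random_exponent():
    return secrets.randbelow(P - 3) + 2          # 2 <= value <= p - 2

def keygen():
    """Bob: secret a, public value h = g^a mod p."""
    a = random_exponent()
    return a, pow(G, a, P)

def encrypt(h, x, k=None):
    """Alice: r = g^k, t = h^k * x (mod p), with a fresh secret k per message."""
    if not 0 < x < P:
        raise ValueError("plaintext must satisfy 0 < x < p")
    if k is None:
        k = random_exponent()
    return pow(G, k, P), pow(h, k, P) * x % P

def decrypt(a, ciphertext):
    """Bob: x = t * r^(-a) mod p."""
    r, t = ciphertext
    return t * pow(r, -a, P) % P

def k_was_reused(c1, c2):
    """Equal first components mean the same k produced both ciphertexts."""
    return c1[0] == c2[0]

def leaked_ratio(c1, c2):
    """With a repeated k the mask h^k cancels: t2 / t1 ≡ x2 / x1 (mod p)."""
    return c2[1] * pow(c1[1], -1, P) % P

if __name__ == "__main__":
    a, h = keygen()
    x1, x2 = 1299, 77                            # constructed sample plaintexts
    c = encrypt(h, x1)
    print("round trip ok:", decrypt(a, c) == x1)
    k = random_exponent()
    bad1, bad2 = encrypt(h, x1, k), encrypt(h, x2, k)
    print("k reused:", k_was_reused(bad1, bad2))
    print("ratio leaked:", leaked_ratio(bad1, bad2) == x2 * pow(x1, -1, P) % P)
```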
