@G. Gong, 2003 1

Chapter 8 Public-key Cryptography and Digital Signatures

1. Introduction to Public-key Cryptography2. Example of Public-key Algorithm: Diffie-

Hellman Key Exchange Scheme 3. RSA Encryption and Digital Signature4. ElGamal Digital Signature5. DSS (Digital Signature Standard)6. ECDSA (Elliptic Curve Digital Signature

Algorithm)

v

@G. Gong, 2003 2

Plaintext Encryptionalgorithm

Decryptionalgorithm

Ciphertext Plaintext

Bob’sprivate

key

Bob’spublic

key

A. Figure 1. Simplified Model of Public-Key Encryption

AliceBob

8.1. Introduction to Public-key Cryptography

@G. Gong, 2003 3

x

easy

f(x)infeasible

One-way function:

Trapdoor one-way function:

xeasy

infeasible if k is not knownf (x)k

easy if k is known

B. Requirements of Public-key Cryptography

@G. Gong, 2003 4

Therefore, security of public-key cryptosystems are based on the difficulty of different computational problems.

Most important ones are - Factoring large integers- Finite field discrete logarithms - Elliptic curve discrete logarithms

@G. Gong, 2003 5

C. Key pairs of the public-key system

In a secure network system, for each user x, he has a pair of keys (Ex, Dx):

• Ex is an encryption key which is put into a public key directory or a file ( after certified), called a public-key of the user.

• Dx is a decrypted key kept private, called a private key of the user.

• Dx(Ex) = Ex(Dx) = identity map

• From known Ex, it is computational infeasible to obtain Dx

Alice C = Eb(m) Bob: Db(C) = DbEb(m) = m

@G. Gong, 2003 6

8.2. Diffie-Hellman Key Exchange – the first example of the public-key scheme

Bob:Private key: b, 0 < b < p, and gcd(b, p -1) = 1Public key: gb

System public parameters:p: a prime number,g: a primitive element in GF(p).

Alice:Private key: a, 0 < a < p, and gcd(a, p - 1) = 1Public key: ga

@G. Gong, 2003 7

Diffie-Hellman Key Exchange

Alice Bob

g a

g b

= g ba(g b a) = g bab

(g a )

a b

Example 1. Let p = 23. Then g = 5 is a primitive element of GF(p).

Compute:

23mod 1410)(g 773 == 23mod 1417)( 337 ==g

The secret information shared by Alice and Bob is 14.

Attacker: known ?

10

14g 21

3

7

gg

⇒

=

=

In other words, is attacker able to compute gab from known ga

and gb?

23mod175

:keyPublic77 ==

−

g

7:key Private =a

Alice 3:key Private =b

13mod105

:key-Public33 ==g

Bob

177 =g

Compute:103 =g

@G. Gong, 2003 9

Diffe-Hellman Problem:

Given ga and gb, compute gab.

Thus the Diffe-Hellman key exchange scheme is secure if the DH problem is computationally infeasible.

The DH problem is computational feasible if the solving discrete logarithm in GF(p) is computationally feasible.

Remark. The DH key exchange scheme has a very important application in key distribution and management, we will discuss more properties of the DH key exchange scheme in Chapter 10).

Thus, we may say that the security of the DH key exchange scheme is based on the difficulty of solving discrete logarithm in the finite field GF(p).

@G. Gong, 2003 10

W. Diffie and M. E. Hellman, New direction in cryptography, IEEE Trans. On Inform. Theory, Vol. 22, pp644-654, 1976.

Milestone work in public-key cryptography

@G. Gong, 2003 11

8.3. RSA Encryption and Digital Signature

Requirement for digital signatures:

• Once the dispute occurs, the third party can solve it.

• Everyone can verify digital signature.

• Only the signer can sign; no one can forge the signer’s signature ( this prevents forgery and denial attacks.)

@G. Gong, 2003 12

More about number theory

(a) The Euclidean algorithm for computing gcd(a, b), the greatest common divisor of two positive integers a and b, b > a.

Output: d = gcd(a, b)

Input: a and b, b > a

arbr == 10 and Set

122110 0 , rrrrqbr <<+==

233221 0 , rrrrqr <<+=

344332 0 , rrrrqr <<+=

M

mmm rqr =−1

Return: rm

Procedure_(a, b, d)

Compute:

In other words, gcd(a,b) = rm

@G. Gong, 2003 13

(b) The Chinese Remainder Theorem

Let m1, ...., mr are pairwise relatively primes, i.e.,

and a1, ...., ar are integers, then the system of r congruent equations:

11 mod maX ≡

22 mod maX ≡

rr maX mod ≡

M

has a unique solutions X modulo M = m1 … mr, which is given by

MyMaXr

iiii mod

1∑

=

≡

where and / ii mMM = rimMy ii ≤≤= − 1for , mod 1i

, if 1),gcd( jimm ji ≠=

@G. Gong, 2003 14

Example 1. Suppose r = 3, m1 = 7, m2 = 11 and m3 = 13, then

7mod3143/ 11 === mMM

M =1001

11mod3912 ==M

13mod12773 ==M

and 12 and 4,5 321 === yyy

7mod 5≡X

11mod 3≡X

13mod 10≡X

If

1001 mod 894 1001mod13907

1001mod1092433645715

==

×+×+×=XThen

@G. Gong, 2003 15

(c) Lagrange Theorem: suppose that G is a multiplicative group of order n (i.e. |G|=n) and g∈G, then the order of g divides n.

Corollary: ,mod1 then , If )(* nbZb nn ≡∈ Φ

where Φ(n) is the Euler function (i.e., Φ(n) is the number of integer in the range of 1 and n coprime with n), then

}1),gcd(|{* =∈= anZaZ nn

@G. Gong, 2003 16

RSA Encryption

User Bob sets up:

1. Generates two large primes p and q.

5. Do registration for his public-key {n, e} and publish this pairin a directory as his public key. Keep {d, p, q} as his private key.

4. Computes d = e-1 mod Φ(n) using the Euclidean algorithm.

3. Chooses a random number e:

0 < e < Φ(n) such that gcd(e, Φ(n) ) = 1.

2. Computes n = pq and Φ(n) = (p-1)(q-1)

Encryption: Plaintext m < n: ciphertext c = me mod n

Decryption: m = cd, (ce)d = c mod n

Encryption

Plaintext: m < n Ciphertext: c = me mod n

Decryption

Ciphertext: c Plaintext: m = cd mod n

Key Generation

Select: p and q both prime; n = pq; e: gcd(e, φ(n)) = 1, 1<e< φ(n). Compute: d = e-1 mod φ(n). Public key: {e, n}. Private key: {d, p, q}

The RSA Algorithm

@G. Gong, 2003 18

RSA Encryption

User Bob sets up:

1. Generates two large primes p and q.

5. Do registration for his public-key {n, e} and publish this pairin a directory as his public key. Keep {d, p, q} as his private key.

4. Computes d = e-1 mod Φ(n) using the Euclidean algorithm.

3. Chooses a random number e:

0 < e < Φ(n) such that gcd(e, Φ(n) ) = 1.

2. Computes n = pq and Φ(n) = (p-1)(q-1)

Encryption: Plaintext m < n: ciphertext c = me mod n

Decryption: m = cd, (ce)d = c mod n

3. RSA Encryption and Digital Signature (Cont.)

@G. Gong, 2003 19

Encryption

Plaintext: m < n Ciphertext: c = me mod n

Decryption

Ciphertext: c Plaintext: m = cd mod n

Key Generation

Select: p and q both prime; n = pq; e: gcd(e, φ(n)) = 1, 1<e< φ(n). Compute: d = e-1 mod φ(n). Public key: {e, n}. Private key: {d, p, q}

The RSA Algorithm

@G. Gong, 2003 20

Example 2. Set up step:

Bob:

1. Choose p = 101 and q = 113

5. Bob’s Public key: {3533, 11413}, private key: { 6597, 101,113}

4. Compute d = e-1 = 6597 mod 11200

3. Choose e = 3533 with gcd(3533, Φ(n)) = 1

2. Compute n = pq = 11413 and Φ(n) =100×112=11200=26×52×7

Decryption:

Bob: c6597 = (9726)3533×6597 = 9726

Encryption:

Alice wants to send m = 9726 to Bob.

She then computes c = 97263533 mod 11413=5761

@G. Gong, 2003 21

Remark: Requirements for selection of p and q.

(1) p and q should differ in length only a few digits.

(4) d should not be small: d > n1/4.

(3) gcd(p - 1, q - 1) should small.

(2) Both p - 1 and q - 1 should contain a large prime factor.

Security of RSA:

Security of RSA depends on the difficulty to compute d from known {e, n}. However, d = e-1 mod Φ(n). Usually it has no other way to compute Φ(n) except for knowing p and q. Thus the security of RSA depends on the difficulty of factorisation of a large digital n.

@G. Gong, 2003 22

RSA Digital Signature Algorithm (RSA-DSA)

1. Compute h(m) = m’, where h(x) is a hashing function.

User Bob wants to sign a message m,

Signing process:

2. r is a digital signature of m.,'dmr =

Verifying process: Verifier uses Bob’s public key {e, m} to compute whether

nmr e mod '=

If yes, then r is a valid signature of m.

Note. Hashing function h is public, which can be chosen as either MD5 (Message digest algorithm), Rivest 1990, or SHA (Secure Hash Algorithm), NIST, 1995. Employing a hashing function is required in any DSA.

@G. Gong, 2003 23

Messagem

m

r

Hash: h

m

r = h(m)dr

Bob: signer

d: Bob’s private key

signature

mod n

RSA-DSA (Cont.)

RSA-DSA Signing Process

@G. Gong, 2003 24

RSA-DSA Verifying ProcessAlice: verifier

Hash: h

re =h(m)?

m

r

e: Bob’s public key

mod n

@G. Gong, 2003 25

R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public cryptosystem, Communication of ACM, Vol. 21, No.2, pp.120-126, Feb. 1978.

T. Elgamal, A public-key cryptosystem and signature scheme based on discrete logarithm, IEEE Trans. on Inform. Theory, vol. IT-31, pp.469-472, July, 1985

W. Diffe and M. E. Hellman, New direction in cryptography, IEEE Trans. On Inform. Theory, Vol. 22, pp.644-654, 1976.

Three milestone works which established the foundation of public-key cryptology: