
INTERNET SECURITY |
Thus, the whole set of ciphertext blocks $c_i$, $1 \le i \le 10$, is computed as:
3223 3155 1012 1712 1595 2653 0802 2360 0832 1369
To decrypt the first ciphertext $c_1 = 3223$, use the decryption key, $d = 1019$, and compute:
$$m_1 \equiv c_1^{d} \pmod n \equiv 3223^{1019} \pmod{3337} \equiv 914$$
$$m_2 \equiv c_2^{d} \pmod n \equiv 3155^{1019} \pmod{3337} \equiv 615$$
$$\vdots$$
The recreated message of this example is computed as:
0914 0615 1813 0120 0915 1400 1905 0321 1809 2025
5.2.2 RSA Signature Scheme
The RSA public-key cryptosystem can be used for both encryption and signatures. Each user has three integers $e$, $d$ and $n$, where $n = pq$ with $p$ and $q$ large primes. For the key pair $(e, d)$, $ed \equiv 1 \pmod{\phi(n)}$ must be satisfied. If sender A wants to send a signed message $c$ corresponding to message $m$ to receiver B, A signs it using A's private key, computing $c \equiv m^{d_A} \pmod{n_A}$. First A computes
$$\phi(n_A) \equiv \operatorname{lcm}(p_A - 1, q_A - 1)$$
where lcm stands for the least common multiple. The sender A selects his own key pair $(e_A, d_A)$ such that
$$e_A \cdot d_A \equiv 1 \pmod{\phi(n_A)}$$
The modulus $n_A$ and the public key $e_A$ are published. Figure 5.3 illustrates the RSA signature scheme.
Example 5.7 Choose $p = 11$ and $q = 17$. Then $n = pq = 187$.
Compute
$$\phi(n) = \operatorname{lcm}(p - 1, q - 1) = \operatorname{lcm}(10, 16) = 80$$
Select $e_A = 27$. Then
$$e_A d_A \equiv 1 \pmod{\phi(n_A)}$$
$$27 d_A \equiv 1 \pmod{80}$$
$$d_A = 3$$
ASYMMETRIC PUBLIC-KEY CRYPTOSYSTEMS |
171 |
[Figure 5.3: block diagram. User A signs the message $m$ with A's private key $d_A$, producing $c \equiv m^{d_A} \pmod{n_A}$, where $\phi(n_A) = \operatorname{lcm}(p_A - 1, q_A - 1)$ and $e_A d_A \equiv 1 \pmod{\phi(n_A)}$. User B applies A's public key $e_A$ and obtains $c^{e_A} \equiv m^{d_A e_A} \pmod{n_A} \equiv m$.]
Figure 5.3 The RSA signature scheme.
Suppose $m = 55$. Then the signed message is
$$c \equiv m^{d_A} \pmod{187} \equiv 55^{3} \pmod{187} \equiv 132$$
The message will be recreated as:
$$m \equiv c^{e_A} \pmod n \equiv 132^{27} \pmod{187} \equiv 55$$
Thus, the message $m$ is accepted as authentic.
Next, consider a case where the message is much longer. A larger $m$ requires more computation in the signing and verification steps. Therefore, it is better to compute the message digest using an appropriate hash function, for example, the SHA-1 algorithm. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller than the message.
When the message is assumed to be $m = 75\,139$, the message digest $h$ of $m$ is computed using the SHA-1 algorithm as follows:
$$h \equiv H(m) \pmod n \equiv H(75\,139) \pmod{187}$$
$$\equiv \text{86a0aab5631e729b0730757b0770947307d9f597}$$
$$\equiv 768587753333627872847426508024461003561962698135 \pmod{187} \quad \text{(decimal)}$$
The message digest $h$ is then computed as:
$$h \equiv H(75\,139) \pmod{187} \equiv 11$$
Signing $h$ with A's private key $d_A$ produces:
$$c \equiv h^{d_A} \pmod n \equiv 11^{3} \pmod{187} \equiv 22$$
Thus, the signature verification proceeds as follows:
$$h \equiv c^{e_A} \pmod n \equiv 22^{27} \pmod{187} \equiv 11$$
which shows that verification is accomplished.
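The signing and verification steps of Example 5.7, including the digest case, written out as an added Python example (not code from the book). The function names, the constructed sample message `MSG` and the `distinct_digests` check are assumptions introduced here; the digest value for m = 75 139 is the decimal number printed in the text.

```python
import hashlib
from math import gcd

def rsa_keygen(p, q, e):
    """Return (n, e, d) with e*d ≡ 1 (mod lcm(p-1, q-1)), as in the text."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lcm(p-1, q-1)")
    return p * q, e, pow(e, -1, lam)               # pow(.., -1, ..): Python 3.8+

def sign(value, d, n):
    """Textbook RSA signature c ≡ value^d (mod n), no padding."""
    if not 0 <= value < n:
        raise ValueError("value must already be reduced modulo n")
    return pow(value, d, n)

def recover(c, e, n):
    """Apply the signer's public key: c^e (mod n)."""
    return pow(c, e, n)

def digest_mod_n(message, n):
    """h ≡ SHA-1(message) (mod n), the reduction used in the text."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n

def verify_digest(message, c, e, n):
    """Accept iff c^e (mod n) equals the reduced digest of the message."""
    return recover(c, e, n) == digest_mod_n(message, n)

def distinct_digests(count, n):
    """Number of different reduced digests among `count` sample messages."""
    return len({digest_mod_n(str(i).encode(), n) for i in range(count)})

N, E, D = rsa_keygen(11, 17, 27)       # Example 5.7: n = 187, d = 3
SIG_55 = sign(55, D, N)                # signature on m = 55
# Digest of m = 75 139 as printed in the text (decimal), reduced mod n.
H_PAGE = 768587753333627872847426508024461003561962698135 % N
SIG_H = sign(H_PAGE, D, N)

MSG = b"constructed sample message"    # constructed input, not from the text
SIG_MSG = sign(digest_mod_n(MSG, N), D, N)

if __name__ == "__main__":
    print("d =", D, "sig(55) =", SIG_55, "h =", H_PAGE, "sig(h) =", SIG_H)
    print("sample verifies:", verify_digest(MSG, SIG_MSG, E, N))
    # A 160-bit digest squeezed into n = 187 can take at most 187 values,
    # so with this toy modulus many messages share one signature.
    print("distinct digests of 1000 messages:", distinct_digests(1000, N))
```
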
In hardware, RSA is about 1000 times slower than DES. RSA is also implemented in smartcards, but these implementations are slower. DES is about 100 times faster than RSA. However, RSA will never reach the speed of symmetric cipher algorithms.
It is known that the security of RSA depends on the problem of factoring large numbers. To find the private key from the public key e and the modulus n, one has to factor n. Currently, n must be larger than a 129 decimal digit modulus. Easy methods to break RSA have not yet been found. A brute-force attack is even less efficient than trying to factor n. RSA encryption and signature verification are faster if you use a low value for e, but can be insecure.
5.3 ElGamal’s Public-key Cryptosystem
ElGamal proposed a public-key cryptosystem in 1985. The ElGamal algorithm can be used for both encryption and digital signatures. The security of the ElGamal scheme relies on the difficulty of computing discrete logarithms over GF(p) where p is a large prime. Prime factorisation and discrete logarithms are required to implement the RSA and ElGamal cryptosystems.
In the RSA cryptosystem, each user has three integers $e$, $d$ and $n$, where $n = pq$ with two large primes $p$ and $q$, and $ed \equiv 1 \pmod{\phi(n)}$, $\phi$ being Euler's totient function. User A has a public key consisting of the pair $(e_A, n_A)$ and a private key $d_A$; similarly, user B has $(e_B, n_B)$ and $d_B$. To encrypt the message $m$ to B, A uses B's public key for computing the encrypted message (or ciphertext) such that $c \equiv m^{e_B} \pmod{n_B}$. If A wants to send the signed message to B, A signs the message $m$ using his own private key $d_A$ such that $c \equiv m^{d_A} \pmod{n_A}$.
To describe the ElGamal system, choose a prime number $p$ and two random numbers, $g$ and $x$, such that both $g < p$ and $x < p$, where $x$ is a private key. The random number $g$ is a primitive root modulo $p$. The public key is defined by $y$, $g$ and $p$. Then we compute $y \equiv g^x \pmod p$. To encrypt the message $m$, $0 < m \le p - 1$, first pick a random number $k$ such that $\gcd(k, p - 1) = 1$. The encrypted message (or ciphertext) can be expressed by the pair $(r, s)$ as follows:
$$r \equiv g^k \pmod p$$
$$s \equiv (y^k \pmod p)\,(m \pmod{p - 1})$$
To decrypt $m$, divide $s$ by $r^x$ such that $s/r^x \equiv m \pmod{p - 1}$. To sign a given message $m$, first choose a random number $k$ such that $\gcd(k, p - 1) = 1$, and compute $m \equiv xr + ks \pmod{p - 1}$ using the extended Euclidean algorithm to solve for $s$. The basic technique for encryption and signature using the ElGamal algorithm as a two-key cryptosystem is described in the following section.
5.3.1 ElGamal Encryption
To generate a key pair, first choose a prime $p$ and two random numbers $g$ and $x$ such that $g < p$ and $x < p$. Then compute
$$y \equiv g^x \pmod p$$
The public key is $(y, g, p)$ and the private key is $x < p$.
To encrypt the message $m$, $0 \le m \le p - 1$, first choose a random number $k$ such that $\gcd(k, p - 1) = 1$. The encrypted message (or ciphertext) is then the following pair $(r, s)$:
$$r \equiv g^k \pmod p$$
$$s \equiv (y^k \pmod p)\,(m \pmod{p - 1})$$
Note that the size of the ciphertext is double the size of the message. To decrypt the message, divide $s$ by $r^x$, as shown below:
$$r^x \equiv (g^k)^x \pmod p$$
$$s/r^x \equiv y^k m/(g^k)^x \equiv (g^x)^k m/(g^k)^x \equiv m \pmod{p - 1}$$
The ElGamal encryption scheme is plotted in Figure 5.4 and Table 5.5.
Example 5.8 Choose:
$p = 11$ (a prime)
$g = 4$ (a random number such that $g < p$)
$x = 8$ (a private key such that $x < p$)
Then compute:
$$y \equiv g^x \pmod p \equiv 4^8 \pmod{11} \equiv 9$$

[Figure 5.4: block diagram. From $g$, the private key $x$ and the random number $k$, the scheme forms $y \equiv g^x \pmod p$, $r \equiv g^k \pmod p$ and $s \equiv [y^k \pmod p]\,[m \pmod{p - 1}]$; the receiver computes $r^x \pmod p$ and recovers $m \equiv s / r^x \pmod p$.]
Figure 5.4 The ElGamal encryption scheme.
Table 5.5 ElGamal encryption algorithm
Public key:
    $p$ (a prime number)
    $g, x < p$ (two random numbers)
    $y \equiv g^x \pmod p$
    $y$, $g$ and $p$: public key
Private key:
    $x < p$
Enciphering:
    $k$: a random number such that $\gcd(k, p - 1) = 1$
    $r \equiv g^k \pmod p$
    $s \equiv (y^k \pmod p)\,(m \pmod{p - 1})$
Deciphering:
    $m \equiv s/r^x \pmod p$, $0 \le m \le p - 1$
The public key is $y = 9$, $g = 4$ and $p = 11$. The private key $x = 8$ is given above. To encrypt the message $m = 5$, first choose a random number $k = 7$ such that $\gcd(k, p - 1) = \gcd(7, 10) = 1$ and compute:
$$r \equiv g^k \pmod p \equiv 4^7 \pmod{11} \equiv 5$$
$$s \equiv (y^k \pmod p)\,(m \pmod{p - 1}) \equiv (9^7 \pmod{11})\,(5 \pmod{10}) \equiv 4 \times 5 \equiv 20$$
To decipher the message $m$, first compute:
$$r^x \pmod p \equiv 5^8 \pmod{11} \equiv 4$$
and take the ratio:
$$m = s/r^x \pmod p \equiv 20/4 \equiv 5$$
It thus proves that the message $m$ is completely restored using the ElGamal encryption algorithm (see Table 5.5).
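The arithmetic of Example 5.8 as an added Python example (not code from the book), with the division $s/r^x$ carried out as multiplication by a modular inverse. The function names are assumptions introduced here; `order` and `primitive_elements` are an added check on the choice of $g$, which shows that $g = 4$ generates only a subgroup of order 5 modulo 11.

```python
from math import gcd

def order(g, p):
    """Multiplicative order of g modulo the prime p (small p only)."""
    if g % p == 0:
        raise ValueError("g must be nonzero modulo p")
    acc, n = g % p, 1
    while acc != 1:
        acc, n = acc * g % p, n + 1
    return n

def primitive_elements(p):
    """Every g in [2, p-1] whose order is p - 1, found by brute force."""
    return [g for g in range(2, p) if order(g, p) == p - 1]

def public_key(p, g, x):
    """Return (y, g, p) with y ≡ g^x (mod p)."""
    return pow(g, x, p), g, p

def encrypt(m, k, pub):
    """Return (r, s) following the formulas of Section 5.3.1."""
    y, g, p = pub
    if not 0 <= m < p - 1:   # m = p - 1 would reduce to 0 in m mod (p - 1)
        raise ValueError("message out of range")
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p - 1")
    r = pow(g, k, p)
    s = pow(y, k, p) * (m % (p - 1))   # left unreduced, as in Example 5.8
    return r, s

def decrypt(r, s, x, p):
    """m ≡ s / r^x (mod p); division is multiplication by the inverse."""
    return s * pow(pow(r, x, p), -1, p) % p

def roundtrip_ok(p, g, x):
    """Check decrypt(encrypt(m)) == m for every valid m and k."""
    pub = public_key(p, g, x)
    ks = [k for k in range(1, p - 1) if gcd(k, p - 1) == 1]
    return all(decrypt(*encrypt(m, k, pub), x, p) == m
               for m in range(p - 1) for k in ks)

if __name__ == "__main__":
    pub = public_key(11, 4, 8)          # Example 5.8
    r, s = encrypt(5, 7, pub)
    print(pub, (r, s), decrypt(r, s, 8, 11))
    print(primitive_elements(11), order(4, 11))
```
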
5.3.2 ElGamal Signatures
To sign a message $m$, first choose a random number $k$ such that $\gcd(k, p - 1) = 1$ (relatively prime). The public key is described by
$$y \equiv g^x \pmod p$$
where the private key is $x < p$. Let $m$ be a message to be signed, $0 \le m \le p - 1$. Choose first a random number $k$ such that $\gcd(k, p - 1) = 1$ (relatively prime). Then compute
$$r \equiv g^k \pmod p$$
The signature for $m$ is the pair $(r, s)$, $0 \le r, s < p - 1$.
$$g^m \equiv y^r r^s \pmod p \equiv (g^x)^r (g^k)^s \pmod p \equiv g^{xr + ks} \pmod p$$
from which
$$m \equiv xr + ks \pmod{p - 1}$$
Use the extended Euclidean algorithm to solve for $s$. The signature for $m$ is the pair $(r, s)$. The random number $k$ should be kept secret. To verify a signature, confirm that:
$$y^r r^s \pmod p \equiv g^m \pmod p$$
Figure 5.5 illustrates the ElGamal signature scheme based on Table 5.6.
Example 5.9 To sign a message $m$, first choose a prime $p = 11$ and two random numbers $g = 7$ and $x = 3$, where $x < p$ is a private key.
Compute:
$$y \equiv g^x \pmod p \equiv 7^3 \pmod{11} \equiv 2$$
The public key is $y = 2$, $g = 7$ and $p = 11$.

[Figure 5.5: block diagram. User A, working in GF($p$) with $g$, the private key $x$ and the random number $k$, computes $y \equiv g^x \pmod p$ and $r \equiv g^k \pmod p$, and uses the extended Euclidean algorithm to solve $m \equiv rx + ks \pmod{p - 1}$ for $s$. User B computes $g^m \pmod p$ and $y^r r^s \pmod p$ and compares them (= ?, Yes / No).]
Figure 5.5 The ElGamal signature scheme.
Table 5.6 ElGamal signature algorithm
Public key:
    $p$ (a prime number)
    $g < p$ (a random number)
    $y \equiv g^x \pmod p$ where $x < p$
Private key:
    $k$: a random number
    $r \equiv g^k \pmod p$
    $s$: compute from $m \equiv xr + ks \pmod{p - 1}$
Verifying:
    Accept as valid if $y^r r^s \pmod p \equiv g^m \pmod p$
To authenticate $m = 6$, choose a random number $k = 7$ such that $\gcd(k, p - 1) = \gcd(7, 10) = 1$. Compute:
$$r \equiv g^k \pmod p \equiv 7^7 \pmod{11} \equiv 6$$
$$m \equiv xr + ks \pmod{p - 1} \quad \text{(Euclidean algorithm to solve for } s\text{)}$$
$$6 \equiv 3 \times 6 + 7s \pmod{10}$$
$$7s \equiv -2 \pmod{10} \equiv 28 \pmod{10}$$
$$s \equiv 4 \pmod{10}$$
The signature is the pair of $r = 6$ and $s = 4$.
To verify a signature, it must be confirmed that
$$y^r r^s \pmod p \equiv g^m \pmod p$$
$$(2^6)(6^4) \pmod{11} \equiv 7^6 \pmod{11}$$
$$81 \pmod{11} \equiv 15 \pmod{11}$$
$$4 \pmod{11} \equiv 4 \pmod{11}$$
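Signing and verification from Example 5.9 as an added Python example (not code from the book), with the extended Euclidean algorithm written out to solve $m \equiv xr + ks \pmod{p - 1}$ for $s$. The function names and the range check on $r$ in `verify` are assumptions introduced here.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclidean algorithm: return (g, u, v) with a*u + b*v = g."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def inverse(a, n):
    """Inverse of a modulo n, or ValueError when gcd(a, n) != 1."""
    g, u, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return u % n

def sign(m, x, k, g, p):
    """Return (r, s) with m ≡ x*r + k*s (mod p-1)."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p - 1")
    r = pow(g, k, p)
    # k*s ≡ m - x*r (mod p-1)  =>  s ≡ k^-1 (m - x*r) (mod p-1)
    s = (m - x * r) * inverse(k, p - 1) % (p - 1)
    return r, s

def verify(m, r, s, y, g, p):
    """Accept iff y^r * r^s ≡ g^m (mod p); r outside [1, p-1] is rejected."""
    if not 1 <= r <= p - 1:
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, m, p)

def all_signatures_verify(p, g, x):
    """Sign every m in [0, p-2] with every valid k and verify the result."""
    y = pow(g, x, p)
    ks = [k for k in range(1, p - 1) if gcd(k, p - 1) == 1]
    return all(verify(m, *sign(m, x, k, g, p), y, g, p)
               for m in range(p - 1) for k in ks)

if __name__ == "__main__":
    p, g, x = 11, 7, 3                  # Example 5.9
    y = pow(g, x, p)                    # public key component
    r, s = sign(6, x, 7, g, p)          # k = 7 is secret and used only once
    print("y =", y, "signature =", (r, s))
    print("valid:", verify(6, r, s, y, g, p))
    print("altered message:", verify(7, r, s, y, g, p))
```
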
5.3.3 ElGamal Authentication Scheme
The ElGamal signature or authentication scheme, looked at from another angle, is described in the following.
The sender chooses a finite field GF($p$) where $p$ is a prime. Let $g$ be a primitive element of GF($p$). First choose two random integers $g$ and $x$ such that $g < p$ and $x < p$. A key $x$ is kept secret by both the sender and the receiver. Let $m$ denote a message which is relatively prime to $p$. Then compute:
$$u \equiv g^m \pmod p$$
Let $c$ denote a ciphertext such that $\gcd(c, p) = 1$.
Using the extended Euclidean algorithm, the following congruence is solved for $v$:
$$c \equiv xu + mv \pmod{p - 1}$$
or
$$v \equiv m^{-1}(c - xu) \pmod{p - 1}$$
To authenticate the ciphertext $c$, the signed cryptogram $(c, u, v)$ is transmitted to the receiver. Upon receipt of $(c, u, v)$, the receiver computes
$$A \equiv (g^x)^u u^v \pmod p \equiv g^{c - mv}(g^m)^v \pmod p \equiv g^c \pmod p$$
Thus, the ciphertext $c$ is accepted as authentic if $A \equiv g^c \pmod p$. Once this ciphertext has been accepted, the message $m$ is recovered by:
$$m \equiv v^{-1}(c - xu) \pmod{p - 1}$$

The ElGamal authentication scheme is shown in Figure 5.6. The ElGamal authentication algorithm given in Table 5.7 is illustrated by the following example.
[Figure 5.6: block diagram. The sender computes $u \equiv g^m \pmod p$ and uses the extended Euclidean algorithm with the private key $x$ to solve $c \equiv xu + mv$ for $v$. The receiver forms $g^x$, $(g^x)^u$ and $u^v$, computes $A \equiv (g^x)^u u^v \pmod p$ and compares it with $A \equiv g^c \pmod p$ (= ?): Yes, accepted as authentic; No, rejection of authenticity. The message $m$ is obtained from $c - xu$ and the inverse $v^{-1}$.]
Figure 5.6 The ElGamal authentication scheme.
Table 5.7 ElGamal authentication algorithm
Sender
    $p$ (a prime integer)
    $g < p$ (a primitive element of GF($p$))
    $u \equiv g^m \pmod p$ where $m < p$ is a message
    $x < p$ (a private key)
    $c$ (ciphertext)
    $c \equiv xu + mv$: solve for $v$
    $(c, u, v)$: (the signed cryptogram to be transmitted)
Receiver
    $A \equiv (g^x)^u u^v \pmod p$
Verifying:
    Accept as valid if and only if $A \equiv g^c \pmod p$
Decryption:
    $m \equiv v^{-1}(c - xu) \pmod{p - 1}$
Example 5.10 Take the finite field GF(11). Then the set of primitive elements of GF(11) is {2, 6, 7, 8}. Choose a primitive element $g = 7$ from the set. Define the public key as $(g, p) = (7, 11)$ and $x = 5$ as the chosen private key which is shared by both the sender and the receiver. If the sender now wants to transmit a message $m = 3$ such that $\gcd(m, p) = \gcd(3, 11) = 1$, then compute first:
$$u \equiv g^m \pmod p \equiv 7^3 \pmod{11} \equiv 2$$
Next, compute $v$ by solving the following congruence:
$$c \equiv xu + mv \pmod{p - 1}$$
$$7 \equiv 5 \times 2 + 3v \pmod{10}$$
$$3v \equiv 7 \pmod{10}$$
$$v \equiv 9 \pmod{10}$$
where $c = 7$ is assumed.
Send the signed cryptogram $(c, u, v) = (7, 2, 9)$ to the receiver. At the receiving end, compute:
$$A \equiv (g^x)^u u^v \pmod p \equiv (7^5)^2\, 2^9 \pmod{11} \equiv (10^2)(2^9) \pmod{11} \equiv 6$$
and
$$A \equiv g^c \pmod p \equiv 7^7 \pmod{11} \equiv 6$$
Thus, the cryptogram $(7, 2, 9)$ is accepted, and $c = 7$ is authentic. Finally, the message is restored in the following manner:
$$m \equiv v^{-1}(c - xu) \pmod{p - 1} \equiv 9^{-1}(7 - 5 \times 2) \pmod{10} \equiv (9^{-1})(7) \pmod{10} \equiv 3$$
The message $m = 3$ has been completely recovered.
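Both sides of Example 5.10 as an added Python example (not code from the book). The function names are assumptions introduced here, and the two `gcd` checks are added because the inverses $m^{-1}$ and $v^{-1}$ are taken modulo $p - 1$ and exist only when $m$ and $v$ are coprime to $p - 1$.

```python
from math import gcd

def make_cryptogram(m, c, x, g, p):
    """Sender: return (c, u, v) with c ≡ x*u + m*v (mod p-1)."""
    if gcd(m, p - 1) != 1:
        raise ValueError("m must be invertible modulo p - 1 to solve for v")
    u = pow(g, m, p)
    v = pow(m, -1, p - 1) * (c - x * u) % (p - 1)   # v ≡ m^-1 (c - x*u)
    return c, u, v

def authenticate(c, u, v, x, g, p):
    """Receiver: accept iff A ≡ (g^x)^u * u^v equals g^c (mod p)."""
    a = pow(pow(g, x, p), u, p) * pow(u, v, p) % p
    return a == pow(g, c, p)

def recover_message(c, u, v, x, p):
    """m ≡ v^-1 (c - x*u) (mod p-1); requires gcd(v, p-1) = 1."""
    if gcd(v, p - 1) != 1:
        raise ValueError("v is not invertible modulo p - 1; m is not unique")
    return pow(v, -1, p - 1) * (c - x * u) % (p - 1)

if __name__ == "__main__":
    p, g, x = 11, 7, 5                  # Example 5.10, x shared by both sides
    c, u, v = make_cryptogram(3, 7, x, g, p)
    print("cryptogram:", (c, u, v))
    print("accepted:", authenticate(c, u, v, x, g, p))
    print("recovered m:", recover_message(c, u, v, x, p))
    # An altered c no longer matches (g^x)^u * u^v and is rejected.
    print("altered c accepted:", authenticate(8, u, v, x, g, p))
    # c = 10 gives v = 0: the cryptogram authenticates, yet m cannot be
    # recovered because v has no inverse modulo p - 1.
    c2, u2, v2 = make_cryptogram(3, 10, x, g, p)
    print("c = 10:", (c2, u2, v2), authenticate(c2, u2, v2, x, g, p))
```
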
5.4 Schnorr’s Public-key Cryptosystem
In 1990, Schnorr introduced his authentication and signature schemes based on discrete logarithms.
5.4.1 Schnorr’s Authentication Algorithm
First choose two primes, $p$ and $q$, such that $q$ ($1 < q < p - 1$) is a prime factor of $p - 1$. To generate a public key, choose $a \ne 1$ such that $a \equiv h^{(p-1)/q} \pmod p$, that is, $a^q \equiv h^{p-1} \pmod p$. If $h$ is relatively prime to $p$, by Fermat's theorem it can then be written as $h^{p-1} \equiv 1 \pmod p$. As a result, we have $a^q \equiv 1 \pmod p$, $1 < a < p - 1$. All