180 INTERNET SECURITY

these numbers, p, q and a, can be freely published and shared with a group of users. To generate a key pair, choose a random number $s < q$ which is used as the private key. Next, compute $\lambda \equiv a^{-s} \pmod p$ which is the public key.

Now, user A picks a random number $r < q$ and computes $x \equiv a^r \pmod p$. User B picks a random number t and sends it to user A, where $t \in (0, 1, 2, \ldots, 2^v - 1)$ indicates the security level. Schnorr recommends the value of v = 72 for sufficient security. User A computes $y \equiv r + st \pmod q$ and sends it to user B. Thus, user B tests verification of authenticity such that $x \equiv a^y \lambda^t \pmod p$. Figure 5.7 illustrates Schnorr’s authentication scheme, and Table 5.8 shows the related algorithm.

Example 5.11 Choose two primes p = 23 and q = 11 such that q = 11 is a prime factor of p − 1 = 22. Choose a = 3 satisfying $a^q \equiv 1 \pmod p$, i.e. $3^{11} \equiv 1 \pmod{23}$. Choose s = 8 < q as the private key and compute the public key such that $\lambda \equiv a^{-s} \pmod p \equiv 3^{-8} \pmod{23}$. Compute the multiplicative inverse of a = 3: $a a^{-1} \equiv 1 \pmod p$, $3a^{-1} \equiv 1 \pmod{23}$, from which $a^{-1} = 8$. Thus, $\lambda \equiv 8^8 \pmod{23} \equiv 4$.

The sender picks r = 5 < q and computes:

$x \equiv a^r \pmod p \equiv 3^5 \pmod{23} \equiv 13$

The receiver sends t = 15 to the sender and the sender computes:

$y \equiv r + st \pmod q \equiv (5 + 8 \times 15) \pmod{11} \equiv 125 \pmod{11} \equiv 4$

Table 5.8 Schnorr’s authentication algorithm

Preprocessing:
Choose two primes, p and q, such that q is a prime factor of p − 1.
Choose a such that $a^q \equiv 1 \pmod p$.

Key generation:
Choose a random number s < q (private key)
Compute $\lambda \equiv a^{-s} \pmod p$ (public key)

| User A | User B |
| --- | --- |
| Choose a random number r < q | Pick a random number t such that $0 < t < 2^v - 1$ |
| Compute $x \equiv a^r \pmod p$ | Send t to user A |
| Compute $y \equiv r + st \pmod q$ | |
| Send y to user B | Verify that $x \equiv a^y \lambda^t \pmod p$ |

ASYMMETRIC PUBLIC-KEY CRYPTOSYSTEMS

181

[Figure 5.7 Schnorr’s authentication scheme. Flowchart: with $a^q \equiv 1 \pmod p$, private key s, public key $\lambda \equiv a^{-s}$ and $0 < t < 2^v - 1$, the values $x \equiv a^r \pmod p$ and $y \equiv r + st \pmod q$ are formed, and $a^y \cdot \lambda^t \pmod p$ is compared with x. No: authenticity fails. Yes: accept authentication as true.]

To verify $x \equiv a^y \cdot \lambda^t \pmod p \equiv 13$, compute:

$x \equiv (3^4)(4^{15}) \pmod{23} \equiv 12 \times 3 \pmod{23} \equiv 13$

Since $a^r \pmod p \equiv a^y \lambda^t \pmod p \equiv 13$, the authentication is accepted.

5.4.2 Schnorr’s Signature Algorithm

For a digital signature, user A concatenates the message m and x and computes the hash code:

$h \equiv H(m||x)$

User A sends the signature (h, y) to user B. User B computes $z \equiv a^y \lambda^h \pmod p$ and confirms whether hashing the concatenation of m and z yields:

$h' \equiv H(m||z)$

If $h = h'$, then user B accepts the signature as valid.

For the same level of security, Schnorr’s signature algorithms are shorter than RSA ones. Also, Schnorr’s signatures are much shorter than ElGamal signatures. Figure 5.8 and Table 5.9 illustrate Schnorr’s signature algorithm.

[Figure 5.8 Schnorr’s signature scheme. Flowchart: user A forms $x \equiv a^r \pmod p$, $h = H(m||x)$ and $y \equiv r + sh \pmod q$; user B forms $z \equiv a^y \cdot \lambda^h \pmod p$ and $h' = H(m||z)$ and compares h with h'. If no, the signature is not verified. If yes, user B accepts the signature to be true. Legend: p: prime number; q: prime factor of p − 1; r: random number, less than q; λ: public key, $\lambda \equiv a^{-s} \pmod p$; s: private key; (h, y): signature.]

Table 5.9 Schnorr’s signature algorithm

Preprocessing stage and the two key pair are the same.

User A:
Choose r < q (a random number)
Compute $x \equiv a^r \pmod p$
Concatenate m and x, i.e. m||x, and hash such that $h = H(m||x)$
Compute $y = r + sh \pmod q$
Send the signature (h, y) to user B →

User B:
Compute $z \equiv a^y \lambda^h \pmod p$
Concatenate m and z and hash: $h' = H(m||z)$
If the two hash values match ($h = h'$), then user B accepts the signature as valid

Example 5.12 First choose two primes p = 29 and q = 7 such that $q \mid p - 1$, i.e. q is a prime factor of p − 1. Determine a = 7 in order to meet the requirement of $a^q \equiv 1 \pmod p$ such that $7^7 \equiv 823\,543 \equiv 1 \pmod{29}$. Pick a private key s = 4 such that s < q and compute the public key as follows:

$\lambda \equiv a^{-s} \pmod p \equiv 7^{-4} \pmod{29} \equiv 24$


User A:

Choose a random number r = 5 < q and then compute:

$x \equiv a^r \pmod p \equiv 7^5 \pmod{29} \equiv 16$

Concatenate m and x and hash m||x such that $h \equiv H(m||x) = H(12\,345||16)$, where the message m = 12 345 is assumed. To produce the message digest h = H(m||x), use the Secure Hash Algorithm (SHA) which is closely modelled on MD4. Utilising SHA for h yields a 160-bit message digest as the output, as follows:

$h \equiv H(m||x) \pmod q \equiv H(12\,345||16) \pmod 7$

= a11784b83ea003cd66491c7e1de07296d9d9242c (hexadecimal)

= 919671992759145855242593220263016201851705566252 (mod 7) (decimal)

≡ 5

User A computes $y \equiv r + sh \pmod q$:

$y \equiv (5 + 4 \times 5) \pmod 7 \equiv 25 \pmod 7 \equiv 4$

Send signature (h, y) = (5, 4) to user B. User B first computes:

$z \equiv a^y \cdot \lambda^h \pmod p \equiv 7^4 \times 24^5 \pmod{29} \equiv (23 \times 7) \pmod{29} \equiv 16$

Concatenate m = 12 345 and z and hash it as follows:

$h' \equiv H(m||z) \pmod q \equiv H(12\,345||16) \pmod 7 \equiv 5$

which is identical to h. Therefore, user B accepts the signature as valid because $h = h'$. The next example demonstrates how to solve the problem, making use of the MD5 algorithm in order to compute the 128-bit message digest. The source code of the MD5 program can be obtained from ftp.funet.fi:/pub/crypt/hash/mds/md5.

Example 5.13 If two primes p = 23 and q = 11 are given, then a = 9 is determined. Choose a private key s = 4, a random number r = 7 and the message m = 135.

Key generation

Private key: s = 4

Public key: $\lambda \equiv a^{-s} \pmod p \equiv 9^{-4} \pmod{23} \equiv 4$

User A

Compute

$x \equiv a^r \pmod p \equiv 9^7 \pmod{23} \equiv 4$

Using the MD5 algorithm, compute the message digest:

$h \equiv H(m||x) \pmod q \equiv H(135||4) \pmod{11}$

h = af4732711661056eadbf798ba191272a (hexadecimal)

≡ 232984575419504758889249578349365372714 (mod 11)

≡ 0

Using h = 0, $y \equiv r + sh \pmod q$ becomes $y \equiv 7 \pmod{11}$.

Send the signature (h, y) = (0, 7) to user B.

User B

When user B receives the signature (h, y), compute:

$z \equiv a^y \lambda^h \pmod p \equiv 9^7 \pmod{23} \equiv 4$

Applying MD5 to $h' \equiv H(m||z) \pmod q \equiv H(135||4) \pmod{11}$, we have

h' = af4732711661056eadbf798ba191272a

Thus, user B confirms verification of $h \pmod{11} \equiv h' \pmod{11} \equiv 0$.
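The identification and signature steps of Tables 5.8 and 5.9, as an added Python example (not code from the book), run on the toy parameters of Examples 5.11 to 5.13. The function names, the "|" encoding of m||x and the SHA-256 default are assumptions; `signature_example` substitutes the digest value the book reports so that its numbers can be reproduced.

```python
import hashlib

def public_key(p, q, a, s):
    # Preprocessing checks from the text: q | p - 1 and a^q = 1 (mod p), a != 1.
    if (p - 1) % q or a % p == 1 or pow(a, q, p) != 1 or not 0 < s < q:
        raise ValueError("invalid Schnorr parameters")
    return pow(a, q - s, p)  # lambda = a^(-s) = a^(q-s), since a has order q

def commit(p, a, r):
    return pow(a, r, p)  # x = a^r mod p

def respond(q, r, s, c):
    return (r + s * c) % q  # y = r + s*c mod q; c is the challenge t or the hash h

def recover_x(p, a, lam, y, c):
    # a^y * lambda^c = a^(r + s*c) * a^(-s*c) = a^r (mod p)
    return pow(a, y, p) * pow(lam, c, p) % p

def authenticate(p, a, lam, x, y, t):
    return x == recover_x(p, a, lam, y, t)

def sha256_mod_q(m, x, q):
    # Assumption: m||x is encoded as the two decimal strings joined by "|".
    digest = hashlib.sha256(f"{m}|{x}".encode()).digest()
    return int.from_bytes(digest, "big") % q

def sign(p, q, a, s, m, r, H=sha256_mod_q):
    h = H(m, commit(p, a, r), q)
    return h, respond(q, r, s, h)

def verify(p, q, a, lam, m, sig, H=sha256_mod_q):
    h, y = sig
    if not (0 <= h < q and 0 <= y < q):  # reject out-of-range values up front
        return False
    return h == H(m, recover_x(p, a, lam, y, h), q)

def example_5_11():
    p, q, a, s, r, t = 23, 11, 3, 8, 5, 15
    lam, x = public_key(p, q, a, s), commit(p, a, r)
    y = respond(q, r, s, t)
    honest = authenticate(p, a, lam, x, y, t)
    wrong = authenticate(p, a, lam, x, (y + 1) % q, t)  # response not built from s
    return lam, x, y, honest, wrong

def signature_example(p, q, a, s, r, m, book_h):
    H = lambda m_, x_, q_: book_h  # stub: the digest value printed in the book
    lam = public_key(p, q, a, s)
    sig = sign(p, q, a, s, m, r, H)
    z = recover_x(p, a, lam, sig[1], sig[0])
    return lam, sig, z, verify(p, q, a, lam, m, sig, H)

if __name__ == "__main__":
    print(example_5_11())
    print(signature_example(29, 7, 7, 4, 5, 12345, 5))
    print(signature_example(23, 11, 9, 4, 7, 135, 0))
```

With h = 0, as in Example 5.13, the response y equals r and does not depend on the private key at all; with q this small that happens for roughly one message in q.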

5.5 Digital Signature Algorithm

In 1991 the National Institute of Standards and Technology (NIST) proposed the Digital Signature Algorithm (DSA) for federal digital signature applications. The proposed new Digital Signature Standard (DSS) uses a public-key signature scheme to verify to a recipient the integrity of data received and the identity of the sender of the data.

DSA provides smartcard applications for digital signature. Key generation in DSA is faster than in RSA. Signature generation has the same level of speed as RSA, but signature verification is much slower than RSA.

Many software companies, such as IBM, Microsoft, Novell and Apple, that have already licenced the RSA algorithm, protested against the DSS. Many companies wanted NIST to adopt ISO/IEC 9796 for use instead of RSA as the international digital signature standard.

The DSA is based on the difficulty of computing discrete logarithms, and originated from schemes presented by ElGamal and Schnorr. The public key consists of three parameters, p, q and g, and is common to a group of users. Choose q as a 160-bit prime number and select a prime number p with 512 < p < 1024 bits such that q is a prime factor of p − 1. Next, choose g > 1 to be of the form $h^{(p-1)/q} \pmod p$ such that h is an integer between 1 and p − 1.

With these three numbers, each user chooses a private key x in the range 1 < x < q − 1 and the public key y is computed from x as $y \equiv g^x \pmod p$. Recall that determining x is computationally impossible because the discrete logarithm of y to the base g (mod p) is difficult to calculate.

To sign a message m, the sender computes two parameters, r and s, which are functions of (p, q, g and x), the message digest H(m), and a random number k < q. At the receiver, verification is performed as shown in Table 5.10. The receiver generates a quantity v that is a function of parameters (x, y, r, $s^{-1}$ and H(m)).

When a one-way hash function H operates on a message m of any length, a fixed-length message digest (hash code) h can be produced such that h = H(m). The message digest h to the DSA input computes the signature for the message m. Signing the message digest rather than the message itself often improves the efficiency of the signature process, because the message digest h is usually much smaller than the message m. The SHA is called secure because it is designed to be computationally impossible to recover a message corresponding to a given message digest. Any change to a message in transit will result in a different message digest, and the signature will fail to verify. The structure of the DSA algorithm is illustrated in Figure 5.9.

 

 

 

 

 

 

Example 5.14 Choose p = 23 and q = 11 such that q is a prime factor of p − 1. Choose h = 16 < p − 1 such that $g \equiv 16^2 \pmod{23} \equiv 3 > 1$. Choose the private key x = 7 < q and compute the public key $y \equiv g^x \pmod p \equiv 3^7 \pmod{23} \equiv 2$.

Sender: (signing)

Choose k = 5 such that k < q = 11 and compute the signatures (r, s) as follows:

$r \equiv (g^k \bmod p) \pmod q \equiv (3^5 \bmod 23) \pmod{11} \equiv 13 \pmod{11} \equiv 2$

Assume that h = H(m) = 10 and compute:

$s \equiv k^{-1}(h + xr) \pmod q \equiv 5^{-1}(10 + 7 \times 2) \pmod{11} \equiv (9 \times 24) \pmod{11} \equiv 216 \pmod{11} \equiv 7$

where the multiplicative inverse $k^{-1}$ is:

$k \cdot k^{-1} \equiv 1 \pmod q$

$5k^{-1} \equiv 1 \pmod{11}$, from which $k^{-1} = 9$

Table 5.10 DSA signatures

Key pair generation:
p: a prime number between 512 and 1024 bits long
q: a prime factor of p − 1, 160 bits long
$g \equiv h^{(p-1)/q} \pmod p > 1$, and h < p − 1
(p, q and g): public parameters
x < q: the private key, 160 bits long
$y \equiv g^x \pmod p$: the public key, 160 bits long

Signing process (sender):
k < q: a random number
$r \equiv (g^k \bmod p) \pmod q$
$s \equiv k^{-1}(h + xr) \pmod q$, h = H(m) is a one-way hash function of the message m.
(r, s): signature

Verifying signature (receiver):
$w \equiv s^{-1} \pmod q$
$u_1 \equiv h \times w \pmod q$
$u_2 \equiv r \times w \pmod q$
$v \equiv (g^{u_1} y^{u_2} \pmod p) \pmod q$
If v = r, then the signature is verified.

 

 

[Figure 5.9 DSA digital signature scheme. Flowchart: the originator forms $g \equiv h^{(p-1)/q}$, $y \equiv g^x \pmod p$, $r \equiv (g^k \bmod p) \pmod q$ and $s \equiv k^{-1}(h + rx) \pmod q$; the recipient forms $w = s^{-1}$, $u_1$, $u_2$ and v, and compares v with r. Yes: signature is verified. No: signature is rejected. Legend: h = H(m): hash value; (r, s): signature.]

Receiver: (verifying)

Compute:

$w \equiv s^{-1} \pmod q \equiv 7^{-1} \pmod{11} \equiv 8$

$u_1 \equiv (h \times w) \pmod q \equiv (10 \times 8) \pmod{11} \equiv 3$

$u_2 \equiv (r \times w) \pmod q \equiv (2 \times 8) \pmod{11} \equiv 5$

$v \equiv ((g^{u_1} \times y^{u_2}) \bmod p) \pmod q \equiv ((3^3 \times 2^5) \bmod 23) \pmod{11} \equiv (864 \pmod{23}) \pmod{11} \equiv 13 \pmod{11} \equiv 2$

Since v = r = 2, the signature is verified.
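Table 5.10 as an added Python example (not code from the book), checked against the numbers of Example 5.14. The function names are assumptions, and the range check 0 < r, s < q in `dsa_verify` comes from the DSS specification rather than from the table; without it a zero s has no inverse modulo q.

```python
def dsa_generator(p, q, h):
    # g = h^((p-1)/q) mod p must be greater than 1, with 1 < h < p - 1.
    if (p - 1) % q or not 1 < h < p - 1:
        raise ValueError("invalid DSA domain parameters")
    g = pow(h, (p - 1) // q, p)
    if g <= 1:
        raise ValueError("h gives g = 1: choose another h")
    return g

def inv_mod_prime(n, q):
    return pow(n, q - 2, q)  # Fermat inverse, valid because q is prime and n != 0

def dsa_sign(p, q, g, x, h, k):
    if not 0 < k < q:
        raise ValueError("k must satisfy 0 < k < q")
    r = pow(g, k, p) % q
    s = inv_mod_prime(k, q) * (h + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("r or s is zero: choose a fresh k")
    return r, s

def dsa_verify(p, q, g, y, h, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):  # reject before inverting s
        return False
    w = inv_mod_prime(s, q)
    u1, u2 = h * w % q, r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r

def example_5_14():
    p, q, x, k, h = 23, 11, 7, 5, 10     # values from Example 5.14
    g = dsa_generator(p, q, 16)
    y = pow(g, x, p)                      # public key y = g^x mod p
    sig = dsa_sign(p, q, g, x, h, k)
    return g, y, sig, dsa_verify(p, q, g, y, h, sig)

if __name__ == "__main__":
    print(example_5_14())
    print(dsa_verify(23, 11, 3, 2, 9, (2, 7)))   # digest changed from 10 to 9
    print(dsa_verify(23, 11, 3, 2, 10, (2, 0)))  # s outside 0 < s < q
```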

5.6 The Elliptic Curve Cryptosystem (ECC)

The Elliptic Curve Cryptosystem (ECC) was introduced by Neal Koblitz and Victor Miller in 1985. The elliptic curve discrete logarithm problem appears to be substantially more difficult than the existing discrete logarithm problem. For an equal level of security, ECC uses smaller parameters than the conventional discrete logarithm systems.

In this section we first present the concept of an elliptic curve and then discuss its applications to existing public-key algorithms. Finally, we will look at cryptographic algorithms with elliptic curves over the prime or finite fields.

5.6.1 Elliptic Curves

Elliptic curves (ECs) have been studied for many years. Elliptic curves over the prime field $Z_p$ or the finite field $GF(2^n)$ are particularly interesting because they provide a way of constructing cryptographic algorithms. ECs have the potential to provide faster public-key cryptosystems with smaller key sizes.

Elliptic curves over prime field $Z_p$

Figure 5.10 shows the elliptic curve $y^2 = x^3 + ax + b$ defined over $Z_p$ where $a, b \in Z_p$. $Z_p$ is called a prime field if and only if p > 3 is an odd prime. An elliptic curve (EC) can be made into an abelian group with all points on an EC, including the point at infinity O, under the condition of $4a^3 + 27b^2 \not\equiv 0 \pmod p$. If two distinct points $P(x_1, y_1)$ and $Q(x_2, y_2)$ are on an elliptic curve, the third point R is defined as $P + Q = R(x_3, y_3)$ (see Figure 5.10). The third point R is defined as follows: first draw a line through P and Q, find the intersection point −R on the elliptic curve, and finally determine the reflection point R with respect to the x-axis, which is the sum of P and Q. If P(x, y) is a point on an elliptic curve (EC), then $P + P = R(x_3, y_3)$ (double of P) is defined as follows: first draw a tangent line to the elliptic curve at P. This tangent line will intersect the EC at a second point (−R). Then $R(x_3, y_3)$ is the reflection point of −R with respect to the x-axis, as depicted in Figure 5.11. If $P(x, y) \neq O$, then −P is defined as $-P(x, -y)$. Hence if Q = −P, it satisfies P + Q = O. Since all arithmetic operations are written additively, P + P = 2P = O because slope $\{P(x_i, 0)\} \perp$ x-axis when $y_i = 0$.

[Figure 5.10 An elliptic curve.]

Subsequently, 3P = 2P + P = P, 4P = 2P + 2P = O, 5P = 4P + P = P, . . ., etc.

If the points on an elliptic curve $y^2 = x^3 + ax + b$ over $Z_p$ are represented by the points $P(x_1, y_1)$, $Q(x_2, y_2)$ and $R(x_3, y_3) = P + Q$, the following theorems will hold:

1. When $P \neq Q$, $x_3 = \alpha^2 - x_1 - x_2$, $y_3 = -y_1 + \alpha(x_1 - x_3)$ when $\alpha = (y_2 - y_1)/(x_2 - x_1)$. Consider the linear curve $y = \alpha x + \lambda$ passing through the points P and Q. Then α and λ are written as $\alpha = (y_2 - y_1)/(x_2 - x_1)$ and $\lambda = y_1 - \alpha x_1$, respectively. If the point $(x, y) = (x, \alpha x + \lambda)$ on PQ meets the condition to be on EC, it should be $(\alpha x + \lambda)^2 = x^3 + ax + b$ or $x^3 - \alpha^2 x^2 + (a - 2\alpha\lambda)x + b - \lambda^2 = 0$, from which we can obtain $x_1 + x_2 + x_3 = \alpha^2$ with due regard to the relation between roots and coefficients. Thus it proves to be:

$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2$ and $y_3 = -y_1 + \left(\frac{y_2 - y_1}{x_2 - x_1}\right)(x_1 - x_3)$

[Figure 5.11 The doubling of an elliptic curve point.]

2. When P = Q (i.e. $2P(x_3, y_3)$), $x_3 = \beta^2 - 2x_1$, $y_3 = -y_1 + \beta(x_1 - x_3)$ when $\beta = (3x_1^2 + a)/(2y_1)$. Using $y^2 = x^3 + ax + b$, compute the slope at P.

$2y \frac{dy}{dx} = 3x^2 + a$ or $\frac{dy}{dx} = \frac{3x^2 + a}{2y} = \beta$

Thus:

$x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1$ and $y_3 = -y_1 + \left(\frac{3x_1^2 + a}{2y_1}\right)(x_1 - x_3)$

Figure 5.11 shows a geometric description of the doubling of an EC point ($2P = R(x_3, y_3)$).

3. When P = −Q, it is obvious that P + Q = O.
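The three cases above as an added Python example (not code from the book). The curve $y^2 = x^3 + x + 1$ over $Z_{23}$ and its points are constructed sample values, and the function names are assumptions; the code validates its inputs and is not constant-time.

```python
O = None  # the point at infinity

def on_curve(P, a, b, p):
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def ec_add(P, Q, a, b, p):
    # Group law on y^2 = x^3 + ax + b over Z_p (p > 3 prime).
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
    if not (on_curve(P, a, b, p) and on_curve(Q, a, b, p)):
        raise ValueError("point is not on the curve")
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if (x1 - x2) % p == 0 and (y1 + y2) % p == 0:
        return O                      # case 3: P = -Q (covers 2P when y1 = 0)
    if (x1 - x2) % p == 0:            # case 2: P = Q, tangent slope beta
        slope = (3 * x1 * x1 + a) * pow(2 * y1 % p, p - 2, p) % p
    else:                             # case 1: P != Q, chord slope alpha
        slope = (y2 - y1) * pow((x2 - x1) % p, p - 2, p) % p
    x3 = (slope * slope - x1 - x2) % p
    y3 = (slope * (x1 - x3) - y1) % p
    return (x3, y3)

def ec_mul(k, P, a, b, p):
    # Double-and-add: kP built from repeated use of cases 1 and 2.
    result, addend = O, P
    while k > 0:
        if k & 1:
            result = ec_add(result, addend, a, b, p)
        addend = ec_add(addend, addend, a, b, p)
        k >>= 1
    return result

if __name__ == "__main__":
    a, b, p = 1, 1, 23                # constructed curve y^2 = x^3 + x + 1 over Z_23
    P, Q = (3, 10), (9, 7)
    print(ec_add(P, Q, a, b, p))          # chord case
    print(ec_add(P, P, a, b, p))          # tangent case
    print(ec_add(P, (3, 13), a, b, p))    # P + (-P)
    print(ec_add((4, 0), (4, 0), a, b, p))  # doubling a point with y = 0
    print(ec_mul(3, P, a, b, p))
```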

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 
